From 488d65e35aabc82fcc22a1deeb75b998e7fa640d Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Wed, 25 Sep 2024 20:37:16 +0200 Subject: [PATCH 001/135] wip opensearch --- .../opensearch-manage-cluster/README.md | 0 .../opensearch-manage-cluster/action.yml | 0 .github/workflows/test-gha-eks.yml | 2 + .github/workflows/tests.yml | 3 + modules/opensearch/README.md | 123 ++++++++++ modules/opensearch/main.tf | 96 ++++++++ modules/opensearch/outputs.tf | 5 + modules/opensearch/variables.tf | 215 ++++++++++++++++++ 8 files changed, 444 insertions(+) create mode 100644 .github/actions/opensearch-manage-cluster/README.md create mode 100644 .github/actions/opensearch-manage-cluster/action.yml create mode 100644 modules/opensearch/README.md create mode 100644 modules/opensearch/main.tf create mode 100644 modules/opensearch/outputs.tf create mode 100644 modules/opensearch/variables.tf diff --git a/.github/actions/opensearch-manage-cluster/README.md b/.github/actions/opensearch-manage-cluster/README.md new file mode 100644 index 00000000..e69de29b diff --git a/.github/actions/opensearch-manage-cluster/action.yml b/.github/actions/opensearch-manage-cluster/action.yml new file mode 100644 index 00000000..e69de29b diff --git a/.github/workflows/test-gha-eks.yml b/.github/workflows/test-gha-eks.yml index 5a7f52e9..fe9d43e6 100644 --- a/.github/workflows/test-gha-eks.yml +++ b/.github/workflows/test-gha-eks.yml @@ -1,6 +1,8 @@ --- name: EKS Cluster with an AuroraDB creation and destruction test +# TODO: add opensearch + on: schedule: - cron: 0 1 * * 2 # At 01:00 on Tuesday. diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index d437bca2..f74075b1 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -1,6 +1,9 @@ --- name: Terraform modules tests +# TODO: add opensearch + + on: schedule: - cron: 0 1 * * 2 
diff --git a/modules/opensearch/README.md b/modules/opensearch/README.md new file mode 100644 index 00000000..b70d1d93 --- /dev/null +++ b/modules/opensearch/README.md @@ -0,0 +1,123 @@ +# AWS OpenSearch Domain Terraform Module + +This Terraform module creates and manages an AWS OpenSearch domain. The module is designed to be integrated with an existing EKS cluster or VPC for seamless setup and management. Below is a detailed explanation of the module's configuration options and usage. + +## Usage + +Below is a simple example configuration that demonstrates how to use this module. Adjust the values as needed for your specific setup. + +```hcl +module "opensearch_domain" { + source = "path-to-your-module" + + domain_name = "my-opensearch-domain" + engine_version = "OpenSearch_1.0" + subnet_ids = module.eks_cluster.subnet_ids + security_group_ids = module.eks_cluster.security_group_ids + vpc_id = module.eks_cluster.vpc_id + availability_zones = module.eks_cluster.availability_zones + + instance_type = "t3.small.search" + instance_count = 2 + ebs_volume_size = 100 + + advanced_security_enabled = true + advanced_security_internal_user_database_enabled = true + advanced_security_master_user_name = "admin" + advanced_security_master_user_password = "password" + + encrypt_at_rest_kms_key_id = "kms-key-id" + access_policies = < +## Modules + +No modules. +## Resources + +| Name | Type | +|------|------| +| [aws_opensearch_domain.opensearch_cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/opensearch_domain) | resource | +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [access\_policies](#input\_access\_policies) | IAM policy document specifying the access policies for the domain. | `any` | n/a | yes | +| [advanced\_options](#input\_advanced\_options) | Key-value string pairs to specify advanced configuration options. | `map` |
{
"rest.action.multi.allow_explicit_index": true
}
| no | +| [advanced\_security\_anonymous\_auth\_enabled](#input\_advanced\_security\_anonymous\_auth\_enabled) | Whether the anonymous auth is enabled. | `bool` | `false` | no | +| [advanced\_security\_enabled](#input\_advanced\_security\_enabled) | Whether advanced security is enabled. | `bool` | `false` | no | +| [advanced\_security\_internal\_user\_database\_enabled](#input\_advanced\_security\_internal\_user\_database\_enabled) | Whether the internal user database is enabled. | `bool` | `false` | no | +| [advanced\_security\_master\_user\_name](#input\_advanced\_security\_master\_user\_name) | Main user's username, which is stored in the Amazon Elasticsearch Service domain's internal database. Only specify if `advanced_security_internal_user_database_enabled` is set to true. | `string` | `"opensearch-admin"` | no | +| [advanced\_security\_master\_user\_password](#input\_advanced\_security\_master\_user\_password) | Main user's password, which is stored in the Amazon Elasticsearch Service domain's internal database. Only specify if `advanced_security_internal_user_database_enabled` is set to true. | `any` | n/a | yes | +| [auto\_software\_update\_enabled](#input\_auto\_software\_update\_enabled) | Software update auto for the domain. | `bool` | `false` | no | +| [auto\_tune\_options](#input\_auto\_tune\_options) | Configuration block for the Auto-Tune options of the domain | `any` |
{
"desired_state": "ENABLED",
"rollback_on_disable": "NO_ROLLBACK"
}
| no | +| [automated\_snapshot\_start\_hour](#input\_automated\_snapshot\_start\_hour) | Hour during which the service takes an automated daily snapshot of the indices in the domain. | `number` | `0` | no | +| [availability\_zones](#input\_availability\_zones) | Availability zones used by the domain. | `list(string)` | n/a | yes | +| [cold\_storage\_enabled](#input\_cold\_storage\_enabled) | Indicates cold storage is enabled. | `bool` | `false` | no | +| [create\_timeout](#input\_create\_timeout) | How much time to wait for the creation before timing out. | `string` | `"2h"` | no | +| [dedicated\_master\_count](#input\_dedicated\_master\_count) | Number of dedicated master nodes in the cluster. | `number` | `1` | no | +| [dedicated\_master\_enabled](#input\_dedicated\_master\_enabled) | Indicates whether dedicated master nodes are enabled for the cluster. | `bool` | `true` | no | +| [dedicated\_master\_type](#input\_dedicated\_master\_type) | Instance type of the dedicated master nodes in the cluster. | `string` | `""` | no | +| [domain\_endpoint\_options](#input\_domain\_endpoint\_options) | Configuration block for domain endpoint HTTP(S) related options | `any` |
{
"enforce_https": true,
"tls_security_policy": "Policy-Min-TLS-1-2-2019-07"
}
| no | +| [domain\_name](#input\_domain\_name) | Name of the domain. | `any` | n/a | yes | +| [ebs\_enabled](#input\_ebs\_enabled) | Whether EBS volumes are attached to data nodes in the domain. | `bool` | `true` | no | +| [ebs\_iops](#input\_ebs\_iops) | Baseline input/output (I/O) performance of EBS volumes attached to data nodes. Applicable only for the GP3 and Provisioned IOPS EBS volume types. | `any` | n/a | yes | +| [ebs\_throughput](#input\_ebs\_throughput) | (Required if `ebs_volume_type` is set to gp3) Specifies the throughput (in MiB/s) of the EBS volumes attached to data nodes. Applicable only for the gp3 volume type. | `any` | n/a | yes | +| [ebs\_volume\_size](#input\_ebs\_volume\_size) | Type of EBS volumes attached to data nodes. | `number` | `64` | no | +| [ebs\_volume\_type](#input\_ebs\_volume\_type) | Type of EBS volumes attached to data nodes. | `string` | `"gp3"` | no | +| [enable\_access\_policy](#input\_enable\_access\_policy) | Determines whether an access policy will be applied to the domain | `bool` | `true` | no | +| [encrypt\_at\_rest\_enabled](#input\_encrypt\_at\_rest\_enabled) | Configuration block for encrypt at rest options. Only available for certain instance types. | `bool` | `true` | no | +| [encrypt\_at\_rest\_kms\_key\_id](#input\_encrypt\_at\_rest\_kms\_key\_id) | KMS key id used to encrypt at rest. | `any` | n/a | yes | +| [engine\_version](#input\_engine\_version) | OpenSearch version for the domain. | `any` | n/a | yes | +| [instance\_count](#input\_instance\_count) | Number of instances in the cluster. | `number` | `1` | no | +| [instance\_type](#input\_instance\_type) | Instance type of data nodes in the cluster. | `string` | `"t3.small.search"` | no | +| [ip\_address\_type](#input\_ip\_address\_type) | The IP address type for the endpoint. 
Valid values are ipv4 and dualstack | `any` | n/a | yes | +| [multi\_az\_with\_standby\_enabled](#input\_multi\_az\_with\_standby\_enabled) | Whether a multi-AZ domain is turned on with a standby AZ. | `bool` | `false` | no | +| [node\_to\_node\_encryption\_enabled](#input\_node\_to\_node\_encryption\_enabled) | Whether node to node encryption is enabled. | `bool` | `true` | no | +| [off\_peak\_window\_options](#input\_off\_peak\_window\_options) | Configuration to add Off Peak update options | `map` |
{
"enabled": true,
"off_peak_window": {
"hours": 7
}
}
| no | +| [security\_group\_ids](#input\_security\_group\_ids) | Security groups used by the domain. | `list(string)` | `[]` | no | +| [subnet\_ids](#input\_subnet\_ids) | The subnet IDs to create the cluster in. For easier usage we are passing through the subnet IDs from the AWS EKS Cluster module. | `list(string)` | n/a | yes | +| [tags](#input\_tags) | Tags assigned to the domain. | `map` | `{}` | no | +| [vpc\_id](#input\_vpc\_id) | VPC used by the domain. | `string` | n/a | yes | +| [warm\_count](#input\_warm\_count) | Number of warm nodes in the cluster. | `number` | `1` | no | +| [warm\_enabled](#input\_warm\_enabled) | Warm storage is enabled. | `bool` | `true` | no | +| [warm\_type](#input\_warm\_type) | Instance type for the OpenSearch cluster's warm nodes. | `string` | `""` | no | +| [zone\_awareness\_availability\_zone\_count](#input\_zone\_awareness\_availability\_zone\_count) | Number of availability zones used. | `number` | `1` | no | +| [zone\_awareness\_enabled](#input\_zone\_awareness\_enabled) | Indicates whether zone awareness is enabled. | `bool` | `true` | no | +## Outputs + +| Name | Description | +|------|-------------| +| [opensearch\_cluster](#output\_opensearch\_cluster) | OpenSearch cluster output | + diff --git a/modules/opensearch/main.tf b/modules/opensearch/main.tf new file mode 100644 index 00000000..4b239298 --- /dev/null +++ b/modules/opensearch/main.tf 
@@ -0,0 +1,96 @@
+resource "aws_opensearch_domain" "opensearch_cluster" {
+
+ tags = var.tags
+
+ domain_name = var.domain_name
+ engine_version = var.engine_version
+
+ ip_address_type = var.ip_address_type
+
+ vpc_options {
+ vpc_id = var.vpc_id
+ subnet_ids = var.subnet_ids
+ security_group_ids = var.security_group_ids
+ availability_zones = var.availability_zones
+ }
+
+ off_peak_window_options = var.off_peak_window_options
+
+ # TODO: integrate logwatch in this component but also in the other for production ready solution
+
+ cluster_config {
+ instance_type = var.instance_type
+ instance_count = var.instance_count
+
+ cold_storage_options {
+ enabled = var.cold_storage_enabled
+ }
+
+ dedicated_master_enabled = var.dedicated_master_enabled
+ dedicated_master_type = var.dedicated_master_type
+ dedicated_master_count = var.dedicated_master_count
+ multi_az_with_standby_enabled = var.multi_az_with_standby_enabled
+
+ warm_enabled = var.warm_enabled
+ warm_count = var.warm_count
+ warm_type = var.warm_type
+
+ zone_awareness_config {
+ availability_zone_count = var.zone_awareness_availability_zone_count
+ }
+ zone_awareness_enabled = var.zone_awareness_enabled
+ }
+
+ software_update_options = {
+ auto_software_update_enabled = var.auto_software_update_enabled
+ }
+
+ advanced_security_options {
+ enabled = var.advanced_security_enabled
+ internal_user_database_enabled = var.advanced_security_internal_user_database_enabled
+
+ master_user_options {
+ master_user_name = var.advanced_security_master_user_name
+ master_user_password = var.advanced_security_master_user_password
+ }
+
+ anonymous_auth_enabled = var.advanced_security_anonymous_auth_enabled
+ }
+
+ encrypt_at_rest {
+ enabled = var.encrypt_at_rest_enabled
+ kms_key_id = var.encrypt_at_rest_kms_key_id
+ }
+
+ node_to_node_encryption {
+ enabled = var.node_to_node_encryption_enabled
+ }
+
+ ebs_options {
+ ebs_enabled = var.ebs_enabled
+ iops = var.ebs_iops
+ volume_size = var.ebs_volume_size
+ volume_type = var.ebs_volume_type
+ throughput = var.ebs_throughput
+ }
+
+ snapshot_options {
+ automated_snapshot_start_hour = var.automated_snapshot_start_hour
+ }
+
+ auto_tune_options = var.auto_tune_options
+
+ advanced_options = var.advanced_options
+
+ enable_access_policy = var.enable_access_policy
+ access_policies = var.access_policies
+
+ domain_endpoint_options = var.domain_endpoint_options
+
+ timeouts {
+ create = var.create_timeout
+ }
+
+}
+
+# TODO: add kms key, security group, subnet, inspire on aurora
diff --git a/modules/opensearch/outputs.tf b/modules/opensearch/outputs.tf
new file mode 100644
index 00000000..4cde9982
--- /dev/null
+++ b/modules/opensearch/outputs.tf
@@ -0,0 +1,5 @@
+
+output "opensearch_cluster" {
+ value = aws_opensearch_domain.opensearch_cluster
+ description = "OpenSearch cluster output"
+}
diff --git a/modules/opensearch/variables.tf b/modules/opensearch/variables.tf
new file mode 100644
index 00000000..4052514c
--- /dev/null
+++ b/modules/opensearch/variables.tf
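Review bot: `software_update_options = {` is written as an argument assignment, but in the AWS provider's `aws_opensearch_domain` it is a nested block, and the same holds for `off_peak_window_options`, `auto_tune_options` and `domain_endpoint_options`, which are assigned from variables in this hunk. As written the resource should fail validation, and the HTTPS enforcement and minimum TLS policy carried in the `domain_endpoint_options` default never reach the domain. Write them as blocks, e.g. `software_update_options { auto_software_update_enabled = var.auto_software_update_enabled }` and `domain_endpoint_options { enforce_https = true, tls_security_policy = "Policy-Min-TLS-1-2-2019-07" }` fed from typed variables. `enable_access_policy` also does not appear to be an argument of this resource and should probably be dropped or turned into a condition on `access_policies`.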
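Review bot: The `opensearch_cluster` output exports the whole `aws_opensearch_domain.opensearch_cluster` object, which includes the `advanced_security_options` block and therefore `master_user_password`. Export only the attributes callers need, for example `value = aws_opensearch_domain.opensearch_cluster.endpoint` in an output of its own, or at minimum add `sensitive = true` so the password is not printed by plan and apply. The password is written to state either way, so the description should say that the state backend has to be encrypted and access-controlled.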
@@ -0,0 +1,215 @@
+variable "domain_name" {
+ description = "Name of the domain."
+ required = true
+}
+
+variable "engine_version" {
+ description = "OpenSearch version for the domain."
+ required = true
+}
+
+variable "subnet_ids" {
+ type = list(string)
+ description = "The subnet IDs to create the cluster in. For easier usage we are passing through the subnet IDs from the AWS EKS Cluster module."
+ required = true
+}
+
+variable "security_group_ids" {
+ type = list(string)
+ description = "Security groups used by the domain."
+ default = []
+}
+
+variable "vpc_id" {
+ type = string
+ description = "VPC used by the domain."
+ required = true
+}
+
+variable "availability_zones" {
+ type = list(string)
+ description = "Availability zones used by the domain."
+ required = true
+}
+
+variable "instance_type" {
+ default = "t3.small.search"
+ description = "Instance type of data nodes in the cluster."
+}
+
+variable "instance_count" {
+ default = 1
+ description = "Number of instances in the cluster."
+}
+
+variable "cold_storage_enabled" {
+ default = false
+ description = "Indicates cold storage is enabled."
+}
+
+variable "dedicated_master_enabled" {
+ description = "Indicates whether dedicated master nodes are enabled for the cluster."
+ default = true
+}
+variable "dedicated_master_type" {
+ description = "Instance type of the dedicated master nodes in the cluster."
+ default = ""
+}
+
+variable "dedicated_master_count" {
+ description = "Number of dedicated master nodes in the cluster."
+ default = 1
+}
+
+variable "multi_az_with_standby_enabled" {
+ description = "Whether a multi-AZ domain is turned on with a standby AZ."
+ default = false
+}
+
+variable "zone_awareness_enabled" {
+ description = "Indicates whether zone awareness is enabled."
+ default = true
+}
+
+variable "zone_awareness_enabled" {
+ description = "Indicates whether zone awareness is enabled."
+ default = true
+}
+
+variable "zone_awareness_availability_zone_count" {
+ description = "Number of availability zones used."
+ default = 1
+}
+
+variable "warm_enabled" {
+ description = "Warm storage is enabled."
+ default = true
+}
+
+variable "warm_count" {
+ description = "Number of warm nodes in the cluster."
+ default = 1
+}
+
+variable "warm_type" {
+ description = "Instance type for the OpenSearch cluster's warm nodes."
+ default = ""
+}
+
+variable "tags" {
+ default = {}
+ description = "Tags assigned to the domain."
+}
+
+variable "auto_software_update_enabled" {
+ default = false
+ description = "Software update auto for the domain."
+}
+
+variable "automated_snapshot_start_hour" {
+ default = 0
+ description = "Hour during which the service takes an automated daily snapshot of the indices in the domain."
+}
+variable "node_to_node_encryption_enabled" {
+ default = true
+ description = "Whether node to node encryption is enabled."
+}
+
+variable "advanced_options" {
+ default = {
+ "rest.action.multi.allow_explicit_index" = true
+ }
+ description = "Key-value string pairs to specify advanced configuration options."
+}
+
+variable "advanced_security_enabled" {
+ default = false
+ description = "Whether advanced security is enabled."
+}
+
+variable "advanced_security_internal_user_database_enabled" {
+ default = false
+ description = "Whether the internal user database is enabled."
+}
+variable "advanced_security_master_user_name" {
+ default = "opensearch-admin"
+ description = "Main user's username, which is stored in the Amazon Elasticsearch Service domain's internal database. Only specify if `advanced_security_internal_user_database_enabled` is set to true."
+}
+variable "advanced_security_master_user_password" {
+ description = "Main user's password, which is stored in the Amazon Elasticsearch Service domain's internal database. Only specify if `advanced_security_internal_user_database_enabled` is set to true."
+}
+variable "advanced_security_anonymous_auth_enabled" {
+ description = "Whether the anonymous auth is enabled."
+ default = false
+}
+
+variable "encrypt_at_rest_enabled" {
+ description = "Configuration block for encrypt at rest options. Only available for certain instance types."
+ default = true
+}
+
+
+variable "encrypt_at_rest_kms_key_id" {
+ description = "KMS key id used to encrypt at rest."
+}
+
+variable "access_policies" {
+ description = "IAM policy document specifying the access policies for the domain."
+}
+
+
+variable "create_timeout" {
+ description = "How much time to wait for the creation before timing out."
+ default = "2h"
+}
+
+variable "ebs_enabled" {
+ description = "Whether EBS volumes are attached to data nodes in the domain."
+ default = true
+}
+
+variable "ebs_iops" {
+ description = "Baseline input/output (I/O) performance of EBS volumes attached to data nodes. Applicable only for the GP3 and Provisioned IOPS EBS volume types."
+}
+
+variable "ebs_throughput" {
+ description = "(Required if `ebs_volume_type` is set to gp3) Specifies the throughput (in MiB/s) of the EBS volumes attached to data nodes. Applicable only for the gp3 volume type."
+}
+
+variable "ebs_volume_type" {
+ default = "gp3"
+ description = "Type of EBS volumes attached to data nodes."
+}
+
+variable "ebs_volume_size" {
+ description = "Type of EBS volumes attached to data nodes."
+ required = true
+ default = 64
+}
+
+variable "enable_access_policy" {
+ default = true
+ description = "Determines whether an access policy will be applied to the domain"
+}
+
+variable "auto_tune_options" {
+ type = any
+ description = "Configuration block for the Auto-Tune options of the domain"
+ default = { "desired_state" : "ENABLED", "rollback_on_disable" : "NO_ROLLBACK" }
+}
+
+variable "domain_endpoint_options" {
+ type = any
+ description = "Configuration block for domain endpoint HTTP(S) related options"
+ default = { "enforce_https" : true, "tls_security_policy" : "Policy-Min-TLS-1-2-2019-07" }
+}
+
+variable "ip_address_type" {
+ description = "The IP address type for the endpoint. Valid values are ipv4 and dualstack"
+}
+
+
+variable "off_peak_window_options" {
+ description = "Configuration to add Off Peak update options"
+ default = { "enabled" : true, "off_peak_window" : { "hours" : 7 } }
+}
From 5fda68aab77b5096320b764517b6dc1166db8e46 Mon Sep 17 00:00:00 2001
From: Leo J <153937047+leiicamundi@users.noreply.github.com>
Date: Wed, 25 Sep 2024 20:39:21 +0200
Subject: [PATCH 002/135] update readme
---
modules/opensearch/README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/opensearch/README.md b/modules/opensearch/README.md
index b70d1d93..8b031f0a 100644
--- a/modules/opensearch/README.md
+++ b/modules/opensearch/README.md
@@ -8,7 +8,7 @@ Below is a simple example configuration that demonstrates how to use this module ```hcl module "opensearch_domain" { - source = "path-to-your-module" + source = "github.com/camunda/camunda-tf-eks-module/modules/opensearch" domain_name = "my-opensearch-domain" engine_version = "OpenSearch_1.0"
From 7b08427b9d9b05ec1b40812d967e9b35e84ea366 Mon Sep 17 00:00:00 2001
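Review bot: `advanced_security_master_user_password` is declared without a type and without `sensitive = true`, so Terraform will print the password in plan output and CI logs; add `type = string` and `sensitive = true` to that block. Separately, `required = true` is not a valid argument in a `variable` block (a variable is required when it has no `default`); it appears on `domain_name`, `engine_version`, `subnet_ids`, `vpc_id`, `availability_zones` and `ebs_volume_size`, and `zone_awareness_enabled` is declared twice, so the module should not pass `terraform validate` as written. `advanced_security_enabled` defaults to `false`, which means a caller who does not opt in gets a domain without fine-grained access control; the description should say so or the default should be `true`.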
From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Thu, 26 Sep 2024 18:31:55 +0200 Subject: [PATCH 003/135] add missing sg --- modules/opensearch/README.md | 10 +++++-- modules/opensearch/main.tf | 52 +++++++++++++++++++++++++++++---- modules/opensearch/variables.tf | 34 ++++++++++++++------- 3 files changed, 78 insertions(+), 18 deletions(-) diff --git a/modules/opensearch/README.md b/modules/opensearch/README.md index 8b031f0a..287a80f3 100644 --- a/modules/opensearch/README.md +++ b/modules/opensearch/README.md @@ -68,7 +68,11 @@ No modules. | Name | Type | |------|------| +| [aws_kms_key.key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | | [aws_opensearch_domain.opensearch_cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/opensearch_domain) | resource | +| [aws_security_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_security_group_rule.allow_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.allow_ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | ## Inputs | Name | Description | Type | Default | Required | @@ -84,6 +88,7 @@ No modules. | [auto\_tune\_options](#input\_auto\_tune\_options) | Configuration block for the Auto-Tune options of the domain | `any` |
{
"desired_state": "ENABLED",
"rollback_on_disable": "NO_ROLLBACK"
}
| no | | [automated\_snapshot\_start\_hour](#input\_automated\_snapshot\_start\_hour) | Hour during which the service takes an automated daily snapshot of the indices in the domain. | `number` | `0` | no | | [availability\_zones](#input\_availability\_zones) | Availability zones used by the domain. | `list(string)` | n/a | yes | +| [cidr\_blocks](#input\_cidr\_blocks) | The CIDR blocks to allow acces from and to. | `list(string)` | n/a | yes | | [cold\_storage\_enabled](#input\_cold\_storage\_enabled) | Indicates cold storage is enabled. | `bool` | `false` | no | | [create\_timeout](#input\_create\_timeout) | How much time to wait for the creation before timing out. | `string` | `"2h"` | no | | [dedicated\_master\_count](#input\_dedicated\_master\_count) | Number of dedicated master nodes in the cluster. | `number` | `1` | no | 
@@ -97,12 +102,13 @@ No modules. | [ebs\_volume\_size](#input\_ebs\_volume\_size) | Type of EBS volumes attached to data nodes. | `number` | `64` | no | | [ebs\_volume\_type](#input\_ebs\_volume\_type) | Type of EBS volumes attached to data nodes. | `string` | `"gp3"` | no | | [enable\_access\_policy](#input\_enable\_access\_policy) | Determines whether an access policy will be applied to the domain | `bool` | `true` | no | -| [encrypt\_at\_rest\_enabled](#input\_encrypt\_at\_rest\_enabled) | Configuration block for encrypt at rest options. Only available for certain instance types. | `bool` | `true` | no | -| [encrypt\_at\_rest\_kms\_key\_id](#input\_encrypt\_at\_rest\_kms\_key\_id) | KMS key id used to encrypt at rest. | `any` | n/a | yes | | [engine\_version](#input\_engine\_version) | OpenSearch version for the domain. | `any` | n/a | yes | | [instance\_count](#input\_instance\_count) | Number of instances in the cluster. | `number` | `1` | no | | [instance\_type](#input\_instance\_type) | Instance type of data nodes in the cluster. | `string` | `"t3.small.search"` | no | | [ip\_address\_type](#input\_ip\_address\_type) | The IP address type for the endpoint. Valid values are ipv4 and dualstack | `any` | n/a | yes | +| [kms\_key\_delete\_window\_in\_days](#input\_kms\_key\_delete\_window\_in\_days) | The number of days before the KMS key is deleted after being disabled. | `number` | `7` | no | +| [kms\_key\_enable\_key\_rotation](#input\_kms\_key\_enable\_key\_rotation) | Specifies whether automatic key rotation is enabled for the KMS key. | `bool` | `true` | no | +| [kms\_key\_tags](#input\_kms\_key\_tags) | The tags to associate with the KMS key. | `map(string)` | `{}` | no | | [multi\_az\_with\_standby\_enabled](#input\_multi\_az\_with\_standby\_enabled) | Whether a multi-AZ domain is turned on with a standby AZ. 
| `bool` | `false` | no | | [node\_to\_node\_encryption\_enabled](#input\_node\_to\_node\_encryption\_enabled) | Whether node to node encryption is enabled. | `bool` | `true` | no | | [off\_peak\_window\_options](#input\_off\_peak\_window\_options) | Configuration to add Off Peak update options | `map` |
{
"enabled": true,
"off_peak_window": {
"hours": 7
}
}
| no | diff --git a/modules/opensearch/main.tf b/modules/opensearch/main.tf index 4b239298..dfd5c0f1 100644 --- a/modules/opensearch/main.tf +++ b/modules/opensearch/main.tf @@ -1,5 +1,4 @@ resource "aws_opensearch_domain" "opensearch_cluster" { - tags = var.tags domain_name = var.domain_name @@ -10,7 +9,7 @@ resource "aws_opensearch_domain" "opensearch_cluster" { vpc_options { vpc_id = var.vpc_id subnet_ids = var.subnet_ids - security_group_ids = var.security_group_ids + security_group_ids = concat([aws_security_group.this.id], var.security_group_ids) availability_zones = var.availability_zones } @@ -58,8 +57,8 @@ resource "aws_opensearch_domain" "opensearch_cluster" { } encrypt_at_rest { - enabled = var.encrypt_at_rest_enabled - kms_key_id = var.encrypt_at_rest_kms_key_id + enabled = true + kms_key_id = aws_kms_key.kms.key_id } node_to_node_encryption { 
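Review bot: `kms_key_id = aws_kms_key.kms.key_id` in the `@@ -58,8 +57,8 @@` hunk refers to a resource named `kms`, but the key added in the `@@ -93,4 +92,47 @@` hunk of the same file is declared as `resource "aws_kms_key" "key"`, so the reference is undeclared and planning will fail. Use `aws_kms_key.key.key_id` here, or rename the resource to match. Hard-coding `enabled = true` removes the caller's ability to switch encryption at rest off, which is worth stating in the module README now that `encrypt_at_rest_enabled` is gone. The enclosing `aws_opensearch_domain` resource starts and ends outside this hunk.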
@@ -93,4 +92,47 @@ resource "aws_opensearch_domain" "opensearch_cluster" { } -# TODO: add kms key, security group, subnet, inspire on aurora +resource "aws_kms_key" "key" { + description = "${var.cluster_name}-key" + deletion_window_in_days = var.kms_key_delete_window_in_days + enable_key_rotation = var.kms_key_enable_key_rotation + + tags = var.kms_key_tags +} + +resource "aws_security_group" "this" { + name = "${var.cluster_name}-allow-all-internal-access" + description = "Security group managing access to ${var.cluster_name}" + + vpc_id = var.vpc_id + + tags = var.tags +} + +resource "aws_security_group_rule" "allow_egress" { + description = "Allow outgoing traffic for the OpenSearch" + + type = "egress" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = var.cidr_blocks + + security_group_id = aws_security_group.this.id +} + +resource "aws_security_group_rule" "allow_ingress" { + for_each = [9200, 9300] + + description = "Allow incoming traffic for the OpenSearch on port ${each.value}" + + type = "ingress" + from_port = each.value + to_port = each.value + protocol = "tcp" + cidr_blocks = var.cidr_blocks + + security_group_id = aws_security_group.this.id +} + +# TODO: test backup diff --git a/modules/opensearch/variables.tf b/modules/opensearch/variables.tf index 4052514c..07c8f8ab 100644 --- a/modules/opensearch/variables.tf +++ b/modules/opensearch/variables.tf @@ -14,6 +14,11 @@ variable "subnet_ids" { required = true } +variable "cidr_blocks" { + type = list(string) + description = "The CIDR blocks to allow acces from and to." +} + variable "security_group_ids" { type = list(string) description = "Security groups used by the domain." 
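Review bot: The `allow_ingress` rules open TCP 9200 and 9300, but a managed OpenSearch domain in a VPC is served over HTTPS on port 443, so these rules would not admit client traffic to the endpoint while still widening the group. `for_each = [9200, 9300]` is also rejected by Terraform, because `for_each` takes a map or a set of strings; something like `for_each = toset(["443"])` with `from_port = tonumber(each.value)` and `to_port = tonumber(each.value)` addresses both. `var.cluster_name` is used in the key description and in the security group name and description, but no such variable is declared in the variables.tf hunks of this commit (the module has `domain_name`). The `allow_egress` rule permits every protocol and port to `var.cidr_blocks`; it is worth checking whether the domain needs any egress rule at all.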
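Review bot: `cidr_blocks` has no `validation` block and no guidance in its description, and the same list drives both the ingress rules and the all-protocol egress rule in main.tf, so a caller who passes `0.0.0.0/0` opens the domain's security group in both directions. Consider separate ingress and egress variables, or a validation such as `condition = !contains(var.cidr_blocks, "0.0.0.0/0")`, and state in the description that the expected values are the VPC or EKS subnet ranges. The description also has a typo, `acces`.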
@@ -143,21 +148,10 @@ variable "advanced_security_anonymous_auth_enabled" { default = false } -variable "encrypt_at_rest_enabled" { - description = "Configuration block for encrypt at rest options. Only available for certain instance types." - default = true -} - - -variable "encrypt_at_rest_kms_key_id" { - description = "KMS key id used to encrypt at rest." -} - variable "access_policies" { description = "IAM policy document specifying the access policies for the domain." } - variable "create_timeout" { description = "How much time to wait for the creation before timing out." default = "2h" @@ -213,3 +207,21 @@ variable "off_peak_window_options" { description = "Configuration to add Off Peak update options" default = { "enabled" : true, "off_peak_window" : { "hours" : 7 } } } + +variable "kms_key_delete_window_in_days" { + description = "The number of days before the KMS key is deleted after being disabled." + type = number + default = 7 +} + +variable "kms_key_enable_key_rotation" { + description = "Specifies whether automatic key rotation is enabled for the KMS key." + type = bool + default = true +} + +variable "kms_key_tags" { + description = "The tags to associate with the KMS key." + type = map(string) + default = {} +} From 2c5112eb14606104c35d1455feac48a73970a116 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Thu, 26 Sep 2024 18:32:41 +0200 Subject: [PATCH 004/135] add types --- modules/opensearch/README.md | 24 +++++++------- modules/opensearch/variables.tf | 55 ++++++++++++++++++++++++++------- 2 files changed, 56 insertions(+), 23 deletions(-) diff --git a/modules/opensearch/README.md b/modules/opensearch/README.md index 287a80f3..c03122de 100644 --- a/modules/opensearch/README.md +++ b/modules/opensearch/README.md 
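Review bot: `kms_key_delete_window_in_days` defaults to `7`, the shortest waiting period KMS accepts, and once the key is deleted every volume and snapshot encrypted with it is unrecoverable; a default of `30` with a `validation` on the 7 to 30 range is the safer choice for a key that protects the domain's data. The description says the key is deleted "after being disabled", but the window counts from the moment deletion is scheduled, for example by `terraform destroy`. Suggested wording: `"Waiting period in days (7-30) between scheduling the KMS key for deletion and its actual deletion."`.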
@@ -77,44 +77,44 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [access\_policies](#input\_access\_policies) | IAM policy document specifying the access policies for the domain. | `any` | n/a | yes | -| [advanced\_options](#input\_advanced\_options) | Key-value string pairs to specify advanced configuration options. | `map` |
{
"rest.action.multi.allow_explicit_index": true
}
| no | +| [access\_policies](#input\_access\_policies) | IAM policy document specifying the access policies for the domain. | `string` | n/a | yes | +| [advanced\_options](#input\_advanced\_options) | Key-value string pairs to specify advanced configuration options. | `map(any)` |
{
"rest.action.multi.allow_explicit_index": true
}
| no | | [advanced\_security\_anonymous\_auth\_enabled](#input\_advanced\_security\_anonymous\_auth\_enabled) | Whether the anonymous auth is enabled. | `bool` | `false` | no | | [advanced\_security\_enabled](#input\_advanced\_security\_enabled) | Whether advanced security is enabled. | `bool` | `false` | no | | [advanced\_security\_internal\_user\_database\_enabled](#input\_advanced\_security\_internal\_user\_database\_enabled) | Whether the internal user database is enabled. | `bool` | `false` | no | | [advanced\_security\_master\_user\_name](#input\_advanced\_security\_master\_user\_name) | Main user's username, which is stored in the Amazon Elasticsearch Service domain's internal database. Only specify if `advanced_security_internal_user_database_enabled` is set to true. | `string` | `"opensearch-admin"` | no | -| [advanced\_security\_master\_user\_password](#input\_advanced\_security\_master\_user\_password) | Main user's password, which is stored in the Amazon Elasticsearch Service domain's internal database. Only specify if `advanced_security_internal_user_database_enabled` is set to true. | `any` | n/a | yes | +| [advanced\_security\_master\_user\_password](#input\_advanced\_security\_master\_user\_password) | Main user's password, which is stored in the Amazon Elasticsearch Service domain's internal database. Only specify if `advanced_security_internal_user_database_enabled` is set to true. | `string` | n/a | yes | | [auto\_software\_update\_enabled](#input\_auto\_software\_update\_enabled) | Software update auto for the domain. | `bool` | `false` | no | | [auto\_tune\_options](#input\_auto\_tune\_options) | Configuration block for the Auto-Tune options of the domain | `any` |
{
"desired_state": "ENABLED",
"rollback_on_disable": "NO_ROLLBACK"
}
| no | | [automated\_snapshot\_start\_hour](#input\_automated\_snapshot\_start\_hour) | Hour during which the service takes an automated daily snapshot of the indices in the domain. | `number` | `0` | no | | [availability\_zones](#input\_availability\_zones) | Availability zones used by the domain. | `list(string)` | n/a | yes | -| [cidr\_blocks](#input\_cidr\_blocks) | The CIDR blocks to allow acces from and to. | `list(string)` | n/a | yes | +| [cidr\_blocks](#input\_cidr\_blocks) | The CIDR blocks to allow access from and to. | `list(string)` | n/a | yes | | [cold\_storage\_enabled](#input\_cold\_storage\_enabled) | Indicates cold storage is enabled. | `bool` | `false` | no | | [create\_timeout](#input\_create\_timeout) | How much time to wait for the creation before timing out. | `string` | `"2h"` | no | | [dedicated\_master\_count](#input\_dedicated\_master\_count) | Number of dedicated master nodes in the cluster. | `number` | `1` | no | | [dedicated\_master\_enabled](#input\_dedicated\_master\_enabled) | Indicates whether dedicated master nodes are enabled for the cluster. | `bool` | `true` | no | | [dedicated\_master\_type](#input\_dedicated\_master\_type) | Instance type of the dedicated master nodes in the cluster. | `string` | `""` | no | | [domain\_endpoint\_options](#input\_domain\_endpoint\_options) | Configuration block for domain endpoint HTTP(S) related options | `any` |
{
"enforce_https": true,
"tls_security_policy": "Policy-Min-TLS-1-2-2019-07"
}
| no | -| [domain\_name](#input\_domain\_name) | Name of the domain. | `any` | n/a | yes | +| [domain\_name](#input\_domain\_name) | Name of the domain. | `string` | n/a | yes | | [ebs\_enabled](#input\_ebs\_enabled) | Whether EBS volumes are attached to data nodes in the domain. | `bool` | `true` | no | -| [ebs\_iops](#input\_ebs\_iops) | Baseline input/output (I/O) performance of EBS volumes attached to data nodes. Applicable only for the GP3 and Provisioned IOPS EBS volume types. | `any` | n/a | yes | -| [ebs\_throughput](#input\_ebs\_throughput) | (Required if `ebs_volume_type` is set to gp3) Specifies the throughput (in MiB/s) of the EBS volumes attached to data nodes. Applicable only for the gp3 volume type. | `any` | n/a | yes | -| [ebs\_volume\_size](#input\_ebs\_volume\_size) | Type of EBS volumes attached to data nodes. | `number` | `64` | no | +| [ebs\_iops](#input\_ebs\_iops) | Baseline input/output (I/O) performance of EBS volumes attached to data nodes. Applicable only for the GP3 and Provisioned IOPS EBS volume types. | `number` | n/a | yes | +| [ebs\_throughput](#input\_ebs\_throughput) | (Required if `ebs_volume_type` is set to gp3) Specifies the throughput (in MiB/s) of the EBS volumes attached to data nodes. Applicable only for the gp3 volume type. | `number` | n/a | yes | +| [ebs\_volume\_size](#input\_ebs\_volume\_size) | Size of EBS volumes attached to data nodes. | `number` | `64` | no | | [ebs\_volume\_type](#input\_ebs\_volume\_type) | Type of EBS volumes attached to data nodes. | `string` | `"gp3"` | no | | [enable\_access\_policy](#input\_enable\_access\_policy) | Determines whether an access policy will be applied to the domain | `bool` | `true` | no | -| [engine\_version](#input\_engine\_version) | OpenSearch version for the domain. | `any` | n/a | yes | +| [engine\_version](#input\_engine\_version) | OpenSearch version for the domain. 
| `string` | n/a | yes | | [instance\_count](#input\_instance\_count) | Number of instances in the cluster. | `number` | `1` | no | | [instance\_type](#input\_instance\_type) | Instance type of data nodes in the cluster. | `string` | `"t3.small.search"` | no | -| [ip\_address\_type](#input\_ip\_address\_type) | The IP address type for the endpoint. Valid values are ipv4 and dualstack | `any` | n/a | yes | +| [ip\_address\_type](#input\_ip\_address\_type) | The IP address type for the endpoint. Valid values are ipv4 and dualstack | `string` | n/a | yes | | [kms\_key\_delete\_window\_in\_days](#input\_kms\_key\_delete\_window\_in\_days) | The number of days before the KMS key is deleted after being disabled. | `number` | `7` | no | | [kms\_key\_enable\_key\_rotation](#input\_kms\_key\_enable\_key\_rotation) | Specifies whether automatic key rotation is enabled for the KMS key. | `bool` | `true` | no | | [kms\_key\_tags](#input\_kms\_key\_tags) | The tags to associate with the KMS key. | `map(string)` | `{}` | no | | [multi\_az\_with\_standby\_enabled](#input\_multi\_az\_with\_standby\_enabled) | Whether a multi-AZ domain is turned on with a standby AZ. | `bool` | `false` | no | | [node\_to\_node\_encryption\_enabled](#input\_node\_to\_node\_encryption\_enabled) | Whether node to node encryption is enabled. | `bool` | `true` | no | -| [off\_peak\_window\_options](#input\_off\_peak\_window\_options) | Configuration to add Off Peak update options | `map` |
{
"enabled": true,
"off_peak_window": {
"hours": 7
}
}
| no | +| [off\_peak\_window\_options](#input\_off\_peak\_window\_options) | Configuration to add Off Peak update options | `any` |
{
"enabled": true,
"off_peak_window": {
"hours": 7
}
}
| no | | [security\_group\_ids](#input\_security\_group\_ids) | Security groups used by the domain. | `list(string)` | `[]` | no | | [subnet\_ids](#input\_subnet\_ids) | The subnet IDs to create the cluster in. For easier usage we are passing through the subnet IDs from the AWS EKS Cluster module. | `list(string)` | n/a | yes | -| [tags](#input\_tags) | Tags assigned to the domain. | `map` | `{}` | no | +| [tags](#input\_tags) | Tags assigned to the domain. | `map(string)` | `{}` | no | | [vpc\_id](#input\_vpc\_id) | VPC used by the domain. | `string` | n/a | yes | | [warm\_count](#input\_warm\_count) | Number of warm nodes in the cluster. | `number` | `1` | no | | [warm\_enabled](#input\_warm\_enabled) | Warm storage is enabled. | `bool` | `true` | no | diff --git a/modules/opensearch/variables.tf b/modules/opensearch/variables.tf index 07c8f8ab..7de54544 100644 --- a/modules/opensearch/variables.tf +++ b/modules/opensearch/variables.tf @@ -1,9 +1,11 @@ variable "domain_name" { + type = string description = "Name of the domain." required = true } variable "engine_version" { + type = string description = "OpenSearch version for the domain." required = true } @@ -16,7 +18,7 @@ variable "subnet_ids" { variable "cidr_blocks" { type = list(string) - description = "The CIDR blocks to allow acces from and to." + description = "The CIDR blocks to allow access from and to." } variable "security_group_ids" { 
@@ -38,89 +40,103 @@ variable "availability_zones" { } variable "instance_type" { + type = string default = "t3.small.search" description = "Instance type of data nodes in the cluster." } variable "instance_count" { + type = number default = 1 description = "Number of instances in the cluster." } variable "cold_storage_enabled" { + type = bool default = false description = "Indicates cold storage is enabled." } variable "dedicated_master_enabled" { + type = bool description = "Indicates whether dedicated master nodes are enabled for the cluster." default = true } + variable "dedicated_master_type" { + type = string description = "Instance type of the dedicated master nodes in the cluster." default = "" } variable "dedicated_master_count" { + type = number description = "Number of dedicated master nodes in the cluster." default = 1 } variable "multi_az_with_standby_enabled" { + type = bool description = "Whether a multi-AZ domain is turned on with a standby AZ." default = false } variable "zone_awareness_enabled" { - description = "Indicates whether zone awareness is enabled." - default = true -} - -variable "zone_awareness_enabled" { + type = bool description = "Indicates whether zone awareness is enabled." default = true } variable "zone_awareness_availability_zone_count" { + type = number description = "Number of availability zones used." default = 1 } variable "warm_enabled" { + type = bool description = "Warm storage is enabled." default = true } variable "warm_count" { + type = number description = "Number of warm nodes in the cluster." default = 1 } variable "warm_type" { + type = string description = "Instance type for the OpenSearch cluster's warm nodes." default = "" } variable "tags" { + type = map(string) default = {} description = "Tags assigned to the domain." } variable "auto_software_update_enabled" { + type = bool default = false description = "Software update auto for the domain." 
} variable "automated_snapshot_start_hour" { + type = number default = 0 description = "Hour during which the service takes an automated daily snapshot of the indices in the domain." } + variable "node_to_node_encryption_enabled" { + type = bool default = true description = "Whether node to node encryption is enabled." } variable "advanced_options" { + type = map(any) default = { "rest.action.multi.allow_explicit_index" = true } 
@@ -128,60 +144,76 @@ variable "advanced_options" { } variable "advanced_security_enabled" { + type = bool default = false description = "Whether advanced security is enabled." } variable "advanced_security_internal_user_database_enabled" { + type = bool default = false description = "Whether the internal user database is enabled." } + variable "advanced_security_master_user_name" { + type = string default = "opensearch-admin" description = "Main user's username, which is stored in the Amazon Elasticsearch Service domain's internal database. Only specify if `advanced_security_internal_user_database_enabled` is set to true." } + variable "advanced_security_master_user_password" { + type = string description = "Main user's password, which is stored in the Amazon Elasticsearch Service domain's internal database. Only specify if `advanced_security_internal_user_database_enabled` is set to true." } + variable "advanced_security_anonymous_auth_enabled" { + type = bool description = "Whether the anonymous auth is enabled." default = false } variable "access_policies" { + type = string description = "IAM policy document specifying the access policies for the domain." } variable "create_timeout" { + type = string description = "How much time to wait for the creation before timing out." default = "2h" } variable "ebs_enabled" { + type = bool description = "Whether EBS volumes are attached to data nodes in the domain." default = true } variable "ebs_iops" { + type = number description = "Baseline input/output (I/O) performance of EBS volumes attached to data nodes. Applicable only for the GP3 and Provisioned IOPS EBS volume types." } variable "ebs_throughput" { + type = number description = "(Required if `ebs_volume_type` is set to gp3) Specifies the throughput (in MiB/s) of the EBS volumes attached to data nodes. Applicable only for the gp3 volume type." } variable "ebs_volume_type" { + type = string default = "gp3" description = "Type of EBS volumes attached to data nodes." 
} variable "ebs_volume_size" { - description = "Type of EBS volumes attached to data nodes." + type = number + description = "Size of EBS volumes attached to data nodes." required = true default = 64 } variable "enable_access_policy" { + type = bool default = true description = "Determines whether an access policy will be applied to the domain" } @@ -199,29 +231,30 @@ variable "domain_endpoint_options" { } variable "ip_address_type" { + type = string description = "The IP address type for the endpoint. Valid values are ipv4 and dualstack" } - variable "off_peak_window_options" { + type = any description = "Configuration to add Off Peak update options" default = { "enabled" : true, "off_peak_window" : { "hours" : 7 } } } variable "kms_key_delete_window_in_days" { - description = "The number of days before the KMS key is deleted after being disabled." type = number + description = "The number of days before the KMS key is deleted after being disabled." default = 7 } variable "kms_key_enable_key_rotation" { - description = "Specifies whether automatic key rotation is enabled for the KMS key." type = bool + description = "Specifies whether automatic key rotation is enabled for the KMS key." default = true } variable "kms_key_tags" { - description = "The tags to associate with the KMS key." type = map(string) + description = "The tags to associate with the KMS key." default = {} } From d286aaa47e4dc6064af2cccdac6b4bc2f7e5aa19 Mon Sep 17 00:00:00 2001 
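Review bot: `advanced_security_master_user_password` gets `type = string` in this hunk but no `sensitive = true`, so Terraform will show the value in plan and apply output, and any CI job that prints that output will log it. I would add `sensitive = true` to that variable block. The value is still stored in the state file in clear text, so a comment next to the variable saying that the state backend must be encrypted and access-restricted would help. The variable has no default (the README row lists it as required), so every caller has to supply it and should take it from a secret store rather than a literal.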
From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Thu, 26 Sep 2024 19:20:05 +0200 Subject: [PATCH 005/135] update opensearch gha --- .../eks-cleanup-resources/scripts/destroy.sh | 8 + .../opensearch-manage-cluster/README.md | 162 ++++++++++++++++ .../opensearch-manage-cluster/action.yml | 173 ++++++++++++++++++ modules/opensearch/README.md | 14 +- modules/opensearch/main.tf | 2 +- modules/opensearch/outputs.tf | 40 ++++ modules/opensearch/variables.tf | 19 +- 7 files changed, 406 insertions(+), 12 deletions(-) diff --git a/.github/actions/eks-cleanup-resources/scripts/destroy.sh b/.github/actions/eks-cleanup-resources/scripts/destroy.sh index d12e0d59..715eba3c 100755 --- a/.github/actions/eks-cleanup-resources/scripts/destroy.sh +++ b/.github/actions/eks-cleanup-resources/scripts/destroy.sh @@ -152,6 +152,14 @@ destroy_resource() { -var="subnet_ids=[]" \ -var="cidr_blocks=[]" \ -var="vpc_id=vpc-dummy"; then return 1; fi + + elif [ "$terraform_module" == "opensearch" ]; then + if ! terraform destroy -auto-approve \ + -var="domain_name=$cluster_name" \ + -var="vpc_id=vpc-dummy" \ + -var="cidr_blocks=[]" \ + -var="subnet_ids=[]"; then return 1; fi + else echo "Unsupported module: $terraform_module" return 1 diff --git a/.github/actions/opensearch-manage-cluster/README.md b/.github/actions/opensearch-manage-cluster/README.md index e69de29b..f8fe49a8 100644 --- a/.github/actions/opensearch-manage-cluster/README.md +++ b/.github/actions/opensearch-manage-cluster/README.md @@ -0,0 +1,162 @@ +# Deploy OpenSearch Domain + +## Description + +This GitHub Action automates the deployment of an OpenSearch domain using Terraform. +It will also install Terraform and awscli. It will output the OpenSearch domain endpoint. + + +## Inputs + +| name | description | required | default | +| --- | --- | --- | --- | +| `domain-name` |
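Review bot: The new `opensearch` branch passes only `domain_name`, `vpc_id`, `cidr_blocks` and `subnet_ids`, while this commit's module README and `variables.tf` still show `availability_zones` and `ip_address_type` without a default, so `terraform destroy -auto-approve` will probably stop on a missing required variable when it runs without a terminal. Adding dummy values such as `-var="availability_zones=[]"` and `-var="ip_address_type=ipv4"` keeps the cleanup non-interactive, and any other variable that has no default at this point in the series needs the same. The body of `destroy_resource()` starts and ends outside the hunk, so how `$cluster_name` is set and validated is not visible here.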

Name of the OpenSearch domain to deploy

| `true` | `""` | +| `engine-version` |

Version of the OpenSearch engine to deploy

| `false` | `2.15` | +| `vpc-id` |

VPC ID to create the domain in

| `true` | `""` | +| `subnet-ids` |

List of subnet IDs to create the domain in

| `true` | `""` | +| `cidr-blocks` |

CIDR blocks to allow access from and to

| `true` | `""` | +| `availability-zones` |

Array of availability zones to use for the OpenSearch domain

| `true` | `""` | +| `instance-type` |

Instance type for the OpenSearch cluster

| `false` | `t3.small.search` | +| `instance-count` |

Number of instances in the cluster

| `false` | `1` | +| `additional-terraform-vars` |

JSON object containing additional Terraform variables

| `false` | `{}` | +| `s3-backend-bucket` |

Name of the S3 bucket to store Terraform state

| `true` | `""` | +| `s3-bucket-region` |

Region of the bucket containing the resources states

| `false` | `""` | +| `tf-modules-revision` |

Git revision of the tf modules to use

| `false` | `main` | +| `tf-modules-path` |

Path where the tf OpenSearch modules will be cloned

| `false` | `./.action-tf-modules/opensearch/` | +| `tf-cli-config-credentials-hostname` |

The hostname of a HCP Terraform/Terraform Enterprise instance to place within the credentials block of the Terraform CLI configuration file. Defaults to app.terraform.io.

| `false` | `app.terraform.io` | +| `tf-cli-config-credentials-token` |

The API token for a HCP Terraform/Terraform Enterprise instance to place within the credentials block of the Terraform CLI configuration file.

| `false` | `""` | +| `tf-terraform-version` |

The version of Terraform CLI to install. Defaults to latest.

| `false` | `latest` | +| `tf-terraform-wrapper` |

Whether or not to install a wrapper to wrap subsequent calls of the terraform binary and expose its STDOUT, STDERR, and exit code as outputs named stdout, stderr, and exitcode respectively. Defaults to true.

| `false` | `true` | +| `awscli-version` |

Version of the aws cli to use

| `false` | `2.15.52` | + + +## Outputs + +| name | description | +| --- | --- | +| `opensearch-endpoint` |

The endpoint of the deployed OpenSearch domain

| +| `terraform-state-url` |

URL of the Terraform state file in the S3 bucket

| +| `all-terraform-outputs` |

All outputs from Terraform

| + + +## Runs + +This action is a `composite` action. + +## Usage + +```yaml +- uses: camunda/camunda-tf-eks-module/.github/actions/opensearch-manage-cluster@main + with: + domain-name: + # Name of the OpenSearch domain to deploy + # + # Required: true + # Default: "" + + engine-version: + # Version of the OpenSearch engine to deploy + # + # Required: false + # Default: 2.15 + + vpc-id: + # VPC ID to create the domain in + # + # Required: true + # Default: "" + + subnet-ids: + # List of subnet IDs to create the domain in + # + # Required: true + # Default: "" + + cidr-blocks: + # CIDR blocks to allow access from and to + # + # Required: true + # Default: "" + + availability-zones: + # Array of availability zones to use for the OpenSearch domain + # + # Required: true + # Default: "" + + instance-type: + # Instance type for the OpenSearch cluster + # + # Required: false + # Default: t3.small.search + + instance-count: + # Number of instances in the cluster + # + # Required: false + # Default: 1 + + additional-terraform-vars: + # JSON object containing additional Terraform variables + # + # Required: false + # Default: {} + + s3-backend-bucket: + # Name of the S3 bucket to store Terraform state + # + # Required: true + # Default: "" + + s3-bucket-region: + # Region of the bucket containing the resources states + # + # Required: false + # Default: "" + + tf-modules-revision: + # Git revision of the tf modules to use + # + # Required: false + # Default: main + + tf-modules-path: + # Path where the tf OpenSearch modules will be cloned + # + # Required: false + # Default: ./.action-tf-modules/opensearch/ + + tf-cli-config-credentials-hostname: + # The hostname of a HCP Terraform/Terraform Enterprise instance to place within the credentials block + # of the Terraform CLI configuration file. Defaults to `app.terraform.io`. 
+ # + # Required: false + # Default: app.terraform.io + + tf-cli-config-credentials-token: + # The API token for a HCP Terraform/Terraform Enterprise instance to place + # within the credentials block of the Terraform CLI configuration file. + # + # Required: false + # Default: "" + + tf-terraform-version: + # The version of Terraform CLI to install. Defaults to `latest`. + # + # Required: false + # Default: latest + + tf-terraform-wrapper: + # Whether or not to install a wrapper to wrap subsequent calls of the `terraform` binary + # and expose its STDOUT, STDERR, and exit code + # as outputs named `stdout`, `stderr`, and `exitcode` respectively. Defaults to `true`. + # + # Required: false + # Default: true + + awscli-version: + # Version of the aws cli to use + # + # Required: false + # Default: 2.15.52 +``` diff --git a/.github/actions/opensearch-manage-cluster/action.yml b/.github/actions/opensearch-manage-cluster/action.yml index e69de29b..eff0c007 100644 --- a/.github/actions/opensearch-manage-cluster/action.yml +++ b/.github/actions/opensearch-manage-cluster/action.yml 
@@ -0,0 +1,173 @@ +--- +name: Deploy OpenSearch Domain + +description: | + This GitHub Action automates the deployment of an OpenSearch domain using Terraform. + It will also install Terraform and awscli. It will output the OpenSearch domain endpoint. + +inputs: + domain-name: + description: Name of the OpenSearch domain to deploy + required: true + + engine-version: + description: Version of the OpenSearch engine to deploy + # TODO: add renovate + default: '2.15' + + vpc-id: + description: VPC ID to create the domain in + required: true + + subnet-ids: + description: List of subnet IDs to create the domain in + required: true + + cidr-blocks: + description: CIDR blocks to allow access from and to + required: true + + availability-zones: + description: Array of availability zones to use for the OpenSearch domain + required: true + + instance-type: + description: Instance type for the OpenSearch cluster + default: t3.small.search + + instance-count: + description: Number of instances in the cluster + default: '1' + + additional-terraform-vars: + description: JSON object containing additional Terraform variables + default: '{}' + + s3-backend-bucket: + description: Name of the S3 bucket to store Terraform state + required: true + + s3-bucket-region: + description: Region of the bucket containing the resources states + required: false + + tf-modules-revision: + description: Git revision of the tf modules to use + default: main + + tf-modules-path: + description: Path where the tf OpenSearch modules will be cloned + default: ./.action-tf-modules/opensearch/ + + tf-cli-config-credentials-hostname: + description: | + The hostname of a HCP Terraform/Terraform Enterprise instance to place within the credentials block + of the Terraform CLI configuration file. Defaults to `app.terraform.io`. 
+ default: app.terraform.io + + tf-cli-config-credentials-token: + description: | + The API token for a HCP Terraform/Terraform Enterprise instance to place + within the credentials block of the Terraform CLI configuration file. + required: false + + tf-terraform-version: + description: The version of Terraform CLI to install. Defaults to `latest`. + default: latest + + tf-terraform-wrapper: + description: | + Whether or not to install a wrapper to wrap subsequent calls of the `terraform` binary + and expose its STDOUT, STDERR, and exit code + as outputs named `stdout`, `stderr`, and `exitcode` respectively. Defaults to `true`. + default: 'true' + + awscli-version: + description: Version of the aws cli to use + # renovate: datasource=github-releases depName=aws/aws-cli + default: 2.15.52 + +outputs: + opensearch-endpoint: + description: The endpoint of the deployed OpenSearch domain + value: ${{ steps.apply.outputs.opensearch_endpoint }} + + terraform-state-url: + description: URL of the Terraform state file in the S3 bucket + value: ${{ steps.utility.outputs.terraform-state-url }} + + all-terraform-outputs: + description: All outputs from Terraform + value: ${{ steps.fetch_outputs.outputs.all_terraform_outputs }} + +runs: + using: composite + steps: + - name: Use Utility Actions + id: utility + uses: camunda/camunda-tf-eks-module/.github/actions/utility-action@e092dfdc4e245e3fd7244214f1e025f733a24b4e + with: + awscli-version: ${{ inputs.awscli-version }} + terraform-version: ${{ inputs.tf-terraform-version }} + + s3-backend-bucket: ${{ inputs.s3-backend-bucket }} + s3-bucket-region: ${{ inputs.s3-bucket-region }} + + tf-state-key: terraform/${{ inputs.domain-name }}/gha/opensearch/terraform.tfstate + + tf-cli-config-credentials-hostname: ${{ inputs.tf-cli-config-credentials-hostname }} + tf-cli-config-credentials-token: ${{ inputs.tf-cli-config-credentials-token }} + tf-terraform-wrapper: ${{ inputs.tf-terraform-wrapper }} + + - name: Checkout Repository 
OpenSearch modules + uses: actions/checkout@v4 + with: + repository: camunda/camunda-tf-eks-module + ref: ${{ inputs.tf-modules-revision }} + path: ${{ inputs.tf-modules-path }} + fetch-depth: 0 + + - name: Terraform Init + shell: bash + id: init + working-directory: ${{ inputs.tf-modules-path }}/modules/opensearch/ + run: | + cp ../fixtures/backend.tf ./ + terraform version + terraform init -backend-config="bucket=${{ steps.utility.outputs.TFSTATE_BUCKET }}" -backend-config="key=${{ steps.utility.outputs.TFSTATE_KEY }}" \ + -backend-config="region=${{ steps.utility.outputs.TFSTATE_REGION }}" + terraform validate -no-color + + - name: Terraform Plan + shell: bash + id: plan + working-directory: ${{ inputs.tf-modules-path }}/modules/opensearch/ + run: | + echo '${{ inputs.additional-terraform-vars }}' > /tmp/var.tfvars.json + terraform plan -no-color -out opensearch.plan \ + -var-file=/tmp/var.tfvars.json \ + -var "domain_name=${{ inputs.domain-name }}" \ + -var "engine_version=${{ inputs.engine-version }}" \ + -var "vpc_id=${{ inputs.vpc-id }}" \ + -var 'availability_zones=${{ inputs.availability-zones }}' \ + -var 'subnet_ids=${{ inputs.subnet-ids }}' \ + -var 'cidr_blocks=${{ inputs.cidr-blocks }}' \ + -var "instance_type=${{ inputs.instance-type }}" \ + -var "instance_count=${{ inputs.instance-count }}" + + - name: Terraform Apply + shell: bash + id: apply + working-directory: ${{ inputs.tf-modules-path }}/modules/opensearch/ + run: | + terraform apply -no-color opensearch.plan + export opensearch_endpoint="$(terraform output -raw opensearch_endpoint)" + echo "opensearch_endpoint=$opensearch_endpoint" >> "$GITHUB_OUTPUT" + + - name: Fetch Terraform Outputs + shell: bash + id: fetch_outputs + working-directory: ${{ inputs.tf-modules-path }}/modules/opensearch/ + run: | + all_outputs=$(terraform output -json | jq -c .) + echo "all_terraform_outputs=$all_outputs" | tee -a "$GITHUB_OUTPUT" 
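Review bot: Every `${{ inputs.* }}` value in the Terraform Plan step is pasted into the bash script before it runs, so quoting or substitution characters in `additional-terraform-vars`, `domain-name` or the list inputs are read as shell syntax rather than data; passing the values through `env:` and quoting the shell variables removes that. The same step writes the extra variables, which may hold credentials, to the fixed path `/tmp/var.tfvars.json`; a file under `$RUNNER_TEMP` is a safer place. The Terraform Init step expands step outputs into the script the same way and could get the same treatment. Separately, `actions/checkout@v4` is referenced by tag while the utility action above it is pinned to a commit SHA, and `tf-terraform-version` defaults to `latest`; pinning both would make runs reproducible.

```yaml
- name: Terraform Plan
  # … unchanged: shell, id, working-directory …
  env:
    ADDITIONAL_TF_VARS: ${{ inputs.additional-terraform-vars }}
    DOMAIN_NAME: ${{ inputs.domain-name }}
    ENGINE_VERSION: ${{ inputs.engine-version }}
    VPC_ID: ${{ inputs.vpc-id }}
    AVAILABILITY_ZONES: ${{ inputs.availability-zones }}
    SUBNET_IDS: ${{ inputs.subnet-ids }}
    CIDR_BLOCKS: ${{ inputs.cidr-blocks }}
    INSTANCE_TYPE: ${{ inputs.instance-type }}
    INSTANCE_COUNT: ${{ inputs.instance-count }}
  run: |
    vars_file="${RUNNER_TEMP}/opensearch.tfvars.json"
    printf '%s' "$ADDITIONAL_TF_VARS" > "$vars_file"
    terraform plan -no-color -out opensearch.plan \
      -var-file="$vars_file" \
      -var "domain_name=$DOMAIN_NAME" \
      -var "engine_version=$ENGINE_VERSION" \
      -var "vpc_id=$VPC_ID" \
      -var "availability_zones=$AVAILABILITY_ZONES" \
      -var "subnet_ids=$SUBNET_IDS" \
      -var "cidr_blocks=$CIDR_BLOCKS" \
      -var "instance_type=$INSTANCE_TYPE" \
      -var "instance_count=$INSTANCE_COUNT"
```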
diff --git a/modules/opensearch/README.md b/modules/opensearch/README.md index c03122de..ec81ee47 100644 --- a/modules/opensearch/README.md +++ b/modules/opensearch/README.md @@ -87,7 +87,7 @@ No modules. | [auto\_software\_update\_enabled](#input\_auto\_software\_update\_enabled) | Software update auto for the domain. | `bool` | `false` | no | | [auto\_tune\_options](#input\_auto\_tune\_options) | Configuration block for the Auto-Tune options of the domain | `any` |
{
"desired_state": "ENABLED",
"rollback_on_disable": "NO_ROLLBACK"
}
| no | | [automated\_snapshot\_start\_hour](#input\_automated\_snapshot\_start\_hour) | Hour during which the service takes an automated daily snapshot of the indices in the domain. | `number` | `0` | no | -| [availability\_zones](#input\_availability\_zones) | Availability zones used by the domain. | `list(string)` | n/a | yes | +| [availability\_zones](#input\_availability\_zones) | Availability zones used by the domain (should match the VPC). | `list(string)` | n/a | yes | | [cidr\_blocks](#input\_cidr\_blocks) | The CIDR blocks to allow access from and to. | `list(string)` | n/a | yes | | [cold\_storage\_enabled](#input\_cold\_storage\_enabled) | Indicates cold storage is enabled. | `bool` | `false` | no | | [create\_timeout](#input\_create\_timeout) | How much time to wait for the creation before timing out. | `string` | `"2h"` | no | @@ -102,7 +102,7 @@ No modules. | [ebs\_volume\_size](#input\_ebs\_volume\_size) | Size of EBS volumes attached to data nodes. | `number` | `64` | no | | [ebs\_volume\_type](#input\_ebs\_volume\_type) | Type of EBS volumes attached to data nodes. | `string` | `"gp3"` | no | | [enable\_access\_policy](#input\_enable\_access\_policy) | Determines whether an access policy will be applied to the domain | `bool` | `true` | no | -| [engine\_version](#input\_engine\_version) | OpenSearch version for the domain. | `string` | n/a | yes | +| [engine\_version](#input\_engine\_version) | OpenSearch version for the domain. | `string` | `"2.15"` | no | | [instance\_count](#input\_instance\_count) | Number of instances in the cluster. | `number` | `1` | no | | [instance\_type](#input\_instance\_type) | Instance type of data nodes in the cluster. | `string` | `"t3.small.search"` | no | | [ip\_address\_type](#input\_ip\_address\_type) | The IP address type for the endpoint. Valid values are ipv4 and dualstack | `string` | n/a | yes | 
@@ -112,7 +112,7 @@ No modules. | [multi\_az\_with\_standby\_enabled](#input\_multi\_az\_with\_standby\_enabled) | Whether a multi-AZ domain is turned on with a standby AZ. | `bool` | `false` | no | | [node\_to\_node\_encryption\_enabled](#input\_node\_to\_node\_encryption\_enabled) | Whether node to node encryption is enabled. | `bool` | `true` | no | | [off\_peak\_window\_options](#input\_off\_peak\_window\_options) | Configuration to add Off Peak update options | `any` |
{
"enabled": true,
"off_peak_window": {
"hours": 7
}
}
| no | -| [security\_group\_ids](#input\_security\_group\_ids) | Security groups used by the domain. | `list(string)` | `[]` | no | +| [security\_group\_ids](#input\_security\_group\_ids) | Additional security groups used by the domain. | `list(string)` | `[]` | no | | [subnet\_ids](#input\_subnet\_ids) | The subnet IDs to create the cluster in. For easier usage we are passing through the subnet IDs from the AWS EKS Cluster module. | `list(string)` | n/a | yes | | [tags](#input\_tags) | Tags assigned to the domain. | `map(string)` | `{}` | no | | [vpc\_id](#input\_vpc\_id) | VPC used by the domain. | `string` | n/a | yes | @@ -125,5 +125,13 @@ No modules. | Name | Description | |------|-------------| +| [kms\_key\_arn](#output\_kms\_key\_arn) | The ARN of the KMS key used to encrypt the OpenSearch domain | +| [kms\_key\_id](#output\_kms\_key\_id) | The ID of the KMS key used for OpenSearch domain encryption | | [opensearch\_cluster](#output\_opensearch\_cluster) | OpenSearch cluster output | +| [opensearch\_domain\_arn](#output\_opensearch\_domain\_arn) | The ARN of the OpenSearch domain | +| [opensearch\_domain\_endpoint](#output\_opensearch\_domain\_endpoint) | The endpoint of the OpenSearch domain | +| [opensearch\_domain\_id](#output\_opensearch\_domain\_id) | The ID of the OpenSearch domain | +| [security\_group\_id](#output\_security\_group\_id) | The ID of the security group used by OpenSearch | +| [security\_group\_rule\_egress](#output\_security\_group\_rule\_egress) | Egress rule information for OpenSearch security group | +| [security\_group\_rule\_ingress](#output\_security\_group\_rule\_ingress) | Ingress rule information for OpenSearch security group | diff --git a/modules/opensearch/main.tf b/modules/opensearch/main.tf index dfd5c0f1..0467521d 100644 --- a/modules/opensearch/main.tf +++ b/modules/opensearch/main.tf 
@@ -2,7 +2,7 @@ resource "aws_opensearch_domain" "opensearch_cluster" { tags = var.tags domain_name = var.domain_name - engine_version = var.engine_version + engine_version = "OpenSearch_${var.engine_version}" ip_address_type = var.ip_address_type diff --git a/modules/opensearch/outputs.tf b/modules/opensearch/outputs.tf index 4cde9982..87ff2384 100644 --- a/modules/opensearch/outputs.tf +++ b/modules/opensearch/outputs.tf @@ -3,3 +3,43 @@ output "opensearch_cluster" { value = aws_opensearch_domain.opensearch_cluster description = "OpenSearch cluster output" } + +output "opensearch_domain_endpoint" { + description = "The endpoint of the OpenSearch domain" + value = aws_opensearch_domain.opensearch_cluster.endpoint +} + +output "opensearch_domain_arn" { + description = "The ARN of the OpenSearch domain" + value = aws_opensearch_domain.opensearch_cluster.arn +} + +output "opensearch_domain_id" { + description = "The ID of the OpenSearch domain" + value = aws_opensearch_domain.opensearch_cluster.domain_id +} + +output "kms_key_arn" { + description = "The ARN of the KMS key used to encrypt the OpenSearch domain" + value = aws_kms_key.key.arn +} + +output "kms_key_id" { + description = "The ID of the KMS key used for OpenSearch domain encryption" + value = aws_kms_key.key.key_id +} + +output "security_group_id" { + description = "The ID of the security group used by OpenSearch" + value = aws_security_group.this.id +} + +output "security_group_rule_ingress" { + description = "Ingress rule information for OpenSearch security group" + value = aws_security_group_rule.allow_ingress +} + +output "security_group_rule_egress" { + description = "Egress rule information for OpenSearch security group" + value = aws_security_group_rule.allow_egress +} diff --git a/modules/opensearch/variables.tf b/modules/opensearch/variables.tf index 7de54544..24e11056 100644 --- a/modules/opensearch/variables.tf +++ b/modules/opensearch/variables.tf 
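Review bot: None of the outputs added to `outputs.tf` is named `opensearch_endpoint`, yet the Apply step of the composite action in this same commit runs `terraform output -raw opensearch_endpoint`, which will fail because the module only exposes `opensearch_domain_endpoint`. Either rename this output or change the action to read `opensearch_domain_endpoint`. `security_group_rule_ingress` and `security_group_rule_egress` export whole resource objects, so a short comment on which attributes consumers are meant to read would keep the module interface clear.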
@@ -1,3 +1,5 @@ +# ! Developer: if you are adding a variable without a default value, please ensure to reference it in the cleanup script (.github/actions/eks-cleanup-resources/scripts/destroy.sh) + variable "domain_name" { type = string description = "Name of the domain." @@ -7,7 +9,8 @@ variable "domain_name" { variable "engine_version" { type = string description = "OpenSearch version for the domain." - required = true + # TODO: add renovate + default = "2.15" } variable "subnet_ids" { @@ -21,12 +24,6 @@ variable "cidr_blocks" { description = "The CIDR blocks to allow access from and to." } -variable "security_group_ids" { - type = list(string) - description = "Security groups used by the domain." - default = [] -} - variable "vpc_id" { type = string description = "VPC used by the domain." @@ -35,10 +32,16 @@ variable "vpc_id" { variable "availability_zones" { type = list(string) - description = "Availability zones used by the domain." + description = "Availability zones used by the domain (should match the VPC)." required = true } +variable "security_group_ids" { + type = list(string) + description = "Additional security groups used by the domain." + default = [] +} + variable "instance_type" { type = string default = "t3.small.search" From 9104908e545d39861f6f3aac3ab25e92560e1ca7 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Thu, 26 Sep 2024 19:46:13 +0200 Subject: [PATCH 006/135] integrate opensearch in the actions --- .github/workflows/test-gha-eks.yml | 57 +++++++++++++++++++++++++----- 1 file changed, 49 insertions(+), 8 deletions(-) diff --git a/.github/workflows/test-gha-eks.yml b/.github/workflows/test-gha-eks.yml index fe9d43e6..bec01986 100644 --- a/.github/workflows/test-gha-eks.yml +++ b/.github/workflows/test-gha-eks.yml @@ -1,8 +1,6 @@ --- name: EKS Cluster with an AuroraDB creation and destruction test -# TODO: add opensearch - on: schedule: - cron: 0 1 * * 2 # At 01:00 on Tuesday. 
@@ -16,6 +14,9 @@ on: create_db: description: Should the aurora db be created default: 'true' + create_opensearch: + description: Should the opensearch domain be created + default: 'true' delete_cluster: description: Whether to delete the cluster. default: 'true' @@ -27,6 +28,14 @@ on: description: Database password. required: false type: string + opensearch_username: + description: OpenSearch username. + required: false + type: string + opensearch_password: + description: OpenSearch password. + required: false + type: string pull_request: # the paths should be synced with ../labeler.yml @@ -56,6 +65,7 @@ env: TF_STATE_BUCKET_REGION: eu-central-1 CREATE_DB: ${{ github.event.inputs.create_db || 'true' }} + CREATE_OPENSEARCH: ${{ github.event.inputs.create_opensearch || 'true' }} jobs: action-test: @@ -94,6 +104,20 @@ jobs: fi echo "db_password=$db_password" | tee -a "$GITHUB_OUTPUT" + if [[ -n "${{ inputs.opensearch_username }}" ]]; then + opensearch_username="${{ inputs.opensearch_username }}" + else + db_username="user$(openssl rand -hex 4 | tr -d '/@" ')" + fi + echo "opensearch_username=$opensearch_username" | tee -a "$GITHUB_OUTPUT" + + if [[ -n "${{ inputs.opensearch_password }}" ]]; then + opensearch_password="${{ inputs.opensearch_password }}" + else + opensearch_password="$(openssl rand -base64 12 | tr -d '/@" ')" + fi + echo "opensearch_password=$opensearch_password" | tee -a "$GITHUB_OUTPUT" + # Get the current commit hash for the modules revision tf_modules_revision=$(git rev-parse HEAD) echo "tf_modules_revision=$tf_modules_revision" | tee -a "$GITHUB_OUTPUT" 
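Review bot: The `else` branch of the new username block assigns `db_username` instead of `opensearch_username`, so with no input the step writes an empty `opensearch_username` output and overwrites the shell's `db_username`; it should read `opensearch_username="user$(openssl rand -hex 4 | tr -d '/@" ')"`. The password line pipes through `tee`, which also prints the value to the job log, so register it first with `echo "::add-mask::$opensearch_password"` and append with `>> "$GITHUB_OUTPUT"` instead. The `${{ inputs.opensearch_username }}` and `${{ inputs.opensearch_password }}` expressions are expanded into the script text before the shell runs; passing them through the step's `env:` and reading the variables (for example `"$OPENSEARCH_PASSWORD"`) keeps input content out of the script. The step header is outside this hunk, so the `env:` block would have to be added there.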
@@ -131,8 +155,8 @@ jobs: s3-bucket-region: ${{ env.TF_STATE_BUCKET_REGION }} tf-modules-revision: ${{ steps.commit_info.outputs.tf_modules_revision }} - - name: Prepare Aurora Cluster - id: prepare_aurora_cluster + - name: After EKS creation infos + id: after_cluster_creation_infos run: | vpc_id=$(echo '${{ steps.create_eks_cluster.outputs.all-terraform-outputs }}' | jq -c -r '.vpc_id.value') echo "vpc_id=$vpc_id" | tee -a "$GITHUB_OUTPUT" 
@@ -160,11 +184,28 @@ jobs: s3-bucket-region: ${{ env.TF_STATE_BUCKET_REGION }} tf-modules-revision: ${{ steps.commit_info.outputs.tf_modules_revision }} - vpc-id: ${{ steps.prepare_aurora_cluster.outputs.vpc_id }} - subnet-ids: ${{ steps.prepare_aurora_cluster.outputs.private_subnet_ids }} - cidr-blocks: ${{ steps.prepare_aurora_cluster.outputs.private_vpc_cidr_blocks }} + vpc-id: ${{ steps.after_cluster_creation_infos.outputs.vpc_id }} + subnet-ids: ${{ steps.after_cluster_creation_infos.outputs.private_subnet_ids }} + cidr-blocks: ${{ steps.after_cluster_creation_infos.outputs.private_vpc_cidr_blocks }} + + availability-zones: ${{ steps.after_cluster_creation_infos.outputs.availability_zones }} + + + - name: Deploy OpenSearch Domain + uses: ./.github/actions/opensearch-manage-cluster + id: deploy_opensearch_domain + if: env.CREATE_OPENSEARCH == 'true' + with: + domain-name: ${{ steps.commit_info.outputs.cluster_name }}-opensearch + + vpc-id: ${{ steps.after_cluster_creation_infos.outputs.vpc_id }} + subnet-ids: ${{ steps.after_cluster_creation_infos.outputs.private_subnet_ids }} + cidr-blocks: ${{ steps.after_cluster_creation_infos.outputs.private_vpc_cidr_blocks }} + availability-zones: ${{ steps.after_cluster_creation_infos.outputs.availability_zones }} - availability-zones: ${{ steps.prepare_aurora_cluster.outputs.availability_zones }} + s3-backend-bucket: ${{ env.TF_STATE_BUCKET }} + s3-bucket-region: ${{ env.TF_STATE_BUCKET_REGION }} + tf-modules-revision: ${{ steps.commit_info.outputs.tf_modules_revision }} - name: Delete Clusters timeout-minutes: 60 From a9e1cda2a12df6fea7f2114db62014747854fc8b Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Thu, 26 Sep 2024 19:54:11 +0200 Subject: [PATCH 007/135] fix tests path --- .github/workflows/test-gha-eks.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
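Review bot: The new `Deploy OpenSearch Domain` step passes no credentials in its `with:` block, although the same commit generates `opensearch_username` and `opensearch_password` in the `commit_info` step, so those outputs are unused as written. The domain's master user would then come from whatever the action or module defaults to; the action's inputs are not visible here. Either wire the two outputs through once the action defines matching inputs, or drop their generation so that no unused secret is written to the step outputs. The `Delete Clusters` step that follows is unchanged context, so it is worth confirming that it also destroys the domain when `CREATE_OPENSEARCH` is `true`.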
diff --git a/.github/workflows/test-gha-eks.yml b/.github/workflows/test-gha-eks.yml index bec01986..b5efb0b3 100644 --- a/.github/workflows/test-gha-eks.yml +++ b/.github/workflows/test-gha-eks.yml @@ -46,8 +46,8 @@ on: - modules/eks-cluster/**.tf - modules/aurora/**.tf - .tool-versions - - .github/workflows/test-gha-eks-manage-cluster.yml - - .github/actions/eks-manage-cluster/*.yml + - .github/workflows/test-gha-eks.yml + - .github/actions/*/*.yml # limit to a single execution per actor of this workflow concurrency: From bb62073c01d2687673643df161db4e29cb30a39a Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Thu, 26 Sep 2024 20:19:15 +0200 Subject: [PATCH 008/135] wip go tests --- test/src/custom_eks_opensearch_test.go | 201 +++++++++++++++++++++++++ 1 file changed, 201 insertions(+) create mode 100644 test/src/custom_eks_opensearch_test.go diff --git a/test/src/custom_eks_opensearch_test.go b/test/src/custom_eks_opensearch_test.go new file mode 100644 index 00000000..b3e82ce1 --- /dev/null +++ b/test/src/custom_eks_opensearch_test.go 
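Review bot: The `paths:` filter shows no entry for the OpenSearch module in the lines visible here (only `modules/eks-cluster/**.tf` and `modules/aurora/**.tf`). A pull request that changes only `modules/opensearch` would therefore not trigger this workflow, even though it now deploys the domain; add `- modules/opensearch/**.tf`. The list starts above the hunk, so check that it is not already present. The new `.github/actions/*/*.yml` glob also matches every composite action, which is broader than the single action it replaces; a short comment saying that this is intended would help.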
@@ -0,0 +1,201 @@ +package test + +import ( + "context" + "fmt" + "github.com/aws/aws-sdk-go-v2/aws" + "github.com/aws/aws-sdk-go-v2/service/eks" + "github.com/aws/aws-sdk-go-v2/service/opensearch" + "github.com/camunda/camunda-tf-eks-module/utils" + "github.com/gruntwork-io/terratest/modules/random" + "github.com/gruntwork-io/terratest/modules/terraform" + test_structure "github.com/gruntwork-io/terratest/modules/test-structure" + "github.com/stretchr/testify/suite" + "go.uber.org/zap" + "go.uber.org/zap/zaptest" + "os" + "path/filepath" + "strings" + "testing" +) + +type CustomEKSOpenSearchTestSuite struct { + suite.Suite + logger *zap.Logger + sugaredLogger *zap.SugaredLogger + clusterName string + expectedNodes int + kubeConfigPath string + region string + bucketRegion string + tfDataDir string + tfBinaryName string + varTf map[string]interface{} + tfStateS3Bucket string +} + +func (suite *CustomEKSOpenSearchTestSuite) SetupTest() { + suite.logger = zaptest.NewLogger(suite.T()) + suite.sugaredLogger = suite.logger.Sugar() + + clusterSuffix := utils.GetEnv("TESTS_CLUSTER_ID", strings.ToLower(random.UniqueId())) + suite.clusterName = fmt.Sprintf("cluster-opensearch-%s", clusterSuffix) + suite.region = utils.GetEnv("TESTS_CLUSTER_REGION", "eu-central-1") + suite.bucketRegion = utils.GetEnv("TF_STATE_BUCKET_REGION", suite.region) + suite.tfBinaryName = utils.GetEnv("TESTS_TF_BINARY_NAME", "terraform") + suite.sugaredLogger.Infow("Terraform binary for the suite", "binary", suite.tfBinaryName) + + suite.expectedNodes = 1 + var errAbsPath error + suite.tfStateS3Bucket = utils.GetEnv("TF_STATE_BUCKET", fmt.Sprintf("tests-eks-tf-state-%s", suite.bucketRegion)) + suite.tfDataDir, errAbsPath = filepath.Abs(fmt.Sprintf("../../test/states/tf-data-%s", suite.clusterName)) + suite.Require().NoError(errAbsPath) + suite.kubeConfigPath = fmt.Sprintf("%s/kubeconfig-opensearch-eks", suite.tfDataDir) +} + +func (suite *CustomEKSOpenSearchTestSuite) TearUpTest() { + // create tf 
state + absPath, err := filepath.Abs(suite.tfDataDir) + suite.Require().NoError(err) + err = os.MkdirAll(absPath, os.ModePerm) + suite.Require().NoError(err) +} + +func (suite *CustomEKSOpenSearchTestSuite) TearDownTest() { + suite.T().Log("Cleaning up resources...") + + err := os.Remove(suite.kubeConfigPath) + if err != nil && !os.IsNotExist(err) { + suite.T().Errorf("Failed to remove kubeConfigPath: %v", err) + } +} + +// TestCustomEKSAndOpenSearch spawns a custom EKS cluster with custom parameters, and spawns a +// a curl pod that will try to reach the OpenSearch cluster +// TODO: implement IRSA connection in the pod https://github.com/opensearch-project/logstash-output-opensearch/issues/96 +func (suite *CustomEKSOpenSearchTestSuite) TestCustomEKSAndOpenSearch() { + suite.varTf = map[string]interface{}{ + "name": suite.clusterName, + "region": suite.region, + "np_desired_node_count": suite.expectedNodes, + } + + suite.sugaredLogger.Infow("Creating EKS cluster...", "extraVars", suite.varTf) + + tfModuleEKS := "eks-cluster/" + fullDirEKS := fmt.Sprintf("%s%s", suite.tfDataDir, tfModuleEKS) + errTfDirEKS := os.MkdirAll(fullDirEKS, os.ModePerm) + suite.Require().NoError(errTfDirEKS) + tfDir := test_structure.CopyTerraformFolderToDest(suite.T(), "../../modules/", tfModuleEKS, fullDirEKS) + + errLinkBackend := os.Link("../../modules/fixtures/backend.tf", filepath.Join(tfDir, "backend.tf")) + suite.Require().NoError(errLinkBackend) + + terraformOptions := &terraform.Options{ + TerraformBinary: suite.tfBinaryName, + TerraformDir: tfDir, + Upgrade: false, + VarFiles: []string{"../fixtures/fixtures.default.eks.tfvars"}, + Vars: suite.varTf, + BackendConfig: map[string]interface{}{ + "bucket": suite.tfStateS3Bucket, + "key": fmt.Sprintf("terraform/%s/TestCustomEKSOpenSearchTestSuite/%sterraform.tfstate", suite.clusterName, tfModuleEKS), + "region": suite.bucketRegion, + }, + } + + // configure bucket backend + sessBackend, err := utils.GetAwsClientF(utils.GetAwsProfile(), 
suite.bucketRegion) + suite.Require().NoErrorf(err, "Failed to get aws client") + err = utils.CreateS3BucketIfNotExists(sessBackend, suite.tfStateS3Bucket, utils.TF_BUCKET_DESCRIPTION, suite.bucketRegion) + suite.Require().NoErrorf(err, "Failed to create s3 state bucket") + + cleanClusterAtTheEnd := utils.GetEnv("CLEAN_CLUSTER_AT_THE_END", "true") + if cleanClusterAtTheEnd == "true" { + defer utils.DeferCleanup(suite.T(), suite.bucketRegion, terraformOptions) + } + + terraform.InitAndApply(suite.T(), terraformOptions) + + sess, err := utils.GetAwsClient() + suite.Require().NoErrorf(err, "Failed to get aws client") + + eksSvc := eks.NewFromConfig(sess) + opensearchSvc := opensearch.NewFromConfig(sess) + + inputEKS := &eks.DescribeClusterInput{ + Name: aws.String(suite.clusterName), + } + + result, err := eksSvc.DescribeCluster(context.Background(), inputEKS) + suite.Assert().NoError(err) + + // Spawn OpenSearch within the EKS VPC/subnet + publicBlocks := strings.Fields(strings.Trim(terraform.Output(suite.T(), terraformOptions, "public_vpc_cidr_blocks"), "[]")) + privateBlocks := strings.Fields(strings.Trim(terraform.Output(suite.T(), terraformOptions, "private_vpc_cidr_blocks"), "[]")) + + opensearchDomainName := fmt.Sprintf("opensearch-%s", suite.clusterName) + opensearchMasterUserName := "opensearch-admin" + opensearchMasterUserPassword := "password" + + varsConfigOpenSearch := map[string]interface{}{ + "domain_name": opensearchDomainName, + "advanced_security_master_user_name": opensearchMasterUserName, + "advanced_security_master_user_password": opensearchMasterUserPassword, + "subnet_ids": result.Cluster.ResourcesVpcConfig.SubnetIds, + "vpc_id": *result.Cluster.ResourcesVpcConfig.VpcId, + "availability_zones": []string{fmt.Sprintf("%sa", suite.region), fmt.Sprintf("%sb", suite.region), fmt.Sprintf("%sc", suite.region)}, + "cidr_blocks": append(publicBlocks, privateBlocks...), + } + + tfModuleOpenSearch := "opensearch/" + fullDirOpenSearch := 
fmt.Sprintf("%s/%s", suite.tfDataDir, tfModuleOpenSearch) + errTfDirOpenSearch := os.MkdirAll(fullDirOpenSearch, os.ModePerm) + suite.Require().NoError(errTfDirOpenSearch) + + tfDirOpenSearch := test_structure.CopyTerraformFolderToDest(suite.T(), "../../modules/", tfModuleOpenSearch, fullDirOpenSearch) + + errLinkBackend = os.Link("../../modules/fixtures/backend.tf", filepath.Join(tfDirOpenSearch, "backend.tf")) + suite.Require().NoError(errLinkBackend) + + terraformOptionsOpenSearch := &terraform.Options{ + TerraformBinary: suite.tfBinaryName, + TerraformDir: tfDirOpenSearch, + Upgrade: false, + VarFiles: []string{"../fixtures/fixtures.default.opensearch.tfvars"}, + Vars: varsConfigOpenSearch, + BackendConfig: map[string]interface{}{ + "bucket": suite.tfStateS3Bucket, + "key": fmt.Sprintf("terraform/%s/TestCustomEKSOpenSearchTestSuite/%sterraform.tfstate", suite.clusterName, tfModuleOpenSearch), + "region": suite.bucketRegion, + }, + } + + if cleanClusterAtTheEnd == "true" { + defer utils.DeferCleanup(suite.T(), suite.bucketRegion, terraformOptionsOpenSearch) + } + + terraform.InitAndApply(suite.T(), terraformOptionsOpenSearch) + opensearchEndpoint := terraform.Output(suite.T(), terraformOptionsOpenSearch, "opensearch_domain_endpoint") + suite.Assert().NotEmpty(opensearchEndpoint) + + // Test the OpenSearch connection and perform additional tests as needed + + // TODO + + // Retrieve OpenSearch information + describeDomainInput := &opensearch.DescribeDomainInput{ + DomainName: aws.String(varsConfigOpenSearch["domain_name"].(string)), + } + describeDomainOutput, err := opensearchSvc.DescribeDomain(context.Background(), describeDomainInput) + suite.Require().NoError(err) + + // Perform assertions on the OpenSearch domain configuration + + // TODO +} + +func TestCustomEKSOpenSearchTestSuite(t *testing.T) { + t.Parallel() + suite.Run(t, new(CustomEKSOpenSearchTestSuite)) +} From 4644752c4301317fd8faf4601748df8446a4881d Mon Sep 17 00:00:00 2001 
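Review bot: `opensearchMasterUserPassword := "password"` hard-codes a guessable master-user credential for a domain that the test opens to both public and private VPC CIDR blocks (`append(publicBlocks, privateBlocks...)`). Generate a random value per run or read it from the environment through `utils.GetEnv`, and pass only `privateBlocks` unless access from the public subnets is intended. Separately, `describeDomainOutput` is assigned but never used, which the Go compiler rejects; until the planned assertions exist, add one such as `suite.Assert().NotNil(describeDomainOutput.DomainStatus)`. `suite.Assert().NoError(err)` after `DescribeCluster` does not stop the test, so a failed call reaches `result.Cluster.ResourcesVpcConfig` with a nil `result`; use `suite.Require().NoError(err)` there. `TearUpTest` is not a testify suite hook, so it never runs, and `fullDirEKS` is built with `"%s%s"` where the OpenSearch path uses `"%s/%s"`.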
From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Fri, 27 Sep 2024 09:59:48 +0200 Subject: [PATCH 009/135] fix --- modules/fixtures/fixtures.default.opensearch.tfvars | 0 modules/opensearch/variables.tf | 5 ----- 2 files changed, 5 deletions(-) create mode 100644 modules/fixtures/fixtures.default.opensearch.tfvars diff --git a/modules/fixtures/fixtures.default.opensearch.tfvars b/modules/fixtures/fixtures.default.opensearch.tfvars new file mode 100644 index 00000000..e69de29b diff --git a/modules/opensearch/variables.tf b/modules/opensearch/variables.tf index 24e11056..0a61f7a7 100644 --- a/modules/opensearch/variables.tf +++ b/modules/opensearch/variables.tf @@ -3,7 +3,6 @@ variable "domain_name" { type = string description = "Name of the domain." - required = true } variable "engine_version" { @@ -16,7 +15,6 @@ variable "engine_version" { variable "subnet_ids" { type = list(string) description = "The subnet IDs to create the cluster in. For easier usage we are passing through the subnet IDs from the AWS EKS Cluster module." - required = true } variable "cidr_blocks" { @@ -27,13 +25,11 @@ variable "cidr_blocks" { variable "vpc_id" { type = string description = "VPC used by the domain." - required = true } variable "availability_zones" { type = list(string) description = "Availability zones used by the domain (should match the VPC)." - required = true } variable "security_group_ids" { @@ -211,7 +207,6 @@ variable "ebs_volume_type" { variable "ebs_volume_size" { type = number description = "Size of EBS volumes attached to data nodes." - required = true default = 64 } From bb057be0501bf25a7c8b078b376133fdf9f50d63 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Fri, 27 Sep 2024 10:45:18 +0200 Subject: [PATCH 010/135] fix go mod --- test/src/go.mod | 1 + test/src/go.sum | 144 +----------------------------------------------- 2 files changed, 3 insertions(+), 142 deletions(-) 
diff --git a/test/src/go.mod b/test/src/go.mod index 3d81e887..1f7fbca6 100644 --- a/test/src/go.mod +++ b/test/src/go.mod @@ -9,6 +9,7 @@ require ( github.com/aws/aws-sdk-go-v2/service/eks v1.49.1 github.com/aws/aws-sdk-go-v2/service/iam v1.36.1 github.com/aws/aws-sdk-go-v2/service/kms v1.36.1 + github.com/aws/aws-sdk-go-v2/service/opensearch v1.40.2 github.com/aws/aws-sdk-go-v2/service/rds v1.84.0 github.com/aws/aws-sdk-go-v2/service/s3 v1.63.1 github.com/aws/smithy-go v1.21.0 diff --git a/test/src/go.sum b/test/src/go.sum index 75f32f6a..04119006 100644 --- a/test/src/go.sum +++ b/test/src/go.sum 
@@ -201,176 +201,52 @@ github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkY github.com/aws/aws-sdk-go v1.44.122/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo= github.com/aws/aws-sdk-go v1.54.6 h1:HEYUib3yTt8E6vxjMWM3yAq5b+qjj/6aKA62mkgux9g= github.com/aws/aws-sdk-go v1.54.6/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU= -github.com/aws/aws-sdk-go-v2 v1.30.4 h1:frhcagrVNrzmT95RJImMHgabt99vkXGslubDaDagTk8= -github.com/aws/aws-sdk-go-v2 v1.30.4/go.mod h1:CT+ZPWXbYrci8chcARI3OmI/qgd+f6WtuLOoaIA8PR0= -github.com/aws/aws-sdk-go-v2 v1.30.5 h1:mWSRTwQAb0aLE17dSzztCVJWI9+cRMgqebndjwDyK0g= -github.com/aws/aws-sdk-go-v2 v1.30.5/go.mod h1:CT+ZPWXbYrci8chcARI3OmI/qgd+f6WtuLOoaIA8PR0= github.com/aws/aws-sdk-go-v2 v1.31.0 h1:3V05LbxTSItI5kUqNwhJrrrY1BAXxXt0sN0l72QmG5U= github.com/aws/aws-sdk-go-v2 v1.31.0/go.mod h1:ztolYtaEUtdpf9Wftr31CJfLVjOnD/CVRkKOOYgF8hA= -github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.3 h1:tW1/Rkad38LA15X4UQtjXZXNKsCgkshC3EbmcUmghTg= -github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.3/go.mod h1:UbnqO+zjqk3uIt9yCACHJ9IVNhyhOCnYk8yA19SAWrM= -github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.4 h1:70PVAiL15/aBMh5LThwgXdSQorVr91L127ttckI9QQU= -github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.4/go.mod h1:/MQxMqci8tlqDH+pjmoLu1i0tbWCUP1hhyMRuFxpQCw= github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.5 h1:xDAuZTn4IMm8o1LnBZvmrL8JA1io4o3YWNXgohbf20g= github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.5/go.mod h1:wYSv6iDS621sEFLfKvpPE2ugjTuGlAG7iROg0hLOkfc= -github.com/aws/aws-sdk-go-v2/config v1.27.28 h1:OTxWGW/91C61QlneCtnD62NLb4W616/NM1jA8LhJqbg= -github.com/aws/aws-sdk-go-v2/config v1.27.28/go.mod h1:uzVRVtJSU5EFv6Fu82AoVFKozJi2ZCY6WRCXj06rbvs= -github.com/aws/aws-sdk-go-v2/config v1.27.30 h1:AQF3/+rOgeJBQP3iI4vojlPib5X6eeOYoa/af7OxAYg= -github.com/aws/aws-sdk-go-v2/config v1.27.30/go.mod h1:yxqvuubha9Vw8stEgNiStO+yZpP68Wm9hLmcm+R/Qk4= 
-github.com/aws/aws-sdk-go-v2/config v1.27.31 h1:kxBoRsjhT3pq0cKthgj6RU6bXTm/2SgdoUMyrVw0rAI= -github.com/aws/aws-sdk-go-v2/config v1.27.31/go.mod h1:z04nZdSWFPaDwK3DdJOG2r+scLQzMYuJeW0CujEm9FM= -github.com/aws/aws-sdk-go-v2/config v1.27.33 h1:Nof9o/MsmH4oa0s2q9a0k7tMz5x/Yj5k06lDODWz3BU= -github.com/aws/aws-sdk-go-v2/config v1.27.33/go.mod h1:kEqdYzRb8dd8Sy2pOdEbExTTF5v7ozEXX0McgPE7xks= github.com/aws/aws-sdk-go-v2/config v1.27.37 h1:xaoIwzHVuRWRHFI0jhgEdEGc8xE1l91KaeRDsWEIncU= github.com/aws/aws-sdk-go-v2/config v1.27.37/go.mod h1:S2e3ax9/8KnMSyRVNd3sWTKs+1clJ2f1U6nE0lpvQRg= -github.com/aws/aws-sdk-go-v2/credentials v1.17.28 h1:m8+AHY/ND8CMHJnPoH7PJIRakWGa4gbfbxuY9TGTUXM= -github.com/aws/aws-sdk-go-v2/credentials v1.17.28/go.mod h1:6TF7dSc78ehD1SL6KpRIPKMA1GyyWflIkjqg+qmf4+c= -github.com/aws/aws-sdk-go-v2/credentials v1.17.29 h1:CwGsupsXIlAFYuDVHv1nnK0wnxO0wZ/g1L8DSK/xiIw= -github.com/aws/aws-sdk-go-v2/credentials v1.17.29/go.mod h1:BPJ/yXV92ZVq6G8uYvbU0gSl8q94UB63nMT5ctNO38g= -github.com/aws/aws-sdk-go-v2/credentials v1.17.30 h1:aau/oYFtibVovr2rDt8FHlU17BTicFEMAi29V1U+L5Q= -github.com/aws/aws-sdk-go-v2/credentials v1.17.30/go.mod h1:BPJ/yXV92ZVq6G8uYvbU0gSl8q94UB63nMT5ctNO38g= -github.com/aws/aws-sdk-go-v2/credentials v1.17.32 h1:7Cxhp/BnT2RcGy4VisJ9miUPecY+lyE9I8JvcZofn9I= -github.com/aws/aws-sdk-go-v2/credentials v1.17.32/go.mod h1:P5/QMF3/DCHbXGEGkdbilXHsyTBX5D3HSwcrSc9p20I= github.com/aws/aws-sdk-go-v2/credentials v1.17.35 h1:7QknrZhYySEB1lEXJxGAmuD5sWwys5ZXNr4m5oEz0IE= github.com/aws/aws-sdk-go-v2/credentials v1.17.35/go.mod h1:8Vy4kk7at4aPSmibr7K+nLTzG6qUQAUO4tW49fzUV4E= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.12 h1:yjwoSyDZF8Jth+mUk5lSPJCkMC0lMy6FaCD51jm6ayE= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.12/go.mod h1:fuR57fAgMk7ot3WcNQfb6rSEn+SUffl7ri+aa8uKysI= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.13 h1:pfQ2sqNpMVK6xz2RbqLEL0GH87JOwSxPV2rzm8Zsb74= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.13/go.mod 
h1:NG7RXPUlqfsCLLFfi0+IpKN4sCB9D9fw/qTaSB+xRoU= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.14 h1:C/d03NAmh8C4BZXhuRNboF/DqhBkBCeDiJDcaqIT5pA= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.14/go.mod h1:7I0Ju7p9mCIdlrfS+JCgqcYD0VXz/N4yozsox+0o078= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.16 h1:TNyt/+X43KJ9IJJMjKfa3bNTiZbUP7DeCxfbTROESwY= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.16/go.mod h1:2DwJF39FlNAUiX5pAc0UNeiz16lK2t7IaFcm0LFHEgc= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.17 h1:pI7Bzt0BJtYA0N/JEC6B8fJ4RBrEMi1LBrkMdFYNSnQ= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.17/go.mod h1:Dh5zzJYMtxfIjYW+/evjQ8uj2OyR/ve2KROHGHlSFqE= github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.18 h1:kYQ3H1u0ANr9KEKlGs/jTLrBFPo8P8NaH/w7A01NeeM= github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.18/go.mod h1:r506HmK5JDUh9+Mw4CfGJGSSoqIiLCndAuqXuhbv67Y= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.16 h1:jYfy8UPmd+6kJW5YhY0L1/KftReOGxI/4NtVSTh9O/I= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.16/go.mod h1:7ZfEPZxkW42Afq4uQB8H2E2e6ebh6mXTueEpYzjCzcs= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.17 h1:Mqr/V5gvrhA2gvgnF42Zh5iMiQNcOYthFYwCyrnuWlc= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.17/go.mod h1:aLJpZlCmjE+V+KtN1q1uyZkfnUWpQGpbsn89XPKyzfU= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.18 h1:Z7IdFUONvTcvS7YuhtVxN99v2cCoHRXOS4mTr0B/pUc= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.18/go.mod h1:DkKMmksZVVyat+Y+r1dEOgJEfUeA7UngIHWeKsi0yNc= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 h1:VaRN3TlFdd6KxX1x3ILT5ynH6HvKgqdiXoTxAF4HQcQ= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1/go.mod h1:FbtygfRFze9usAadmnGJNc8KsP346kEe+y2/oyhGAGc= -github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.15 h1:Z5r7SycxmSllHYmaAZPpmN8GviDrSGhMS6bldqtXZPw= -github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.15/go.mod 
h1:CetW7bDE00QoGEmPUoZuRog07SGVAUVW6LFpNP0YfIg= -github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.16 h1:mimdLQkIX1zr8GIPY1ZtALdBQGxcASiBd2MOp8m/dMc= -github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.16/go.mod h1:YHk6owoSwrIsok+cAH9PENCOGoH5PU2EllX4vLtSrsY= -github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.17 h1:Roo69qTpfu8OlJ2Tb7pAYVuF0CpuUMB0IYWwYP/4DZM= -github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.17/go.mod h1:NcWPxQzGM1USQggaTVwz6VpqMZPX1CvDJLDh6jnOCa4= github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.18 h1:OWYvKL53l1rbsUmW7bQyJVsYU/Ii3bbAAQIIFNbM0Tk= github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.18/go.mod h1:CUx0G1v3wG6l01tUB+j7Y8kclA8NSqK4ef0YG79a4cg= -github.com/aws/aws-sdk-go-v2/service/ec2 v1.175.1 h1:7B5ppg4i5N2B6t+aH77WLbAu8sD98MLlzruWzq5scyY= -github.com/aws/aws-sdk-go-v2/service/ec2 v1.175.1/go.mod h1:ISODge3zgdwOEa4Ou6WM9PKbxJWJ15DYKnr2bfmCAIA= -github.com/aws/aws-sdk-go-v2/service/ec2 v1.176.0 h1:fWhkSvaQqa5eWiRwBw10FUnk1YatAQ9We4GdGxKiCtg= -github.com/aws/aws-sdk-go-v2/service/ec2 v1.176.0/go.mod h1:ISODge3zgdwOEa4Ou6WM9PKbxJWJ15DYKnr2bfmCAIA= -github.com/aws/aws-sdk-go-v2/service/ec2 v1.177.0 h1:LAdDRIj5BEZM9fLDTUWUyPzWvv5A++nCEps/RGmZNOo= -github.com/aws/aws-sdk-go-v2/service/ec2 v1.177.0/go.mod h1:ISODge3zgdwOEa4Ou6WM9PKbxJWJ15DYKnr2bfmCAIA= -github.com/aws/aws-sdk-go-v2/service/ec2 v1.177.2 h1:QUUvxEs9q1DsYCaWaRrV8i7n82Adm34jrHb6OPjXPqc= -github.com/aws/aws-sdk-go-v2/service/ec2 v1.177.2/go.mod h1:TFSALWR7Xs7+KyMM87ZAYxncKFBvzEt2rpK/BJCH2ps= -github.com/aws/aws-sdk-go-v2/service/ec2 v1.177.3 h1:dqdCh1M8h+j8OGNUpxTs7eBPFr6lOdLpdlE6IPLLSq4= -github.com/aws/aws-sdk-go-v2/service/ec2 v1.177.3/go.mod h1:TFSALWR7Xs7+KyMM87ZAYxncKFBvzEt2rpK/BJCH2ps= github.com/aws/aws-sdk-go-v2/service/ec2 v1.178.0 h1:yCVmlqH1bWVmdS/oFyyM+hbe2c+tKGPo6r0BHhTpn1U= github.com/aws/aws-sdk-go-v2/service/ec2 v1.178.0/go.mod h1:W6sNzs5T4VpZn1Vy+FMKw8s24vt5k6zPJXcNOK0asBo= -github.com/aws/aws-sdk-go-v2/service/eks v1.48.1 h1:KZ1GkevaklMvPxcqivG4UDwar3lqMSpbK9RpZowjMec= 
-github.com/aws/aws-sdk-go-v2/service/eks v1.48.1/go.mod h1:fff5mmwLCVxyXCojYjPY34sUGvWtXCD325yRL5qHAVs= -github.com/aws/aws-sdk-go-v2/service/eks v1.48.2 h1:EFjJfHrl7/2qh/ZawUXtl9juOPAUUOTFDLOmov5KSgM= -github.com/aws/aws-sdk-go-v2/service/eks v1.48.2/go.mod h1:fff5mmwLCVxyXCojYjPY34sUGvWtXCD325yRL5qHAVs= -github.com/aws/aws-sdk-go-v2/service/eks v1.48.4 h1:rgYF107dG64XdYhQ1N0ac2G+8L3I+fD4Vsw8zz9wOKA= -github.com/aws/aws-sdk-go-v2/service/eks v1.48.4/go.mod h1:9dn8p15siUL80NCTPVNd+YvEpVTmWO+rboGx6qOMBa0= -github.com/aws/aws-sdk-go-v2/service/eks v1.49.0 h1:soZyFrtL96yjSG8htIcdSlunboFzp7BidxHn2SMlbJ4= -github.com/aws/aws-sdk-go-v2/service/eks v1.49.0/go.mod h1:QUjwO93Ri00egMAeWw75dviZBM5pECLx0KNeNaBtTIM= github.com/aws/aws-sdk-go-v2/service/eks v1.49.1 h1:1EJ49JWtC3wS/rImBX/6RAna2gEhBqYWYFpETSmPsVs= github.com/aws/aws-sdk-go-v2/service/eks v1.49.1/go.mod h1:QUjwO93Ri00egMAeWw75dviZBM5pECLx0KNeNaBtTIM= -github.com/aws/aws-sdk-go-v2/service/iam v1.35.0 h1:xIjTizH74aMNQBjp9D5cvjRZmOYtnrpjOGU3xkVqrjk= -github.com/aws/aws-sdk-go-v2/service/iam v1.35.0/go.mod h1:IdHqqRLKgxYR4IY7Omd7SuV4SJzJ8seF+U5PW+mvtP4= -github.com/aws/aws-sdk-go-v2/service/iam v1.35.2 h1:CK5cIZTxza9ki/4eghMeLk32/UeVcPgyDBNiFfbcG0U= -github.com/aws/aws-sdk-go-v2/service/iam v1.35.2/go.mod h1:PpmEOH3ZTQlDAezieBVdFMjPO1jovUMNPA4OpCtnwbY= -github.com/aws/aws-sdk-go-v2/service/iam v1.36.0 h1:3xvpoYVNxINJ26xmjvYFC7T4jiTICCdxwREEu0G7vqg= -github.com/aws/aws-sdk-go-v2/service/iam v1.36.0/go.mod h1:HSvujsK8xeEHMIB18oMXjSfqaN9cVqpo/MtHJIksQRk= github.com/aws/aws-sdk-go-v2/service/iam v1.36.1 h1:uBOxRx7j+9NoCkmQ2Nmmh/KvKm1l+wm917By8bgtKdU= github.com/aws/aws-sdk-go-v2/service/iam v1.36.1/go.mod h1:HSvujsK8xeEHMIB18oMXjSfqaN9cVqpo/MtHJIksQRk= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.4 h1:KypMCbLPPHEmf9DgMGw51jMj77VfGPAN2Kv4cfhlfgI= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.4/go.mod h1:Vz1JQXliGcQktFTN/LN6uGppAIRoLBR2bMvIMP0gOjc= 
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.5 h1:QFASJGfT8wMXtuP3D5CRmMjARHv9ZmzFUMJznHDOY3w= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.5/go.mod h1:QdZ3OmoIjSX+8D1OPAzPxDfjXASbBMDsz9qvtyIhtik= -github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.17 h1:YPYe6ZmvUfDDDELqEKtAd6bo8zxhkm+XEFEzQisqUIE= -github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.17/go.mod h1:oBtcnYua/CgzCWYN7NZ5j7PotFDaFSUjCYVTtfyn7vw= -github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.18 h1:GckUnpm4EJOAio1c8o25a+b3lVfwVzC9gnSBqiiNmZM= -github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.18/go.mod h1:Br6+bxfG33Dk3ynmkhsW2Z/t9D4+lRqdLDNCKi85w0U= -github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.19 h1:FLMkfEiRjhgeDTCjjLoc3URo/TBkgeQbocA78lfkzSI= -github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.19/go.mod h1:Vx+GucNSsdhaxs3aZIKfSUjKVGsxN25nX2SRcdhuw08= github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.20 h1:rTWjG6AvWekO2B1LHeM3ktU7MqyX9rzWQ7hgzneZW7E= github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.20/go.mod h1:RGW2DDpVc8hu6Y6yG8G5CHVmVOAn1oV8rNKOHRJyswg= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.18 h1:tJ5RnkHCiSH0jyd6gROjlJtNwov0eGYNz8s8nFcR0jQ= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.18/go.mod h1:++NHzT+nAF7ZPrHPsA+ENvsXkOO8wEu+C6RXltAG4/c= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.19 h1:rfprUlsdzgl7ZL2KlXiUAoJnI/VxfHCvDFr2QDFj6u4= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.19/go.mod h1:SCWkEdRq8/7EK60NcvvQ6NXKuTcchAD4ROAsC37VEZE= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.20 h1:Xbwbmk44URTiHNx6PNo0ujDE6ERlsCKJD3u1zfnzAPg= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.20/go.mod h1:oAfOFzUB14ltPZj1rWwRc3d/6OgD76R8KlvU3EqM9Fg= -github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.15 
h1:246A4lSTXWJw/rmlQI+TT2OcqeDMKBdyjEQrafMaQdA= -github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.15/go.mod h1:haVfg3761/WF7YPuJOER2MP0k4UAXyHaLclKXB6usDg= -github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.16 h1:jg16PhLPUiHIj8zYIW6bqzeQSuHVEiWnGA0Brz5Xv2I= -github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.16/go.mod h1:Uyk1zE1VVdsHSU7096h/rwnXDzOzYQVl+FNPhPw7ShY= -github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.17 h1:u+EfGmksnJc/x5tq3A+OD7LrMbSSR/5TrKLvkdy/fhY= -github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.17/go.mod h1:VaMx6302JHax2vHJWgRo+5n9zvbacs3bLU/23DNQrTY= github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.18 h1:eb+tFOIl9ZsUe2259/BKPeniKuz4/02zZFH/i4Nf8Rg= github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.18/go.mod h1:GVCC2IJNJTmdlyEsSmofEy7EfJncP7DNnXDzRjJ5Keg= -github.com/aws/aws-sdk-go-v2/service/kms v1.35.4 h1:mG1MH6yPwT5gNEeBrhig3FHc4mK0QaZOXsmQUbphP6Y= -github.com/aws/aws-sdk-go-v2/service/kms v1.35.4/go.mod h1:A5CS0VRmxxj2YKYLCY08l/Zzbd01m6JZn0WzxgT1OCA= -github.com/aws/aws-sdk-go-v2/service/kms v1.35.5 h1:XUomV7SiclZl1QuXORdGcfFqHxEHET7rmNGtxTfNB+M= -github.com/aws/aws-sdk-go-v2/service/kms v1.35.5/go.mod h1:A5CS0VRmxxj2YKYLCY08l/Zzbd01m6JZn0WzxgT1OCA= -github.com/aws/aws-sdk-go-v2/service/kms v1.35.7 h1:v0D1LeMkA/X+JHAZWERrr+sUGOt8KrCZKnJA6KszkcE= -github.com/aws/aws-sdk-go-v2/service/kms v1.35.7/go.mod h1:K9lwD0Rsx9+NSaJKsdAdlDK4b2G4KKOEve9PzHxPoMI= -github.com/aws/aws-sdk-go-v2/service/kms v1.36.0 h1:jwWMpQ/1obJRdHaix9k10zWSnSMZGdDTZIDiS5CGzq8= -github.com/aws/aws-sdk-go-v2/service/kms v1.36.0/go.mod h1:OHmlX4+o0XIlJAQGAHPIy0N9yZcYS/vNG+T7geSNcFw= github.com/aws/aws-sdk-go-v2/service/kms v1.36.1 h1:BkicHsJOtGRLSGw2CSvtbdGlMboP8S/AsWzf0U2V6m8= github.com/aws/aws-sdk-go-v2/service/kms v1.36.1/go.mod h1:OHmlX4+o0XIlJAQGAHPIy0N9yZcYS/vNG+T7geSNcFw= -github.com/aws/aws-sdk-go-v2/service/rds v1.82.1 h1:4s+9AtQQGB5n0xMm0xRbIQOFoi6rrggMlFt8WwHcDvs= 
-github.com/aws/aws-sdk-go-v2/service/rds v1.82.1/go.mod h1:hfUZhydujCniydsJdzZ9bwzX6nUvbfnhhYQeFNREC2I= -github.com/aws/aws-sdk-go-v2/service/rds v1.82.2 h1:kO/fQcueYZvuL5kPzTPQ503cKZj8jyBNg1MlnIqpFPg= -github.com/aws/aws-sdk-go-v2/service/rds v1.82.2/go.mod h1:hfUZhydujCniydsJdzZ9bwzX6nUvbfnhhYQeFNREC2I= -github.com/aws/aws-sdk-go-v2/service/rds v1.82.4 h1:Go6suRegLmIpQiuiTNyUUyxYrhzbrliD9wD0ZN65hlQ= -github.com/aws/aws-sdk-go-v2/service/rds v1.82.4/go.mod h1:zNFNa99yH2j3zzqZgt3Atu197K1UkE+1sfigpi5+eWo= -github.com/aws/aws-sdk-go-v2/service/rds v1.82.5 h1:MB+bWfwWE/FnTGBO0yxXbdSMvU/753OHVdMbMgQezxI= -github.com/aws/aws-sdk-go-v2/service/rds v1.82.5/go.mod h1:zNFNa99yH2j3zzqZgt3Atu197K1UkE+1sfigpi5+eWo= +github.com/aws/aws-sdk-go-v2/service/opensearch v1.40.2 h1:tQMi7jzkFcuLobVKrW4edPnnreXLNaHRJKgLutxvPdY= +github.com/aws/aws-sdk-go-v2/service/opensearch v1.40.2/go.mod h1:4rB9oWpduMw/+UqL/WdNLJZNF7iAwaJWwJ6GgsQqOjg= github.com/aws/aws-sdk-go-v2/service/rds v1.84.0 h1:y7CROMOdAjkkijg+ClGBa2KnhL7oeOP0mmBFJMSCWPc= github.com/aws/aws-sdk-go-v2/service/rds v1.84.0/go.mod h1:lhiPj6RvoJHWG2STp+k5az55YqGgFLBzkKYdYHgUh9g= -github.com/aws/aws-sdk-go-v2/service/s3 v1.58.2 h1:sZXIzO38GZOU+O0C+INqbH7C2yALwfMWpd64tONS/NE= -github.com/aws/aws-sdk-go-v2/service/s3 v1.58.2/go.mod h1:Lcxzg5rojyVPU/0eFwLtcyTaek/6Mtic5B1gJo7e/zE= -github.com/aws/aws-sdk-go-v2/service/s3 v1.60.1 h1:mx2ucgtv+MWzJesJY9Ig/8AFHgoE5FwLXwUVgW/FGdI= -github.com/aws/aws-sdk-go-v2/service/s3 v1.60.1/go.mod h1:BSPI0EfnYUuNHPS0uqIo5VrRwzie+Fp+YhQOUs16sKI= -github.com/aws/aws-sdk-go-v2/service/s3 v1.61.0 h1:Wb544Wh+xfSXqJ/j3R4aX9wrKUoZsJNmilBYZb3mKQ4= -github.com/aws/aws-sdk-go-v2/service/s3 v1.61.0/go.mod h1:BSPI0EfnYUuNHPS0uqIo5VrRwzie+Fp+YhQOUs16sKI= -github.com/aws/aws-sdk-go-v2/service/s3 v1.61.2 h1:Kp6PWAlXwP1UvIflkIP6MFZYBNDCa4mFCGtxrpICVOg= -github.com/aws/aws-sdk-go-v2/service/s3 v1.61.2/go.mod h1:5FmD/Dqq57gP+XwaUnd5WFPipAuzrf0HmupX27Gvjvc= -github.com/aws/aws-sdk-go-v2/service/s3 v1.63.0 
h1:F6KG9CT7PPqAjnRxjKmYJopVnXPwjlzPI2FEgXHajNY= -github.com/aws/aws-sdk-go-v2/service/s3 v1.63.0/go.mod h1:NLTqRLe3pUNu3nTEHI6XlHLKYmc8fbHUdMxAB6+s41Q= github.com/aws/aws-sdk-go-v2/service/s3 v1.63.1 h1:TR96r56VwELV0qguNFCuz+/bEpRfnR3ZsS9/IG05C7Q= github.com/aws/aws-sdk-go-v2/service/s3 v1.63.1/go.mod h1:NLTqRLe3pUNu3nTEHI6XlHLKYmc8fbHUdMxAB6+s41Q= -github.com/aws/aws-sdk-go-v2/service/sso v1.22.5 h1:zCsFCKvbj25i7p1u94imVoO447I/sFv8qq+lGJhRN0c= -github.com/aws/aws-sdk-go-v2/service/sso v1.22.5/go.mod h1:ZeDX1SnKsVlejeuz41GiajjZpRSWR7/42q/EyA/QEiM= -github.com/aws/aws-sdk-go-v2/service/sso v1.22.7 h1:pIaGg+08llrP7Q5aiz9ICWbY8cqhTkyy+0SHvfzQpTc= -github.com/aws/aws-sdk-go-v2/service/sso v1.22.7/go.mod h1:eEygMHnTKH/3kNp9Jr1n3PdejuSNcgwLe1dWgQtO0VQ= github.com/aws/aws-sdk-go-v2/service/sso v1.23.1 h1:2jrVsMHqdLD1+PA4BA6Nh1eZp0Gsy3mFSB5MxDvcJtU= github.com/aws/aws-sdk-go-v2/service/sso v1.23.1/go.mod h1:XRlMvmad0ZNL+75C5FYdMvbbLkd6qiqz6foR1nA1PXY= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.5 h1:SKvPgvdvmiTWoi0GAJ7AsJfOz3ngVkD/ERbs5pUnHNI= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.5/go.mod h1:20sz31hv/WsPa3HhU3hfrIet2kxM4Pe0r20eBZ20Tac= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.7 h1:/Cfdu0XV3mONYKaOt1Gr0k1KvQzkzPyiKUdlWJqy+J4= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.7/go.mod h1:bCbAxKDqNvkHxRaIMnyVPXPo+OaPRwvmgzMxbz1VKSA= github.com/aws/aws-sdk-go-v2/service/ssooidc v1.27.1 h1:0L7yGCg3Hb3YQqnSgBTZM5wepougtL1aEccdcdYhHME= github.com/aws/aws-sdk-go-v2/service/ssooidc v1.27.1/go.mod h1:FnvDM4sfa+isJ3kDXIzAB9GAwVSzFzSy97uZ3IsHo4E= -github.com/aws/aws-sdk-go-v2/service/sts v1.30.4 h1:iAckBT2OeEK/kBDyN/jDtpEExhjeeA/Im2q4X0rJZT8= -github.com/aws/aws-sdk-go-v2/service/sts v1.30.4/go.mod h1:vmSqFK+BVIwVpDAGZB3CoCXHzurt4qBE8lf+I/kRTh0= -github.com/aws/aws-sdk-go-v2/service/sts v1.30.5 h1:OMsEmCyz2i89XwRwPouAJvhj81wINh+4UK+k/0Yo/q8= -github.com/aws/aws-sdk-go-v2/service/sts v1.30.5/go.mod h1:vmSqFK+BVIwVpDAGZB3CoCXHzurt4qBE8lf+I/kRTh0= 
-github.com/aws/aws-sdk-go-v2/service/sts v1.30.7 h1:NKTa1eqZYw8tiHSRGpP0VtTdub/8KNk8sDkNPFaOKDE= -github.com/aws/aws-sdk-go-v2/service/sts v1.30.7/go.mod h1:NXi1dIAGteSaRLqYgarlhP/Ij0cFT+qmCwiJqWh/U5o= github.com/aws/aws-sdk-go-v2/service/sts v1.31.1 h1:8K0UNOkZiK9Uh3HIF6Bx0rcNCftqGCeKmOaR7Gp5BSo= github.com/aws/aws-sdk-go-v2/service/sts v1.31.1/go.mod h1:yMWe0F+XG0DkRZK5ODZhG7BEFYhLXi2dqGsv6tX0cgI= -github.com/aws/smithy-go v1.20.4 h1:2HK1zBdPgRbjFOHlfeQZfpC4r72MOb9bZkiFwggKO+4= -github.com/aws/smithy-go v1.20.4/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg= github.com/aws/smithy-go v1.21.0 h1:H7L8dtDRk0P1Qm6y0ji7MCYMQObJ5R9CRpyPhRUkLYA= github.com/aws/smithy-go v1.21.0/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= 
@@ -559,16 +435,12 @@ github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/ad github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= github.com/gruntwork-io/go-commons v0.8.0 h1:k/yypwrPqSeYHevLlEDmvmgQzcyTwrlZGRaxEM6G0ro= github.com/gruntwork-io/go-commons v0.8.0/go.mod h1:gtp0yTtIBExIZp7vyIV9I0XQkVwiQZze678hvDXof78= -github.com/gruntwork-io/terratest v0.47.0 h1:xIy1pT7NbGVlMLDZEHl3+3iSnvffh8tN2pL6idn448c= -github.com/gruntwork-io/terratest v0.47.0/go.mod h1:oywHw1cFKXSYvKPm27U7quZVzDUlA22H2xUrKCe26xM= github.com/gruntwork-io/terratest v0.47.1 h1:qOaxnL7Su5+KpDHYUN/ek1jn8ImvCKtOkaY4OSMS4tI= github.com/gruntwork-io/terratest v0.47.1/go.mod h1:LnYX8BN5WxUMpDr8rtD39oToSL4CBERWSCusbJ0d/64= github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ= github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48= -github.com/hashicorp/go-getter v1.7.5 h1:dT58k9hQ/vbxNMwoI5+xFYAJuv6152UNvdHokfI5wE4= -github.com/hashicorp/go-getter v1.7.5/go.mod h1:W7TalhMmbPmsSMdNjD0ZskARur/9GJ17cfHTRtXV744= github.com/hashicorp/go-getter v1.7.6 h1:5jHuM+aH373XNtXl9TNTUH5Qd69Trve11tHIrB+6yj4= github.com/hashicorp/go-getter v1.7.6/go.mod h1:W7TalhMmbPmsSMdNjD0ZskARur/9GJ17cfHTRtXV744= github.com/hashicorp/go-multierror v1.1.0 h1:B9UzwGQJehnUY1yNrnwREHc3fGbC2xefo8g4TbElacI= 
@@ -1269,16 +1141,10 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -k8s.io/api v0.31.0 h1:b9LiSjR2ym/SzTOlfMHm1tr7/21aD7fSkqgD/CVJBCo= -k8s.io/api v0.31.0/go.mod h1:0YiFF+JfFxMM6+1hQei8FY8M7s1Mth+z/q7eF1aJkTE= k8s.io/api v0.31.1 h1:Xe1hX/fPW3PXYYv8BlozYqw63ytA92snr96zMW9gWTU= k8s.io/api v0.31.1/go.mod h1:sbN1g6eY6XVLeqNsZGLnI5FwVseTrZX7Fv3O26rhAaI= -k8s.io/apimachinery v0.31.0 h1:m9jOiSr3FoSSL5WO9bjm1n6B9KROYYgNZOb4tyZ1lBc= -k8s.io/apimachinery v0.31.0/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= k8s.io/apimachinery v0.31.1 h1:mhcUBbj7KUjaVhyXILglcVjuS4nYXiwC+KKFBgIVy7U= k8s.io/apimachinery v0.31.1/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= -k8s.io/client-go v0.31.0 h1:QqEJzNjbN2Yv1H79SsS+SWnXkBgVu4Pj3CJQgbx0gI8= -k8s.io/client-go v0.31.0/go.mod h1:Y9wvC76g4fLjmU0BA+rV+h2cncoadjvjjkkIGoTLcGU= k8s.io/client-go v0.31.1 h1:f0ugtWSbWpxHR7sjVpQwuvw9a3ZKLXX0u0itkFXufb0= k8s.io/client-go v0.31.1/go.mod h1:sKI8871MJN2OyeqRlmA4W4KM9KBdBUpDLu/43eGemCg= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= 
@@ -1290,12 +1156,6 @@ k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= -sigs.k8s.io/aws-iam-authenticator v0.6.23 h1:efBMSbBx8XSw8zLeh0tQEOtWGZIS2d/NXqydFoMjGSM= -sigs.k8s.io/aws-iam-authenticator v0.6.23/go.mod h1:8CAmUtqsLmv5QvnhXQ2+byy1EL+TCDyyYTGFXDyt0sk= -sigs.k8s.io/aws-iam-authenticator v0.6.25 h1:ndRRNTQgoxhpZqMHgy1MO+CLrHq3rb+/0xG07cuoc8s= -sigs.k8s.io/aws-iam-authenticator v0.6.25/go.mod h1:8CAmUtqsLmv5QvnhXQ2+byy1EL+TCDyyYTGFXDyt0sk= -sigs.k8s.io/aws-iam-authenticator v0.6.26 h1:cA/xsMLEG81nrSdGW2j4wBBQN50EvDTB9QT4dFJ2VAg= -sigs.k8s.io/aws-iam-authenticator v0.6.26/go.mod h1:8CAmUtqsLmv5QvnhXQ2+byy1EL+TCDyyYTGFXDyt0sk= sigs.k8s.io/aws-iam-authenticator v0.6.27 h1:uzSwFYh+hrrbpv7goZ+2FN/2oCQddiKpb8l5vBbY1i4= sigs.k8s.io/aws-iam-authenticator v0.6.27/go.mod h1:8CAmUtqsLmv5QvnhXQ2+byy1EL+TCDyyYTGFXDyt0sk= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= From 31cc34879ad2468f51cc21e29309d04a36002ab6 Mon Sep 17 00:00:00 2001 
From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Fri, 27 Sep 2024 20:21:53 +0200 Subject: [PATCH 011/135] wip irsa os --- .../opensearch-manage-cluster/README.md | 7 -- .../opensearch-manage-cluster/action.yml | 8 +- modules/fixtures/opensearch-client.yml | 56 +++++++++++ modules/opensearch/README.md | 31 +++--- modules/opensearch/main.tf | 37 ++++---- modules/opensearch/outputs.tf | 31 +++++- modules/opensearch/role.tf | 25 +++++ modules/opensearch/variables.tf | 94 +++++++++++++++---- test/src/custom_eks_opensearch_test.go | 68 +++++++++++++- test/src/utils/kube.go | 22 +++++ 10 files changed, 316 insertions(+), 63 deletions(-) create mode 100644 modules/fixtures/opensearch-client.yml create mode 100644 modules/opensearch/role.tf diff --git a/.github/actions/opensearch-manage-cluster/README.md b/.github/actions/opensearch-manage-cluster/README.md index f8fe49a8..655c3f21 100644 --- a/.github/actions/opensearch-manage-cluster/README.md +++ b/.github/actions/opensearch-manage-cluster/README.md @@ -15,7 +15,6 @@ It will also install Terraform and awscli. It will output the OpenSearch domain | `vpc-id` |

VPC ID to create the domain in

| `true` | `""` | | `subnet-ids` |

List of subnet IDs to create the domain in

| `true` | `""` | | `cidr-blocks` |

CIDR blocks to allow access from and to

| `true` | `""` | -| `availability-zones` |

Array of availability zones to use for the OpenSearch domain

| `true` | `""` | | `instance-type` |

Instance type for the OpenSearch cluster

| `false` | `t3.small.search` | | `instance-count` |

Number of instances in the cluster

| `false` | `1` | | `additional-terraform-vars` |

JSON object containing additional Terraform variables

| `false` | `{}` | @@ -78,12 +77,6 @@ This action is a `composite` action. # Required: true # Default: "" - availability-zones: - # Array of availability zones to use for the OpenSearch domain - # - # Required: true - # Default: "" - instance-type: # Instance type for the OpenSearch cluster # diff --git a/.github/actions/opensearch-manage-cluster/action.yml b/.github/actions/opensearch-manage-cluster/action.yml index eff0c007..abdbcbdb 100644 --- a/.github/actions/opensearch-manage-cluster/action.yml +++ b/.github/actions/opensearch-manage-cluster/action.yml @@ -27,14 +27,11 @@ inputs: description: CIDR blocks to allow access from and to required: true - availability-zones: - description: Array of availability zones to use for the OpenSearch domain - required: true - instance-type: description: Instance type for the OpenSearch cluster default: t3.small.search + # TODO: add number of AZs instance-count: description: Number of instances in the cluster default: '1' @@ -148,9 +145,8 @@ runs: -var-file=/tmp/var.tfvars.json \ -var "domain_name=${{ inputs.domain-name }}" \ -var "engine_version=${{ inputs.engine-version }}" \ - -var "vpc_id=${{ inputs.vpc-id }}" \ - -var 'availability_zones=${{ inputs.availability-zones }}' \ -var 'subnet_ids=${{ inputs.subnet-ids }}' \ + -var "vpc_id=${{ inputs.vpc-id }}" \ -var 'cidr_blocks=${{ inputs.cidr-blocks }}' \ -var "instance_type=${{ inputs.instance-type }}" \ -var "instance_count=${{ inputs.instance-count }}" diff --git a/modules/fixtures/opensearch-client.yml b/modules/fixtures/opensearch-client.yml new file mode 100644 index 00000000..35845cc4 --- /dev/null +++ b/modules/fixtures/opensearch-client.yml 
@@ -0,0 +1,56 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: opensearch-client
+ labels:
+ app: opensearch-client
+spec:
+ backoffLimit: 0
+ template:
+ spec:
+ serviceAccountName: opensearch-access-sa
+ restartPolicy: Never
+ containers:
+ - name: opensearch-client
+ image: amazonlinux:latest
+ command:
+ - sh
+ - -c
+ - |
+ /bin/bash <<'EOF'
+ set -e
+
+ echo "Installing dependencies..."
+ yum install -y python3-pip curl unzip
+
+ echo "Installing AWS CLI..."
+ curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
+ unzip awscliv2.zip
+ ./aws/install
+
+ echo "Testing OpenSearch connection using IRSA..."
+ export AWS_OPENSEARCH_PASSWORD=$(aws opensearch get-signature-v4-auth-token \
+ --region $AWS_REGION \
+ --host $OPENSEARCH_ENDPOINT \
+ --username $OPENSEARCH_USERNAME)
+
+ curl -XGET -u "admin:$AWS_OPENSEARCH_PASSWORD" "https://$OPENSEARCH_ENDPOINT/_cluster/health?pretty"
+
+ EOF
+ env:
+ - name: OPENSEARCH_ENDPOINT
+ valueFrom:
+ configMapKeyRef:
+ name: opensearch-config
+ key: opensearch_endpoint
+ - name: OPENSEARCH_USERNAME
+ valueFrom:
+ configMapKeyRef:
+ name: opensearch-config
+ key: opensearch_username
+ - name: AWS_REGION
+ valueFrom:
+ configMapKeyRef:
+ name: opensearch-config
+ key: aws_region
diff --git a/modules/opensearch/README.md b/modules/opensearch/README.md
index ec81ee47..f0415535 100644
--- a/modules/opensearch/README.md
+++ b/modules/opensearch/README.md
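Review bot: This Job can complete successfully without ever authenticating: the final `curl -XGET -u ...` has no `--fail`, so a 401 or 403 from the domain still exits 0, and `export AWS_OPENSEARCH_PASSWORD=$(...)` hides a failing `aws` call from `set -e` because the status checked is that of `export`. Assign the variable first and export it afterwards, then call `curl --fail -sS -u "$OPENSEARCH_USERNAME:$AWS_OPENSEARCH_PASSWORD" ...`, which also uses the `OPENSEARCH_USERNAME` value from the ConfigMap instead of the literal `admin`. I could not confirm that `aws opensearch get-signature-v4-auth-token` is an existing CLI subcommand, so that is worth checking before the fixture is relied on as an access test. Separately, `amazonlinux:latest` and the unverified AWS CLI download make the run non-reproducible; pinning the image by tag or digest would address the first.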
@@ -68,7 +68,10 @@ No modules. | Name | Type | |------|------| -| [aws_kms_key.key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | +| [aws_iam_policy.opensearch_access_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_role.opensearch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy_attachment.attach_opensearch_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_kms_key.kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | | [aws_opensearch_domain.opensearch_cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/opensearch_domain) | resource | | [aws_security_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | | [aws_security_group_rule.allow_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | @@ -77,7 +80,7 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [access\_policies](#input\_access\_policies) | IAM policy document specifying the access policies for the domain. | `string` | n/a | yes | +| [access\_policies](#input\_access\_policies) | IAM policy document specifying the access policies for the domain. | `string` | `"{}"` | no | | [advanced\_options](#input\_advanced\_options) | Key-value string pairs to specify advanced configuration options. | `map(any)` |
{
"rest.action.multi.allow_explicit_index": true
}
| no | | [advanced\_security\_anonymous\_auth\_enabled](#input\_advanced\_security\_anonymous\_auth\_enabled) | Whether the anonymous auth is enabled. | `bool` | `false` | no | | [advanced\_security\_enabled](#input\_advanced\_security\_enabled) | Whether advanced security is enabled. | `bool` | `false` | no | @@ -87,39 +90,42 @@ No modules. | [auto\_software\_update\_enabled](#input\_auto\_software\_update\_enabled) | Software update auto for the domain. | `bool` | `false` | no | | [auto\_tune\_options](#input\_auto\_tune\_options) | Configuration block for the Auto-Tune options of the domain | `any` |
{
"desired_state": "ENABLED",
"rollback_on_disable": "NO_ROLLBACK"
}
| no | | [automated\_snapshot\_start\_hour](#input\_automated\_snapshot\_start\_hour) | Hour during which the service takes an automated daily snapshot of the indices in the domain. | `number` | `0` | no | -| [availability\_zones](#input\_availability\_zones) | Availability zones used by the domain (should match the VPC). | `list(string)` | n/a | yes | | [cidr\_blocks](#input\_cidr\_blocks) | The CIDR blocks to allow access from and to. | `list(string)` | n/a | yes | | [cold\_storage\_enabled](#input\_cold\_storage\_enabled) | Indicates cold storage is enabled. | `bool` | `false` | no | +| [create\_opensearch\_role](#input\_create\_opensearch\_role) | Flag to determine if the OpenSearch role should be created | `bool` | `true` | no | | [create\_timeout](#input\_create\_timeout) | How much time to wait for the creation before timing out. | `string` | `"2h"` | no | -| [dedicated\_master\_count](#input\_dedicated\_master\_count) | Number of dedicated master nodes in the cluster. | `number` | `1` | no | +| [dedicated\_master\_count](#input\_dedicated\_master\_count) | Number of dedicated master nodes in the cluster. | `number` | `4` | no | | [dedicated\_master\_enabled](#input\_dedicated\_master\_enabled) | Indicates whether dedicated master nodes are enabled for the cluster. | `bool` | `true` | no | | [dedicated\_master\_type](#input\_dedicated\_master\_type) | Instance type of the dedicated master nodes in the cluster. | `string` | `""` | no | | [domain\_endpoint\_options](#input\_domain\_endpoint\_options) | Configuration block for domain endpoint HTTP(S) related options | `any` |
{
"enforce_https": true,
"tls_security_policy": "Policy-Min-TLS-1-2-2019-07"
}
| no | | [domain\_name](#input\_domain\_name) | Name of the domain. | `string` | n/a | yes | | [ebs\_enabled](#input\_ebs\_enabled) | Whether EBS volumes are attached to data nodes in the domain. | `bool` | `true` | no | -| [ebs\_iops](#input\_ebs\_iops) | Baseline input/output (I/O) performance of EBS volumes attached to data nodes. Applicable only for the GP3 and Provisioned IOPS EBS volume types. | `number` | n/a | yes | -| [ebs\_throughput](#input\_ebs\_throughput) | (Required if `ebs_volume_type` is set to gp3) Specifies the throughput (in MiB/s) of the EBS volumes attached to data nodes. Applicable only for the gp3 volume type. | `number` | n/a | yes | +| [ebs\_iops](#input\_ebs\_iops) | Baseline input/output (I/O) performance of EBS volumes attached to data nodes. Applicable only for the GP3 and Provisioned IOPS EBS volume types. | `number` | `3000` | no | +| [ebs\_throughput](#input\_ebs\_throughput) | (Required if `ebs_volume_type` is set to gp3) Specifies the throughput (in MiB/s) of the EBS volumes attached to data nodes. Applicable only for the gp3 volume type. | `number` | `125` | no | | [ebs\_volume\_size](#input\_ebs\_volume\_size) | Size of EBS volumes attached to data nodes. | `number` | `64` | no | | [ebs\_volume\_type](#input\_ebs\_volume\_type) | Type of EBS volumes attached to data nodes. | `string` | `"gp3"` | no | | [enable\_access\_policy](#input\_enable\_access\_policy) | Determines whether an access policy will be applied to the domain | `bool` | `true` | no | | [engine\_version](#input\_engine\_version) | OpenSearch version for the domain. 
| `string` | `"2.15"` | no | +| [iam\_role\_trust\_policy](#input\_iam\_role\_trust\_policy) | Assume role trust policy for OpenSearch role | `string` | `" {\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"Federated\": \"arn:aws:iam:::oidc-provider/oidc.eks..amazonaws.com/id/\"\n },\n \"Action\": \"sts:AssumeRoleWithWebIdentity\",\n \"Condition\": {\n \"StringEquals\": {\n \"oidc.eks..amazonaws.com/id/:sub\": \"system:serviceaccount::\"\n }\n }\n }\n ]\n }\n\n"` | no | | [instance\_count](#input\_instance\_count) | Number of instances in the cluster. | `number` | `1` | no | | [instance\_type](#input\_instance\_type) | Instance type of data nodes in the cluster. | `string` | `"t3.small.search"` | no | -| [ip\_address\_type](#input\_ip\_address\_type) | The IP address type for the endpoint. Valid values are ipv4 and dualstack | `string` | n/a | yes | +| [ip\_address\_type](#input\_ip\_address\_type) | The IP address type for the endpoint. Valid values are ipv4 and dualstack | `string` | `"ipv4"` | no | | [kms\_key\_delete\_window\_in\_days](#input\_kms\_key\_delete\_window\_in\_days) | The number of days before the KMS key is deleted after being disabled. | `number` | `7` | no | | [kms\_key\_enable\_key\_rotation](#input\_kms\_key\_enable\_key\_rotation) | Specifies whether automatic key rotation is enabled for the KMS key. | `bool` | `true` | no | | [kms\_key\_tags](#input\_kms\_key\_tags) | The tags to associate with the KMS key. | `map(string)` | `{}` | no | | [multi\_az\_with\_standby\_enabled](#input\_multi\_az\_with\_standby\_enabled) | Whether a multi-AZ domain is turned on with a standby AZ. | `bool` | `false` | no | | [node\_to\_node\_encryption\_enabled](#input\_node\_to\_node\_encryption\_enabled) | Whether node to node encryption is enabled. | `bool` | `true` | no | -| [off\_peak\_window\_options](#input\_off\_peak\_window\_options) | Configuration to add Off Peak update options | `any` |
{
"enabled": true,
"off_peak_window": {
"hours": 7
}
}
| no | +| [off\_peak\_window\_enabled](#input\_off\_peak\_window\_enabled) | Whether to enable off peak update | `bool` | `true` | no | +| [opensearch\_access\_policy](#input\_opensearch\_access\_policy) | Access policy for OpenSearch allowing access | `string` | `" {\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"es:ESHttpGet\",\n \"es:ESHttpPut\",\n \"es:ESHttpPost\"\n ],\n \"Resource\": \"arn:aws:es:::domain//*\"\n }\n ]\n }\n\n"` | no | +| [opensearch\_role\_name](#input\_opensearch\_role\_name) | Name of the OpenSearch IAM role | `string` | `"OpenSearchRole"` | no | | [security\_group\_ids](#input\_security\_group\_ids) | Additional security groups used by the domain. | `list(string)` | `[]` | no | | [subnet\_ids](#input\_subnet\_ids) | The subnet IDs to create the cluster in. For easier usage we are passing through the subnet IDs from the AWS EKS Cluster module. | `list(string)` | n/a | yes | | [tags](#input\_tags) | Tags assigned to the domain. | `map(string)` | `{}` | no | | [vpc\_id](#input\_vpc\_id) | VPC used by the domain. | `string` | n/a | yes | -| [warm\_count](#input\_warm\_count) | Number of warm nodes in the cluster. | `number` | `1` | no | +| [warm\_count](#input\_warm\_count) | Number of warm nodes in the cluster. | `number` | `2` | no | | [warm\_enabled](#input\_warm\_enabled) | Warm storage is enabled. | `bool` | `true` | no | -| [warm\_type](#input\_warm\_type) | Instance type for the OpenSearch cluster's warm nodes. | `string` | `""` | no | -| [zone\_awareness\_availability\_zone\_count](#input\_zone\_awareness\_availability\_zone\_count) | Number of availability zones used. | `number` | `1` | no | +| [warm\_type](#input\_warm\_type) | Instance type for the OpenSearch cluster's warm nodes. | `string` | `"ultrawarm1.medium.search"` | no | +| [zone\_awareness\_availability\_zone\_count](#input\_zone\_awareness\_availability\_zone\_count) | Number of availability zones used. 
| `number` | `2` | no | | [zone\_awareness\_enabled](#input\_zone\_awareness\_enabled) | Indicates whether zone awareness is enabled. | `bool` | `true` | no | ## Outputs @@ -131,6 +137,9 @@ No modules. | [opensearch\_domain\_arn](#output\_opensearch\_domain\_arn) | The ARN of the OpenSearch domain | | [opensearch\_domain\_endpoint](#output\_opensearch\_domain\_endpoint) | The endpoint of the OpenSearch domain | | [opensearch\_domain\_id](#output\_opensearch\_domain\_id) | The ID of the OpenSearch domain | +| [opensearch\_policy\_arn](#output\_opensearch\_policy\_arn) | The ARN of the OpenSearch access policy | +| [opensearch\_role\_arn](#output\_opensearch\_role\_arn) | The ARN of the OpenSearch IAM role | +| [opensearch\_role\_name](#output\_opensearch\_role\_name) | The name of the OpenSearch IAM role | | [security\_group\_id](#output\_security\_group\_id) | The ID of the security group used by OpenSearch | | [security\_group\_rule\_egress](#output\_security\_group\_rule\_egress) | Egress rule information for OpenSearch security group | | [security\_group\_rule\_ingress](#output\_security\_group\_rule\_ingress) | Ingress rule information for OpenSearch security group | diff --git a/modules/opensearch/main.tf b/modules/opensearch/main.tf index 0467521d..11914bef 100644 --- a/modules/opensearch/main.tf +++ b/modules/opensearch/main.tf @@ -7,13 +7,13 @@ resource "aws_opensearch_domain" "opensearch_cluster" { ip_address_type = var.ip_address_type vpc_options { - vpc_id = var.vpc_id subnet_ids = var.subnet_ids security_group_ids = concat([aws_security_group.this.id], var.security_group_ids) - availability_zones = var.availability_zones } - off_peak_window_options = var.off_peak_window_options + off_peak_window_options { + enabled = var.off_peak_window_enabled + } # TODO: integrate logwatch in this component but also in the other for production ready solution 
@@ -40,7 +40,7 @@ resource "aws_opensearch_domain" "opensearch_cluster" { zone_awareness_enabled = var.zone_awareness_enabled } - software_update_options = { + software_update_options { auto_software_update_enabled = var.auto_software_update_enabled } @@ -77,14 +77,19 @@ resource "aws_opensearch_domain" "opensearch_cluster" { automated_snapshot_start_hour = var.automated_snapshot_start_hour } - auto_tune_options = var.auto_tune_options + auto_tune_options { + desired_state = var.auto_tune_options.desired_state + rollback_on_disable = var.auto_tune_options.rollback_on_disable + } advanced_options = var.advanced_options - enable_access_policy = var.enable_access_policy - access_policies = var.access_policies + access_policies = var.enable_access_policy ? var.access_policies : null - domain_endpoint_options = var.domain_endpoint_options + domain_endpoint_options { + enforce_https = var.domain_endpoint_options.enforce_https + tls_security_policy = var.domain_endpoint_options.tls_security_policy + } timeouts { create = var.create_timeout @@ -92,8 +97,8 @@ resource "aws_opensearch_domain" "opensearch_cluster" { } -resource "aws_kms_key" "key" { - description = "${var.cluster_name}-key" +resource "aws_kms_key" "kms" { + description = "${var.domain_name}-key" deletion_window_in_days = var.kms_key_delete_window_in_days enable_key_rotation = var.kms_key_enable_key_rotation @@ -101,8 +106,8 @@ resource "aws_kms_key" "key" { } resource "aws_security_group" "this" { - name = "${var.cluster_name}-allow-all-internal-access" - description = "Security group managing access to ${var.cluster_name}" + name = "${var.domain_name}-allow-all-internal-access" + description = "Security group managing access to ${var.domain_name}" vpc_id = var.vpc_id 
@@ -122,13 +127,13 @@ resource "aws_security_group_rule" "allow_egress" { } resource "aws_security_group_rule" "allow_ingress" { - for_each = [9200, 9300] + for_each = toset(["9200", "9300"]) - description = "Allow incoming traffic for the OpenSearch on port ${each.value}" + description = "Allow incoming traffic for the OpenSearch on port ${each.key}" type = "ingress" - from_port = each.value - to_port = each.value + from_port = tonumber(each.key) + to_port = tonumber(each.key) protocol = "tcp" cidr_blocks = var.cidr_blocks diff --git a/modules/opensearch/outputs.tf b/modules/opensearch/outputs.tf index 87ff2384..ab00ca2a 100644 --- a/modules/opensearch/outputs.tf +++ b/modules/opensearch/outputs.tf 
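Review bot: The `allow_ingress` rule opens 9200 and 9300, but as far as I know a managed OpenSearch Service domain in a VPC only accepts client traffic on 443 (the fixture added in this commit curls `https://$OPENSEARCH_ENDPOINT`), so these rules would not admit the test client while still widening the group for ports nothing serves. Consider `for_each = toset(["443"])`, plus a comment on the rule stating which callers `var.cidr_blocks` is meant to cover. The resource block is closed outside the hunk.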
@@ -2,44 +2,71 @@ output "opensearch_cluster" { value = aws_opensearch_domain.opensearch_cluster description = "OpenSearch cluster output" + sensitive = true } output "opensearch_domain_endpoint" { description = "The endpoint of the OpenSearch domain" value = aws_opensearch_domain.opensearch_cluster.endpoint + sensitive = false } output "opensearch_domain_arn" { description = "The ARN of the OpenSearch domain" value = aws_opensearch_domain.opensearch_cluster.arn + sensitive = false } output "opensearch_domain_id" { description = "The ID of the OpenSearch domain" value = aws_opensearch_domain.opensearch_cluster.domain_id + sensitive = false } output "kms_key_arn" { description = "The ARN of the KMS key used to encrypt the OpenSearch domain" - value = aws_kms_key.key.arn + value = aws_kms_key.kms.arn + sensitive = false } output "kms_key_id" { description = "The ID of the KMS key used for OpenSearch domain encryption" - value = aws_kms_key.key.key_id + value = aws_kms_key.kms.key_id + sensitive = false } output "security_group_id" { description = "The ID of the security group used by OpenSearch" value = aws_security_group.this.id + sensitive = false } output "security_group_rule_ingress" { description = "Ingress rule information for OpenSearch security group" value = aws_security_group_rule.allow_ingress + sensitive = false } output "security_group_rule_egress" { description = "Egress rule information for OpenSearch security group" value = aws_security_group_rule.allow_egress + sensitive = false +} + +output "opensearch_role_name" { + description = "The name of the OpenSearch IAM role" + value = aws_iam_role.opensearch[0].name + sensitive = false +} + +output "opensearch_role_arn" { + description = "The ARN of the OpenSearch IAM role" + value = aws_iam_role.opensearch[0].arn + sensitive = false +} + +output "opensearch_policy_arn" { + description = "The ARN of the OpenSearch access policy" + value = aws_iam_policy.opensearch_access_policy[0].arn + sensitive = false } 
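Review bot: The three new outputs index `aws_iam_role.opensearch[0]` and `aws_iam_policy.opensearch_access_policy[0]`, but role.tf in this commit creates those resources with `count = var.create_opensearch_role ? 1 : 0`, so `create_opensearch_role = false` makes evaluation fail with an invalid-index error. Writing `value = one(aws_iam_role.opensearch[*].name)`, and the same form for the role ARN and the policy ARN, lets the outputs be null when the role is not created. The `sensitive = false` lines only restate the default, whereas marking the whole-resource `opensearch_cluster` output sensitive is the change that matters, and a comment saying why would help.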
diff --git a/modules/opensearch/role.tf b/modules/opensearch/role.tf new file mode 100644 index 00000000..385a5474 --- /dev/null +++ b/modules/opensearch/role.tf @@ -0,0 +1,25 @@ +// IAM Role for OpenSearch +resource "aws_iam_role" "opensearch" { + count = var.create_opensearch_role ? 1 : 0 + + name = var.opensearch_role_name + assume_role_policy = var.iam_role_trust_policy +} + +// IAM Policy for OpenSearch Access +resource "aws_iam_policy" "opensearch_access_policy" { + count = var.create_opensearch_role ? 1 : 0 + + name = "${var.opensearch_role_name}-access-policy" + description = "Access policy for OpenSearch" + + policy = var.opensearch_access_policy +} + +// Attach the policy to the role +resource "aws_iam_role_policy_attachment" "attach_opensearch_policy" { + count = var.create_opensearch_role ? 1 : 0 + + role = aws_iam_role.opensearch[0].name + policy_arn = aws_iam_policy.opensearch_access_policy[0].arn +} diff --git a/modules/opensearch/variables.tf b/modules/opensearch/variables.tf index 0a61f7a7..f003b48d 100644 --- a/modules/opensearch/variables.tf +++ b/modules/opensearch/variables.tf @@ -12,6 +12,11 @@ variable "engine_version" { default = "2.15" } +variable "vpc_id" { + type = string + description = "VPC used by the domain." +} + variable "subnet_ids" { type = list(string) description = "The subnet IDs to create the cluster in. For easier usage we are passing through the subnet IDs from the AWS EKS Cluster module." @@ -22,16 +27,6 @@ variable "cidr_blocks" { description = "The CIDR blocks to allow access from and to." } -variable "vpc_id" { - type = string - description = "VPC used by the domain." -} - -variable "availability_zones" { - type = list(string) - description = "Availability zones used by the domain (should match the VPC)." -} - variable "security_group_ids" { type = list(string) description = "Additional security groups used by the domain." 
@@ -71,7 +66,7 @@ variable "dedicated_master_type" { variable "dedicated_master_count" { type = number description = "Number of dedicated master nodes in the cluster." - default = 1 + default = 4 } variable "multi_az_with_standby_enabled" { @@ -89,7 +84,7 @@ variable "zone_awareness_enabled" { variable "zone_awareness_availability_zone_count" { type = number description = "Number of availability zones used." - default = 1 + default = 2 } variable "warm_enabled" { @@ -101,13 +96,13 @@ variable "warm_enabled" { variable "warm_count" { type = number description = "Number of warm nodes in the cluster." - default = 1 + default = 2 } variable "warm_type" { type = string description = "Instance type for the OpenSearch cluster's warm nodes." - default = "" + default = "ultrawarm1.medium.search" } variable "tags" { @@ -173,6 +168,7 @@ variable "advanced_security_anonymous_auth_enabled" { variable "access_policies" { type = string + default = "{}" description = "IAM policy document specifying the access policies for the domain." } @@ -190,11 +186,13 @@ variable "ebs_enabled" { variable "ebs_iops" { type = number + default = 3000 description = "Baseline input/output (I/O) performance of EBS volumes attached to data nodes. Applicable only for the GP3 and Provisioned IOPS EBS volume types." } variable "ebs_throughput" { type = number + default = 125 description = "(Required if `ebs_volume_type` is set to gp3) Specifies the throughput (in MiB/s) of the EBS volumes attached to data nodes. Applicable only for the gp3 volume type." } 
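Review bot: `dedicated_master_count` now defaults to 4, and an even number of master-eligible nodes gives no more quorum tolerance than 3; AWS guidance, as I understand it, is to use an odd count, so `default = 3` is the safer value. The new `warm_count = 2` and `warm_type = "ultrawarm1.medium.search"` defaults sit beside `instance_type = "t3.small.search"`, and I believe UltraWarm is not offered with T3 data nodes, so please confirm that a domain can be created from the defaults alone. A `validation` block on `dedicated_master_count` would make the constraint visible to callers.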
@@ -230,13 +228,14 @@ variable "domain_endpoint_options" { variable "ip_address_type" { type = string + default = "ipv4" description = "The IP address type for the endpoint. Valid values are ipv4 and dualstack" } -variable "off_peak_window_options" { - type = any - description = "Configuration to add Off Peak update options" - default = { "enabled" : true, "off_peak_window" : { "hours" : 7 } } +variable "off_peak_window_enabled" { + type = bool + default = true + description = "Whether to enable off peak update" } variable "kms_key_delete_window_in_days" { @@ -256,3 +255,62 @@ variable "kms_key_tags" { description = "The tags to associate with the KMS key." default = {} } + +variable "create_opensearch_role" { + description = "Flag to determine if the OpenSearch role should be created" + type = bool + default = true +} + +variable "opensearch_role_name" { + description = "Name of the OpenSearch IAM role" + type = string + default = "OpenSearchRole" +} + +variable "iam_role_trust_policy" { + description = "Assume role trust policy for OpenSearch role" + type = string + default = <:oidc-provider/oidc.eks..amazonaws.com/id/" + }, + "Action": "sts:AssumeRoleWithWebIdentity", + "Condition": { + "StringEquals": { + "oidc.eks..amazonaws.com/id/:sub": "system:serviceaccount::" + } + } + } + ] + } + +EOF +} + +variable "opensearch_access_policy" { + description = "Access policy for OpenSearch allowing access" + type = string + default = <::domain//*" + } + ] + } + +EOF +} diff --git a/test/src/custom_eks_opensearch_test.go b/test/src/custom_eks_opensearch_test.go index b3e82ce1..4f513770 100644 --- a/test/src/custom_eks_opensearch_test.go +++ b/test/src/custom_eks_opensearch_test.go 
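Review bot: In the `@@ -256,3 +255,62 @@` hunk, `iam_role_trust_policy` and `opensearch_access_policy` default to template documents whose account, region, OIDC id, namespace and service-account fields are unfilled, while `create_opensearch_role` defaults to `true`, so a caller who sets nothing gets a failed apply or an IAM role built from a placeholder policy. I would drop both defaults so the documents are required whenever the role is created, or default `create_opensearch_role` to `false`. The variable description should also tell callers to pin the token audience next to the `:sub` check, i.e. add `"OIDC_ISSUER:aud": "sts.amazonaws.com"` to the `StringEquals` condition, and to scope `Resource` to one domain ARN. The placeholder text appears to have been lost in this rendering of the patch, so the exact template wording is inferred.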
@@ -6,7 +6,9 @@ import (
 "github.com/aws/aws-sdk-go-v2/aws"
 "github.com/aws/aws-sdk-go-v2/service/eks"
 "github.com/aws/aws-sdk-go-v2/service/opensearch"
+ "github.com/aws/aws-sdk-go-v2/service/sts"
 "github.com/camunda/camunda-tf-eks-module/utils"
+ "github.com/gruntwork-io/terratest/modules/k8s"
 "github.com/gruntwork-io/terratest/modules/random"
 "github.com/gruntwork-io/terratest/modules/terraform"
 test_structure "github.com/gruntwork-io/terratest/modules/test-structure"
@@ -122,30 +124,89 @@ func (suite *CustomEKSOpenSearchTestSuite) TestCustomEKSAndOpenSearch() { eksSvc := eks.NewFromConfig(sess) opensearchSvc := opensearch.NewFromConfig(sess) + stsSvc := sts.NewFromConfig(sess) inputEKS := &eks.DescribeClusterInput{ Name: aws.String(suite.clusterName), } result, err := eksSvc.DescribeCluster(context.Background(), inputEKS) + suite.sugaredLogger.Infow("eks describe cluster result", "result", result, "err", err) suite.Assert().NoError(err) + _, errKubeClient := utils.NewKubeClientSet(result.Cluster) + suite.Require().NoError(errKubeClient) + utils.GenerateKubeConfigFromAWS(suite.T(), suite.region, suite.clusterName, utils.GetAwsProfile(), suite.kubeConfigPath) + // Spawn OpenSearch within the EKS VPC/subnet publicBlocks := strings.Fields(strings.Trim(terraform.Output(suite.T(), terraformOptions, "public_vpc_cidr_blocks"), "[]")) privateBlocks := strings.Fields(strings.Trim(terraform.Output(suite.T(), terraformOptions, "private_vpc_cidr_blocks"), "[]")) - opensearchDomainName := fmt.Sprintf("opensearch-%s", suite.clusterName) + opensearchDomainName := fmt.Sprintf("os-%s", suite.clusterName) opensearchMasterUserName := "opensearch-admin" opensearchMasterUserPassword := "password" + // Extract OIDC issuer and create the IRSA role with OpenSearch access + oidcProvider := *result.Cluster.Identity.Oidc.Issuer + stsIdentity, err := stsSvc.GetCallerIdentity(context.TODO(), &sts.GetCallerIdentityInput{}) + suite.Require().NoError(err, "Failed to get AWS account ID") + accountId := *stsIdentity.Account + openSearchArn := fmt.Sprintf("arn:aws:es:%s:%s:domain/%s/*", suite.region, accountId, opensearchDomainName) + suite.sugaredLogger.Infow("OpenSearch infos", "accountId", accountId, "openSearchArn", openSearchArn) + + // Create namespace and associated service account in EKS + openSearchNamespace := "opensearch" + openSearchServiceAccount := "opensearch-access-sa" + openSearchRole := "opensearch-role" + openSearchKubectlOptions := 
k8s.NewKubectlOptions("", suite.kubeConfigPath, openSearchNamespace) + utils.CreateIfNotExistsNamespace(suite.T(), openSearchKubectlOptions, openSearchNamespace) + utils.CreateIfNotExistsServiceAccount(suite.T(), openSearchKubectlOptions, openSearchServiceAccount, map[string]string{ + "eks.amazonaws.com/role-arn": fmt.Sprintf("arn:aws:iam::%s:role/%s", accountId, openSearchRole), + }) + + openSearchAccessPolicy := fmt.Sprintf(`{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "es:ESHttpGet", + "es:ESHttpPut", + "es:ESHttpPost" + ], + "Resource": "arn:aws:es:%s:%s:domain/%s/*" + } + ] +}`, suite.region, accountId, opensearchDomainName) + + iamRoleTrustPolicy := fmt.Sprintf(`{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Federated": "arn:aws:iam::%s:oidc-provider/oidc.eks.%s.amazonaws.com/id/%s" + }, + "Action": "sts:AssumeRoleWithWebIdentity", + "Condition": { + "StringEquals": { + "oidc.eks.%s.amazonaws.com/id/%s:sub": "system:serviceaccount:%s:%s" + } + } + } + ] +}`, accountId, suite.region, oidcProvider, suite.region, oidcProvider, openSearchNamespace, openSearchServiceAccount) + varsConfigOpenSearch := map[string]interface{}{ "domain_name": opensearchDomainName, "advanced_security_master_user_name": opensearchMasterUserName, "advanced_security_master_user_password": opensearchMasterUserPassword, "subnet_ids": result.Cluster.ResourcesVpcConfig.SubnetIds, - "vpc_id": *result.Cluster.ResourcesVpcConfig.VpcId, - "availability_zones": []string{fmt.Sprintf("%sa", suite.region), fmt.Sprintf("%sb", suite.region), fmt.Sprintf("%sc", suite.region)}, "cidr_blocks": append(publicBlocks, privateBlocks...), + "opensearch_access_policy": openSearchAccessPolicy, + "iam_role_trust_policy": iamRoleTrustPolicy, + "opensearch_role_name": openSearchRole, + "vpc_id": *result.Cluster.ResourcesVpcConfig.VpcId, } tfModuleOpenSearch := "opensearch/" 
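Review bot: The added lines dereference `result.Cluster` (in `utils.NewKubeClientSet(result.Cluster)` and `*result.Cluster.Identity.Oidc.Issuer`) after `suite.Assert().NoError(err)`, which records the failure but lets the test continue. A failed `DescribeCluster` would normally leave `result` nil and turn into a nil-pointer panic rather than a clear test failure. Change the check to `suite.Require().NoError(err)` and verify the issuer pointer with `suite.Require().NotNil(result.Cluster.Identity.Oidc.Issuer)` before dereferencing it. The new `Infow("eks describe cluster result", ...)` call also writes the whole response to the CI log; logging only the fields the test needs keeps endpoint and certificate details out of shared logs. `TestCustomEKSAndOpenSearch` starts and ends outside this hunk.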
@@ -189,6 +250,7 @@ func (suite *CustomEKSOpenSearchTestSuite) TestCustomEKSAndOpenSearch() { } describeDomainOutput, err := opensearchSvc.DescribeDomain(context.Background(), describeDomainInput) suite.Require().NoError(err) + suite.sugaredLogger.Infow("Domain info", "domain", describeDomainOutput) // Perform assertions on the OpenSearch domain configuration diff --git a/test/src/utils/kube.go b/test/src/utils/kube.go index 015b9655..c7bc2b5a 100644 --- a/test/src/utils/kube.go +++ b/test/src/utils/kube.go @@ -74,6 +74,28 @@ func CreateIfNotExistsNamespace(t *testing.T, kubeCtlOptions *k8s.KubectlOptions } } +func CreateIfNotExistsServiceAccount(t *testing.T, kubeCtlOptions *k8s.KubectlOptions, serviceAccountName string, annotations map[string]string) { + _, errFindSA := k8s.GetServiceAccountE(t, kubeCtlOptions, serviceAccountName) + if errFindSA != nil { + if errors.IsNotFound(errFindSA) { + // Create service account with annotations if it does not exist + serviceAccount := &corev1.ServiceAccount{ + ObjectMeta: metav1.ObjectMeta{ + Name: serviceAccountName, + Namespace: kubeCtlOptions.Namespace, + Annotations: annotations, + }, + } + clientset, errClient := k8s.GetKubernetesClientFromOptionsE(t, kubeCtlOptions) + require.NoError(t, errClient) + _, errSA := clientset.CoreV1().ServiceAccounts(kubeCtlOptions.Namespace).Create(context.Background(), serviceAccount, metav1.CreateOptions{}) + require.NoError(t, errSA) + } else { + require.NoError(t, errFindSA) + } + } +} + func GenerateKubeConfigFromAWS(t *testing.T, region, clusterName, awsProfile, configOutputPath string) { cmd := exec.Command("aws", "eks", "--region", region, "update-kubeconfig", "--name", clusterName, "--profile", awsProfile, "--kubeconfig", configOutputPath) _, errCmdKubeProfile := cmd.Output() From 9e8d5edba073b73bfadaf150565358dcbeaa527d Mon Sep 17 00:00:00 2001 
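Review bot: `CreateIfNotExistsServiceAccount` in `test/src/utils/kube.go` ignores the `annotations` argument when the service account already exists. A reused namespace can therefore keep a stale `eks.amazonaws.com/role-arn`, and the IRSA test would then run against a role other than the one it just created. I would reconcile the passed annotations on the existing object, as sketched below. The function also has no doc comment; one line stating that it creates the account if absent, and what it does with the annotations when it is present, would cover it.

```go
func CreateIfNotExistsServiceAccount(t *testing.T, kubeCtlOptions *k8s.KubectlOptions, serviceAccountName string, annotations map[string]string) {
	existing, errFindSA := k8s.GetServiceAccountE(t, kubeCtlOptions, serviceAccountName)
	if errFindSA == nil {
		// Reconcile annotations so a reused account cannot keep a stale role binding.
		clientset, errClient := k8s.GetKubernetesClientFromOptionsE(t, kubeCtlOptions)
		require.NoError(t, errClient)
		if existing.Annotations == nil {
			existing.Annotations = map[string]string{}
		}
		for key, value := range annotations {
			existing.Annotations[key] = value
		}
		_, errUpdate := clientset.CoreV1().ServiceAccounts(kubeCtlOptions.Namespace).Update(context.Background(), existing, metav1.UpdateOptions{})
		require.NoError(t, errUpdate)
		return
	}
	// … unchanged: not-found branch that creates the service account, and the error fallthrough …
```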
From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Fri, 27 Sep 2024 20:29:23 +0200 Subject: [PATCH 012/135] fine tune default options --- modules/opensearch/README.md | 8 ++++---- modules/opensearch/variables.tf | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/modules/opensearch/README.md b/modules/opensearch/README.md index f0415535..0282f507 100644 --- a/modules/opensearch/README.md +++ b/modules/opensearch/README.md @@ -88,7 +88,7 @@ No modules. | [advanced\_security\_master\_user\_name](#input\_advanced\_security\_master\_user\_name) | Main user's username, which is stored in the Amazon Elasticsearch Service domain's internal database. Only specify if `advanced_security_internal_user_database_enabled` is set to true. | `string` | `"opensearch-admin"` | no | | [advanced\_security\_master\_user\_password](#input\_advanced\_security\_master\_user\_password) | Main user's password, which is stored in the Amazon Elasticsearch Service domain's internal database. Only specify if `advanced_security_internal_user_database_enabled` is set to true. | `string` | n/a | yes | | [auto\_software\_update\_enabled](#input\_auto\_software\_update\_enabled) | Software update auto for the domain. | `bool` | `false` | no | -| [auto\_tune\_options](#input\_auto\_tune\_options) | Configuration block for the Auto-Tune options of the domain | `any` |
{
"desired_state": "ENABLED",
"rollback_on_disable": "NO_ROLLBACK"
}
| no | +| [auto\_tune\_options](#input\_auto\_tune\_options) | Configuration block for the Auto-Tune options of the domain | `any` |
{
"desired_state": "DISABLED",
"rollback_on_disable": "NO_ROLLBACK"
}
| no | | [automated\_snapshot\_start\_hour](#input\_automated\_snapshot\_start\_hour) | Hour during which the service takes an automated daily snapshot of the indices in the domain. | `number` | `0` | no | | [cidr\_blocks](#input\_cidr\_blocks) | The CIDR blocks to allow access from and to. | `list(string)` | n/a | yes | | [cold\_storage\_enabled](#input\_cold\_storage\_enabled) | Indicates cold storage is enabled. | `bool` | `false` | no | @@ -107,7 +107,7 @@ No modules. | [enable\_access\_policy](#input\_enable\_access\_policy) | Determines whether an access policy will be applied to the domain | `bool` | `true` | no | | [engine\_version](#input\_engine\_version) | OpenSearch version for the domain. | `string` | `"2.15"` | no | | [iam\_role\_trust\_policy](#input\_iam\_role\_trust\_policy) | Assume role trust policy for OpenSearch role | `string` | `" {\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"Federated\": \"arn:aws:iam:::oidc-provider/oidc.eks..amazonaws.com/id/\"\n },\n \"Action\": \"sts:AssumeRoleWithWebIdentity\",\n \"Condition\": {\n \"StringEquals\": {\n \"oidc.eks..amazonaws.com/id/:sub\": \"system:serviceaccount::\"\n }\n }\n }\n ]\n }\n\n"` | no | -| [instance\_count](#input\_instance\_count) | Number of instances in the cluster. | `number` | `1` | no | +| [instance\_count](#input\_instance\_count) | Number of instances in the cluster. | `number` | `4` | no | | [instance\_type](#input\_instance\_type) | Instance type of data nodes in the cluster. | `string` | `"t3.small.search"` | no | | [ip\_address\_type](#input\_ip\_address\_type) | The IP address type for the endpoint. Valid values are ipv4 and dualstack | `string` | `"ipv4"` | no | | [kms\_key\_delete\_window\_in\_days](#input\_kms\_key\_delete\_window\_in\_days) | The number of days before the KMS key is deleted after being disabled. | `number` | `7` | no | 
@@ -123,9 +123,9 @@ No modules. | [tags](#input\_tags) | Tags assigned to the domain. | `map(string)` | `{}` | no | | [vpc\_id](#input\_vpc\_id) | VPC used by the domain. | `string` | n/a | yes | | [warm\_count](#input\_warm\_count) | Number of warm nodes in the cluster. | `number` | `2` | no | -| [warm\_enabled](#input\_warm\_enabled) | Warm storage is enabled. | `bool` | `true` | no | +| [warm\_enabled](#input\_warm\_enabled) | Warm storage is enabled. | `bool` | `false` | no | | [warm\_type](#input\_warm\_type) | Instance type for the OpenSearch cluster's warm nodes. | `string` | `"ultrawarm1.medium.search"` | no | -| [zone\_awareness\_availability\_zone\_count](#input\_zone\_awareness\_availability\_zone\_count) | Number of availability zones used. | `number` | `2` | no | +| [zone\_awareness\_availability\_zone\_count](#input\_zone\_awareness\_availability\_zone\_count) | Number of availability zones used. | `number` | `3` | no | | [zone\_awareness\_enabled](#input\_zone\_awareness\_enabled) | Indicates whether zone awareness is enabled. | `bool` | `true` | no | ## Outputs diff --git a/modules/opensearch/variables.tf b/modules/opensearch/variables.tf index f003b48d..518b2022 100644 --- a/modules/opensearch/variables.tf +++ b/modules/opensearch/variables.tf @@ -41,7 +41,7 @@ variable "instance_type" { variable "instance_count" { type = number - default = 1 + default = 4 description = "Number of instances in the cluster." } @@ -84,13 +84,13 @@ variable "zone_awareness_enabled" { variable "zone_awareness_availability_zone_count" { type = number description = "Number of availability zones used." - default = 2 + default = 3 } variable "warm_enabled" { type = bool description = "Warm storage is enabled." - default = true + default = false } variable "warm_count" { 
@@ -217,7 +217,7 @@ variable "enable_access_policy" { variable "auto_tune_options" { type = any description = "Configuration block for the Auto-Tune options of the domain" - default = { "desired_state" : "ENABLED", "rollback_on_disable" : "NO_ROLLBACK" } + default = { "desired_state" : "DISABLED", "rollback_on_disable" : "NO_ROLLBACK" } } variable "domain_endpoint_options" { From bc772f17dc305cec42d435d7bc36cb401b97dd65 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Mon, 30 Sep 2024 15:27:49 +0200 Subject: [PATCH 013/135] fix default large type --- modules/opensearch/README.md | 2 +- modules/opensearch/variables.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/opensearch/README.md b/modules/opensearch/README.md index 0282f507..0f0b47c4 100644 --- a/modules/opensearch/README.md +++ b/modules/opensearch/README.md @@ -96,7 +96,7 @@ No modules. | [create\_timeout](#input\_create\_timeout) | How much time to wait for the creation before timing out. | `string` | `"2h"` | no | | [dedicated\_master\_count](#input\_dedicated\_master\_count) | Number of dedicated master nodes in the cluster. | `number` | `4` | no | | [dedicated\_master\_enabled](#input\_dedicated\_master\_enabled) | Indicates whether dedicated master nodes are enabled for the cluster. | `bool` | `true` | no | -| [dedicated\_master\_type](#input\_dedicated\_master\_type) | Instance type of the dedicated master nodes in the cluster. | `string` | `""` | no | +| [dedicated\_master\_type](#input\_dedicated\_master\_type) | Instance type of the dedicated master nodes in the cluster. | `string` | `"m4.large.search"` | no | | [domain\_endpoint\_options](#input\_domain\_endpoint\_options) | Configuration block for domain endpoint HTTP(S) related options | `any` |
{
"enforce_https": true,
"tls_security_policy": "Policy-Min-TLS-1-2-2019-07"
}
| no | | [domain\_name](#input\_domain\_name) | Name of the domain. | `string` | n/a | yes | | [ebs\_enabled](#input\_ebs\_enabled) | Whether EBS volumes are attached to data nodes in the domain. | `bool` | `true` | no | diff --git a/modules/opensearch/variables.tf b/modules/opensearch/variables.tf index 518b2022..dc5e6410 100644 --- a/modules/opensearch/variables.tf +++ b/modules/opensearch/variables.tf @@ -60,7 +60,7 @@ variable "dedicated_master_enabled" { variable "dedicated_master_type" { type = string description = "Instance type of the dedicated master nodes in the cluster." - default = "" + default = "m4.large.search" } variable "dedicated_master_count" { From 1a1237b886d8dc4890cbf48c1142fe13fb256a39 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Mon, 30 Sep 2024 15:29:50 +0200 Subject: [PATCH 014/135] re-enable idempotency checks for other modules than eks --- test/src/custom_eks_opensearch_test.go | 2 +- test/src/custom_eks_rds_test.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/test/src/custom_eks_opensearch_test.go b/test/src/custom_eks_opensearch_test.go index 4f513770..b350505a 100644 --- a/test/src/custom_eks_opensearch_test.go +++ b/test/src/custom_eks_opensearch_test.go @@ -236,7 +236,7 @@ func (suite *CustomEKSOpenSearchTestSuite) TestCustomEKSAndOpenSearch() { defer utils.DeferCleanup(suite.T(), suite.bucketRegion, terraformOptionsOpenSearch) } - terraform.InitAndApply(suite.T(), terraformOptionsOpenSearch) + terraform.InitAndApplyAndIdempotent(suite.T(), terraformOptionsOpenSearch) opensearchEndpoint := terraform.Output(suite.T(), terraformOptionsOpenSearch, "opensearch_domain_endpoint") suite.Assert().NotEmpty(opensearchEndpoint) diff --git a/test/src/custom_eks_rds_test.go b/test/src/custom_eks_rds_test.go index 94a7c155..eba53b74 100644 --- a/test/src/custom_eks_rds_test.go +++ b/test/src/custom_eks_rds_test.go 
@@ -187,7 +187,7 @@ func (suite *CustomEKSRDSTestSuite) TestCustomEKSAndRDS() { defer utils.DeferCleanup(suite.T(), suite.bucketRegion, terraformOptionsRDS) } - terraform.InitAndApply(suite.T(), terraformOptionsRDS) + terraform.InitAndApplyAndIdempotent(suite.T(), terraformOptionsRDS) auroraEndpoint := terraform.Output(suite.T(), terraformOptionsRDS, "aurora_endpoint") suite.Assert().NotEmpty(auroraEndpoint) From 1725cd477eaff85ff3c88091757fd6a972736b64 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Wed, 2 Oct 2024 11:19:15 +0200 Subject: [PATCH 015/135] fix destroy --- .github/actions/eks-cleanup-resources/scripts/destroy.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/actions/eks-cleanup-resources/scripts/destroy.sh b/.github/actions/eks-cleanup-resources/scripts/destroy.sh index 715eba3c..a127afb0 100755 --- a/.github/actions/eks-cleanup-resources/scripts/destroy.sh +++ b/.github/actions/eks-cleanup-resources/scripts/destroy.sh @@ -134,9 +134,7 @@ destroy_resource() { # Execute the terraform destroy command with appropriate variables (see https://github.com/hashicorp/terraform/issues/23552) if [ "$terraform_module" == "eks-cluster" ]; then - if terraform state list | grep -q "kubernetes_storage_class_v1.ebs_sc"; then - terraform state rm "kubernetes_storage_class_v1.ebs_sc" - fi + terraform state rm "kubernetes_storage_class_v1.ebs_sc" || true if ! terraform destroy -auto-approve \ -var="region=$AWS_REGION" \ @@ -157,6 +155,8 @@ destroy_resource() { if ! terraform destroy -auto-approve \ -var="domain_name=$cluster_name" \ -var="vpc_id=vpc-dummy" \ + -var="advanced_security_master_user_password=dummy" \ + -var="vpc_id=vpc-dummy" \ -var="cidr_blocks=[]" \ -var="subnet_ids=[]"; then return 1; fi From 5239e445f51330715f84e3e1323b24a4dea558f3 Mon Sep 17 00:00:00 2001 
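Review bot: In the `@@ -134,9 +134,7 @@` hunk of `destroy.sh`, `terraform state rm "kubernetes_storage_class_v1.ebs_sc" || true` hides every failure of the command, not only the "address not in state" case the removed `grep` guard covered. A state-lock or backend error is swallowed too, and `terraform destroy -auto-approve` then runs against whatever state is left. At minimum leave a trace, e.g. `terraform state rm "kubernetes_storage_class_v1.ebs_sc" || echo "state rm skipped or failed for ebs_sc" >&2`, or keep the `terraform state list` check so only the expected case is tolerated. `destroy_resource` begins and ends outside the hunk.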
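Review bot: The `@@ -157,6 +155,8 @@` hunk adds `-var="vpc_id=vpc-dummy"` a second time, directly after the new `advanced_security_master_user_password` line; the duplicate should be dropped. A short comment above the block, for example `# destroy only needs syntactically valid values for required inputs; none of these are real`, would tell readers that `dummy` here is a placeholder and not a credential that was ever applied.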
From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Wed, 2 Oct 2024 16:28:29 +0200 Subject: [PATCH 016/135] re-enable idempotency tests --- modules/eks-cluster/cluster.tf | 1 - modules/opensearch/README.md | 2 +- modules/opensearch/main.tf | 5 ++--- modules/opensearch/variables.tf | 2 +- test/src/custom_eks_opensearch_test.go | 4 ++-- test/src/custom_eks_rds_test.go | 3 +-- test/src/default_eks_test.go | 3 +-- test/src/upgrade_eks_test.go | 6 ++---- 8 files changed, 10 insertions(+), 16 deletions(-) diff --git a/modules/eks-cluster/cluster.tf b/modules/eks-cluster/cluster.tf index ac721c7c..05387f6f 100644 --- a/modules/eks-cluster/cluster.tf +++ b/modules/eks-cluster/cluster.tf @@ -103,7 +103,6 @@ module "eks" { # EKS Managed Node Group definitions eks_managed_node_groups = { services = { - labels = {} name = "services" use_name_prefix = false } diff --git a/modules/opensearch/README.md b/modules/opensearch/README.md index 0f0b47c4..46723227 100644 --- a/modules/opensearch/README.md +++ b/modules/opensearch/README.md @@ -120,7 +120,7 @@ No modules. | [opensearch\_role\_name](#input\_opensearch\_role\_name) | Name of the OpenSearch IAM role | `string` | `"OpenSearchRole"` | no | | [security\_group\_ids](#input\_security\_group\_ids) | Additional security groups used by the domain. | `list(string)` | `[]` | no | | [subnet\_ids](#input\_subnet\_ids) | The subnet IDs to create the cluster in. For easier usage we are passing through the subnet IDs from the AWS EKS Cluster module. | `list(string)` | n/a | yes | -| [tags](#input\_tags) | Tags assigned to the domain. | `map(string)` | `{}` | no | +| [tags](#input\_tags) | Tags assigned to the domain. | `map(string)` | `null` | no | | [vpc\_id](#input\_vpc\_id) | VPC used by the domain. | `string` | n/a | yes | | [warm\_count](#input\_warm\_count) | Number of warm nodes in the cluster. | `number` | `2` | no | | [warm\_enabled](#input\_warm\_enabled) | Warm storage is enabled. | `bool` | `false` | no | 
diff --git a/modules/opensearch/main.tf b/modules/opensearch/main.tf index 11914bef..5cbcf51c 100644 --- a/modules/opensearch/main.tf +++ b/modules/opensearch/main.tf @@ -31,8 +31,8 @@ resource "aws_opensearch_domain" "opensearch_cluster" { multi_az_with_standby_enabled = var.multi_az_with_standby_enabled warm_enabled = var.warm_enabled - warm_count = var.warm_count - warm_type = var.warm_type + warm_count = var.warm_enabled ? var.warm_count : null + warm_type = var.warm_enabled ? var.warm_type : null zone_awareness_config { availability_zone_count = var.zone_awareness_availability_zone_count @@ -94,7 +94,6 @@ resource "aws_opensearch_domain" "opensearch_cluster" { timeouts { create = var.create_timeout } - } resource "aws_kms_key" "kms" { diff --git a/modules/opensearch/variables.tf b/modules/opensearch/variables.tf index dc5e6410..f8effd78 100644 --- a/modules/opensearch/variables.tf +++ b/modules/opensearch/variables.tf @@ -107,7 +107,7 @@ variable "warm_type" { variable "tags" { type = map(string) - default = {} + default = null description = "Tags assigned to the domain." } diff --git a/test/src/custom_eks_opensearch_test.go b/test/src/custom_eks_opensearch_test.go index b350505a..7177d7f0 100644 --- a/test/src/custom_eks_opensearch_test.go +++ b/test/src/custom_eks_opensearch_test.go @@ -117,7 +117,7 @@ func (suite *CustomEKSOpenSearchTestSuite) TestCustomEKSAndOpenSearch() { defer utils.DeferCleanup(suite.T(), suite.bucketRegion, terraformOptions) } - terraform.InitAndApply(suite.T(), terraformOptions) + terraform.InitAndApplyAndIdempotent(suite.T(), terraformOptions) sess, err := utils.GetAwsClient() suite.Require().NoErrorf(err, "Failed to get aws client") 
@@ -157,7 +157,7 @@ func (suite *CustomEKSOpenSearchTestSuite) TestCustomEKSAndOpenSearch() { // Create namespace and associated service account in EKS openSearchNamespace := "opensearch" openSearchServiceAccount := "opensearch-access-sa" - openSearchRole := "opensearch-role" + openSearchRole := "OpenSearchRole" // please use the same as the default one for cleanup reasons openSearchKubectlOptions := k8s.NewKubectlOptions("", suite.kubeConfigPath, openSearchNamespace) utils.CreateIfNotExistsNamespace(suite.T(), openSearchKubectlOptions, openSearchNamespace) utils.CreateIfNotExistsServiceAccount(suite.T(), openSearchKubectlOptions, openSearchServiceAccount, map[string]string{ diff --git a/test/src/custom_eks_rds_test.go b/test/src/custom_eks_rds_test.go index eba53b74..e3f3f39c 100644 --- a/test/src/custom_eks_rds_test.go +++ b/test/src/custom_eks_rds_test.go @@ -119,8 +119,7 @@ func (suite *CustomEKSRDSTestSuite) TestCustomEKSAndRDS() { defer utils.DeferCleanup(suite.T(), suite.bucketRegion, terraformOptions) } - // since v20, we can't use InitAndApplyAndIdempotent due to labels being added - terraform.InitAndApply(suite.T(), terraformOptions) + terraform.InitAndApplyAndIdempotent(suite.T(), terraformOptions) sess, err := utils.GetAwsClient() suite.Require().NoErrorf(err, "Failed to get aws client") diff --git a/test/src/default_eks_test.go b/test/src/default_eks_test.go index d5df6919..34c4e0ee 100644 --- a/test/src/default_eks_test.go +++ b/test/src/default_eks_test.go @@ -121,8 +121,7 @@ func (suite *DefaultEKSTestSuite) TestDefaultEKS() { defer utils.DeferCleanup(suite.T(), suite.bucketRegion, terraformOptions) } - // since v20, we can't use InitAndApplyAndIdempotent due to labels being added - terraform.InitAndApply(suite.T(), terraformOptions) + terraform.InitAndApplyAndIdempotent(suite.T(), terraformOptions) suite.baseChecksEKS(terraformOptions) } diff --git a/test/src/upgrade_eks_test.go b/test/src/upgrade_eks_test.go index 9e1494a8..c7c1944a 100644 
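Review bot: Pinning `openSearchRole := "OpenSearchRole"` in the `@@ -157,7 +157,7 @@` hunk gives every run of this test the same IAM role name, and IAM role names are unique per account. If two runs ever overlap in one account they will contend for a single role, and each run's trust policy names a different cluster OIDC provider. Deriving the name from the cluster, e.g. `openSearchRole := fmt.Sprintf("OpenSearchRole-%s", suite.clusterName)` (subject to the IAM name-length limit), and passing the same value as `opensearch_role_name` in the cleanup script would keep runs isolated. The enclosing test function starts and ends outside the hunk.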
--- a/test/src/upgrade_eks_test.go +++ b/test/src/upgrade_eks_test.go @@ -122,8 +122,7 @@ func (suite *UpgradeEKSTestSuite) TestUpgradeEKS() { defer utils.DeferCleanup(suite.T(), suite.bucketRegion, terraformOptions) } - // since v20, we can't use InitAndApplyAndIdempotent due to labels being added - terraform.InitAndApply(suite.T(), terraformOptions) + terraform.InitAndApplyAndIdempotent(suite.T(), terraformOptions) sess, err := utils.GetAwsClient() suite.Require().NoErrorf(err, "Failed to get aws client") @@ -211,8 +210,7 @@ func (suite *UpgradeEKSTestSuite) TestUpgradeEKS() { defer utils.DeferCleanup(suite.T(), suite.bucketRegion, terraformOptions) } - // since v20, we can't use InitAndApplyAndIdempotent due to labels being added - terraform.InitAndApply(suite.T(), terraformOptions) + terraform.InitAndApplyAndIdempotent(suite.T(), terraformOptions) errClusterReady = utils.WaitUntilKubeClusterIsReady(result.Cluster, 5*time.Minute, uint64(suite.expectedNodes)) suite.Require().NoError(errClusterReady) From 9df3d7eedbe3a581e3dbb3aefc211b7a45b5df34 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Wed, 2 Oct 2024 20:57:52 +0200 Subject: [PATCH 017/135] tests: implement opensearch-client for irsa --- modules/fixtures/opensearch-client.yml | 49 ++++++++++++++++++------ modules/opensearch/main.tf | 8 ++-- test/src/custom_eks_opensearch_test.go | 52 +++++++++++++++++++++++--- test/src/custom_eks_rds_test.go | 3 +- 4 files changed, 89 insertions(+), 23 deletions(-) diff --git a/modules/fixtures/opensearch-client.yml b/modules/fixtures/opensearch-client.yml index 35845cc4..f70cf4eb 100644 --- a/modules/fixtures/opensearch-client.yml +++ b/modules/fixtures/opensearch-client.yml 
@@ -19,23 +19,53 @@ spec: - -c - | /bin/bash <<'EOF' - set -e + set -euxo pipefail echo "Installing dependencies..." - yum install -y python3-pip curl unzip + yum install -y unzip echo "Installing AWS CLI..." curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" unzip awscliv2.zip ./aws/install + echo "Installing OpenSearch CLI..." + curl -L "https://github.com/opensearch-project/opensearch-cli/releases/download/v1.2.0/opensearch-cli-1.2.0-linux-x64.zip" -o "opensearch.zip" + unzip opensearch.zip + + # Create or replace the ~/.aws/config file with the values from the environment variables + mkdir -p ~/.aws + cat < ~/.aws/config + [profile opensearch] + role_arn = "$AWS_ROLE_ARN" + web_identity_token_file = "$AWS_WEB_IDENTITY_TOKEN_FILE" + EOCONFIG + chmod 0600 ~/.aws/config + + echo "AWS IRSA profile configured:" + cat ~/.aws/config + echo "Testing OpenSearch connection using IRSA..." - export AWS_OPENSEARCH_PASSWORD=$(aws opensearch get-signature-v4-auth-token \ - --region $AWS_REGION \ - --host $OPENSEARCH_ENDPOINT \ - --username $OPENSEARCH_USERNAME) - curl -XGET -u "admin:$AWS_OPENSEARCH_PASSWORD" "https://$OPENSEARCH_ENDPOINT/_cluster/health?pretty" + # Create or replace the /root/.opensearch-cli/config.yaml file with the values from the environment variables + mkdir -p ~/.opensearch-cli + cat < ~/.opensearch-cli/config.yaml + profiles: + - name: opensearch + endpoint: https://$OPENSEARCH_ENDPOINT + aws_iam: + profile: opensearch + service: es + max_retry: 3 + timeout: 10 + EOCONFIG_OPENSEARCH + chmod 0600 ~/.opensearch-cli/config.yaml + + echo "OpenSearch CLI profile configured:" + cat ~/.opensearch-cli/config.yaml + + # Test OpenSearch connection using the opensearch profile + ./opensearch-cli curl get --path _cluster/health --profile opensearch EOF env: 
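Review bot: The job script now downloads two archives with `curl` (`awscliv2.zip` and `opensearch.zip`), unpacks them and runs the contents inside a pod that holds the IRSA web-identity token, with no integrity check on either download. The opensearch-cli URL is pinned to v1.2.0 but the AWS CLI URL always resolves to the latest build. I would pin both and verify before `unzip`, e.g. `echo "<EXPECTED_SHA256>  opensearch.zip" | sha256sum -c -` (placeholder digest), or bake both tools into the job image. Note also that `set -euxo pipefail` traces every command into the pod log, so anything sensitive added to this script later will be echoed.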
@@ -44,11 +74,6 @@ spec: configMapKeyRef: name: opensearch-config key: opensearch_endpoint - - name: OPENSEARCH_USERNAME - valueFrom: - configMapKeyRef: - name: opensearch-config - key: opensearch_username - name: AWS_REGION valueFrom: configMapKeyRef: diff --git a/modules/opensearch/main.tf b/modules/opensearch/main.tf index 5cbcf51c..7ce74098 100644 --- a/modules/opensearch/main.tf +++ b/modules/opensearch/main.tf @@ -126,13 +126,11 @@ resource "aws_security_group_rule" "allow_egress" { } resource "aws_security_group_rule" "allow_ingress" { - for_each = toset(["9200", "9300"]) - - description = "Allow incoming traffic for the OpenSearch on port ${each.key}" + description = "Allow incoming traffic for the OpenSearch on port 443" type = "ingress" - from_port = tonumber(each.key) - to_port = tonumber(each.key) + from_port = 443 + to_port = 443 protocol = "tcp" cidr_blocks = var.cidr_blocks diff --git a/test/src/custom_eks_opensearch_test.go b/test/src/custom_eks_opensearch_test.go index 7177d7f0..fcbd5442 100644 --- a/test/src/custom_eks_opensearch_test.go +++ b/test/src/custom_eks_opensearch_test.go @@ -15,10 +15,14 @@ import ( "github.com/stretchr/testify/suite" "go.uber.org/zap" "go.uber.org/zap/zaptest" + corev1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/api/errors" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "os" "path/filepath" "strings" "testing" + "time" ) type CustomEKSOpenSearchTestSuite struct { @@ -134,7 +138,7 @@ func (suite *CustomEKSOpenSearchTestSuite) TestCustomEKSAndOpenSearch() { suite.sugaredLogger.Infow("eks describe cluster result", "result", result, "err", err) suite.Assert().NoError(err) - _, errKubeClient := utils.NewKubeClientSet(result.Cluster) + kubeClient, errKubeClient := utils.NewKubeClientSet(result.Cluster) suite.Require().NoError(errKubeClient) utils.GenerateKubeConfigFromAWS(suite.T(), suite.region, suite.clusterName, utils.GetAwsProfile(), suite.kubeConfigPath) 
@@ -144,10 +148,13 @@ func (suite *CustomEKSOpenSearchTestSuite) TestCustomEKSAndOpenSearch() { opensearchDomainName := fmt.Sprintf("os-%s", suite.clusterName) opensearchMasterUserName := "opensearch-admin" - opensearchMasterUserPassword := "password" + opensearchMasterUserPassword := "password" // TODO: replace this by a random value // Extract OIDC issuer and create the IRSA role with OpenSearch access - oidcProvider := *result.Cluster.Identity.Oidc.Issuer + oidcProviderURL := *result.Cluster.Identity.Oidc.Issuer + partsOIDC := strings.Split(oidcProviderURL, "/") + oidcProviderID := partsOIDC[len(partsOIDC)-1] + stsIdentity, err := stsSvc.GetCallerIdentity(context.TODO(), &sts.GetCallerIdentityInput{}) suite.Require().NoError(err, "Failed to get AWS account ID") accountId := *stsIdentity.Account @@ -195,7 +202,7 @@ func (suite *CustomEKSOpenSearchTestSuite) TestCustomEKSAndOpenSearch() { } } ] -}`, accountId, suite.region, oidcProvider, suite.region, oidcProvider, openSearchNamespace, openSearchServiceAccount) +}`, accountId, suite.region, oidcProviderID, suite.region, oidcProviderID, openSearchNamespace, openSearchServiceAccount) varsConfigOpenSearch := map[string]interface{}{ "domain_name": opensearchDomainName, 
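Review bot: The `@@ -144,10 +148,13 @@` hunk keeps `opensearchMasterUserPassword := "password"` and only adds a TODO, so every test domain is still created with a guessable master credential for as long as it exists. Generating the value per run, or reading it from the CI secret store, closes that gap; for example `opensearchMasterUserPassword := os.Getenv("TEST_OPENSEARCH_MASTER_PASSWORD")` (variable name is an example) followed by a `suite.Require().NotEmpty(...)` check. In the same hunk, `partsOIDC[len(partsOIDC)-1]` returns an empty ID if the issuer URL ever ends in `/`; `suite.Require().NotEmpty(oidcProviderID)` would catch that before it is formatted into the trust policy.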
@@ -254,7 +261,42 @@ func (suite *CustomEKSOpenSearchTestSuite) TestCustomEKSAndOpenSearch() { // Perform assertions on the OpenSearch domain configuration - // TODO + // )))))))) + + // Test the OpenSearch connection and perform additional tests as needed + + configMapScript := &corev1.ConfigMap{ + ObjectMeta: metav1.ObjectMeta{ + Name: "opensearch-config", + Namespace: openSearchNamespace, + }, + Data: map[string]string{ + "opensearch_endpoint": opensearchEndpoint, + "aws_region": suite.region, + }, + } + + err = kubeClient.CoreV1().ConfigMaps(openSearchNamespace).Delete(context.Background(), configMapScript.Name, metav1.DeleteOptions{}) + if err != nil && !errors.IsNotFound(err) { + suite.Require().NoError(err) + } + _, err = kubeClient.CoreV1().ConfigMaps(openSearchNamespace).Create(context.Background(), configMapScript, metav1.CreateOptions{}) + k8s.WaitUntilConfigMapAvailable(suite.T(), openSearchKubectlOptions, configMapScript.Name, 6, 10*time.Second) + + // cleanup existing jobs + jobListOptions := metav1.ListOptions{LabelSelector: "app=opensearch-client"} + existingJobs := k8s.ListJobs(suite.T(), openSearchKubectlOptions, jobListOptions) + backgroundDeletion := metav1.DeletePropagationBackground + for _, job := range existingJobs { + err := kubeClient.BatchV1().Jobs(openSearchNamespace).Delete(context.Background(), job.Name, metav1.DeleteOptions{PropagationPolicy: &backgroundDeletion}) + suite.Assert().NoError(err) + } + + // deploy the postgres-client Job to test the connection + k8s.KubectlApply(suite.T(), openSearchKubectlOptions, "../../modules/fixtures/opensearch-client.yml") + errJob := utils.WaitForJobCompletion(kubeClient, openSearchNamespace, "opensearch-client", 5*time.Minute, jobListOptions) + suite.Require().NoError(errJob) + // TODO: test that without auth, the same command fails in the job } func TestCustomEKSOpenSearchTestSuite(t *testing.T) { 
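Review bot: The error returned by the `ConfigMaps(openSearchNamespace).Create(...)` call is assigned to `err` but never checked. A failed create is only noticed once `k8s.WaitUntilConfigMapAvailable` exhausts its retries, and the real cause is lost. Add `suite.Require().NoError(err)` directly after the `Create` line. The comment `// deploy the postgres-client Job to test the connection` should read `opensearch-client`, and the stray `// ))))))))` line that replaces the old `// TODO` can be dropped.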
diff --git a/test/src/custom_eks_rds_test.go b/test/src/custom_eks_rds_test.go index e3f3f39c..6bdf88f2 100644 --- a/test/src/custom_eks_rds_test.go +++ b/test/src/custom_eks_rds_test.go @@ -265,8 +265,9 @@ func (suite *CustomEKSRDSTestSuite) TestCustomEKSAndRDS() { // cleanup existing jobs jobListOptions := metav1.ListOptions{LabelSelector: "app=postgres-client"} existingJobs := k8s.ListJobs(suite.T(), pgKubeCtlOptions, jobListOptions) + backgroundDeletion := metav1.DeletePropagationBackground for _, job := range existingJobs { - err := kubeClient.BatchV1().Jobs(namespace).Delete(context.Background(), job.Name, metav1.DeleteOptions{}) + err := kubeClient.BatchV1().Jobs(namespace).Delete(context.Background(), job.Name, metav1.DeleteOptions{PropagationPolicy: &backgroundDeletion}) suite.Assert().NoError(err) } From f4e712ef20318633b95b893a639098f35cea3e20 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Thu, 3 Oct 2024 11:19:25 +0200 Subject: [PATCH 018/135] update opensearch tests --- modules/eks-cluster/README.md | 1 + modules/eks-cluster/cluster.tf | 2 ++ modules/eks-cluster/variables.tf | 6 ++++++ modules/fixtures/opensearch-client.yml | 10 ++++++++++ 4 files changed, 19 insertions(+) diff --git a/modules/eks-cluster/README.md b/modules/eks-cluster/README.md index 390c3d46..bafc975d 100644 --- a/modules/eks-cluster/README.md +++ b/modules/eks-cluster/README.md 
@@ -53,6 +53,7 @@ module "eks_cluster" { | [authentication\_mode](#input\_authentication\_mode) | The authentication mode for the cluster. | `string` | `"API"` | no | | [cluster\_node\_ipv4\_cidr](#input\_cluster\_node\_ipv4\_cidr) | The CIDR block for public and private subnets of loadbalancers and nodes. Between /28 and /16. | `string` | `"10.192.0.0/16"` | no | | [cluster\_service\_ipv4\_cidr](#input\_cluster\_service\_ipv4\_cidr) | The CIDR block to assign Kubernetes service IP addresses from. Between /24 and /12. | `string` | `"10.190.0.0/16"` | no | +| [cluster\_tags](#input\_cluster\_tags) | A map of additional tags to add to the cluster | `map(string)` | `{}` | no | | [enable\_cluster\_creator\_admin\_permissions](#input\_enable\_cluster\_creator\_admin\_permissions) | Indicates whether or not to add the cluster creator (the identity used by Terraform) as an administrator via access entry. | `bool` | `true` | no | | [kubernetes\_version](#input\_kubernetes\_version) | Kubernetes version to be used by EKS | `string` | `"1.30"` | no | | [name](#input\_name) | Name being used for relevant resources - including EKS cluster name | `string` | n/a | yes | diff --git a/modules/eks-cluster/cluster.tf b/modules/eks-cluster/cluster.tf index 05387f6f..4dab851d 100644 --- a/modules/eks-cluster/cluster.tf +++ b/modules/eks-cluster/cluster.tf @@ -12,6 +12,8 @@ module "eks" { cluster_endpoint_private_access = true # private API communication for nodes within the VPC cluster_endpoint_public_access = true # API accessible to engineers + cluster_tags = var.cluster_tags + cluster_addons = { coredns = { most_recent = true diff --git a/modules/eks-cluster/variables.tf b/modules/eks-cluster/variables.tf index 5c23ab90..4ab4dc64 100644 --- a/modules/eks-cluster/variables.tf +++ b/modules/eks-cluster/variables.tf 
@@ -35,6 +35,12 @@ variable "np_desired_node_count" { default = 4 } +variable "cluster_tags" { + type = map(string) + description = "A map of additional tags to add to the cluster" + default = {} +} + variable "np_instance_types" { type = list(string) description = "Allow passing a list of instance types for the auto scaler to select from when scaling the default node pool" diff --git a/modules/fixtures/opensearch-client.yml b/modules/fixtures/opensearch-client.yml index f70cf4eb..648a602f 100644 --- a/modules/fixtures/opensearch-client.yml +++ b/modules/fixtures/opensearch-client.yml @@ -45,6 +45,14 @@ spec: echo "AWS IRSA profile configured:" cat ~/.aws/config + # Attempt unauthenticated access to the OpenSearch cluster, expecting a failure + if curl -s -o /dev/null -w "%{http_code}" https://$OPENSEARCH_ENDPOINT/_cluster/health | grep -q '401'; then + echo "Unauthenticated access failed as expected." + else + echo "Unauthenticated access did not fail as expected, check the configuration." + exit 1 + fi + echo "Testing OpenSearch connection using IRSA..." # Create or replace the /root/.opensearch-cli/config.yaml file with the values from the environment variables @@ -66,6 +74,8 @@ spec: # Test OpenSearch connection using the opensearch profile ./opensearch-cli curl get --path _cluster/health --profile opensearch + ./opensearch-cli curl put --path /my_index --profile opensearch + ./opensearch-cli curl get --path /my_index --profile opensearch EOF env: From 32b22228d1ea219ffb7890f9a4adca9175863e15 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Thu, 3 Oct 2024 11:31:19 +0200 Subject: [PATCH 019/135] delete each cluster one by one --- .../actions/eks-cleanup-resources/README.md | 7 +++++ .../actions/eks-cleanup-resources/action.yml | 7 +++-- .../eks-cleanup-resources/scripts/destroy.sh | 15 ++++++++-- .github/workflows/test-gha-eks.yml | 29 ++++++++++++++++--- 4 files changed, 49 insertions(+), 9 deletions(-) 
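Review bot: The unauthenticated probe added in the `@@ -45,6 +45,14 @@` hunk of `opensearch-client.yml` has no time limit and discards the status it received. A stalled connection therefore holds the job until the outer wait expires, and an unexpected status gives no hint of what the domain actually returned. Capture the code first with `status=$(curl -s -o /dev/null -w "%{http_code}" --max-time 10 "https://${OPENSEARCH_ENDPOINT}/_cluster/health")`, compare it with `[ "$status" = "401" ]`, and print `$status` in the failure message. An exact comparison also removes the reliance on `grep -q` substring matching. The surrounding script starts and ends outside the hunk.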
diff --git a/.github/actions/eks-cleanup-resources/README.md b/.github/actions/eks-cleanup-resources/README.md index e41da702..722b5b4e 100644 --- a/.github/actions/eks-cleanup-resources/README.md +++ b/.github/actions/eks-cleanup-resources/README.md @@ -14,6 +14,7 @@ This GitHub Action automates the deletion of EKS resources using a shell script. | `max-age-hours` |

Maximum age of resources in hours

| `false` | `20` | | `target` |

Specify an ID to destroy specific resources or "all" to destroy all resources

| `false` | `all` | | `temp-dir` |

Temporary directory prefix used for storing resource data during processing

| `false` | `./tmp/eks-cleanup/` | +| `module-name` |

Name of the module to destroy (e.g., "eks-cluster", "aurora", "opensearch"), or "all" to destroy all modules

| `false` | `all` | ## Runs @@ -54,4 +55,10 @@ This action is a `composite` action. # # Required: false # Default: ./tmp/eks-cleanup/ + + module-name: + # Name of the module to destroy (e.g., "eks-cluster", "aurora", "opensearch"), or "all" to destroy all modules + # + # Required: false + # Default: all ``` diff --git a/.github/actions/eks-cleanup-resources/action.yml b/.github/actions/eks-cleanup-resources/action.yml index 21525c07..f6e08b35 100644 --- a/.github/actions/eks-cleanup-resources/action.yml +++ b/.github/actions/eks-cleanup-resources/action.yml @@ -4,7 +4,6 @@ name: Delete EKS resources description: | This GitHub Action automates the deletion of EKS resources using a shell script. - inputs: tf-bucket: description: Bucket containing the resources states @@ -26,6 +25,10 @@ inputs: description: Temporary directory prefix used for storing resource data during processing default: ./tmp/eks-cleanup/ + module-name: + description: Name of the module to destroy (e.g., "eks-cluster", "aurora", "opensearch"), or "all" to destroy all modules + default: all + runs: using: composite steps: @@ -38,4 +41,4 @@ runs: fi ${{ github.action_path }}/scripts/destroy.sh "${{ inputs.tf-bucket }}" ${{ github.action_path }}/../../../modules/ \ - "${{ inputs.temp-dir }}" ${{ inputs.max-age-hours }} ${{ inputs.target }} + "${{ inputs.temp-dir }}" ${{ inputs.max-age-hours }} ${{ inputs.target }} ${{ inputs.module-name }} diff --git a/.github/actions/eks-cleanup-resources/scripts/destroy.sh b/.github/actions/eks-cleanup-resources/scripts/destroy.sh index a127afb0..d2c85df9 100755 --- a/.github/actions/eks-cleanup-resources/scripts/destroy.sh +++ b/.github/actions/eks-cleanup-resources/scripts/destroy.sh @@ -9,7 +9,7 @@ set -o pipefail # is successful, it removes the corresponding S3 objects. # # Usage: -# ./destroy.sh +# ./destroy.sh [MODULE_NAME] # # Arguments: # BUCKET: The name of the S3 bucket containing the resource state files. 
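Review bot: In the last `action.yml` hunk, `${{ inputs.module-name }}` is substituted into the `run:` script text before bash parses it and is left unquoted, so a value containing spaces or shell metacharacters alters the command line instead of arriving as a single argument to `destroy.sh`. Pass it through the step environment instead: add `env:` with `MODULE_NAME: ${{ inputs.module-name }}` on the step and use `"$MODULE_NAME"` in the command. The neighbouring `${{ inputs.max-age-hours }}` and `${{ inputs.target }}` arguments on the same line follow the same pattern and would benefit from the same treatment. The step's `run:` block starts outside the hunk.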
@@ -17,18 +17,20 @@ set -o pipefail # TEMP_DIR_PREFIX: The prefix for the temporary directories created for each resource. # MIN_AGE_IN_HOURS: The minimum age (in hours) of resources to be destroyed. # ID_OR_ALL: The specific ID suffix to filter objects, or "all" to destroy all objects. +# MODULE_NAME (optional): The name of the module to destroy (e.g., "eks-cluster", "aurora", "opensearch"). Default is "all". # # Example: # ./destroy.sh tf-state-eks-ci-eu-west-3 ./modules/eks/ /tmp/eks/ 24 all -# ./destroy.sh tf-state-eks-ci-eu-west-3 ./modules/eks/ /tmp/eks/ 24 4891048 +# ./destroy.sh tf-state-eks-ci-eu-west-3 ./modules/eks/ /tmp/eks/ 24 4891048 eks-cluster # # Requirements: # - AWS CLI installed and configured with the necessary permissions to access and modify the S3 bucket. # - Terraform installed and accessible in the PATH. + # Check for required arguments if [ "$#" -ne 5 ]; then - echo "Usage: $0 " + echo "Usage: $0 [MODULE_NAME]" exit 1 fi @@ -50,6 +52,7 @@ MODULES_DIR=$2 TEMP_DIR_PREFIX=$3 MIN_AGE_IN_HOURS=$4 ID_OR_ALL=$5 +MODULE_NAME=${6:-all} FAILED=0 CURRENT_DIR=$(pwd) AWS_S3_REGION=${AWS_S3_REGION:-$AWS_REGION} @@ -203,6 +206,12 @@ for resource_id in $resources; do terraform_module=$(basename "$(dirname "$resource_id")") echo "Checking resource $resource_id (terraform module=$terraform_module)" + # Apply module name filter if specified + if [ "$MODULE_NAME" != "all" ] && [ "$MODULE_NAME" != "$terraform_module" ]; then + echo "Skipping resource $resource_id because it does not match the specified module name: $MODULE_NAME" + continue + fi + last_modified=$(aws s3api head-object --bucket "$BUCKET" --key "$resource_id" --output json | grep LastModified | awk -F '"' '{print $4}') if [ -z "$last_modified" ]; then echo "Error: Failed to retrieve last modified timestamp for resource $resource_id" diff --git a/.github/workflows/test-gha-eks.yml b/.github/workflows/test-gha-eks.yml index b5efb0b3..e6e39ed6 100644 --- a/.github/workflows/test-gha-eks.yml 
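Review bot: The argument-count guard `if [ "$#" -ne 5 ]; then` is left unchanged in the `@@ -17,18 +17,20 @@` hunk, while the usage text and `MODULE_NAME=${6:-all}` introduce a sixth argument, so any call that passes a module name exits with the usage message before doing any work. The composite action in this commit now always appends `${{ inputs.module-name }}`, so as shown the cleanup steps would fail and leave the test infrastructure running. Change the guard to `if [ "$#" -lt 5 ] || [ "$#" -gt 6 ]; then`. Since the module filter compares against `basename "$(dirname "$resource_id")"`, it is also worth rejecting a `MODULE_NAME` that matches no directory under `MODULES_DIR`, so a typo does not silently skip every resource.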
+++ b/.github/workflows/test-gha-eks.yml @@ -190,7 +190,6 @@ jobs: availability-zones: ${{ steps.after_cluster_creation_infos.outputs.availability_zones }} - - name: Deploy OpenSearch Domain uses: ./.github/actions/opensearch-manage-cluster id: deploy_opensearch_domain @@ -201,14 +200,35 @@ jobs: vpc-id: ${{ steps.after_cluster_creation_infos.outputs.vpc_id }} subnet-ids: ${{ steps.after_cluster_creation_infos.outputs.private_subnet_ids }} cidr-blocks: ${{ steps.after_cluster_creation_infos.outputs.private_vpc_cidr_blocks }} - availability-zones: ${{ steps.after_cluster_creation_infos.outputs.availability_zones }} s3-backend-bucket: ${{ env.TF_STATE_BUCKET }} s3-bucket-region: ${{ env.TF_STATE_BUCKET_REGION }} tf-modules-revision: ${{ steps.commit_info.outputs.tf_modules_revision }} - - name: Delete Clusters - timeout-minutes: 60 + - name: Delete OpenSearch cluster + timeout-minutes: 30 + if: always() && env.CREATE_OPENSEARCH == 'true' && !(github.event_name == 'workflow_dispatch' && inputs.delete_cluster == 'false') + uses: ./.github/actions/eks-cleanup-resources + with: + tf-bucket: ${{ env.TF_STATE_BUCKET }} + tf-bucket-region: ${{ env.TF_STATE_BUCKET_REGION }} + max-age-hours: 0 + target: ${{ steps.commit_info.outputs.cluster_name }} + module-name: opensearch + + - name: Delete Aurora cluster + timeout-minutes: 30 + if: always() && env.CREATE_DB == 'true' && !(github.event_name == 'workflow_dispatch' && inputs.delete_cluster == 'false') + uses: ./.github/actions/eks-cleanup-resources + with: + tf-bucket: ${{ env.TF_STATE_BUCKET }} + tf-bucket-region: ${{ env.TF_STATE_BUCKET_REGION }} + max-age-hours: 0 + target: ${{ steps.commit_info.outputs.cluster_name }} + module-name: aurora + + - name: Delete EKS cluster + timeout-minutes: 30 if: always() && !(github.event_name == 'workflow_dispatch' && inputs.delete_cluster == 'false') uses: ./.github/actions/eks-cleanup-resources with: 
@@ -216,6 +236,7 @@ jobs: tf-bucket-region: ${{ env.TF_STATE_BUCKET_REGION }} max-age-hours: 0 target: ${{ steps.commit_info.outputs.cluster_name }} + module-name: eks-cluster - name: Notify in Slack in case of failure id: slack-notification From abc4dd3839eaf3fa1db1dd5d273e021d616b9591 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Thu, 3 Oct 2024 11:35:54 +0200 Subject: [PATCH 020/135] remove password auth in opensearch --- test/src/custom_eks_opensearch_test.go | 24 ++++++++---------------- 1 file changed, 8 insertions(+), 16 deletions(-) diff --git a/test/src/custom_eks_opensearch_test.go b/test/src/custom_eks_opensearch_test.go index fcbd5442..b095933b 100644 --- a/test/src/custom_eks_opensearch_test.go +++ b/test/src/custom_eks_opensearch_test.go @@ -78,7 +78,6 @@ func (suite *CustomEKSOpenSearchTestSuite) TearDownTest() { // TestCustomEKSAndOpenSearch spawns a custom EKS cluster with custom parameters, and spawns a // a curl pod that will try to reach the OpenSearch cluster -// TODO: implement IRSA connection in the pod https://github.com/opensearch-project/logstash-output-opensearch/issues/96 func (suite *CustomEKSOpenSearchTestSuite) TestCustomEKSAndOpenSearch() { suite.varTf = map[string]interface{}{ "name": suite.clusterName, @@ -147,8 +146,6 @@ func (suite *CustomEKSOpenSearchTestSuite) TestCustomEKSAndOpenSearch() { privateBlocks := strings.Fields(strings.Trim(terraform.Output(suite.T(), terraformOptions, "private_vpc_cidr_blocks"), "[]")) opensearchDomainName := fmt.Sprintf("os-%s", suite.clusterName) - opensearchMasterUserName := "opensearch-admin" - opensearchMasterUserPassword := "password" // TODO: replace this by a random value // Extract OIDC issuer and create the IRSA role with OpenSearch access oidcProviderURL := *result.Cluster.Identity.Oidc.Issuer 
@@ -205,15 +202,13 @@ func (suite *CustomEKSOpenSearchTestSuite) TestCustomEKSAndOpenSearch() { }`, accountId, suite.region, oidcProviderID, suite.region, oidcProviderID, openSearchNamespace, openSearchServiceAccount) varsConfigOpenSearch := map[string]interface{}{ - "domain_name": opensearchDomainName, - "advanced_security_master_user_name": opensearchMasterUserName, - "advanced_security_master_user_password": opensearchMasterUserPassword, - "subnet_ids": result.Cluster.ResourcesVpcConfig.SubnetIds, - "cidr_blocks": append(publicBlocks, privateBlocks...), - "opensearch_access_policy": openSearchAccessPolicy, - "iam_role_trust_policy": iamRoleTrustPolicy, - "opensearch_role_name": openSearchRole, - "vpc_id": *result.Cluster.ResourcesVpcConfig.VpcId, + "domain_name": opensearchDomainName, + "subnet_ids": result.Cluster.ResourcesVpcConfig.SubnetIds, + "cidr_blocks": append(publicBlocks, privateBlocks...), + "opensearch_access_policy": openSearchAccessPolicy, + "iam_role_trust_policy": iamRoleTrustPolicy, + "opensearch_role_name": openSearchRole, + "vpc_id": *result.Cluster.ResourcesVpcConfig.VpcId, } tfModuleOpenSearch := "opensearch/" @@ -249,8 +244,6 @@ func (suite *CustomEKSOpenSearchTestSuite) TestCustomEKSAndOpenSearch() { // Test the OpenSearch connection and perform additional tests as needed - // TODO - // Retrieve OpenSearch information describeDomainInput := &opensearch.DescribeDomainInput{ DomainName: aws.String(varsConfigOpenSearch["domain_name"].(string)), @@ -261,7 +254,7 @@ func (suite *CustomEKSOpenSearchTestSuite) TestCustomEKSAndOpenSearch() { // Perform assertions on the OpenSearch domain configuration - // )))))))) + // TODO: implement those tests // Test the OpenSearch connection and perform additional tests as needed 
@@ -296,7 +289,6 @@ func (suite *CustomEKSOpenSearchTestSuite) TestCustomEKSAndOpenSearch() { k8s.KubectlApply(suite.T(), openSearchKubectlOptions, "../../modules/fixtures/opensearch-client.yml") errJob := utils.WaitForJobCompletion(kubeClient, openSearchNamespace, "opensearch-client", 5*time.Minute, jobListOptions) suite.Require().NoError(errJob) - // TODO: test that without auth, the same command fails in the job } func TestCustomEKSOpenSearchTestSuite(t *testing.T) { From 21f84f18b40f05a71e3e3d924d9384dfa6e2e7c6 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Thu, 3 Oct 2024 12:47:39 +0200 Subject: [PATCH 021/135] wip tests --- .../actions/aurora-manage-cluster/README.md | 7 ++ .../actions/aurora-manage-cluster/action.yml | 6 ++ .../opensearch-manage-cluster/README.md | 7 ++ .../opensearch-manage-cluster/action.yml | 13 ++- .github/workflows/test-gha-eks.yml | 2 + README.md | 2 + modules/aurora/README.md | 7 ++ modules/aurora/main.tf | 39 +-------- modules/aurora/monitoring.tf | 1 + modules/aurora/networking.tf | 33 +++++++ modules/aurora/role.tf | 25 ++++++ modules/aurora/variables.tf | 58 +++++++++++++ modules/eks-cluster/monitoring.tf | 1 + modules/fixtures/opensearch-client.yml | 2 +- modules/opensearch/README.md | 10 +-- modules/opensearch/main.tf | 34 -------- modules/opensearch/monitoring.tf | 1 + modules/opensearch/networking.tf | 32 +++++++ modules/opensearch/variables.tf | 11 +-- test/src/custom_eks_opensearch_test.go | 22 ++--- test/src/custom_eks_rds_test.go | 86 ++++++++++++++++--- test/src/go.mod | 3 +- test/src/go.sum | 2 + test/src/utils/aws.go | 14 +++ 24 files changed, 311 insertions(+), 107 deletions(-) create mode 100644 modules/aurora/monitoring.tf create mode 100644 modules/aurora/networking.tf create mode 100644 modules/aurora/role.tf create mode 100644 modules/eks-cluster/monitoring.tf create mode 100644 modules/opensearch/monitoring.tf create mode 100644 modules/opensearch/networking.tf 
diff --git a/.github/actions/aurora-manage-cluster/README.md b/.github/actions/aurora-manage-cluster/README.md index a6f98677..d3e20023 100644 --- a/.github/actions/aurora-manage-cluster/README.md +++ b/.github/actions/aurora-manage-cluster/README.md @@ -10,6 +10,7 @@ This action will also install Terraform and awscli. It will output the Aurora cl | name | description | required | default | | --- | --- | --- | --- | +| `aws-region` |

AWS region where the cluster will be deployed

| `true` | `""` | | `cluster-name` |

Name of the RDS Aurora cluster to deploy

| `true` | `""` | | `username` |

Username for the PostgreSQL admin user

| `true` | `""` | | `password` |

Password for the PostgreSQL admin user

| `true` | `""` | @@ -47,6 +48,12 @@ This action is a `composite` action. ```yaml - uses: camunda/camunda-tf-eks-module/.github/actions/aurora-manage-cluster@main with: + aws-region: + # AWS region where the cluster will be deployed + # + # Required: true + # Default: "" + cluster-name: # Name of the RDS Aurora cluster to deploy # diff --git a/.github/actions/aurora-manage-cluster/action.yml b/.github/actions/aurora-manage-cluster/action.yml index 53b6940f..29f62ed9 100644 --- a/.github/actions/aurora-manage-cluster/action.yml +++ b/.github/actions/aurora-manage-cluster/action.yml @@ -6,6 +6,10 @@ description: | This action will also install Terraform and awscli. It will output the Aurora cluster endpoint. inputs: + aws-region: + description: AWS region where the cluster will be deployed + required: true + cluster-name: description: Name of the RDS Aurora cluster to deploy required: true @@ -110,6 +114,8 @@ runs: awscli-version: ${{ inputs.awscli-version }} terraform-version: ${{ inputs.terraform-version }} + aws-region: ${{ inputs.aws-region }} + s3-backend-bucket: ${{ inputs.s3-backend-bucket }} s3-bucket-region: ${{ inputs.s3-bucket-region }} diff --git a/.github/actions/opensearch-manage-cluster/README.md b/.github/actions/opensearch-manage-cluster/README.md index 655c3f21..34784342 100644 --- a/.github/actions/opensearch-manage-cluster/README.md +++ b/.github/actions/opensearch-manage-cluster/README.md @@ -10,6 +10,7 @@ It will also install Terraform and awscli. It will output the OpenSearch domain | name | description | required | default | | --- | --- | --- | --- | +| `aws-region` |

AWS region where the cluster will be deployed

| `true` | `""` | | `domain-name` |

Name of the OpenSearch domain to deploy

| `true` | `""` | | `engine-version` |

Version of the OpenSearch engine to deploy

| `false` | `2.15` | | `vpc-id` |

VPC ID to create the domain in

| `true` | `""` | @@ -47,6 +48,12 @@ This action is a `composite` action. ```yaml - uses: camunda/camunda-tf-eks-module/.github/actions/opensearch-manage-cluster@main with: + aws-region: + # AWS region where the cluster will be deployed + # + # Required: true + # Default: "" + domain-name: # Name of the OpenSearch domain to deploy # diff --git a/.github/actions/opensearch-manage-cluster/action.yml b/.github/actions/opensearch-manage-cluster/action.yml index abdbcbdb..2b70d038 100644 --- a/.github/actions/opensearch-manage-cluster/action.yml +++ b/.github/actions/opensearch-manage-cluster/action.yml @@ -6,6 +6,10 @@ description: | It will also install Terraform and awscli. It will output the OpenSearch domain endpoint. inputs: + aws-region: + description: AWS region where the cluster will be deployed + required: true + domain-name: description: Name of the OpenSearch domain to deploy required: true @@ -87,7 +91,7 @@ inputs: outputs: opensearch-endpoint: description: The endpoint of the deployed OpenSearch domain - value: ${{ steps.apply.outputs.opensearch_endpoint }} + value: ${{ steps.fetch_outputs.outputs.opensearch_endpoint }} terraform-state-url: description: URL of the Terraform state file in the S3 bucket @@ -107,6 +111,8 @@ runs: awscli-version: ${{ inputs.awscli-version }} terraform-version: ${{ inputs.tf-terraform-version }} + aws-region: ${{ inputs.aws-region }} + s3-backend-bucket: ${{ inputs.s3-backend-bucket }} s3-bucket-region: ${{ inputs.s3-bucket-region }} 
@@ -157,13 +163,14 @@ runs: working-directory: ${{ inputs.tf-modules-path }}/modules/opensearch/ run: | terraform apply -no-color opensearch.plan - export opensearch_endpoint="$(terraform output -raw opensearch_endpoint)" - echo "opensearch_endpoint=$opensearch_endpoint" >> "$GITHUB_OUTPUT" - name: Fetch Terraform Outputs shell: bash id: fetch_outputs working-directory: ${{ inputs.tf-modules-path }}/modules/opensearch/ run: | + export opensearch_endpoint="$(terraform output -raw opensearch_endpoint)" + echo "opensearch_endpoint=$opensearch_endpoint" >> "$GITHUB_OUTPUT" + all_outputs=$(terraform output -json | jq -c .) echo "all_terraform_outputs=$all_outputs" | tee -a "$GITHUB_OUTPUT" diff --git a/.github/workflows/test-gha-eks.yml b/.github/workflows/test-gha-eks.yml index e6e39ed6..1e2e4967 100644 --- a/.github/workflows/test-gha-eks.yml +++ b/.github/workflows/test-gha-eks.yml @@ -179,6 +179,7 @@ jobs: cluster-name: ${{ steps.commit_info.outputs.cluster_name }} username: ${{ steps.commit_info.outputs.db_username }} password: ${{ steps.commit_info.outputs.db_password }} + aws-region: ${{ env.AWS_REGION }} s3-backend-bucket: ${{ env.TF_STATE_BUCKET }} s3-bucket-region: ${{ env.TF_STATE_BUCKET_REGION }} @@ -196,6 +197,7 @@ jobs: if: env.CREATE_OPENSEARCH == 'true' with: domain-name: ${{ steps.commit_info.outputs.cluster_name }}-opensearch + aws-region: ${{ env.AWS_REGION }} vpc-id: ${{ steps.after_cluster_creation_infos.outputs.vpc_id }} subnet-ids: ${{ steps.after_cluster_creation_infos.outputs.private_subnet_ids }} diff --git a/README.md b/README.md index 6033a774..b9cd90a5 100644 --- a/README.md +++ b/README.md @@ -50,6 +50,8 @@ module "postgresql" { } ``` +# TODO: explain how to use IRSA and associated templating with real example + #### GitHub Actions You can automate the deployment and deletion of the EKS cluster and Aurora database using GitHub Actions. Below are examples of GitHub Actions workflows for deploying and deleting these resources. 
diff --git a/modules/aurora/README.md b/modules/aurora/README.md index edf0cb41..2a9ecd48 100644 --- a/modules/aurora/README.md +++ b/modules/aurora/README.md @@ -36,6 +36,9 @@ No modules. | Name | Type | |------|------| | [aws_db_subnet_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_subnet_group) | resource | +| [aws_iam_policy.aurora_access_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_role.aurora_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy_attachment.attach_aurora_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_kms_key.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | | [aws_rds_cluster.aurora_cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster) | resource | | [aws_rds_cluster_instance.aurora_instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster_instance) | resource | 
@@ -54,7 +57,11 @@ No modules. | [default\_database\_name](#input\_default\_database\_name) | The name for the automatically created database on cluster creation. | `string` | `"camunda"` | no | | [engine](#input\_engine) | The engine type e.g. aurora, aurora-mysql, aurora-postgresql, ... | `string` | `"aurora-postgresql"` | no | | [engine\_version](#input\_engine\_version) | The DB engine version for Postgres to use. | `string` | `"15.4"` | no | +| [iam\_aurora\_access\_policy](#input\_iam\_aurora\_access\_policy) | Access policy for Aurora allowing access | `string` | `" {\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"rds-db:connect\"\n ],\n \"Resource\": \"arn:aws:rds-db:::dbuser:/\"\n }\n ]\n }\n\n"` | no | +| [iam\_aurora\_role\_name](#input\_iam\_aurora\_role\_name) | Name of the AuroraRole IAM role | `string` | `"AuroraRole"` | no | | [iam\_auth\_enabled](#input\_iam\_auth\_enabled) | Determines whether IAM auth should be activated for IRSA usage | `bool` | `false` | no | +| [iam\_create\_aurora\_role](#input\_iam\_create\_aurora\_role) | Flag to determine if the Aurora IAM role should be created, if true, this module will create a role. Please ensure that iam\_auth\_enabled is set to `true` | `bool` | `true` | no | +| [iam\_role\_trust\_policy](#input\_iam\_role\_trust\_policy) | Assume role trust policy for Aurora role | `string` | `" {\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"Federated\": \"arn:aws:iam:::oidc-provider/oidc.eks..amazonaws.com/id/\"\n },\n \"Action\": \"sts:AssumeRoleWithWebIdentity\",\n \"Condition\": {\n \"StringEquals\": {\n \"oidc.eks..amazonaws.com/id/:sub\": \"system:serviceaccount::\"\n }\n }\n }\n ]\n }\n\n"` | no | | [iam\_roles](#input\_iam\_roles) | Allows propagating additional IAM roles to the Aurora cluster to allow e.g. 
access to S3 | `list(string)` | `[]` | no | | [instance\_class](#input\_instance\_class) | The instance type of the Aurora instances | `string` | `"db.t3.medium"` | no | | [num\_instances](#input\_num\_instances) | Number of instances | `string` | `"1"` | no | diff --git a/modules/aurora/main.tf b/modules/aurora/main.tf index 185a162b..ce8d5d22 100644 --- a/modules/aurora/main.tf +++ b/modules/aurora/main.tf @@ -11,9 +11,10 @@ resource "aws_rds_cluster" "aurora_cluster" { master_username = var.username database_name = var.default_database_name - # New: Enable IAM auth + assign iam roles iam_database_authentication_enabled = var.iam_auth_enabled - iam_roles = var.iam_roles # only needed if wanted to grant access from Aurora to e.g. S3 + + # don't assign twice the roles, otherwise you may encounter conflicts + iam_roles = var.iam_roles # only needed if wanted to grant access from Aurora to e.g. S3 vpc_security_group_ids = [aws_security_group.this.id] db_subnet_group_name = aws_db_subnet_group.this.name @@ -67,40 +68,6 @@ resource "aws_rds_cluster_instance" "aurora_instance" { depends_on = [aws_rds_cluster.aurora_cluster] } -resource "aws_security_group" "this" { - name = "${var.cluster_name}-allow-all-internal-access" - description = "Security group managing access to ${var.cluster_name}" - - vpc_id = var.vpc_id - - tags = var.tags -} - -resource "aws_security_group_rule" "allow_egress" { - description = "Allow outgoing traffic for the aurora db" - - type = "egress" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = var.cidr_blocks - - security_group_id = aws_security_group.this.id - -} - -resource "aws_security_group_rule" "allow_ingress" { - description = "Allow incoming traffic for the aurora db for port 5432" - - type = "ingress" - from_port = 5432 - to_port = 5432 - protocol = "tcp" - cidr_blocks = var.cidr_blocks - - security_group_id = aws_security_group.this.id -} - resource "aws_db_subnet_group" "this" { name = var.cluster_name 
diff --git a/modules/aurora/monitoring.tf b/modules/aurora/monitoring.tf new file mode 100644 index 00000000..912d2f82 --- /dev/null +++ b/modules/aurora/monitoring.tf @@ -0,0 +1 @@ +# TODO: add monitoring diff --git a/modules/aurora/networking.tf b/modules/aurora/networking.tf new file mode 100644 index 00000000..523478b4 --- /dev/null +++ b/modules/aurora/networking.tf @@ -0,0 +1,33 @@ +resource "aws_security_group" "this" { + name = "${var.cluster_name}-allow-all-internal-access" + description = "Security group managing access to ${var.cluster_name}" + + vpc_id = var.vpc_id + + tags = var.tags +} + +resource "aws_security_group_rule" "allow_egress" { + description = "Allow outgoing traffic for the aurora db" + + type = "egress" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = var.cidr_blocks + + security_group_id = aws_security_group.this.id + +} + +resource "aws_security_group_rule" "allow_ingress" { + description = "Allow incoming traffic for the aurora db for port 5432" + + type = "ingress" + from_port = 5432 + to_port = 5432 + protocol = "tcp" + cidr_blocks = var.cidr_blocks + + security_group_id = aws_security_group.this.id +} diff --git a/modules/aurora/role.tf b/modules/aurora/role.tf new file mode 100644 index 00000000..1df6461a --- /dev/null +++ b/modules/aurora/role.tf 
@@ -0,0 +1,25 @@ +// IAM Role for Aurora +resource "aws_iam_role" "aurora_role" { + count = var.iam_create_aurora_role ? 1 : 0 + + name = var.iam_aurora_role_name + assume_role_policy = var.iam_role_trust_policy +} + +// IAM Policy for Aurora Access +resource "aws_iam_policy" "aurora_access_policy" { + count = var.iam_create_aurora_role ? 1 : 0 + + name = "${var.iam_aurora_role_name}-access-policy" + description = "Access policy for Aurora" + + policy = var.iam_aurora_access_policy +} + +// Attach the policy to the role +resource "aws_iam_role_policy_attachment" "attach_aurora_policy" { + count = var.iam_create_aurora_role ? 1 : 0 + + role = aws_iam_role.aurora_role[0].name + policy_arn = aws_iam_policy.aurora_access_policy[0].arn +} diff --git a/modules/aurora/variables.tf b/modules/aurora/variables.tf index 565b7a5f..f4941f1b 100644 --- a/modules/aurora/variables.tf +++ b/modules/aurora/variables.tf 
@@ -93,3 +93,61 @@ variable "default_database_name" { default = "camunda" description = "The name for the automatically created database on cluster creation." } + +variable "iam_create_aurora_role" { + description = "Flag to determine if the Aurora IAM role should be created, if true, this module will create a role. Please ensure that iam_auth_enabled is set to `true`" + type = bool + default = true +} + +variable "iam_aurora_role_name" { + description = "Name of the AuroraRole IAM role" + type = string + default = "AuroraRole" +} + +variable "iam_role_trust_policy" { + description = "Assume role trust policy for Aurora role" + type = string + default = <:oidc-provider/oidc.eks..amazonaws.com/id/" + }, + "Action": "sts:AssumeRoleWithWebIdentity", + "Condition": { + "StringEquals": { + "oidc.eks..amazonaws.com/id/:sub": "system:serviceaccount::" + } + } + } + ] + } + +EOF +} + +variable "iam_aurora_access_policy" { + # see https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html + description = "Access policy for Aurora allowing access" + type = string + default = <::dbuser:/" + } + ] + } + +EOF +} diff --git a/modules/eks-cluster/monitoring.tf b/modules/eks-cluster/monitoring.tf new file mode 100644 index 00000000..912d2f82 --- /dev/null +++ b/modules/eks-cluster/monitoring.tf @@ -0,0 +1 @@ +# TODO: add monitoring diff --git a/modules/fixtures/opensearch-client.yml b/modules/fixtures/opensearch-client.yml index 648a602f..ad8d336a 100644 --- a/modules/fixtures/opensearch-client.yml +++ b/modules/fixtures/opensearch-client.yml 
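Review bot: `iam_create_aurora_role` defaults to `true`, while the defaults of `iam_role_trust_policy` and `iam_aurora_access_policy` appear, as rendered here, to be templates with the account, region, OIDC provider and service-account fields unfilled. A caller who upgrades without setting them would have `role.tf` attempt to create an IAM role from a policy that is not usable. Default the flag to `false` (`default = false`), or give the two policy variables no default so callers must supply a trust condition pinned to one namespace and service account and an `rds-db:connect` resource limited to one database user. The description asks for `iam_auth_enabled` to be `true` but nothing enforces it; `count = var.iam_create_aurora_role && var.iam_auth_enabled ? 1 : 0` in `role.tf` would. The fixed default name `AuroraRole` is account-wide, so two clusters in one account would collide unless the name includes `var.cluster_name`.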
@@ -46,7 +46,7 @@ spec: cat ~/.aws/config # Attempt unauthenticated access to the OpenSearch cluster, expecting a failure - if curl -s -o /dev/null -w "%{http_code}" https://$OPENSEARCH_ENDPOINT/_cluster/health | grep -q '401'; then + if curl -s -o /dev/null -w "%{http_code}" https://$OPENSEARCH_ENDPOINT/_cluster/health | grep -q '403'; then echo "Unauthenticated access failed as expected." else echo "Unauthenticated access did not fail as expected, check the configuration." diff --git a/modules/opensearch/README.md b/modules/opensearch/README.md index 46723227..0cc767a5 100644 --- a/modules/opensearch/README.md +++ b/modules/opensearch/README.md 
@@ -86,13 +86,12 @@ No modules. | [advanced\_security\_enabled](#input\_advanced\_security\_enabled) | Whether advanced security is enabled. | `bool` | `false` | no | | [advanced\_security\_internal\_user\_database\_enabled](#input\_advanced\_security\_internal\_user\_database\_enabled) | Whether the internal user database is enabled. | `bool` | `false` | no | | [advanced\_security\_master\_user\_name](#input\_advanced\_security\_master\_user\_name) | Main user's username, which is stored in the Amazon Elasticsearch Service domain's internal database. Only specify if `advanced_security_internal_user_database_enabled` is set to true. | `string` | `"opensearch-admin"` | no | -| [advanced\_security\_master\_user\_password](#input\_advanced\_security\_master\_user\_password) | Main user's password, which is stored in the Amazon Elasticsearch Service domain's internal database. Only specify if `advanced_security_internal_user_database_enabled` is set to true. | `string` | n/a | yes | +| [advanced\_security\_master\_user\_password](#input\_advanced\_security\_master\_user\_password) | Main user's password, which is stored in the Amazon Elasticsearch Service domain's internal database. Only specify if `advanced_security_internal_user_database_enabled` is set to true. | `string` | `""` | no | | [auto\_software\_update\_enabled](#input\_auto\_software\_update\_enabled) | Software update auto for the domain. | `bool` | `false` | no | | [auto\_tune\_options](#input\_auto\_tune\_options) | Configuration block for the Auto-Tune options of the domain | `any` |
{
"desired_state": "DISABLED",
"rollback_on_disable": "NO_ROLLBACK"
}
| no | | [automated\_snapshot\_start\_hour](#input\_automated\_snapshot\_start\_hour) | Hour during which the service takes an automated daily snapshot of the indices in the domain. | `number` | `0` | no | | [cidr\_blocks](#input\_cidr\_blocks) | The CIDR blocks to allow access from and to. | `list(string)` | n/a | yes | | [cold\_storage\_enabled](#input\_cold\_storage\_enabled) | Indicates cold storage is enabled. | `bool` | `false` | no | -| [create\_opensearch\_role](#input\_create\_opensearch\_role) | Flag to determine if the OpenSearch role should be created | `bool` | `true` | no | | [create\_timeout](#input\_create\_timeout) | How much time to wait for the creation before timing out. | `string` | `"2h"` | no | | [dedicated\_master\_count](#input\_dedicated\_master\_count) | Number of dedicated master nodes in the cluster. | `number` | `4` | no | | [dedicated\_master\_enabled](#input\_dedicated\_master\_enabled) | Indicates whether dedicated master nodes are enabled for the cluster. | `bool` | `true` | no | 
@@ -106,6 +105,9 @@ No modules. | [ebs\_volume\_type](#input\_ebs\_volume\_type) | Type of EBS volumes attached to data nodes. | `string` | `"gp3"` | no | | [enable\_access\_policy](#input\_enable\_access\_policy) | Determines whether an access policy will be applied to the domain | `bool` | `true` | no | | [engine\_version](#input\_engine\_version) | OpenSearch version for the domain. | `string` | `"2.15"` | no | +| [iam\_create\_opensearch\_role](#input\_iam\_create\_opensearch\_role) | Flag to determine if the OpenSearch role should be created | `bool` | `false` | no | +| [iam\_opensearch\_access\_policy](#input\_iam\_opensearch\_access\_policy) | Access policy for OpenSearch allowing access | `string` | `" {\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"es:ESHttpGet\",\n \"es:ESHttpPut\",\n \"es:ESHttpPost\"\n ],\n \"Resource\": \"arn:aws:es:::domain//*\"\n }\n ]\n }\n\n"` | no | +| [iam\_opensearch\_role\_name](#input\_iam\_opensearch\_role\_name) | Name of the OpenSearch IAM role | `string` | `"OpenSearchRole"` | no | | [iam\_role\_trust\_policy](#input\_iam\_role\_trust\_policy) | Assume role trust policy for OpenSearch role | `string` | `" {\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"Federated\": \"arn:aws:iam:::oidc-provider/oidc.eks..amazonaws.com/id/\"\n },\n \"Action\": \"sts:AssumeRoleWithWebIdentity\",\n \"Condition\": {\n \"StringEquals\": {\n \"oidc.eks..amazonaws.com/id/:sub\": \"system:serviceaccount::\"\n }\n }\n }\n ]\n }\n\n"` | no | | [instance\_count](#input\_instance\_count) | Number of instances in the cluster. | `number` | `4` | no | | [instance\_type](#input\_instance\_type) | Instance type of data nodes in the cluster. | `string` | `"t3.small.search"` | no | 
@@ -116,11 +118,9 @@ No modules. | [multi\_az\_with\_standby\_enabled](#input\_multi\_az\_with\_standby\_enabled) | Whether a multi-AZ domain is turned on with a standby AZ. | `bool` | `false` | no | | [node\_to\_node\_encryption\_enabled](#input\_node\_to\_node\_encryption\_enabled) | Whether node to node encryption is enabled. | `bool` | `true` | no | | [off\_peak\_window\_enabled](#input\_off\_peak\_window\_enabled) | Whether to enable off peak update | `bool` | `true` | no | -| [opensearch\_access\_policy](#input\_opensearch\_access\_policy) | Access policy for OpenSearch allowing access | `string` | `" {\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"es:ESHttpGet\",\n \"es:ESHttpPut\",\n \"es:ESHttpPost\"\n ],\n \"Resource\": \"arn:aws:es:::domain//*\"\n }\n ]\n }\n\n"` | no | -| [opensearch\_role\_name](#input\_opensearch\_role\_name) | Name of the OpenSearch IAM role | `string` | `"OpenSearchRole"` | no | | [security\_group\_ids](#input\_security\_group\_ids) | Additional security groups used by the domain. | `list(string)` | `[]` | no | | [subnet\_ids](#input\_subnet\_ids) | The subnet IDs to create the cluster in. For easier usage we are passing through the subnet IDs from the AWS EKS Cluster module. | `list(string)` | n/a | yes | -| [tags](#input\_tags) | Tags assigned to the domain. | `map(string)` | `null` | no | +| [tags](#input\_tags) | Tags assigned to the domain. | `map(string)` | `{}` | no | | [vpc\_id](#input\_vpc\_id) | VPC used by the domain. | `string` | n/a | yes | | [warm\_count](#input\_warm\_count) | Number of warm nodes in the cluster. | `number` | `2` | no | | [warm\_enabled](#input\_warm\_enabled) | Warm storage is enabled. | `bool` | `false` | no | diff --git a/modules/opensearch/main.tf b/modules/opensearch/main.tf index 7ce74098..95f3882e 100644 --- a/modules/opensearch/main.tf +++ b/modules/opensearch/main.tf 
@@ -103,38 +103,4 @@ resource "aws_kms_key" "kms" { tags = var.kms_key_tags } - -resource "aws_security_group" "this" { - name = "${var.domain_name}-allow-all-internal-access" - description = "Security group managing access to ${var.domain_name}" - - vpc_id = var.vpc_id - - tags = var.tags -} - -resource "aws_security_group_rule" "allow_egress" { - description = "Allow outgoing traffic for the OpenSearch" - - type = "egress" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = var.cidr_blocks - - security_group_id = aws_security_group.this.id -} - -resource "aws_security_group_rule" "allow_ingress" { - description = "Allow incoming traffic for the OpenSearch on port 443" - - type = "ingress" - from_port = 443 - to_port = 443 - protocol = "tcp" - cidr_blocks = var.cidr_blocks - - security_group_id = aws_security_group.this.id -} - # TODO: test backup diff --git a/modules/opensearch/monitoring.tf b/modules/opensearch/monitoring.tf new file mode 100644 index 00000000..912d2f82 --- /dev/null +++ b/modules/opensearch/monitoring.tf @@ -0,0 +1 @@ +# TODO: add monitoring diff --git a/modules/opensearch/networking.tf b/modules/opensearch/networking.tf new file mode 100644 index 00000000..940044e7 --- /dev/null +++ b/modules/opensearch/networking.tf 
@@ -0,0 +1,32 @@ +resource "aws_security_group" "this" { + name = "${var.domain_name}-allow-all-internal-access" + description = "Security group managing access to ${var.domain_name}" + + vpc_id = var.vpc_id + + tags = var.tags +} + +resource "aws_security_group_rule" "allow_egress" { + description = "Allow outgoing traffic for the OpenSearch" + + type = "egress" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = var.cidr_blocks + + security_group_id = aws_security_group.this.id +} + +resource "aws_security_group_rule" "allow_ingress" { + description = "Allow incoming traffic for the OpenSearch on port 443" + + type = "ingress" + from_port = 443 + to_port = 443 + protocol = "tcp" + cidr_blocks = var.cidr_blocks + + security_group_id = aws_security_group.this.id +} diff --git a/modules/opensearch/variables.tf b/modules/opensearch/variables.tf index f8effd78..493df1f2 100644 --- a/modules/opensearch/variables.tf +++ b/modules/opensearch/variables.tf @@ -107,7 +107,7 @@ variable "warm_type" { variable "tags" { type = map(string) - default = null + default = {} description = "Tags assigned to the domain." } @@ -157,6 +157,7 @@ variable "advanced_security_master_user_name" { variable "advanced_security_master_user_password" { type = string + default = "" description = "Main user's password, which is stored in the Amazon Elasticsearch Service domain's internal database. Only specify if `advanced_security_internal_user_database_enabled` is set to true." } @@ -256,13 +257,13 @@ variable "kms_key_tags" { default = {} } -variable "create_opensearch_role" { +variable "iam_create_opensearch_role" { description = "Flag to determine if the OpenSearch role should be created" type = bool - default = true + default = false } -variable "opensearch_role_name" { +variable "iam_opensearch_role_name" { description = "Name of the OpenSearch IAM role" type = string default = "OpenSearchRole" 
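Review bot: `aws_security_group_rule.allow_egress` in the new networking.tf opens every protocol and port (`protocol = "-1"`, ports 0 to 0) to `var.cidr_blocks`, while the ingress rule beside it is limited to TCP 443. If the domain does not need to initiate connections, the egress rule could be narrowed to `protocol = "tcp"` with `from_port = 443` and `to_port = 443`, or dropped. The group name `${var.domain_name}-allow-all-internal-access` also overstates what the rules grant; something like `${var.domain_name}-opensearch-access` would match the description. The resources are moved unchanged from main.tf, so this is a follow-up rather than a regression.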
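Review bot: In the `@@ -157,6 +157,7 @@` hunk of variables.tf, `advanced_security_master_user_password` gains `default = ""` and is not marked sensitive. A caller who enables the internal user database without setting it now gets past variable checking with an empty master password, and any value that is set is shown in plan output. I would add `sensitive = true` and use `default = null` instead of the empty string. A `precondition` on the domain resource could then require a non-empty value whenever `advanced_security_internal_user_database_enabled` is true.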
@@ -293,7 +294,7 @@ variable "iam_role_trust_policy" { EOF } -variable "opensearch_access_policy" { +variable "iam_opensearch_access_policy" { description = "Access policy for OpenSearch allowing access" type = string default = < Date: Thu, 3 Oct 2024 16:42:56 +0200 Subject: [PATCH 022/135] update tests --- .github/workflows/tests.yml | 3 --- modules/aurora/README.md | 3 +++ modules/aurora/output.tf | 18 ++++++++++++++ modules/eks-cluster/README.md | 1 + modules/eks-cluster/cluster.tf | 2 ++ modules/eks-cluster/variables.tf | 6 +++++ modules/opensearch/role.tf | 12 ++++----- test/src/custom_eks_opensearch_test.go | 34 ++++++++++++++++++++++---- test/src/custom_eks_rds_test.go | 1 - 9 files changed, 65 insertions(+), 15 deletions(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index f74075b1..d437bca2 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -1,9 +1,6 @@ --- name: Terraform modules tests -# TODO: add opensearch - - on: schedule: - cron: 0 1 * * 2 diff --git a/modules/aurora/README.md b/modules/aurora/README.md index 2a9ecd48..270a2e5e 100644 --- a/modules/aurora/README.md +++ b/modules/aurora/README.md @@ -75,4 +75,7 @@ No modules. | Name | Description | |------|-------------| | [aurora\_endpoint](#output\_aurora\_endpoint) | The endpoint of the Aurora cluster | +| [aurora\_policy\_arn](#output\_aurora\_policy\_arn) | The ARN of the aurora access policy | +| [aurora\_role\_arn](#output\_aurora\_role\_arn) | The ARN of the aurora IAM role | +| [aurora\_role\_name](#output\_aurora\_role\_name) | The name of the aurora IAM role | diff --git a/modules/aurora/output.tf b/modules/aurora/output.tf index fcdf1738..c7ef69c1 100644 --- a/modules/aurora/output.tf +++ b/modules/aurora/output.tf 
@@ -2,3 +2,21 @@ output "aurora_endpoint" { value = aws_rds_cluster.aurora_cluster.endpoint description = "The endpoint of the Aurora cluster" } + +output "aurora_role_name" { + description = "The name of the aurora IAM role" + value = aws_iam_role.aurora_role[0].name + sensitive = false +} + +output "aurora_role_arn" { + description = "The ARN of the aurora IAM role" + value = aws_iam_role.aurora_role[0].arn + sensitive = false +} + +output "aurora_policy_arn" { + description = "The ARN of the aurora access policy" + value = aws_iam_policy.aurora_access_policy[0].arn + sensitive = false +} diff --git a/modules/eks-cluster/README.md b/modules/eks-cluster/README.md index bafc975d..46f45067 100644 --- a/modules/eks-cluster/README.md +++ b/modules/eks-cluster/README.md @@ -62,6 +62,7 @@ module "eks_cluster" { | [np\_desired\_node\_count](#input\_np\_desired\_node\_count) | Actual number of nodes for the default node pool. Min-Max will be used for autoscaling | `number` | `4` | no | | [np\_disk\_size](#input\_np\_disk\_size) | Disk size of the nodes on the default node pool | `number` | `20` | no | | [np\_instance\_types](#input\_np\_instance\_types) | Allow passing a list of instance types for the auto scaler to select from when scaling the default node pool | `list(string)` |
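Review bot: The three new outputs index `aws_iam_role.aurora_role[0]` and `aws_iam_policy.aurora_access_policy[0]` unconditionally. If those resources are gated by `count = var.iam_create_aurora_role ? 1 : 0` (their definitions are not in this hunk, but the OpenSearch role in this series is written that way), setting the flag to `false` makes every plan fail with an invalid-index error. `value = try(aws_iam_role.aurora_role[0].name, null)` or `value = one(aws_iam_role.aurora_role[*].name)` keeps the outputs valid in both cases. `sensitive = false` is the default and can be omitted.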
[
"m6i.xlarge"
]
| no | +| [np\_labels](#input\_np\_labels) | A map of labels to add to the default pool nodes | `map(string)` | `{}` | no | | [np\_max\_node\_count](#input\_np\_max\_node\_count) | Maximum number of nodes for the default node pool | `number` | `10` | no | | [np\_min\_node\_count](#input\_np\_min\_node\_count) | Minimum number of nodes for the default node pool | `number` | `1` | no | | [region](#input\_region) | The region where the cluster and relevant resources should be deployed in | `string` | n/a | yes | diff --git a/modules/eks-cluster/cluster.tf b/modules/eks-cluster/cluster.tf index 4dab851d..f37a3ea8 100644 --- a/modules/eks-cluster/cluster.tf +++ b/modules/eks-cluster/cluster.tf @@ -86,6 +86,8 @@ module "eks" { instance_types = var.np_instance_types capacity_type = var.np_capacity_type + labels = var.np_labels + update_config = { max_unavailable = 1 } diff --git a/modules/eks-cluster/variables.tf b/modules/eks-cluster/variables.tf index 4ab4dc64..7609e0ff 100644 --- a/modules/eks-cluster/variables.tf +++ b/modules/eks-cluster/variables.tf @@ -35,6 +35,12 @@ variable "np_desired_node_count" { default = 4 } +variable "np_labels" { + type = map(string) + description = "A map of labels to add to the default pool nodes" + default = {} +} + variable "cluster_tags" { type = map(string) description = "A map of additional tags to add to the cluster" diff --git a/modules/opensearch/role.tf b/modules/opensearch/role.tf index 385a5474..be12de8c 100644 --- a/modules/opensearch/role.tf +++ b/modules/opensearch/role.tf 
@@ -1,24 +1,24 @@ // IAM Role for OpenSearch resource "aws_iam_role" "opensearch" { - count = var.create_opensearch_role ? 1 : 0 + count = var.iam_create_opensearch_role ? 1 : 0 - name = var.opensearch_role_name + name = var.iam_opensearch_role_name assume_role_policy = var.iam_role_trust_policy } // IAM Policy for OpenSearch Access resource "aws_iam_policy" "opensearch_access_policy" { - count = var.create_opensearch_role ? 1 : 0 + count = var.iam_create_opensearch_role ? 1 : 0 - name = "${var.opensearch_role_name}-access-policy" + name = "${var.iam_opensearch_role_name}-access-policy" description = "Access policy for OpenSearch" - policy = var.opensearch_access_policy + policy = var.iam_opensearch_access_policy } // Attach the policy to the role resource "aws_iam_role_policy_attachment" "attach_opensearch_policy" { - count = var.create_opensearch_role ? 1 : 0 + count = var.iam_create_opensearch_role ? 1 : 0 role = aws_iam_role.opensearch[0].name policy_arn = aws_iam_policy.opensearch_access_policy[0].arn diff --git a/test/src/custom_eks_opensearch_test.go b/test/src/custom_eks_opensearch_test.go index 8c58bb9f..3fd3ba6d 100644 --- a/test/src/custom_eks_opensearch_test.go +++ b/test/src/custom_eks_opensearch_test.go @@ -5,7 +5,9 @@ import ( "fmt" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/eks" + "github.com/aws/aws-sdk-go-v2/service/iam" "github.com/aws/aws-sdk-go-v2/service/opensearch" + "github.com/aws/aws-sdk-go-v2/service/opensearch/types" "github.com/aws/aws-sdk-go-v2/service/sts" "github.com/camunda/camunda-tf-eks-module/utils" "github.com/gruntwork-io/terratest/modules/k8s" 
@@ -126,8 +128,9 @@ func (suite *CustomEKSOpenSearchTestSuite) TestCustomEKSAndOpenSearch() { suite.Require().NoErrorf(err, "Failed to get aws client") eksSvc := eks.NewFromConfig(sess) - opensearchSvc := opensearch.NewFromConfig(sess) + openSearchSvc := opensearch.NewFromConfig(sess) stsSvc := sts.NewFromConfig(sess) + iamSvc := iam.NewFromConfig(sess) inputEKS := &eks.DescribeClusterInput{ Name: aws.String(suite.clusterName), 
@@ -248,16 +251,37 @@ func (suite *CustomEKSOpenSearchTestSuite) TestCustomEKSAndOpenSearch() { describeDomainInput := &opensearch.DescribeDomainInput{ DomainName: aws.String(varsConfigOpenSearch["domain_name"].(string)), } - describeDomainOutput, err := opensearchSvc.DescribeDomain(context.Background(), describeDomainInput) + describeOpenSearchDomainOutput, err := openSearchSvc.DescribeDomain(context.Background(), describeDomainInput) suite.Require().NoError(err) - suite.sugaredLogger.Infow("Domain info", "domain", describeDomainOutput) + suite.sugaredLogger.Infow("Domain info", "domain", describeOpenSearchDomainOutput) + + suite.sugaredLogger.Infow("DescribeDomain info", "domain", describeOpenSearchDomainOutput.DomainStatus.EngineVersion) // Perform assertions on the OpenSearch domain configuration + suite.Assert().Equal(varsConfigOpenSearch["domain_name"].(string), *describeOpenSearchDomainOutput.DomainStatus.DomainName) + suite.Assert().Equal(int32(4), *describeOpenSearchDomainOutput.DomainStatus.ClusterConfig.InstanceCount) + suite.Assert().Equal(types.OpenSearchPartitionInstanceType("t3.small.search"), describeOpenSearchDomainOutput.DomainStatus.ClusterConfig.InstanceType) + suite.Assert().Equal(varsConfigOpenSearch["vpc_id"].(string), *describeOpenSearchDomainOutput.DomainStatus.VPCOptions.VPCId) - // TODO: implement those tests + // Verify security group information + suite.Assert().NotEmpty(describeOpenSearchDomainOutput.DomainStatus.VPCOptions.SecurityGroupIds) - // Test the OpenSearch connection and perform additional tests as needed + // Retrieve the IAM Role associated with OpenSearch + describeOpenSearchRoleInput := &iam.GetRoleInput{ + RoleName: aws.String(varsConfigOpenSearch["iam_opensearch_role_name"].(string)), + } + _, err = iamSvc.GetRole(context.Background(), describeOpenSearchRoleInput) + suite.Require().NoError(err) + // Verify IAM Policy Attachment + listAttachedPoliciesInput := &iam.ListAttachedRolePoliciesInput{ + RoleName: 
aws.String(varsConfigOpenSearch["iam_opensearch_role_name"].(string)), + } + _, err = iamSvc.ListAttachedRolePolicies(context.Background(), listAttachedPoliciesInput) + suite.Require().NoError(err) + + // Test the OpenSearch connection and perform additional tests as needed + suite.Assert().NotEmpty(opensearchEndpoint) configMapScript := &corev1.ConfigMap{ ObjectMeta: metav1.ObjectMeta{ Name: "opensearch-config", diff --git a/test/src/custom_eks_rds_test.go b/test/src/custom_eks_rds_test.go index 09e3bc3b..8bdd989b 100644 --- a/test/src/custom_eks_rds_test.go +++ b/test/src/custom_eks_rds_test.go @@ -354,7 +354,6 @@ func (suite *CustomEKSRDSTestSuite) TestCustomEKSAndRDS() { suite.Assert().Equal(varsConfigAurora["username"].(string), *describeDBClusterOutput.DBClusters[0].MasterUsername) suite.Assert().Equal(auroraDatabase, *describeDBClusterOutput.DBClusters[0].DatabaseName) suite.Assert().Equal(int32(5432), *describeDBClusterOutput.DBClusters[0].Port) - suite.Assert().Equal("15.4", *describeDBClusterOutput.DBClusters[0].EngineVersion) suite.Assert().ElementsMatch(expectedRDSAZ, describeDBClusterOutput.DBClusters[0].AvailabilityZones) suite.Assert().Equal(varsConfigAurora["cluster_name"].(string), *describeDBClusterOutput.DBClusters[0].DBClusterIdentifier) From 878e43699fa57fb92c7a7d32f396fb8e7472c6bd Mon Sep 17 00:00:00 2001 
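Review bot: The block commented `// Verify IAM Policy Attachment` discards the result of `ListAttachedRolePolicies`, as the `GetRole` call above it does, so the test passes for a role that exists with no policy attached. Keep the output and assert on it, for example `attached, err := iamSvc.ListAttachedRolePolicies(context.Background(), listAttachedPoliciesInput)` followed by `suite.Assert().NotEmpty(attached.AttachedPolicies)`, ideally checking for the `-access-policy` suffixed name that role.tf builds. The new assertions also dereference `DomainStatus.ClusterConfig.InstanceCount` and `DomainStatus.VPCOptions.VPCId` without a nil check, which turns a missing field into a panic instead of a test failure; a `suite.Require().NotNil(...)` before each would avoid that. The test function starts and ends outside this hunk.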
From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Thu, 3 Oct 2024 18:34:57 +0200 Subject: [PATCH 023/135] update tests --- modules/aurora/backup.tf | 1 + modules/aurora/main.tf | 1 - modules/eks-cluster/backup.tf | 1 + modules/fixtures/postgres-client-irsa.yml | 80 ------------------- modules/fixtures/postgres-client.yml | 55 +++++++++---- .../fixtures/scripts/create_aurora_pg_db.sh | 10 --- modules/opensearch/backup.tf | 1 + modules/opensearch/main.tf | 1 - test/src/custom_eks_rds_test.go | 67 +++++----------- 9 files changed, 65 insertions(+), 152 deletions(-) create mode 100644 modules/aurora/backup.tf create mode 100644 modules/eks-cluster/backup.tf delete mode 100644 modules/fixtures/postgres-client-irsa.yml delete mode 100755 modules/fixtures/scripts/create_aurora_pg_db.sh create mode 100644 modules/opensearch/backup.tf diff --git a/modules/aurora/backup.tf b/modules/aurora/backup.tf new file mode 100644 index 00000000..5f1ea5e0 --- /dev/null +++ b/modules/aurora/backup.tf @@ -0,0 +1 @@ +# TODO: add backup diff --git a/modules/aurora/main.tf b/modules/aurora/main.tf index ce8d5d22..fcd4c8e2 100644 --- a/modules/aurora/main.tf +++ b/modules/aurora/main.tf @@ -1,6 +1,5 @@ # Provision an RDS Aurora cluster suitable for operating within our VPC and VPN connectivity. -# TODO: add backup resource "aws_rds_cluster" "aurora_cluster" { cluster_identifier = var.cluster_name availability_zones = var.availability_zones diff --git a/modules/eks-cluster/backup.tf b/modules/eks-cluster/backup.tf new file mode 100644 index 00000000..5f1ea5e0 --- /dev/null +++ b/modules/eks-cluster/backup.tf @@ -0,0 +1 @@ +# TODO: add backup diff --git a/modules/fixtures/postgres-client-irsa.yml b/modules/fixtures/postgres-client-irsa.yml deleted file mode 100644 index 664393f8..00000000 --- a/modules/fixtures/postgres-client-irsa.yml +++ /dev/null 
@@ -1,80 +0,0 @@ ---- -# this manifest contains a version with the IRSA connection check, it is currently listed as a TODO -# it may be implemented or dropped depending on if it's relevant or not to test IRSA connection for the db -apiVersion: batch/v1 -kind: Job -metadata: - name: postgres-client - labels: - app: postgres-client -spec: - backoffLimit: 0 - template: - spec: - restartPolicy: Never - containers: - - name: postgres-client - image: ubuntu:latest - command: - - sh - - -c - - | - /bin/bash <<'EOF' - set -o pipefail && \ - apt-get update && \ - apt-get install -y python3 python3-pip build-essential postgresql-client && \ - echo "Creating IRSA db user" && \ - mkdir -p /tmp/scripts && \ - cp /scripts/create_aurora_pg_db.sh /tmp/scripts/create_aurora_pg_db.sh && \ - chmod +x /tmp/scripts/create_aurora_pg_db.sh && /tmp/scripts/create_aurora_pg_db.sh && \ - echo "Testing connection using IRSA" && \ - python3 -m pip install awscli && \ - AWS_PG_PASSWORD=$(aws rds generate-db-auth-token --hostname $AURORA_ENDPOINT --port $AURORA_PORT \ - --region $AWS_REGION --username $AURORA_USERNAME_IRSA) && \ - psql -h $AURORA_ENDPOINT -p $AURORA_PORT "dbname=$AURORA_DB_NAME user=$AURORA_USERNAME_IRSA password=$AWS_PG_PASSWORD" -c 'SELECT version();' - - EOF - volumeMounts: - - name: scripts - mountPath: /scripts - readOnly: true - env: - - name: AURORA_ENDPOINT - valueFrom: - configMapKeyRef: - name: aurora-config - key: aurora_endpoint - - name: AURORA_USERNAME - valueFrom: - configMapKeyRef: - name: aurora-config - key: aurora_username - - name: AURORA_USERNAME_IRSA - valueFrom: - configMapKeyRef: - name: aurora-config - key: aurora_username_irsa - - name: AURORA_PASSWORD - valueFrom: - secretKeyRef: - name: aurora-secret - key: aurora_password - - name: AURORA_PORT - valueFrom: - configMapKeyRef: - name: aurora-config - key: aurora_port - - name: AWS_REGION - valueFrom: - configMapKeyRef: - name: aurora-config - key: aws_region - - name: AURORA_DB_NAME - valueFrom: - 
configMapKeyRef: - name: aurora-config - key: aurora_db_name - volumes: - - name: scripts - configMap: - name: postgres-scripts diff --git a/modules/fixtures/postgres-client.yml b/modules/fixtures/postgres-client.yml index 213fdd3e..f53ecc68 100644 --- a/modules/fixtures/postgres-client.yml +++ b/modules/fixtures/postgres-client.yml @@ -1,4 +1,5 @@ --- +# this manifest contains a version with the IRSA connection check apiVersion: batch/v1 kind: Job metadata: @@ -9,6 +10,7 @@ spec: backoffLimit: 0 template: spec: + serviceAccountName: aurora-access-sa restartPolicy: Never containers: - name: postgres-client 
@@ -18,19 +20,46 @@ spec: - -c - | /bin/bash <<'EOF' - set -o pipefail && \ - apt-get update && \ - apt-get install -y python3 python3-pip build-essential postgresql-client && \ - echo "Creating IRSA db user" && \ - mkdir -p /tmp/scripts && \ - cp /scripts/create_aurora_pg_db.sh /tmp/scripts/create_aurora_pg_db.sh && \ - chmod +x /tmp/scripts/create_aurora_pg_db.sh && /tmp/scripts/create_aurora_pg_db.sh + set -o pipefail + + echo "Installing dependencies..." + apt-get update + apt-get install -y curl postgresql-client unzip + + echo "Installing AWS CLI..." + curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" + unzip awscliv2.zip + ./aws/install + + echo "Creating IRSA db user using admin user" + psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=$AURORA_DB_NAME user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ + -c "CREATE USER \"${AURORA_USERNAME_IRSA}\" WITH LOGIN;" \ + -c "GRANT rds_iam TO \"${AURORA_USERNAME_IRSA}\";" \ + -c "GRANT rds_superuser TO \"${AURORA_USERNAME_IRSA}\";" \ + -c "GRANT ALL PRIVILEGES ON DATABASE \"${AURORA_DB_NAME}\" TO \"${AURORA_USERNAME_IRSA}\";" \ + -c "SELECT aurora_version();" \ + -c "SELECT version();" -c "\du" + + # Attempt unauthenticated access to the Aurora PostgreSQL database, expecting a failure + if psql -h "$AURORA_ENDPOINT" \ + -p "$AURORA_PORT" \ + "sslmode=require dbname=$AURORA_DB_NAME user=$AURORA_USERNAME_IRSA" \ + -c 'SELECT version();' 2>&1 | grep -q 'password authentication failed'; then + echo "Unauthenticated access failed as expected." + else + echo "Unauthenticated access did not fail as expected, check the configuration." 
+ exit 1 + fi + + echo "Testing connection using IRSA" + export AWS_PG_PASSWORD=$(aws rds generate-db-auth-token --hostname $AURORA_ENDPOINT --port $AURORA_PORT \ + --region $AWS_REGION --username $AURORA_USERNAME_IRSA) + psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=$AURORA_DB_NAME user=$AURORA_USERNAME_IRSA password=$AWS_PG_PASSWORD" \ + -c 'SELECT version();' + + sleep 30000 EOF - volumeMounts: - - name: scripts - mountPath: /scripts - readOnly: true env: - name: AURORA_ENDPOINT valueFrom: @@ -67,7 +96,3 @@ spec: configMapKeyRef: name: aurora-config key: aurora_db_name - volumes: - - name: scripts - configMap: - name: postgres-scripts diff --git a/modules/fixtures/scripts/create_aurora_pg_db.sh b/modules/fixtures/scripts/create_aurora_pg_db.sh deleted file mode 100755 index beb67b16..00000000 --- a/modules/fixtures/scripts/create_aurora_pg_db.sh +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -# see https://github.com/camunda/infra-core/tree/opensearch-cluster/camunda-opensearch#user-setup -psql -h $AURORA_ENDPOINT -p $AURORA_PORT "dbname=$AURORA_DB_NAME user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ - -c "CREATE USER \"${AURORA_USERNAME_IRSA}\" WITH LOGIN;" \ - -c "GRANT rds_iam TO \"${AURORA_USERNAME_IRSA}\";" \ - -c "GRANT rds_superuser TO \"${AURORA_USERNAME_IRSA}\";" \ - -c "GRANT ALL PRIVILEGES ON DATABASE \"${AURORA_DB_NAME}\" TO \"${AURORA_USERNAME_IRSA}\";" \ - -c "SELECT aurora_version();" \ - -c "SELECT version();" -c "\du" diff --git a/modules/opensearch/backup.tf b/modules/opensearch/backup.tf new file mode 100644 index 00000000..7856a5df --- /dev/null +++ b/modules/opensearch/backup.tf @@ -0,0 +1 @@ +# TODO: test backup diff --git a/modules/opensearch/main.tf b/modules/opensearch/main.tf index 95f3882e..c1de0203 100644 --- a/modules/opensearch/main.tf +++ b/modules/opensearch/main.tf @@ -103,4 +103,3 @@ resource "aws_kms_key" "kms" { tags = var.kms_key_tags } -# TODO: test backup 
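Review bot: The negative check `if psql ... 2>&1 | grep -q 'password authentication failed'` runs under `set -o pipefail`, so when psql is refused as intended, its non-zero exit makes the whole pipeline false and the script takes the `exit 1` branch. Capture the output first with `out=$(psql ... 2>&1 || true)` and then test it with `grep -q 'password authentication failed' <<<"$out"`. Conversely, nothing else in the script is fatal now that the `&& \` chain is gone: without `set -e`, a failed install or a failed IRSA `psql` is ignored, and the trailing `sleep 30000` decides the Job's exit status, so it should be removed. Separately, `GRANT rds_superuser` gives the IRSA user far more than a connectivity test needs, and the AWS CLI zip is installed without an integrity check.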
diff --git a/test/src/custom_eks_rds_test.go b/test/src/custom_eks_rds_test.go index 8bdd989b..424c45a7 100644 --- a/test/src/custom_eks_rds_test.go +++ b/test/src/custom_eks_rds_test.go @@ -155,15 +155,22 @@ func (suite *CustomEKSRDSTestSuite) TestCustomEKSAndRDS() { accountId := *stsIdentity.Account auroraClusterName := fmt.Sprintf("postgres-%s", suite.clusterName) - auroraUsername := "myuser-irsa" - auroraPassword, errPassword := password.Generate(18, 4, 4, false, false) + auroraUsername := "adminuser" + auroraPassword, errPassword := password.Generate(18, 4, 0, false, false) suite.Require().NoError(errPassword) auroraDatabase := "camunda" // Define the ARN for RDS IAM DB Auth - auroraArn := fmt.Sprintf("arn:aws:rds-db:%s:%s:dbuser:%s/%s", suite.region, accountId, auroraClusterName, auroraUsername) + auroraIRSAUsername := "myirsauser" + auroraArn := fmt.Sprintf("arn:aws:rds-db:%s:%s:dbuser:%s/%s", suite.region, accountId, auroraClusterName, auroraIRSAUsername) suite.sugaredLogger.Infow("Aurora RDS IAM infos", "accountId", accountId, "auroraArn", auroraArn) + // create a kubeclient + kubeClient, err := utils.NewKubeClientSet(result.Cluster) + suite.Require().NoError(err) + + utils.GenerateKubeConfigFromAWS(suite.T(), suite.region, suite.clusterName, utils.GetAwsProfile(), suite.kubeConfigPath) + // Create namespace and associated service account in EKS auroraNamespace := "aurora" auroraServiceAccount := "aurora-access-sa" @@ -186,7 +193,7 @@ func (suite *CustomEKSRDSTestSuite) TestCustomEKSAndRDS() { "Resource": "arn:aws:rds-db:%s:%s:dbuser:%s/%s" } ] -}`, suite.region, accountId, auroraClusterName, auroraUsername) +}`, suite.region, accountId, auroraClusterName, auroraIRSAUsername) // Define the trust policy for Aurora IAM role iamRoleTrustPolicy := fmt.Sprintf(`{ 
@@ -255,93 +262,63 @@ func (suite *CustomEKSRDSTestSuite) TestCustomEKSAndRDS() { suite.Assert().NotEmpty(auroraEndpoint) // Test of the RDS connection is performed by launching a pod on the cluster and test the pg connection - kubeClient, err := utils.NewKubeClientSet(result.Cluster) - suite.Require().NoError(err) - - utils.GenerateKubeConfigFromAWS(suite.T(), suite.region, suite.clusterName, utils.GetAwsProfile(), suite.kubeConfigPath) - - namespace := "postgres-client" - pgKubeCtlOptions := k8s.NewKubectlOptions("", suite.kubeConfigPath, namespace) - utils.CreateIfNotExistsNamespace(suite.T(), pgKubeCtlOptions, namespace) + pgKubeCtlOptions := k8s.NewKubectlOptions("", suite.kubeConfigPath, auroraNamespace) // deploy the postgres-client ConfigMap configMapPostgres := &corev1.ConfigMap{ ObjectMeta: metav1.ObjectMeta{ Name: "aurora-config", - Namespace: namespace, + Namespace: auroraNamespace, }, Data: map[string]string{ "aurora_endpoint": auroraEndpoint, "aurora_username": auroraUsername, - "aurora_username_irsa": fmt.Sprintf("%s-irsa", auroraUsername), + "aurora_password": auroraPassword, + "aurora_username_irsa": auroraIRSAUsername, "aurora_port": "5432", "aws_region": suite.region, "aurora_db_name": auroraDatabase, }, } - err = kubeClient.CoreV1().ConfigMaps(namespace).Delete(context.Background(), configMapPostgres.Name, metav1.DeleteOptions{}) + err = kubeClient.CoreV1().ConfigMaps(auroraNamespace).Delete(context.Background(), configMapPostgres.Name, metav1.DeleteOptions{}) if err != nil && !errors.IsNotFound(err) { suite.Require().NoError(err) } - _, err = kubeClient.CoreV1().ConfigMaps(namespace).Create(context.Background(), configMapPostgres, metav1.CreateOptions{}) + _, err = kubeClient.CoreV1().ConfigMaps(auroraNamespace).Create(context.Background(), configMapPostgres, metav1.CreateOptions{}) k8s.WaitUntilConfigMapAvailable(suite.T(), pgKubeCtlOptions, configMapPostgres.Name, 6, 10*time.Second) // create the secret for aurora pg password secretPostgres 
:= &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Name: "aurora-secret", - Namespace: namespace, + Namespace: auroraNamespace, }, StringData: map[string]string{ "aurora_password": auroraPassword, }, } - err = kubeClient.CoreV1().Secrets(namespace).Delete(context.Background(), configMapPostgres.Name, metav1.DeleteOptions{}) + err = kubeClient.CoreV1().Secrets(auroraNamespace).Delete(context.Background(), secretPostgres.Name, metav1.DeleteOptions{}) if err != nil && !errors.IsNotFound(err) { suite.Require().NoError(err) } - _, err = kubeClient.CoreV1().Secrets(namespace).Create(context.Background(), secretPostgres, metav1.CreateOptions{}) + _, err = kubeClient.CoreV1().Secrets(auroraNamespace).Create(context.Background(), secretPostgres, metav1.CreateOptions{}) k8s.WaitUntilSecretAvailable(suite.T(), pgKubeCtlOptions, secretPostgres.Name, 6, 10*time.Second) - // add the scripts as a ConfigMap - scriptPath := "../../modules/fixtures/scripts/create_aurora_pg_db.sh" - scriptContent, err := os.ReadFile(scriptPath) - suite.Require().NoError(err) - - configMapScript := &corev1.ConfigMap{ - ObjectMeta: metav1.ObjectMeta{ - Name: "postgres-scripts", - Namespace: namespace, - }, - Data: map[string]string{ - "create_aurora_pg_db.sh": string(scriptContent), - }, - } - - err = kubeClient.CoreV1().ConfigMaps(namespace).Delete(context.Background(), configMapScript.Name, metav1.DeleteOptions{}) - if err != nil && !errors.IsNotFound(err) { - suite.Require().NoError(err) - } - _, err = kubeClient.CoreV1().ConfigMaps(namespace).Create(context.Background(), configMapScript, metav1.CreateOptions{}) - k8s.WaitUntilConfigMapAvailable(suite.T(), pgKubeCtlOptions, configMapScript.Name, 6, 10*time.Second) - // cleanup existing jobs jobListOptions := metav1.ListOptions{LabelSelector: "app=postgres-client"} existingJobs := k8s.ListJobs(suite.T(), pgKubeCtlOptions, jobListOptions) backgroundDeletion := metav1.DeletePropagationBackground for _, job := range existingJobs { - err := 
kubeClient.BatchV1().Jobs(namespace).Delete(context.Background(), job.Name, metav1.DeleteOptions{PropagationPolicy: &backgroundDeletion}) + err := kubeClient.BatchV1().Jobs(auroraNamespace).Delete(context.Background(), job.Name, metav1.DeleteOptions{PropagationPolicy: &backgroundDeletion}) suite.Assert().NoError(err) } // deploy the postgres-client Job to test the connection k8s.KubectlApply(suite.T(), pgKubeCtlOptions, "../../modules/fixtures/postgres-client.yml") - errJob := utils.WaitForJobCompletion(kubeClient, namespace, "postgres-client", 5*time.Minute, jobListOptions) + errJob := utils.WaitForJobCompletion(kubeClient, auroraNamespace, "postgres-client", 5*time.Minute, jobListOptions) suite.Require().NoError(errJob) - // TODO: test IRSA apply https://kubedemy.io/aws-eks-part-13-setup-iam-roles-for-service-accounts-irsa to setup iam - // Retrieve RDS information describeDBClusterInput := &rds.DescribeDBClustersInput{ DBClusterIdentifier: aws.String(varsConfigAurora["cluster_name"].(string)), From e6c38d7df947715215efa82b0fa4b4ea220b27d5 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Thu, 3 Oct 2024 18:55:16 +0200 Subject: [PATCH 024/135] update --- .github/actions/opensearch-manage-cluster/README.md | 4 ++-- .github/actions/opensearch-manage-cluster/action.yml | 3 +-- modules/fixtures/postgres-client.yml | 6 ++---- 3 files changed, 5 insertions(+), 8 deletions(-) diff --git a/.github/actions/opensearch-manage-cluster/README.md b/.github/actions/opensearch-manage-cluster/README.md index 34784342..e04cb1d9 100644 --- a/.github/actions/opensearch-manage-cluster/README.md +++ b/.github/actions/opensearch-manage-cluster/README.md @@ -17,7 +17,7 @@ It will also install Terraform and awscli. It will output the OpenSearch domain | `subnet-ids` |
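Review bot: The added `"aurora_password": auroraPassword` entry in the `aurora-config` ConfigMap stores the generated admin password in plain text, although the same value is written to the `aurora-secret` Secret a few lines further down. ConfigMaps are not meant for credentials and are usually readable by more subjects than Secrets, so I would drop that key and, if postgres-client.yml takes the password from the ConfigMap (not visible here), switch it to a `secretKeyRef` on `aurora-secret`. Separately, the `err` returned by both `Create` calls is never checked before the `WaitUntil…Available` helpers run; adding `suite.Require().NoError(err)` after each `Create` would surface a failed create directly. TestCustomEKSAndRDS starts and ends outside this hunk.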

List of subnet IDs to create the domain in

| `true` | `""` | | `cidr-blocks` |

CIDR blocks to allow access from and to

| `true` | `""` | | `instance-type` |

Instance type for the OpenSearch cluster

| `false` | `t3.small.search` | -| `instance-count` |

Number of instances in the cluster

| `false` | `1` | +| `instance-count` |

Number of instances in the cluster

| `false` | `4` | | `additional-terraform-vars` |

JSON object containing additional Terraform variables

| `false` | `{}` | | `s3-backend-bucket` |

Name of the S3 bucket to store Terraform state

| `true` | `""` | | `s3-bucket-region` |

Region of the bucket containing the resources states

| `false` | `""` | @@ -94,7 +94,7 @@ This action is a `composite` action. # Number of instances in the cluster # # Required: false - # Default: 1 + # Default: 4 additional-terraform-vars: # JSON object containing additional Terraform variables diff --git a/.github/actions/opensearch-manage-cluster/action.yml b/.github/actions/opensearch-manage-cluster/action.yml index 2b70d038..ce1d21fa 100644 --- a/.github/actions/opensearch-manage-cluster/action.yml +++ b/.github/actions/opensearch-manage-cluster/action.yml @@ -35,10 +35,9 @@ inputs: description: Instance type for the OpenSearch cluster default: t3.small.search - # TODO: add number of AZs instance-count: description: Number of instances in the cluster - default: '1' + default: '4' additional-terraform-vars: description: JSON object containing additional Terraform variables diff --git a/modules/fixtures/postgres-client.yml b/modules/fixtures/postgres-client.yml index f53ecc68..35f7cf91 100644 --- a/modules/fixtures/postgres-client.yml +++ b/modules/fixtures/postgres-client.yml @@ -43,8 +43,8 @@ spec: # Attempt unauthenticated access to the Aurora PostgreSQL database, expecting a failure if psql -h "$AURORA_ENDPOINT" \ -p "$AURORA_PORT" \ - "sslmode=require dbname=$AURORA_DB_NAME user=$AURORA_USERNAME_IRSA" \ - -c 'SELECT version();' 2>&1 | grep -q 'password authentication failed'; then + "sslmode=require dbname=$AURORA_DB_NAME user=$AURORA_USERNAME_IRSA password=empty" \ + -c 'SELECT version();' 2>&1 | grep -q 'authentication failed'; then echo "Unauthenticated access failed as expected." else echo "Unauthenticated access did not fail as expected, check the configuration." @@ -57,8 +57,6 @@ spec: psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=$AURORA_DB_NAME user=$AURORA_USERNAME_IRSA password=$AWS_PG_PASSWORD" \ -c 'SELECT version();' - sleep 30000 - EOF env: - name: AURORA_ENDPOINT From 121c7adf32f7eb8a34fc28a553ccab2a8c1ea9eb Mon Sep 17 00:00:00 2001 
From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Thu, 3 Oct 2024 19:14:31 +0200 Subject: [PATCH 025/135] fix tests --- modules/fixtures/postgres-client.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/fixtures/postgres-client.yml b/modules/fixtures/postgres-client.yml index 35f7cf91..359cb65b 100644 --- a/modules/fixtures/postgres-client.yml +++ b/modules/fixtures/postgres-client.yml @@ -41,10 +41,10 @@ spec: -c "SELECT version();" -c "\du" # Attempt unauthenticated access to the Aurora PostgreSQL database, expecting a failure - if psql -h "$AURORA_ENDPOINT" \ - -p "$AURORA_PORT" \ - "sslmode=require dbname=$AURORA_DB_NAME user=$AURORA_USERNAME_IRSA password=empty" \ - -c 'SELECT version();' 2>&1 | grep -q 'authentication failed'; then + if ! psql -h "$AURORA_ENDPOINT" \ + -p "$AURORA_PORT" \ + "sslmode=require dbname=$AURORA_DB_NAME user=$AURORA_USERNAME_IRSA password=$AWS_PG_PASSWORD" \ + -c 'SELECT version();' 2>/dev/null; then echo "Unauthenticated access failed as expected." else echo "Unauthenticated access did not fail as expected, check the configuration." From e5fdfabead71d3131cc08a2f24c4f270ee97bad9 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Thu, 3 Oct 2024 19:40:40 +0200 Subject: [PATCH 026/135] update doc --- README.md | 150 ++++++++++++++++++++++++- modules/eks-cluster/README.md | 1 + modules/eks-cluster/outputs.tf | 5 + test/src/custom_eks_opensearch_test.go | 2 +- test/src/custom_eks_rds_test.go | 2 +- 5 files changed, 156 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index b9cd90a5..193d3c16 100644 --- a/README.md +++ b/README.md 
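Review bot: The rewritten negative check treats any non-zero exit of psql as "Unauthenticated access failed as expected", so a DNS, network or TLS failure passes it just like a rejected login, and `2>/dev/null` discards the message that would tell them apart. It also passes `password=$AWS_PG_PASSWORD`, which, as far as the surrounding script shows, is only exported later in the "Testing connection using IRSA" step, so the attempt presumably runs with an empty password rather than a deliberately wrong one. I would keep the error text and match on it again, e.g. capture it with `out=$(psql … 2>&1)` and test `echo "$out" | grep -q 'authentication failed'`, and pass a fixed invalid password instead of the variable. The script body starts and ends outside this hunk.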
@@ -50,16 +50,162 @@ module "postgresql" { } ``` -# TODO: explain how to use IRSA and associated templating with real example +```hcl + +module "opensearch_domain" { + source = "github.com/camunda/camunda-tf-eks-module/modules/opensearch" + + domain_name = "my-opensearch-domain" + subnet_ids = module.eks_cluster.private_subnet_ids + security_group_ids = module.eks_cluster.security_group_ids + vpc_id = module.eks_cluster.vpc_id + cidr_blocks = concat(module.eks_cluster.private_vpc_cidr_blocks, module.eks_cluster.public_vpc_cidr_blocks) + + instance_type = "t3.small.search" + instance_count = 4 + ebs_volume_size = 100 + + advanced_security_enabled = true + advanced_security_internal_user_database_enabled = true + advanced_security_master_user_name = "admin" + advanced_security_master_user_password = "password" + + depends_on = [module.eks_cluster] +} +``` #### GitHub Actions You can automate the deployment and deletion of the EKS cluster and Aurora database using GitHub Actions. Below are examples of GitHub Actions workflows for deploying and deleting these resources. -For more details, refer to the corresponding [EKS Actions README](https://github.com/camunda/camunda-tf-eks-module/blob/main/.github/actions/eks-manage-cluster/README.md) and [Aurora Actions README](https://github.com/camunda/camunda-tf-eks-module/blob/main/.github/actions/aurora-manage-cluster/README.md), [Cleanup Actions README](https://github.com/camunda/camunda-tf-eks-module/blob/main/.github/actions/eks-cleanup-resources/README.md). 
+For more details, refer to the corresponding [EKS Actions README](https://github.com/camunda/camunda-tf-eks-module/blob/main/.github/actions/eks-manage-cluster/README.md), [Aurora Actions README](https://github.com/camunda/camunda-tf-eks-module/blob/main/.github/actions/aurora-manage-cluster/README.md) and [OpenSearch Actions README](https://github.com/camunda/camunda-tf-eks-module/blob/main/.github/actions/opensearch-manage-cluster/README.md), [Cleanup Actions README](https://github.com/camunda/camunda-tf-eks-module/blob/main/.github/actions/eks-cleanup-resources/README.md). An example workflow can be found in https://github.com/camunda/camunda-tf-eks-module/blob/main/.github/workflows/test-gha-eks.yml. +#### Advanced usage with IRSA + +This documentation provides a step-by-step guide to creating an EKS cluster, an Aurora RDS instance, and an OpenSearch domain with IRSA (IAM Roles for Service Accounts) roles using Terraform modules. +The modules create the necessary IAM roles and policies for Aurora and OpenSearch. To simplify the configuration, the modules use the outputs of the EKS cluster module to define the IRSA roles and policies. + +### Aurora IRSA Role and Policy + +The Aurora module uses the following outputs from the EKS cluster module to define the IRSA role and policy: + +- `module.eks_cluster.oidc_provider_arn`: The ARN of the OIDC provider for the EKS cluster. +- `module.eks_cluster.oidc_provider_id`: The ID of the OIDC provider for the EKS cluster. +- `var.account_id`: Your account id +- `var.aurora_cluster_name`: The name of the Aurora cluster to access +- `var.aurora_irsa_username`: The username of the user used to access to the AuroraDB +- `var.aurora_namespace`: The namespace to allow access +- `var.aurora_service_account`: The ServiceAccount to allow access + +You need to define the IAM role trust policy and access policy for Aurora. 
Here's an example of how to define these policies using the outputs of the EKS cluster module: + +```hcl +module "postgresql" { + # ... + iam_aurora_access_policy = < [ebs\_cs\_arn](#output\_ebs\_cs\_arn) | Amazon Resource Name of the ebs-csi IAM role used for IAM Roles to Service Accounts mappings | | [external\_dns\_arn](#output\_external\_dns\_arn) | Amazon Resource Name of the external-dns IAM role used for IAM Roles to Service Accounts mappings | | [oidc\_provider\_arn](#output\_oidc\_provider\_arn) | Amazon Resource Name of the OIDC provider for the EKS cluster. Allows to add additional IRSA mappings | +| [oidc\_provider\_id](#output\_oidc\_provider\_id) | OIDC provider for the EKS cluster. Allows to add additional IRSA mappings | | [private\_route\_table\_ids](#output\_private\_route\_table\_ids) | The IDs of the private route tables associated with this VPC | | [private\_subnet\_ids](#output\_private\_subnet\_ids) | Private subnet IDs | | [private\_vpc\_cidr\_blocks](#output\_private\_vpc\_cidr\_blocks) | Private VPC CIDR blocks | diff --git a/modules/eks-cluster/outputs.tf b/modules/eks-cluster/outputs.tf index 97e138a5..d16d021b 100644 --- a/modules/eks-cluster/outputs.tf +++ b/modules/eks-cluster/outputs.tf @@ -71,6 +71,11 @@ output "oidc_provider_arn" { description = "Amazon Resource Name of the OIDC provider for the EKS cluster. Allows to add additional IRSA mappings" } +output "oidc_provider_id" { + value = split("/", module.eks.oidc_provider_arn)[4] + description = "OIDC provider for the EKS cluster. Allows to add additional IRSA mappings" +} + ################################################################################ # VPC ################################################################################ diff --git a/test/src/custom_eks_opensearch_test.go b/test/src/custom_eks_opensearch_test.go index 3fd3ba6d..974203dd 100644 --- a/test/src/custom_eks_opensearch_test.go +++ b/test/src/custom_eks_opensearch_test.go 
@@ -163,7 +163,7 @@ func (suite *CustomEKSOpenSearchTestSuite) TestCustomEKSAndOpenSearch() { // Create namespace and associated service account in EKS openSearchNamespace := "opensearch" openSearchServiceAccount := "opensearch-access-sa" - openSearchRole := "OpenSearchRole" // please use the same as the default one for cleanup reasons + openSearchRole := fmt.Sprintf("OpenSearchRole-%s", suite.clusterName) openSearchKubectlOptions := k8s.NewKubectlOptions("", suite.kubeConfigPath, openSearchNamespace) utils.CreateIfNotExistsNamespace(suite.T(), openSearchKubectlOptions, openSearchNamespace) utils.CreateIfNotExistsServiceAccount(suite.T(), openSearchKubectlOptions, openSearchServiceAccount, map[string]string{ diff --git a/test/src/custom_eks_rds_test.go b/test/src/custom_eks_rds_test.go index 424c45a7..cd8c3ab4 100644 --- a/test/src/custom_eks_rds_test.go +++ b/test/src/custom_eks_rds_test.go @@ -174,7 +174,7 @@ func (suite *CustomEKSRDSTestSuite) TestCustomEKSAndRDS() { // Create namespace and associated service account in EKS auroraNamespace := "aurora" auroraServiceAccount := "aurora-access-sa" - auroraRole := "AuroraRole" // please use the same as the default one for cleanup reasons + auroraRole := fmt.Sprintf("AuroraRole-%s", suite.clusterName) auroraKubectlOptions := k8s.NewKubectlOptions("", suite.kubeConfigPath, auroraNamespace) utils.CreateIfNotExistsNamespace(suite.T(), auroraKubectlOptions, auroraNamespace) utils.CreateIfNotExistsServiceAccount(suite.T(), auroraKubectlOptions, auroraServiceAccount, map[string]string{ From a2beceab425c9a9f923e06b78be87cc135d7457c Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Thu, 3 Oct 2024 19:55:44 +0200 Subject: [PATCH 027/135] update readme --- README.md | 32 +++++++++++++++++++++++++++++--- 1 file changed, 29 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 193d3c16..6a5e1053 100644 --- a/README.md +++ b/README.md 
@@ -17,7 +17,7 @@ Consider installing Camunda 8 via [this guide](https://docs.camunda.io/docs/next Below is a simple example configuration for deploying both an EKS cluster and an Aurora PostgreSQL database. -See [AWS EKS Cluster inputs](./modules/eks-cluster/README.md#inputs) and [AWS Aurora RDS inputs](./modules/aurora/README.md#inputs) for further configuration options and how they affect the cluster and database creation. +See [AWS EKS Cluster inputs](./modules/eks-cluster/README.md#inputs), [AWS Aurora RDS inputs](./modules/aurora/README.md#inputs) and [AWS OpenSearch inputs](./modules/opensearch/README.md#inputs) for further configuration options and how they affect the cluster and database creation. ```hcl module "eks_cluster" { 
@@ -78,9 +78,9 @@ module "opensearch_domain" { You can automate the deployment and deletion of the EKS cluster and Aurora database using GitHub Actions. Below are examples of GitHub Actions workflows for deploying and deleting these resources. -For more details, refer to the corresponding [EKS Actions README](https://github.com/camunda/camunda-tf-eks-module/blob/main/.github/actions/eks-manage-cluster/README.md), [Aurora Actions README](https://github.com/camunda/camunda-tf-eks-module/blob/main/.github/actions/aurora-manage-cluster/README.md) and [OpenSearch Actions README](https://github.com/camunda/camunda-tf-eks-module/blob/main/.github/actions/opensearch-manage-cluster/README.md), [Cleanup Actions README](https://github.com/camunda/camunda-tf-eks-module/blob/main/.github/actions/eks-cleanup-resources/README.md). +For more details, refer to the corresponding [EKS Actions README](./.github/actions/eks-manage-cluster/README.md), [Aurora Actions README](./.github/actions/aurora-manage-cluster/README.md) and [OpenSearch Actions README](./.github/actions/opensearch-manage-cluster/README.md), [Cleanup Actions README](./.github/actions/eks-cleanup-resources/README.md). -An example workflow can be found in https://github.com/camunda/camunda-tf-eks-module/blob/main/.github/workflows/test-gha-eks.yml. +An example workflow can be found in [here](./.github/workflows/test-gha-eks.yml). #### Advanced usage with IRSA 
@@ -206,6 +206,32 @@ EOF By defining the IRSA roles and policies using the outputs of the EKS cluster module, you can simplify the configuration and ensure that the roles and policies are created with the correct permissions and trust policies. +Apply the Service Accounts definitions to your Kubernetes cluster: + +**Aurora Service Account** + +```yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: aurora-service-account + namespace: + annotations: + eks.amazonaws.com/role-arn: :role/AuroraRole> +``` + +**OpenSearch Service Account** + +```yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: opensearch-service-account + namespace: + annotations: + eks.amazonaws.com/role-arn: :role/OpenSearchRole> +``` + ## Support Please note that the modules have been tested with **[Terraform](https://github.com/hashicorp/terraform)** in the version described in the [.tool-versions](./.tool-versions) of this project. From 45ab793924b0383a2257f40acb948660da6dba84 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Thu, 3 Oct 2024 20:00:10 +0200 Subject: [PATCH 028/135] update gomod --- test/src/go.mod | 22 +++++++++++----------- test/src/go.sum | 44 ++++++++++++++++++++++---------------------- 2 files changed, 33 insertions(+), 33 deletions(-) diff --git a/test/src/go.mod b/test/src/go.mod index f5ca2525..c1caddb1 100644 --- a/test/src/go.mod +++ b/test/src/go.mod 
@@ -4,15 +4,15 @@ go 1.23.0 require ( github.com/aws/aws-sdk-go-v2 v1.31.0 - github.com/aws/aws-sdk-go-v2/config v1.27.37 - github.com/aws/aws-sdk-go-v2/service/ec2 v1.178.0 - github.com/aws/aws-sdk-go-v2/service/eks v1.49.1 - github.com/aws/aws-sdk-go-v2/service/iam v1.36.1 - github.com/aws/aws-sdk-go-v2/service/kms v1.36.1 + github.com/aws/aws-sdk-go-v2/config v1.27.39 + github.com/aws/aws-sdk-go-v2/service/ec2 v1.179.2 + github.com/aws/aws-sdk-go-v2/service/eks v1.49.3 + github.com/aws/aws-sdk-go-v2/service/iam v1.36.3 + github.com/aws/aws-sdk-go-v2/service/kms v1.36.3 github.com/aws/aws-sdk-go-v2/service/opensearch v1.40.2 - github.com/aws/aws-sdk-go-v2/service/rds v1.84.0 - github.com/aws/aws-sdk-go-v2/service/s3 v1.63.1 - github.com/aws/aws-sdk-go-v2/service/sts v1.31.1 + github.com/aws/aws-sdk-go-v2/service/rds v1.85.2 + github.com/aws/aws-sdk-go-v2/service/s3 v1.63.3 + github.com/aws/aws-sdk-go-v2/service/sts v1.31.3 github.com/aws/smithy-go v1.21.0 github.com/gruntwork-io/terratest v0.47.1 github.com/sethvargo/go-password v0.3.1 @@ -33,7 +33,7 @@ require ( github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect github.com/aws/aws-sdk-go v1.54.6 // indirect github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.5 // indirect - github.com/aws/aws-sdk-go-v2/credentials v1.17.35 // indirect + github.com/aws/aws-sdk-go-v2/credentials v1.17.37 // indirect github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.14 // indirect github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.18 // indirect github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.18 // indirect 
@@ -43,8 +43,8 @@ require ( github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.20 // indirect github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.20 // indirect github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.18 // indirect - github.com/aws/aws-sdk-go-v2/service/sso v1.23.1 // indirect - github.com/aws/aws-sdk-go-v2/service/ssooidc v1.27.1 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.23.3 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.27.3 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc // indirect diff --git a/test/src/go.sum b/test/src/go.sum index ed7c7e9d..e9c78aeb 100644 --- a/test/src/go.sum +++ b/test/src/go.sum 
@@ -205,10 +205,10 @@ github.com/aws/aws-sdk-go-v2 v1.31.0 h1:3V05LbxTSItI5kUqNwhJrrrY1BAXxXt0sN0l72Qm github.com/aws/aws-sdk-go-v2 v1.31.0/go.mod h1:ztolYtaEUtdpf9Wftr31CJfLVjOnD/CVRkKOOYgF8hA= github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.5 h1:xDAuZTn4IMm8o1LnBZvmrL8JA1io4o3YWNXgohbf20g= github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.5/go.mod h1:wYSv6iDS621sEFLfKvpPE2ugjTuGlAG7iROg0hLOkfc= -github.com/aws/aws-sdk-go-v2/config v1.27.37 h1:xaoIwzHVuRWRHFI0jhgEdEGc8xE1l91KaeRDsWEIncU= -github.com/aws/aws-sdk-go-v2/config v1.27.37/go.mod h1:S2e3ax9/8KnMSyRVNd3sWTKs+1clJ2f1U6nE0lpvQRg= -github.com/aws/aws-sdk-go-v2/credentials v1.17.35 h1:7QknrZhYySEB1lEXJxGAmuD5sWwys5ZXNr4m5oEz0IE= -github.com/aws/aws-sdk-go-v2/credentials v1.17.35/go.mod h1:8Vy4kk7at4aPSmibr7K+nLTzG6qUQAUO4tW49fzUV4E= +github.com/aws/aws-sdk-go-v2/config v1.27.39 h1:FCylu78eTGzW1ynHcongXK9YHtoXD5AiiUqq3YfJYjU= +github.com/aws/aws-sdk-go-v2/config v1.27.39/go.mod h1:wczj2hbyskP4LjMKBEZwPRO1shXY+GsQleab+ZXT2ik= +github.com/aws/aws-sdk-go-v2/credentials v1.17.37 h1:G2aOH01yW8X373JK419THj5QVqu9vKEwxSEsGxihoW0= +github.com/aws/aws-sdk-go-v2/credentials v1.17.37/go.mod h1:0ecCjlb7htYCptRD45lXJ6aJDQac6D2NlKGpZqyTG6A= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.14 h1:C/d03NAmh8C4BZXhuRNboF/DqhBkBCeDiJDcaqIT5pA= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.14/go.mod h1:7I0Ju7p9mCIdlrfS+JCgqcYD0VXz/N4yozsox+0o078= github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.18 h1:kYQ3H1u0ANr9KEKlGs/jTLrBFPo8P8NaH/w7A01NeeM= 
@@ -219,12 +219,12 @@ github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 h1:VaRN3TlFdd6KxX1x3ILT5ynH6HvK github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1/go.mod h1:FbtygfRFze9usAadmnGJNc8KsP346kEe+y2/oyhGAGc= github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.18 h1:OWYvKL53l1rbsUmW7bQyJVsYU/Ii3bbAAQIIFNbM0Tk= github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.18/go.mod h1:CUx0G1v3wG6l01tUB+j7Y8kclA8NSqK4ef0YG79a4cg= -github.com/aws/aws-sdk-go-v2/service/ec2 v1.178.0 h1:yCVmlqH1bWVmdS/oFyyM+hbe2c+tKGPo6r0BHhTpn1U= -github.com/aws/aws-sdk-go-v2/service/ec2 v1.178.0/go.mod h1:W6sNzs5T4VpZn1Vy+FMKw8s24vt5k6zPJXcNOK0asBo= -github.com/aws/aws-sdk-go-v2/service/eks v1.49.1 h1:1EJ49JWtC3wS/rImBX/6RAna2gEhBqYWYFpETSmPsVs= -github.com/aws/aws-sdk-go-v2/service/eks v1.49.1/go.mod h1:QUjwO93Ri00egMAeWw75dviZBM5pECLx0KNeNaBtTIM= -github.com/aws/aws-sdk-go-v2/service/iam v1.36.1 h1:uBOxRx7j+9NoCkmQ2Nmmh/KvKm1l+wm917By8bgtKdU= -github.com/aws/aws-sdk-go-v2/service/iam v1.36.1/go.mod h1:HSvujsK8xeEHMIB18oMXjSfqaN9cVqpo/MtHJIksQRk= +github.com/aws/aws-sdk-go-v2/service/ec2 v1.179.2 h1:rGBv2N0zWvNTKnxOfbBH4mNM8WMdDNkaxdqtz152G40= +github.com/aws/aws-sdk-go-v2/service/ec2 v1.179.2/go.mod h1:W6sNzs5T4VpZn1Vy+FMKw8s24vt5k6zPJXcNOK0asBo= +github.com/aws/aws-sdk-go-v2/service/eks v1.49.3 h1:4Aq01bwq1RnyMLAgx/6kB8cqvfLlQet5cWY3MVhlsqU= +github.com/aws/aws-sdk-go-v2/service/eks v1.49.3/go.mod h1:QUjwO93Ri00egMAeWw75dviZBM5pECLx0KNeNaBtTIM= +github.com/aws/aws-sdk-go-v2/service/iam v1.36.3 h1:dV9iimLEHKYAz2qTi+tGAD9QCnAG2pLD7HUEHB7m4mI= +github.com/aws/aws-sdk-go-v2/service/iam v1.36.3/go.mod h1:HSvujsK8xeEHMIB18oMXjSfqaN9cVqpo/MtHJIksQRk= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.5 h1:QFASJGfT8wMXtuP3D5CRmMjARHv9ZmzFUMJznHDOY3w= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.5/go.mod h1:QdZ3OmoIjSX+8D1OPAzPxDfjXASbBMDsz9qvtyIhtik= github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.20 h1:rTWjG6AvWekO2B1LHeM3ktU7MqyX9rzWQ7hgzneZW7E= 
@@ -233,20 +233,20 @@ github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.20 h1:Xbwbmk44 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.20/go.mod h1:oAfOFzUB14ltPZj1rWwRc3d/6OgD76R8KlvU3EqM9Fg= github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.18 h1:eb+tFOIl9ZsUe2259/BKPeniKuz4/02zZFH/i4Nf8Rg= github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.18/go.mod h1:GVCC2IJNJTmdlyEsSmofEy7EfJncP7DNnXDzRjJ5Keg= -github.com/aws/aws-sdk-go-v2/service/kms v1.36.1 h1:BkicHsJOtGRLSGw2CSvtbdGlMboP8S/AsWzf0U2V6m8= -github.com/aws/aws-sdk-go-v2/service/kms v1.36.1/go.mod h1:OHmlX4+o0XIlJAQGAHPIy0N9yZcYS/vNG+T7geSNcFw= +github.com/aws/aws-sdk-go-v2/service/kms v1.36.3 h1:iHi6lC6LfW6SNvB2bixmlOW3WMyWFrHZCWX+P+CCxMk= +github.com/aws/aws-sdk-go-v2/service/kms v1.36.3/go.mod h1:OHmlX4+o0XIlJAQGAHPIy0N9yZcYS/vNG+T7geSNcFw= github.com/aws/aws-sdk-go-v2/service/opensearch v1.40.2 h1:tQMi7jzkFcuLobVKrW4edPnnreXLNaHRJKgLutxvPdY= github.com/aws/aws-sdk-go-v2/service/opensearch v1.40.2/go.mod h1:4rB9oWpduMw/+UqL/WdNLJZNF7iAwaJWwJ6GgsQqOjg= -github.com/aws/aws-sdk-go-v2/service/rds v1.84.0 h1:y7CROMOdAjkkijg+ClGBa2KnhL7oeOP0mmBFJMSCWPc= -github.com/aws/aws-sdk-go-v2/service/rds v1.84.0/go.mod h1:lhiPj6RvoJHWG2STp+k5az55YqGgFLBzkKYdYHgUh9g= -github.com/aws/aws-sdk-go-v2/service/s3 v1.63.1 h1:TR96r56VwELV0qguNFCuz+/bEpRfnR3ZsS9/IG05C7Q= -github.com/aws/aws-sdk-go-v2/service/s3 v1.63.1/go.mod h1:NLTqRLe3pUNu3nTEHI6XlHLKYmc8fbHUdMxAB6+s41Q= -github.com/aws/aws-sdk-go-v2/service/sso v1.23.1 h1:2jrVsMHqdLD1+PA4BA6Nh1eZp0Gsy3mFSB5MxDvcJtU= -github.com/aws/aws-sdk-go-v2/service/sso v1.23.1/go.mod h1:XRlMvmad0ZNL+75C5FYdMvbbLkd6qiqz6foR1nA1PXY= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.27.1 h1:0L7yGCg3Hb3YQqnSgBTZM5wepougtL1aEccdcdYhHME= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.27.1/go.mod h1:FnvDM4sfa+isJ3kDXIzAB9GAwVSzFzSy97uZ3IsHo4E= -github.com/aws/aws-sdk-go-v2/service/sts v1.31.1 h1:8K0UNOkZiK9Uh3HIF6Bx0rcNCftqGCeKmOaR7Gp5BSo= 
-github.com/aws/aws-sdk-go-v2/service/sts v1.31.1/go.mod h1:yMWe0F+XG0DkRZK5ODZhG7BEFYhLXi2dqGsv6tX0cgI= +github.com/aws/aws-sdk-go-v2/service/rds v1.85.2 h1:KDO/FSO8V+zlvnQF6v4nOariw2qwPx5/z2pyb6X7ibk= +github.com/aws/aws-sdk-go-v2/service/rds v1.85.2/go.mod h1:lhiPj6RvoJHWG2STp+k5az55YqGgFLBzkKYdYHgUh9g= +github.com/aws/aws-sdk-go-v2/service/s3 v1.63.3 h1:3zt8qqznMuAZWDTDpcwv9Xr11M/lVj2FsRR7oYBt0OA= +github.com/aws/aws-sdk-go-v2/service/s3 v1.63.3/go.mod h1:NLTqRLe3pUNu3nTEHI6XlHLKYmc8fbHUdMxAB6+s41Q= +github.com/aws/aws-sdk-go-v2/service/sso v1.23.3 h1:rs4JCczF805+FDv2tRhZ1NU0RB2H6ryAvsWPanAr72Y= +github.com/aws/aws-sdk-go-v2/service/sso v1.23.3/go.mod h1:XRlMvmad0ZNL+75C5FYdMvbbLkd6qiqz6foR1nA1PXY= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.27.3 h1:S7EPdMVZod8BGKQQPTBK+FcX9g7bKR7c4+HxWqHP7Vg= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.27.3/go.mod h1:FnvDM4sfa+isJ3kDXIzAB9GAwVSzFzSy97uZ3IsHo4E= +github.com/aws/aws-sdk-go-v2/service/sts v1.31.3 h1:VzudTFrDCIDakXtemR7l6Qzt2+JYsVqo2MxBPt5k8T8= +github.com/aws/aws-sdk-go-v2/service/sts v1.31.3/go.mod h1:yMWe0F+XG0DkRZK5ODZhG7BEFYhLXi2dqGsv6tX0cgI= github.com/aws/smithy-go v1.21.0 h1:H7L8dtDRk0P1Qm6y0ji7MCYMQObJ5R9CRpyPhRUkLYA= github.com/aws/smithy-go v1.21.0/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= From 2205807b550047869b5c810e8eac4ffcf690f8bd Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Thu, 3 Oct 2024 20:07:21 +0200 Subject: [PATCH 029/135] fix outpout --- modules/eks-cluster/outputs.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/eks-cluster/outputs.tf b/modules/eks-cluster/outputs.tf index d16d021b..97ce6d8f 100644 --- a/modules/eks-cluster/outputs.tf +++ b/modules/eks-cluster/outputs.tf 
@@ -72,7 +72,7 @@ output "oidc_provider_arn" { } output "oidc_provider_id" { - value = split("/", module.eks.oidc_provider_arn)[4] + value = replace(module.eks.oidc_provider_arn, ".*?(oidc\\.eks.*)", "$1") description = "OIDC provider for the EKS cluster. Allows to add additional IRSA mappings" } From c04688c38ba6d198a9deea92c7bf1aad7faa90cd Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Thu, 3 Oct 2024 20:33:09 +0200 Subject: [PATCH 030/135] fix destroy --- .github/actions/eks-cleanup-resources/scripts/destroy.sh | 2 +- modules/eks-cluster/outputs.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/eks-cleanup-resources/scripts/destroy.sh b/.github/actions/eks-cleanup-resources/scripts/destroy.sh index d2c85df9..bb2402a2 100755 --- a/.github/actions/eks-cleanup-resources/scripts/destroy.sh +++ b/.github/actions/eks-cleanup-resources/scripts/destroy.sh @@ -29,7 +29,7 @@ set -o pipefail # Check for required arguments -if [ "$#" -ne 5 ]; then +if [ "$#" -lt 5 ] || [ "$#" -gt 6 ]; then echo "Usage: $0 [MODULE_NAME]" exit 1 fi diff --git a/modules/eks-cluster/outputs.tf b/modules/eks-cluster/outputs.tf index 97ce6d8f..afe1d493 100644 --- a/modules/eks-cluster/outputs.tf +++ b/modules/eks-cluster/outputs.tf @@ -72,7 +72,7 @@ output "oidc_provider_arn" { } output "oidc_provider_id" { - value = replace(module.eks.oidc_provider_arn, ".*?(oidc\\.eks.*)", "$1") + value = replace(module.eks.oidc_provider_arn, ".*?(oidc\\.eks.*)", "$1") # TODO: fix this! description = "OIDC provider for the EKS cluster. Allows to add additional IRSA mappings" } From 9ab1092bfe4b5a90fb50846b76de94c014bca21b Mon Sep 17 00:00:00 2001 
From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Fri, 4 Oct 2024 11:11:14 +0200 Subject: [PATCH 031/135] update outputs --- modules/eks-cluster/README.md | 1 + modules/eks-cluster/outputs.tf | 7 ++++++- test/src/custom_eks_opensearch_test.go | 5 +++++ 3 files changed, 12 insertions(+), 1 deletion(-) diff --git a/modules/eks-cluster/README.md b/modules/eks-cluster/README.md index 2bf9f0bb..5b9d70d5 100644 --- a/modules/eks-cluster/README.md +++ b/modules/eks-cluster/README.md @@ -71,6 +71,7 @@ module "eks_cluster" { | Name | Description | |------|-------------| | [access\_entries](#output\_access\_entries) | Map of access entries created and their attributes | +| [aws\_caller\_identity\_account\_id](#output\_aws\_caller\_identity\_account\_id) | Account ID of the current AWS account | | [cert\_manager\_arn](#output\_cert\_manager\_arn) | Amazon Resource Name of the cert-manager IAM role used for IAM Roles to Service Accounts mappings | | [cluster\_endpoint](#output\_cluster\_endpoint) | Endpoint for your Kubernetes API server | | [cluster\_iam\_role\_arn](#output\_cluster\_iam\_role\_arn) | IAM role ARN of the EKS cluster | diff --git a/modules/eks-cluster/outputs.tf b/modules/eks-cluster/outputs.tf index afe1d493..3d78afd4 100644 --- a/modules/eks-cluster/outputs.tf +++ b/modules/eks-cluster/outputs.tf 
@@ -71,8 +71,13 @@ output "oidc_provider_arn" { description = "Amazon Resource Name of the OIDC provider for the EKS cluster. Allows to add additional IRSA mappings" } +output "aws_caller_identity_account_id" { + value = module.eks.aws_caller_identity.current.account_id + description = "Account ID of the current AWS account" +} + output "oidc_provider_id" { - value = replace(module.eks.oidc_provider_arn, ".*?(oidc\\.eks.*)", "$1") # TODO: fix this! + value = replace(module.eks.oidc_provider_arn, "arn:aws:iam::${module.eks.aws_caller_identity.current.account_id}:oidc-provider/", "") description = "OIDC provider for the EKS cluster. Allows to add additional IRSA mappings" } diff --git a/test/src/custom_eks_opensearch_test.go b/test/src/custom_eks_opensearch_test.go index 974203dd..7c3c23f8 100644 --- a/test/src/custom_eks_opensearch_test.go +++ b/test/src/custom_eks_opensearch_test.go @@ -153,10 +153,15 @@ func (suite *CustomEKSOpenSearchTestSuite) TestCustomEKSAndOpenSearch() { // Extract OIDC issuer and create the IRSA role with RDS OpenSearch access oidcProviderID, errorOIDC := utils.ExtractOIDCProviderID(result) suite.Require().NoError(errorOIDC) + suite.Assert().NotEmpty(terraform.Output(suite.T(), terraformOptions, "oidc_provider_id")) + suite.Require().Equal(oidcProviderID, terraform.Output(suite.T(), terraformOptions, "oidc_provider_id")) stsIdentity, err := stsSvc.GetCallerIdentity(context.TODO(), &sts.GetCallerIdentityInput{}) suite.Require().NoError(err, "Failed to get AWS account ID") accountId := *stsIdentity.Account + suite.Assert().NotEmpty(terraform.Output(suite.T(), terraformOptions, "aws_caller_identity_account_id")) + suite.Require().Equal(accountId, terraform.Output(suite.T(), terraformOptions, "aws_caller_identity_account_id")) + openSearchArn := fmt.Sprintf("arn:aws:es:%s:%s:domain/%s/*", suite.region, accountId, opensearchDomainName) suite.sugaredLogger.Infow("OpenSearch infos", "accountId", accountId, "openSearchArn", openSearchArn) 
From a20fc665a79ea98e84dda73176f1dff4ba082520 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Fri, 4 Oct 2024 11:16:20 +0200 Subject: [PATCH 032/135] fix conditional --- modules/aurora/output.tf | 6 +++--- modules/opensearch/outputs.tf | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/modules/aurora/output.tf b/modules/aurora/output.tf index c7ef69c1..0457cd94 100644 --- a/modules/aurora/output.tf +++ b/modules/aurora/output.tf @@ -5,18 +5,18 @@ output "aurora_endpoint" { output "aurora_role_name" { description = "The name of the aurora IAM role" - value = aws_iam_role.aurora_role[0].name + value = var.iam_create_aurora_role ? aws_iam_role.aurora_role[0].name : "" sensitive = false } output "aurora_role_arn" { description = "The ARN of the aurora IAM role" - value = aws_iam_role.aurora_role[0].arn + value = var.iam_create_aurora_role ? aws_iam_role.aurora_role[0].arn : "" sensitive = false } output "aurora_policy_arn" { description = "The ARN of the aurora access policy" - value = aws_iam_policy.aurora_access_policy[0].arn + value = var.iam_create_aurora_role ? aws_iam_policy.aurora_access_policy[0].arn : "" sensitive = false } diff --git a/modules/opensearch/outputs.tf b/modules/opensearch/outputs.tf index ab00ca2a..a7a295d7 100644 --- a/modules/opensearch/outputs.tf +++ b/modules/opensearch/outputs.tf 
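Review bot: The three guarded outputs in modules/aurora/output.tf fall back to `""`, so a caller that wires `aurora_role_arn` or `aurora_policy_arn` into another resource receives an empty string that passes type checks and only fails at apply time. Returning null makes the absence explicit, for example `value = one(aws_iam_role.aurora_role[*].arn)`, which yields null when the resource has no instances (this assumes the resources are gated by `count`, as the `[0]` index suggests). Each description should also say that the output is empty unless `iam_create_aurora_role` is true.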
@@ -55,18 +55,18 @@ output "security_group_rule_egress" { output "opensearch_role_name" { description = "The name of the OpenSearch IAM role" - value = aws_iam_role.opensearch[0].name + value = var.iam_create_opensearch_role ? aws_iam_role.opensearch[0].name : "" sensitive = false } output "opensearch_role_arn" { description = "The ARN of the OpenSearch IAM role" - value = aws_iam_role.opensearch[0].arn + value = var.iam_create_opensearch_role ? aws_iam_role.opensearch[0].arn : "" sensitive = false } output "opensearch_policy_arn" { description = "The ARN of the OpenSearch access policy" - value = aws_iam_policy.opensearch_access_policy[0].arn + value = var.iam_create_opensearch_role ? aws_iam_role.opensearch[0].arn : "" sensitive = false } From ede30877fd1244bd4adbe8d37dbc6b0adb27bafa Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Fri, 4 Oct 2024 11:18:09 +0200 Subject: [PATCH 033/135] fix output --- modules/eks-cluster/outputs.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/eks-cluster/outputs.tf b/modules/eks-cluster/outputs.tf index 3d78afd4..164473ab 100644 --- a/modules/eks-cluster/outputs.tf +++ b/modules/eks-cluster/outputs.tf @@ -72,12 +72,12 @@ output "oidc_provider_arn" { } output "aws_caller_identity_account_id" { - value = module.eks.aws_caller_identity.current.account_id + value = data.aws_caller_identity.current.account_id description = "Account ID of the current AWS account" } output "oidc_provider_id" { - value = replace(module.eks.oidc_provider_arn, "arn:aws:iam::${module.eks.aws_caller_identity.current.account_id}:oidc-provider/", "") + value = replace(module.eks.oidc_provider_arn, "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/", "") description = "OIDC provider for the EKS cluster. Allows to add additional IRSA mappings" } From e1feec36096923ae30dff50391689ea427a6b42b Mon Sep 17 00:00:00 2001 
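Review bot: `opensearch_policy_arn` now returns the IAM role ARN: the added line reads `aws_iam_role.opensearch[0].arn`, whereas the removed line referenced `aws_iam_policy.opensearch_access_policy[0].arn`. Anything that attaches or audits the access policy through this output would be handed the wrong identifier. The line should be `value = var.iam_create_opensearch_role ? aws_iam_policy.opensearch_access_policy[0].arn : ""`.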
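Review bot: The prefix passed to `replace()` in `oidc_provider_id` hard-codes the `aws` partition, so in another partition (`aws-us-gov`, `aws-cn`) nothing is stripped and the output is the full ARN. Because this value is meant for IRSA mappings, a trust policy built from it would then name a provider that does not exist. Building the prefix from the partition data source avoids that: `"arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/"`, with `data "aws_partition" "current" {}` declared in the module. The declaration of `data.aws_caller_identity.current` is not in this hunk, so confirm it exists in the module as well.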
From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Fri, 4 Oct 2024 13:05:16 +0200 Subject: [PATCH 034/135] fix default aurora role creation --- modules/aurora/README.md | 2 +- modules/aurora/variables.tf | 2 +- modules/opensearch/README.md | 6 +++--- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/modules/aurora/README.md b/modules/aurora/README.md index 270a2e5e..3ba5006c 100644 --- a/modules/aurora/README.md +++ b/modules/aurora/README.md 
@@ -60,7 +60,7 @@ No modules. | [iam\_aurora\_access\_policy](#input\_iam\_aurora\_access\_policy) | Access policy for Aurora allowing access | `string` | `" {\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"rds-db:connect\"\n ],\n \"Resource\": \"arn:aws:rds-db:::dbuser:/\"\n }\n ]\n }\n\n"` | no | | [iam\_aurora\_role\_name](#input\_iam\_aurora\_role\_name) | Name of the AuroraRole IAM role | `string` | `"AuroraRole"` | no | | [iam\_auth\_enabled](#input\_iam\_auth\_enabled) | Determines whether IAM auth should be activated for IRSA usage | `bool` | `false` | no | -| [iam\_create\_aurora\_role](#input\_iam\_create\_aurora\_role) | Flag to determine if the Aurora IAM role should be created, if true, this module will create a role. Please ensure that iam\_auth\_enabled is set to `true` | `bool` | `true` | no | +| [iam\_create\_aurora\_role](#input\_iam\_create\_aurora\_role) | Flag to determine if the Aurora IAM role should be created, if true, this module will create a role. Please ensure that iam\_auth\_enabled is set to `true` | `bool` | `false` | no | | [iam\_role\_trust\_policy](#input\_iam\_role\_trust\_policy) | Assume role trust policy for Aurora role | `string` | `" {\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"Federated\": \"arn:aws:iam:::oidc-provider/oidc.eks..amazonaws.com/id/\"\n },\n \"Action\": \"sts:AssumeRoleWithWebIdentity\",\n \"Condition\": {\n \"StringEquals\": {\n \"oidc.eks..amazonaws.com/id/:sub\": \"system:serviceaccount::\"\n }\n }\n }\n ]\n }\n\n"` | no | | [iam\_roles](#input\_iam\_roles) | Allows propagating additional IAM roles to the Aurora cluster to allow e.g. access to S3 | `list(string)` | `[]` | no | | [instance\_class](#input\_instance\_class) | The instance type of the Aurora instances | `string` | `"db.t3.medium"` | no | 
diff --git a/modules/aurora/variables.tf b/modules/aurora/variables.tf index f4941f1b..aaf5bc58 100644 --- a/modules/aurora/variables.tf +++ b/modules/aurora/variables.tf @@ -97,7 +97,7 @@ variable "default_database_name" { variable "iam_create_aurora_role" { description = "Flag to determine if the Aurora IAM role should be created, if true, this module will create a role. Please ensure that iam_auth_enabled is set to `true`" type = bool - default = true + default = false } variable "iam_aurora_role_name" { diff --git a/modules/opensearch/README.md b/modules/opensearch/README.md index 0cc767a5..065c0c5b 100644 --- a/modules/opensearch/README.md +++ b/modules/opensearch/README.md @@ -11,11 +11,11 @@ module "opensearch_domain" { source = "github.com/camunda/camunda-tf-eks-module/modules/opensearch" domain_name = "my-opensearch-domain" - engine_version = "OpenSearch_1.0" - subnet_ids = module.eks_cluster.subnet_ids + engine_version = "2.15" + subnet_ids = module.eks_cluster.private_subnet_ids security_group_ids = module.eks_cluster.security_group_ids vpc_id = module.eks_cluster.vpc_id - availability_zones = module.eks_cluster.availability_zones + cidr_blocks = concat(module.eks_cluster.private_vpc_cidr_blocks, module.eks_cluster.public_vpc_cidr_blocks) instance_type = "t3.small.search" instance_count = 2 From 0c0fbbf45fe50055829ce6984389fa59942636ec Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Fri, 4 Oct 2024 13:11:18 +0200 Subject: [PATCH 035/135] fix node groups labels --- modules/eks-cluster/cluster.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/eks-cluster/cluster.tf b/modules/eks-cluster/cluster.tf index f37a3ea8..1c457cdb 100644 --- a/modules/eks-cluster/cluster.tf +++ b/modules/eks-cluster/cluster.tf @@ -109,6 +109,7 @@ module "eks" { services = { name = "services" use_name_prefix = false + labels = var.np_labels } } From a3733334cb360143d39201d60792aff33ac5d3ad Mon Sep 17 00:00:00 2001 
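Review bot: Flipping the default of `iam_create_aurora_role` to `false` changes behaviour for every caller that relied on the old default: on the next plan the role and its access policy would presumably be scheduled for destruction, and workloads that assume the role lose database access. That deserves an upgrade note in the changelog. The description could also state the dependency more directly, for example `"Set to true to create the Aurora IAM role and access policy; requires iam_auth_enabled = true."`.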
From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Fri, 4 Oct 2024 16:13:08 +0200 Subject: [PATCH 036/135] update default labels --- modules/eks-cluster/README.md | 2 +- modules/eks-cluster/variables.tf | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/modules/eks-cluster/README.md b/modules/eks-cluster/README.md index 5b9d70d5..8ff8b434 100644 --- a/modules/eks-cluster/README.md +++ b/modules/eks-cluster/README.md @@ -62,7 +62,7 @@ module "eks_cluster" { | [np\_desired\_node\_count](#input\_np\_desired\_node\_count) | Actual number of nodes for the default node pool. Min-Max will be used for autoscaling | `number` | `4` | no | | [np\_disk\_size](#input\_np\_disk\_size) | Disk size of the nodes on the default node pool | `number` | `20` | no | | [np\_instance\_types](#input\_np\_instance\_types) | Allow passing a list of instance types for the auto scaler to select from when scaling the default node pool | `list(string)` |
[
"m6i.xlarge"
]
| no | -| [np\_labels](#input\_np\_labels) | A map of labels to add to the default pool nodes | `map(string)` | `{}` | no | +| [np\_labels](#input\_np\_labels) | A map of labels to add to the default pool nodes | `map(string)` |
{
"managed_by": "terraform"
}
| no | | [np\_max\_node\_count](#input\_np\_max\_node\_count) | Maximum number of nodes for the default node pool | `number` | `10` | no | | [np\_min\_node\_count](#input\_np\_min\_node\_count) | Minimum number of nodes for the default node pool | `number` | `1` | no | | [region](#input\_region) | The region where the cluster and relevant resources should be deployed in | `string` | n/a | yes | diff --git a/modules/eks-cluster/variables.tf b/modules/eks-cluster/variables.tf index 7609e0ff..2fed5a44 100644 --- a/modules/eks-cluster/variables.tf +++ b/modules/eks-cluster/variables.tf @@ -38,7 +38,9 @@ variable "np_desired_node_count" { variable "np_labels" { type = map(string) description = "A map of labels to add to the default pool nodes" - default = {} + default = { + managed_by = "terraform" + } } variable "cluster_tags" { From 628a6eb18d69060aea5607a1e866ce3c120dc8c1 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Fri, 4 Oct 2024 18:30:47 +0200 Subject: [PATCH 037/135] revert Idempotency for EKS --- modules/eks-cluster/README.md | 2 +- modules/eks-cluster/variables.tf | 4 +--- test/src/custom_eks_opensearch_test.go | 3 ++- test/src/custom_eks_rds_test.go | 3 ++- test/src/default_eks_test.go | 3 ++- test/src/upgrade_eks_test.go | 3 ++- 6 files changed, 10 insertions(+), 8 deletions(-) diff --git a/modules/eks-cluster/README.md b/modules/eks-cluster/README.md index 8ff8b434..5b9d70d5 100644 --- a/modules/eks-cluster/README.md +++ b/modules/eks-cluster/README.md 
@@ -62,7 +62,7 @@ module "eks_cluster" { | [np\_desired\_node\_count](#input\_np\_desired\_node\_count) | Actual number of nodes for the default node pool. Min-Max will be used for autoscaling | `number` | `4` | no | | [np\_disk\_size](#input\_np\_disk\_size) | Disk size of the nodes on the default node pool | `number` | `20` | no | | [np\_instance\_types](#input\_np\_instance\_types) | Allow passing a list of instance types for the auto scaler to select from when scaling the default node pool | `list(string)` |
[
"m6i.xlarge"
]
| no | -| [np\_labels](#input\_np\_labels) | A map of labels to add to the default pool nodes | `map(string)` |
{
"managed_by": "terraform"
}
| no | +| [np\_labels](#input\_np\_labels) | A map of labels to add to the default pool nodes | `map(string)` | `{}` | no | | [np\_max\_node\_count](#input\_np\_max\_node\_count) | Maximum number of nodes for the default node pool | `number` | `10` | no | | [np\_min\_node\_count](#input\_np\_min\_node\_count) | Minimum number of nodes for the default node pool | `number` | `1` | no | | [region](#input\_region) | The region where the cluster and relevant resources should be deployed in | `string` | n/a | yes | diff --git a/modules/eks-cluster/variables.tf b/modules/eks-cluster/variables.tf index 2fed5a44..7609e0ff 100644 --- a/modules/eks-cluster/variables.tf +++ b/modules/eks-cluster/variables.tf @@ -38,9 +38,7 @@ variable "np_desired_node_count" { variable "np_labels" { type = map(string) description = "A map of labels to add to the default pool nodes" - default = { - managed_by = "terraform" - } + default = {} } variable "cluster_tags" { diff --git a/test/src/custom_eks_opensearch_test.go b/test/src/custom_eks_opensearch_test.go index 7c3c23f8..007fc11b 100644 --- a/test/src/custom_eks_opensearch_test.go +++ b/test/src/custom_eks_opensearch_test.go @@ -122,7 +122,8 @@ func (suite *CustomEKSOpenSearchTestSuite) TestCustomEKSAndOpenSearch() { defer utils.DeferCleanup(suite.T(), suite.bucketRegion, terraformOptions) } - terraform.InitAndApplyAndIdempotent(suite.T(), terraformOptions) + // due to labels, we can't test Idempotent-ency on EKS + terraform.InitAndApply(suite.T(), terraformOptions) sess, err := utils.GetAwsClient() suite.Require().NoErrorf(err, "Failed to get aws client") diff --git a/test/src/custom_eks_rds_test.go b/test/src/custom_eks_rds_test.go index cd8c3ab4..50e895bd 100644 --- a/test/src/custom_eks_rds_test.go +++ b/test/src/custom_eks_rds_test.go 
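Review bot: Replacing `InitAndApplyAndIdempotent` with `InitAndApply` here, and in the matching hunks of custom_eks_rds_test.go, default_eks_test.go and upgrade_eks_test.go, removes the only check that a second plan is empty, so a perpetual diff in the IAM, security-group or OpenSearch resources would go unnoticed. The comment blames node labels, but this same commit restores `np_labels` to `{}`, so it is worth confirming that the non-idempotent plan still occurs. If it does, the comment should name the resource and attribute that drift, e.g. `// EKS node group labels show a diff on re-plan (see <issue link>), so idempotency is not asserted here`. The test function starts and ends outside the hunk.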
@@ -121,7 +121,8 @@ func (suite *CustomEKSRDSTestSuite) TestCustomEKSAndRDS() { defer utils.DeferCleanup(suite.T(), suite.bucketRegion, terraformOptions) } - terraform.InitAndApplyAndIdempotent(suite.T(), terraformOptions) + // due to labels, we can't test Idempotent-ency on EKS + terraform.InitAndApply(suite.T(), terraformOptions) sess, err := utils.GetAwsClient() suite.Require().NoErrorf(err, "Failed to get aws client") diff --git a/test/src/default_eks_test.go b/test/src/default_eks_test.go index 34c4e0ee..aa7584f4 100644 --- a/test/src/default_eks_test.go +++ b/test/src/default_eks_test.go @@ -121,7 +121,8 @@ func (suite *DefaultEKSTestSuite) TestDefaultEKS() { defer utils.DeferCleanup(suite.T(), suite.bucketRegion, terraformOptions) } - terraform.InitAndApplyAndIdempotent(suite.T(), terraformOptions) + // due to labels, we can't test Idempotent-ency on EKS + terraform.InitAndApply(suite.T(), terraformOptions) suite.baseChecksEKS(terraformOptions) } diff --git a/test/src/upgrade_eks_test.go b/test/src/upgrade_eks_test.go index c7c1944a..196df292 100644 --- a/test/src/upgrade_eks_test.go +++ b/test/src/upgrade_eks_test.go @@ -122,7 +122,8 @@ func (suite *UpgradeEKSTestSuite) TestUpgradeEKS() { defer utils.DeferCleanup(suite.T(), suite.bucketRegion, terraformOptions) } - terraform.InitAndApplyAndIdempotent(suite.T(), terraformOptions) + // due to labels, we can't test Idempotent-ency on EKS + terraform.InitAndApply(suite.T(), terraformOptions) sess, err := utils.GetAwsClient() suite.Require().NoErrorf(err, "Failed to get aws client") From 4f8030341cefdffa508861212a99279f99d385fe Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Fri, 4 Oct 2024 19:25:33 +0200 Subject: [PATCH 038/135] rettriger-ci From ee987b14ab66d4cf592d3403e0d9facf2d8ad73a Mon Sep 17 00:00:00 2001 
From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Fri, 4 Oct 2024 23:46:53 +0200 Subject: [PATCH 039/135] fix tests --- .../eks-cleanup-resources/scripts/destroy.sh | 117 ++++++++++++------ .github/workflows/test-gha-eks.yml | 27 +--- test/src/custom_eks_opensearch_test.go | 6 +- test/src/custom_eks_rds_test.go | 6 +- test/src/utils/aws.go | 8 +- 5 files changed, 88 insertions(+), 76 deletions(-) diff --git a/.github/actions/eks-cleanup-resources/scripts/destroy.sh b/.github/actions/eks-cleanup-resources/scripts/destroy.sh index bb2402a2..879fa5dc 100755 --- a/.github/actions/eks-cleanup-resources/scripts/destroy.sh +++ b/.github/actions/eks-cleanup-resources/scripts/destroy.sh @@ -27,7 +27,6 @@ set -o pipefail # - AWS CLI installed and configured with the necessary permissions to access and modify the S3 bucket. # - Terraform installed and accessible in the PATH. - # Check for required arguments if [ "$#" -lt 5 ] || [ "$#" -gt 6 ]; then echo "Usage: $0 [MODULE_NAME]" 
@@ -186,66 +185,106 @@ if [ $aws_exit_code -ne 0 ]; then exit 1 fi - +# Categorize resources by module type if [ "$ID_OR_ALL" == "all" ]; then resources=$(echo "$all_objects" | grep "/terraform.tfstate" | awk '{print $4}') else resources=$(echo "$all_objects" | grep "/terraform.tfstate" | grep "$ID_OR_ALL" | awk '{print $4}') fi + # Check if resources is empty (i.e., no objects found) if [ -z "$resources" ]; then echo "No terraform.tfstate objects found in the S3 bucket. Exiting script." >&2 exit 0 fi -current_timestamp=$($date_command +%s) +# Initialise arrays for the resources by module type +aurora_resources=() +opensearch_resources=() +eks_resources=() +# Classify resources into different module types for resource_id in $resources; do - cd "$CURRENT_DIR" || return 1 - terraform_module=$(basename "$(dirname "$resource_id")") - echo "Checking resource $resource_id (terraform module=$terraform_module)" - # Apply module name filter if specified - if [ "$MODULE_NAME" != "all" ] && [ "$MODULE_NAME" != "$terraform_module" ]; then - echo "Skipping resource $resource_id because it does not match the specified module name: $MODULE_NAME" - continue - fi + case "$terraform_module" in + aurora) + aurora_resources+=("$resource_id") + ;; + opensearch) + opensearch_resources+=("$resource_id") + ;; + eks-cluster) + eks_resources+=("$resource_id") + ;; + *) + echo "Skipping unsupported module: $terraform_module" + ;; + esac +done - last_modified=$(aws s3api head-object --bucket "$BUCKET" --key "$resource_id" --output json | grep LastModified | awk -F '"' '{print $4}') - if [ -z "$last_modified" ]; then - echo "Error: Failed to retrieve last modified timestamp for resource $resource_id" - exit 1 - fi +current_timestamp=$($date_command +%s) - last_modified_timestamp=$($date_command -d "$last_modified" +%s) - if [ -z "$last_modified_timestamp" ]; then - echo "Error: Failed to convert last modified timestamp to seconds since epoch for resource $resource_id" - exit 1 - fi - echo 
"resource $resource_id last modification: $last_modified ($last_modified_timestamp)" +# Function to process the destruction for a specific resource type +process_resources_in_order() { + local resources=("$@") # Accept an array of resources to process - file_age_hours=$(( ($current_timestamp - $last_modified_timestamp) / 3600 )) - if [ -z "$file_age_hours" ]; then - echo "Error: Failed to calculate file age in hours for resource $resource_id" - exit 1 - fi - echo "resource $resource_id is $file_age_hours hours old" + for resource_id in "${resources[@]}"; do + cd "$CURRENT_DIR" || return 1 - if [ $file_age_hours -ge "$MIN_AGE_IN_HOURS" ]; then - # name of the cluster is always after terraform/ - cluster_name=$(echo "$resource_id" | cut -d'/' -f2) - echo "Destroying resource $resource_id in $terraform_module (cluster_name=$cluster_name)" + terraform_module=$(basename "$(dirname "$resource_id")") + echo "Checking resource $resource_id (terraform module=$terraform_module)" - if ! destroy_resource "$resource_id" "$terraform_module" "$cluster_name"; then - echo "Error destroying resource $resource_id" - FAILED=1 + # Apply module name filter if specified + if [ "$MODULE_NAME" != "all" ] && [ "$MODULE_NAME" != "$terraform_module" ]; then + echo "Skipping resource $resource_id because it does not match the specified module name: $MODULE_NAME" + continue fi - else - echo "Skipping resource $resource_id as it does not meet the minimum age requirement of $MIN_AGE_IN_HOURS hours" - fi -done + last_modified=$(aws s3api head-object --bucket "$BUCKET" --key "$resource_id" --output json | grep LastModified | awk -F '"' '{print $4}') + if [ -z "$last_modified" ]; then + echo "Error: Failed to retrieve last modified timestamp for resource $resource_id" + exit 1 + fi + + last_modified_timestamp=$($date_command -d "$last_modified" +%s) + if [ -z "$last_modified_timestamp" ]; then + echo "Error: Failed to convert last modified timestamp to seconds since epoch for resource $resource_id" 
+ exit 1 + fi + echo "Resource $resource_id last modification: $last_modified ($last_modified_timestamp)" + + file_age_hours=$(( ($current_timestamp - $last_modified_timestamp) / 3600 )) + if [ -z "$file_age_hours" ]; then + echo "Error: Failed to calculate file age in hours for resource $resource_id" + exit 1 + fi + echo "Resource $resource_id is $file_age_hours hours old" + + if [ $file_age_hours -ge "$MIN_AGE_IN_HOURS" ]; then + # Name of the cluster is always after terraform/ + cluster_name=$(echo "$resource_id" | cut -d'/' -f2) + echo "Destroying resource $resource_id in $terraform_module (cluster_name=$cluster_name)" + + if ! destroy_resource "$resource_id" "$terraform_module" "$cluster_name"; then + echo "Error destroying resource $resource_id" + FAILED=1 + fi + else + echo "Skipping resource $resource_id as it does not meet the minimum age requirement of $MIN_AGE_IN_HOURS hours" + fi + done +} + +# Destroy resources in the specific order: Aurora, OpenSearch, then EKS +echo "Destroying Aurora resources..." +process_resources_in_order "${aurora_resources[@]}" + +echo "Destroying OpenSearch resources..." +process_resources_in_order "${opensearch_resources[@]}" + +echo "Destroying EKS resources..." +process_resources_in_order "${eks_resources[@]}" echo "Cleaning up empty folders in s3://$BUCKET" # Loop until no empty folders are found diff --git a/.github/workflows/test-gha-eks.yml b/.github/workflows/test-gha-eks.yml index 1a2f11c0..b4f6ee5f 100644 --- a/.github/workflows/test-gha-eks.yml +++ b/.github/workflows/test-gha-eks.yml 
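Review bot: The new `*)` branch of the classification `case` only prints `Skipping unsupported module`, so a state file that belongs to any module other than aurora, opensearch or eks-cluster is never destroyed and the run still reports success; before this change every matching state was processed. Reporting it on stderr and flagging the run, as the destroy path already does, keeps leftover infrastructure visible: `echo "Unsupported module: $terraform_module ($resource_id)" >&2; FAILED=1`. Separately, the context line `grep "$ID_OR_ALL"` matches the target as an unanchored pattern, so a target that is a prefix of another cluster's name also selects that cluster's state for destruction; `grep -F -- "/$ID_OR_ALL/"` limits the match to the exact path segment, assuming keys keep the `terraform/<cluster>/...` layout the script's own comment describes. The `exit 1` calls inside `process_resources_in_order` also abort the module groups that have not run yet.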
@@ -207,30 +207,8 @@ jobs: s3-bucket-region: ${{ env.TF_STATE_BUCKET_REGION }} tf-modules-revision: ${{ steps.commit_info.outputs.tf_modules_revision }} - - name: Delete OpenSearch cluster - timeout-minutes: 30 - if: always() && env.CREATE_OPENSEARCH == 'true' && !(github.event_name == 'workflow_dispatch' && inputs.delete_cluster == 'false') - uses: ./.github/actions/eks-cleanup-resources - with: - tf-bucket: ${{ env.TF_STATE_BUCKET }} - tf-bucket-region: ${{ env.TF_STATE_BUCKET_REGION }} - max-age-hours: 0 - target: ${{ steps.commit_info.outputs.cluster_name }} - module-name: opensearch - - - name: Delete Aurora cluster - timeout-minutes: 30 - if: always() && env.CREATE_DB == 'true' && !(github.event_name == 'workflow_dispatch' && inputs.delete_cluster == 'false') - uses: ./.github/actions/eks-cleanup-resources - with: - tf-bucket: ${{ env.TF_STATE_BUCKET }} - tf-bucket-region: ${{ env.TF_STATE_BUCKET_REGION }} - max-age-hours: 0 - target: ${{ steps.commit_info.outputs.cluster_name }} - module-name: aurora - - - name: Delete EKS cluster - timeout-minutes: 30 + - name: Delete Resources + timeout-minutes: 120 if: always() && !(github.event_name == 'workflow_dispatch' && inputs.delete_cluster == 'false') uses: ./.github/actions/eks-cleanup-resources with: @@ -238,7 +216,6 @@ jobs: tf-bucket-region: ${{ env.TF_STATE_BUCKET_REGION }} max-age-hours: 0 target: ${{ steps.commit_info.outputs.cluster_name }} - module-name: eks-cluster - name: Notify in Slack in case of failure id: slack-notification diff --git a/test/src/custom_eks_opensearch_test.go b/test/src/custom_eks_opensearch_test.go index 007fc11b..82a2cd4a 100644 --- a/test/src/custom_eks_opensearch_test.go +++ b/test/src/custom_eks_opensearch_test.go 
@@ -197,17 +197,17 @@ func (suite *CustomEKSOpenSearchTestSuite) TestCustomEKSAndOpenSearch() { { "Effect": "Allow", "Principal": { - "Federated": "arn:aws:iam::%s:oidc-provider/oidc.eks.%s.amazonaws.com/id/%s" + "Federated": "arn:aws:iam::%s:oidc-provider/%s" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { - "oidc.eks.%s.amazonaws.com/id/%s:sub": "system:serviceaccount:%s:%s" + "%s:sub": "system:serviceaccount:%s:%s" } } } ] -}`, accountId, suite.region, oidcProviderID, suite.region, oidcProviderID, openSearchNamespace, openSearchServiceAccount) +}`, accountId, oidcProviderID, oidcProviderID, openSearchNamespace, openSearchServiceAccount) varsConfigOpenSearch := map[string]interface{}{ "domain_name": opensearchDomainName, diff --git a/test/src/custom_eks_rds_test.go b/test/src/custom_eks_rds_test.go index 50e895bd..20b0c994 100644 --- a/test/src/custom_eks_rds_test.go +++ b/test/src/custom_eks_rds_test.go @@ -203,17 +203,17 @@ func (suite *CustomEKSRDSTestSuite) TestCustomEKSAndRDS() { { "Effect": "Allow", "Principal": { - "Federated": "arn:aws:iam::%s:oidc-provider/oidc.eks.%s.amazonaws.com/id/%s" + "Federated": "arn:aws:iam::%s:oidc-provider/%s" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { - "oidc.eks.%s.amazonaws.com/id/%s:sub": "system:serviceaccount:%s:%s" + "%s:sub": "system:serviceaccount:%s:%s" } } } ] -}`, accountId, suite.region, oidcProviderID, suite.region, oidcProviderID, auroraNamespace, auroraServiceAccount) +}`, accountId, oidcProviderID, oidcProviderID, auroraNamespace, auroraServiceAccount) varsConfigAurora := map[string]interface{}{ "username": auroraUsername, diff --git a/test/src/utils/aws.go b/test/src/utils/aws.go index 12dce4e9..be2dd388 100644 --- a/test/src/utils/aws.go +++ b/test/src/utils/aws.go 
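Review bot: The trust policy built in this hunk, and in the matching hunk of custom_eks_rds_test.go, conditions `sts:AssumeRoleWithWebIdentity` only on the `:sub` claim. AWS's guidance for IAM roles for service accounts also pins the audience, so that a token from the same issuer minted for a different audience is rejected. Adding `"%s:aud": "sts.amazonaws.com",` to the `StringEquals` block, with one more `oidcProviderID` argument to `fmt.Sprintf`, covers it. The surrounding test function starts and ends outside the hunk.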
@@ -161,15 +161,11 @@ func DeleteObjectFromS3Bucket(sess aws.Config, s3Bucket string, objectToDelete s return nil } -// ExtractOIDCProviderID extracts the OIDC provider ID from the EKS cluster result. +// ExtractOIDCProviderID extracts the OIDC provider from the EKS cluster result (without scheme, eg. no https://). func ExtractOIDCProviderID(clusterResult *eks.DescribeClusterOutput) (string, error) { if clusterResult == nil || clusterResult.Cluster == nil || clusterResult.Cluster.Identity == nil { return "", fmt.Errorf("invalid cluster result") } - oidcProviderURL := *clusterResult.Cluster.Identity.Oidc.Issuer - partsOIDC := strings.Split(oidcProviderURL, "/") - oidcProviderID := partsOIDC[len(partsOIDC)-1] - - return oidcProviderID, nil + return strings.ReplaceAll(*clusterResult.Cluster.Identity.Oidc.Issuer, "https://", ""), nil } From 803a5a8d4895d029510e63d80ac31d29e8a35043 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Sat, 5 Oct 2024 01:33:07 +0200 Subject: [PATCH 040/135] fix domain name --- test/src/custom_eks_opensearch_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/src/custom_eks_opensearch_test.go b/test/src/custom_eks_opensearch_test.go index 82a2cd4a..3eb96014 100644 --- a/test/src/custom_eks_opensearch_test.go +++ b/test/src/custom_eks_opensearch_test.go @@ -47,7 +47,7 @@ func (suite *CustomEKSOpenSearchTestSuite) SetupTest() { suite.sugaredLogger = suite.logger.Sugar() clusterSuffix := utils.GetEnv("TESTS_CLUSTER_ID", strings.ToLower(random.UniqueId())) - suite.clusterName = fmt.Sprintf("cluster-opensearch-%s", clusterSuffix) + suite.clusterName = fmt.Sprintf("cl-os-%s", clusterSuffix) suite.region = utils.GetEnv("TESTS_CLUSTER_REGION", "eu-central-1") suite.bucketRegion = utils.GetEnv("TF_STATE_BUCKET_REGION", suite.region) suite.tfBinaryName = utils.GetEnv("TESTS_TF_BINARY_NAME", "terraform") From 56a8e791972ad8bb9b86355a213d66226c619a3c Mon Sep 17 00:00:00 2001 
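Review bot: `ExtractOIDCProviderID` dereferences `clusterResult.Cluster.Identity.Oidc.Issuer` after checking only as far as `Identity`, so a cluster result without OIDC data panics instead of returning the `invalid cluster result` error. Extend the guard with `|| clusterResult.Cluster.Identity.Oidc == nil || clusterResult.Cluster.Identity.Oidc.Issuer == nil` (assuming `Oidc` is a pointer, as in the AWS SDK v2 EKS types). Strip the scheme with `strings.TrimPrefix(issuer, "https://")`, which removes it only at the start rather than at every occurrence as `strings.ReplaceAll` does. The result is interpolated into IAM trust policies by the test suites, so rejecting an empty value is worthwhile too. The name still says `ID` although the function now returns the issuer host and path; renaming would touch callers, so the doc comment should at least state that explicitly.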
From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Sat, 5 Oct 2024 11:55:34 +0200 Subject: [PATCH 041/135] fix tests --- .github/workflows/test-gha-eks.yml | 2 +- modules/fixtures/fixtures.default.aurora.tfvars | 3 +++ modules/fixtures/fixtures.default.eks.tfvars | 6 ++++++ modules/fixtures/fixtures.default.opensearch.tfvars | 3 +++ test/src/custom_eks_opensearch_test.go | 3 +-- test/src/custom_eks_rds_test.go | 3 +-- test/src/default_eks_test.go | 3 +-- test/src/upgrade_eks_test.go | 3 +-- 8 files changed, 17 insertions(+), 9 deletions(-) diff --git a/.github/workflows/test-gha-eks.yml b/.github/workflows/test-gha-eks.yml index b4f6ee5f..9f31bab2 100644 --- a/.github/workflows/test-gha-eks.yml +++ b/.github/workflows/test-gha-eks.yml @@ -86,7 +86,7 @@ jobs: if [[ -n "${{ inputs.cluster_name }}" ]]; then cluster_name="${{ inputs.cluster_name }}" else - cluster_name="cl-$(git rev-parse --short HEAD)" + cluster_name="cl-$(git rev-parse --short HEAD)-t" fi echo "cluster_name=$cluster_name" | tee -a "$GITHUB_OUTPUT" diff --git a/modules/fixtures/fixtures.default.aurora.tfvars b/modules/fixtures/fixtures.default.aurora.tfvars index e69de29b..5f920138 100644 --- a/modules/fixtures/fixtures.default.aurora.tfvars +++ b/modules/fixtures/fixtures.default.aurora.tfvars @@ -0,0 +1,3 @@ +tags = { + Environment = "tests" +} diff --git a/modules/fixtures/fixtures.default.eks.tfvars b/modules/fixtures/fixtures.default.eks.tfvars index c11b59b1..2220f06a 100644 --- a/modules/fixtures/fixtures.default.eks.tfvars +++ b/modules/fixtures/fixtures.default.eks.tfvars @@ -4,3 +4,9 @@ np_instance_types = ["t2.medium"] # spot instances are cheaper with same performances for non production environments np_capacity_type = "SPOT" +cluster_tags = { + Environment = "tests" +} +np_labels = { + Environment = "tests" +} diff --git a/modules/fixtures/fixtures.default.opensearch.tfvars b/modules/fixtures/fixtures.default.opensearch.tfvars index e69de29b..5f920138 100644 
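Review bot: The context lines of this step in `test-gha-eks.yml` expand `${{ inputs.cluster_name }}` directly inside the shell script (`if [[ -n "${{ inputs.cluster_name }}" ]]` and `cluster_name="${{ inputs.cluster_name }}"`), so the input text becomes part of the script before the shell parses it. Passing it through the step environment avoids that: add `env:` with `INPUT_CLUSTER_NAME: ${{ inputs.cluster_name }}` to the step and use `"$INPUT_CLUSTER_NAME"` in both places. Since the value ends up as a cloud resource name, checking it against an allowed pattern such as `^[a-z0-9-]+$` before writing it to `$GITHUB_OUTPUT` would also be reasonable. The step begins outside the hunk, so the `env:` placement has to be checked against the full file.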
--- a/modules/fixtures/fixtures.default.opensearch.tfvars +++ b/modules/fixtures/fixtures.default.opensearch.tfvars @@ -0,0 +1,3 @@ +tags = { + Environment = "tests" +} diff --git a/test/src/custom_eks_opensearch_test.go b/test/src/custom_eks_opensearch_test.go index 3eb96014..328bfae6 100644 --- a/test/src/custom_eks_opensearch_test.go +++ b/test/src/custom_eks_opensearch_test.go @@ -122,8 +122,7 @@ func (suite *CustomEKSOpenSearchTestSuite) TestCustomEKSAndOpenSearch() { defer utils.DeferCleanup(suite.T(), suite.bucketRegion, terraformOptions) } - // due to labels, we can't test Idempotent-ency on EKS - terraform.InitAndApply(suite.T(), terraformOptions) + terraform.InitAndApplyAndIdempotent(suite.T(), terraformOptions) sess, err := utils.GetAwsClient() suite.Require().NoErrorf(err, "Failed to get aws client") diff --git a/test/src/custom_eks_rds_test.go b/test/src/custom_eks_rds_test.go index 20b0c994..9d167ea1 100644 --- a/test/src/custom_eks_rds_test.go +++ b/test/src/custom_eks_rds_test.go @@ -121,8 +121,7 @@ func (suite *CustomEKSRDSTestSuite) TestCustomEKSAndRDS() { defer utils.DeferCleanup(suite.T(), suite.bucketRegion, terraformOptions) } - // due to labels, we can't test Idempotent-ency on EKS - terraform.InitAndApply(suite.T(), terraformOptions) + terraform.InitAndApplyAndIdempotent(suite.T(), terraformOptions) sess, err := utils.GetAwsClient() suite.Require().NoErrorf(err, "Failed to get aws client") diff --git a/test/src/default_eks_test.go b/test/src/default_eks_test.go index aa7584f4..34c4e0ee 100644 --- a/test/src/default_eks_test.go +++ b/test/src/default_eks_test.go @@ -121,8 +121,7 @@ func (suite *DefaultEKSTestSuite) TestDefaultEKS() { defer utils.DeferCleanup(suite.T(), suite.bucketRegion, terraformOptions) } - // due to labels, we can't test Idempotent-ency on EKS - terraform.InitAndApply(suite.T(), terraformOptions) + terraform.InitAndApplyAndIdempotent(suite.T(), terraformOptions) suite.baseChecksEKS(terraformOptions) } 
diff --git a/test/src/upgrade_eks_test.go b/test/src/upgrade_eks_test.go index 196df292..c7c1944a 100644 --- a/test/src/upgrade_eks_test.go +++ b/test/src/upgrade_eks_test.go @@ -122,8 +122,7 @@ func (suite *UpgradeEKSTestSuite) TestUpgradeEKS() { defer utils.DeferCleanup(suite.T(), suite.bucketRegion, terraformOptions) } - // due to labels, we can't test Idempotent-ency on EKS - terraform.InitAndApply(suite.T(), terraformOptions) + terraform.InitAndApplyAndIdempotent(suite.T(), terraformOptions) sess, err := utils.GetAwsClient() suite.Require().NoErrorf(err, "Failed to get aws client") From 2f96dd0cd5ed8199d695df5dc1efde53f706f2d8 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Sat, 5 Oct 2024 12:00:45 +0200 Subject: [PATCH 042/135] rebase on main --- test/src/go.sum | 1168 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 1168 insertions(+) create mode 100644 test/src/go.sum diff --git a/test/src/go.sum b/test/src/go.sum new file mode 100644 index 00000000..9fd6c333 --- /dev/null +++ b/test/src/go.sum 
@@ -0,0 +1,1168 @@ +cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= +cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU= +cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY= +cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc= +cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0= +cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To= +cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4= +cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M= +cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc= +cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk= +cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs= +cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc= +cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY= +cloud.google.com/go v0.72.0/go.mod h1:M+5Vjvlc2wnp6tjzE102Dw08nGShTscUx2nZMufOKPI= +cloud.google.com/go v0.74.0/go.mod h1:VV1xSbzvo+9QJOxLDaJfTjx5e+MePCpCWwvftOeQmWk= +cloud.google.com/go v0.78.0/go.mod h1:QjdrLG0uq+YwhjoVOLsS1t7TW8fs36kLs4XO5R5ECHg= +cloud.google.com/go v0.79.0/go.mod h1:3bzgcEeQlzbuEAYu4mrWhKqWjmpprinYgKJLgKHnbb8= +cloud.google.com/go v0.81.0/go.mod h1:mk/AM35KwGk/Nm2YSeZbxXdrNK3KZOYHmLkOqC2V6E0= +cloud.google.com/go v0.83.0/go.mod h1:Z7MJUsANfY0pYPdw0lbnivPx4/vhy/e2FEkSkF7vAVY= +cloud.google.com/go v0.84.0/go.mod h1:RazrYuxIK6Kb7YrzzhPoLmCVzl7Sup4NrbKPg8KHSUM= +cloud.google.com/go v0.87.0/go.mod h1:TpDYlFy7vuLzZMMZ+B6iRiELaY7z/gJPaqbMx6mlWcY= +cloud.google.com/go v0.90.0/go.mod 
h1:kRX0mNRHe0e2rC6oNakvwQqzyDmg57xJ+SZU1eT2aDQ= +cloud.google.com/go v0.93.3/go.mod h1:8utlLll2EF5XMAV15woO4lSbWQlk8rer9aLOfLh7+YI= +cloud.google.com/go v0.94.1/go.mod h1:qAlAugsXlC+JWO+Bke5vCtc9ONxjQT3drlTTnAplMW4= +cloud.google.com/go v0.97.0/go.mod h1:GF7l59pYBVlXQIBLx3a761cZ41F9bBH3JUlihCt2Udc= +cloud.google.com/go v0.99.0/go.mod h1:w0Xx2nLzqWJPuozYQX+hFfCSI8WioryfRDzkoI/Y2ZA= +cloud.google.com/go v0.100.2/go.mod h1:4Xra9TjzAeYHrl5+oeLlzbM2k3mjVhZh4UqTZ//w99A= +cloud.google.com/go v0.102.0/go.mod h1:oWcCzKlqJ5zgHQt9YsaeTY9KzIvjyy0ArmiBUgpQ+nc= +cloud.google.com/go v0.102.1/go.mod h1:XZ77E9qnTEnrgEOvr4xzfdX5TRo7fB4T2F4O6+34hIU= +cloud.google.com/go v0.104.0/go.mod h1:OO6xxXdJyvuJPcEPBLN9BJPD+jep5G1+2U5B5gkRYtA= +cloud.google.com/go v0.110.0 h1:Zc8gqp3+a9/Eyph2KDmcGaPtbKRIoqq4YTlL4NMD0Ys= +cloud.google.com/go v0.110.0/go.mod h1:SJnCLqQ0FCFGSZMUNUf84MV3Aia54kn7pi8st7tMzaY= +cloud.google.com/go/aiplatform v1.22.0/go.mod h1:ig5Nct50bZlzV6NvKaTwmplLLddFx0YReh9WfTO5jKw= +cloud.google.com/go/aiplatform v1.24.0/go.mod h1:67UUvRBKG6GTayHKV8DBv2RtR1t93YRu5B1P3x99mYY= +cloud.google.com/go/analytics v0.11.0/go.mod h1:DjEWCu41bVbYcKyvlws9Er60YE4a//bK6mnhWvQeFNI= +cloud.google.com/go/analytics v0.12.0/go.mod h1:gkfj9h6XRf9+TS4bmuhPEShsh3hH8PAZzm/41OOhQd4= +cloud.google.com/go/area120 v0.5.0/go.mod h1:DE/n4mp+iqVyvxHN41Vf1CR602GiHQjFPusMFW6bGR4= +cloud.google.com/go/area120 v0.6.0/go.mod h1:39yFJqWVgm0UZqWTOdqkLhjoC7uFfgXRC8g/ZegeAh0= +cloud.google.com/go/artifactregistry v1.6.0/go.mod h1:IYt0oBPSAGYj/kprzsBjZ/4LnG/zOcHyFHjWPCi6SAQ= +cloud.google.com/go/artifactregistry v1.7.0/go.mod h1:mqTOFOnGZx8EtSqK/ZWcsm/4U8B77rbcLP6ruDU2Ixk= +cloud.google.com/go/asset v1.5.0/go.mod h1:5mfs8UvcM5wHhqtSv8J1CtxxaQq3AdBxxQi2jGW/K4o= +cloud.google.com/go/asset v1.7.0/go.mod h1:YbENsRK4+xTiL+Ofoj5Ckf+O17kJtgp3Y3nn4uzZz5s= +cloud.google.com/go/asset v1.8.0/go.mod h1:mUNGKhiqIdbr8X7KNayoYvyc4HbbFO9URsjbytpUaW0= +cloud.google.com/go/assuredworkloads v1.5.0/go.mod 
h1:n8HOZ6pff6re5KYfBXcFvSViQjDwxFkAkmUFffJRbbY= +cloud.google.com/go/assuredworkloads v1.6.0/go.mod h1:yo2YOk37Yc89Rsd5QMVECvjaMKymF9OP+QXWlKXUkXw= +cloud.google.com/go/assuredworkloads v1.7.0/go.mod h1:z/736/oNmtGAyU47reJgGN+KVoYoxeLBoj4XkKYscNI= +cloud.google.com/go/automl v1.5.0/go.mod h1:34EjfoFGMZ5sgJ9EoLsRtdPSNZLcfflJR39VbVNS2M0= +cloud.google.com/go/automl v1.6.0/go.mod h1:ugf8a6Fx+zP0D59WLhqgTDsQI9w07o64uf/Is3Nh5p8= +cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= +cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE= +cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc= +cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg= +cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc= +cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ= +cloud.google.com/go/bigquery v1.42.0/go.mod h1:8dRTJxhtG+vwBKzE5OseQn/hiydoQN3EedCaOdYmxRA= +cloud.google.com/go/billing v1.4.0/go.mod h1:g9IdKBEFlItS8bTtlrZdVLWSSdSyFUZKXNS02zKMOZY= +cloud.google.com/go/billing v1.5.0/go.mod h1:mztb1tBc3QekhjSgmpf/CV4LzWXLzCArwpLmP2Gm88s= +cloud.google.com/go/binaryauthorization v1.1.0/go.mod h1:xwnoWu3Y84jbuHa0zd526MJYmtnVXn0syOjaJgy4+dM= +cloud.google.com/go/binaryauthorization v1.2.0/go.mod h1:86WKkJHtRcv5ViNABtYMhhNWRrD1Vpi//uKEy7aYEfI= +cloud.google.com/go/cloudtasks v1.5.0/go.mod h1:fD92REy1x5woxkKEkLdvavGnPJGEn8Uic9nWuLzqCpY= +cloud.google.com/go/cloudtasks v1.6.0/go.mod h1:C6Io+sxuke9/KNRkbQpihnW93SWDU3uXt92nu85HkYI= +cloud.google.com/go/compute v0.1.0/go.mod h1:GAesmwr110a34z04OlxYkATPBEfVhkymfTBXtfbBFow= +cloud.google.com/go/compute v1.3.0/go.mod h1:cCZiE1NHEtai4wiufUhW8I8S1JKkAnhnQJWM7YD99wM= +cloud.google.com/go/compute v1.5.0/go.mod h1:9SMHyhJlzhlkJqrPAc839t2BZFTSk6Jdj6mkzQJeu0M= +cloud.google.com/go/compute v1.6.0/go.mod 
h1:T29tfhtVbq1wvAPo0E3+7vhgmkOYeXjhFvz/FMzPu0s= +cloud.google.com/go/compute v1.6.1/go.mod h1:g85FgpzFvNULZ+S8AYq87axRKuf2Kh7deLqV/jJ3thU= +cloud.google.com/go/compute v1.7.0/go.mod h1:435lt8av5oL9P3fv1OEzSbSUe+ybHXGMPQHHZWZxy9U= +cloud.google.com/go/compute v1.10.0/go.mod h1:ER5CLbMxl90o2jtNbGSbtfOpQKR0t15FOtRsugnLrlU= +cloud.google.com/go/compute/metadata v0.3.0 h1:Tz+eQXMEqDIKRsmY3cHTL6FVaynIjX2QxYC4trgAKZc= +cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k= +cloud.google.com/go/containeranalysis v0.5.1/go.mod h1:1D92jd8gRR/c0fGMlymRgxWD3Qw9C1ff6/T7mLgVL8I= +cloud.google.com/go/containeranalysis v0.6.0/go.mod h1:HEJoiEIu+lEXM+k7+qLCci0h33lX3ZqoYFdmPcoO7s4= +cloud.google.com/go/datacatalog v1.3.0/go.mod h1:g9svFY6tuR+j+hrTw3J2dNcmI0dzmSiyOzm8kpLq0a0= +cloud.google.com/go/datacatalog v1.5.0/go.mod h1:M7GPLNQeLfWqeIm3iuiruhPzkt65+Bx8dAKvScX8jvs= +cloud.google.com/go/datacatalog v1.6.0/go.mod h1:+aEyF8JKg+uXcIdAmmaMUmZ3q1b/lKLtXCmXdnc0lbc= +cloud.google.com/go/dataflow v0.6.0/go.mod h1:9QwV89cGoxjjSR9/r7eFDqqjtvbKxAK2BaYU6PVk9UM= +cloud.google.com/go/dataflow v0.7.0/go.mod h1:PX526vb4ijFMesO1o202EaUmouZKBpjHsTlCtB4parQ= +cloud.google.com/go/dataform v0.3.0/go.mod h1:cj8uNliRlHpa6L3yVhDOBrUXH+BPAO1+KFMQQNSThKo= +cloud.google.com/go/dataform v0.4.0/go.mod h1:fwV6Y4Ty2yIFL89huYlEkwUPtS7YZinZbzzj5S9FzCE= +cloud.google.com/go/datalabeling v0.5.0/go.mod h1:TGcJ0G2NzcsXSE/97yWjIZO0bXj0KbVlINXMG9ud42I= +cloud.google.com/go/datalabeling v0.6.0/go.mod h1:WqdISuk/+WIGeMkpw/1q7bK/tFEZxsrFJOJdY2bXvTQ= +cloud.google.com/go/dataqna v0.5.0/go.mod h1:90Hyk596ft3zUQ8NkFfvICSIfHFh1Bc7C4cK3vbhkeo= +cloud.google.com/go/dataqna v0.6.0/go.mod h1:1lqNpM7rqNLVgWBJyk5NF6Uen2PHym0jtVJonplVsDA= +cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= +cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= +cloud.google.com/go/datastream v1.2.0/go.mod 
h1:i/uTP8/fZwgATHS/XFu0TcNUhuA0twZxxQ3EyCUQMwo= +cloud.google.com/go/datastream v1.3.0/go.mod h1:cqlOX8xlyYF/uxhiKn6Hbv6WjwPPuI9W2M9SAXwaLLQ= +cloud.google.com/go/dialogflow v1.15.0/go.mod h1:HbHDWs33WOGJgn6rfzBW1Kv807BE3O1+xGbn59zZWI4= +cloud.google.com/go/dialogflow v1.16.1/go.mod h1:po6LlzGfK+smoSmTBnbkIZY2w8ffjz/RcGSS+sh1el0= +cloud.google.com/go/dialogflow v1.17.0/go.mod h1:YNP09C/kXA1aZdBgC/VtXX74G/TKn7XVCcVumTflA+8= +cloud.google.com/go/documentai v1.7.0/go.mod h1:lJvftZB5NRiFSX4moiye1SMxHx0Bc3x1+p9e/RfXYiU= +cloud.google.com/go/documentai v1.8.0/go.mod h1:xGHNEB7CtsnySCNrCFdCyyMz44RhFEEX2Q7UD0c5IhU= +cloud.google.com/go/domains v0.6.0/go.mod h1:T9Rz3GasrpYk6mEGHh4rymIhjlnIuB4ofT1wTxDeT4Y= +cloud.google.com/go/domains v0.7.0/go.mod h1:PtZeqS1xjnXuRPKE/88Iru/LdfoRyEHYA9nFQf4UKpg= +cloud.google.com/go/edgecontainer v0.1.0/go.mod h1:WgkZ9tp10bFxqO8BLPqv2LlfmQF1X8lZqwW4r1BTajk= +cloud.google.com/go/edgecontainer v0.2.0/go.mod h1:RTmLijy+lGpQ7BXuTDa4C4ssxyXT34NIuHIgKuP4s5w= +cloud.google.com/go/functions v1.6.0/go.mod h1:3H1UA3qiIPRWD7PeZKLvHZ9SaQhR26XIJcC0A5GbvAk= +cloud.google.com/go/functions v1.7.0/go.mod h1:+d+QBcWM+RsrgZfV9xo6KfA1GlzJfxcfZcRPEhDDfzg= +cloud.google.com/go/gaming v1.5.0/go.mod h1:ol7rGcxP/qHTRQE/RO4bxkXq+Fix0j6D4LFPzYTIrDM= +cloud.google.com/go/gaming v1.6.0/go.mod h1:YMU1GEvA39Qt3zWGyAVA9bpYz/yAhTvaQ1t2sK4KPUA= +cloud.google.com/go/gkeconnect v0.5.0/go.mod h1:c5lsNAg5EwAy7fkqX/+goqFsU1Da/jQFqArp+wGNr/o= +cloud.google.com/go/gkeconnect v0.6.0/go.mod h1:Mln67KyU/sHJEBY8kFZ0xTeyPtzbq9StAVvEULYK16A= +cloud.google.com/go/gkehub v0.9.0/go.mod h1:WYHN6WG8w9bXU0hqNxt8rm5uxnk8IH+lPY9J2TV7BK0= +cloud.google.com/go/gkehub v0.10.0/go.mod h1:UIPwxI0DsrpsVoWpLB0stwKCP+WFVG9+y977wO+hBH0= +cloud.google.com/go/grafeas v0.2.0/go.mod h1:KhxgtF2hb0P191HlY5besjYm6MqTSTj3LSI+M+ByZHc= +cloud.google.com/go/iam v0.3.0/go.mod h1:XzJPvDayI+9zsASAFO68Hk07u3z+f+JrT2xXNdp4bnY= +cloud.google.com/go/iam v0.5.0/go.mod h1:wPU9Vt0P4UmCux7mqtRu6jcpPAb74cP1fh50J3QpkUc= 
+cloud.google.com/go/iam v0.13.0 h1:+CmB+K0J/33d0zSQ9SlFWUeCCEn5XJA0ZMZ3pHE9u8k= +cloud.google.com/go/iam v0.13.0/go.mod h1:ljOg+rcNfzZ5d6f1nAUJ8ZIxOaZUVoS14bKCtaLZ/D0= +cloud.google.com/go/language v1.4.0/go.mod h1:F9dRpNFQmJbkaop6g0JhSBXCNlO90e1KWx5iDdxbWic= +cloud.google.com/go/language v1.6.0/go.mod h1:6dJ8t3B+lUYfStgls25GusK04NLh3eDLQnWM3mdEbhI= +cloud.google.com/go/lifesciences v0.5.0/go.mod h1:3oIKy8ycWGPUyZDR/8RNnTOYevhaMLqh5vLUXs9zvT8= +cloud.google.com/go/lifesciences v0.6.0/go.mod h1:ddj6tSX/7BOnhxCSd3ZcETvtNr8NZ6t/iPhY2Tyfu08= +cloud.google.com/go/longrunning v0.4.1 h1:v+yFJOfKC3yZdY6ZUI933pIYdhyhV8S3NpWrXWmg7jM= +cloud.google.com/go/longrunning v0.4.1/go.mod h1:4iWDqhBZ70CvZ6BfETbvam3T8FMvLK+eFj0E6AaRQTo= +cloud.google.com/go/mediatranslation v0.5.0/go.mod h1:jGPUhGTybqsPQn91pNXw0xVHfuJ3leR1wj37oU3y1f4= +cloud.google.com/go/mediatranslation v0.6.0/go.mod h1:hHdBCTYNigsBxshbznuIMFNe5QXEowAuNmmC7h8pu5w= +cloud.google.com/go/memcache v1.4.0/go.mod h1:rTOfiGZtJX1AaFUrOgsMHX5kAzaTQ8azHiuDoTPzNsE= +cloud.google.com/go/memcache v1.5.0/go.mod h1:dk3fCK7dVo0cUU2c36jKb4VqKPS22BTkf81Xq617aWM= +cloud.google.com/go/metastore v1.5.0/go.mod h1:2ZNrDcQwghfdtCwJ33nM0+GrBGlVuh8rakL3vdPY3XY= +cloud.google.com/go/metastore v1.6.0/go.mod h1:6cyQTls8CWXzk45G55x57DVQ9gWg7RiH65+YgPsNh9s= +cloud.google.com/go/networkconnectivity v1.4.0/go.mod h1:nOl7YL8odKyAOtzNX73/M5/mGZgqqMeryi6UPZTk/rA= +cloud.google.com/go/networkconnectivity v1.5.0/go.mod h1:3GzqJx7uhtlM3kln0+x5wyFvuVH1pIBJjhCpjzSt75o= +cloud.google.com/go/networksecurity v0.5.0/go.mod h1:xS6fOCoqpVC5zx15Z/MqkfDwH4+m/61A3ODiDV1xmiQ= +cloud.google.com/go/networksecurity v0.6.0/go.mod h1:Q5fjhTr9WMI5mbpRYEbiexTzROf7ZbDzvzCrNl14nyU= +cloud.google.com/go/notebooks v1.2.0/go.mod h1:9+wtppMfVPUeJ8fIWPOq1UnATHISkGXGqTkxeieQ6UY= +cloud.google.com/go/notebooks v1.3.0/go.mod h1:bFR5lj07DtCPC7YAAJ//vHskFBxA5JzYlH68kXVdk34= +cloud.google.com/go/osconfig v1.7.0/go.mod h1:oVHeCeZELfJP7XLxcBGTMBvRO+1nQ5tFG9VQTmYS2Fs= 
+cloud.google.com/go/osconfig v1.8.0/go.mod h1:EQqZLu5w5XA7eKizepumcvWx+m8mJUhEwiPqWiZeEdg= +cloud.google.com/go/oslogin v1.4.0/go.mod h1:YdgMXWRaElXz/lDk1Na6Fh5orF7gvmJ0FGLIs9LId4E= +cloud.google.com/go/oslogin v1.5.0/go.mod h1:D260Qj11W2qx/HVF29zBg+0fd6YCSjSqLUkY/qEenQU= +cloud.google.com/go/phishingprotection v0.5.0/go.mod h1:Y3HZknsK9bc9dMi+oE8Bim0lczMU6hrX0UpADuMefr0= +cloud.google.com/go/phishingprotection v0.6.0/go.mod h1:9Y3LBLgy0kDTcYET8ZH3bq/7qni15yVUoAxiFxnlSUA= +cloud.google.com/go/privatecatalog v0.5.0/go.mod h1:XgosMUvvPyxDjAVNDYxJ7wBW8//hLDDYmnsNcMGq1K0= +cloud.google.com/go/privatecatalog v0.6.0/go.mod h1:i/fbkZR0hLN29eEWiiwue8Pb+GforiEIBnV9yrRUOKI= +cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= +cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw= +cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA= +cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU= +cloud.google.com/go/recaptchaenterprise v1.3.1/go.mod h1:OdD+q+y4XGeAlxRaMn1Y7/GveP6zmq76byL6tjPE7d4= +cloud.google.com/go/recaptchaenterprise/v2 v2.1.0/go.mod h1:w9yVqajwroDNTfGuhmOjPDN//rZGySaf6PtFVcSCa7o= +cloud.google.com/go/recaptchaenterprise/v2 v2.2.0/go.mod h1:/Zu5jisWGeERrd5HnlS3EUGb/D335f9k51B/FVil0jk= +cloud.google.com/go/recaptchaenterprise/v2 v2.3.0/go.mod h1:O9LwGCjrhGHBQET5CA7dd5NwwNQUErSgEDit1DLNTdo= +cloud.google.com/go/recommendationengine v0.5.0/go.mod h1:E5756pJcVFeVgaQv3WNpImkFP8a+RptV6dDLGPILjvg= +cloud.google.com/go/recommendationengine v0.6.0/go.mod h1:08mq2umu9oIqc7tDy8sx+MNJdLG0fUi3vaSVbztHgJ4= +cloud.google.com/go/recommender v1.5.0/go.mod h1:jdoeiBIVrJe9gQjwd759ecLJbxCDED4A6p+mqoqDvTg= +cloud.google.com/go/recommender v1.6.0/go.mod h1:+yETpm25mcoiECKh9DEScGzIRyDKpZ0cEhWGo+8bo+c= +cloud.google.com/go/redis v1.7.0/go.mod h1:V3x5Jq1jzUcg+UNsRvdmsfuFnit1cfe3Z/PGyq/lm4Y= +cloud.google.com/go/redis v1.8.0/go.mod 
h1:Fm2szCDavWzBk2cDKxrkmWBqoCiL1+Ctwq7EyqBCA/A= +cloud.google.com/go/retail v1.8.0/go.mod h1:QblKS8waDmNUhghY2TI9O3JLlFk8jybHeV4BF19FrE4= +cloud.google.com/go/retail v1.9.0/go.mod h1:g6jb6mKuCS1QKnH/dpu7isX253absFl6iE92nHwlBUY= +cloud.google.com/go/scheduler v1.4.0/go.mod h1:drcJBmxF3aqZJRhmkHQ9b3uSSpQoltBPGPxGAWROx6s= +cloud.google.com/go/scheduler v1.5.0/go.mod h1:ri073ym49NW3AfT6DZi21vLZrG07GXr5p3H1KxN5QlI= +cloud.google.com/go/secretmanager v1.6.0/go.mod h1:awVa/OXF6IiyaU1wQ34inzQNc4ISIDIrId8qE5QGgKA= +cloud.google.com/go/security v1.5.0/go.mod h1:lgxGdyOKKjHL4YG3/YwIL2zLqMFCKs0UbQwgyZmfJl4= +cloud.google.com/go/security v1.7.0/go.mod h1:mZklORHl6Bg7CNnnjLH//0UlAlaXqiG7Lb9PsPXLfD0= +cloud.google.com/go/security v1.8.0/go.mod h1:hAQOwgmaHhztFhiQ41CjDODdWP0+AE1B3sX4OFlq+GU= +cloud.google.com/go/securitycenter v1.13.0/go.mod h1:cv5qNAqjY84FCN6Y9z28WlkKXyWsgLO832YiWwkCWcU= +cloud.google.com/go/securitycenter v1.14.0/go.mod h1:gZLAhtyKv85n52XYWt6RmeBdydyxfPeTrpToDPw4Auc= +cloud.google.com/go/servicedirectory v1.4.0/go.mod h1:gH1MUaZCgtP7qQiI+F+A+OpeKF/HQWgtAddhTbhL2bs= +cloud.google.com/go/servicedirectory v1.5.0/go.mod h1:QMKFL0NUySbpZJ1UZs3oFAmdvVxhhxB6eJ/Vlp73dfg= +cloud.google.com/go/speech v1.6.0/go.mod h1:79tcr4FHCimOp56lwC01xnt/WPJZc4v3gzyT7FoBkCM= +cloud.google.com/go/speech v1.7.0/go.mod h1:KptqL+BAQIhMsj1kOP2la5DSEEerPDuOP/2mmkhHhZQ= +cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= +cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos= +cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk= +cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs= +cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0= +cloud.google.com/go/storage v1.22.1/go.mod h1:S8N1cAStu7BOeFfE8KAQzmyyLkK8p/vmRq6kuBTW58Y= +cloud.google.com/go/storage v1.23.0/go.mod 
h1:vOEEDNFnciUMhBeT6hsJIn3ieU5cFRmzeLgDvXzfIXc= +cloud.google.com/go/storage v1.27.0/go.mod h1:x9DOL8TK/ygDUMieqwfhdpQryTeEkhGKMi80i/iqR2s= +cloud.google.com/go/storage v1.28.1 h1:F5QDG5ChchaAVQhINh24U99OWHURqrW8OmQcGKXcbgI= +cloud.google.com/go/storage v1.28.1/go.mod h1:Qnisd4CqDdo6BGs2AD5LLnEsmSQ80wQ5ogcBBKhU86Y= +cloud.google.com/go/talent v1.1.0/go.mod h1:Vl4pt9jiHKvOgF9KoZo6Kob9oV4lwd/ZD5Cto54zDRw= +cloud.google.com/go/talent v1.2.0/go.mod h1:MoNF9bhFQbiJ6eFD3uSsg0uBALw4n4gaCaEjBw9zo8g= +cloud.google.com/go/videointelligence v1.6.0/go.mod h1:w0DIDlVRKtwPCn/C4iwZIJdvC69yInhW0cfi+p546uU= +cloud.google.com/go/videointelligence v1.7.0/go.mod h1:k8pI/1wAhjznARtVT9U1llUaFNPh7muw8QyOUpavru4= +cloud.google.com/go/vision v1.2.0/go.mod h1:SmNwgObm5DpFBme2xpyOyasvBc1aPdjvMk2bBk0tKD0= +cloud.google.com/go/vision/v2 v2.2.0/go.mod h1:uCdV4PpN1S0jyCyq8sIM42v2Y6zOLkZs+4R9LrGYwFo= +cloud.google.com/go/vision/v2 v2.3.0/go.mod h1:UO61abBx9QRMFkNBbf1D8B1LXdS2cGiiCRx0vSpZoUo= +cloud.google.com/go/webrisk v1.4.0/go.mod h1:Hn8X6Zr+ziE2aNd8SliSDWpEnSS1u4R9+xXZmFiHmGE= +cloud.google.com/go/webrisk v1.5.0/go.mod h1:iPG6fr52Tv7sGk0H6qUFzmL3HHZev1htXuWDEEsqMTg= +cloud.google.com/go/workflows v1.6.0/go.mod h1:6t9F5h/unJz41YqfBmqSASJSXccBLtD1Vwf+KmJENM0= +cloud.google.com/go/workflows v1.7.0/go.mod h1:JhSrZuVZWuiDfKEFxU0/F1PQjmpnpcoISEXH2bcHC3M= +dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= +github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= +github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= +github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= +github.com/agext/levenshtein v1.2.1/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558= +github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo= +github.com/agext/levenshtein v1.2.3/go.mod 
h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558= +github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= +github.com/apparentlymart/go-dump v0.0.0-20180507223929-23540a00eaa3/go.mod h1:oL81AME2rN47vu18xqj1S1jPIPuN7afo62yKTNn3XMM= +github.com/apparentlymart/go-textseg v1.0.0/go.mod h1:z96Txxhf3xSFMPmb5X/1W05FF/Nj9VFpLOpjS5yuumk= +github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6iT90AvPUL1NNfNw= +github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo= +github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio= +github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs= +github.com/aws/aws-sdk-go v1.44.122/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo= +github.com/aws/aws-sdk-go v1.54.6 h1:HEYUib3yTt8E6vxjMWM3yAq5b+qjj/6aKA62mkgux9g= +github.com/aws/aws-sdk-go v1.54.6/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU= +github.com/aws/aws-sdk-go-v2 v1.32.0 h1:GuHp7GvMN74PXD5C97KT5D87UhIy4bQPkflQKbfkndg= +github.com/aws/aws-sdk-go-v2 v1.32.0/go.mod h1:2SK5n0a2karNTv5tbP1SjsX0uhttou00v/HpXKM1ZUo= +github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.5 h1:xDAuZTn4IMm8o1LnBZvmrL8JA1io4o3YWNXgohbf20g= +github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.5/go.mod h1:wYSv6iDS621sEFLfKvpPE2ugjTuGlAG7iROg0hLOkfc= +github.com/aws/aws-sdk-go-v2/config v1.27.41 h1:esG3WpmEuNJ6F4kVFLumN8nCfA5VBav1KKb3JPx83O4= +github.com/aws/aws-sdk-go-v2/config v1.27.41/go.mod h1:haUg09ebP+ClvPjU3EB/xe0HF9PguO19PD2fdjM2X14= +github.com/aws/aws-sdk-go-v2/credentials v1.17.39 h1:tmVexAhoGqJxNE2oc4/SJqL+Jz1x1iCPt5ts9XcqZCU= +github.com/aws/aws-sdk-go-v2/credentials v1.17.39/go.mod h1:zgOdbDI9epE608PdboJ87CYvPIejAgFevazeJW6iauQ= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.15 h1:kGjlNc2IXXcxPDcfMyCshNCjVgxUhC/vTJv7NvC9wKk= 
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.15/go.mod h1:rk/HmqPo+dX0Uv0Q1+4w3QKFdICEGSsTYz1hRWvH8UI= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.19 h1:Q/k5wCeJkSWs+62kDfOillkNIJ5NqmE3iOfm48g/W8c= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.19/go.mod h1:Wns1C66VvtA2Bv/cUBuKZKQKdjo7EVMhp90aAa+8oTI= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.19 h1:AYLE0lUfKvN6icFTR/p+NmD1amYKTbqHQ1Nm+jwE6BM= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.19/go.mod h1:1giLakj64GjuH1NBzF/DXqly5DWHtMTaOzRZ53nFX0I= +github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 h1:VaRN3TlFdd6KxX1x3ILT5ynH6HvKgqdiXoTxAF4HQcQ= +github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1/go.mod h1:FbtygfRFze9usAadmnGJNc8KsP346kEe+y2/oyhGAGc= +github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.18 h1:OWYvKL53l1rbsUmW7bQyJVsYU/Ii3bbAAQIIFNbM0Tk= +github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.18/go.mod h1:CUx0G1v3wG6l01tUB+j7Y8kclA8NSqK4ef0YG79a4cg= +github.com/aws/aws-sdk-go-v2/service/ec2 v1.179.2 h1:rGBv2N0zWvNTKnxOfbBH4mNM8WMdDNkaxdqtz152G40= +github.com/aws/aws-sdk-go-v2/service/ec2 v1.179.2/go.mod h1:W6sNzs5T4VpZn1Vy+FMKw8s24vt5k6zPJXcNOK0asBo= +github.com/aws/aws-sdk-go-v2/service/eks v1.49.3 h1:4Aq01bwq1RnyMLAgx/6kB8cqvfLlQet5cWY3MVhlsqU= +github.com/aws/aws-sdk-go-v2/service/eks v1.49.3/go.mod h1:QUjwO93Ri00egMAeWw75dviZBM5pECLx0KNeNaBtTIM= +github.com/aws/aws-sdk-go-v2/service/iam v1.36.3 h1:dV9iimLEHKYAz2qTi+tGAD9QCnAG2pLD7HUEHB7m4mI= +github.com/aws/aws-sdk-go-v2/service/iam v1.36.3/go.mod h1:HSvujsK8xeEHMIB18oMXjSfqaN9cVqpo/MtHJIksQRk= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.0 h1:TToQNkvGguu209puTojY/ozlqy2d/SFNcoLIqTFi42g= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.0/go.mod h1:0jp+ltwkf+SwG2fm/PKo8t4y8pJSgOCO4D8Lz3k0aHQ= +github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.20 h1:rTWjG6AvWekO2B1LHeM3ktU7MqyX9rzWQ7hgzneZW7E= +github.com/aws/aws-sdk-go-v2/service/internal/checksum 
v1.3.20/go.mod h1:RGW2DDpVc8hu6Y6yG8G5CHVmVOAn1oV8rNKOHRJyswg= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.0 h1:AdbiDUgQZmM28rDIZbiSwFxz8+3B94aOXxzs6oH+EA0= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.0/go.mod h1:uV476Bd80tiDTX4X2redMtagQUg65aU/gzPojSJ4kSI= +github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.18 h1:eb+tFOIl9ZsUe2259/BKPeniKuz4/02zZFH/i4Nf8Rg= +github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.18/go.mod h1:GVCC2IJNJTmdlyEsSmofEy7EfJncP7DNnXDzRjJ5Keg= +github.com/aws/aws-sdk-go-v2/service/kms v1.36.3 h1:iHi6lC6LfW6SNvB2bixmlOW3WMyWFrHZCWX+P+CCxMk= +github.com/aws/aws-sdk-go-v2/service/kms v1.36.3/go.mod h1:OHmlX4+o0XIlJAQGAHPIy0N9yZcYS/vNG+T7geSNcFw= +github.com/aws/aws-sdk-go-v2/service/opensearch v1.40.2 h1:tQMi7jzkFcuLobVKrW4edPnnreXLNaHRJKgLutxvPdY= +github.com/aws/aws-sdk-go-v2/service/opensearch v1.40.2/go.mod h1:4rB9oWpduMw/+UqL/WdNLJZNF7iAwaJWwJ6GgsQqOjg= +github.com/aws/aws-sdk-go-v2/service/rds v1.85.2 h1:KDO/FSO8V+zlvnQF6v4nOariw2qwPx5/z2pyb6X7ibk= +github.com/aws/aws-sdk-go-v2/service/rds v1.85.2/go.mod h1:lhiPj6RvoJHWG2STp+k5az55YqGgFLBzkKYdYHgUh9g= +github.com/aws/aws-sdk-go-v2/service/s3 v1.63.3 h1:3zt8qqznMuAZWDTDpcwv9Xr11M/lVj2FsRR7oYBt0OA= +github.com/aws/aws-sdk-go-v2/service/s3 v1.63.3/go.mod h1:NLTqRLe3pUNu3nTEHI6XlHLKYmc8fbHUdMxAB6+s41Q= +github.com/aws/aws-sdk-go-v2/service/sso v1.24.0 h1:71FvP6XFj53NK+YiAEGVzeiccLVeFnHOCvMig0zOHsE= +github.com/aws/aws-sdk-go-v2/service/sso v1.24.0/go.mod h1:UVJqtKXSd9YppRKgdBIkyv7qgbSGv5DchM3yX0BN2mU= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.0 h1:Uco4o19bi3AmBapImNzuMk+rfzlui52BDyVK1UfJeRA= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.0/go.mod h1:+HLFhCpnG08hBee8bUdfd1mBK+rFKPt4O5igR9lXDfk= +github.com/aws/aws-sdk-go-v2/service/sts v1.32.0 h1:GiQUjZM2KUZX68o/LpZ1xqxYMuvoxpRrOwYARYog3vc= +github.com/aws/aws-sdk-go-v2/service/sts v1.32.0/go.mod h1:dKnu7M4MAS2SDlng1ytxd03H+y0LoUfEQ5E2VaaSw/4= 
+github.com/aws/smithy-go v1.22.0 h1:uunKnWlcoL3zO7q+gG2Pk53joueEOsnNB28QdMsmiMM= +github.com/aws/smithy-go v1.22.0/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg= +github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= +github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= +github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d h1:xDfNPAt8lFiC1UJrqV3uuy861HCTo708pDMbjHHdCas= +github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d/go.mod h1:6QX/PXZ00z/TKoufEY6K/a0k6AhaJrQKdFe6OfVXsa4= +github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= +github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc h1:biVzkmvwrH8WK8raXaxBx6fRVTlJILwEwQGL1I/ByEI= +github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= +github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= +github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= +github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= +github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/cheggaaa/pb v1.0.27/go.mod h1:pQciLPpbU0oxA0h+VJYYLxO+XeDQb5pZijXscXHm81s= +github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= +github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= +github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= +github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= +github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= 
+github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= +github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= +github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI= +github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= +github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= +github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= +github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= +github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= +github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= +github.com/cpuguy83/go-md2man/v2 v2.0.0 h1:EoUDS0afbrsXAZ9YQ9jdu/mZ2sXgT1/2yyNng4PGlyM= +github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= +github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g= +github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/envoyproxy/go-control-plane v0.9.0/go.mod 
h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= +github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po= +github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= +github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= +github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ= +github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0= +github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1/go.mod h1:KJwIaB5Mv44NWtYuAOFCVOjcI94vtpEz2JU/D2v6IjE= +github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= +github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= +github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU= +github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E= +github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= +github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/go-errors/errors v1.0.1/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q= +github.com/go-errors/errors v1.0.2-0.20180813162953-d98b870cc4e0 h1:skJKxRtNmevLqnayafdLe2AsenqRupVmzZSqrvb5caU= +github.com/go-errors/errors v1.0.2-0.20180813162953-d98b870cc4e0/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q= +github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod 
h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= +github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= +github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= +github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= +github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-openapi/jsonpointer v0.20.2 h1:mQc3nmndL8ZBzStEo3JYF8wzmeWffDH4VbXz58sAx6Q= +github.com/go-openapi/jsonpointer v0.20.2/go.mod h1:bHen+N0u1KEO3YlmqOjTT9Adn1RfD91Ar825/PuiRVs= +github.com/go-openapi/jsonreference v0.20.4 h1:bKlDxQxQJgwpUSgOENiMPzCTBVuc7vTdXSSgNeAhojU= +github.com/go-openapi/jsonreference v0.20.4/go.mod h1:5pZJyJP2MnYCpoeoMAql78cCHauHj0V9Lhc506VOpw4= +github.com/go-openapi/swag v0.22.7 h1:JWrc1uc/P9cSomxfnsFSVWoE1FW6bNbrVPmpQYpCcR8= +github.com/go-openapi/swag v0.22.7/go.mod h1:Gl91UqO+btAM0plGGxHqJcQZ1ZTy6jbmridBTsDy8A0= +github.com/go-sql-driver/mysql v1.4.1 h1:g24URVg0OFbNUTx9qqY1IRZ9D9z3iPyi5zKhQZpNwpA= +github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= +github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= +github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= +github.com/go-test/deep v1.0.3/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA= +github.com/go-test/deep v1.0.7 h1:/VSMRlnY/JSyqxQUzQLKVMAskpY/NZKFA5j2P+0pP2M= +github.com/go-test/deep v1.0.7/go.mod h1:QV8Hv/iy04NyLBxAdO9njL0iVPN1S4d/A3NVv1V36o8= +github.com/gofrs/flock v0.8.1 h1:+gYjHKf32LDeiEEFhQaotPbLuUXjY5ZqxKgXy7n59aw= +github.com/gofrs/flock v0.8.1/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU= +github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= +github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= +github.com/golang/glog 
v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= +github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= +github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y= +github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= +github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= +github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= +github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4= +github.com/golang/mock v1.5.0/go.mod h1:CWnOUgYIOo4TcNZ0wHX3YZCqsaM1I1Jvs6v3mP3KVu8= +github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs= +github.com/golang/protobuf v1.1.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= +github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= 
+github.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk= +github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= +github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= +github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= +github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= +github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= +github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= +github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= +github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= +github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= +github.com/golang/protobuf v1.5.1/go.mod h1:DopwsBzvsk0Fs44TXzsVbJyPhcCPeIwnvohx4u74HPM= +github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= +github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= +github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= +github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= +github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= +github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= +github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= +github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= +github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= 
+github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE= +github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= +github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/martian v2.1.0+incompatible h1:/CP5g8u/VJHijgedC/Legn3BAbAaWPgecwXBIDzw5no= +github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= +github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= +github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= +github.com/google/martian/v3 v3.2.1/go.mod 
h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk= +github.com/google/martian/v3 v3.3.2 h1:IqNFLAmvJOgVlpdEBiQbDc2EwKW77amAycfTuWKdfvw= +github.com/google/martian/v3 v3.3.2/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk= +github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= +github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= +github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20210122040257-d980be63207e/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20210601050228-01bbb1931b22/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20210609004039-a478d1d731e9/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20240525223248-4bfdf5a9a2af h1:kmjWCqn2qkEml422C2Rrd27c3VGxi6a/6HNq8QmHRKM= +github.com/google/pprof 
v0.0.0-20240525223248-4bfdf5a9a2af/go.mod h1:K1liHPHnj73Fdn/EKuT8nrFqBihUSKXoLYU0BuatOYo= +github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= +github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= +github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/googleapis/enterprise-certificate-proxy v0.0.0-20220520183353-fd19c99a87aa/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8= +github.com/googleapis/enterprise-certificate-proxy v0.1.0/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8= +github.com/googleapis/enterprise-certificate-proxy v0.2.0/go.mod h1:8C0jb7/mgJe/9KK8Lm7X9ctZC2t60YyIpYEI16jx0Qg= +github.com/googleapis/enterprise-certificate-proxy v0.2.3 h1:yk9/cqRKtT9wXZSsRH9aurXEpJX+U6FLtpYTdC3R06k= +github.com/googleapis/enterprise-certificate-proxy v0.2.3/go.mod h1:AwSRAtLfXpU5Nm3pW+v7rGDHp09LsPtGY9MduiEsR9k= +github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= +github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= +github.com/googleapis/gax-go/v2 v2.1.0/go.mod h1:Q3nei7sK6ybPYH7twZdmQpAd1MKb7pfu6SK+H1/DsU0= +github.com/googleapis/gax-go/v2 v2.1.1/go.mod h1:hddJymUZASv3XPyGkUpKj8pPO47Rmb0eJc8R6ouapiM= +github.com/googleapis/gax-go/v2 v2.2.0/go.mod h1:as02EH8zWkzwUoLbBaFeQ+arQaj/OthfcblKl4IGNaM= +github.com/googleapis/gax-go/v2 v2.3.0/go.mod h1:b8LNqSzNabLiUpXKkY7HAR5jr6bIT99EXz9pXxye9YM= +github.com/googleapis/gax-go/v2 v2.4.0/go.mod h1:XOTVJ59hdnfJLIP/dh8n5CGryZR2LxK9wbMD5+iXC6c= +github.com/googleapis/gax-go/v2 v2.5.1/go.mod h1:h6B0KMMFNtI2ddbGJn3T3ZbwkeT6yqEF02fYlzkUCyo= +github.com/googleapis/gax-go/v2 v2.6.0/go.mod h1:1mjbznJAPHFpesgE5ucqfYEscaz5kMdcIDwU/6+DDoY= +github.com/googleapis/gax-go/v2 
v2.7.1 h1:gF4c0zjUP2H/s/hEGyLA3I0fA2ZWjzYiONAD6cvPr8A= +github.com/googleapis/gax-go/v2 v2.7.1/go.mod h1:4orTrqY6hXxxaUL4LHIPl6lGo8vAE38/qKbhSAKP6QI= +github.com/googleapis/go-type-adapters v1.0.0/go.mod h1:zHW75FOG2aur7gAO2B+MLby+cLsWGBF62rFAi7WjWO4= +github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc= +github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= +github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= +github.com/gruntwork-io/go-commons v0.8.0 h1:k/yypwrPqSeYHevLlEDmvmgQzcyTwrlZGRaxEM6G0ro= +github.com/gruntwork-io/go-commons v0.8.0/go.mod h1:gtp0yTtIBExIZp7vyIV9I0XQkVwiQZze678hvDXof78= +github.com/gruntwork-io/terratest v0.47.2 h1:t6iWwsqJH7Gx0RwXleU/vjc+2c0JXRMdj3DxYXTBssQ= +github.com/gruntwork-io/terratest v0.47.2/go.mod h1:LnYX8BN5WxUMpDr8rtD39oToSL4CBERWSCusbJ0d/64= +github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA= +github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= +github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ= +github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48= +github.com/hashicorp/go-getter v1.7.6 h1:5jHuM+aH373XNtXl9TNTUH5Qd69Trve11tHIrB+6yj4= +github.com/hashicorp/go-getter v1.7.6/go.mod h1:W7TalhMmbPmsSMdNjD0ZskARur/9GJ17cfHTRtXV744= +github.com/hashicorp/go-multierror v1.1.0 h1:B9UzwGQJehnUY1yNrnwREHc3fGbC2xefo8g4TbElacI= +github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+vmowP0z+KUhOZdA= +github.com/hashicorp/go-safetemp v1.0.0 h1:2HR189eFNrjHQyENnQMMpCiBAsRxzbTMIgBhEyExpmo= +github.com/hashicorp/go-safetemp v1.0.0/go.mod h1:oaerMy3BhqiTbVye6QuFhFtIceqFoDHxNAB65b+Rj1I= +github.com/hashicorp/go-version v1.3.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= +github.com/hashicorp/go-version v1.6.0 
h1:feTTfFNnjP967rlCxM/I9g701jU+RN74YKx2mOkIeek= +github.com/hashicorp/go-version v1.6.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= +github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hashicorp/hcl/v2 v2.9.1 h1:eOy4gREY0/ZQHNItlfuEZqtcQbXIxzojlP301hDpnac= +github.com/hashicorp/hcl/v2 v2.9.1/go.mod h1:FwWsfWEjyV/CMj8s/gqAuiviY72rJ1/oayI9WftqcKg= +github.com/hashicorp/terraform-json v0.13.0 h1:Li9L+lKD1FO5RVFRM1mMMIBDoUHslOniyEi5CM+FWGY= +github.com/hashicorp/terraform-json v0.13.0/go.mod h1:y5OdLBCT+rxbwnpxZs9kGL7R9ExU76+cpdY8zHwoazk= +github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= +github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= +github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4= +github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY= +github.com/jinzhu/copier v0.0.0-20190924061706-b57f9002281a h1:zPPuIq2jAWWPTrGt70eK/BSch+gFAGrNzecsoENgu2o= +github.com/jinzhu/copier v0.0.0-20190924061706-b57f9002281a/go.mod h1:yL958EeXv8Ylng6IfnvG4oflryUi3vgA3xPs9hmII1s= +github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg= +github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= +github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8= +github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= +github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= +github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= +github.com/json-iterator/go v1.1.12 
h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= +github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= +github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= +github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= +github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= +github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/klauspost/compress v1.15.11 h1:Lcadnb3RKGin4FYM/orgq0qde+nc15E5Cbqg4B9Sx9c= +github.com/klauspost/compress v1.15.11/go.mod h1:QPwzmACJjUTFsnSHH934V6woptycfrDDJnH7hvFVbGM= +github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= +github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= +github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= +github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= +github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348/go.mod h1:B69LEHPfb2qLo0BaaOLcbitczOKLWTsrBG9LczfCD4k= +github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= +github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= +github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= +github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= +github.com/mattn/go-colorable 
v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= +github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= +github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= +github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= +github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOAqxQCu2WE= +github.com/mattn/go-runewidth v0.0.4/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= +github.com/mattn/go-zglob v0.0.1/go.mod h1:9fxibJccNxU2cnpIKLRRFA7zX7qhkJIQWBb449FYHOo= +github.com/mattn/go-zglob v0.0.2-0.20190814121620-e3c945676326 h1:ofNAzWCcyTALn2Zv40+8XitdzCgXY6e9qvXwN9W0YXg= +github.com/mattn/go-zglob v0.0.2-0.20190814121620-e3c945676326/go.mod h1:9fxibJccNxU2cnpIKLRRFA7zX7qhkJIQWBb449FYHOo= +github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s= +github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= +github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= +github.com/mitchellh/go-testing-interface v1.14.1 h1:jrgshOhYAUVNMAJiKbEu7EqAwgJJ2JqpQmpLJOu07cU= +github.com/mitchellh/go-testing-interface v1.14.1/go.mod h1:gfgS7OtZj6MA4U1UrDRp04twqAjfvlZyCfX3sDjEym8= +github.com/mitchellh/go-wordwrap v0.0.0-20150314170334-ad45545899c7/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo= +github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0= +github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0= +github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= +github.com/moby/spdystream v0.4.0 h1:Vy79D6mHeJJjiPdFEL2yku1kl0chZpJfZcPpb16BRl8= +github.com/moby/spdystream v0.4.0/go.mod h1:xBAYlnt/ay+11ShkdFKNAG7LsyK/tmNBVvVOwrfMgdI= +github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod 
h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= +github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J1GEMiLbxo1LJaP8RfCpH6pymGZus= +github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= +github.com/onsi/ginkgo/v2 v2.19.0 h1:9Cnnf7UHo57Hy3k6/m5k3dRfGTMXGvxhHFvkDTCTpvA= +github.com/onsi/ginkgo/v2 v2.19.0/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To= +github.com/onsi/gomega v1.19.0 h1:4ieX6qQjPP/BfC3mpsAtIGGlxTWPeA3Inl/7DtXw1tw= +github.com/onsi/gomega v1.19.0/go.mod h1:LY+I3pBVzYsTBU1AnDwOSxaYi9WoWiqgwooUqq9yPro= +github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/pquerna/otp v1.2.0 h1:/A3+Jn+cagqayeR3iHs/L62m5ue7710D35zl1zJ1kok= +github.com/pquerna/otp v1.2.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg= +github.com/prometheus/client_golang v1.19.1 h1:wZWJDwK+NameRJuPGDhlnFgx8e8HN3XHQeLaYJFJBOE= +github.com/prometheus/client_golang v1.19.1/go.mod 
h1:mP78NwGzrVks5S2H6ab8+ZZGJLZUq1hoULYBAYBw1Ho= +github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E= +github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY= +github.com/prometheus/common v0.55.0 h1:KEi6DK7lXW/m7Ig5i47x0vRzuBsHuvJdi5ee6Y3G1dc= +github.com/prometheus/common v0.55.0/go.mod h1:2SECS4xJG1kd8XF9IcM1gMX6510RAEL65zxzNImwdc8= +github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc= +github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk= +github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= +github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= +github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= +github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= +github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk= +github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/sebdah/goldie v1.0.0/go.mod h1:jXP4hmWywNEwZzhMuv2ccnqTSFpuq8iyQhtQdkkZBH4= +github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo= +github.com/sethvargo/go-password v0.3.1 h1:WqrLTjo7X6AcVYfC6R7GtSyuUQR9hGyAj/f1PYQZCJU= +github.com/sethvargo/go-password v0.3.1/go.mod h1:rXofC1zT54N7R8K/h1WDUdkf9BOx5OptoxrMBcrXzvs= +github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= +github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= +github.com/sirupsen/logrus v1.9.3 
h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= +github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= +github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= +github.com/spf13/pflag v1.0.2/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= +github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= +github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= +github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= +github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= +github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= +github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= +github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= +github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= +github.com/tmccombs/hcl2json v0.3.3 h1:+DLNYqpWE0CsOQiEZu+OZm5ZBImake3wtITYxQ8uLFQ= +github.com/tmccombs/hcl2json v0.3.3/go.mod 
h1:Y2chtz2x9bAeRTvSibVRVgbLJhLJXKlUeIvjeVdnm4w= +github.com/ulikunitz/xz v0.5.10 h1:t92gobL9l3HE202wg3rlk19F6X+JOxl9BBrCCMYEYd8= +github.com/ulikunitz/xz v0.5.10/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14= +github.com/urfave/cli v1.22.2 h1:gsqYFH8bb9ekPA12kRo0hfjngWQjkJPlN9R0N78BoUo= +github.com/urfave/cli v1.22.2/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= +github.com/vmihailenco/msgpack v3.3.3+incompatible/go.mod h1:fy3FlTQTDXWkZ7Bh6AcGMlsjHatGryHQYUTf1ShIgkk= +github.com/vmihailenco/msgpack/v4 v4.3.12/go.mod h1:gborTTJjAo/GWTqqRjrLCn9pgNN+NXzzngzBKDPIqw4= +github.com/vmihailenco/tagparser v0.1.1/go.mod h1:OeAg3pn3UbLjkWt+rN9oFYB6u/cQgqMEUPoW2WPyhdI= +github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= +github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= +github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= +github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= +github.com/zclconf/go-cty v1.2.0/go.mod h1:hOPWgoHbaTUnI5k4D2ld+GRpFJSCe6bCM7m1q/N4PQ8= +github.com/zclconf/go-cty v1.8.0/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk= +github.com/zclconf/go-cty v1.8.1/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk= +github.com/zclconf/go-cty v1.9.1 h1:viqrgQwFl5UpSxc046qblj78wZXVDFnSOufaOTER+cc= +github.com/zclconf/go-cty v1.9.1/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk= +github.com/zclconf/go-cty-debug v0.0.0-20191215020915-b22d67c1ba0b/go.mod h1:ZRKQfBXbGkpdV6QMzT3rU1kSTAnfu1dO8dPKjYprgj8= +go.opencensus.io v0.21.0/go.mod 
h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= +go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= +go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= +go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= +go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= +go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk= +go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E= +go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= +go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= +go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= +go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= +go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= +go.uber.org/multierr v1.10.0 h1:S0h4aNzvfcFsC3dRF1jLoaov7oRaKqRGC/pUEJ2yvPQ= +go.uber.org/multierr v1.10.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= +go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8= +go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod 
h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI= +golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM= +golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= +golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek= +golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY= +golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= +golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= +golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= +golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= +golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= +golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= +golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= +golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= +golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint 
v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs= +golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= +golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= +golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= +golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= +golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= +golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o= +golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc= +golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY= +golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= +golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= +golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= 
+golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180811021610-c39426892332/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net 
v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= +golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= +golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= +golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc= +golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= +golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod 
h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= +golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= +golang.org/x/net v0.0.0-20220325170049-de3da57026de/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= +golang.org/x/net v0.0.0-20220412020605-290c469a71a5/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= +golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= +golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.0.0-20220617184016-355a448f1bc9/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.0.0-20220909164309-bea034e7d591/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= +golang.org/x/net v0.0.0-20221014081412-f15817d10f9b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= +golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco= +golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ= +golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE= +golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= +golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod 
h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= +golang.org/x/oauth2 v0.0.0-20220309155454-6242fa91716a/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= +golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= +golang.org/x/oauth2 v0.0.0-20220608161450-d0670ef3b1eb/go.mod h1:jaDAt6Dkxork7LmZnYtzbRWj0W47D86a3TGe0YHBvmE= +golang.org/x/oauth2 v0.0.0-20220622183110-fd043fe589d2/go.mod h1:jaDAt6Dkxork7LmZnYtzbRWj0W47D86a3TGe0YHBvmE= +golang.org/x/oauth2 v0.0.0-20220822191816-0ebed06d0094/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg= +golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg= +golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783/go.mod 
h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg= +golang.org/x/oauth2 v0.1.0/go.mod h1:G9FE4dLTsbXUu90h/Pf85g4w1D+SSAgR+q46nJZ8M4A= +golang.org/x/oauth2 v0.21.0 h1:tsimM75w1tF/uws5rbeHzIWxEqElMehnc+iW793zsZs= +golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= +golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20220929204114-8fcdb60fdcc0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod 
h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190502175342-a43fa875dd82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
+golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys 
v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210603125802-9665404d3644/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210806184541-e5e7981a1069/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210908233432-aa78b53d3365/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20211210111614-af8b64212486/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220227234510-4e6760a101f9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220328115105-d36c6a25d886/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220502124256-b6088ccd6cba/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220615213510-4f61da869c0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220624220833-87e55d714810/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws= +golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.21.0 h1:WVXCp+/EBEHOj53Rvu+7KiT/iElMrO8ACK16SMZ3jaA= +golang.org/x/term v0.21.0/go.mod h1:ooXLefLobQVslOqselCNF4SxFAaoS6KujMbsGzSDmX0= +golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.0/go.mod 
h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4= +golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI= +golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= +golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= +golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod 
h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191216173652-a0e659d51361/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200117161641-43d50277825c/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200122220014-bf1340f18c4a/go.mod 
h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200204074204-1cc6d1ef6c74/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200207183749-b753a1ba74fa/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200227222343-706bc42d1f0d/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= +golang.org/x/tools v0.0.0-20200312045724-11d5b4c81c7d/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= +golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8= +golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= +golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= +golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= +golang.org/x/tools v0.0.0-20200904185747-39188db58858/go.mod 
h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE= +golang.org/x/tools v0.0.0-20201110124207-079ba7bd75cd/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.0.0-20201201161351-ac6f37ff4c2a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= +golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= +golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= +golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= +golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= +golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= +golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= +golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d h1:vU5i/LfpvrRCpgM/VPfJLg5KjxD3E+hfT1SH+d9zLwg= +golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20220411194840-2f41105eb62f/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors 
v0.0.0-20220517211312-f3a8303e98df/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= +golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= +golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 h1:H2TDz8ibqkAF6YGhCdN3jS9O0/s90v0rJh3X/OLHEUk= +golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= +google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= +google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= +google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= +google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= +google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= +google.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= +google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= +google.golang.org/api v0.17.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= +google.golang.org/api v0.18.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= +google.golang.org/api v0.19.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= +google.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= +google.golang.org/api v0.22.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= +google.golang.org/api v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= +google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= +google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM= +google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc= +google.golang.org/api v0.35.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg= +google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34qYtE= +google.golang.org/api 
v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8= +google.golang.org/api v0.41.0/go.mod h1:RkxM5lITDfTzmyKFPt+wGrCJbVfniCr2ool8kTBzRTU= +google.golang.org/api v0.43.0/go.mod h1:nQsDGjRXMo4lvh5hP0TKqF244gqhGcr/YSIykhUk/94= +google.golang.org/api v0.47.0/go.mod h1:Wbvgpq1HddcWVtzsVLyfLp8lDg6AA241LmgIL59tHXo= +google.golang.org/api v0.48.0/go.mod h1:71Pr1vy+TAZRPkPs/xlCf5SsU8WjuAWv1Pfjbtukyy4= +google.golang.org/api v0.50.0/go.mod h1:4bNT5pAuq5ji4SRZm+5QIkjny9JAyVD/3gaSihNefaw= +google.golang.org/api v0.51.0/go.mod h1:t4HdrdoNgyN5cbEfm7Lum0lcLDLiise1F8qDKX00sOU= +google.golang.org/api v0.54.0/go.mod h1:7C4bFFOvVDGXjfDTAsgGwDgAxRDeQ4X8NvUedIt6z3k= +google.golang.org/api v0.55.0/go.mod h1:38yMfeP1kfjsl8isn0tliTjIb1rJXcQi4UXlbqivdVE= +google.golang.org/api v0.56.0/go.mod h1:38yMfeP1kfjsl8isn0tliTjIb1rJXcQi4UXlbqivdVE= +google.golang.org/api v0.57.0/go.mod h1:dVPlbZyBo2/OjBpmvNdpn2GRm6rPy75jyU7bmhdrMgI= +google.golang.org/api v0.61.0/go.mod h1:xQRti5UdCmoCEqFxcz93fTl338AVqDgyaDRuOZ3hg9I= +google.golang.org/api v0.63.0/go.mod h1:gs4ij2ffTRXwuzzgJl/56BdwJaA194ijkfn++9tDuPo= +google.golang.org/api v0.67.0/go.mod h1:ShHKP8E60yPsKNw/w8w+VYaj9H6buA5UqDp8dhbQZ6g= +google.golang.org/api v0.70.0/go.mod h1:Bs4ZM2HGifEvXwd50TtW70ovgJffJYw2oRCOFU/SkfA= +google.golang.org/api v0.71.0/go.mod h1:4PyU6e6JogV1f9eA4voyrTY2batOLdgZ5qZ5HOCc4j8= +google.golang.org/api v0.74.0/go.mod h1:ZpfMZOVRMywNyvJFeqL9HRWBgAuRfSjJFpe9QtRRyDs= +google.golang.org/api v0.75.0/go.mod h1:pU9QmyHLnzlpar1Mjt4IbapUCy8J+6HD6GeELN69ljA= +google.golang.org/api v0.77.0/go.mod h1:pU9QmyHLnzlpar1Mjt4IbapUCy8J+6HD6GeELN69ljA= +google.golang.org/api v0.78.0/go.mod h1:1Sg78yoMLOhlQTeF+ARBoytAcH1NNyyl390YMy6rKmw= +google.golang.org/api v0.80.0/go.mod h1:xY3nI94gbvBrE0J6NHXhxOmW97HG7Khjkku6AFB3Hyg= +google.golang.org/api v0.84.0/go.mod h1:NTsGnUFJMYROtiquksZHBWtHfeMC7iYthki7Eq3pa8o= +google.golang.org/api v0.85.0/go.mod h1:AqZf8Ep9uZ2pyTvgL+x0D3Zt0eoT9b5E8fmzfu6FO2g= +google.golang.org/api v0.90.0/go.mod 
h1:+Sem1dnrKlrXMR/X0bPnMWyluQe4RsNoYfmNLhOIkzw= +google.golang.org/api v0.93.0/go.mod h1:+Sem1dnrKlrXMR/X0bPnMWyluQe4RsNoYfmNLhOIkzw= +google.golang.org/api v0.95.0/go.mod h1:eADj+UBuxkh5zlrSntJghuNeg8HwQ1w5lTKkuqaETEI= +google.golang.org/api v0.96.0/go.mod h1:w7wJQLTM+wvQpNf5JyEcBoxK0RH7EDrh/L4qfsuJ13s= +google.golang.org/api v0.97.0/go.mod h1:w7wJQLTM+wvQpNf5JyEcBoxK0RH7EDrh/L4qfsuJ13s= +google.golang.org/api v0.98.0/go.mod h1:w7wJQLTM+wvQpNf5JyEcBoxK0RH7EDrh/L4qfsuJ13s= +google.golang.org/api v0.100.0/go.mod h1:ZE3Z2+ZOr87Rx7dqFsdRQkRBk36kDtp/h+QpHbB7a70= +google.golang.org/api v0.114.0 h1:1xQPji6cO2E2vLiI+C/XiFAnsn1WV3mjaEwGLhi3grE= +google.golang.org/api v0.114.0/go.mod h1:ifYI2ZsFK6/uGddGfAD5BMxlnkBqCmqHSDUVi45N5Yg= +google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= +google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= +google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= +google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= +google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod 
h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= +google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= +google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8= +google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20200115191322-ca5a22157cba/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20200122232147-0452cf42e150/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20200204135345-fa8e72b47b90/go.mod h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA= +google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200228133532-8c2c7df3a383/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto 
v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U= +google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= +google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA= +google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20201109203340-2640f1f9cdfb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20201201144952-b05cb90ed32e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210222152913-aa3ee6e6a81c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210310155132-4ce2db91004e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= 
+google.golang.org/genproto v0.0.0-20210319143718-93e7006c17a6/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210329143202-679c6ae281ee/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A= +google.golang.org/genproto v0.0.0-20210402141018-6c239bbf2bb1/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A= +google.golang.org/genproto v0.0.0-20210513213006-bf773b8c8384/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A= +google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0= +google.golang.org/genproto v0.0.0-20210604141403-392c879c8b08/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0= +google.golang.org/genproto v0.0.0-20210608205507-b6d2f5bf0d7d/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0= +google.golang.org/genproto v0.0.0-20210624195500-8bfb893ecb84/go.mod h1:SzzZ/N+nwJDaO1kznhnlzqS8ocJICar6hYhVyhi++24= +google.golang.org/genproto v0.0.0-20210713002101-d411969a0d9a/go.mod h1:AxrInvYm1dci+enl5hChSFPOmmUF1+uAa/UsgNRWd7k= +google.golang.org/genproto v0.0.0-20210716133855-ce7ef5c701ea/go.mod h1:AxrInvYm1dci+enl5hChSFPOmmUF1+uAa/UsgNRWd7k= +google.golang.org/genproto v0.0.0-20210728212813-7823e685a01f/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48= +google.golang.org/genproto v0.0.0-20210805201207-89edb61ffb67/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48= +google.golang.org/genproto v0.0.0-20210813162853-db860fec028c/go.mod h1:cFeNkxwySK631ADgubI+/XFU/xp8FD5KIVV4rj8UC5w= +google.golang.org/genproto v0.0.0-20210821163610-241b8fcbd6c8/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= +google.golang.org/genproto v0.0.0-20210828152312-66f60bf46e71/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= +google.golang.org/genproto v0.0.0-20210831024726-fe130286e0e2/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= +google.golang.org/genproto v0.0.0-20210903162649-d08c68adba83/go.mod 
h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= +google.golang.org/genproto v0.0.0-20210909211513-a8c4777a87af/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= +google.golang.org/genproto v0.0.0-20210924002016-3dee208752a0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= +google.golang.org/genproto v0.0.0-20211118181313-81c1377c94b1/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= +google.golang.org/genproto v0.0.0-20211206160659-862468c7d6e0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= +google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= +google.golang.org/genproto v0.0.0-20211221195035-429b39de9b1c/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= +google.golang.org/genproto v0.0.0-20220126215142-9970aeb2e350/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= +google.golang.org/genproto v0.0.0-20220207164111-0872dc986b00/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= +google.golang.org/genproto v0.0.0-20220218161850-94dd64e39d7c/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI= +google.golang.org/genproto v0.0.0-20220222213610-43724f9ea8cf/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI= +google.golang.org/genproto v0.0.0-20220304144024-325a89244dc8/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI= +google.golang.org/genproto v0.0.0-20220310185008-1973136f34c6/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI= +google.golang.org/genproto v0.0.0-20220324131243-acbaeb5b85eb/go.mod h1:hAL49I2IFola2sVEjAn7MEwsja0xp51I0tlGAf9hz4E= +google.golang.org/genproto v0.0.0-20220407144326-9054f6ed7bac/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo= +google.golang.org/genproto v0.0.0-20220413183235-5e96e2839df9/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo= +google.golang.org/genproto v0.0.0-20220414192740-2d67ff6cf2b4/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo= +google.golang.org/genproto 
v0.0.0-20220421151946-72621c1f0bd3/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo= +google.golang.org/genproto v0.0.0-20220429170224-98d788798c3e/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo= +google.golang.org/genproto v0.0.0-20220502173005-c8bf987b8c21/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4= +google.golang.org/genproto v0.0.0-20220505152158-f39f71e6c8f3/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4= +google.golang.org/genproto v0.0.0-20220518221133-4f43b3371335/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4= +google.golang.org/genproto v0.0.0-20220523171625-347a074981d8/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4= +google.golang.org/genproto v0.0.0-20220608133413-ed9918b62aac/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA= +google.golang.org/genproto v0.0.0-20220616135557-88e70c0c3a90/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA= +google.golang.org/genproto v0.0.0-20220617124728-180714bec0ad/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA= +google.golang.org/genproto v0.0.0-20220624142145-8cd45d7dbd1f/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA= +google.golang.org/genproto v0.0.0-20220628213854-d9e0b6570c03/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA= +google.golang.org/genproto v0.0.0-20220722212130-b98a9ff5e252/go.mod h1:GkXuJDJ6aQ7lnJcRF+SJVgFdQhypqgl3LB1C9vabdRE= +google.golang.org/genproto v0.0.0-20220801145646-83ce21fca29f/go.mod h1:iHe1svFLAZg9VWz891+QbRMwUv9O/1Ww+/mngYeThbc= +google.golang.org/genproto v0.0.0-20220815135757-37a418bb8959/go.mod h1:dbqgFATTzChvnt+ujMdZwITVAJHFtfyN1qUhDqEiIlk= +google.golang.org/genproto v0.0.0-20220817144833-d7fd3f11b9b1/go.mod h1:dbqgFATTzChvnt+ujMdZwITVAJHFtfyN1qUhDqEiIlk= +google.golang.org/genproto v0.0.0-20220822174746-9e6da59bd2fc/go.mod h1:dbqgFATTzChvnt+ujMdZwITVAJHFtfyN1qUhDqEiIlk= +google.golang.org/genproto v0.0.0-20220829144015-23454907ede3/go.mod h1:dbqgFATTzChvnt+ujMdZwITVAJHFtfyN1qUhDqEiIlk= 
+google.golang.org/genproto v0.0.0-20220829175752-36a9c930ecbf/go.mod h1:dbqgFATTzChvnt+ujMdZwITVAJHFtfyN1qUhDqEiIlk= +google.golang.org/genproto v0.0.0-20220913154956-18f8339a66a5/go.mod h1:0Nb8Qy+Sk5eDzHnzlStwW3itdNaWoZA5XeSG+R3JHSo= +google.golang.org/genproto v0.0.0-20220914142337-ca0e39ece12f/go.mod h1:0Nb8Qy+Sk5eDzHnzlStwW3itdNaWoZA5XeSG+R3JHSo= +google.golang.org/genproto v0.0.0-20220915135415-7fd63a7952de/go.mod h1:0Nb8Qy+Sk5eDzHnzlStwW3itdNaWoZA5XeSG+R3JHSo= +google.golang.org/genproto v0.0.0-20220916172020-2692e8806bfa/go.mod h1:0Nb8Qy+Sk5eDzHnzlStwW3itdNaWoZA5XeSG+R3JHSo= +google.golang.org/genproto v0.0.0-20220919141832-68c03719ef51/go.mod h1:0Nb8Qy+Sk5eDzHnzlStwW3itdNaWoZA5XeSG+R3JHSo= +google.golang.org/genproto v0.0.0-20220920201722-2b89144ce006/go.mod h1:ht8XFiar2npT/g4vkk7O0WYS1sHOHbdujxbEp7CJWbw= +google.golang.org/genproto v0.0.0-20220926165614-551eb538f295/go.mod h1:woMGP53BroOrRY3xTxlbr8Y3eB/nzAvvFM83q7kG2OI= +google.golang.org/genproto v0.0.0-20220926220553-6981cbe3cfce/go.mod h1:woMGP53BroOrRY3xTxlbr8Y3eB/nzAvvFM83q7kG2OI= +google.golang.org/genproto v0.0.0-20221010155953-15ba04fc1c0e/go.mod h1:3526vdqwhZAwq4wsRUaVG555sVgsNmIjRtO7t/JH29U= +google.golang.org/genproto v0.0.0-20221014173430-6e2ab493f96b/go.mod h1:1vXfmgAz9N9Jx0QA82PqRVauvCz1SGSz739p0f183jM= +google.golang.org/genproto v0.0.0-20221014213838-99cd37c6964a/go.mod h1:1vXfmgAz9N9Jx0QA82PqRVauvCz1SGSz739p0f183jM= +google.golang.org/genproto v0.0.0-20221025140454-527a21cfbd71/go.mod h1:9qHF0xnpdSfF6knlcsnpzUu5y+rpwgbvsyGAZPBMg4s= +google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 h1:KpwkzHKEF7B9Zxg18WzOa7djJ+Ha5DzthMyZYQfEn2A= +google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1/go.mod h1:nKE/iIaLqn2bQwXBg8f1g2Ylh6r5MN5CmZvuzZCgsCU= +google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= +google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= +google.golang.org/grpc v1.21.1/go.mod 
h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= +google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= +google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= +google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60= +google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= +google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= +google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= +google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= +google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0= +google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= +google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8= +google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= +google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= +google.golang.org/grpc v1.36.1/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= +google.golang.org/grpc v1.37.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= +google.golang.org/grpc v1.37.1/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= +google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= +google.golang.org/grpc v1.39.0/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE= +google.golang.org/grpc v1.39.1/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE= +google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34= +google.golang.org/grpc 
v1.40.1/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34= +google.golang.org/grpc v1.44.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU= +google.golang.org/grpc v1.45.0/go.mod h1:lN7owxKUQEqMfSyQikvvk5tf/6zMPsrK+ONuO11+0rQ= +google.golang.org/grpc v1.46.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk= +google.golang.org/grpc v1.46.2/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk= +google.golang.org/grpc v1.47.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk= +google.golang.org/grpc v1.48.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk= +google.golang.org/grpc v1.49.0/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI= +google.golang.org/grpc v1.50.0/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI= +google.golang.org/grpc v1.50.1/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI= +google.golang.org/grpc v1.56.3 h1:8I4C0Yq1EjstUzUJzpcRVbuYA2mODtEmpWiQoN/b2nc= +google.golang.org/grpc v1.56.3/go.mod h1:I9bI3vqKfayGqPUAwGdOSu7kt6oIJLixfffKrpXqQ9s= +google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw= +google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= +google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= +google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= +google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= +google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= +google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= 
+google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4= +google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= +google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= +google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= +google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= +google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= +google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= +gopkg.in/cheggaaa/pb.v1 v1.0.27/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw= +gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= +gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= +gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= +gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= +gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= +gopkg.in/yaml.v3 
v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= +honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= +honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= +k8s.io/api v0.31.1 h1:Xe1hX/fPW3PXYYv8BlozYqw63ytA92snr96zMW9gWTU= +k8s.io/api v0.31.1/go.mod h1:sbN1g6eY6XVLeqNsZGLnI5FwVseTrZX7Fv3O26rhAaI= +k8s.io/apimachinery v0.31.1 h1:mhcUBbj7KUjaVhyXILglcVjuS4nYXiwC+KKFBgIVy7U= +k8s.io/apimachinery v0.31.1/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= +k8s.io/client-go v0.31.1 h1:f0ugtWSbWpxHR7sjVpQwuvw9a3ZKLXX0u0itkFXufb0= +k8s.io/client-go v0.31.1/go.mod h1:sKI8871MJN2OyeqRlmA4W4KM9KBdBUpDLu/43eGemCg= +k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= +k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= +k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 h1:BZqlfIlq5YbRMFko6/PM7FjZpUb45WallggurYhKGag= +k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340/go.mod h1:yD4MZYeKMBwQKVht279WycxKyM84kkAx2DPrTXaeb98= +k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A= +k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= 
+rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= +rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= +rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= +sigs.k8s.io/aws-iam-authenticator v0.6.27 h1:uzSwFYh+hrrbpv7goZ+2FN/2oCQddiKpb8l5vBbY1i4= +sigs.k8s.io/aws-iam-authenticator v0.6.27/go.mod h1:8CAmUtqsLmv5QvnhXQ2+byy1EL+TCDyyYTGFXDyt0sk= +sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= +sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= +sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= +sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08= +sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= +sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= From be944ebffc25c35d5710417a5eced751a3ff1a2b Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Sat, 5 Oct 2024 14:13:11 +0200 Subject: [PATCH 043/135] revert idempotency tests on eks --- test/src/custom_eks_opensearch_test.go | 4 +++- test/src/custom_eks_rds_test.go | 4 +++- test/src/default_eks_test.go | 4 +++- test/src/upgrade_eks_test.go | 8 ++++++-- 4 files changed, 15 insertions(+), 5 deletions(-) diff --git a/test/src/custom_eks_opensearch_test.go b/test/src/custom_eks_opensearch_test.go index 328bfae6..9a0f25ad 100644 --- a/test/src/custom_eks_opensearch_test.go +++ b/test/src/custom_eks_opensearch_test.go 
@@ -122,7 +122,9 @@ func (suite *CustomEKSOpenSearchTestSuite) TestCustomEKSAndOpenSearch() { defer utils.DeferCleanup(suite.T(), suite.bucketRegion, terraformOptions) } - terraform.InitAndApplyAndIdempotent(suite.T(), terraformOptions) + // due to output of the creation changing tags from null to {}, we can't pass the + // idempotency test + terraform.InitAndApply(suite.T(), terraformOptions) sess, err := utils.GetAwsClient() suite.Require().NoErrorf(err, "Failed to get aws client") diff --git a/test/src/custom_eks_rds_test.go b/test/src/custom_eks_rds_test.go index 9d167ea1..816468e8 100644 --- a/test/src/custom_eks_rds_test.go +++ b/test/src/custom_eks_rds_test.go @@ -121,7 +121,9 @@ func (suite *CustomEKSRDSTestSuite) TestCustomEKSAndRDS() { defer utils.DeferCleanup(suite.T(), suite.bucketRegion, terraformOptions) } - terraform.InitAndApplyAndIdempotent(suite.T(), terraformOptions) + // due to output of the creation changing tags from null to {}, we can't pass the + // idempotency test + terraform.InitAndApply(suite.T(), terraformOptions) sess, err := utils.GetAwsClient() suite.Require().NoErrorf(err, "Failed to get aws client") diff --git a/test/src/default_eks_test.go b/test/src/default_eks_test.go index 34c4e0ee..9d2907c6 100644 --- a/test/src/default_eks_test.go +++ b/test/src/default_eks_test.go @@ -121,7 +121,9 @@ func (suite *DefaultEKSTestSuite) TestDefaultEKS() { defer utils.DeferCleanup(suite.T(), suite.bucketRegion, terraformOptions) } - terraform.InitAndApplyAndIdempotent(suite.T(), terraformOptions) + // due to output of the creation changing tags from null to {}, we can't pass the + // idempotency test + terraform.InitAndApply(suite.T(), terraformOptions) suite.baseChecksEKS(terraformOptions) } diff --git a/test/src/upgrade_eks_test.go b/test/src/upgrade_eks_test.go index c7c1944a..1675327a 100644 --- a/test/src/upgrade_eks_test.go +++ b/test/src/upgrade_eks_test.go 
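Review bot: Replacing `terraform.InitAndApplyAndIdempotent` with `terraform.InitAndApply` removes the only step in these tests that fails when a second plan is not empty. Any other non-idempotent resource (an IAM policy, a security-group rule) would therefore go unnoticed too, not only the tags `null` to `{}` diff the comment names. The same swap and comment appear in the custom_eks_rds_test.go and default_eks_test.go hunks and in both upgrade_eks_test.go hunks. If the revert has to stay, make it traceable at each call, e.g. `// TODO(ISSUE_ID_PLACEHOLDER): restore InitAndApplyAndIdempotent once the tags null -> {} diff is fixed`, and fix the tags diff where it originates rather than in the tests. The test functions continue outside these hunks.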
@@ -122,7 +122,9 @@ func (suite *UpgradeEKSTestSuite) TestUpgradeEKS() { defer utils.DeferCleanup(suite.T(), suite.bucketRegion, terraformOptions) } - terraform.InitAndApplyAndIdempotent(suite.T(), terraformOptions) + // due to output of the creation changing tags from null to {}, we can't pass the + // idempotency test + terraform.InitAndApply(suite.T(), terraformOptions) sess, err := utils.GetAwsClient() suite.Require().NoErrorf(err, "Failed to get aws client") @@ -210,7 +212,9 @@ func (suite *UpgradeEKSTestSuite) TestUpgradeEKS() { defer utils.DeferCleanup(suite.T(), suite.bucketRegion, terraformOptions) } - terraform.InitAndApplyAndIdempotent(suite.T(), terraformOptions) + // due to output of the creation changing tags from null to {}, we can't pass the + // idempotency test + terraform.InitAndApply(suite.T(), terraformOptions) errClusterReady = utils.WaitUntilKubeClusterIsReady(result.Cluster, 5*time.Minute, uint64(suite.expectedNodes)) suite.Require().NoError(errClusterReady) From 251204f968688c169fb1a5f63ee55c6776ed8730 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Mon, 7 Oct 2024 19:45:38 +0200 Subject: [PATCH 044/135] fix: ensure kubeclient is near in time of the associated tests --- test/src/custom_eks_opensearch_test.go | 6 ++++-- test/src/custom_eks_rds_test.go | 8 ++++---- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/test/src/custom_eks_opensearch_test.go b/test/src/custom_eks_opensearch_test.go index 9a0f25ad..20bd33ac 100644 --- a/test/src/custom_eks_opensearch_test.go +++ b/test/src/custom_eks_opensearch_test.go 
@@ -142,8 +142,6 @@ func (suite *CustomEKSOpenSearchTestSuite) TestCustomEKSAndOpenSearch() { suite.sugaredLogger.Infow("eks describe cluster result", "result", result, "err", err) suite.Assert().NoError(err) - kubeClient, errKubeClient := utils.NewKubeClientSet(result.Cluster) - suite.Require().NoError(errKubeClient) utils.GenerateKubeConfigFromAWS(suite.T(), suite.region, suite.clusterName, utils.GetAwsProfile(), suite.kubeConfigPath) // Spawn OpenSearch within the EKS VPC/subnet @@ -300,6 +298,10 @@ func (suite *CustomEKSOpenSearchTestSuite) TestCustomEKSAndOpenSearch() { }, } + // spawn a kubeclient + kubeClient, errKubeClient := utils.NewKubeClientSet(result.Cluster) + suite.Require().NoError(errKubeClient) + err = kubeClient.CoreV1().ConfigMaps(openSearchNamespace).Delete(context.Background(), configMapScript.Name, metav1.DeleteOptions{}) if err != nil && !errors.IsNotFound(err) { suite.Require().NoError(err) diff --git a/test/src/custom_eks_rds_test.go b/test/src/custom_eks_rds_test.go index 816468e8..28dd8dff 100644 --- a/test/src/custom_eks_rds_test.go +++ b/test/src/custom_eks_rds_test.go @@ -167,10 +167,6 @@ func (suite *CustomEKSRDSTestSuite) TestCustomEKSAndRDS() { auroraArn := fmt.Sprintf("arn:aws:rds-db:%s:%s:dbuser:%s/%s", suite.region, accountId, auroraClusterName, auroraIRSAUsername) suite.sugaredLogger.Infow("Aurora RDS IAM infos", "accountId", accountId, "auroraArn", auroraArn) - // create a kubeclient - kubeClient, err := utils.NewKubeClientSet(result.Cluster) - suite.Require().NoError(err) - utils.GenerateKubeConfigFromAWS(suite.T(), suite.region, suite.clusterName, utils.GetAwsProfile(), suite.kubeConfigPath) // Create namespace and associated service account in EKS 
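Review bot: The new `// spawn a kubeclient` comment in the second hunk does not say why the client has to be built this late, which is the whole point of the move. The commit title suggests the credentials held by the client are time-limited, but `utils.NewKubeClientSet` is not visible here, so that is an inference. I would state the reason at the call, e.g. `// build the client right before first use: its credentials are presumably short-lived and can expire during the provisioning above`, and do the same for `// create a kubeclient` in custom_eks_rds_test.go. If expiry is the cause, the steps that follow can still outlive the credentials, so a client that refreshes them would be the more durable fix. The test function continues outside the hunks.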
@@ -283,6 +279,10 @@ func (suite *CustomEKSRDSTestSuite) TestCustomEKSAndRDS() { }, } + // create a kubeclient + kubeClient, err := utils.NewKubeClientSet(result.Cluster) + suite.Require().NoError(err) + err = kubeClient.CoreV1().ConfigMaps(auroraNamespace).Delete(context.Background(), configMapPostgres.Name, metav1.DeleteOptions{}) if err != nil && !errors.IsNotFound(err) { suite.Require().NoError(err) From 9b22af34e667614d82078b913d69df4c8bd63063 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Mon, 7 Oct 2024 19:50:01 +0200 Subject: [PATCH 045/135] merge: main --- test/src/go.sum | 1168 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 1168 insertions(+) create mode 100644 test/src/go.sum diff --git a/test/src/go.sum b/test/src/go.sum new file mode 100644 index 00000000..2c4e4986 --- /dev/null +++ b/test/src/go.sum 
@@ -0,0 +1,1168 @@ +cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= +cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU= +cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY= +cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc= +cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0= +cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To= +cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4= +cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M= +cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc= +cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk= +cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs= +cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc= +cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY= +cloud.google.com/go v0.72.0/go.mod h1:M+5Vjvlc2wnp6tjzE102Dw08nGShTscUx2nZMufOKPI= +cloud.google.com/go v0.74.0/go.mod h1:VV1xSbzvo+9QJOxLDaJfTjx5e+MePCpCWwvftOeQmWk= +cloud.google.com/go v0.78.0/go.mod h1:QjdrLG0uq+YwhjoVOLsS1t7TW8fs36kLs4XO5R5ECHg= +cloud.google.com/go v0.79.0/go.mod h1:3bzgcEeQlzbuEAYu4mrWhKqWjmpprinYgKJLgKHnbb8= +cloud.google.com/go v0.81.0/go.mod h1:mk/AM35KwGk/Nm2YSeZbxXdrNK3KZOYHmLkOqC2V6E0= +cloud.google.com/go v0.83.0/go.mod h1:Z7MJUsANfY0pYPdw0lbnivPx4/vhy/e2FEkSkF7vAVY= +cloud.google.com/go v0.84.0/go.mod h1:RazrYuxIK6Kb7YrzzhPoLmCVzl7Sup4NrbKPg8KHSUM= +cloud.google.com/go v0.87.0/go.mod h1:TpDYlFy7vuLzZMMZ+B6iRiELaY7z/gJPaqbMx6mlWcY= +cloud.google.com/go v0.90.0/go.mod 
h1:kRX0mNRHe0e2rC6oNakvwQqzyDmg57xJ+SZU1eT2aDQ= +cloud.google.com/go v0.93.3/go.mod h1:8utlLll2EF5XMAV15woO4lSbWQlk8rer9aLOfLh7+YI= +cloud.google.com/go v0.94.1/go.mod h1:qAlAugsXlC+JWO+Bke5vCtc9ONxjQT3drlTTnAplMW4= +cloud.google.com/go v0.97.0/go.mod h1:GF7l59pYBVlXQIBLx3a761cZ41F9bBH3JUlihCt2Udc= +cloud.google.com/go v0.99.0/go.mod h1:w0Xx2nLzqWJPuozYQX+hFfCSI8WioryfRDzkoI/Y2ZA= +cloud.google.com/go v0.100.2/go.mod h1:4Xra9TjzAeYHrl5+oeLlzbM2k3mjVhZh4UqTZ//w99A= +cloud.google.com/go v0.102.0/go.mod h1:oWcCzKlqJ5zgHQt9YsaeTY9KzIvjyy0ArmiBUgpQ+nc= +cloud.google.com/go v0.102.1/go.mod h1:XZ77E9qnTEnrgEOvr4xzfdX5TRo7fB4T2F4O6+34hIU= +cloud.google.com/go v0.104.0/go.mod h1:OO6xxXdJyvuJPcEPBLN9BJPD+jep5G1+2U5B5gkRYtA= +cloud.google.com/go v0.110.0 h1:Zc8gqp3+a9/Eyph2KDmcGaPtbKRIoqq4YTlL4NMD0Ys= +cloud.google.com/go v0.110.0/go.mod h1:SJnCLqQ0FCFGSZMUNUf84MV3Aia54kn7pi8st7tMzaY= +cloud.google.com/go/aiplatform v1.22.0/go.mod h1:ig5Nct50bZlzV6NvKaTwmplLLddFx0YReh9WfTO5jKw= +cloud.google.com/go/aiplatform v1.24.0/go.mod h1:67UUvRBKG6GTayHKV8DBv2RtR1t93YRu5B1P3x99mYY= +cloud.google.com/go/analytics v0.11.0/go.mod h1:DjEWCu41bVbYcKyvlws9Er60YE4a//bK6mnhWvQeFNI= +cloud.google.com/go/analytics v0.12.0/go.mod h1:gkfj9h6XRf9+TS4bmuhPEShsh3hH8PAZzm/41OOhQd4= +cloud.google.com/go/area120 v0.5.0/go.mod h1:DE/n4mp+iqVyvxHN41Vf1CR602GiHQjFPusMFW6bGR4= +cloud.google.com/go/area120 v0.6.0/go.mod h1:39yFJqWVgm0UZqWTOdqkLhjoC7uFfgXRC8g/ZegeAh0= +cloud.google.com/go/artifactregistry v1.6.0/go.mod h1:IYt0oBPSAGYj/kprzsBjZ/4LnG/zOcHyFHjWPCi6SAQ= +cloud.google.com/go/artifactregistry v1.7.0/go.mod h1:mqTOFOnGZx8EtSqK/ZWcsm/4U8B77rbcLP6ruDU2Ixk= +cloud.google.com/go/asset v1.5.0/go.mod h1:5mfs8UvcM5wHhqtSv8J1CtxxaQq3AdBxxQi2jGW/K4o= +cloud.google.com/go/asset v1.7.0/go.mod h1:YbENsRK4+xTiL+Ofoj5Ckf+O17kJtgp3Y3nn4uzZz5s= +cloud.google.com/go/asset v1.8.0/go.mod h1:mUNGKhiqIdbr8X7KNayoYvyc4HbbFO9URsjbytpUaW0= +cloud.google.com/go/assuredworkloads v1.5.0/go.mod 
h1:n8HOZ6pff6re5KYfBXcFvSViQjDwxFkAkmUFffJRbbY= +cloud.google.com/go/assuredworkloads v1.6.0/go.mod h1:yo2YOk37Yc89Rsd5QMVECvjaMKymF9OP+QXWlKXUkXw= +cloud.google.com/go/assuredworkloads v1.7.0/go.mod h1:z/736/oNmtGAyU47reJgGN+KVoYoxeLBoj4XkKYscNI= +cloud.google.com/go/automl v1.5.0/go.mod h1:34EjfoFGMZ5sgJ9EoLsRtdPSNZLcfflJR39VbVNS2M0= +cloud.google.com/go/automl v1.6.0/go.mod h1:ugf8a6Fx+zP0D59WLhqgTDsQI9w07o64uf/Is3Nh5p8= +cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= +cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE= +cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc= +cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg= +cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc= +cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ= +cloud.google.com/go/bigquery v1.42.0/go.mod h1:8dRTJxhtG+vwBKzE5OseQn/hiydoQN3EedCaOdYmxRA= +cloud.google.com/go/billing v1.4.0/go.mod h1:g9IdKBEFlItS8bTtlrZdVLWSSdSyFUZKXNS02zKMOZY= +cloud.google.com/go/billing v1.5.0/go.mod h1:mztb1tBc3QekhjSgmpf/CV4LzWXLzCArwpLmP2Gm88s= +cloud.google.com/go/binaryauthorization v1.1.0/go.mod h1:xwnoWu3Y84jbuHa0zd526MJYmtnVXn0syOjaJgy4+dM= +cloud.google.com/go/binaryauthorization v1.2.0/go.mod h1:86WKkJHtRcv5ViNABtYMhhNWRrD1Vpi//uKEy7aYEfI= +cloud.google.com/go/cloudtasks v1.5.0/go.mod h1:fD92REy1x5woxkKEkLdvavGnPJGEn8Uic9nWuLzqCpY= +cloud.google.com/go/cloudtasks v1.6.0/go.mod h1:C6Io+sxuke9/KNRkbQpihnW93SWDU3uXt92nu85HkYI= +cloud.google.com/go/compute v0.1.0/go.mod h1:GAesmwr110a34z04OlxYkATPBEfVhkymfTBXtfbBFow= +cloud.google.com/go/compute v1.3.0/go.mod h1:cCZiE1NHEtai4wiufUhW8I8S1JKkAnhnQJWM7YD99wM= +cloud.google.com/go/compute v1.5.0/go.mod h1:9SMHyhJlzhlkJqrPAc839t2BZFTSk6Jdj6mkzQJeu0M= +cloud.google.com/go/compute v1.6.0/go.mod 
h1:T29tfhtVbq1wvAPo0E3+7vhgmkOYeXjhFvz/FMzPu0s= +cloud.google.com/go/compute v1.6.1/go.mod h1:g85FgpzFvNULZ+S8AYq87axRKuf2Kh7deLqV/jJ3thU= +cloud.google.com/go/compute v1.7.0/go.mod h1:435lt8av5oL9P3fv1OEzSbSUe+ybHXGMPQHHZWZxy9U= +cloud.google.com/go/compute v1.10.0/go.mod h1:ER5CLbMxl90o2jtNbGSbtfOpQKR0t15FOtRsugnLrlU= +cloud.google.com/go/compute/metadata v0.3.0 h1:Tz+eQXMEqDIKRsmY3cHTL6FVaynIjX2QxYC4trgAKZc= +cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k= +cloud.google.com/go/containeranalysis v0.5.1/go.mod h1:1D92jd8gRR/c0fGMlymRgxWD3Qw9C1ff6/T7mLgVL8I= +cloud.google.com/go/containeranalysis v0.6.0/go.mod h1:HEJoiEIu+lEXM+k7+qLCci0h33lX3ZqoYFdmPcoO7s4= +cloud.google.com/go/datacatalog v1.3.0/go.mod h1:g9svFY6tuR+j+hrTw3J2dNcmI0dzmSiyOzm8kpLq0a0= +cloud.google.com/go/datacatalog v1.5.0/go.mod h1:M7GPLNQeLfWqeIm3iuiruhPzkt65+Bx8dAKvScX8jvs= +cloud.google.com/go/datacatalog v1.6.0/go.mod h1:+aEyF8JKg+uXcIdAmmaMUmZ3q1b/lKLtXCmXdnc0lbc= +cloud.google.com/go/dataflow v0.6.0/go.mod h1:9QwV89cGoxjjSR9/r7eFDqqjtvbKxAK2BaYU6PVk9UM= +cloud.google.com/go/dataflow v0.7.0/go.mod h1:PX526vb4ijFMesO1o202EaUmouZKBpjHsTlCtB4parQ= +cloud.google.com/go/dataform v0.3.0/go.mod h1:cj8uNliRlHpa6L3yVhDOBrUXH+BPAO1+KFMQQNSThKo= +cloud.google.com/go/dataform v0.4.0/go.mod h1:fwV6Y4Ty2yIFL89huYlEkwUPtS7YZinZbzzj5S9FzCE= +cloud.google.com/go/datalabeling v0.5.0/go.mod h1:TGcJ0G2NzcsXSE/97yWjIZO0bXj0KbVlINXMG9ud42I= +cloud.google.com/go/datalabeling v0.6.0/go.mod h1:WqdISuk/+WIGeMkpw/1q7bK/tFEZxsrFJOJdY2bXvTQ= +cloud.google.com/go/dataqna v0.5.0/go.mod h1:90Hyk596ft3zUQ8NkFfvICSIfHFh1Bc7C4cK3vbhkeo= +cloud.google.com/go/dataqna v0.6.0/go.mod h1:1lqNpM7rqNLVgWBJyk5NF6Uen2PHym0jtVJonplVsDA= +cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= +cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= +cloud.google.com/go/datastream v1.2.0/go.mod 
h1:i/uTP8/fZwgATHS/XFu0TcNUhuA0twZxxQ3EyCUQMwo= +cloud.google.com/go/datastream v1.3.0/go.mod h1:cqlOX8xlyYF/uxhiKn6Hbv6WjwPPuI9W2M9SAXwaLLQ= +cloud.google.com/go/dialogflow v1.15.0/go.mod h1:HbHDWs33WOGJgn6rfzBW1Kv807BE3O1+xGbn59zZWI4= +cloud.google.com/go/dialogflow v1.16.1/go.mod h1:po6LlzGfK+smoSmTBnbkIZY2w8ffjz/RcGSS+sh1el0= +cloud.google.com/go/dialogflow v1.17.0/go.mod h1:YNP09C/kXA1aZdBgC/VtXX74G/TKn7XVCcVumTflA+8= +cloud.google.com/go/documentai v1.7.0/go.mod h1:lJvftZB5NRiFSX4moiye1SMxHx0Bc3x1+p9e/RfXYiU= +cloud.google.com/go/documentai v1.8.0/go.mod h1:xGHNEB7CtsnySCNrCFdCyyMz44RhFEEX2Q7UD0c5IhU= +cloud.google.com/go/domains v0.6.0/go.mod h1:T9Rz3GasrpYk6mEGHh4rymIhjlnIuB4ofT1wTxDeT4Y= +cloud.google.com/go/domains v0.7.0/go.mod h1:PtZeqS1xjnXuRPKE/88Iru/LdfoRyEHYA9nFQf4UKpg= +cloud.google.com/go/edgecontainer v0.1.0/go.mod h1:WgkZ9tp10bFxqO8BLPqv2LlfmQF1X8lZqwW4r1BTajk= +cloud.google.com/go/edgecontainer v0.2.0/go.mod h1:RTmLijy+lGpQ7BXuTDa4C4ssxyXT34NIuHIgKuP4s5w= +cloud.google.com/go/functions v1.6.0/go.mod h1:3H1UA3qiIPRWD7PeZKLvHZ9SaQhR26XIJcC0A5GbvAk= +cloud.google.com/go/functions v1.7.0/go.mod h1:+d+QBcWM+RsrgZfV9xo6KfA1GlzJfxcfZcRPEhDDfzg= +cloud.google.com/go/gaming v1.5.0/go.mod h1:ol7rGcxP/qHTRQE/RO4bxkXq+Fix0j6D4LFPzYTIrDM= +cloud.google.com/go/gaming v1.6.0/go.mod h1:YMU1GEvA39Qt3zWGyAVA9bpYz/yAhTvaQ1t2sK4KPUA= +cloud.google.com/go/gkeconnect v0.5.0/go.mod h1:c5lsNAg5EwAy7fkqX/+goqFsU1Da/jQFqArp+wGNr/o= +cloud.google.com/go/gkeconnect v0.6.0/go.mod h1:Mln67KyU/sHJEBY8kFZ0xTeyPtzbq9StAVvEULYK16A= +cloud.google.com/go/gkehub v0.9.0/go.mod h1:WYHN6WG8w9bXU0hqNxt8rm5uxnk8IH+lPY9J2TV7BK0= +cloud.google.com/go/gkehub v0.10.0/go.mod h1:UIPwxI0DsrpsVoWpLB0stwKCP+WFVG9+y977wO+hBH0= +cloud.google.com/go/grafeas v0.2.0/go.mod h1:KhxgtF2hb0P191HlY5besjYm6MqTSTj3LSI+M+ByZHc= +cloud.google.com/go/iam v0.3.0/go.mod h1:XzJPvDayI+9zsASAFO68Hk07u3z+f+JrT2xXNdp4bnY= +cloud.google.com/go/iam v0.5.0/go.mod h1:wPU9Vt0P4UmCux7mqtRu6jcpPAb74cP1fh50J3QpkUc= 
+cloud.google.com/go/iam v0.13.0 h1:+CmB+K0J/33d0zSQ9SlFWUeCCEn5XJA0ZMZ3pHE9u8k= +cloud.google.com/go/iam v0.13.0/go.mod h1:ljOg+rcNfzZ5d6f1nAUJ8ZIxOaZUVoS14bKCtaLZ/D0= +cloud.google.com/go/language v1.4.0/go.mod h1:F9dRpNFQmJbkaop6g0JhSBXCNlO90e1KWx5iDdxbWic= +cloud.google.com/go/language v1.6.0/go.mod h1:6dJ8t3B+lUYfStgls25GusK04NLh3eDLQnWM3mdEbhI= +cloud.google.com/go/lifesciences v0.5.0/go.mod h1:3oIKy8ycWGPUyZDR/8RNnTOYevhaMLqh5vLUXs9zvT8= +cloud.google.com/go/lifesciences v0.6.0/go.mod h1:ddj6tSX/7BOnhxCSd3ZcETvtNr8NZ6t/iPhY2Tyfu08= +cloud.google.com/go/longrunning v0.4.1 h1:v+yFJOfKC3yZdY6ZUI933pIYdhyhV8S3NpWrXWmg7jM= +cloud.google.com/go/longrunning v0.4.1/go.mod h1:4iWDqhBZ70CvZ6BfETbvam3T8FMvLK+eFj0E6AaRQTo= +cloud.google.com/go/mediatranslation v0.5.0/go.mod h1:jGPUhGTybqsPQn91pNXw0xVHfuJ3leR1wj37oU3y1f4= +cloud.google.com/go/mediatranslation v0.6.0/go.mod h1:hHdBCTYNigsBxshbznuIMFNe5QXEowAuNmmC7h8pu5w= +cloud.google.com/go/memcache v1.4.0/go.mod h1:rTOfiGZtJX1AaFUrOgsMHX5kAzaTQ8azHiuDoTPzNsE= +cloud.google.com/go/memcache v1.5.0/go.mod h1:dk3fCK7dVo0cUU2c36jKb4VqKPS22BTkf81Xq617aWM= +cloud.google.com/go/metastore v1.5.0/go.mod h1:2ZNrDcQwghfdtCwJ33nM0+GrBGlVuh8rakL3vdPY3XY= +cloud.google.com/go/metastore v1.6.0/go.mod h1:6cyQTls8CWXzk45G55x57DVQ9gWg7RiH65+YgPsNh9s= +cloud.google.com/go/networkconnectivity v1.4.0/go.mod h1:nOl7YL8odKyAOtzNX73/M5/mGZgqqMeryi6UPZTk/rA= +cloud.google.com/go/networkconnectivity v1.5.0/go.mod h1:3GzqJx7uhtlM3kln0+x5wyFvuVH1pIBJjhCpjzSt75o= +cloud.google.com/go/networksecurity v0.5.0/go.mod h1:xS6fOCoqpVC5zx15Z/MqkfDwH4+m/61A3ODiDV1xmiQ= +cloud.google.com/go/networksecurity v0.6.0/go.mod h1:Q5fjhTr9WMI5mbpRYEbiexTzROf7ZbDzvzCrNl14nyU= +cloud.google.com/go/notebooks v1.2.0/go.mod h1:9+wtppMfVPUeJ8fIWPOq1UnATHISkGXGqTkxeieQ6UY= +cloud.google.com/go/notebooks v1.3.0/go.mod h1:bFR5lj07DtCPC7YAAJ//vHskFBxA5JzYlH68kXVdk34= +cloud.google.com/go/osconfig v1.7.0/go.mod h1:oVHeCeZELfJP7XLxcBGTMBvRO+1nQ5tFG9VQTmYS2Fs= 
+cloud.google.com/go/osconfig v1.8.0/go.mod h1:EQqZLu5w5XA7eKizepumcvWx+m8mJUhEwiPqWiZeEdg= +cloud.google.com/go/oslogin v1.4.0/go.mod h1:YdgMXWRaElXz/lDk1Na6Fh5orF7gvmJ0FGLIs9LId4E= +cloud.google.com/go/oslogin v1.5.0/go.mod h1:D260Qj11W2qx/HVF29zBg+0fd6YCSjSqLUkY/qEenQU= +cloud.google.com/go/phishingprotection v0.5.0/go.mod h1:Y3HZknsK9bc9dMi+oE8Bim0lczMU6hrX0UpADuMefr0= +cloud.google.com/go/phishingprotection v0.6.0/go.mod h1:9Y3LBLgy0kDTcYET8ZH3bq/7qni15yVUoAxiFxnlSUA= +cloud.google.com/go/privatecatalog v0.5.0/go.mod h1:XgosMUvvPyxDjAVNDYxJ7wBW8//hLDDYmnsNcMGq1K0= +cloud.google.com/go/privatecatalog v0.6.0/go.mod h1:i/fbkZR0hLN29eEWiiwue8Pb+GforiEIBnV9yrRUOKI= +cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= +cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw= +cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA= +cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU= +cloud.google.com/go/recaptchaenterprise v1.3.1/go.mod h1:OdD+q+y4XGeAlxRaMn1Y7/GveP6zmq76byL6tjPE7d4= +cloud.google.com/go/recaptchaenterprise/v2 v2.1.0/go.mod h1:w9yVqajwroDNTfGuhmOjPDN//rZGySaf6PtFVcSCa7o= +cloud.google.com/go/recaptchaenterprise/v2 v2.2.0/go.mod h1:/Zu5jisWGeERrd5HnlS3EUGb/D335f9k51B/FVil0jk= +cloud.google.com/go/recaptchaenterprise/v2 v2.3.0/go.mod h1:O9LwGCjrhGHBQET5CA7dd5NwwNQUErSgEDit1DLNTdo= +cloud.google.com/go/recommendationengine v0.5.0/go.mod h1:E5756pJcVFeVgaQv3WNpImkFP8a+RptV6dDLGPILjvg= +cloud.google.com/go/recommendationengine v0.6.0/go.mod h1:08mq2umu9oIqc7tDy8sx+MNJdLG0fUi3vaSVbztHgJ4= +cloud.google.com/go/recommender v1.5.0/go.mod h1:jdoeiBIVrJe9gQjwd759ecLJbxCDED4A6p+mqoqDvTg= +cloud.google.com/go/recommender v1.6.0/go.mod h1:+yETpm25mcoiECKh9DEScGzIRyDKpZ0cEhWGo+8bo+c= +cloud.google.com/go/redis v1.7.0/go.mod h1:V3x5Jq1jzUcg+UNsRvdmsfuFnit1cfe3Z/PGyq/lm4Y= +cloud.google.com/go/redis v1.8.0/go.mod 
h1:Fm2szCDavWzBk2cDKxrkmWBqoCiL1+Ctwq7EyqBCA/A= +cloud.google.com/go/retail v1.8.0/go.mod h1:QblKS8waDmNUhghY2TI9O3JLlFk8jybHeV4BF19FrE4= +cloud.google.com/go/retail v1.9.0/go.mod h1:g6jb6mKuCS1QKnH/dpu7isX253absFl6iE92nHwlBUY= +cloud.google.com/go/scheduler v1.4.0/go.mod h1:drcJBmxF3aqZJRhmkHQ9b3uSSpQoltBPGPxGAWROx6s= +cloud.google.com/go/scheduler v1.5.0/go.mod h1:ri073ym49NW3AfT6DZi21vLZrG07GXr5p3H1KxN5QlI= +cloud.google.com/go/secretmanager v1.6.0/go.mod h1:awVa/OXF6IiyaU1wQ34inzQNc4ISIDIrId8qE5QGgKA= +cloud.google.com/go/security v1.5.0/go.mod h1:lgxGdyOKKjHL4YG3/YwIL2zLqMFCKs0UbQwgyZmfJl4= +cloud.google.com/go/security v1.7.0/go.mod h1:mZklORHl6Bg7CNnnjLH//0UlAlaXqiG7Lb9PsPXLfD0= +cloud.google.com/go/security v1.8.0/go.mod h1:hAQOwgmaHhztFhiQ41CjDODdWP0+AE1B3sX4OFlq+GU= +cloud.google.com/go/securitycenter v1.13.0/go.mod h1:cv5qNAqjY84FCN6Y9z28WlkKXyWsgLO832YiWwkCWcU= +cloud.google.com/go/securitycenter v1.14.0/go.mod h1:gZLAhtyKv85n52XYWt6RmeBdydyxfPeTrpToDPw4Auc= +cloud.google.com/go/servicedirectory v1.4.0/go.mod h1:gH1MUaZCgtP7qQiI+F+A+OpeKF/HQWgtAddhTbhL2bs= +cloud.google.com/go/servicedirectory v1.5.0/go.mod h1:QMKFL0NUySbpZJ1UZs3oFAmdvVxhhxB6eJ/Vlp73dfg= +cloud.google.com/go/speech v1.6.0/go.mod h1:79tcr4FHCimOp56lwC01xnt/WPJZc4v3gzyT7FoBkCM= +cloud.google.com/go/speech v1.7.0/go.mod h1:KptqL+BAQIhMsj1kOP2la5DSEEerPDuOP/2mmkhHhZQ= +cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= +cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos= +cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk= +cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs= +cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0= +cloud.google.com/go/storage v1.22.1/go.mod h1:S8N1cAStu7BOeFfE8KAQzmyyLkK8p/vmRq6kuBTW58Y= +cloud.google.com/go/storage v1.23.0/go.mod 
h1:vOEEDNFnciUMhBeT6hsJIn3ieU5cFRmzeLgDvXzfIXc= +cloud.google.com/go/storage v1.27.0/go.mod h1:x9DOL8TK/ygDUMieqwfhdpQryTeEkhGKMi80i/iqR2s= +cloud.google.com/go/storage v1.28.1 h1:F5QDG5ChchaAVQhINh24U99OWHURqrW8OmQcGKXcbgI= +cloud.google.com/go/storage v1.28.1/go.mod h1:Qnisd4CqDdo6BGs2AD5LLnEsmSQ80wQ5ogcBBKhU86Y= +cloud.google.com/go/talent v1.1.0/go.mod h1:Vl4pt9jiHKvOgF9KoZo6Kob9oV4lwd/ZD5Cto54zDRw= +cloud.google.com/go/talent v1.2.0/go.mod h1:MoNF9bhFQbiJ6eFD3uSsg0uBALw4n4gaCaEjBw9zo8g= +cloud.google.com/go/videointelligence v1.6.0/go.mod h1:w0DIDlVRKtwPCn/C4iwZIJdvC69yInhW0cfi+p546uU= +cloud.google.com/go/videointelligence v1.7.0/go.mod h1:k8pI/1wAhjznARtVT9U1llUaFNPh7muw8QyOUpavru4= +cloud.google.com/go/vision v1.2.0/go.mod h1:SmNwgObm5DpFBme2xpyOyasvBc1aPdjvMk2bBk0tKD0= +cloud.google.com/go/vision/v2 v2.2.0/go.mod h1:uCdV4PpN1S0jyCyq8sIM42v2Y6zOLkZs+4R9LrGYwFo= +cloud.google.com/go/vision/v2 v2.3.0/go.mod h1:UO61abBx9QRMFkNBbf1D8B1LXdS2cGiiCRx0vSpZoUo= +cloud.google.com/go/webrisk v1.4.0/go.mod h1:Hn8X6Zr+ziE2aNd8SliSDWpEnSS1u4R9+xXZmFiHmGE= +cloud.google.com/go/webrisk v1.5.0/go.mod h1:iPG6fr52Tv7sGk0H6qUFzmL3HHZev1htXuWDEEsqMTg= +cloud.google.com/go/workflows v1.6.0/go.mod h1:6t9F5h/unJz41YqfBmqSASJSXccBLtD1Vwf+KmJENM0= +cloud.google.com/go/workflows v1.7.0/go.mod h1:JhSrZuVZWuiDfKEFxU0/F1PQjmpnpcoISEXH2bcHC3M= +dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= +github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= +github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= +github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= +github.com/agext/levenshtein v1.2.1/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558= +github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo= +github.com/agext/levenshtein v1.2.3/go.mod 
h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558= +github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= +github.com/apparentlymart/go-dump v0.0.0-20180507223929-23540a00eaa3/go.mod h1:oL81AME2rN47vu18xqj1S1jPIPuN7afo62yKTNn3XMM= +github.com/apparentlymart/go-textseg v1.0.0/go.mod h1:z96Txxhf3xSFMPmb5X/1W05FF/Nj9VFpLOpjS5yuumk= +github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6iT90AvPUL1NNfNw= +github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo= +github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio= +github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs= +github.com/aws/aws-sdk-go v1.44.122/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo= +github.com/aws/aws-sdk-go v1.54.6 h1:HEYUib3yTt8E6vxjMWM3yAq5b+qjj/6aKA62mkgux9g= +github.com/aws/aws-sdk-go v1.54.6/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU= +github.com/aws/aws-sdk-go-v2 v1.32.0 h1:GuHp7GvMN74PXD5C97KT5D87UhIy4bQPkflQKbfkndg= +github.com/aws/aws-sdk-go-v2 v1.32.0/go.mod h1:2SK5n0a2karNTv5tbP1SjsX0uhttou00v/HpXKM1ZUo= +github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.6 h1:pT3hpW0cOHRJx8Y0DfJUEQuqPild8jRGmSFmBgvydr0= +github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.6/go.mod h1:j/I2++U0xX+cr44QjHay4Cvxj6FUbnxrgmqN3H1jTZA= +github.com/aws/aws-sdk-go-v2/config v1.27.41 h1:esG3WpmEuNJ6F4kVFLumN8nCfA5VBav1KKb3JPx83O4= +github.com/aws/aws-sdk-go-v2/config v1.27.41/go.mod h1:haUg09ebP+ClvPjU3EB/xe0HF9PguO19PD2fdjM2X14= +github.com/aws/aws-sdk-go-v2/credentials v1.17.39 h1:tmVexAhoGqJxNE2oc4/SJqL+Jz1x1iCPt5ts9XcqZCU= +github.com/aws/aws-sdk-go-v2/credentials v1.17.39/go.mod h1:zgOdbDI9epE608PdboJ87CYvPIejAgFevazeJW6iauQ= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.15 h1:kGjlNc2IXXcxPDcfMyCshNCjVgxUhC/vTJv7NvC9wKk= 
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.15/go.mod h1:rk/HmqPo+dX0Uv0Q1+4w3QKFdICEGSsTYz1hRWvH8UI= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.19 h1:Q/k5wCeJkSWs+62kDfOillkNIJ5NqmE3iOfm48g/W8c= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.19/go.mod h1:Wns1C66VvtA2Bv/cUBuKZKQKdjo7EVMhp90aAa+8oTI= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.19 h1:AYLE0lUfKvN6icFTR/p+NmD1amYKTbqHQ1Nm+jwE6BM= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.19/go.mod h1:1giLakj64GjuH1NBzF/DXqly5DWHtMTaOzRZ53nFX0I= +github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 h1:VaRN3TlFdd6KxX1x3ILT5ynH6HvKgqdiXoTxAF4HQcQ= +github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1/go.mod h1:FbtygfRFze9usAadmnGJNc8KsP346kEe+y2/oyhGAGc= +github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.19 h1:FKdiFzTxlTRO71p0C7VrLbkkdW8qfMKF5+ej6bTmkT0= +github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.19/go.mod h1:abO3pCj7WLQPTllnSeYImqFfkGrmJV0JovWo/gqT5N0= +github.com/aws/aws-sdk-go-v2/service/ec2 v1.181.0 h1:YzSOMQYRZQKuLz/bD6illIGwJfa1WFfeFAZM5Zr5LB8= +github.com/aws/aws-sdk-go-v2/service/ec2 v1.181.0/go.mod h1:CudaKF0Yu5+ZfKMiiPdtJ/kOOBty7CIEJUhESP52e9M= +github.com/aws/aws-sdk-go-v2/service/eks v1.50.0 h1:eL4AEDwVx29t+B7dkcuL/3W+RQKR64PPbfQVQTs8FEs= +github.com/aws/aws-sdk-go-v2/service/eks v1.50.0/go.mod h1:0C9DxOpj1d8GioesPAKXMob9X2lyFepeL6C5z9oA4HM= +github.com/aws/aws-sdk-go-v2/service/iam v1.37.0 h1:FLdmwEJUDWdAflqxRNkIKNZki8dFmi5SUeTjAjxrdJU= +github.com/aws/aws-sdk-go-v2/service/iam v1.37.0/go.mod h1:Xctz/06SeHDUc3ZheMxXekSZ2rx0RX9SVhV5JeQgoqY= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.0 h1:TToQNkvGguu209puTojY/ozlqy2d/SFNcoLIqTFi42g= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.0/go.mod h1:0jp+ltwkf+SwG2fm/PKo8t4y8pJSgOCO4D8Lz3k0aHQ= +github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.4.0 h1:FQNWhRuSq8QwW74GtU0MrveNhZbqvHsA4dkA9w8fTDQ= +github.com/aws/aws-sdk-go-v2/service/internal/checksum 
v1.4.0/go.mod h1:j/zZ3zmWfGCK91K73YsfHP53BSTLSjL/y6YN39XbBLM= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.0 h1:AdbiDUgQZmM28rDIZbiSwFxz8+3B94aOXxzs6oH+EA0= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.0/go.mod h1:uV476Bd80tiDTX4X2redMtagQUg65aU/gzPojSJ4kSI= +github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.0 h1:1NKXS8XfhMM0bg5wVYa/eOH8AM2f6JijugbKEyQFTIg= +github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.0/go.mod h1:ph931DUfVfgrhZR7py9olSvHCiRpvaGxNvlWBcXxFds= +github.com/aws/aws-sdk-go-v2/service/kms v1.37.0 h1:ovrHGOiNu4S0GSMeexZlsMhBkUb3bCE3iOktFZ7rmBU= +github.com/aws/aws-sdk-go-v2/service/kms v1.37.0/go.mod h1:YLqfMkq9GWbICgqT5XMIzT8I2+MxVKodTnNBo3BONgE= +github.com/aws/aws-sdk-go-v2/service/opensearch v1.40.2 h1:tQMi7jzkFcuLobVKrW4edPnnreXLNaHRJKgLutxvPdY= +github.com/aws/aws-sdk-go-v2/service/opensearch v1.40.2/go.mod h1:4rB9oWpduMw/+UqL/WdNLJZNF7iAwaJWwJ6GgsQqOjg= +github.com/aws/aws-sdk-go-v2/service/rds v1.87.0 h1:f7u5jzUHaIIn5F121ortA0g2yDDWiPeTw2lWrgk9+ZA= +github.com/aws/aws-sdk-go-v2/service/rds v1.87.0/go.mod h1:agnQGhYbHXxPM2+zZH4WZIpki6IDU6zFGzfOlnu+1Ow= +github.com/aws/aws-sdk-go-v2/service/s3 v1.65.0 h1:2dSm7frMrw2tdJ0QvyccQNJyPGaP24dyDgZ6h1QJMGU= +github.com/aws/aws-sdk-go-v2/service/s3 v1.65.0/go.mod h1:4XSVpw66upN8wND3JZA29eXl2NOZvfFVq7DIP6xvfuQ= +github.com/aws/aws-sdk-go-v2/service/sso v1.24.0 h1:71FvP6XFj53NK+YiAEGVzeiccLVeFnHOCvMig0zOHsE= +github.com/aws/aws-sdk-go-v2/service/sso v1.24.0/go.mod h1:UVJqtKXSd9YppRKgdBIkyv7qgbSGv5DchM3yX0BN2mU= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.0 h1:Uco4o19bi3AmBapImNzuMk+rfzlui52BDyVK1UfJeRA= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.0/go.mod h1:+HLFhCpnG08hBee8bUdfd1mBK+rFKPt4O5igR9lXDfk= +github.com/aws/aws-sdk-go-v2/service/sts v1.32.0 h1:GiQUjZM2KUZX68o/LpZ1xqxYMuvoxpRrOwYARYog3vc= +github.com/aws/aws-sdk-go-v2/service/sts v1.32.0/go.mod h1:dKnu7M4MAS2SDlng1ytxd03H+y0LoUfEQ5E2VaaSw/4= 
+github.com/aws/smithy-go v1.22.0 h1:uunKnWlcoL3zO7q+gG2Pk53joueEOsnNB28QdMsmiMM= +github.com/aws/smithy-go v1.22.0/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg= +github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= +github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= +github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d h1:xDfNPAt8lFiC1UJrqV3uuy861HCTo708pDMbjHHdCas= +github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d/go.mod h1:6QX/PXZ00z/TKoufEY6K/a0k6AhaJrQKdFe6OfVXsa4= +github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= +github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc h1:biVzkmvwrH8WK8raXaxBx6fRVTlJILwEwQGL1I/ByEI= +github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= +github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= +github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= +github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= +github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/cheggaaa/pb v1.0.27/go.mod h1:pQciLPpbU0oxA0h+VJYYLxO+XeDQb5pZijXscXHm81s= +github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= +github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= +github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= +github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= +github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= 
+github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= +github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= +github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI= +github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= +github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= +github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= +github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= +github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= +github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= +github.com/cpuguy83/go-md2man/v2 v2.0.0 h1:EoUDS0afbrsXAZ9YQ9jdu/mZ2sXgT1/2yyNng4PGlyM= +github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= +github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g= +github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/envoyproxy/go-control-plane v0.9.0/go.mod 
h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= +github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po= +github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= +github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= +github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ= +github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0= +github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1/go.mod h1:KJwIaB5Mv44NWtYuAOFCVOjcI94vtpEz2JU/D2v6IjE= +github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= +github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= +github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU= +github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E= +github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= +github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/go-errors/errors v1.0.1/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q= +github.com/go-errors/errors v1.0.2-0.20180813162953-d98b870cc4e0 h1:skJKxRtNmevLqnayafdLe2AsenqRupVmzZSqrvb5caU= +github.com/go-errors/errors v1.0.2-0.20180813162953-d98b870cc4e0/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q= +github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod 
h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= +github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= +github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= +github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= +github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-openapi/jsonpointer v0.20.2 h1:mQc3nmndL8ZBzStEo3JYF8wzmeWffDH4VbXz58sAx6Q= +github.com/go-openapi/jsonpointer v0.20.2/go.mod h1:bHen+N0u1KEO3YlmqOjTT9Adn1RfD91Ar825/PuiRVs= +github.com/go-openapi/jsonreference v0.20.4 h1:bKlDxQxQJgwpUSgOENiMPzCTBVuc7vTdXSSgNeAhojU= +github.com/go-openapi/jsonreference v0.20.4/go.mod h1:5pZJyJP2MnYCpoeoMAql78cCHauHj0V9Lhc506VOpw4= +github.com/go-openapi/swag v0.22.7 h1:JWrc1uc/P9cSomxfnsFSVWoE1FW6bNbrVPmpQYpCcR8= +github.com/go-openapi/swag v0.22.7/go.mod h1:Gl91UqO+btAM0plGGxHqJcQZ1ZTy6jbmridBTsDy8A0= +github.com/go-sql-driver/mysql v1.4.1 h1:g24URVg0OFbNUTx9qqY1IRZ9D9z3iPyi5zKhQZpNwpA= +github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= +github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= +github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= +github.com/go-test/deep v1.0.3/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA= +github.com/go-test/deep v1.0.7 h1:/VSMRlnY/JSyqxQUzQLKVMAskpY/NZKFA5j2P+0pP2M= +github.com/go-test/deep v1.0.7/go.mod h1:QV8Hv/iy04NyLBxAdO9njL0iVPN1S4d/A3NVv1V36o8= +github.com/gofrs/flock v0.8.1 h1:+gYjHKf32LDeiEEFhQaotPbLuUXjY5ZqxKgXy7n59aw= +github.com/gofrs/flock v0.8.1/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU= +github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= +github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= +github.com/golang/glog 
v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= +github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= +github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y= +github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= +github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= +github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= +github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4= +github.com/golang/mock v1.5.0/go.mod h1:CWnOUgYIOo4TcNZ0wHX3YZCqsaM1I1Jvs6v3mP3KVu8= +github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs= +github.com/golang/protobuf v1.1.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= +github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= 
+github.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk= +github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= +github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= +github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= +github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= +github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= +github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= +github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= +github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= +github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= +github.com/golang/protobuf v1.5.1/go.mod h1:DopwsBzvsk0Fs44TXzsVbJyPhcCPeIwnvohx4u74HPM= +github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= +github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= +github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= +github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= +github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= +github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= +github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= +github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= +github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= 
+github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE= +github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= +github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/martian v2.1.0+incompatible h1:/CP5g8u/VJHijgedC/Legn3BAbAaWPgecwXBIDzw5no= +github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= +github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= +github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= +github.com/google/martian/v3 v3.2.1/go.mod 
h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk= +github.com/google/martian/v3 v3.3.2 h1:IqNFLAmvJOgVlpdEBiQbDc2EwKW77amAycfTuWKdfvw= +github.com/google/martian/v3 v3.3.2/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk= +github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= +github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= +github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20210122040257-d980be63207e/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20210601050228-01bbb1931b22/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20210609004039-a478d1d731e9/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20240525223248-4bfdf5a9a2af h1:kmjWCqn2qkEml422C2Rrd27c3VGxi6a/6HNq8QmHRKM= +github.com/google/pprof 
v0.0.0-20240525223248-4bfdf5a9a2af/go.mod h1:K1liHPHnj73Fdn/EKuT8nrFqBihUSKXoLYU0BuatOYo= +github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= +github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= +github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/googleapis/enterprise-certificate-proxy v0.0.0-20220520183353-fd19c99a87aa/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8= +github.com/googleapis/enterprise-certificate-proxy v0.1.0/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8= +github.com/googleapis/enterprise-certificate-proxy v0.2.0/go.mod h1:8C0jb7/mgJe/9KK8Lm7X9ctZC2t60YyIpYEI16jx0Qg= +github.com/googleapis/enterprise-certificate-proxy v0.2.3 h1:yk9/cqRKtT9wXZSsRH9aurXEpJX+U6FLtpYTdC3R06k= +github.com/googleapis/enterprise-certificate-proxy v0.2.3/go.mod h1:AwSRAtLfXpU5Nm3pW+v7rGDHp09LsPtGY9MduiEsR9k= +github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= +github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= +github.com/googleapis/gax-go/v2 v2.1.0/go.mod h1:Q3nei7sK6ybPYH7twZdmQpAd1MKb7pfu6SK+H1/DsU0= +github.com/googleapis/gax-go/v2 v2.1.1/go.mod h1:hddJymUZASv3XPyGkUpKj8pPO47Rmb0eJc8R6ouapiM= +github.com/googleapis/gax-go/v2 v2.2.0/go.mod h1:as02EH8zWkzwUoLbBaFeQ+arQaj/OthfcblKl4IGNaM= +github.com/googleapis/gax-go/v2 v2.3.0/go.mod h1:b8LNqSzNabLiUpXKkY7HAR5jr6bIT99EXz9pXxye9YM= +github.com/googleapis/gax-go/v2 v2.4.0/go.mod h1:XOTVJ59hdnfJLIP/dh8n5CGryZR2LxK9wbMD5+iXC6c= +github.com/googleapis/gax-go/v2 v2.5.1/go.mod h1:h6B0KMMFNtI2ddbGJn3T3ZbwkeT6yqEF02fYlzkUCyo= +github.com/googleapis/gax-go/v2 v2.6.0/go.mod h1:1mjbznJAPHFpesgE5ucqfYEscaz5kMdcIDwU/6+DDoY= +github.com/googleapis/gax-go/v2 
v2.7.1 h1:gF4c0zjUP2H/s/hEGyLA3I0fA2ZWjzYiONAD6cvPr8A= +github.com/googleapis/gax-go/v2 v2.7.1/go.mod h1:4orTrqY6hXxxaUL4LHIPl6lGo8vAE38/qKbhSAKP6QI= +github.com/googleapis/go-type-adapters v1.0.0/go.mod h1:zHW75FOG2aur7gAO2B+MLby+cLsWGBF62rFAi7WjWO4= +github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc= +github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= +github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= +github.com/gruntwork-io/go-commons v0.8.0 h1:k/yypwrPqSeYHevLlEDmvmgQzcyTwrlZGRaxEM6G0ro= +github.com/gruntwork-io/go-commons v0.8.0/go.mod h1:gtp0yTtIBExIZp7vyIV9I0XQkVwiQZze678hvDXof78= +github.com/gruntwork-io/terratest v0.47.2 h1:t6iWwsqJH7Gx0RwXleU/vjc+2c0JXRMdj3DxYXTBssQ= +github.com/gruntwork-io/terratest v0.47.2/go.mod h1:LnYX8BN5WxUMpDr8rtD39oToSL4CBERWSCusbJ0d/64= +github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA= +github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= +github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ= +github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48= +github.com/hashicorp/go-getter v1.7.6 h1:5jHuM+aH373XNtXl9TNTUH5Qd69Trve11tHIrB+6yj4= +github.com/hashicorp/go-getter v1.7.6/go.mod h1:W7TalhMmbPmsSMdNjD0ZskARur/9GJ17cfHTRtXV744= +github.com/hashicorp/go-multierror v1.1.0 h1:B9UzwGQJehnUY1yNrnwREHc3fGbC2xefo8g4TbElacI= +github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+vmowP0z+KUhOZdA= +github.com/hashicorp/go-safetemp v1.0.0 h1:2HR189eFNrjHQyENnQMMpCiBAsRxzbTMIgBhEyExpmo= +github.com/hashicorp/go-safetemp v1.0.0/go.mod h1:oaerMy3BhqiTbVye6QuFhFtIceqFoDHxNAB65b+Rj1I= +github.com/hashicorp/go-version v1.3.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= +github.com/hashicorp/go-version v1.6.0 
h1:feTTfFNnjP967rlCxM/I9g701jU+RN74YKx2mOkIeek= +github.com/hashicorp/go-version v1.6.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= +github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hashicorp/hcl/v2 v2.9.1 h1:eOy4gREY0/ZQHNItlfuEZqtcQbXIxzojlP301hDpnac= +github.com/hashicorp/hcl/v2 v2.9.1/go.mod h1:FwWsfWEjyV/CMj8s/gqAuiviY72rJ1/oayI9WftqcKg= +github.com/hashicorp/terraform-json v0.13.0 h1:Li9L+lKD1FO5RVFRM1mMMIBDoUHslOniyEi5CM+FWGY= +github.com/hashicorp/terraform-json v0.13.0/go.mod h1:y5OdLBCT+rxbwnpxZs9kGL7R9ExU76+cpdY8zHwoazk= +github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= +github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= +github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4= +github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY= +github.com/jinzhu/copier v0.0.0-20190924061706-b57f9002281a h1:zPPuIq2jAWWPTrGt70eK/BSch+gFAGrNzecsoENgu2o= +github.com/jinzhu/copier v0.0.0-20190924061706-b57f9002281a/go.mod h1:yL958EeXv8Ylng6IfnvG4oflryUi3vgA3xPs9hmII1s= +github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg= +github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= +github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8= +github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= +github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= +github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= +github.com/json-iterator/go v1.1.12 
h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= +github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= +github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= +github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= +github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= +github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/klauspost/compress v1.15.11 h1:Lcadnb3RKGin4FYM/orgq0qde+nc15E5Cbqg4B9Sx9c= +github.com/klauspost/compress v1.15.11/go.mod h1:QPwzmACJjUTFsnSHH934V6woptycfrDDJnH7hvFVbGM= +github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= +github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= +github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= +github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= +github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348/go.mod h1:B69LEHPfb2qLo0BaaOLcbitczOKLWTsrBG9LczfCD4k= +github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= +github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= +github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= +github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= +github.com/mattn/go-colorable 
v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= +github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= +github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= +github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= +github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOAqxQCu2WE= +github.com/mattn/go-runewidth v0.0.4/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= +github.com/mattn/go-zglob v0.0.1/go.mod h1:9fxibJccNxU2cnpIKLRRFA7zX7qhkJIQWBb449FYHOo= +github.com/mattn/go-zglob v0.0.2-0.20190814121620-e3c945676326 h1:ofNAzWCcyTALn2Zv40+8XitdzCgXY6e9qvXwN9W0YXg= +github.com/mattn/go-zglob v0.0.2-0.20190814121620-e3c945676326/go.mod h1:9fxibJccNxU2cnpIKLRRFA7zX7qhkJIQWBb449FYHOo= +github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s= +github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= +github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= +github.com/mitchellh/go-testing-interface v1.14.1 h1:jrgshOhYAUVNMAJiKbEu7EqAwgJJ2JqpQmpLJOu07cU= +github.com/mitchellh/go-testing-interface v1.14.1/go.mod h1:gfgS7OtZj6MA4U1UrDRp04twqAjfvlZyCfX3sDjEym8= +github.com/mitchellh/go-wordwrap v0.0.0-20150314170334-ad45545899c7/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo= +github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0= +github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0= +github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= +github.com/moby/spdystream v0.4.0 h1:Vy79D6mHeJJjiPdFEL2yku1kl0chZpJfZcPpb16BRl8= +github.com/moby/spdystream v0.4.0/go.mod h1:xBAYlnt/ay+11ShkdFKNAG7LsyK/tmNBVvVOwrfMgdI= +github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod 
h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= +github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J1GEMiLbxo1LJaP8RfCpH6pymGZus= +github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= +github.com/onsi/ginkgo/v2 v2.19.0 h1:9Cnnf7UHo57Hy3k6/m5k3dRfGTMXGvxhHFvkDTCTpvA= +github.com/onsi/ginkgo/v2 v2.19.0/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To= +github.com/onsi/gomega v1.19.0 h1:4ieX6qQjPP/BfC3mpsAtIGGlxTWPeA3Inl/7DtXw1tw= +github.com/onsi/gomega v1.19.0/go.mod h1:LY+I3pBVzYsTBU1AnDwOSxaYi9WoWiqgwooUqq9yPro= +github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/pquerna/otp v1.2.0 h1:/A3+Jn+cagqayeR3iHs/L62m5ue7710D35zl1zJ1kok= +github.com/pquerna/otp v1.2.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg= +github.com/prometheus/client_golang v1.19.1 h1:wZWJDwK+NameRJuPGDhlnFgx8e8HN3XHQeLaYJFJBOE= +github.com/prometheus/client_golang v1.19.1/go.mod 
h1:mP78NwGzrVks5S2H6ab8+ZZGJLZUq1hoULYBAYBw1Ho= +github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E= +github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY= +github.com/prometheus/common v0.55.0 h1:KEi6DK7lXW/m7Ig5i47x0vRzuBsHuvJdi5ee6Y3G1dc= +github.com/prometheus/common v0.55.0/go.mod h1:2SECS4xJG1kd8XF9IcM1gMX6510RAEL65zxzNImwdc8= +github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc= +github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk= +github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= +github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= +github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= +github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= +github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk= +github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/sebdah/goldie v1.0.0/go.mod h1:jXP4hmWywNEwZzhMuv2ccnqTSFpuq8iyQhtQdkkZBH4= +github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo= +github.com/sethvargo/go-password v0.3.1 h1:WqrLTjo7X6AcVYfC6R7GtSyuUQR9hGyAj/f1PYQZCJU= +github.com/sethvargo/go-password v0.3.1/go.mod h1:rXofC1zT54N7R8K/h1WDUdkf9BOx5OptoxrMBcrXzvs= +github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= +github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= +github.com/sirupsen/logrus v1.9.3 
h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= +github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= +github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= +github.com/spf13/pflag v1.0.2/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= +github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= +github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= +github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= +github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= +github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= +github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= +github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= +github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= +github.com/tmccombs/hcl2json v0.3.3 h1:+DLNYqpWE0CsOQiEZu+OZm5ZBImake3wtITYxQ8uLFQ= +github.com/tmccombs/hcl2json v0.3.3/go.mod 
h1:Y2chtz2x9bAeRTvSibVRVgbLJhLJXKlUeIvjeVdnm4w= +github.com/ulikunitz/xz v0.5.10 h1:t92gobL9l3HE202wg3rlk19F6X+JOxl9BBrCCMYEYd8= +github.com/ulikunitz/xz v0.5.10/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14= +github.com/urfave/cli v1.22.2 h1:gsqYFH8bb9ekPA12kRo0hfjngWQjkJPlN9R0N78BoUo= +github.com/urfave/cli v1.22.2/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= +github.com/vmihailenco/msgpack v3.3.3+incompatible/go.mod h1:fy3FlTQTDXWkZ7Bh6AcGMlsjHatGryHQYUTf1ShIgkk= +github.com/vmihailenco/msgpack/v4 v4.3.12/go.mod h1:gborTTJjAo/GWTqqRjrLCn9pgNN+NXzzngzBKDPIqw4= +github.com/vmihailenco/tagparser v0.1.1/go.mod h1:OeAg3pn3UbLjkWt+rN9oFYB6u/cQgqMEUPoW2WPyhdI= +github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= +github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= +github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= +github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= +github.com/zclconf/go-cty v1.2.0/go.mod h1:hOPWgoHbaTUnI5k4D2ld+GRpFJSCe6bCM7m1q/N4PQ8= +github.com/zclconf/go-cty v1.8.0/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk= +github.com/zclconf/go-cty v1.8.1/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk= +github.com/zclconf/go-cty v1.9.1 h1:viqrgQwFl5UpSxc046qblj78wZXVDFnSOufaOTER+cc= +github.com/zclconf/go-cty v1.9.1/go.mod h1:vVKLxnk3puL4qRAv72AO+W99LUD4da90g3uUAzyuvAk= +github.com/zclconf/go-cty-debug v0.0.0-20191215020915-b22d67c1ba0b/go.mod h1:ZRKQfBXbGkpdV6QMzT3rU1kSTAnfu1dO8dPKjYprgj8= +go.opencensus.io v0.21.0/go.mod 
h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= +go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= +go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= +go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= +go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= +go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk= +go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E= +go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= +go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= +go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= +go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= +go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= +go.uber.org/multierr v1.10.0 h1:S0h4aNzvfcFsC3dRF1jLoaov7oRaKqRGC/pUEJ2yvPQ= +go.uber.org/multierr v1.10.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= +go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8= +go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod 
h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI= +golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM= +golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= +golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek= +golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY= +golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= +golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= +golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= +golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= +golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= +golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= +golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= +golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= +golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint 
v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs= +golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= +golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= +golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= +golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= +golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= +golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o= +golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc= +golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY= +golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= +golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= +golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= 
+golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180811021610-c39426892332/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net 
v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= +golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= +golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= +golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc= +golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= +golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod 
h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= +golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= +golang.org/x/net v0.0.0-20220325170049-de3da57026de/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= +golang.org/x/net v0.0.0-20220412020605-290c469a71a5/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= +golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= +golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.0.0-20220617184016-355a448f1bc9/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.0.0-20220909164309-bea034e7d591/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= +golang.org/x/net v0.0.0-20221014081412-f15817d10f9b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= +golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco= +golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ= +golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE= +golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= +golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod 
h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= +golang.org/x/oauth2 v0.0.0-20220309155454-6242fa91716a/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= +golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= +golang.org/x/oauth2 v0.0.0-20220608161450-d0670ef3b1eb/go.mod h1:jaDAt6Dkxork7LmZnYtzbRWj0W47D86a3TGe0YHBvmE= +golang.org/x/oauth2 v0.0.0-20220622183110-fd043fe589d2/go.mod h1:jaDAt6Dkxork7LmZnYtzbRWj0W47D86a3TGe0YHBvmE= +golang.org/x/oauth2 v0.0.0-20220822191816-0ebed06d0094/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg= +golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg= +golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783/go.mod 
h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg= +golang.org/x/oauth2 v0.1.0/go.mod h1:G9FE4dLTsbXUu90h/Pf85g4w1D+SSAgR+q46nJZ8M4A= +golang.org/x/oauth2 v0.21.0 h1:tsimM75w1tF/uws5rbeHzIWxEqElMehnc+iW793zsZs= +golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= +golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20220929204114-8fcdb60fdcc0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod 
h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190502175342-a43fa875dd82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
+golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys 
v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210603125802-9665404d3644/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210806184541-e5e7981a1069/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210908233432-aa78b53d3365/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20211210111614-af8b64212486/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220227234510-4e6760a101f9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220328115105-d36c6a25d886/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220502124256-b6088ccd6cba/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220615213510-4f61da869c0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220624220833-87e55d714810/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws= +golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.21.0 h1:WVXCp+/EBEHOj53Rvu+7KiT/iElMrO8ACK16SMZ3jaA= +golang.org/x/term v0.21.0/go.mod h1:ooXLefLobQVslOqselCNF4SxFAaoS6KujMbsGzSDmX0= +golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.0/go.mod 
h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4= +golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI= +golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= +golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= +golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod 
h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191216173652-a0e659d51361/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200117161641-43d50277825c/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200122220014-bf1340f18c4a/go.mod 
h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200204074204-1cc6d1ef6c74/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200207183749-b753a1ba74fa/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200227222343-706bc42d1f0d/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= +golang.org/x/tools v0.0.0-20200312045724-11d5b4c81c7d/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= +golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8= +golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= +golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= +golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= +golang.org/x/tools v0.0.0-20200904185747-39188db58858/go.mod 
h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE= +golang.org/x/tools v0.0.0-20201110124207-079ba7bd75cd/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.0.0-20201201161351-ac6f37ff4c2a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= +golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= +golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= +golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= +golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= +golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= +golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= +golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d h1:vU5i/LfpvrRCpgM/VPfJLg5KjxD3E+hfT1SH+d9zLwg= +golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20220411194840-2f41105eb62f/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors 
v0.0.0-20220517211312-f3a8303e98df/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= +golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= +golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 h1:H2TDz8ibqkAF6YGhCdN3jS9O0/s90v0rJh3X/OLHEUk= +golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= +google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= +google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= +google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= +google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= +google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= +google.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= +google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= +google.golang.org/api v0.17.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= +google.golang.org/api v0.18.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= +google.golang.org/api v0.19.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= +google.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= +google.golang.org/api v0.22.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= +google.golang.org/api v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= +google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= +google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM= +google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc= +google.golang.org/api v0.35.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg= +google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34qYtE= +google.golang.org/api 
v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8= +google.golang.org/api v0.41.0/go.mod h1:RkxM5lITDfTzmyKFPt+wGrCJbVfniCr2ool8kTBzRTU= +google.golang.org/api v0.43.0/go.mod h1:nQsDGjRXMo4lvh5hP0TKqF244gqhGcr/YSIykhUk/94= +google.golang.org/api v0.47.0/go.mod h1:Wbvgpq1HddcWVtzsVLyfLp8lDg6AA241LmgIL59tHXo= +google.golang.org/api v0.48.0/go.mod h1:71Pr1vy+TAZRPkPs/xlCf5SsU8WjuAWv1Pfjbtukyy4= +google.golang.org/api v0.50.0/go.mod h1:4bNT5pAuq5ji4SRZm+5QIkjny9JAyVD/3gaSihNefaw= +google.golang.org/api v0.51.0/go.mod h1:t4HdrdoNgyN5cbEfm7Lum0lcLDLiise1F8qDKX00sOU= +google.golang.org/api v0.54.0/go.mod h1:7C4bFFOvVDGXjfDTAsgGwDgAxRDeQ4X8NvUedIt6z3k= +google.golang.org/api v0.55.0/go.mod h1:38yMfeP1kfjsl8isn0tliTjIb1rJXcQi4UXlbqivdVE= +google.golang.org/api v0.56.0/go.mod h1:38yMfeP1kfjsl8isn0tliTjIb1rJXcQi4UXlbqivdVE= +google.golang.org/api v0.57.0/go.mod h1:dVPlbZyBo2/OjBpmvNdpn2GRm6rPy75jyU7bmhdrMgI= +google.golang.org/api v0.61.0/go.mod h1:xQRti5UdCmoCEqFxcz93fTl338AVqDgyaDRuOZ3hg9I= +google.golang.org/api v0.63.0/go.mod h1:gs4ij2ffTRXwuzzgJl/56BdwJaA194ijkfn++9tDuPo= +google.golang.org/api v0.67.0/go.mod h1:ShHKP8E60yPsKNw/w8w+VYaj9H6buA5UqDp8dhbQZ6g= +google.golang.org/api v0.70.0/go.mod h1:Bs4ZM2HGifEvXwd50TtW70ovgJffJYw2oRCOFU/SkfA= +google.golang.org/api v0.71.0/go.mod h1:4PyU6e6JogV1f9eA4voyrTY2batOLdgZ5qZ5HOCc4j8= +google.golang.org/api v0.74.0/go.mod h1:ZpfMZOVRMywNyvJFeqL9HRWBgAuRfSjJFpe9QtRRyDs= +google.golang.org/api v0.75.0/go.mod h1:pU9QmyHLnzlpar1Mjt4IbapUCy8J+6HD6GeELN69ljA= +google.golang.org/api v0.77.0/go.mod h1:pU9QmyHLnzlpar1Mjt4IbapUCy8J+6HD6GeELN69ljA= +google.golang.org/api v0.78.0/go.mod h1:1Sg78yoMLOhlQTeF+ARBoytAcH1NNyyl390YMy6rKmw= +google.golang.org/api v0.80.0/go.mod h1:xY3nI94gbvBrE0J6NHXhxOmW97HG7Khjkku6AFB3Hyg= +google.golang.org/api v0.84.0/go.mod h1:NTsGnUFJMYROtiquksZHBWtHfeMC7iYthki7Eq3pa8o= +google.golang.org/api v0.85.0/go.mod h1:AqZf8Ep9uZ2pyTvgL+x0D3Zt0eoT9b5E8fmzfu6FO2g= +google.golang.org/api v0.90.0/go.mod 
h1:+Sem1dnrKlrXMR/X0bPnMWyluQe4RsNoYfmNLhOIkzw= +google.golang.org/api v0.93.0/go.mod h1:+Sem1dnrKlrXMR/X0bPnMWyluQe4RsNoYfmNLhOIkzw= +google.golang.org/api v0.95.0/go.mod h1:eADj+UBuxkh5zlrSntJghuNeg8HwQ1w5lTKkuqaETEI= +google.golang.org/api v0.96.0/go.mod h1:w7wJQLTM+wvQpNf5JyEcBoxK0RH7EDrh/L4qfsuJ13s= +google.golang.org/api v0.97.0/go.mod h1:w7wJQLTM+wvQpNf5JyEcBoxK0RH7EDrh/L4qfsuJ13s= +google.golang.org/api v0.98.0/go.mod h1:w7wJQLTM+wvQpNf5JyEcBoxK0RH7EDrh/L4qfsuJ13s= +google.golang.org/api v0.100.0/go.mod h1:ZE3Z2+ZOr87Rx7dqFsdRQkRBk36kDtp/h+QpHbB7a70= +google.golang.org/api v0.114.0 h1:1xQPji6cO2E2vLiI+C/XiFAnsn1WV3mjaEwGLhi3grE= +google.golang.org/api v0.114.0/go.mod h1:ifYI2ZsFK6/uGddGfAD5BMxlnkBqCmqHSDUVi45N5Yg= +google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= +google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= +google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= +google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= +google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod 
h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= +google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= +google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8= +google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20200115191322-ca5a22157cba/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20200122232147-0452cf42e150/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20200204135345-fa8e72b47b90/go.mod h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA= +google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200228133532-8c2c7df3a383/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto 
v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U= +google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= +google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA= +google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20201109203340-2640f1f9cdfb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20201201144952-b05cb90ed32e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210222152913-aa3ee6e6a81c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210310155132-4ce2db91004e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= 
+google.golang.org/genproto v0.0.0-20210319143718-93e7006c17a6/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210329143202-679c6ae281ee/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A= +google.golang.org/genproto v0.0.0-20210402141018-6c239bbf2bb1/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A= +google.golang.org/genproto v0.0.0-20210513213006-bf773b8c8384/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A= +google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0= +google.golang.org/genproto v0.0.0-20210604141403-392c879c8b08/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0= +google.golang.org/genproto v0.0.0-20210608205507-b6d2f5bf0d7d/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0= +google.golang.org/genproto v0.0.0-20210624195500-8bfb893ecb84/go.mod h1:SzzZ/N+nwJDaO1kznhnlzqS8ocJICar6hYhVyhi++24= +google.golang.org/genproto v0.0.0-20210713002101-d411969a0d9a/go.mod h1:AxrInvYm1dci+enl5hChSFPOmmUF1+uAa/UsgNRWd7k= +google.golang.org/genproto v0.0.0-20210716133855-ce7ef5c701ea/go.mod h1:AxrInvYm1dci+enl5hChSFPOmmUF1+uAa/UsgNRWd7k= +google.golang.org/genproto v0.0.0-20210728212813-7823e685a01f/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48= +google.golang.org/genproto v0.0.0-20210805201207-89edb61ffb67/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48= +google.golang.org/genproto v0.0.0-20210813162853-db860fec028c/go.mod h1:cFeNkxwySK631ADgubI+/XFU/xp8FD5KIVV4rj8UC5w= +google.golang.org/genproto v0.0.0-20210821163610-241b8fcbd6c8/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= +google.golang.org/genproto v0.0.0-20210828152312-66f60bf46e71/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= +google.golang.org/genproto v0.0.0-20210831024726-fe130286e0e2/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= +google.golang.org/genproto v0.0.0-20210903162649-d08c68adba83/go.mod 
h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= +google.golang.org/genproto v0.0.0-20210909211513-a8c4777a87af/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= +google.golang.org/genproto v0.0.0-20210924002016-3dee208752a0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= +google.golang.org/genproto v0.0.0-20211118181313-81c1377c94b1/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= +google.golang.org/genproto v0.0.0-20211206160659-862468c7d6e0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= +google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= +google.golang.org/genproto v0.0.0-20211221195035-429b39de9b1c/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= +google.golang.org/genproto v0.0.0-20220126215142-9970aeb2e350/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= +google.golang.org/genproto v0.0.0-20220207164111-0872dc986b00/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= +google.golang.org/genproto v0.0.0-20220218161850-94dd64e39d7c/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI= +google.golang.org/genproto v0.0.0-20220222213610-43724f9ea8cf/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI= +google.golang.org/genproto v0.0.0-20220304144024-325a89244dc8/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI= +google.golang.org/genproto v0.0.0-20220310185008-1973136f34c6/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI= +google.golang.org/genproto v0.0.0-20220324131243-acbaeb5b85eb/go.mod h1:hAL49I2IFola2sVEjAn7MEwsja0xp51I0tlGAf9hz4E= +google.golang.org/genproto v0.0.0-20220407144326-9054f6ed7bac/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo= +google.golang.org/genproto v0.0.0-20220413183235-5e96e2839df9/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo= +google.golang.org/genproto v0.0.0-20220414192740-2d67ff6cf2b4/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo= +google.golang.org/genproto 
v0.0.0-20220421151946-72621c1f0bd3/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo= +google.golang.org/genproto v0.0.0-20220429170224-98d788798c3e/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo= +google.golang.org/genproto v0.0.0-20220502173005-c8bf987b8c21/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4= +google.golang.org/genproto v0.0.0-20220505152158-f39f71e6c8f3/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4= +google.golang.org/genproto v0.0.0-20220518221133-4f43b3371335/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4= +google.golang.org/genproto v0.0.0-20220523171625-347a074981d8/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4= +google.golang.org/genproto v0.0.0-20220608133413-ed9918b62aac/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA= +google.golang.org/genproto v0.0.0-20220616135557-88e70c0c3a90/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA= +google.golang.org/genproto v0.0.0-20220617124728-180714bec0ad/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA= +google.golang.org/genproto v0.0.0-20220624142145-8cd45d7dbd1f/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA= +google.golang.org/genproto v0.0.0-20220628213854-d9e0b6570c03/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA= +google.golang.org/genproto v0.0.0-20220722212130-b98a9ff5e252/go.mod h1:GkXuJDJ6aQ7lnJcRF+SJVgFdQhypqgl3LB1C9vabdRE= +google.golang.org/genproto v0.0.0-20220801145646-83ce21fca29f/go.mod h1:iHe1svFLAZg9VWz891+QbRMwUv9O/1Ww+/mngYeThbc= +google.golang.org/genproto v0.0.0-20220815135757-37a418bb8959/go.mod h1:dbqgFATTzChvnt+ujMdZwITVAJHFtfyN1qUhDqEiIlk= +google.golang.org/genproto v0.0.0-20220817144833-d7fd3f11b9b1/go.mod h1:dbqgFATTzChvnt+ujMdZwITVAJHFtfyN1qUhDqEiIlk= +google.golang.org/genproto v0.0.0-20220822174746-9e6da59bd2fc/go.mod h1:dbqgFATTzChvnt+ujMdZwITVAJHFtfyN1qUhDqEiIlk= +google.golang.org/genproto v0.0.0-20220829144015-23454907ede3/go.mod h1:dbqgFATTzChvnt+ujMdZwITVAJHFtfyN1qUhDqEiIlk= 
+google.golang.org/genproto v0.0.0-20220829175752-36a9c930ecbf/go.mod h1:dbqgFATTzChvnt+ujMdZwITVAJHFtfyN1qUhDqEiIlk= +google.golang.org/genproto v0.0.0-20220913154956-18f8339a66a5/go.mod h1:0Nb8Qy+Sk5eDzHnzlStwW3itdNaWoZA5XeSG+R3JHSo= +google.golang.org/genproto v0.0.0-20220914142337-ca0e39ece12f/go.mod h1:0Nb8Qy+Sk5eDzHnzlStwW3itdNaWoZA5XeSG+R3JHSo= +google.golang.org/genproto v0.0.0-20220915135415-7fd63a7952de/go.mod h1:0Nb8Qy+Sk5eDzHnzlStwW3itdNaWoZA5XeSG+R3JHSo= +google.golang.org/genproto v0.0.0-20220916172020-2692e8806bfa/go.mod h1:0Nb8Qy+Sk5eDzHnzlStwW3itdNaWoZA5XeSG+R3JHSo= +google.golang.org/genproto v0.0.0-20220919141832-68c03719ef51/go.mod h1:0Nb8Qy+Sk5eDzHnzlStwW3itdNaWoZA5XeSG+R3JHSo= +google.golang.org/genproto v0.0.0-20220920201722-2b89144ce006/go.mod h1:ht8XFiar2npT/g4vkk7O0WYS1sHOHbdujxbEp7CJWbw= +google.golang.org/genproto v0.0.0-20220926165614-551eb538f295/go.mod h1:woMGP53BroOrRY3xTxlbr8Y3eB/nzAvvFM83q7kG2OI= +google.golang.org/genproto v0.0.0-20220926220553-6981cbe3cfce/go.mod h1:woMGP53BroOrRY3xTxlbr8Y3eB/nzAvvFM83q7kG2OI= +google.golang.org/genproto v0.0.0-20221010155953-15ba04fc1c0e/go.mod h1:3526vdqwhZAwq4wsRUaVG555sVgsNmIjRtO7t/JH29U= +google.golang.org/genproto v0.0.0-20221014173430-6e2ab493f96b/go.mod h1:1vXfmgAz9N9Jx0QA82PqRVauvCz1SGSz739p0f183jM= +google.golang.org/genproto v0.0.0-20221014213838-99cd37c6964a/go.mod h1:1vXfmgAz9N9Jx0QA82PqRVauvCz1SGSz739p0f183jM= +google.golang.org/genproto v0.0.0-20221025140454-527a21cfbd71/go.mod h1:9qHF0xnpdSfF6knlcsnpzUu5y+rpwgbvsyGAZPBMg4s= +google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 h1:KpwkzHKEF7B9Zxg18WzOa7djJ+Ha5DzthMyZYQfEn2A= +google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1/go.mod h1:nKE/iIaLqn2bQwXBg8f1g2Ylh6r5MN5CmZvuzZCgsCU= +google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= +google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= +google.golang.org/grpc v1.21.1/go.mod 
h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= +google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= +google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= +google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60= +google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= +google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= +google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= +google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= +google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0= +google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= +google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8= +google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= +google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= +google.golang.org/grpc v1.36.1/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= +google.golang.org/grpc v1.37.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= +google.golang.org/grpc v1.37.1/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= +google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= +google.golang.org/grpc v1.39.0/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE= +google.golang.org/grpc v1.39.1/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE= +google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34= +google.golang.org/grpc 
v1.40.1/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34= +google.golang.org/grpc v1.44.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU= +google.golang.org/grpc v1.45.0/go.mod h1:lN7owxKUQEqMfSyQikvvk5tf/6zMPsrK+ONuO11+0rQ= +google.golang.org/grpc v1.46.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk= +google.golang.org/grpc v1.46.2/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk= +google.golang.org/grpc v1.47.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk= +google.golang.org/grpc v1.48.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk= +google.golang.org/grpc v1.49.0/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI= +google.golang.org/grpc v1.50.0/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI= +google.golang.org/grpc v1.50.1/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI= +google.golang.org/grpc v1.56.3 h1:8I4C0Yq1EjstUzUJzpcRVbuYA2mODtEmpWiQoN/b2nc= +google.golang.org/grpc v1.56.3/go.mod h1:I9bI3vqKfayGqPUAwGdOSu7kt6oIJLixfffKrpXqQ9s= +google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw= +google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= +google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= +google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= +google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= +google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= +google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= 
+google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4= +google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= +google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= +google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= +google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= +google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= +google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= +gopkg.in/cheggaaa/pb.v1 v1.0.27/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw= +gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= +gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= +gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= +gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= +gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= +gopkg.in/yaml.v3 
v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= +honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= +honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= +k8s.io/api v0.31.1 h1:Xe1hX/fPW3PXYYv8BlozYqw63ytA92snr96zMW9gWTU= +k8s.io/api v0.31.1/go.mod h1:sbN1g6eY6XVLeqNsZGLnI5FwVseTrZX7Fv3O26rhAaI= +k8s.io/apimachinery v0.31.1 h1:mhcUBbj7KUjaVhyXILglcVjuS4nYXiwC+KKFBgIVy7U= +k8s.io/apimachinery v0.31.1/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= +k8s.io/client-go v0.31.1 h1:f0ugtWSbWpxHR7sjVpQwuvw9a3ZKLXX0u0itkFXufb0= +k8s.io/client-go v0.31.1/go.mod h1:sKI8871MJN2OyeqRlmA4W4KM9KBdBUpDLu/43eGemCg= +k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= +k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= +k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 h1:BZqlfIlq5YbRMFko6/PM7FjZpUb45WallggurYhKGag= +k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340/go.mod h1:yD4MZYeKMBwQKVht279WycxKyM84kkAx2DPrTXaeb98= +k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A= +k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= 
+rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= +rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= +rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= +sigs.k8s.io/aws-iam-authenticator v0.6.27 h1:uzSwFYh+hrrbpv7goZ+2FN/2oCQddiKpb8l5vBbY1i4= +sigs.k8s.io/aws-iam-authenticator v0.6.27/go.mod h1:8CAmUtqsLmv5QvnhXQ2+byy1EL+TCDyyYTGFXDyt0sk= +sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= +sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= +sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= +sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08= +sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= +sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= From 435ab1aba1a2909a71d668fe8d2baf23b2b8c053 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Thu, 10 Oct 2024 09:36:59 +0200 Subject: [PATCH 046/135] wip instructions from doc --- examples/camunda-8.6/cluster.tf | 10 +++++++ examples/camunda-8.6/config.tf | 18 +++++++++++++ examples/camunda-8.6/db.tf | 24 +++++++++++++++++ .../camunda-8.6/irsa-postgres-create-db.yml | 0 examples/camunda-8.6/opensearch.tf | 27 +++++++++++++++++++ 5 files changed, 79 insertions(+) create mode 100644 examples/camunda-8.6/cluster.tf create mode 100644 examples/camunda-8.6/config.tf create mode 100644 examples/camunda-8.6/db.tf create mode 100644 examples/camunda-8.6/irsa-postgres-create-db.yml create mode 100644 examples/camunda-8.6/opensearch.tf diff --git a/examples/camunda-8.6/cluster.tf b/examples/camunda-8.6/cluster.tf new file mode 100644 index 00000000..e5d7bbb7 --- /dev/null +++ b/examples/camunda-8.6/cluster.tf 
@@ -0,0 +1,10 @@
+module "eks_cluster" {
+ source = "git::https://github.com/camunda/camunda-tf-eks-module//modules/eks-cluster?ref=feature/opensearch"
+
+ region = "eu-west-2" # Change this to your desired AWS region
+ name = "cluster-name" # Change this to a name of your choice
+
+ # Set CIDR ranges or use the defaults
+ cluster_service_ipv4_cidr = "10.190.0.0/16"
+ cluster_node_ipv4_cidr = "10.192.0.0/16"
+}
diff --git a/examples/camunda-8.6/config.tf b/examples/camunda-8.6/config.tf
new file mode 100644
index 00000000..035255eb
--- /dev/null
+++ b/examples/camunda-8.6/config.tf
@@ -0,0 +1,18 @@
+terraform {
+ required_version = ">= 1.0"
+
+ backend "s3" {
+ bucket = "my-eks-tf-state"
+ key = "camunda-terraform/terraform.tfstate"
+ encrypt = true
+ }
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.69"
+ }
+ }
+}
+
+provider "aws" {}
diff --git a/examples/camunda-8.6/db.tf b/examples/camunda-8.6/db.tf
new file mode 100644
index 00000000..0ea9a526
--- /dev/null
+++ b/examples/camunda-8.6/db.tf
@@ -0,0 +1,24 @@
+locals {
+ aurora_cluster_name = "cluster-name-postgresql" # Replace "cluster-name" with your cluster's name
+}
+
+module "postgresql" {
+ source = "git::https://github.com/camunda/camunda-tf-eks-module//modules/aurora?ref=feature/opensearch"
+ engine_version = "15.8"
+ auto_minor_version_upgrade = false
+ cluster_name = locals.aurora_cluster_name
+ default_database_name = "camunda"
+
+ # Supply your own secret values for username and password
+ username = "secret_user"
+ password = "secretvalue%23"
+
+ vpc_id = module.eks_cluster.vpc_id
+ subnet_ids = module.eks_cluster.private_subnet_ids
+ cidr_blocks = concat(module.eks_cluster.private_vpc_cidr_blocks, module.eks_cluster.public_vpc_cidr_blocks)
+
+ instance_class = "db.t3.medium"
+ iam_auth_enabled = true
+
+ depends_on = [module.eks_cluster]
+}
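Review bot: In examples/camunda-8.6/cluster.tf the module `source` is pinned to `?ref=feature/opensearch`, a branch name, so the code Terraform fetches can change between runs without any change to this file. For an example that users copy, point `ref` at a release tag or a full commit SHA, e.g. `?ref=<RELEASE_TAG_OR_COMMIT_SHA>`. The same branch ref appears in the `source` lines of db.tf and opensearch.tf in this patch.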
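Review bot: The `backend "s3"` block in examples/camunda-8.6/config.tf configures no state locking, and this state will likely hold the Aurora and OpenSearch master passwords that db.tf and opensearch.tf pass to their modules. Adding a lock table, `dynamodb_table = "<LOCK_TABLE_NAME>"`, keeps two concurrent applies from overwriting each other's state. The block also sets no `region`, so a comment such as `# region is taken from AWS_REGION / AWS_DEFAULT_REGION` would tell readers where it comes from.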
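Review bot: `cluster_name = locals.aurora_cluster_name` in examples/camunda-8.6/db.tf will not resolve, because values declared in a `locals` block are referenced with the singular `local.` prefix; the line should read `cluster_name = local.aurora_cluster_name`. opensearch.tf has the same slip in `domain_name = locals.opensearch_domain_name`. As written, `terraform validate` should reject both files.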
diff --git a/examples/camunda-8.6/irsa-postgres-create-db.yml b/examples/camunda-8.6/irsa-postgres-create-db.yml
new file mode 100644
index 00000000..e69de29b
diff --git a/examples/camunda-8.6/opensearch.tf b/examples/camunda-8.6/opensearch.tf
new file mode 100644
index 00000000..10bfdc5d
--- /dev/null
+++ b/examples/camunda-8.6/opensearch.tf
@@ -0,0 +1,27 @@
+locals {
+ opensearch_domain_name = "domain-name-opensearch" # Replace "domain-name" with your domain name
+}
+
+module "opensearch" {
+ source = "git::https://github.com/camunda/camunda-tf-eks-module//modules/opensearch?ref=feature/opensearch"
+ domain_name = locals.opensearch_domain_name
+ engine_version = "2.15"
+
+ instance_type = "t3.medium.search"
+ instance_count = 3
+ ebs_volume_size = 50
+
+ subnet_ids = module.eks_cluster.private_subnet_ids
+ security_group_ids = module.eks_cluster.security_group_ids
+ vpc_id = module.eks_cluster.vpc_id
+ cidr_blocks = concat(module.eks_cluster.private_vpc_cidr_blocks, module.eks_cluster.public_vpc_cidr_blocks)
+
+ advanced_security_enabled = true
+ advanced_security_internal_user_database_enabled = true
+
+ # Supply your own secret values
+ advanced_security_master_user_name = "secret_user"
+ advanced_security_master_user_password = "secretvalue%23"
+
+ depends_on = [module.eks_cluster]
+}
From 839d40caf9b4f552c8b1fee30f9143ef46ec1855 Mon Sep 17 00:00:00 2001
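Review bot: `advanced_security_master_user_password = "secretvalue%23"` in examples/camunda-8.6/opensearch.tf puts the master password in the file as a literal, and the comment above it does not say where a real value should come from, so a copied example is likely to end up committed with a password in it. Reading the value from an input marked sensitive shows the intended pattern: `advanced_security_master_user_password = var.opensearch_master_password`, with a matching `variable "opensearch_master_password" { sensitive = true }` (the variable name is a suggestion). db.tf sets `password = "secretvalue%23"` the same way.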
From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Thu, 10 Oct 2024 11:27:18 +0200 Subject: [PATCH 047/135] apply suggestions from PR review --- .../actions/aurora-manage-cluster/action.yml | 2 +- .github/actions/eks-manage-cluster/action.yml | 2 +- .../opensearch-manage-cluster/action.yml | 4 +- .github/workflows/daily-cleanup.yml | 2 +- .github/workflows/labeler.yml | 2 +- .github/workflows/links.yml | 2 +- .github/workflows/lint.yml | 2 +- .github/workflows/renovate-automerge.yml | 2 +- .github/workflows/test-gha-eks.yml | 13 +++-- .github/workflows/tests.yml | 2 +- README.md | 54 ++++++++++++++----- modules/fixtures/opensearch-client.yml | 7 +-- modules/fixtures/postgres-client.yml | 10 +--- test/src/custom_eks_opensearch_test.go | 2 +- 14 files changed, 64 insertions(+), 42 deletions(-) diff --git a/.github/actions/aurora-manage-cluster/action.yml b/.github/actions/aurora-manage-cluster/action.yml index bc453b8b..6ffbbbec 100644 --- a/.github/actions/aurora-manage-cluster/action.yml +++ b/.github/actions/aurora-manage-cluster/action.yml @@ -109,7 +109,7 @@ runs: id: utility # see https://github.com/orgs/community/discussions/41927 it's not possible to optimize this yet # steps.uses cannot access the github context. - uses: camunda/camunda-tf-eks-module/.github/actions/utility-action@b9fc19160ff5b03c5d5a34f61dd8593b2d199dc2 # main + uses: camunda/camunda-tf-eks-module/.github/actions/utility-action@2d49d09f14fb89eea8aa769c1e757089cc7e12bd # 2.5.1 with: awscli-version: ${{ inputs.awscli-version }} terraform-version: ${{ inputs.terraform-version }} diff --git a/.github/actions/eks-manage-cluster/action.yml b/.github/actions/eks-manage-cluster/action.yml index 63e23857..cc3afc1f 100644 --- a/.github/actions/eks-manage-cluster/action.yml +++ b/.github/actions/eks-manage-cluster/action.yml 
@@ -88,7 +88,7 @@ runs: # see https://github.com/orgs/community/discussions/41927 it's not possible to optimize this yet # steps.uses cannot access the github context. # uses: ${{ github.action_repository }}/utility-action@${{ github.action_ref }} - uses: camunda/camunda-tf-eks-module/.github/actions/utility-action@b9fc19160ff5b03c5d5a34f61dd8593b2d199dc2 # main + uses: camunda/camunda-tf-eks-module/.github/actions/utility-action@2d49d09f14fb89eea8aa769c1e757089cc7e12bd # 2.5.1 with: awscli-version: ${{ inputs.awscli-version }} terraform-version: ${{ inputs.terraform-version }} diff --git a/.github/actions/opensearch-manage-cluster/action.yml b/.github/actions/opensearch-manage-cluster/action.yml index ce1d21fa..179e77c3 100644 --- a/.github/actions/opensearch-manage-cluster/action.yml +++ b/.github/actions/opensearch-manage-cluster/action.yml @@ -105,7 +105,7 @@ runs: steps: - name: Use Utility Actions id: utility - uses: camunda/camunda-tf-eks-module/.github/actions/utility-action@e092dfdc4e245e3fd7244214f1e025f733a24b4e + uses: camunda/camunda-tf-eks-module/.github/actions/utility-action@2d49d09f14fb89eea8aa769c1e757089cc7e12bd # 2.5.1 with: awscli-version: ${{ inputs.awscli-version }} terraform-version: ${{ inputs.tf-terraform-version }} @@ -122,7 +122,7 @@ runs: tf-terraform-wrapper: ${{ inputs.tf-terraform-wrapper }} - name: Checkout Repository OpenSearch modules - uses: actions/checkout@v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4 with: repository: camunda/camunda-tf-eks-module ref: ${{ inputs.tf-modules-revision }} diff --git a/.github/workflows/daily-cleanup.yml b/.github/workflows/daily-cleanup.yml index 02fe306b..931d5d52 100644 --- a/.github/workflows/daily-cleanup.yml +++ b/.github/workflows/daily-cleanup.yml 
@@ -89,7 +89,7 @@ jobs: - name: Notify in Slack in case of failure id: slack-notification if: failure() && github.event_name == 'schedule' && steps.retry-delete-orphaned-resources.outcome == 'failure' - uses: camunda/infraex-common-config/.github/actions/report-failure-on-slack@46eeb5aa8a394137a866917a310f219aaf88b1cb # main + uses: camunda/infraex-common-config/.github/actions/report-failure-on-slack@1b6af8e7117e4e9bdf777911b7a724879b59fcfe # 1.2.4 with: vault_addr: ${{ secrets.VAULT_ADDR }} vault_role_id: ${{ secrets.VAULT_ROLE_ID }} diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index 4bb911ba..a1437114 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -20,7 +20,7 @@ jobs: - name: Notify in Slack in case of failure id: slack-notification if: failure() && github.event_name == 'schedule' - uses: camunda/infraex-common-config/.github/actions/report-failure-on-slack@46eeb5aa8a394137a866917a310f219aaf88b1cb # main + uses: camunda/infraex-common-config/.github/actions/report-failure-on-slack@1b6af8e7117e4e9bdf777911b7a724879b59fcfe # 1.2.4 with: vault_addr: ${{ secrets.VAULT_ADDR }} vault_role_id: ${{ secrets.VAULT_ROLE_ID }} diff --git a/.github/workflows/links.yml b/.github/workflows/links.yml index 2d9d7467..43c27c13 100644 --- a/.github/workflows/links.yml +++ b/.github/workflows/links.yml @@ -46,7 +46,7 @@ jobs: - name: Notify in Slack in case of failure id: slack-notification if: failure() && github.event_name == 'schedule' - uses: camunda/infraex-common-config/.github/actions/report-failure-on-slack@46eeb5aa8a394137a866917a310f219aaf88b1cb # main + uses: camunda/infraex-common-config/.github/actions/report-failure-on-slack@1b6af8e7117e4e9bdf777911b7a724879b59fcfe # 1.2.4 with: vault_addr: ${{ secrets.VAULT_ADDR }} vault_role_id: ${{ secrets.VAULT_ROLE_ID }} diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 98724737..1f69245a 100644 --- a/.github/workflows/lint.yml 
+++ b/.github/workflows/lint.yml @@ -9,5 +9,5 @@ on: jobs: lint: - uses: camunda/infraex-common-config/.github/workflows/lint-global.yml@7e7ae626961c7766d7612620374b7c4944f420db # 1.2.3 + uses: camunda/infraex-common-config/.github/workflows/lint-global.yml@1b6af8e7117e4e9bdf777911b7a724879b59fcfe # 1.2.4 secrets: inherit diff --git a/.github/workflows/renovate-automerge.yml b/.github/workflows/renovate-automerge.yml index a42f5c0a..5b6f2173 100644 --- a/.github/workflows/renovate-automerge.yml +++ b/.github/workflows/renovate-automerge.yml @@ -11,5 +11,5 @@ concurrency: jobs: renovate-automerge: - uses: camunda/infraex-common-config/.github/workflows/automerge-global.yml@7e7ae626961c7766d7612620374b7c4944f420db # 1.2.3 + uses: camunda/infraex-common-config/.github/workflows/automerge-global.yml@1b6af8e7117e4e9bdf777911b7a724879b59fcfe # 1.2.4 secrets: inherit diff --git a/.github/workflows/test-gha-eks.yml b/.github/workflows/test-gha-eks.yml index c50ac508..07db8a13 100644 --- a/.github/workflows/test-gha-eks.yml +++ b/.github/workflows/test-gha-eks.yml @@ -1,5 +1,5 @@ --- -name: EKS Cluster with an AuroraDB creation and destruction test +name: EKS Cluster with an AuroraDB and OpenSearch creation and destruction test on: schedule: @@ -107,7 +107,7 @@ jobs: if [[ -n "${{ inputs.opensearch_username }}" ]]; then opensearch_username="${{ inputs.opensearch_username }}" else - db_username="user$(openssl rand -hex 4 | tr -d '/@" ')" + opensearch_username="user$(openssl rand -hex 4 | tr -d '/@" ')" fi echo "opensearch_username=$opensearch_username" | tee -a "$GITHUB_OUTPUT" 
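Review bot: In the `@@ -107,7` hunk of .github/workflows/test-gha-eks.yml, `${{ inputs.opensearch_username }}` is expanded into the script text before the shell runs, so the input is parsed as shell source rather than handled as data. Passing it through the step environment avoids that: add `OPENSEARCH_USERNAME_INPUT: ${{ inputs.opensearch_username }}` under the step's `env:` and test `if [[ -n "$OPENSEARCH_USERNAME_INPUT" ]]` instead (the variable name is a suggestion). The step starts and ends outside this hunk, so the other inputs it reads may need the same treatment.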
@@ -203,6 +203,13 @@ jobs: subnet-ids: ${{ steps.after_cluster_creation_infos.outputs.private_subnet_ids }} cidr-blocks: ${{ steps.after_cluster_creation_infos.outputs.private_vpc_cidr_blocks }} + additional-terraform-vars: | + { + "advanced_security_master_user_name": "${{ steps.commit_info.outputs.opensearch_username }}", + "advanced_security_master_user_password": "${{ steps.commit_info.outputs.opensearch_password }}", + "advanced_security_internal_user_database_enabled": true + } + s3-backend-bucket: ${{ env.TF_STATE_BUCKET }} s3-bucket-region: ${{ env.TF_STATE_BUCKET_REGION }} tf-modules-revision: ${{ steps.commit_info.outputs.tf_modules_revision }} @@ -220,7 +227,7 @@ jobs: - name: Notify in Slack in case of failure id: slack-notification if: failure() && github.event_name == 'schedule' - uses: camunda/infraex-common-config/.github/actions/report-failure-on-slack@46eeb5aa8a394137a866917a310f219aaf88b1cb # main + uses: camunda/infraex-common-config/.github/actions/report-failure-on-slack@1b6af8e7117e4e9bdf777911b7a724879b59fcfe # 1.2.4 with: vault_addr: ${{ secrets.VAULT_ADDR }} vault_role_id: ${{ secrets.VAULT_ROLE_ID }} diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 6253b4dd..82450dd6 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -245,7 +245,7 @@ jobs: - name: Notify in Slack in case of failure id: slack-notification if: github.event_name == 'schedule' - uses: camunda/infraex-common-config/.github/actions/report-failure-on-slack@46eeb5aa8a394137a866917a310f219aaf88b1cb # main + uses: camunda/infraex-common-config/.github/actions/report-failure-on-slack@1b6af8e7117e4e9bdf777911b7a724879b59fcfe # 1.2.4 with: vault_addr: ${{ secrets.VAULT_ADDR }} vault_role_id: ${{ secrets.VAULT_ROLE_ID }} diff --git a/README.md b/README.md index 6a5e1053..dec05752 100644 --- a/README.md +++ b/README.md 
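Review bot: The added `additional-terraform-vars` block in .github/workflows/test-gha-eks.yml builds JSON by pasting `steps.commit_info.outputs.opensearch_password` between double quotes, so a password containing `"` or `\` yields invalid or altered JSON. The step that generates the password is outside this hunk; confirm that it restricts the character set (the username path uses `openssl rand -hex`) and that it registers the value with `echo "::add-mask::$opensearch_password"` before writing it to `$GITHUB_OUTPUT`, since step outputs are not masked on their own. A one-line comment above the block stating the allowed characters would document the constraint.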
@@ -4,7 +4,7 @@ [![tests](https://github.com/camunda/camunda-tf-eks-module/actions/workflows/tests.yml/badge.svg?branch=main)](https://github.com/camunda/camunda-tf-eks-module/actions/workflows/tests.yml) [![License](https://img.shields.io/github/license/camunda/camunda-tf-eks-module)](LICENSE) -Terraform module which creates AWS EKS (Kubernetes) resources with an opinionated configuration targeting Camunda 8 and an AWS Aurora RDS cluster. +Terraform module which creates AWS EKS (Kubernetes) resources with an opinionated configuration targeting Camunda 8, an AWS Aurora RDS cluster and an OpenSearch domain. **⚠️ Warning:** This project is not intended for production use but rather for demonstration purposes only. There are no guarantees or warranties provided. @@ -15,7 +15,7 @@ Consider installing Camunda 8 via [this guide](https://docs.camunda.io/docs/next ## Usage -Below is a simple example configuration for deploying both an EKS cluster and an Aurora PostgreSQL database. +Below is a simple example configuration for deploying both an EKS cluster, an Aurora PostgreSQL database and an OpenSearch domain. See [AWS EKS Cluster inputs](./modules/eks-cluster/README.md#inputs), [AWS Aurora RDS inputs](./modules/aurora/README.md#inputs) and [AWS OpenSearch inputs](./modules/opensearch/README.md#inputs) for further configuration options and how they affect the cluster and database creation. 
@@ -76,7 +76,11 @@ module "opensearch_domain" { #### GitHub Actions -You can automate the deployment and deletion of the EKS cluster and Aurora database using GitHub Actions. Below are examples of GitHub Actions workflows for deploying and deleting these resources. +You can automate the deployment and deletion of the EKS cluster and Aurora database using GitHub Actions. + +**Note:** This is recommended only for development and testing purposes, not for production use. + +Below are examples of GitHub Actions workflows for deploying and deleting these resources. For more details, refer to the corresponding [EKS Actions README](./.github/actions/eks-manage-cluster/README.md), [Aurora Actions README](./.github/actions/aurora-manage-cluster/README.md) and [OpenSearch Actions README](./.github/actions/opensearch-manage-cluster/README.md), [Cleanup Actions README](./.github/actions/eks-cleanup-resources/README.md). 
@@ -84,8 +88,12 @@ An example workflow can be found in [here](./.github/workflows/test-gha-eks.yml) #### Advanced usage with IRSA -This documentation provides a step-by-step guide to creating an EKS cluster, an Aurora RDS instance, and an OpenSearch domain with IRSA (IAM Roles for Service Accounts) roles using Terraform modules. -The modules create the necessary IAM roles and policies for Aurora and OpenSearch. To simplify the configuration, the modules use the outputs of the EKS cluster module to define the IRSA roles and policies. +This documentation provides a step-by-step guide to creating an EKS cluster, an Aurora RDS instance, and an OpenSearch domain with IRSA (IAM Roles for Service Accounts) roles using Terraform modules. The modules create the necessary IAM roles and policies for Aurora and OpenSearch. To simplify the configuration, the modules use the outputs of the EKS cluster module to define the IRSA roles and policies. + +For further details and a more in-depth configuration, it is recommended to refer to the official documentation at: +- [Amazon EKS Terraform setup](https://docs.camunda.io/docs/self-managed/setup/deploy/amazon/amazon-eks/eks-terraform/) +- [IRSA roles setup](https://docs.camunda.io/docs/self-managed/setup/deploy/amazon/amazon-eks/irsa/) + ### Aurora IRSA Role and Policy 
@@ -93,11 +101,12 @@ The Aurora module uses the following outputs from the EKS cluster module to defi - `module.eks_cluster.oidc_provider_arn`: The ARN of the OIDC provider for the EKS cluster. - `module.eks_cluster.oidc_provider_id`: The ID of the OIDC provider for the EKS cluster. -- `var.account_id`: Your account id +- `var.account_id`: Your AWS account id - `var.aurora_cluster_name`: The name of the Aurora cluster to access -- `var.aurora_irsa_username`: The username of the user used to access to the AuroraDB -- `var.aurora_namespace`: The namespace to allow access -- `var.aurora_service_account`: The ServiceAccount to allow access +Here is the corrected version: +- `var.aurora_irsa_username`: The username used to access AuroraDB. This username is different from the superuser. The user must also be created manually in the database to enable the IRSA connection, as described in [the steps below](#create-irsa-user-on-the-database). +- `var.aurora_namespace`: The kubernetes namespace to allow access +- `var.aurora_service_account`: The kubernetes ServiceAccount to allow access You need to define the IAM role trust policy and access policy for Aurora. Here's an example of how to define these policies using the outputs of the EKS cluster module: 
@@ -146,18 +155,35 @@ EOF } ``` +#### Create IRSA User on the Database + +Once the database is up, you will need to connect to it using the superuser credentials defined in the module (`username`, `password`). + +```bash +echo "Creating IRSA DB user using admin user" +psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=$AURORA_DB_NAME user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ + -c "CREATE USER \"${AURORA_USERNAME_IRSA}\" WITH LOGIN;" \ + -c "GRANT rds_iam TO \"${AURORA_USERNAME_IRSA}\";" \ + -c "GRANT rds_superuser TO \"${AURORA_USERNAME_IRSA}\";" \ + -c "GRANT ALL PRIVILEGES ON DATABASE \"${AURORA_DB_NAME}\" TO \"${AURORA_USERNAME_IRSA}\";" \ + -c "SELECT aurora_version();" \ + -c "SELECT version();" -c "\du" +``` + +The permissions can be adapted as needed. However, the most important permission is `rds_iam`, which is required for using IRSA with the database. + +A complete example of a pod to [create the database is available](modules/fixtures/postgres-client.yml). + ### OpenSearch IRSA Role and Policy The OpenSearch module uses the following outputs from the EKS cluster module to define the IRSA role and policy: - `module.eks_cluster.oidc_provider_arn`: The ARN of the OIDC provider for the EKS cluster. - `module.eks_cluster.oidc_provider_id`: The ID of the OIDC provider for the EKS cluster. -- `var.account_id`: Your account id +- `var.account_id`: Your AWS account id - `var.opensearch_domain_name`: The name of the OpenSearch domain to access -- `var.opensearch_namespace`: The namespace to allow access -- `var.opensearch_service_account`: The ServiceAccount to allow access - -You need to define the IAM role trust policy and access policy for OpenSearch. Here's an example of how to define these policies using the outputs of the EKS cluster module: +- `var.opensearch_namespace`: The kubernetes namespace to allow access +- `var.opensearch_service_account`: The kubernetes ServiceAccount to allow access ```hcl module "opensearch_domain" { 
diff --git a/modules/fixtures/opensearch-client.yml b/modules/fixtures/opensearch-client.yml index ad8d336a..3dcc8a39 100644 --- a/modules/fixtures/opensearch-client.yml +++ b/modules/fixtures/opensearch-client.yml @@ -22,12 +22,7 @@ spec: set -euxo pipefail echo "Installing dependencies..." - yum install -y unzip - - echo "Installing AWS CLI..." - curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" - unzip awscliv2.zip - ./aws/install + yum install -y unzip awscli-2 echo "Installing OpenSearch CLI..." curl -L "https://github.com/opensearch-project/opensearch-cli/releases/download/v1.2.0/opensearch-cli-1.2.0-linux-x64.zip" -o "opensearch.zip" diff --git a/modules/fixtures/postgres-client.yml b/modules/fixtures/postgres-client.yml index 359cb65b..7e63e51c 100644 --- a/modules/fixtures/postgres-client.yml +++ b/modules/fixtures/postgres-client.yml @@ -14,7 +14,7 @@ spec: restartPolicy: Never containers: - name: postgres-client - image: ubuntu:latest + image: amazonlinux:latest command: - sh - -c @@ -23,13 +23,7 @@ spec: set -o pipefail echo "Installing dependencies..." - apt-get update - apt-get install -y curl postgresql-client unzip - - echo "Installing AWS CLI..." - curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" - unzip awscliv2.zip - ./aws/install + yum install -y curl postgresql unzip awscli-2 echo "Creating IRSA db user using admin user" psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=$AURORA_DB_NAME user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ diff --git a/test/src/custom_eks_opensearch_test.go b/test/src/custom_eks_opensearch_test.go index 20bd33ac..386de6e4 100644 --- a/test/src/custom_eks_opensearch_test.go +++ b/test/src/custom_eks_opensearch_test.go 
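Review bot: The new `image: amazonlinux:latest` in `modules/fixtures/postgres-client.yml` is a floating tag, so the Job that receives the Aurora admin credentials runs whatever that tag resolves to at pull time, and `yum install` then adds unpinned packages on top. Pin the base image to a release tag plus digest, for example `image: amazonlinux:<release>@sha256:<digest>` (placeholders), so the fixture is reproducible and a changed upstream image cannot silently reach the credentials. The same tag is used in `examples/camunda-8.6-irsa/irsa-postgres-create-db.yml` later in this series. In the opensearch-client hunk the OpenSearch CLI archive is still fetched with `curl -L` and no checksum comparison is visible; a `sha256sum -c` step against a recorded hash would cover that download. Both script bodies continue outside their hunks.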
@@ -318,7 +318,7 @@ func (suite *CustomEKSOpenSearchTestSuite) TestCustomEKSAndOpenSearch() { suite.Assert().NoError(err) } - // deploy the postgres-client Job to test the connection + // deploy the opensearch-client Job to test the connection k8s.KubectlApply(suite.T(), openSearchKubectlOptions, "../../modules/fixtures/opensearch-client.yml") errJob := utils.WaitForJobCompletion(kubeClient, openSearchNamespace, "opensearch-client", 5*time.Minute, jobListOptions) suite.Require().NoError(errJob) From 2c690f22681f57f1b467ef6b7420589c9e5055b2 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Thu, 10 Oct 2024 11:44:46 +0200 Subject: [PATCH 048/135] indicates how to retrieve the role arn --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index dec05752..55ee3a51 100644 --- a/README.md +++ b/README.md @@ -245,6 +245,7 @@ metadata: annotations: eks.amazonaws.com/role-arn: :role/AuroraRole> ``` +You can retrieve the role ARN from the module output: `aurora_role_arn`. **OpenSearch Service Account** @@ -257,6 +258,7 @@ metadata: annotations: eks.amazonaws.com/role-arn: :role/OpenSearchRole> ``` +You can retrieve the role ARN from the module output: `opensearch_role_arn`. ## Support From 0743538c011288d6fc1f70613e84cbcb9c12106c Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Thu, 10 Oct 2024 11:47:04 +0200 Subject: [PATCH 049/135] downscale opensearch instances --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 55ee3a51..bf5b2f65 100644 --- a/README.md +++ b/README.md @@ -62,7 +62,7 @@ module "opensearch_domain" { cidr_blocks = concat(module.eks_cluster.private_vpc_cidr_blocks, module.eks_cluster.public_vpc_cidr_blocks) instance_type = "t3.small.search" - instance_count = 4 + instance_count = 2 ebs_volume_size = 100 advanced_security_enabled = true 
From c3f0909bc8746746bc7cc03e3a65423274bff60c Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Thu, 10 Oct 2024 13:42:56 +0200 Subject: [PATCH 050/135] update reference doc --- examples/camunda-8.6-irsa/README.md | 4 + examples/camunda-8.6-irsa/cluster.tf | 10 +++ examples/camunda-8.6-irsa/config.tf | 18 ++++ examples/camunda-8.6-irsa/db.tf | 71 ++++++++++++++++ .../irsa-postgres-create-db.yml | 0 examples/camunda-8.6-irsa/opensearch.tf | 84 +++++++++++++++++++ examples/camunda-8.6-irsa/output.tf | 29 +++++++ examples/camunda-8.6/README.md | 4 + examples/camunda-8.6/db.tf | 3 +- examples/camunda-8.6/opensearch.tf | 4 +- examples/camunda-8.6/output.tf | 19 +++++ 11 files changed, 242 insertions(+), 4 deletions(-) create mode 100644 examples/camunda-8.6-irsa/README.md create mode 100644 examples/camunda-8.6-irsa/cluster.tf create mode 100644 examples/camunda-8.6-irsa/config.tf create mode 100644 examples/camunda-8.6-irsa/db.tf rename examples/{camunda-8.6 => camunda-8.6-irsa}/irsa-postgres-create-db.yml (100%) create mode 100644 examples/camunda-8.6-irsa/opensearch.tf create mode 100644 examples/camunda-8.6-irsa/output.tf create mode 100644 examples/camunda-8.6/README.md create mode 100644 examples/camunda-8.6/output.tf diff --git a/examples/camunda-8.6-irsa/README.md b/examples/camunda-8.6-irsa/README.md new file mode 100644 index 00000000..4ca0d850 --- /dev/null +++ b/examples/camunda-8.6-irsa/README.md @@ -0,0 +1,4 @@ +# Camunda 8.6 on AWS EKS with IRSA + +This folder describes the IaC of Camunda 8.6 on AWS EKS with IRSA. +Instructions can be found on the official documentation: https://docs.camunda.io/docs/self-managed/setup/deploy/amazon/amazon-eks/eks-terraform/ diff --git a/examples/camunda-8.6-irsa/cluster.tf b/examples/camunda-8.6-irsa/cluster.tf new file mode 100644 index 00000000..e5d7bbb7 --- /dev/null +++ b/examples/camunda-8.6-irsa/cluster.tf 
@@ -0,0 +1,10 @@
+module "eks_cluster" {
+ source = "git::https://github.com/camunda/camunda-tf-eks-module//modules/eks-cluster?ref=feature/opensearch"
+
+ region = "eu-west-2" # Change this to your desired AWS region
+ name = "cluster-name" # Change this to a name of your choice
+
+ # Set CIDR ranges or use the defaults
+ cluster_service_ipv4_cidr = "10.190.0.0/16"
+ cluster_node_ipv4_cidr = "10.192.0.0/16"
+}
diff --git a/examples/camunda-8.6-irsa/config.tf b/examples/camunda-8.6-irsa/config.tf
new file mode 100644
index 00000000..035255eb
--- /dev/null
+++ b/examples/camunda-8.6-irsa/config.tf
@@ -0,0 +1,18 @@
+terraform {
+ required_version = ">= 1.0"
+
+ backend "s3" {
+ bucket = "my-eks-tf-state"
+ key = "camunda-terraform/terraform.tfstate"
+ encrypt = true
+ }
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.69"
+ }
+ }
+}
+
+provider "aws" {}
diff --git a/examples/camunda-8.6-irsa/db.tf b/examples/camunda-8.6-irsa/db.tf
new file mode 100644
index 00000000..93e31d84
--- /dev/null
+++ b/examples/camunda-8.6-irsa/db.tf
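Review bot: The module `source` in `cluster.tf` is pinned with `?ref=feature/opensearch`, a branch that can move, so each `terraform init` may pull different code into a configuration that creates the cluster and its IAM roles. Reference an immutable release tag or a full commit SHA instead, for example `?ref=<release-tag-or-commit-sha>` (placeholder); `db.tf` in the same commit uses the same branch ref. In `config.tf` the `backend "s3"` block sets `encrypt = true` but configures no state locking, so a short comment such as `# add dynamodb_table = "<lock-table>" to prevent concurrent applies` would help readers who copy the example.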
@@ -0,0 +1,71 @@ +locals { + aurora_cluster_name = "cluster-name-postgresql" # Replace "cluster-name" with your cluster's name + + # IRSA configuration + aurora_irsa_username = "secret_user_irsa" # This is the username that will be used for IRSA connection to the DB + camunda_webmodeler_service_account = "webmodeler-sa" # Replace with your Kubernetes ServiceAcccount that will be created for WebModeler + camunda_identity_service_account = "identity-sa" # Replace with your Kubernetes ServiceAcccount that will be created for Identity + camunda_keycloak_service_account = "keycloak-sa" # Replace with your Kubernetes ServiceAcccount that will be created for Keycloak +} + +module "postgresql" { + source = "git::https://github.com/camunda/camunda-tf-eks-module//modules/aurora?ref=feature/opensearch" + engine_version = "15.8" + auto_minor_version_upgrade = false + cluster_name = locals.aurora_cluster_name + default_database_name = "camunda" + + # Supply your own secret values for username and password + username = "secret_user" + password = "secretvalue%23" + + vpc_id = module.eks_cluster.vpc_id + subnet_ids = module.eks_cluster.private_subnet_ids + cidr_blocks = concat(module.eks_cluster.private_vpc_cidr_blocks, module.eks_cluster.public_vpc_cidr_blocks) + + instance_class = "db.t3.medium" + + # IAM IRSA addition + iam_aurora_role_name = "AuroraRole-${locals.aurora_cluster_name}" # Ensure this name is unique + iam_create_aurora_role = true + iam_auth_enabled = true + + iam_aurora_access_policy = < Date: Thu, 10 Oct 2024 15:08:35 +0200 Subject: [PATCH 051/135] fix output and ensure failure --- .github/actions/aurora-manage-cluster/action.yml | 8 ++++++++ .github/actions/eks-cleanup-resources/action.yml | 2 ++ .github/actions/eks-manage-cluster/action.yml | 12 ++++++++++++ .github/actions/opensearch-manage-cluster/action.yml | 10 +++++++++- .github/actions/utility-action/action.yml | 6 ++++++ 5 files changed, 37 insertions(+), 1 deletion(-) 
diff --git a/.github/actions/aurora-manage-cluster/action.yml b/.github/actions/aurora-manage-cluster/action.yml index 6ffbbbec..f70af9a8 100644 --- a/.github/actions/aurora-manage-cluster/action.yml +++ b/.github/actions/aurora-manage-cluster/action.yml @@ -138,6 +138,8 @@ runs: id: init working-directory: ${{ inputs.tf-modules-path }}/modules/aurora/ run: | + set -euxo pipefail + cp ../fixtures/backend.tf ./ terraform version terraform init -backend-config="bucket=${{ steps.utility.outputs.TFSTATE_BUCKET }}" -backend-config="key=${{ steps.utility.outputs.TFSTATE_KEY }}" \ @@ -149,6 +151,8 @@ runs: id: plan working-directory: ${{ inputs.tf-modules-path }}/modules/aurora/ run: | + set -euxo pipefail + echo '${{ inputs.additional-terraform-vars }}' > /tmp/var.tfvars.json terraform plan -no-color -out aurora.plan \ -var-file=/tmp/var.tfvars.json \ @@ -165,6 +169,8 @@ runs: id: apply working-directory: ${{ inputs.tf-modules-path }}/modules/aurora/ run: | + set -euxo pipefail + terraform apply -no-color aurora.plan export aurora_endpoint="$(terraform output -raw aurora_endpoint)" echo "aurora_endpoint=$aurora_endpoint" >> "$GITHUB_OUTPUT" @@ -174,5 +180,7 @@ runs: id: fetch_outputs working-directory: ${{ inputs.tf-modules-path }}/modules/aurora/ run: | + set -euxo pipefail + all_outputs=$(terraform output -json | jq -c .) echo "all_terraform_outputs=$all_outputs" | tee -a "$GITHUB_OUTPUT" diff --git a/.github/actions/eks-cleanup-resources/action.yml b/.github/actions/eks-cleanup-resources/action.yml index f6e08b35..70c75d0e 100644 --- a/.github/actions/eks-cleanup-resources/action.yml +++ b/.github/actions/eks-cleanup-resources/action.yml @@ -36,6 +36,8 @@ runs: id: delete_resources shell: bash run: | + set -euxo pipefail + if [ -n "${{ inputs.tf-bucket-region }}" ]; then export AWS_S3_REGION="${{ inputs.tf-bucket-region }}" fi diff --git a/.github/actions/eks-manage-cluster/action.yml b/.github/actions/eks-manage-cluster/action.yml index cc3afc1f..8103449e 100644 
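Review bot: Adding `-x` in the Plan step makes bash trace `echo '${{ inputs.additional-terraform-vars }}' > /tmp/var.tfvars.json`, so the complete tfvars JSON is written to the job log; if callers pass database or OpenSearch credentials through that input (not visible here), they are hidden only when they happen to be registered as secrets. Use `set -euo pipefail` in steps that handle inputs or Terraform outputs, or bracket the sensitive line with `set +x` and `set -x`. The input is also expanded by the `${{ }}` template straight into the script text, so a value containing a single quote changes the script itself; passing it through `env:` (`TF_VARS_JSON: ${{ inputs.additional-terraform-vars }}`) and writing `printf '%s' "$TF_VARS_JSON" > /tmp/var.tfvars.json` avoids both problems. The same lines appear in the Plan steps of `eks-manage-cluster` and `opensearch-manage-cluster` in this commit.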
--- a/.github/actions/eks-manage-cluster/action.yml +++ b/.github/actions/eks-manage-cluster/action.yml @@ -116,6 +116,8 @@ runs: id: init working-directory: ${{ inputs.tf-modules-path }}/modules/eks-cluster/ run: | + set -euxo pipefail + cp ../fixtures/backend.tf ./ terraform version terraform init -backend-config="bucket=${{ steps.utility.outputs.TFSTATE_BUCKET }}" \ @@ -127,6 +129,8 @@ runs: id: plan working-directory: ${{ inputs.tf-modules-path }}/modules/eks-cluster/ run: | + set -euxo pipefail + echo '${{ inputs.additional-terraform-vars }}' > /tmp/var.tfvars.json terraform plan -no-color -out eks.plan \ -var-file=/tmp/var.tfvars.json \ @@ -139,6 +143,8 @@ runs: id: apply working-directory: ${{ inputs.tf-modules-path }}/modules/eks-cluster/ run: | + set -euxo pipefail + terraform apply -no-color eks.plan export cluster_endpoint="$(terraform output -raw cluster_endpoint)" echo "cluster_endpoint=$cluster_endpoint" >> "$GITHUB_OUTPUT" @@ -148,6 +154,8 @@ runs: id: fetch_outputs working-directory: ${{ inputs.tf-modules-path }}/modules/eks-cluster/ run: | + set -euxo pipefail + all_outputs=$(terraform output -json | jq -c .) echo "all_terraform_outputs=$all_outputs" | tee -a "$GITHUB_OUTPUT" @@ -156,11 +164,15 @@ runs: id: kube_config if: inputs.login == 'true' run: | + set -euxo pipefail + aws eks --region ${{ inputs.aws-region }} update-kubeconfig --name ${{ inputs.cluster-name }} - name: Output Kube Config shell: bash if: inputs.login == 'true' run: | + set -euxo pipefail + kubectl config view kubectl get ns diff --git a/.github/actions/opensearch-manage-cluster/action.yml b/.github/actions/opensearch-manage-cluster/action.yml index 179e77c3..ff5124b5 100644 --- a/.github/actions/opensearch-manage-cluster/action.yml +++ b/.github/actions/opensearch-manage-cluster/action.yml 
@@ -134,6 +134,8 @@ runs: id: init working-directory: ${{ inputs.tf-modules-path }}/modules/opensearch/ run: | + set -euxo pipefail + cp ../fixtures/backend.tf ./ terraform version terraform init -backend-config="bucket=${{ steps.utility.outputs.TFSTATE_BUCKET }}" -backend-config="key=${{ steps.utility.outputs.TFSTATE_KEY }}" \ @@ -145,6 +147,8 @@ runs: id: plan working-directory: ${{ inputs.tf-modules-path }}/modules/opensearch/ run: | + set -euxo pipefail + echo '${{ inputs.additional-terraform-vars }}' > /tmp/var.tfvars.json terraform plan -no-color -out opensearch.plan \ -var-file=/tmp/var.tfvars.json \ @@ -161,6 +165,8 @@ runs: id: apply working-directory: ${{ inputs.tf-modules-path }}/modules/opensearch/ run: | + set -euxo pipefail + terraform apply -no-color opensearch.plan - name: Fetch Terraform Outputs @@ -168,7 +174,9 @@ runs: id: fetch_outputs working-directory: ${{ inputs.tf-modules-path }}/modules/opensearch/ run: | - export opensearch_endpoint="$(terraform output -raw opensearch_endpoint)" + set -euxo pipefail + + export opensearch_endpoint="$(terraform output -raw opensearch_domain_endpoint)" echo "opensearch_endpoint=$opensearch_endpoint" >> "$GITHUB_OUTPUT" all_outputs=$(terraform output -json | jq -c .) diff --git a/.github/actions/utility-action/action.yml b/.github/actions/utility-action/action.yml index fab4c90f..1da4c276 100644 --- a/.github/actions/utility-action/action.yml +++ b/.github/actions/utility-action/action.yml @@ -79,6 +79,8 @@ runs: - name: Install AWS CLI shell: bash run: | + set -euxo pipefail + if ! command -v aws &> /dev/null; then echo "AWS CLI not found, installing..." curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64-${{ inputs.awscli-version }}.zip" -o "awscliv2.zip" @@ -93,6 +95,8 @@ runs: shell: bash id: set-terraform-variables run: | + set -euxo pipefail + export TFSTATE_BUCKET="${{ inputs.s3-backend-bucket }}" export TFSTATE_KEY="${{ inputs.tf-state-key }}" 
@@ -113,6 +117,8 @@ runs: id: create-s3-bucket shell: bash run: | + set -euxo pipefail + if aws s3api head-bucket --bucket ${{ inputs.s3-backend-bucket }} --region ${{ steps.set-terraform-variables.outputs.TFSTATE_REGION }} 2>/dev/null; then echo "Bucket already exists" else From 1140c968b15cd326fa6594e4245152d8a239047d Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Thu, 10 Oct 2024 16:18:04 +0200 Subject: [PATCH 052/135] update list of sa accounts for opensearch --- examples/camunda-8.6-irsa/opensearch.tf | 18 ++++++------------ 1 file changed, 6 insertions(+), 12 deletions(-) diff --git a/examples/camunda-8.6-irsa/opensearch.tf b/examples/camunda-8.6-irsa/opensearch.tf index 90993272..c6276dcf 100644 --- a/examples/camunda-8.6-irsa/opensearch.tf +++ b/examples/camunda-8.6-irsa/opensearch.tf 
@@ -2,14 +2,11 @@ locals { opensearch_domain_name = "domain-name-opensearch" # Replace "domain-name" with your domain name # IRSA configuration - camunda_namespace = "camunda" # Replace with your Kubernetes namespace that will host C8 Platform - camunda_zeebe_service_account = "zeebe-sa" # Replace with your Kubernetes ServiceAcccount that will be created for Zeebe - camunda_zeebe_gateway_service_account = "zeebegateway-sa" # Replace with your Kubernetes ServiceAcccount that will be created for ZeebeGateway - camunda_operate_service_account = "operate-sa" # Replace with your Kubernetes ServiceAcccount that will be created for Operate - camunda_identity_service_account = "identity-sa" # Replace with your Kubernetes ServiceAcccount that will be created for Identity - camunda_tasklist_service_account = "tasklist-sa" # Replace with your Kubernetes ServiceAcccount that will be created for TaskList - camunda_webmodeler_service_account = "webmodeler-sa" # Replace with your Kubernetes ServiceAcccount that will be created for WebModeler - camunda_connectors_service_account = "connectors-sa" # Replace with your Kubernetes ServiceAcccount that will be created for Connectors + camunda_namespace = "camunda" # Replace with your Kubernetes namespace that will host C8 Platform + camunda_zeebe_service_account = "zeebe-sa" # Replace with your Kubernetes ServiceAcccount that will be created for Zeebe + camunda_operate_service_account = "operate-sa" # Replace with your Kubernetes ServiceAcccount that will be created for Operate + camunda_tasklist_service_account = "tasklist-sa" # Replace with your Kubernetes ServiceAcccount that will be created for TaskList + camunda_optimize_service_account = "optimize-sa" # Replace with your Kubernetes ServiceAcccount that will be created for Optimize } module "opensearch_domain" { 
@@ -69,12 +66,9 @@ EOF "Condition": { "StringEquals": { "${module.eks_cluster.oidc_provider_id}:sub": "system:serviceaccount:${locals.camunda_namespace}:${locals.camunda_zeebe_service_account}", - "${module.eks_cluster.oidc_provider_id}:sub": "system:serviceaccount:${locals.camunda_namespace}:${locals.camunda_zeebe_gateway_service_account}", "${module.eks_cluster.oidc_provider_id}:sub": "system:serviceaccount:${locals.camunda_namespace}:${locals.camunda_operate_service_account}", - "${module.eks_cluster.oidc_provider_id}:sub": "system:serviceaccount:${locals.camunda_namespace}:${locals.camunda_identity_service_account}", "${module.eks_cluster.oidc_provider_id}:sub": "system:serviceaccount:${locals.camunda_namespace}:${locals.camunda_tasklist_service_account}", - "${module.eks_cluster.oidc_provider_id}:sub": "system:serviceaccount:${locals.camunda_namespace}:${locals.camunda_webmodeler_service_account}", - "${module.eks_cluster.oidc_provider_id}:sub": "system:serviceaccount:${locals.camunda_namespace}:${locals.camunda_connectors_service_account}" + "${module.eks_cluster.oidc_provider_id}:sub": "system:serviceaccount:${locals.camunda_namespace}:${locals.camunda_optimize_service_account}", } } } From 4974d657a27127a0d80fc1cccb97aa950e649070 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Thu, 10 Oct 2024 16:52:39 +0200 Subject: [PATCH 053/135] wip create database --- .../irsa-postgres-create-db.yml | 36 +++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/examples/camunda-8.6-irsa/irsa-postgres-create-db.yml b/examples/camunda-8.6-irsa/irsa-postgres-create-db.yml index e69de29b..a43351e8 100644 --- a/examples/camunda-8.6-irsa/irsa-postgres-create-db.yml +++ b/examples/camunda-8.6-irsa/irsa-postgres-create-db.yml 
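Review bot: The added `optimize` entry in the `StringEquals` block ends with a trailing comma before the closing brace, which is not valid JSON, so the trust policy document is malformed as written. The block also repeats the same `...:sub` key once per ServiceAccount; a JSON object does not carry duplicate keys reliably (parsers typically keep only one), so the role would not trust the set of accounts the example intends, and the subjects should be listed as an array under a single key. The interpolations use `locals.`, whereas Terraform references local values as `local.<name>`; the `locals` block in the first hunk of this file is where they are declared. The heredoc that holds this policy starts outside the hunk.

```hcl
# … unchanged: Effect, Principal and Action of the trust statement …
      "Condition": {
        "StringEquals": {
          "${module.eks_cluster.oidc_provider_id}:sub": [
            "system:serviceaccount:${local.camunda_namespace}:${local.camunda_zeebe_service_account}",
            "system:serviceaccount:${local.camunda_namespace}:${local.camunda_operate_service_account}",
            "system:serviceaccount:${local.camunda_namespace}:${local.camunda_tasklist_service_account}",
            "system:serviceaccount:${local.camunda_namespace}:${local.camunda_optimize_service_account}"
          ]
        }
```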
@@ -0,0 +1,36 @@
+---
+# this manifest creates the database
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: postgres-client
+ labels:
+ app: postgres-client
+spec:
+ backoffLimit: 0
+ template:
+ spec:
+ restartPolicy: Never
+ containers:
+ - name: postgres-client
+ image: amazonlinux:latest
+ command:
+ - sh
+ - -c
+ - |
+ /bin/bash <<'EOF'
+ set -o pipefail
+
+ echo "Installing dependencies..."
+ yum install -y curl postgresql unzip awscli-2
+
+ echo "Creating IRSA db user using admin user"
+ psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=$AURORA_DB_NAME user=$AURORA_USERNAME password=$AURORA_PASSWORD" \
+ -c "CREATE USER \"${AURORA_USERNAME_IRSA}\" WITH LOGIN;" \
+ -c "GRANT rds_iam TO \"${AURORA_USERNAME_IRSA}\";" \
+ -c "GRANT rds_superuser TO \"${AURORA_USERNAME_IRSA}\";" \
+ -c "GRANT ALL PRIVILEGES ON DATABASE \"${AURORA_DB_NAME}\" TO \"${AURORA_USERNAME_IRSA}\";" \
+ -c "SELECT aurora_version();" \
+ -c "SELECT version();" -c "\du"
+
+ EOF
From 4de3db4ae24cc6edfdf1463a876496f07c2da9db Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Thu, 10 Oct 2024 23:27:40 +0200 Subject: [PATCH 054/135] align instances count with number of AZs --- .../opensearch-manage-cluster/README.md | 4 +- .../opensearch-manage-cluster/action.yml | 2 +- README.md | 2 +- examples/camunda-8.6-irsa/opensearch.tf | 78 +++++++++++++++++++ examples/camunda-8.6/opensearch.tf | 27 +++++++ modules/fixtures/postgres-client.yml | 2 +- modules/opensearch/README.md | 6 +- modules/opensearch/variables.tf | 4 +- 8 files changed, 115 insertions(+), 10 deletions(-) create mode 100644 examples/camunda-8.6-irsa/opensearch.tf create mode 100644 examples/camunda-8.6/opensearch.tf
diff --git a/.github/actions/opensearch-manage-cluster/README.md b/.github/actions/opensearch-manage-cluster/README.md
index e04cb1d9..713b962f 100644
--- a/.github/actions/opensearch-manage-cluster/README.md
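Review bot: The `psql` call places `password=$AURORA_PASSWORD` inside the connection-string argument, where it becomes part of the process arguments, and `sslmode=require` encrypts the session without verifying the server certificate. Pass the password through the environment and verify the endpoint, for example `PGPASSWORD="$AURORA_PASSWORD" psql -h "$AURORA_ENDPOINT" -p "$AURORA_PORT" "sslmode=verify-full sslrootcert=<path-to-rds-ca-bundle> dbname=$AURORA_DB_NAME user=$AURORA_USERNAME"` (the CA path is a placeholder). The script sets only `pipefail`, so a failed `yum install` does not stop the Job before `psql` runs; `set -euo pipefail` would make the failure explicit.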
+++ b/.github/actions/opensearch-manage-cluster/README.md @@ -17,7 +17,7 @@ It will also install Terraform and awscli. It will output the OpenSearch domain | `subnet-ids` |

List of subnet IDs to create the domain in

| `true` | `""` | | `cidr-blocks` |

CIDR blocks to allow access from and to

| `true` | `""` | | `instance-type` |

Instance type for the OpenSearch cluster

| `false` | `t3.small.search` | -| `instance-count` |

Number of instances in the cluster

| `false` | `4` | +| `instance-count` |

Number of instances in the cluster

| `false` | `3` | | `additional-terraform-vars` |

JSON object containing additional Terraform variables

| `false` | `{}` | | `s3-backend-bucket` |

Name of the S3 bucket to store Terraform state

| `true` | `""` | | `s3-bucket-region` |

Region of the bucket containing the resources states

| `false` | `""` | @@ -94,7 +94,7 @@ This action is a `composite` action. # Number of instances in the cluster # # Required: false - # Default: 4 + # Default: 3 additional-terraform-vars: # JSON object containing additional Terraform variables diff --git a/.github/actions/opensearch-manage-cluster/action.yml b/.github/actions/opensearch-manage-cluster/action.yml index ff5124b5..8f03c593 100644 --- a/.github/actions/opensearch-manage-cluster/action.yml +++ b/.github/actions/opensearch-manage-cluster/action.yml @@ -37,7 +37,7 @@ inputs: instance-count: description: Number of instances in the cluster - default: '4' + default: '3' additional-terraform-vars: description: JSON object containing additional Terraform variables diff --git a/README.md b/README.md index bf5b2f65..6b442674 100644 --- a/README.md +++ b/README.md @@ -62,7 +62,7 @@ module "opensearch_domain" { cidr_blocks = concat(module.eks_cluster.private_vpc_cidr_blocks, module.eks_cluster.public_vpc_cidr_blocks) instance_type = "t3.small.search" - instance_count = 2 + instance_count = 3 ebs_volume_size = 100 advanced_security_enabled = true diff --git a/examples/camunda-8.6-irsa/opensearch.tf b/examples/camunda-8.6-irsa/opensearch.tf new file mode 100644 index 00000000..c4430637 --- /dev/null +++ b/examples/camunda-8.6-irsa/opensearch.tf 
@@ -0,0 +1,78 @@ +locals { + opensearch_domain_name = "domain-name-opensearch" # Replace "domain-name" with your domain name + + # IRSA configuration + camunda_namespace = "camunda" # Replace with your Kubernetes namespace that will host C8 Platform + camunda_zeebe_service_account = "zeebe-sa" # Replace with your Kubernetes ServiceAcccount that will be created for Zeebe + camunda_operate_service_account = "operate-sa" # Replace with your Kubernetes ServiceAcccount that will be created for Operate + camunda_tasklist_service_account = "tasklist-sa" # Replace with your Kubernetes ServiceAcccount that will be created for TaskList + camunda_optimize_service_account = "optimize-sa" # Replace with your Kubernetes ServiceAcccount that will be created for Optimize +} + +module "opensearch_domain" { + source = "git::https://github.com/camunda/camunda-tf-eks-module//modules/opensearch?ref=2.6.0" + domain_name = locals.opensearch_domain_name + engine_version = "2.15" + + instance_type = "t3.medium.search" + instance_count = 3 + ebs_volume_size = 50 + + subnet_ids = module.eks_cluster.private_subnet_ids + security_group_ids = module.eks_cluster.security_group_ids + vpc_id = module.eks_cluster.vpc_id + cidr_blocks = concat(module.eks_cluster.private_vpc_cidr_blocks, module.eks_cluster.public_vpc_cidr_blocks) + + advanced_security_enabled = true + advanced_security_internal_user_database_enabled = true + + # Supply your own secret values + advanced_security_master_user_name = "secret_user" + advanced_security_master_user_password = "secretvalue%23" + + depends_on = [module.eks_cluster] + + # IRSA configuration + iam_create_opensearch_role = true + iam_opensearch_role_name = "OpenSearchRole-${locals.opensearch_domain_name}" # Ensure uniqueness + + iam_opensearch_access_policy = < [cidr\_blocks](#input\_cidr\_blocks) | The CIDR blocks to allow access from and to. 
| `list(string)` | n/a | yes | | [cold\_storage\_enabled](#input\_cold\_storage\_enabled) | Indicates cold storage is enabled. | `bool` | `false` | no | | [create\_timeout](#input\_create\_timeout) | How much time to wait for the creation before timing out. | `string` | `"2h"` | no | -| [dedicated\_master\_count](#input\_dedicated\_master\_count) | Number of dedicated master nodes in the cluster. | `number` | `4` | no | +| [dedicated\_master\_count](#input\_dedicated\_master\_count) | Number of dedicated master nodes in the cluster. | `number` | `3` | no | | [dedicated\_master\_enabled](#input\_dedicated\_master\_enabled) | Indicates whether dedicated master nodes are enabled for the cluster. | `bool` | `true` | no | | [dedicated\_master\_type](#input\_dedicated\_master\_type) | Instance type of the dedicated master nodes in the cluster. | `string` | `"m4.large.search"` | no | | [domain\_endpoint\_options](#input\_domain\_endpoint\_options) | Configuration block for domain endpoint HTTP(S) related options | `any` |
{
"enforce_https": true,
"tls_security_policy": "Policy-Min-TLS-1-2-2019-07"
}
| no | @@ -109,7 +109,7 @@ No modules. | [iam\_opensearch\_access\_policy](#input\_iam\_opensearch\_access\_policy) | Access policy for OpenSearch allowing access | `string` | `" {\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"es:ESHttpGet\",\n \"es:ESHttpPut\",\n \"es:ESHttpPost\"\n ],\n \"Resource\": \"arn:aws:es:::domain//*\"\n }\n ]\n }\n\n"` | no | | [iam\_opensearch\_role\_name](#input\_iam\_opensearch\_role\_name) | Name of the OpenSearch IAM role | `string` | `"OpenSearchRole"` | no | | [iam\_role\_trust\_policy](#input\_iam\_role\_trust\_policy) | Assume role trust policy for OpenSearch role | `string` | `" {\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"Federated\": \"arn:aws:iam:::oidc-provider/oidc.eks..amazonaws.com/id/\"\n },\n \"Action\": \"sts:AssumeRoleWithWebIdentity\",\n \"Condition\": {\n \"StringEquals\": {\n \"oidc.eks..amazonaws.com/id/:sub\": \"system:serviceaccount::\"\n }\n }\n }\n ]\n }\n\n"` | no | -| [instance\_count](#input\_instance\_count) | Number of instances in the cluster. | `number` | `4` | no | +| [instance\_count](#input\_instance\_count) | Number of instances in the cluster. | `number` | `3` | no | | [instance\_type](#input\_instance\_type) | Instance type of data nodes in the cluster. | `string` | `"t3.small.search"` | no | | [ip\_address\_type](#input\_ip\_address\_type) | The IP address type for the endpoint. Valid values are ipv4 and dualstack | `string` | `"ipv4"` | no | | [kms\_key\_delete\_window\_in\_days](#input\_kms\_key\_delete\_window\_in\_days) | The number of days before the KMS key is deleted after being disabled. | `number` | `7` | no | diff --git a/modules/opensearch/variables.tf b/modules/opensearch/variables.tf index 493df1f2..66ac4999 100644 --- a/modules/opensearch/variables.tf +++ b/modules/opensearch/variables.tf 
@@ -41,7 +41,7 @@ variable "instance_type" { variable "instance_count" { type = number - default = 4 + default = 3 description = "Number of instances in the cluster." } @@ -66,7 +66,7 @@ variable "dedicated_master_type" { variable "dedicated_master_count" { type = number description = "Number of dedicated master nodes in the cluster." - default = 4 + default = 3 } variable "multi_az_with_standby_enabled" { From ce94457df8d171543dd3bf50f21ac937343d8aaf Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Fri, 11 Oct 2024 10:20:54 +0200 Subject: [PATCH 055/135] update permissions and creation example --- .../irsa-postgres-create-db.yml | 35 +++++++++++++++++-- examples/camunda-8.6-irsa/opensearch.tf | 21 +++++++++-- modules/opensearch/README.md | 2 +- modules/opensearch/variables.tf | 21 +++++++++-- 4 files changed, 71 insertions(+), 8 deletions(-) diff --git a/examples/camunda-8.6-irsa/irsa-postgres-create-db.yml b/examples/camunda-8.6-irsa/irsa-postgres-create-db.yml index a43351e8..ad0e341b 100644 --- a/examples/camunda-8.6-irsa/irsa-postgres-create-db.yml +++ b/examples/camunda-8.6-irsa/irsa-postgres-create-db.yml 
@@ -22,15 +22,44 @@ spec: set -o pipefail echo "Installing dependencies..." - yum install -y curl postgresql unzip awscli-2 + yum install -y curl postgresql15 unzip awscli-2 echo "Creating IRSA db user using admin user" psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=$AURORA_DB_NAME user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ -c "CREATE USER \"${AURORA_USERNAME_IRSA}\" WITH LOGIN;" \ -c "GRANT rds_iam TO \"${AURORA_USERNAME_IRSA}\";" \ - -c "GRANT rds_superuser TO \"${AURORA_USERNAME_IRSA}\";" \ -c "GRANT ALL PRIVILEGES ON DATABASE \"${AURORA_DB_NAME}\" TO \"${AURORA_USERNAME_IRSA}\";" \ -c "SELECT aurora_version();" \ -c "SELECT version();" -c "\du" - EOF + env: + - name: AURORA_ENDPOINT + valueFrom: + secretKeyRef: + name: irsa-db-secret + key: AURORA_ENDPOINT + - name: AURORA_PORT + valueFrom: + secretKeyRef: + name: irsa-db-secret + key: AURORA_PORT + - name: AURORA_DB_NAME + valueFrom: + secretKeyRef: + name: irsa-db-secret + key: AURORA_DB_NAME + - name: AURORA_USERNAME + valueFrom: + secretKeyRef: + name: irsa-db-secret + key: AURORA_USERNAME + - name: AURORA_PASSWORD + valueFrom: + secretKeyRef: + name: irsa-db-secret + key: AURORA_PASSWORD + - name: AURORA_USERNAME_IRSA + valueFrom: + secretKeyRef: + name: irsa-db-secret + key: AURORA_USERNAME_IRSA diff --git a/examples/camunda-8.6-irsa/opensearch.tf b/examples/camunda-8.6-irsa/opensearch.tf index c4430637..6cd00a4b 100644 --- a/examples/camunda-8.6-irsa/opensearch.tf +++ b/examples/camunda-8.6-irsa/opensearch.tf 
@@ -43,9 +43,26 @@ module "opensearch_domain" { { "Effect": "Allow", "Action": [ + "es:DescribeElasticsearchDomains", + "es:DescribeElasticsearchInstanceTypeLimits", + "es:DescribeReservedElasticsearchInstanceOfferings", + "es:DescribeReservedElasticsearchInstances", + "es:GetCompatibleElasticsearchVersions", + "es:ListDomainNames", + "es:ListElasticsearchInstanceTypes", + "es:ListElasticsearchVersions", + "es:DescribeElasticsearchDomain", + "es:DescribeElasticsearchDomainConfig", "es:ESHttpGet", - "es:ESHttpPut", - "es:ESHttpPost" + "es:ESHttpHead", + "es:GetUpgradeHistory", + "es:GetUpgradeStatus", + "es:ListTags", + "es:AddTags", + "es:RemoveTags", + "es:ESHttpDelete", + "es:ESHttpPost", + "es:ESHttpPut" ], "Resource": "arn:aws:es:${module.eks_cluster.region}:${module.eks_cluster.aws_caller_identity_account_id}:domain/${var.opensearch_domain_name}/*" } diff --git a/modules/opensearch/README.md b/modules/opensearch/README.md index f3086546..586d8a0a 100644 --- a/modules/opensearch/README.md +++ b/modules/opensearch/README.md 
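Review bot: The widened `Action` list gives the IRSA role far more than data-plane access: `es:AddTags`, `es:RemoveTags`, the `es:Describe*`/`es:GetUpgrade*` configuration reads and `es:ESHttpDelete` all become available to whichever pods the trust policy admits (the Zeebe, Operate, Tasklist and Optimize service accounts, judging by the other hunks on this page). A workload role normally needs only the HTTP verbs it actually issues, so I would keep a statement such as `"Action": ["es:ESHttpGet", "es:ESHttpHead", "es:ESHttpPost", "es:ESHttpPut", "es:ESHttpDelete"]` and add control-plane actions only when a component is known to call them. Several of the added actions (for example `es:ListDomainNames` and `es:ListElasticsearchVersions`) do not, as far as I know, support resource-level permissions, so with `Resource` set to `domain/<name>/*` they probably grant nothing and only obscure what the policy really allows. The same list is added as the default of `iam_opensearch_access_policy` in modules/opensearch/variables.tf (hunk `@@ -304,9 +304,26 @@`), where it becomes what every module consumer gets unless they override it. The heredoc that holds this policy starts outside the hunk.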
@@ -106,7 +106,7 @@ No modules. | [enable\_access\_policy](#input\_enable\_access\_policy) | Determines whether an access policy will be applied to the domain | `bool` | `true` | no | | [engine\_version](#input\_engine\_version) | OpenSearch version for the domain. | `string` | `"2.15"` | no | | [iam\_create\_opensearch\_role](#input\_iam\_create\_opensearch\_role) | Flag to determine if the OpenSearch role should be created | `bool` | `false` | no | -| [iam\_opensearch\_access\_policy](#input\_iam\_opensearch\_access\_policy) | Access policy for OpenSearch allowing access | `string` | `" {\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"es:ESHttpGet\",\n \"es:ESHttpPut\",\n \"es:ESHttpPost\"\n ],\n \"Resource\": \"arn:aws:es:::domain//*\"\n }\n ]\n }\n\n"` | no | +| [iam\_opensearch\_access\_policy](#input\_iam\_opensearch\_access\_policy) | Access policy for OpenSearch allowing access | `string` | `" {\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"es:DescribeElasticsearchDomains\",\n \"es:DescribeElasticsearchInstanceTypeLimits\",\n \"es:DescribeReservedElasticsearchInstanceOfferings\",\n \"es:DescribeReservedElasticsearchInstances\",\n \"es:GetCompatibleElasticsearchVersions\",\n \"es:ListDomainNames\",\n \"es:ListElasticsearchInstanceTypes\",\n \"es:ListElasticsearchVersions\",\n \"es:DescribeElasticsearchDomain\",\n \"es:DescribeElasticsearchDomainConfig\",\n \"es:ESHttpGet\",\n \"es:ESHttpHead\",\n \"es:GetUpgradeHistory\",\n \"es:GetUpgradeStatus\",\n \"es:ListTags\",\n \"es:AddTags\",\n \"es:RemoveTags\",\n \"es:ESHttpDelete\",\n \"es:ESHttpPost\",\n \"es:ESHttpPut\"\n ],\n \"Resource\": \"arn:aws:es:::domain//*\"\n }\n ]\n }\n\n"` | no | | [iam\_opensearch\_role\_name](#input\_iam\_opensearch\_role\_name) | Name of the OpenSearch IAM role | `string` | `"OpenSearchRole"` | no | | [iam\_role\_trust\_policy](#input\_iam\_role\_trust\_policy) | Assume role 
trust policy for OpenSearch role | `string` | `" {\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"Federated\": \"arn:aws:iam:::oidc-provider/oidc.eks..amazonaws.com/id/\"\n },\n \"Action\": \"sts:AssumeRoleWithWebIdentity\",\n \"Condition\": {\n \"StringEquals\": {\n \"oidc.eks..amazonaws.com/id/:sub\": \"system:serviceaccount::\"\n }\n }\n }\n ]\n }\n\n"` | no | | [instance\_count](#input\_instance\_count) | Number of instances in the cluster. | `number` | `3` | no | diff --git a/modules/opensearch/variables.tf b/modules/opensearch/variables.tf index 66ac4999..3ee964d5 100644 --- a/modules/opensearch/variables.tf +++ b/modules/opensearch/variables.tf @@ -304,9 +304,26 @@ variable "iam_opensearch_access_policy" { { "Effect": "Allow", "Action": [ + "es:DescribeElasticsearchDomains", + "es:DescribeElasticsearchInstanceTypeLimits", + "es:DescribeReservedElasticsearchInstanceOfferings", + "es:DescribeReservedElasticsearchInstances", + "es:GetCompatibleElasticsearchVersions", + "es:ListDomainNames", + "es:ListElasticsearchInstanceTypes", + "es:ListElasticsearchVersions", + "es:DescribeElasticsearchDomain", + "es:DescribeElasticsearchDomainConfig", "es:ESHttpGet", - "es:ESHttpPut", - "es:ESHttpPost" + "es:ESHttpHead", + "es:GetUpgradeHistory", + "es:GetUpgradeStatus", + "es:ListTags", + "es:AddTags", + "es:RemoveTags", + "es:ESHttpDelete", + "es:ESHttpPost", + "es:ESHttpPut" ], "Resource": "arn:aws:es:::domain//*" } From 0bf7dca43d427e551e0804e6711e72b2e8d95d88 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Fri, 11 Oct 2024 13:45:04 +0200 Subject: [PATCH 056/135] tag modules --- examples/camunda-8.6-irsa/cluster.tf | 2 +- examples/camunda-8.6-irsa/db.tf | 2 +- examples/camunda-8.6/cluster.tf | 2 +- examples/camunda-8.6/db.tf | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/examples/camunda-8.6-irsa/cluster.tf b/examples/camunda-8.6-irsa/cluster.tf index e5d7bbb7..e5e23621 100644 --- a/examples/camunda-8.6-irsa/cluster.tf +++ b/examples/camunda-8.6-irsa/cluster.tf @@ -1,5 +1,5 @@ module "eks_cluster" { - source = "git::https://github.com/camunda/camunda-tf-eks-module//modules/eks-cluster?ref=feature/opensearch" + source = "git::https://github.com/camunda/camunda-tf-eks-module//modules/eks-cluster?ref=2.6.0" region = "eu-west-2" # Change this to your desired AWS region name = "cluster-name" # Change this to a name of your choice diff --git a/examples/camunda-8.6-irsa/db.tf b/examples/camunda-8.6-irsa/db.tf index 93e31d84..2e26d98c 100644 --- a/examples/camunda-8.6-irsa/db.tf +++ b/examples/camunda-8.6-irsa/db.tf @@ -9,7 +9,7 @@ locals { } module "postgresql" { - source = "git::https://github.com/camunda/camunda-tf-eks-module//modules/aurora?ref=feature/opensearch" + source = "git::https://github.com/camunda/camunda-tf-eks-module//modules/aurora?ref=2.6.0" engine_version = "15.8" auto_minor_version_upgrade = false cluster_name = locals.aurora_cluster_name diff --git a/examples/camunda-8.6/cluster.tf b/examples/camunda-8.6/cluster.tf index e5d7bbb7..e5e23621 100644 --- a/examples/camunda-8.6/cluster.tf +++ b/examples/camunda-8.6/cluster.tf @@ -1,5 +1,5 @@ module "eks_cluster" { - source = "git::https://github.com/camunda/camunda-tf-eks-module//modules/eks-cluster?ref=feature/opensearch" + source = "git::https://github.com/camunda/camunda-tf-eks-module//modules/eks-cluster?ref=2.6.0" region = "eu-west-2" # Change this to your desired AWS region name = "cluster-name" # Change this to a name of your choice diff --git a/examples/camunda-8.6/db.tf b/examples/camunda-8.6/db.tf index 26886897..de5d1688 100644 --- a/examples/camunda-8.6/db.tf +++ b/examples/camunda-8.6/db.tf 
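Review bot: The new `?ref=2.6.0` in the `eks_cluster` module source is a tag, and a Git tag can be moved or recreated, so the example still pulls whatever the upstream repository serves under that name at `terraform init` time. For infrastructure code that creates IAM roles and network rules, pinning to the immutable commit is the stronger supply-chain control: `source = "git::https://github.com/camunda/camunda-tf-eks-module//modules/eks-cluster?ref=<full-commit-sha-of-2.6.0>"`, with a trailing comment naming the release for readability. The same applies to the `aurora` source in both `db.tf` hunks and to the `examples/camunda-8.6/cluster.tf` hunk of this commit.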
@@ -3,7 +3,7 @@ locals { } module "postgresql" { - source = "git::https://github.com/camunda/camunda-tf-eks-module//modules/aurora?ref=feature/opensearch" + source = "git::https://github.com/camunda/camunda-tf-eks-module//modules/aurora?ref=2.6.0" engine_version = "15.8" auto_minor_version_upgrade = false cluster_name = locals.aurora_cluster_name From 5a738cb8cec8dae037dfc2b8dd22b6baf4ee742b Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Mon, 14 Oct 2024 14:21:26 +0200 Subject: [PATCH 057/135] fix locals --- examples/camunda-8.6-irsa/db.tf | 12 ++++++------ examples/camunda-8.6-irsa/opensearch.tf | 12 ++++++------ examples/camunda-8.6/db.tf | 2 +- examples/camunda-8.6/opensearch.tf | 2 +- 4 files changed, 14 insertions(+), 14 deletions(-) diff --git a/examples/camunda-8.6-irsa/db.tf b/examples/camunda-8.6-irsa/db.tf index 2e26d98c..d554afce 100644 --- a/examples/camunda-8.6-irsa/db.tf +++ b/examples/camunda-8.6-irsa/db.tf @@ -12,7 +12,7 @@ module "postgresql" { source = "git::https://github.com/camunda/camunda-tf-eks-module//modules/aurora?ref=2.6.0" engine_version = "15.8" auto_minor_version_upgrade = false - cluster_name = locals.aurora_cluster_name + cluster_name = local.aurora_cluster_name default_database_name = "camunda" # Supply your own secret values for username and password @@ -26,7 +26,7 @@ module "postgresql" { instance_class = "db.t3.medium" # IAM IRSA addition - iam_aurora_role_name = "AuroraRole-${locals.aurora_cluster_name}" # Ensure this name is unique + iam_aurora_role_name = "AuroraRole-${local.aurora_cluster_name}" # Ensure this name is unique iam_create_aurora_role = true iam_auth_enabled = true 
@@ -39,7 +39,7 @@ module "postgresql" { "Action": [ "rds-db:connect" ], - "Resource": "arn:aws:rds-db:${module.eks_cluster.region}:${module.eks_cluster.aws_caller_identity_account_id}:dbuser:${locals.aurora_cluster_name}/${locals.aurora_irsa_username}" + "Resource": "arn:aws:rds-db:${module.eks_cluster.region}:${module.eks_cluster.aws_caller_identity_account_id}:dbuser:${local.aurora_cluster_name}/${local.aurora_irsa_username}" } ] } @@ -57,9 +57,9 @@ EOF "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { - "${module.eks_cluster.oidc_provider_id}:sub": "system:serviceaccount:${locals.aurora_namespace}:${locals.camunda_webmodeler_service_account}", - "${module.eks_cluster.oidc_provider_id}:sub": "system:serviceaccount:${locals.aurora_namespace}:${locals.camunda_identity_service_account}", - "${module.eks_cluster.oidc_provider_id}:sub": "system:serviceaccount:${locals.aurora_namespace}:${locals.camunda_keycloak_service_account}" + "${module.eks_cluster.oidc_provider_id}:sub": "system:serviceaccount:${local.aurora_namespace}:${local.camunda_webmodeler_service_account}", + "${module.eks_cluster.oidc_provider_id}:sub": "system:serviceaccount:${local.aurora_namespace}:${local.camunda_identity_service_account}", + "${module.eks_cluster.oidc_provider_id}:sub": "system:serviceaccount:${local.aurora_namespace}:${local.camunda_keycloak_service_account}" } } } diff --git a/examples/camunda-8.6-irsa/opensearch.tf b/examples/camunda-8.6-irsa/opensearch.tf index 6cd00a4b..2fed9e64 100644 --- a/examples/camunda-8.6-irsa/opensearch.tf +++ b/examples/camunda-8.6-irsa/opensearch.tf @@ -11,7 +11,7 @@ locals { module "opensearch_domain" { source = "git::https://github.com/camunda/camunda-tf-eks-module//modules/opensearch?ref=2.6.0" - domain_name = locals.opensearch_domain_name + domain_name = local.opensearch_domain_name engine_version = "2.15" instance_type = "t3.medium.search" 
@@ -34,7 +34,7 @@ module "opensearch_domain" { # IRSA configuration iam_create_opensearch_role = true - iam_opensearch_role_name = "OpenSearchRole-${locals.opensearch_domain_name}" # Ensure uniqueness + iam_opensearch_role_name = "OpenSearchRole-${local.opensearch_domain_name}" # Ensure uniqueness iam_opensearch_access_policy = < Date: Mon, 14 Oct 2024 14:41:20 +0200 Subject: [PATCH 058/135] fix: parameters from modules examples --- README.md | 9 ++++++--- examples/camunda-8.6-irsa/cluster.tf | 9 +++++++-- examples/camunda-8.6-irsa/db.tf | 8 ++++---- examples/camunda-8.6-irsa/opensearch.tf | 9 ++++----- examples/camunda-8.6-irsa/output.tf | 4 ++-- examples/camunda-8.6/cluster.tf | 9 +++++++-- examples/camunda-8.6/opensearch.tf | 7 +++---- examples/camunda-8.6/output.tf | 2 +- 8 files changed, 34 insertions(+), 23 deletions(-) diff --git a/README.md b/README.md index 6b442674..b654e5e2 100644 --- a/README.md +++ b/README.md @@ -28,6 +28,10 @@ module "eks_cluster" { cluster_service_ipv4_cidr = "10.190.0.0/16" cluster_node_ipv4_cidr = "10.192.0.0/16" + + output "cluster_region" { + value = "eu-central-1" + } } ``` @@ -57,7 +61,6 @@ module "opensearch_domain" { domain_name = "my-opensearch-domain" subnet_ids = module.eks_cluster.private_subnet_ids - security_group_ids = module.eks_cluster.security_group_ids vpc_id = module.eks_cluster.vpc_id cidr_blocks = concat(module.eks_cluster.private_vpc_cidr_blocks, module.eks_cluster.public_vpc_cidr_blocks) @@ -122,7 +125,7 @@ module "postgresql" { "Action": [ "rds-db:connect" ], - "Resource": "arn:aws:rds-db:${module.eks_cluster.region}:${var.account_id}:dbuser:${var.aurora_cluster_name}/${var.aurora_irsa_username}" + "Resource": "arn:aws:rds-db:${local.eks_cluster_region}:${var.account_id}:dbuser:${var.aurora_cluster_name}/${var.aurora_irsa_username}" } ] } 
@@ -201,7 +204,7 @@ module "opensearch_domain" { "es:ESHttpPut", "es:ESHttpPost" ], - "Resource": "arn:aws:es:${module.eks_cluster.region}:${var.account_id}:domain/${var.opensearch_domain_name}/*" + "Resource": "arn:aws:es:${local.eks_cluster_region}:${var.account_id}:domain/${var.opensearch_domain_name}/*" } ] } diff --git a/examples/camunda-8.6-irsa/cluster.tf b/examples/camunda-8.6-irsa/cluster.tf index e5e23621..74a945db 100644 --- a/examples/camunda-8.6-irsa/cluster.tf +++ b/examples/camunda-8.6-irsa/cluster.tf @@ -1,8 +1,13 @@ +locals { + eks_cluster_name = "cluster-name" # Change this to a name of your choice + eks_cluster_region = "eu-west-2" # Change this to your desired AWS region +} + module "eks_cluster" { source = "git::https://github.com/camunda/camunda-tf-eks-module//modules/eks-cluster?ref=2.6.0" - region = "eu-west-2" # Change this to your desired AWS region - name = "cluster-name" # Change this to a name of your choice + name = local.eks_cluster_name + region = local.eks_cluster_region # Set CIDR ranges or use the defaults cluster_service_ipv4_cidr = "10.190.0.0/16" diff --git a/examples/camunda-8.6-irsa/db.tf b/examples/camunda-8.6-irsa/db.tf index d554afce..30be591d 100644 --- a/examples/camunda-8.6-irsa/db.tf +++ b/examples/camunda-8.6-irsa/db.tf @@ -39,7 +39,7 @@ module "postgresql" { "Action": [ "rds-db:connect" ], - "Resource": "arn:aws:rds-db:${module.eks_cluster.region}:${module.eks_cluster.aws_caller_identity_account_id}:dbuser:${local.aurora_cluster_name}/${local.aurora_irsa_username}" + "Resource": "arn:aws:rds-db:${local.eks_cluster_region}:${module.eks_cluster.aws_caller_identity_account_id}:dbuser:${local.aurora_cluster_name}/${local.aurora_irsa_username}" } ] } 
@@ -57,9 +57,9 @@ EOF "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { - "${module.eks_cluster.oidc_provider_id}:sub": "system:serviceaccount:${local.aurora_namespace}:${local.camunda_webmodeler_service_account}", - "${module.eks_cluster.oidc_provider_id}:sub": "system:serviceaccount:${local.aurora_namespace}:${local.camunda_identity_service_account}", - "${module.eks_cluster.oidc_provider_id}:sub": "system:serviceaccount:${local.aurora_namespace}:${local.camunda_keycloak_service_account}" + "${module.eks_cluster.oidc_provider_id}:sub": "system:serviceaccount:${local.camunda_namespace}:${local.camunda_webmodeler_service_account}", + "${module.eks_cluster.oidc_provider_id}:sub": "system:serviceaccount:${local.camunda_namespace}:${local.camunda_identity_service_account}", + "${module.eks_cluster.oidc_provider_id}:sub": "system:serviceaccount:${local.camunda_namespace}:${local.camunda_keycloak_service_account}" } } } diff --git a/examples/camunda-8.6-irsa/opensearch.tf b/examples/camunda-8.6-irsa/opensearch.tf index 2fed9e64..13dad17d 100644 --- a/examples/camunda-8.6-irsa/opensearch.tf +++ b/examples/camunda-8.6-irsa/opensearch.tf @@ -18,10 +18,9 @@ module "opensearch_domain" { instance_count = 3 ebs_volume_size = 50 - subnet_ids = module.eks_cluster.private_subnet_ids - security_group_ids = module.eks_cluster.security_group_ids - vpc_id = module.eks_cluster.vpc_id - cidr_blocks = concat(module.eks_cluster.private_vpc_cidr_blocks, module.eks_cluster.public_vpc_cidr_blocks) + subnet_ids = module.eks_cluster.private_subnet_ids + vpc_id = module.eks_cluster.vpc_id + cidr_blocks = concat(module.eks_cluster.private_vpc_cidr_blocks, module.eks_cluster.public_vpc_cidr_blocks) advanced_security_enabled = true advanced_security_internal_user_database_enabled = true 
@@ -64,7 +63,7 @@ module "opensearch_domain" { "es:ESHttpPost", "es:ESHttpPut" ], - "Resource": "arn:aws:es:${module.eks_cluster.region}:${module.eks_cluster.aws_caller_identity_account_id}:domain/${var.opensearch_domain_name}/*" + "Resource": "arn:aws:es:${local.eks_cluster_region}:${module.eks_cluster.aws_caller_identity_account_id}:domain/${local.opensearch_domain_name}/*" } ] } diff --git a/examples/camunda-8.6-irsa/output.tf b/examples/camunda-8.6-irsa/output.tf index 685b1e8c..4aca97d9 100644 --- a/examples/camunda-8.6-irsa/output.tf +++ b/examples/camunda-8.6-irsa/output.tf @@ -14,7 +14,7 @@ output "postgres_endpoint" { } output "opensearch_endpoint" { - value = module.opensearch.opensearch_domain_endpoint + value = module.opensearch_domain.opensearch_domain_endpoint description = "The OpenSearch endpoint URL" } @@ -24,6 +24,6 @@ output "aurora_role_arn" { } output "opensearch_role_arn" { - value = module.opensearch.opensearch_role_arn + value = module.opensearch_domain.opensearch_role_arn description = "The OpenSearch Role ARN used for IRSA" } diff --git a/examples/camunda-8.6/cluster.tf b/examples/camunda-8.6/cluster.tf index e5e23621..74a945db 100644 --- a/examples/camunda-8.6/cluster.tf +++ b/examples/camunda-8.6/cluster.tf @@ -1,8 +1,13 @@ +locals { + eks_cluster_name = "cluster-name" # Change this to a name of your choice + eks_cluster_region = "eu-west-2" # Change this to your desired AWS region +} + module "eks_cluster" { source = "git::https://github.com/camunda/camunda-tf-eks-module//modules/eks-cluster?ref=2.6.0" - region = "eu-west-2" # Change this to your desired AWS region - name = "cluster-name" # Change this to a name of your choice + name = local.eks_cluster_name + region = local.eks_cluster_region # Set CIDR ranges or use the defaults cluster_service_ipv4_cidr = "10.190.0.0/16" diff --git a/examples/camunda-8.6/opensearch.tf b/examples/camunda-8.6/opensearch.tf index d6e9eff7..bb866f96 100644 --- a/examples/camunda-8.6/opensearch.tf 
+++ b/examples/camunda-8.6/opensearch.tf @@ -11,10 +11,9 @@ module "opensearch" { instance_count = 3 ebs_volume_size = 50 - subnet_ids = module.eks_cluster.private_subnet_ids - security_group_ids = module.eks_cluster.security_group_ids - vpc_id = module.eks_cluster.vpc_id - cidr_blocks = concat(module.eks_cluster.private_vpc_cidr_blocks, module.eks_cluster.public_vpc_cidr_blocks) + subnet_ids = module.eks_cluster.private_subnet_ids + vpc_id = module.eks_cluster.vpc_id + cidr_blocks = concat(module.eks_cluster.private_vpc_cidr_blocks, module.eks_cluster.public_vpc_cidr_blocks) advanced_security_enabled = true advanced_security_internal_user_database_enabled = true diff --git a/examples/camunda-8.6/output.tf b/examples/camunda-8.6/output.tf index 181dcfb4..0ba63926 100644 --- a/examples/camunda-8.6/output.tf +++ b/examples/camunda-8.6/output.tf @@ -14,6 +14,6 @@ output "postgres_endpoint" { } output "opensearch_endpoint" { - value = module.opensearch.opensearch_domain_endpoint + value = module.opensearch_domain.opensearch_domain_endpoint description = "The OpenSearch endpoint URL" } From b8ab0e602ec0fb300dc46556b3c9ddd23348e10d Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Mon, 14 Oct 2024 15:59:41 +0200 Subject: [PATCH 059/135] wip naming --- examples/camunda-8.6-irsa/cluster.tf | 4 ++-- examples/camunda-8.6-irsa/config.tf | 2 +- examples/camunda-8.6-irsa/db.tf | 4 +++- examples/camunda-8.6-irsa/opensearch.tf | 4 ++-- examples/camunda-8.6/cluster.tf | 4 ++-- examples/camunda-8.6/config.tf | 2 +- examples/camunda-8.6/db.tf | 4 +++- examples/camunda-8.6/opensearch.tf | 2 +- 8 files changed, 15 insertions(+), 11 deletions(-) diff --git a/examples/camunda-8.6-irsa/cluster.tf b/examples/camunda-8.6-irsa/cluster.tf index 74a945db..9f60f80e 100644 --- a/examples/camunda-8.6-irsa/cluster.tf +++ b/examples/camunda-8.6-irsa/cluster.tf 
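Review bot: The new `value = module.opensearch_domain.opensearch_domain_endpoint` in examples/camunda-8.6/output.tf appears to reference a module that this example does not declare. The hunk headers for examples/camunda-8.6/opensearch.tf on this page show the block as `module "opensearch" {`; only the `camunda-8.6-irsa` example names it `opensearch_domain`. If that is right, `terraform validate` will reject the output with a reference to an undeclared module. Either keep `value = module.opensearch.opensearch_domain_endpoint` in this file, or rename the block in examples/camunda-8.6/opensearch.tf to `module "opensearch_domain"` so the two examples are consistent.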
@@ -1,6 +1,6 @@ locals { - eks_cluster_name = "cluster-name" # Change this to a name of your choice - eks_cluster_region = "eu-west-2" # Change this to your desired AWS region + eks_cluster_name = "cluster-name-irsa" # Change this to a name of your choice + eks_cluster_region = "eu-west-2" # Change this to your desired AWS region } module "eks_cluster" { diff --git a/examples/camunda-8.6-irsa/config.tf b/examples/camunda-8.6-irsa/config.tf index 035255eb..3f2605c5 100644 --- a/examples/camunda-8.6-irsa/config.tf +++ b/examples/camunda-8.6-irsa/config.tf @@ -3,7 +3,7 @@ terraform { backend "s3" { bucket = "my-eks-tf-state" - key = "camunda-terraform/terraform.tfstate" + key = "camunda-terraform/terraform-irsa.tfstate" encrypt = true } diff --git a/examples/camunda-8.6-irsa/db.tf b/examples/camunda-8.6-irsa/db.tf index 30be591d..3ee9553b 100644 --- a/examples/camunda-8.6-irsa/db.tf +++ b/examples/camunda-8.6-irsa/db.tf @@ -1,5 +1,5 @@ locals { - aurora_cluster_name = "cluster-name-postgresql" # Replace "cluster-name" with your cluster's name + aurora_cluster_name = "cluster-name-pg-irsa" # Replace "cluster-name" with your cluster's name # IRSA configuration aurora_irsa_username = "secret_user_irsa" # This is the username that will be used for IRSA connection to the DB @@ -15,6 +15,8 @@ module "postgresql" { cluster_name = local.aurora_cluster_name default_database_name = "camunda" + availability_zones = ["${local.eks_cluster_region}a", "${local.eks_cluster_region}b", "${local.eks_cluster_region}c"] + # Supply your own secret values for username and password username = "secret_user" password = "secretvalue%23" diff --git a/examples/camunda-8.6-irsa/opensearch.tf b/examples/camunda-8.6-irsa/opensearch.tf index 13dad17d..58656fbb 100644 --- a/examples/camunda-8.6-irsa/opensearch.tf +++ b/examples/camunda-8.6-irsa/opensearch.tf 
@@ -1,5 +1,5 @@ locals { - opensearch_domain_name = "domain-name-opensearch" # Replace "domain-name" with your domain name + opensearch_domain_name = "domain-name-os-irsa" # Replace "domain-name" with your domain name # IRSA configuration camunda_namespace = "camunda" # Replace with your Kubernetes namespace that will host C8 Platform @@ -84,7 +84,7 @@ EOF "${module.eks_cluster.oidc_provider_id}:sub": "system:serviceaccount:${local.camunda_namespace}:${local.camunda_zeebe_service_account}", "${module.eks_cluster.oidc_provider_id}:sub": "system:serviceaccount:${local.camunda_namespace}:${local.camunda_operate_service_account}", "${module.eks_cluster.oidc_provider_id}:sub": "system:serviceaccount:${local.camunda_namespace}:${local.camunda_tasklist_service_account}", - "${module.eks_cluster.oidc_provider_id}:sub": "system:serviceaccount:${local.camunda_namespace}:${local.camunda_optimize_service_account}", + "${module.eks_cluster.oidc_provider_id}:sub": "system:serviceaccount:${local.camunda_namespace}:${local.camunda_optimize_service_account}" } } } diff --git a/examples/camunda-8.6/cluster.tf b/examples/camunda-8.6/cluster.tf index 74a945db..bac8a7b4 100644 --- a/examples/camunda-8.6/cluster.tf +++ b/examples/camunda-8.6/cluster.tf @@ -1,6 +1,6 @@ locals { - eks_cluster_name = "cluster-name" # Change this to a name of your choice - eks_cluster_region = "eu-west-2" # Change this to your desired AWS region + eks_cluster_name = "cluster-name-std" # Change this to a name of your choice + eks_cluster_region = "eu-west-2" # Change this to your desired AWS region } module "eks_cluster" { diff --git a/examples/camunda-8.6/config.tf b/examples/camunda-8.6/config.tf index 035255eb..5761d23e 100644 --- a/examples/camunda-8.6/config.tf +++ b/examples/camunda-8.6/config.tf @@ -3,7 +3,7 @@ terraform { backend "s3" { bucket = "my-eks-tf-state" - key = "camunda-terraform/terraform.tfstate" + key = "camunda-terraform/terraform-std.tfstate" encrypt = true } 
diff --git a/examples/camunda-8.6/db.tf b/examples/camunda-8.6/db.tf index fb71c46b..777d7793 100644 --- a/examples/camunda-8.6/db.tf +++ b/examples/camunda-8.6/db.tf @@ -1,5 +1,5 @@ locals { - aurora_cluster_name = "cluster-name-postgresql" # Replace "cluster-name" with your cluster's name + aurora_cluster_name = "cluster-name-pg-std" # Replace "cluster-name" with your cluster's name } module "postgresql" { @@ -9,6 +9,8 @@ module "postgresql" { cluster_name = local.aurora_cluster_name default_database_name = "camunda" + availability_zones = ["${local.eks_cluster_region}a", "${local.eks_cluster_region}b", "${local.eks_cluster_region}c"] + # Supply your own secret values for username and password username = "secret_user" password = "secretvalue%23" diff --git a/examples/camunda-8.6/opensearch.tf b/examples/camunda-8.6/opensearch.tf index bb866f96..f9723bfd 100644 --- a/examples/camunda-8.6/opensearch.tf +++ b/examples/camunda-8.6/opensearch.tf @@ -1,5 +1,5 @@ locals { - opensearch_domain_name = "domain-name-opensearch" # Replace "domain-name" with your domain name + opensearch_domain_name = "domain-name-os-std" # Replace "domain-name" with your domain name } module "opensearch" { From 4fcc9e07c57b73ae8f68591b0b23ee78e1189303 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Mon, 14 Oct 2024 16:52:31 +0200 Subject: [PATCH 060/135] fix irsa iam --- examples/camunda-8.6-irsa/db.tf | 8 +++++--- examples/camunda-8.6-irsa/opensearch.tf | 18 +++++++++++------- examples/camunda-8.6/db.tf | 7 +++++-- examples/camunda-8.6/opensearch.tf | 8 +++++--- 4 files changed, 26 insertions(+), 15 deletions(-) diff --git a/examples/camunda-8.6-irsa/db.tf b/examples/camunda-8.6-irsa/db.tf index 3ee9553b..c2ea7ebc 100644 --- a/examples/camunda-8.6-irsa/db.tf +++ b/examples/camunda-8.6-irsa/db.tf 
@@ -59,9 +59,11 @@ EOF "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { - "${module.eks_cluster.oidc_provider_id}:sub": "system:serviceaccount:${local.camunda_namespace}:${local.camunda_webmodeler_service_account}", - "${module.eks_cluster.oidc_provider_id}:sub": "system:serviceaccount:${local.camunda_namespace}:${local.camunda_identity_service_account}", - "${module.eks_cluster.oidc_provider_id}:sub": "system:serviceaccount:${local.camunda_namespace}:${local.camunda_keycloak_service_account}" + "${module.eks_cluster.oidc_provider_id}:sub": [ + "system:serviceaccount:${local.camunda_namespace}:${local.camunda_webmodeler_service_account}", + "system:serviceaccount:${local.camunda_namespace}:${local.camunda_identity_service_account}", + "system:serviceaccount:${local.camunda_namespace}:${local.camunda_keycloak_service_account}" + ] } } } diff --git a/examples/camunda-8.6-irsa/opensearch.tf b/examples/camunda-8.6-irsa/opensearch.tf index 58656fbb..450bff8e 100644 --- a/examples/camunda-8.6-irsa/opensearch.tf +++ b/examples/camunda-8.6-irsa/opensearch.tf @@ -1,6 +1,9 @@ locals { opensearch_domain_name = "domain-name-os-irsa" # Replace "domain-name" with your domain name + opensearch_master_username = "secret_user" # Replace with your opensearch username + opensearch_master_password = "Secretvalue$23" # Replace with your opensearch password + # IRSA configuration camunda_namespace = "camunda" # Replace with your Kubernetes namespace that will host C8 Platform camunda_zeebe_service_account = "zeebe-sa" # Replace with your Kubernetes ServiceAcccount that will be created for Zeebe 
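Review bot: The `StringEquals` block in the db.tf trust policy constrains only the `:sub` claim, so the role accepts any token from this OIDC provider whose subject matches, whatever audience it was minted for. The usual IRSA hardening is to require the STS audience as well, by adding `"${module.eks_cluster.oidc_provider_id}:aud": "sts.amazonaws.com"` next to the `:sub` list inside the same `StringEquals`. Turning the three duplicate keys into one array is the right fix for the subject match; the audience check is a separate, missing condition. The same applies to the OpenSearch role trust policy changed in examples/camunda-8.6-irsa/opensearch.tf (hunk `@@ -81,10 +83,12 @@`). The policy heredoc begins outside this hunk.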
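Review bot: `opensearch_master_password = "Secretvalue$23"` in the new `locals` block of examples/camunda-8.6-irsa/opensearch.tf puts the domain's master credential in version control, and this commit removes the `# Supply your own secret values` comment that warned readers to replace it. Examples get copied verbatim, so I would declare an input variable with `sensitive = true` and no default, and wire it as `advanced_security_master_user_password = var.opensearch_master_password`, leaving the value to come from `TF_VAR_…` or a secrets manager. The value will still be written to the state file, so the encrypted S3 backend configured in config.tf also needs restricted access. The same pattern is introduced for `aurora_master_password` in examples/camunda-8.6/db.tf and for `opensearch_master_password` in examples/camunda-8.6/opensearch.tf in this commit, and again in examples/camunda-8.6-irsa/db.tf in the following commit.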
@@ -25,9 +28,8 @@ module "opensearch_domain" { advanced_security_enabled = true advanced_security_internal_user_database_enabled = true - # Supply your own secret values - advanced_security_master_user_name = "secret_user" - advanced_security_master_user_password = "secretvalue%23" + advanced_security_master_user_name = local.opensearch_master_username + advanced_security_master_user_password = local.opensearch_master_password depends_on = [module.eks_cluster] @@ -81,10 +83,12 @@ EOF "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { - "${module.eks_cluster.oidc_provider_id}:sub": "system:serviceaccount:${local.camunda_namespace}:${local.camunda_zeebe_service_account}", - "${module.eks_cluster.oidc_provider_id}:sub": "system:serviceaccount:${local.camunda_namespace}:${local.camunda_operate_service_account}", - "${module.eks_cluster.oidc_provider_id}:sub": "system:serviceaccount:${local.camunda_namespace}:${local.camunda_tasklist_service_account}", - "${module.eks_cluster.oidc_provider_id}:sub": "system:serviceaccount:${local.camunda_namespace}:${local.camunda_optimize_service_account}" + "${module.eks_cluster.oidc_provider_id}:sub": [ + "system:serviceaccount:${local.camunda_namespace}:${local.camunda_zeebe_service_account}", + "system:serviceaccount:${local.camunda_namespace}:${local.camunda_operate_service_account}", + "system:serviceaccount:${local.camunda_namespace}:${local.camunda_tasklist_service_account}", + "system:serviceaccount:${local.camunda_namespace}:${local.camunda_optimize_service_account}" + ] } } } diff --git a/examples/camunda-8.6/db.tf b/examples/camunda-8.6/db.tf index 777d7793..e1e1e697 100644 --- a/examples/camunda-8.6/db.tf +++ b/examples/camunda-8.6/db.tf 
@@ -1,5 +1,8 @@ locals { aurora_cluster_name = "cluster-name-pg-std" # Replace "cluster-name" with your cluster's name + + aurora_master_username = "secret_user" # Replace with your Aurora username + aurora_master_password = "secretvalue%23" # Replace with your Aurora password } module "postgresql" { @@ -12,8 +15,8 @@ module "postgresql" { availability_zones = ["${local.eks_cluster_region}a", "${local.eks_cluster_region}b", "${local.eks_cluster_region}c"] # Supply your own secret values for username and password - username = "secret_user" - password = "secretvalue%23" + username = local.aurora_master_username + password = local.aurora_master_password vpc_id = module.eks_cluster.vpc_id subnet_ids = module.eks_cluster.private_subnet_ids diff --git a/examples/camunda-8.6/opensearch.tf b/examples/camunda-8.6/opensearch.tf index f9723bfd..b4710d04 100644 --- a/examples/camunda-8.6/opensearch.tf +++ b/examples/camunda-8.6/opensearch.tf @@ -1,5 +1,8 @@ locals { opensearch_domain_name = "domain-name-os-std" # Replace "domain-name" with your domain name + + opensearch_master_username = "secret_user" # Replace with your opensearch username + opensearch_master_password = "Secretvalue$23" # Replace with your opensearch password } module "opensearch" { @@ -18,9 +21,8 @@ module "opensearch" { advanced_security_enabled = true advanced_security_internal_user_database_enabled = true - # Supply your own secret values - advanced_security_master_user_name = "secret_user" - advanced_security_master_user_password = "secretvalue%23" + advanced_security_master_user_name = local.opensearch_master_username + advanced_security_master_user_password = local.opensearch_master_password depends_on = [module.eks_cluster] } From 622b0515140b0924b59e1922b0b88e95128e9cbc Mon Sep 17 00:00:00 2001 
From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Mon, 14 Oct 2024 18:02:14 +0200 Subject: [PATCH 061/135] fix files --- examples/camunda-8.6-irsa/db.tf | 12 ++++++++---- .../camunda-8.6-irsa/irsa-postgres-create-db.yml | 8 ++++---- examples/camunda-8.6/db.tf | 5 +++-- 3 files changed, 15 insertions(+), 10 deletions(-) diff --git a/examples/camunda-8.6-irsa/db.tf b/examples/camunda-8.6-irsa/db.tf index c2ea7ebc..a7a2f86e 100644 --- a/examples/camunda-8.6-irsa/db.tf +++ b/examples/camunda-8.6-irsa/db.tf @@ -1,6 +1,11 @@ locals { aurora_cluster_name = "cluster-name-pg-irsa" # Replace "cluster-name" with your cluster's name + aurora_master_username = "secret_user" # Replace with your Aurora username + aurora_master_password = "secretvalue%23" # Replace with your Aurora password + + camunda_database = "camunda" # Name of your camunda database + # IRSA configuration aurora_irsa_username = "secret_user_irsa" # This is the username that will be used for IRSA connection to the DB camunda_webmodeler_service_account = "webmodeler-sa" # Replace with your Kubernetes ServiceAcccount that will be created for WebModeler @@ -13,13 +18,12 @@ module "postgresql" { engine_version = "15.8" auto_minor_version_upgrade = false cluster_name = local.aurora_cluster_name - default_database_name = "camunda" + default_database_name = local.camunda_database availability_zones = ["${local.eks_cluster_region}a", "${local.eks_cluster_region}b", "${local.eks_cluster_region}c"] - # Supply your own secret values for username and password - username = "secret_user" - password = "secretvalue%23" + username = local.aurora_master_username + password = local.aurora_master_password vpc_id = module.eks_cluster.vpc_id subnet_ids = module.eks_cluster.private_subnet_ids diff --git a/examples/camunda-8.6-irsa/irsa-postgres-create-db.yml b/examples/camunda-8.6-irsa/irsa-postgres-create-db.yml index ad0e341b..c2e24fa5 100644 --- a/examples/camunda-8.6-irsa/irsa-postgres-create-db.yml 
+++ b/examples/camunda-8.6-irsa/irsa-postgres-create-db.yml @@ -3,16 +3,16 @@ apiVersion: batch/v1 kind: Job metadata: - name: postgres-client + name: create-irsa-user-db labels: - app: postgres-client + app: create-irsa-user-db spec: backoffLimit: 0 template: spec: restartPolicy: Never containers: - - name: postgres-client + - name: create-irsa-user-db image: amazonlinux:latest command: - sh @@ -22,7 +22,7 @@ spec: set -o pipefail echo "Installing dependencies..." - yum install -y curl postgresql15 unzip awscli-2 + yum install -y postgresql15 unzip awscli-2 echo "Creating IRSA db user using admin user" psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=$AURORA_DB_NAME user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ diff --git a/examples/camunda-8.6/db.tf b/examples/camunda-8.6/db.tf index e1e1e697..e824d5be 100644 --- a/examples/camunda-8.6/db.tf +++ b/examples/camunda-8.6/db.tf @@ -3,6 +3,8 @@ locals { aurora_master_username = "secret_user" # Replace with your Aurora username aurora_master_password = "secretvalue%23" # Replace with your Aurora password + + camunda_database = "camunda" # Name of your camunda database } module "postgresql" { @@ -10,11 +12,10 @@ module "postgresql" { engine_version = "15.8" auto_minor_version_upgrade = false cluster_name = local.aurora_cluster_name - default_database_name = "camunda" + default_database_name = local.camunda_database availability_zones = ["${local.eks_cluster_region}a", "${local.eks_cluster_region}b", "${local.eks_cluster_region}c"] - # Supply your own secret values for username and password username = local.aurora_master_username password = local.aurora_master_password From 67f92511b55f1213acd1e28dec511b06979b20b3 Mon Sep 17 00:00:00 2001 
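Review bot: The container renamed in the `@@ -3,16 +3,16 @@` hunk still runs `image: amazonlinux:latest`, a mutable tag, in a Job that connects with the Aurora admin credentials and installs packages at run time. Pinning the image by digest, for example `image: amazonlinux@sha256:<digest>` (placeholder), makes the Job reproducible and means a changed upstream tag cannot alter what runs with those credentials. The container spec continues outside the hunk.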
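Review bot: The `psql` call at the end of the `@@ -22,7 +22,7 @@` hunk embeds `password=$AURORA_PASSWORD` in the connection string, so the admin password becomes part of the process arguments, and a value containing a space or quote would break conninfo parsing. libpq reads the password from the `PGPASSWORD` environment variable, so `export PGPASSWORD="$AURORA_PASSWORD"` before the call, with `password=...` dropped from the string, avoids both problems. The command continues past the end of the hunk.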
From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Mon, 14 Oct 2024 18:16:58 +0200 Subject: [PATCH 062/135] add helm values files --- .../helm-values/values-domain.yml | 53 +++++++++++++++++++ .../helm-values/values-no-domain.yml | 9 ++++ .../camunda-8.6/helm-values/values-domain.yml | 53 +++++++++++++++++++ .../helm-values/values-no-domain.yml | 9 ++++ 4 files changed, 124 insertions(+) create mode 100644 examples/camunda-8.6-irsa/helm-values/values-domain.yml create mode 100644 examples/camunda-8.6-irsa/helm-values/values-no-domain.yml create mode 100644 examples/camunda-8.6/helm-values/values-domain.yml create mode 100644 examples/camunda-8.6/helm-values/values-no-domain.yml diff --git a/examples/camunda-8.6-irsa/helm-values/values-domain.yml b/examples/camunda-8.6-irsa/helm-values/values-domain.yml new file mode 100644 index 00000000..fb1810c2 --- /dev/null +++ b/examples/camunda-8.6-irsa/helm-values/values-domain.yml @@ -0,0 +1,53 @@ +--- +identityKeycloak: + postgresql: + enabled: false + externalDatabase: + host: ${DB_HOST} + user: ${PG_USERNAME} + password: ${PG_PASSWORD} + database: ${DEFAULT_DB_NAME} + +global: + ingress: + enabled: true + host: ${DOMAIN_NAME} + tls: + enabled: true + secretName: camunda-c8-tls + annotations: + kubernetes.io/tls-acme: 'true' + identity: + auth: + publicIssuerUrl: https://${DOMAIN_NAME}/auth/realms/camunda-platform + operate: + redirectUrl: https://${DOMAIN_NAME}/operate + tasklist: + redirectUrl: https://${DOMAIN_NAME}/tasklist + optimize: + redirectUrl: https://${DOMAIN_NAME}/optimize + +identity: + contextPath: /identity + fullURL: https://${DOMAIN_NAME}/identity + +operate: + contextPath: /operate + +tasklist: + contextPath: /tasklist + +optimize: + contextPath: /optimize + +zeebeGateway: + ingress: + grpc: + enabled: true + host: zeebe.${DOMAIN_NAME} + tls: + enabled: true + secretName: zeebe-c8-tls-grpc + annotations: + kubernetes.io/tls-acme: 'true' + contextPath: /zeebe 
diff --git a/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml b/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml new file mode 100644 index 00000000..63b03f8b --- /dev/null +++ b/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml @@ -0,0 +1,9 @@ +--- +identityKeycloak: + postgresql: + enabled: false + externalDatabase: + host: ${DB_HOST} + user: ${PG_USERNAME} + password: ${PG_PASSWORD} + database: ${DEFAULT_DB_NAME} diff --git a/examples/camunda-8.6/helm-values/values-domain.yml b/examples/camunda-8.6/helm-values/values-domain.yml new file mode 100644 index 00000000..fb1810c2 --- /dev/null +++ b/examples/camunda-8.6/helm-values/values-domain.yml @@ -0,0 +1,53 @@ +--- +identityKeycloak: + postgresql: + enabled: false + externalDatabase: + host: ${DB_HOST} + user: ${PG_USERNAME} + password: ${PG_PASSWORD} + database: ${DEFAULT_DB_NAME} + +global: + ingress: + enabled: true + host: ${DOMAIN_NAME} + tls: + enabled: true + secretName: camunda-c8-tls + annotations: + kubernetes.io/tls-acme: 'true' + identity: + auth: + publicIssuerUrl: https://${DOMAIN_NAME}/auth/realms/camunda-platform + operate: + redirectUrl: https://${DOMAIN_NAME}/operate + tasklist: + redirectUrl: https://${DOMAIN_NAME}/tasklist + optimize: + redirectUrl: https://${DOMAIN_NAME}/optimize + +identity: + contextPath: /identity + fullURL: https://${DOMAIN_NAME}/identity + +operate: + contextPath: /operate + +tasklist: + contextPath: /tasklist + +optimize: + contextPath: /optimize + +zeebeGateway: + ingress: + grpc: + enabled: true + host: zeebe.${DOMAIN_NAME} + tls: + enabled: true + secretName: zeebe-c8-tls-grpc + annotations: + kubernetes.io/tls-acme: 'true' + contextPath: /zeebe diff --git a/examples/camunda-8.6/helm-values/values-no-domain.yml b/examples/camunda-8.6/helm-values/values-no-domain.yml new file mode 100644 index 00000000..63b03f8b --- /dev/null +++ b/examples/camunda-8.6/helm-values/values-no-domain.yml 
@@ -0,0 +1,9 @@ +--- +identityKeycloak: + postgresql: + enabled: false + externalDatabase: + host: ${DB_HOST} + user: ${PG_USERNAME} + password: ${PG_PASSWORD} + database: ${DEFAULT_DB_NAME} From eb11cdf91f2c0281fd1a3927bafe7aa75a7fb0a7 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Mon, 14 Oct 2024 19:02:34 +0200 Subject: [PATCH 063/135] update opensearch conf reference --- .../helm-values/values-domain.yml | 19 ++++++++++++++++++- .../helm-values/values-no-domain.yml | 16 +++++++++++++++- .../camunda-8.6/helm-values/values-domain.yml | 7 +++++++ .../helm-values/values-no-domain.yml | 8 ++++++++ 4 files changed, 48 insertions(+), 2 deletions(-) diff --git a/examples/camunda-8.6-irsa/helm-values/values-domain.yml b/examples/camunda-8.6-irsa/helm-values/values-domain.yml index fb1810c2..0f277510 100644 --- a/examples/camunda-8.6-irsa/helm-values/values-domain.yml +++ b/examples/camunda-8.6-irsa/helm-values/values-domain.yml @@ -1,14 +1,31 @@ --- identityKeycloak: + serviceAccount: + name: '' + annotations: + postgresql: enabled: false externalDatabase: host: ${DB_HOST} user: ${PG_USERNAME} - password: ${PG_PASSWORD} database: ${DEFAULT_DB_NAME} + extraEnvVars: + - name: KEYCLOAK_EXTRA_ARGS + value: --db-driver=software.amazon.jdbc.Driver --transaction-xa-enabled=false --log-level=INFO,software.amazon.jdbc:INFO + - name: KEYCLOAK_JDBC_PARAMS + value: wrapperPlugins=iam + - name: KEYCLOAK_JDBC_DRIVER + value: aws-wrapper:postgresql global: + elasticsearch: + enabled: false + opensearch: + enabled: true + aws: + enabled: true + ingress: enabled: true host: ${DOMAIN_NAME} diff --git a/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml b/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml index 63b03f8b..60e82b98 100644 --- a/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml +++ b/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml 
@@ -5,5 +5,19 @@ identityKeycloak: externalDatabase: host: ${DB_HOST} user: ${PG_USERNAME} - password: ${PG_PASSWORD} database: ${DEFAULT_DB_NAME} + extraEnvVars: + - name: KEYCLOAK_EXTRA_ARGS + value: --db-driver=software.amazon.jdbc.Driver --transaction-xa-enabled=false --log-level=INFO,software.amazon.jdbc:INFO + - name: KEYCLOAK_JDBC_PARAMS + value: wrapperPlugins=iam + - name: KEYCLOAK_JDBC_DRIVER + value: aws-wrapper:postgresql + +global: + elasticsearch: + enabled: false + opensearch: + enabled: true + aws: + enabled: true diff --git a/examples/camunda-8.6/helm-values/values-domain.yml b/examples/camunda-8.6/helm-values/values-domain.yml index fb1810c2..aaa64f1c 100644 --- a/examples/camunda-8.6/helm-values/values-domain.yml +++ b/examples/camunda-8.6/helm-values/values-domain.yml @@ -9,6 +9,13 @@ identityKeycloak: database: ${DEFAULT_DB_NAME} global: + elasticsearch: + enabled: false + opensearch: + enabled: true + aws: + enabled: true + ingress: enabled: true host: ${DOMAIN_NAME} diff --git a/examples/camunda-8.6/helm-values/values-no-domain.yml b/examples/camunda-8.6/helm-values/values-no-domain.yml index 63b03f8b..ba1a77e2 100644 --- a/examples/camunda-8.6/helm-values/values-no-domain.yml +++ b/examples/camunda-8.6/helm-values/values-no-domain.yml @@ -7,3 +7,11 @@ identityKeycloak: user: ${PG_USERNAME} password: ${PG_PASSWORD} database: ${DEFAULT_DB_NAME} + +global: + elasticsearch: + enabled: false + opensearch: + enabled: true + aws: + enabled: true From 94e7fd777e282a8d03d1ee2e8d986ef8ac98c9a3 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Mon, 14 Oct 2024 20:05:40 +0200 Subject: [PATCH 064/135] add irsa for all accounts --- .../helm-values/values-domain.yml | 43 +++++++++++++++- .../helm-values/values-no-domain.yml | 50 +++++++++++++++++++ 2 files changed, 92 insertions(+), 1 deletion(-) 
diff --git a/examples/camunda-8.6-irsa/helm-values/values-domain.yml b/examples/camunda-8.6-irsa/helm-values/values-domain.yml index 0f277510..cc22c0cb 100644 --- a/examples/camunda-8.6-irsa/helm-values/values-domain.yml +++ b/examples/camunda-8.6-irsa/helm-values/values-domain.yml @@ -1,8 +1,9 @@ --- identityKeycloak: serviceAccount: - name: '' + name: ${CAMUNDA_KEYCLOAK_SERVICE_ACCOUNT_NAME} annotations: + eks.amazonaws.com/role-arn: ${DB_ROLE_ARN} postgresql: enabled: false @@ -10,6 +11,7 @@ identityKeycloak: host: ${DB_HOST} user: ${PG_USERNAME} database: ${DEFAULT_DB_NAME} + extraEnvVars: - name: KEYCLOAK_EXTRA_ARGS value: --db-driver=software.amazon.jdbc.Driver --transaction-xa-enabled=false --log-level=INFO,software.amazon.jdbc:INFO @@ -25,6 +27,10 @@ global: enabled: true aws: enabled: true + url: + protocol: https + host: ${OPENSEARCH_HOST} + port: 443 ingress: enabled: true 
@@ -44,19 +50,51 @@ global: optimize: redirectUrl: https://${DOMAIN_NAME}/optimize +webModeler: + serviceAccount: + name: ${CAMUNDA_WEBMODELER_SERVICE_ACCOUNT_NAME} + annotations: + eks.amazonaws.com/role-arn: ${DB_ROLE_ARN} + identity: contextPath: /identity fullURL: https://${DOMAIN_NAME}/identity + serviceAccount: + name: ${CAMUNDA_IDENTITY_SERVICE_ACCOUNT_NAME} + annotations: + eks.amazonaws.com/role-arn: ${DB_ROLE_ARN} + operate: contextPath: /operate + serviceAccount: + name: ${CAMUNDA_OPERATE_SERVICE_ACCOUNT_NAME} + annotations: + eks.amazonaws.com/role-arn: ${OPENSEARCH_ROLE_ARN} + tasklist: contextPath: /tasklist + serviceAccount: + name: ${CAMUNDA_TASKLIST_SERVICE_ACCOUNT_NAME} + annotations: + eks.amazonaws.com/role-arn: ${OPENSEARCH_ROLE_ARN} + optimize: contextPath: /optimize + serviceAccount: + name: ${CAMUNDA_OPTIMIZE_SERVICE_ACCOUNT_NAME} + annotations: + eks.amazonaws.com/role-arn: ${OPENSEARCH_ROLE_ARN} + +zeebe: + serviceAccount: + name: ${CAMUNDA_ZEEBE_SERVICE_ACCOUNT_NAME} + annotations: + eks.amazonaws.com/role-arn: ${OPENSEARCH_ROLE_ARN} + zeebeGateway: ingress: grpc: @@ -68,3 +106,6 @@ zeebeGateway: annotations: kubernetes.io/tls-acme: 'true' contextPath: /zeebe + +elasticsearch: + enabled: false diff --git a/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml b/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml index 60e82b98..326f59c1 100644 --- a/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml +++ b/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml @@ -1,11 +1,17 @@ --- identityKeycloak: + serviceAccount: + name: ${CAMUNDA_KEYCLOAK_SERVICE_ACCOUNT_NAME} + annotations: + eks.amazonaws.com/role-arn: ${DB_ROLE_ARN} + postgresql: enabled: false externalDatabase: host: ${DB_HOST} user: ${PG_USERNAME} database: ${DEFAULT_DB_NAME} + extraEnvVars: - name: KEYCLOAK_EXTRA_ARGS value: --db-driver=software.amazon.jdbc.Driver --transaction-xa-enabled=false --log-level=INFO,software.amazon.jdbc:INFO 
@@ -21,3 +27,47 @@ global: enabled: true aws: enabled: true + url: + protocol: https + host: ${OPENSEARCH_HOST} + port: 443 + +webModeler: + serviceAccount: + name: ${CAMUNDA_WEBMODELER_SERVICE_ACCOUNT_NAME} + annotations: + eks.amazonaws.com/role-arn: ${DB_ROLE_ARN} + +identity: + serviceAccount: + name: ${CAMUNDA_IDENTITY_SERVICE_ACCOUNT_NAME} + annotations: + eks.amazonaws.com/role-arn: ${DB_ROLE_ARN} + + +zeebe: + serviceAccount: + name: ${CAMUNDA_ZEEBE_SERVICE_ACCOUNT_NAME} + annotations: + eks.amazonaws.com/role-arn: ${OPENSEARCH_ROLE_ARN} + +operate: + serviceAccount: + name: ${CAMUNDA_OPERATE_SERVICE_ACCOUNT_NAME} + annotations: + eks.amazonaws.com/role-arn: ${OPENSEARCH_ROLE_ARN} + +tasklist: + serviceAccount: + name: ${CAMUNDA_TASKLIST_SERVICE_ACCOUNT_NAME} + annotations: + eks.amazonaws.com/role-arn: ${OPENSEARCH_ROLE_ARN} + +optimize: + serviceAccount: + name: ${CAMUNDA_OPTIMIZE_SERVICE_ACCOUNT_NAME} + annotations: + eks.amazonaws.com/role-arn: ${OPENSEARCH_ROLE_ARN} + +elasticsearch: + enabled: false From 26a50865cf4dc4b199b9533a291c2702bf59d9f5 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Mon, 14 Oct 2024 21:08:13 +0200 Subject: [PATCH 065/135] update irsa values --- .../helm-values/values-domain.yml | 20 ++++++++++++++++++ .../helm-values/values-no-domain.yml | 21 +++++++++++++++++++ 2 files changed, 41 insertions(+) diff --git a/examples/camunda-8.6-irsa/helm-values/values-domain.yml b/examples/camunda-8.6-irsa/helm-values/values-domain.yml index cc22c0cb..e5787977 100644 --- a/examples/camunda-8.6-irsa/helm-values/values-domain.yml +++ b/examples/camunda-8.6-irsa/helm-values/values-domain.yml @@ -30,6 +30,7 @@ global: url: protocol: https host: ${OPENSEARCH_HOST} + # Amazon OpenSearch Service listens on port 443 opposed to the usual port 9200. port: 443 ingress: 
@@ -56,6 +57,13 @@ webModeler: annotations: eks.amazonaws.com/role-arn: ${DB_ROLE_ARN} + env: + - name: SPRING_DATASOURCE_DRIVER_CLASS_NAME + value: software.amazon.jdbc.Driver + externalDatabase: + url: jdbc:aws-wrapper:postgresql://${DB_HOST}:5432/${DEFAULT_DB_NAME}?wrapperPlugins=iam + user: ${PG_USERNAME} + identity: contextPath: /identity fullURL: https://${DOMAIN_NAME}/identity @@ -65,6 +73,15 @@ identity: annotations: eks.amazonaws.com/role-arn: ${DB_ROLE_ARN} + env: + - name: SPRING_DATASOURCE_URL + value: jdbc:aws-wrapper:postgresql://${DB_HOST}:5432/${DEFAULT_DB_NAME}?wrapperPlugins=iam + - name: SPRING_DATASOURCE_DRIVER_CLASS_NAME + value: software.amazon.jdbc.Driver + - name: SPRING_DATASOURCE_USERNAME + value: ${PG_USERNAME} + + operate: contextPath: /operate @@ -89,6 +106,9 @@ optimize: annotations: eks.amazonaws.com/role-arn: ${OPENSEARCH_ROLE_ARN} + migration: + enabled: false + zeebe: serviceAccount: name: ${CAMUNDA_ZEEBE_SERVICE_ACCOUNT_NAME} diff --git a/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml b/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml index 326f59c1..43713f31 100644 --- a/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml +++ b/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml @@ -9,6 +9,7 @@ identityKeycloak: enabled: false externalDatabase: host: ${DB_HOST} + port: 5432 user: ${PG_USERNAME} database: ${DEFAULT_DB_NAME} @@ -30,6 +31,7 @@ global: url: protocol: https host: ${OPENSEARCH_HOST} + # Amazon OpenSearch Service listens on port 443 opposed to the usual port 9200. port: 443 webModeler: 
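Review bot: The JDBC URL added under `webModeler.externalDatabase.url` ends in `?wrapperPlugins=iam` and sets no SSL mode, so whether the IAM authentication token travels over TLS is left to the driver default. Making it explicit removes the doubt: `jdbc:aws-wrapper:postgresql://${DB_HOST}:5432/${DEFAULT_DB_NAME}?wrapperPlugins=iam&sslmode=require`, or `verify-full` with the RDS CA bundle if the server certificate should also be checked. The same URL is added as `SPRING_DATASOURCE_URL` for `identity` in the `@@ -65,6 +73,15 @@` hunk and in both places in `values-no-domain.yml`.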
@@ -38,12 +40,29 @@ webModeler: annotations: eks.amazonaws.com/role-arn: ${DB_ROLE_ARN} + env: + - name: SPRING_DATASOURCE_DRIVER_CLASS_NAME + value: software.amazon.jdbc.Driver + externalDatabase: + url: jdbc:aws-wrapper:postgresql://${DB_HOST}:5432/${DEFAULT_DB_NAME}?wrapperPlugins=iam + user: ${PG_USERNAME} + + identity: serviceAccount: name: ${CAMUNDA_IDENTITY_SERVICE_ACCOUNT_NAME} annotations: eks.amazonaws.com/role-arn: ${DB_ROLE_ARN} + env: + - name: SPRING_DATASOURCE_URL + value: jdbc:aws-wrapper:postgresql://${DB_HOST}:5432/${DEFAULT_DB_NAME}?wrapperPlugins=iam + + - name: SPRING_DATASOURCE_DRIVER_CLASS_NAME + value: software.amazon.jdbc.Driver + + - name: SPRING_DATASOURCE_USERNAME + value: ${PG_USERNAME} zeebe: serviceAccount: @@ -68,6 +87,8 @@ optimize: name: ${CAMUNDA_OPTIMIZE_SERVICE_ACCOUNT_NAME} annotations: eks.amazonaws.com/role-arn: ${OPENSEARCH_ROLE_ARN} + migration: + enabled: false elasticsearch: enabled: false From 2c52409cd2aa83affd12a77e18a1c8b150fefd92 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Mon, 14 Oct 2024 21:08:25 +0200 Subject: [PATCH 066/135] update std values --- .../camunda-8.6/helm-values/values-domain.yml | 14 ++++++++++++++ .../camunda-8.6/helm-values/values-no-domain.yml | 15 +++++++++++++++ 2 files changed, 29 insertions(+) diff --git a/examples/camunda-8.6/helm-values/values-domain.yml b/examples/camunda-8.6/helm-values/values-domain.yml index aaa64f1c..b92e6f96 100644 --- a/examples/camunda-8.6/helm-values/values-domain.yml +++ b/examples/camunda-8.6/helm-values/values-domain.yml @@ -15,6 +15,14 @@ global: enabled: true aws: enabled: true + auth: + username: ${OPENSEARCH_MASTER_USER} + password: ${OPENSEARCH_MASTER_PASSWORD} + url: + protocol: https + host: ${OPENSEARCH_HOST} + # Amazon OpenSearch Service listens on port 443 opposed to the usual port 9200. + port: 443 ingress: enabled: true 
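Review bot: The `global.opensearch.auth` block added in the `@@ -15,6 +15,14 @@` hunk gives every Camunda component `${OPENSEARCH_MASTER_USER}` / `${OPENSEARCH_MASTER_PASSWORD}`, which by their names are the domain's master credentials. A dedicated internal user limited to the indices Camunda needs would reduce what a compromised pod can do to the domain. If the master user is kept for the example, a comment above `auth:` such as `# example only: use a dedicated, least-privileged OpenSearch user in production` would make that clear. The same block is added to `examples/camunda-8.6/helm-values/values-no-domain.yml` in this commit.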
@@ -34,6 +42,10 @@ global: optimize: redirectUrl: https://${DOMAIN_NAME}/optimize + +elasticsearch: + enabled: false + identity: contextPath: /identity fullURL: https://${DOMAIN_NAME}/identity @@ -46,6 +58,8 @@ tasklist: optimize: contextPath: /optimize + migration: + enabled: false zeebeGateway: ingress: diff --git a/examples/camunda-8.6/helm-values/values-no-domain.yml b/examples/camunda-8.6/helm-values/values-no-domain.yml index ba1a77e2..b4fe77bd 100644 --- a/examples/camunda-8.6/helm-values/values-no-domain.yml +++ b/examples/camunda-8.6/helm-values/values-no-domain.yml @@ -15,3 +15,18 @@ global: enabled: true aws: enabled: true + auth: + username: ${OPENSEARCH_MASTER_USER} + password: ${OPENSEARCH_MASTER_PASSWORD} + url: + protocol: https + host: ${OPENSEARCH_HOST} + # Amazon OpenSearch Service listens on port 443 opposed to the usual port 9200. + port: 443 + +optimize: + migration: + enabled: false + +elasticsearch: + enabled: false From af60c9d907747ba128f50232877f63ce33c3d003 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Mon, 14 Oct 2024 21:16:09 +0200 Subject: [PATCH 067/135] fix manifests --- examples/camunda-8.6-irsa/helm-values/values-domain.yml | 5 ++++- examples/camunda-8.6-irsa/helm-values/values-no-domain.yml | 4 +++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/examples/camunda-8.6-irsa/helm-values/values-domain.yml b/examples/camunda-8.6-irsa/helm-values/values-domain.yml index e5787977..f23c850b 100644 --- a/examples/camunda-8.6-irsa/helm-values/values-domain.yml +++ b/examples/camunda-8.6-irsa/helm-values/values-domain.yml 
@@ -16,9 +16,11 @@ identityKeycloak: - name: KEYCLOAK_EXTRA_ARGS value: --db-driver=software.amazon.jdbc.Driver --transaction-xa-enabled=false --log-level=INFO,software.amazon.jdbc:INFO - name: KEYCLOAK_JDBC_PARAMS - value: wrapperPlugins=iam + value: wrapperPlugins=iam&ssl=true&sslmode=require - name: KEYCLOAK_JDBC_DRIVER value: aws-wrapper:postgresql + - name: KC_DB_DRIVER + value: software.amazon.jdbc.Driver global: elasticsearch: @@ -52,6 +54,7 @@ global: redirectUrl: https://${DOMAIN_NAME}/optimize webModeler: + # TODO: understand why it's disabled by default serviceAccount: name: ${CAMUNDA_WEBMODELER_SERVICE_ACCOUNT_NAME} annotations: diff --git a/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml b/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml index 43713f31..6ee16418 100644 --- a/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml +++ b/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml @@ -17,9 +17,11 @@ identityKeycloak: - name: KEYCLOAK_EXTRA_ARGS value: --db-driver=software.amazon.jdbc.Driver --transaction-xa-enabled=false --log-level=INFO,software.amazon.jdbc:INFO - name: KEYCLOAK_JDBC_PARAMS - value: wrapperPlugins=iam + value: wrapperPlugins=iam&ssl=true&sslmode=require - name: KEYCLOAK_JDBC_DRIVER value: aws-wrapper:postgresql + - name: KC_DB_DRIVER + value: software.amazon.jdbc.Driver global: elasticsearch: From 6856761c79e6b7b02098889bd423c203ea47c2bc Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Mon, 14 Oct 2024 21:46:21 +0200 Subject: [PATCH 068/135] remove superuser for irsa connection --- README.md | 1 - examples/camunda-8.6-irsa/helm-values/values-domain.yml | 6 ++++++ examples/camunda-8.6-irsa/helm-values/values-no-domain.yml | 7 ++++++- modules/fixtures/postgres-client.yml | 1 - 4 files changed, 12 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index b654e5e2..41880113 100644 --- a/README.md +++ b/README.md 
@@ -167,7 +167,6 @@ echo "Creating IRSA DB user using admin user" psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=$AURORA_DB_NAME user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ -c "CREATE USER \"${AURORA_USERNAME_IRSA}\" WITH LOGIN;" \ -c "GRANT rds_iam TO \"${AURORA_USERNAME_IRSA}\";" \ - -c "GRANT rds_superuser TO \"${AURORA_USERNAME_IRSA}\";" \ -c "GRANT ALL PRIVILEGES ON DATABASE \"${AURORA_DB_NAME}\" TO \"${AURORA_USERNAME_IRSA}\";" \ -c "SELECT aurora_version();" \ -c "SELECT version();" -c "\du" diff --git a/examples/camunda-8.6-irsa/helm-values/values-domain.yml b/examples/camunda-8.6-irsa/helm-values/values-domain.yml index f23c850b..4fa24b43 100644 --- a/examples/camunda-8.6-irsa/helm-values/values-domain.yml +++ b/examples/camunda-8.6-irsa/helm-values/values-domain.yml @@ -10,6 +10,8 @@ identityKeycloak: externalDatabase: host: ${DB_HOST} user: ${PG_USERNAME} + port: 5432 + password: '' # let it empty as we use IRSA database: ${DEFAULT_DB_NAME} extraEnvVars: @@ -21,6 +23,10 @@ identityKeycloak: value: aws-wrapper:postgresql - name: KC_DB_DRIVER value: software.amazon.jdbc.Driver + - name: KC_DB + value: postgres + - name: KC_DB_URL + value: jdbc:aws-wrapper:postgresql://${DB_HOST}:5432/${DEFAULT_DB_NAME}?wrapperPlugins=iam&ssl=true&sslmode=require global: elasticsearch: diff --git a/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml b/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml index 6ee16418..eff03a6b 100644 --- a/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml +++ b/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml @@ -9,8 +9,9 @@ identityKeycloak: enabled: false externalDatabase: host: ${DB_HOST} - port: 5432 user: ${PG_USERNAME} + port: 5432 + password: '' # let it empty as we use IRSA database: ${DEFAULT_DB_NAME} extraEnvVars: 
@@ -22,6 +23,10 @@ identityKeycloak: value: aws-wrapper:postgresql - name: KC_DB_DRIVER value: software.amazon.jdbc.Driver + - name: KC_DB + value: postgres + - name: KC_DB_URL + value: jdbc:aws-wrapper:postgresql://${DB_HOST}:5432/${DEFAULT_DB_NAME}?wrapperPlugins=iam&ssl=true&sslmode=require global: elasticsearch: diff --git a/modules/fixtures/postgres-client.yml b/modules/fixtures/postgres-client.yml index 751c188d..a67344c1 100644 --- a/modules/fixtures/postgres-client.yml +++ b/modules/fixtures/postgres-client.yml @@ -29,7 +29,6 @@ spec: psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=$AURORA_DB_NAME user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ -c "CREATE USER \"${AURORA_USERNAME_IRSA}\" WITH LOGIN;" \ -c "GRANT rds_iam TO \"${AURORA_USERNAME_IRSA}\";" \ - -c "GRANT rds_superuser TO \"${AURORA_USERNAME_IRSA}\";" \ -c "GRANT ALL PRIVILEGES ON DATABASE \"${AURORA_DB_NAME}\" TO \"${AURORA_USERNAME_IRSA}\";" \ -c "SELECT aurora_version();" \ -c "SELECT version();" -c "\du" From d436eda11a7e929134db925f3a2a13eb37bfc9a4 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Tue, 15 Oct 2024 11:24:18 +0200 Subject: [PATCH 069/135] move outputs --- examples/camunda-8.6-irsa/cluster.tf | 10 +++++++++ examples/camunda-8.6-irsa/db.tf | 10 +++++++++ examples/camunda-8.6-irsa/opensearch.tf | 10 +++++++++ examples/camunda-8.6-irsa/output.tf | 29 ------------------------- examples/camunda-8.6/cluster.tf | 10 +++++++++ examples/camunda-8.6/db.tf | 5 +++++ examples/camunda-8.6/opensearch.tf | 7 +++++- examples/camunda-8.6/output.tf | 19 ---------------- 8 files changed, 51 insertions(+), 49 deletions(-) delete mode 100644 examples/camunda-8.6-irsa/output.tf delete mode 100644 examples/camunda-8.6/output.tf diff --git a/examples/camunda-8.6-irsa/cluster.tf b/examples/camunda-8.6-irsa/cluster.tf index 9f60f80e..1c38d8df 100644 --- a/examples/camunda-8.6-irsa/cluster.tf +++ b/examples/camunda-8.6-irsa/cluster.tf 
@@ -13,3 +13,13 @@ module "eks_cluster" { cluster_service_ipv4_cidr = "10.190.0.0/16" cluster_node_ipv4_cidr = "10.192.0.0/16" } + +output "cert_manager_arn" { + value = module.eks_cluster.cert_manager_arn + description = "The Amazon Resource Name (ARN) of the AWS IAM Roles for Service Account mapping for the cert-manager" +} + +output "external_dns_arn" { + value = module.eks_cluster.external_dns_arn + description = "The Amazon Resource Name (ARN) of the AWS IAM Roles for Service Account mapping for the external-dns" +} diff --git a/examples/camunda-8.6-irsa/db.tf b/examples/camunda-8.6-irsa/db.tf index a7a2f86e..75ee94ba 100644 --- a/examples/camunda-8.6-irsa/db.tf +++ b/examples/camunda-8.6-irsa/db.tf @@ -77,3 +77,13 @@ EOF depends_on = [module.eks_cluster] } + +output "postgres_endpoint" { + value = module.postgresql.aurora_endpoint + description = "The Postgres endpoint URL" +} + +output "aurora_role_arn" { + value = module.postgresql.aurora_role_arn + description = "The Aurora Role ARN used for IRSA" +} diff --git a/examples/camunda-8.6-irsa/opensearch.tf b/examples/camunda-8.6-irsa/opensearch.tf index 450bff8e..83545dc6 100644 --- a/examples/camunda-8.6-irsa/opensearch.tf +++ b/examples/camunda-8.6-irsa/opensearch.tf @@ -96,3 +96,13 @@ EOF } EOF } + +output "opensearch_endpoint" { + value = module.opensearch_domain.opensearch_domain_endpoint + description = "The OpenSearch endpoint URL" +} + +output "opensearch_role_arn" { + value = module.opensearch_domain.opensearch_role_arn + description = "The OpenSearch Role ARN used for IRSA" +} diff --git a/examples/camunda-8.6-irsa/output.tf b/examples/camunda-8.6-irsa/output.tf deleted file mode 100644 index 4aca97d9..00000000 --- a/examples/camunda-8.6-irsa/output.tf +++ /dev/null 
@@ -1,29 +0,0 @@ -output "cert_manager_arn" { - value = module.eks_cluster.cert_manager_arn - description = "The Amazon Resource Name (ARN) of the AWS IAM Roles for Service Account mapping for the cert-manager" -} - -output "external_dns_arn" { - value = module.eks_cluster.external_dns_arn - description = "The Amazon Resource Name (ARN) of the AWS IAM Roles for Service Account mapping for the external-dns" -} - -output "postgres_endpoint" { - value = module.postgresql.aurora_endpoint - description = "The Postgres endpoint URL" -} - -output "opensearch_endpoint" { - value = module.opensearch_domain.opensearch_domain_endpoint - description = "The OpenSearch endpoint URL" -} - -output "aurora_role_arn" { - value = module.postgresql.aurora_role_arn - description = "The Aurora Role ARN used for IRSA" -} - -output "opensearch_role_arn" { - value = module.opensearch_domain.opensearch_role_arn - description = "The OpenSearch Role ARN used for IRSA" -} diff --git a/examples/camunda-8.6/cluster.tf b/examples/camunda-8.6/cluster.tf index bac8a7b4..801d1455 100644 --- a/examples/camunda-8.6/cluster.tf +++ b/examples/camunda-8.6/cluster.tf @@ -13,3 +13,13 @@ module "eks_cluster" { cluster_service_ipv4_cidr = "10.190.0.0/16" cluster_node_ipv4_cidr = "10.192.0.0/16" } + +output "cert_manager_arn" { + value = module.eks_cluster.cert_manager_arn + description = "The Amazon Resource Name (ARN) of the AWS IAM Roles for Service Account mapping for the cert-manager" +} + +output "external_dns_arn" { + value = module.eks_cluster.external_dns_arn + description = "The Amazon Resource Name (ARN) of the AWS IAM Roles for Service Account mapping for the external-dns" +} diff --git a/examples/camunda-8.6/db.tf b/examples/camunda-8.6/db.tf index e824d5be..a600800f 100644 --- a/examples/camunda-8.6/db.tf +++ b/examples/camunda-8.6/db.tf 
@@ -27,3 +27,8 @@ module "postgresql" { depends_on = [module.eks_cluster] } + +output "postgres_endpoint" { + value = module.postgresql.aurora_endpoint + description = "The Postgres endpoint URL" +} diff --git a/examples/camunda-8.6/opensearch.tf b/examples/camunda-8.6/opensearch.tf index b4710d04..8bee7192 100644 --- a/examples/camunda-8.6/opensearch.tf +++ b/examples/camunda-8.6/opensearch.tf @@ -5,7 +5,7 @@ locals { opensearch_master_password = "Secretvalue$23" # Replace with your opensearch password } -module "opensearch" { +module "opensearch_domain" { source = "git::https://github.com/camunda/camunda-tf-eks-module//modules/opensearch?ref=2.6.0" domain_name = local.opensearch_domain_name engine_version = "2.15" @@ -26,3 +26,8 @@ module "opensearch" { depends_on = [module.eks_cluster] } + +output "opensearch_endpoint" { + value = module.opensearch_domain.opensearch_domain_endpoint + description = "The OpenSearch endpoint URL" +} diff --git a/examples/camunda-8.6/output.tf b/examples/camunda-8.6/output.tf deleted file mode 100644 index 0ba63926..00000000 --- a/examples/camunda-8.6/output.tf +++ /dev/null @@ -1,19 +0,0 @@ -output "cert_manager_arn" { - value = module.eks_cluster.cert_manager_arn - description = "The Amazon Resource Name (ARN) of the AWS IAM Roles for Service Account mapping for the cert-manager" -} - -output "external_dns_arn" { - value = module.eks_cluster.external_dns_arn - description = "The Amazon Resource Name (ARN) of the AWS IAM Roles for Service Account mapping for the external-dns" -} - -output "postgres_endpoint" { - value = module.postgresql.aurora_endpoint - description = "The Postgres endpoint URL" -} - -output "opensearch_endpoint" { - value = module.opensearch_domain.opensearch_domain_endpoint - description = "The OpenSearch endpoint URL" -} From fd8e8ae253589b8314ab7b02300af9f54dd086f6 Mon Sep 17 00:00:00 2001 
From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Tue, 15 Oct 2024 11:58:53 +0200 Subject: [PATCH 070/135] extract secrets from values --- .../camunda-8.6-irsa/helm-values/values-domain.yml | 4 ---- examples/camunda-8.6/helm-values/values-domain.yml | 14 +++++++++----- .../camunda-8.6/helm-values/values-no-domain.yml | 14 +++++++++----- 3 files changed, 18 insertions(+), 14 deletions(-) diff --git a/examples/camunda-8.6-irsa/helm-values/values-domain.yml b/examples/camunda-8.6-irsa/helm-values/values-domain.yml index 4fa24b43..a2c1108a 100644 --- a/examples/camunda-8.6-irsa/helm-values/values-domain.yml +++ b/examples/camunda-8.6-irsa/helm-values/values-domain.yml @@ -23,10 +23,6 @@ identityKeycloak: value: aws-wrapper:postgresql - name: KC_DB_DRIVER value: software.amazon.jdbc.Driver - - name: KC_DB - value: postgres - - name: KC_DB_URL - value: jdbc:aws-wrapper:postgresql://${DB_HOST}:5432/${DEFAULT_DB_NAME}?wrapperPlugins=iam&ssl=true&sslmode=require global: elasticsearch: diff --git a/examples/camunda-8.6/helm-values/values-domain.yml b/examples/camunda-8.6/helm-values/values-domain.yml index b92e6f96..187b348b 100644 --- a/examples/camunda-8.6/helm-values/values-domain.yml +++ b/examples/camunda-8.6/helm-values/values-domain.yml @@ -3,10 +3,13 @@ identityKeycloak: postgresql: enabled: false externalDatabase: - host: ${DB_HOST} - user: ${PG_USERNAME} - password: ${PG_PASSWORD} - database: ${DEFAULT_DB_NAME} + # see https://artifacthub.io/packages/helm/bitnami/keycloak + existingSecret: identity-keycloak-secret # Name of an existing secret resource containing the database credentials + existingSecretHostKey: host + existingSecretPortKey: port + existingSecretUserKey: user + existingSecretDatabaseKey: database + existingSecretPasswordKey: password global: elasticsearch: 
@@ -17,7 +20,8 @@ global: enabled: true auth: username: ${OPENSEARCH_MASTER_USER} - password: ${OPENSEARCH_MASTER_PASSWORD} + existingSecret: opensearch-secret + existingSecretKey: password url: protocol: https host: ${OPENSEARCH_HOST} diff --git a/examples/camunda-8.6/helm-values/values-no-domain.yml b/examples/camunda-8.6/helm-values/values-no-domain.yml index b4fe77bd..de3cfaf6 100644 --- a/examples/camunda-8.6/helm-values/values-no-domain.yml +++ b/examples/camunda-8.6/helm-values/values-no-domain.yml @@ -3,10 +3,13 @@ identityKeycloak: postgresql: enabled: false externalDatabase: - host: ${DB_HOST} - user: ${PG_USERNAME} - password: ${PG_PASSWORD} - database: ${DEFAULT_DB_NAME} + # see https://artifacthub.io/packages/helm/bitnami/keycloak + existingSecret: identity-keycloak-secret # Name of an existing secret resource containing the database credentials + existingSecretHostKey: host + existingSecretPortKey: port + existingSecretUserKey: user + existingSecretDatabaseKey: database + existingSecretPasswordKey: password global: elasticsearch: @@ -17,7 +20,8 @@ global: enabled: true auth: username: ${OPENSEARCH_MASTER_USER} - password: ${OPENSEARCH_MASTER_PASSWORD} + existingSecret: opensearch-secret + existingSecretKey: password url: protocol: https host: ${OPENSEARCH_HOST} From 5e09b213ce0947688a187e1141b20cbbca29cf58 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Tue, 15 Oct 2024 13:56:43 +0200 Subject: [PATCH 071/135] update values --- .../helm-values/values-domain.yml | 4 ++- .../helm-values/values-no-domain.yml | 2 ++ .../helm-values/generated-values.yml | 36 +++++++++++++++++++ .../camunda-8.6/helm-values/values-domain.yml | 2 ++ 4 files changed, 43 insertions(+), 1 deletion(-) create mode 100644 examples/camunda-8.6/helm-values/generated-values.yml diff --git a/examples/camunda-8.6-irsa/helm-values/values-domain.yml b/examples/camunda-8.6-irsa/helm-values/values-domain.yml index a2c1108a..43efa301 100644 
--- a/examples/camunda-8.6-irsa/helm-values/values-domain.yml +++ b/examples/camunda-8.6-irsa/helm-values/values-domain.yml @@ -56,7 +56,8 @@ global: redirectUrl: https://${DOMAIN_NAME}/optimize webModeler: - # TODO: understand why it's disabled by default + enabled: false # by default, webModeler is not enabled + serviceAccount: name: ${CAMUNDA_WEBMODELER_SERVICE_ACCOUNT_NAME} annotations: @@ -111,6 +112,7 @@ optimize: annotations: eks.amazonaws.com/role-arn: ${OPENSEARCH_ROLE_ARN} + # OpenSearch prevents migration migration: enabled: false diff --git a/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml b/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml index eff03a6b..92acd4eb 100644 --- a/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml +++ b/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml @@ -94,6 +94,8 @@ optimize: name: ${CAMUNDA_OPTIMIZE_SERVICE_ACCOUNT_NAME} annotations: eks.amazonaws.com/role-arn: ${OPENSEARCH_ROLE_ARN} + + # OpenSearch prevents migration migration: enabled: false diff --git a/examples/camunda-8.6/helm-values/generated-values.yml b/examples/camunda-8.6/helm-values/generated-values.yml new file mode 100644 index 00000000..c620aac4 --- /dev/null +++ b/examples/camunda-8.6/helm-values/generated-values.yml 
@@ -0,0 +1,36 @@ +--- +identityKeycloak: + postgresql: + enabled: false + externalDatabase: + # see https://artifacthub.io/packages/helm/bitnami/keycloak + existingSecret: identity-keycloak-secret # Name of an existing secret resource containing the database credentials + existingSecretHostKey: host + existingSecretPortKey: port + existingSecretUserKey: user + existingSecretDatabaseKey: database + existingSecretPasswordKey: password + +global: + elasticsearch: + enabled: false + opensearch: + enabled: true + aws: + enabled: true + auth: + username: secret_user + existingSecret: opensearch-secret + existingSecretKey: password + url: + protocol: https + host: vpc-domain-name-os-std-s7ttei3uulfiyez54t66sj2zkq.eu-west-2.es.amazonaws.com + # Amazon OpenSearch Service listens on port 443 opposed to the usual port 9200. + port: 443 + +optimize: + migration: + enabled: false + +elasticsearch: + enabled: false diff --git a/examples/camunda-8.6/helm-values/values-domain.yml b/examples/camunda-8.6/helm-values/values-domain.yml index 187b348b..12560668 100644 --- a/examples/camunda-8.6/helm-values/values-domain.yml +++ b/examples/camunda-8.6/helm-values/values-domain.yml @@ -62,6 +62,8 @@ tasklist: optimize: contextPath: /optimize + + # OpenSearch prevents migration migration: enabled: false From f9af940cb173cf6946f45d59f239f6e1b29428b4 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Tue, 15 Oct 2024 14:11:59 +0200 Subject: [PATCH 072/135] remove sg for default vpc --- modules/opensearch/README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/opensearch/README.md b/modules/opensearch/README.md index 586d8a0a..dff4b3f2 100644 --- a/modules/opensearch/README.md +++ b/modules/opensearch/README.md 
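Review bot: `generated-values.yml` looks like rendered output rather than a source file. It carries a concrete endpoint under `global.opensearch.url.host` and `username: secret_user` where `values-domain.yml` uses `${OPENSEARCH_HOST}` and `${OPENSEARCH_MASTER_USER}`. Committing it publishes an environment-specific hostname and the file will drift from the templates. It would be safer to drop it from the commit and ignore it in `.gitignore`, or, if it is meant as a sample, to replace the host with a placeholder such as `<opensearch-endpoint>`.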
@@ -13,7 +13,6 @@ module "opensearch_domain" { domain_name = "my-opensearch-domain" engine_version = "2.15" subnet_ids = module.eks_cluster.private_subnet_ids - security_group_ids = module.eks_cluster.security_group_ids vpc_id = module.eks_cluster.vpc_id cidr_blocks = concat(module.eks_cluster.private_vpc_cidr_blocks, module.eks_cluster.public_vpc_cidr_blocks) From f1c714ccb99b7a2be8000c52b337eb3c02554288 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Tue, 15 Oct 2024 15:09:09 +0200 Subject: [PATCH 073/135] remove basic auth for opensearch --- examples/camunda-8.6/helm-values/values-domain.yml | 5 +---- examples/camunda-8.6/helm-values/values-no-domain.yml | 5 +---- examples/camunda-8.6/opensearch.tf | 9 +-------- 3 files changed, 3 insertions(+), 16 deletions(-) diff --git a/examples/camunda-8.6/helm-values/values-domain.yml b/examples/camunda-8.6/helm-values/values-domain.yml index 12560668..12dabbe7 100644 --- a/examples/camunda-8.6/helm-values/values-domain.yml +++ b/examples/camunda-8.6/helm-values/values-domain.yml @@ -18,10 +18,7 @@ global: enabled: true aws: enabled: true - auth: - username: ${OPENSEARCH_MASTER_USER} - existingSecret: opensearch-secret - existingSecretKey: password + # we rely on the network security to access the OpenSearch domain, no basic auth is needed url: protocol: https host: ${OPENSEARCH_HOST} diff --git a/examples/camunda-8.6/helm-values/values-no-domain.yml b/examples/camunda-8.6/helm-values/values-no-domain.yml index de3cfaf6..fda55c13 100644 --- a/examples/camunda-8.6/helm-values/values-no-domain.yml +++ b/examples/camunda-8.6/helm-values/values-no-domain.yml @@ -18,10 +18,7 @@ global: enabled: true aws: enabled: true - auth: - username: ${OPENSEARCH_MASTER_USER} - existingSecret: opensearch-secret - existingSecretKey: password + # we rely on the network security to access the OpenSearch domain, no basic auth is needed url: protocol: https host: ${OPENSEARCH_HOST} 
diff --git a/examples/camunda-8.6/opensearch.tf b/examples/camunda-8.6/opensearch.tf index 8bee7192..e730fe9c 100644 --- a/examples/camunda-8.6/opensearch.tf +++ b/examples/camunda-8.6/opensearch.tf @@ -1,8 +1,5 @@ locals { opensearch_domain_name = "domain-name-os-std" # Replace "domain-name" with your domain name - - opensearch_master_username = "secret_user" # Replace with your opensearch username - opensearch_master_password = "Secretvalue$23" # Replace with your opensearch password } module "opensearch_domain" { @@ -18,11 +15,7 @@ module "opensearch_domain" { vpc_id = module.eks_cluster.vpc_id cidr_blocks = concat(module.eks_cluster.private_vpc_cidr_blocks, module.eks_cluster.public_vpc_cidr_blocks) - advanced_security_enabled = true - advanced_security_internal_user_database_enabled = true - - advanced_security_master_user_name = local.opensearch_master_username - advanced_security_master_user_password = local.opensearch_master_password + advanced_security_enabled = false depends_on = [module.eks_cluster] } From 4f46e19356d99b74efd092aaf4b63c0f6af90dab Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Tue, 15 Oct 2024 15:56:08 +0200 Subject: [PATCH 074/135] introduce one db per component --- examples/camunda-8.6-irsa/db.tf | 23 ++++++++++++++++------- examples/camunda-8.6/db.tf | 15 +++++++++++++-- 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/examples/camunda-8.6-irsa/db.tf b/examples/camunda-8.6-irsa/db.tf index 75ee94ba..bfe4941e 100644 --- a/examples/camunda-8.6-irsa/db.tf +++ b/examples/camunda-8.6-irsa/db.tf 
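Review bot: `advanced_security_enabled = false` in the second hunk removes fine-grained access control, while the context line above it still passes both the private and the public VPC CIDR blocks in `cidr_blocks`. Every workload in those subnets can then reach the domain with no credential check beyond whatever the domain access policy enforces, and that policy is not visible here. For this example, consider `cidr_blocks = module.eks_cluster.private_vpc_cidr_blocks`, and extend the `# we rely on the network security ...` comment in the two values files to name the control being relied on. The `module "opensearch_domain"` block begins outside the hunk.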
@@ -4,13 +4,18 @@ locals { aurora_master_username = "secret_user" # Replace with your Aurora username aurora_master_password = "secretvalue%23" # Replace with your Aurora password - camunda_database = "camunda" # Name of your camunda database + camunda_database_keycloak = "camunda_keycloak" # Name of your camunda database for Keycloak + camunda_database_identity = "camunda_identity" # Name of your camunda database for Identity + camunda_database_webmodeler = "camunda_webmodeler" # Name of your camunda database for WebModeler # IRSA configuration - aurora_irsa_username = "secret_user_irsa" # This is the username that will be used for IRSA connection to the DB - camunda_webmodeler_service_account = "webmodeler-sa" # Replace with your Kubernetes ServiceAcccount that will be created for WebModeler - camunda_identity_service_account = "identity-sa" # Replace with your Kubernetes ServiceAcccount that will be created for Identity - camunda_keycloak_service_account = "keycloak-sa" # Replace with your Kubernetes ServiceAcccount that will be created for Keycloak + aurora_irsa_keycloak_username = "keycloak_irsa" # This is the username that will be used for IRSA connection to the DB on Keycloak db + aurora_irsa_identity_username = "identity_irsa" # This is the username that will be used for IRSA connection to the DB on Identity db + aurora_irsa_webmodeler_username = "webmodeler_irsa" # This is the username that will be used for IRSA connection to the DB on WebModeler db + + camunda_keycloak_service_account = "keycloak-sa" # Replace with your Kubernetes ServiceAcccount that will be created for Keycloak + camunda_identity_service_account = "identity-sa" # Replace with your Kubernetes ServiceAcccount that will be created for Identity + camunda_webmodeler_service_account = "webmodeler-sa" # Replace with your Kubernetes ServiceAcccount that will be created for WebModeler } module "postgresql" { 
@@ -18,7 +23,7 @@ module "postgresql" { engine_version = "15.8" auto_minor_version_upgrade = false cluster_name = local.aurora_cluster_name - default_database_name = local.camunda_database + default_database_name = local.camunda_database_keycloak availability_zones = ["${local.eks_cluster_region}a", "${local.eks_cluster_region}b", "${local.eks_cluster_region}c"] @@ -45,7 +50,11 @@ module "postgresql" { "Action": [ "rds-db:connect" ], - "Resource": "arn:aws:rds-db:${local.eks_cluster_region}:${module.eks_cluster.aws_caller_identity_account_id}:dbuser:${local.aurora_cluster_name}/${local.aurora_irsa_username}" + "Resource": [ + "arn:aws:rds-db:${local.eks_cluster_region}:${module.eks_cluster.aws_caller_identity_account_id}:dbuser:${local.aurora_cluster_name}/${local.aurora_irsa_keycloak_username}", + "arn:aws:rds-db:${local.eks_cluster_region}:${module.eks_cluster.aws_caller_identity_account_id}:dbuser:${local.aurora_cluster_name}/${local.aurora_irsa_identity_username}", + "arn:aws:rds-db:${local.eks_cluster_region}:${module.eks_cluster.aws_caller_identity_account_id}:dbuser:${local.aurora_cluster_name}/${local.aurora_irsa_webmodeler_username}" + ] } ] } diff --git a/examples/camunda-8.6/db.tf b/examples/camunda-8.6/db.tf index a600800f..cba65e49 100644 --- a/examples/camunda-8.6/db.tf +++ b/examples/camunda-8.6/db.tf 
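Review bot: The `Resource` list in the `rds-db:connect` statement now puts all three `dbuser` ARNs into one policy, so whichever role carries this policy can request a token for any of the three database users. The per-component databases then give no isolation between Keycloak, Identity and WebModeler at the IAM layer. If the module allows it, each service account should get its own role whose policy lists only its own `dbuser` ARN. The policy document and the role's trust statement start outside this hunk, so which service accounts can assume the role cannot be confirmed from here.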
@@ -4,7 +4,18 @@ locals { aurora_master_username = "secret_user" # Replace with your Aurora username aurora_master_password = "secretvalue%23" # Replace with your Aurora password - camunda_database = "camunda" # Name of your camunda database + camunda_database_keycloak = "camunda_keycloak" # Name of your camunda database for Keycloak + camunda_database_identity = "camunda_identity" # Name of your camunda database for Identity + camunda_database_webmodeler = "camunda_webmodeler" # Name of your camunda database for WebModeler + + # Connection configuration + keycloak_db_username = "keycloak_db" # This is the username that will be used for connection to the DB on Keycloak db + identity_db_username = "identity_db" # This is the username that will be used for connection to the DB on Identity db + webmodeler_db_username = "webmodeler_db" # This is the username that will be used for connection to the DB on WebModeler db + + keycloak_db_password = "secretvalue%24" # Replace with a password that will be used for connection to the DB on Keycloak db + identity_db_password = "secretvalue%25" # Replace with a password that will be used for connection to the DB on Identity db + webmodeler_db_password = "secretvalue%26" # Replace with a password that will be used for connection to the DB on WebModeler db } module "postgresql" { @@ -12,7 +23,7 @@ module "postgresql" { engine_version = "15.8" auto_minor_version_upgrade = false cluster_name = local.aurora_cluster_name - default_database_name = local.camunda_database + default_database_name = local.camunda_database_keycloak availability_zones = ["${local.eks_cluster_region}a", "${local.eks_cluster_region}b", "${local.eks_cluster_region}c"] From ad4277300e294bc5c268c00cee24dda8d9435d78 Mon Sep 17 00:00:00 2001 
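Review bot: The three new `*_db_password` locals in the first hunk hold literal passwords, as the existing `aurora_master_password` context line does. Anyone who copies the example and edits the value in place ends up committing a credential to version control. Declaring them as inputs keeps the value out of the source and redacts it in plan output, e.g. `variable "keycloak_db_password" { type = string, sensitive = true }`, referenced as `var.keycloak_db_password`. The rename in PATCH 075 keeps the same literals, so the same change applies there. The `locals` block continues outside the hunk.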
From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Tue, 15 Oct 2024 15:58:20 +0200 Subject: [PATCH 075/135] update db --- examples/camunda-8.6-irsa/db.tf | 6 +++--- examples/camunda-8.6/db.tf | 12 ++++++------ 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/examples/camunda-8.6-irsa/db.tf b/examples/camunda-8.6-irsa/db.tf index bfe4941e..ad0c94fc 100644 --- a/examples/camunda-8.6-irsa/db.tf +++ b/examples/camunda-8.6-irsa/db.tf @@ -9,9 +9,9 @@ locals { camunda_database_webmodeler = "camunda_webmodeler" # Name of your camunda database for WebModeler # IRSA configuration - aurora_irsa_keycloak_username = "keycloak_irsa" # This is the username that will be used for IRSA connection to the DB on Keycloak db - aurora_irsa_identity_username = "identity_irsa" # This is the username that will be used for IRSA connection to the DB on Identity db - aurora_irsa_webmodeler_username = "webmodeler_irsa" # This is the username that will be used for IRSA connection to the DB on WebModeler db + camunda_keycloak_db_username = "keycloak_irsa" # This is the username that will be used for IRSA connection to the DB on Keycloak db + camunda_identity_db_username = "identity_irsa" # This is the username that will be used for IRSA connection to the DB on Identity db + camunda_webmodeler_db_username = "webmodeler_irsa" # This is the username that will be used for IRSA connection to the DB on WebModeler db camunda_keycloak_service_account = "keycloak-sa" # Replace with your Kubernetes ServiceAcccount that will be created for Keycloak camunda_identity_service_account = "identity-sa" # Replace with your Kubernetes ServiceAcccount that will be created for Identity diff --git a/examples/camunda-8.6/db.tf b/examples/camunda-8.6/db.tf index cba65e49..b1188bf5 100644 --- a/examples/camunda-8.6/db.tf +++ b/examples/camunda-8.6/db.tf 
@@ -9,13 +9,13 @@ locals { camunda_database_webmodeler = "camunda_webmodeler" # Name of your camunda database for WebModeler # Connection configuration - keycloak_db_username = "keycloak_db" # This is the username that will be used for connection to the DB on Keycloak db - identity_db_username = "identity_db" # This is the username that will be used for connection to the DB on Identity db - webmodeler_db_username = "webmodeler_db" # This is the username that will be used for connection to the DB on WebModeler db + camunda_keycloak_db_username = "keycloak_db" # This is the username that will be used for connection to the DB on Keycloak db + camunda_identity_db_username = "identity_db" # This is the username that will be used for connection to the DB on Identity db + camunda_webmodeler_db_username = "webmodeler_db" # This is the username that will be used for connection to the DB on WebModeler db - keycloak_db_password = "secretvalue%24" # Replace with a password that will be used for connection to the DB on Keycloak db - identity_db_password = "secretvalue%25" # Replace with a password that will be used for connection to the DB on Identity db - webmodeler_db_password = "secretvalue%26" # Replace with a password that will be used for connection to the DB on WebModeler db + camunda_keycloak_db_password = "secretvalue%24" # Replace with a password that will be used for connection to the DB on Keycloak db + camunda_identity_db_password = "secretvalue%25" # Replace with a password that will be used for connection to the DB on Identity db + camunda_webmodeler_db_password = "secretvalue%26" # Replace with a password that will be used for connection to the DB on WebModeler db } module "postgresql" { From f00dc1460535870f53cfbb572325895dab9555c7 Mon Sep 17 00:00:00 2001 
From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Tue, 15 Oct 2024 16:51:00 +0200 Subject: [PATCH 076/135] update db creation script --- .../irsa-postgres-create-db.yml | 70 ++++++++++++++++--- 1 file changed, 62 insertions(+), 8 deletions(-) diff --git a/examples/camunda-8.6-irsa/irsa-postgres-create-db.yml b/examples/camunda-8.6-irsa/irsa-postgres-create-db.yml index c2e24fa5..609e060c 100644 --- a/examples/camunda-8.6-irsa/irsa-postgres-create-db.yml +++ b/examples/camunda-8.6-irsa/irsa-postgres-create-db.yml 
@@ -24,13 +24,27 @@ spec: echo "Installing dependencies..." yum install -y postgresql15 unzip awscli-2 - echo "Creating IRSA db user using admin user" + echo "Create keycloak user and associated database" psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=$AURORA_DB_NAME user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ - -c "CREATE USER \"${AURORA_USERNAME_IRSA}\" WITH LOGIN;" \ - -c "GRANT rds_iam TO \"${AURORA_USERNAME_IRSA}\";" \ - -c "GRANT ALL PRIVILEGES ON DATABASE \"${AURORA_DB_NAME}\" TO \"${AURORA_USERNAME_IRSA}\";" \ - -c "SELECT aurora_version();" \ - -c "SELECT version();" -c "\du" + -c "CREATE DATABASE \"${DB_KEYCLOAK_NAME}\";" \ + -c "CREATE USER \"${DB_KEYCLOAK_USERNAME}\" WITH LOGIN;" \ + -c "GRANT ALL PRIVILEGES ON DATABASE \"${DB_KEYCLOAK_NAME}\" TO \"${DB_KEYCLOAK_USERNAME}\";" \ + -c "GRANT rds_iam TO \"${CAMUNDA_KEYCLOAK_SERVICE_ACCOUNT_NAME}\";" + + echo "Create identity user and associated database" + psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=$AURORA_DB_NAME user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ + -c "CREATE DATABASE \"${DB_IDENTITY_NAME}\";" \ + -c "CREATE USER \"${DB_IDENTITY_USERNAME}\" WITH LOGIN;" \ + -c "GRANT ALL PRIVILEGES ON DATABASE \"${DB_IDENTITY_NAME}\" TO \"${DB_IDENTITY_USERNAME}\";" \ + -c "GRANT rds_iam TO \"${CAMUNDA_IDENTITY_SERVICE_ACCOUNT_NAME}\";" + + echo "Create webmodeler user and associated database" + psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=$AURORA_DB_NAME user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ + -c "CREATE DATABASE \"${DB_WEBMODELER_NAME}\";" \ + -c "CREATE USER \"${DB_WEBMODELER_USERNAME}\" WITH LOGIN;" \ + -c "GRANT ALL PRIVILEGES ON DATABASE \"${DB_WEBMODELER_NAME}\" TO \"${DB_WEBMODELER_USERNAME}\";" \ + -c "GRANT rds_iam TO \"${CAMUNDA_WEBMODELER_SERVICE_ACCOUNT_NAME}\";" + EOF env: - name: AURORA_ENDPOINT 
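Review bot: The three added `GRANT rds_iam TO ...` statements target `${CAMUNDA_KEYCLOAK_SERVICE_ACCOUNT_NAME}`, `${CAMUNDA_IDENTITY_SERVICE_ACCOUNT_NAME}` and `${CAMUNDA_WEBMODELER_SERVICE_ACCOUNT_NAME}`, which by their names hold Kubernetes service account names rather than the PostgreSQL users created one statement earlier. As written the new users never receive `rds_iam`, so IAM token login for them will presumably fail. The grant should name the database user, e.g. `-c "GRANT rds_iam TO \"${DB_KEYCLOAK_USERNAME}\";"`, and likewise for Identity and WebModeler. The script sets only `pipefail`, so an earlier failing psql call does not stop it; `set -e` plus `-v ON_ERROR_STOP=1` on each psql call would make the Job fail visibly. The Job spec continues outside the hunk.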
@@ -58,8 +72,48 @@ spec: secretKeyRef: name: irsa-db-secret key: AURORA_PASSWORD - - name: AURORA_USERNAME_IRSA + - name: DB_KEYCLOAK_NAME + valueFrom: + secretKeyRef: + name: irsa-db-secret + key: DB_KEYCLOAK_NAME + - name: DB_KEYCLOAK_USERNAME + valueFrom: + secretKeyRef: + name: irsa-db-secret + key: DB_KEYCLOAK_USERNAME + - name: CAMUNDA_KEYCLOAK_SERVICE_ACCOUNT_NAME + valueFrom: + secretKeyRef: + name: irsa-db-secret + key: CAMUNDA_KEYCLOAK_SERVICE_ACCOUNT_NAME + - name: DB_IDENTITY_NAME + valueFrom: + secretKeyRef: + name: irsa-db-secret + key: DB_IDENTITY_NAME + - name: DB_IDENTITY_USERNAME + valueFrom: + secretKeyRef: + name: irsa-db-secret + key: DB_IDENTITY_USERNAME + - name: CAMUNDA_IDENTITY_SERVICE_ACCOUNT_NAME + valueFrom: + secretKeyRef: + name: irsa-db-secret + key: CAMUNDA_IDENTITY_SERVICE_ACCOUNT_NAME + - name: DB_WEBMODELER_NAME + valueFrom: + secretKeyRef: + name: irsa-db-secret + key: DB_WEBMODELER_NAME + - name: DB_WEBMODELER_USERNAME + valueFrom: + secretKeyRef: + name: irsa-db-secret + key: DB_WEBMODELER_USERNAME + - name: CAMUNDA_WEBMODELER_SERVICE_ACCOUNT_NAME valueFrom: secretKeyRef: name: irsa-db-secret - key: AURORA_USERNAME_IRSA + key: CAMUNDA_WEBMODELER_SERVICE_ACCOUNT_NAME From 0760f394f5982331999a814e938abb0188c190ca Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Tue, 15 Oct 2024 17:04:19 +0200 Subject: [PATCH 077/135] update setup of database --- ...te-db.yml => setup-postgres-create-db.yml} | 36 +++--- .../camunda-8.6/setup-postgres-create-db.yml | 116 ++++++++++++++++++ 2 files changed, 134 insertions(+), 18 deletions(-) rename examples/camunda-8.6-irsa/{irsa-postgres-create-db.yml => setup-postgres-create-db.yml} (84%) create mode 100644 examples/camunda-8.6/setup-postgres-create-db.yml 
diff --git a/examples/camunda-8.6-irsa/irsa-postgres-create-db.yml b/examples/camunda-8.6-irsa/setup-postgres-create-db.yml similarity index 84% rename from examples/camunda-8.6-irsa/irsa-postgres-create-db.yml rename to examples/camunda-8.6-irsa/setup-postgres-create-db.yml index 609e060c..5ecb52f3 100644 --- a/examples/camunda-8.6-irsa/irsa-postgres-create-db.yml +++ b/examples/camunda-8.6-irsa/setup-postgres-create-db.yml @@ -3,16 +3,16 @@ apiVersion: batch/v1 kind: Job metadata: - name: create-irsa-user-db + name: create-setup-user-db labels: - app: create-irsa-user-db + app: create-setup-user-db spec: backoffLimit: 0 template: spec: restartPolicy: Never containers: - - name: create-irsa-user-db + - name: create-setup-user-db image: amazonlinux:latest command: - sh @@ -22,7 +22,7 @@ spec: set -o pipefail echo "Installing dependencies..." - yum install -y postgresql15 unzip awscli-2 + yum install -y postgresql15 echo "Create keycloak user and associated database" psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=$AURORA_DB_NAME user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ 
@@ -50,70 +50,70 @@ spec: - name: AURORA_ENDPOINT valueFrom: secretKeyRef: - name: irsa-db-secret + name: setup-db-secret key: AURORA_ENDPOINT - name: AURORA_PORT valueFrom: secretKeyRef: - name: irsa-db-secret + name: setup-db-secret key: AURORA_PORT - name: AURORA_DB_NAME valueFrom: secretKeyRef: - name: irsa-db-secret + name: setup-db-secret key: AURORA_DB_NAME - name: AURORA_USERNAME valueFrom: secretKeyRef: - name: irsa-db-secret + name: setup-db-secret key: AURORA_USERNAME - name: AURORA_PASSWORD valueFrom: secretKeyRef: - name: irsa-db-secret + name: setup-db-secret key: AURORA_PASSWORD - name: DB_KEYCLOAK_NAME valueFrom: secretKeyRef: - name: irsa-db-secret + name: setup-db-secret key: DB_KEYCLOAK_NAME - name: DB_KEYCLOAK_USERNAME valueFrom: secretKeyRef: - name: irsa-db-secret + name: setup-db-secret key: DB_KEYCLOAK_USERNAME - name: CAMUNDA_KEYCLOAK_SERVICE_ACCOUNT_NAME valueFrom: secretKeyRef: - name: irsa-db-secret + name: setup-db-secret key: CAMUNDA_KEYCLOAK_SERVICE_ACCOUNT_NAME - name: DB_IDENTITY_NAME valueFrom: secretKeyRef: - name: irsa-db-secret + name: setup-db-secret key: DB_IDENTITY_NAME - name: DB_IDENTITY_USERNAME valueFrom: secretKeyRef: - name: irsa-db-secret + name: setup-db-secret key: DB_IDENTITY_USERNAME - name: CAMUNDA_IDENTITY_SERVICE_ACCOUNT_NAME valueFrom: secretKeyRef: - name: irsa-db-secret + name: setup-db-secret key: CAMUNDA_IDENTITY_SERVICE_ACCOUNT_NAME - name: DB_WEBMODELER_NAME valueFrom: secretKeyRef: - name: irsa-db-secret + name: setup-db-secret key: DB_WEBMODELER_NAME - name: DB_WEBMODELER_USERNAME valueFrom: secretKeyRef: - name: irsa-db-secret + name: setup-db-secret key: DB_WEBMODELER_USERNAME - name: CAMUNDA_WEBMODELER_SERVICE_ACCOUNT_NAME valueFrom: secretKeyRef: - name: irsa-db-secret + name: setup-db-secret key: CAMUNDA_WEBMODELER_SERVICE_ACCOUNT_NAME diff --git a/examples/camunda-8.6/setup-postgres-create-db.yml b/examples/camunda-8.6/setup-postgres-create-db.yml new file mode 100644 index 00000000..92e89f75 
--- /dev/null +++ b/examples/camunda-8.6/setup-postgres-create-db.yml 
@@ -0,0 +1,116 @@ +--- +# this manifest creates the database +apiVersion: batch/v1 +kind: Job +metadata: + name: create-setup-user-db + labels: + app: create-setup-user-db +spec: + backoffLimit: 0 + template: + spec: + restartPolicy: Never + containers: + - name: create-setup-user-db + image: amazonlinux:latest + command: + - sh + - -c + - | + /bin/bash <<'EOF' + set -o pipefail + + echo "Installing dependencies..." + yum install -y postgresql15 + + echo "Create keycloak user and associated database" + psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=$AURORA_DB_NAME user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ + -c "CREATE DATABASE \"${DB_KEYCLOAK_NAME}\";" \ + -c "CREATE USER \"${DB_KEYCLOAK_USERNAME}\" WITH PASSWORD '${DB_KEYCLOAK_PASSWORD}';" \ + -c "GRANT ALL PRIVILEGES ON DATABASE \"${DB_KEYCLOAK_NAME}\" TO \"${DB_KEYCLOAK_USERNAME}\";" + + echo "Create identity user and associated database" + psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=$AURORA_DB_NAME user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ + -c "CREATE DATABASE \"${DB_IDENTITY_NAME}\";" \ + -c "CREATE USER \"${DB_IDENTITY_USERNAME}\" WITH PASSWORD '${DB_IDENTITY_PASSWORD}';" \ + -c "GRANT ALL PRIVILEGES ON DATABASE \"${DB_IDENTITY_NAME}\" TO \"${DB_IDENTITY_USERNAME}\";" + + echo "Create webmodeler user and associated database" + psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=$AURORA_DB_NAME user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ + -c "CREATE DATABASE \"${DB_WEBMODELER_NAME}\";" \ + -c "CREATE USER \"${DB_WEBMODELER_USERNAME}\" WITH PASSWORD '${DB_WEBMODELER_PASSWORD}';" \ + -c "GRANT ALL PRIVILEGES ON DATABASE \"${DB_WEBMODELER_NAME}\" TO \"${DB_WEBMODELER_USERNAME}\";" + + EOF + env: + - name: AURORA_ENDPOINT + valueFrom: + secretKeyRef: + name: setup-db-secret + key: AURORA_ENDPOINT + - name: AURORA_PORT + valueFrom: + secretKeyRef: + name: setup-db-secret + key: AURORA_PORT + - name: AURORA_DB_NAME + valueFrom: + 
secretKeyRef: + name: setup-db-secret + key: AURORA_DB_NAME + - name: AURORA_USERNAME + valueFrom: + secretKeyRef: + name: setup-db-secret + key: AURORA_USERNAME + - name: AURORA_PASSWORD + valueFrom: + secretKeyRef: + name: setup-db-secret + key: AURORA_PASSWORD + - name: DB_KEYCLOAK_NAME + valueFrom: + secretKeyRef: + name: setup-db-secret + key: DB_KEYCLOAK_NAME + - name: DB_KEYCLOAK_USERNAME + valueFrom: + secretKeyRef: + name: setup-db-secret + key: DB_KEYCLOAK_USERNAME + - name: DB_KEYCLOAK_PASSWORD + valueFrom: + secretKeyRef: + name: setup-db-secret + key: DB_KEYCLOAK_PASSWORD + - name: DB_IDENTITY_NAME + valueFrom: + secretKeyRef: + name: setup-db-secret + key: DB_IDENTITY_NAME + - name: DB_IDENTITY_USERNAME + valueFrom: + secretKeyRef: + name: setup-db-secret + key: DB_IDENTITY_USERNAME + - name: DB_IDENTITY_PASSWORD + valueFrom: + secretKeyRef: + name: setup-db-secret + key: DB_IDENTITY_PASSWORD + - name: DB_WEBMODELER_NAME + valueFrom: + secretKeyRef: + name: setup-db-secret + key: DB_WEBMODELER_NAME + - name: DB_WEBMODELER_USERNAME + valueFrom: + secretKeyRef: + name: setup-db-secret + key: DB_WEBMODELER_USERNAME + - name: DB_WEBMODELER_PASSWORD + valueFrom: + secretKeyRef: + name: setup-db-secret + key: DB_WEBMODELER_PASSWORD From 0878a090c467817363bc6f206defa314422a4527 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Tue, 15 Oct 2024 17:41:21 +0200 Subject: [PATCH 078/135] configure external db for each component --- .../helm-values/values-domain.yml | 28 ++++++++++------ .../helm-values/values-no-domain.yml | 32 +++++++++++-------- .../camunda-8.6/helm-values/values-domain.yml | 19 +++++++++++ .../helm-values/values-no-domain.yml | 20 ++++++++++++ 4 files changed, 76 insertions(+), 23 deletions(-) diff --git a/examples/camunda-8.6-irsa/helm-values/values-domain.yml b/examples/camunda-8.6-irsa/helm-values/values-domain.yml index 43efa301..be559a58 100644 
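Review bot: Each `CREATE USER ... WITH PASSWORD '${DB_*_PASSWORD}'` statement splices the secret value into the SQL text through shell expansion, so a password containing a single quote breaks the statement or changes its meaning. The master password is also passed inside the psql connection argument. Reading the values inside psql with `\getenv` and quoting them with `:'var'` / `:"var"` avoids both problems, and `PGPASSWORD` keeps the master password out of the argument list. The script also sets only `pipefail`, so a failed statement does not fail the Job; `set -e` and `ON_ERROR_STOP` fix that. The sketch below shows the Keycloak step, and the other two follow the same pattern.

```yaml
# … unchanged: Job metadata, container image, dependency install …
              set -euo pipefail
              export PGPASSWORD="$AURORA_PASSWORD"

              echo "Create keycloak user and associated database"
              psql -v ON_ERROR_STOP=1 -h "$AURORA_ENDPOINT" -p "$AURORA_PORT" \
                "sslmode=require dbname=$AURORA_DB_NAME user=$AURORA_USERNAME" <<'SQL'
              \getenv db DB_KEYCLOAK_NAME
              \getenv usr DB_KEYCLOAK_USERNAME
              \getenv pw DB_KEYCLOAK_PASSWORD
              CREATE DATABASE :"db";
              CREATE USER :"usr" WITH PASSWORD :'pw';
              GRANT ALL PRIVILEGES ON DATABASE :"db" TO :"usr";
              SQL
# … unchanged: identity and webmodeler steps (same pattern), env block …
```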
--- a/examples/camunda-8.6-irsa/helm-values/values-domain.yml +++ b/examples/camunda-8.6-irsa/helm-values/values-domain.yml @@ -9,10 +9,10 @@ identityKeycloak: enabled: false externalDatabase: host: ${DB_HOST} - user: ${PG_USERNAME} + user: ${DB_KEYCLOAK_USERNAME} port: 5432 password: '' # let it empty as we use IRSA - database: ${DEFAULT_DB_NAME} + database: ${DB_KEYCLOAK_NAME} extraEnvVars: - name: KEYCLOAK_EXTRA_ARGS @@ -63,12 +63,13 @@ webModeler: annotations: eks.amazonaws.com/role-arn: ${DB_ROLE_ARN} - env: - - name: SPRING_DATASOURCE_DRIVER_CLASS_NAME - value: software.amazon.jdbc.Driver - externalDatabase: - url: jdbc:aws-wrapper:postgresql://${DB_HOST}:5432/${DEFAULT_DB_NAME}?wrapperPlugins=iam - user: ${PG_USERNAME} + restapi: + externalDatabase: + url: jdbc:aws-wrapper:postgresql://${DB_HOST}:5432/${DB_WEBMODELER_NAME}?wrapperPlugins=iam + user: ${DB_WEBMODELER_USERNAME} + env: + - name: SPRING_DATASOURCE_DRIVER_CLASS_NAME + value: software.amazon.jdbc.Driver identity: contextPath: /identity @@ -79,13 +80,20 @@ identity: annotations: eks.amazonaws.com/role-arn: ${DB_ROLE_ARN} + externalDatabase: + enabled: true + host: ${DB_HOST} + port: 5432 + username: ${DB_IDENTITY_USERNAME} + database: ${DB_IDENTITY_NAME} + env: - name: SPRING_DATASOURCE_URL - value: jdbc:aws-wrapper:postgresql://${DB_HOST}:5432/${DEFAULT_DB_NAME}?wrapperPlugins=iam + value: jdbc:aws-wrapper:postgresql://${DB_HOST}:5432/${DB_IDENTITY_NAME}?wrapperPlugins=iam - name: SPRING_DATASOURCE_DRIVER_CLASS_NAME value: software.amazon.jdbc.Driver - name: SPRING_DATASOURCE_USERNAME - value: ${PG_USERNAME} + value: ${DB_IDENTITY_USERNAME} operate: diff --git a/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml b/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml index 92acd4eb..bf24059e 100644 --- a/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml +++ b/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml 
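Review bot: The new JDBC URLs for Identity (`SPRING_DATASOURCE_URL`) and WebModeler (`restapi.externalDatabase.url`) end at `?wrapperPlugins=iam`, whereas the Keycloak `KC_DB_URL` in `values-no-domain.yml` also appends `&ssl=true&sslmode=require`. The IAM token is sent as the password, so these connections should require TLS explicitly rather than depend on driver defaults, e.g. `jdbc:aws-wrapper:postgresql://${DB_HOST}:5432/${DB_IDENTITY_NAME}?wrapperPlugins=iam&ssl=true&sslmode=require`. The matching hunks in `values-no-domain.yml` need the same change.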
@@ -9,10 +9,10 @@ identityKeycloak: enabled: false externalDatabase: host: ${DB_HOST} - user: ${PG_USERNAME} + user: ${DB_KEYCLOAK_USERNAME} port: 5432 password: '' # let it empty as we use IRSA - database: ${DEFAULT_DB_NAME} + database: ${DB_KEYCLOAK_NAME} extraEnvVars: - name: KEYCLOAK_EXTRA_ARGS @@ -26,7 +26,7 @@ identityKeycloak: - name: KC_DB value: postgres - name: KC_DB_URL - value: jdbc:aws-wrapper:postgresql://${DB_HOST}:5432/${DEFAULT_DB_NAME}?wrapperPlugins=iam&ssl=true&sslmode=require + value: jdbc:aws-wrapper:postgresql://${DB_HOST}:5432/${DB_KEYCLOAK_NAME}?wrapperPlugins=iam&ssl=true&sslmode=require global: elasticsearch: @@ -47,12 +47,13 @@ webModeler: annotations: eks.amazonaws.com/role-arn: ${DB_ROLE_ARN} - env: - - name: SPRING_DATASOURCE_DRIVER_CLASS_NAME - value: software.amazon.jdbc.Driver - externalDatabase: - url: jdbc:aws-wrapper:postgresql://${DB_HOST}:5432/${DEFAULT_DB_NAME}?wrapperPlugins=iam - user: ${PG_USERNAME} + restapi: + externalDatabase: + url: jdbc:aws-wrapper:postgresql://${DB_HOST}:5432/${DB_WEBMODELER_NAME}?wrapperPlugins=iam + user: ${DB_WEBMODELER_USERNAME} + env: + - name: SPRING_DATASOURCE_DRIVER_CLASS_NAME + value: software.amazon.jdbc.Driver identity: @@ -61,15 +62,20 @@ identity: annotations: eks.amazonaws.com/role-arn: ${DB_ROLE_ARN} + externalDatabase: + enabled: true + host: ${DB_HOST} + port: 5432 + username: ${DB_IDENTITY_USERNAME} + database: ${DB_IDENTITY_NAME} + env: - name: SPRING_DATASOURCE_URL - value: jdbc:aws-wrapper:postgresql://${DB_HOST}:5432/${DEFAULT_DB_NAME}?wrapperPlugins=iam - + value: jdbc:aws-wrapper:postgresql://${DB_HOST}:5432/${DB_IDENTITY_NAME}?wrapperPlugins=iam - name: SPRING_DATASOURCE_DRIVER_CLASS_NAME value: software.amazon.jdbc.Driver - - name: SPRING_DATASOURCE_USERNAME - value: ${PG_USERNAME} + value: ${DB_IDENTITY_USERNAME} zeebe: serviceAccount: 
diff --git a/examples/camunda-8.6/helm-values/values-domain.yml b/examples/camunda-8.6/helm-values/values-domain.yml index 12dabbe7..308bcdf1 100644 --- a/examples/camunda-8.6/helm-values/values-domain.yml +++ b/examples/camunda-8.6/helm-values/values-domain.yml @@ -51,12 +51,31 @@ identity: contextPath: /identity fullURL: https://${DOMAIN_NAME}/identity + externalDatabase: + enabled: true + host: ${DB_HOST} + port: 5432 + username: ${DB_IDENTITY_USERNAME} + database: ${DB_IDENTITY_NAME} + existingSecret: identity-postgres-secret + existingSecretPasswordKey: password + operate: contextPath: /operate tasklist: contextPath: /tasklist +webModeler: + enabled: false # by default, webModeler is not enabled + + restapi: + externalDatabase: + url: jdbc:aws-wrapper:postgresql://${DB_HOST}:5432/${DB_WEBMODELER_NAME} + user: ${DB_WEBMODELER_USERNAME} + existingSecret: webmodeler-postgres-secret + existingSecretPasswordKey: password + optimize: contextPath: /optimize diff --git a/examples/camunda-8.6/helm-values/values-no-domain.yml b/examples/camunda-8.6/helm-values/values-no-domain.yml index fda55c13..ade46d96 100644 --- a/examples/camunda-8.6/helm-values/values-no-domain.yml +++ b/examples/camunda-8.6/helm-values/values-no-domain.yml @@ -25,6 +25,26 @@ global: # Amazon OpenSearch Service listens on port 443 opposed to the usual port 9200. port: 443 +identity: + externalDatabase: + enabled: true + host: ${DB_HOST} + port: 5432 + username: ${DB_IDENTITY_USERNAME} + database: ${DB_IDENTITY_NAME} + existingSecret: identity-postgres-secret + existingSecretPasswordKey: password + +webModeler: + enabled: false # by default, webModeler is not enabled + + restapi: + externalDatabase: + url: jdbc:aws-wrapper:postgresql://${DB_HOST}:5432/${DB_WEBMODELER_NAME} + user: ${DB_WEBMODELER_USERNAME} + existingSecret: webmodeler-postgres-secret + existingSecretPasswordKey: password + optimize: migration: enabled: false From 0a0511d6d7417ad5c26cef778f78e65e0b5b67bb Mon Sep 17 00:00:00 2001 
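Review bot: `webModeler.restapi.externalDatabase.url` uses the `jdbc:aws-wrapper:postgresql://` scheme in this password-based example, but nothing in the hunk sets `SPRING_DATASOURCE_DRIVER_CLASS_NAME` the way the IRSA values file does. Unless the chart selects the AWS wrapper driver on its own, the plain form `jdbc:postgresql://${DB_HOST}:5432/${DB_WEBMODELER_NAME}` looks like what is intended here; the same URL is added in `values-no-domain.yml`. A short comment naming `identity-postgres-secret` and `webmodeler-postgres-secret` as prerequisites would also help, since these hunks reference the Secrets without creating them.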
From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Tue, 15 Oct 2024 17:54:50 +0200 Subject: [PATCH 079/135] update database creation --- .../setup-postgres-create-db.yml | 18 +++++++++++++++--- .../camunda-8.6/setup-postgres-create-db.yml | 18 +++++++++++++++--- 2 files changed, 30 insertions(+), 6 deletions(-) diff --git a/examples/camunda-8.6-irsa/setup-postgres-create-db.yml b/examples/camunda-8.6-irsa/setup-postgres-create-db.yml index 5ecb52f3..5938fdab 100644 --- a/examples/camunda-8.6-irsa/setup-postgres-create-db.yml +++ b/examples/camunda-8.6-irsa/setup-postgres-create-db.yml 
@@ -27,23 +27,35 @@ spec: echo "Create keycloak user and associated database" psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=$AURORA_DB_NAME user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ -c "CREATE DATABASE \"${DB_KEYCLOAK_NAME}\";" \ - -c "CREATE USER \"${DB_KEYCLOAK_USERNAME}\" WITH LOGIN;" \ + -c "CREATE USER \"${DB_KEYCLOAK_USERNAME}\" WITH LOGIN NOSUPERUSER CREATEDB CREATEROLE INHERIT;" \ -c "GRANT ALL PRIVILEGES ON DATABASE \"${DB_KEYCLOAK_NAME}\" TO \"${DB_KEYCLOAK_USERNAME}\";" \ -c "GRANT rds_iam TO \"${CAMUNDA_KEYCLOAK_SERVICE_ACCOUNT_NAME}\";" + -c "GRANT USAGE ON SCHEMA public TO \"${DB_KEYCLOAK_USERNAME}\";" + -c "GRANT CREATE ON SCHEMA public TO \"${DB_KEYCLOAK_USERNAME}\";" + -c "GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO \"${DB_KEYCLOAK_USERNAME}\";" + -c "GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO \"${DB_KEYCLOAK_USERNAME}\";" echo "Create identity user and associated database" psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=$AURORA_DB_NAME user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ -c "CREATE DATABASE \"${DB_IDENTITY_NAME}\";" \ - -c "CREATE USER \"${DB_IDENTITY_USERNAME}\" WITH LOGIN;" \ + -c "CREATE USER \"${DB_IDENTITY_USERNAME}\" WITH LOGIN NOSUPERUSER CREATEDB CREATEROLE INHERIT;" \ -c "GRANT ALL PRIVILEGES ON DATABASE \"${DB_IDENTITY_NAME}\" TO \"${DB_IDENTITY_USERNAME}\";" \ -c "GRANT rds_iam TO \"${CAMUNDA_IDENTITY_SERVICE_ACCOUNT_NAME}\";" + -c "GRANT USAGE ON SCHEMA public TO \"${DB_IDENTITY_USERNAME}\";" + -c "GRANT CREATE ON SCHEMA public TO \"${DB_IDENTITY_USERNAME}\";" + -c "GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO \"${DB_IDENTITY_USERNAME}\";" + -c "GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO \"${DB_IDENTITY_USERNAME}\";" echo "Create webmodeler user and associated database" psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=$AURORA_DB_NAME user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ -c "CREATE DATABASE 
\"${DB_WEBMODELER_NAME}\";" \ - -c "CREATE USER \"${DB_WEBMODELER_USERNAME}\" WITH LOGIN;" \ + -c "CREATE USER \"${DB_WEBMODELER_USERNAME}\" WITH LOGIN NOSUPERUSER CREATEDB CREATEROLE INHERIT;" \ -c "GRANT ALL PRIVILEGES ON DATABASE \"${DB_WEBMODELER_NAME}\" TO \"${DB_WEBMODELER_USERNAME}\";" \ -c "GRANT rds_iam TO \"${CAMUNDA_WEBMODELER_SERVICE_ACCOUNT_NAME}\";" + -c "GRANT USAGE ON SCHEMA public TO \"${DB_WEBMODELER_USERNAME}\";" + -c "GRANT CREATE ON SCHEMA public TO \"${DB_WEBMODELER_USERNAME}\";" + -c "GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO \"${DB_WEBMODELER_USERNAME}\";" + -c "GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO \"${DB_WEBMODELER_USERNAME}\";" EOF env: diff --git a/examples/camunda-8.6/setup-postgres-create-db.yml b/examples/camunda-8.6/setup-postgres-create-db.yml index 92e89f75..235ac8f3 100644 --- a/examples/camunda-8.6/setup-postgres-create-db.yml +++ b/examples/camunda-8.6/setup-postgres-create-db.yml 
@@ -27,20 +27,32 @@ spec: echo "Create keycloak user and associated database" psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=$AURORA_DB_NAME user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ -c "CREATE DATABASE \"${DB_KEYCLOAK_NAME}\";" \ - -c "CREATE USER \"${DB_KEYCLOAK_USERNAME}\" WITH PASSWORD '${DB_KEYCLOAK_PASSWORD}';" \ + -c "CREATE USER \"${DB_KEYCLOAK_USERNAME}\" WITH PASSWORD '${DB_KEYCLOAK_PASSWORD}' NOSUPERUSER CREATEDB CREATEROLE INHERIT;" \ -c "GRANT ALL PRIVILEGES ON DATABASE \"${DB_KEYCLOAK_NAME}\" TO \"${DB_KEYCLOAK_USERNAME}\";" + -c "GRANT USAGE ON SCHEMA public TO \"${DB_KEYCLOAK_USERNAME}\";" + -c "GRANT CREATE ON SCHEMA public TO \"${DB_KEYCLOAK_USERNAME}\";" + -c "GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO \"${DB_KEYCLOAK_USERNAME}\";" + -c "GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO \"${DB_KEYCLOAK_USERNAME}\";" echo "Create identity user and associated database" psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=$AURORA_DB_NAME user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ -c "CREATE DATABASE \"${DB_IDENTITY_NAME}\";" \ - -c "CREATE USER \"${DB_IDENTITY_USERNAME}\" WITH PASSWORD '${DB_IDENTITY_PASSWORD}';" \ + -c "CREATE USER \"${DB_IDENTITY_USERNAME}\" WITH PASSWORD '${DB_IDENTITY_PASSWORD}' NOSUPERUSER CREATEDB CREATEROLE INHERIT;" \ -c "GRANT ALL PRIVILEGES ON DATABASE \"${DB_IDENTITY_NAME}\" TO \"${DB_IDENTITY_USERNAME}\";" + -c "GRANT USAGE ON SCHEMA public TO \"${DB_IDENTITY_USERNAME}\";" + -c "GRANT CREATE ON SCHEMA public TO \"${DB_IDENTITY_USERNAME}\";" + -c "GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO \"${DB_IDENTITY_USERNAME}\";" + -c "GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO \"${DB_IDENTITY_USERNAME}\";" echo "Create webmodeler user and associated database" psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=$AURORA_DB_NAME user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ -c "CREATE DATABASE \"${DB_WEBMODELER_NAME}\";" \ - 
-c "CREATE USER \"${DB_WEBMODELER_USERNAME}\" WITH PASSWORD '${DB_WEBMODELER_PASSWORD}';" \ + -c "CREATE USER \"${DB_WEBMODELER_USERNAME}\" WITH PASSWORD '${DB_WEBMODELER_PASSWORD}' NOSUPERUSER CREATEDB CREATEROLE INHERIT;" \ -c "GRANT ALL PRIVILEGES ON DATABASE \"${DB_WEBMODELER_NAME}\" TO \"${DB_WEBMODELER_USERNAME}\";" + -c "GRANT USAGE ON SCHEMA public TO \"${DB_WEBMODELER_USERNAME}\";" + -c "GRANT CREATE ON SCHEMA public TO \"${DB_WEBMODELER_USERNAME}\";" + -c "GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO \"${DB_WEBMODELER_USERNAME}\";" + -c "GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO \"${DB_WEBMODELER_USERNAME}\";" EOF env: From 894cd921851b259b2277b77d9b6dbdfce97189fc Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Tue, 15 Oct 2024 17:57:19 +0200 Subject: [PATCH 080/135] fix new line --- .../setup-postgres-create-db.yml | 24 +++++++++---------- .../camunda-8.6/setup-postgres-create-db.yml | 24 +++++++++---------- 2 files changed, 24 insertions(+), 24 deletions(-) diff --git a/examples/camunda-8.6-irsa/setup-postgres-create-db.yml b/examples/camunda-8.6-irsa/setup-postgres-create-db.yml index 5938fdab..8979fddf 100644 --- a/examples/camunda-8.6-irsa/setup-postgres-create-db.yml +++ b/examples/camunda-8.6-irsa/setup-postgres-create-db.yml 
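Review bot: `NOSUPERUSER CREATEDB CREATEROLE INHERIT` on the three `CREATE USER` statements gives each application account cluster-wide rights that owning a single database does not require. `CREATEROLE` in particular lets the account create and manage other roles (on PostgreSQL releases before 16 that extends to altering or dropping any non-superuser role), so a compromise of one component is no longer confined to its own database. I would use `NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT` unless a component is known to need more; the same clause is added in `examples/camunda-8.6-irsa/setup-postgres-create-db.yml`. The Job script starts and ends outside the hunk.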
@@ -29,10 +29,10 @@ spec: -c "CREATE DATABASE \"${DB_KEYCLOAK_NAME}\";" \ -c "CREATE USER \"${DB_KEYCLOAK_USERNAME}\" WITH LOGIN NOSUPERUSER CREATEDB CREATEROLE INHERIT;" \ -c "GRANT ALL PRIVILEGES ON DATABASE \"${DB_KEYCLOAK_NAME}\" TO \"${DB_KEYCLOAK_USERNAME}\";" \ - -c "GRANT rds_iam TO \"${CAMUNDA_KEYCLOAK_SERVICE_ACCOUNT_NAME}\";" - -c "GRANT USAGE ON SCHEMA public TO \"${DB_KEYCLOAK_USERNAME}\";" - -c "GRANT CREATE ON SCHEMA public TO \"${DB_KEYCLOAK_USERNAME}\";" - -c "GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO \"${DB_KEYCLOAK_USERNAME}\";" + -c "GRANT rds_iam TO \"${CAMUNDA_KEYCLOAK_SERVICE_ACCOUNT_NAME}\";" \ + -c "GRANT USAGE ON SCHEMA public TO \"${DB_KEYCLOAK_USERNAME}\";" \ + -c "GRANT CREATE ON SCHEMA public TO \"${DB_KEYCLOAK_USERNAME}\";" \ + -c "GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO \"${DB_KEYCLOAK_USERNAME}\";" \ -c "GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO \"${DB_KEYCLOAK_USERNAME}\";" echo "Create identity user and associated database" 
@@ -40,10 +40,10 @@ spec: -c "CREATE DATABASE \"${DB_IDENTITY_NAME}\";" \ -c "CREATE USER \"${DB_IDENTITY_USERNAME}\" WITH LOGIN NOSUPERUSER CREATEDB CREATEROLE INHERIT;" \ -c "GRANT ALL PRIVILEGES ON DATABASE \"${DB_IDENTITY_NAME}\" TO \"${DB_IDENTITY_USERNAME}\";" \ - -c "GRANT rds_iam TO \"${CAMUNDA_IDENTITY_SERVICE_ACCOUNT_NAME}\";" - -c "GRANT USAGE ON SCHEMA public TO \"${DB_IDENTITY_USERNAME}\";" - -c "GRANT CREATE ON SCHEMA public TO \"${DB_IDENTITY_USERNAME}\";" - -c "GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO \"${DB_IDENTITY_USERNAME}\";" + -c "GRANT rds_iam TO \"${CAMUNDA_IDENTITY_SERVICE_ACCOUNT_NAME}\";" \ + -c "GRANT USAGE ON SCHEMA public TO \"${DB_IDENTITY_USERNAME}\";" \ + -c "GRANT CREATE ON SCHEMA public TO \"${DB_IDENTITY_USERNAME}\";" \ + -c "GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO \"${DB_IDENTITY_USERNAME}\";" \ -c "GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO \"${DB_IDENTITY_USERNAME}\";" echo "Create webmodeler user and associated database" 
@@ -51,10 +51,10 @@ spec: -c "CREATE DATABASE \"${DB_WEBMODELER_NAME}\";" \ -c "CREATE USER \"${DB_WEBMODELER_USERNAME}\" WITH LOGIN NOSUPERUSER CREATEDB CREATEROLE INHERIT;" \ -c "GRANT ALL PRIVILEGES ON DATABASE \"${DB_WEBMODELER_NAME}\" TO \"${DB_WEBMODELER_USERNAME}\";" \ - -c "GRANT rds_iam TO \"${CAMUNDA_WEBMODELER_SERVICE_ACCOUNT_NAME}\";" - -c "GRANT USAGE ON SCHEMA public TO \"${DB_WEBMODELER_USERNAME}\";" - -c "GRANT CREATE ON SCHEMA public TO \"${DB_WEBMODELER_USERNAME}\";" - -c "GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO \"${DB_WEBMODELER_USERNAME}\";" + -c "GRANT rds_iam TO \"${CAMUNDA_WEBMODELER_SERVICE_ACCOUNT_NAME}\";" \ + -c "GRANT USAGE ON SCHEMA public TO \"${DB_WEBMODELER_USERNAME}\";" \ + -c "GRANT CREATE ON SCHEMA public TO \"${DB_WEBMODELER_USERNAME}\";" \ + -c "GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO \"${DB_WEBMODELER_USERNAME}\";" \ -c "GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO \"${DB_WEBMODELER_USERNAME}\";" EOF diff --git a/examples/camunda-8.6/setup-postgres-create-db.yml b/examples/camunda-8.6/setup-postgres-create-db.yml index 235ac8f3..337b8d6d 100644 --- a/examples/camunda-8.6/setup-postgres-create-db.yml +++ b/examples/camunda-8.6/setup-postgres-create-db.yml 
@@ -28,30 +28,30 @@ spec: psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=$AURORA_DB_NAME user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ -c "CREATE DATABASE \"${DB_KEYCLOAK_NAME}\";" \ -c "CREATE USER \"${DB_KEYCLOAK_USERNAME}\" WITH PASSWORD '${DB_KEYCLOAK_PASSWORD}' NOSUPERUSER CREATEDB CREATEROLE INHERIT;" \ - -c "GRANT ALL PRIVILEGES ON DATABASE \"${DB_KEYCLOAK_NAME}\" TO \"${DB_KEYCLOAK_USERNAME}\";" - -c "GRANT USAGE ON SCHEMA public TO \"${DB_KEYCLOAK_USERNAME}\";" - -c "GRANT CREATE ON SCHEMA public TO \"${DB_KEYCLOAK_USERNAME}\";" - -c "GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO \"${DB_KEYCLOAK_USERNAME}\";" + -c "GRANT ALL PRIVILEGES ON DATABASE \"${DB_KEYCLOAK_NAME}\" TO \"${DB_KEYCLOAK_USERNAME}\";" \ + -c "GRANT USAGE ON SCHEMA public TO \"${DB_KEYCLOAK_USERNAME}\";" \ + -c "GRANT CREATE ON SCHEMA public TO \"${DB_KEYCLOAK_USERNAME}\";" \ + -c "GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO \"${DB_KEYCLOAK_USERNAME}\";" \ -c "GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO \"${DB_KEYCLOAK_USERNAME}\";" echo "Create identity user and associated database" psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=$AURORA_DB_NAME user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ -c "CREATE DATABASE \"${DB_IDENTITY_NAME}\";" \ -c "CREATE USER \"${DB_IDENTITY_USERNAME}\" WITH PASSWORD '${DB_IDENTITY_PASSWORD}' NOSUPERUSER CREATEDB CREATEROLE INHERIT;" \ - -c "GRANT ALL PRIVILEGES ON DATABASE \"${DB_IDENTITY_NAME}\" TO \"${DB_IDENTITY_USERNAME}\";" - -c "GRANT USAGE ON SCHEMA public TO \"${DB_IDENTITY_USERNAME}\";" - -c "GRANT CREATE ON SCHEMA public TO \"${DB_IDENTITY_USERNAME}\";" - -c "GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO \"${DB_IDENTITY_USERNAME}\";" + -c "GRANT ALL PRIVILEGES ON DATABASE \"${DB_IDENTITY_NAME}\" TO \"${DB_IDENTITY_USERNAME}\";" \ + -c "GRANT USAGE ON SCHEMA public TO \"${DB_IDENTITY_USERNAME}\";" \ + -c "GRANT CREATE ON SCHEMA public TO 
\"${DB_IDENTITY_USERNAME}\";" \ + -c "GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO \"${DB_IDENTITY_USERNAME}\";" \ -c "GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO \"${DB_IDENTITY_USERNAME}\";" echo "Create webmodeler user and associated database" psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=$AURORA_DB_NAME user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ -c "CREATE DATABASE \"${DB_WEBMODELER_NAME}\";" \ -c "CREATE USER \"${DB_WEBMODELER_USERNAME}\" WITH PASSWORD '${DB_WEBMODELER_PASSWORD}' NOSUPERUSER CREATEDB CREATEROLE INHERIT;" \ - -c "GRANT ALL PRIVILEGES ON DATABASE \"${DB_WEBMODELER_NAME}\" TO \"${DB_WEBMODELER_USERNAME}\";" - -c "GRANT USAGE ON SCHEMA public TO \"${DB_WEBMODELER_USERNAME}\";" - -c "GRANT CREATE ON SCHEMA public TO \"${DB_WEBMODELER_USERNAME}\";" - -c "GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO \"${DB_WEBMODELER_USERNAME}\";" + -c "GRANT ALL PRIVILEGES ON DATABASE \"${DB_WEBMODELER_NAME}\" TO \"${DB_WEBMODELER_USERNAME}\";" \ + -c "GRANT USAGE ON SCHEMA public TO \"${DB_WEBMODELER_USERNAME}\";" \ + -c "GRANT CREATE ON SCHEMA public TO \"${DB_WEBMODELER_USERNAME}\";" \ + -c "GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO \"${DB_WEBMODELER_USERNAME}\";" \ -c "GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO \"${DB_WEBMODELER_USERNAME}\";" EOF From 178bc02bf8673255cc274b05072a4e4cf273d7f1 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Tue, 15 Oct 2024 18:04:43 +0200 Subject: [PATCH 081/135] fix schema public permission --- .../setup-postgres-create-db.yml | 22 ++++++------------- .../camunda-8.6/setup-postgres-create-db.yml | 15 +++---------- 2 files changed, 10 insertions(+), 27 deletions(-) diff --git a/examples/camunda-8.6-irsa/setup-postgres-create-db.yml b/examples/camunda-8.6-irsa/setup-postgres-create-db.yml index 8979fddf..f825b135 100644 --- a/examples/camunda-8.6-irsa/setup-postgres-create-db.yml 
+++ b/examples/camunda-8.6-irsa/setup-postgres-create-db.yml 
@@ -29,33 +29,25 @@ spec: -c "CREATE DATABASE \"${DB_KEYCLOAK_NAME}\";" \ -c "CREATE USER \"${DB_KEYCLOAK_USERNAME}\" WITH LOGIN NOSUPERUSER CREATEDB CREATEROLE INHERIT;" \ -c "GRANT ALL PRIVILEGES ON DATABASE \"${DB_KEYCLOAK_NAME}\" TO \"${DB_KEYCLOAK_USERNAME}\";" \ - -c "GRANT rds_iam TO \"${CAMUNDA_KEYCLOAK_SERVICE_ACCOUNT_NAME}\";" \ - -c "GRANT USAGE ON SCHEMA public TO \"${DB_KEYCLOAK_USERNAME}\";" \ - -c "GRANT CREATE ON SCHEMA public TO \"${DB_KEYCLOAK_USERNAME}\";" \ - -c "GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO \"${DB_KEYCLOAK_USERNAME}\";" \ - -c "GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO \"${DB_KEYCLOAK_USERNAME}\";" + -c "GRANT ALL ON SCHEMA public TO \"${DB_KEYCLOAK_USERNAME}\";" \ + -c "GRANT rds_iam TO \"${CAMUNDA_KEYCLOAK_SERVICE_ACCOUNT_NAME}\";" + echo "Create identity user and associated database" psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=$AURORA_DB_NAME user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ -c "CREATE DATABASE \"${DB_IDENTITY_NAME}\";" \ -c "CREATE USER \"${DB_IDENTITY_USERNAME}\" WITH LOGIN NOSUPERUSER CREATEDB CREATEROLE INHERIT;" \ -c "GRANT ALL PRIVILEGES ON DATABASE \"${DB_IDENTITY_NAME}\" TO \"${DB_IDENTITY_USERNAME}\";" \ - -c "GRANT rds_iam TO \"${CAMUNDA_IDENTITY_SERVICE_ACCOUNT_NAME}\";" \ - -c "GRANT USAGE ON SCHEMA public TO \"${DB_IDENTITY_USERNAME}\";" \ - -c "GRANT CREATE ON SCHEMA public TO \"${DB_IDENTITY_USERNAME}\";" \ - -c "GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO \"${DB_IDENTITY_USERNAME}\";" \ - -c "GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO \"${DB_IDENTITY_USERNAME}\";" + -c "GRANT ALL ON SCHEMA public TO \"${DB_IDENTITY_USERNAME}\";" \ + -c "GRANT rds_iam TO \"${CAMUNDA_IDENTITY_SERVICE_ACCOUNT_NAME}\";" echo "Create webmodeler user and associated database" psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=$AURORA_DB_NAME user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ -c "CREATE DATABASE 
\"${DB_WEBMODELER_NAME}\";" \ -c "CREATE USER \"${DB_WEBMODELER_USERNAME}\" WITH LOGIN NOSUPERUSER CREATEDB CREATEROLE INHERIT;" \ -c "GRANT ALL PRIVILEGES ON DATABASE \"${DB_WEBMODELER_NAME}\" TO \"${DB_WEBMODELER_USERNAME}\";" \ - -c "GRANT rds_iam TO \"${CAMUNDA_WEBMODELER_SERVICE_ACCOUNT_NAME}\";" \ - -c "GRANT USAGE ON SCHEMA public TO \"${DB_WEBMODELER_USERNAME}\";" \ - -c "GRANT CREATE ON SCHEMA public TO \"${DB_WEBMODELER_USERNAME}\";" \ - -c "GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO \"${DB_WEBMODELER_USERNAME}\";" \ - -c "GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO \"${DB_WEBMODELER_USERNAME}\";" + -c "GRANT ALL ON SCHEMA public TO \"${DB_WEBMODELER_USERNAME}\";" \ + -c "GRANT rds_iam TO \"${CAMUNDA_WEBMODELER_SERVICE_ACCOUNT_NAME}\";" EOF env: diff --git a/examples/camunda-8.6/setup-postgres-create-db.yml b/examples/camunda-8.6/setup-postgres-create-db.yml index 337b8d6d..ff79b2b1 100644 --- a/examples/camunda-8.6/setup-postgres-create-db.yml +++ b/examples/camunda-8.6/setup-postgres-create-db.yml 
@@ -29,30 +29,21 @@ spec: -c "CREATE DATABASE \"${DB_KEYCLOAK_NAME}\";" \ -c "CREATE USER \"${DB_KEYCLOAK_USERNAME}\" WITH PASSWORD '${DB_KEYCLOAK_PASSWORD}' NOSUPERUSER CREATEDB CREATEROLE INHERIT;" \ -c "GRANT ALL PRIVILEGES ON DATABASE \"${DB_KEYCLOAK_NAME}\" TO \"${DB_KEYCLOAK_USERNAME}\";" \ - -c "GRANT USAGE ON SCHEMA public TO \"${DB_KEYCLOAK_USERNAME}\";" \ - -c "GRANT CREATE ON SCHEMA public TO \"${DB_KEYCLOAK_USERNAME}\";" \ - -c "GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO \"${DB_KEYCLOAK_USERNAME}\";" \ - -c "GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO \"${DB_KEYCLOAK_USERNAME}\";" + -c "GRANT ALL ON SCHEMA public TO \"${DB_KEYCLOAK_USERNAME}\";" echo "Create identity user and associated database" psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=$AURORA_DB_NAME user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ -c "CREATE DATABASE \"${DB_IDENTITY_NAME}\";" \ -c "CREATE USER \"${DB_IDENTITY_USERNAME}\" WITH PASSWORD '${DB_IDENTITY_PASSWORD}' NOSUPERUSER CREATEDB CREATEROLE INHERIT;" \ -c "GRANT ALL PRIVILEGES ON DATABASE \"${DB_IDENTITY_NAME}\" TO \"${DB_IDENTITY_USERNAME}\";" \ - -c "GRANT USAGE ON SCHEMA public TO \"${DB_IDENTITY_USERNAME}\";" \ - -c "GRANT CREATE ON SCHEMA public TO \"${DB_IDENTITY_USERNAME}\";" \ - -c "GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO \"${DB_IDENTITY_USERNAME}\";" \ - -c "GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO \"${DB_IDENTITY_USERNAME}\";" + -c "GRANT ALL ON SCHEMA public TO \"${DB_IDENTITY_USERNAME}\";" echo "Create webmodeler user and associated database" psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=$AURORA_DB_NAME user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ -c "CREATE DATABASE \"${DB_WEBMODELER_NAME}\";" \ -c "CREATE USER \"${DB_WEBMODELER_USERNAME}\" WITH PASSWORD '${DB_WEBMODELER_PASSWORD}' NOSUPERUSER CREATEDB CREATEROLE INHERIT;" \ -c "GRANT ALL PRIVILEGES ON DATABASE \"${DB_WEBMODELER_NAME}\" TO 
\"${DB_WEBMODELER_USERNAME}\";" \ - -c "GRANT USAGE ON SCHEMA public TO \"${DB_WEBMODELER_USERNAME}\";" \ - -c "GRANT CREATE ON SCHEMA public TO \"${DB_WEBMODELER_USERNAME}\";" \ - -c "GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO \"${DB_WEBMODELER_USERNAME}\";" \ - -c "GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO \"${DB_WEBMODELER_USERNAME}\";" + -c "GRANT ALL ON SCHEMA public TO \"${DB_WEBMODELER_NAME}\";" EOF env: From 5fd124cd042b895e14acd7bd2df09bd2ed029a89 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Tue, 15 Oct 2024 18:08:10 +0200 Subject: [PATCH 082/135] fix username --- examples/camunda-8.6/setup-postgres-create-db.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/camunda-8.6/setup-postgres-create-db.yml b/examples/camunda-8.6/setup-postgres-create-db.yml index ff79b2b1..7ce7f93e 100644 --- a/examples/camunda-8.6/setup-postgres-create-db.yml +++ b/examples/camunda-8.6/setup-postgres-create-db.yml @@ -43,7 +43,7 @@ spec: -c "CREATE DATABASE \"${DB_WEBMODELER_NAME}\";" \ -c "CREATE USER \"${DB_WEBMODELER_USERNAME}\" WITH PASSWORD '${DB_WEBMODELER_PASSWORD}' NOSUPERUSER CREATEDB CREATEROLE INHERIT;" \ -c "GRANT ALL PRIVILEGES ON DATABASE \"${DB_WEBMODELER_NAME}\" TO \"${DB_WEBMODELER_USERNAME}\";" \ - -c "GRANT ALL ON SCHEMA public TO \"${DB_WEBMODELER_NAME}\";" + -c "GRANT ALL ON SCHEMA public TO \"${DB_WEBMODELER_USERNAME}\";" EOF env: From 2eeb77018d843bb78bf6ab9cd0e863b51d0f8ecd Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Wed, 16 Oct 2024 09:47:29 +0200 Subject: [PATCH 083/135] fix setup of the db --- .../setup-postgres-create-db.yml | 24 ++++++++++--------- .../camunda-8.6/setup-postgres-create-db.yml | 24 ++++++++++--------- 2 files changed, 26 insertions(+), 22 deletions(-) 
diff --git a/examples/camunda-8.6-irsa/setup-postgres-create-db.yml b/examples/camunda-8.6-irsa/setup-postgres-create-db.yml index f825b135..3ef75247 100644 --- a/examples/camunda-8.6-irsa/setup-postgres-create-db.yml +++ b/examples/camunda-8.6-irsa/setup-postgres-create-db.yml @@ -25,8 +25,11 @@ spec: yum install -y postgresql15 echo "Create keycloak user and associated database" - psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=$AURORA_DB_NAME user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ - -c "CREATE DATABASE \"${DB_KEYCLOAK_NAME}\";" \ + psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=postgres user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ + -c "CREATE DATABASE \"${DB_KEYCLOAK_NAME}\";" + + # the grant SCHEMA public must be performed on the target database + psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=$DB_KEYCLOAK_NAME user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ -c "CREATE USER \"${DB_KEYCLOAK_USERNAME}\" WITH LOGIN NOSUPERUSER CREATEDB CREATEROLE INHERIT;" \ -c "GRANT ALL PRIVILEGES ON DATABASE \"${DB_KEYCLOAK_NAME}\" TO \"${DB_KEYCLOAK_USERNAME}\";" \ -c "GRANT ALL ON SCHEMA public TO \"${DB_KEYCLOAK_USERNAME}\";" \ 
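Review bot: The rewritten `psql` calls still pass `password=$AURORA_PASSWORD` inside the conninfo argument, which puts the admin password in the process arguments and lets a space or quote in any expanded value change how libpq parses the string. Setting it once with `export PGPASSWORD="$AURORA_PASSWORD"` and dropping `password=` from the conninfo avoids both. The same pattern is in the identity and webmodeler hunk of this file and in `examples/camunda-8.6/setup-postgres-create-db.yml`. The script body starts and ends outside the hunk.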
@@ -34,16 +37,20 @@ spec: echo "Create identity user and associated database" - psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=$AURORA_DB_NAME user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ - -c "CREATE DATABASE \"${DB_IDENTITY_NAME}\";" \ + psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=postgres user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ + -c "CREATE DATABASE \"${DB_IDENTITY_NAME}\";" + + psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=$DB_IDENTITY_NAME user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ -c "CREATE USER \"${DB_IDENTITY_USERNAME}\" WITH LOGIN NOSUPERUSER CREATEDB CREATEROLE INHERIT;" \ -c "GRANT ALL PRIVILEGES ON DATABASE \"${DB_IDENTITY_NAME}\" TO \"${DB_IDENTITY_USERNAME}\";" \ -c "GRANT ALL ON SCHEMA public TO \"${DB_IDENTITY_USERNAME}\";" \ -c "GRANT rds_iam TO \"${CAMUNDA_IDENTITY_SERVICE_ACCOUNT_NAME}\";" echo "Create webmodeler user and associated database" - psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=$AURORA_DB_NAME user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ - -c "CREATE DATABASE \"${DB_WEBMODELER_NAME}\";" \ + psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=postgres user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ + -c "CREATE DATABASE \"${DB_WEBMODELER_NAME}\";" + + psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=$DB_WEBMODELER_NAME user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ -c "CREATE USER \"${DB_WEBMODELER_USERNAME}\" WITH LOGIN NOSUPERUSER CREATEDB CREATEROLE INHERIT;" \ -c "GRANT ALL PRIVILEGES ON DATABASE \"${DB_WEBMODELER_NAME}\" TO \"${DB_WEBMODELER_USERNAME}\";" \ -c "GRANT ALL ON SCHEMA public TO \"${DB_WEBMODELER_USERNAME}\";" \ @@ -61,11 +68,6 @@ spec: secretKeyRef: name: setup-db-secret key: AURORA_PORT - - name: AURORA_DB_NAME - valueFrom: - secretKeyRef: - name: setup-db-secret - key: AURORA_DB_NAME - name: AURORA_USERNAME valueFrom: secretKeyRef: 
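Review bot: In the identity block the role created is `${DB_IDENTITY_USERNAME}` but `rds_iam` is granted to `${CAMUNDA_IDENTITY_SERVICE_ACCOUNT_NAME}`; if those two values ever differ, the grant targets a role this script never creates and the database user is left without IAM authentication. Granting to the role just created, `-c "GRANT rds_iam TO \"${DB_IDENTITY_USERNAME}\";"`, removes that coupling. The keycloak and webmodeler blocks appear to use the same pairing, although their grant lines fall outside this hunk. Only part of the script is inside the hunk.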
diff --git a/examples/camunda-8.6/setup-postgres-create-db.yml b/examples/camunda-8.6/setup-postgres-create-db.yml index 7ce7f93e..efcd05f1 100644 --- a/examples/camunda-8.6/setup-postgres-create-db.yml +++ b/examples/camunda-8.6/setup-postgres-create-db.yml 
@@ -25,22 +25,29 @@ spec: yum install -y postgresql15 echo "Create keycloak user and associated database" - psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=$AURORA_DB_NAME user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ - -c "CREATE DATABASE \"${DB_KEYCLOAK_NAME}\";" \ + psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=postgres user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ + -c "CREATE DATABASE \"${DB_KEYCLOAK_NAME}\";" + + # the grant SCHEMA public must be performed on the target database + psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=$DB_KEYCLOAK_NAME user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ -c "CREATE USER \"${DB_KEYCLOAK_USERNAME}\" WITH PASSWORD '${DB_KEYCLOAK_PASSWORD}' NOSUPERUSER CREATEDB CREATEROLE INHERIT;" \ -c "GRANT ALL PRIVILEGES ON DATABASE \"${DB_KEYCLOAK_NAME}\" TO \"${DB_KEYCLOAK_USERNAME}\";" \ -c "GRANT ALL ON SCHEMA public TO \"${DB_KEYCLOAK_USERNAME}\";" echo "Create identity user and associated database" - psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=$AURORA_DB_NAME user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ - -c "CREATE DATABASE \"${DB_IDENTITY_NAME}\";" \ + psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=postgres user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ + -c "CREATE DATABASE \"${DB_IDENTITY_NAME}\";" + + psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=$DB_IDENTITY_NAME user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ -c "CREATE USER \"${DB_IDENTITY_USERNAME}\" WITH PASSWORD '${DB_IDENTITY_PASSWORD}' NOSUPERUSER CREATEDB CREATEROLE INHERIT;" \ -c "GRANT ALL PRIVILEGES ON DATABASE \"${DB_IDENTITY_NAME}\" TO \"${DB_IDENTITY_USERNAME}\";" \ -c "GRANT ALL ON SCHEMA public TO \"${DB_IDENTITY_USERNAME}\";" echo "Create webmodeler user and associated database" - psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=$AURORA_DB_NAME user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ - -c "CREATE 
DATABASE \"${DB_WEBMODELER_NAME}\";" \ + psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=postgres user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ + -c "CREATE DATABASE \"${DB_WEBMODELER_NAME}\";" + + psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=$DB_WEBMODELER_NAME user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ -c "CREATE USER \"${DB_WEBMODELER_USERNAME}\" WITH PASSWORD '${DB_WEBMODELER_PASSWORD}' NOSUPERUSER CREATEDB CREATEROLE INHERIT;" \ -c "GRANT ALL PRIVILEGES ON DATABASE \"${DB_WEBMODELER_NAME}\" TO \"${DB_WEBMODELER_USERNAME}\";" \ -c "GRANT ALL ON SCHEMA public TO \"${DB_WEBMODELER_USERNAME}\";" @@ -57,11 +64,6 @@ spec: secretKeyRef: name: setup-db-secret key: AURORA_PORT - - name: AURORA_DB_NAME - valueFrom: - secretKeyRef: - name: setup-db-secret - key: AURORA_DB_NAME - name: AURORA_USERNAME valueFrom: secretKeyRef: From 1960c3d9f64352a5b76e09841a261544ff70cd8d Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Wed, 16 Oct 2024 14:31:53 +0200 Subject: [PATCH 084/135] re-enable basic auth for OpenSearch --- .../camunda-8.6-irsa/helm-values/values-domain.yml | 2 +- .../helm-values/values-no-domain.yml | 2 +- examples/camunda-8.6/helm-values/values-domain.yml | 7 +++++-- .../camunda-8.6/helm-values/values-no-domain.yml | 7 +++++-- examples/camunda-8.6/opensearch.tf | 13 ++++++++++++- 5 files changed, 24 insertions(+), 7 deletions(-) diff --git a/examples/camunda-8.6-irsa/helm-values/values-domain.yml b/examples/camunda-8.6-irsa/helm-values/values-domain.yml index be559a58..18b9f9bc 100644 --- a/examples/camunda-8.6-irsa/helm-values/values-domain.yml +++ b/examples/camunda-8.6-irsa/helm-values/values-domain.yml @@ -30,7 +30,7 @@ global: opensearch: enabled: true aws: - enabled: true + enabled: true # enable IRSA auth url: protocol: https host: ${OPENSEARCH_HOST} 
diff --git a/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml b/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml index bf24059e..e2a177ce 100644 --- a/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml +++ b/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml @@ -34,7 +34,7 @@ global: opensearch: enabled: true aws: - enabled: true + enabled: true # enable IRSA auth url: protocol: https host: ${OPENSEARCH_HOST} diff --git a/examples/camunda-8.6/helm-values/values-domain.yml b/examples/camunda-8.6/helm-values/values-domain.yml index 308bcdf1..d2663c39 100644 --- a/examples/camunda-8.6/helm-values/values-domain.yml +++ b/examples/camunda-8.6/helm-values/values-domain.yml @@ -17,8 +17,11 @@ global: opensearch: enabled: true aws: - enabled: true - # we rely on the network security to access the OpenSearch domain, no basic auth is needed + enabled: false # we rely on basic auth, not irsa + auth: + username: ${OPENSEARCH_MASTER_USER} + existingSecret: opensearch-secret + existingSecretKey: password url: protocol: https host: ${OPENSEARCH_HOST} diff --git a/examples/camunda-8.6/helm-values/values-no-domain.yml b/examples/camunda-8.6/helm-values/values-no-domain.yml index ade46d96..bc366dcf 100644 --- a/examples/camunda-8.6/helm-values/values-no-domain.yml +++ b/examples/camunda-8.6/helm-values/values-no-domain.yml @@ -17,8 +17,11 @@ global: opensearch: enabled: true aws: - enabled: true - # we rely on the network security to access the OpenSearch domain, no basic auth is needed + enabled: false # we rely on basic auth, not irsa + auth: + username: ${OPENSEARCH_MASTER_USER} + existingSecret: opensearch-secret + existingSecretKey: password url: protocol: https host: ${OPENSEARCH_HOST} diff --git a/examples/camunda-8.6/opensearch.tf b/examples/camunda-8.6/opensearch.tf index e730fe9c..9e30ba17 100644 --- a/examples/camunda-8.6/opensearch.tf +++ b/examples/camunda-8.6/opensearch.tf 
@@ -1,7 +1,12 @@ locals { opensearch_domain_name = "domain-name-os-std" # Replace "domain-name" with your domain name + + opensearch_master_username = "secret_user" # Replace with your opensearch username + opensearch_master_password = "Secretvalue$23" # Replace with your opensearch password } +# TODO: handle deletion + module "opensearch_domain" { source = "git::https://github.com/camunda/camunda-tf-eks-module//modules/opensearch?ref=2.6.0" domain_name = local.opensearch_domain_name @@ -15,7 +20,13 @@ module "opensearch_domain" { vpc_id = module.eks_cluster.vpc_id cidr_blocks = concat(module.eks_cluster.private_vpc_cidr_blocks, module.eks_cluster.public_vpc_cidr_blocks) - advanced_security_enabled = false + advanced_security_enabled = false # disable fine-grained + + advanced_security_internal_user_database_enabled = true # required for master username + advanced_security_anonymous_auth_enabled = false # require basic auth + + advanced_security_master_user_name = local.opensearch_master_username + advanced_security_master_user_password = local.opensearch_master_password depends_on = [module.eks_cluster] } From 723ac467c552550cef07b8f6732b593609b292d8 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Wed, 16 Oct 2024 17:34:03 +0200 Subject: [PATCH 085/135] implement arn for cluster --- examples/camunda-8.6-irsa/cluster.tf | 5 +++++ examples/camunda-8.6-irsa/db.tf | 6 +++--- examples/camunda-8.6/cluster.tf | 5 +++++ modules/eks-cluster/README.md | 1 + modules/eks-cluster/outputs.tf | 6 ++++++ 5 files changed, 20 insertions(+), 3 deletions(-) diff --git a/examples/camunda-8.6-irsa/cluster.tf b/examples/camunda-8.6-irsa/cluster.tf index 1c38d8df..fb35c9f2 100644 --- a/examples/camunda-8.6-irsa/cluster.tf +++ b/examples/camunda-8.6-irsa/cluster.tf 
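Review bot: The `locals` block in `examples/camunda-8.6/opensearch.tf` now holds the OpenSearch master password as a literal (`opensearch_master_password = "Secretvalue$23"`), so anyone who copies the example commits a credential to version control. Declare it as an input variable marked `sensitive = true`, with no default, and pass `var.opensearch_master_password` to the module. The value should come from the environment or a secrets manager at apply time. Even then it is still written to the Terraform state, so the state backend needs to be access-controlled and encrypted.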
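Review bot: In the second hunk, `advanced_security_enabled = false` is kept while the master user, the internal user database and `advanced_security_anonymous_auth_enabled = false # require basic auth` are added. On Amazon OpenSearch Service these settings belong to fine-grained access control, so with it disabled they most likely have no effect and requests are not challenged for credentials. How the module maps these variables is not visible in this hunk, so this needs checking against `modules/opensearch/main.tf`. If basic auth is the goal, the line should read `advanced_security_enabled = true # fine-grained access control is required for the internal user database`. The same context shows `cidr_blocks` covering both private and public VPC ranges, so network reachability is broad if authentication is not actually enforced.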
@@ -23,3 +23,8 @@ output "external_dns_arn" { value = module.eks_cluster.external_dns_arn description = "The Amazon Resource Name (ARN) of the AWS IAM Roles for Service Account mapping for the external-dns" } + +output "cluster_arn" { + value = module.eks_cluster.cluster_arn + description = "ARN of the EKS cluster" +} diff --git a/examples/camunda-8.6-irsa/db.tf b/examples/camunda-8.6-irsa/db.tf index ad0c94fc..f3098cc8 100644 --- a/examples/camunda-8.6-irsa/db.tf +++ b/examples/camunda-8.6-irsa/db.tf @@ -51,9 +51,9 @@ module "postgresql" { "rds-db:connect" ], "Resource": [ - "arn:aws:rds-db:${local.eks_cluster_region}:${module.eks_cluster.aws_caller_identity_account_id}:dbuser:${local.aurora_cluster_name}/${local.aurora_irsa_keycloak_username}", - "arn:aws:rds-db:${local.eks_cluster_region}:${module.eks_cluster.aws_caller_identity_account_id}:dbuser:${local.aurora_cluster_name}/${local.aurora_irsa_identity_username}", - "arn:aws:rds-db:${local.eks_cluster_region}:${module.eks_cluster.aws_caller_identity_account_id}:dbuser:${local.aurora_cluster_name}/${local.aurora_irsa_webmodeler_username}" + "arn:aws:rds-db:${local.eks_cluster_region}:${module.eks_cluster.aws_caller_identity_account_id}:dbuser:${local.aurora_cluster_name}/${local.camunda_keycloak_db_username}", + "arn:aws:rds-db:${local.eks_cluster_region}:${module.eks_cluster.aws_caller_identity_account_id}:dbuser:${local.aurora_cluster_name}/${local.camunda_identity_db_username}", + "arn:aws:rds-db:${local.eks_cluster_region}:${module.eks_cluster.aws_caller_identity_account_id}:dbuser:${local.aurora_cluster_name}/${local.camunda_webmodeler_db_username}" ] } ] diff --git a/examples/camunda-8.6/cluster.tf b/examples/camunda-8.6/cluster.tf index 801d1455..08d61333 100644 --- a/examples/camunda-8.6/cluster.tf +++ b/examples/camunda-8.6/cluster.tf 
@@ -23,3 +23,8 @@ output "external_dns_arn" { value = module.eks_cluster.external_dns_arn description = "The Amazon Resource Name (ARN) of the AWS IAM Roles for Service Account mapping for the external-dns" } + +output "cluster_arn" { + value = module.eks_cluster.cluster_arn + description = "ARN of the EKS cluster" +} diff --git a/modules/eks-cluster/README.md b/modules/eks-cluster/README.md index 0ae31804..0e0d9863 100644 --- a/modules/eks-cluster/README.md +++ b/modules/eks-cluster/README.md @@ -73,6 +73,7 @@ module "eks_cluster" { | [access\_entries](#output\_access\_entries) | Map of access entries created and their attributes | | [aws\_caller\_identity\_account\_id](#output\_aws\_caller\_identity\_account\_id) | Account ID of the current AWS account | | [cert\_manager\_arn](#output\_cert\_manager\_arn) | Amazon Resource Name of the cert-manager IAM role used for IAM Roles to Service Accounts mappings | +| [cluster\_arn](#output\_cluster\_arn) | ARN of the cluster | | [cluster\_endpoint](#output\_cluster\_endpoint) | Endpoint for your Kubernetes API server | | [cluster\_iam\_role\_arn](#output\_cluster\_iam\_role\_arn) | IAM role ARN of the EKS cluster | | [cluster\_iam\_role\_name](#output\_cluster\_iam\_role\_name) | IAM role name of the EKS cluster | diff --git a/modules/eks-cluster/outputs.tf b/modules/eks-cluster/outputs.tf index 164473ab..8a7c2174 100644 --- a/modules/eks-cluster/outputs.tf +++ b/modules/eks-cluster/outputs.tf 
@@ -36,11 +36,17 @@ output "cluster_iam_role_arn" { description = "IAM role ARN of the EKS cluster" value = module.eks.cluster_iam_role_arn } + output "access_entries" { description = "Map of access entries created and their attributes" value = module.eks.access_entries } +output "cluster_arn" { + description = "ARN of the cluster" + value = module.eks.cluster_arn +} + ################################################################################ # IRSA ################################################################################ From 1cf36ceb6e6db73a6bfcea2615df3d9b68a56735 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Wed, 16 Oct 2024 18:33:29 +0200 Subject: [PATCH 086/135] fix anonymous --- examples/camunda-8.6-irsa/cluster.tf | 5 ---- .../camunda-8.6/helm-values/values-domain.yml | 7 +++-- .../helm-values/values-no-domain.yml | 7 +++-- examples/camunda-8.6/opensearch.tf | 27 +++++++++++++------ 4 files changed, 25 insertions(+), 21 deletions(-) diff --git a/examples/camunda-8.6-irsa/cluster.tf b/examples/camunda-8.6-irsa/cluster.tf index fb35c9f2..1c38d8df 100644 --- a/examples/camunda-8.6-irsa/cluster.tf +++ b/examples/camunda-8.6-irsa/cluster.tf @@ -23,8 +23,3 @@ output "external_dns_arn" { value = module.eks_cluster.external_dns_arn description = "The Amazon Resource Name (ARN) of the AWS IAM Roles for Service Account mapping for the external-dns" } - -output "cluster_arn" { - value = module.eks_cluster.cluster_arn - description = "ARN of the EKS cluster" -} diff --git a/examples/camunda-8.6/helm-values/values-domain.yml b/examples/camunda-8.6/helm-values/values-domain.yml index d2663c39..ff41bcd3 100644 --- a/examples/camunda-8.6/helm-values/values-domain.yml +++ b/examples/camunda-8.6/helm-values/values-domain.yml 
@@ -17,11 +17,10 @@ global: opensearch: enabled: true aws: - enabled: false # we rely on basic auth, not irsa + enabled: false # we rely on anonymous auth, not irsa, basic auth is not supported on managed OpenSearch auth: - username: ${OPENSEARCH_MASTER_USER} - existingSecret: opensearch-secret - existingSecretKey: password + username: + password: url: protocol: https host: ${OPENSEARCH_HOST} diff --git a/examples/camunda-8.6/helm-values/values-no-domain.yml b/examples/camunda-8.6/helm-values/values-no-domain.yml index bc366dcf..3f8c9389 100644 --- a/examples/camunda-8.6/helm-values/values-no-domain.yml +++ b/examples/camunda-8.6/helm-values/values-no-domain.yml @@ -17,11 +17,10 @@ global: opensearch: enabled: true aws: - enabled: false # we rely on basic auth, not irsa + enabled: false # we rely on anonymous auth, not irsa, basic auth is not supported on managed OpenSearch auth: - username: ${OPENSEARCH_MASTER_USER} - existingSecret: opensearch-secret - existingSecretKey: password + username: + password: url: protocol: https host: ${OPENSEARCH_HOST} diff --git a/examples/camunda-8.6/opensearch.tf b/examples/camunda-8.6/opensearch.tf index 9e30ba17..6a70c6b6 100644 --- a/examples/camunda-8.6/opensearch.tf +++ b/examples/camunda-8.6/opensearch.tf @@ -1,8 +1,5 @@ locals { opensearch_domain_name = "domain-name-os-std" # Replace "domain-name" with your domain name - - opensearch_master_username = "secret_user" # Replace with your opensearch username - opensearch_master_password = "Secretvalue$23" # Replace with your opensearch password } # TODO: handle deletion 
@@ -22,11 +19,25 @@ module "opensearch_domain" { advanced_security_enabled = false # disable fine-grained - advanced_security_internal_user_database_enabled = true # required for master username - advanced_security_anonymous_auth_enabled = false # require basic auth - - advanced_security_master_user_name = local.opensearch_master_username - advanced_security_master_user_password = local.opensearch_master_password + advanced_security_internal_user_database_enabled = false + advanced_security_anonymous_auth_enabled = true # rely on anonymous auth + + # allow unauthentificated access as managed OpenSearch only allows fine tuned and no Basic Auth + access_policies = < Date: Wed, 16 Oct 2024 18:35:21 +0200 Subject: [PATCH 087/135] fix cluster arn --- examples/camunda-8.6/cluster.tf | 5 ----- 1 file changed, 5 deletions(-) diff --git a/examples/camunda-8.6/cluster.tf b/examples/camunda-8.6/cluster.tf index 08d61333..801d1455 100644 --- a/examples/camunda-8.6/cluster.tf +++ b/examples/camunda-8.6/cluster.tf @@ -23,8 +23,3 @@ output "external_dns_arn" { value = module.eks_cluster.external_dns_arn description = "The Amazon Resource Name (ARN) of the AWS IAM Roles for Service Account mapping for the external-dns" } - -output "cluster_arn" { - value = module.eks_cluster.cluster_arn - description = "ARN of the EKS cluster" -} From 226c157efa1898d9456799d45b67d3cfcf65e669 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Wed, 16 Oct 2024 19:28:42 +0200 Subject: [PATCH 088/135] add existing secret --- .../helm-values/values-domain.yml | 15 ++++++++ .../helm-values/values-no-domain.yml | 21 +++++++++++ .../helm-values/generated-values.yml | 36 ------------------- .../camunda-8.6/helm-values/values-domain.yml | 15 +++++++- .../helm-values/values-no-domain.yml | 21 +++++++++++ 5 files changed, 71 insertions(+), 37 deletions(-) delete mode 100644 examples/camunda-8.6/helm-values/generated-values.yml 
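Review bot: This hunk sets `advanced_security_anonymous_auth_enabled = true` and adds an `access_policies` document described as allowing unauthenticated access, which leaves the security group as the only control on the domain. The policy body is not legible on this page, so its exact scope needs checking. The earlier hunk in this file allows both private and public VPC CIDR blocks, so any workload in those ranges could read and write indices without credentials. The comment's premise also looks inaccurate: managed OpenSearch accepts HTTP basic auth when fine-grained access control is enabled with the internal user database, and the `values-domain.yml` and `values-no-domain.yml` comments in this commit repeat the claim. I would keep authentication on (`advanced_security_enabled = true` with a master user supplied from a secret) or restrict the policy principal to specific IAM roles. If the open policy stays for the example, say so in a comment such as `# example only: access is limited by security group alone, do not use for production data`.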
diff --git a/examples/camunda-8.6-irsa/helm-values/values-domain.yml b/examples/camunda-8.6-irsa/helm-values/values-domain.yml index 18b9f9bc..5fdb2a65 100644 --- a/examples/camunda-8.6-irsa/helm-values/values-domain.yml +++ b/examples/camunda-8.6-irsa/helm-values/values-domain.yml @@ -24,6 +24,9 @@ identityKeycloak: - name: KC_DB_DRIVER value: software.amazon.jdbc.Driver + auth: + existingSecret: identity-secret-for-components + global: elasticsearch: enabled: false @@ -48,12 +51,24 @@ global: identity: auth: publicIssuerUrl: https://${DOMAIN_NAME}/auth/realms/camunda-platform + zeebe: + existingSecret: + name: identity-secret-for-components + connectors: + existingSecret: + name: identity-secret-for-components operate: redirectUrl: https://${DOMAIN_NAME}/operate + existingSecret: + name: identity-secret-for-components tasklist: redirectUrl: https://${DOMAIN_NAME}/tasklist + existingSecret: + name: identity-secret-for-components optimize: redirectUrl: https://${DOMAIN_NAME}/optimize + existingSecret: + name: identity-secret-for-components webModeler: enabled: false # by default, webModeler is not enabled diff --git a/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml b/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml index e2a177ce..75e67c2e 100644 --- a/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml +++ b/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml @@ -28,6 +28,9 @@ identityKeycloak: - name: KC_DB_URL value: jdbc:aws-wrapper:postgresql://${DB_HOST}:5432/${DB_KEYCLOAK_NAME}?wrapperPlugins=iam&ssl=true&sslmode=require + auth: + existingSecret: identity-secret-for-components + global: elasticsearch: enabled: false 
@@ -41,6 +44,24 @@ global: # Amazon OpenSearch Service listens on port 443 opposed to the usual port 9200. port: 443 + identity: + auth: + zeebe: + existingSecret: + name: identity-secret-for-components + connectors: + existingSecret: + name: identity-secret-for-components + operate: + existingSecret: + name: identity-secret-for-components + tasklist: + existingSecret: + name: identity-secret-for-components + optimize: + existingSecret: + name: identity-secret-for-components + webModeler: serviceAccount: name: ${CAMUNDA_WEBMODELER_SERVICE_ACCOUNT_NAME} diff --git a/examples/camunda-8.6/helm-values/generated-values.yml b/examples/camunda-8.6/helm-values/generated-values.yml deleted file mode 100644 index c620aac4..00000000 --- a/examples/camunda-8.6/helm-values/generated-values.yml +++ /dev/null @@ -1,36 +0,0 @@ ---- -identityKeycloak: - postgresql: - enabled: false - externalDatabase: - # see https://artifacthub.io/packages/helm/bitnami/keycloak - existingSecret: identity-keycloak-secret # Name of an existing secret resource containing the database credentials - existingSecretHostKey: host - existingSecretPortKey: port - existingSecretUserKey: user - existingSecretDatabaseKey: database - existingSecretPasswordKey: password - -global: - elasticsearch: - enabled: false - opensearch: - enabled: true - aws: - enabled: true - auth: - username: secret_user - existingSecret: opensearch-secret - existingSecretKey: password - url: - protocol: https - host: vpc-domain-name-os-std-s7ttei3uulfiyez54t66sj2zkq.eu-west-2.es.amazonaws.com - # Amazon OpenSearch Service listens on port 443 opposed to the usual port 9200. - port: 443 - -optimize: - migration: - enabled: false - -elasticsearch: - enabled: false diff --git a/examples/camunda-8.6/helm-values/values-domain.yml b/examples/camunda-8.6/helm-values/values-domain.yml index ff41bcd3..cdd6c864 100644 --- a/examples/camunda-8.6/helm-values/values-domain.yml +++ b/examples/camunda-8.6/helm-values/values-domain.yml 
@@ -10,6 +10,8 @@ identityKeycloak: existingSecretUserKey: user existingSecretDatabaseKey: database existingSecretPasswordKey: password + auth: + existingSecret: identity-secret-for-components global: elasticsearch: @@ -38,13 +40,24 @@ global: identity: auth: publicIssuerUrl: https://${DOMAIN_NAME}/auth/realms/camunda-platform + zeebe: + existingSecret: + name: identity-secret-for-components + connectors: + existingSecret: + name: identity-secret-for-components operate: redirectUrl: https://${DOMAIN_NAME}/operate + existingSecret: + name: identity-secret-for-components tasklist: redirectUrl: https://${DOMAIN_NAME}/tasklist + existingSecret: + name: identity-secret-for-components optimize: redirectUrl: https://${DOMAIN_NAME}/optimize - + existingSecret: + name: identity-secret-for-components elasticsearch: enabled: false diff --git a/examples/camunda-8.6/helm-values/values-no-domain.yml b/examples/camunda-8.6/helm-values/values-no-domain.yml index 3f8c9389..9ce5221e 100644 --- a/examples/camunda-8.6/helm-values/values-no-domain.yml +++ b/examples/camunda-8.6/helm-values/values-no-domain.yml @@ -11,6 +11,9 @@ identityKeycloak: existingSecretDatabaseKey: database existingSecretPasswordKey: password + auth: + existingSecret: identity-secret-for-components + global: elasticsearch: enabled: false @@ -27,6 +30,24 @@ global: # Amazon OpenSearch Service listens on port 443 opposed to the usual port 9200. port: 443 + identity: + auth: + zeebe: + existingSecret: + name: identity-secret-for-components + connectors: + existingSecret: + name: identity-secret-for-components + operate: + existingSecret: + name: identity-secret-for-components + tasklist: + existingSecret: + name: identity-secret-for-components + optimize: + existingSecret: + name: identity-secret-for-components + identity: externalDatabase: enabled: true From cb05e5ba1e7d71b65b2c1aead0923420f844d4fe Mon Sep 17 00:00:00 2001 
From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Wed, 16 Oct 2024 21:10:24 +0200 Subject: [PATCH 089/135] add port forwarding --- .../camunda-8.6-irsa/helm-values/values-no-domain.yml | 8 ++++++++ examples/camunda-8.6/helm-values/values-no-domain.yml | 8 ++++++++ 2 files changed, 16 insertions(+) diff --git a/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml b/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml index 75e67c2e..c5ce0ef7 100644 --- a/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml +++ b/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml @@ -45,7 +45,10 @@ global: port: 443 identity: + auth: + publicIssuerUrl: http://localhost:8070/auth/realms/camunda-platform # replace this with a port of your choice when you will do port forwarding + zeebe: existingSecret: name: identity-secret-for-components @@ -53,12 +56,15 @@ global: existingSecret: name: identity-secret-for-components operate: + redirectUrl: http://localhost:8071 # replace this with a port of your choice when you will do port forwarding existingSecret: name: identity-secret-for-components tasklist: + redirectUrl: http://localhost:8072 # replace this with a port of your choice when you will do port forwarding existingSecret: name: identity-secret-for-components optimize: + redirectUrl: http://localhost:8073 # replace this with a port of your choice when you will do port forwarding existingSecret: name: identity-secret-for-components @@ -83,6 +89,8 @@ identity: annotations: eks.amazonaws.com/role-arn: ${DB_ROLE_ARN} + fullURL: http://localhost:8069 # replace this with a port of your choice when you will do port forwarding + externalDatabase: enabled: true host: ${DB_HOST} diff --git a/examples/camunda-8.6/helm-values/values-no-domain.yml b/examples/camunda-8.6/helm-values/values-no-domain.yml index 9ce5221e..debcd95b 100644 --- a/examples/camunda-8.6/helm-values/values-no-domain.yml +++ b/examples/camunda-8.6/helm-values/values-no-domain.yml 
@@ -31,7 +31,10 @@ global: port: 443 identity: + auth: + publicIssuerUrl: http://localhost:8070/auth/realms/camunda-platform # replace this with a port of your choice when you will do port forwarding + zeebe: existingSecret: name: identity-secret-for-components @@ -39,16 +42,21 @@ global: existingSecret: name: identity-secret-for-components operate: + redirectUrl: http://localhost:8071 # replace this with a port of your choice when you will do port forwarding existingSecret: name: identity-secret-for-components tasklist: + redirectUrl: http://localhost:8072 # replace this with a port of your choice when you will do port forwarding existingSecret: name: identity-secret-for-components optimize: + redirectUrl: http://localhost:8073 # replace this with a port of your choice when you will do port forwarding existingSecret: name: identity-secret-for-components identity: + fullURL: http://localhost:8069 # replace this with a port of your choice when you will do port forwarding + externalDatabase: enabled: true host: ${DB_HOST} From 5ace55852ba89b7c69f1ccd2df8c8fef554e6523 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Wed, 16 Oct 2024 21:25:32 +0200 Subject: [PATCH 090/135] fix account names --- .../setup-postgres-create-db.yml | 21 +++---------------- 1 file changed, 3 insertions(+), 18 deletions(-) diff --git a/examples/camunda-8.6-irsa/setup-postgres-create-db.yml b/examples/camunda-8.6-irsa/setup-postgres-create-db.yml index 3ef75247..b8925eee 100644 --- a/examples/camunda-8.6-irsa/setup-postgres-create-db.yml +++ b/examples/camunda-8.6-irsa/setup-postgres-create-db.yml 
@@ -33,7 +33,7 @@ spec: -c "CREATE USER \"${DB_KEYCLOAK_USERNAME}\" WITH LOGIN NOSUPERUSER CREATEDB CREATEROLE INHERIT;" \ -c "GRANT ALL PRIVILEGES ON DATABASE \"${DB_KEYCLOAK_NAME}\" TO \"${DB_KEYCLOAK_USERNAME}\";" \ -c "GRANT ALL ON SCHEMA public TO \"${DB_KEYCLOAK_USERNAME}\";" \ - -c "GRANT rds_iam TO \"${CAMUNDA_KEYCLOAK_SERVICE_ACCOUNT_NAME}\";" + -c "GRANT rds_iam TO \"${DB_KEYCLOAK_USERNAME}\";" echo "Create identity user and associated database" @@ -44,7 +44,7 @@ spec: -c "CREATE USER \"${DB_IDENTITY_USERNAME}\" WITH LOGIN NOSUPERUSER CREATEDB CREATEROLE INHERIT;" \ -c "GRANT ALL PRIVILEGES ON DATABASE \"${DB_IDENTITY_NAME}\" TO \"${DB_IDENTITY_USERNAME}\";" \ -c "GRANT ALL ON SCHEMA public TO \"${DB_IDENTITY_USERNAME}\";" \ - -c "GRANT rds_iam TO \"${CAMUNDA_IDENTITY_SERVICE_ACCOUNT_NAME}\";" + -c "GRANT rds_iam TO \"${DB_IDENTITY_USERNAME}\";" echo "Create webmodeler user and associated database" psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=postgres user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ @@ -54,7 +54,7 @@ spec: -c "CREATE USER \"${DB_WEBMODELER_USERNAME}\" WITH LOGIN NOSUPERUSER CREATEDB CREATEROLE INHERIT;" \ -c "GRANT ALL PRIVILEGES ON DATABASE \"${DB_WEBMODELER_NAME}\" TO \"${DB_WEBMODELER_USERNAME}\";" \ -c "GRANT ALL ON SCHEMA public TO \"${DB_WEBMODELER_USERNAME}\";" \ - -c "GRANT rds_iam TO \"${CAMUNDA_WEBMODELER_SERVICE_ACCOUNT_NAME}\";" + -c "GRANT rds_iam TO \"${DB_WEBMODELER_USERNAME}\";" EOF env: @@ -88,11 +88,6 @@ spec: secretKeyRef: name: setup-db-secret key: DB_KEYCLOAK_USERNAME - - name: CAMUNDA_KEYCLOAK_SERVICE_ACCOUNT_NAME - valueFrom: - secretKeyRef: - name: setup-db-secret - key: CAMUNDA_KEYCLOAK_SERVICE_ACCOUNT_NAME - name: DB_IDENTITY_NAME valueFrom: secretKeyRef: 
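Review bot: The roles that now receive `rds_iam` are created a few lines above with `NOSUPERUSER CREATEDB CREATEROLE INHERIT`, then given `GRANT ALL PRIVILEGES` on the database. That is more than an application login normally needs, and `CREATEROLE` in particular lets a compromised component create further roles. Unless a component is known to create databases or roles at runtime, the statement could be `CREATE USER \"${DB_KEYCLOAK_USERNAME}\" WITH LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT;`. The same applies to the identity and webmodeler users in the hunks at -44 and -54. The job script starts and ends outside these hunks, so the rest of the setup is not reviewed here.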
@@ -103,11 +98,6 @@ spec: secretKeyRef: name: setup-db-secret key: DB_IDENTITY_USERNAME - - name: CAMUNDA_IDENTITY_SERVICE_ACCOUNT_NAME - valueFrom: - secretKeyRef: - name: setup-db-secret - key: CAMUNDA_IDENTITY_SERVICE_ACCOUNT_NAME - name: DB_WEBMODELER_NAME valueFrom: secretKeyRef: @@ -118,8 +108,3 @@ spec: secretKeyRef: name: setup-db-secret key: DB_WEBMODELER_USERNAME - - name: CAMUNDA_WEBMODELER_SERVICE_ACCOUNT_NAME - valueFrom: - secretKeyRef: - name: setup-db-secret - key: CAMUNDA_WEBMODELER_SERVICE_ACCOUNT_NAME From cde6ebee507e8263f4b98103dbb2042d6f1dfee8 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Wed, 16 Oct 2024 21:39:43 +0200 Subject: [PATCH 091/135] update keycloak irsa --- examples/camunda-8.6-irsa/helm-values/values-domain.yml | 3 --- .../camunda-8.6-irsa/helm-values/values-no-domain.yml | 8 -------- 2 files changed, 11 deletions(-) diff --git a/examples/camunda-8.6-irsa/helm-values/values-domain.yml b/examples/camunda-8.6-irsa/helm-values/values-domain.yml index 5fdb2a65..bee26253 100644 --- a/examples/camunda-8.6-irsa/helm-values/values-domain.yml +++ b/examples/camunda-8.6-irsa/helm-values/values-domain.yml @@ -11,7 +11,6 @@ identityKeycloak: host: ${DB_HOST} user: ${DB_KEYCLOAK_USERNAME} port: 5432 - password: '' # let it empty as we use IRSA database: ${DB_KEYCLOAK_NAME} extraEnvVars: @@ -21,8 +20,6 @@ identityKeycloak: value: wrapperPlugins=iam&ssl=true&sslmode=require - name: KEYCLOAK_JDBC_DRIVER value: aws-wrapper:postgresql - - name: KC_DB_DRIVER - value: software.amazon.jdbc.Driver auth: existingSecret: identity-secret-for-components diff --git a/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml b/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml index c5ce0ef7..043ddf85 100644 --- a/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml +++ b/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml 
@@ -11,7 +11,6 @@ identityKeycloak: host: ${DB_HOST} user: ${DB_KEYCLOAK_USERNAME} port: 5432 - password: '' # let it empty as we use IRSA database: ${DB_KEYCLOAK_NAME} extraEnvVars: @@ -21,13 +20,6 @@ identityKeycloak: value: wrapperPlugins=iam&ssl=true&sslmode=require - name: KEYCLOAK_JDBC_DRIVER value: aws-wrapper:postgresql - - name: KC_DB_DRIVER - value: software.amazon.jdbc.Driver - - name: KC_DB - value: postgres - - name: KC_DB_URL - value: jdbc:aws-wrapper:postgresql://${DB_HOST}:5432/${DB_KEYCLOAK_NAME}?wrapperPlugins=iam&ssl=true&sslmode=require - auth: existingSecret: identity-secret-for-components From ce2888eefbc91f5e2f8b13fc03f21e5d342dacbb Mon Sep 17 00:00:00 2001 
From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Thu, 17 Oct 2024 11:10:09 +0200 Subject: [PATCH 092/135] add bash --- .../camunda-8.6-irsa/procedure/chart-env.sh | 1 + .../procedure/check-env-variables.sh | 13 +++++++++++++ .../procedure/create-identity-secret.sh | 1 + .../procedure/generate-passwords.sh | 1 + .../camunda-8.6-irsa/procedure/install-chart.sh | 1 + examples/camunda-8.6/procedure/chart-env.sh | 5 +++++ .../procedure/check-env-variables.sh | 13 +++++++++++++ .../procedure/create-external-db-secrets.sh | 17 +++++++++++++++++ .../procedure/create-identity-secret.sh | 12 ++++++++++++ .../camunda-8.6/procedure/generate-passwords.sh | 7 +++++++ examples/camunda-8.6/procedure/install-chart.sh | 6 ++++++ 11 files changed, 77 insertions(+) create mode 120000 examples/camunda-8.6-irsa/procedure/chart-env.sh create mode 100644 examples/camunda-8.6-irsa/procedure/check-env-variables.sh create mode 120000 examples/camunda-8.6-irsa/procedure/create-identity-secret.sh create mode 120000 examples/camunda-8.6-irsa/procedure/generate-passwords.sh create mode 120000 examples/camunda-8.6-irsa/procedure/install-chart.sh create mode 100644 examples/camunda-8.6/procedure/chart-env.sh create mode 100644 examples/camunda-8.6/procedure/check-env-variables.sh create mode 100644 examples/camunda-8.6/procedure/create-external-db-secrets.sh create mode 100644 examples/camunda-8.6/procedure/create-identity-secret.sh create mode 100644 examples/camunda-8.6/procedure/generate-passwords.sh create mode 100644 examples/camunda-8.6/procedure/install-chart.sh diff --git a/examples/camunda-8.6-irsa/procedure/chart-env.sh b/examples/camunda-8.6-irsa/procedure/chart-env.sh new file mode 120000 index 00000000..8e57df9a --- /dev/null +++ b/examples/camunda-8.6-irsa/procedure/chart-env.sh @@ -0,0 +1 @@ +../../camunda-8.6/procedure/chart-env.sh \ No newline at end of file 
diff --git a/examples/camunda-8.6-irsa/procedure/check-env-variables.sh b/examples/camunda-8.6-irsa/procedure/check-env-variables.sh new file mode 100644 index 00000000..108b0cd5 --- /dev/null +++ b/examples/camunda-8.6-irsa/procedure/check-env-variables.sh @@ -0,0 +1,13 @@ +# This script is compatible with bash only + +# List of required environment variables +required_vars=("DB_HOST" "DB_ROLE_ARN" "CAMUNDA_WEBMODELER_SERVICE_ACCOUNT_NAME" "DB_WEBMODELER_NAME" "DB_WEBMODELER_USERNAME" "CAMUNDA_IDENTITY_SERVICE_ACCOUNT_NAME" "DB_IDENTITY_NAME" "DB_IDENTITY_USERNAME" "DB_KEYCLOAK_NAME" "DB_KEYCLOAK_USERNAME" "CAMUNDA_KEYCLOAK_SERVICE_ACCOUNT_NAME" "OPENSEARCH_HOST" "OPENSEARCH_ROLE_ARN" "CAMUNDA_ZEEBE_SERVICE_ACCOUNT_NAME" "CAMUNDA_OPERATE_SERVICE_ACCOUNT_NAME" "CAMUNDA_TASKLIST_SERVICE_ACCOUNT_NAME" "CAMUNDA_OPTIMIZE_SERVICE_ACCOUNT_NAME") + +# Loop through each variable and check if it is set and not empty +for var in "${required_vars[@]}"; do + if [[ -z "${!var}" ]]; then + echo "Error: $var is not set or is empty" + else + echo "$var is set to '${!var}'" + fi +done diff --git a/examples/camunda-8.6-irsa/procedure/create-identity-secret.sh b/examples/camunda-8.6-irsa/procedure/create-identity-secret.sh new file mode 120000 index 00000000..bfc9a3a1 --- /dev/null +++ b/examples/camunda-8.6-irsa/procedure/create-identity-secret.sh @@ -0,0 +1 @@ +../../camunda-8.6/procedure/create-identity-secret.sh \ No newline at end of file diff --git a/examples/camunda-8.6-irsa/procedure/generate-passwords.sh b/examples/camunda-8.6-irsa/procedure/generate-passwords.sh new file mode 120000 index 00000000..33bee158 --- /dev/null +++ b/examples/camunda-8.6-irsa/procedure/generate-passwords.sh @@ -0,0 +1 @@ +../../camunda-8.6/procedure/generate-passwords.sh \ No newline at end of file diff --git a/examples/camunda-8.6-irsa/procedure/install-chart.sh b/examples/camunda-8.6-irsa/procedure/install-chart.sh new file mode 120000 index 00000000..50bec488 --- /dev/null 
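Review bot: The new `check-env-variables.sh` prints `Error: $var is not set or is empty` but carries on and finishes with status 0, so a pipeline or a user chaining the next step gets no signal that the environment is incomplete. Set a flag in the error branch (`missing=1`) and after `done` add `[[ -z "${missing:-}" ]] || exit 1`, or `return 1` if the file is meant to be sourced. The header says the script is bash-only, but there is no `#!/usr/bin/env bash` line to enforce that. It would also help to add a comment saying whether the file is executed or sourced.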
+++ b/examples/camunda-8.6-irsa/procedure/install-chart.sh @@ -0,0 +1 @@ +../../camunda-8.6/procedure/install-chart.sh \ No newline at end of file diff --git a/examples/camunda-8.6/procedure/chart-env.sh b/examples/camunda-8.6/procedure/chart-env.sh new file mode 100644 index 00000000..b672a975 --- /dev/null +++ b/examples/camunda-8.6/procedure/chart-env.sh @@ -0,0 +1,5 @@ +# Your standard region that you host AWS resources in +export REGION="$AWS_REGION" + +# The Camunda 8 Helm Chart version +export CAMUNDA_HELM_CHART_VERSION="11.0.0" diff --git a/examples/camunda-8.6/procedure/check-env-variables.sh b/examples/camunda-8.6/procedure/check-env-variables.sh new file mode 100644 index 00000000..3d2f6fef --- /dev/null +++ b/examples/camunda-8.6/procedure/check-env-variables.sh @@ -0,0 +1,13 @@ +# This script is compatible with bash only + +# List of required environment variables +required_vars=("DB_HOST" "DB_KEYCLOAK_NAME" "DB_KEYCLOAK_USERNAME" "DB_KEYCLOAK_PASSWORD" "DB_IDENTITY_NAME" "DB_IDENTITY_USERNAME" "DB_IDENTITY_PASSWORD" "DB_WEBMODELER_NAME" "DB_WEBMODELER_USERNAME" "DB_WEBMODELER_PASSWORD" "OPENSEARCH_HOST") + +# Loop through each variable and check if it is set and not empty +for var in "${required_vars[@]}"; do + if [[ -z "${!var}" ]]; then + echo "Error: $var is not set or is empty" + else + echo "$var is set to '${!var}'" + fi +done diff --git a/examples/camunda-8.6/procedure/create-external-db-secrets.sh b/examples/camunda-8.6/procedure/create-external-db-secrets.sh new file mode 100644 index 00000000..07104ca6 --- /dev/null +++ b/examples/camunda-8.6/procedure/create-external-db-secrets.sh 
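Review bot: In `examples/camunda-8.6/procedure/check-env-variables.sh`, `required_vars` includes `DB_KEYCLOAK_PASSWORD`, `DB_IDENTITY_PASSWORD` and `DB_WEBMODELER_PASSWORD`, and the success branch runs `echo "$var is set to '${!var}'"`. That prints the database passwords to the terminal, and to the job log when the script runs in CI. Report presence only with `echo "$var is set"`, or skip the value for names ending in `_PASSWORD`.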
@@ -0,0 +1,17 @@ +# create a secret to reference external database credentials if you use it +kubectl create secret generic identity-keycloak-secret \ + --namespace camunda \ + --from-literal=host="$DB_HOST" \ + --from-literal=user="$DB_KEYCLOAK_USERNAME" \ + --from-literal=password="$DB_KEYCLOAK_PASSWORD" \ + --from-literal=database="$DB_KEYCLOAK_NAME" \ + --from-literal=port=5432 + +# create a secret to reference external Postgres for each component of Camunda 8 +kubectl create secret generic identity-postgres-secret \ + --namespace camunda \ + --from-literal=password="$DB_IDENTITY_PASSWORD" + +kubectl create secret generic webmodeler-postgres-secret \ + --namespace camunda \ + --from-literal=password="$DB_WEBMODELER_PASSWORD" diff --git a/examples/camunda-8.6/procedure/create-identity-secret.sh b/examples/camunda-8.6/procedure/create-identity-secret.sh new file mode 100644 index 00000000..4c324202 --- /dev/null +++ b/examples/camunda-8.6/procedure/create-identity-secret.sh @@ -0,0 +1,12 @@ +kubectl create secret generic identity-secret-for-components \ + --namespace camunda \ + --from-literal=connectors-secret="$CONNECTORS_SECRET" \ + --from-literal=console-secret="$CONSOLE_SECRET" \ + --from-literal=operate-secret="$OPERATE_SECRET" \ + --from-literal=optimize-secret="$OPTIMIZE_SECRET" \ + --from-literal=tasklist-secret="$TASKLIST_SECRET" \ + --from-literal=zeebe-secret="$ZEEBE_SECRET" \ + --from-literal=admin-password="$ADMIN_PASSWORD" \ + --from-literal=postgres-password="" \ + --from-literal=password="" \ + --from-literal=smtp-password="" diff --git a/examples/camunda-8.6/procedure/generate-passwords.sh b/examples/camunda-8.6/procedure/generate-passwords.sh new file mode 100644 index 00000000..098ed07b --- /dev/null +++ b/examples/camunda-8.6/procedure/generate-passwords.sh 
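Review bot: `create-external-db-secrets.sh` expands variables such as `$DB_KEYCLOAK_PASSWORD` without checking they are set, so running it in a shell where they were never exported creates the secret with an empty password, and kubectl reports success. `create-identity-secret.sh` has the same problem with `$ADMIN_PASSWORD` and the component secrets. Use the failing expansion form, for example `--from-literal=password="${DB_KEYCLOAK_PASSWORD:?DB_KEYCLOAK_PASSWORD is not set}"`, or start both scripts with `set -u`. The values are also passed as `--from-literal` arguments, which makes them visible in the local process list while kubectl runs. Reading them with `--from-env-file` or `--from-file` from a file with restricted permissions avoids that.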
@@ -0,0 +1,7 @@ +export CONNECTORS_SECRET="$(openssl rand -hex 16)" +export CONSOLE_SECRET="$(openssl rand -hex 16)" +export OPERATE_SECRET="$(openssl rand -hex 16)" +export OPTIMIZE_SECRET="$(openssl rand -hex 16)" +export TASKLIST_SECRET="$(openssl rand -hex 16)" +export ZEEBE_SECRET="$(openssl rand -hex 16)" +export ADMIN_PASSWORD="$(openssl rand -hex 16)" diff --git a/examples/camunda-8.6/procedure/install-chart.sh b/examples/camunda-8.6/procedure/install-chart.sh new file mode 100644 index 00000000..90055512 --- /dev/null +++ b/examples/camunda-8.6/procedure/install-chart.sh @@ -0,0 +1,6 @@ +helm upgrade --install \ + camunda camunda-platform \ + --repo https://helm.camunda.io \ + --version "$CAMUNDA_HELM_CHART_VERSION" \ + --namespace camunda \ + -f generated-values.yml From 61e7a301e1749d76ab84fe71b2b91cd8a2c41f77 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Thu, 17 Oct 2024 11:26:42 +0200 Subject: [PATCH 093/135] add scripts --- .../procedure/create-setup-db-secret.sh | 12 +++++++++ .../procedure/export-helm-values.sh | 27 +++++++++++++++++++ .../procedure/vars-create-db.sh | 1 + .../procedure/create-setup-db-secret.sh | 15 +++++++++++ .../procedure/export-helm-values.sh | 21 +++++++++++++++ .../camunda-8.6/procedure/vars-create-db.sh | 6 +++++ 6 files changed, 82 insertions(+) create mode 100644 examples/camunda-8.6-irsa/procedure/create-setup-db-secret.sh create mode 100644 examples/camunda-8.6-irsa/procedure/export-helm-values.sh create mode 120000 examples/camunda-8.6-irsa/procedure/vars-create-db.sh create mode 100644 examples/camunda-8.6/procedure/create-setup-db-secret.sh create mode 100644 examples/camunda-8.6/procedure/export-helm-values.sh create mode 100644 examples/camunda-8.6/procedure/vars-create-db.sh diff --git a/examples/camunda-8.6-irsa/procedure/create-setup-db-secret.sh b/examples/camunda-8.6-irsa/procedure/create-setup-db-secret.sh new file mode 100644 index 00000000..3453a9f8 --- /dev/null 
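Review bot: In generate-passwords.sh every line has the form `export NAME="$(openssl rand -hex 16)"`, which discards the exit status of `openssl` because the status of the line is that of `export`. If `openssl` is missing or fails, each variable is exported empty and the later secret-creation scripts will store empty credentials. Splitting assignment and export, `CONNECTORS_SECRET="$(openssl rand -hex 16)" || return 1` followed by `export CONNECTORS_SECRET`, lets the failure surface; `return` assumes the file is sourced, which the `export` usage suggests but the hunk does not state.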
+++ b/examples/camunda-8.6-irsa/procedure/create-setup-db-secret.sh @@ -0,0 +1,12 @@ +kubectl create secret generic setup-db-secret --namespace camunda \ + --from-literal=AURORA_ENDPOINT="$AURORA_ENDPOINT" \ + --from-literal=AURORA_PORT="$AURORA_PORT" \ + --from-literal=AURORA_DB_NAME="$AURORA_DB_NAME" \ + --from-literal=AURORA_USERNAME="$AURORA_USERNAME" \ + --from-literal=AURORA_PASSWORD="$AURORA_PASSWORD" \ + --from-literal=DB_KEYCLOAK_NAME="$DB_KEYCLOAK_NAME" \ + --from-literal=DB_KEYCLOAK_USERNAME="$DB_KEYCLOAK_USERNAME" \ + --from-literal=DB_IDENTITY_NAME="$DB_IDENTITY_NAME" \ + --from-literal=DB_IDENTITY_USERNAME="$DB_IDENTITY_USERNAME" \ + --from-literal=DB_WEBMODELER_NAME="$DB_WEBMODELER_NAME" \ + --from-literal=DB_WEBMODELER_USERNAME="$DB_WEBMODELER_USERNAME" diff --git a/examples/camunda-8.6-irsa/procedure/export-helm-values.sh b/examples/camunda-8.6-irsa/procedure/export-helm-values.sh new file mode 100644 index 00000000..8dd877af --- /dev/null +++ b/examples/camunda-8.6-irsa/procedure/export-helm-values.sh @@ -0,0 +1,27 @@ +# EKS Cluster +export CERT_MANAGER_IRSA_ARN="$(terraform output -raw cert_manager_arn)" +export EXTERNAL_DNS_IRSA_ARN="$(terraform output -raw external_dns_arn)" + +# PostgreSQL +export DB_KEYCLOAK_NAME="$(terraform console << Date: Thu, 17 Oct 2024 12:13:18 +0200 Subject: [PATCH 094/135] add os fgac --- .../procedure/create-setup-os-secret.sh | 5 ++ .../procedure/vars-create-os.sh | 3 + .../setup-opensearch-fgac.yml | 70 +++++++++++++++++++ 3 files changed, 78 insertions(+) create mode 100644 examples/camunda-8.6-irsa/procedure/create-setup-os-secret.sh create mode 100644 examples/camunda-8.6-irsa/procedure/vars-create-os.sh create mode 100644 examples/camunda-8.6-irsa/setup-opensearch-fgac.yml diff --git a/examples/camunda-8.6-irsa/procedure/create-setup-os-secret.sh b/examples/camunda-8.6-irsa/procedure/create-setup-os-secret.sh new file mode 100644 index 00000000..d80d72b1 --- /dev/null 
+++ b/examples/camunda-8.6-irsa/procedure/create-setup-os-secret.sh @@ -0,0 +1,5 @@ +kubectl create secret generic setup-os-secret --namespace camunda \ + --from-literal=OPENSEARCH_HOST="$OPENSEARCH_HOST" \ + --from-literal=OPENSEARCH_ROLE_ARN="$OPENSEARCH_ROLE_ARN" \ + --from-literal=OPENSEARCH_MASTER_USERNAME="$OPENSEARCH_MASTER_USERNAME" \ + --from-literal=OPENSEARCH_MASTER_PASSWORD="$OPENSEARCH_MASTER_PASSWORD" diff --git a/examples/camunda-8.6-irsa/procedure/vars-create-os.sh b/examples/camunda-8.6-irsa/procedure/vars-create-os.sh new file mode 100644 index 00000000..82e2b194 --- /dev/null +++ b/examples/camunda-8.6-irsa/procedure/vars-create-os.sh @@ -0,0 +1,3 @@ +# OpenSearch Credentials (replace with your own values from the #opensearch-module-setup step) +export OPENSEARCH_MASTER_USERNAME="$(terraform console <<&2 + exit 1 + fi + EOF + env: + - name: OPENSEARCH_HOST + valueFrom: + secretKeyRef: + name: setup-os-secret + key: OPENSEARCH_HOST + - name: OPENSEARCH_ROLE_ARN + valueFrom: + secretKeyRef: + name: setup-os-secret + key: OPENSEARCH_ROLE_ARN + - name: OPENSEARCH_MASTER_USERNAME + valueFrom: + secretKeyRef: + name: setup-os-secret + key: OPENSEARCH_MASTER_USERNAME + - name: OPENSEARCH_MASTER_PASSWORD + valueFrom: + secretKeyRef: + name: setup-os-secret + key: OPENSEARCH_MASTER_PASSWORD From c8b60f5acbffd91cdc70817a65501b2cb28aca59 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Thu, 17 Oct 2024 16:12:03 +0200 Subject: [PATCH 095/135] fix opensearch policy --- examples/camunda-8.6-irsa/opensearch.tf | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/examples/camunda-8.6-irsa/opensearch.tf b/examples/camunda-8.6-irsa/opensearch.tf index 83545dc6..964e4779 100644 --- a/examples/camunda-8.6-irsa/opensearch.tf +++ b/examples/camunda-8.6-irsa/opensearch.tf 
@@ -37,6 +37,23 @@ module "opensearch_domain" { iam_create_opensearch_role = true iam_opensearch_role_name = "OpenSearchRole-${local.opensearch_domain_name}" # Ensure uniqueness + # rely on fine grained access control for this part + access_policies = < Date: Thu, 17 Oct 2024 16:50:32 +0200 Subject: [PATCH 096/135] fix opensearch role --- examples/camunda-8.6-irsa/setup-opensearch-fgac.yml | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/examples/camunda-8.6-irsa/setup-opensearch-fgac.yml b/examples/camunda-8.6-irsa/setup-opensearch-fgac.yml index 15278b37..6aacf31e 100644 --- a/examples/camunda-8.6-irsa/setup-opensearch-fgac.yml +++ b/examples/camunda-8.6-irsa/setup-opensearch-fgac.yml @@ -21,13 +21,10 @@ spec: /bin/bash <<'EOF' set -o pipefail - echo "Installing curl..." - yum install -y curl - echo "Configuring Fine-Grained Access Control for OpenSearch..." # Send the PATCH request to map the IAM role to OpenSearch role - curl -sS -u "$OPENSEARCH_USER:$OPENSEARCH_PASSWORD" \ + curl -sS -u "$OPENSEARCH_MASTER_USERNAME:$OPENSEARCH_MASTER_PASSWORD" \ -X PATCH \ "https://$OPENSEARCH_HOST/_opendistro/_security/api/rolesmapping/all_access?pretty" \ -H 'Content-Type: application/json' \ @@ -40,12 +37,6 @@ spec: } ]' - if [ $? -eq 0 ]; then - echo "Fine-grained access control configuration successful." - else - echo "Failed to configure fine-grained access control." >&2 - exit 1 - fi EOF env: - name: OPENSEARCH_HOST From 42c43f64d709a3e7a87e9d5e36fb6375e2978b9e Mon Sep 17 00:00:00 2001 
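Review bot: In setup-opensearch-fgac.yml the `if [ $? -eq 0 ]` block is removed and nothing replaces it, and `curl -sS` without `--fail` exits 0 on an HTTP 401 or 403, so the Job can complete successfully while the `all_access` role mapping was never applied. Adding `--fail` to the call, `curl -sS --fail -u "$OPENSEARCH_MASTER_USERNAME:$OPENSEARCH_MASTER_PASSWORD" \`, makes a rejected request fail the script, since `curl` is now its last command. The mapping grants the IAM role `all_access`; if the workloads only need index read and write, a narrower OpenSearch role would limit what a compromised pod can do. The script body starts above the first hunk.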
From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Fri, 18 Oct 2024 11:08:17 +0200 Subject: [PATCH 097/135] update roles --- modules/aurora/README.md | 11 +-- modules/aurora/role.tf | 31 ++++--- modules/aurora/variables.tf | 111 ++++++++++++------------ modules/opensearch/README.md | 11 +-- modules/opensearch/role.tf | 33 ++++--- modules/opensearch/variables.tf | 148 ++++++++++++++++---------------- 6 files changed, 174 insertions(+), 171 deletions(-) diff --git a/modules/aurora/README.md b/modules/aurora/README.md index 3ba5006c..922bb328 100644 --- a/modules/aurora/README.md +++ b/modules/aurora/README.md 
@@ -36,9 +36,9 @@ No modules. | Name | Type | |------|------| | [aws_db_subnet_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_subnet_group) | resource | -| [aws_iam_policy.aurora_access_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_role.aurora_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role_policy_attachment.attach_aurora_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_policy.access_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_role.roles](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy_attachment.attach_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_kms_key.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | | [aws_rds_cluster.aurora_cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster) | resource | | [aws_rds_cluster_instance.aurora_instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster_instance) | resource | 
@@ -57,12 +57,9 @@ No modules. | [default\_database\_name](#input\_default\_database\_name) | The name for the automatically created database on cluster creation. | `string` | `"camunda"` | no | | [engine](#input\_engine) | The engine type e.g. aurora, aurora-mysql, aurora-postgresql, ... | `string` | `"aurora-postgresql"` | no | | [engine\_version](#input\_engine\_version) | The DB engine version for Postgres to use. | `string` | `"15.4"` | no | -| [iam\_aurora\_access\_policy](#input\_iam\_aurora\_access\_policy) | Access policy for Aurora allowing access | `string` | `" {\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"rds-db:connect\"\n ],\n \"Resource\": \"arn:aws:rds-db:::dbuser:/\"\n }\n ]\n }\n\n"` | no | -| [iam\_aurora\_role\_name](#input\_iam\_aurora\_role\_name) | Name of the AuroraRole IAM role | `string` | `"AuroraRole"` | no | | [iam\_auth\_enabled](#input\_iam\_auth\_enabled) | Determines whether IAM auth should be activated for IRSA usage | `bool` | `false` | no | -| [iam\_create\_aurora\_role](#input\_iam\_create\_aurora\_role) | Flag to determine if the Aurora IAM role should be created, if true, this module will create a role. Please ensure that iam\_auth\_enabled is set to `true` | `bool` | `false` | no | -| [iam\_role\_trust\_policy](#input\_iam\_role\_trust\_policy) | Assume role trust policy for Aurora role | `string` | `" {\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"Federated\": \"arn:aws:iam:::oidc-provider/oidc.eks..amazonaws.com/id/\"\n },\n \"Action\": \"sts:AssumeRoleWithWebIdentity\",\n \"Condition\": {\n \"StringEquals\": {\n \"oidc.eks..amazonaws.com/id/:sub\": \"system:serviceaccount::\"\n }\n }\n }\n ]\n }\n\n"` | no | | [iam\_roles](#input\_iam\_roles) | Allows propagating additional IAM roles to the Aurora cluster to allow e.g. 
access to S3 | `list(string)` | `[]` | no | +| [iam\_roles\_with\_policies](#input\_iam\_roles\_with\_policies) | List of roles with their trust and access policies |
list(object({
# Name of the Role to create
role_name = string

# Assume role trust policy for this Aurora role as a json string
trust_policy = string

# Access policy for Aurora allowing access as a json string
# see https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html
access_policy = string
}))
| `[]` | no | | [instance\_class](#input\_instance\_class) | The instance type of the Aurora instances | `string` | `"db.t3.medium"` | no | | [num\_instances](#input\_num\_instances) | Number of instances | `string` | `"1"` | no | | [password](#input\_password) | The password for the postgres admin user. Important: secret value! | `string` | n/a | yes | diff --git a/modules/aurora/role.tf b/modules/aurora/role.tf index 1df6461a..67f7b14d 100644 --- a/modules/aurora/role.tf +++ b/modules/aurora/role.tf @@ -1,25 +1,30 @@ +// Convert the list to a map by using the role_name as the key +locals { + roles_map = { for role in var.iam_roles_with_policies : role.role_name => role } +} + // IAM Role for Aurora -resource "aws_iam_role" "aurora_role" { - count = var.iam_create_aurora_role ? 1 : 0 +resource "aws_iam_role" "roles" { + for_each = local.roles_map - name = var.iam_aurora_role_name - assume_role_policy = var.iam_role_trust_policy + name = each.key + assume_role_policy = each.value.trust_policy } // IAM Policy for Aurora Access -resource "aws_iam_policy" "aurora_access_policy" { - count = var.iam_create_aurora_role ? 1 : 0 +resource "aws_iam_policy" "access_policies" { + for_each = local.roles_map - name = "${var.iam_aurora_role_name}-access-policy" - description = "Access policy for Aurora" + name = "${each.key}-access-policy" + description = "Access policy for ${each.key}" - policy = var.iam_aurora_access_policy + policy = each.value.access_policy } // Attach the policy to the role -resource "aws_iam_role_policy_attachment" "attach_aurora_policy" { - count = var.iam_create_aurora_role ? 1 : 0 +resource "aws_iam_role_policy_attachment" "attach_policies" { + for_each = local.roles_map - role = aws_iam_role.aurora_role[0].name - policy_arn = aws_iam_policy.aurora_access_policy[0].arn + role = aws_iam_role.roles[each.key].name + policy_arn = aws_iam_policy.access_policies[each.key].arn } 
diff --git a/modules/aurora/variables.tf b/modules/aurora/variables.tf index aaf5bc58..f8981a6e 100644 --- a/modules/aurora/variables.tf +++ b/modules/aurora/variables.tf 
@@ -94,60 +94,59 @@ variable "default_database_name" { description = "The name for the automatically created database on cluster creation." } -variable "iam_create_aurora_role" { - description = "Flag to determine if the Aurora IAM role should be created, if true, this module will create a role. Please ensure that iam_auth_enabled is set to `true`" - type = bool - default = false -} - -variable "iam_aurora_role_name" { - description = "Name of the AuroraRole IAM role" - type = string - default = "AuroraRole" -} - -variable "iam_role_trust_policy" { - description = "Assume role trust policy for Aurora role" - type = string - default = <:oidc-provider/oidc.eks..amazonaws.com/id/" - }, - "Action": "sts:AssumeRoleWithWebIdentity", - "Condition": { - "StringEquals": { - "oidc.eks..amazonaws.com/id/:sub": "system:serviceaccount::" - } - } - } - ] - } - -EOF -} - -variable "iam_aurora_access_policy" { - # see https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html - description = "Access policy for Aurora allowing access" - type = string - default = <::dbuser:/" - } - ] - } - -EOF +variable "iam_roles_with_policies" { + description = "List of roles with their trust and access policies" + + type = list(object({ + # Name of the Role to create + role_name = string + + # Assume role trust policy for this Aurora role as a json string + trust_policy = string + + # Access policy for Aurora allowing access as a json string + # see https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html + access_policy = string + })) + + # By default, don't create any role and associated policies. 
Here's an example + # [ + # { + # role_name = "AuroraRole" + # trust_policy = <:oidc-provider/oidc.eks..amazonaws.com/id/" + # }, + # "Action": "sts:AssumeRoleWithWebIdentity", + # "Condition": { + # "StringEquals": { + # "oidc.eks..amazonaws.com/id/:sub": "system:serviceaccount::" + # } + # } + # } + # ] + # } + # EOF + # access_policy = <::dbuser:/" + # } + # ] + # } + # EOF + # } + # ] + default = [] } diff --git a/modules/opensearch/README.md b/modules/opensearch/README.md index dff4b3f2..0e28dbe4 100644 --- a/modules/opensearch/README.md +++ b/modules/opensearch/README.md @@ -67,9 +67,9 @@ No modules. | Name | Type | |------|------| -| [aws_iam_policy.opensearch_access_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_role.opensearch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role_policy_attachment.attach_opensearch_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_policy.access_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_role.roles](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy_attachment.attach_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_kms_key.kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | | [aws_opensearch_domain.opensearch_cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/opensearch_domain) | resource | | [aws_security_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | 
@@ -104,10 +104,7 @@ No modules. | [ebs\_volume\_type](#input\_ebs\_volume\_type) | Type of EBS volumes attached to data nodes. | `string` | `"gp3"` | no | | [enable\_access\_policy](#input\_enable\_access\_policy) | Determines whether an access policy will be applied to the domain | `bool` | `true` | no | | [engine\_version](#input\_engine\_version) | OpenSearch version for the domain. | `string` | `"2.15"` | no | -| [iam\_create\_opensearch\_role](#input\_iam\_create\_opensearch\_role) | Flag to determine if the OpenSearch role should be created | `bool` | `false` | no | -| [iam\_opensearch\_access\_policy](#input\_iam\_opensearch\_access\_policy) | Access policy for OpenSearch allowing access | `string` | `" {\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"es:DescribeElasticsearchDomains\",\n \"es:DescribeElasticsearchInstanceTypeLimits\",\n \"es:DescribeReservedElasticsearchInstanceOfferings\",\n \"es:DescribeReservedElasticsearchInstances\",\n \"es:GetCompatibleElasticsearchVersions\",\n \"es:ListDomainNames\",\n \"es:ListElasticsearchInstanceTypes\",\n \"es:ListElasticsearchVersions\",\n \"es:DescribeElasticsearchDomain\",\n \"es:DescribeElasticsearchDomainConfig\",\n \"es:ESHttpGet\",\n \"es:ESHttpHead\",\n \"es:GetUpgradeHistory\",\n \"es:GetUpgradeStatus\",\n \"es:ListTags\",\n \"es:AddTags\",\n \"es:RemoveTags\",\n \"es:ESHttpDelete\",\n \"es:ESHttpPost\",\n \"es:ESHttpPut\"\n ],\n \"Resource\": \"arn:aws:es:::domain//*\"\n }\n ]\n }\n\n"` | no | -| [iam\_opensearch\_role\_name](#input\_iam\_opensearch\_role\_name) | Name of the OpenSearch IAM role | `string` | `"OpenSearchRole"` | no | -| [iam\_role\_trust\_policy](#input\_iam\_role\_trust\_policy) | Assume role trust policy for OpenSearch role | `string` | `" {\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"Federated\": \"arn:aws:iam:::oidc-provider/oidc.eks..amazonaws.com/id/\"\n },\n \"Action\": 
\"sts:AssumeRoleWithWebIdentity\",\n \"Condition\": {\n \"StringEquals\": {\n \"oidc.eks..amazonaws.com/id/:sub\": \"system:serviceaccount::\"\n }\n }\n }\n ]\n }\n\n"` | no | +| [iam\_roles\_with\_policies](#input\_iam\_roles\_with\_policies) | List of roles with their trust and access policies |
list(object({
# Name of the Role to create
role_name = string

# Assume role trust policy for this Aurora role as a json string
trust_policy = string

# Access policy for Aurora allowing access as a json string
# see https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html
access_policy = string
}))
| `[]` | no | | [instance\_count](#input\_instance\_count) | Number of instances in the cluster. | `number` | `3` | no | | [instance\_type](#input\_instance\_type) | Instance type of data nodes in the cluster. | `string` | `"t3.small.search"` | no | | [ip\_address\_type](#input\_ip\_address\_type) | The IP address type for the endpoint. Valid values are ipv4 and dualstack | `string` | `"ipv4"` | no | diff --git a/modules/opensearch/role.tf b/modules/opensearch/role.tf index be12de8c..6be5377c 100644 --- a/modules/opensearch/role.tf +++ b/modules/opensearch/role.tf 
@@ -1,25 +1,30 @@ +// Convert the list to a map by using the role_name as the key +locals { + roles_map = { for role in var.iam_roles_with_policies : role.role_name => role } +} + // IAM Role for OpenSearch -resource "aws_iam_role" "opensearch" { - count = var.iam_create_opensearch_role ? 1 : 0 +resource "aws_iam_role" "roles" { + for_each = local.roles_map - name = var.iam_opensearch_role_name - assume_role_policy = var.iam_role_trust_policy + name = each.key + assume_role_policy = each.value.trust_policy } -// IAM Policy for OpenSearch Access -resource "aws_iam_policy" "opensearch_access_policy" { - count = var.iam_create_opensearch_role ? 1 : 0 +// IAM Policy for OpenSearch +resource "aws_iam_policy" "access_policies" { + for_each = local.roles_map - name = "${var.iam_opensearch_role_name}-access-policy" - description = "Access policy for OpenSearch" + name = "${each.key}-access-policy" + description = "Access policy for ${each.key}" - policy = var.iam_opensearch_access_policy + policy = each.value.access_policy } // Attach the policy to the role -resource "aws_iam_role_policy_attachment" "attach_opensearch_policy" { - count = var.iam_create_opensearch_role ? 1 : 0 +resource "aws_iam_role_policy_attachment" "attach_policies" { + for_each = local.roles_map - role = aws_iam_role.opensearch[0].name - policy_arn = aws_iam_policy.opensearch_access_policy[0].arn + role = aws_iam_role.roles[each.key].name + policy_arn = aws_iam_policy.access_policies[each.key].arn } diff --git a/modules/opensearch/variables.tf b/modules/opensearch/variables.tf index 3ee964d5..0a49198f 100644 --- a/modules/opensearch/variables.tf +++ b/modules/opensearch/variables.tf 
@@ -257,78 +257,78 @@ variable "kms_key_tags" { default = {} } -variable "iam_create_opensearch_role" { - description = "Flag to determine if the OpenSearch role should be created" - type = bool - default = false -} - -variable "iam_opensearch_role_name" { - description = "Name of the OpenSearch IAM role" - type = string - default = "OpenSearchRole" -} - -variable "iam_role_trust_policy" { - description = "Assume role trust policy for OpenSearch role" - type = string - default = <:oidc-provider/oidc.eks..amazonaws.com/id/" - }, - "Action": "sts:AssumeRoleWithWebIdentity", - "Condition": { - "StringEquals": { - "oidc.eks..amazonaws.com/id/:sub": "system:serviceaccount::" - } - } - } - ] - } - -EOF -} - -variable "iam_opensearch_access_policy" { - description = "Access policy for OpenSearch allowing access" - type = string - default = <::domain//*" - } - ] - } - -EOF +variable "iam_roles_with_policies" { + description = "List of roles with their trust and access policies" + + type = list(object({ + # Name of the Role to create + role_name = string + + # Assume role trust policy for this Aurora role as a json string + trust_policy = string + + # Access policy for Aurora allowing access as a json string + # see https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html + access_policy = string + })) + + # By default, don't create any role and associated policies, here's an example + # [ + # { + # role_name = "OpenSearchRole" + # trust_policy = <:oidc-provider/oidc.eks..amazonaws.com/id/" + # }, + # "Action": "sts:AssumeRoleWithWebIdentity", + # "Condition": { + # "StringEquals": { + # "oidc.eks..amazonaws.com/id/:sub": "system:serviceaccount::" + # } + # } + # } + # ] + # } + # EOF + # access_policy = <::domain//*" + # } + # ] + # } + # EOF + # } + # ] + default = [] } From 6112fdf400a610e17015ef73a9d5d25a1890f254 Mon Sep 17 00:00:00 2001 
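Review bot: The type comments in `iam_roles_with_policies` of modules/opensearch/variables.tf were copied from the Aurora module: they say "for this Aurora role", "Access policy for Aurora" and link to the RDS IAM database authentication guide, and the generated README table repeats them. In the OpenSearch module they should read `# Assume role trust policy for this OpenSearch role as a json string` and `# Access policy for OpenSearch allowing access as a json string`, with the RDS link dropped or replaced by the OpenSearch equivalent. Since both policies are now free-form strings with no default, a `validation` block using `can(jsondecode(role.trust_policy))` would catch malformed JSON at plan time rather than at the IAM API call.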
From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Fri, 18 Oct 2024 15:34:37 +0200 Subject: [PATCH 098/135] introduce multi roles --- README.md | 27 ++- examples/camunda-8.6-irsa/cluster.tf | 3 +- examples/camunda-8.6-irsa/db.tf | 116 ++++++++--- examples/camunda-8.6-irsa/opensearch.tf | 113 +++++------ .../procedure/check-env-variables.sh | 2 +- .../procedure/export-helm-values.sh | 10 +- examples/camunda-8.6/procedure/chart-env.sh | 1 + guides/MIGRATION_GUIDE_v2_to_v3.md | 183 ++++++++++++++++++ modules/aurora/output.tf | 22 --- modules/aurora/outputs.tf | 21 ++ modules/aurora/variables.tf | 80 ++++---- modules/opensearch/outputs.tf | 21 +- modules/opensearch/variables.tf | 117 +++++------ test/src/custom_eks_opensearch_test.go | 15 +- test/src/custom_eks_rds_test.go | 15 +- 15 files changed, 511 insertions(+), 235 deletions(-) create mode 100644 guides/MIGRATION_GUIDE_v2_to_v3.md delete mode 100644 modules/aurora/output.tf create mode 100644 modules/aurora/outputs.tf diff --git a/README.md b/README.md index 41880113..9ed89c7b 100644 --- a/README.md +++ b/README.md @@ -116,7 +116,10 @@ You need to define the IAM role trust policy and access policy for Aurora. Here' ```hcl module "postgresql" { # ... - iam_aurora_access_policy = <:role/AuroraRole> ``` -You can retrieve the role ARN from the module output: `aurora_role_arn`. +You can retrieve the role ARN from the module output: `aurora_iam_role_arns['Aurora-your-cluster']`. **OpenSearch Service Account** @@ -260,7 +267,7 @@ metadata: annotations: eks.amazonaws.com/role-arn: :role/OpenSearchRole> ``` -You can retrieve the role ARN from the module output: `opensearch_role_arn`. +You can retrieve the role ARN from the module output: `opensearch_iam_role_arns['OpenSearch-your-cluster']`. ## Support diff --git a/examples/camunda-8.6-irsa/cluster.tf b/examples/camunda-8.6-irsa/cluster.tf index 1c38d8df..a5adb6d5 100644 --- a/examples/camunda-8.6-irsa/cluster.tf +++ b/examples/camunda-8.6-irsa/cluster.tf 
@@ -4,7 +4,8 @@ locals { } module "eks_cluster" { - source = "git::https://github.com/camunda/camunda-tf-eks-module//modules/eks-cluster?ref=2.6.0" + # TODO: pin to v3 + source = "git::https://github.com/camunda/camunda-tf-eks-module//modules/eks-cluster?ref=feature/opensearch-doc" name = local.eks_cluster_name region = local.eks_cluster_region diff --git a/examples/camunda-8.6-irsa/db.tf b/examples/camunda-8.6-irsa/db.tf index f3098cc8..6f9d5e0b 100644 --- a/examples/camunda-8.6-irsa/db.tf +++ b/examples/camunda-8.6-irsa/db.tf @@ -16,10 +16,15 @@ locals { camunda_keycloak_service_account = "keycloak-sa" # Replace with your Kubernetes ServiceAcccount that will be created for Keycloak camunda_identity_service_account = "identity-sa" # Replace with your Kubernetes ServiceAcccount that will be created for Identity camunda_webmodeler_service_account = "webmodeler-sa" # Replace with your Kubernetes ServiceAcccount that will be created for WebModeler + + camunda_keycloak_role_name = "AuroraRole-Keycloak-${local.aurora_cluster_name}" # IAM Role name use to allow access to the keycloak db + camunda_identity_role_name = "AuroraRole-Identity-${local.aurora_cluster_name}" # IAM Role name use to allow access to the identity db + camunda_webmodeler_role_name = "AuroraRole-Webmodeler-${local.aurora_cluster_name}" # IAM Role name use to allow access to the webmodeler db } module "postgresql" { - source = "git::https://github.com/camunda/camunda-tf-eks-module//modules/aurora?ref=2.6.0" + # TODO: pin to v3 + source = "git::https://github.com/camunda/camunda-tf-eks-module//modules/aurora?ref=feature/opensearch-doc" engine_version = "15.8" auto_minor_version_upgrade = false cluster_name = local.aurora_cluster_name 
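Review bot: The `source` of `module "eks_cluster"` in cluster.tf, and of `module "postgresql"` in db.tf, now points at the branch `ref=feature/opensearch-doc` instead of the tag `2.6.0`, so each `terraform init` can fetch code that differs from what was reviewed, and the example breaks once the branch is deleted. The `# TODO: pin to v3` acknowledges this, but until that tag exists a commit SHA, `?ref=<commit-sha>`, keeps the example reproducible. It would help to track the TODO so it cannot be merged to the default branch unresolved.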
@@ -36,13 +41,31 @@ module "postgresql" { instance_class = "db.t3.medium" - # IAM IRSA addition - iam_aurora_role_name = "AuroraRole-${local.aurora_cluster_name}" # Ensure this name is unique - iam_create_aurora_role = true - iam_auth_enabled = true - - iam_aurora_access_policy = < role.arn } + sensitive = false +} + +// Output for Policy ARNs +output "aurora_iam_role_access_policy_arns" { + description = "Map of IAM role names to their access policy ARNs" + + value = { for role_name, policy in aws_iam_policy.access_policies : role_name => policy.arn } + + sensitive = false +} \ No newline at end of file diff --git a/modules/aurora/variables.tf b/modules/aurora/variables.tf index f8981a6e..c05ae0ba 100644 --- a/modules/aurora/variables.tf +++ b/modules/aurora/variables.tf @@ -96,7 +96,6 @@ variable "default_database_name" { variable "iam_roles_with_policies" { description = "List of roles with their trust and access policies" - type = list(object({ # Name of the Role to create role_name = string 
@@ -106,47 +105,48 @@ variable "iam_roles_with_policies" { # Access policy for Aurora allowing access as a json string # see https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html + # Example: + # [ + # { + # role_name = "AuroraRole" + # trust_policy = <:oidc-provider/oidc.eks..amazonaws.com/id/" + # }, + # "Action": "sts:AssumeRoleWithWebIdentity", + # "Condition": { + # "StringEquals": { + # "oidc.eks..amazonaws.com/id/:sub": "system:serviceaccount::" + # } + # } + # } + # ] + # } + # EOF + # access_policy = <::dbuser:/" + # } + # ] + # } + # EOF + # } + # ] access_policy = string })) - # By default, don't create any role and associated policies. Here's an example - # [ - # { - # role_name = "AuroraRole" - # trust_policy = <:oidc-provider/oidc.eks..amazonaws.com/id/" - # }, - # "Action": "sts:AssumeRoleWithWebIdentity", - # "Condition": { - # "StringEquals": { - # "oidc.eks..amazonaws.com/id/:sub": "system:serviceaccount::" - # } - # } - # } - # ] - # } - # EOF - # access_policy = <::dbuser:/" - # } - # ] - # } - # EOF - # } - # ] + # By default, don't create any role and associated policies. default = [] } diff --git a/modules/opensearch/outputs.tf b/modules/opensearch/outputs.tf index a7a295d7..03b4969e 100644 --- a/modules/opensearch/outputs.tf +++ b/modules/opensearch/outputs.tf 
@@ -53,20 +53,19 @@ output "security_group_rule_egress" { sensitive = false } -output "opensearch_role_name" { - description = "The name of the OpenSearch IAM role" - value = var.iam_create_opensearch_role ? aws_iam_role.opensearch[0].name : "" - sensitive = false -} +// Output for Role ARNs +output "opensearch_iam_role_arns" { + description = "Map of IAM role names to their ARNs" -output "opensearch_role_arn" { - description = "The ARN of the OpenSearch IAM role" - value = var.iam_create_opensearch_role ? aws_iam_role.opensearch[0].arn : "" + value = { for role_name, role in aws_iam_role.roles : role_name => role.arn } sensitive = false } -output "opensearch_policy_arn" { - description = "The ARN of the OpenSearch access policy" - value = var.iam_create_opensearch_role ? aws_iam_role.opensearch[0].arn : "" +// Output for Policy ARNs +output "opensearch_iam_role_access_policy_arns" { + description = "Map of IAM role names to their access policy ARNs" + + value = { for role_name, policy in aws_iam_policy.access_policies : role_name => policy.arn } + sensitive = false } diff --git a/modules/opensearch/variables.tf b/modules/opensearch/variables.tf index 0a49198f..211ded1f 100644 --- a/modules/opensearch/variables.tf +++ b/modules/opensearch/variables.tf 
@@ -269,66 +269,67 @@ variable "iam_roles_with_policies" { # Access policy for Aurora allowing access as a json string # see https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html + # Example: + # [ + # { + # role_name = "OpenSearchRole" + # trust_policy = <:oidc-provider/oidc.eks..amazonaws.com/id/" + # }, + # "Action": "sts:AssumeRoleWithWebIdentity", + # "Condition": { + # "StringEquals": { + # "oidc.eks..amazonaws.com/id/:sub": "system:serviceaccount::" + # } + # } + # } + # ] + # } + # EOF + # access_policy = <::domain//*" + # } + # ] + # } + # EOF + # } + # ] access_policy = string })) - # By default, don't create any role and associated policies, here's an example - # [ - # { - # role_name = "OpenSearchRole" - # trust_policy = <:oidc-provider/oidc.eks..amazonaws.com/id/" - # }, - # "Action": "sts:AssumeRoleWithWebIdentity", - # "Condition": { - # "StringEquals": { - # "oidc.eks..amazonaws.com/id/:sub": "system:serviceaccount::" - # } - # } - # } - # ] - # } - # EOF - # access_policy = <::domain//*" - # } - # ] - # } - # EOF - # } - # ] + # By default, don't create any role and associated policies. default = [] } diff --git a/test/src/custom_eks_opensearch_test.go b/test/src/custom_eks_opensearch_test.go index 77fb0eb5..800ab3b9 100644 --- a/test/src/custom_eks_opensearch_test.go +++ b/test/src/custom_eks_opensearch_test.go 
@@ -208,15 +208,18 @@ func (suite *CustomEKSOpenSearchTestSuite) TestCustomEKSAndOpenSearch() { ] }`, accountId, oidcProviderID, oidcProviderID, openSearchNamespace, openSearchServiceAccount) + iamRolesWithPolicies := fmt.Sprintf(`[ + "role_name": %s, + "trust_policy": %s, + "access_policy": %s + ]`, openSearchRole, iamRoleTrustPolicy, openSearchAccessPolicy) + varsConfigOpenSearch := map[string]interface{}{ "domain_name": opensearchDomainName, "subnet_ids": result.Cluster.ResourcesVpcConfig.SubnetIds, "cidr_blocks": append(publicBlocks, privateBlocks...), "vpc_id": *result.Cluster.ResourcesVpcConfig.VpcId, - "iam_create_opensearch_role": true, - "iam_opensearch_role_name": openSearchRole, - "iam_role_trust_policy": iamRoleTrustPolicy, - "iam_opensearch_access_policy": openSearchAccessPolicy, + "iam_roles_with_policies": iamRolesWithPolicies, } tfModuleOpenSearch := "opensearch/" @@ -273,14 +276,14 @@ func (suite *CustomEKSOpenSearchTestSuite) TestCustomEKSAndOpenSearch() { // Retrieve the IAM Role associated with OpenSearch describeOpenSearchRoleInput := &iam.GetRoleInput{ - RoleName: aws.String(varsConfigOpenSearch["iam_opensearch_role_name"].(string)), + RoleName: aws.String(openSearchRole), } _, err = iamSvc.GetRole(context.Background(), describeOpenSearchRoleInput) suite.Require().NoError(err) // Verify IAM Policy Attachment listAttachedPoliciesInput := &iam.ListAttachedRolePoliciesInput{ - RoleName: aws.String(varsConfigOpenSearch["iam_opensearch_role_name"].(string)), + RoleName: aws.String(openSearchRole), } _, err = iamSvc.ListAttachedRolePolicies(context.Background(), listAttachedPoliciesInput) suite.Require().NoError(err) diff --git a/test/src/custom_eks_rds_test.go b/test/src/custom_eks_rds_test.go index 28dd8dff..85c324fb 100644 --- a/test/src/custom_eks_rds_test.go +++ b/test/src/custom_eks_rds_test.go 
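Review bot: `iamRolesWithPolicies` is built with `fmt.Sprintf` into a string of the form `[ "role_name": %s, … ]`, which has no object braces and leaves the role name unquoted, so it is neither JSON nor an HCL list of objects, while the module variable is declared as `list(object({...}))`. Passing a native Go value avoids the hand-built syntax, for example `[]map[string]interface{}{{"role_name": openSearchRole, "trust_policy": iamRoleTrustPolicy, "access_policy": openSearchAccessPolicy}}`. The same construction is added in the first hunk of `custom_eks_rds_test.go`. The test function starts and ends outside the hunk.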
@@ -212,6 +212,13 @@ func (suite *CustomEKSRDSTestSuite) TestCustomEKSAndRDS() { ] }`, accountId, oidcProviderID, oidcProviderID, auroraNamespace, auroraServiceAccount) + iamRolesWithPolicies := fmt.Sprintf(`[ + "role_name": %s, + "trust_policy": %s, + "access_policy": %s + ]`, auroraRole, iamRoleTrustPolicy, openSearchAccessPolicy) + + varsConfigAurora := map[string]interface{}{ "username": auroraUsername, "password": auroraPassword, @@ -221,11 +228,7 @@ func (suite *CustomEKSRDSTestSuite) TestCustomEKSAndRDS() { "vpc_id": *result.Cluster.ResourcesVpcConfig.VpcId, "availability_zones": []string{fmt.Sprintf("%sa", suite.region), fmt.Sprintf("%sb", suite.region), fmt.Sprintf("%sc", suite.region)}, "cidr_blocks": append(publicBlocks, privateBlocks...), - "iam_auth_enabled": true, - "iam_create_aurora_role": true, - "iam_aurora_role_name": auroraRole, - "iam_role_trust_policy": iamRoleTrustPolicy, - "iam_aurora_access_policy": auroraAccessPolicy, + "iam_roles_with_policies": iamRolesWithPolicies, } tfModuleAurora := "aurora/" @@ -329,7 +332,7 @@ func (suite *CustomEKSRDSTestSuite) TestCustomEKSAndRDS() { suite.Require().NoError(err) expectedRDSAZ := []string{fmt.Sprintf("%sa", suite.region), fmt.Sprintf("%sb", suite.region), fmt.Sprintf("%sc", suite.region)} - suite.Assert().Equal(varsConfigAurora["iam_auth_enabled"].(bool), *describeDBClusterOutput.DBClusters[0].IAMDatabaseAuthenticationEnabled) + suite.Assert().Equal(true, *describeDBClusterOutput.DBClusters[0].IAMDatabaseAuthenticationEnabled) suite.Assert().Equal(varsConfigAurora["username"].(string), *describeDBClusterOutput.DBClusters[0].MasterUsername) suite.Assert().Equal(auroraDatabase, *describeDBClusterOutput.DBClusters[0].DatabaseName) suite.Assert().Equal(int32(5432), *describeDBClusterOutput.DBClusters[0].Port) From 252a9122d5169c4583fc8b5e3f7ef1c9e26f7728 Mon Sep 17 00:00:00 2001 
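Review bot: The Aurora role is given `openSearchAccessPolicy` as its access policy in the added `fmt.Sprintf` call, while the removed line `"iam_aurora_access_policy": auroraAccessPolicy` shows the intended value. As written the test would either fail to compile, if that name is not declared in this file, or attach an OpenSearch policy to the database role. Use `auroraAccessPolicy` as the third argument.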
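Review bot: The second hunk drops `"iam_auth_enabled": true` from `varsConfigAurora`, while the third hunk now asserts `Equal(true, …IAMDatabaseAuthenticationEnabled)`. The Aurora README table later in this series lists `iam_auth_enabled` with default `false`, so unless the module derives it from `iam_roles_with_policies` the assertion would fail and IAM database authentication would be off for the roles the test creates. Keep `"iam_auth_enabled": true,` in the map and assert against that entry as before.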
From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Fri, 18 Oct 2024 17:42:15 +0200 Subject: [PATCH 099/135] fix go tests --- examples/camunda-8.6-irsa/db.tf | 56 ++++++++++++++++--------- examples/camunda-8.6-irsa/opensearch.tf | 22 +++++----- modules/aurora/role.tf | 15 +++---- modules/opensearch/role.tf | 17 +++----- test/src/custom_eks_opensearch_test.go | 10 ++--- test/src/custom_eks_rds_test.go | 11 +++-- 6 files changed, 69 insertions(+), 62 deletions(-) diff --git a/examples/camunda-8.6-irsa/db.tf b/examples/camunda-8.6-irsa/db.tf index 6f9d5e0b..e675ada2 100644 --- a/examples/camunda-8.6-irsa/db.tf +++ b/examples/camunda-8.6-irsa/db.tf @@ -42,11 +42,11 @@ module "postgresql" { instance_class = "db.t3.medium" # IAM IRSA - iam_roles_with_policies = < role } -} - -// IAM Role for Aurora +// IAM Role resource "aws_iam_role" "roles" { - for_each = local.roles_map + for_each = { for idx, role in var.iam_roles_with_policies : role.role_name => role } name = each.key assume_role_policy = each.value.trust_policy } -// IAM Policy for Aurora Access +// IAM Policy for Access resource "aws_iam_policy" "access_policies" { - for_each = local.roles_map + for_each = { for idx, role in var.iam_roles_with_policies : role.role_name => role } name = "${each.key}-access-policy" description = "Access policy for ${each.key}" @@ -23,7 +18,7 @@ resource "aws_iam_policy" "access_policies" { // Attach the policy to the role resource "aws_iam_role_policy_attachment" "attach_policies" { - for_each = local.roles_map + for_each = { for idx, role in var.iam_roles_with_policies : role.role_name => role } role = aws_iam_role.roles[each.key].name policy_arn = aws_iam_policy.access_policies[each.key].arn diff --git a/modules/opensearch/role.tf b/modules/opensearch/role.tf index 6be5377c..bd36688e 100644 --- a/modules/opensearch/role.tf +++ b/modules/opensearch/role.tf 
@@ -1,19 +1,14 @@ -// Convert the list to a map by using the role_name as the key -locals { - roles_map = { for role in var.iam_roles_with_policies : role.role_name => role } -} - -// IAM Role for OpenSearch +// IAM Role resource "aws_iam_role" "roles" { - for_each = local.roles_map + for_each = { for idx, role in var.iam_roles_with_policies : role.role_name => role } name = each.key assume_role_policy = each.value.trust_policy } -// IAM Policy for OpenSearch +// IAM Policy for Access resource "aws_iam_policy" "access_policies" { - for_each = local.roles_map + for_each = { for idx, role in var.iam_roles_with_policies : role.role_name => role } name = "${each.key}-access-policy" description = "Access policy for ${each.key}" @@ -23,8 +18,8 @@ resource "aws_iam_policy" "access_policies" { // Attach the policy to the role resource "aws_iam_role_policy_attachment" "attach_policies" { - for_each = local.roles_map + for_each = { for idx, role in var.iam_roles_with_policies : role.role_name => role } role = aws_iam_role.roles[each.key].name policy_arn = aws_iam_policy.access_policies[each.key].arn -} +} \ No newline at end of file diff --git a/test/src/custom_eks_opensearch_test.go b/test/src/custom_eks_opensearch_test.go index 800ab3b9..03b285c3 100644 --- a/test/src/custom_eks_opensearch_test.go +++ b/test/src/custom_eks_opensearch_test.go @@ -208,11 +208,11 @@ func (suite *CustomEKSOpenSearchTestSuite) TestCustomEKSAndOpenSearch() { ] }`, accountId, oidcProviderID, oidcProviderID, openSearchNamespace, openSearchServiceAccount) - iamRolesWithPolicies := fmt.Sprintf(`[ - "role_name": %s, - "trust_policy": %s, - "access_policy": %s - ]`, openSearchRole, iamRoleTrustPolicy, openSearchAccessPolicy) + iamRolesWithPolicies = map[string]interface{}{ + "role_name": openSearchRole, + "trust_policy": iamRoleTrustPolicy, + "access_policy": openSearchAccessPolicy, + } varsConfigOpenSearch := map[string]interface{}{ "domain_name": opensearchDomainName, 
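Review bot: The `for` expression that keys roles by `role_name` is now repeated in all three `for_each` arguments, and its `idx` variable is never used. The removed `local.roles_map` kept the three resources on one definition; if the local has to go, `{ for role in var.iam_roles_with_policies : role.role_name => role }` is enough. Two entries with the same `role_name` make this expression fail at plan time, which is worth stating in a comment or catching with a `validation` block on the variable. The last hunk also removes the file's trailing newline. `modules/aurora/role.tf` receives the same change in this commit.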
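Review bot: In the `custom_eks_opensearch_test.go` hunk, `iamRolesWithPolicies` is assigned with `=` although the `:=` declaration it replaces is removed, so the name is undeclared unless it exists elsewhere in the function. The value is also a single `map[string]interface{}` while the variable is typed `list(object({...}))`, so it would likely be rendered as one object and rejected. `iamRolesWithPolicies := []map[string]interface{}{{ … }}` with the same three keys addresses both. The `custom_eks_rds_test.go` hunk of this commit has the same two issues, and the later hunks that touch this map keep the single-map shape.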
diff --git a/test/src/custom_eks_rds_test.go b/test/src/custom_eks_rds_test.go index 85c324fb..a334c569 100644 --- a/test/src/custom_eks_rds_test.go +++ b/test/src/custom_eks_rds_test.go @@ -212,12 +212,11 @@ func (suite *CustomEKSRDSTestSuite) TestCustomEKSAndRDS() { ] }`, accountId, oidcProviderID, oidcProviderID, auroraNamespace, auroraServiceAccount) - iamRolesWithPolicies := fmt.Sprintf(`[ - "role_name": %s, - "trust_policy": %s, - "access_policy": %s - ]`, auroraRole, iamRoleTrustPolicy, openSearchAccessPolicy) - + iamRolesWithPolicies = map[string]interface{}{ + "role_name": auroraRole, + "trust_policy": iamRoleTrustPolicy, + "access_policy": auroraAccessPolicy, + } varsConfigAurora := map[string]interface{}{ "username": auroraUsername, From 800901e3c5d1f38e08e4ba6a7b0ffa0453778d16 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Fri, 18 Oct 2024 18:03:00 +0200 Subject: [PATCH 100/135] fix go tests --- test/src/custom_eks_opensearch_test.go | 2 +- test/src/custom_eks_rds_test.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/test/src/custom_eks_opensearch_test.go b/test/src/custom_eks_opensearch_test.go index 03b285c3..f7109565 100644 --- a/test/src/custom_eks_opensearch_test.go +++ b/test/src/custom_eks_opensearch_test.go @@ -208,7 +208,7 @@ func (suite *CustomEKSOpenSearchTestSuite) TestCustomEKSAndOpenSearch() { ] }`, accountId, oidcProviderID, oidcProviderID, openSearchNamespace, openSearchServiceAccount) - iamRolesWithPolicies = map[string]interface{}{ + iamRolesWithPolicies := map[string]interface{}{ "role_name": openSearchRole, "trust_policy": iamRoleTrustPolicy, "access_policy": openSearchAccessPolicy, diff --git a/test/src/custom_eks_rds_test.go b/test/src/custom_eks_rds_test.go index a334c569..4ed3e064 100644 --- a/test/src/custom_eks_rds_test.go +++ b/test/src/custom_eks_rds_test.go 
@@ -212,7 +212,7 @@ func (suite *CustomEKSRDSTestSuite) TestCustomEKSAndRDS() { ] }`, accountId, oidcProviderID, oidcProviderID, auroraNamespace, auroraServiceAccount) - iamRolesWithPolicies = map[string]interface{}{ + iamRolesWithPolicies := map[string]interface{}{ "role_name": auroraRole, "trust_policy": iamRoleTrustPolicy, "access_policy": auroraAccessPolicy, From a73f494574db6494c4535b3a776643493236cc2a Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Fri, 18 Oct 2024 18:08:51 +0200 Subject: [PATCH 101/135] fix go tests --- examples/camunda-8.6-irsa/helm-values/values-domain.yml | 6 +++--- .../camunda-8.6-irsa/helm-values/values-no-domain.yml | 8 ++++---- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/examples/camunda-8.6-irsa/helm-values/values-domain.yml b/examples/camunda-8.6-irsa/helm-values/values-domain.yml index bee26253..b7a5b053 100644 --- a/examples/camunda-8.6-irsa/helm-values/values-domain.yml +++ b/examples/camunda-8.6-irsa/helm-values/values-domain.yml @@ -3,7 +3,7 @@ identityKeycloak: serviceAccount: name: ${CAMUNDA_KEYCLOAK_SERVICE_ACCOUNT_NAME} annotations: - eks.amazonaws.com/role-arn: ${DB_ROLE_ARN} + eks.amazonaws.com/role-arn: ${DB_ROLE_KEYCLOAK_ARN} postgresql: enabled: false @@ -73,7 +73,7 @@ webModeler: serviceAccount: name: ${CAMUNDA_WEBMODELER_SERVICE_ACCOUNT_NAME} annotations: - eks.amazonaws.com/role-arn: ${DB_ROLE_ARN} + eks.amazonaws.com/role-arn: ${DB_ROLE_WEBMODELER_ARN} restapi: externalDatabase: @@ -90,7 +90,7 @@ identity: serviceAccount: name: ${CAMUNDA_IDENTITY_SERVICE_ACCOUNT_NAME} annotations: - eks.amazonaws.com/role-arn: ${DB_ROLE_ARN} + eks.amazonaws.com/role-arn: ${DB_ROLE_IDENTITY_ARN} externalDatabase: enabled: true diff --git a/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml b/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml index 043ddf85..866caef4 100644 --- a/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml 
+++ b/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml @@ -3,7 +3,7 @@ identityKeycloak: serviceAccount: name: ${CAMUNDA_KEYCLOAK_SERVICE_ACCOUNT_NAME} annotations: - eks.amazonaws.com/role-arn: ${DB_ROLE_ARN} + eks.amazonaws.com/role-arn: ${DB_ROLE_KEYCLOAK_ARN} postgresql: enabled: false @@ -15,7 +15,7 @@ identityKeycloak: extraEnvVars: - name: KEYCLOAK_EXTRA_ARGS - value: --db-driver=software.amazon.jdbc.Driver --transaction-xa-enabled=false --log-level=INFO,software.amazon.jdbc:INFO + value: --db-driver=software.amazon.jdbc.Driver --transaction-xa-enabled=false --log-level=FINER,software.amazon.jdbc:FINER - name: KEYCLOAK_JDBC_PARAMS value: wrapperPlugins=iam&ssl=true&sslmode=require - name: KEYCLOAK_JDBC_DRIVER @@ -64,7 +64,7 @@ webModeler: serviceAccount: name: ${CAMUNDA_WEBMODELER_SERVICE_ACCOUNT_NAME} annotations: - eks.amazonaws.com/role-arn: ${DB_ROLE_ARN} + eks.amazonaws.com/role-arn: ${DB_ROLE_WEBMODELER_ARN} restapi: externalDatabase: @@ -79,7 +79,7 @@ identity: serviceAccount: name: ${CAMUNDA_IDENTITY_SERVICE_ACCOUNT_NAME} annotations: - eks.amazonaws.com/role-arn: ${DB_ROLE_ARN} + eks.amazonaws.com/role-arn: ${DB_ROLE_IDENTITY_ARN} fullURL: http://localhost:8069 # replace this with a port of your choice when you will do port forwarding From 95a2196fa926bda00e606dd0a5b6012cbfdac8e2 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Fri, 18 Oct 2024 19:33:30 +0200 Subject: [PATCH 102/135] fix auth iam --- examples/camunda-8.6-irsa/db.tf | 17 +++++------------ .../helm-values/values-no-domain.yml | 2 +- .../procedure/export-helm-values.sh | 8 ++++---- modules/fixtures/postgres-client.yml | 2 +- 4 files changed, 11 insertions(+), 18 deletions(-) diff --git a/examples/camunda-8.6-irsa/db.tf b/examples/camunda-8.6-irsa/db.tf index e675ada2..302f06be 100644 --- a/examples/camunda-8.6-irsa/db.tf +++ b/examples/camunda-8.6-irsa/db.tf 
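Review bot: `KEYCLOAK_EXTRA_ARGS` in the second hunk raises the log level to `FINER` for Keycloak and for `software.amazon.jdbc`, which looks like a debugging setting left in an example that users copy. At that verbosity the IAM-authentication JDBC wrapper may write connection details to the pod log; this is not confirmed from the page. Keep `--log-level=INFO,software.amazon.jdbc:INFO` in the committed values and mention the verbose setting in a comment as a troubleshooting option. `values-domain.yml` is not changed the same way, so the two example files diverge.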
@@ -42,6 +42,7 @@ module "postgresql" { instance_class = "db.t3.medium" # IAM IRSA + iam_auth_enabled = true iam_roles_with_policies = [ { role_name = "${local.camunda_keycloak_role_name}" @@ -57,9 +58,7 @@ module "postgresql" { "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { - "${module.eks_cluster.oidc_provider_id}:sub": [ - "system:serviceaccount:${local.camunda_namespace}:${local.camunda_keycloak_service_account}" - ] + "${module.eks_cluster.oidc_provider_id}:sub": "system:serviceaccount:${local.camunda_namespace}:${local.camunda_keycloak_service_account}" } } } @@ -76,9 +75,7 @@ EOF "Action": [ "rds-db:connect" ], - "Resource": [ - "arn:aws:rds-db:${local.eks_cluster_region}:${module.eks_cluster.aws_caller_identity_account_id}:dbuser:${local.aurora_cluster_name}/${local.camunda_keycloak_db_username}" - ] + "Resource": "arn:aws:rds-db:${local.eks_cluster_region}:${module.eks_cluster.aws_caller_identity_account_id}:dbuser:${local.aurora_cluster_name}/${local.camunda_keycloak_db_username}" } ] } @@ -99,9 +96,7 @@ EOF "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { - "${module.eks_cluster.oidc_provider_id}:sub": [ - "system:serviceaccount:${local.camunda_namespace}:${local.camunda_identity_service_account}" - ] + "${module.eks_cluster.oidc_provider_id}:sub": "system:serviceaccount:${local.camunda_namespace}:${local.camunda_identity_service_account}" } } } @@ -140,9 +135,7 @@ EOF "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { - "${module.eks_cluster.oidc_provider_id}:sub": [ - "system:serviceaccount:${local.camunda_namespace}:${local.camunda_webmodeler_service_account}" - ] + "${module.eks_cluster.oidc_provider_id}:sub": "system:serviceaccount:${local.camunda_namespace}:${local.camunda_webmodeler_service_account}" } } } diff --git a/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml b/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml index 866caef4..3e1d7810 100644 
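Review bot: The rewritten `StringEquals` condition in the Keycloak trust policy matches only the `:sub` claim of the service-account token. Adding `"${module.eks_cluster.oidc_provider_id}:aud": "sts.amazonaws.com"` to the same `StringEquals` block restricts the role to tokens issued for STS, which is the usual pairing for IRSA trust policies. The Identity and WebModeler trust policies in the later hunks of this file have the same single condition.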
--- a/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml +++ b/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml @@ -15,7 +15,7 @@ identityKeycloak: extraEnvVars: - name: KEYCLOAK_EXTRA_ARGS - value: --db-driver=software.amazon.jdbc.Driver --transaction-xa-enabled=false --log-level=FINER,software.amazon.jdbc:FINER + value: --db-driver=software.amazon.jdbc.Driver --transaction-xa-enabled=false --log-level=INFO,software.amazon.jdbc:INFO - name: KEYCLOAK_JDBC_PARAMS value: wrapperPlugins=iam&ssl=true&sslmode=require - name: KEYCLOAK_JDBC_DRIVER diff --git a/examples/camunda-8.6-irsa/procedure/export-helm-values.sh b/examples/camunda-8.6-irsa/procedure/export-helm-values.sh index cbc7f63c..8feeac50 100644 --- a/examples/camunda-8.6-irsa/procedure/export-helm-values.sh +++ b/examples/camunda-8.6-irsa/procedure/export-helm-values.sh @@ -17,16 +17,16 @@ export CAMUNDA_WEBMODELER_SERVICE_ACCOUNT_NAME="$(terraform console << Date: Fri, 18 Oct 2024 21:05:51 +0200 Subject: [PATCH 103/135] fix instructions --- README.md | 10 ++++------ examples/camunda-8.6-irsa/cluster.tf | 2 +- examples/camunda-8.6-irsa/config.tf | 1 + examples/camunda-8.6-irsa/db.tf | 2 +- examples/camunda-8.6-irsa/opensearch.tf | 2 +- examples/camunda-8.6/cluster.tf | 1 + examples/camunda-8.6/config.tf | 1 + examples/camunda-8.6/db.tf | 1 + examples/camunda-8.6/opensearch.tf | 3 +-- modules/aurora/variables.tf | 8 ++++---- modules/opensearch/variables.tf | 8 ++++---- 11 files changed, 20 insertions(+), 19 deletions(-) diff --git a/README.md b/README.md index 9ed89c7b..8cf6d661 100644 --- a/README.md +++ b/README.md @@ -28,10 +28,6 @@ module "eks_cluster" { cluster_service_ipv4_cidr = "10.190.0.0/16" cluster_node_ipv4_cidr = "10.192.0.0/16" - - output "cluster_region" { - value = "eu-central-1" - } } ``` 
@@ -105,6 +101,7 @@ The Aurora module uses the following outputs from the EKS cluster module to defi - `module.eks_cluster.oidc_provider_arn`: The ARN of the OIDC provider for the EKS cluster. - `module.eks_cluster.oidc_provider_id`: The ID of the OIDC provider for the EKS cluster. - `var.account_id`: Your AWS account id +- `var.aurora_region`: Your Aurora AWS Region - `var.aurora_cluster_name`: The name of the Aurora cluster to access Here is the corrected version: - `var.aurora_irsa_username`: The username used to access AuroraDB. This username is different from the superuser. The user must also be created manually in the database to enable the IRSA connection, as described in [the steps below](#create-irsa-user-on-the-database). @@ -128,7 +125,7 @@ module "postgresql" { "Action": [ "rds-db:connect" ], - "Resource": "arn:aws:rds-db:${local.eks_cluster_region}:${var.account_id}:dbuser:${var.aurora_cluster_name}/${var.aurora_irsa_username}" + "Resource": "arn:aws:rds-db:${var.aurora_region}:${var.account_id}:dbuser:${var.aurora_cluster_name}/${var.aurora_irsa_username}" } ] } @@ -186,6 +183,7 @@ The OpenSearch module uses the following outputs from the EKS cluster module to - `module.eks_cluster.oidc_provider_arn`: The ARN of the OIDC provider for the EKS cluster. - `module.eks_cluster.oidc_provider_id`: The ID of the OIDC provider for the EKS cluster. - `var.account_id`: Your AWS account id +- `var.opensearch_region`: Your OpenSearch AWS Region - `var.opensearch_domain_name`: The name of the OpenSearch domain to access - `var.opensearch_namespace`: The kubernetes namespace to allow access - `var.opensearch_service_account`: The kubernetes ServiceAccount to allow access 
@@ -207,7 +205,7 @@ module "opensearch_domain" { "es:ESHttpPut", "es:ESHttpPost" ], - "Resource": "arn:aws:es:${local.eks_cluster_region}:${var.account_id}:domain/${var.opensearch_domain_name}/*" + "Resource": "arn:aws:es:${var.opensearch_region}:${var.account_id}:domain/${var.opensearch_domain_name}/*" } ] } diff --git a/examples/camunda-8.6-irsa/cluster.tf b/examples/camunda-8.6-irsa/cluster.tf index a5adb6d5..ef9dd9d1 100644 --- a/examples/camunda-8.6-irsa/cluster.tf +++ b/examples/camunda-8.6-irsa/cluster.tf @@ -4,7 +4,7 @@ locals { } module "eks_cluster" { - # TODO: pin to v3 + # TODO: pin to v3 after the release source = "git::https://github.com/camunda/camunda-tf-eks-module//modules/eks-cluster?ref=feature/opensearch-doc" name = local.eks_cluster_name diff --git a/examples/camunda-8.6-irsa/config.tf b/examples/camunda-8.6-irsa/config.tf index 3f2605c5..68e6a119 100644 --- a/examples/camunda-8.6-irsa/config.tf +++ b/examples/camunda-8.6-irsa/config.tf @@ -1,6 +1,7 @@ terraform { required_version = ">= 1.0" + # You can override the backend configuration; this is given as an example. backend "s3" { bucket = "my-eks-tf-state" key = "camunda-terraform/terraform-irsa.tfstate" diff --git a/examples/camunda-8.6-irsa/db.tf b/examples/camunda-8.6-irsa/db.tf index 302f06be..a06aa54f 100644 --- a/examples/camunda-8.6-irsa/db.tf +++ b/examples/camunda-8.6-irsa/db.tf @@ -23,7 +23,7 @@ locals { } module "postgresql" { - # TODO: pin to v3 + # TODO: pin to v3 after the release source = "git::https://github.com/camunda/camunda-tf-eks-module//modules/aurora?ref=feature/opensearch-doc" engine_version = "15.8" auto_minor_version_upgrade = false diff --git a/examples/camunda-8.6-irsa/opensearch.tf b/examples/camunda-8.6-irsa/opensearch.tf index 5a31faf9..19b7a0ed 100644 --- a/examples/camunda-8.6-irsa/opensearch.tf +++ b/examples/camunda-8.6-irsa/opensearch.tf 
@@ -15,7 +15,7 @@ locals { } module "opensearch_domain" { - # TODO: pin to v3 + # TODO: pin to v3 after the release source = "git::https://github.com/camunda/camunda-tf-eks-module//modules/opensearch?ref=feature/opensearch-doc" domain_name = local.opensearch_domain_name engine_version = "2.15" diff --git a/examples/camunda-8.6/cluster.tf b/examples/camunda-8.6/cluster.tf index 801d1455..834b86e9 100644 --- a/examples/camunda-8.6/cluster.tf +++ b/examples/camunda-8.6/cluster.tf @@ -4,6 +4,7 @@ locals { } module "eks_cluster" { + # TODO: pin to v3 after the release source = "git::https://github.com/camunda/camunda-tf-eks-module//modules/eks-cluster?ref=2.6.0" name = local.eks_cluster_name diff --git a/examples/camunda-8.6/config.tf b/examples/camunda-8.6/config.tf index 5761d23e..b9b21da4 100644 --- a/examples/camunda-8.6/config.tf +++ b/examples/camunda-8.6/config.tf @@ -1,6 +1,7 @@ terraform { required_version = ">= 1.0" + # You can override the backend configuration; this is given as an example. backend "s3" { bucket = "my-eks-tf-state" key = "camunda-terraform/terraform-std.tfstate" diff --git a/examples/camunda-8.6/db.tf b/examples/camunda-8.6/db.tf index b1188bf5..9d7e91d1 100644 --- a/examples/camunda-8.6/db.tf +++ b/examples/camunda-8.6/db.tf @@ -19,6 +19,7 @@ locals { } module "postgresql" { + # TODO: pin to v3 after the release source = "git::https://github.com/camunda/camunda-tf-eks-module//modules/aurora?ref=2.6.0" engine_version = "15.8" auto_minor_version_upgrade = false diff --git a/examples/camunda-8.6/opensearch.tf b/examples/camunda-8.6/opensearch.tf index 6a70c6b6..41411fec 100644 --- a/examples/camunda-8.6/opensearch.tf +++ b/examples/camunda-8.6/opensearch.tf 
@@ -2,9 +2,8 @@ locals { opensearch_domain_name = "domain-name-os-std" # Replace "domain-name" with your domain name } -# TODO: handle deletion - module "opensearch_domain" { + # TODO: pin to v3 after the release source = "git::https://github.com/camunda/camunda-tf-eks-module//modules/opensearch?ref=2.6.0" domain_name = local.opensearch_domain_name engine_version = "2.15" diff --git a/modules/aurora/variables.tf b/modules/aurora/variables.tf index c05ae0ba..e77af3cb 100644 --- a/modules/aurora/variables.tf +++ b/modules/aurora/variables.tf @@ -109,7 +109,7 @@ variable "iam_roles_with_policies" { # [ # { # role_name = "AuroraRole" - # trust_policy = < Date: Fri, 18 Oct 2024 21:51:33 +0200 Subject: [PATCH 104/135] fix multiline --- test/src/custom_eks_opensearch_test.go | 4 ++-- test/src/custom_eks_rds_test.go | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/test/src/custom_eks_opensearch_test.go b/test/src/custom_eks_opensearch_test.go index f7109565..7e78a912 100644 --- a/test/src/custom_eks_opensearch_test.go +++ b/test/src/custom_eks_opensearch_test.go @@ -210,8 +210,8 @@ func (suite *CustomEKSOpenSearchTestSuite) TestCustomEKSAndOpenSearch() { iamRolesWithPolicies := map[string]interface{}{ "role_name": openSearchRole, - "trust_policy": iamRoleTrustPolicy, - "access_policy": openSearchAccessPolicy, + "trust_policy": strings.ReplaceAll(iamRoleTrustPolicy, "\n", " "), + "access_policy": strings.ReplaceAll(openSearchAccessPolicy, "\n", " "), } varsConfigOpenSearch := map[string]interface{}{ diff --git a/test/src/custom_eks_rds_test.go b/test/src/custom_eks_rds_test.go index 4ed3e064..84f52e3d 100644 --- a/test/src/custom_eks_rds_test.go +++ b/test/src/custom_eks_rds_test.go 
@@ -214,8 +214,8 @@ func (suite *CustomEKSRDSTestSuite) TestCustomEKSAndRDS() { iamRolesWithPolicies := map[string]interface{}{ "role_name": auroraRole, - "trust_policy": iamRoleTrustPolicy, - "access_policy": auroraAccessPolicy, + "trust_policy": strings.ReplaceAll(iamRoleTrustPolicy, "\n", " "), + "access_policy": strings.ReplaceAll(auroraAccessPolicy, "\n", " "), } varsConfigAurora := map[string]interface{}{ From cfb6c8f4adf84a6cf1b441cd4ee1a427248725b5 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Fri, 18 Oct 2024 22:38:59 +0200 Subject: [PATCH 105/135] fix auroradb irsa --- README.md | 4 +--- examples/camunda-8.6-irsa/db.tf | 13 ++++++++++--- guides/MIGRATION_GUIDE_v2_to_v3.md | 4 ++-- modules/aurora/variables.tf | 2 +- test/src/custom_eks_rds_test.go | 5 +++-- 5 files changed, 17 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 8cf6d661..200d6ba3 100644 --- a/README.md +++ b/README.md @@ -102,8 +102,6 @@ The Aurora module uses the following outputs from the EKS cluster module to defi - `module.eks_cluster.oidc_provider_id`: The ID of the OIDC provider for the EKS cluster. - `var.account_id`: Your AWS account id - `var.aurora_region`: Your Aurora AWS Region -- `var.aurora_cluster_name`: The name of the Aurora cluster to access -Here is the corrected version: - `var.aurora_irsa_username`: The username used to access AuroraDB. This username is different from the superuser. The user must also be created manually in the database to enable the IRSA connection, as described in [the steps below](#create-irsa-user-on-the-database). - `var.aurora_namespace`: The kubernetes namespace to allow access - `var.aurora_service_account`: The kubernetes ServiceAccount to allow access 
@@ -125,7 +123,7 @@ module "postgresql" { "Action": [ "rds-db:connect" ], - "Resource": "arn:aws:rds-db:${var.aurora_region}:${var.account_id}:dbuser:${var.aurora_cluster_name}/${var.aurora_irsa_username}" + "Resource": "arn:aws:rds-db:${var.aurora_region}:${var.account_id}:dbuser:*/${var.aurora_irsa_username}" } ] } diff --git a/examples/camunda-8.6-irsa/db.tf b/examples/camunda-8.6-irsa/db.tf index a06aa54f..222ed8aa 100644 --- a/examples/camunda-8.6-irsa/db.tf +++ b/examples/camunda-8.6-irsa/db.tf @@ -66,6 +66,11 @@ module "postgresql" { } EOF + # Source: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html + # This policy allows a specific user to connect to all databases within the cluster region. + # You may want to restrict this permission further based on your security requirements. + # Refer to the documentation for more details. + # In this example, since the DbiResourceId is not known in advance, we use a wildcard. access_policy = </my-db-user" }] }) ``` @@ -113,7 +113,7 @@ iam_roles_with_policies = [ "Statement": [{ "Effect": "Allow", "Action": [ "rds-db:connect" ], - "Resource": "arn:aws:rds-db:us-west-2:123456789012:dbuser:my-cluster-name/my-db-user" + "Resource": "arn:aws:rds-db:us-west-2:123456789012:dbuser:/my-db-user" }] } EOF diff --git a/modules/aurora/variables.tf b/modules/aurora/variables.tf index e77af3cb..3f111533 100644 --- a/modules/aurora/variables.tf +++ b/modules/aurora/variables.tf @@ -137,7 +137,7 @@ variable "iam_roles_with_policies" { # "Action": [ # "rds-db:connect" # ], - # "Resource": "arn:aws:rds-db:::dbuser:/" + # "Resource": "arn:aws:rds-db:::dbuser:/" # } # ] # } diff --git a/test/src/custom_eks_rds_test.go b/test/src/custom_eks_rds_test.go index 84f52e3d..27a55d08 100644 --- a/test/src/custom_eks_rds_test.go +++ b/test/src/custom_eks_rds_test.go 
@@ -180,6 +180,7 @@ func (suite *CustomEKSRDSTestSuite) TestCustomEKSAndRDS() { }) // Define the Aurora access policy for IAM DB Auth + // note: we use a wildcard instead of the DbiResourceId as we don't know it yet auroraAccessPolicy := fmt.Sprintf(`{ "Version": "2012-10-17", "Statement": [ @@ -188,10 +189,10 @@ func (suite *CustomEKSRDSTestSuite) TestCustomEKSAndRDS() { "Action": [ "rds-db:connect" ], - "Resource": "arn:aws:rds-db:%s:%s:dbuser:%s/%s" + "Resource": "arn:aws:rds-db:%s:%s:dbuser:*/%s" } ] -}`, suite.region, accountId, auroraClusterName, auroraIRSAUsername) +}`, suite.region, accountId, auroraIRSAUsername) // Define the trust policy for Aurora IAM role iamRoleTrustPolicy := fmt.Sprintf(`{ From 99ac48fa43c69beddca0d12494a19a2538d521de Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Mon, 21 Oct 2024 10:13:14 +0200 Subject: [PATCH 106/135] apply pre-commit --- .pre-commit-config.yaml | 1 + examples/camunda-8.6-irsa/db.tf | 30 ++++++++++++------------- examples/camunda-8.6-irsa/opensearch.tf | 8 +++---- examples/camunda-8.6/db.tf | 3 ++- guides/MIGRATION_GUIDE_v2_to_v3.md | 6 ++--- modules/aurora/README.md | 7 +++--- modules/aurora/outputs.tf | 8 +++---- modules/opensearch/README.md | 7 +++--- modules/opensearch/outputs.tf | 6 ++--- modules/opensearch/role.tf | 2 +- modules/opensearch/variables.tf | 2 +- test/src/custom_eks_opensearch_test.go | 16 ++++++------- test/src/custom_eks_rds_test.go | 24 ++++++++++---------- 13 files changed, 60 insertions(+), 60 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 12013abf..01adc168 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -30,6 +30,7 @@ repos: hooks: - id: renovate-config-validator args: [--strict] + language_version: 20.18.0 - repo: https://github.com/compilerla/conventional-pre-commit rev: v3.4.0 # use tags until renovate supports sha: https://github.com/renovatebot/renovate/issues/22567 
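Review bot: The added comment explains why `dbuser:*/%s` is used, but not what it grants: `rds-db:connect` for this database user name on every RDS or Aurora resource in the account and region, not only the cluster under test. Say so in the comment, e.g. `// note: the wildcard matches every DB resource in this account/region; scope it to the cluster resource ID outside tests`. Where the cluster already exists, the `cluster_resource_id` attribute of `aws_rds_cluster` gives the value to put in place of `*`. The `fmt.Sprintf` call is split across this hunk and the next one.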
diff --git a/examples/camunda-8.6-irsa/db.tf b/examples/camunda-8.6-irsa/db.tf index 222ed8aa..c75cfe5d 100644 --- a/examples/camunda-8.6-irsa/db.tf +++ b/examples/camunda-8.6-irsa/db.tf @@ -17,9 +17,9 @@ locals { camunda_identity_service_account = "identity-sa" # Replace with your Kubernetes ServiceAcccount that will be created for Identity camunda_webmodeler_service_account = "webmodeler-sa" # Replace with your Kubernetes ServiceAcccount that will be created for WebModeler - camunda_keycloak_role_name = "AuroraRole-Keycloak-${local.aurora_cluster_name}" # IAM Role name use to allow access to the keycloak db - camunda_identity_role_name = "AuroraRole-Identity-${local.aurora_cluster_name}" # IAM Role name use to allow access to the identity db - camunda_webmodeler_role_name = "AuroraRole-Webmodeler-${local.aurora_cluster_name}" # IAM Role name use to allow access to the webmodeler db + camunda_keycloak_role_name = concat(["AuroraRole-Keycloak-", local.aurora_cluster_name]) # IAM Role name use to allow access to the keycloak db + camunda_identity_role_name = concat(["AuroraRole-Identity", local.aurora_cluster_name]) # IAM Role name use to allow access to the identity db + camunda_webmodeler_role_name = concat(["AuroraRole-Webmodeler", local.aurora_cluster_name]) # IAM Role name use to allow access to the webmodeler db } module "postgresql" { @@ -30,7 +30,7 @@ module "postgresql" { cluster_name = local.aurora_cluster_name default_database_name = local.camunda_database_keycloak - availability_zones = ["${local.eks_cluster_region}a", "${local.eks_cluster_region}b", "${local.eks_cluster_region}c"] + availability_zones = [concat(local.eks_cluster_region, "a"), concat(local.eks_cluster_region, "b"), concat(local.eks_cluster_region, "c")] username = local.aurora_master_username password = local.aurora_master_password 
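Review bot: The three role-name locals now call `concat([...])` with a single list, which returns a list rather than a string, so `role_name = local.camunda_keycloak_role_name` would no longer receive a string. In the second hunk `concat(local.eks_cluster_region, "a")` passes strings to a function that accepts only lists. The Identity and WebModeler names also lose the `-` separator before the cluster name. Restore the interpolation, `"AuroraRole-Keycloak-${local.aurora_cluster_name}"` and `"${local.eks_cluster_region}a"`, or use `format("AuroraRole-Keycloak-%s", local.aurora_cluster_name)`.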
@@ -42,10 +42,10 @@ module "postgresql" { instance_class = "db.t3.medium" # IAM IRSA - iam_auth_enabled = true - iam_roles_with_policies = [ + iam_auth_enabled = true + iam_roles_with_policies = [ { - role_name = "${local.camunda_keycloak_role_name}" + role_name = local.camunda_keycloak_role_name trust_policy = < [engine\_version](#input\_engine\_version) | The DB engine version for Postgres to use. | `string` | `"15.4"` | no | | [iam\_auth\_enabled](#input\_iam\_auth\_enabled) | Determines whether IAM auth should be activated for IRSA usage | `bool` | `false` | no | | [iam\_roles](#input\_iam\_roles) | Allows propagating additional IAM roles to the Aurora cluster to allow e.g. access to S3 | `list(string)` | `[]` | no | -| [iam\_roles\_with\_policies](#input\_iam\_roles\_with\_policies) | List of roles with their trust and access policies |
list(object({
# Name of the Role to create
role_name = string

# Assume role trust policy for this Aurora role as a json string
trust_policy = string

# Access policy for Aurora allowing access as a json string
# see https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html
access_policy = string
}))
| `[]` | no | +| [iam\_roles\_with\_policies](#input\_iam\_roles\_with\_policies) | List of roles with their trust and access policies |
list(object({
# Name of the Role to create
role_name = string

# Assume role trust policy for this Aurora role as a json string
trust_policy = string

# Access policy for Aurora allowing access as a json string
# see https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html
# Example:
# [
# {
# role_name = "AuroraRole"
# trust_policy =
# {
# "Version": "2012-10-17",
# "Statement": [
# {
# "Effect": "Allow",
# "Principal": {
# "Federated": "arn:aws:iam:::oidc-provider/oidc.eks..amazonaws.com/id/"
# },
# "Action": "sts:AssumeRoleWithWebIdentity",
# "Condition": {
# "StringEquals": {
# "oidc.eks..amazonaws.com/id/:sub": "system:serviceaccount::"
# }
# }
# }
# ]
# }
#
# access_policy =
# {
# "Version": "2012-10-17",
# "Statement": [
# {
# "Effect": "Allow",
# "Action": [
# "rds-db:connect"
# ],
# "Resource": "arn:aws:rds-db:::dbuser:/"
# }
# ]
# }
#
# }
# ]
access_policy = string
}))
| `[]` | no | | [instance\_class](#input\_instance\_class) | The instance type of the Aurora instances | `string` | `"db.t3.medium"` | no | | [num\_instances](#input\_num\_instances) | Number of instances | `string` | `"1"` | no | | [password](#input\_password) | The password for the postgres admin user. Important: secret value! | `string` | n/a | yes | @@ -72,7 +72,6 @@ No modules. | Name | Description | |------|-------------| | [aurora\_endpoint](#output\_aurora\_endpoint) | The endpoint of the Aurora cluster | -| [aurora\_policy\_arn](#output\_aurora\_policy\_arn) | The ARN of the aurora access policy | -| [aurora\_role\_arn](#output\_aurora\_role\_arn) | The ARN of the aurora IAM role | -| [aurora\_role\_name](#output\_aurora\_role\_name) | The name of the aurora IAM role | +| [aurora\_iam\_role\_access\_policy\_arns](#output\_aurora\_iam\_role\_access\_policy\_arns) | Map of IAM role names to their access policy ARNs | +| [aurora\_iam\_role\_arns](#output\_aurora\_iam\_role\_arns) | Map of IAM role names to their ARNs | diff --git a/modules/aurora/outputs.tf b/modules/aurora/outputs.tf index 8999e0f8..20632049 100644 --- a/modules/aurora/outputs.tf +++ b/modules/aurora/outputs.tf @@ -7,8 +7,8 @@ output "aurora_endpoint" { output "aurora_iam_role_arns" { description = "Map of IAM role names to their ARNs" - value = { for role_name, role in aws_iam_role.roles : role_name => role.arn } - sensitive = false + value = { for role_name, role in aws_iam_role.roles : role_name => role.arn } + sensitive = false } // Output for Policy ARNs @@ -17,5 +17,5 @@ output "aurora_iam_role_access_policy_arns" { value = { for role_name, policy in aws_iam_policy.access_policies : role_name => policy.arn } - sensitive = false -} \ No newline at end of file + sensitive = false +} diff --git a/modules/opensearch/README.md b/modules/opensearch/README.md index 0e28dbe4..e8007832 100644 --- a/modules/opensearch/README.md +++ b/modules/opensearch/README.md 
@@ -104,7 +104,7 @@ No modules. | [ebs\_volume\_type](#input\_ebs\_volume\_type) | Type of EBS volumes attached to data nodes. | `string` | `"gp3"` | no | | [enable\_access\_policy](#input\_enable\_access\_policy) | Determines whether an access policy will be applied to the domain | `bool` | `true` | no | | [engine\_version](#input\_engine\_version) | OpenSearch version for the domain. | `string` | `"2.15"` | no | -| [iam\_roles\_with\_policies](#input\_iam\_roles\_with\_policies) | List of roles with their trust and access policies |
list(object({
# Name of the Role to create
role_name = string

# Assume role trust policy for this Aurora role as a json string
trust_policy = string

# Access policy for Aurora allowing access as a json string
# see https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html
access_policy = string
}))
| `[]` | no | +| [iam\_roles\_with\_policies](#input\_iam\_roles\_with\_policies) | List of roles with their trust and access policies |
list(object({
# Name of the Role to create
role_name = string

# Assume role trust policy for this Aurora role as a json string
trust_policy = string

# Access policy for Aurora allowing access as a json string
# see https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html
# Example:
# [
# {
# role_name = "OpenSearchRole"
# trust_policy =
# {
# "Version": "2012-10-17",
# "Statement": [
# {
# "Effect": "Allow",
# "Principal": {
# "Federated": "arn:aws:iam:::oidc-provider/oidc.eks..amazonaws.com/id/"
# },
# "Action": "sts:AssumeRoleWithWebIdentity",
# "Condition": {
# "StringEquals": {
# "oidc.eks..amazonaws.com/id/:sub": "system:serviceaccount::"
# }
# }
# }
# ]
# }
#
# access_policy =
# {
# "Version": "2012-10-17",
# "Statement": [
# {
# "Effect": "Allow",
# "Action": [
# "es:DescribeElasticsearchDomains",
# "es:DescribeElasticsearchInstanceTypeLimits",
# "es:DescribeReservedElasticsearchInstanceOfferings",
# "es:DescribeReservedElasticsearchInstances",
# "es:GetCompatibleElasticsearchVersions",
# "es:ListDomainNames",
# "es:ListElasticsearchInstanceTypes",
# "es:ListElasticsearchVersions",
# "es:DescribeElasticsearchDomain",
# "es:DescribeElasticsearchDomainConfig",
# "es:ESHttpGet",
# "es:ESHttpHead",
# "es:GetUpgradeHistory",
# "es:GetUpgradeStatus",
# "es:ListTags",
# "es:AddTags",
# "es:RemoveTags",
# "es:ESHttpDelete",
# "es:ESHttpPost",
# "es:ESHttpPut"
# ],
# "Resource": "arn:aws:es:::domain//*"
# }
# ]
# }
#
# }
# ]
access_policy = string
}))
| `[]` | no | | [instance\_count](#input\_instance\_count) | Number of instances in the cluster. | `number` | `3` | no | | [instance\_type](#input\_instance\_type) | Instance type of data nodes in the cluster. | `string` | `"t3.small.search"` | no | | [ip\_address\_type](#input\_ip\_address\_type) | The IP address type for the endpoint. Valid values are ipv4 and dualstack | `string` | `"ipv4"` | no | @@ -133,9 +133,8 @@ No modules. | [opensearch\_domain\_arn](#output\_opensearch\_domain\_arn) | The ARN of the OpenSearch domain | | [opensearch\_domain\_endpoint](#output\_opensearch\_domain\_endpoint) | The endpoint of the OpenSearch domain | | [opensearch\_domain\_id](#output\_opensearch\_domain\_id) | The ID of the OpenSearch domain | -| [opensearch\_policy\_arn](#output\_opensearch\_policy\_arn) | The ARN of the OpenSearch access policy | -| [opensearch\_role\_arn](#output\_opensearch\_role\_arn) | The ARN of the OpenSearch IAM role | -| [opensearch\_role\_name](#output\_opensearch\_role\_name) | The name of the OpenSearch IAM role | +| [opensearch\_iam\_role\_access\_policy\_arns](#output\_opensearch\_iam\_role\_access\_policy\_arns) | Map of IAM role names to their access policy ARNs | +| [opensearch\_iam\_role\_arns](#output\_opensearch\_iam\_role\_arns) | Map of IAM role names to their ARNs | | [security\_group\_id](#output\_security\_group\_id) | The ID of the security group used by OpenSearch | | [security\_group\_rule\_egress](#output\_security\_group\_rule\_egress) | Egress rule information for OpenSearch security group | | [security\_group\_rule\_ingress](#output\_security\_group\_rule\_ingress) | Ingress rule information for OpenSearch security group | diff --git a/modules/opensearch/outputs.tf b/modules/opensearch/outputs.tf index 03b4969e..d9a18c4e 100644 --- a/modules/opensearch/outputs.tf +++ b/modules/opensearch/outputs.tf 
@@ -57,8 +57,8 @@ output "security_group_rule_egress" { output "opensearch_iam_role_arns" { description = "Map of IAM role names to their ARNs" - value = { for role_name, role in aws_iam_role.roles : role_name => role.arn } - sensitive = false + value = { for role_name, role in aws_iam_role.roles : role_name => role.arn } + sensitive = false } // Output for Policy ARNs @@ -67,5 +67,5 @@ output "opensearch_iam_role_access_policy_arns" { value = { for role_name, policy in aws_iam_policy.access_policies : role_name => policy.arn } - sensitive = false + sensitive = false } diff --git a/modules/opensearch/role.tf b/modules/opensearch/role.tf index bd36688e..14ebf931 100644 --- a/modules/opensearch/role.tf +++ b/modules/opensearch/role.tf @@ -22,4 +22,4 @@ resource "aws_iam_role_policy_attachment" "attach_policies" { role = aws_iam_role.roles[each.key].name policy_arn = aws_iam_policy.access_policies[each.key].arn -} \ No newline at end of file +} diff --git a/modules/opensearch/variables.tf b/modules/opensearch/variables.tf index 8ec846ba..fe469764 100644 --- a/modules/opensearch/variables.tf +++ b/modules/opensearch/variables.tf @@ -291,7 +291,7 @@ variable "iam_roles_with_policies" { # } # ] # } - # + # # access_policy = # { # "Version": "2012-10-17", diff --git a/test/src/custom_eks_opensearch_test.go b/test/src/custom_eks_opensearch_test.go index 7e78a912..1b7270bb 100644 --- a/test/src/custom_eks_opensearch_test.go +++ b/test/src/custom_eks_opensearch_test.go 
@@ -209,17 +209,17 @@ func (suite *CustomEKSOpenSearchTestSuite) TestCustomEKSAndOpenSearch() { }`, accountId, oidcProviderID, oidcProviderID, openSearchNamespace, openSearchServiceAccount) iamRolesWithPolicies := map[string]interface{}{ - "role_name": openSearchRole, - "trust_policy": strings.ReplaceAll(iamRoleTrustPolicy, "\n", " "), - "access_policy": strings.ReplaceAll(openSearchAccessPolicy, "\n", " "), + "role_name": openSearchRole, + "trust_policy": strings.ReplaceAll(iamRoleTrustPolicy, "\n", " "), + "access_policy": strings.ReplaceAll(openSearchAccessPolicy, "\n", " "), } varsConfigOpenSearch := map[string]interface{}{ - "domain_name": opensearchDomainName, - "subnet_ids": result.Cluster.ResourcesVpcConfig.SubnetIds, - "cidr_blocks": append(publicBlocks, privateBlocks...), - "vpc_id": *result.Cluster.ResourcesVpcConfig.VpcId, - "iam_roles_with_policies": iamRolesWithPolicies, + "domain_name": opensearchDomainName, + "subnet_ids": result.Cluster.ResourcesVpcConfig.SubnetIds, + "cidr_blocks": append(publicBlocks, privateBlocks...), + "vpc_id": *result.Cluster.ResourcesVpcConfig.VpcId, + "iam_roles_with_policies": iamRolesWithPolicies, } tfModuleOpenSearch := "opensearch/" diff --git a/test/src/custom_eks_rds_test.go b/test/src/custom_eks_rds_test.go index 27a55d08..c97bedea 100644 --- a/test/src/custom_eks_rds_test.go +++ b/test/src/custom_eks_rds_test.go 
@@ -214,21 +214,21 @@ func (suite *CustomEKSRDSTestSuite) TestCustomEKSAndRDS() { }`, accountId, oidcProviderID, oidcProviderID, auroraNamespace, auroraServiceAccount) iamRolesWithPolicies := map[string]interface{}{ - "role_name": auroraRole, - "trust_policy": strings.ReplaceAll(iamRoleTrustPolicy, "\n", " "), - "access_policy": strings.ReplaceAll(auroraAccessPolicy, "\n", " "), + "role_name": auroraRole, + "trust_policy": strings.ReplaceAll(iamRoleTrustPolicy, "\n", " "), + "access_policy": strings.ReplaceAll(auroraAccessPolicy, "\n", " "), } varsConfigAurora := map[string]interface{}{ - "username": auroraUsername, - "password": auroraPassword, - "default_database_name": auroraDatabase, - "cluster_name": auroraClusterName, - "subnet_ids": result.Cluster.ResourcesVpcConfig.SubnetIds, - "vpc_id": *result.Cluster.ResourcesVpcConfig.VpcId, - "availability_zones": []string{fmt.Sprintf("%sa", suite.region), fmt.Sprintf("%sb", suite.region), fmt.Sprintf("%sc", suite.region)}, - "cidr_blocks": append(publicBlocks, privateBlocks...), - "iam_roles_with_policies": iamRolesWithPolicies, + "username": auroraUsername, + "password": auroraPassword, + "default_database_name": auroraDatabase, + "cluster_name": auroraClusterName, + "subnet_ids": result.Cluster.ResourcesVpcConfig.SubnetIds, + "vpc_id": *result.Cluster.ResourcesVpcConfig.VpcId, + "availability_zones": []string{fmt.Sprintf("%sa", suite.region), fmt.Sprintf("%sb", suite.region), fmt.Sprintf("%sc", suite.region)}, + "cidr_blocks": append(publicBlocks, privateBlocks...), + "iam_roles_with_policies": iamRolesWithPolicies, } tfModuleAurora := "aurora/" From 439fc4ea52707320bc793cca9d781ed00c1dbc3b Mon Sep 17 00:00:00 2001 
From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Mon, 21 Oct 2024 11:23:27 +0200 Subject: [PATCH 107/135] implement resourceidentifier --- README.md | 6 +++++- examples/camunda-8.6-irsa/db.tf | 20 +++++++++----------- examples/camunda-8.6-irsa/opensearch.tf | 2 +- examples/camunda-8.6/db.tf | 2 +- guides/MIGRATION_GUIDE_v2_to_v3.md | 4 ++-- modules/aurora/README.md | 6 +++++- modules/aurora/outputs.tf | 20 ++++++++++++++++++++ modules/aurora/role.tf | 3 ++- modules/aurora/variables.tf | 4 +++- test/src/custom_eks_rds_test.go | 7 +++---- 10 files changed, 51 insertions(+), 23 deletions(-) diff --git a/README.md b/README.md index 200d6ba3..5a9e8d4e 100644 --- a/README.md +++ b/README.md @@ -114,6 +114,10 @@ module "postgresql" { iam_roles_with_policies = [ { role_name = "AuroraRole-your-cluster" # ensure uniqueness of this one + + # Since {DbiResourceId} may be unknown during the apply, it will be dynamically replaced with the database's resource ID + # at apply time. {DbiResourceId} should be treated as a string template, using the value of the database's identifier. + access_policy = </my-db-user" + "Resource": "arn:aws:rds-db:us-west-2:123456789012:dbuser:{DbiResourceId}/my-db-user" }] }) ``` @@ -113,7 +113,7 @@ iam_roles_with_policies = [ "Statement": [{ "Effect": "Allow", "Action": [ "rds-db:connect" ], - "Resource": "arn:aws:rds-db:us-west-2:123456789012:dbuser:/my-db-user" + "Resource": "arn:aws:rds-db:us-west-2:123456789012:dbuser:{DbiResourceId}/my-db-user" }] } EOF diff --git a/modules/aurora/README.md b/modules/aurora/README.md index 597abc31..d2230571 100644 --- a/modules/aurora/README.md +++ b/modules/aurora/README.md 
@@ -59,7 +59,7 @@ No modules. | [engine\_version](#input\_engine\_version) | The DB engine version for Postgres to use. | `string` | `"15.4"` | no | | [iam\_auth\_enabled](#input\_iam\_auth\_enabled) | Determines whether IAM auth should be activated for IRSA usage | `bool` | `false` | no | | [iam\_roles](#input\_iam\_roles) | Allows propagating additional IAM roles to the Aurora cluster to allow e.g. access to S3 | `list(string)` | `[]` | no | -| [iam\_roles\_with\_policies](#input\_iam\_roles\_with\_policies) | List of roles with their trust and access policies |
list(object({
# Name of the Role to create
role_name = string

# Assume role trust policy for this Aurora role as a json string
trust_policy = string

# Access policy for Aurora allowing access as a json string
# see https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html
# Example:
# [
# {
# role_name = "AuroraRole"
# trust_policy =
# {
# "Version": "2012-10-17",
# "Statement": [
# {
# "Effect": "Allow",
# "Principal": {
# "Federated": "arn:aws:iam:::oidc-provider/oidc.eks..amazonaws.com/id/"
# },
# "Action": "sts:AssumeRoleWithWebIdentity",
# "Condition": {
# "StringEquals": {
# "oidc.eks..amazonaws.com/id/:sub": "system:serviceaccount::"
# }
# }
# }
# ]
# }
#
# access_policy =
# {
# "Version": "2012-10-17",
# "Statement": [
# {
# "Effect": "Allow",
# "Action": [
# "rds-db:connect"
# ],
# "Resource": "arn:aws:rds-db:::dbuser:/"
# }
# ]
# }
#
# }
# ]
access_policy = string
}))
| `[]` | no | +| [iam\_roles\_with\_policies](#input\_iam\_roles\_with\_policies) | List of roles with their trust and access policies |
list(object({
# Name of the Role to create
role_name = string

# Assume role trust policy for this Aurora role as a json string
trust_policy = string

# Access policy for Aurora allowing access as a json string
# see https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html
# Since {DbiResourceId} may be unknown during the apply, it will be dynamically replaced with the database's resource ID
# at apply time. {DbiResourceId} should be treated as a string template, using the value of the database's identifier.
# Example:
# [
# {
# role_name = "AuroraRole"
# trust_policy =
# {
# "Version": "2012-10-17",
# "Statement": [
# {
# "Effect": "Allow",
# "Principal": {
# "Federated": "arn:aws:iam:::oidc-provider/oidc.eks..amazonaws.com/id/"
# },
# "Action": "sts:AssumeRoleWithWebIdentity",
# "Condition": {
# "StringEquals": {
# "oidc.eks..amazonaws.com/id/:sub": "system:serviceaccount::"
# }
# }
# }
# ]
# }
#
# access_policy =
# {
# "Version": "2012-10-17",
# "Statement": [
# {
# "Effect": "Allow",
# "Action": [
# "rds-db:connect"
# ],
# "Resource": "arn:aws:rds-db:::dbuser:{DbiResourceId}/"
# }
# ]
# }
#
# }
# ]
access_policy = string
}))
| `[]` | no | | [instance\_class](#input\_instance\_class) | The instance type of the Aurora instances | `string` | `"db.t3.medium"` | no | | [num\_instances](#input\_num\_instances) | Number of instances | `string` | `"1"` | no | | [password](#input\_password) | The password for the postgres admin user. Important: secret value! | `string` | n/a | yes | @@ -71,7 +71,11 @@ No modules. | Name | Description | |------|-------------| +| [aurora\_cluster\_identifier](#output\_aurora\_cluster\_identifier) | RDS Cluster Identifier | +| [aurora\_cluster\_resource\_id](#output\_aurora\_cluster\_resource\_id) | RDS Cluster Resource ID | | [aurora\_endpoint](#output\_aurora\_endpoint) | The endpoint of the Aurora cluster | | [aurora\_iam\_role\_access\_policy\_arns](#output\_aurora\_iam\_role\_access\_policy\_arns) | Map of IAM role names to their access policy ARNs | | [aurora\_iam\_role\_arns](#output\_aurora\_iam\_role\_arns) | Map of IAM role names to their ARNs | +| [aurora\_id](#output\_aurora\_id) | RDS Cluster Identifier | +| [aurora\_resource\_id](#output\_aurora\_resource\_id) | DB Resource Identifier | diff --git a/modules/aurora/outputs.tf b/modules/aurora/outputs.tf index 20632049..86115acc 100644 --- a/modules/aurora/outputs.tf +++ b/modules/aurora/outputs.tf @@ -3,6 +3,26 @@ output "aurora_endpoint" { description = "The endpoint of the Aurora cluster" } +output "aurora_id" { + value = aws_rds_cluster.id + description = "RDS Cluster Identifier" +} + +output "aurora_resource_id" { + value = aws_rds_cluster.resource_id + description = "DB Resource Identifier" +} + +output "aurora_cluster_identifier" { + value = aws_rds_cluster.cluster_identifier + description = "RDS Cluster Identifier" +} + +output "aurora_cluster_resource_id" { + value = aws_rds_cluster.cluster_resource_id + description = "RDS Cluster Resource ID" +} + // Output for Role ARNs output "aurora_iam_role_arns" { description = "Map of IAM role names to their ARNs" 
diff --git a/modules/aurora/role.tf b/modules/aurora/role.tf index 14ebf931..bf976189 100644 --- a/modules/aurora/role.tf +++ b/modules/aurora/role.tf @@ -13,7 +13,8 @@ resource "aws_iam_policy" "access_policies" { name = "${each.key}-access-policy" description = "Access policy for ${each.key}" - policy = each.value.access_policy + # perform a templating of the DbiResourceId + policy = replace(each.value.access_policy, "{DbiResourceId}", aws_rds_cluster.aurora_cluster.aurora_resource_id) } // Attach the policy to the role diff --git a/modules/aurora/variables.tf b/modules/aurora/variables.tf index 3f111533..dca0717f 100644 --- a/modules/aurora/variables.tf +++ b/modules/aurora/variables.tf @@ -105,6 +105,8 @@ variable "iam_roles_with_policies" { # Access policy for Aurora allowing access as a json string # see https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html + # Since {DbiResourceId} may be unknown during the apply, it will be dynamically replaced with the database's resource ID + # at apply time. {DbiResourceId} should be treated as a string template, using the value of the database's identifier. # Example: # [ # { @@ -137,7 +139,7 @@ variable "iam_roles_with_policies" { # "Action": [ # "rds-db:connect" # ], - # "Resource": "arn:aws:rds-db:::dbuser:/" + # "Resource": "arn:aws:rds-db:::dbuser:{DbiResourceId}/" # } # ] # } diff --git a/test/src/custom_eks_rds_test.go b/test/src/custom_eks_rds_test.go index c97bedea..9a413904 100644 --- a/test/src/custom_eks_rds_test.go +++ b/test/src/custom_eks_rds_test.go 
@@ -164,8 +164,7 @@ func (suite *CustomEKSRDSTestSuite) TestCustomEKSAndRDS() { // Define the ARN for RDS IAM DB Auth auroraIRSAUsername := "myirsauser" - auroraArn := fmt.Sprintf("arn:aws:rds-db:%s:%s:dbuser:%s/%s", suite.region, accountId, auroraClusterName, auroraIRSAUsername) - suite.sugaredLogger.Infow("Aurora RDS IAM infos", "accountId", accountId, "auroraArn", auroraArn) + suite.sugaredLogger.Infow("Aurora RDS IAM infos", "accountId", accountId) utils.GenerateKubeConfigFromAWS(suite.T(), suite.region, suite.clusterName, utils.GetAwsProfile(), suite.kubeConfigPath) @@ -180,7 +179,7 @@ func (suite *CustomEKSRDSTestSuite) TestCustomEKSAndRDS() { }) // Define the Aurora access policy for IAM DB Auth - // note: we use a wildcard instead of the DbiResourceId as we don't know it yet + // note: we use a {DbiResourceId} as a template string auroraAccessPolicy := fmt.Sprintf(`{ "Version": "2012-10-17", "Statement": [ @@ -189,7 +188,7 @@ func (suite *CustomEKSRDSTestSuite) TestCustomEKSAndRDS() { "Action": [ "rds-db:connect" ], - "Resource": "arn:aws:rds-db:%s:%s:dbuser:*/%s" + "Resource": "arn:aws:rds-db:%s:%s:dbuser:{DbiResourceId}/%s" } ] }`, suite.region, accountId, auroraIRSAUsername) From 48e194050c1d97dfc29164026e39d0ac9d037f1e Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Mon, 21 Oct 2024 14:08:36 +0200 Subject: [PATCH 108/135] fix module outputs --- modules/aurora/outputs.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/aurora/outputs.tf b/modules/aurora/outputs.tf index 86115acc..ffcd1682 100644 --- a/modules/aurora/outputs.tf +++ b/modules/aurora/outputs.tf 
@@ -4,22 +4,22 @@ output "aurora_endpoint" { } output "aurora_id" { - value = aws_rds_cluster.id + value = aws_rds_cluster.aurora_cluster.id description = "RDS Cluster Identifier" } output "aurora_resource_id" { - value = aws_rds_cluster.resource_id + value = aws_rds_cluster.aurora_cluster.resource_id description = "DB Resource Identifier" } output "aurora_cluster_identifier" { - value = aws_rds_cluster.cluster_identifier + value = aws_rds_cluster.aurora_cluster.cluster_identifier description = "RDS Cluster Identifier" } output "aurora_cluster_resource_id" { - value = aws_rds_cluster.cluster_resource_id + value = aws_rds_cluster.aurora_cluster.cluster_resource_id description = "RDS Cluster Resource ID" } From d9affa833c4dd7f286288ee76605202562d16bb8 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Mon, 21 Oct 2024 14:11:48 +0200 Subject: [PATCH 109/135] fix module outputs --- modules/aurora/README.md | 1 - modules/aurora/outputs.tf | 5 ----- modules/aurora/role.tf | 2 +- 3 files changed, 1 insertion(+), 7 deletions(-) diff --git a/modules/aurora/README.md b/modules/aurora/README.md index d2230571..f896fc94 100644 --- a/modules/aurora/README.md +++ b/modules/aurora/README.md @@ -77,5 +77,4 @@ No modules. | [aurora\_iam\_role\_access\_policy\_arns](#output\_aurora\_iam\_role\_access\_policy\_arns) | Map of IAM role names to their access policy ARNs | | [aurora\_iam\_role\_arns](#output\_aurora\_iam\_role\_arns) | Map of IAM role names to their ARNs | | [aurora\_id](#output\_aurora\_id) | RDS Cluster Identifier | -| [aurora\_resource\_id](#output\_aurora\_resource\_id) | DB Resource Identifier | diff --git a/modules/aurora/outputs.tf b/modules/aurora/outputs.tf index ffcd1682..c969887f 100644 --- a/modules/aurora/outputs.tf +++ b/modules/aurora/outputs.tf 
@@ -8,11 +8,6 @@ output "aurora_id" { description = "RDS Cluster Identifier" } -output "aurora_resource_id" { - value = aws_rds_cluster.aurora_cluster.resource_id - description = "DB Resource Identifier" -} - output "aurora_cluster_identifier" { value = aws_rds_cluster.aurora_cluster.cluster_identifier description = "RDS Cluster Identifier" diff --git a/modules/aurora/role.tf b/modules/aurora/role.tf index bf976189..0b9fedad 100644 --- a/modules/aurora/role.tf +++ b/modules/aurora/role.tf @@ -14,7 +14,7 @@ resource "aws_iam_policy" "access_policies" { description = "Access policy for ${each.key}" # perform a templating of the DbiResourceId - policy = replace(each.value.access_policy, "{DbiResourceId}", aws_rds_cluster.aurora_cluster.aurora_resource_id) + policy = replace(each.value.access_policy, "{DbiResourceId}", aws_rds_cluster.aurora_cluster.aurora_cluster_resource_id) } // Attach the policy to the role From fd221af17a743b6cd9808d2106879048021d5492 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Mon, 21 Oct 2024 14:15:03 +0200 Subject: [PATCH 110/135] fix module outputs --- modules/aurora/role.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/aurora/role.tf b/modules/aurora/role.tf index 0b9fedad..c939dd52 100644 --- a/modules/aurora/role.tf +++ b/modules/aurora/role.tf @@ -14,7 +14,7 @@ resource "aws_iam_policy" "access_policies" { description = "Access policy for ${each.key}" # perform a templating of the DbiResourceId - policy = replace(each.value.access_policy, "{DbiResourceId}", aws_rds_cluster.aurora_cluster.aurora_cluster_resource_id) + policy = replace(each.value.access_policy, "{DbiResourceId}", aws_rds_cluster.aurora_cluster.cluster_resource_id) } // Attach the policy to the role From f2a9c68c0613c36efd0e0c500eef42695f8b991d Mon Sep 17 00:00:00 2001 
From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Mon, 21 Oct 2024 14:47:32 +0200 Subject: [PATCH 111/135] revert changes on dbidentifier --- README.md | 7 ++++--- examples/camunda-8.6-irsa/db.tf | 22 +++++++++++++++++----- guides/MIGRATION_GUIDE_v2_to_v3.md | 4 ++-- modules/aurora/README.md | 2 +- modules/aurora/role.tf | 3 +-- modules/aurora/variables.tf | 6 +++--- test/src/custom_eks_rds_test.go | 3 +-- 7 files changed, 29 insertions(+), 18 deletions(-) diff --git a/README.md b/README.md index 5a9e8d4e..c74f24a0 100644 --- a/README.md +++ b/README.md @@ -115,8 +115,9 @@ module "postgresql" { { role_name = "AuroraRole-your-cluster" # ensure uniqueness of this one - # Since {DbiResourceId} may be unknown during the apply, it will be dynamically replaced with the database's resource ID - # at apply time. {DbiResourceId} should be treated as a string template, using the value of the database's identifier. + # Source: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html + # Since the DbiResourceId may be unknown during the apply process, and because each instance of the RDS cluster contains its own DbiResourceId, + # we use the wildcard `dbuser:*` to apply to all database instances. access_policy = < [engine\_version](#input\_engine\_version) | The DB engine version for Postgres to use. | `string` | `"15.4"` | no | | [iam\_auth\_enabled](#input\_iam\_auth\_enabled) | Determines whether IAM auth should be activated for IRSA usage | `bool` | `false` | no | | [iam\_roles](#input\_iam\_roles) | Allows propagating additional IAM roles to the Aurora cluster to allow e.g. access to S3 | `list(string)` | `[]` | no | -| [iam\_roles\_with\_policies](#input\_iam\_roles\_with\_policies) | List of roles with their trust and access policies |
list(object({
# Name of the Role to create
role_name = string

# Assume role trust policy for this Aurora role as a json string
trust_policy = string

# Access policy for Aurora allowing access as a json string
# see https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html
# Since {DbiResourceId} may be unknown during the apply, it will be dynamically replaced with the database's resource ID
# at apply time. {DbiResourceId} should be treated as a string template, using the value of the database's identifier.
# Example:
# [
# {
# role_name = "AuroraRole"
# trust_policy =
# {
# "Version": "2012-10-17",
# "Statement": [
# {
# "Effect": "Allow",
# "Principal": {
# "Federated": "arn:aws:iam:::oidc-provider/oidc.eks..amazonaws.com/id/"
# },
# "Action": "sts:AssumeRoleWithWebIdentity",
# "Condition": {
# "StringEquals": {
# "oidc.eks..amazonaws.com/id/:sub": "system:serviceaccount::"
# }
# }
# }
# ]
# }
#
# access_policy =
# {
# "Version": "2012-10-17",
# "Statement": [
# {
# "Effect": "Allow",
# "Action": [
# "rds-db:connect"
# ],
# "Resource": "arn:aws:rds-db:::dbuser:{DbiResourceId}/"
# }
# ]
# }
#
# }
# ]
access_policy = string
}))
| `[]` | no | +| [iam\_roles\_with\_policies](#input\_iam\_roles\_with\_policies) | List of roles with their trust and access policies |
list(object({
# Name of the Role to create
role_name = string

# Assume role trust policy for this Aurora role as a json string
trust_policy = string

# Access policy for Aurora allowing access as a json string
# see https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html
# Since the DbiResourceId may be unknown during the apply process, and because each instance of the RDS cluster contains its own DbiResourceId,
# we use the wildcard `dbuser:*` to apply to all database instances.
# Example:
# [
# {
# role_name = "AuroraRole"
# trust_policy =
# {
# "Version": "2012-10-17",
# "Statement": [
# {
# "Effect": "Allow",
# "Principal": {
# "Federated": "arn:aws:iam:::oidc-provider/oidc.eks..amazonaws.com/id/"
# },
# "Action": "sts:AssumeRoleWithWebIdentity",
# "Condition": {
# "StringEquals": {
# "oidc.eks..amazonaws.com/id/:sub": "system:serviceaccount::"
# }
# }
# }
# ]
# }
#
# access_policy =
# {
# "Version": "2012-10-17",
# "Statement": [
# {
# "Effect": "Allow",
# "Action": [
# "rds-db:connect"
# ],
# "Resource": "arn:aws:rds-db:::dbuser:*/"
# }
# ]
# }
#
# }
# ]
access_policy = string
}))
| `[]` | no | | [instance\_class](#input\_instance\_class) | The instance type of the Aurora instances | `string` | `"db.t3.medium"` | no | | [num\_instances](#input\_num\_instances) | Number of instances | `string` | `"1"` | no | | [password](#input\_password) | The password for the postgres admin user. Important: secret value! | `string` | n/a | yes | diff --git a/modules/aurora/role.tf b/modules/aurora/role.tf index c939dd52..14ebf931 100644 --- a/modules/aurora/role.tf +++ b/modules/aurora/role.tf @@ -13,8 +13,7 @@ resource "aws_iam_policy" "access_policies" { name = "${each.key}-access-policy" description = "Access policy for ${each.key}" - # perform a templating of the DbiResourceId - policy = replace(each.value.access_policy, "{DbiResourceId}", aws_rds_cluster.aurora_cluster.cluster_resource_id) + policy = each.value.access_policy } // Attach the policy to the role diff --git a/modules/aurora/variables.tf b/modules/aurora/variables.tf index dca0717f..f637525c 100644 --- a/modules/aurora/variables.tf +++ b/modules/aurora/variables.tf @@ -105,8 +105,8 @@ variable "iam_roles_with_policies" { # Access policy for Aurora allowing access as a json string # see https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html - # Since {DbiResourceId} may be unknown during the apply, it will be dynamically replaced with the database's resource ID - # at apply time. {DbiResourceId} should be treated as a string template, using the value of the database's identifier. + # Since the DbiResourceId may be unknown during the apply process, and because each instance of the RDS cluster contains its own DbiResourceId, + # we use the wildcard `dbuser:*` to apply to all database instances. # Example: # [ # { @@ -139,7 +139,7 @@ variable "iam_roles_with_policies" { # "Action": [ # "rds-db:connect" # ], - # "Resource": "arn:aws:rds-db:::dbuser:{DbiResourceId}/" + # "Resource": "arn:aws:rds-db:::dbuser:*/" # } # ] # } 
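Review bot: The new comment in modules/aurora/variables.tf justifies `dbuser:*` by saying each instance has its own DbiResourceId, but the Aurora guide linked just above it describes, as far as I can tell, the cluster resource ID in that position. The `replace(..., aws_rds_cluster.aurora_cluster.cluster_resource_id)` removed from role.tf in this same commit supplied exactly that value. If the wildcard is kept for simplicity, the comment should say what it permits rather than present it as unavoidable, for example `# NOTE: dbuser:* allows connecting as this DB user on any IAM-auth database in the account/region; replace * with the cluster resource ID (cluster-...) to restrict it.` The `iam_roles_with_policies` variable block starts and ends outside these hunks.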
diff --git a/test/src/custom_eks_rds_test.go b/test/src/custom_eks_rds_test.go index 9a413904..6a273b47 100644 --- a/test/src/custom_eks_rds_test.go +++ b/test/src/custom_eks_rds_test.go @@ -179,7 +179,6 @@ func (suite *CustomEKSRDSTestSuite) TestCustomEKSAndRDS() { }) // Define the Aurora access policy for IAM DB Auth - // note: we use a {DbiResourceId} as a template string auroraAccessPolicy := fmt.Sprintf(`{ "Version": "2012-10-17", "Statement": [ @@ -188,7 +187,7 @@ func (suite *CustomEKSRDSTestSuite) TestCustomEKSAndRDS() { "Action": [ "rds-db:connect" ], - "Resource": "arn:aws:rds-db:%s:%s:dbuser:{DbiResourceId}/%s" + "Resource": "arn:aws:rds-db:%s:%s:dbuser:*/%s" } ] }`, suite.region, accountId, auroraIRSAUsername) From 8ecda12e94158ce9bc4a517f34720031d079df24 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Mon, 21 Oct 2024 15:40:35 +0200 Subject: [PATCH 112/135] fix renovate update --- modules/eks-cluster/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/eks-cluster/variables.tf b/modules/eks-cluster/variables.tf index 7609e0ff..8b2f8c63 100644 --- a/modules/eks-cluster/variables.tf +++ b/modules/eks-cluster/variables.tf @@ -13,7 +13,7 @@ variable "name" { variable "kubernetes_version" { type = string description = "Kubernetes version to be used by EKS" - # renovate: datasource=endoflife-date depName=amazon-eks versioning=semver + # renovate: datasource=endoflife-date depName=amazon-eks versioning=loose default = "1.30" } From 15d205a60337f6d87d7d852f67669585b2e24fc0 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Mon, 21 Oct 2024 15:42:49 +0200 Subject: [PATCH 113/135] revert outputs --- examples/camunda-8.6-irsa/db.tf | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/examples/camunda-8.6-irsa/db.tf b/examples/camunda-8.6-irsa/db.tf index bd120a5b..4d737e20 100644 --- a/examples/camunda-8.6-irsa/db.tf 
+++ b/examples/camunda-8.6-irsa/db.tf @@ -178,15 +178,3 @@ output "aurora_iam_role_arns" { value = module.postgresql.aurora_iam_role_arns description = "Map of IAM role names to their ARNs" } - -output "aurora_id" { - value = module.postgresql.aurora_id -} - -output "aurora_cluster_identifier" { - value = module.postgresql.aurora_cluster_identifier -} - -output "aurora_cluster_resource_id" { - value = module.postgresql.aurora_cluster_resource_id -} From 73a71e5344f73f7624fad0760269ffee62b4a032 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Mon, 21 Oct 2024 18:40:58 +0200 Subject: [PATCH 114/135] fix tests --- examples/camunda-8.6-irsa/cluster.tf | 3 +++ examples/camunda-8.6/cluster.tf | 3 +++ test/src/custom_eks_opensearch_test.go | 10 ++++++---- test/src/custom_eks_rds_test.go | 10 ++++++---- 4 files changed, 18 insertions(+), 8 deletions(-) diff --git a/examples/camunda-8.6-irsa/cluster.tf b/examples/camunda-8.6-irsa/cluster.tf index ef9dd9d1..996a9911 100644 --- a/examples/camunda-8.6-irsa/cluster.tf +++ b/examples/camunda-8.6-irsa/cluster.tf @@ -13,6 +13,9 @@ module "eks_cluster" { # Set CIDR ranges or use the defaults cluster_service_ipv4_cidr = "10.190.0.0/16" cluster_node_ipv4_cidr = "10.192.0.0/16" + + # Default node type for the Kubernetes cluster + np_instance_types = ["m6i.xlarge"] } output "cert_manager_arn" { diff --git a/examples/camunda-8.6/cluster.tf b/examples/camunda-8.6/cluster.tf index 834b86e9..14eee804 100644 --- a/examples/camunda-8.6/cluster.tf +++ b/examples/camunda-8.6/cluster.tf @@ -13,6 +13,9 @@ module "eks_cluster" { # Set CIDR ranges or use the defaults cluster_service_ipv4_cidr = "10.190.0.0/16" cluster_node_ipv4_cidr = "10.192.0.0/16" + + # Default node type for the Kubernetes cluster + np_instance_types = ["m6i.xlarge"] } output "cert_manager_arn" { diff --git a/test/src/custom_eks_opensearch_test.go b/test/src/custom_eks_opensearch_test.go index 1b7270bb..c4a2b7bb 100644 
--- a/test/src/custom_eks_opensearch_test.go +++ b/test/src/custom_eks_opensearch_test.go @@ -208,10 +208,12 @@ func (suite *CustomEKSOpenSearchTestSuite) TestCustomEKSAndOpenSearch() { ] }`, accountId, oidcProviderID, oidcProviderID, openSearchNamespace, openSearchServiceAccount) - iamRolesWithPolicies := map[string]interface{}{ - "role_name": openSearchRole, - "trust_policy": strings.ReplaceAll(iamRoleTrustPolicy, "\n", " "), - "access_policy": strings.ReplaceAll(openSearchAccessPolicy, "\n", " "), + iamRolesWithPolicies := []map[string]interface{}{ + { + "role_name": openSearchRole, + "trust_policy": strings.ReplaceAll(iamRoleTrustPolicy, "\n", " "), + "access_policy": strings.ReplaceAll(openSearchAccessPolicy, "\n", " "), + }, } varsConfigOpenSearch := map[string]interface{}{ diff --git a/test/src/custom_eks_rds_test.go b/test/src/custom_eks_rds_test.go index 6a273b47..a948cf20 100644 --- a/test/src/custom_eks_rds_test.go +++ b/test/src/custom_eks_rds_test.go @@ -211,10 +211,12 @@ func (suite *CustomEKSRDSTestSuite) TestCustomEKSAndRDS() { ] }`, accountId, oidcProviderID, oidcProviderID, auroraNamespace, auroraServiceAccount) - iamRolesWithPolicies := map[string]interface{}{ - "role_name": auroraRole, - "trust_policy": strings.ReplaceAll(iamRoleTrustPolicy, "\n", " "), - "access_policy": strings.ReplaceAll(auroraAccessPolicy, "\n", " "), + iamRolesWithPolicies := []map[string]interface{}{ + { + "role_name": auroraRole, + "trust_policy": strings.ReplaceAll(iamRoleTrustPolicy, "\n", " "), + "access_policy": strings.ReplaceAll(auroraAccessPolicy, "\n", " "), + }, } varsConfigAurora := map[string]interface{}{ From 5bcbed92aed673fe78688cbc0822e8950926dea5 Mon Sep 17 00:00:00 2001 
From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Tue, 22 Oct 2024 18:43:57 +0200 Subject: [PATCH 115/135] pin version --- examples/camunda-8.6-irsa/cluster.tf | 3 +-- examples/camunda-8.6-irsa/db.tf | 3 +-- examples/camunda-8.6-irsa/opensearch.tf | 3 +-- examples/camunda-8.6/cluster.tf | 3 +-- examples/camunda-8.6/db.tf | 3 +-- examples/camunda-8.6/opensearch.tf | 3 +-- 6 files changed, 6 insertions(+), 12 deletions(-) diff --git a/examples/camunda-8.6-irsa/cluster.tf b/examples/camunda-8.6-irsa/cluster.tf index 996a9911..84205b3c 100644 --- a/examples/camunda-8.6-irsa/cluster.tf +++ b/examples/camunda-8.6-irsa/cluster.tf @@ -4,8 +4,7 @@ locals { } module "eks_cluster" { - # TODO: pin to v3 after the release - source = "git::https://github.com/camunda/camunda-tf-eks-module//modules/eks-cluster?ref=feature/opensearch-doc" + source = "git::https://github.com/camunda/camunda-tf-eks-module//modules/eks-cluster?ref=3.0.0" name = local.eks_cluster_name region = local.eks_cluster_region diff --git a/examples/camunda-8.6-irsa/db.tf b/examples/camunda-8.6-irsa/db.tf index 4d737e20..944b0ed7 100644 --- a/examples/camunda-8.6-irsa/db.tf +++ b/examples/camunda-8.6-irsa/db.tf @@ -23,8 +23,7 @@ locals { } module "postgresql" { - # TODO: pin to v3 after the release - source = "git::https://github.com/camunda/camunda-tf-eks-module//modules/aurora?ref=feature/opensearch-doc" + source = "git::https://github.com/camunda/camunda-tf-eks-module//modules/aurora?ref=3.0.0" engine_version = "15.8" auto_minor_version_upgrade = false cluster_name = local.aurora_cluster_name diff --git a/examples/camunda-8.6-irsa/opensearch.tf b/examples/camunda-8.6-irsa/opensearch.tf index 3aee8ffe..a2de966a 100644 --- a/examples/camunda-8.6-irsa/opensearch.tf +++ b/examples/camunda-8.6-irsa/opensearch.tf 
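Review bot: `?ref=3.0.0` on the `eks_cluster` module source is a Git tag, which can be moved after publication, and Terraform's dependency lock file records checksums for providers only, not for module sources. Because these examples are meant to be copied, consider pinning the full commit SHA and keeping the version as a trailing comment, e.g. `?ref=<commit-sha-of-3.0.0>` followed by `# 3.0.0`. The same applies to the `aurora` and `opensearch` sources changed in the other hunks of this commit.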
@@ -15,8 +15,7 @@ locals { } module "opensearch_domain" { - # TODO: pin to v3 after the release - source = "git::https://github.com/camunda/camunda-tf-eks-module//modules/opensearch?ref=feature/opensearch-doc" + source = "git::https://github.com/camunda/camunda-tf-eks-module//modules/opensearch?ref=3.0.0" domain_name = local.opensearch_domain_name engine_version = "2.15" diff --git a/examples/camunda-8.6/cluster.tf b/examples/camunda-8.6/cluster.tf index 14eee804..6a9e99c2 100644 --- a/examples/camunda-8.6/cluster.tf +++ b/examples/camunda-8.6/cluster.tf @@ -4,8 +4,7 @@ locals { } module "eks_cluster" { - # TODO: pin to v3 after the release - source = "git::https://github.com/camunda/camunda-tf-eks-module//modules/eks-cluster?ref=2.6.0" + source = "git::https://github.com/camunda/camunda-tf-eks-module//modules/eks-cluster?ref=3.0.0" name = local.eks_cluster_name region = local.eks_cluster_region diff --git a/examples/camunda-8.6/db.tf b/examples/camunda-8.6/db.tf index ac74cf86..8819a01a 100644 --- a/examples/camunda-8.6/db.tf +++ b/examples/camunda-8.6/db.tf @@ -19,8 +19,7 @@ locals { } module "postgresql" { - # TODO: pin to v3 after the release - source = "git::https://github.com/camunda/camunda-tf-eks-module//modules/aurora?ref=2.6.0" + source = "git::https://github.com/camunda/camunda-tf-eks-module//modules/aurora?ref=3.0.0" engine_version = "15.8" auto_minor_version_upgrade = false cluster_name = local.aurora_cluster_name diff --git a/examples/camunda-8.6/opensearch.tf b/examples/camunda-8.6/opensearch.tf index 41411fec..26cc9419 100644 --- a/examples/camunda-8.6/opensearch.tf +++ b/examples/camunda-8.6/opensearch.tf 
@@ -3,8 +3,7 @@ locals { } module "opensearch_domain" { - # TODO: pin to v3 after the release - source = "git::https://github.com/camunda/camunda-tf-eks-module//modules/opensearch?ref=2.6.0" + source = "git::https://github.com/camunda/camunda-tf-eks-module//modules/opensearch?ref=3.0.0" domain_name = local.opensearch_domain_name engine_version = "2.15" From 7620efc88ae11ea61e9987b5ad5778d96a4d9913 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Tue, 22 Oct 2024 20:29:11 +0200 Subject: [PATCH 116/135] fix tests --- test/src/custom_eks_opensearch_test.go | 11 ++++++----- test/src/custom_eks_rds_test.go | 11 ++++++----- 2 files changed, 12 insertions(+), 10 deletions(-) diff --git a/test/src/custom_eks_opensearch_test.go b/test/src/custom_eks_opensearch_test.go index c4a2b7bb..f27b6371 100644 --- a/test/src/custom_eks_opensearch_test.go +++ b/test/src/custom_eks_opensearch_test.go @@ -208,11 +208,12 @@ func (suite *CustomEKSOpenSearchTestSuite) TestCustomEKSAndOpenSearch() { ] }`, accountId, oidcProviderID, oidcProviderID, openSearchNamespace, openSearchServiceAccount) - iamRolesWithPolicies := []map[string]interface{}{ - { - "role_name": openSearchRole, - "trust_policy": strings.ReplaceAll(iamRoleTrustPolicy, "\n", " "), - "access_policy": strings.ReplaceAll(openSearchAccessPolicy, "\n", " "), + iamRolesWithPolicies := []interface{}{ + map[string]interface{}{ + "role_name": openSearchRole, + // escape and put everything on a single line + "trust_policy": strings.ReplaceAll(strings.ReplaceAll(iamRoleTrustPolicy, "\n", " "), `"`, `\"`), + "access_policy": strings.ReplaceAll(strings.ReplaceAll(openSearchAccessPolicy, "\n", " "), `"`, `\"`), }, } diff --git a/test/src/custom_eks_rds_test.go b/test/src/custom_eks_rds_test.go index a948cf20..239d03d0 100644 --- a/test/src/custom_eks_rds_test.go +++ b/test/src/custom_eks_rds_test.go 
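Review bot: The hand-written escaping of `trust_policy` and `access_policy` rewrites only newlines and double quotes, so a backslash or a `${...}` sequence in a policy (IAM policy variables use that syntax) would reach Terraform unescaped and could change how the value is parsed. The policies here are built with `fmt.Sprintf` from values such as `accountId` and `oidcProviderID`, so it presumably works for the current inputs, but it is fragile. I would move it into one shared test helper that escapes backslashes before quotes, e.g. `s = strings.ReplaceAll(s, "\\", "\\\\")` ahead of the quote replacement, with a comment explaining why the variables must be pre-escaped. The identical block in `test/src/custom_eks_rds_test.go` has the same issue, and `TestCustomEKSAndOpenSearch` starts and ends outside this hunk.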
@@ -211,11 +211,12 @@ func (suite *CustomEKSRDSTestSuite) TestCustomEKSAndRDS() { ] }`, accountId, oidcProviderID, oidcProviderID, auroraNamespace, auroraServiceAccount) - iamRolesWithPolicies := []map[string]interface{}{ - { - "role_name": auroraRole, - "trust_policy": strings.ReplaceAll(iamRoleTrustPolicy, "\n", " "), - "access_policy": strings.ReplaceAll(auroraAccessPolicy, "\n", " "), + iamRolesWithPolicies := []interface{}{ + map[string]interface{}{ + "role_name": auroraRole, + // escape and put everything on a single line + "trust_policy": strings.ReplaceAll(strings.ReplaceAll(iamRoleTrustPolicy, "\n", " "), `"`, `\"`), + "access_policy": strings.ReplaceAll(strings.ReplaceAll(auroraAccessPolicy, "\n", " "), `"`, `\"`), }, } From ccf1aa4683da438036e95eef3525bd65d32d4230 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Wed, 23 Oct 2024 09:43:38 +0200 Subject: [PATCH 117/135] fix rds tests --- test/src/custom_eks_rds_test.go | 1 + 1 file changed, 1 insertion(+) diff --git a/test/src/custom_eks_rds_test.go b/test/src/custom_eks_rds_test.go index 239d03d0..f23e1e71 100644 --- a/test/src/custom_eks_rds_test.go +++ b/test/src/custom_eks_rds_test.go @@ -229,6 +229,7 @@ func (suite *CustomEKSRDSTestSuite) TestCustomEKSAndRDS() { "vpc_id": *result.Cluster.ResourcesVpcConfig.VpcId, "availability_zones": []string{fmt.Sprintf("%sa", suite.region), fmt.Sprintf("%sb", suite.region), fmt.Sprintf("%sc", suite.region)}, "cidr_blocks": append(publicBlocks, privateBlocks...), + "iam_auth_enabled": true, "iam_roles_with_policies": iamRolesWithPolicies, } From afc37a40c9fcd0cd9a2307092fcdf8f59beeb533 Mon Sep 17 00:00:00 2001 
From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Wed, 23 Oct 2024 17:28:46 +0200 Subject: [PATCH 118/135] explicitely configure resources --- examples/camunda-8.6-irsa/cluster.tf | 3 ++- examples/camunda-8.6-irsa/db.tf | 1 + examples/camunda-8.6-irsa/opensearch.tf | 2 +- examples/camunda-8.6/cluster.tf | 3 ++- examples/camunda-8.6/db.tf | 1 + examples/camunda-8.6/opensearch.tf | 5 +++-- 6 files changed, 10 insertions(+), 5 deletions(-) diff --git a/examples/camunda-8.6-irsa/cluster.tf b/examples/camunda-8.6-irsa/cluster.tf index 84205b3c..4a0c7a9b 100644 --- a/examples/camunda-8.6-irsa/cluster.tf +++ b/examples/camunda-8.6-irsa/cluster.tf @@ -14,7 +14,8 @@ module "eks_cluster" { cluster_node_ipv4_cidr = "10.192.0.0/16" # Default node type for the Kubernetes cluster - np_instance_types = ["m6i.xlarge"] + np_instance_types = ["m6i.xlarge"] + np_desired_node_count = 4 } output "cert_manager_arn" { diff --git a/examples/camunda-8.6-irsa/db.tf b/examples/camunda-8.6-irsa/db.tf index 944b0ed7..ca901c2b 100644 --- a/examples/camunda-8.6-irsa/db.tf +++ b/examples/camunda-8.6-irsa/db.tf @@ -38,6 +38,7 @@ module "postgresql" { subnet_ids = module.eks_cluster.private_subnet_ids cidr_blocks = concat(module.eks_cluster.private_vpc_cidr_blocks, module.eks_cluster.public_vpc_cidr_blocks) + num_instances = "1" # only one instance, you can add add other read-only instances if you want instance_class = "db.t3.medium" # IAM IRSA diff --git a/examples/camunda-8.6-irsa/opensearch.tf b/examples/camunda-8.6-irsa/opensearch.tf index a2de966a..f3ac72b5 100644 --- a/examples/camunda-8.6-irsa/opensearch.tf +++ b/examples/camunda-8.6-irsa/opensearch.tf @@ -20,7 +20,7 @@ module "opensearch_domain" { engine_version = "2.15" instance_type = "t3.medium.search" - instance_count = 3 + instance_count = 3 # one instance per AZ ebs_volume_size = 50 subnet_ids = module.eks_cluster.private_subnet_ids 
diff --git a/examples/camunda-8.6/cluster.tf b/examples/camunda-8.6/cluster.tf index 6a9e99c2..ef6a8153 100644 --- a/examples/camunda-8.6/cluster.tf +++ b/examples/camunda-8.6/cluster.tf @@ -14,7 +14,8 @@ module "eks_cluster" { cluster_node_ipv4_cidr = "10.192.0.0/16" # Default node type for the Kubernetes cluster - np_instance_types = ["m6i.xlarge"] + np_instance_types = ["m6i.xlarge"] + np_desired_node_count = 4 } output "cert_manager_arn" { diff --git a/examples/camunda-8.6/db.tf b/examples/camunda-8.6/db.tf index 8819a01a..ed9c4180 100644 --- a/examples/camunda-8.6/db.tf +++ b/examples/camunda-8.6/db.tf @@ -35,6 +35,7 @@ module "postgresql" { subnet_ids = module.eks_cluster.private_subnet_ids cidr_blocks = concat(module.eks_cluster.private_vpc_cidr_blocks, module.eks_cluster.public_vpc_cidr_blocks) + num_instances = "1" # only one instance, you can add add other read-only instances if you want instance_class = "db.t3.medium" depends_on = [module.eks_cluster] diff --git a/examples/camunda-8.6/opensearch.tf b/examples/camunda-8.6/opensearch.tf index 26cc9419..c35c732b 100644 --- a/examples/camunda-8.6/opensearch.tf +++ b/examples/camunda-8.6/opensearch.tf @@ -7,8 +7,9 @@ module "opensearch_domain" { domain_name = local.opensearch_domain_name engine_version = "2.15" - instance_type = "t3.medium.search" - instance_count = 3 + instance_type = "t3.medium.search" + + instance_count = 3 # one instance per AZ ebs_volume_size = 50 subnet_ids = module.eks_cluster.private_subnet_ids From 1c146898113963139136f3458a5e3886f4f0a412 Mon Sep 17 00:00:00 2001 
From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Thu, 24 Oct 2024 17:05:09 +0200 Subject: [PATCH 119/135] add 8.7 folder --- examples/camunda-8.6-irsa/README.md | 2 +- examples/camunda-8.6/README.md | 2 +- examples/camunda-8.7-irsa/README.md | 4 + examples/camunda-8.7-irsa/cluster.tf | 29 +++ examples/camunda-8.7-irsa/config.tf | 19 ++ examples/camunda-8.7-irsa/db.tf | 180 ++++++++++++++++++ .../camunda-8.7-irsa/generated-values.yml | 130 +++++++++++++ .../helm-values/values-domain.yml | 158 +++++++++++++++ .../helm-values/values-no-domain.yml | 130 +++++++++++++ examples/camunda-8.7-irsa/opensearch.tf | 131 +++++++++++++ .../camunda-8.7-irsa/procedure/chart-env.sh | 1 + .../procedure/check-env-variables.sh | 13 ++ .../procedure/create-identity-secret.sh | 1 + .../procedure/create-setup-db-secret.sh | 12 ++ .../procedure/create-setup-os-secret.sh | 5 + .../procedure/export-helm-values.sh | 33 ++++ .../procedure/generate-passwords.sh | 1 + .../procedure/install-chart.sh | 1 + .../procedure/vars-create-db.sh | 1 + .../procedure/vars-create-os.sh | 3 + .../setup-opensearch-fgac.yml | 61 ++++++ .../setup-postgres-create-db.yml | 110 +++++++++++ examples/camunda-8.7/README.md | 4 + examples/camunda-8.7/cluster.tf | 29 +++ examples/camunda-8.7/config.tf | 19 ++ examples/camunda-8.7/db.tf | 47 +++++ .../camunda-8.7/helm-values/values-domain.yml | 111 +++++++++++ .../helm-values/values-no-domain.yml | 84 ++++++++ examples/camunda-8.7/opensearch.tf | 47 +++++ examples/camunda-8.7/procedure/chart-env.sh | 6 + .../procedure/check-env-variables.sh | 13 ++ .../procedure/create-external-db-secrets.sh | 17 ++ .../procedure/create-identity-secret.sh | 12 ++ .../procedure/create-setup-db-secret.sh | 15 ++ .../procedure/export-helm-values.sh | 21 ++ .../procedure/generate-passwords.sh | 7 + .../camunda-8.7/procedure/install-chart.sh | 6 + .../camunda-8.7/procedure/vars-create-db.sh | 6 + .../camunda-8.7/setup-postgres-create-db.yml | 121 ++++++++++++ 39 files 
changed, 1590 insertions(+), 2 deletions(-) create mode 100644 examples/camunda-8.7-irsa/README.md create mode 100644 examples/camunda-8.7-irsa/cluster.tf create mode 100644 examples/camunda-8.7-irsa/config.tf create mode 100644 examples/camunda-8.7-irsa/db.tf create mode 100644 examples/camunda-8.7-irsa/generated-values.yml create mode 100644 examples/camunda-8.7-irsa/helm-values/values-domain.yml create mode 100644 examples/camunda-8.7-irsa/helm-values/values-no-domain.yml create mode 100644 examples/camunda-8.7-irsa/opensearch.tf create mode 120000 examples/camunda-8.7-irsa/procedure/chart-env.sh create mode 100644 examples/camunda-8.7-irsa/procedure/check-env-variables.sh create mode 120000 examples/camunda-8.7-irsa/procedure/create-identity-secret.sh create mode 100644 examples/camunda-8.7-irsa/procedure/create-setup-db-secret.sh create mode 100644 examples/camunda-8.7-irsa/procedure/create-setup-os-secret.sh create mode 100644 examples/camunda-8.7-irsa/procedure/export-helm-values.sh create mode 120000 examples/camunda-8.7-irsa/procedure/generate-passwords.sh create mode 120000 examples/camunda-8.7-irsa/procedure/install-chart.sh create mode 120000 examples/camunda-8.7-irsa/procedure/vars-create-db.sh create mode 100644 examples/camunda-8.7-irsa/procedure/vars-create-os.sh create mode 100644 examples/camunda-8.7-irsa/setup-opensearch-fgac.yml create mode 100644 examples/camunda-8.7-irsa/setup-postgres-create-db.yml create mode 100644 examples/camunda-8.7/README.md create mode 100644 examples/camunda-8.7/cluster.tf create mode 100644 examples/camunda-8.7/config.tf create mode 100644 examples/camunda-8.7/db.tf create mode 100644 examples/camunda-8.7/helm-values/values-domain.yml create mode 100644 examples/camunda-8.7/helm-values/values-no-domain.yml create mode 100644 examples/camunda-8.7/opensearch.tf create mode 100644 examples/camunda-8.7/procedure/chart-env.sh create mode 100644 examples/camunda-8.7/procedure/check-env-variables.sh create mode 100644 
examples/camunda-8.7/procedure/create-external-db-secrets.sh create mode 100644 examples/camunda-8.7/procedure/create-identity-secret.sh create mode 100644 examples/camunda-8.7/procedure/create-setup-db-secret.sh create mode 100644 examples/camunda-8.7/procedure/export-helm-values.sh create mode 100644 examples/camunda-8.7/procedure/generate-passwords.sh create mode 100644 examples/camunda-8.7/procedure/install-chart.sh create mode 100644 examples/camunda-8.7/procedure/vars-create-db.sh create mode 100644 examples/camunda-8.7/setup-postgres-create-db.yml diff --git a/examples/camunda-8.6-irsa/README.md b/examples/camunda-8.6-irsa/README.md index 4ca0d850..6cc9e4ac 100644 --- a/examples/camunda-8.6-irsa/README.md +++ b/examples/camunda-8.6-irsa/README.md @@ -1,4 +1,4 @@ # Camunda 8.6 on AWS EKS with IRSA This folder describes the IaC of Camunda 8.6 on AWS EKS with IRSA. -Instructions can be found on the official documentation: https://docs.camunda.io/docs/self-managed/setup/deploy/amazon/amazon-eks/eks-terraform/ +Instructions can be found on the official documentation: https://docs.camunda.io/docs/8.6/self-managed/setup/deploy/amazon/amazon-eks/eks-terraform/ diff --git a/examples/camunda-8.6/README.md b/examples/camunda-8.6/README.md index aadc5bdb..7256d5aa 100644 --- a/examples/camunda-8.6/README.md +++ b/examples/camunda-8.6/README.md @@ -1,4 +1,4 @@ # Camunda 8.6 on AWS EKS This folder describes the IaC of Camunda 8.6 on AWS EKS. -Instructions can be found on the official documentation: https://docs.camunda.io/docs/self-managed/setup/deploy/amazon/amazon-eks/eks-terraform/ +Instructions can be found on the official documentation: https://docs.camunda.io/docs/8.6/self-managed/setup/deploy/amazon/amazon-eks/eks-terraform/ diff --git a/examples/camunda-8.7-irsa/README.md b/examples/camunda-8.7-irsa/README.md new file mode 100644 index 00000000..1fd56728 --- /dev/null +++ b/examples/camunda-8.7-irsa/README.md 
@@ -0,0 +1,4 @@ +# Camunda 8.7 on AWS EKS with IRSA + +This folder describes the IaC of Camunda 8.7 on AWS EKS with IRSA. +Instructions can be found on the official documentation: https://docs.camunda.io/docs/8.7/self-managed/setup/deploy/amazon/amazon-eks/eks-terraform/ diff --git a/examples/camunda-8.7-irsa/cluster.tf b/examples/camunda-8.7-irsa/cluster.tf new file mode 100644 index 00000000..4a0c7a9b --- /dev/null +++ b/examples/camunda-8.7-irsa/cluster.tf @@ -0,0 +1,29 @@ +locals { + eks_cluster_name = "cluster-name-irsa" # Change this to a name of your choice + eks_cluster_region = "eu-west-2" # Change this to your desired AWS region +} + +module "eks_cluster" { + source = "git::https://github.com/camunda/camunda-tf-eks-module//modules/eks-cluster?ref=3.0.0" + + name = local.eks_cluster_name + region = local.eks_cluster_region + + # Set CIDR ranges or use the defaults + cluster_service_ipv4_cidr = "10.190.0.0/16" + cluster_node_ipv4_cidr = "10.192.0.0/16" + + # Default node type for the Kubernetes cluster + np_instance_types = ["m6i.xlarge"] + np_desired_node_count = 4 +} + +output "cert_manager_arn" { + value = module.eks_cluster.cert_manager_arn + description = "The Amazon Resource Name (ARN) of the AWS IAM Roles for Service Account mapping for the cert-manager" +} + +output "external_dns_arn" { + value = module.eks_cluster.external_dns_arn + description = "The Amazon Resource Name (ARN) of the AWS IAM Roles for Service Account mapping for the external-dns" +} diff --git a/examples/camunda-8.7-irsa/config.tf b/examples/camunda-8.7-irsa/config.tf new file mode 100644 index 00000000..68e6a119 --- /dev/null +++ b/examples/camunda-8.7-irsa/config.tf 
@@ -0,0 +1,19 @@ +terraform { + required_version = ">= 1.0" + + # You can override the backend configuration; this is given as an example. + backend "s3" { + bucket = "my-eks-tf-state" + key = "camunda-terraform/terraform-irsa.tfstate" + encrypt = true + } + + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.69" + } + } +} + +provider "aws" {} diff --git a/examples/camunda-8.7-irsa/db.tf b/examples/camunda-8.7-irsa/db.tf new file mode 100644 index 00000000..ca901c2b --- /dev/null +++ b/examples/camunda-8.7-irsa/db.tf 
@@ -0,0 +1,180 @@ +locals { + aurora_cluster_name = "cluster-name-pg-irsa" # Replace "cluster-name" with your cluster's name + + aurora_master_username = "secret_user" # Replace with your Aurora username + aurora_master_password = "secretvalue%23" # Replace with your Aurora password + + camunda_database_keycloak = "camunda_keycloak" # Name of your camunda database for Keycloak + camunda_database_identity = "camunda_identity" # Name of your camunda database for Identity + camunda_database_webmodeler = "camunda_webmodeler" # Name of your camunda database for WebModeler + + # IRSA configuration + camunda_keycloak_db_username = "keycloak_irsa" # This is the username that will be used for IRSA connection to the DB on Keycloak db + camunda_identity_db_username = "identity_irsa" # This is the username that will be used for IRSA connection to the DB on Identity db + camunda_webmodeler_db_username = "webmodeler_irsa" # This is the username that will be used for IRSA connection to the DB on WebModeler db + + camunda_keycloak_service_account = "keycloak-sa" # Replace with your Kubernetes ServiceAcccount that will be created for Keycloak + camunda_identity_service_account = "identity-sa" # Replace with your Kubernetes ServiceAcccount that will be created for Identity + camunda_webmodeler_service_account = "webmodeler-sa" # Replace with your Kubernetes ServiceAcccount that will be created for WebModeler + + camunda_keycloak_role_name = "AuroraRole-Keycloak-${local.aurora_cluster_name}" # IAM Role name use to allow access to the keycloak db + camunda_identity_role_name = "AuroraRole-Identity-${local.aurora_cluster_name}" # IAM Role name use to allow access to the identity db + camunda_webmodeler_role_name = "AuroraRole-Webmodeler-${local.aurora_cluster_name}" # IAM Role name use to allow access to the webmodeler db +} + +module "postgresql" { + source = "git::https://github.com/camunda/camunda-tf-eks-module//modules/aurora?ref=3.0.0" + engine_version = "15.8" + 
auto_minor_version_upgrade = false + cluster_name = local.aurora_cluster_name + default_database_name = local.camunda_database_keycloak + + availability_zones = ["${local.eks_cluster_region}a", "${local.eks_cluster_region}b", "${local.eks_cluster_region}c"] + + username = local.aurora_master_username + password = local.aurora_master_password + + vpc_id = module.eks_cluster.vpc_id + subnet_ids = module.eks_cluster.private_subnet_ids + cidr_blocks = concat(module.eks_cluster.private_vpc_cidr_blocks, module.eks_cluster.public_vpc_cidr_blocks) + + num_instances = "1" # only one instance, you can add add other read-only instances if you want + instance_class = "db.t3.medium" + + # IAM IRSA + iam_auth_enabled = true + iam_roles_with_policies = [ + { + role_name = local.camunda_keycloak_role_name + trust_policy = < Date: Thu, 24 Oct 2024 17:10:43 +0200 Subject: [PATCH 120/135] remove broken links --- examples/camunda-8.6-irsa/README.md | 2 +- examples/camunda-8.6/README.md | 2 +- examples/camunda-8.7-irsa/README.md | 2 +- examples/camunda-8.7/README.md | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/examples/camunda-8.6-irsa/README.md b/examples/camunda-8.6-irsa/README.md index 6cc9e4ac..4ca0d850 100644 --- a/examples/camunda-8.6-irsa/README.md +++ b/examples/camunda-8.6-irsa/README.md @@ -1,4 +1,4 @@ # Camunda 8.6 on AWS EKS with IRSA This folder describes the IaC of Camunda 8.6 on AWS EKS with IRSA. -Instructions can be found on the official documentation: https://docs.camunda.io/docs/8.6/self-managed/setup/deploy/amazon/amazon-eks/eks-terraform/ +Instructions can be found on the official documentation: https://docs.camunda.io/docs/self-managed/setup/deploy/amazon/amazon-eks/eks-terraform/ diff --git a/examples/camunda-8.6/README.md b/examples/camunda-8.6/README.md index 7256d5aa..aadc5bdb 100644 --- a/examples/camunda-8.6/README.md +++ b/examples/camunda-8.6/README.md 
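Review bot: `aurora_master_password = "secretvalue%23"` and `aurora_master_username` are hard-coded in the `locals` block of the new `examples/camunda-8.7-irsa/db.tf`, so anyone who copies the example and edits the value in place commits the database admin credential to version control. I would take both from input variables instead: a `variable "aurora_master_password"` block with `type = string` and `sensitive = true`, then `password = var.aurora_master_password` in `module "postgresql"`. The value is still stored in the Terraform state, so a comment pointing at the encrypted backend in `config.tf` would help readers. The rest of this hunk, from the first `trust_policy` heredoc onward, is missing from the page, so the IAM role policies could not be reviewed.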
@@ -1,4 +1,4 @@ # Camunda 8.6 on AWS EKS This folder describes the IaC of Camunda 8.6 on AWS EKS. -Instructions can be found on the official documentation: https://docs.camunda.io/docs/8.6/self-managed/setup/deploy/amazon/amazon-eks/eks-terraform/ +Instructions can be found on the official documentation: https://docs.camunda.io/docs/self-managed/setup/deploy/amazon/amazon-eks/eks-terraform/ diff --git a/examples/camunda-8.7-irsa/README.md b/examples/camunda-8.7-irsa/README.md index 1fd56728..50b3b32e 100644 --- a/examples/camunda-8.7-irsa/README.md +++ b/examples/camunda-8.7-irsa/README.md @@ -1,4 +1,4 @@ # Camunda 8.7 on AWS EKS with IRSA This folder describes the IaC of Camunda 8.7 on AWS EKS with IRSA. -Instructions can be found on the official documentation: https://docs.camunda.io/docs/8.7/self-managed/setup/deploy/amazon/amazon-eks/eks-terraform/ +Instructions can be found on the official documentation: https://docs.camunda.io/docs/self-managed/setup/deploy/amazon/amazon-eks/eks-terraform/ diff --git a/examples/camunda-8.7/README.md b/examples/camunda-8.7/README.md index 672323b9..fad811da 100644 --- a/examples/camunda-8.7/README.md +++ b/examples/camunda-8.7/README.md @@ -1,4 +1,4 @@ # Camunda 8.7 on AWS EKS This folder describes the IaC of Camunda 8.7 on AWS EKS. -Instructions can be found on the official documentation: https://docs.camunda.io/docs/8.7/self-managed/setup/deploy/amazon/amazon-eks/eks-terraform/ +Instructions can be found on the official documentation: https://docs.camunda.io/docs/self-managed/setup/deploy/amazon/amazon-eks/eks-terraform/ From 7d0bb2a69367aaf6356070789010a457ee7c06a7 Mon Sep 17 00:00:00 2001 
From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Fri, 25 Oct 2024 09:45:14 +0200 Subject: [PATCH 121/135] add a fix for storage class deletion --- README.md | 28 ++++++++++++++++++++++++++++ modules/eks-cluster/README.md | 1 + modules/eks-cluster/cluster.tf | 2 ++ modules/eks-cluster/variables.tf | 6 ++++++ 4 files changed, 37 insertions(+) diff --git a/README.md b/README.md index c74f24a0..569c7d0e 100644 --- a/README.md +++ b/README.md @@ -73,6 +73,34 @@ module "opensearch_domain" { } ``` +#### Deletion Known Issues + +During the deletion process (`terraform destroy`) of the EKS Cluster, you may encounter an error message related to the `kubernetes_storage_class`: + +```` +Error: Get "http://localhost/apis/storage.k8s.io/v1/storageclasses/ebs-sc": dial tcp [::1]:80: connect: connection refused +│ +│ with module.eks_cluster.kubernetes_storage_class_v1.ebs_sc, +│ on .terraform/modules/eks_cluster/modules/eks-cluster/cluster.tf line 156, in resource "kubernetes_storage_class_v1" "ebs_sc": +│ 156: resource "kubernetes_storage_class_v1" "ebs_sc" { +│ +╵ +```` + +To resolve this issue, you can set the variable `create_ebs_gp3_default_storage_class` to `false`, which skips the creation of the `kubernetes_storage_class` resource. This helps to avoid dependency issues during deletion. Run the following command: + +```bash +terraform destroy -var="create_ebs_gp3_default_storage_class=false" +``` + +If you still encounter the issue, you may need to manually remove the state for the storage class: + +```bash +terraform state rm module.eks_cluster.kubernetes_storage_class_v1.ebs_sc +``` + +After performing these steps, re-run `terraform destroy` to complete the deletion process without further interruptions. + #### GitHub Actions You can automate the deployment and deletion of the EKS cluster and Aurora database using GitHub Actions. diff --git a/modules/eks-cluster/README.md b/modules/eks-cluster/README.md index fba237b0..9cb024d6 100644 
--- a/modules/eks-cluster/README.md +++ b/modules/eks-cluster/README.md @@ -54,6 +54,7 @@ module "eks_cluster" { | [cluster\_node\_ipv4\_cidr](#input\_cluster\_node\_ipv4\_cidr) | The CIDR block for public and private subnets of loadbalancers and nodes. Between /28 and /16. | `string` | `"10.192.0.0/16"` | no | | [cluster\_service\_ipv4\_cidr](#input\_cluster\_service\_ipv4\_cidr) | The CIDR block to assign Kubernetes service IP addresses from. Between /24 and /12. | `string` | `"10.190.0.0/16"` | no | | [cluster\_tags](#input\_cluster\_tags) | A map of additional tags to add to the cluster | `map(string)` | `{}` | no | +| [create\_ebs\_gp3\_default\_storage\_class](#input\_create\_ebs\_gp3\_default\_storage\_class) | Flag to determine if the kubernetes\_storage\_class should be created using EBS-CSI and set on GP3 by default. Set to 'false' to skip creating the storage class, useful for avoiding dependency issues during EKS cluster deletion. | `bool` | `true` | no | | [enable\_cluster\_creator\_admin\_permissions](#input\_enable\_cluster\_creator\_admin\_permissions) | Indicates whether or not to add the cluster creator (the identity used by Terraform) as an administrator via access entry. | `bool` | `true` | no | | [kubernetes\_version](#input\_kubernetes\_version) | Kubernetes version to be used by EKS | `string` | `"1.30"` | no | | [name](#input\_name) | Name being used for relevant resources - including EKS cluster name | `string` | n/a | yes | diff --git a/modules/eks-cluster/cluster.tf b/modules/eks-cluster/cluster.tf index 3dd167c8..64677561 100644 --- a/modules/eks-cluster/cluster.tf +++ b/modules/eks-cluster/cluster.tf @@ -154,6 +154,8 @@ provider "kubernetes" { # gp3 storage class resource "kubernetes_storage_class_v1" "ebs_sc" { + count = var.create_ebs_gp3_default_storage_class ? 1 : 0 + metadata { name = "ebs-sc" annotations = { diff --git a/modules/eks-cluster/variables.tf b/modules/eks-cluster/variables.tf index 8b2f8c63..d279f311 100644 
--- a/modules/eks-cluster/variables.tf +++ b/modules/eks-cluster/variables.tf @@ -99,3 +99,9 @@ variable "enable_cluster_creator_admin_permissions" { type = bool default = true } + +variable "create_ebs_gp3_default_storage_class" { + type = bool + default = true + description = "Flag to determine if the kubernetes_storage_class should be created using EBS-CSI and set on GP3 by default. Set to 'false' to skip creating the storage class, useful for avoiding dependency issues during EKS cluster deletion." +} From cfe4778c4da22cc2ff51dfa1923cd3f2f2efc8a2 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Fri, 25 Oct 2024 10:44:04 +0200 Subject: [PATCH 122/135] update reference config to let user set keys and bucket name --- examples/camunda-8.6-irsa/config.tf | 2 -- examples/camunda-8.6/config.tf | 2 -- examples/camunda-8.7-irsa/config.tf | 2 -- examples/camunda-8.7/config.tf | 2 -- 4 files changed, 8 deletions(-) diff --git a/examples/camunda-8.6-irsa/config.tf b/examples/camunda-8.6-irsa/config.tf index 68e6a119..16a100dc 100644 --- a/examples/camunda-8.6-irsa/config.tf +++ b/examples/camunda-8.6-irsa/config.tf @@ -3,8 +3,6 @@ terraform { # You can override the backend configuration; this is given as an example. backend "s3" { - bucket = "my-eks-tf-state" - key = "camunda-terraform/terraform-irsa.tfstate" encrypt = true } diff --git a/examples/camunda-8.6/config.tf b/examples/camunda-8.6/config.tf index b9b21da4..16a100dc 100644 --- a/examples/camunda-8.6/config.tf +++ b/examples/camunda-8.6/config.tf @@ -3,8 +3,6 @@ terraform { # You can override the backend configuration; this is given as an example. backend "s3" { - bucket = "my-eks-tf-state" - key = "camunda-terraform/terraform-std.tfstate" encrypt = true } diff --git a/examples/camunda-8.7-irsa/config.tf b/examples/camunda-8.7-irsa/config.tf index 68e6a119..16a100dc 100644 --- a/examples/camunda-8.7-irsa/config.tf +++ b/examples/camunda-8.7-irsa/config.tf 
@@ -3,8 +3,6 @@ terraform { # You can override the backend configuration; this is given as an example. backend "s3" { - bucket = "my-eks-tf-state" - key = "camunda-terraform/terraform-irsa.tfstate" encrypt = true } diff --git a/examples/camunda-8.7/config.tf b/examples/camunda-8.7/config.tf index b9b21da4..16a100dc 100644 --- a/examples/camunda-8.7/config.tf +++ b/examples/camunda-8.7/config.tf @@ -3,8 +3,6 @@ terraform { # You can override the backend configuration; this is given as an example. backend "s3" { - bucket = "my-eks-tf-state" - key = "camunda-terraform/terraform-std.tfstate" encrypt = true } From 460276e5ef2c65c980e9b921876f9626fc083e80 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Fri, 25 Oct 2024 11:21:14 +0200 Subject: [PATCH 123/135] add user arn --- modules/opensearch/README.md | 1 + modules/opensearch/main.tf | 3 +++ modules/opensearch/variables.tf | 5 +++++ 3 files changed, 9 insertions(+) diff --git a/modules/opensearch/README.md b/modules/opensearch/README.md index e8007832..7f38af0f 100644 --- a/modules/opensearch/README.md +++ b/modules/opensearch/README.md 
@@ -84,6 +84,7 @@ No modules. | [advanced\_security\_anonymous\_auth\_enabled](#input\_advanced\_security\_anonymous\_auth\_enabled) | Whether the anonymous auth is enabled. | `bool` | `false` | no | | [advanced\_security\_enabled](#input\_advanced\_security\_enabled) | Whether advanced security is enabled. | `bool` | `false` | no | | [advanced\_security\_internal\_user\_database\_enabled](#input\_advanced\_security\_internal\_user\_database\_enabled) | Whether the internal user database is enabled. | `bool` | `false` | no | +| [advanced\_security\_master\_user\_arn](#input\_advanced\_security\_master\_user\_arn) | ARN for the main user. Only specify if `advanced_security_internal_user_database_enabled` is set to false. | `string` | n/a | yes | | [advanced\_security\_master\_user\_name](#input\_advanced\_security\_master\_user\_name) | Main user's username, which is stored in the Amazon Elasticsearch Service domain's internal database. Only specify if `advanced_security_internal_user_database_enabled` is set to true. | `string` | `"opensearch-admin"` | no | | [advanced\_security\_master\_user\_password](#input\_advanced\_security\_master\_user\_password) | Main user's password, which is stored in the Amazon Elasticsearch Service domain's internal database. Only specify if `advanced_security_internal_user_database_enabled` is set to true. | `string` | `""` | no | | [auto\_software\_update\_enabled](#input\_auto\_software\_update\_enabled) | Software update auto for the domain. | `bool` | `false` | no | diff --git a/modules/opensearch/main.tf b/modules/opensearch/main.tf index c1de0203..803401cc 100644 --- a/modules/opensearch/main.tf +++ b/modules/opensearch/main.tf 
@@ -51,6 +51,9 @@ resource "aws_opensearch_domain" "opensearch_cluster" { master_user_options { master_user_name = var.advanced_security_master_user_name master_user_password = var.advanced_security_master_user_password + + # Only use master_user_arn if internal_user_database_enabled is false + master_user_arn = var.advanced_security_internal_user_database_enabled ? null : var.advanced_security_master_user_arn } anonymous_auth_enabled = var.advanced_security_anonymous_auth_enabled diff --git a/modules/opensearch/variables.tf b/modules/opensearch/variables.tf index fe469764..955d91cc 100644 --- a/modules/opensearch/variables.tf +++ b/modules/opensearch/variables.tf @@ -149,6 +149,11 @@ variable "advanced_security_internal_user_database_enabled" { description = "Whether the internal user database is enabled." } +variable "advanced_security_master_user_arn" { + type = string + description = "ARN for the main user. Only specify if `advanced_security_internal_user_database_enabled` is set to false." +} + variable "advanced_security_master_user_name" { type = string default = "opensearch-admin" From b80844f1ae65be437c0476a071a958af8534d485 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Fri, 25 Oct 2024 11:28:09 +0200 Subject: [PATCH 124/135] remove unused variable --- examples/camunda-8.6-irsa/procedure/create-setup-db-secret.sh | 1 - examples/camunda-8.6/procedure/create-setup-db-secret.sh | 1 - examples/camunda-8.7-irsa/procedure/create-setup-db-secret.sh | 1 - examples/camunda-8.7/procedure/create-setup-db-secret.sh | 1 - 4 files changed, 4 deletions(-) diff --git a/examples/camunda-8.6-irsa/procedure/create-setup-db-secret.sh b/examples/camunda-8.6-irsa/procedure/create-setup-db-secret.sh index 3453a9f8..92350c10 100644 --- a/examples/camunda-8.6-irsa/procedure/create-setup-db-secret.sh +++ b/examples/camunda-8.6-irsa/procedure/create-setup-db-secret.sh 
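Review bot: In `master_user_options` only the new `master_user_arn` is conditional; `master_user_name` and `master_user_password` are still passed unconditionally. With `advanced_security_internal_user_database_enabled = false` the block therefore carries the ARN together with the default user name `opensearch-admin` and the default empty password, although the variable descriptions say name and password should only be specified when the internal user database is enabled. The two existing lines should mirror the new one, e.g. `master_user_name = var.advanced_security_internal_user_database_enabled ? var.advanced_security_master_user_name : null` and the same form for `master_user_password`. The resource block starts and ends outside this hunk, so any other handling of these fields is not visible here.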
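Review bot: `advanced_security_master_user_arn` is declared without a default, so it becomes a required input even for callers who enable the internal user database, where main.tf discards the value. The README row added in this commit confirms it is listed as required. Adding `default = null` keeps it optional and consistent with the conditional in main.tf.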
@@ -1,7 +1,6 @@ kubectl create secret generic setup-db-secret --namespace camunda \ --from-literal=AURORA_ENDPOINT="$AURORA_ENDPOINT" \ --from-literal=AURORA_PORT="$AURORA_PORT" \ - --from-literal=AURORA_DB_NAME="$AURORA_DB_NAME" \ --from-literal=AURORA_USERNAME="$AURORA_USERNAME" \ --from-literal=AURORA_PASSWORD="$AURORA_PASSWORD" \ --from-literal=DB_KEYCLOAK_NAME="$DB_KEYCLOAK_NAME" \ diff --git a/examples/camunda-8.6/procedure/create-setup-db-secret.sh b/examples/camunda-8.6/procedure/create-setup-db-secret.sh index 4d53980c..6cb1cd43 100644 --- a/examples/camunda-8.6/procedure/create-setup-db-secret.sh +++ b/examples/camunda-8.6/procedure/create-setup-db-secret.sh @@ -1,7 +1,6 @@ kubectl create secret generic setup-db-secret --namespace camunda \ --from-literal=AURORA_ENDPOINT="$AURORA_ENDPOINT" \ --from-literal=AURORA_PORT="$AURORA_PORT" \ - --from-literal=AURORA_DB_NAME="$AURORA_DB_NAME" \ --from-literal=AURORA_USERNAME="$AURORA_USERNAME" \ --from-literal=AURORA_PASSWORD="$AURORA_PASSWORD" \ --from-literal=DB_KEYCLOAK_NAME="$DB_KEYCLOAK_NAME" \ diff --git a/examples/camunda-8.7-irsa/procedure/create-setup-db-secret.sh b/examples/camunda-8.7-irsa/procedure/create-setup-db-secret.sh index 3453a9f8..92350c10 100644 --- a/examples/camunda-8.7-irsa/procedure/create-setup-db-secret.sh +++ b/examples/camunda-8.7-irsa/procedure/create-setup-db-secret.sh @@ -1,7 +1,6 @@ kubectl create secret generic setup-db-secret --namespace camunda \ --from-literal=AURORA_ENDPOINT="$AURORA_ENDPOINT" \ --from-literal=AURORA_PORT="$AURORA_PORT" \ - --from-literal=AURORA_DB_NAME="$AURORA_DB_NAME" \ --from-literal=AURORA_USERNAME="$AURORA_USERNAME" \ --from-literal=AURORA_PASSWORD="$AURORA_PASSWORD" \ --from-literal=DB_KEYCLOAK_NAME="$DB_KEYCLOAK_NAME" \ diff --git a/examples/camunda-8.7/procedure/create-setup-db-secret.sh b/examples/camunda-8.7/procedure/create-setup-db-secret.sh index 4d53980c..6cb1cd43 100644 --- a/examples/camunda-8.7/procedure/create-setup-db-secret.sh 
+++ b/examples/camunda-8.7/procedure/create-setup-db-secret.sh @@ -1,7 +1,6 @@ kubectl create secret generic setup-db-secret --namespace camunda \ --from-literal=AURORA_ENDPOINT="$AURORA_ENDPOINT" \ --from-literal=AURORA_PORT="$AURORA_PORT" \ - --from-literal=AURORA_DB_NAME="$AURORA_DB_NAME" \ --from-literal=AURORA_USERNAME="$AURORA_USERNAME" \ --from-literal=AURORA_PASSWORD="$AURORA_PASSWORD" \ --from-literal=DB_KEYCLOAK_NAME="$DB_KEYCLOAK_NAME" \ From e92cd2f3b114492eab73937f3b03f34dcfba5023 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Fri, 25 Oct 2024 11:34:40 +0200 Subject: [PATCH 125/135] add an ignore message note --- examples/camunda-8.6-irsa/setup-postgres-create-db.yml | 3 +++ examples/camunda-8.6/setup-postgres-create-db.yml | 3 +++ examples/camunda-8.7-irsa/setup-postgres-create-db.yml | 3 +++ examples/camunda-8.7/setup-postgres-create-db.yml | 3 +++ 4 files changed, 12 insertions(+) diff --git a/examples/camunda-8.6-irsa/setup-postgres-create-db.yml b/examples/camunda-8.6-irsa/setup-postgres-create-db.yml index b8925eee..cc34b276 100644 --- a/examples/camunda-8.6-irsa/setup-postgres-create-db.yml +++ b/examples/camunda-8.6-irsa/setup-postgres-create-db.yml @@ -25,6 +25,7 @@ spec: yum install -y postgresql15 echo "Create keycloak user and associated database" + echo "Note: Any message indicating that the user or the database already exists is informational and can be safely ignored." psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=postgres user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ -c "CREATE DATABASE \"${DB_KEYCLOAK_NAME}\";" 
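Review bot: The added `echo` tells the operator that "already exists" messages can be ignored, but nothing in the visible script separates that expected case from a real failure such as rejected credentials, a TLS error or a missing privilege, so a genuine error is easy to skim past in the same output. Making the step idempotent would remove the need for the note: check `pg_database` (and `pg_roles` for the user) for the name before issuing `CREATE DATABASE`, and run the remaining statements with `psql -v ON_ERROR_STOP=1` so anything unexpected fails the job. The same line is added in the other two hunks of this file and in the three other copies of `setup-postgres-create-db.yml` in this commit. The script body starts and ends outside the hunk, so whether the job already aborts on errors is not visible here.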
@@ -37,6 +38,7 @@ spec: echo "Create identity user and associated database" + echo "Note: Any message indicating that the user or the database already exists is informational and can be safely ignored." psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=postgres user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ -c "CREATE DATABASE \"${DB_IDENTITY_NAME}\";" @@ -47,6 +49,7 @@ spec: -c "GRANT rds_iam TO \"${DB_IDENTITY_USERNAME}\";" echo "Create webmodeler user and associated database" + echo "Note: Any message indicating that the user or the database already exists is informational and can be safely ignored." psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=postgres user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ -c "CREATE DATABASE \"${DB_WEBMODELER_NAME}\";" diff --git a/examples/camunda-8.6/setup-postgres-create-db.yml b/examples/camunda-8.6/setup-postgres-create-db.yml index efcd05f1..67920b28 100644 --- a/examples/camunda-8.6/setup-postgres-create-db.yml +++ b/examples/camunda-8.6/setup-postgres-create-db.yml @@ -25,6 +25,7 @@ spec: yum install -y postgresql15 echo "Create keycloak user and associated database" + echo "Note: Any message indicating that the user or the database already exists is informational and can be safely ignored." psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=postgres user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ -c "CREATE DATABASE \"${DB_KEYCLOAK_NAME}\";" @@ -35,6 +36,7 @@ spec: -c "GRANT ALL ON SCHEMA public TO \"${DB_KEYCLOAK_USERNAME}\";" echo "Create identity user and associated database" + echo "Note: Any message indicating that the user or the database already exists is informational and can be safely ignored." psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=postgres user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ -c "CREATE DATABASE \"${DB_IDENTITY_NAME}\";" 
@@ -44,6 +46,7 @@ spec: -c "GRANT ALL ON SCHEMA public TO \"${DB_IDENTITY_USERNAME}\";" echo "Create webmodeler user and associated database" + echo "Note: Any message indicating that the user or the database already exists is informational and can be safely ignored." psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=postgres user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ -c "CREATE DATABASE \"${DB_WEBMODELER_NAME}\";" diff --git a/examples/camunda-8.7-irsa/setup-postgres-create-db.yml b/examples/camunda-8.7-irsa/setup-postgres-create-db.yml index b8925eee..cc34b276 100644 --- a/examples/camunda-8.7-irsa/setup-postgres-create-db.yml +++ b/examples/camunda-8.7-irsa/setup-postgres-create-db.yml @@ -25,6 +25,7 @@ spec: yum install -y postgresql15 echo "Create keycloak user and associated database" + echo "Note: Any message indicating that the user or the database already exists is informational and can be safely ignored." psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=postgres user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ -c "CREATE DATABASE \"${DB_KEYCLOAK_NAME}\";" @@ -37,6 +38,7 @@ spec: echo "Create identity user and associated database" + echo "Note: Any message indicating that the user or the database already exists is informational and can be safely ignored." psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=postgres user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ -c "CREATE DATABASE \"${DB_IDENTITY_NAME}\";" @@ -47,6 +49,7 @@ spec: -c "GRANT rds_iam TO \"${DB_IDENTITY_USERNAME}\";" echo "Create webmodeler user and associated database" + echo "Note: Any message indicating that the user or the database already exists is informational and can be safely ignored." psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=postgres user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ -c "CREATE DATABASE \"${DB_WEBMODELER_NAME}\";" 
diff --git a/examples/camunda-8.7/setup-postgres-create-db.yml b/examples/camunda-8.7/setup-postgres-create-db.yml index efcd05f1..67920b28 100644 --- a/examples/camunda-8.7/setup-postgres-create-db.yml +++ b/examples/camunda-8.7/setup-postgres-create-db.yml @@ -25,6 +25,7 @@ spec: yum install -y postgresql15 echo "Create keycloak user and associated database" + echo "Note: Any message indicating that the user or the database already exists is informational and can be safely ignored." psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=postgres user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ -c "CREATE DATABASE \"${DB_KEYCLOAK_NAME}\";" @@ -35,6 +36,7 @@ spec: -c "GRANT ALL ON SCHEMA public TO \"${DB_KEYCLOAK_USERNAME}\";" echo "Create identity user and associated database" + echo "Note: Any message indicating that the user or the database already exists is informational and can be safely ignored." psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=postgres user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ -c "CREATE DATABASE \"${DB_IDENTITY_NAME}\";" @@ -44,6 +46,7 @@ spec: -c "GRANT ALL ON SCHEMA public TO \"${DB_IDENTITY_USERNAME}\";" echo "Create webmodeler user and associated database" + echo "Note: Any message indicating that the user or the database already exists is informational and can be safely ignored." psql -h $AURORA_ENDPOINT -p $AURORA_PORT "sslmode=require dbname=postgres user=$AURORA_USERNAME password=$AURORA_PASSWORD" \ -c "CREATE DATABASE \"${DB_WEBMODELER_NAME}\";" From dcb196a8f91bd7ed423d31c670dca99abb022f70 Mon Sep 17 00:00:00 2001 
From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Fri, 25 Oct 2024 15:16:09 +0200 Subject: [PATCH 126/135] add directions for password strength --- examples/camunda-8.6-irsa/db.tf | 3 ++- examples/camunda-8.6-irsa/opensearch.tf | 2 +- examples/camunda-8.6/db.tf | 2 +- examples/camunda-8.7-irsa/db.tf | 2 +- examples/camunda-8.7-irsa/opensearch.tf | 2 +- examples/camunda-8.7/db.tf | 2 +- 6 files changed, 7 insertions(+), 6 deletions(-) diff --git a/examples/camunda-8.6-irsa/db.tf b/examples/camunda-8.6-irsa/db.tf index ca901c2b..c878f6f6 100644 --- a/examples/camunda-8.6-irsa/db.tf +++ b/examples/camunda-8.6-irsa/db.tf @@ -2,7 +2,8 @@ locals { aurora_cluster_name = "cluster-name-pg-irsa" # Replace "cluster-name" with your cluster's name aurora_master_username = "secret_user" # Replace with your Aurora username - aurora_master_password = "secretvalue%23" # Replace with your Aurora password + aurora_master_password = "secretvalue%23" # Replace with your Aurora password, password must contain at least one letter, one number, and one special character. + camunda_database_keycloak = "camunda_keycloak" # Name of your camunda database for Keycloak camunda_database_identity = "camunda_identity" # Name of your camunda database for Identity diff --git a/examples/camunda-8.6-irsa/opensearch.tf b/examples/camunda-8.6-irsa/opensearch.tf index f3ac72b5..3e9d8306 100644 --- a/examples/camunda-8.6-irsa/opensearch.tf +++ b/examples/camunda-8.6-irsa/opensearch.tf 
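Review bot: The expanded comment on `aurora_master_password` documents complexity rules but keeps the credential as a literal in a `locals` block, which in practice means users edit their real password into a file that is committed. The example would be safer with the password declared as an input variable marked `sensitive = true` and supplied at apply time (for instance through `TF_VAR_aurora_master_password`), with the complexity rule moved into that variable's `description`. If the literal stays, the comment reads better as two sentences: `# Replace with your Aurora password. It must contain at least one letter, one number, and one special character.` The same applies to the other `db.tf` hunks and to `opensearch_master_password` in the `opensearch.tf` hunks of this commit; this hunk also adds a blank line that the other three `db.tf` hunks do not. The `locals` block continues outside the hunk.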
@@ -2,7 +2,7 @@ locals { opensearch_domain_name = "domain-name-os-irsa" # Replace "domain-name" with your domain name opensearch_master_username = "secret_user" # Replace with your opensearch username - opensearch_master_password = "Secretvalue$23" # Replace with your opensearch password + opensearch_master_password = "Secretvalue$23" # Replace with your opensearch password, password must contain at least one uppercase letter, one lowercase letter, one number, and one special character. opensearch_iam_role_name = "OpenSearchRole-${local.opensearch_domain_name}" # Ensure uniqueness diff --git a/examples/camunda-8.6/db.tf b/examples/camunda-8.6/db.tf index ed9c4180..6b50cc6f 100644 --- a/examples/camunda-8.6/db.tf +++ b/examples/camunda-8.6/db.tf @@ -2,7 +2,7 @@ locals { aurora_cluster_name = "cluster-name-pg-std" # Replace "cluster-name" with your cluster's name aurora_master_username = "secret_user" # Replace with your Aurora username - aurora_master_password = "secretvalue%23" # Replace with your Aurora password + aurora_master_password = "secretvalue%23" # Replace with your Aurora password, password must contain at least one letter, one number, and one special character. camunda_database_keycloak = "camunda_keycloak" # Name of your camunda database for Keycloak camunda_database_identity = "camunda_identity" # Name of your camunda database for Identity diff --git a/examples/camunda-8.7-irsa/db.tf b/examples/camunda-8.7-irsa/db.tf index ca901c2b..8a81fdfa 100644 --- a/examples/camunda-8.7-irsa/db.tf +++ b/examples/camunda-8.7-irsa/db.tf 
@@ -2,7 +2,7 @@ locals { aurora_cluster_name = "cluster-name-pg-irsa" # Replace "cluster-name" with your cluster's name aurora_master_username = "secret_user" # Replace with your Aurora username - aurora_master_password = "secretvalue%23" # Replace with your Aurora password + aurora_master_password = "secretvalue%23" # Replace with your Aurora password, password must contain at least one letter, one number, and one special character. camunda_database_keycloak = "camunda_keycloak" # Name of your camunda database for Keycloak camunda_database_identity = "camunda_identity" # Name of your camunda database for Identity diff --git a/examples/camunda-8.7-irsa/opensearch.tf b/examples/camunda-8.7-irsa/opensearch.tf index f3ac72b5..3e9d8306 100644 --- a/examples/camunda-8.7-irsa/opensearch.tf +++ b/examples/camunda-8.7-irsa/opensearch.tf @@ -2,7 +2,7 @@ locals { opensearch_domain_name = "domain-name-os-irsa" # Replace "domain-name" with your domain name opensearch_master_username = "secret_user" # Replace with your opensearch username - opensearch_master_password = "Secretvalue$23" # Replace with your opensearch password + opensearch_master_password = "Secretvalue$23" # Replace with your opensearch password, password must contain at least one uppercase letter, one lowercase letter, one number, and one special character. opensearch_iam_role_name = "OpenSearchRole-${local.opensearch_domain_name}" # Ensure uniqueness diff --git a/examples/camunda-8.7/db.tf b/examples/camunda-8.7/db.tf index ed9c4180..6b50cc6f 100644 --- a/examples/camunda-8.7/db.tf +++ b/examples/camunda-8.7/db.tf 
@@ -2,7 +2,7 @@ locals { aurora_cluster_name = "cluster-name-pg-std" # Replace "cluster-name" with your cluster's name aurora_master_username = "secret_user" # Replace with your Aurora username - aurora_master_password = "secretvalue%23" # Replace with your Aurora password + aurora_master_password = "secretvalue%23" # Replace with your Aurora password, password must contain at least one letter, one number, and one special character. camunda_database_keycloak = "camunda_keycloak" # Name of your camunda database for Keycloak camunda_database_identity = "camunda_identity" # Name of your camunda database for Identity From 8af038977b6d38281aded373a29858e475a5dc2e Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Fri, 25 Oct 2024 16:02:37 +0200 Subject: [PATCH 127/135] fix 8.7 values --- examples/camunda-8.7-irsa/procedure/chart-env.sh | 2 +- examples/camunda-8.7-irsa/procedure/create-identity-secret.sh | 2 +- examples/camunda-8.7-irsa/procedure/generate-passwords.sh | 2 +- examples/camunda-8.7-irsa/procedure/install-chart.sh | 2 +- examples/camunda-8.7-irsa/procedure/vars-create-db.sh | 2 +- examples/camunda-8.7/procedure/chart-env.sh | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/examples/camunda-8.7-irsa/procedure/chart-env.sh b/examples/camunda-8.7-irsa/procedure/chart-env.sh index 8e57df9a..a702393f 120000 --- a/examples/camunda-8.7-irsa/procedure/chart-env.sh +++ b/examples/camunda-8.7-irsa/procedure/chart-env.sh @@ -1 +1 @@ -../../camunda-8.6/procedure/chart-env.sh \ No newline at end of file +../../camunda-8.7/procedure/chart-env.sh \ No newline at end of file diff --git a/examples/camunda-8.7-irsa/procedure/create-identity-secret.sh b/examples/camunda-8.7-irsa/procedure/create-identity-secret.sh index bfc9a3a1..3128ce17 120000 --- a/examples/camunda-8.7-irsa/procedure/create-identity-secret.sh +++ b/examples/camunda-8.7-irsa/procedure/create-identity-secret.sh 
@@ -1 +1 @@ -../../camunda-8.6/procedure/create-identity-secret.sh \ No newline at end of file +../../camunda-8.7/procedure/create-identity-secret.sh \ No newline at end of file diff --git a/examples/camunda-8.7-irsa/procedure/generate-passwords.sh b/examples/camunda-8.7-irsa/procedure/generate-passwords.sh index 33bee158..d4a3dd8b 120000 --- a/examples/camunda-8.7-irsa/procedure/generate-passwords.sh +++ b/examples/camunda-8.7-irsa/procedure/generate-passwords.sh @@ -1 +1 @@ -../../camunda-8.6/procedure/generate-passwords.sh \ No newline at end of file +../../camunda-8.7/procedure/generate-passwords.sh \ No newline at end of file diff --git a/examples/camunda-8.7-irsa/procedure/install-chart.sh b/examples/camunda-8.7-irsa/procedure/install-chart.sh index 50bec488..07784efb 120000 --- a/examples/camunda-8.7-irsa/procedure/install-chart.sh +++ b/examples/camunda-8.7-irsa/procedure/install-chart.sh @@ -1 +1 @@ -../../camunda-8.6/procedure/install-chart.sh \ No newline at end of file +../../camunda-8.7/procedure/install-chart.sh \ No newline at end of file diff --git a/examples/camunda-8.7-irsa/procedure/vars-create-db.sh b/examples/camunda-8.7-irsa/procedure/vars-create-db.sh index cfefa0cd..41d06a93 120000 --- a/examples/camunda-8.7-irsa/procedure/vars-create-db.sh +++ b/examples/camunda-8.7-irsa/procedure/vars-create-db.sh @@ -1 +1 @@ -../../camunda-8.6/procedure/vars-create-db.sh \ No newline at end of file +../../camunda-8.7/procedure/vars-create-db.sh \ No newline at end of file diff --git a/examples/camunda-8.7/procedure/chart-env.sh b/examples/camunda-8.7/procedure/chart-env.sh index 09fcd562..1d391515 100644 --- a/examples/camunda-8.7/procedure/chart-env.sh +++ b/examples/camunda-8.7/procedure/chart-env.sh @@ -3,4 +3,4 @@ export REGION="$AWS_REGION" # The Camunda 8 Helm Chart version # renovate: datasource=helm depName=camunda-platform registryUrl=https://helm.camunda.io -export CAMUNDA_HELM_CHART_VERSION="SNAPSHOT" +export CAMUNDA_HELM_CHART_VERSION="12.0.0" 
From 44e257c1a2b5f4a53287778f36533dc6d78ca493 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Fri, 25 Oct 2024 17:02:02 +0200 Subject: [PATCH 128/135] fix default values for webmodeler with mandatory parameters --- examples/camunda-8.6-irsa/helm-values/values-domain.yml | 5 +++++ .../camunda-8.6-irsa/helm-values/values-no-domain.yml | 7 +++++++ examples/camunda-8.6/helm-values/values-domain.yml | 3 +++ examples/camunda-8.6/helm-values/values-no-domain.yml | 3 +++ examples/camunda-8.7-irsa/helm-values/values-domain.yml | 5 +++++ .../camunda-8.7-irsa/helm-values/values-no-domain.yml | 8 +++++++- examples/camunda-8.7/helm-values/values-domain.yml | 3 +++ examples/camunda-8.7/helm-values/values-no-domain.yml | 3 +++ 8 files changed, 36 insertions(+), 1 deletion(-) diff --git a/examples/camunda-8.6-irsa/helm-values/values-domain.yml b/examples/camunda-8.6-irsa/helm-values/values-domain.yml index b7a5b053..e844e7a9 100644 --- a/examples/camunda-8.6-irsa/helm-values/values-domain.yml +++ b/examples/camunda-8.6-irsa/helm-values/values-domain.yml @@ -79,9 +79,14 @@ webModeler: externalDatabase: url: jdbc:aws-wrapper:postgresql://${DB_HOST}:5432/${DB_WEBMODELER_NAME}?wrapperPlugins=iam user: ${DB_WEBMODELER_USERNAME} + existingSecret: identity-secret-for-components # this fake password reference is needed to let the chart deploy webmodeler + existingSecretPasswordKey: password env: - name: SPRING_DATASOURCE_DRIVER_CLASS_NAME value: software.amazon.jdbc.Driver + mail: + existingSecret: identity-secret-for-components # reference the smtp password + fromAddress: changeme@example.com # change this required value identity: contextPath: /identity diff --git a/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml b/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml index 3e1d7810..14816b5d 100644 --- a/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml +++ b/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml 
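Review bot: Both references added under `webModeler.restapi` point at `identity-secret-for-components`, once as a placeholder database password (`existingSecretPasswordKey: password`) and once for `mail.existingSecret`, whose comment says it references the SMTP password. Whether that secret holds a `password` key or an SMTP entry is not visible in this commit; if it does not, the chart will presumably reference a missing key, and if it does, an identity credential is shared with components that do not need it. A dedicated secret for mail, e.g. `existingSecret: <your-smtp-secret>` (placeholder name), keeps the credentials separated, and the placeholder comment could state that with `wrapperPlugins=iam` the password value is not expected to be used. The same lines are added to the other `helm-values` files in this commit. The `webModeler` block continues outside the hunk.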
@@ -61,6 +61,8 @@ global: name: identity-secret-for-components webModeler: + enabled: false # by default, webModeler is not enabled + serviceAccount: name: ${CAMUNDA_WEBMODELER_SERVICE_ACCOUNT_NAME} annotations: @@ -70,9 +72,14 @@ webModeler: externalDatabase: url: jdbc:aws-wrapper:postgresql://${DB_HOST}:5432/${DB_WEBMODELER_NAME}?wrapperPlugins=iam user: ${DB_WEBMODELER_USERNAME} + existingSecret: identity-secret-for-components # this fake password reference is needed to let the chart deploy webmodeler + existingSecretPasswordKey: password env: - name: SPRING_DATASOURCE_DRIVER_CLASS_NAME value: software.amazon.jdbc.Driver + mail: + existingSecret: identity-secret-for-components # reference the smtp password + fromAddress: changeme@example.com # change this required value identity: diff --git a/examples/camunda-8.6/helm-values/values-domain.yml b/examples/camunda-8.6/helm-values/values-domain.yml index cdd6c864..14514dc5 100644 --- a/examples/camunda-8.6/helm-values/values-domain.yml +++ b/examples/camunda-8.6/helm-values/values-domain.yml @@ -90,6 +90,9 @@ webModeler: user: ${DB_WEBMODELER_USERNAME} existingSecret: webmodeler-postgres-secret existingSecretPasswordKey: password + mail: + existingSecret: identity-secret-for-components # reference the smtp password + fromAddress: changeme@example.com # change this required value optimize: contextPath: /optimize diff --git a/examples/camunda-8.6/helm-values/values-no-domain.yml b/examples/camunda-8.6/helm-values/values-no-domain.yml index debcd95b..12a82e84 100644 --- a/examples/camunda-8.6/helm-values/values-no-domain.yml +++ b/examples/camunda-8.6/helm-values/values-no-domain.yml @@ -75,6 +75,9 @@ webModeler: user: ${DB_WEBMODELER_USERNAME} existingSecret: webmodeler-postgres-secret existingSecretPasswordKey: password + mail: + existingSecret: identity-secret-for-components # reference the smtp password + fromAddress: changeme@example.com # change this required value optimize: migration: 
diff --git a/examples/camunda-8.7-irsa/helm-values/values-domain.yml b/examples/camunda-8.7-irsa/helm-values/values-domain.yml index b7a5b053..e844e7a9 100644 --- a/examples/camunda-8.7-irsa/helm-values/values-domain.yml +++ b/examples/camunda-8.7-irsa/helm-values/values-domain.yml @@ -79,9 +79,14 @@ webModeler: externalDatabase: url: jdbc:aws-wrapper:postgresql://${DB_HOST}:5432/${DB_WEBMODELER_NAME}?wrapperPlugins=iam user: ${DB_WEBMODELER_USERNAME} + existingSecret: identity-secret-for-components # this fake password reference is needed to let the chart deploy webmodeler + existingSecretPasswordKey: password env: - name: SPRING_DATASOURCE_DRIVER_CLASS_NAME value: software.amazon.jdbc.Driver + mail: + existingSecret: identity-secret-for-components # reference the smtp password + fromAddress: changeme@example.com # change this required value identity: contextPath: /identity diff --git a/examples/camunda-8.7-irsa/helm-values/values-no-domain.yml b/examples/camunda-8.7-irsa/helm-values/values-no-domain.yml index 3e1d7810..090df7ec 100644 --- a/examples/camunda-8.7-irsa/helm-values/values-no-domain.yml +++ b/examples/camunda-8.7-irsa/helm-values/values-no-domain.yml @@ -61,6 +61,8 @@ global: name: identity-secret-for-components webModeler: + enabled: false # by default, webModeler is not enabled + serviceAccount: name: ${CAMUNDA_WEBMODELER_SERVICE_ACCOUNT_NAME} annotations: @@ -70,10 +72,14 @@ webModeler: externalDatabase: url: jdbc:aws-wrapper:postgresql://${DB_HOST}:5432/${DB_WEBMODELER_NAME}?wrapperPlugins=iam user: ${DB_WEBMODELER_USERNAME} + existingSecret: identity-secret-for-components # this fake password reference is needed to let the chart deploy webmodeler + existingSecretPasswordKey: password env: - name: SPRING_DATASOURCE_DRIVER_CLASS_NAME value: software.amazon.jdbc.Driver - + mail: + existingSecret: identity-secret-for-components # reference the smtp password + fromAddress: changeme@example.com # change this required value identity: serviceAccount: 
diff --git a/examples/camunda-8.7/helm-values/values-domain.yml b/examples/camunda-8.7/helm-values/values-domain.yml index cdd6c864..14514dc5 100644 --- a/examples/camunda-8.7/helm-values/values-domain.yml +++ b/examples/camunda-8.7/helm-values/values-domain.yml @@ -90,6 +90,9 @@ webModeler: user: ${DB_WEBMODELER_USERNAME} existingSecret: webmodeler-postgres-secret existingSecretPasswordKey: password + mail: + existingSecret: identity-secret-for-components # reference the smtp password + fromAddress: changeme@example.com # change this required value optimize: contextPath: /optimize diff --git a/examples/camunda-8.7/helm-values/values-no-domain.yml b/examples/camunda-8.7/helm-values/values-no-domain.yml index debcd95b..12a82e84 100644 --- a/examples/camunda-8.7/helm-values/values-no-domain.yml +++ b/examples/camunda-8.7/helm-values/values-no-domain.yml @@ -75,6 +75,9 @@ webModeler: user: ${DB_WEBMODELER_USERNAME} existingSecret: webmodeler-postgres-secret existingSecretPasswordKey: password + mail: + existingSecret: identity-secret-for-components # reference the smtp password + fromAddress: changeme@example.com # change this required value optimize: migration: From 6c12e7688f62e07db97480aff5b6a6737f79c066 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Fri, 25 Oct 2024 17:23:35 +0200 Subject: [PATCH 129/135] add console and modeler --- .../helm-values/values-domain.yml | 12 ++++++++++++ .../helm-values/values-no-domain.yml | 13 ++++++++++--- .../camunda-8.6/helm-values/values-domain.yml | 12 ++++++++++++ .../camunda-8.6/helm-values/values-no-domain.yml | 15 ++++++++++++--- .../helm-values/values-domain.yml | 12 ++++++++++++ .../helm-values/values-no-domain.yml | 15 ++++++++++++--- .../camunda-8.7/helm-values/values-domain.yml | 11 +++++++++++ .../camunda-8.7/helm-values/values-no-domain.yml | 15 ++++++++++++--- 8 files changed, 93 insertions(+), 12 deletions(-) 
diff --git a/examples/camunda-8.6-irsa/helm-values/values-domain.yml b/examples/camunda-8.6-irsa/helm-values/values-domain.yml index e844e7a9..443bec15 100644 --- a/examples/camunda-8.6-irsa/helm-values/values-domain.yml +++ b/examples/camunda-8.6-irsa/helm-values/values-domain.yml @@ -66,10 +66,18 @@ global: redirectUrl: https://${DOMAIN_NAME}/optimize existingSecret: name: identity-secret-for-components + webModeler: + redirectUrl: https://${DOMAIN_NAME}/modeler + console: + redirectUrl: https://${DOMAIN_NAME}/console + existingSecret: + name: identity-secret-for-components webModeler: enabled: false # by default, webModeler is not enabled + contextPath: /modeler + serviceAccount: name: ${CAMUNDA_WEBMODELER_SERVICE_ACCOUNT_NAME} annotations: @@ -159,5 +167,9 @@ zeebeGateway: kubernetes.io/tls-acme: 'true' contextPath: /zeebe +console: + enabled: false # by default, console is not enabled + contextPath: /console + elasticsearch: enabled: false diff --git a/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml b/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml index 14816b5d..7f95f95f 100644 --- a/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml +++ b/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml 
@@ -48,15 +48,19 @@ global: existingSecret: name: identity-secret-for-components operate: - redirectUrl: http://localhost:8071 # replace this with a port of your choice when you will do port forwarding + redirectUrl: http://localhost:8081 # replace this with a port of your choice when you will do port forwarding existingSecret: name: identity-secret-for-components tasklist: - redirectUrl: http://localhost:8072 # replace this with a port of your choice when you will do port forwarding + redirectUrl: http://localhost:8082 # replace this with a port of your choice when you will do port forwarding existingSecret: name: identity-secret-for-components optimize: - redirectUrl: http://localhost:8073 # replace this with a port of your choice when you will do port forwarding + redirectUrl: http://localhost:8083 # replace this with a port of your choice when you will do port forwarding + webModeler: + redirectUrl: http://localhost:8084 + console: + redirectUrl: http://localhost:8085 existingSecret: name: identity-secret-for-components @@ -133,5 +137,8 @@ optimize: migration: enabled: false +console: + enabled: false # by default, console is not enabled + elasticsearch: enabled: false diff --git a/examples/camunda-8.6/helm-values/values-domain.yml b/examples/camunda-8.6/helm-values/values-domain.yml index 14514dc5..f9c6982a 100644 --- a/examples/camunda-8.6/helm-values/values-domain.yml +++ b/examples/camunda-8.6/helm-values/values-domain.yml @@ -58,6 +58,12 @@ global: redirectUrl: https://${DOMAIN_NAME}/optimize existingSecret: name: identity-secret-for-components + webModeler: + redirectUrl: https://${DOMAIN_NAME}/modeler + console: + redirectUrl: https://${DOMAIN_NAME}/console + existingSecret: + name: identity-secret-for-components elasticsearch: enabled: false 
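Review bot: In the first hunk the new `webModeler` and `console` entries are inserted between the `optimize` `redirectUrl` and the `existingSecret` lines that used to follow it, so `existingSecret` / `name: identity-secret-for-components` now sits under `console` and `optimize` is left without a secret reference. The non-IRSA `examples/camunda-8.6/helm-values/values-no-domain.yml` in this same commit adds the two lines back under `optimize`; this file should do the same by placing `existingSecret:` and `name: identity-secret-for-components` directly after the optimize `redirectUrl`. Indentation is not recoverable in this view, so the nesting is inferred from line order and the diffstat (13 changed lines here against 15 in the non-IRSA file). The new `webModeler` and `console` `redirectUrl` lines also lack the port-forwarding comment that the neighbouring entries carry.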
@@ -84,6 +90,8 @@ tasklist: webModeler: enabled: false # by default, webModeler is not enabled + contextPath: /modeler + restapi: externalDatabase: url: jdbc:aws-wrapper:postgresql://${DB_HOST}:5432/${DB_WEBMODELER_NAME} @@ -112,3 +120,7 @@ zeebeGateway: annotations: kubernetes.io/tls-acme: 'true' contextPath: /zeebe + +console: + enabled: false # by default, console is not enabled + contextPath: /console diff --git a/examples/camunda-8.6/helm-values/values-no-domain.yml b/examples/camunda-8.6/helm-values/values-no-domain.yml index 12a82e84..126e9c6b 100644 --- a/examples/camunda-8.6/helm-values/values-no-domain.yml +++ b/examples/camunda-8.6/helm-values/values-no-domain.yml @@ -42,15 +42,21 @@ global: existingSecret: name: identity-secret-for-components operate: - redirectUrl: http://localhost:8071 # replace this with a port of your choice when you will do port forwarding + redirectUrl: http://localhost:8081 # replace this with a port of your choice when you will do port forwarding existingSecret: name: identity-secret-for-components tasklist: - redirectUrl: http://localhost:8072 # replace this with a port of your choice when you will do port forwarding + redirectUrl: http://localhost:8082 # replace this with a port of your choice when you will do port forwarding existingSecret: name: identity-secret-for-components optimize: - redirectUrl: http://localhost:8073 # replace this with a port of your choice when you will do port forwarding + redirectUrl: http://localhost:8083 # replace this with a port of your choice when you will do port forwarding + existingSecret: + name: identity-secret-for-components + webModeler: + redirectUrl: http://localhost:8084 + console: + redirectUrl: http://localhost:8085 existingSecret: name: identity-secret-for-components @@ -83,5 +89,8 @@ optimize: migration: enabled: false +console: + enabled: false # by default, console is not enabled + elasticsearch: enabled: false 
diff --git a/examples/camunda-8.7-irsa/helm-values/values-domain.yml b/examples/camunda-8.7-irsa/helm-values/values-domain.yml index e844e7a9..65d4ec89 100644 --- a/examples/camunda-8.7-irsa/helm-values/values-domain.yml +++ b/examples/camunda-8.7-irsa/helm-values/values-domain.yml @@ -66,6 +66,12 @@ global: redirectUrl: https://${DOMAIN_NAME}/optimize existingSecret: name: identity-secret-for-components + webModeler: + redirectUrl: https://${DOMAIN_NAME}/modeler + console: + redirectUrl: https://${DOMAIN_NAME}/console + existingSecret: + name: identity-secret-for-components webModeler: enabled: false # by default, webModeler is not enabled @@ -75,6 +81,8 @@ webModeler: annotations: eks.amazonaws.com/role-arn: ${DB_ROLE_WEBMODELER_ARN} + contextPath: /modeler + restapi: externalDatabase: url: jdbc:aws-wrapper:postgresql://${DB_HOST}:5432/${DB_WEBMODELER_NAME}?wrapperPlugins=iam @@ -159,5 +167,9 @@ zeebeGateway: kubernetes.io/tls-acme: 'true' contextPath: /zeebe +console: + enabled: false # by default, console is not enabled + contextPath: /console + elasticsearch: enabled: false diff --git a/examples/camunda-8.7-irsa/helm-values/values-no-domain.yml b/examples/camunda-8.7-irsa/helm-values/values-no-domain.yml index 090df7ec..f41fe9b4 100644 --- a/examples/camunda-8.7-irsa/helm-values/values-no-domain.yml +++ b/examples/camunda-8.7-irsa/helm-values/values-no-domain.yml 
@@ -48,15 +48,21 @@ global: existingSecret: name: identity-secret-for-components operate: - redirectUrl: http://localhost:8071 # replace this with a port of your choice when you will do port forwarding + redirectUrl: http://localhost:8081 # replace this with a port of your choice when you will do port forwarding existingSecret: name: identity-secret-for-components tasklist: - redirectUrl: http://localhost:8072 # replace this with a port of your choice when you will do port forwarding + redirectUrl: http://localhost:8082 # replace this with a port of your choice when you will do port forwarding existingSecret: name: identity-secret-for-components optimize: - redirectUrl: http://localhost:8073 # replace this with a port of your choice when you will do port forwarding + redirectUrl: http://localhost:8083 # replace this with a port of your choice when you will do port forwarding + existingSecret: + name: identity-secret-for-components + webModeler: + redirectUrl: http://localhost:8084 + console: + redirectUrl: http://localhost:8085 existingSecret: name: identity-secret-for-components @@ -132,5 +138,8 @@ optimize: migration: enabled: false +console: + enabled: false # by default, console is not enabled + elasticsearch: enabled: false diff --git a/examples/camunda-8.7/helm-values/values-domain.yml b/examples/camunda-8.7/helm-values/values-domain.yml index 14514dc5..76cb18db 100644 --- a/examples/camunda-8.7/helm-values/values-domain.yml +++ b/examples/camunda-8.7/helm-values/values-domain.yml @@ -58,6 +58,12 @@ global: redirectUrl: https://${DOMAIN_NAME}/optimize existingSecret: name: identity-secret-for-components + webModeler: + redirectUrl: https://${DOMAIN_NAME}/modeler + console: + redirectUrl: https://${DOMAIN_NAME}/console + existingSecret: + name: identity-secret-for-components elasticsearch: enabled: false @@ -83,6 +89,7 @@ tasklist: webModeler: enabled: false # by default, webModeler is not enabled + contextPath: /modeler restapi: externalDatabase: 
@@ -112,3 +119,7 @@ zeebeGateway: annotations: kubernetes.io/tls-acme: 'true' contextPath: /zeebe + +console: + enabled: false # by default, console is not enabled + contextPath: /console diff --git a/examples/camunda-8.7/helm-values/values-no-domain.yml b/examples/camunda-8.7/helm-values/values-no-domain.yml index 12a82e84..126e9c6b 100644 --- a/examples/camunda-8.7/helm-values/values-no-domain.yml +++ b/examples/camunda-8.7/helm-values/values-no-domain.yml @@ -42,15 +42,21 @@ global: existingSecret: name: identity-secret-for-components operate: - redirectUrl: http://localhost:8071 # replace this with a port of your choice when you will do port forwarding + redirectUrl: http://localhost:8081 # replace this with a port of your choice when you will do port forwarding existingSecret: name: identity-secret-for-components tasklist: - redirectUrl: http://localhost:8072 # replace this with a port of your choice when you will do port forwarding + redirectUrl: http://localhost:8082 # replace this with a port of your choice when you will do port forwarding existingSecret: name: identity-secret-for-components optimize: - redirectUrl: http://localhost:8073 # replace this with a port of your choice when you will do port forwarding + redirectUrl: http://localhost:8083 # replace this with a port of your choice when you will do port forwarding + existingSecret: + name: identity-secret-for-components + webModeler: + redirectUrl: http://localhost:8084 + console: + redirectUrl: http://localhost:8085 existingSecret: name: identity-secret-for-components @@ -83,5 +89,8 @@ optimize: migration: enabled: false +console: + enabled: false # by default, console is not enabled + elasticsearch: enabled: false From 50f5dfccb027008b9ffd56fd5c89eab26a8f268b Mon Sep 17 00:00:00 2001 
From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Fri, 25 Oct 2024 17:27:55 +0200 Subject: [PATCH 130/135] fix --- examples/camunda-8.6-irsa/helm-values/values-no-domain.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml b/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml index 7f95f95f..25305c33 100644 --- a/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml +++ b/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml @@ -57,6 +57,8 @@ global: name: identity-secret-for-components optimize: redirectUrl: http://localhost:8083 # replace this with a port of your choice when you will do port forwarding + existingSecret: + name: identity-secret-for-components webModeler: redirectUrl: http://localhost:8084 console: From c624e2a4246f9b14d4f7449ab5c45b632e172b25 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Fri, 25 Oct 2024 17:40:02 +0200 Subject: [PATCH 131/135] fix keycloak url --- examples/camunda-8.6-irsa/helm-values/values-no-domain.yml | 2 +- examples/camunda-8.6/helm-values/values-no-domain.yml | 2 +- examples/camunda-8.7-irsa/helm-values/values-no-domain.yml | 2 +- examples/camunda-8.7/helm-values/values-no-domain.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml b/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml index 25305c33..0762365d 100644 --- a/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml +++ b/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml @@ -39,7 +39,7 @@ global: identity: auth: - publicIssuerUrl: http://localhost:8070/auth/realms/camunda-platform # replace this with a port of your choice when you will do port forwarding + publicIssuerUrl: http://localhost:18080/auth/realms/camunda-platform # replace this with a port of your choice when you will do port forwarding zeebe: existingSecret: 
diff --git a/examples/camunda-8.6/helm-values/values-no-domain.yml b/examples/camunda-8.6/helm-values/values-no-domain.yml index 126e9c6b..8e74f940 100644 --- a/examples/camunda-8.6/helm-values/values-no-domain.yml +++ b/examples/camunda-8.6/helm-values/values-no-domain.yml @@ -33,7 +33,7 @@ global: identity: auth: - publicIssuerUrl: http://localhost:8070/auth/realms/camunda-platform # replace this with a port of your choice when you will do port forwarding + publicIssuerUrl: http://localhost:18080/auth/realms/camunda-platform # replace this with a port of your choice when you will do port forwarding zeebe: existingSecret: diff --git a/examples/camunda-8.7-irsa/helm-values/values-no-domain.yml b/examples/camunda-8.7-irsa/helm-values/values-no-domain.yml index f41fe9b4..d25c7d02 100644 --- a/examples/camunda-8.7-irsa/helm-values/values-no-domain.yml +++ b/examples/camunda-8.7-irsa/helm-values/values-no-domain.yml @@ -39,7 +39,7 @@ global: identity: auth: - publicIssuerUrl: http://localhost:8070/auth/realms/camunda-platform # replace this with a port of your choice when you will do port forwarding + publicIssuerUrl: http://localhost:18080/auth/realms/camunda-platform # replace this with a port of your choice when you will do port forwarding zeebe: existingSecret: diff --git a/examples/camunda-8.7/helm-values/values-no-domain.yml b/examples/camunda-8.7/helm-values/values-no-domain.yml index 126e9c6b..8e74f940 100644 --- a/examples/camunda-8.7/helm-values/values-no-domain.yml +++ b/examples/camunda-8.7/helm-values/values-no-domain.yml @@ -33,7 +33,7 @@ global: identity: auth: - publicIssuerUrl: http://localhost:8070/auth/realms/camunda-platform # replace this with a port of your choice when you will do port forwarding + publicIssuerUrl: http://localhost:18080/auth/realms/camunda-platform # replace this with a port of your choice when you will do port forwarding zeebe: existingSecret: From 7d71b2bb3f52a00a1f83c1723c84e9a6e8d49566 Mon Sep 17 00:00:00 2001 
From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Fri, 25 Oct 2024 17:44:40 +0200 Subject: [PATCH 132/135] todo --- examples/camunda-8.7-irsa/helm-values/values-no-domain.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/examples/camunda-8.7-irsa/helm-values/values-no-domain.yml b/examples/camunda-8.7-irsa/helm-values/values-no-domain.yml index d25c7d02..84a0f17a 100644 --- a/examples/camunda-8.7-irsa/helm-values/values-no-domain.yml +++ b/examples/camunda-8.7-irsa/helm-values/values-no-domain.yml @@ -39,6 +39,7 @@ global: identity: auth: + # TODO: check why redirects to localhost:8069 instead of keycloak publicIssuerUrl: http://localhost:18080/auth/realms/camunda-platform # replace this with a port of your choice when you will do port forwarding zeebe: From 9fe0d67cdd90e1b3048406bb9dc8e9c3fa57be7e Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Fri, 25 Oct 2024 18:42:17 +0200 Subject: [PATCH 133/135] fix wrong port --- examples/camunda-8.6-irsa/helm-values/values-no-domain.yml | 2 +- examples/camunda-8.6/helm-values/values-no-domain.yml | 2 +- examples/camunda-8.7-irsa/helm-values/values-no-domain.yml | 4 ++-- examples/camunda-8.7/helm-values/values-no-domain.yml | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml b/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml index 0762365d..2ac6fc6b 100644 --- a/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml +++ b/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml @@ -94,7 +94,7 @@ identity: annotations: eks.amazonaws.com/role-arn: ${DB_ROLE_IDENTITY_ARN} - fullURL: http://localhost:8069 # replace this with a port of your choice when you will do port forwarding + fullURL: http://localhost:8080 # replace this with a port of your choice when you will do port forwarding externalDatabase: enabled: true 
diff --git a/examples/camunda-8.6/helm-values/values-no-domain.yml b/examples/camunda-8.6/helm-values/values-no-domain.yml index 8e74f940..e3730b3f 100644 --- a/examples/camunda-8.6/helm-values/values-no-domain.yml +++ b/examples/camunda-8.6/helm-values/values-no-domain.yml @@ -61,7 +61,7 @@ global: name: identity-secret-for-components identity: - fullURL: http://localhost:8069 # replace this with a port of your choice when you will do port forwarding + fullURL: http://localhost:8080 # replace this with a port of your choice when you will do port forwarding externalDatabase: enabled: true diff --git a/examples/camunda-8.7-irsa/helm-values/values-no-domain.yml b/examples/camunda-8.7-irsa/helm-values/values-no-domain.yml index 84a0f17a..dc54bd65 100644 --- a/examples/camunda-8.7-irsa/helm-values/values-no-domain.yml +++ b/examples/camunda-8.7-irsa/helm-values/values-no-domain.yml @@ -39,7 +39,7 @@ global: identity: auth: - # TODO: check why redirects to localhost:8069 instead of keycloak + # TODO: check why redirects to localhost:8080 instead of keycloak publicIssuerUrl: http://localhost:18080/auth/realms/camunda-platform # replace this with a port of your choice when you will do port forwarding zeebe: @@ -94,7 +94,7 @@ identity: annotations: eks.amazonaws.com/role-arn: ${DB_ROLE_IDENTITY_ARN} - fullURL: http://localhost:8069 # replace this with a port of your choice when you will do port forwarding + fullURL: http://localhost:8080 # replace this with a port of your choice when you will do port forwarding externalDatabase: enabled: true diff --git a/examples/camunda-8.7/helm-values/values-no-domain.yml b/examples/camunda-8.7/helm-values/values-no-domain.yml index 8e74f940..e3730b3f 100644 --- a/examples/camunda-8.7/helm-values/values-no-domain.yml +++ b/examples/camunda-8.7/helm-values/values-no-domain.yml 
@@ -61,7 +61,7 @@ global: name: identity-secret-for-components identity: - fullURL: http://localhost:8069 # replace this with a port of your choice when you will do port forwarding + fullURL: http://localhost:8080 # replace this with a port of your choice when you will do port forwarding externalDatabase: enabled: true From 011371764e1836cb5636331b71af02c58ffdfe75 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Fri, 25 Oct 2024 18:55:15 +0200 Subject: [PATCH 134/135] re-align --- examples/camunda-8.6-irsa/helm-values/values-domain.yml | 1 - examples/camunda-8.6-irsa/helm-values/values-no-domain.yml | 1 - examples/camunda-8.6/helm-values/values-domain.yml | 1 - examples/camunda-8.7-irsa/helm-values/values-domain.yml | 3 +-- examples/camunda-8.7-irsa/helm-values/values-no-domain.yml | 1 - 5 files changed, 1 insertion(+), 6 deletions(-) diff --git a/examples/camunda-8.6-irsa/helm-values/values-domain.yml b/examples/camunda-8.6-irsa/helm-values/values-domain.yml index 443bec15..6b8c531c 100644 --- a/examples/camunda-8.6-irsa/helm-values/values-domain.yml +++ b/examples/camunda-8.6-irsa/helm-values/values-domain.yml @@ -75,7 +75,6 @@ global: webModeler: enabled: false # by default, webModeler is not enabled - contextPath: /modeler serviceAccount: diff --git a/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml b/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml index 2ac6fc6b..3ebec850 100644 --- a/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml +++ b/examples/camunda-8.6-irsa/helm-values/values-no-domain.yml @@ -87,7 +87,6 @@ webModeler: existingSecret: identity-secret-for-components # reference the smtp password fromAddress: changeme@example.com # change this required value - identity: serviceAccount: name: ${CAMUNDA_IDENTITY_SERVICE_ACCOUNT_NAME} diff --git a/examples/camunda-8.6/helm-values/values-domain.yml b/examples/camunda-8.6/helm-values/values-domain.yml index f9c6982a..76cb18db 100644 
--- a/examples/camunda-8.6/helm-values/values-domain.yml +++ b/examples/camunda-8.6/helm-values/values-domain.yml @@ -89,7 +89,6 @@ tasklist: webModeler: enabled: false # by default, webModeler is not enabled - contextPath: /modeler restapi: diff --git a/examples/camunda-8.7-irsa/helm-values/values-domain.yml b/examples/camunda-8.7-irsa/helm-values/values-domain.yml index 65d4ec89..6b8c531c 100644 --- a/examples/camunda-8.7-irsa/helm-values/values-domain.yml +++ b/examples/camunda-8.7-irsa/helm-values/values-domain.yml @@ -75,14 +75,13 @@ global: webModeler: enabled: false # by default, webModeler is not enabled + contextPath: /modeler serviceAccount: name: ${CAMUNDA_WEBMODELER_SERVICE_ACCOUNT_NAME} annotations: eks.amazonaws.com/role-arn: ${DB_ROLE_WEBMODELER_ARN} - contextPath: /modeler - restapi: externalDatabase: url: jdbc:aws-wrapper:postgresql://${DB_HOST}:5432/${DB_WEBMODELER_NAME}?wrapperPlugins=iam diff --git a/examples/camunda-8.7-irsa/helm-values/values-no-domain.yml b/examples/camunda-8.7-irsa/helm-values/values-no-domain.yml index dc54bd65..3ebec850 100644 --- a/examples/camunda-8.7-irsa/helm-values/values-no-domain.yml +++ b/examples/camunda-8.7-irsa/helm-values/values-no-domain.yml @@ -39,7 +39,6 @@ global: identity: auth: - # TODO: check why redirects to localhost:8080 instead of keycloak publicIssuerUrl: http://localhost:18080/auth/realms/camunda-platform # replace this with a port of your choice when you will do port forwarding zeebe: From f55ce819ce8b0bc17b0b4ff16edac4ff0fca10f8 Mon Sep 17 00:00:00 2001 From: Leo J <153937047+leiicamundi@users.noreply.github.com> Date: Mon, 28 Oct 2024 11:30:25 +0100 Subject: [PATCH 135/135] fix non-required --- modules/opensearch/README.md | 2 +- modules/opensearch/variables.tf | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/opensearch/README.md b/modules/opensearch/README.md index 7f38af0f..e3666761 100644 --- a/modules/opensearch/README.md +++ b/modules/opensearch/README.md 
@@ -84,7 +84,7 @@ No modules. | [advanced\_security\_anonymous\_auth\_enabled](#input\_advanced\_security\_anonymous\_auth\_enabled) | Whether the anonymous auth is enabled. | `bool` | `false` | no | | [advanced\_security\_enabled](#input\_advanced\_security\_enabled) | Whether advanced security is enabled. | `bool` | `false` | no | | [advanced\_security\_internal\_user\_database\_enabled](#input\_advanced\_security\_internal\_user\_database\_enabled) | Whether the internal user database is enabled. | `bool` | `false` | no | -| [advanced\_security\_master\_user\_arn](#input\_advanced\_security\_master\_user\_arn) | ARN for the main user. Only specify if `advanced_security_internal_user_database_enabled` is set to false. | `string` | n/a | yes | +| [advanced\_security\_master\_user\_arn](#input\_advanced\_security\_master\_user\_arn) | ARN for the main user. Only specify if `advanced_security_internal_user_database_enabled` is set to false. | `string` | `""` | no | | [advanced\_security\_master\_user\_name](#input\_advanced\_security\_master\_user\_name) | Main user's username, which is stored in the Amazon Elasticsearch Service domain's internal database. Only specify if `advanced_security_internal_user_database_enabled` is set to true. | `string` | `"opensearch-admin"` | no | | [advanced\_security\_master\_user\_password](#input\_advanced\_security\_master\_user\_password) | Main user's password, which is stored in the Amazon Elasticsearch Service domain's internal database. Only specify if `advanced_security_internal_user_database_enabled` is set to true. | `string` | `""` | no | | [auto\_software\_update\_enabled](#input\_auto\_software\_update\_enabled) | Software update auto for the domain. | `bool` | `false` | no | diff --git a/modules/opensearch/variables.tf b/modules/opensearch/variables.tf index 955d91cc..cb6827e4 100644 --- a/modules/opensearch/variables.tf +++ b/modules/opensearch/variables.tf 
@@ -151,6 +151,7 @@ variable "advanced_security_internal_user_database_enabled" { variable "advanced_security_master_user_arn" { type = string + default = "" description = "ARN for the main user. Only specify if `advanced_security_internal_user_database_enabled` is set to false." }
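Review bot: `default = ""` makes `advanced_security_master_user_arn` optional, but an empty string is still a value. With `advanced_security_master_user_password` also defaulting to `""` (per the README table in this patch), the module can be called with advanced security enabled and no usable master identity at all. I would use `default = null` so the argument is omitted when unset, and add a `validation` block that accepts only `null` or a string beginning with `arn:`. How the value reaches `aws_opensearch_domain` is in `main.tf`, outside this hunk, so the effect of `""` on the resource should be confirmed there.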