From fd080f40dfc15ec3a3aa22e5a68ad9032d016dae Mon Sep 17 00:00:00 2001
From: Gabe Scarberry
Date: Wed, 2 Oct 2024 10:29:58 -0500
Subject: [PATCH] WIP: this is a lot

---
 data.tf | 25 +++
 examples/complete/fixtures.common.tfvars | 2 +-
 examples/complete/main.tf | 159 +++++++-------
 locals.tf | 248 +++++++++++++++++++++++
 main.tf | 190 ++++++++--------
 variables.tf | 6 -
 6 files changed, 432 insertions(+), 198 deletions(-)
 create mode 100644 data.tf
 create mode 100644 locals.tf

diff --git a/data.tf b/data.tf
new file mode 100644
index 0000000..92ee5e8
--- /dev/null
+++ b/data.tf
@@ -0,0 +1,25 @@
+data "aws_partition" "current" {}
+data "aws_caller_identity" "current" {}
+
+data "aws_iam_session_context" "current" {
+ # This data source provides information on the IAM source role of an STS assumed role
+ # For non-role ARNs, this data source simply passes the ARN through issuer ARN
+ # Ref https://github.com/terraform-aws-modules/terraform-aws-eks/issues/2327#issuecomment-1355581682
+ # Ref https://github.com/hashicorp/terraform-provider-aws/issues/28381
+ arn = data.aws_caller_identity.current.arn
+}
+
+data "aws_ami" "eks_default_bottlerocket" {
+ most_recent = true
+ owners = ["amazon"]
+
+ filter {
+ name = "name"
+ values = ["bottlerocket-aws-k8s-${local.cluster_version}-x86_64-*"]
+ }
+}
+
+resource "random_id" "default" {
+ byte_length = 2
+}
+
diff --git a/examples/complete/fixtures.common.tfvars b/examples/complete/fixtures.common.tfvars
index 514a137..601571f 100644
--- a/examples/complete/fixtures.common.tfvars
+++ b/examples/complete/fixtures.common.tfvars
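Review bot: `data "aws_ami" "eks_default_bottlerocket"` combines `most_recent = true` with the wildcard `bottlerocket-aws-k8s-${local.cluster_version}-x86_64-*`, so every apply after a new Bottlerocket release yields a different `ami_id` and silently rolls the self-managed node launch template with an image nobody reviewed. For a reproducible node image, pin the release (add the Bottlerocket version to the name filter) or read the id from the public SSM parameter (e.g. `/aws/service/bottlerocket/aws-k8s-${local.cluster_version}/x86_64/latest/image_id`) and treat bumps as explicit, reviewable changes. `owners = ["amazon"]` is the right owner for Bottlerocket, so a look-alike AMI name from another account cannot win the lookup. The `# consider ... useFIPS` note in locals.tf hints at a FIPS posture; if that is the goal, the FIPS Bottlerocket variant is a separate AMI family and this filter would not select it — worth a comment either way.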
@@ -11,7 +11,7 @@ name_prefix = "ci" vpc_cidr = "10.200.0.0/16" secondary_cidr_blocks = ["100.64.0.0/16"] #https://aws.amazon.com/blogs/containers/optimize-ip-addresses-usage-by-pods-in-your-amazon-eks-cluster/ -create_default_vpc_endpoints = false #setting to false to make ci faster +create_default_vpc_endpoints = true #setting to false to make ci faster # new_bits is added to the cidr of vpc_cidr to chunk the subnets up # public-a - 10.200.0.0/22 - 1,022 hosts diff --git a/examples/complete/main.tf b/examples/complete/main.tf index c0a29dc..9214bc9 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -70,7 +70,7 @@ module "vpc" { intra_subnets = [for k, v in module.vpc.azs : cidrsubnet(element(module.vpc.vpc_secondary_cidr_blocks, 0), 5, k)] single_nat_gateway = true #remove if in a private VPC behind TGW enable_nat_gateway = true #remove if in a private VPC behind TGW - create_default_vpc_endpoints = var.create_default_vpc_endpoints + create_default_vpc_endpoints = true private_subnet_tags = { "kubernetes.io/cluster/${local.cluster_name}" = "shared" @@ -99,31 +99,6 @@ data "aws_ami" "eks_default_bottlerocket" { } locals { - eks_managed_node_group_defaults = { - # https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/node_groups.tf - iam_role_permissions_boundary = var.iam_role_permissions_boundary - ami_type = "AL2_x86_64" - instance_types = ["m5a.large", "m5.large", "m6i.large"] - tags = { - subnet_type = "private", - cluster = local.cluster_name - } - } - - mission_app_mg_node_group = { - managed_ng1 = { - min_size = 2 - max_size = 2 - desired_size = 2 - disk_size = 50 - } - } - - eks_managed_node_groups = merge( - var.enable_eks_managed_nodegroups ? local.mission_app_mg_node_group : {}, - # var.enable_eks_managed_nodegroups && var.keycloak_enabled ? local.keycloak_mg_node_group : {} - ) - self_managed_node_group_defaults = { iam_role_permissions_boundary = var.iam_role_permissions_boundary instance_type = null 
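Review bot: The inline comment on the changed line now contradicts the value it annotates: `create_default_vpc_endpoints = true #setting to false to make ci faster`. Update it to say why CI now creates the endpoints (or drop it), e.g. `create_default_vpc_endpoints = true # endpoints are now created in CI; see examples/complete/main.tf`, so the next reader does not flip it back on the strength of the stale comment.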
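Review bot: `create_default_vpc_endpoints = true` in `module "vpc"` hardcodes what was `var.create_default_vpc_endpoints`, so the tfvars value changed in this same patch no longer reaches the module and the example variable (still declared, as far as this diff shows) becomes dead. If endpoints should always be created in the example, remove the variable and the tfvars line together; otherwise keep the pass-through `create_default_vpc_endpoints = var.create_default_vpc_endpoints`.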
@@ -174,7 +149,7 @@ locals { } } - uds_core_self_mg_node_group = { + self_managed_node_groups = { uds_core_ng = { ami_type = "BOTTLEROCKET_x86_64" ami_id = data.aws_ami.eks_default_bottlerocket.id @@ -229,7 +204,55 @@ locals { } } - self_managed_node_groups = var.enable_self_managed_nodegroups ? local.uds_core_self_mg_node_group : null + default_cluster_addons = { + vpc-cni = { + most_recent = true + before_compute = true + configuration_values = <<-JSON + { + "env": { + "AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG": "true", + "ENABLE_PREFIX_DELEGATION": "true", + "ENI_CONFIG_LABEL_DEF": "topology.kubernetes.io/zone", + "WARM_PREFIX_TARGET": "1", + "ANNOTATE_POD_IP": "true", + "POD_SECURITY_GROUP_ENFORCING_MODE": "standard" + }, + "enableNetworkPolicy": "true" + } + JSON + } + coredns = { + most_recent = true + timeouts = { + create = "10m" + delete = "10m" + } + } + kube-proxy = { + most_recent = true + } + aws-ebs-csi-driver = { + most_recent = true + configuration_values = <<-JSON + "defaultStorageClass": { + "enabled": true + } + JSON + timeouts = { + create = "10m" + delete = "10m" + } + } + # consider using '"useFIPS": "true"' under configuration_values for aws_efs_csi_driver + aws-efs-csi-driver = { + most_recent = true + timeouts = { + create = "10m" + delete = "10m" + } + } + } vpc_cni_addon_irsa_extra_config = { "vpc-cni" = merge( @@ -242,6 +265,7 @@ locals { cluster_addons = merge( var.cluster_addons, + local.default_cluster_addons, local.vpc_cni_addon_irsa_extra_config ) } @@ -288,10 +312,6 @@ module "ssm_kms_key" { tags = local.tags } -locals { - ssm_parameter_kms_key_arn = var.create_ssm_parameters ? module.ssm_kms_key.key_arn : "" -} - module "eks" { source = "../.." 
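Review bot: The `aws-ebs-csi-driver` `configuration_values` heredoc is tagged `JSON` but is not a JSON document — it lacks the enclosing braces (`"defaultStorageClass": { "enabled": true }`). EKS may still accept it as YAML, but for consistency with the `vpc-cni` entry and so it survives a `jsondecode` like the one applied to vpc-cni in locals.tf, wrap it: `{ "defaultStorageClass": { "enabled": true } }`. This file's `module "eks"` call also drops `enable_gp3_default_storage_class`; if the module still creates its own default gp3 StorageClass, enabling `defaultStorageClass` here as well would leave the cluster with two default classes — worth confirming and noting in a comment.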
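Review bot: In `cluster_addons = merge(var.cluster_addons, local.default_cluster_addons, local.vpc_cni_addon_irsa_extra_config)` later arguments win, so `local.default_cluster_addons` silently overwrites any `vpc-cni`, `coredns`, `kube-proxy` or CSI entry a user supplies through `var.cluster_addons`. Swap the first two arguments so the defaults behave as defaults: `merge(local.default_cluster_addons, var.cluster_addons, local.vpc_cni_addon_irsa_extra_config)`. `vpc_cni_addon_irsa_extra_config` appears to be built from `var.cluster_addons["vpc-cni"]` (its `"vpc-cni" = merge(` opens just above this hunk), so also check that the IRSA role is attached when the user passes no vpc-cni entry and the default one is in effect.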
@@ -309,10 +329,6 @@ module "eks" { cluster_version = var.cluster_version dataplane_wait_duration = var.dataplane_wait_duration - ######################## EKS Managed Node Group ################################### - eks_managed_node_group_defaults = local.eks_managed_node_group_defaults - eks_managed_node_groups = local.eks_managed_node_groups - ######################## Self Managed Node Group ################################### self_managed_node_group_defaults = local.self_managed_node_group_defaults self_managed_node_groups = local.self_managed_node_groups 
@@ -329,80 +345,47 @@ module "eks" { cluster_addons = local.cluster_addons # AWS EKS EBS CSI Driver - enable_amazon_eks_aws_ebs_csi_driver = var.enable_amazon_eks_aws_ebs_csi_driver - enable_gp3_default_storage_class = var.enable_gp3_default_storage_class - ebs_storageclass_reclaim_policy = var.ebs_storageclass_reclaim_policy + enable_amazon_eks_aws_ebs_csi_driver = true # AWS EKS EFS CSI Driver - enable_amazon_eks_aws_efs_csi_driver = var.enable_amazon_eks_aws_efs_csi_driver + enable_amazon_eks_aws_efs_csi_driver = true efs_vpc_cidr_blocks = module.vpc.private_subnets_cidr_blocks - efs_storageclass_reclaim_policy = var.efs_storageclass_reclaim_policy + efs_storageclass_reclaim_policy = "Retain" #--------------------------------------------------------------- # EKS Blueprints - blueprints curated helm charts #--------------------------------------------------------------- - create_kubernetes_resources = var.create_kubernetes_resources - create_ssm_parameters = var.create_ssm_parameters - ssm_parameter_kms_key_arn = local.ssm_parameter_kms_key_arn + create_kubernetes_resources = false + create_ssm_parameters = true + ssm_parameter_kms_key_arn = module.ssm_kms_key.key_arn # AWS EKS node termination handler - enable_aws_node_termination_handler = var.enable_aws_node_termination_handler - aws_node_termination_handler = var.aws_node_termination_handler - + enable_aws_node_termination_handler = true # k8s Metrics Server - enable_metrics_server = var.enable_metrics_server - metrics_server = var.metrics_server - + enable_metrics_server = false # k8s Cluster Autoscaler - enable_cluster_autoscaler = var.enable_cluster_autoscaler - cluster_autoscaler = var.cluster_autoscaler - + enable_cluster_autoscaler = true # AWS Load Balancer Controller - enable_aws_load_balancer_controller = var.enable_aws_load_balancer_controller - aws_load_balancer_controller = var.aws_load_balancer_controller - + enable_aws_load_balancer_controller = true # k8s Secrets Store CSI Driver - 
enable_secrets_store_csi_driver = var.enable_secrets_store_csi_driver - secrets_store_csi_driver = var.secrets_store_csi_driver - + enable_secrets_store_csi_driver = false # External Secrets - enable_external_secrets = var.enable_external_secrets - external_secrets = var.external_secrets - external_secrets_ssm_parameter_arns = var.external_secrets_ssm_parameter_arns - external_secrets_secrets_manager_arns = var.external_secrets_secrets_manager_arns - external_secrets_kms_key_arns = var.external_secrets_kms_key_arns - - + enable_external_secrets = false # Karpenter - enable_karpenter = var.enable_karpenter - karpenter = var.karpenter - + enable_karpenter = false # Bottlerocket update operator - enable_bottlerocket_update_operator = var.enable_bottlerocket_update_operator - bottlerocket_update_operator = var.bottlerocket_update_operator - bottlerocket_shadow = var.bottlerocket_shadow - + enable_bottlerocket_update_operator = true # AWS Cloudwatch Metrics - enable_aws_cloudwatch_metrics = var.enable_aws_cloudwatch_metrics - aws_cloudwatch_metrics = var.aws_cloudwatch_metrics - + enable_aws_cloudwatch_metrics = true # AWS FSX CSI Driver - enable_aws_fsx_csi_driver = var.enable_aws_fsx_csi_driver - aws_fsx_csi_driver = var.aws_fsx_csi_driver - + enable_aws_fsx_csi_driver = false # AWS Private CA Issuer - enable_aws_privateca_issuer = var.enable_aws_privateca_issuer - aws_privateca_issuer = var.aws_privateca_issuer - + enable_aws_privateca_issuer = false # Cert Manager - enable_cert_manager = var.enable_cert_manager - cert_manager = var.cert_manager - cert_manager_route53_hosted_zone_arns = var.cert_manager_route53_hosted_zone_arns - + enable_cert_manager = false # External DNS - enable_external_dns = var.enable_external_dns - external_dns = var.external_dns + enable_external_dns = false } module "ebs_kms_key" { diff --git a/locals.tf b/locals.tf new file mode 100644 index 0000000..ddfdde9 --- /dev/null +++ b/locals.tf 
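Review bot: Roughly twenty `var.*` pass-throughs are replaced with literals here (`enable_cluster_autoscaler = true`, `enable_external_secrets = false`, …) but the diffstat touches no `examples/complete/variables.tf`, so those example variables and any values set for them in the `fixtures.*.tfvars` files now have no effect and will mislead anyone who sets them. Either delete the unused variables in the same change or keep the pass-throughs. `create_kubernetes_resources = false` is now hard-coded alongside `enable_cluster_autoscaler`, `enable_aws_load_balancer_controller` and `enable_aws_node_termination_handler = true`; a comment stating whether those add-ons are expected to be installed by something else (e.g. GitOps) in this example would avoid the obvious question. `efs_storageclass_reclaim_policy = "Retain"` in a CI example means EFS-backed volumes outlive `destroy`; if intentional, say so inline.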
@@ -0,0 +1,248 @@ +locals { + cluster_name = "${coalesce(var.cluster_name, var.name)}-${lower(random_id.default.hex)}" + cluster_version = "1.30" + admin_arns = distinct(concat( + [for admin_user in var.aws_admin_usernames : "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:user/${admin_user}"], + [data.aws_iam_session_context.current.issuer_arn] + )) + + ############ + # cluster_addons additional logic + ############ + + # ebs_csi_driver_addon_extra_config is used to merge in the service_account_role_arn to the existing aws-ebs-csi-driver config in cluster_addons + should_config_ebs_csi_driver = ( + var.enable_amazon_eks_aws_ebs_csi_driver && + var.cluster_addons["aws-ebs-csi-driver"] != null + ) + + # Merge in the service_account_role_arn to the existing aws-ebs-csi-driver config + ebs_csi_driver_addon_extra_config = local.should_config_ebs_csi_driver ? { + "aws-ebs-csi-driver" = merge( + var.cluster_addons["aws-ebs-csi-driver"], + { + service_account_role_arn = module.ebs_csi_driver_irsa[0].iam_role_arn + } + ) + } : {} + + should_config_efs_csi_driver = ( + var.enable_amazon_eks_aws_efs_csi_driver && + var.cluster_addons["aws-efs-csi-driver"] != null + ) + + # Merge in the service_account_role_arn to the existing aws-ebs-csi-driver config + efs_csi_driver_addon_extra_config = local.should_config_efs_csi_driver ? { + "aws-efs-csi-driver" = merge( + var.cluster_addons["aws-efs-csi-driver"], + { + service_account_role_arn = module.efs_csi_driver_irsa[0].iam_role_arn + } + ) + } : {} + + # Check conditions for whether ENI configs should be created for VPC CNI. + # Conditions include: VPC CNI configured in var.cluster_addons, custom subnet should be provided, and the number of custom subnets should match the number of availability zones. 
+ should_create_eni_configs = ( + var.create_eni_configs && + var.cluster_addons["vpc-cni"] != null && + length(var.vpc_cni_custom_subnet) != 0 && + length(var.vpc_cni_custom_subnet) == length(var.azs) + ) + + # Define ENI Configurations if should_create_eni_configs evaluates to true. + eniConfig = local.should_create_eni_configs ? { + create = true, + region = var.aws_region, + subnets = { for az, subnet in zipmap(var.azs, var.vpc_cni_custom_subnet) : az => { + id = subnet, + securityGroups = compact([ + module.aws_eks.cluster_primary_security_group_id, + module.aws_eks.node_security_group_id, + module.aws_eks.cluster_security_group_id + ]) + } } + } : null + + # Merge extra configuration for VPC CNI if should_create_eni_configs evaluates to true. + # This merges at a deeper level to preserve existing keys like 'most_recent' and 'before_compute'. + vpc_cni_addon_extra_config = local.should_create_eni_configs ? { + "vpc-cni" = merge( + var.cluster_addons["vpc-cni"], + { + configuration_values = jsonencode(merge( + jsondecode(var.cluster_addons["vpc-cni"].configuration_values), + { eniConfig = local.eniConfig } + )) + } + ) + } : {} + + cluster_addons = merge( + var.cluster_addons, + local.ebs_csi_driver_addon_extra_config, + local.efs_csi_driver_addon_extra_config, + local.vpc_cni_addon_extra_config + ) +} + +locals { + self_managed_node_group_defaults = { + iam_role_permissions_boundary = var.iam_role_permissions_boundary + instance_type = null + update_launch_template_default_version = true + use_mixed_instances_policy = true + + instance_requirements = { + allowed_instance_types = ["m6i.4xlarge", "m5a.4xlarge"] #this should be adjusted to the appropriate instance family if reserved instances are being utilized + memory_mib = { + min = 64000 + } + vcpu_count = { + min = 16 + } + } + + placement = { + tenancy = "dedicated" + } + + # bootstrap_extra_args used only when you pass custom_ami_id. 
Allows you to change the Container Runtime for Nodes + # e.g., bootstrap_extra_args="--use-max-pods false --container-runtime containerd" + bootstrap_extra_args = "--use-max-pods false" + + iam_role_additional_policies = { + AmazonEKSVPCResourceController = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonEKSVPCResourceController", + AmazonElasticFileSystemFullAccess = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonElasticFileSystemFullAccess", + AmazonSSMManagedInstanceCore = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonSSMManagedInstanceCore", + AmazonEKSWorkerNodePolicy = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy", + AmazonEC2ContainerRegistryReadOnly = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly", + AmazonEKS_CNI_Policy = "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonEKS_CNI_Policy" + } + + # enable discovery of autoscaling groups by cluster-autoscaler + autoscaling_group_tags = merge( + { + "k8s.io/cluster-autoscaler/enabled" : true, + "k8s.io/cluster-autoscaler/${local.cluster_name}" : "owned" + }) + + metadata_options = { + #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template#metadata-options + http_endpoint = "enabled" + http_put_response_hop_limit = 2 + http_tokens = "optional" # set to "enabled" to enforce IMDSv2, default for upstream terraform-aws-eks module + } + + tags = { + subnet_type = "private", + cluster = local.cluster_name + "aws-node-termination-handler/managed" = true # only need this if NTH is enabled. 
This is due to aws blueprints using this resource and causing the tags to flap on every apply https://github.com/aws-ia/terraform-aws-eks-blueprints-addons/blob/257677adeed1be54326637cf919cf24df6ad7c06/main.tf#L1554-L1564 + } + } + + self_managed_node_groups = { + uds_core_ng = { + ami_type = "BOTTLEROCKET_x86_64" + ami_id = data.aws_ami.eks_default_bottlerocket.id + instance_type = null # conflicts with instance_requirements settings + min_size = 3 + max_size = 5 + desired_size = 3 + key_name = module.self_managed_node_group_keypair.key_pair_name + + block_device_mappings = { + xvda = { + device_name = "/dev/xvda" + ebs = { + volume_size = 100 + volume_type = "gp3" + } + } + xvdb = { + device_name = "/dev/xvdb" + ebs = { + volume_size = 100 + volume_type = "gp3" + #need to add and create EBS key + } + } + } + + bootstrap_extra_args = <<-EOT + # The admin host container provides SSH access and runs with "superpowers". + # It is disabled by default, enabled here for easy SSH access into bottlerocket nodes with the keypair created by the module. + [settings.host-containers.admin] + enabled = true + + # The control host container provides out-of-band access via SSM. + # It is enabled by default, and can be disabled if you do not expect to use SSM. + # This could leave you with no way to access the API and change settings on an existing node! 
+ [settings.host-containers.control] + enabled = true + + # extra args added + [settings.kernel] + lockdown = "integrity" + + [settings.kubernetes.node-labels] + # label1 = "sso" + # label2 = "uds-core" + + [settings.kubernetes.node-taints] + # dedicated = "experimental:PreferNoSchedule" + # special = "true:NoSchedule" + EOT + } + } + + default_cluster_addons = { + vpc-cni = { + most_recent = true + before_compute = true + configuration_values = <<-JSON + { + "env": { + "AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG": "true", + "ENABLE_PREFIX_DELEGATION": "true", + "ENI_CONFIG_LABEL_DEF": "topology.kubernetes.io/zone", + "WARM_PREFIX_TARGET": "1", + "ANNOTATE_POD_IP": "true", + "POD_SECURITY_GROUP_ENFORCING_MODE": "standard" + }, + "enableNetworkPolicy": "true" + } + JSON + } + coredns = { + most_recent = true + timeouts = { + create = "10m" + delete = "10m" + } + } + kube-proxy = { + most_recent = true + } + aws-ebs-csi-driver = { + most_recent = true + configuration_values = <<-JSON + "defaultStorageClass": { + "enabled": true + } + JSON + timeouts = { + create = "10m" + delete = "10m" + } + } + # consider using '"useFIPS": "true"' under configuration_values for aws_efs_csi_driver + aws-efs-csi-driver = { + most_recent = true + timeouts = { + create = "10m" + delete = "10m" + } + } + } +} diff --git a/main.tf b/main.tf index 2d7277b..7c8260d 100644 --- a/main.tf +++ b/main.tf 
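Review bot: `http_tokens = "optional"` in `self_managed_node_group_defaults.metadata_options` leaves IMDSv1 reachable from pods (hop limit 2), so any pod on a node can read the node role's credentials, which here carry `AmazonElasticFileSystemFullAccess`, ECR read and the CNI policy; set `http_tokens = "required"` — note the inline comment's suggested value `"enabled"` is not a valid setting, the provider accepts `optional`/`required`. Since the EFS CSI driver and aws-node get dedicated IRSA roles in this module (`module.efs_csi_driver_irsa`, `module "vpc_cni_ipv4_irsa_role"`), `AmazonElasticFileSystemFullAccess` and `AmazonEKS_CNI_Policy` on the node role look redundant and could be dropped. The `xvda`/`xvdb` block device mappings carry no `encrypted = true`/`kms_key_id` (the `#need to add and create EBS key` comment acknowledges it), and `[settings.host-containers.admin] enabled = true` turns on the root-capable SSH admin container on every node by default; both belong behind variables rather than hard-coded in the module's defaults.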
@@ -1,109 +1,14 @@ -data "aws_partition" "current" {} -data "aws_caller_identity" "current" {} - -data "aws_iam_session_context" "current" { - # This data source provides information on the IAM source role of an STS assumed role - # For non-role ARNs, this data source simply passes the ARN through issuer ARN - # Ref https://github.com/terraform-aws-modules/terraform-aws-eks/issues/2327#issuecomment-1355581682 - # Ref https://github.com/hashicorp/terraform-provider-aws/issues/28381 - arn = data.aws_caller_identity.current.arn -} + ############################################################### # EKS Cluster ############################################################### -locals { - cluster_name = coalesce(var.cluster_name, var.name) - admin_arns = distinct(concat( - [for admin_user in var.aws_admin_usernames : "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:user/${admin_user}"], - [data.aws_iam_session_context.current.issuer_arn] - )) - - ############ - # cluster_addons additional logic - ############ - - # ebs_csi_driver_addon_extra_config is used to merge in the service_account_role_arn to the existing aws-ebs-csi-driver config in cluster_addons - should_config_ebs_csi_driver = ( - var.enable_amazon_eks_aws_ebs_csi_driver && - var.cluster_addons["aws-ebs-csi-driver"] != null - ) - - # Merge in the service_account_role_arn to the existing aws-ebs-csi-driver config - ebs_csi_driver_addon_extra_config = local.should_config_ebs_csi_driver ? { - "aws-ebs-csi-driver" = merge( - var.cluster_addons["aws-ebs-csi-driver"], - { - service_account_role_arn = module.ebs_csi_driver_irsa[0].iam_role_arn - } - ) - } : {} - - should_config_efs_csi_driver = ( - var.enable_amazon_eks_aws_efs_csi_driver && - var.cluster_addons["aws-efs-csi-driver"] != null - ) - - # Merge in the service_account_role_arn to the existing aws-ebs-csi-driver config - efs_csi_driver_addon_extra_config = local.should_config_efs_csi_driver ? 
{ - "aws-efs-csi-driver" = merge( - var.cluster_addons["aws-efs-csi-driver"], - { - service_account_role_arn = module.efs_csi_driver_irsa[0].iam_role_arn - } - ) - } : {} - - # Check conditions for whether ENI configs should be created for VPC CNI. - # Conditions include: VPC CNI configured in var.cluster_addons, custom subnet should be provided, and the number of custom subnets should match the number of availability zones. - should_create_eni_configs = ( - var.create_eni_configs && - var.cluster_addons["vpc-cni"] != null && - length(var.vpc_cni_custom_subnet) != 0 && - length(var.vpc_cni_custom_subnet) == length(var.azs) - ) - - # Define ENI Configurations if should_create_eni_configs evaluates to true. - eniConfig = local.should_create_eni_configs ? { - create = true, - region = var.aws_region, - subnets = { for az, subnet in zipmap(var.azs, var.vpc_cni_custom_subnet) : az => { - id = subnet, - securityGroups = compact([ - module.aws_eks.cluster_primary_security_group_id, - module.aws_eks.node_security_group_id, - module.aws_eks.cluster_security_group_id - ]) - } } - } : null - - # Merge extra configuration for VPC CNI if should_create_eni_configs evaluates to true. - # This merges at a deeper level to preserve existing keys like 'most_recent' and 'before_compute'. - vpc_cni_addon_extra_config = local.should_create_eni_configs ? 
{ - "vpc-cni" = merge( - var.cluster_addons["vpc-cni"], - { - configuration_values = jsonencode(merge( - jsondecode(var.cluster_addons["vpc-cni"].configuration_values), - { eniConfig = local.eniConfig } - )) - } - ) - } : {} - - cluster_addons = merge( - var.cluster_addons, - local.ebs_csi_driver_addon_extra_config, - local.efs_csi_driver_addon_extra_config, - local.vpc_cni_addon_extra_config - ) -} module "aws_eks" { - source = "git::https://github.com/terraform-aws-modules/terraform-aws-eks.git?ref=v20.24.0" + source = "git::https://github.com/terraform-aws-modules/terraform-aws-eks.git?ref=v20.30.0" cluster_name = local.cluster_name - cluster_version = var.cluster_version + cluster_version = local.cluster_version vpc_id = var.vpc_id subnet_ids = var.private_subnet_ids @@ -118,12 +23,10 @@ module "aws_eks" { cluster_endpoint_private_access = var.cluster_endpoint_private_access - self_managed_node_group_defaults = var.self_managed_node_group_defaults - self_managed_node_groups = var.self_managed_node_groups - eks_managed_node_groups = var.eks_managed_node_groups - eks_managed_node_group_defaults = var.eks_managed_node_group_defaults + self_managed_node_group_defaults = local.self_managed_node_group_defaults + self_managed_node_groups = local.self_managed_node_groups - dataplane_wait_duration = var.dataplane_wait_duration + dataplane_wait_duration = "30s" cluster_timeouts = var.cluster_timeouts cluster_addons = local.cluster_addons 
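Review bot: `dataplane_wait_duration = "30s"` replaces the input and variables.tf drops `variable "dataplane_wait_duration"`, yet examples/complete/main.tf still passes `dataplane_wait_duration = var.dataplane_wait_duration` to `module "eks"` (context line of its -309 hunk), which Terraform rejects as an unsupported argument; either keep the variable or remove that line from the example in the same patch. This hunk also removes the `self_managed_node_groups`/`eks_managed_node_groups` inputs from the `module "aws_eks"` call in favour of locals, so callers can no longer define their own node groups — if that is intended, document it as a breaking change. The upstream source is pinned by a mutable tag (`?ref=v20.30.0`); pinning `ref=` to the tag's commit SHA makes the module supply chain reproducible and tamper-evident.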
@@ -218,3 +121,84 @@ module "efs_csi_driver_irsa" { tags = var.tags } + +###################################################### +# EKS Self Managed Node Group Dependencies +###################################################### +module "self_managed_node_group_keypair" { + source = "git::https://github.com/terraform-aws-modules/terraform-aws-key-pair?ref=v2.0.3" + + key_name_prefix = "${local.cluster_name}-self-managed-ng-" + create_private_key = true + + tags = var.tags +} + +module "self_managed_node_group_secret_key_secrets_manager_secret" { + source = "git::https://github.com/terraform-aws-modules/terraform-aws-secrets-manager.git?ref=v1.1.2" + + name = module.self_managed_node_group_keypair.key_pair_name + description = "Secret key for self managed node group keypair" + recovery_window_in_days = 0 # 0 - no recovery window, delete immediately when deleted + + block_public_policy = true + + ignore_secret_changes = true + secret_string = module.self_managed_node_group_keypair.private_key_openssh + + tags = var.tags +} + +###################################################### +# vpc-cni irsa role +###################################################### +module "vpc_cni_ipv4_irsa_role" { + source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" + version = "~> 5.39" + + role_name_prefix = "${local.cluster_name}-vpc-cni-" + attach_vpc_cni_policy = true + vpc_cni_enable_ipv4 = true + + oidc_providers = { + main = { + provider_arn = module.aws_eks.oidc_provider_arn + namespace_service_accounts = ["kube-system:aws-node"] + } + } + + # extra policy to attach to the role + role_policy_arns = { + vpc_cni_logging = aws_iam_policy.vpc_cni_logging.arn + } + + tags = var.tags +} + +resource "aws_iam_policy" "vpc_cni_logging" { + # checkov:skip=CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions" + # checkov:skip=CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints" 
+ name = "${var.name}-vpc-cni-logging-${lower(random_id.default.hex)}" + description = "Additional test policy" + + policy = jsonencode( + { + Version = "2012-10-17" + Statement = [ + { + Sid = "CloudWatchLogging" + Effect = "Allow" + Action = [ + "logs:DescribeLogGroups", + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:PutLogEvents" + ] + Resource = "*" + } + ] + } + ) + + tags = var.tags +} diff --git a/variables.tf b/variables.tf index e4edd25..90cd16e 100644 --- a/variables.tf +++ b/variables.tf @@ -124,12 +124,6 @@ variable "cluster_additional_security_group_ids" { default = [] } -variable "dataplane_wait_duration" { - description = "Duration to wait after the EKS cluster has become active before creating the dataplane components (EKS managed nodegroup(s), self-managed nodegroup(s), Fargate profile(s))" - type = string - default = "4m" -} - ################################################################################ # Cluster Security Group ################################################################################
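Review bot: `aws_iam_policy.vpc_cni_logging` grants `logs:CreateLogGroup`/`CreateLogStream`/`PutLogEvents` on `Resource = "*"` (with checkov skips) and still says `description = "Additional test policy"`; scope it to this account's log groups, e.g. `Resource = "arn:${data.aws_partition.current.partition}:logs:${var.aws_region}:${data.aws_caller_identity.current.account_id}:log-group:*"`, and give it a real description. With `create_private_key = true` the node SSH private key is generated by Terraform and then fed to `secret_string`, so the key material sits in plaintext in the Terraform state as well as in Secrets Manager — the state backend must be encrypted and access-restricted, and the secret has no `kms_key_id`, so it falls back to the AWS-managed key instead of a CMK like the `ssm_kms_key` the example already creates. `recovery_window_in_days = 0` deletes the secret unrecoverably on destroy, which is probably fine for CI but deserves a comment since the same defaults ship in the module.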