From 1a5e97bd3d848d2d413d5994bfea5151d552b960 Mon Sep 17 00:00:00 2001 From: Max Xu Date: Sun, 28 Jul 2024 12:33:07 +0800 Subject: [PATCH 01/31] Disable aws_iam_policy_document when enable_resource_creation is false --- aws_load_balancer_controller.tf | 4 ++++ cert_manager.tf | 4 ++++ cluster_autoscaler.tf | 4 ++++ csi.tf | 4 ++++ external_dns.tf | 4 ++++ 5 files changed, 20 insertions(+) diff --git a/aws_load_balancer_controller.tf b/aws_load_balancer_controller.tf index 704314e..9837cb2 100644 --- a/aws_load_balancer_controller.tf +++ b/aws_load_balancer_controller.tf @@ -13,6 +13,8 @@ # limitations under the License. data "aws_iam_policy_document" "aws_load_balancer_controller" { + count = var.enable_resource_creation ? 1 : 0 + statement { actions = [ "iam:CreateServiceLinkedRole", @@ -237,6 +239,8 @@ data "aws_iam_policy_document" "aws_load_balancer_controller" { } data "aws_iam_policy_document" "aws_load_balancer_controller_sts" { + count = var.enable_resource_creation ? 1 : 0 + statement { actions = [ "sts:AssumeRoleWithWebIdentity" diff --git a/cert_manager.tf b/cert_manager.tf index 5342301..9e8e971 100644 --- a/cert_manager.tf +++ b/cert_manager.tf @@ -13,6 +13,8 @@ # limitations under the License. data "aws_iam_policy_document" "cert_manager" { + count = var.enable_resource_creation ? 1 : 0 + statement { sid = "Changes" actions = [ @@ -49,6 +51,8 @@ data "aws_iam_policy_document" "cert_manager" { } data "aws_iam_policy_document" "cert_manager_sts" { + count = var.enable_resource_creation ? 1 : 0 + statement { actions = [ "sts:AssumeRoleWithWebIdentity" diff --git a/cluster_autoscaler.tf b/cluster_autoscaler.tf index 429a0e5..45476f4 100644 --- a/cluster_autoscaler.tf +++ b/cluster_autoscaler.tf @@ -13,6 +13,8 @@ # limitations under the License. data "aws_iam_policy_document" "cluster_autoscaler" { + count = var.enable_resource_creation ? 1 : 0 + statement { effect = "Allow" 
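Review bot: The `count` added to `data "aws_iam_policy_document" "aws_load_balancer_controller"` turns the data source into a list, but the `.json` references to it in the `aws_iam_role` and `aws_iam_policy` resources of the same file (visible in patch 03/31 below) are not indexed in this commit, so the configuration does not validate between patch 01 and patch 03. The same applies to the other nine hunks in this patch. Gating a data source and indexing its consumers belong in one commit, e.g. `policy = data.aws_iam_policy_document.aws_load_balancer_controller[0].json` alongside the `count` line.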
@@ -51,6 +53,8 @@ data "aws_iam_policy_document" "cluster_autoscaler" { } data "aws_iam_policy_document" "cluster_autoscaler_sts" { + count = var.enable_resource_creation ? 1 : 0 + statement { actions = [ "sts:AssumeRoleWithWebIdentity" diff --git a/csi.tf b/csi.tf index d546674..05be30f 100644 --- a/csi.tf +++ b/csi.tf @@ -13,6 +13,8 @@ # limitations under the License. data "aws_iam_policy_document" "csi" { + count = var.enable_resource_creation ? 1 : 0 + statement { actions = [ "ec2:CreateSnapshot", @@ -142,6 +144,8 @@ data "aws_iam_policy_document" "csi" { } data "aws_iam_policy_document" "csi_sts" { + count = var.enable_resource_creation ? 1 : 0 + statement { actions = [ "sts:AssumeRoleWithWebIdentity" diff --git a/external_dns.tf b/external_dns.tf index 507006d..741a006 100644 --- a/external_dns.tf +++ b/external_dns.tf @@ -13,6 +13,8 @@ # limitations under the License. data "aws_iam_policy_document" "external_dns" { + count = var.enable_resource_creation ? 1 : 0 + statement { sid = "ChangeResourceRecordSets" actions = [ @@ -39,6 +41,8 @@ data "aws_iam_policy_document" "external_dns" { } data "aws_iam_policy_document" "external_dns_sts" { + count = var.enable_resource_creation ? 1 : 0 + statement { actions = [ "sts:AssumeRoleWithWebIdentity" From 6b35c23cc6bdc9ec1f86dbdc2910f3d3077f2bce Mon Sep 17 00:00:00 2001 From: Max Xu Date: Wed, 14 Aug 2024 22:55:45 +0800 Subject: [PATCH 02/31] Upgrade to terraform-aws-modules v20.23.0 --- main.tf | 18 ++++++++++++++---- variables.tf | 30 ++++++++++++++++++++++++++++++ versions.tf | 4 ++-- 3 files changed, 46 insertions(+), 6 deletions(-) diff --git a/main.tf b/main.tf index ea64211..c597562 100644 --- a/main.tf +++ b/main.tf @@ -147,6 +147,7 @@ locals { subnet_ids = local.node_group_subnet_ids instance_types = [var.v3_node_group_core_instance_type] name = "snc-core" + use_name_prefix = true taints = local.v3_node_taints desired_size = var.node_pool_desired_size min_size = var.node_pool_min_size 
@@ -159,6 +160,7 @@ locals { }) node_groups = var.enable_v3_node_migration ? merge(local.v3_node_groups, local.v2_node_groups) : var.enable_v3_node_groups ? local.v3_node_groups : local.v2_node_groups + eks_managed_node_groups = var.node_groups != null ? var.node_groups : local.node_groups ## Node Security Group Configuration default_sg_rules = { @@ -214,7 +216,7 @@ locals { module "eks" { source = "terraform-aws-modules/eks/aws" - version = "18.30.2" #"19.6.0" + version = "20.23.0" ###################################################################################################### ### This section takes into account the breaking changes made in v18.X of the community EKS module ### @@ -229,7 +231,6 @@ module "eks" { node_security_group_name = var.migration_mode ? var.migration_mode_node_sg_name : null ###################################################################################################### - aws_auth_roles = local.role_bindings cluster_name = var.cluster_name cluster_version = var.cluster_version cluster_endpoint_private_access = true # Always set to true here, which enables private networking for the node groups 
@@ -244,19 +245,28 @@ module "eks" { create_cluster_security_group = var.create_cluster_security_group create_node_security_group = var.create_node_security_group create_iam_role = var.use_runtime_policy ? false : true - eks_managed_node_groups = local.node_groups + eks_managed_node_groups = local.eks_managed_node_groups eks_managed_node_group_defaults = local.node_group_defaults enable_irsa = true iam_role_arn = var.use_runtime_policy ? aws_iam_role.cluster[0].arn : null iam_role_path = var.iam_path iam_role_permissions_boundary = var.permissions_boundary_arn - manage_aws_auth_configmap = var.manage_aws_auth_configmap node_security_group_id = var.node_security_group_id node_security_group_additional_rules = merge(var.node_security_group_additional_rules, local.default_sg_rules) openid_connect_audiences = ["sts.amazonaws.com"] tags = local.tags vpc_id = var.vpc_id cluster_service_ipv4_cidr = var.cluster_service_ipv4_cidr + + bootstrap_self_managed_addons = var.bootstrap_self_managed_addons +} + +module "eks_auth" { + source = "terraform-aws-modules/eks/aws//modules/aws-auth" + version = "20.20.0" + + manage_aws_auth_configmap = var.manage_aws_auth_configmap + aws_auth_roles = local.role_bindings } ### Additional Tags diff --git a/variables.tf b/variables.tf index bcf2566..ad41b49 100644 --- a/variables.tf +++ b/variables.tf 
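Review bot: `module "eks_auth"` is pinned to `version = "20.20.0"` while the root `module "eks"` in the same hunk moves to `20.23.0`; the aws-auth submodule ships from the same repository, so the two should be pinned together (`version = "20.23.0"`). The hunk also jumps two major versions of the community module, and if I recall the v20 defaults correctly, cluster access moved to access entries (`authentication_mode`, `enable_cluster_creator_admin_permissions`), so how existing clusters keep their admin access through the upgrade deserves a sentence in the commit message. The `module "eks"` block begins outside this hunk.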
@@ -659,3 +659,33 @@ variable "cluster_service_ipv4_cidr" { type = string default = null } + +variable "bootstrap_self_managed_addons" { + description = "Indicates whether or not to bootstrap self-managed addons after the cluster has been created" + type = bool + default = null +} + +# Sample +/** +node_groups = { + snc_core = { + name = "snc-core" + use_name_prefix = true + + launch_template_name = "snc-core" + launch_template_use_name_prefix = true + + instance_types = ["m6i.large"] + + min_size = 2 + max_size = 5 + desired_size = 2 + } + } +**/ +variable "node_groups" { + description = "Map of EKS managed node group definitions to create" + type = any + default = null +} diff --git a/versions.tf b/versions.tf index 75013ed..86d218d 100644 --- a/versions.tf +++ b/versions.tf @@ -13,11 +13,11 @@ # limitations under the License. terraform { - required_version = ">=1.1.0" + required_version = ">=1.3.2" required_providers { aws = { - version = ">=3.61.0" + version = "5.61.0" source = "hashicorp/aws" } helm = { From 73b28eb6d5c3930e825587cf1011489c3e313bfb Mon Sep 17 00:00:00 2001 From: Max Xu Date: Thu, 5 Sep 2024 00:03:20 +0800 Subject: [PATCH 03/31] Fix count access --- aws_load_balancer_controller.tf | 4 ++-- cert_manager.tf | 4 ++-- cluster_autoscaler.tf | 4 ++-- csi.tf | 4 ++-- external_dns.tf | 4 ++-- variables.tf | 1 + 6 files changed, 11 insertions(+), 10 deletions(-) diff --git a/aws_load_balancer_controller.tf b/aws_load_balancer_controller.tf index 9837cb2..5fd7d52 100644 --- a/aws_load_balancer_controller.tf +++ b/aws_load_balancer_controller.tf 
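Review bot: The `description` of `node_groups` does not say that a non-null value replaces, rather than merges with, the node groups derived from the `node_pool_*` variables (`eks_managed_node_groups = var.node_groups != null ? var.node_groups : local.node_groups` in the main.tf hunk above), which is the behaviour a caller most needs to know. `description = "Map of EKS managed node group definitions; when set, replaces the node groups derived from the node_pool_* variables"` would state it. With `type = any` nothing is validated, so the example comment is the only contract and should stay in sync with what main.tf actually consumes.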
@@ -262,7 +262,7 @@ resource "aws_iam_role" "aws_load_balancer_controller" { count = var.enable_resource_creation ? 1 : 0 name = format("%s-lbc-role", module.eks.cluster_id) description = format("Role used by IRSA and the KSA aws-load-balancer-controller on StreamNative Cloud EKS cluster %s", module.eks.cluster_id) - assume_role_policy = data.aws_iam_policy_document.aws_load_balancer_controller_sts.json + assume_role_policy = data.aws_iam_policy_document.aws_load_balancer_controller_sts.0.json path = "/StreamNative/" permissions_boundary = var.permissions_boundary_arn tags = local.tags @@ -279,7 +279,7 @@ resource "aws_iam_policy" "aws_load_balancer_controller" { name = format("%s-AWSLoadBalancerControllerPolicy", module.eks.cluster_id) description = "Policy that defines the permissions for the AWS Load Balancer Controller addon service running in a StreamNative Cloud EKS cluster" path = "/StreamNative/" - policy = data.aws_iam_policy_document.aws_load_balancer_controller.json + policy = data.aws_iam_policy_document.aws_load_balancer_controller.0.json tags = local.tags } diff --git a/cert_manager.tf b/cert_manager.tf index 9e8e971..9f6924e 100644 --- a/cert_manager.tf +++ b/cert_manager.tf @@ -74,7 +74,7 @@ resource "aws_iam_role" "cert_manager" { count = var.enable_resource_creation ? 1 : 0 name = format("%s-cm-role", module.eks.cluster_id) description = format("Role assumed by IRSA and the KSA cert-manager on StreamNative Cloud EKS cluster %s", module.eks.cluster_id) - assume_role_policy = data.aws_iam_policy_document.cert_manager_sts.json + assume_role_policy = data.aws_iam_policy_document.cert_manager_sts.0.json path = "/StreamNative/" permissions_boundary = var.permissions_boundary_arn tags = local.tags 
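Review bot: `data.aws_iam_policy_document.aws_load_balancer_controller_sts.0.json` uses the legacy attribute-style index; `[0].json` is the documented form and is what `cluster_assume_role_policy[0].json` uses later in this series, so this hunk and the nine others in the patch should read `assume_role_policy = data.aws_iam_policy_document.aws_load_balancer_controller_sts[0].json` and `policy = data.aws_iam_policy_document.aws_load_balancer_controller[0].json`. The index is only safe because the role, the policy and the documents share the same `enable_resource_creation` guard; a comment on the resource's `count` line such as `# must match the count on the policy documents referenced below` would record that coupling.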
@@ -91,7 +91,7 @@ resource "aws_iam_policy" "cert_manager" { name = format("%s-CertManagerPolicy", module.eks.cluster_id) description = "Policy that defines the permissions for the Cert-Manager addon service running in a StreamNative Cloud EKS cluster" path = "/StreamNative/" - policy = data.aws_iam_policy_document.cert_manager.json + policy = data.aws_iam_policy_document.cert_manager.0.json tags = local.tags } diff --git a/cluster_autoscaler.tf b/cluster_autoscaler.tf index 45476f4..497720f 100644 --- a/cluster_autoscaler.tf +++ b/cluster_autoscaler.tf @@ -81,7 +81,7 @@ resource "aws_iam_role" "cluster_autoscaler" { count = var.enable_resource_creation ? 1 : 0 name = format("%s-ca-role", module.eks.cluster_id) description = format("Role used by IRSA and the KSA cluster-autoscaler on StreamNative Cloud EKS cluster %s", module.eks.cluster_id) - assume_role_policy = data.aws_iam_policy_document.cluster_autoscaler_sts.json + assume_role_policy = data.aws_iam_policy_document.cluster_autoscaler_sts.0.json path = "/StreamNative/" permissions_boundary = var.permissions_boundary_arn tags = local.tags @@ -98,7 +98,7 @@ resource "aws_iam_policy" "cluster_autoscaler" { name = format("%s-ClusterAutoscalerPolicy", module.eks.cluster_id) description = "Policy that defines the permissions for the Cluster Autoscaler addon service running in a StreamNative Cloud EKS cluster" path = "/StreamNative/" - policy = data.aws_iam_policy_document.cluster_autoscaler.json + policy = data.aws_iam_policy_document.cluster_autoscaler.0.json tags = local.tags } diff --git a/csi.tf b/csi.tf index 05be30f..477ebb3 100644 --- a/csi.tf +++ b/csi.tf 
@@ -172,7 +172,7 @@ resource "aws_iam_role" "csi" { count = var.enable_resource_creation ? 1 : 0 name = format("%s-csi-role", module.eks.cluster_id) description = format("Role used by IRSA and the KSA ebs-csi-controller-sa on StreamNative Cloud EKS cluster %s", module.eks.cluster_id) - assume_role_policy = data.aws_iam_policy_document.csi_sts.json + assume_role_policy = data.aws_iam_policy_document.csi_sts.0.json path = "/StreamNative/" permissions_boundary = var.permissions_boundary_arn tags = local.tags @@ -189,7 +189,7 @@ resource "aws_iam_policy" "csi" { name = format("%s-CsiPolicy", module.eks.cluster_id) description = "Policy that defines the permissions for the EBS Container Storage Interface CSI addon service running in a StreamNative Cloud EKS cluster" path = "/StreamNative/" - policy = data.aws_iam_policy_document.csi.json + policy = data.aws_iam_policy_document.csi.0.json tags = local.tags } diff --git a/external_dns.tf b/external_dns.tf index 741a006..f620fbe 100644 --- a/external_dns.tf +++ b/external_dns.tf @@ -64,7 +64,7 @@ resource "aws_iam_role" "external_dns" { count = var.enable_resource_creation ? 1 : 0 name = format("%s-extdns-role", module.eks.cluster_id) description = format("Role used by IRSA and the KSA external-dns on StreamNative Cloud EKS cluster %s", module.eks.cluster_id) - assume_role_policy = data.aws_iam_policy_document.external_dns_sts.json + assume_role_policy = data.aws_iam_policy_document.external_dns_sts.0.json path = "/StreamNative/" permissions_boundary = var.permissions_boundary_arn tags = local.tags @@ -81,7 +81,7 @@ resource "aws_iam_policy" "external_dns" { name = format("%s-ExternalDnsPolicy", module.eks.cluster_id) description = "Policy that defines the permissions for the ExternalDNS addon service running in a StreamNative Cloud EKS cluster" path = "/StreamNative/" - policy = data.aws_iam_policy_document.external_dns.json + policy = data.aws_iam_policy_document.external_dns.0.json tags = local.tags } 
diff --git a/variables.tf b/variables.tf index ad41b49..194312f 100644 --- a/variables.tf +++ b/variables.tf @@ -675,6 +675,7 @@ node_groups = { launch_template_name = "snc-core" launch_template_use_name_prefix = true + launch_template_version = 9 instance_types = ["m6i.large"] From a4cbf64e7e293a8129adfb8d8eca4b9393b4faa4 Mon Sep 17 00:00:00 2001 From: Max Xu Date: Thu, 5 Sep 2024 00:31:43 +0800 Subject: [PATCH 04/31] Defaulting node groups --- main.tf | 8 +++++++- variables.tf | 4 ++-- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/main.tf b/main.tf index c597562..e4c39c3 100644 --- a/main.tf +++ b/main.tf @@ -160,7 +160,13 @@ locals { }) node_groups = var.enable_v3_node_migration ? merge(local.v3_node_groups, local.v2_node_groups) : var.enable_v3_node_groups ? local.v3_node_groups : local.v2_node_groups - eks_managed_node_groups = var.node_groups != null ? var.node_groups : local.node_groups + defaulted_node_groups = tomap({ + for k, v in var.node_groups : k => merge( + v, + contains(keys(v), "subnet_ids") ? {} : { "subnet_ids" = local.node_group_subnet_ids }, + ) + }) + eks_managed_node_groups = var.node_groups != null ? local.defaulted_node_groups : local.node_groups ## Node Security Group Configuration default_sg_rules = { diff --git a/variables.tf b/variables.tf index 194312f..8c71381 100644 --- a/variables.tf +++ b/variables.tf @@ -666,7 +666,7 @@ variable "bootstrap_self_managed_addons" { default = null } -# Sample +# Example /** node_groups = { snc_core = { @@ -683,7 +683,7 @@ node_groups = { max_size = 5 desired_size = 2 } - } +} **/ variable "node_groups" { description = "Map of EKS managed node group definitions to create" From 38466192f69d27b9a53f64b8c5766c2e95e2948e Mon Sep 17 00:00:00 2001 From: Max Xu Date: Thu, 5 Sep 2024 21:54:10 +0800 Subject: [PATCH 05/31] Use object --- main.tf | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/main.tf b/main.tf index e4c39c3..7bc14c3 100644 --- a/main.tf 
+++ b/main.tf @@ -117,7 +117,7 @@ locals { } ## Create the node groups, one for each instance type AND each availability zone/subnet - v2_node_groups = tomap({ + v2_node_groups = { for node_group in flatten([ for instance_type in var.node_pool_instance_types : [ for i, j in data.aws_subnet.private_subnets : { @@ -132,7 +132,7 @@ locals { } ] ]) : "${node_group.name}" => node_group - }) + } v3_node_taints = var.enable_v3_node_taints ? { "core" = { @@ -142,7 +142,7 @@ locals { } } : {} - v3_node_groups = tomap({ + v3_node_groups = { "snc-core" = { subnet_ids = local.node_group_subnet_ids instance_types = [var.v3_node_group_core_instance_type] @@ -157,15 +157,15 @@ locals { "cloud.streamnative.io/instance-group" = "Core" })) } - }) + } node_groups = var.enable_v3_node_migration ? merge(local.v3_node_groups, local.v2_node_groups) : var.enable_v3_node_groups ? local.v3_node_groups : local.v2_node_groups - defaulted_node_groups = tomap({ + defaulted_node_groups = { for k, v in var.node_groups : k => merge( v, contains(keys(v), "subnet_ids") ? {} : { "subnet_ids" = local.node_group_subnet_ids }, ) - }) + } eks_managed_node_groups = var.node_groups != null ? local.defaulted_node_groups : local.node_groups ## Node Security Group Configuration From 85999a69dd626138c5d64a61fe871115c1f7868c Mon Sep 17 00:00:00 2001 From: Max Xu Date: Thu, 5 Sep 2024 23:21:22 +0800 Subject: [PATCH 06/31] Resolve true and false result expressions must have consistent types --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 7bc14c3..48aad15 100644 --- a/main.tf +++ b/main.tf 
@@ -166,7 +166,7 @@ locals { contains(keys(v), "subnet_ids") ? {} : { "subnet_ids" = local.node_group_subnet_ids }, ) } - eks_managed_node_groups = var.node_groups != null ? local.defaulted_node_groups : local.node_groups + eks_managed_node_groups = [local.defaulted_node_groups, local.node_groups][var.node_groups != null ? 0 : 1] ## Node Security Group Configuration default_sg_rules = { From 96efbd3cac27e7f15475e1d747e7685e617aa3aa Mon Sep 17 00:00:00 2001 From: Max Xu Date: Fri, 6 Sep 2024 00:30:02 +0800 Subject: [PATCH 07/31] Add cluster_iam --- main.tf | 44 ++++++++++++++++++++++++-------------------- variables.tf | 19 +++++++++++++++++-- 2 files changed, 41 insertions(+), 22 deletions(-) diff --git a/main.tf b/main.tf index 48aad15..fbb9703 100644 --- a/main.tf +++ b/main.tf @@ -144,14 +144,14 @@ locals { v3_node_groups = { "snc-core" = { - subnet_ids = local.node_group_subnet_ids - instance_types = [var.v3_node_group_core_instance_type] - name = "snc-core" + subnet_ids = local.node_group_subnet_ids + instance_types = [var.v3_node_group_core_instance_type] + name = "snc-core" use_name_prefix = true - taints = local.v3_node_taints - desired_size = var.node_pool_desired_size - min_size = var.node_pool_min_size - max_size = var.node_pool_max_size + taints = local.v3_node_taints + desired_size = var.node_pool_desired_size + min_size = var.node_pool_min_size + max_size = var.node_pool_max_size labels = tomap(merge(var.node_pool_labels, { "cloud.streamnative.io/instance-type" = "Small" "cloud.streamnative.io/instance-group" = "Core" 
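Review bot: `[local.defaulted_node_groups, local.node_groups][var.node_groups != null ? 0 : 1]` evaluates both tuple elements, and `local.defaulted_node_groups` iterates `for k, v in var.node_groups`, so with the variable's `default = null` this should fail with an iteration-over-null error instead of falling back to `local.node_groups`; the conditional it replaces dropped the unchosen branch's errors, the tuple index does not. Unless a later commit in the series guards it, give `node_groups` `default = {}` (keeping `type = any`) and select with `[local.defaulted_node_groups, local.node_groups][length(var.node_groups) > 0 ? 0 : 1]`. The `locals` block continues outside the hunk.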
@@ -229,7 +229,6 @@ module "eks" { ### They are only applicable if migration_mode is set to true, for upgrading existing clusters ### ###################################################################################################### prefix_separator = var.migration_mode ? "" : "-" - iam_role_name = var.migration_mode ? var.cluster_name : null cluster_security_group_name = var.migration_mode ? var.cluster_name : null cluster_security_group_description = var.migration_mode ? "EKS cluster security group." : "EKS cluster security group" node_security_group_description = var.migration_mode ? "Security group for all nodes in the cluster." : "EKS node shared security group" @@ -237,6 +236,13 @@ module "eks" { node_security_group_name = var.migration_mode ? var.migration_mode_node_sg_name : null ###################################################################################################### + iam_role_arn = try(var.cluster_iam.iam_role_arn, aws_iam_role.cluster[0].arn) + create_iam_role = try(var.cluster_iam.create_iam_role, true) + iam_role_use_name_prefix = try(var.cluster_iam.iam_role_use_name_prefix, true) + iam_role_name = try(var.cluster_iam.iam_role_name, null) + iam_role_path = var.iam_path + iam_role_permissions_boundary = var.permissions_boundary_arn + cluster_name = var.cluster_name cluster_version = var.cluster_version cluster_endpoint_private_access = true # Always set to true here, which enables private networking for the node groups 
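Review bot: `create_iam_role = try(var.cluster_iam.create_iam_role, true)` drops the coupling to `use_runtime_policy` that the removed `create_iam_role = var.use_runtime_policy ? false : true` (next hunk) provided, so a caller with `use_runtime_policy = true` and no `cluster_iam` now gets a module-created cluster role while `aws_iam_role.cluster[0]`, whose ARN is passed in `iam_role_arn`, sits unused. `create_iam_role = try(var.cluster_iam.create_iam_role, !var.use_runtime_policy)` keeps the old default while still honouring an explicit `cluster_iam` setting. The `module "eks"` block continues outside this hunk.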
@@ -250,19 +256,17 @@ module "eks" { create_cluster_primary_security_group_tags = false # Cleaner if we handle the tag in aws_ec2_tag.cluster_security_group create_cluster_security_group = var.create_cluster_security_group create_node_security_group = var.create_node_security_group - create_iam_role = var.use_runtime_policy ? false : true - eks_managed_node_groups = local.eks_managed_node_groups - eks_managed_node_group_defaults = local.node_group_defaults - enable_irsa = true - iam_role_arn = var.use_runtime_policy ? aws_iam_role.cluster[0].arn : null - iam_role_path = var.iam_path - iam_role_permissions_boundary = var.permissions_boundary_arn - node_security_group_id = var.node_security_group_id - node_security_group_additional_rules = merge(var.node_security_group_additional_rules, local.default_sg_rules) - openid_connect_audiences = ["sts.amazonaws.com"] tags = local.tags - vpc_id = var.vpc_id - cluster_service_ipv4_cidr = var.cluster_service_ipv4_cidr + + eks_managed_node_groups = local.eks_managed_node_groups + eks_managed_node_group_defaults = local.node_group_defaults + enable_irsa = true + + vpc_id = var.vpc_id + node_security_group_id = var.node_security_group_id + node_security_group_additional_rules = merge(var.node_security_group_additional_rules, local.default_sg_rules) + openid_connect_audiences = ["sts.amazonaws.com"] + cluster_service_ipv4_cidr = var.cluster_service_ipv4_cidr bootstrap_self_managed_addons = var.bootstrap_self_managed_addons } diff --git a/variables.tf b/variables.tf index 8c71381..7e8be34 100644 --- a/variables.tf +++ b/variables.tf @@ -666,8 +666,7 @@ variable "bootstrap_self_managed_addons" { default = null } -# Example -/** +/** Example node_groups = { snc_core = { name = "snc-core" 
@@ -690,3 +689,19 @@ variable "node_groups" { type = any default = null } + + + +/** Example +cluster_iam = { + create_iam_role = true + iam_role_use_name_prefix = false + iam_role_name = "" + iam_role_arn = "" +} +**/ +variable "cluster_iam" { + description = "Cluster IAM settings" + type = any + default = null +} From 67d8420a87b0158dd6f31bd62bf1206a45704ff8 Mon Sep 17 00:00:00 2001 From: Max Xu Date: Fri, 6 Sep 2024 00:35:48 +0800 Subject: [PATCH 08/31] Fix try at least have one result --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index fbb9703..54d9610 100644 --- a/main.tf +++ b/main.tf @@ -236,7 +236,7 @@ module "eks" { node_security_group_name = var.migration_mode ? var.migration_mode_node_sg_name : null ###################################################################################################### - iam_role_arn = try(var.cluster_iam.iam_role_arn, aws_iam_role.cluster[0].arn) + iam_role_arn = try(var.cluster_iam.iam_role_arn, aws_iam_role.cluster[0].arn, null) create_iam_role = try(var.cluster_iam.create_iam_role, true) iam_role_use_name_prefix = try(var.cluster_iam.iam_role_use_name_prefix, true) iam_role_name = try(var.cluster_iam.iam_role_name, null) From 6b9bff4db50ede5a1aaa0bfffb7e72e1edfb8845 Mon Sep 17 00:00:00 2001 From: Max Xu Date: Sun, 8 Sep 2024 23:15:19 +0800 Subject: [PATCH 09/31] Add cluster_networking --- cert_manager.tf | 2 +- cluster_autoscaler.tf | 2 +- external_dns.tf | 2 +- main.tf | 54 ++++++++++++++----------------- variables.tf | 74 ++++++++++++++++++++++++++++++++----------- 5 files changed, 81 insertions(+), 53 deletions(-) diff --git a/cert_manager.tf b/cert_manager.tf index 9f6924e..0a9c711 100644 --- a/cert_manager.tf +++ b/cert_manager.tf @@ -52,7 +52,7 @@ data "aws_iam_policy_document" "cert_manager" { data "aws_iam_policy_document" "cert_manager_sts" { count = var.enable_resource_creation ? 1 : 0 - + statement { actions = [ "sts:AssumeRoleWithWebIdentity" 
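Review bot: `variable "cluster_iam"` is `type = any` and every consumer reads it through `try()`, so a misspelled key such as `iam_role_arn` silently falls through to the module-created role instead of failing the plan; for an input that decides which IAM role the control plane runs under, that should be a hard error. A Terraform 1.3 object type with `optional()` attribute defaults (versions.tf already requires `>=1.3.2`) keeps the same defaults and the `try()` call sites while rejecting unknown keys.
```hcl
variable "cluster_iam" {
  description = "Cluster IAM settings; attributes left unset take the module defaults"
  type = object({
    create_iam_role          = optional(bool, true)
    iam_role_use_name_prefix = optional(bool, true)
    iam_role_name            = optional(string)
    iam_role_arn             = optional(string)
  })
  default = null
}
```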
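Review bot: `try(var.cluster_iam.iam_role_arn, aws_iam_role.cluster[0].arn, null)` only reaches the `null` by letting `try()` swallow the index error raised when `aws_iam_role.cluster` has `count = 0`, which also hides any genuine error in that middle expression. `iam_role_arn = try(var.cluster_iam.iam_role_arn, one(aws_iam_role.cluster[*].arn))` yields null for the empty case without relying on error suppression. The `module "eks"` block continues outside this hunk.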
diff --git a/cluster_autoscaler.tf b/cluster_autoscaler.tf index 497720f..0170883 100644 --- a/cluster_autoscaler.tf +++ b/cluster_autoscaler.tf @@ -14,7 +14,7 @@ data "aws_iam_policy_document" "cluster_autoscaler" { count = var.enable_resource_creation ? 1 : 0 - + statement { effect = "Allow" diff --git a/external_dns.tf b/external_dns.tf index f620fbe..b7bcb8b 100644 --- a/external_dns.tf +++ b/external_dns.tf @@ -42,7 +42,7 @@ data "aws_iam_policy_document" "external_dns" { data "aws_iam_policy_document" "external_dns_sts" { count = var.enable_resource_creation ? 1 : 0 - + statement { actions = [ "sts:AssumeRoleWithWebIdentity" diff --git a/main.tf b/main.tf index 54d9610..38d7bd9 100644 --- a/main.tf +++ b/main.tf 
@@ -222,19 +222,7 @@ locals { module "eks" { source = "terraform-aws-modules/eks/aws" - version = "20.23.0" - - ###################################################################################################### - ### This section takes into account the breaking changes made in v18.X of the community EKS module ### - ### They are only applicable if migration_mode is set to true, for upgrading existing clusters ### - ###################################################################################################### - prefix_separator = var.migration_mode ? "" : "-" - cluster_security_group_name = var.migration_mode ? var.cluster_name : null - cluster_security_group_description = var.migration_mode ? "EKS cluster security group." : "EKS cluster security group" - node_security_group_description = var.migration_mode ? "Security group for all nodes in the cluster." : "EKS node shared security group" - node_security_group_use_name_prefix = var.migration_mode ? false : true - node_security_group_name = var.migration_mode ? var.migration_mode_node_sg_name : null - ###################################################################################################### + version = "20.24.0" iam_role_arn = try(var.cluster_iam.iam_role_arn, aws_iam_role.cluster[0].arn, null) create_iam_role = try(var.cluster_iam.create_iam_role, true) 
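Review bot: Removing the `migration_mode` block changes the names of the cluster and node security groups for any cluster that was applied with `migration_mode = true` (`prefix_separator = ""`, `cluster_security_group_name = var.cluster_name`, an explicit node SG name), and a name change on a security group forces replacement, so the commit message should say whether that upgrade path is still supported or what an operator must do. If `variable "migration_mode"` and `migration_mode_node_sg_name` still exist in variables.tf (not visible here) they are now dead inputs and should be removed or marked deprecated in their `description`. The `module "eks"` block continues outside this hunk.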
@@ -243,37 +231,40 @@ module "eks" { iam_role_path = var.iam_path iam_role_permissions_boundary = var.permissions_boundary_arn - cluster_name = var.cluster_name - cluster_version = var.cluster_version - cluster_endpoint_private_access = true # Always set to true here, which enables private networking for the node groups - cluster_endpoint_public_access = var.disable_public_eks_endpoint ? false : true - cluster_endpoint_public_access_cidrs = var.allowed_public_cidrs - cluster_enabled_log_types = var.cluster_enabled_log_types - cluster_security_group_additional_rules = var.cluster_security_group_additional_rules - cluster_security_group_id = var.cluster_security_group_id + cluster_name = var.cluster_name + cluster_version = var.cluster_version + cluster_endpoint_private_access = true # Always set to true here, which enables private networking for the node groups + cluster_endpoint_public_access = var.disable_public_eks_endpoint ? false : true + cluster_endpoint_public_access_cidrs = var.allowed_public_cidrs + enable_irsa = true + openid_connect_audiences = ["sts.amazonaws.com"] + bootstrap_self_managed_addons = var.bootstrap_self_managed_addons + + vpc_id = var.vpc_id control_plane_subnet_ids = local.cluster_subnet_ids - create_cloudwatch_log_group = false + cluster_service_ipv4_cidr = try(var.cluster_networking.cluster_service_ipv4_cidr, var.cluster_service_ipv4_cidr, null) + cluster_security_group_id = try(var.cluster_networking.cluster_security_group_id, var.cluster_security_group_id, "") + cluster_additional_security_group_ids = try(var.cluster_networking.cluster_additional_security_group_ids, []) + create_cluster_security_group = try(var.cluster_networking.create_cluster_security_group, var.create_cluster_security_group, true) + cluster_security_group_name = try(var.cluster_networking.cluster_security_group_name, var.cluster_name, null) + cluster_security_group_additional_rules = try(var.cluster_networking.cluster_security_group_additional_rules, 
var.cluster_security_group_additional_rules, {}) create_cluster_primary_security_group_tags = false # Cleaner if we handle the tag in aws_ec2_tag.cluster_security_group - create_cluster_security_group = var.create_cluster_security_group - create_node_security_group = var.create_node_security_group - tags = local.tags eks_managed_node_groups = local.eks_managed_node_groups eks_managed_node_group_defaults = local.node_group_defaults - enable_irsa = true - vpc_id = var.vpc_id node_security_group_id = var.node_security_group_id + create_node_security_group = var.create_node_security_group node_security_group_additional_rules = merge(var.node_security_group_additional_rules, local.default_sg_rules) - openid_connect_audiences = ["sts.amazonaws.com"] - cluster_service_ipv4_cidr = var.cluster_service_ipv4_cidr - bootstrap_self_managed_addons = var.bootstrap_self_managed_addons + cluster_enabled_log_types = var.cluster_enabled_log_types + create_cloudwatch_log_group = false + tags = local.tags } module "eks_auth" { source = "terraform-aws-modules/eks/aws//modules/aws-auth" - version = "20.20.0" + version = "20.24.0" manage_aws_auth_configmap = var.manage_aws_auth_configmap aws_auth_roles = local.role_bindings @@ -360,6 +351,7 @@ moved { ### Cluster IAM Role data "aws_iam_policy_document" "cluster_assume_role_policy" { + count = var.use_runtime_policy ? 1 : 0 statement { actions = [ "sts:AssumeRole" diff --git a/variables.tf b/variables.tf index 7e8be34..cb3a4b0 100644 --- a/variables.tf +++ b/variables.tf 
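Review bot: The `cluster_networking.*` lookups fall back to the legacy top-level variables (`var.cluster_security_group_id`, `var.create_cluster_security_group`, `var.cluster_security_group_additional_rules`) and then to a literal, so the same setting can now arrive through two inputs with an undocumented precedence. A comment above the `vpc_id` line such as `# cluster_networking.* takes precedence over the legacy top-level variables; the last argument is the module default` would record that, and the legacy variables' descriptions should point at `cluster_networking`. Since `cluster_security_group_additional_rules` are rules on the control-plane security group, the untyped pass-through is worth an object type or a `validation` block once the shape settles. The `module "eks"` block begins outside this hunk.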
@@ -666,18 +666,70 @@ variable "bootstrap_self_managed_addons" { default = null } +/** Example +cluster_iam = { + create_iam_role = true + iam_role_use_name_prefix = false + iam_role_name = "" + iam_role_arn = "" +} +**/ +variable "cluster_iam" { + description = "Cluster IAM settings" + type = any + default = null +} + +/** Example +cluster_networking = { + cluster_service_ipv4_cidr = null + + cluster_security_group_id = "" + cluster_additional_security_group_ids = [] + create_cluster_security_group = true + cluster_security_group_name = null + cluster_security_group_additional_rules = {} + cluster_security_group_description = "" + create_cluster_primary_security_group_tags = false +} +**/ +variable "cluster_networking" { + description = "Cluster Networking settings" + type = any + default = null +} + /** Example node_groups = { snc_core = { - name = "snc-core" + name = "snc-core" use_name_prefix = true + create_iam_role = false + iam_role_arn = null + iam_role_name = null + iam_role_use_name_prefix = true + iam_role_path = null + iam_role_description = "" + iam_role_permissions_boundary = null + iam_role_tags = {} + iam_role_attach_cni_policy = true + iam_role_additional_policies = {} + create_iam_role_policy = true + iam_role_policy_statements = [] + + create_launch_template = true + use_custom_launch_template = true + launch_template_id = "" launch_template_name = "snc-core" launch_template_use_name_prefix = true - launch_template_version = 9 + launch_template_version = null + launch_template_default_version = null + update_launch_template_default_version = true + launch_template_description = "" + vpc_security_group_ids = [] instance_types = ["m6i.large"] - min_size = 2 max_size = 5 desired_size = 2 
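Review bot: The `cluster_networking` example lists `cluster_security_group_description` and `create_cluster_primary_security_group_tags`, but the main.tf hunk in this patch reads neither (`create_cluster_primary_security_group_tags = false` stays hard-coded), so a caller who sets them gets no effect and no error because the variable is `type = any`. Either wire them through with the same `try()` pattern or drop them from the example; `description = "Cluster Networking settings; keys not listed in the example above are ignored"` would at least make the contract explicit. The same caveat applies to the `iam_role_*` keys added to the `node_groups` example, which are merged and passed straight to the module's `eks_managed_node_groups` with no validation in this module.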
@@ -689,19 +741,3 @@ variable "node_groups" { type = any default = null } - - - -/** Example -cluster_iam = { - create_iam_role = true - iam_role_use_name_prefix = false - iam_role_name = "" - iam_role_arn = "" -} -**/ -variable "cluster_iam" { - description = "Cluster IAM settings" - type = any - default = null -} From 52777c046916f7a06feef98fb243d32b2ec55b4a Mon Sep 17 00:00:00 2001 From: Max Xu Date: Sun, 8 Sep 2024 23:28:14 +0800 Subject: [PATCH 10/31] Fix count index --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 38d7bd9..5f77a40 100644 --- a/main.tf +++ b/main.tf @@ -368,7 +368,7 @@ resource "aws_iam_role" "cluster" { count = var.use_runtime_policy ? 1 : 0 name = format("%s-cluster-role", var.cluster_name) description = format("The IAM Role used by the %s EKS cluster", var.cluster_name) - assume_role_policy = data.aws_iam_policy_document.cluster_assume_role_policy.json + assume_role_policy = data.aws_iam_policy_document.cluster_assume_role_policy[0].json tags = local.tags path = "/StreamNative/" permissions_boundary = var.permissions_boundary_arn From 2c33543faf6854fcabdf160c639f3b8c7d1a428a Mon Sep 17 00:00:00 2001 From: Max Xu Date: Sun, 8 Sep 2024 23:50:28 +0800 Subject: [PATCH 11/31] Fix cluster_security_group_name default value --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 5f77a40..4bb6800 100644 --- a/main.tf +++ b/main.tf 
@@ -246,7 +246,7 @@ module "eks" { cluster_security_group_id = try(var.cluster_networking.cluster_security_group_id, var.cluster_security_group_id, "") cluster_additional_security_group_ids = try(var.cluster_networking.cluster_additional_security_group_ids, []) create_cluster_security_group = try(var.cluster_networking.create_cluster_security_group, var.create_cluster_security_group, true) - cluster_security_group_name = try(var.cluster_networking.cluster_security_group_name, var.cluster_name, null) + cluster_security_group_name = try(var.cluster_networking.cluster_security_group_name, null) cluster_security_group_additional_rules = try(var.cluster_networking.cluster_security_group_additional_rules, var.cluster_security_group_additional_rules, {}) create_cluster_primary_security_group_tags = false # Cleaner if we handle the tag in aws_ec2_tag.cluster_security_group From 5ed0e9fa0426d7a3f471d248575e1258fab6c639 Mon Sep 17 00:00:00 2001 From: Max Xu Date: Wed, 18 Sep 2024 16:02:17 +0800 Subject: [PATCH 12/31] Upgrade aws provider version --- main.tf | 2 +- versions.tf | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/main.tf b/main.tf index 4bb6800..bcf8b5b 100644 --- a/main.tf +++ b/main.tf @@ -222,7 +222,7 @@ locals { module "eks" { source = "terraform-aws-modules/eks/aws" - version = "20.24.0" + version = "20.24.1" iam_role_arn = try(var.cluster_iam.iam_role_arn, aws_iam_role.cluster[0].arn, null) create_iam_role = try(var.cluster_iam.create_iam_role, true) diff --git a/versions.tf b/versions.tf index 86d218d..566945e 100644 --- a/versions.tf +++ b/versions.tf 
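Review bot: Dropping `var.cluster_name` from the `cluster_security_group_name` fallback changes the default name of the cluster security group for every existing deployment that does not set `cluster_networking`, and a security group name change is a replacement rather than an in-place update. Unless the upstream module derives an identical name from `cluster_name` when given `null`, an apply on an existing cluster would recreate the SG and its rules, which is the situation the module's `migration_mode` input exists for. The commit message should state that this is intended and how existing users migrate, or the fallback should stay as `try(var.cluster_networking.cluster_security_group_name, var.cluster_name, null)` until a major version; the enclosing `module "eks"` block extends beyond the hunk.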
@@ -13,20 +13,20 @@ # limitations under the License. terraform { - required_version = ">=1.3.2" + required_version = ">= 1.3.2" required_providers { aws = { - version = "5.61.0" source = "hashicorp/aws" + version = ">= 5.61" + } + kubernetes = { + source = "hashicorp/kubernetes" + version = ">= 2.32" } helm = { source = "hashicorp/helm" version = "2.2.0" } - kubernetes = { - source = "hashicorp/kubernetes" - version = ">=2.6.1" - } } } From 2478fbcf09e14ac8b0242f0a350fedcafc576956 Mon Sep 17 00:00:00 2001 From: Max Xu Date: Thu, 19 Sep 2024 21:44:17 +0800 Subject: [PATCH 13/31] Update --- main.tf | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/main.tf b/main.tf index bcf8b5b..f6a7960 100644 --- a/main.tf +++ b/main.tf @@ -224,13 +224,6 @@ module "eks" { source = "terraform-aws-modules/eks/aws" version = "20.24.1" - iam_role_arn = try(var.cluster_iam.iam_role_arn, aws_iam_role.cluster[0].arn, null) - create_iam_role = try(var.cluster_iam.create_iam_role, true) - iam_role_use_name_prefix = try(var.cluster_iam.iam_role_use_name_prefix, true) - iam_role_name = try(var.cluster_iam.iam_role_name, null) - iam_role_path = var.iam_path - iam_role_permissions_boundary = var.permissions_boundary_arn - cluster_name = var.cluster_name cluster_version = var.cluster_version cluster_endpoint_private_access = true # Always set to true here, which enables private networking for the node groups 
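Review bot: The new `>= 5.61` and `>= 2.32` constraints are open-ended while `helm` stays pinned to exactly `2.2.0`, so the file now mixes two pinning strategies and every `terraform init` in CI resolves whatever the newest aws and kubernetes provider releases are on that day. Without a committed `.terraform.lock.hcl` (none is touched anywhere in this series) builds are not reproducible and a freshly published provider release enters the pipeline unreviewed. A pessimistic constraint, `version = "~> 5.61"` and `version = "~> 2.32"`, keeps the intended floor while bounding the major version, and the lock file should be committed alongside it; the README requirements table in the later docs commit should then be regenerated to match.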
@@ -240,6 +233,13 @@ module "eks" { openid_connect_audiences = ["sts.amazonaws.com"] bootstrap_self_managed_addons = var.bootstrap_self_managed_addons + iam_role_arn = try(var.cluster_iam.iam_role_arn, aws_iam_role.cluster[0].arn, null) + create_iam_role = try(var.cluster_iam.create_iam_role, true) + iam_role_use_name_prefix = try(var.cluster_iam.iam_role_use_name_prefix, true) + iam_role_name = try(var.cluster_iam.iam_role_name, null) + iam_role_path = try(var.cluster_iam.iam_role_path, var.iam_path, "/StreamNative/") + iam_role_permissions_boundary = try(var.cluster_iam.iam_role_permissions_boundary, var.permissions_boundary_arn, null) + vpc_id = var.vpc_id control_plane_subnet_ids = local.cluster_subnet_ids cluster_service_ipv4_cidr = try(var.cluster_networking.cluster_service_ipv4_cidr, var.cluster_service_ipv4_cidr, null) From 24600fd9a7aa3a3ab9ce3fd6c0d52380251494d1 Mon Sep 17 00:00:00 2001 From: Max Xu Date: Thu, 19 Sep 2024 22:04:42 +0800 Subject: [PATCH 14/31] Update CI --- .github/workflows/terraform.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml index 24722a0..bf67aae 100644 --- a/.github/workflows/terraform.yml +++ b/.github/workflows/terraform.yml @@ -11,12 +11,12 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Setup Terraform - uses: hashicorp/setup-terraform@v1.3.2 + uses: hashicorp/setup-terraform@v3 with: - terraform_version: 1.1.x + terraform_version: "1.5.5" - name: Terraform fmt run: terraform fmt -recursive -write=false -check -diff . 
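Review bot: `create_iam_role = try(var.cluster_iam.create_iam_role, true)` makes the `iam_role_arn` taken from `aws_iam_role.cluster[0]` ineffective when `use_runtime_policy = true` and `cluster_iam` is unset, because, as far as I recall the upstream module, `iam_role_arn` is only consulted when `create_iam_role` is false; the module would then create its own cluster role and the locally managed one carrying `permissions_boundary_arn` goes unused. A fallback of `create_iam_role = try(var.cluster_iam.create_iam_role, !var.use_runtime_policy)` keeps the legacy path coherent. Note also that `try()` accepts an explicit `iam_role_permissions_boundary = null` inside `cluster_iam` as a valid value, so a caller can remove the permissions boundary without touching `var.permissions_boundary_arn`; if that is intended, the `cluster_iam` description should say so. The enclosing `module "eks"` block extends beyond the hunk.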
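Review bot: `actions/checkout@v4` and `hashicorp/setup-terraform@v3` are mutable tags, so the workflow runs whatever commit the tag points to at execution time; for a job that also runs `terraform init` against the public registry this is the supply-chain surface worth closing. Pin each action to a full-length commit SHA and keep the tag as a trailing comment, `uses: actions/checkout@<full-commit-sha> # v4`, and do the same in the matrix job's hunk that follows, which has the same `uses:` lines. Quoting `terraform_version: "1.5.5"` is fine, but `versions.tf` only requires `>= 1.3.2`, so a one-line comment on why 1.5.5 was chosen would help the next person bumping it.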
@@ -27,13 +27,13 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - terraform_version: [1.1.x] + terraform_version: ["1.5.5"] steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Setup Terraform ${{ matrix.terraform_version }} - uses: hashicorp/setup-terraform@v1.3.2 + uses: hashicorp/setup-terraform@v3 with: terraform_version: ${{ matrix.terraform_version }} From a8df79ef91e4233166f95ad2c027847f69156a4e Mon Sep 17 00:00:00 2001 From: Max Xu Date: Fri, 20 Sep 2024 17:28:15 +0800 Subject: [PATCH 15/31] Update docs --- README.md | 27 ++++++++++++++++----------- 1 file changed, 16 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 20ad5ce..c325056 100644 --- a/README.md +++ b/README.md @@ -168,24 +168,25 @@ _Note: Since this module manages all of the Kubernetes addon dependencies requir | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >=1.1.0 | -| [aws](#requirement\_aws) | >=3.61.0 | +| [terraform](#requirement\_terraform) | >= 1.3.2 | +| [aws](#requirement\_aws) | >= 5.61 | | [helm](#requirement\_helm) | 2.2.0 | -| [kubernetes](#requirement\_kubernetes) | >=2.6.1 | +| [kubernetes](#requirement\_kubernetes) | >= 2.32 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 4.49.0 | +| [aws](#provider\_aws) | 5.61.0 | | [helm](#provider\_helm) | 2.2.0 | -| [kubernetes](#provider\_kubernetes) | 2.16.1 | +| [kubernetes](#provider\_kubernetes) | 2.32.0 | ## Modules | Name | Source | Version | |------|--------|---------| -| [eks](#module\_eks) | terraform-aws-modules/eks/aws | 18.30.2 | +| [eks](#module\_eks) | terraform-aws-modules/eks/aws | 20.24.1 | +| [eks\_auth](#module\_eks\_auth) | terraform-aws-modules/eks/aws//modules/aws-auth | 20.24.0 | | [istio](#module\_istio) | github.com/streamnative/terraform-helm-charts//modules/istio-operator | v0.8.6 | | [vpc\_tags](#module\_vpc\_tags) | ./modules/eks-vpc-tags | n/a | 
@@ -266,12 +267,13 @@ _Note: Since this module manages all of the Kubernetes addon dependencies requir |------|-------------|------|---------|:--------:| | [add\_vpc\_tags](#input\_add\_vpc\_tags) | Adds tags to VPC resources necessary for ingress resources within EKS to perform auto-discovery of subnets. Defaults to "true". Note that this may cause resource cycling (delete and recreate) if you are using Terraform to manage your VPC resources without having a `lifecycle { ignore_changes = [ tags ] }` block defined within them, since the VPC resources will want to manage the tags themselves and remove the ones added by this module. | `bool` | `true` | no | | [additional\_tags](#input\_additional\_tags) | Additional tags to be added to the resources created by this module. | `map(any)` | `{}` | no | -| [allowed\_public\_cidrs](#input\_allowed\_public\_cidrs) | List of CIDR blocks that are allowed to access the EKS cluster's public endpoint. Defaults to "0.0.0.0/0" (any). | `list(string)` |
[
"0.0.0.0/0"
]
| no | +| [allowed\_public\_cidrs](#input\_allowed\_public\_cidrs) | List of CIDR blocks that are allowed to access the EKS cluster's public endpoint. Defaults to "0.0.0.0/0" (any). | `list(string)` |
[
"0.0.0.0/0"
]
| no | | [asm\_secret\_arns](#input\_asm\_secret\_arns) | The a list of ARNs for secrets stored in ASM. This grants the kubernetes-external-secrets controller select access to secrets used by resources within the EKS cluster. If no arns are provided via this input, the IAM policy will allow read access to all secrets created in the provided region. | `list(string)` | `[]` | no | | [aws\_load\_balancer\_controller\_helm\_chart\_name](#input\_aws\_load\_balancer\_controller\_helm\_chart\_name) | The name of the Helm chart to use for the AWS Load Balancer Controller. | `string` | `"aws-load-balancer-controller"` | no | | [aws\_load\_balancer\_controller\_helm\_chart\_repository](#input\_aws\_load\_balancer\_controller\_helm\_chart\_repository) | The repository containing the Helm chart to use for the AWS Load Balancer Controller. | `string` | `"https://aws.github.io/eks-charts"` | no | | [aws\_load\_balancer\_controller\_helm\_chart\_version](#input\_aws\_load\_balancer\_controller\_helm\_chart\_version) | The version of the Helm chart to use for the AWS Load Balancer Controller. The current version can be found in github: https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/main/helm/aws-load-balancer-controller/Chart.yaml. | `string` | `"1.4.2"` | no | | [aws\_load\_balancer\_controller\_settings](#input\_aws\_load\_balancer\_controller\_settings) | Additional settings which will be passed to the Helm chart values for the AWS Load Balancer Controller. See https://github.com/kubernetes-sigs/aws-load-balancer-controller/tree/main/helm/aws-load-balancer-controller for available options. | `map(string)` | `{}` | no | +| [bootstrap\_self\_managed\_addons](#input\_bootstrap\_self\_managed\_addons) | Indicates whether or not to bootstrap self-managed addons after the cluster has been created | `bool` | `null` | no | | [cert\_issuer\_support\_email](#input\_cert\_issuer\_support\_email) | The email address to receive notifications from the cert issuer. 
| `string` | `"certs-support@streamnative.io"` | no | | [cert\_manager\_helm\_chart\_name](#input\_cert\_manager\_helm\_chart\_name) | The name of the Helm chart in the repository for cert-manager. | `string` | `"cert-manager"` | no | | [cert\_manager\_helm\_chart\_repository](#input\_cert\_manager\_helm\_chart\_repository) | The repository containing the cert-manager helm chart. | `string` | `"https://charts.bitnami.com/bitnami"` | no | @@ -284,8 +286,10 @@ _Note: Since this module manages all of the Kubernetes addon dependencies requir | [cluster\_autoscaler\_helm\_chart\_repository](#input\_cluster\_autoscaler\_helm\_chart\_repository) | The repository containing the cluster-autoscaler helm chart. | `string` | `"https://kubernetes.github.io/autoscaler"` | no | | [cluster\_autoscaler\_helm\_chart\_version](#input\_cluster\_autoscaler\_helm\_chart\_version) | Helm chart version for the cluster-autoscaler. Defaults to "9.10.4". See https://github.com/kubernetes/autoscaler/tree/master/charts/cluster-autoscaler for more details. | `string` | `"9.21.0"` | no | | [cluster\_autoscaler\_settings](#input\_cluster\_autoscaler\_settings) | Additional settings which will be passed to the Helm chart values for cluster-autoscaler, see https://github.com/kubernetes/autoscaler/tree/master/charts/cluster-autoscaler for options. | `map(any)` | `{}` | no | -| [cluster\_enabled\_log\_types](#input\_cluster\_enabled\_log\_types) | A list of the desired control plane logging to enable. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html). | `list(string)` |
[
"api",
"audit",
"authenticator",
"controllerManager",
"scheduler"
]
| no | +| [cluster\_enabled\_log\_types](#input\_cluster\_enabled\_log\_types) | A list of the desired control plane logging to enable. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html). | `list(string)` |
[
"api",
"audit",
"authenticator",
"controllerManager",
"scheduler"
]
| no | +| [cluster\_iam](#input\_cluster\_iam) | Cluster IAM settings | `any` | `null` | no | | [cluster\_name](#input\_cluster\_name) | The name of your EKS cluster and associated resources. Must be 16 characters or less. | `string` | `""` | no | +| [cluster\_networking](#input\_cluster\_networking) | Cluster Networking settings | `any` | `null` | no | | [cluster\_security\_group\_additional\_rules](#input\_cluster\_security\_group\_additional\_rules) | Additional rules to add to the cluster security group. Set source\_node\_security\_group = true inside rules to set the node\_security\_group as source. | `any` | `{}` | no | | [cluster\_security\_group\_id](#input\_cluster\_security\_group\_id) | The ID of an existing security group to use for the EKS cluster. If not provided, a new security group will be created. | `string` | `""` | no | | [cluster\_service\_ipv4\_cidr](#input\_cluster\_service\_ipv4\_cidr) | The CIDR block to assign Kubernetes service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks | `string` | `null` | no | @@ -327,13 +331,14 @@ _Note: Since this module manages all of the Kubernetes addon dependencies requir | [istio\_trust\_domain](#input\_istio\_trust\_domain) | The trust domain used for the Istio deployment, which corresponds to the root of a system. This is required when "enable\_istio\_operator" is set to "true". | `string` | `"cluster.local"` | no | | [kiali\_operator\_settings](#input\_kiali\_operator\_settings) | Additional settings which will be passed to the Helm chart values | `map(any)` | `{}` | no | | [manage\_aws\_auth\_configmap](#input\_manage\_aws\_auth\_configmap) | Whether to manage the aws\_auth configmap | `bool` | `true` | no | -| [map\_additional\_iam\_roles](#input\_map\_additional\_iam\_roles) | A list of IAM role bindings to add to the aws-auth ConfigMap. |
list(object({
rolearn = string
username = string
groups = list(string)
}))
| `[]` | no | +| [map\_additional\_iam\_roles](#input\_map\_additional\_iam\_roles) | A list of IAM role bindings to add to the aws-auth ConfigMap. |
list(object({
rolearn = string
username = string
groups = list(string)
}))
| `[]` | no | | [metrics\_server\_helm\_chart\_name](#input\_metrics\_server\_helm\_chart\_name) | The name of the helm release to install | `string` | `"metrics-server"` | no | | [metrics\_server\_helm\_chart\_repository](#input\_metrics\_server\_helm\_chart\_repository) | The repository containing the external-metrics helm chart. | `string` | `"https://kubernetes-sigs.github.io/metrics-server"` | no | | [metrics\_server\_helm\_chart\_version](#input\_metrics\_server\_helm\_chart\_version) | Helm chart version for Metrics server | `string` | `"3.8.2"` | no | | [metrics\_server\_settings](#input\_metrics\_server\_settings) | Additional settings which will be passed to the Helm chart values, see https://github.com/external-secrets/kubernetes-external-secrets/tree/master/charts/kubernetes-external-secrets for available options. | `map(any)` | `{}` | no | | [migration\_mode](#input\_migration\_mode) | Whether to enable migration mode for the cluster. This is used to migrate details from existing security groups, which have had their names and description changed in versions v18.X of the community EKS module. | `bool` | `false` | no | | [migration\_mode\_node\_sg\_name](#input\_migration\_mode\_node\_sg\_name) | The name (not ID!) of the existing security group used by worker nodes. This is required when "migration\_mode" is set to "true", otherwise the parent module will attempt to set a new security group name and destroy the existin one. | `string` | `null` | no | +| [node\_groups](#input\_node\_groups) | Map of EKS managed node group definitions to create | `any` | `null` | no | | [node\_pool\_ami\_id](#input\_node\_pool\_ami\_id) | The AMI ID to use for the EKS cluster nodes. Defaults to the latest EKS Optimized AMI provided by AWS. | `string` | `""` | no | | [node\_pool\_azs](#input\_node\_pool\_azs) | A list of availability zones to use for the EKS node group. If not set, the module will use the same availability zones with the cluster. 
| `list(string)` | `[]` | no | | [node\_pool\_block\_device\_name](#input\_node\_pool\_block\_device\_name) | The name of the block device to use for the EKS cluster nodes. | `string` | `"/dev/nvme0n1"` | no | @@ -342,7 +347,7 @@ _Note: Since this module manages all of the Kubernetes addon dependencies requir | [node\_pool\_disk\_size](#input\_node\_pool\_disk\_size) | Disk size in GiB for worker nodes in the node pool. Defaults to 50. | `number` | `100` | no | | [node\_pool\_disk\_type](#input\_node\_pool\_disk\_type) | Disk type for worker nodes in the node pool. Defaults to gp3. | `string` | `"gp3"` | no | | [node\_pool\_ebs\_optimized](#input\_node\_pool\_ebs\_optimized) | If true, the launched EC2 instance(s) will be EBS-optimized. Specify this if using a custom AMI with pre-user data. | `bool` | `true` | no | -| [node\_pool\_instance\_types](#input\_node\_pool\_instance\_types) | Set of instance types associated with the EKS Node Groups. Defaults to ["m6i.large", "m6i.xlarge", "m6i.2xlarge", "m6i.4xlarge", "m6i.8xlarge"], which will create empty node groups of each instance type to account for any workload configurable from StreamNative Cloud. | `list(string)` |
[
"m6i.large",
"m6i.xlarge",
"m6i.2xlarge",
"m6i.4xlarge",
"m6i.8xlarge"
]
| no | +| [node\_pool\_instance\_types](#input\_node\_pool\_instance\_types) | Set of instance types associated with the EKS Node Groups. Defaults to ["m6i.large", "m6i.xlarge", "m6i.2xlarge", "m6i.4xlarge", "m6i.8xlarge"], which will create empty node groups of each instance type to account for any workload configurable from StreamNative Cloud. | `list(string)` |
[
"m6i.large",
"m6i.xlarge",
"m6i.2xlarge",
"m6i.4xlarge",
"m6i.8xlarge"
]
| no | | [node\_pool\_labels](#input\_node\_pool\_labels) | A map of kubernetes labels to add to the node pool. | `map(string)` | `{}` | no | | [node\_pool\_max\_size](#input\_node\_pool\_max\_size) | The maximum size of the node pool Autoscaling group. | `number` | n/a | yes | | [node\_pool\_min\_size](#input\_node\_pool\_min\_size) | The minimum size of the node pool AutoScaling group. | `number` | `0` | no | @@ -366,7 +371,7 @@ _Note: Since this module manages all of the Kubernetes addon dependencies requir | [use\_runtime\_policy](#input\_use\_runtime\_policy) | Legacy variable, will be deprecated in future versions. The preference of this module is to have the parent EKS module create and manage the IAM role. However some older configurations may have had the cluster IAM role managed seperately, and this variable allows for backwards compatibility. | `bool` | `false` | no | | [v3\_node\_group\_core\_instance\_type](#input\_v3\_node\_group\_core\_instance\_type) | The instance to use for the core node group | `string` | `"m6i.large"` | no | | [velero\_backup\_schedule](#input\_velero\_backup\_schedule) | The scheduled time for Velero to perform backups. Written in cron expression, defaults to "0 5 * * *" or "at 5:00am every day" | `string` | `"0 5 * * *"` | no | -| [velero\_excluded\_namespaces](#input\_velero\_excluded\_namespaces) | A comma-separated list of namespaces to exclude from Velero backups. Defaults are set to ["default", "kube-system", "operators", "olm"]. | `list(string)` |
[
"kube-system",
"default",
"operators",
"olm"
]
| no | +| [velero\_excluded\_namespaces](#input\_velero\_excluded\_namespaces) | A comma-separated list of namespaces to exclude from Velero backups. Defaults are set to ["default", "kube-system", "operators", "olm"]. | `list(string)` |
[
"kube-system",
"default",
"operators",
"olm"
]
| no | | [velero\_helm\_chart\_name](#input\_velero\_helm\_chart\_name) | The name of the Helm chart to use for Velero | `string` | `"velero"` | no | | [velero\_helm\_chart\_repository](#input\_velero\_helm\_chart\_repository) | The repository containing the Helm chart to use for velero | `string` | `"https://vmware-tanzu.github.io/helm-charts"` | no | | [velero\_helm\_chart\_version](#input\_velero\_helm\_chart\_version) | The version of the Helm chart to use for Velero. The current version can be found in github: https://github.com/vmware-tanzu/helm-charts/tree/main/charts/velero | `string` | `"2.31.8"` | no | From 858b4ed57c7d47c39979733e225cb24d728030fc Mon Sep 17 00:00:00 2001 From: Max Xu Date: Fri, 20 Sep 2024 17:34:08 +0800 Subject: [PATCH 16/31] Update --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index f6a7960..3198282 100644 --- a/main.tf +++ b/main.tf @@ -264,7 +264,7 @@ module "eks" { module "eks_auth" { source = "terraform-aws-modules/eks/aws//modules/aws-auth" - version = "20.24.0" + version = "20.24.1" manage_aws_auth_configmap = var.manage_aws_auth_configmap aws_auth_roles = local.role_bindings From b44ca98ea284827d7cb1bd313830b7ee1c0a75ae Mon Sep 17 00:00:00 2001 From: Darrell Pappa Date: Mon, 23 Sep 2024 13:36:27 -0400 Subject: [PATCH 17/31] Changed output to eks_cluster_name --- README.md | 6 +++--- examples/example-with-vpc/main.tf | 4 ++-- examples/root-example/main.tf | 4 ++-- examples/streamnative-platform/main.tf | 14 +++++++------- outputs.tf | 6 +++--- 5 files changed, 17 insertions(+), 17 deletions(-) diff --git a/README.md b/README.md index c325056..8fce3b7 100644 --- a/README.md +++ b/README.md 
@@ -56,11 +56,11 @@ A bare minimum configuration to execute the module: ```hcl data "aws_eks_cluster" "cluster" { - name = module.eks_cluster.eks_cluster_id + name = module.eks_cluster.eks_cluster_name } data "aws_eks_cluster_auth" "cluster" { - name = module.eks_cluster.eks_cluster_id + name = module.eks_cluster.eks_cluster_name } provider "aws" { @@ -393,7 +393,7 @@ _Note: Since this module manages all of the Kubernetes addon dependencies requir | [eks\_cluster\_arn](#output\_eks\_cluster\_arn) | The ARN for the EKS cluster created by this module | | [eks\_cluster\_certificate\_authority\_data](#output\_eks\_cluster\_certificate\_authority\_data) | Base64 encoded certificate data required to communicate with the cluster | | [eks\_cluster\_endpoint](#output\_eks\_cluster\_endpoint) | The endpoint for the EKS cluster created by this module | -| [eks\_cluster\_id](#output\_eks\_cluster\_id) | The id/name of the EKS cluster created by this module | +| [eks\_cluster\_name](#output\_eks\_cluster\_name) | The name of the EKS cluster created by this module | | [eks\_cluster\_identity\_oidc\_issuer\_arn](#output\_eks\_cluster\_identity\_oidc\_issuer\_arn) | The ARN for the OIDC issuer created by this module | | [eks\_cluster\_identity\_oidc\_issuer\_string](#output\_eks\_cluster\_identity\_oidc\_issuer\_string) | A formatted string containing the prefix for the OIDC issuer created by this module. Same as "cluster\_oidc\_issuer\_url", but with "https://" stripped from the name. This output is typically used in other StreamNative modules that request the "oidc\_issuer" input. | | [eks\_cluster\_identity\_oidc\_issuer\_url](#output\_eks\_cluster\_identity\_oidc\_issuer\_url) | The URL for the OIDC issuer created by this module | diff --git a/examples/example-with-vpc/main.tf b/examples/example-with-vpc/main.tf index e6480c7..635dc74 100644 --- a/examples/example-with-vpc/main.tf +++ b/examples/example-with-vpc/main.tf 
@@ -35,11 +35,11 @@ terraform { ### These data sources are required by the Kubernetes and Helm providers in order to connect to the newly provisioned cluster ####### data "aws_eks_cluster" "cluster" { - name = module.sn_cluster.eks_cluster_id + name = module.sn_cluster.eks_cluster_name } data "aws_eks_cluster_auth" "cluster" { - name = module.sn_cluster.eks_cluster_id + name = module.sn_cluster.eks_cluster_name } data "aws_caller_identity" "current" {} diff --git a/examples/root-example/main.tf b/examples/root-example/main.tf index 5cfd1f4..ea591db 100644 --- a/examples/root-example/main.tf +++ b/examples/root-example/main.tf @@ -25,11 +25,11 @@ variable "region" { ### These data sources are required by the Kubernetes and Helm providers in order to connect to the newly provisioned cluster ####### data "aws_eks_cluster" "cluster" { - name = module.sn_cluster.eks_cluster_id + name = module.sn_cluster.eks_cluster_name } data "aws_eks_cluster_auth" "cluster" { - name = module.sn_cluster.eks_cluster_id + name = module.sn_cluster.eks_cluster_name } provider "aws" { diff --git a/examples/streamnative-platform/main.tf b/examples/streamnative-platform/main.tf index e8614d9..06199f4 100644 --- a/examples/streamnative-platform/main.tf +++ b/examples/streamnative-platform/main.tf @@ -47,11 +47,11 @@ provider "kubernetes" { } data "aws_eks_cluster" "cluster" { - name = module.sn_cluster.eks_cluster_id + name = module.sn_cluster.eks_cluster_name } data "aws_eks_cluster_auth" "cluster" { - name = module.sn_cluster.eks_cluster_id + name = module.sn_cluster.eks_cluster_name } data "aws_caller_identity" "current" {} 
@@ -131,7 +131,7 @@ module "sn_bootstrap" { module "sn_tiered_storage_resources" { source = "github.com/streamnative/terraform-aws-cloud//modules/tiered-storage-resources?ref=v2.2.4-alpha" - cluster_name = module.sn_cluster.eks_cluster_id + cluster_name = module.sn_cluster.eks_cluster_name oidc_issuer = module.sn_cluster.eks_cluster_identity_oidc_issuer_string pulsar_namespace = local.pulsar_namespace @@ -151,7 +151,7 @@ module "sn_tiered_storage_resources" { module "sn_tiered_storage_vault_resources" { source = "github.com/streamnative/terraform-aws-cloud//modules/vault-resources?ref=v2.2.4-alpha" - cluster_name = module.sn_cluster.eks_cluster_id + cluster_name = module.sn_cluster.eks_cluster_name oidc_issuer = module.sn_cluster.eks_cluster_identity_oidc_issuer_string pulsar_namespace = local.pulsar_namespace @@ -183,11 +183,11 @@ output "cleanup_for_destroying_cluster" { } output "connect_to_cluster" { - value = format("aws eks update-kubeconfig --name %s --kubeconfig ~/.kube/config --region %s", module.sn_cluster.eks_cluster_id, local.region) + value = format("aws eks update-kubeconfig --name %s --kubeconfig ~/.kube/config --region %s", module.sn_cluster.eks_cluster_name, local.region) } -output "eks_cluster_id" { - value = module.sn_cluster.eks_cluster_id +output "eks_cluster_name" { + value = module.sn_cluster.eks_cluster_name } output "vpc_id" { diff --git a/outputs.tf b/outputs.tf index 1dbb45a..164ee16 100644 --- a/outputs.tf +++ b/outputs.tf @@ -22,9 +22,9 @@ output "eks_cluster_endpoint" { description = "The endpoint for the EKS cluster created by this module" } -output "eks_cluster_id" { - value = module.eks.cluster_id - description = "The id/name of the EKS cluster created by this module" +output "eks_cluster_name" { + value = module.eks.cluster_name + description = "The name of the EKS cluster created by this module" } output "eks_cluster_identity_oidc_issuer_url" { From 052a35442d2e41ce329626c1243c566c6daf5dc2 Mon Sep 17 00:00:00 2001 
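Review bot: Removing `output "eks_cluster_id"` from outputs.tf is a breaking change for every external consumer of this module, and the series only migrates the in-repo examples and README. Keeping the old name as a deprecated alias until the next major version lets callers move at their own pace without losing the cleaner `eks_cluster_name`.
```hcl
output "eks_cluster_name" {
  value       = module.eks.cluster_name
  description = "The name of the EKS cluster created by this module"
}

# Deprecated alias kept for backwards compatibility; remove in the next major version.
output "eks_cluster_id" {
  value       = module.eks.cluster_name
  description = "Deprecated, use eks_cluster_name instead"
}
```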
From: Darrell Pappa
Date: Mon, 23 Sep 2024 15:08:08 -0400
Subject: [PATCH 18/31] Set use_name_prefix to true for v2 node groups. Check for null var.node_groups
---
 main.tf | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)
diff --git a/main.tf b/main.tf
index 3198282..802b231 100644
--- a/main.tf
+++ b/main.tf
@@ -121,14 +121,15 @@ locals {
 for node_group in flatten([
 for instance_type in var.node_pool_instance_types : [
 for i, j in data.aws_subnet.private_subnets : {
- subnet_ids = [data.aws_subnet.private_subnets[i].id]
- instance_types = [instance_type]
- name = "snc-${split(".", instance_type)[1]}-${data.aws_subnet.private_subnets[i].availability_zone}"
- taints = {}
- desired_size = var.node_pool_desired_size
- min_size = var.node_pool_min_size
- max_size = var.node_pool_max_size
- labels = tomap(merge(var.node_pool_labels, { "cloud.streamnative.io/instance-type" = lookup(local.compute_units, split(".", instance_type)[1], "null") }))
+ subnet_ids = [data.aws_subnet.private_subnets[i].id]
+ instance_types = [instance_type]
+ name = "snc-${split(".", instance_type)[1]}-${data.aws_subnet.private_subnets[i].availability_zone}"
+ use_name_prefix = true
+ taints = {}
+ desired_size = var.node_pool_desired_size
+ min_size = var.node_pool_min_size
+ max_size = var.node_pool_max_size
+ labels = tomap(merge(var.node_pool_labels, { "cloud.streamnative.io/instance-type" = lookup(local.compute_units, split(".", instance_type)[1], "null") }))
 }
 ]
 ]) : "${node_group.name}" => node_group
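Review bot: Setting `use_name_prefix = true` on the v2 node groups changes how every existing managed node group is named: as far as I recall the upstream module, it switches from an exact `node_group_name` to a `node_group_name_prefix`, and that is a replacement of the node group rather than an in-place update. The local map key `"${node_group.name}" => node_group` is unaffected, so the plan reads like a small attribute change while actually rolling every v2 node group. If that is the intent the commit message should say so and point at the migration path; otherwise the flag should be driven by a variable so existing clusters can keep the previous behaviour. The enclosing `locals` block extends beyond the hunk.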
@@ -160,12 +161,12 @@ locals { } node_groups = var.enable_v3_node_migration ? merge(local.v3_node_groups, local.v2_node_groups) : var.enable_v3_node_groups ? local.v3_node_groups : local.v2_node_groups - defaulted_node_groups = { + defaulted_node_groups = var.node_groups != null ? { for k, v in var.node_groups : k => merge( v, contains(keys(v), "subnet_ids") ? {} : { "subnet_ids" = local.node_group_subnet_ids }, ) - } + } : {} eks_managed_node_groups = [local.defaulted_node_groups, local.node_groups][var.node_groups != null ? 0 : 1] ## Node Security Group Configuration From 0d3b7a19557dd19c3123406ccaa5896b229d20dc Mon Sep 17 00:00:00 2001 From: Max Xu Date: Tue, 24 Sep 2024 20:28:46 +0800 Subject: [PATCH 19/31] Remove unused examples --- .github/workflows/terraform.yml | 9 +- README.md | 6 +- examples/example-with-vpc/main.tf | 128 --------------- examples/root-example/main.tf | 2 +- examples/streamnative-platform/main.tf | 207 ------------------------- 5 files changed, 9 insertions(+), 343 deletions(-) delete mode 100644 examples/example-with-vpc/main.tf delete mode 100644 examples/streamnative-platform/main.tf diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml index bf67aae..8199cfb 100644 --- a/.github/workflows/terraform.yml +++ b/.github/workflows/terraform.yml @@ -1,4 +1,5 @@ -name: "TF GH Action" +name: Terraform + on: - pull_request 
@@ -38,10 +39,10 @@ jobs: terraform_version: ${{ matrix.terraform_version }} - name: Terraform Validate Root - run: cd "${GITHUB_WORKSPACE}" && terraform init -backend=false && AWS_REGION=us-east-1 terraform validate -no-color + run: cd "${GITHUB_WORKSPACE}" && terraform init -backend=false && AWS_REGION=us-east-1 terraform validate - name: Terraform Validate Modules - run: for module in modules/*/; do cd "${GITHUB_WORKSPACE}/${module}" && terraform init -backend=false && AWS_REGION=us-east-1 terraform validate -no-color ; done + run: for module in modules/*/; do cd "${GITHUB_WORKSPACE}/${module}" && terraform init -backend=false && AWS_REGION=us-east-1 terraform validate; done - name: Terraform Validate Examples - run: for example in examples/*/; do cd "${GITHUB_WORKSPACE}/${example}" && terraform init -backend=false && AWS_REGION=us-east-1 terraform validate -no-color ; done + run: for example in examples/*/; do cd "${GITHUB_WORKSPACE}/${example}" && terraform init -backend=false && AWS_REGION=us-east-1 terraform validate; done diff --git a/README.md b/README.md index 8fce3b7..80d798f 100644 --- a/README.md +++ b/README.md @@ -177,7 +177,7 @@ _Note: Since this module manages all of the Kubernetes addon dependencies requir | Name | Version | |------|---------| -| [aws](#provider\_aws) | 5.61.0 | +| [aws](#provider\_aws) | 5.68.0 | | [helm](#provider\_helm) | 2.2.0 | | [kubernetes](#provider\_kubernetes) | 2.32.0 | 
@@ -186,7 +186,7 @@ _Note: Since this module manages all of the Kubernetes addon dependencies requir | Name | Source | Version | |------|--------|---------| | [eks](#module\_eks) | terraform-aws-modules/eks/aws | 20.24.1 | -| [eks\_auth](#module\_eks\_auth) | terraform-aws-modules/eks/aws//modules/aws-auth | 20.24.0 | +| [eks\_auth](#module\_eks\_auth) | terraform-aws-modules/eks/aws//modules/aws-auth | 20.24.1 | | [istio](#module\_istio) | github.com/streamnative/terraform-helm-charts//modules/istio-operator | v0.8.6 | | [vpc\_tags](#module\_vpc\_tags) | ./modules/eks-vpc-tags | n/a | 
@@ -393,10 +393,10 @@ _Note: Since this module manages all of the Kubernetes addon dependencies requir | [eks\_cluster\_arn](#output\_eks\_cluster\_arn) | The ARN for the EKS cluster created by this module | | [eks\_cluster\_certificate\_authority\_data](#output\_eks\_cluster\_certificate\_authority\_data) | Base64 encoded certificate data required to communicate with the cluster | | [eks\_cluster\_endpoint](#output\_eks\_cluster\_endpoint) | The endpoint for the EKS cluster created by this module | -| [eks\_cluster\_name](#output\_eks\_cluster\_name) | The name of the EKS cluster created by this module | | [eks\_cluster\_identity\_oidc\_issuer\_arn](#output\_eks\_cluster\_identity\_oidc\_issuer\_arn) | The ARN for the OIDC issuer created by this module | | [eks\_cluster\_identity\_oidc\_issuer\_string](#output\_eks\_cluster\_identity\_oidc\_issuer\_string) | A formatted string containing the prefix for the OIDC issuer created by this module. Same as "cluster\_oidc\_issuer\_url", but with "https://" stripped from the name. This output is typically used in other StreamNative modules that request the "oidc\_issuer" input. | | [eks\_cluster\_identity\_oidc\_issuer\_url](#output\_eks\_cluster\_identity\_oidc\_issuer\_url) | The URL for the OIDC issuer created by this module | +| [eks\_cluster\_name](#output\_eks\_cluster\_name) | The name of the EKS cluster created by this module | | [eks\_cluster\_platform\_version](#output\_eks\_cluster\_platform\_version) | The platform version for the EKS cluster created by this module | | [eks\_cluster\_primary\_security\_group\_id](#output\_eks\_cluster\_primary\_security\_group\_id) | The id of the primary security group created by the EKS service itself, not by this module. This is labeled "Cluster Security Group" in the EKS console. | | [eks\_cluster\_secondary\_security\_group\_id](#output\_eks\_cluster\_secondary\_security\_group\_id) | The id of the secondary security group created by this module. 
This is labled "Additional Security Groups" in the EKS console. | diff --git a/examples/example-with-vpc/main.tf b/examples/example-with-vpc/main.tf deleted file mode 100644 index 635dc74..0000000 --- a/examples/example-with-vpc/main.tf +++ /dev/null 
@@ -1,128 +0,0 @@ -# Copyright 2023 StreamNative, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -terraform { - required_version = ">=1.0.0" - - required_providers { - aws = { - version = ">= 3.45.0" - source = "hashicorp/aws" - } - helm = { - source = "hashicorp/helm" - version = "2.2.0" - } - kubernetes = { - source = "hashicorp/kubernetes" - version = "2.2.0" - } - } -} - -####### -### These data sources are required by the Kubernetes and Helm providers in order to connect to the newly provisioned cluster -####### -data "aws_eks_cluster" "cluster" { - name = module.sn_cluster.eks_cluster_name -} - -data "aws_eks_cluster_auth" "cluster" { - name = module.sn_cluster.eks_cluster_name -} - -data "aws_caller_identity" "current" {} - -####### -### The "random_pet" resource and locals block assist in building out the Cluster Name, as well the variables defined -####### - -variable "environment" { - default = "test" -} - -variable "region" { - default = "us-west-2" -} -resource "random_pet" "cluster_name" { - length = 1 -} - -locals { - account_id = data.aws_caller_identity.current.account_id - cluster_name = format("sn-%s-%s-%s", random_pet.cluster_name.id, var.environment, var.region) -} - -####### -### The providers can be configured to dynamically retrieve the cluster connection configuration after it's been created -####### -provider "aws" { - region = var.region -} - -provider "helm" { - kubernetes { - host = data.aws_eks_cluster.cluster.endpoint - 
cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data) - token = data.aws_eks_cluster_auth.cluster.token - } -} - -provider "kubernetes" { - host = data.aws_eks_cluster.cluster.endpoint - cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data) - token = data.aws_eks_cluster_auth.cluster.token - insecure = false - config_path = pathexpand("~/.kube/${local.cluster_name}-config") -} - -module "vpc" { - source = "streamnative/cloud/aws//modules/vpc" - - num_azs = 3 # The number of availabiltiy zones to create. - vpc_cidr = "10.80.0.0/16" # The module will automatically create subnets based on this cidr and assign them to their respective AZs. - vpc_name = local.cluster_name - region = var.region -} - -module "sn_cluster" { - source = "streamnative/cloud/aws" - - add_vpc_tags = true # This will add the necessary tags to the VPC resources for Ingress controller auto-discovery - cluster_name = local.cluster_name - cluster_version = "1.20" - hosted_zone_id = "Z04554535IN8Z31SKDVQ2" # Change this to your hosted zone ID - kubeconfig_output_path = pathexpand("~/.kube/${local.cluster_name}-config") - node_pool_instance_types = ["c6i.xlarge"] - node_pool_desired_size = 3 - node_pool_min_size = 1 - node_pool_max_size = 3 - - map_additional_iam_roles = [ # Map your IAM admin role for access within the Cluster - { - rolearn = "arn:aws:iam::123456789012:role/my-aws-admin-role" - username = "management-admin" - groups = ["system:masters"] - } - ] - - private_subnet_ids = module.vpc.private_subnet_ids # Use the list of private subnets created by the VPC module - public_subnet_ids = module.vpc.public_subnet_ids # Use the list of public subnets created by the VPC module - region = var.region - vpc_id = module.vpc.vpc_id # Use the VPC ID created by the VPC module - - depends_on = [ - module.vpc # Adding a dependency on the VPC module allows for a cleaner destroy - ] -} \ No newline at end of file 
diff --git a/examples/root-example/main.tf b/examples/root-example/main.tf index ea591db..fad3ce8 100644 --- a/examples/root-example/main.tf +++ b/examples/root-example/main.tf @@ -55,7 +55,7 @@ provider "kubernetes" { ### Create the StreamNative Platform Cluster ####### module "sn_cluster" { - source = "streamnative/cloud/aws" + source = "../.." add_vpc_tags = true # This will add the necessary tags to the VPC resources for Ingress controller auto-discovery cluster_name = local.cluster_name diff --git a/examples/streamnative-platform/main.tf b/examples/streamnative-platform/main.tf deleted file mode 100644 index 06199f4..0000000 --- a/examples/streamnative-platform/main.tf +++ /dev/null 
@@ -1,207 +0,0 @@ -# Copyright 2023 StreamNative, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -####### -### This section contains configurable inputs to satisfy your cluster specifications -####### -locals { - availability_zones = 3 # Number of AZs to use. EKS requires a minimum of 2. - desired_num_nodes = 3 # The desired node count for the node groups. This module creates a node group for each availability zone. - environment = "dev" # This is used for naming of resources created by this module. - hosted_zone_id = "*" # Specify the hosted zone ID where you want DNS records to be created and managed. This scopes access to the External DNS service. - instance_type = ["c6i.xlarge"] - max_num_nodes = 12 # The maximum number of nodes to create across all node groups. This module creates a node group for each availability zone. 
- pulsar_namespace = "pulsar" # The module doesn't create a namespace for Pulsar, but it uses it for scoping access to the Tiered Storage Bucket - region = "us-west-2" # Specify the region where the cluster is located - vpc_cidr = "10.80.0.0/16" # If creating a VPC, specify the CIDR range to use -} - -provider "aws" { - region = local.region -} - -provider "helm" { - kubernetes { - host = data.aws_eks_cluster.cluster.endpoint - cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data) - token = data.aws_eks_cluster_auth.cluster.token - } -} - -provider "kubernetes" { - host = data.aws_eks_cluster.cluster.endpoint - cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data) - token = data.aws_eks_cluster_auth.cluster.token - insecure = false -} - -data "aws_eks_cluster" "cluster" { - name = module.sn_cluster.eks_cluster_name -} - -data "aws_eks_cluster_auth" "cluster" { - name = module.sn_cluster.eks_cluster_name -} - -data "aws_caller_identity" "current" {} - -####### -### Randomly generate a pet name for the cluster. This is useful for development environments, but is not required. Update local.cluster_name if you want to use a more specific name. -####### -resource "random_pet" "cluster_name" { - length = 1 -} - -####### -### Creates a VPC for the StreamNative Platform EKS cluster -### -### NOTE! NOTE! NOTE! -### -### If you are applying this for the first time, you will need to target the VPC module PRIOR to applying the entire module. -### This is because the subnet IDs passed to the `sn_cluster` module are computed, which a downstream module cannot handle. -### -### Example: -### -### terraform apply -target=module.vpc -### -### After you apply the targeted VPC module, you can then proceed with `terraform apply` on the entire module. 
-####### -module "vpc" { - source = "github.com/streamnative/terraform-aws-cloud//modules/vpc?ref=v2.2.4-alpha" - - num_azs = local.availability_zones - vpc_cidr = local.vpc_cidr - vpc_name = local.cluster_name - region = local.region -} - -######## -### Creates an EKS cluster for StreamNative Platform -######## -module "sn_cluster" { - source = "github.com/streamnative/terraform-aws-cloud?ref=v2.2.4-alpha" - - cluster_name = local.cluster_name - cluster_version = "1.20" - hosted_zone_id = local.hosted_zone_id - map_additional_iam_roles = local.cluster_role_mapping - node_pool_instance_types = local.instance_type - node_pool_desired_size = floor(local.desired_num_nodes / length(module.vpc.private_subnet_ids)) # Floor here to keep the desired count lower, autoscaling will take care of the rest - node_pool_min_size = 1 - node_pool_max_size = ceil(local.max_num_nodes / length(module.vpc.private_subnet_ids)) # Ceiling here to keep the upper limits on the high end - public_subnet_ids = module.vpc.public_subnet_ids - private_subnet_ids = module.vpc.private_subnet_ids - region = local.region - vpc_id = module.vpc.vpc_id - - depends_on = [ - module.vpc, - ] -} - -######## -### Installs the required operators on the EKS cluster for StreamNative Platform -######## -module "sn_bootstrap" { - source = "github.com/streamnative/terraform-helm-charts?ref=v0.8.1" - - enable_function_mesh_operator = true - enable_pulsar_operator = true - enable_vault_operator = true - - depends_on = [ - module.sn_cluster - ] -} - -####### -### Creates resources used for tiered storage offloading in Pulsar -####### -module "sn_tiered_storage_resources" { - source = "github.com/streamnative/terraform-aws-cloud//modules/tiered-storage-resources?ref=v2.2.4-alpha" - - cluster_name = module.sn_cluster.eks_cluster_name - oidc_issuer = module.sn_cluster.eks_cluster_identity_oidc_issuer_string - pulsar_namespace = local.pulsar_namespace - - tags = { - Project = "StreamNative Platform" - Environment = 
local.environment - } - - depends_on = [ - module.sn_cluster - ] -} - -####### -### Creates resources used by Vault for storing and retrieving secrets related to the Pulsar cluster -####### -module "sn_tiered_storage_vault_resources" { - source = "github.com/streamnative/terraform-aws-cloud//modules/vault-resources?ref=v2.2.4-alpha" - - cluster_name = module.sn_cluster.eks_cluster_name - oidc_issuer = module.sn_cluster.eks_cluster_identity_oidc_issuer_string - pulsar_namespace = local.pulsar_namespace - - tags = { - Project = "StreamNative Platform" - Environment = local.environment - } - - depends_on = [ - module.sn_cluster - ] -} - -### Helpers -locals { - cluster_name = format("sn-%s-%s-%s", random_pet.cluster_name.id, local.environment, local.region) - cluster_role_mapping = [ - { - rolearn = module.sn_cluster.worker_iam_role_arn # The module creates IAM resources with the path "/StreamNative/". However the parent module is configured to remove the path from the worker nodes in the role mapping, which causes an erroneous node group health error in the EKS console. 
- username = "system:node:{{EC2PrivateDNSName}}" - groups = ["system:bootstrappers", "system:nodes"] - } - ] -} - -output "cleanup_for_destroying_cluster" { - description = "If you need to DESTROY the cluster, this command to clean up k8s resources from the tfstate, allowing you to cleanly proceed with a `terraform destroy`" - value = "for i in $(tf state list | grep -E 'kubernetes|helm'); do tf state rm $i; done" -} - -output "connect_to_cluster" { - value = format("aws eks update-kubeconfig --name %s --kubeconfig ~/.kube/config --region %s", module.sn_cluster.eks_cluster_name, local.region) -} - -output "eks_cluster_name" { - value = module.sn_cluster.eks_cluster_name -} - -output "vpc_id" { - value = module.vpc.vpc_id -} - -output "public_subnet_ids" { - value = module.vpc.public_subnet_ids -} - -output "private_subnet_ids" { - value = module.vpc.public_subnet_ids -} - -output "worker_iam_role_arn" { - value = module.sn_cluster.worker_iam_role_arn -} From a64388d9051cb5baf1dc4e499c1d0dfef2854b5a Mon Sep 17 00:00:00 2001 From: Max Xu Date: Tue, 24 Sep 2024 20:37:07 +0800 Subject: [PATCH 20/31] Using 20.24.2 --- main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index 802b231..536bdf3 100644 --- a/main.tf +++ b/main.tf @@ -223,7 +223,7 @@ locals { module "eks" { source = "terraform-aws-modules/eks/aws" - version = "20.24.1" + version = "20.24.2" cluster_name = var.cluster_name cluster_version = var.cluster_version @@ -265,7 +265,7 @@ module "eks" { module "eks_auth" { source = "terraform-aws-modules/eks/aws//modules/aws-auth" - version = "20.24.1" + version = "20.24.2" manage_aws_auth_configmap = var.manage_aws_auth_configmap aws_auth_roles = local.role_bindings From 7d57a26bba72f7e40c07e8e2ccc77cd3f1dbbd66 Mon Sep 17 00:00:00 2001 From: mitch-hamm Date: Thu, 26 Sep 2024 08:15:20 -0700 Subject: [PATCH 21/31] Update main.tf --- main.tf | 1 + 1 file changed, 1 insertion(+) 
diff --git a/main.tf b/main.tf index 536bdf3..e867edb 100644 --- a/main.tf +++ b/main.tf @@ -250,6 +250,7 @@ module "eks" { cluster_security_group_name = try(var.cluster_networking.cluster_security_group_name, null) cluster_security_group_additional_rules = try(var.cluster_networking.cluster_security_group_additional_rules, var.cluster_security_group_additional_rules, {}) create_cluster_primary_security_group_tags = false # Cleaner if we handle the tag in aws_ec2_tag.cluster_security_group + attach_cluster_encryption_policy = false #Don't create the policy eks_managed_node_groups = local.eks_managed_node_groups eks_managed_node_group_defaults = local.node_group_defaults From 4f77606931437ec96528df04c4e6a3f1356d4fbd Mon Sep 17 00:00:00 2001 From: mitch-hamm Date: Fri, 27 Sep 2024 11:25:28 -0700 Subject: [PATCH 22/31] Set encryption off by default --- main.tf | 1 + variables.tf | 6 ++++++ 2 files changed, 7 insertions(+) diff --git a/main.tf b/main.tf index e867edb..bff2f37 100644 --- a/main.tf +++ b/main.tf @@ -260,6 +260,7 @@ module "eks" { node_security_group_additional_rules = merge(var.node_security_group_additional_rules, local.default_sg_rules) cluster_enabled_log_types = var.cluster_enabled_log_types + cluster_encryption_config = var.cluster_encryption_config create_cloudwatch_log_group = false tags = local.tags } diff --git a/variables.tf b/variables.tf index cb3a4b0..8e9f254 100644 --- a/variables.tf +++ b/variables.tf @@ -257,6 +257,12 @@ variable "enable_v3_node_groups" { type = bool } +variable "cluster_encryption_config" { + default = {} + description = "Configuration block with encryption configuration for the cluster. To disable secret encryption, set this value to `{}`" + type = any +} + variable "enable_v3_node_migration" { default = false description = "Enable v3 node and v2 node groups at the same time. Intended for use with migration to v3 nodes." From d47b13cb5d29d434efbfa0ee8bc8964c1bb87c0d Mon Sep 17 00:00:00 2001 
From: Max Xu Date: Tue, 8 Oct 2024 22:21:36 +0800 Subject: [PATCH 23/31] Revert "Set encryption off by default" This reverts commit 4f77606931437ec96528df04c4e6a3f1356d4fbd. --- main.tf | 1 - variables.tf | 6 ------ 2 files changed, 7 deletions(-) diff --git a/main.tf b/main.tf index bff2f37..e867edb 100644 --- a/main.tf +++ b/main.tf @@ -260,7 +260,6 @@ module "eks" { node_security_group_additional_rules = merge(var.node_security_group_additional_rules, local.default_sg_rules) cluster_enabled_log_types = var.cluster_enabled_log_types - cluster_encryption_config = var.cluster_encryption_config create_cloudwatch_log_group = false tags = local.tags } diff --git a/variables.tf b/variables.tf index 8e9f254..cb3a4b0 100644 --- a/variables.tf +++ b/variables.tf @@ -257,12 +257,6 @@ variable "enable_v3_node_groups" { type = bool } -variable "cluster_encryption_config" { - default = {} - description = "Configuration block with encryption configuration for the cluster. To disable secret encryption, set this value to `{}`" - type = any -} - variable "enable_v3_node_migration" { default = false description = "Enable v3 node and v2 node groups at the same time. Intended for use with migration to v3 nodes." From 50bfc4864f47e01d830bbb5f057480260afaa07a Mon Sep 17 00:00:00 2001 From: Max Xu Date: Tue, 8 Oct 2024 22:22:08 +0800 Subject: [PATCH 24/31] Revert "Update main.tf" This reverts commit 7d57a26bba72f7e40c07e8e2ccc77cd3f1dbbd66. --- main.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/main.tf b/main.tf index e867edb..536bdf3 100644 --- a/main.tf +++ b/main.tf 
@@ -250,7 +250,6 @@ module "eks" { cluster_security_group_name = try(var.cluster_networking.cluster_security_group_name, null) cluster_security_group_additional_rules = try(var.cluster_networking.cluster_security_group_additional_rules, var.cluster_security_group_additional_rules, {}) create_cluster_primary_security_group_tags = false # Cleaner if we handle the tag in aws_ec2_tag.cluster_security_group - attach_cluster_encryption_policy = false #Don't create the policy eks_managed_node_groups = local.eks_managed_node_groups eks_managed_node_group_defaults = local.node_group_defaults From cff881c1592ea6b8712db89e7d13f3555180db08 Mon Sep 17 00:00:00 2001 From: Max Xu Date: Tue, 8 Oct 2024 22:25:50 +0800 Subject: [PATCH 25/31] Set cluster_encryption_policy_path to StreamNative --- main.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/main.tf b/main.tf index 536bdf3..4b924f6 100644 --- a/main.tf +++ b/main.tf @@ -233,6 +233,7 @@ module "eks" { enable_irsa = true openid_connect_audiences = ["sts.amazonaws.com"] bootstrap_self_managed_addons = var.bootstrap_self_managed_addons + cluster_encryption_policy_path = "/StreamNative/" iam_role_arn = try(var.cluster_iam.iam_role_arn, aws_iam_role.cluster[0].arn, null) create_iam_role = try(var.cluster_iam.create_iam_role, true) From 443c69e67d5167d90fd18d613df8e696c914e1fb Mon Sep 17 00:00:00 2001 From: Max Xu Date: Tue, 15 Oct 2024 19:15:14 +0800 Subject: [PATCH 26/31] Set enable_cluster_creator_admin_permissions and nodes update_config --- main.tf | 33 +++++++++++++++++++++------------ versions.tf | 4 ++-- 2 files changed, 23 insertions(+), 14 deletions(-) diff --git a/main.tf b/main.tf index 4b924f6..3bfa6ad 100644 --- a/main.tf +++ b/main.tf @@ -99,6 +99,9 @@ locals { } } } + update_config = { + max_unavailable = 1 + } create_iam_role = false # We create the IAM role ourselves to reduce complexity in managing the aws-auth configmap create_launch_template = true desired_size = var.node_pool_desired_size 
@@ -200,6 +203,11 @@ locals { ### IAM role bindings sncloud_control_plane_access = [ + { + rolearn = format("arn:${local.aws_partition}:iam::%s:role/StreamNativeCloudBootstrapRole", local.account_id) + username = "sn-manager:{{AccountID}}:{{SessionName}}" + groups = ["system:masters"] + }, { rolearn = format("arn:${local.aws_partition}:iam::%s:role/StreamNativeCloudManagementRole", local.account_id) username = "sn-manager:{{AccountID}}:{{SessionName}}" @@ -223,17 +231,18 @@ locals { module "eks" { source = "terraform-aws-modules/eks/aws" - version = "20.24.2" - - cluster_name = var.cluster_name - cluster_version = var.cluster_version - cluster_endpoint_private_access = true # Always set to true here, which enables private networking for the node groups - cluster_endpoint_public_access = var.disable_public_eks_endpoint ? false : true - cluster_endpoint_public_access_cidrs = var.allowed_public_cidrs - enable_irsa = true - openid_connect_audiences = ["sts.amazonaws.com"] - bootstrap_self_managed_addons = var.bootstrap_self_managed_addons - cluster_encryption_policy_path = "/StreamNative/" + version = "20.26.0" + + cluster_name = var.cluster_name + cluster_version = var.cluster_version + cluster_endpoint_private_access = true # Always set to true here, which enables private networking for the node groups + cluster_endpoint_public_access = var.disable_public_eks_endpoint ? false : true + cluster_endpoint_public_access_cidrs = var.allowed_public_cidrs + enable_irsa = true + openid_connect_audiences = ["sts.amazonaws.com"] + bootstrap_self_managed_addons = var.bootstrap_self_managed_addons + enable_cluster_creator_admin_permissions = true + cluster_encryption_policy_path = "/StreamNative/" iam_role_arn = try(var.cluster_iam.iam_role_arn, aws_iam_role.cluster[0].arn, null) create_iam_role = try(var.cluster_iam.create_iam_role, true) 
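Review bot: The new StreamNativeCloudBootstrapRole entry grants `system:masters` under the same `username` template as the ManagementRole entry below it, so Kubernetes audit logs will record both roles as `sn-manager:<account>:<session>` and cannot tell a bootstrap session from a management one. If nothing downstream keys on the username string, give it a distinct prefix, e.g. `username = "sn-bootstrap:{{AccountID}}:{{SessionName}}"`, and add a comment above the entry saying what the bootstrap role must do that the management role cannot, since both are identified only by a role name assumed to exist in the account. As far as visible, the list is still gated by `enable_sncloud_control_plane_access` in `role_bindings`, so the grant remains opt-in. The enclosing `locals` block continues outside the hunk.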
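Review bot: `enable_cluster_creator_admin_permissions = true` is hard-coded in the `module "eks"` call, so whichever IAM principal runs `terraform apply` is bound to the cluster as an administrator through an EKS access entry (in terraform-aws-modules/eks v20 this is the caller identity with AmazonEKSClusterAdminPolicy, to be confirmed against 20.26.0), independently of the `aws-auth` role bindings this module otherwise manages. For a shared CI or automation role that is a standing cluster-admin grant that outlives the bootstrap and does not appear in `role_bindings`. Expose it as an input, `enable_cluster_creator_admin_permissions = var.enable_cluster_creator_admin_permissions`, with a documented default, or add a comment stating why the applying principal must keep admin. The `module "eks"` block continues outside the hunk.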
@@ -266,7 +275,7 @@ module "eks" { module "eks_auth" { source = "terraform-aws-modules/eks/aws//modules/aws-auth" - version = "20.24.2" + version = "20.26.0" manage_aws_auth_configmap = var.manage_aws_auth_configmap aws_auth_roles = local.role_bindings diff --git a/versions.tf b/versions.tf index 566945e..41e96f6 100644 --- a/versions.tf +++ b/versions.tf @@ -18,7 +18,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.61" + version = ">= 5.70" } kubernetes = { source = "hashicorp/kubernetes" @@ -26,7 +26,7 @@ terraform { } helm = { source = "hashicorp/helm" - version = "2.2.0" + version = ">= 2.16" } } } From 7d8d6e5c25aabcaeb211d1e1e1e159aebf787d1a Mon Sep 17 00:00:00 2001 From: Max Xu Date: Tue, 15 Oct 2024 23:54:33 +0800 Subject: [PATCH 27/31] Add node group iam role It's removed in https://github.com/terraform-aws-modules/terraform-aws-eks/pull/2858/files#diff-dc46acf24afd63ef8c556b77c126ccc6e578bc87e3aa09a931f33d9bf2532fbbL480 --- main.tf | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/main.tf b/main.tf index 3bfa6ad..825e34d 100644 --- a/main.tf +++ b/main.tf @@ -81,7 +81,8 @@ locals { } : {} ) - node_pool_taints = merge(var.node_pool_taints, local.computed_node_taints) + node_pool_taints = merge(var.node_pool_taints, local.computed_node_taints) + node_group_iam_role_arn = replace(aws_iam_role.ng.arn, replace(var.iam_path, "/^//", ""), "") # Work around for https://github.com/kubernetes-sigs/aws-iam-authenticator/issues/153 node_group_defaults = { create_security_group = false 
@@ -103,11 +104,11 @@ locals { max_unavailable = 1 } create_iam_role = false # We create the IAM role ourselves to reduce complexity in managing the aws-auth configmap + iam_role_arn = local.node_group_iam_role_arn create_launch_template = true desired_size = var.node_pool_desired_size ebs_optimized = var.node_pool_ebs_optimized enable_monitoring = var.enable_node_pool_monitoring - iam_role_arn = replace(aws_iam_role.ng.arn, replace(var.iam_path, "/^//", ""), "") # Work around for https://github.com/kubernetes-sigs/aws-iam-authenticator/issues/153 min_size = var.node_pool_min_size max_size = var.node_pool_max_size pre_bootstrap_user_data = var.node_pool_pre_userdata @@ -217,6 +218,11 @@ locals { # Add the worker node role back in with the path so the EKS console reports healthy node status worker_node_role = [ + { + rolearn = local.node_group_iam_role_arn + username = "system:node:{{EC2PrivateDNSName}}" + groups = ["system:bootstrappers", "system:nodes"] + }, { rolearn = aws_iam_role.ng.arn username = "system:node:{{EC2PrivateDNSName}}" @@ -226,7 +232,6 @@ locals { # Switches for different role binding scenarios role_bindings = var.enable_sncloud_control_plane_access && var.iam_path != "" ? concat(local.sncloud_control_plane_access, local.worker_node_role, var.map_additional_iam_roles) : var.enable_sncloud_control_plane_access && var.iam_path == "" ? concat(local.sncloud_control_plane_access, var.map_additional_iam_roles) : var.enable_sncloud_control_plane_access == false && var.iam_path != "" ? concat(var.map_additional_iam_roles, local.worker_node_role) : var.map_additional_iam_roles - } module "eks" { 
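Review bot: The new `worker_node_role` entry for `local.node_group_iam_role_arn` carries no comment, while the header comment above the list only explains the sibling entry that keeps the path, so a reader sees the same role mapped twice to `system:nodes` with no stated reason. Add above the new entry `# Pathless ARN: aws-iam-authenticator strips the IAM path from the node's caller ARN (kubernetes-sigs/aws-iam-authenticator#153), so this is the form nodes actually present`, which is the rationale already given where the local is defined. The enclosing `locals` block continues outside the hunk.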
@@ -242,7 +247,7 @@ module "eks" { openid_connect_audiences = ["sts.amazonaws.com"] bootstrap_self_managed_addons = var.bootstrap_self_managed_addons enable_cluster_creator_admin_permissions = true - cluster_encryption_policy_path = "/StreamNative/" + cluster_encryption_policy_path = var.iam_path iam_role_arn = try(var.cluster_iam.iam_role_arn, aws_iam_role.cluster[0].arn, null) create_iam_role = try(var.cluster_iam.create_iam_role, true) @@ -381,7 +386,7 @@ resource "aws_iam_role" "cluster" { description = format("The IAM Role used by the %s EKS cluster", var.cluster_name) assume_role_policy = data.aws_iam_policy_document.cluster_assume_role_policy[0].json tags = local.tags - path = "/StreamNative/" + path = var.iam_path permissions_boundary = var.permissions_boundary_arn } @@ -423,7 +428,7 @@ resource "aws_iam_role" "ng" { description = format("The IAM Role used by the %s EKS cluster's worker nodes", var.cluster_name) assume_role_policy = data.aws_iam_policy_document.ng_assume_role_policy.json tags = local.tags - path = "/StreamNative/" + path = var.iam_path permissions_boundary = var.permissions_boundary_arn } From 699dc44f3a78663acde6b16cf22ddb8eef6a4a49 Mon Sep 17 00:00:00 2001 From: mitch-hamm Date: Wed, 16 Oct 2024 13:51:15 -0700 Subject: [PATCH 28/31] Set encryption config as empty by default after failed testing --- main.tf | 1 + variables.tf | 6 ++++++ 2 files changed, 7 insertions(+) diff --git a/main.tf b/main.tf index 825e34d..fefa4a1 100644 --- a/main.tf +++ b/main.tf @@ -248,6 +248,7 @@ module "eks" { bootstrap_self_managed_addons = var.bootstrap_self_managed_addons enable_cluster_creator_admin_permissions = true cluster_encryption_policy_path = var.iam_path + cluster_encryption_config = var.cluster_encryption_config iam_role_arn = try(var.cluster_iam.iam_role_arn, aws_iam_role.cluster[0].arn, null) create_iam_role = try(var.cluster_iam.create_iam_role, true) diff --git a/variables.tf b/variables.tf index cb3a4b0..5c53eea 100644 --- a/variables.tf 
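Review bot: `path = var.iam_path` on `aws_iam_role.cluster` and `aws_iam_role.ng` (and `cluster_encryption_policy_path` in the `module "eks"` call) now passes the variable straight through, yet `role_bindings` in the same file treats `var.iam_path == ""` as a supported value; IAM requires a role path to begin and end with `/`, so an empty string would be rejected at apply time where the old literal `"/StreamNative/"` always worked. If the variable can legitimately be empty, normalise it once, e.g. `path = var.iam_path == "" ? "/" : var.iam_path`, or add a `validation` block on `iam_path`; if it cannot, say so in the variable's description. The `resource` headers for both roles lie outside their hunks.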
+++ b/variables.tf @@ -126,6 +126,12 @@ variable "cluster_enabled_log_types" { type = list(string) } +variable "cluster_encryption_config" { + description = "Configuration block with encryption configuration for the cluster. To disable secret encryption, set this value to `{}`" + type = any + default = {} +} + variable "cluster_name" { default = "" description = "The name of your EKS cluster and associated resources. Must be 16 characters or less." From 572a19eb44667d74a89a903cb9d5afd7d2265058 Mon Sep 17 00:00:00 2001 From: Yisheng Cai Date: Wed, 11 Sep 2024 00:34:43 +0800 Subject: [PATCH 29/31] feat: Expose route tables info (#138) ### Motivation Allow downstream module can obtain route tables info ### Modifications - Expose route tables info - Add type tag on route tables resources ### Verifying this change - [x] Make sure that the change passes the CI checks. *(Please pick either of the following options)* This change is a trivial rework / code cleanup without any test coverage. *(or)* This change is already covered by existing tests, such as *(please describe tests)*. *(or)* This change added tests and can be verified as follows: *(example:)* - *Added integration tests for end-to-end deployment with large payloads (10MB)* - *Extended integration test for recovery after broker failure* ### Documentation Check the box below. Need to update docs? - [ ] `doc-required` (If you need help on updating docs, create a doc issue) - [x] `no-need-doc` (Please explain why) - [ ] `doc` (If this PR contains doc changes) --- modules/vpc/main.tf | 4 ++-- modules/vpc/outputs.tf | 8 ++++++++ 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/modules/vpc/main.tf b/modules/vpc/main.tf index afe0dad..964c894 100644 --- a/modules/vpc/main.tf +++ b/modules/vpc/main.tf 
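Review bot: `cluster_encryption_config` defaults to `{}`, which by the description's own words disables secret encryption, so a caller who leaves the variable unset gets a cluster whose Kubernetes Secrets are not envelope-encrypted with KMS, whereas the upstream EKS module's default (as I recall for v20, to be confirmed against 20.26.0) creates a KMS key and encrypts `secrets`. Since EKS does not allow encryption to be removed from a cluster once enabled, existing clusters built under the upstream default should be planned against this change before release, and the commit message's "after failed testing" should record what failed so the next person does not re-enable it blindly. A safer shape keeps the opt-out but makes the secure setting the default, `default = { resources = ["secrets"] }`, with the description stating that `{}` leaves secrets unencrypted and cannot be applied to a cluster that already has encryption on.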
@@ -96,7 +96,7 @@ resource "aws_route_table" "public_route_table" { count = 1 vpc_id = aws_vpc.vpc.id - tags = merge({ "Vendor" = "StreamNative", Name = format("%s-public-rtb", var.vpc_name) }, var.tags) + tags = merge({ "Vendor" = "StreamNative", "Type" = "public", Name = format("%s-public-rtb", var.vpc_name) }, var.tags) lifecycle { ignore_changes = [tags] @@ -122,7 +122,7 @@ resource "aws_route_table" "private_route_table" { count = var.disable_nat_gateway ? 0 : local.num_azs vpc_id = aws_vpc.vpc.id - tags = merge({ "Vendor" = "StreamNative", Name = format("%s-private-rtb-%s", var.vpc_name, count.index) }, var.tags) + tags = merge({ "Vendor" = "StreamNative", "Type" = "private", Name = format("%s-private-rtb-%s", var.vpc_name, count.index) }, var.tags) lifecycle { ignore_changes = [tags] diff --git a/modules/vpc/outputs.tf b/modules/vpc/outputs.tf index 3325f0a..90eb4cd 100644 --- a/modules/vpc/outputs.tf +++ b/modules/vpc/outputs.tf @@ -22,6 +22,14 @@ output "public_subnet_ids" { description = "A list of public subnet ID's created by this module" } +output "private_route_table_ids" { + value = aws_route_table.private_route_table.*.id +} + +output "public_route_table_ids" { + value = aws_route_table.public_route_table.*.id +} + output "vpc_id" { value = aws_vpc.vpc.id description = "The ID of the VPC created by this module" From 161c5bc6ce72e0aaa64bb4de6458d077b2307fc3 Mon Sep 17 00:00:00 2001 
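Review bot: The two new outputs `private_route_table_ids` and `public_route_table_ids` have no `description`, unlike the neighbouring `public_subnet_ids` and `vpc_id` outputs in the same file, so they will render undocumented in the generated module docs. Add `description = "A list of private route table IDs created by this module; empty when disable_nat_gateway is true"` and `description = "A list of public route table IDs created by this module"`, the first caveat following from `count = var.disable_nat_gateway ? 0 : local.num_azs` on the private route table resource in this same patch. The splat `aws_route_table.private_route_table.*.id` could also be written `aws_route_table.private_route_table[*].id` to match current Terraform style, though the legacy form still works.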
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Wed, 11 Sep 2024 00:37:15 +0800 Subject: [PATCH 30/31] chore(master): release 3.2.0 (#139) :robot: I have created a release *beep* *boop* --- ## [3.2.0](https://github.com/streamnative/terraform-aws-cloud/compare/v3.1.0...v3.2.0) (2024-09-10) ### Features * Expose route tables info ([#138](https://github.com/streamnative/terraform-aws-cloud/issues/138)) ([13d1412](https://github.com/streamnative/terraform-aws-cloud/commit/13d141209539f4ef25eae9f87284eba0c0397170)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 95bdeb4..56b2f12 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,12 @@ # Changelog +## [3.2.0](https://github.com/streamnative/terraform-aws-cloud/compare/v3.1.0...v3.2.0) (2024-09-10) + + +### Features + +* Expose route tables info ([#138](https://github.com/streamnative/terraform-aws-cloud/issues/138)) ([13d1412](https://github.com/streamnative/terraform-aws-cloud/commit/13d141209539f4ef25eae9f87284eba0c0397170)) + ## [3.1.0](https://github.com/streamnative/terraform-aws-cloud/compare/v3.0.0...v3.1.0) (2024-06-30) From bf627ad19b3862068703d21f9a06590b6f23e084 Mon Sep 17 00:00:00 2001 From: Max Xu Date: Fri, 25 Oct 2024 14:59:11 +0800 Subject: [PATCH 31/31] docs: update tf docs --- README.md | 35 ++++++++++++++++++----------------- main.tf | 2 +- variables.tf | 2 +- 3 files changed, 20 insertions(+), 19 deletions(-) diff --git a/README.md b/README.md index 80d798f..76f0ec5 100644 --- a/README.md +++ b/README.md 
@@ -169,24 +169,24 @@ _Note: Since this module manages all of the Kubernetes addon dependencies requir | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.3.2 | -| [aws](#requirement\_aws) | >= 5.61 | -| [helm](#requirement\_helm) | 2.2.0 | +| [aws](#requirement\_aws) | >= 5.70 | +| [helm](#requirement\_helm) | >= 2.16 | | [kubernetes](#requirement\_kubernetes) | >= 2.32 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 5.68.0 | -| [helm](#provider\_helm) | 2.2.0 | -| [kubernetes](#provider\_kubernetes) | 2.32.0 | +| [aws](#provider\_aws) | 5.71.0 | +| [helm](#provider\_helm) | 2.16.0 | +| [kubernetes](#provider\_kubernetes) | 2.33.0 | ## Modules | Name | Source | Version | |------|--------|---------| -| [eks](#module\_eks) | terraform-aws-modules/eks/aws | 20.24.1 | -| [eks\_auth](#module\_eks\_auth) | terraform-aws-modules/eks/aws//modules/aws-auth | 20.24.1 | +| [eks](#module\_eks) | terraform-aws-modules/eks/aws | 20.26.0 | +| [eks\_auth](#module\_eks\_auth) | terraform-aws-modules/eks/aws//modules/aws-auth | 20.26.0 | | [istio](#module\_istio) | github.com/streamnative/terraform-helm-charts//modules/istio-operator | v0.8.6 | | [vpc\_tags](#module\_vpc\_tags) | ./modules/eks-vpc-tags | n/a | 
@@ -226,16 +226,16 @@ _Note: Since this module manages all of the Kubernetes addon dependencies requir | [aws_s3_bucket.velero](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | | [aws_s3_bucket_server_side_encryption_configuration.tiered_storage](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | | [aws_s3_bucket_server_side_encryption_configuration.velero](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | -| [helm_release.aws_load_balancer_controller](https://registry.terraform.io/providers/hashicorp/helm/2.2.0/docs/resources/release) | resource | -| [helm_release.cert_issuer](https://registry.terraform.io/providers/hashicorp/helm/2.2.0/docs/resources/release) | resource | -| [helm_release.cert_manager](https://registry.terraform.io/providers/hashicorp/helm/2.2.0/docs/resources/release) | resource | -| [helm_release.cilium](https://registry.terraform.io/providers/hashicorp/helm/2.2.0/docs/resources/release) | resource | -| [helm_release.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/helm/2.2.0/docs/resources/release) | resource | -| [helm_release.csi](https://registry.terraform.io/providers/hashicorp/helm/2.2.0/docs/resources/release) | resource | -| [helm_release.external_dns](https://registry.terraform.io/providers/hashicorp/helm/2.2.0/docs/resources/release) | resource | -| [helm_release.metrics_server](https://registry.terraform.io/providers/hashicorp/helm/2.2.0/docs/resources/release) | resource | -| [helm_release.node_termination_handler](https://registry.terraform.io/providers/hashicorp/helm/2.2.0/docs/resources/release) | resource | -| [helm_release.velero](https://registry.terraform.io/providers/hashicorp/helm/2.2.0/docs/resources/release) | resource | +| 
[helm_release.aws_load_balancer_controller](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [helm_release.cert_issuer](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [helm_release.cert_manager](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [helm_release.cilium](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [helm_release.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [helm_release.csi](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [helm_release.external_dns](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [helm_release.metrics_server](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [helm_release.node_termination_handler](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [helm_release.velero](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | | [kubernetes_namespace.sn_system](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | | [kubernetes_namespace.velero](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | | [kubernetes_storage_class.sn_default](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class) | resource | 
@@ -287,6 +287,7 @@ _Note: Since this module manages all of the Kubernetes addon dependencies requir | [cluster\_autoscaler\_helm\_chart\_version](#input\_cluster\_autoscaler\_helm\_chart\_version) | Helm chart version for the cluster-autoscaler. Defaults to "9.10.4". See https://github.com/kubernetes/autoscaler/tree/master/charts/cluster-autoscaler for more details. | `string` | `"9.21.0"` | no | | [cluster\_autoscaler\_settings](#input\_cluster\_autoscaler\_settings) | Additional settings which will be passed to the Helm chart values for cluster-autoscaler, see https://github.com/kubernetes/autoscaler/tree/master/charts/cluster-autoscaler for options. | `map(any)` | `{}` | no | | [cluster\_enabled\_log\_types](#input\_cluster\_enabled\_log\_types) | A list of the desired control plane logging to enable. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html). | `list(string)` |
[
"api",
"audit",
"authenticator",
"controllerManager",
"scheduler"
]
| no | +| [cluster\_encryption\_config](#input\_cluster\_encryption\_config) | Configuration block with encryption configuration for the cluster. To disable secret encryption, set this value to `{}` | `any` | `{}` | no | | [cluster\_iam](#input\_cluster\_iam) | Cluster IAM settings | `any` | `null` | no | | [cluster\_name](#input\_cluster\_name) | The name of your EKS cluster and associated resources. Must be 16 characters or less. | `string` | `""` | no | | [cluster\_networking](#input\_cluster\_networking) | Cluster Networking settings | `any` | `null` | no | diff --git a/main.tf b/main.tf index fefa4a1..b1fc370 100644 --- a/main.tf +++ b/main.tf @@ -247,8 +247,8 @@ module "eks" { openid_connect_audiences = ["sts.amazonaws.com"] bootstrap_self_managed_addons = var.bootstrap_self_managed_addons enable_cluster_creator_admin_permissions = true - cluster_encryption_policy_path = var.iam_path cluster_encryption_config = var.cluster_encryption_config + cluster_encryption_policy_path = var.iam_path iam_role_arn = try(var.cluster_iam.iam_role_arn, aws_iam_role.cluster[0].arn, null) create_iam_role = try(var.cluster_iam.create_iam_role, true) diff --git a/variables.tf b/variables.tf index 5c53eea..937dbe9 100644 --- a/variables.tf +++ b/variables.tf @@ -129,7 +129,7 @@ variable "cluster_enabled_log_types" { variable "cluster_encryption_config" { description = "Configuration block with encryption configuration for the cluster. To disable secret encryption, set this value to `{}`" type = any - default = {} + default = {} } variable "cluster_name" {
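Review bot: The reordered `cluster_encryption_config = var.cluster_encryption_config` line in the `module "eks"` block forwards a variable whose default is `{}`, and the variable's own description in this same patch says `{}` is the value that disables secret encryption, so by default this module appears to opt clusters out of KMS envelope encryption for Kubernetes secrets; the wording reads as though encryption is on unless the caller sets `{}`, which contradicts the default. If the upstream terraform-aws-modules/eks default enables secret encryption (it appears to in the 20.x series, but confirm against the pinned 20.26.0), overriding it with an empty map here is a silent opt-out, and the adjacent `cluster_encryption_policy_path = var.iam_path` then has no effect. I would either change the default to an encrypting config or, at minimum, correct the description to `"Configuration block with encryption configuration for the cluster. Defaults to `{}`, which leaves secret encryption disabled; set e.g. `{ resources = [\"secrets\"] }` to enable it."` and add a `# NOTE: empty by default – secrets are not KMS-encrypted unless the caller opts in` comment on the line. The `module "eks"` block starts and ends outside this hunk.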