From c123496d028dbcb11af051e4a2770f9249a164f1 Mon Sep 17 00:00:00 2001 From: Aidan Hilt Date: Mon, 26 Feb 2024 16:09:23 -0500 Subject: [PATCH 01/20] Creating a new module that can be used to create an IAM role for accessing Opensearch clusters using IRSA --- tf_files/aws/commons/outputs.tf | 16 +++++++++--- tf_files/aws/eks/outputs.tf | 4 +++ .../aws/modules/commons-vpc-es/outputs.tf | 4 +++ tf_files/aws/modules/eks/outputs.tf | 14 +++++++---- tf_files/aws/opensearch-iam-role/data.tf | 25 +++++++++++++++++++ tf_files/aws/opensearch-iam-role/root.tf | 14 +++++++++++ tf_files/aws/opensearch-iam-role/variables.tf | 8 ++++++ 7 files changed, 76 insertions(+), 9 deletions(-) create mode 100644 tf_files/aws/opensearch-iam-role/data.tf create mode 100644 tf_files/aws/opensearch-iam-role/root.tf create mode 100644 tf_files/aws/opensearch-iam-role/variables.tf diff --git a/tf_files/aws/commons/outputs.tf b/tf_files/aws/commons/outputs.tf index 83a0c718..9dc34b0f 100644 --- a/tf_files/aws/commons/outputs.tf +++ b/tf_files/aws/commons/outputs.tf @@ -46,13 +46,21 @@ output "data-bucket_name" { } output "kubeconfig" { - value = module.eks[0].kubeconfig - sensitive = true + value = module.eks[0].kubeconfig + sensitive = true } output "config_map_aws_auth" { - value = module.eks[0].config_map_aws_auth - sensitive = true + value = module.eks[0].config_map_aws_auth + sensitive = true +} + +output "cluster_oidc_provider_url" { + value = module.eks[0].cluster_oidc_provider_url +} + +output "opensearch_cluster_arn" { + value = module.commons_vpc_es.es_arn } ## diff --git a/tf_files/aws/eks/outputs.tf b/tf_files/aws/eks/outputs.tf index 660ad81c..5b936849 100644 --- a/tf_files/aws/eks/outputs.tf +++ b/tf_files/aws/eks/outputs.tf @@ -5,3 +5,7 @@ output "kubeconfig" { output "config_map_aws_auth" { value = module.eks[0].config_map_aws_auth } + +output "cluster_oidc_provider_url" { + value = module.eks[0].cluster_oidc_provider_url +} 
diff --git a/tf_files/aws/modules/commons-vpc-es/outputs.tf b/tf_files/aws/modules/commons-vpc-es/outputs.tf index 52fef4f4..06f58ce8 100644 --- a/tf_files/aws/modules/commons-vpc-es/outputs.tf +++ b/tf_files/aws/modules/commons-vpc-es/outputs.tf @@ -5,3 +5,7 @@ output "kibana_endpoint" { output "es_endpoint" { value = aws_elasticsearch_domain.gen3_metadata.endpoint } + +output "es_arn" { + value = aws_elasticsearch_domain.gen3_metadata.arn +} diff --git a/tf_files/aws/modules/eks/outputs.tf b/tf_files/aws/modules/eks/outputs.tf index 215d3e20..c4694a80 100644 --- a/tf_files/aws/modules/eks/outputs.tf +++ b/tf_files/aws/modules/eks/outputs.tf @@ -1,23 +1,27 @@ output "kubeconfig" { - value = templatefile("${path.module}/kubeconfig.tpl", {vpc_name = var.vpc_name, eks_name = aws_eks_cluster.eks_cluster.id, eks_endpoint = aws_eks_cluster.eks_cluster.endpoint, eks_cert = aws_eks_cluster.eks_cluster.certificate_authority.0.data,}) + value = templatefile("${path.module}/kubeconfig.tpl", { vpc_name = var.vpc_name, eks_name = aws_eks_cluster.eks_cluster.id, eks_endpoint = aws_eks_cluster.eks_cluster.endpoint, eks_cert = aws_eks_cluster.eks_cluster.certificate_authority.0.data, }) sensitive = true } output "config_map_aws_auth" { - value = local.config-map-aws-auth + value = local.config-map-aws-auth sensitive = true } output "cluster_endpoint" { - value = aws_eks_cluster.eks_cluster.endpoint + value = aws_eks_cluster.eks_cluster.endpoint sensitive = true } output "cluster_certificate_authority_data" { - value = aws_eks_cluster.eks_cluster.certificate_authority.0.data + value = aws_eks_cluster.eks_cluster.certificate_authority.0.data sensitive = true } - + output "cluster_name" { value = aws_eks_cluster.eks_cluster.name } + +output "cluster_oidc_provider_url" { + value = aws_eks_cluster.eks_cluster.identity[0].oidc[0].issuer +} diff --git a/tf_files/aws/opensearch-iam-role/data.tf b/tf_files/aws/opensearch-iam-role/data.tf new file mode 100644 index 00000000..51397e82 
--- /dev/null
+++ b/tf_files/aws/opensearch-iam-role/data.tf
@@ -0,0 +1,25 @@
+data "aws_iam_policy_document" "opensearch_cluster_access" {
+ statement {
+ actions = ["es:*"]
+ resources = ["${var.opensearch_cluster_arn}"]
+ effect = "Allow"
+ }
+}
+
+data "aws_iam_policy_document" "opensearch_assume_role" {
+ statement {
+ actions = ["sts:AssumeRoleWithWebIdentity"]
+ effect = "Allow"
+
+ condition {
+ test = "StringEquals"
+ variable = var.oidc_url
+ values = ["system:serviceaccount:kube-system:aws-node"]
+ }
+
+ principals {
+ identifiers = [aws_iam_openid_connect_provider.eks.arn]
+ type = "Federated"
+ }
+ }
+}
diff --git a/tf_files/aws/opensearch-iam-role/root.tf b/tf_files/aws/opensearch-iam-role/root.tf
new file mode 100644
index 00000000..6526546c
--- /dev/null
+++ b/tf_files/aws/opensearch-iam-role/root.tf
@@ -0,0 +1,14 @@
+resource "aws_iam_role" "opensearch_iam_role" {
+ name = "${var.environment}-elasticsearch-access-role"
+ assume_role_policy = data.aws_iam_policy_document.opensearch_assume_role.json
+}
+
+resource "aws_iam_policy" "opensearch_iam_role_policy" {
+ name = "opensearch_access_policy"
+ policy = data.aws_iam_policy_document.opensearch_cluster_access.json
+}
+
+resource "aws_iam_role_policy_attachment" "opensearch" {
+ role = aws_iam_role.opensearch_iam_role
+ policy_arn = aws_iam_policy.opensearch_iam_role_policy.arn
+}
diff --git a/tf_files/aws/opensearch-iam-role/variables.tf b/tf_files/aws/opensearch-iam-role/variables.tf
new file mode 100644
index 00000000..50187000
--- /dev/null
+++ b/tf_files/aws/opensearch-iam-role/variables.tf
@@ -0,0 +1,8 @@
+# The ARN for a commons' OpenSearch cluster
+variable "opensearch_cluster_arn" {}
+
+# The name of the environment
+variable "environment" {}
+
+# The URL for the cluster's OIDC provider
+variable "oidc_url" {}
From 8b272c463f3b204dced088b95aa571d9c71544bf Mon Sep 17 00:00:00 2001
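Review bot: `actions = ["es:*"]` in the opensearch_cluster_access statement grants the workload every OpenSearch API action, including domain configuration and deletion, when a role assumed by a pod only needs the data-plane HTTP verbs; `actions = ["es:ESHttp*"]` (or the individual `es:ESHttpGet`/`es:ESHttpPost`/`es:ESHttpPut`/`es:ESHttpDelete` actions the proxy actually issues) is the least-privilege form. The same wildcard survives the last hunk in this series, which appends `/*` to the resource ARN; that suffix stops the statement matching the bare domain ARN, which narrows what `es:*` can reach, but the policy still reads as full access and widens again silently if the bare ARN is ever re-added. The trust-policy condition key and subject on the lines below are reworked in the next patch of the series, so they are not raised here.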
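Review bot: `name = "opensearch_access_policy"` on aws_iam_policy is a fixed, account-wide name, while the role a few lines above is prefixed with `var.environment`; deploying a second environment into the same account will fail on the policy with an EntityAlreadyExists error. Namespace it the same way as the role, `name = "${var.environment}-opensearch-access-policy"`, or use `name_prefix` and let AWS add the suffix. A short comment on the role noting that it is intended for IRSA assumption by a single service account would also help the next maintainer see why the trust policy is a web-identity one.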
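Review bot: The three variables are declared with empty bodies, so any type is accepted and a malformed value only fails later inside the policy document rather than at plan time. Give each block `type = string` and move the leading `#` comment into a `description` argument so it is shown by `terraform plan` and in module documentation. For `opensearch_cluster_arn` a `validation` block checking the value starts with `arn:` would catch a pasted endpoint URL before it reaches IAM.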
From: Aidan Hilt Date: Mon, 26 Feb 2024 17:28:57 -0500 Subject: [PATCH 02/20] I think the first draft is finished --- tf_files/aws/opensearch-iam-role/data.tf | 12 ++++++++---- tf_files/aws/opensearch-iam-role/variables.tf | 3 +++ 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/tf_files/aws/opensearch-iam-role/data.tf b/tf_files/aws/opensearch-iam-role/data.tf index 51397e82..42f2d92f 100644 --- a/tf_files/aws/opensearch-iam-role/data.tf +++ b/tf_files/aws/opensearch-iam-role/data.tf @@ -1,3 +1,7 @@ +locals { + oidc_url = replace(var.oidc_url, "https://", "") +} + data "aws_iam_policy_document" "opensearch_cluster_access" { statement { actions = ["es:*"] @@ -12,13 +16,13 @@ data "aws_iam_policy_document" "opensearch_assume_role" { effect = "Allow" condition { - test = "StringEquals" - variable = var.oidc_url - values = ["system:serviceaccount:kube-system:aws-node"] + test = "StringLike" + variable = "${locals.oidc_url}:sub" + values = ["system:serviceaccount:*:es-proxy"] } principals { - identifiers = [aws_iam_openid_connect_provider.eks.arn] + identifiers = ["${var.oidc_provider_arn}"] type = "Federated" } } diff --git a/tf_files/aws/opensearch-iam-role/variables.tf b/tf_files/aws/opensearch-iam-role/variables.tf index 50187000..4b81deb2 100644 --- a/tf_files/aws/opensearch-iam-role/variables.tf +++ b/tf_files/aws/opensearch-iam-role/variables.tf @@ -6,3 +6,6 @@ variable "environment" {} # The URL for the cluster's OIDC provider variable "oidc_url" {} + +# The ARN of the cluster's OIDC provider +variable "oidc_provider_arn" {} From 7554f56970219444ab575b7df96fe65a11fb7735 Mon Sep 17 00:00:00 2001 From: Aidan Hilt Date: Tue, 27 Feb 2024 14:03:13 -0500 Subject: [PATCH 03/20] Added some needed changes --- tf_files/aws/opensearch-iam-role/data.tf | 2 +- tf_files/aws/opensearch-iam-role/variables.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
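Review bot: `values = ["system:serviceaccount:*:es-proxy"]` with `StringLike` lets a service account named es-proxy in any namespace of the cluster assume this role, so anyone who can create a service account in some namespace gains the OpenSearch permissions; the namespace should be pinned, and a second condition on `${local.oidc_url}:aud` equal to `sts.amazonaws.com` should be added so only tokens minted for STS are accepted, as AWS documents for IRSA trust policies. `variable = "${locals.oidc_url}:sub"` also spells the local-values prefix as `locals.` where Terraform expects `local.`, which a later patch in this series corrects. `identifiers = ["${var.oidc_provider_arn}"]` can simply be `identifiers = [var.oidc_provider_arn]`. The rewritten condition blocks would be:
```hcl
    condition {
      test     = "StringEquals"
      variable = "${local.oidc_url}:sub"
      values   = ["system:serviceaccount:NAMESPACE_PLACEHOLDER:es-proxy"] # namespace should come from a new input variable
    }

    condition {
      test     = "StringEquals"
      variable = "${local.oidc_url}:aud"
      values   = ["sts.amazonaws.com"]
    }
    # … unchanged: principals block …
```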
diff --git a/tf_files/aws/opensearch-iam-role/data.tf b/tf_files/aws/opensearch-iam-role/data.tf index 42f2d92f..34603c40 100644 --- a/tf_files/aws/opensearch-iam-role/data.tf +++ b/tf_files/aws/opensearch-iam-role/data.tf @@ -1,5 +1,5 @@ locals { - oidc_url = replace(var.oidc_url, "https://", "") + oidc_url = replace(var.oidc_provider_url, "https://", "") } data "aws_iam_policy_document" "opensearch_cluster_access" { diff --git a/tf_files/aws/opensearch-iam-role/variables.tf b/tf_files/aws/opensearch-iam-role/variables.tf index 4b81deb2..13237986 100644 --- a/tf_files/aws/opensearch-iam-role/variables.tf +++ b/tf_files/aws/opensearch-iam-role/variables.tf @@ -5,7 +5,7 @@ variable "opensearch_cluster_arn" {} variable "environment" {} # The URL for the cluster's OIDC provider -variable "oidc_url" {} +variable "oidc_provider_url" {} # The ARN of the cluster's OIDC provider variable "oidc_provider_arn" {} From 19052cc6e8862e6791470209fe8d328057fda9ca Mon Sep 17 00:00:00 2001 From: Aidan Hilt Date: Mon, 4 Mar 2024 11:57:20 -0500 Subject: [PATCH 04/20] Just a bunch of stuff for IRSA --- tf_files/aws/eks/outputs.tf | 4 ++++ tf_files/aws/modules/eks/outputs.tf | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/tf_files/aws/eks/outputs.tf b/tf_files/aws/eks/outputs.tf index 5b936849..f468764e 100644 --- a/tf_files/aws/eks/outputs.tf +++ b/tf_files/aws/eks/outputs.tf @@ -9,3 +9,7 @@ output "config_map_aws_auth" { output "cluster_oidc_provider_url" { value = module.eks[0].cluster_oidc_provider_url } + +output "cluster_oidc_provider_arn" { + value = module.eks[0].cluster_oidc_provider_arn +} diff --git a/tf_files/aws/modules/eks/outputs.tf b/tf_files/aws/modules/eks/outputs.tf index c4694a80..25862d7b 100644 --- a/tf_files/aws/modules/eks/outputs.tf +++ b/tf_files/aws/modules/eks/outputs.tf 
@@ -25,3 +25,7 @@ output "cluster_name" { output "cluster_oidc_provider_url" { value = aws_eks_cluster.eks_cluster.identity[0].oidc[0].issuer } + +output "cluster_oidc_provider_arn" { + value = aws_iam_openid_connect_provider.identity_provider.arn +} From e4e98147dbb62059e15f944a1410310f74a6c83c Mon Sep 17 00:00:00 2001 From: Aidan Hilt Date: Mon, 4 Mar 2024 13:52:55 -0500 Subject: [PATCH 05/20] Syntax --- tf_files/aws/commons/outputs.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tf_files/aws/commons/outputs.tf b/tf_files/aws/commons/outputs.tf index 9dc34b0f..a28cd4dc 100644 --- a/tf_files/aws/commons/outputs.tf +++ b/tf_files/aws/commons/outputs.tf @@ -60,7 +60,7 @@ output "cluster_oidc_provider_url" { } output "opensearch_cluster_arn" { - value = module.commons_vpc_es.es_arn + value = module.commons_vpc_es[0].es_arn } ## From fc42a54beef59f152b9eff6dbbeeae04014474a7 Mon Sep 17 00:00:00 2001 From: Aidan Hilt Date: Mon, 4 Mar 2024 14:09:52 -0500 Subject: [PATCH 06/20] More syntax --- tf_files/aws/modules/eks/outputs.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tf_files/aws/modules/eks/outputs.tf b/tf_files/aws/modules/eks/outputs.tf index 25862d7b..cd0d529a 100644 --- a/tf_files/aws/modules/eks/outputs.tf +++ b/tf_files/aws/modules/eks/outputs.tf @@ -27,5 +27,5 @@ output "cluster_oidc_provider_url" { } output "cluster_oidc_provider_arn" { - value = aws_iam_openid_connect_provider.identity_provider.arn + value = aws_iam_openid_connect_provider[0].identity_provider.arn } From 79517a175f6b544c632ffae50cbcd2122b18468a Mon Sep 17 00:00:00 2001 From: Aidan Hilt Date: Mon, 4 Mar 2024 14:18:22 -0500 Subject: [PATCH 07/20] Maybe this will work? --- tf_files/aws/modules/eks/outputs.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tf_files/aws/modules/eks/outputs.tf b/tf_files/aws/modules/eks/outputs.tf index cd0d529a..ab6a4f71 100644 --- a/tf_files/aws/modules/eks/outputs.tf 
+++ b/tf_files/aws/modules/eks/outputs.tf @@ -27,5 +27,5 @@ output "cluster_oidc_provider_url" { } output "cluster_oidc_provider_arn" { - value = aws_iam_openid_connect_provider[0].identity_provider.arn + value = aws_iam_openid_connect_provider[count.index].identity_provider.arn } From 5665318171b13e3ad7b10825061e74fe38d9a83f Mon Sep 17 00:00:00 2001 From: Aidan Hilt Date: Mon, 4 Mar 2024 14:21:20 -0500 Subject: [PATCH 08/20] Removing everything, let's look at the OG error with a fresh pair of eyes --- tf_files/aws/modules/eks/outputs.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tf_files/aws/modules/eks/outputs.tf b/tf_files/aws/modules/eks/outputs.tf index ab6a4f71..25862d7b 100644 --- a/tf_files/aws/modules/eks/outputs.tf +++ b/tf_files/aws/modules/eks/outputs.tf @@ -27,5 +27,5 @@ output "cluster_oidc_provider_url" { } output "cluster_oidc_provider_arn" { - value = aws_iam_openid_connect_provider[count.index].identity_provider.arn + value = aws_iam_openid_connect_provider.identity_provider.arn } From 0c4ca59108121099eeb30ca0f5a6d8ebef1be49e Mon Sep 17 00:00:00 2001 From: Aidan Hilt Date: Mon, 4 Mar 2024 14:30:34 -0500 Subject: [PATCH 09/20] Beginning to think I don't really understand Terraform --- tf_files/aws/modules/eks/outputs.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tf_files/aws/modules/eks/outputs.tf b/tf_files/aws/modules/eks/outputs.tf index 25862d7b..3ed80b15 100644 --- a/tf_files/aws/modules/eks/outputs.tf +++ b/tf_files/aws/modules/eks/outputs.tf @@ -27,5 +27,5 @@ output "cluster_oidc_provider_url" { } output "cluster_oidc_provider_arn" { - value = aws_iam_openid_connect_provider.identity_provider.arn + value = aws_iam_openid_connect_provider.this[0].identity_provider.arn } From ef353974072513536e58cbb85ed28fd9eba8459c Mon Sep 17 00:00:00 2001 
From: Aidan Hilt Date: Mon, 4 Mar 2024 14:32:31 -0500 Subject: [PATCH 10/20] If this is it, I'm going to be embarassed --- tf_files/aws/modules/eks/outputs.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tf_files/aws/modules/eks/outputs.tf b/tf_files/aws/modules/eks/outputs.tf index 3ed80b15..27372f5c 100644 --- a/tf_files/aws/modules/eks/outputs.tf +++ b/tf_files/aws/modules/eks/outputs.tf @@ -27,5 +27,5 @@ output "cluster_oidc_provider_url" { } output "cluster_oidc_provider_arn" { - value = aws_iam_openid_connect_provider.this[0].identity_provider.arn + value = aws_eks_cluster.aws_iam_openid_connect_provider.identity_provider.arn } From cc7c1113d705681082703b4efe3cbb090ee8ae84 Mon Sep 17 00:00:00 2001 From: Aidan Hilt Date: Mon, 4 Mar 2024 15:14:38 -0500 Subject: [PATCH 11/20] I think I'm dumb --- tf_files/aws/modules/eks/outputs.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tf_files/aws/modules/eks/outputs.tf b/tf_files/aws/modules/eks/outputs.tf index 27372f5c..2d36a931 100644 --- a/tf_files/aws/modules/eks/outputs.tf +++ b/tf_files/aws/modules/eks/outputs.tf @@ -27,5 +27,5 @@ output "cluster_oidc_provider_url" { } output "cluster_oidc_provider_arn" { - value = aws_eks_cluster.aws_iam_openid_connect_provider.identity_provider.arn + value = aws_iam_openid_connect_provider.identity_provider[0].arn } From 7fc7408978fcc486985cc8d0e32c5a0810224900 Mon Sep 17 00:00:00 2001 From: Aidan Hilt Date: Mon, 4 Mar 2024 15:44:27 -0500 Subject: [PATCH 12/20] Adding OIDC provider ARN output to commons module --- tf_files/aws/commons/outputs.tf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tf_files/aws/commons/outputs.tf b/tf_files/aws/commons/outputs.tf index a28cd4dc..3ce1eafe 100644 --- a/tf_files/aws/commons/outputs.tf +++ b/tf_files/aws/commons/outputs.tf 
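Review bot: `aws_iam_openid_connect_provider.identity_provider[0].arn` indexes the provider resource, which suggests it is created with `count`; if that count can be 0 (a cluster built without the IRSA provider), every plan of this module fails on this output with an index-out-of-range error instead of returning nothing. If the provider is optional, guard the output: `value = one(aws_iam_openid_connect_provider.identity_provider[*].arn)` yields the ARN when one instance exists and null otherwise. The resource definition is outside this hunk, so confirm whether it actually uses `count` before changing this.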
@@ -59,10 +59,15 @@ output "cluster_oidc_provider_url" { value = module.eks[0].cluster_oidc_provider_url } +output "cluster_oidc_provider_arn" { + value = module.eks[0].cluster_oidc_provider_arn +} + output "opensearch_cluster_arn" { value = module.commons_vpc_es[0].es_arn } + ## # aws_rds_aurora_cluster ## From 72abcac266113ff38ac812459361fffe1c02e168 Mon Sep 17 00:00:00 2001 From: Aidan Hilt Date: Thu, 23 May 2024 14:45:06 -0400 Subject: [PATCH 13/20] Adding the role and policies to terraform, should be able to start testing --- tf_files/aws/opensearch-iam-role/data.tf | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/tf_files/aws/opensearch-iam-role/data.tf b/tf_files/aws/opensearch-iam-role/data.tf index 34603c40..80ade604 100644 --- a/tf_files/aws/opensearch-iam-role/data.tf +++ b/tf_files/aws/opensearch-iam-role/data.tf @@ -27,3 +27,14 @@ data "aws_iam_policy_document" "opensearch_assume_role" { } } } + +resource "aws_iam_policy" "opensearch_access_policy" { + name = "opensearch-access-policy" + policy = data.aws_iam_policy_document.opensearch_cluster_access.json +} + +resource "aws_iam_role" "opensearch_access_role" { + name = "opensearch-access-role" + assume_role_policy = data.aws_iam_policy_document.opensearch_assume_role.json + managed_policy_arns = [aws_iam_policy.opensearch_access_policy.arn] +} From 60a4626d1b389c25b25bd79532f9b165c7700965 Mon Sep 17 00:00:00 2001 From: Aidan Hilt Date: Thu, 23 May 2024 17:03:17 -0400 Subject: [PATCH 14/20] Ignoring lifecycle changes for buckets --- tf_files/aws/modules/upload-data-bucket/s3.tf | 44 ++++++++++--------- 1 file changed, 24 insertions(+), 20 deletions(-) diff --git a/tf_files/aws/modules/upload-data-bucket/s3.tf b/tf_files/aws/modules/upload-data-bucket/s3.tf index b387bd8f..e41f3dc3 100644 --- a/tf_files/aws/modules/upload-data-bucket/s3.tf +++ b/tf_files/aws/modules/upload-data-bucket/s3.tf 
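Review bot: `aws_iam_role "opensearch_access_role"` and `aws_iam_policy "opensearch_access_policy"` duplicate the role and policy that root.tf in this module already builds from the same two policy documents, so a single apply creates two roles and two policies, and only the root.tf pair carries the environment prefix; the fixed names `opensearch-access-role` and `opensearch-access-policy` will collide with a second environment in the same account. Keep one role/policy pair, and if `managed_policy_arns` is the preferred mechanism use it alone, since it declares the complete set of attached policies and conflicts with separate attachment resources on the same role. Resource blocks also belong in root.tf rather than a file named data.tf.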
@@ -13,6 +13,10 @@ resource "aws_s3_bucket" "data_bucket" { resource "aws_s3_bucket_server_side_encryption_configuration" "data_bucket" { bucket = aws_s3_bucket.data_bucket.bucket + lifecycle { + ignore_changes = all + } + rule { apply_server_side_encryption_by_default { sse_algorithm = "AES256" @@ -27,11 +31,11 @@ resource "aws_s3_bucket_logging" "data_bucket" { } resource "aws_s3_bucket_public_access_block" "data_bucket_privacy" { - bucket = aws_s3_bucket.data_bucket.id - block_public_acls = true - block_public_policy = true - ignore_public_acls = true - restrict_public_buckets = true + bucket = aws_s3_bucket.data_bucket.id + block_public_acls = true + block_public_policy = true + ignore_public_acls = true + restrict_public_buckets = true } ##create an event for SNS @@ -39,8 +43,8 @@ resource "aws_s3_bucket_notification" "bucket_notification" { bucket = aws_s3_bucket.data_bucket.id topic { - topic_arn = module.data-bucket-queue.data-bucket_name - events = ["s3:ObjectCreated:Put", "s3:ObjectCreated:Post", "s3:ObjectCreated:Copy", "s3:ObjectCreated:CompleteMultipartUpload" ] + topic_arn = module.data-bucket-queue.data-bucket_name + events = ["s3:ObjectCreated:Put", "s3:ObjectCreated:Post", "s3:ObjectCreated:Copy", "s3:ObjectCreated:CompleteMultipartUpload"] } } @@ -70,23 +74,23 @@ resource "aws_s3_bucket_lifecycle_configuration" "log_bucket" { bucket = aws_s3_bucket.log_bucket.bucket rule { - status = "Enabled" - id = "log" + status = "Enabled" + id = "log" - filter { - and { - prefix = "/" + filter { + and { + prefix = "/" - tags = { - rule = "log" - autoclean = "true" - } + tags = { + rule = "log" + autoclean = "true" } } + } - expiration { - days = 120 - } + expiration { + days = 120 + } } } 
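Review bot: `ignore_changes = all` on `aws_s3_bucket_server_side_encryption_configuration "data_bucket"` tells Terraform to stop reconciling the bucket's encryption settings after creation, so if the SSE rule is weakened or removed outside Terraform, `plan` never surfaces it and `apply` never restores the `AES256` default; the same block is added to the kube bucket's encryption configuration in a later patch of this series. Narrow it to the specific attribute that is drifting and add a comment naming the cause, or drop the lifecycle block and fix the drift source, so the encryption setting stays enforced by code. The commit message speaks of ignoring lifecycle changes for buckets, but the block sits on the encryption resource rather than the bucket, so the intent is worth stating in a comment such as `# NOTE: ignore_changes here means encryption drift is no longer corrected by terraform`.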
@@ -102,7 +106,7 @@ resource "aws_s3_bucket_public_access_block" "data_bucket_logs_privacy" { ## We want could trail to put additional logs in this log bucket resource "aws_s3_bucket_policy" "log_bucket_writer_by_ct" { bucket = aws_s3_bucket.log_bucket.id - policy =< Date: Thu, 23 May 2024 17:07:04 -0400 Subject: [PATCH 15/20] Got to ignore the kube_bucket too --- tf_files/aws/commons/kube.tf | 54 +++++++++++++++++++----------------- 1 file changed, 29 insertions(+), 25 deletions(-) diff --git a/tf_files/aws/commons/kube.tf b/tf_files/aws/commons/kube.tf index 2e2cc7e0..ef18652a 100644 --- a/tf_files/aws/commons/kube.tf +++ b/tf_files/aws/commons/kube.tf @@ -19,7 +19,7 @@ resource "aws_db_instance" "db_fence" { db_subnet_group_name = aws_db_subnet_group.private_group.id vpc_security_group_ids = [module.cdis_vpc.security_group_local_id] allow_major_version_upgrade = var.fence_allow_major_version_upgrade - final_snapshot_identifier = "${replace(var.vpc_name,"_", "-")}-fencedb" + final_snapshot_identifier = "${replace(var.vpc_name, "_", "-")}-fencedb" maintenance_window = var.fence_maintenance_window backup_retention_period = var.fence_backup_retention_period backup_window = var.fence_backup_window @@ -29,9 +29,9 @@ resource "aws_db_instance" "db_fence" { max_allocated_storage = var.fence_max_allocated_storage tags = { - Environment = var.vpc_name - Organization = var.organization_name - } + Environment = var.vpc_name + Organization = var.organization_name + } lifecycle { prevent_destroy = true 
@@ -56,7 +56,7 @@ resource "aws_db_instance" "db_sheepdog" { db_subnet_group_name = aws_db_subnet_group.private_group.id vpc_security_group_ids = [module.cdis_vpc.security_group_local_id] allow_major_version_upgrade = var.sheepdog_allow_major_version_upgrade - final_snapshot_identifier = "${replace(var.vpc_name,"_", "-")}-sheepdogdb" + final_snapshot_identifier = "${replace(var.vpc_name, "_", "-")}-sheepdogdb" maintenance_window = var.sheepdog_maintenance_window backup_retention_period = var.sheepdog_backup_retention_period backup_window = var.sheepdog_backup_window @@ -66,8 +66,8 @@ resource "aws_db_instance" "db_sheepdog" { max_allocated_storage = var.sheepdog_max_allocated_storage tags = { - Environment = var.vpc_name - Organization = var.organization_name + Environment = var.vpc_name + Organization = var.organization_name } lifecycle { @@ -93,7 +93,7 @@ resource "aws_db_instance" "db_indexd" { db_subnet_group_name = aws_db_subnet_group.private_group.id vpc_security_group_ids = [module.cdis_vpc.security_group_local_id] allow_major_version_upgrade = var.indexd_allow_major_version_upgrade - final_snapshot_identifier = "${replace(var.vpc_name,"_", "-")}-indexddb" + final_snapshot_identifier = "${replace(var.vpc_name, "_", "-")}-indexddb" maintenance_window = var.indexd_maintenance_window backup_retention_period = var.indexd_backup_retention_period backup_window = var.indexd_backup_window @@ -103,8 +103,8 @@ resource "aws_db_instance" "db_indexd" { max_allocated_storage = var.indexd_max_allocated_storage tags = { - Environment = var.vpc_name - Organization = var.organization_name + Environment = var.vpc_name + Organization = var.organization_name } lifecycle { 
@@ -118,7 +118,7 @@ resource "aws_db_instance" "db_indexd" { # and https://www.postgresql.org/docs/9.6/static/runtime-config-query.html#RUNTIME-CONFIG-QUERY-ENABLE # for detail parameter descriptions locals { - pg_family_version = replace( var.engine_version ,"/\\.[0-9]/", "" ) + pg_family_version = replace(var.engine_version, "/\\.[0-9]/", "") } resource "aws_db_parameter_group" "rds-cdis-pg" { @@ -164,38 +164,42 @@ resource "aws_db_parameter_group" "rds-cdis-pg" { } lifecycle { - ignore_changes = all + ignore_changes = all } } resource "aws_kms_key" "kube_key" { - description = "encryption/decryption key for kubernete" - enable_key_rotation = true + description = "encryption/decryption key for kubernete" + enable_key_rotation = true tags = { - Environment = var.vpc_name - Organization = var.organization_name + Environment = var.vpc_name + Organization = var.organization_name } } resource "aws_kms_alias" "kube_key" { - name = "alias/${var.vpc_name}-k8s" - target_key_id = aws_kms_key.kube_key.key_id + name = "alias/${var.vpc_name}-k8s" + target_key_id = aws_kms_key.kube_key.key_id } resource "aws_key_pair" "automation_dev" { - key_name = "${var.vpc_name}_automation_dev" - public_key = var.kube_ssh_key + key_name = "${var.vpc_name}_automation_dev" + public_key = var.kube_ssh_key } resource "aws_s3_bucket" "kube_bucket" { # S3 buckets are in a global namespace, so dns style naming - bucket = "kube-${replace(var.vpc_name,"_", "-")}-gen3" + bucket = "kube-${replace(var.vpc_name, "_", "-")}-gen3" + + lifecycle { + ignore_changes = all + } tags = { - Name = "kube-${replace(var.vpc_name,"_", "-")}-gen3" - Environment = var.vpc_name - Organization = var.organization_name + Name = "kube-${replace(var.vpc_name, "_", "-")}-gen3" + Environment = var.vpc_name + Organization = var.organization_name } lifecycle { 
@@ -233,7 +237,7 @@ resource "aws_s3_bucket_public_access_block" "kube_bucket_privacy" { # modify the permissions there as necessary. Ugh. data "aws_iam_policy_document" "configbucket_reader" { statement { - actions = ["s3:Get*","s3:List*"] + actions = ["s3:Get*", "s3:List*"] effect = "Allow" resources = ["arn:aws:s3:::${var.users_bucket_name}", "arn:aws:s3:::${var.users_bucket_name}/${var.config_folder}/*", "arn:aws:s3:::qualys-agentpackage", "arn:aws:s3:::qualys-agentpackage/*"] } From 2132d56df28c0a34a8bc4037acabf0b7447938f3 Mon Sep 17 00:00:00 2001 From: Aidan Hilt Date: Thu, 23 May 2024 17:09:48 -0400 Subject: [PATCH 16/20] That was embarassing --- tf_files/aws/commons/kube.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tf_files/aws/commons/kube.tf b/tf_files/aws/commons/kube.tf index ef18652a..f8196a94 100644 --- a/tf_files/aws/commons/kube.tf +++ b/tf_files/aws/commons/kube.tf @@ -192,10 +192,6 @@ resource "aws_s3_bucket" "kube_bucket" { # S3 buckets are in a global namespace, so dns style naming bucket = "kube-${replace(var.vpc_name, "_", "-")}-gen3" - lifecycle { - ignore_changes = all - } - tags = { Name = "kube-${replace(var.vpc_name, "_", "-")}-gen3" Environment = var.vpc_name @@ -216,6 +212,10 @@ resource "aws_s3_bucket" "kube_bucket" { resource "aws_s3_bucket_server_side_encryption_configuration" "kube_bucket" { bucket = aws_s3_bucket.kube_bucket.bucket + lifecycle { + ignore_changes = all + } + rule { apply_server_side_encryption_by_default { sse_algorithm = "AES256" From 1991fe4c4452e399a541a22eacc44fcce0492049 Mon Sep 17 00:00:00 2001 From: Aidan Hilt Date: Tue, 28 May 2024 13:20:30 -0400 Subject: [PATCH 17/20] Updating the karpenter Helm chart version --- tf_files/aws/generic_commons/root.tf | 56 ++++++++++++++-------------- 1 file changed, 28 insertions(+), 28 deletions(-) diff --git a/tf_files/aws/generic_commons/root.tf b/tf_files/aws/generic_commons/root.tf index 0e07d009..726ff9d1 100644 
--- a/tf_files/aws/generic_commons/root.tf +++ b/tf_files/aws/generic_commons/root.tf @@ -5,14 +5,14 @@ terraform { } required_providers { kubectl = { - source = "gavinbunney/kubectl" + source = "gavinbunney/kubectl" } } } provider "aws" { profile = "cdistest" - region = var.region + region = var.region } provider "kubernetes" { @@ -57,7 +57,7 @@ provider "kubectl" { locals { - azs = slice(data.aws_availability_zones.available.names, 0, 3) + azs = slice(data.aws_availability_zones.available.names, 0, 3) tags = { Name = var.vpc_name @@ -155,7 +155,7 @@ module "eks" { ################################################################################ module "karpenter" { - source = "terraform-aws-modules/eks/aws//modules/karpenter" + source = "terraform-aws-modules/eks/aws//modules/karpenter" cluster_name = module.eks.cluster_name irsa_oidc_provider_arn = module.eks.oidc_provider_arn @@ -176,7 +176,7 @@ resource "helm_release" "karpenter" { repository_username = data.aws_ecrpublic_authorization_token.token.user_name repository_password = data.aws_ecrpublic_authorization_token.token.password chart = "karpenter" - version = "v0.21.1" + version = "v0.27.0" set { name = "settings.aws.clusterName" 
@@ -291,14 +291,14 @@ module "vpc" { name = var.vpc_name cidr = var.vpc_cidr - azs = local.azs - private_subnets = [for k, v in local.azs : cidrsubnet(var.vpc_cidr, 2, k)] - public_subnets = [for k, v in local.azs : cidrsubnet(var.vpc_cidr, 8, k + 192)] - intra_subnets = [for k, v in local.azs : cidrsubnet(var.vpc_cidr, 8, k + 195)] - database_subnets = [cidrsubnet(var.vpc_cidr, 8, 198)] - create_database_subnet_group = false + azs = local.azs + private_subnets = [for k, v in local.azs : cidrsubnet(var.vpc_cidr, 2, k)] + public_subnets = [for k, v in local.azs : cidrsubnet(var.vpc_cidr, 8, k + 192)] + intra_subnets = [for k, v in local.azs : cidrsubnet(var.vpc_cidr, 8, k + 195)] + database_subnets = [cidrsubnet(var.vpc_cidr, 8, 198)] + create_database_subnet_group = false + - enable_nat_gateway = true single_nat_gateway = true @@ -324,7 +324,7 @@ module "vpc" { resource "aws_db_subnet_group" "database" { name = "${var.vpc_name}-subnet-group" description = "Database subnet group for ${var.vpc_name}" - subnet_ids = [ module.vpc.database_subnets[0], module.vpc.intra_subnets[0], module.vpc.intra_subnets[1] ] + subnet_ids = [module.vpc.database_subnets[0], module.vpc.intra_subnets[0], module.vpc.intra_subnets[1]] tags = local.tags } @@ -333,12 +333,12 @@ resource "aws_db_subnet_group" "database" { module "es" { source = "git::git@github.com:uc-cdis/cloud-automation.git//tf_files-1.0/aws/commons_vpc_es?ref=44404bf7b3a68c2eff31972a4de3b2d987d7a142" - vpc_name = var.vpc_name + vpc_name = var.vpc_name es_linked_role = false depends_on = [ module.vpc, aws_cloudwatch_log_group.main_log_group - ] + ] } resource "aws_iam_user" "es_user" { @@ -350,11 +350,11 @@ resource "aws_iam_user" "es_user" { } resource "aws_iam_access_key" "es_user_key" { - user = "${aws_iam_user.es_user.name}" + user = aws_iam_user.es_user.name } resource "aws_cloudwatch_log_group" "main_log_group" { - name = "${var.vpc_name}" + name = var.vpc_name retention_in_days = "1827" tags = { 
@@ -367,13 +367,13 @@ resource "aws_cloudwatch_log_group" "main_log_group" { module "aurora_postgresql_v2" { source = "terraform-aws-modules/rds-aurora/aws" - name = "${var.vpc_name}-postgres-cluster" - engine = data.aws_rds_engine_version.postgresql.engine - engine_mode = "provisioned" - engine_version = data.aws_rds_engine_version.postgresql.version - storage_encrypted = true - master_username = "postgres" - master_password = random_password.master.result + name = "${var.vpc_name}-postgres-cluster" + engine = data.aws_rds_engine_version.postgresql.engine + engine_mode = "provisioned" + engine_version = data.aws_rds_engine_version.postgresql.version + storage_encrypted = true + master_username = "postgres" + master_password = random_password.master.result manage_master_user_password = false vpc_id = module.vpc.vpc_id @@ -414,9 +414,9 @@ resource "random_password" "master" { resource "null_resource" "kubeconfig" { provisioner "local-exec" { - command = "aws eks update-kubeconfig --name ${module.eks.cluster_name} --region ${var.region}" + command = "aws eks update-kubeconfig --name ${module.eks.cluster_name} --region ${var.region}" } - depends_on = [ module.eks ] + depends_on = [module.eks] } resource "aws_iam_role" "aws_load_balancer_controller" { @@ -439,7 +439,7 @@ resource "null_resource" "aws_load_balancer_controller" { provisioner "local-exec" { command = "kubectl apply -k \"github.com/aws/eks-charts/stable/aws-load-balancer-controller/crds?ref=master\" && kubectl create sa aws-load-balancer-controller -n kube-system && kubectl annotate sa -n kube-system aws-load-balancer-controller eks.amazonaws.com/role-arn=${aws_iam_role.aws_load_balancer_controller.arn}" } - depends_on = [ + depends_on = [ module.eks, aws_iam_role.aws_load_balancer_controller ] @@ -477,7 +477,7 @@ resource "helm_release" "aws_load_balancer_controller" { value = "aws-load-balancer-controller" } - depends_on = [ + depends_on = [ module.eks, null_resource.aws_load_balancer_controller ] 
From 4ee968e94fd202b3cf50ad0d69042d2e766fe283 Mon Sep 17 00:00:00 2001 From: Aidan Hilt Date: Tue, 28 May 2024 15:47:39 -0400 Subject: [PATCH 18/20] Silly syntax error --- tf_files/aws/opensearch-iam-role/data.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tf_files/aws/opensearch-iam-role/data.tf b/tf_files/aws/opensearch-iam-role/data.tf index 80ade604..be3dd7c7 100644 --- a/tf_files/aws/opensearch-iam-role/data.tf +++ b/tf_files/aws/opensearch-iam-role/data.tf @@ -17,7 +17,7 @@ data "aws_iam_policy_document" "opensearch_assume_role" { condition { test = "StringLike" - variable = "${locals.oidc_url}:sub" + variable = "${local.oidc_url}:sub" values = ["system:serviceaccount:*:es-proxy"] } From 428f5f49b6e5a61fbe4357293a4c6743fe80f8ae Mon Sep 17 00:00:00 2001 From: Aidan Hilt Date: Tue, 28 May 2024 15:53:35 -0400 Subject: [PATCH 19/20] More silly syntax stuff --- tf_files/aws/opensearch-iam-role/root.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tf_files/aws/opensearch-iam-role/root.tf b/tf_files/aws/opensearch-iam-role/root.tf index 6526546c..ed6986e9 100644 --- a/tf_files/aws/opensearch-iam-role/root.tf +++ b/tf_files/aws/opensearch-iam-role/root.tf @@ -9,6 +9,6 @@ resource "aws_iam_policy" "opensearch_iam_role_policy" { } resource "aws_iam_role_policy_attachment" "opensearch" { - role = aws_iam_role.opensearch_iam_role + role = aws_iam_role.opensearch_iam_role.name policy_arn = aws_iam_policy.opensearch_iam_role_policy.arn } From a73e2950414fa71694bacaec8de06770d9d08421 Mon Sep 17 00:00:00 2001 From: Aidan Hilt Date: Tue, 4 Jun 2024 16:05:06 -0400 Subject: [PATCH 20/20] We need access the /*, not --- tf_files/aws/opensearch-iam-role/data.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tf_files/aws/opensearch-iam-role/data.tf b/tf_files/aws/opensearch-iam-role/data.tf index be3dd7c7..93db370f 100644 --- a/tf_files/aws/opensearch-iam-role/data.tf +++ b/tf_files/aws/opensearch-iam-role/data.tf 
@@ -5,7 +5,7 @@ locals {
 data "aws_iam_policy_document" "opensearch_cluster_access" {
 statement {
 actions = ["es:*"]
- resources = ["${var.opensearch_cluster_arn}"]
+ resources = ["${var.opensearch_cluster_arn}/*"]
 effect = "Allow"
 }
 }