Feat/opensearch iam role #22

Merged
merged 22 commits into from
Jul 18, 2024
c123496
Creating a new module that can be used to create an IAM role for acce…
AidanHilt Feb 26, 2024
8b272c4
I think the first draft is finished
AidanHilt Feb 26, 2024
7554f56
Added some needed changes
AidanHilt Feb 27, 2024
19052cc
Just a bunch of stuff for IRSA
AidanHilt Mar 4, 2024
e4e9814
Syntax
AidanHilt Mar 4, 2024
fc42a54
More syntax
AidanHilt Mar 4, 2024
79517a1
Maybe this will work?
AidanHilt Mar 4, 2024
5665318
Removing everything, let's look at the OG error with a fresh pair of …
AidanHilt Mar 4, 2024
0c4ca59
Beginning to think I don't really understand Terraform
AidanHilt Mar 4, 2024
ef35397
If this is it, I'm going to be embarassed
AidanHilt Mar 4, 2024
cc7c111
I think I'm dumb
AidanHilt Mar 4, 2024
7fc7408
Adding OIDC provider ARN output to commons module
AidanHilt Mar 4, 2024
72abcac
Adding the role and policies to terraform, should be able to start te…
AidanHilt May 23, 2024
60a4626
Ignoring lifecycle changes for buckets
AidanHilt May 23, 2024
b5b768d
Got to ignore the kube_bucket too
AidanHilt May 23, 2024
2132d56
That was embarassing
AidanHilt May 23, 2024
1991fe4
Updating the karpenter Helm chart version
AidanHilt May 28, 2024
454299b
Merge branch 'master' of https://github.com/uc-cdis/gen3-terraform in…
AidanHilt May 28, 2024
4ee968e
Silly syntax error
AidanHilt May 28, 2024
428f5f4
More silly syntax stuff
AidanHilt May 28, 2024
a73e295
We need access the <cluster>/*, not <cluster>
AidanHilt Jun 4, 2024
c3ef239
Merge branch 'master' into feat/opensearch-iam-role
AidanHilt Jul 18, 2024
54 changes: 29 additions & 25 deletions tf_files/aws/commons/kube.tf
Expand Up @@ -19,7 +19,7 @@ resource "aws_db_instance" "db_fence" {
db_subnet_group_name = aws_db_subnet_group.private_group.id
vpc_security_group_ids = [module.cdis_vpc.security_group_local_id]
allow_major_version_upgrade = var.fence_allow_major_version_upgrade
final_snapshot_identifier = "${replace(var.vpc_name,"_", "-")}-fencedb"
final_snapshot_identifier = "${replace(var.vpc_name, "_", "-")}-fencedb"
maintenance_window = var.fence_maintenance_window
backup_retention_period = var.fence_backup_retention_period
backup_window = var.fence_backup_window
Expand All @@ -29,9 +29,9 @@ resource "aws_db_instance" "db_fence" {
max_allocated_storage = var.fence_max_allocated_storage

tags = {
Environment = var.vpc_name
Organization = var.organization_name
}
Environment = var.vpc_name
Organization = var.organization_name
}

lifecycle {
prevent_destroy = true
Expand All @@ -56,7 +56,7 @@ resource "aws_db_instance" "db_sheepdog" {
db_subnet_group_name = aws_db_subnet_group.private_group.id
vpc_security_group_ids = [module.cdis_vpc.security_group_local_id]
allow_major_version_upgrade = var.sheepdog_allow_major_version_upgrade
final_snapshot_identifier = "${replace(var.vpc_name,"_", "-")}-sheepdogdb"
final_snapshot_identifier = "${replace(var.vpc_name, "_", "-")}-sheepdogdb"
maintenance_window = var.sheepdog_maintenance_window
backup_retention_period = var.sheepdog_backup_retention_period
backup_window = var.sheepdog_backup_window
Expand All @@ -66,8 +66,8 @@ resource "aws_db_instance" "db_sheepdog" {
max_allocated_storage = var.sheepdog_max_allocated_storage

tags = {
Environment = var.vpc_name
Organization = var.organization_name
Environment = var.vpc_name
Organization = var.organization_name
}

lifecycle {
Expand All @@ -93,7 +93,7 @@ resource "aws_db_instance" "db_indexd" {
db_subnet_group_name = aws_db_subnet_group.private_group.id
vpc_security_group_ids = [module.cdis_vpc.security_group_local_id]
allow_major_version_upgrade = var.indexd_allow_major_version_upgrade
final_snapshot_identifier = "${replace(var.vpc_name,"_", "-")}-indexddb"
final_snapshot_identifier = "${replace(var.vpc_name, "_", "-")}-indexddb"
maintenance_window = var.indexd_maintenance_window
backup_retention_period = var.indexd_backup_retention_period
backup_window = var.indexd_backup_window
Expand All @@ -103,8 +103,8 @@ resource "aws_db_instance" "db_indexd" {
max_allocated_storage = var.indexd_max_allocated_storage

tags = {
Environment = var.vpc_name
Organization = var.organization_name
Environment = var.vpc_name
Organization = var.organization_name
}

lifecycle {
Expand All @@ -118,7 +118,7 @@ resource "aws_db_instance" "db_indexd" {
# and https://www.postgresql.org/docs/9.6/static/runtime-config-query.html#RUNTIME-CONFIG-QUERY-ENABLE
# for detail parameter descriptions
locals {
pg_family_version = replace( var.engine_version ,"/\\.[0-9]/", "" )
pg_family_version = replace(var.engine_version, "/\\.[0-9]/", "")
}

resource "aws_db_parameter_group" "rds-cdis-pg" {
Expand Down Expand Up @@ -164,38 +164,38 @@ resource "aws_db_parameter_group" "rds-cdis-pg" {
}

lifecycle {
ignore_changes = all
ignore_changes = all
}
}

resource "aws_kms_key" "kube_key" {
description = "encryption/decryption key for kubernete"
enable_key_rotation = true
description = "encryption/decryption key for kubernete"
enable_key_rotation = true

tags = {
Environment = var.vpc_name
Organization = var.organization_name
Environment = var.vpc_name
Organization = var.organization_name
}
}

resource "aws_kms_alias" "kube_key" {
name = "alias/${var.vpc_name}-k8s"
target_key_id = aws_kms_key.kube_key.key_id
name = "alias/${var.vpc_name}-k8s"
target_key_id = aws_kms_key.kube_key.key_id
}

resource "aws_key_pair" "automation_dev" {
key_name = "${var.vpc_name}_automation_dev"
public_key = var.kube_ssh_key
key_name = "${var.vpc_name}_automation_dev"
public_key = var.kube_ssh_key
}

resource "aws_s3_bucket" "kube_bucket" {
# S3 buckets are in a global namespace, so dns style naming
bucket = "kube-${replace(var.vpc_name,"_", "-")}-gen3"
bucket = "kube-${replace(var.vpc_name, "_", "-")}-gen3"

tags = {
Name = "kube-${replace(var.vpc_name,"_", "-")}-gen3"
Environment = var.vpc_name
Organization = var.organization_name
Name = "kube-${replace(var.vpc_name, "_", "-")}-gen3"
Environment = var.vpc_name
Organization = var.organization_name
}

lifecycle {
Expand All @@ -212,6 +212,10 @@ resource "aws_s3_bucket" "kube_bucket" {
resource "aws_s3_bucket_server_side_encryption_configuration" "kube_bucket" {
bucket = aws_s3_bucket.kube_bucket.bucket

lifecycle {
ignore_changes = all
}

rule {
apply_server_side_encryption_by_default {
sse_algorithm = "AES256"
Expand All @@ -233,7 +237,7 @@ resource "aws_s3_bucket_public_access_block" "kube_bucket_privacy" {
# modify the permissions there as necessary. Ugh.
data "aws_iam_policy_document" "configbucket_reader" {
statement {
actions = ["s3:Get*","s3:List*"]
actions = ["s3:Get*", "s3:List*"]
effect = "Allow"
resources = ["arn:aws:s3:::${var.users_bucket_name}", "arn:aws:s3:::${var.users_bucket_name}/${var.config_folder}/*", "arn:aws:s3:::qualys-agentpackage", "arn:aws:s3:::qualys-agentpackage/*"]
}
Expand Down
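Review bot: `ignore_changes = all` in the new `lifecycle` block on `aws_s3_bucket_server_side_encryption_configuration.kube_bucket` (the `@@ -212,6 +212,10 @@` hunk) tells Terraform to stop reconciling this bucket's default encryption, so if the AES256 rule is later weakened or removed outside Terraform, `plan` reports no drift and nothing restores it. The commit messages ("Ignoring lifecycle changes for buckets") suggest this was added to silence a perpetual diff; if so, the attribute that actually churns should be listed explicitly (it may be `rule[0].bucket_key_enabled`, which the provider reads back even when unset — confirm from the plan output), e.g. `ignore_changes = [rule[0].bucket_key_enabled]`, so that `sse_algorithm` itself stays enforced. At minimum a comment above the block should record why drift is ignored and that encryption changes on this bucket are no longer managed by this configuration. The resource's `rule` block continues below this hunk.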
21 changes: 17 additions & 4 deletions tf_files/aws/commons/outputs.tf
Expand Up @@ -46,15 +46,28 @@ output "data-bucket_name" {
}

output "kubeconfig" {
value = module.eks[0].kubeconfig
sensitive = true
value = module.eks[0].kubeconfig
sensitive = true
}

output "config_map_aws_auth" {
value = module.eks[0].config_map_aws_auth
sensitive = true
value = module.eks[0].config_map_aws_auth
sensitive = true
}

output "cluster_oidc_provider_url" {
value = module.eks[0].cluster_oidc_provider_url
}

output "cluster_oidc_provider_arn" {
value = module.eks[0].cluster_oidc_provider_arn
}

output "opensearch_cluster_arn" {
value = module.commons_vpc_es[0].es_arn
}


##
# aws_rds_aurora_cluster
##
Expand Down
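Review bot: `module.commons_vpc_es[0].es_arn` in the new `opensearch_cluster_arn` output will make `terraform plan` fail with an index error whenever that module is instantiated with `count = 0` (the `[0]` index implies a counted module; its count expression is outside this diff). If the OpenSearch domain is optional in this root module, guard it: `value = length(module.commons_vpc_es) > 0 ? module.commons_vpc_es[0].es_arn : null` (or `try(module.commons_vpc_es[0].es_arn, null)`) so a consumer building an IAM policy receives `null` instead of a plan failure. The two new OIDC outputs follow the existing `module.eks[0]` pattern used by `kubeconfig`, so they inherit the same behaviour. None of the three values is secret, so leaving them non-sensitive is correct, but each should carry a `description` stating what a consumer is expected to do with it (for example that the OIDC provider ARN is the IRSA trust principal).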
8 changes: 8 additions & 0 deletions tf_files/aws/eks/outputs.tf
Expand Up @@ -5,3 +5,11 @@ output "kubeconfig" {
output "config_map_aws_auth" {
value = module.eks[0].config_map_aws_auth
}

output "cluster_oidc_provider_url" {
value = module.eks[0].cluster_oidc_provider_url
}

output "cluster_oidc_provider_arn" {
value = module.eks[0].cluster_oidc_provider_arn
}
56 changes: 28 additions & 28 deletions tf_files/aws/generic_commons/root.tf
Expand Up @@ -5,14 +5,14 @@ terraform {
}
required_providers {
kubectl = {
source = "gavinbunney/kubectl"
source = "gavinbunney/kubectl"
}
}
}

provider "aws" {
profile = "cdistest"
region = var.region
region = var.region
}

provider "kubernetes" {
Expand Down Expand Up @@ -57,7 +57,7 @@ provider "kubectl" {


locals {
azs = slice(data.aws_availability_zones.available.names, 0, 3)
azs = slice(data.aws_availability_zones.available.names, 0, 3)

tags = {
Name = var.vpc_name
Expand Down Expand Up @@ -155,7 +155,7 @@ module "eks" {
################################################################################

module "karpenter" {
source = "terraform-aws-modules/eks/aws//modules/karpenter"
source = "terraform-aws-modules/eks/aws//modules/karpenter"

cluster_name = module.eks.cluster_name
irsa_oidc_provider_arn = module.eks.oidc_provider_arn
Expand All @@ -176,7 +176,7 @@ resource "helm_release" "karpenter" {
repository_username = data.aws_ecrpublic_authorization_token.token.user_name
repository_password = data.aws_ecrpublic_authorization_token.token.password
chart = "karpenter"
version = "v0.21.1"
version = "v0.27.0"

set {
name = "settings.aws.clusterName"
Expand Down Expand Up @@ -291,14 +291,14 @@ module "vpc" {
name = var.vpc_name
cidr = var.vpc_cidr

azs = local.azs
private_subnets = [for k, v in local.azs : cidrsubnet(var.vpc_cidr, 2, k)]
public_subnets = [for k, v in local.azs : cidrsubnet(var.vpc_cidr, 8, k + 192)]
intra_subnets = [for k, v in local.azs : cidrsubnet(var.vpc_cidr, 8, k + 195)]
database_subnets = [cidrsubnet(var.vpc_cidr, 8, 198)]
create_database_subnet_group = false
azs = local.azs
private_subnets = [for k, v in local.azs : cidrsubnet(var.vpc_cidr, 2, k)]
public_subnets = [for k, v in local.azs : cidrsubnet(var.vpc_cidr, 8, k + 192)]
intra_subnets = [for k, v in local.azs : cidrsubnet(var.vpc_cidr, 8, k + 195)]
database_subnets = [cidrsubnet(var.vpc_cidr, 8, 198)]
create_database_subnet_group = false




enable_nat_gateway = true
single_nat_gateway = true
Expand All @@ -324,7 +324,7 @@ module "vpc" {
resource "aws_db_subnet_group" "database" {
name = "${var.vpc_name}-subnet-group"
description = "Database subnet group for ${var.vpc_name}"
subnet_ids = [ module.vpc.database_subnets[0], module.vpc.intra_subnets[0], module.vpc.intra_subnets[1] ]
subnet_ids = [module.vpc.database_subnets[0], module.vpc.intra_subnets[0], module.vpc.intra_subnets[1]]

tags = local.tags
}
Expand All @@ -333,12 +333,12 @@ resource "aws_db_subnet_group" "database" {
module "es" {
source = "git::[email protected]:uc-cdis/cloud-automation.git//tf_files-1.0/aws/commons_vpc_es?ref=44404bf7b3a68c2eff31972a4de3b2d987d7a142"

vpc_name = var.vpc_name
vpc_name = var.vpc_name
es_linked_role = false
depends_on = [
module.vpc,
aws_cloudwatch_log_group.main_log_group
]
]
}

resource "aws_iam_user" "es_user" {
Expand All @@ -350,11 +350,11 @@ resource "aws_iam_user" "es_user" {
}

resource "aws_iam_access_key" "es_user_key" {
user = "${aws_iam_user.es_user.name}"
user = aws_iam_user.es_user.name
}

resource "aws_cloudwatch_log_group" "main_log_group" {
name = "${var.vpc_name}"
name = var.vpc_name
retention_in_days = "1827"

tags = {
Expand All @@ -367,13 +367,13 @@ resource "aws_cloudwatch_log_group" "main_log_group" {
module "aurora_postgresql_v2" {
source = "terraform-aws-modules/rds-aurora/aws"

name = "${var.vpc_name}-postgres-cluster"
engine = data.aws_rds_engine_version.postgresql.engine
engine_mode = "provisioned"
engine_version = data.aws_rds_engine_version.postgresql.version
storage_encrypted = true
master_username = "postgres"
master_password = random_password.master.result
name = "${var.vpc_name}-postgres-cluster"
engine = data.aws_rds_engine_version.postgresql.engine
engine_mode = "provisioned"
engine_version = data.aws_rds_engine_version.postgresql.version
storage_encrypted = true
master_username = "postgres"
master_password = random_password.master.result
manage_master_user_password = false

vpc_id = module.vpc.vpc_id
Expand Down Expand Up @@ -414,9 +414,9 @@ resource "random_password" "master" {

resource "null_resource" "kubeconfig" {
provisioner "local-exec" {
command = "aws eks update-kubeconfig --name ${module.eks.cluster_name} --region ${var.region}"
command = "aws eks update-kubeconfig --name ${module.eks.cluster_name} --region ${var.region}"
}
depends_on = [ module.eks ]
depends_on = [module.eks]
}

resource "aws_iam_role" "aws_load_balancer_controller" {
Expand All @@ -439,7 +439,7 @@ resource "null_resource" "aws_load_balancer_controller" {
provisioner "local-exec" {
command = "kubectl apply -k \"github.com/aws/eks-charts/stable/aws-load-balancer-controller/crds?ref=master\" && kubectl create sa aws-load-balancer-controller -n kube-system && kubectl annotate sa -n kube-system aws-load-balancer-controller eks.amazonaws.com/role-arn=${aws_iam_role.aws_load_balancer_controller.arn}"
}
depends_on = [
depends_on = [
module.eks,
aws_iam_role.aws_load_balancer_controller
]
Expand Down Expand Up @@ -477,7 +477,7 @@ resource "helm_release" "aws_load_balancer_controller" {
value = "aws-load-balancer-controller"
}

depends_on = [
depends_on = [
module.eks,
null_resource.aws_load_balancer_controller
]
Expand Down
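Review bot: The Karpenter Helm chart is bumped from `v0.21.1` to `v0.27.0` in `helm_release.karpenter` (the `@@ -176,7 +176,7 @@` hunk), but the `karpenter` module it relies on for the controller's IAM policy and IRSA role (`terraform-aws-modules/eks/aws//modules/karpenter`, in the `@@ -155,7 +155,7 @@` hunk) still has no `version` argument, so the permissions granted to the controller come from whatever module release is current at `terraform init` time rather than one validated against this chart. Pin the module with a `version = "..."` matching the release tested with v0.27.0 so the controller's permissions are reviewed alongside the chart upgrade instead of drifting on the next `init -upgrade`. The `settings.aws.*` Helm values still set below the version line are older key names and should be checked against the v0.27.0 chart's values before merge. The rest of this file's diff is `terraform fmt` output with no behavioural change; `helm_release.karpenter`'s body continues outside the hunk.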
4 changes: 4 additions & 0 deletions tf_files/aws/modules/commons-vpc-es/outputs.tf
Expand Up @@ -5,3 +5,7 @@ output "kibana_endpoint" {
output "es_endpoint" {
value = aws_elasticsearch_domain.gen3_metadata.endpoint
}

output "es_arn" {
value = aws_elasticsearch_domain.gen3_metadata.arn
}
18 changes: 13 additions & 5 deletions tf_files/aws/modules/eks/outputs.tf
@@ -1,23 +1,31 @@
output "kubeconfig" {
value = templatefile("${path.module}/kubeconfig.tpl", {vpc_name = var.vpc_name, eks_name = aws_eks_cluster.eks_cluster.id, eks_endpoint = aws_eks_cluster.eks_cluster.endpoint, eks_cert = aws_eks_cluster.eks_cluster.certificate_authority.0.data,})
value = templatefile("${path.module}/kubeconfig.tpl", { vpc_name = var.vpc_name, eks_name = aws_eks_cluster.eks_cluster.id, eks_endpoint = aws_eks_cluster.eks_cluster.endpoint, eks_cert = aws_eks_cluster.eks_cluster.certificate_authority.0.data, })
sensitive = true
}

output "config_map_aws_auth" {
value = local.config-map-aws-auth
value = local.config-map-aws-auth
sensitive = true
}

output "cluster_endpoint" {
value = aws_eks_cluster.eks_cluster.endpoint
value = aws_eks_cluster.eks_cluster.endpoint
sensitive = true
}

output "cluster_certificate_authority_data" {
value = aws_eks_cluster.eks_cluster.certificate_authority.0.data
value = aws_eks_cluster.eks_cluster.certificate_authority.0.data
sensitive = true
}

output "cluster_name" {
value = aws_eks_cluster.eks_cluster.name
}

output "cluster_oidc_provider_url" {
value = aws_eks_cluster.eks_cluster.identity[0].oidc[0].issuer
}

output "cluster_oidc_provider_arn" {
value = aws_iam_openid_connect_provider.identity_provider[0].arn
}
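Review bot: The new `cluster_oidc_provider_url` output exposes `aws_eks_cluster.eks_cluster.identity[0].oidc[0].issuer`, which EKS returns with the `https://` scheme, whereas the `sub`/`aud` condition keys in an IRSA trust policy need the bare issuer host path (`oidc.eks.<region>.amazonaws.com/id/<ID>:sub`); a consumer that plugs this value straight into a condition key gets a trust policy that never matches. Either document this in a `description` (`description = "Cluster OIDC issuer URL, including the https:// scheme; strip the scheme before using it as an IAM condition key"`) or add a second output with the scheme already removed via `replace(..., "https://", "")`. `cluster_oidc_provider_arn` indexes `aws_iam_openid_connect_provider.identity_provider[0]`, so that resource appears to be created with `count` (its definition is outside this diff); if the count can be 0, wrap the value in `try(..., null)` rather than failing the whole module's plan. Both new outputs, like the existing ones in this file, lack a `description`.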