From ca8207f8a00cdd8eee8c6aa465f6e7df29617fbb Mon Sep 17 00:00:00 2001
From: Bryant Biggs
Date: Mon, 24 Jul 2023 19:23:31 -0400
Subject: [PATCH] chore: Remove remaining modules from project, update workflows now that modules are removed
---
.github/workflows/pre-commit.yml | 66 +-------------
.pre-commit-config.yaml | 11 +--
examples/fully-private-cluster/main.tf | 40 +++-----
modules/irsa/README.md | 75 ---------------
modules/irsa/main.tf | 91 -------------------
modules/irsa/outputs.tf | 19 ----
modules/irsa/variables.tf | 73 ---------------
modules/irsa/versions.tf | 14 ---
.../kubernetes-addons/helm-addon/README.md | 57 ------------
modules/kubernetes-addons/helm-addon/main.tf | 81 -----------------
.../kubernetes-addons/helm-addon/outputs.tf | 24 -----
.../kubernetes-addons/helm-addon/variables.tf | 39 --------
.../kubernetes-addons/helm-addon/versions.tf | 10 --
tfsec.yaml | 8 --
14 files changed, 17 insertions(+), 591 deletions(-)
delete mode 100644 modules/irsa/README.md
delete mode 100644 modules/irsa/main.tf
delete mode 100644 modules/irsa/outputs.tf
delete mode 100644 modules/irsa/variables.tf
delete mode 100644 modules/irsa/versions.tf
delete mode 100644 modules/kubernetes-addons/helm-addon/README.md
delete mode 100644 modules/kubernetes-addons/helm-addon/main.tf
delete mode 100644 modules/kubernetes-addons/helm-addon/outputs.tf
delete mode 100644 modules/kubernetes-addons/helm-addon/variables.tf
delete mode 100644 modules/kubernetes-addons/helm-addon/versions.tf
delete mode 100644 tfsec.yaml
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
index 834f6350ec..d83a821639 100644
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -60,9 +60,6 @@ jobs: - uses: dorny/paths-filter@v2 id: changes with: - # We only need to check Terraform files for the current directory - # because the `preCommitMaxVersion` job will run the full, - # exhaustive checks (always) filters: | src: - '${{ matrix.directory }}/*.tf' 
@@ -87,71 +84,10 @@ jobs: directory: ${{ matrix.directory }} - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }} - uses: clowdhaus/terraform-composite-actions/pre-commit@v1.8.3 - # Run only validate pre-commit check on min version supported - if: ${{ matrix.directory != '.' && steps.changes.outputs.src== 'true' }} - with: - terraform-version: ${{ steps.minMax.outputs.minVersion }} - tflint-version: ${{ env.TFLINT_VERSION }} - args: 'terraform_validate --color=always --show-diff-on-failure --files ${{ matrix.directory }}/*' - - - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }} - uses: clowdhaus/terraform-composite-actions/pre-commit@v1.8.3 - # Run only validate pre-commit check on min version supported - if: ${{ matrix.directory == '.' && steps.changes.outputs.src== 'true' }} - with: - terraform-version: ${{ steps.minMax.outputs.minVersion }} - tflint-version: ${{ env.TFLINT_VERSION }} - args: 'terraform_validate --color=always --show-diff-on-failure --files $(ls *.tf)' - - preCommitMaxVersion: - name: Max TF pre-commit - runs-on: ubuntu-latest - needs: collectInputs - steps: - - name: Harden Runner - uses: step-security/harden-runner@v2 - with: - egress-policy: audit - - - name: Remove default Terraform - run: rm -rf $(which terraform) - - - name: Checkout - uses: actions/checkout@v3 - - - uses: dorny/paths-filter@v2 - id: changes - with: - filters: | - src: - - '**/*.tf' - - - name: Config Terraform plugin cache - if: steps.changes.outputs.src== 'true' - run: mkdir --parents ${{ env.TERRAFORM_DOCS_VERSION }} - - - name: Cache Terraform - uses: actions/cache@v3 - if: steps.changes.outputs.src== 'true' - with: - path: ${{ env.TF_PLUGIN_CACHE_DIR }} - key: ${{ runner.os }}-terraform-${{ hashFiles('**/.terraform.lock.hcl') }} - restore-keys: ${{ runner.os }}-terraform- - - - name: Install tfsec - if: steps.changes.outputs.src== 'true' - run: curl -sSLo ./tfsec https://github.com/aquasecurity/tfsec/releases/download/${{ 
env.TFSEC_VERSION }}/tfsec-$(uname)-amd64 && chmod +x tfsec && sudo mv tfsec /usr/bin/ - - - name: Terraform min/max versions - id: minMax - uses: clowdhaus/terraform-min-max@v1.2.7 - if: steps.changes.outputs.src== 'true' - - - name: Pre-commit Terraform ${{ steps.minMax.outputs.maxVersion }} uses: clowdhaus/terraform-composite-actions/pre-commit@v1.8.3 if: steps.changes.outputs.src== 'true' with: terraform-version: ${{ steps.minMax.outputs.maxVersion }} terraform-docs-version: ${{ env.TERRAFORM_DOCS_VERSION }} tflint-version: ${{ env.TFLINT_VERSION }} + args: '--files ${{ matrix.directory }}/*' diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 08b92035ba..6c01aee6e1 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -32,9 +32,8 @@ repos: - '--args=--only=terraform_standard_module_structure' - '--args=--only=terraform_workspace_remote' - id: terraform_validate - exclude: docs - # - id: terraform_tfsec - # files: ^examples/ # only scan `examples/*` which are the implementation - # args: - # - --args=--config-file=__GIT_WORKING_DIR__/tfsec.yaml - # - --args=--concise-output + exclude: (docs|modules) + - id: terraform_tfsec + args: + - --args=--config-file=__GIT_WORKING_DIR__/tfsec.yaml + - --args=--concise-output diff --git a/examples/fully-private-cluster/main.tf b/examples/fully-private-cluster/main.tf index 7490e5e534..20ae9ef062 100644 --- a/examples/fully-private-cluster/main.tf +++ b/examples/fully-private-cluster/main.tf 
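Review bot: This hunk deletes the `Install tfsec` step along with the whole `preCommitMaxVersion` job, yet the companion hunk in `.pre-commit-config.yaml` re-enables the `terraform_tfsec` hook, so the surviving per-directory `Pre-commit Terraform` step will run that hook without a tfsec binary unless `clowdhaus/terraform-composite-actions/pre-commit@v1.8.3` provisions it itself, which I cannot confirm from here. Either keep the curl install in the remaining job (it still needs `TFSEC_VERSION` from `env`, defined above this hunk) or verify the composite action covers it before merging. The new `args: '--files ${{ matrix.directory }}/*'` also drops the special case the removed min-version step had for `matrix.directory == '.'` (`$(ls *.tf)`); if `.` is still produced by `collectInputs`, `./*` expands to top-level directories as well as files, and as far as I can tell pre-commit's `--files` ignores paths that are not tracked files, so the root module would go unchecked. The enclosing job definition starts above this hunk.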
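Review bot: The re-enabled `terraform_tfsec` hook passes `--args=--config-file=__GIT_WORKING_DIR__/tfsec.yaml`, but this same commit deletes `tfsec.yaml` (diffstat and the last hunk), so the argument points at a file that no longer exists; depending on the tfsec version this either aborts the hook or runs with none of the documented exclusions, at which point the previously suppressed findings such as `aws-eks-no-public-cluster-access` start failing the examples. Either keep `tfsec.yaml` or drop the `--config-file` line and decide explicitly which findings the examples accept. Separately, `exclude: (docs|modules)` on `terraform_validate` is an unanchored regex and therefore also skips any path merely containing those substrings; `exclude: ^(docs|modules)/` states the intent precisely.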
@@ -77,39 +77,21 @@ module "vpc" { tags = local.tags } -module "vpc_endpoints_sg" { - source = "terraform-aws-modules/security-group/aws" - version = "~> 5.0" - - name = "${local.name}-vpc-endpoints" - description = "Security group for VPC endpoint access" - vpc_id = module.vpc.vpc_id - - ingress_with_cidr_blocks = [ - { - rule = "https-443-tcp" - description = "VPC CIDR HTTPS" - cidr_blocks = join(",", module.vpc.private_subnets_cidr_blocks) - }, - ] - - egress_with_cidr_blocks = [ - { - rule = "https-443-tcp" - description = "All egress HTTPS" - cidr_blocks = "0.0.0.0/0" - }, - ] - - tags = local.tags -} - module "vpc_endpoints" { source = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints" version = "~> 5.0" - vpc_id = module.vpc.vpc_id - security_group_ids = [module.vpc_endpoints_sg.security_group_id] + vpc_id = module.vpc.vpc_id + + # Security group + create_security_group = true + security_group_name_prefix = "${local.name}-vpc-endpoints-" + security_group_rules = { + ingress_https = { + description = "HTTPS from VPC" + cidr_blocks = [module.vpc.private_subnets_cidr_blocks] + } + } endpoints = merge({ s3 = { diff --git a/modules/irsa/README.md b/modules/irsa/README.md deleted file mode 100644 index f3a3d49e0c..0000000000 --- a/modules/irsa/README.md +++ /dev/null 
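Review bot: `cidr_blocks = [module.vpc.private_subnets_cidr_blocks]` wraps a value that is already a list (the removed `vpc_endpoints_sg` block had to `join(",", ...)` it) inside another list, giving `list(list(string))`; the `aws_security_group_rule` underneath expects `list(string)`, so this should read `cidr_blocks = module.vpc.private_subnets_cidr_blocks` unless the vpc-endpoints module flattens the value, which I cannot see from here. The old security group also carried a `description` and an explicit HTTPS egress rule to `0.0.0.0/0`; if the module-managed group ends up with no egress rules that is an acceptable tightening for endpoint ENIs, but it deserves a comment next to `create_security_group = true`, e.g. `# No egress rules on purpose: endpoint ENIs only need inbound HTTPS from the VPC`, so the change reads as intentional rather than an omission. The `module "vpc"` block whose closing lines open this hunk starts above it.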
@@ -1,75 +0,0 @@ -# IRSA (IAM roles for Kubernetes Service Accounts) - -This Terraform module creates the following resources - -1. Kubernetes Namespace for Kubernetes Addon -2. Service Account for Kubernetes Addon -3. IAM Role for Service Account with OIDC assume role policy -4. Creates default policy required for Addon -5. Attaches the additional IAM policies provided by consumer module - -## Learn more - -## Blogs - -- [Introducing fine-grained IAM roles for service accounts](https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/) -- [Cross account IAM roles for Kubernetes service accounts](https://aws.amazon.com/blogs/containers/cross-account-iam-roles-for-kubernetes-service-accounts/) -- [Enabling cross-account access to Amazon EKS cluster resources](https://aws.amazon.com/blogs/containers/enabling-cross-account-access-to-amazon-eks-cluster-resources/) - - -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.0.0 | -| [aws](#requirement\_aws) | >= 3.72 | -| [kubernetes](#requirement\_kubernetes) | >= 2.10 | - -## Providers - -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | >= 3.72 | -| [kubernetes](#provider\_kubernetes) | >= 2.10 | - -## Modules - -No modules. 
- -## Resources - -| Name | Type | -|------|------| -| [aws_iam_role.irsa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role_policy_attachment.irsa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [kubernetes_namespace_v1.irsa](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace_v1) | resource | -| [kubernetes_secret_v1.irsa](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret_v1) | resource | -| [kubernetes_service_account_v1.irsa](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service_account_v1) | resource | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [create\_kubernetes\_namespace](#input\_create\_kubernetes\_namespace) | Should the module create the namespace | `bool` | `true` | no | -| [create\_kubernetes\_service\_account](#input\_create\_kubernetes\_service\_account) | Should the module create the Service Account | `bool` | `true` | no | -| [create\_service\_account\_secret\_token](#input\_create\_service\_account\_secret\_token) | Should the module create a secret for the service account (from k8s version 1.24 service account doesn't automatically create secret of the token) | `bool` | `false` | no | -| [eks\_cluster\_id](#input\_eks\_cluster\_id) | EKS Cluster ID | `string` | n/a | yes | -| [eks\_oidc\_provider\_arn](#input\_eks\_oidc\_provider\_arn) | EKS OIDC Provider ARN e.g., arn:aws:iam:::oidc-provider/ | `string` | n/a | yes | -| [irsa\_iam\_permissions\_boundary](#input\_irsa\_iam\_permissions\_boundary) | IAM permissions boundary for IRSA roles | `string` | `""` | no | -| [irsa\_iam\_policies](#input\_irsa\_iam\_policies) | IAM Policies for IRSA IAM role | `list(string)` | `[]` | no | -| 
[irsa\_iam\_role\_name](#input\_irsa\_iam\_role\_name) | IAM role name for IRSA | `string` | `""` | no | -| [irsa\_iam\_role\_path](#input\_irsa\_iam\_role\_path) | IAM role path for IRSA roles | `string` | `"/"` | no | -| [kubernetes\_namespace](#input\_kubernetes\_namespace) | Kubernetes Namespace name | `string` | n/a | yes | -| [kubernetes\_service\_account](#input\_kubernetes\_service\_account) | Kubernetes Service Account Name | `string` | n/a | yes | -| [kubernetes\_svc\_image\_pull\_secrets](#input\_kubernetes\_svc\_image\_pull\_secrets) | list(string) of kubernetes imagePullSecrets | `list(string)` | `[]` | no | -| [tags](#input\_tags) | Additional tags (e.g. `map('BusinessUnit`,`XYZ`) | `map(string)` | `{}` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| [irsa\_iam\_role\_arn](#output\_irsa\_iam\_role\_arn) | IAM role ARN for your service account | -| [irsa\_iam\_role\_name](#output\_irsa\_iam\_role\_name) | IAM role name for your service account | -| [namespace](#output\_namespace) | IRSA Namespace | -| [service\_account](#output\_service\_account) | IRSA Service Account | - diff --git a/modules/irsa/main.tf b/modules/irsa/main.tf deleted file mode 100644 index f7f2ed785a..0000000000 --- a/modules/irsa/main.tf +++ /dev/null 
@@ -1,91 +0,0 @@ -locals { - eks_oidc_issuer_url = replace(var.eks_oidc_provider_arn, "/^(.*provider/)/", "") -} - -resource "kubernetes_namespace_v1" "irsa" { - count = var.create_kubernetes_namespace && var.kubernetes_namespace != "kube-system" ? 1 : 0 - metadata { - name = var.kubernetes_namespace - } - - timeouts { - delete = "15m" - } - - lifecycle { - ignore_changes = [ - metadata[0].labels, - metadata[0].annotations, - ] - } -} - -resource "kubernetes_secret_v1" "irsa" { - count = var.create_kubernetes_service_account && var.create_service_account_secret_token ? 1 : 0 - metadata { - name = format("%s-token-secret", try(kubernetes_service_account_v1.irsa[0].metadata[0].name, var.kubernetes_service_account)) - namespace = try(kubernetes_namespace_v1.irsa[0].metadata[0].name, var.kubernetes_namespace) - annotations = { - "kubernetes.io/service-account.name" = try(kubernetes_service_account_v1.irsa[0].metadata[0].name, var.kubernetes_service_account) - "kubernetes.io/service-account.namespace" = try(kubernetes_namespace_v1.irsa[0].metadata[0].name, var.kubernetes_namespace) - } - } - - type = "kubernetes.io/service-account-token" -} - -resource "kubernetes_service_account_v1" "irsa" { - count = var.create_kubernetes_service_account ? 1 : 0 - metadata { - name = var.kubernetes_service_account - namespace = try(kubernetes_namespace_v1.irsa[0].metadata[0].name, var.kubernetes_namespace) - annotations = var.irsa_iam_policies != null ? { "eks.amazonaws.com/role-arn" : aws_iam_role.irsa[0].arn } : null - } - - dynamic "image_pull_secret" { - for_each = var.kubernetes_svc_image_pull_secrets != null ? var.kubernetes_svc_image_pull_secrets : [] - content { - name = image_pull_secret.value - } - } - - automount_service_account_token = true -} - -# NOTE: Don't change the condition from StringLike to StringEquals. We are using wild characters for service account hence StringLike is required. -resource "aws_iam_role" "irsa" { - count = var.irsa_iam_policies != null ? 
1 : 0 - - name = try(coalesce(var.irsa_iam_role_name, format("%s-%s-%s", var.eks_cluster_id, trim(var.kubernetes_service_account, "-*"), "irsa")), null) - description = "AWS IAM Role for the Kubernetes service account ${var.kubernetes_service_account}." - assume_role_policy = jsonencode({ - "Version" : "2012-10-17", - "Statement" : [ - { - "Effect" : "Allow", - "Principal" : { - "Federated" : var.eks_oidc_provider_arn - }, - "Action" : "sts:AssumeRoleWithWebIdentity", - "Condition" : { - "StringLike" : { - "${local.eks_oidc_issuer_url}:sub" : "system:serviceaccount:${var.kubernetes_namespace}:${var.kubernetes_service_account}", - "${local.eks_oidc_issuer_url}:aud" : "sts.amazonaws.com" - } - } - } - ] - }) - path = var.irsa_iam_role_path - force_detach_policies = true - permissions_boundary = var.irsa_iam_permissions_boundary - - tags = var.tags -} - -resource "aws_iam_role_policy_attachment" "irsa" { - count = var.irsa_iam_policies != null ? length(var.irsa_iam_policies) : 0 - - policy_arn = var.irsa_iam_policies[count.index] - role = aws_iam_role.irsa[0].name -} diff --git a/modules/irsa/outputs.tf b/modules/irsa/outputs.tf deleted file mode 100644 index 9311a6c055..0000000000 --- a/modules/irsa/outputs.tf +++ /dev/null @@ -1,19 +0,0 @@ -output "irsa_iam_role_arn" { - description = "IAM role ARN for your service account" - value = try(aws_iam_role.irsa[0].arn, null) -} - -output "irsa_iam_role_name" { - description = "IAM role name for your service account" - value = try(aws_iam_role.irsa[0].name, null) -} - -output "namespace" { - description = "IRSA Namespace" - value = try(kubernetes_namespace_v1.irsa[0].id, var.kubernetes_namespace) -} - -output "service_account" { - description = "IRSA Service Account" - value = try(kubernetes_service_account_v1.irsa[0].id, var.kubernetes_service_account) -} diff --git a/modules/irsa/variables.tf b/modules/irsa/variables.tf deleted file mode 100644 index 60bf1fe823..0000000000 --- a/modules/irsa/variables.tf +++ /dev/null 
@@ -1,73 +0,0 @@ -variable "kubernetes_namespace" { - description = "Kubernetes Namespace name" - type = string -} - -variable "create_kubernetes_namespace" { - description = "Should the module create the namespace" - type = bool - default = true -} - -variable "create_kubernetes_service_account" { - description = "Should the module create the Service Account" - type = bool - default = true -} - -variable "create_service_account_secret_token" { - description = "Should the module create a secret for the service account (from k8s version 1.24 service account doesn't automatically create secret of the token)" - type = bool - default = false -} - -variable "kubernetes_service_account" { - description = "Kubernetes Service Account Name" - type = string -} - -variable "kubernetes_svc_image_pull_secrets" { - description = "list(string) of kubernetes imagePullSecrets" - type = list(string) - default = [] -} - -variable "irsa_iam_policies" { - type = list(string) - description = "IAM Policies for IRSA IAM role" - default = [] -} - -variable "irsa_iam_role_name" { - type = string - description = "IAM role name for IRSA" - default = "" -} - -variable "irsa_iam_role_path" { - description = "IAM role path for IRSA roles" - type = string - default = "/" -} - -variable "irsa_iam_permissions_boundary" { - description = "IAM permissions boundary for IRSA roles" - type = string - default = "" -} - -variable "eks_oidc_provider_arn" { - description = "EKS OIDC Provider ARN e.g., arn:aws:iam:::oidc-provider/" - type = string -} - -variable "eks_cluster_id" { - description = "EKS Cluster ID" - type = string -} - -variable "tags" { - description = "Additional tags (e.g. `map('BusinessUnit`,`XYZ`)" - type = map(string) - default = {} -} diff --git a/modules/irsa/versions.tf b/modules/irsa/versions.tf deleted file mode 100644 index d2ddf87cc2..0000000000 --- a/modules/irsa/versions.tf +++ /dev/null 
@@ -1,14 +0,0 @@ -terraform { - required_version = ">= 1.0.0" - - required_providers { - aws = { - source = "hashicorp/aws" - version = ">= 3.72" - } - kubernetes = { - source = "hashicorp/kubernetes" - version = ">= 2.10" - } - } -} diff --git a/modules/kubernetes-addons/helm-addon/README.md b/modules/kubernetes-addons/helm-addon/README.md deleted file mode 100644 index 450840992d..0000000000 --- a/modules/kubernetes-addons/helm-addon/README.md +++ /dev/null 
@@ -1,57 +0,0 @@ -# Helm AddOn - -## Introduction - -Helm Addon module can be used to provision a generic Helm Chart as an Add-On for an EKS cluster provisioned using the EKS Blueprints. This module does the following: - -1. Create an IAM role for Service Accounts with the provided configuration for the [`irsa`](./../../irsa) module. -2. If `manage_via_gitops` is set to `false`, provision the helm chart for the add-on based on the configuration provided for the `helm_config` as defined in the [helm provider](https://registry.terraform.io/providers/hashicorp/helm/latest/docs) documentation. - - -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.0.0 | -| [helm](#requirement\_helm) | >= 2.4.1 | - -## Providers - -| Name | Version | -|------|---------| -| [helm](#provider\_helm) | >= 2.4.1 | - -## Modules - -| Name | Source | Version | -|------|--------|---------| -| [irsa](#module\_irsa) | ../../irsa | n/a | - -## Resources - -| Name | Type | -|------|------| -| [helm_release.addon](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [addon\_context](#input\_addon\_context) | Input configuration for the addon | `any` | n/a | yes | -| [helm\_config](#input\_helm\_config) | Helm chart config. Repository and version required. 
See https://registry.terraform.io/providers/hashicorp/helm/latest/docs | `any` | n/a | yes | -| [irsa\_config](#input\_irsa\_config) | Input configuration for IRSA module | `any` | `{}` | no | -| [irsa\_iam\_role\_name](#input\_irsa\_iam\_role\_name) | IAM role name for IRSA | `string` | `""` | no | -| [manage\_via\_gitops](#input\_manage\_via\_gitops) | Determines if the add-on should be managed via GitOps | `bool` | `false` | no | -| [set\_sensitive\_values](#input\_set\_sensitive\_values) | Forced set\_sensitive values | `any` | `[]` | no | -| [set\_values](#input\_set\_values) | Forced set values | `any` | `[]` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| [helm\_release](#output\_helm\_release) | Map of attributes of the Helm release created without sensitive outputs | -| [irsa\_arn](#output\_irsa\_arn) | IAM role ARN for the service account | -| [irsa\_name](#output\_irsa\_name) | IAM role name for the service account | -| [release\_metadata](#output\_release\_metadata) | Map of attributes of the Helm release metadata | -| [service\_account](#output\_service\_account) | Name of Kubernetes service account | - diff --git a/modules/kubernetes-addons/helm-addon/main.tf b/modules/kubernetes-addons/helm-addon/main.tf deleted file mode 100644 index 34994f7d8f..0000000000 --- a/modules/kubernetes-addons/helm-addon/main.tf +++ /dev/null 
@@ -1,81 +0,0 @@ -resource "helm_release" "addon" { - count = var.manage_via_gitops ? 0 : 1 - name = var.helm_config["name"] - repository = try(var.helm_config["repository"], null) - chart = var.helm_config["chart"] - version = try(var.helm_config["version"], null) - timeout = try(var.helm_config["timeout"], 1200) - values = try(var.helm_config["values"], null) - create_namespace = length(var.irsa_config) > 0 ? false : try(var.helm_config["create_namespace"], false) - namespace = var.helm_config["namespace"] - lint = try(var.helm_config["lint"], false) - description = try(var.helm_config["description"], "") - repository_key_file = try(var.helm_config["repository_key_file"], "") - repository_cert_file = try(var.helm_config["repository_cert_file"], "") - repository_username = try(var.helm_config["repository_username"], "") - repository_password = try(var.helm_config["repository_password"], "") - verify = try(var.helm_config["verify"], false) - keyring = try(var.helm_config["keyring"], "") - disable_webhooks = try(var.helm_config["disable_webhooks"], false) - reuse_values = try(var.helm_config["reuse_values"], false) - reset_values = try(var.helm_config["reset_values"], false) - force_update = try(var.helm_config["force_update"], false) - recreate_pods = try(var.helm_config["recreate_pods"], false) - cleanup_on_fail = try(var.helm_config["cleanup_on_fail"], false) - max_history = try(var.helm_config["max_history"], 0) - atomic = try(var.helm_config["atomic"], false) - skip_crds = try(var.helm_config["skip_crds"], false) - render_subchart_notes = try(var.helm_config["render_subchart_notes"], true) - disable_openapi_validation = try(var.helm_config["disable_openapi_validation"], false) - wait = try(var.helm_config["wait"], true) - wait_for_jobs = try(var.helm_config["wait_for_jobs"], false) - dependency_update = try(var.helm_config["dependency_update"], false) - replace = try(var.helm_config["replace"], false) - - postrender { - binary_path = 
try(var.helm_config["postrender"], "") - } - - dynamic "set" { - iterator = each_item - for_each = try(var.helm_config["set"], null) != null ? distinct(concat(var.set_values, var.helm_config["set"])) : var.set_values - - content { - name = each_item.value.name - value = each_item.value.value - type = try(each_item.value.type, null) - } - } - - dynamic "set_sensitive" { - iterator = each_item - for_each = try(var.helm_config["set_sensitive"], null) != null ? concat(var.helm_config["set_sensitive"], var.set_sensitive_values) : var.set_sensitive_values - - content { - name = each_item.value.name - value = each_item.value.value - type = try(each_item.value.type, null) - } - } - depends_on = [module.irsa] -} - -module "irsa" { - source = "../../irsa" - - count = length(var.irsa_config) > 0 ? 1 : 0 - - create_kubernetes_namespace = try(var.irsa_config.create_kubernetes_namespace, true) - create_kubernetes_service_account = try(var.irsa_config.create_kubernetes_service_account, true) - create_service_account_secret_token = try(var.irsa_config.create_service_account_secret_token, false) - kubernetes_namespace = lookup(var.irsa_config, "kubernetes_namespace", "") - kubernetes_service_account = lookup(var.irsa_config, "kubernetes_service_account", "") - kubernetes_svc_image_pull_secrets = try(var.irsa_config.kubernetes_svc_image_pull_secrets, null) - irsa_iam_policies = lookup(var.irsa_config, "irsa_iam_policies", null) - irsa_iam_role_name = var.irsa_iam_role_name - irsa_iam_role_path = lookup(var.addon_context, "irsa_iam_role_path", null) - irsa_iam_permissions_boundary = lookup(var.addon_context, "irsa_iam_permissions_boundary", null) - eks_cluster_id = var.addon_context.eks_cluster_id - eks_oidc_provider_arn = var.addon_context.eks_oidc_provider_arn - tags = var.addon_context.tags -} diff --git a/modules/kubernetes-addons/helm-addon/outputs.tf b/modules/kubernetes-addons/helm-addon/outputs.tf deleted file mode 100644 index 97124e4a35..0000000000 
--- a/modules/kubernetes-addons/helm-addon/outputs.tf +++ /dev/null @@ -1,24 +0,0 @@ -output "helm_release" { - description = "Map of attributes of the Helm release created without sensitive outputs" - value = try({ for k, v in helm_release.addon : k => v if k != "repository_password" }, {}) -} - -output "release_metadata" { - description = "Map of attributes of the Helm release metadata" - value = try(helm_release.addon[0].metadata, null) -} - -output "irsa_arn" { - description = "IAM role ARN for the service account" - value = try(module.irsa[0].irsa_iam_role_arn, null) -} - -output "irsa_name" { - description = "IAM role name for the service account" - value = try(module.irsa[0].irsa_iam_role_name, null) -} - -output "service_account" { - description = "Name of Kubernetes service account" - value = try(coalesce(try(module.irsa[0].service_account, null), lookup(var.irsa_config, "kubernetes_service_account", null)), null) -} diff --git a/modules/kubernetes-addons/helm-addon/variables.tf b/modules/kubernetes-addons/helm-addon/variables.tf deleted file mode 100644 index d8d706e8fd..0000000000 --- a/modules/kubernetes-addons/helm-addon/variables.tf +++ /dev/null 
@@ -1,39 +0,0 @@ -variable "helm_config" { - description = "Helm chart config. Repository and version required. See https://registry.terraform.io/providers/hashicorp/helm/latest/docs" - type = any -} - -variable "set_values" { - description = "Forced set values" - type = any - default = [] -} - -variable "set_sensitive_values" { - description = "Forced set_sensitive values" - type = any - default = [] -} - -variable "manage_via_gitops" { - description = "Determines if the add-on should be managed via GitOps" - type = bool - default = false -} - -variable "irsa_iam_role_name" { - description = "IAM role name for IRSA" - type = string - default = "" -} - -variable "irsa_config" { - description = "Input configuration for IRSA module" - type = any - default = {} -} - -variable "addon_context" { - description = "Input configuration for the addon" - type = any -} diff --git a/modules/kubernetes-addons/helm-addon/versions.tf b/modules/kubernetes-addons/helm-addon/versions.tf deleted file mode 100644 index 278a4fbb4d..0000000000 --- a/modules/kubernetes-addons/helm-addon/versions.tf +++ /dev/null @@ -1,10 +0,0 @@ -terraform { - required_version = ">= 1.0.0" - - required_providers { - helm = { - source = "hashicorp/helm" - version = ">= 2.4.1" - } - } -} diff --git a/tfsec.yaml b/tfsec.yaml deleted file mode 100644 index 73b3338dc6..0000000000 --- a/tfsec.yaml +++ /dev/null 
@@ -1,8 +0,0 @@ -exclude: - - aws-iam-no-policy-wildcards # Wildcards required in addon IAM policies - - aws-vpc-no-excessive-port-access # VPC settings left up to user implementation for recommended practices - - aws-vpc-no-public-ingress-acl # VPC settings left up to user implementation for recommended practices - - aws-eks-no-public-cluster-access-to-cidr # Public access enabled for better example usability, users are recommended to disable if possible - - aws-eks-no-public-cluster-access # Public access enabled for better example usability, users are recommended to disable if possible - - aws-eks-encrypt-secrets # Module defaults to encrypting secrets with CMK, but this is not hardcoded and therefore a spurious error - - aws-vpc-no-public-egress-sgr # Added in v1.22