diff --git a/.github/scripts/plan-examples.py b/.github/scripts/plan-examples.py index 1dd0805950..c854baa187 100644 --- a/.github/scripts/plan-examples.py +++ b/.github/scripts/plan-examples.py @@ -10,9 +10,11 @@ def get_examples(): """ exclude = { 'examples/appmesh-mtls', # excluded until Rout53 is setup - 'examples/privatelink-access', 'examples/blue-green-upgrade/environment', - 'examples/blue-green-upgrade/modules/eks_cluster' + 'examples/blue-green-upgrade/modules/eks_cluster', + 'examples/istio-multi-cluster/1.cluster1', # relies on remote state + 'examples/istio-multi-cluster/2.cluster2', # relies on remote state + 'examples/privatelink-access', } projects = { diff --git a/examples/agones-game-controller/main.tf b/examples/agones-game-controller/main.tf index 22c5ea20ed..46b1c4c6fb 100644 --- a/examples/agones-game-controller/main.tf +++ b/examples/agones-game-controller/main.tf @@ -52,10 +52,9 @@ locals { # Cluster ################################################################################ -#tfsec:ignore:aws-eks-enable-control-plane-logging module "eks" { source = "terraform-aws-modules/eks/aws" - version = "~> 19.13" + version = "~> 19.16" cluster_name = local.name cluster_version = local.cluster_version diff --git a/examples/appmesh-mtls/main.tf b/examples/appmesh-mtls/main.tf index 2743ab474f..c085674731 100644 --- a/examples/appmesh-mtls/main.tf +++ b/examples/appmesh-mtls/main.tf @@ -64,10 +64,9 @@ locals { # Cluster ################################################################################ -#tfsec:ignore:aws-eks-enable-control-plane-logging module "eks" { source = "terraform-aws-modules/eks/aws" - version = "~> 19.13" + version = "~> 19.16" cluster_name = local.name cluster_version = "1.27" diff --git a/examples/argocd/main.tf b/examples/argocd/main.tf index 7752ed8a47..20438794d4 100644 --- a/examples/argocd/main.tf +++ b/examples/argocd/main.tf 
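Review bot: The `#tfsec:ignore:aws-eks-enable-control-plane-logging` suppression is dropped from the `module "eks"` blocks (agones-game-controller, appmesh-mtls, argocd) but none of the hunks set `cluster_enabled_log_types`, so the check now rests on whatever terraform-aws-modules/eks `~> 19.16` enables by default. If that default already covers the audit/api/authenticator log types the ignore was stale and removing it is right, but that is inferred rather than visible here, so the tfsec/trivy run should be confirmed clean rather than assumed. Making the intent explicit in the examples avoids depending on the module default: `cluster_enabled_log_types = ["api", "audit", "authenticator"]`. Each `module "eks"` block continues past its hunk.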
@@ -49,10 +49,9 @@ locals { # Cluster ################################################################################ -#tfsec:ignore:aws-eks-enable-control-plane-logging module "eks" { source = "terraform-aws-modules/eks/aws" - version = "~> 19.13" + version = "~> 19.16" cluster_name = local.name cluster_version = "1.27" diff --git a/examples/blue-green-upgrade/modules/eks_cluster/main.tf b/examples/blue-green-upgrade/modules/eks_cluster/main.tf index 5c258157bc..6bc975ff7a 100644 --- a/examples/blue-green-upgrade/modules/eks_cluster/main.tf +++ b/examples/blue-green-upgrade/modules/eks_cluster/main.tf @@ -310,14 +310,9 @@ data "aws_secretsmanager_secret_version" "admin_password_version" { secret_id = data.aws_secretsmanager_secret.argocd.id } -# data "aws_ecrpublic_authorization_token" "token" { -# provider = aws.virginia -# } - -#tfsec:ignore:aws-eks-enable-control-plane-logging module "eks" { source = "terraform-aws-modules/eks/aws" - version = "~> 19.15.2" + version = "~> 19.16" cluster_name = local.name cluster_version = local.cluster_version diff --git a/examples/elastic-fabric-adapter/main.tf b/examples/elastic-fabric-adapter/main.tf index 83872d1b8d..f0476d7d71 100644 --- a/examples/elastic-fabric-adapter/main.tf +++ b/examples/elastic-fabric-adapter/main.tf @@ -61,10 +61,9 @@ locals { # Cluster ################################################################################ -#tfsec:ignore:aws-eks-enable-control-plane-logging module "eks" { source = "terraform-aws-modules/eks/aws" - version = "~> 19.13" + version = "~> 19.16" cluster_name = local.name cluster_version = "1.27" diff --git a/examples/external-secrets/main.tf b/examples/external-secrets/main.tf index f0af4c49c8..3b64f7163d 100644 --- a/examples/external-secrets/main.tf +++ b/examples/external-secrets/main.tf 
@@ -68,10 +68,9 @@ locals { # Cluster ################################################################################ -#tfsec:ignore:aws-eks-enable-control-plane-logging module "eks" { source = "terraform-aws-modules/eks/aws" - version = "~> 19.13" + version = "~> 19.16" cluster_name = local.name cluster_version = "1.27" diff --git a/examples/fargate-serverless/main.tf b/examples/fargate-serverless/main.tf index a718f822cd..237b140cda 100644 --- a/examples/fargate-serverless/main.tf +++ b/examples/fargate-serverless/main.tf @@ -48,10 +48,9 @@ locals { # Cluster ################################################################################ -#tfsec:ignore:aws-eks-enable-control-plane-logging module "eks" { source = "terraform-aws-modules/eks/aws" - version = "~> 19.13" + version = "~> 19.16" cluster_name = local.name cluster_version = "1.27" diff --git a/examples/fully-private-cluster/main.tf b/examples/fully-private-cluster/main.tf index 7cb6b917fd..bfb0800510 100644 --- a/examples/fully-private-cluster/main.tf +++ b/examples/fully-private-cluster/main.tf @@ -21,10 +21,9 @@ locals { # Cluster ################################################################################ -#tfsec:ignore:aws-eks-enable-control-plane-logging module "eks" { source = "terraform-aws-modules/eks/aws" - version = "~> 19.13" + version = "~> 19.16" cluster_name = local.name cluster_version = "1.27" diff --git a/examples/ipv4-prefix-delegation/main.tf b/examples/ipv4-prefix-delegation/main.tf index 55745cd96d..3789038877 100644 --- a/examples/ipv4-prefix-delegation/main.tf +++ b/examples/ipv4-prefix-delegation/main.tf @@ -47,10 +47,9 @@ locals { # Cluster ################################################################################ -#tfsec:ignore:aws-eks-enable-control-plane-logging module "eks" { source = "terraform-aws-modules/eks/aws" - version = "~> 19.13" + version = "~> 19.16" cluster_name = local.name cluster_version = "1.27" 
diff --git a/examples/ipv6-eks-cluster/main.tf b/examples/ipv6-eks-cluster/main.tf index 1d5d0e5ae4..4940364b51 100644 --- a/examples/ipv6-eks-cluster/main.tf +++ b/examples/ipv6-eks-cluster/main.tf @@ -47,10 +47,9 @@ locals { # Cluster ################################################################################ -#tfsec:ignore:aws-eks-enable-control-plane-logging module "eks" { source = "terraform-aws-modules/eks/aws" - version = "~> 19.13" + version = "~> 19.16" cluster_name = local.name cluster_version = "1.27" diff --git a/examples/istio-multi-cluster/0.certs-tool/.gitignore b/examples/istio-multi-cluster/0.certs-tool/.gitignore index 1503cc8a55..b2290143a4 100644 --- a/examples/istio-multi-cluster/0.certs-tool/.gitignore +++ b/examples/istio-multi-cluster/0.certs-tool/.gitignore @@ -1 +1 @@ -certs \ No newline at end of file +certs diff --git a/examples/istio-multi-cluster/1.cluster1/main.tf b/examples/istio-multi-cluster/1.cluster1/main.tf index 4c036284e9..0fcb4b57f1 100644 --- a/examples/istio-multi-cluster/1.cluster1/main.tf +++ b/examples/istio-multi-cluster/1.cluster1/main.tf @@ -56,10 +56,9 @@ locals { # Cluster ################################################################################ -#tfsec:ignore:aws-eks-enable-control-plane-logging module "eks" { source = "terraform-aws-modules/eks/aws" - version = "~> 19.15" + version = "~> 19.16" cluster_name = local.cluster_name cluster_version = "1.27" diff --git a/examples/istio-multi-cluster/2.cluster2/main.tf b/examples/istio-multi-cluster/2.cluster2/main.tf index f054b4c126..613742f173 100644 --- a/examples/istio-multi-cluster/2.cluster2/main.tf +++ b/examples/istio-multi-cluster/2.cluster2/main.tf 
@@ -57,10 +57,9 @@ locals { # Cluster ################################################################################ -#tfsec:ignore:aws-eks-enable-control-plane-logging module "eks" { source = "terraform-aws-modules/eks/aws" - version = "~> 19.15" + version = "~> 19.16" cluster_name = local.cluster_name cluster_version = "1.27" diff --git a/examples/istio/main.tf b/examples/istio/main.tf index fcfb039541..74615dcf15 100644 --- a/examples/istio/main.tf +++ b/examples/istio/main.tf @@ -50,10 +50,9 @@ locals { # Cluster ################################################################################ -#tfsec:ignore:aws-eks-enable-control-plane-logging module "eks" { source = "terraform-aws-modules/eks/aws" - version = "~> 19.15" + version = "~> 19.16" cluster_name = local.name cluster_version = "1.27" diff --git a/examples/karpenter/main.tf b/examples/karpenter/main.tf index b00bbf52bb..5b9d732940 100644 --- a/examples/karpenter/main.tf +++ b/examples/karpenter/main.tf @@ -71,10 +71,9 @@ locals { # Cluster ################################################################################ -#tfsec:ignore:aws-eks-enable-control-plane-logging module "eks" { source = "terraform-aws-modules/eks/aws" - version = "~> 19.13" + version = "~> 19.16" cluster_name = local.name cluster_version = "1.27" diff --git a/examples/multi-tenancy-with-teams/main.tf b/examples/multi-tenancy-with-teams/main.tf index fbc22b96f0..3631a4340f 100644 --- a/examples/multi-tenancy-with-teams/main.tf +++ b/examples/multi-tenancy-with-teams/main.tf @@ -48,10 +48,9 @@ locals { # Cluster ################################################################################ -#tfsec:ignore:aws-eks-enable-control-plane-logging module "eks" { source = "terraform-aws-modules/eks/aws" - version = "~> 19.13" + version = "~> 19.16" cluster_name = local.name cluster_version = "1.27" diff --git a/examples/private-public-ingress/main.tf b/examples/private-public-ingress/main.tf index 691bd92163..1a77cf8fdd 100644 
--- a/examples/private-public-ingress/main.tf +++ b/examples/private-public-ingress/main.tf @@ -5,34 +5,48 @@ provider "aws" { provider "kubernetes" { host = module.eks.cluster_endpoint cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data) - token = data.aws_eks_cluster_auth.this.token + + exec { + api_version = "client.authentication.k8s.io/v1beta1" + command = "aws" + # This requires the awscli to be installed locally where Terraform is executed + args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name] + } } provider "helm" { kubernetes { host = module.eks.cluster_endpoint cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data) - token = data.aws_eks_cluster_auth.this.token + + exec { + api_version = "client.authentication.k8s.io/v1beta1" + command = "aws" + # This requires the awscli to be installed locally where Terraform is executed + args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name] + } } } provider "kubectl" { - apply_retry_count = 10 + apply_retry_count = 5 host = module.eks.cluster_endpoint cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data) load_config_file = false - token = data.aws_eks_cluster_auth.this.token -} -data "aws_eks_cluster_auth" "this" { - name = module.eks.cluster_name + exec { + api_version = "client.authentication.k8s.io/v1beta1" + command = "aws" + # This requires the awscli to be installed locally where Terraform is executed + args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name] + } } data "aws_availability_zones" "available" {} locals { - region = "eu-west-1" - name = "eks-private-public-ingress" + name = basename(path.cwd) + region = "us-west-2" vpc_cidr = "10.0.0.0/16" azs = slice(data.aws_availability_zones.available.names, 0, 3) 
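Review bot: The three `exec` blocks call `aws eks get-token --cluster-name …` without a `--region`, so the CLI resolves the region from the operator's environment or profile instead of from `local.region` (now `us-west-2`); when they differ the token request goes to the wrong region and the providers fail with an opaque authentication error. Passing it explicitly keeps the example self-contained: `args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name, "--region", local.region]`. The identical args list is repeated for kubernetes, helm and kubectl; a single `local.eks_auth_args` referenced from all three keeps them from drifting. The comments already note that the plugin runs whatever `aws` is first on PATH with ambient credentials, which is the trust boundary to keep in mind for CI runners.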
@@ -43,8 +57,43 @@ locals { } } -resource "aws_security_group" "ingress_nginx_external_sg" { - name = "ingress-nginx-external-sg" +################################################################################ +# Cluster +################################################################################ + +module "eks" { + source = "terraform-aws-modules/eks/aws" + version = "~> 19.16" + + cluster_name = local.name + cluster_version = "1.27" + cluster_endpoint_public_access = true + + vpc_id = module.vpc.vpc_id + subnet_ids = module.vpc.private_subnets + + eks_managed_node_groups = { + core_node_group = { + instance_types = ["m5.large"] + + ami_type = "BOTTLEROCKET_x86_64" + platform = "bottlerocket" + + min_size = 3 + max_size = 3 + desired_size = 3 + } + } + + tags = local.tags +} + +################################################################################ +# EKS Blueprints Addons +################################################################################ + +resource "aws_security_group" "ingress_nginx_external" { + name = "ingress-nginx-external" description = "Allow public HTTP and HTTPS traffic" vpc_id = module.vpc.vpc_id @@ -68,12 +117,12 @@ resource "aws_security_group" "ingress_nginx_external_sg" { protocol = "-1" cidr_blocks = ["0.0.0.0/0"] } + + tags = local.tags } -/* -Deploy the ingress-nginx controller, exposed by an internet facing Network Load Balancer -*/ -module "eks_blueprints_kubernetes_addons_nginx_external" { +# ingress-nginx controller, exposed by an internet facing Network Load Balancer +module "ingres_nginx_external" { source = "aws-ia/eks-blueprints-addons/aws" version = "~> 1.0" @@ -83,7 +132,6 @@ module "eks_blueprints_kubernetes_addons_nginx_external" { oidc_provider_arn = module.eks.oidc_provider_arn enable_ingress_nginx = true - ingress_nginx = { name = "ingress-nginx-external" values = [ 
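Review bot: The relocated `module "eks"` keeps `cluster_endpoint_public_access = true` with no `cluster_endpoint_public_access_cidrs`, so the API server endpoint is reachable from any source address and only IAM/aws-auth stands between the internet and the control plane; the removed block had the same setting, but since the block is being rewritten this is the place to either restrict it, `cluster_endpoint_public_access_cidrs = ["<operator-cidr>/32"]`, or add a comment stating it is an example-only convenience. The new module label `ingres_nginx_external` drops an `s` from ingress; it will become a state address, so `ingress_nginx_external` is worth fixing now while the rename is already happening. The `ingress_nginx_external` security group's last rule (`protocol = "-1"`, `0.0.0.0/0`) appears to be egress, which is acceptable for an NLB-facing SG but a one-line comment saying so would stop readers mistaking it for an open ingress rule.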
@@ -94,7 +142,7 @@ module "eks_blueprints_kubernetes_addons_nginx_external" { annotations: service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing - service.beta.kubernetes.io/aws-load-balancer-security-groups: ${aws_security_group.ingress_nginx_external_sg.id} + service.beta.kubernetes.io/aws-load-balancer-security-groups: ${aws_security_group.ingress_nginx_external.id} service.beta.kubernetes.io/aws-load-balancer-manage-backend-security-group-rules: true loadBalancerClass: service.k8s.aws/nlb topologySpreadConstraints: @@ -119,8 +167,8 @@ module "eks_blueprints_kubernetes_addons_nginx_external" { } } -resource "aws_security_group" "ingress_nginx_internal_sg" { - name = "ingress-nginx-internal-sg" +resource "aws_security_group" "ingress_nginx_internal" { + name = "ingress-nginx-internal" description = "Allow local HTTP and HTTPS traffic" vpc_id = module.vpc.vpc_id @@ -144,12 +192,12 @@ resource "aws_security_group" "ingress_nginx_internal_sg" { protocol = "-1" cidr_blocks = ["0.0.0.0/0"] } + + tags = local.tags } -/* -Deploy the ingress-nginx controller, exposed by an internal Network Load Balancer -*/ -module "eks_blueprints_kubernetes_addons_nginx_internal" { +# ingress-nginx controller, exposed by an internal Network Load Balancer +module "ingres_nginx_internal" { source = "aws-ia/eks-blueprints-addons/aws" version = "~> 1.6.0" 
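Review bot: `module "ingres_nginx_internal"` pins `aws-ia/eks-blueprints-addons/aws` to `~> 1.6.0` while its external sibling earlier in the same file uses `~> 1.0`, so the two ingress-nginx controllers can resolve to different addon module versions (and different chart defaults) on a fresh `terraform init`; pin both the same way, e.g. `version = "~> 1.0"` on both, or both to the narrower constraint. As with the external module, the label `ingres_nginx_internal` misspells ingress and will be baked into state addresses; `ingress_nginx_internal` is the better rename. The `ingress_nginx_internal` security group is described as allowing "local" traffic, but the ingress CIDRs it permits are outside the hunk, so that claim is not verifiable here.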
@@ -170,7 +218,7 @@ module "eks_blueprints_kubernetes_addons_nginx_internal" { annotations: service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip service.beta.kubernetes.io/aws-load-balancer-scheme: internal - service.beta.kubernetes.io/aws-load-balancer-security-groups: ${aws_security_group.ingress_nginx_internal_sg.id} + service.beta.kubernetes.io/aws-load-balancer-security-groups: ${aws_security_group.ingress_nginx_internal.id} service.beta.kubernetes.io/aws-load-balancer-manage-backend-security-group-rules: true loadBalancerClass: service.k8s.aws/nlb topologySpreadConstraints: @@ -210,40 +258,15 @@ module "eks_blueprints_kubernetes_addons" { } tags = local.tags - - depends_on = [module.eks] } -module "eks" { - source = "terraform-aws-modules/eks/aws" - version = "~> 19.15.3" - - cluster_name = local.name - cluster_version = "1.27" - cluster_endpoint_public_access = true - - vpc_id = module.vpc.vpc_id - subnet_ids = slice(module.vpc.private_subnets, 0, 3) - - eks_managed_node_groups = { - core_node_group = { - instance_types = ["m5.large"] - - ami_type = "BOTTLEROCKET_x86_64" - platform = "bottlerocket" - - min_size = 3 - max_size = 3 - desired_size = 3 - } - } - - tags = local.tags -} +################################################################################ +# Supporting Resources +################################################################################ module "vpc" { source = "terraform-aws-modules/vpc/aws" - version = "5.0.0" + version = "~> 5.0" name = local.name cidr = local.vpc_cidr diff --git a/examples/private-public-ingress/versions.tf b/examples/private-public-ingress/versions.tf index 41659b9847..a2f5c89e44 100644 --- a/examples/private-public-ingress/versions.tf +++ b/examples/private-public-ingress/versions.tf 
@@ -1,18 +1,18 @@ terraform { - required_version = ">= 1.0.0" + required_version = ">= 1.0" required_providers { aws = { source = "hashicorp/aws" - version = ">= 3.72" - } - kubernetes = { - source = "hashicorp/kubernetes" - version = ">= 2.10" + version = ">= 4.47" } helm = { source = "hashicorp/helm" - version = ">= 2.4.1" + version = ">= 2.9" + } + kubernetes = { + source = "hashicorp/kubernetes" + version = ">= 2.20" } kubectl = { source = "gavinbunney/kubectl" diff --git a/examples/privatelink-access/eks.tf b/examples/privatelink-access/eks.tf index 2536c8b79c..e698ed35a0 100644 --- a/examples/privatelink-access/eks.tf +++ b/examples/privatelink-access/eks.tf @@ -4,7 +4,7 @@ module "eks" { source = "terraform-aws-modules/eks/aws" - version = "~> 19.15" + version = "~> 19.16" cluster_name = local.name cluster_version = "1.27" diff --git a/examples/stateful/main.tf b/examples/stateful/main.tf index 0e55773389..320c1cd7a7 100644 --- a/examples/stateful/main.tf +++ b/examples/stateful/main.tf @@ -53,10 +53,9 @@ locals { # Cluster ################################################################################ -#tfsec:ignore:aws-eks-enable-control-plane-logging module "eks" { source = "terraform-aws-modules/eks/aws" - version = "~> 19.13" + version = "~> 19.16" cluster_name = local.name cluster_version = "1.27" 
@@ -122,12 +121,20 @@ module "eks" { Name=attachment.device,Values=${local.second_volume_name} \ --query Volumes[].Attachments[].State \ --output text) - sleep 5 done + # Get the volume ID + VOLUME_ID=$(aws ec2 describe-volumes \ + --region ${local.region} \ + --filters \ + Name=attachment.instance-id,Values=$${EC2_INSTANCE_ID} \ + Name=attachment.device,Values=${local.second_volume_name} \ + --query Volumes[].Attachments[].VolumeId \ + --output text | sed 's/-//') + # Mount the containerd directories to the 2nd volume - SECOND_VOL=$(lsblk -o NAME,TYPE -d | awk '/disk/ {print $1}' | sed -n '2 p') + SECOND_VOL=$(lsblk -o NAME,SERIAL -d |awk -v id="$${VOLUME_ID}" '$2 ~ id {print $1}') systemctl stop containerd mkfs -t ext4 /dev/$${SECOND_VOL} rm -rf /var/lib/containerd/* 
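Review bot: `SECOND_VOL` is selected with `$2 ~ id`, a regex/substring match, and if the `describe-volumes` call returns nothing `VOLUME_ID` is empty, the empty pattern matches every disk's serial, and `SECOND_VOL` ends up holding the root disk or several names immediately before the destructive `mkfs -t ext4 /dev/$${SECOND_VOL}`. Guard the lookup: `[ -n "$${VOLUME_ID}" ] || { echo "second volume not found" >&2; exit 1; }` after the describe call, use an exact comparison `'$2 == id {print $1}'` (the `sed 's/-//'` implies the NVMe serial is exactly the hyphen-less volume id, which is worth confirming on the target AMI), and check `[ -n "$${SECOND_VOL}" ]` before `systemctl stop containerd`. Dropping `sleep 5` also turns the attach-wait loop into a tight loop of `describe-volumes` calls that will hit API throttling; keep a short sleep in the loop body. The `module "eks"` user-data block continues outside the hunk.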
@@ -161,26 +168,19 @@ module "eks" { } } - # The virtual device name (ephemeralN). Instance store volumes are numbered - # starting from 0. An instance type with 2 available instance store volumes - # can specify mappings for ephemeral0 and ephemeral1. The number of available - # instance store volumes depends on the instance type. After you connect to - # the instance, you must mount the volume - here, we are using user data to automatically - # mount the volume(s) during instance creation. - # # NVMe instance store volumes are automatically enumerated and assigned a device - # name. Including them in your block device mapping has no effect. pre_bootstrap_user_data = <<-EOT - IDX=1 - DEVICES=$(lsblk -o NAME,TYPE -dsn | awk '/disk/ {print $1}') - for DEV in $DEVICES - do - mkfs.xfs /dev/$${DEV} - mkdir -p /local$${IDX} - echo /dev/$${DEV} /local$${IDX} xfs defaults,noatime 1 2 >> /etc/fstab - IDX=$(($${IDX} + 1)) - done - mount -a + cat <<-EOF > /etc/profile.d/bootstrap.sh + #!/bin/sh + + # Configure NVMe volumes in RAID0 configuration + # https://github.com/awslabs/amazon-eks-ami/blob/056e31f8c7477e893424abce468cb32bbcd1f079/files/bootstrap.sh#L35C121-L35C126 + # Mount will be: /mnt/k8s-disks + export LOCAL_DISKS='raid0' + EOF + + # Source extra environment variables in bootstrap script + sed -i '/^set -o errexit/a\\nsource /etc/profile.d/bootstrap.sh' /etc/eks/bootstrap.sh EOT } } @@ -213,7 +213,7 @@ module "eks_blueprints_addons" { } enable_velero = true - # An S3 Bucket ARN is required. This can be declared with or without a Prefix. + # An S3 Bucket ARN is required. This can be declared with or without a prefix velero = { s3_backup_location = local.velero_s3_backup_location } diff --git a/examples/tls-with-aws-pca-issuer/main.tf b/examples/tls-with-aws-pca-issuer/main.tf index 6231115d9e..98ebde2d9a 100644 --- a/examples/tls-with-aws-pca-issuer/main.tf +++ b/examples/tls-with-aws-pca-issuer/main.tf 
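Review bot: The `sed -i '/^set -o errexit/a\\nsource /etc/profile.d/bootstrap.sh' /etc/eks/bootstrap.sh` edit fails silently when the anchor line is absent — the comment pins a specific amazon-eks-ami commit, and a different AMI revision would leave `LOCAL_DISKS` unset so the node boots with its NVMe disks unconfigured and no error. Add a guard before it: `grep -q '^set -o errexit' /etc/eks/bootstrap.sh || { echo 'bootstrap.sh anchor not found' >&2; exit 1; }`. Writing the variable to `/etc/profile.d/` also means every login shell on the node exports `LOCAL_DISKS`, which is harmless but misleading; a dedicated file such as `/etc/eks/bootstrap-env.sh` sourced only from bootstrap.sh expresses the intent. Whether `\\n` inside the HCL heredoc reaches sed as a single backslash should be checked against the rendered user data, since that decides whether the `a` command's text is inserted correctly. The `module "eks"` block continues outside the hunk.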
@@ -62,10 +62,9 @@ locals { # Cluster ################################################################################ -#tfsec:ignore:aws-eks-enable-control-plane-logging module "eks" { source = "terraform-aws-modules/eks/aws" - version = "~> 19.13" + version = "~> 19.16" cluster_name = local.name cluster_version = "1.27" diff --git a/examples/vpc-cni-custom-networking/main.tf b/examples/vpc-cni-custom-networking/main.tf index 04b02d234a..d508261314 100644 --- a/examples/vpc-cni-custom-networking/main.tf +++ b/examples/vpc-cni-custom-networking/main.tf @@ -62,10 +62,9 @@ locals { # Cluster ################################################################################ -#tfsec:ignore:aws-eks-enable-control-plane-logging module "eks" { source = "terraform-aws-modules/eks/aws" - version = "~> 19.13" + version = "~> 19.16" cluster_name = local.name cluster_version = "1.27" diff --git a/examples/wireguard-with-cilium/destroy.sh b/examples/wireguard-with-cilium/destroy.sh deleted file mode 100755 index dd4567a6b2..0000000000 --- a/examples/wireguard-with-cilium/destroy.sh +++ /dev/null @@ -1,4 +0,0 @@ -#!/bin/bash - -terraform destroy -target=module.eks -auto-approve -terraform destroy -auto-approve diff --git a/examples/wireguard-with-cilium/main.tf b/examples/wireguard-with-cilium/main.tf index be860c6447..1b6f28e54c 100644 --- a/examples/wireguard-with-cilium/main.tf +++ b/examples/wireguard-with-cilium/main.tf @@ -62,10 +62,9 @@ locals { # Cluster ################################################################################ -#tfsec:ignore:aws-eks-enable-control-plane-logging module "eks" { source = "terraform-aws-modules/eks/aws" - version = "~> 19.13" + version = "~> 19.16" cluster_name = local.name cluster_version = "1.27"