From 1537a77fa529aeac6292649957c36ff60898c72a Mon Sep 17 00:00:00 2001 From: Bryant Biggs Date: Mon, 24 Jul 2023 19:23:31 -0400 Subject: [PATCH 1/2] chore: Remove remaining modules from project, update workflows now that modules are removed --- .github/workflows/pre-commit.yml | 66 +------------- .pre-commit-config.yaml | 7 +- modules/irsa/README.md | 75 --------------- modules/irsa/main.tf | 91 ------------------- modules/irsa/outputs.tf | 19 ---- modules/irsa/variables.tf | 73 --------------- modules/irsa/versions.tf | 14 --- .../kubernetes-addons/helm-addon/README.md | 57 ------------ modules/kubernetes-addons/helm-addon/main.tf | 81 ----------------- .../kubernetes-addons/helm-addon/outputs.tf | 24 ----- .../kubernetes-addons/helm-addon/variables.tf | 39 -------- .../kubernetes-addons/helm-addon/versions.tf | 10 -- tfsec.yaml | 8 -- 13 files changed, 2 insertions(+), 562 deletions(-) delete mode 100644 modules/irsa/README.md delete mode 100644 modules/irsa/main.tf delete mode 100644 modules/irsa/outputs.tf delete mode 100644 modules/irsa/variables.tf delete mode 100644 modules/irsa/versions.tf delete mode 100644 modules/kubernetes-addons/helm-addon/README.md delete mode 100644 modules/kubernetes-addons/helm-addon/main.tf delete mode 100644 modules/kubernetes-addons/helm-addon/outputs.tf delete mode 100644 modules/kubernetes-addons/helm-addon/variables.tf delete mode 100644 modules/kubernetes-addons/helm-addon/versions.tf delete mode 100644 tfsec.yaml diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml index 834f6350ec..d83a821639 100644 --- a/.github/workflows/pre-commit.yml +++ b/.github/workflows/pre-commit.yml @@ -60,9 +60,6 @@ jobs: - uses: dorny/paths-filter@v2 id: changes with: - # We only need to check Terraform files for the current directory - # because the `preCommitMaxVersion` job will run the full, - # exhaustive checks (always) filters: | src: - '${{ matrix.directory }}/*.tf' 
@@ -87,71 +84,10 @@ jobs: directory: ${{ matrix.directory }} - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }} - uses: clowdhaus/terraform-composite-actions/pre-commit@v1.8.3 - # Run only validate pre-commit check on min version supported - if: ${{ matrix.directory != '.' && steps.changes.outputs.src== 'true' }} - with: - terraform-version: ${{ steps.minMax.outputs.minVersion }} - tflint-version: ${{ env.TFLINT_VERSION }} - args: 'terraform_validate --color=always --show-diff-on-failure --files ${{ matrix.directory }}/*' - - - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }} - uses: clowdhaus/terraform-composite-actions/pre-commit@v1.8.3 - # Run only validate pre-commit check on min version supported - if: ${{ matrix.directory == '.' && steps.changes.outputs.src== 'true' }} - with: - terraform-version: ${{ steps.minMax.outputs.minVersion }} - tflint-version: ${{ env.TFLINT_VERSION }} - args: 'terraform_validate --color=always --show-diff-on-failure --files $(ls *.tf)' - - preCommitMaxVersion: - name: Max TF pre-commit - runs-on: ubuntu-latest - needs: collectInputs - steps: - - name: Harden Runner - uses: step-security/harden-runner@v2 - with: - egress-policy: audit - - - name: Remove default Terraform - run: rm -rf $(which terraform) - - - name: Checkout - uses: actions/checkout@v3 - - - uses: dorny/paths-filter@v2 - id: changes - with: - filters: | - src: - - '**/*.tf' - - - name: Config Terraform plugin cache - if: steps.changes.outputs.src== 'true' - run: mkdir --parents ${{ env.TERRAFORM_DOCS_VERSION }} - - - name: Cache Terraform - uses: actions/cache@v3 - if: steps.changes.outputs.src== 'true' - with: - path: ${{ env.TF_PLUGIN_CACHE_DIR }} - key: ${{ runner.os }}-terraform-${{ hashFiles('**/.terraform.lock.hcl') }} - restore-keys: ${{ runner.os }}-terraform- - - - name: Install tfsec - if: steps.changes.outputs.src== 'true' - run: curl -sSLo ./tfsec https://github.com/aquasecurity/tfsec/releases/download/${{ 
env.TFSEC_VERSION }}/tfsec-$(uname)-amd64 && chmod +x tfsec && sudo mv tfsec /usr/bin/ - - - name: Terraform min/max versions - id: minMax - uses: clowdhaus/terraform-min-max@v1.2.7 - if: steps.changes.outputs.src== 'true' - - - name: Pre-commit Terraform ${{ steps.minMax.outputs.maxVersion }} uses: clowdhaus/terraform-composite-actions/pre-commit@v1.8.3 if: steps.changes.outputs.src== 'true' with: terraform-version: ${{ steps.minMax.outputs.maxVersion }} terraform-docs-version: ${{ env.TERRAFORM_DOCS_VERSION }} tflint-version: ${{ env.TFLINT_VERSION }} + args: '--files ${{ matrix.directory }}/*' diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 08b92035ba..bb917c2349 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -32,9 +32,4 @@ repos: - '--args=--only=terraform_standard_module_structure' - '--args=--only=terraform_workspace_remote' - id: terraform_validate - exclude: docs - # - id: terraform_tfsec - # files: ^examples/ # only scan `examples/*` which are the implementation - # args: - # - --args=--config-file=__GIT_WORKING_DIR__/tfsec.yaml - # - --args=--concise-output + exclude: (docs|modules) diff --git a/modules/irsa/README.md b/modules/irsa/README.md deleted file mode 100644 index f3a3d49e0c..0000000000 --- a/modules/irsa/README.md +++ /dev/null 
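Review bot: The step that survives this hunk keeps the context line `- name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}` while its retained `with:` block passes `terraform-version: ${{ steps.minMax.outputs.maxVersion }}`, so the job log now labels a max-version run with the min version; rename it `- name: Pre-commit Terraform ${{ steps.minMax.outputs.maxVersion }}`. With the `preCommitMaxVersion` job deleted, this matrix job is the only pre-commit run left, and the first hunk shows its `dorny/paths-filter` matching only `'${{ matrix.directory }}/*.tf'`, so a change to `.pre-commit-config.yaml` or any non-`.tf` file no longer triggers a check — the removed comment explained that the exhaustive job covered this, and either a replacement comment stating the new coverage or a wider filter is needed. The deleted job was also where `harden-runner` (`egress-policy: audit`) and the `tfsec` install lived; whether the remaining job declares `harden-runner` is outside this hunk, as is the job's header.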
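Review bot: The new `exclude: (docs|modules)` on `terraform_validate` is an unanchored regex, so it also skips any path that merely contains either word (a hypothetical `examples/x-modules/` or `modules.tf` would be excluded); anchoring it as `exclude: ^(docs|modules)/` limits it to the two top-level directories. Since this same commit deletes the `modules/` tree, it is not obvious why `modules` needs excluding at all; if it is a transitional guard, a comment saying so keeps a future `modules/` directory from silently bypassing validation. The hunk also removes the commented-out `terraform_tfsec` hook along with `tfsec.yaml`, which leaves no IaC security scanner visible in this hook list; a one-line comment naming where that scanning now happens, if anywhere, would help the next reviewer. The `repos` list starts before the hunk.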
@@ -1,75 +0,0 @@ -# IRSA (IAM roles for Kubernetes Service Accounts) - -This Terraform module creates the following resources - -1. Kubernetes Namespace for Kubernetes Addon -2. Service Account for Kubernetes Addon -3. IAM Role for Service Account with OIDC assume role policy -4. Creates default policy required for Addon -5. Attaches the additional IAM policies provided by consumer module - -## Learn more - -## Blogs - -- [Introducing fine-grained IAM roles for service accounts](https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/) -- [Cross account IAM roles for Kubernetes service accounts](https://aws.amazon.com/blogs/containers/cross-account-iam-roles-for-kubernetes-service-accounts/) -- [Enabling cross-account access to Amazon EKS cluster resources](https://aws.amazon.com/blogs/containers/enabling-cross-account-access-to-amazon-eks-cluster-resources/) - - -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.0.0 | -| [aws](#requirement\_aws) | >= 3.72 | -| [kubernetes](#requirement\_kubernetes) | >= 2.10 | - -## Providers - -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | >= 3.72 | -| [kubernetes](#provider\_kubernetes) | >= 2.10 | - -## Modules - -No modules. 
- -## Resources - -| Name | Type | -|------|------| -| [aws_iam_role.irsa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role_policy_attachment.irsa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [kubernetes_namespace_v1.irsa](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace_v1) | resource | -| [kubernetes_secret_v1.irsa](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret_v1) | resource | -| [kubernetes_service_account_v1.irsa](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service_account_v1) | resource | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [create\_kubernetes\_namespace](#input\_create\_kubernetes\_namespace) | Should the module create the namespace | `bool` | `true` | no | -| [create\_kubernetes\_service\_account](#input\_create\_kubernetes\_service\_account) | Should the module create the Service Account | `bool` | `true` | no | -| [create\_service\_account\_secret\_token](#input\_create\_service\_account\_secret\_token) | Should the module create a secret for the service account (from k8s version 1.24 service account doesn't automatically create secret of the token) | `bool` | `false` | no | -| [eks\_cluster\_id](#input\_eks\_cluster\_id) | EKS Cluster ID | `string` | n/a | yes | -| [eks\_oidc\_provider\_arn](#input\_eks\_oidc\_provider\_arn) | EKS OIDC Provider ARN e.g., arn:aws:iam:::oidc-provider/ | `string` | n/a | yes | -| [irsa\_iam\_permissions\_boundary](#input\_irsa\_iam\_permissions\_boundary) | IAM permissions boundary for IRSA roles | `string` | `""` | no | -| [irsa\_iam\_policies](#input\_irsa\_iam\_policies) | IAM Policies for IRSA IAM role | `list(string)` | `[]` | no | -| 
[irsa\_iam\_role\_name](#input\_irsa\_iam\_role\_name) | IAM role name for IRSA | `string` | `""` | no | -| [irsa\_iam\_role\_path](#input\_irsa\_iam\_role\_path) | IAM role path for IRSA roles | `string` | `"/"` | no | -| [kubernetes\_namespace](#input\_kubernetes\_namespace) | Kubernetes Namespace name | `string` | n/a | yes | -| [kubernetes\_service\_account](#input\_kubernetes\_service\_account) | Kubernetes Service Account Name | `string` | n/a | yes | -| [kubernetes\_svc\_image\_pull\_secrets](#input\_kubernetes\_svc\_image\_pull\_secrets) | list(string) of kubernetes imagePullSecrets | `list(string)` | `[]` | no | -| [tags](#input\_tags) | Additional tags (e.g. `map('BusinessUnit`,`XYZ`) | `map(string)` | `{}` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| [irsa\_iam\_role\_arn](#output\_irsa\_iam\_role\_arn) | IAM role ARN for your service account | -| [irsa\_iam\_role\_name](#output\_irsa\_iam\_role\_name) | IAM role name for your service account | -| [namespace](#output\_namespace) | IRSA Namespace | -| [service\_account](#output\_service\_account) | IRSA Service Account | - diff --git a/modules/irsa/main.tf b/modules/irsa/main.tf deleted file mode 100644 index f7f2ed785a..0000000000 --- a/modules/irsa/main.tf +++ /dev/null 
@@ -1,91 +0,0 @@
-locals {
- eks_oidc_issuer_url = replace(var.eks_oidc_provider_arn, "/^(.*provider/)/", "")
-}
-
-resource "kubernetes_namespace_v1" "irsa" {
- count = var.create_kubernetes_namespace && var.kubernetes_namespace != "kube-system" ? 1 : 0
- metadata {
- name = var.kubernetes_namespace
- }
-
- timeouts {
- delete = "15m"
- }
-
- lifecycle {
- ignore_changes = [
- metadata[0].labels,
- metadata[0].annotations,
- ]
- }
-}
-
-resource "kubernetes_secret_v1" "irsa" {
- count = var.create_kubernetes_service_account && var.create_service_account_secret_token ? 1 : 0
- metadata {
- name = format("%s-token-secret", try(kubernetes_service_account_v1.irsa[0].metadata[0].name, var.kubernetes_service_account))
- namespace = try(kubernetes_namespace_v1.irsa[0].metadata[0].name, var.kubernetes_namespace)
- annotations = {
- "kubernetes.io/service-account.name" = try(kubernetes_service_account_v1.irsa[0].metadata[0].name, var.kubernetes_service_account)
- "kubernetes.io/service-account.namespace" = try(kubernetes_namespace_v1.irsa[0].metadata[0].name, var.kubernetes_namespace)
- }
- }
-
- type = "kubernetes.io/service-account-token"
-}
-
-resource "kubernetes_service_account_v1" "irsa" {
- count = var.create_kubernetes_service_account ? 1 : 0
- metadata {
- name = var.kubernetes_service_account
- namespace = try(kubernetes_namespace_v1.irsa[0].metadata[0].name, var.kubernetes_namespace)
- annotations = var.irsa_iam_policies != null ? { "eks.amazonaws.com/role-arn" : aws_iam_role.irsa[0].arn } : null
- }
-
- dynamic "image_pull_secret" {
- for_each = var.kubernetes_svc_image_pull_secrets != null ? var.kubernetes_svc_image_pull_secrets : []
- content {
- name = image_pull_secret.value
- }
- }
-
- automount_service_account_token = true
-}
-
-# NOTE: Don't change the condition from StringLike to StringEquals. We are using wild characters for service account hence StringLike is required.
-resource "aws_iam_role" "irsa" {
- count = var.irsa_iam_policies != null ? 1 : 0
-
- name = try(coalesce(var.irsa_iam_role_name, format("%s-%s-%s", var.eks_cluster_id, trim(var.kubernetes_service_account, "-*"), "irsa")), null)
- description = "AWS IAM Role for the Kubernetes service account ${var.kubernetes_service_account}."
- assume_role_policy = jsonencode({
- "Version" : "2012-10-17",
- "Statement" : [
- {
- "Effect" : "Allow",
- "Principal" : {
- "Federated" : var.eks_oidc_provider_arn
- },
- "Action" : "sts:AssumeRoleWithWebIdentity",
- "Condition" : {
- "StringLike" : {
- "${local.eks_oidc_issuer_url}:sub" : "system:serviceaccount:${var.kubernetes_namespace}:${var.kubernetes_service_account}",
- "${local.eks_oidc_issuer_url}:aud" : "sts.amazonaws.com"
- }
- }
- }
- ]
- })
- path = var.irsa_iam_role_path
- force_detach_policies = true
- permissions_boundary = var.irsa_iam_permissions_boundary
-
- tags = var.tags
-}
-
-resource "aws_iam_role_policy_attachment" "irsa" {
- count = var.irsa_iam_policies != null ? length(var.irsa_iam_policies) : 0
-
- policy_arn = var.irsa_iam_policies[count.index]
- role = aws_iam_role.irsa[0].name
-}
diff --git a/modules/irsa/outputs.tf b/modules/irsa/outputs.tf
deleted file mode 100644
index 9311a6c055..0000000000
--- a/modules/irsa/outputs.tf
+++ /dev/null
@@ -1,19 +0,0 @@
-output "irsa_iam_role_arn" {
- description = "IAM role ARN for your service account"
- value = try(aws_iam_role.irsa[0].arn, null)
-}
-
-output "irsa_iam_role_name" {
- description = "IAM role name for your service account"
- value = try(aws_iam_role.irsa[0].name, null)
-}
-
-output "namespace" {
- description = "IRSA Namespace"
- value = try(kubernetes_namespace_v1.irsa[0].id, var.kubernetes_namespace)
-}
-
-output "service_account" {
- description = "IRSA Service Account"
- value = try(kubernetes_service_account_v1.irsa[0].id, var.kubernetes_service_account)
-}
diff --git a/modules/irsa/variables.tf b/modules/irsa/variables.tf
deleted file mode 100644
index 60bf1fe823..0000000000
--- a/modules/irsa/variables.tf
+++ /dev/null
@@ -1,73 +0,0 @@
-variable "kubernetes_namespace" {
- description = "Kubernetes Namespace name"
- type = string
-}
-
-variable "create_kubernetes_namespace" {
- description = "Should the module create the namespace"
- type = bool
- default = true
-}
-
-variable "create_kubernetes_service_account" {
- description = "Should the module create the Service Account"
- type = bool
- default = true
-}
-
-variable "create_service_account_secret_token" {
- description = "Should the module create a secret for the service account (from k8s version 1.24 service account doesn't automatically create secret of the token)"
- type = bool
- default = false
-}
-
-variable "kubernetes_service_account" {
- description = "Kubernetes Service Account Name"
- type = string
-}
-
-variable "kubernetes_svc_image_pull_secrets" {
- description = "list(string) of kubernetes imagePullSecrets"
- type = list(string)
- default = []
-}
-
-variable "irsa_iam_policies" {
- type = list(string)
- description = "IAM Policies for IRSA IAM role"
- default = []
-}
-
-variable "irsa_iam_role_name" {
- type = string
- description = "IAM role name for IRSA"
- default = ""
-}
-
-variable "irsa_iam_role_path" {
- description = "IAM role path for IRSA roles"
- type = string
- default = "/"
-}
-
-variable "irsa_iam_permissions_boundary" {
- description = "IAM permissions boundary for IRSA roles"
- type = string
- default = ""
-}
-
-variable "eks_oidc_provider_arn" {
- description = "EKS OIDC Provider ARN e.g., arn:aws:iam:::oidc-provider/"
- type = string
-}
-
-variable "eks_cluster_id" {
- description = "EKS Cluster ID"
- type = string
-}
-
-variable "tags" {
- description = "Additional tags (e.g. `map('BusinessUnit`,`XYZ`)"
- type = map(string)
- default = {}
-}
diff --git a/modules/irsa/versions.tf b/modules/irsa/versions.tf
deleted file mode 100644
index d2ddf87cc2..0000000000
--- a/modules/irsa/versions.tf
+++ /dev/null
@@ -1,14 +0,0 @@
-terraform {
- required_version = ">= 1.0.0"
-
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = ">= 3.72"
- }
- kubernetes = {
- source = "hashicorp/kubernetes"
- version = ">= 2.10"
- }
- }
-}
diff --git a/modules/kubernetes-addons/helm-addon/README.md b/modules/kubernetes-addons/helm-addon/README.md
deleted file mode 100644
index 450840992d..0000000000
--- a/modules/kubernetes-addons/helm-addon/README.md
+++ /dev/null
@@ -1,57 +0,0 @@ -# Helm AddOn - -## Introduction - -Helm Addon module can be used to provision a generic Helm Chart as an Add-On for an EKS cluster provisioned using the EKS Blueprints. This module does the following: - -1. Create an IAM role for Service Accounts with the provided configuration for the [`irsa`](./../../irsa) module. -2. If `manage_via_gitops` is set to `false`, provision the helm chart for the add-on based on the configuration provided for the `helm_config` as defined in the [helm provider](https://registry.terraform.io/providers/hashicorp/helm/latest/docs) documentation. - - -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.0.0 | -| [helm](#requirement\_helm) | >= 2.4.1 | - -## Providers - -| Name | Version | -|------|---------| -| [helm](#provider\_helm) | >= 2.4.1 | - -## Modules - -| Name | Source | Version | -|------|--------|---------| -| [irsa](#module\_irsa) | ../../irsa | n/a | - -## Resources - -| Name | Type | -|------|------| -| [helm_release.addon](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [addon\_context](#input\_addon\_context) | Input configuration for the addon | `any` | n/a | yes | -| [helm\_config](#input\_helm\_config) | Helm chart config. Repository and version required. 
See https://registry.terraform.io/providers/hashicorp/helm/latest/docs | `any` | n/a | yes | -| [irsa\_config](#input\_irsa\_config) | Input configuration for IRSA module | `any` | `{}` | no | -| [irsa\_iam\_role\_name](#input\_irsa\_iam\_role\_name) | IAM role name for IRSA | `string` | `""` | no | -| [manage\_via\_gitops](#input\_manage\_via\_gitops) | Determines if the add-on should be managed via GitOps | `bool` | `false` | no | -| [set\_sensitive\_values](#input\_set\_sensitive\_values) | Forced set\_sensitive values | `any` | `[]` | no | -| [set\_values](#input\_set\_values) | Forced set values | `any` | `[]` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| [helm\_release](#output\_helm\_release) | Map of attributes of the Helm release created without sensitive outputs | -| [irsa\_arn](#output\_irsa\_arn) | IAM role ARN for the service account | -| [irsa\_name](#output\_irsa\_name) | IAM role name for the service account | -| [release\_metadata](#output\_release\_metadata) | Map of attributes of the Helm release metadata | -| [service\_account](#output\_service\_account) | Name of Kubernetes service account | - diff --git a/modules/kubernetes-addons/helm-addon/main.tf b/modules/kubernetes-addons/helm-addon/main.tf deleted file mode 100644 index 34994f7d8f..0000000000 --- a/modules/kubernetes-addons/helm-addon/main.tf +++ /dev/null 
@@ -1,81 +0,0 @@
-resource "helm_release" "addon" {
- count = var.manage_via_gitops ? 0 : 1
- name = var.helm_config["name"]
- repository = try(var.helm_config["repository"], null)
- chart = var.helm_config["chart"]
- version = try(var.helm_config["version"], null)
- timeout = try(var.helm_config["timeout"], 1200)
- values = try(var.helm_config["values"], null)
- create_namespace = length(var.irsa_config) > 0 ? false : try(var.helm_config["create_namespace"], false)
- namespace = var.helm_config["namespace"]
- lint = try(var.helm_config["lint"], false)
- description = try(var.helm_config["description"], "")
- repository_key_file = try(var.helm_config["repository_key_file"], "")
- repository_cert_file = try(var.helm_config["repository_cert_file"], "")
- repository_username = try(var.helm_config["repository_username"], "")
- repository_password = try(var.helm_config["repository_password"], "")
- verify = try(var.helm_config["verify"], false)
- keyring = try(var.helm_config["keyring"], "")
- disable_webhooks = try(var.helm_config["disable_webhooks"], false)
- reuse_values = try(var.helm_config["reuse_values"], false)
- reset_values = try(var.helm_config["reset_values"], false)
- force_update = try(var.helm_config["force_update"], false)
- recreate_pods = try(var.helm_config["recreate_pods"], false)
- cleanup_on_fail = try(var.helm_config["cleanup_on_fail"], false)
- max_history = try(var.helm_config["max_history"], 0)
- atomic = try(var.helm_config["atomic"], false)
- skip_crds = try(var.helm_config["skip_crds"], false)
- render_subchart_notes = try(var.helm_config["render_subchart_notes"], true)
- disable_openapi_validation = try(var.helm_config["disable_openapi_validation"], false)
- wait = try(var.helm_config["wait"], true)
- wait_for_jobs = try(var.helm_config["wait_for_jobs"], false)
- dependency_update = try(var.helm_config["dependency_update"], false)
- replace = try(var.helm_config["replace"], false)
-
- postrender {
- binary_path = try(var.helm_config["postrender"], "")
- }
-
- dynamic "set" {
- iterator = each_item
- for_each = try(var.helm_config["set"], null) != null ? distinct(concat(var.set_values, var.helm_config["set"])) : var.set_values
-
- content {
- name = each_item.value.name
- value = each_item.value.value
- type = try(each_item.value.type, null)
- }
- }
-
- dynamic "set_sensitive" {
- iterator = each_item
- for_each = try(var.helm_config["set_sensitive"], null) != null ? concat(var.helm_config["set_sensitive"], var.set_sensitive_values) : var.set_sensitive_values
-
- content {
- name = each_item.value.name
- value = each_item.value.value
- type = try(each_item.value.type, null)
- }
- }
- depends_on = [module.irsa]
-}
-
-module "irsa" {
- source = "../../irsa"
-
- count = length(var.irsa_config) > 0 ? 1 : 0
-
- create_kubernetes_namespace = try(var.irsa_config.create_kubernetes_namespace, true)
- create_kubernetes_service_account = try(var.irsa_config.create_kubernetes_service_account, true)
- create_service_account_secret_token = try(var.irsa_config.create_service_account_secret_token, false)
- kubernetes_namespace = lookup(var.irsa_config, "kubernetes_namespace", "")
- kubernetes_service_account = lookup(var.irsa_config, "kubernetes_service_account", "")
- kubernetes_svc_image_pull_secrets = try(var.irsa_config.kubernetes_svc_image_pull_secrets, null)
- irsa_iam_policies = lookup(var.irsa_config, "irsa_iam_policies", null)
- irsa_iam_role_name = var.irsa_iam_role_name
- irsa_iam_role_path = lookup(var.addon_context, "irsa_iam_role_path", null)
- irsa_iam_permissions_boundary = lookup(var.addon_context, "irsa_iam_permissions_boundary", null)
- eks_cluster_id = var.addon_context.eks_cluster_id
- eks_oidc_provider_arn = var.addon_context.eks_oidc_provider_arn
- tags = var.addon_context.tags
-}
diff --git a/modules/kubernetes-addons/helm-addon/outputs.tf b/modules/kubernetes-addons/helm-addon/outputs.tf
deleted file mode 100644
index 97124e4a35..0000000000
--- a/modules/kubernetes-addons/helm-addon/outputs.tf
+++ /dev/null
@@ -1,24 +0,0 @@
-output "helm_release" {
- description = "Map of attributes of the Helm release created without sensitive outputs"
- value = try({ for k, v in helm_release.addon : k => v if k != "repository_password" }, {})
-}
-
-output "release_metadata" {
- description = "Map of attributes of the Helm release metadata"
- value = try(helm_release.addon[0].metadata, null)
-}
-
-output "irsa_arn" {
- description = "IAM role ARN for the service account"
- value = try(module.irsa[0].irsa_iam_role_arn, null)
-}
-
-output "irsa_name" {
- description = "IAM role name for the service account"
- value = try(module.irsa[0].irsa_iam_role_name, null)
-}
-
-output "service_account" {
- description = "Name of Kubernetes service account"
- value = try(coalesce(try(module.irsa[0].service_account, null), lookup(var.irsa_config, "kubernetes_service_account", null)), null)
-}
diff --git a/modules/kubernetes-addons/helm-addon/variables.tf b/modules/kubernetes-addons/helm-addon/variables.tf
deleted file mode 100644
index d8d706e8fd..0000000000
--- a/modules/kubernetes-addons/helm-addon/variables.tf
+++ /dev/null
@@ -1,39 +0,0 @@
-variable "helm_config" {
- description = "Helm chart config. Repository and version required. See https://registry.terraform.io/providers/hashicorp/helm/latest/docs"
- type = any
-}
-
-variable "set_values" {
- description = "Forced set values"
- type = any
- default = []
-}
-
-variable "set_sensitive_values" {
- description = "Forced set_sensitive values"
- type = any
- default = []
-}
-
-variable "manage_via_gitops" {
- description = "Determines if the add-on should be managed via GitOps"
- type = bool
- default = false
-}
-
-variable "irsa_iam_role_name" {
- description = "IAM role name for IRSA"
- type = string
- default = ""
-}
-
-variable "irsa_config" {
- description = "Input configuration for IRSA module"
- type = any
- default = {}
-}
-
-variable "addon_context" {
- description = "Input configuration for the addon"
- type = any
-}
diff --git a/modules/kubernetes-addons/helm-addon/versions.tf b/modules/kubernetes-addons/helm-addon/versions.tf
deleted file mode 100644
index 278a4fbb4d..0000000000
--- a/modules/kubernetes-addons/helm-addon/versions.tf
+++ /dev/null
@@ -1,10 +0,0 @@
-terraform {
- required_version = ">= 1.0.0"
-
- required_providers {
- helm = {
- source = "hashicorp/helm"
- version = ">= 2.4.1"
- }
- }
-}
diff --git a/tfsec.yaml b/tfsec.yaml
deleted file mode 100644
index 73b3338dc6..0000000000
--- a/tfsec.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-exclude:
- - aws-iam-no-policy-wildcards # Wildcards required in addon IAM policies
- - aws-vpc-no-excessive-port-access # VPC settings left up to user implementation for recommended practices
- - aws-vpc-no-public-ingress-acl # VPC settings left up to user implementation for recommended practices
- - aws-eks-no-public-cluster-access-to-cidr # Public access enabled for better example usability, users are recommended to disable if possible
- - aws-eks-no-public-cluster-access # Public access enabled for better example usability, users are recommended to disable if possible
- - aws-eks-encrypt-secrets # Module defaults to encrypting secrets with CMK, but this is not hardcoded and therefore a spurious error
- - aws-vpc-no-public-egress-sgr # Added in v1.22
From 5ee83c37cada7e4974f3f7d29f4c6e358d3cd459 Mon Sep 17 00:00:00 2001
From: Bryant Biggs
Date: Tue, 25 Jul 2023 16:08:15 -0400
Subject: [PATCH 2/2] fix: Corrections to pass CI checks
---
 examples/fully-private-cluster/README.md | 5 +--
 examples/fully-private-cluster/main.tf | 40 ------------------
 examples/privatelink-access/variables.tf | 1 -
 3 files changed, 1 insertion(+), 45 deletions(-)
diff --git a/examples/fully-private-cluster/README.md b/examples/fully-private-cluster/README.md
index ad1d0d0f29..f6dce6b25d 100644
--- a/examples/fully-private-cluster/README.md
+++ b/examples/fully-private-cluster/README.md
@@ -29,15 +29,12 @@ Ensure that you have the following tools installed locally: Since this is a Fully Private Amazon EKS Cluster, make sure that you'll have access to the Amazon VPC where the cluster will be deployed, otherwise you won't be able to access it. -For this example, we'll be using an Amazon Cloud9 environment to run Terraform and manage the Amazon EKS Cluster. The Cloud9 environment is already running in the Default VPC, we'll setup a VPC peering between the Default and the Cluster VPC in order to have access to the Kubernetes API and manage our EKS Cluster. - +See the [`privatelink-access`](https://github.com/aws-ia/terraform-aws-eks-blueprints/tree/main/examples/privatelink-access) pattern for using AWS PrivateLink to access the private cluster from another VPC. To provision this example: ```sh terraform init -terraform apply -target module.vpc -target module.vpc_endpoints -target module.vpc_endpoints_sg -terraform apply -target module.eks terraform apply ``` diff --git a/examples/fully-private-cluster/main.tf b/examples/fully-private-cluster/main.tf index dd2116caf0..7cb6b917fd 100644 --- a/examples/fully-private-cluster/main.tf +++ b/examples/fully-private-cluster/main.tf 
@@ -116,43 +116,3 @@ module "vpc_endpoints" {
 tags = local.tags
 }
 
-
-resource "aws_vpc_peering_connection" "this" {
- peer_vpc_id = module.vpc.vpc_id
- vpc_id = module.vpc.default_vpc_id
- auto_accept = true
-
- accepter {
- allow_remote_vpc_dns_resolution = true
- }
-
- requester {
- allow_remote_vpc_dns_resolution = true
- }
-}
-
-resource "aws_route" "default_to_eks" {
- route_table_id = module.vpc.default_vpc_default_route_table_id
- destination_cidr_block = module.vpc.vpc_cidr_block
- vpc_peering_connection_id = aws_vpc_peering_connection.this.id
- depends_on = [module.vpc]
-}
-
-resource "aws_route" "eks_to_default" {
- for_each = { for rt in module.vpc.private_route_table_ids : rt => rt }
-
- route_table_id = each.value
- destination_cidr_block = module.vpc.default_vpc_cidr_block
- vpc_peering_connection_id = aws_vpc_peering_connection.this.id
- depends_on = [module.vpc]
-}
-
-resource "aws_vpc_security_group_ingress_rule" "this" {
- for_each = { for sg in concat([module.eks.cluster_security_group_id, module.eks.cluster_primary_security_group_id]) : sg => sg }
- security_group_id = each.value
-
- cidr_ipv4 = module.vpc.default_vpc_cidr_block
- from_port = 443
- to_port = 443
- ip_protocol = "tcp"
-}
diff --git a/examples/privatelink-access/variables.tf b/examples/privatelink-access/variables.tf
index 8b13789179..e69de29bb2 100644
--- a/examples/privatelink-access/variables.tf
+++ b/examples/privatelink-access/variables.tf
@@ -1 +0,0 @@
-