
PLAT-6279: CDK->Terraform conversion process changes for deployer compatibility (#134)

* Move iam out of main.tf, make order match deployer

* Add variables missing relative to deployer

* Adding missing outputs relative to deployer

* Reorg slightly to better match deployer config

* Move main.tf to a json file so deployer can upgrade it

* Update variable description
Secretions authored Mar 15, 2023
1 parent c92d6e2 commit 542a0c3
Showing 14 changed files with 157 additions and 126 deletions.
8 changes: 4 additions & 4 deletions convert/data/bastion_resources.yaml
Expand Up @@ -7,15 +7,15 @@ resources:
rule_sg: bastionsg
rule_sg_stack: vpc_stack
sg: UnmanagedSG
tf: module.domino_eks.module.eks.aws_security_group_rule.bastion_eks["eks_nodes_ssh_from_bastion"]
tf: module.eks.module.eks.aws_security_group_rule.bastion_eks["eks_nodes_ssh_from_bastion"]
vpc_stack:
- cf: bastionsg
tf: module.domino_eks.module.bastion[0].aws_security_group.bastion
tf: module.eks.module.bastion[0].aws_security_group.bastion
- cf_sgr:
rule: _egress_all_0_0_0.0.0.0/0
sg: bastionsg
tf: module.domino_eks.module.bastion[0].aws_security_group_rule.bastion_outbound
tf: module.eks.module.bastion[0].aws_security_group_rule.bastion_outbound
- cf_sgr:
rule: _ingress_tcp_22_22_0.0.0.0/0
sg: bastionsg
tf: module.domino_eks.module.bastion[0].aws_security_group_rule.bastion["bastion_inbound_ssh"]
tf: module.eks.module.bastion[0].aws_security_group_rule.bastion["bastion_inbound_ssh"]
8 changes: 4 additions & 4 deletions convert/data/efs_backup_resources.yaml
Expand Up @@ -3,10 +3,10 @@ type: optional
resources:
efs_stack:
- cf: efsbackup
tf: module.domino_eks.module.storage.aws_backup_vault.efs[0]
tf: module.eks.module.storage.aws_backup_vault.efs[0]
- cf: efsbackupplan
tf: module.domino_eks.module.storage.aws_backup_plan.efs[0]
tf: module.eks.module.storage.aws_backup_plan.efs[0]
- cf: efsbackuprole
tf: module.domino_eks.module.storage.aws_iam_role.efs_backup_role[0]
tf: module.eks.module.storage.aws_iam_role.efs_backup_role[0]
- cf_backupselection: efsbackupselection
tf: module.domino_eks.module.storage.aws_backup_selection.efs[0]
tf: module.eks.module.storage.aws_backup_selection.efs[0]
2 changes: 1 addition & 1 deletion convert/data/monitoring_bucket_resources.yaml
Expand Up @@ -3,4 +3,4 @@ type: optional
resources:
s3_stack:
- cf: monitoring
tf: module.domino_eks.module.storage.aws_s3_bucket.monitoring
tf: module.eks.module.storage.aws_s3_bucket.monitoring
2 changes: 1 addition & 1 deletion convert/data/per_az.yaml
Expand Up @@ -3,7 +3,7 @@ type: availability_zone
resources:
efs_stack:
- cf: EfsEfsMountTarget%az_count_plus%
tf: module.domino_eks.module.storage.aws_efs_mount_target.eks[%az_count%]
tf: module.eks.module.storage.aws_efs_mount_target.eks[%az_count%]
vpc_stack:
- cf: VPC%cf_stack_key%PublicSubnet%az_count_plus%Subnet
tf: aws_subnet.public[%az_count%]
30 changes: 15 additions & 15 deletions convert/data/resource_template.yaml
Expand Up @@ -2,39 +2,39 @@ name: resource_template
resources:
efs_stack:
- cf: Efs
tf: module.domino_eks.module.storage.aws_efs_file_system.eks
tf: module.eks.module.storage.aws_efs_file_system.eks
- cf: Efsaccesspoint
tf: module.domino_eks.module.storage.aws_efs_access_point.eks
tf: module.eks.module.storage.aws_efs_access_point.eks
eks_stack:
- cf: eks
tf: module.domino_eks.module.eks.aws_eks_cluster.this
tf: module.eks.module.eks.aws_eks_cluster.this
- cf: EKSSG
tf: module.domino_eks.module.eks.aws_security_group.eks_cluster
tf: module.eks.module.eks.aws_security_group.eks_cluster
- cf: eksRole
tf: module.domino_eks.module.eks.aws_iam_role.eks_cluster
- tf: module.domino_eks.module.eks.aws_cloudwatch_log_group.eks_cluster
tf: module.eks.module.eks.aws_iam_role.eks_cluster
- tf: module.eks.module.eks.aws_cloudwatch_log_group.eks_cluster
value: /aws/eks/%stack_name%/cluster
- cf: S3
tf: module.domino_eks.module.storage.aws_iam_policy.s3
- tf: module.domino_eks.module.eks.aws_eks_addon.this["coredns"]
tf: module.eks.module.storage.aws_iam_policy.s3
- tf: module.eks.module.eks.aws_eks_addon.this["coredns"]
value: '%stack_name%:coredns'
- tf: module.domino_eks.module.eks.aws_eks_addon.vpc_cni
- tf: module.eks.module.eks.aws_eks_addon.vpc_cni
value: '%stack_name%:vpc-cni'
- tf: module.domino_eks.module.eks.aws_eks_addon.this["kube-proxy"]
- tf: module.eks.module.eks.aws_eks_addon.this["kube-proxy"]
value: '%stack_name%:kube-proxy'
- cf: eksCreationRole
tf: aws_iam_role.grandfathered_creation_role
- cf: '%cf_stack_key%kubernetessecretsenvelopekey'
tf: module.domino_eks.module.eks.aws_kms_key.eks_cluster
tf: module.eks.module.eks.aws_kms_key.eks_cluster
s3_stack:
- cf: backups
tf: module.domino_eks.module.storage.aws_s3_bucket.backups
tf: module.eks.module.storage.aws_s3_bucket.backups
- cf: blobs
tf: module.domino_eks.module.storage.aws_s3_bucket.blobs
tf: module.eks.module.storage.aws_s3_bucket.blobs
- cf: logs
tf: module.domino_eks.module.storage.aws_s3_bucket.logs
tf: module.eks.module.storage.aws_s3_bucket.logs
- cf: registry
tf: module.domino_eks.module.storage.aws_s3_bucket.registry
tf: module.eks.module.storage.aws_s3_bucket.registry
vpc_stack:
- cf: VPC
tf: aws_vpc.cdk_vpc
2 changes: 1 addition & 1 deletion convert/data/route53_resources.yaml
Expand Up @@ -3,4 +3,4 @@ type: optional
resources:
eks_stack:
- cf: route53
tf: module.domino_eks.aws_iam_policy.route53[0]
tf: module.eks.aws_iam_policy.route53[0]
8 changes: 4 additions & 4 deletions convert/data/unmanaged_nodegroup.yaml
Expand Up @@ -6,16 +6,16 @@ resources:
rule: _egress_tcp_443_443_
rule_sg: UnmanagedSG
sg: EKSSG
tf: module.domino_eks.module.eks.aws_security_group_rule.eks_cluster["egress_nodes_443"]
tf: module.eks.module.eks.aws_security_group_rule.eks_cluster["egress_nodes_443"]
- cf_sgr:
rule: _ingress_tcp_443_443_
rule_sg: UnmanagedSG
sg: EKSSG
tf: module.domino_eks.module.eks.aws_security_group_rule.eks_cluster["ingress_nodes_443"]
tf: module.eks.module.eks.aws_security_group_rule.eks_cluster["ingress_nodes_443"]
- cf: UnmanagedSG
tf: module.domino_eks.module.eks.aws_security_group.eks_nodes
tf: module.eks.module.eks.aws_security_group.eks_nodes
- cf_sgr:
rule: _ingress_tcp_443_443_
rule_sg: EKSSG
sg: UnmanagedSG
tf: module.domino_eks.module.eks.aws_security_group_rule.node["ingress_cluster_443"]
tf: module.eks.module.eks.aws_security_group_rule.node["ingress_cluster_443"]
6 changes: 3 additions & 3 deletions convert/requirements.txt
@@ -1,3 +1,3 @@
boto3~=1.26.22
PyYAML~=6.0
retry~=0.9.2
boto3>=1.26.22
PyYAML>=6.0
retry>=0.9.2
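Review bot: Replacing `~=` with an unbounded `>=` on all three lines means any future major release of boto3, PyYAML or retry is accepted, so the conversion tool (which runs with AWS credentials through boto3) will pick up whatever is newest at install time, including breaking or compromised releases. If the looser range is needed for deployer compatibility, keep an upper bound, e.g. `boto3>=1.26.22,<2`, `PyYAML>=6.0,<7`, `retry>=0.9.2,<1`, and ideally install from a hash-pinned lock file rather than from this loose spec.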
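--- /dev/null
+++ b/convert/terraform/iam.tf
@@ -0,0 +1,24 @@
+data "aws_caller_identity" "admin" {}
+data "aws_partition" "current" {}
+
+resource "aws_iam_role" "grandfathered_creation_role" {
+name = var.grandfathered_creation_role
+
+assume_role_policy = jsonencode({
+Version = "2012-10-17"
+Statement = [
+{
+Action = "sts:AssumeRole"
+Effect = "Allow"
+Sid = ""
+Principal = {
+AWS = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.admin.account_id}:root"
+}
+},
+]
+})
+
+lifecycle {
+ignore_changes = [name, inline_policy]
+}
+}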
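Review bot: The trust policy on `grandfathered_creation_role` admits the whole account (`arn:…:iam::<account_id>:root`), so any principal in the account that is permitted `sts:AssumeRole` can take this role, and `ignore_changes = [name, inline_policy]` means whatever permissions are attached to it out of band are deliberately not reconciled by Terraform. Since main.tf.json passes this role's ARN as `--role-arn` for the kubeconfig update, it presumably carries cluster-admin rights on the EKS cluster, which makes the account-wide trust worth either narrowing to the deployer's principal or at least documenting. Suggested header comment above the resource: `# Role originally created by the CDK stack and imported as-is; its policies are intentionally not managed here (inline_policy ignored). Trusts the entire account root — narrow to specific principals if possible.`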
44 changes: 0 additions & 44 deletions convert/terraform/main.tf

This file was deleted.

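--- /dev/null
+++ b/convert/terraform/main.tf.json
@@ -0,0 +1,66 @@
+{
+"//": "This file is JSON for compatibility with Domino tooling",
+"module": {
+"eks": {
+"source": "github.com/dominodatalab/terraform-aws-eks.git?ref=v1.3.0",
+"deploy_id": "${var.deploy_id}",
+"region": "${var.region}",
+"tags": "${var.tags}",
+"k8s_version": "${var.k8s_version}",
+"default_node_groups": "${var.default_node_groups}",
+"route53_hosted_zone_name": "${var.route53_hosted_zone_name}",
+"bastion": {},
+"s3_force_destroy_on_deletion": "${var.s3_force_destroy_on_deletion}",
+"ssh_pvt_key_path": "${var.ssh_key_path}",
+"kubeconfig_path": "${var.kubeconfig_path}",
+"use_kms": "${var.use_kms}",
+"kms_key_id": "${var.kms_key_id}",
+"ecr_force_destroy_on_deletion": "${var.ecr_force_destroy_on_deletion}",
+"eks_master_role_names": "${var.eks_master_role_names}",
+"vpc_id": "${var.vpc_id}",
+"public_subnets": "${var.public_subnet_ids}",
+"private_subnets": "${var.private_subnet_ids}",
+"pod_subnets": "${var.pod_subnet_ids}",
+"update_kubeconfig_extra_args": "--role-arn ${aws_iam_role.grandfathered_creation_role.arn}",
+"eks_custom_role_maps": "${var.eks_custom_role_maps}"
+}
+},
+"output": {
+"KEY_PAIR_NAME": {
+"value": "${module.eks.domino_key_pair.key_name}"
+},
+"S3_BUCKET_NAME": {
+"value": "${module.eks.s3_buckets.blobs.bucket_name}"
+},
+"S3_LOG_SNAPS_BUCKET_NAME": {
+"value": "${module.eks.s3_buckets.logs.bucket_name}"
+},
+"S3_BACKUPS_BUCKET_NAME": {
+"value": "${module.eks.s3_buckets.backups.bucket_name}"
+},
+"S3_REGISTRY_BUCKET_NAME": {
+"value": "${module.eks.s3_buckets.registry.bucket_name}"
+},
+"S3_MONITORING_BUCKET_NAME": {
+"value": "${module.eks.s3_buckets.monitoring.bucket_name}"
+},
+"EXECUTOR_EFS_FS_ID": {
+"value": "${module.eks.efs_file_system.id}"
+},
+"EXECUTOR_EFS_AP_ID": {
+"value": "${module.eks.efs_access_point.id}"
+},
+"BASTION_IP": {
+"value": "${module.eks.bastion_ip}"
+},
+"KMS_KEY_ID": {
+"value": "${module.eks.kms_key_id}"
+},
+"KMS_KEY_ARN": {
+"value": "${module.eks.kms_key_arn}"
+},
+"CONTAINER_REGISTRY": {
+"value": "${module.eks.container_registry}"
+}
+}
+}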
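Review bot: The module source `"github.com/dominodatalab/terraform-aws-eks.git?ref=v1.3.0"` is pinned to a git tag, which can be moved or re-pushed, so a later `terraform init` may fetch different code than what was reviewed here; for a module that creates IAM roles, KMS keys and security groups, pin `ref=` to the full commit SHA behind v1.3.0 and keep the tag name in the `"//"` comment for readability. Separately, `"bastion": {}` enables the bastion with the module's default settings, and the CDK rule being mapped in bastion_resources.yaml is `_ingress_tcp_22_22_0.0.0.0/0`, so it is worth confirming that the module default does not leave SSH open to 0.0.0.0/0 after conversion. Because this file is JSON, a `"//"` note inside the `eks` object is the only place such caveats can be recorded.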
47 changes: 1 addition & 46 deletions convert/terraform/outputs.tf
@@ -1,49 +1,4 @@
output "domino_eks" {
description = "EKS module outputs"
value = module.domino_eks
}

output "KEY_PAIR_NAME" {
description = "Name of Provisioned AWS Keypair"
value = module.domino_eks.domino_key_pair.key_name
}

output "S3_BUCKET_NAME" {
description = "Blobs bucket name"
value = module.domino_eks.s3_buckets.blobs.bucket_name
}

output "S3_LOG_SNAPS_BUCKET_NAME" {
description = "Log bucket name"
value = module.domino_eks.s3_buckets.logs.bucket_name
}

output "S3_BACKUPS_BUCKET_NAME" {
description = "Backup bucket name"
value = module.domino_eks.s3_buckets.backups.bucket_name
}

output "S3_REGISTRY_BUCKET_NAME" {
description = "Docker Registry bucket name"
value = module.domino_eks.s3_buckets.registry.bucket_name
}

output "S3_MONITORING_BUCKET_NAME" {
description = "Monitoring bucket name"
value = module.domino_eks.s3_buckets.monitoring.bucket_name
}

output "EXECUTOR_EFS_FS_ID" {
description = "EFS filesystem ID"
value = module.domino_eks.efs_file_system.id
}

output "EXECUTOR_EFS_AP_ID" {
description = "EFS access point ID"
value = module.domino_eks.efs_access_point.id
}

output "BASTION_IP" {
description = "Bastion instance IP address"
value = module.domino_eks.bastion_ip
value = module.eks
}
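Review bot: `value = module.eks` exports every output of the module as a single object, so if any module output is declared `sensitive = true` (key material or similar), Terraform will refuse to plan until this output is also marked sensitive, and everything the module exposes lands in the root state and output JSON consumed by the deployer. Consider adding `sensitive = true` here if the module has sensitive outputs, or continue exporting only the named values the deployer actually needs. The description `"EKS module outputs"` should also say that the named outputs (KEY_PAIR_NAME, S3_*_BUCKET_NAME, …) now live in main.tf.json so readers do not look for them in this file.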
34 changes: 32 additions & 2 deletions convert/terraform/variables.tf
Expand Up @@ -116,17 +116,47 @@ variable "eks_master_role_names" {

variable "eks_custom_role_maps" {
type = list(object({rolearn = string, username = string, groups = list(string)}))
description = "blah"
description = "Custom role maps for aws auth configmap"
default = []
}

variable "eks_cluster_auto_sg" {
type = string
description = "Atomatically generated security group with name in the form of eks-cluster-sg-<clustername>"
type = string
}

variable "s3_force_destroy_on_deletion" {
type = bool
description = "Toogle to allow recursive deletion of all objects in the s3 buckets. if 'false' terraform will NOT be able to delete non-empty buckets"
default = false
}

variable "use_kms" {
type = bool
description = "If set, use either the specified KMS key or a Domino-generated one"
default = false
}

variable "kms_key_id" {
type = string
description = "If use_kms is set, use the specified KMS key"
default = null
}

variable "ecr_force_destroy_on_deletion" {
type = bool
description = "Toogle to allow recursive deletion of all objects in the ECR repositories. if 'false' terraform will NOT be able to delete non-empty repositories"
default = false
}

variable "kubeconfig_path" {
type = string
description = "fully qualified path name to write the kubeconfig file"
default = ""
}

variable "flow_log_bucket_arn" {
type = string
description = "Bucket for vpc flow logging"
default = ""
}
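Review bot: `flow_log_bucket_arn` defaults to `""` but vpc.tf now feeds it directly into `aws_flow_log.flowlog.log_destination`, so enabling `flow_logging` without setting it fails at apply time rather than at plan time; a `validation` block cannot reference `var.flow_logging`, so either drop the default (making the variable required) or document the coupling: `description = "ARN of the S3 bucket for VPC flow logs; required when flow_logging is true (previously derived from the module's monitoring bucket)"`. Two descriptions also carry typos, `Atomatically` → `Automatically` and `Toogle` → `Toggle` (twice). The rendered diff shows `type = string` twice inside `eks_cluster_auto_sg`; confirm only one survives on the new side.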
2 changes: 1 addition & 1 deletion convert/terraform/vpc.tf
Expand Up @@ -6,7 +6,7 @@ resource "aws_vpc" "cdk_vpc" {

resource "aws_flow_log" "flowlog" {
count = var.flow_logging ? 1 : 0
log_destination = module.domino_eks.s3_buckets["monitoring"].arn
log_destination = var.flow_log_bucket_arn
vpc_id = aws_vpc.cdk_vpc.id
max_aggregation_interval = 600
log_destination_type = "s3"
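Review bot: `log_destination = var.flow_log_bucket_arn` replaces a value derived from the module's own monitoring bucket with a caller-supplied ARN that defaults to `""`, so a `flow_logging = true` run with the variable unset fails only at apply, and a mistyped ARN silently routes VPC flow logs to whatever bucket (possibly in another account) was given; the destination bucket also needs a policy permitting `delivery.logs.amazonaws.com`, which the module presumably configured for its monitoring bucket and which this variable no longer guarantees. A resource precondition catches the empty case at plan time (requires Terraform ≥ 1.2); the resource body continues past the end of the hunk.
```hcl
resource "aws_flow_log" "flowlog" {
  count           = var.flow_logging ? 1 : 0
  log_destination = var.flow_log_bucket_arn
  # … unchanged: vpc_id, max_aggregation_interval, log_destination_type …

  lifecycle {
    precondition {
      condition     = !var.flow_logging || var.flow_log_bucket_arn != ""
      error_message = "flow_log_bucket_arn must be set when flow_logging is true; it is no longer derived from the module's monitoring bucket."
    }
  }
  # … unchanged: remainder of resource (outside hunk) …
```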
