From 542a0c361d9d76470c95a391cb085ff586f631f4 Mon Sep 17 00:00:00 2001
From: Secretions
Date: Tue, 14 Mar 2023 17:57:41 -0700
Subject: [PATCH] PLAT-6279: CDK->Terraform conversion process changes for deployer compatibility (#134)
* Move iam out of main.tf, make order match deployer
* Add variables missing relative to deployer
* Adding missing outputs relative to deployer
* Reorg slightly to better match deployer config
* Move main.tf to a json file so deployer can upgrade it
* Update variable description
---
 convert/data/bastion_resources.yaml | 8 +--
 convert/data/efs_backup_resources.yaml | 8 +--
 convert/data/monitoring_bucket_resources.yaml | 2 +-
 convert/data/per_az.yaml | 2 +-
 convert/data/resource_template.yaml | 30 ++++-----
 convert/data/route53_resources.yaml | 2 +-
 convert/data/unmanaged_nodegroup.yaml | 8 +--
 convert/requirements.txt | 6 +-
 convert/terraform/iam.tf | 24 +++++++
 convert/terraform/main.tf | 44 -------
 convert/terraform/main.tf.json | 66 +++++++++++++++++++
 convert/terraform/outputs.tf | 47 +------------
 convert/terraform/variables.tf | 34 +++++++++++++++++++++++++++++++-
 convert/terraform/vpc.tf | 2 +-
 14 files changed, 157 insertions(+), 126 deletions(-)
 create mode 100644 convert/terraform/iam.tf
 delete mode 100755 convert/terraform/main.tf
 create mode 100755 convert/terraform/main.tf.json
diff --git a/convert/data/bastion_resources.yaml b/convert/data/bastion_resources.yaml
index 3bd4efdb..e8180507 100644
--- a/convert/data/bastion_resources.yaml
+++ b/convert/data/bastion_resources.yaml
@@ -7,15 +7,15 @@ resources: rule_sg: bastionsg rule_sg_stack: vpc_stack sg: UnmanagedSG - tf: module.domino_eks.module.eks.aws_security_group_rule.bastion_eks["eks_nodes_ssh_from_bastion"] + tf: module.eks.module.eks.aws_security_group_rule.bastion_eks["eks_nodes_ssh_from_bastion"] vpc_stack: - cf: bastionsg - tf: module.domino_eks.module.bastion[0].aws_security_group.bastion + tf: module.eks.module.bastion[0].aws_security_group.bastion - cf_sgr: rule: _egress_all_0_0_0.0.0.0/0 sg: bastionsg - tf: module.domino_eks.module.bastion[0].aws_security_group_rule.bastion_outbound + tf: module.eks.module.bastion[0].aws_security_group_rule.bastion_outbound - cf_sgr: rule: _ingress_tcp_22_22_0.0.0.0/0 sg: bastionsg - tf: module.domino_eks.module.bastion[0].aws_security_group_rule.bastion["bastion_inbound_ssh"] + tf: module.eks.module.bastion[0].aws_security_group_rule.bastion["bastion_inbound_ssh"] diff --git a/convert/data/efs_backup_resources.yaml b/convert/data/efs_backup_resources.yaml index f5cca0c9..9f765aef 100644 --- a/convert/data/efs_backup_resources.yaml +++ b/convert/data/efs_backup_resources.yaml @@ -3,10 +3,10 @@ type: optional resources: efs_stack: - cf: efsbackup - tf: module.domino_eks.module.storage.aws_backup_vault.efs[0] + tf: module.eks.module.storage.aws_backup_vault.efs[0] - cf: efsbackupplan - tf: module.domino_eks.module.storage.aws_backup_plan.efs[0] + tf: module.eks.module.storage.aws_backup_plan.efs[0] - cf: efsbackuprole - tf: module.domino_eks.module.storage.aws_iam_role.efs_backup_role[0] + tf: module.eks.module.storage.aws_iam_role.efs_backup_role[0] - cf_backupselection: efsbackupselection - tf: module.domino_eks.module.storage.aws_backup_selection.efs[0] + tf: module.eks.module.storage.aws_backup_selection.efs[0] diff --git a/convert/data/monitoring_bucket_resources.yaml b/convert/data/monitoring_bucket_resources.yaml index 3edd16c3..861c54bc 100644 --- a/convert/data/monitoring_bucket_resources.yaml 
+++ b/convert/data/monitoring_bucket_resources.yaml @@ -3,4 +3,4 @@ type: optional resources: s3_stack: - cf: monitoring - tf: module.domino_eks.module.storage.aws_s3_bucket.monitoring + tf: module.eks.module.storage.aws_s3_bucket.monitoring diff --git a/convert/data/per_az.yaml b/convert/data/per_az.yaml index c8417500..58fc9391 100644 --- a/convert/data/per_az.yaml +++ b/convert/data/per_az.yaml @@ -3,7 +3,7 @@ type: availability_zone resources: efs_stack: - cf: EfsEfsMountTarget%az_count_plus% - tf: module.domino_eks.module.storage.aws_efs_mount_target.eks[%az_count%] + tf: module.eks.module.storage.aws_efs_mount_target.eks[%az_count%] vpc_stack: - cf: VPC%cf_stack_key%PublicSubnet%az_count_plus%Subnet tf: aws_subnet.public[%az_count%] diff --git a/convert/data/resource_template.yaml b/convert/data/resource_template.yaml index fee71cba..71d80934 100644 --- a/convert/data/resource_template.yaml +++ b/convert/data/resource_template.yaml 
@@ -2,39 +2,39 @@ name: resource_template resources: efs_stack: - cf: Efs - tf: module.domino_eks.module.storage.aws_efs_file_system.eks + tf: module.eks.module.storage.aws_efs_file_system.eks - cf: Efsaccesspoint - tf: module.domino_eks.module.storage.aws_efs_access_point.eks + tf: module.eks.module.storage.aws_efs_access_point.eks eks_stack: - cf: eks - tf: module.domino_eks.module.eks.aws_eks_cluster.this + tf: module.eks.module.eks.aws_eks_cluster.this - cf: EKSSG - tf: module.domino_eks.module.eks.aws_security_group.eks_cluster + tf: module.eks.module.eks.aws_security_group.eks_cluster - cf: eksRole - tf: module.domino_eks.module.eks.aws_iam_role.eks_cluster - - tf: module.domino_eks.module.eks.aws_cloudwatch_log_group.eks_cluster + tf: module.eks.module.eks.aws_iam_role.eks_cluster + - tf: module.eks.module.eks.aws_cloudwatch_log_group.eks_cluster value: /aws/eks/%stack_name%/cluster - cf: S3 - tf: module.domino_eks.module.storage.aws_iam_policy.s3 - - tf: module.domino_eks.module.eks.aws_eks_addon.this["coredns"] + tf: module.eks.module.storage.aws_iam_policy.s3 + - tf: module.eks.module.eks.aws_eks_addon.this["coredns"] value: '%stack_name%:coredns' - - tf: module.domino_eks.module.eks.aws_eks_addon.vpc_cni + - tf: module.eks.module.eks.aws_eks_addon.vpc_cni value: '%stack_name%:vpc-cni' - - tf: module.domino_eks.module.eks.aws_eks_addon.this["kube-proxy"] + - tf: module.eks.module.eks.aws_eks_addon.this["kube-proxy"] value: '%stack_name%:kube-proxy' - cf: eksCreationRole tf: aws_iam_role.grandfathered_creation_role - cf: '%cf_stack_key%kubernetessecretsenvelopekey' - tf: module.domino_eks.module.eks.aws_kms_key.eks_cluster + tf: module.eks.module.eks.aws_kms_key.eks_cluster s3_stack: - cf: backups - tf: module.domino_eks.module.storage.aws_s3_bucket.backups + tf: module.eks.module.storage.aws_s3_bucket.backups - cf: blobs - tf: module.domino_eks.module.storage.aws_s3_bucket.blobs + tf: module.eks.module.storage.aws_s3_bucket.blobs - cf: logs - tf: 
module.domino_eks.module.storage.aws_s3_bucket.logs + tf: module.eks.module.storage.aws_s3_bucket.logs - cf: registry - tf: module.domino_eks.module.storage.aws_s3_bucket.registry + tf: module.eks.module.storage.aws_s3_bucket.registry vpc_stack: - cf: VPC tf: aws_vpc.cdk_vpc diff --git a/convert/data/route53_resources.yaml b/convert/data/route53_resources.yaml index a9f5b43b..ac7484c8 100644 --- a/convert/data/route53_resources.yaml +++ b/convert/data/route53_resources.yaml @@ -3,4 +3,4 @@ type: optional resources: eks_stack: - cf: route53 - tf: module.domino_eks.aws_iam_policy.route53[0] + tf: module.eks.aws_iam_policy.route53[0] diff --git a/convert/data/unmanaged_nodegroup.yaml b/convert/data/unmanaged_nodegroup.yaml index 82d08b1f..b6c2c5c1 100644 --- a/convert/data/unmanaged_nodegroup.yaml +++ b/convert/data/unmanaged_nodegroup.yaml @@ -6,16 +6,16 @@ resources: rule: _egress_tcp_443_443_ rule_sg: UnmanagedSG sg: EKSSG - tf: module.domino_eks.module.eks.aws_security_group_rule.eks_cluster["egress_nodes_443"] + tf: module.eks.module.eks.aws_security_group_rule.eks_cluster["egress_nodes_443"] - cf_sgr: rule: _ingress_tcp_443_443_ rule_sg: UnmanagedSG sg: EKSSG - tf: module.domino_eks.module.eks.aws_security_group_rule.eks_cluster["ingress_nodes_443"] + tf: module.eks.module.eks.aws_security_group_rule.eks_cluster["ingress_nodes_443"] - cf: UnmanagedSG - tf: module.domino_eks.module.eks.aws_security_group.eks_nodes + tf: module.eks.module.eks.aws_security_group.eks_nodes - cf_sgr: rule: _ingress_tcp_443_443_ rule_sg: EKSSG sg: UnmanagedSG - tf: module.domino_eks.module.eks.aws_security_group_rule.node["ingress_cluster_443"] + tf: module.eks.module.eks.aws_security_group_rule.node["ingress_cluster_443"] diff --git a/convert/requirements.txt b/convert/requirements.txt index 3f4a68d1..7d4c0240 100644 --- a/convert/requirements.txt +++ b/convert/requirements.txt @@ -1,3 +1,3 @@ -boto3~=1.26.22 -PyYAML~=6.0 -retry~=0.9.2 +boto3>=1.26.22 +PyYAML>=6.0 +retry>=0.9.2 
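Review bot: The new `>=` specifiers in requirements.txt have no upper bound, so a fresh install of the converter will pull whatever future major release of boto3, PyYAML or retry is current at install time, and a breaking or tampered release would be picked up automatically; the `~=` form the hunk removes at least capped the major version. If the loosening is needed so the deployer's environment can resolve these alongside its own pins, keep a ceiling (`boto3>=1.26.22,<2`, `PyYAML>=6.0,<7`) or resolve the set into a lock file with hashes so installs stay reproducible. A one-line comment in the file saying why compatible-release pins were dropped would stop the next maintainer from tightening them back.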
diff --git a/convert/terraform/iam.tf b/convert/terraform/iam.tf
new file mode 100644
index 00000000..85ece811
--- /dev/null
+++ b/convert/terraform/iam.tf
@@ -0,0 +1,24 @@
+data "aws_caller_identity" "admin" {}
+data "aws_partition" "current" {}
+
+resource "aws_iam_role" "grandfathered_creation_role" {
+ name = var.grandfathered_creation_role
+
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = "sts:AssumeRole"
+ Effect = "Allow"
+ Sid = ""
+ Principal = {
+ AWS = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.admin.account_id}:root"
+ }
+ },
+ ]
+ })
+
+ lifecycle {
+ ignore_changes = [name, inline_policy]
+ }
+}
diff --git a/convert/terraform/main.tf b/convert/terraform/main.tf
deleted file mode 100755
index 6f577f9a..00000000
--- a/convert/terraform/main.tf
+++ /dev/null
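Review bot: The trust policy of `aws_iam_role.grandfathered_creation_role` grants `sts:AssumeRole` to the whole account root principal with no `Condition`, and `ignore_changes = [name, inline_policy]` means Terraform will neither reconcile nor report drift in this role's inline policies; the file is moved verbatim from main.tf, but nothing in it says that this is deliberate. Because the role's ARN is also what `update_kubeconfig_extra_args` hands to kubectl in main.tf.json, it is effectively the administrative identity for the converted cluster, so the contract deserves a header comment such as `# Role created by the CDK stack and imported as-is: its trust policy and inline policies are managed outside Terraform (see ignore_changes); review them in IAM rather than here.` If the account-wide trust is not actually required by the deployer, narrowing the principal or adding a condition would reduce who can assume it.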
@@ -1,44 +0,0 @@
-data "aws_caller_identity" "admin" {}
-data "aws_partition" "current" {}
-
-resource "aws_iam_role" "grandfathered_creation_role" {
- name = var.grandfathered_creation_role
-
- assume_role_policy = jsonencode({
- Version = "2012-10-17"
- Statement = [
- {
- Action = "sts:AssumeRole"
- Effect = "Allow"
- Sid = ""
- Principal = {
- AWS = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.admin.account_id}:root"
- }
- },
- ]
- })
-
- lifecycle {
- ignore_changes = [name, inline_policy]
- }
-}
-
-module "domino_eks" {
- source = "github.com/dominodatalab/terraform-aws-eks.git?ref=v1.3.0"
- deploy_id = var.deploy_id
- region = var.region
- default_node_groups = var.default_node_groups
- k8s_version = var.k8s_version
- route53_hosted_zone_name = var.route53_hosted_zone_name
- eks_master_role_names = var.eks_master_role_names
- s3_force_destroy_on_deletion = var.s3_force_destroy_on_deletion
- bastion = {}
- ssh_pvt_key_path = var.ssh_key_path
- tags = var.tags
- vpc_id = var.vpc_id
- public_subnets = var.public_subnet_ids
- private_subnets = var.private_subnet_ids
- pod_subnets = var.pod_subnet_ids
- update_kubeconfig_extra_args = "--role-arn ${aws_iam_role.grandfathered_creation_role.arn}"
- eks_custom_role_maps = var.eks_custom_role_maps
-}
diff --git a/convert/terraform/main.tf.json b/convert/terraform/main.tf.json
new file mode 100755
index 00000000..eaca4e3b
--- /dev/null
+++ b/convert/terraform/main.tf.json
@@ -0,0 +1,66 @@
+{
+ "//": "This file is JSON for compatibility with Domino tooling",
+ "module": {
+ "eks": {
+ "source": "github.com/dominodatalab/terraform-aws-eks.git?ref=v1.3.0",
+ "deploy_id": "${var.deploy_id}",
+ "region": "${var.region}",
+ "tags": "${var.tags}",
+ "k8s_version": "${var.k8s_version}",
+ "default_node_groups": "${var.default_node_groups}",
+ "route53_hosted_zone_name": "${var.route53_hosted_zone_name}",
+ "bastion": {},
+ "s3_force_destroy_on_deletion": "${var.s3_force_destroy_on_deletion}",
+ "ssh_pvt_key_path": "${var.ssh_key_path}",
+ "kubeconfig_path": "${var.kubeconfig_path}",
+ "use_kms": "${var.use_kms}",
+ "kms_key_id": "${var.kms_key_id}",
+ "ecr_force_destroy_on_deletion": "${var.ecr_force_destroy_on_deletion}",
+ "eks_master_role_names": "${var.eks_master_role_names}",
+ "vpc_id": "${var.vpc_id}",
+ "public_subnets": "${var.public_subnet_ids}",
+ "private_subnets": "${var.private_subnet_ids}",
+ "pod_subnets": "${var.pod_subnet_ids}",
+ "update_kubeconfig_extra_args": "--role-arn ${aws_iam_role.grandfathered_creation_role.arn}",
+ "eks_custom_role_maps": "${var.eks_custom_role_maps}"
+ }
+ },
+ "output": {
+ "KEY_PAIR_NAME": {
+ "value": "${module.eks.domino_key_pair.key_name}"
+ },
+ "S3_BUCKET_NAME": {
+ "value": "${module.eks.s3_buckets.blobs.bucket_name}"
+ },
+ "S3_LOG_SNAPS_BUCKET_NAME": {
+ "value": "${module.eks.s3_buckets.logs.bucket_name}"
+ },
+ "S3_BACKUPS_BUCKET_NAME": {
+ "value": "${module.eks.s3_buckets.backups.bucket_name}"
+ },
+ "S3_REGISTRY_BUCKET_NAME": {
+ "value": "${module.eks.s3_buckets.registry.bucket_name}"
+ },
+ "S3_MONITORING_BUCKET_NAME": {
+ "value": "${module.eks.s3_buckets.monitoring.bucket_name}"
+ },
+ "EXECUTOR_EFS_FS_ID": {
+ "value": "${module.eks.efs_file_system.id}"
+ },
+ "EXECUTOR_EFS_AP_ID": {
+ "value": "${module.eks.efs_access_point.id}"
+ },
+ "BASTION_IP": {
+ "value": "${module.eks.bastion_ip}"
+ },
+ "KMS_KEY_ID": {
+ "value": "${module.eks.kms_key_id}"
+ },
+ "KMS_KEY_ARN": {
+ "value": "${module.eks.kms_key_arn}"
+ },
+ "CONTAINER_REGISTRY": {
+ "value": "${module.eks.container_registry}"
+ }
+ }
+}
diff --git a/convert/terraform/outputs.tf b/convert/terraform/outputs.tf
index fd53ab65..6efaef3b 100644
--- a/convert/terraform/outputs.tf
+++ b/convert/terraform/outputs.tf
@@ -1,49 +1,4 @@
 output "domino_eks" {
 description = "EKS module outputs"
- value = module.domino_eks
-}
-
-output "KEY_PAIR_NAME" {
- description = "Name of Provisioned AWS Keypair"
- value = module.domino_eks.domino_key_pair.key_name
-}
-
-output "S3_BUCKET_NAME" {
- description = "Blobs bucket name"
- value = module.domino_eks.s3_buckets.blobs.bucket_name
-}
-
-output "S3_LOG_SNAPS_BUCKET_NAME" {
- description = "Log bucket name"
- value = module.domino_eks.s3_buckets.logs.bucket_name
-}
-
-output "S3_BACKUPS_BUCKET_NAME" {
- description = "Backup bucket name"
- value = module.domino_eks.s3_buckets.backups.bucket_name
-}
-
-output "S3_REGISTRY_BUCKET_NAME" {
- description = "Docker Registry bucket name"
- value = module.domino_eks.s3_buckets.registry.bucket_name
-}
-
-output "S3_MONITORING_BUCKET_NAME" {
- description = "Monitoring bucket name"
- value = module.domino_eks.s3_buckets.monitoring.bucket_name
-}
-
-output "EXECUTOR_EFS_FS_ID" {
- description = "EFS filesystem ID"
- value = module.domino_eks.efs_file_system.id
-}
-
-output "EXECUTOR_EFS_AP_ID" {
- description = "EFS access point ID"
- value = module.domino_eks.efs_access_point.id
-}
-
-output "BASTION_IP" {
- description = "Bastion instance IP address"
- value = module.domino_eks.bastion_ip
+ value = module.eks
 }
diff --git a/convert/terraform/variables.tf b/convert/terraform/variables.tf
index 42a2d0f0..35b597f3 100644
--- a/convert/terraform/variables.tf
+++ b/convert/terraform/variables.tf
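Review bot: Every `output` entry in the new main.tf.json carries only `value`, while the blocks removed from outputs.tf in the next hunk each had a `description` ("Name of Provisioned AWS Keypair", "Blobs bucket name", "EFS filesystem ID", ...), so moving the outputs silently drops that documentation; Terraform's JSON syntax accepts the same attribute, e.g. `"KEY_PAIR_NAME": { "description": "Name of Provisioned AWS Keypair", "value": "${module.eks.domino_key_pair.key_name}" }`. The module `source` is pinned to the git tag `ref=v1.3.0`; a tag can be moved after the fact, so if the deployer's upgrade tooling tolerates it, a commit SHA in `ref=` gives a stronger supply-chain guarantee than the tag. The existing `"//"` key could also state that the deployer rewrites this file and that it must remain plain JSON, which is the reason the HCL version was deleted.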
@@ -116,17 +116,47 @@ variable "eks_master_role_names" { variable "eks_custom_role_maps" { type = list(object({rolearn = string, username = string, groups = list(string)})) - description = "blah" + description = "Custom role maps for aws auth configmap" default = [] } variable "eks_cluster_auto_sg" { - type = string description = "Atomatically generated security group with name in the form of eks-cluster-sg-" + type = string } variable "s3_force_destroy_on_deletion" { + type = bool description = "Toogle to allow recursive deletion of all objects in the s3 buckets. if 'false' terraform will NOT be able to delete non-empty buckets" + default = false +} + +variable "use_kms" { type = bool + description = "If set, use either the specified KMS key or a Domino-generated one" default = false } + +variable "kms_key_id" { + type = string + description = "If use_kms is set, use the specified KMS key" + default = null +} + +variable "ecr_force_destroy_on_deletion" { + type = bool + description = "Toogle to allow recursive deletion of all objects in the ECR repositories. if 'false' terraform will NOT be able to delete non-empty repositories" + default = false +} + +variable "kubeconfig_path" { + type = string + description = "fully qualified path name to write the kubeconfig file" + default = "" +} + +variable "flow_log_bucket_arn" { + type = string + description = "Bucket for vpc flow logging" + default = "" +} diff --git a/convert/terraform/vpc.tf b/convert/terraform/vpc.tf index 8cf757f4..d21c8e54 100644 --- a/convert/terraform/vpc.tf +++ b/convert/terraform/vpc.tf @@ -6,7 +6,7 @@ resource "aws_vpc" "cdk_vpc" { resource "aws_flow_log" "flowlog" { count = var.flow_logging ? 1 : 0 - log_destination = module.domino_eks.s3_buckets["monitoring"].arn + log_destination = var.flow_log_bucket_arn vpc_id = aws_vpc.cdk_vpc.id max_aggregation_interval = 600 log_destination_type = "s3"
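Review bot: `flow_log_bucket_arn` is given a default of `""`, but the vpc.tf hunk now uses it directly as `log_destination` of `aws_flow_log.flowlog`, which is created whenever `var.flow_logging` is true; with the default left in place, enabling flow logging yields an empty destination at apply time instead of an early, explicit error, whereas the removed wiring to `module.domino_eks.s3_buckets["monitoring"].arn` always supplied a real bucket. A `lifecycle` precondition on the resource (its closing brace lies outside the vpc.tf hunk) makes the dependency explicit, or alternatively drop the default so Terraform requires a value. Since the bucket is now supplied from outside, its bucket policy must permit flow-log delivery — presumably the deployer handles this, but the variable description is the place to say so. The new `ecr_force_destroy_on_deletion` description also copies the `Toogle` typo from `s3_force_destroy_on_deletion`; both should read `Toggle`.
```hcl
resource "aws_flow_log" "flowlog" {
  count           = var.flow_logging ? 1 : 0
  log_destination = var.flow_log_bucket_arn
  # … unchanged: vpc_id, max_aggregation_interval, log_destination_type …

  lifecycle {
    precondition {
      condition     = var.flow_log_bucket_arn != ""
      error_message = "flow_log_bucket_arn must be set when flow_logging is true."
    }
  }
```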