From b28f0319cf3dfbb388b74074e50c6c0348b2d93c Mon Sep 17 00:00:00 2001
From: James Green
Date: Tue, 14 Nov 2023 13:27:17 +0000
Subject: [PATCH] removed cross account requirements
---
 Makefile | 65 ++++++++--
 main.tf | 24 +---
 modules/eks/iam.tf | 268 +++++++++++++++++++--------------------
 modules/eks/outputs.tf | 8 -
 modules/eks/providers.tf | 11 -
 outputs.tf | 26 ++--
 variables.tf | 10 -
 7 files changed, 201 insertions(+), 211 deletions(-)
 delete mode 100644 modules/eks/providers.tf
diff --git a/Makefile b/Makefile
index 9e895e9..50f9516 100644
--- a/Makefile
+++ b/Makefile
@@ -2,34 +2,73 @@
 -include .env
 export
 
+deploy:
+ ./scripts/deploy.sh
+
+uninstall:
+ ./scripts/uninstall_all_deployments.sh
+
 fmt:
- terraform fmt --recursive
+ aws-vault exec $$AWS_VAULT_PROFILE -- terraform fmt --recursive
 
 init:
- terraform init -upgrade -reconfigure \
- --backend-config="key=terraform.production.state"
+ aws-vault exec $$AWS_VAULT_PROFILE -- terraform init -reconfigure \
+ --backend-config="key=terraform.$$ENV.state"
+
+init-upgrade:
+ aws-vault exec $$AWS_VAULT_PROFILE -- terraform init -upgrade \
+ --backend-config="key=terraform.$$ENV.state"
+
+# How to use
+# IMPORT_ARGUMENT=module.foo.bar some_resource make import
+import:
+ aws-vault exec $$AWS_VAULT_PROFILE -- terraform import $$IMPORT_ARGUMENT
+
+workspace-list:
+ aws-vault exec $$AWS_VAULT_PROFILE -- terraform workspace list
+
+workspace-select:
+ aws-vault exec $$AWS_VAULT_PROFILE -- terraform workspace select $$ENV || \
+ aws-vault exec $$AWS_VAULT_PROFILE -- terraform workspace new $$ENV
 
 validate:
- terraform validate
+ aws-vault exec $$AWS_VAULT_PROFILE -- terraform validate
+
+plan-out:
+ aws-vault exec $$AWS_VAULT_PROFILE -- terraform plan -no-color > $$ENV.tfplan
 
 plan:
- terraform plan
+ aws-vault exec $$AWS_VAULT_PROFILE -- terraform plan
+
+refresh:
+ aws-vault exec $$AWS_VAULT_PROFILE -- terraform refresh
+
+output:
+ aws-vault exec $$AWS_VAULT_PROFILE -- terraform output -json
 
 apply:
- terraform apply
+ aws-vault exec $$AWS_VAULT_PROFILE -- terraform apply
+ ./scripts/publish_terraform_outputs.sh
 
-deploy:
- ./scripts/deploy.sh
+state-list:
+ aws-vault exec $$AWS_VAULT_PROFILE -- terraform state list
 
-uninstall:
- ./scripts/uninstall_all_deployments.sh
+show:
+ aws-vault exec $$AWS_VAULT_PROFILE -- terraform show -no-color
 
 destroy:
- terraform destroy
+ aws-vault exec $$AWS_VAULT_PROFILE -- terraform destroy
+
+clean:
+ rm -rf .terraform/ terraform.tfstate*
+
+tfenv:
+ tfenv use $(cat versions.tf 2> /dev/null | grep required_version | cut -d "\"" -f 2 | cut -d " " -f 2) && tfenv pin
 
 generate_diagrams:
 docker run -it --rm -v "${PWD}":/app/ -w /app/documentation/diagrams/ mjdk/diagrams scripts/architecture_diagram.py
 docker run -it --rm -v "${PWD}":/app/ -w /app/documentation/diagrams/ mjdk/diagrams scripts/detailed_eks_diagram.py
 
-.PHONY: init validate plan apply deploy uninstall destroy
-
+.PHONY:
+ fmt init workspace-list workspace-select validate plan-out plan \
+ refresh output apply state-list show destroy clean tfenv
diff --git a/main.tf b/main.tf
index 3e148bb..7f5eb1a 100644
--- a/main.tf
+++ b/main.tf
@@ -15,24 +15,6 @@ provider "aws" {
 }
 }
 
-provider "aws" {
- region = var.aws_region
- alias = "development"
-
- assume_role {
- role_arn = var.assume_role_development
- }
-}
-
-provider "aws" {
- region = var.aws_region
- alias = "pre_production"
-
- assume_role {
- role_arn = var.assume_role_pre_production
- }
-}
-
 data "aws_availability_zones" "available_zones" {
 count = var.enabled ? 1 : 0
 state = "available"
@@ -90,8 +72,8 @@ module "eks" {
 tags = module.eks_label.tags
 
 providers = {
- aws = aws.main
- aws.development = aws.development
- aws.pre_production = aws.pre_production
+ aws = aws.main
+ # aws.development = aws.development
+ # aws.pre_production = aws.pre_production
 }
 }
diff --git a/modules/eks/iam.tf b/modules/eks/iam.tf
index 1ad2dd1..b78c05a 100644
--- a/modules/eks/iam.tf
+++ b/modules/eks/iam.tf
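Review bot: The new `tfenv` recipe's `$(cat versions.tf …)` is expanded by Make rather than the shell, so it evaluates to an empty string and the recipe actually runs `tfenv use  && tfenv pin`; it needs the `$$(…)` escape that the same hunk already uses for `$$ENV` and `$$AWS_VAULT_PROFILE`. The new `.PHONY:` line ends without a backslash, so the names on the following indented line are not its prerequisites (they become either a recipe attached to `.PHONY` or a "missing separator" error, depending on whether that indent is a tab) and no target is marked phony; `deploy`, `uninstall`, `import`, `init-upgrade` and `generate_diagrams` are also missing from the list. Because `$$ENV` now selects the backend state key and workspace in `init`, `init-upgrade`, `workspace-select` and `plan-out`, an unset `ENV` silently yields the key `terraform..state`, so a guard such as `$(if $(strip $(ENV)),,$(error ENV is not set))` as the first line of those recipes would fail loudly instead. The `clean` target also removes `terraform.tfstate*`, which is unrecoverable if a local state file ever holds resources; consider limiting it to `.terraform/` or documenting why local state is safe to discard.
```make
# … unchanged: deploy, uninstall, fmt …

init:
	$(if $(strip $(ENV)),,$(error ENV is not set))
	aws-vault exec $$AWS_VAULT_PROFILE -- terraform init -reconfigure \
	--backend-config="key=terraform.$$ENV.state"

# … unchanged: init-upgrade … clean (same guard in init-upgrade, workspace-select, plan-out) …

tfenv:
	tfenv use $$(cat versions.tf 2> /dev/null | grep required_version | cut -d "\"" -f 2 | cut -d " " -f 2) && tfenv pin

# … unchanged: generate_diagrams …

.PHONY: deploy uninstall fmt init init-upgrade import workspace-list workspace-select \
	validate plan-out plan refresh output apply state-list show destroy clean tfenv \
	generate_diagrams
```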
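Review bot: The `providers` map in `module "eks"` keeps `aws.development` and `aws.pre_production` as commented-out entries even though this commit deletes both provider aliases from `main.tf` (and `modules/eks/providers.tf`), so the comments now point at configuration that no longer exists. Commented-out config suggests to the next reader that the aliases can simply be re-enabled; remove the two lines and leave `aws = aws.main`, or replace them with a real comment stating why the cross-account providers were dropped. `module "eks"` begins before this hunk.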
@@ -433,140 +433,140 @@ data "aws_iam_policy_document" "cloudwatch_exporter_assume_role_policy_other_aws # IAM role for Cloudwatch Exporter in development aws account -resource "aws_iam_role" "cloudwatch_exporter_development" { - count = terraform.workspace == "development" ? 0 : 1 - assume_role_policy = data.aws_iam_policy_document.cloudwatch_exporter_assume_role_policy_other_aws_accounts.json - name = "${var.prefix}-CloudwatchExporter" - - tags = var.tags - - provider = aws.development -} - -resource "aws_iam_policy" "cloudwatch_exporter_iam_policy_development" { - count = terraform.workspace == "development" ? 0 : 1 - name = "${var.prefix}-CloudwatchExporterIAMPolicy" - path = "/" - description = "IAM role policy for Cloudwatch Exporter in EKS Cluster for ${var.prefix}" - - policy = data.template_file.cloudwatch_exporter_iam_policy.rendered - - tags = var.tags - - provider = aws.development -} - -resource "aws_iam_role_policy_attachment" "cloudwatch_exporter_IAMPolicy_development" { - count = terraform.workspace == "development" ? 0 : 1 - policy_arn = aws_iam_policy.cloudwatch_exporter_iam_policy_development[0].arn - role = aws_iam_role.cloudwatch_exporter_development[0].name - - provider = aws.development -} - -resource "aws_iam_policy" "development_cloudwatch_exporter_role_allow_assume_policy" { - count = terraform.workspace == "development" ? 0 : 1 - name = "development_cloudwatch_exporter_role_allow_assume_policy" - path = "/" - description = "Policy that allows cloudwatch exporter in EKS Cluster for ${var.prefix} to assume role in development AWS account" - - policy = <