diff --git a/modules/eks/iam.tf b/modules/eks/iam.tf
index 1ad2dd1..2728b71 100644
--- a/modules/eks/iam.tf
+++ b/modules/eks/iam.tf
@@ -1,3 +1,7 @@
+locals {
+ is_production = terraform.workspace == "production" ? true : false
+}
+
 # IAM Role for the EKS cluster
 resource "aws_iam_role" "cluster" {
@@ -434,7 +438,7 @@ data "aws_iam_policy_document" "cloudwatch_exporter_assume_role_policy_other_aws
 # IAM role for Cloudwatch Exporter in development aws account
 resource "aws_iam_role" "cloudwatch_exporter_development" {
- count = terraform.workspace == "development" ? 0 : 1
+ count = local.is_production ? 1 : 0
 assume_role_policy = data.aws_iam_policy_document.cloudwatch_exporter_assume_role_policy_other_aws_accounts.json
 name = "${var.prefix}-CloudwatchExporter"
@@ -444,7 +448,7 @@ resource "aws_iam_role" "cloudwatch_exporter_development" {
 }
 resource "aws_iam_policy" "cloudwatch_exporter_iam_policy_development" {
- count = terraform.workspace == "development" ? 0 : 1
+ count = local.is_production ? 1 : 0
 name = "${var.prefix}-CloudwatchExporterIAMPolicy"
 path = "/"
 description = "IAM role policy for Cloudwatch Exporter in EKS Cluster for ${var.prefix}"
@@ -457,7 +461,7 @@ resource "aws_iam_policy" "cloudwatch_exporter_iam_policy_development" {
 }
 resource "aws_iam_role_policy_attachment" "cloudwatch_exporter_IAMPolicy_development" {
- count = terraform.workspace == "development" ? 0 : 1
+ count = local.is_production ? 1 : 0
 policy_arn = aws_iam_policy.cloudwatch_exporter_iam_policy_development[0].arn
 role = aws_iam_role.cloudwatch_exporter_development[0].name
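Review bot: `is_production = terraform.workspace == "production" ? true : false` wraps an expression that is already a bool in a redundant conditional; `is_production = terraform.workspace == "production"` says the same thing and is what linters flag for. Deriving the environment from `terraform.workspace` inside a module also hard-wires the module to the root's workspace names, so any workspace not literally called `production` (a future `staging`, say) silently takes the non-production branch of every `count` that now depends on this local; passing the flag in as a module input (`variable "is_production"`) keeps that decision in the root module where the workspaces are defined. Either way the local deserves a one-line comment stating what it gates, e.g. `# Gates the cross-account CloudWatch exporter roles below: they are created from the production workspace only.`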
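Review bot: The rewritten `count` on `aws_iam_role.cloudwatch_exporter_development` changes which workspaces get the role, not just how the test is spelled: the old `terraform.workspace == "development" ? 0 : 1` created it in every workspace except development, pre-production included, while `local.is_production ? 1 : 0` creates it in production only, so the next pre-production apply will destroy this role and the policy/attachment that follow it, and the change description should say so. The trust policy comes from the shared `cloudwatch_exporter_assume_role_policy_other_aws_accounts` document outside the hunk, so I cannot confirm which principal it trusts; for a cross-account role it is worth a comment next to `count` naming where the resource lands, e.g. `# Created by the production workspace into the development account (presumably via a provider alias not shown here), trusting the production cluster's exporter role.` Note that this role and `aws_iam_role.cloudwatch_exporter_pre_production` carry the identical `name = "${var.prefix}-CloudwatchExporter"` and are now both created from the same workspace; that is only valid if they are created through different provider aliases, which this hunk does not show.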
@@ -465,7 +469,7 @@ resource "aws_iam_role_policy_attachment" "cloudwatch_exporter_IAMPolicy_develop
 }
 resource "aws_iam_policy" "development_cloudwatch_exporter_role_allow_assume_policy" {
- count = terraform.workspace == "development" ? 0 : 1
+ count = local.is_production ? 1 : 0
 name = "development_cloudwatch_exporter_role_allow_assume_policy"
 path = "/"
 description = "Policy that allows cloudwatch exporter in EKS Cluster for ${var.prefix} to assume role in development AWS account"
@@ -492,7 +496,7 @@ POLICY
 }
 resource "aws_iam_role_policy_attachment" "development_cloudwatch_exporter_allow_assume_IAMPolicy" {
- count = terraform.workspace == "development" ? 0 : 1
+ count = local.is_production ? 1 : 0
 policy_arn = aws_iam_policy.development_cloudwatch_exporter_role_allow_assume_policy[0].arn
 role = aws_iam_role.cloudwatch_exporter.name
@@ -504,7 +508,7 @@ resource "aws_iam_role_policy_attachment" "development_cloudwatch_exporter_allow
 # IAM role for Cloudwatch Exporter in pre-production AWS account
 resource "aws_iam_role" "cloudwatch_exporter_pre_production" {
- count = terraform.workspace == "pre-production" ? 0 : 1
+ count = local.is_production ? 1 : 0
 assume_role_policy = data.aws_iam_policy_document.cloudwatch_exporter_assume_role_policy_other_aws_accounts.json
 name = "${var.prefix}-CloudwatchExporter"
@@ -514,7 +518,7 @@ resource "aws_iam_role" "cloudwatch_exporter_pre_production" {
 }
 resource "aws_iam_policy" "cloudwatch_exporter_iam_policy_pre_production" {
- count = terraform.workspace == "pre-production" ? 0 : 1
+ count = local.is_production ? 1 : 0
 name = "${var.prefix}-CloudwatchExporterIAMPolicy"
 path = "/"
 description = "IAM role policy for Cloudwatch Exporter in EKS Cluster for ${var.prefix}"
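Review bot: `aws_iam_policy.development_cloudwatch_exporter_role_allow_assume_policy` is the grant that lets the in-cluster exporter role (`aws_iam_role.cloudwatch_exporter`, attached unconditionally in the `@@ -492` hunk) assume into another account, so restricting it to `local.is_production` is a real reduction of cross-account privilege for non-production clusters and is worth a sentence in the commit message rather than being folded into a "use a local" refactor. The policy body is a heredoc (`POLICY`) outside this hunk, so I cannot check that its `Resource` is pinned to the single development role ARN rather than a wildcard; that is the thing to verify before merging. A smaller point: unlike the neighbouring resources this policy's `name` is not prefixed with `${var.prefix}`; pre-existing, but `name = "${var.prefix}-development-cloudwatch-exporter-allow-assume"` would avoid a collision if a second prefix is ever deployed into the same account.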
@@ -527,7 +531,7 @@ resource "aws_iam_policy" "cloudwatch_exporter_iam_policy_pre_production" {
 }
 resource "aws_iam_role_policy_attachment" "cloudwatch_exporter_IAMPolicy_pre_production" {
- count = terraform.workspace == "pre-production" ? 0 : 1
+ count = local.is_production ? 1 : 0
 policy_arn = aws_iam_policy.cloudwatch_exporter_iam_policy_pre_production[0].arn
 role = aws_iam_role.cloudwatch_exporter_pre_production[0].name
@@ -535,7 +539,7 @@ resource "aws_iam_role_policy_attachment" "cloudwatch_exporter_IAMPolicy_pre_pro
 }
 resource "aws_iam_policy" "pre_production_cloudwatch_exporter_role_allow_assume_policy" {
- count = terraform.workspace == "pre-production" ? 0 : 1
+ count = local.is_production ? 1 : 0
 name = "pre_production_cloudwatch_exporter_role_allow_assume_policy"
 path = "/"
 description = "Policy that allows cloudwatch exporter in EKS Cluster for ${var.prefix} to assume role in pre-production AWS account"
@@ -562,7 +566,7 @@ POLICY
 }
 resource "aws_iam_role_policy_attachment" "pre_production_cloudwatch_exporter_allow_assume_IAMPolicy" {
- count = terraform.workspace == "pre-production" ? 0 : 1
+ count = local.is_production ? 1 : 0
 policy_arn = aws_iam_policy.pre_production_cloudwatch_exporter_role_allow_assume_policy[0].arn
 role = aws_iam_role.cloudwatch_exporter.name
diff --git a/modules/vpc/main.tf b/modules/vpc/main.tf
index 1520b2d..133a0e6 100644
--- a/modules/vpc/main.tf
+++ b/modules/vpc/main.tf
@@ -1,3 +1,7 @@
+locals {
+ is_production = terraform.workspace == "production" ? true : false
+}
+
 module "vpc" {
 source = "terraform-aws-modules/vpc/aws"
 version = "5.1.1"
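Review bot: The `locals { is_production = terraform.workspace == "production" ? true : false }` block added at the top of modules/vpc/main.tf is a byte-for-byte copy of the one added to modules/eks/iam.tf in this same commit, so two modules now each decide independently what "production" means from the workspace name and can drift the next time one of them is edited. The usual fix is a single `variable "is_production" { type = bool }` in each module, set once by the root module (`is_production = terraform.workspace == "production"`), which also drops the redundant `? true : false`. Since this local now switches NAT topology and EIP reuse further down the file, it should carry a comment explaining that, e.g. `# Production gets per-AZ NAT gateways on BYOIP EIPs; every other workspace gets a single module-managed NAT.`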
@@ -13,8 +17,10 @@ module "vpc" {
 manage_default_network_acl = var.manage_default_network_acl
 manage_default_security_group = var.manage_default_security_group
 manage_default_route_table = var.manage_default_route_table
- reuse_nat_ips = true
- external_nat_ip_ids = aws_eip.gw.*.id
+ reuse_nat_ips = local.is_production
+ external_nat_ip_ids = local.is_production ? aws_eip.gw.*.id : []
+ // Lower costs, by lowering availability
+ single_nat_gateway = local.is_production ? false : true
 private_subnets = [for cidr_block in cidrsubnets(var.cidr, 2, 2, 2) : cidrsubnets(cidr_block, 1, 1)[0]]
 private_subnet_tags = merge(
@@ -37,7 +43,6 @@ module "vpc" {
 private_route_table_tags = { for k, v in var.tags : k => v if k != "Name" }
 public_route_table_tags = { for k, v in var.tags : k => v if k != "Name" }
- depends_on = [aws_eip.gw]
 }
 resource "aws_flow_log" "vpc_flow_log" {
@@ -48,8 +53,8 @@ resource "aws_flow_log" "vpc_flow_log" {
 }
 resource "aws_eip" "gw" {
- vpc = true
- count = length(var.available_zones)
+ domain = "vpc"
+ count = terraform.workspace == "development" ? 0 : length(var.available_zones)
 public_ipv4_pool = var.byoip_pool_id
 tags = var.tags
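Review bot: `aws_eip.gw` keys its `count` on `terraform.workspace == "development"` while its only consumer, `external_nat_ip_ids = local.is_production ? aws_eip.gw.*.id : []`, keys on `local.is_production`, so in pre-production (or any workspace that is neither) the EIPs are still allocated from `var.byoip_pool_id` but never attached to a NAT gateway, leaving paid-for, idle BYOIP addresses in the account. Use the same predicate in both places: `count = local.is_production ? length(var.available_zones) : 0`. Note the behavioural consequence too: non-production NAT egress now comes from a module-allocated EIP instead of the BYOIP pool, so if anything outside allowlists pre-production traffic by those pool addresses (which is my guess at why BYOIP is in use) it will break on the next apply and the change description should call that out. Two style points: `single_nat_gateway = local.is_production ? false : true` is just `single_nat_gateway = !local.is_production`, and `#` is the idiomatic HCL comment marker (formatters may rewrite `//`), so `# Non-production: one NAT gateway to lower cost, at the expense of per-AZ availability`.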