From 84f6ec5232718416a3469ce337c371bd886bb410 Mon Sep 17 00:00:00 2001 From: Joey Davenport Date: Tue, 26 Apr 2022 16:21:05 -0600 Subject: [PATCH 1/4] Added ability for finer grained subnet configuration --- modules/vpc/README.md | 12 +++++++----- modules/vpc/main.tf | 4 ++-- modules/vpc/variables.tf | 18 ++++++++++++------ 3 files changed, 21 insertions(+), 13 deletions(-) diff --git a/modules/vpc/README.md b/modules/vpc/README.md index 7daa4cb..c09afd0 100644 --- a/modules/vpc/README.md +++ b/modules/vpc/README.md @@ -17,13 +17,13 @@ For this reason, we recommend managing the tags externally of the resource itsel | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >=1.0.0 | -| [aws](#requirement\_aws) | >= 3.45.0 | +| [aws](#requirement\_aws) | >= 3.64.2 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 3.45.0 | +| [aws](#provider\_aws) | >= 3.64.2 | ## Modules 
@@ -52,11 +52,13 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [num\_azs](#input\_num\_azs) | The number of availability zones to provision | `number` | `2` | no | -| [private\_subnet\_start](#input\_private\_subnet\_start) | n/a | `number` | `10` | no | +| [private\_subnet\_start](#input\_private\_subnet\_start) | The starting octet for the private subnet CIDR blocks generated by this module. | `number` | `10` | no | | [public\_subnet\_auto\_ip](#input\_public\_subnet\_auto\_ip) | n/a | `bool` | `false` | no | -| [public\_subnet\_start](#input\_public\_subnet\_start) | n/a | `number` | `20` | no | +| [public\_subnet\_start](#input\_public\_subnet\_start) | The starting octet for the public subnet CIDR blocks generated by this module. | `number` | `20` | no | | [region](#input\_region) | n/a | `string` | n/a | yes | -| [vpc\_cidr](#input\_vpc\_cidr) | n/a | `any` | n/a | yes | +| [subnet\_newbits](#input\_subnet\_newbits) | The number of bits to added to the VPC CIDR prefix. For instance, if your VPC CIDR is a /16 and you set this number to 8, the subnets will be /24s. | `number` | `8` | no | +| [tags](#input\_tags) | Additional to apply to the resources. Note that this module sets the tags Name, Type, and Vendor by default. They can be overwritten, but it is not recommended. | `map(string)` | `{}` | no | +| [vpc\_cidr](#input\_vpc\_cidr) | The CIDR range to be used by the AWS VPC. We recommend using a /16 prefix to automatically generate /24 subnets. If you are using a smaller or larger prefix, refer to the subnet\_newbits variable to ensure that the generated subnet ranges are a valid for EKS (minimum /24 is recommended). | `string` | n/a | yes | | [vpc\_name](#input\_vpc\_name) | The name used for the VPC and associated resources | `string` | n/a | yes | ## Outputs diff --git a/modules/vpc/main.tf b/modules/vpc/main.tf index 52177ab..07d25bb 100644 --- a/modules/vpc/main.tf 
+++ b/modules/vpc/main.tf @@ -35,7 +35,7 @@ resource "aws_vpc" "vpc" { resource "aws_subnet" "public" { count = var.num_azs vpc_id = aws_vpc.vpc.id - cidr_block = cidrsubnet(var.vpc_cidr, 8, var.public_subnet_start + count.index) + cidr_block = cidrsubnet(var.vpc_cidr, var.subnet_newbits, var.public_subnet_start + count.index) availability_zone = data.aws_availability_zones.available.names[count.index] map_public_ip_on_launch = var.public_subnet_auto_ip tags = merge({ "Vendor" = "StreamNative", "Type" = "public", Name = format("%s-public-sbn-%s", var.vpc_name, count.index) }, var.tags) @@ -48,7 +48,7 @@ resource "aws_subnet" "public" { resource "aws_subnet" "private" { count = var.num_azs vpc_id = aws_vpc.vpc.id - cidr_block = cidrsubnet(var.vpc_cidr, 8, var.private_subnet_start + count.index) + cidr_block = cidrsubnet(var.vpc_cidr, var.subnet_newbits, var.private_subnet_start + count.index) availability_zone = data.aws_availability_zones.available.names[count.index] tags = merge({ "Vendor" = "StreamNative", "Type" = "private", Name = format("%s-private-sbn-%s", var.vpc_name, count.index) }, var.tags) diff --git a/modules/vpc/variables.tf b/modules/vpc/variables.tf index 29e7838..88bb995 100644 --- a/modules/vpc/variables.tf +++ b/modules/vpc/variables.tf @@ -37,13 +37,21 @@ variable "num_azs" { } variable "private_subnet_start" { - type = number default = 10 + description = "The starting octet for the private subnet CIDR blocks generated by this module." + type = number } variable "public_subnet_start" { - type = number default = 20 + description = "The starting octet for the public subnet CIDR blocks generated by this module." + type = number +} + +variable "subnet_newbits" { + default = 8 + description = "The number of bits to added to the VPC CIDR prefix. For instance, if your VPC CIDR is a /16 and you set this number to 8, the subnets will be /24s." + type = number } variable "public_subnet_auto_ip" { 
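Review bot: The new descriptions for `private_subnet_start` and `public_subnet_start` call the value a "starting octet", but this same commit turns it into the `netnum` argument of `cidrsubnet()` alongside a variable `subnet_newbits`, so it is only the third octet when the VPC is a /16 and `subnet_newbits` is 8. I would reword both along the lines of `description = "Network number (the netnum argument of cidrsubnet) of the first private subnet; each additional AZ uses the next number. Equals the third octet only for a /16 VPC with subnet_newbits = 8."`. It is also worth stating in `subnet_newbits` that the public and private ranges overlap whenever the lower start plus `num_azs` reaches the higher start, which Terraform 1.0 variable validation cannot express because a condition may only reference its own variable, so the conflict is only rejected by AWS at apply time. The `public_subnet_auto_ip` block that opens at the end of this hunk continues outside it.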
@@ -58,8 +66,6 @@ variable "tags" { } variable "vpc_cidr" { - validation { - condition = can(regex("^10\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}/16", var.vpc_cidr)) - error_message = "The vpc_cidr must be a 10.x.x.x range with /16 CIDR." - } + description = "The CIDR range to be used by the AWS VPC. We recommend using a /16 prefix to automatically generate /24 subnets. If you are using a smaller or larger prefix, refer to the subnet_newbits variable to ensure that the generated subnet ranges are a valid for EKS (minimum /24 is recommended)." + type = string } From 18318c212e0f5ad33c11bbaf4883ec444316ec1a Mon Sep 17 00:00:00 2001 From: Joey Davenport Date: Thu, 28 Apr 2022 14:06:48 -0600 Subject: [PATCH 2/4] Modified node group conf for custom AMI support --- README.md | 21 +++++-- main.tf | 156 +++++++++------------------------------------------ variables.tf | 78 ++++++++++++++++++++++++-- 3 files changed, 116 insertions(+), 139 deletions(-) diff --git a/README.md b/README.md index 234a4cf..fb46469 100644 --- a/README.md +++ b/README.md @@ -328,7 +328,7 @@ You can also disable `kubernetes-external-secrets` by setting the input `enable- | [cluster\_autoscaler\_settings](#input\_cluster\_autoscaler\_settings) | Additional settings which will be passed to the Helm chart values for cluster-autoscaler, see https://github.com/kubernetes/autoscaler/tree/master/charts/cluster-autoscaler for options. | `map(any)` | `{}` | no | | [cluster\_enabled\_log\_types](#input\_cluster\_enabled\_log\_types) | A list of the desired control plane logging to enable. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html). | `list(string)` |
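Review bot: The `validation` block on `vpc_cidr` is deleted without a replacement, so the variable now accepts any string and a malformed value is only caught when `cidrsubnet()` fails during plan with a less direct message; the old check also pinned the range to 10.x.x.x/16, which the README now merely recommends. I would keep a loosened validation block with `condition = can(cidrnetmask(var.vpc_cidr))` and an error message such as `"vpc_cidr must be a valid IPv4 CIDR block, e.g. 10.0.0.0/16."`; `cidrnetmask` rejects IPv6, which `aws_subnet.cidr_block` does not accept anyway. If restricting the VPC to RFC 1918 space was a deliberate policy, carry it over as a second condition and say so in the description rather than dropping it silently.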
[
"api",
"audit",
"authenticator",
"controllerManager",
"scheduler"
]
| no | | [cluster\_log\_kms\_key\_id](#input\_cluster\_log\_kms\_key\_id) | If a KMS Key ARN is set, this key will be used to encrypt the corresponding log group. Please be sure that the KMS Key has an appropriate key policy (https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html). | `string` | `""` | no | -| [cluster\_log\_retention\_in\_days](#input\_cluster\_log\_retention\_in\_days) | Number of days to retain log events. Default retention - 90 days. | `number` | `90` | no | +| [cluster\_log\_retention\_in\_days](#input\_cluster\_log\_retention\_in\_days) | Number of days to retain log events. Defaults to 365 days. | `number` | `365` | no | | [cluster\_name](#input\_cluster\_name) | The name of your EKS cluster and associated resources. Must be 16 characters or less. | `string` | `""` | no | | [cluster\_version](#input\_cluster\_version) | The version of Kubernetes to be installed. | `string` | `"1.20"` | no | | [csi\_helm\_chart\_name](#input\_csi\_helm\_chart\_name) | The name of the Helm chart in the repository for CSI. | `string` | `"aws-ebs-csi-driver"` | no | 
@@ -345,8 +345,10 @@ You can also disable `kubernetes-external-secrets` by setting the input `enable- | [enable\_external\_dns](#input\_enable\_external\_dns) | Enables the External DNS addon service on the cluster. Defaults to "true", and in most situations is required by StreamNative Cloud. | `bool` | `true` | no | | [enable\_external\_secrets](#input\_enable\_external\_secrets) | Enables kubernetes-external-secrets addon service on the cluster. Defaults to "true", and in most situations is required by StreamNative Cloud. | `bool` | `true` | no | | [enable\_func\_pool](#input\_enable\_func\_pool) | Enable an additional dedicated function pool. | `bool` | `false` | no | +| [enable\_func\_pool\_monitoring](#input\_enable\_func\_pool\_monitoring) | Enable CloudWatch monitoring for the dedicated function pool(s). | `bool` | `true` | no | | [enable\_istio](#input\_enable\_istio) | Enables Istio on the cluster. Set to "false" by default. | `bool` | `false` | no | | [enable\_node\_group\_private\_networking](#input\_enable\_node\_group\_private\_networking) | Enables private networking for the EKS node groups (not the EKS cluster endpoint, which remains public), meaning Kubernetes API requests that originate within the cluster's VPC use a private VPC endpoint for EKS. Defaults to "true". | `bool` | `true` | no | +| [enable\_node\_pool\_monitoring](#input\_enable\_node\_pool\_monitoring) | Enable CloudWatch monitoring for the default pool(s). | `bool` | `true` | no | | [external\_dns\_helm\_chart\_name](#input\_external\_dns\_helm\_chart\_name) | The name of the Helm chart in the repository for ExternalDNS. | `string` | `"external-dns"` | no | | [external\_dns\_helm\_chart\_repository](#input\_external\_dns\_helm\_chart\_repository) | The repository containing the ExternalDNS helm chart. | `string` | `"https://charts.bitnami.com/bitnami"` | no | | [external\_dns\_helm\_chart\_version](#input\_external\_dns\_helm\_chart\_version) | Helm chart version for ExternalDNS. 
Defaults to "4.9.0". See https://hub.helm.sh/charts/bitnami/external-dns for updates. | `string` | `"5.5.2"` | no | 
@@ -355,15 +357,20 @@ You can also disable `kubernetes-external-secrets` by setting the input `enable- | [external\_secrets\_helm\_chart\_repository](#input\_external\_secrets\_helm\_chart\_repository) | The repository containing the kubernetes-external-secrets helm chart. | `string` | `"https://external-secrets.github.io/kubernetes-external-secrets"` | no | | [external\_secrets\_helm\_chart\_version](#input\_external\_secrets\_helm\_chart\_version) | Helm chart version for kubernetes-external-secrets. Defaults to "8.3.0". See https://github.com/external-secrets/kubernetes-external-secrets/tree/master/charts/kubernetes-external-secrets for updates. | `string` | `"8.3.0"` | no | | [external\_secrets\_settings](#input\_external\_secrets\_settings) | Additional settings which will be passed to the Helm chart values, see https://github.com/external-secrets/kubernetes-external-secrets/tree/master/charts/kubernetes-external-secrets for available options. | `map(any)` | `{}` | no | -| [func\_pool\_desired\_size](#input\_func\_pool\_desired\_size) | Desired number of worker nodes | `number` | `1` | no | +| [func\_pool\_ami\_id](#input\_func\_pool\_ami\_id) | The AMI ID to use for the func pool nodes. Defaults to the latest EKS Optimized AMI provided by AWS | `string` | `""` | no | +| [func\_pool\_ami\_is\_eks\_optimized](#input\_func\_pool\_ami\_is\_eks\_optimized) | If the custom AMI is an EKS optimized image, ignored if ami\_id is not set. If this is true then bootstrap.sh is called automatically (max pod logic needs to be manually set), if this is false you need to provide all the node configuration in pre\_userdata | `bool` | `true` | no | +| [func\_pool\_desired\_size](#input\_func\_pool\_desired\_size) | Desired number of worker nodes | `number` | `0` | no | | [func\_pool\_disk\_size](#input\_func\_pool\_disk\_size) | Disk size in GiB for function worker nodes. Defaults to 20. Terraform will only perform drift detection if a configuration value is provided. 
| `number` | `50` | no | | [func\_pool\_disk\_type](#input\_func\_pool\_disk\_type) | Disk type for function worker nodes. Defaults to gp3. | `string` | `"gp3"` | no | | [func\_pool\_instance\_types](#input\_func\_pool\_instance\_types) | Set of instance types associated with the EKS Node Group. Defaults to ["t3.large"]. Terraform will only perform drift detection if a configuration value is provided. | `list(string)` |
[
"c6i.large"
]
| no | +| [func\_pool\_labels](#input\_func\_pool\_labels) | Labels to apply to the function pool node group. Defaults to {}. | `map(string)` | `{}` | no | | [func\_pool\_max\_size](#input\_func\_pool\_max\_size) | The maximum size of the AutoScaling Group. | `number` | `5` | no | -| [func\_pool\_min\_size](#input\_func\_pool\_min\_size) | The minimum size of the AutoScaling Group. | `number` | `1` | no | +| [func\_pool\_min\_size](#input\_func\_pool\_min\_size) | The minimum size of the AutoScaling Group. | `number` | `0` | no | | [func\_pool\_namespace](#input\_func\_pool\_namespace) | The namespace where functions run. | `string` | `"pulsar-funcs"` | no | +| [func\_pool\_pre\_userdata](#input\_func\_pool\_pre\_userdata) | The pre-userdata script to run on the function worker nodes. | `string` | `""` | no | | [func\_pool\_sa\_name](#input\_func\_pool\_sa\_name) | The service account name the functions use. | `string` | `"default"` | no | | [hosted\_zone\_id](#input\_hosted\_zone\_id) | The ID of the Route53 hosted zone used by the cluster's External DNS configuration. | `string` | n/a | yes | +| [iam\_path](#input\_iam\_path) | An IAM Path to be used for all IAM resources created by this module. Changing this from the default will cause issues with StreamNative's Vendor access, if applicable. | `string` | `"/StreamNative/"` | no | | [istio\_mesh\_id](#input\_istio\_mesh\_id) | The ID used by the Istio mesh. This is also the ID of the StreamNative Cloud Pool used for the workload environments. This is required when "enable\_istio\_operator" is set to "true". | `string` | `null` | no | | [istio\_network](#input\_istio\_network) | The name of network used for the Istio deployment. This is required when "enable\_istio\_operator" is set to "true". | `string` | `"default"` | no | | [istio\_profile](#input\_istio\_profile) | The path or name for an Istio profile to load. Set to the profile "default" if not specified. | `string` | `"default"` | no | 
@@ -374,12 +381,16 @@ You can also disable `kubernetes-external-secrets` by setting the input `enable- | [map\_additional\_aws\_accounts](#input\_map\_additional\_aws\_accounts) | Additional AWS account numbers to add to `config-map-aws-auth` ConfigMap. | `list(string)` | `[]` | no | | [map\_additional\_iam\_roles](#input\_map\_additional\_iam\_roles) | Additional IAM roles to add to `config-map-aws-auth` ConfigMap. |
list(object({
rolearn = string
username = string
groups = list(string)
}))
| `[]` | no | | [map\_additional\_iam\_users](#input\_map\_additional\_iam\_users) | Additional IAM roles to add to `config-map-aws-auth` ConfigMap. |
list(object({
userarn = string
username = string
groups = list(string)
}))
| `[]` | no | -| [node\_pool\_desired\_size](#input\_node\_pool\_desired\_size) | Desired number of worker nodes in the node pool. | `number` | n/a | yes | +| [node\_pool\_ami\_id](#input\_node\_pool\_ami\_id) | The AMI ID to use for the EKS cluster nodes. Defaults to the latest EKS Optimized AMI provided by AWS | `string` | `""` | no | +| [node\_pool\_ami\_is\_eks\_optimized](#input\_node\_pool\_ami\_is\_eks\_optimized) | If the custom AMI is an EKS optimized image, ignored if ami\_id is not set. If this is true then bootstrap.sh is called automatically (max pod logic needs to be manually set), if this is false you need to provide all the node configuration in pre\_userdata | `bool` | `true` | no | +| [node\_pool\_desired\_size](#input\_node\_pool\_desired\_size) | Desired number of worker nodes in the node pool. | `number` | `1` | no | | [node\_pool\_disk\_size](#input\_node\_pool\_disk\_size) | Disk size in GiB for worker nodes in the node pool. Defaults to 50. | `number` | `50` | no | | [node\_pool\_disk\_type](#input\_node\_pool\_disk\_type) | Disk type for worker nodes in the node pool. Defaults to gp3. | `string` | `"gp3"` | no | | [node\_pool\_instance\_types](#input\_node\_pool\_instance\_types) | Set of instance types associated with the EKS Node Group. Defaults to ["c6i.large"]. | `list(string)` |
[
"c6i.large"
]
| no | +| [node\_pool\_labels](#input\_node\_pool\_labels) | A map of kubernetes labels to add to the node pool. | `map(string)` | `{}` | no | | [node\_pool\_max\_size](#input\_node\_pool\_max\_size) | The maximum size of the node pool Autoscaling group. | `number` | n/a | yes | -| [node\_pool\_min\_size](#input\_node\_pool\_min\_size) | The minimum size of the node pool AutoScaling group. | `number` | n/a | yes | +| [node\_pool\_min\_size](#input\_node\_pool\_min\_size) | The minimum size of the node pool AutoScaling group. | `number` | `1` | no | +| [node\_pool\_pre\_userdata](#input\_node\_pool\_pre\_userdata) | The user data to apply to the worker nodes in the node pool. This is applied before the bootstrap.sh script. | `string` | `""` | no | | [node\_termination\_handler\_chart\_version](#input\_node\_termination\_handler\_chart\_version) | The version of the Helm chart to use for the AWS Node Termination Handler. | `string` | `"0.16.0"` | no | | [node\_termination\_handler\_helm\_chart\_name](#input\_node\_termination\_handler\_helm\_chart\_name) | The name of the Helm chart to use for the AWS Node Termination Handler. | `string` | `"aws-node-termination-handler"` | no | | [node\_termination\_handler\_helm\_chart\_repository](#input\_node\_termination\_handler\_helm\_chart\_repository) | The repository containing the Helm chart to use for the AWS Node Termination Handler. | `string` | `"https://aws.github.io/eks-charts"` | no | diff --git a/main.tf b/main.tf index cb1969c..be46e3c 100644 --- a/main.tf +++ b/main.tf 
@@ -31,16 +31,17 @@ locals { private_subnet_cidrs = var.enable_node_group_private_networking == false ? [] : [for i, v in var.private_subnet_ids : data.aws_subnet.private_cidrs[i].cidr_block] func_pool_defaults = { - create_launch_template = true - desired_capacity = coalesce(var.func_pool_desired_size, var.node_pool_desired_size) - disk_size = var.func_pool_disk_size - disk_encrypted = true - disk_kms_key_id = local.kms_key # sourced from csi.tf -> locals{} - disk_type = var.func_pool_disk_type - instance_types = coalesce(var.func_pool_instance_types, var.node_pool_instance_types) - k8s_labels = { NodeGroup = "functions" } - min_capacity = coalesce(var.func_pool_min_size, var.node_pool_min_size) - max_capacity = coalesce(var.func_pool_max_size, var.node_pool_max_size) + ami_id = var.func_pool_ami_id + ami_is_eks_optimized = var.func_pool_ami_is_eks_optimized + enable_monintoring = var.enable_func_pool_monitoring + desired_capacity = var.func_pool_desired_size + disk_size = var.func_pool_disk_size + disk_type = var.func_pool_disk_type + instance_types = var.func_pool_instance_types + k8s_labels = merge(var.func_pool_labels, { NodeGroup = "functions" }) + min_capacity = var.func_pool_min_size + max_capacity = var.func_pool_max_size + pre_userdata = var.func_pool_pre_userdata taints = [{ key = "reserveGroup" value = "functions" 
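Review bot: The new key `enable_monintoring` in `func_pool_defaults` is misspelled, and the same typo appears in `node_pool_defaults` in the next hunk. The pinned terraform-aws-modules/eks 17.24.0 node_groups submodule appears to read `enable_monitoring` from each node group definition and ignores unknown keys, so `enable_func_pool_monitoring` and `enable_node_pool_monitoring` would have no effect and detailed CloudWatch monitoring would stay at the submodule's default regardless of the variable; please verify the key name against that submodule's locals. The fix is `enable_monitoring = var.enable_func_pool_monitoring` here and the matching line in `node_pool_defaults`. The `locals` block continues outside the hunk (the `taints` list is cut off).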
@@ -49,17 +50,18 @@ locals { } node_pool_defaults = { - create_launch_template = true - desired_capacity = var.node_pool_desired_size - disk_size = var.node_pool_disk_size - disk_encrypted = true - disk_kms_key_id = local.kms_key # sourced from csi.tf -> locals{} - disk_type = var.node_pool_disk_type - instance_types = var.node_pool_instance_types - k8s_labels = {} - min_capacity = var.node_pool_min_size - max_capacity = var.node_pool_max_size - taints = [] + ami_id = var.node_pool_ami_id + ami_is_eks_optimized = var.node_pool_ami_is_eks_optimized + enable_monintoring = var.enable_node_pool_monitoring + desired_capacity = var.node_pool_desired_size + disk_size = var.node_pool_disk_size + disk_type = var.node_pool_disk_type + instance_types = var.node_pool_instance_types + k8s_labels = var.node_pool_labels + min_capacity = var.node_pool_min_size + max_capacity = var.node_pool_max_size + pre_userdata = var.node_pool_pre_userdata + taints = [] } snc_node_config = { for i, v in var.private_subnet_ids : "snc-node-pool${i}" => merge(local.node_pool_defaults, { subnets = [var.private_subnet_ids[i]], name = "snc-node-pool${i}" }) } @@ -71,7 +73,6 @@ module "eks" { source = "terraform-aws-modules/eks/aws" version = "17.24.0" - # cluster_iam_role_name = aws_iam_role.cluster.name cluster_name = var.cluster_name cluster_version = var.cluster_version cluster_create_endpoint_private_access_sg_rule = var.enable_node_group_private_networking @@ -82,7 +83,7 @@ module "eks" { cluster_log_kms_key_id = var.cluster_log_kms_key_id cluster_log_retention_in_days = var.cluster_log_retention_in_days enable_irsa = true - iam_path = "/StreamNative/" + iam_path = var.iam_path manage_cluster_iam_resources = true manage_worker_iam_resources = true map_accounts = var.map_additional_aws_accounts 
@@ -93,7 +94,6 @@ module "eks" { vpc_id = var.vpc_id wait_for_cluster_timeout = var.wait_for_cluster_timeout // This was added in version 17.1.0, and if set above 0, causes TF to crash. write_kubeconfig = false - # workers_role_name = aws_iam_role.nodes.name node_groups = local.node_groups @@ -104,7 +104,9 @@ module "eks" { "Vendor" = "StreamNative" }, ) - # iam_role_arn = aws_iam_role.nodes.arn + create_launch_template = true + disk_encrypted = true + disk_kms_key_id = local.kms_key # sourced from csi.tf -> locals{} } tags = { 
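Review bot: Now that every node group gets `create_launch_template = true` through `node_groups_defaults`, this hunk is the natural place to harden the instance metadata service, which it leaves at the submodule's defaults. As I recall the 17.x node_groups submodule, it reads `metadata_http_tokens` (default `"optional"`) and `metadata_http_put_response_hop_limit` (default 2) into the launch template's `metadata_options`, which keeps IMDSv1 enabled and lets pods on the node reach the node role's credentials; please confirm the key names in the 17.24.0 submodule before relying on them. If they exist, add `metadata_http_tokens = "required"` and `metadata_http_put_response_hop_limit = 1` next to `disk_kms_key_id`, with a comment that a hop limit of 1 breaks workloads that depend on node-role credentials instead of IRSA (which the module already turns on via `enable_irsa = true`).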
@@ -125,107 +127,3 @@ resource "kubernetes_namespace" "sn_system" { module.eks ] } - -###### -### IAM Resources for the EKS Cluster -###### -# data "aws_iam_policy_document" "cluster_assume_role_policy" { -# statement { -# actions = [ -# "sts:AssumeRole" -# ] -# effect = "Allow" -# principals { -# type = "Service" -# identifiers = ["eks.amazonaws.com"] -# } -# } -# } - -# data "aws_iam_policy_document" "cluster_elb_sl_role_creation" { -# statement { -# effect = "Allow" -# actions = [ -# "ec2:DescribeAccountAttributes", -# "ec2:DescribeInternetGateways", -# "ec2:DescribeAddresses" -# ] -# resources = ["*"] -# } -# } - -# resource "aws_iam_policy" "cluster_elb_sl_role_creation" { -# name_prefix = "${var.cluster_name}-elb-sl-role-creation" -# description = "Permissions for EKS to create AWSServiceRoleForElasticLoadBalancing service-linked role" -# policy = data.aws_iam_policy_document.cluster_elb_sl_role_creation.json -# tags = merge({ "Vendor" = "StreamNative" }, var.additional_tags) -# } - -# resource "aws_iam_role" "cluster" { -# name = format("%s-cluster-role", var.cluster_name) -# description = format("The IAM Role used by the %s EKS cluster", var.cluster_name) -# assume_role_policy = data.aws_iam_policy_document.cluster_assume_role_policy.json -# tags = merge({ "Vendor" = "StreamNative" }, var.additional_tags) -# path = "/StreamNative/" -# permissions_boundary = format("arn:aws:iam::%s:policy/StreamNativePermissionBoundary", local.account_id) -# } - -# resource "aws_iam_role_policy_attachment" "cluster_elb_sl_role_creation" { -# policy_arn = aws_iam_policy.cluster_elb_sl_role_creation.arn -# role = aws_iam_role.cluster.name -# } - -# resource "aws_iam_role_policy_attachment" "cluster_AmazonEKSClusterPolicy" { -# policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy" -# role = aws_iam_role.cluster.name -# } - -# resource "aws_iam_role_policy_attachment" "cluster_AmazonEKSServicePolicy" { -# policy_arn = "arn:aws:iam::aws:policy/AmazonEKSServicePolicy" -# 
role = aws_iam_role.cluster.name -# } - -# resource "aws_iam_role_policy_attachment" "cluster_AmazonEKSVPCResourceControllerPolicy" { -# policy_arn = "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController" -# role = aws_iam_role.cluster.name -# } - -# ###### -# ### IAM Resources for the node groups -# ###### -# data "aws_iam_policy_document" "nodes_assume_role_policy" { -# statement { -# actions = [ -# "sts:AssumeRole" -# ] -# effect = "Allow" -# principals { -# type = "Service" -# identifiers = ["ec2.amazonaws.com"] -# } -# } -# } - -# resource "aws_iam_role" "nodes" { -# name = format("%s-nodes-role", var.cluster_name) -# description = format("The IAM Role used by the %s EKS cluster's node groups", var.cluster_name) -# assume_role_policy = data.aws_iam_policy_document.nodes_assume_role_policy.json -# tags = merge({ "Vendor" = "StreamNative" }, var.additional_tags) -# path = "/StreamNative/" -# permissions_boundary = format("arn:aws:iam::%s:policy/StreamNativePermissionBoundary", local.account_id) -# } - -# resource "aws_iam_role_policy_attachment" "nodes_AmazonEKSnodeNodePolicy" { -# policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy" -# role = aws_iam_role.nodes.name -# } - -# resource "aws_iam_role_policy_attachment" "nodes_AmazonEKS_CNI_Policy" { -# policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy" -# role = aws_iam_role.nodes.name -# } - -# resource "aws_iam_role_policy_attachment" "nodes_AmazonEC2ContainerRegistryReadOnly" { -# policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly" -# role = aws_iam_role.nodes.name -# } diff --git a/variables.tf b/variables.tf index edaeb14..6e0b4ed 100644 --- a/variables.tf +++ b/variables.tf 
@@ -162,8 +162,8 @@ variable "cluster_log_kms_key_id" { } variable "cluster_log_retention_in_days" { - default = 90 - description = "Number of days to retain log events. Default retention - 90 days." + default = 365 + description = "Number of days to retain log events. Defaults to 365 days." type = number } @@ -267,6 +267,12 @@ variable "enable_func_pool" { type = bool } +variable "enable_func_pool_monitoring" { + default = true + description = "Enable CloudWatch monitoring for the dedicated function pool(s)." + type = bool +} + variable "enable_istio" { default = false description = "Enables Istio on the cluster. Set to \"false\" by default." @@ -279,6 +285,12 @@ variable "enable_node_group_private_networking" { type = bool } +variable "enable_node_pool_monitoring" { + default = true + description = "Enable CloudWatch monitoring for the default pool(s)." + type = bool +} + variable "external_dns_helm_chart_name" { default = "external-dns" description = "The name of the Helm chart in the repository for ExternalDNS." @@ -327,10 +339,22 @@ variable "external_secrets_settings" { type = map(any) } +variable "func_pool_ami_id" { + default = "" + description = "The AMI ID to use for the func pool nodes. Defaults to the latest EKS Optimized AMI provided by AWS" + type = string +} + +variable "func_pool_ami_is_eks_optimized" { + default = true + description = "If the custom AMI is an EKS optimized image, ignored if ami_id is not set. If this is true then bootstrap.sh is called automatically (max pod logic needs to be manually set), if this is false you need to provide all the node configuration in pre_userdata" + type = bool +} + variable "func_pool_desired_size" { - type = number - default = 1 + default = 0 description = "Desired number of worker nodes" + type = number } variable "func_pool_disk_size" { 
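Review bot: `func_pool_ami_id` is passed straight through to the launch template with no shape check, so a typo, or an AMI from another region or account, is only surfaced by the EC2 API at apply time. Since a custom AMI becomes the trust root of every function node, I would add a validation block with `condition = var.func_pool_ami_id == "" || can(regex("^ami-[0-9a-f]{8,17}$", var.func_pool_ami_id))` and an error message naming the expected format, and extend the description to say the AMI must exist in the cluster's region and that the module does not verify its provenance or patch level. The description of `func_pool_ami_is_eks_optimized` refers to `ami_id` and `pre_userdata`; it should name the actual inputs `func_pool_ami_id` and `func_pool_pre_userdata`.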
@@ -351,8 +375,14 @@ variable "func_pool_instance_types" { type = list(string) } +variable "func_pool_labels" { + default = {} + description = "Labels to apply to the function pool node group. Defaults to {}." + type = map(string) +} + variable "func_pool_min_size" { - default = 1 + default = 0 description = "The minimum size of the AutoScaling Group." type = number } @@ -369,6 +399,12 @@ variable "func_pool_namespace" { type = string } +variable "func_pool_pre_userdata" { + default = "" + description = "The pre-userdata script to run on the function worker nodes." + type = string +} + variable "func_pool_sa_name" { default = "default" description = "The service account name the functions use." @@ -380,6 +416,12 @@ variable "hosted_zone_id" { type = string } +variable "iam_path" { + default = "/StreamNative/" + description = "An IAM Path to be used for all IAM resources created by this module. Changing this from the default will cause issues with StreamNative's Vendor access, if applicable." + type = string +} + variable "istio_mesh_id" { default = null description = "The ID used by the Istio mesh. This is also the ID of the StreamNative Cloud Pool used for the workload environments. This is required when \"enable_istio_operator\" is set to \"true\"." 
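Review bot: The description of `func_pool_pre_userdata` does not say how the script is executed or caution about its contents. From the sibling descriptions in this patch it is prepended to the node user data ahead of bootstrap.sh, and when `func_pool_ami_is_eks_optimized` is false it is the entire node configuration, so it runs as root on every function node via cloud-init. I would document that and add the caveat operators need: `description = "Shell script prepended to the function nodes' user data and run as root before bootstrap.sh (when func_pool_ami_is_eks_optimized is false it must perform all node setup). Treat it as privileged code: review it in version control and never embed secrets, since EC2 user data is readable from the instance metadata service and via DescribeInstanceAttribute."`.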
@@ -472,7 +514,20 @@ variable "node_termination_handler_chart_version" { type = string } +variable "node_pool_ami_id" { + default = "" + description = "The AMI ID to use for the EKS cluster nodes. Defaults to the latest EKS Optimized AMI provided by AWS" + type = string +} + +variable "node_pool_ami_is_eks_optimized" { + default = true + description = "If the custom AMI is an EKS optimized image, ignored if ami_id is not set. If this is true then bootstrap.sh is called automatically (max pod logic needs to be manually set), if this is false you need to provide all the node configuration in pre_userdata" + type = bool +} + variable "node_pool_desired_size" { + default = 1 description = "Desired number of worker nodes in the node pool." type = number } @@ -495,7 +550,14 @@ variable "node_pool_instance_types" { type = list(string) } +variable "node_pool_labels" { + default = {} + description = "A map of kubernetes labels to add to the node pool." + type = map(string) +} + variable "node_pool_min_size" { + default = 1 description = "The minimum size of the node pool AutoScaling group." type = number } @@ -505,6 +567,12 @@ variable "node_pool_max_size" { type = number } +variable "node_pool_pre_userdata" { + default = "" + description = "The user data to apply to the worker nodes in the node pool. This is applied before the bootstrap.sh script." + type = string +} + variable "permissions_boundary_arn" { default = null description = "If required, provide the ARN of the IAM permissions boundary to use for restricting StreamNative's vendor access." From 0c27344fe0ef04b830f3fd2ff75419ac32ac99a2 Mon Sep 17 00:00:00 2001 From: Joey Davenport Date: Tue, 14 Jun 2022 13:52:56 -0600 Subject: [PATCH 3/4] Fixed bad bitnami repo; improved resource dependency logic --- main.tf | 2 +- variables.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index 5a345b1..51b3fcf 100644 --- a/main.tf +++ b/main.tf 
@@ -129,7 +129,7 @@ module "eks" { } depends_on = [ - aws_iam_role.cluster + aws_ec2_tag.cluster_security_group ] } diff --git a/variables.tf b/variables.tf index 26c1537..4c3bf04 100644 --- a/variables.tf +++ b/variables.tf @@ -292,7 +292,7 @@ variable "external_dns_helm_chart_name" { } variable "external_dns_helm_chart_repository" { - default = "https://charts.bitnami.com/bitnami" + default = "https://raw.githubusercontent.com/bitnami/charts/eb5f9a9513d987b519f0ecd732e7031241c50328/bitnami" description = "The repository containing the ExternalDNS helm chart." type = string } From 94eba53b57bfce30d596b0182dfe19dd37937527 Mon Sep 17 00:00:00 2001 From: Joey Davenport Date: Mon, 27 Jun 2022 16:22:32 -0600 Subject: [PATCH 4/4] Revert bad dependency change --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 51b3fcf..5a345b1 100644 --- a/main.tf +++ b/main.tf @@ -129,7 +129,7 @@ module "eks" { } depends_on = [ - aws_ec2_tag.cluster_security_group + aws_iam_role.cluster ] }
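Review bot: The new default for `external_dns_helm_chart_repository` pins the Bitnami chart index to a raw GitHub commit, but neither the description nor the README explains why, and the README table earlier in this series still documents `https://charts.bitnami.com/bitnami` as the default (this patch's diffstat touches only main.tf and variables.tf). Pinning to an immutable commit is a reasonable supply-chain choice, presumably because the live Bitnami index no longer lists chart version 5.5.2, but the index only locates chart tarballs; helm still fetches them from the URLs inside that index, so the pin does not by itself make the download content-addressed. I would update the README and extend the description to `"The repository containing the ExternalDNS helm chart. Pinned to a specific bitnami/charts commit so the index keeps listing the chart version this module installs; bump the commit together with external_dns_helm_chart_version."`.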