From da991654825d2b261af666d215a333f0148e33dc Mon Sep 17 00:00:00 2001 From: Joey Davenport Date: Wed, 7 Sep 2022 15:20:36 -0600 Subject: [PATCH 01/29] initial refactor commit; wip --- fluent_bit.tf | 90 +++++++++++++++++++++++ istio.tf | 8 +-- main.tf | 192 ++++++++++++++++++++++++++++---------------------- outputs.tf | 44 ++++++------ tags.tf | 12 ++-- variables.tf | 36 ++++++---- 6 files changed, 248 insertions(+), 134 deletions(-) create mode 100644 fluent_bit.tf diff --git a/fluent_bit.tf b/fluent_bit.tf new file mode 100644 index 0000000..c71db8b --- /dev/null +++ b/fluent_bit.tf 
@@ -0,0 +1,90 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +# resource "aws_iam_role" "fluent_bit" { +# count = var.enable_fluent_bit ? 1 : 0 +# name = format("%s-fbit-role", module.eks.cluster_id) +# description = format("Role used by IRSA and the KSA aws-for-fluent-bit on StreamNative Cloud EKS cluster %s", module.eks.cluster_id) +# assume_role_policy = data.aws_iam_policy_document.fluent_bit_sts.json +# path = "/StreamNative/" +# permissions_boundary = var.permissions_boundary_arn +# tags = merge({ "Vendor" = "StreamNative" }, var.additional_tags) +# } + +# resource "aws_iam_policy" "fluent_bit" { +# count = local.create_fluent_bit_policy ? 1 : 0 +# name = format("%s-fluent_bitPolicy", module.eks.cluster_id) +# description = "Policy that defines the permissions for the EBS Container Storage Interface Fluent Bit addon service running in a StreamNative Cloud EKS cluster" +# path = "/StreamNative/" +# policy = data.aws_iam_policy_document.fluent_bit.json +# tags = merge({ "Vendor" = "StreamNative" }, var.additional_tags) +# } + +# resource "aws_iam_role_policy_attachment" "fluent_bit_managed" { +# count = var.enable_fluent_bit ? 
1 : 0 +# policy_arn = "arn:${var.aws_partition}:iam::aws:policy/service-role/AmazonEBSfluent_bitDriverPolicy" +# role = aws_iam_role.fluent_bit[0].name +# } + +# resource "aws_iam_role_policy_attachment" "fluent_bit" { +# count = var.enable_fluent_bit ? 1 : 0 +# policy_arn = local.sn_serv_policy_arn != "" ? local.sn_serv_policy_arn : aws_iam_policy.fluent_bit[0].arn +# role = aws_iam_role.fluent_bit[0].name +# } + +# resource "helm_release" "fluent_bit" { +# count = 1 #var.enable_fluent_bit ? 1 : 0 +# atomic = true +# chart = "aws-for-fluent-bit" #var.fluent_bit_helm_chart_name +# cleanup_on_fail = true +# name = "aws-for-fluent-bit" +# namespace = "kube-system" +# repository = "https://aws.github.io/eks-charts" #var.fluent_bit_helm_chart_repository +# timeout = 300 +# version = "0.1.18" #var.fluent_bit_helm_chart_version +# values = [yamlencode({ +# cloudWatch = { +# enabled = true +# region = var.region +# logGroupName = format("/aws/eks/streamnative/%s/logs", module.eks.cluster_id) +# logRetentionDays = 365 +# } +# elasticsearch = { +# enabled = false +# } +# firehose = { +# enabled = false +# } +# kinesis = { +# enabled = false +# } +# })] + +# # dynamic "set" { +# # for_each = var.fluent_bit_settings +# # content { +# # name = set.key +# # value = set.value +# # } +# # } + +# depends_on = [ +# module.eks +# ] +# } \ No newline at end of file diff --git a/istio.tf b/istio.tf index 7a527e1..110d40e 100644 --- a/istio.tf +++ b/istio.tf 
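Review bot: Every line of the new fluent_bit.tf is commented out, so none of it is checked by `terraform validate` and the file lands as dead code; the diffstat of PATCH 02/29 later in this series deletes it again, so it is churn on top of that. If it is revived, `fluent_bit_managed` attaches `arn:${var.aws_partition}:iam::aws:policy/service-role/AmazonEBSfluent_bitDriverPolicy`, which reads as a search-and-replace artifact of the EBS CSI driver's managed policy rather than a policy that exists or that grants the CloudWatch Logs permissions the Helm values need. The `helm_release` also has `count = 1` with the `var.enable_fluent_bit` guard commented away, so it would deploy regardless of the variable; either drop the file from this commit or restore the `count` guards before uncommenting.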
@@ -20,14 +20,14 @@ locals { lb_annotations = { internet_facing = { - "service.beta.kubernetes.io/aws-load-balancer-scheme" = "internet-facing" - "service.beta.kubernetes.io/aws-load-balancer-type" = "nlb" + "service.beta.kubernetes.io/aws-load-balancer-scheme" = "internet-facing" + "service.beta.kubernetes.io/aws-load-balancer-type" = "nlb" "service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags" = "Vendor=StreamNative" }, internal_only = { "service.beta.kubernetes.io/aws-load-balancer-internal" : "true" - "service.beta.kubernetes.io/aws-load-balancer-scheme" = "internal" - "service.beta.kubernetes.io/aws-load-balancer-type" = "nlb" + "service.beta.kubernetes.io/aws-load-balancer-scheme" = "internal" + "service.beta.kubernetes.io/aws-load-balancer-type" = "nlb" "service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags" = "Vendor=StreamNative" } } diff --git a/main.tf b/main.tf index 8035c38..f1db80b 100644 --- a/main.tf +++ b/main.tf @@ -19,16 +19,20 @@ data "aws_caller_identity" "current" {} -data "aws_subnet" "private_cidrs" { +data "aws_subnet" "private_subnets" { count = length(var.private_subnet_ids) id = var.private_subnet_ids[count.index] } +resource "random_id" "ng_suffix" { + byte_length = 1 +} + locals { account_id = data.aws_caller_identity.current.account_id cluster_subnet_ids = concat(var.private_subnet_ids, var.public_subnet_ids) oidc_issuer = trimprefix(module.eks.cluster_oidc_issuer_url, "https://") - private_subnet_cidrs = var.enable_node_group_private_networking == false ? [] : [for i, v in var.private_subnet_ids : data.aws_subnet.private_cidrs[i].cidr_block] + private_subnet_cidrs = var.enable_node_group_private_networking == false ? [] : [for i, v in var.private_subnet_ids : data.aws_subnet.private_subnets[i].cidr_block] ## switches for roles default_lb_arn = "arn:${var.aws_partition}:iam::${local.account_id}:policy/StreamNative/StreamNativeCloudLBPolicy" 
@@ -42,111 +46,129 @@ locals { create_ext_dns_policy = !(var.sncloud_services_iam_policy_arn != "" || var.use_runtime_policy || !var.enable_external_dns) create_ext_sec_policy = !(var.sncloud_services_iam_policy_arn != "" || var.use_runtime_policy || !var.enable_external_secrets) - - func_pool_defaults = { - ami_id = var.func_pool_ami_id - ami_is_eks_optimized = var.func_pool_ami_is_eks_optimized - enable_monintoring = var.enable_func_pool_monitoring - desired_capacity = var.func_pool_desired_size - disk_size = var.func_pool_disk_size - disk_type = var.func_pool_disk_type - instance_types = var.func_pool_instance_types - k8s_labels = merge(var.func_pool_labels, { NodeGroup = "functions" }) - min_capacity = var.func_pool_min_size - max_capacity = var.func_pool_max_size - pre_userdata = var.func_pool_pre_userdata - taints = [{ - key = "reserveGroup" - value = "functions" - effect = "NO_SCHEDULE" - }] + ## Node Group Configuration + node_group_defaults = { + ami_id = var.node_pool_ami_id + block_device_mappings = { + xvdb = { + device_name = var.node_pool_block_device_name + ebs = { + volume_size = var.node_pool_disk_size + volume_type = "gp3" + iops = 3000 + encrypted = true + kms_key_id = local.kms_key + delete_on_termination = true + } + } + } + create_launch_template = true + enable_monitoring = var.enable_node_pool_monitoring + desired_size = var.node_pool_desired_size + labels = var.node_pool_labels + min_size = var.node_pool_min_size + max_size = var.node_pool_max_size + pre_bootstrap_user_data = var.node_pool_pre_userdata + taints = var.node_pool_taints + tags = merge(var.node_pool_tags, { + "k8s.io/cluster-autoscaler/enabled" = "true", + format("k8s.io/cluster-autoscaler/%s", var.cluster_name) = "owned", + "Vendor" = "StreamNative" + }) } - node_pool_defaults = { - ami_id = var.node_pool_ami_id - ami_is_eks_optimized = var.node_pool_ami_is_eks_optimized - enable_monintoring = var.enable_node_pool_monitoring - desired_capacity = var.node_pool_desired_size - 
disk_size = var.node_pool_disk_size - disk_type = var.node_pool_disk_type - instance_types = var.node_pool_instance_types - k8s_labels = var.node_pool_labels - min_capacity = var.node_pool_min_size - max_capacity = var.node_pool_max_size - pre_userdata = var.node_pool_pre_userdata - taints = [] + ## Create the node groups, one for each instance type AND each availability zone/subnet + node_groups = { + for node_group in flatten([ + for instance_type in var.node_pool_instance_types : [ + for i, j in data.aws_subnet.private_subnet : { + subnet_id = data.aws_subnet.subnet[i].id + instance_type = instance_type, + name = "snc-node-pool-${split(".", instance_type)[1]}-${data.aws_subnet.private_subnet[i].availability_zone}-${random_id.ng_suffix.hex}" + } + ] + ]) : "${node_group.name}" => node_group } - snc_node_config = { for i, v in var.private_subnet_ids : "snc-node-pool${i}" => merge(local.node_pool_defaults, { subnets = [var.private_subnet_ids[i]], name = "snc-node-pool${i}" }) } - snc_extra_node_config = (length(var.extra_node_pool_instance_types) == 0 ? {} : { for i, v in var.private_subnet_ids : "snc-extra-node-pool${i}" => merge(local.node_pool_defaults, { subnets = [var.private_subnet_ids[i]], name = "snc-extra-node-pool${i}", instance_types = var.extra_node_pool_instance_types }) }) - snc_func_config = { for i, v in var.private_subnet_ids : "snc-func-pool${i}" => merge(local.func_pool_defaults, { subnets = [var.private_subnet_ids[i]], name = "snc-func-pool${i}" }) } - node_groups = (var.enable_func_pool ? 
merge(local.snc_node_config, local.snc_func_config, local.snc_extra_node_config) : merge(local.snc_node_config, local.snc_extra_node_config)) } module "eks" { source = "terraform-aws-modules/eks/aws" - version = "17.24.0" - - cluster_name = var.cluster_name - cluster_version = var.cluster_version - cluster_create_endpoint_private_access_sg_rule = var.enable_node_group_private_networking - cluster_endpoint_private_access = var.enable_node_group_private_networking - cluster_endpoint_private_access_cidrs = local.private_subnet_cidrs - cluster_endpoint_public_access_cidrs = var.allowed_public_cidrs - cluster_enabled_log_types = var.cluster_enabled_log_types - cluster_iam_role_name = var.use_runtime_policy ? aws_iam_role.cluster[0].name : "" - cluster_log_kms_key_id = var.cluster_log_kms_key_id - cluster_log_retention_in_days = var.cluster_log_retention_in_days - enable_irsa = true - openid_connect_audiences = ["sts.amazonaws.com"] - iam_path = "/StreamNative/" - manage_cluster_iam_resources = var.use_runtime_policy ? false : true - manage_worker_iam_resources = true - map_accounts = var.map_additional_aws_accounts - map_roles = var.map_additional_iam_roles - map_users = var.map_additional_iam_users - permissions_boundary = var.permissions_boundary_arn - subnets = local.cluster_subnet_ids - vpc_id = var.vpc_id - wait_for_cluster_timeout = var.wait_for_cluster_timeout // This was added in version 17.1.0, and if set above 0, causes TF to crash. 
- write_kubeconfig = false - - node_groups = local.node_groups - - node_groups_defaults = { - additional_tags = merge({ - "k8s.io/cluster-autoscaler/enabled" = "true", - format("k8s.io/cluster-autoscaler/%s", var.cluster_name) = "owned", - "Vendor" = "StreamNative" - }, - ) - create_launch_template = true - disk_encrypted = true - disk_kms_key_id = local.kms_key # sourced from csi.tf -> locals{} - } + version = "18.29.0" + + # cluster_endpoint_private_access_cidrs = local.private_subnet_cidrs + # cluster_iam_role_name = var.use_runtime_policy ? aws_iam_role.cluster[0].name : "" + # map_accounts = var.map_additional_aws_accounts + # map_roles = var.map_additional_iam_roles + # map_users = var.map_additional_iam_users + # cluster_create_endpoint_private_access_sg_rule = var.enable_node_group_private_networking + # manage_worker_iam_resources = true + + ### Added these to avoid issues with the module refactor from 17.X to 18.X. Future versions of the terraform-aws-eks module may not require these to be specified. + prefix_separator = "" + iam_role_name = var.cluster_name + cluster_security_group_name = var.cluster_name + cluster_security_group_description = "EKS cluster security group." + ### + cluster_name = var.cluster_name + cluster_version = var.cluster_version + create_cluster_primary_security_group_tags = true + cluster_endpoint_private_access = var.enable_node_group_private_networking + cluster_endpoint_public_access_cidrs = var.allowed_public_cidrs + cluster_enabled_log_types = var.cluster_enabled_log_types + cloudwatch_log_group_kms_key_id = var.cluster_log_kms_key_id + cloudwatch_log_group_retention_in_days = var.cluster_log_retention_in_days + eks_managed_node_groups = local.node_groups + eks_managed_node_group_defaults = local.node_group_defaults + enable_irsa = true + openid_connect_audiences = ["sts.amazonaws.com"] + iam_role_path = "/StreamNative/" + iam_role_arn = var.use_runtime_policy ? 
aws_iam_role.cluster[0].arn : null + create_iam_role = var.use_runtime_policy ? false : true + iam_role_permissions_boundary = var.permissions_boundary_arn + control_plane_subnet_ids = local.cluster_subnet_ids + vpc_id = var.vpc_id + + + + + node_security_group_tags = merge(var.additional_tags, { + format("k8s.io/cluster/%s", var.cluster_name) = "owned", + "Vendor" = "StreamNative", + "kubernetes.io/cluster/${var.cluster_name}" = null + }) tags = { format("k8s.io/cluster/%s", var.cluster_name) = "owned", "Vendor" = "StreamNative" } + cluster_tags = merge(var.additional_tags, { + format("k8s.io/cluster/%s", var.cluster_name) = "owned", + "Vendor" = "StreamNative" + }) + cluster_security_group_tags = merge(var.additional_tags, { + format("k8s.io/cluster/%s", var.cluster_name) = "owned", + "Vendor" = "StreamNative" + }) + depends_on = [ aws_iam_role.cluster ] } -resource "aws_autoscaling_group_tag" "asg_group_vendor_tags" { - count = length(module.eks.workers_asg_names) +# resource "aws_autoscaling_group_tag" "asg_group_vendor_tags" { +# count = length(module.eks.workers_asg_names) - autoscaling_group_name = module.eks.workers_asg_names[count.index] +# autoscaling_group_name = module.eks.workers_asg_names[count.index] - tag { - key = "Vendor" - value = "StreamNative" +# tag { +# key = "Vendor" +# value = "StreamNative" - propagate_at_launch = true - } -} +# propagate_at_launch = true +# } +# } resource "kubernetes_namespace" "sn_system" { metadata { diff --git a/outputs.tf b/outputs.tf index c963f6f..05959de 100644 --- a/outputs.tf +++ b/outputs.tf @@ -16,10 +16,6 @@ # specific language governing permissions and limitations # under the License. # -output "cloudwatch_log_group_arn" { - value = module.eks.cloudwatch_log_group_arn - description = "Arn of cloudwatch log group created" -} output "eks_cluster_arn" { value = module.eks.cluster_arn 
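Review bot: The `node_groups` for-expression references `data.aws_subnet.private_subnet` and `data.aws_subnet.subnet`, neither of which is declared; the data source introduced earlier in this commit is `data.aws_subnet.private_subnets`, so `terraform validate` will fail on this block. The inner loop should read `for i, j in data.aws_subnet.private_subnet : {` → `for i, j in data.aws_subnet.private_subnets : {` and `subnet_id = data.aws_subnet.private_subnets[i].id`, with the `availability_zone` lookup in `name` renamed the same way. Each group also sets a singular `instance_type` key, while as far as I can tell the eks-managed-node-group submodule of terraform-aws-eks 18.29.0 reads `instance_types` as a list, so as written every group would fall back to the module's default instance type; `instance_types = [instance_type]` is presumably what was intended. The enclosing `locals` block starts outside the hunk.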
@@ -41,10 +37,10 @@ output "eks_cluster_identity_oidc_issuer_arn" {
 description = "The ARN for the OIDC issuer created by this module"
 }
 
-output "eks_cluster_identity_oidc_issuer_string" {
- value = local.oidc_issuer
- description = "A formatted string containing the prefix for the OIDC issuer created by this module. Same as \"cluster_oidc_issuer_url\", but with \"https://\" stripped from the name. This output is typically used in other StreamNative modules that request the \"oidc_issuer\" input."
-}
+# output "eks_cluster_identity_oidc_issuer_string" {
+# value = local.oidc_issuer
+# description = "A formatted string containing the prefix for the OIDC issuer created by this module. Same as \"cluster_oidc_issuer_url\", but with \"https://\" stripped from the name. This output is typically used in other StreamNative modules that request the \"oidc_issuer\" input."
+# }
 
 output "eks_cluster_primary_security_group_id" {
 value = module.eks.cluster_primary_security_group_id
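Review bot: Commenting out `eks_cluster_identity_oidc_issuer_string` removes an output whose own description says other StreamNative modules consume it, while its source `local.oidc_issuer` is still defined in main.tf in this commit, so nothing in the module upgrade forces the removal; keep the output, or record the breaking change in the commit message. The same applies to `worker_iam_role_arn` and `worker_security_group_id` in the next hunk, where the v18 module still exposes equivalents (e.g. `node_security_group_id`) that could be re-exported instead of leaving the outputs commented out.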
@@ -56,22 +52,22 @@ output "eks_cluster_secondary_security_group_id" {
 description = "The id of the secondary security group created by this module. This is labled \"Additional Security Groups\" in the EKS console."
 }
 
-output "node_groups" {
- value = module.eks.node_groups
- description = "Outputs from EKS node groups. Map of maps, keyed by var.node_groups keys"
-}
+# output "node_groups" {
+# value = module.eks.node_groups
+# description = "Outputs from EKS node groups. Map of maps, keyed by var.node_groups keys"
+# }
 
-output "worker_iam_role_arn" {
- value = module.eks.worker_iam_role_arn
- description = "The IAM Role ARN used by the Worker configuration"
-}
+# output "worker_iam_role_arn" {
+# value = module.eks.worker_iam_role_arn
+# description = "The IAM Role ARN used by the Worker configuration"
+# }
 
-output "worker_security_group_id" {
- value = module.eks.worker_security_group_id
- description = "Security group ID attached to the EKS node groups"
-}
+# output "worker_security_group_id" {
+# value = module.eks.worker_security_group_id
+# description = "Security group ID attached to the EKS node groups"
+# }
 
-output "worker_https_ingress_security_group_rule" {
- value = module.eks.security_group_rule_cluster_https_worker_ingress
- description = "Security group rule responsible for allowing pods to communicate with the EKS cluster API."
-}
\ No newline at end of file
+# output "worker_https_ingress_security_group_rule" {
+# value = module.eks.security_group_rule_cluster_https_worker_ingress
+# description = "Security group rule responsible for allowing pods to communicate with the EKS cluster API."
+# }
\ No newline at end of file
diff --git a/tags.tf b/tags.tf
index b2d4d17..f4a72f5 100644
--- a/tags.tf
+++ b/tags.tf
@@ -32,9 +32,9 @@ module "vpc_tags" {
 #
 # IMPORTANT: If this tag is not present on the SG during a `terraform destroy`, the destroy will fail.
 # Terraform tries to remove this tag before destroying module.eks, which means we would no longer be able to manage it.
-# Because of this, it's recommended to remove this resource from the *.tfstate PRIOR to running a destroy
-resource "aws_ec2_tag" "cluster_security_group" {
- resource_id = module.eks.cluster_primary_security_group_id
- key = "Vendor"
- value = "StreamNative"
-}
\ No newline at end of file
+# # Because of this, it's recommended to remove this resource from the *.tfstate PRIOR to running a destroy
+# resource "aws_ec2_tag" "cluster_security_group" {
+# resource_id = module.eks.cluster_primary_security_group_id
+# key = "Vendor"
+# value = "StreamNative"
+# }
\ No newline at end of file
diff --git a/variables.tf b/variables.tf
index b9fd559..68dcd90 100644
--- a/variables.tf
+++ b/variables.tf
@@ -372,7 +372,7 @@ variable "func_pool_disk_type" {
 
 variable "func_pool_instance_types" {
 default = ["c6i.large"]
- description = "Set of instance types associated with the EKS Node Group. Defaults to [\"t3.large\"]. Terraform will only perform drift detection if a configuration value is provided."
+ description = "Set of instance types associated with the EKS Node Group. Defaults to [\"c6i.large\"]. Terraform will only perform drift detection if a configuration value is provided."
 type = list(string)
 }
 
@@ -394,22 +394,16 @@ variable "func_pool_max_size" {
 type = number
 }
 
-variable "func_pool_namespace" {
- default = "pulsar-funcs"
- description = "The namespace where functions run."
- type = string
-}
-
 variable "func_pool_pre_userdata" {
 default = ""
 description = "The pre-userdata script to run on the function worker nodes."
 type = string
 }
 
-variable "func_pool_sa_name" {
- default = "default"
- description = "The service account name the functions use."
- type = string
+variable "func_pool_taints" {
+ default = []
+ description = "Taints to apply to the function pool node group."
+ type = list(map)
 }
 
 variable "hosted_zone_id" {
@@ -551,8 +545,14 @@ variable "node_pool_ami_is_eks_optimized" {
 type = bool
 }
 
+variable "node_pool_block_device_name" {
+ default = "/dev/nvme0n1"
+ description = "The name of the block device to use for the EKS cluster nodes."
+ type = string
+}
+
 variable "node_pool_desired_size" {
- default = 1
+ default = 0
 description = "Desired number of worker nodes in the node pool."
 type = number
 }
@@ -570,8 +570,8 @@ variable "node_pool_disk_type" {
 }
 
 variable "node_pool_instance_types" {
- default = ["c6i.large"]
- description = "Set of instance types associated with the EKS Node Group. Defaults to [\"c6i.large\"]."
+ default = ["c6i.xlarge", "c6i.2xlarge", "c6i.4xlarge", "c6i.8xlarge"]
+ description = "Set of instance types associated with the EKS Node Groups. Defaults to [\"c6i.xlarge\", \"c6i.2xlarge\", \"c6i.4xlarge\", \"c6i.8xlarge\"]."
 type = list(string)
 }
 
@@ -588,7 +588,7 @@ variable "node_pool_labels" {
 }
 
 variable "node_pool_min_size" {
- default = 1
+ default = 0
 description = "The minimum size of the node pool AutoScaling group."
 type = number
 }
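Review bot: `type = list(map)` on the new `func_pool_taints` variable is not a valid type constraint, because `map` requires an element type, so `terraform validate` rejects the file; use `type = list(map(string))` or an explicit `list(object({ key = string, value = string, effect = string }))` that matches what the node group taint block consumes. The same constraint is used for `node_pool_taints` in the `@@ -604,6 +604,12 @@` hunk. Dropping `func_pool_namespace` and `func_pool_sa_name` also makes any composition still passing them fail with an unsupported-argument error; if that is intended it belongs in the commit message rather than a "wip" subject.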
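Review bot: The default `/dev/nvme0n1` for `node_pool_block_device_name` appears to be the OS-side NVMe device name rather than a launch-template block device name; EC2 block device mappings take names such as `/dev/xvda`, which is the root device of the EKS-optimized Amazon Linux 2 AMI, and the instance renames them to NVMe names at boot. Since main.tf in this commit relies on this single mapping for `encrypted = true`, `kms_key_id`, and `volume_size` now that the v17 `disk_encrypted`/`disk_kms_key_id` inputs are gone, a mapping that does not match the root device would leave the root volume at the AMI defaults, i.e. unencrypted with the default size. Worth confirming on a real plan/apply before this lands; if confirmed, `default     = "/dev/xvda"` with a description noting it must match the AMI's root device name would be the fix.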
@@ -604,6 +604,12 @@ variable "node_pool_pre_userdata" { type = string } +variable "node_pool_taints" { + default = [] + description = "A list of taints in map format to apply to the node pool." + type = list(map) +} + variable "permissions_boundary_arn" { default = null description = "If required, provide the ARN of the IAM permissions boundary to use for restricting StreamNative's vendor access." From 021912ab4a8fd242832fa7d43e22c4b6a5b36e5e Mon Sep 17 00:00:00 2001 From: Joey Davenport Date: Fri, 16 Sep 2022 11:21:36 -0600 Subject: [PATCH 02/29] Refactor mostly finished; more scenario testing required --- README.md | 125 ++++------------ aws_load_balancer_controller.tf | 44 +++--- aws_node_termination_handler.tf | 1 + calico.tf | 53 ------- cert_manager.tf | 41 +++--- cluster_autoscaler.tf | 22 ++- csi.tf | 69 ++------- external_dns.tf | 29 ++-- external_secrets.tf | 121 ---------------- fluent_bit.tf | 90 ------------ istio.tf | 4 +- main.tf | 250 +++++++++++++++++++++----------- metrics_server.tf | 6 +- tags.tf | 40 ----- variables.tf | 219 +++++----------------------- 15 files changed, 306 insertions(+), 808 deletions(-) delete mode 100644 calico.tf delete mode 100644 external_secrets.tf delete mode 100644 fluent_bit.tf delete mode 100644 tags.tf diff --git a/README.md b/README.md index c29a5d2..88a59fd 100644 --- a/README.md +++ b/README.md @@ -35,7 +35,6 @@ For more information on how EKS networking can be configured, refer to the follo - [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html) - [De-mystifying cluster networking for Amazon EKS worker nodes](https://aws.amazon.com/blogs/containers/de-mystifying-cluster-networking-for-amazon-eks-worker-nodes/) - ## Getting Started A bare minimum configuration to execute the module: 
@@ -77,11 +76,6 @@ module "sn_cluster" { cluster_name = "sn-cluster-${var.region}" cluster_version = "1.20" hosted_zone_id = "Z04554535IN8Z31SKDVQ2" # Change this to your hosted zone ID - node_pool_instance_types = ["c6i.xlarge"] - extra_node_pool_instance_types = ["c6i.2xlarge"] # Defaults to empty list. Means don't create extra node pool - node_pool_desired_size = 2 - node_pool_min_size = 1 - node_pool_max_size = 6 ## Note: EKS requires two subnets, each in their own availability zone public_subnet_ids = ["subnet-abcde012", "subnet-bcde012a"] 
@@ -190,45 +184,10 @@ We use a [Helm chart](https://github.com/streamnative/charts/tree/master/charts/ _Note: Since this module manages all of the Kubernetes addon dependencies required by StreamNative Platform, it is not necessary to perform all of the [steps outlined in the Helm chart's README.](https://github.com/streamnative/charts/tree/master/charts/sn-platform#steps). Please [reach out](https://support.streamnative.io) to your customer representative if you have questions._ -## Using kubenertes-external-secrets with Amazon Secrets Manager -By default, `kubernetes-external-secrets` is enabled on the EKS cluster and the corresponding IRSA has access to retrieve all secrets created in the cluster's region. To clamp down access, you can specify the ARNs for just the secrets needed by passing a list to the input `asm_secret_arns` in your composition: - -```hcl -module "sn_cluster" { - source = "streamnative/cloud/aws" - - asm_secret_arns = [ - "arn:aws:secretsmanager:us-west-2:111122223333:secret:aes128-1a2b3c", - "arn:aws:secretsmanager:us-west-2:111122223333:secret:aes192-4D5e6F", - "arn:aws:secretsmanager:us-west-2:111122223333:secret:aes256-7g8H9i", - ] -} -``` - -You can also use secret prefixes and wildcards to scope access a bit more granularly, i.e. `"arn:aws:secretsmanager:Region:AccountId:secret:TestEnv/*"` and pass that to the module. Refer to the [Secrets Manager docs](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html) for examples. - -To get an ASM secret on the cluster, create an `ExternalSecret` manifiest yml file: - -```yml -apiVersion: 'kubernetes-client.io/v1' -kind: ExternalSecret -metadata: - name: my-cluster-secret -spec: - backendType: secretsManager - data: - - key: secret-prefix/secret-id - name: my-cluster-secret -``` - -Refer to [the official docs](https://github.com/external-secrets/kubernetes-external-secrets#add-a-secret) for more details. 
- -You can also disable `kubernetes-external-secrets` by setting the input `enable-external-secret = false` in your composition of the `terraform-aws-cloud` (this) module. [^1]: When running Apache Pulsar in Kubernetes, we make use of EBS backed Kubernetes Persistent Volume Claims (PVC). EBS volumes themselves are zonal, which means [an EC2 instance can only mount a volume that exists in its same AWS Availability Zone](https://aws.amazon.com/blogs/containers/amazon-eks-cluster-multi-zone-auto-scaling-groups/). For this reason we have added node group "zone affinity" functionality into our module, where **an EKS node group is created per AWS Availability Zone**. This is controlled by the number of subnets you pass to the EKS module, creating one node group per subnet. -## Requirements | Name | Version | |------|---------| @@ -249,7 +208,7 @@ You can also disable `kubernetes-external-secrets` by setting the input `enable- | Name | Source | Version | |------|--------|---------| -| [eks](#module\_eks) | terraform-aws-modules/eks/aws | 17.24.0 | +| [eks](#module\_eks) | terraform-aws-modules/eks/aws | 18.29.0 | | [istio](#module\_istio) | github.com/streamnative/terraform-helm-charts//modules/istio-operator | v0.8.4 | | [vpc\_tags](#module\_vpc\_tags) | ./modules/eks-vpc-tags | n/a | 
@@ -257,21 +216,19 @@ You can also disable `kubernetes-external-secrets` by setting the input `enable- | Name | Type | |------|------| -| [aws_autoscaling_group_tag.asg_group_vendor_tags](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group_tag) | resource | | [aws_ec2_tag.cluster_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource | | [aws_iam_policy.aws_load_balancer_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.cert_manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.external_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.external_secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_role.aws_load_balancer_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_iam_role.cert_manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_iam_role.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_iam_role.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_iam_role.csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | 
[aws_iam_role.external_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role.external_secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role.ng](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_iam_role_policy_attachment.aws_load_balancer_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.cert_manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.cluster_AmazonEKSClusterPolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | 
@@ -281,15 +238,15 @@ You can also disable `kubernetes-external-secrets` by setting the input `enable- | [aws_iam_role_policy_attachment.csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.csi_managed](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.external_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [aws_iam_role_policy_attachment.external_secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.ng_AmazonEKSServicePolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.ng_AmazonEKSVPCResourceControllerPolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.ng_AmazonEKSWorkerNodePolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [helm_release.aws_load_balancer_controller](https://registry.terraform.io/providers/hashicorp/helm/2.2.0/docs/resources/release) | resource | -| [helm_release.calico](https://registry.terraform.io/providers/hashicorp/helm/2.2.0/docs/resources/release) | resource | | [helm_release.cert_issuer](https://registry.terraform.io/providers/hashicorp/helm/2.2.0/docs/resources/release) | resource | | [helm_release.cert_manager](https://registry.terraform.io/providers/hashicorp/helm/2.2.0/docs/resources/release) | resource | | [helm_release.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/helm/2.2.0/docs/resources/release) | resource | | 
[helm_release.csi](https://registry.terraform.io/providers/hashicorp/helm/2.2.0/docs/resources/release) | resource | | [helm_release.external_dns](https://registry.terraform.io/providers/hashicorp/helm/2.2.0/docs/resources/release) | resource | -| [helm_release.external_secrets](https://registry.terraform.io/providers/hashicorp/helm/2.2.0/docs/resources/release) | resource | | [helm_release.metrics_server](https://registry.terraform.io/providers/hashicorp/helm/2.2.0/docs/resources/release) | resource | | [helm_release.node_termination_handler](https://registry.terraform.io/providers/hashicorp/helm/2.2.0/docs/resources/release) | resource | | [kubernetes_namespace.sn_system](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | 
@@ -307,10 +264,10 @@ You can also disable `kubernetes-external-secrets` by setting the input `enable- | [aws_iam_policy_document.csi_sts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.external_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.external_dns_sts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.external_secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.external_secrets_sts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.ng_assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_kms_key.ebs_default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source | -| [aws_subnet.private_cidrs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source | +| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | +| [aws_subnet.private_subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source | ## Inputs 
@@ -324,7 +281,6 @@ You can also disable `kubernetes-external-secrets` by setting the input `enable- | [aws\_load\_balancer\_controller\_helm\_chart\_repository](#input\_aws\_load\_balancer\_controller\_helm\_chart\_repository) | The repository containing the Helm chart to use for the AWS Load Balancer Controller. | `string` | `"https://aws.github.io/eks-charts"` | no | | [aws\_load\_balancer\_controller\_helm\_chart\_version](#input\_aws\_load\_balancer\_controller\_helm\_chart\_version) | The version of the Helm chart to use for the AWS Load Balancer Controller. The current version can be found in github: https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/main/helm/aws-load-balancer-controller/Chart.yaml. | `string` | `"1.4.2"` | no | | [aws\_load\_balancer\_controller\_settings](#input\_aws\_load\_balancer\_controller\_settings) | Additional settings which will be passed to the Helm chart values for the AWS Load Balancer Controller. See https://github.com/kubernetes-sigs/aws-load-balancer-controller/tree/main/helm/aws-load-balancer-controller for available options. | `map(string)` | `{}` | no | -| [aws\_partition](#input\_aws\_partition) | AWS partition: 'aws', 'aws-cn', or 'aws-us-gov', used when constructing IRSA trust relationship policies. | `string` | `"aws"` | no | | [calico\_helm\_chart\_name](#input\_calico\_helm\_chart\_name) | The name of the Helm chart in the repository for Calico, which is installed alongside the tigera-operator. | `string` | `"tigera-operator"` | no | | [calico\_helm\_chart\_repository](#input\_calico\_helm\_chart\_repository) | The repository containing the calico helm chart. We are currently using a community provided chart, which is a fork of the official chart published by Tigera. This chart isn't as opinionated about namespaces, and should be used until this issue is resolved https://github.com/projectcalico/calico/issues/4812. 
| `string` | `"https://stevehipwell.github.io/helm-charts/"` | no | | [calico\_helm\_chart\_version](#input\_calico\_helm\_chart\_version) | Helm chart version for Calico. Defaults to "1.0.5". See https://github.com/stevehipwell/helm-charts/tree/master/charts/tigera-operator for available version releases. | `string` | `"1.5.0"` | no | 
@@ -343,72 +299,52 @@ You can also disable `kubernetes-external-secrets` by setting the input `enable- | [cluster\_log\_retention\_in\_days](#input\_cluster\_log\_retention\_in\_days) | Number of days to retain log events. Defaults to 365 days. | `number` | `365` | no | | [cluster\_name](#input\_cluster\_name) | The name of your EKS cluster and associated resources. Must be 16 characters or less. | `string` | `""` | no | | [cluster\_version](#input\_cluster\_version) | The version of Kubernetes to be installed. | `string` | `"1.20"` | no | +| [create\_iam\_policies](#input\_create\_iam\_policies) | Whether to create IAM policies for the IAM roles. If set to false, the module will default to using existing policy ARNs that must be present in the AWS account | `bool` | `true` | no | | [csi\_helm\_chart\_name](#input\_csi\_helm\_chart\_name) | The name of the Helm chart in the repository for CSI. | `string` | `"aws-ebs-csi-driver"` | no | | [csi\_helm\_chart\_repository](#input\_csi\_helm\_chart\_repository) | The repository containing the CSI helm chart | `string` | `"https://kubernetes-sigs.github.io/aws-ebs-csi-driver/"` | no | | [csi\_helm\_chart\_version](#input\_csi\_helm\_chart\_version) | Helm chart version for CSI | `string` | `"2.8.0"` | no | | [csi\_settings](#input\_csi\_settings) | Additional settings which will be passed to the Helm chart values, see https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/charts/aws-ebs-csi-driver/values.yaml for available options. | `map(any)` | `{}` | no | +| [disable\_public\_eks\_endpoint](#input\_disable\_public\_eks\_endpoint) | Whether to disable public access to the EKS control plane endpoint. If set to "true", additional configuration is required in order for the cluster to function properly, such as AWS PrivateLink for EC2, ECR, and S3, along with a VPN to access the EKS control plane. It is recommended to keep this setting to "false" unless you are familiar with this type of configuration. 
| `bool` | `false` | no | +| [disable\_public\_pulsar\_endpoint](#input\_disable\_public\_pulsar\_endpoint) | Whether or not to make the Istio Gateway use a public facing or internal network load balancer. If set to "true", additional configuration is required in order to manage the cluster from the StreamNative console | `bool` | `false` | no | | [disk\_encryption\_kms\_key\_id](#input\_disk\_encryption\_kms\_key\_id) | The KMS Key ARN to use for disk encryption. | `string` | `""` | no | -| [enable\_aws\_load\_balancer\_controller](#input\_enable\_aws\_load\_balancer\_controller) | Whether to enable the AWS Load Balancer Controller addon on the cluster. Defaults to "true", and in most situations is required by StreamNative Cloud. | `bool` | `true` | no | -| [enable\_calico](#input\_enable\_calico) | Enables the Calico networking service on the cluster. Defaults to "false". | `bool` | `false` | no | -| [enable\_cert\_manager](#input\_enable\_cert\_manager) | Enables the Cert-Manager addon service on the cluster. Defaults to "true", and in most situations is required by StreamNative Cloud. | `bool` | `true` | no | -| [enable\_cluster\_autoscaler](#input\_enable\_cluster\_autoscaler) | Enables the Cluster Autoscaler addon service on the cluster. Defaults to "true", and in most situations is recommened for StreamNative Cloud. | `bool` | `true` | no | -| [enable\_csi](#input\_enable\_csi) | Enables the EBS Container Storage Interface (CSI) driver on the cluster, which allows for EKS manage the lifecycle of persistant volumes in EBS. | `bool` | `true` | no | -| [enable\_external\_dns](#input\_enable\_external\_dns) | Enables the External DNS addon service on the cluster. Defaults to "true", and in most situations is required by StreamNative Cloud. | `bool` | `true` | no | -| [enable\_external\_secrets](#input\_enable\_external\_secrets) | Enables kubernetes-external-secrets addon service on the cluster. 
Defaults to "false" | `bool` | `false` | no | -| [enable\_func\_pool](#input\_enable\_func\_pool) | Enable an additional dedicated function pool. | `bool` | `true` | no | -| [enable\_func\_pool\_monitoring](#input\_enable\_func\_pool\_monitoring) | Enable CloudWatch monitoring for the dedicated function pool(s). | `bool` | `true` | no | -| [enable\_istio](#input\_enable\_istio) | Enables Istio on the cluster. Set to "true" by default. | `bool` | `true` | no | -| [enable\_metrics\_server](#input\_enable\_metrics\_server) | Enables the Kubernetes Metrics Server addon service on the cluster. Defaults to "true". | `bool` | `true` | no | +| [enable\_bootstrap](#input\_enable\_bootstrap) | Enables bootstrapping of add-ons within the cluster. | `bool` | `true` | no | | [enable\_node\_group\_private\_networking](#input\_enable\_node\_group\_private\_networking) | Enables private networking for the EKS node groups (not the EKS cluster endpoint, which remains public), meaning Kubernetes API requests that originate within the cluster's VPC use a private VPC endpoint for EKS. Defaults to "true". | `bool` | `true` | no | | [enable\_node\_pool\_monitoring](#input\_enable\_node\_pool\_monitoring) | Enable CloudWatch monitoring for the default pool(s). | `bool` | `true` | no | +| [enable\_sncloud\_control\_plane\_access](#input\_enable\_sncloud\_control\_plane\_access) | Whether to enable access to the EKS control plane endpoint. If set to "false", additional configuration is required in order for the cluster to function properly, such as AWS PrivateLink for EC2, ECR, and S3, along with a VPN to access the EKS control plane. It is recommended to keep this setting to "true" unless you are familiar with this type of configuration. | `bool` | `true` | no | | [external\_dns\_helm\_chart\_name](#input\_external\_dns\_helm\_chart\_name) | The name of the Helm chart in the repository for ExternalDNS. 
| `string` | `"external-dns"` | no | | [external\_dns\_helm\_chart\_repository](#input\_external\_dns\_helm\_chart\_repository) | The repository containing the ExternalDNS helm chart. | `string` | `"https://charts.bitnami.com/bitnami"` | no | | [external\_dns\_helm\_chart\_version](#input\_external\_dns\_helm\_chart\_version) | Helm chart version for ExternalDNS. See https://hub.helm.sh/charts/bitnami/external-dns for updates. | `string` | `"6.5.6"` | no | | [external\_dns\_settings](#input\_external\_dns\_settings) | Additional settings which will be passed to the Helm chart values, see https://hub.helm.sh/charts/bitnami/external-dns. | `map(any)` | `{}` | no | -| [external\_secrets\_helm\_chart\_name](#input\_external\_secrets\_helm\_chart\_name) | The name of the Helm chart in the repository for kubernetes-external-secrets. | `string` | `"kubernetes-external-secrets"` | no | -| [external\_secrets\_helm\_chart\_repository](#input\_external\_secrets\_helm\_chart\_repository) | The repository containing the kubernetes-external-secrets helm chart. | `string` | `"https://external-secrets.github.io/kubernetes-external-secrets"` | no | -| [external\_secrets\_helm\_chart\_version](#input\_external\_secrets\_helm\_chart\_version) | Helm chart version for kubernetes-external-secrets. Defaults to "8.3.0". See https://github.com/external-secrets/kubernetes-external-secrets/tree/master/charts/kubernetes-external-secrets for updates. | `string` | `"8.3.0"` | no | -| [external\_secrets\_settings](#input\_external\_secrets\_settings) | Additional settings which will be passed to the Helm chart values, see https://github.com/external-secrets/kubernetes-external-secrets/tree/master/charts/kubernetes-external-secrets for available options. | `map(any)` | `{}` | no | -| [func\_pool\_ami\_id](#input\_func\_pool\_ami\_id) | The AMI ID to use for the func pool nodes. 
Defaults to the latest EKS Optimized AMI provided by AWS | `string` | `""` | no | -| [func\_pool\_ami\_is\_eks\_optimized](#input\_func\_pool\_ami\_is\_eks\_optimized) | If the custom AMI is an EKS optimized image, ignored if ami\_id is not set. If this is true then bootstrap.sh is called automatically (max pod logic needs to be manually set), if this is false you need to provide all the node configuration in pre\_userdata | `bool` | `true` | no | -| [func\_pool\_desired\_size](#input\_func\_pool\_desired\_size) | Desired number of worker nodes | `number` | `0` | no | -| [func\_pool\_disk\_size](#input\_func\_pool\_disk\_size) | Disk size in GiB for function worker nodes. Defaults to 20. Terraform will only perform drift detection if a configuration value is provided. | `number` | `50` | no | -| [func\_pool\_disk\_type](#input\_func\_pool\_disk\_type) | Disk type for function worker nodes. Defaults to gp3. | `string` | `"gp3"` | no | -| [func\_pool\_instance\_types](#input\_func\_pool\_instance\_types) | Set of instance types associated with the EKS Node Group. Defaults to ["t3.large"]. Terraform will only perform drift detection if a configuration value is provided. | `list(string)` |
[
"c6i.large"
]
| no | -| [func\_pool\_labels](#input\_func\_pool\_labels) | Labels to apply to the function pool node group. Defaults to {}. | `map(string)` | `{}` | no | -| [func\_pool\_max\_size](#input\_func\_pool\_max\_size) | The maximum size of the AutoScaling Group. | `number` | `5` | no | -| [func\_pool\_min\_size](#input\_func\_pool\_min\_size) | The minimum size of the AutoScaling Group. | `number` | `0` | no | -| [func\_pool\_namespace](#input\_func\_pool\_namespace) | The namespace where functions run. | `string` | `"pulsar-funcs"` | no | -| [func\_pool\_pre\_userdata](#input\_func\_pool\_pre\_userdata) | The pre-userdata script to run on the function worker nodes. | `string` | `""` | no | -| [func\_pool\_sa\_name](#input\_func\_pool\_sa\_name) | The service account name the functions use. | `string` | `"default"` | no | | [hosted\_zone\_id](#input\_hosted\_zone\_id) | The ID of the Route53 hosted zone used by the cluster's External DNS configuration. | `string` | n/a | yes | | [iam\_path](#input\_iam\_path) | An IAM Path to be used for all IAM resources created by this module. Changing this from the default will cause issues with StreamNative's Vendor access, if applicable. | `string` | `"/StreamNative/"` | no | | [istio\_mesh\_id](#input\_istio\_mesh\_id) | The ID used by the Istio mesh. This is also the ID of the StreamNative Cloud Pool used for the workload environments. This is required when "enable\_istio\_operator" is set to "true". | `string` | `null` | no | | [istio\_network](#input\_istio\_network) | The name of network used for the Istio deployment. This is required when "enable\_istio\_operator" is set to "true". | `string` | `"default"` | no | -| [istio\_network\_loadbancer](#input\_istio\_network\_loadbancer) | n/a | `string` | `"internet_facing"` | no | | [istio\_profile](#input\_istio\_profile) | The path or name for an Istio profile to load. Set to the profile "default" if not specified. 
| `string` | `"default"` | no | | [istio\_revision\_tag](#input\_istio\_revision\_tag) | The revision tag value use for the Istio label "istio.io/rev". | `string` | `"sn-stable"` | no | | [istio\_settings](#input\_istio\_settings) | Additional settings which will be passed to the Helm chart values | `map(any)` | `{}` | no | | [istio\_trust\_domain](#input\_istio\_trust\_domain) | The trust domain used for the Istio deployment, which corresponds to the root of a system. This is required when "enable\_istio\_operator" is set to "true". | `string` | `"cluster.local"` | no | | [kiali\_operator\_settings](#input\_kiali\_operator\_settings) | Additional settings which will be passed to the Helm chart values | `map(any)` | `{}` | no | | [map\_additional\_aws\_accounts](#input\_map\_additional\_aws\_accounts) | Additional AWS account numbers to add to `config-map-aws-auth` ConfigMap. | `list(string)` | `[]` | no | -| [map\_additional\_iam\_roles](#input\_map\_additional\_iam\_roles) | Additional IAM roles to add to `config-map-aws-auth` ConfigMap. |
list(object({
rolearn = string
username = string
groups = list(string)
}))
| `[]` | no | +| [map\_additional\_iam\_roles](#input\_map\_additional\_iam\_roles) | A list of IAM role bindings to add to the aws-auth ConfigMap. |
list(object({
rolearn = string
username = string
groups = list(string)
}))
| `[]` | no | | [map\_additional\_iam\_users](#input\_map\_additional\_iam\_users) | Additional IAM roles to add to `config-map-aws-auth` ConfigMap. |
list(object({
userarn = string
username = string
groups = list(string)
}))
| `[]` | no | | [metrics\_server\_helm\_chart\_name](#input\_metrics\_server\_helm\_chart\_name) | The name of the helm release to install | `string` | `"metrics-server"` | no | | [metrics\_server\_helm\_chart\_repository](#input\_metrics\_server\_helm\_chart\_repository) | The repository containing the external-metrics helm chart. | `string` | `"https://kubernetes-sigs.github.io/metrics-server"` | no | | [metrics\_server\_helm\_chart\_version](#input\_metrics\_server\_helm\_chart\_version) | Helm chart version for Metrics server | `string` | `"3.8.2"` | no | | [metrics\_server\_settings](#input\_metrics\_server\_settings) | Additional settings which will be passed to the Helm chart values, see https://github.com/external-secrets/kubernetes-external-secrets/tree/master/charts/kubernetes-external-secrets for available options. | `map(any)` | `{}` | no | -| [node\_pool\_ami\_id](#input\_node\_pool\_ami\_id) | The AMI ID to use for the EKS cluster nodes. Defaults to the latest EKS Optimized AMI provided by AWS | `string` | `""` | no | -| [node\_pool\_ami\_is\_eks\_optimized](#input\_node\_pool\_ami\_is\_eks\_optimized) | If the custom AMI is an EKS optimized image, ignored if ami\_id is not set. If this is true then bootstrap.sh is called automatically (max pod logic needs to be manually set), if this is false you need to provide all the node configuration in pre\_userdata | `bool` | `true` | no | -| [node\_pool\_desired\_size](#input\_node\_pool\_desired\_size) | Desired number of worker nodes in the node pool. | `number` | `1` | no | +| [node\_pool\_ami\_id](#input\_node\_pool\_ami\_id) | The AMI ID to use for the EKS cluster nodes. Defaults to the latest EKS Optimized AMI provided by AWS. | `string` | `""` | no | +| [node\_pool\_block\_device\_name](#input\_node\_pool\_block\_device\_name) | The name of the block device to use for the EKS cluster nodes. 
| `string` | `"/dev/nvme0n1"` | no | +| [node\_pool\_desired\_size](#input\_node\_pool\_desired\_size) | Desired number of worker nodes in the node pool. | `number` | `0` | no | +| [node\_pool\_disk\_iops](#input\_node\_pool\_disk\_iops) | The amount of provisioned IOPS for the worker node root EBS volume. | `number` | `3000` | no | | [node\_pool\_disk\_size](#input\_node\_pool\_disk\_size) | Disk size in GiB for worker nodes in the node pool. Defaults to 50. | `number` | `50` | no | | [node\_pool\_disk\_type](#input\_node\_pool\_disk\_type) | Disk type for worker nodes in the node pool. Defaults to gp3. | `string` | `"gp3"` | no | -| [node\_pool\_instance\_types](#input\_node\_pool\_instance\_types) | Set of instance types associated with the EKS Node Group. Defaults to ["c6i.large"]. | `list(string)` |
[
"c6i.large"
]
| no | -| [extra\_node\_pool\_instance\_types](#input\_extra\_node\_pool\_instance\_types) | Set of instance types of an extra node pool. Same properties as default node pool except name and instance types. Defaults to []. | `list(string)` |
[]
| no | +| [node\_pool\_ebs\_optimized](#input\_node\_pool\_ebs\_optimized) | If true, the launched EC2 instance(s) will be EBS-optimized. Specify this if using a custom AMI with pre-user data. | `bool` | `true` | no | +| [node\_pool\_instance\_types](#input\_node\_pool\_instance\_types) | Set of instance types associated with the EKS Node Groups. Defaults to ["c6i.xlarge", "c6i.2xlarge", "c6i.4xlarge", "c6i.8xlarge"]. | `list(string)` |
[
"c6i.xlarge",
"c6i.2xlarge",
"c6i.4xlarge",
"c6i.8xlarge"
]
| no | | [node\_pool\_labels](#input\_node\_pool\_labels) | A map of kubernetes labels to add to the node pool. | `map(string)` | `{}` | no | | [node\_pool\_max\_size](#input\_node\_pool\_max\_size) | The maximum size of the node pool Autoscaling group. | `number` | n/a | yes | -| [node\_pool\_min\_size](#input\_node\_pool\_min\_size) | The minimum size of the node pool AutoScaling group. | `number` | `1` | no | +| [node\_pool\_min\_size](#input\_node\_pool\_min\_size) | The minimum size of the node pool AutoScaling group. | `number` | `0` | no | | [node\_pool\_pre\_userdata](#input\_node\_pool\_pre\_userdata) | The user data to apply to the worker nodes in the node pool. This is applied before the bootstrap.sh script. | `string` | `""` | no | +| [node\_pool\_tags](#input\_node\_pool\_tags) | A map of tags to add to the node groups and supporting resources. | `map(string)` | `{}` | no | +| [node\_pool\_taints](#input\_node\_pool\_taints) | A list of taints in map format to apply to the node pool. | `any` | `{}` | no | | [node\_termination\_handler\_chart\_version](#input\_node\_termination\_handler\_chart\_version) | The version of the Helm chart to use for the AWS Node Termination Handler. | `string` | `"0.18.5"` | no | | [node\_termination\_handler\_helm\_chart\_name](#input\_node\_termination\_handler\_helm\_chart\_name) | The name of the Helm chart to use for the AWS Node Termination Handler. | `string` | `"aws-node-termination-handler"` | no | | [node\_termination\_handler\_helm\_chart\_repository](#input\_node\_termination\_handler\_helm\_chart\_repository) | The repository containing the Helm chart to use for the AWS Node Termination Handler. | `string` | `"https://aws.github.io/eks-charts"` | no | 
@@ -417,27 +353,20 @@ You can also disable `kubernetes-external-secrets` by setting the input `enable- | [private\_subnet\_ids](#input\_private\_subnet\_ids) | The ids of existing private subnets. | `list(string)` | `[]` | no | | [public\_subnet\_ids](#input\_public\_subnet\_ids) | The ids of existing public subnets. | `list(string)` | `[]` | no | | [region](#input\_region) | The AWS region. | `string` | `null` | no | -| [service\_domain](#input\_service\_domain) | The DNS domain for external service endpoints. This must be set when enabling Istio or else the deployment will fail. | `string` | `null` | no | -| [sncloud\_services\_iam\_policy\_arn](#input\_sncloud\_services\_iam\_policy\_arn) | The IAM policy ARN to be used for all StreamNative Cloud Services that need to interact with AWS services external to EKS. This policy is typically created by the "modules/managed-cloud" sub-module in this repository, as a seperate customer driven process for managing StreamNative's Vendor Access into AWS. If no policy ARN is provided, the module will generate the policies needed by each cluster service we install and expects that the caller identity has appropriate IAM permissions that allow "iam:CreatePolicy" action. Otherwise the module will fail to run properly. Depends upon use | `string` | `""` | no | -| [sncloud\_services\_lb\_policy\_arn](#input\_sncloud\_services\_lb\_policy\_arn) | A custom IAM policy ARN for LB load balancer controller. If not specified, and use\_runt | `string` | `""` | no | -| [use\_runtime\_policy](#input\_use\_runtime\_policy) | Indicates to use the runtime policy and attach a predefined policies as opposed to create roles. Currently defaults to false | `bool` | `false` | no | +| [service\_domain](#input\_service\_domain) | The domain name being used by the environment, needed specifically for Istio's authorization policies. 
| `string` | n/a | yes | +| [sncloud\_services\_iam\_policy\_arn](#input\_sncloud\_services\_iam\_policy\_arn) | The IAM policy ARN to be used for all StreamNative Cloud Services that need to interact with AWS services external to EKS. This policy is typically created by StreamNative's "terraform-managed-cloud" module, as a seperate customer driven process for managing StreamNative's Vendor Access into AWS. If no policy ARN is provided, the module will default to the expected named policy of "StreamNativeCloudRuntimePolicy". This variable allows for flexibility in the event that the policy name changes, or if a custom policy provided by the customer is preferred. | `string` | `""` | no | +| [sncloud\_services\_lb\_policy\_arn](#input\_sncloud\_services\_lb\_policy\_arn) | A custom IAM policy ARN for LB load balancer controller. This policy is typically created by StreamNative's "terraform-managed-cloud" module, as a seperate customer driven process for managing StreamNative's Vendor Access into AWS. If no policy ARN is provided, the module will default to the expected named policy of "StreamNativeCloudLBPolicy". This variable allows for flexibility in the event that the policy name changes, or if a custom policy provided by the customer is preferred. | `string` | `""` | no | +| [use\_runtime\_policy](#input\_use\_runtime\_policy) | Legacy variable, will be deprecated in future versions. The preference of this module is to have the parent EKS module create and manage the IAM role. However some older configurations may have had the cluster IAM role managed seperately, and this variable allows for backwards compatibility. | `bool` | `true` | no | | [vpc\_id](#input\_vpc\_id) | The ID of the AWS VPC to use. | `string` | `""` | no | -| [wait\_for\_cluster\_timeout](#input\_wait\_for\_cluster\_timeout) | Time in seconds to wait for the newly provisioned EKS cluster's API/healthcheck endpoint to return healthy, before applying the aws-auth configmap. 
Defaults to 300 seconds in the parent module "terraform-aws-modules/eks/aws", which is often too short. Increase to at least 900 seconds, if needed. See also https://github.com/terraform-aws-modules/terraform-aws-eks/pull/1420. | `number` | `0` | no | ## Outputs | Name | Description | |------|-------------| -| [cloudwatch\_log\_group\_arn](#output\_cloudwatch\_log\_group\_arn) | Arn of cloudwatch log group created | | [eks\_cluster\_arn](#output\_eks\_cluster\_arn) | The ARN for the EKS cluster created by this module | | [eks\_cluster\_id](#output\_eks\_cluster\_id) | The id/name of the EKS cluster created by this module | | [eks\_cluster\_identity\_oidc\_issuer\_arn](#output\_eks\_cluster\_identity\_oidc\_issuer\_arn) | The ARN for the OIDC issuer created by this module | -| [eks\_cluster\_identity\_oidc\_issuer\_string](#output\_eks\_cluster\_identity\_oidc\_issuer\_string) | A formatted string containing the prefix for the OIDC issuer created by this module. Same as "cluster\_oidc\_issuer\_url", but with "https://" stripped from the name. This output is typically used in other StreamNative modules that request the "oidc\_issuer" input. | | [eks\_cluster\_identity\_oidc\_issuer\_url](#output\_eks\_cluster\_identity\_oidc\_issuer\_url) | The URL for the OIDC issuer created by this module | | [eks\_cluster\_primary\_security\_group\_id](#output\_eks\_cluster\_primary\_security\_group\_id) | The id of the primary security group created by the EKS service itself, not by this module. This is labeled "Cluster Security Group" in the EKS console. | | [eks\_cluster\_secondary\_security\_group\_id](#output\_eks\_cluster\_secondary\_security\_group\_id) | The id of the secondary security group created by this module. This is labled "Additional Security Groups" in the EKS console. | -| [node\_groups](#output\_node\_groups) | Outputs from EKS node groups. 
Map of maps, keyed by var.node\_groups keys |
-| [worker\_https\_ingress\_security\_group\_rule](#output\_worker\_https\_ingress\_security\_group\_rule) | Security group rule responsible for allowing pods to communicate with the EKS cluster API. |
-| [worker\_iam\_role\_arn](#output\_worker\_iam\_role\_arn) | The IAM Role ARN used by the Worker configuration |
-| [worker\_security\_group\_id](#output\_worker\_security\_group\_id) | Security group ID attached to the EKS node groups |
diff --git a/aws_load_balancer_controller.tf b/aws_load_balancer_controller.tf
index e6f4a44..d218371 100644
--- a/aws_load_balancer_controller.tf
+++ b/aws_load_balancer_controller.tf
@@ -90,7 +90,7 @@ data "aws_iam_policy_document" "aws_load_balancer_controller" {
 statement {
 actions = ["ec2:CreateTags"]
 effect = "Allow"
- resources = ["arn:${var.aws_partition}:ec2:*:*:security-group/*"]
+ resources = ["arn:${local.aws_partition}:ec2:*:*:security-group/*"]
 condition {
 test = "StringEquals"
 variable = "ec2:CreateAction"
@@ -109,7 +109,7 @@ data "aws_iam_policy_document" "aws_load_balancer_controller" {
 "ec2:DeleteTags"
 ]
 effect = "Allow"
- resources = ["arn:${var.aws_partition}:ec2:*:*:security-group/*"]
+ resources = ["arn:${local.aws_partition}:ec2:*:*:security-group/*"]
 condition {
 test = "Null"
 variable = "aws:RequestTag/elbv2.k8s.aws/cluster"
@@ -169,9 +169,9 @@ data "aws_iam_policy_document" "aws_load_balancer_controller" {
 ]
 effect = "Allow"
 resources = [
- "arn:${var.aws_partition}:elasticloadbalancing:*:*:targetgroup/*/*",
- "arn:${var.aws_partition}:elasticloadbalancing:*:*:loadbalancer/net/*/*",
- "arn:${var.aws_partition}:elasticloadbalancing:*:*:loadbalancer/app/*/*"
+ "arn:${local.aws_partition}:elasticloadbalancing:*:*:targetgroup/*/*",
+ "arn:${local.aws_partition}:elasticloadbalancing:*:*:loadbalancer/net/*/*",
+ "arn:${local.aws_partition}:elasticloadbalancing:*:*:loadbalancer/app/*/*"
 ]
 condition {
 test = "Null"
@@ -192,10 +192,10 @@ data "aws_iam_policy_document" "aws_load_balancer_controller" {
 ]
 effect = "Allow"
 resources = [
- "arn:${var.aws_partition}:elasticloadbalancing:*:*:listener/net/*/*/*",
- "arn:${var.aws_partition}:elasticloadbalancing:*:*:listener/app/*/*/*",
- "arn:${var.aws_partition}:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
- "arn:${var.aws_partition}:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
+ "arn:${local.aws_partition}:elasticloadbalancing:*:*:listener/net/*/*/*",
+ "arn:${local.aws_partition}:elasticloadbalancing:*:*:listener/app/*/*/*",
+ "arn:${local.aws_partition}:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
+ "arn:${local.aws_partition}:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
 ]
 }
@@ -225,7 +225,7 @@ data "aws_iam_policy_document" "aws_load_balancer_controller" {
 "elasticloadbalancing:DeregisterTargets"
 ]
 effect = "Allow"
- resources = ["arn:${var.aws_partition}:elasticloadbalancing:*:*:targetgroup/*/*"]
+ resources = ["arn:${local.aws_partition}:elasticloadbalancing:*:*:targetgroup/*/*"]
 }
 statement {
@@ -249,7 +249,7 @@ data "aws_iam_policy_document" "aws_load_balancer_controller_sts" {
 effect = "Allow"
 principals {
 type = "Federated"
- identifiers = [format("arn:%s:iam::%s:oidc-provider/%s", var.aws_partition, local.account_id, local.oidc_issuer)]
+ identifiers = [format("arn:%s:iam::%s:oidc-provider/%s", local.aws_partition, local.account_id, local.oidc_issuer)]
 }
 condition {
 test = "StringLike"
@@ -260,32 +260,30 @@ data "aws_iam_policy_document" "aws_load_balancer_controller_sts" {
 }
 resource "aws_iam_role" "aws_load_balancer_controller" {
- count = var.enable_aws_load_balancer_controller ? 1 : 0
 name = format("%s-lbc-role", module.eks.cluster_id)
 description = format("Role used by IRSA and the KSA aws-load-balancer-controller on StreamNative Cloud EKS cluster %s", module.eks.cluster_id)
 assume_role_policy = data.aws_iam_policy_document.aws_load_balancer_controller_sts.json
 path = "/StreamNative/"
 permissions_boundary = var.permissions_boundary_arn
- tags = merge({ "Vendor" = "StreamNative" }, var.additional_tags)
+ tags = local.tags
 }
 resource "aws_iam_policy" "aws_load_balancer_controller" {
- count = local.create_lb_policy ? 1 : 0
+ count = var.create_iam_policies ? 1 : 0
 name = format("%s-AWSLoadBalancerControllerPolicy", module.eks.cluster_id)
 description = "Policy that defines the permissions for the AWS Load Balancer Controller addon service running in a StreamNative Cloud EKS cluster"
 path = "/StreamNative/"
 policy = data.aws_iam_policy_document.aws_load_balancer_controller.json
- tags = merge({ "Vendor" = "StreamNative" }, var.additional_tags)
+ tags = local.tags
 }
 resource "aws_iam_role_policy_attachment" "aws_load_balancer_controller" {
- count = var.enable_aws_load_balancer_controller ? 1 : 0
- policy_arn = local.lb_policy_arn != "" ? local.lb_policy_arn : aws_iam_policy.aws_load_balancer_controller[0].arn
- role = aws_iam_role.aws_load_balancer_controller[0].name
+ policy_arn = var.create_iam_policies ? aws_iam_policy.aws_load_balancer_controller[0].arn : local.default_lb_policy_arn
+ role = aws_iam_role.aws_load_balancer_controller.name
 }
 resource "helm_release" "aws_load_balancer_controller" {
- count = var.enable_aws_load_balancer_controller ? 1 : 0
+ count = var.enable_bootstrap ? 1 : 0
 atomic = true
 chart = var.aws_load_balancer_controller_helm_chart_name
 cleanup_on_fail = true
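Review bot: Dropping the `count` from `aws_iam_role.aws_load_balancer_controller` and `aws_iam_role_policy_attachment.aws_load_balancer_controller` makes the IRSA role and its permissions unconditional, while `helm_release.aws_load_balancer_controller` is now gated on `var.enable_bootstrap`, so a cluster deployed with bootstrap disabled carries an assumable role with load-balancer permissions and no workload behind it (the trust policy's `StringLike` condition in the preceding hunk still limits which service account can assume it, so this is an unused privileged role rather than an open one). If pre-provisioning the role is the intended contract, a comment on the role such as `# Created even when enable_bootstrap is false so the IRSA role exists before the add-on is installed` would record that; otherwise both resources should share the helm release's guard. The change of address from `aws_iam_role.aws_load_balancer_controller[0]` to an un-indexed resource will also plan a destroy/recreate of the role against existing state unless a `moved` block (or a state move) accompanies it, and the same applies in the opposite direction to the `count` added to `helm_release.node_termination_handler` in a later hunk. Finally, when `var.create_iam_policies` is false the attachment falls back to `local.default_lb_policy_arn`, which per the README change in this commit defaults to a policy named StreamNativeCloudLBPolicy that this module does not manage; a `data "aws_iam_policy"` lookup on that ARN would surface a missing or misnamed policy at plan time rather than midway through apply.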
@@ -299,11 +297,12 @@ resource "helm_release" "aws_load_balancer_controller" {
 defaultTags = merge(var.additional_tags, { "Vendor" = "StreamNative" })
+ replicaCount = 2
 serviceAccount = {
 create = true
 name = "aws-load-balancer-controller"
 annotations = {
- "eks.amazonaws.com/role-arn" = aws_iam_role.aws_load_balancer_controller[0].arn
+ "eks.amazonaws.com/role-arn" = aws_iam_role.aws_load_balancer_controller.arn
 }
 }
 })]
@@ -316,11 +315,6 @@ resource "helm_release" "aws_load_balancer_controller" {
 }
 }
- set {
- name = "defaultTags.Vendor"
- value = "StreamNative"
- }
-
 depends_on = [
 module.eks
 ]
diff --git a/aws_node_termination_handler.tf b/aws_node_termination_handler.tf
index 21baca4..c7af09d 100644
--- a/aws_node_termination_handler.tf
+++ b/aws_node_termination_handler.tf
@@ -18,6 +18,7 @@
 #
 resource "helm_release" "node_termination_handler" {
+ count = var.enable_bootstrap ? 1 : 0
 atomic = true
 chart = var.node_termination_handler_helm_chart_name
 cleanup_on_fail = true
diff --git a/calico.tf b/calico.tf
deleted file mode 100644
index 830ca48..0000000
--- a/calico.tf
+++ /dev/null
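Review bot: `defaultTags = merge(var.additional_tags, { "Vendor" = "StreamNative" })` in the -299 hunk is a context line that still builds the tag map inline, while the IAM role and policy in this same file were switched to `local.tags` in this commit; if `local.tags` is that same merge (its definition is outside this diff), `defaultTags = local.tags` would keep a single source of truth for the tags the controller stamps on the load balancers and security groups it creates. Removing the `set { name = "defaultTags.Vendor" ... }` block in the next hunk is consistent with that, since the value is already supplied through `values`. The enclosing `helm_release` block starts and ends outside both hunks.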
@@ -1,53 +0,0 @@ -# -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, -# software distributed under the License is distributed on an -# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -# KIND, either express or implied. See the License for the -# specific language governing permissions and limitations -# under the License. -# - -resource "helm_release" "calico" { - count = var.enable_calico ? 1 : 0 - atomic = true - chart = var.calico_helm_chart_name - cleanup_on_fail = true - name = "tigera-operator" - namespace = "kube-system" - repository = var.calico_helm_chart_repository - timeout = 300 - version = var.calico_helm_chart_version - values = [yamlencode({ - installation = { - kubernetesProvider = "EKS" - enabled = true - spec = { - cni = { - type = "AmazonVPC" - } - } - } - })] - - dynamic "set" { - for_each = var.calico_settings - content { - name = set.key - value = set.value - } - } - - depends_on = [ - module.eks - ] -} \ No newline at end of file diff --git a/cert_manager.tf b/cert_manager.tf index 02c0d68..67e493a 100644 --- a/cert_manager.tf +++ b/cert_manager.tf @@ -24,7 +24,7 @@ data "aws_iam_policy_document" "cert_manager" { "route53:GetChange" ] resources = [ - "arn:${var.aws_partition}:route53:::change/*" + "arn:${local.aws_partition}:route53:::change/*" ] effect = "Allow" } 
@@ -36,7 +36,7 @@ data "aws_iam_policy_document" "cert_manager" { "route53:ListResourceRecordSets" ] resources = [ - "arn:${var.aws_partition}:route53:::hostedzone/${var.hosted_zone_id}" + "arn:${local.aws_partition}:route53:::hostedzone/${var.hosted_zone_id}" ] effect = "Allow" } @@ -61,7 +61,7 @@ data "aws_iam_policy_document" "cert_manager_sts" { effect = "Allow" principals { type = "Federated" - identifiers = [format("arn:%s:iam::%s:oidc-provider/%s", var.aws_partition, local.account_id, local.oidc_issuer)] + identifiers = [format("arn:%s:iam::%s:oidc-provider/%s", local.aws_partition, local.account_id, local.oidc_issuer)] } condition { test = "StringLike" 
@@ -72,32 +72,30 @@ data "aws_iam_policy_document" "cert_manager_sts" { } resource "aws_iam_role" "cert_manager" { - count = var.enable_cert_manager ? 1 : 0 name = format("%s-cm-role", module.eks.cluster_id) description = format("Role assumed by IRSA and the KSA cert-manager on StreamNative Cloud EKS cluster %s", module.eks.cluster_id) assume_role_policy = data.aws_iam_policy_document.cert_manager_sts.json path = "/StreamNative/" permissions_boundary = var.permissions_boundary_arn - tags = merge({ "Vendor" = "StreamNative" }, var.additional_tags) + tags = local.tags } resource "aws_iam_policy" "cert_manager" { - count = local.create_cert_man_policy ? 1 : 0 + count = var.create_iam_policies ? 1 : 0 name = format("%s-CertManagerPolicy", module.eks.cluster_id) description = "Policy that defines the permissions for the Cert-Manager addon service running in a StreamNative Cloud EKS cluster" path = "/StreamNative/" policy = data.aws_iam_policy_document.cert_manager.json - tags = merge({ "Vendor" = "StreamNative" }, var.additional_tags) + tags = local.tags } resource "aws_iam_role_policy_attachment" "cert_manager" { - count = var.enable_cert_manager ? 1 : 0 - policy_arn = local.sn_serv_policy_arn != "" ? local.sn_serv_policy_arn : aws_iam_policy.cert_manager[0].arn - role = aws_iam_role.cert_manager[0].name + policy_arn = var.create_iam_policies ? aws_iam_policy.cert_manager[0].arn : local.default_service_policy_arn + role = aws_iam_role.cert_manager.name } resource "helm_release" "cert_manager" { - count = var.enable_cert_manager ? 1 : 0 + count = var.enable_bootstrap ? 1 : 0 atomic = true chart = var.cert_manager_helm_chart_name cleanup_on_fail = true @@ -114,7 +112,7 @@ resource "helm_release" "cert_manager" { ] serviceAccount = { annotations = { - "eks.amazonaws.com/role-arn" = aws_iam_role.cert_manager[0].arn + "eks.amazonaws.com/role-arn" = aws_iam_role.cert_manager.arn } } podSecurityContext = { 
@@ -122,7 +120,6 @@ resource "helm_release" "cert_manager" { } } kubeVersion = var.cluster_version - })] dynamic "set" { @@ -139,23 +136,19 @@ resource "helm_release" "cert_manager" { } resource "helm_release" "cert_issuer" { - count = var.enable_cert_manager ? 1 : 0 + count = var.enable_bootstrap ? 1 : 0 atomic = true chart = "${path.module}/charts/cert-issuer" cleanup_on_fail = true name = "cert-issuer" namespace = kubernetes_namespace.sn_system.metadata[0].name timeout = 300 - - set { - name = "supportEmail" - value = var.cert_issuer_support_email - } - - set { - name = "dns01.region" - value = var.region - } + values = [yamlencode({ + supportEmail = var.cert_issuer_support_email + dns01 = { + region = var.region + } + })] depends_on = [ helm_release.cert_manager diff --git a/cluster_autoscaler.tf b/cluster_autoscaler.tf index 25b42b7..81d9b13 100644 --- a/cluster_autoscaler.tf +++ b/cluster_autoscaler.tf @@ -59,7 +59,7 @@ data "aws_iam_policy_document" "cluster_autoscaler_sts" { effect = "Allow" principals { type = "Federated" - identifiers = [format("arn:%s:iam::%s:oidc-provider/%s", var.aws_partition, local.account_id, local.oidc_issuer)] + identifiers = [format("arn:%s:iam::%s:oidc-provider/%s", local.aws_partition, local.account_id, local.oidc_issuer)] } condition { test = "StringLike" 
@@ -70,28 +70,26 @@ data "aws_iam_policy_document" "cluster_autoscaler_sts" { } resource "aws_iam_role" "cluster_autoscaler" { - count = var.enable_cluster_autoscaler ? 1 : 0 name = format("%s-ca-role", module.eks.cluster_id) description = format("Role used by IRSA and the KSA cluster-autoscaler on StreamNative Cloud EKS cluster %s", module.eks.cluster_id) assume_role_policy = data.aws_iam_policy_document.cluster_autoscaler_sts.json path = "/StreamNative/" permissions_boundary = var.permissions_boundary_arn - tags = merge({ "Vendor" = "StreamNative" }, var.additional_tags) + tags = local.tags } resource "aws_iam_policy" "cluster_autoscaler" { - count = local.create_ca_policy ? 1 : 0 + count = var.create_iam_policies ? 1 : 0 name = format("%s-ClusterAutoscalerPolicy", module.eks.cluster_id) description = "Policy that defines the permissions for the Cluster Autoscaler addon service running in a StreamNative Cloud EKS cluster" path = "/StreamNative/" policy = data.aws_iam_policy_document.cluster_autoscaler.json - tags = merge({ "Vendor" = "StreamNative" }, var.additional_tags) + tags = local.tags } resource "aws_iam_role_policy_attachment" "cluster_autoscaler" { - count = var.enable_cluster_autoscaler ? 1 : 0 - policy_arn = local.sn_serv_policy_arn != "" ? local.sn_serv_policy_arn : aws_iam_policy.cluster_autoscaler[0].arn - role = aws_iam_role.cluster_autoscaler[0].name + policy_arn = var.create_iam_policies ? aws_iam_policy.cluster_autoscaler[0].arn : local.default_service_policy_arn + role = aws_iam_role.cluster_autoscaler.name } ############ @@ -113,7 +111,7 @@ locals { } resource "helm_release" "cluster_autoscaler" { - count = var.enable_cluster_autoscaler ? 1 : 0 + count = var.enable_bootstrap ? 1 : 0 atomic = true chart = var.cluster_autoscaler_helm_chart_name cleanup_on_fail = true 
@@ -151,21 +149,21 @@ resource "helm_release" "cluster_autoscaler" { } ] image = { - tag = lookup(local.k8s_to_autoscaler_version, var.cluster_version, "v1.20.1") # image.tag defaults to the version corresponding to var.cluster_version's default value and must manually be updated + tag = lookup(local.k8s_to_autoscaler_version, var.cluster_version, "v1.21.1") # image.tag defaults to the version corresponding to var.cluster_version's default value and must manually be updated } rbac = { create = true pspEnabled = true serviceAccount = { annotations = { - "eks.amazonaws.com/role-arn" = aws_iam_role.cluster_autoscaler[0].arn + "eks.amazonaws.com/role-arn" = aws_iam_role.cluster_autoscaler.arn }, create = true name = "cluster-autoscaler" automountServiceAccountToken = true } } - replicaCount = "1" + replicaCount = "2" resources = { limits = { cpu = "200m" diff --git a/csi.tf b/csi.tf index 25302dc..cbf9baf 100644 --- a/csi.tf +++ b/csi.tf @@ -17,14 +17,6 @@ # under the License. # -data "aws_kms_key" "ebs_default" { - key_id = "alias/aws/ebs" -} - -locals { - kms_key = var.disk_encryption_kms_key_id == "" ? data.aws_kms_key.ebs_default.arn : var.disk_encryption_kms_key_id -} - data "aws_iam_policy_document" "csi" { statement { actions = [ @@ -47,8 +39,8 @@ data "aws_iam_policy_document" "csi" { "ec2:CreateTags" ] resources = [ - "arn:${var.aws_partition}:ec2:*:*:volume/*", - "arn:${var.aws_partition}:ec2:*:*:snapshot/*" + "arn:${local.aws_partition}:ec2:*:*:volume/*", + "arn:${local.aws_partition}:ec2:*:*:snapshot/*" ] effect = "Allow" condition { @@ -62,8 +54,8 @@ data "aws_iam_policy_document" "csi" { "ec2:DeleteTags" ] resources = [ - "arn:${var.aws_partition}:ec2:*:*:volume/*", - "arn:${var.aws_partition}:ec2:*:*:snapshot/*" + "arn:${local.aws_partition}:ec2:*:*:volume/*", + "arn:${local.aws_partition}:ec2:*:*:snapshot/*" ] effect = "Allow" } 
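Review bot: The `lookup(local.k8s_to_autoscaler_version, var.cluster_version, "v1.21.1")` fallback silently deploys a v1.21 cluster-autoscaler for any `var.cluster_version` missing from the map, and cluster-autoscaler is only supported against the matching Kubernetes minor, so an unlisted (most likely newer) cluster version gets a mismatched autoscaler instead of a plan-time error. Indexing the map directly, `tag = local.k8s_to_autoscaler_version[var.cluster_version]`, turns the omission into a failed plan, which is the safer outcome for the component that adds and removes nodes; the map itself lives in the `locals` block above this hunk. `replicaCount = "2"` looks fine if the chart enables leader election by default, but that is inferred from the chart rather than visible here. `pspEnabled = true` is context rather than new code, yet PodSecurityPolicy is removed in Kubernetes 1.25, so this block needs revisiting as the version map grows.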
@@ -162,7 +154,7 @@ data "aws_iam_policy_document" "csi_sts" { effect = "Allow" principals { type = "Federated" - identifiers = [format("arn:%s:iam::%s:oidc-provider/%s", var.aws_partition, local.account_id, local.oidc_issuer)] + identifiers = [format("arn:%s:iam::%s:oidc-provider/%s", local.aws_partition, local.account_id, local.oidc_issuer)] } condition { test = "StringEquals" 
@@ -178,38 +170,35 @@ data "aws_iam_policy_document" "csi_sts" { } resource "aws_iam_role" "csi" { - count = var.enable_csi ? 1 : 0 name = format("%s-csi-role", module.eks.cluster_id) description = format("Role used by IRSA and the KSA ebs-csi-controller-sa on StreamNative Cloud EKS cluster %s", module.eks.cluster_id) assume_role_policy = data.aws_iam_policy_document.csi_sts.json path = "/StreamNative/" permissions_boundary = var.permissions_boundary_arn - tags = merge({ "Vendor" = "StreamNative" }, var.additional_tags) + tags = local.tags } resource "aws_iam_policy" "csi" { - count = local.create_csi_policy ? 1 : 0 + count = var.create_iam_policies ? 1 : 0 name = format("%s-CsiPolicy", module.eks.cluster_id) description = "Policy that defines the permissions for the EBS Container Storage Interface CSI addon service running in a StreamNative Cloud EKS cluster" path = "/StreamNative/" policy = data.aws_iam_policy_document.csi.json - tags = merge({ "Vendor" = "StreamNative" }, var.additional_tags) + tags = local.tags } resource "aws_iam_role_policy_attachment" "csi_managed" { - count = var.enable_csi ? 1 : 0 - policy_arn = "arn:${var.aws_partition}:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy" - role = aws_iam_role.csi[0].name + policy_arn = "arn:${local.aws_partition}:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy" + role = aws_iam_role.csi.name } resource "aws_iam_role_policy_attachment" "csi" { - count = var.enable_csi ? 1 : 0 - policy_arn = local.sn_serv_policy_arn != "" ? local.sn_serv_policy_arn : aws_iam_policy.csi[0].arn - role = aws_iam_role.csi[0].name + policy_arn = var.create_iam_policies ? aws_iam_policy.csi[0].arn : local.default_service_policy_arn + role = aws_iam_role.csi.name } resource "helm_release" "csi" { - count = var.enable_csi ? 1 : 0 + count = var.enable_bootstrap ? 1 : 0 atomic = true chart = var.csi_helm_chart_name cleanup_on_fail = true 
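Review bot: `aws_iam_role.csi` ends up with the AWS-managed `AmazonEBSCSIDriverPolicy` plus a second policy that, when `var.create_iam_policies` is false, is `local.default_service_policy_arn` (StreamNativeCloudRuntimePolicy) rather than the narrowly scoped `aws_iam_policy.csi`. The managed policy already covers the EBS CSI driver's EC2 calls, so in that mode the role widens to whatever the shared runtime policy grants, beyond what this driver needs; I cannot see that policy's contents in this diff, so please confirm, and consider skipping the second attachment in that mode with `count = var.create_iam_policies ? 1 : 0` on `aws_iam_role_policy_attachment.csi`. If `aws_iam_policy.csi` exists specifically to add the tag-conditioned statements earlier in this file, a comment stating why both policies are attached would help the next reader.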
@@ -227,7 +216,7 @@ resource "helm_release" "csi" { create = true name = "ebs-csi-controller-sa" annotations = { - "eks.amazonaws.com/role-arn" = aws_iam_role.csi[0].arn + "eks.amazonaws.com/role-arn" = aws_iam_role.csi.arn } } } @@ -245,33 +234,3 @@ resource "helm_release" "csi" { module.eks ] } - -resource "kubernetes_storage_class" "sn_default" { - metadata { - name = "sn-default" - } - storage_provisioner = var.enable_csi ? "ebs.csi.aws.com" : "kubernetes.io/aws-ebs" - parameters = { - type = "gp3" - encrypted = "true" - kmsKeyId = local.kms_key - } - reclaim_policy = "Delete" - allow_volume_expansion = true - volume_binding_mode = "WaitForFirstConsumer" -} - -resource "kubernetes_storage_class" "sn_ssd" { - metadata { - name = "sn-ssd" - } - storage_provisioner = "ebs.csi.aws.com" - parameters = { - type = "gp3" - encrypted = "true" - kmsKeyId = local.kms_key - } - reclaim_policy = "Delete" - allow_volume_expansion = true - volume_binding_mode = "WaitForFirstConsumer" -} diff --git a/external_dns.tf b/external_dns.tf index 6fad519..869c955 100644 --- a/external_dns.tf +++ b/external_dns.tf @@ -24,7 +24,7 @@ data "aws_iam_policy_document" "external_dns" { "route53:ChangeResourceRecordSets" ] resources = [ - "arn:${var.aws_partition}:route53:::hostedzone/${var.hosted_zone_id}" + "arn:${local.aws_partition}:route53:::hostedzone/${var.hosted_zone_id}" ] effect = "Allow" } @@ -51,7 +51,7 @@ data "aws_iam_policy_document" "external_dns_sts" { effect = "Allow" principals { type = "Federated" - identifiers = [format("arn:%s:iam::%s:oidc-provider/%s", var.aws_partition, local.account_id, local.oidc_issuer)] + identifiers = [format("arn:%s:iam::%s:oidc-provider/%s", local.aws_partition, local.account_id, local.oidc_issuer)] } condition { test = "StringLike" 
@@ -62,38 +62,30 @@ data "aws_iam_policy_document" "external_dns_sts" { } resource "aws_iam_role" "external_dns" { - count = var.enable_external_dns ? 1 : 0 name = format("%s-extdns-role", module.eks.cluster_id) description = format("Role used by IRSA and the KSA external-dns on StreamNative Cloud EKS cluster %s", module.eks.cluster_id) assume_role_policy = data.aws_iam_policy_document.external_dns_sts.json path = "/StreamNative/" permissions_boundary = var.permissions_boundary_arn - tags = merge({ "Vendor" = "StreamNative" }, var.additional_tags) + tags = local.tags } resource "aws_iam_policy" "external_dns" { - count = local.create_ext_dns_policy ? 1 : 0 + count = var.create_iam_policies ? 1 : 0 name = format("%s-ExternalDnsPolicy", module.eks.cluster_id) description = "Policy that defines the permissions for the ExternalDNS addon service running in a StreamNative Cloud EKS cluster" path = "/StreamNative/" policy = data.aws_iam_policy_document.external_dns.json - tags = merge({ "Vendor" = "StreamNative" }, var.additional_tags) + tags = local.tags } resource "aws_iam_role_policy_attachment" "external_dns" { - count = var.enable_external_dns ? 1 : 0 - policy_arn = local.sn_serv_policy_arn != "" ? local.sn_serv_policy_arn : aws_iam_policy.external_dns[0].arn - role = aws_iam_role.external_dns[0].name -} - -locals { - default_sources = ["service", "ingress"] - istio_sources = ["istio-gateway", "istio-virtualservice"] - sources = var.enable_istio ? concat(local.istio_sources, local.default_sources) : local.default_sources + policy_arn = var.create_iam_policies ? aws_iam_policy.external_dns[0].arn : local.default_service_policy_arn + role = aws_iam_role.external_dns.name } resource "helm_release" "external_dns" { - count = var.enable_external_dns ? 1 : 0 + count = var.enable_bootstrap ? 1 : 0 atomic = true chart = var.external_dns_helm_chart_name cleanup_on_fail = true 
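Review bot: With `var.create_iam_policies = false`, `aws_iam_role.external_dns` receives `local.default_service_policy_arn`, the same StreamNativeCloudRuntimePolicy handed to cert-manager, cluster-autoscaler and the CSI driver, whereas the module's own `aws_iam_policy_document.external_dns` scopes `route53:ChangeResourceRecordSets` to `hostedzone/${var.hosted_zone_id}`. Unless that shared policy is equally zone-scoped (its contents are not in this diff), that mode trades a per-addon least-privilege policy for one union grant across four service accounts, and a compromised external-dns pod could then use whatever else the runtime policy allows. Record the trade-off on the variable, e.g. `# create_iam_policies = false attaches the pre-provisioned StreamNativeCloudRuntimePolicy to every addon role; it must be kept at least as narrow as the union of the per-addon policy documents in this module`, or accept a per-addon policy ARN so operators can keep the split.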
@@ -114,14 +106,15 @@ resource "helm_release" "external_dns" { rbac = { create = true } + replicaCount = 2 serviceAccount = { create = true name = "external-dns" annotations = { - "eks.amazonaws.com/role-arn" = aws_iam_role.external_dns[0].arn + "eks.amazonaws.com/role-arn" = aws_iam_role.external_dns.arn } } - sources = local.sources + sources = ["service", "ingress", "istio-gateway", "istio-virtualservice"] txtOwnerId = module.eks.cluster_id })] diff --git a/external_secrets.tf b/external_secrets.tf deleted file mode 100644 index 8595df9..0000000 --- a/external_secrets.tf +++ /dev/null 
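Review bot: `replicaCount = 2` is new here and, as far as I know, external-dns has no leader election, so two replicas sharing `txtOwnerId = module.eks.cluster_id` will both reconcile `var.hosted_zone_id` and can race on the same record sets, which tends to surface as Route53 throttling or flapping ownership TXT records; please verify against the chart and external-dns release pinned by `var.external_dns_helm_chart_version`. If the second replica is meant to cover node rotation, a single replica with rollout settings is the usual recommendation; if two are intentional, say so at the line: `replicaCount = 2 # NOTE: confirm the pinned external-dns serialises writers; otherwise both replicas write to the zone`. The hard-coded `sources` list now always includes the Istio sources, which matches `module.istio` no longer being optional in istio.tf.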
@@ -1,121 +0,0 @@ -# -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, -# software distributed under the License is distributed on an -# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -# KIND, either express or implied. See the License for the -# specific language governing permissions and limitations -# under the License. -# - -data "aws_iam_policy_document" "external_secrets" { - statement { - sid = "ListSecrets" - actions = ["secretsmanager:ListSecrets"] - resources = ["*"] - effect = "Allow" - } - - statement { - sid = "GetSecrets" - actions = [ - "secretsmanager:GetResourcePolicy", - "secretsmanager:GetSecretValue", - "secretsmanager:DescribeSecret", - "secretsmanager:ListSecretVersionIds", - "secretsmanager:ListSecrets", - ] - resources = coalescelist(var.asm_secret_arns, ["arn:${var.aws_partition}:secretsmanager:${var.region}:${local.account_id}:secret:*"]) # Defaults to allow access to all secrets for ASM in the module's region - effect = "Allow" - } -} - -data "aws_iam_policy_document" "external_secrets_sts" { - statement { - actions = [ - "sts:AssumeRoleWithWebIdentity" - ] - effect = "Allow" - principals { - type = "Federated" - identifiers = [format("arn:%s:iam::%s:oidc-provider/%s", var.aws_partition, local.account_id, local.oidc_issuer)] - } - condition { - test = "StringLike" - values = [format("system:serviceaccount:%s:%s", "kube-system", "external-secrets")] - variable = format("%s:sub", local.oidc_issuer) - } - } -} - -resource "aws_iam_role" "external_secrets" { - 
count = var.enable_external_secrets ? 1 : 0 - name = format("%s-extsec-role", module.eks.cluster_id) - description = format("Role used by IRSA and the KSA external-secrets on StreamNative Cloud EKS cluster %s", module.eks.cluster_id) - assume_role_policy = data.aws_iam_policy_document.external_secrets_sts.json - path = "/StreamNative/" - permissions_boundary = var.permissions_boundary_arn - tags = merge({ "Vendor" = "StreamNative" }, var.additional_tags) -} - -resource "aws_iam_policy" "external_secrets" { - count = local.create_ext_sec_policy == "" ? 1 : 0 - name = format("%s-ExternalSecretsPolicy", module.eks.cluster_id) - description = "Policy that defines the permissions for the kubernetes-external-secrets addon service running in a StreamNative Cloud EKS cluster" - path = "/StreamNative/" - policy = data.aws_iam_policy_document.external_secrets.json - tags = merge({ "Vendor" = "StreamNative" }, var.additional_tags) -} - -resource "aws_iam_role_policy_attachment" "external_secrets" { - count = var.enable_external_secrets ? 1 : 0 - policy_arn = local.sn_serv_policy_arn != "" ? local.sn_serv_policy_arn : aws_iam_policy.external_secrets[0].arn - role = aws_iam_role.external_secrets[0].name -} - -resource "helm_release" "external_secrets" { - count = var.enable_external_secrets ? 1 : 0 - atomic = true - chart = var.external_secrets_helm_chart_name - cleanup_on_fail = true - namespace = "kube-system" - name = "external-secrets" - repository = var.external_secrets_helm_chart_repository - timeout = 300 - version = var.external_secrets_helm_chart_version - values = [yamlencode({ - env = { - AWS_REGION = var.region - } - securityContext = { - fsGroup = 65534 - } - serviceAccount = { - annotations = { - "eks.amazonaws.com/role-arn" = aws_iam_role.external_secrets[0].arn - } - name = "external-secrets" - } - })] - - dynamic "set" { - for_each = var.external_secrets_settings - content { - name = set.key - value = set.value - } - } - - depends_on = [ - module.eks - ] -} 
diff --git a/fluent_bit.tf b/fluent_bit.tf deleted file mode 100644 index c71db8b..0000000 --- a/fluent_bit.tf +++ /dev/null 
@@ -1,90 +0,0 @@ -# -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, -# software distributed under the License is distributed on an -# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -# KIND, either express or implied. See the License for the -# specific language governing permissions and limitations -# under the License. -# - -# resource "aws_iam_role" "fluent_bit" { -# count = var.enable_fluent_bit ? 1 : 0 -# name = format("%s-fbit-role", module.eks.cluster_id) -# description = format("Role used by IRSA and the KSA aws-for-fluent-bit on StreamNative Cloud EKS cluster %s", module.eks.cluster_id) -# assume_role_policy = data.aws_iam_policy_document.fluent_bit_sts.json -# path = "/StreamNative/" -# permissions_boundary = var.permissions_boundary_arn -# tags = merge({ "Vendor" = "StreamNative" }, var.additional_tags) -# } - -# resource "aws_iam_policy" "fluent_bit" { -# count = local.create_fluent_bit_policy ? 1 : 0 -# name = format("%s-fluent_bitPolicy", module.eks.cluster_id) -# description = "Policy that defines the permissions for the EBS Container Storage Interface Fluent Bit addon service running in a StreamNative Cloud EKS cluster" -# path = "/StreamNative/" -# policy = data.aws_iam_policy_document.fluent_bit.json -# tags = merge({ "Vendor" = "StreamNative" }, var.additional_tags) -# } - -# resource "aws_iam_role_policy_attachment" "fluent_bit_managed" { -# count = var.enable_fluent_bit ? 
1 : 0 -# policy_arn = "arn:${var.aws_partition}:iam::aws:policy/service-role/AmazonEBSfluent_bitDriverPolicy" -# role = aws_iam_role.fluent_bit[0].name -# } - -# resource "aws_iam_role_policy_attachment" "fluent_bit" { -# count = var.enable_fluent_bit ? 1 : 0 -# policy_arn = local.sn_serv_policy_arn != "" ? local.sn_serv_policy_arn : aws_iam_policy.fluent_bit[0].arn -# role = aws_iam_role.fluent_bit[0].name -# } - -# resource "helm_release" "fluent_bit" { -# count = 1 #var.enable_fluent_bit ? 1 : 0 -# atomic = true -# chart = "aws-for-fluent-bit" #var.fluent_bit_helm_chart_name -# cleanup_on_fail = true -# name = "aws-for-fluent-bit" -# namespace = "kube-system" -# repository = "https://aws.github.io/eks-charts" #var.fluent_bit_helm_chart_repository -# timeout = 300 -# version = "0.1.18" #var.fluent_bit_helm_chart_version -# values = [yamlencode({ -# cloudWatch = { -# enabled = true -# region = var.region -# logGroupName = format("/aws/eks/streamnative/%s/logs", module.eks.cluster_id) -# logRetentionDays = 365 -# } -# elasticsearch = { -# enabled = false -# } -# firehose = { -# enabled = false -# } -# kinesis = { -# enabled = false -# } -# })] - -# # dynamic "set" { -# # for_each = var.fluent_bit_settings -# # content { -# # name = set.key -# # value = set.value -# # } -# # } - -# depends_on = [ -# module.eks -# ] -# } \ No newline at end of file diff --git a/istio.tf b/istio.tf index 110d40e..cd9aed2 100644 --- a/istio.tf +++ b/istio.tf @@ -34,8 +34,6 @@ locals { } module "istio" { - count = var.enable_istio ? 1 : 0 - source = "github.com/streamnative/terraform-helm-charts//modules/istio-operator?ref=v0.8.4" enable_istio_operator = true 
@@ -56,7 +54,7 @@ module "istio" { } istio_settings = var.istio_settings - istio_ingress_gateway_service_annotations = lookup(local.lb_annotations, var.istio_network_loadbancer, local.lb_annotations.internet_facing) + istio_ingress_gateway_service_annotations = var.disable_public_pulsar_endpoint ? local.lb_annotations.internal_only : local.lb_annotations.internet_facing kiali_gateway_hosts = ["kiali.${var.service_domain}"] kiali_gateway_tls_secret = "istio-ingressgateway-tls" kiali_operator_settings = var.kiali_operator_settings diff --git a/main.tf b/main.tf index f1db80b..51b300a 100644 --- a/main.tf +++ b/main.tf 
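Review bot: The new ternary yields `local.lb_annotations.internet_facing` whenever `var.disable_public_pulsar_endpoint` is false, so the exposure of the Istio ingress gateway is decided by that variable's default in variables.tf, which is not in this diff; if it defaults to false the gateway is a public load balancer unless an operator opts out. A security-sensitive default like that deserves a note at the call site: `# Public load balancer unless disable_public_pulsar_endpoint = true; internal_only keeps the gateway reachable only from inside the VPC`. The previous `lookup(..., internet_facing)` also fell back to public, so behaviour is unchanged, and the boolean at least removes the case where a mistyped selector value silently became public.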
@@ -19,52 +19,58 @@ data "aws_caller_identity" "current" {} +data "aws_partition" "current" {} + data "aws_subnet" "private_subnets" { count = length(var.private_subnet_ids) id = var.private_subnet_ids[count.index] } -resource "random_id" "ng_suffix" { - byte_length = 1 +data "aws_kms_key" "ebs_default" { + key_id = "alias/aws/ebs" } locals { - account_id = data.aws_caller_identity.current.account_id - cluster_subnet_ids = concat(var.private_subnet_ids, var.public_subnet_ids) - oidc_issuer = trimprefix(module.eks.cluster_oidc_issuer_url, "https://") - private_subnet_cidrs = var.enable_node_group_private_networking == false ? [] : [for i, v in var.private_subnet_ids : data.aws_subnet.private_subnets[i].cidr_block] - - ## switches for roles - default_lb_arn = "arn:${var.aws_partition}:iam::${local.account_id}:policy/StreamNative/StreamNativeCloudLBPolicy" - default_service_arn = "arn:${var.aws_partition}:iam::${local.account_id}:policy/StreamNative/StreamNativeCloudRuntimePolicy" - lb_policy_arn = var.sncloud_services_lb_policy_arn != "" ? var.sncloud_services_lb_policy_arn : (var.use_runtime_policy ? local.default_lb_arn : "") - sn_serv_policy_arn = var.sncloud_services_iam_policy_arn != "" ? var.sncloud_services_iam_policy_arn : (var.use_runtime_policy ? 
local.default_service_arn : "") - create_lb_policy = !(var.sncloud_services_lb_policy_arn != "" || var.use_runtime_policy || !var.enable_aws_load_balancer_controller) - create_cert_man_policy = !(var.sncloud_services_iam_policy_arn != "" || var.use_runtime_policy || !var.enable_cert_manager) - create_ca_policy = !(var.sncloud_services_iam_policy_arn != "" || var.use_runtime_policy || !var.enable_cluster_autoscaler) - create_csi_policy = !(var.sncloud_services_iam_policy_arn != "" || var.use_runtime_policy || !var.enable_csi) - create_ext_dns_policy = !(var.sncloud_services_iam_policy_arn != "" || var.use_runtime_policy || !var.enable_external_dns) - create_ext_sec_policy = !(var.sncloud_services_iam_policy_arn != "" || var.use_runtime_policy || !var.enable_external_secrets) + aws_partition = data.aws_partition.current.partition + account_id = data.aws_caller_identity.current.account_id + cluster_subnet_ids = concat(var.private_subnet_ids, var.public_subnet_ids) + default_lb_policy_arn = "arn:${local.aws_partition}:iam::${local.account_id}:policy/StreamNative/StreamNativeCloudLBPolicy" + default_service_policy_arn = "arn:${local.aws_partition}:iam::${local.account_id}:policy/StreamNative/StreamNativeCloudRuntimePolicy" + kms_key = var.disk_encryption_kms_key_id == "" ? data.aws_kms_key.ebs_default.arn : var.disk_encryption_kms_key_id + oidc_issuer = trimprefix(module.eks.cluster_oidc_issuer_url, "https://") + private_subnet_cidrs = var.enable_node_group_private_networking == false ? 
[] : [for i, v in var.private_subnet_ids : data.aws_subnet.private_subnets[i].cidr_block] + + tags = merge( + { + "kubernetes.io/cluster/${var.cluster_name}" = "owned", + "k8s.io/cluster/${var.cluster_name}" = "owned", + "Vendor" = "StreamNative" + }, + var.additional_tags, + ) ## Node Group Configuration node_group_defaults = { ami_id = var.node_pool_ami_id block_device_mappings = { - xvdb = { - device_name = var.node_pool_block_device_name + xvda = { + device_name = "/dev/xvda" ebs = { volume_size = var.node_pool_disk_size volume_type = "gp3" - iops = 3000 + iops = var.node_pool_disk_iops encrypted = true kms_key_id = local.kms_key delete_on_termination = true } } } + create_iam_role = false # We create the IAM role ourselves to reduce complexity in managing the aws-auth configmap create_launch_template = true - enable_monitoring = var.enable_node_pool_monitoring desired_size = var.node_pool_desired_size + ebs_optimized = var.node_pool_ebs_optimized + enable_monitoring = var.enable_node_pool_monitoring + iam_role_arn = aws_iam_role.ng.arn labels = var.node_pool_labels min_size = var.node_pool_min_size max_size = var.node_pool_max_size @@ -73,7 +79,6 @@ locals { tags = merge(var.node_pool_tags, { "k8s.io/cluster-autoscaler/enabled" = "true", format("k8s.io/cluster-autoscaler/%s", var.cluster_name) = "owned", - "Vendor" = "StreamNative" }) } 
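Review bot: The node group block device mapping is now hard-coded to `xvda` / `/dev/xvda` while `ami_id = var.node_pool_ami_id` still allows a custom AMI, and `encrypted = true` with `kms_key_id = local.kms_key` only takes effect when the mapping's device name matches that AMI's root device; an AMI rooted elsewhere (Ubuntu EKS images, which I believe use `/dev/sda1`) would get an extra encrypted volume and an unencrypted root, so please confirm against the AMIs you expect. Keeping the name configurable, as the previously referenced `var.node_pool_block_device_name` did, with `/dev/xvda` as its default, or at least adding `device_name = "/dev/xvda" # must match the root device of var.node_pool_ami_id`, would make the encryption guarantee explicit. Note also that `local.kms_key` defaults to the AWS-managed `alias/aws/ebs` key, whose key policy cannot be edited and whose encrypted snapshots cannot be shared cross-account; acceptable as a default, but worth a sentence on `var.disk_encryption_kms_key_id`. This hunk starts on an earlier line and the `node_group_defaults` map continues past it.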
@@ -81,101 +86,102 @@ locals {
node_groups = {
for node_group in flatten([
for instance_type in var.node_pool_instance_types : [
- for i, j in data.aws_subnet.private_subnet : {
- subnet_id = data.aws_subnet.subnet[i].id
- instance_type = instance_type,
- name = "snc-node-pool-${split(".", instance_type)[1]}-${data.aws_subnet.private_subnet[i].availability_zone}-${random_id.ng_suffix.hex}"
+ for i, j in data.aws_subnet.private_subnets : {
+ subnet_ids = [data.aws_subnet.private_subnets[i].id]
+ instance_types = [instance_type],
+ name = "snc-${split(".", instance_type)[1]}-${data.aws_subnet.private_subnets[i].availability_zone}"
}
]
]) : "${node_group.name}" => node_group
}
+
+ ### IAM role bindings
+ sncloud_control_plane_access = [
+ {
+ rolearn = format("arn:${local.aws_partition}:iam::%s:role/StreamNativeCloudManagementRole", local.account_id)
+ username = "sn-manager:{{AccountID}}:{{SessionName}}"
+ groups = ["system:masters"]
+ }
+ ]
+
+ # Remove the IAM Path from the role
+ # Work around for https://github.com/kubernetes-sigs/aws-iam-authenticator/issues/153
+ worker_node_role = [
+ {
+ rolearn = replace(aws_iam_role.ng.arn, replace(var.iam_path, "/^//", ""), "")
+ username = "system:node:{{EC2PrivateDNSName}}"
+ groups = ["system:bootstrappers", "system:nodes"]
+ }
+ ]
+
+ # Switches for different role binding scenarios
+ role_bindings = var.enable_sncloud_control_plane_access && var.iam_path != "" ? concat(local.sncloud_control_plane_access, local.worker_node_role, var.map_additional_iam_roles) : var.enable_sncloud_control_plane_access && var.iam_path == "" ? concat(local.sncloud_control_plane_access, var.map_additional_iam_roles) : var.enable_sncloud_control_plane_access == false && var.iam_path != "" ?
concat(var.map_additional_iam_roles, local.worker_node_role) : var.map_additional_iam_roles
+ }
module "eks" {
source = "terraform-aws-modules/eks/aws"
version = "18.29.0"
- # cluster_endpoint_private_access_cidrs = local.private_subnet_cidrs
- # cluster_iam_role_name = var.use_runtime_policy ? aws_iam_role.cluster[0].name : ""
- # map_accounts = var.map_additional_aws_accounts
- # map_roles = var.map_additional_iam_roles
- # map_users = var.map_additional_iam_users
- # cluster_create_endpoint_private_access_sg_rule = var.enable_node_group_private_networking
- # manage_worker_iam_resources = true
-
- ### Added these to avoid issues with the module refactor from 17.X to 18.X. Future versions of the terraform-aws-eks module may not require these to be specified.
+ ##############################################################################################
+ ### Added these to avoid issues with the module refactor from 17.X to 18.X. ###
+ ### Future versions of the terraform-aws-eks module may not require these to be specified. ###
prefix_separator = ""
iam_role_name = var.cluster_name
cluster_security_group_name = var.cluster_name
cluster_security_group_description = "EKS cluster security group."
- ###
+ ###############################################################################################
+
+ # aws_auth_accounts = var.map_additional_aws_accounts
+ aws_auth_roles = local.role_bindings
+ # aws_auth_users = var.map_additional_iam_users
cluster_name = var.cluster_name
cluster_version = var.cluster_version
- create_cluster_primary_security_group_tags = true
- cluster_endpoint_private_access = var.enable_node_group_private_networking
+ create_cluster_primary_security_group_tags = false
+ cluster_endpoint_private_access = true # Always set to true here, which enables private networking for the node groups
+ cluster_endpoint_public_access = var.disable_public_eks_endpoint ?
false : true
cluster_endpoint_public_access_cidrs = var.allowed_public_cidrs
cluster_enabled_log_types = var.cluster_enabled_log_types
- cloudwatch_log_group_kms_key_id = var.cluster_log_kms_key_id
- cloudwatch_log_group_retention_in_days = var.cluster_log_retention_in_days
+ control_plane_subnet_ids = local.cluster_subnet_ids
+ create_cloudwatch_log_group = false
+ create_iam_role = var.use_runtime_policy ? false : true
eks_managed_node_groups = local.node_groups
eks_managed_node_group_defaults = local.node_group_defaults
enable_irsa = true
- openid_connect_audiences = ["sts.amazonaws.com"]
- iam_role_path = "/StreamNative/"
iam_role_arn = var.use_runtime_policy ? aws_iam_role.cluster[0].arn : null
- create_iam_role = var.use_runtime_policy ? false : true
+ iam_role_path = var.iam_path
iam_role_permissions_boundary = var.permissions_boundary_arn
- control_plane_subnet_ids = local.cluster_subnet_ids
+ manage_aws_auth_configmap = true
+ openid_connect_audiences = ["sts.amazonaws.com"]
+ tags = local.tags
vpc_id = var.vpc_id
-
-
-
-
- node_security_group_tags = merge(var.additional_tags, {
- format("k8s.io/cluster/%s", var.cluster_name) = "owned",
- "Vendor" = "StreamNative",
- "kubernetes.io/cluster/${var.cluster_name}" = null
- })
-
- tags = {
- format("k8s.io/cluster/%s", var.cluster_name) = "owned",
- "Vendor" = "StreamNative"
- }
-
- cluster_tags = merge(var.additional_tags, {
- format("k8s.io/cluster/%s", var.cluster_name) = "owned",
- "Vendor" = "StreamNative"
- })
- cluster_security_group_tags = merge(var.additional_tags, {
- format("k8s.io/cluster/%s", var.cluster_name) = "owned",
- "Vendor" = "StreamNative"
- })
-
- depends_on = [
- aws_iam_role.cluster
- ]
}
-# resource "aws_autoscaling_group_tag" "asg_group_vendor_tags" {
-# count = length(module.eks.workers_asg_names)
+### Additional Tags
+module "vpc_tags" {
+ source = "./modules/eks-vpc-tags"
+ count = var.add_vpc_tags ?
1 : 0
-# autoscaling_group_name = module.eks.workers_asg_names[count.index]
-
-# tag {
-# key = "Vendor"
-# value = "StreamNative"
+ cluster_name = var.cluster_name
+ vpc_id = var.vpc_id
+ public_subnet_ids = var.public_subnet_ids
+ private_subnet_ids = var.private_subnet_ids
+}
-# propagate_at_launch = true
-# }
-# }
+resource "aws_ec2_tag" "cluster_security_group" {
+ resource_id = module.eks.cluster_primary_security_group_id
+ key = "Vendor"
+ value = "StreamNative"
+}
+### Kubernetes Configurations
resource "kubernetes_namespace" "sn_system" {
metadata {
name = "sn-system"
labels = {
- "istio.io/rev" = "sn-stable"
+ "istio.io/rev" = var.istio_revision_tag
}
}
depends_on = [
@@ -183,6 +189,37 @@ resource "kubernetes_namespace" "sn_system" {
]
}
+resource "kubernetes_storage_class" "sn_default" {
+ metadata {
+ name = "sn-default"
+ }
+ storage_provisioner = "ebs.csi.aws.com"
+ parameters = {
+ type = "gp3"
+ encrypted = "true"
+ kmsKeyId = local.kms_key
+ }
+ reclaim_policy = "Delete"
+ allow_volume_expansion = true
+ volume_binding_mode = "WaitForFirstConsumer"
+}
+
+resource "kubernetes_storage_class" "sn_ssd" {
+ metadata {
+ name = "sn-ssd"
+ }
+ storage_provisioner = "ebs.csi.aws.com"
+ parameters = {
+ type = "gp3"
+ encrypted = "true"
+ kmsKeyId = local.kms_key
+ }
+ reclaim_policy = "Delete"
+ allow_volume_expansion = true
+ volume_binding_mode = "WaitForFirstConsumer"
+}
+
+### Cluster IAM Role
data "aws_iam_policy_document" "cluster_assume_role_policy" {
statement {
actions = [
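Review bot: The `aws_ec2_tag.cluster_security_group` resource is re-enabled in this hunk without the caveat that accompanied its commented-out copy in the deleted tags.tf: Terraform removes the tag before destroying module.eks, after which the module's permissions can no longer manage the security group and `terraform destroy` fails, so carry that warning over as a comment on the resource, e.g. `# NOTE: remove this resource from state before a destroy; the Vendor tag is stripped before module.eks is destroyed and the SG then becomes unmanageable`. Separately, `create_cloudwatch_log_group = false` together with the dropped `cloudwatch_log_group_kms_key_id`/`cloudwatch_log_group_retention_in_days` arguments means the control-plane audit/authenticator log group that EKS creates gets no retention or KMS setting from this module; if `var.cluster_log_kms_key_id` and `var.cluster_log_retention_in_days` still exist they are now silently unused, and that should either be fixed or documented in their descriptions. The three-way nested conditional for `role_bindings` would read more clearly as `concat(var.enable_sncloud_control_plane_access ? local.sncloud_control_plane_access : [], var.iam_path != "" ? local.worker_node_role : [], var.map_additional_iam_roles)`, which differs from the original only in list order. The enclosing locals block starts outside the hunk.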
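Review bot: `kubernetes_storage_class.sn_default` and `kubernetes_storage_class.sn_ssd` are defined identically (gp3, same `kmsKeyId`, same binding mode), so the `sn-ssd` class currently offers nothing the `sn-default` class does not; either give `sn_ssd` distinct `parameters` (the ebs.csi.aws.com provisioner accepts `iops` and `throughput` for gp3) or add a comment stating that the split is intentional. Neither class carries the `storageclass.kubernetes.io/is-default-class` annotation, so despite its name `sn-default` is not the cluster default unless that is set elsewhere; if it should be, add `annotations = { "storageclass.kubernetes.io/is-default-class" = "true" }` to its metadata block. Pinning `encrypted = "true"` with the cluster KMS key on both classes is a sound default for tenant volumes and is worth a one-line comment so it is not loosened later.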
@@ -201,25 +238,64 @@ resource "aws_iam_role" "cluster" {
name = format("%s-cluster-role", var.cluster_name)
description = format("The IAM Role used by the %s EKS cluster", var.cluster_name)
assume_role_policy = data.aws_iam_policy_document.cluster_assume_role_policy.json
- tags = merge({ "Vendor" = "StreamNative" }, var.additional_tags)
+ tags = local.tags
path = "/StreamNative/"
permissions_boundary = var.permissions_boundary_arn
}
resource "aws_iam_role_policy_attachment" "cluster_AmazonEKSClusterPolicy" {
count = var.use_runtime_policy ? 1 : 0
- policy_arn = "arn:${var.aws_partition}:iam::aws:policy/AmazonEKSClusterPolicy"
+ policy_arn = "arn:${local.aws_partition}:iam::aws:policy/AmazonEKSClusterPolicy"
role = aws_iam_role.cluster[0].name
}
resource "aws_iam_role_policy_attachment" "cluster_AmazonEKSServicePolicy" {
count = var.use_runtime_policy ? 1 : 0
- policy_arn = "arn:${var.aws_partition}:iam::aws:policy/AmazonEKSServicePolicy"
+ policy_arn = "arn:${local.aws_partition}:iam::aws:policy/AmazonEKSServicePolicy"
role = aws_iam_role.cluster[0].name
}
resource "aws_iam_role_policy_attachment" "cluster_AmazonEKSVPCResourceControllerPolicy" {
count = var.use_runtime_policy ?
1 : 0
- policy_arn = "arn:${var.aws_partition}:iam::aws:policy/AmazonEKSVPCResourceController"
+ policy_arn = "arn:${local.aws_partition}:iam::aws:policy/AmazonEKSVPCResourceController"
role = aws_iam_role.cluster[0].name
}
+
+### Node Group IAM Role
+data "aws_iam_policy_document" "ng_assume_role_policy" {
+ statement {
+ sid = "EKSNodeAssumeRole"
+ actions = [
+ "sts:AssumeRole"
+ ]
+ effect = "Allow"
+ principals {
+ type = "Service"
+ identifiers = ["ec2.amazonaws.com"]
+ }
+ }
+}
+
+resource "aws_iam_role" "ng" {
+ name = format("%s-ng-role", var.cluster_name)
+ description = format("The IAM Role used by the %s EKS cluster's worker nodes", var.cluster_name)
+ assume_role_policy = data.aws_iam_policy_document.ng_assume_role_policy.json
+ tags = local.tags
+ path = "/StreamNative/"
+ permissions_boundary = var.permissions_boundary_arn
+}
+
+resource "aws_iam_role_policy_attachment" "ng_AmazonEKSWorkerNodePolicy" {
+ policy_arn = "arn:${local.aws_partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy"
+ role = aws_iam_role.ng.name
+}
+
+resource "aws_iam_role_policy_attachment" "ng_AmazonEKSServicePolicy" {
+ policy_arn = "arn:${local.aws_partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+ role = aws_iam_role.ng.name
+}
+
+resource "aws_iam_role_policy_attachment" "ng_AmazonEKSVPCResourceControllerPolicy" {
+ policy_arn = "arn:${local.aws_partition}:iam::aws:policy/AmazonEKS_CNI_Policy"
+ role = aws_iam_role.ng.name
+}
\ No newline at end of file
diff --git a/metrics_server.tf b/metrics_server.tf
index 5477bbb..974b639 100644
--- a/metrics_server.tf
+++ b/metrics_server.tf
@@ -18,7 +18,7 @@
#
resource "helm_release" "metrics_server" {
- count = var.enable_metrics_server ? 1 : 0
+ count = var.enable_bootstrap ? 1 : 0
atomic = true
chart = var.metrics_server_helm_chart_name
cleanup_on_fail = true
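Review bot: The resource names of the node-role attachments do not match the policies they attach: `ng_AmazonEKSServicePolicy` attaches `AmazonEC2ContainerRegistryReadOnly` and `ng_AmazonEKSVPCResourceControllerPolicy` attaches `AmazonEKS_CNI_Policy`, which will mislead anyone reading plan or state output; rename them to `ng_AmazonEC2ContainerRegistryReadOnly` and `ng_AmazonEKS_CNI_Policy`. `aws_iam_role.ng` hard-codes `path = "/StreamNative/"` while the aws-auth workaround in `local.worker_node_role` strips `var.iam_path` from the role ARN, so if `var.iam_path` is set to anything other than that literal the node-role ARN is no longer normalised for aws-iam-authenticator issue #153 and nodes may fail to join; use `path = var.iam_path` here (the cluster role above has the same literal and the same mismatch with `iam_role_path = var.iam_path` passed to module.eks). Attaching `AmazonEKS_CNI_Policy` to the node instance role makes the CNI's EC2 permissions reachable from every pod on the node via the instance profile; a comment noting that moving vpc-cni to IRSA is the least-privilege option would help future maintainers.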
@@ -27,6 +27,10 @@ resource "helm_release" "metrics_server" {
repository = var.metrics_server_helm_chart_repository
timeout = 300
version = var.metrics_server_helm_chart_version
+ values = [yamlencode({
+ replicas = 2
+ }
+ )]
dynamic "set" {
for_each = var.metrics_server_settings
diff --git a/tags.tf b/tags.tf
deleted file mode 100644
index f4a72f5..0000000
--- a/tags.tf
+++ /dev/null
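Review bot: `replicas = 2` is hard-coded into the chart values in this hunk while every other metrics-server setting is driven by `var.metrics_server_settings`; because the helm provider applies `set` blocks over `values`, callers can still override it, but the intent deserves a comment such as `# Run two replicas so the metrics API survives a single node loss; override via metrics_server_settings if needed`. The closing `}` and `)]` on separate lines is also awkward to read; `values = [yamlencode({ replicas = 2 })]` on one line says the same thing. The enclosing resource starts and ends outside the hunk.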
@@ -1,40 +0,0 @@ -# -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, -# software distributed under the License is distributed on an -# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -# KIND, either express or implied. See the License for the -# specific language governing permissions and limitations -# under the License. -# - -module "vpc_tags" { - source = "./modules/eks-vpc-tags" - count = var.add_vpc_tags ? 1 : 0 - - cluster_name = var.cluster_name - vpc_id = var.vpc_id - public_subnet_ids = var.public_subnet_ids - private_subnet_ids = var.private_subnet_ids -} - -# This tags the primary security group which is managed by AWS EKS (and returned to the parent module.eks), not by this module. -# Without this tag, our permissions prevent us from working with the security group. -# -# IMPORTANT: If this tag is not present on the SG during a `terraform destroy`, the destroy will fail. -# Terraform tries to remove this tag before destroying module.eks, which means we would no longer be able to manage it. -# # Because of this, it's recommended to remove this resource from the *.tfstate PRIOR to running a destroy -# resource "aws_ec2_tag" "cluster_security_group" { -# resource_id = module.eks.cluster_primary_security_group_id -# key = "Vendor" -# value = "StreamNative" -# } \ No newline at end of file diff --git a/variables.tf b/variables.tf index 68dcd90..d64bab4 100644 --- a/variables.tf +++ b/variables.tf 
@@ -65,12 +65,6 @@ variable "aws_load_balancer_controller_settings" { type = map(string) } -variable "aws_partition" { - default = "aws" - description = "AWS partition: 'aws', 'aws-cn', or 'aws-us-gov', used when constructing IRSA trust relationship policies." - type = string -} - variable "calico_helm_chart_name" { default = "tigera-operator" description = "The name of the Helm chart in the repository for Calico, which is installed alongside the tigera-operator." 
@@ -208,75 +202,39 @@ variable "csi_settings" { type = map(any) } -variable "disk_encryption_kms_key_id" { - default = "" - description = "The KMS Key ARN to use for disk encryption." - type = string -} - -variable "enable_aws_load_balancer_controller" { +variable "create_iam_policies" { default = true - description = "Whether to enable the AWS Load Balancer Controller addon on the cluster. Defaults to \"true\", and in most situations is required by StreamNative Cloud." + description = "Whether to create IAM policies for the IAM roles. If set to false, the module will default to using existing policy ARNs that must be present in the AWS account" type = bool } -variable "enable_calico" { +variable "disable_public_eks_endpoint" { default = false - description = "Enables the Calico networking service on the cluster. Defaults to \"false\"." - type = bool -} - -variable "enable_cert_manager" { - default = true - description = "Enables the Cert-Manager addon service on the cluster. Defaults to \"true\", and in most situations is required by StreamNative Cloud." - type = bool -} - -variable "enable_cluster_autoscaler" { - default = true - description = "Enables the Cluster Autoscaler addon service on the cluster. Defaults to \"true\", and in most situations is recommened for StreamNative Cloud." - type = bool -} - -variable "enable_csi" { - default = true - description = "Enables the EBS Container Storage Interface (CSI) driver on the cluster, which allows for EKS manage the lifecycle of persistant volumes in EBS." + description = "Whether to disable public access to the EKS control plane endpoint. If set to \"true\", additional configuration is required in order for the cluster to function properly, such as AWS PrivateLink for EC2, ECR, and S3, along with a VPN to access the EKS control plane. It is recommended to keep this setting to \"false\" unless you are familiar with this type of configuration." 
type = bool } -variable "enable_external_secrets" { +variable "disable_public_pulsar_endpoint" { default = false - description = "Enables kubernetes-external-secrets addon service on the cluster. Defaults to \"false\"" + description = "Whether or not to make the Istio Gateway use a public facing or internal network load balancer. If set to \"true\", additional configuration is required in order to manage the cluster from the StreamNative console" type = bool } -variable "enable_external_dns" { - default = true - description = "Enables the External DNS addon service on the cluster. Defaults to \"true\", and in most situations is required by StreamNative Cloud." - type = bool -} - -variable "enable_func_pool" { - default = true - description = "Enable an additional dedicated function pool." - type = bool -} - -variable "enable_func_pool_monitoring" { - default = true - description = "Enable CloudWatch monitoring for the dedicated function pool(s)." - type = bool +variable "disk_encryption_kms_key_id" { + default = "" + description = "The KMS Key ARN to use for disk encryption." + type = string } -variable "enable_istio" { +variable "enable_bootstrap" { default = true - description = "Enables Istio on the cluster. Set to \"true\" by default." + description = "Enables bootstrapping of add-ons within the cluster." type = bool } -variable "enable_metrics_server" { +variable "enable_sncloud_control_plane_access" { default = true - description = "Enables the Kubernetes Metrics Server addon service on the cluster. Defaults to \"true\"." + description = "Whether to enable access to the EKS control plane endpoint. If set to \"false\", additional configuration is required in order for the cluster to function properly, such as AWS PrivateLink for EC2, ECR, and S3, along with a VPN to access the EKS control plane. It is recommended to keep this setting to \"true\" unless you are familiar with this type of configuration." type = bool } 
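Review bot: The description of `enable_sncloud_control_plane_access` is a copy of the `disable_public_eks_endpoint` text (PrivateLink for EC2/ECR/S3, a VPN) and does not say what the flag actually does, which in main.tf is to map the account's `StreamNativeCloudManagementRole` into the aws-auth ConfigMap with `system:masters`; replace it with something like `Whether to bind the account's StreamNativeCloudManagementRole to system:masters in the aws-auth ConfigMap so StreamNative Cloud can manage the cluster. Set to false if vendor access to the control plane is not wanted.` so operators understand they are granting cluster-admin to a vendor-managed role by default. `create_iam_policies` is introduced here but nothing visible in this patch reads it (the `create_*_policy` locals it would replace were removed in main.tf), so either wire it up or hold it back until it is used. The `disable_public_pulsar_endpoint` description should also name the resource that honours it, since `istio_network_loadbancer` is removed in the same patch and the two are presumably related.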
@@ -316,96 +274,6 @@ variable "external_dns_settings" { type = map(any) } -variable "external_secrets_helm_chart_name" { - default = "kubernetes-external-secrets" - description = "The name of the Helm chart in the repository for kubernetes-external-secrets." - type = string -} - -variable "external_secrets_helm_chart_repository" { - default = "https://external-secrets.github.io/kubernetes-external-secrets" - description = "The repository containing the kubernetes-external-secrets helm chart." - type = string -} - -variable "external_secrets_helm_chart_version" { - default = "8.3.0" - description = "Helm chart version for kubernetes-external-secrets. Defaults to \"8.3.0\". See https://github.com/external-secrets/kubernetes-external-secrets/tree/master/charts/kubernetes-external-secrets for updates." - type = string -} - -variable "external_secrets_settings" { - default = {} - description = "Additional settings which will be passed to the Helm chart values, see https://github.com/external-secrets/kubernetes-external-secrets/tree/master/charts/kubernetes-external-secrets for available options." - type = map(any) -} - -variable "func_pool_ami_id" { - default = "" - description = "The AMI ID to use for the func pool nodes. Defaults to the latest EKS Optimized AMI provided by AWS" - type = string -} - -variable "func_pool_ami_is_eks_optimized" { - default = true - description = "If the custom AMI is an EKS optimized image, ignored if ami_id is not set. If this is true then bootstrap.sh is called automatically (max pod logic needs to be manually set), if this is false you need to provide all the node configuration in pre_userdata" - type = bool -} - -variable "func_pool_desired_size" { - default = 0 - description = "Desired number of worker nodes" - type = number -} - -variable "func_pool_disk_size" { - default = 50 - description = "Disk size in GiB for function worker nodes. Defaults to 20. 
Terraform will only perform drift detection if a configuration value is provided." - type = number -} - -variable "func_pool_disk_type" { - default = "gp3" - description = "Disk type for function worker nodes. Defaults to gp3." - type = string -} - -variable "func_pool_instance_types" { - default = ["c6i.large"] - description = "Set of instance types associated with the EKS Node Group. Defaults to [\"c6i.large\"]. Terraform will only perform drift detection if a configuration value is provided." - type = list(string) -} - -variable "func_pool_labels" { - default = {} - description = "Labels to apply to the function pool node group. Defaults to {}." - type = map(string) -} - -variable "func_pool_min_size" { - default = 0 - description = "The minimum size of the AutoScaling Group." - type = number -} - -variable "func_pool_max_size" { - default = 5 - description = "The maximum size of the AutoScaling Group." - type = number -} - -variable "func_pool_pre_userdata" { - default = "" - description = "The pre-userdata script to run on the function worker nodes." - type = string -} - -variable "func_pool_taints" { - default = [] - description = "Taints to apply to the function pool node group." - type = list(map) -} - variable "hosted_zone_id" { description = "The ID of the Route53 hosted zone used by the cluster's External DNS configuration." type = string @@ -467,7 +335,7 @@ variable "map_additional_aws_accounts" { variable "map_additional_iam_roles" { default = [] - description = "Additional IAM roles to add to `config-map-aws-auth` ConfigMap." + description = "A list of IAM role bindings to add to the aws-auth ConfigMap." type = list(object({ rolearn = string username = string 
@@ -535,13 +403,19 @@ variable "node_termination_handler_chart_version" { variable "node_pool_ami_id" { default = "" - description = "The AMI ID to use for the EKS cluster nodes. Defaults to the latest EKS Optimized AMI provided by AWS" + description = "The AMI ID to use for the EKS cluster nodes. Defaults to the latest EKS Optimized AMI provided by AWS." type = string } -variable "node_pool_ami_is_eks_optimized" { +variable "node_pool_disk_iops" { + default = 3000 + description = "The amount of provisioned IOPS for the worker node root EBS volume." + type = number +} + +variable "node_pool_ebs_optimized" { default = true - description = "If the custom AMI is an EKS optimized image, ignored if ami_id is not set. If this is true then bootstrap.sh is called automatically (max pod logic needs to be manually set), if this is false you need to provide all the node configuration in pre_userdata" + description = "If true, the launched EC2 instance(s) will be EBS-optimized. Specify this if using a custom AMI with pre-user data." type = bool } @@ -575,12 +449,6 @@ variable "node_pool_instance_types" { type = list(string) } -variable "extra_node_pool_instance_types" { - default = [] - description = "Set of instance types of an extra node pool. Same properties as default node pool except name and instance types." - type = list(string) -} - variable "node_pool_labels" { default = {} description = "A map of kubernetes labels to add to the node pool." @@ -605,9 +473,15 @@ variable "node_pool_pre_userdata" { } variable "node_pool_taints" { - default = [] + default = {} description = "A list of taints in map format to apply to the node pool." - type = list(map) + type = any +} + +variable "node_pool_tags" { + default = {} + description = "A map of tags to add to the node groups and supporting resources." + type = map(string) } variable "permissions_boundary_arn" { 
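Review bot: The new description for `node_pool_ebs_optimized` ends with `Specify this if using a custom AMI with pre-user data.`, which looks carried over from the `node_pool_ami_is_eks_optimized` text it replaces and has no bearing on EBS optimisation; trim it to `If true, the launched EC2 instance(s) will be EBS-optimized.`. `node_pool_disk_iops` defaults to 3000, which is the gp3 baseline, so its description could add that values above 3000 are billed separately and are subject to the gp3 IOPS-per-GiB limit, which would otherwise surface only as an EC2 API error at apply time.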
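Review bot: `node_pool_taints` now defaults to `{}` and is typed `any`, but its description still reads `A list of taints in map format`; the eks-managed node group in terraform-aws-eks 18.x takes a map of taint objects keyed by name, so update the description to `A map of taints to apply to the node pool, keyed by taint name, each with key, value and effect.` and, if the Terraform version in use allows it, tighten the type to `map(object({ key = string, value = string, effect = string }))` so a malformed taint is rejected at plan time rather than inside the module. The `node_pool_tags` input added alongside it is later merged with `local.tags`, which the description could mention so callers know the cluster-wide tags are applied as well.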
@@ -635,26 +509,25 @@ variable "region" { } variable "service_domain" { - default = null - description = "The DNS domain for external service endpoints. This must be set when enabling Istio or else the deployment will fail." + description = "The domain name being used by the environment, needed specifically for Istio's authorization policies." type = string } variable "sncloud_services_iam_policy_arn" { default = "" - description = "The IAM policy ARN to be used for all StreamNative Cloud Services that need to interact with AWS services external to EKS. This policy is typically created by the \"modules/managed-cloud\" sub-module in this repository, as a seperate customer driven process for managing StreamNative's Vendor Access into AWS. If no policy ARN is provided, the module will generate the policies needed by each cluster service we install and expects that the caller identity has appropriate IAM permissions that allow \"iam:CreatePolicy\" action. Otherwise the module will fail to run properly. Depends upon use" + description = "The IAM policy ARN to be used for all StreamNative Cloud Services that need to interact with AWS services external to EKS. This policy is typically created by StreamNative's \"terraform-managed-cloud\" module, as a seperate customer driven process for managing StreamNative's Vendor Access into AWS. If no policy ARN is provided, the module will default to the expected named policy of \"StreamNativeCloudRuntimePolicy\". This variable allows for flexibility in the event that the policy name changes, or if a custom policy provided by the customer is preferred." type = string } variable "sncloud_services_lb_policy_arn" { default = "" - description = "A custom IAM policy ARN for LB load balancer controller. If not specified, and use_runt" + description = "A custom IAM policy ARN for LB load balancer controller. 
This policy is typically created by StreamNative's \"terraform-managed-cloud\" module, as a seperate customer driven process for managing StreamNative's Vendor Access into AWS. If no policy ARN is provided, the module will default to the expected named policy of \"StreamNativeCloudLBPolicy\". This variable allows for flexibility in the event that the policy name changes, or if a custom policy provided by the customer is preferred." type = string } variable "use_runtime_policy" { - default = false - description = "Indicates to use the runtime policy and attach a predefined policies as opposed to create roles. Currently defaults to false" + default = true + description = "Legacy variable, will be deprecated in future versions. The preference of this module is to have the parent EKS module create and manage the IAM role. However some older configurations may have had the cluster IAM role managed seperately, and this variable allows for backwards compatibility." type = bool } 
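Review bot: The default of `use_runtime_policy` is flipped from false to true while its new description calls it a legacy variable that exists only to preserve the non-preferred path (the cluster IAM role managed outside the parent EKS module); with this default every new deployment takes that legacy path (`create_iam_role = false` and `iam_role_arn = aws_iam_role.cluster[0].arn` in main.tf), and existing deployments that relied on the old default may see their cluster role replaced on the next apply. Either keep `default = false` or reword the description to say that this module creating and managing the cluster role is the intended behaviour. The new `sncloud_services_iam_policy_arn` and `sncloud_services_lb_policy_arn` descriptions both spell `separate` as `seperate`.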
@@ -666,20 +539,4 @@ variable "vpc_id" { condition = length(var.vpc_id) > 4 && substr(var.vpc_id, 0, 4) == "vpc-" error_message = "The value for variable \"vpc_id\" must be a valid VPC id, starting with \"vpc-\"." } -} - -variable "wait_for_cluster_timeout" { - default = 0 - description = "Time in seconds to wait for the newly provisioned EKS cluster's API/healthcheck endpoint to return healthy, before applying the aws-auth configmap. Defaults to 300 seconds in the parent module \"terraform-aws-modules/eks/aws\", which is often too short. Increase to at least 900 seconds, if needed. See also https://github.com/terraform-aws-modules/terraform-aws-eks/pull/1420." - type = number -} - -variable "istio_network_loadbancer" { - type = string - default = "internet_facing" - - validation { - condition = contains(["internet_facing", "internal_only"], var.istio_network_loadbancer) - error_message = "Allowed values for input_parameter are \"internet_facing\" or \"internal_only\"." - } -} +} \ No newline at end of file From c36ac75b7ab0980fa03ba7b75c69823fc98b1e6b Mon Sep 17 00:00:00 2001 From: Joey Davenport Date: Mon, 19 Sep 2022 16:04:55 -0600 Subject: [PATCH 03/29] added cluster-name tag --- main.tf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/main.tf b/main.tf index 51b300a..45ac1e4 100644 --- a/main.tf +++ b/main.tf @@ -45,6 +45,7 @@ locals { "kubernetes.io/cluster/${var.cluster_name}" = "owned", "k8s.io/cluster/${var.cluster_name}" = "owned", "Vendor" = "StreamNative" + "cluster-name" = var.cluster_name }, var.additional_tags, ) @@ -79,6 +80,7 @@ locals { tags = merge(var.node_pool_tags, { "k8s.io/cluster-autoscaler/enabled" = "true", format("k8s.io/cluster-autoscaler/%s", var.cluster_name) = "owned", + "cluster-name" = var.cluster_name }) } From c00b996960cb46302e9602812ed192b805d2502d Mon Sep 17 00:00:00 2001 
From: Joey Davenport Date: Wed, 21 Sep 2022 16:14:39 -0600 Subject: [PATCH 04/29] Updated default scaling config for ngs --- main.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/main.tf b/main.tf index 51b300a..86ad295 100644 --- a/main.tf +++ b/main.tf @@ -76,7 +76,7 @@ locals { max_size = var.node_pool_max_size pre_bootstrap_user_data = var.node_pool_pre_userdata taints = var.node_pool_taints - tags = merge(var.node_pool_tags, { + tags = merge(var.node_pool_tags, local.tags, { "k8s.io/cluster-autoscaler/enabled" = "true", format("k8s.io/cluster-autoscaler/%s", var.cluster_name) = "owned", }) @@ -88,14 +88,14 @@ locals { for instance_type in var.node_pool_instance_types : [ for i, j in data.aws_subnet.private_subnets : { subnet_ids = [data.aws_subnet.private_subnets[i].id] - instance_types = [instance_type], + instance_types = [instance_type] name = "snc-${split(".", instance_type)[1]}-${data.aws_subnet.private_subnets[i].availability_zone}" + desired_size = split(".", instance_type)[1] == "xlarge" ? 1 : 0 } ] ]) : "${node_group.name}" => node_group } - ### IAM role bindings sncloud_control_plane_access = [ { From 721b58aba67a737e18d33bfa470a4feef9ade811 Mon Sep 17 00:00:00 2001 From: Joey Davenport Date: Thu, 22 Sep 2022 14:55:28 -0600 Subject: [PATCH 05/29] Added enable flag for istio --- istio.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/istio.tf b/istio.tf index cd9aed2..733dba7 100644 --- a/istio.tf +++ b/istio.tf @@ -34,6 +34,7 @@ locals { } module "istio" { + count = var.enable_bootstrap ? 1 : 0 source = "github.com/streamnative/terraform-helm-charts//modules/istio-operator?ref=v0.8.4" enable_istio_operator = true From b4f63b0760820225dc55190da3d6599278311d50 Mon Sep 17 00:00:00 2001 From: Joey Davenport Date: Thu, 22 Sep 2022 15:02:32 -0600 Subject: [PATCH 06/29] Added wildcard to default hosted zone id --- variables.tf | 1 + 1 file changed, 1 insertion(+) 
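Review bot: `desired_size = split(".", instance_type)[1] == "xlarge" ? 1 : 0` hard-codes a per-group value that, given the precedence of per-group settings over `eks_managed_node_group_defaults` in terraform-aws-eks 18.x, makes `var.node_pool_desired_size` in `node_group_defaults` a no-op for every generated group; it also silently assumes every instance type is spelled `family.size`. If the intent is one warm node per xlarge pool, expose that as a variable or at least document it with `# Start one node only in xlarge pools; the cluster-autoscaler scales the others from zero`. In the first hunk, `merge(var.node_pool_tags, local.tags, { ... })` lets `local.tags` (which already includes `var.additional_tags`) override caller-supplied `node_pool_tags`; if the more specific per-pool tags should win, put `var.node_pool_tags` after `local.tags`. The enclosing locals block starts outside both hunks.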
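Review bot: Adding `count` to `module "istio"` changes its address from `module.istio` to `module.istio[0]`, so existing state needs a migration (a `moved` block from `module.istio` to `module.istio[0]` on Terraform 1.1+, or `terraform state mv`) and every reference of the form `module.istio.<output>` elsewhere in the repository must become `module.istio[0].<output>`; neither appears in this patch, so an apply against existing state would destroy and recreate the Istio operator. A short comment, `# gated by enable_bootstrap; the module address is module.istio[0]`, above the `count` line would flag this for callers. The module block continues outside the hunk.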
diff --git a/variables.tf b/variables.tf index d64bab4..fe7433f 100644 --- a/variables.tf +++ b/variables.tf @@ -275,6 +275,7 @@ variable "external_dns_settings" { } variable "hosted_zone_id" { + default = "*" description = "The ID of the Route53 hosted zone used by the cluster's External DNS configuration." type = string } From 18850d344db0e3995d40dc5f970f3f5fea0db408 Mon Sep 17 00:00:00 2001 From: Joey Davenport Date: Thu, 22 Sep 2022 15:38:18 -0600 Subject: [PATCH 07/29] Added default value for istio service domain --- variables.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/variables.tf b/variables.tf index fe7433f..60fb6e3 100644 --- a/variables.tf +++ b/variables.tf @@ -510,7 +510,8 @@ variable "region" { } variable "service_domain" { - description = "The domain name being used by the environment, needed specifically for Istio's authorization policies." + default = "" + description = "When Istio is enabled, the FQDN needed specifically for Istio's authorization policies." type = string } From d6bd9128763987980a5dd356a1a4dd2e0891c788 Mon Sep 17 00:00:00 2001 From: Joey Davenport Date: Mon, 26 Sep 2022 15:52:05 -0600 Subject: [PATCH 08/29] Added velero --- variables.tf | 54 ++++++++++++++++ velero.tf | 178 +++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 232 insertions(+) create mode 100644 velero.tf diff --git a/variables.tf b/variables.tf index 60fb6e3..35e623a 100644 --- a/variables.tf +++ b/variables.tf 
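Review bot: Defaulting `hosted_zone_id` to `"*"` is a wildcard rather than a zone ID, and the description still calls it the ID of the hosted zone; if this value is interpolated into the Route53 resource ARN of the External DNS IAM policy (not visible here), the default silently grants record changes on every hosted zone in the account instead of the one the cluster uses. Prefer no default, so callers must name the zone, or document the wildcard explicitly, e.g. `The ID of the Route53 hosted zone used by External DNS. Defaults to "*", which allows External DNS to manage records in every hosted zone in the account; set a specific zone ID to restrict it.`, and add a `validation` block accepting only `*` or a zone ID.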
@@ -533,6 +533,60 @@ variable "use_runtime_policy" { type = bool } +variable "velero_backup_schedule" { + default = "0 5 * * *" + description = "The scheduled time for Velero to perform backups. Written in cron expression, defaults to \"0 5 * * *\" or \"at 5:00am every day\"" + type = string +} + +variable "velero_excluded_namespaces" { + default = ["kube-system", "default", "operators", "olm"] + description = "A comma-separated list of namespaces to exclude from Velero backups. Defaults are set to [\"default\", \"kube-system\", \"operators\", \"olm\"]." + type = list(string) +} + +variable "velero_helm_chart_name" { + default = "velero" + description = "The name of the Helm chart to use for Velero" + type = string +} + +variable "velero_helm_chart_repository" { + default = "https://vmware-tanzu.github.io/helm-charts" + description = "The repository containing the Helm chart to use for velero" + type = string +} + +variable "velero_helm_chart_version" { + default = "2.31.8" + description = "The version of the Helm chart to use for Velero. The current version can be found in github: https://github.com/vmware-tanzu/helm-charts/tree/main/charts/velero" + type = string +} + +variable "velero_namespace" { + default = "sn-system" + description = "The kubernetes namespace where Velero should be deployed. This is required to set the appropriate policy permissions for IRSA, which grants the Kubernetes Service Account access to use the IAM role. Defaults to \"sn-system\"" + type = string +} + +variable "velero_plugin_version" { + default = "v1.9.2" + description = "Which version of the velero-plugin-for-aws to use." + type = string +} + +variable "velero_policy_arn" { + default = null + description = "The arn for the IAM policy used by the Velero backup addon service. For enhanced security, we allow for IAM policies used by cluster addon services to be created seperately from this module. 
This is only required if the input \"create_iam_policy_for_velero\" is set to \"false\". If created elsewhere, the expected name of the policy is \"StreamNativeCloudVeleroBackupPolicy\"." + type = string +} + +variable "velero_settings" { + default = {} + description = "Additional settings which will be passed to the Helm chart values for Velero. See https://github.com/vmware-tanzu/helm-charts/tree/main/charts/velero for available options" + type = map(string) +} + variable "vpc_id" { default = "" description = "The ID of the AWS VPC to use." diff --git a/velero.tf b/velero.tf new file mode 100644 index 0000000..788c0fa --- /dev/null +++ b/velero.tf 
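Review bot: `velero_policy_arn` is declared with a description that refers to an input `create_iam_policy_for_velero`, but no such variable is added in this hunk and velero.tf in the same commit gates policy creation on `var.create_iam_policies` and falls back to `local.default_service_policy_arn`, so the ARN is apparently never consumed and the description documents a contract that does not exist. Either wire it into the attachment, `policy_arn = var.create_iam_policies ? aws_iam_policy.velero[0].arn : coalesce(var.velero_policy_arn, local.default_service_policy_arn)`, or drop the variable. Separately, `velero_excluded_namespaces` is typed `list(string)` but described as "A comma-separated list"; the description should say it is a list of namespace names.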
@@ -0,0 +1,178 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +resource "aws_s3_bucket" "velero" { + acl = "private" + bucket = format("%s-cluster-backup", var.cluster_name) + + server_side_encryption_configuration { + rule { + apply_server_side_encryption_by_default { + sse_algorithm = "aws:kms" + } + } + } + + tags = merge({"Attributes" = "backup", "Name" = "velero-backups" }, local.tags) +} + +data "aws_iam_policy_document" "velero" { + statement { + actions = [ + "ec2:DescribeVolumes", + "ec2:DescribeSnapshots", + "ec2:CreateTags", + "ec2:CreateVolume", + "ec2:CreateSnapshot", + "ec2:DeleteSnapshot" + ] + + resources = ["*"] + } + + statement { + actions = [ + "s3:AbortMultipartUpload", + "s3:DeleteObject*", + "s3:GetObject*", + "s3:PutObject*", + "s3:List*", + ] + + resources = [ + aws_s3_bucket.velero.arn, + "${aws_s3_bucket.velero.arn}/*", + ] + } +} + +data "aws_iam_policy_document" "velero_sts" { + statement { + actions = [ + "sts:AssumeRoleWithWebIdentity" + ] + effect = "Allow" + principals { + type = "Federated" + identifiers = [format("arn:%s:iam::%s:oidc-provider/%s", var.aws_partition, data.aws_caller_identity.current.account_id, var.oidc_issuer)] + } + condition { + test = "StringLike" + values = 
[format("system:serviceaccount:%s:%s", var.velero_namespace, "velero")] + variable = format("%s:sub", var.oidc_issuer) + } + } +} + +resource "aws_iam_role" "velero" { + name = format("%s-velero-backup-role", var.cluster_name) + description = format("Role used by IRSA and the KSA velero on StreamNative Cloud EKS cluster %s", var.cluster_name) + assume_role_policy = data.aws_iam_policy_document.velero_sts.json + tags = local.tags + path = "/StreamNative/" + permissions_boundary = var.permissions_boundary_arn +} + +resource "aws_iam_policy" "velero" { + count = var.create_iam_policies ? 1 : 0 + name = format("%s-VeleroBackupPolicy", var.cluster_name) + description = "Policy that defines the permissions for the Velero backup addon service running in a StreamNative Cloud EKS cluster" + path = "/StreamNative/" + policy = data.aws_iam_policy_document.velero.json + tags = local.tags +} + +resource "aws_iam_role_policy_attachment" "velero" { + policy_arn = var.create_iam_policies ? aws_iam_policy.velero[0].arn : local.default_service_policy_arn + role = aws_iam_role.velero.name +} + +resource "helm_release" "velero" { + count = var.enable_bootstrap ? 
1 : 0 + atomic = true + chart = var.velero_helm_chart_name + cleanup_on_fail = true + name = "velero" + namespace = var.velero_namespace + repository = var.velero_helm_chart_repository + timeout = 300 + version = var.velero_helm_chart_version + values = [ + yamlencode( + { + "credentials" : { + "useSecret" : "false" + }, + "configuration" : { + "provider" : "aws", + "backupStorageLocation" : { + "name" : "aws" + "bucket" : "${aws_s3_bucket.velero.id}" + "region" : var.region + } + }, + "initContainers" : [ + { + "name" : "velero-plugin-for-aws", + "image" : "velero/velero-plugin-for-aws:${var.velero_plugin_version}", + "imagePullPolicy" : "IfNotPresent", + "volumeMounts" : [ + { + "mountPath" : "/target", + "name" : "plugins" + } + ] + } + ], + "podAnnotations" : { + "eks.amazonaws.com/role-arn" : "${aws_iam_role.velero.arn}" + }, + "podSecurityContext" : { + "fsGroup" : 65534 + }, + "serviceAccount" : { + "server" : { + "name" : "${"velero"}" + "annotations" : { + "eks.amazonaws.com/role-arn" : "${aws_iam_role.velero.arn}" + } + }, + }, + "schedules" : { + "cluster-wide-backup" : { + "schedule" : "${var.velero_backup_schedule}" + "template" : { + "excludedNamespaces" : "${var.velero_excluded_namespaces}" + "storageLocation" : "aws" + "volumeSnapshotLocations" : ["aws"] + } + } + } + } + ) + ] + + dynamic "set" { + for_each = var.velero_settings + content { + name = set.key + value = set.value + } + } +} From 961c11cfc6112400a52f2966ce88b5533d0f19e9 Mon Sep 17 00:00:00 2001 From: Joey Davenport Date: Mon, 26 Sep 2022 16:03:49 -0600 Subject: [PATCH 09/29] Changed deprecated bucket config --- velero.tf | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/velero.tf b/velero.tf index 788c0fa..bff2464 100644 --- a/velero.tf +++ b/velero.tf 
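Review bot: The IRSA trust policy in `data "aws_iam_policy_document" "velero_sts"` conditions only on `<issuer>:sub`; it should also require `<issuer>:aud` to equal `sts.amazonaws.com`, which is the documented hardening that stops a projected token minted for another audience from assuming this role. The first statement of `data "aws_iam_policy_document" "velero"` grants `ec2:DeleteSnapshot` and `ec2:CreateVolume` on `resources = ["*"]`, so the Velero role can delete any EBS snapshot in the account rather than only its own; a `StringEquals` condition on an `ec2:ResourceTag/...` key that the AWS plugin sets (to be confirmed against the plugin version in use) narrows that. The backup bucket has no `aws_s3_bucket_public_access_block` and no versioning, which is the minimum I would expect for a bucket holding cluster state. Lastly, `"useSecret" : "false"` passes a string where the chart expects a boolean; an unquoted `false` avoids a truthy-string surprise.

```hcl
data "aws_iam_policy_document" "velero_sts" {
  statement {
    # … unchanged: actions, effect, principals, sub condition …
    condition {
      test     = "StringEquals"
      values   = ["sts.amazonaws.com"]
      variable = format("%s:aud", var.oidc_issuer)
    }
  }
}

resource "aws_s3_bucket_public_access_block" "velero" {
  bucket                  = aws_s3_bucket.velero.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_versioning" "velero" {
  bucket = aws_s3_bucket.velero.id
  versioning_configuration {
    status = "Enabled"
  }
}
```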
@@ -17,19 +17,26 @@ # under the License. # +data "aws_kms_key" "s3_default" { + key_id = "alias/aws/s3" +} + resource "aws_s3_bucket" "velero" { acl = "private" bucket = format("%s-cluster-backup", var.cluster_name) - server_side_encryption_configuration { - rule { - apply_server_side_encryption_by_default { - sse_algorithm = "aws:kms" - } + tags = merge({"Attributes" = "backup", "Name" = "velero-backups" }, local.tags) +} + +resource "aws_s3_bucket_server_side_encryption_configuration" "velero" { + bucket = aws_s3_bucket.velero.bucket + + rule { + apply_server_side_encryption_by_default { + kms_master_key_id = data.aws_kms_key.s3_default.arn + sse_algorithm = "aws:kms" } } - - tags = merge({"Attributes" = "backup", "Name" = "velero-backups" }, local.tags) } data "aws_iam_policy_document" "velero" { @@ -70,7 +77,7 @@ data "aws_iam_policy_document" "velero_sts" { effect = "Allow" principals { type = "Federated" - identifiers = [format("arn:%s:iam::%s:oidc-provider/%s", var.aws_partition, data.aws_caller_identity.current.account_id, var.oidc_issuer)] + identifiers = [format("arn:%s:iam::%s:oidc-provider/%s", local.aws_partition, data.aws_caller_identity.current.account_id, var.oidc_issuer)] } condition { test = "StringLike" From 07e1aabadb910f0700d6056bd772b06dc8b6857b Mon Sep 17 00:00:00 2001 From: Joey Davenport Date: Mon, 26 Sep 2022 16:11:33 -0600 Subject: [PATCH 10/29] Fixed velero OIDC inputs --- velero.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/velero.tf b/velero.tf index bff2464..1ea2fb2 100644 --- a/velero.tf +++ b/velero.tf 
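Review bot: The new `aws_s3_bucket_server_side_encryption_configuration` pins `kms_master_key_id` to the AWS-managed `alias/aws/s3` key, whose key policy cannot be edited, so the bucket can never be shared with a separate restore account or have key usage restricted per principal; an input for a customer-managed key ARN with this data source as the fallback, the same pattern main.tf already uses for `ebs_default`, keeps the default behaviour while allowing the override. If a customer-managed key is ever supplied, the Velero role's policy in this file grants only `ec2:*` and `s3:*` actions and no `kms:GenerateDataKey`/`kms:Decrypt` on the key, so uploads would fail; the AWS-managed key only works because its policy delegates to S3. Also `bucket = aws_s3_bucket.velero.bucket` here versus `.id` elsewhere in the file is harmless but inconsistent.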
@@ -77,12 +77,12 @@ data "aws_iam_policy_document" "velero_sts" { effect = "Allow" principals { type = "Federated" - identifiers = [format("arn:%s:iam::%s:oidc-provider/%s", local.aws_partition, data.aws_caller_identity.current.account_id, var.oidc_issuer)] + identifiers = [format("arn:%s:iam::%s:oidc-provider/%s", local.aws_partition, local.account_id, local.oidc_issuer)] } condition { test = "StringLike" values = [format("system:serviceaccount:%s:%s", var.velero_namespace, "velero")] - variable = format("%s:sub", var.oidc_issuer) + variable = format("%s:sub", local.oidc_issuer) } } } From 09f1ef2d29a594b48cb849b08bcfe55878e20414 Mon Sep 17 00:00:00 2001 From: Joey Davenport Date: Mon, 26 Sep 2022 16:17:03 -0600 Subject: [PATCH 11/29] Added ACL resource for velero bucket --- velero.tf | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/velero.tf b/velero.tf index 1ea2fb2..9577d20 100644 --- a/velero.tf +++ b/velero.tf @@ -22,10 +22,13 @@ data "aws_kms_key" "s3_default" { } resource "aws_s3_bucket" "velero" { - acl = "private" bucket = format("%s-cluster-backup", var.cluster_name) + tags = merge({ "Attributes" = "backup", "Name" = "velero-backups" }, local.tags) +} - tags = merge({"Attributes" = "backup", "Name" = "velero-backups" }, local.tags) +resource "aws_s3_bucket_acl" "velero" { + bucket = aws_s3_bucket.velero.id + acl = "private" } resource "aws_s3_bucket_server_side_encryption_configuration" "velero" { @@ -33,7 +36,7 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "velero" { rule { apply_server_side_encryption_by_default { - kms_master_key_id = data.aws_kms_key.s3_default.arn + kms_master_key_id = data.aws_kms_key.s3_default.arn sse_algorithm = "aws:kms" } } From d148c70b9876e03e4b99f3000ca78f5da1cb7a9c Mon Sep 17 00:00:00 2001 
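Review bot: `aws_s3_bucket_acl` with `acl = "private"` only applies while the bucket's object ownership allows ACLs; on accounts where the bucket is created with ACLs disabled (the current S3 default for new buckets) the apply fails with `AccessControlListNotSupported`, so this resource needs a sibling `aws_s3_bucket_ownership_controls` with `object_ownership = "BucketOwnerPreferred"` and a `depends_on`, or, better, it can be dropped since `private` is already the default and an `aws_s3_bucket_public_access_block` provides the actual guarantee. The ACL hunk is in the third commit on this line; the `local.*` OIDC rename in the first hunk raises nothing.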
From: Joey Davenport
Date: Wed, 28 Sep 2022 10:49:11 -0600
Subject: [PATCH 12/29] Fixed NG arn to work with iam-authenticator at creation
---
 main.tf | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/main.tf b/main.tf
index 196b14c..3298982 100644
--- a/main.tf
+++ b/main.tf
@@ -71,7 +71,7 @@ locals {
 desired_size = var.node_pool_desired_size
 ebs_optimized = var.node_pool_ebs_optimized
 enable_monitoring = var.enable_node_pool_monitoring
- iam_role_arn = aws_iam_role.ng.arn
+ iam_role_arn = replace(aws_iam_role.ng.arn, replace(var.iam_path, "/^//", ""), "") # Work around for https://github.com/kubernetes-sigs/aws-iam-authenticator/issues/153
 labels = var.node_pool_labels
 min_size = var.node_pool_min_size
 max_size = var.node_pool_max_size
@@ -107,11 +107,10 @@ locals {
 }
 ]
 
- # Remove the IAM Path from the role
- # Work around for https://github.com/kubernetes-sigs/aws-iam-authenticator/issues/153
+ # Add the worker node role back in with the path so the EKS console reports healthy node status
 worker_node_role = [
 {
- rolearn = replace(aws_iam_role.ng.arn, replace(var.iam_path, "/^//", ""), "")
+ rolearn = aws_iam_role.ng.arn
 username = "system:node:{{EC2PrivateDNSName}}"
 groups = ["system:bootstrappers", "system:nodes"]
 }
From 6cba5f8198987d387ddc96264895405cecffe053 Mon Sep 17 00:00:00 2001
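Review bot: `iam_role_arn = replace(aws_iam_role.ng.arn, replace(var.iam_path, "/^//", ""), "")` strips the path by plain substring replacement, so if the path text also occurs inside the role name it is removed there as well, and an `iam_path` of `/` reduces to an empty pattern that is a no-op; an anchored form such as `replace(aws_iam_role.ng.arn, "/:role/.*//", ":role/")` removes exactly the path component. In the second hunk `worker_node_role` now maps the full ARN with path into aws-auth while the node group itself is created with the stripped ARN; per the linked authenticator issue the stripped form is what the authenticator compares, so unless the EKS module also maps the stripped ARN (not visible here) nodes may fail to authenticate. Both `locals` entries sit in a block that continues outside the hunk.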
From: Joey Davenport Date: Thu, 29 Sep 2022 17:03:16 -0600 Subject: [PATCH 13/29] Removed old submodules;added tiered storage;updated ng config;misc var defaults --- csi.tf | 4 +- istio.tf | 2 +- main.tf | 31 +- modules/backup-resources/README.md | 61 -- modules/backup-resources/main.tf | 180 ----- modules/backup-resources/outputs.tf | 38 - modules/backup-resources/variables.tf | 116 --- modules/managed-cloud/README.md | 127 ---- .../cloudformation/managed_cloud.yaml | 670 ------------------ .../files/aws_lb_controller.json.tpl | 227 ------ .../files/bootstrap_role_iam_policy.json.tpl | 299 -------- ...bootstrap_role_iam_policy_runtime.json.tpl | 297 -------- .../files/management_role_iam_policy.json.tpl | 140 ---- .../permission_boundary_iam_policy.json.tpl | 145 ---- ...ssion_boundary_iam_policy_runtime.json.tpl | 143 ---- modules/managed-cloud/main.tf | 434 ------------ modules/managed-cloud/outputs.tf | 43 -- modules/managed-cloud/variables.tf | 143 ---- modules/managed-cloud/versions.tf | 29 - modules/vault-resources/README.md | 88 --- modules/vault-resources/main.tf | 156 ---- modules/vault-resources/outputs.tf | 53 -- modules/vault-resources/variables.tf | 86 --- modules/vault-resources/versions.tf | 29 - outputs.tf | 55 +- .../versions.tf => tiered_storage.tf | 29 +- variables.tf | 30 +- velero.tf | 12 +- 28 files changed, 100 insertions(+), 3567 deletions(-) delete mode 100644 modules/backup-resources/README.md delete mode 100644 modules/backup-resources/main.tf delete mode 100644 modules/backup-resources/outputs.tf delete mode 100644 modules/backup-resources/variables.tf delete mode 100644 modules/managed-cloud/README.md delete mode 100644 modules/managed-cloud/cloudformation/managed_cloud.yaml delete mode 100644 modules/managed-cloud/files/aws_lb_controller.json.tpl delete mode 100644 modules/managed-cloud/files/bootstrap_role_iam_policy.json.tpl delete mode 100644 modules/managed-cloud/files/bootstrap_role_iam_policy_runtime.json.tpl delete mode 100644 
modules/managed-cloud/files/management_role_iam_policy.json.tpl delete mode 100644 modules/managed-cloud/files/permission_boundary_iam_policy.json.tpl delete mode 100644 modules/managed-cloud/files/permission_boundary_iam_policy_runtime.json.tpl delete mode 100644 modules/managed-cloud/main.tf delete mode 100644 modules/managed-cloud/outputs.tf delete mode 100644 modules/managed-cloud/variables.tf delete mode 100644 modules/managed-cloud/versions.tf delete mode 100644 modules/vault-resources/README.md delete mode 100644 modules/vault-resources/main.tf delete mode 100644 modules/vault-resources/outputs.tf delete mode 100644 modules/vault-resources/variables.tf delete mode 100644 modules/vault-resources/versions.tf rename modules/backup-resources/versions.tf => tiered_storage.tf (57%) diff --git a/csi.tf b/csi.tf index cbf9baf..1990876 100644 --- a/csi.tf +++ b/csi.tf @@ -125,7 +125,7 @@ data "aws_iam_policy_document" "csi" { "kms:ListGrants", "kms:RevokeGrant", ] - resources = [local.kms_key] + resources = [local.ebs_kms_key] effect = "Allow" condition { test = "Bool" @@ -141,7 +141,7 @@ data "aws_iam_policy_document" "csi" { "kms:GenerateDataKey*", "kms:DescribeKey" ] - resources = [local.kms_key] + resources = [local.ebs_kms_key] effect = "Allow" } } diff --git a/istio.tf b/istio.tf index 733dba7..95acdfe 100644 --- a/istio.tf +++ b/istio.tf @@ -34,7 +34,7 @@ locals { } module "istio" { - count = var.enable_bootstrap ? 1 : 0 + count = var.enable_bootstrap ? 1 : 0 source = "github.com/streamnative/terraform-helm-charts//modules/istio-operator?ref=v0.8.4" enable_istio_operator = true diff --git a/main.tf b/main.tf index 3298982..87aaae1 100644 --- a/main.tf +++ b/main.tf 
@@ -30,13 +30,18 @@ data "aws_kms_key" "ebs_default" { key_id = "alias/aws/ebs" } +data "aws_kms_key" "s3_default" { + key_id = "alias/aws/s3" +} + locals { + s3_kms_key = var.s3_encryption_kms_key_arn == "" ? data.aws_kms_key.s3_default.arn : var.s3_encryption_kms_key_arn aws_partition = data.aws_partition.current.partition account_id = data.aws_caller_identity.current.account_id cluster_subnet_ids = concat(var.private_subnet_ids, var.public_subnet_ids) default_lb_policy_arn = "arn:${local.aws_partition}:iam::${local.account_id}:policy/StreamNative/StreamNativeCloudLBPolicy" default_service_policy_arn = "arn:${local.aws_partition}:iam::${local.account_id}:policy/StreamNative/StreamNativeCloudRuntimePolicy" - kms_key = var.disk_encryption_kms_key_id == "" ? data.aws_kms_key.ebs_default.arn : var.disk_encryption_kms_key_id + ebs_kms_key = var.disk_encryption_kms_key_arn == "" ? data.aws_kms_key.ebs_default.arn : var.disk_encryption_kms_key_arn oidc_issuer = trimprefix(module.eks.cluster_oidc_issuer_url, "https://") private_subnet_cidrs = var.enable_node_group_private_networking == false ? [] : [for i, v in var.private_subnet_ids : data.aws_subnet.private_subnets[i].cidr_block] @@ -51,6 +56,14 @@ locals { ) ## Node Group Configuration + compute_units = { + "large" = "Small" + "xlarge" = "Medium" + "2xlarge" = "Medium" + "4xlarge" = "Large" + "8xlarge" = "Large" + } + node_group_defaults = { ami_id = var.node_pool_ami_id block_device_mappings = { @@ -61,7 +74,7 @@ locals { volume_type = "gp3" iops = var.node_pool_disk_iops encrypted = true - kms_key_id = local.kms_key + kms_key_id = local.ebs_kms_key delete_on_termination = true } } 
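Review bot: Renaming `disk_encryption_kms_key_id` to `disk_encryption_kms_key_arn` is a breaking input change for every caller of this root module, and the variables.tf side of the rename is in the diffstat but not in the visible hunks; a deprecated alias variable feeding the same local would soften the cut-over. The new `s3_kms_key` local selects a customer-managed key when `var.s3_encryption_kms_key_arn` is set, but nothing in this hunk grants the roles that write to S3 `kms:Decrypt`/`kms:GenerateDataKey` on that key, so a non-default value needs a matching KMS statement in the consuming policies (velero.tf and tiered_storage.tf are in the diffstat but not shown). The `locals` block continues outside the hunk.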
@@ -72,7 +85,6 @@ locals { ebs_optimized = var.node_pool_ebs_optimized enable_monitoring = var.enable_node_pool_monitoring iam_role_arn = replace(aws_iam_role.ng.arn, replace(var.iam_path, "/^//", ""), "") # Work around for https://github.com/kubernetes-sigs/aws-iam-authenticator/issues/153 - labels = var.node_pool_labels min_size = var.node_pool_min_size max_size = var.node_pool_max_size pre_bootstrap_user_data = var.node_pool_pre_userdata @@ -92,7 +104,8 @@ locals { subnet_ids = [data.aws_subnet.private_subnets[i].id] instance_types = [instance_type] name = "snc-${split(".", instance_type)[1]}-${data.aws_subnet.private_subnets[i].availability_zone}" - desired_size = split(".", instance_type)[1] == "xlarge" ? 1 : 0 + desired_size = split(".", instance_type)[1] == "xlarge" ? 1 : 0 + labels = merge(var.node_pool_labels, { "cloud.streamnative.io/instance-type" = lookup(local.compute_units, split(".", instance_type)[1], "null") }) } ] ]) : "${node_group.name}" => node_group @@ -110,7 +123,7 @@ locals { # Add the worker node role back in with the path so the EKS console reports healthy node status worker_node_role = [ { - rolearn = aws_iam_role.ng.arn + rolearn = aws_iam_role.ng.arn username = "system:node:{{EC2PrivateDNSName}}" groups = ["system:bootstrappers", "system:nodes"] } @@ -134,9 +147,7 @@ module "eks" { cluster_security_group_description = "EKS cluster security group." ############################################################################################### - # aws_auth_accounts = var.map_additional_aws_accounts - aws_auth_roles = local.role_bindings - # aws_auth_users = var.map_additional_iam_users + aws_auth_roles = local.role_bindings cluster_name = var.cluster_name cluster_version = var.cluster_version create_cluster_primary_security_group_tags = false 
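Review bot: `lookup(local.compute_units, split(".", instance_type)[1], "null")` uses the string `"null"` as the fallback, so an instance size missing from `compute_units` (for example `medium` or `16xlarge`) gets a literal node label `cloud.streamnative.io/instance-type=null` instead of no label, which any scheduler selector keyed on that label will treat as a real value. If the intent is to omit the label, build it conditionally, e.g. `labels = merge(var.node_pool_labels, contains(keys(local.compute_units), split(".", instance_type)[1]) ? { "cloud.streamnative.io/instance-type" = local.compute_units[split(".", instance_type)[1]] } : {})`; if it is meant to fail fast, a `validation` on `node_pool_instance_types` against the map keys is clearer. The `node_groups` comprehension continues outside the hunk.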
@@ -198,7 +209,7 @@ resource "kubernetes_storage_class" "sn_default" {
 parameters = {
 type = "gp3"
 encrypted = "true"
- kmsKeyId = local.kms_key
+ kmsKeyId = local.ebs_kms_key
 }
 reclaim_policy = "Delete"
 allow_volume_expansion = true
@@ -213,7 +224,7 @@ resource "kubernetes_storage_class" "sn_ssd" {
 parameters = {
 type = "gp3"
 encrypted = "true"
- kmsKeyId = local.kms_key
+ kmsKeyId = local.ebs_kms_key
 }
 reclaim_policy = "Delete"
 allow_volume_expansion = true
diff --git a/modules/backup-resources/README.md b/modules/backup-resources/README.md
deleted file mode 100644
index a5760a4..0000000
--- a/modules/backup-resources/README.md
+++ /dev/null
@@ -1,61 +0,0 @@ -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >=1.0.0 | -| [aws](#requirement\_aws) | >= 3.45.0 | - -## Providers - -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | >= 3.45.0 | -| [helm](#provider\_helm) | n/a | - -## Modules - -No modules. - -## Resources - -| Name | Type | -|------|------| -| [aws_iam_policy.velero](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_role.velero](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role_policy_attachment.velero](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [aws_s3_bucket.velero](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | -| [helm_release.velero](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | -| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | -| [aws_iam_policy_document.velero](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.velero_sts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [aws\_partition](#input\_aws\_partition) | AWS partition: 'aws', 'aws-cn', or 'aws-us-gov' | `string` | `"aws"` | no | -| [cluster\_name](#input\_cluster\_name) | The name of your EKS cluster and associated resources | `string` | n/a | yes | -| 
[create\_iam\_policy\_for\_velero](#input\_create\_iam\_policy\_for\_velero) | Whether to create the IAM policy used by the Velero backup addon service running within the EKS cluster. For enhanced security, we allow for these IAM policies to be created seperately from this module. Defaults to "true". If set to "false", you must provide the ARN for the IAM policy needed for Velero. | `bool` | `true` | no | -| [oidc\_issuer](#input\_oidc\_issuer) | The OIDC issuer for the EKS cluster | `string` | n/a | yes | -| [permissions\_boundary\_arn](#input\_permissions\_boundary\_arn) | If required, provide the ARN of the IAM permissions boundary to use for restricting StreamNative's vendor access | `string` | `null` | no | -| [pulsar\_namespace](#input\_pulsar\_namespace) | The namespace where Pulsar is deployed. This is required in order for Velero to backup Pulsar | `string` | n/a | yes | -| [tags](#input\_tags) | Tags to be added to the bucket and corresponding resources | `map(string)` | `{}` | no | -| [velero\_backup\_schedule](#input\_velero\_backup\_schedule) | The scheduled time for Velero to perform backups. Written in cron expression, defaults to "0 5 * * *" or "at 5:00am every day" | `string` | `"0 5 * * *"` | no | -| [velero\_excluded\_namespaces](#input\_velero\_excluded\_namespaces) | A comma-separated list of namespaces to exclude from Velero backups. Defaults are set to ["default", "kube-system", "operators", "olm"]. | `list(string)` |
[
"kube-system",
"default",
"operators",
"olm"
]
| no | -| [velero\_helm\_chart\_name](#input\_velero\_helm\_chart\_name) | The name of the Helm chart to use for Velero | `string` | `"velero"` | no | -| [velero\_helm\_chart\_repository](#input\_velero\_helm\_chart\_repository) | The repository containing the Helm chart to use for velero | `string` | `"https://vmware-tanzu.github.io/helm-charts"` | no | -| [velero\_helm\_chart\_version](#input\_velero\_helm\_chart\_version) | The version of the Helm chart to use for Velero The current version can be found in github: https://github.com/vmware-tanzu/helm-charts/blob/main/charts/velero/Chart.yaml | `string` | `"2.23.12"` | no | -| [velero\_namespace](#input\_velero\_namespace) | The kubernetes namespace where Velero should be deployed. This is required to set the appropriate policy permissions for IRSA, which grants the Kubernetes Service Account access to use the IAM role. Defaults to "sn-system" | `string` | `"sn-system"` | no | -| [velero\_plugin\_version](#input\_velero\_plugin\_version) | Which version of the velero-plugin-for-aws to use. Defaults to v1.3.0 | `string` | `"v1.3.0"` | no | -| [velero\_policy\_arn](#input\_velero\_policy\_arn) | The arn for the IAM policy used by the Velero backup addon service. For enhanced security, we allow for IAM policies used by cluster addon services to be created seperately from this module. This is only required if the input "create\_iam\_policy\_for\_velero" is set to "false". If created elsewhere, the expected name of the policy is "StreamNativeCloudVeleroBackupPolicy". | `string` | `null` | no | -| [velero\_settings](#input\_velero\_settings) | Additional settings which will be passed to the Helm chart values for Velero. See https://github.com/vmware-tanzu/helm-charts/tree/main/charts/velero for available options | `map(string)` | `{}` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| [role\_arn](#output\_role\_arn) | The arn of the role used for Velero backups for Pulsar. 
This needs to be annotated on the corresponding Kubernetes Service account in order for IRSA to work properly, e.g. "eks.amazonaws.com/role-arn" : "" | -| [role\_name](#output\_role\_name) | The name of the role used for Velero backups for Pulsar | -| [s3\_bucket](#output\_s3\_bucket) | The name of the bucket used for Velero backups of Pulsar | -| [s3\_bucket\_arn](#output\_s3\_bucket\_arn) | The arn of the bucket used for Velero backups for Pulsar | diff --git a/modules/backup-resources/main.tf b/modules/backup-resources/main.tf deleted file mode 100644 index 4c35efa..0000000 --- a/modules/backup-resources/main.tf +++ /dev/null 
@@ -1,180 +0,0 @@ -# -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, -# software distributed under the License is distributed on an -# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -# KIND, either express or implied. See the License for the -# specific language governing permissions and limitations -# under the License. -# - -data "aws_caller_identity" "current" {} - -resource "aws_s3_bucket" "velero" { - acl = "private" - bucket = format("%s-velero-backup-%s", var.cluster_name, var.region) - - server_side_encryption_configuration { - rule { - apply_server_side_encryption_by_default { - sse_algorithm = "aws:kms" - } - } - } - - tags = merge({ "Vendor" = "StreamNative", "Attributes" = "backup", "Name" = "velero-backups" }, var.tags) -} - -data "aws_iam_policy_document" "velero" { - statement { - actions = [ - "ec2:DescribeVolumes", - "ec2:DescribeSnapshots", - "ec2:CreateTags", - "ec2:CreateVolume", - "ec2:CreateSnapshot", - "ec2:DeleteSnapshot" - ] - - resources = ["*"] - } - - statement { - actions = [ - "s3:AbortMultipartUpload", - "s3:DeleteObject*", - "s3:GetObject*", - "s3:PutObject*", - "s3:List*", - ] - - resources = [ - aws_s3_bucket.velero.arn, - "${aws_s3_bucket.velero.arn}/*", - ] - } -} - -data "aws_iam_policy_document" "velero_sts" { - statement { - actions = [ - "sts:AssumeRoleWithWebIdentity" - ] - effect = "Allow" - principals { - type = "Federated" - identifiers = [format("arn:%s:iam::%s:oidc-provider/%s", var.aws_partition, 
data.aws_caller_identity.current.account_id, var.oidc_issuer)] - } - condition { - test = "StringLike" - values = [format("system:serviceaccount:%s:%s", var.velero_namespace, "velero")] - variable = format("%s:sub", var.oidc_issuer) - } - } -} - -resource "aws_iam_role" "velero" { - name = format("%s-velero-backup-role", var.cluster_name) - description = format("Role used by IRSA and the KSA velero on StreamNative Cloud EKS cluster %s", var.cluster_name) - assume_role_policy = data.aws_iam_policy_document.velero_sts.json - tags = merge({ "Vendor" = "StreamNative" }, var.tags) - path = "/StreamNative/" - permissions_boundary = var.permissions_boundary_arn -} - -resource "aws_iam_policy" "velero" { - count = var.create_iam_policy_for_velero ? 1 : 0 - name = format("%s-VeleroBackupPolicy", var.cluster_name) - description = "Policy that defines the permissions for the Velero backup addon service running in a StreamNative Cloud EKS cluster" - path = "/StreamNative/" - policy = data.aws_iam_policy_document.velero.json - tags = merge({ "Vendor" = "StreamNative" }, var.tags) -} - -resource "aws_iam_role_policy_attachment" "velero" { - count = var.create_iam_policy_for_velero ? 1 : 0 - policy_arn = var.create_iam_policy_for_velero ? 
aws_iam_policy.velero[0].arn : var.velero_policy_arn - role = aws_iam_role.velero.name -} - -resource "helm_release" "velero" { - atomic = true - chart = var.velero_helm_chart_name - cleanup_on_fail = true - name = "velero" - namespace = var.velero_namespace - repository = var.velero_helm_chart_repository - timeout = 300 - version = var.velero_helm_chart_version - values = [ - yamlencode( - { - "credentials" : { - "useSecret" : "false" - }, - "configuration" : { - "provider" : "aws", - "backupStorageLocation" : { - "name" : "aws" - "bucket" : "${aws_s3_bucket.velero.id}" - "region" : var.region - } - }, - "initContainers" : [ - { - "name" : "velero-plugin-for-aws", - "image" : "velero/velero-plugin-for-aws:${var.velero_plugin_version}", - "imagePullPolicy" : "IfNotPresent", - "volumeMounts" : [ - { - "mountPath" : "/target", - "name" : "plugins" - } - ] - } - ], - "podAnnotations" : { - "eks.amazonaws.com/role-arn" : "${aws_iam_role.velero.arn}" - }, - "podSecurityContext" : { - "fsGroup" : 65534 - }, - "serviceAccount" : { - "server" : { - "name" : "${"velero"}" - "annotations" : { - "eks.amazonaws.com/role-arn" : "${aws_iam_role.velero.arn}" - } - }, - }, - "schedules" : { - "cluster-wide-backup" : { - "schedule" : "${var.velero_backup_schedule}" - "template" : { - "excludedNamespaces" : "${var.velero_excluded_namespaces}" - "storageLocation" : "aws" - "volumeSnapshotLocations" : ["aws"] - } - } - } - } - ) - ] - - dynamic "set" { - for_each = var.velero_settings - content { - name = set.key - value = set.value - } - } -} diff --git a/modules/backup-resources/outputs.tf b/modules/backup-resources/outputs.tf deleted file mode 100644 index a6adbe3..0000000 --- a/modules/backup-resources/outputs.tf +++ /dev/null 
@@ -1,38 +0,0 @@ -# -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, -# software distributed under the License is distributed on an -# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -# KIND, either express or implied. See the License for the -# specific language governing permissions and limitations -# under the License. -# - -output "role_arn" { - value = aws_iam_role.velero.arn - description = "The arn of the role used for Velero backups for Pulsar. This needs to be annotated on the corresponding Kubernetes Service account in order for IRSA to work properly, e.g. \"eks.amazonaws.com/role-arn\" : \"\"" -} - -output "role_name" { - value = aws_iam_role.velero.name - description = "The name of the role used for Velero backups for Pulsar" -} - -output "s3_bucket" { - value = aws_s3_bucket.velero.bucket - description = "The name of the bucket used for Velero backups of Pulsar" -} - -output "s3_bucket_arn" { - value = aws_s3_bucket.velero.arn - description = "The arn of the bucket used for Velero backups for Pulsar" -} \ No newline at end of file diff --git a/modules/backup-resources/variables.tf b/modules/backup-resources/variables.tf deleted file mode 100644 index db1f64f..0000000 --- a/modules/backup-resources/variables.tf +++ /dev/null 
@@ -1,116 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-#
-
-variable "aws_partition" {
- default = "aws"
- description = "AWS partition: 'aws', 'aws-cn', or 'aws-us-gov'"
- type = string
-}
-
-variable "cluster_name" {
- description = "The name of your EKS cluster and associated resources"
- type = string
-}
-
-variable "create_iam_policy_for_velero" {
- default = true
- description = "Whether to create the IAM policy used by the Velero backup addon service running within the EKS cluster. For enhanced security, we allow for these IAM policies to be created seperately from this module. Defaults to \"true\". If set to \"false\", you must provide the ARN for the IAM policy needed for Velero."
- type = bool
-}
-
-variable "oidc_issuer" {
- description = "The OIDC issuer for the EKS cluster"
- type = string
-}
-
-variable "permissions_boundary_arn" {
- default = null
- description = "If required, provide the ARN of the IAM permissions boundary to use for restricting StreamNative's vendor access"
- type = string
-}
-
-variable "pulsar_namespace" {
- description = "The namespace where Pulsar is deployed. 
This is required in order for Velero to backup Pulsar"
- type = string
-}
-
-variable "region" {
- description = "The region where your StreamNative Cloud EKS cluster is deployed"
- type = string
-}
-
-variable "velero_backup_schedule" {
- default = "0 5 * * *"
- description = "The scheduled time for Velero to perform backups. Written in cron expression, defaults to \"0 5 * * *\" or \"at 5:00am every day\""
- type = string
-}
-
-variable "velero_excluded_namespaces" {
- default = ["kube-system", "default", "operators", "olm"]
- description = "A comma-separated list of namespaces to exclude from Velero backups. Defaults are set to [\"default\", \"kube-system\", \"operators\", \"olm\"]."
- type = list(string)
-}
-
-variable "velero_helm_chart_name" {
- default = "velero"
- description = "The name of the Helm chart to use for Velero"
- type = string
-}
-
-variable "velero_helm_chart_repository" {
- default = "https://vmware-tanzu.github.io/helm-charts"
- description = "The repository containing the Helm chart to use for velero"
- type = string
-}
-
-variable "velero_helm_chart_version" {
- default = "2.23.12"
- description = "The version of the Helm chart to use for Velero The current version can be found in github: https://github.com/vmware-tanzu/helm-charts/blob/main/charts/velero/Chart.yaml"
- type = string
-}
-
-variable "velero_namespace" {
- default = "sn-system"
- description = "The kubernetes namespace where Velero should be deployed. This is required to set the appropriate policy permissions for IRSA, which grants the Kubernetes Service Account access to use the IAM role. Defaults to \"sn-system\""
- type = string
-}
-
-variable "velero_plugin_version" {
- default = "v1.3.0"
- description = "Which version of the velero-plugin-for-aws to use. Defaults to v1.3.0"
- type = string
-}
-
-variable "velero_policy_arn" {
- default = null
- description = "The arn for the IAM policy used by the Velero backup addon service. 
For enhanced security, we allow for IAM policies used by cluster addon services to be created seperately from this module. This is only required if the input \"create_iam_policy_for_velero\" is set to \"false\". If created elsewhere, the expected name of the policy is \"StreamNativeCloudVeleroBackupPolicy\"."
- type = string
-}
-
-variable "velero_settings" {
- default = {}
- description = "Additional settings which will be passed to the Helm chart values for Velero. See https://github.com/vmware-tanzu/helm-charts/tree/main/charts/velero for available options"
- type = map(string)
-}
-
-variable "tags" {
- default = {}
- description = "Tags to be added to the bucket and corresponding resources"
- type = map(string)
-}
diff --git a/modules/managed-cloud/README.md b/modules/managed-cloud/README.md
deleted file mode 100644
index 929aac8..0000000
--- a/modules/managed-cloud/README.md
+++ /dev/null
@@ -1,127 +0,0 @@ -# StreamNative Managed Cloud -This Terraform module creates the resources necessary for StreamNative's vendor access into your AWS environment. - -There are three main resources it creates, and one that is optional: - -- [Permission Boundary Policy](https://github.com/streamnative/terraform-aws-cloud/blob/master/modules/managed-cloud/files/permission_boundary_iam_policy.json.tpl): This permission boundary defines the scope of exactly what is possible for StreamNative to do within your AWS account. It is self enforcing with strict requirements, to ensure that points of vulnerability (such as privledge escalation) are locked down and not possible. - -- Management role: This AWS IAM role is used for the day to day management of resources strictly owned by StreamNative. It is limited in its ability to create, modify, and delete resources within AWS. - -- Bootstrap role (temporary/optional): This AWS IAM role is typically only needed for initial provisioning or deprovisioning. It has the ability to create and delete (within the limits of the permission boundary) EC2, EKS, IAM, DynamoDB, Route53, and KMS resources. - -And optionally: - -- Runtime policy: This policy is used by add-ons running in EKS that require an [IRSA](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) for interacting with AWS services, such as `aws-load-balanacer-controller`, AWS `csi` storage driver,`external-dns`, `external-secrets`, `certificate-manager`, and `cluster-autoscaler`. This policy contains all the actions needed by these services, eliminating the need for `iam:CreatePolicy` as part of the Bootstrap function where it otherwise creates an IAM policy for each service. 
(at some point, this will become the default behavior) -## Usage - -The module requires only one input to function: - -- `region`: The AWS region where your StreamNative Managed environment is running (this is needed to restrict access to manage certain AWS resources to a particular region) - -And if you are using the Runtime policy: - -- `use_runtime_policy`: Enables the creation of the runtime policy for EKS addon services, allowing for a tighter set of restrictions for the Bootstrap role. - -You can also pass additional policies that StreamNative is allowed to work with by using the `additional_iam_policy_arns` input and providing a list of appropriate arns. - -Assuming you are authenticated and authorized to the correct AWS environment, create a `main.tf` file containing the following: - -```hcl -module "sn_managed_cloud" { - source = "streamnative/cloud/aws//modules/managed-cloud" - - region = - use_runtime_policy = true - - additional_iam_policy_arns = [ - "arn:aws:iam::012345678901:policy/my_custom_policy_that_streamnative_needs_to_use" - ] -} -``` - -And then run `terraform init && terraform apply` accordingly. - -When you are finished, the module will output the ARNs for the resources created by this module. Please provide these ARNs to your StreamNative Engineer when you are ready for us to begin creating your environment. - -## CloudFormation (optional) -If you do not use Terraform or prefer a more AWS native approach to deploying these resources, the [`cloudformation`](https://github.com/streamnative/terraform-aws-cloud/tree/master/modules/managed-cloud/cloudformation) directory contains a stack template file you can use. It creates the same resources mentioned above, just upload the stack and provide the necessary `VendorSupportRoleArn` parameter. 
- - -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >=1.0.0 | -| [aws](#requirement\_aws) | >= 3.61.0 | - -## Providers - -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | >= 3.61.0 | -| [local](#provider\_local) | n/a | - -## Modules - -No modules. - -## Resources - -| Name | Type | -|------|------| -| [aws_iam_policy.alb_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.bootstrap_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.management_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.permission_boundary](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.runtime_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_role.bootstrap_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role.management_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role_policy_attachment.bootstrap_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [aws_iam_role_policy_attachment.management_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [local_file.alb_policy](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource | -| [local_file.bootstrap_policy](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource | -| 
[local_file.management_policy](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource | -| [local_file.permission_boundary_policy](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource | -| [local_file.runtime_policy](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource | -| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | -| [aws_ebs_default_kms_key.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ebs_default_kms_key) | data source | -| [aws_iam_policy_document.runtime_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.streamnative_control_plane_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.streamnative_vendor_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_kms_key.default_ebs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [additional\_iam\_policy\_arns](#input\_additional\_iam\_policy\_arns) | Provide a list of additional IAM policy arns allowed for use with iam:AttachRolePolicy, defined in the StreamNativePermissionBoundary. 
| `list(string)` | `[]` | no | -| [create\_bootstrap\_role](#input\_create\_bootstrap\_role) | Whether or not to create the bootstrap role, which is used by StreamNative for the initial deployment of the StreamNative Cloud | `string` | `true` | no | -| [external\_id](#input\_external\_id) | The external ID, provided by StreamNative, which is used for all assume role calls. If not provided, no check for external\_id is added. (NOTE: a future version will force the passing of this parameter) | `string` | `""` | no | -| [partition](#input\_partition) | AWS partition: 'aws', 'aws-cn', or 'aws-us-gov', used when constructing IRSA trust relationship policies. | `string` | `"aws"` | no | -| [region](#input\_region) | The AWS region where your instance of StreamNative Cloud is deployed. Defaults to all regions "*" | `string` | `"*"` | no | -| [runtime\_ebs\_kms\_key\_arns](#input\_runtime\_ebs\_kms\_key\_arns) | when using runtime policy, sets the list of allowed kms key arns, if not set, uses the default ebs kms key | `list(any)` | `[]` | no | -| [runtime\_eks\_cluster\_pattern](#input\_runtime\_eks\_cluster\_pattern) | when using runtime policy, defines the eks clsuter prefix for streamnative clusters | `string` | `"aws*snc"` | no | -| [runtime\_eks\_nodepool\_pattern](#input\_runtime\_eks\_nodepool\_pattern) | when using runtime policy, defines the bucket prefix for streamnative managed buckets (backup and offload) | `string` | `"snc-*-pool*"` | no | -| [runtime\_enable\_secretsmanager](#input\_runtime\_enable\_secretsmanager) | when using runtime policy, allows for secretsmanager access | `bool` | `false` | no | -| [runtime\_hosted\_zone\_allowed\_ids](#input\_runtime\_hosted\_zone\_allowed\_ids) | when using runtime policy, allows for further scoping down policy for allowed hosted zones | `list(any)` |
[
"*"
]
| no | -| [runtime\_s3\_bucket\_pattern](#input\_runtime\_s3\_bucket\_pattern) | when using runtime policy, defines the bucket prefix for streamnative managed buckets (backup and offload) | `string` | `"snc-*"` | no | -| [runtime\_vpc\_allowed\_ids](#input\_runtime\_vpc\_allowed\_ids) | when using runtime policy, allows for further scoping down policy for allowed VPC | `list(any)` |
[
"*"
]
| no | -| [sn\_policy\_version](#input\_sn\_policy\_version) | The value of SNVersion tag | `string` | `"2.0"` | no | -| [source\_identities](#input\_source\_identities) | Place an additional constraint on source identity, disabled by default and only to be used if specified by StreamNative | `list(any)` | `[]` | no | -| [source\_identity\_test](#input\_source\_identity\_test) | The test to use for source identity | `string` | `"ForAnyValue:StringLike"` | no | -| [streamnative\_google\_account\_id](#input\_streamnative\_google\_account\_id) | The Google Cloud service account ID used by StreamNative for Control Plane operations | `string` | `"108050666045451143798"` | no | -| [streamnative\_vendor\_access\_role\_arns](#input\_streamnative\_vendor\_access\_role\_arns) | A list ARNs provided by StreamNative that enable us to work with the Vendor Access Roles created by this module (StreamNativeCloudBootstrapRole, StreamNativeCloudManagementRole). This is how StreamNative is granted access into your AWS account, and should typically be the default value. | `list(string)` |
[
"arn:aws:iam::311022431024:role/cloud-manager"
]
| no | -| [tags](#input\_tags) | Extra tags to apply to the resources created by this module. | `map(string)` | `{}` | no | -| [use\_runtime\_policy](#input\_use\_runtime\_policy) | instead of relying on permission boundary use static runtime policies | `bool` | `false` | no | -| [write\_policy\_files](#input\_write\_policy\_files) | Write the policy files locally to disk for debugging and validation | `bool` | `false` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| [aws\_lbc\_policy\_arn](#output\_aws\_lbc\_policy\_arn) | The ARN of the AWS Load Balancer Controller Policy, if enabled | -| [bootstrap\_role\_arn](#output\_bootstrap\_role\_arn) | The ARN of the Bootstrap role, if enabled | -| [management\_role\_arn](#output\_management\_role\_arn) | The ARN of the Management Role | -| [permission\_boundary\_policy\_arn](#output\_permission\_boundary\_policy\_arn) | The ARN of the Permssion Boundary Policy | -| [runtime\_policy\_arn](#output\_runtime\_policy\_arn) | The ARN of the Runtime Policy, if enabled | - \ No newline at end of file diff --git a/modules/managed-cloud/cloudformation/managed_cloud.yaml b/modules/managed-cloud/cloudformation/managed_cloud.yaml deleted file mode 100644 index f3a4783..0000000 --- a/modules/managed-cloud/cloudformation/managed_cloud.yaml +++ /dev/null 
@@ -1,670 +0,0 @@ -AWSTemplateFormatVersion: "2010-09-09" -Description: "Creates IAM resources used for StreamNative's vendor access" - -Parameters: - VendorSupportRoleArn: - Description: "The IAM Role ARN used by StreamNative for vendor access into your AWS account. This is provided to you by StreamNative." - Type: String - Default: "arn:aws:iam::311022431024:role/cloud-manager" - ControlPlaneSAID: - Description: "The SA ID used by the StreamNative Cloud Control Plane" - Type: String - Default: "108050666045451143798" - -Resources: - BootstrapRole: - Type: "AWS::IAM::Role" - Properties: - Path: "/StreamNative/" - RoleName: "StreamNativeCloudBootstrapRole" - AssumeRolePolicyDocument: - Version: '2012-10-17' - Statement: - - Sid: AllowStreamNativeVendorAccess - Effect: Allow - Principal: - AWS: - - !Ref VendorSupportRoleArn - Action: sts:AssumeRole - MaxSessionDuration: 3600 - PermissionsBoundary: !Ref PermissionBoundaryPolicy - ManagedPolicyArns: - - !Ref BootstrapPolicy - Description: "This role is used to bootstrap the StreamNative Cloud within the AWS account. It is limited in scope to the attached policy and also the permission boundary." 
- Tags: - - - Key: "Vendor" - Value: "StreamNative" - - ManagementRole: - Type: "AWS::IAM::Role" - Properties: - Path: "/StreamNative/" - RoleName: "StreamNativeCloudManagementRole" - AssumeRolePolicyDocument: - Version: '2012-10-17' - Statement: - - Sid: AllowStreamNativeVendorAccess - Effect: Allow - Principal: - AWS: - - !Ref VendorSupportRoleArn - Action: sts:AssumeRole - - Sid: AllowStreamNativeControlPlaneAccess - Effect: Allow - Principal: - Federated: accounts.google.com - Action: sts:AssumeRoleWithWebIdentity - Condition: - StringEquals: - accounts.google.com:aud: !Ref ControlPlaneSAID - MaxSessionDuration: 3600 - PermissionsBoundary: !Ref PermissionBoundaryPolicy - ManagedPolicyArns: - - !Ref ManagementPolicy - Description: "This role is used by StreamNative for the day to day management of the StreamNative Cloud deployment." - Tags: - - - Key: "Vendor" - Value: "StreamNative" - - PermissionBoundaryPolicy: - Type: "AWS::IAM::ManagedPolicy" - Properties: - ManagedPolicyName: "StreamNativeCloudPermissionBoundary" - Path: "/StreamNative/" - PolicyDocument: !Sub | - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "AllowedServices", - "Effect": "Allow", - "Action": [ - "acm:*", - "autoscaling:*", - "cognito-idp:*", - "dynamodb:*", - "ec2:*", - "ecr:*", - "eks:*", - "elasticloadbalancing:*", - "iam:GetInstanceProfile", - "iam:GetOpenIDConnectProvider", - "iam:GetPolicy", - "iam:GetPolicyVersion", - "iam:GetRole", - "iam:GetServerCertificate", - "iam:ListAttachedRolePolicies", - "iam:ListEntitiesForPolicy", - "iam:ListInstanceProfile*", - "iam:ListOpenIDConnectProvider*", - "iam:ListPolicies", - "iam:ListPolicyTags", - "iam:ListPolicyVersions", - "iam:ListRole*", - "iam:ListServerCertificates", - "kms:*", - "logs:*", - "route53:*", - "s3:*", - "shield:*", - "sts:*", - "waf-regional:*", - "wafv2:*" - ], - "Resource": "*" - }, - { - "Sid": "IamRestrictions", - "Effect": "Allow", - "Action": [ - "iam:AddRoleToInstanceProfile", - "iam:AttachRolePolicy", - 
"iam:CreateOpenIDConnectProvider", - "iam:CreatePolicy", - "iam:CreatePolicyVersion", - "iam:CreateRole", - "iam:CreateServiceLinkedRole", - "iam:DeleteInstanceProfile", - "iam:DeleteOpenIDConnectProvider", - "iam:DeletePolicy", - "iam:DeletePolicyVersion", - "iam:DeleteRole", - "iam:DeleteServiceLinkedRole", - "iam:DetachRolePolicy", - "iam:PassRole", - "iam:PutRolePermissionsBoundary", - "iam:RemoveRoleFromInstanceProfile", - "iam:SetDefaultPolicyVersion", - "iam:TagInstanceProfile", - "iam:TagOpenIDConnectProvider", - "iam:TagPolicy", - "iam:TagRole", - "iam:UpdateAssumeRolePolicy", - "iam:UpdateOpenIDConnectProviderThumbprint", - "iam:UpdateRole", - "iam:UpdateRoleDescription" - ], - "Resource": [ - "arn:aws:iam::aws:policy/*", - "arn:aws:iam::${AWS::AccountId}:role/aws-service-role/*", - "arn:aws:iam::${AWS::AccountId}:role/StreamNative/*", - "arn:aws:iam::${AWS::AccountId}:policy/StreamNative/*", - "arn:aws:iam::${AWS::AccountId}:oidc-provider/*", - "arn:aws:iam::${AWS::AccountId}:instance-profile/*", - "arn:aws:iam::${AWS::AccountId}:server-certificate/*" - ] - }, - { - "Sid": "RestrictPassRoleToEKS", - "Effect": "Allow", - "Action": [ - "iam:PassRole" - ], - "Resource": "arn:aws:iam::${AWS::AccountId}:role/StreamNative/*", - "Condition": { - "StringEquals": { - "iam:PassedToService": "eks.amazonaws.com" - } - } - }, - { - "Sid": "AllowedIAMManagedPolicies", - "Effect": "Deny", - "Action": [ - "iam:AttachRolePolicy" - ], - "Resource": "arn:aws:iam::${AWS::AccountId}:role/StreamNative/*", - "Condition": { - "ArnNotLike": { - "iam:PolicyARN": [ - "arn:aws:iam::${AWS::AccountId}:policy/StreamNative/*-AWSLoadBalancerControllerPolicy", - "arn:aws:iam::${AWS::AccountId}:policy/StreamNative/*-CertManagerPolicy", - "arn:aws:iam::${AWS::AccountId}:policy/StreamNative/*-ClusterAutoscalerPolicy", - "arn:aws:iam::${AWS::AccountId}:policy/StreamNative/*-CsiPolicy", - "arn:aws:iam::${AWS::AccountId}:policy/StreamNative/*-ExternalDnsPolicy", - 
"arn:aws:iam::${AWS::AccountId}:policy/StreamNative/*-ExternalSecretsPolicy", - "arn:aws:iam::${AWS::AccountId}:policy/StreamNative/*-TieredStoragePolicy", - "arn:aws:iam::${AWS::AccountId}:policy/StreamNative/*-VaultPolicy", - "arn:aws:iam::${AWS::AccountId}:policy/StreamNative/*-VeleroBackupPolicy", - "arn:aws:iam::${AWS::AccountId}:policy/StreamNative/*-elb-sl-role-*", - "arn:aws:iam::${AWS::AccountId}:policy/StreamNative/*-deny-log-group*", - "arn:aws:iam::${AWS::AccountId}:policy/StreamNative/StreamNativeCloudPermissionBoundary", - "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy", - "arn:aws:iam::aws:policy/AmazonEKSServicePolicy", - "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController", - "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy", - "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy", - "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly" - ] - } - } - }, - { - "Sid": "RequirePermissionBoundaryForIamRoles", - "Effect": "Allow", - "Action": [ - "iam:CreateRole" - ], - "Resource": "arn:aws:iam::${AWS::AccountId}:role/StreamNative/*", - "Condition": { - "StringEqualsIgnoreCase": { - "aws:ResourceTag/Vendor": "StreamNative", - "iam:PermissionsBoundary": "arn:aws:iam:::policy/StreamNative/StreamNativeCloudPermissionBoundary" - } - } - }, - { - "Sid": "RestrictChangesToVendorAccess", - "Effect": "Deny", - "Action": [ - "iam:Attach", - "iam:Create*", - "iam:Delete*", - "iam:Put", - "iam:Tag*", - "iam:Untag*", - "iam:Update*", - "iam:Set*" - ], - "Resource": [ - "arn:aws:iam:::policy/StreamNative/StreamNativeCloudPermissionBoundary", - "arn:aws:iam::${AWS::AccountId}:role/StreamNative/StreamNativeBootstrapRole", - "arn:aws:iam::${AWS::AccountId}:role/StreamNative/StreamNativeManagementRole" - ] - } - ] - } - - BootstrapPolicy: - Type: "AWS::IAM::ManagedPolicy" - Properties: - ManagedPolicyName: "StreamNativeCloudBootstrapPolicy" - Path: "/StreamNative/" - PolicyDocument: !Sub | - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": 
"UnrestrictedServiceAccess", - "Effect": "Allow", - "Action": [ - "acm:ListCertificates", - "acm:ListTagsForCertificate", - "autoscaling:Describe*", - "dynamodb:ListBackups", - "dynamodb:ListGlobalTables", - "dynamodb:ListTables", - "dynamodb:ListTagsOfResource", - "ec2:AuthorizeSecurityGroup*", - "ec2:Describe*", - "ec2:Get*", - "ec2:RevokeSecurityGroup*", - "ec2:RunInstances", - "eks:Describe*", - "eks:List*", - "iam:AttachRolePolicy", - "iam:GetInstanceProfile", - "iam:GetOpenIDConnectProvider", - "iam:GetPolicy", - "iam:GetPolicyVersion", - "iam:GetRole", - "iam:ListAttachedRolePolicies", - "iam:ListEntitiesForPolicy", - "iam:ListInstanceProfile*", - "iam:ListOpenIDConnectProvider*", - "iam:ListPolicies", - "iam:ListPolicyTags", - "iam:ListPolicyVersions", - "iam:ListRole*", - "kms:CreateAlias", - "kms:CreateKey", - "kms:DeleteAlias", - "kms:DescribeKey", - "kms:GetKeyPolicy", - "kms:GetKeyRotationStatus", - "kms:ListAliases", - "kms:ListResourceTags", - "kms:ScheduleKeyDeletion", - "kms:TagResource", - "logs:CreateLogGroup", - "logs:DescribeLogGroups", - "logs:ListTagsLogGroup", - "route53:CreateHostedZone", - "route53:ChangeTagsForResource", - "route53:GetChange", - "route53:GetHostedZone", - "route53:ListHostedZones", - "route53:ListTagsForResource", - "s3:ListAllMyBuckets", - "s3:ListBucket" - ], - "Resource": "*" - }, - { - "Sid": "ResourceBasedRestictions", - "Effect": "Allow", - "Action": [ - "eks:DeleteNodeGroup", - "iam:CreatePolicy", - "iam:CreatePolicyVersion", - "iam:DeletePolicy", - "iam:DeletePolicyVersion" - ], - "Resource": [ - "arn:aws:eks:${AWS::Region}:${AWS::AccountId}:nodegroup/*/snc-*-pool*/*", - "arn:aws:iam::${AWS::AccountId}:policy/StreamNative/*" - ] - }, - { - "Sid": "RequireAWSRequestTag", - "Effect": "Allow", - "Action": [ - "acm:AddTagsToCertificate", - "acm:ImportCertificate", - "acm:RemoveTagsFromCertificate", - "acm:RequestCertificate", - "autoscaling:CreateAutoScalingGroup", - "autoscaling:CreateLaunchConfiguration", - 
"autoscaling:CreateOrUpdateTags", - "autoscaling:DetachInstances", - "autoscaling:SetDesiredCapacity", - "autoscaling:UpdateAutoScalingGroup", - "autoscaling:SuspendProcesses", - "ec2:AllocateAddress", - "ec2:CreateDhcpOptions", - "ec2:CreateEgressOnlyInternetGateway", - "ec2:CreateInternetGateway", - "ec2:CreateLaunchTemplate", - "ec2:CreateNatGateway", - "ec2:CreateNetworkInterface", - "ec2:CreateRouteTable", - "ec2:CreateSecurityGroup", - "ec2:CreateSubnet", - "ec2:CreateVolume", - "ec2:CreateVpc", - "ec2:CreateVpcEndpoint", - "ec2:CreateTags", - "ec2:*TransitGateway*", - "eks:Create*", - "eks:RegisterCluster", - "eks:TagResource" - ], - "Resource": "*", - "Condition": { - "StringEquals": { - "aws:RequestTag/Vendor": "StreamNative" - } - } - }, - { - "Sid": "RequireAWSResourceTag", - "Effect": "Allow", - "Action": [ - "acm:DeleteCertificate", - "acm:DescribeCertificate", - "acm:ExportCertificate", - "acm:GetCertificate", - "acm:ImportCertificate", - "acm:RemoveTagsFromCertificate", - "acm:ResendValidationEmail", - "autoscaling:AttachInstances", - "autoscaling:CreateOrUpdateTags", - "autoscaling:Delete*", - "ec2:AssignPrivateIpAddresses", - "ec2:Associate*", - "ec2:AttachInternetGateway", - "ec2:CreateLaunchTemplateVersion", - "ec2:CreateNatGateway", - "ec2:CreateNetworkInterface", - "ec2:CreateRoute", - "ec2:CreateRouteTable", - "ec2:CreateSecurityGroup", - "ec2:CreateSubnet", - "ec2:CreateTags", - "ec2:CreateVpcEndpoint", - "ec2:Delete*", - "ec2:Detach*", - "ec2:Disassociate*", - "ec2:Modify*", - "ec2:Release*", - "ec2:Revoke*", - "ec2:RunInstances", - "ec2:TerminateInstances", - "ec2:*TransitGateway*", - "ec2:Update*", - "eks:DeleteAddon", - "eks:DeleteCluster", - "eks:DeleteFargateProfile", - "eks:DeregisterCluster", - "eks:DisassociateIdentityProviderConfig", - "eks:U*", - "logs:DeleteLogGroup", - "logs:PutRetentionPolicy" - ], - "Resource": "*", - "Condition": { - "StringEquals": { - "aws:ResourceTag/Vendor": "StreamNative" - } - } - }, - { - "Sid": 
"RestrictS3Access", - "Effect": "Allow", - "Action":[ - "s3:CreateBucket", - "s3:DeleteBucket", - "s3:GetAccelerateConfiguration", - "s3:GetAccessPointPolicy", - "s3:GetAccountPublicAccessBlock", - "s3:GetAnalyticsConfiguration", - "s3:GetBucket*", - "s3:GetBucketLocation", - "s3:GetEncryptionConfiguration", - "s3:GetInventoryConfiguration", - "s3:GetLifecycleConfiguration", - "s3:GetMetricsConfiguration", - "s3:GetReplicationConfiguration", - "s3:PutAccelerateConfiguration", - "s3:PutAccessPointPolicy", - "s3:PutAccountPublicAccessBlock", - "s3:PutAnalyticsConfiguration", - "s3:PutBucket*", - "s3:PutEncryptionConfiguration", - "s3:PutInventoryConfiguration", - "s3:PutLifecycleConfiguration", - "s3:PutMetricsConfiguration", - "s3:PutReplicationConfiguration" - ], - "Resource": [ - "arn:aws:s3:::*-storage-offload-*", - "arn:aws:s3:::*-backup-*" - ] - }, - { - "Sid": "RestrictDynamoAccess", - "Effect": "Allow", - "Action": [ - "dynamodb:*ContinuousBackups", - "dynamodb:CreateBackup", - "dynamodb:CreateGlobalTable", - "dynamodb:CreateTable*", - "dynamodb:Delete*", - "dynamodb:Describe*", - "dynamodb:RestoreTable*", - "dynamodb:TagResource", - "dynamodb:UntagResource", - "dynamodb:Update*" - ], - "Resource": [ - "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/*vault-table", - "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:global-table/*vault-table" - ] - }, - { - "Sid": "IamRequireRequestTag", - "Effect": "Allow", - "Action": [ - "iam:CreateRole", - "iam:CreateOpenIDConnectProvider", - "iam:TagPolicy", - "iam:TagRole", - "iam:TagInstanceProfile", - "iam:TagOpenIDConnectProvider" - ], - "Resource": [ - "arn:aws:iam::${AWS::AccountId}:role/StreamNative/*", - "arn:aws:iam::${AWS::AccountId}:policy/StreamNative/*", - "arn:aws:iam::${AWS::AccountId}:oidc-provider/*" - ], - "Condition": { - "StringEqualsIgnoreCase": { - "aws:RequestTag/Vendor": "StreamNative" - } - } - }, - { - "Sid": "IamRequireResourceTag", - "Effect": "Allow", - "Action": [ - 
"iam:AddRoleToInstanceProfile", - "iam:DeleteInstanceProfile", - "iam:DeleteOpenIDConnectProvider", - "iam:DeleteRole", - "iam:DeleteServiceLinkedRole", - "iam:DetachRolePolicy", - "iam:PutRolePermissionsBoundary", - "iam:RemoveRoleFromInstanceProfile", - "iam:SetDefaultPolicyVersion", - "iam:UpdateAssumeRolePolicy", - "iam:UpdateOpenIDConnectProviderThumbprint", - "iam:UpdateRole", - "iam:UpdateRoleDescription" - ], - "Resource": [ - "arn:aws:iam::${AWS::AccountId}:role/StreamNative/*", - "arn:aws:iam::${AWS::AccountId}:policy/StreamNative/*", - "arn:aws:iam::${AWS::AccountId}:oidc-provider/*" - ], - "Condition": { - "StringEqualsIgnoreCase": { - "aws:ResourceTag/Vendor": "StreamNative" - } - } - }, - { - "Sid": "AllowAWSServiceRoleCreation", - "Effect": "Allow", - "Action": "iam:CreateServiceLinkedRole", - "Resource": "arn:aws:iam::${AWS::AccountId}:role/aws-service-role/*" - }, - { - "Sid": "RestrictPassRoleToEKS", - "Effect": "Allow", - "Action": [ - "iam:PassRole" - ], - "Resource": "*", - "Condition": { - "StringEquals": { - "iam:PassedToService": "eks.amazonaws.com" - } - } - } - ] - } - - ManagementPolicy: - Type: "AWS::IAM::ManagedPolicy" - Properties: - ManagedPolicyName: "StreamNativeCloudManagementPolicy" - Path: "/StreamNative/" - PolicyDocument: !Sub | - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "AllowedServices", - "Effect": "Allow", - "Action": [ - "acm:List*", - "cloudwatch:Describe*", - "cloudwatch:List*", - "cloudwatch:Get*", - "logs:Describe*", - "logs:List*", - "logs:Filter*", - "logs:StartQuery", - "logs:StopQuery", - "route53:Get*", - "route53:List*" - ], - "Resource": "*" - }, - { - "Sid": "AllowedIAMReadActions", - "Effect": "Allow", - "Action": [ - "iam:GetPolicy*", - "iam:GetRole*", - "iam:ListRole*", - "iam:ListPolic*" - ], - "Resource": [ - "arn:aws:iam::${AWS::AccountId}:role/StreamNative/*", - "arn:aws:iam::${AWS::AccountId}:policy/StreamNative/*", - "arn:aws:iam::aws:policy/*" - ] - }, - { - "Sid": 
"IamRequireRequestTag", - "Effect": "Allow", - "Action": [ - "iam:CreateRole", - "iam:TagPolicy", - "iam:TagRole" - ], - "Resource": [ - "arn:aws:iam::${AWS::AccountId}:role/StreamNative/*", - "arn:aws:iam::${AWS::AccountId}:policy/StreamNative/*" - ], - "Condition": { - "StringEqualsIgnoreCase": { - "aws:RequestTag/Vendor": "StreamNative" - } - } - }, - { - "Sid": "IamRequireResourceTag", - "Effect": "Allow", - "Action": [ - "iam:DeleteRole", - "iam:DetachRolePolicy", - "iam:PutRolePermissionsBoundary", - "iam:SetDefaultPolicyVersion", - "iam:UpdateAssumeRolePolicy", - "iam:UpdateRole", - "iam:UpdateRoleDescription" - ], - "Resource": [ - "arn:aws:iam::${AWS::AccountId}:role/StreamNative/*", - "arn:aws:iam::${AWS::AccountId}:policy/StreamNative/*" - ], - "Condition": { - "StringEqualsIgnoreCase": { - "aws:ResourceTag/Vendor": "StreamNative" - } - } - }, - { - "Sid": "RequireResourceTag", - "Effect": "Allow", - "Action": [ - "acm:DeleteCertificate", - "acm:DescribeCertificate", - "acm:GetCertificate", - "autoscaling:CancelInstanceRefresh", - "autoscaling:Describe*", - "autoscaling:PutScalingPolicy", - "autoscaling:ResumeProcesses", - "autoscaling:SetDesiredCapacity", - "autoscaling:StartInstanceRefresh", - "autoscaling:SuspendProcesses", - "autoscaling:UpdateAutoScalingGroup", - "ec2:Describe*", - "ec2:Get*", - "eks:Describe*", - "eks:List*", - "eks:UpdateNodegroupConfig", - "eks:UpdateNodegroupVersion", - "elasticloadbalancing:Describe*" - ], - "Resource": [ - "*" - ], - "Condition": { - "StringEqualsIgnoreCase": { - "aws:ResourceTag/Vendor": "StreamNative" - } - } - }, - { - "Sid": "RequireRequestTag", - "Effect": "Allow", - "Action": [ - "acm:AddTagsToCertificate", - "acm:ImportCertificate" - ], - "Resource": [ - "*" - ], - "Condition": { - "StringEqualsIgnoreCase": { - "aws:RequestTag/Vendor": "StreamNative" - } - } - } - ] - } 
diff --git a/modules/managed-cloud/files/aws_lb_controller.json.tpl b/modules/managed-cloud/files/aws_lb_controller.json.tpl
deleted file mode 100644
index e5c07c1..0000000
--- a/modules/managed-cloud/files/aws_lb_controller.json.tpl
+++ /dev/null
@@ -1,227 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "iam:CreateServiceLinkedRole"
- ],
- "Resource": "*",
- "Condition": {
- "StringEquals": {
- "iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:DescribeAccountAttributes",
- "ec2:DescribeAddresses",
- "ec2:DescribeAvailabilityZones",
- "ec2:DescribeInternetGateways",
- "ec2:DescribeVpcs",
- "ec2:DescribeVpcPeeringConnections",
- "ec2:DescribeSubnets",
- "ec2:DescribeSecurityGroups",
- "ec2:DescribeInstances",
- "ec2:DescribeNetworkInterfaces",
- "ec2:DescribeTags",
- "ec2:GetCoipPoolUsage",
- "ec2:DescribeCoipPools",
- "elasticloadbalancing:DescribeLoadBalancers",
- "elasticloadbalancing:DescribeLoadBalancerAttributes",
- "elasticloadbalancing:DescribeListeners",
- "elasticloadbalancing:DescribeListenerCertificates",
- "elasticloadbalancing:DescribeSSLPolicies",
- "elasticloadbalancing:DescribeRules",
- "elasticloadbalancing:DescribeTargetGroups",
- "elasticloadbalancing:DescribeTargetGroupAttributes",
- "elasticloadbalancing:DescribeTargetHealth",
- "elasticloadbalancing:DescribeTags"
- ],
- "Resource": "*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "cognito-idp:DescribeUserPoolClient",
- "acm:ListCertificates",
- "acm:DescribeCertificate",
- "iam:ListServerCertificates",
- "iam:GetServerCertificate",
- "waf-regional:GetWebACL",
- "waf-regional:GetWebACLForResource",
- "waf-regional:AssociateWebACL",
- "waf-regional:DisassociateWebACL",
- "wafv2:GetWebACL",
- "wafv2:GetWebACLForResource",
- "wafv2:AssociateWebACL",
- "wafv2:DisassociateWebACL",
- "shield:GetSubscriptionState",
- "shield:DescribeProtection",
- "shield:CreateProtection",
- "shield:DeleteProtection"
- ],
- "Resource": "*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Resource": "*",
- "Condition": {
- "StringEquals": {
- "aws:ResourceTag/Vendor": "StreamNative"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:CreateSecurityGroup"
- ],
- "Resource": "*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:CreateTags"
- ],
- "Resource": "arn:${partition}:ec2:*:*:security-group/*",
- "Condition": {
- "StringEquals": {
- "ec2:CreateAction": "CreateSecurityGroup"
- },
- "Null": {
- "aws:RequestTag/elbv2.k8s.aws/cluster": "false"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:CreateTags",
- "ec2:DeleteTags"
- ],
- "Resource": "arn:${partition}:ec2:*:*:security-group/*",
- "Condition": {
- "Null": {
- "aws:RequestTag/elbv2.k8s.aws/cluster": "true",
- "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:RevokeSecurityGroupIngress",
- "ec2:DeleteSecurityGroup"
- ],
- "Resource": "*",
- "Condition": {
- "Null": {
- "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
- },
- "StringEquals": {
- "aws:ResourceTag/Vendor": "StreamNative"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "elasticloadbalancing:CreateLoadBalancer",
- "elasticloadbalancing:CreateTargetGroup"
- ],
- "Resource": "*",
- "Condition": {
- "Null": {
- "aws:RequestTag/elbv2.k8s.aws/cluster": "false"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "elasticloadbalancing:CreateListener",
- "elasticloadbalancing:DeleteListener",
- "elasticloadbalancing:CreateRule",
- "elasticloadbalancing:DeleteRule"
- ],
- "Resource": "*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:RemoveTags"
- ],
- "Resource": [
- "arn:${partition}:elasticloadbalancing:*:*:targetgroup/*/*",
- "arn:${partition}:elasticloadbalancing:*:*:loadbalancer/net/*/*",
- "arn:${partition}:elasticloadbalancing:*:*:loadbalancer/app/*/*"
- ],
- "Condition": {
- "Null": {
- "aws:RequestTag/elbv2.k8s.aws/cluster": "true",
- "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:RemoveTags"
- ],
- "Resource": [
- "arn:${partition}:elasticloadbalancing:*:*:listener/net/*/*/*",
- "arn:${partition}:elasticloadbalancing:*:*:listener/app/*/*/*",
- "arn:${partition}:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
- "arn:${partition}:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
- ]
- },
- {
- "Effect": "Allow",
- "Action": [
- "elasticloadbalancing:ModifyLoadBalancerAttributes",
- "elasticloadbalancing:SetIpAddressType",
- "elasticloadbalancing:SetSecurityGroups",
- "elasticloadbalancing:SetSubnets",
- "elasticloadbalancing:DeleteLoadBalancer",
- "elasticloadbalancing:ModifyTargetGroup",
- "elasticloadbalancing:ModifyTargetGroupAttributes",
- "elasticloadbalancing:DeleteTargetGroup"
- ],
- "Resource": "*",
- "Condition": {
- "Null": {
- "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
- }
- }
- },
- {
- "Effect": "Allow",
- "Action": [
- "elasticloadbalancing:RegisterTargets",
- "elasticloadbalancing:DeregisterTargets"
- ],
- "Resource": "arn:${partition}:elasticloadbalancing:*:*:targetgroup/*/*"
- },
- {
- "Effect": "Allow",
- "Action": [
- "elasticloadbalancing:SetWebAcl",
- "elasticloadbalancing:ModifyListener",
- "elasticloadbalancing:AddListenerCertificates",
- "elasticloadbalancing:RemoveListenerCertificates",
- "elasticloadbalancing:ModifyRule"
- ],
- "Resource": "*"
- }
- ]
-}
diff --git a/modules/managed-cloud/files/bootstrap_role_iam_policy.json.tpl b/modules/managed-cloud/files/bootstrap_role_iam_policy.json.tpl
deleted file mode 100644
index d297bb7..0000000
--- a/modules/managed-cloud/files/bootstrap_role_iam_policy.json.tpl
+++ /dev/null
@@ -1,299 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "UnResAccessRO",
- "Effect": "Allow",
- "Action": [
- "acm:ImportCertificate",
- "acm:ListCertificates",
- "acm:ListTagsForCertificate",
- "autoscaling:Describe*",
- "ec2:Describe*",
- "ec2:Get*",
- "eks:Describe*",
- "eks:List*",
- "iam:GetInstanceProfile",
- "iam:GetOpenIDConnectProvider",
- "iam:GetPolicy",
- "iam:GetPolicyVersion",
- "iam:GetRole",
- "iam:List*",
- "kms:DescribeKey",
- "kms:GetKeyPolicy",
- "kms:GetKeyRotationStatus",
- "kms:ListAliases",
- "kms:ListResourceTags",
- "logs:Describe*",
- "logs:List*",
- "route53:GetChange",
- "route53:GetHostedZone",
- "route53:ListHostedZones",
- "route53:ListTagsForResource",
- "s3:ListAllMyBuckets",
- "s3:ListBucket"
- ],
- "Resource": "*"
- },
- {
- "Sid": "PEMBResRW",
- "Effect": "Allow",
- "Action": [
- "iam:AttachRolePolicy"
- ],
- "Resource": "arn:${partition}:iam::${account_id}:role/StreamNative/*"
- },
- {
- "Sid": "SecGroupVPC",
- "Effect": "Allow",
- "Action": [
- "ec2:AuthorizeSecurityGroup*",
- "ec2:RevokeSecurityGroup*"
- ],
- "Resource": "*",
- "Condition": {
- "StringEquals": {
- "aws:ResourceTag/Vendor": "StreamNative"
- }
- }
- },
- {
- "Sid": "RunInst",
- "Effect": "Allow",
- "Action": [
- "ec2:RunInstances"
- ],
- "Resource": "*",
- "Condition": {
- "ArnLikeIfExists": {
- "ec2:Vpc": ${vpc_ids}
- }
- }
- },
- {
- "Sid": "UnResAccessRW",
- "Effect": "Allow",
- "Action": [
- "kms:CreateAlias",
- "kms:DeleteAlias",
- "kms:ScheduleKeyDeletion",
- "logs:CreateLogGroup",
- "logs:PutRetentionPolicy",
- "route53:CreateHostedZone",
- "route53:ChangeTagsForResource"
- ],
- "Resource": "*"
- },
- {
- "Sid": "ResBasedRest",
- "Effect": "Allow",
- "Action": [
- "eks:DeleteNodeGroup",
- "iam:CreatePolicy",
- "iam:CreatePolicyVersion",
- "iam:DeletePolicy",
- "iam:DeletePolicyVersion"
- ],
- "Resource": [
- "arn:${partition}:eks:${region}:${account_id}:nodegroup/*/${nodepool_pattern}/*",
- "arn:${partition}:iam::${account_id}:policy/StreamNative/*"
- ]
- },
- {
- "Sid": "AllowTagSNASG",
- "Effect": "Allow",
- "Action": [
- "autoscaling:CreateOrUpdateTags",
- "eks:TagResource"
- ],
- "Resource": "*",
- "Condition": {
- "StringLike": {
- "aws:RequestTag/cluster-name": "${cluster_pattern}"
- }
- }
- },
- {
- "Sid": "ReqReqTag",
- "Effect": "Allow",
- "Action": [
- "acm:AddTagsToCertificate",
- "acm:ImportCertificate",
- "acm:RemoveTagsFromCertificate",
- "acm:RequestCertificate",
- "autoscaling:Create*",
- "ec2:*TransitGateway*",
- "ec2:AllocateAddress",
- "ec2:Create*",
- "eks:Create*",
- "eks:RegisterCluster",
- "eks:TagResource",
- "kms:CreateKey",
- "kms:TagResource"
- ],
- "Resource": "*",
- "Condition": {
- "StringEquals": {
- "aws:RequestTag/Vendor": "StreamNative"
- }
- }
- },
- {
- "Sid": "ReqResTag",
- "Effect": "Allow",
- "Action": [
- "acm:DeleteCertificate",
- "acm:DescribeCertificate",
- "acm:ExportCertificate",
- "acm:GetCertificate",
- "acm:ImportCertificate",
- "acm:RemoveTagsFromCertificate",
- "acm:ResendValidationEmail",
- "autoscaling:AttachInstances",
- "autoscaling:CreateOrUpdateTags",
- "autoscaling:Delete*",
- "autoscaling:Detach*",
- "autoscaling:Update*",
- "autoscaling:Resume*",
- "autoscaling:Suspend*",
- "autoscaling:SetDesired*",
- "ec2:AssignPrivateIpAddresses",
- "ec2:Associate*",
- "ec2:AttachInternetGateway",
- "ec2:CreateLaunchTemplateVersion",
- "ec2:CreateNatGateway",
- "ec2:CreateNetworkInterface",
- "ec2:CreateRoute",
- "ec2:CreateRouteTable",
- "ec2:CreateSecurityGroup",
- "ec2:CreateSubnet",
- "ec2:CreateTags",
- "ec2:CreateVpcEndpoint",
- "ec2:Delete*",
- "ec2:Detach*",
- "ec2:Disassociate*",
- "ec2:Modify*",
- "ec2:Release*",
- "ec2:Revoke*",
- "ec2:TerminateInstances",
- "ec2:*TransitGateway*",
- "ec2:Update*",
- "eks:DeleteAddon",
- "eks:DeleteCluster",
- "eks:DeleteFargateProfile",
- "eks:DeregisterCluster",
- "eks:DisassociateIdentityProviderConfig",
- "eks:U*",
- "elasticloadbalancing:*Listener",
- "elasticloadbalancing:*LoadBalancer*",
- "elasticloadbalancing:*Rule",
- "elasticloadbalancing:*TargetGroup",
- "elasticloadbalancing:Set*",
- "logs:DeleteLogGroup",
- "logs:PutRetentionPolicy"
- ],
- "Resource": "*",
- "Condition": {
- "StringEquals": {
- "aws:ResourceTag/Vendor": "StreamNative"
- }
- }
- },
- {
- "Sid": "RestrictS3Access",
- "Effect": "Allow",
- "Action":[
- "s3:CreateBucket",
- "s3:DeleteBucket",
- "s3:Get*",
- "s3:List*",
- "s3:PutBucket*",
- "s3:PutObject*",
- "s3:PutLifecycle*",
- "s3:PutAccelerateConfiguration",
- "s3:PutAccessPointPolicy",
- "s3:PutAccountPublicAccessBlock",
- "s3:PutAnalyticsConfiguration",
- "s3:DeleteBucket*",
- "s3:DeleteObject*",
- "s3:DeleteLifecycle*"
- ],
- "Resource": [
- "arn:${partition}:s3:::${bucket_pattern}",
- "arn:${partition}:s3:::${bucket_pattern}/*"
- ]
- },
- {
- "Sid": "IamRequireRequestTag",
- "Effect": "Allow",
- "Action": [
- "iam:CreateRole",
- "iam:CreateOpenIDConnectProvider",
- "iam:TagPolicy",
- "iam:TagRole",
- "iam:TagInstanceProfile",
- "iam:TagOpenIDConnectProvider"
- ],
- "Resource": [
- "arn:${partition}:iam::${account_id}:role/StreamNative/*",
- "arn:${partition}:iam::${account_id}:policy/StreamNative/*",
- "arn:${partition}:iam::${account_id}:oidc-provider/*"
- ],
- "Condition": {
- "StringEquals": {
- "aws:RequestTag/Vendor": "StreamNative"
- }
- }
- },
- {
- "Sid": "IamRequireResourceTag",
- "Effect": "Allow",
- "Action": [
- "iam:AddRoleToInstanceProfile",
- "iam:DeleteInstanceProfile",
- "iam:DeleteOpenIDConnectProvider",
- "iam:DeleteRole",
- "iam:DeleteServiceLinkedRole",
- "iam:DetachRolePolicy",
- "iam:PutRolePermissionsBoundary",
- "iam:RemoveRoleFromInstanceProfile",
- "iam:SetDefaultPolicyVersion",
- "iam:UpdateAssumeRolePolicy",
- "iam:UpdateOpenIDConnectProviderThumbprint",
- "iam:UpdateRole",
- "iam:UpdateRoleDescription"
- ],
- "Resource": [
- "arn:${partition}:iam::${account_id}:role/StreamNative/*",
- "arn:${partition}:iam::${account_id}:policy/StreamNative/*",
- "arn:${partition}:iam::${account_id}:oidc-provider/*"
- ],
- "Condition": {
- "StringEquals": {
- "aws:ResourceTag/Vendor": "StreamNative"
- }
- }
- },
- {
- "Sid": "AllowAWSServiceRoleCreation",
- "Effect": "Allow",
- "Action": "iam:CreateServiceLinkedRole",
- "Resource": "arn:${partition}:iam::${account_id}:role/aws-service-role/*"
- },
- {
- "Sid": "RestrictPassRoleToEKS",
- "Effect": "Allow",
- "Action": [
- "iam:PassRole"
- ],
- "Resource": [
- "arn:${partition}:iam::${account_id}:role/StreamNative/*"
- ],
- "Condition": {
- "StringEquals": {
- "iam:PassedToService": "eks.amazonaws.com"
- }
- }
- }
- ]
-}
diff --git a/modules/managed-cloud/files/bootstrap_role_iam_policy_runtime.json.tpl b/modules/managed-cloud/files/bootstrap_role_iam_policy_runtime.json.tpl
deleted file mode 100644
index 0762b37..0000000
--- a/modules/managed-cloud/files/bootstrap_role_iam_policy_runtime.json.tpl
+++ /dev/null
@@ -1,297 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "UnResAccessRO",
- "Effect": "Allow",
- "Action": [
- "acm:ImportCertificate",
- "acm:ListCertificates",
- "acm:ListTagsForCertificate",
- "autoscaling:Describe*",
- "ec2:Describe*",
- "ec2:Get*",
- "eks:Describe*",
- "eks:List*",
- "iam:GetInstanceProfile",
- "iam:GetOpenIDConnectProvider",
- "iam:GetPolicy",
- "iam:GetPolicyVersion",
- "iam:GetRole",
- "iam:List*",
- "kms:DescribeKey",
- "kms:GetKeyPolicy",
- "kms:GetKeyRotationStatus",
- "kms:ListAliases",
- "kms:ListResourceTags",
- "logs:Describe*",
- "logs:List*",
- "route53:GetChange",
- "route53:GetHostedZone",
- "route53:ListHostedZones",
- "route53:ListTagsForResource",
- "s3:ListAllMyBuckets",
- "s3:ListBucket"
- ],
- "Resource": "*"
- },
- {
- "Sid": "PEMBResRW",
- "Effect": "Allow",
- "Action": [
- "iam:AttachRolePolicy"
- ],
- "Resource": "arn:${partition}:iam::${account_id}:role/StreamNative/*"
- },
- {
- "Sid": "SecGroupVPC",
- "Effect": "Allow",
- "Action": [
- "ec2:AuthorizeSecurityGroup*",
- "ec2:RevokeSecurityGroup*"
- ],
- "Resource": "*",
- "Condition": {
- "StringEquals": {
- "aws:ResourceTag/Vendor": "StreamNative"
- }
- }
- },
- {
- "Sid": "RunInst",
- "Effect": "Allow",
- "Action": [
- "ec2:RunInstances"
- ],
- "Resource": "*",
- "Condition": {
- "ArnLikeIfExists": {
- "ec2:Vpc": ${vpc_ids}
- }
- }
- },
- {
- "Sid": "UnResAccessRW",
- "Effect": "Allow",
- "Action": [
- "kms:CreateAlias",
- "kms:DeleteAlias",
- "kms:ScheduleKeyDeletion",
- "logs:CreateLogGroup",
- "logs:PutRetentionPolicy",
- "route53:CreateHostedZone",
- "route53:ChangeTagsForResource"
- ],
- "Resource": "*"
- },
- {
- "Sid": "ResBasedRest",
- "Effect": "Allow",
- "Action": [
- "eks:DeleteNodeGroup",
- "iam:DeletePolicy",
- "iam:DeletePolicyVersion"
- ],
- "Resource": [
- "arn:${partition}:eks:${region}:${account_id}:nodegroup/*/${nodepool_pattern}/*",
- "arn:${partition}:iam::${account_id}:policy/StreamNative/*"
- ]
- },
- {
- "Sid": "AllowTagSNASG",
- "Effect": "Allow",
- "Action": [
- "autoscaling:CreateOrUpdateTags",
- "eks:TagResource"
- ],
- "Resource": "*",
- "Condition": {
- "StringLike": {
- "aws:RequestTag/cluster-name": "${cluster_pattern}"
- }
- }
- },
- {
- "Sid": "ReqReqTag",
- "Effect": "Allow",
- "Action": [
- "acm:AddTagsToCertificate",
- "acm:ImportCertificate",
- "acm:RemoveTagsFromCertificate",
- "acm:RequestCertificate",
- "autoscaling:Create*",
- "ec2:*TransitGateway*",
- "ec2:AllocateAddress",
- "ec2:Create*",
- "eks:Create*",
- "eks:RegisterCluster",
- "eks:TagResource",
- "kms:CreateKey",
- "kms:TagResource"
- ],
- "Resource": "*",
- "Condition": {
- "StringEquals": {
- "aws:RequestTag/Vendor": "StreamNative"
- }
- }
- },
- {
- "Sid": "ReqResTag",
- "Effect": "Allow",
- "Action": [
- "acm:DeleteCertificate",
- "acm:DescribeCertificate",
- "acm:ExportCertificate",
- "acm:GetCertificate",
- "acm:ImportCertificate",
- "acm:RemoveTagsFromCertificate",
- "acm:ResendValidationEmail",
- "autoscaling:AttachInstances",
- "autoscaling:CreateOrUpdateTags",
- "autoscaling:Delete*",
- "autoscaling:Detach*",
- "autoscaling:Update*",
- "autoscaling:Resume*",
- "autoscaling:Suspend*",
- "autoscaling:SetDesired*",
- "ec2:AssignPrivateIpAddresses",
- "ec2:Associate*",
- "ec2:AttachInternetGateway",
- "ec2:CreateLaunchTemplateVersion",
- "ec2:CreateNatGateway",
- "ec2:CreateNetworkInterface",
- "ec2:CreateRoute",
- "ec2:CreateRouteTable",
- "ec2:CreateSecurityGroup",
- "ec2:CreateSubnet",
- "ec2:CreateTags",
- "ec2:CreateVpcEndpoint",
- "ec2:Delete*",
- "ec2:Detach*",
- "ec2:Disassociate*",
- "ec2:Modify*",
- "ec2:Release*",
- "ec2:Revoke*",
- "ec2:TerminateInstances",
- "ec2:*TransitGateway*",
- "ec2:Update*",
- "eks:DeleteAddon",
- "eks:DeleteCluster",
- "eks:DeleteFargateProfile",
- "eks:DeregisterCluster",
- "eks:DisassociateIdentityProviderConfig",
- "eks:U*",
- "elasticloadbalancing:*Listener",
- "elasticloadbalancing:*LoadBalancer*",
- "elasticloadbalancing:*Rule",
- "elasticloadbalancing:*TargetGroup",
- "elasticloadbalancing:Set*",
- "logs:DeleteLogGroup",
- "logs:PutRetentionPolicy"
- ],
- "Resource": "*",
- "Condition": {
- "StringEquals": {
- "aws:ResourceTag/Vendor": "StreamNative"
- }
- }
- },
- {
- "Sid": "RestrictS3Access",
- "Effect": "Allow",
- "Action":[
- "s3:CreateBucket",
- "s3:DeleteBucket",
- "s3:Get*",
- "s3:List*",
- "s3:PutBucket*",
- "s3:PutObject*",
- "s3:PutLifecycle*",
- "s3:PutAccelerateConfiguration",
- "s3:PutAccessPointPolicy",
- "s3:PutAccountPublicAccessBlock",
- "s3:PutAnalyticsConfiguration",
- "s3:DeleteBucket*",
- "s3:DeleteObject*",
- "s3:DeleteLifecycle*"
- ],
- "Resource": [
- "arn:${partition}:s3:::${bucket_pattern}",
- "arn:${partition}:s3:::${bucket_pattern}/*"
- ]
- },
- {
- "Sid": "IamRequireRequestTag",
- "Effect": "Allow",
- "Action": [
- "iam:CreateRole",
- "iam:CreateOpenIDConnectProvider",
- "iam:TagPolicy",
- "iam:TagRole",
- "iam:TagInstanceProfile",
- "iam:TagOpenIDConnectProvider"
- ],
- "Resource": [
- "arn:${partition}:iam::${account_id}:role/StreamNative/*",
- "arn:${partition}:iam::${account_id}:policy/StreamNative/*",
- "arn:${partition}:iam::${account_id}:oidc-provider/*"
- ],
- "Condition": {
- "StringEquals": {
- "aws:RequestTag/Vendor": "StreamNative"
- }
- }
- },
- {
- "Sid": "IamRequireResourceTag",
- "Effect": "Allow",
- "Action": [
- "iam:AddRoleToInstanceProfile",
- "iam:DeleteInstanceProfile",
- "iam:DeleteOpenIDConnectProvider",
- "iam:DeleteRole",
- "iam:DeleteServiceLinkedRole",
- "iam:DetachRolePolicy",
- "iam:PutRolePermissionsBoundary",
- "iam:RemoveRoleFromInstanceProfile",
- "iam:SetDefaultPolicyVersion",
- "iam:UpdateAssumeRolePolicy",
- "iam:UpdateOpenIDConnectProviderThumbprint",
- "iam:UpdateRole",
- "iam:UpdateRoleDescription"
- ],
- "Resource": [
- "arn:${partition}:iam::${account_id}:role/StreamNative/*",
- "arn:${partition}:iam::${account_id}:policy/StreamNative/*",
- "arn:${partition}:iam::${account_id}:oidc-provider/*"
- ],
- "Condition": {
- "StringEquals": {
- "aws:ResourceTag/Vendor": "StreamNative"
- }
- }
- },
- {
- "Sid": "AllowAWSServiceRoleCreation",
- "Effect": "Allow",
- "Action": "iam:CreateServiceLinkedRole",
- "Resource": "arn:${partition}:iam::${account_id}:role/aws-service-role/*"
- },
- {
- "Sid": "RestrictPassRoleToEKS",
- "Effect": "Allow",
- "Action": [
- "iam:PassRole"
- ],
- "Resource": [
- "arn:${partition}:iam::${account_id}:role/StreamNative/*"
- ],
- "Condition": {
- "StringEquals": {
- "iam:PassedToService": "eks.amazonaws.com"
- }
- }
- }
- ]
-}
diff --git a/modules/managed-cloud/files/management_role_iam_policy.json.tpl b/modules/managed-cloud/files/management_role_iam_policy.json.tpl
deleted file mode 100644
index aa24df4..0000000
--- a/modules/managed-cloud/files/management_role_iam_policy.json.tpl
+++ /dev/null
@@ -1,140 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "AllowedServices",
- "Effect": "Allow",
- "Action": [
- "acm:List*",
- "acm:ImportCertificate",
- "cloudwatch:Describe*",
- "cloudwatch:List*",
- "cloudwatch:Get*",
- "logs:Describe*",
- "logs:List*",
- "logs:Filter*",
- "logs:StartQuery",
- "logs:StopQuery",
- "route53:Get*",
- "route53:List*"
- ],
- "Resource": "*"
- },
- {
- "Sid": "AllowedIAMReadActions",
- "Effect": "Allow",
- "Action": [
- "iam:GetPolicy*",
- "iam:GetRole*",
- "iam:ListRole*",
- "iam:ListPolic*"
- ],
- "Resource": [
- "arn:${partition}:iam::${account_id}:role/StreamNative/*",
- "arn:${partition}:iam::${account_id}:policy/StreamNative/*",
- "arn:${partition}:iam::aws:policy/*"
- ]
- },
- {
- "Sid": "IamRequireRequestTag",
- "Effect": "Allow",
- "Action": [
- "iam:CreateRole",
- "iam:TagRole"
- ],
- "Resource": [
- "arn:${partition}:iam::${account_id}:role/StreamNative/*"
- ],
- "Condition": {
- "StringEqualsIgnoreCase": {
- "aws:RequestTag/Vendor": "StreamNative"
- }
- }
- },
- {
- "Sid": "IamAttach",
- "Effect": "Allow",
- "Action": [
- "iam:AttachRolePolicy"
- ],
- "Resource": "arn:${partition}:iam::${account_id}:role/StreamNative/*",
- "Condition": {
- "ArnEquals": {
- "iam:PolicyARN": [
- "arn:${partition}:iam::${account_id}:policy/StreamNative/StreamNativeCloudManagementPolicy"
- ]
- }
- }
- },
- {
- "Sid": "IamRequireResourceTag",
- "Effect": "Allow",
- "Action": [
- "iam:DeleteRole",
- "iam:DetachRolePolicy",
- "iam:PutRolePermissionsBoundary",
- "iam:SetDefaultPolicyVersion",
- "iam:UpdateAssumeRolePolicy",
- "iam:UpdateRole",
- "iam:UpdateRoleDescription"
- ],
- "Resource": [
- "arn:${partition}:iam::${account_id}:role/StreamNative/*",
- "arn:${partition}:iam::${account_id}:policy/StreamNative/*"
- ],
- "Condition": {
- "StringEqualsIgnoreCase": {
- "aws:ResourceTag/Vendor": "StreamNative"
- }
- }
- },
- {
- "Sid": "RequireResourceTag",
- "Effect": "Allow",
- "Action": [
- "acm:DeleteCertificate",
- "acm:DescribeCertificate",
- "acm:GetCertificate",
- "autoscaling:CancelInstanceRefresh",
- "autoscaling:Describe*",
- "autoscaling:PutScalingPolicy",
- "autoscaling:ResumeProcesses",
- "autoscaling:SetDesiredCapacity",
- "autoscaling:StartInstanceRefresh",
- "autoscaling:SuspendProcesses",
- "autoscaling:UpdateAutoScalingGroup",
- "ec2:Describe*",
- "ec2:Get*",
- "eks:Describe*",
- "eks:List*",
- "eks:UpdateNodegroupConfig",
- "eks:UpdateNodegroupVersion",
- "elasticloadbalancing:Describe*"
- ],
- "Resource": [
- "*"
- ],
- "Condition": {
- "StringEqualsIgnoreCase": {
- "aws:ResourceTag/Vendor": "StreamNative"
- }
- }
- },
- {
- "Sid": "RequireRequestTag",
- "Effect": "Allow",
- "Action": [
- "acm:AddTagsToCertificate",
- "acm:ImportCertificate"
- ],
- "Resource": [
- "*"
- ],
- "Condition": {
- "StringEqualsIgnoreCase": {
- "aws:RequestTag/Vendor": "StreamNative"
- }
- }
- }
- ]
-}
diff --git a/modules/managed-cloud/files/permission_boundary_iam_policy.json.tpl b/modules/managed-cloud/files/permission_boundary_iam_policy.json.tpl
deleted file mode 100644
index 50b4aca..0000000
--- a/modules/managed-cloud/files/permission_boundary_iam_policy.json.tpl
+++ /dev/null
@@ -1,145 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "AllowedServices",
- "Effect": "Allow",
- "Action": [
- "acm:*",
- "autoscaling:*",
- "cognito-idp:*",
- "dynamodb:*",
- "ec2:*",
- "ecr:*",
- "eks:*",
- "elasticloadbalancing:*",
- "iam:GetInstanceProfile",
- "iam:GetOpenIDConnectProvider",
- "iam:GetPolicy",
- "iam:GetPolicyVersion",
- "iam:GetRole",
- "iam:GetServerCertificate",
- "iam:ListAttachedRolePolicies",
- "iam:ListEntitiesForPolicy",
- "iam:ListInstanceProfile*",
- "iam:ListOpenIDConnectProvider*",
- "iam:ListPolicies",
- "iam:ListPolicyTags",
- "iam:ListPolicyVersions",
- "iam:ListRole*",
- "iam:ListServerCertificates",
- "kms:*",
- "logs:*",
- "route53:*",
- "s3:*",
- "shield:*",
- "sts:*",
- "waf-regional:*",
- "wafv2:*"
- ],
- "Resource": "*"
- },
- {
- "Sid": "IamRestrictions",
- "Effect": "Allow",
- "Action": [
- "iam:AddRoleToInstanceProfile",
- "iam:CreateOpenIDConnectProvider",
- "iam:CreatePolicy",
- "iam:CreatePolicyVersion",
- "iam:CreateRole",
- "iam:CreateServiceLinkedRole",
- "iam:DeleteInstanceProfile",
- "iam:DeleteOpenIDConnectProvider",
- "iam:DeletePolicy",
- "iam:DeletePolicyVersion",
- "iam:DeleteRole",
- "iam:DeleteServiceLinkedRole",
- "iam:DetachRolePolicy",
- "iam:PassRole",
- "iam:PutRolePermissionsBoundary",
- "iam:RemoveRoleFromInstanceProfile",
- "iam:SetDefaultPolicyVersion",
- "iam:TagInstanceProfile",
- "iam:TagOpenIDConnectProvider",
- "iam:TagPolicy",
- "iam:TagRole",
- "iam:UpdateAssumeRolePolicy",
- "iam:UpdateOpenIDConnectProviderThumbprint",
- "iam:UpdateRole",
- "iam:UpdateRoleDescription"
- ],
- "Resource": [
- "arn:${partition}:iam::aws:policy/*",
- "arn:${partition}:iam::${account_id}:role/aws-service-role/*",
- "arn:${partition}:iam::${account_id}:role/StreamNative/*",
- "arn:${partition}:iam::${account_id}:policy/StreamNative/*",
- "arn:${partition}:iam::${account_id}:oidc-provider/*",
- "arn:${partition}:iam::${account_id}:instance-profile/*",
- "arn:${partition}:iam::${account_id}:server-certificate/*"
- ]
- },
- {
- "Sid": "RestrictPassRoleToEKS",
- "Effect": "Allow",
- "Action": [
- "iam:PassRole"
- ],
- "Resource": "arn:${partition}:iam::${account_id}:role/StreamNative/*",
- "Condition": {
- "StringEquals": {
- "iam:PassedToService": "eks.amazonaws.com"
- }
- }
- },
- {
- "Sid": "AllowedIAMManagedPolicies",
- "Effect": "Allow",
- "Action": [
- "iam:AttachRolePolicy"
- ],
- "Resource": "arn:${partition}:iam::${account_id}:role/StreamNative/*",
- "Condition": {
- "ForAnyValue:ArnLike": {
- "iam:PolicyARN": [ ${allowed_iam_policies} ]
- }
- }
- },
- {
- "Sid": "RequirePermissionBoundaryForIamRoles",
- "Effect": "Allow",
- "Action": [
- "iam:CreateRole"
- ],
- "Resource": "arn:${partition}:iam::${account_id}:role/StreamNative/*",
- "Condition": {
- "StringEqualsIgnoreCase": {
- "aws:ResourceTag/Vendor": "StreamNative",
- "iam:PermissionsBoundary": "arn:${partition}:iam:::policy/StreamNative/StreamNativeCloudPermissionBoundary"
- }
- }
- },
- {
- "Sid": "RestrictChangesToVendorAccess",
- "Effect": "Deny",
- "Action": [
- "iam:Create*",
- "iam:Delete*",
- "iam:Put",
- "iam:Tag*",
- "iam:Untag*",
- "iam:Update*",
- "iam:Set*"
- ],
- "Resource": [
- "arn:${partition}:iam:::policy/StreamNative/StreamNativeCloudBootstrapPolicy",
- "arn:${partition}:iam:::policy/StreamNative/StreamNativeCloudLBPolicy",
- "arn:${partition}:iam:::policy/StreamNative/StreamNativeCloudManagementPolicy",
- "arn:${partition}:iam:::policy/StreamNative/StreamNativeCloudPermissionBoundary",
- "arn:${partition}:iam:::policy/StreamNative/StreamNativeCloudRuntimePolicy",
- "arn:${partition}:iam::${account_id}:role/StreamNative/StreamNativeBootstrapRole",
- "arn:${partition}:iam::${account_id}:role/StreamNative/StreamNativeManagementRole"
- ]
- }
- ]
-}
diff --git a/modules/managed-cloud/files/permission_boundary_iam_policy_runtime.json.tpl b/modules/managed-cloud/files/permission_boundary_iam_policy_runtime.json.tpl
deleted file mode 100644
index 613e8af..0000000
--- a/modules/managed-cloud/files/permission_boundary_iam_policy_runtime.json.tpl
+++ /dev/null
@@ -1,143 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "AllowedServices",
- "Effect": "Allow",
- "Action": [
- "acm:*",
- "autoscaling:*",
- "cognito-idp:*",
- "dynamodb:*",
- "ec2:*",
- "ecr:*",
- "eks:*",
- "elasticloadbalancing:*",
- "iam:GetInstanceProfile",
- "iam:GetOpenIDConnectProvider",
- "iam:GetPolicy",
- "iam:GetPolicyVersion",
- "iam:GetRole",
- "iam:GetServerCertificate",
- "iam:ListAttachedRolePolicies",
- "iam:ListEntitiesForPolicy",
- "iam:ListInstanceProfile*",
- "iam:ListOpenIDConnectProvider*",
- "iam:ListPolicies",
- "iam:ListPolicyTags",
- "iam:ListPolicyVersions",
- "iam:ListRole*",
- "iam:ListServerCertificates",
- "kms:*",
- "logs:*",
- "route53:*",
- "s3:*",
- "shield:*",
- "sts:*",
- "waf-regional:*",
- "wafv2:*"
- ],
- "Resource": "*"
- },
- {
- "Sid": "IamRestrictions",
- "Effect": "Allow",
- "Action": [
- "iam:AddRoleToInstanceProfile",
- "iam:CreateOpenIDConnectProvider",
- "iam:CreateRole",
- "iam:CreateServiceLinkedRole",
- "iam:DeleteInstanceProfile",
- "iam:DeleteOpenIDConnectProvider",
- "iam:DeletePolicy",
- "iam:DeletePolicyVersion",
- "iam:DeleteRole",
- "iam:DeleteServiceLinkedRole",
- "iam:DetachRolePolicy",
- "iam:PassRole",
- "iam:PutRolePermissionsBoundary",
- "iam:RemoveRoleFromInstanceProfile",
- "iam:SetDefaultPolicyVersion",
- "iam:TagInstanceProfile",
- "iam:TagOpenIDConnectProvider",
- "iam:TagPolicy",
- "iam:TagRole",
- "iam:UpdateAssumeRolePolicy",
- "iam:UpdateOpenIDConnectProviderThumbprint",
- "iam:UpdateRole",
- "iam:UpdateRoleDescription"
- ],
- "Resource": [
- "arn:${partition}:iam::aws:policy/*",
- "arn:${partition}:iam::${account_id}:role/aws-service-role/*",
- "arn:${partition}:iam::${account_id}:role/StreamNative/*",
- "arn:${partition}:iam::${account_id}:policy/StreamNative/*",
- "arn:${partition}:iam::${account_id}:oidc-provider/*",
- "arn:${partition}:iam::${account_id}:instance-profile/*",
- "arn:${partition}:iam::${account_id}:server-certificate/*"
- ]
- },
- {
- "Sid": "RestrictPassRoleToEKS",
- "Effect": "Allow",
- "Action": [
- "iam:PassRole"
- ],
- "Resource": "arn:${partition}:iam::${account_id}:role/StreamNative/*",
- "Condition": {
- "StringEquals": {
- "iam:PassedToService": "eks.amazonaws.com"
- }
- }
- },
- {
- "Sid": "AllowedIAMManagedPolicies",
- "Effect": "Allow",
- "Action": [
- "iam:AttachRolePolicy"
- ],
- "Resource": "arn:${partition}:iam::${account_id}:role/StreamNative/*",
- "Condition": {
- "ForAnyValue:ArnLike": {
- "iam:PolicyARN": [ ${allowed_iam_policies} ]
- }
- }
- },
- {
- "Sid": "RequirePermissionBoundaryForIamRoles",
- "Effect": "Allow",
- "Action": [
- "iam:CreateRole"
- ],
- "Resource": "arn:${partition}:iam::${account_id}:role/StreamNative/*",
- "Condition": {
- "StringEqualsIgnoreCase": {
- "aws:ResourceTag/Vendor": "StreamNative",
- "iam:PermissionsBoundary": "arn:${partition}:iam:::policy/StreamNative/StreamNativeCloudPermissionBoundary"
- }
- }
- },
- {
- "Sid": "RestrictChangesToVendorAccess",
- "Effect": "Deny",
- "Action": [
- "iam:Create*",
- "iam:Delete*",
- "iam:Put",
- "iam:Tag*",
- "iam:Untag*",
- "iam:Update*",
- "iam:Set*"
- ],
- "Resource": [
- "arn:${partition}:iam:::policy/StreamNative/StreamNativeCloudBootstrapPolicy",
- "arn:${partition}:iam:::policy/StreamNative/StreamNativeCloudLBPolicy",
- "arn:${partition}:iam:::policy/StreamNative/StreamNativeCloudManagementPolicy",
- "arn:${partition}:iam:::policy/StreamNative/StreamNativeCloudPermissionBoundary",
- "arn:${partition}:iam:::policy/StreamNative/StreamNativeCloudRuntimePolicy",
- "arn:${partition}:iam::${account_id}:role/StreamNative/StreamNativeBootstrapRole",
- "arn:${partition}:iam::${account_id}:role/StreamNative/StreamNativeManagementRole"
- ]
- }
- ]
-}
diff --git a/modules/managed-cloud/main.tf b/modules/managed-cloud/main.tf
deleted file mode 100644
index 5a55357..0000000
--- a/modules/managed-cloud/main.tf
+++ /dev/null
@@ -1,434 +0,0 @@ -# -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, -# software distributed under the License is distributed on an -# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -# KIND, either express or implied. See the License for the -# specific language governing permissions and limitations -# under the License. -# - -data "aws_caller_identity" "current" {} - -data "aws_iam_policy_document" "streamnative_vendor_access" { - statement { - effect = "Allow" - actions = ["sts:AssumeRole"] - - principals { - type = "AWS" - identifiers = var.streamnative_vendor_access_role_arns - } - } -} - -locals { - account_id = data.aws_caller_identity.current.account_id - external_id = (var.external_id != "" ? [ - { test : "StringEquals", variable : "sts:ExternalId", values : [var.external_id] } - ] : []) - source_identity = (length(var.source_identities) > 0 ? [ - { test : var.source_identity_test, variable : "sts:SourceIdentity", values : var.source_identities } - ] : []) - assume_conditions = concat(local.external_id, local.source_identity) - bootstrap_policy_path = var.use_runtime_policy ? "${path.module}/files/bootstrap_role_iam_policy_runtime.json.tpl" : "${path.module}/files/bootstrap_role_iam_policy.json.tpl" - perm_boundary_policy_path = var.use_runtime_policy ? 
"${path.module}/files/permission_boundary_iam_policy_runtime.json.tpl" : "${path.module}/files/permission_boundary_iam_policy.json.tpl" - arn_like_vpcs = formatlist("\"arn:%s:ec2:%s:%s:vpc/%s\"", var.partition, var.region, local.account_id, var.runtime_vpc_allowed_ids) - arn_like_vpcs_str = format("[%s]", join(",", local.arn_like_vpcs)) - tag_set = merge({ Vendor = "StreamNative", SNVersion = var.sn_policy_version }, var.tags) - - additional_iam_policy_arns = distinct(compact(var.additional_iam_policy_arns)) - default_allowed_iam_policies = compact([ - "arn:${var.partition}:iam::${local.account_id}:policy/StreamNative/*", - "arn:${var.partition}:iam::aws:policy/AmazonEKSClusterPolicy", - "arn:${var.partition}:iam::aws:policy/AmazonEKSServicePolicy", - "arn:${var.partition}:iam::aws:policy/AmazonEKSVPCResourceController", - "arn:${var.partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy", - "arn:${var.partition}:iam::aws:policy/AmazonEKS_CNI_Policy", - "arn:${var.partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly", - "arn:${var.partition}:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy" - ]) - allowed_iam_policies = join(", ", formatlist("\"%s\"", distinct(concat(local.additional_iam_policy_arns, local.default_allowed_iam_policies)))) - -} - -data "aws_iam_policy_document" "streamnative_control_plane_access" { - statement { - sid = "AllowStreamNativeVendorAccess" - effect = "Allow" - actions = ["sts:AssumeRole"] - - principals { - type = "AWS" - identifiers = var.streamnative_vendor_access_role_arns - } - dynamic "condition" { - for_each = local.assume_conditions - content { - test = condition.value["test"] - values = condition.value["values"] - variable = condition.value["variable"] - } - } - } - - statement { - sid = "AllowStreamNativeControlPlaneAccess" - effect = "Allow" - actions = ["sts:AssumeRoleWithWebIdentity"] - - principals { - type = "Federated" - identifiers = [ - "accounts.google.com" - ] - } - condition { - test = "StringEquals" - 
values = [var.streamnative_google_account_id] - variable = "accounts.google.com:aud" - } - } -} - -###### -#-- Create the IAM Permission Boundary used by all StreamNative -#-- IAM Resources. This restricts what type of access we have -#-- within your AWS Account and is applied to all our IAM Roles -###### -resource "aws_iam_policy" "permission_boundary" { - name = "StreamNativeCloudPermissionBoundary" - description = "This policy sets the permission boundary for StreamNative's vendor access. It defines the limits of what StreamNative can do within this AWS account." - path = "/StreamNative/" - policy = templatefile(local.perm_boundary_policy_path, - { - account_id = local.account_id - allowed_iam_policies = local.allowed_iam_policies - partition = var.partition - region = var.region - }) - tags = local.tag_set -} - -resource "local_file" "permission_boundary_policy" { - count = var.write_policy_files ? 1 : 0 - content = templatefile(local.perm_boundary_policy_path, - { - account_id = local.account_id - allowed_iam_policies = local.allowed_iam_policies - partition = var.partition - region = var.region - }) - filename = "permission_boundary_policy.json" -} - -###### -#-- Create the IAM role for bootstraping of the StreamNative Cloud -#-- This role is only needed for the initial StreamNative Cloud -#-- deployment to an AWS account, or when it is being removed. -###### -resource "aws_iam_role" "bootstrap_role" { - count = var.create_bootstrap_role ? 1 : 0 - name = "StreamNativeCloudBootstrapRole" - description = "This role is used to bootstrap the StreamNative Cloud within the AWS account. It is limited in scope to the attached policy and also the permission boundary." - assume_role_policy = data.aws_iam_policy_document.streamnative_vendor_access.json - path = "/StreamNative/" - permissions_boundary = aws_iam_policy.permission_boundary.arn - tags = local.tag_set -} - -resource "aws_iam_policy" "bootstrap_policy" { - count = var.create_bootstrap_role ? 
1 : 0 - name = "StreamNativeCloudBootstrapPolicy" - description = "This policy sets the minimum amount of permissions needed by the StreamNativeCloudBootstrapRole to bootstrap the StreamNative Cloud deployment." - path = "/StreamNative/" - policy = templatefile(local.bootstrap_policy_path, - { - account_id = local.account_id - region = var.region - vpc_ids = local.arn_like_vpcs_str - bucket_pattern = var.runtime_s3_bucket_pattern - nodepool_pattern = var.runtime_eks_nodepool_pattern - cluster_pattern = var.runtime_eks_cluster_pattern - partition = var.partition - }) - tags = local.tag_set -} - -resource "local_file" "bootstrap_policy" { - count = var.write_policy_files ? 1 : 0 - content = templatefile(local.bootstrap_policy_path, - { - account_id = local.account_id - region = var.region - vpc_ids = local.arn_like_vpcs_str - bucket_pattern = var.runtime_s3_bucket_pattern - nodepool_pattern = var.runtime_eks_nodepool_pattern - cluster_pattern = var.runtime_eks_cluster_pattern - }) - filename = "bootstrap_policy.json" -} - -resource "aws_iam_role_policy_attachment" "bootstrap_policy" { - count = var.create_bootstrap_role ? 1 : 0 - policy_arn = aws_iam_policy.bootstrap_policy[0].arn - role = aws_iam_role.bootstrap_role[0].name -} - -###### -#-- Create the IAM role for the management of the StreamNative Cloud -#-- This role is used by StreamNative for management and troubleshooting -#-- of the managed deployment. -###### -resource "aws_iam_policy" "management_role" { - name = "StreamNativeCloudManagementPolicy" - description = "This policy sets the limits for the management role needed for StreamNative's vendor access." - path = "/StreamNative/" - policy = templatefile("${path.module}/files/management_role_iam_policy.json.tpl", - { - account_id = data.aws_caller_identity.current.account_id - partition = var.partition - region = var.region - }) - tags = local.tag_set -} - -resource "local_file" "management_policy" { - count = var.write_policy_files ? 
1 : 0 - content = templatefile("${path.module}/files/management_role_iam_policy.json.tpl", - { - account_id = data.aws_caller_identity.current.account_id - region = var.region - partition = var.partition - }) - filename = "management_policy.json" -} - -resource "aws_iam_role" "management_role" { - name = "StreamNativeCloudManagementRole" - description = "This role is used by StreamNative for the day to day management of the StreamNative Cloud deployment." - assume_role_policy = data.aws_iam_policy_document.streamnative_control_plane_access.json - path = "/StreamNative/" - permissions_boundary = aws_iam_policy.permission_boundary.arn - tags = local.tag_set -} - -resource "aws_iam_role_policy_attachment" "management_role" { - policy_arn = aws_iam_policy.management_role.arn - role = aws_iam_role.management_role.name -} - -###### -#-- Creates the IAM Policies used by EKS Cluster add-on services -###### -data "aws_ebs_default_kms_key" "current" {} -data "aws_kms_key" "default_ebs" { - key_id = data.aws_ebs_default_kms_key.current.key_arn -} - -locals { - kms_key_arns = length(var.runtime_ebs_kms_key_arns) > 0 ? 
var.runtime_ebs_kms_key_arns : [ - data.aws_kms_key.default_ebs.arn - ] -} - -data "aws_iam_policy_document" "runtime_policy" { - statement { - sid = "ro" - effect = "Allow" - actions = [ - "autoscaling:Describe*", - "ec2:DescribeSnapshots", - "ec2:DescribeTags", - "ec2:DescribeVolumes", - "ec2:DescribeVolumesModifications", - "route53:GetChange", - "route53:ListHostedZones*", - "route53:ListTagsForResource", - "route53:ListResourceRecordSets", - "route53:ListHostedZones", - "secretsmanager:ListSecrets" - ] - resources = ["*"] - } - - statement { - sid = "r53sc" - effect = "Allow" - actions = [ - "route53:ChangeResourceRecordSets" - ] - resources = var.runtime_hosted_zone_allowed_ids - } - - statement { - sid = "asg" - effect = "Allow" - actions = [ - "autoscaling:UpdateAutoScalingGroup", - "autoscaling:TerminateInstanceInAutoScalingGroup", - "autoscaling:SetDesiredCapacity" - ] - resources = ["*"] - condition { - test = "StringLike" - variable = "autoscaling:ResourceTag/eks:cluster-name" - values = [var.runtime_eks_cluster_pattern] - } - } - statement { - sid = "csik1" - effect = "Allow" - actions = [ - "kms:RevokeGrant", - "kms:ListGrants", - "kms:CreateGrant" - ] - resources = local.kms_key_arns - condition { - test = "Bool" - values = ["true"] - variable = "kms:GrantIsForAWSResource" - } - } - statement { - sid = "csik2" - effect = "Allow" - actions = [ - "kms:ReEncrypt*", - "kms:GenerateDataKey*", - "kms:Encrypt", - "kms:DescribeKey", - "kms:Decrypt" - ] - resources = local.kms_key_arns - } - statement { - sid = "s3b" - effect = "Allow" - actions = [ - "s3:ListBucket", - "s3:ListMultipart*", - ] - resources = ["arn:${var.partition}:s3:::${var.runtime_s3_bucket_pattern}"] - } - statement { - sid = "s3o" - effect = "Allow" - actions = [ - "s3:*Object", - "s3:*Multipart*" - ] - resources = local.kms_key_arns - } - statement { - sid = "vbc" - effect = "Allow" - actions = [ - "ec2:CreateVolume", - "ec2:CreateSnapshot" - ] - condition { - test = "StringLike" - 
values = ["owned"] - variable = "aws:RequestTag/kubernetes.io/cluster/${var.runtime_eks_cluster_pattern}" - } - resources = ["*"] - } - statement { - sid = "vbt" - effect = "Allow" - actions = [ - "ec2:CreateTags" - ] - condition { - test = "StringEquals" - values = ["CreateVolume", "CreateSnapshot"] - variable = "ec2:CreateAction" - } - resources = [ - "arn:${var.partition}:ec2:*:*:volume/*", - "arn:${var.partition}:ec2:*:*:snapshot/*" - ] - } - statement { - sid = "vbd" - effect = "Allow" - actions = [ - "ec2:DeleteSnapshot" - ] - condition { - test = "StringLike" - values = ["owned"] - variable = "aws:ResourceTag/kubernetes.io/cluster/${var.runtime_eks_cluster_pattern}" - } - resources = ["*"] - } - dynamic "statement" { - for_each = var.runtime_enable_secretsmanager ? [1] : [] - - content { - sid = "sm" - effect = "Allow" - actions = [ - "secretsmanager:ListSecretVersionIds", - "secretsmanager:GetSecretValue", - "secretsmanager:GetResourcePolicy", - "secretsmanager:DescribeSecret" - ] - condition { - test = "StringEquals" - values = ["StreamNative"] - variable = "aws:ResourceTag/Vendor" - } - resources = ["*"] - } - } -} - -resource "aws_iam_policy" "runtime_policy" { - count = var.use_runtime_policy ? 1 : 0 - name = "StreamNativeCloudRuntimePolicy" - description = "This policy defines almost all used by StreamNative cluster components" - path = "/StreamNative/" - policy = data.aws_iam_policy_document.runtime_policy.json - tags = local.tag_set -} - -resource "aws_iam_policy" "alb_policy" { - count = var.use_runtime_policy ? 
1 : 0 - name = "StreamNativeCloudLBPolicy" - description = "The AWS policy as defined by https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.4.1/docs/install/iam_policy.json" - path = "/StreamNative/" - policy = templatefile("${path.module}/files/aws_lb_controller.json.tpl", - { - vpc_ids = local.arn_like_vpcs_str - partition = var.partition - }) - tags = local.tag_set -} - -resource "local_file" "runtime_policy" { - count = var.write_policy_files ? 1 : 0 - content = data.aws_iam_policy_document.runtime_policy.json - filename = "runtime_policy.json" -} - -resource "local_file" "alb_policy" { - count = var.write_policy_files ? 1 : 0 - content = templatefile("${path.module}/files/aws_lb_controller.json.tpl", - { - vpc_ids = local.arn_like_vpcs_str - partition = var.partition - }) - filename = "alb_policy.json" -} diff --git a/modules/managed-cloud/outputs.tf b/modules/managed-cloud/outputs.tf deleted file mode 100644 index ef50a18..0000000 --- a/modules/managed-cloud/outputs.tf +++ /dev/null 
@@ -1,43 +0,0 @@ -# -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, -# software distributed under the License is distributed on an -# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -# KIND, either express or implied. See the License for the -# specific language governing permissions and limitations -# under the License. -# - -output "bootstrap_role_arn" { - value = join("", aws_iam_role.bootstrap_role.*.arn) - description = "The ARN of the Bootstrap role, if enabled" -} - -output "management_role_arn" { - value = aws_iam_role.management_role.arn - description = "The ARN of the Management Role" -} - -output "runtime_policy_arn" { - value = join("", aws_iam_policy.runtime_policy.*.arn) - description = "The ARN of the Runtime Policy, if enabled" -} - -output "aws_lbc_policy_arn" { - value = join("", aws_iam_policy.alb_policy.*.arn) - description = "The ARN of the AWS Load Balancer Controller Policy, if enabled" -} - -output "permission_boundary_policy_arn" { - value = aws_iam_policy.permission_boundary.arn - description = "The ARN of the Permssion Boundary Policy" -} diff --git a/modules/managed-cloud/variables.tf b/modules/managed-cloud/variables.tf deleted file mode 100644 index f5ec390..0000000 --- a/modules/managed-cloud/variables.tf +++ /dev/null 
@@ -1,143 +0,0 @@ -# -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, -# software distributed under the License is distributed on an -# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -# KIND, either express or implied. See the License for the -# specific language governing permissions and limitations -# under the License. -# - -variable "additional_iam_policy_arns" { - default = [] - description = "Provide a list of additional IAM policy arns allowed for use with iam:AttachRolePolicy, defined in the StreamNativePermissionBoundary." - type = list(string) -} - -variable "create_bootstrap_role" { - default = true - description = "Whether or not to create the bootstrap role, which is used by StreamNative for the initial deployment of the StreamNative Cloud" - type = string - -} - -variable "partition" { - default = "aws" - description = "AWS partition: 'aws', 'aws-cn', or 'aws-us-gov', used when constructing IRSA trust relationship policies." - type = string -} - -variable "region" { - default = "*" - description = "The AWS region where your instance of StreamNative Cloud is deployed. Defaults to all regions \"*\"" - type = string -} - -variable "external_id" { - default = "" - description = "The external ID, provided by StreamNative, which is used for all assume role calls. If not provided, no check for external_id is added. 
(NOTE: a future version will force the passing of this parameter)" - type = string -} - -variable "source_identities" { - default = [] - description = "Place an additional constraint on source identity, disabled by default and only to be used if specified by StreamNative" - type = list(any) -} - -variable "source_identity_test" { - default = "ForAnyValue:StringLike" - description = "The test to use for source identity" - type = string -} - -variable "streamnative_google_account_id" { - default = "108050666045451143798" - description = "The Google Cloud service account ID used by StreamNative for Control Plane operations" - type = string -} - - -variable "streamnative_vendor_access_role_arns" { - default = ["arn:aws:iam::311022431024:role/cloud-manager"] - description = "A list ARNs provided by StreamNative that enable us to work with the Vendor Access Roles created by this module (StreamNativeCloudBootstrapRole, StreamNativeCloudManagementRole). This is how StreamNative is granted access into your AWS account, and should typically be the default value." 
- type = list(string) -} - -variable "use_runtime_policy" { - description = "instead of relying on permission boundary use static runtime policies" - default = false - type = bool -} - -variable "runtime_vpc_allowed_ids" { - description = "when using runtime policy, allows for further scoping down policy for allowed VPC" - default = ["*"] - type = list(any) -} - -variable "runtime_hosted_zone_allowed_ids" { - description = "when using runtime policy, allows for further scoping down policy for allowed hosted zones" - default = ["*"] - type = list(any) -} - -variable "runtime_ebs_kms_key_arns" { - description = "when using runtime policy, sets the list of allowed kms key arns, if not set, uses the default ebs kms key" - default = [] - type = list(any) -} - -variable "runtime_enable_secretsmanager" { - description = "when using runtime policy, allows for secretsmanager access" - default = false - type = bool -} - -variable "runtime_eks_cluster_pattern" { - description = "when using runtime policy, defines the eks clsuter prefix for streamnative clusters" - default = "aws*snc" - type = string -} - -variable "runtime_eks_nodepool_pattern" { - description = "when using runtime policy, defines the bucket prefix for streamnative managed buckets (backup and offload)" - default = "snc-*-pool*" - type = string -} - -variable "runtime_s3_bucket_pattern" { - description = "when using runtime policy, defines the bucket prefix for streamnative managed buckets (backup and offload)" - default = "snc-*" - type = string -} - -variable "sn_policy_version" { - default = "2.0" - description = "The value of SNVersion tag" - type = string -} - - - -variable "tags" { - default = {} - description = "Extra tags to apply to the resources created by this module." - type = map(string) -} - - -variable "write_policy_files" { - default = false - description = "Write the policy files locally to disk for debugging and validation" - type = bool -} 
diff --git a/modules/managed-cloud/versions.tf b/modules/managed-cloud/versions.tf deleted file mode 100644 index 3485cf0..0000000 --- a/modules/managed-cloud/versions.tf +++ /dev/null @@ -1,29 +0,0 @@ -# -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, -# software distributed under the License is distributed on an -# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -# KIND, either express or implied. See the License for the -# specific language governing permissions and limitations -# under the License. -# - -terraform { - required_version = ">=1.0.0" - - required_providers { - aws = { - version = ">= 3.61.0" - source = "hashicorp/aws" - } - } -} \ No newline at end of file diff --git a/modules/vault-resources/README.md b/modules/vault-resources/README.md deleted file mode 100644 index db50fca..0000000 --- a/modules/vault-resources/README.md +++ /dev/null 
@@ -1,88 +0,0 @@ -# Hashicorp Vault resources for AWS -This terraform module creates the resources needed for running hashicorp vault on EKS. This includes a dynamodb table, kms key, and the needed IAM resources for IRSA. - -Here is an example usage: - -```hcl -module "aws_vault" { - source = "streamnative/cloud/aws//modules/vault_resources" - - cluster_name = "my-eks-cluster" - oidc_issuer = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B716D3041E" - pulsar_namespace = "my-pulsar-namespace" - service_account_name = "vault" - - tags = { - Project = "MyApp" - Environment = "Prod" - } -} -``` - -## Important! -This module uses EKS IAM Roles for Service Accounts (IRSA). In order for these resources to work properly, there are two requirements: - -1. You must know the name of the Kubernetes Service Account and the Kubernetes Namespace for your Pulsar Workload. These don't need to exist prior to running this Terraform module, but are necessary for configuring the resources created. -2. You must add an annotation to the Service Account so it can be used by IRSA (IAM Role) created in this module. - -The module output includes the AWS ARN for the IAM role created, e.g. `arn:aws:iam:::role/my-eks-cluster-vault-role`. Using that, you can add the oppropriate annotation to the Service Account with `kubectl`: - -```shell -kubectl annotate serviceaccount -n \ -eks.amazonaws.com/role-arn=arn:aws:iam:::role/my-eks-cluster-vault-role -``` - -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >=1.0.0 | -| [aws](#requirement\_aws) | >= 3.61.0 | - -## Providers - -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | >= 3.61.0 | - -## Modules - -No modules. 
- -## Resources - -| Name | Type | -|------|------| -| [aws_dynamodb_table.vault_table](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table) | resource | -| [aws_iam_role.vault](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_kms_alias.vault_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource | -| [aws_kms_key.vault_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | -| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | -| [aws_iam_policy_document.vault_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.vault_sts_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [aws\_partition](#input\_aws\_partition) | AWS partition: 'aws', 'aws-cn', or 'aws-us-gov' | `string` | `"aws"` | no | -| [cluster\_name](#input\_cluster\_name) | The name of your EKS cluster and associated resources | `string` | n/a | yes | -| [dynamo\_billing\_mode](#input\_dynamo\_billing\_mode) | the billing mode for the dynamodb table that will be created | `string` | `"PAY_PER_REQUEST"` | no | -| [dynamo\_provisioned\_capacity](#input\_dynamo\_provisioned\_capacity) | when using "PROVISIONED" billing mode, the specified values will be use for throughput, in all other modes they are ignored |
object({
read = number,
write = number
})
|
{
"read": 10,
"write": 10
}
| no | -| [oidc\_issuer](#input\_oidc\_issuer) | The OIDC issuer for the EKS cluster | `string` | n/a | yes | -| [permissions\_boundary\_arn](#input\_permissions\_boundary\_arn) | If required, provide the ARN of the IAM permissions boundary to use for restricting StreamNative's vendor access. | `string` | `null` | no | -| [pulsar\_namespace](#input\_pulsar\_namespace) | The kubernetes namespace where Pulsar has been deployed. This is required to set the appropriate policy permissions for IRSA, which grants the Kubernetes Service Account for Vault access to use the IAM role | `string` | n/a | yes | -| [service\_account\_name](#input\_service\_account\_name) | The name of the kubernetes service account to by vault. Defaults to "vault" | `string` | `"vault"` | no | -| [tags](#input\_tags) | Tags that will be added to resources | `map(string)` | `{}` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| [dynamo\_table\_arn](#output\_dynamo\_table\_arn) | The arn of the dynamodb table used by Vault | -| [dynamo\_table\_name](#output\_dynamo\_table\_name) | The name of the dynamodb table used by Vault | -| [kms\_key\_alias\_arn](#output\_kms\_key\_alias\_arn) | The arn of the kms key alias used by Vault | -| [kms\_key\_alias\_name](#output\_kms\_key\_alias\_name) | The name of the kms key alias used by Vault | -| [kms\_key\_target\_arn](#output\_kms\_key\_target\_arn) | The arn of the kms key used by Vault | -| [role\_arn](#output\_role\_arn) | The arn of the IAM role used by Vault. This needs to be annotated on the corresponding Kubernetes Service account in order for IRSA to work properly, e.g. "eks.amazonaws.com/role-arn" : "" | -| [role\_name](#output\_role\_name) | The name of the IAM role used by Vault | diff --git a/modules/vault-resources/main.tf b/modules/vault-resources/main.tf deleted file mode 100644 index 9e98f89..0000000 --- a/modules/vault-resources/main.tf +++ /dev/null 
@@ -1,156 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-#
-
-data "aws_caller_identity" "current" {}
-
-resource "aws_dynamodb_table" "vault_table" {
- name = format("%s-vault-table", var.cluster_name)
- billing_mode = var.dynamo_billing_mode
- hash_key = "Path"
- range_key = "Key"
-
- attribute {
- name = "Path"
- type = "S"
- }
- attribute {
- name = "Key"
- type = "S"
- }
-
- write_capacity = var.dynamo_billing_mode == "PROVISIONED" ? var.dynamo_provisioned_capacity.write : 0
- read_capacity = var.dynamo_billing_mode == "PROVISIONED" ? var.dynamo_provisioned_capacity.read : 0
-
- tags = merge({ "Vendor" = "StreamNative" }, var.tags)
-}
-
-resource "aws_kms_key" "vault_key" {
- description = "Key for vault in streamnative pulsar cluster"
- tags = merge({ "Vendor" = "StreamNative" }, var.tags)
-}
-
-resource "aws_kms_alias" "vault_key" {
- name = format("alias/%s-vault-key", var.cluster_name)
- target_key_id = aws_kms_key.vault_key.id
-}
-
-data "aws_iam_policy_document" "vault" {
- statement {
- actions = [
- "dynamodb:List*",
- "dynamodb:DescribeReservedCapacity*",
- "dynamodb:DescribeLimits",
- "dynamodb:DescribeTimeToLive"
- ]
- resources = ["*"]
- }
-
- statement {
- actions = [
- "dynamodb:DescribeLimits",
- "dynamodb:DescribeTimeToLive",
- "dynamodb:ListTagsOfResource",
- "dynamodb:DescribeReservedCapacityOfferings",
- "dynamodb:DescribeReservedCapacity",
- "dynamodb:ListTables",
- "dynamodb:BatchGetItem",
- "dynamodb:BatchWriteItem",
- "dynamodb:CreateTable",
- "dynamodb:DeleteItem",
- "dynamodb:GetItem",
- "dynamodb:GetRecords",
- "dynamodb:PutItem",
- "dynamodb:Query",
- "dynamodb:UpdateItem",
- "dynamodb:Scan",
- "dynamodb:DescribeTable"
- ]
- resources = [aws_dynamodb_table.vault_table.arn]
- }
-
- statement {
- actions = [
- "kms:Encrypt",
- "kms:Decrypt",
- "kms:DescribeKey"
- ]
- resources = [aws_kms_key.vault_key.arn]
- }
-
- statement {
- actions = [
- "sts:GetCallerIdentity"
- ]
- resources = ["*"]
- }
-}
-
-data "aws_iam_policy_document" "vault_sts" {
- statement {
- actions = [
- "sts:AssumeRoleWithWebIdentity"
- ]
- effect = "Allow"
- principals {
- type = "Federated"
- identifiers = [format("arn:%s:iam::%s:oidc-provider/%s", var.aws_partition, data.aws_caller_identity.current.account_id, var.oidc_issuer)]
- }
- condition {
- test = "StringLike"
- values = [format("system:serviceaccount:%s:%s", var.pulsar_namespace, var.service_account_name)]
- variable = format("%s:sub", var.oidc_issuer)
- }
- }
-}
-
-resource "aws_iam_role" "vault" {
- name = format("%s-vault-role", var.cluster_name)
- description = format("Role used by IRSA and the KSA %s on StreamNative Cloud EKS cluster %s", var.cluster_name, var.service_account_name)
- assume_role_policy = data.aws_iam_policy_document.vault_sts.json
- path = "/StreamNative/"
- permissions_boundary = var.permissions_boundary_arn
- tags = merge({ "Vendor" = "StreamNative" }, var.tags)
-
- lifecycle {
- ignore_changes = [
- assume_role_policy
- ]
- }
-}
-
-resource "aws_iam_policy" "vault" {
- count = var.create_iam_policy_for_vault ? 1 : 0
- name = format("%s-VaultPolicy", var.cluster_name)
- description = "Policy that defines the permissions for Hashicorp Vault, running in a StreamNative Cloud EKS cluster"
- path = "/StreamNative/"
- policy = data.aws_iam_policy_document.vault.json
- tags = merge({ "Vendor" = "StreamNative" }, var.tags)
-
- lifecycle {
- ignore_changes = [
- policy
- ]
- }
-}
-
-resource "aws_iam_role_policy_attachment" "vault" {
- count = var.create_iam_policy_for_vault ? 1 : 0
- policy_arn = var.create_iam_policy_for_vault ? aws_iam_policy.vault[0].arn : var.iam_policy_arn
- role = aws_iam_role.vault.name
-}
\ No newline at end of file
diff --git a/modules/vault-resources/outputs.tf b/modules/vault-resources/outputs.tf
deleted file mode 100644
index c6ddfae..0000000
--- a/modules/vault-resources/outputs.tf
+++ /dev/null
@@ -1,53 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-#
-
-output "dynamo_table_name" {
- value = aws_dynamodb_table.vault_table.id
- description = "The name of the dynamodb table used by Vault"
-}
-
-output "dynamo_table_arn" {
- value = aws_dynamodb_table.vault_table.arn
- description = "The arn of the dynamodb table used by Vault"
-}
-
-output "kms_key_alias_name" {
- value = aws_kms_alias.vault_key.name
- description = "The name of the kms key alias used by Vault"
-}
-
-output "kms_key_alias_arn" {
- value = aws_kms_alias.vault_key.arn
- description = "The arn of the kms key alias used by Vault"
-}
-
-output "kms_key_target_arn" {
- value = aws_kms_key.vault_key.arn
- description = "The arn of the kms key used by Vault"
-}
-
-output "role_arn" {
- value = aws_iam_role.vault.arn
- description = "The arn of the IAM role used by Vault. This needs to be annotated on the corresponding Kubernetes Service account in order for IRSA to work properly, e.g. \"eks.amazonaws.com/role-arn\" : \"\""
-}
-
-output "role_name" {
- value = aws_iam_role.vault.name
- description = "The name of the IAM role used by Vault"
-}
diff --git a/modules/vault-resources/variables.tf b/modules/vault-resources/variables.tf
deleted file mode 100644
index f0bf037..0000000
--- a/modules/vault-resources/variables.tf
+++ /dev/null
@@ -1,86 +0,0 @@ -# -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, -# software distributed under the License is distributed on an -# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -# KIND, either express or implied. See the License for the -# specific language governing permissions and limitations -# under the License. -# - -variable "aws_partition" { - default = "aws" - description = "AWS partition: 'aws', 'aws-cn', or 'aws-us-gov'" - type = string -} - -variable "cluster_name" { - description = "The name of your EKS cluster and associated resources" - type = string -} - -variable "create_iam_policy_for_vault" { - default = true - description = "Whether to create the IAM policy used by Hashicorp Vault. For enhanced security, we allow for these IAM policies to be created seperately from this module. Defaults to \"true\". If set to \"false\", you must provide the ARN for the IAM policy needed for Vault to function." - type = bool -} - -variable "iam_policy_arn" { - default = null - description = "The arn for the IAM policy used by Hasicorp Vault. For enhanced security, we allow for IAM policies used by cluster addon services to be created seperately from this module. This is only required if the input \"create_iam_policy_for_vault\" is set to \"false\". If created elsewhere, the expected name of the policy is \"StreamNativeCloudVaultPolicy\"." 
- type = string -} - -variable "dynamo_billing_mode" { - default = "PAY_PER_REQUEST" - description = "the billing mode for the dynamodb table that will be created" - type = string -} - -variable "dynamo_provisioned_capacity" { - default = { - read : 10, - write : 10 - } - description = "when using \"PROVISIONED\" billing mode, the specified values will be use for throughput, in all other modes they are ignored" - type = object({ - read = number, - write = number - }) -} - -variable "oidc_issuer" { - description = "The OIDC issuer for the EKS cluster" - type = string -} - -variable "permissions_boundary_arn" { - default = null - description = "If required, provide the ARN of the IAM permissions boundary to use for restricting StreamNative's vendor access." - type = string -} - -variable "pulsar_namespace" { - description = "The kubernetes namespace where Pulsar has been deployed. This is required to set the appropriate policy permissions for IRSA, which grants the Kubernetes Service Account for Vault access to use the IAM role" - type = string -} -variable "tags" { - default = {} - description = "Tags that will be added to resources" - type = map(string) -} - -variable "service_account_name" { - default = "vault" - description = "The name of the kubernetes service account to by vault. Defaults to \"vault\"" - type = string -} diff --git a/modules/vault-resources/versions.tf b/modules/vault-resources/versions.tf deleted file mode 100644 index 3485cf0..0000000 --- a/modules/vault-resources/versions.tf +++ /dev/null 
@@ -1,29 +0,0 @@ -# -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, -# software distributed under the License is distributed on an -# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -# KIND, either express or implied. See the License for the -# specific language governing permissions and limitations -# under the License. -# - -terraform { - required_version = ">=1.0.0" - - required_providers { - aws = { - version = ">= 3.61.0" - source = "hashicorp/aws" - } - } -} \ No newline at end of file diff --git a/outputs.tf b/outputs.tf index 05959de..8fb26fb 100644 --- a/outputs.tf +++ b/outputs.tf @@ -22,6 +22,11 @@ output "eks_cluster_arn" { description = "The ARN for the EKS cluster created by this module" } +output "eks_cluster_endpoint" { + value = module.eks.cluster_endpoint + description = "The endpoint for the EKS cluster created by this module" +} + output "eks_cluster_id" { value = module.eks.cluster_id description = "The id/name of the EKS cluster created by this module" 
@@ -37,10 +42,15 @@ output "eks_cluster_identity_oidc_issuer_arn" { description = "The ARN for the OIDC issuer created by this module" } -# output "eks_cluster_identity_oidc_issuer_string" { -# value = local.oidc_issuer -# description = "A formatted string containing the prefix for the OIDC issuer created by this module. Same as \"cluster_oidc_issuer_url\", but with \"https://\" stripped from the name. This output is typically used in other StreamNative modules that request the \"oidc_issuer\" input." -# } +output "eks_cluster_identity_oidc_issuer_string" { + value = local.oidc_issuer + description = "A formatted string containing the prefix for the OIDC issuer created by this module. Same as \"cluster_oidc_issuer_url\", but with \"https://\" stripped from the name. This output is typically used in other StreamNative modules that request the \"oidc_issuer\" input." +} + +output "eks_cluster_platform_version" { + value = module.eks.cluster_platform_version + description = "The platform version for the EKS cluster created by this module" +} output "eks_cluster_primary_security_group_id" { value = module.eks.cluster_primary_security_group_id 
@@ -52,22 +62,27 @@ output "eks_cluster_secondary_security_group_id" { description = "The id of the secondary security group created by this module. This is labled \"Additional Security Groups\" in the EKS console." } -# output "node_groups" { -# value = module.eks.node_groups -# description = "Outputs from EKS node groups. Map of maps, keyed by var.node_groups keys" -# } +output "eks_node_group_iam_role_arn" { + value = aws_iam_role.ng.arn + description = "The IAM Role ARN used by the Worker configuration" +} -# output "worker_iam_role_arn" { -# value = module.eks.worker_iam_role_arn -# description = "The IAM Role ARN used by the Worker configuration" -# } +output "eks_node_group_security_group_id" { + value = module.eks.node_security_group_id + description = "Security group ID attached to the EKS node groups" +} -# output "worker_security_group_id" { -# value = module.eks.worker_security_group_id -# description = "Security group ID attached to the EKS node groups" -# } +output "eks_node_groups" { + value = module.eks.eks_managed_node_groups + description = "Map of all attributes of the EKS node groups created by this module" +} -# output "worker_https_ingress_security_group_rule" { -# value = module.eks.security_group_rule_cluster_https_worker_ingress -# description = "Security group rule responsible for allowing pods to communicate with the EKS cluster API." -# } \ No newline at end of file +output "tiered_storage_s3_bucket_arn" { + value = aws_s3_bucket.tiered_storage.arn + description = "The ARN for the tiered storage S3 bucket created by this module" +} + +output "velero_s3_bucket_arn" { + value = aws_s3_bucket.velero.arn + description = "The ARN for the Velero S3 bucket created by this module" +} diff --git a/modules/backup-resources/versions.tf b/tiered_storage.tf similarity index 57% rename from modules/backup-resources/versions.tf rename to tiered_storage.tf index 3485cf0..d7eb045 100644 --- a/modules/backup-resources/versions.tf +++ b/tiered_storage.tf 
@@ -17,13 +17,28 @@ # under the License. # -terraform { - required_version = ">=1.0.0" +resource "aws_s3_bucket" "tiered_storage" { + bucket = format("%s-offload", var.cluster_name) + tags = merge({ "Attributes" = "offload" }, local.tags) - required_providers { - aws = { - version = ">= 3.61.0" - source = "hashicorp/aws" + lifecycle { + ignore_changes = [ + bucket, + ] + } +} + +resource "aws_s3_bucket_acl" "tiered_storage" { + bucket = aws_s3_bucket.tiered_storage.id + acl = "private" +} + +resource "aws_s3_bucket_server_side_encryption_configuration" "tiered_storage" { + bucket = aws_s3_bucket.tiered_storage.bucket + rule { + apply_server_side_encryption_by_default { + kms_master_key_id = local.s3_kms_key + sse_algorithm = "aws:kms" } } -} \ No newline at end of file +} diff --git a/variables.tf b/variables.tf index 35e623a..f13bb26 100644 --- a/variables.tf +++ b/variables.tf @@ -17,6 +17,12 @@ # under the License. # +variable "s3_encryption_kms_key_arn" { + default = "" + description = "KMS key ARN to use for S3 encryption. If not set, the default AWS S3 key will be used." + type = string +} + variable "additional_tags" { default = {} description = "Additional tags to be added to the resources created by this module." @@ -149,18 +155,6 @@ variable "cluster_enabled_log_types" { type = list(string) } -variable "cluster_log_kms_key_id" { - default = "" - description = "If a KMS Key ARN is set, this key will be used to encrypt the corresponding log group. Please be sure that the KMS Key has an appropriate key policy (https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html)." - type = string -} - -variable "cluster_log_retention_in_days" { - default = 365 - description = "Number of days to retain log events. Defaults to 365 days." - type = number -} - variable "cluster_name" { default = "" description = "The name of your EKS cluster and associated resources. Must be 16 characters or less." 
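Review bot: The new `aws_s3_bucket.tiered_storage` in tiered_storage.tf gets a private ACL and KMS SSE but no `aws_s3_bucket_public_access_block`, so a later bucket policy or object ACL could still expose offloaded ledger data; the acl resource only governs the bucket ACL, not policies. Unless the block is defined in a file outside this diff, add one alongside the acl resource (the velero bucket in velero.tf looks to have the same gap). Separately, `kms_master_key_id = local.s3_kms_key` with `sse_algorithm = "aws:kms"` relies on a local defined outside these hunks; since `s3_encryption_kms_key_arn` defaults to `""`, confirm the local falls back to a real key id or alias rather than passing the empty string through, which would fail at apply time.
```hcl
resource "aws_s3_bucket_public_access_block" "tiered_storage" {
  bucket                  = aws_s3_bucket.tiered_storage.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```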
@@ -220,9 +214,9 @@ variable "disable_public_pulsar_endpoint" { type = bool } -variable "disk_encryption_kms_key_id" { +variable "disk_encryption_kms_key_arn" { default = "" - description = "The KMS Key ARN to use for disk encryption." + description = "The KMS Key ARN to use for EBS disk encryption. If not set, the default EBS encryption key will be used." type = string } @@ -433,7 +427,7 @@ variable "node_pool_desired_size" { } variable "node_pool_disk_size" { - default = 50 + default = 100 description = "Disk size in GiB for worker nodes in the node pool. Defaults to 50." type = number } @@ -445,8 +439,8 @@ variable "node_pool_disk_type" { } variable "node_pool_instance_types" { - default = ["c6i.xlarge", "c6i.2xlarge", "c6i.4xlarge", "c6i.8xlarge"] - description = "Set of instance types associated with the EKS Node Groups. Defaults to [\"c6i.xlarge\", \"c6i.2xlarge\", \"c6i.4xlarge\", \"c6i.8xlarge\"]." + default = ["m6i.large", "m6i.xlarge", "m6i.2xlarge", "m6i.4xlarge", "m6i.8xlarge"] + description = "Set of instance types associated with the EKS Node Groups. Defaults to [\"m6i.large\", \"m6i.xlarge\", \"m6i.2xlarge\", \"m6i.4xlarge\", \"m6i.8xlarge\"], which will create empty node groups of each instance type to account for any workload configurable from StreamNative Cloud." type = list(string) } @@ -595,4 +589,4 @@ variable "vpc_id" { condition = length(var.vpc_id) > 4 && substr(var.vpc_id, 0, 4) == "vpc-" error_message = "The value for variable \"vpc_id\" must be a valid VPC id, starting with \"vpc-\"." } -} \ No newline at end of file +} diff --git a/velero.tf b/velero.tf index 9577d20..291edb5 100644 --- a/velero.tf +++ b/velero.tf 
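Review bot: In the `node_pool_disk_size` hunk the default is raised to 100 but the description still says "Defaults to 50.", so the generated module docs will be wrong; change it to `description = "Disk size in GiB for worker nodes in the node pool. Defaults to 100."`. The `disk_encryption_kms_key_id` → `disk_encryption_kms_key_arn` rename in the first hunk is a breaking input change for existing callers and is not mentioned in the commit message; if it is intended, it is worth a changelog or upgrade note.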
@@ -17,13 +17,15 @@ # under the License. # -data "aws_kms_key" "s3_default" { - key_id = "alias/aws/s3" -} - resource "aws_s3_bucket" "velero" { bucket = format("%s-cluster-backup", var.cluster_name) tags = merge({ "Attributes" = "backup", "Name" = "velero-backups" }, local.tags) + + lifecycle { + ignore_changes = [ + bucket, + ] + } } resource "aws_s3_bucket_acl" "velero" { @@ -36,7 +38,7 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "velero" { rule { apply_server_side_encryption_by_default { - kms_master_key_id = data.aws_kms_key.s3_default.arn + kms_master_key_id = local.s3_kms_key sse_algorithm = "aws:kms" } } From b66fe84c036281306841e9a183344fcc4a11c470 Mon Sep 17 00:00:00 2001 From: Joey Davenport Date: Tue, 4 Oct 2022 10:12:30 -0600 Subject: [PATCH 14/29] Added flag to enable istio explicitly --- istio.tf | 2 +- variables.tf | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/istio.tf b/istio.tf index 95acdfe..069665b 100644 --- a/istio.tf +++ b/istio.tf @@ -34,7 +34,7 @@ locals { } module "istio" { - count = var.enable_bootstrap ? 1 : 0 + count = var.enable_bootstrap || var.enable_istio ? 1 : 0 source = "github.com/streamnative/terraform-helm-charts//modules/istio-operator?ref=v0.8.4" enable_istio_operator = true diff --git a/variables.tf b/variables.tf index f13bb26..62668ce 100644 --- a/variables.tf +++ b/variables.tf 
@@ -226,6 +226,12 @@ variable "enable_bootstrap" { type = bool } +variable "enable_istio" { + default = true + description = "Allows for enabling the bootstrap of Istio explicity in scenarios where the input \"var.enable_bootstrap\" is set to \"false\"." + type = bool +} + variable "enable_sncloud_control_plane_access" { default = true description = "Whether to enable access to the EKS control plane endpoint. If set to \"false\", additional configuration is required in order for the cluster to function properly, such as AWS PrivateLink for EC2, ECR, and S3, along with a VPN to access the EKS control plane. It is recommended to keep this setting to \"true\" unless you are familiar with this type of configuration." From a0564768b4f3c911ee0c18c26212091115544dc3 Mon Sep 17 00:00:00 2001 From: Joey Davenport Date: Tue, 4 Oct 2022 10:32:42 -0600 Subject: [PATCH 15/29] added istio source logic for external-dns --- external_dns.tf | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/external_dns.tf b/external_dns.tf index 869c955..1570d7d 100644 --- a/external_dns.tf +++ b/external_dns.tf @@ -84,6 +84,13 @@ resource "aws_iam_role_policy_attachment" "external_dns" { role = aws_iam_role.external_dns.name } + +locals { + default_sources = ["service", "ingress"] + istio_sources = ["istio-gateway", "istio-virtualservice"] + sources = var.enable_istio || var.enable_bootstrap ? concat(local.istio_sources, local.default_sources) : local.default_sources +} + resource "helm_release" "external_dns" { count = var.enable_bootstrap ? 1 : 0 atomic = true @@ -114,7 +121,7 @@ resource "helm_release" "external_dns" { "eks.amazonaws.com/role-arn" = aws_iam_role.external_dns.arn } } - sources = ["service", "ingress", "istio-gateway", "istio-virtualservice"] + sources = local.sources txtOwnerId = module.eks.cluster_id })] From 1bfbcf0e5a5aa00315ddaf65367630ee2fbc166c Mon Sep 17 00:00:00 2001 
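Review bot: `enable_istio` defaults to `true`, and the istio module count is now `var.enable_bootstrap || var.enable_istio ? 1 : 0`, so setting `enable_bootstrap = false` no longer turns Istio off for existing callers; they must now also set `enable_istio = false`. If the variable is meant as an opt-in override, as the description reads, `default = false` matches that intent. The description also has a typo, `explicity` → `explicitly`. In the external_dns.tf hunks, `helm_release.external_dns` still has `count = var.enable_bootstrap ? 1 : 0`, so the istio entries in `local.sources` only take effect when bootstrap is on; a short comment on the `sources` local stating that would avoid the impression that `enable_istio` alone wires external-dns to Istio.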
From: Joey Davenport Date: Thu, 6 Oct 2022 12:50:41 -0600 Subject: [PATCH 16/29] Updated velero plugin version --- variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/variables.tf b/variables.tf index 62668ce..d7f7c81 100644 --- a/variables.tf +++ b/variables.tf @@ -570,7 +570,7 @@ variable "velero_namespace" { } variable "velero_plugin_version" { - default = "v1.9.2" + default = "v1.5.1" description = "Which version of the velero-plugin-for-aws to use." type = string } From 77f90f4b84a13e8fd560419d08b6268195017cdc Mon Sep 17 00:00:00 2001 From: Joey Davenport Date: Thu, 6 Oct 2022 16:06:40 -0600 Subject: [PATCH 17/29] Updated velero config --- variables.tf | 4 +- velero.tf | 101 ++++++++++++++++++++++++++++++++------------------- 2 files changed, 65 insertions(+), 40 deletions(-) diff --git a/variables.tf b/variables.tf index d7f7c81..7ae551d 100644 --- a/variables.tf +++ b/variables.tf @@ -564,8 +564,8 @@ variable "velero_helm_chart_version" { } variable "velero_namespace" { - default = "sn-system" - description = "The kubernetes namespace where Velero should be deployed. This is required to set the appropriate policy permissions for IRSA, which grants the Kubernetes Service Account access to use the IAM role. Defaults to \"sn-system\"" + default = "velero" + description = "The kubernetes namespace where Velero should be deployed." type = string } diff --git a/velero.tf b/velero.tf index 291edb5..b491c77 100644 --- a/velero.tf +++ b/velero.tf 
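Review bot: The `velero_plugin_version` default moves from `v1.9.2` to `v1.5.1`, which is a downgrade even though the commit title says "Updated"; velero-plugin-for-aws versions are tied to specific Velero server versions, so if this pins a compatible plugin for the chart in `velero_helm_chart_version`, state that in the description, e.g. `description = "Which version of the velero-plugin-for-aws to use. Must be compatible with the Velero version deployed by velero_helm_chart_version."`. Otherwise the downgrade looks accidental.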
@@ -128,51 +128,65 @@ resource "helm_release" "velero" { values = [ yamlencode( { - "credentials" : { - "useSecret" : "false" - }, - "configuration" : { - "provider" : "aws", - "backupStorageLocation" : { - "name" : "aws" - "bucket" : "${aws_s3_bucket.velero.id}" - "region" : var.region + credentials = { + useSecret = "false" + } + configuration = { + provider = "aws" + backupStorageLocation = { + name = "aws" + provider = "velero.io/aws" + bucket = aws_s3_bucket.velero.id + default = true + config = { + region = var.region + kmsKeyId = local.s3_kms_key + } + } + volumeSnapshotLocation = { + name = "aws" + provider = "velero.io/aws" + config = { + region = var.region + } } - }, - "initContainers" : [ + logLevel = "debug" + } + initContainers = [ { - "name" : "velero-plugin-for-aws", - "image" : "velero/velero-plugin-for-aws:${var.velero_plugin_version}", - "imagePullPolicy" : "IfNotPresent", - "volumeMounts" : [ + name = "velero-plugin-for-aws", + image = "velero/velero-plugin-for-aws:${var.velero_plugin_version}" + imagePullPolicy = "IfNotPresent" + volumeMounts = [ { - "mountPath" : "/target", - "name" : "plugins" + mountPath = "/target" + name = "plugins" } ] } - ], - "podAnnotations" : { - "eks.amazonaws.com/role-arn" : "${aws_iam_role.velero.arn}" - }, - "podSecurityContext" : { - "fsGroup" : 65534 - }, - "serviceAccount" : { - "server" : { - "name" : "${"velero"}" - "annotations" : { - "eks.amazonaws.com/role-arn" : "${aws_iam_role.velero.arn}" + ] + podAnnotations = { + "eks.amazonaws.com/role-arn" = aws_iam_role.velero.arn + } + podSecurityContext = { + fsGroup = 1337 + } + serviceAccount = { + server = { + create = true + name = "velero" + annotations = { + "eks.amazonaws.com/role-arn" = aws_iam_role.velero.arn } - }, - }, - "schedules" : { - "cluster-wide-backup" : { - "schedule" : "${var.velero_backup_schedule}" - "template" : { - "excludedNamespaces" : "${var.velero_excluded_namespaces}" - "storageLocation" : "aws" - "volumeSnapshotLocations" : ["aws"] 
+ } + } + schedules = { + cluster-wide-backup = { + schedule = var.velero_backup_schedule + template = { + excludedNamespaces = var.velero_excluded_namespaces + storageLocation = "aws" + volumeSnapshotLocations = ["aws"] } } } @@ -187,4 +201,15 @@ resource "helm_release" "velero" { value = set.value } } + + depends_on = [ + kubernetes_namespace.velero + ] } + + +resource "kubernetes_namespace" "velero" { + metadata { + name = var.velero_namespace + } +} \ No newline at end of file From 2903ee3896d2750493b58b43be43c26ebbd1928b Mon Sep 17 00:00:00 2001 From: Joey Davenport Date: Mon, 17 Oct 2022 13:19:38 -0600 Subject: [PATCH 18/29] Added more SG inputs;updated autoscaler perms;removed tiered storage submodule --- cluster_autoscaler.tf | 12 +- main.tf | 10 +- modules/tiered-storage-resources/README.md | 89 ------------- modules/tiered-storage-resources/main.tf | 119 ------------------ modules/tiered-storage-resources/outputs.tf | 38 ------ modules/tiered-storage-resources/variables.tf | 75 ----------- modules/tiered-storage-resources/versions.tf | 29 ----- variables.tf | 40 +++++- velero.tf | 8 +- 9 files changed, 61 insertions(+), 359 deletions(-) delete mode 100644 modules/tiered-storage-resources/README.md delete mode 100644 modules/tiered-storage-resources/main.tf delete mode 100644 modules/tiered-storage-resources/outputs.tf delete mode 100644 modules/tiered-storage-resources/variables.tf delete mode 100644 modules/tiered-storage-resources/versions.tf diff --git a/cluster_autoscaler.tf b/cluster_autoscaler.tf index 81d9b13..49f03e8 100644 --- a/cluster_autoscaler.tf +++ b/cluster_autoscaler.tf 
@@ -26,7 +26,11 @@ data "aws_iam_policy_document" "cluster_autoscaler" { "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags", + "ec2:DescribeImages", + "ec2:DescribeInstanceTypes", "ec2:DescribeLaunchTemplateVersions", + "ec2:GetInstanceTypesFromInstanceRequirements", + "eks:DesribedNodegroup", ] resources = ["*"] @@ -62,10 +66,15 @@ data "aws_iam_policy_document" "cluster_autoscaler_sts" { identifiers = [format("arn:%s:iam::%s:oidc-provider/%s", local.aws_partition, local.account_id, local.oidc_issuer)] } condition { - test = "StringLike" + test = "StringEquals" values = [format("system:serviceaccount:%s:%s", "kube-system", "cluster-autoscaler")] variable = format("%s:sub", local.oidc_issuer) } + condition { + test = "StringEquals" + values = ["sts.amazonaws.com"] + variable = format("%s:aud", local.oidc_issuer) + } } } @@ -107,6 +116,7 @@ locals { "1.20" = "v1.20.1", "1.21" = "v1.21.1", "1.22" = "v1.22.1", + "1.23" = "v1.23.0" } } diff --git a/main.tf b/main.tf index 87aaae1..1d3a10b 100644 --- a/main.tf +++ b/main.tf 
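Review bot: `"eks:DesribedNodegroup"` in the cluster_autoscaler policy statement is misspelled, so it never matches the real `eks:DescribeNodegroup` API and the autoscaler's nodegroup lookups will still be denied; change it to `"eks:DescribeNodegroup",`. Since these actions are granted on `resources = ["*"]`, consider whether `eks:DescribeNodegroup` can be scoped to the cluster's nodegroup ARNs. The second hunk's switch to `StringEquals` and the added `:aud` = `sts.amazonaws.com` condition are the right tightening for the IRSA trust policy.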
@@ -150,13 +150,17 @@ module "eks" { aws_auth_roles = local.role_bindings cluster_name = var.cluster_name cluster_version = var.cluster_version - create_cluster_primary_security_group_tags = false - cluster_endpoint_private_access = true # Always set to true here, which enables private networking for the node groups + cluster_endpoint_private_access = true # Always set to true here, which enables private networking for the node groups cluster_endpoint_public_access = var.disable_public_eks_endpoint ? false : true cluster_endpoint_public_access_cidrs = var.allowed_public_cidrs cluster_enabled_log_types = var.cluster_enabled_log_types + cluster_security_group_additional_rules = var.cluster_security_group_additional_rules + cluster_security_group_id = var.cluster_security_group_id control_plane_subnet_ids = local.cluster_subnet_ids create_cloudwatch_log_group = false + create_cluster_primary_security_group_tags = false # Cleaner if we handle the tag in aws_ec2_tag.cluster_security_group + create_cluster_security_group = var.create_cluster_security_group + create_node_security_group = var.create_node_security_group create_iam_role = var.use_runtime_policy ? false : true eks_managed_node_groups = local.node_groups eks_managed_node_group_defaults = local.node_group_defaults @@ -165,6 +169,8 @@ module "eks" { iam_role_path = var.iam_path iam_role_permissions_boundary = var.permissions_boundary_arn manage_aws_auth_configmap = true + node_security_group_id = var.node_security_group_id + node_security_group_additional_rules = var.node_security_group_additional_rules openid_connect_audiences = ["sts.amazonaws.com"] tags = local.tags vpc_id = var.vpc_id diff --git a/modules/tiered-storage-resources/README.md b/modules/tiered-storage-resources/README.md deleted file mode 100644 index 6ea19dc..0000000 --- a/modules/tiered-storage-resources/README.md +++ /dev/null 
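Review bot: `create_cluster_security_group` / `cluster_security_group_id` and `create_node_security_group` / `node_security_group_id` are passed straight through to the eks module, but nothing visible here rejects the combination of `create_* = false` with an empty id, which would only surface as a provider error at apply time. The new variables are defined in variables.tf outside this hunk; a `validation` block there (or a `precondition` on the module call) that requires a non-empty id whenever creation is disabled would catch it at plan time. The `module "eks"` block starts and ends outside these hunks.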
@@ -1,89 +0,0 @@ -# Tiered Storage for AWS -This Terraform module creates the resources needed for tiered storage offloading in Pulsar. This includes an encrypted and private S3 bucket and the IAM resources for IRSA. - -Here is an example usage: - -```hcl -module "tiered_storage" { - source = "streamnative/cloud/aws//modules/tiered_storage" - - cluster_name = "my-eks-cluster" - oidc_issuer = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B716D3041E" - pulsar_namespace = "my-pulsar-namespace" - service_account_name = "my-pulsar-service-account" - - tags = { - Project = "MyApp" - Environment = "Prod" - } -} -``` - -## Important! -This module uses EKS IAM Roles for Service Accounts (IRSA). In order for these resources to work properly, there are two requirements: - -1. You must know the name of the Kubernetes Service Account and the Kubernetes namespace for your Pulsar workload. These don't need to exist prior to running this Terraform module, but are necessary for the resources to work properly. -2. You must add an annotation to the Service Account so it can be used by IRSA (IAM Role) created in this module. - -The module output includes the AWS ARN for the IAM role created. Using that, you can add the oppropriate annotation to the Service Account using `kubectl`: - -```shell -kubectl annotate serviceaccount -n \ -eks.amazonaws.com/role-arn=arn:aws:iam:::role/my-eks-cluster-tiered-storage-role -``` - -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >=1.0.0 | -| [aws](#requirement\_aws) | >= 3.61.0 | - -## Providers - -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | >= 3.61.0 | - -## Modules - -No modules. 
- -## Resources - -| Name | Type | -|------|------| -| [aws_iam_policy.tiered_storage](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_role.tiered_storage](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role_policy_attachment.tiered_storage](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [aws_s3_bucket.tiered_storage](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | -| [aws_s3_bucket_acl.tiered_storage](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource | -| [aws_s3_bucket_server_side_encryption_configuration.tiered_storage](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | -| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | -| [aws_iam_policy_document.tiered_storage](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.tiered_storage_sts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [aws\_partition](#input\_aws\_partition) | AWS partition: 'aws', 'aws-cn', or 'aws-us-gov' | `string` | `"aws"` | no | -| [cluster\_name](#input\_cluster\_name) | The name of your EKS cluster and associated resources | `string` | n/a | yes | -| 
[create\_iam\_policy\_for\_tiered\_storage](#input\_create\_iam\_policy\_for\_tiered\_storage) | Whether to create the IAM policy used by Pulsar's tiered storage offloading. For enhanced security, we allow for these IAM policies to be created seperately from this module. Defaults to "true". If set to "false", you must provide the ARN for the IAM policy needed for tiered storage offloading to function. | `bool` | `true` | no | -| [iam\_policy\_arn](#input\_iam\_policy\_arn) | The arn for the IAM policy used for Pulsar's tiered storage offloading. For enhanced security, we allow for IAM policies used by cluster addon services to be created seperately from this module. This is only required if the input "create\_iam\_policy\_for\_tiered\_storage" is set to "false". If created elsewhere, the expected name of the policy is "StreamNativeCloudTieredStoragedPolicy". | `string` | `null` | no | -| [kms\_key\_id](#input\_kms\_key\_id) | The KMS key ID to use for server side encryption. Defaults to "aws/s3". | `string` | `"aws/s3"` | no | -| [oidc\_issuer](#input\_oidc\_issuer) | The OIDC issuer for the EKS cluster | `string` | n/a | yes | -| [permissions\_boundary\_arn](#input\_permissions\_boundary\_arn) | If required, provide the ARN of the IAM permissions boundary to use for restricting StreamNative's vendor access. | `string` | `null` | no | -| [pulsar\_namespace](#input\_pulsar\_namespace) | The kubernetes namespace where Pulsar has been deployed. This is required to set the appropriate policy permissions for IRSA, which grants the Kubernetes Service Account access to use the IAM role | `string` | n/a | yes | -| [service\_account\_name](#input\_service\_account\_name) | The name of the kubernetes service account to by tiered storage offloading. Defaults to "pulsar". 
This is required to set the appropriate policy permissions for IRSA, which grants the Kubernetes Service Account access to use the IAM role | `string` | `"pulsar"` | no | -| [tags](#input\_tags) | Tags to be added to the bucket and corresponding resources | `map(string)` | `{}` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| [role\_arn](#output\_role\_arn) | The arn of the role used for Pulsar's tiered storage offloading. This needs to be annotated on the corresponding Kubernetes Service account in order for IRSA to work properly, e.g. "eks.amazonaws.com/role-arn" : "" | -| [role\_name](#output\_role\_name) | The name of the role used for Pulsar's tiered storage offloading | -| [s3\_bucket](#output\_s3\_bucket) | The name of the bucket used for Pulsar's tiered storage offloading | -| [s3\_bucket\_arn](#output\_s3\_bucket\_arn) | The arn of the bucket used for Pulsar's tiered storage offloading | diff --git a/modules/tiered-storage-resources/main.tf b/modules/tiered-storage-resources/main.tf deleted file mode 100644 index 4d868bb..0000000 --- a/modules/tiered-storage-resources/main.tf +++ /dev/null 
@@ -1,119 +0,0 @@ -# -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, -# software distributed under the License is distributed on an -# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -# KIND, either express or implied. See the License for the -# specific language governing permissions and limitations -# under the License. -# - -data "aws_caller_identity" "current" {} - -data "aws_region" "current" {} - -resource "aws_s3_bucket" "tiered_storage" { - bucket = format("%s-storage-offload-%s", var.cluster_name, data.aws_region.current.name) - tags = merge({ "Vendor" = "StreamNative", "Attributes" = "offload", "Name" = "offload" }, var.tags) - - lifecycle { - ignore_changes = [ - bucket, - ] - } -} - -resource "aws_s3_bucket_server_side_encryption_configuration" "tiered_storage" { - bucket = aws_s3_bucket.tiered_storage.bucket - rule { - apply_server_side_encryption_by_default { - kms_master_key_id = var.kms_key_id - sse_algorithm = "aws:kms" - } - } -} - -resource "aws_s3_bucket_acl" "tiered_storage" { - bucket = aws_s3_bucket.tiered_storage.id - acl = "private" -} - -data "aws_iam_policy_document" "tiered_storage" { - statement { - actions = [ - "s3:AbortMultipartUpload", - "s3:DeleteObject*", - "s3:GetObject*", - "s3:PutObject*", - "s3:List*", - ] - - resources = [ - aws_s3_bucket.tiered_storage.arn, - "${aws_s3_bucket.tiered_storage.arn}/*", - ] - } -} - -data "aws_iam_policy_document" "tiered_storage_sts" { - statement { - actions = [ - "sts:AssumeRoleWithWebIdentity" - ] - effect = 
"Allow" - principals { - type = "Federated" - identifiers = [format("arn:%s:iam::%s:oidc-provider/%s", var.aws_partition, data.aws_caller_identity.current.account_id, var.oidc_issuer)] - } - condition { - test = "StringLike" - values = [format("system:serviceaccount:%s:%s", var.pulsar_namespace, var.service_account_name)] - variable = format("%s:sub", var.oidc_issuer) - } - } -} - -resource "aws_iam_role" "tiered_storage" { - name = format("%s-tiered-storage-role", var.cluster_name) - description = format("Role used by IRSA and the KSA %s on StreamNative Cloud EKS cluster %s", var.cluster_name, var.service_account_name) - assume_role_policy = data.aws_iam_policy_document.tiered_storage_sts.json - path = "/StreamNative/" - permissions_boundary = var.permissions_boundary_arn - tags = merge({ "Vendor" = "StreamNative" }, var.tags) - - lifecycle { - ignore_changes = [ - assume_role_policy - ] - } -} - -resource "aws_iam_policy" "tiered_storage" { - count = var.create_iam_policy_for_tiered_storage ? 1 : 0 - name = format("%s-TieredStoragePolicy", var.cluster_name) - description = "Policy that defines the permissions for Pulsar's tiered storage offloading to S3, running in a StreamNative Cloud EKS cluster" - path = "/StreamNative/" - policy = data.aws_iam_policy_document.tiered_storage.json - tags = merge({ "Vendor" = "StreamNative" }, var.tags) - - lifecycle { - ignore_changes = [ - policy - ] - } -} - -resource "aws_iam_role_policy_attachment" "tiered_storage" { - count = var.create_iam_policy_for_tiered_storage ? 1 : 0 - policy_arn = var.create_iam_policy_for_tiered_storage ? aws_iam_policy.tiered_storage[0].arn : var.iam_policy_arn - role = aws_iam_role.tiered_storage.name -} \ No newline at end of file diff --git a/modules/tiered-storage-resources/outputs.tf b/modules/tiered-storage-resources/outputs.tf deleted file mode 100644 index abea3df..0000000 --- a/modules/tiered-storage-resources/outputs.tf +++ /dev/null 
@@ -1,38 +0,0 @@ -# -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, -# software distributed under the License is distributed on an -# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -# KIND, either express or implied. See the License for the -# specific language governing permissions and limitations -# under the License. -# - -output "role_arn" { - value = aws_iam_role.tiered_storage.arn - description = "The arn of the role used for Pulsar's tiered storage offloading. This needs to be annotated on the corresponding Kubernetes Service account in order for IRSA to work properly, e.g. \"eks.amazonaws.com/role-arn\" : \"\"" -} - -output "role_name" { - value = aws_iam_role.tiered_storage.name - description = "The name of the role used for Pulsar's tiered storage offloading" -} - -output "s3_bucket" { - value = aws_s3_bucket.tiered_storage.bucket - description = "The name of the bucket used for Pulsar's tiered storage offloading" -} - -output "s3_bucket_arn" { - value = aws_s3_bucket.tiered_storage.arn - description = "The arn of the bucket used for Pulsar's tiered storage offloading" -} \ No newline at end of file diff --git a/modules/tiered-storage-resources/variables.tf b/modules/tiered-storage-resources/variables.tf deleted file mode 100644 index bc88b0a..0000000 --- a/modules/tiered-storage-resources/variables.tf +++ /dev/null 
@@ -1,75 +0,0 @@ -# -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, -# software distributed under the License is distributed on an -# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -# KIND, either express or implied. See the License for the -# specific language governing permissions and limitations -# under the License. -# - -variable "aws_partition" { - default = "aws" - description = "AWS partition: 'aws', 'aws-cn', or 'aws-us-gov'" - type = string -} - -variable "cluster_name" { - description = "The name of your EKS cluster and associated resources" - type = string -} - -variable "create_iam_policy_for_tiered_storage" { - default = true - description = "Whether to create the IAM policy used by Pulsar's tiered storage offloading. For enhanced security, we allow for these IAM policies to be created seperately from this module. Defaults to \"true\". If set to \"false\", you must provide the ARN for the IAM policy needed for tiered storage offloading to function." - type = bool -} - -variable "iam_policy_arn" { - default = null - description = "The arn for the IAM policy used for Pulsar's tiered storage offloading. For enhanced security, we allow for IAM policies used by cluster addon services to be created seperately from this module. This is only required if the input \"create_iam_policy_for_tiered_storage\" is set to \"false\". If created elsewhere, the expected name of the policy is \"StreamNativeCloudTieredStoragedPolicy\"." 
- type = string -} - -variable "kms_key_id" { - default = "aws/s3" - description = "The KMS key ID to use for server side encryption. Defaults to \"aws/s3\"." - type = string -} - -variable "oidc_issuer" { - description = "The OIDC issuer for the EKS cluster" - type = string -} - -variable "permissions_boundary_arn" { - default = null - description = "If required, provide the ARN of the IAM permissions boundary to use for restricting StreamNative's vendor access." - type = string -} - -variable "pulsar_namespace" { - description = "The kubernetes namespace where Pulsar has been deployed. This is required to set the appropriate policy permissions for IRSA, which grants the Kubernetes Service Account access to use the IAM role" - type = string -} - -variable "service_account_name" { - default = "pulsar" - description = "The name of the kubernetes service account to by tiered storage offloading. Defaults to \"pulsar\". This is required to set the appropriate policy permissions for IRSA, which grants the Kubernetes Service Account access to use the IAM role" - type = string -} - -variable "tags" { - default = {} - description = "Tags to be added to the bucket and corresponding resources" - type = map(string) -} diff --git a/modules/tiered-storage-resources/versions.tf b/modules/tiered-storage-resources/versions.tf deleted file mode 100644 index 8016768..0000000 --- a/modules/tiered-storage-resources/versions.tf +++ /dev/null 
@@ -1,29 +0,0 @@ -# -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, -# software distributed under the License is distributed on an -# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -# KIND, either express or implied. See the License for the -# specific language governing permissions and limitations -# under the License. -# - -terraform { - required_version = ">=1.0.0" - - required_providers { - aws = { - version = ">= 4.0.0" - source = "hashicorp/aws" - } - } -} \ No newline at end of file diff --git a/variables.tf b/variables.tf index 7ae551d..3b45cbd 100644 --- a/variables.tf +++ b/variables.tf @@ -138,7 +138,7 @@ variable "cluster_autoscaler_helm_chart_repository" { } variable "cluster_autoscaler_helm_chart_version" { - default = "9.19.2" + default = "9.21.0" description = "Helm chart version for the cluster-autoscaler. Defaults to \"9.10.4\". See https://github.com/kubernetes/autoscaler/tree/master/charts/cluster-autoscaler for more details." type = string } 
@@ -166,6 +166,18 @@ variable "cluster_name" { } } +variable "cluster_security_group_additional_rules" { + default = {} + description = "Additional rules to add to the cluster security group. Set source_node_security_group = true inside rules to set the node_security_group as source." + type = any +} + +variable "cluster_security_group_id" { + default = "" + description = "The ID of an existing security group to use for the EKS cluster. If not provided, a new security group will be created." + type = string +} + variable "cluster_version" { default = "1.20" description = "The version of Kubernetes to be installed." @@ -196,12 +208,24 @@ variable "csi_settings" { type = map(any) } +variable "create_cluster_security_group" { + default = true + description = "Whether to create a new security group for the EKS cluster. If set to false, you must provide an existing security group via the cluster_security_group_id variable." + type = bool +} + variable "create_iam_policies" { default = true description = "Whether to create IAM policies for the IAM roles. If set to false, the module will default to using existing policy ARNs that must be present in the AWS account" type = bool } +variable "create_node_security_group" { + default = true + description = "Whether to create a new security group for the EKS nodes. If set to false, you must provide an existing security group via the node_security_group_id variable." + type = bool +} + variable "disable_public_eks_endpoint" { default = false description = "Whether to disable public access to the EKS control plane endpoint. If set to \"true\", additional configuration is required in order for the cluster to function properly, such as AWS PrivateLink for EC2, ECR, and S3, along with a VPN to access the EKS control plane. It is recommended to keep this setting to \"false\" unless you are familiar with this type of configuration." 
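Review bot: `cluster_security_group_additional_rules` is declared `type = any` with `default = {}` and no `validation`, so a rule whose `cidr_blocks` is `["0.0.0.0/0"]` on the control-plane security group is accepted silently; the description only explains the `source_node_security_group = true` shortcut, not that the rules are passed through unchecked. Terraform cannot validate across variables, but it can inspect the rules themselves, and a world-open source on the cluster group is almost never what an operator means; the block below rejects it with a message that points at the intended alternatives (an IPv6 `::/0` check on `ipv6_cidr_blocks` can be added the same way). Whether these rules are actually forwarded to `module.eks` is not visible in this hunk and should be confirmed in main.tf; `cluster_security_group_id` in the same hunk defaults to `""` rather than `null`, which is worth a comment if the parent module treats the two differently.
```terraform
variable "cluster_security_group_additional_rules" {
  # … unchanged: default, description, type …

  validation {
    condition     = alltrue([for r in values(var.cluster_security_group_additional_rules) : !try(contains(r.cidr_blocks, "0.0.0.0/0"), false)])
    error_message = "cluster_security_group_additional_rules must not open the cluster security group to 0.0.0.0/0; scope the source to a CIDR or set source_node_security_group = true."
  }
}
```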
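Review bot: `create_cluster_security_group` and `create_node_security_group` both state that the caller "must provide an existing security group" when set to `false`, but the matching `*_security_group_id` inputs default to `""` and nothing in this hunk checks the pair, so `create_cluster_security_group = false` with an empty id passes variable validation and fails, if at all, only inside `module.eks`. A Terraform `validation` block cannot reference another variable, so the check belongs where the id is consumed (outside this hunk), for example a `lifecycle { precondition }` on a resource that uses it, and the description should say so: `Not validated here: leaving cluster_security_group_id empty while this is false is an error at apply time, not plan time.` The description should also state whether this module still adds its own cluster/node rules to a supplied group or expects the caller to carry them, since a bring-your-own group missing the node-to-control-plane rules leaves the cluster unreachable rather than over-exposed; that behaviour is not visible in this hunk.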
@@ -263,7 +287,7 @@ variable "external_dns_helm_chart_repository" { } variable "external_dns_helm_chart_version" { - default = "6.5.6" + default = "6.10.2" description = "Helm chart version for ExternalDNS. See https://hub.helm.sh/charts/bitnami/external-dns for updates." type = string } @@ -378,6 +402,18 @@ variable "metrics_server_settings" { type = map(any) } +variable "node_security_group_additional_rules" { + default = {} + description = "Additional ingress rules to add to the node security group. Set source_cluster_security_group = true inside rules to set the cluster_security_group as source" + type = any +} + +variable "node_security_group_id" { + default = "" + description = "An ID of an existing security group to use for the EKS node groups. If not specified, a new security group will be created." + type = string +} + variable "node_termination_handler_helm_chart_name" { default = "aws-node-termination-handler" description = "The name of the Helm chart to use for the AWS Node Termination Handler." diff --git a/velero.tf b/velero.tf index b491c77..5e51c41 100644 --- a/velero.tf +++ b/velero.tf @@ -139,12 +139,12 @@ resource "helm_release" "velero" { bucket = aws_s3_bucket.velero.id default = true config = { - region = var.region + region = var.region kmsKeyId = local.s3_kms_key } } volumeSnapshotLocation = { - name = "aws" + name = "aws" provider = "velero.io/aws" config = { region = var.region @@ -174,7 +174,7 @@ resource "helm_release" "velero" { serviceAccount = { server = { create = true - name = "velero" + name = "velero" annotations = { "eks.amazonaws.com/role-arn" = aws_iam_role.velero.arn } @@ -202,7 +202,7 @@ resource "helm_release" "velero" { } } - depends_on = [ + depends_on = [ kubernetes_namespace.velero ] } From 1faea93981caefbfea533dffa46a852e8f65db5d Mon Sep 17 00:00:00 2001 
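Review bot: `node_security_group_additional_rules` is also `type = any` with no `validation`, and its description says "Additional ingress rules" while the cluster-side variable says "Additional rules", so it is unclear whether egress rules are accepted here; the two descriptions should agree on what the map may contain. The node group is the more exposure-sensitive of the two (kubelet and NodePort traffic terminate on these instances), so a world-open source deserves the same guard as the cluster group: a `validation` whose condition is `alltrue([for r in values(var.node_security_group_additional_rules) : !try(contains(r.cidr_blocks, "0.0.0.0/0"), false)])` with an error message naming `source_cluster_security_group = true` as the intended shortcut. `node_security_group_id` defaults to `""`; if the parent module distinguishes `""` from `null`, say which one means "create", since the description only says "If not specified".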
From: Joey Davenport Date: Mon, 17 Oct 2022 13:25:02 -0600 Subject: [PATCH 19/29] removed calico inputs --- variables.tf | 24 ------------------------ 1 file changed, 24 deletions(-) diff --git a/variables.tf b/variables.tf index 3b45cbd..ba688b4 100644 --- a/variables.tf +++ b/variables.tf @@ -71,30 +71,6 @@ variable "aws_load_balancer_controller_settings" { type = map(string) } -variable "calico_helm_chart_name" { - default = "tigera-operator" - description = "The name of the Helm chart in the repository for Calico, which is installed alongside the tigera-operator." - type = string -} - -variable "calico_helm_chart_repository" { - default = "https://stevehipwell.github.io/helm-charts/" - description = "The repository containing the calico helm chart. We are currently using a community provided chart, which is a fork of the official chart published by Tigera. This chart isn't as opinionated about namespaces, and should be used until this issue is resolved https://github.com/projectcalico/calico/issues/4812." - type = string -} - -variable "calico_helm_chart_version" { - default = "1.5.0" - description = "Helm chart version for Calico. Defaults to \"1.0.5\". See https://github.com/stevehipwell/helm-charts/tree/master/charts/tigera-operator for available version releases." - type = string -} - -variable "calico_settings" { - default = {} - description = "Additional settings which will be passed to the Helm chart values. See https://github.com/stevehipwell/helm-charts/tree/master/charts/tigera-operator for available options." - type = map(any) -} - variable "cert_manager_helm_chart_name" { default = "cert-manager" description = "The name of the Helm chart in the repository for cert-manager." From cc93459ddc536134314d21977ae9e0ebe318c1d5 Mon Sep 17 00:00:00 2001 From: Joey Davenport Date: Mon, 17 Oct 2022 14:08:19 -0600 Subject: [PATCH 20/29] removed unneeded RBAC configs --- variables.tf | 16 ---------------- 1 file changed, 16 deletions(-) 
diff --git a/variables.tf b/variables.tf index ba688b4..b002a64 100644 --- a/variables.tf +++ b/variables.tf @@ -328,12 +328,6 @@ variable "kiali_operator_settings" { type = map(any) } -variable "map_additional_aws_accounts" { - default = [] - description = "Additional AWS account numbers to add to `config-map-aws-auth` ConfigMap." - type = list(string) -} - variable "map_additional_iam_roles" { default = [] description = "A list of IAM role bindings to add to the aws-auth ConfigMap." @@ -344,16 +338,6 @@ variable "map_additional_iam_roles" { })) } -variable "map_additional_iam_users" { - default = [] - description = "Additional IAM roles to add to `config-map-aws-auth` ConfigMap." - type = list(object({ - userarn = string - username = string - groups = list(string) - })) -} - variable "metrics_server_helm_chart_name" { default = "metrics-server" description = "The name of the helm release to install" From 74e486a5b35cf42162e41c2d3c3d01470e7cdd3e Mon Sep 17 00:00:00 2001 From: Joey Davenport Date: Wed, 19 Oct 2022 10:29:26 -0600 Subject: [PATCH 21/29] Added migration_mode flag for cleaner handling of upgrades --- main.tf | 22 +++++++++++++--------- variables.tf | 12 ++++++++++++ 2 files changed, 25 insertions(+), 9 deletions(-) diff --git a/main.tf b/main.tf index 1d3a10b..9fe3f92 100644 --- a/main.tf +++ b/main.tf 
@@ -138,19 +138,23 @@ module "eks" { source = "terraform-aws-modules/eks/aws" version = "18.29.0" - ############################################################################################## - ### Added these to avoid issues with the module refactor from 17.X to 18.X. ### - ### Future versions of the terraform-aws-eks module may not require these to be specified. ### - prefix_separator = "" - iam_role_name = var.cluster_name - cluster_security_group_name = var.cluster_name - cluster_security_group_description = "EKS cluster security group." - ############################################################################################### + ###################################################################################################### + ### This section takes into account the breaking changes made in v18.X of the community EKS module ### + ### They are only applicable if migration_mode is set to true, for upgrading existing clusters ### + ###################################################################################################### + prefix_separator = var.migration_mode ? "" : "-" + iam_role_name = var.migration_mode ? var.cluster_name : null + cluster_security_group_name = var.migration_mode ? var.cluster_name : null + cluster_security_group_description = var.migration_mode ? "EKS cluster security group." : "EKS cluster security group" + node_security_group_description = var.migration_mode ? "Security group for all nodes in the cluster." : "EKS node shared security group" + node_security_group_use_name_prefix = var.migration_mode ? false : true + node_security_group_name = var.migration_mode ? 
var.migration_mode_node_sg_name : null + ###################################################################################################### aws_auth_roles = local.role_bindings cluster_name = var.cluster_name cluster_version = var.cluster_version - cluster_endpoint_private_access = true # Always set to true here, which enables private networking for the node groups + cluster_endpoint_private_access = true # Always set to true here, which enables private networking for the node groups cluster_endpoint_public_access = var.disable_public_eks_endpoint ? false : true cluster_endpoint_public_access_cidrs = var.allowed_public_cidrs cluster_enabled_log_types = var.cluster_enabled_log_types diff --git a/variables.tf b/variables.tf index b002a64..01e09fa 100644 --- a/variables.tf +++ b/variables.tf @@ -362,6 +362,18 @@ variable "metrics_server_settings" { type = map(any) } +variable "migration_mode" { + default = false + description = "Whether to enable migration mode for the cluster. This is used to migrate details from existing security groups, which have had their names and description changed in versions v18.X of the community EKS module." + type = bool +} + +variable "migration_mode_node_sg_name" { + default = null + description = "The name (not ID!) of the existing security group used by worker nodes. This is required when \"migration_mode\" is set to \"true\", otherwise the parent module will attempt to set a new security group name and destroy the existin one." + type = string +} + variable "node_security_group_additional_rules" { default = {} description = "Additional ingress rules to add to the node security group. Set source_cluster_security_group = true inside rules to set the cluster_security_group as source" From aaf78fbb6c9c59af2969b083f58d50ffe95e2189 Mon Sep 17 00:00:00 2001 
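Review bot: `node_security_group_name = var.migration_mode ? var.migration_mode_node_sg_name : null` has no guard for the case the accompanying variable description warns about: `migration_mode_node_sg_name` defaults to `null`, so `migration_mode = true` without it evaluates to `null` and, by that description's own account, the parent module picks a new name and replaces the existing node security group, which is the outcome the flag exists to prevent. A variable `validation` cannot reference another variable, so the check belongs near this expression, as a `lifecycle { precondition }` on a resource that consumes the group or at minimum a line in the banner such as `# migration_mode requires migration_mode_node_sg_name; a null name here renames and replaces the node security group`. The banner should also say that the flag must not be flipped on a cluster that has already been applied, because `prefix_separator`, `iam_role_name` and both security group names change with it and a renamed security group is a new resource; whether the EKS cluster itself is replaced as a consequence is not visible here. The `module "eks"` block continues outside the hunk.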
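Review bot: The description of `migration_mode_node_sg_name` says it is required when `migration_mode` is true, but the variable is `default = null` with no enforcement, and a Terraform `validation` block cannot read `var.migration_mode`, so the requirement is documentation-only and should say so: `This is not validated: if left null while migration_mode is true, the node security group is renamed and replaced.` The same sentence has a typo, `destroy the existin one` should read `destroy the existing one`. `migration_mode`'s description could also name the boundary the flag targets, the v17.x to v18.x refactor of the community EKS module that the removed comment in main.tf referred to, and state that it is for clusters created before that upgrade only, so new clusters are never created with the legacy names.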
From: Joey Davenport Date: Fri, 21 Oct 2022 11:59:32 -0600 Subject: [PATCH 22/29] Increment parent module version; added external-dns domain filtering --- README.md | 67 +++++++++++++++++++++++++++++++++++++------------ external_dns.tf | 1 + main.tf | 2 +- variables.tf | 6 +++++ 4 files changed, 59 insertions(+), 17 deletions(-) diff --git a/README.md b/README.md index 88a59fd..4669983 100644 --- a/README.md +++ b/README.md @@ -188,6 +188,7 @@ _Note: Since this module manages all of the Kubernetes addon dependencies requir [^1]: When running Apache Pulsar in Kubernetes, we make use of EBS backed Kubernetes Persistent Volume Claims (PVC). EBS volumes themselves are zonal, which means [an EC2 instance can only mount a volume that exists in its same AWS Availability Zone](https://aws.amazon.com/blogs/containers/amazon-eks-cluster-multi-zone-auto-scaling-groups/). For this reason we have added node group "zone affinity" functionality into our module, where **an EKS node group is created per AWS Availability Zone**. This is controlled by the number of subnets you pass to the EKS module, creating one node group per subnet. +## Requirements | Name | Version | |------|---------| @@ -208,7 +209,7 @@ _Note: Since this module manages all of the Kubernetes addon dependencies requir | Name | Source | Version | |------|--------|---------| -| [eks](#module\_eks) | terraform-aws-modules/eks/aws | 18.29.0 | +| [eks](#module\_eks) | terraform-aws-modules/eks/aws | 18.30.2 | | [istio](#module\_istio) | github.com/streamnative/terraform-helm-charts//modules/istio-operator | v0.8.4 | | [vpc\_tags](#module\_vpc\_tags) | ./modules/eks-vpc-tags | n/a | 
@@ -222,6 +223,7 @@ _Note: Since this module manages all of the Kubernetes addon dependencies requir | [aws_iam_policy.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.external_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.velero](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_role.aws_load_balancer_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_iam_role.cert_manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_iam_role.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | 
@@ -229,6 +231,7 @@ _Note: Since this module manages all of the Kubernetes addon dependencies requir | [aws_iam_role.csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_iam_role.external_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_iam_role.ng](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role.velero](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_iam_role_policy_attachment.aws_load_balancer_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.cert_manager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.cluster_AmazonEKSClusterPolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | 
@@ -241,6 +244,13 @@ _Note: Since this module manages all of the Kubernetes addon dependencies requir | [aws_iam_role_policy_attachment.ng_AmazonEKSServicePolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.ng_AmazonEKSVPCResourceControllerPolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.ng_AmazonEKSWorkerNodePolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.velero](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_s3_bucket.tiered_storage](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket.velero](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket_acl.tiered_storage](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource | +| [aws_s3_bucket_acl.velero](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource | +| [aws_s3_bucket_server_side_encryption_configuration.tiered_storage](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | +| [aws_s3_bucket_server_side_encryption_configuration.velero](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | | [helm_release.aws_load_balancer_controller](https://registry.terraform.io/providers/hashicorp/helm/2.2.0/docs/resources/release) | resource | | 
[helm_release.cert_issuer](https://registry.terraform.io/providers/hashicorp/helm/2.2.0/docs/resources/release) | resource | | [helm_release.cert_manager](https://registry.terraform.io/providers/hashicorp/helm/2.2.0/docs/resources/release) | resource | @@ -249,7 +259,9 @@ _Note: Since this module manages all of the Kubernetes addon dependencies requir | [helm_release.external_dns](https://registry.terraform.io/providers/hashicorp/helm/2.2.0/docs/resources/release) | resource | | [helm_release.metrics_server](https://registry.terraform.io/providers/hashicorp/helm/2.2.0/docs/resources/release) | resource | | [helm_release.node_termination_handler](https://registry.terraform.io/providers/hashicorp/helm/2.2.0/docs/resources/release) | resource | +| [helm_release.velero](https://registry.terraform.io/providers/hashicorp/helm/2.2.0/docs/resources/release) | resource | | [kubernetes_namespace.sn_system](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | +| [kubernetes_namespace.velero](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | | [kubernetes_storage_class.sn_default](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class) | resource | | [kubernetes_storage_class.sn_ssd](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class) | resource | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | 
@@ -265,7 +277,10 @@ _Note: Since this module manages all of the Kubernetes addon dependencies requir | [aws_iam_policy_document.external_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.external_dns_sts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.ng_assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.velero](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.velero_sts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_kms_key.ebs_default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source | +| [aws_kms_key.s3_default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source | | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | | [aws_subnet.private_subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source | 
@@ -281,10 +296,6 @@ _Note: Since this module manages all of the Kubernetes addon dependencies requir | [aws\_load\_balancer\_controller\_helm\_chart\_repository](#input\_aws\_load\_balancer\_controller\_helm\_chart\_repository) | The repository containing the Helm chart to use for the AWS Load Balancer Controller. | `string` | `"https://aws.github.io/eks-charts"` | no | | [aws\_load\_balancer\_controller\_helm\_chart\_version](#input\_aws\_load\_balancer\_controller\_helm\_chart\_version) | The version of the Helm chart to use for the AWS Load Balancer Controller. The current version can be found in github: https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/main/helm/aws-load-balancer-controller/Chart.yaml. | `string` | `"1.4.2"` | no | | [aws\_load\_balancer\_controller\_settings](#input\_aws\_load\_balancer\_controller\_settings) | Additional settings which will be passed to the Helm chart values for the AWS Load Balancer Controller. See https://github.com/kubernetes-sigs/aws-load-balancer-controller/tree/main/helm/aws-load-balancer-controller for available options. | `map(string)` | `{}` | no | -| [calico\_helm\_chart\_name](#input\_calico\_helm\_chart\_name) | The name of the Helm chart in the repository for Calico, which is installed alongside the tigera-operator. | `string` | `"tigera-operator"` | no | -| [calico\_helm\_chart\_repository](#input\_calico\_helm\_chart\_repository) | The repository containing the calico helm chart. We are currently using a community provided chart, which is a fork of the official chart published by Tigera. This chart isn't as opinionated about namespaces, and should be used until this issue is resolved https://github.com/projectcalico/calico/issues/4812. | `string` | `"https://stevehipwell.github.io/helm-charts/"` | no | -| [calico\_helm\_chart\_version](#input\_calico\_helm\_chart\_version) | Helm chart version for Calico. Defaults to "1.0.5". 
See https://github.com/stevehipwell/helm-charts/tree/master/charts/tigera-operator for available version releases. | `string` | `"1.5.0"` | no | -| [calico\_settings](#input\_calico\_settings) | Additional settings which will be passed to the Helm chart values. See https://github.com/stevehipwell/helm-charts/tree/master/charts/tigera-operator for available options. | `map(any)` | `{}` | no | | [cert\_issuer\_support\_email](#input\_cert\_issuer\_support\_email) | The email address to receive notifications from the cert issuer. | `string` | `"certs-support@streamnative.io"` | no | | [cert\_manager\_helm\_chart\_name](#input\_cert\_manager\_helm\_chart\_name) | The name of the Helm chart in the repository for cert-manager. | `string` | `"cert-manager"` | no | | [cert\_manager\_helm\_chart\_repository](#input\_cert\_manager\_helm\_chart\_repository) | The repository containing the cert-manager helm chart. | `string` | `"https://charts.bitnami.com/bitnami"` | no | 
@@ -292,30 +303,34 @@ _Note: Since this module manages all of the Kubernetes addon dependencies requir | [cert\_manager\_settings](#input\_cert\_manager\_settings) | Additional settings which will be passed to the Helm chart values. See https://github.com/bitnami/charts/tree/master/bitnami/cert-manager for available options. | `map(any)` | `{}` | no | | [cluster\_autoscaler\_helm\_chart\_name](#input\_cluster\_autoscaler\_helm\_chart\_name) | The name of the Helm chart in the repository for cluster-autoscaler. | `string` | `"cluster-autoscaler"` | no | | [cluster\_autoscaler\_helm\_chart\_repository](#input\_cluster\_autoscaler\_helm\_chart\_repository) | The repository containing the cluster-autoscaler helm chart. | `string` | `"https://kubernetes.github.io/autoscaler"` | no | -| [cluster\_autoscaler\_helm\_chart\_version](#input\_cluster\_autoscaler\_helm\_chart\_version) | Helm chart version for the cluster-autoscaler. Defaults to "9.10.4". See https://github.com/kubernetes/autoscaler/tree/master/charts/cluster-autoscaler for more details. | `string` | `"9.19.2"` | no | +| [cluster\_autoscaler\_helm\_chart\_version](#input\_cluster\_autoscaler\_helm\_chart\_version) | Helm chart version for the cluster-autoscaler. Defaults to "9.10.4". See https://github.com/kubernetes/autoscaler/tree/master/charts/cluster-autoscaler for more details. | `string` | `"9.21.0"` | no | | [cluster\_autoscaler\_settings](#input\_cluster\_autoscaler\_settings) | Additional settings which will be passed to the Helm chart values for cluster-autoscaler, see https://github.com/kubernetes/autoscaler/tree/master/charts/cluster-autoscaler for options. | `map(any)` | `{}` | no | | [cluster\_enabled\_log\_types](#input\_cluster\_enabled\_log\_types) | A list of the desired control plane logging to enable. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html). | `list(string)` |
[
"api",
"audit",
"authenticator",
"controllerManager",
"scheduler"
]
| no | -| [cluster\_log\_kms\_key\_id](#input\_cluster\_log\_kms\_key\_id) | If a KMS Key ARN is set, this key will be used to encrypt the corresponding log group. Please be sure that the KMS Key has an appropriate key policy (https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html). | `string` | `""` | no | -| [cluster\_log\_retention\_in\_days](#input\_cluster\_log\_retention\_in\_days) | Number of days to retain log events. Defaults to 365 days. | `number` | `365` | no | | [cluster\_name](#input\_cluster\_name) | The name of your EKS cluster and associated resources. Must be 16 characters or less. | `string` | `""` | no | +| [cluster\_security\_group\_additional\_rules](#input\_cluster\_security\_group\_additional\_rules) | Additional rules to add to the cluster security group. Set source\_node\_security\_group = true inside rules to set the node\_security\_group as source. | `any` | `{}` | no | +| [cluster\_security\_group\_id](#input\_cluster\_security\_group\_id) | The ID of an existing security group to use for the EKS cluster. If not provided, a new security group will be created. | `string` | `""` | no | | [cluster\_version](#input\_cluster\_version) | The version of Kubernetes to be installed. | `string` | `"1.20"` | no | +| [create\_cluster\_security\_group](#input\_create\_cluster\_security\_group) | Whether to create a new security group for the EKS cluster. If set to false, you must provide an existing security group via the cluster\_security\_group\_id variable. | `bool` | `true` | no | | [create\_iam\_policies](#input\_create\_iam\_policies) | Whether to create IAM policies for the IAM roles. If set to false, the module will default to using existing policy ARNs that must be present in the AWS account | `bool` | `true` | no | +| [create\_node\_security\_group](#input\_create\_node\_security\_group) | Whether to create a new security group for the EKS nodes. 
If set to false, you must provide an existing security group via the node\_security\_group\_id variable. | `bool` | `true` | no | | [csi\_helm\_chart\_name](#input\_csi\_helm\_chart\_name) | The name of the Helm chart in the repository for CSI. | `string` | `"aws-ebs-csi-driver"` | no | | [csi\_helm\_chart\_repository](#input\_csi\_helm\_chart\_repository) | The repository containing the CSI helm chart | `string` | `"https://kubernetes-sigs.github.io/aws-ebs-csi-driver/"` | no | | [csi\_helm\_chart\_version](#input\_csi\_helm\_chart\_version) | Helm chart version for CSI | `string` | `"2.8.0"` | no | | [csi\_settings](#input\_csi\_settings) | Additional settings which will be passed to the Helm chart values, see https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/charts/aws-ebs-csi-driver/values.yaml for available options. | `map(any)` | `{}` | no | | [disable\_public\_eks\_endpoint](#input\_disable\_public\_eks\_endpoint) | Whether to disable public access to the EKS control plane endpoint. If set to "true", additional configuration is required in order for the cluster to function properly, such as AWS PrivateLink for EC2, ECR, and S3, along with a VPN to access the EKS control plane. It is recommended to keep this setting to "false" unless you are familiar with this type of configuration. | `bool` | `false` | no | | [disable\_public\_pulsar\_endpoint](#input\_disable\_public\_pulsar\_endpoint) | Whether or not to make the Istio Gateway use a public facing or internal network load balancer. If set to "true", additional configuration is required in order to manage the cluster from the StreamNative console | `bool` | `false` | no | -| [disk\_encryption\_kms\_key\_id](#input\_disk\_encryption\_kms\_key\_id) | The KMS Key ARN to use for disk encryption. | `string` | `""` | no | +| [disk\_encryption\_kms\_key\_arn](#input\_disk\_encryption\_kms\_key\_arn) | The KMS Key ARN to use for EBS disk encryption. 
If not set, the default EBS encryption key will be used. | `string` | `""` | no | | [enable\_bootstrap](#input\_enable\_bootstrap) | Enables bootstrapping of add-ons within the cluster. | `bool` | `true` | no | +| [enable\_istio](#input\_enable\_istio) | Allows for enabling the bootstrap of Istio explicity in scenarios where the input "var.enable\_bootstrap" is set to "false". | `bool` | `true` | no | | [enable\_node\_group\_private\_networking](#input\_enable\_node\_group\_private\_networking) | Enables private networking for the EKS node groups (not the EKS cluster endpoint, which remains public), meaning Kubernetes API requests that originate within the cluster's VPC use a private VPC endpoint for EKS. Defaults to "true". | `bool` | `true` | no | | [enable\_node\_pool\_monitoring](#input\_enable\_node\_pool\_monitoring) | Enable CloudWatch monitoring for the default pool(s). | `bool` | `true` | no | | [enable\_sncloud\_control\_plane\_access](#input\_enable\_sncloud\_control\_plane\_access) | Whether to enable access to the EKS control plane endpoint. If set to "false", additional configuration is required in order for the cluster to function properly, such as AWS PrivateLink for EC2, ECR, and S3, along with a VPN to access the EKS control plane. It is recommended to keep this setting to "true" unless you are familiar with this type of configuration. | `bool` | `true` | no | | [external\_dns\_helm\_chart\_name](#input\_external\_dns\_helm\_chart\_name) | The name of the Helm chart in the repository for ExternalDNS. | `string` | `"external-dns"` | no | | [external\_dns\_helm\_chart\_repository](#input\_external\_dns\_helm\_chart\_repository) | The repository containing the ExternalDNS helm chart. | `string` | `"https://charts.bitnami.com/bitnami"` | no | -| [external\_dns\_helm\_chart\_version](#input\_external\_dns\_helm\_chart\_version) | Helm chart version for ExternalDNS. See https://hub.helm.sh/charts/bitnami/external-dns for updates. 
| `string` | `"6.5.6"` | no | +| [external\_dns\_helm\_chart\_version](#input\_external\_dns\_helm\_chart\_version) | Helm chart version for ExternalDNS. See https://hub.helm.sh/charts/bitnami/external-dns for updates. | `string` | `"6.10.2"` | no | | [external\_dns\_settings](#input\_external\_dns\_settings) | Additional settings which will be passed to the Helm chart values, see https://hub.helm.sh/charts/bitnami/external-dns. | `map(any)` | `{}` | no | -| [hosted\_zone\_id](#input\_hosted\_zone\_id) | The ID of the Route53 hosted zone used by the cluster's External DNS configuration. | `string` | n/a | yes | +| [hosted\_zone\_domain\_name\_filters](#input\_hosted\_zone\_domain\_name\_filters) | A list domain names of the Route53 hosted zones, used by the cluster's External DNS configuration for domain filtering. | `list(string)` | `[]` | no | +| [hosted\_zone\_id](#input\_hosted\_zone\_id) | The ID of the Route53 hosted zone used by the cluster's External DNS configuration. | `string` | `"*"` | no | | [iam\_path](#input\_iam\_path) | An IAM Path to be used for all IAM resources created by this module. Changing this from the default will cause issues with StreamNative's Vendor access, if applicable. | `string` | `"/StreamNative/"` | no | | [istio\_mesh\_id](#input\_istio\_mesh\_id) | The ID used by the Istio mesh. This is also the ID of the StreamNative Cloud Pool used for the workload environments. This is required when "enable\_istio\_operator" is set to "true". | `string` | `null` | no | | [istio\_network](#input\_istio\_network) | The name of network used for the Istio deployment. This is required when "enable\_istio\_operator" is set to "true". | `string` | `"default"` | no | 
@@ -324,27 +339,29 @@ _Note: Since this module manages all of the Kubernetes addon dependencies requir | [istio\_settings](#input\_istio\_settings) | Additional settings which will be passed to the Helm chart values | `map(any)` | `{}` | no | | [istio\_trust\_domain](#input\_istio\_trust\_domain) | The trust domain used for the Istio deployment, which corresponds to the root of a system. This is required when "enable\_istio\_operator" is set to "true". | `string` | `"cluster.local"` | no | | [kiali\_operator\_settings](#input\_kiali\_operator\_settings) | Additional settings which will be passed to the Helm chart values | `map(any)` | `{}` | no | -| [map\_additional\_aws\_accounts](#input\_map\_additional\_aws\_accounts) | Additional AWS account numbers to add to `config-map-aws-auth` ConfigMap. | `list(string)` | `[]` | no | | [map\_additional\_iam\_roles](#input\_map\_additional\_iam\_roles) | A list of IAM role bindings to add to the aws-auth ConfigMap. |
list(object({
rolearn = string
username = string
groups = list(string)
}))
| `[]` | no | -| [map\_additional\_iam\_users](#input\_map\_additional\_iam\_users) | Additional IAM roles to add to `config-map-aws-auth` ConfigMap. |
list(object({
userarn = string
username = string
groups = list(string)
}))
| `[]` | no | | [metrics\_server\_helm\_chart\_name](#input\_metrics\_server\_helm\_chart\_name) | The name of the helm release to install | `string` | `"metrics-server"` | no | | [metrics\_server\_helm\_chart\_repository](#input\_metrics\_server\_helm\_chart\_repository) | The repository containing the external-metrics helm chart. | `string` | `"https://kubernetes-sigs.github.io/metrics-server"` | no | | [metrics\_server\_helm\_chart\_version](#input\_metrics\_server\_helm\_chart\_version) | Helm chart version for Metrics server | `string` | `"3.8.2"` | no | | [metrics\_server\_settings](#input\_metrics\_server\_settings) | Additional settings which will be passed to the Helm chart values, see https://github.com/external-secrets/kubernetes-external-secrets/tree/master/charts/kubernetes-external-secrets for available options. | `map(any)` | `{}` | no | +| [migration\_mode](#input\_migration\_mode) | Whether to enable migration mode for the cluster. This is used to migrate details from existing security groups, which have had their names and description changed in versions v18.X of the community EKS module. | `bool` | `false` | no | +| [migration\_mode\_node\_sg\_name](#input\_migration\_mode\_node\_sg\_name) | The name (not ID!) of the existing security group used by worker nodes. This is required when "migration\_mode" is set to "true", otherwise the parent module will attempt to set a new security group name and destroy the existin one. | `string` | `null` | no | | [node\_pool\_ami\_id](#input\_node\_pool\_ami\_id) | The AMI ID to use for the EKS cluster nodes. Defaults to the latest EKS Optimized AMI provided by AWS. | `string` | `""` | no | | [node\_pool\_block\_device\_name](#input\_node\_pool\_block\_device\_name) | The name of the block device to use for the EKS cluster nodes. | `string` | `"/dev/nvme0n1"` | no | | [node\_pool\_desired\_size](#input\_node\_pool\_desired\_size) | Desired number of worker nodes in the node pool. 
| `number` | `0` | no | | [node\_pool\_disk\_iops](#input\_node\_pool\_disk\_iops) | The amount of provisioned IOPS for the worker node root EBS volume. | `number` | `3000` | no | -| [node\_pool\_disk\_size](#input\_node\_pool\_disk\_size) | Disk size in GiB for worker nodes in the node pool. Defaults to 50. | `number` | `50` | no | +| [node\_pool\_disk\_size](#input\_node\_pool\_disk\_size) | Disk size in GiB for worker nodes in the node pool. Defaults to 50. | `number` | `100` | no | | [node\_pool\_disk\_type](#input\_node\_pool\_disk\_type) | Disk type for worker nodes in the node pool. Defaults to gp3. | `string` | `"gp3"` | no | | [node\_pool\_ebs\_optimized](#input\_node\_pool\_ebs\_optimized) | If true, the launched EC2 instance(s) will be EBS-optimized. Specify this if using a custom AMI with pre-user data. | `bool` | `true` | no | -| [node\_pool\_instance\_types](#input\_node\_pool\_instance\_types) | Set of instance types associated with the EKS Node Groups. Defaults to ["c6i.xlarge", "c6i.2xlarge", "c6i.4xlarge", "c6i.8xlarge"]. | `list(string)` |
[
"c6i.xlarge",
"c6i.2xlarge",
"c6i.4xlarge",
"c6i.8xlarge"
]
| no | +| [node\_pool\_instance\_types](#input\_node\_pool\_instance\_types) | Set of instance types associated with the EKS Node Groups. Defaults to ["m6i.large", "m6i.xlarge", "m6i.2xlarge", "m6i.4xlarge", "m6i.8xlarge"], which will create empty node groups of each instance type to account for any workload configurable from StreamNative Cloud. | `list(string)` |
[
"m6i.large",
"m6i.xlarge",
"m6i.2xlarge",
"m6i.4xlarge",
"m6i.8xlarge"
]
| no | | [node\_pool\_labels](#input\_node\_pool\_labels) | A map of kubernetes labels to add to the node pool. | `map(string)` | `{}` | no | | [node\_pool\_max\_size](#input\_node\_pool\_max\_size) | The maximum size of the node pool Autoscaling group. | `number` | n/a | yes | | [node\_pool\_min\_size](#input\_node\_pool\_min\_size) | The minimum size of the node pool AutoScaling group. | `number` | `0` | no | | [node\_pool\_pre\_userdata](#input\_node\_pool\_pre\_userdata) | The user data to apply to the worker nodes in the node pool. This is applied before the bootstrap.sh script. | `string` | `""` | no | | [node\_pool\_tags](#input\_node\_pool\_tags) | A map of tags to add to the node groups and supporting resources. | `map(string)` | `{}` | no | | [node\_pool\_taints](#input\_node\_pool\_taints) | A list of taints in map format to apply to the node pool. | `any` | `{}` | no | +| [node\_security\_group\_additional\_rules](#input\_node\_security\_group\_additional\_rules) | Additional ingress rules to add to the node security group. Set source\_cluster\_security\_group = true inside rules to set the cluster\_security\_group as source | `any` | `{}` | no | +| [node\_security\_group\_id](#input\_node\_security\_group\_id) | An ID of an existing security group to use for the EKS node groups. If not specified, a new security group will be created. | `string` | `""` | no | | [node\_termination\_handler\_chart\_version](#input\_node\_termination\_handler\_chart\_version) | The version of the Helm chart to use for the AWS Node Termination Handler. | `string` | `"0.18.5"` | no | | [node\_termination\_handler\_helm\_chart\_name](#input\_node\_termination\_handler\_helm\_chart\_name) | The name of the Helm chart to use for the AWS Node Termination Handler. 
| `string` | `"aws-node-termination-handler"` | no | | [node\_termination\_handler\_helm\_chart\_repository](#input\_node\_termination\_handler\_helm\_chart\_repository) | The repository containing the Helm chart to use for the AWS Node Termination Handler. | `string` | `"https://aws.github.io/eks-charts"` | no | 
@@ -353,10 +370,20 @@ _Note: Since this module manages all of the Kubernetes addon dependencies requir | [private\_subnet\_ids](#input\_private\_subnet\_ids) | The ids of existing private subnets. | `list(string)` | `[]` | no | | [public\_subnet\_ids](#input\_public\_subnet\_ids) | The ids of existing public subnets. | `list(string)` | `[]` | no | | [region](#input\_region) | The AWS region. | `string` | `null` | no | -| [service\_domain](#input\_service\_domain) | The domain name being used by the environment, needed specifically for Istio's authorization policies. | `string` | n/a | yes | +| [s3\_encryption\_kms\_key\_arn](#input\_s3\_encryption\_kms\_key\_arn) | KMS key ARN to use for S3 encryption. If not set, the default AWS S3 key will be used. | `string` | `""` | no | +| [service\_domain](#input\_service\_domain) | When Istio is enabled, the FQDN needed specifically for Istio's authorization policies. | `string` | `""` | no | | [sncloud\_services\_iam\_policy\_arn](#input\_sncloud\_services\_iam\_policy\_arn) | The IAM policy ARN to be used for all StreamNative Cloud Services that need to interact with AWS services external to EKS. This policy is typically created by StreamNative's "terraform-managed-cloud" module, as a seperate customer driven process for managing StreamNative's Vendor Access into AWS. If no policy ARN is provided, the module will default to the expected named policy of "StreamNativeCloudRuntimePolicy". This variable allows for flexibility in the event that the policy name changes, or if a custom policy provided by the customer is preferred. | `string` | `""` | no | | [sncloud\_services\_lb\_policy\_arn](#input\_sncloud\_services\_lb\_policy\_arn) | A custom IAM policy ARN for LB load balancer controller. This policy is typically created by StreamNative's "terraform-managed-cloud" module, as a seperate customer driven process for managing StreamNative's Vendor Access into AWS. 
If no policy ARN is provided, the module will default to the expected named policy of "StreamNativeCloudLBPolicy". This variable allows for flexibility in the event that the policy name changes, or if a custom policy provided by the customer is preferred. | `string` | `""` | no | | [use\_runtime\_policy](#input\_use\_runtime\_policy) | Legacy variable, will be deprecated in future versions. The preference of this module is to have the parent EKS module create and manage the IAM role. However some older configurations may have had the cluster IAM role managed seperately, and this variable allows for backwards compatibility. | `bool` | `true` | no | +| [velero\_backup\_schedule](#input\_velero\_backup\_schedule) | The scheduled time for Velero to perform backups. Written in cron expression, defaults to "0 5 * * *" or "at 5:00am every day" | `string` | `"0 5 * * *"` | no | +| [velero\_excluded\_namespaces](#input\_velero\_excluded\_namespaces) | A comma-separated list of namespaces to exclude from Velero backups. Defaults are set to ["default", "kube-system", "operators", "olm"]. | `list(string)` |
[
"kube-system",
"default",
"operators",
"olm"
]
| no | +| [velero\_helm\_chart\_name](#input\_velero\_helm\_chart\_name) | The name of the Helm chart to use for Velero | `string` | `"velero"` | no | +| [velero\_helm\_chart\_repository](#input\_velero\_helm\_chart\_repository) | The repository containing the Helm chart to use for velero | `string` | `"https://vmware-tanzu.github.io/helm-charts"` | no | +| [velero\_helm\_chart\_version](#input\_velero\_helm\_chart\_version) | The version of the Helm chart to use for Velero. The current version can be found in github: https://github.com/vmware-tanzu/helm-charts/tree/main/charts/velero | `string` | `"2.31.8"` | no | +| [velero\_namespace](#input\_velero\_namespace) | The kubernetes namespace where Velero should be deployed. | `string` | `"velero"` | no | +| [velero\_plugin\_version](#input\_velero\_plugin\_version) | Which version of the velero-plugin-for-aws to use. | `string` | `"v1.5.1"` | no | +| [velero\_policy\_arn](#input\_velero\_policy\_arn) | The arn for the IAM policy used by the Velero backup addon service. For enhanced security, we allow for IAM policies used by cluster addon services to be created seperately from this module. This is only required if the input "create\_iam\_policy\_for\_velero" is set to "false". If created elsewhere, the expected name of the policy is "StreamNativeCloudVeleroBackupPolicy". | `string` | `null` | no | +| [velero\_settings](#input\_velero\_settings) | Additional settings which will be passed to the Helm chart values for Velero. See https://github.com/vmware-tanzu/helm-charts/tree/main/charts/velero for available options | `map(string)` | `{}` | no | | [vpc\_id](#input\_vpc\_id) | The ID of the AWS VPC to use. | `string` | `""` | no | ## Outputs 
@@ -364,9 +391,17 @@ _Note: Since this module manages all of the Kubernetes addon dependencies requir | Name | Description | |------|-------------| | [eks\_cluster\_arn](#output\_eks\_cluster\_arn) | The ARN for the EKS cluster created by this module | +| [eks\_cluster\_endpoint](#output\_eks\_cluster\_endpoint) | The endpoint for the EKS cluster created by this module | | [eks\_cluster\_id](#output\_eks\_cluster\_id) | The id/name of the EKS cluster created by this module | | [eks\_cluster\_identity\_oidc\_issuer\_arn](#output\_eks\_cluster\_identity\_oidc\_issuer\_arn) | The ARN for the OIDC issuer created by this module | +| [eks\_cluster\_identity\_oidc\_issuer\_string](#output\_eks\_cluster\_identity\_oidc\_issuer\_string) | A formatted string containing the prefix for the OIDC issuer created by this module. Same as "cluster\_oidc\_issuer\_url", but with "https://" stripped from the name. This output is typically used in other StreamNative modules that request the "oidc\_issuer" input. | | [eks\_cluster\_identity\_oidc\_issuer\_url](#output\_eks\_cluster\_identity\_oidc\_issuer\_url) | The URL for the OIDC issuer created by this module | +| [eks\_cluster\_platform\_version](#output\_eks\_cluster\_platform\_version) | The platform version for the EKS cluster created by this module | | [eks\_cluster\_primary\_security\_group\_id](#output\_eks\_cluster\_primary\_security\_group\_id) | The id of the primary security group created by the EKS service itself, not by this module. This is labeled "Cluster Security Group" in the EKS console. | | [eks\_cluster\_secondary\_security\_group\_id](#output\_eks\_cluster\_secondary\_security\_group\_id) | The id of the secondary security group created by this module. This is labled "Additional Security Groups" in the EKS console. 
| +| [eks\_node\_group\_iam\_role\_arn](#output\_eks\_node\_group\_iam\_role\_arn) | The IAM Role ARN used by the Worker configuration | +| [eks\_node\_group\_security\_group\_id](#output\_eks\_node\_group\_security\_group\_id) | Security group ID attached to the EKS node groups | +| [eks\_node\_groups](#output\_eks\_node\_groups) | Map of all attributes of the EKS node groups created by this module | +| [tiered\_storage\_s3\_bucket\_arn](#output\_tiered\_storage\_s3\_bucket\_arn) | The ARN for the tiered storage S3 bucket created by this module | +| [velero\_s3\_bucket\_arn](#output\_velero\_s3\_bucket\_arn) | The ARN for the Velero S3 bucket created by this module | diff --git a/external_dns.tf b/external_dns.tf index 1570d7d..31930c1 100644 --- a/external_dns.tf +++ b/external_dns.tf @@ -106,6 +106,7 @@ resource "helm_release" "external_dns" { aws = { region = var.region } + domainFilters = var.hosted_zone_domain_name_filters podSecurityContext = { fsGroup = 65534 runAsUser = 0 diff --git a/main.tf b/main.tf index 9fe3f92..992715e 100644 --- a/main.tf +++ b/main.tf @@ -136,7 +136,7 @@ locals { module "eks" { source = "terraform-aws-modules/eks/aws" - version = "18.29.0" + version = "18.30.2" ###################################################################################################### ### This section takes into account the breaking changes made in v18.X of the community EKS module ### diff --git a/variables.tf b/variables.tf index 01e09fa..f615405 100644 --- a/variables.tf +++ b/variables.tf 
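Review bot: `domainFilters = var.hosted_zone_domain_name_filters` defaults to an empty list, so out of the box ExternalDNS runs with no domain filter and considers every hosted zone its IAM role lets it see; the README hunk in this same patch also relaxes `hosted_zone_id` from required to a default of `"*"`, so a caller who sets neither variable presumably ends up with an unscoped DNS controller. The variable description in the variables.tf hunk that follows should state the empty-list behaviour and fix its wording: `description = "A list of domain names of the Route53 hosted zones that External DNS may manage records in. An empty list (the default) applies no domain filter."`. The helm_release resource starts and ends outside the hunk.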
@@ -280,6 +280,12 @@ variable "hosted_zone_id" {
 type = string
 }
+variable "hosted_zone_domain_name_filters" {
+ default = []
+ description = "A list domain names of the Route53 hosted zones, used by the cluster's External DNS configuration for domain filtering."
+ type = list(string)
+}
+
 variable "iam_path" {
 default = "/StreamNative/"
 description = "An IAM Path to be used for all IAM resources created by this module. Changing this from the default will cause issues with StreamNative's Vendor access, if applicable."
From 7a4f8fdb13e9e630dfa9fbf785a83fbc2e7a7b5b Mon Sep 17 00:00:00 2001
From: Joey Davenport
Date: Fri, 21 Oct 2022 16:17:40 -0600
Subject: [PATCH 23/29] Removed kubernetes.io/cluster tag from all resources
---
 README.md | 2 +-
 main.tf | 7 +++----
 variables.tf | 2 +-
 3 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/README.md b/README.md
index 4669983..0d861a2 100644
--- a/README.md
+++ b/README.md
@@ -374,7 +374,7 @@ _Note: Since this module manages all of the Kubernetes addon dependencies requir | [service\_domain](#input\_service\_domain) | When Istio is enabled, the FQDN needed specifically for Istio's authorization policies. | `string` | `""` | no | | [sncloud\_services\_iam\_policy\_arn](#input\_sncloud\_services\_iam\_policy\_arn) | The IAM policy ARN to be used for all StreamNative Cloud Services that need to interact with AWS services external to EKS. This policy is typically created by StreamNative's "terraform-managed-cloud" module, as a seperate customer driven process for managing StreamNative's Vendor Access into AWS. If no policy ARN is provided, the module will default to the expected named policy of "StreamNativeCloudRuntimePolicy". This variable allows for flexibility in the event that the policy name changes, or if a custom policy provided by the customer is preferred. | `string` | `""` | no | | [sncloud\_services\_lb\_policy\_arn](#input\_sncloud\_services\_lb\_policy\_arn) | A custom IAM policy ARN for LB load balancer controller. This policy is typically created by StreamNative's "terraform-managed-cloud" module, as a seperate customer driven process for managing StreamNative's Vendor Access into AWS. If no policy ARN is provided, the module will default to the expected named policy of "StreamNativeCloudLBPolicy". This variable allows for flexibility in the event that the policy name changes, or if a custom policy provided by the customer is preferred. | `string` | `""` | no | -| [use\_runtime\_policy](#input\_use\_runtime\_policy) | Legacy variable, will be deprecated in future versions. The preference of this module is to have the parent EKS module create and manage the IAM role. However some older configurations may have had the cluster IAM role managed seperately, and this variable allows for backwards compatibility. 
| `bool` | `true` | no | +| [use\_runtime\_policy](#input\_use\_runtime\_policy) | Legacy variable, will be deprecated in future versions. The preference of this module is to have the parent EKS module create and manage the IAM role. However some older configurations may have had the cluster IAM role managed seperately, and this variable allows for backwards compatibility. | `bool` | `false` | no | | [velero\_backup\_schedule](#input\_velero\_backup\_schedule) | The scheduled time for Velero to perform backups. Written in cron expression, defaults to "0 5 * * *" or "at 5:00am every day" | `string` | `"0 5 * * *"` | no | | [velero\_excluded\_namespaces](#input\_velero\_excluded\_namespaces) | A comma-separated list of namespaces to exclude from Velero backups. Defaults are set to ["default", "kube-system", "operators", "olm"]. | `list(string)` |
[
"kube-system",
"default",
"operators",
"olm"
]
| no | | [velero\_helm\_chart\_name](#input\_velero\_helm\_chart\_name) | The name of the Helm chart to use for Velero | `string` | `"velero"` | no | diff --git a/main.tf b/main.tf index 992715e..e4ee2f7 100644 --- a/main.tf +++ b/main.tf @@ -47,10 +47,8 @@ locals { tags = merge( { - "kubernetes.io/cluster/${var.cluster_name}" = "owned", - "k8s.io/cluster/${var.cluster_name}" = "owned", - "Vendor" = "StreamNative" - "cluster-name" = var.cluster_name + "Vendor" = "StreamNative" + "cluster-name" = var.cluster_name }, var.additional_tags, ) @@ -178,6 +176,7 @@ module "eks" { openid_connect_audiences = ["sts.amazonaws.com"] tags = local.tags vpc_id = var.vpc_id + } ### Additional Tags diff --git a/variables.tf b/variables.tf index f615405..b8dc678 100644 --- a/variables.tf +++ b/variables.tf @@ -542,7 +542,7 @@ variable "sncloud_services_lb_policy_arn" { } variable "use_runtime_policy" { - default = true + default = false description = "Legacy variable, will be deprecated in future versions. The preference of this module is to have the parent EKS module create and manage the IAM role. However some older configurations may have had the cluster IAM role managed seperately, and this variable allows for backwards compatibility." type = bool } From 6f8e3f73b416452a74f445439a7310ed67a0c64f Mon Sep 17 00:00:00 2001 From: John Daniel Maguire Date: Mon, 24 Oct 2022 12:10:54 -0300 Subject: [PATCH 24/29] Add arns as outputs --- outputs.tf | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/outputs.tf b/outputs.tf index 8fb26fb..843d98c 100644 --- a/outputs.tf +++ b/outputs.tf @@ -86,3 +86,13 @@ output "velero_s3_bucket_arn" { value = aws_s3_bucket.velero.arn description = "The ARN for the Velero S3 bucket created by this module" } + +output "cert_manager_arn" { + value = aws_iam_role.cert_manager.arn + description = "The ARN for Cert Manager" +} + +output "external_dns_arn" { + value = aws_iam_role.external_dns.arn + description = "The ARN for External DNS" +} 
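Review bot: The removal of `"kubernetes.io/cluster/${var.cluster_name}" = "owned"` and `"k8s.io/cluster/${var.cluster_name}" = "owned"` from `local.tags` is not explained in the code, and since `local.tags` is what `module "eks"` receives (second hunk of this commit), anything that relied on tag-based discovery of those resources now has to get the tag from elsewhere. If the motivation is that stamping the cluster-ownership tag on every resource confused tag-based discovery (for example more than one security group carrying it), record that where the map is built: `# Deliberately no kubernetes.io/cluster/<name> tag here; resources that rely on tag-based discovery must be tagged individually.` The locals block starts and ends outside the hunk.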
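Review bot: Flipping the default of `use_runtime_policy` from `true` to `false` changes behaviour for every caller who relied on the default, yet the description still only says the variable "allows for backwards compatibility" without saying which value selects which path. Reading the existing text, `false` presumably means the parent EKS module creates and manages the cluster IAM role and `true` keeps a separately managed role; the description should say so, e.g. `description = "Legacy variable, will be deprecated in future versions. When false (the default), the parent EKS module creates and manages the cluster IAM role; set to true only for older configurations whose cluster IAM role is managed separately."`. The README row in the first hunk of this commit should carry the same wording (and 'seperately' is 'separately').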
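Review bot: The new outputs `cert_manager_arn` and `external_dns_arn` expose IAM role ARNs, but neither the names nor the descriptions ("The ARN for Cert Manager", "The ARN for External DNS") say so, unlike the existing `eks_node_group_iam_role_arn`. Outputs are the module's interface and renaming them later is a breaking change, so pick the descriptive form now: `output "cert_manager_iam_role_arn"` with `description = "The ARN of the IAM role created for cert-manager"`, and likewise for external_dns. The same applies to `aws_loadbalancer_arn` in PATCH 28/29, whose description "ARN for loadbalancer" reads as a load balancer ARN when the value is `aws_iam_role.aws_load_balancer_controller.arn`.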
From b5a089a241248c4fbd64b3f3590c34be9d982b8c Mon Sep 17 00:00:00 2001
From: John Daniel Maguire
Date: Tue, 25 Oct 2022 10:08:19 -0300
Subject: [PATCH 25/29] Expose cluster_certificate_authority_data to communicate with cluster
---
 outputs.tf | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/outputs.tf b/outputs.tf
index 843d98c..68cafa9 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -96,3 +96,8 @@ output "external_dns_arn" {
 value = aws_iam_role.external_dns.arn
 description = "The ARN for External DNS"
 }
+
+output "cluster_certificate_authority_data" {
+ value = module.eks.cluster_certificate_authority_data
+ description = "Base64 encoded certificate data required to communicate with the cluster"
+}
From 5ce7e5b0335901ad1e2120e6e93a3e60ca74b6d0 Mon Sep 17 00:00:00 2001
From: John Daniel Maguire
Date: Tue, 25 Oct 2022 10:08:52 -0300
Subject: [PATCH 26/29] Update outputs.tf
---
 outputs.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/outputs.tf b/outputs.tf
index 68cafa9..162db73 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -97,7 +97,7 @@ output "external_dns_arn" {
 description = "The ARN for External DNS"
 }
-output "cluster_certificate_authority_data" {
+output "eks_cluster_certificate_authority_data" {
 value = module.eks.cluster_certificate_authority_data
 description = "Base64 encoded certificate data required to communicate with the cluster"
 }
From 37025c937397dc06218736421464fb7309ad42de Mon Sep 17 00:00:00 2001
From: Joey Davenport
Date: Wed, 2 Nov 2022 14:01:46 -0600
Subject: [PATCH 27/29] Added default node SG rules
---
 main.tf | 31 ++++++++++++++++++++++++++++++-
 1 file changed, 30 insertions(+), 1 deletion(-)
diff --git a/main.tf b/main.tf
index e4ee2f7..ed0daf8 100644
--- a/main.tf
+++ b/main.tf
@@ -109,6 +109,35 @@ locals {
   ]) : "${node_group.name}" => node_group }

+  ## Node Security Group Configuration
+  default_sg_rules = {
+    ingress_self_all = {
+      description = "Node to node all ports/protocols"
+      protocol = "-1"
+      from_port = 0
+      to_port = 0
+      type = "ingress"
+      self = true
+    }
+    egress_all = {
+      description = "Node all egress"
+      protocol = "-1"
+      from_port = 0
+      to_port = 0
+      type = "egress"
+      cidr_blocks = ["0.0.0.0/0"]
+      ipv6_cidr_blocks = ["::/0"]
+    },
+    ingress_cluster = {
+      description = "Allow workers pods to receive communication from the cluster control plane."
+      protocol = "tcp"
+      source_security_group_id = module.eks.cluster_security_group_id
+      from_port = 1025
+      to_port = 65535
+      type = "ingress"
+    }
+  }
+
   ### IAM role bindings
   sncloud_control_plane_access = [
     {
@@ -172,7 +201,7 @@ module "eks" {
   iam_role_permissions_boundary = var.permissions_boundary_arn
   manage_aws_auth_configmap = true
   node_security_group_id = var.node_security_group_id
-  node_security_group_additional_rules = var.node_security_group_additional_rules
+  node_security_group_additional_rules = merge(var.node_security_group_additional_rules, local.default_sg_rules)
   openid_connect_audiences = ["sts.amazonaws.com"]
   tags = local.tags
   vpc_id = var.vpc_id
From ae7ef66561bc63b8c3a8bc1606a0391d18c18f37 Mon Sep 17 00:00:00 2001 From: John Daniel Maguire Date: Fri, 4 Nov 2022 12:42:51 -0300 Subject: [PATCH 28/29] AWS LB arn
---
 outputs.tf | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/outputs.tf b/outputs.tf
index 162db73..c5b651c 100644
--- a/outputs.tf
+++ b/outputs.tf
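Review bot: `egress_all` opens every protocol and port to `0.0.0.0/0` and `::/0` for all nodes, and because it is hard-coded in a local rather than driven by a variable a consumer has no way to opt out of or narrow it. That is the common EKS default, but it should be explicit and overridable: add a comment on the rule such as `# Unrestricted egress; nodes need outbound access to ECR, S3, STS and the API server - tighten with VPC endpoints/NACLs if egress filtering is required.` and consider gating it with a boolean like `var.enable_default_node_egress` so regulated deployments can supply their own rule. `ingress_self_all` and `ingress_cluster` (TCP 1025-65535 from `module.eks.cluster_security_group_id`) match the usual EKS node-group rules. The `locals` block continues outside the hunk.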
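Review bot: The argument order in `merge(var.node_security_group_additional_rules, local.default_sg_rules)` lets the module defaults overwrite anything the caller passes under the same keys, because `merge` keeps the value from the last map for duplicate keys. A consumer who passes a narrower `egress_all`, `ingress_self_all` or `ingress_cluster` through `node_security_group_additional_rules` will have it silently replaced with the all-ports/all-destinations default and get no warning. Swap the order so caller-supplied rules win: `node_security_group_additional_rules = merge(local.default_sg_rules, var.node_security_group_additional_rules)`, and state in the variable description that a rule with one of those three keys replaces the default. The `module "eks"` block starts and ends outside the hunk.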
@@ -96,7 +96,12 @@ output "external_dns_arn" {
   value = aws_iam_role.external_dns.arn
   description = "The ARN for External DNS"
 }
-
+
+output "aws_loadbalancer_arn" {
+  value = aws_iam_role.aws_load_balancer_controller.arn
+  description = "ARN for loadbalancer"
+}
+
 output "eks_cluster_certificate_authority_data" {
   value = module.eks.cluster_certificate_authority_data
   description = "Base64 encoded certificate data required to communicate with the cluster"
From 206cb00eb3a6fe629f28da12484840dd43b69a99 Mon Sep 17 00:00:00 2001 From: Joey Davenport Date: Mon, 7 Nov 2022 10:03:07 -0700 Subject: [PATCH 29/29] readme updates
---
 README.md | 62 ++++++++++--------------------------------------------- 1 file changed, 11 insertions(+), 51 deletions(-)
diff --git a/README.md b/README.md
index 0d861a2..39df92e 100644
--- a/README.md
+++ b/README.md
@@ -74,8 +74,9 @@ module "sn_cluster" {
   source = "streamnative/cloud/aws"
   cluster_name = "sn-cluster-${var.region}"
-  cluster_version = "1.20"
+  cluster_version = "1.21"
   hosted_zone_id = "Z04554535IN8Z31SKDVQ2" # Change this to your hosted zone ID
+  node_pool_max_size = 3
   ## Note: EKS requires two subnets, each in their own availability zone
   public_subnet_ids = ["subnet-abcde012", "subnet-bcde012a"]
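Review bot: The new output `aws_loadbalancer_arn` exposes `aws_iam_role.aws_load_balancer_controller.arn`, i.e. the IRSA role the AWS Load Balancer Controller assumes, but its name and the description `"ARN for loadbalancer"` read as if it returned a load balancer resource ARN. Since the output is brand new, rename it to say what it is and to match the sibling outputs `cert_manager_arn`/`external_dns_arn`, e.g. `output "aws_load_balancer_controller_arn"` with `description = "The ARN of the IAM role used by the AWS Load Balancer Controller"`. The removed `-` line appears to have been whitespace only.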
@@ -85,72 +86,31 @@ module "sn_cluster" { } ``` -In the example `main.tf` above, we create a StreamNative Platform EKS cluster using Kubernetes version `1.20`, with two node groups (one per subnet[^1]), each group being set with a desired capacity of two and a maximum scaling of six, meaning four `c6i.xlarge` worker nodes in total will initially be created, but depending on cluster usage it can autoscale up to twelve. +In the example `main.tf` above, a StreamNative Platform EKS cluster is created using Kubernetes version `1.21`. -_Note: If you are creating more than one EKS cluster in an AWS account, it is necessary to set the input `create_iam_policies_for_cluster_addon_services = false`. Otherwise Terraform will error stating that resources already exist with the desired name. This is a temporary workaround and will be improved in later versions of the module._ +By default, the cluster will come provisioned with 8 node groups (_reference node topology[^1]_), six of which have a desired capacity set to `0`, and only the "xlarge" node group has a default desired capacity of `1`. 
All + +In addition, the EKS cluster will be configured to support the following add-ons: -This creates an EKS cluster to your specifications, along with the following addons (and required IAM resources), which are enabled by default: - [AWS CSI Driver](https://github.com/kubernetes-sigs/aws-ebs-csi-driver) - [AWS Load Balancer Controller](https://github.com/kubernetes-sigs/aws-load-balancer-controller) - [AWS Node Terminiation Handler](https://github.com/aws/aws-node-termination-handler) - [cert-manager](https://github.com/jetstack/cert-manager) - [cluster-autoscaler](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler) - [external-dns](https://github.com/kubernetes-sigs/external-dns) -- [external-secrets](https://github.com/external-secrets/kubernetes-external-secrets) +- [Istio](https://istio.io/) +- [metrics-server](https://github.com/kubernetes-sigs/metrics-server) +- [Velero](https://velero.io/) (for backup and restore) ## Creating a StreamNative Platform EKS Cluster When deploying StreamNative Platform, there are additional resources to be created alongside (and inside!) the EKS cluster: - StreamNative operators for Pulsar -- Vault Operator -- Vault Resources -- Tiered Storage Resources (optional) +- Vault Configuration & Resources We have made this easy by creating additional Terraform modules that can be included alongside your EKS module composition. 
Consider adding the following to the example `main.tf` file above: ```hcl -####### -### This module creates resources used for tiered storage offloading in Pulsar -####### -module "sn_tiered_storage_resources" { - source = "streamnative/cloud/aws//modules/tiered-storage-resources" - - cluster_name = module.sn_cluster.eks_cluster_id - oidc_issuer = module.sn_cluster.eks_cluster_oidc_issuer_string - pulsar_namespace = "my-pulsar-namespace" - service_account_name = "pulsar" - - tags = { - Project = "StreamNative Platform" - Environment = var.environment - } - - depends_on = [ - module.sn_cluster - ] -} - -####### -### This module creates resources used by Vault for storing and retrieving secrets related to the Pulsar cluster -####### -module "sn_tiered_storage_vault_resources" { - source = "streamnative/cloud/aws//modules/vault-resources" - - cluster_name = module.sn_cluster.eks_cluster_id - oidc_issuer = module.sn_cluster.eks_cluster_oidc_issuer_string - pulsar_namespace = "my-pulsar-namespace" # The namespace where you will be installing Pulsar - service_account_name = "vault" # The name of the service account used by Vault in the Pulsar namespace - - tags = { - Project = "StreamNative Platform" - Environment = var.environment - } - - depends_on = [ - module.sn_cluster - ] -} - ####### ### This module installs the necessary operators for StreamNative Platform ### See: https://registry.terraform.io/modules/streamnative/charts/helm/latest 
@@ -185,7 +145,7 @@ We use a [Helm chart](https://github.com/streamnative/charts/tree/master/charts/ _Note: Since this module manages all of the Kubernetes addon dependencies required by StreamNative Platform, it is not necessary to perform all of the [steps outlined in the Helm chart's README.](https://github.com/streamnative/charts/tree/master/charts/sn-platform#steps). Please [reach out](https://support.streamnative.io) to your customer representative if you have questions._ -[^1]: When running Apache Pulsar in Kubernetes, we make use of EBS backed Kubernetes Persistent Volume Claims (PVC). EBS volumes themselves are zonal, which means [an EC2 instance can only mount a volume that exists in its same AWS Availability Zone](https://aws.amazon.com/blogs/containers/amazon-eks-cluster-multi-zone-auto-scaling-groups/). For this reason we have added node group "zone affinity" functionality into our module, where **an EKS node group is created per AWS Availability Zone**. This is controlled by the number of subnets you pass to the EKS module, creating one node group per subnet. +[^1]: When running Apache Pulsar in Kubernetes, we make use of EBS backed Kubernetes Persistent Volume Claims (PVC). EBS volumes themselves are zonal, which means [an EC2 instance can only mount a volume that exists in its same AWS Availability Zone](https://aws.amazon.com/blogs/containers/amazon-eks-cluster-multi-zone-auto-scaling-groups/). For this reason we have added node group "zone affinity" functionality into our module, where **an EKS node group is created per AWS Availability Zone**. This is controlled by the number of subnets you pass to the EKS module, creating one node group per subnet. In addition, we also create node groups based on instance classes, which allows us to perform more fine tuned control around scheduling and resource utilization. 
To illustrate, if a cluster is being created across 3 availability zones and the default 4 instance classes are being used, then 12 total node groups will be created, all except the nodes belonging to the `xlarge` (which has a default capicty of `1` for initial scheduling of workloads) group will remain empty until a corresponding Pulsar or addon workload is deployed. ## Requirements