From 7cd0e33a2a3cabc3d93baef144b0d479ef8f835a Mon Sep 17 00:00:00 2001
From: Charles Bushong
Date: Thu, 21 Dec 2023 13:43:07 -0500
Subject: [PATCH 1/5] Adding pre-commit config

---
 .github/workflows/pre-commit.yaml | 47 +++++++++++++++++++++++++++++++
 .pre-commit-config.yaml | 18 ++++++++++--
 2 files changed, 62 insertions(+), 3 deletions(-)
 create mode 100644 .github/workflows/pre-commit.yaml

diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml
new file mode 100644
index 0000000..5dbd054
--- /dev/null
+++ b/.github/workflows/pre-commit.yaml
@@ -0,0 +1,47 @@
+on:
+ pull_request:
+ push:
+ branches: [main]
+
+jobs:
+ pre_commit:
+ name: Run pre-commit and commit any autocorrections
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - name: Setup Terraform
+ uses: hashicorp/setup-terraform@v3
+ with:
+ terraform_version: 1.6.6
+ - name: Setup Terragrunt
+ uses: autero1/action-terragrunt@v1.1.0
+ with:
+ terragrunt_version: 0.54.8
+ # To avoid rate-limiting
+ token: ${{ secrets.GITHUB_TOKEN }}
+ - uses: terraform-linters/setup-tflint@v3
+ name: TFLint - Setup
+ with:
+ tflint_version: latest
+
+ - name: TFLint - Init
+ run: tflint --init
+ env:
+ # https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting
+ GITHUB_TOKEN: ${{ github.token }}
+ - name: TFLint - Show version
+ run: tflint --version
+ - uses: actions/setup-python@v4
+ with:
+ python-version: 3.x
+ - name: Terraform Docs - Install
+ run: |
+ curl -sSLo ./terraform-docs.tar.gz https://terraform-docs.io/dl/v0.17.0/terraform-docs-v0.17.0-$(uname)-amd64.tar.gz
+ tar -xzf terraform-docs.tar.gz -- terraform-docs
+ chmod +x terraform-docs
+ echo $PATH
+ mv terraform-docs /usr/local/bin/terraform-docs
+ terraform-docs --version
+ - uses: pre-commit/action@v3.0.0
+ - uses: pre-commit-ci/lite-action@v1.0.1
+ if: always()
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 11d16c9..ab25c67 100644
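Review bot: The `Terraform Docs - Install` step fetches a tarball from terraform-docs.io, extracts it and moves the binary into /usr/local/bin without verifying a digest, so every CI run trusts whatever that URL serves at that moment and the resulting binary then rewrites files that the lite-action commits back. Pin the expected digest beside the version and verify it before `tar`: `echo "<EXPECTED_SHA256_PLACEHOLDER>  terraform-docs.tar.gz" | sha256sum -c -`, and drop the leftover `echo $PATH` debug line. The workflow also declares no top-level `permissions:`, whereas the format-validate workflow it replaces (deleted in patch 4) restricted the token to `contents: read`; adding `permissions:` with `contents: read` keeps the default GITHUB_TOKEN at least privilege (the lite-action presumably pushes through the pre-commit.ci app rather than this token — confirm before tightening). Separately, every third-party action is referenced by a mutable tag (`actions/checkout@v3`, `autero1/action-terragrunt@v1.1.0`, …); pinning to a full commit SHA is the usual hardening for actions that run with repository credentials.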
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -2,7 +2,7 @@
 # See https://pre-commit.com/hooks.html for more hooks
 repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
- rev: v4.4.0
+ rev: v4.5.0
 hooks:
 - id: trailing-whitespace
 - id: end-of-file-fixer
@@ -10,10 +10,22 @@ repos:
 args: ["--allow-multiple-documents"]
 - id: check-added-large-files
 - repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.77.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
+ rev: v1.85.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
 hooks:
 - id: terraform_fmt # args: ["--enable require-variable-braces,deprecate-which"]
 - id: terraform_tflint
- exclude: .*
+ args:
+ - "--args=--fix"
 - id: terragrunt_fmt
 - id: terraform_docs
+ci:
+ autofix_commit_msg: |
+ [pre-commit.ci] auto fixes from pre-commit.com hooks
+
+ for more information, see https://pre-commit.ci
+ autofix_prs: true
+ autoupdate_branch: ''
+ autoupdate_commit_msg: '[pre-commit.ci] pre-commit autoupdate'
+ autoupdate_schedule: weekly
+ skip: [terraform_fmt, terraform_tflint, terragrunt_fmt, terraform_docs]
+ submodules: false

From a55f98468d3238be0c0cdbc696b2aeaf5b6f510e Mon Sep 17 00:00:00 2001
From: Charles Bushong
Date: Thu, 21 Dec 2023 13:43:37 -0500
Subject: [PATCH 2/5] Adding markdown files

---
 LICENSE.md | 34 ++++++++++++++++++++++++++++++++++
 README.md | 5 +++++
 SECURITY.md | 17 +++++++++++++++++
 3 files changed, 56 insertions(+)
 create mode 100644 LICENSE.md
 create mode 100644 README.md
 create mode 100644 SECURITY.md

diff --git a/LICENSE.md b/LICENSE.md
new file mode 100644
index 0000000..f2a0872
--- /dev/null
+++ b/LICENSE.md
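Review bot: The new `ci.skip` list in the second hunk disables every terraform hook on pre-commit.ci (presumably because that runner ships no terraform toolchain, while `.github/workflows/pre-commit.yaml` installs one), but nothing in the file says so, so a hook added to the `pre-commit-terraform` block later will run on pre-commit.ci without its binary unless someone remembers to extend the list by hand. A comment above `skip:` such as `# pre-commit.ci has no terraform/tflint/terragrunt/terraform-docs; these hooks run in .github/workflows/pre-commit.yaml` would make that coupling explicit. Also, replacing `exclude: .*` on `terraform_tflint` with `--args=--fix` turns a previously disabled lint into one that rewrites HCL in place, and with `autofix_prs: true` plus the lite-action those rewrites are committed automatically; if that is intended it is worth a sentence in the commit description. Both hook `rev:` values are tags rather than commit SHAs, which pre-commit accepts too and which would make the hook code immutable.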
@@ -0,0 +1,34 @@ +# License + +As a work of the [United States government](https://www.usa.gov/), this project +is in the public domain within the United States of America. + +Additionally, we waive copyright and related rights in the work worldwide +through the CC0 1.0 Universal public domain dedication. + +## CC0 1.0 Universal Summary + +This is a human-readable summary of the [Legal Code (read the full +text)](https://creativecommons.org/publicdomain/zero/1.0/legalcode). + +### No Copyright + +The person who associated a work with this deed has dedicated the work to the +public domain by waiving all of their rights to the work worldwide under +copyright law, including all related and neighboring rights, to the extent +allowed by law. + +You can copy, modify, distribute, and perform the work, even for commercial +purposes, all without asking permission. + +### Other Information + +In no way are the patent or trademark rights of any person affected by CC0, nor +are the rights that other persons may have in the work or in how the work is +used, such as publicity or privacy rights. + +Unless expressly stated otherwise, the person who associated a work with this +deed makes no warranties about the work, and disclaims liability for all uses +of the work, to the fullest extent permitted by applicable law. When using or +citing the work, you should not imply endorsement by the author or the +affirmer. diff --git a/README.md b/README.md new file mode 100644 index 0000000..3a6728b --- /dev/null +++ b/README.md @@ -0,0 +1,5 @@ +# batcave-tf-karpenter + + + + diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..90e23aa --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,17 @@ +# Security and Responsible Disclosure Policy + +*Submit a vulnerability:* Unfortunately, we cannot accept secure submissions via +email or via GitHub Issues. Please use our website to submit vulnerabilities at +[https://hhs.responsibledisclosure.com](https://hhs.responsibledisclosure.com). +HHS maintains an acknowledgements page to recognize your efforts on behalf of +the American public, but you are also welcome to submit anonymously. + +Review the HHS Disclosure Policy and websites in scope: +[https://www.hhs.gov/vulnerability-disclosure-policy/index.html](https://www.hhs.gov/vulnerability-disclosure-policy/index.html). + +This policy describes *what systems and types of research* are covered under this +policy, *how to send* us vulnerability reports, and *how long* we ask security +researchers to wait before publicly disclosing vulnerabilities. + +If you have other cybersecurity related questions, please contact us at +[csirc@hhs.gov.](mailto:csirc@hhs.gov). From 9b866e27ef17a0cb88361de5cd70b26382512bff Mon Sep 17 00:00:00 2001 From: "pre-commit-ci-lite[bot]" <117423508+pre-commit-ci-lite[bot]@users.noreply.github.com> Date: Thu, 21 Dec 2023 18:44:32 +0000 Subject: [PATCH 3/5] [pre-commit.ci lite] apply automatic fixes --- .github/workflows/format-validate.yaml | 6 +-- README.md | 55 ++++++++++++++++++++++++++ eniconfig.tf | 4 +- karpenter.tf | 5 +-- karpenter.yaml | 2 +- output.tf | 1 - test.yaml | 2 +- test/test.yaml | 2 +- values.yaml | 2 +- variables.tf | 3 -- 10 files changed, 66 insertions(+), 16 deletions(-) diff --git a/.github/workflows/format-validate.yaml b/.github/workflows/format-validate.yaml index 4b2045b..b307407 100644 --- a/.github/workflows/format-validate.yaml +++ b/.github/workflows/format-validate.yaml 
@@ -3,17 +3,17 @@ name: 'Terraform Format-Validate'
 on:
 pull_request:
 types: [opened, reopened]
-
+
 # Allows you to run this workflow manually from the Actions tab
 workflow_dispatch:
-
+
 permissions:
 contents: read
 jobs:
 terraform-format-validate:
 runs-on: ubuntu-latest
-
+
 steps:
 - uses: actions/checkout@v3
 - uses: hashicorp/setup-terraform@v2
diff --git a/README.md b/README.md
index 3a6728b..e495cf4 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,60 @@ # batcave-tf-karpenter +## Requirements +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | +| [helm](#provider\_helm) | n/a | +| [kubernetes](#provider\_kubernetes) | n/a | +| [null](#provider\_null) | n/a | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [iam\_assumable\_role\_karpenter](#module\_iam\_assumable\_role\_karpenter) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 4.7.0 | + +## Resources + +| Name | Type | +|------|------| +| [aws_iam_instance_profile.karpenter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource | +| [aws_iam_policy.karpenter_contoller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.ssm_managed_instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_role_policy_attachment.karpenter_contoller_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.karpenter_ssm_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [helm_release.karpenter](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [kubernetes_manifest.eniconfig_subnets](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource | +| [null_resource.rotate_nodes_after_eniconfig_creation](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [aws_eks_cluster.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source | +| 
[aws_eks_cluster_auth.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [cluster\_endpoint](#input\_cluster\_endpoint) | n/a | `string` | `""` | no | +| [cluster\_name](#input\_cluster\_name) | n/a | `any` | n/a | yes | +| [helm\_create\_namespace](#input\_helm\_create\_namespace) | n/a | `bool` | `true` | no | +| [helm\_namespace](#input\_helm\_namespace) | n/a | `string` | `"karpenter"` | no | +| [iam\_path](#input\_iam\_path) | n/a | `string` | `"/delegatedadmin/developer/"` | no | +| [permissions\_boundary](#input\_permissions\_boundary) | n/a | `string` | `"arn:aws:iam::373346310182:policy/cms-cloud-admin/developer-boundary-policy"` | no | +| [provider\_url](#input\_provider\_url) | n/a | `string` | `""` | no | +| [rotate\_nodes\_after\_eniconfig\_creation](#input\_rotate\_nodes\_after\_eniconfig\_creation) | n/a | `bool` | `true` | no | +| [vpc\_eni\_subnets](#input\_vpc\_eni\_subnets) | n/a | `map(any)` | n/a | yes | +| [worker\_iam\_role\_name](#input\_worker\_iam\_role\_name) | n/a | `string` | `""` | no | +| [worker\_security\_group\_id](#input\_worker\_security\_group\_id) | n/a | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [hr\_manifest](#output\_hr\_manifest) | The rendered manifest of the release as JSON | +| [karpenter\_iam](#output\_karpenter\_iam) | n/a | diff --git a/eniconfig.tf b/eniconfig.tf index e3c3d2b..2de335d 100644 --- a/eniconfig.tf +++ b/eniconfig.tf @@ -29,12 +29,12 @@ resource "kubernetes_manifest" "eniconfig_subnets" { "apiVersion" = "crd.k8s.amazonaws.com/v1alpha1" "kind" = "ENIConfig" "metadata" = { - "name" = "${each.key}" + "name" = each.key } "spec" = { "subnet" = "eni-${each.value}" "securityGroups" = [ - "${var.worker_security_group_id}" + var.worker_security_group_id ] } } 
diff --git a/karpenter.tf b/karpenter.tf
index 513e7b8..d0c903f 100644
--- a/karpenter.tf
+++ b/karpenter.tf
@@ -8,7 +8,7 @@ data "aws_eks_cluster" "cluster" {
 provider "helm" {
 kubernetes {
 host = data.aws_eks_cluster.cluster.endpoint
- cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
+ cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority[0].data)
 exec {
 api_version = "client.authentication.k8s.io/v1alpha1"
 args = ["eks", "get-token", "--cluster-name", data.aws_eks_cluster.cluster.name]
@@ -27,7 +27,7 @@ resource "helm_release" "karpenter" {
 version = "0.6.1"
 values = [
- "${file("values.yaml")}"
+ file("values.yaml")
 ]
 set {
 name = "serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"
@@ -44,4 +44,3 @@ resource "helm_release" "karpenter" {
 value = var.cluster_endpoint
 }
 }
-
diff --git a/karpenter.yaml b/karpenter.yaml
index 956f092..e698261 100644
--- a/karpenter.yaml
+++ b/karpenter.yaml
@@ -41,7 +41,7 @@
 # subnetSelector:
 # ContainerSubnet: "true"
 # ttlSecondsAfterEmpty: 30
-
+
 ---
 apiVersion: karpenter.sh/v1alpha5
 kind: Provisioner
diff --git a/output.tf b/output.tf
index 36c6fe9..4bc927c 100644
--- a/output.tf
+++ b/output.tf
@@ -7,4 +7,3 @@ output "hr_manifest" {
 value = helm_release.karpenter
 sensitive = true
 }
-
diff --git a/test.yaml b/test.yaml
index 0ee0e9c..26418d1 100644
--- a/test.yaml
+++ b/test.yaml
@@ -16,4 +16,4 @@ spec:
 kubernetes.io/cluster/batcave-dev: 'shared'
 securityGroupSelector:
 Name: sg-0ae8da89426d04ac6
- ttlSecondsAfterEmpty: 30
\ No newline at end of file
+ ttlSecondsAfterEmpty: 30
diff --git a/test/test.yaml b/test/test.yaml
index d2e4f95..a4a5e22 100644
--- a/test/test.yaml
+++ b/test/test.yaml
@@ -18,4 +18,4 @@ spec:
 image: public.ecr.aws/eks-distro/kubernetes/pause:3.2
 resources:
 requests:
- cpu: 1
\ No newline at end of file
+ cpu: 1
diff --git a/values.yaml b/values.yaml
index 57d8c60..bc58b8d 100644
--- a/values.yaml
+++ b/values.yaml
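Review bot: The context lines of the first karpenter.tf hunk still configure the helm provider's `exec` block with `api_version = "client.authentication.k8s.io/v1alpha1"`, which this formatter commit does not touch; support for that ExecCredential version was removed from Kubernetes client libraries in 1.24, and current `aws eks get-token` emits v1beta1, so the provider can fail to authenticate against newer clusters even though the formatting is now clean. The one-line change is `api_version = "client.authentication.k8s.io/v1beta1"`, best made in a separate commit rather than mixed into the automatic fixes. The `provider "helm"` block starts before the hunk and continues past it, so check the closing `exec` and `kubernetes` braces when applying it.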
@@ -8,4 +8,4 @@ webhook:
 tolerations:
 - key: "CriticalAddonsOnly"
 operator: "Exists"
- effect: "NoSchedule"
\ No newline at end of file
+ effect: "NoSchedule"
diff --git a/variables.tf b/variables.tf
index afe7a7e..564706f 100644
--- a/variables.tf
+++ b/variables.tf
@@ -28,9 +28,6 @@ variable "helm_create_namespace" {
 type = bool
 default = true
 }
-variable "helm_name" {
- default = "karpenter"
-}
 variable "cluster_endpoint" {
 default = ""
 }

From a4dd20c484ff1f25bff80324d3e609e312cfbd07 Mon Sep 17 00:00:00 2001
From: Charles Bushong
Date: Thu, 21 Dec 2023 13:44:50 -0500
Subject: [PATCH 4/5] Remove old format check

---
 .github/workflows/format-validate.yaml | 31 --------------------------
 1 file changed, 31 deletions(-)
 delete mode 100644 .github/workflows/format-validate.yaml

diff --git a/.github/workflows/format-validate.yaml b/.github/workflows/format-validate.yaml
deleted file mode 100644
index b307407..0000000
--- a/.github/workflows/format-validate.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-name: 'Terraform Format-Validate'
-
-on:
- pull_request:
- types: [opened, reopened]
-
- # Allows you to run this workflow manually from the Actions tab
- workflow_dispatch:
-
-permissions:
- contents: read
-
-jobs:
- terraform-format-validate:
- runs-on: ubuntu-latest
-
- steps:
- - uses: actions/checkout@v3
- - uses: hashicorp/setup-terraform@v2
-
- - name: Terraform fmt
- id: fmt
- run: terraform fmt -check -diff
-
- - name: Terraform Init
- id: init
- run: terraform init
-
- - name: Terraform Validate
- id: validate
- run: terraform validate

From c80523f39bf471e80631f8add002511b63e5da3b Mon Sep 17 00:00:00 2001
From: Charles Bushong
Date: Thu, 21 Dec 2023 13:53:56 -0500
Subject: [PATCH 5/5] Fix vars

---
 README.md | 20 +++++++++++++------
 main.tf | 21 +++++++++++++++++++++
 variables.tf | 11 +++++++++--
 3 files changed, 43 insertions(+), 9 deletions(-)
 create mode 100644 main.tf

diff --git a/README.md b/README.md
index e495cf4..cb87495 100644
--- a/README.md
+++ b/README.md
@@ -3,16 +3,22 @@ ## Requirements -No requirements. +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.2 | +| [aws](#requirement\_aws) | >= 4.61.0 | +| [helm](#requirement\_helm) | >= 2.11.0 | +| [kubernetes](#requirement\_kubernetes) | >= 2.10.0 | +| [null](#requirement\_null) | >= 3.1.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | n/a | -| [helm](#provider\_helm) | n/a | -| [kubernetes](#provider\_kubernetes) | n/a | -| [null](#provider\_null) | n/a | +| [aws](#provider\_aws) | >= 4.61.0 | +| [helm](#provider\_helm) | >= 2.11.0 | +| [kubernetes](#provider\_kubernetes) | >= 2.10.0 | +| [null](#provider\_null) | >= 3.1.0 | ## Modules @@ -40,7 +46,7 @@ No requirements. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [cluster\_endpoint](#input\_cluster\_endpoint) | n/a | `string` | `""` | no | -| [cluster\_name](#input\_cluster\_name) | n/a | `any` | n/a | yes | +| [cluster\_name](#input\_cluster\_name) | n/a | `string` | n/a | yes | | [helm\_create\_namespace](#input\_helm\_create\_namespace) | n/a | `bool` | `true` | no | | [helm\_namespace](#input\_helm\_namespace) | n/a | `string` | `"karpenter"` | no | | [iam\_path](#input\_iam\_path) | n/a | `string` | `"/delegatedadmin/developer/"` | no | @@ -48,7 +54,7 @@ No requirements. | [provider\_url](#input\_provider\_url) | n/a | `string` | `""` | no | | [rotate\_nodes\_after\_eniconfig\_creation](#input\_rotate\_nodes\_after\_eniconfig\_creation) | n/a | `bool` | `true` | no | | [vpc\_eni\_subnets](#input\_vpc\_eni\_subnets) | n/a | `map(any)` | n/a | yes | -| [worker\_iam\_role\_name](#input\_worker\_iam\_role\_name) | n/a | `string` | `""` | no | +| [worker\_iam\_role\_name](#input\_worker\_iam\_role\_name) | n/a | `string` | n/a | yes | | [worker\_security\_group\_id](#input\_worker\_security\_group\_id) | n/a | `string` | n/a | yes | ## Outputs 
diff --git a/main.tf b/main.tf
new file mode 100644
index 0000000..66697bf
--- /dev/null
+++ b/main.tf
@@ -0,0 +1,21 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 4.61.0"
+ }
+ null = {
+ source = "hashicorp/null"
+ version = ">= 3.1.0"
+ }
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = ">= 2.10.0"
+ }
+ helm = {
+ source = "hashicorp/helm"
+ version = ">= 2.11.0"
+ }
+ }
+ required_version = ">= 1.2"
+}
diff --git a/variables.tf b/variables.tf
index 564706f..6d40448 100644
--- a/variables.tf
+++ b/variables.tf
@@ -1,21 +1,26 @@
-variable "cluster_name" {}
+variable "cluster_name" {
+ type = string
+}
 variable "provider_url" {
 default = ""
+ type = string
 }
 ### Karpenter IAM variables
 variable "worker_iam_role_name" {
- default = ""
+ type = string
 }
 variable "iam_path" {
 default = "/delegatedadmin/developer/"
+ type = string
 }
 variable "permissions_boundary" {
 default = "arn:aws:iam::373346310182:policy/cms-cloud-admin/developer-boundary-policy"
+ type = string
 }
@@ -23,6 +28,7 @@ variable "permissions_boundary" {
 variable "helm_namespace" {
 default = "karpenter"
+ type = string
 }
 variable "helm_create_namespace" {
 type = bool
@@ -30,6 +36,7 @@ variable "helm_create_namespace" {
 }
 variable "cluster_endpoint" {
 default = ""
+ type = string
 }
 variable "vpc_eni_subnets" {
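Review bot: The `type = string` additions in the first variables.tf hunk (`@@ -1,21 +1,26 @@`) come without `description` fields, so the terraform_docs hook keeps rendering every input as `n/a` in the README Inputs table that this same patch updates; a one-line `description = "..."` per variable, for example `description = "Name of the EKS cluster Karpenter is installed into"` on `cluster_name`, would fix the generated docs in the same change. The context lines also show `permissions_boundary` defaulting to an ARN that embeds one AWS account ID (`arn:aws:iam::373346310182:policy/cms-cloud-admin/developer-boundary-policy`), which will not resolve in any other account and ties a reusable module to a single environment; dropping the default so callers must supply their own boundary, as this patch already does for `worker_iam_role_name`, is the safer shape. The later two hunks of this file have the same missing descriptions.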