Software factory module for uds-core + uds-swf. Deploys EKS cluster, VPC, Bastion, and other resources required for UDS SWF.
example uds runner usage:
# from the root of the repo
# the bootstrap module must be run first and the backend files staged before running this module
export ENV=dev
# or run
uds run set-env --set ENV=dev
# apply-swf will also run init
# ENV does not need to be set again if 'uds run set-env' was run previously
uds run main:apply-swf --set ENV=$ENV
# or
uds run main:apply-swf
example terraform usage:
# from the root of this module
env=dev
root_module=swf
pushd "iac/${root_module}"
# required for the first-time init, or when switching to a different ENV that uses a different s3 backend
# on subsequent runs 'terraform init' alone is sufficient if neither the backend nor the ENV context changes
terraform init --reconfigure --backend-config=../env/${env}/backends/${root_module}-backend.tfconfig
# var-file path relative to current working directory
terraform apply -var-file ../env/${env}/tfvars/common.terraform.tfvars -var-file ../env/${env}/tfvars/${root_module}.terraform.tfvars -auto-approve
Name | Version |
---|---|
terraform | >= 1.0.0 |
aws | >= 5.36.0 |
cloudinit | >= 2.0.0 |
kubernetes | >= 2.10.0 |
local | >= 2.1.0 |
null | >= 3.1.0 |
random | >= 3.1.0 |
time | >= 0.9.1 |
tls | >= 3.0.0 |
Name | Version |
---|---|
aws | >= 5.36.0 |
local | >= 2.1.0 |
random | >= 3.1.0 |
Name | Description | Type | Default | Required |
---|---|---|---|---|
access_entries | Map of access entries to add to the cluster | any |
{} |
no |
access_log_expire_days | Number of days to wait before deleting access logs | number |
30 |
no |
admin_roles | List of IAM roles to add as administrators to the EKS cluster via access entry | list(string) |
[] |
no |
admin_users | List of IAM users to add as administrators to the EKS cluster via access entry | list(string) |
[] |
no |
artifactory_bucket_names | List of buckets to create for Artifactory | list(string) |
[] |
no |
artifactory_db_idenitfier_prefix | The prefix to use for the RDS instance identifier | string |
"artifactory-db" |
no |
artifactory_db_name | Name of the artifactory database. | string |
"artifactorydb" |
no |
artifactory_db_snapshot | The snapshot to restore the RDS instance from | string |
"" |
no |
artifactory_kms_key_alias | KMS Key Alias name prefix | string |
"artifactory" |
no |
artifactory_namespace | Namespace Artifactory is deployed to | string |
"artifactory" |
no |
artifactory_rds_instance_class | The instance class to use for the RDS instance | string |
"db.t4g.large" |
no |
artifactory_s3_bucket_force_destroy | A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. | bool |
false |
no |
artifactory_service_account_names | List of service accounts to create for Artifactory | list(string) |
[ |
no |
artifactory_storage_type | Set the persistence storage type | string |
"file-system" |
no |
artifatory_license_key_secret_id | The id of the license key secret for Artifactory | string |
"" |
no |
authentication_mode | The authentication mode for the cluster. Valid values are CONFIG_MAP, API, or API_AND_CONFIG_MAP |
string |
"API" |
no |
aws_admin_usernames | A list of one or more AWS usernames with authorized access to KMS and EKS resources; the user running Terraform is automatically added as an admin | list(string) |
[] |
no |
aws_load_balancer_controller | AWS Loadbalancer Controller Helm Chart config | any |
{} |
no |
aws_node_termination_handler | AWS Node Termination Handler config for aws-ia/eks-blueprints-addon/aws | any |
{} |
no |
bastion_instance_type | The instance type of the bastion host | string |
"m5.xlarge" |
no |
bastion_ssh_user | The SSH user to use for the bastion | string |
"ec2-user" |
no |
bastion_tenancy | The tenancy of the bastion | string |
"dedicated" |
no |
cluster_addons | Nested map of EKS native add-ons and their associated parameters. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_add-on for supported values. See https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/examples/complete/main.tf#L44-L60 for an upstream example. To list the EKS marketplace add-ons available for your cluster's version, run: aws eks describe-addon-versions --kubernetes-version $k8s_cluster_version --query 'addons[].{MarketplaceProductUrl: marketplaceInformation.productUrl, Name: addonName, Owner: owner, Publisher: publisher, Type: type}' --output table |
any |
{} |
no |
cluster_autoscaler | Cluster Autoscaler Helm Chart config | any |
{} |
no |
cluster_endpoint_public_access | Whether to enable public access to the EKS cluster | bool |
false |
no |
cluster_version | Kubernetes version to use for EKS cluster | string |
"1.29" |
no |
confluence_db_idenitfier_prefix | The prefix to use for the RDS instance identifier | string |
"confluence-db" |
no |
confluence_db_name | Name of the Confluence database. | string |
"confluencedb" |
no |
confluence_db_snapshot | The snapshot to restore the RDS instance from | string |
"" |
no |
confluence_kms_key_alias | KMS Key Alias name prefix | string |
"confluence" |
no |
confluence_local_home_pvc_size | Size of the local home pvc | string |
"50Gi" |
no |
confluence_rds_instance_class | The instance class to use for the RDS instance | string |
"db.t4g.large" |
no |
create_kubernetes_resources | If true, kubernetes resources related to non-marketplace addons will be created | bool |
false |
no |
create_ssm_parameters | Create SSM parameters for values from eks blueprints addons | bool |
true |
no |
dataplane_wait_duration | The duration to wait for the EKS cluster to be ready before creating the node groups | string |
"30s" |
no |
ebs_storageclass_reclaim_policy | Reclaim policy for gp3 storage class, valid options are Delete and Retain | string |
"Delete" |
no |
efs_storageclass_reclaim_policy | Reclaim policy for EFS storage class, valid options are Delete and Retain | string |
"Delete" |
no |
eks_worker_tenancy | The tenancy of the EKS worker nodes | string |
"dedicated" |
no |
enable_admin_roles_prefix_or_suffix | Indicates whether or not the admin_roles are added with a prefix or suffix | bool |
true |
no |
enable_amazon_eks_aws_ebs_csi_driver | Enable EKS Managed AWS EBS CSI Driver add-on | bool |
false |
no |
enable_amazon_eks_aws_efs_csi_driver | Enable EFS CSI add-on | bool |
false |
no |
enable_aws_load_balancer_controller | Enable AWS Loadbalancer Controller add-on | bool |
false |
no |
enable_aws_node_termination_handler | Enable AWS Node Termination Handler add-on | bool |
false |
no |
enable_cluster_autoscaler | Enable Cluster autoscaler add-on | bool |
false |
no |
enable_cluster_creator_admin_permissions | Indicates whether or not to add the cluster creator (the identity used by Terraform) as an administrator via access entry | bool |
true |
no |
enable_external_secrets | Enable External Secrets add-on | bool |
false |
no |
enable_gp3_default_storage_class | Enable gp3 as default storage class | bool |
false |
no |
enable_metrics_server | Enable metrics server add-on | bool |
false |
no |
enable_nat_gateway | If true, NAT Gateways will be created | bool |
false |
no |
enable_secrets_store_csi_driver | Enable k8s Secret Store CSI Driver add-on | bool |
false |
no |
enable_sqs_events_on_access_log_access | If true, generates an SQS event whenever an object is created in the Access Log bucket, which happens whenever a server access log is generated by any entity. This can generate a large number of events, so use with caution. | bool |
false |
no |
external_secrets | External Secrets config for aws-ia/eks-blueprints-addon/aws | any |
{} |
no |
external_secrets_kms_key_arns | List of KMS Key ARNs that are used by Secrets Manager that contain secrets to mount using External Secrets | list(string) |
[] |
no |
external_secrets_secrets_manager_arns | List of Secrets Manager ARNs that contain secrets to mount using External Secrets | list(string) |
[] |
no |
external_secrets_ssm_parameter_arns | List of Systems Manager Parameter ARNs that contain secrets to mount using External Secrets | list(string) |
[] |
no |
gitaly_ng_name | Name of the Gitaly node group | string |
"gitaly_ng" |
no |
gitaly_pv_match_labels | List of labels used to match the PV | list(string) |
[] |
no |
gitaly_pvc_size | Size of the gitaly pvc | string |
"50Gi" |
no |
gitlab_bucket_names | List of buckets to create for GitLab | list(string) |
[ |
no |
gitlab_db_idenitfier_prefix | The prefix to use for the RDS instance identifier | string |
"gitlab-db" |
no |
gitlab_db_name | Name of the GitLab database. | string |
"gitlabdb" |
no |
gitlab_db_snapshot | The snapshot to restore the RDS instance from | string |
"" |
no |
gitlab_elasticache_cluster_name | ElastiCache Cluster Name | string |
"gitlab" |
no |
gitlab_kms_key_alias | KMS Key Alias name prefix | string |
"gitlab" |
no |
gitlab_namespace | Namespace GitLab is deployed to | string |
"gitlab" |
no |
gitlab_rds_instance_class | The instance class to use for the RDS instance | string |
"db.t4g.large" |
no |
gitlab_runner_namespace | Namespace GitLab Runner is deployed to | string |
"gitlab-runner" |
no |
gitlab_s3_bucket_force_destroy | A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. | bool |
false |
no |
iam_role_permissions_boundary | ARN of the policy that is used to set the permissions boundary for IAM roles | string |
null |
no |
jenkins_persistence_existing_claim | Name of the pre-existing PVC that jenkins will be restored from | string |
"" |
no |
jenkins_pvc_size | Size of the Jenkins pvc | string |
"50Gi" |
no |
jira_db_idenitfier_prefix | The prefix to use for the RDS instance identifier | string |
"jira-db" |
no |
jira_db_name | Name of the Jira database. | string |
"jiradb" |
no |
jira_db_snapshot | The snapshot to restore the RDS instance from | string |
"" |
no |
jira_kms_key_alias | KMS Key Alias name prefix | string |
"jira" |
no |
jira_local_home_pvc_size | Size of the local home pvc | string |
"50Gi" |
no |
jira_rds_instance_class | The instance class to use for the RDS instance | string |
"db.t4g.large" |
no |
keycloak_db_idenitfier_prefix | The prefix to use for the RDS instance identifier | string |
"keycloak-db" |
no |
keycloak_db_name | Name of the Keycloak database. | string |
"keycloakdb" |
no |
keycloak_db_snapshot | The snapshot to restore the RDS instance from | string |
"" |
no |
keycloak_enabled | Enable Keycloak dedicated nodegroup | bool |
false |
no |
keycloak_kms_key_alias | KMS Key Alias name prefix | string |
"keycloak" |
no |
keycloak_rds_instance_class | The instance class to use for the RDS instance | string |
"db.t4g.large" |
no |
kms_key_deletion_window | Waiting period for scheduled KMS Key deletion. Can be 7-30 days. | number |
7 |
no |
loki_backend_pvc_size | Size of the Loki backend pvc | string |
"50Gi" |
no |
loki_bucket_names | List of buckets to create for Loki | list(string) |
[ |
no |
loki_kms_key_alias | KMS Key Alias name prefix | string |
"loki" |
no |
loki_namespace | Namespace loki is deployed to | string |
"loki" |
no |
loki_s3_bucket_force_destroy | A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. | bool |
false |
no |
loki_service_account_names | List of service accounts to create for loki | list(string) |
[ |
no |
loki_write_pvc_size | Size of the Loki write pvc | string |
"50Gi" |
no |
mattermost_bucket_names | List of buckets to create for Mattermost | list(string) |
[ |
no |
mattermost_db_idenitfier_prefix | The prefix to use for the RDS instance identifier | string |
"mattermost-db" |
no |
mattermost_db_name | Name of the Mattermost database. | string |
"mattermostdb" |
no |
mattermost_db_snapshot | The snapshot to restore the RDS instance from | string |
"" |
no |
mattermost_kms_key_alias | KMS Key Alias name prefix | string |
"mattermost" |
no |
mattermost_namespace | Namespace Mattermost is deployed to | string |
"mattermost" |
no |
mattermost_rds_instance_class | The instance class to use for the RDS instance | string |
"db.t4g.large" |
no |
mattermost_s3_bucket_force_destroy | A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. | bool |
false |
no |
mattermost_service_account_names | List of service accounts to create for Mattermost | list(string) |
[ |
no |
metrics_server | Metrics Server config for aws-ia/eks-blueprints-addon/aws | any |
{} |
no |
name | Name, e.g. 'app' or 'jenkins' | string |
"narwhal-delivery-iac-swf" |
no |
namespace | Namespace, which could be your organization name or abbreviation, e.g. 'eg' or 'cp' | string |
"du" |
no |
notification_webhook_secret_id | The secret id for the slack webhook, staged in secrets manager | string |
"" |
no |
num_azs | The number of AZs to use | number |
3 |
no |
prefix | Name prefix to prepend to most resources; if not defined, it is created as 'namespace-stage-name' | string |
"" |
no |
prometheus_pvc_size | Size of the Prometheus pvc | string |
"50Gi" |
no |
rds_deletion_protection | Sets deletion protection for RDS instances | bool |
false |
no |
recovery_window | Number of days to wait before deleting the secret | number |
7 |
no |
region | The AWS region to deploy into | string |
n/a | yes |
secondary_cidr_blocks | A list of secondary CIDR blocks for the VPC | list(string) |
[] |
no |
secrets_store_csi_driver | k8s Secret Store CSI Driver Helm Chart config | any |
{} |
no |
single_nat_gateway | If true, a single NAT Gateway will be created | bool |
false |
no |
stage | Stage, e.g. 'prod', 'staging', 'dev', or 'test' | string |
"test" |
no |
suffix | Name suffix to append to most resources; if not defined, it is randomly generated | string |
"" |
no |
tags | A map of tags to apply to all resources | map(string) |
{} |
no |
uds_config_output_file_name | The name of the UDS config file when templating | string |
"" |
no |
uds_config_output_path | The path to output the UDS config file when templating | string |
"" |
no |
uds_swf_ng_name | Name of the UDS SWF node group | string |
"uds_ng" |
no |
users | List of users on the EC2 instances whose passwords need to be changed | list(string) |
[] |
no |
velero_bucket_names | List of buckets to create for Velero | list(string) |
[ |
no |
velero_kms_key_alias | KMS Key Alias name prefix | string |
"velero" |
no |
velero_namespace | Namespace Velero is deployed to | string |
"velero" |
no |
velero_s3_bucket_force_destroy | A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. | bool |
false |
no |
velero_service_account_names | List of service accounts to create for Velero | list(string) |
[ |
no |
vpc_cidr | The CIDR block for the VPC | string |
n/a | yes |
vpc_subnets | A list of subnet objects used for subnet CIDR calculations - see https://github.com/hashicorp/terraform-cidr-subnets | list(map(any)) |
[ |
no |
zarf_s3_bucket_force_destroy | A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. | bool |
false |
no |
zarf_version | The version of Zarf to use | string |
"" |
no |
Name | Description |
---|---|
bastion | Bastion module output data |
eks | EKS module output data |
vpc | VPC module output data |
zarf | Zarf module output data |