From 6bbb65fcd5dd74af4297d6b3a18ccf870b33c531 Mon Sep 17 00:00:00 2001 From: George Scott Date: Thu, 3 Aug 2023 11:49:04 -0500 Subject: [PATCH 1/8] elasticache, tgt group --- examples/public-dns-external/main.tf | 2 +- examples/public-dns-external/variables.tf | 7 +------ main.tf | 2 +- modules/app_eks/variables.tf | 2 +- modules/redis/main.tf | 4 ++-- variables.tf | 2 +- 6 files changed, 7 insertions(+), 12 deletions(-) diff --git a/examples/public-dns-external/main.tf b/examples/public-dns-external/main.tf index 25bfd84f..656e561d 100644 --- a/examples/public-dns-external/main.tf +++ b/examples/public-dns-external/main.tf @@ -28,7 +28,7 @@ module "wandb_infra" { allowed_inbound_cidr = var.allowed_inbound_cidr allowed_inbound_ipv6_cidr = ["::/0"] - eks_cluster_version = "1.24" + eks_cluster_version = "1.25" kubernetes_public_access = true kubernetes_public_access_cidrs = ["0.0.0.0/0"] diff --git a/examples/public-dns-external/variables.tf b/examples/public-dns-external/variables.tf index 38215e18..c88dc631 100644 --- a/examples/public-dns-external/variables.tf +++ b/examples/public-dns-external/variables.tf @@ -26,12 +26,7 @@ variable "wandb_license" { variable "database_engine_version" { description = "Version for MySQL Auora" type = string - default = "8.0.mysql_aurora.3.01.0" - - validation { - condition = contains(["5.7", "8.0.mysql_aurora.3.01.0", "8.0.mysql_aurora.3.02.0"], var.database_engine_version) - error_message = "We only support MySQL: \"5.7\"; \"8.0.mysql_aurora.3.01.0\"; \"8.0.mysql_aurora.3.02.0\"." - } + default = "8.0.mysql_aurora.3.02.2" } variable "database_instance_class" { diff --git a/main.tf b/main.tf index fbca9f41..bd5ba83f 100644 --- a/main.tf +++ b/main.tf 
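Review bot: Deleting the `validation` block on `database_engine_version` in examples/public-dns-external/variables.tf removes the only plan-time guard visible here against unsupported Aurora MySQL engine strings; the new default `8.0.mysql_aurora.3.02.2` could simply have been appended to the allow-list. If the list was dropped because it churns with every Aurora release, a shape check such as `condition = can(regex("^(5\\.7|8\\.0\\.mysql_aurora\\.3\\.[0-9]+\\.[0-9]+)$", var.database_engine_version))` still catches typos before they reach the RDS API. The context line `description = "Version for MySQL Auora"` carries a typo (`Aurora`) that could be fixed in the same touch.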
@@ -176,7 +176,7 @@ module "app_lb" { resource "aws_autoscaling_attachment" "autoscaling_attachment" { for_each = module.app_eks.autoscaling_group_names autoscaling_group_name = each.value - alb_target_group_arn = module.app_lb.tg_app_arn + lb_target_group_arn = module.app_lb.tg_app_arn } module "redis" { diff --git a/modules/app_eks/variables.tf b/modules/app_eks/variables.tf index 6a4f8f99..e583bc06 100644 --- a/modules/app_eks/variables.tf +++ b/modules/app_eks/variables.tf @@ -28,7 +28,7 @@ variable "cluster_endpoint_public_access_cidrs" { variable "cluster_version" { description = "Indicates AWS EKS cluster version" type = string - default = "1.21" + default = "1.25" } variable "create_elasticache_security_group" { diff --git a/modules/redis/main.tf b/modules/redis/main.tf index bf267209..bab1d375 100644 --- a/modules/redis/main.tf +++ b/modules/redis/main.tf @@ -4,8 +4,8 @@ locals { resource "aws_elasticache_replication_group" "default" { replication_group_id = "${var.namespace}-rep-group" - replication_group_description = "${var.namespace}-rep-group" - number_cache_clusters = 2 + description = "${var.namespace}-rep-group" + num_cache_clusters = 2 port = 6379 node_type = var.node_type diff --git a/variables.tf b/variables.tf index 8faeb633..1aaa719f 100644 --- a/variables.tf +++ b/variables.tf @@ -235,7 +235,7 @@ variable "network_elasticache_subnet_cidrs" { variable "eks_cluster_version" { type = string description = "Indicates EKS cluster version" - default = "1.21" + default = "1.25" } variable "kubernetes_public_access" { From 4120f47f7954a4e6e3f1725cf326e96a795f6497 Mon Sep 17 00:00:00 2001 From: George Scott Date: Thu, 3 Aug 2023 11:52:34 -0500 Subject: [PATCH 2/8] rm sid from iam policy docs (reduce churn) --- modules/app_eks/iam-policy-docs.tf | 5 ----- 1 file changed, 5 deletions(-) diff --git a/modules/app_eks/iam-policy-docs.tf b/modules/app_eks/iam-policy-docs.tf index 2d0f1b70..5160c596 100644 --- a/modules/app_eks/iam-policy-docs.tf 
+++ b/modules/app_eks/iam-policy-docs.tf @@ -1,6 +1,5 @@ data "aws_iam_policy_document" "node_cloudwatch" { statement { - sid = "bb2" actions = ["cloudwatch:PutMetricData"] effect = "Allow" resources = ["*"] @@ -10,7 +9,6 @@ data "aws_iam_policy_document" "node_cloudwatch" { data "aws_iam_policy_document" "node_IMDSv2" { statement { - sid = "cc3" actions = ["ec2:DescribeInstanceAttribute"] effect = "Allow" resources = ["*"] @@ -20,7 +18,6 @@ data "aws_iam_policy_document" "node_IMDSv2" { // todo: refactor --> v1.16.3 data "aws_iam_policy_document" "node_kms" { statement { - sid = "dd4" actions = [ "kms:Encrypt", "kms:Decrypt", @@ -37,7 +34,6 @@ data "aws_iam_policy_document" "node_kms" { // todo: refactor --> v1.16.3 data "aws_iam_policy_document" "node_sqs" { statement { - sid = "ee5" actions = ["sqs:*"] effect = "Allow" resources = var.bucket_sqs_queue_arn == "" || var.bucket_sqs_queue_arn == null ? ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${aws_iam_role.node.name}"] : [var.bucket_sqs_queue_arn] @@ -47,7 +43,6 @@ data "aws_iam_policy_document" "node_sqs" { data "aws_iam_policy_document" "node_s3" { statement { - sid = "ff6" actions = ["s3:*"] effect = "Allow" resources = [ From c0a6f02bea4673217c3b2f63f1f64dd11f5c8bd0 Mon Sep 17 00:00:00 2001 From: George Scott Date: Thu, 3 Aug 2023 16:21:55 -0500 Subject: [PATCH 3/8] updates + readme --- README.md | 20 +++---- examples/public-dns-external/main.tf | 2 +- modules/file_storage/main.tf | 59 ++++++++++++++------- modules/file_storage/outputs.tf | 4 ++ modules/secure_storage_connector/outputs.tf | 5 ++ 5 files changed, 61 insertions(+), 29 deletions(-) diff --git a/README.md b/README.md index fd632617..ea2c2379 100644 --- a/README.md +++ b/README.md 
@@ -99,29 +99,31 @@ resources that lack official modules. ### A note on updating EKS cluster version -Users can update the EKS cluster version to the latest version offered by AWS. This can be done using the environment variable `eks_cluster_version`. Note that, cluster and nodegroup version updates can only be done in increments of one version at a time. For example, if your current cluster version is `1.21` and the latest version available is `1.24` - you'd need to: +Users can update the EKS cluster version to the latest version offered by AWS. This can be done using the environment variable `eks_cluster_version`. Note that, cluster and nodegroup version updates can only be done in increments of one version at a time. For example, if your current cluster version is `1.21` and the latest version available is `1.25` - you'd need to: -- Update `1.21` to `1.22`, run `terraform apply`, -- then upgrade to `1.23`, run `tf apply` and -- finally to `1.24`, run `tf apply`. - -You will not be able to upgrade directly from `1.21` to `1.24`. +1. update the cluster version in the app_eks module from `1.21` to `1.22` +2. run `terraform apply` +3. update the cluster version to `1.23` +4. run `terraform apply` +5. update the cluster version to `1.24` +...and so on and so forth. +Upgrades must be executed in step-wise fashion from one version to the next. You cannot skip versions when upgrading EKS. ## Requirements | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | ~> 1.0 | -| [aws](#requirement\_aws) | ~> 3.60 | +| [terraform](#requirement\_terraform) | >= 1.0 | +| [aws](#requirement\_aws) | ~> 4.6 | | [kubernetes](#requirement\_kubernetes) | ~> 2.6 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | ~> 3.60 | +| [aws](#provider\_aws) | ~> 4.6 | ## Modules diff --git a/examples/public-dns-external/main.tf b/examples/public-dns-external/main.tf index 656e561d..505f299b 100644 --- a/examples/public-dns-external/main.tf 
+++ b/examples/public-dns-external/main.tf @@ -51,7 +51,7 @@ data "aws_eks_cluster_auth" "app_cluster" { provider "kubernetes" { host = data.aws_eks_cluster.app_cluster.endpoint - cluster_ca_certificate = base64decode(data.aws_eks_cluster.app_cluster.certificate_authority.0.data) + cluster_ca_certificate = base64decode(data.aws_eks_cluster.app_cluster.certificate_authority[0].data) token = data.aws_eks_cluster_auth.app_cluster.token } diff --git a/modules/file_storage/main.tf b/modules/file_storage/main.tf index 443d5072..86172d83 100644 --- a/modules/file_storage/main.tf +++ b/modules/file_storage/main.tf @@ -8,30 +8,12 @@ resource "aws_sqs_queue" "file_storage" { # Enable long-polling receive_wait_time_seconds = 10 - # kms_master_key_id = var.kms_key_arn } + resource "aws_s3_bucket" "file_storage" { bucket = "${var.namespace}-file-storage-${random_pet.file_storage.id}" - acl = "private" - - cors_rule { - allowed_headers = ["*"] - allowed_methods = ["GET", "HEAD", "PUT"] - allowed_origins = ["*"] - expose_headers = ["ETag"] - max_age_seconds = 3000 - } - - server_side_encryption_configuration { - rule { - apply_server_side_encryption_by_default { - kms_master_key_id = var.kms_key_arn - sse_algorithm = var.sse_algorithm - } - } - } force_destroy = !var.deletion_protection @@ -40,6 +22,18 @@ resource "aws_s3_bucket" "file_storage" { depends_on = [aws_sqs_queue.file_storage] } +resource "aws_s3_bucket_server_side_encryption_configuration" "file_storage" { + bucket = aws_s3_bucket.file_storage.id + + rule { + apply_server_side_encryption_by_default { + kms_master_key_id = var.kms_key_arn + sse_algorithm = var.sse_algorithm + } + } +} + + resource "aws_s3_bucket_public_access_block" "file_storage" { bucket = aws_s3_bucket.file_storage.id block_public_acls = true 
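Review bot: Removing the commented-out `# kms_master_key_id = var.kms_key_arn` from `aws_sqs_queue.file_storage` drops the only trace of the intent to encrypt the notification queue with the bucket's key, and nothing on the new side of the hunk sets queue encryption in its place; the resource's opening lines are outside the hunk, so it may be configured there — worth confirming. If it is not, either `kms_master_key_id = var.kms_key_arn` or `sqs_managed_sse_enabled = true` would keep the S3 event payloads, which include object keys, encrypted at rest. Note that S3 can only deliver events to a KMS-encrypted queue when the key policy grants the S3 service principal `kms:GenerateDataKey`/`kms:Decrypt`, so the `aws_sqs_queue_policy` further down the file is not the only piece to adjust.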
@@ -48,6 +42,33 @@ resource "aws_s3_bucket_public_access_block" "file_storage" { ignore_public_acls = true } +resource "aws_s3_bucket_ownership_controls" "file_storage" { + bucket = aws_s3_bucket.file_storage.id + rule { + object_ownership = "BucketOwnerPreferred" + } +} + +resource "aws_s3_bucket_acl" "file_storage" { + depends_on = [aws_s3_bucket_ownership_controls.file_storage] + + bucket = aws_s3_bucket.file_storage.id + acl = "private" +} + +resource "aws_s3_bucket_cors_configuration" "file_storage" { + bucket = aws_s3_bucket.file_storage.id + + cors_rule { + allowed_headers = ["*"] + allowed_methods = ["GET", "HEAD", "PUT"] + allowed_origins = ["*"] + expose_headers = ["ETag"] + max_age_seconds = 3000 + } +} + + # Give the bucket permission to send messages onto the queue. Looks like we # overide this value. resource "aws_sqs_queue_policy" "file_storage" { diff --git a/modules/file_storage/outputs.tf b/modules/file_storage/outputs.tf index 4be8890a..3e6815e5 100644 --- a/modules/file_storage/outputs.tf +++ b/modules/file_storage/outputs.tf @@ -6,6 +6,10 @@ output "bucket_arn" { value = aws_s3_bucket.file_storage.arn } +output "bucket_id" { + value = aws_s3_bucket.file_storage.id +} + output "bucket_region" { value = aws_s3_bucket.file_storage.region } diff --git a/modules/secure_storage_connector/outputs.tf b/modules/secure_storage_connector/outputs.tf index 93b15db9..86a9e1c0 100644 --- a/modules/secure_storage_connector/outputs.tf +++ b/modules/secure_storage_connector/outputs.tf @@ -2,6 +2,11 @@ output "bucket" { value = data.aws_s3_bucket.file_storage } +output "bucket_id" { + value = data.aws_s3_bucket.file_storage.id +} + output "bucket_kms_key" { value = var.create_kms_key ? aws_kms_key.key[0] : null } + From d34e110180a9a0e1e97fa5e02b6def0566928548 Mon Sep 17 00:00:00 2001 
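Review bot: The new `aws_s3_bucket_cors_configuration` carries over `allowed_origins = ["*"]` together with `PUT`; behaviour is unchanged, but since the block is being rewritten as its own resource this is the natural place to expose the origin list, e.g. `allowed_origins = var.cors_allowed_origins` with a default of `["*"]` so existing deployments keep working while operators serving the app from a fixed host can tighten it. CORS is not an authorization control, but a wildcard lets a page on any origin drive uploads with whatever presigned URLs it holds. Separately, `BucketOwnerPreferred` in the new `aws_s3_bucket_ownership_controls` keeps ACLs enabled; if no cross-account writer depends on object ACLs, `BucketOwnerEnforced` disables them outright and would make the `aws_s3_bucket_acl` resource redundant — presumably `Preferred` was chosen to keep the explicit `acl = "private"` working, so verify against the provider before changing it.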
From: George Scott Date: Thu, 3 Aug 2023 16:46:17 -0500 Subject: [PATCH 4/8] fmt + default eks var --- main.tf | 2 +- modules/app_eks/variables.tf | 3 ++- modules/redis/main.tf | 8 ++++---- variables.tf | 5 +++-- 4 files changed, 10 insertions(+), 8 deletions(-) diff --git a/main.tf b/main.tf index bd5ba83f..31442706 100644 --- a/main.tf +++ b/main.tf @@ -176,7 +176,7 @@ module "app_lb" { resource "aws_autoscaling_attachment" "autoscaling_attachment" { for_each = module.app_eks.autoscaling_group_names autoscaling_group_name = each.value - lb_target_group_arn = module.app_lb.tg_app_arn + lb_target_group_arn = module.app_lb.tg_app_arn } module "redis" { diff --git a/modules/app_eks/variables.tf b/modules/app_eks/variables.tf index e583bc06..ac157b12 100644 --- a/modules/app_eks/variables.tf +++ b/modules/app_eks/variables.tf @@ -27,8 +27,9 @@ variable "cluster_endpoint_public_access_cidrs" { variable "cluster_version" { description = "Indicates AWS EKS cluster version" + nullable = false type = string - default = "1.25" + } variable "create_elasticache_security_group" { diff --git a/modules/redis/main.tf b/modules/redis/main.tf index bab1d375..4159f95f 100644 --- a/modules/redis/main.tf +++ b/modules/redis/main.tf @@ -3,10 +3,10 @@ locals { } resource "aws_elasticache_replication_group" "default" { - replication_group_id = "${var.namespace}-rep-group" - description = "${var.namespace}-rep-group" - num_cache_clusters = 2 - port = 6379 + replication_group_id = "${var.namespace}-rep-group" + description = "${var.namespace}-rep-group" + num_cache_clusters = 2 + port = 6379 node_type = var.node_type parameter_group_name = "default.redis6.x" diff --git a/variables.tf b/variables.tf index 1aaa719f..f514f61c 100644 --- a/variables.tf +++ b/variables.tf 
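Review bot: With `nullable = false` added and the default removed, `cluster_version` in modules/app_eks/variables.tf becomes a required string, but nothing constrains its shape, so a typo such as `"125"` or `"v1.25"` is only rejected by the EKS API mid-apply; a `validation` block would surface it at plan time. The same applies to `eks_cluster_version` in the variables.tf hunk of this commit, which also gains `nullable = false`. The README's rule that upgrades must go one minor at a time cannot be expressed in a validation, so the description is the right place to restate it, e.g. `description = "EKS cluster kubernetes version (upgrade one minor version per apply)"`.
```hcl
variable "cluster_version" {
  # … unchanged: description, nullable, type …
  validation {
    condition     = can(regex("^1\\.[0-9]+$", var.cluster_version))
    error_message = "cluster_version must be a Kubernetes minor version such as \"1.25\"."
  }
}
```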
@@ -233,9 +233,10 @@ variable "network_elasticache_subnet_cidrs" { # EKS Cluster # ########################################## variable "eks_cluster_version" { - type = string - description = "Indicates EKS cluster version" default = "1.25" + description = "EKS cluster kubernetes version" + nullable = false + type = string } variable "kubernetes_public_access" { From 8d3558c1e3ee0e9bdb8782098cbbf0739b4540cd Mon Sep 17 00:00:00 2001 From: George Scott Date: Thu, 3 Aug 2023 16:57:42 -0500 Subject: [PATCH 5/8] order --- modules/file_storage/main.tf | 51 ++++++++++++++++++------------------ 1 file changed, 26 insertions(+), 25 deletions(-) diff --git a/modules/file_storage/main.tf b/modules/file_storage/main.tf index 86172d83..39ced492 100644 --- a/modules/file_storage/main.tf +++ b/modules/file_storage/main.tf @@ -22,17 +22,31 @@ resource "aws_s3_bucket" "file_storage" { depends_on = [aws_sqs_queue.file_storage] } -resource "aws_s3_bucket_server_side_encryption_configuration" "file_storage" { +resource "aws_s3_bucket_acl" "file_storage" { + depends_on = [aws_s3_bucket_ownership_controls.file_storage] + bucket = aws_s3_bucket.file_storage.id + acl = "private" +} - rule { - apply_server_side_encryption_by_default { - kms_master_key_id = var.kms_key_arn - sse_algorithm = var.sse_algorithm - } +resource "aws_s3_bucket_cors_configuration" "file_storage" { + bucket = aws_s3_bucket.file_storage.id + + cors_rule { + allowed_headers = ["*"] + allowed_methods = ["GET", "HEAD", "PUT"] + allowed_origins = ["*"] + expose_headers = ["ETag"] + max_age_seconds = 3000 } } +resource "aws_s3_bucket_ownership_controls" "file_storage" { + bucket = aws_s3_bucket.file_storage.id + rule { + object_ownership = "BucketOwnerPreferred" + } +} resource "aws_s3_bucket_public_access_block" "file_storage" { bucket = aws_s3_bucket.file_storage.id 
@@ -42,31 +56,18 @@ resource "aws_s3_bucket_public_access_block" "file_storage" { ignore_public_acls = true } -resource "aws_s3_bucket_ownership_controls" "file_storage" { +resource "aws_s3_bucket_server_side_encryption_configuration" "file_storage" { bucket = aws_s3_bucket.file_storage.id + rule { - object_ownership = "BucketOwnerPreferred" + apply_server_side_encryption_by_default { + kms_master_key_id = var.kms_key_arn + sse_algorithm = var.sse_algorithm + } } } -resource "aws_s3_bucket_acl" "file_storage" { - depends_on = [aws_s3_bucket_ownership_controls.file_storage] - bucket = aws_s3_bucket.file_storage.id - acl = "private" -} - -resource "aws_s3_bucket_cors_configuration" "file_storage" { - bucket = aws_s3_bucket.file_storage.id - - cors_rule { - allowed_headers = ["*"] - allowed_methods = ["GET", "HEAD", "PUT"] - allowed_origins = ["*"] - expose_headers = ["ETag"] - max_age_seconds = 3000 - } -} # Give the bucket permission to send messages onto the queue. Looks like we From d6ef64e7f40567c1738e84c73f57f347984aa505 Mon Sep 17 00:00:00 2001 From: George Scott Date: Thu, 3 Aug 2023 17:35:19 -0500 Subject: [PATCH 6/8] eks cluster version --- modules/app_eks/variables.tf | 1 - variables.tf | 1 - 2 files changed, 2 deletions(-) diff --git a/modules/app_eks/variables.tf b/modules/app_eks/variables.tf index ac157b12..e80238e2 100644 --- a/modules/app_eks/variables.tf +++ b/modules/app_eks/variables.tf @@ -29,7 +29,6 @@ variable "cluster_version" { description = "Indicates AWS EKS cluster version" nullable = false type = string - } variable "create_elasticache_security_group" { diff --git a/variables.tf b/variables.tf index f514f61c..af47007d 100644 --- a/variables.tf +++ b/variables.tf @@ -233,7 +233,6 @@ variable "network_elasticache_subnet_cidrs" { # EKS Cluster # ########################################## variable "eks_cluster_version" { - default = "1.25" description = "EKS cluster kubernetes version" nullable = false type = string 
From 61c56bbed59229070044c77ec092408953fc59c6 Mon Sep 17 00:00:00 2001 From: George Scott Date: Fri, 4 Aug 2023 16:27:44 -0500 Subject: [PATCH 7/8] remove "inline_policies" from iam roles --- modules/app_eks/iam-roles.tf | 2 -- 1 file changed, 2 deletions(-) diff --git a/modules/app_eks/iam-roles.tf b/modules/app_eks/iam-roles.tf index a060e093..19e99e92 100644 --- a/modules/app_eks/iam-roles.tf +++ b/modules/app_eks/iam-roles.tf @@ -2,8 +2,6 @@ resource "aws_iam_role" "node" { name = "${var.namespace}-node" assume_role_policy = data.aws_iam_policy_document.node_assume.json - // todo: refactor --> v1.16.3 - inline_policy {} } From bf0d571b2f400cdcc60b02a615f0a145a2b7ad72 Mon Sep 17 00:00:00 2001 From: George Scott Date: Fri, 4 Aug 2023 16:29:04 -0500 Subject: [PATCH 8/8] removed extren comments --- modules/app_eks/iam-policy-docs.tf | 5 ----- 1 file changed, 5 deletions(-) diff --git a/modules/app_eks/iam-policy-docs.tf b/modules/app_eks/iam-policy-docs.tf index 5160c596..237e02b6 100644 --- a/modules/app_eks/iam-policy-docs.tf +++ b/modules/app_eks/iam-policy-docs.tf @@ -6,7 +6,6 @@ data "aws_iam_policy_document" "node_cloudwatch" { } } - data "aws_iam_policy_document" "node_IMDSv2" { statement { actions = ["ec2:DescribeInstanceAttribute"] @@ -15,7 +14,6 @@ data "aws_iam_policy_document" "node_IMDSv2" { } } -// todo: refactor --> v1.16.3 data "aws_iam_policy_document" "node_kms" { statement { actions = [ @@ -30,8 +28,6 @@ data "aws_iam_policy_document" "node_kms" { } } - -// todo: refactor --> v1.16.3 data "aws_iam_policy_document" "node_sqs" { statement { actions = ["sqs:*"] @@ -40,7 +36,6 @@ data "aws_iam_policy_document" "node_sqs" { } } - data "aws_iam_policy_document" "node_s3" { statement { actions = ["s3:*"]
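Review bot: Deleting the empty `inline_policy {}` block from `aws_iam_role.node` in modules/app_eks/iam-roles.tf is not a no-op in the AWS provider: an empty block declares an exclusive, empty set of inline policies, so Terraform removed any inline policy attached to the node role out of band on each apply, whereas with no block the provider stops managing inline policies and such drift persists unnoticed. If the block was removed because inline policies are now attached through separate `aws_iam_role_policy` resources (which conflict with the exclusive block), a short comment in the role saying so would keep the next reader from re-adding it; if not, keeping `inline_policy {}` preserves the drift protection. The enclosing resource's closing brace is inside the hunk, so no other attributes are affected.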