From a5b3306c1047f7dd84c48f083dda5debd01f7035 Mon Sep 17 00:00:00 2001 From: Bal Purewal Date: Fri, 5 Apr 2024 08:38:25 +0100 Subject: [PATCH] used terradocs to update readme for eks and vpc modules --- .../infrastructure_modules/eks/README.md | 21 +++++++------------ .../infrastructure_modules/vpc/README.md | 20 ++++++++---------- 2 files changed, 17 insertions(+), 24 deletions(-) diff --git a/aws/modules/infrastructure_modules/eks/README.md b/aws/modules/infrastructure_modules/eks/README.md index aebff279..73274179 100644 --- a/aws/modules/infrastructure_modules/eks/README.md +++ b/aws/modules/infrastructure_modules/eks/README.md @@ -35,18 +35,20 @@ and: https://github.com/terraform-aws-modules/terraform-aws-eks/issues/920 | Name | Version | |------|---------| | [aws](#provider\_aws) | >= 5.0 | +| [null](#provider\_null) | n/a | ## Modules | Name | Source | Version | |------|--------|---------| -| [eks](#module\_eks) | terraform-aws-modules/eks/aws | ~> 19.16 | +| [eks](#module\_eks) | terraform-aws-modules/eks/aws | ~> 19.20 | | [eks\_kms\_key](#module\_eks\_kms\_key) | ../../resource_modules/identity/kms_key | n/a | ## Resources | Name | Type | |------|------| +| [null_resource.cis_bootstrap_validation](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | | [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | | [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_iam_policy_document.eks_secret_encryption_kms_key_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | 
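Review bot: the new `null` provider row renders its version as `n/a`, which means the module has no `required_providers` entry for `hashicorp/null`; add one with a version constraint in versions.tf so terraform-docs prints a real version and `terraform init` does not resolve to an arbitrary release. The same hunk records the `terraform-aws-modules/eks/aws` bump from `~> 19.16` to `~> 19.20`, which is a code change rather than a README regeneration and should be called out in the commit message alongside the new `null_resource.cis_bootstrap_validation` resource.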
@@ -55,28 +57,21 @@ and: https://github.com/terraform-aws-modules/terraform-aws-eks/issues/920 | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| [cis\_bootstrap\_image](#input\_cis\_bootstrap\_image) | CIS Bootstrap image, required if enable\_cis\_bootstrap is set to true | `string` | `""` | no | | [cluster\_endpoint\_private\_access](#input\_cluster\_endpoint\_private\_access) | Switch to enable private access | `bool` | n/a | yes | | [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | Switch to enable public access | `bool` | n/a | yes | | [cluster\_name](#input\_cluster\_name) | Name of the cluster and resources | `string` | n/a | yes | +| [cluster\_security\_group\_additional\_rules](#input\_cluster\_security\_group\_additional\_rules) | List of additional security group rules to add to the cluster security group created. Set `source_node_security_group = true` inside rules to set the `node_security_group` as source | `any` |
{
"egress_nodes_ephemeral_ports_tcp": {
"description": "Node all egress",
"from_port": 0,
"protocol": "-1",
"source_node_security_group": true,
"to_port": 0,
"type": "egress"
}
}
| no | | [cluster\_single\_az](#input\_cluster\_single\_az) | Spin up the cluster in a single AZ | `bool` | n/a | yes | | [cluster\_version](#input\_cluster\_version) | Cluster Kubernetes Version | `string` | n/a | yes | | [eks\_desired\_nodes](#input\_eks\_desired\_nodes) | The initial starting number of nodes, per AZ if 'cluster\_single\_az' is false | `string` | `2` | no | | [eks\_maximum\_nodes](#input\_eks\_maximum\_nodes) | The maximum number of nodes in the cluster, per AZ if 'cluster\_single\_az' is false | `string` | `3` | no | | [eks\_minimum\_nodes](#input\_eks\_minimum\_nodes) | The minimum number of nodes in the cluster, per AZ if 'cluster\_single\_az' is false | `string` | `1` | no | | [eks\_node\_size](#input\_eks\_node\_size) | Configure desired no of nodes for the cluster | `string` | `"t3.small"` | no | +| [eks\_node\_tenancy](#input\_eks\_node\_tenancy) | The tenancy of the node instance to use for EKS | `string` | `"default"` | no | | [eks\_node\_type](#input\_eks\_node\_type) | The type of nodes to use for EKS | `string` | `"ON_DEMAND"` | no | -| [firewall\_alert\_log\_retention](#input\_firewall\_alert\_log\_retention) | The firewall alert log retention in days | `number` | `7` | no | -| [firewall\_allowed\_domain\_targets](#input\_firewall\_allowed\_domain\_targets) | The list of allowed domains which can make it through the firewall | `list(string)` |
[
"."
]
| no | -| [firewall\_deletion\_protection](#input\_firewall\_deletion\_protection) | Whether to protect the firewall from deletion | `bool` | `true` | no | -| [firewall\_flow\_log\_retention](#input\_firewall\_flow\_log\_retention) | The firewall flow log retention in days | `number` | `7` | no | -| [flow\_log\_allow\_ssl\_requests\_only](#input\_flow\_log\_allow\_ssl\_requests\_only) | Set to 'true' to require requests to use Secure Socket Layer (HTTPS/SSL). This will explicitly deny access to HTTP requests | `bool` | `true` | no | -| [flow\_log\_expiry\_days](#input\_flow\_log\_expiry\_days) | Number of days after which to expunge the objects | `number` | `90` | no | -| [flow\_log\_force\_destroy](#input\_flow\_log\_force\_destroy) | A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable | `bool` | `false` | no | -| [glacier\_transition\_days](#input\_glacier\_transition\_days) | Number of days after which to move the data to the glacier storage tier | `number` | `60` | no | -| [noncurrent\_version\_expiry\_days](#input\_noncurrent\_version\_expiry\_days) | Specifies when noncurrent object versions expire | `number` | `90` | no | -| [noncurrent\_version\_transition\_days](#input\_noncurrent\_version\_transition\_days) | Specifies when noncurrent object versions transitions | `number` | `30` | no | +| [enable\_cis\_bootstrap](#input\_enable\_cis\_bootstrap) | Set to true to enable the CIS Boostrap, false to disable. | `bool` | `false` | no | | [region](#input\_region) | AWS region | `string` | n/a | yes | -| [standard\_transition\_days](#input\_standard\_transition\_days) | Number of days to persist in the standard storage tier before moving to the infrequent access tier | `number` | `30` | no | | [tags](#input\_tags) | Map of infrastructure tags. 
| `map(string)` | n/a | yes | | [vpc\_id](#input\_vpc\_id) | The VPC ID to use for the Cluster and resources | `string` | n/a | yes | | [vpc\_private\_subnets](#input\_vpc\_private\_subnets) | The VPC Private Subnets to place EKS nodes into | `list(string)` | n/a | yes | @@ -85,7 +80,7 @@ and: https://github.com/terraform-aws-modules/terraform-aws-eks/issues/920 | Name | Description | |------|-------------| -| [aws\_general\_eks\_roles](#output\_aws\_general\_eks\_roles) | The EKS General Roles | +| [aws\_general\_eks\_roles](#output\_aws\_general\_eks\_roles) | The EKS General Role ARNs | | [cluster\_certificate\_authority\_data](#output\_cluster\_certificate\_authority\_data) | base64 encoded certificate data required to communicate with your cluster | | [cluster\_endpoint](#output\_cluster\_endpoint) | Endpoint for EKS control plane. | | [cluster\_id](#output\_cluster\_id) | EKS cluster ID. | diff --git a/aws/modules/infrastructure_modules/vpc/README.md b/aws/modules/infrastructure_modules/vpc/README.md index 19476433..0e28e23e 100644 --- a/aws/modules/infrastructure_modules/vpc/README.md +++ b/aws/modules/infrastructure_modules/vpc/README.md @@ -36,13 +36,13 @@ downstream module: https://github.com/cloudposse/terraform-aws-vpc-flow-logs-s3- | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.3 | -| [aws](#requirement\_aws) | > 5.0 | +| [aws](#requirement\_aws) | >= 5.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | > 5.0 | +| [aws](#provider\_aws) | >= 5.0 | ## Modules 
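Review bot: in the `cluster_security_group_additional_rules` default, the rule keyed `egress_nodes_ephemeral_ports_tcp` is `"protocol": "-1"` with `from_port` 0 and `to_port` 0, i.e. every protocol and every port, and its own description says "Node all egress"; either rename the key so it no longer claims to be an ephemeral-port TCP rule, or narrow the rule to the TCP ephemeral range the key promises, so a reader of the README is not misled about what the cluster security group may send to the node security group. Two smaller points in the same hunk: fix the typo "CIS Boostrap" in the `enable_cis_bootstrap` description (in variables.tf, then regenerate), and since `cis_bootstrap_image` defaults to `""` while being "required if enable_cis_bootstrap is set to true", the description should say how that is enforced (presumably by `null_resource.cis_bootstrap_validation` added in the first hunk).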
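Review bot: changing `> 5.0` to `>= 5.0` for the `aws` requirement and provider is correct (`> 5.0` excluded 5.0.0 itself and disagreed with the eks module's `>= 5.0`), but `>= 5.0` has no upper bound, so a future 6.x major release of the provider would be accepted by `terraform init` without any change to this module; consider `~> 5.0` in versions.tf and regenerate. The commit message describes a README update only, so the underlying constraint change in versions.tf should be mentioned there as well.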
@@ -68,6 +68,7 @@ downstream module: https://github.com/cloudposse/terraform-aws-vpc-flow-logs-s3- | [aws_route.ingress_routes](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource | | [aws_route.nat](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource | | [aws_route.public_to_firewall_endpoints](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource | +| [aws_route.public_to_internet_gw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource | | [aws_route_table.ingress_route_table](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource | | [aws_route_table.network_firewall](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource | | [aws_route_table.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource | 
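Review bot: `aws_route.public_to_internet_gw` now appears next to `aws_route.public_to_firewall_endpoints` and nothing in the README says when each one is created; if, as the names suggest, they are mutually exclusive on the new `firewall_enabled` input, document that explicitly, including that with the firewall disabled public-subnet traffic reaches the internet gateway directly and is not inspected by Network Firewall, since that is the security property an operator flipping the flag needs to know about.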
@@ -85,26 +86,23 @@ downstream module: https://github.com/cloudposse/terraform-aws-vpc-flow-logs-s3- | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [firewall\_alert\_log\_retention](#input\_firewall\_alert\_log\_retention) | The firewall alert log retention in days | `number` | `7` | no | -| [firewall\_allowed\_domain\_targets](#input\_firewall\_allowed\_domain\_targets) | The list of allowed domains which can make it through the firewall | `list(string)` | `[]` | no | +| [firewall\_allowed\_domain\_targets](#input\_firewall\_allowed\_domain\_targets) | The list of allowed domains which can make it through the firewall, e.g. '.foo.com' | `list(string)` | `[]` | no | | [firewall\_deletion\_protection](#input\_firewall\_deletion\_protection) | Whether to protect the firewall from deletion | `bool` | `true` | no | +| [firewall\_enabled](#input\_firewall\_enabled) | Whether to enable the Firewall | `bool` | `true` | no | | [firewall\_flow\_log\_retention](#input\_firewall\_flow\_log\_retention) | The firewall flow log retention in days | `number` | `7` | no | -| [flow\_log\_allow\_ssl\_requests\_only](#input\_flow\_log\_allow\_ssl\_requests\_only) | Set to 'true' to require requests to use Secure Socket Layer (HTTPS/SSL). This will explicitly deny access to HTTP requests | `bool` | `true` | no | -| [flow\_log\_expiry\_days](#input\_flow\_log\_expiry\_days) | Number of days after which to expunge the objects | `number` | `90` | no | -| [flow\_log\_force\_destroy](#input\_flow\_log\_force\_destroy) | A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. 
These objects are not recoverable | `bool` | `false` | no | -| [flow\_log\_glacier\_transition\_days](#input\_flow\_log\_glacier\_transition\_days) | Number of days after which to move the data to the glacier storage tier | `number` | `60` | no | -| [flow\_log\_noncurrent\_version\_expiry\_days](#input\_flow\_log\_noncurrent\_version\_expiry\_days) | Specifies when noncurrent object versions expire | `number` | `90` | no | -| [flow\_log\_noncurrent\_version\_transition\_days](#input\_flow\_log\_noncurrent\_version\_transition\_days) | Specifies when noncurrent object versions transitions | `number` | `30` | no | -| [flow\_log\_standard\_transition\_days](#input\_flow\_log\_standard\_transition\_days) | Number of days to persist in the standard storage tier before moving to the infrequent access tier | `number` | `30` | no | | [region](#input\_region) | AWS region | `string` | n/a | yes | | [tags](#input\_tags) | Map of infrastructure tags. | `map(string)` | n/a | yes | | [vpc\_cidr](#input\_vpc\_cidr) | The VPC CIDR to create | `string` | n/a | yes | +| [vpc\_instance\_tenancy](#input\_vpc\_instance\_tenancy) | The default tenancy of instances, either 'default' or 'dedicated' | `string` | `"default"` | no | | [vpc\_name](#input\_vpc\_name) | Name of the VPC and resources | `string` | n/a | yes | +| [vpc\_nat\_gateway\_per\_az](#input\_vpc\_nat\_gateway\_per\_az) | Whether to spin up a NAT Gateway per-AZ or just use one. Note: There are running costs associated with NAT Gateways. For Production-like environments this should be true | `bool` | `true` | no | ## Outputs | Name | Description | |------|-------------| | [id](#output\_id) | The ID of the VPC Created by this module. | +| [private\_route\_table\_ids](#output\_private\_route\_table\_ids) | The IDs of the private routing tables | | [private\_subnet\_ids](#output\_private\_subnet\_ids) | The IDs of the private subnets created by this module. 
| -| [public\_subnet\_ids](#output\_public\_subnet\_ids) | The IDs of the public subnets created by this module. | +| [public\_subnet\_ids](#output\_public\_subnet\_ids) | The IDs of the public subnets created by this module. |
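Review bot: the removed `flow_log_allow_ssl_requests_only`, `flow_log_expiry_days`, `flow_log_force_destroy`, `flow_log_glacier_transition_days`, `flow_log_noncurrent_version_*` and `flow_log_standard_transition_days` inputs disappear from the VPC module with no replacement in this hunk; the README (or the commit message) should state where the flow-log bucket policy and lifecycle settings now come from, because silently dropping the SSL-only bucket policy and the retention controls would be a regression in how long, and how safely, VPC flow logs are kept. Also, `vpc_instance_tenancy` is described as "either 'default' or 'dedicated'" but is an unconstrained `string`, so add a `validation` block to the variable rather than relying on the description, and the `firewall_enabled` description ("Whether to enable the Firewall") should say that setting it to `false` also removes the `firewall_allowed_domain_targets` egress filtering.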