diff --git a/.github/workflows/cluster.yaml b/.github/workflows/cluster.yaml
deleted file mode 100644
index d3c3680..0000000
--- a/.github/workflows/cluster.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-name: TF Validate Cluster
-
-on:
- push:
- branches: [ main ]
- pull_request:
- branches: [ main ]
-
-env:
- TERRAFORM_VERSION: 1.7.5
-
-jobs:
- build:
- runs-on: ubuntu-latest
- defaults:
- run:
- shell: bash
- working-directory: ./cluster
- steps:
- - name: Checkout
- uses: actions/checkout@v3
- - name: Setup Terraform
- uses: hashicorp/setup-terraform@v2
- with:
- terraform_version: ${{ env.TERRAFORM_VERSION }}
- - name: Init
- run: |
- rm -rf .terraform
- terraform init -backend=false
- - name: Format
- run: terraform fmt -check
- - name: Validate
- run: terraform validate -no-color
diff --git a/.github/workflows/config.yaml b/.github/workflows/config.yaml
deleted file mode 100644
index 9fa1ae3..0000000
--- a/.github/workflows/config.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-name: TF Validate Config
-
-on:
- push:
- branches: [ main ]
- pull_request:
- branches: [ main ]
-
-env:
- TERRAFORM_VERSION: 1.7.5
-
-jobs:
- build:
- runs-on: ubuntu-latest
- defaults:
- run:
- shell: bash
- working-directory: ./config
- steps:
- - name: Checkout
- uses: actions/checkout@v3
- - name: Setup Terraform
- uses: hashicorp/setup-terraform@v2
- with:
- terraform_version: ${{ env.TERRAFORM_VERSION }}
- - name: Init
- run: |
- rm -rf .terraform
- terraform init -backend=false
- - name: Format
- run: terraform fmt -check
- - name: Validate
- run: terraform validate -no-color
\ No newline at end of file
diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml
new file mode 100644
index 0000000..98e3a74
--- /dev/null
+++ b/.github/workflows/pre-commit.yaml
@@ -0,0 +1,21 @@
+name: Pre-commit hooks
+
+on:
+ push:
+ branches: [ main ]
+ pull_request:
+ branches: [ main ]
+
+jobs:
+ pre-commit:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Install devbox
+ uses: jetify-com/devbox-install-action@v0.11.0
+ with:
+ enable-cache: 'true'
+
+ - name: Run pre-commit on all files
+ run: devbox run -- pre-commit run --verbose --all-files --show-diff-on-failure
diff --git a/.gitignore b/.gitignore
index 8699f6f..d9624df 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,8 +10,8 @@ crash.log
 crash.*.log
 
 # Exclude all .tfvars files, which are likely to contain sensitive data, such as
-# password, private keys, and other secrets. These should not be part of version
-# control as they are data points which are potentially sensitive and subject
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
 # to change depending on the environment.
 *.tfvars
 *.tfvars.json
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..acc8626
--- /dev/null
+++ b/.pre-commit-config.yaml
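Review bot: The workflow sets no `permissions:` block, so the job runs with the repository's default GITHUB_TOKEN scope although it only checks out and lints, and both `uses:` lines reference mutable tags (`actions/checkout@v3`, `jetify-com/devbox-install-action@v0.11.0`) that can be moved to different code without any change in this file. Add a top-level `permissions:` / `  contents: read` and pin each action to a full commit SHA with the tag as a trailing comment, so that what runs on every push to main is fixed by this repository. The devbox action then installs the `@latest` packages declared in devbox.json, which is presumably pinned by the devbox.lock added in this same commit; worth confirming that the action honours the lock rather than re-resolving.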
@@ -0,0 +1,50 @@
+# See https://pre-commit.com for more information
+# See https://pre-commit.com/hooks.html for more hooks
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v5.0.0
+ hooks:
+ - id: trailing-whitespace
+ - id: end-of-file-fixer
+ exclude: |
+ (?x)^(
+ config/README.md|
+ cluster/README.md
+ )$
+ - id: mixed-line-ending
+ - id: check-yaml
+ args:
+ - --allow-multiple-documents
+ - id: check-added-large-files
+ - id: check-executables-have-shebangs
+ - id: check-shebang-scripts-are-executable
+ - id: check-merge-conflict
+ - id: no-commit-to-branch
+- repo: https://github.com/antonbabenko/pre-commit-terraform
+ rev: v1.96.2
+ hooks:
+ - id: terraform_fmt
+ - id: terraform_validate
+ - id: terraform_tflint
+ # - id: terraform_trivy
+ # args:
+ # - --args=--severity CRITICAL
+ # - --args=--skip-dirs="**/.terraform"
+ # - id: terraform_checkov
+ # args:
+ # - --args=--quiet
+ # - --args=--skip-check CKV_AWS_23,CKV_AWS_355,CKV_AWS_290 # Temporarly skip these checks, Helm chart testing isn't needed for the repo
+- repo: local
+ hooks:
+ - id: terraform-docs-cluster
+ name: Generate docs for the Terraform cluster/
+ language: system
+ entry: terraform-docs markdown table cluster/
+ pass_filenames: false
+ files: 'cluster/'
+ - id: terraform-docs-config
+ name: Generate docs for the Terraform config/
+ language: system
+ entry: terraform-docs markdown table config/
+ pass_filenames: false
+ files: 'config/'
diff --git a/Makefile b/Makefile
deleted file mode 100644
index d652a2f..0000000
--- a/Makefile
+++ /dev/null
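Review bot: Both misconfiguration scanners, `terraform_trivy` and `terraform_checkov`, are commented out, so although this commit installs trivy and checkov through devbox.json, neither the hook chain nor the CI job that runs `pre-commit run --all-files` checks the Terraform for insecure settings; the trailing comment explains skipping three checkov checks, not disabling both hooks. Either enable `terraform_trivy` with the args shown and keep the checkov skip-list as written, or add a comment above the block stating why they stay off and what re-enables them. The `rev:` values are git tags, which can be moved; pre-commit accepts a full commit SHA there if the same pinning as the lock files is wanted. Style: the top-level `- repo:` items are flush with `repos:` while the `- id:` items are indented under `hooks:`; pick one sequence indentation for the file (yamllint `indentation`).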
@@ -1,15 +0,0 @@ -prepare: - @echo === Cluster === - @echo Generate docs - @terraform-docs markdown table cluster - @echo Fixing the formatting - @cd cluster && terraform fmt - @echo Validating Terraform code - @cd cluster && terraform validate - @echo === Config === - @echo Generate docs - @terraform-docs markdown table config - @echo Fixing the formatting - @cd config && terraform fmt - @echo Validating Terraform code - @cd config && terraform validate diff --git a/README.md b/README.md index a2a8a4c..ba6a599 100644 --- a/README.md +++ b/README.md @@ -4,8 +4,8 @@ This repository aims to provide [IaC](https://en.wikipedia.org/wiki/Infrastructu --- -[![Terraform validate](https://github.com/phidatalab/RADAR-K8s-Infrastructure/actions/workflows/cluster.yaml/badge.svg)](https://github.com/phidatalab/RADAR-K8s-Infrastructure/actions/workflows/cluster.yaml/badge.svg) -[![Terraform validate](https://github.com/phidatalab/RADAR-K8s-Infrastructure/actions/workflows/config.yaml/badge.svg)](https://github.com/phidatalab/RADAR-K8s-Infrastructure/actions/workflows/config.yaml/badge.svg) +[![Lint and validate](https://github.com/RADAR-base/RADAR-K8s-Infrastructure/actions/workflows/pre-commit.yaml/badge.svg)](https://github.com/phidatalab/RADAR-K8s-Infrastructure/actions/workflows/pre-commit.yaml/badge.svg) +[![Join our community Slack](https://img.shields.io/badge/slack-radarbase-success.svg?logo=slack)](https://docs.google.com/forms/d/e/1FAIpQLScKNZ-QonmxNkekDMLLbP-b_IrNHyDRuQValBy1BAsLOjEFpg/viewform) # Dependencies 
@@ -18,6 +18,15 @@ It is recommended that you use RADAR-K8s-Infrastructure as a template and create use this template +## Workspaces + +The definition of resources required for running RADAR-base components is located in the `cluster` directory, while other optional resources are defined in the `config` directory. Please treat each directory as a separate workspace and perform terraform operations individually. The `cluster` resources need to be created and made fully available before you proceed with the creation of the `config` ones. + +To retain the user-specific configurations for future infrastructure updates, modify `terraform.tfvars` within the workspace and push the change to your repository. If needed, additional variables defined in `variables.tf` can also be included there. +| :information_source: Important Notice | +|:----------------------------------------| +|As a best practice, never save raw values of secret variables in your repository. Instead, always encrypt them before committing. If your cluster is no longer in use, run `terraform destroy` to delete all the associated resources and reduce your cloud spending. If you have resources created within `config`, run `terraform destroy` in that directory before running the counterpart in `cluster`.| + ## Configure credentials ``` 
@@ -28,15 +37,6 @@ export TF_VAR_AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY export TF_VAR_AWS_SESSION_TOKEN=$AWS_SESSION_TOKEN ``` -## Workspaces - -The definition of resources required for running RADAR-base components is located in the `cluster` directory, while other optional resources are defined in the `config` directory. Please treat each directory as a separate workspace and perform terraform operations individually. The `cluster` resources need to be created and made fully available before you proceed with the creation of the `config` ones. - -To retain the user-specific configurations for future infrastructure updates, modify `terraform.tfvars` within the workspace and push the change to your repository. If needed, additional variables defined in `variables.tf` can also be included there. -| :information_source: Important Notice | -|:----------------------------------------| -|As a best practice, never save raw values of secret variables in your repository. Instead, always encrypt them before committing. If your cluster is no longer in use, run `terraform destroy` to delete all the associated resources and reduce your cloud spending. If you have resources created within `config`, run `terraform destroy` in that directory before running the counterpart in `cluster`.| - ## Create the infrastructure ``` @@ -79,7 +79,7 @@ Created resources: ``` # Make sure to use --region if the cluster is deployed in non-default region and --profile if the cluster is deployed in a non-default AWS account -aws eks update-kubeconfig --name [eks_cluster_name] +aws eks update-kubeconfig --name `terraform output eks_cluster_name` --alias `terraform output eks_cluster_name` --role-arn `terraform output assume_eks_admins_role` kubectl get nodes kubectl get pods -A ``` 
@@ -91,6 +91,7 @@ terraform output ``` Note that output values can be crucial for configuring certain RADAR-base components prior to deployment. For instance, if you are using the nginx-ingress controller with NLB, specify the subnet(s) and the EIP allocation ID as follows: + ```yaml nginx_ingress: _install: true @@ -105,7 +106,6 @@ nginx_ingress: You could also automate this value injection by implementing your own templating strategy to customise `production.yaml`. - ## Configure the cluster (optional) N.B.: To get external DNS, Cert Manager and SMTP working via Route 53 (if chosen as your DNS service), you need to configure your registered top-level domain and its corresponding hosted zone ID via variable `domain_name` in [config/terraform.tfvars](./config/terraform.tfvars). Additionally, set `enable_route53` to `true`. @@ -134,7 +134,13 @@ Created resources (if all enabled): ## Contributing -Make sure to install [terraform-docs](https://github.com/terraform-docs/terraform-docs) and run `make prepare` before making a commit to make sure the documentation is up to date and the code is valid. +The dependencies and linting tools and managed via Devbox, you need to [install it](https://jetify-com.vercel.app/docs/devbox/installing_devbox/#install-devbox) before proceeding. Once that is done you can run + +``` +devbox shell +``` + +To download all of the dependencies and install to Git hooks to lint the configuration before it is commited. In order to support new version of EKS you need to make sure the addons that we use are compatible with the new target version. You can get a list of addons and their EKS compatiblity with running `aws eks describe-addons-versions` and then searching for the addons that are defined in `cluster/data.tf`. diff --git a/cluster/.terraform.lock.hcl b/cluster/.terraform.lock.hcl index 22af172..9042ee3 100644 --- a/cluster/.terraform.lock.hcl +++ b/cluster/.terraform.lock.hcl 
@@ -19,25 +19,25 @@ provider "registry.terraform.io/gavinbunney/kubectl" { } provider "registry.terraform.io/hashicorp/aws" { - version = "5.80.0" + version = "5.82.2" constraints = ">= 3.72.0, >= 4.0.0, >= 4.47.0, >= 4.57.0, >= 5.0.0, >= 5.46.0, < 6.0.0" hashes = [ - "h1:N5Wfsf4xe5DJfSeo0G/ulkIxzyfmUIoSj/hAiZ2DaKU=", - "zh:0b1655e39639d60f2de2860a5df8642f9556ba0ca04529c1b861fde4935cb0df", - "zh:13dc0155e0a11edceee29ce687fc04c5a5a85f3324c67556472713cfd52e5807", - "zh:180f6cb2be44be14cfe329e0649121b774319f083b6e4e8fb749f85090d73121", - "zh:3158d44b74c67465f7f19f22c42b643840c8d18ce833e2ec86e8d93085b06926", - "zh:6351b5bf7cde5dc83e926944891570636069e05ca43341f4d1feda67773469bf", - "zh:6fa9db1532096ba50e842d369b6688979306d2295c7ead49b8a266b0d60962cc", - "zh:85d2fe75def7619ff2cc29102048875039cad088fafb62ecc14c3763e7b1e9d9", - "zh:9028d653f1d7341c6dfe2afe961b6541581e9043a474eac2faf90e6426a24f6d", + "h1:RuPaHbllUB8a2TGTyc149wJfoh6zhIEjUvFYKR6iP2E=", + "zh:0262fc96012fb7e173e1b7beadd46dfc25b1dc7eaef95b90e936fc454724f1c8", + "zh:397413613d27f4f54d16efcbf4f0a43c059bd8d827fe34287522ae182a992f9b", + "zh:436c0c5d56e1da4f0a4c13129e12a0b519d12ab116aed52029b183f9806866f3", + "zh:4d942d173a2553d8d532a333a0482a090f4e82a2238acf135578f163b6e68470", + "zh:624aebc549bfbce06cc2ecfd8631932eb874ac7c10eb8466ce5b9a2fbdfdc724", "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:9c4e248c442bc60f07f9f089e5361f19936833370dc3c04b27916672b765f0e1", - "zh:a710a3979596e3f3938c3ec6bb748e604724d3a4afa96ed2c14f0a245cc41a11", - "zh:c27936bdf447779d0c0833bf52a9ef618985f5ea8e3e243d6266513520ca31c4", - "zh:c7681134a123486e72eaedc3f8d2d75e267dbbfd45fa7de5aea8f757af57f89b", - "zh:ea717ebad3561fd02591f9eecf30f3df5635405556fba2bdbf29fd42691bebac", - "zh:f4e1e8f23c58c3e8f4371f9c3379a723ab4155246e6b6daad8eb99e16666b2cb", + "zh:9e632dee2dfdf01b371cca7854b1ec63ceefa75790e619b0642b34d5514c6733", + "zh:a07567acb115b60a3df8f6048d12735b9b3bcf85ec92a62f77852e13d5a3c096", + 
"zh:ab7002df1a1be6432ac0eb1b9f6f0dd3db90973cd5b1b0b33d2dae54553dfbd7", + "zh:bc1ff65e2016b018b3e84db7249b2cd0433cb5c81dc81f9f6158f2197d6b9fde", + "zh:bcad84b1d767f87af6e1ba3dc97fdb8f2ad5de9224f192f1412b09aba798c0a8", + "zh:cf917dceaa0f9d55d9ff181b5dcc4d1e10af21b6671811b315ae2a6eda866a2a", + "zh:d8e90ecfb3216f3cc13ccde5a16da64307abb6e22453aed2ac3067bbf689313b", + "zh:d9054e0e40705df729682ad34c20db8695d57f182c65963abd151c6aba1ab0d3", + "zh:ecf3a4f3c57eb7e89f71b8559e2a71e4cdf94eea0118ec4f2cb37e4f4d71a069", ] } diff --git a/cluster/README.md b/cluster/README.md index 17daba8..3427faf 100644 --- a/cluster/README.md +++ b/cluster/README.md @@ -11,7 +11,7 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 5.80.0 | +| [aws](#provider\_aws) | 5.82.2 | | [kubectl](#provider\_kubectl) | 1.14.0 | | [kubernetes](#provider\_kubernetes) | 2.24.0 | 
@@ -19,12 +19,12 @@ | Name | Source | Version | |------|--------|---------| -| [allow\_assume\_eks\_admins\_iam\_policy](#module\_allow\_assume\_eks\_admins\_iam\_policy) | terraform-aws-modules/iam/aws//modules/iam-policy | 5.15.0 | -| [allow\_eks\_access\_iam\_policy](#module\_allow\_eks\_access\_iam\_policy) | terraform-aws-modules/iam/aws//modules/iam-policy | 5.15.0 | +| [allow\_assume\_eks\_admins\_iam\_policy](#module\_allow\_assume\_eks\_admins\_iam\_policy) | terraform-aws-modules/iam/aws//modules/iam-policy | 5.48.0 | +| [allow\_eks\_access\_iam\_policy](#module\_allow\_eks\_access\_iam\_policy) | terraform-aws-modules/iam/aws//modules/iam-policy | 5.48.0 | | [ebs\_csi\_irsa](#module\_ebs\_csi\_irsa) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | ~> 5.0 | | [eks](#module\_eks) | terraform-aws-modules/eks/aws | 19.13.1 | -| [eks\_admins\_iam\_role](#module\_eks\_admins\_iam\_role) | terraform-aws-modules/iam/aws//modules/iam-assumable-role | 5.15.0 | -| [iam\_user](#module\_iam\_user) | terraform-aws-modules/iam/aws//modules/iam-user | n/a | +| [eks\_admins\_iam\_role](#module\_eks\_admins\_iam\_role) | terraform-aws-modules/iam/aws//modules/iam-assumable-role | 5.48.0 | +| [iam\_user](#module\_iam\_user) | terraform-aws-modules/iam/aws//modules/iam-user | 5.48.0 | | [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.0 | | [vpc\_cni\_irsa](#module\_vpc\_cni\_irsa) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | ~> 5.0 | 
@@ -56,26 +56,23 @@ | [AWS\_REGION](#input\_AWS\_REGION) | Target AWS region | `string` | `"eu-west-2"` | no | | [AWS\_SECRET\_ACCESS\_KEY](#input\_AWS\_SECRET\_ACCESS\_KEY) | AWS secret key associated with the access key | `string` | `""` | no | | [AWS\_SESSION\_TOKEN](#input\_AWS\_SESSION\_TOKEN) | Session token for temporary security credentials from AWS STS | `string` | `""` | no | -| [common\_tags](#input\_common\_tags) | Common tags associated to resources created | `map(string)` |
{
"Environment": "dev",
"Project": "radar-base"
}
| no | +| [common\_tags](#input\_common\_tags) | Common tags associated to resources created | `map(string)` |
{
"Environment": "dev",
"Project": "radar-base"
}
| no | | [create\_dmz\_node\_group](#input\_create\_dmz\_node\_group) | Whether or not to create a DMZ node group with taints | `bool` | `false` | no | | [defaut\_storage\_class](#input\_defaut\_storage\_class) | Default storage class used for describing the EBS usage | `string` | `"radar-base-ebs-sc-gp2"` | no | -| [dmz\_node\_size](#input\_dmz\_node\_size) | Node size of the DMZ node group | `map(number)` |
{
"desired": 1,
"max": 2,
"min": 0
}
| no | +| [dmz\_node\_size](#input\_dmz\_node\_size) | Node size of the DMZ node group | `map(number)` |
{
"desired": 1,
"max": 2,
"min": 0
}
| no | | [eks\_admins\_group\_users](#input\_eks\_admins\_group\_users) | EKS admin IAM user group | `list(string)` | `[]` | no | | [eks\_cluster\_name](#input\_eks\_cluster\_name) | EKS cluster name | `string` | n/a | yes | | [eks\_kubernetes\_version](#input\_eks\_kubernetes\_version) | Amazon EKS Kubernetes version | `string` | `"1.31"` | no | -| [environment](#input\_environment) | Environment name | `string` | `"dev"` | no | | [instance\_capacity\_type](#input\_instance\_capacity\_type) | Capacity type used by EKS managed node groups | `string` | `"SPOT"` | no | -| [instance\_types](#input\_instance\_types) | List of instance types used by EKS managed node groups | `list(any)` |
[
"m5.large",
"m5d.large",
"m5a.large",
"m5ad.large",
"m4.large"
]
| no | -| [worker\_node\_size](#input\_worker\_node\_size) | Node size of the worker node group | `map(number)` |
{
"desired": 2,
"max": 10,
"min": 0
}
| no | +| [instance\_types](#input\_instance\_types) | List of instance types used by EKS managed node groups | `list(any)` |
[
"m5.large",
"m5d.large",
"m5a.large",
"m5ad.large",
"m4.large"
]
| no | +| [worker\_node\_size](#input\_worker\_node\_size) | Node size of the worker node group | `map(number)` |
{
"desired": 2,
"max": 10,
"min": 0
}
| no | ## Outputs | Name | Description | |------|-------------| -| [radar\_base\_ebs\_storage\_class\_gp2](#output\_radar\_base\_ebs\_storage\_class\_gp2) | n/a | -| [radar\_base\_ebs\_storage\_class\_gp3](#output\_radar\_base\_ebs\_storage\_class\_gp3) | n/a | -| [radar\_base\_ebs\_storage\_class\_io1](#output\_radar\_base\_ebs\_storage\_class\_io1) | n/a | -| [radar\_base\_ebs\_storage\_class\_io2](#output\_radar\_base\_ebs\_storage\_class\_io2) | n/a | +| [assume\_eks\_admins\_role](#output\_assume\_eks\_admins\_role) | EKS admin role ARN | +| [radar\_base\_default\_storage\_class](#output\_radar\_base\_default\_storage\_class) | n/a | | [radar\_base\_eks\_cluser\_endpoint](#output\_radar\_base\_eks\_cluser\_endpoint) | n/a | | [radar\_base\_eks\_cluser\_kms\_key\_arn](#output\_radar\_base\_eks\_cluser\_kms\_key\_arn) | n/a | | [radar\_base\_eks\_cluster\_name](#output\_radar\_base\_eks\_cluster\_name) | n/a | diff --git a/cluster/ebs.tf b/cluster/ebs.tf index 8649949..30cc62c 100644 --- a/cluster/ebs.tf +++ b/cluster/ebs.tf @@ -2,7 +2,7 @@ resource "kubectl_manifest" "ebs_storage_classes" { for_each = local.storage_classes yaml_body = <<-YAML - apiVersion: storage.k8s.io/v1 + apiVersion: storage.k8s.io/v1 kind: StorageClass metadata: name: ${each.value} diff --git a/cluster/eks.tf b/cluster/eks.tf index b55289c..a7b5578 100644 --- a/cluster/eks.tf +++ b/cluster/eks.tf @@ -233,4 +233,4 @@ resource "aws_vpc_security_group_ingress_rule" "vpc_endpoints_access" { depends_on = [ aws_security_group.vpc_endpoint ] -} \ No newline at end of file +} diff --git a/cluster/iam.tf b/cluster/iam.tf index 533684e..a76f06a 100644 --- a/cluster/iam.tf +++ b/cluster/iam.tf @@ -1,6 +1,6 @@ module "allow_eks_access_iam_policy" { source = "terraform-aws-modules/iam/aws//modules/iam-policy" - version = "5.15.0" + version = "5.48.0" name = "${var.eks_cluster_name}-allow-eks-access" create_policy = true 
@@ -42,7 +42,7 @@ module "allow_eks_access_iam_policy" {
 
 module "eks_admins_iam_role" {
 source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
- version = "5.15.0"
+ version = "5.48.0"
 
 role_description = "The administrative role for the EKS cluster"
 role_name = "${var.eks_cluster_name}-admin-role"
@@ -61,7 +61,7 @@ module "eks_admins_iam_role" {
 
 module "allow_assume_eks_admins_iam_policy" {
 source = "terraform-aws-modules/iam/aws//modules/iam-policy"
- version = "5.15.0"
+ version = "5.48.0"
 
 name = "${var.eks_cluster_name}-allow-assume-eks-admin-role"
 create_policy = true
@@ -89,7 +89,8 @@ resource "aws_iam_policy_attachment" "eks_admins_policy_attachment" {
 }
 
 module "iam_user" {
- source = "terraform-aws-modules/iam/aws//modules/iam-user"
+ source = "terraform-aws-modules/iam/aws//modules/iam-user"
+ version = "5.48.0"
 
 name = "${var.eks_cluster_name}-ecr-readonly-user"
 create_iam_user_login_profile = false
diff --git a/cluster/outputs.tf b/cluster/outputs.tf
index c56e41f..7a892bc 100644
--- a/cluster/outputs.tf
+++ b/cluster/outputs.tf
@@ -10,6 +10,11 @@ output "radar_base_eks_cluser_kms_key_arn" {
 value = module.eks.kms_key_arn
 }
 
+output "assume_eks_admins_role" {
+ description = "EKS admin role ARN"
+ value = module.allow_assume_eks_admins_iam_policy.arn
+}
+
 output "radar_base_eks_dmz_node_group_name" {
 value = var.create_dmz_node_group ? element(split(":", module.eks.eks_managed_node_groups["dmz-${var.eks_cluster_name}"].node_group_id), 1) : null
 }
diff --git a/cluster/provider.tf b/cluster/provider.tf
index 485fb0b..5f1da03 100644
--- a/cluster/provider.tf
+++ b/cluster/provider.tf
@@ -28,4 +28,4 @@ provider "kubectl" {
 args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name, "--region", var.AWS_REGION, "--profile", var.AWS_PROFILE]
 command = "aws"
 }
-}
\ No newline at end of file
+}
diff --git a/cluster/variables.tf b/cluster/variables.tf
index e487a71..36a5b56 100644
--- a/cluster/variables.tf
+++ b/cluster/variables.tf
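Review bot: In the cluster/outputs.tf hunk, `assume_eks_admins_role` is described as "EKS admin role ARN" but its value is `module.allow_assume_eks_admins_iam_policy.arn`, which is the ARN of the IAM policy that permits assuming the admin role, not the role itself. README.md and devbox.json in this same diff hand this output to `aws eks update-kubeconfig --role-arn`, which records it for `aws eks get-token --role-arn` in the kubeconfig; STS cannot assume a policy ARN, so the first `kubectl` call against the new context will fail. The role is created by `module.eks_admins_iam_role` (the iam-assumable-role module exposes it as `iam_role_arn`), so the line should read `value = module.eks_admins_iam_role.iam_role_arn`.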
@@ -41,12 +41,6 @@ variable "eks_cluster_name" {
 }
 }
 
-variable "environment" {
- type = string
- description = "Environment name"
- default = "dev"
-}
-
 variable "common_tags" {
 type = map(string)
 description = "Common tags associated to resources created"
diff --git a/config/.terraform.lock.hcl b/config/.terraform.lock.hcl
index 11e625f..85c706e 100644
--- a/config/.terraform.lock.hcl
+++ b/config/.terraform.lock.hcl
@@ -19,25 +19,25 @@ provider "registry.terraform.io/gavinbunney/kubectl" { } provider "registry.terraform.io/hashicorp/aws" { - version = "5.80.0" + version = "5.82.2" constraints = ">= 4.0.0, >= 4.57.0, >= 5.0.0, < 6.0.0" hashes = [ - "h1:N5Wfsf4xe5DJfSeo0G/ulkIxzyfmUIoSj/hAiZ2DaKU=", - "zh:0b1655e39639d60f2de2860a5df8642f9556ba0ca04529c1b861fde4935cb0df", - "zh:13dc0155e0a11edceee29ce687fc04c5a5a85f3324c67556472713cfd52e5807", - "zh:180f6cb2be44be14cfe329e0649121b774319f083b6e4e8fb749f85090d73121", - "zh:3158d44b74c67465f7f19f22c42b643840c8d18ce833e2ec86e8d93085b06926", - "zh:6351b5bf7cde5dc83e926944891570636069e05ca43341f4d1feda67773469bf", - "zh:6fa9db1532096ba50e842d369b6688979306d2295c7ead49b8a266b0d60962cc", - "zh:85d2fe75def7619ff2cc29102048875039cad088fafb62ecc14c3763e7b1e9d9", - "zh:9028d653f1d7341c6dfe2afe961b6541581e9043a474eac2faf90e6426a24f6d", + "h1:RuPaHbllUB8a2TGTyc149wJfoh6zhIEjUvFYKR6iP2E=", + "zh:0262fc96012fb7e173e1b7beadd46dfc25b1dc7eaef95b90e936fc454724f1c8", + "zh:397413613d27f4f54d16efcbf4f0a43c059bd8d827fe34287522ae182a992f9b", + "zh:436c0c5d56e1da4f0a4c13129e12a0b519d12ab116aed52029b183f9806866f3", + "zh:4d942d173a2553d8d532a333a0482a090f4e82a2238acf135578f163b6e68470", + "zh:624aebc549bfbce06cc2ecfd8631932eb874ac7c10eb8466ce5b9a2fbdfdc724", "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:9c4e248c442bc60f07f9f089e5361f19936833370dc3c04b27916672b765f0e1", - "zh:a710a3979596e3f3938c3ec6bb748e604724d3a4afa96ed2c14f0a245cc41a11", - "zh:c27936bdf447779d0c0833bf52a9ef618985f5ea8e3e243d6266513520ca31c4", - "zh:c7681134a123486e72eaedc3f8d2d75e267dbbfd45fa7de5aea8f757af57f89b", - "zh:ea717ebad3561fd02591f9eecf30f3df5635405556fba2bdbf29fd42691bebac", - "zh:f4e1e8f23c58c3e8f4371f9c3379a723ab4155246e6b6daad8eb99e16666b2cb", + "zh:9e632dee2dfdf01b371cca7854b1ec63ceefa75790e619b0642b34d5514c6733", + "zh:a07567acb115b60a3df8f6048d12735b9b3bcf85ec92a62f77852e13d5a3c096", + 
"zh:ab7002df1a1be6432ac0eb1b9f6f0dd3db90973cd5b1b0b33d2dae54553dfbd7", + "zh:bc1ff65e2016b018b3e84db7249b2cd0433cb5c81dc81f9f6158f2197d6b9fde", + "zh:bcad84b1d767f87af6e1ba3dc97fdb8f2ad5de9224f192f1412b09aba798c0a8", + "zh:cf917dceaa0f9d55d9ff181b5dcc4d1e10af21b6671811b315ae2a6eda866a2a", + "zh:d8e90ecfb3216f3cc13ccde5a16da64307abb6e22453aed2ac3067bbf689313b", + "zh:d9054e0e40705df729682ad34c20db8695d57f182c65963abd151c6aba1ab0d3", + "zh:ecf3a4f3c57eb7e89f71b8559e2a71e4cdf94eea0118ec4f2cb37e4f4d71a069", ] } diff --git a/config/README.md b/config/README.md index e9f9d8c..24c9b3b 100644 --- a/config/README.md +++ b/config/README.md @@ -12,7 +12,7 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 5.80.0 | +| [aws](#provider\_aws) | 5.82.2 | | [helm](#provider\_helm) | 2.11.0 | | [kubectl](#provider\_kubectl) | 1.14.0 | | [kubernetes](#provider\_kubernetes) | 2.24.0 | @@ -77,7 +77,6 @@ | [aws_security_group.node](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source | | [aws_security_group.vpc_default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source | | [aws_subnets.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | -| [aws_subnets.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | | [aws_vpc.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | ## Inputs 
@@ -89,7 +88,7 @@ | [AWS\_REGION](#input\_AWS\_REGION) | Target AWS region | `string` | `"eu-west-2"` | no | | [AWS\_SECRET\_ACCESS\_KEY](#input\_AWS\_SECRET\_ACCESS\_KEY) | AWS secret key associated with the access key | `string` | n/a | yes | | [AWS\_SESSION\_TOKEN](#input\_AWS\_SESSION\_TOKEN) | Session token for temporary security credentials from AWS STS | `string` | `""` | no | -| [common\_tags](#input\_common\_tags) | Common tags associated to resources created | `map(string)` |
{
"Environment": "dev",
"Project": "radar-base"
}
| no | +| [common\_tags](#input\_common\_tags) | Common tags associated to resources created | `map(string)` |
{
"Environment": "dev",
"Project": "radar-base"
}
| no | | [domain\_name](#input\_domain\_name) | Pair of top level domain and hosted zone ID for deployed applications | `map(string)` | `{}` | no | | [eks\_cluster\_name](#input\_eks\_cluster\_name) | EKS cluster name | `string` | n/a | yes | | [enable\_eip](#input\_enable\_eip) | Do you need EIP? [true, false] | `bool` | n/a | yes | diff --git a/config/data.tf b/config/data.tf index 5a83ed8..2c9f8b1 100644 --- a/config/data.tf +++ b/config/data.tf @@ -5,17 +5,6 @@ data "aws_vpc" "main" { } } -data "aws_subnets" "public" { - filter { - name = "tag:Name" - values = ["${var.eks_cluster_name}-vpc"] - } - filter { - name = "tag:subnet-type" - values = ["public"] - } -} - data "aws_subnets" "private" { filter { name = "tag:Name" diff --git a/config/eip.tf b/config/eip.tf index f3e0ee9..cea222e 100644 --- a/config/eip.tf +++ b/config/eip.tf @@ -12,4 +12,4 @@ output "radar_base_eip_allocation_id" { output "radar_base_eip_public_dns" { value = var.enable_eip ? aws_eip.cluster_loadbalancer_eip[0].public_dns : null -} \ No newline at end of file +} diff --git a/config/ses.tf b/config/ses.tf index e4eff10..cab0b0b 100644 --- a/config/ses.tf +++ b/config/ses.tf @@ -102,4 +102,4 @@ output "radar_base_smtp_host" { output "radar_base_smtp_port" { value = var.enable_ses ? 587 : null -} \ No newline at end of file +} diff --git a/devbox.json b/devbox.json new file mode 100644 index 0000000..ce72852 --- /dev/null +++ b/devbox.json 
@@ -0,0 +1,31 @@
+{
+ "$schema": "https://raw.githubusercontent.com/jetify-com/devbox/0.13.6/.schema/devbox.schema.json",
+ "packages": [
+ "terraform-docs@latest",
+ "terraform@latest",
+ "pre-commit@latest",
+ "tflint@latest",
+ "trivy@latest",
+ "checkov@latest",
+ "kubernetes-helm@latest",
+ ],
+ "shell": {
+ "init_hook": [
+ "echo 'Welcome to devbox!' > /dev/null",
+ "pre-commit install",
+ "cd $DEVBOX_PROJECT_ROOT/cluster && terraform init -upgrade",
+ "cd $DEVBOX_PROJECT_ROOT/config && terraform init -upgrade",
+ ],
+ "scripts": {
+ "install_cluster": [
+ "cd $DEVBOX_PROJECT_ROOT/cluster && terraform apply",
+ "aws eks update-kubeconfig --name `terraform output eks_cluster_name` --alias `terraform output eks_cluster_name` --role-arn `terraform output assume_eks_admins_role`",
+ "kubectl --context `terraform output eks_cluster_name` get nodes",
+ "kubectl --context `terraform output eks_cluster_name` get pods -A"
+ ],
+ "install_config": [
+ "cd $DEVBOX_PROJECT_ROOT/config && terraform apply",
+ ],
+ },
+ },
+}
diff --git a/devbox.lock b/devbox.lock
new file mode 100644
index 0000000..3454007
--- /dev/null
+++ b/devbox.lock
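Review bot: `terraform output eks_cluster_name` in `install_cluster` (and the same command on README.md's `aws eks update-kubeconfig` line) prints a string output wrapped in double quotes, so `--name`, `--alias` and `--context` receive a value with literal quote characters; every substitution needs `terraform output -raw …`. The output name also does not match the outputs table in cluster/README.md from this diff, which lists `radar_base_eks_cluster_name`, so unless an `eks_cluster_name` output exists outside this diff the command fails before reaching the cluster. `terraform init -upgrade` in `init_hook` rewrites `.terraform.lock.hcl` to the newest allowed provider versions on every shell entry, which silently undoes the provider hash pins this commit updates in both lock files; plain `terraform init` verifies against the lock instead. `aws` and `kubectl` are invoked by `install_cluster` but are not in `packages`, so the scripts depend on host-installed binaries unless that is intended.
```json
      "cd $DEVBOX_PROJECT_ROOT/cluster && terraform init",
      "cd $DEVBOX_PROJECT_ROOT/config && terraform init",
    // … unchanged: end of init_hook, start of scripts/install_cluster …
      "aws eks update-kubeconfig --name `terraform output -raw eks_cluster_name` --alias `terraform output -raw eks_cluster_name` --role-arn `terraform output -raw assume_eks_admins_role`",
      "kubectl --context `terraform output -raw eks_cluster_name` get nodes",
      "kubectl --context `terraform output -raw eks_cluster_name` get pods -A"
```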
@@ -0,0 +1,373 @@ +{ + "lockfile_version": "1", + "packages": { + "checkov@latest": { + "last_modified": "2024-12-17T11:43:56Z", + "resolved": "github:NixOS/nixpkgs/4989a246d7a390a859852baddb1013f825435cee#checkov", + "source": "devbox-search", + "version": "3.2.336", + "systems": { + "aarch64-darwin": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/34qgizhgb7340fp9ssry67lsz3qsn0b0-checkov-3.2.336", + "default": true + }, + { + "name": "dist", + "path": "/nix/store/hr9y9y08ywhb1z6j9j13lka0fnjrj6id-checkov-3.2.336-dist" + } + ], + "store_path": "/nix/store/34qgizhgb7340fp9ssry67lsz3qsn0b0-checkov-3.2.336" + }, + "aarch64-linux": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/yzz2a1srrmb73465yhngap6mzfjxm87z-checkov-3.2.336", + "default": true + }, + { + "name": "dist", + "path": "/nix/store/c9811shl3145i4fgrqjwqhvqc5lwqpkz-checkov-3.2.336-dist" + } + ], + "store_path": "/nix/store/yzz2a1srrmb73465yhngap6mzfjxm87z-checkov-3.2.336" + }, + "x86_64-darwin": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/mi1nwxrxrgyc3ky84vnm8qmcf1z71l67-checkov-3.2.336", + "default": true + }, + { + "name": "dist", + "path": "/nix/store/mwqgah52hix58np5smzrw1b0iccn5dvk-checkov-3.2.336-dist" + } + ], + "store_path": "/nix/store/mi1nwxrxrgyc3ky84vnm8qmcf1z71l67-checkov-3.2.336" + }, + "x86_64-linux": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/98ygsbfm2ngzz5czs39lvw6q9rz86a53-checkov-3.2.336", + "default": true + }, + { + "name": "dist", + "path": "/nix/store/ijvaqnsamy7alvlia84p8r6yh8wm1acy-checkov-3.2.336-dist" + } + ], + "store_path": "/nix/store/98ygsbfm2ngzz5czs39lvw6q9rz86a53-checkov-3.2.336" + } + } + }, + "kubernetes-helm@latest": { + "last_modified": "2024-11-28T07:51:56Z", + "resolved": "github:NixOS/nixpkgs/226216574ada4c3ecefcbbec41f39ce4655f78ef#kubernetes-helm", + "source": "devbox-search", + "version": "3.16.3", + "systems": { + "aarch64-darwin": { + "outputs": [ + { + "name": "out", + "path": 
"/nix/store/ppr8wia2hmshknp9yfhr7ivqqigqqq4j-kubernetes-helm-3.16.3", + "default": true + } + ], + "store_path": "/nix/store/ppr8wia2hmshknp9yfhr7ivqqigqqq4j-kubernetes-helm-3.16.3" + }, + "aarch64-linux": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/vsps7v36p9nbx08v8c7x1a36mmknhacy-kubernetes-helm-3.16.3", + "default": true + } + ], + "store_path": "/nix/store/vsps7v36p9nbx08v8c7x1a36mmknhacy-kubernetes-helm-3.16.3" + }, + "x86_64-darwin": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/8xbrzsfv1q0kkranniy99fcszpwmjglr-kubernetes-helm-3.16.3", + "default": true + } + ], + "store_path": "/nix/store/8xbrzsfv1q0kkranniy99fcszpwmjglr-kubernetes-helm-3.16.3" + }, + "x86_64-linux": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/nyrghdw5xi4kiwbsw6vdvnnyra5cy0x7-kubernetes-helm-3.16.3", + "default": true + } + ], + "store_path": "/nix/store/nyrghdw5xi4kiwbsw6vdvnnyra5cy0x7-kubernetes-helm-3.16.3" + } + } + }, + "pre-commit@latest": { + "last_modified": "2024-12-11T16:51:25Z", + "resolved": "github:NixOS/nixpkgs/5a48e3c2e435e95103d56590188cfed7b70e108c#pre-commit", + "source": "devbox-search", + "version": "4.0.1", + "systems": { + "aarch64-darwin": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/jbh4llinhndf7h57plssg0ms40f4fk7y-pre-commit-4.0.1", + "default": true + }, + { + "name": "dist", + "path": "/nix/store/zmsci0rj7a6x7zjz55vymljad5sswyrf-pre-commit-4.0.1-dist" + } + ], + "store_path": "/nix/store/jbh4llinhndf7h57plssg0ms40f4fk7y-pre-commit-4.0.1" + }, + "aarch64-linux": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/vpzshjjwb4s9cfawv3g29zlagzl5lsb8-pre-commit-4.0.1", + "default": true + }, + { + "name": "dist", + "path": "/nix/store/hsw0bqhqwv8d8qb2228piyvxj2gdzl0z-pre-commit-4.0.1-dist" + } + ], + "store_path": "/nix/store/vpzshjjwb4s9cfawv3g29zlagzl5lsb8-pre-commit-4.0.1" + }, + "x86_64-darwin": { + "outputs": [ + { + "name": "out", + "path": 
"/nix/store/kx7jzp4ypyx763n3l5rj9yks2p8x0ihy-pre-commit-4.0.1", + "default": true + }, + { + "name": "dist", + "path": "/nix/store/3m6i4wvfb9lkfx624976ggrghv9qbkvm-pre-commit-4.0.1-dist" + } + ], + "store_path": "/nix/store/kx7jzp4ypyx763n3l5rj9yks2p8x0ihy-pre-commit-4.0.1" + }, + "x86_64-linux": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/93i4sz47hjv2zgyjg3mnqv73bq9maw6x-pre-commit-4.0.1", + "default": true + }, + { + "name": "dist", + "path": "/nix/store/0qqa4xv9igqg2s5n6lymzg6ialmn0mri-pre-commit-4.0.1-dist" + } + ], + "store_path": "/nix/store/93i4sz47hjv2zgyjg3mnqv73bq9maw6x-pre-commit-4.0.1" + } + } + }, + "terraform-docs@latest": { + "last_modified": "2024-11-28T07:51:56Z", + "resolved": "github:NixOS/nixpkgs/226216574ada4c3ecefcbbec41f39ce4655f78ef#terraform-docs", + "source": "devbox-search", + "version": "0.19.0", + "systems": { + "aarch64-darwin": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/9jxrh3ykia6mywnv0qcgbvxlikr5hpd4-terraform-docs-0.19.0", + "default": true + } + ], + "store_path": "/nix/store/9jxrh3ykia6mywnv0qcgbvxlikr5hpd4-terraform-docs-0.19.0" + }, + "aarch64-linux": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/4vh1gz6b2q4qz9zjwyngk1cwpx9j1s55-terraform-docs-0.19.0", + "default": true + } + ], + "store_path": "/nix/store/4vh1gz6b2q4qz9zjwyngk1cwpx9j1s55-terraform-docs-0.19.0" + }, + "x86_64-darwin": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/y4dz04z633irc23v9bkwns90438fnh0j-terraform-docs-0.19.0", + "default": true + } + ], + "store_path": "/nix/store/y4dz04z633irc23v9bkwns90438fnh0j-terraform-docs-0.19.0" + }, + "x86_64-linux": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/am9l6va75gfm576nkz6hn2sp64c1g68n-terraform-docs-0.19.0", + "default": true + } + ], + "store_path": "/nix/store/am9l6va75gfm576nkz6hn2sp64c1g68n-terraform-docs-0.19.0" + } + } + }, + "terraform@latest": { + "last_modified": "2024-12-13T21:43:23Z", + "resolved": 
"github:NixOS/nixpkgs/71a6392e367b08525ee710a93af2e80083b5b3e2#terraform", + "source": "devbox-search", + "version": "1.10.2", + "systems": { + "aarch64-darwin": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/klr8n653xzzamqr5d90lp3wp76adiwlr-terraform-1.10.2", + "default": true + } + ], + "store_path": "/nix/store/klr8n653xzzamqr5d90lp3wp76adiwlr-terraform-1.10.2" + }, + "aarch64-linux": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/bzz0rh5411j9xin9iv1648w2j8a1jn9q-terraform-1.10.2", + "default": true + } + ], + "store_path": "/nix/store/bzz0rh5411j9xin9iv1648w2j8a1jn9q-terraform-1.10.2" + }, + "x86_64-darwin": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/1nydwdx7zzz1h0wa4fazy5kmckm34300-terraform-1.10.2", + "default": true + } + ], + "store_path": "/nix/store/1nydwdx7zzz1h0wa4fazy5kmckm34300-terraform-1.10.2" + }, + "x86_64-linux": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/4r7rridp45wcgrcpdpqdj04k47vlm59r-terraform-1.10.2", + "default": true + } + ], + "store_path": "/nix/store/4r7rridp45wcgrcpdpqdj04k47vlm59r-terraform-1.10.2" + } + } + }, + "tflint@latest": { + "last_modified": "2024-12-03T12:40:06Z", + "resolved": "github:NixOS/nixpkgs/566e53c2ad750c84f6d31f9ccb9d00f823165550#tflint", + "source": "devbox-search", + "version": "0.54.0", + "systems": { + "aarch64-darwin": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/sabnazxmprkn41jlmjm3rs7nq7lgpx65-tflint-0.54.0", + "default": true + } + ], + "store_path": "/nix/store/sabnazxmprkn41jlmjm3rs7nq7lgpx65-tflint-0.54.0" + }, + "aarch64-linux": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/r1ji0p28hi8saglv7xf0jddkxf7cr05n-tflint-0.54.0", + "default": true + } + ], + "store_path": "/nix/store/r1ji0p28hi8saglv7xf0jddkxf7cr05n-tflint-0.54.0" + }, + "x86_64-darwin": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/5x6g32x9s5vmq392b2i6zivcxwl8zrk0-tflint-0.54.0", + "default": true + } + ], + "store_path": 
"/nix/store/5x6g32x9s5vmq392b2i6zivcxwl8zrk0-tflint-0.54.0" + }, + "x86_64-linux": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/317bjlhpw3qnpnwh18wff0rsgk2lqms4-tflint-0.54.0", + "default": true + } + ], + "store_path": "/nix/store/317bjlhpw3qnpnwh18wff0rsgk2lqms4-tflint-0.54.0" + } + } + }, + "trivy@latest": { + "last_modified": "2024-12-08T11:15:23Z", + "resolved": "github:NixOS/nixpkgs/93dc9803a1ee435e590b02cde9589038d5cc3a4e#trivy", + "source": "devbox-search", + "version": "0.58.0", + "systems": { + "aarch64-darwin": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/s2qcbkjqafmq0n81jcpmvczhkhcx47la-trivy-0.58.0", + "default": true + } + ], + "store_path": "/nix/store/s2qcbkjqafmq0n81jcpmvczhkhcx47la-trivy-0.58.0" + }, + "aarch64-linux": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/6w98v86y1mfgxav9wydqsnpwygwvhiib-trivy-0.58.0", + "default": true + } + ], + "store_path": "/nix/store/6w98v86y1mfgxav9wydqsnpwygwvhiib-trivy-0.58.0" + }, + "x86_64-darwin": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/p6h9gw6qsw0g9xmnzhj4mfdf16jfjnz4-trivy-0.58.0", + "default": true + } + ], + "store_path": "/nix/store/p6h9gw6qsw0g9xmnzhj4mfdf16jfjnz4-trivy-0.58.0" + }, + "x86_64-linux": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/1yk8qv2bp70id52yp220gyy0bv1fp93r-trivy-0.58.0", + "default": true + } + ], + "store_path": "/nix/store/1yk8qv2bp70id52yp220gyy0bv1fp93r-trivy-0.58.0" + } + } + } + } +} diff --git a/misc/vpa.yaml b/misc/vpa.yaml index 498235e..1dc526d 100644 --- a/misc/vpa.yaml +++ b/misc/vpa.yaml @@ -419,6 +419,7 @@ spec: cpu: 2 memory: 2Gi controlledResources: ["cpu", "memory"] +--- # --------------------------------- cert-manager --------------------------------- # apiVersion: "autoscaling.k8s.io/v1" kind: VerticalPodAutoscaler @@ -715,4 +716,4 @@ spec: maxAllowed: cpu: 2 memory: 2Gi - controlledResources: ["cpu", "memory"] \ No newline at end of file + controlledResources: ["cpu", "memory"]