diff --git a/.github/workflows/cluster.yaml b/.github/workflows/cluster.yaml deleted file mode 100644 index d3c3680..0000000 --- a/.github/workflows/cluster.yaml +++ /dev/null @@ -1,33 +0,0 @@ -name: TF Validate Cluster - -on: - push: - branches: [ main ] - pull_request: - branches: [ main ] - -env: - TERRAFORM_VERSION: 1.7.5 - -jobs: - build: - runs-on: ubuntu-latest - defaults: - run: - shell: bash - working-directory: ./cluster - steps: - - name: Checkout - uses: actions/checkout@v3 - - name: Setup Terraform - uses: hashicorp/setup-terraform@v2 - with: - terraform_version: ${{ env.TERRAFORM_VERSION }} - - name: Init - run: | - rm -rf .terraform - terraform init -backend=false - - name: Format - run: terraform fmt -check - - name: Validate - run: terraform validate -no-color diff --git a/.github/workflows/config.yaml b/.github/workflows/config.yaml deleted file mode 100644 index 9fa1ae3..0000000 --- a/.github/workflows/config.yaml +++ /dev/null @@ -1,33 +0,0 @@ -name: TF Validate Config - -on: - push: - branches: [ main ] - pull_request: - branches: [ main ] - -env: - TERRAFORM_VERSION: 1.7.5 - -jobs: - build: - runs-on: ubuntu-latest - defaults: - run: - shell: bash - working-directory: ./config - steps: - - name: Checkout - uses: actions/checkout@v3 - - name: Setup Terraform - uses: hashicorp/setup-terraform@v2 - with: - terraform_version: ${{ env.TERRAFORM_VERSION }} - - name: Init - run: | - rm -rf .terraform - terraform init -backend=false - - name: Format - run: terraform fmt -check - - name: Validate - run: terraform validate -no-color \ No newline at end of file diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml new file mode 100644 index 0000000..d922b58 --- /dev/null +++ b/.github/workflows/pre-commit.yaml 
@@ -0,0 +1,23 @@ +name: Pre-commit hooks + +on: + push: + branches: [ main ] + pull_request: + branches: [ main ] + +permissions: read-all + +jobs: + pre-commit: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + + - name: Install devbox + uses: jetify-com/devbox-install-action@v0.11.0 + with: + enable-cache: 'true' + + - name: Run pre-commit on all files + run: devbox run -- pre-commit run --verbose --all-files --show-diff-on-failure diff --git a/.gitignore b/.gitignore index 8699f6f..d9624df 100644 --- a/.gitignore +++ b/.gitignore @@ -10,8 +10,8 @@ crash.log crash.*.log # Exclude all .tfvars files, which are likely to contain sensitive data, such as -# password, private keys, and other secrets. These should not be part of version -# control as they are data points which are potentially sensitive and subject +# password, private keys, and other secrets. These should not be part of version +# control as they are data points which are potentially sensitive and subject # to change depending on the environment. *.tfvars *.tfvars.json diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 0000000..8a2dc60 --- /dev/null +++ b/.pre-commit-config.yaml 
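Review bot: The new workflow references `actions/checkout@v3` and `jetify-com/devbox-install-action@v0.11.0` by mutable tag, whereas the rest of this commit pins every Terraform module to a commit SHA; a retargeted tag silently changes what runs in CI, so pin each action to its full commit SHA and keep the tag as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v3`. `permissions: read-all` is a sensible top-level default, but this job only reads the repository, so `permissions:` / `contents: read` is the tighter scope. The tool versions the job actually executes presumably come from a `devbox.json`/`devbox.lock` that is not in this diff; confirm the lock file is committed so the hook toolchain is reproducible across CI and developer machines.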
@@ -0,0 +1,51 @@
+# See https://pre-commit.com for more information
+# See https://pre-commit.com/hooks.html for more hooks
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v5.0.0
+ hooks:
+ - id: trailing-whitespace
+ - id: end-of-file-fixer
+ exclude: |
+ (?x)^(
+ config/README.md|
+ cluster/README.md
+ )$
+ - id: mixed-line-ending
+ - id: check-yaml
+ args:
+ - --allow-multiple-documents
+ - id: check-added-large-files
+ - id: check-executables-have-shebangs
+ - id: check-shebang-scripts-are-executable
+ - id: check-merge-conflict
+ - id: no-commit-to-branch
+- repo: https://github.com/antonbabenko/pre-commit-terraform
+ rev: v1.96.2
+ hooks:
+ - id: terraform_fmt
+ - id: terraform_validate
+ - id: terraform_tflint
+ - id: terraform_trivy
+ args:
+ - --args=--severity MEDIUM,HIGH,CRITICAL
+ - --args=--skip-dirs="*/.terraform"
+ - --args=--tf-exclude-downloaded-modules
+ - id: terraform_checkov
+ args:
+ - --args=--quiet
+ - --args=--download-external-modules False
+- repo: local
+ hooks:
+ - id: terraform-docs-cluster
+ name: Generate docs for the Terraform cluster/
+ language: system
+ entry: terraform-docs markdown table cluster/
+ pass_filenames: false
+ files: 'cluster/'
+ - id: terraform-docs-config
+ name: Generate docs for the Terraform config/
+ language: system
+ entry: terraform-docs markdown table config/
+ pass_filenames: false
+ files: 'config/'
diff --git a/Makefile b/Makefile
deleted file mode 100644
index bc5d9ef..0000000
--- a/Makefile
+++ /dev/null
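Review bot: `no-commit-to-branch` fails whenever HEAD is on `main`, and the new workflow runs `pre-commit run --all-files` on every push to `main` after an `actions/checkout` that presumably leaves HEAD on that branch, so the CI job is likely to fail on every push to `main` rather than only on local commits; either give the hook `stages: [pre-commit]` and run CI with `SKIP=no-commit-to-branch`, or drop it from the config and rely on branch protection. The `rev:` values `v5.0.0` and `v1.96.2` are mutable tags for code that pre-commit fetches and executes on every developer commit and in CI; pre-commit accepts a commit SHA in `rev:`, which would match the SHA pinning this commit applies to the Terraform modules. Note also that `--tf-exclude-downloaded-modules` and `--download-external-modules False` keep trivy and checkov from scanning the pinned upstream EKS/VPC/IAM modules, so findings inside those modules never surface here; a one-line comment above those args saying so would save the next reader from assuming the modules are covered.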
@@ -1,15 +0,0 @@ -prepare: - @echo === Cluster === - @echo Generate docs - @terraform-docs markdown table cluster - @echo Fixing the formatting - @cd cluster && terraform fmt - @echo Validating Terraform code - @cd cluster && terraform init -backend=false && terraform validate - @echo === Config === - @echo Generate docs - @terraform-docs markdown table config - @echo Fixing the formatting - @cd config && terraform fmt - @echo Validating Terraform code - @cd config && terraform init -backend=false && terraform validate diff --git a/README.md b/README.md index bf134d3..1970eb2 100644 --- a/README.md +++ b/README.md @@ -4,8 +4,8 @@ This repository aims to provide [IaC](https://en.wikipedia.org/wiki/Infrastructu --- -[![Terraform validate](https://github.com/phidatalab/RADAR-K8s-Infrastructure/actions/workflows/cluster.yaml/badge.svg)](https://github.com/phidatalab/RADAR-K8s-Infrastructure/actions/workflows/cluster.yaml/badge.svg) -[![Terraform validate](https://github.com/phidatalab/RADAR-K8s-Infrastructure/actions/workflows/config.yaml/badge.svg)](https://github.com/phidatalab/RADAR-K8s-Infrastructure/actions/workflows/config.yaml/badge.svg) +[![Lint and validate](https://github.com/RADAR-base/RADAR-K8s-Infrastructure/actions/workflows/pre-commit.yaml/badge.svg)](https://github.com/phidatalab/RADAR-K8s-Infrastructure/actions/workflows/pre-commit.yaml/badge.svg) +[![Join our community Slack](https://img.shields.io/badge/slack-radarbase-success.svg?logo=slack)](https://docs.google.com/forms/d/e/1FAIpQLScKNZ-QonmxNkekDMLLbP-b_IrNHyDRuQValBy1BAsLOjEFpg/viewform) # Dependencies 
@@ -18,6 +18,15 @@ It is recommended that you use RADAR-K8s-Infrastructure as a template and create +## Workspaces + +The definition of resources required for running RADAR-base components is located in the `cluster` directory, while other optional resources are defined in the `config` directory. Please treat each directory as a separate workspace and perform terraform operations individually. The `cluster` resources need to be created and made fully available before you proceed with the creation of the `config` ones. + +To retain the user-specific configurations for future infrastructure updates, modify `terraform.tfvars` within the workspace and push the change to your repository. If needed, additional variables defined in `variables.tf` can also be included there. +| :information_source: Important Notice | +|:----------------------------------------| +|As a best practice, never save raw values of secret variables in your repository. Instead, always encrypt them before committing. If your cluster is no longer in use, run `terraform destroy` to delete all the associated resources and reduce your cloud spending. If you have resources created within `config`, run `terraform destroy` in that directory before running the counterpart in `cluster`.| + ## Configure credentials ``` 
@@ -28,15 +37,6 @@ export TF_VAR_AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY export TF_VAR_AWS_SESSION_TOKEN=$AWS_SESSION_TOKEN ``` -## Workspaces - -The definition of resources required for running RADAR-base components is located in the `cluster` directory, while other optional resources are defined in the `config` directory. Please treat each directory as a separate workspace and perform terraform operations individually. The `cluster` resources need to be created and made fully available before you proceed with the creation of the `config` ones. - -To retain the user-specific configurations for future infrastructure updates, modify `terraform.tfvars` within the workspace and push the change to your repository. If needed, additional variables defined in `variables.tf` can also be included there. -| :information_source: Important Notice | -|:----------------------------------------| -|As a best practice, never save raw values of secret variables in your repository. Instead, always encrypt them before committing. If your cluster is no longer in use, run `terraform destroy` to delete all the associated resources and reduce your cloud spending. If you have resources created within `config`, run `terraform destroy` in that directory before running the counterpart in `cluster`.| - ## Create the infrastructure ``` @@ -79,7 +79,7 @@ Created resources: ``` # Make sure to use --region if the cluster is deployed in non-default region and --profile if the cluster is deployed in a non-default AWS account -aws eks update-kubeconfig --name [eks_cluster_name] +aws eks update-kubeconfig --name `terraform output eks_cluster_name` --alias `terraform output eks_cluster_name` --role-arn `terraform output assume_eks_admins_role` kubectl get nodes kubectl get pods -A ``` 
@@ -91,6 +91,7 @@ terraform output ``` Note that output values can be crucial for configuring certain RADAR-base components prior to deployment. For instance, if you are using the nginx-ingress controller with NLB, specify the subnet(s) and the EIP allocation ID as follows: + ```yaml nginx_ingress: _install: true @@ -105,7 +106,6 @@ nginx_ingress: You could also automate this value injection by implementing your own templating strategy to customise `production.yaml`. - ## Configure the cluster (optional) N.B.: To get external DNS, Cert Manager and SMTP working via Route 53 (if chosen as your DNS service), you need to configure your registered top-level domain and its corresponding hosted zone ID via variable `domain_name` in [config/terraform.tfvars](./config/terraform.tfvars). Additionally, set `enable_route53` to `true`. @@ -134,7 +134,13 @@ Created resources (if all enabled): ## Contributing -Make sure to install [terraform-docs](https://github.com/terraform-docs/terraform-docs) and run `make prepare` before making a commit to make sure the documentation is up to date and the code is valid. +The dependencies and linting tools and managed via Devbox, you need to [install it](https://jetify-com.vercel.app/docs/devbox/installing_devbox/#install-devbox) before proceeding. Once that is done you can run + +``` +devbox shell +``` + +To download all of the dependencies and install to Git hooks to lint the configuration before it is commited. In order to support new version of EKS you need to make sure the addons that we use are compatible with the new target version. You can get a list of addons and their EKS compatiblity with running `aws eks describe-addons-versions` and then searching for the addons that are defined in [cluster/data.tf](./cluster/data.tf). diff --git a/cluster/.terraform.lock.hcl b/cluster/.terraform.lock.hcl index 23a0902..9042ee3 100644 --- a/cluster/.terraform.lock.hcl +++ b/cluster/.terraform.lock.hcl 
@@ -5,7 +5,6 @@ provider "registry.terraform.io/gavinbunney/kubectl" { version = "1.14.0" constraints = "~> 1.14.0" hashes = [ - "h1:ItrWfCZMzM2JmvDncihBMalNLutsAk7kyyxVRaipftY=", "h1:gLFn+RvP37sVzp9qnFCwngRjjFV649r6apjxvJ1E/SE=", "zh:0350f3122ff711984bbc36f6093c1fe19043173fad5a904bce27f86afe3cc858", "zh:07ca36c7aa7533e8325b38232c77c04d6ef1081cb0bac9d56e8ccd51f12f2030", 
@@ -20,26 +19,25 @@ provider "registry.terraform.io/gavinbunney/kubectl" { } provider "registry.terraform.io/hashicorp/aws" { - version = "5.80.0" + version = "5.82.2" constraints = ">= 3.72.0, >= 4.0.0, >= 4.47.0, >= 4.57.0, >= 5.0.0, >= 5.46.0, < 6.0.0" hashes = [ - "h1:N5Wfsf4xe5DJfSeo0G/ulkIxzyfmUIoSj/hAiZ2DaKU=", - "h1:q2pqSs7uPWvxunrBYjyirXARlxFIoxn2Lju42uJbxk4=", - "zh:0b1655e39639d60f2de2860a5df8642f9556ba0ca04529c1b861fde4935cb0df", - "zh:13dc0155e0a11edceee29ce687fc04c5a5a85f3324c67556472713cfd52e5807", - "zh:180f6cb2be44be14cfe329e0649121b774319f083b6e4e8fb749f85090d73121", - "zh:3158d44b74c67465f7f19f22c42b643840c8d18ce833e2ec86e8d93085b06926", - "zh:6351b5bf7cde5dc83e926944891570636069e05ca43341f4d1feda67773469bf", - "zh:6fa9db1532096ba50e842d369b6688979306d2295c7ead49b8a266b0d60962cc", - "zh:85d2fe75def7619ff2cc29102048875039cad088fafb62ecc14c3763e7b1e9d9", - "zh:9028d653f1d7341c6dfe2afe961b6541581e9043a474eac2faf90e6426a24f6d", + "h1:RuPaHbllUB8a2TGTyc149wJfoh6zhIEjUvFYKR6iP2E=", + "zh:0262fc96012fb7e173e1b7beadd46dfc25b1dc7eaef95b90e936fc454724f1c8", + "zh:397413613d27f4f54d16efcbf4f0a43c059bd8d827fe34287522ae182a992f9b", + "zh:436c0c5d56e1da4f0a4c13129e12a0b519d12ab116aed52029b183f9806866f3", + "zh:4d942d173a2553d8d532a333a0482a090f4e82a2238acf135578f163b6e68470", + "zh:624aebc549bfbce06cc2ecfd8631932eb874ac7c10eb8466ce5b9a2fbdfdc724", "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:9c4e248c442bc60f07f9f089e5361f19936833370dc3c04b27916672b765f0e1", - "zh:a710a3979596e3f3938c3ec6bb748e604724d3a4afa96ed2c14f0a245cc41a11", - "zh:c27936bdf447779d0c0833bf52a9ef618985f5ea8e3e243d6266513520ca31c4", - "zh:c7681134a123486e72eaedc3f8d2d75e267dbbfd45fa7de5aea8f757af57f89b", - "zh:ea717ebad3561fd02591f9eecf30f3df5635405556fba2bdbf29fd42691bebac", - "zh:f4e1e8f23c58c3e8f4371f9c3379a723ab4155246e6b6daad8eb99e16666b2cb", + "zh:9e632dee2dfdf01b371cca7854b1ec63ceefa75790e619b0642b34d5514c6733", + 
"zh:a07567acb115b60a3df8f6048d12735b9b3bcf85ec92a62f77852e13d5a3c096", + "zh:ab7002df1a1be6432ac0eb1b9f6f0dd3db90973cd5b1b0b33d2dae54553dfbd7", + "zh:bc1ff65e2016b018b3e84db7249b2cd0433cb5c81dc81f9f6158f2197d6b9fde", + "zh:bcad84b1d767f87af6e1ba3dc97fdb8f2ad5de9224f192f1412b09aba798c0a8", + "zh:cf917dceaa0f9d55d9ff181b5dcc4d1e10af21b6671811b315ae2a6eda866a2a", + "zh:d8e90ecfb3216f3cc13ccde5a16da64307abb6e22453aed2ac3067bbf689313b", + "zh:d9054e0e40705df729682ad34c20db8695d57f182c65963abd151c6aba1ab0d3", + "zh:ecf3a4f3c57eb7e89f71b8559e2a71e4cdf94eea0118ec4f2cb37e4f4d71a069", ] } @@ -48,7 +46,6 @@ provider "registry.terraform.io/hashicorp/cloudinit" { constraints = ">= 2.0.0" hashes = [ "h1:HCoabXm6NQwCivl1q24+l9VUufc2mFqNeulsQBA9iFg=", - "h1:Sf1Lt21oTADbzsnlU38ylpkl8YXP0Beznjcy5F/Yx64=", "zh:17c20574de8eb925b0091c9b6a4d859e9d6e399cd890b44cfbc028f4f312ac7a", "zh:348664d9a900f7baf7b091cf94d657e4c968b240d31d9e162086724e6afc19d5", "zh:5a876a468ffabff0299f8348e719cb704daf81a4867f8c6892f3c3c4add2c755", @@ -68,7 +65,6 @@ provider "registry.terraform.io/hashicorp/kubernetes" { version = "2.24.0" constraints = ">= 2.10.0, ~> 2.24.0" hashes = [ - "h1:8Ov9r+eCpuqY9LNjG3I8vKT0hX/FkyzuDxQySZVt9i4=", "h1:u9lRMCdNXcB5/WQTZVMvGhNliW2pKOzj3SOVbu9yPpg=", "zh:0ed83ec390a7e75c4990ebce698f14234de2b6204ed9a01cd042bb7ea5f26564", "zh:195150e4fdab259c70088528006f4604557a051e037ebe8de64e92840f27e40a", @@ -90,7 +86,6 @@ provider "registry.terraform.io/hashicorp/time" { constraints = ">= 0.9.0" hashes = [ "h1:6BhxSYBJdBBKyuqatOGkuPKVenfx6UmLdiI13Pb3his=", - "h1:JzYsPugN8Fb7C4NlfLoFu7BBPuRVT2/fCOdCaxshveI=", "zh:090023137df8effe8804e81c65f636dadf8f9d35b79c3afff282d39367ba44b2", "zh:26f1e458358ba55f6558613f1427dcfa6ae2be5119b722d0b3adb27cd001efea", "zh:272ccc73a03384b72b964918c7afeb22c2e6be22460d92b150aaf28f29a7d511", 
@@ -111,7 +106,6 @@ provider "registry.terraform.io/hashicorp/tls" { constraints = ">= 3.0.0" hashes = [ "h1:dYSb3V94K5dDMtrBRLPzBpkMTPn+3cXZ/kIJdtFL+2M=", - "h1:n3M50qfWfRSpQV9Pwcvuse03pEizqrmYEryxKky4so4=", "zh:10de0d8af02f2e578101688fd334da3849f56ea91b0d9bd5b1f7a243417fdda8", "zh:37fc01f8b2bc9d5b055dc3e78bfd1beb7c42cfb776a4c81106e19c8911366297", "zh:4578ca03d1dd0b7f572d96bd03f744be24c726bfd282173d54b100fd221608bb", diff --git a/cluster/README.md b/cluster/README.md index e87d2fb..dcf110f 100644 --- a/cluster/README.md +++ b/cluster/README.md @@ -11,7 +11,7 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 5.80.0 | +| [aws](#provider\_aws) | 5.82.2 | | [kubectl](#provider\_kubectl) | 1.14.0 | | [kubernetes](#provider\_kubernetes) | 2.24.0 | 
@@ -19,14 +19,14 @@ | Name | Source | Version | |------|--------|---------| -| [allow\_assume\_eks\_admins\_iam\_policy](#module\_allow\_assume\_eks\_admins\_iam\_policy) | terraform-aws-modules/iam/aws//modules/iam-policy | 5.15.0 | -| [allow\_eks\_access\_iam\_policy](#module\_allow\_eks\_access\_iam\_policy) | terraform-aws-modules/iam/aws//modules/iam-policy | 5.15.0 | -| [ebs\_csi\_irsa](#module\_ebs\_csi\_irsa) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | ~> 5.0 | -| [eks](#module\_eks) | terraform-aws-modules/eks/aws | 19.13.1 | -| [eks\_admins\_iam\_role](#module\_eks\_admins\_iam\_role) | terraform-aws-modules/iam/aws//modules/iam-assumable-role | 5.15.0 | -| [iam\_user](#module\_iam\_user) | terraform-aws-modules/iam/aws//modules/iam-user | n/a | -| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.0 | -| [vpc\_cni\_irsa](#module\_vpc\_cni\_irsa) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | ~> 5.0 | +| [allow\_assume\_eks\_admins\_iam\_policy](#module\_allow\_assume\_eks\_admins\_iam\_policy) | git::https://github.com/terraform-aws-modules/terraform-aws-iam.git//modules/iam-policy | e20e0b9a42084bbc885fd5abb18b8744810bd567 | +| [allow\_eks\_access\_iam\_policy](#module\_allow\_eks\_access\_iam\_policy) | git::https://github.com/terraform-aws-modules/terraform-aws-iam.git//modules/iam-policy | e20e0b9a42084bbc885fd5abb18b8744810bd567 | +| [ebs\_csi\_irsa](#module\_ebs\_csi\_irsa) | git::https://github.com/terraform-aws-modules/terraform-aws-iam.git//modules/iam-role-for-service-accounts-eks | e20e0b9a42084bbc885fd5abb18b8744810bd567 | +| [eks](#module\_eks) | git::https://github.com/terraform-aws-modules/terraform-aws-eks.git | 2cb1fac31b0fc2dd6a236b0c0678df75819c5a3b | +| [eks\_admins\_iam\_role](#module\_eks\_admins\_iam\_role) | git::https://github.com/terraform-aws-modules/terraform-aws-iam.git//modules/iam-assumable-role | e20e0b9a42084bbc885fd5abb18b8744810bd567 | +| 
[iam\_user](#module\_iam\_user) | git::https://github.com/terraform-aws-modules/terraform-aws-iam.git//modules/iam-user | e20e0b9a42084bbc885fd5abb18b8744810bd567 | +| [vpc](#module\_vpc) | git::https://github.com/terraform-aws-modules/terraform-aws-vpc.git | 573f574c922782bc658f05523d0c902a4792b0a8 | +| [vpc\_cni\_irsa](#module\_vpc\_cni\_irsa) | git::https://github.com/terraform-aws-modules/terraform-aws-iam.git//modules/iam-role-for-service-accounts-eks | e20e0b9a42084bbc885fd5abb18b8744810bd567 | ## Resources @@ -60,10 +60,10 @@ | [create\_dmz\_node\_group](#input\_create\_dmz\_node\_group) | Whether or not to create a DMZ node group with taints | `bool` | `false` | no | | [default\_storage\_class](#input\_default\_storage\_class) | Default storage class used for describing the EBS usage | `string` | `"radar-base-ebs-sc-gp2"` | no | | [dmz\_node\_size](#input\_dmz\_node\_size) | Node size of the DMZ node group | `map(number)` |
{| no | +| [ecr\_repository\_names](#input\_ecr\_repository\_names) | Default prefixes for ECR repositories if used for hosting the images | `list(string)` |
"desired": 1,
"max": 2,
"min": 0
}
[| no | | [eks\_admins\_group\_users](#input\_eks\_admins\_group\_users) | EKS admin IAM user group | `list(string)` | `[]` | no | | [eks\_cluster\_name](#input\_eks\_cluster\_name) | EKS cluster name | `string` | n/a | yes | | [eks\_kubernetes\_version](#input\_eks\_kubernetes\_version) | Amazon EKS Kubernetes version | `string` | `"1.31"` | no | -| [environment](#input\_environment) | Environment name | `string` | `"dev"` | no | | [instance\_capacity\_type](#input\_instance\_capacity\_type) | Capacity type used by EKS managed node groups | `string` | `"SPOT"` | no | | [instance\_types](#input\_instance\_types) | List of instance types used by EKS managed node groups | `list(any)` |
"ecr-public*",
"k8s*",
"quay*",
"radarbase*"
]
[| no | | [vpc\_cidr](#input\_vpc\_cidr) | VPC CIDR | `string` | `"10.0.0.0/16"` | no | @@ -75,6 +75,7 @@ | Name | Description | |------|-------------| +| [assume\_eks\_admins\_role](#output\_assume\_eks\_admins\_role) | EKS admin role ARN | | [radar\_base\_default\_storage\_class](#output\_radar\_base\_default\_storage\_class) | n/a | | [radar\_base\_eks\_cluster\_endpoint](#output\_radar\_base\_eks\_cluster\_endpoint) | n/a | | [radar\_base\_eks\_cluster\_kms\_key\_arn](#output\_radar\_base\_eks\_cluster\_kms\_key\_arn) | n/a | diff --git a/cluster/eks.tf b/cluster/eks.tf index b55289c..fac2392 100644 --- a/cluster/eks.tf +++ b/cluster/eks.tf @@ -1,6 +1,5 @@ module "vpc_cni_irsa" { - source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - version = "~> 5.0" + source = "git::https://github.com/terraform-aws-modules/terraform-aws-iam.git//modules/iam-role-for-service-accounts-eks?ref=e20e0b9a42084bbc885fd5abb18b8744810bd567" # commit hash of version 5.48.0 role_name = "${var.eks_cluster_name}-vpc-cni-irsa" attach_vpc_cni_policy = true @@ -17,8 +16,7 @@ module "vpc_cni_irsa" { } module "ebs_csi_irsa" { - source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - version = "~> 5.0" + source = "git::https://github.com/terraform-aws-modules/terraform-aws-iam.git//modules/iam-role-for-service-accounts-eks?ref=e20e0b9a42084bbc885fd5abb18b8744810bd567" # commit hash of version 5.48.0 role_name = "${var.eks_cluster_name}-ebs-csi-irsa" attach_ebs_csi_policy = true @@ -101,8 +99,7 @@ locals { } module "eks" { - source = "terraform-aws-modules/eks/aws" - version = "19.13.1" + source = "git::https://github.com/terraform-aws-modules/terraform-aws-eks.git?ref=2cb1fac31b0fc2dd6a236b0c0678df75819c5a3b" # commit hash of version 19.21.0 cluster_name = var.eks_cluster_name cluster_version = local.eks_core_versions[var.eks_kubernetes_version].cluster_version 
@@ -224,6 +221,7 @@ module "eks" { } resource "aws_vpc_security_group_ingress_rule" "vpc_endpoints_access" { + description = "Allow ingress traffic to the VPC endpoints from EKS nodes" security_group_id = aws_security_group.vpc_endpoint.id ip_protocol = "-1" referenced_security_group_id = module.eks.node_security_group_id @@ -233,4 +231,4 @@ resource "aws_vpc_security_group_ingress_rule" "vpc_endpoints_access" { depends_on = [ aws_security_group.vpc_endpoint ] -} \ No newline at end of file +} diff --git a/cluster/iam.tf b/cluster/iam.tf index 533684e..8c72618 100644 --- a/cluster/iam.tf +++ b/cluster/iam.tf @@ -1,6 +1,5 @@ module "allow_eks_access_iam_policy" { - source = "terraform-aws-modules/iam/aws//modules/iam-policy" - version = "5.15.0" + source = "git::https://github.com/terraform-aws-modules/terraform-aws-iam.git//modules/iam-policy?ref=e20e0b9a42084bbc885fd5abb18b8744810bd567" # commit hash of version 5.48.0 name = "${var.eks_cluster_name}-allow-eks-access" create_policy = true @@ -41,8 +40,7 @@ module "allow_eks_access_iam_policy" { } module "eks_admins_iam_role" { - source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role" - version = "5.15.0" + source = "git::https://github.com/terraform-aws-modules/terraform-aws-iam.git//modules/iam-assumable-role?ref=e20e0b9a42084bbc885fd5abb18b8744810bd567" # commit hash of version 5.48.0 role_description = "The administrative role for the EKS cluster" role_name = "${var.eks_cluster_name}-admin-role" @@ -60,8 +58,7 @@ module "eks_admins_iam_role" { module "allow_assume_eks_admins_iam_policy" { - source = "terraform-aws-modules/iam/aws//modules/iam-policy" - version = "5.15.0" + source = "git::https://github.com/terraform-aws-modules/terraform-aws-iam.git//modules/iam-policy?ref=e20e0b9a42084bbc885fd5abb18b8744810bd567" # commit hash of version 5.48.0 name = "${var.eks_cluster_name}-allow-assume-eks-admin-role" create_policy = true 
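Review bot: The new `description` on `aws_vpc_security_group_ingress_rule.vpc_endpoints_access` documents the rule, but the rule still admits every protocol and port from the node security group (`ip_protocol = "-1"`); AWS service interface endpoints terminate TLS on TCP/443, so unless one of the endpoints defined in vpc.tf needs another port (not visible here), `ip_protocol = "tcp"`, `from_port = 443`, `to_port = 443` is the least-privilege form. The resource continues past this hunk (`depends_on` is in the following one).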
@@ -89,7 +86,7 @@ resource "aws_iam_policy_attachment" "eks_admins_policy_attachment" { } module "iam_user" { - source = "terraform-aws-modules/iam/aws//modules/iam-user" + source = "git::https://github.com/terraform-aws-modules/terraform-aws-iam.git//modules/iam-user?ref=e20e0b9a42084bbc885fd5abb18b8744810bd567" # commit hash of version 5.48.0 name = "${var.eks_cluster_name}-ecr-readonly-user" create_iam_user_login_profile = false @@ -150,7 +147,9 @@ resource "aws_iam_policy" "ecr_access" { "ecr:ListTagsForResource", "ecr:DescribeImageScanFindings" ] - Resource = "*" + Resource = [ + for repository_name in var.ecr_repository_names : "arn:aws:ecr:::repository/${repository_name}" + ] } ] }) @@ -177,4 +176,6 @@ resource "aws_iam_policy" "ecr_pull_through_cache" { }) tags = merge(tomap({ "Name" : "${var.eks_cluster_name}-ecr-pull-through-cache-policy" }), var.common_tags) + + #checkov:skip=CKV_AWS_355,CKV_AWS_290: Temporarly skip these checks } diff --git a/cluster/outputs.tf b/cluster/outputs.tf index 04a1cfb..92df961 100644 --- a/cluster/outputs.tf +++ b/cluster/outputs.tf @@ -10,6 +10,11 @@ output "radar_base_eks_cluster_kms_key_arn" { value = module.eks.kms_key_arn } +output "assume_eks_admins_role" { + description = "EKS admin role ARN" + value = module.allow_assume_eks_admins_iam_policy.arn +} + output "radar_base_eks_dmz_node_group_name" { value = var.create_dmz_node_group ? element(split(":", module.eks.eks_managed_node_groups["dmz-${var.eks_cluster_name}"].node_group_id), 1) : null } diff --git a/cluster/provider.tf b/cluster/provider.tf index 485fb0b..5f1da03 100644 --- a/cluster/provider.tf +++ b/cluster/provider.tf @@ -28,4 +28,4 @@ provider "kubectl" { args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name, "--region", var.AWS_REGION, "--profile", var.AWS_PROFILE] command = "aws" } -} \ No newline at end of file +} diff --git a/cluster/variables.tf b/cluster/variables.tf index 0cd3dc9..8c69d85 100644 --- a/cluster/variables.tf 
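Review bot: The new `Resource` ARNs in `aws_iam_policy.ecr_access` leave the region and account fields empty (`arn:aws:ecr:::repository/...`); ECR repository ARNs carry both, and IAM does not treat an empty field as a wildcard, so as written the statement matches no repository and the read-only user is denied on every repository call. Fill the fields in, e.g. `"arn:aws:ecr:${var.AWS_REGION}:*:repository/${repository_name}"` (provider.tf already reads `var.AWS_REGION`), and replace `*` with the account ID if the module has a caller-identity data source. If `ecr:GetAuthorizationToken` is among the actions above this hunk, it only works with `Resource = "*"` and needs to move to a statement of its own. The policy document starts before this hunk, so I cannot see the full action list.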
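Review bot: The added `#checkov:skip=CKV_AWS_355,CKV_AWS_290: Temporarly skip these checks` suppresses two IAM policy checks (from their IDs, the wildcard-resource and unconstrained-write checks; confirm against the checkov version devbox installs) without saying why `ecr_pull_through_cache` needs them or when the suppression ends; checkov reports the comment text as the skip reason, so state the justification and an owner, e.g. `#checkov:skip=CKV_AWS_355,CKV_AWS_290: pull-through cache actions need a wildcard resource; tracked in <issue link>`. That also fixes the `Temporarly` typo. The policy document that triggers the findings is above this hunk, so I cannot confirm which statement each check fires on.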
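Review bot: `output "assume_eks_admins_role"` is described as the EKS admin role ARN, but its value is `module.allow_assume_eks_admins_iam_policy.arn`, i.e. the ARN of the IAM policy that grants the assume permission (`arn:aws:iam::…:policy/…`), not of the role; the README in this same commit feeds it to `aws eks update-kubeconfig --role-arn`, which expects `arn:aws:iam::…:role/…` and will fail. The role is created by `module "eks_admins_iam_role"` (iam-assumable-role), so the output should read `value = module.eks_admins_iam_role.iam_role_arn`; check the exact output name against that module at the pinned commit. Separately, `terraform output NAME` wraps string values in quotes, so the README command needs `terraform output -raw NAME`, and `eks_cluster_name` does not appear among the outputs listed in cluster/README.md, so that command presumably needs an output of that name added here too.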
+++ b/cluster/variables.tf @@ -41,12 +41,6 @@ variable "eks_cluster_name" { } } -variable "environment" { - type = string - description = "Environment name" - default = "dev" -} - variable "common_tags" { type = map(string) description = "Common tags associated to resources created" @@ -152,3 +146,14 @@ variable "default_storage_class" { error_message = "Invalid storage class. Allowed values are 'radar-base-ebs-sc-gp2', 'radar-base-ebs-sc-gp3', 'radar-base-ebs-sc-io1' or 'radar-base-ebs-sc-io2'." } } + +variable "ecr_repository_names" { + type = list(string) + description = "Default prefixes for ECR repositories if used for hosting the images" + default = [ + "ecr-public*", + "k8s*", + "quay*", + "radarbase*", + ] +} diff --git a/cluster/vpc.tf b/cluster/vpc.tf index 664dc14..f342b77 100644 --- a/cluster/vpc.tf +++ b/cluster/vpc.tf @@ -1,6 +1,6 @@ module "vpc" { - source = "terraform-aws-modules/vpc/aws" - version = "~> 5.0" + source = "git::https://github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=573f574c922782bc658f05523d0c902a4792b0a8" # commit hash of version 5.17.0 + name = "${var.eks_cluster_name}-vpc" cidr = var.vpc_cidr 
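Review bot: `ecr_repository_names` has no `validation` block even though it is spliced straight into IAM `Resource` ARNs in iam.tf: an empty list yields `Resource = []`, which IAM rejects at apply time, and a bare `"*"` entry silently widens the "readonly" user to every repository in the account. The file already uses `validation` with `error_message` for `default_storage_class`, so the same pattern fits here. It would also help to say in the description that entries are ARN-style prefixes (trailing `*` is a wildcard) rather than exact names.
```hcl
variable "ecr_repository_names" {
  # … unchanged: type, description, default …
  validation {
    condition     = length(var.ecr_repository_names) > 0 && !contains(var.ecr_repository_names, "*")
    error_message = "ecr_repository_names must contain at least one repository name or prefix and must not be a bare '*'."
  }
}
```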
@@ -39,27 +39,33 @@ module "vpc" { resource "aws_security_group" "vpc_endpoint" { name_prefix = "${var.eks_cluster_name}-vpc-endpoint-sg-" + description = "This security group is for controlling ingress and egress traffic of VPC endpoints powered by PrivateLink." vpc_id = module.vpc.vpc_id tags = merge(tomap({ "Name" : "${var.eks_cluster_name}-vpc-endpoint-sg" }), var.common_tags) + } resource "aws_security_group_rule" "vpc_endpoint_egress" { security_group_id = aws_security_group.vpc_endpoint.id + description = "Allows unrestricted egress from VPC endpoints to private subnets." type = "egress" protocol = "-1" from_port = 0 to_port = 0 - cidr_blocks = ["0.0.0.0/0"] + cidr_blocks = var.vpc_private_subnet_cidr + } resource "aws_security_group_rule" "vpc_endpoint_self_ingress" { security_group_id = aws_security_group.vpc_endpoint.id + description = "Allows unrestricted ingress within the VPC endpoint security group." type = "ingress" protocol = "-1" from_port = 0 to_port = 0 source_security_group_id = aws_security_group.vpc_endpoint.id + } resource "aws_vpc_endpoint" "s3" { diff --git a/config/.terraform.lock.hcl b/config/.terraform.lock.hcl index 2a95a24..85c706e 100644 --- a/config/.terraform.lock.hcl +++ b/config/.terraform.lock.hcl @@ -5,7 +5,6 @@ provider "registry.terraform.io/gavinbunney/kubectl" { version = "1.14.0" constraints = "~> 1.14.0" hashes = [ - "h1:ItrWfCZMzM2JmvDncihBMalNLutsAk7kyyxVRaipftY=", "h1:gLFn+RvP37sVzp9qnFCwngRjjFV649r6apjxvJ1E/SE=", "zh:0350f3122ff711984bbc36f6093c1fe19043173fad5a904bce27f86afe3cc858", "zh:07ca36c7aa7533e8325b38232c77c04d6ef1081cb0bac9d56e8ccd51f12f2030", 
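Review bot: Three of the resources touched in vpc.tf (`aws_security_group.vpc_endpoint`, `vpc_endpoint_egress`, `vpc_endpoint_self_ingress`) now end with a blank line before the closing `}`; `terraform fmt` keeps single blank lines, so the new `terraform_fmt` hook will not clean them up, and they should be dropped. Restricting endpoint egress to `var.vpc_private_subnet_cidr` instead of `0.0.0.0/0` is the right direction; `cidr_blocks` takes a list, so that variable must be `list(string)` (its definition is not in this diff, so confirm). The new description `"Allows unrestricted egress from VPC endpoints to private subnets."` reads as contradicting the rule it documents; `"Allows all-protocol egress from VPC endpoints to the private subnets only."` says what the rule now does.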
@@ -20,26 +19,25 @@ provider "registry.terraform.io/gavinbunney/kubectl" { } provider "registry.terraform.io/hashicorp/aws" { - version = "5.80.0" + version = "5.82.2" constraints = ">= 4.0.0, >= 4.57.0, >= 5.0.0, < 6.0.0" hashes = [ - "h1:N5Wfsf4xe5DJfSeo0G/ulkIxzyfmUIoSj/hAiZ2DaKU=", - "h1:q2pqSs7uPWvxunrBYjyirXARlxFIoxn2Lju42uJbxk4=", - "zh:0b1655e39639d60f2de2860a5df8642f9556ba0ca04529c1b861fde4935cb0df", - "zh:13dc0155e0a11edceee29ce687fc04c5a5a85f3324c67556472713cfd52e5807", - "zh:180f6cb2be44be14cfe329e0649121b774319f083b6e4e8fb749f85090d73121", - "zh:3158d44b74c67465f7f19f22c42b643840c8d18ce833e2ec86e8d93085b06926", - "zh:6351b5bf7cde5dc83e926944891570636069e05ca43341f4d1feda67773469bf", - "zh:6fa9db1532096ba50e842d369b6688979306d2295c7ead49b8a266b0d60962cc", - "zh:85d2fe75def7619ff2cc29102048875039cad088fafb62ecc14c3763e7b1e9d9", - "zh:9028d653f1d7341c6dfe2afe961b6541581e9043a474eac2faf90e6426a24f6d", + "h1:RuPaHbllUB8a2TGTyc149wJfoh6zhIEjUvFYKR6iP2E=", + "zh:0262fc96012fb7e173e1b7beadd46dfc25b1dc7eaef95b90e936fc454724f1c8", + "zh:397413613d27f4f54d16efcbf4f0a43c059bd8d827fe34287522ae182a992f9b", + "zh:436c0c5d56e1da4f0a4c13129e12a0b519d12ab116aed52029b183f9806866f3", + "zh:4d942d173a2553d8d532a333a0482a090f4e82a2238acf135578f163b6e68470", + "zh:624aebc549bfbce06cc2ecfd8631932eb874ac7c10eb8466ce5b9a2fbdfdc724", "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:9c4e248c442bc60f07f9f089e5361f19936833370dc3c04b27916672b765f0e1", - "zh:a710a3979596e3f3938c3ec6bb748e604724d3a4afa96ed2c14f0a245cc41a11", - "zh:c27936bdf447779d0c0833bf52a9ef618985f5ea8e3e243d6266513520ca31c4", - "zh:c7681134a123486e72eaedc3f8d2d75e267dbbfd45fa7de5aea8f757af57f89b", - "zh:ea717ebad3561fd02591f9eecf30f3df5635405556fba2bdbf29fd42691bebac", - "zh:f4e1e8f23c58c3e8f4371f9c3379a723ab4155246e6b6daad8eb99e16666b2cb", + "zh:9e632dee2dfdf01b371cca7854b1ec63ceefa75790e619b0642b34d5514c6733", + "zh:a07567acb115b60a3df8f6048d12735b9b3bcf85ec92a62f77852e13d5a3c096", + 
"zh:ab7002df1a1be6432ac0eb1b9f6f0dd3db90973cd5b1b0b33d2dae54553dfbd7", + "zh:bc1ff65e2016b018b3e84db7249b2cd0433cb5c81dc81f9f6158f2197d6b9fde", + "zh:bcad84b1d767f87af6e1ba3dc97fdb8f2ad5de9224f192f1412b09aba798c0a8", + "zh:cf917dceaa0f9d55d9ff181b5dcc4d1e10af21b6671811b315ae2a6eda866a2a", + "zh:d8e90ecfb3216f3cc13ccde5a16da64307abb6e22453aed2ac3067bbf689313b", + "zh:d9054e0e40705df729682ad34c20db8695d57f182c65963abd151c6aba1ab0d3", + "zh:ecf3a4f3c57eb7e89f71b8559e2a71e4cdf94eea0118ec4f2cb37e4f4d71a069", ] } @@ -47,7 +45,6 @@ provider "registry.terraform.io/hashicorp/helm" { version = "2.11.0" constraints = "~> 2.11.0" hashes = [ - "h1:AOp9vXIM4uT1c/PVwsWTPiLVGlO2SSYrfiirV5rjCMQ=", "h1:zxfRtgpWrVZwjkIBuI+7jc52+u1QBA/k7LQZiCiq3Z8=", "zh:013857c88f3e19a4b162344e21dc51891c4ac8b600da8391f7fb2b6d234961e1", "zh:044fffa233a93cdcf8384afbe9e1ab6c9d0b5b176cbae56ff465eb9611302975", @@ -68,7 +65,6 @@ provider "registry.terraform.io/hashicorp/kubernetes" { version = "2.24.0" constraints = "~> 2.24.0" hashes = [ - "h1:8Ov9r+eCpuqY9LNjG3I8vKT0hX/FkyzuDxQySZVt9i4=", "h1:u9lRMCdNXcB5/WQTZVMvGhNliW2pKOzj3SOVbu9yPpg=", "zh:0ed83ec390a7e75c4990ebce698f14234de2b6204ed9a01cd042bb7ea5f26564", "zh:195150e4fdab259c70088528006f4604557a051e037ebe8de64e92840f27e40a", diff --git a/config/README.md b/config/README.md index f289348..552aebe 100644 --- a/config/README.md +++ b/config/README.md @@ -12,7 +12,7 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 5.80.0 | +| [aws](#provider\_aws) | 5.82.2 | | [helm](#provider\_helm) | 2.11.0 | | [kubectl](#provider\_kubectl) | 1.14.0 | | [kubernetes](#provider\_kubernetes) | 2.24.0 | 
@@ -21,14 +21,15 @@ | Name | Source | Version | |------|--------|---------| -| [cert\_manager\_irsa](#module\_cert\_manager\_irsa) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | ~> 5.0 | -| [external\_dns\_irsa](#module\_external\_dns\_irsa) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | ~> 5.0 | -| [karpenter](#module\_karpenter) | terraform-aws-modules/eks/aws//modules/karpenter | 19.17.2 | +| [cert\_manager\_irsa](#module\_cert\_manager\_irsa) | git::https://github.com/terraform-aws-modules/terraform-aws-iam.git//modules/iam-role-for-service-accounts-eks | e20e0b9a42084bbc885fd5abb18b8744810bd567 | +| [external\_dns\_irsa](#module\_external\_dns\_irsa) | git::https://github.com/terraform-aws-modules/terraform-aws-iam.git//modules/iam-role-for-service-accounts-eks | e20e0b9a42084bbc885fd5abb18b8744810bd567 | +| [karpenter](#module\_karpenter) | git::https://github.com/terraform-aws-modules/terraform-aws-eks.git//modules/karpenter | 2cb1fac31b0fc2dd6a236b0c0678df75819c5a3b | ## Resources | Name | Type | |------|------| +| [aws_cloudwatch_log_group.msk_broker](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | | [aws_db_instance.radar_postgres](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance) | resource | | [aws_db_subnet_group.rds_subnet](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_subnet_group) | resource | | [aws_eip.cluster_loadbalancer_eip](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip) | resource | 
@@ -76,8 +77,8 @@ | [aws_eks_node_groups.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_node_groups) | data source | | [aws_security_group.node](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source | | [aws_security_group.vpc_default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source | +| [aws_subnet.private_subnet](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source | | [aws_subnets.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | -| [aws_subnets.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | | [aws_vpc.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | ## Inputs @@ -96,6 +97,7 @@ | [enable\_karpenter](#input\_enable\_karpenter) | Do you need Karpenter? [true, false] | `bool` | n/a | yes | | [enable\_metrics](#input\_enable\_metrics) | Do you need Metrics Server? [true, false] | `bool` | n/a | yes | | [enable\_msk](#input\_enable\_msk) | Do you need MSK? [true, false] | `bool` | n/a | yes | +| [enable\_msk\_logging](#input\_enable\_msk\_logging) | Do you need logging on MSK brokers? [true, false] | `bool` | n/a | yes | | [enable\_rds](#input\_enable\_rds) | Do you need RDS? [true, false] | `bool` | n/a | yes | | [enable\_route53](#input\_enable\_route53) | Do you need Route53? [true, false] | `bool` | n/a | yes | | [enable\_s3](#input\_enable\_s3) | Do you need S3? [true, false] | `bool` | n/a | yes | diff --git a/config/data.tf b/config/data.tf index 5a83ed8..5aa8178 100644 --- a/config/data.tf +++ b/config/data.tf 
@@ -5,17 +5,6 @@ data "aws_vpc" "main" {
   }
 }
 
-data "aws_subnets" "public" {
-  filter {
-    name = "tag:Name"
-    values = ["${var.eks_cluster_name}-vpc"]
-  }
-  filter {
-    name = "tag:subnet-type"
-    values = ["public"]
-  }
-}
-
 data "aws_subnets" "private" {
   filter {
     name = "tag:Name"
@@ -27,6 +16,11 @@ data "aws_subnets" "private" {
   }
 }
 
+data "aws_subnet" "private_subnet" {
+  for_each = toset(data.aws_subnets.private.ids)
+  id = each.value
+}
+
 data "aws_security_group" "node" {
   filter {
     name = "tag:Name"
diff --git a/config/eip.tf b/config/eip.tf
index f3e0ee9..68656b6 100644
--- a/config/eip.tf
+++ b/config/eip.tf
@@ -4,6 +4,8 @@ resource "aws_eip" "cluster_loadbalancer_eip" {
   vpc = true
   public_ipv4_pool = "amazon"
   tags = merge(tomap({ "Name" : "${var.eks_cluster_name}-loadbalancer-eip" }), var.common_tags)
+
+  #checkov:skip=CKV2_AWS_19:This EIP will be attached to the NLB when nginx-ingress is deployed
 }
 
 output "radar_base_eip_allocation_id" {
@@ -12,4 +14,4 @@ output "radar_base_eip_allocation_id" {
 
 output "radar_base_eip_public_dns" {
   value = var.enable_eip ? aws_eip.cluster_loadbalancer_eip[0].public_dns : null
-}
\ No newline at end of file
+}
diff --git a/config/karpenter.tf b/config/karpenter.tf
index 305076b..42bbec8 100644
--- a/config/karpenter.tf
+++ b/config/karpenter.tf
@@ -1,8 +1,7 @@
 module "karpenter" {
   count = var.enable_karpenter ? 1 : 0
 
-  source = "terraform-aws-modules/eks/aws//modules/karpenter"
-  version = "19.17.2"
+  source = "git::https://github.com/terraform-aws-modules/terraform-aws-eks.git//modules/karpenter?ref=2cb1fac31b0fc2dd6a236b0c0678df75819c5a3b" # commit hash of version 19.21.0
 
   cluster_name = data.aws_eks_cluster.main.id
 
diff --git a/config/msk.tf b/config/msk.tf
index 1c07f49..5acb283 100644
--- a/config/msk.tf
+++ b/config/msk.tf
@@ -74,6 +74,13 @@ zookeeper.session.timeout.ms=18000
 PROPERTIES
 }
 
+resource "aws_cloudwatch_log_group" "msk_broker" {
+  count = var.enable_msk_logging ? 1 : 0
+  name = "${var.eks_cluster_name}-msk-broker-logs"
+}
+
+#trivy:ignore:AVD-AWS-0074 Logging on MSK brokers can be enabled by setting var.enable_msk_logging to true
+#trivy:ignore:AVD-AWS-0179 By default an AWS-managed KMS key is used to encrypt MSK data at rest
 resource "aws_msk_cluster" "msk_cluster" {
   count = var.enable_msk ? 1 : 0
 
@@ -97,6 +104,7 @@ resource "aws_msk_cluster" "msk_cluster" {
   encryption_info {
     encryption_in_transit {
       client_broker = "TLS"
+      in_cluster = true
     }
   }
 
@@ -123,6 +131,18 @@ resource "aws_msk_cluster" "msk_cluster" {
     arn = aws_msk_configuration.msk_configuration[0].arn
     revision = 1
   }
+
+  dynamic "logging_info" {
+    for_each = var.enable_msk_logging ? [1] : []
+    content {
+      broker_logs {
+        cloudwatch_logs {
+          enabled = var.enable_msk_logging
+          log_group = aws_cloudwatch_log_group.msk_broker.name
+        }
+      }
+    }
+  }
 }
 
 output "radar_base_msk_bootstrap_brokers" {
diff --git a/config/rds.tf b/config/rds.tf
index 4a0f9d7..bac0d79 100644
--- a/config/rds.tf
+++ b/config/rds.tf
@@ -1,3 +1,9 @@
+locals {
+  private_cidr_blocks = [
+    for subnet_id in data.aws_subnets.private.ids : data.aws_subnet.private_subnet[subnet_id].cidr_block
+  ]
+}
+
 resource "aws_db_subnet_group" "rds_subnet" {
   count = var.enable_rds ? 1 : 0
 
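Review bot: `log_group = aws_cloudwatch_log_group.msk_broker.name` in the new `logging_info` block references a resource that is declared with `count`, so Terraform will reject the attribute access on the whole resource; it needs an index, `log_group = aws_cloudwatch_log_group.msk_broker[0].name` (the enclosing aws_msk_cluster resource starts outside the hunk). The new log group also sets no `retention_in_days`, so broker logs are kept indefinitely; an explicit retention keeps log volume and cost bounded. Inside a `dynamic` block that is already gated on `var.enable_msk_logging`, `enabled = var.enable_msk_logging` can never be false, so `enabled = true` states the intent more plainly.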
@@ -12,25 +18,18 @@ resource "aws_security_group" "rds_access" {
   description = "This security group is for accessing the RDS DB"
   vpc_id = data.aws_vpc.main.id
 
-  # ingress {
-  #   from_port = 5432
-  #   to_port = 5432
-  #   protocol = "tcp"
-  #   cidr_blocks = ["188.28.81.208/32"]
-  # }
-
   ingress {
-    from_port = 0
-    to_port = 65535
-    protocol = "tcp"
-    security_groups = [data.aws_security_group.node.id]
+    from_port = 0
+    to_port = 65535
+    protocol = "tcp"
+    cidr_blocks = local.private_cidr_blocks
   }
 
   egress {
     from_port = 0
     to_port = 0
     protocol = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
+    cidr_blocks = local.private_cidr_blocks
   }
 
   tags = merge(tomap({ "Name" : "${var.eks_cluster_name}-rds-access" }), var.common_tags)
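Review bot: The rewritten `ingress` rule swaps the EKS node security group reference for `cidr_blocks = local.private_cidr_blocks` while keeping `from_port = 0` / `to_port = 65535`, so every host in every private subnet can now reach the database on any TCP port, where previously only members of the node security group could. If the CIDR form is needed (for example for nodes launched outside that security group), the rule should at least be narrowed to the database port: `from_port = 5432` and `to_port = 5432`. Restricting egress to the same CIDRs is a welcome tightening; the enclosing aws_security_group resource starts outside the hunk.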
@@ -40,24 +39,30 @@ resource "aws_security_group" "rds_access" {
 resource "aws_db_instance" "radar_postgres" {
   count = var.enable_rds ? 1 : 0
 
-  identifier = "${var.eks_cluster_name}-postgres"
-  db_name = "radarbase"
-  engine = "postgres"
-  engine_version = var.postgres_version
-  instance_class = "db.t4g.micro"
-  username = "postgres"
-  password = var.radar_postgres_password
-  allocated_storage = 5
-  storage_type = "standard"
-  storage_encrypted = true
-  skip_final_snapshot = true
-  publicly_accessible = false
-  multi_az = false
-  db_subnet_group_name = aws_db_subnet_group.rds_subnet[0].name
-  vpc_security_group_ids = [aws_security_group.rds_access[0].id]
-  performance_insights_enabled = true
+  identifier = "${var.eks_cluster_name}-postgres"
+  db_name = "radarbase"
+  engine = "postgres"
+  engine_version = var.postgres_version
+  instance_class = "db.t4g.micro"
+  username = "postgres"
+  password = var.radar_postgres_password
+  allocated_storage = 5
+  storage_type = "standard"
+  storage_encrypted = true
+  skip_final_snapshot = true
+  publicly_accessible = false
+  multi_az = false
+  db_subnet_group_name = aws_db_subnet_group.rds_subnet[0].name
+  vpc_security_group_ids = [aws_security_group.rds_access[0].id]
+  performance_insights_enabled = true
+  copy_tags_to_snapshot = true
+  backup_retention_period = 7
+  iam_database_authentication_enabled = true
+  deletion_protection = true # This needs to be set to false before you really want to delete the database with "terraform destroy"
 
   tags = merge(tomap({ "Name" : "${var.eks_cluster_name}-postgres" }), var.common_tags)
+
+  #checkov:skip=CKV2_AWS_30: This will result in extra charge and should be only enabled for troubleshooting and stringent auditing
 }
 
 resource "kubectl_manifest" "create_databases_if_not_exist" {
diff --git a/config/route53.tf b/config/route53.tf
index f9a110e..057791e 100644
--- a/config/route53.tf
+++ b/config/route53.tf
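Review bot: `iam_database_authentication_enabled = true` is added, but `password = var.radar_postgres_password` still provisions a static master password that is written to Terraform state and supplied through a tfvars file. With the AWS provider pinned at 5.x elsewhere in this commit, `manage_master_user_password = true` (which replaces the `password` argument) lets RDS generate and rotate the master secret in Secrets Manager instead. Note also that `skip_final_snapshot = true` now sits next to `deletion_protection = true`: once protection is switched off for a deliberate destroy, the instance is removed without a final snapshot, and the automated backups enabled by the new `backup_retention_period = 7` are deleted with it by default, so consider `skip_final_snapshot = false` with a `final_snapshot_identifier`.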
@@ -12,6 +12,9 @@ resource "aws_route53_zone" "primary" {
   count = var.enable_route53 && length(var.domain_name) == 1 ? 1 : 0
   name = local.domain_name
   tags = merge(tomap({ "Name" : "${var.eks_cluster_name}-primary-zone" }), var.common_tags)
+
+  #checkov:skip=CKV2_AWS_39: This will result in extra charge and should be only enabled for troubleshooting and stringent auditing
+  #checkov:skip=CKV2_AWS_38: DNSSEC signing needs to be optional
 }
 
 resource "aws_route53_record" "main" {
@@ -37,8 +40,7 @@ resource "aws_route53_record" "this" {
 module "external_dns_irsa" {
   count = var.enable_route53 && length(var.domain_name) == 1 ? 1 : 0
 
-  source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
-  version = "~> 5.0"
+  source = "git::https://github.com/terraform-aws-modules/terraform-aws-iam.git//modules/iam-role-for-service-accounts-eks?ref=e20e0b9a42084bbc885fd5abb18b8744810bd567" # commit hash of version 5.48.0
 
   role_name = "${var.eks_cluster_name}-external-dns-irsa"
   attach_external_dns_policy = true
@@ -57,8 +59,7 @@ module "external_dns_irsa" {
 module "cert_manager_irsa" {
   count = var.enable_route53 && length(var.domain_name) == 1 ? 1 : 0
 
-  source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
-  version = "~> 5.0"
+  source = "git::https://github.com/terraform-aws-modules/terraform-aws-iam.git//modules/iam-role-for-service-accounts-eks?ref=e20e0b9a42084bbc885fd5abb18b8744810bd567" # commit hash of version 5.48.0
 
   role_name = "${var.eks_cluster_name}-cert-manager-irsa"
   attach_cert_manager_policy = true
diff --git a/config/s3.tf b/config/s3.tf
index 8f7852c..5aba175 100644
--- a/config/s3.tf
+++ b/config/s3.tf
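Review bot: The skip reason `#checkov:skip=CKV2_AWS_38: DNSSEC signing needs to be optional` describes a design choice that nothing in the configuration implements — there is no variable, `aws_route53_hosted_zone_dnssec` or `aws_route53_key_signing_key` making DNSSEC optional; the check is simply suppressed. Either word the skip as the decision actually taken (for example `DNSSEC signing is not enabled for this zone`) or gate those two resources behind a variable so the comment is true, as `var.enable_msk_logging` does for MSK logging in this same commit.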
@@ -3,6 +3,9 @@ resource "aws_s3_bucket" "this" {
   bucket = each.value
   tags = merge(tomap({ "Name" : each.key }), var.common_tags)
 
+
+  #checkov:skip=CKV2_AWS_6: This is implicitly guranateed and public access is blocked for S3 buckets
+  #checkov:skip=CKV_AWS_18,CKV_AWS_144,CKV_AWS_21,CKV_AWS_145,CKV2_AWS_61,CKV2_AWS_62: These S3 rules should be applied case by case
 }
 
 resource "aws_s3_bucket_ownership_controls" "this" {
@@ -10,7 +13,7 @@ resource "aws_s3_bucket_ownership_controls" "this" {
   bucket = aws_s3_bucket.this[each.key].id
 
   rule {
-    object_ownership = "BucketOwnerPreferred"
+    object_ownership = "BucketOwnerEnforced"
   }
 
   depends_on = [aws_s3_bucket.this]
diff --git a/config/ses.tf b/config/ses.tf
index e4eff10..cab0b0b 100644
--- a/config/ses.tf
+++ b/config/ses.tf
@@ -102,4 +102,4 @@ output "radar_base_smtp_host" {
 
 output "radar_base_smtp_port" {
   value = var.enable_ses ? 587 : null
-}
\ No newline at end of file
+}
diff --git a/config/terraform.tfvars b/config/terraform.tfvars
index c895eaa..90b22da 100644
--- a/config/terraform.tfvars
+++ b/config/terraform.tfvars
@@ -1,12 +1,13 @@
-AWS_REGION = "eu-west-2"
-environment = "dev"
-domain_name = {} # Pair of top level domain and hosted zone ID for deployed applications, e.g., { "radar-base.org" : "ZABCDEFGHIJKLMNOPQRST" }
-with_dmz_pods = false
-enable_metrics = false
-enable_karpenter = false
-enable_msk = false
-enable_rds = false
-enable_route53 = false
-enable_ses = false
-enable_s3 = false
-enable_eip = false
+AWS_REGION = "eu-west-2"
+environment = "dev"
+domain_name = {} # Pair of top level domain and hosted zone ID for deployed applications, e.g., { "radar-base.org" : "ZABCDEFGHIJKLMNOPQRST" }
+with_dmz_pods = false
+enable_metrics = false
+enable_karpenter = false
+enable_msk = false
+enable_msk_logging = false
+enable_rds = false
+enable_route53 = false
+enable_ses = false
+enable_s3 = false
+enable_eip = false
diff --git a/config/variables.tf b/config/variables.tf
index 857764f..20653ba 100644
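Review bot: The skip `#checkov:skip=CKV2_AWS_6: This is implicitly guranateed and public access is blocked for S3 buckets` asserts a property the configuration does not establish — nothing in s3.tf declares a public access block, and the account-level default can be changed outside Terraform; the comment also misspells `guaranteed`. An explicit `aws_s3_bucket_public_access_block` per bucket makes the claim true in code and lets that skip be removed. Separately, switching to `object_ownership = "BucketOwnerEnforced"` disables ACLs on these buckets, so any `acl` argument or `aws_s3_bucket_acl` resource targeting them (not visible in this hunk) has to go or the apply will fail.
```hcl
# … unchanged: aws_s3_bucket.this and aws_s3_bucket_ownership_controls.this …

resource "aws_s3_bucket_public_access_block" "this" {
  for_each = aws_s3_bucket.this

  bucket                  = each.value.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```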
--- a/config/variables.tf
+++ b/config/variables.tf
@@ -131,6 +131,11 @@ variable "enable_msk" {
   description = "Do you need MSK? [true, false]"
 }
 
+variable "enable_msk_logging" {
+  type = bool
+  description = "Do you need logging on MSK brokers? [true, false]"
+}
+
 variable "enable_rds" {
   type = bool
   description = "Do you need RDS? [true, false]"
diff --git a/devbox.json b/devbox.json
new file mode 100644
index 0000000..ce72852
--- /dev/null
+++ b/devbox.json
@@ -0,0 +1,31 @@
+{
+  "$schema": "https://raw.githubusercontent.com/jetify-com/devbox/0.13.6/.schema/devbox.schema.json",
+  "packages": [
+    "terraform-docs@latest",
+    "terraform@latest",
+    "pre-commit@latest",
+    "tflint@latest",
+    "trivy@latest",
+    "checkov@latest",
+    "kubernetes-helm@latest",
+  ],
+  "shell": {
+    "init_hook": [
+      "echo 'Welcome to devbox!' > /dev/null",
+      "pre-commit install",
+      "cd $DEVBOX_PROJECT_ROOT/cluster && terraform init -upgrade",
+      "cd $DEVBOX_PROJECT_ROOT/config && terraform init -upgrade",
+    ],
+    "scripts": {
+      "install_cluster": [
+        "cd $DEVBOX_PROJECT_ROOT/cluster && terraform apply",
+        "aws eks update-kubeconfig --name `terraform output eks_cluster_name` --alias `terraform output eks_cluster_name` --role-arn `terraform output assume_eks_admins_role`",
+        "kubectl --context `terraform output eks_cluster_name` get nodes",
+        "kubectl --context `terraform output eks_cluster_name` get pods -A"
+      ],
+      "install_config": [
+        "cd $DEVBOX_PROJECT_ROOT/config && terraform apply",
+      ],
+    },
+  },
+}
diff --git a/devbox.lock b/devbox.lock
new file mode 100644
index 0000000..3454007
--- /dev/null
+++ b/devbox.lock
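Review bot: The `install_cluster` commands substitute the output of `terraform output eks_cluster_name` (and `assume_eks_admins_role`) with backticks, but without `-raw` Terraform prints string outputs JSON-quoted, so `--name`, `--alias`, `--context` and `--role-arn` receive values wrapped in literal double quotes; use `terraform output -raw eks_cluster_name` and `terraform output -raw assume_eks_admins_role` in each of the three lines. The two `init_hook` entries run `terraform init -upgrade`, which disregards the provider selections recorded in the committed `.terraform.lock.hcl` and pulls the newest versions the constraints allow on every shell entry; plain `terraform init` honours the lock file and is consistent with the commit-hash pinning of modules done elsewhere in this change.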
@@ -0,0 +1,373 @@ +{ + "lockfile_version": "1", + "packages": { + "checkov@latest": { + "last_modified": "2024-12-17T11:43:56Z", + "resolved": "github:NixOS/nixpkgs/4989a246d7a390a859852baddb1013f825435cee#checkov", + "source": "devbox-search", + "version": "3.2.336", + "systems": { + "aarch64-darwin": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/34qgizhgb7340fp9ssry67lsz3qsn0b0-checkov-3.2.336", + "default": true + }, + { + "name": "dist", + "path": "/nix/store/hr9y9y08ywhb1z6j9j13lka0fnjrj6id-checkov-3.2.336-dist" + } + ], + "store_path": "/nix/store/34qgizhgb7340fp9ssry67lsz3qsn0b0-checkov-3.2.336" + }, + "aarch64-linux": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/yzz2a1srrmb73465yhngap6mzfjxm87z-checkov-3.2.336", + "default": true + }, + { + "name": "dist", + "path": "/nix/store/c9811shl3145i4fgrqjwqhvqc5lwqpkz-checkov-3.2.336-dist" + } + ], + "store_path": "/nix/store/yzz2a1srrmb73465yhngap6mzfjxm87z-checkov-3.2.336" + }, + "x86_64-darwin": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/mi1nwxrxrgyc3ky84vnm8qmcf1z71l67-checkov-3.2.336", + "default": true + }, + { + "name": "dist", + "path": "/nix/store/mwqgah52hix58np5smzrw1b0iccn5dvk-checkov-3.2.336-dist" + } + ], + "store_path": "/nix/store/mi1nwxrxrgyc3ky84vnm8qmcf1z71l67-checkov-3.2.336" + }, + "x86_64-linux": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/98ygsbfm2ngzz5czs39lvw6q9rz86a53-checkov-3.2.336", + "default": true + }, + { + "name": "dist", + "path": "/nix/store/ijvaqnsamy7alvlia84p8r6yh8wm1acy-checkov-3.2.336-dist" + } + ], + "store_path": "/nix/store/98ygsbfm2ngzz5czs39lvw6q9rz86a53-checkov-3.2.336" + } + } + }, + "kubernetes-helm@latest": { + "last_modified": "2024-11-28T07:51:56Z", + "resolved": "github:NixOS/nixpkgs/226216574ada4c3ecefcbbec41f39ce4655f78ef#kubernetes-helm", + "source": "devbox-search", + "version": "3.16.3", + "systems": { + "aarch64-darwin": { + "outputs": [ + { + "name": "out", + "path": 
"/nix/store/ppr8wia2hmshknp9yfhr7ivqqigqqq4j-kubernetes-helm-3.16.3", + "default": true + } + ], + "store_path": "/nix/store/ppr8wia2hmshknp9yfhr7ivqqigqqq4j-kubernetes-helm-3.16.3" + }, + "aarch64-linux": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/vsps7v36p9nbx08v8c7x1a36mmknhacy-kubernetes-helm-3.16.3", + "default": true + } + ], + "store_path": "/nix/store/vsps7v36p9nbx08v8c7x1a36mmknhacy-kubernetes-helm-3.16.3" + }, + "x86_64-darwin": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/8xbrzsfv1q0kkranniy99fcszpwmjglr-kubernetes-helm-3.16.3", + "default": true + } + ], + "store_path": "/nix/store/8xbrzsfv1q0kkranniy99fcszpwmjglr-kubernetes-helm-3.16.3" + }, + "x86_64-linux": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/nyrghdw5xi4kiwbsw6vdvnnyra5cy0x7-kubernetes-helm-3.16.3", + "default": true + } + ], + "store_path": "/nix/store/nyrghdw5xi4kiwbsw6vdvnnyra5cy0x7-kubernetes-helm-3.16.3" + } + } + }, + "pre-commit@latest": { + "last_modified": "2024-12-11T16:51:25Z", + "resolved": "github:NixOS/nixpkgs/5a48e3c2e435e95103d56590188cfed7b70e108c#pre-commit", + "source": "devbox-search", + "version": "4.0.1", + "systems": { + "aarch64-darwin": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/jbh4llinhndf7h57plssg0ms40f4fk7y-pre-commit-4.0.1", + "default": true + }, + { + "name": "dist", + "path": "/nix/store/zmsci0rj7a6x7zjz55vymljad5sswyrf-pre-commit-4.0.1-dist" + } + ], + "store_path": "/nix/store/jbh4llinhndf7h57plssg0ms40f4fk7y-pre-commit-4.0.1" + }, + "aarch64-linux": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/vpzshjjwb4s9cfawv3g29zlagzl5lsb8-pre-commit-4.0.1", + "default": true + }, + { + "name": "dist", + "path": "/nix/store/hsw0bqhqwv8d8qb2228piyvxj2gdzl0z-pre-commit-4.0.1-dist" + } + ], + "store_path": "/nix/store/vpzshjjwb4s9cfawv3g29zlagzl5lsb8-pre-commit-4.0.1" + }, + "x86_64-darwin": { + "outputs": [ + { + "name": "out", + "path": 
"/nix/store/kx7jzp4ypyx763n3l5rj9yks2p8x0ihy-pre-commit-4.0.1", + "default": true + }, + { + "name": "dist", + "path": "/nix/store/3m6i4wvfb9lkfx624976ggrghv9qbkvm-pre-commit-4.0.1-dist" + } + ], + "store_path": "/nix/store/kx7jzp4ypyx763n3l5rj9yks2p8x0ihy-pre-commit-4.0.1" + }, + "x86_64-linux": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/93i4sz47hjv2zgyjg3mnqv73bq9maw6x-pre-commit-4.0.1", + "default": true + }, + { + "name": "dist", + "path": "/nix/store/0qqa4xv9igqg2s5n6lymzg6ialmn0mri-pre-commit-4.0.1-dist" + } + ], + "store_path": "/nix/store/93i4sz47hjv2zgyjg3mnqv73bq9maw6x-pre-commit-4.0.1" + } + } + }, + "terraform-docs@latest": { + "last_modified": "2024-11-28T07:51:56Z", + "resolved": "github:NixOS/nixpkgs/226216574ada4c3ecefcbbec41f39ce4655f78ef#terraform-docs", + "source": "devbox-search", + "version": "0.19.0", + "systems": { + "aarch64-darwin": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/9jxrh3ykia6mywnv0qcgbvxlikr5hpd4-terraform-docs-0.19.0", + "default": true + } + ], + "store_path": "/nix/store/9jxrh3ykia6mywnv0qcgbvxlikr5hpd4-terraform-docs-0.19.0" + }, + "aarch64-linux": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/4vh1gz6b2q4qz9zjwyngk1cwpx9j1s55-terraform-docs-0.19.0", + "default": true + } + ], + "store_path": "/nix/store/4vh1gz6b2q4qz9zjwyngk1cwpx9j1s55-terraform-docs-0.19.0" + }, + "x86_64-darwin": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/y4dz04z633irc23v9bkwns90438fnh0j-terraform-docs-0.19.0", + "default": true + } + ], + "store_path": "/nix/store/y4dz04z633irc23v9bkwns90438fnh0j-terraform-docs-0.19.0" + }, + "x86_64-linux": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/am9l6va75gfm576nkz6hn2sp64c1g68n-terraform-docs-0.19.0", + "default": true + } + ], + "store_path": "/nix/store/am9l6va75gfm576nkz6hn2sp64c1g68n-terraform-docs-0.19.0" + } + } + }, + "terraform@latest": { + "last_modified": "2024-12-13T21:43:23Z", + "resolved": 
"github:NixOS/nixpkgs/71a6392e367b08525ee710a93af2e80083b5b3e2#terraform", + "source": "devbox-search", + "version": "1.10.2", + "systems": { + "aarch64-darwin": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/klr8n653xzzamqr5d90lp3wp76adiwlr-terraform-1.10.2", + "default": true + } + ], + "store_path": "/nix/store/klr8n653xzzamqr5d90lp3wp76adiwlr-terraform-1.10.2" + }, + "aarch64-linux": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/bzz0rh5411j9xin9iv1648w2j8a1jn9q-terraform-1.10.2", + "default": true + } + ], + "store_path": "/nix/store/bzz0rh5411j9xin9iv1648w2j8a1jn9q-terraform-1.10.2" + }, + "x86_64-darwin": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/1nydwdx7zzz1h0wa4fazy5kmckm34300-terraform-1.10.2", + "default": true + } + ], + "store_path": "/nix/store/1nydwdx7zzz1h0wa4fazy5kmckm34300-terraform-1.10.2" + }, + "x86_64-linux": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/4r7rridp45wcgrcpdpqdj04k47vlm59r-terraform-1.10.2", + "default": true + } + ], + "store_path": "/nix/store/4r7rridp45wcgrcpdpqdj04k47vlm59r-terraform-1.10.2" + } + } + }, + "tflint@latest": { + "last_modified": "2024-12-03T12:40:06Z", + "resolved": "github:NixOS/nixpkgs/566e53c2ad750c84f6d31f9ccb9d00f823165550#tflint", + "source": "devbox-search", + "version": "0.54.0", + "systems": { + "aarch64-darwin": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/sabnazxmprkn41jlmjm3rs7nq7lgpx65-tflint-0.54.0", + "default": true + } + ], + "store_path": "/nix/store/sabnazxmprkn41jlmjm3rs7nq7lgpx65-tflint-0.54.0" + }, + "aarch64-linux": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/r1ji0p28hi8saglv7xf0jddkxf7cr05n-tflint-0.54.0", + "default": true + } + ], + "store_path": "/nix/store/r1ji0p28hi8saglv7xf0jddkxf7cr05n-tflint-0.54.0" + }, + "x86_64-darwin": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/5x6g32x9s5vmq392b2i6zivcxwl8zrk0-tflint-0.54.0", + "default": true + } + ], + "store_path": 
"/nix/store/5x6g32x9s5vmq392b2i6zivcxwl8zrk0-tflint-0.54.0" + }, + "x86_64-linux": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/317bjlhpw3qnpnwh18wff0rsgk2lqms4-tflint-0.54.0", + "default": true + } + ], + "store_path": "/nix/store/317bjlhpw3qnpnwh18wff0rsgk2lqms4-tflint-0.54.0" + } + } + }, + "trivy@latest": { + "last_modified": "2024-12-08T11:15:23Z", + "resolved": "github:NixOS/nixpkgs/93dc9803a1ee435e590b02cde9589038d5cc3a4e#trivy", + "source": "devbox-search", + "version": "0.58.0", + "systems": { + "aarch64-darwin": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/s2qcbkjqafmq0n81jcpmvczhkhcx47la-trivy-0.58.0", + "default": true + } + ], + "store_path": "/nix/store/s2qcbkjqafmq0n81jcpmvczhkhcx47la-trivy-0.58.0" + }, + "aarch64-linux": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/6w98v86y1mfgxav9wydqsnpwygwvhiib-trivy-0.58.0", + "default": true + } + ], + "store_path": "/nix/store/6w98v86y1mfgxav9wydqsnpwygwvhiib-trivy-0.58.0" + }, + "x86_64-darwin": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/p6h9gw6qsw0g9xmnzhj4mfdf16jfjnz4-trivy-0.58.0", + "default": true + } + ], + "store_path": "/nix/store/p6h9gw6qsw0g9xmnzhj4mfdf16jfjnz4-trivy-0.58.0" + }, + "x86_64-linux": { + "outputs": [ + { + "name": "out", + "path": "/nix/store/1yk8qv2bp70id52yp220gyy0bv1fp93r-trivy-0.58.0", + "default": true + } + ], + "store_path": "/nix/store/1yk8qv2bp70id52yp220gyy0bv1fp93r-trivy-0.58.0" + } + } + } + } +} diff --git a/misc/vpa.yaml b/misc/vpa.yaml index 498235e..1dc526d 100644 --- a/misc/vpa.yaml +++ b/misc/vpa.yaml @@ -419,6 +419,7 @@ spec: cpu: 2 memory: 2Gi controlledResources: ["cpu", "memory"] +--- # --------------------------------- cert-manager --------------------------------- # apiVersion: "autoscaling.k8s.io/v1" kind: VerticalPodAutoscaler @@ -715,4 +716,4 @@ spec: maxAllowed: cpu: 2 memory: 2Gi - controlledResources: ["cpu", "memory"] \ No newline at end of file + controlledResources: ["cpu", "memory"]
"m5.large",
"m5d.large",
"m5a.large",
"m5ad.large",
"m4.large"
]