[deploy\_id](#input\_deploy\_id) | Domino Deployment ID. | `string` | `"domino-eks"` | no |
| [domino\_cur](#input\_domino\_cur) | Determines whether to provision domino cost related infrastructures, ie, long term storage | object({
provision_cost_usage_report = optional(bool, false)
}) | `{}` | no |
| [eks](#input\_eks) | creation\_role\_name = Name of the role to import.
k8s\_version = EKS cluster k8s version.
nodes\_master Grants the nodes role system:master access. NOT recomended
kubeconfig = {
extra\_args = Optional extra args when generating kubeconfig.
path = Fully qualified path name to write the kubeconfig file.
}
public\_access = {
enabled = Enable EKS API public endpoint.
cidrs = List of CIDR ranges permitted for accessing the EKS public endpoint.
}
Custom role maps for aws auth configmap
custom\_role\_maps = {
rolearn = string
username = string
groups = list(string)
}
master\_role\_names = IAM role names to be added as masters in eks.
cluster\_addons = EKS cluster addons. vpc-cni is installed separately.
vpc\_cni = Configuration for AWS VPC CNI
ssm\_log\_group\_name = CloudWatch log group to send the SSM session logs to.
identity\_providers = Configuration for IDP(Identity Provider).
} | object({
creation_role_name = optional(string, null)
k8s_version = optional(string, "1.27")
nodes_master = optional(bool, false)
kubeconfig = optional(object({
extra_args = optional(string, "")
path = optional(string, null)
}), {})
public_access = optional(object({
enabled = optional(bool, false)
cidrs = optional(list(string), [])
}), {})
custom_role_maps = optional(list(object({
rolearn = string
username = string
groups = list(string)
})), [])
master_role_names = optional(list(string), [])
cluster_addons = optional(list(string), ["kube-proxy", "coredns", "vpc-cni"])
ssm_log_group_name = optional(string, "session-manager")
vpc_cni = optional(object({
prefix_delegation = optional(bool)
annotate_pod_ip = optional(bool)
}))
identity_providers = optional(list(object({
client_id = string
groups_claim = optional(string, null)
groups_prefix = optional(string, null)
identity_provider_config_name = string
issuer_url = optional(string, null)
required_claims = optional(string, null)
username_claim = optional(string, null)
username_prefix = optional(string, null)
})), [])
}) | `{}` | no |
-| [flyte](#input\_flyte) | enabled = Whether to provision any Flyte related resources | object({
enabled = optional(bool, false)
}) | `{}` | no |
| [ignore\_tags](#input\_ignore\_tags) | Tag keys to be ignored by the aws provider. | `list(string)` | `[]` | no |
| [kms](#input\_kms) | enabled = "Toggle, if set use either the specified KMS key\_id or a Domino-generated one"
key\_id = optional(string, null)
additional\_policies = "Allows setting additional KMS key policies when using a Domino-generated key" | object({
enabled = optional(bool, true)
key_id = optional(string, null)
additional_policies = optional(list(string), [])
}) | `{}` | no |
| [network](#input\_network) | vpc = {
id = Existing vpc id, it will bypass creation by this module.
subnets = {
private = Existing private subnets.
public = Existing public subnets.
pod = Existing pod subnets.
}), {})
}), {})
network\_bits = {
public = Number of network bits to allocate to the public subnet. i.e /27 -> 32 IPs.
private = Number of network bits to allocate to the private subnet. i.e /19 -> 8,192 IPs.
pod = Number of network bits to allocate to the private subnet. i.e /19 -> 8,192 IPs.
}
cidrs = {
vpc = The IPv4 CIDR block for the VPC.
pod = The IPv4 CIDR block for the Pod subnets.
}
use\_pod\_cidr = Use additional pod CIDR range (ie 100.64.0.0/16) for pod networking. | object({
vpc = optional(object({
id = optional(string, null)
subnets = optional(object({
private = optional(list(string), [])
public = optional(list(string), [])
pod = optional(list(string), [])
}), {})
}), {})
network_bits = optional(object({
public = optional(number, 27)
private = optional(number, 19)
pod = optional(number, 19)
}
), {})
cidrs = optional(object({
vpc = optional(string, "10.0.0.0/16")
pod = optional(string, "100.64.0.0/16")
}), {})
use_pod_cidr = optional(bool, true)
}) | `{}` | no |
diff --git a/modules/infra/main.tf b/modules/infra/main.tf
index c04b0d3d..ff3f1006 100644
--- a/modules/infra/main.tf
+++ b/modules/infra/main.tf
@@ -31,7 +31,6 @@ module "storage" {
network_info = module.network.info
kms_info = local.kms_info
storage = var.storage
- flyte = var.flyte
}
data "aws_ec2_instance_type" "all" {
diff --git a/modules/infra/submodules/storage/README.md b/modules/infra/submodules/storage/README.md
index a77c82d7..adfe3252 100644
--- a/modules/infra/submodules/storage/README.md
+++ b/modules/infra/submodules/storage/README.md
@@ -37,8 +37,6 @@ No modules.
| [aws_s3_bucket.backups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
| [aws_s3_bucket.blobs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
| [aws_s3_bucket.costs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
-| [aws_s3_bucket.flyte_data](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
-| [aws_s3_bucket.flyte_metadata](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
| [aws_s3_bucket.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
| [aws_s3_bucket.monitoring](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
| [aws_s3_bucket.registry](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
@@ -59,8 +57,6 @@ No modules.
| [aws_iam_policy_document.blobs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.costs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.ecr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.flyte_data](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.flyte_metadata](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.monitoring](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.registry](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -72,7 +68,6 @@ No modules.
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [deploy\_id](#input\_deploy\_id) | Domino Deployment ID | `string` | n/a | yes |
-| [flyte](#input\_flyte) | enabled = Whether to provision any Flyte related resources | object({
enabled = optional(bool, false)
}) | `{}` | no |
| [kms\_info](#input\_kms\_info) | key\_id = KMS key id.
key\_arn = KMS key arn.
enabled = KMS key is enabled | object({
key_id = string
key_arn = string
enabled = bool
}) | n/a | yes |
| [network\_info](#input\_network\_info) | id = VPC ID.
subnets = {
public = List of public Subnets.
[{
name = Subnet name.
subnet\_id = Subnet ud
az = Subnet availability\_zone
az\_id = Subnet availability\_zone\_id
}]
private = List of private Subnets.
[{
name = Subnet name.
subnet\_id = Subnet ud
az = Subnet availability\_zone
az\_id = Subnet availability\_zone\_id
}]
pod = List of pod Subnets.
[{
name = Subnet name.
subnet\_id = Subnet ud
az = Subnet availability\_zone
az\_id = Subnet availability\_zone\_id
}]
} | object({
vpc_id = string
subnets = object({
public = optional(list(object({
name = string
subnet_id = string
az = string
az_id = string
})), [])
private = list(object({
name = string
subnet_id = string
az = string
az_id = string
}))
pod = optional(list(object({
name = string
subnet_id = string
az = string
az_id = string
})), [])
})
}) | n/a | yes |
| [storage](#input\_storage) | storage = {
efs = {
access\_point\_path = Filesystem path for efs.
backup\_vault = {
create = Create backup vault for EFS toggle.
force\_destroy = Toggle to allow automatic destruction of all backups when destroying.
backup = {
schedule = Cron-style schedule for EFS backup vault (default: once a day at 12pm).
cold\_storage\_after = Move backup data to cold storage after this many days.
delete\_after = Delete backup data after this many days.
}
}
}
s3 = {
force\_destroy\_on\_deletion = Toogle to allow recursive deletion of all objects in the s3 buckets. if 'false' terraform will NOT be able to delete non-empty buckets.
}
ecr = {
force\_destroy\_on\_deletion = Toogle to allow recursive deletion of all objects in the ECR repositories. if 'false' terraform will NOT be able to delete non-empty repositories.
}
enable\_remote\_backup = Enable tagging required for cross-account backups
costs\_enabled = Determines whether to provision domino cost related infrastructures, ie, long term storage
}
} | object({
efs = optional(object({
access_point_path = optional(string)
backup_vault = optional(object({
create = optional(bool)
force_destroy = optional(bool)
backup = optional(object({
schedule = optional(string)
cold_storage_after = optional(number)
delete_after = optional(number)
}))
}))
}))
s3 = optional(object({
force_destroy_on_deletion = optional(bool)
}))
ecr = optional(object({
force_destroy_on_deletion = optional(bool)
}))
enable_remote_backup = optional(bool)
costs_enabled = optional(bool)
}) | n/a | yes |
diff --git a/modules/infra/submodules/storage/main.tf b/modules/infra/submodules/storage/main.tf
index 137cbbb7..bb378f33 100644
--- a/modules/infra/submodules/storage/main.tf
+++ b/modules/infra/submodules/storage/main.tf
@@ -24,18 +24,6 @@ locals {
policy_json = data.aws_iam_policy_document.costs[0].json
arn = aws_s3_bucket.costs[0].arn
} : {}
- flyte_metadata = var.flyte.enabled ? {
- bucket_name = aws_s3_bucket.flyte_metadata[0].bucket
- id = aws_s3_bucket.flyte_metadata[0].id
- policy_json = data.aws_iam_policy_document.flyte_metadata[0].json
- arn = aws_s3_bucket.flyte_metadata[0].arn
- } : {}
- flyte_data = var.flyte.enabled ? {
- bucket_name = aws_s3_bucket.flyte_data[0].bucket
- id = aws_s3_bucket.flyte_data[0].id
- policy_json = data.aws_iam_policy_document.flyte_data[0].json
- arn = aws_s3_bucket.flyte_data[0].arn
- } : {}
logs = {
bucket_name = aws_s3_bucket.logs.bucket
id = aws_s3_bucket.logs.id
diff --git a/modules/infra/submodules/storage/s3.tf b/modules/infra/submodules/storage/s3.tf
index 99e9ebee..13c4bdd5 100644
--- a/modules/infra/submodules/storage/s3.tf
+++ b/modules/infra/submodules/storage/s3.tf
@@ -603,69 +603,3 @@ data "aws_iam_policy_document" "costs" {
}
}
}
-
-resource "aws_s3_bucket" "flyte_metadata" {
- count = var.flyte.enabled ? 1 : 0
- bucket = "${var.deploy_id}-flyte-metadata"
- force_destroy = var.storage.s3.force_destroy_on_deletion
- object_lock_enabled = false
-}
-
-data "aws_iam_policy_document" "flyte_metadata" {
- count = var.flyte.enabled ? 1 : 0
-
- statement {
- effect = "Deny"
-
- resources = [
- "arn:${data.aws_partition.current.partition}:s3:::${aws_s3_bucket.flyte_metadata[0].bucket}",
- "arn:${data.aws_partition.current.partition}:s3:::${aws_s3_bucket.flyte_metadata[0].bucket}/*",
- ]
-
- actions = ["s3:*"]
-
- condition {
- test = "Bool"
- variable = "aws:SecureTransport"
- values = ["false"]
- }
-
- principals {
- type = "AWS"
- identifiers = ["*"]
- }
- }
-}
-
-resource "aws_s3_bucket" "flyte_data" {
- count = var.flyte.enabled ? 1 : 0
- bucket = "${var.deploy_id}-flyte-data"
- force_destroy = var.storage.s3.force_destroy_on_deletion
- object_lock_enabled = false
-}
-
-data "aws_iam_policy_document" "flyte_data" {
- count = var.flyte.enabled ? 1 : 0
-
- statement {
- effect = "Deny"
-
- resources = [
- "arn:${data.aws_partition.current.partition}:s3:::${aws_s3_bucket.flyte_data[0].bucket}",
- "arn:${data.aws_partition.current.partition}:s3:::${aws_s3_bucket.flyte_data[0].bucket}/*",
- ]
-
- actions = ["s3:*"]
-
- condition {
- test = "Bool"
- variable = "aws:SecureTransport"
- values = ["false"]
- }
-
- principals {
- type = "AWS"
- identifiers = ["*"]
- }
- }
-}
diff --git a/modules/infra/submodules/storage/variables.tf b/modules/infra/submodules/storage/variables.tf
index 56f6b40a..9a535c86 100644
--- a/modules/infra/submodules/storage/variables.tf
+++ b/modules/infra/submodules/storage/variables.tf
@@ -122,14 +122,3 @@ variable "network_info" {
})
})
}
-
-variable "flyte" {
- description = < [additional\_irsa\_configs](#input\_additional\_irsa\_configs) | Input for additional irsa configurations | list(object({
name = string
namespace = string
serviceaccount_name = string
policy = string #json
})) | `[]` | no |
| [eks\_info](#input\_eks\_info) | cluster = {
specs {
name = Cluster name.
account\_id = AWS account id where the cluster resides.
}
oidc = {
arn = OIDC provider ARN.
url = OIDC provider url.
cert = {
thumbprint\_list = OIDC cert thumbprints.
url = OIDC cert URL.
}
} | object({
nodes = object({
roles = list(object({
arn = string
name = string
}))
})
cluster = object({
specs = object({
name = string
account_id = string
})
oidc = object({
arn = string
url = string
cert = object({
thumbprint_list = list(string)
url = string
})
})
})
}) | n/a | yes |
| [external\_dns](#input\_external\_dns) | Config to enable irsa for external-dns | object({
enabled = optional(bool, false)
hosted_zone_name = optional(string, null)
hosted_zone_private = optional(string, false)
namespace = optional(string, "domino-platform")
serviceaccount_name = optional(string, "external-dns")
rm_role_policy = optional(object({
remove = optional(bool, false)
detach_from_role = optional(bool, false)
policy_name = optional(string, "")
}), {})
}) | `{}` | no |
-| [flyte](#input\_flyte) | enabled = Whether to provision any Flyte related resources
eks = {
controlplane\_role = Name of control plane role to create for Flyte
dataplane\_role = Name of data plane role to create for Flyte
} | object({
enabled = optional(bool, false)
}) | `{}` | no |
| [use\_cluster\_odc\_idp](#input\_use\_cluster\_odc\_idp) | Toogle to uset the oidc idp connector in the trust policy.
Set to `true` if the cluster and the hosted zone are in different aws accounts.
`rm_role_policy` used to facilitiate the cleanup if a node attached policy was used previously. | `bool` | `true` | no |
## Outputs
@@ -59,6 +56,5 @@ No modules.
| Name | Description |
|------|-------------|
| [external\_dns](#output\_external\_dns) | External\_dns info |
-| [flyte](#output\_flyte) | Flyte info |
| [roles](#output\_roles) | Roles mapping info |
diff --git a/modules/irsa/flyte.tf b/modules/irsa/flyte.tf
deleted file mode 100644
index 7a92c0f3..00000000
--- a/modules/irsa/flyte.tf
+++ /dev/null
@@ -1,51 +0,0 @@
-resource "aws_iam_role" "flyte_controlplane_role" {
- count = var.flyte.enabled ? 1 : 0
- name = "${local.name_prefix}-flyte-controlplane-role"
- assume_role_policy = jsonencode({
- Version = "2012-10-17"
- Statement = [
- {
- Action = "sts:AssumeRoleWithWebIdentity"
- Effect = "Allow"
- Principal = {
- Federated = local.oidc_provider_arn
- }
- Condition : {
- StringEquals : {
- "${trimprefix(local.oidc_provider_url, "https://")}:aud" : "sts.amazonaws.com",
- "${trimprefix(local.oidc_provider_url, "https://")}:sub" : [
- "system:serviceaccount:flyte:flyteadmin",
- "system:serviceaccount:flyte:datacatalog"
- ]
- }
- }
- },
- ]
- })
-}
-
-resource "aws_iam_role" "flyte_dataplane_role" {
- count = var.flyte.enabled ? 1 : 0
- name = "${local.name_prefix}-flyte-dataplane-role"
- assume_role_policy = jsonencode({
- Version = "2012-10-17"
- Statement = [
- {
- Action = "sts:AssumeRoleWithWebIdentity"
- Effect = "Allow"
- Principal = {
- Federated = local.oidc_provider_arn
- }
- Condition : {
- StringEquals : {
- "${trimprefix(local.oidc_provider_url, "https://")}:aud" : "sts.amazonaws.com",
- "${trimprefix(local.oidc_provider_url, "https://")}:sub" : [
- "system:serviceaccount:flyte:flytepropeller",
- "system:serviceaccount:*:default"
- ]
- }
- }
- },
- ]
- })
-}
diff --git a/modules/irsa/main.tf b/modules/irsa/main.tf
index 53f09ed4..999e55b1 100644
--- a/modules/irsa/main.tf
+++ b/modules/irsa/main.tf
@@ -5,7 +5,6 @@ locals {
oidc_provider_url = var.use_cluster_odc_idp ? var.eks_info.cluster.oidc.cert.url : aws_iam_openid_connect_provider.this[0].url
oidc_provider_arn = var.use_cluster_odc_idp ? var.eks_info.cluster.oidc.arn : aws_iam_openid_connect_provider.this[0].arn
name_prefix = var.eks_info.cluster.specs.name
- aws_account_id = var.use_cluster_odc_idp ? var.eks_info.cluster.specs.account_id : data.aws_caller_identity.aws_account.account_id
}
resource "aws_iam_openid_connect_provider" "this" {
diff --git a/modules/irsa/outputs.tf b/modules/irsa/outputs.tf
index 03890e0b..4bfc4f1e 100644
--- a/modules/irsa/outputs.tf
+++ b/modules/irsa/outputs.tf
@@ -13,13 +13,3 @@ output "external_dns" {
} : null
}
-output "flyte" {
- description = "Flyte info"
- value = var.flyte.enabled ? {
- eks = {
- account_id = local.aws_account_id
- controlplane_role_arn = aws_iam_role.flyte_controlplane_role[0].arn
- dataplane_role_arn = aws_iam_role.flyte_dataplane_role[0].arn
- }
- } : null
-}
diff --git a/modules/irsa/variables.tf b/modules/irsa/variables.tf
index b338daf2..a3e07a5e 100644
--- a/modules/irsa/variables.tf
+++ b/modules/irsa/variables.tf
@@ -83,18 +83,3 @@ variable "additional_irsa_configs" {
error_message = "Invalid json found in policy"
}
}
-
-variable "flyte" {
- description = <