fix: Update EKS module min version to fix race condition during destr…

…oy (#1926)
aws-ia · Apr 22, 2024 · 2630956 · 2630956
1 parent bdbf6e3
commit 2630956
Show file tree

Hide file tree

Showing 27 changed files with 104 additions and 112 deletions.
diff --git a/docs/_partials/destroy.md b/docs/_partials/destroy.md
@@ -1,9 +1,4 @@
 ```sh
-# Necessary to avoid removing Terraform's permissions too soon before its finished
-# cleaning up the resources it deployed inside the cluster
-terraform state rm 'module.eks.aws_eks_access_entry.this["cluster_creator"]' || true
-terraform state rm 'module.eks.aws_eks_access_policy_association.this["cluster_creator_admin"]' || true
-
 terraform destroy -target="module.eks_blueprints_addons" -auto-approve
 terraform destroy -target="module.eks" -auto-approve
 terraform destroy -auto-approve

diff --git a/docs/cSpell_dict.txt b/docs/cSpell_dict.txt
@@ -113,6 +113,7 @@ nics
 nodegroup
 nodeport
 nvme
+odcr
 oidc
 persistentvolume
 pkce
@@ -125,6 +126,7 @@ readyz
 reclaimpolicy
 redop
 replicaset
+resourcegroups
 rdmap
 rolearn
 rollouts
@@ -144,6 +146,7 @@ tcpdump
 templatefile
 tfstate
 tfvars
+timeadd
 tolerations
 tolist
 toset

diff --git a/patterns/agones-game-controller/main.tf b/patterns/agones-game-controller/main.tf
@@ -42,7 +42,7 @@ locals {
 
 module "eks" {
   source  = "terraform-aws-modules/eks/aws"
-  version = "~> 20.0"
+  version = "~> 20.8"
 
   cluster_name                   = local.name
   cluster_version                = local.cluster_version
@@ -128,7 +128,7 @@ module "eks" {
 
 module "eks_blueprints_addons" {
   source  = "aws-ia/eks-blueprints-addons/aws"
-  version = "~> 1.7"
+  version = "~> 1.16"
 
   cluster_name      = module.eks.cluster_name
   cluster_endpoint  = module.eks.cluster_endpoint

diff --git a/patterns/aws-vpc-cni-network-policy/main.tf b/patterns/aws-vpc-cni-network-policy/main.tf
@@ -49,7 +49,7 @@ locals {
 
 module "eks" {
   source  = "terraform-aws-modules/eks/aws"
-  version = "~> 20.0"
+  version = "~> 20.8"
 
   cluster_name                   = local.name
   cluster_version                = "1.29" # Must be 1.25 or higher
@@ -75,42 +75,13 @@ module "eks" {
   tags = local.tags
 }
 
-################################################################################
-# Supporting Resources
-################################################################################
-
-module "vpc" {
-  source  = "terraform-aws-modules/vpc/aws"
-  version = "~> 5.0"
-
-  name = local.name
-  cidr = local.vpc_cidr
-
-  azs             = local.azs
-  private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 4, k)]
-  public_subnets  = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 48)]
-
-  enable_nat_gateway = true
-  single_nat_gateway = true
-
-  public_subnet_tags = {
-    "kubernetes.io/role/elb" = 1
-  }
-
-  private_subnet_tags = {
-    "kubernetes.io/role/internal-elb" = 1
-  }
-
-  tags = local.tags
-}
-
 ################################################################################
 # EKS Addons (demo application)
 ################################################################################
 
 module "addons" {
   source  = "aws-ia/eks-blueprints-addons/aws"
-  version = "~> 1.0"
+  version = "~> 1.16"
 
   cluster_name      = module.eks.cluster_name
   cluster_endpoint  = module.eks.cluster_endpoint
@@ -288,5 +259,35 @@ resource "kubernetes_network_policy_v1" "allow_client_to_backend" {
       }
     }
   }
+
   depends_on = [module.addons]
 }
+
+################################################################################
+# Supporting Resources
+################################################################################
+
+module "vpc" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "~> 5.0"
+
+  name = local.name
+  cidr = local.vpc_cidr
+
+  azs             = local.azs
+  private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 4, k)]
+  public_subnets  = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 48)]
+
+  enable_nat_gateway = true
+  single_nat_gateway = true
+
+  public_subnet_tags = {
+    "kubernetes.io/role/elb" = 1
+  }
+
+  private_subnet_tags = {
+    "kubernetes.io/role/internal-elb" = 1
+  }
+
+  tags = local.tags
+}
diff --git a/patterns/elastic-fabric-adapter/main.tf b/patterns/elastic-fabric-adapter/main.tf
@@ -39,7 +39,7 @@ locals {
 
 module "eks" {
   source  = "terraform-aws-modules/eks/aws"
-  version = "~> 20.4"
+  version = "~> 20.8"
 
   cluster_name                   = local.name
   cluster_version                = "1.29"
@@ -134,7 +134,7 @@ module "eks" {
 
 module "eks_blueprints_addons" {
   source  = "aws-ia/eks-blueprints-addons/aws"
-  version = "~> 1.14"
+  version = "~> 1.16"
 
   cluster_name      = module.eks.cluster_name
   cluster_endpoint  = module.eks.cluster_endpoint

diff --git a/patterns/external-secrets/main.tf b/patterns/external-secrets/main.tf
@@ -58,7 +58,7 @@ locals {
 
 module "eks" {
   source  = "terraform-aws-modules/eks/aws"
-  version = "~> 20.0"
+  version = "~> 20.8"
 
   cluster_name                   = local.name
   cluster_version                = "1.29"
@@ -90,7 +90,7 @@ module "eks" {
 
 module "eks_blueprints_addons" {
   source  = "aws-ia/eks-blueprints-addons/aws"
-  version = "~> 1.14"
+  version = "~> 1.16"
 
   cluster_name      = module.eks.cluster_name
   cluster_endpoint  = module.eks.cluster_endpoint

diff --git a/patterns/fargate-serverless/main.tf b/patterns/fargate-serverless/main.tf
@@ -50,7 +50,7 @@ locals {
 
 module "eks" {
   source  = "terraform-aws-modules/eks/aws"
-  version = "~> 20.0"
+  version = "~> 20.8"
 
   cluster_name                   = local.name
   cluster_version                = "1.29"
@@ -96,7 +96,7 @@ module "eks" {
 
 module "eks_blueprints_addons" {
   source  = "aws-ia/eks-blueprints-addons/aws"
-  version = "~> 1.14"
+  version = "~> 1.16"
 
   cluster_name      = module.eks.cluster_name
   cluster_endpoint  = module.eks.cluster_endpoint

diff --git a/patterns/fully-private-cluster/main.tf b/patterns/fully-private-cluster/main.tf
@@ -23,7 +23,7 @@ locals {
 
 module "eks" {
   source  = "terraform-aws-modules/eks/aws"
-  version = "~> 20.0"
+  version = "~> 20.8"
 
   cluster_name    = local.name
   cluster_version = "1.29"

diff --git a/patterns/gitops/multi-cluster-hub-spoke-argocd/hub/main.tf b/patterns/gitops/multi-cluster-hub-spoke-argocd/hub/main.tf
@@ -46,7 +46,7 @@ locals {
   gitops_addons_revision = var.gitops_addons_revision
 
   authentication_mode = var.authentication_mode
-  
+
   argocd_namespace = "argocd"
 
   aws_addons = {
@@ -109,7 +109,7 @@ locals {
       aws_vpc_id       = module.vpc.vpc_id
     },
     {
-      argocd_namespace    = local.argocd_namespace
+      argocd_namespace = local.argocd_namespace
     },
     {
       addons_repo_url      = local.gitops_addons_url
@@ -153,7 +153,7 @@ data "aws_iam_policy_document" "eks_assume" {
       type        = "Service"
       identifiers = ["pods.eks.amazonaws.com"]
     }
-    actions = ["sts:AssumeRole","sts:TagSession"]
+    actions = ["sts:AssumeRole", "sts:TagSession"]
   }
 }
 resource "aws_iam_role" "argocd_hub" {
@@ -164,7 +164,7 @@ data "aws_iam_policy_document" "aws_assume_policy" {
   statement {
     effect    = "Allow"
     resources = ["*"]
-    actions   = ["sts:AssumeRole","sts:TagSession"]
+    actions   = ["sts:AssumeRole", "sts:TagSession"]
   }
 }
 resource "aws_iam_policy" "aws_assume_policy" {
@@ -244,9 +244,9 @@ module "eks" {
   subnet_ids = module.vpc.private_subnets
 
   authentication_mode = local.authentication_mode
-  
+
   enable_cluster_creator_admin_permissions = true
-  
+
   eks_managed_node_groups = {
     initial = {
       instance_types = ["t3.medium"]

diff --git a/patterns/gitops/multi-cluster-hub-spoke-argocd/hub/variables.tf b/patterns/gitops/multi-cluster-hub-spoke-argocd/hub/variables.tf
@@ -19,7 +19,7 @@ variable "addons" {
   default = {
     enable_aws_load_balancer_controller = true
     enable_metrics_server               = true
-    enable_argocd = true
+    enable_argocd                       = true
   }
 }
 

diff --git a/patterns/gitops/multi-cluster-hub-spoke-argocd/spokes/main.tf b/patterns/gitops/multi-cluster-hub-spoke-argocd/spokes/main.tf
@@ -70,8 +70,8 @@ locals {
   gitops_workload_revision = var.gitops_workload_revision
   gitops_workload_url      = "${local.gitops_workload_org}/${local.gitops_workload_repo}"
 
-  authentication_mode = var.authentication_mode  
-  
+  authentication_mode = var.authentication_mode
+
   aws_addons = {
     enable_cert_manager                          = try(var.addons.enable_cert_manager, false)
     enable_aws_efs_csi_driver                    = try(var.addons.enable_aws_efs_csi_driver, false)
@@ -194,7 +194,7 @@ resource "aws_iam_role" "spoke" {
 
 data "aws_iam_policy_document" "assume_role_policy" {
   statement {
-    actions = ["sts:AssumeRole","sts:TagSession"]
+    actions = ["sts:AssumeRole", "sts:TagSession"]
     principals {
       type        = "AWS"
       identifiers = [data.terraform_remote_state.cluster_hub.outputs.argocd_iam_role_arn]
@@ -254,7 +254,7 @@ module "eks" {
 
   vpc_id     = module.vpc.vpc_id
   subnet_ids = module.vpc.private_subnets
-  
+
   authentication_mode = local.authentication_mode
 
   # Cluster access entry
@@ -264,13 +264,13 @@ module "eks" {
   access_entries = {
     # One access entry with a policy associated
     example = {
-      principal_arn     = aws_iam_role.spoke.arn
+      principal_arn = aws_iam_role.spoke.arn
 
       policy_associations = {
         argocd = {
           policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
           access_scope = {
-            type       = "cluster"
+            type = "cluster"
           }
         }
       }
@@ -290,7 +290,7 @@ module "eks" {
   cluster_addons = {
     eks-pod-identity-agent = {
       most_recent = true
-    }  
+    }
     vpc-cni = {
       # Specify the VPC CNI addon should be deployed before compute to ensure
       # the addon is configured before data plane compute resources are created

diff --git a/patterns/gitops/multi-cluster-hub-spoke-argocd/spokes/variables.tf b/patterns/gitops/multi-cluster-hub-spoke-argocd/spokes/variables.tf
@@ -72,4 +72,4 @@ variable "authentication_mode" {
   description = "The authentication mode for the cluster. Valid values are CONFIG_MAP, API or API_AND_CONFIG_MAP"
   type        = string
   default     = "API"
-}
+}
diff --git a/patterns/ipv6-eks-cluster/main.tf b/patterns/ipv6-eks-cluster/main.tf
@@ -23,7 +23,7 @@ locals {
 
 module "eks" {
   source  = "terraform-aws-modules/eks/aws"
-  version = "~> 20.0"
+  version = "~> 20.8"
 
   cluster_name                   = local.name
   cluster_version                = "1.29"

diff --git a/patterns/istio/main.tf b/patterns/istio/main.tf
@@ -52,7 +52,7 @@ locals {
 
 module "eks" {
   source  = "terraform-aws-modules/eks/aws"
-  version = "~> 20.0"
+  version = "~> 20.8"
 
   cluster_name                   = local.name
   cluster_version                = "1.29"
@@ -117,7 +117,7 @@ resource "kubernetes_namespace_v1" "istio_system" {
 
 module "eks_blueprints_addons" {
   source  = "aws-ia/eks-blueprints-addons/aws"
-  version = "~> 1.14"
+  version = "~> 1.16"
 
   cluster_name      = module.eks.cluster_name
   cluster_endpoint  = module.eks.cluster_endpoint

diff --git a/patterns/karpenter/main.tf b/patterns/karpenter/main.tf
@@ -59,7 +59,7 @@ locals {
 
 module "eks" {
   source  = "terraform-aws-modules/eks/aws"
-  version = "~> 20.0"
+  version = "~> 20.8"
 
   cluster_name                   = local.name
   cluster_version                = "1.29"
@@ -102,7 +102,7 @@ module "eks" {
 
 module "eks_blueprints_addons" {
   source  = "aws-ia/eks-blueprints-addons/aws"
-  version = "~> 1.14"
+  version = "~> 1.16"
 
   cluster_name      = module.eks.cluster_name
   cluster_endpoint  = module.eks.cluster_endpoint