From 386b312cbdc4404eb88ec030c3aef1f841fc05a8 Mon Sep 17 00:00:00 2001
From: maxim
Date: Fri, 5 Nov 2021 14:48:28 +0600
Subject: [PATCH 1/2] enh: move gitlab-runner and elk-stack s3 buckets from layer1-aws into layer2-k8s

---
 .../examples/aws-s3-bucket-elastic-stack.tf | 38 -------------
 .../aws-s3-bucket-gitlab-runner-cache.tf | 51 -----------------
 terraform/layer2-k8s/examples/eks-elk.tf | 46 +++++++++++++--
 .../layer2-k8s/examples/eks-gitlab-runner.tf | 57 +++++++++++++++++--
 4 files changed, 91 insertions(+), 101 deletions(-)
 delete mode 100644 terraform/layer1-aws/examples/aws-s3-bucket-elastic-stack.tf
 delete mode 100644 terraform/layer1-aws/examples/aws-s3-bucket-gitlab-runner-cache.tf

diff --git a/terraform/layer1-aws/examples/aws-s3-bucket-elastic-stack.tf b/terraform/layer1-aws/examples/aws-s3-bucket-elastic-stack.tf
deleted file mode 100644
index 501458f9..00000000
--- a/terraform/layer1-aws/examples/aws-s3-bucket-elastic-stack.tf
+++ /dev/null
@@ -1,38 +0,0 @@
-resource "aws_s3_bucket" "elastic_stack" {
- bucket = "${local.name}-elastic-stack"
- acl = "private"
-
- server_side_encryption_configuration {
- rule {
- apply_server_side_encryption_by_default {
- sse_algorithm = "aws:kms"
- }
- }
- }
-
- tags = {
- Name = "${local.name}-elastic-stack"
- Environment = local.env
- }
-}
-
-resource "aws_s3_bucket_public_access_block" "elastic_stack_public_access_block" {
- bucket = aws_s3_bucket.elastic_stack.id
-
- # Block new public ACLs and uploading public objects
- block_public_acls = true
-
- # Retroactively remove public access granted through public ACLs
- ignore_public_acls = true
-
- # Block new public bucket policies
- block_public_policy = true
-
- # Retroactivley block public and cross-account access if bucket has public policies
- restrict_public_buckets = true
-}
-
-output "elastic_stack_bucket_name" {
- value = aws_s3_bucket.elastic_stack.id
- description = "Name of the bucket for ELKS snapshots"
-}
diff --git a/terraform/layer1-aws/examples/aws-s3-bucket-gitlab-runner-cache.tf b/terraform/layer1-aws/examples/aws-s3-bucket-gitlab-runner-cache.tf
deleted file mode 100644
index f608b2c6..00000000
--- a/terraform/layer1-aws/examples/aws-s3-bucket-gitlab-runner-cache.tf
+++ /dev/null
@@ -1,51 +0,0 @@
-resource "aws_s3_bucket" "gitlab_runner_cache" {
- bucket = "${local.name}-gitlab-runner-cache"
- acl = "private"
-
- server_side_encryption_configuration {
- rule {
- apply_server_side_encryption_by_default {
- sse_algorithm = "aws:kms"
- }
- }
- }
-
- lifecycle_rule {
- id = "gitlab-runner-cache-lifecycle-rule"
- enabled = true
-
- tags = {
- "rule" = "gitlab-runner-cache-lifecycle-rule"
- }
-
- expiration {
- days = 120
- }
- }
-
- tags = {
- Name = "${local.name}-gitlab-runner-cache"
- Environment = local.env
- }
-}
-
-resource "aws_s3_bucket_public_access_block" "gitlab_runner_cache_public_access_block" {
- bucket = aws_s3_bucket.gitlab_runner_cache.id
-
- # Block new public ACLs and uploading public objects
- block_public_acls = true
-
- # Retroactively remove public access granted through public ACLs
- ignore_public_acls = true
-
- # Block new public bucket policies
- block_public_policy = true
-
- # Retroactivley block public and cross-account access if bucket has public policies
- restrict_public_buckets = true
-}
-
-output "gitlab_runner_cache_bucket_name" {
- value = aws_s3_bucket.gitlab_runner_cache.id
- description = "Name of the s3 bucket for gitlab-runner cache"
-}
diff --git a/terraform/layer2-k8s/examples/eks-elk.tf b/terraform/layer2-k8s/examples/eks-elk.tf
index eb830f07..eb854848 100644
--- a/terraform/layer2-k8s/examples/eks-elk.tf
+++ b/terraform/layer2-k8s/examples/eks-elk.tf
@@ -4,16 +4,15 @@ locals { repository = lookup(local.helm_charts[index(local.helm_charts.*.id, "elk")], "repository", null) chart_version = lookup(local.helm_charts[index(local.helm_charts.*.id, "elk")], "version", null) } - kibana_domain_name = "kibana-${local.domain_suffix}" - apm_domain_name = "apm-${local.domain_suffix}" - elastic_stack_bucket_name = data.terraform_remote_state.layer1-aws.outputs.elastic_stack_bucket_name + kibana_domain_name = "kibana-${local.domain_suffix}" + apm_domain_name = "apm-${local.domain_suffix}" } data "template_file" "elk" { template = file("${path.module}/templates/elk-values.yaml") vars = { - bucket_name = local.elastic_stack_bucket_name + bucket_name = aws_s3_bucket.elastic_stack.id storage_class_name = kubernetes_storage_class.elk.id snapshot_retention_days = var.elk_snapshot_retention_days index_retention_days = var.elk_index_retention_days @@ -131,6 +130,36 @@ resource "random_string" "kibana_password" { upper = true } +resource "aws_s3_bucket" "elastic_stack" { + bucket = "${local.name}-elastic-stack" + acl = "private" + + server_side_encryption_configuration { + rule { + apply_server_side_encryption_by_default { + sse_algorithm = "aws:kms" + } + } + } + + tags = { + Name = "${local.name}-elastic-stack" + Environment = local.env + } +} + +resource "aws_s3_bucket_public_access_block" "elastic_stack_public_access_block" { + bucket = aws_s3_bucket.elastic_stack.id + # Block new public ACLs and uploading public objects + block_public_acls = true + # Retroactively remove public access granted through public ACLs + ignore_public_acls = true + # Block new public bucket policies + block_public_policy = true + # Retroactivley block public and cross-account access if bucket has public policies + restrict_public_buckets = true +} + module "aws_iam_elastic_stack" { source = "../modules/aws-iam-user-with-policy" 
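Review bot: The new `aws_s3_bucket.elastic_stack` in the `@@ -131,6 +130,36 @@` hunk re-declares the same bucket name the deleted layer1-aws file created, but nothing in the series moves the existing bucket between the two states; depending on apply order, layer1-aws will try to delete a bucket that holds the ELK snapshots, or layer2-k8s will fail to create a bucket that already exists. Document the migration step (`terraform state rm` of the bucket and its public access block in layer1-aws, then `terraform import aws_s3_bucket.elastic_stack <bucket-name>` and the matching import for `aws_s3_bucket_public_access_block.elastic_stack_public_access_block` in layer2-k8s) in the commit message or README before this is applied. The same concern applies to `aws_s3_bucket.gitlab_runner_cache` in the eks-gitlab-runner.tf hunk. Since the snapshot bucket now lives in the layer that is torn down together with the cluster, consider adding `lifecycle { prevent_destroy = true }` to the new resource; the SSE block also names no `kms_master_key_id`, so it falls back to the AWS-managed `aws/s3` key, which is fine if intended but worth a one-line comment. The `module "aws_iam_elastic_stack"` block at the end of the hunk continues outside it.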
@@ -147,7 +176,7 @@ module "aws_iam_elastic_stack" { "s3:ListBucketVersions" ], "Resource" : [ - "arn:aws:s3:::${local.elastic_stack_bucket_name}" + "arn:aws:s3:::${aws_s3_bucket.elastic_stack.id}" ] }, { @@ -160,7 +189,7 @@ module "aws_iam_elastic_stack" { "s3:ListMultipartUploadParts" ], "Resource" : [ - "arn:aws:s3:::${local.elastic_stack_bucket_name}/*" + "arn:aws:s3:::${aws_s3_bucket.elastic_stack.id}/*" ] } ] @@ -182,3 +211,8 @@ output "elasticsearch_elastic_password" { sensitive = true description = "Password of the superuser 'elastic'" } + +output "elastic_stack_bucket_name" { + value = aws_s3_bucket.elastic_stack.id + description = "Name of the bucket for ELKS snapshots" +} diff --git a/terraform/layer2-k8s/examples/eks-gitlab-runner.tf b/terraform/layer2-k8s/examples/eks-gitlab-runner.tf index afa37503..b9c04e46 100644 --- a/terraform/layer2-k8s/examples/eks-gitlab-runner.tf +++ b/terraform/layer2-k8s/examples/eks-gitlab-runner.tf @@ -4,18 +4,15 @@ locals { repository = lookup(local.helm_charts[index(local.helm_charts.*.id, "gitlab-runner")], "repository", null) chart_version = lookup(local.helm_charts[index(local.helm_charts.*.id, "gitlab-runner")], "version", null) } - gitlab_runner_cache_bucket_name = data.terraform_remote_state.layer1-aws.outputs.gitlab_runner_cache_bucket_name - gitlab_runner_template = templatefile("${path.module}/templates/gitlab-runner-values.tmpl", { registration_token = local.gitlab_registration_token namespace = module.ci_namespace.name role_arn = module.aws_iam_gitlab_runner.role_arn runner_sa = module.eks_rbac_gitlab_runner.sa_name - bucket_name = local.gitlab_runner_cache_bucket_name + bucket_name = aws_s3_bucket.gitlab_runner_cache.id region = local.region }) - } module "eks_rbac_gitlab_runner" { 
@@ -40,6 +37,49 @@ resource "helm_release" "gitlab_runner" { ] } +resource "aws_s3_bucket" "gitlab_runner_cache" { + bucket = "${local.name}-gitlab-runner-cache" + acl = "private" + + server_side_encryption_configuration { + rule { + apply_server_side_encryption_by_default { + sse_algorithm = "aws:kms" + } + } + } + + lifecycle_rule { + id = "gitlab-runner-cache-lifecycle-rule" + enabled = true + + tags = { + "rule" = "gitlab-runner-cache-lifecycle-rule" + } + + expiration { + days = 120 + } + } + + tags = { + Name = "${local.name}-gitlab-runner-cache" + Environment = local.env + } +} + +resource "aws_s3_bucket_public_access_block" "gitlab_runner_cache_public_access_block" { + bucket = aws_s3_bucket.gitlab_runner_cache.id + # Block new public ACLs and uploading public objects + block_public_acls = true + # Retroactively remove public access granted through public ACLs + ignore_public_acls = true + # Block new public bucket policies + block_public_policy = true + # Retroactivley block public and cross-account access if bucket has public policies + restrict_public_buckets = true +} + module "aws_iam_gitlab_runner" { source = "../modules/aws-iam-eks-trusted" @@ -62,10 +102,15 @@ module "aws_iam_gitlab_runner" { "s3:*" ], "Resource" : [ - "arn:aws:s3:::${local.gitlab_runner_cache_bucket_name}", - "arn:aws:s3:::${local.gitlab_runner_cache_bucket_name}/*" + "arn:aws:s3:::${aws_s3_bucket.gitlab_runner_cache.id}", + "arn:aws:s3:::${aws_s3_bucket.gitlab_runner_cache.id}/*" ] } ] }) } + +output "gitlab_runner_cache_bucket_name" { + value = aws_s3_bucket.gitlab_runner_cache.id + description = "Name of the s3 bucket for gitlab-runner cache" +} From c1807aaafa0eada45b2f57e2108c9af3f20cbeef Mon Sep 17 00:00:00 2001 From: maxim Date: Fri, 5 Nov 2021 15:20:11 +0600 Subject: [PATCH 2/2] fix gitlab-runner installation --- terraform/layer2-k8s/examples/eks-gitlab-runner.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
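Review bot: In the new `aws_s3_bucket.gitlab_runner_cache`, the `tags` block inside `lifecycle_rule` is an object-tag filter rather than metadata for the rule, so the 120-day expiration only applies to objects tagged `rule = gitlab-runner-cache-lifecycle-rule`; unless the runner uploads cache objects with that tag (the runner config is not visible here), nothing expires and the cache grows without bound. Dropping the `tags { ... }` block and keeping `id`, `enabled` and `expiration` makes the rule match every object in the bucket. Separately, the new `Resource` entries in `module "aws_iam_gitlab_runner"` sit under the existing `"s3:*"` action, which gives the runner role bucket-level rights such as `s3:DeleteBucket` and `s3:PutBucketPolicy`; since CI jobs execute pipeline-supplied code, narrowing the action list to `s3:GetObject`, `s3:PutObject`, `s3:DeleteObject` and `s3:ListBucket` is the least-privilege shape for a cache bucket. As with the ELK bucket, the existing bucket needs to be imported into the layer2-k8s state rather than re-created.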
diff --git a/terraform/layer2-k8s/examples/eks-gitlab-runner.tf b/terraform/layer2-k8s/examples/eks-gitlab-runner.tf
index b9c04e46..d0b22e4a 100644
--- a/terraform/layer2-k8s/examples/eks-gitlab-runner.tf
+++ b/terraform/layer2-k8s/examples/eks-gitlab-runner.tf
@@ -4,12 +4,12 @@ locals {
 repository = lookup(local.helm_charts[index(local.helm_charts.*.id, "gitlab-runner")], "repository", null)
 chart_version = lookup(local.helm_charts[index(local.helm_charts.*.id, "gitlab-runner")], "version", null)
 }
- gitlab_runner_template = templatefile("${path.module}/templates/gitlab-runner-values.tmpl",
+ gitlab_runner_template = templatefile("${path.module}/templates/gitlab-runner-values.yaml",
 {
 registration_token = local.gitlab_registration_token
 namespace = module.ci_namespace.name
 role_arn = module.aws_iam_gitlab_runner.role_arn
- runner_sa = module.eks_rbac_gitlab_runner.sa_name
+ runner_sa = module.eks_rbac_gitlab_runner.service_account_name
 bucket_name = aws_s3_bucket.gitlab_runner_cache.id
 region = local.region
 })
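Review bot: The fix switches the template path to `templates/gitlab-runner-values.yaml` and the module output to `service_account_name`, but the diffstat lists only eks-gitlab-runner.tf, so neither the template file nor the `eks_rbac_gitlab_runner` module changes in this series; confirm both already exist under those names in the target tree, otherwise `terraform plan` fails at `templatefile()` or on the unknown module output. A one-line commit body naming where the renamed file and output come from would let the two patches be reviewed together. The `locals` block this hunk edits starts and ends outside the hunk.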