From 995340744de734322af9a7f492230f79b486372b Mon Sep 17 00:00:00 2001 From: Andrew S Date: Fri, 26 Nov 2021 15:22:59 +0600 Subject: [PATCH 1/3] feat: Moved bottlerocket to managed node groups #227 --- terraform/layer1-aws/aws-eks.tf | 57 ++++++++++++++----------------- terraform/layer1-aws/variables.tf | 34 +++++++++--------- 2 files changed, 42 insertions(+), 49 deletions(-)
diff --git a/terraform/layer1-aws/aws-eks.tf b/terraform/layer1-aws/aws-eks.tf
index 4197da01..cdd65c71 100644
--- a/terraform/layer1-aws/aws-eks.tf
+++ b/terraform/layer1-aws/aws-eks.tf
@@ -125,41 +125,34 @@ module "eks" { value = "ci" effect = "NO_SCHEDULE" }] - } - } + }, + bottlerocket = { + desired_capacity = var.node_group_br.desired_capacity + max_capacity = var.node_group_br.max_capacity + min_capacity = var.node_group_br.min_capacity + instance_types = var.node_group_br.instance_types + capacity_type = var.node_group_br.capacity_type + subnets = module.vpc.private_subnets - worker_groups_launch_template = [ - { - name = "bottlerocket-spot" - ami_id = data.aws_ami.bottlerocket_ami.id - override_instance_types = var.worker_group_bottlerocket.instance_types - spot_instance_pools = var.worker_group_bottlerocket.spot_instance_pools - asg_max_size = var.worker_group_bottlerocket.max_capacity - asg_min_size = var.worker_group_bottlerocket.min_capacity - asg_desired_capacity = var.worker_group_bottlerocket.desired_capacity - subnets = module.vpc.private_subnets - public_ip = false - userdata_template_file = "${path.module}/templates/userdata-bottlerocket.tpl" - userdata_template_extra_args = { - enable_admin_container = false - enable_control_container = true + ami_type = "BOTTLEROCKET_x86_64" + + force_update_version = var.node_group_br.force_update_version + + k8s_labels = { + Environment = local.env + nodegroup = "bottlerocket" } - additional_userdata = < Date: Fri, 26 Nov 2021 15:26:15 +0600 Subject: [PATCH 2/3] feat: Updated README.md #227 --- terraform/layer1-aws/README.md | 182 ++++++++++++++++----------------- 1 file changed, 90 insertions(+), 92 deletions(-) diff --git a/terraform/layer1-aws/README.md b/terraform/layer1-aws/README.md index 691b468f..36d93dec 100644 --- a/terraform/layer1-aws/README.md +++ b/terraform/layer1-aws/README.md 
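Review bot: The new `bottlerocket` managed node group carries no launch template or user data, so the Bottlerocket settings the removed `templates/userdata-bottlerocket.tpl` injected — `[settings.kernel] lockdown = "integrity"` and the explicit `enable_admin_container = false` — are no longer applied to the nodes; unless the eks module renders equivalent TOML user data for `ami_type = "BOTTLEROCKET_x86_64"` (I cannot confirm that from here), the kernel-lockdown hardening is silently lost by this patch series. The admin and control container defaults already match the removed values according to the template's own comments, so the lockdown setting is the concrete regression. If the module accepts a custom launch template for node groups, the same `[settings.kernel]` block should be passed as user data; otherwise a comment next to `ami_type` should record the decision, e.g. `# NOTE: kernel lockdown from the old bottlerocket userdata is not applied to this managed node group`. The hunk is truncated in this view after `additional_userdata`, so the remaining node-group keys and the variables.tf hunk could not be checked.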
@@ -1,109 +1,107 @@ - ## Requirements -| Name | Version | -| ---------------------------------------------------------------------------- | ------- | -| [terraform](#requirement\_terraform) | 1.0.10 | -| [aws](#requirement\_aws) | 3.64.2 | -| [kubernetes](#requirement\_kubernetes) | 2.6.1 | +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | 1.0.10 | +| [aws](#requirement\_aws) | 3.64.2 | +| [kubernetes](#requirement\_kubernetes) | 2.6.1 | ## Providers -| Name | Version | -| ------------------------------------------------- | ------- | -| [aws](#provider\_aws) | 3.64.2 | +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | 3.64.2 | ## Modules -| Name | Source | Version | -| ------------------------------------------------------------------------------------------------------- | ---------------------------------------------------- | ------- | -| [acm](#module\_acm) | terraform-aws-modules/acm/aws | 3.2.0 | -| [eks](#module\_eks) | terraform-aws-modules/eks/aws | 17.23.0 | -| [pritunl](#module\_pritunl) | ../modules/aws-ec2-pritunl | n/a | -| [r53\_zone](#module\_r53\_zone) | terraform-aws-modules/route53/aws//modules/zones | 2.3.0 | -| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | 3.11.0 | -| [vpc\_gateway\_endpoints](#module\_vpc\_gateway\_endpoints) | terraform-aws-modules/vpc/aws//modules/vpc-endpoints | 3.11.0 | +| Name | Source | Version | +|------|--------|---------| +| [acm](#module\_acm) | terraform-aws-modules/acm/aws | 3.2.0 | +| [eks](#module\_eks) | terraform-aws-modules/eks/aws | 17.23.0 | +| [pritunl](#module\_pritunl) | ../modules/aws-ec2-pritunl | n/a | +| [r53\_zone](#module\_r53\_zone) | terraform-aws-modules/route53/aws//modules/zones | 2.3.0 | +| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | 3.11.0 | +| [vpc\_gateway\_endpoints](#module\_vpc\_gateway\_endpoints) | terraform-aws-modules/vpc/aws//modules/vpc-endpoints | 3.11.0 | ## Resources -| Name | Type | -| 
--------------------------------------------------------------------------------------------------------------------------------- | ----------- | -| [aws_ebs_encryption_by_default.this](https://registry.terraform.io/providers/aws/3.64.2/docs/resources/ebs_encryption_by_default) | resource | -| [aws_eks_addon.coredns](https://registry.terraform.io/providers/aws/3.64.2/docs/resources/eks_addon) | resource | -| [aws_eks_addon.kube_proxy](https://registry.terraform.io/providers/aws/3.64.2/docs/resources/eks_addon) | resource | -| [aws_eks_addon.vpc_cni](https://registry.terraform.io/providers/aws/3.64.2/docs/resources/eks_addon) | resource | -| [aws_kms_key.eks](https://registry.terraform.io/providers/aws/3.64.2/docs/resources/kms_key) | resource | -| [aws_acm_certificate.main](https://registry.terraform.io/providers/aws/3.64.2/docs/data-sources/acm_certificate) | data source | -| [aws_ami.bottlerocket_ami](https://registry.terraform.io/providers/aws/3.64.2/docs/data-sources/ami) | data source | -| [aws_availability_zones.available](https://registry.terraform.io/providers/aws/3.64.2/docs/data-sources/availability_zones) | data source | -| [aws_caller_identity.current](https://registry.terraform.io/providers/aws/3.64.2/docs/data-sources/caller_identity) | data source | -| [aws_eks_cluster.main](https://registry.terraform.io/providers/aws/3.64.2/docs/data-sources/eks_cluster) | data source | -| [aws_eks_cluster_auth.main](https://registry.terraform.io/providers/aws/3.64.2/docs/data-sources/eks_cluster_auth) | data source | -| [aws_route53_zone.main](https://registry.terraform.io/providers/aws/3.64.2/docs/data-sources/route53_zone) | data source | -| [aws_security_group.default](https://registry.terraform.io/providers/aws/3.64.2/docs/data-sources/security_group) | data source | +| Name | Type | +|------|------| +| [aws_ebs_encryption_by_default.this](https://registry.terraform.io/providers/aws/3.64.2/docs/resources/ebs_encryption_by_default) | resource | +| 
[aws_eks_addon.coredns](https://registry.terraform.io/providers/aws/3.64.2/docs/resources/eks_addon) | resource | +| [aws_eks_addon.kube_proxy](https://registry.terraform.io/providers/aws/3.64.2/docs/resources/eks_addon) | resource | +| [aws_eks_addon.vpc_cni](https://registry.terraform.io/providers/aws/3.64.2/docs/resources/eks_addon) | resource | +| [aws_kms_key.eks](https://registry.terraform.io/providers/aws/3.64.2/docs/resources/kms_key) | resource | +| [aws_acm_certificate.main](https://registry.terraform.io/providers/aws/3.64.2/docs/data-sources/acm_certificate) | data source | +| [aws_ami.bottlerocket_ami](https://registry.terraform.io/providers/aws/3.64.2/docs/data-sources/ami) | data source | +| [aws_availability_zones.available](https://registry.terraform.io/providers/aws/3.64.2/docs/data-sources/availability_zones) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/aws/3.64.2/docs/data-sources/caller_identity) | data source | +| [aws_eks_cluster.main](https://registry.terraform.io/providers/aws/3.64.2/docs/data-sources/eks_cluster) | data source | +| [aws_eks_cluster_auth.main](https://registry.terraform.io/providers/aws/3.64.2/docs/data-sources/eks_cluster_auth) | data source | +| [aws_route53_zone.main](https://registry.terraform.io/providers/aws/3.64.2/docs/data-sources/route53_zone) | data source | +| [aws_security_group.default](https://registry.terraform.io/providers/aws/3.64.2/docs/data-sources/security_group) | data source | ## Inputs -| Name | Description | Type | Default | Required | -| ------------------------------------------------------------------------------------------------------------------------------------------------------ | 
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | -| [addon\_coredns\_version](#input\_addon\_coredns\_version) | The version of coredns add-on | `string` | `"v1.8.3-eksbuild.1"` | no | -| [addon\_create\_coredns](#input\_addon\_create\_coredns) | Enable coredns add-on or not | `bool` | `true` | no | -| [addon\_create\_kube\_proxy](#input\_addon\_create\_kube\_proxy) | Enable kube-proxy add-on or not | `bool` | `true` | no | -| [addon\_create\_vpc\_cni](#input\_addon\_create\_vpc\_cni) | Enable vpc-cni add-on or not | `bool` | `true` | no | -| [addon\_kube\_proxy\_version](#input\_addon\_kube\_proxy\_version) | The version of kube-proxy add-on | `string` | `"v1.20.4-eksbuild.2"` | no | -| [addon\_vpc\_cni\_version](#input\_addon\_vpc\_cni\_version) | The version of vpc-cni add-on | `string` | `"v1.9.1-eksbuild.1"` | no | -| [allowed\_account\_ids](#input\_allowed\_account\_ids) 
| List of allowed AWS account IDs | `list` | `[]` | no | -| [allowed\_ips](#input\_allowed\_ips) | IP addresses allowed to connect to private resources | `list(any)` | `[]` | no | -| [az\_count](#input\_az\_count) | Count of avaiablity zones, min 2 | `number` | `3` | no | -| [cidr](#input\_cidr) | Default CIDR block for VPC | `string` | `"10.0.0.0/16"` | no | -| [create\_acm\_certificate](#input\_create\_acm\_certificate) | Whether to create acm certificate or use existing | `bool` | `false` | no | -| [create\_r53\_zone](#input\_create\_r53\_zone) | Create R53 zone for main public domain | `bool` | `false` | no | -| [domain\_name](#input\_domain\_name) | Main public domain name | `any` | n/a | yes | -| [eks\_cluster\_enabled\_log\_types](#input\_eks\_cluster\_enabled\_log\_types) | A list of the desired control plane logging to enable. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html). Possible values: api, audit, authenticator, controllerManager, scheduler | `list(string)` |
[
"audit"
]
| no | -| [eks\_cluster\_encryption\_config\_enable](#input\_eks\_cluster\_encryption\_config\_enable) | Enable or not encryption for k8s secrets with aws-kms | `bool` | `false` | no | -| [eks\_cluster\_log\_retention\_in\_days](#input\_eks\_cluster\_log\_retention\_in\_days) | Number of days to retain log events. Default retention - 90 days. | `number` | `90` | no | -| [eks\_cluster\_version](#input\_eks\_cluster\_version) | Version of the EKS K8S cluster | `string` | `"1.21"` | no | -| [eks\_map\_roles](#input\_eks\_map\_roles) | Additional IAM roles to add to the aws-auth configmap. |
list(object({
rolearn = string
username = string
groups = list(string)
}))
| `[]` | no | -| [eks\_workers\_additional\_policies](#input\_eks\_workers\_additional\_policies) | Additional IAM policy attached to EKS worker nodes | `list(any)` |
[
"arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
]
| no | -| [eks\_write\_kubeconfig](#input\_eks\_write\_kubeconfig) | Flag for eks module to write kubeconfig | `bool` | `false` | no | -| [environment](#input\_environment) | Env name in case workspace wasn't used | `string` | `"demo"` | no | -| [name](#input\_name) | Project name, required to create unique resource names | `any` | n/a | yes | -| [node\_group\_ci](#input\_node\_group\_ci) | Node group configuration |
object({
instance_types = list(string)
capacity_type = string
max_capacity = number
min_capacity = number
desired_capacity = number
force_update_version = bool
})
|
{
"capacity_type": "SPOT",
"desired_capacity": 0,
"force_update_version": true,
"instance_types": [
"t3a.medium",
"t3.medium"
],
"max_capacity": 5,
"min_capacity": 0
}
| no | -| [node\_group\_ondemand](#input\_node\_group\_ondemand) | Node group configuration |
object({
instance_types = list(string)
capacity_type = string
max_capacity = number
min_capacity = number
desired_capacity = number
force_update_version = bool
})
|
{
"capacity_type": "ON_DEMAND",
"desired_capacity": 1,
"force_update_version": true,
"instance_types": [
"t3a.medium"
],
"max_capacity": 5,
"min_capacity": 1
}
| no | -| [node\_group\_spot](#input\_node\_group\_spot) | Node group configuration |
object({
instance_types = list(string)
capacity_type = string
max_capacity = number
min_capacity = number
desired_capacity = number
force_update_version = bool
})
|
{
"capacity_type": "SPOT",
"desired_capacity": 1,
"force_update_version": true,
"instance_types": [
"t3a.medium",
"t3.medium"
],
"max_capacity": 5,
"min_capacity": 0
}
| no | -| [pritunl\_vpn\_server\_enable](#input\_pritunl\_vpn\_server\_enable) | Indicates whether or not the Pritunl VPN server is deployed. | `bool` | `false` | no | -| [region](#input\_region) | Default infrastructure region | `string` | `"us-east-1"` | no | -| [short\_region](#input\_short\_region) | The abbreviated name of the region, required to form unique resource names | `map` |
{
"ap-east-1": "ape1",
"ap-northeast-1": "apn1",
"ap-northeast-2": "apn2",
"ap-south-1": "aps1",
"ap-southeast-1": "apse1",
"ap-southeast-2": "apse2",
"ca-central-1": "cac1",
"cn-north-1": "cnn1",
"cn-northwest-1": "cnnw1",
"eu-central-1": "euc1",
"eu-north-1": "eun1",
"eu-west-1": "euw1",
"eu-west-2": "euw2",
"eu-west-3": "euw3",
"sa-east-1": "sae1",
"us-east-1": "use1",
"us-east-2": "use2",
"us-gov-east-1": "usge1",
"us-gov-west-1": "usgw1",
"us-west-1": "usw1",
"us-west-2": "usw2"
}
| no | -| [single\_nat\_gateway](#input\_single\_nat\_gateway) | Flag to create single nat gateway for all AZs | `bool` | `true` | no | -| [worker\_group\_bottlerocket](#input\_worker\_group\_bottlerocket) | Bottlerocket worker group configuration |
object({
instance_types = list(string)
capacity_type = string
max_capacity = number
min_capacity = number
desired_capacity = number
spot_instance_pools = number
})
|
{
"capacity_type": "SPOT",
"desired_capacity": 0,
"instance_types": [
"t3a.medium",
"t3.medium"
],
"max_capacity": 5,
"min_capacity": 0,
"spot_instance_pools": 2
}
| no | -| [zone\_id](#input\_zone\_id) | R53 zone id for public domain | `any` | `null` | no | +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [addon\_coredns\_version](#input\_addon\_coredns\_version) | The version of coredns add-on | `string` | `"v1.8.3-eksbuild.1"` | no | +| [addon\_create\_coredns](#input\_addon\_create\_coredns) | Enable coredns add-on or not | `bool` | `true` | no | +| [addon\_create\_kube\_proxy](#input\_addon\_create\_kube\_proxy) | Enable kube-proxy add-on or not | `bool` | `true` | no | +| [addon\_create\_vpc\_cni](#input\_addon\_create\_vpc\_cni) | Enable vpc-cni add-on or not | `bool` | `true` | no | +| [addon\_kube\_proxy\_version](#input\_addon\_kube\_proxy\_version) | The version of kube-proxy add-on | `string` | `"v1.20.4-eksbuild.2"` | no | +| [addon\_vpc\_cni\_version](#input\_addon\_vpc\_cni\_version) | The version of vpc-cni add-on | `string` | `"v1.9.1-eksbuild.1"` | no | +| [allowed\_account\_ids](#input\_allowed\_account\_ids) | List of allowed AWS account IDs | `list` | `[]` | no | +| [allowed\_ips](#input\_allowed\_ips) | IP addresses allowed to connect to private resources | `list(any)` | `[]` | no | +| [az\_count](#input\_az\_count) | Count of avaiablity zones, min 2 | `number` | `3` | no | +| [cidr](#input\_cidr) | Default CIDR block for VPC | `string` | `"10.0.0.0/16"` | no | +| [create\_acm\_certificate](#input\_create\_acm\_certificate) | Whether to create acm certificate or use existing | `bool` | `false` | no | +| [create\_r53\_zone](#input\_create\_r53\_zone) | Create R53 zone for main public domain | `bool` | `false` | no | +| [domain\_name](#input\_domain\_name) | Main public domain name | `any` | n/a | yes | +| [eks\_cluster\_enabled\_log\_types](#input\_eks\_cluster\_enabled\_log\_types) | A list of the desired control plane logging to enable. 
For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html). Possible values: api, audit, authenticator, controllerManager, scheduler | `list(string)` |
[
"audit"
]
| no | +| [eks\_cluster\_encryption\_config\_enable](#input\_eks\_cluster\_encryption\_config\_enable) | Enable or not encryption for k8s secrets with aws-kms | `bool` | `false` | no | +| [eks\_cluster\_log\_retention\_in\_days](#input\_eks\_cluster\_log\_retention\_in\_days) | Number of days to retain log events. Default retention - 90 days. | `number` | `90` | no | +| [eks\_cluster\_version](#input\_eks\_cluster\_version) | Version of the EKS K8S cluster | `string` | `"1.21"` | no | +| [eks\_map\_roles](#input\_eks\_map\_roles) | Additional IAM roles to add to the aws-auth configmap. |
list(object({
rolearn = string
username = string
groups = list(string)
}))
| `[]` | no | +| [eks\_workers\_additional\_policies](#input\_eks\_workers\_additional\_policies) | Additional IAM policy attached to EKS worker nodes | `list(any)` |
[
"arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
]
| no | +| [eks\_write\_kubeconfig](#input\_eks\_write\_kubeconfig) | Flag for eks module to write kubeconfig | `bool` | `false` | no | +| [environment](#input\_environment) | Env name in case workspace wasn't used | `string` | `"demo"` | no | +| [name](#input\_name) | Project name, required to create unique resource names | `any` | n/a | yes | +| [node\_group\_br](#input\_node\_group\_br) | Bottlerocket node group configuration |
object({
instance_types = list(string)
capacity_type = string
max_capacity = number
min_capacity = number
desired_capacity = number
force_update_version = bool
})
|
{
"capacity_type": "SPOT",
"desired_capacity": 0,
"force_update_version": true,
"instance_types": [
"t3a.medium",
"t3.medium"
],
"max_capacity": 5,
"min_capacity": 0
}
| no | +| [node\_group\_ci](#input\_node\_group\_ci) | CI node group configuration |
object({
instance_types = list(string)
capacity_type = string
max_capacity = number
min_capacity = number
desired_capacity = number
force_update_version = bool
})
|
{
"capacity_type": "SPOT",
"desired_capacity": 0,
"force_update_version": true,
"instance_types": [
"t3a.medium",
"t3.medium"
],
"max_capacity": 5,
"min_capacity": 0
}
| no | +| [node\_group\_ondemand](#input\_node\_group\_ondemand) | Default ondemand node group configuration |
object({
instance_types = list(string)
capacity_type = string
max_capacity = number
min_capacity = number
desired_capacity = number
force_update_version = bool
})
|
{
"capacity_type": "ON_DEMAND",
"desired_capacity": 1,
"force_update_version": true,
"instance_types": [
"t3a.medium"
],
"max_capacity": 5,
"min_capacity": 1
}
| no | +| [node\_group\_spot](#input\_node\_group\_spot) | Spot node group configuration |
object({
instance_types = list(string)
capacity_type = string
max_capacity = number
min_capacity = number
desired_capacity = number
force_update_version = bool
})
|
{
"capacity_type": "SPOT",
"desired_capacity": 1,
"force_update_version": true,
"instance_types": [
"t3a.medium",
"t3.medium"
],
"max_capacity": 5,
"min_capacity": 0
}
| no | +| [pritunl\_vpn\_server\_enable](#input\_pritunl\_vpn\_server\_enable) | Indicates whether or not the Pritunl VPN server is deployed. | `bool` | `false` | no | +| [region](#input\_region) | Default infrastructure region | `string` | `"us-east-1"` | no | +| [short\_region](#input\_short\_region) | The abbreviated name of the region, required to form unique resource names | `map` |
{
"ap-east-1": "ape1",
"ap-northeast-1": "apn1",
"ap-northeast-2": "apn2",
"ap-south-1": "aps1",
"ap-southeast-1": "apse1",
"ap-southeast-2": "apse2",
"ca-central-1": "cac1",
"cn-north-1": "cnn1",
"cn-northwest-1": "cnnw1",
"eu-central-1": "euc1",
"eu-north-1": "eun1",
"eu-west-1": "euw1",
"eu-west-2": "euw2",
"eu-west-3": "euw3",
"sa-east-1": "sae1",
"us-east-1": "use1",
"us-east-2": "use2",
"us-gov-east-1": "usge1",
"us-gov-west-1": "usgw1",
"us-west-1": "usw1",
"us-west-2": "usw2"
}
| no | +| [single\_nat\_gateway](#input\_single\_nat\_gateway) | Flag to create single nat gateway for all AZs | `bool` | `true` | no | +| [zone\_id](#input\_zone\_id) | R53 zone id for public domain | `any` | `null` | no | ## Outputs -| Name | Description | -| ----------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------- | -| [allowed\_ips](#output\_allowed\_ips) | List of allowed ip's, used for direct ssh access to instances. | -| [az\_count](#output\_az\_count) | Count of avaiablity zones, min 2 | -| [domain\_name](#output\_domain\_name) | Domain name | -| [eks\_cluster\_endpoint](#output\_eks\_cluster\_endpoint) | Endpoint for EKS control plane. | -| [eks\_cluster\_id](#output\_eks\_cluster\_id) | n/a | -| [eks\_cluster\_security\_group\_id](#output\_eks\_cluster\_security\_group\_id) | Security group ids attached to the cluster control plane. | -| [eks\_config\_map\_aws\_auth](#output\_eks\_config\_map\_aws\_auth) | A kubernetes configuration to authenticate to this EKS cluster. | -| [eks\_kubectl\_config](#output\_eks\_kubectl\_config) | kubectl config as generated by the module. 
| -| [eks\_kubectl\_console\_config](#output\_eks\_kubectl\_console\_config) | description | -| [eks\_oidc\_provider\_arn](#output\_eks\_oidc\_provider\_arn) | ARN of EKS oidc provider | -| [env](#output\_env) | Suffix for the hostname depending on workspace | -| [name](#output\_name) | Project name, required to form unique resource names | -| [name\_wo\_region](#output\_name\_wo\_region) | Project name, required to form unique resource names without short region | -| [region](#output\_region) | Target region for all infrastructure resources | -| [route53\_zone\_id](#output\_route53\_zone\_id) | ID of domain zone | -| [short\_region](#output\_short\_region) | The abbreviated name of the region, required to form unique resource names | -| [ssl\_certificate\_arn](#output\_ssl\_certificate\_arn) | ARN of SSL certificate | -| [vpc\_cidr](#output\_vpc\_cidr) | CIDR block of infra VPC | -| [vpc\_database\_subnets](#output\_vpc\_database\_subnets) | Database subnets of infra VPC | -| [vpc\_id](#output\_vpc\_id) | ID of infra VPC | -| [vpc\_intra\_subnets](#output\_vpc\_intra\_subnets) | Private intra subnets | -| [vpc\_name](#output\_vpc\_name) | Name of infra VPC | -| [vpc\_private\_subnets](#output\_vpc\_private\_subnets) | Private subnets of infra VPC | -| [vpc\_public\_subnets](#output\_vpc\_public\_subnets) | Public subnets of infra VPC | - \ No newline at end of file +| Name | Description | +|------|-------------| +| [allowed\_ips](#output\_allowed\_ips) | List of allowed ip's, used for direct ssh access to instances. | +| [az\_count](#output\_az\_count) | Count of avaiablity zones, min 2 | +| [domain\_name](#output\_domain\_name) | Domain name | +| [eks\_cluster\_endpoint](#output\_eks\_cluster\_endpoint) | Endpoint for EKS control plane. | +| [eks\_cluster\_id](#output\_eks\_cluster\_id) | n/a | +| [eks\_cluster\_security\_group\_id](#output\_eks\_cluster\_security\_group\_id) | Security group ids attached to the cluster control plane. 
| +| [eks\_config\_map\_aws\_auth](#output\_eks\_config\_map\_aws\_auth) | A kubernetes configuration to authenticate to this EKS cluster. | +| [eks\_kubectl\_config](#output\_eks\_kubectl\_config) | kubectl config as generated by the module. | +| [eks\_kubectl\_console\_config](#output\_eks\_kubectl\_console\_config) | description | +| [eks\_oidc\_provider\_arn](#output\_eks\_oidc\_provider\_arn) | ARN of EKS oidc provider | +| [env](#output\_env) | Suffix for the hostname depending on workspace | +| [name](#output\_name) | Project name, required to form unique resource names | +| [name\_wo\_region](#output\_name\_wo\_region) | Project name, required to form unique resource names without short region | +| [region](#output\_region) | Target region for all infrastructure resources | +| [route53\_zone\_id](#output\_route53\_zone\_id) | ID of domain zone | +| [short\_region](#output\_short\_region) | The abbreviated name of the region, required to form unique resource names | +| [ssl\_certificate\_arn](#output\_ssl\_certificate\_arn) | ARN of SSL certificate | +| [vpc\_cidr](#output\_vpc\_cidr) | CIDR block of infra VPC | +| [vpc\_database\_subnets](#output\_vpc\_database\_subnets) | Database subnets of infra VPC | +| [vpc\_id](#output\_vpc\_id) | ID of infra VPC | +| [vpc\_intra\_subnets](#output\_vpc\_intra\_subnets) | Private intra subnets | +| [vpc\_name](#output\_vpc\_name) | Name of infra VPC | +| [vpc\_private\_subnets](#output\_vpc\_private\_subnets) | Private subnets of infra VPC | +| [vpc\_public\_subnets](#output\_vpc\_public\_subnets) | Public subnets of infra VPC | From 930e714c78190d05b5e6ee0e4f3350500e1bac0d Mon Sep 17 00:00:00 2001 
From: Andrew S Date: Fri, 26 Nov 2021 16:49:36 +0600 Subject: [PATCH 3/3] feat: Removed old bottlerocket configs #227 --- terraform/layer1-aws/aws-eks-bottlerocket.tf | 8 ------ .../templates/userdata-bottlerocket.tpl | 26 ------------------- 2 files changed, 34 deletions(-) delete mode 100644 terraform/layer1-aws/aws-eks-bottlerocket.tf delete mode 100644 terraform/layer1-aws/templates/userdata-bottlerocket.tpl
diff --git a/terraform/layer1-aws/aws-eks-bottlerocket.tf b/terraform/layer1-aws/aws-eks-bottlerocket.tf
deleted file mode 100644
index 910716b5..00000000
--- a/terraform/layer1-aws/aws-eks-bottlerocket.tf
+++ /dev/null
@@ -1,8 +0,0 @@
-data "aws_ami" "bottlerocket_ami" {
- most_recent = true
- owners = ["amazon"]
- filter {
- name = "name"
- values = ["bottlerocket-aws-k8s-${var.eks_cluster_version}-x86_64-*"]
- }
-}
diff --git a/terraform/layer1-aws/templates/userdata-bottlerocket.tpl b/terraform/layer1-aws/templates/userdata-bottlerocket.tpl
deleted file mode 100644
index 9a78dedf..00000000
--- a/terraform/layer1-aws/templates/userdata-bottlerocket.tpl
+++ /dev/null
@@ -1,26 +0,0 @@
-# https://github.com/bottlerocket-os/bottlerocket/blob/develop/README.md#description-of-settings
-${pre_userdata}
-[settings.kubernetes]
-api-server = "${endpoint}"
-cluster-certificate = "${cluster_auth_base64}"
-cluster-name = "${cluster_name}"
-
-${additional_userdata}
-
-# Hardening based on https://github.com/bottlerocket-os/bottlerocket/blob/develop/SECURITY_GUIDANCE.md
-
-# Enable kernel lockdown in "integrity" mode.
-# This prevents modifications to the running kernel, even by privileged users.
-[settings.kernel]
-lockdown = "integrity"
-
-# The admin host container provides SSH access and runs with "superpowers".
-# It is disabled by default, but can be disabled explicitly.
-[settings.host-containers.admin]
-enabled = ${enable_admin_container}
-
-# The control host container provides out-of-band access via SSM.
-# It is enabled by default, and can be disabled if you do not expect to use SSM.
-# This could leave you with no way to access the API and change settings on an existing node!
-[settings.host-containers.control]
-enabled = ${enable_control_container}