From 98c0d93b21c7a687c37abf42599e9d9acfc5a873 Mon Sep 17 00:00:00 2001
From: maxim
Date: Thu, 7 Apr 2022 10:49:24 +0600
Subject: [PATCH] enh: update terraform eks module

---
 terraform/layer1-aws/.terraform.lock.hcl | 65 +++++--
 terraform/layer1-aws/README.md | 97 +++++-----
 terraform/layer1-aws/aws-eks-auth.tf | 21 ++
 terraform/layer1-aws/aws-eks.tf | 219 ++++++++++-----------
 terraform/layer1-aws/main.tf | 6 +-
 terraform/layer1-aws/outputs.tf | 14 --
 terraform/layer1-aws/providers.tf | 6 +
 terraform/layer1-aws/variables.tf | 46 ++---
 terraform/layer2-k8s/.terraform.lock.hcl | 110 +++++------
 terraform/layer2-k8s/README.md | 232 +++++++++++------------
 terraform/layer2-k8s/main.tf | 2 +-
 11 files changed, 416 insertions(+), 402 deletions(-)
 create mode 100644 terraform/layer1-aws/aws-eks-auth.tf

diff --git a/terraform/layer1-aws/.terraform.lock.hcl b/terraform/layer1-aws/.terraform.lock.hcl
index 5b41db55..da77e7a0 100644
--- a/terraform/layer1-aws/.terraform.lock.hcl
+++ b/terraform/layer1-aws/.terraform.lock.hcl
@@ -1,22 +1,39 @@ # This file is maintained automatically by "terraform init". # Manual edits may be lost in future updates. +provider "registry.terraform.io/gavinbunney/kubectl" { + version = "1.13.1" + constraints = "1.13.1" + hashes = [ + "h1:6RC15zES07oX9Ue20RrGlssfVeIqyhcHUvn2dHAMu1E=", + "zh:212c030cb975e46e3a85a6850c16773974f4498042a45c73b883b25f6e05962d", + "zh:213d1be8a231b04fdc55fd027479dbf0ae5b7ab891804b64f464db771d091ecd", + "zh:45f37b5c43f85d79973d0b890f774531a65def7f8436e435a4e259198f1c62de", + "zh:5a362871827f8582d6129b9c8b7d73c5e4e181155cef4cba1fe0408880db52db", + "zh:78986fdb4c41ac35815e4d41832d24b41b0aac046c046f21db92205115d16bae", + "zh:a6d07a9f066c386f44d61e7e2e83133663e3049f5c6b153fa5601b85cbb788b1", + "zh:bb307e902d2401df42205d57e36a2e094765b87b12f99a24ec2af411bef3c0fa", + "zh:dc3281f9fab38b8daf76d5f0073d2e323574f03d4cef338d6a363380f7f7bb59", + "zh:eb30e7fef17e7630858070d23a59375ba3a87fceaffde1c722338b1ad88df568", + ] +} + provider "registry.terraform.io/hashicorp/aws" { - version = "3.64.2" - constraints = ">= 2.49.0, >= 2.53.0, >= 3.15.0, >= 3.40.0, >= 3.43.0, 3.64.2" + version = "3.72.0" + constraints = ">= 2.23.0, >= 2.42.0, >= 2.49.0, >= 2.53.0, >= 3.28.0, >= 3.63.0, >= 3.72.0, 3.72.0" hashes = [ - "h1:eXusrZ56Ye4gprLzI3dXBy50DV+sbY5gOoJ7cNuouzA=", - "zh:0b029a2282beabfe410eb2969e18ca773d3473415e442be4dc8ce0eb6d1cd8c5", - "zh:3209de3266a1138f1ccb09f094fdd98b6f55afc06e291db0abe092ec5dbe7640", - "zh:40648266551631cbc15f8a76e80faf300510e3b38c2544d43fc25e37e6802727", - "zh:483c8af92ae70146f2790a70c1a810251e7135aa912b66e769c934eddceebe32", - "zh:4d106d8d415d8df342f3f85e58c35418e6c55e3cb7f02897f832cefac4dca68c", - "zh:972626a6ddb31d5216606d12ab5c30fbf8d51ed2bbe0efcdd7cffa68c1141557", - "zh:a230d55ec52b1695148d40296877ee23e0b302e817154f9b838eb117c87b13fa", - "zh:c95fddfbd7f870db949da0601323e866e0f0fb0d4a93e96725ae5b88029e84d5", - "zh:ea0c7f568074f835f22273c8e7e61e87f5277e32004c72122915fd3c8df49ccc", - 
"zh:f96d25887e6e2d2ae47659e2c586efea2167995b59a479ae65a02b097da86474", - "zh:fe7502d8e52d3b5ccb2b3c178e7ea894344783093aa71ffb20e978914c976182", + "h1:6pleQtx6+jQE/Kekcr8Ou05yYrdvVSngnwHE0PkBELg=", + "zh:0c4615ff3c6bc9700d8f16a5a644ddfcb666eaddbf2f77d71616008a28e4db75", + "zh:29eb139a8fbb98391652fa1eb4668ad5a13a31d45a6c06fe2b1d66903c4e6509", + "zh:3e73a9cf67d30c400456011cc8ed036bce68df8fd8131d591a929186e43ab80b", + "zh:46090da59293464e1865190b2e67ae63103c9d87a16a5fcb982ce748369666d6", + "zh:4fb25d9b139cb1856e519bff4fd49695285fa63a1d57e1c0efc1791bb36532a8", + "zh:5acd99d2b22cd45f18c93905a6e5122712c48f432db3c3c3518af449c10ae7e6", + "zh:95e53770503127e6de9f71d02e0bafdf0c7e7490f93401e05b6015bc7fa94b29", + "zh:b31524932e804de5ef5613d3646892eb55656f062bcbb9d7c29cf6539f82397e", + "zh:d977b9f8657c3026340295015930ef58caba5c2f59fd2e63e230c0b9ddba1ee7", + "zh:fcb0202ad1b8de19f1cd58d0b60147cae5dd4f869a861f619e8e5d27f8a936a9", + "zh:fe85cf3c44834230c2aaa2d0c622ddde1e33398bbe9f7213011eba68130b1588", ] } 
@@ -137,6 +154,26 @@ provider "registry.terraform.io/hashicorp/template" { ] } +provider "registry.terraform.io/hashicorp/tls" { + version = "3.2.1" + constraints = ">= 2.2.0" + hashes = [ + "h1:p0vyCZjZqr6qf+CfUVvPSYghrn0/oMDJS4kp3pV26YY=", + "zh:0209adc722f1f2e319018bd2d38a3ef389fa7eaabf40ab3f82e791428712dc64", + "zh:2dbf76857b022ec44eaddb386d976a08b4a053bcc8e815fd601505f33b29b92e", + "zh:301f98065a3b45b1c6d671955d5f92d246e577be0a98e7f7e0553b11b1cd8b92", + "zh:4ee8effc669f9856d137249244b67fdcdc35262ebeab3dad262f42d6ddd39c5c", + "zh:66cdbf20523972e1e5e682b8776b78ad3ab296ad04784da8fe945d183766ac22", + "zh:71798604d4ff22f3c79ec9a8ab61802e969f57456e26ba30bef7d276b88815f7", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:9289d10fc5241bfd7a2e5de6ca229840eaa06066a129f483133e0a4517a91600", + "zh:a075e6bd64a452242e712c59d890cc0d5972158c9d71edbe1ac32d10ad051670", + "zh:deb5665f08b271bebe7d18c76cdcdf514ab49f1a85d96e73435728493ae54579", + "zh:e0b0a3c3427ee315582b4d17a6b9d2c09f07f2b86fb09821a7d713b68d4e1200", + "zh:f7519d1c7b1f108c0728036832a58dc06531203e878104f158ebb625b3c9438c", + ] +} + provider "registry.terraform.io/terraform-aws-modules/http" { version = "2.4.1" constraints = ">= 2.4.1" diff --git a/terraform/layer1-aws/README.md b/terraform/layer1-aws/README.md index db507b93..fc1d4510 100644 --- a/terraform/layer1-aws/README.md +++ b/terraform/layer1-aws/README.md 
@@ -112,21 +112,23 @@ | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | 1.0.10 | -| [aws](#requirement\_aws) | 3.64.2 | +| [aws](#requirement\_aws) | 3.72.0 | +| [kubectl](#requirement\_kubectl) | 1.13.1 | | [kubernetes](#requirement\_kubernetes) | 2.6.1 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 3.64.2 | +| [aws](#provider\_aws) | 3.72.0 | +| [kubectl](#provider\_kubectl) | 1.13.1 | ## Modules | Name | Source | Version | |------|--------|---------| | [acm](#module\_acm) | terraform-aws-modules/acm/aws | 3.2.0 | -| [eks](#module\_eks) | terraform-aws-modules/eks/aws | 17.23.0 | +| [eks](#module\_eks) | terraform-aws-modules/eks/aws | 18.9.0 | | [pritunl](#module\_pritunl) | ../modules/aws-ec2-pritunl | n/a | | [r53\_zone](#module\_r53\_zone) | terraform-aws-modules/route53/aws//modules/zones | 2.3.0 | | [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | 3.11.0 | 
@@ -136,58 +138,51 @@ | Name | Type | |------|------| -| [aws_ebs_encryption_by_default.this](https://registry.terraform.io/providers/aws/3.64.2/docs/resources/ebs_encryption_by_default) | resource | -| [aws_eks_addon.coredns](https://registry.terraform.io/providers/aws/3.64.2/docs/resources/eks_addon) | resource | -| [aws_eks_addon.kube_proxy](https://registry.terraform.io/providers/aws/3.64.2/docs/resources/eks_addon) | resource | -| [aws_eks_addon.vpc_cni](https://registry.terraform.io/providers/aws/3.64.2/docs/resources/eks_addon) | resource | -| [aws_kms_key.eks](https://registry.terraform.io/providers/aws/3.64.2/docs/resources/kms_key) | resource | -| [aws_acm_certificate.main](https://registry.terraform.io/providers/aws/3.64.2/docs/data-sources/acm_certificate) | data source | -| [aws_availability_zones.available](https://registry.terraform.io/providers/aws/3.64.2/docs/data-sources/availability_zones) | data source | -| [aws_caller_identity.current](https://registry.terraform.io/providers/aws/3.64.2/docs/data-sources/caller_identity) | data source | -| [aws_eks_cluster.main](https://registry.terraform.io/providers/aws/3.64.2/docs/data-sources/eks_cluster) | data source | -| [aws_eks_cluster_auth.main](https://registry.terraform.io/providers/aws/3.64.2/docs/data-sources/eks_cluster_auth) | data source | -| [aws_route53_zone.main](https://registry.terraform.io/providers/aws/3.64.2/docs/data-sources/route53_zone) | data source | -| [aws_security_group.default](https://registry.terraform.io/providers/aws/3.64.2/docs/data-sources/security_group) | data source | +| [aws_ebs_encryption_by_default.this](https://registry.terraform.io/providers/aws/3.72.0/docs/resources/ebs_encryption_by_default) | resource | +| [aws_kms_key.eks](https://registry.terraform.io/providers/aws/3.72.0/docs/resources/kms_key) | resource | +| [kubectl_manifest.this](https://registry.terraform.io/providers/gavinbunney/kubectl/1.13.1/docs/resources/manifest) | resource | +| 
[aws_acm_certificate.main](https://registry.terraform.io/providers/aws/3.72.0/docs/data-sources/acm_certificate) | data source | +| [aws_availability_zones.available](https://registry.terraform.io/providers/aws/3.72.0/docs/data-sources/availability_zones) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/aws/3.72.0/docs/data-sources/caller_identity) | data source | +| [aws_eks_cluster.main](https://registry.terraform.io/providers/aws/3.72.0/docs/data-sources/eks_cluster) | data source | +| [aws_eks_cluster_auth.main](https://registry.terraform.io/providers/aws/3.72.0/docs/data-sources/eks_cluster_auth) | data source | +| [aws_route53_zone.main](https://registry.terraform.io/providers/aws/3.72.0/docs/data-sources/route53_zone) | data source | +| [aws_security_group.default](https://registry.terraform.io/providers/aws/3.72.0/docs/data-sources/security_group) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [addon\_coredns\_version](#input\_addon\_coredns\_version) | The version of coredns add-on | `string` | `"v1.8.3-eksbuild.1"` | no | -| [addon\_create\_coredns](#input\_addon\_create\_coredns) | Enable coredns add-on or not | `bool` | `true` | no | -| [addon\_create\_kube\_proxy](#input\_addon\_create\_kube\_proxy) | Enable kube-proxy add-on or not | `bool` | `true` | no | -| [addon\_create\_vpc\_cni](#input\_addon\_create\_vpc\_cni) | Enable vpc-cni add-on or not | `bool` | `true` | no | -| [addon\_kube\_proxy\_version](#input\_addon\_kube\_proxy\_version) | The version of kube-proxy add-on | `string` | `"v1.20.4-eksbuild.2"` | no | -| [addon\_vpc\_cni\_version](#input\_addon\_vpc\_cni\_version) | The version of vpc-cni add-on | `string` | `"v1.9.1-eksbuild.1"` | no | -| [allowed\_account\_ids](#input\_allowed\_account\_ids) | List of allowed AWS account IDs | `list` | `[]` | no | -| [allowed\_ips](#input\_allowed\_ips) | IP addresses allowed to 
connect to private resources | `list(any)` | `[]` | no | -| [az\_count](#input\_az\_count) | Count of avaiablity zones, min 2 | `number` | `3` | no | -| [cidr](#input\_cidr) | Default CIDR block for VPC | `string` | `"10.0.0.0/16"` | no | -| [create\_acm\_certificate](#input\_create\_acm\_certificate) | Whether to create acm certificate or use existing | `bool` | `false` | no | -| [create\_r53\_zone](#input\_create\_r53\_zone) | Create R53 zone for main public domain | `bool` | `false` | no | -| [domain\_name](#input\_domain\_name) | Main public domain name | `any` | n/a | yes | -| [eks\_cluster\_enabled\_log\_types](#input\_eks\_cluster\_enabled\_log\_types) | A list of the desired control plane logging to enable. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html). Possible values: api, audit, authenticator, controllerManager, scheduler | `list(string)` |
[
"audit"
]
| no | -| [eks\_cluster\_encryption\_config\_enable](#input\_eks\_cluster\_encryption\_config\_enable) | Enable or not encryption for k8s secrets with aws-kms | `bool` | `false` | no | -| [eks\_cluster\_log\_retention\_in\_days](#input\_eks\_cluster\_log\_retention\_in\_days) | Number of days to retain log events. Default retention - 90 days. | `number` | `90` | no | -| [eks\_cluster\_version](#input\_eks\_cluster\_version) | Version of the EKS K8S cluster | `string` | `"1.21"` | no | -| [eks\_cluster\_endpoint\_public\_access](#input\_eks\_cluster\_endpoint\_public\_access) | Enable or not public access to cluster endpoint | `bool` | `true` | no | -| [eks\_cluster\_endpoint\_private\_access](#input\_eks\_cluster\_endpoint\_private\_access) | Enable or not private access to cluster endpoint | `bool` | `false` | no | -| [eks\_cluster\_endpoint\_only\_pritunl](#input\_eks\_cluster\_endpoint\_only\_pritunl) | Only Pritunl VPN server will have access to eks endpoint | `bool` | `false` | no | -| [eks\_map\_roles](#input\_eks\_map\_roles) | Additional IAM roles to add to the aws-auth configmap. |
list(object({
rolearn = string
username = string
groups = list(string)
}))
| `[]` | no | -| [eks\_workers\_additional\_policies](#input\_eks\_workers\_additional\_policies) | Additional IAM policy attached to EKS worker nodes | `list(any)` |
[
"arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
]
| no | -| [eks\_write\_kubeconfig](#input\_eks\_write\_kubeconfig) | Flag for eks module to write kubeconfig | `bool` | `false` | no | -| [environment](#input\_environment) | Env name in case workspace wasn't used | `string` | `"demo"` | no | -| [name](#input\_name) | Project name, required to create unique resource names | `any` | n/a | yes | -| [node\_group\_br](#input\_node\_group\_br) | Bottlerocket node group configuration |
object({
instance_types = list(string)
capacity_type = string
max_capacity = number
min_capacity = number
desired_capacity = number
force_update_version = bool
})
|
{
"capacity_type": "SPOT",
"desired_capacity": 0,
"force_update_version": true,
"instance_types": [
"t3a.medium",
"t3.medium"
],
"max_capacity": 5,
"min_capacity": 0
}
| no | -| [node\_group\_ci](#input\_node\_group\_ci) | CI node group configuration |
object({
instance_types = list(string)
capacity_type = string
max_capacity = number
min_capacity = number
desired_capacity = number
force_update_version = bool
})
|
{
"capacity_type": "SPOT",
"desired_capacity": 0,
"force_update_version": true,
"instance_types": [
"t3a.medium",
"t3.medium"
],
"max_capacity": 5,
"min_capacity": 0
}
| no | -| [node\_group\_ondemand](#input\_node\_group\_ondemand) | Default ondemand node group configuration |
object({
instance_types = list(string)
capacity_type = string
max_capacity = number
min_capacity = number
desired_capacity = number
force_update_version = bool
})
|
{
"capacity_type": "ON_DEMAND",
"desired_capacity": 1,
"force_update_version": true,
"instance_types": [
"t3a.medium"
],
"max_capacity": 5,
"min_capacity": 1
}
| no | -| [node\_group\_spot](#input\_node\_group\_spot) | Spot node group configuration |
object({
instance_types = list(string)
capacity_type = string
max_capacity = number
min_capacity = number
desired_capacity = number
force_update_version = bool
})
|
{
"capacity_type": "SPOT",
"desired_capacity": 1,
"force_update_version": true,
"instance_types": [
"t3a.medium",
"t3.medium"
],
"max_capacity": 5,
"min_capacity": 0
}
| no | -| [pritunl\_vpn\_server\_enable](#input\_pritunl\_vpn\_server\_enable) | Indicates whether or not the Pritunl VPN server is deployed. | `bool` | `false` | no | -| [pritunl\_vpn\_access\_cidr\_blocks](#input\_pritunl\_vpn\_access\_cidr\_blocks) | IP address that will have access to the web console | `string` | `"127.0.0.1/32"` | no | -| [region](#input\_region) | Default infrastructure region | `string` | `"us-east-1"` | no | -| [short\_region](#input\_short\_region) | The abbreviated name of the region, required to form unique resource names | `map` |
{
"ap-east-1": "ape1",
"ap-northeast-1": "apn1",
"ap-northeast-2": "apn2",
"ap-south-1": "aps1",
"ap-southeast-1": "apse1",
"ap-southeast-2": "apse2",
"ca-central-1": "cac1",
"cn-north-1": "cnn1",
"cn-northwest-1": "cnnw1",
"eu-central-1": "euc1",
"eu-north-1": "eun1",
"eu-west-1": "euw1",
"eu-west-2": "euw2",
"eu-west-3": "euw3",
"sa-east-1": "sae1",
"us-east-1": "use1",
"us-east-2": "use2",
"us-gov-east-1": "usge1",
"us-gov-west-1": "usgw1",
"us-west-1": "usw1",
"us-west-2": "usw2"
}
| no | -| [single\_nat\_gateway](#input\_single\_nat\_gateway) | Flag to create single nat gateway for all AZs | `bool` | `true` | no | -| [zone\_id](#input\_zone\_id) | R53 zone id for public domain | `any` | `null` | no | +| [allowed\_account\_ids](#input\_allowed\_account\_ids) | List of allowed AWS account IDs | `list` | `[]` | no | +| [allowed\_ips](#input\_allowed\_ips) | IP addresses allowed to connect to private resources | `list(any)` | `[]` | no | +| [az\_count](#input\_az\_count) | Count of avaiablity zones, min 2 | `number` | `3` | no | +| [cidr](#input\_cidr) | Default CIDR block for VPC | `string` | `"10.0.0.0/16"` | no | +| [create\_acm\_certificate](#input\_create\_acm\_certificate) | Whether to create acm certificate or use existing | `bool` | `false` | no | +| [create\_r53\_zone](#input\_create\_r53\_zone) | Create R53 zone for main public domain | `bool` | `false` | no | +| [domain\_name](#input\_domain\_name) | Main public domain name | `any` | n/a | yes | +| [eks\_addons](#input\_eks\_addons) | A list of installed EKS add-ons | `map` |
{
"coredns": {
"addon_version": "v1.8.4-eksbuild.1",
"resolve_conflicts": "OVERWRITE"
},
"kube-proxy": {
"addon_version": "v1.21.2-eksbuild.2",
"resolve_conflicts": "OVERWRITE"
},
"vpc-cni": {
"addon_version": "v1.10.2-eksbuild.1",
"resolve_conflicts": "OVERWRITE"
}
}
| no | +| [eks\_cloudwatch\_log\_group\_retention\_in\_days](#input\_eks\_cloudwatch\_log\_group\_retention\_in\_days) | Number of days to retain log events. Default retention - 90 days. | `number` | `90` | no | +| [eks\_cluster\_enabled\_log\_types](#input\_eks\_cluster\_enabled\_log\_types) | A list of the desired control plane logging to enable. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html). Possible values: api, audit, authenticator, controllerManager, scheduler | `list(string)` |
[
"audit"
]
| no | +| [eks\_cluster\_encryption\_config\_enable](#input\_eks\_cluster\_encryption\_config\_enable) | Enable or not encryption for k8s secrets with aws-kms | `bool` | `false` | no | +| [eks\_cluster\_endpoint\_only\_pritunl](#input\_eks\_cluster\_endpoint\_only\_pritunl) | Only Pritunl VPN server will have access to eks endpoint. | `bool` | `false` | no | +| [eks\_cluster\_endpoint\_private\_access](#input\_eks\_cluster\_endpoint\_private\_access) | Enable or not private access to cluster endpoint | `bool` | `false` | no | +| [eks\_cluster\_endpoint\_public\_access](#input\_eks\_cluster\_endpoint\_public\_access) | Enable or not public access to cluster endpoint | `bool` | `true` | no | +| [eks\_cluster\_version](#input\_eks\_cluster\_version) | Version of the EKS K8S cluster | `string` | `"1.21"` | no | +| [eks\_map\_roles](#input\_eks\_map\_roles) | Additional IAM roles to add to the aws-auth configmap. |
list(object({
rolearn = string
username = string
groups = list(string)
}))
| `[]` | no | +| [eks\_workers\_additional\_policies](#input\_eks\_workers\_additional\_policies) | Additional IAM policy attached to EKS worker nodes | `list(any)` |
[
"arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
]
| no | +| [eks\_write\_kubeconfig](#input\_eks\_write\_kubeconfig) | Flag for eks module to write kubeconfig | `bool` | `false` | no | +| [environment](#input\_environment) | Env name in case workspace wasn't used | `string` | `"demo"` | no | +| [name](#input\_name) | Project name, required to create unique resource names | `any` | n/a | yes | +| [node\_group\_br](#input\_node\_group\_br) | Bottlerocket node group configuration |
object({
instance_types = list(string)
capacity_type = string
max_capacity = number
min_capacity = number
desired_capacity = number
force_update_version = bool
})
|
{
"capacity_type": "SPOT",
"desired_capacity": 0,
"force_update_version": true,
"instance_types": [
"t3a.medium",
"t3.medium"
],
"max_capacity": 5,
"min_capacity": 0
}
| no | +| [node\_group\_ci](#input\_node\_group\_ci) | CI node group configuration |
object({
instance_types = list(string)
capacity_type = string
max_capacity = number
min_capacity = number
desired_capacity = number
force_update_version = bool
})
|
{
"capacity_type": "SPOT",
"desired_capacity": 0,
"force_update_version": true,
"instance_types": [
"t3a.medium",
"t3.medium"
],
"max_capacity": 5,
"min_capacity": 0
}
| no | +| [node\_group\_ondemand](#input\_node\_group\_ondemand) | Default ondemand node group configuration |
object({
instance_types = list(string)
capacity_type = string
max_capacity = number
min_capacity = number
desired_capacity = number
force_update_version = bool
})
|
{
"capacity_type": "ON_DEMAND",
"desired_capacity": 1,
"force_update_version": true,
"instance_types": [
"t3a.medium"
],
"max_capacity": 5,
"min_capacity": 1
}
| no | +| [node\_group\_spot](#input\_node\_group\_spot) | Spot node group configuration |
object({
instance_types = list(string)
capacity_type = string
max_capacity = number
min_capacity = number
desired_capacity = number
force_update_version = bool
})
|
{
"capacity_type": "SPOT",
"desired_capacity": 1,
"force_update_version": true,
"instance_types": [
"t3a.medium",
"t3.medium"
],
"max_capacity": 5,
"min_capacity": 0
}
| no | +| [pritunl\_vpn\_access\_cidr\_blocks](#input\_pritunl\_vpn\_access\_cidr\_blocks) | IP address that will have access to the web console | `string` | `"127.0.0.1/32"` | no | +| [pritunl\_vpn\_server\_enable](#input\_pritunl\_vpn\_server\_enable) | Indicates whether or not the Pritunl VPN server is deployed. | `bool` | `false` | no | +| [region](#input\_region) | Default infrastructure region | `string` | `"us-east-1"` | no | +| [short\_region](#input\_short\_region) | The abbreviated name of the region, required to form unique resource names | `map` |
{
"ap-east-1": "ape1",
"ap-northeast-1": "apn1",
"ap-northeast-2": "apn2",
"ap-south-1": "aps1",
"ap-southeast-1": "apse1",
"ap-southeast-2": "apse2",
"ca-central-1": "cac1",
"cn-north-1": "cnn1",
"cn-northwest-1": "cnnw1",
"eu-central-1": "euc1",
"eu-north-1": "eun1",
"eu-west-1": "euw1",
"eu-west-2": "euw2",
"eu-west-3": "euw3",
"sa-east-1": "sae1",
"us-east-1": "use1",
"us-east-2": "use2",
"us-gov-east-1": "usge1",
"us-gov-west-1": "usgw1",
"us-west-1": "usw1",
"us-west-2": "usw2"
}
| no | +| [single\_nat\_gateway](#input\_single\_nat\_gateway) | Flag to create single nat gateway for all AZs | `bool` | `true` | no | +| [zone\_id](#input\_zone\_id) | R53 zone id for public domain | `any` | `null` | no | ## Outputs @@ -199,8 +194,6 @@ | [eks\_cluster\_endpoint](#output\_eks\_cluster\_endpoint) | Endpoint for EKS control plane. | | [eks\_cluster\_id](#output\_eks\_cluster\_id) | n/a | | [eks\_cluster\_security\_group\_id](#output\_eks\_cluster\_security\_group\_id) | Security group ids attached to the cluster control plane. | -| [eks\_config\_map\_aws\_auth](#output\_eks\_config\_map\_aws\_auth) | A kubernetes configuration to authenticate to this EKS cluster. | -| [eks\_kubectl\_config](#output\_eks\_kubectl\_config) | kubectl config as generated by the module. | | [eks\_kubectl\_console\_config](#output\_eks\_kubectl\_console\_config) | description | | [eks\_oidc\_provider\_arn](#output\_eks\_oidc\_provider\_arn) | ARN of EKS oidc provider | | [env](#output\_env) | Suffix for the hostname depending on workspace | diff --git a/terraform/layer1-aws/aws-eks-auth.tf b/terraform/layer1-aws/aws-eks-auth.tf new file mode 100644 index 00000000..fe06a0ed --- /dev/null +++ b/terraform/layer1-aws/aws-eks-auth.tf @@ -0,0 +1,21 @@ +locals { + eks_map_roles = [ + { + rolearn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/administrator" + username = "administrator" + groups = ["system:masters"] + } + ] + eks_map_users = [] + + aws_auth_configmap_yaml = <<-CONTENT + ${chomp(module.eks.aws_auth_configmap_yaml)} + ${indent(4, yamlencode(local.eks_map_roles))} + mapUsers: | + ${indent(4, yamlencode(local.eks_map_users))} + CONTENT +} + +resource "kubectl_manifest" "this" { + yaml_body = local.aws_auth_configmap_yaml +} diff --git a/terraform/layer1-aws/aws-eks.tf b/terraform/layer1-aws/aws-eks.tf index ae1101fb..35f0435b 100644 --- a/terraform/layer1-aws/aws-eks.tf +++ b/terraform/layer1-aws/aws-eks.tf 
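Review bot: `local.eks_map_roles` in the new aws-eks-auth.tf hard-codes only the administrator role, whereas the locals block this commit deletes from aws-eks.tf built it as `concat(var.eks_map_roles, [...])`; `var.eks_map_roles` is still a documented input in the README hunk but is no longer wired into the aws-auth ConfigMap, so any roles a caller passes are silently dropped from cluster RBAC. Restore the concatenation with `eks_map_roles = concat(var.eks_map_roles, [` and close the list with `])`. The heredoc also assumes `module.eks.aws_auth_configmap_yaml` ends with an open `mapRoles: |` list that the indented `yamlencode` output continues; a one-line comment stating that assumption above `aws_auth_configmap_yaml` would help whoever next bumps the module version, since a change in the module's output shape would break the ConfigMap silently.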
@@ -1,40 +1,15 @@
-locals {
- eks_map_roles = concat(var.eks_map_roles,
- [
- {
- rolearn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/administrator"
- username = "administrator"
- groups = [
- "system:masters"]
- }]
- )
-
- worker_tags = [
- {
- "key" = "k8s.io/cluster-autoscaler/enabled"
- "propagate_at_launch" = "false"
- "value" = "true"
- },
- {
- "key" = "k8s.io/cluster-autoscaler/${local.name}"
- "propagate_at_launch" = "false"
- "value" = "owned"
- }
- ]
-}
-
 #tfsec:ignore:aws-vpc-no-public-egress-sgr tfsec:ignore:aws-eks-enable-control-plane-logging tfsec:ignore:aws-eks-encrypt-secrets tfsec:ignore:aws-eks-no-public-cluster-access tfsec:ignore:aws-eks-no-public-cluster-access-to-cidr
 module "eks" {
 source = "terraform-aws-modules/eks/aws"
- version = "17.23.0"
+ version = "18.9.0"
 cluster_name = local.name
 cluster_version = var.eks_cluster_version
- subnets = module.vpc.intra_subnets
+ subnet_ids = module.vpc.intra_subnets
 enable_irsa = true
- cluster_enabled_log_types = var.eks_cluster_enabled_log_types
- cluster_log_retention_in_days = var.eks_cluster_log_retention_in_days
+ cluster_enabled_log_types = var.eks_cluster_enabled_log_types
+ cloudwatch_log_group_retention_in_days = var.eks_cloudwatch_log_group_retention_in_days
 tags = {
 ClusterName = local.name
@@ -43,6 +18,8 @@ module "eks" {
 vpc_id = module.vpc.vpc_id
+ cluster_addons = var.eks_addons
+
 cluster_encryption_config = var.eks_cluster_encryption_config_enable ? [
 {
 provider_key_arn = aws_kms_key.eks[0].arn
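Review bot: `cluster_addons = var.eks_addons` in the second hunk drops the `Environment = local.env` tag that the removed `aws_eks_addon` resources (hunk `@@ -174,51 +194,4 @@`) set on each add-on, because the `var.eks_addons` entries carry only `resolve_conflicts` and `addon_version`. Unless the module-level `tags` block, which the first hunk cuts off after `ClusterName = local.name`, already includes that tag, the add-ons lose it, which matters if tag-based cost allocation or policy relies on it. If the module version in use honours a per-add-on `tags` key, `cluster_addons = { for k, v in var.eks_addons : k => merge(v, { tags = { Environment = local.env } }) }` keeps tagging consistent with the node groups; otherwise add `Environment` to the module-level `tags`. The `module "eks"` block continues outside both hunks.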
@@ -54,72 +31,111 @@ module "eks" {
 cluster_endpoint_private_access = var.eks_cluster_endpoint_private_access
 cluster_endpoint_public_access_cidrs = var.eks_cluster_endpoint_only_pritunl ? ["${module.pritunl[0].pritunl_endpoint}/32"] : ["0.0.0.0/0"]
- map_roles = local.eks_map_roles
- write_kubeconfig = var.eks_write_kubeconfig
- # Create security group rules to allow communication between pods on workers and pods in managed node groups.
- # Set this to true if you have AWS-Managed node groups and Self-Managed worker groups.
- # See https://github.com/terraform-aws-modules/terraform-aws-eks/issues/1089
- worker_create_cluster_primary_security_group_rules = true
+ # Extend cluster security group rules
+ cluster_security_group_additional_rules = {
+ egress_nodes_ephemeral_ports_tcp = {
+ description = "To node 1025-65535"
+ protocol = "tcp"
+ from_port = 1025
+ to_port = 65535
+ type = "egress"
+ source_node_security_group = true
+ }
+ }
- workers_additional_policies = var.eks_workers_additional_policies
+ # Extend node-to-node security group rules
+ node_security_group_additional_rules = {
+ ingress_self_all = {
+ description = "Node to node all ports/protocols"
+ protocol = "-1"
+ from_port = 0
+ to_port = 0
+ type = "ingress"
+ self = true
+ }
+ ingress_cluster_all = {
+ description = "Cluster to nodes all ports/protocols"
+ protocol = "-1"
+ from_port = 1025
+ to_port = 65535
+ type = "ingress"
+ source_cluster_security_group = true
+ }
+ egress_all = {
+ description = "Node all egress"
+ protocol = "-1"
+ from_port = 0
+ to_port = 0
+ type = "egress"
+ cidr_blocks = ["0.0.0.0/0"]
+ ipv6_cidr_blocks = ["::/0"]
+ }
+ }
- node_groups_defaults = {
- ami_type = "AL2_x86_64"
- disk_size = 100
+ eks_managed_node_group_defaults = {
+ ami_type = "AL2_x86_64"
+ disk_size = 100
+ iam_role_additional_policies = var.eks_workers_additional_policies
 }
- node_groups = {
+ eks_managed_node_groups = {
 spot = {
- desired_capacity = var.node_group_spot.desired_capacity
- max_capacity = var.node_group_spot.max_capacity
- min_capacity = var.node_group_spot.min_capacity
- instance_types = var.node_group_spot.instance_types
- capacity_type = var.node_group_spot.capacity_type
- subnets = module.vpc.private_subnets
+ name = "${local.name}-spot"
+ iam_role_name = "${local.name}-spot"
+ desired_size = var.node_group_spot.desired_capacity
+ max_size = var.node_group_spot.max_capacity
+ min_size = var.node_group_spot.min_capacity
+ instance_types = var.node_group_spot.instance_types
+ capacity_type = var.node_group_spot.capacity_type
+ subnet_ids = module.vpc.private_subnets
 force_update_version = var.node_group_spot.force_update_version
- k8s_labels = {
+ labels = {
 Environment = local.env
 nodegroup = "spot"
 }
- additional_tags = {
+ tags = {
 Name = "${local.name}-spot"
 }
 },
 ondemand = {
- desired_capacity = var.node_group_ondemand.desired_capacity
- max_capacity = var.node_group_ondemand.max_capacity
- min_capacity = var.node_group_ondemand.min_capacity
- instance_types = var.node_group_ondemand.instance_types
- capacity_type = var.node_group_ondemand.capacity_type
- subnets = module.vpc.private_subnets
+ name = "${local.name}-ondemand"
+ iam_role_name = "${local.name}-ondemand"
+ desired_size = var.node_group_ondemand.desired_capacity
+ max_size = var.node_group_ondemand.max_capacity
+ min_size = var.node_group_ondemand.min_capacity
+ instance_types = var.node_group_ondemand.instance_types
+ capacity_type = var.node_group_ondemand.capacity_type
+ subnet_ids = module.vpc.private_subnets
 force_update_version = var.node_group_ondemand.force_update_version
- k8s_labels = {
+ labels = {
 Environment = local.env
 nodegroup = "ondemand"
 }
- additional_tags = {
+ tags = {
 Name = "${local.name}-ondemand"
 }
 },
 ci = {
- desired_capacity = var.node_group_ci.desired_capacity
- max_capacity = var.node_group_ci.max_capacity
- min_capacity = var.node_group_ci.min_capacity
- instance_types = var.node_group_ci.instance_types
- capacity_type = var.node_group_ci.capacity_type
- subnets = module.vpc.private_subnets
+ name = "${local.name}-ci"
+ iam_role_name = "${local.name}-ci"
+ desired_size = var.node_group_ci.desired_capacity
+ max_size = var.node_group_ci.max_capacity
+ min_size = var.node_group_ci.min_capacity
+ instance_types = var.node_group_ci.instance_types
+ capacity_type = var.node_group_ci.capacity_type
+ subnet_ids = module.vpc.private_subnets
 force_update_version = var.node_group_ci.force_update_version
- k8s_labels = {
+ labels = {
 Environment = local.env
 nodegroup = "ci"
 }
- additional_tags = {
+ tags = {
 Name = "${local.name}-ci"
 }
 taints = [
@@ -127,33 +143,37 @@ module "eks" {
 key = "nodegroup"
 value = "ci"
 effect = "NO_SCHEDULE"
- }]
+ }
+ ]
 },
 bottlerocket = {
- desired_capacity = var.node_group_br.desired_capacity
- max_capacity = var.node_group_br.max_capacity
- min_capacity = var.node_group_br.min_capacity
- instance_types = var.node_group_br.instance_types
- capacity_type = var.node_group_br.capacity_type
- subnets = module.vpc.private_subnets
+ name = "${local.name}-bottlerocket"
+ iam_role_name = "${local.name}-bottlerocket"
+ desired_size = var.node_group_br.desired_capacity
+ max_size = var.node_group_br.max_capacity
+ min_size = var.node_group_br.min_capacity
+ instance_types = var.node_group_br.instance_types
+ capacity_type = var.node_group_br.capacity_type
+ subnet_ids = module.vpc.private_subnets
 ami_type = "BOTTLEROCKET_x86_64"
 force_update_version = var.node_group_br.force_update_version
- k8s_labels = {
+ labels = {
 Environment = local.env
 nodegroup = "bottlerocket"
 }
- additional_tags = {
- Name = "${local.name}-bottlerocket"
- }
 taints = [
 {
 key = "nodegroup"
 value = "bottlerocket"
 effect = "NO_SCHEDULE"
- }]
+ }
+ ]
+ tags = {
+ Name = "${local.name}-bottlerocket"
+ }
 }
 }
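Review bot: `ingress_cluster_all` in `node_security_group_additional_rules` sets `protocol = "-1"` together with `from_port = 1025` / `to_port = 65535`; with protocol -1 the port range is not applied, so the rule admits all traffic from the cluster security group and the 1025-65535 bounds only document an intent the rule does not enforce. Either make the range real with `protocol = "tcp"`, mirroring `egress_nodes_ephemeral_ports_tcp` on the cluster side, or set `from_port = 0` / `to_port = 0` so the rule matches its "all ports/protocols" description. `egress_all` opening `0.0.0.0/0` and `::/0` is already covered by the tfsec ignore on the module line, but a short comment such as `# unrestricted node egress is intentional (image pulls, IRSA STS calls)` would record why. The `module "eks"` block continues past the end of this hunk.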
@@ -174,51 +194,4 @@ module "eks" {
 })
 }
 }
-
- depends_on = [module.vpc]
-}
-
-resource "aws_eks_addon" "vpc_cni" {
- count = var.addon_create_vpc_cni ? 1 : 0
-
- cluster_name = module.eks.cluster_id
- addon_name = "vpc-cni"
- resolve_conflicts = "OVERWRITE"
- addon_version = var.addon_vpc_cni_version
-
- tags = {
- Environment = local.env
- }
-
- depends_on = [module.eks]
-}
-
-resource "aws_eks_addon" "kube_proxy" {
- count = var.addon_create_kube_proxy ? 1 : 0
-
- cluster_name = module.eks.cluster_id
- addon_name = "kube-proxy"
- resolve_conflicts = "OVERWRITE"
- addon_version = var.addon_kube_proxy_version
-
- tags = {
- Environment = local.env
- }
-
- depends_on = [module.eks]
-}
-
-resource "aws_eks_addon" "coredns" {
- count = var.addon_create_coredns ? 1 : 0
-
- cluster_name = module.eks.cluster_id
- addon_name = "coredns"
- resolve_conflicts = "OVERWRITE"
- addon_version = var.addon_coredns_version
-
- tags = {
- Environment = local.env
- }
-
- depends_on = [module.eks]
 }
diff --git a/terraform/layer1-aws/main.tf b/terraform/layer1-aws/main.tf
index c9b789cc..e3894370 100644
--- a/terraform/layer1-aws/main.tf
+++ b/terraform/layer1-aws/main.tf
@@ -4,12 +4,16 @@ terraform {
 required_providers {
 aws = {
 source = "aws"
- version = "3.64.2"
+ version = "3.72.0"
 }
 kubernetes = {
 source = "kubernetes"
 version = "2.6.1"
 }
+ kubectl = {
+ source = "gavinbunney/kubectl"
+ version = "1.13.1"
+ }
 }
 }
diff --git a/terraform/layer1-aws/outputs.tf b/terraform/layer1-aws/outputs.tf
index a5bddbfb..1eaa99b8 100644
--- a/terraform/layer1-aws/outputs.tf
+++ b/terraform/layer1-aws/outputs.tf
@@ -89,24 +89,12 @@ output "eks_cluster_security_group_id" {
 value = module.eks.cluster_security_group_id
 }
-output "eks_kubectl_config" {
- description = "kubectl config as generated by the module."
- value = module.eks.kubeconfig
- sensitive = true
-}
-
 output "eks_kubectl_console_config" {
 value = "aws eks update-kubeconfig --name ${module.eks.cluster_id} --region ${var.region}"
 description = "description"
 depends_on = []
 }
-output "eks_config_map_aws_auth" {
- description = "A kubernetes configuration to authenticate to this EKS cluster."
- value = module.eks.config_map_aws_auth
- sensitive = true
-}
-
 output "eks_cluster_id" {
 value = module.eks.cluster_id
 }
@@ -120,5 +108,3 @@ output "ssl_certificate_arn" {
 description = "ARN of SSL certificate"
 value = local.ssl_certificate_arn
 }
-
-
diff --git a/terraform/layer1-aws/providers.tf b/terraform/layer1-aws/providers.tf
index 0fad10bb..64354d57 100644
--- a/terraform/layer1-aws/providers.tf
+++ b/terraform/layer1-aws/providers.tf
@@ -9,6 +9,12 @@ provider "kubernetes" {
 token = data.aws_eks_cluster_auth.main.token
 }
+provider "kubectl" {
+ host = data.aws_eks_cluster.main.endpoint
+ cluster_ca_certificate = base64decode(data.aws_eks_cluster.main.certificate_authority.0.data)
+ token = data.aws_eks_cluster_auth.main.token
+}
+
 data "aws_eks_cluster" "main" {
 name = module.eks.cluster_id
 }
diff --git a/terraform/layer1-aws/variables.tf b/terraform/layer1-aws/variables.tf
index 7f9c97c2..4458ca71 100644
--- a/terraform/layer1-aws/variables.tf
+++ b/terraform/layer1-aws/variables.tf
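Review bot: `output "eks_kubectl_console_config"` still carries the placeholder `description = "description"` and an empty `depends_on = []`, which this hunk leaves in place while deleting the two sensitive outputs on either side of it; since the file is being revised anyway, `description = "AWS CLI command that writes a kubeconfig for this cluster into the caller's kubeconfig file"` and dropping the empty `depends_on` would be worth folding in. Removing `eks_kubectl_config` and `eks_config_map_aws_auth` also removes the last place this layer exposed a kubeconfig and the aws-auth mapping through state; anything in layer2 that read them via remote state now has to be pointed at the new aws-auth handling (the diffstat lists a new `aws-eks-auth.tf`, which is not in view here).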
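Review bot: The new `provider "kubectl"` block sets host, CA and token explicitly but not `load_config_file = false`; as far as I recall the gavinbunney/kubectl provider defaults to also loading the local kubeconfig, so a stale `~/.kube/config` on the machine running `terraform apply` can be merged in and aim the provider at a different cluster or credential than the one this layer just created — add `load_config_file = false` next to `token`. The token comes from `data.aws_eks_cluster_auth.main.token`, the same short-lived token the `kubernetes` provider above uses, so a long apply can outlive it mid-run; an `exec` block that calls `aws eks get-token` is the usual remedy, but that applies equally to the existing `kubernetes` provider and is outside this change.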
@@ -96,35 +96,27 @@ variable "eks_cluster_version" {
 description = "Version of the EKS K8S cluster"
 }
-variable "addon_create_vpc_cni" {
- default = true
- description = "Enable vpc-cni add-on or not"
-}
-variable "addon_vpc_cni_version" {
- default = "v1.9.1-eksbuild.1"
- description = "The version of vpc-cni add-on"
-}
-variable "addon_create_kube_proxy" {
- default = true
- description = "Enable kube-proxy add-on or not"
-}
-variable "addon_kube_proxy_version" {
- default = "v1.20.4-eksbuild.2"
- description = "The version of kube-proxy add-on"
-}
-variable "addon_create_coredns" {
- default = true
- description = "Enable coredns add-on or not"
-}
-variable "addon_coredns_version" {
- default = "v1.8.3-eksbuild.1"
- description = "The version of coredns add-on"
+variable "eks_addons" {
+ default = {
+ coredns = {
+ resolve_conflicts = "OVERWRITE"
+ addon_version = "v1.8.4-eksbuild.1"
+ }
+ kube-proxy = {
+ resolve_conflicts = "OVERWRITE"
+ addon_version = "v1.21.2-eksbuild.2"
+ }
+ vpc-cni = {
+ resolve_conflicts = "OVERWRITE"
+ addon_version = "v1.10.2-eksbuild.1"
+ }
+ }
+ description = "A list of installed EKS add-ons"
 }
 variable "eks_workers_additional_policies" {
- type = list(any)
- default = [
- "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"]
+ type = list(any)
+ default = ["arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"]
 description = "Additional IAM policy attached to EKS worker nodes"
 }
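Review bot: `variable "eks_addons"` declares no `type` and its description calls it "a list", while the default is a map of objects keyed by add-on name; `type = map(object({ resolve_conflicts = string, addon_version = string }))` (or `map(any)` if more attributes are expected) together with `description = "Map of EKS add-ons to install, keyed by add-on name, each with its version and conflict-resolution mode"` would let Terraform reject a mis-shaped override at validation instead of failing inside the module. Every entry defaults to `resolve_conflicts = "OVERWRITE"`, which discards any out-of-band edits to the add-on's configuration on each version change; that is a reasonable baseline, but it is worth stating in the description so operators know manual tuning will not survive. In the same hunk, `eks_workers_additional_policies` keeps `type = list(any)` although it only ever holds IAM policy ARNs; `type = list(string)` is the tighter declaration.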
@@ -234,7 +226,7 @@ variable "eks_cluster_enabled_log_types" {
 description = "A list of the desired control plane logging to enable. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html). Possible values: api, audit, authenticator, controllerManager, scheduler"
 }
-variable "eks_cluster_log_retention_in_days" {
+variable "eks_cloudwatch_log_group_retention_in_days" {
 type = number
 default = 90
 description = "Number of days to retain log events. Default retention - 90 days."
diff --git a/terraform/layer2-k8s/.terraform.lock.hcl b/terraform/layer2-k8s/.terraform.lock.hcl
index 82681551..3ea2ba18 100644
--- a/terraform/layer2-k8s/.terraform.lock.hcl
+++ b/terraform/layer2-k8s/.terraform.lock.hcl
@@ -19,39 +19,40 @@ provider "registry.terraform.io/gavinbunney/kubectl" { } provider "registry.terraform.io/hashicorp/aws" { - version = "3.64.2" - constraints = "3.64.2" + version = "3.72.0" + constraints = "3.72.0" hashes = [ - "h1:eXusrZ56Ye4gprLzI3dXBy50DV+sbY5gOoJ7cNuouzA=", - "zh:0b029a2282beabfe410eb2969e18ca773d3473415e442be4dc8ce0eb6d1cd8c5", - "zh:3209de3266a1138f1ccb09f094fdd98b6f55afc06e291db0abe092ec5dbe7640", - "zh:40648266551631cbc15f8a76e80faf300510e3b38c2544d43fc25e37e6802727", - "zh:483c8af92ae70146f2790a70c1a810251e7135aa912b66e769c934eddceebe32", - "zh:4d106d8d415d8df342f3f85e58c35418e6c55e3cb7f02897f832cefac4dca68c", - "zh:972626a6ddb31d5216606d12ab5c30fbf8d51ed2bbe0efcdd7cffa68c1141557", - "zh:a230d55ec52b1695148d40296877ee23e0b302e817154f9b838eb117c87b13fa", - "zh:c95fddfbd7f870db949da0601323e866e0f0fb0d4a93e96725ae5b88029e84d5", - "zh:ea0c7f568074f835f22273c8e7e61e87f5277e32004c72122915fd3c8df49ccc", - "zh:f96d25887e6e2d2ae47659e2c586efea2167995b59a479ae65a02b097da86474", - "zh:fe7502d8e52d3b5ccb2b3c178e7ea894344783093aa71ffb20e978914c976182", + "h1:6pleQtx6+jQE/Kekcr8Ou05yYrdvVSngnwHE0PkBELg=", + "zh:0c4615ff3c6bc9700d8f16a5a644ddfcb666eaddbf2f77d71616008a28e4db75", + "zh:29eb139a8fbb98391652fa1eb4668ad5a13a31d45a6c06fe2b1d66903c4e6509", + "zh:3e73a9cf67d30c400456011cc8ed036bce68df8fd8131d591a929186e43ab80b", + "zh:46090da59293464e1865190b2e67ae63103c9d87a16a5fcb982ce748369666d6", + "zh:4fb25d9b139cb1856e519bff4fd49695285fa63a1d57e1c0efc1791bb36532a8", + "zh:5acd99d2b22cd45f18c93905a6e5122712c48f432db3c3c3518af449c10ae7e6", + "zh:95e53770503127e6de9f71d02e0bafdf0c7e7490f93401e05b6015bc7fa94b29", + "zh:b31524932e804de5ef5613d3646892eb55656f062bcbb9d7c29cf6539f82397e", + "zh:d977b9f8657c3026340295015930ef58caba5c2f59fd2e63e230c0b9ddba1ee7", + "zh:fcb0202ad1b8de19f1cd58d0b60147cae5dd4f869a861f619e8e5d27f8a936a9", + "zh:fe85cf3c44834230c2aaa2d0c622ddde1e33398bbe9f7213011eba68130b1588", ] } provider "registry.terraform.io/hashicorp/external" { 
- version = "2.1.0" + version = "2.2.2" hashes = [ - "h1:LTl5CGW8wiIEe16AC4MtXN/95xWWNDbap70zJsBTk0w=", - "zh:0d83ffb72fbd08986378204a7373d8c43b127049096eaf2765bfdd6b00ad9853", - "zh:7577d6edc67b1e8c2cf62fe6501192df1231d74125d90e51d570d586d95269c5", - "zh:9c669ded5d5affa4b2544952c4b6588dfed55260147d24ced02dca3a2829f328", - "zh:a404d46f2831f90633947ab5d57e19dbfe35b3704104ba6ec80bcf50b058acfd", - "zh:ae1caea1c936d459ceadf287bb5c5bd67b5e2a7819df6f5c4114b7305df7f822", - "zh:afb4f805477694a4b9dde86b268d2c0821711c8aab1c6088f5f992228c4c06fb", - "zh:b993b4a1de8a462643e78f4786789e44ce5064b332fee1cb0d6250ed085561b8", - "zh:c84b2c13fa3ea2c0aa7291243006d560ce480a5591294b9001ce3742fc9c5791", - "zh:c8966f69b7eccccb771704fd5335923692eccc9e0e90cb95d14538fe2e92a3b8", - "zh:d5fe68850d449b811e633a300b114d0617df6d450305e8251643b4d143dc855b", - "zh:ddebfd1e674ba336df09b1f27bbaa0e036c25b7a7087dc8081443f6e5954028b", + "h1:VUkgcWvCliS0HO4kt7oEQhFD2gcx/59XpwMqxfCU1kE=", + "zh:0b84ab0af2e28606e9c0c1289343949339221c3ab126616b831ddb5aaef5f5ca", + "zh:10cf5c9b9524ca2e4302bf02368dc6aac29fb50aeaa6f7758cce9aa36ae87a28", + "zh:56a016ee871c8501acb3f2ee3b51592ad7c3871a1757b098838349b17762ba6b", + "zh:719d6ef39c50e4cffc67aa67d74d195adaf42afcf62beab132dafdb500347d39", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:7fbfc4d37435ac2f717b0316f872f558f608596b389b895fcb549f118462d327", + "zh:8ac71408204db606ce63fe8f9aeaf1ddc7751d57d586ec421e62d440c402e955", + "zh:a4cacdb06f114454b6ed0033add28006afa3f65a0ea7a43befe45fc82e6809fb", + "zh:bb5ce3132b52ae32b6cc005bc9f7627b95259b9ffe556de4dad60d47d47f21f0", + "zh:bb60d2976f125ffd232a7ccb4b3f81e7109578b23c9c6179f13a11d125dca82a", + "zh:f9540ecd2e056d6e71b9ea5f5a5cf8f63dd5c25394b9db831083a9d4ea99b372", + "zh:ffd998b55b8a64d4335a090b6956b4bf8855b290f7554dd38db3302de9c41809", ] } 
@@ -132,21 +133,21 @@ provider "registry.terraform.io/hashicorp/null" { } provider "registry.terraform.io/hashicorp/random" { - version = "3.1.0" + version = "3.1.2" hashes = [ - "h1:BZMEPucF+pbu9gsPk0G0BHx7YP04+tKdq2MrRDF1EDM=", - "h1:rKYu5ZUbXwrLG1w81k7H3nce/Ys6yAxXhWcbtk36HjY=", - "zh:2bbb3339f0643b5daa07480ef4397bd23a79963cc364cdfbb4e86354cb7725bc", - "zh:3cd456047805bf639fbf2c761b1848880ea703a054f76db51852008b11008626", - "zh:4f251b0eda5bb5e3dc26ea4400dba200018213654b69b4a5f96abee815b4f5ff", - "zh:7011332745ea061e517fe1319bd6c75054a314155cb2c1199a5b01fe1889a7e2", - "zh:738ed82858317ccc246691c8b85995bc125ac3b4143043219bd0437adc56c992", - "zh:7dbe52fac7bb21227acd7529b487511c91f4107db9cc4414f50d04ffc3cab427", - "zh:a3a9251fb15f93e4cfc1789800fc2d7414bbc18944ad4c5c98f466e6477c42bc", - "zh:a543ec1a3a8c20635cf374110bd2f87c07374cf2c50617eee2c669b3ceeeaa9f", - "zh:d9ab41d556a48bd7059f0810cf020500635bfc696c9fc3adab5ea8915c1d886b", - "zh:d9e13427a7d011dbd654e591b0337e6074eef8c3b9bb11b2e39eaaf257044fd7", - "zh:f7605bd1437752114baf601bdf6931debe6dc6bfe3006eb7e9bb9080931dca8a", + "h1:9A6Ghjgad0KjJRxa6nPo8i8uFvwj3Vv0wnEgy49u+24=", + "zh:0daceba867b330d3f8e2c5dc895c4291845a78f31955ce1b91ab2c4d1cd1c10b", + "zh:104050099efd30a630741f788f9576b19998e7a09347decbec3da0b21d64ba2d", + "zh:173f4ef3fdf0c7e2564a3db0fac560e9f5afdf6afd0b75d6646af6576b122b16", + "zh:41d50f975e535f968b3f37170fb07937c15b76d85ba947d0ce5e5ff9530eda65", + "zh:51a5038867e5e60757ed7f513dd6a973068241190d158a81d1b69296efb9cb8d", + "zh:6432a568e97a5a36cc8aebca5a7e9c879a55d3bc71d0da1ab849ad905f41c0be", + "zh:6bac6501394b87138a5e17c9f3a41e46ff7833ad0ba2a96197bb7787e95b641c", + "zh:6c0a7f5faacda644b022e7718e53f5868187435be6d000786d1ca05aa6683a25", + "zh:74c89de3fa6ef3027efe08f8473c2baeb41b4c6cee250ba7aeb5b64e8c79800d", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:b29eabbf0a5298f0e95a1df214c7cfe06ea9bcf362c63b3ad2f72d85da7d4685", + 
"zh:e891458c7a61e5b964e09616f1a4f87d0471feae1ec04cc51776e7dec1a3abce", ] } 
@@ -187,19 +188,20 @@ provider "registry.terraform.io/hashicorp/time" { } provider "registry.terraform.io/hashicorp/tls" { - version = "3.1.0" + version = "3.2.1" hashes = [ - "h1:XTU9f6sGMZHOT8r/+LWCz2BZOPH127FBTPjMMEAAu1U=", - "zh:3d46616b41fea215566f4a957b6d3a1aa43f1f75c26776d72a98bdba79439db6", - "zh:623a203817a6dafa86f1b4141b645159e07ec418c82fe40acd4d2a27543cbaa2", - "zh:668217e78b210a6572e7b0ecb4134a6781cc4d738f4f5d09eb756085b082592e", - "zh:95354df03710691773c8f50a32e31fca25f124b7f3d6078265fdf3c4e1384dca", - "zh:9f97ab190380430d57392303e3f36f4f7835c74ea83276baa98d6b9a997c3698", - "zh:a16f0bab665f8d933e95ca055b9c8d5707f1a0dd8c8ecca6c13091f40dc1e99d", - "zh:be274d5008c24dc0d6540c19e22dbb31ee6bfdd0b2cddd4d97f3cd8a8d657841", - "zh:d5faa9dce0a5fc9d26b2463cea5be35f8586ab75030e7fa4d4920cd73ee26989", - "zh:e9b672210b7fb410780e7b429975adcc76dd557738ecc7c890ea18942eb321a5", - "zh:eb1f8368573d2370605d6dbf60f9aaa5b64e55741d96b5fb026dbfe91de67c0d", - "zh:fc1e12b713837b85daf6c3bb703d7795eaf1c5177aebae1afcf811dd7009f4b0", + "h1:p0vyCZjZqr6qf+CfUVvPSYghrn0/oMDJS4kp3pV26YY=", + "zh:0209adc722f1f2e319018bd2d38a3ef389fa7eaabf40ab3f82e791428712dc64", + "zh:2dbf76857b022ec44eaddb386d976a08b4a053bcc8e815fd601505f33b29b92e", + "zh:301f98065a3b45b1c6d671955d5f92d246e577be0a98e7f7e0553b11b1cd8b92", + "zh:4ee8effc669f9856d137249244b67fdcdc35262ebeab3dad262f42d6ddd39c5c", + "zh:66cdbf20523972e1e5e682b8776b78ad3ab296ad04784da8fe945d183766ac22", + "zh:71798604d4ff22f3c79ec9a8ab61802e969f57456e26ba30bef7d276b88815f7", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:9289d10fc5241bfd7a2e5de6ca229840eaa06066a129f483133e0a4517a91600", + "zh:a075e6bd64a452242e712c59d890cc0d5972158c9d71edbe1ac32d10ad051670", + "zh:deb5665f08b271bebe7d18c76cdcdf514ab49f1a85d96e73435728493ae54579", + "zh:e0b0a3c3427ee315582b4d17a6b9d2c09f07f2b86fb09821a7d713b68d4e1200", + "zh:f7519d1c7b1f108c0728036832a58dc06531203e878104f158ebb625b3c9438c", ] } 
diff --git a/terraform/layer2-k8s/README.md b/terraform/layer2-k8s/README.md index 5e0dcbcc..5efb0005 100644 --- a/terraform/layer2-k8s/README.md +++ b/terraform/layer2-k8s/README.md 
@@ -47,136 +47,136 @@ ## Requirements -| Name | Version | -| ---------------------------------------------------------------------------- | ------- | -| [terraform](#requirement\_terraform) | 1.0.10 | -| [aws](#requirement\_aws) | 3.64.2 | -| [helm](#requirement\_helm) | 2.4.1 | -| [http](#requirement\_http) | 2.1.0 | -| [kubectl](#requirement\_kubectl) | 1.13.1 | -| [kubernetes](#requirement\_kubernetes) | 2.6.1 | +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | 1.0.10 | +| [aws](#requirement\_aws) | 3.72.0 | +| [helm](#requirement\_helm) | 2.4.1 | +| [http](#requirement\_http) | 2.1.0 | +| [kubectl](#requirement\_kubectl) | 1.13.1 | +| [kubernetes](#requirement\_kubernetes) | 2.6.1 | ## Providers -| Name | Version | -| ---------------------------------------------------------------------- | ------- | -| [aws](#provider\_aws) | 3.64.2 | -| [helm](#provider\_helm) | 2.4.1 | -| [http](#provider\_http) | 2.1.0 | -| [kubectl](#provider\_kubectl) | 1.13.1 | -| [kubernetes](#provider\_kubernetes) | 2.6.1 | -| [random](#provider\_random) | 3.1.0 | -| [terraform](#provider\_terraform) | n/a | +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | 3.72.0 | +| [helm](#provider\_helm) | 2.4.1 | +| [http](#provider\_http) | 2.1.0 | +| [kubectl](#provider\_kubectl) | 1.13.1 | +| [kubernetes](#provider\_kubernetes) | 2.6.1 | +| [random](#provider\_random) | 3.1.2 | +| [terraform](#provider\_terraform) | n/a | ## Modules -| Name | Source | Version | -| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------- | ------- | -| [aws\_iam\_autoscaler](#module\_aws\_iam\_autoscaler) | ../modules/aws-iam-eks-trusted | n/a | -| [aws\_iam\_aws\_loadbalancer\_controller](#module\_aws\_iam\_aws\_loadbalancer\_controller) | ../modules/aws-iam-eks-trusted | n/a | -| 
[aws\_iam\_cert\_manager](#module\_aws\_iam\_cert\_manager) | ../modules/aws-iam-eks-trusted | n/a | -| [aws\_iam\_elastic\_stack](#module\_aws\_iam\_elastic\_stack) | ../modules/aws-iam-user-with-policy | n/a | -| [aws\_iam\_external\_dns](#module\_aws\_iam\_external\_dns) | ../modules/aws-iam-eks-trusted | n/a | -| [aws\_iam\_external\_secrets](#module\_aws\_iam\_external\_secrets) | ../modules/aws-iam-eks-trusted | n/a | -| [aws\_iam\_gitlab\_runner](#module\_aws\_iam\_gitlab\_runner) | ../modules/aws-iam-eks-trusted | n/a | -| [aws\_iam\_kube\_prometheus\_stack\_grafana](#module\_aws\_iam\_kube\_prometheus\_stack\_grafana) | ../modules/aws-iam-eks-trusted | n/a | -| [aws\_iam\_victoria\_metrics\_k8s\_stack\_grafana](#module\_aws\_iam\_victoria\_metrics\_k8s\_stack\_grafana) | ../modules/aws-iam-eks-trusted | n/a | -| [aws\_load\_balancer\_controller\_namespace](#module\_aws\_load\_balancer\_controller\_namespace) | ../modules/kubernetes-namespace | n/a | -| [aws\_node\_termination\_handler\_namespace](#module\_aws\_node\_termination\_handler\_namespace) | ../modules/kubernetes-namespace | n/a | -| [certmanager\_namespace](#module\_certmanager\_namespace) | ../modules/kubernetes-namespace | n/a | -| [cluster\_autoscaler\_namespace](#module\_cluster\_autoscaler\_namespace) | ../modules/kubernetes-namespace | n/a | -| [elastic\_tls](#module\_elastic\_tls) | ../modules/self-signed-certificate | n/a | -| [elk\_namespace](#module\_elk\_namespace) | ../modules/kubernetes-namespace | n/a | -| [external\_dns\_namespace](#module\_external\_dns\_namespace) | ../modules/kubernetes-namespace | n/a | -| [external\_secrets\_namespace](#module\_external\_secrets\_namespace) | ../modules/kubernetes-namespace | n/a | -| [fargate\_namespace](#module\_fargate\_namespace) | ../modules/kubernetes-namespace | n/a | -| [gitlab\_runner\_namespace](#module\_gitlab\_runner\_namespace) | ../modules/kubernetes-namespace | n/a | -| 
[ingress\_nginx\_namespace](#module\_ingress\_nginx\_namespace) | ../modules/kubernetes-namespace | n/a | -| [istio\_system\_namespace](#module\_istio\_system\_namespace) | ../modules/kubernetes-namespace | n/a | -| [keda\_namespace](#module\_keda\_namespace) | ../modules/kubernetes-namespace | n/a | -| [kiali\_namespace](#module\_kiali\_namespace) | ../modules/kubernetes-namespace | n/a | -| [kube\_prometheus\_stack\_namespace](#module\_kube\_prometheus\_stack\_namespace) | ../modules/kubernetes-namespace | n/a | -| [loki\_namespace](#module\_loki\_namespace) | ../modules/kubernetes-namespace | n/a | -| [reloader\_namespace](#module\_reloader\_namespace) | ../modules/kubernetes-namespace | n/a | -| [victoria\_metrics\_k8s\_stack\_namespace](#module\_victoria\_metrics\_k8s\_stack\_namespace) | ../modules/kubernetes-namespace | n/a | +| Name | Source | Version | +|------|--------|---------| +| [aws\_iam\_autoscaler](#module\_aws\_iam\_autoscaler) | ../modules/aws-iam-eks-trusted | n/a | +| [aws\_iam\_aws\_loadbalancer\_controller](#module\_aws\_iam\_aws\_loadbalancer\_controller) | ../modules/aws-iam-eks-trusted | n/a | +| [aws\_iam\_cert\_manager](#module\_aws\_iam\_cert\_manager) | ../modules/aws-iam-eks-trusted | n/a | +| [aws\_iam\_elastic\_stack](#module\_aws\_iam\_elastic\_stack) | ../modules/aws-iam-user-with-policy | n/a | +| [aws\_iam\_external\_dns](#module\_aws\_iam\_external\_dns) | ../modules/aws-iam-eks-trusted | n/a | +| [aws\_iam\_external\_secrets](#module\_aws\_iam\_external\_secrets) | ../modules/aws-iam-eks-trusted | n/a | +| [aws\_iam\_gitlab\_runner](#module\_aws\_iam\_gitlab\_runner) | ../modules/aws-iam-eks-trusted | n/a | +| [aws\_iam\_kube\_prometheus\_stack\_grafana](#module\_aws\_iam\_kube\_prometheus\_stack\_grafana) | ../modules/aws-iam-eks-trusted | n/a | +| [aws\_iam\_victoria\_metrics\_k8s\_stack\_grafana](#module\_aws\_iam\_victoria\_metrics\_k8s\_stack\_grafana) | ../modules/aws-iam-eks-trusted | n/a | +| 
[aws\_load\_balancer\_controller\_namespace](#module\_aws\_load\_balancer\_controller\_namespace) | ../modules/kubernetes-namespace | n/a | +| [aws\_node\_termination\_handler\_namespace](#module\_aws\_node\_termination\_handler\_namespace) | ../modules/kubernetes-namespace | n/a | +| [certmanager\_namespace](#module\_certmanager\_namespace) | ../modules/kubernetes-namespace | n/a | +| [cluster\_autoscaler\_namespace](#module\_cluster\_autoscaler\_namespace) | ../modules/kubernetes-namespace | n/a | +| [elastic\_tls](#module\_elastic\_tls) | ../modules/self-signed-certificate | n/a | +| [elk\_namespace](#module\_elk\_namespace) | ../modules/kubernetes-namespace | n/a | +| [external\_dns\_namespace](#module\_external\_dns\_namespace) | ../modules/kubernetes-namespace | n/a | +| [external\_secrets\_namespace](#module\_external\_secrets\_namespace) | ../modules/kubernetes-namespace | n/a | +| [fargate\_namespace](#module\_fargate\_namespace) | ../modules/kubernetes-namespace | n/a | +| [gitlab\_runner\_namespace](#module\_gitlab\_runner\_namespace) | ../modules/kubernetes-namespace | n/a | +| [ingress\_nginx\_namespace](#module\_ingress\_nginx\_namespace) | ../modules/kubernetes-namespace | n/a | +| [istio\_system\_namespace](#module\_istio\_system\_namespace) | ../modules/kubernetes-namespace | n/a | +| [keda\_namespace](#module\_keda\_namespace) | ../modules/kubernetes-namespace | n/a | +| [kiali\_namespace](#module\_kiali\_namespace) | ../modules/kubernetes-namespace | n/a | +| [kube\_prometheus\_stack\_namespace](#module\_kube\_prometheus\_stack\_namespace) | ../modules/kubernetes-namespace | n/a | +| [loki\_namespace](#module\_loki\_namespace) | ../modules/kubernetes-namespace | n/a | +| [reloader\_namespace](#module\_reloader\_namespace) | ../modules/kubernetes-namespace | n/a | +| [victoria\_metrics\_k8s\_stack\_namespace](#module\_victoria\_metrics\_k8s\_stack\_namespace) | ../modules/kubernetes-namespace | n/a | ## Resources -| Name | Type | -| 
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- | -| [aws_s3_bucket.elastic_stack](https://registry.terraform.io/providers/aws/3.64.2/docs/resources/s3_bucket) | resource | -| [aws_s3_bucket.gitlab_runner_cache](https://registry.terraform.io/providers/aws/3.64.2/docs/resources/s3_bucket) | resource | -| [aws_s3_bucket_public_access_block.elastic_stack_public_access_block](https://registry.terraform.io/providers/aws/3.64.2/docs/resources/s3_bucket_public_access_block) | resource | -| [aws_s3_bucket_public_access_block.gitlab_runner_cache_public_access_block](https://registry.terraform.io/providers/aws/3.64.2/docs/resources/s3_bucket_public_access_block) | resource | -| [helm_release.aws_loadbalancer_controller](https://registry.terraform.io/providers/helm/2.4.1/docs/resources/release) | resource | -| [helm_release.aws_node_termination_handler](https://registry.terraform.io/providers/helm/2.4.1/docs/resources/release) | resource | -| [helm_release.calico_daemonset](https://registry.terraform.io/providers/helm/2.4.1/docs/resources/release) | resource | -| [helm_release.cert_manager](https://registry.terraform.io/providers/helm/2.4.1/docs/resources/release) | resource | -| [helm_release.certificate](https://registry.terraform.io/providers/helm/2.4.1/docs/resources/release) | resource | -| [helm_release.cluster_autoscaler](https://registry.terraform.io/providers/helm/2.4.1/docs/resources/release) | resource | -| [helm_release.cluster_issuer](https://registry.terraform.io/providers/helm/2.4.1/docs/resources/release) | resource | -| [helm_release.elk](https://registry.terraform.io/providers/helm/2.4.1/docs/resources/release) | resource | -| [helm_release.external_dns](https://registry.terraform.io/providers/helm/2.4.1/docs/resources/release) | resource | -| 
[helm_release.external_secrets](https://registry.terraform.io/providers/helm/2.4.1/docs/resources/release) | resource | -| [helm_release.gitlab_runner](https://registry.terraform.io/providers/helm/2.4.1/docs/resources/release) | resource | -| [helm_release.ingress_nginx](https://registry.terraform.io/providers/helm/2.4.1/docs/resources/release) | resource | -| [helm_release.istio_base](https://registry.terraform.io/providers/helm/2.4.1/docs/resources/release) | resource | -| [helm_release.istiod](https://registry.terraform.io/providers/helm/2.4.1/docs/resources/release) | resource | -| [helm_release.kedacore](https://registry.terraform.io/providers/helm/2.4.1/docs/resources/release) | resource | -| [helm_release.kiali](https://registry.terraform.io/providers/helm/2.4.1/docs/resources/release) | resource | -| [helm_release.loki_stack](https://registry.terraform.io/providers/helm/2.4.1/docs/resources/release) | resource | -| [helm_release.prometheus_operator](https://registry.terraform.io/providers/helm/2.4.1/docs/resources/release) | resource | -| [helm_release.reloader](https://registry.terraform.io/providers/helm/2.4.1/docs/resources/release) | resource | -| [helm_release.victoria_metrics_k8s_stack](https://registry.terraform.io/providers/helm/2.4.1/docs/resources/release) | resource | -| [kubectl_manifest.istio_prometheus_service_monitor_cp](https://registry.terraform.io/providers/gavinbunney/kubectl/1.13.1/docs/resources/manifest) | resource | -| [kubectl_manifest.istio_prometheus_service_monitor_dp](https://registry.terraform.io/providers/gavinbunney/kubectl/1.13.1/docs/resources/manifest) | resource | -| [kubectl_manifest.kube_prometheus_stack_operator_crds](https://registry.terraform.io/providers/gavinbunney/kubectl/1.13.1/docs/resources/manifest) | resource | -| [kubernetes_secret.elasticsearch_certificates](https://registry.terraform.io/providers/kubernetes/2.6.1/docs/resources/secret) | resource | -| 
[kubernetes_secret.elasticsearch_credentials](https://registry.terraform.io/providers/kubernetes/2.6.1/docs/resources/secret) | resource | -| [kubernetes_secret.elasticsearch_s3_user_creds](https://registry.terraform.io/providers/kubernetes/2.6.1/docs/resources/secret) | resource | -| [kubernetes_secret.kibana_enc_key](https://registry.terraform.io/providers/kubernetes/2.6.1/docs/resources/secret) | resource | -| [kubernetes_storage_class.advanced](https://registry.terraform.io/providers/kubernetes/2.6.1/docs/resources/storage_class) | resource | -| [random_string.elasticsearch_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | -| [random_string.kibana_enc_key](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | -| [random_string.kibana_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | -| [random_string.kube_prometheus_stack_grafana_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | -| [random_string.victoria_metrics_k8s_stack_grafana_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | -| [aws_caller_identity.current](https://registry.terraform.io/providers/aws/3.64.2/docs/data-sources/caller_identity) | data source | -| [aws_eks_cluster.main](https://registry.terraform.io/providers/aws/3.64.2/docs/data-sources/eks_cluster) | data source | -| [aws_eks_cluster_auth.main](https://registry.terraform.io/providers/aws/3.64.2/docs/data-sources/eks_cluster_auth) | data source | -| [aws_secretsmanager_secret.infra](https://registry.terraform.io/providers/aws/3.64.2/docs/data-sources/secretsmanager_secret) | data source | -| [aws_secretsmanager_secret_version.infra](https://registry.terraform.io/providers/aws/3.64.2/docs/data-sources/secretsmanager_secret_version) | data source | -| 
[http_http.kube_prometheus_stack_operator_crds](https://registry.terraform.io/providers/hashicorp/http/2.1.0/docs/data-sources/http) | data source | -| [terraform_remote_state.layer1-aws](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/data-sources/remote_state) | data source | +| Name | Type | +|------|------| +| [aws_s3_bucket.elastic_stack](https://registry.terraform.io/providers/aws/3.72.0/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket.gitlab_runner_cache](https://registry.terraform.io/providers/aws/3.72.0/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket_public_access_block.elastic_stack_public_access_block](https://registry.terraform.io/providers/aws/3.72.0/docs/resources/s3_bucket_public_access_block) | resource | +| [aws_s3_bucket_public_access_block.gitlab_runner_cache_public_access_block](https://registry.terraform.io/providers/aws/3.72.0/docs/resources/s3_bucket_public_access_block) | resource | +| [helm_release.aws_loadbalancer_controller](https://registry.terraform.io/providers/helm/2.4.1/docs/resources/release) | resource | +| [helm_release.aws_node_termination_handler](https://registry.terraform.io/providers/helm/2.4.1/docs/resources/release) | resource | +| [helm_release.calico_daemonset](https://registry.terraform.io/providers/helm/2.4.1/docs/resources/release) | resource | +| [helm_release.cert_manager](https://registry.terraform.io/providers/helm/2.4.1/docs/resources/release) | resource | +| [helm_release.certificate](https://registry.terraform.io/providers/helm/2.4.1/docs/resources/release) | resource | +| [helm_release.cluster_autoscaler](https://registry.terraform.io/providers/helm/2.4.1/docs/resources/release) | resource | +| [helm_release.cluster_issuer](https://registry.terraform.io/providers/helm/2.4.1/docs/resources/release) | resource | +| [helm_release.elk](https://registry.terraform.io/providers/helm/2.4.1/docs/resources/release) | resource | +| 
[helm_release.external_dns](https://registry.terraform.io/providers/helm/2.4.1/docs/resources/release) | resource | +| [helm_release.external_secrets](https://registry.terraform.io/providers/helm/2.4.1/docs/resources/release) | resource | +| [helm_release.gitlab_runner](https://registry.terraform.io/providers/helm/2.4.1/docs/resources/release) | resource | +| [helm_release.ingress_nginx](https://registry.terraform.io/providers/helm/2.4.1/docs/resources/release) | resource | +| [helm_release.istio_base](https://registry.terraform.io/providers/helm/2.4.1/docs/resources/release) | resource | +| [helm_release.istiod](https://registry.terraform.io/providers/helm/2.4.1/docs/resources/release) | resource | +| [helm_release.kedacore](https://registry.terraform.io/providers/helm/2.4.1/docs/resources/release) | resource | +| [helm_release.kiali](https://registry.terraform.io/providers/helm/2.4.1/docs/resources/release) | resource | +| [helm_release.loki_stack](https://registry.terraform.io/providers/helm/2.4.1/docs/resources/release) | resource | +| [helm_release.prometheus_operator](https://registry.terraform.io/providers/helm/2.4.1/docs/resources/release) | resource | +| [helm_release.reloader](https://registry.terraform.io/providers/helm/2.4.1/docs/resources/release) | resource | +| [helm_release.victoria_metrics_k8s_stack](https://registry.terraform.io/providers/helm/2.4.1/docs/resources/release) | resource | +| [kubectl_manifest.istio_prometheus_service_monitor_cp](https://registry.terraform.io/providers/gavinbunney/kubectl/1.13.1/docs/resources/manifest) | resource | +| [kubectl_manifest.istio_prometheus_service_monitor_dp](https://registry.terraform.io/providers/gavinbunney/kubectl/1.13.1/docs/resources/manifest) | resource | +| [kubectl_manifest.kube_prometheus_stack_operator_crds](https://registry.terraform.io/providers/gavinbunney/kubectl/1.13.1/docs/resources/manifest) | resource | +| 
[kubernetes_secret.elasticsearch_certificates](https://registry.terraform.io/providers/kubernetes/2.6.1/docs/resources/secret) | resource | +| [kubernetes_secret.elasticsearch_credentials](https://registry.terraform.io/providers/kubernetes/2.6.1/docs/resources/secret) | resource | +| [kubernetes_secret.elasticsearch_s3_user_creds](https://registry.terraform.io/providers/kubernetes/2.6.1/docs/resources/secret) | resource | +| [kubernetes_secret.kibana_enc_key](https://registry.terraform.io/providers/kubernetes/2.6.1/docs/resources/secret) | resource | +| [kubernetes_storage_class.advanced](https://registry.terraform.io/providers/kubernetes/2.6.1/docs/resources/storage_class) | resource | +| [random_string.elasticsearch_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | +| [random_string.kibana_enc_key](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | +| [random_string.kibana_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | +| [random_string.kube_prometheus_stack_grafana_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | +| [random_string.victoria_metrics_k8s_stack_grafana_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | +| [aws_caller_identity.current](https://registry.terraform.io/providers/aws/3.72.0/docs/data-sources/caller_identity) | data source | +| [aws_eks_cluster.main](https://registry.terraform.io/providers/aws/3.72.0/docs/data-sources/eks_cluster) | data source | +| [aws_eks_cluster_auth.main](https://registry.terraform.io/providers/aws/3.72.0/docs/data-sources/eks_cluster_auth) | data source | +| [aws_secretsmanager_secret.infra](https://registry.terraform.io/providers/aws/3.72.0/docs/data-sources/secretsmanager_secret) | data source | +| 
[aws_secretsmanager_secret_version.infra](https://registry.terraform.io/providers/aws/3.72.0/docs/data-sources/secretsmanager_secret_version) | data source | +| [http_http.kube_prometheus_stack_operator_crds](https://registry.terraform.io/providers/hashicorp/http/2.1.0/docs/data-sources/http) | data source | +| [terraform_remote_state.layer1-aws](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/data-sources/remote_state) | data source | ## Inputs -| Name | Description | Type | Default | Required | -| ---------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------- | ----------- | -------------- | :------: | -| [additional\_allowed\_ips](#input\_additional\_allowed\_ips) | IP addresses allowed to connect to private resources | `list(any)` | `[]` | no | -| [allowed\_account\_ids](#input\_allowed\_account\_ids) | List of allowed AWS account IDs | `list` | `[]` | no | -| [cluster\_autoscaler\_version](#input\_cluster\_autoscaler\_version) | Version of cluster autoscaler | `string` | `"v1.21.0"` | no | -| [helm\_release\_history\_size](#input\_helm\_release\_history\_size) | How much helm releases to store | `number` | `5` | no | -| [nginx\_ingress\_ssl\_terminator](#input\_nginx\_ingress\_ssl\_terminator) | Select SSL termination type | `string` | `"lb"` | no | -| [region](#input\_region) | Default infrastructure region | `string` | `"us-east-1"` | no | -| [remote\_state\_bucket](#input\_remote\_state\_bucket) | Name of the bucket for terraform state | `string` | n/a | yes | -| [remote\_state\_key](#input\_remote\_state\_key) | Key of the remote state for terraform\_remote\_state | `string` | `"layer1-aws"` | no | +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [additional\_allowed\_ips](#input\_additional\_allowed\_ips) | IP addresses allowed to connect to private resources 
| `list(any)` | `[]` | no | +| [allowed\_account\_ids](#input\_allowed\_account\_ids) | List of allowed AWS account IDs | `list` | `[]` | no | +| [cluster\_autoscaler\_version](#input\_cluster\_autoscaler\_version) | Version of cluster autoscaler | `string` | `"v1.21.0"` | no | +| [helm\_release\_history\_size](#input\_helm\_release\_history\_size) | How much helm releases to store | `number` | `5` | no | +| [nginx\_ingress\_ssl\_terminator](#input\_nginx\_ingress\_ssl\_terminator) | Select SSL termination type | `string` | `"lb"` | no | +| [region](#input\_region) | Default infrastructure region | `string` | `"us-east-1"` | no | +| [remote\_state\_bucket](#input\_remote\_state\_bucket) | Name of the bucket for terraform state | `string` | n/a | yes | +| [remote\_state\_key](#input\_remote\_state\_key) | Key of the remote state for terraform\_remote\_state | `string` | `"layer1-aws"` | no | ## Outputs -| Name | Description | -| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------- | -| [apm\_domain\_name](#output\_apm\_domain\_name) | APM domain name | -| [elastic\_stack\_bucket\_name](#output\_elastic\_stack\_bucket\_name) | Name of the bucket for ELKS snapshots | -| [elasticsearch\_elastic\_password](#output\_elasticsearch\_elastic\_password) | Password of the superuser 'elastic' | -| [gitlab\_runner\_cache\_bucket\_name](#output\_gitlab\_runner\_cache\_bucket\_name) | Name of the s3 bucket for gitlab-runner cache | -| [kibana\_domain\_name](#output\_kibana\_domain\_name) | Kibana dashboards address | -| [kube\_prometheus\_stack\_alertmanager\_domain\_name](#output\_kube\_prometheus\_stack\_alertmanager\_domain\_name) | Alertmanager ui address | -| 
[kube\_prometheus\_stack\_get\_grafana\_admin\_password](#output\_kube\_prometheus\_stack\_get\_grafana\_admin\_password) | Command which gets admin password from kubernetes secret | -| [kube\_prometheus\_stack\_grafana\_admin\_password](#output\_kube\_prometheus\_stack\_grafana\_admin\_password) | Grafana admin password | -| [kube\_prometheus\_stack\_grafana\_domain\_name](#output\_kube\_prometheus\_stack\_grafana\_domain\_name) | Grafana dashboards address | -| [kube\_prometheus\_stack\_prometheus\_domain\_name](#output\_kube\_prometheus\_stack\_prometheus\_domain\_name) | Prometheus ui address | +| Name | Description | +|------|-------------| +| [apm\_domain\_name](#output\_apm\_domain\_name) | APM domain name | +| [elastic\_stack\_bucket\_name](#output\_elastic\_stack\_bucket\_name) | Name of the bucket for ELKS snapshots | +| [elasticsearch\_elastic\_password](#output\_elasticsearch\_elastic\_password) | Password of the superuser 'elastic' | +| [gitlab\_runner\_cache\_bucket\_name](#output\_gitlab\_runner\_cache\_bucket\_name) | Name of the s3 bucket for gitlab-runner cache | +| [kibana\_domain\_name](#output\_kibana\_domain\_name) | Kibana dashboards address | +| [kube\_prometheus\_stack\_alertmanager\_domain\_name](#output\_kube\_prometheus\_stack\_alertmanager\_domain\_name) | Alertmanager ui address | +| [kube\_prometheus\_stack\_get\_grafana\_admin\_password](#output\_kube\_prometheus\_stack\_get\_grafana\_admin\_password) | Command which gets admin password from kubernetes secret | +| [kube\_prometheus\_stack\_grafana\_admin\_password](#output\_kube\_prometheus\_stack\_grafana\_admin\_password) | Grafana admin password | +| [kube\_prometheus\_stack\_grafana\_domain\_name](#output\_kube\_prometheus\_stack\_grafana\_domain\_name) | Grafana dashboards address | +| [kube\_prometheus\_stack\_prometheus\_domain\_name](#output\_kube\_prometheus\_stack\_prometheus\_domain\_name) | Prometheus ui address | | 
[victoria\_metrics\_k8s\_stack\_get\_grafana\_admin\_password](#output\_victoria\_metrics\_k8s\_stack\_get\_grafana\_admin\_password) | Command which gets admin password from kubernetes secret |
-| [victoria\_metrics\_k8s\_stack\_grafana\_admin\_password](#output\_victoria\_metrics\_k8s\_stack\_grafana\_admin\_password) | Grafana admin password |
-| [victoria\_metrics\_k8s\_stack\_grafana\_domain\_name](#output\_victoria\_metrics\_k8s\_stack\_grafana\_domain\_name) | Grafana dashboards address |
+| [victoria\_metrics\_k8s\_stack\_grafana\_admin\_password](#output\_victoria\_metrics\_k8s\_stack\_grafana\_admin\_password) | Grafana admin password |
+| [victoria\_metrics\_k8s\_stack\_grafana\_domain\_name](#output\_victoria\_metrics\_k8s\_stack\_grafana\_domain\_name) | Grafana dashboards address |
\ No newline at end of file
diff --git a/terraform/layer2-k8s/main.tf b/terraform/layer2-k8s/main.tf
index eeba7fd6..31fca0c0 100644
--- a/terraform/layer2-k8s/main.tf
+++ b/terraform/layer2-k8s/main.tf
@@ -4,7 +4,7 @@ terraform {
 required_providers {
 aws = {
 source = "aws"
- version = "3.64.2"
+ version = "3.72.0"
 }
 kubernetes = {
 source = "kubernetes"