diff --git a/terraform/layer1-aws/aws-eks.tf b/terraform/layer1-aws/aws-eks.tf
index 5e0e47a8..3b204137 100644
--- a/terraform/layer1-aws/aws-eks.tf
+++ b/terraform/layer1-aws/aws-eks.tf
@@ -1,3 +1,28 @@
+locals {
+ eks_map_roles = concat(var.eks_map_roles,
+ [
+ {
+ rolearn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/administrator"
+ username = "administrator"
+ groups = [
+ "system:masters"]
+ }]
+ )
+
+ worker_tags = [
+ {
+ "key" = "k8s.io/cluster-autoscaler/enabled"
+ "propagate_at_launch" = "false"
+ "value" = "true"
+ },
+ {
+ "key" = "k8s.io/cluster-autoscaler/${local.name}"
+ "propagate_at_launch" = "false"
+ "value" = "true"
+ }
+ ]
+}
+
 module "eks" {
 source = "terraform-aws-modules/eks/aws"
 version = "17.1.0"
@@ -7,6 +32,9 @@ module "eks" {
 subnets = module.vpc.intra_subnets
 enable_irsa = true
+ cluster_enabled_log_types = var.eks_cluster_enabled_log_types
+ cluster_log_retention_in_days = var.eks_cluster_log_retention_in_days
+
 tags = {
 ClusterName = local.name
 Environment = local.env
@@ -33,18 +61,8 @@ module "eks" {
 kubelet_extra_args = "--node-labels=node.kubernetes.io/lifecycle=spot"
 public_ip = false
 additional_userdata = file("${path.module}/templates/eks-x86-nodes-userdata.sh")
- tags = [
- {
- "key" = "k8s.io/cluster-autoscaler/enabled"
- "propagate_at_launch" = "false"
- "value" = "true"
- },
- {
- "key" = "k8s.io/cluster-autoscaler/${local.name}"
- "propagate_at_launch" = "false"
- "value" = "true"
- }
- ]
+
+ tags = local.worker_tags
 },
 {
 name = "ondemand"
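Review bot: The `eks_map_roles` local carried over in the first hunk still appends the account's `administrator` IAM role to `system:masters`, and because the block was only moved from locals.tf nothing in the hunk records why that role gets cluster-admin or that the role is expected to already exist (nothing in this diff creates it). A comment above the `concat(...)` would make the trust boundary explicit, e.g. `# Anyone who can assume role/administrator in this account is cluster-admin (system:masters); the role is not managed here.` The `worker_tags` local is likewise undocumented; a line such as `# Shared cluster-autoscaler discovery tags; propagate_at_launch is "false", so they stay on the ASG and are not copied to instances` would tell readers what every worker group now inherits.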
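Review bot: In the `@@ -7,6 +32,9` hunk, `cluster_enabled_log_types` is wired to a variable whose default in the variables.tf hunk is `["audit"]` only, so the `authenticator` stream — the EKS control-plane log that records how IAM principals are mapped to Kubernetes users and groups, which is what would show use of the `system:masters` mapping defined at the top of this file — stays off unless every caller overrides the default. If that is the intended baseline, a comment next to the new lines would save the next reader a trip to the docs, e.g. `# Default is the audit stream only; add "authenticator" to capture IAM-to-RBAC mapping decisions.` The `module "eks"` block starts and ends outside this hunk.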
@@ -56,18 +74,8 @@ module "eks" {
 kubelet_extra_args = "--node-labels=node.kubernetes.io/lifecycle=ondemand"
 public_ip = false
 additional_userdata = file("${path.module}/templates/eks-x86-nodes-userdata.sh")
- tags = [
- {
- "key" = "k8s.io/cluster-autoscaler/enabled"
- "propagate_at_launch" = "true"
- "value" = "true"
- },
- {
- "key" = "k8s.io/cluster-autoscaler/${local.name}"
- "propagate_at_launch" = "true"
- "value" = "true"
- }
- ]
+
+ tags = local.worker_tags
 },
 {
 name = "ci"
@@ -81,27 +89,33 @@ module "eks" {
 kubelet_extra_args = "--node-labels=node.kubernetes.io/lifecycle=spot --node-labels=purpose=ci --register-with-taints=purpose=ci:NoSchedule"
 public_ip = true
 additional_userdata = file("${path.module}/templates/eks-x86-nodes-userdata.sh")
- tags = [
- {
- "key" = "k8s.io/cluster-autoscaler/enabled"
- "propagate_at_launch" = "false"
- "value" = "true"
- },
- {
- "key" = "k8s.io/cluster-autoscaler/${local.name}"
- "propagate_at_launch" = "false"
- "value" = "true"
- },
+
+ tags = concat(local.worker_tags, [{
+ "key" = "k8s.io/cluster-autoscaler/node-template/label/purpose"
+ "propagate_at_launch" = "true"
+ "value" = "ci"
+ }])
+ },
+ ]
+
+ fargate_profiles = {
+ default = {
+ name = "fargate"
+
+ selectors = [
 {
- "key" = "k8s.io/cluster-autoscaler/node-template/label/purpose"
- "propagate_at_launch" = "true"
- "value" = "ci"
+ namespace = "fargate"
 }
 ]
- },
- ]
- map_roles = local.eks_map_roles
+ subnets = module.vpc.private_subnets
+
+ tags = merge(local.tags, {
+ Namespace = "fargate"
+ })
+ }
+ }
+ map_roles = local.eks_map_roles
 write_kubeconfig = var.eks_write_kubeconfig
 }
diff --git a/terraform/layer1-aws/aws-vpc.tf b/terraform/layer1-aws/aws-vpc.tf
index 0f00bf1e..fdf9478b 100644
--- a/terraform/layer1-aws/aws-vpc.tf
+++ b/terraform/layer1-aws/aws-vpc.tf
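Review bot: Switching the ondemand group to `local.worker_tags` changes its `propagate_at_launch` from `"true"` (the removed lines in this hunk) to `"false"`, so the two cluster-autoscaler tags will no longer be copied onto the on-demand instances; the spot and ci groups already used `"false"`, so this is probably intentional, but the commit does not say so and the value is a silent side effect of the shared local. If it is intended, a one-line comment on `tags = local.worker_tags` such as `# Previously propagate_at_launch = "true" here; autoscaler auto-discovery reads the ASG tags, so instance tags are not needed` records the decision; if not, this group needs its own list with `"true"`. The enclosing `module "eks"` block starts and ends outside the hunk.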
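Review bot: The new `fargate_profiles.default` block in the `@@ -81,27 +89,33` hunk references `local.tags`, which none of the locals hunks in this diff define (locals.tf shows `env`, `short_region`, `name`, `ssl_certificate_arn`, `zone_id`), so it either exists outside the visible hunks or `terraform validate` will reject it — worth confirming before merge. The selector is `namespace = "fargate"` with no `labels`, which means every pod created in that namespace is scheduled onto Fargate in `module.vpc.private_subnets`; a comment stating that the namespace is the opt-in boundary would help, e.g. `# Every pod in the "fargate" namespace runs on Fargate (no label selector); the namespace itself does not appear to be created in this diff.` The `module "eks"` block starts outside this hunk.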
@@ -1,12 +1,10 @@
 locals {
- cidr_subnets = [for cidr_block in cidrsubnets(var.cidr, 2, 2, 2, 2) : cidrsubnets(cidr_block, 4, 4, 4, 4)]
-
+ cidr_subnets = [for cidr_block in cidrsubnets(var.cidr, 2, 2, 2, 2) : cidrsubnets(cidr_block, 4, 4, 4, 4)]
 private_subnets = chunklist(local.cidr_subnets[0], var.az_count)[0]
 public_subnets = chunklist(local.cidr_subnets[1], var.az_count)[0]
 database_subnets = chunklist(local.cidr_subnets[2], var.az_count)[0]
 intra_subnets = chunklist(local.cidr_subnets[3], var.az_count)[0]
-
- azs = data.aws_availability_zones.available.names
+ azs = data.aws_availability_zones.available.names
 }
 module "vpc" {
@@ -79,5 +77,4 @@ module "vpc" {
 Name = "${local.name}-intra"
 destination = "intra"
 }
-
 }
diff --git a/terraform/layer1-aws/locals.tf b/terraform/layer1-aws/locals.tf
index 126b37bb..9717fbb3 100644
--- a/terraform/layer1-aws/locals.tf
+++ b/terraform/layer1-aws/locals.tf
@@ -1,5 +1,6 @@
 # Use this as name base for all resources:
 locals {
+ # COMMON
 env = terraform.workspace == "default" ? var.environment : terraform.workspace
 short_region = var.short_region[var.region]
 name = "${var.name}-${local.env}-${local.short_region}"
@@ -15,14 +16,4 @@ locals {
 ssl_certificate_arn = var.create_acm_certificate ? module.acm.this_acm_certificate_arn : data.aws_acm_certificate.main[0].arn
 zone_id = var.create_r53_zone ? keys(module.r53_zone.this_route53_zone_zone_id)[0] : (var.zone_id != null ? var.zone_id : data.aws_route53_zone.main[0].zone_id)
-
- eks_map_roles = concat(var.eks_map_roles,
- [
- {
- rolearn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/administrator"
- username = "administrator"
- groups = [
- "system:masters"]
- }]
- )
 }
diff --git a/terraform/layer1-aws/variables.tf b/terraform/layer1-aws/variables.tf
index 266efd4b..7e7957ce 100644
--- a/terraform/layer1-aws/variables.tf
+++ b/terraform/layer1-aws/variables.tf
@@ -69,6 +69,7 @@ variable "region" {
 }
 variable "az_count" {
+ type = number
 description = "Count of avaiablity zones, min 2"
 default = 3
 }
@@ -136,6 +137,24 @@ variable "eks_write_kubeconfig" {
 description = "Flag for eks module to write kubeconfig"
 }
+variable "eks_cluster_enabled_log_types" {
+ type = list(string)
+ default = ["audit"]
+ description = "A list of the desired control plane logging to enable. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html). Possible values: api, audit, authenticator, controllerManager, scheduler"
+}
+
+variable "eks_cluster_log_retention_in_days" {
+ type = number
+ default = 90
+ description = "Number of days to retain log events. Default retention - 90 days."
+}
+
+variable "eks_cluster_encryption_config_enable" {
+ type = bool
+ default = false
+ description = "Enable or not encryption for k8s secrets with aws-kms"
+}
+
 # ECR
 variable "ecr_repos" {
 type = list(any)
@@ -144,12 +163,8 @@ variable "ecr_repos" {
 }
 variable "ecr_repo_retention_count" {
+ type = number
 default = 50
 description = "number of images to store in ECR"
 }
-variable "eks_cluster_encryption_config_enable" {
- type = bool
- default = false
- description = "Enable or not encryption for k8s secrets with aws-kms"
-}
diff --git a/terraform/layer2-k8s/templates/prometheus-values.tmpl b/terraform/layer2-k8s/templates/prometheus-values.tmpl
index c8eac4cd..4c1a216d 100644
--- a/terraform/layer2-k8s/templates/prometheus-values.tmpl
+++ b/terraform/layer2-k8s/templates/prometheus-values.tmpl
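Review bot: In the `@@ -136,6 +137,24` hunk, `eks_cluster_log_retention_in_days` is typed `number` with no further constraint, but CloudWatch Logs accepts only a fixed set of retention periods (90 is one of them), so a value such as 45 passes this module's interface and is only rejected later by the provider; at minimum the description should say that only the CloudWatch-supported retention periods are valid, and if the Terraform version in use supports `validation` blocks one would turn that into a plan-time error. The same applies to `eks_cluster_enabled_log_types`, whose description already enumerates the five permitted values — a `validation` block checking each element against that list would catch a typo such as `"authenticater"` before it silently disables a log stream. `eks_cluster_encryption_config_enable` is only moved in this file, and none of the aws-eks.tf hunks in this diff reference it, so it is worth confirming that it is consumed somewhere outside the visible hunks.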
@@ -127,7 +127,7 @@ grafana:
 logs:
 logs:
 ## Dashboard for quick search application logs for loki with two datasources loki and prometheus - https://grafana.com/grafana/dashboards/12019
- url: https://s3.amazonaws.com/grafana-dashboards.maddevs.org/common/aws-eks-base/loki-dashboard-quick-search.json
+ url: https://grafana-dashboards.maddevs.org/common/aws-eks-base/loki-dashboard-quick-search.json
 k8s:
 nginx-ingress: