diff --git a/.shared-tools b/.shared-tools
index bff6ffc..5296c68 160000
--- a/.shared-tools
+++ b/.shared-tools
@@ -1 +1 @@
-Subproject commit bff6ffc20b36d0ee4ce9dce68560e671e7065f2a
+Subproject commit 5296c68197ad5bf924fdd8220f032f1e260dc634
diff --git a/cik8s-cluster.tf b/cik8s-cluster.tf
index 69d429f..cc6af68 100644
--- a/cik8s-cluster.tf
+++ b/cik8s-cluster.tf
@@ -79,8 +79,7 @@ module "cik8s" {
 }
 # https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/CHANGELOG.md
 aws-ebs-csi-driver = {
- addon_version = "v1.28.0-eksbuild.1"
- service_account_role_arn = module.cik8s_irsa_ebs.iam_role_arn
+ addon_version = "v1.28.0-eksbuild.1"
 }
 }
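Review bot: Dropping `service_account_role_arn` from the aws-ebs-csi-driver addon leaves the driver's service account with no IAM role of its own, so the CSI controller will authenticate with whatever credentials the node role exposes through the instance metadata endpoint; the same applies to the eks-public addon hunk in eks-public-cluster.tf. Unless the node role already carries the EBS CSI permissions (or an EKS Pod Identity association is created outside this diff), volume provisioning will fail, and if it does carry them, every pod on the node inherits EC2 volume rights that the removed `cik8s_irsa_ebs` and `eks-public_irsa_ebs` roles used to scope to a single service account. Please state in a comment where the driver's credentials now come from, e.g. `# No IRSA role: the EBS CSI driver relies on <node role or pod identity — confirm> for EC2 volume permissions`. `aws_iam_policy.ebs_csi` is not touched by this diff; if it is defined in a file outside it, it is now unreferenced. The enclosing `module "cik8s"` block starts and ends outside the hunk.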
@@ -256,97 +255,6 @@ module "cik8s" {
 }
 }
-module "cik8s_iam_role_autoscaler" {
- source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
- version = "5.39.1"
- create_role = true
- role_name = "${local.autoscaler_account_name}-cik8s"
- provider_url = replace(module.cik8s.cluster_oidc_issuer_url, "https://", "")
- role_policy_arns = [aws_iam_policy.cluster_autoscaler_cik8s.arn]
- oidc_fully_qualified_subjects = ["system:serviceaccount:${local.autoscaler_account_namespace}:${local.autoscaler_account_name}"]
-
- tags = merge(local.common_tags, {
- associated_service = "eks/${module.cik8s.cluster_name}"
- })
-}
-
-module "cik8s_irsa_ebs" {
- source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
- version = "5.30.0"
- create_role = true
- role_name = "${local.ebs_account_name}-cik8s"
- provider_url = replace(module.cik8s.cluster_oidc_issuer_url, "https://", "")
- role_policy_arns = [aws_iam_policy.ebs_csi.arn]
- oidc_fully_qualified_subjects = ["system:serviceaccount:${local.ebs_account_namespace}:${local.ebs_account_name}"]
-
- tags = merge(local.common_tags, {
- associated_service = "eks/${module.cik8s.cluster_name}"
- })
-}
-
-# Configure the jenkins-infra/kubernetes-management admin service account
-module "cik8s_admin_sa" {
- providers = {
- kubernetes = kubernetes.cik8s
- }
- source = "./.shared-tools/terraform/modules/kubernetes-admin-sa"
- cluster_name = module.cik8s.cluster_name
- cluster_hostname = module.cik8s.cluster_endpoint
- cluster_ca_certificate_b64 = module.cik8s.cluster_certificate_authority_data
-}
-
-output "kubeconfig_cik8s" {
- sensitive = true
- value = module.cik8s_admin_sa.kubeconfig
-}
-
-data "aws_eks_cluster" "cik8s" {
- name = local.cik8s_cluster_name
-}
-
 data "aws_eks_cluster_auth" "cik8s" {
 name = local.cik8s_cluster_name
 }
-
-## No restriction on the resources: either managed outside terraform, or already scoped by conditions
-#trivy:ignore:aws-iam-no-policy-wildcards
-data 
"aws_iam_policy_document" "cluster_autoscaler_cik8s" {
- # Statements as per https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md#full-cluster-autoscaler-features-policy-recommended
- statement {
- sid = "unrestricted"
- effect = "Allow"
-
- actions = [
- "autoscaling:DescribeAutoScalingGroups",
- "autoscaling:DescribeAutoScalingInstances",
- "autoscaling:DescribeLaunchConfigurations",
- "autoscaling:DescribeScalingActivities",
- "autoscaling:DescribeTags",
- "ec2:DescribeInstanceTypes",
- "ec2:DescribeLaunchTemplateVersions"
- ]
-
- resources = ["*"]
- }
-
- statement {
- sid = "restricted"
- effect = "Allow"
-
- actions = [
- "autoscaling:SetDesiredCapacity",
- "autoscaling:TerminateInstanceInAutoScalingGroup",
- "ec2:DescribeImages",
- "ec2:GetInstanceTypesFromInstanceRequirements",
- "eks:DescribeNodegroup"
- ]
-
- resources = ["*"]
- }
-}
-
-resource "aws_iam_policy" "cluster_autoscaler_cik8s" {
- name_prefix = "cluster-autoscaler-cik8s"
- description = "EKS cluster-autoscaler policy for cluster ${module.cik8s.cluster_name}"
- policy = data.aws_iam_policy_document.cluster_autoscaler_cik8s.json
-}
diff --git a/eks-public-cluster.tf b/eks-public-cluster.tf
index e545275..d2d3f95 100644
--- a/eks-public-cluster.tf
+++ b/eks-public-cluster.tf
@@ -68,8 +68,7 @@ module "eks-public" {
 }
 # https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/CHANGELOG.md
 aws-ebs-csi-driver = {
- addon_version = "v1.28.0-eksbuild.1"
- service_account_role_arn = module.eks-public_irsa_ebs.iam_role_arn
+ addon_version = "v1.28.0-eksbuild.1"
 }
 }
@@ -108,175 +107,7 @@ module "eks-public" {
 ]
 }
-## No restriction on the resources: either managed outside terraform, or already scoped by conditions
-#trivy:ignore:aws-iam-no-policy-wildcards
-data "aws_iam_policy_document" "cluster_autoscaler_public" {
- statement {
- sid = "ec2"
- effect = "Allow"
-
- actions = [
- "ec2:DescribeLaunchTemplateVersions",
- "ec2:DescribeInstanceTypes",
- ]
-
- resources = ["*"]
- }
-
- statement {
- sid = "ec2AutoScaling"
- effect = "Allow"
-
- actions = [
- "autoscaling:DescribeAutoScalingGroups",
- "autoscaling:DescribeAutoScalingInstances",
- "autoscaling:DescribeLaunchConfigurations",
- "autoscaling:DescribeTags",
- ]
-
-
- resources = ["*"]
- }
-
- statement {
- sid = "clusterAutoscalerOwn"
- effect = "Allow"
-
- actions = [
- "autoscaling:SetDesiredCapacity",
- "autoscaling:TerminateInstanceInAutoScalingGroup",
- "autoscaling:UpdateAutoScalingGroup",
- ]
-
- resources = ["*"]
-
- condition {
- test = "StringEquals"
- variable = "autoscaling:ResourceTag/kubernetes.io/cluster/${module.eks-public.cluster_name}"
- values = ["owned"]
- }
-
- condition {
- test = "StringEquals"
- variable = "autoscaling:ResourceTag/k8s.io/cluster-autoscaler/enabled"
- values = ["true"]
- }
- }
-}
-
-resource "aws_iam_policy" "cluster_autoscaler_public" {
- name_prefix = "cluster-autoscaler-public"
- description = "EKS cluster-autoscaler policy for cluster ${local.public_cluster_name}"
- policy = data.aws_iam_policy_document.cluster_autoscaler_public.json
-}
-
-module "eks_iam_assumable_role_autoscaler_eks_public" {
- source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
- version = "5.39.1"
- create_role = true
- role_name = "${local.autoscaler_account_name}-eks-public"
- provider_url = replace(module.eks-public.cluster_oidc_issuer_url, "https://", "")
- role_policy_arns = [aws_iam_policy.cluster_autoscaler_public.arn]
- oidc_fully_qualified_subjects = 
["system:serviceaccount:${local.autoscaler_account_namespace}:${local.autoscaler_account_name}"]
-
- tags = merge(local.common_tags, {
- associated_service = "eks/${module.eks-public.cluster_name}"
- })
-}
-
-module "eks-public_irsa_nlb" {
- source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
- version = "5.30.0"
- create_role = true
- role_name = "${local.nlb_account_name}-eks-public"
- provider_url = replace(module.eks-public.cluster_oidc_issuer_url, "https://", "")
- role_policy_arns = [aws_iam_policy.cluster_nlb.arn]
- oidc_fully_qualified_subjects = ["system:serviceaccount:${local.nlb_account_namespace}:${local.nlb_account_name}"]
-
- tags = merge(local.common_tags, {
- associated_service = "eks/${module.eks-public.cluster_name}"
- })
-}
-
-module "eks-public_irsa_ebs" {
- source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
- version = "5.30.0"
- create_role = true
- role_name = "${local.ebs_account_name}-eks-public"
- provider_url = replace(module.eks-public.cluster_oidc_issuer_url, "https://", "")
- role_policy_arns = [aws_iam_policy.ebs_csi.arn]
- oidc_fully_qualified_audiences = ["sts.amazonaws.com"]
- oidc_fully_qualified_subjects = ["system:serviceaccount:${local.ebs_account_namespace}:${local.ebs_account_name}"]
-
- tags = merge(local.common_tags, {
- associated_service = "eks/${module.eks-public.cluster_name}"
- })
-}
-
-# Configure the jenkins-infra/kubernetes-management admin service account
-module "eks_public_admin_sa" {
- providers = {
- kubernetes = kubernetes.eks-public
- }
- source = "./.shared-tools/terraform/modules/kubernetes-admin-sa"
- cluster_name = module.eks-public.cluster_name
- cluster_hostname = module.eks-public.cluster_endpoint
- cluster_ca_certificate_b64 = module.eks-public.cluster_certificate_authority_data
-}
-
-output "kubeconfig_eks_public" {
- sensitive = true
- value = module.eks_public_admin_sa.kubeconfig
-}
-
 # Reference to allow configuration of the Terraform's 
kubernetes provider (in providers.tf)
 data "aws_eks_cluster_auth" "public-cluster" {
 name = module.eks-public.cluster_name
 }
-
-# Elastic IPs used for the Public Load Balancer (so that the addresses never change)
-resource "aws_eip" "lb_public" {
- count = length(module.vpc.public_subnets)
- domain = "vpc"
-
- tags = merge(local.common_tags, {
- "Name" = "eks-public-loadbalancer-external-${count.index}"
- })
-}
-
-# Custom Storage Classes to ensure that EBS PVC are bound to the correct availability zone
-resource "kubernetes_storage_class" "ebs_sc" {
- metadata {
- name = "ebs-sc"
- }
- storage_provisioner = "ebs.csi.aws.com"
- reclaim_policy = "Delete"
- volume_binding_mode = "WaitForFirstConsumer"
- allow_volume_expansion = true
- allowed_topologies {
- match_label_expressions {
- key = "topology.ebs.csi.aws.com/zone"
- values = ["us-east-2a"]
- }
- }
-
- provider = kubernetes.eks-public
-}
-
-resource "kubernetes_storage_class" "ebs_sc_retain" {
- metadata {
- name = "ebs-sc-retain"
- }
- storage_provisioner = "ebs.csi.aws.com"
- reclaim_policy = "Retain"
- volume_binding_mode = "WaitForFirstConsumer"
- allow_volume_expansion = true
- allowed_topologies {
- match_label_expressions {
- key = "topology.ebs.csi.aws.com/zone"
- values = ["us-east-2a"]
- }
- }
-
- provider = kubernetes.eks-public
-}
diff --git a/providers.tf b/providers.tf
index a0bfa9d..3de5b1b 100644
--- a/providers.tf
+++ b/providers.tf
@@ -20,7 +20,7 @@ provider "kubernetes" {
 provider "kubernetes" {
 alias = "cik8s"
- host = data.aws_eks_cluster.cik8s.endpoint
- cluster_ca_certificate = base64decode(data.aws_eks_cluster.cik8s.certificate_authority[0].data)
+ host = module.cik8s.cluster_endpoint
+ cluster_ca_certificate = base64decode(module.cik8s.cluster_certificate_authority_data)
 token = data.aws_eks_cluster_auth.cik8s.token
 }
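Review bot: The `kubernetes.cik8s` provider in providers.tf is now configured from `module.cik8s` outputs instead of the removed `aws_eks_cluster` data source, which ties the provider configuration to attributes that are unknown until the cluster exists; on a fresh apply or a cluster replacement Terraform cannot configure the provider, so any `kubernetes.cik8s` resource planned in the same run will fail. This appears to be the pattern the eks-public side already uses (`data "aws_eks_cluster_auth" "public-cluster"` reads `module.eks-public.cluster_name`), so it is consistent, but it deserves a comment on the `host` line, e.g. `# Configured from module outputs: the cik8s cluster must exist before anything using this provider is planned`. The `token` still comes from `data.aws_eks_cluster_auth.cik8s`, so no long-lived credential is introduced by this block.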