From 084da207b25c37c3ac06d54b7602abdd5893831c Mon Sep 17 00:00:00 2001 From: Geoff Squire Date: Mon, 1 May 2023 14:26:01 +1000 Subject: [PATCH 01/40] Node metadata (#293) * Pass node metadata options to EKS nodes * Fixed metadata_options block in EKS node templates * metadata_options var deafults to empty map * metadata_options var fixed type * Allow EBS volume encryption in odc_eks * Fixed odc_eks variables * Encrypt spot volumes in odc_eks * Validate node metadata_options * Fixed typo in metadata_options variable * Updated readme for odc_eks node options * terraform fmt updates --- odc_eks/README.md | 2 ++ odc_eks/main.tf | 3 +++ odc_eks/modules/eks/variables.tf | 11 +++++++++++ odc_eks/modules/eks/worker_image.tf | 18 ++++++++++++++++++ odc_eks/variables.tf | 18 ++++++++++++++++++ 5 files changed, 52 insertions(+) diff --git a/odc_eks/README.md b/odc_eks/README.md index c784a300..485103af 100644 --- a/odc_eks/README.md +++ b/odc_eks/README.md 
@@ -147,6 +147,7 @@ module "odc_eks" { | max_spot_price | The max in USD you want to pay for each spot instance per hour. Check market price for your instance type to set its value | string | "0.40" | No | | volume_size | The Disk size for your on-demand nodes. If you're getting pods evicted for ephemeral storage saving, you should increase this. | number | 20 | No | | volume_type | Override EBS volume type for your root ebs volume e.g. gp2, gp3. If not provided, defaults to GP2 in all regions. | string | "" | No | +| volume_encrypted | Whether to encrypt the root EBS volume for nodes. Falls back on AWS EC2 default if not provided. | bool | null | No | | spot_volume_size | The Disk size for your spot nodes. If you're getting pods evicted for ephemeral storage saving, you should increase this. | number | 20 | No | | extra_kubelet_args | Additional kubelet command-line arguments | string | "--arg1=value --arg2" | No | | extra_bootstrap_args | Additional bootstrap command-line arguments | string | "--arg1 value --arg2=value --arg3" | No | @@ -155,6 +156,7 @@ module "odc_eks" { | enabled_cluster_log_types | List of the desired control plane logging to enable, defaults to none | list(string) | [] | No | | enable_custom_cluster_log_group | Create a custom CloudWatch Log Group for the cluster. If you supply `enabled_cluster_log_types` but leave this false, EKS will create a log group automatically with default retention values. | bool | false | No | | log_retention_period | Specifies the number of days to retain cluster log event in CloudWatch, if enabled by `enable_custom_cluster_log_group` | number | 30 | No | +| metadata_options | Metadata options for the EKS node launch templates. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template#metadata-options. | map(any) | {} | No | ### Outputs | Name | Description | Sensitive | diff --git a/odc_eks/main.tf b/odc_eks/main.tf index bd03798c..f56b24dd 100644 --- a/odc_eks/main.tf 
+++ b/odc_eks/main.tf @@ -98,6 +98,7 @@ module "eks" { extra_kubelet_args = var.extra_kubelet_args extra_bootstrap_args = var.extra_bootstrap_args extra_userdata = var.extra_userdata + volume_encrypted = var.volume_encrypted volume_size = var.volume_size volume_type = var.volume_type spot_volume_size = var.spot_volume_size @@ -109,4 +110,6 @@ module "eks" { tags = var.tags node_extra_tags = var.node_extra_tags + + metadata_options = var.metadata_options } diff --git a/odc_eks/modules/eks/variables.tf b/odc_eks/modules/eks/variables.tf index 9ab9bcee..cf042846 100644 --- a/odc_eks/modules/eks/variables.tf +++ b/odc_eks/modules/eks/variables.tf @@ -80,6 +80,11 @@ variable "max_spot_price" { default = "0.40" } +variable "volume_encrypted" { + default = null + type = bool +} + variable "volume_size" { default = 20 } @@ -168,3 +173,9 @@ variable "node_extra_tags" { description = "Additional tags for EKS nodes (e.g. `map('StackName','XYZ')`" default = {} } + +variable "metadata_options" { + description = "Metadata options for the EKS node launch templates. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template#metadata-options" + type = map(any) + default = {} +} \ No newline at end of file diff --git a/odc_eks/modules/eks/worker_image.tf b/odc_eks/modules/eks/worker_image.tf index 88874a03..9fce01b7 100644 --- a/odc_eks/modules/eks/worker_image.tf +++ b/odc_eks/modules/eks/worker_image.tf 
@@ -51,6 +51,14 @@ resource "aws_launch_template" "node" { user_data = base64encode(local.eks-node-userdata) instance_type = var.default_worker_instance_type + metadata_options { + http_endpoint = lookup(var.metadata_options, "http_endpoint", null) + http_tokens = lookup(var.metadata_options, "http_tokens", null) + http_put_response_hop_limit = lookup(var.metadata_options, "http_put_response_hop_limit", null) + http_protocol_ipv6 = lookup(var.metadata_options, "http_protocol_ipv6", null) + instance_metadata_tags = lookup(var.metadata_options, "instance_metadata_tags", null) + } + iam_instance_profile { name = aws_iam_instance_profile.eks_node.id } @@ -68,6 +76,7 @@ resource "aws_launch_template" "node" { block_device_mappings { device_name = "/dev/xvda" ebs { + encrypted = var.volume_encrypted != null ? var.volume_encrypted : null volume_size = var.volume_size volume_type = var.volume_type != "" ? var.volume_type : null } @@ -82,6 +91,14 @@ resource "aws_launch_template" "spot" { user_data = base64encode(local.eks-spot-userdata) instance_type = var.default_worker_instance_type + metadata_options { + http_endpoint = lookup(var.metadata_options, "http_endpoint", null) + http_tokens = lookup(var.metadata_options, "http_tokens", null) + http_put_response_hop_limit = lookup(var.metadata_options, "http_put_response_hop_limit", null) + http_protocol_ipv6 = lookup(var.metadata_options, "http_protocol_ipv6", null) + instance_metadata_tags = lookup(var.metadata_options, "instance_metadata_tags", null) + } + iam_instance_profile { name = aws_iam_instance_profile.eks_node.id } @@ -106,6 +123,7 @@ resource "aws_launch_template" "spot" { block_device_mappings { device_name = "/dev/xvda" ebs { + encrypted = var.volume_encrypted != null ? var.volume_encrypted : null volume_size = var.spot_volume_size volume_type = var.volume_type != "" ? var.volume_type : null } diff --git a/odc_eks/variables.tf b/odc_eks/variables.tf index a6338d1f..7613454a 100644 --- a/odc_eks/variables.tf 
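Review bot: The new `metadata_options` blocks default every field to null, so with the module's default empty map the nodes keep the AWS defaults (IMDSv1 still accepted, hop limit at the AWS default) and nothing in the template says so; suggest a comment above each block such as `# All fields fall back to AWS behaviour; pass http_tokens = "required" and http_put_response_hop_limit = 1 to limit IMDS to the node itself.` Note that the userdata earlier in this file (visible in a later hunk of this series) reads instance-id and ami-id with plain IMDSv1 `curl` calls, so a consumer who sets `http_tokens = "required"` will get empty node labels unless that script is switched to the token-based IMDSv2 flow. The `encrypted = var.volume_encrypted != null ? var.volume_encrypted : null` ternary is a no-op and reads better as `encrypted = var.volume_encrypted`. Both points apply equally to the `spot` template hunks on this line.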
+++ b/odc_eks/variables.tf @@ -225,6 +225,12 @@ variable "max_spot_price" { type = string } +variable "volume_encrypted" { + default = null + type = bool + description = "Whether to encrypt the root EBS volume." +} + variable "volume_size" { default = 20 type = number @@ -291,3 +297,15 @@ variable "log_retention_period" { description = "Retention period in days of enabled EKS cluster logs" default = 30 } + +variable "metadata_options" { + description = "Metadata options for the EKS node launch templates. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template#metadata-options" + type = map(any) + default = {} + + # If http_tokens is required then http_endpoint must be enabled. + validation { + condition = lookup(var.metadata_options, "http_tokens", null) != "required" || lookup(var.metadata_options, "http_endpoint", null) == "enabled" + error_message = "If http_tokens is required for nodes then http_endpoint must be enabled." + } +} \ No newline at end of file From 3847e15e10ec7cc73647e5686a6d1001519fbf6a Mon Sep 17 00:00:00 2001 From: lbodor Date: Thu, 7 Sep 2023 22:10:30 +1000 Subject: [PATCH 02/40] Updates for AWS provider v5 Clients will need to update their Terraform state manually using the following commands: ```bash terraform state rm module.odc_eks.module.vpc[0].aws_vpc_endpoint_route_table_association.private_s3 terraform state rm module.odc_eks.module.vpc[0].aws_vpc_endpoint_route_table_association.public_s3 ``` See Terraform AWS VPC module upgrade instructions at https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/fbd4ff646b4caaa6fcc1fb71bc88d377cc8b3b48/UPGRADE-3.0.md?plain=1#L25. --- CHANGELOG.md | 13 +++++++++++- odc_eks/main.tf | 54 +++++++++++++++++++++++++++++++++++++++---------- odc_eks/waf.tf | 6 +++--- 3 files changed, 58 insertions(+), 15 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 46ee18a6..62a368a4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
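Review bot: The validation rejects the most common hardening input, `metadata_options = { http_tokens = "required" }`, because `lookup(var.metadata_options, "http_endpoint", null)` yields null rather than "enabled" when the caller leaves the endpoint at its provider default (which is enabled). Changing the second operand to `lookup(var.metadata_options, "http_endpoint", "enabled") == "enabled"` keeps the intent (an explicitly disabled endpoint with required tokens is still refused) without forcing callers to restate the default. The `volume_encrypted` variable here carries a description while its twin in odc_eks/modules/eks/variables.tf (earlier hunk) has none; copying the description down keeps the inner module self-documenting.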
@@ -1,3 +1,14 @@ +# master + +* The update to the version of Terraform AWS VPC module will require the following manual edits to the state file: + +```bash +terraform state rm module.odc_eks.module.vpc[0].aws_vpc_endpoint_route_table_association.private_s3 +terraform state rm module.odc_eks.module.vpc[0].aws_vpc_endpoint_route_table_association.public_s3 +``` + +See Terraform AWS VPC module upgrade instructions at https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/fbd4ff646b4caaa6fcc1fb71bc88d377cc8b3b48/UPGRADE-3.0.md?plain=1#L25. + # v1.10.0 odc_eks - Optional vpc creation update procedure Making VPC creation optional has added a `count` to the `module.odc_eks.module.vpc` resource path. @@ -50,4 +61,4 @@ terraform state mv module.odc_eks.module.vpc.aws_vpc_endpoint_route_table_associ terraform state mv module.odc_eks.module.vpc.aws_vpc_endpoint_route_table_association.private_s3[1] module.odc_eks.module.vpc[0].aws_vpc_endpoint_route_table_association.private_s3[1] terraform state mv module.odc_eks.module.vpc.aws_vpc_endpoint_route_table_association.private_s3[2] module.odc_eks.module.vpc[0].aws_vpc_endpoint_route_table_association.private_s3[2] terraform state mv module.odc_eks.module.vpc.aws_vpc_endpoint_route_table_association.public_s3[0] module.odc_eks.module.vpc[0].aws_vpc_endpoint_route_table_association.public_s3[0] -``` \ No newline at end of file +``` diff --git a/odc_eks/main.tf b/odc_eks/main.tf index f56b24dd..2896c02d 100644 --- a/odc_eks/main.tf +++ b/odc_eks/main.tf 
@@ -13,10 +13,20 @@ module "odc_eks_label" { locals { cluster_id = (var.cluster_id != "") ? var.cluster_id : module.odc_eks_label.id + + tags = merge( + { + Name = "${local.cluster_id}-vpc" + owner = var.owner + namespace = var.namespace + environment = var.environment + }, + var.tags + ) } module "vpc" { - source = "git::https://github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v2.70.0" + source = "git::https://github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v5.1.1" count = var.create_vpc ? 1 : 0 @@ -53,17 +63,39 @@ module "vpc" { enable_nat_gateway = var.enable_nat_gateway create_igw = var.create_igw create_database_subnet_group = true - enable_s3_endpoint = var.enable_s3_endpoint - tags = merge( - { - Name = "${local.cluster_id}-vpc" - owner = var.owner - namespace = var.namespace - environment = var.environment - }, - var.tags - ) + manage_default_security_group = false + manage_default_network_acl = false + manage_default_route_table = false + + tags = local.tags +} + +moved { + from = module.vpc[0].aws_vpc_endpoint.s3[0] + to = module.vpc_endpoints[0].aws_vpc_endpoint.this["s3"] +} + +module "vpc_endpoints" { + source = "git::https://github.com/terraform-aws-modules/terraform-aws-vpc.git//modules/vpc-endpoints?ref=v5.1.1" + count = var.create_vpc && var.enable_s3_endpoint ? 1 : 0 + + vpc_id = module.vpc[0].vpc_id + security_group_ids = [ module.vpc[0].default_security_group_id ] + + endpoints = { + s3 = { + service = "s3" + service_type = "Gateway" + + route_table_ids = flatten([ + module.vpc[0].private_route_table_ids, + module.vpc[0].public_route_table_ids + ]) + + tags = local.tags + } + } } # Creates network and Kuberenetes master nodes diff --git a/odc_eks/waf.tf b/odc_eks/waf.tf index ab08cddd..151e23b0 100644 --- a/odc_eks/waf.tf +++ b/odc_eks/waf.tf 
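Review bot: `manage_default_security_group`, `manage_default_network_acl` and `manage_default_route_table` are set to false without a comment; as far as I recall the v5 module defaults these to true, under which it adopts those default objects and strips their rules, so turning them off leaves the AWS-created default security group (allow-all ingress from itself, allow-all egress) untouched, and that same group is then handed to `vpc_endpoints` via `security_group_ids`. If the intent is to avoid adopting pre-existing default resources on upgrade, record it: `# Default SG/NACL/route table are left unmanaged to avoid adopting existing resources; they keep the AWS default rules.` Separately, security groups apply only to Interface endpoints, so `security_group_ids` should have no effect on the S3 Gateway endpoint declared here and could be dropped rather than imply the endpoint is filtered.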
@@ -429,8 +429,8 @@ resource "aws_kinesis_firehose_delivery_stream" "waf_delivery_stream" { role_arn = aws_iam_role.waf_firehose_role[0].arn bucket_arn = data.aws_s3_bucket.waf_log_bucket[0].arn - buffer_size = var.waf_firehose_buffer_size - buffer_interval = var.waf_firehose_buffer_interval + buffering_size = var.waf_firehose_buffer_size + buffering_interval = var.waf_firehose_buffer_interval prefix = "logs/year=!{timestamp:yyyy}/month=!{timestamp:MM}/day=!{timestamp:dd}/hour=!{timestamp:HH}/" error_output_prefix = "errors/year=!{timestamp:yyyy}/month=!{timestamp:MM}/day=!{timestamp:dd}/hour=!{timestamp:HH}/!{firehose:error-output-type}" @@ -518,4 +518,4 @@ resource "aws_wafregional_web_acl_association" "alb" { resource_arn = "arn:aws:elasticloadbalancing:ap-southeast-1::loadbalancer/app//" # ARN of the ALB web_acl_id = "${aws_wafregional_web_acl.waf_webacl.id}" } -*/ \ No newline at end of file +*/ From d7f881b8b68f2206d6ca702189f4788352863b10 Mon Sep 17 00:00:00 2001 From: lars-fillmore <97861771+lars-fillmore@users.noreply.github.com> Date: Wed, 24 Apr 2024 01:07:58 +0000 Subject: [PATCH 03/40] Update iam role to include ecr pull through cache permissions --- odc_eks/modules/eks/worker_policy.tf | 30 ++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/odc_eks/modules/eks/worker_policy.tf b/odc_eks/modules/eks/worker_policy.tf index 3a480909..0c1585ec 100644 --- a/odc_eks/modules/eks/worker_policy.tf +++ b/odc_eks/modules/eks/worker_policy.tf 
@@ -49,11 +49,41 @@ resource "aws_iam_policy" "eks_kube2iam" { } +resource "aws_iam_policy" "ecr_pullthrough_cache" { + name = "${var.cluster_id}-ecr-pull-through-cache" + path = "/" + description = "Enables cluster to use ecr pull-through cache" + + policy = <<-EOF + { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "ecr:BatchImportUpstreamImage", + "ecr:CreateRepository", + "ecr:TagResource", + "ecr:CreatePullThroughCacheRule" + ], + "Effect": "Allow", + "Resource": "*" + } + ] + } + EOF + +} + resource "aws_iam_role_policy_attachment" "eks_node_kube2iam" { policy_arn = aws_iam_policy.eks_kube2iam.arn role = aws_iam_role.eks_node.name } +resource "aws_iam_role_policy_attachment" "eks_node_pullthrough" { + policy_arn = aws_iam_policy.ecr_pullthrough_cache.arn + role = aws_iam_role.eks_node.name +} + resource "aws_iam_role_policy_attachment" "eks_node_AmazonEKSWorkerNodePolicy" { policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy" role = aws_iam_role.eks_node.name From 40a9c1ad44d78a9ce98582da407116f7239c9859 Mon Sep 17 00:00:00 2001 From: lars-fillmore <97861771+lars-fillmore@users.noreply.github.com> Date: Wed, 24 Apr 2024 01:55:28 +0000 Subject: [PATCH 04/40] Create enable flag to turn on/off additional node permissions --- odc_eks/modules/eks/variables.tf | 6 ++++++ odc_eks/modules/eks/worker_policy.tf | 4 +++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/odc_eks/modules/eks/variables.tf b/odc_eks/modules/eks/variables.tf index cf042846..568b4bce 100644 --- a/odc_eks/modules/eks/variables.tf +++ b/odc_eks/modules/eks/variables.tf 
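Review bot: The new `ecr_pullthrough_cache` policy grants `ecr:CreateRepository`, `ecr:CreatePullThroughCacheRule` and `ecr:TagResource` on `"Resource": "*"` to the node instance role, so any workload that can reach the instance credentials can create arbitrary repositories and cache rules in the account, not merely pull through the configured cache. `ecr:CreatePullThroughCacheRule` is a one-off account-level setup action that does not belong on nodes, and the repository actions can be scoped to the cache prefix, e.g. `"Resource": "arn:aws:ecr:<REGION>:<ACCOUNT_ID>:repository/<CACHE_PREFIX>/*"` (placeholders). A short comment stating why nodes need `ecr:CreateRepository` at all (the first pull through a cache rule creates the repository) would help the next reviewer judge the grant.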
@@ -138,6 +138,12 @@ variable "log_retention_period" { default = 30 } +variable "enable_ecr_pullthough_cache_permissions" { + type = bool + description = "Create additional cluster node IAM permissions to allow cluster to use ecr pull-through cache rules." + default = false +} + #-------------------------------------------------------------- # Tags #-------------------------------------------------------------- diff --git a/odc_eks/modules/eks/worker_policy.tf b/odc_eks/modules/eks/worker_policy.tf index 0c1585ec..b48c75c0 100644 --- a/odc_eks/modules/eks/worker_policy.tf +++ b/odc_eks/modules/eks/worker_policy.tf @@ -50,9 +50,10 @@ resource "aws_iam_policy" "eks_kube2iam" { } resource "aws_iam_policy" "ecr_pullthrough_cache" { + count = (var.enable_ecr_pullthough_cache_permissions ? 1 : 0) name = "${var.cluster_id}-ecr-pull-through-cache" path = "/" - description = "Enables cluster to use ecr pull-through cache" + description = "Enables cluster to use ecr pull-through cache." policy = <<-EOF { @@ -80,6 +81,7 @@ resource "aws_iam_role_policy_attachment" "eks_node_kube2iam" { } resource "aws_iam_role_policy_attachment" "eks_node_pullthrough" { + count = (var.enable_ecr_pullthough_cache_permissions ? 1 : 0) policy_arn = aws_iam_policy.ecr_pullthrough_cache.arn role = aws_iam_role.eks_node.name } From 42641cd06503aec5c85423c8e87b38c5def220a7 Mon Sep 17 00:00:00 2001 From: Stacy Horton Date: Mon, 29 Apr 2024 16:50:11 +1000 Subject: [PATCH 05/40] Remove --cloud-provider kubelet arg --- odc_eks/modules/eks/worker_image.tf | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/odc_eks/modules/eks/worker_image.tf b/odc_eks/modules/eks/worker_image.tf index 9fce01b7..b2aa431d 100644 --- a/odc_eks/modules/eks/worker_image.tf +++ b/odc_eks/modules/eks/worker_image.tf 
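Review bot: The new variable name `enable_ecr_pullthough_cache_permissions` is missing the "r" in "pullthrough", and since it is now part of the module interface every caller will have to change when it is corrected; better to rename before release, e.g. `variable "enable_ecr_pullthrough_cache_permissions" {`. The same misspelling is repeated in the two `count` lines of the worker_policy.tf hunk on this line.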
@@ -24,9 +24,8 @@ set -o xtrace id=$(curl http://169.254.169.254/latest/meta-data/instance-id -s) ami=$(curl http://169.254.169.254/latest/meta-data/ami-id -s) /etc/eks/bootstrap.sh --apiserver-endpoint '${aws_eks_cluster.eks.endpoint}' --b64-cluster-ca '${aws_eks_cluster.eks.certificate_authority[0].data}' '${aws_eks_cluster.eks.id}' ${var.extra_bootstrap_args} \ ---kubelet-extra-args \ - "--node-labels=cluster=${aws_eks_cluster.eks.id},nodegroup=${var.node_group_name},nodetype=ondemand,instance-id=$id,ami-id=$ami \ - --cloud-provider=aws ${var.extra_kubelet_args}" + --kubelet-extra-args "--node-labels=cluster=${aws_eks_cluster.eks.id},nodegroup=${var.node_group_name},nodetype=ondemand,instance-id=$id,ami-id=$ami \ + ${var.extra_kubelet_args}" ${var.extra_userdata} USERDATA @@ -37,9 +36,8 @@ set -o xtrace id=$(curl http://169.254.169.254/latest/meta-data/instance-id -s) ami=$(curl http://169.254.169.254/latest/meta-data/ami-id -s) /etc/eks/bootstrap.sh --apiserver-endpoint '${aws_eks_cluster.eks.endpoint}' --b64-cluster-ca '${aws_eks_cluster.eks.certificate_authority[0].data}' '${aws_eks_cluster.eks.id}' ${var.extra_bootstrap_args} \ ---kubelet-extra-args \ - "--node-labels=cluster=${aws_eks_cluster.eks.id},nodegroup=${var.node_group_name},nodetype=spot,instance-id=$id,ami-id=$ami \ - --cloud-provider=aws ${var.extra_kubelet_args}" + --kubelet-extra-args "--node-labels=cluster=${aws_eks_cluster.eks.id},nodegroup=${var.node_group_name},nodetype=spot,instance-id=$id,ami-id=$ami \ + ${var.extra_kubelet_args}" ${var.extra_userdata} USERDATA From c102e31b1b13ffc1c0bee7fe5f1fffe15cb54ccc Mon Sep 17 00:00:00 2001 
From: Ben Lewis Date: Mon, 6 May 2024 14:28:50 +1000 Subject: [PATCH 06/40] Enable EKS API access config EKS supports access configuration via two methods: a config map, and an API resource. The old config map style is a bit messy (split across terraform stages, that info needs to propagate across e.g. for enabling fargate, and prone to unvalidated errors). This change enables progressive migration to aws_eks_access_entry resources. --- odc_eks/modules/eks/main.tf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/odc_eks/modules/eks/main.tf b/odc_eks/modules/eks/main.tf index bf8a78a4..aa55320f 100644 --- a/odc_eks/modules/eks/main.tf +++ b/odc_eks/modules/eks/main.tf @@ -10,6 +10,10 @@ resource "aws_eks_cluster" "eks" { subnet_ids = var.eks_subnet_ids } + access_config { + authentication_mode = "API_AND_CONFIG_MAP" + } + depends_on = [ aws_iam_role_policy_attachment.eks-cluster-AmazonEKSClusterPolicy, aws_iam_role_policy_attachment.eks-cluster-AmazonEKSServicePolicy, From 634aedcd8bc773701da41b903224b45f280ad18d Mon Sep 17 00:00:00 2001 From: lbodor Date: Mon, 13 May 2024 14:35:01 +1000 Subject: [PATCH 07/40] Bump terraform-aws-vpc module version --- odc_eks/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/odc_eks/main.tf b/odc_eks/main.tf index 2896c02d..6dcc5cd4 100644 --- a/odc_eks/main.tf +++ b/odc_eks/main.tf @@ -26,7 +26,7 @@ locals { } module "vpc" { - source = "git::https://github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v5.1.1" + source = "git::https://github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v5.5.2" count = var.create_vpc ? 1 : 0 From bb0260a9425e46d7b55054f3ced96d5925037c08 Mon Sep 17 00:00:00 2001 From: lbodor Date: Mon, 13 May 2024 14:46:42 +1000 Subject: [PATCH 08/40] Pass `local.tags` to module `vpc_endpoints` --- odc_eks/main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/odc_eks/main.tf b/odc_eks/main.tf index 6dcc5cd4..aca2285d 100644 --- a/odc_eks/main.tf 
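Review bot: `authentication_mode = "API_AND_CONFIG_MAP"` is hard-coded in the cluster resource, and as far as I know EKS does not let a cluster return to `CONFIG_MAP` once it has moved to `API_AND_CONFIG_MAP` or `API`, so applying this module version is a one-way change for existing clusters that neither the code nor the commit message records. Expose the mode as a variable with a validation limited to the three values, and add a comment on the line: `# One-way migration: EKS cannot revert from API_AND_CONFIG_MAP to CONFIG_MAP.` The `depends_on` list that follows starts inside the hunk but continues past it.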
+++ b/odc_eks/main.tf @@ -92,10 +92,10 @@ module "vpc_endpoints" { module.vpc[0].private_route_table_ids, module.vpc[0].public_route_table_ids ]) - - tags = local.tags } } + + tags = local.tags } # Creates network and Kuberenetes master nodes From 0cba4aa218a61229f9429e36a911fa10ede0c51f Mon Sep 17 00:00:00 2001 From: Stacy Horton Date: Tue, 14 May 2024 15:47:17 +1000 Subject: [PATCH 09/40] Fix a simple terraform error --- odc_eks/modules/eks/worker_policy.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/odc_eks/modules/eks/worker_policy.tf b/odc_eks/modules/eks/worker_policy.tf index b48c75c0..d824f87b 100644 --- a/odc_eks/modules/eks/worker_policy.tf +++ b/odc_eks/modules/eks/worker_policy.tf @@ -82,7 +82,7 @@ resource "aws_iam_role_policy_attachment" "eks_node_kube2iam" { resource "aws_iam_role_policy_attachment" "eks_node_pullthrough" { count = (var.enable_ecr_pullthough_cache_permissions ? 1 : 0) - policy_arn = aws_iam_policy.ecr_pullthrough_cache.arn + policy_arn = aws_iam_policy.ecr_pullthrough_cache[0].arn role = aws_iam_role.eks_node.name } From fdf968b45681e7f2339fb8632e08eded867b1f9e Mon Sep 17 00:00:00 2001 From: Stacy Horton Date: Fri, 19 Jul 2024 12:04:07 +1000 Subject: [PATCH 10/40] This is required to match previous functionality --- odc_eks/modules/eks/main.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/odc_eks/modules/eks/main.tf b/odc_eks/modules/eks/main.tf index aa55320f..1261c68f 100644 --- a/odc_eks/modules/eks/main.tf +++ b/odc_eks/modules/eks/main.tf @@ -12,6 +12,7 @@ resource "aws_eks_cluster" "eks" { access_config { authentication_mode = "API_AND_CONFIG_MAP" + bootstrap_cluster_creator_admin_permissions = true } depends_on = [ From 1d3566f3f56c7dd418e5585cdaab3ad8b8b111b6 Mon Sep 17 00:00:00 2001 From: Stacy Horton Date: Fri, 19 Jul 2024 13:57:08 +1000 Subject: [PATCH 11/40] Format fixes --- odc_eks/main.tf | 6 +++--- odc_eks/modules/eks/main.tf | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) 
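Review bot: `bootstrap_cluster_creator_admin_permissions = true` gives the IAM principal that creates the cluster a persistent cluster-admin access entry, a broader standing grant than the old config-map path made visible; the commit title says this restores previous behaviour, but nothing in the code says so. Suggest a comment on the line, `# Grants the creating IAM principal cluster-admin via an access entry; matches the pre-access-entry behaviour.`, and ideally a variable so deployments that manage access entries explicitly can turn it off. I believe changing this attribute on an existing cluster forces replacement, which is worth stating for upgraders.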
diff --git a/odc_eks/main.tf b/odc_eks/main.tf index aca2285d..1cdb2b4c 100644 --- a/odc_eks/main.tf +++ b/odc_eks/main.tf @@ -73,15 +73,15 @@ module "vpc" { moved { from = module.vpc[0].aws_vpc_endpoint.s3[0] - to = module.vpc_endpoints[0].aws_vpc_endpoint.this["s3"] + to = module.vpc_endpoints[0].aws_vpc_endpoint.this["s3"] } module "vpc_endpoints" { source = "git::https://github.com/terraform-aws-modules/terraform-aws-vpc.git//modules/vpc-endpoints?ref=v5.1.1" count = var.create_vpc && var.enable_s3_endpoint ? 1 : 0 - vpc_id = module.vpc[0].vpc_id - security_group_ids = [ module.vpc[0].default_security_group_id ] + vpc_id = module.vpc[0].vpc_id + security_group_ids = [module.vpc[0].default_security_group_id] endpoints = { s3 = { diff --git a/odc_eks/modules/eks/main.tf b/odc_eks/modules/eks/main.tf index 1261c68f..85f85614 100644 --- a/odc_eks/modules/eks/main.tf +++ b/odc_eks/modules/eks/main.tf @@ -11,7 +11,7 @@ resource "aws_eks_cluster" "eks" { } access_config { - authentication_mode = "API_AND_CONFIG_MAP" + authentication_mode = "API_AND_CONFIG_MAP" bootstrap_cluster_creator_admin_permissions = true } From 9c140b784a5361360334f2a8c68f80d3f1c0275f Mon Sep 17 00:00:00 2001 From: lars-fillmore <97861771+lars-fillmore@users.noreply.github.com> Date: Thu, 5 Sep 2024 01:49:29 +0000 Subject: [PATCH 12/40] Add VPC flow logs --- odc_eks/main.tf | 21 ++++++++++++++++- odc_eks/variables.tf | 36 ++++++++++++++++++++++++++++- odc_eks/vpc_support.tf | 51 ++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 106 insertions(+), 2 deletions(-) create mode 100644 odc_eks/vpc_support.tf diff --git a/odc_eks/main.tf b/odc_eks/main.tf index 1cdb2b4c..e64644bf 100644 --- a/odc_eks/main.tf +++ b/odc_eks/main.tf 
@@ -28,6 +28,10 @@ locals { module "vpc" { source = "git::https://github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v5.5.2" + locals { + log_group_arn = "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:${flow_log_cloudwatch_log_group_name_prefix}:*" + } + count = var.create_vpc ? 1 : 0 name = "${local.cluster_id}-vpc" @@ -68,7 +72,22 @@ module "vpc" { manage_default_network_acl = false manage_default_route_table = false - tags = local.tags + enable_flow_log = var.create_vpc_flow_logs + flow_log_destination_type = "s3" + flow_log_max_agreegation_interval = (var.create_vpc_flow_logs) ? var.flow_log_max_aggregation_interval : null + flow_log_traffic_type = (var.create_vpc_flow_logs) ? var.flow_log_traffic_type : null + flow_log_file_format = (var.create_vpc_flow_logs) ? var.flow_log_log_format : null + flow_log_destination_arn = (var.create_vpc_flow_logs) ? "arn:aws:s3:::${var.flow_log_s3_bucket_name}" : null + + tags = merge( + { + Name = "${local.cluster_id}-vpc-flow-logs" + owner = var.owner + namespace = var.namespace + environment = var.environment + }, + var.tags + ) } moved { diff --git a/odc_eks/variables.tf b/odc_eks/variables.tf index 7613454a..bddc85f5 100644 --- a/odc_eks/variables.tf +++ b/odc_eks/variables.tf 
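Review bot: The second hunk replaces `tags = local.tags` on the `vpc` module with a merge whose `Name` is `"${local.cluster_id}-vpc-flow-logs"`, so the VPC and every sub-resource the module tags is renamed from `-vpc` to `-vpc-flow-logs`; the module exposes a separate `vpc_flow_log_tags` input for the flow-log resource, so restore `tags = local.tags` and pass the flow-log name through that input instead. `flow_log_destination_arn` also hard-codes the `arn:aws:` partition while the rest of the value is derived; `data.aws_partition` would keep it portable to other partitions.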
@@ -167,13 +167,47 @@ variable "enable_nat_gateway" { default = true } - variable "create_igw" { type = bool description = "Whether to provision an Internet Gateway in the VPC. Default is true (False for private routing)" default = true } +variable "create_vpc_flow_logs" { + type = bool + description = "Whether to create VPC flow logs. Default is set to 'false'" + default = false +} + +variable "flow_log_max_aggregation_interval" { + description = "The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds or `600` seconds" + type = number + default = 600 +} + +variable "flow_log_traffic_type" { + description = "The type of traffic to capture. Valid values: ACCEPT, REJECT, ALL" + type = string + default = "ALL" +} + +variable "flow_log_file_format" { + description = "(Optional) The format for the flow log. Valid values: `plain-text`, `parquet`" + type = string + default = "plain-text" +} + +variable "create_flow_log_s3_bucket" { + type = bool + description = "Whether to create a S3 bucket for the vpc flow logs. Default is set to 'false'" + default = false +} + +variable "flow_log_s3_bucket_name" { + description = "The name of the bucket used to store the logs" + type = string + default = "" +} # EC2 Worker Roles # ================== diff --git a/odc_eks/vpc_support.tf b/odc_eks/vpc_support.tf new file mode 100644 index 00000000..9dcca4df --- /dev/null +++ b/odc_eks/vpc_support.tf 
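Review bot: None of the new flow-log variables constrain their inputs even though the descriptions state the valid sets; add `validation` blocks such as `condition = contains(["ACCEPT", "REJECT", "ALL"], var.flow_log_traffic_type)`, `condition = contains([60, 600], var.flow_log_max_aggregation_interval)` and `condition = contains(["plain-text", "parquet"], var.flow_log_file_format)` so a typo fails at plan time rather than at the API. `flow_log_s3_bucket_name` defaults to `""`, which with `create_vpc_flow_logs = true` yields the destination `arn:aws:s3:::`; a variable validation cannot reference another variable in older Terraform, so either drop the default or state in the description that the name is required when flow logs are enabled. The blank line removed above `create_igw` looks accidental.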
@@ -0,0 +1,51 @@ +################################################################################ +# Supporting Resources +################################################################################ +locals { + log_destination = split(",", var.flow_log_destination) +} + +resource "random_pet" "this" { + length = 2 +} + +# S3 Bucket +module "s3_bucket" { + count = (var.create_vpc_flow_logs && var.create_flow_log_s3_bucket) ? 1 : 0 + source = "terraform-aws-modules/s3-bucket/aws" + version = "~> 3.0" + + bucket = var.flow_log_s3_bucket_name + policy = data.aws_iam_policy_document.flow_log_s3.json + + tags = var.tags +} + +data "aws_iam_policy_document" "flow_log_s3" { + count = (var.create_vpc_flow_logs && var.create_flow_log_s3_bucket) ? 1 : 0 + statement { + sid = "AWSLogDeliveryWrite" + + principals { + type = "Service" + identifiers = ["delivery.logs.amazonaws.com"] + } + + actions = ["s3:PutObject"] + + resources = ["arn:aws:s3:::${var.flow_log_s3_bucket_name}/AWSLogs/*"] + } + + statement { + sid = "AWSLogDeliveryAclCheck" + + principals { + type = "Service" + identifiers = ["delivery.logs.amazonaws.com"] + } + + actions = ["s3:GetBucketAcl"] + + resources = ["arn:aws:s3:::${var.flow_log_s3_bucket_name}"] + } +} \ No newline at end of file From fe05ee84832af48b0c76fb3eeb97b6e8024605e3 Mon Sep 17 00:00:00 2001 From: lars-fillmore <97861771+lars-fillmore@users.noreply.github.com> Date: Thu, 5 Sep 2024 01:56:36 +0000 Subject: [PATCH 13/40] Update variables --- odc_eks/variables.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/odc_eks/variables.tf b/odc_eks/variables.tf index bddc85f5..ecb84b8c 100644 --- a/odc_eks/variables.tf +++ b/odc_eks/variables.tf @@ -209,6 +209,7 @@ variable "flow_log_s3_bucket_name" { default = "" } + # EC2 Worker Roles # ================== variable "enable_ec2_ssm" { From 95280dde66eb85608cb5c707f0bb53a7cd544dd5 Mon Sep 17 00:00:00 2001 
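Review bot: The bucket policy lets `delivery.logs.amazonaws.com` write to the bucket and read its ACL with no `aws:SourceAccount` or `aws:SourceArn` condition, so the log-delivery service could be directed at this bucket from another account that knows its name (the confused-deputy case the AWS flow-log bucket policy examples guard against); the conditions below close that, assuming the `data.aws_caller_identity.current` referenced in main.tf exists. `random_pet.this` is declared but never referenced, which drags in the random provider for nothing and should be removed. The data source's `count` also means consumers must index it, which is worth a comment on the module's `policy` line.
```hcl
  statement {
    sid = "AWSLogDeliveryWrite"
    # … unchanged: principals / actions / resources …
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
  }

  statement {
    sid = "AWSLogDeliveryAclCheck"
    # … unchanged: principals / actions / resources …
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
```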
From: lars-fillmore <97861771+lars-fillmore@users.noreply.github.com> Date: Thu, 5 Sep 2024 03:28:21 +0000 Subject: [PATCH 14/40] Move local out of module and into main locals block --- odc_eks/main.tf | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/odc_eks/main.tf b/odc_eks/main.tf index e64644bf..950b7f29 100644 --- a/odc_eks/main.tf +++ b/odc_eks/main.tf @@ -23,15 +23,13 @@ locals { }, var.tags ) + + log_group_arn = "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:${flow_log_cloudwatch_log_group_name_prefix}:*" + } module "vpc" { source = "git::https://github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v5.5.2" - - locals { - log_group_arn = "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:${flow_log_cloudwatch_log_group_name_prefix}:*" - } - count = var.create_vpc ? 1 : 0 name = "${local.cluster_id}-vpc" From 80117794cafe2a7d29ecd9ab656fe11734eea858 Mon Sep 17 00:00:00 2001 From: lars-fillmore <97861771+lars-fillmore@users.noreply.github.com> Date: Thu, 5 Sep 2024 03:37:00 +0000 Subject: [PATCH 15/40] Rename variable --- odc_eks/main.tf | 2 +- odc_eks/variables.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/odc_eks/main.tf b/odc_eks/main.tf index 950b7f29..6da135b1 100644 --- a/odc_eks/main.tf +++ b/odc_eks/main.tf 
@@ -72,7 +72,7 @@ module "vpc" { enable_flow_log = var.create_vpc_flow_logs flow_log_destination_type = "s3" - flow_log_max_agreegation_interval = (var.create_vpc_flow_logs) ? var.flow_log_max_aggregation_interval : null + flow_log_max_agreegation_interval = (var.create_vpc_flow_logs) ? var.flow_log_max_agg_interval : null flow_log_traffic_type = (var.create_vpc_flow_logs) ? var.flow_log_traffic_type : null flow_log_file_format = (var.create_vpc_flow_logs) ? var.flow_log_log_format : null flow_log_destination_arn = (var.create_vpc_flow_logs) ? "arn:aws:s3:::${var.flow_log_s3_bucket_name}" : null diff --git a/odc_eks/variables.tf b/odc_eks/variables.tf index ecb84b8c..a1a5527a 100644 --- a/odc_eks/variables.tf +++ b/odc_eks/variables.tf @@ -179,7 +179,7 @@ variable "create_vpc_flow_logs" { default = false } -variable "flow_log_max_aggregation_interval" { +variable "flow_log_max_agg_interval" { description = "The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds or `600` seconds" type = number default = 600 From 179e7070a16bc5c354e3fd5e86b0b3bb18125e10 Mon Sep 17 00:00:00 2001 From: lars-fillmore <97861771+lars-fillmore@users.noreply.github.com> Date: Thu, 5 Sep 2024 03:45:07 +0000 Subject: [PATCH 16/40] Update variable name --- odc_eks/main.tf | 2 +- odc_eks/variables.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/odc_eks/main.tf b/odc_eks/main.tf index 6da135b1..60b01bbd 100644 --- a/odc_eks/main.tf +++ b/odc_eks/main.tf 
@@ -72,7 +72,7 @@ module "vpc" { enable_flow_log = var.create_vpc_flow_logs flow_log_destination_type = "s3" - flow_log_max_agreegation_interval = (var.create_vpc_flow_logs) ? var.flow_log_max_agg_interval : null + flow_log_max_aggregation_interval = (var.create_vpc_flow_logs) ? var.flow_log_max_aggregation_interval : null flow_log_traffic_type = (var.create_vpc_flow_logs) ? var.flow_log_traffic_type : null flow_log_file_format = (var.create_vpc_flow_logs) ? var.flow_log_log_format : null flow_log_destination_arn = (var.create_vpc_flow_logs) ? "arn:aws:s3:::${var.flow_log_s3_bucket_name}" : null diff --git a/odc_eks/variables.tf b/odc_eks/variables.tf index a1a5527a..ecb84b8c 100644 --- a/odc_eks/variables.tf +++ b/odc_eks/variables.tf @@ -179,7 +179,7 @@ variable "create_vpc_flow_logs" { default = false } -variable "flow_log_max_agg_interval" { +variable "flow_log_max_aggregation_interval" { description = "The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds or `600` seconds" type = number default = 600 From 316ddbf655775e7b59b1d841f55702fcb8bcfc21 Mon Sep 17 00:00:00 2001 From: lars-fillmore <97861771+lars-fillmore@users.noreply.github.com> Date: Thu, 5 Sep 2024 04:13:10 +0000 Subject: [PATCH 17/40] Remove variable --- odc_eks/main.tf | 2 -- 1 file changed, 2 deletions(-) diff --git a/odc_eks/main.tf b/odc_eks/main.tf index 60b01bbd..91e774cc 100644 --- a/odc_eks/main.tf +++ b/odc_eks/main.tf @@ -24,8 +24,6 @@ locals { var.tags ) - log_group_arn = "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:${flow_log_cloudwatch_log_group_name_prefix}:*" - } module "vpc" { From fb8d4e5c61951d54655e79270f09250e42523c9c Mon Sep 17 00:00:00 2001 
From: lars-fillmore <97861771+lars-fillmore@users.noreply.github.com> Date: Thu, 5 Sep 2024 04:18:29 +0000 Subject: [PATCH 18/40] Fix spelling mistake --- odc_eks/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/odc_eks/main.tf b/odc_eks/main.tf index 91e774cc..837da9de 100644 --- a/odc_eks/main.tf +++ b/odc_eks/main.tf @@ -72,7 +72,7 @@ module "vpc" { flow_log_destination_type = "s3" flow_log_max_aggregation_interval = (var.create_vpc_flow_logs) ? var.flow_log_max_aggregation_interval : null flow_log_traffic_type = (var.create_vpc_flow_logs) ? var.flow_log_traffic_type : null - flow_log_file_format = (var.create_vpc_flow_logs) ? var.flow_log_log_format : null + flow_log_file_format = (var.create_vpc_flow_logs) ? var.flow_log_file_format : null flow_log_destination_arn = (var.create_vpc_flow_logs) ? "arn:aws:s3:::${var.flow_log_s3_bucket_name}" : null tags = merge( From fee63c8a6d370ce96b5259b5efc778e0fec75148 Mon Sep 17 00:00:00 2001 From: lars-fillmore <97861771+lars-fillmore@users.noreply.github.com> Date: Thu, 5 Sep 2024 04:21:34 +0000 Subject: [PATCH 19/40] Remove local --- odc_eks/vpc_support.tf | 4 ---- 1 file changed, 4 deletions(-) diff --git a/odc_eks/vpc_support.tf b/odc_eks/vpc_support.tf index 9dcca4df..74e9ac21 100644 --- a/odc_eks/vpc_support.tf +++ b/odc_eks/vpc_support.tf @@ -1,10 +1,6 @@ ################################################################################ # Supporting Resources ################################################################################ -locals { - log_destination = split(",", var.flow_log_destination) -} - resource "random_pet" "this" { length = 2 } From 0ec9265e76263dba3bb92bca4c3ce3f977faba33 Mon Sep 17 00:00:00 2001 From: lars-fillmore <97861771+lars-fillmore@users.noreply.github.com> Date: Thu, 5 Sep 2024 04:25:58 +0000 Subject: [PATCH 20/40] Add list index --- odc_eks/vpc_support.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/odc_eks/vpc_support.tf b/odc_eks/vpc_support.tf index 74e9ac21..4c15401d 100644 --- a/odc_eks/vpc_support.tf +++ b/odc_eks/vpc_support.tf @@ -12,7 +12,7 @@ module "s3_bucket" { version = "~> 3.0" bucket = var.flow_log_s3_bucket_name - policy = data.aws_iam_policy_document.flow_log_s3.json + policy = data.aws_iam_policy_document.flow_log_s3[0].json tags = var.tags } From da208fb289f31d8ac1203564c7d463a02f575356 Mon Sep 17 00:00:00 2001 From: lars-fillmore <97861771+lars-fillmore@users.noreply.github.com> Date: Thu, 5 Sep 2024 05:41:11 +0000 Subject: [PATCH 21/40] Update tagging --- odc_eks/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/odc_eks/main.tf b/odc_eks/main.tf index 837da9de..e1d28380 100644 --- a/odc_eks/main.tf +++ b/odc_eks/main.tf @@ -75,7 +75,7 @@ module "vpc" { flow_log_file_format = (var.create_vpc_flow_logs) ? var.flow_log_file_format : null flow_log_destination_arn = (var.create_vpc_flow_logs) ? "arn:aws:s3:::${var.flow_log_s3_bucket_name}" : null - tags = merge( + vpc_flow_log_tags = merge( { Name = "${local.cluster_id}-vpc-flow-logs" owner = var.owner From c85f4b6a0daf1f5f585a41cbb9def5e737ba6291 Mon Sep 17 00:00:00 2001 From: lars-fillmore <97861771+lars-fillmore@users.noreply.github.com> Date: Thu, 5 Sep 2024 06:16:55 +0000 Subject: [PATCH 22/40] change index --- odc_eks/vpc_support.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/odc_eks/vpc_support.tf b/odc_eks/vpc_support.tf index 4c15401d..df4991df 100644 --- a/odc_eks/vpc_support.tf +++ b/odc_eks/vpc_support.tf @@ -12,7 +12,7 @@ module "s3_bucket" { version = "~> 3.0" bucket = var.flow_log_s3_bucket_name - policy = data.aws_iam_policy_document.flow_log_s3[0].json + policy = data.aws_iam_policy_document.flow_log_s3[1].json tags = var.tags } From 4d29697de90919360bc4017d601918b61846f962 Mon Sep 17 00:00:00 2001 
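Review bot: Renaming `tags = merge(` to `vpc_flow_log_tags = merge(` in the PATCH 21 hunk leaves `module "vpc"` without a module-wide `tags` argument, as far as this hunk shows, so the VPC, subnets, route tables and NAT resources would no longer carry the owner/namespace tags that the flow log resource now receives. PATCH 33 later in this series adds `tags = local.tags` and PATCH 36 ("Test tags") removes it again, so the end state of the series should be checked rather than assumed. Keeping both arguments, `tags = local.tags` next to `vpc_flow_log_tags = merge(...)`, preserves resource ownership tagging for inventory and cost attribution. The `module "vpc"` block starts and ends outside the hunk.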
From: lars-fillmore <97861771+lars-fillmore@users.noreply.github.com> Date: Thu, 5 Sep 2024 06:17:23 +0000 Subject: [PATCH 23/40] change index --- odc_eks/vpc_support.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/odc_eks/vpc_support.tf b/odc_eks/vpc_support.tf index df4991df..87a9c6f6 100644 --- a/odc_eks/vpc_support.tf +++ b/odc_eks/vpc_support.tf @@ -18,7 +18,7 @@ module "s3_bucket" { } data "aws_iam_policy_document" "flow_log_s3" { - count = (var.create_vpc_flow_logs && var.create_flow_log_s3_bucket) ? 1 : 0 + count = (var.create_vpc_flow_logs && var.create_flow_log_s3_bucket) ? 1 : 0 statement { sid = "AWSLogDeliveryWrite" From cda400ea5105484de2a673f9648acb018e438f9e Mon Sep 17 00:00:00 2001 From: lars-fillmore <97861771+lars-fillmore@users.noreply.github.com> Date: Thu, 5 Sep 2024 06:20:15 +0000 Subject: [PATCH 24/40] change index --- odc_eks/vpc_support.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/odc_eks/vpc_support.tf b/odc_eks/vpc_support.tf index 87a9c6f6..aaa00062 100644 --- a/odc_eks/vpc_support.tf +++ b/odc_eks/vpc_support.tf @@ -12,7 +12,7 @@ module "s3_bucket" { version = "~> 3.0" bucket = var.flow_log_s3_bucket_name - policy = data.aws_iam_policy_document.flow_log_s3[1].json + policy = data.aws_iam_policy_document.flow_log_s3[0].json tags = var.tags } From 1817740ceda3b70f1a27b764cfb643dfb87cebcd Mon Sep 17 00:00:00 2001 From: lars-fillmore <97861771+lars-fillmore@users.noreply.github.com> Date: Thu, 5 Sep 2024 06:41:12 +0000 Subject: [PATCH 25/40] test removal of bucket --- odc_eks/vpc_support.tf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/odc_eks/vpc_support.tf b/odc_eks/vpc_support.tf index aaa00062..36f29e1f 100644 --- a/odc_eks/vpc_support.tf +++ b/odc_eks/vpc_support.tf @@ -14,6 +14,8 @@ module "s3_bucket" { bucket = var.flow_log_s3_bucket_name policy = data.aws_iam_policy_document.flow_log_s3[0].json + force_destroy = false + tags = var.tags } 
From c969888f21754c078988385646700851d17e93e9 Mon Sep 17 00:00:00 2001 From: lars-fillmore <97861771+lars-fillmore@users.noreply.github.com> Date: Thu, 5 Sep 2024 06:49:50 +0000 Subject: [PATCH 26/40] test removal of bucket --- odc_eks/vpc_support.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/odc_eks/vpc_support.tf b/odc_eks/vpc_support.tf index 36f29e1f..e3e60680 100644 --- a/odc_eks/vpc_support.tf +++ b/odc_eks/vpc_support.tf @@ -14,7 +14,7 @@ module "s3_bucket" { bucket = var.flow_log_s3_bucket_name policy = data.aws_iam_policy_document.flow_log_s3[0].json - force_destroy = false + force_destroy = true tags = var.tags } From 41a08407956a63873b0feb20d0418e252743fb7f Mon Sep 17 00:00:00 2001 From: lars-fillmore <97861771+lars-fillmore@users.noreply.github.com> Date: Thu, 5 Sep 2024 07:37:39 +0000 Subject: [PATCH 27/40] force policy attachment --- odc_eks/vpc_support.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/odc_eks/vpc_support.tf b/odc_eks/vpc_support.tf index e3e60680..6932c20a 100644 --- a/odc_eks/vpc_support.tf +++ b/odc_eks/vpc_support.tf @@ -12,6 +12,7 @@ module "s3_bucket" { version = "~> 3.0" bucket = var.flow_log_s3_bucket_name + attach_policy = true policy = data.aws_iam_policy_document.flow_log_s3[0].json force_destroy = true From 504b2753559d2ad25a971b8338106dc10de44180 Mon Sep 17 00:00:00 2001 From: lars-fillmore <97861771+lars-fillmore@users.noreply.github.com> Date: Thu, 5 Sep 2024 08:36:59 +0000 Subject: [PATCH 28/40] Add additional condition --- odc_eks/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/odc_eks/main.tf b/odc_eks/main.tf index e1d28380..184a2121 100644 --- a/odc_eks/main.tf +++ b/odc_eks/main.tf 
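Review bot: `force_destroy = true` in the PATCH 26 hunk lets `terraform destroy`, or dropping the module, delete the flow-log bucket together with every log object in it, which discards the network audit trail this bucket exists to keep; the commit title "test removal of bucket" suggests it was a test-time setting that stayed in. Expose it instead as `force_destroy = var.flow_log_s3_bucket_force_destroy` with a `bool` variable defaulting to `false`, so a deliberate teardown has to opt in explicitly. The rest of the `module "s3_bucket"` block is outside the hunk; it is worth confirming there that versioning or object lock and server-side encryption are configured on the bucket, since those govern how long the log records survive and who can read them.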
@@ -73,7 +73,7 @@ module "vpc" { flow_log_max_aggregation_interval = (var.create_vpc_flow_logs) ? var.flow_log_max_aggregation_interval : null flow_log_traffic_type = (var.create_vpc_flow_logs) ? var.flow_log_traffic_type : null flow_log_file_format = (var.create_vpc_flow_logs) ? var.flow_log_file_format : null - flow_log_destination_arn = (var.create_vpc_flow_logs) ? "arn:aws:s3:::${var.flow_log_s3_bucket_name}" : null + flow_log_destination_arn = (var.create_vpc_flow_logs) ? (var.create_flow_log_s3_bucket ? module.s3_bucket.arn : "arn:aws:s3:::${var.flow_log_s3_bucket_name}") : null vpc_flow_log_tags = merge( { From d01a5cdae9ec2c2f5fa398f951f32c77c9bf3d8d Mon Sep 17 00:00:00 2001 From: lars-fillmore <97861771+lars-fillmore@users.noreply.github.com> Date: Thu, 5 Sep 2024 08:42:42 +0000 Subject: [PATCH 29/40] fix attribute name --- odc_eks/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/odc_eks/main.tf b/odc_eks/main.tf index 184a2121..83df12e2 100644 --- a/odc_eks/main.tf +++ b/odc_eks/main.tf @@ -73,7 +73,7 @@ module "vpc" { flow_log_max_aggregation_interval = (var.create_vpc_flow_logs) ? var.flow_log_max_aggregation_interval : null flow_log_traffic_type = (var.create_vpc_flow_logs) ? var.flow_log_traffic_type : null flow_log_file_format = (var.create_vpc_flow_logs) ? var.flow_log_file_format : null - flow_log_destination_arn = (var.create_vpc_flow_logs) ? (var.create_flow_log_s3_bucket ? module.s3_bucket.arn : "arn:aws:s3:::${var.flow_log_s3_bucket_name}") : null + flow_log_destination_arn = (var.create_vpc_flow_logs) ? (var.create_flow_log_s3_bucket ? module.s3_bucket.s3_bucket_arn : "arn:aws:s3:::${var.flow_log_s3_bucket_name}") : null vpc_flow_log_tags = merge( { From 8ce58ff1a6105369fed6dd3fd83d9766b0172a5b Mon Sep 17 00:00:00 2001 
From: lars-fillmore <97861771+lars-fillmore@users.noreply.github.com> Date: Thu, 5 Sep 2024 08:54:29 +0000 Subject: [PATCH 30/40] fix attribute name --- odc_eks/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/odc_eks/main.tf b/odc_eks/main.tf index 83df12e2..a05bd27c 100644 --- a/odc_eks/main.tf +++ b/odc_eks/main.tf @@ -73,7 +73,7 @@ module "vpc" { flow_log_max_aggregation_interval = (var.create_vpc_flow_logs) ? var.flow_log_max_aggregation_interval : null flow_log_traffic_type = (var.create_vpc_flow_logs) ? var.flow_log_traffic_type : null flow_log_file_format = (var.create_vpc_flow_logs) ? var.flow_log_file_format : null - flow_log_destination_arn = (var.create_vpc_flow_logs) ? (var.create_flow_log_s3_bucket ? module.s3_bucket.s3_bucket_arn : "arn:aws:s3:::${var.flow_log_s3_bucket_name}") : null + flow_log_destination_arn = (var.create_vpc_flow_logs) ? (var.create_flow_log_s3_bucket ? module.s3_bucket[0].s3_bucket_arn : "arn:aws:s3:::${var.flow_log_s3_bucket_name}") : null vpc_flow_log_tags = merge( { From c87b9f04f4c6c49c08a06d5644ac46fa43a4de98 Mon Sep 17 00:00:00 2001 From: lars-fillmore <97861771+lars-fillmore@users.noreply.github.com> Date: Thu, 5 Sep 2024 23:13:05 +0000 Subject: [PATCH 31/40] add subnet naming --- odc_eks/main.tf | 21 ++++++++++++--------- odc_eks/variables.tf | 18 ++++++++++++++++++ 2 files changed, 30 insertions(+), 9 deletions(-) diff --git a/odc_eks/main.tf b/odc_eks/main.tf index a05bd27c..5ef8c1ad 100644 --- a/odc_eks/main.tf +++ b/odc_eks/main.tf 
@@ -28,14 +28,17 @@ locals { module "vpc" { source = "git::https://github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v5.5.2" - count = var.create_vpc ? 1 : 0 - - name = "${local.cluster_id}-vpc" - cidr = var.vpc_cidr - azs = data.aws_availability_zones.available.names - public_subnets = var.public_subnet_cidrs - private_subnets = var.private_subnet_cidrs - database_subnets = var.database_subnet_cidrs + count = var.create_vpc ? 1 : 0 + + name = "${local.cluster_id}-vpc" + cidr = var.vpc_cidr + azs = data.aws_availability_zones.available.names + public_subnets = var.public_subnet_cidrs + private_subnets = var.private_subnet_cidrs + database_subnets = var.database_subnet_cidrs + public_subnet_names = (length(var.public_subnet_names) == length(var.public_subnet_cidrs)) ? var.public_subnet_names : null + private_subnet_names = (length(var.private_subnet_names) == length(var.private_subnet_cidrs)) ? var.private_subnet_names : null + database_subnet_names = (length(var.database_subnet_names) == length(var.database_subnet_cidrs)) ? var.database_subnet_names : null secondary_cidr_blocks = var.secondary_cidr_blocks map_public_ip_on_launch = var.map_public_ip_on_launch @@ -74,7 +77,7 @@ module "vpc" { flow_log_traffic_type = (var.create_vpc_flow_logs) ? var.flow_log_traffic_type : null flow_log_file_format = (var.create_vpc_flow_logs) ? var.flow_log_file_format : null flow_log_destination_arn = (var.create_vpc_flow_logs) ? (var.create_flow_log_s3_bucket ? module.s3_bucket[0].s3_bucket_arn : "arn:aws:s3:::${var.flow_log_s3_bucket_name}") : null - + vpc_flow_log_tags = merge( { Name = "${local.cluster_id}-vpc-flow-logs" diff --git a/odc_eks/variables.tf b/odc_eks/variables.tf index ecb84b8c..8fc9f322 100644 --- a/odc_eks/variables.tf +++ b/odc_eks/variables.tf 
@@ -125,6 +125,12 @@ variable "public_subnet_cidrs" { default = [] } +variable "public_subnet_names" { + type = list(string) + description = "list of public subnet names to use" + default = [] +} + variable "map_public_ip_on_launch" { description = "Should be false if you do not want to auto-assign public IP on launch" type = bool @@ -137,12 +143,24 @@ variable "private_subnet_cidrs" { default = [] } +variable "private_subnet_names" { + type = list(string) + description = "list of private subnet names to use" + default = [] +} + variable "database_subnet_cidrs" { description = "List of database cidrs, for all available availability zones. Example: 10.0.0.0/24 and 10.0.1.0/24" type = list(string) default = [] } +variable "database_subnet_names" { + type = list(string) + description = "list of database subnet names to use" + default = [] +} + variable "private_subnet_elb_role" { type = string description = "ELB role for private subnets " From abe9fee383dc5615da1487539b98798b93f53962 Mon Sep 17 00:00:00 2001 From: lars-fillmore <97861771+lars-fillmore@users.noreply.github.com> Date: Fri, 6 Sep 2024 00:29:35 +0000 Subject: [PATCH 32/40] Add single NAT option --- odc_eks/main.tf | 1 + odc_eks/variables.tf | 6 ++++++ 2 files changed, 7 insertions(+) diff --git a/odc_eks/main.tf b/odc_eks/main.tf index 5ef8c1ad..7070ba22 100644 --- a/odc_eks/main.tf +++ b/odc_eks/main.tf @@ -64,6 +64,7 @@ module "vpc" { enable_dns_support = true enable_nat_gateway = var.enable_nat_gateway + single_nat_gateway = var.single_nat_gateway create_igw = var.create_igw create_database_subnet_group = true diff --git a/odc_eks/variables.tf b/odc_eks/variables.tf index 8fc9f322..6e4a9001 100644 --- a/odc_eks/variables.tf +++ b/odc_eks/variables.tf 
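Review bot: The three new `variable` blocks in the variables.tf hunks do not document the length constraint that main.tf imposes on them: the PATCH 31 main.tf hunk passes the names only when `length(var.*_subnet_names) == length(var.*_subnet_cidrs)` and otherwise silently sends `null`, so a list that is one entry short is ignored without any error. Stating this in each description, e.g. `description = "Name tag for each public subnet, in the same order as public_subnet_cidrs; ignored unless the two lists have the same length. Requires create_vpc = true"`, makes the failure mode visible to callers. The README table added later in the series (PATCH 35) appears to list non-empty defaults such as `["public-subnet-a", ...]` for these variables while the blocks here default to `[]`; one of the two should be corrected so the documentation matches the module.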
@@ -185,6 +185,12 @@ variable "enable_nat_gateway" { default = true } +variable "single_nat_gateway" { + description = "Should be true if you want to provision a single shared NAT Gateway across all of your private networks" + type = bool + default = false +} + variable "create_igw" { type = bool description = "Whether to provision an Internet Gateway in the VPC. Default is true (False for private routing)" From 17a21a0583f89a339a3a0aab80ead655eb566798 Mon Sep 17 00:00:00 2001 From: lars-fillmore <97861771+lars-fillmore@users.noreply.github.com> Date: Fri, 6 Sep 2024 01:21:29 +0000 Subject: [PATCH 33/40] add tags back in --- odc_eks/main.tf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/odc_eks/main.tf b/odc_eks/main.tf index 7070ba22..39d7cfe9 100644 --- a/odc_eks/main.tf +++ b/odc_eks/main.tf @@ -72,6 +72,8 @@ module "vpc" { manage_default_network_acl = false manage_default_route_table = false + tags = local.tags + enable_flow_log = var.create_vpc_flow_logs flow_log_destination_type = "s3" flow_log_max_aggregation_interval = (var.create_vpc_flow_logs) ? var.flow_log_max_aggregation_interval : null From 3804f197fa68306caec4c385d7989e2454919028 Mon Sep 17 00:00:00 2001 From: lars-fillmore <97861771+lars-fillmore@users.noreply.github.com> Date: Fri, 6 Sep 2024 01:35:07 +0000 Subject: [PATCH 34/40] Add S3 bucket prefix --- odc_eks/main.tf | 2 +- odc_eks/variables.tf | 6 ++++++ odc_eks/vpc_support.tf | 2 +- 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/odc_eks/main.tf b/odc_eks/main.tf index 39d7cfe9..8aa0e245 100644 --- a/odc_eks/main.tf +++ b/odc_eks/main.tf 
@@ -79,7 +79,7 @@ module "vpc" { flow_log_max_aggregation_interval = (var.create_vpc_flow_logs) ? var.flow_log_max_aggregation_interval : null flow_log_traffic_type = (var.create_vpc_flow_logs) ? var.flow_log_traffic_type : null flow_log_file_format = (var.create_vpc_flow_logs) ? var.flow_log_file_format : null - flow_log_destination_arn = (var.create_vpc_flow_logs) ? (var.create_flow_log_s3_bucket ? module.s3_bucket[0].s3_bucket_arn : "arn:aws:s3:::${var.flow_log_s3_bucket_name}") : null + flow_log_destination_arn = (var.create_vpc_flow_logs) ? (var.create_flow_log_s3_bucket ? "${module.s3_bucket[0].s3_bucket_arn}/${var.flow_log_s3_bucket_prefix}" : "arn:aws:s3:::${var.flow_log_s3_bucket_name}/${var.flow_log_s3_bucket_prefix}") : null vpc_flow_log_tags = merge( { diff --git a/odc_eks/variables.tf b/odc_eks/variables.tf index 6e4a9001..4406a740 100644 --- a/odc_eks/variables.tf +++ b/odc_eks/variables.tf @@ -233,6 +233,12 @@ variable "flow_log_s3_bucket_name" { default = "" } +variable "flow_log_s3_bucket_prefix" { + description = "The name of the prefix used to store the logs on S3" + type = string + default = "" +} + # EC2 Worker Roles # ================== diff --git a/odc_eks/vpc_support.tf b/odc_eks/vpc_support.tf index 6932c20a..197e69f7 100644 --- a/odc_eks/vpc_support.tf +++ b/odc_eks/vpc_support.tf @@ -32,7 +32,7 @@ data "aws_iam_policy_document" "flow_log_s3" { actions = ["s3:PutObject"] - resources = ["arn:aws:s3:::${var.flow_log_s3_bucket_name}/AWSLogs/*"] + resources = ["arn:aws:s3:::${var.flow_log_s3_bucket_name}/${var.flow_log_s3_bucket_prefix}/AWSLogs/*"] } statement { From ab66b04a7e5ae6cce7add686160ceba8105b185e Mon Sep 17 00:00:00 2001 From: lars-fillmore <97861771+lars-fillmore@users.noreply.github.com> Date: Fri, 6 Sep 2024 03:09:10 +0000 Subject: [PATCH 35/40] Update readme --- odc_eks/README.md | 167 ++++++++++++++++++++++++++-------------------- 1 file changed, 94 insertions(+), 73 deletions(-) 
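Review bot: Both `${var.flow_log_s3_bucket_prefix}` interpolations in the PATCH 34 main.tf and vpc_support.tf hunks assume a non-empty prefix, but the variable added in the variables.tf hunk defaults to `""`, so the default configuration yields the policy resource `arn:aws:s3:::<bucket>//AWSLogs/*`, which does not match the `AWSLogs/...` keys the delivery service writes when the destination has no prefix, and a destination ARN ending in `/`. Build the suffix once in `locals`, `flow_log_s3_suffix = var.flow_log_s3_bucket_prefix == "" ? "" : "/${trim(var.flow_log_s3_bucket_prefix, "/")}"`, then use `"${module.s3_bucket[0].s3_bucket_arn}${local.flow_log_s3_suffix}"` for the created-bucket destination (and the same suffix after the `flow_log_s3_bucket_name` ARN) and `"arn:aws:s3:::${var.flow_log_s3_bucket_name}${local.flow_log_s3_suffix}/AWSLogs/*"` for the policy resource, so the empty and non-empty cases both produce a valid key path. The principal and condition of the `AWSLogDeliveryWrite` statement are outside the hunk; if it does not already carry the `aws:SourceAccount` condition that AWS documents for `delivery.logs.amazonaws.com`, adding it restricts the bucket policy to deliveries from this account. The `module "vpc"` and `data "aws_iam_policy_document"` blocks both start and end outside their hunks.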
diff --git a/odc_eks/README.md b/odc_eks/README.md index 485103af..de5102f8 100644 --- a/odc_eks/README.md +++ b/odc_eks/README.md @@ -20,7 +20,7 @@ Terraform module designed to provision an Open Data Cube EKS cluster on AWS. The module provisions the following resources: -- Creates AWS EKS cluster in a VPC with subnets +- Creates AWS EKS cluster in a VPC with subnets, and optionally VPC Flow Logs (S3) - (Optionally) Creates VPC resources using [terraform-aws-vpc](https://github.com/terraform-aws-modules/terraform-aws-vpc) module with the default configuration and internet facing resources, _or_ - (Optionally) Use a supplied VPC and subnets configured and _tagged_ as required by AWS EKS - see [VPC considerations](https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html) and the requirements on subnet tagging for the [Application load balancing on Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html) 
@@ -98,65 +98,86 @@ module "odc_eks" { waf_enable_url_whitelist_string_match_set = true waf_url_whitelist_uri_prefix = "/user" waf_url_whitelist_url_host = app.example.domain.com + + # VPC Flow Logs + create_vpc_flow_logs = true + flow_log_max_aggregation_interval = 60 + flow_log_traffic_type = "ALL" + flow_log_file_format = "plain-text" + create_flow_log_s3_bucket = false + flow_log_s3_bucket_name = "dea-test-vpc-logs" + flow_log_s3_bucket_prefix = "a-prefix" } ``` ## Variables ### Inputs -| Name | Description | Type | Default | Required | -| ---------------------------- | ------------- | :----: | :-----: | :-----: | -| owner | The owner of the environment | string | | Yes | -| namespace | The unique namespace for the environment, which could be your organization name or abbreviation, e.g. 'odc' | string | | Yes | -| environment | The name of the environment - e.g. dev, stage | string | | Yes | -| region | The AWS region to provision resources | string | "ap-southeast-2" | No | -| cluster_id | The name of your cluster. Used for the resource naming as identifier | string | | Yes | -| cluster_version | EKS Cluster version to use | string | | Yes | -| admin_access_CIDRs | Locks ssh and api access to these IPs | map(string) | {} | No | -| user_custom_policy | The IAM custom policy to create and attach to EKS user role | string | "" | No | -| user_additional_policy_arn | The list of pre-defined IAM policy required to EKS user role | list(string) | [] | No | -| domain_name | The domain name to be used by applications deployed to the cluster and using ingress | string | | Yes | -| create_vpc | Create a default VPC and subnet configuration | bool | true | No | -| vpc_cidr | The network CIDR you wish to use for the VPC module subnets. Default is set to 10.0.0.0/16 for most use-cases. 
Requires create_vpc = true | string | "10.0.0.0/16" | No | -| secondary_cidr_blocks | Secondary VPC CIDRs, optional, default no secondary CIDRs | list(string) | [] | No | -| public_subnet_cidrs | List of public cidrs, for all available availability zones. Used by VPC module to set up public subnets. Requires create_vpc = true | list(string) | ["10.0.0.0/22", "10.0.4.0/22", "10.0.8.0/22"] | No | -| private_subnet_cidrs | List of private cidrs, for all available availability zones. Used by VPC module to set up private subnets. Requires create_vpc = true | list(string) | ["10.0.32.0/19", "10.0.64.0/19", "10.0.96.0/19"] | No | -| database_subnet_cidrs | List of database cidrs, for all available availability zones. Used by VPC module to set up database subnets. Requires create_vpc = true | list(string) | ["10.0.20.0/22", "10.0.24.0/22", "10.0.28.0/22"] | No | -| private_subnet_elb_role | ELB role for private subnets | string | "internal-elb" | No | -| public_subnet_elb_role | ELB role for public subnets | string | "elb" | No | -| vpc_id | Supplied VPC to use. Requires create_vpc = false | string | "" | No | -| private_subnets | Private subnet ids for supplied VPC. Requires create_vpc = false | list(string) | [] | No | -| public_subnets | Public subnet ids for supplied VPC. Requires create_vpc = false | list(string) | [] | No | -| database_subnets | Supplied VPC to use. Requires create_vpc = false | list(string) | [] | No | -| public_route_table_ids | List of public_route_table_ids for supplied VPC. Requires create_vpc = false | list(string) | [] | No | -| private_route_table_ids | List of private_route_table_ids for supplied VPC. Requires create_vpc = false | list(string) | [] | No | -| map_public_ip_on_launch | Should be false if you do not want to auto-assign public IP on launch | bool | true | No | -| enable_s3_endpoint | Whether to provision an S3 endpoint to the VPC. 
Default is set to 'true' | bool | true | No | -| enable_nat_gateway | Whether to provision a NAT Gateway in the VPC. Default is set to 'true' | bool | true | No | -| create_igw | Whether to provision an Internet Gateway in the VPC. Default is true (False for private routing) | bool | true | No | -| enable_ec2_ssm | Enables the IAM policy required for AWS EC2 System Manager in the EKS Node IAM role created | bool | true | No | -| ami_image_id | This variable can be used to deploy a patched / customised version of the Amazon EKS image | string | "" | No | -| node_group_name | Autoscaling node group name. This name is used to tag instances and ASGs | string | "eks" | No | -| default_worker_instance_type | The Worker instance type that the cluster nodes will run, for production we recommend something with a good network capability, as most of the Open Data Cube work is I/O bound, For example r4.4xlarge or c5n.4xlarge | string | | Yes | -| min_nodes | The minimum number of on-demand nodes to run | number | 0 | No | -| desired_nodes | Desired number of nodes only used when first launching the cluster afterwards you should scale with something like cluster-autoscaler | number | 0 | No | -| max_nodes | Max number of nodes you want to run, useful for controlling max cost of the cluster | number | 0 | No | -| spot_nodes_enabled | Creates a second set of Autoscaling groups (one per AZ) that are configured to run Spot instances, these instances are cheaper but can be removed any-time. Useful for fault tolerant processing work | bool | false | No | -| min_spot_nodes | The minimum number of spot nodes to run | bool | 0 | No | -| max_spot_nodes | Max number of spot you want to run, useful for controlling max cost of the cluster | number | 0 | No | -| max_spot_price | The max in USD you want to pay for each spot instance per hour. Check market price for your instance type to set its value | string | "0.40" | No | -| volume_size | The Disk size for your on-demand nodes. 
If you're getting pods evicted for ephemeral storage saving, you should increase this. | number | 20 | No | -| volume_type | Override EBS volume type for your root ebs volume e.g. gp2, gp3. If not provided, defaults to GP2 in all regions. | string | "" | No | -| volume_encrypted | Whether to encrypt the root EBS volume for nodes. Falls back on AWS EC2 default if not provided. | bool | null | No | -| spot_volume_size | The Disk size for your spot nodes. If you're getting pods evicted for ephemeral storage saving, you should increase this. | number | 20 | No | -| extra_kubelet_args | Additional kubelet command-line arguments | string | "--arg1=value --arg2" | No | -| extra_bootstrap_args | Additional bootstrap command-line arguments | string | "--arg1 value --arg2=value --arg3" | No | -| extra_userdata | Additional EC2 user data commands that will be passed to EKS nodes | string | <. Requires create_vpc = true | list(string) | ["public-subnet-a", "public-subnet-b", "public-subnet-c"] | No | +| private_subnet_names | List of names for each private subnet. For each subnet, creates the tag Name=. Requires create_vpc = true | list(string) | ["private-subnet-a", "private-subnet-b", "private-subnet-c"] | No | +| database_subnet_names | List of names for each database subnet. For each subnet, creates the tag Name=. Requires create_vpc = true | list(string) | ["database-subnet-a", "database-subnet-b", "database-subnet-c"] | No | +| private_subnet_elb_role | ELB role for private subnets | string | "internal-elb" | No | +| public_subnet_elb_role | ELB role for public subnets | string | "elb" | No | +| vpc_id | Supplied VPC to use. Requires create_vpc = false | string | "" | No | +| private_subnets | Private subnet ids for supplied VPC. Requires create_vpc = false | list(string) | [] | No | +| public_subnets | Public subnet ids for supplied VPC. Requires create_vpc = false | list(string) | [] | No | +| database_subnets | Supplied VPC to use. 
Requires create_vpc = false | list(string) | [] | No | +| public_route_table_ids | List of public_route_table_ids for supplied VPC. Requires create_vpc = false | list(string) | [] | No | +| private_route_table_ids | List of private_route_table_ids for supplied VPC. Requires create_vpc = false | list(string) | [] | No | +| map_public_ip_on_launch | Should be false if you do not want to auto-assign public IP on launch | bool | true | No | +| enable_s3_endpoint | Whether to provision an S3 endpoint to the VPC. Default is set to 'true' | bool | true | No | +| enable_nat_gateway | Whether to provision a NAT Gateway in the VPC. Default is set to 'true' | bool | true | No | +| single_nat_gateway | Should be true if you want to provision a single shared NAT Gateway across all of your private networks | bool | false | No | +| create_igw | Whether to provision an Internet Gateway in the VPC. Default is true (False for private routing) | bool | true | No | +| enable_ec2_ssm | Enables the IAM policy required for AWS EC2 System Manager in the EKS Node IAM role created | bool | true | No | +| ami_image_id | This variable can be used to deploy a patched / customised version of the Amazon EKS image | string | "" | No | +| node_group_name | Autoscaling node group name. 
This name is used to tag instances and ASGs | string | "eks" | No | +| default_worker_instance_type | The Worker instance type that the cluster nodes will run, for production we recommend something with a good network capability, as most of the Open Data Cube work is I/O bound, For example r4.4xlarge or c5n.4xlarge | string | | Yes | +| min_nodes | The minimum number of on-demand nodes to run | number | 0 | No | +| desired_nodes | Desired number of nodes only used when first launching the cluster afterwards you should scale with something like cluster-autoscaler | number | 0 | No | +| max_nodes | Max number of nodes you want to run, useful for controlling max cost of the cluster | number | 0 | No | +| spot_nodes_enabled | Creates a second set of Autoscaling groups (one per AZ) that are configured to run Spot instances, these instances are cheaper but can be removed any-time. Useful for fault tolerant processing work | bool | false | No | +| min_spot_nodes | The minimum number of spot nodes to run | bool | 0 | No | +| max_spot_nodes | Max number of spot you want to run, useful for controlling max cost of the cluster | number | 0 | No | +| max_spot_price | The max in USD you want to pay for each spot instance per hour. Check market price for your instance type to set its value | string | "0.40" | No | +| volume_size | The Disk size for your on-demand nodes. If you're getting pods evicted for ephemeral storage saving, you should increase this. | number | 20 | No | +| volume_type | Override EBS volume type for your root ebs volume e.g. gp2, gp3. If not provided, defaults to GP2 in all regions. | string | "" | No | +| volume_encrypted | Whether to encrypt the root EBS volume for nodes. Falls back on AWS EC2 default if not provided. | bool | null | No | +| spot_volume_size | The Disk size for your spot nodes. If you're getting pods evicted for ephemeral storage saving, you should increase this. 
| number | 20 | No | +| extra_kubelet_args | Additional kubelet command-line arguments | string | "--arg1=value --arg2" | No | +| extra_bootstrap_args | Additional bootstrap command-line arguments | string | "--arg1 value --arg2=value --arg3" | No | +| extra_userdata | Additional EC2 user data commands that will be passed to EKS nodes | string | < Date: Fri, 6 Sep 2024 03:26:50 +0000 Subject: [PATCH 36/40] Test tags --- odc_eks/main.tf | 2 -- 1 file changed, 2 deletions(-) diff --git a/odc_eks/main.tf b/odc_eks/main.tf index 8aa0e245..3881922e 100644 --- a/odc_eks/main.tf +++ b/odc_eks/main.tf @@ -72,8 +72,6 @@ module "vpc" { manage_default_network_acl = false manage_default_route_table = false - tags = local.tags - enable_flow_log = var.create_vpc_flow_logs flow_log_destination_type = "s3" flow_log_max_aggregation_interval = (var.create_vpc_flow_logs) ? var.flow_log_max_aggregation_interval : null From 39d9221a6aa86ab3a5485f4e553c97660c6a37d3 Mon Sep 17 00:00:00 2001 From: lars-fillmore <97861771+lars-fillmore@users.noreply.github.com> Date: Fri, 6 Sep 2024 03:41:17 +0000 Subject: [PATCH 37/40] Rename attribute for consistency --- odc_eks/README.md | 4 ++-- odc_eks/variables.tf | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/odc_eks/README.md b/odc_eks/README.md index de5102f8..b18ab4df 100644 --- a/odc_eks/README.md +++ b/odc_eks/README.md @@ -100,7 +100,7 @@ module "odc_eks" { waf_url_whitelist_url_host = app.example.domain.com # VPC Flow Logs - create_vpc_flow_logs = true + create_flow_log = true flow_log_max_aggregation_interval = 60 flow_log_traffic_type = "ALL" flow_log_file_format = "plain-text" 
@@ -170,7 +170,7 @@ module "odc_eks" {
 | enable_custom_cluster_log_group | Create a custom CloudWatch Log Group for the cluster. If you supply `enabled_cluster_log_types` but leave this false, EKS will create a log group automatically with default retention values. | bool | false | No |
 | log_retention_period | Specifies the number of days to retain cluster log event in CloudWatch, if enabled by `enable_custom_cluster_log_group` | number | 30 | No |
 | metadata_options | Metadata options for the EKS node launch templates. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template#metadata-options. | map(any) | {} | No |
-| create_vpc_flow_logs | Whether to create VPC flow logs. | bool | false | No |
+| create_flow_log | Whether to create VPC flow logs. | bool | false | No |
 | flow_log_max_aggregation_interval | The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds or `600` seconds | number | 600 | No |
 | flow_log_traffic_type | The type of traffic to capture. Valid values: ACCEPT, REJECT, ALL | string | ALL | No |
 | flow_log_file_format | The format for the flow log. Valid values: `plain-text`, `parquet` | string | plain-text | No |
diff --git a/odc_eks/variables.tf b/odc_eks/variables.tf
index 4406a740..73107567 100644
--- a/odc_eks/variables.tf
+++ b/odc_eks/variables.tf
@@ -197,7 +197,7 @@ variable "create_igw" {
 default = true
 }
-variable "create_vpc_flow_logs" {
+variable "create_flow_log" {
 type = bool
 description = "Whether to create VPC flow logs. Default is set to 'false'"
 default = false
From 646d1e4572399b6854810f8c3f8405e7235ea997 Mon Sep 17 00:00:00 2001
From: lars-fillmore <97861771+lars-fillmore@users.noreply.github.com>
Date: Fri, 6 Sep 2024 03:46:46 +0000
Subject: [PATCH 38/40] Rename attribute for consistency
---
 odc_eks/main.tf | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/odc_eks/main.tf b/odc_eks/main.tf
index 3881922e..525d9e1b 100644
--- a/odc_eks/main.tf
+++ b/odc_eks/main.tf
@@ -72,12 +72,12 @@ module "vpc" {
 manage_default_network_acl = false
 manage_default_route_table = false
- enable_flow_log = var.create_vpc_flow_logs
+ enable_flow_log = var.create_flow_log
 flow_log_destination_type = "s3"
- flow_log_max_aggregation_interval = (var.create_vpc_flow_logs) ? var.flow_log_max_aggregation_interval : null
- flow_log_traffic_type = (var.create_vpc_flow_logs) ? var.flow_log_traffic_type : null
- flow_log_file_format = (var.create_vpc_flow_logs) ? var.flow_log_file_format : null
- flow_log_destination_arn = (var.create_vpc_flow_logs) ? (var.create_flow_log_s3_bucket ? "${module.s3_bucket[0].s3_bucket_arn}/${var.flow_log_s3_bucket_prefix}" : "arn:aws:s3:::${var.flow_log_s3_bucket_name}/${var.flow_log_s3_bucket_prefix}") : null
+ flow_log_max_aggregation_interval = (var.create_flow_log) ? var.flow_log_max_aggregation_interval : null
+ flow_log_traffic_type = (var.create_flow_log) ? var.flow_log_traffic_type : null
+ flow_log_file_format = (var.create_flow_log) ? var.flow_log_file_format : null
+ flow_log_destination_arn = (var.create_flow_log) ? (var.create_flow_log_s3_bucket ? "${module.s3_bucket[0].s3_bucket_arn}/${var.flow_log_s3_bucket_prefix}" : "arn:aws:s3:::${var.flow_log_s3_bucket_name}/${var.flow_log_s3_bucket_prefix}") : null
 vpc_flow_log_tags = merge(
 {
From 1ab0a3025989523dcc3adb7fbe176b5782ecba86 Mon Sep 17 00:00:00 2001
From: lars-fillmore <97861771+lars-fillmore@users.noreply.github.com>
Date: Fri, 6 Sep 2024 03:59:11 +0000
Subject: [PATCH 39/40] Rename attribute for consistency
---
 odc_eks/vpc_support.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/odc_eks/vpc_support.tf b/odc_eks/vpc_support.tf
index 197e69f7..7838ffd2 100644
--- a/odc_eks/vpc_support.tf
+++ b/odc_eks/vpc_support.tf
@@ -7,7 +7,7 @@ resource "random_pet" "this" {
 # S3 Bucket
 module "s3_bucket" {
- count = (var.create_vpc_flow_logs && var.create_flow_log_s3_bucket) ? 1 : 0
+ count = (var.create_flow_log && var.create_flow_log_s3_bucket) ? 1 : 0
 source = "terraform-aws-modules/s3-bucket/aws"
 version = "~> 3.0"
@@ -21,7 +21,7 @@ module "s3_bucket" {
 }
 data "aws_iam_policy_document" "flow_log_s3" {
- count = (var.create_vpc_flow_logs && var.create_flow_log_s3_bucket) ? 1 : 0
+ count = (var.create_flow_log && var.create_flow_log_s3_bucket) ? 1 : 0
 statement {
 sid = "AWSLogDeliveryWrite"
From e8e8d53018000e4a9f3a0c5837add30d7c33bb02 Mon Sep 17 00:00:00 2001
From: Stacy Horton
Date: Tue, 1 Oct 2024 13:35:22 +1000
Subject: [PATCH 40/40] Fix for admin_permissions trying to recreate clusters
---
 odc_eks/modules/eks/main.tf | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/odc_eks/modules/eks/main.tf b/odc_eks/modules/eks/main.tf
index 85f85614..810944a6 100644
--- a/odc_eks/modules/eks/main.tf
+++ b/odc_eks/modules/eks/main.tf
@@ -31,6 +31,14 @@ resource "aws_eks_cluster" "eks" {
 },
 var.tags
 )
+
+ lifecycle {
+ ignore_changes = [
+ # When the access_config was added recently it defaulted to false but didn't affect the cluster setting.
+ # Changing this from false to true will cause and existing cluster to be recreated so let's ignore this change to avoid that.
+ access_config[0].bootstrap_cluster_creator_admin_permissions,
+ ]
+ }
 }
 resource "null_resource" "wait_for_cluster" {
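Review bot: Putting `access_config[0].bootstrap_cluster_creator_admin_permissions` under `ignore_changes` makes the value written in this module stop describing the cluster's real state, and that attribute decides whether the IAM principal that created the cluster keeps cluster-admin; after this change `terraform plan` will never surface that an existing cluster still grants its creator admin while a newly created one takes whatever the `access_config` block (outside this hunk) sets. The comment inside `ignore_changes` should say so, e.g. `# NOTE: existing clusters keep the value they were created with; confirm the effective setting with 'aws eks describe-cluster --query cluster.accessConfig' before relying on this attribute as a security control.` The second comment also has a typo, `cause and existing cluster` should read `cause an existing cluster`. The enclosing `resource "aws_eks_cluster" "eks"` starts before this hunk, so it is not visible whether `access_config` is declared at all; if it is not, the provider's own default presumably applies to new clusters and the claim "it defaulted to false" should be checked against the provider version the module pins.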