Feat/merge upstream awsprovider update

CHANGELOG.md

@@ -1,3 +1,14 @@
+# master
+
+* The update to the version of Terraform AWS VPC module will require the following manual edits to the state file:
+
+```bash
+terraform state rm module.odc_eks.module.vpc[0].aws_vpc_endpoint_route_table_association.private_s3
+terraform state rm module.odc_eks.module.vpc[0].aws_vpc_endpoint_route_table_association.public_s3
+```
+
+See Terraform AWS VPC module upgrade instructions at https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/fbd4ff646b4caaa6fcc1fb71bc88d377cc8b3b48/UPGRADE-3.0.md?plain=1#L25.
+
 # v1.10.0 odc_eks - Optional vpc creation update procedure
 
 Making VPC creation optional has added a `count` to the `module.odc_eks.module.vpc` resource path.
@@ -50,4 +61,4 @@ terraform state mv module.odc_eks.module.vpc.aws_vpc_endpoint_route_table_associ
 terraform state mv module.odc_eks.module.vpc.aws_vpc_endpoint_route_table_association.private_s3[1] module.odc_eks.module.vpc[0].aws_vpc_endpoint_route_table_association.private_s3[1]
 terraform state mv module.odc_eks.module.vpc.aws_vpc_endpoint_route_table_association.private_s3[2] module.odc_eks.module.vpc[0].aws_vpc_endpoint_route_table_association.private_s3[2]
 terraform state mv module.odc_eks.module.vpc.aws_vpc_endpoint_route_table_association.public_s3[0] module.odc_eks.module.vpc[0].aws_vpc_endpoint_route_table_association.public_s3[0]
-```
+```

odc_eks/main.tf

@@ -13,19 +13,32 @@ module "odc_eks_label" {
 
 locals {
   cluster_id = (var.cluster_id != "") ? var.cluster_id : module.odc_eks_label.id
-}
 
-module "vpc" {
-  source = "git::https://github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v2.70.0"
+  tags = merge(
+    {
+      Name        = "${local.cluster_id}-vpc"
+      owner       = var.owner
+      namespace   = var.namespace
+      environment = var.environment
+    },
+    var.tags
+  )
 
-  count = var.create_vpc ? 1 : 0
+}
 
-  name             = "${local.cluster_id}-vpc"
-  cidr             = var.vpc_cidr
-  azs              = data.aws_availability_zones.available.names
-  public_subnets   = var.public_subnet_cidrs
-  private_subnets  = var.private_subnet_cidrs
-  database_subnets = var.database_subnet_cidrs
+module "vpc" {
+  source = "git::https://github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v5.5.2"
+  count  = var.create_vpc ? 1 : 0
+
+  name                  = "${local.cluster_id}-vpc"
+  cidr                  = var.vpc_cidr
+  azs                   = data.aws_availability_zones.available.names
+  public_subnets        = var.public_subnet_cidrs
+  private_subnets       = var.private_subnet_cidrs
+  database_subnets      = var.database_subnet_cidrs
+  public_subnet_names   = (length(var.public_subnet_names) == length(var.public_subnet_cidrs)) ? var.public_subnet_names : null
+  private_subnet_names  = (length(var.private_subnet_names) == length(var.private_subnet_cidrs)) ? var.private_subnet_names : null
+  database_subnet_names = (length(var.database_subnet_names) == length(var.database_subnet_cidrs)) ? var.database_subnet_names : null
 
   secondary_cidr_blocks   = var.secondary_cidr_blocks
   map_public_ip_on_launch = var.map_public_ip_on_launch
@@ -51,13 +64,24 @@ module "vpc" {
   enable_dns_support   = true
 
   enable_nat_gateway           = var.enable_nat_gateway
+  single_nat_gateway           = var.single_nat_gateway
   create_igw                   = var.create_igw
   create_database_subnet_group = true
-  enable_s3_endpoint           = var.enable_s3_endpoint
 
-  tags = merge(
+  manage_default_security_group = false
+  manage_default_network_acl    = false
+  manage_default_route_table    = false
+
+  enable_flow_log                   = var.create_flow_log
+  flow_log_destination_type         = "s3"
+  flow_log_max_aggregation_interval = (var.create_flow_log) ? var.flow_log_max_aggregation_interval : null
+  flow_log_traffic_type             = (var.create_flow_log) ? var.flow_log_traffic_type : null
+  flow_log_file_format              = (var.create_flow_log) ? var.flow_log_file_format : null
+  flow_log_destination_arn          = (var.create_flow_log) ? (var.create_flow_log_s3_bucket ? "${module.s3_bucket[0].s3_bucket_arn}/${var.flow_log_s3_bucket_prefix}" : "arn:aws:s3:::${var.flow_log_s3_bucket_name}/${var.flow_log_s3_bucket_prefix}") : null
+
+  vpc_flow_log_tags = merge(
     {
-      Name        = "${local.cluster_id}-vpc"
+      Name        = "${local.cluster_id}-vpc-flow-logs"
       owner       = var.owner
       namespace   = var.namespace
       environment = var.environment
@@ -66,6 +90,33 @@ module "vpc" {
   )
 }
 
+moved {
+  from = module.vpc[0].aws_vpc_endpoint.s3[0]
+  to   = module.vpc_endpoints[0].aws_vpc_endpoint.this["s3"]
+}
+
+module "vpc_endpoints" {
+  source = "git::https://github.com/terraform-aws-modules/terraform-aws-vpc.git//modules/vpc-endpoints?ref=v5.1.1"
+  count  = var.create_vpc && var.enable_s3_endpoint ? 1 : 0
+
+  vpc_id             = module.vpc[0].vpc_id
+  security_group_ids = [module.vpc[0].default_security_group_id]
+
+  endpoints = {
+    s3 = {
+      service      = "s3"
+      service_type = "Gateway"
+
+      route_table_ids = flatten([
+        module.vpc[0].private_route_table_ids,
+        module.vpc[0].public_route_table_ids
+      ])
+    }
+  }
+
+  tags = local.tags
+}
+
 # Creates network and Kuberenetes master nodes
 module "eks" {
   source             = "./modules/eks"

odc_eks/modules/eks/main.tf

@@ -10,6 +10,11 @@ resource "aws_eks_cluster" "eks" {
     subnet_ids         = var.eks_subnet_ids
   }
 
+  access_config {
+    authentication_mode                         = "API_AND_CONFIG_MAP"
+    bootstrap_cluster_creator_admin_permissions = true
+  }
+
   depends_on = [
     aws_iam_role_policy_attachment.eks-cluster-AmazonEKSClusterPolicy,
     aws_iam_role_policy_attachment.eks-cluster-AmazonEKSServicePolicy,
@@ -26,6 +31,14 @@ resource "aws_eks_cluster" "eks" {
     },
     var.tags
   )
+
+  lifecycle {
+    ignore_changes = [
+      # When the access_config was added recently it defaulted to false but didn't affect the cluster setting.
+      # Changing this from false to true will cause and existing cluster to be recreated so let's ignore this change to avoid that.
+      access_config[0].bootstrap_cluster_creator_admin_permissions,
+    ]
+  }
 }
 
 resource "null_resource" "wait_for_cluster" {

odc_eks/modules/eks/variables.tf

@@ -138,6 +138,12 @@ variable "log_retention_period" {
   default     = 30
 }
 
+variable "enable_ecr_pullthough_cache_permissions" {
+  type        = bool
+  description = "Create additional cluster node IAM permissions to allow cluster to use ecr pull-through cache rules."
+  default     = false
+}
+
 #--------------------------------------------------------------
 # Tags
 #--------------------------------------------------------------

odc_eks/modules/eks/worker_image.tf

@@ -92,11 +92,11 @@ resource "aws_launch_template" "spot" {
   instance_type = var.default_worker_instance_type
 
   metadata_options {
-    http_endpoint               = var.metadata_options.http_endpoint
-    http_tokens                 = var.metadata_options.http_tokens
-    http_put_response_hop_limit = var.metadata_options.http_put_response_hop_limit
-    http_protocol_ipv6          = var.metadata_options.http_protocol_ipv6
-    instance_metadata_tags      = var.metadata_options.instance_metadata_tags
+    http_endpoint               = lookup(var.metadata_options, "http_endpoint", null)
+    http_tokens                 = lookup(var.metadata_options, "http_tokens", null)
+    http_put_response_hop_limit = lookup(var.metadata_options, "http_put_response_hop_limit", null)
+    http_protocol_ipv6          = lookup(var.metadata_options, "http_protocol_ipv6", null)
+    instance_metadata_tags      = lookup(var.metadata_options, "instance_metadata_tags", null)
   }
 
   iam_instance_profile {

odc_eks/modules/eks/worker_policy.tf

@@ -49,11 +49,43 @@ resource "aws_iam_policy" "eks_kube2iam" {
 
 }
 
+resource "aws_iam_policy" "ecr_pullthrough_cache" {
+  count       = (var.enable_ecr_pullthough_cache_permissions ? 1 : 0)
+  name        = "${var.cluster_id}-ecr-pull-through-cache"
+  path        = "/"
+  description = "Enables cluster to use ecr pull-through cache."
+
+  policy = <<-EOF
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Action": [
+            "ecr:BatchImportUpstreamImage",
+            "ecr:CreateRepository",
+            "ecr:TagResource",
+            "ecr:CreatePullThroughCacheRule"
+          ],
+          "Effect": "Allow",
+          "Resource": "*"
+        }
+      ]
+    }
+  EOF
+
+}
+
 resource "aws_iam_role_policy_attachment" "eks_node_kube2iam" {
   policy_arn = aws_iam_policy.eks_kube2iam.arn
   role       = aws_iam_role.eks_node.name
 }
 
+resource "aws_iam_role_policy_attachment" "eks_node_pullthrough" {
+  count      = (var.enable_ecr_pullthough_cache_permissions ? 1 : 0)
+  policy_arn = aws_iam_policy.ecr_pullthrough_cache[0].arn
+  role       = aws_iam_role.eks_node.name
+}
+
 resource "aws_iam_role_policy_attachment" "eks_node_AmazonEKSWorkerNodePolicy" {
   policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
   role       = aws_iam_role.eks_node.name

odc_eks/variables.tf

@@ -126,6 +126,12 @@ variable "public_subnet_cidrs" {
   default     = []
 }
 
+variable "public_subnet_names" {
+  type        = list(string)
+  description = "list of public subnet names to use"
+  default     = []
+}
+
 variable "map_public_ip_on_launch" {
   description = "Should be false if you do not want to auto-assign public IP on launch"
   type        = bool
@@ -138,12 +144,24 @@ variable "private_subnet_cidrs" {
   default     = []
 }
 
+variable "private_subnet_names" {
+  type        = list(string)
+  description = "list of private subnet names to use"
+  default     = []
+}
+
 variable "database_subnet_cidrs" {
   description = "List of database cidrs, for all available availability zones. Example: 10.0.0.0/24 and 10.0.1.0/24"
   type        = list(string)
   default     = []
 }
 
+variable "database_subnet_names" {
+  type        = list(string)
+  description = "list of database subnet names to use"
+  default     = []
+}
+
 variable "private_subnet_elb_role" {
   type        = string
   description = "ELB role for private subnets "
@@ -168,13 +186,60 @@ variable "enable_nat_gateway" {
   default     = true
 }
 
+variable "single_nat_gateway" {
+  description = "Should be true if you want to provision a single shared NAT Gateway across all of your private networks"
+  type        = bool
+  default     = false
+}
 
 variable "create_igw" {
   type        = bool
   description = "Whether to provision an Internet Gateway in the VPC. Default is true (False for private routing)"
   default     = true
 }
 
+variable "create_flow_log" {
+  type        = bool
+  description = "Whether to create VPC flow logs. Default is set to 'false'"
+  default     = false
+}
+
+variable "flow_log_max_aggregation_interval" {
+  description = "The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds or `600` seconds"
+  type        = number
+  default     = 600
+}
+
+variable "flow_log_traffic_type" {
+  description = "The type of traffic to capture. Valid values: ACCEPT, REJECT, ALL"
+  type        = string
+  default     = "ALL"
+}
+
+variable "flow_log_file_format" {
+  description = "(Optional) The format for the flow log. Valid values: `plain-text`, `parquet`"
+  type        = string
+  default     = "plain-text"
+}
+
+variable "create_flow_log_s3_bucket" {
+  type        = bool
+  description = "Whether to create a S3 bucket for the vpc flow logs. Default is set to 'false'"
+  default     = false
+}
+
+variable "flow_log_s3_bucket_name" {
+  description = "The name of the bucket used to store the logs"
+  type        = string
+  default     = ""
+}
+
+variable "flow_log_s3_bucket_prefix" {
+  description = "The name of the prefix used to store the logs on S3"
+  type        = string
+  default     = ""
+}
+
 
 # EC2 Worker Roles
 # ==================
@@ -333,7 +398,7 @@ variable "addon_vpccni_resolve_create" {
   description = "How to resolve conflicts on add-on creation (NONE, OVERWRITE)"
   type        = string
   default     = "OVERWRITE"
-  
+
   validation {
     condition     = contains(["NONE", "OVERWRITE"], var.addon_vpccni_resolve_create)
     error_message = "The addon_vpccni_resolve_create value must be one of ('NONE', 'OVERWRITE')"
@@ -344,7 +409,7 @@ variable "addon_vpccni_resolve_update" {
   description = "How to resolve conflicts on add-on update (NONE, OVERWRITE, PRESERVE)"
   type        = string
   default     = "OVERWRITE"
-  
+
   validation {
     condition     = contains(["NONE", "OVERWRITE", "PRESERVE"], var.addon_vpccni_resolve_update)
     error_message = "The addon_vpccni_resolve_update value must be one of ('NONE', 'OVERWRITE', 'PRESERVE')"
@@ -377,7 +442,7 @@ variable "addon_kubeproxy_resolve_create" {
   description = "How to resolve conflicts on add-on creation (NONE, OVERWRITE)"
   type        = string
   default     = "OVERWRITE"
-  
+
   validation {
     condition     = contains(["NONE", "OVERWRITE"], var.addon_kubeproxy_resolve_create)
     error_message = "The addon_kubeproxy_resolve_create value must be one of ('NONE', 'OVERWRITE')"
@@ -388,7 +453,7 @@ variable "addon_kubeproxy_resolve_update" {
   description = "How to resolve conflicts on add-on update (NONE, OVERWRITE, PRESERVE)"
   type        = string
   default     = "OVERWRITE"
-  
+
   validation {
     condition     = contains(["NONE", "OVERWRITE", "PRESERVE"], var.addon_kubeproxy_resolve_update)
     error_message = "The addon_kubeproxy_resolve_update value must be one of ('NONE', 'OVERWRITE', 'PRESERVE')"
@@ -417,7 +482,7 @@ variable "addon_coredns_resolve_create" {
   description = "How to resolve conflicts on add-on creation (NONE, OVERWRITE)"
   type        = string
   default     = "OVERWRITE"
-  
+
   validation {
     condition     = contains(["NONE", "OVERWRITE"], var.addon_coredns_resolve_create)
     error_message = "The addon_coredns_resolve_create value must be one of ('NONE', 'OVERWRITE')"
@@ -428,7 +493,7 @@ variable "addon_coredns_resolve_update" {
   description = "How to resolve conflicts on add-on update (NONE, OVERWRITE, PRESERVE)"
   type        = string
   default     = "OVERWRITE"
-  
+
   validation {
     condition     = contains(["NONE", "OVERWRITE", "PRESERVE"], var.addon_coredns_resolve_update)
     error_message = "The addon_coredns_resolve_update value must be one of ('NONE', 'OVERWRITE', 'PRESERVE')"