diff --git a/README.md b/README.md
index 84f29d2c..b2501b9b 100644
--- a/README.md
+++ b/README.md
@@ -1,73 +1,387 @@ -# tf_cod -Terraform repo used for Clusters On Demand (COD) +## Requirements -## pre-commit setup +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 0.13.5 | +| [argocd](#requirement\_argocd) | 6.0.2 | +| [aws](#requirement\_aws) | 5.68.0 | +| [github](#requirement\_github) | 5.34.0 | +| [helm](#requirement\_helm) | >= 2.15.0 | +| [htpasswd](#requirement\_htpasswd) | 1.0.4 | +| [keycloak](#requirement\_keycloak) | 4.3.1 | +| [kubectl](#requirement\_kubectl) | 1.14.0 | +| [kubernetes](#requirement\_kubernetes) | >= 2.33.0 | +| [random](#requirement\_random) | ~>3.5.1 | +| [time](#requirement\_time) | 0.9.1 | +| [vault](#requirement\_vault) | 3.22.0 | -1. Make sure you install the python requirements for this repo. +## Providers - `pip install -r smoketests/requirements.txt` +| Name | Version | +|------|---------| +| [argocd](#provider\_argocd) | 6.0.2 | +| [aws](#provider\_aws) | 5.68.0 | +| [aws.aws-indico-devops](#provider\_aws.aws-indico-devops) | 5.68.0 | +| [aws.dns-control](#provider\_aws.dns-control) | 5.68.0 | +| [external](#provider\_external) | 2.3.4 | +| [github](#provider\_github) | 5.34.0 | +| [helm](#provider\_helm) | 2.16.1 | +| [htpasswd](#provider\_htpasswd) | 1.0.4 | +| [kubectl](#provider\_kubectl) | 1.14.0 | +| [kubernetes](#provider\_kubernetes) | 2.33.0 | +| [local](#provider\_local) | 2.5.2 | +| [null](#provider\_null) | 3.2.3 | +| [random](#provider\_random) | 3.5.1 | +| [time](#provider\_time) | 0.9.1 | +| [tls](#provider\_tls) | 4.0.6 | +| [vault](#provider\_vault) | 3.22.0 | -2. 
Install/Setup pre-commit +## Modules - `pre-commit install` +| Name | Source | Version | +|------|--------|---------| +| [argo-registration](#module\_argo-registration) | app.terraform.io/indico/indico-argo-registration/mod | 1.2.2 | +| [cluster](#module\_cluster) | app.terraform.io/indico/indico-aws-eks-cluster/mod | 8.2.3 | +| [efs-storage](#module\_efs-storage) | app.terraform.io/indico/indico-aws-efs/mod | 2.0.0 | +| [efs-storage-local-registry](#module\_efs-storage-local-registry) | app.terraform.io/indico/indico-aws-efs/mod | 0.0.1 | +| [fsx-storage](#module\_fsx-storage) | app.terraform.io/indico/indico-aws-fsx/mod | 2.0.0 | +| [harness\_delegate](#module\_harness\_delegate) | ./modules/harness | n/a | +| [k8s\_dashboard](#module\_k8s\_dashboard) | ./modules/aws/k8s_dashboard | n/a | +| [keycloak](#module\_keycloak) | ./modules/aws/keycloak | n/a | +| [kms\_key](#module\_kms\_key) | app.terraform.io/indico/indico-aws-kms/mod | 2.1.2 | +| [lambda-sns-forwarder](#module\_lambda-sns-forwarder) | app.terraform.io/indico/indico-lambda-sns-forwarder/mod | 2.0.0 | +| [networking](#module\_networking) | app.terraform.io/indico/indico-aws-network/mod | 2.1.0 | +| [public\_networking](#module\_public\_networking) | app.terraform.io/indico/indico-aws-network/mod | 1.2.2 | +| [s3-storage](#module\_s3-storage) | app.terraform.io/indico/indico-aws-buckets/mod | 3.3.1 | +| [secrets-operator-setup](#module\_secrets-operator-setup) | ./modules/common/vault-secrets-operator-setup | n/a | +| [security-group](#module\_security-group) | app.terraform.io/indico/indico-aws-security-group/mod | 3.0.0 | +| [sqs\_sns](#module\_sqs\_sns) | app.terraform.io/indico/indico-aws-sqs-sns/mod | 1.2.0 | -## Smoketests +## Resources -Whenever `tf_cod` has a commit to it, a Dockerfile located in [smoketests/Dockerfile](smoketests/Dockefile) gets built via a [drone job](https://drone.devops.indico.io/IndicoDataSolutions/tf_cod) +| Name | Type | +|------|------| +| 
[argocd_application.ipa](https://registry.terraform.io/providers/oboukili/argocd/6.0.2/docs/resources/application) | resource | +| [aws_acm_certificate.alb](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/acm_certificate) | resource | +| [aws_acm_certificate_validation.alb](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/acm_certificate_validation) | resource | +| [aws_efs_access_point.local-registry](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/efs_access_point) | resource | +| [aws_eks_addon.guardduty](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/eks_addon) | resource | +| [aws_key_pair.kp](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/key_pair) | resource | +| [aws_route53_record.alb](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/route53_record) | resource | +| [aws_route53_record.alertmanager-caa](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/route53_record) | resource | +| [aws_route53_record.grafana-caa](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/route53_record) | resource | +| [aws_route53_record.ipa-app-caa](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/route53_record) | resource | +| [aws_route53_record.prometheus-caa](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/route53_record) | resource | +| [aws_security_group.eks_vpc_endpoint_guardduty](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/security_group) | resource | +| [aws_vpc_endpoint.eks_vpc_guardduty](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/vpc_endpoint) | resource | +| [aws_wafv2_web_acl.wafv2-acl](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/resources/wafv2_web_acl) | resource | +| 
[github_repository_file.alb-values-yaml](https://registry.terraform.io/providers/integrations/github/5.34.0/docs/resources/repository_file) | resource | +| [github_repository_file.argocd-application-yaml](https://registry.terraform.io/providers/integrations/github/5.34.0/docs/resources/repository_file) | resource | +| [github_repository_file.crds-values-yaml](https://registry.terraform.io/providers/integrations/github/5.34.0/docs/resources/repository_file) | resource | +| [github_repository_file.custom-application-yaml](https://registry.terraform.io/providers/integrations/github/5.34.0/docs/resources/repository_file) | resource | +| [github_repository_file.pre-reqs-values-yaml](https://registry.terraform.io/providers/integrations/github/5.34.0/docs/resources/repository_file) | resource | +| [github_repository_file.smoketest-application-yaml](https://registry.terraform.io/providers/integrations/github/5.34.0/docs/resources/repository_file) | resource | +| [helm_release.external-secrets](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [helm_release.ipa-crds](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [helm_release.ipa-pre-requisites](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [helm_release.ipa-vso](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [helm_release.keda-monitoring](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [helm_release.local-registry](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [helm_release.monitoring](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [helm_release.nfs-provider](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | 
resource | +| [helm_release.opentelemetry-collector](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [helm_release.terraform-smoketests](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [htpasswd_password.hash](https://registry.terraform.io/providers/loafoe/htpasswd/1.0.4/docs/resources/password) | resource | +| [kubectl_manifest.gp2-storageclass](https://registry.terraform.io/providers/gavinbunney/kubectl/1.14.0/docs/resources/manifest) | resource | +| [kubectl_manifest.nfs_server](https://registry.terraform.io/providers/gavinbunney/kubectl/1.14.0/docs/resources/manifest) | resource | +| [kubectl_manifest.nfs_server_service](https://registry.terraform.io/providers/gavinbunney/kubectl/1.14.0/docs/resources/manifest) | resource | +| [kubectl_manifest.nfs_volume](https://registry.terraform.io/providers/gavinbunney/kubectl/1.14.0/docs/resources/manifest) | resource | +| [kubectl_manifest.snapshot-cluster-role](https://registry.terraform.io/providers/gavinbunney/kubectl/1.14.0/docs/resources/manifest) | resource | +| [kubectl_manifest.snapshot-cluster-role-binding](https://registry.terraform.io/providers/gavinbunney/kubectl/1.14.0/docs/resources/manifest) | resource | +| [kubectl_manifest.snapshot-service-account](https://registry.terraform.io/providers/gavinbunney/kubectl/1.14.0/docs/resources/manifest) | resource | +| [kubernetes_cluster_role_binding.cod-role-bindings](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role_binding) | resource | +| [kubernetes_cluster_role_binding.devops-rbac-bindings](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role_binding) | resource | +| [kubernetes_cluster_role_binding.eng-qa-rbac-bindings](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role_binding) | resource | +| 
[kubernetes_config_map.terraform-variables](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map) | resource | +| [kubernetes_job.snapshot-restore-job](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/job) | resource | +| [kubernetes_namespace.local-registry](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | +| [kubernetes_persistent_volume.local-registry](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/persistent_volume) | resource | +| [kubernetes_persistent_volume_claim.local-registry](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/persistent_volume_claim) | resource | +| [kubernetes_secret.harbor-pull-secret](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource | +| [kubernetes_secret.issuer-secret](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource | +| [kubernetes_secret.readapi](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource | +| [kubernetes_storage_class_v1.local-registry](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class_v1) | resource | +| [null_resource.enable-oidc](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [null_resource.get_nfs_server_ip](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [null_resource.s3-delete-data-bucket](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [null_resource.s3-delete-data-pgbackup-bucket](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| 
[null_resource.update_storage_class](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [null_resource.wait-for-tf-cod-chart-build](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [random_password.monitoring-password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource | +| [random_password.password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource | +| [random_password.salt](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource | +| [time_sleep.wait_1_minutes_after_crds](https://registry.terraform.io/providers/hashicorp/time/0.9.1/docs/resources/sleep) | resource | +| [time_sleep.wait_1_minutes_after_pre_reqs](https://registry.terraform.io/providers/hashicorp/time/0.9.1/docs/resources/sleep) | resource | +| [tls_private_key.pk](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/data-sources/caller_identity) | data source | +| [aws_eks_cluster.local](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/data-sources/eks_cluster) | data source | +| [aws_eks_cluster.thanos](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/data-sources/eks_cluster) | data source | +| [aws_eks_cluster_auth.local](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/data-sources/eks_cluster_auth) | data source | +| [aws_eks_cluster_auth.thanos](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/data-sources/eks_cluster_auth) | data source | +| [aws_iam_policy_document.eks_vpc_guardduty](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/data-sources/iam_policy_document) | data source | +| 
[aws_route53_zone.primary](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/data-sources/route53_zone) | data source | +| [aws_vpc_endpoint_service.guardduty](https://registry.terraform.io/providers/hashicorp/aws/5.68.0/docs/data-sources/vpc_endpoint_service) | data source | +| [external_external.git_information](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/external) | data source | +| [github_repository.argo-github-repo](https://registry.terraform.io/providers/integrations/github/5.34.0/docs/data-sources/repository) | data source | +| [github_repository_file.data-crds-values](https://registry.terraform.io/providers/integrations/github/5.34.0/docs/data-sources/repository_file) | data source | +| [github_repository_file.data-pre-reqs-values](https://registry.terraform.io/providers/integrations/github/5.34.0/docs/data-sources/repository_file) | data source | +| [local_file.nfs_ip](https://registry.terraform.io/providers/hashicorp/local/latest/docs/data-sources/file) | data source | +| [vault_kv_secret_v2.account-robot-credentials](https://registry.terraform.io/providers/hashicorp/vault/3.22.0/docs/data-sources/kv_secret_v2) | data source | +| [vault_kv_secret_v2.delegate_secrets](https://registry.terraform.io/providers/hashicorp/vault/3.22.0/docs/data-sources/kv_secret_v2) | data source | +| [vault_kv_secret_v2.harbor-api-token](https://registry.terraform.io/providers/hashicorp/vault/3.22.0/docs/data-sources/kv_secret_v2) | data source | +| [vault_kv_secret_v2.readapi_secret](https://registry.terraform.io/providers/hashicorp/vault/3.22.0/docs/data-sources/kv_secret_v2) | data source | +| [vault_kv_secret_v2.zerossl_data](https://registry.terraform.io/providers/hashicorp/vault/3.22.0/docs/data-sources/kv_secret_v2) | data source | -This Dockerfile contains the smoketests that validate that the input variables [./variables.tf](variables.tf) are indeed used to configure the infrastructure. 
The Dockerfile contains the `aws` cli as well as the `az` cli, along with `kubectl`. The tests may freely use these cli tools since there is a policy which enables it to run without special authentication in the same way that the boto3 blob api works. +## Inputs -The (pytest) tests are in 3 categories: +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [acm\_arn](#input\_acm\_arn) | arn of a pre-existing acm certificate | `string` | `""` | no | +| [additional\_tags](#input\_additional\_tags) | Additonal tags to add to each resource | `map(string)` | `null` | no | +| [alerting\_email\_enabled](#input\_alerting\_email\_enabled) | enable alerts via email | `bool` | `false` | no | +| [alerting\_email\_from](#input\_alerting\_email\_from) | alerting\_email\_from. | `string` | `"blank"` | no | +| [alerting\_email\_host](#input\_alerting\_email\_host) | alerting\_email\_host | `string` | `"blank"` | no | +| [alerting\_email\_password](#input\_alerting\_email\_password) | alerting\_email\_password | `string` | `"blank"` | no | +| [alerting\_email\_to](#input\_alerting\_email\_to) | alerting\_email\_to | `string` | `"blank"` | no | +| [alerting\_email\_username](#input\_alerting\_email\_username) | alerting\_email\_username | `string` | `"blank"` | no | +| [alerting\_enabled](#input\_alerting\_enabled) | enable alerts | `bool` | `false` | no | +| [alerting\_pagerduty\_enabled](#input\_alerting\_pagerduty\_enabled) | enable alerts via pagerduty | `bool` | `false` | no | +| [alerting\_pagerduty\_integration\_key](#input\_alerting\_pagerduty\_integration\_key) | Secret pagerduty\_integration\_key. | `string` | `"blank"` | no | +| [alerting\_slack\_channel](#input\_alerting\_slack\_channel) | Slack channel for sending notifications from alertmanager. 
| `string` | `"blank"` | no | +| [alerting\_slack\_enabled](#input\_alerting\_slack\_enabled) | enable alerts via slack | `bool` | `false` | no | +| [alerting\_slack\_token](#input\_alerting\_slack\_token) | Secret url with embedded token needed for slack webhook delivery. | `string` | `"blank"` | no | +| [applications](#input\_applications) | n/a |
map(object({
name = string
repo = string
chart = string
version = string
values = string,
namespace = string,
createNamespace = bool,
vaultPath = string
}))
| `{}` | no | +| [argo\_branch](#input\_argo\_branch) | Branch to use on argo\_repo | `string` | `""` | no | +| [argo\_enabled](#input\_argo\_enabled) | n/a | `bool` | `true` | no | +| [argo\_github\_team\_owner](#input\_argo\_github\_team\_owner) | The GitHub Team that has owner-level access to this Argo Project | `string` | `"devops-core-admins"` | no | +| [argo\_host](#input\_argo\_host) | n/a | `string` | `"argo.devops.indico.io"` | no | +| [argo\_namespace](#input\_argo\_namespace) | n/a | `string` | `"argo"` | no | +| [argo\_password](#input\_argo\_password) | n/a | `string` | `"not used"` | no | +| [argo\_path](#input\_argo\_path) | Path within the argo\_repo containing yaml | `string` | `"."` | no | +| [argo\_repo](#input\_argo\_repo) | Argo Github Repository containing the IPA Application | `string` | `""` | no | +| [argo\_username](#input\_argo\_username) | n/a | `string` | `"admin"` | no | +| [aws\_access\_key](#input\_aws\_access\_key) | The AWS access key to use for deployment | `string` | n/a | yes | +| [aws\_account](#input\_aws\_account) | The Name of the AWS Acccount this cluster lives in | `string` | n/a | yes | +| [aws\_primary\_dns\_role\_arn](#input\_aws\_primary\_dns\_role\_arn) | The AWS arn for the role needed to manage route53 DNS in a different account. 
| `string` | `""` | no | +| [aws\_secret\_key](#input\_aws\_secret\_key) | The AWS secret key to use for deployment | `string` | n/a | yes | +| [aws\_session\_token](#input\_aws\_session\_token) | The AWS session token to use for deployment | `string` | `null` | no | +| [az\_count](#input\_az\_count) | Number of availability zones for nodes | `number` | `2` | no | +| [azure\_indico\_io\_client\_id](#input\_azure\_indico\_io\_client\_id) | Old provider configuration to remove orphaned readapi resources | `string` | `""` | no | +| [azure\_indico\_io\_client\_secret](#input\_azure\_indico\_io\_client\_secret) | n/a | `string` | `""` | no | +| [azure\_indico\_io\_subscription\_id](#input\_azure\_indico\_io\_subscription\_id) | n/a | `string` | `""` | no | +| [azure\_indico\_io\_tenant\_id](#input\_azure\_indico\_io\_tenant\_id) | n/a | `string` | `""` | no | +| [azure\_readapi\_client\_id](#input\_azure\_readapi\_client\_id) | n/a | `string` | `""` | no | +| [azure\_readapi\_client\_secret](#input\_azure\_readapi\_client\_secret) | n/a | `string` | `""` | no | +| [azure\_readapi\_subscription\_id](#input\_azure\_readapi\_subscription\_id) | n/a | `string` | `""` | no | +| [azure\_readapi\_tenant\_id](#input\_azure\_readapi\_tenant\_id) | n/a | `string` | `""` | no | +| [bucket\_versioning](#input\_bucket\_versioning) | Enable bucket object versioning | `bool` | `true` | no | +| [cluster\_api\_endpoint\_public](#input\_cluster\_api\_endpoint\_public) | If enabled this allow public access to the cluster api endpoint. | `bool` | `true` | no | +| [cluster\_name](#input\_cluster\_name) | Name of the EKS cluster | `string` | `"indico-cluster"` | no | +| [cluster\_node\_policies](#input\_cluster\_node\_policies) | Additonal IAM policies to add to the cluster IAM role | `list(any)` |
[
"IAMReadOnlyAccess"
]
| no | +| [crds-values-yaml-b64](#input\_crds-values-yaml-b64) | n/a | `string` | `"Cg=="` | no | +| [create\_guardduty\_vpc\_endpoint](#input\_create\_guardduty\_vpc\_endpoint) | If true this will create a vpc endpoint for guardduty. | `bool` | `true` | no | +| [csi\_driver\_nfs\_version](#input\_csi\_driver\_nfs\_version) | Version of csi-driver-nfs helm chart | `string` | `"v4.0.9"` | no | +| [default\_tags](#input\_default\_tags) | Default tags to add to each resource | `map(string)` | `null` | no | +| [deletion\_protection\_enabled](#input\_deletion\_protection\_enabled) | Enable deletion protection if set to true | `bool` | `true` | no | +| [devops\_tools\_cluster\_ca\_certificate](#input\_devops\_tools\_cluster\_ca\_certificate) | n/a | `string` | `"provided from the varset devops-tools-cluster"` | no | +| [devops\_tools\_cluster\_host](#input\_devops\_tools\_cluster\_host) | n/a | `string` | `"provided from the varset devops-tools-cluster"` | no | +| [direct\_connect](#input\_direct\_connect) | Sets up the direct connect configuration if true; else use public subnets | `bool` | `false` | no | +| [dns\_zone\_name](#input\_dns\_zone\_name) | Name of the dns zone used to control DNS | `string` | `""` | no | +| [domain\_host](#input\_domain\_host) | domain host name. 
| `string` | `""` | no | +| [domain\_suffix](#input\_domain\_suffix) | Domain suffix | `string` | `"indico.io"` | no | +| [efs\_filesystem\_name](#input\_efs\_filesystem\_name) | The filesystem name of an existing efs instance | `string` | `""` | no | +| [efs\_type](#input\_efs\_type) | n/a | `string` | `"create"` | no | +| [eks\_addon\_version\_guardduty](#input\_eks\_addon\_version\_guardduty) | enable guardduty | `bool` | `true` | no | +| [eks\_cluster\_iam\_role](#input\_eks\_cluster\_iam\_role) | Name of the IAM role to assign to the EKS cluster; will be created if not supplied | `string` | `null` | no | +| [eks\_cluster\_nodes\_iam\_role](#input\_eks\_cluster\_nodes\_iam\_role) | Name of the IAM role to assign to the EKS cluster nodes; will be created if not supplied | `string` | `null` | no | +| [enable\_firewall](#input\_enable\_firewall) | If enabled this will create firewall and internet gateway | `bool` | `false` | no | +| [enable\_k8s\_dashboard](#input\_enable\_k8s\_dashboard) | n/a | `bool` | `true` | no | +| [enable\_readapi](#input\_enable\_readapi) | ReadAPI stuff | `bool` | `true` | no | +| [enable\_s3\_access\_logging](#input\_enable\_s3\_access\_logging) | If true this will enable access logging on the s3 buckets | `bool` | `true` | no | +| [enable\_s3\_backup](#input\_enable\_s3\_backup) | Allow backing up data bucket on s3 | `bool` | `true` | no | +| [enable\_vpc\_flow\_logs](#input\_enable\_vpc\_flow\_logs) | If enabled this will create flow logs for the VPC | `bool` | `true` | no | +| [enable\_waf](#input\_enable\_waf) | enables aws alb controller for app-edge, also creates waf rules. 
| `bool` | `false` | no | +| [enable\_weather\_station](#input\_enable\_weather\_station) | whether or not to enable the weather station internal metrics collection service | `bool` | `false` | no | +| [environment](#input\_environment) | The environment of the cluster, determines which account readapi to use, options production/development | `string` | `"development"` | no | +| [existing\_kms\_key](#input\_existing\_kms\_key) | Name of kms key if it exists in the account (eg. 'alias/') | `string` | `""` | no | +| [external\_secrets\_version](#input\_external\_secrets\_version) | Version of external-secrets helm chart | `string` | `"0.10.5"` | no | +| [firewall\_allow\_list](#input\_firewall\_allow\_list) | n/a | `list(string)` |
[
".cognitiveservices.azure.com"
]
| no | +| [firewall\_subnet\_cidrs](#input\_firewall\_subnet\_cidrs) | CIDR ranges for the firewall subnets | `list(string)` | `[]` | no | +| [fsx\_deployment\_type](#input\_fsx\_deployment\_type) | The deployment type to launch | `string` | `"PERSISTENT_1"` | no | +| [fsx\_rox\_arn](#input\_fsx\_rox\_arn) | ARN of the ROX FSx Lustre file system | `string` | `null` | no | +| [fsx\_rox\_id](#input\_fsx\_rox\_id) | ID of the existing FSx Lustre file system for ROX | `string` | `null` | no | +| [fsx\_rwx\_arn](#input\_fsx\_rwx\_arn) | ARN of the RWX FSx Lustre file system | `string` | `null` | no | +| [fsx\_rwx\_dns\_name](#input\_fsx\_rwx\_dns\_name) | DNS name for the RWX FSx Lustre file system | `string` | `null` | no | +| [fsx\_rwx\_id](#input\_fsx\_rwx\_id) | ID of the existing FSx Lustre file system for RWX | `string` | `null` | no | +| [fsx\_rwx\_mount\_name](#input\_fsx\_rwx\_mount\_name) | Mount name for the RWX FSx Lustre file system | `string` | `null` | no | +| [fsx\_rwx\_security\_group\_ids](#input\_fsx\_rwx\_security\_group\_ids) | Security group IDs for the RWX FSx Lustre file system | `list(string)` | `[]` | no | +| [fsx\_rwx\_subnet\_ids](#input\_fsx\_rwx\_subnet\_ids) | Subnet IDs for the RWX FSx Lustre file system | `list(string)` | `[]` | no | +| [fsx\_type](#input\_fsx\_type) | n/a | `string` | `"create"` | no | +| [git\_pat](#input\_git\_pat) | n/a | `string` | `""` | no | +| [harbor\_pull\_secret\_b64](#input\_harbor\_pull\_secret\_b64) | Harbor pull secret from Vault | `string` | n/a | yes | +| [harness\_delegate](#input\_harness\_delegate) | n/a | `bool` | `false` | no | +| [harness\_delegate\_replicas](#input\_harness\_delegate\_replicas) | n/a | `number` | `1` | no | +| [harness\_mount\_path](#input\_harness\_mount\_path) | n/a | `string` | `"harness"` | no | +| [hibernation\_enabled](#input\_hibernation\_enabled) | n/a | `bool` | `false` | no | +| [image\_registry](#input\_image\_registry) | docker image registry to use for pulling images. 
| `string` | `"harbor.devops.indico.io"` | no | +| [include\_efs](#input\_include\_efs) | Create efs | `bool` | `true` | no | +| [include\_fsx](#input\_include\_fsx) | Create a fsx file system(s) | `bool` | `false` | no | +| [include\_pgbackup](#input\_include\_pgbackup) | Create a read only FSx file system | `bool` | `true` | no | +| [include\_rox](#input\_include\_rox) | Create a read only FSx file system | `bool` | `false` | no | +| [indico\_aws\_access\_key\_id](#input\_indico\_aws\_access\_key\_id) | The AWS access key for controlling dns in an alternate account | `string` | `""` | no | +| [indico\_aws\_secret\_access\_key](#input\_indico\_aws\_secret\_access\_key) | The AWS secret key for controlling dns in an alternate account | `string` | `""` | no | +| [indico\_aws\_session\_token](#input\_indico\_aws\_session\_token) | The AWS session token to use for deployment in an alternate account | `string` | `null` | no | +| [indico\_devops\_aws\_access\_key\_id](#input\_indico\_devops\_aws\_access\_key\_id) | The Indico-Devops account access key | `string` | `""` | no | +| [indico\_devops\_aws\_region](#input\_indico\_devops\_aws\_region) | The Indico-Devops devops cluster region | `string` | `""` | no | +| [indico\_devops\_aws\_secret\_access\_key](#input\_indico\_devops\_aws\_secret\_access\_key) | The Indico-Devops account secret | `string` | `""` | no | +| [indico\_devops\_aws\_session\_token](#input\_indico\_devops\_aws\_session\_token) | Indico-Devops account AWS session token to use for deployment | `string` | `null` | no | +| [instance\_volume\_size](#input\_instance\_volume\_size) | The size of EBS volume to attach to the cluster nodes | `number` | `60` | no | +| [instance\_volume\_type](#input\_instance\_volume\_type) | The type of EBS volume to attach to the cluster nodes | `string` | `"gp2"` | no | +| [internal\_elb\_use\_public\_subnets](#input\_internal\_elb\_use\_public\_subnets) | If enabled, this will use public subnets for the internal elb. 
Otherwise use the private subnets | `bool` | `true` | no | +| [ipa\_crds\_version](#input\_ipa\_crds\_version) | n/a | `string` | `"0.2.1"` | no | +| [ipa\_enabled](#input\_ipa\_enabled) | n/a | `bool` | `true` | no | +| [ipa\_pre\_reqs\_version](#input\_ipa\_pre\_reqs\_version) | n/a | `string` | `"0.4.0"` | no | +| [ipa\_repo](#input\_ipa\_repo) | n/a | `string` | `"https://harbor.devops.indico.io/chartrepo/indico-charts"` | no | +| [ipa\_smoketest\_enabled](#input\_ipa\_smoketest\_enabled) | n/a | `bool` | `true` | no | +| [ipa\_smoketest\_repo](#input\_ipa\_smoketest\_repo) | n/a | `string` | `"https://harbor.devops.indico.io/chartrepo/indico-charts"` | no | +| [ipa\_smoketest\_values](#input\_ipa\_smoketest\_values) | n/a | `string` | `"Cg=="` | no | +| [ipa\_smoketest\_version](#input\_ipa\_smoketest\_version) | n/a | `string` | `"0.1.8"` | no | +| [ipa\_values](#input\_ipa\_values) | n/a | `string` | `""` | no | +| [ipa\_version](#input\_ipa\_version) | n/a | `string` | `"0.12.1"` | no | +| [is\_alternate\_account\_domain](#input\_is\_alternate\_account\_domain) | domain name is controlled by a different aws account | `string` | `"false"` | no | +| [is\_aws](#input\_is\_aws) | n/a | `bool` | `true` | no | +| [is\_azure](#input\_is\_azure) | n/a | `bool` | `false` | no | +| [k8s\_version](#input\_k8s\_version) | The EKS version to use | `string` | `"1.31"` | no | +| [keda\_version](#input\_keda\_version) | n/a | `string` | `"2.15.2"` | no | +| [keycloak\_enabled](#input\_keycloak\_enabled) | n/a | `bool` | `true` | no | +| [kms\_encrypt\_secrets](#input\_kms\_encrypt\_secrets) | Encrypt EKS secrets with KMS | `bool` | `true` | no | +| [label](#input\_label) | The unique string to be prepended to resources names | `string` | `"indico"` | no | +| [lambda\_sns\_forwarder\_destination\_endpoint](#input\_lambda\_sns\_forwarder\_destination\_endpoint) | destination URL for the lambda sns forwarder | `string` | `""` | no | +| 
[lambda\_sns\_forwarder\_enabled](#input\_lambda\_sns\_forwarder\_enabled) | If enabled a lamda will be provisioned to forward sns messages to an external endpoint. | `bool` | `false` | no | +| [lambda\_sns\_forwarder\_function\_variables](#input\_lambda\_sns\_forwarder\_function\_variables) | A map of variables for the lambda\_sns\_forwarder code to use | `map(any)` | `{}` | no | +| [lambda\_sns\_forwarder\_github\_branch](#input\_lambda\_sns\_forwarder\_github\_branch) | The github branch / tag containing the lambda\_sns\_forwarder code to use | `string` | `"main"` | no | +| [lambda\_sns\_forwarder\_github\_organization](#input\_lambda\_sns\_forwarder\_github\_organization) | The github organization containing the lambda\_sns\_forwarder code to use | `string` | `"IndicoDataSolutions"` | no | +| [lambda\_sns\_forwarder\_github\_repository](#input\_lambda\_sns\_forwarder\_github\_repository) | The github repository containing the lambda\_sns\_forwarder code to use | `string` | `""` | no | +| [lambda\_sns\_forwarder\_github\_zip\_path](#input\_lambda\_sns\_forwarder\_github\_zip\_path) | Full path to the lambda zip file | `string` | `"zip/lambda.zip"` | no | +| [lambda\_sns\_forwarder\_topic\_arn](#input\_lambda\_sns\_forwarder\_topic\_arn) | SNS topic to triger lambda forwarder. | `string` | `""` | no | +| [load\_vpc\_id](#input\_load\_vpc\_id) | This is required if loading a network rather than creating one. 
| `string` | `""` | no | +| [local\_registry\_enabled](#input\_local\_registry\_enabled) | n/a | `bool` | `false` | no | +| [local\_registry\_version](#input\_local\_registry\_version) | n/a | `string` | `"unused"` | no | +| [message](#input\_message) | The commit message for updates | `string` | `"Managed by Terraform"` | no | +| [monitoring\_enabled](#input\_monitoring\_enabled) | n/a | `bool` | `true` | no | +| [monitoring\_version](#input\_monitoring\_version) | n/a | `string` | `"3.0.0"` | no | +| [name](#input\_name) | Name to use in all cluster resources names | `string` | `"indico"` | no | +| [network\_allow\_public](#input\_network\_allow\_public) | If enabled this will create public subnets, IGW, and NAT gateway. | `bool` | `true` | no | +| [network\_module](#input\_network\_module) | n/a | `string` | `"networking"` | no | +| [network\_type](#input\_network\_type) | n/a | `string` | `"create"` | no | +| [nfs\_subdir\_external\_provisioner\_version](#input\_nfs\_subdir\_external\_provisioner\_version) | Version of nfs\_subdir\_external\_provisioner\_version helm chart | `string` | `"4.0.18"` | no | +| [node\_bootstrap\_arguments](#input\_node\_bootstrap\_arguments) | Additional arguments when bootstrapping the EKS node. | `string` | `""` | no | +| [node\_disk\_size](#input\_node\_disk\_size) | The root device size for the worker nodes. | `string` | `"150"` | no | +| [node\_groups](#input\_node\_groups) | n/a | `any` | n/a | yes | +| [node\_user\_data](#input\_node\_user\_data) | Additional user data used when bootstrapping the EC2 instance. 
| `string` | `""` | no | +| [oidc\_client\_id](#input\_oidc\_client\_id) | n/a | `string` | `"kube-oidc-proxy"` | no | +| [oidc\_config\_name](#input\_oidc\_config\_name) | n/a | `string` | `"indico-google-ws"` | no | +| [oidc\_enabled](#input\_oidc\_enabled) | Enable OIDC Auhentication | `bool` | `true` | no | +| [oidc\_groups\_claim](#input\_oidc\_groups\_claim) | n/a | `string` | `"groups"` | no | +| [oidc\_groups\_prefix](#input\_oidc\_groups\_prefix) | n/a | `string` | `"oidcgroup:"` | no | +| [oidc\_issuer\_url](#input\_oidc\_issuer\_url) | n/a | `string` | `"https://keycloak.devops.indico.io/auth/realms/GoogleAuth"` | no | +| [oidc\_username\_claim](#input\_oidc\_username\_claim) | n/a | `string` | `"sub"` | no | +| [oidc\_username\_prefix](#input\_oidc\_username\_prefix) | n/a | `string` | `"oidcuser:"` | no | +| [on\_prem\_test](#input\_on\_prem\_test) | n/a | `bool` | `false` | no | +| [opentelemetry\_collector\_version](#input\_opentelemetry\_collector\_version) | n/a | `string` | `"0.108.0"` | no | +| [per\_unit\_storage\_throughput](#input\_per\_unit\_storage\_throughput) | Throughput for each 1 TiB or storage (max 200) for RWX FSx | `number` | `100` | no | +| [performance\_bucket](#input\_performance\_bucket) | Add permission to connect to indico-locust-benchmark-test-results | `bool` | `false` | no | +| [pre-reqs-values-yaml-b64](#input\_pre-reqs-values-yaml-b64) | n/a | `string` | `"Cg=="` | no | +| [private\_subnet\_cidrs](#input\_private\_subnet\_cidrs) | CIDR ranges for the private subnets | `list(string)` | n/a | yes | +| [private\_subnet\_tag\_name](#input\_private\_subnet\_tag\_name) | n/a | `string` | `"Name"` | no | +| [private\_subnet\_tag\_value](#input\_private\_subnet\_tag\_value) | n/a | `string` | `"*private*"` | no | +| [public\_ip](#input\_public\_ip) | Should the cluster manager have a public IP assigned | `bool` | `true` | no | +| [public\_subnet\_cidrs](#input\_public\_subnet\_cidrs) | CIDR ranges for the public subnets | 
`list(string)` | n/a | yes | +| [public\_subnet\_tag\_name](#input\_public\_subnet\_tag\_name) | n/a | `string` | `"Name"` | no | +| [public\_subnet\_tag\_value](#input\_public\_subnet\_tag\_value) | n/a | `string` | `"*public*"` | no | +| [readapi\_customer](#input\_readapi\_customer) | Name of the customer readapi is being deployed in behalf. | `string` | `null` | no | +| [region](#input\_region) | The AWS region in which to launch the indico stack | `string` | `"us-east-1"` | no | +| [restore\_snapshot\_enabled](#input\_restore\_snapshot\_enabled) | Flag for restoring cluster from snapshot | `bool` | `false` | no | +| [restore\_snapshot\_name](#input\_restore\_snapshot\_name) | Name of snapshot in account's s3 bucket | `string` | `""` | no | +| [s3\_endpoint\_enabled](#input\_s3\_endpoint\_enabled) | If set to true, an S3 VPC endpoint will be created. If this variable is set, the `region` variable must also be set | `bool` | `false` | no | +| [secrets\_operator\_enabled](#input\_secrets\_operator\_enabled) | Use to enable the secrets operator which is used for maintaining thanos connection | `bool` | `true` | no | +| [sg\_tag\_name](#input\_sg\_tag\_name) | n/a | `string` | `"Name"` | no | +| [sg\_tag\_value](#input\_sg\_tag\_value) | n/a | `string` | `"*-allow-subnets"` | no | +| [skip\_final\_snapshot](#input\_skip\_final\_snapshot) | Skip taking a final snapshot before deletion; not recommended to enable | `bool` | `false` | no | +| [snapshot\_id](#input\_snapshot\_id) | The ebs snapshot of read-only data to use | `string` | `""` | no | +| [sqs\_sns](#input\_sqs\_sns) | Flag for enabling SQS/SNS | `bool` | `true` | no | +| [ssl\_static\_secret\_name](#input\_ssl\_static\_secret\_name) | secret\_name for static ssl certificate | `string` | `"indico-ssl-static-cert"` | no | +| [storage\_capacity](#input\_storage\_capacity) | Storage capacity in GiB for RWX FSx | `number` | `1200` | no | +| [storage\_gateway\_size](#input\_storage\_gateway\_size) | The size of 
the storage gateway VM | `string` | `"m5.xlarge"` | no | +| [submission\_expiry](#input\_submission\_expiry) | The number of days to retain submissions | `number` | `30` | no | +| [subnet\_az\_zones](#input\_subnet\_az\_zones) | Availability zones for the subnets | `list(string)` | n/a | yes | +| [terraform\_smoketests\_enabled](#input\_terraform\_smoketests\_enabled) | n/a | `bool` | `true` | no | +| [terraform\_vault\_mount\_path](#input\_terraform\_vault\_mount\_path) | n/a | `string` | `"terraform"` | no | +| [thanos\_cluster\_ca\_certificate](#input\_thanos\_cluster\_ca\_certificate) | n/a | `string` | `"provided from the varset thanos"` | no | +| [thanos\_cluster\_host](#input\_thanos\_cluster\_host) | n/a | `string` | `"provided from the varset thanos"` | no | +| [thanos\_cluster\_name](#input\_thanos\_cluster\_name) | n/a | `string` | `"thanos"` | no | +| [thanos\_enabled](#input\_thanos\_enabled) | n/a | `bool` | `true` | no | +| [thanos\_grafana\_admin\_password](#input\_thanos\_grafana\_admin\_password) | n/a | `string` | `"provided from the varset thanos"` | no | +| [thanos\_grafana\_admin\_username](#input\_thanos\_grafana\_admin\_username) | n/a | `string` | `"provided from the varset devops-tools-cluster"` | no | +| [uploads\_expiry](#input\_uploads\_expiry) | The number of days to retain uploads | `number` | `30` | no | +| [use\_acm](#input\_use\_acm) | create cluster that will use acm | `bool` | `false` | no | +| [use\_nlb](#input\_use\_nlb) | If true this will create a NLB loadbalancer instead of a classic VPC ELB | `bool` | `false` | no | +| [use\_static\_ssl\_certificates](#input\_use\_static\_ssl\_certificates) | use static ssl certificates for clusters which cannot use certmanager and external dns. 
| `bool` | `false` | no | +| [vault\_address](#input\_vault\_address) | n/a | `string` | `"https://vault.devops.indico.io"` | no | +| [vault\_mount\_path](#input\_vault\_mount\_path) | n/a | `string` | `"terraform"` | no | +| [vault\_password](#input\_vault\_password) | n/a | `any` | n/a | yes | +| [vault\_secrets\_operator\_version](#input\_vault\_secrets\_operator\_version) | n/a | `string` | `"0.7.0"` | no | +| [vault\_username](#input\_vault\_username) | n/a | `any` | n/a | yes | +| [vpc\_cidr](#input\_vpc\_cidr) | The VPC for the entire indico stack | `string` | n/a | yes | +| [vpc\_flow\_logs\_iam\_role\_arn](#input\_vpc\_flow\_logs\_iam\_role\_arn) | The IAM role to use for the flow logs | `string` | `""` | no | +| [vpc\_name](#input\_vpc\_name) | The VPC name | `string` | `"indico_vpc"` | no | -1. AWS Tests located in [smoketests/aws/test_aws.py](smoketests/aws/test_aws.py) -2. Azure Tests located in [smoketests/azure/test_azure.py](smoketests/azure/test_azure.py) -3. Common Tests located in [smoketests/common/test_common.py](smoketests/common/test_common.py) +## Outputs -### Automatic Variable Mapping - -Whenever the `tf_cod` has a commit, a `pre-commit` hook runs and generates the file called [tf-smoketest-variables.tf](./tf-smoketest-variables.tf) which will contain a configmap mapping all variables to their supplied values, for example: - -```terraform -resource "kubernetes_config_map" "terraform-variables" { - depends_on = [null_resource.sleep-5-minutes] - metadata { - name = "terraform-variables" - } - data = { - is_azure = "${jsonencode(var.is_azure)}" - is_aws = "${jsonencode(var.is_aws)}" - label = "${jsonencode(var.label)}" - message = "${jsonencode(var.message)}" - applications = "${jsonencode(var.applications)}" - region = "${jsonencode(var.region)}" - direct_connect = "${jsonencode(var.direct_connect)}" - additional_tags = "${jsonencode(var.additional_tags)}" - default_tags = "${jsonencode(var.default_tags)}" - ... 
-``` - -The container is then deployed into the cluster using the [Helm Chart](./smoketsts/helm-chart) and creates a Job which in turn mounts the configmap as environment variables. - -```python -# obtain the region and node_groups -region = os.environ['region'] -node_groups = os.environ['node_groups'] -``` - -These values can then be used to validate the inputs against the generated infrastructure. - -### Example Test validating az_count - -```python - def test_autoscaling_groups(self, cloudProvider, account, region, name): - p = Process(account, region, name) - az_count = int(os.environ['az_count']) - output = p.run( - ["aws", "autoscaling", "describe-auto-scaling-groups", "--region", self.region, "--max-items", "2048", "--filters", self.cluster_filter, "--output", "json",], stdout=subprocess.PIPE) - autoscaling_groups = p.parseResult(output, 'AutoScalingGroups') - assert len(autoscaling_groups) > 0, f"No autoscaling groups found for {name}" - for ag in autoscaling_groups: - availability_zones = ag['AvailabilityZones'] - ag_name = ag['AutoScalingGroupName'] - assert len(availability_zones) == az_count, f"Mismatching az_count for {ag_name}" -``` +| Name | Description | +|------|-------------| +| [acm\_arn](#output\_acm\_arn) | arn of the acm | +| [api\_models\_s3\_bucket\_name](#output\_api\_models\_s3\_bucket\_name) | Name of the api-models s3 bucket | +| [argo\_branch](#output\_argo\_branch) | n/a | +| [argo\_path](#output\_argo\_path) | n/a | +| [argo\_repo](#output\_argo\_repo) | n/a | +| [cluster\_name](#output\_cluster\_name) | n/a | +| [cluster\_region](#output\_cluster\_region) | n/a | +| [data\_s3\_bucket\_name](#output\_data\_s3\_bucket\_name) | Name of the data s3 bucket | +| [dns\_name](#output\_dns\_name) | n/a | +| [efs\_filesystem\_id](#output\_efs\_filesystem\_id) | ID of the EFS filesystem | +| [fsx\_rox\_id](#output\_fsx\_rox\_id) | Read only filesystem | +| [fsx\_rwx\_id](#output\_fsx\_rwx\_id) | Read write filesystem | +| 
[fsx\_storage\_fsx\_rwx\_dns\_name](#output\_fsx\_storage\_fsx\_rwx\_dns\_name) | n/a |
+| [fsx\_storage\_fsx\_rwx\_mount\_name](#output\_fsx\_storage\_fsx\_rwx\_mount\_name) | n/a |
+| [fsx\_storage\_fsx\_rwx\_subnet\_id](#output\_fsx\_storage\_fsx\_rwx\_subnet\_id) | n/a |
+| [fsx\_storage\_fsx\_rwx\_volume\_handle](#output\_fsx\_storage\_fsx\_rwx\_volume\_handle) | n/a |
+| [git\_branch](#output\_git\_branch) | n/a |
+| [git\_sha](#output\_git\_sha) | n/a |
+| [harbor-api-token](#output\_harbor-api-token) | n/a |
+| [harness\_delegate\_name](#output\_harness\_delegate\_name) | n/a |
+| [ipa\_version](#output\_ipa\_version) | n/a |
+| [key\_pem](#output\_key\_pem) | Generated private key for key pair |
+| [kube\_ca\_certificate](#output\_kube\_ca\_certificate) | n/a |
+| [kube\_host](#output\_kube\_host) | n/a |
+| [kube\_token](#output\_kube\_token) | n/a |
+| [local\_registry\_password](#output\_local\_registry\_password) | n/a |
+| [local\_registry\_username](#output\_local\_registry\_username) | n/a |
+| [monitoring-password](#output\_monitoring-password) | n/a |
+| [monitoring-username](#output\_monitoring-username) | n/a |
+| [monitoring\_enabled](#output\_monitoring\_enabled) | n/a |
+| [ns](#output\_ns) | n/a |
+| [s3\_role\_id](#output\_s3\_role\_id) | ID of the S3 role |
+| [smoketest\_chart\_version](#output\_smoketest\_chart\_version) | n/a |
+| [wafv2\_arn](#output\_wafv2\_arn) | arn of the wafv2 acl |
+| [zerossl](#output\_zerossl) | n/a |
diff --git a/main.tf b/main.tf
index 4a7c71ca..84b11ba7 100644
--- a/main.tf
+++ b/main.tf
@@ -262,8 +262,9 @@ resource "null_resource" "s3-delete-data-pgbackup-bucket" {
 module "efs-storage" {
 count = var.include_efs == true ? 1 : 0
 source = "app.terraform.io/indico/indico-aws-efs/mod"
- version = "0.0.1"
- label = var.label
+ version = "2.0.0"
+ label = var.efs_filesystem_name == "" ? var.label : var.efs_filesystem_name
+ efs_type = var.efs_type
 additional_tags = merge(var.additional_tags, { "type" = "local-efs-storage" })
 security_groups = var.network_module == "networking" ? [local.network[0].all_subnets_sg_id] : [module.security-group.all_subnets_sg_id]
 private_subnet_ids = flatten([local.network[0].private_subnet_ids])
diff --git a/tf-smoketest-variables.tf b/tf-smoketest-variables.tf
index 64646870..6c5a9d2d 100644
--- a/tf-smoketest-variables.tf
+++ b/tf-smoketest-variables.tf
@@ -183,6 +183,8 @@ resource "kubernetes_config_map" "terraform-variables" {
 fsx_rwx_arn = "${jsonencode(var.fsx_rwx_arn)}"
 fsx_rox_id = "${jsonencode(var.fsx_rox_id)}"
 fsx_rox_arn = "${jsonencode(var.fsx_rox_arn)}"
+ efs_filesystem_name = "${jsonencode(var.efs_filesystem_name)}"
+ efs_type = "${jsonencode(var.efs_type)}"
 }
 }
diff --git a/variables.tf b/variables.tf
index feb08be4..b5700b28 100644
--- a/variables.tf
+++ b/variables.tf
@@ -1119,4 +1119,20 @@ variable "fsx_rox_arn" {
 description = "ARN of the ROX FSx Lustre file system"
 type = string
 default = null
+}
+
+variable "efs_filesystem_name" {
+ type = string
+ default = ""
+ description = "The filesystem name of an existing efs instance"
+}
+
+variable "efs_type" {
+ type = string
+ default = "create"
+
+ validation {
+ condition = var.efs_type == "create" || var.efs_type == "load"
+ error_message = "${var.efs_type} not valid. Type must be either create or load"
+ }
 }
\ No newline at end of file
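Review bot: The new `label` line lets `efs_type = "load"` run with the default empty `efs_filesystem_name`, so instead of failing the module is presumably handed `var.label` to resolve an existing filesystem, and a workspace that forgot the name could attach the cluster to whichever EFS in the account happens to match that label rather than stopping at plan time. Nothing in this hunk or the variables.tf hunk ties the two inputs together, and a `validation` block on `efs_type` cannot reference `efs_filesystem_name`, so I would add a plan-time guard beside the module call as below; it relies on `lifecycle.precondition`, which needs Terraform 1.2 or newer, so the `required_version` floor should be checked before adopting it. A second, data-safety point on the same line: for `efs_type = "create"`, setting `efs_filesystem_name` on an already-deployed workspace changes `label`, and if the module keys its `aws_efs_file_system` naming off that label this could force replacement of a filesystem holding data, which deserves at least `# NOTE: changing this on an existing "create" deployment may replace the filesystem` next to it. The `module "efs-storage"` block continues past the end of the hunk.
```hcl
# Refuse to plan a "load" that does not name the filesystem it should attach;
# otherwise the label fallback below hands var.label to the module instead.
resource "null_resource" "efs_load_guard" {
  count = var.include_efs == true ? 1 : 0
  lifecycle {
    precondition {
      condition     = var.efs_type != "load" || var.efs_filesystem_name != ""
      error_message = "efs_filesystem_name must be set when efs_type is \"load\"."
    }
  }
}

module "efs-storage" {
  # … unchanged: count, source, version, label, efs_type, tags, networking …
```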
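Review bot: The added `variable "efs_type"` block has no `description`, and its `error_message` is assembled from the variable's own value and is not a full sentence; older Terraform releases (before roughly 1.2, as I recall) required `error_message` to be a literal sentence starting with a capital letter and ending in a period and reject this form at parse time, so either the repository's minimum Terraform version is newer than advertised or this validation breaks `init`/`validate` for some users. I would write `description = "Whether to create a new EFS filesystem (\"create\") or attach an existing one named by efs_filesystem_name (\"load\")."` and `error_message = "efs_type must be either \"create\" or \"load\"."`, with `condition = contains(["create", "load"], var.efs_type)` so the allowed set lives in one place. The `efs_filesystem_name` description should also say that, judging by the main.tf hunk, a non-empty value replaces `var.label` as the module label even when `efs_type` is `"create"`, since "existing efs instance" implies it is only read on the load path. The hunk also leaves the file without a trailing newline.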