
Update versions of Terraform providers and modules and bump EKS version (#423)

* Update EKS version and providers/modules versions

* Disable secrets encryption

* Change additional eks role example

* Fix formatting

* Remove unnecessary policies

* Add elasticloadbalancing:DescribeLoadBalancers to the policy

* Update modules/AWS/eks/main.tf

Co-authored-by: Yifei Zhang <[email protected]>

* Remove duplicated permission

---------

Co-authored-by: Yevhen Ivantsov <[email protected]>
Co-authored-by: Yifei Zhang <[email protected]>
3 people authored Jul 31, 2024
1 parent 6ee0c68 commit 5e358f3
Showing 40 changed files with 217 additions and 152 deletions.
24 changes: 15 additions & 9 deletions config.tfvars
Expand Up @@ -71,16 +71,22 @@ max_cluster_capacity = 5
# create_external_dns = true

# If you desire to access the cluster with additional roles other than the one used for cluster creation,
# you can define them below.
#eks_additional_roles = [
# {
# rolearn = "arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME"
# username = "ROLE_NAME"
# groups = [
# "system:masters"
# ]
# you can define them below. For more information visit https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html
#eks_additional_roles = {
# user = {
# kubernetes_group = []
# principal_arn = "arn:aws:iam::121212121212:role/test-policy-role"
# policy_associations = {
# admin = {
# policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
# access_scope = {
# namespaces = []
# type = "cluster"
# }
# }
# }
# }
#]
#}

# List of addtional namespaces to be created in the cluster
#additional_namespaces = ["extra_namespace"]
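Review bot: The example's `kubernetes_group = []` key does not match the attribute that EKS access entries use — the aws_eks_access_entry resource, and as far as I can tell the upstream module's `access_entries` input, spell it `kubernetes_groups` — and because the receiving variable is now typed `map(any)` a misspelt key is dropped silently rather than rejected, so anyone who fills in groups here would get an entry with no group bindings. The same example is repeated in docs/docs/userguide/configuration/CONFIGURATION.md. The example also swaps the earlier `ACCOUNT_ID`/`ROLE_NAME` placeholders for a concrete-looking account id and role name, and grants the cluster-scoped `AmazonEKSClusterAdminPolicy`; I would restore obvious placeholders and add a line such as `# Prefer a namespace-scoped access_scope or AmazonEKSViewPolicy/AmazonEKSEditPolicy unless cluster admin is really required.`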
28 changes: 17 additions & 11 deletions docs/docs/userguide/configuration/CONFIGURATION.md
Expand Up @@ -207,21 +207,27 @@ When the EKS cluster is created, only the entity that created the cluster can ac
resources inside the cluster. To enable access for additional roles, you can add them to the config file:

```terraform
eks_additional_roles = [
{
rolearn = "arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME"
username = "ROLE_NAME"
groups = [
"system:masters"
]
eks_additional_roles = {
user = {
kubernetes_group = []
principal_arn = "arn:aws:iam::121212121212:role/test-policy-role"
policy_associations = {
admin = {
policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
access_scope = {
namespaces = []
type = "cluster"
}
}
}
}
]
}
```

!!! info "Permissions in AWS EKS"
!!! info "Access Entries in AWS EKS"

For additional information regarding the authorisation in EKS cluster, follow the official
[AWS documentation](https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html){.external}.
For additional information regarding adding access entries in EKS cluster, follow the official
[AWS documentation](https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html#creating-access-entries){.external}.

### Logging S3 bucket name

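--- a/modules/AWS/dynamodb/provider_version.tf
+++ b/modules/AWS/dynamodb/provider_version.tf
@@ -1,13 +1,13 @@
 terraform {
 required_providers {
 aws = {
-version = "~> 4.36"
+version = "~> 5.0"
 }
 kubernetes = {
 version = "~> 2.7"
 }
 helm = {
-version = "~> 2.4"
+version = "~> 2.14"
 }
 }
 }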
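--- a/modules/AWS/eks/autoscaling.tf
+++ b/modules/AWS/eks/autoscaling.tf
@@ -1,6 +1,6 @@
 module "autoscaler_iam_role" {
 source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
-version = "4.13.2"
+version = "5.41.0"
 
 create_role = true
 role_name = "${var.cluster_name}-autoscaler"
@@ -16,7 +16,7 @@ module "autoscaler_iam_role" {
 
 resource "aws_iam_policy" "cluster_autoscaler" {
 name_prefix = "cluster-autoscaler"
-description = "EKS cluster-autoscaler policy for cluster ${module.eks.cluster_id}"
+description = "EKS cluster-autoscaler policy for cluster ${module.eks.cluster_name}"
 policy = data.aws_iam_policy_document.cluster_autoscaler.json
 }
 
@@ -55,7 +55,7 @@ data "aws_iam_policy_document" "cluster_autoscaler" {
 
 condition {
 test = "StringEquals"
-variable = "autoscaling:ResourceTag/kubernetes.io/cluster/${module.eks.cluster_id}"
+variable = "autoscaling:ResourceTag/kubernetes.io/cluster/${module.eks.cluster_name}"
 values = [
 "owned"
 ]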
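--- a/modules/AWS/eks/locals.tf
+++ b/modules/AWS/eks/locals.tf
@@ -5,7 +5,7 @@ locals {
 autoscaler_service_account_namespace = "kube-system"
 autoscaler_service_account_name = "cluster-autoscaler-aws-cluster-autoscaler-chart"
 
-autoscaler_version = "9.25.0"
+autoscaler_version = "9.37.0"
 
 ami_type = "AL2_x86_64"
 
@@ -23,4 +23,6 @@ locals {
 
 
 use_downtime = var.cluster_downtime_start != null && var.cluster_downtime_stop != null ? true : false
+
+iam_access_entries = var.additional_roles != null ? var.additional_roles : null
 }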
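Review bot: The new `iam_access_entries` conditional on the last added line is an identity — both branches evaluate to `var.additional_roles`, including the null case — so it normalises nothing and still hands null to the module's `access_entries` input. If the intent is to tolerate an unset variable, produce the module's empty default instead: `iam_access_entries = var.additional_roles != null ? var.additional_roles : {}`; whether the upstream module copes with a null `access_entries` is something I cannot confirm from here. A one-line comment saying the map holds EKS access entries (the variable name still says roles) would also help, since the shape is only implied by the example in config.tfvars. The locals block starts outside the hunk.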
27 changes: 21 additions & 6 deletions modules/AWS/eks/main.tf
Expand Up @@ -24,7 +24,7 @@ module "nodegroup_launch_template" {

module "eks" {
source = "terraform-aws-modules/eks/aws"
version = "18.30.2"
version = "~> 20.0"

# Configure cluster
cluster_version = var.eks_version
Expand All @@ -36,22 +36,37 @@ module "eks" {
cluster_addons = {
kube-proxy = {}
vpc-cni = {
resolve_conflicts = "OVERWRITE"
resolve_conflicts_on_create = "OVERWRITE"
}
aws-ebs-csi-driver = {
resolve_conflicts = "OVERWRITE"
resolve_conflicts_on_create = "OVERWRITE"
configuration_values = jsonencode({
defaultStorageClass = {
enabled = true
}
})
}
}

# We're creating eks managed nodegroup, hence aws-auth is handled by EKS
manage_aws_auth_configmap = true
aws_auth_roles = var.additional_roles
enable_cluster_creator_admin_permissions = true
authentication_mode = "API_AND_CONFIG_MAP"
access_entries = local.iam_access_entries

cluster_endpoint_public_access = true

# Enables IAM roles for service accounts - required for autoscaler and potentially Atlassian apps
# https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html
enable_irsa = true
iam_role_use_name_prefix = false

# we won't use kms key to encrypt secrets in etcd
# and may want to revisit this in future
# to and make it configurable (requires kms permissions)
create_kms_key = false
cluster_encryption_config = {}


# Networking
vpc_id = var.vpc_id
subnet_ids = var.subnets
Expand All @@ -73,7 +88,7 @@ module "eks" {
subnet_ids = slice(var.subnets, 0, 1)
capacity_type = "ON_DEMAND"
create_launch_template = false
launch_template_name = data.aws_launch_template.nodes.name
launch_template_id = data.aws_launch_template.nodes.id
launch_template_version = module.nodegroup_launch_template.version
create_iam_role = false
iam_role_arn = aws_iam_role.node_group.arn
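Review bot: Switching to `authentication_mode = "API_AND_CONFIG_MAP"` while dropping `manage_aws_auth_configmap`/`aws_auth_roles` leaves any roles already granted through the aws-auth ConfigMap on existing clusters in place but no longer reconciled by Terraform, so access that used to be driven by `additional_roles` now persists until someone edits the ConfigMap by hand. The comment above these lines should say who cleans that ConfigMap up and when `authentication_mode` can move to `"API"`, otherwise the old grants are easy to forget. The `create_kms_key = false` / `cluster_encryption_config = {}` pair turns off envelope encryption of Kubernetes secrets; as far as I know EKS does not allow disabling it on a cluster that already has it enabled, so on existing clusters I would expect this to fail or force replacement — worth confirming and recording next to the existing comment, e.g. `# Secrets in etcd rely on EKS default at-rest encryption only; cannot be switched off on clusters created with encryption enabled.` The module block continues outside the hunk.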
4 changes: 0 additions & 4 deletions modules/AWS/eks/outputs.tf
Expand Up @@ -2,10 +2,6 @@ output "cluster_name" {
value = var.cluster_name
}

output "cluster_id" {
value = module.eks.cluster_id
}

output "cluster_oidc_issuer_url" {
value = module.eks.cluster_oidc_issuer_url
}
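--- a/modules/AWS/eks/provider_version.tf
+++ b/modules/AWS/eks/provider_version.tf
@@ -1,13 +1,13 @@
 terraform {
 required_providers {
 aws = {
-version = "~> 4.36"
+version = "~> 5.0"
 }
 kubernetes = {
 version = "~> 2.7"
 }
 helm = {
-version = "~> 2.4"
+version = "~> 2.14"
 }
 }
 }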
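--- a/modules/AWS/eks/providers.tf
+++ b/modules/AWS/eks/providers.tf
@@ -1,9 +1,11 @@
 data "aws_eks_cluster" "cluster" {
-name = module.eks.cluster_id
+name = module.eks.cluster_name
+depends_on = [module.eks.cluster_name]
 }
 
 data "aws_eks_cluster_auth" "cluster" {
-name = module.eks.cluster_id
+name = module.eks.cluster_name
+depends_on = [module.eks.cluster_name]
 }
 
 provider "kubernetes" {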
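Review bot: The added `depends_on = [module.eks.cluster_name]` on both data sources is redundant — the `name` argument already references that same output, and that reference is what creates the dependency edge. If the goal is to wait for the whole module (for example so the cluster endpoint is reachable before the auth token is requested), `depends_on = [module.eks]` is the form Terraform documents for module dependencies; otherwise the two lines can go. The provider block continues outside the hunk.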
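--- a/modules/AWS/eks/variables.tf
+++ b/modules/AWS/eks/variables.tf
@@ -9,10 +9,10 @@ variable "cluster_name" {
 
 variable "eks_version" {
 description = "EKS K8s version"
-type = number
+type = string
 validation {
-condition = can(regex("^1\\.2[7-9]", var.eks_version))
-error_message = "Invalid EKS K8S version. Valid versions are from 1.27 to 1.29."
+condition = can(regex("^1\\.3[0-9]", var.eks_version))
+error_message = "Invalid EKS K8S version. Valid versions are from 1.30 to 1.39."
 }
 }
 
@@ -86,7 +86,7 @@ variable "cluster_downtime_timezone" {
 
 variable "additional_roles" {
 description = "Additional roles that have access to the cluster."
-type = list(object({ rolearn = string, username = string, groups = list(string) }))
+type = map(any)
 }
 
 variable "osquery_secret_name" {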
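Review bot: `type = map(any)` for `additional_roles` drops the schema the old object type enforced, so a misspelt key in an access entry (the example config uses `kubernetes_group`, while the resource attribute is `kubernetes_groups`) is accepted and silently ignored instead of failing at plan time. A typed object as below would catch that; it relies on `optional()` defaults, which need Terraform 1.3 or later, and I cannot see the required_version from here. The description `"Additional roles that have access to the cluster."` should also say that the value is now a map of EKS access entries keyed by a free-form label, not aws-auth role mappings. Separately, the `eks_version` regex `^1\\.3[0-9]` is unanchored at the end, so `"1.30-beta"` passes, and the message promises versions up to 1.39 that do not exist; `^1\\.3[0-9]$` with a message naming the range this module has actually been tested with would be more honest.
```hcl
variable "additional_roles" {
  description = "EKS access entries to create, keyed by a free-form label: principal ARN, optional Kubernetes groups and the EKS access policies to associate."
  type = map(object({
    principal_arn     = string
    kubernetes_groups = optional(list(string), [])
    policy_associations = optional(map(object({
      policy_arn = string
      access_scope = object({
        type       = string
        namespaces = optional(list(string), [])
      })
    })), {})
  }))
}
```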
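--- a/modules/AWS/external-dns/provider_version.tf
+++ b/modules/AWS/external-dns/provider_version.tf
@@ -1,13 +1,13 @@
 terraform {
 required_providers {
 aws = {
-version = "~> 4.36"
+version = "~> 5.0"
 }
 kubernetes = {
 version = "~> 2.7"
 }
 helm = {
-version = "~> 2.4"
+version = "~> 2.14"
 }
 }
 }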
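--- a/modules/AWS/ingress/locals.tf
+++ b/modules/AWS/ingress/locals.tf
@@ -1,5 +1,5 @@
 locals {
-ingress_version = "4.10.1"
+ingress_version = "4.11.1"
 ingress_name = "ingress-nginx"
 ingress_namespace = "ingress-nginx"
 domain_supplied = var.ingress_domain != null ? true : false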
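--- a/modules/AWS/ingress/provider_version.tf
+++ b/modules/AWS/ingress/provider_version.tf
@@ -1,13 +1,13 @@
 terraform {
 required_providers {
 aws = {
-version = "~> 4.36"
+version = "~> 5.0"
 }
 kubernetes = {
 version = "~> 2.7"
 }
 helm = {
-version = "~> 2.4"
+version = "~> 2.14"
 }
 }
 }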
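--- a/modules/AWS/nfs/locals.tf
+++ b/modules/AWS/nfs/locals.tf
@@ -4,5 +4,5 @@ locals {
 nfs_name = "${var.product}-nfs"
 
 # The name of the NFS storage class.
-storage_class = "gp2"
-}
+storage_class = "ebs-csi-default-sc"
+}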
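Review bot: `storage_class = "ebs-csi-default-sc"` appears to rely on the StorageClass that the aws-ebs-csi-driver add-on creates when `defaultStorageClass` is enabled in modules/AWS/eks/main.tf, but nothing in this file records that coupling, and the existing comment still only says "The name of the NFS storage class." I would extend it to `# StorageClass created by the aws-ebs-csi-driver EKS add-on (defaultStorageClass enabled in modules/AWS/eks/main.tf); PVCs will not bind if that add-on option is turned off.` In modules/AWS/nfs/main.tf the EBS volume `type` becomes a bare `"gp2"` literal now that this local no longer names an EBS volume type; a dedicated local such as `ebs_volume_type = "gp2"` keeps the value in one place. The locals block starts outside the hunk.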
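--- a/modules/AWS/nfs/main.tf
+++ b/modules/AWS/nfs/main.tf
@@ -3,7 +3,7 @@ resource "aws_ebs_volume" "shared_home" {
 
 snapshot_id = var.shared_home_snapshot_id != null ? var.shared_home_snapshot_id : null
 size = tonumber(regex("\\d+", var.shared_home_size))
-type = local.storage_class
+type = "gp2"
 
 tags = {
 Name = "${var.product}-nfs-shared-home"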
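--- a/modules/AWS/nfs/provider_version.tf
+++ b/modules/AWS/nfs/provider_version.tf
@@ -1,13 +1,13 @@
 terraform {
 required_providers {
 aws = {
-version = "~> 4.36"
+version = "~> 5.0"
 }
 kubernetes = {
 version = "~> 2.7"
 }
 helm = {
-version = "~> 2.12.1"
+version = "~> 2.14"
 }
 }
 }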
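--- a/modules/AWS/rds/provider_version.tf
+++ b/modules/AWS/rds/provider_version.tf
@@ -1,13 +1,13 @@
 terraform {
 required_providers {
 aws = {
-version = "~> 4.36"
+version = "~> 5.0"
 }
 kubernetes = {
 version = "~> 2.7"
 }
 helm = {
-version = "~> 2.4"
+version = "~> 2.14"
 }
 }
 }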
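--- a/modules/AWS/s3/provider_version.tf
+++ b/modules/AWS/s3/provider_version.tf
@@ -1,13 +1,13 @@
 terraform {
 required_providers {
 aws = {
-version = "~> 4.36"
+version = "~> 5.0"
 }
 kubernetes = {
 version = "~> 2.7"
 }
 helm = {
-version = "~> 2.4"
+version = "~> 2.14"
 }
 }
 }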
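--- a/modules/AWS/vpc/main.tf
+++ b/modules/AWS/vpc/main.tf
@@ -4,7 +4,7 @@ data "aws_availability_zones" "available" {
 
 module "vpc" {
 source = "terraform-aws-modules/vpc/aws"
-version = "3.10.0"
+version = "5.9.0"
 
 name = var.vpc_name
 cidr = var.vpc_cidr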
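--- a/modules/AWS/vpc/provider_version.tf
+++ b/modules/AWS/vpc/provider_version.tf
@@ -1,13 +1,13 @@
 terraform {
 required_providers {
 aws = {
-version = "~> 4.36"
+version = "~> 5.0"
 }
 kubernetes = {
 version = "~> 2.7"
 }
 helm = {
-version = "~> 2.4"
+version = "~> 2.14"
 }
 }
 }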