diff --git a/config.tfvars b/config.tfvars index 8786f1d7..10cac785 100644 --- a/config.tfvars +++ b/config.tfvars @@ -71,16 +71,22 @@ max_cluster_capacity = 5 # create_external_dns = true # If you desire to access the cluster with additional roles other than the one used for cluster creation, -# you can define them below. -#eks_additional_roles = [ -# { -# rolearn = "arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME" -# username = "ROLE_NAME" -# groups = [ -# "system:masters" -# ] +# you can define them below. For more information visit https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html +#eks_additional_roles = { +# user = { +# kubernetes_group = [] +# principal_arn = "arn:aws:iam::121212121212:role/test-policy-role" +# policy_associations = { +# admin = { +# policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy" +# access_scope = { +# namespaces = [] +# type = "cluster" +# } +# } +# } # } -#] +#} # List of addtional namespaces to be created in the cluster #additional_namespaces = ["extra_namespace"] diff --git a/docs/docs/userguide/configuration/CONFIGURATION.md b/docs/docs/userguide/configuration/CONFIGURATION.md index 7c224ce3..87d46a79 100644 --- a/docs/docs/userguide/configuration/CONFIGURATION.md +++ b/docs/docs/userguide/configuration/CONFIGURATION.md 
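Review bot: The new `eks_additional_roles` example uses the key `kubernetes_group`, while the terraform-aws-eks `access_entries` input (and the underlying `aws_eks_access_entry` resource) name that attribute `kubernetes_groups`, as far as I can tell; because the variable is now `map(any)`, a misspelled key is silently ignored rather than rejected, and it is only harmless here because the list is empty. The same spelling appears in docs/docs/userguide/configuration/CONFIGURATION.md, test/e2etest/test-config.tfvars.tmpl and test/unittest/test_variables.go, so confirm it against the module once and fix all four together. The example also binds `AmazonEKSClusterAdminPolicy` with `type = "cluster"`, i.e. full cluster admin; a one-line comment such as `# This example grants cluster-wide admin; narrow policy_arn/access_scope for non-admin principals.` would stop it being copied as-is.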
@@ -207,21 +207,27 @@ When the EKS cluster is created, only the entity that created the cluster can ac resources inside the cluster. To enable access for additional roles, you can add them to the config file: ```terraform -eks_additional_roles = [ - { - rolearn = "arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME" - username = "ROLE_NAME" - groups = [ - "system:masters" - ] +eks_additional_roles = { + user = { + kubernetes_group = [] + principal_arn = "arn:aws:iam::121212121212:role/test-policy-role" + policy_associations = { + admin = { + policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy" + access_scope = { + namespaces = [] + type = "cluster" + } + } + } } -] +} ``` -!!! info "Permissions in AWS EKS" +!!! info "Access Entries in AWS EKS" - For additional information regarding the authorisation in EKS cluster, follow the official - [AWS documentation](https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html){.external}. + For additional information regarding adding access entries in EKS cluster, follow the official + [AWS documentation](https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html#creating-access-entries){.external}. ### Logging S3 bucket name diff --git a/modules/AWS/dynamodb/provider_version.tf b/modules/AWS/dynamodb/provider_version.tf index 15ed9e10..b2603df2 100644 --- a/modules/AWS/dynamodb/provider_version.tf +++ b/modules/AWS/dynamodb/provider_version.tf @@ -1,13 +1,13 @@ terraform { required_providers { aws = { - version = "~> 4.36" + version = "~> 5.0" } kubernetes = { version = "~> 2.7" } helm = { - version = "~> 2.4" + version = "~> 2.14" } } } \ No newline at end of file diff --git a/modules/AWS/eks/autoscaling.tf b/modules/AWS/eks/autoscaling.tf index 5e5b004c..f315c33a 100644 --- a/modules/AWS/eks/autoscaling.tf +++ b/modules/AWS/eks/autoscaling.tf 
@@ -1,6 +1,6 @@ module "autoscaler_iam_role" { source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc" - version = "4.13.2" + version = "5.41.0" create_role = true role_name = "${var.cluster_name}-autoscaler" @@ -16,7 +16,7 @@ module "autoscaler_iam_role" { resource "aws_iam_policy" "cluster_autoscaler" { name_prefix = "cluster-autoscaler" - description = "EKS cluster-autoscaler policy for cluster ${module.eks.cluster_id}" + description = "EKS cluster-autoscaler policy for cluster ${module.eks.cluster_name}" policy = data.aws_iam_policy_document.cluster_autoscaler.json } @@ -55,7 +55,7 @@ data "aws_iam_policy_document" "cluster_autoscaler" { condition { test = "StringEquals" - variable = "autoscaling:ResourceTag/kubernetes.io/cluster/${module.eks.cluster_id}" + variable = "autoscaling:ResourceTag/kubernetes.io/cluster/${module.eks.cluster_name}" values = [ "owned" ] diff --git a/modules/AWS/eks/locals.tf b/modules/AWS/eks/locals.tf index 0650aa9c..3e580b60 100644 --- a/modules/AWS/eks/locals.tf +++ b/modules/AWS/eks/locals.tf @@ -5,7 +5,7 @@ locals { autoscaler_service_account_namespace = "kube-system" autoscaler_service_account_name = "cluster-autoscaler-aws-cluster-autoscaler-chart" - autoscaler_version = "9.25.0" + autoscaler_version = "9.37.0" ami_type = "AL2_x86_64" @@ -23,4 +23,6 @@ locals { use_downtime = var.cluster_downtime_start != null && var.cluster_downtime_stop != null ? true : false + + iam_access_entries = var.additional_roles != null ? var.additional_roles : null } diff --git a/modules/AWS/eks/main.tf b/modules/AWS/eks/main.tf index 3e59d8f4..1ce21df7 100644 --- a/modules/AWS/eks/main.tf +++ b/modules/AWS/eks/main.tf @@ -24,7 +24,7 @@ module "nodegroup_launch_template" { module "eks" { source = "terraform-aws-modules/eks/aws" - version = "18.30.2" + version = "~> 20.0" # Configure cluster cluster_version = var.eks_version 
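Review bot: In modules/AWS/eks/locals.tf, `iam_access_entries = var.additional_roles != null ? var.additional_roles : null` yields `var.additional_roles` on both branches, so the conditional does nothing. If the intent is to tolerate a null input, the fallback should be the empty map the module's `access_entries` input expects: `iam_access_entries = var.additional_roles != null ? var.additional_roles : {}`. Otherwise the local can be dropped and the variable passed directly. The `locals` block starts outside this hunk.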
@@ -36,22 +36,37 @@ module "eks" { cluster_addons = { kube-proxy = {} vpc-cni = { - resolve_conflicts = "OVERWRITE" + resolve_conflicts_on_create = "OVERWRITE" } aws-ebs-csi-driver = { - resolve_conflicts = "OVERWRITE" + resolve_conflicts_on_create = "OVERWRITE" + configuration_values = jsonencode({ + defaultStorageClass = { + enabled = true + } + }) } } # We're creating eks managed nodegroup, hence aws-auth is handled by EKS - manage_aws_auth_configmap = true - aws_auth_roles = var.additional_roles + enable_cluster_creator_admin_permissions = true + authentication_mode = "API_AND_CONFIG_MAP" + access_entries = local.iam_access_entries + + cluster_endpoint_public_access = true # Enables IAM roles for service accounts - required for autoscaler and potentially Atlassian apps # https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html enable_irsa = true iam_role_use_name_prefix = false + # we won't use kms key to encrypt secrets in etcd + # and may want to revisit this in future + # to and make it configurable (requires kms permissions) + create_kms_key = false + cluster_encryption_config = {} + + # Networking vpc_id = var.vpc_id subnet_ids = var.subnets @@ -73,7 +88,7 @@ module "eks" { subnet_ids = slice(var.subnets, 0, 1) capacity_type = "ON_DEMAND" create_launch_template = false - launch_template_name = data.aws_launch_template.nodes.name + launch_template_id = data.aws_launch_template.nodes.id launch_template_version = module.nodegroup_launch_template.version create_iam_role = false iam_role_arn = aws_iam_role.node_group.arn diff --git a/modules/AWS/eks/outputs.tf b/modules/AWS/eks/outputs.tf index 3191db1e..4be9221d 100644 --- a/modules/AWS/eks/outputs.tf +++ b/modules/AWS/eks/outputs.tf @@ -2,10 +2,6 @@ output "cluster_name" { value = var.cluster_name } -output "cluster_id" { - value = module.eks.cluster_id -} - output "cluster_oidc_issuer_url" { value = module.eks.cluster_oidc_issuer_url } 
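Review bot: `cluster_endpoint_public_access = true` is added without a matching `cluster_endpoint_public_access_cidrs`, so the control-plane endpoint becomes reachable from any address (the module defaults that list to 0.0.0.0/0, as far as I recall) with only IAM authentication in front of it; if the root `whitelist_cidr` value can be plumbed into this module, `cluster_endpoint_public_access_cidrs = var.whitelist_cidr` would keep the same allowlist as the rest of the stack. `create_kms_key = false` together with `cluster_encryption_config = {}` leaves Kubernetes secrets in etcd without envelope encryption; the comment says this is deliberate, so a boolean module variable would make the trade-off a per-deployment choice rather than a hidden default. The retained comment `# We're creating eks managed nodegroup, hence aws-auth is handled by EKS` now sits above access-entry settings it no longer describes; `# Cluster access is granted via EKS access entries; API_AND_CONFIG_MAP keeps aws-auth readable during migration` fits the new lines. The `module "eks"` block begins and ends outside this hunk.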
diff --git a/modules/AWS/eks/provider_version.tf b/modules/AWS/eks/provider_version.tf index 5470c2fe..e07ae9d1 100644 --- a/modules/AWS/eks/provider_version.tf +++ b/modules/AWS/eks/provider_version.tf @@ -1,13 +1,13 @@ terraform { required_providers { aws = { - version = "~> 4.36" + version = "~> 5.0" } kubernetes = { version = "~> 2.7" } helm = { - version = "~> 2.4" + version = "~> 2.14" } } } diff --git a/modules/AWS/eks/providers.tf b/modules/AWS/eks/providers.tf index 6e1a728e..cc20d08b 100644 --- a/modules/AWS/eks/providers.tf +++ b/modules/AWS/eks/providers.tf @@ -1,9 +1,11 @@ data "aws_eks_cluster" "cluster" { - name = module.eks.cluster_id + name = module.eks.cluster_name + depends_on = [module.eks.cluster_name] } data "aws_eks_cluster_auth" "cluster" { - name = module.eks.cluster_id + name = module.eks.cluster_name + depends_on = [module.eks.cluster_name] } provider "kubernetes" { diff --git a/modules/AWS/eks/variables.tf b/modules/AWS/eks/variables.tf index f1e75b5c..7d58760b 100644 --- a/modules/AWS/eks/variables.tf +++ b/modules/AWS/eks/variables.tf @@ -9,10 +9,10 @@ variable "cluster_name" { variable "eks_version" { description = "EKS K8s version" - type = number + type = string validation { - condition = can(regex("^1\\.2[7-9]", var.eks_version)) - error_message = "Invalid EKS K8S version. Valid versions are from 1.27 to 1.29." + condition = can(regex("^1\\.3[0-9]", var.eks_version)) + error_message = "Invalid EKS K8S version. Valid versions are from 1.30 to 1.39." } } @@ -86,7 +86,7 @@ variable "cluster_downtime_timezone" { variable "additional_roles" { description = "Additional roles that have access to the cluster." - type = list(object({ rolearn = string, username = string, groups = list(string) })) + type = map(any) } variable "osquery_secret_name" { diff --git a/modules/AWS/external-dns/provider_version.tf b/modules/AWS/external-dns/provider_version.tf index 5470c2fe..e07ae9d1 100644 --- a/modules/AWS/external-dns/provider_version.tf 
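Review bot: `depends_on = [module.eks.cluster_name]` in providers.tf references an attribute, and Terraform requires depends_on entries to be whole objects (it reports an invalid depends_on reference for attribute traversals), so both data blocks look like they will fail validation as written. The dependency is already implied by `name = module.eks.cluster_name`, so the two added lines can simply be removed; if an explicit ordering is still wanted, `depends_on = [module.eks]` is the accepted form. Note that an explicit depends_on on a data source defers its read to apply time, which is presumably the intent here.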
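Review bot: The new version check in modules/AWS/eks/variables.tf, `can(regex("^1\\.3[0-9]", var.eks_version))`, has no end anchor, so values like `1.300` or `1.30-beta` pass here but are rejected by the anchored copy in the root variables.tf; the two should agree, `condition = can(regex("^1\\.3[0-9]$", var.eks_version))`. The same hunk changes `additional_roles` to `type = map(any)`, which drops the shape checking the previous `list(object(...))` type provided, so a malformed entry is only discovered when the eks module or the API rejects it; an object type with the access-entry attributes, or at minimum a `validation` block requiring `principal_arn` on every entry, would catch it at plan time. The same loosening appears in modules/common/variables.tf and the root variables.tf.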
+++ b/modules/AWS/external-dns/provider_version.tf @@ -1,13 +1,13 @@ terraform { required_providers { aws = { - version = "~> 4.36" + version = "~> 5.0" } kubernetes = { version = "~> 2.7" } helm = { - version = "~> 2.4" + version = "~> 2.14" } } } diff --git a/modules/AWS/ingress/locals.tf b/modules/AWS/ingress/locals.tf index cb4030f2..48f7bdfb 100644 --- a/modules/AWS/ingress/locals.tf +++ b/modules/AWS/ingress/locals.tf @@ -1,5 +1,5 @@ locals { - ingress_version = "4.10.1" + ingress_version = "4.11.1" ingress_name = "ingress-nginx" ingress_namespace = "ingress-nginx" domain_supplied = var.ingress_domain != null ? true : false diff --git a/modules/AWS/ingress/provider_version.tf b/modules/AWS/ingress/provider_version.tf index 15ed9e10..b2603df2 100644 --- a/modules/AWS/ingress/provider_version.tf +++ b/modules/AWS/ingress/provider_version.tf @@ -1,13 +1,13 @@ terraform { required_providers { aws = { - version = "~> 4.36" + version = "~> 5.0" } kubernetes = { version = "~> 2.7" } helm = { - version = "~> 2.4" + version = "~> 2.14" } } } \ No newline at end of file diff --git a/modules/AWS/nfs/locals.tf b/modules/AWS/nfs/locals.tf index 4e422ada..eb540c62 100644 --- a/modules/AWS/nfs/locals.tf +++ b/modules/AWS/nfs/locals.tf @@ -4,5 +4,5 @@ locals { nfs_name = "${var.product}-nfs" # The name of the NFS storage class. - storage_class = "gp2" -} \ No newline at end of file + storage_class = "ebs-csi-default-sc" +} diff --git a/modules/AWS/nfs/main.tf b/modules/AWS/nfs/main.tf index c76547a2..40495acd 100644 --- a/modules/AWS/nfs/main.tf +++ b/modules/AWS/nfs/main.tf @@ -3,7 +3,7 @@ resource "aws_ebs_volume" "shared_home" { snapshot_id = var.shared_home_snapshot_id != null ? var.shared_home_snapshot_id : null size = tonumber(regex("\\d+", var.shared_home_size)) - type = local.storage_class + type = "gp2" tags = { Name = "${var.product}-nfs-shared-home" 
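Review bot: In modules/AWS/nfs/main.tf, `type = "gp2"` replaces `local.storage_class` with a literal while the local is repurposed to hold the Kubernetes StorageClass name `ebs-csi-default-sc`; an EBS volume type and a StorageClass are different things, and the literal is now repeated in modules/products/confluence/local_home_storage.tf, modules/products/confluence/opensearch_storage.tf and modules/products/jira/local_home_storage.tf. A dedicated local such as `ebs_volume_type = "gp2"` with the comment `# EBS volume type for pre-created/snapshot-restored volumes; distinct from the k8s StorageClass` keeps the two apart and gives one place to change it. Whether the addon's default StorageClass provisions the same volume type as these volumes is not visible here and worth confirming.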
diff --git a/modules/AWS/nfs/provider_version.tf b/modules/AWS/nfs/provider_version.tf index 6d653485..e07ae9d1 100644 --- a/modules/AWS/nfs/provider_version.tf +++ b/modules/AWS/nfs/provider_version.tf @@ -1,13 +1,13 @@ terraform { required_providers { aws = { - version = "~> 4.36" + version = "~> 5.0" } kubernetes = { version = "~> 2.7" } helm = { - version = "~> 2.12.1" + version = "~> 2.14" } } } diff --git a/modules/AWS/rds/provider_version.tf b/modules/AWS/rds/provider_version.tf index 5470c2fe..e07ae9d1 100644 --- a/modules/AWS/rds/provider_version.tf +++ b/modules/AWS/rds/provider_version.tf @@ -1,13 +1,13 @@ terraform { required_providers { aws = { - version = "~> 4.36" + version = "~> 5.0" } kubernetes = { version = "~> 2.7" } helm = { - version = "~> 2.4" + version = "~> 2.14" } } } diff --git a/modules/AWS/s3/provider_version.tf b/modules/AWS/s3/provider_version.tf index 15ed9e10..b2603df2 100644 --- a/modules/AWS/s3/provider_version.tf +++ b/modules/AWS/s3/provider_version.tf @@ -1,13 +1,13 @@ terraform { required_providers { aws = { - version = "~> 4.36" + version = "~> 5.0" } kubernetes = { version = "~> 2.7" } helm = { - version = "~> 2.4" + version = "~> 2.14" } } } \ No newline at end of file diff --git a/modules/AWS/vpc/main.tf b/modules/AWS/vpc/main.tf index fb12e159..17a3df65 100644 --- a/modules/AWS/vpc/main.tf +++ b/modules/AWS/vpc/main.tf @@ -4,7 +4,7 @@ data "aws_availability_zones" "available" { module "vpc" { source = "terraform-aws-modules/vpc/aws" - version = "3.10.0" + version = "5.9.0" name = var.vpc_name cidr = var.vpc_cidr diff --git a/modules/AWS/vpc/provider_version.tf b/modules/AWS/vpc/provider_version.tf index 15ed9e10..b2603df2 100644 --- a/modules/AWS/vpc/provider_version.tf +++ b/modules/AWS/vpc/provider_version.tf 
@@ -1,13 +1,13 @@ terraform { required_providers { aws = { - version = "~> 4.36" + version = "~> 5.0" } kubernetes = { version = "~> 2.7" } helm = { - version = "~> 2.4" + version = "~> 2.14" } } } \ No newline at end of file diff --git a/modules/common/provider_version.tf b/modules/common/provider_version.tf index 15ed9e10..b2603df2 100644 --- a/modules/common/provider_version.tf +++ b/modules/common/provider_version.tf @@ -1,13 +1,13 @@ terraform { required_providers { aws = { - version = "~> 4.36" + version = "~> 5.0" } kubernetes = { version = "~> 2.7" } helm = { - version = "~> 2.4" + version = "~> 2.14" } } } \ No newline at end of file diff --git a/modules/common/variables.tf b/modules/common/variables.tf index 44f6187e..738ebb2e 100644 --- a/modules/common/variables.tf +++ b/modules/common/variables.tf @@ -14,7 +14,7 @@ variable "environment_name" { variable "eks_version" { description = "EKS K8s version" - type = number + type = string } variable "tags" { @@ -83,7 +83,7 @@ variable "enable_ssh_tcp" { variable "eks_additional_roles" { description = "Additional roles that have access to the cluster." - type = list(object({ rolearn = string, username = string, groups = list(string) })) + type = map(any) } variable "whitelist_cidr" { diff --git a/modules/products/bamboo/provider_version.tf b/modules/products/bamboo/provider_version.tf index 15ed9e10..b2603df2 100644 --- a/modules/products/bamboo/provider_version.tf +++ b/modules/products/bamboo/provider_version.tf @@ -1,13 +1,13 @@ terraform { required_providers { aws = { - version = "~> 4.36" + version = "~> 5.0" } kubernetes = { version = "~> 2.7" } helm = { - version = "~> 2.4" + version = "~> 2.14" } } } \ No newline at end of file diff --git a/modules/products/bitbucket/provider_version.tf b/modules/products/bitbucket/provider_version.tf index 15ed9e10..b2603df2 100644 --- a/modules/products/bitbucket/provider_version.tf +++ b/modules/products/bitbucket/provider_version.tf 
@@ -1,13 +1,13 @@ terraform { required_providers { aws = { - version = "~> 4.36" + version = "~> 5.0" } kubernetes = { version = "~> 2.7" } helm = { - version = "~> 2.4" + version = "~> 2.14" } } } \ No newline at end of file diff --git a/modules/products/confluence/local_home_storage.tf b/modules/products/confluence/local_home_storage.tf index 157e49c8..b0ece9de 100644 --- a/modules/products/confluence/local_home_storage.tf +++ b/modules/products/confluence/local_home_storage.tf @@ -9,7 +9,7 @@ resource "aws_ebs_volume" "local_home" { availability_zone = var.eks.availability_zone snapshot_id = var.local_home_snapshot_id size = data.aws_ebs_snapshot.local_home_snapshot[count.index].volume_size - type = local.storage_class + type = "gp2" tags = { Name = "local-home-confluence-${count.index}" } diff --git a/modules/products/confluence/locals.tf b/modules/products/confluence/locals.tf index a6d782bf..b03667b9 100644 --- a/modules/products/confluence/locals.tf +++ b/modules/products/confluence/locals.tf @@ -144,6 +144,6 @@ locals { } }) : yamlencode({}) - storage_class = "gp2" - opensearch_storage_class = "gp2" + storage_class = "ebs-csi-default-sc" + opensearch_storage_class = "ebs-csi-default-sc" } diff --git a/modules/products/confluence/opensearch_storage.tf b/modules/products/confluence/opensearch_storage.tf index 6a89f56c..9e050971 100644 --- a/modules/products/confluence/opensearch_storage.tf +++ b/modules/products/confluence/opensearch_storage.tf @@ -11,7 +11,7 @@ resource "aws_ebs_volume" "opensearch" { availability_zone = var.eks.availability_zone snapshot_id = var.opensearch_snapshot_id size = data.aws_ebs_snapshot.opensearch_snapshot[0].volume_size - type = local.opensearch_storage_class + type = "gp2" tags = { Name = "confluence-opensearch" } diff --git a/modules/products/confluence/provider_version.tf b/modules/products/confluence/provider_version.tf index 6a371b9d..0b2e4449 100644 --- a/modules/products/confluence/provider_version.tf 
+++ b/modules/products/confluence/provider_version.tf @@ -1,13 +1,13 @@ terraform { required_providers { aws = { - version = "~> 4.36" + version = "~> 5.0" } kubernetes = { version = "~> 2.7" } helm = { - version = "~> 2.4" + version = "~> 2.14" } random = { source = "hashicorp/random" diff --git a/modules/products/crowd/provider_version.tf b/modules/products/crowd/provider_version.tf index 15ed9e10..b2603df2 100644 --- a/modules/products/crowd/provider_version.tf +++ b/modules/products/crowd/provider_version.tf @@ -1,13 +1,13 @@ terraform { required_providers { aws = { - version = "~> 4.36" + version = "~> 5.0" } kubernetes = { version = "~> 2.7" } helm = { - version = "~> 2.4" + version = "~> 2.14" } } } \ No newline at end of file diff --git a/modules/products/jira/local_home_storage.tf b/modules/products/jira/local_home_storage.tf index 78ddb2a6..6ecd4ad7 100644 --- a/modules/products/jira/local_home_storage.tf +++ b/modules/products/jira/local_home_storage.tf @@ -9,7 +9,7 @@ resource "aws_ebs_volume" "local_home" { availability_zone = var.eks.availability_zone snapshot_id = var.local_home_snapshot_id size = data.aws_ebs_snapshot.local_home_snapshot[count.index].volume_size - type = local.storage_class + type = "gp2" tags = { Name = "local-home-jira-${count.index}" } diff --git a/modules/products/jira/locals.tf b/modules/products/jira/locals.tf index ada5b76e..af660144 100644 --- a/modules/products/jira/locals.tf +++ b/modules/products/jira/locals.tf @@ -56,5 +56,5 @@ locals { # DC App Performance Toolkit analytics dcapt_analytics_property = ["-Dcom.atlassian.dcapt.deployment=terraform"] - storage_class = "gp2" + storage_class = "ebs-csi-default-sc" } diff --git a/modules/products/jira/provider_version.tf b/modules/products/jira/provider_version.tf index 15ed9e10..b2603df2 100644 --- a/modules/products/jira/provider_version.tf +++ b/modules/products/jira/provider_version.tf 
@@ -1,13 +1,13 @@ terraform { required_providers { aws = { - version = "~> 4.36" + version = "~> 5.0" } kubernetes = { version = "~> 2.7" } helm = { - version = "~> 2.4" + version = "~> 2.14" } } } \ No newline at end of file diff --git a/modules/tfstate/provider_version.tf b/modules/tfstate/provider_version.tf index 15ed9e10..42161482 100644 --- a/modules/tfstate/provider_version.tf +++ b/modules/tfstate/provider_version.tf @@ -1,13 +1,13 @@ terraform { required_providers { aws = { - version = "~> 4.36" + version = "~> 5.0" } kubernetes = { - version = "~> 2.7" + version = "~> 2.31" } helm = { - version = "~> 2.4" + version = "~> 2.14" } } } \ No newline at end of file diff --git a/permissions/policy.json b/permissions/policy.json index 09615879..fc2dcf45 100644 --- a/permissions/policy.json +++ b/permissions/policy.json @@ -44,6 +44,7 @@ "Action": [ "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:DeleteLoadBalancer", "elasticloadbalancing:DeleteLoadBalancerListeners", "elasticloadbalancing:DescribeLoadBalancerAttributes", "elasticloadbalancing:DescribeTags", @@ -67,7 +68,14 @@ "eks:CreateCluster", "eks:TagResource", "eks:UntagResource", - "eks:ListTagsForResource" + "eks:ListTagsForResource", + "eks:CreateAccessEntry", + "eks:DeleteAccessEntry", + "eks:DescribeAddonVersions", + "eks:DescribeAccessEntry", + "eks:AssociateAccessPolicy", + "eks:DisassociateAccessPolicy", + "eks:ListAssociatedAccessPolicies" ], "Resource": [ "arn:aws:eks:*:123456789012:nodegroup/atlas-*", @@ -96,6 +104,14 @@ "arn:aws:dynamodb:*:123456789012:table/atl_dc_*_tf_lock" ] }, + { + "Sid": "s3list", + "Effect": "Allow", + "Action": [ + "s3:ListAllMyBuckets" + ], + "Resource": "*" + }, { "Sid": "s3bucket", "Effect": "Allow", 
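Review bot: The access-entry actions added to the eks statement (`eks:DeleteAccessEntry`, `eks:DescribeAccessEntry`, `eks:AssociateAccessPolicy`, `eks:DisassociateAccessPolicy`, `eks:ListAssociatedAccessPolicies`) are authorised on the `access-entry` resource type as far as I recall (only `eks:CreateAccessEntry` targets the cluster), yet the only Resource entry visible in the hunk is `arn:aws:eks:*:123456789012:nodegroup/atlas-*`; unless the rest of the list, which lies outside the hunk, already covers access-entry ARNs, the first apply that creates an access entry will be denied. Adding `arn:aws:eks:*:123456789012:access-entry/atlas-*/*` next to the cluster ARN keeps the grant scoped to this project's clusters instead of widening the statement to `*`. The new `s3list` statement on `*` is as narrow as it can be, since `s3:ListAllMyBuckets` only supports the wildcard resource.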
@@ -207,7 +223,10 @@ "ec2:DescribeSnapshots", "ec2:DescribeSecurityGroups", "ec2:DescribeNetworkInterfaces", - "ec2:RevokeSecurityGroupIngress" + "ec2:RevokeSecurityGroupIngress", + "ec2:DescribeAddressesAttribute", + "ec2:CreateNetworkAclEntry", + "ec2:DeleteNetworkAclEntry" ], "Resource": "*" }, @@ -237,7 +256,17 @@ "autoscaling:CreateOrUpdateTags", "autoscaling:DeleteTags", "autoscaling:DescribeTags", - "autoscaling:DescribeAutoScalingGroups" + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DeleteAutoScalingGroup" + ], + "Resource": "*" + }, + { + "Sid": "iamlist", + "Effect": "Allow", + "Action": [ + "iam:ListPolicies", + "iam:ListRoles" ], "Resource": "*" }, @@ -282,4 +311,4 @@ ] } ] -} \ No newline at end of file +} diff --git a/provider_version.tf b/provider_version.tf index b977a0ee..817a3e4e 100644 --- a/provider_version.tf +++ b/provider_version.tf @@ -1,13 +1,13 @@ terraform { required_providers { aws = { - version = "~> 4.36" + version = "~> 5.0" } kubernetes = { - version = "~> 2.7" + version = "~> 2.31" } helm = { - version = "~> 2.4" + version = "~> 2.14" } random = { source = "hashicorp/random" diff --git a/test/e2etest/test-config.tfvars.tmpl b/test/e2etest/test-config.tfvars.tmpl index d231306f..5da2f950 100644 --- a/test/e2etest/test-config.tfvars.tmpl +++ b/test/e2etest/test-config.tfvars.tmpl 
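Review bot: `ec2:CreateNetworkAclEntry` and `ec2:DeleteNetworkAclEntry` are added to a statement whose Resource is `*`, which lets this deployment identity rewrite the network ACLs of every VPC in the account, and `autoscaling:DeleteAutoScalingGroup` on `*` in the next hunk likewise reaches beyond the project's own groups. Both services support resource-level permissions and tag conditions, so a condition like `"StringLike": {"aws:ResourceTag/<project-tag-key>": "atlas-*"}` (or the network-acl and autoScalingGroup ARNs of the VPC and cluster this stack manages) keeps the blast radius to resources it created. `iam:ListPolicies` and `iam:ListRoles` only accept `*`, so the new `iamlist` statement is fine as written.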
@@ -141,22 +141,26 @@ bitbucket_termination_grace_period = 0 {{if .additional_role }} # Enable access to additional role -eks_additional_roles = [ - { - rolearn = "{{ .additional_role }}" - username = "additional_role" - groups = [ - "system:masters" - ] - } -] +eks_additional_roles = { + user = { + kubernetes_group = [] + principal_arn = "{{ .additional_role }}" + policy_associations = { + admin = { + policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy" + access_scope = { + namespaces = [] + type = "cluster" + } + } + } + } +} {{end}} ################################################################################ # Crowd Settings ################################################################################ -# remove this once Crowd Helm chart is fixed -crowd_version_tag = "5.1.2" crowd_cpu = "1" crowd_mem = "1Gi" crowd_min_heap = "512m" diff --git a/test/unittest/eks_test.go b/test/unittest/eks_test.go index 792d95d6..56463f6e 100644 --- a/test/unittest/eks_test.go +++ b/test/unittest/eks_test.go 
@@ -44,23 +44,23 @@ func TestEksVariablesPopulatedWithValidValues(t *testing.T) { maxClusterCapacity := plan.RawPlan.Variables["max_cluster_capacity"].Value additionalRoles := plan.RawPlan.Variables["additional_roles"].Value s3Role := "aws_iam_role.s3_confluence_storage_role[0]" - s3Policy := "aws_iam_policy.s3_confluence_storage[0]" - s3PolicyAttachment := "aws_iam_role_policy_attachment.confluence_s3_storage[0]" - s3Bucket := "aws_s3_bucket.confluence_storage_bucket[0]" - s3BucketAcl := "aws_s3_bucket_acl.confluence_storage_acl[0]" + s3Policy := "aws_iam_policy.s3_confluence_storage[0]" + s3PolicyAttachment := "aws_iam_role_policy_attachment.confluence_s3_storage[0]" + s3Bucket := "aws_s3_bucket.confluence_storage_bucket[0]" + s3BucketAcl := "aws_s3_bucket_acl.confluence_storage_acl[0]" assert.Equal(t, "dummy-cluster-name", clusterName) assert.Equal(t, "dummy_vpc_id", vpcId) assert.Equal(t, []interface{}{"subnet1", "subnet2"}, subnets) assert.Equal(t, []interface{}{"a", "b"}, instanceTypes) - assert.Equal(t, []interface{}{map[string]interface{}{"rolearn": "dcdarn", "username": "additional_role", "groups": []interface{}{"system:masters"}}}, additionalRoles) + assert.Equal(t, EksWithValidValues["additional_roles"], additionalRoles) assert.Equal(t, "1", minClusterCapacity) assert.Equal(t, "10", maxClusterCapacity) assert.Contains(t, plan.ResourcePlannedValuesMap, s3Role) - assert.Contains(t, plan.ResourcePlannedValuesMap, s3Policy) - assert.Contains(t, plan.ResourcePlannedValuesMap, s3PolicyAttachment) - assert.Contains(t, plan.ResourcePlannedValuesMap, s3Bucket) - assert.Contains(t, plan.ResourcePlannedValuesMap, s3BucketAcl) + assert.Contains(t, plan.ResourcePlannedValuesMap, s3Policy) + assert.Contains(t, plan.ResourcePlannedValuesMap, s3PolicyAttachment) + assert.Contains(t, plan.ResourcePlannedValuesMap, s3Bucket) + assert.Contains(t, plan.ResourcePlannedValuesMap, s3BucketAcl) } func TestEksClusterNameInvalid(t *testing.T) { 
diff --git a/test/unittest/monitoring_test.go b/test/unittest/monitoring_test.go index 9da2a46a..876fe85e 100644 --- a/test/unittest/monitoring_test.go +++ b/test/unittest/monitoring_test.go @@ -14,23 +14,17 @@ func TestMonitoringEnabled(t *testing.T) { t.Parallel() tfOptions := GenerateTFOptions(map[string]interface{}{ - "region_name": "us-west-2", - "environment_name": "staging", - "eks_version": "1.28", - "tags": map[string]string{"key1": "value1", "key2": "value2"}, - "instance_types": []string{"t2.micro", "t3.small"}, - "instance_disk_size": 50, - "max_cluster_capacity": 10, - "min_cluster_capacity": 2, - "domain": "example.com", - "namespace": "namespace", - "eks_additional_roles": []map[string]interface{}{ - { - "rolearn": "arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME", - "username": "ROLE_NAME", - "groups": []string{"system:masters"}, - }, - }, + "region_name": "us-west-2", + "environment_name": "staging", + "eks_version": "1.30", + "tags": map[string]string{"key1": "value1", "key2": "value2"}, + "instance_types": []string{"t2.micro", "t3.small"}, + "instance_disk_size": 50, + "max_cluster_capacity": 10, + "min_cluster_capacity": 2, + "domain": "example.com", + "namespace": "namespace", + "eks_additional_roles": map[string]interface{}{}, "whitelist_cidr": []string{"10.0.0.0/16"}, "enable_https_ingress": false, "enable_ssh_tcp": false, diff --git a/test/unittest/test_variables.go b/test/unittest/test_variables.go index 9185a152..2f7016b4 100644 --- a/test/unittest/test_variables.go +++ b/test/unittest/test_variables.go @@ -40,7 +40,7 @@ var EksWithValidValues = map[string]interface{}{ "osquery_fleet_enrollment_host": "dummy-host", "kinesis_log_producers_role_arns": "{\"eu\": \"eu,\",\"non-eu\": \"non-eu\"}", "cluster_name": "dummy-cluster-name", - "eks_version": 1.28, + "eks_version": "1.30", "vpc_id": "dummy_vpc_id", "subnets": []string{"subnet1", "subnet2"}, "region": "us-east-1", 
@@ -51,10 +51,21 @@ var EksWithValidValues = map[string]interface{}{ "instance_types": []string{"a", "b"}, "min_cluster_capacity": 1, "max_cluster_capacity": 10, - "additional_roles": []interface{}{map[string]interface{}{ - "rolearn": "dcdarn", - "username": "additional_role", - "groups": []interface{}{"system:masters"}}}, + "additional_roles": map[string]interface{}{ + "user": map[string]interface{}{ + "kubernetes_group": []interface{}{}, + "principal_arn": "arn:aws:iam::123456789012:role/test-terraform-policy-role", + "policy_associations": map[string]interface{}{ + "admin": map[string]interface{}{ + "policy_arn": "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy", + "access_scope": map[string]interface{}{ + "namespaces": []interface{}{}, + "type": "cluster", + }, + }, + }, + }, + }, } var EksWithUnsupportedKinesisRegion = map[string]interface{}{ @@ -65,7 +76,7 @@ var EksWithUnsupportedKinesisRegion = map[string]interface{}{ "osquery_fleet_enrollment_host": "dummy-host", "kinesis_log_producers_role_arns": "{\"eu\": \"eu,\",\"non-eu\": \"non-eu\"}", "cluster_name": "dummy-cluster-name", - "eks_version": 1.28, + "eks_version": "1.30", "vpc_id": "dummy_vpc_id", "subnets": []string{"subnet1", "subnet2"}, "region": "eu-west-2", @@ -76,7 +87,7 @@ var EksWithUnsupportedKinesisRegion = map[string]interface{}{ "instance_types": []string{"a", "b"}, "min_cluster_capacity": 1, "max_cluster_capacity": 10, - "additional_roles": []string{}, + "additional_roles": map[string]interface{}{}, } var EksWithInvalidClusterName = map[string]interface{}{ @@ -87,7 +98,7 @@ var EksWithInvalidClusterName = map[string]interface{}{ "osquery_fleet_enrollment_host": "dummy-host", "kinesis_log_producers_role_arns": "{\"eu\": \"eu,\",\"non-eu\": \"non-eu\"}", "cluster_name": "cluster name with invalid spaces", - "eks_version": 1.28, + "eks_version": "1.30", "vpc_id": "dummy_vpc_id", "subnets": []string{"subnet1", "subnet2"}, "region": "us-east-1", 
@@ -98,7 +109,7 @@ var EksWithInvalidClusterName = map[string]interface{}{ "instance_types": []string{"a", "b"}, "min_cluster_capacity": 1, "max_cluster_capacity": 10, - "additional_roles": []string{}, + "additional_roles": map[string]interface{}{}, } var EksWithInvalidClusterVersion = map[string]interface{}{ @@ -120,7 +131,7 @@ var EksWithInvalidClusterVersion = map[string]interface{}{ "instance_types": []string{"a", "b"}, "min_cluster_capacity": 1, "max_cluster_capacity": 10, - "additional_roles": []string{}, + "additional_roles": map[string]interface{}{}, } var EksWithMaxCapacityOverLimit = map[string]interface{}{ @@ -131,7 +142,7 @@ var EksWithMaxCapacityOverLimit = map[string]interface{}{ "osquery_fleet_enrollment_host": "dummy-host", "kinesis_log_producers_role_arns": "{\"eu\": \"eu,\",\"non-eu\": \"non-eu\"}", "cluster_name": "dummy-cluster-name", - "eks_version": 1.28, + "eks_version": "1.30", "vpc_id": "dummy_vpc_id", "subnets": []string{"subnet1", "subnet2"}, "region": "us-east-1", @@ -142,7 +153,7 @@ var EksWithMaxCapacityOverLimit = map[string]interface{}{ "instance_types": []string{"a", "b"}, "min_cluster_capacity": 1, "max_cluster_capacity": 21, - "additional_roles": []string{}, + "additional_roles": map[string]interface{}{}, } var EksWithMaxCapacityUnderLimit = map[string]interface{}{ @@ -153,7 +164,7 @@ var EksWithMaxCapacityUnderLimit = map[string]interface{}{ "osquery_fleet_enrollment_host": "dummy-host", "kinesis_log_producers_role_arns": "{\"eu\": \"eu,\",\"non-eu\": \"non-eu\"}", "cluster_name": "dummy-cluster-name", - "eks_version": 1.28, + "eks_version": "1.30", "vpc_id": "dummy_vpc_id", "subnets": []string{"subnet1", "subnet2"}, "region": "us-east-1", 
@@ -164,7 +175,7 @@ var EksWithMaxCapacityUnderLimit = map[string]interface{}{ "instance_types": []string{"a", "b"}, "min_cluster_capacity": 1, "max_cluster_capacity": 0, - "additional_roles": []string{}, + "additional_roles": map[string]interface{}{}, } var EksWithMinCapacityUnderLimit = map[string]interface{}{ @@ -175,7 +186,7 @@ var EksWithMinCapacityUnderLimit = map[string]interface{}{ "osquery_fleet_enrollment_host": "dummy-host", "kinesis_log_producers_role_arns": "{\"eu\": \"eu,\",\"non-eu\": \"non-eu\"}", "cluster_name": "dummy-cluster-name", - "eks_version": 1.28, + "eks_version": "1.30", "vpc_id": "dummy_vpc_id", "subnets": []string{"subnet1", "subnet2"}, "region": "us-east-1", @@ -186,7 +197,7 @@ var EksWithMinCapacityUnderLimit = map[string]interface{}{ "instance_types": []string{"a", "b"}, "min_cluster_capacity": 0, "max_cluster_capacity": 10, - "additional_roles": []string{}, + "additional_roles": map[string]interface{}{}, } var EksWithMinCapacityOverLimit = map[string]interface{}{ @@ -197,7 +208,7 @@ var EksWithMinCapacityOverLimit = map[string]interface{}{ "osquery_fleet_enrollment_host": "dummy-host", "kinesis_log_producers_role_arns": "{\"eu\": \"eu,\",\"non-eu\": \"non-eu\"}", "cluster_name": "dummy-cluster-name", - "eks_version": 1.28, + "eks_version": "1.30", "vpc_id": "dummy_vpc_id", "subnets": []string{"subnet1", "subnet2"}, "region": "us-east-1", @@ -208,7 +219,7 @@ var EksWithMinCapacityOverLimit = map[string]interface{}{ "instance_types": []string{"a", "b"}, "min_cluster_capacity": 21, "max_cluster_capacity": 10, - "additional_roles": []string{}, + "additional_roles": map[string]interface{}{}, } var EksDefaultModuleVariable = map[string]interface{}{ diff --git a/variables.tf b/variables.tf index a72f1a1b..05d9010d 100644 --- a/variables.tf +++ b/variables.tf 
@@ -24,11 +24,11 @@ variable "environment_name" { variable "eks_version" { description = "EKS K8s version" - default = 1.29 - type = number + default = "1.30" + type = string validation { - condition = can(regex("^1\\.2[7-9]", var.eks_version)) - error_message = "Invalid EKS K8S version. Valid versions are from 1.27 to 1.29." + condition = can(regex("^1\\.3[0-9]$", var.eks_version)) + error_message = "Invalid EKS K8S version. Valid versions are from 1.30 to 1.39." } } @@ -131,8 +131,8 @@ variable "logging_bucket" { variable "eks_additional_roles" { description = "Additional roles that have access to the cluster." - default = [] - type = list(object({ rolearn = string, username = string, groups = list(string) })) + default = {} + type = map(any) } variable "whitelist_cidr" {
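Review bot: `eks_additional_roles` now has `type = map(any)` and `default = {}`, but its description still reads `Additional roles that have access to the cluster.`, which described the old aws-auth role list; with `map(any)` that description is the only documentation of the expected shape. Suggest `description = "EKS access entries keyed by name (principal_arn, policy_associations with access_scope); passed through to the eks module's access_entries input."`. The variable's `validation` block, if one is added later, is where the key names could be checked since the type no longer does it.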