Encrypt RDS, return RabbitMQ PVC and some alignments

6.artifactory-aws-install/artifactory.tf

@@ -44,6 +44,7 @@ resource "helm_release" "artifactory" {
   depends_on = [
     aws_db_instance.artifactory_db,
     aws_s3_bucket.artifactory_binarystore,
+    module.eks,
     helm_release.metrics_server
   ]
 

6.artifactory-aws-install/eks.tf

@@ -9,7 +9,7 @@ resource "aws_security_group_rule" "allow_management_from_my_ip" {
     from_port         = 0
     to_port           = 65535
     protocol          = "-1"
-    cidr_blocks       = [var.cluster_public_access_cidrs]
+    cidr_blocks       = var.cluster_public_access_cidrs
     security_group_id = module.eks.cluster_security_group_id
     description       = "Allow all traffic from my public IP for management"
 }
@@ -22,11 +22,12 @@ module "eks" {
 
     enable_cluster_creator_admin_permissions = true
     cluster_endpoint_public_access           = true
-    cluster_endpoint_public_access_cidrs     = [var.cluster_public_access_cidrs]
+    cluster_endpoint_public_access_cidrs     = var.cluster_public_access_cidrs
 
     cluster_addons = {
         aws-ebs-csi-driver = {
-            service_account_role_arn = module.irsa-ebs-csi.iam_role_arn
+            most_recent = true
+            service_account_role_arn = module.ebs_csi_irsa_role.iam_role_arn
         }
     }
 
@@ -37,6 +38,7 @@ module "eks" {
         ami_type = "AL2_ARM_64"
         iam_role_additional_policies = {
             AmazonS3FullAccess = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
+            AmazonEBSCSIDriverPolicy = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
         }
         block_device_mappings = {
             xvda = {
@@ -56,8 +58,8 @@ module "eks" {
     }
 
     eks_managed_node_groups = {
-        one = {
-            name = "node-group-artifactory"
+        artifactory = {
+            name = "artifactory-node-group"
 
             instance_types = ["m7g.large"]
 
@@ -70,8 +72,8 @@ module "eks" {
             }
         }
 
-        two = {
-            name = "node-group-nginx"
+        nginx = {
+            name = "nginx-node-group"
 
             instance_types = ["c7g.large"]
 
@@ -90,21 +92,33 @@ module "eks" {
     }
 }
 
-# https://aws.amazon.com/blogs/containers/amazon-ebs-csi-driver-is-now-generally-available-in-amazon-eks-add-ons/
-data "aws_iam_policy" "ebs_csi_policy" {
-    arn = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
+# Create the gp3 storage class and make it the default
+resource "kubernetes_storage_class" "gp3_storage_class" {
+    metadata {
+        name = "gp3"
+        annotations = {
+            "storageclass.kubernetes.io/is-default-class" = "true"
+        }
+    }
+    storage_provisioner = "ebs.csi.aws.com"
+    volume_binding_mode = "WaitForFirstConsumer"
+    allow_volume_expansion = true
+    parameters = {
+        "fsType" = "ext4"
+        "type" = "gp3"
+    }
 }
 
-module "irsa-ebs-csi" {
-    source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
+module "ebs_csi_irsa_role" {
+    source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
 
-    create_role                   = true
-    role_name                     = "AmazonEKSTFEBSCSIRole-${module.eks.cluster_name}"
-    provider_url                  = module.eks.oidc_provider
-    role_policy_arns              = [data.aws_iam_policy.ebs_csi_policy.arn]
-    oidc_fully_qualified_subjects = ["system:serviceaccount:kube-system:ebs-csi-controller-sa"]
+    role_name             = "ebs-csi-${module.eks.cluster_name}"
+    attach_ebs_csi_policy = true
 
-    tags = {
-        Group = var.common_tag
+    oidc_providers = {
+        ex = {
+            provider_arn               = module.eks.oidc_provider_arn
+            namespace_service_accounts = ["kube-system:ebs-csi-controller-sa"]
+        }
     }
 }

6.artifactory-aws-install/rds.tf

@@ -16,8 +16,9 @@ resource "aws_db_instance" "artifactory_db" {
   instance_class         = "db.m7g.large" # Change as needed based on expected load
 
   storage_type           = "gp3"        # Using gp3 for storage type
-  allocated_storage      = 50          # Set desired storage size in GB
+  allocated_storage      = 50           # Set desired storage size in GB
   max_allocated_storage  = 100          # Set maximum size for storage autoscaling (optional)
+  storage_encrypted      = true
 
   db_name                = var.db_name
   username               = var.db_username

6.artifactory-aws-install/variables.tf

@@ -6,7 +6,7 @@ variable "region" {
 
 # WARNING: CIDR "0.0.0.0/0" is full public access to the cluster. You should use a more restrictive CIDR
 variable "cluster_public_access_cidrs" {
-  default = "0.0.0.0/0"
+  default = ["0.0.0.0/0"]
 }
 
 variable "vpc_cidr" {

7.jfrog-platform-aws-install/README.md

@@ -8,8 +8,6 @@ The resources are split between individual files for easy and clear separation.
 
 The [jfrog-values.yaml](jfrog-values.yaml) file has the values that Helm will use to configure the JFrog Platform installation.
 
-*IMPORTANT:* The Xray RabbitMQ is not using a persistent volume due to the lack of EBS provisioner in the EKS cluster. This will be fixed in a later version.
-
 1. Initialize the Terraform configuration by running the following command
 ```shell
 terraform init

7.jfrog-platform-aws-install/eks.tf

@@ -9,7 +9,7 @@ resource "aws_security_group_rule" "allow_management_from_my_ip" {
     from_port         = 0
     to_port           = 65535
     protocol          = "-1"
-    cidr_blocks       = [var.cluster_public_access_cidrs]
+    cidr_blocks       = var.cluster_public_access_cidrs
     security_group_id = module.eks.cluster_security_group_id
     description       = "Allow all traffic from my public IP for management"
 }
@@ -22,11 +22,12 @@ module "eks" {
 
     enable_cluster_creator_admin_permissions = true
     cluster_endpoint_public_access           = true
-    cluster_endpoint_public_access_cidrs     = [var.cluster_public_access_cidrs]
+    cluster_endpoint_public_access_cidrs     = var.cluster_public_access_cidrs
 
     cluster_addons = {
         aws-ebs-csi-driver = {
-            service_account_role_arn = module.irsa-ebs-csi.iam_role_arn
+            most_recent = true
+            service_account_role_arn = module.ebs_csi_irsa_role.iam_role_arn
         }
     }
 
@@ -37,6 +38,7 @@ module "eks" {
         ami_type = "AL2_ARM_64"
         iam_role_additional_policies = {
             AmazonS3FullAccess = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
+            AmazonEBSCSIDriverPolicy = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
         }
         block_device_mappings = {
             xvda = {
@@ -104,21 +106,33 @@ module "eks" {
     }
 }
 
-# https://aws.amazon.com/blogs/containers/amazon-ebs-csi-driver-is-now-generally-available-in-amazon-eks-add-ons/
-data "aws_iam_policy" "ebs_csi_policy" {
-    arn = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
+# Create the gp3 storage class and make it the default
+resource "kubernetes_storage_class" "gp3_storage_class" {
+    metadata {
+        name = "gp3"
+        annotations = {
+            "storageclass.kubernetes.io/is-default-class" = "true"
+        }
+    }
+    storage_provisioner = "ebs.csi.aws.com"
+    volume_binding_mode = "WaitForFirstConsumer"
+    allow_volume_expansion = true
+    parameters = {
+        "fsType" = "ext4"
+        "type" = "gp3"
+    }
 }
 
-module "irsa-ebs-csi" {
-    source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
+module "ebs_csi_irsa_role" {
+    source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
 
-    create_role                   = true
-    role_name                     = "AmazonEKSTFEBSCSIRole-${module.eks.cluster_name}"
-    provider_url                  = module.eks.oidc_provider
-    role_policy_arns              = [data.aws_iam_policy.ebs_csi_policy.arn]
-    oidc_fully_qualified_subjects = ["system:serviceaccount:kube-system:ebs-csi-controller-sa"]
+    role_name             = "ebs-csi-${module.eks.cluster_name}"
+    attach_ebs_csi_policy = true
 
-    tags = {
-        Group = var.common_tag
+    oidc_providers = {
+        ex = {
+            provider_arn               = module.eks.oidc_provider_arn
+            namespace_service_accounts = ["kube-system:ebs-csi-controller-sa"]
+        }
     }
 }

7.jfrog-platform-aws-install/jfrog-platform.tf

@@ -44,6 +44,7 @@ resource "helm_release" "jfrog_platform" {
   depends_on = [
     aws_db_instance.artifactory_db,
     aws_s3_bucket.artifactory_binarystore,
+    module.eks,
     helm_release.metrics_server
   ]
 
@@ -93,6 +94,9 @@ resource "helm_release" "jfrog_platform" {
 
   # Wait for the release to complete deployment
   wait = true
+
+  # Increase the timeout to 10 minutes for the JFrog Platform to deploy
+  timeout = 600
 }
 
 data "kubernetes_resources" "nginx_service" {

7.jfrog-platform-aws-install/jfrog-values.yaml

@@ -82,8 +82,6 @@ xray:
 # RabbitMQ is required for Xray
 rabbitmq:
   enabled: true
-  persistence:
-    enabled: false # Disable persistence for RabbitMQ until issue with EBS provisioning is fixed
 
   # Run on nodes marked with the label "group=xray"
   nodeSelector:

7.jfrog-platform-aws-install/rds.tf

@@ -18,6 +18,7 @@ resource "aws_db_instance" "artifactory_db" {
   storage_type           = "gp3"       # Using gp3 for storage type
   allocated_storage      = 50          # Set desired storage size in GB
   max_allocated_storage  = 100         # Set maximum size for storage autoscaling (optional)
+  storage_encrypted      = true
 
   db_name                = var.artifactory_db_name
   username               = var.artifactory_db_username
@@ -41,6 +42,7 @@ resource "aws_db_instance" "xray_db" {
   storage_type           = "gp3"       # Using gp3 for storage type
   allocated_storage      = 50          # Set desired storage size in GB
   max_allocated_storage  = 100         # Set maximum size for storage autoscaling (optional)
+  storage_encrypted      = true
 
   db_name                = var.xray_db_name
   username               = var.xray_db_username