diff --git a/6.artifactory-aws-install/artifactory.tf b/6.artifactory-aws-install/artifactory.tf index d420aa0..2f6d297 100644 --- a/6.artifactory-aws-install/artifactory.tf +++ b/6.artifactory-aws-install/artifactory.tf @@ -44,6 +44,7 @@ resource "helm_release" "artifactory" { depends_on = [ aws_db_instance.artifactory_db, aws_s3_bucket.artifactory_binarystore, + module.eks, helm_release.metrics_server ] diff --git a/6.artifactory-aws-install/eks.tf b/6.artifactory-aws-install/eks.tf index ac4e405..af62b13 100644 --- a/6.artifactory-aws-install/eks.tf +++ b/6.artifactory-aws-install/eks.tf @@ -9,7 +9,7 @@ resource "aws_security_group_rule" "allow_management_from_my_ip" { from_port = 0 to_port = 65535 protocol = "-1" - cidr_blocks = [var.cluster_public_access_cidrs] + cidr_blocks = var.cluster_public_access_cidrs security_group_id = module.eks.cluster_security_group_id description = "Allow all traffic from my public IP for management" } @@ -22,11 +22,12 @@ module "eks" { enable_cluster_creator_admin_permissions = true cluster_endpoint_public_access = true - cluster_endpoint_public_access_cidrs = [var.cluster_public_access_cidrs] + cluster_endpoint_public_access_cidrs = var.cluster_public_access_cidrs cluster_addons = { aws-ebs-csi-driver = { - service_account_role_arn = module.irsa-ebs-csi.iam_role_arn + most_recent = true + service_account_role_arn = module.ebs_csi_irsa_role.iam_role_arn } } @@ -37,6 +38,7 @@ module "eks" { ami_type = "AL2_ARM_64" iam_role_additional_policies = { AmazonS3FullAccess = "arn:aws:iam::aws:policy/AmazonS3FullAccess" + AmazonEBSCSIDriverPolicy = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy" } block_device_mappings = { xvda = { @@ -56,8 +58,8 @@ module "eks" { } eks_managed_node_groups = { - one = { - name = "node-group-artifactory" + artifactory = { + name = "artifactory-node-group" instance_types = ["m7g.large"] 
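Review bot: The rule `cidr_blocks = var.cluster_public_access_cidrs` now grants every protocol and port (`protocol = "-1"`, ports 0–65535 in the context lines) on the cluster security group to whatever list the variable holds, and the default this same commit sets in variables.tf is `["0.0.0.0/0"]`, so an unmodified deployment is world-open on all ports. The existing description `"Allow all traffic from my public IP for management"` no longer matches a list input; `description = "Allow all traffic from cluster_public_access_cidrs for management"` would at least describe what is actually granted. The same consideration applies to `cluster_endpoint_public_access_cidrs = var.cluster_public_access_cidrs` in the following hunk and to the corresponding two hunks of 7.jfrog-platform-aws-install/eks.tf.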
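Review bot: `most_recent = true` on the `aws-ebs-csi-driver` addon resolves the version at each plan, so the driver can change between applies without any change to this repository. If that is intended, a comment such as `# most_recent tracks the latest addon release on every apply; set addon_version instead for reproducible upgrades` makes the trade-off explicit; otherwise pin `addon_version`. The same line appears in the matching hunk of 7.jfrog-platform-aws-install/eks.tf.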
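Review bot: Adding `AmazonEBSCSIDriverPolicy` to `iam_role_additional_policies` on the node group role is redundant with the IRSA role this commit wires to the driver (`module.ebs_csi_irsa_role` with `attach_ebs_csi_policy = true`), and it widens the blast radius: the node role is the instance profile, so volume create/attach/delete permissions become available to any pod that can reach the instance metadata service, not just the CSI controller, unless metadata access is restricted somewhere outside this diff. Either drop the node-role grant or add a comment explaining why both paths are needed, e.g. `# Needed only if the CSI node pods run without IRSA; the controller uses module.ebs_csi_irsa_role`. The same addition is in the corresponding hunk of 7.jfrog-platform-aws-install/eks.tf.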
@@ -70,8 +72,8 @@ module "eks" { } } - two = { - name = "node-group-nginx" + nginx = { + name = "nginx-node-group" instance_types = ["c7g.large"] @@ -90,21 +92,33 @@ module "eks" { } } -# https://aws.amazon.com/blogs/containers/amazon-ebs-csi-driver-is-now-generally-available-in-amazon-eks-add-ons/ -data "aws_iam_policy" "ebs_csi_policy" { - arn = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy" +# Create the gp3 storage class and make it the default +resource "kubernetes_storage_class" "gp3_storage_class" { + metadata { + name = "gp3" + annotations = { + "storageclass.kubernetes.io/is-default-class" = "true" + } + } + storage_provisioner = "ebs.csi.aws.com" + volume_binding_mode = "WaitForFirstConsumer" + allow_volume_expansion = true + parameters = { + "fsType" = "ext4" + "type" = "gp3" + } } -module "irsa-ebs-csi" { - source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc" +module "ebs_csi_irsa_role" { + source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - create_role = true - role_name = "AmazonEKSTFEBSCSIRole-${module.eks.cluster_name}" - provider_url = module.eks.oidc_provider - role_policy_arns = [data.aws_iam_policy.ebs_csi_policy.arn] - oidc_fully_qualified_subjects = ["system:serviceaccount:kube-system:ebs-csi-controller-sa"] + role_name = "ebs-csi-${module.eks.cluster_name}" + attach_ebs_csi_policy = true - tags = { - Group = var.common_tag + oidc_providers = { + ex = { + provider_arn = module.eks.oidc_provider_arn + namespace_service_accounts = ["kube-system:ebs-csi-controller-sa"] + } } } diff --git a/6.artifactory-aws-install/rds.tf b/6.artifactory-aws-install/rds.tf index 4d30668..12822f2 100644 --- a/6.artifactory-aws-install/rds.tf +++ b/6.artifactory-aws-install/rds.tf 
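Review bot: The new default StorageClass `gp3_storage_class` sets `fsType` and `type` but not `"encrypted" = "true"`, so every PVC that falls back to the default class is provisioned on an unencrypted EBS volume unless account-level default EBS encryption happens to be enabled — inconsistent with the `storage_encrypted = true` this commit adds to both RDS instances. Adding `"encrypted" = "true"` to `parameters` (and optionally `kmsKeyId`) closes that gap for the ebs.csi.aws.com provisioner. As a point of style, the `oidc_providers` key `ex` looks like a leftover from the module example; `eks = { ... }` reads as intentional. The identical block appears in the `@@ -104,21 +106,33 @@` hunk of 7.jfrog-platform-aws-install/eks.tf.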
@@ -16,8 +16,9 @@ resource "aws_db_instance" "artifactory_db" { instance_class = "db.m7g.large" # Change as needed based on expected load storage_type = "gp3" # Using gp3 for storage type - allocated_storage = 50 # Set desired storage size in GB + allocated_storage = 50 # Set desired storage size in GB max_allocated_storage = 100 # Set maximum size for storage autoscaling (optional) + storage_encrypted = true db_name = var.db_name username = var.db_username diff --git a/6.artifactory-aws-install/variables.tf b/6.artifactory-aws-install/variables.tf index bb8410f..a1300e8 100644 --- a/6.artifactory-aws-install/variables.tf +++ b/6.artifactory-aws-install/variables.tf @@ -6,7 +6,7 @@ variable "region" { # WARNING: CIDR "0.0.0.0/0" is full public access to the cluster. You should use a more restrictive CIDR variable "cluster_public_access_cidrs" { - default = "0.0.0.0/0" + default = ["0.0.0.0/0"] } variable "vpc_cidr" { diff --git a/7.jfrog-platform-aws-install/README.md b/7.jfrog-platform-aws-install/README.md index 5520e8c..1fa7306 100644 --- a/7.jfrog-platform-aws-install/README.md +++ b/7.jfrog-platform-aws-install/README.md @@ -8,8 +8,6 @@ The resources are split between individual files for easy and clear separation. The [jfrog-values.yaml](jfrog-values.yaml) file has the values that Helm will use to configure the JFrog Platform installation. -*IMPORTANT:* The Xray RabbitMQ is not using a persistent volume due to the lack of EBS provisioner in the EKS cluster. This will be fixed in a later version. - 1. Initialize the Terraform configuration by running the following command ```shell terraform init diff --git a/7.jfrog-platform-aws-install/eks.tf b/7.jfrog-platform-aws-install/eks.tf index 18ee5b3..c8cca02 100644 --- a/7.jfrog-platform-aws-install/eks.tf +++ b/7.jfrog-platform-aws-install/eks.tf 
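Review bot: `storage_encrypted` cannot be changed in place on `aws_db_instance`, so applying this to an environment already created from these files forces the Artifactory database to be destroyed and recreated; whether a final snapshot is taken depends on `skip_final_snapshot`/`final_snapshot_identifier`, which are outside this hunk. A comment on the new line would warn the next operator: `storage_encrypted = true # Forces replacement on existing instances; snapshot before enabling. Uses the AWS-managed aws/rds key unless kms_key_id is set`. The same applies to both `storage_encrypted = true` lines added in 7.jfrog-platform-aws-install/rds.tf.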
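Review bot: The variable now defaults to a list (`default = ["0.0.0.0/0"]`) but still declares no `type`, so callers can pass a tuple of mixed values and the error only surfaces inside the security group rule; a `type = list(string)` plus a `validation` block catches malformed entries at plan time. The `validation` below only checks CIDR syntax because Terraform also validates the default, and the WARNING comment above the block already documents that `0.0.0.0/0` should be replaced — rejecting it outright would require removing the default. This is the only declaration of the variable in the diff, so the block is shown in full.
```hcl
variable "cluster_public_access_cidrs" {
  type    = list(string)
  default = ["0.0.0.0/0"]

  validation {
    condition     = alltrue([for c in var.cluster_public_access_cidrs : can(cidrhost(c, 0))])
    error_message = "cluster_public_access_cidrs must contain valid IPv4/IPv6 CIDR blocks."
  }
}
```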
@@ -9,7 +9,7 @@ resource "aws_security_group_rule" "allow_management_from_my_ip" { from_port = 0 to_port = 65535 protocol = "-1" - cidr_blocks = [var.cluster_public_access_cidrs] + cidr_blocks = var.cluster_public_access_cidrs security_group_id = module.eks.cluster_security_group_id description = "Allow all traffic from my public IP for management" } @@ -22,11 +22,12 @@ module "eks" { enable_cluster_creator_admin_permissions = true cluster_endpoint_public_access = true - cluster_endpoint_public_access_cidrs = [var.cluster_public_access_cidrs] + cluster_endpoint_public_access_cidrs = var.cluster_public_access_cidrs cluster_addons = { aws-ebs-csi-driver = { - service_account_role_arn = module.irsa-ebs-csi.iam_role_arn + most_recent = true + service_account_role_arn = module.ebs_csi_irsa_role.iam_role_arn } } @@ -37,6 +38,7 @@ module "eks" { ami_type = "AL2_ARM_64" iam_role_additional_policies = { AmazonS3FullAccess = "arn:aws:iam::aws:policy/AmazonS3FullAccess" + AmazonEBSCSIDriverPolicy = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy" } block_device_mappings = { xvda = { 
@@ -104,21 +106,33 @@ module "eks" { } } -# https://aws.amazon.com/blogs/containers/amazon-ebs-csi-driver-is-now-generally-available-in-amazon-eks-add-ons/ -data "aws_iam_policy" "ebs_csi_policy" { - arn = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy" +# Create the gp3 storage class and make it the default +resource "kubernetes_storage_class" "gp3_storage_class" { + metadata { + name = "gp3" + annotations = { + "storageclass.kubernetes.io/is-default-class" = "true" + } + } + storage_provisioner = "ebs.csi.aws.com" + volume_binding_mode = "WaitForFirstConsumer" + allow_volume_expansion = true + parameters = { + "fsType" = "ext4" + "type" = "gp3" + } } -module "irsa-ebs-csi" { - source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc" +module "ebs_csi_irsa_role" { + source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - create_role = true - role_name = "AmazonEKSTFEBSCSIRole-${module.eks.cluster_name}" - provider_url = module.eks.oidc_provider - role_policy_arns = [data.aws_iam_policy.ebs_csi_policy.arn] - oidc_fully_qualified_subjects = ["system:serviceaccount:kube-system:ebs-csi-controller-sa"] + role_name = "ebs-csi-${module.eks.cluster_name}" + attach_ebs_csi_policy = true - tags = { - Group = var.common_tag + oidc_providers = { + ex = { + provider_arn = module.eks.oidc_provider_arn + namespace_service_accounts = ["kube-system:ebs-csi-controller-sa"] + } } } diff --git a/7.jfrog-platform-aws-install/jfrog-platform.tf b/7.jfrog-platform-aws-install/jfrog-platform.tf index f5c707b..a1889be 100644 --- a/7.jfrog-platform-aws-install/jfrog-platform.tf +++ b/7.jfrog-platform-aws-install/jfrog-platform.tf @@ -44,6 +44,7 @@ resource "helm_release" "jfrog_platform" { depends_on = [ aws_db_instance.artifactory_db, aws_s3_bucket.artifactory_binarystore, + module.eks, helm_release.metrics_server ] 
@@ -93,6 +94,9 @@ resource "helm_release" "jfrog_platform" { # Wait for the release to complete deployment wait = true + + # Increase the timeout to 10 minutes for the JFrog Platform to deploy + timeout = 600 } data "kubernetes_resources" "nginx_service" { diff --git a/7.jfrog-platform-aws-install/jfrog-values.yaml b/7.jfrog-platform-aws-install/jfrog-values.yaml index ba091ac..3794e75 100644 --- a/7.jfrog-platform-aws-install/jfrog-values.yaml +++ b/7.jfrog-platform-aws-install/jfrog-values.yaml @@ -82,8 +82,6 @@ xray: # RabbitMQ is required for Xray rabbitmq: enabled: true - persistence: - enabled: false # Disable persistence for RabbitMQ until issue with EBS provisioning is fixed # Run on nodes marked with the label "group=xray" nodeSelector: diff --git a/7.jfrog-platform-aws-install/rds.tf b/7.jfrog-platform-aws-install/rds.tf index cf9fc68..f098481 100644 --- a/7.jfrog-platform-aws-install/rds.tf +++ b/7.jfrog-platform-aws-install/rds.tf @@ -18,6 +18,7 @@ resource "aws_db_instance" "artifactory_db" { storage_type = "gp3" # Using gp3 for storage type allocated_storage = 50 # Set desired storage size in GB max_allocated_storage = 100 # Set maximum size for storage autoscaling (optional) + storage_encrypted = true db_name = var.artifactory_db_name username = var.artifactory_db_username @@ -41,6 +42,7 @@ resource "aws_db_instance" "xray_db" { storage_type = "gp3" # Using gp3 for storage type allocated_storage = 50 # Set desired storage size in GB max_allocated_storage = 100 # Set maximum size for storage autoscaling (optional) + storage_encrypted = true db_name = var.xray_db_name username = var.xray_db_username