Merge pull request #309 from sassoftware/staging

8.6.0 - October 31, 2024

Author: dhoucgitter

Dockerfile

@@ -1,9 +1,9 @@
-ARG TERRAFORM_VERSION=1.8.5
-ARG AWS_CLI_VERSION=2.16.5
-FROM hashicorp/terraform:$TERRAFORM_VERSION as terraform
+ARG TERRAFORM_VERSION=1.9.6
+ARG AWS_CLI_VERSION=2.17.58
+FROM hashicorp/terraform:$TERRAFORM_VERSION AS terraform
 
 FROM amazon/aws-cli:$AWS_CLI_VERSION
-ARG KUBECTL_VERSION=1.29.7
+ARG KUBECTL_VERSION=1.29.8
 
 WORKDIR /viya4-iac-aws
 

README.md

@@ -47,10 +47,10 @@ The following are also required:
 
 #### Terraform Requirements:
 
-- [Terraform](https://www.terraform.io/downloads.html) v1.8.3
-- [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) - v1.29.7
+- [Terraform](https://www.terraform.io/downloads.html) v1.9.6
+- [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) - v1.29.8
 - [jq](https://stedolan.github.io/jq/) v1.6
-- [AWS CLI](https://aws.amazon.com/cli) (optional; useful as an alternative to the AWS Web Console) v2.15.46
+- [AWS CLI](https://aws.amazon.com/cli) (optional; useful as an alternative to the AWS Web Console) v2.17.58
 
 #### Docker Requirements:
 

container-structure-test.yaml

@@ -17,14 +17,14 @@ commandTests:
   - name: "terraform version"
     command: "terraform"
     args: ["--version"]
-    expectedOutput: ["Terraform v1.8.5"]
+    expectedOutput: ["Terraform v1.9.6"]
   - name: "aws-cli version"
     command: "sh"
     args:
       - -c
       - |
         aws --version
-    expectedOutput: ["aws-cli/2.16.5"]
+    expectedOutput: ["aws-cli/2.17.58"]
 
 metadataTest:
   workdir: "/viya4-iac-aws"

main.tf

@@ -50,6 +50,8 @@ provider-selections: ${data.external.iac_tooling_version.result["provider_select
 outdated: ${data.external.iac_tooling_version.result["terraform_outdated"]}
 EOT
   }
+
+  depends_on = [module.kubeconfig.kube_config]
 }
 
 # EKS Provider
@@ -91,7 +93,7 @@ module "vpc" {
 # EKS Setup - https://github.com/terraform-aws-modules/terraform-aws-eks
 module "eks" {
   source                               = "terraform-aws-modules/eks/aws"
-  version                              = "~> 19.0"
+  version                              = "~> 20.0"
   cluster_name                         = local.cluster_name
   cluster_version                      = var.kubernetes_version
   cluster_enabled_log_types            = [] # disable cluster control plan logging
@@ -163,6 +165,36 @@ module "eks" {
   create_iam_role = var.cluster_iam_role_arn == null ? true : false
   iam_role_arn    = var.cluster_iam_role_arn
 
+  # Cluster access entry
+  # To add the current caller identity as an administrator
+  enable_cluster_creator_admin_permissions = true
+
+  access_entries = {
+    # access entry with cluster and namespace scoped policies
+    cluster_creator = {
+      kubernetes_groups = ["rbac.authorization.k8s.io"]
+      principal_arn     = data.aws_caller_identity.terraform.arn
+      user_name         = local.aws_caller_identity_user_name
+      type              = "STANDARD"
+
+      policy_associations = {
+        cluster_creator_assoc = {
+          policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
+          access_scope = {
+            type = "cluster"
+          }
+        },
+        namespace_creator_assoc = {
+          policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSAdminPolicy"
+          access_scope = {
+            type       = "namespace"
+            namespaces = ["kube-system"]
+          }
+        }
+      },
+    },
+  }
+
   iam_role_additional_policies = {
     "additional" : "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
   }
@@ -222,7 +254,7 @@ module "kubeconfig" {
   ca_crt       = local.kubeconfig_ca_cert
   sg_id        = local.cluster_security_group_id
 
-  depends_on = [module.eks.cluster_name] # The name/id of the EKS cluster. Will block on cluster creation until the cluster is really ready.
+  depends_on = [module.eks] # Will block on EKS cluster creation until the cluster is completely ready.
 }
 
 # Normally, the use of local-exec below is avoided. It is used here to patch the gp2 storage class as the default storage class for EKS 1.30 and later clusters.
@@ -233,7 +265,7 @@ resource "terraform_data" "run_command" {
     command = "kubectl --kubeconfig=${local.kubeconfig_path} patch storageclass gp2 --patch '{\"metadata\": {\"annotations\":{\"storageclass.kubernetes.io/is-default-class\":\"true\"}}}' "
   }
 
-  depends_on = [module.kubeconfig] 
+  depends_on = [module.kubeconfig.kube_config]
 }
 
 # Database Setup - https://registry.terraform.io/modules/terraform-aws-modules/rds/aws/6.2.0

modules/aws_autoscaling/main.tf

@@ -33,7 +33,7 @@ data "aws_iam_policy_document" "worker_autoscaling" {
       "autoscaling:SetDesiredCapacity",
       "autoscaling:TerminateInstanceInAutoScalingGroup",
       "autoscaling:UpdateAutoScalingGroup"
-      
+
     ]
 
     resources = ["*"]

modules/aws_vm/main.tf

@@ -81,12 +81,12 @@ resource "aws_instance" "vm" {
     delete_on_termination = var.os_disk_delete_on_termination
     iops                  = var.os_disk_iops
     encrypted             = var.enable_ebs_encryption
-    tags                  = merge(
-                              {
-                                Name : "${var.name}-root-vol"
-                              },
-                              var.tags
-                            )
+    tags = merge(
+      {
+        Name : "${var.name}-root-vol"
+      },
+      var.tags
+    )
   }
 
   tags = merge(var.tags, tomap({ Name : "${var.name}-vm" }))

modules/aws_vpc/main.tf

@@ -7,13 +7,13 @@ locals {
   vpc_id           = var.vpc_id == null ? aws_vpc.vpc[0].id : data.aws_vpc.vpc[0].id
   existing_subnets = length(var.existing_subnet_ids) > 0 ? true : false
 
-  existing_public_subnets   = local.existing_subnets && contains(keys(var.existing_subnet_ids), "public") ? (length(var.existing_subnet_ids["public"]) > 0 ? true : false) : false
-  existing_private_subnets  = local.existing_subnets && contains(keys(var.existing_subnet_ids), "private") ? (length(var.existing_subnet_ids["private"]) > 0 ? true : false) : false
-  existing_database_subnets = local.existing_subnets && contains(keys(var.existing_subnet_ids), "database") ? (length(var.existing_subnet_ids["database"]) > 0 ? true : false) : false
+  existing_public_subnets        = local.existing_subnets && contains(keys(var.existing_subnet_ids), "public") ? (length(var.existing_subnet_ids["public"]) > 0 ? true : false) : false
+  existing_private_subnets       = local.existing_subnets && contains(keys(var.existing_subnet_ids), "private") ? (length(var.existing_subnet_ids["private"]) > 0 ? true : false) : false
+  existing_database_subnets      = local.existing_subnets && contains(keys(var.existing_subnet_ids), "database") ? (length(var.existing_subnet_ids["database"]) > 0 ? true : false) : false
   existing_control_plane_subnets = local.existing_subnets && contains(keys(var.existing_subnet_ids), "control_plane") ? (length(var.existing_subnet_ids["control_plane"]) > 0 ? true : false) : false
 
   #  public_subnets  = local.existing_public_subnets ? data.aws_subnet.public : aws_subnet.public # not used keeping for ref
-  private_subnets = local.existing_private_subnets ? data.aws_subnet.private : aws_subnet.private
+  private_subnets       = local.existing_private_subnets ? data.aws_subnet.private : aws_subnet.private
   control_plane_subnets = local.existing_control_plane_subnets ? data.aws_subnet.control_plane : aws_subnet.control_plane
 
   # Use private subnets if we are not creating db subnets and there are no existing db subnets
@@ -53,7 +53,7 @@ resource "aws_vpc_endpoint" "private_endpoints" {
   service_name        = "com.amazonaws.${var.region}.${each.key}"
   vpc_endpoint_type   = each.value
   security_group_ids  = each.value == "Interface" ? [var.security_group_id] : null
-  private_dns_enabled = each.value == "Interface" ? true : null
+  private_dns_enabled = each.value == "Interface" ? each.key != "s3" ? true : null : false
 
   tags = merge(
     {

modules/aws_vpc/variables.tf

@@ -126,7 +126,7 @@ variable "vpc_private_endpoints" {
     "ec2"                  = "Interface",
     "ecr.api"              = "Interface",
     "ecr.dkr"              = "Interface",
-    "s3"                   = "Gateway",
+    "s3"                   = "Interface",
     "logs"                 = "Interface",
     "sts"                  = "Interface",
     "elasticloadbalancing" = "Interface",

modules/kubeconfig/main.tf

@@ -88,6 +88,7 @@ resource "kubernetes_cluster_role_binding" "kubernetes_crb" {
 
   depends_on = [
     data.aws_security_group.selected,
+    local_file.kubeconfig
   ]
 }