feat: patch CMK module and updated EksIp6 module
This commit is contained in:
@@ -1,5 +1,5 @@
|
||||
module "BastionRole" {
|
||||
source = "../../modules/security_identity_compliance/iam-role-v2"
|
||||
source = "../modules/security_identity_compliance/iam-role-v2"
|
||||
description = "EKS bastion instance profile"
|
||||
role-name = "BastionInstanceProfile"
|
||||
trusted-entity = "ec2.amazonaws.com"
|
||||
@@ -34,7 +34,7 @@ resource "aws_iam_role_policy_attachment" "BastionProfilePermissions" {
|
||||
|
||||
module "eks-bastion" {
|
||||
depends_on = [module.eks] # essential for initializing kubectl in userdata
|
||||
source = "../../modules/compute/ec2"
|
||||
source = "../modules/compute/ec2"
|
||||
|
||||
additional-tags = {}
|
||||
ami-id = data.aws_ami.this.id
|
||||
@@ -46,7 +46,7 @@ module "eks-bastion" {
|
||||
instance-name = "${var.environment}-eks-bastion-${random_pet.pet.id}"
|
||||
instance-type = "t4g.micro"
|
||||
key-name = aws_key_pair.kp.key_name
|
||||
kms-key-id = ""
|
||||
kms-key-id = module.KmsKeys.cmks.storage.arn
|
||||
root-volume-size = "8"
|
||||
# security-groups = [module.bastion-sg.id, module.eks.cluster_primary_security_group_id]
|
||||
security-groups = [module.bastion-sg.id]
|
||||
@@ -121,11 +121,12 @@ resource "aws_key_pair" "kp" {
|
||||
}
|
||||
|
||||
module "bastion-sg" {
|
||||
source = "../../modules/compute/security_group"
|
||||
source = "../modules/compute/security_group"
|
||||
|
||||
description = "${var.environment}-eks-bastion-${random_pet.pet.id}-sg"
|
||||
egress = {
|
||||
r1 = "-1,-1,-1,0.0.0.0/0,Allow egress"
|
||||
r1 = "-1,-1,-1,0.0.0.0/0,Allow egress ipv4"
|
||||
r2 = "-1,-1,-1,::/0,Allow egress ipv6"
|
||||
}
|
||||
ingress = {
|
||||
r1 = "tcp,22,22,0.0.0.0/0,ssh"
|
||||
@@ -133,14 +134,3 @@ module "bastion-sg" {
|
||||
name = "eks-bastion-${random_pet.pet.id}-sg"
|
||||
vpc-id = module.vpc.vpc_id
|
||||
}
|
||||
|
||||
# my security_group module does not support ipv6_cidr_blocks
|
||||
resource "aws_security_group_rule" "ipv6_egress" {
|
||||
security_group_id = module.bastion-sg.id
|
||||
type = "egress"
|
||||
from_port = -1
|
||||
to_port = -1
|
||||
protocol = "all"
|
||||
ipv6_cidr_blocks = ["::/0"]
|
||||
description = "Allow ipv6 egress"
|
||||
}
|
||||
+40
-43
@@ -68,39 +68,6 @@ module "vpc" {
|
||||
}
|
||||
|
||||
# EKS resources
|
||||
module "CsiPodIdentity" {
|
||||
source = "../../modules/security_identity_compliance/iam-role-v2"
|
||||
description = "EKSCSIDriverRole"
|
||||
role-name = "AmazonEBSCSIDriverRole"
|
||||
trusted-entity = jsonencode(
|
||||
{
|
||||
"Version" : "2012-10-17",
|
||||
"Statement" : [
|
||||
{
|
||||
"Effect" : "Allow",
|
||||
"Principal" : {
|
||||
"Service" : "pods.eks.amazonaws.com"
|
||||
},
|
||||
"Action" : [
|
||||
"sts:AssumeRole",
|
||||
"sts:TagSession"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
)
|
||||
}
|
||||
|
||||
# 2 policies are required for the ebs csi to work
|
||||
resource "aws_iam_role_policy_attachment" "CsiPodIdentity" {
|
||||
for_each = toset([
|
||||
"arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess",
|
||||
"arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
|
||||
])
|
||||
role = module.CsiPodIdentity.name
|
||||
policy_arn = each.value
|
||||
}
|
||||
|
||||
locals {
|
||||
userdata = <<EOT
|
||||
MIME-Version: 1.0
|
||||
@@ -147,6 +114,8 @@ resource "aws_launch_template" "node_lt" {
|
||||
ebs {
|
||||
volume_size = 20
|
||||
volume_type = "gp3"
|
||||
encrypted = true
|
||||
kms_key_id = module.KmsKeys.cmks.eksebs.arn
|
||||
}
|
||||
}
|
||||
# must not specify this # image_id = data.aws_ami.eks_worker.id
|
||||
@@ -190,21 +159,28 @@ module "eks" {
|
||||
source_security_group_id = module.bastion-sg.id
|
||||
}
|
||||
}
|
||||
vpc_id = module.vpc.vpc_id
|
||||
subnet_ids = module.vpc.private_subnets
|
||||
ip_family = "ipv6"
|
||||
create_cni_ipv6_iam_policy = true
|
||||
create_kms_key = true
|
||||
endpoint_private_access = true
|
||||
endpoint_public_access = false
|
||||
enable_irsa = false
|
||||
create_cloudwatch_log_group = false
|
||||
create_node_security_group = true
|
||||
vpc_id = module.vpc.vpc_id
|
||||
subnet_ids = module.vpc.private_subnets
|
||||
ip_family = "ipv6"
|
||||
create_cni_ipv6_iam_policy = true
|
||||
create_kms_key = false
|
||||
create_cloudwatch_log_group = true
|
||||
cloudwatch_log_group_kms_key_id = module.KmsKeys.cmks.log.arn
|
||||
cloudwatch_log_group_retention_in_days = 14
|
||||
endpoint_private_access = true
|
||||
endpoint_public_access = false
|
||||
enable_irsa = false
|
||||
create_node_security_group = true
|
||||
# authentication_mode = "API_AND_CONFIG_MAP" # use access entries and leave this to default
|
||||
upgrade_policy = {
|
||||
support_type = "STANDARD"
|
||||
}
|
||||
|
||||
encryption_config = {
|
||||
resources = ["secrets"]
|
||||
provider_key_arn = module.KmsKeys.cmks.secret.arn
|
||||
}
|
||||
|
||||
addons = {
|
||||
coredns = {}
|
||||
eks-pod-identity-agent = {
|
||||
@@ -294,4 +270,25 @@ resource "aws_security_group_rule" "eks_node_alb_ingress" {
|
||||
security_group_id = module.eks.node_security_group_id
|
||||
ipv6_cidr_blocks = [module.vpc.vpc_ipv6_cidr_block]
|
||||
description = "ALB to nginx pods port 80"
|
||||
}
|
||||
|
||||
|
||||
# CMK for encryption
|
||||
|
||||
module "KmsKeys" {
|
||||
source = "../modules/security_identity_compliance/CustomerManagedKmsKeys"
|
||||
|
||||
rotation_period_in_days = 180
|
||||
enable_key_rotation = true
|
||||
deletion_window_in_days = 7
|
||||
name-prefix = "${var.environment}-${var.project}"
|
||||
create_asg_role = false
|
||||
create-allpurpose-key = false
|
||||
create-backup-key = false
|
||||
create-database-key = false
|
||||
create-eksebs-key = true
|
||||
create-log-key = true
|
||||
create-notify-key = false
|
||||
create-secret-key = true
|
||||
create-storage-key = false
|
||||
}
|
||||
@@ -11,4 +11,37 @@ module "aws_lb_controller_pod_identity" {
|
||||
service_account = "aws-load-balancer-controller-sa"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
module "CsiPodIdentity" {
|
||||
source = "../modules/security_identity_compliance/iam-role-v2"
|
||||
description = "EKSCSIDriverRole"
|
||||
role-name = "AmazonEBSCSIDriverRole"
|
||||
trusted-entity = jsonencode(
|
||||
{
|
||||
"Version" : "2012-10-17",
|
||||
"Statement" : [
|
||||
{
|
||||
"Effect" : "Allow",
|
||||
"Principal" : {
|
||||
"Service" : "pods.eks.amazonaws.com"
|
||||
},
|
||||
"Action" : [
|
||||
"sts:AssumeRole",
|
||||
"sts:TagSession"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
)
|
||||
}
|
||||
|
||||
# 2 policies are required for the ebs csi to work
|
||||
resource "aws_iam_role_policy_attachment" "CsiPodIdentity" {
|
||||
for_each = toset([
|
||||
"arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess",
|
||||
"arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
|
||||
])
|
||||
role = module.CsiPodIdentity.name
|
||||
policy_arn = each.value
|
||||
}
|
||||
@@ -1,12 +1,28 @@
|
||||
variable "aws-region" {}
|
||||
variable "aws-region-short" {}
|
||||
variable "customer-name" {}
|
||||
variable "environment" {}
|
||||
variable "project" {}
|
||||
variable "application" {}
|
||||
variable "eks_master_user_arn" {}
|
||||
|
||||
variable "aws-region" {
|
||||
description = "AWS region"
|
||||
type = string
|
||||
}
|
||||
variable "customer-name" {
|
||||
description = "Owner of application"
|
||||
type = string
|
||||
}
|
||||
variable "environment" {
|
||||
description = "Name of environment (i.e. Prod/Lab)"
|
||||
type = string
|
||||
}
|
||||
variable "project" {
|
||||
description = "Name of project"
|
||||
type = string
|
||||
}
|
||||
variable "application" {
|
||||
description = "Name of application"
|
||||
type = string
|
||||
}
|
||||
variable "eks_master_user_arn" {
|
||||
description = "EKS administrator ARN which will be added to access entry"
|
||||
type = string
|
||||
}
|
||||
variable "eks_cluster_name" {
|
||||
type = string
|
||||
default = "xpk-eks01"
|
||||
default = "acme-eks01"
|
||||
}
|
||||
Reference in New Issue
Block a user