feat: patch CMK module and updated EksIp6 module

2026-02-25 18:06:40 +08:00
parent df22fcf46b
commit acd42ff526
7 changed files with 115 additions and 68 deletions
@@ -16,3 +16,4 @@ headdesk-aws/
 vsphere-yige/
 anz-sandbox/
 1.SandboxTesting/
 *.tfvars
@@ -1,5 +1,5 @@
 module "BastionRole" {
-  source                  = "../../modules/security_identity_compliance/iam-role-v2"
+  source                  = "../modules/security_identity_compliance/iam-role-v2"
  description             = "EKS bastion instance profile"
  role-name               = "BastionInstanceProfile"
  trusted-entity          = "ec2.amazonaws.com"
@@ -34,7 +34,7 @@ resource "aws_iam_role_policy_attachment" "BastionProfilePermissions" {
 module "eks-bastion" {
  depends_on = [module.eks] # essential for initializing kubectl in userdata
-  source     = "../../modules/compute/ec2"
+  source     = "../modules/compute/ec2"
  additional-tags  = {}
  ami-id           = data.aws_ami.this.id
@@ -46,7 +46,7 @@ module "eks-bastion" {
  instance-name    = "${var.environment}-eks-bastion-${random_pet.pet.id}"
  instance-type    = "t4g.micro"
  key-name         = aws_key_pair.kp.key_name
-  kms-key-id       = ""
+  kms-key-id       = module.KmsKeys.cmks.storage.arn
  root-volume-size = "8"
  # security-groups  = [module.bastion-sg.id, module.eks.cluster_primary_security_group_id]
  security-groups  = [module.bastion-sg.id]
@@ -121,11 +121,12 @@ resource "aws_key_pair" "kp" {
 }
 module "bastion-sg" {
-  source = "../../modules/compute/security_group"
+  source = "../modules/compute/security_group"
  description = "${var.environment}-eks-bastion-${random_pet.pet.id}-sg"
  egress = {
-    r1 = "-1,-1,-1,0.0.0.0/0,Allow egress"
+    r1 = "-1,-1,-1,0.0.0.0/0,Allow egress ipv4"
    r2 = "-1,-1,-1,::/0,Allow egress ipv6"
  }
  ingress = {
    r1 = "tcp,22,22,0.0.0.0/0,ssh"
@@ -133,14 +134,3 @@ module "bastion-sg" {
  name   = "eks-bastion-${random_pet.pet.id}-sg"
  vpc-id = module.vpc.vpc_id
 }
 # my security_group module does not support ipv6_cidr_blocks
 resource "aws_security_group_rule" "ipv6_egress" {
  security_group_id = module.bastion-sg.id
  type              = "egress"
  from_port         = -1
  to_port           = -1
  protocol          = "all"
  ipv6_cidr_blocks  = ["::/0"]
  description       = "Allow ipv6 egress"
 }
@@ -68,39 +68,6 @@ module "vpc" {
 }
 # EKS resources
 module "CsiPodIdentity" {
  source      = "../../modules/security_identity_compliance/iam-role-v2"
  description = "EKSCSIDriverRole"
  role-name   = "AmazonEBSCSIDriverRole"
  trusted-entity = jsonencode(
    {
      "Version" : "2012-10-17",
      "Statement" : [
        {
          "Effect" : "Allow",
          "Principal" : {
            "Service" : "pods.eks.amazonaws.com"
          },
          "Action" : [
            "sts:AssumeRole",
            "sts:TagSession"
          ]
        }
      ]
    }
  )
 }
 # 2 policies are required for the ebs csi to work
 resource "aws_iam_role_policy_attachment" "CsiPodIdentity" {
  for_each = toset([
    "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess",
    "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
  ])
  role       = module.CsiPodIdentity.name
  policy_arn = each.value
 }
 locals {
  userdata = <<EOT
 MIME-Version: 1.0
@@ -147,6 +114,8 @@ resource "aws_launch_template" "node_lt" {
    ebs {
      volume_size = 20
      volume_type = "gp3"
      encrypted   = true
      kms_key_id  = module.KmsKeys.cmks.eksebs.arn
    }
  }
  # must not specify this # image_id  = data.aws_ami.eks_worker.id
@@ -194,17 +163,24 @@ module "eks" {
  subnet_ids                             = module.vpc.private_subnets
  ip_family                              = "ipv6"
  create_cni_ipv6_iam_policy             = true
-  create_kms_key              = true
+  create_kms_key                         = false
  create_cloudwatch_log_group            = true
  cloudwatch_log_group_kms_key_id        = module.KmsKeys.cmks.log.arn
  cloudwatch_log_group_retention_in_days = 14
  endpoint_private_access                = true
  endpoint_public_access                 = false
  enable_irsa                            = false
  create_cloudwatch_log_group = false
  create_node_security_group             = true
  # authentication_mode         = "API_AND_CONFIG_MAP" # use access entries and leave this to default
  upgrade_policy = {
    support_type = "STANDARD"
  }
  encryption_config = {
    resources        = ["secrets"]
    provider_key_arn = module.KmsKeys.cmks.secret.arn
  }
  addons = {
    coredns = {}
    eks-pod-identity-agent = {
@@ -295,3 +271,24 @@ resource "aws_security_group_rule" "eks_node_alb_ingress" {
  ipv6_cidr_blocks  = [module.vpc.vpc_ipv6_cidr_block]
  description       = "ALB to nginx pods port 80"
 }
 # CMK for encryption
 module "KmsKeys" {
  source = "../modules/security_identity_compliance/CustomerManagedKmsKeys"
  rotation_period_in_days = 180
  enable_key_rotation     = true
  deletion_window_in_days = 7
  name-prefix             = "${var.environment}-${var.project}"
  create_asg_role         = false
  create-allpurpose-key   = false
  create-backup-key       = false
  create-database-key     = false
  create-eksebs-key       = true
  create-log-key          = true
  create-notify-key       = false
  create-secret-key       = true
  create-storage-key      = false
 }
@@ -12,3 +12,36 @@ module "aws_lb_controller_pod_identity" {
    }
  }
 }
 module "CsiPodIdentity" {
  source      = "../modules/security_identity_compliance/iam-role-v2"
  description = "EKSCSIDriverRole"
  role-name   = "AmazonEBSCSIDriverRole"
  trusted-entity = jsonencode(
    {
      "Version" : "2012-10-17",
      "Statement" : [
        {
          "Effect" : "Allow",
          "Principal" : {
            "Service" : "pods.eks.amazonaws.com"
          },
          "Action" : [
            "sts:AssumeRole",
            "sts:TagSession"
          ]
        }
      ]
    }
  )
 }
 # 2 policies are required for the ebs csi to work
 resource "aws_iam_role_policy_attachment" "CsiPodIdentity" {
  for_each = toset([
    "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess",
    "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
  ])
  role       = module.CsiPodIdentity.name
  policy_arn = each.value
 }
@@ -1,12 +1,28 @@
-variable "aws-region" {}
+variable "aws-region" {
-variable "aws-region-short" {}
+  description = "AWS region"
-variable "customer-name" {}
+  type        = string
-variable "environment" {}
+}
-variable "project" {}
+variable "customer-name" {
-variable "application" {}
+  description = "Owner of application"
-variable "eks_master_user_arn" {}
+  type        = string
-
+}
 variable "environment" {
  description = "Name of environment (i.e. Prod/Lab)"
  type        = string
 }
 variable "project" {
  description = "Name of project"
  type        = string
 }
 variable "application" {
  description = "Name of application"
  type        = string
 }
 variable "eks_master_user_arn" {
  description = "EKS administrator ARN which will be added to access entry"
  type        = string
 }
 variable "eks_cluster_name" {
  type    = string
-  default = "xpk-eks01"
+  default = "acme-eks01"
 }
@@ -144,6 +144,12 @@ resource "aws_kms_alias" "storage" {
  target_key_id = aws_kms_key.storage[0].id
 }
 resource "aws_kms_alias" "eks_ebs" {
  count         = var.create-eksebs-key ? 1 : 0
  name          = "alias/${local.prefix}eksebs"
  target_key_id = aws_kms_key.eks_ebs[0].id
 }
 resource "aws_kms_alias" "database" {
  count         = var.create-database-key ? 1 : 0
  name          = "alias/${local.prefix}database"
@@ -28,6 +28,10 @@ output "cmks" {
    storage = {
      alias = one(aws_kms_alias.storage.*.name)
      arn   = one(aws_kms_key.storage.*.arn)
    },
    eksebs = {
      alias = one(aws_kms_alias.eks_ebs.*.name)
      arn   = one(aws_kms_key.eks_ebs.*.arn)
    }
  }
 }