
feat: patch CMK module and update EksIp6 module

This commit is contained in:
xpk
2026-02-25 18:06:40 +08:00
parent df22fcf46b
commit acd42ff526
7 changed files with 115 additions and 68 deletions
+1
@@ -16,3 +16,4 @@ headdesk-aws/
vsphere-yige/ vsphere-yige/
anz-sandbox/ anz-sandbox/
1.SandboxTesting/ 1.SandboxTesting/
*.tfvars
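Review bot: Adding `*.tfvars` to the ignore list does not untrack a tfvars file that is already committed; if one exists in history it has to be removed from the index and its contents treated as exposed. The pattern also leaves `*.tfvars.json` (and `*.auto.tfvars.json`) uncovered, which Terraform loads in the same way and which typically carry the same values, so `*.tfvars.json` belongs next to it. The file name for this section is not shown on the page, so this assumes it is the repository `.gitignore`.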
+6 -16
@@ -1,5 +1,5 @@
module "BastionRole" { module "BastionRole" {
source = "../../modules/security_identity_compliance/iam-role-v2" source = "../modules/security_identity_compliance/iam-role-v2"
description = "EKS bastion instance profile" description = "EKS bastion instance profile"
role-name = "BastionInstanceProfile" role-name = "BastionInstanceProfile"
trusted-entity = "ec2.amazonaws.com" trusted-entity = "ec2.amazonaws.com"
@@ -34,7 +34,7 @@ resource "aws_iam_role_policy_attachment" "BastionProfilePermissions" {
module "eks-bastion" { module "eks-bastion" {
depends_on = [module.eks] # essential for initializing kubectl in userdata depends_on = [module.eks] # essential for initializing kubectl in userdata
source = "../../modules/compute/ec2" source = "../modules/compute/ec2"
additional-tags = {} additional-tags = {}
ami-id = data.aws_ami.this.id ami-id = data.aws_ami.this.id
@@ -46,7 +46,7 @@ module "eks-bastion" {
instance-name = "${var.environment}-eks-bastion-${random_pet.pet.id}" instance-name = "${var.environment}-eks-bastion-${random_pet.pet.id}"
instance-type = "t4g.micro" instance-type = "t4g.micro"
key-name = aws_key_pair.kp.key_name key-name = aws_key_pair.kp.key_name
kms-key-id = "" kms-key-id = module.KmsKeys.cmks.storage.arn
root-volume-size = "8" root-volume-size = "8"
# security-groups = [module.bastion-sg.id, module.eks.cluster_primary_security_group_id] # security-groups = [module.bastion-sg.id, module.eks.cluster_primary_security_group_id]
security-groups = [module.bastion-sg.id] security-groups = [module.bastion-sg.id]
@@ -121,11 +121,12 @@ resource "aws_key_pair" "kp" {
} }
module "bastion-sg" { module "bastion-sg" {
source = "../../modules/compute/security_group" source = "../modules/compute/security_group"
description = "${var.environment}-eks-bastion-${random_pet.pet.id}-sg" description = "${var.environment}-eks-bastion-${random_pet.pet.id}-sg"
egress = { egress = {
r1 = "-1,-1,-1,0.0.0.0/0,Allow egress" r1 = "-1,-1,-1,0.0.0.0/0,Allow egress ipv4"
r2 = "-1,-1,-1,::/0,Allow egress ipv6"
} }
ingress = { ingress = {
r1 = "tcp,22,22,0.0.0.0/0,ssh" r1 = "tcp,22,22,0.0.0.0/0,ssh"
@@ -133,14 +134,3 @@ module "bastion-sg" {
name = "eks-bastion-${random_pet.pet.id}-sg" name = "eks-bastion-${random_pet.pet.id}-sg"
vpc-id = module.vpc.vpc_id vpc-id = module.vpc.vpc_id
} }
# my security_group module does not support ipv6_cidr_blocks
resource "aws_security_group_rule" "ipv6_egress" {
security_group_id = module.bastion-sg.id
type = "egress"
from_port = -1
to_port = -1
protocol = "all"
ipv6_cidr_blocks = ["::/0"]
description = "Allow ipv6 egress"
}
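Review bot: `kms-key-id = module.KmsKeys.cmks.storage.arn` on the root-volume line references a key this commit never creates: the `KmsKeys` block added in the next file sets `create-storage-key = false`, and the module output builds `arn` with `one(aws_kms_key.storage.*.arn)`, so the value resolves to null instead of failing. Depending on how the ec2 module treats a null `kms-key-id`, the bastion root volume is either encrypted with the AWS-managed `aws/ebs` key or the plan errors; either set `create-storage-key = true` in the `KmsKeys` block or point the bastion at a key that is created, e.g. `kms-key-id = module.KmsKeys.cmks.eksebs.arn`. The new `r2 = "-1,-1,-1,::/0,Allow egress ipv6"` rule also relies on the security_group module parsing an IPv6 CIDR from the same rule string; the deleted comment said it did not, and no change to that module is in this commit, so confirm it accepts `::/0` before the separate `ipv6_egress` rule is dropped. The `eks-bastion` module block starts and ends outside its hunk.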
+40 -43
@@ -68,39 +68,6 @@ module "vpc" {
} }
# EKS resources # EKS resources
module "CsiPodIdentity" {
source = "../../modules/security_identity_compliance/iam-role-v2"
description = "EKSCSIDriverRole"
role-name = "AmazonEBSCSIDriverRole"
trusted-entity = jsonencode(
{
"Version" : "2012-10-17",
"Statement" : [
{
"Effect" : "Allow",
"Principal" : {
"Service" : "pods.eks.amazonaws.com"
},
"Action" : [
"sts:AssumeRole",
"sts:TagSession"
]
}
]
}
)
}
# 2 policies are required for the ebs csi to work
resource "aws_iam_role_policy_attachment" "CsiPodIdentity" {
for_each = toset([
"arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess",
"arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
])
role = module.CsiPodIdentity.name
policy_arn = each.value
}
locals { locals {
userdata = <<EOT userdata = <<EOT
MIME-Version: 1.0 MIME-Version: 1.0
@@ -147,6 +114,8 @@ resource "aws_launch_template" "node_lt" {
ebs { ebs {
volume_size = 20 volume_size = 20
volume_type = "gp3" volume_type = "gp3"
encrypted = true
kms_key_id = module.KmsKeys.cmks.eksebs.arn
} }
} }
# must not specify this # image_id = data.aws_ami.eks_worker.id # must not specify this # image_id = data.aws_ami.eks_worker.id
@@ -190,21 +159,28 @@ module "eks" {
source_security_group_id = module.bastion-sg.id source_security_group_id = module.bastion-sg.id
} }
} }
vpc_id = module.vpc.vpc_id vpc_id = module.vpc.vpc_id
subnet_ids = module.vpc.private_subnets subnet_ids = module.vpc.private_subnets
ip_family = "ipv6" ip_family = "ipv6"
create_cni_ipv6_iam_policy = true create_cni_ipv6_iam_policy = true
create_kms_key = true create_kms_key = false
endpoint_private_access = true create_cloudwatch_log_group = true
endpoint_public_access = false cloudwatch_log_group_kms_key_id = module.KmsKeys.cmks.log.arn
enable_irsa = false cloudwatch_log_group_retention_in_days = 14
create_cloudwatch_log_group = false endpoint_private_access = true
create_node_security_group = true endpoint_public_access = false
enable_irsa = false
create_node_security_group = true
# authentication_mode = "API_AND_CONFIG_MAP" # use access entries and leave this to default # authentication_mode = "API_AND_CONFIG_MAP" # use access entries and leave this to default
upgrade_policy = { upgrade_policy = {
support_type = "STANDARD" support_type = "STANDARD"
} }
encryption_config = {
resources = ["secrets"]
provider_key_arn = module.KmsKeys.cmks.secret.arn
}
addons = { addons = {
coredns = {} coredns = {}
eks-pod-identity-agent = { eks-pod-identity-agent = {
@@ -294,4 +270,25 @@ resource "aws_security_group_rule" "eks_node_alb_ingress" {
security_group_id = module.eks.node_security_group_id security_group_id = module.eks.node_security_group_id
ipv6_cidr_blocks = [module.vpc.vpc_ipv6_cidr_block] ipv6_cidr_blocks = [module.vpc.vpc_ipv6_cidr_block]
description = "ALB to nginx pods port 80" description = "ALB to nginx pods port 80"
}
# CMK for encryption
module "KmsKeys" {
source = "../modules/security_identity_compliance/CustomerManagedKmsKeys"
rotation_period_in_days = 180
enable_key_rotation = true
deletion_window_in_days = 7
name-prefix = "${var.environment}-${var.project}"
create_asg_role = false
create-allpurpose-key = false
create-backup-key = false
create-database-key = false
create-eksebs-key = true
create-log-key = true
create-notify-key = false
create-secret-key = true
create-storage-key = false
} }
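Review bot: The launch template now sets `kms_key_id = module.KmsKeys.cmks.eksebs.arn` on the node root volume while the `KmsKeys` module is instantiated with `create_asg_role = false`. Node groups are launched through an Auto Scaling group, and a CMK-encrypted root volume can only be attached at launch if the key policy or a grant allows the AutoScaling service-linked role to use the key (`kms:CreateGrant`, `kms:Decrypt`, `kms:GenerateDataKeyWithoutPlaintext` and related actions); without that, instances fail to launch and the node group never becomes ready. What the `create_asg_role` flag controls is not visible on this page, so confirm the eksebs key policy covers that role or set the flag to true. Two smaller points on the same block: `deletion_window_in_days = 7` is the minimum, and for keys protecting EKS secrets and node volumes a longer window (the default 30) leaves room to recover from an accidental destroy; and `cloudwatch_log_group_kms_key_id = module.KmsKeys.cmks.log.arn` only works if the log key policy allows the `logs.<region>.amazonaws.com` service principal, which should be confirmed as well.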
+33
@@ -11,4 +11,37 @@ module "aws_lb_controller_pod_identity" {
service_account = "aws-load-balancer-controller-sa" service_account = "aws-load-balancer-controller-sa"
} }
} }
}
module "CsiPodIdentity" {
source = "../modules/security_identity_compliance/iam-role-v2"
description = "EKSCSIDriverRole"
role-name = "AmazonEBSCSIDriverRole"
trusted-entity = jsonencode(
{
"Version" : "2012-10-17",
"Statement" : [
{
"Effect" : "Allow",
"Principal" : {
"Service" : "pods.eks.amazonaws.com"
},
"Action" : [
"sts:AssumeRole",
"sts:TagSession"
]
}
]
}
)
}
# 2 policies are required for the ebs csi to work
resource "aws_iam_role_policy_attachment" "CsiPodIdentity" {
for_each = toset([
"arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess",
"arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
])
role = module.CsiPodIdentity.name
policy_arn = each.value
} }
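Review bot: The moved role attaches `AmazonEC2ReadOnlyAccess` next to `AmazonEBSCSIDriverPolicy`, and the comment `# 2 policies are required for the ebs csi to work` records this as a requirement; the EBS CSI driver's documented requirement is `AmazonEBSCSIDriverPolicy` alone, so the read-only policy widens the role to every EC2 describe call and should either be dropped or the comment should name the call that actually needed it. Now that node volumes are encrypted with the `eksebs` CMK, any PersistentVolume a StorageClass creates with that key will need this role allowed in the key policy (`kms:CreateGrant`, `kms:Decrypt`, `kms:GenerateDataKey*`, `kms:DescribeKey`); that is not part of this commit and is worth confirming in the KmsKeys module. The block itself is a verbatim copy of the one removed from the EKS file.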
+25 -9
@@ -1,12 +1,28 @@
variable "aws-region" {} variable "aws-region" {
variable "aws-region-short" {} description = "AWS region"
variable "customer-name" {} type = string
variable "environment" {} }
variable "project" {} variable "customer-name" {
variable "application" {} description = "Owner of application"
variable "eks_master_user_arn" {} type = string
}
variable "environment" {
description = "Name of environment (i.e. Prod/Lab)"
type = string
}
variable "project" {
description = "Name of project"
type = string
}
variable "application" {
description = "Name of application"
type = string
}
variable "eks_master_user_arn" {
description = "EKS administrator ARN which will be added to access entry"
type = string
}
variable "eks_cluster_name" { variable "eks_cluster_name" {
type = string type = string
default = "xpk-eks01" default = "acme-eks01"
} }
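Review bot: `variable "eks_cluster_name"` is the only declaration in this hunk left without a `description` after every other variable gained one; `description = "Name of the EKS cluster"` keeps the file consistent. The removal of `variable "aws-region-short"` is not paired with a change to any reference in this commit, so if another file still uses `var.aws-region-short` the plan fails; none of the `.tf` hunks shown reference it, but those files are only partially visible. `eks_master_user_arn` would also benefit from a `validation` block checking the `arn:aws:iam::` prefix, since a malformed value otherwise only surfaces when the access entry is created.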
@@ -144,6 +144,12 @@ resource "aws_kms_alias" "storage" {
target_key_id = aws_kms_key.storage[0].id target_key_id = aws_kms_key.storage[0].id
} }
resource "aws_kms_alias" "eks_ebs" {
count = var.create-eksebs-key ? 1 : 0
name = "alias/${local.prefix}eksebs"
target_key_id = aws_kms_key.eks_ebs[0].id
}
resource "aws_kms_alias" "database" { resource "aws_kms_alias" "database" {
count = var.create-database-key ? 1 : 0 count = var.create-database-key ? 1 : 0
name = "alias/${local.prefix}database" name = "alias/${local.prefix}database"
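Review bot: The new alias resource is named `eks_ebs` while the flag, the alias string and the output key all use `eksebs` (`var.create-eksebs-key`, `alias/${local.prefix}eksebs`, `eksebs = {...}` in the output); naming it `aws_kms_alias.eksebs` matches the one-word convention of `storage` and `database` in the same file and the output reference would become `one(aws_kms_alias.eksebs.*.name)`. Neither `aws_kms_key.eks_ebs` nor `variable "create-eksebs-key"` is added by this commit, so both must already exist in the module or the references here fail at plan time; the page shows no hunk for either, and the file header for this section is not shown.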
@@ -28,6 +28,10 @@ output "cmks" {
storage = { storage = {
alias = one(aws_kms_alias.storage.*.name) alias = one(aws_kms_alias.storage.*.name)
arn = one(aws_kms_key.storage.*.arn) arn = one(aws_kms_key.storage.*.arn)
},
eksebs = {
alias = one(aws_kms_alias.eks_ebs.*.name)
arn = one(aws_kms_key.eks_ebs.*.arn)
} }
} }
} }