xpk/terraform.examples
SHA256
1
0
Fork 0
Code Pull Requests Activity

feat: patch CMK module and updated EksIp6 module

Browse Source
This commit is contained in:
xpk
2026-02-25 18:06:40 +08:00
parent df22fcf46b
commit acd42ff526
7 changed files with 115 additions and 68 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitignore
+1
View File
@@ -16,3 +16,4 @@ headdesk-aws/
vsphere-yige/
anz-sandbox/
1.SandboxTesting/
*.tfvars
EksIp6Nginxpod/eks-bastion.tf
+6 -16
View File
@@ -1,5 +1,5 @@
module "BastionRole" {
source = "../../modules/security_identity_compliance/iam-role-v2"
source = "../modules/security_identity_compliance/iam-role-v2"
description = "EKS bastion instance profile"
role-name = "BastionInstanceProfile"
trusted-entity = "ec2.amazonaws.com"
@@ -34,7 +34,7 @@ resource "aws_iam_role_policy_attachment" "BastionProfilePermissions" {
module "eks-bastion" {
depends_on = [module.eks] # essential for initializing kubectl in userdata
source = "../../modules/compute/ec2"
source = "../modules/compute/ec2"
additional-tags = {}
ami-id = data.aws_ami.this.id
@@ -46,7 +46,7 @@ module "eks-bastion" {
instance-name = "${var.environment}-eks-bastion-${random_pet.pet.id}"
instance-type = "t4g.micro"
key-name = aws_key_pair.kp.key_name
kms-key-id = ""
kms-key-id = module.KmsKeys.cmks.storage.arn
root-volume-size = "8"
# security-groups = [module.bastion-sg.id, module.eks.cluster_primary_security_group_id]
security-groups = [module.bastion-sg.id]
@@ -121,11 +121,12 @@ resource "aws_key_pair" "kp" {
}
module "bastion-sg" {
source = "../../modules/compute/security_group"
source = "../modules/compute/security_group"
description = "${var.environment}-eks-bastion-${random_pet.pet.id}-sg"
egress = {
r1 = "-1,-1,-1,0.0.0.0/0,Allow egress"
r1 = "-1,-1,-1,0.0.0.0/0,Allow egress ipv4"
r2 = "-1,-1,-1,::/0,Allow egress ipv6"
}
ingress = {
r1 = "tcp,22,22,0.0.0.0/0,ssh"
@@ -133,14 +134,3 @@ module "bastion-sg" {
name = "eks-bastion-${random_pet.pet.id}-sg"
vpc-id = module.vpc.vpc_id
}
# my security_group module does not support ipv6_cidr_blocks
resource "aws_security_group_rule" "ipv6_egress" {
security_group_id = module.bastion-sg.id
type = "egress"
from_port = -1
to_port = -1
protocol = "all"
ipv6_cidr_blocks = ["::/0"]
description = "Allow ipv6 egress"
}
EksIp6Nginxpod/main.tf
+40 -43
View File
@@ -68,39 +68,6 @@ module "vpc" {
}
# EKS resources
module "CsiPodIdentity" {
source = "../../modules/security_identity_compliance/iam-role-v2"
description = "EKSCSIDriverRole"
role-name = "AmazonEBSCSIDriverRole"
trusted-entity = jsonencode(
{
"Version" : "2012-10-17",
"Statement" : [
{
"Effect" : "Allow",
"Principal" : {
"Service" : "pods.eks.amazonaws.com"
},
"Action" : [
"sts:AssumeRole",
"sts:TagSession"
]
}
]
}
)
}
# 2 policies are required for the ebs csi to work
resource "aws_iam_role_policy_attachment" "CsiPodIdentity" {
for_each = toset([
"arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess",
"arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
])
role = module.CsiPodIdentity.name
policy_arn = each.value
}
locals {
userdata = <<EOT
MIME-Version: 1.0
@@ -147,6 +114,8 @@ resource "aws_launch_template" "node_lt" {
ebs {
volume_size = 20
volume_type = "gp3"
encrypted = true
kms_key_id = module.KmsKeys.cmks.eksebs.arn
}
}
# must not specify this # image_id = data.aws_ami.eks_worker.id
@@ -190,21 +159,28 @@ module "eks" {
source_security_group_id = module.bastion-sg.id
}
}
vpc_id = module.vpc.vpc_id
subnet_ids = module.vpc.private_subnets
ip_family = "ipv6"
create_cni_ipv6_iam_policy = true
create_kms_key = true
endpoint_private_access = true
endpoint_public_access = false
enable_irsa = false
create_cloudwatch_log_group = false
create_node_security_group = true
vpc_id = module.vpc.vpc_id
subnet_ids = module.vpc.private_subnets
ip_family = "ipv6"
create_cni_ipv6_iam_policy = true
create_kms_key = false
create_cloudwatch_log_group = true
cloudwatch_log_group_kms_key_id = module.KmsKeys.cmks.log.arn
cloudwatch_log_group_retention_in_days = 14
endpoint_private_access = true
endpoint_public_access = false
enable_irsa = false
create_node_security_group = true
# authentication_mode = "API_AND_CONFIG_MAP" # use access entries and leave this to default
upgrade_policy = {
support_type = "STANDARD"
}
encryption_config = {
resources = ["secrets"]
provider_key_arn = module.KmsKeys.cmks.secret.arn
}
addons = {
coredns = {}
eks-pod-identity-agent = {
@@ -294,4 +270,25 @@ resource "aws_security_group_rule" "eks_node_alb_ingress" {
security_group_id = module.eks.node_security_group_id
ipv6_cidr_blocks = [module.vpc.vpc_ipv6_cidr_block]
description = "ALB to nginx pods port 80"
}
# CMK for encryption
module "KmsKeys" {
source = "../modules/security_identity_compliance/CustomerManagedKmsKeys"
rotation_period_in_days = 180
enable_key_rotation = true
deletion_window_in_days = 7
name-prefix = "${var.environment}-${var.project}"
create_asg_role = false
create-allpurpose-key = false
create-backup-key = false
create-database-key = false
create-eksebs-key = true
create-log-key = true
create-notify-key = false
create-secret-key = true
create-storage-key = false
}
EksIp6Nginxpod/pod_identities.tf
+33
View File
@@ -11,4 +11,37 @@ module "aws_lb_controller_pod_identity" {
service_account = "aws-load-balancer-controller-sa"
}
}
}
module "CsiPodIdentity" {
source = "../modules/security_identity_compliance/iam-role-v2"
description = "EKSCSIDriverRole"
role-name = "AmazonEBSCSIDriverRole"
trusted-entity = jsonencode(
{
"Version" : "2012-10-17",
"Statement" : [
{
"Effect" : "Allow",
"Principal" : {
"Service" : "pods.eks.amazonaws.com"
},
"Action" : [
"sts:AssumeRole",
"sts:TagSession"
]
}
]
}
)
}
# 2 policies are required for the ebs csi to work
resource "aws_iam_role_policy_attachment" "CsiPodIdentity" {
for_each = toset([
"arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess",
"arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
])
role = module.CsiPodIdentity.name
policy_arn = each.value
}
EksIp6Nginxpod/variables.tf
+25 -9
View File
@@ -1,12 +1,28 @@
variable "aws-region" {}
variable "aws-region-short" {}
variable "customer-name" {}
variable "environment" {}
variable "project" {}
variable "application" {}
variable "eks_master_user_arn" {}
variable "aws-region" {
description = "AWS region"
type = string
}
variable "customer-name" {
description = "Owner of application"
type = string
}
variable "environment" {
description = "Name of environment (i.e. Prod/Lab)"
type = string
}
variable "project" {
description = "Name of project"
type = string
}
variable "application" {
description = "Name of application"
type = string
}
variable "eks_master_user_arn" {
description = "EKS administrator ARN which will be added to access entry"
type = string
}
variable "eks_cluster_name" {
type = string
default = "xpk-eks01"
default = "acme-eks01"
}
modules/security_identity_compliance/CustomerManagedKmsKeys/main.tf
+6
View File
@@ -144,6 +144,12 @@ resource "aws_kms_alias" "storage" {
target_key_id = aws_kms_key.storage[0].id
}
resource "aws_kms_alias" "eks_ebs" {
count = var.create-eksebs-key ? 1 : 0
name = "alias/${local.prefix}eksebs"
target_key_id = aws_kms_key.eks_ebs[0].id
}
resource "aws_kms_alias" "database" {
count = var.create-database-key ? 1 : 0
name = "alias/${local.prefix}database"
modules/security_identity_compliance/CustomerManagedKmsKeys/outputs.tf
+4
View File
@@ -28,6 +28,10 @@ output "cmks" {
storage = {
alias = one(aws_kms_alias.storage.*.name)
arn = one(aws_kms_key.storage.*.arn)
},
eksebs = {
alias = one(aws_kms_alias.eks_ebs.*.name)
arn = one(aws_kms_key.eks_ebs.*.arn)
}
}
}