Enable cluster encryption by default (cloudposse#111)
* Updates

* Updates

* Updates
aknysh authored Apr 1, 2021
1 parent 1513d1b commit 0e88a75
Showing 10 changed files with 268 additions and 198 deletions.
7 changes: 7 additions & 0 deletions .github/mergify.yml
Expand Up @@ -56,3 +56,10 @@ pull_request_rules:
changes_requested: true
approved: true
message: "This Pull Request has been updated, so we're dismissing all reviews."

- name: "close Pull Requests without files changed"
conditions:
- "#files=0"
actions:
close:
message: "This pull request has been automatically closed by Mergify because there are no longer any changes."
4 changes: 3 additions & 1 deletion .github/workflows/auto-format.yml
Expand Up @@ -6,7 +6,7 @@ on:
jobs:
auto-format:
runs-on: ubuntu-latest
container: cloudposse/build-harness:slim-latest
container: cloudposse/build-harness:latest
steps:
# Checkout the pull request branch
# "An action in a workflow run can’t trigger a new workflow run. For example, if an action pushes code using
Expand All @@ -29,6 +29,8 @@ jobs:
- name: Auto Format
if: github.event.pull_request.state == 'open'
shell: bash
env:
GITHUB_TOKEN: "${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}"
run: make BUILD_HARNESS_PATH=/build-harness PACKAGES_PREFER_HOST=true -f /build-harness/templates/Makefile.build-harness pr/auto-format/host

# Commit changes (if any) to the PR branch
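Review bot: `container: cloudposse/build-harness:latest` on the new side is a mutable tag, so each run pulls whatever image currently carries that tag; pin the image to a digest (or at least an explicit version tag) so the toolchain that receives the token below is reproducible and a retagged image cannot silently change it. The Auto Format step now exports `PUBLIC_REPO_ACCESS_TOKEN` as `GITHUB_TOKEN` while running `make` against a checked-out pull-request branch; whether fork PRs can reach this step depends on the `on:` trigger, which lies outside the hunk, so confirm it is not `pull_request_target`, where the secret would be available to a job operating on PR-controlled content. The quoted form `"${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}"` used here differs from the unquoted form in auto-release.yml; both parse, but the quoted form is the safer convention for templated scalars and is worth applying consistently.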
24 changes: 15 additions & 9 deletions .github/workflows/auto-release.yml
Expand Up @@ -3,17 +3,23 @@ name: auto-release
on:
push:
branches:
- master
- master

jobs:
publish:
runs-on: ubuntu-latest
steps:
# Drafts your next Release notes as Pull Requests are merged into "master"
- uses: release-drafter/release-drafter@v5
with:
publish: true
prerelease: false
config-name: auto-release.yml
env:
GITHUB_TOKEN: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
# Get PR from merged commit to master
- uses: actions-ecosystem/action-get-merged-pull-request@v1
id: get-merged-pull-request
with:
github_token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
# Drafts your next Release notes as Pull Requests are merged into "master"
- uses: release-drafter/release-drafter@v5
if: "!contains(steps.get-merged-pull-request.outputs.labels, 'no-release')"
with:
publish: true
prerelease: false
config-name: auto-release.yml
env:
GITHUB_TOKEN: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
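Review bot: The new `actions-ecosystem/action-get-merged-pull-request@v1` step and the existing `release-drafter/release-drafter@v5` are both referenced by floating major tags and both receive `PUBLIC_REPO_ACCESS_TOKEN`, a token with write access to the repository; pin each to a full commit SHA with the tag in a trailing comment, e.g. `- uses: actions-ecosystem/action-get-merged-pull-request@<commit-sha> # v1`, so a moved tag cannot change the code that handles the token. The guard `!contains(steps.get-merged-pull-request.outputs.labels, 'no-release')` is a substring test, so any label whose name merely contains `no-release` also suppresses publishing; if only the exact label is meant, note that in a comment on the `if:` or match the delimited entry. When a push to master has no merged PR behind it, the labels output is presumably empty and the release is published — confirm that is the intended default.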
2 changes: 1 addition & 1 deletion LICENSE
Expand Up @@ -186,7 +186,7 @@
same "printed page" as the copyright notice for easier
identification within third-party archives.

Copyright 2018-2020 Cloud Posse, LLC
Copyright 2018-2021 Cloud Posse, LLC

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
184 changes: 95 additions & 89 deletions README.md


184 changes: 95 additions & 89 deletions docs/terraform.md


4 changes: 3 additions & 1 deletion examples/complete/fixtures.us-east-2.tfvars
Expand Up @@ -8,7 +8,7 @@ stage = "test"

name = "eks"

kubernetes_version = "1.17"
kubernetes_version = "1.19"

oidc_provider_enabled = true

Expand All @@ -27,3 +27,5 @@ min_size = 2
disk_size = 20

kubernetes_labels = {}

cluster_encryption_config_enabled = true
17 changes: 11 additions & 6 deletions examples/complete/main.tf
Expand Up @@ -4,7 +4,7 @@ provider "aws" {

module "label" {
source = "cloudposse/label/null"
version = "0.22.0"
version = "0.24.1"
attributes = ["cluster"]

context = module.this.context
Expand All @@ -30,12 +30,11 @@ locals {
private_subnets_additional_tags = {
"kubernetes.io/role/internal-elb" : 1
}

}

module "vpc" {
source = "cloudposse/vpc/aws"
version = "0.17.0"
version = "0.21.1"

cidr_block = "172.16.0.0/16"
tags = local.tags
Expand All @@ -45,7 +44,7 @@ module "vpc" {

module "subnets" {
source = "cloudposse/dynamic-subnets/aws"
version = "0.28.0"
version = "0.38.0"

availability_zones = var.availability_zones
vpc_id = module.vpc.vpc_id
Expand All @@ -60,7 +59,6 @@ module "subnets" {
context = module.this.context
}


module "eks_cluster" {
source = "../../"

Expand All @@ -73,6 +71,13 @@ module "eks_cluster" {
enabled_cluster_log_types = var.enabled_cluster_log_types
cluster_log_retention_period = var.cluster_log_retention_period

cluster_encryption_config_enabled = var.cluster_encryption_config_enabled
cluster_encryption_config_kms_key_id = var.cluster_encryption_config_kms_key_id
cluster_encryption_config_kms_key_enable_key_rotation = var.cluster_encryption_config_kms_key_enable_key_rotation
cluster_encryption_config_kms_key_deletion_window_in_days = var.cluster_encryption_config_kms_key_deletion_window_in_days
cluster_encryption_config_kms_key_policy = var.cluster_encryption_config_kms_key_policy
cluster_encryption_config_resources = var.cluster_encryption_config_resources

context = module.this.context
}

Expand All @@ -90,7 +95,7 @@ data "null_data_source" "wait_for_cluster_and_kubernetes_configmap" {

module "eks_node_group" {
source = "cloudposse/eks-node-group/aws"
version = "0.8.0"
version = "0.19.0"

subnet_ids = module.subnets.private_subnet_ids
cluster_name = data.null_data_source.wait_for_cluster_and_kubernetes_configmap.outputs["cluster_name"]
36 changes: 36 additions & 0 deletions examples/complete/variables.tf
Expand Up @@ -98,3 +98,39 @@ variable "min_size" {
type = number
description = "The minimum size of the AutoScaling Group"
}

variable "cluster_encryption_config_enabled" {
type = bool
default = true
description = "Set to `true` to enable Cluster Encryption Configuration"
}

variable "cluster_encryption_config_kms_key_id" {
type = string
default = ""
description = "KMS Key ID to use for cluster encryption config"
}

variable "cluster_encryption_config_kms_key_enable_key_rotation" {
type = bool
default = true
description = "Cluster Encryption Config KMS Key Resource argument - enable kms key rotation"
}

variable "cluster_encryption_config_kms_key_deletion_window_in_days" {
type = number
default = 10
description = "Cluster Encryption Config KMS Key Resource argument - key deletion windows in days post destruction"
}

variable "cluster_encryption_config_kms_key_policy" {
type = string
default = null
description = "Cluster Encryption Config KMS Key Resource argument - key policy"
}

variable "cluster_encryption_config_resources" {
type = list(any)
default = ["secrets"]
description = "Cluster Encryption Config Resources to encrypt, e.g. ['secrets']"
}
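Review bot: `cluster_encryption_config_kms_key_deletion_window_in_days` defaults to `10`, and this key protects the cluster's Kubernetes secrets; once the key is scheduled for deletion and the window elapses, anything encrypted with it can no longer be decrypted, so the example should favour the 30-day maximum AWS KMS allows and say why, e.g. `description = "Cluster Encryption Config KMS Key Resource argument - key deletion window in days post destruction (secrets encrypted with the key become unrecoverable once it is gone)"`. `cluster_encryption_config_resources` is typed `list(any)` although the entries are strings such as `"secrets"`; `list(string)` documents the contract more precisely. These descriptions duplicate the root `variables.tf` wording, including the `key deletion windows` typo, so keep the two copies in sync when either changes.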
4 changes: 2 additions & 2 deletions variables.tf
Expand Up @@ -135,14 +135,14 @@ variable "kubernetes_config_map_ignore_role_changes" {

variable "cluster_encryption_config_enabled" {
type = bool
default = false
default = true
description = "Set to `true` to enable Cluster Encryption Configuration"
}

variable "cluster_encryption_config_kms_key_id" {
type = string
default = ""
description = "Specify KMS Key Id ARN to use for cluster encryption config"
description = "KMS Key ID to use for cluster encryption config"
}

variable "cluster_encryption_config_kms_key_enable_key_rotation" {
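Review bot: Flipping `cluster_encryption_config_enabled` from `false` to `true` changes behaviour for every existing consumer of the module on their next apply, and depending on the AWS provider version a change to the cluster's `encryption_config` may force replacement of the cluster rather than an in-place update; the description or release notes should state that the default changed and that the plan on existing clusters needs review before applying. The rewritten description for `cluster_encryption_config_kms_key_id` drops the word ARN, yet EKS encryption config takes the key ARN, so if the module passes this value straight through — its use is outside the hunk — the old wording was the more accurate one; keep `ARN` in the description or document that both forms are accepted. The empty-string default presumably acts as a "create a key" sentinel; say so in the description rather than leaving readers to infer it.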
