Improved dependency configuration (cloudposse#185)
Nuru authored May 20, 2023
1 parent 2dceddc commit c0993cc
Showing 12 changed files with 652 additions and 345 deletions.
31 changes: 30 additions & 1 deletion README.md
Expand Up @@ -282,7 +282,34 @@ Other examples:
kubernetes_version = var.kubernetes_version
oidc_provider_enabled = true
addons = [
// https://docs.aws.amazon.com/eks/latest/userguide/managing-vpc-cni.html#vpc-cni-latest-available-version
{
addon_name = "vpc-cni"
addon_version = var.vpc_cni_version
resolve_conflicts = "NONE"
service_account_role_arn = null
},
// https://docs.aws.amazon.com/eks/latest/userguide/managing-kube-proxy.html
{
addon_name = "kube-proxy"
addon_version = var.kube_proxy_version
resolve_conflicts = "NONE"
service_account_role_arn = null
},
// https://docs.aws.amazon.com/eks/latest/userguide/managing-coredns.html
{
addon_name = "coredns"
addon_version = var.coredns_version
resolve_conflicts = "NONE"
service_account_role_arn = null
},
]
addons_depends_on = [module.eks_node_group]
context = module.label.context
cluster_depends_on = [module.subnets]
}
```

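Review bot: the `addons` example in this hunk references `var.vpc_cni_version`, `var.kube_proxy_version` and `var.coredns_version`, but nothing in the README shows these variables declared, and the `examples/complete` fixture in this same commit uses `addon_version = null` instead; either declare the three variables in the surrounding usage example or use `null` here too with a comment that `null` lets the provider install the default addon version for the cluster's Kubernetes version. If the variables stay (pinned versions are the reproducible choice for production), a one-line comment pointing at the linked AWS pages for finding a compatible version would help readers. The `//` comment style inside the list also differs from the `#` style used elsewhere in the examples; `#` is the conventional HCL form.
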
Expand Down Expand Up @@ -452,6 +479,7 @@ Available targets:
|------|-------------|------|---------|:--------:|
| <a name="input_additional_tag_map"></a> [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.<br>This is for some rare cases where resources want additional configuration of tags<br>and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no |
| <a name="input_addons"></a> [addons](#input\_addons) | Manages [`aws_eks_addon`](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon) resources | <pre>list(object({<br> addon_name = string<br> addon_version = string<br> resolve_conflicts = string<br> service_account_role_arn = string<br> }))</pre> | `[]` | no |
| <a name="input_addons_depends_on"></a> [addons\_depends\_on](#input\_addons\_depends\_on) | If provided, all addons will depend on this object, and therefore not be installed until this object is finalized.<br>This is useful if you want to ensure that addons are not applied before some other condition is met, e.g. node groups are created.<br>See [issue #170](https://github.com/cloudposse/terraform-aws-eks-cluster/issues/170) for more details. | `any` | `null` | no |
| <a name="input_allowed_cidr_blocks"></a> [allowed\_cidr\_blocks](#input\_allowed\_cidr\_blocks) | A list of IPv4 CIDRs to allow access to the cluster.<br>The length of this list must be known at "plan" time. | `list(string)` | `[]` | no |
| <a name="input_allowed_security_group_ids"></a> [allowed\_security\_group\_ids](#input\_allowed\_security\_group\_ids) | A list of IDs of Security Groups to allow access to the cluster. | `list(string)` | `[]` | no |
| <a name="input_allowed_security_groups"></a> [allowed\_security\_groups](#input\_allowed\_security\_groups) | DEPRECATED: Use `allowed_security_group_ids` instead.<br>Historical description: List of Security Group IDs to be allowed to connect to the EKS cluster.<br>Historical default: `[]` | `list(string)` | `[]` | no |
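
Review bot: the description of `addons_depends_on` in this hunk says "this object", while the usage example passes a list (`[module.eks_node_group]`) and the type is `any`; say that a single reference or a list both work and that the value itself is never read, only the dependency carried by the caller's expression. It should also state the cycle constraint: the object passed here must not itself depend on the addons, e.g. a node group that consumes a module output derived from `aws_eks_addon`, or `terraform plan` fails with a dependency cycle.
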
Expand All @@ -461,6 +489,7 @@ Available targets:
| <a name="input_aws_auth_yaml_strip_quotes"></a> [aws\_auth\_yaml\_strip\_quotes](#input\_aws\_auth\_yaml\_strip\_quotes) | If true, remove double quotes from the generated aws-auth ConfigMap YAML to reduce spurious diffs in plans | `bool` | `true` | no |
| <a name="input_cloudwatch_log_group_kms_key_id"></a> [cloudwatch\_log\_group\_kms\_key\_id](#input\_cloudwatch\_log\_group\_kms\_key\_id) | If provided, the KMS Key ID to use to encrypt AWS CloudWatch logs | `string` | `null` | no |
| <a name="input_cluster_attributes"></a> [cluster\_attributes](#input\_cluster\_attributes) | Override label module default cluster attributes | `list(string)` | <pre>[<br> "cluster"<br>]</pre> | no |
| <a name="input_cluster_depends_on"></a> [cluster\_depends\_on](#input\_cluster\_depends\_on) | If provided, the EKS will depend on this object, and therefore not be created until this object is finalized.<br>This is useful if you want to ensure that the cluster is not created before some other condition is met, e.g. VPNs into the subnet are created. | `any` | `null` | no |
| <a name="input_cluster_encryption_config_enabled"></a> [cluster\_encryption\_config\_enabled](#input\_cluster\_encryption\_config\_enabled) | Set to `true` to enable Cluster Encryption Configuration | `bool` | `true` | no |
| <a name="input_cluster_encryption_config_kms_key_deletion_window_in_days"></a> [cluster\_encryption\_config\_kms\_key\_deletion\_window\_in\_days](#input\_cluster\_encryption\_config\_kms\_key\_deletion\_window\_in\_days) | Cluster Encryption Config KMS Key Resource argument - key deletion windows in days post destruction | `number` | `10` | no |
| <a name="input_cluster_encryption_config_kms_key_enable_key_rotation"></a> [cluster\_encryption\_config\_kms\_key\_enable\_key\_rotation](#input\_cluster\_encryption\_config\_kms\_key\_enable\_key\_rotation) | Cluster Encryption Config KMS Key Resource argument - enable kms key rotation | `bool` | `true` | no |
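
Review bot: grammar in the `cluster_depends_on` row: "the EKS will depend on this object" should read "the EKS cluster will depend on this object". The same caveat as for `addons_depends_on` applies and is worth stating in the description: the value is used for ordering only, so a list or a single reference both work, and the object must not depend on the cluster itself.
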
Expand Down Expand Up @@ -508,7 +537,7 @@ Available targets:
| <a name="input_permissions_boundary"></a> [permissions\_boundary](#input\_permissions\_boundary) | If provided, all IAM roles will be created with this permissions boundary attached | `string` | `null` | no |
| <a name="input_public_access_cidrs"></a> [public\_access\_cidrs](#input\_public\_access\_cidrs) | Indicates which CIDR blocks can access the Amazon EKS public API server endpoint when enabled. EKS defaults this to a list with 0.0.0.0/0. | `list(string)` | <pre>[<br> "0.0.0.0/0"<br>]</pre> | no |
| <a name="input_regex_replace_chars"></a> [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.<br>Characters matching the regex will be removed from the ID elements.<br>If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
| <a name="input_region"></a> [region](#input\_region) | AWS Region | `string` | n/a | yes |
| <a name="input_region"></a> [region](#input\_region) | OBSOLETE (not needed): AWS Region | `string` | `null` | no |
| <a name="input_service_ipv4_cidr"></a> [service\_ipv4\_cidr](#input\_service\_ipv4\_cidr) | The CIDR block to assign Kubernetes service IP addresses from.<br>You can only specify a custom CIDR block when you create a cluster, changing this value will force a new cluster to be created. | `string` | `null` | no |
| <a name="input_stage"></a> [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
| <a name="input_subnet_ids"></a> [subnet\_ids](#input\_subnet\_ids) | A list of subnet IDs to launch the cluster in | `list(string)` | n/a | yes |
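
Review bot: changing `region` from required to "OBSOLETE (not needed)" with default `null` is backward compatible (callers that still pass it keep working), but the description should say explicitly whether a supplied value is ignored and that the variable will be removed in a future major release, so readers know to drop it from their module calls.
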
27 changes: 27 additions & 0 deletions README.yaml
Expand Up @@ -241,8 +241,35 @@ usage: |2-
kubernetes_version = var.kubernetes_version
oidc_provider_enabled = true
addons = [
// https://docs.aws.amazon.com/eks/latest/userguide/managing-vpc-cni.html#vpc-cni-latest-available-version
{
addon_name = "vpc-cni"
addon_version = var.vpc_cni_version
resolve_conflicts = "NONE"
service_account_role_arn = null
},
// https://docs.aws.amazon.com/eks/latest/userguide/managing-kube-proxy.html
{
addon_name = "kube-proxy"
addon_version = var.kube_proxy_version
resolve_conflicts = "NONE"
service_account_role_arn = null
},
// https://docs.aws.amazon.com/eks/latest/userguide/managing-coredns.html
{
addon_name = "coredns"
addon_version = var.coredns_version
resolve_conflicts = "NONE"
service_account_role_arn = null
},
]
addons_depends_on = [module.eks_node_group]
context = module.label.context
cluster_depends_on = [module.subnets]
}
```
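
Review bot: this `usage` block is the source from which README.md is generated in the cloudposse module layout, so the same point as for the README.md hunk applies here and should be fixed here rather than in README.md: `var.vpc_cni_version`, `var.kube_proxy_version` and `var.coredns_version` are used without being shown declared, and the `examples/complete` fixture in this commit uses `addon_version = null` instead.
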
4 changes: 3 additions & 1 deletion docs/terraform.md
Expand Up @@ -63,6 +63,7 @@
|------|-------------|------|---------|:--------:|
| <a name="input_additional_tag_map"></a> [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.<br>This is for some rare cases where resources want additional configuration of tags<br>and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no |
| <a name="input_addons"></a> [addons](#input\_addons) | Manages [`aws_eks_addon`](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon) resources | <pre>list(object({<br> addon_name = string<br> addon_version = string<br> resolve_conflicts = string<br> service_account_role_arn = string<br> }))</pre> | `[]` | no |
| <a name="input_addons_depends_on"></a> [addons\_depends\_on](#input\_addons\_depends\_on) | If provided, all addons will depend on this object, and therefore not be installed until this object is finalized.<br>This is useful if you want to ensure that addons are not applied before some other condition is met, e.g. node groups are created.<br>See [issue #170](https://github.com/cloudposse/terraform-aws-eks-cluster/issues/170) for more details. | `any` | `null` | no |
| <a name="input_allowed_cidr_blocks"></a> [allowed\_cidr\_blocks](#input\_allowed\_cidr\_blocks) | A list of IPv4 CIDRs to allow access to the cluster.<br>The length of this list must be known at "plan" time. | `list(string)` | `[]` | no |
| <a name="input_allowed_security_group_ids"></a> [allowed\_security\_group\_ids](#input\_allowed\_security\_group\_ids) | A list of IDs of Security Groups to allow access to the cluster. | `list(string)` | `[]` | no |
| <a name="input_allowed_security_groups"></a> [allowed\_security\_groups](#input\_allowed\_security\_groups) | DEPRECATED: Use `allowed_security_group_ids` instead.<br>Historical description: List of Security Group IDs to be allowed to connect to the EKS cluster.<br>Historical default: `[]` | `list(string)` | `[]` | no |
Expand All @@ -72,6 +73,7 @@
| <a name="input_aws_auth_yaml_strip_quotes"></a> [aws\_auth\_yaml\_strip\_quotes](#input\_aws\_auth\_yaml\_strip\_quotes) | If true, remove double quotes from the generated aws-auth ConfigMap YAML to reduce spurious diffs in plans | `bool` | `true` | no |
| <a name="input_cloudwatch_log_group_kms_key_id"></a> [cloudwatch\_log\_group\_kms\_key\_id](#input\_cloudwatch\_log\_group\_kms\_key\_id) | If provided, the KMS Key ID to use to encrypt AWS CloudWatch logs | `string` | `null` | no |
| <a name="input_cluster_attributes"></a> [cluster\_attributes](#input\_cluster\_attributes) | Override label module default cluster attributes | `list(string)` | <pre>[<br> "cluster"<br>]</pre> | no |
| <a name="input_cluster_depends_on"></a> [cluster\_depends\_on](#input\_cluster\_depends\_on) | If provided, the EKS will depend on this object, and therefore not be created until this object is finalized.<br>This is useful if you want to ensure that the cluster is not created before some other condition is met, e.g. VPNs into the subnet are created. | `any` | `null` | no |
| <a name="input_cluster_encryption_config_enabled"></a> [cluster\_encryption\_config\_enabled](#input\_cluster\_encryption\_config\_enabled) | Set to `true` to enable Cluster Encryption Configuration | `bool` | `true` | no |
| <a name="input_cluster_encryption_config_kms_key_deletion_window_in_days"></a> [cluster\_encryption\_config\_kms\_key\_deletion\_window\_in\_days](#input\_cluster\_encryption\_config\_kms\_key\_deletion\_window\_in\_days) | Cluster Encryption Config KMS Key Resource argument - key deletion windows in days post destruction | `number` | `10` | no |
| <a name="input_cluster_encryption_config_kms_key_enable_key_rotation"></a> [cluster\_encryption\_config\_kms\_key\_enable\_key\_rotation](#input\_cluster\_encryption\_config\_kms\_key\_enable\_key\_rotation) | Cluster Encryption Config KMS Key Resource argument - enable kms key rotation | `bool` | `true` | no |
Expand Down Expand Up @@ -119,7 +121,7 @@
| <a name="input_permissions_boundary"></a> [permissions\_boundary](#input\_permissions\_boundary) | If provided, all IAM roles will be created with this permissions boundary attached | `string` | `null` | no |
| <a name="input_public_access_cidrs"></a> [public\_access\_cidrs](#input\_public\_access\_cidrs) | Indicates which CIDR blocks can access the Amazon EKS public API server endpoint when enabled. EKS defaults this to a list with 0.0.0.0/0. | `list(string)` | <pre>[<br> "0.0.0.0/0"<br>]</pre> | no |
| <a name="input_regex_replace_chars"></a> [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.<br>Characters matching the regex will be removed from the ID elements.<br>If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
| <a name="input_region"></a> [region](#input\_region) | AWS Region | `string` | n/a | yes |
| <a name="input_region"></a> [region](#input\_region) | OBSOLETE (not needed): AWS Region | `string` | `null` | no |
| <a name="input_service_ipv4_cidr"></a> [service\_ipv4\_cidr](#input\_service\_ipv4\_cidr) | The CIDR block to assign Kubernetes service IP addresses from.<br>You can only specify a custom CIDR block when you create a cluster, changing this value will force a new cluster to be created. | `string` | `null` | no |
| <a name="input_stage"></a> [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
| <a name="input_subnet_ids"></a> [subnet\_ids](#input\_subnet\_ids) | A list of subnet IDs to launch the cluster in | `list(string)` | n/a | yes |
24 changes: 20 additions & 4 deletions examples/complete/fixtures.us-east-2.tfvars
Expand Up @@ -8,9 +8,7 @@ stage = "test"

name = "eks"

# When updating the Kubernetes version, also update the API and client-go version in test/src/go.mod
kubernetes_version = "1.22"

# oidc_provider_enabled is required to be true for VPC CNI addon
oidc_provider_enabled = true

enabled_cluster_log_types = ["audit"]
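
Review bot: the new comment "oidc_provider_enabled is required to be true for VPC CNI addon" would be clearer if it said why: the module now makes every addon depend on the IAM OIDC provider, and the vpc-cni addon needs it only when `service_account_role_arn` is set (IRSA). As written, a reader may conclude the addon cannot be installed at all without an OIDC provider, which the `count = 0` handling in `main.tf` does not require.
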
Expand All @@ -29,11 +27,29 @@ kubernetes_labels = {}

cluster_encryption_config_enabled = true

# When updating the Kubernetes version, also update the API and client-go version in test/src/go.mod
kubernetes_version = "1.26"

addons = [
// https://docs.aws.amazon.com/eks/latest/userguide/managing-vpc-cni.html#vpc-cni-latest-available-version
{
addon_name = "vpc-cni"
addon_version = null
resolve_conflicts = "NONE"
service_account_role_arn = null
}
},
// https://docs.aws.amazon.com/eks/latest/userguide/managing-kube-proxy.html
{
addon_name = "kube-proxy"
addon_version = null
resolve_conflicts = "NONE"
service_account_role_arn = null
},
// https://docs.aws.amazon.com/eks/latest/userguide/managing-coredns.html
{
addon_name = "coredns"
addon_version = null
resolve_conflicts = "NONE"
service_account_role_arn = null
},
]
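
Review bot: `addon_version = null` on all three addons means the test installs whichever addon version AWS treats as default for Kubernetes 1.26, so the fixture's result can drift between runs; acceptable for a test fixture, but add a comment saying so, and extend the comment at `kubernetes_version` to mention the addon versions if they are ever pinned. The trailing comma added at the end of the vpc-cni block (`}` to `},`) is required now that further list elements follow it. This file uses `#` comments above and `//` comments inside the addons list; use `#` throughout for consistency.
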
15 changes: 9 additions & 6 deletions examples/complete/main.tf
Expand Up @@ -29,22 +29,23 @@ locals {

module "vpc" {
source = "cloudposse/vpc/aws"
version = "1.1.0"
version = "2.1.0"

cidr_block = "172.16.0.0/16"
tags = local.tags
ipv4_primary_cidr_block = "172.16.0.0/16"
tags = local.tags

context = module.this.context
}

module "subnets" {
source = "cloudposse/dynamic-subnets/aws"
version = "2.0.2"
version = "2.3.0"

availability_zones = var.availability_zones
vpc_id = module.vpc.vpc_id
igw_id = [module.vpc.igw_id]
ipv4_cidr_block = [module.vpc.vpc_cidr_block]
max_nats = 1
nat_gateway_enabled = true
nat_instance_enabled = false
tags = local.tags
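
Review bot: `max_nats = 1` in the `subnets` module call deserves a comment that it is a cost-saving setting for the test fixture: with a single NAT gateway every private subnet routes through one availability zone, so it is not what a production example should copy. The `cidr_block` to `ipv4_primary_cidr_block` rename goes with the 2.x bump of `cloudposse/vpc/aws`, and pinning exact versions (`2.1.0`, `2.3.0`) in the example is the right call for reproducibility.
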
Expand All @@ -57,7 +58,6 @@ module "subnets" {
module "eks_cluster" {
source = "../../"

region = var.region
vpc_id = module.vpc.vpc_id
subnet_ids = concat(module.subnets.private_subnet_ids, module.subnets.public_subnet_ids)
kubernetes_version = var.kubernetes_version
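
Review bot: dropping `region = var.region` from the module call matches the README change marking the input obsolete; if the example's own variables still declare `region` for the provider configuration, that is fine, but it should no longer be passed to the module anywhere in the examples.
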
Expand All @@ -73,7 +73,8 @@ module "eks_cluster" {
cluster_encryption_config_kms_key_policy = var.cluster_encryption_config_kms_key_policy
cluster_encryption_config_resources = var.cluster_encryption_config_resources

addons = var.addons
addons = var.addons
addons_depends_on = [module.eks_node_group]

# We need to create a new Security Group only if the EKS cluster is used with unmanaged worker nodes.
# EKS creates a managed Security Group for the cluster automatically, places the control plane and managed nodes into the security group,
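
Review bot: `addons_depends_on = [module.eks_node_group]` in this hunk handles the case issue #170 describes (addons applied before any nodes exist), but it avoids a dependency cycle only as long as `module.eks_node_group` consumes nothing from `module.eks_cluster` that is derived from the addon resources; a short comment stating that constraint next to this line would save the next person who extends the example from a cycle error at plan time.
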
Expand All @@ -95,6 +96,8 @@ module "eks_cluster" {
apply_config_map_aws_auth = var.apply_config_map_aws_auth

context = module.this.context

cluster_depends_on = [module.subnets]
}

module "eks_node_group" {
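
Review bot: `cluster_depends_on = [module.subnets]` sits after `context`, away from the other inputs; move it next to `subnet_ids` (or next to `addons_depends_on`) and add a comment on why the explicit dependency is needed even though `subnet_ids` already references `module.subnets` outputs: the explicit dependency waits for every resource in the module (NAT gateway, route tables) to finish, not only for the subnet IDs to be known.
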
22 changes: 18 additions & 4 deletions main.tf
Expand Up @@ -95,14 +95,20 @@ resource "aws_eks_cluster" "default" {
}

depends_on = [
aws_iam_role.default,
aws_iam_role_policy_attachment.cluster_elb_service_role,
aws_iam_role_policy_attachment.amazon_eks_cluster_policy,
aws_iam_role_policy_attachment.amazon_eks_service_policy,
aws_kms_alias.cluster,
aws_security_group.default,
aws_security_group_rule.egress,
aws_security_group_rule.ingress_cidr_blocks,
aws_security_group_rule.ingress_security_groups,
aws_security_group_rule.ingress_workers,
aws_cloudwatch_log_group.default
aws_cloudwatch_log_group.default,
var.associated_security_group_ids,
var.cluster_depends_on,
var.subnet_ids,
]
}

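Review bot: the new `depends_on` entries `var.cluster_depends_on`, `var.subnet_ids` and `var.associated_security_group_ids` rely on Terraform accepting input-variable references in `depends_on`, which makes the resource wait on whatever the caller's expression for that variable references; add a comment saying so, because it looks like a mistake to anyone who expects only resource and module references there. If the resource already reads `var.subnet_ids` in its arguments, that entry is redundant (the implicit dependency exists) but harmless.
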
Expand All @@ -118,16 +124,16 @@ resource "aws_eks_cluster" "default" {

data "tls_certificate" "cluster" {
count = local.enabled && var.oidc_provider_enabled ? 1 : 0
url = one(aws_eks_cluster.default[*].identity.0.oidc.0.issuer)
url = one(aws_eks_cluster.default[*].identity[0].oidc[0].issuer)
}

resource "aws_iam_openid_connect_provider" "default" {
count = local.enabled && var.oidc_provider_enabled ? 1 : 0
url = one(aws_eks_cluster.default[*].identity.0.oidc.0.issuer)
url = one(aws_eks_cluster.default[*].identity[0].oidc[0].issuer)
tags = module.label.tags

client_id_list = ["sts.amazonaws.com"]
thumbprint_list = [one(data.tls_certificate.cluster[*].certificates.0.sha1_fingerprint)]
thumbprint_list = [one(data.tls_certificate.cluster[*].certificates[0].sha1_fingerprint)]
}

resource "aws_eks_addon" "cluster" {
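
Review bot: replacing `.0` with `[0]` in the three `one(...)` expressions swaps the legacy attribute-style index syntax for the documented index syntax without changing behaviour. One thing worth a comment at `thumbprint_list`: `certificates[0]` is intentionally the first entry because the `tls` provider returns the chain root-first, so the fingerprint handed to the OIDC provider is the root CA thumbprint that IAM expects, not the leaf certificate's.
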
Expand All @@ -143,4 +149,12 @@ resource "aws_eks_addon" "cluster" {
service_account_role_arn = lookup(each.value, "service_account_role_arn", null)

tags = module.label.tags

depends_on = [
var.addons_depends_on,
aws_eks_cluster.default,
# OIDC provider is prerequisite for some addons. See, for example,
# https://docs.aws.amazon.com/eks/latest/userguide/managing-vpc-cni.html
aws_iam_openid_connect_provider.default,
]
}
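
Review bot: the dependency on `aws_iam_openid_connect_provider.default` in this hunk is a no-op when `oidc_provider_enabled = false` (the resource then has `count = 0`), which is the intended behaviour, but the comment should also say that addons with a non-null `service_account_role_arn` need `oidc_provider_enabled = true` for IRSA to work, since the dependency alone will not catch that misconfiguration; a `precondition` on this resource could, if the module's minimum Terraform version allows lifecycle preconditions. `var.addons_depends_on` defaulting to `null` is fine here because `depends_on` uses the reference, not the value.
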