enh: Feat/upgrade terraform terragrunt providers modules (#330)

* feat: Upgrade terraform, terragrunt, providers, modules * feat: Upgrade terraform, terragrunt, providers, modules and terraform-docs * update provider in layer2 * fixed mistake version module
maddevsio · Aug 24, 2023 · 0bba0f8 · 0bba0f8
1 parent 1260aff
commit 0bba0f8
Show file tree

Hide file tree

Showing 15 changed files with 85 additions and 319 deletions.
diff --git a/terraform/.terraform-version b/terraform/.terraform-version
@@ -1 +1 @@
-1.1.8
+1.4.4
diff --git a/terraform/layer1-aws/README.md b/terraform/layer1-aws/README.md
diff --git a/terraform/layer1-aws/aws-acm.tf b/terraform/layer1-aws/aws-acm.tf
@@ -10,7 +10,7 @@ data "aws_acm_certificate" "main" {
 
 module "acm" {
   source  = "terraform-aws-modules/acm/aws"
-  version = "3.3.0"
+  version = "4.3.2"
 
   create_certificate = var.create_acm_certificate
 

diff --git a/terraform/layer1-aws/aws-cis-benchmark-alerts.tf b/terraform/layer1-aws/aws-cis-benchmark-alerts.tf
@@ -1,7 +1,7 @@
 module "eventbridge" {
   count   = var.aws_cis_benchmark_alerts.enabled ? 1 : 0
   source  = "terraform-aws-modules/eventbridge/aws"
-  version = "1.14.0"
+  version = "1.17.3"
 
   create_bus = false
 

diff --git a/terraform/layer1-aws/aws-eks.tf b/terraform/layer1-aws/aws-eks.tf
@@ -4,42 +4,13 @@ locals {
     "k8s.io/cluster-autoscaler/${local.name}" = "owned"
   }
 
-  eks_addons = merge({
-    vpc-cni = {
-      resolve_conflicts        = "OVERWRITE"
-      addon_version            = data.aws_eks_addon_version.vpc_cni.version
-      service_account_role_arn = module.vpc_cni_irsa.iam_role_arn
-    },
-    aws-ebs-csi-driver = {
-      resolve_conflicts        = "OVERWRITE"
-      addon_version            = data.aws_eks_addon_version.aws_ebs_csi_driver.version
-      service_account_role_arn = module.aws_ebs_csi_driver.iam_role_arn
-    },
-    coredns = {
-      resolve_conflicts = "OVERWRITE"
-      addon_version     = data.aws_eks_addon_version.coredns.version
-    },
-    kube-proxy = {
-      resolve_conflicts = "OVERWRITE"
-      addon_version     = data.aws_eks_addon_version.kube_proxy.version
-    }
-  })
-
   eks_map_roles = [
     {
       rolearn  = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/administrator"
       username = "administrator"
       groups   = ["system:masters"]
     }
   ]
-  eks_map_users = []
-
-  aws_auth_configmap_yaml = <<-CONTENT
-    ${chomp(module.eks.aws_auth_configmap_yaml)}
-        ${indent(4, yamlencode(local.eks_map_roles))}
-      mapUsers: |
-        ${indent(4, yamlencode(local.eks_map_users))}
-    CONTENT
 }
 
 data "aws_ami" "eks_default_bottlerocket" {
@@ -55,12 +26,32 @@ data "aws_ami" "eks_default_bottlerocket" {
 #tfsec:ignore:aws-vpc-no-public-egress-sgr tfsec:ignore:aws-eks-enable-control-plane-logging tfsec:ignore:aws-eks-encrypt-secrets tfsec:ignore:aws-eks-no-public-cluster-access tfsec:ignore:aws-eks-no-public-cluster-access-to-cidr
 module "eks" {
   source  = "terraform-aws-modules/eks/aws"
-  version = "18.9.0"
-
-  cluster_name    = local.name
-  cluster_version = var.eks_cluster_version
-  subnet_ids      = module.vpc.intra_subnets
-  enable_irsa     = true
+  version = "19.12.0"
+
+  cluster_name              = local.name
+  cluster_version           = var.eks_cluster_version
+  subnet_ids                = module.vpc.private_subnets
+  control_plane_subnet_ids  = module.vpc.intra_subnets
+  enable_irsa               = true
+  manage_aws_auth_configmap = true
+  create_aws_auth_configmap = false
+  aws_auth_roles            = local.eks_map_roles
+  cluster_addons = {
+    coredns = {
+      most_recent = true
+    }
+    kube-proxy = {
+      most_recent = true
+    }
+    vpc-cni = {
+      most_recent              = true
+      service_account_role_arn = module.vpc_cni_irsa.iam_role_arn
+    }
+    aws-ebs-csi-driver = {
+      most_recent              = true
+      service_account_role_arn = module.aws_ebs_csi_driver.iam_role_arn
+    }
+  }
 
   cluster_enabled_log_types              = var.eks_cluster_enabled_log_types
   cloudwatch_log_group_retention_in_days = var.eks_cloudwatch_log_group_retention_in_days
@@ -72,60 +63,10 @@ module "eks" {
 
   vpc_id = module.vpc.vpc_id
 
-  cluster_addons = local.eks_addons
-
-  cluster_encryption_config = var.eks_cluster_encryption_config_enable ? [
-    {
-      provider_key_arn = aws_kms_key.eks[0].arn
-      resources        = ["secrets"]
-    }
-  ] : []
-
   cluster_endpoint_public_access       = var.eks_cluster_endpoint_public_access
   cluster_endpoint_private_access      = var.eks_cluster_endpoint_private_access
   cluster_endpoint_public_access_cidrs = var.eks_cluster_endpoint_only_pritunl ? ["${module.pritunl[0].pritunl_endpoint}/32"] : ["0.0.0.0/0"]
 
-  # Extend cluster security group rules
-  cluster_security_group_additional_rules = {
-    egress_nodes_ephemeral_ports_tcp = {
-      description                = "To node 1025-65535"
-      protocol                   = "tcp"
-      from_port                  = 1025
-      to_port                    = 65535
-      type                       = "egress"
-      source_node_security_group = true
-    }
-  }
-
-  # Extend node-to-node security group rules
-  node_security_group_additional_rules = {
-    ingress_self_all = {
-      description = "Node to node all ports/protocols"
-      protocol    = "-1"
-      from_port   = 0
-      to_port     = 0
-      type        = "ingress"
-      self        = true
-    }
-    ingress_cluster_all = {
-      description                   = "Cluster to nodes all ports/protocols"
-      protocol                      = "-1"
-      from_port                     = 1025
-      to_port                       = 65535
-      type                          = "ingress"
-      source_cluster_security_group = true
-    }
-    egress_all = {
-      description      = "Node all egress"
-      protocol         = "-1"
-      from_port        = 0
-      to_port          = 0
-      type             = "egress"
-      cidr_blocks      = ["0.0.0.0/0"]
-      ipv6_cidr_blocks = ["::/0"]
-    }
-  }
-
   self_managed_node_group_defaults = {
     block_device_mappings = {
       xvda = {
@@ -148,7 +89,6 @@ module "eks" {
     }
     iam_role_attach_cni_policy = false
   }
-
   self_managed_node_groups = {
     spot = {
       name          = "${local.name}-spot"
@@ -227,7 +167,6 @@ module "eks" {
       tags = merge(local.eks_worker_tags, { "k8s.io/cluster-autoscaler/node-template/label/nodegroup" = "bottlerocket" })
     }
   }
-
   fargate_profiles = {
     default = {
       name = "fargate"
@@ -250,7 +189,7 @@ module "eks" {
 
 module "vpc_cni_irsa" {
   source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
-  version = "4.14.0"
+  version = "5.17.0"
 
   role_name             = "${local.name}-vpc-cni"
   attach_vpc_cni_policy = true
@@ -268,7 +207,7 @@ module "vpc_cni_irsa" {
 
 module "aws_ebs_csi_driver" {
   source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
-  version = "4.14.0"
+  version = "5.17.0"
 
   role_name             = "${local.name}-aws-ebs-csi-driver"
   attach_ebs_csi_policy = true
@@ -282,32 +221,3 @@ module "aws_ebs_csi_driver" {
 
   tags = local.tags
 }
-
-resource "aws_kms_key" "eks" {
-  count       = var.eks_cluster_encryption_config_enable ? 1 : 0
-  description = "EKS Secret Encryption Key"
-}
-
-resource "kubectl_manifest" "aws_auth_configmap" {
-  yaml_body = local.aws_auth_configmap_yaml
-}
-
-data "aws_eks_addon_version" "aws_ebs_csi_driver" {
-  addon_name         = "aws-ebs-csi-driver"
-  kubernetes_version = var.eks_cluster_version
-}
-
-data "aws_eks_addon_version" "coredns" {
-  addon_name         = "coredns"
-  kubernetes_version = var.eks_cluster_version
-}
-
-data "aws_eks_addon_version" "kube_proxy" {
-  addon_name         = "kube-proxy"
-  kubernetes_version = var.eks_cluster_version
-}
-
-data "aws_eks_addon_version" "vpc_cni" {
-  addon_name         = "vpc-cni"
-  kubernetes_version = var.eks_cluster_version
-}
diff --git a/terraform/layer1-aws/aws-r53.tf b/terraform/layer1-aws/aws-r53.tf
@@ -7,7 +7,7 @@ data "aws_route53_zone" "main" {
 
 module "r53_zone" {
   source  = "terraform-aws-modules/route53/aws//modules/zones"
-  version = "2.5.0"
+  version = "2.10.2"
 
   create = var.create_r53_zone
 

diff --git a/terraform/layer1-aws/aws-vpc.tf b/terraform/layer1-aws/aws-vpc.tf
@@ -17,7 +17,7 @@ data "aws_security_group" "default" {
 #tfsec:ignore:aws-ec2-require-vpc-flow-logs-for-all-vpcs
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
-  version = "3.12.0"
+  version = "4.0.1"
 
   name = local.name
   cidr = var.cidr
@@ -89,7 +89,7 @@ module "vpc" {
 
 module "vpc_gateway_endpoints" {
   source  = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
-  version = "3.12.0"
+  version = "4.0.1"
 
   vpc_id = module.vpc.vpc_id
 

diff --git a/terraform/layer1-aws/main.tf b/terraform/layer1-aws/main.tf
@@ -1,18 +1,14 @@
 terraform {
-  required_version = "1.1.8"
+  required_version = "1.4.4"
 
   required_providers {
     aws = {
       source  = "aws"
-      version = "4.10.0"
+      version = "4.62.0"
     }
     kubernetes = {
       source  = "kubernetes"
-      version = "2.10.0"
-    }
-    kubectl = {
-      source  = "gavinbunney/kubectl"
-      version = "1.14.0"
+      version = "2.19.0"
     }
   }
 }

diff --git a/terraform/layer1-aws/outputs.tf b/terraform/layer1-aws/outputs.tf
@@ -90,13 +90,13 @@ output "eks_cluster_security_group_id" {
 }
 
 output "eks_kubectl_console_config" {
-  value       = "aws eks update-kubeconfig --name ${module.eks.cluster_id} --region ${var.region}"
+  value       = "aws eks update-kubeconfig --name ${module.eks.cluster_name} --region ${var.region}"
   description = "description"
   depends_on  = []
 }
 
 output "eks_cluster_id" {
-  value = module.eks.cluster_id
+  value = module.eks.cluster_name
 }
 
 output "eks_oidc_provider_arn" {

diff --git a/terraform/layer1-aws/providers.tf b/terraform/layer1-aws/providers.tf
@@ -4,21 +4,11 @@ provider "aws" {
 }
 
 provider "kubernetes" {
-  host                   = data.aws_eks_cluster.main.endpoint
-  cluster_ca_certificate = base64decode(data.aws_eks_cluster.main.certificate_authority.0.data)
+  host                   = module.eks.cluster_endpoint
+  cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)
   token                  = data.aws_eks_cluster_auth.main.token
 }
 
-provider "kubectl" {
-  host                   = data.aws_eks_cluster.main.endpoint
-  cluster_ca_certificate = base64decode(data.aws_eks_cluster.main.certificate_authority.0.data)
-  token                  = data.aws_eks_cluster_auth.main.token
-}
-
-data "aws_eks_cluster" "main" {
-  name = module.eks.cluster_id
-}
-
 data "aws_eks_cluster_auth" "main" {
-  name = module.eks.cluster_id
+  name = module.eks.cluster_name
 }
diff --git a/terraform/layer1-aws/variables.tf b/terraform/layer1-aws/variables.tf
@@ -113,8 +113,10 @@ variable "eks_cluster_version" {
 }
 
 variable "eks_workers_additional_policies" {
-  type        = list(any)
-  default     = ["arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"]
+  type = map(string)
+  default = {
+    additional = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+  }
   description = "Additional IAM policy attached to EKS worker nodes"
 }
 

diff --git a/terraform/layer2-k8s/README.md b/terraform/layer2-k8s/README.md
@@ -126,7 +126,6 @@
 | <a name="input_eks_cluster_id"></a> [eks\_cluster\_id](#input\_eks\_cluster\_id) | ID of the created EKS cluster. | `any` | n/a | yes |
 | <a name="input_eks_oidc_provider_arn"></a> [eks\_oidc\_provider\_arn](#input\_eks\_oidc\_provider\_arn) | ARN of EKS oidc provider | `any` | n/a | yes |
 | <a name="input_environment"></a> [environment](#input\_environment) | Env name | `string` | `"demo"` | no |
-| <a name="input_helm_charts_path"></a> [helm\_charts\_path](#input\_helm\_charts\_path) | where to find the helm charts | `string` | `"../../helm-charts/"` | no |
 | <a name="input_helm_release_history_size"></a> [helm\_release\_history\_size](#input\_helm\_release\_history\_size) | How much helm releases to store | `number` | `5` | no |
 | <a name="input_name"></a> [name](#input\_name) | Project name, required to create unique resource names | `any` | n/a | yes |
 | <a name="input_nginx_ingress_ssl_terminator"></a> [nginx\_ingress\_ssl\_terminator](#input\_nginx\_ingress\_ssl\_terminator) | Select SSL termination type | `string` | `"lb"` | no |

diff --git a/terraform/layer2-k8s/main.tf b/terraform/layer2-k8s/main.tf
@@ -1,22 +1,22 @@
 terraform {
-  required_version = "1.1.8"
+  required_version = "1.4.4"
 
   required_providers {
     aws = {
       source  = "aws"
-      version = "4.10.0"
+      version = "4.62.0"
     }
     kubernetes = {
       source  = "kubernetes"
-      version = "2.10.0"
+      version = "2.19.0"
     }
     helm = {
       source  = "helm"
-      version = "2.5.1"
+      version = "2.6.0"
     }
     http = {
       source  = "hashicorp/http"
-      version = "2.1.0"
+      version = "3.2.1"
     }
     kubectl = {
       source  = "gavinbunney/kubectl"

diff --git a/terragrunt/.terraform-version b/terragrunt/.terraform-version
@@ -1 +1 @@
-1.1.8
+1.4.4
diff --git a/terragrunt/.terragrunt-version b/terragrunt/.terragrunt-version
@@ -1 +1 @@
-0.39.1
+0.45.0