diff --git a/terraform/layer1-aws/aws-acm.tf b/terraform/layer1-aws/aws-acm.tf index d479adf0..cef66561 100644 --- a/terraform/layer1-aws/aws-acm.tf +++ b/terraform/layer1-aws/aws-acm.tf @@ -19,5 +19,5 @@ module "acm" { subject_alternative_names = [ "*.${local.domain_name}"] - tags = local.tags + tags = var.tags } diff --git a/terraform/layer1-aws/aws-cis-benchmark-alerts.tf b/terraform/layer1-aws/aws-cis-benchmark-alerts.tf index fe3a6800..ed3cf241 100644 --- a/terraform/layer1-aws/aws-cis-benchmark-alerts.tf +++ b/terraform/layer1-aws/aws-cis-benchmark-alerts.tf @@ -453,16 +453,16 @@ module "eventbridge" { ] } - tags = local.tags + tags = var.tags } #tfsec:ignore:aws-sns-enable-topic-encryption resource "aws_sns_topic" "security_alerts" { count = var.aws_cis_benchmark_alerts.enabled ? 1 : 0 - name = "${local.name}-security-alerts" + name = "${var.name}-security-alerts" - tags = local.tags + tags = var.tags } resource "aws_sns_topic_subscription" "security_alerts" { diff --git a/terraform/layer1-aws/aws-cloudtrail.tf b/terraform/layer1-aws/aws-cloudtrail.tf index 28c3f5fc..11dd219a 100644 --- a/terraform/layer1-aws/aws-cloudtrail.tf +++ b/terraform/layer1-aws/aws-cloudtrail.tf 
@@ -1,22 +1,22 @@ #tfsec:ignore:aws-cloudtrail-enable-at-rest-encryption tfsec:ignore:aws-cloudtrail-ensure-cloudwatch-integration resource "aws_cloudtrail" "main" { - name = local.name + name = var.name s3_bucket_name = aws_s3_bucket.cloudtrail.id include_global_service_events = true enable_log_file_validation = true enable_logging = true is_multi_region_trail = true - tags = local.tags + tags = var.tags depends_on = [aws_s3_bucket_policy.cloudtrail] } #tfsec:ignore:aws-s3-enable-bucket-logging tfsec:ignore:aws-s3-enable-versioning tfsec:ignore:aws-cloudtrail-require-bucket-access-logging resource "aws_s3_bucket" "cloudtrail" { - bucket = "${local.name}-aws-cloudtrail-logs" + bucket = "${var.name}-aws-cloudtrail-logs" - tags = local.tags + tags = var.tags } resource "aws_s3_bucket_lifecycle_configuration" "cloudtrail" { diff --git a/terraform/layer1-aws/aws-pritunl.tf b/terraform/layer1-aws/aws-pritunl.tf index 49564147..d7e127ab 100644 --- a/terraform/layer1-aws/aws-pritunl.tf +++ b/terraform/layer1-aws/aws-pritunl.tf @@ -3,10 +3,10 @@ module "pritunl" { count = var.pritunl_vpn_server_enable ? 1 : 0 source = "../modules/aws-pritunl" - environment = local.env - vpc_id = module.vpc.vpc_id - public_subnets = module.vpc.public_subnets - private_subnets = module.vpc.private_subnets + environment = var.env + vpc_id = var.vpc_id + public_subnets = var.public_subnets + private_subnets = var.private_subnets ingress_with_cidr_blocks = [ { protocol = "6" diff --git a/terraform/layer1-aws/aws-r53.tf b/terraform/layer1-aws/aws-r53.tf index a3716be6..64635cd9 100644 --- a/terraform/layer1-aws/aws-r53.tf +++ b/terraform/layer1-aws/aws-r53.tf @@ -14,7 +14,7 @@ module "r53_zone" { zones = { (var.domain_name) = { comment = var.domain_name - tags = local.tags + tags = var.tags } } } diff --git a/terraform/layer1-aws/locals.tf b/terraform/layer1-aws/locals.tf index a1eb4223..d0545730 100644 --- a/terraform/layer1-aws/locals.tf +++ b/terraform/layer1-aws/locals.tf 
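Review bot: Switching the trail and its bucket from the computed `local.name` to `var.name` (`+  name = var.name`, `+  bucket = "${var.name}-aws-cloudtrail-logs"`) forces replacement of `aws_cloudtrail.main` and `aws_s3_bucket.cloudtrail` wherever the new input differs from the old `${name}-${env}-${short_region}` value, and since S3 bucket names are global a `var.name` without the env/region suffix can also collide across regions and accounts. Replacing the log bucket is an audit-continuity problem: the old bucket will not delete while it still holds logs, and the trail has nowhere to write until the new one exists. If the caller passes the same fully-qualified value this is a no-op, which is worth stating in the description; otherwise keep a region-qualified bucket name (e.g. `bucket = "${var.name}-${var.env}-${var.region}-aws-cloudtrail-logs"`) or import the existing bucket. `aws_s3_bucket_lifecycle_configuration.cloudtrail` continues past the end of the hunk.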
@@ -1,17 +1,8 @@ # Use this as name base for all resources: locals { # COMMON - env = terraform.workspace == "default" ? var.environment : terraform.workspace - short_region = var.short_region[var.region] - name = "${var.name}-${local.env}-${local.short_region}" - name_wo_region = "${var.name}-${local.env}" - domain_name = var.domain_name - account_id = data.aws_caller_identity.current.account_id - - tags = { - Name = local.name - Environment = local.env - } + domain_name = var.domain_name + account_id = data.aws_caller_identity.current.account_id ssl_certificate_arn = var.create_acm_certificate ? module.acm.acm_certificate_arn : data.aws_acm_certificate.main[0].arn diff --git a/terraform/layer1-aws/outputs.tf b/terraform/layer1-aws/outputs.tf index d2069e4b..261d7785 100644 --- a/terraform/layer1-aws/outputs.tf +++ b/terraform/layer1-aws/outputs.tf 
@@ -1,118 +1,21 @@ -# Common outputs -output "name" { - description = "Project name, required to form unique resource names" - value = local.name -} - -output "name_wo_region" { - description = "Project name, required to form unique resource names without short region" - value = local.name_wo_region -} output "domain_name" { description = "Domain name" value = var.domain_name } -output "env" { - description = "Suffix for the hostname depending on workspace" - value = local.env -} - output "route53_zone_id" { description = "ID of domain zone" value = local.zone_id } -output "region" { - description = "Target region for all infrastructure resources" - value = var.region -} - -output "short_region" { - description = "The abbreviated name of the region, required to form unique resource names" - value = local.short_region -} - -output "az_count" { - description = "Count of avaiablity zones, min 2" - value = var.az_count -} - output "allowed_ips" { description = "List of allowed ip's, used for direct ssh access to instances." value = var.allowed_ips } -output "vpc_name" { - description = "Name of infra VPC" - value = module.vpc.name -} - -output "vpc_id" { - description = "ID of infra VPC" - value = module.vpc.vpc_id -} - -output "vpc_cidr" { - description = "CIDR block of infra VPC" - value = var.cidr -} - -output "vpc_public_subnets" { - description = "Public subnets of infra VPC" - value = module.vpc.public_subnets -} - -output "vpc_private_subnets" { - description = "Private subnets of infra VPC" - value = module.vpc.private_subnets -} - -output "vpc_database_subnets" { - description = "Database subnets of infra VPC" - value = module.vpc.database_subnets -} - -output "vpc_intra_subnets" { - description = "Private intra subnets " - value = module.vpc.intra_subnets -} - -output "eks_cluster_endpoint" { - description = "Endpoint for EKS control plane." 
- value = module.eks.cluster_endpoint -} - -output "eks_cluster_security_group_id" { - description = "Security group ids attached to the cluster control plane." - value = module.eks.cluster_security_group_id -} - -output "eks_kubectl_console_config" { - value = "aws eks update-kubeconfig --name ${module.eks.cluster_name} --region ${var.region}" - description = "description" - depends_on = [] -} - -output "eks_cluster_id" { - value = module.eks.cluster_name -} - -output "eks_oidc_provider_arn" { - description = "ARN of EKS oidc provider" - value = module.eks.oidc_provider_arn -} - output "ssl_certificate_arn" { description = "ARN of SSL certificate" value = local.ssl_certificate_arn } -output "node_group_default_iam_role_arn" { - value = module.eks.self_managed_node_groups["default"].iam_role_arn -} - -output "node_group_default_iam_role_name" { - value = module.eks.self_managed_node_groups["default"].iam_role_name -} diff --git a/terraform/layer1-aws/providers.tf b/terraform/layer1-aws/providers.tf deleted file mode 100644 index 2e4d1306..00000000 --- a/terraform/layer1-aws/providers.tf +++ /dev/null @@ -1,21 +0,0 @@ -provider "aws" { - region = var.region - allowed_account_ids = var.allowed_account_ids - default_tags { - tags = { - Name = local.name - Environment = local.env - Terraform = "true" - } - } -} - -provider "kubernetes" { - host = module.eks.cluster_endpoint - cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data) - token = data.aws_eks_cluster_auth.main.token -} - -data "aws_eks_cluster_auth" "main" { - name = module.eks.cluster_name -} diff --git a/terraform/layer1-aws/variables.tf b/terraform/layer1-aws/variables.tf index 5ad94d29..c67aa682 100644 --- a/terraform/layer1-aws/variables.tf +++ b/terraform/layer1-aws/variables.tf 
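Review bot: Dropping `vpc_id`, `vpc_cidr`, `eks_cluster_id`, `eks_oidc_provider_arn` and the `node_group_default_iam_role_*` outputs from layer1 removes exactly the values the k8s layer consumed through its terragrunt dependency (the deleted `k8s-addons/terragrunt.hcl` read them from `aws-base`), and layer2 still declares variables for them. Nothing in this diff adds a terragrunt unit for the new `modules/eks` or a replacement `k8s-addons` unit, so unless that lands separately the k8s layer has no source for its cluster inputs. Either wire it in this change or note the follow-up in the description.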
@@ -26,42 +26,6 @@ variable "is_this_payment_account" { description = "Set it to false if a target account isn't a payer account. This variable is used to apply a configuration for cost allocation tags" } -variable "name" { - description = "Project name, required to create unique resource names" -} - -variable "environment" { - default = "demo" - description = "Env name in case workspace wasn't used" -} - -variable "short_region" { - description = "The abbreviated name of the region, required to form unique resource names" - default = { - us-east-1 = "use1" # US East (N. Virginia) - us-east-2 = "use2" # US East (Ohio) - us-west-1 = "usw1" # US West (N. California) - us-west-2 = "usw2" # US West (Oregon) - ap-east-1 = "ape1" # Asia Pacific (Hong Kong) - ap-south-1 = "aps1" # Asia Pacific (Mumbai) - ap-northeast-2 = "apn2" # Asia Pacific (Seoul) - ap-northeast-1 = "apn1" # Asia Pacific (Tokyo) - ap-southeast-1 = "apse1" # Asia Pacific (Singapore) - ap-southeast-2 = "apse2" # Asia Pacific (Sydney) - ca-central-1 = "cac1" # Canada (Central) - cn-north-1 = "cnn1" # China (Beijing) - cn-northwest-1 = "cnnw1" # China (Ningxia) - eu-central-1 = "euc1" # EU (Frankfurt) - eu-west-1 = "euw1" # EU (Ireland) - eu-west-2 = "euw2" # EU (London) - eu-west-3 = "euw3" # EU (Paris) - eu-north-1 = "eun1" # EU (Stockholm) - sa-east-1 = "sae1" # South America (Sao Paulo) - us-gov-east-1 = "usge1" # AWS GovCloud (US-East) - us-gov-west-1 = "usgw1" # AWS GovCloud (US) - } -} - variable "domain_name" { description = "Main public domain name" } 
@@ -81,115 +45,14 @@ variable "create_acm_certificate" { description = "Whether to create acm certificate or use existing" } -# VPC VARIABLES - -variable "region" { - type = string - default = "us-east-1" - description = "Default infrastructure region" -} - -variable "az_count" { - type = number - description = "Count of avaiablity zones, min 2" - default = 3 -} - -variable "cidr" { - description = "Default CIDR block for VPC" - default = "10.0.0.0/16" -} - variable "allowed_ips" { type = list(any) default = [] description = "IP addresses allowed to connect to private resources" } -variable "single_nat_gateway" { - default = true - description = "Flag to create single nat gateway for all AZs" -} - # EKS -variable "eks_cluster_version" { - default = "1.25" - description = "Version of the EKS K8S cluster" -} - -variable "node_group_default" { - type = object({ - instance_type = string - max_capacity = number - min_capacity = number - desired_capacity = number - capacity_rebalance = bool - use_mixed_instances_policy = bool - mixed_instances_policy = any - }) - - default = { - instance_type = "t4g.medium" # will be overridden - max_capacity = 3 - min_capacity = 2 - desired_capacity = 2 - capacity_rebalance = true - use_mixed_instances_policy = true - mixed_instances_policy = { - instances_distribution = { - on_demand_base_capacity = 0 - on_demand_percentage_above_base_capacity = 0 - } - - override = [ - { instance_type = "t4g.small" }, - { instance_type = "t4g.medium" } - ] - } - } - description = "Default node group configuration" -} - -variable "eks_map_roles" { - description = "Additional IAM roles to add to the aws-auth configmap." - type = list(object({ - rolearn = string - username = string - groups = list(string) - })) - - default = [] -} -variable "eks_cluster_enabled_log_types" { - type = list(string) - default = ["audit"] - description = "A list of the desired control plane logging to enable. 
For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html). Possible values: api, audit, authenticator, controllerManager, scheduler" -} - -variable "eks_cloudwatch_log_group_retention_in_days" { - type = number - default = 90 - description = "Number of days to retain log events. Default retention - 90 days." -} - -variable "eks_cluster_encryption_config_enable" { - type = bool - default = false - description = "Enable or not encryption for k8s secrets with aws-kms" -} - -variable "eks_cluster_endpoint_public_access" { - type = bool - default = true - description = "Enable or not public access to cluster endpoint" -} - -variable "eks_cluster_endpoint_private_access" { - type = bool - default = false - description = "Enable or not private access to cluster endpoint" -} variable "pritunl_vpn_server_enable" { type = bool @@ -197,12 +60,6 @@ variable "pritunl_vpn_server_enable" { description = "Indicates whether or not the Pritunl VPN server is deployed." } -variable "eks_cluster_endpoint_only_pritunl" { - type = bool - default = false - description = "Only Pritunl VPN server will have access to eks endpoint." -} - variable "pritunl_vpn_access_cidr_blocks" { type = string default = "127.0.0.1/32" @@ -242,3 +99,29 @@ variable "cloudtrail_logs_s3_expiration_days" { default = 180 description = "How many days keep cloudtrail logs on S3" } + +variable "tags" { + type = any +} +variable "private_subnets" { + type = list(any) +} +variable "public_subnets" { + type = list(any) +} +variable "intra_subnets" { + type = list(any) +} +variable "vpc_id" { + +} +variable "region" { + +} +variable "env" { + +} + +variable "name" { + +} diff --git a/terraform/layer2-k8s/locals.tf b/terraform/layer2-k8s/locals.tf index aa37892f..c4c9ac27 100644 --- a/terraform/layer2-k8s/locals.tf +++ b/terraform/layer2-k8s/locals.tf 
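Review bot: The eight variables appended at the end of the hunk (`tags`, `private_subnets`, `public_subnets`, `intra_subnets`, `vpc_id`, `region`, `env`, `name`) are declared with no `type`, `description` or validation, and `name` loses the description it had before this change. Untyped inputs accept anything, so a mistyped terragrunt `inputs` value only surfaces deep inside a module at plan time. Given how this layer uses them — `var.tags` is merged into resource tags and the subnet inputs are subnet IDs — declare `tags` as `type = map(string)`, the three subnet inputs as `type = list(string)`, and `vpc_id`/`region`/`env`/`name` as `type = string`, each with a one-line description such as `description = "Project name prefix for all resource names; must be unique per account and region"` on `name`.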
@@ -1,7 +1,6 @@ locals { region = var.region - short_region = var.short_region[var.region] - name = "${var.name}-${local.env}-${local.short_region}" + name = var.name name_wo_region = "${var.name}-${local.env}" env = var.environment zone_id = var.zone_id @@ -12,9 +11,8 @@ locals { vpc_id = var.vpc_id vpc_cidr = var.vpc_cidr eks_cluster_id = var.eks_cluster_id - eks_certificate_authority_data = data.aws_eks_cluster.main.certificate_authority.0.data - eks_cluster_endpoint = data.aws_eks_cluster.main.endpoint - eks_cluster_arn = data.aws_eks_cluster.main.arn + eks_certificate_authority_data = var.cluster_ca_certificate + eks_cluster_endpoint = var.eks_cluster_endpoint eks_oidc_provider_arn = var.eks_oidc_provider_arn ssl_certificate_arn = var.ssl_certificate_arn diff --git a/terraform/layer2-k8s/providers.tf b/terraform/layer2-k8s/providers.tf deleted file mode 100644 index 44422888..00000000 --- a/terraform/layer2-k8s/providers.tf +++ /dev/null @@ -1,36 +0,0 @@ -provider "aws" { - region = local.region - allowed_account_ids = var.allowed_account_ids -} - -provider "kubernetes" { - host = data.aws_eks_cluster.main.endpoint - cluster_ca_certificate = base64decode(data.aws_eks_cluster.main.certificate_authority.0.data) - token = data.aws_eks_cluster_auth.main.token -} - -provider "kubectl" { - host = data.aws_eks_cluster.main.endpoint - cluster_ca_certificate = base64decode(data.aws_eks_cluster.main.certificate_authority.0.data) - token = data.aws_eks_cluster_auth.main.token -} - -provider "helm" { - kubernetes { - host = data.aws_eks_cluster.main.endpoint - cluster_ca_certificate = base64decode(data.aws_eks_cluster.main.certificate_authority.0.data) - token = data.aws_eks_cluster_auth.main.token - } - - experiments { - manifest = true - } -} - -data "aws_eks_cluster" "main" { - name = local.eks_cluster_id -} - -data "aws_eks_cluster_auth" "main" { - name = local.eks_cluster_id -} 
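Review bot: `name = var.name` next to the unchanged `name_wo_region = "${var.name}-${local.env}"` leaves the two locals inconsistent: if the caller now passes the fully-qualified name the removed line computed, `name_wo_region` carries the environment twice; if it passes the bare project name, every resource in this layer named from `local.name` loses its env/region qualifier and can collide with another environment in the same account. Pick one contract and document it on the `name` variable, e.g. `# var.name is the bare project name; local.name and local.name_wo_region add env/region`, and derive `name` accordingly rather than aliasing the input. Note also that `eks_cluster_arn` is removed here; any remaining reference to it in layer2 (not visible in this diff) will fail at plan time.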
diff --git a/terraform/layer2-k8s/variables.tf b/terraform/layer2-k8s/variables.tf index 81f0ddb8..a0291c18 100644 --- a/terraform/layer2-k8s/variables.tf +++ b/terraform/layer2-k8s/variables.tf @@ -122,3 +122,14 @@ variable "node_group_default_iam_role_name" { description = "The IAM Role name of a default nodegroup" default = "" } + +variable "eks_auth_token" { + +} +variable "eks_cluster_endpoint" { + +} + +variable "cluster_ca_certificate" { + +} diff --git a/terraform/layer1-aws/aws-eks.tf b/terraform/modules/eks/main.tf similarity index 84% rename from terraform/layer1-aws/aws-eks.tf rename to terraform/modules/eks/main.tf index df5b5995..2877aa3f 100644 --- a/terraform/layer1-aws/aws-eks.tf +++ b/terraform/modules/eks/main.tf @@ -25,10 +25,10 @@ module "eks" { source = "terraform-aws-modules/eks/aws" version = "19.12.0" - cluster_name = local.name + cluster_name = var.name cluster_version = var.eks_cluster_version - subnet_ids = module.vpc.private_subnets - control_plane_subnet_ids = module.vpc.intra_subnets + subnet_ids = var.private_subnets + control_plane_subnet_ids = var.intra_subnets enable_irsa = true manage_aws_auth_configmap = true create_aws_auth_configmap = false 
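Review bot: `+variable "eks_auth_token"` is a Kubernetes API bearer token but is declared without `sensitive = true`, so its value is echoed in plan and apply output; add `type = string`, `sensitive = true` and a description saying it must never be persisted. The deleted layer2 `providers.tf` minted this token at apply time via `data "aws_eks_cluster_auth"`, and EKS tokens are short-lived (on the order of minutes), so if the new input is fed from another unit's outputs it may already be expired when this layer applies — keeping the `aws_eks_cluster_auth` data source in this layer and passing only `eks_cluster_endpoint`/`cluster_ca_certificate` avoids both the leak and the staleness. `eks_cluster_endpoint` and `cluster_ca_certificate` should likewise get `type = string` and a description.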
@@ -56,13 +56,13 @@ module "eks" { cluster_enabled_log_types = var.eks_cluster_enabled_log_types cloudwatch_log_group_retention_in_days = var.eks_cloudwatch_log_group_retention_in_days - vpc_id = module.vpc.vpc_id + vpc_id = var.vpc_id cluster_endpoint_public_access = var.eks_cluster_endpoint_public_access cluster_endpoint_private_access = var.eks_cluster_endpoint_private_access - cluster_endpoint_public_access_cidrs = var.eks_cluster_endpoint_only_pritunl ? ["${module.pritunl[0].pritunl_endpoint}/32"] : ["0.0.0.0/0"] + cluster_endpoint_public_access_cidrs = var.eks_cluster_endpoint_only_pritunl ? ["0.0.0.0/0"] : ["0.0.0.0/0"] - node_security_group_tags = { "karpenter.sh/discovery" = local.name } + node_security_group_tags = { "karpenter.sh/discovery" = var.name } self_managed_node_group_defaults = { ami_id = data.aws_ami.eks_default_arm64.id @@ -88,12 +88,12 @@ module "eks" { } self_managed_node_groups = { default = { - name = "${local.name}-default" - iam_role_name = "${local.name}-default" + name = "${var.name}-default" + iam_role_name = "${var.name}-default" desired_size = var.node_group_default.desired_capacity max_size = var.node_group_default.max_capacity min_size = var.node_group_default.min_capacity - subnet_ids = module.vpc.private_subnets + subnet_ids = var.private_subnets bootstrap_extra_args = "--kubelet-extra-args '--node-labels=nodegroup=default --register-with-taints=CriticalAddonsOnly=true:NoSchedule'" capacity_rebalance = var.node_group_default.capacity_rebalance 
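Review bot: `cluster_endpoint_public_access_cidrs = var.eks_cluster_endpoint_only_pritunl ? ["0.0.0.0/0"] : ["0.0.0.0/0"]` turns `eks_cluster_endpoint_only_pritunl` into a silent no-op: the public API endpoint is reachable from every IPv4 address regardless of the flag, and with `eks_cluster_endpoint_public_access` defaulting to `true` that is the out-of-the-box state. The old branch referenced `module.pritunl[0].pritunl_endpoint`, which this module can no longer reach, so the allow-list should come in as a module input instead of being hard-coded away: add a `list(string)` input `eks_cluster_endpoint_public_access_cidrs` defaulting to `["0.0.0.0/0"]` (so the current exposure is at least explicit) and a `string` input `pritunl_endpoint`, then write `cluster_endpoint_public_access_cidrs = var.eks_cluster_endpoint_only_pritunl ? ["${var.pritunl_endpoint}/32"] : var.eks_cluster_endpoint_public_access_cidrs`. Layer1 can pass `module.pritunl[0].pritunl_endpoint` when the VPN is enabled. `module "eks"` continues outside the hunk.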
@@ -111,22 +111,22 @@ module "eks" { } ] - subnets = module.vpc.private_subnets + subnets = var.private_subnets - tags = merge(local.tags, { + tags = merge(var.tags, { Namespace = "fargate" }) } } - tags = { "ClusterName" = local.name } + tags = { "ClusterName" = var.name } } module "vpc_cni_irsa" { source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" version = "5.17.0" - role_name = "${local.name}-vpc-cni" + role_name = "${var.name}-vpc-cni" attach_vpc_cni_policy = true vpc_cni_enable_ipv4 = true @@ -137,14 +137,14 @@ module "vpc_cni_irsa" { } } - tags = local.tags + tags = var.tags } module "aws_ebs_csi_driver" { source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" version = "5.17.0" - role_name = "${local.name}-aws-ebs-csi-driver" + role_name = "${var.name}-aws-ebs-csi-driver" attach_ebs_csi_policy = true oidc_providers = { @@ -154,5 +154,5 @@ module "aws_ebs_csi_driver" { } } - tags = local.tags + tags = var.tags } diff --git a/terraform/modules/eks/outputs.tf b/terraform/modules/eks/outputs.tf new file mode 100644 index 00000000..8ea05d20 --- /dev/null +++ b/terraform/modules/eks/outputs.tf 
@@ -0,0 +1,34 @@ + +output "eks_cluster_endpoint" { + description = "Endpoint for EKS control plane." + value = module.eks.cluster_endpoint +} + +output "eks_cluster_security_group_id" { + description = "Security group ids attached to the cluster control plane." + value = module.eks.cluster_security_group_id +} + +output "eks_kubectl_console_config" { + value = "aws eks update-kubeconfig --name ${module.eks.cluster_name} --region ${var.region}" + description = "description" + depends_on = [] +} + +output "eks_cluster_id" { + value = module.eks.cluster_name +} + +output "eks_oidc_provider_arn" { + description = "ARN of EKS oidc provider" + value = module.eks.oidc_provider_arn +} + +output "node_group_default_iam_role_arn" { + value = module.eks.self_managed_node_groups["default"].iam_role_arn +} + +output "node_group_default_iam_role_name" { + value = module.eks.self_managed_node_groups["default"].iam_role_name +} + diff --git a/terraform/modules/eks/variables.tf b/terraform/modules/eks/variables.tf new file mode 100644 index 00000000..bab136d7 --- /dev/null +++ b/terraform/modules/eks/variables.tf 
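Review bot: The module exposes `eks_cluster_endpoint` but not the cluster CA, while layer2 now expects a `cluster_ca_certificate` input (its deleted providers.tf took it from `data.aws_eks_cluster.main.certificate_authority.0.data`), so a caller has no way to populate that input from this module; add `output "eks_cluster_certificate_authority_data" { value = module.eks.cluster_certificate_authority_data }`, which is the same upstream output the removed layer1 providers.tf used. `eks_kubectl_console_config` carries the placeholder `description = "description"` and an empty `depends_on = []`; replace the former with `description = "aws CLI command that writes a kubeconfig for this cluster"` and drop the latter. `eks_cluster_id` and the two `node_group_default_*` outputs should get descriptions as well.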
@@ -0,0 +1,111 @@ +variable "eks_cluster_version" { + default = "1.25" + description = "Version of the EKS K8S cluster" +} + +variable "node_group_default" { + type = object({ + instance_type = string + max_capacity = number + min_capacity = number + desired_capacity = number + capacity_rebalance = bool + use_mixed_instances_policy = bool + mixed_instances_policy = any + }) + + default = { + instance_type = "t4g.medium" # will be overridden + max_capacity = 3 + min_capacity = 2 + desired_capacity = 2 + capacity_rebalance = true + use_mixed_instances_policy = true + mixed_instances_policy = { + instances_distribution = { + on_demand_base_capacity = 0 + on_demand_percentage_above_base_capacity = 0 + } + + override = [ + { instance_type = "t4g.small" }, + { instance_type = "t4g.medium" } + ] + } + } + description = "Default node group configuration" +} + +variable "eks_map_roles" { + description = "Additional IAM roles to add to the aws-auth configmap." + type = list(object({ + rolearn = string + username = string + groups = list(string) + })) + + default = [] +} + +variable "eks_cluster_enabled_log_types" { + type = list(string) + default = ["audit"] + description = "A list of the desired control plane logging to enable. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html). Possible values: api, audit, authenticator, controllerManager, scheduler" +} + +variable "eks_cloudwatch_log_group_retention_in_days" { + type = number + default = 90 + description = "Number of days to retain log events. Default retention - 90 days." 
+} + +variable "eks_cluster_encryption_config_enable" { + type = bool + default = false + description = "Enable or not encryption for k8s secrets with aws-kms" +} + +variable "eks_cluster_endpoint_public_access" { + type = bool + default = true + description = "Enable or not public access to cluster endpoint" +} + +variable "eks_cluster_endpoint_private_access" { + type = bool + default = false + description = "Enable or not private access to cluster endpoint" +} + +variable "eks_cluster_endpoint_only_pritunl" { + type = bool + default = false + description = "Only Pritunl VPN server will have access to eks endpoint." +} + + +variable "tags" { + type = any +} +variable "private_subnets" { + type = list(any) +} +variable "public_subnets" { + type = list(any) +} +variable "intra_subnets" { + type = list(any) +} +variable "vpc_id" { + +} +variable "region" { + +} +variable "env" { + +} + +variable "name" { + +} diff --git a/terraform/layer1-aws/aws-vpc.tf b/terraform/modules/vpc/main.tf similarity index 61% rename from terraform/layer1-aws/aws-vpc.tf rename to terraform/modules/vpc/main.tf index 5663c53e..c1add8c3 100644 --- a/terraform/layer1-aws/aws-vpc.tf +++ b/terraform/modules/vpc/main.tf 
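Review bot: `eks_cluster_endpoint_only_pritunl` is declared here with the description `Only Pritunl VPN server will have access to eks endpoint.`, but the module's main.tf in this same change no longer restricts anything when it is set, so the variable promises a control it does not deliver — either wire it back up or change the description to state that it is currently unused. The trailing `tags`, `private_subnets`, `public_subnets`, `intra_subnets`, `vpc_id`, `region`, `env` and `name` inputs have no `type` or `description` (`map(string)`, `list(string)` and `string` respectively would match their use). `public_subnets` is not referenced anywhere in the visible part of main.tf and may be dead input.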
@@ -1,28 +1,20 @@ locals { + az_count = length(var.azs) cidr_subnets = [for cidr_block in cidrsubnets(var.cidr, 2, 2, 2, 2) : cidrsubnets(cidr_block, 4, 4, 4, 4)] - private_subnets = chunklist(local.cidr_subnets[0], var.az_count)[0] - public_subnets = chunklist(local.cidr_subnets[1], var.az_count)[0] - database_subnets = chunklist(local.cidr_subnets[2], var.az_count)[0] - intra_subnets = chunklist(local.cidr_subnets[3], var.az_count)[0] - azs = data.aws_availability_zones.available.names + private_subnets = chunklist(local.cidr_subnets[0], local.az_count)[0] + public_subnets = chunklist(local.cidr_subnets[1], local.az_count)[0] + database_subnets = chunklist(local.cidr_subnets[2], local.az_count)[0] + intra_subnets = chunklist(local.cidr_subnets[3], local.az_count)[0] } -# https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/examples/complete-vpc/main.tf#L82 -data "aws_security_group" "default" { - name = "default" - vpc_id = module.vpc.vpc_id -} - -#tfsec:ignore:aws-ec2-no-public-ip-subnet -#tfsec:ignore:aws-ec2-require-vpc-flow-logs-for-all-vpcs module "vpc" { source = "terraform-aws-modules/vpc/aws" version = "4.0.1" - name = local.name + name = var.name cidr = var.cidr - azs = local.azs + azs = var.azs private_subnets = local.private_subnets public_subnets = local.public_subnets database_subnets = local.database_subnets 
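Review bot: Removing `#tfsec:ignore:aws-ec2-require-vpc-flow-logs-for-all-vpcs` and `#tfsec:ignore:aws-ec2-no-public-ip-subnet` without addressing the findings means a tfsec gate now fails on `module "vpc"`, and if the scan is not enforced the VPC simply still has no flow logs — a gap for network forensics and detection. With terraform-aws-modules/vpc 4.x the fix lives inside `module "vpc"`: `enable_flow_log = true`, `create_flow_log_cloudwatch_iam_role = true`, `create_flow_log_cloudwatch_log_group = true`, plus a log retention setting. If public IPs on the public subnets are accepted by design (NAT, load balancers), keep that ignore marker with a one-line justification comment rather than deleting it. `module "vpc"` continues past the end of the hunk.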
@@ -41,51 +33,51 @@ module "vpc" { default_security_group_ingress = [] default_security_group_egress = [] - tags = merge(local.tags, { - "kubernetes.io/cluster/${local.name}" = "shared" + tags = merge(var.tags, { + "kubernetes.io/cluster/${var.name}" = "shared" }) private_subnet_tags = { - Name = "${local.name}-private" + Name = "${var.name}-private" destination = "private" "karpenter.sh/discovery" = "private" "kubernetes.io/role/internal-elb" = "1" } private_route_table_tags = { - Name = "${local.name}-private" + Name = "${var.name}-private" destination = "private" } public_subnet_tags = { - Name = "${local.name}-public" + Name = "${var.name}-public" destination = "public" "karpenter.sh/discovery" = "public" "kubernetes.io/role/elb" = "1" } public_route_table_tags = { - Name = "${local.name}-public" + Name = "${var.name}-public" destination = "public" } database_subnet_tags = { - Name = "${local.name}-database" + Name = "${var.name}-database" destination = "database" } database_route_table_tags = { - Name = "${local.name}-database" + Name = "${var.name}-database" destination = "database" } intra_subnet_tags = { - Name = "${local.name}-intra" + Name = "${var.name}-intra" destination = "intra" } intra_route_table_tags = { - Name = "${local.name}-intra" + Name = "${var.name}-intra" destination = "intra" } } @@ -106,10 +98,10 @@ module "vpc_gateway_endpoints" { module.vpc.public_route_table_ids ]) tags = { - Name = "${local.name}-s3" + Name = "${var.name}-s3" } } } - tags = local.tags + tags = var.tags } diff --git a/terraform/modules/vpc/outputs.tf b/terraform/modules/vpc/outputs.tf new file mode 100644 index 00000000..c73e937c --- /dev/null +++ b/terraform/modules/vpc/outputs.tf 
@@ -0,0 +1,34 @@ +output "vpc_name" { + description = "Name of infra VPC" + value = module.vpc.name +} + +output "vpc_id" { + description = "ID of infra VPC" + value = module.vpc.vpc_id +} + +output "vpc_cidr" { + description = "CIDR block of infra VPC" + value = var.cidr +} + +output "vpc_public_subnets" { + description = "Public subnets of infra VPC" + value = module.vpc.public_subnets +} + +output "vpc_private_subnets" { + description = "Private subnets of infra VPC" + value = module.vpc.private_subnets +} + +output "vpc_database_subnets" { + description = "Database subnets of infra VPC" + value = module.vpc.database_subnets +} + +output "vpc_intra_subnets" { + description = "Private intra subnets " + value = module.vpc.intra_subnets +} diff --git a/terraform/modules/vpc/variables.tf b/terraform/modules/vpc/variables.tf new file mode 100644 index 00000000..b6f07dda --- /dev/null +++ b/terraform/modules/vpc/variables.tf @@ -0,0 +1,15 @@ +variable "name" { + +} +variable "single_nat_gateway" { + +} +variable "cidr" { + +} +variable "azs" { + type = list(any) +} +variable "tags" { + type = any +} diff --git a/terragrunt/demo/region.yaml b/terragrunt/demo/region.yaml deleted file mode 100644 index e723041f..00000000 --- a/terragrunt/demo/region.yaml +++ /dev/null @@ -1,2 +0,0 @@ ---- -region: us-east-1 diff --git a/terragrunt/demo/us-east-1/aws-base/terragrunt.hcl b/terragrunt/demo/us-east-1/aws-base/terragrunt.hcl deleted file mode 100644 index 095532ea..00000000 --- a/terragrunt/demo/us-east-1/aws-base/terragrunt.hcl +++ /dev/null @@ -1,15 +0,0 @@ -include "root" { - path = find_in_parent_folders() - expose = true - merge_strategy = "deep" -} - -include "env" { - path = find_in_parent_folders("env.hcl") - expose = true - merge_strategy = "deep" -} - -terraform { - source = "${get_terragrunt_dir()}/../../../../terraform//layer1-aws" -} 
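Review bot: `variable "azs"` replaces the old `az_count` (whose description said `min 2`) but carries no validation, and the subnet arithmetic in main.tf (`chunklist(..., length(var.azs))[0]` over four-way `cidrsubnets`) silently yields fewer subnets than zones once the list exceeds four, or a single-AZ layout if one zone is passed. Add a `validation` block bounding the length to 2–4 as below, and give `name`, `single_nat_gateway` and `cidr` a `type` and `description` (`string`, `bool`, `string`); `cidr` can additionally validate with `can(cidrhost(var.cidr, 0))`.
```hcl
variable "azs" {
  type        = list(string)
  description = "Availability zones to spread the private/public/database/intra subnets over (2 to 4)"

  validation {
    condition     = length(var.azs) >= 2 && length(var.azs) <= 4
    error_message = "azs must list between 2 and 4 availability zones."
  }
}
```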
diff --git a/terragrunt/demo/us-east-1/env.hcl b/terragrunt/demo/us-east-1/env.hcl deleted file mode 100644 index 498ff20a..00000000 --- a/terragrunt/demo/us-east-1/env.hcl +++ /dev/null @@ -1,8 +0,0 @@ -locals { - values = merge( - yamldecode(file(find_in_parent_folders("region.yaml"))), - yamldecode(file("env.yaml")) - ) -} - -inputs = local.values diff --git a/terragrunt/demo/us-east-1/k8s-addons/terragrunt.hcl b/terragrunt/demo/us-east-1/k8s-addons/terragrunt.hcl deleted file mode 100644 index 30c8afe5..00000000 --- a/terragrunt/demo/us-east-1/k8s-addons/terragrunt.hcl +++ /dev/null 
@@ -1,48 +0,0 @@ -include "root" { - path = find_in_parent_folders() - expose = true - merge_strategy = "deep" -} - -include "env" { - path = find_in_parent_folders("env.hcl") - expose = true - merge_strategy = "deep" -} - -terraform { - source = "${get_terragrunt_dir()}/../../../../terraform//layer2-k8s" -} - -dependencies { - paths = ["../aws-base"] -} - -dependency "aws-base" { - config_path = "../aws-base" - - mock_outputs_allowed_terraform_commands = ["init", "validate", "plan", "destroy"] - - mock_outputs = { - route53_zone_id = "Z058363314IT7VAKRA777" - vpc_id = "vpc-0f5b1b5f788888888" - vpc_cidr = "10.0.0.0/16" - eks_cluster_id = "maddevs-demo-use1" - eks_oidc_provider_arn = "arn:aws:iam::730808884724:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/D55EEBDFE5510B81EEE2381B88888888" - ssl_certificate_arn = "arn:aws:acm:us-east-1:730808884724:certificate/fa029132-86ab-7777-8888-8e1fd5c56c29" - node_group_default_iam_role_arn = "arn:aws:iam::731118884724:role/maddevs-demo-use1-default-202312sdfdsfs52134060000000a" - node_group_default_iam_role_name = "test" - } -} - -inputs = { - zone_id = dependency.aws-base.outputs.route53_zone_id - vpc_id = dependency.aws-base.outputs.vpc_id - vpc_cidr = dependency.aws-base.outputs.vpc_cidr - eks_cluster_id = dependency.aws-base.outputs.eks_cluster_id - eks_oidc_provider_arn = dependency.aws-base.outputs.eks_oidc_provider_arn - ssl_certificate_arn = dependency.aws-base.outputs.ssl_certificate_arn - node_group_default_iam_role_arn = dependency.aws-base.outputs.node_group_default_iam_role_arn - node_group_default_iam_role_name = dependency.aws-base.outputs.node_group_default_iam_role_name - helm_charts_path = "${get_terragrunt_dir()}/../../../../helm-charts" -} diff --git a/terragrunt/us-east-1/demo/aws-base/.terraform.lock.hcl b/terragrunt/us-east-1/demo/aws-base/.terraform.lock.hcl new file mode 100644 index 00000000..d33fb06c --- /dev/null +++ b/terragrunt/us-east-1/demo/aws-base/.terraform.lock.hcl 
@@ -0,0 +1,45 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "5.1.0" + constraints = ">= 2.49.0, >= 3.0.0, >= 3.34.0, >= 3.35.0, >= 3.72.0, >= 4.0.0, >= 4.7.0, >= 4.35.0, >= 4.40.0, >= 4.47.0, 5.1.0" + hashes = [ + "h1:iDyYmwv8q94Dvr4DRG1KBxTWPZRFkRmKGa3cjCEsPZU=", + "zh:0c48f157b804c1f392adb5c14b81e756c652755e358096300ea8dd1283021129", + "zh:1a50495a6c0e5665e51df57dac6e781ec71439b11ebf05f971b6f3a3eb4eb7b2", + "zh:2959ff472c05e56d59e012118dd8d55022f005534c0ae961ce81136de9f66a4d", + "zh:2dfda9133581b99ed6e709e89a453fd2974ce88c703d3e073ec31bf99d7508ce", + "zh:2f3d92cc7a6624da42cee2202f8fb23e6d38f156ab7851884d637282cb0dc709", + "zh:3bc2a34d09cbaf439a1815846904f070c782cd8dfd60b5e0116827cda25f7549", + "zh:4ef43f1a247aa8de8690ac3bbc2b00ebaf6b2872fc8d0f5130e4a8130c874b87", + "zh:5477cb272dcaeb0030091bcf23a9f0f33b5410e44e317e9d3d49446f545dbaa4", + "zh:734c8fb4c0b79c82dd757566761dda5b91ee1ef9a2b848a748ade11e0e1cc69f", + "zh:80346c051b677f4f018da7fe06318b87c5bd0f1ec67ce78ab33baed3bb8b031a", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:a865b2f88dfee13df14116c5cf53d033d2c15855f4b59b9c65337309a928df2c", + "zh:c0345f266eedaece5612c1000722b302f895d1bc5af1d5a4265f0e7000ca48bb", + "zh:d59703c8e6a9d8b4fbd3b4583b945dfff9cb2844c762c0b3990e1cef18282279", + "zh:d8d04a6a6cd2dfcb23b57e551db7b15e647f6166310fb7d883d8ec67bdc9bdc8", + ] +} + +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "2.19.0" + constraints = ">= 2.10.0, 2.19.0" + hashes = [ + "h1:ID/u9YOv00w+Z8iG+592oyuV7HcqRmPiZpEC9hnyTMY=", + "zh:028d346460de2d1d19b4c863dfc36be51c7bcd97d372b54a3a946bcb19f3f613", + "zh:391d0b38c455437d0a2ab1beb6ce6e1230aa4160bbae11c58b2810b258b44280", + "zh:40ea742f91b67f66e71d7091cfd40cc604528c4947651924bd6d8bd8d9793708", + "zh:48a99d341c8ba3cadaafa7cb99c0f11999f5e23f5cfb0f8469b4e352d9116e74", + 
"zh:4a5ade940eff267cbf7dcd52c1a7ac3999e7cc24996a409bd8b37bdb48a97f02", + "zh:5063742016a8249a4be057b9cc0ef24a684ec76d0ae5463d4b07e9b2d21e047e", + "zh:5d36b3a5662f840a6788f5e2a19d02139e87318feb3c5d82c7d076be1366fec4", + "zh:75edd9960cb30e54ef7de1b7df2761a274f17d4d41f54e72f86b43f41af3eb6d", + "zh:b85cadef3e6f25f1a10a617472bf5e8449decd61626733a1bc723de5edc08f64", + "zh:dc565b17b4ea6dde6bd1b92bc37e5e850fcbf9400540eec00ad3d9552a76ac2e", + "zh:deb665cc2123f2701aa3d653987b2ca35fb035a08a76a2382efb215c209f19a5", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/terragrunt/us-east-1/demo/aws-base/terragrunt.hcl b/terragrunt/us-east-1/demo/aws-base/terragrunt.hcl new file mode 100644 index 00000000..9c97449f --- /dev/null +++ b/terragrunt/us-east-1/demo/aws-base/terragrunt.hcl @@ -0,0 +1,44 @@ +include "root" { + path = find_in_parent_folders() + expose = true + merge_strategy = "deep" +} + +include "env" { + path = find_in_parent_folders("env.hcl") + expose = true + merge_strategy = "deep" +} + +dependencies { + paths = ["../vpc"] +} + +dependency "vpc" { + config_path = "../vpc" + + mock_outputs_allowed_terraform_commands = ["init", "validate", "plan", "destroy"] + + mock_outputs = { + vpc_id = "vpc-0f5b1b5f788888888" + vpc_cidr = "10.0.0.0/16" + vpc_private_subnets = ["10.0.0.0/16"] + vpc_public_subnets = ["10.0.0.0/16"] + vpc_intra_subnets = ["10.0.0.0/16"] + } +} + +terraform { + source = "${get_terragrunt_dir()}/../../../../terraform//layer1-aws" +} + +inputs = { + name = include.env.locals.name + env = include.env.locals.values.environment + tags = include.env.locals.tags + + vpc_id = dependency.vpc.outputs.vpc_id + private_subnets = dependency.vpc.outputs.vpc_private_subnets + public_subnets = dependency.vpc.outputs.vpc_public_subnets + intra_subnets = dependency.vpc.outputs.vpc_intra_subnets +} \ No newline at end of file 
diff --git a/terragrunt/demo/us-east-1/aws-base/.terraform.lock.hcl b/terragrunt/us-east-1/demo/eks/.terraform.lock.hcl similarity index 62% rename from terragrunt/demo/us-east-1/aws-base/.terraform.lock.hcl rename to terragrunt/us-east-1/demo/eks/.terraform.lock.hcl index 197d7fbe..da4b7882 100644 --- a/terragrunt/demo/us-east-1/aws-base/.terraform.lock.hcl +++ b/terragrunt/us-east-1/demo/eks/.terraform.lock.hcl 
@@ -2,25 +2,25 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/aws" { - version = "5.1.0" - constraints = ">= 2.49.0, >= 3.0.0, >= 3.34.0, >= 3.35.0, >= 3.72.0, >= 4.0.0, >= 4.7.0, >= 4.35.0, >= 4.40.0, >= 4.47.0, 5.1.0" + version = "5.36.0" + constraints = ">= 3.72.0, >= 4.0.0, >= 4.47.0" hashes = [ - "h1:iDyYmwv8q94Dvr4DRG1KBxTWPZRFkRmKGa3cjCEsPZU=", - "zh:0c48f157b804c1f392adb5c14b81e756c652755e358096300ea8dd1283021129", - "zh:1a50495a6c0e5665e51df57dac6e781ec71439b11ebf05f971b6f3a3eb4eb7b2", - "zh:2959ff472c05e56d59e012118dd8d55022f005534c0ae961ce81136de9f66a4d", - "zh:2dfda9133581b99ed6e709e89a453fd2974ce88c703d3e073ec31bf99d7508ce", - "zh:2f3d92cc7a6624da42cee2202f8fb23e6d38f156ab7851884d637282cb0dc709", - "zh:3bc2a34d09cbaf439a1815846904f070c782cd8dfd60b5e0116827cda25f7549", - "zh:4ef43f1a247aa8de8690ac3bbc2b00ebaf6b2872fc8d0f5130e4a8130c874b87", - "zh:5477cb272dcaeb0030091bcf23a9f0f33b5410e44e317e9d3d49446f545dbaa4", - "zh:734c8fb4c0b79c82dd757566761dda5b91ee1ef9a2b848a748ade11e0e1cc69f", - "zh:80346c051b677f4f018da7fe06318b87c5bd0f1ec67ce78ab33baed3bb8b031a", + "h1:54QgAU2vY65WZsiZ9FligQfIf7hQUvwse4ezMwVMwgg=", + "zh:0da8409db879b2c400a7d9ed1311ba6d9eb1374ea08779eaf0c5ad0af00ac558", + "zh:1b7521567e1602bfff029f88ccd2a182cdf97861c9671478660866472c3333fa", + "zh:1cab4e6f3a1d008d01df44a52132a90141389e77dbb4ec4f6ac1119333242ecf", + "zh:1df9f73595594ce8293fb21287bcacf5583ae82b9f3a8e5d704109b8cf691646", + "zh:2b5909268db44b6be95ff6f9dc80d5f87ca8f63ba530fe66723c5fdeb17695fc", + "zh:37dd731eeb0bc1b20e3ec3a0cb5eb7a730edab425058ff40f2243438acc82830", + "zh:3e94c76a2b607a1174d10f5712aed16cb32216ac1c91bd6f21749d61a14045ac", + "zh:40e6ba3184d2d3bf283a07feed8b79c1bbc537a91215cac7b3521b9ccb3e503e", + "zh:67e52353fea47eb97825f6eb6fddd1935e0ff3b53a8861d23a70c2babf83ae51", + "zh:6d2e2f390e0c7b2cd2344b1d5d6eec8a1c11cf35d19f1d6f341286f2449e9e10", + "zh:7005483c43926800fad5bb18e27be883dac4339edb83a8f18ccdc7edf86fafc2", + 
"zh:7073fa7ccaa9b07c2cf7b24550a90e11f4880afd5c53afd51278eff0154692a0", "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:a865b2f88dfee13df14116c5cf53d033d2c15855f4b59b9c65337309a928df2c", - "zh:c0345f266eedaece5612c1000722b302f895d1bc5af1d5a4265f0e7000ca48bb", - "zh:d59703c8e6a9d8b4fbd3b4583b945dfff9cb2844c762c0b3990e1cef18282279", - "zh:d8d04a6a6cd2dfcb23b57e551db7b15e647f6166310fb7d883d8ec67bdc9bdc8", + "zh:a6d48620e526c766faec9aeb20c40a98c1810c69b6699168d725f721dfe44846", + "zh:e29b651b5f39324656f466cd24a54861795cc423a1b58372f4e1d2d2112d10a0", ] } 
@@ -45,21 +45,21 @@ provider "registry.terraform.io/hashicorp/cloudinit" { } provider "registry.terraform.io/hashicorp/kubernetes" { - version = "2.19.0" - constraints = ">= 2.10.0, 2.19.0" + version = "2.25.2" + constraints = ">= 2.10.0" hashes = [ - "h1:ID/u9YOv00w+Z8iG+592oyuV7HcqRmPiZpEC9hnyTMY=", - "zh:028d346460de2d1d19b4c863dfc36be51c7bcd97d372b54a3a946bcb19f3f613", - "zh:391d0b38c455437d0a2ab1beb6ce6e1230aa4160bbae11c58b2810b258b44280", - "zh:40ea742f91b67f66e71d7091cfd40cc604528c4947651924bd6d8bd8d9793708", - "zh:48a99d341c8ba3cadaafa7cb99c0f11999f5e23f5cfb0f8469b4e352d9116e74", - "zh:4a5ade940eff267cbf7dcd52c1a7ac3999e7cc24996a409bd8b37bdb48a97f02", - "zh:5063742016a8249a4be057b9cc0ef24a684ec76d0ae5463d4b07e9b2d21e047e", - "zh:5d36b3a5662f840a6788f5e2a19d02139e87318feb3c5d82c7d076be1366fec4", - "zh:75edd9960cb30e54ef7de1b7df2761a274f17d4d41f54e72f86b43f41af3eb6d", - "zh:b85cadef3e6f25f1a10a617472bf5e8449decd61626733a1bc723de5edc08f64", - "zh:dc565b17b4ea6dde6bd1b92bc37e5e850fcbf9400540eec00ad3d9552a76ac2e", - "zh:deb665cc2123f2701aa3d653987b2ca35fb035a08a76a2382efb215c209f19a5", + "h1:T1WAQt40cAk721H0AM/eZ5YuodJaIfS8r3Tu7rKCJJE=", + "zh:044788ac936e0e8ece8f78a2e4e366ecd435ea8235388eaf2cbc8e7975d9d970", + "zh:24f5ff01df91f51f00ee7ff39430adeb63bb2ca4ea0042e68f06d6b65808c02f", + "zh:49984aa0aa1faa8c4f01e8faa039322f1e6fdaeab0b7e32f5c6e96edfde36a38", + "zh:4eeceaff56bac9fc782e7e33f157fa2c7e9a47b2c3c3d12da2642c312ace73f6", + "zh:4f49b6419345960d5af475e0200c243af4c9c140b0ee64799fe1fc9b023c49ea", + "zh:7958414d516867a2263a978792a24843f80023fb233cf051ff4095adc9803d85", + "zh:c633a755fc95e9ff0cd73656f052947afd85883a0987dde5198113aa48474156", + "zh:cbfe958d119795004ce1e8001449d01c056fa2a062b51d07843d98be216337d7", + "zh:cfb85392e18768578d4c943438897083895719be678227fd90efbe3500702a56", + "zh:d705a661ed5da425dd236a48645bec39fe78a67d2e70e8460b720417cbf260ac", + "zh:ddd7a01263da3793df4f3b5af65f166307eed5acf525e51e058cda59009cc856", 
"zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", ] } diff --git a/terragrunt/us-east-1/demo/eks/terragrunt.hcl b/terragrunt/us-east-1/demo/eks/terragrunt.hcl new file mode 100644 index 00000000..199acd02 --- /dev/null +++ b/terragrunt/us-east-1/demo/eks/terragrunt.hcl 
@@ -0,0 +1,70 @@
+include "root" {
+ path = find_in_parent_folders()
+ expose = true
+ merge_strategy = "deep"
+}
+
+include "env" {
+ path = find_in_parent_folders("env.hcl")
+ expose = true
+ merge_strategy = "deep"
+}
+
+dependencies {
+ paths = ["../vpc"]
+}
+
+dependency "vpc" {
+ config_path = "../vpc"
+
+ mock_outputs_allowed_terraform_commands = ["init", "validate", "plan", "destroy"]
+
+ mock_outputs = {
+ vpc_id = "vpc-0f5b1b5f788888888"
+ vpc_cidr = "10.0.0.0/16"
+ vpc_private_subnets = ["10.0.0.0/16"]
+ vpc_public_subnets = ["10.0.0.0/16"]
+ vpc_intra_subnets = ["10.0.0.0/16"]
+ }
+}
+
+generate "provider-k8s" {
+ path = "provider-k8s.tf"
+ if_exists = "overwrite_terragrunt"
+ contents = <<-EOF
+ provider "kubernetes" {
+ host = module.eks.cluster_endpoint
+ cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)
+ token = data.aws_eks_cluster_auth.main.token
+ }
+
+ data "aws_eks_cluster_auth" "main" {
+ name = module.eks.cluster_name
+ }
+
+ data "aws_caller_identity" "current" {}
+ output "eks_auth_token" {
+ sensitive = true
+ value = data.aws_eks_cluster_auth.main.token
+ }
+ output "cluster_ca_certificate" {
+ sensitive = true
+ value = base64decode(module.eks.cluster_certificate_authority_data)
+ }
+ EOF
+}
+
+terraform {
+ source = "${get_terragrunt_dir()}/../../../../terraform//modules/eks"
+}
+
+inputs = {
+ name = include.env.locals.name
+ env = include.env.locals.values.environment
+ tags = include.env.locals.tags
+
+ vpc_id = dependency.vpc.outputs.vpc_id
+ private_subnets = dependency.vpc.outputs.vpc_private_subnets
+ public_subnets = dependency.vpc.outputs.vpc_public_subnets
+ intra_subnets = dependency.vpc.outputs.vpc_intra_subnets
+}
\ No newline at end of file
diff --git a/terragrunt/us-east-1/demo/env.hcl b/terragrunt/us-east-1/demo/env.hcl
new file mode 100644
index 00000000..27ba8a0b
--- /dev/null
+++ b/terragrunt/us-east-1/demo/env.hcl
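Review bot: The generated `output "eks_auth_token"` writes a short-lived `aws_eks_cluster_auth` token into the eks stack's state file, and the k8s-addons stack reads it back through `dependency.eks.outputs`, so the credential sits at rest in state and is likely expired by the time a later k8s-addons run consumes it. `sensitive = true` only redacts CLI output; it does not keep the value out of state. I would drop the `eks_auth_token` output and let the consumer mint its own token (its own `aws_eks_cluster_auth` data source, or an `exec` block running `aws eks get-token`), exporting only the cluster name, endpoint and CA data, which are not secrets. The `data "aws_caller_identity" "current" {}` in the same template is not referenced anywhere in this hunk and can be removed.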
@@ -0,0 +1,33 @@ +locals { + values = merge( + yamldecode(file(find_in_parent_folders("region.yaml"))), + yamldecode(file("env.yaml")) + ) + name = "${local.values.name}-${local.values.environment}-${local.values.short_region[local.values.region]}" + name_wo_region = "${local.values.name}-${local.values.environment}" + tags = { + Name = local.values.name + Environment = local.values.environment + } +} + +inputs = local.values + +generate "provider-aws" { + path = "provider-aws.tf" + if_exists = "overwrite_terragrunt" + contents = <<-EOF + provider "aws" { + region = "${local.values.region}" + default_tags { + tags = { + Name = "${local.name}" + Environment = "${local.values.environment}" + Terraform = "true" + } + } + } + EOF +} + + diff --git a/terragrunt/demo/us-east-1/env.yaml b/terragrunt/us-east-1/demo/env.yaml similarity index 70% rename from terragrunt/demo/us-east-1/env.yaml rename to terragrunt/us-east-1/demo/env.yaml index 31c9bb24..33149714 100644 --- a/terragrunt/demo/us-east-1/env.yaml +++ b/terragrunt/us-east-1/demo/env.yaml @@ -3,8 +3,10 @@ name : "maddevs" domain_name: "maddevs.org" environment: "demo" -az_count : 3 allowed_ips: - "0.0.0.0/0" +cidr_block: "10.0.0.0/16" single_nat_gateway: true + +eks_cluster_version: "1.29" diff --git a/terragrunt/demo/us-east-1/k8s-addons/.terraform.lock.hcl b/terragrunt/us-east-1/demo/k8s-addons/.terraform.lock.hcl similarity index 75% rename from terragrunt/demo/us-east-1/k8s-addons/.terraform.lock.hcl rename to terragrunt/us-east-1/demo/k8s-addons/.terraform.lock.hcl index 3f1a7284..b5846098 100644 --- a/terragrunt/demo/us-east-1/k8s-addons/.terraform.lock.hcl +++ b/terragrunt/us-east-1/demo/k8s-addons/.terraform.lock.hcl 
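Review bot: The generated `provider "aws"` block sets `default_tags` with `Name = "${local.name}"` (the name-environment-region form), while `local.tags`, which the stacks pass as `tags` to resources, sets `Name = local.values.name`; because resource-level tags take precedence over `default_tags`, resources that receive `tags` end up with a different Name than resources that rely on the provider defaults alone. Pick one value and use it in both places, e.g. `Name = local.values.name` in the provider's `default_tags`, or `Name = local.name` in `local.tags`. A short comment above `locals` saying which of `name` and `name_wo_region` is meant for resource naming versus tagging would also help, since both are exposed through `include.env.locals`.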
@@ -19,25 +19,25 @@ provider "registry.terraform.io/gavinbunney/kubectl" { } provider "registry.terraform.io/hashicorp/aws" { - version = "5.1.0" - constraints = "5.1.0" + version = "4.62.0" + constraints = ">= 4.57.0, 4.62.0" hashes = [ - "h1:iDyYmwv8q94Dvr4DRG1KBxTWPZRFkRmKGa3cjCEsPZU=", - "zh:0c48f157b804c1f392adb5c14b81e756c652755e358096300ea8dd1283021129", - "zh:1a50495a6c0e5665e51df57dac6e781ec71439b11ebf05f971b6f3a3eb4eb7b2", - "zh:2959ff472c05e56d59e012118dd8d55022f005534c0ae961ce81136de9f66a4d", - "zh:2dfda9133581b99ed6e709e89a453fd2974ce88c703d3e073ec31bf99d7508ce", - "zh:2f3d92cc7a6624da42cee2202f8fb23e6d38f156ab7851884d637282cb0dc709", - "zh:3bc2a34d09cbaf439a1815846904f070c782cd8dfd60b5e0116827cda25f7549", - "zh:4ef43f1a247aa8de8690ac3bbc2b00ebaf6b2872fc8d0f5130e4a8130c874b87", - "zh:5477cb272dcaeb0030091bcf23a9f0f33b5410e44e317e9d3d49446f545dbaa4", - "zh:734c8fb4c0b79c82dd757566761dda5b91ee1ef9a2b848a748ade11e0e1cc69f", - "zh:80346c051b677f4f018da7fe06318b87c5bd0f1ec67ce78ab33baed3bb8b031a", + "h1:H/nY2teFoN9LU+Xtc1dx7TGS6w2HrARs0Q7cFb6vbus=", + "zh:12059dc2b639797b9facb6397ac6aec563891634be8e5aadf3a457590c1147d4", + "zh:1b3515d70b6998359d0a6d3b3c287940ab2e5c59cd02f95c7d9dab7df76e86b6", + "zh:423a1d3afdb6b625f2e3b06770ef4324740d400ff1a0d6d566c87d3f841d74fc", + "zh:58612b5a27d929dd1dff04d18d840b9cc59d45fed06247f0c2f87c1e5d3257d9", + "zh:5b243cd2250dd097293e06c1cc85e805565194e53f594ccd070252c7af644f54", + "zh:61ad9739e7d6fca8fddef269cb2ba7285f0632f5f27660755662550e1f69e4bb", + "zh:6700d86f5bfcae8491c87a7769b211a079dbf6dfb325bde76bf407aca3e76ff4", + "zh:67c7925f3b7ac1988c2aee8965b1f6f04738984cf8ae302b88215549793d14c1", + "zh:686770264b907b3e4c75fd751f8ea717a7e393d2fbde0950c4703fa809e573f0", + "zh:740236fda351a8f4976ddbd37e543c8d746a409e3a6aa290a8c5ff774b264455", + "zh:88ace13281a344044624ed088125c30f1a803188bf95874d09ca7e95725d5727", "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - 
"zh:a865b2f88dfee13df14116c5cf53d033d2c15855f4b59b9c65337309a928df2c", - "zh:c0345f266eedaece5612c1000722b302f895d1bc5af1d5a4265f0e7000ca48bb", - "zh:d59703c8e6a9d8b4fbd3b4583b945dfff9cb2844c762c0b3990e1cef18282279", - "zh:d8d04a6a6cd2dfcb23b57e551db7b15e647f6166310fb7d883d8ec67bdc9bdc8", + "zh:a4810a034f5def017607b0b079c7867c983da653928bd9f67edbc18575c0b629", + "zh:e1c10e1641b5f17fec61910d6c3514e241f650ced84523f09cb16271a9a1e651", + "zh:f63593ee2e01a2e1096ae9959fa43f0521114b3335f6440170f0d35d1969e8a2", ] } 
@@ -61,21 +61,21 @@ provider "registry.terraform.io/hashicorp/external" { } provider "registry.terraform.io/hashicorp/helm" { - version = "2.12.1" - constraints = "2.12.1" + version = "2.6.0" + constraints = "2.6.0" hashes = [ - "h1:aBfcqM4cbywa7TAxfT1YoFS+Cst9waerlm4XErFmJlk=", - "zh:1d623fb1662703f2feb7860e3c795d849c77640eecbc5a776784d08807b15004", - "zh:253a5bc62ba2c4314875139e3fbd2feaad5ef6b0fb420302a474ab49e8e51a38", - "zh:282358f4ad4f20d0ccaab670b8645228bfad1c03ac0d0df5889f0aea8aeac01a", - "zh:4fd06af3091a382b3f0d8f0a60880f59640d2b6d9d6a31f9a873c6f1bde1ec50", - "zh:6816976b1830f5629ae279569175e88b497abbbac30ee809948a1f923c67a80d", - "zh:7d82c4150cdbf48cfeec867be94c7b9bd7682474d4df0ebb7e24e148f964844f", - "zh:83f062049eea2513118a4c6054fb06c8600bac96196f25aed2cc21898ec86e93", - "zh:a79eec0cf4c08fca79e44033ec6e470f25ff23c3e2c7f9bc707ed7771c1072c0", - "zh:b2b2d904b2821a6e579910320605bc478bbef063579a23fbfdd6fcb5871b81f8", - "zh:e91177ca06a15487fc570cb81ecef6359aa399459ea2aa7c4f7367ba86f6fcad", - "zh:e976bcb82996fc4968f8382bbcb6673efb1f586bf92074058a232028d97825b1", + "h1:i+fbwv8Vk8n5kQc+spEtzvCNF4yo2exzSAZhL0ipFuo=", + "zh:0ac248c28acc1a4fd11bd26a85e48ab78dd6abf0f7ac842bf1cd7edd05ac6cf8", + "zh:3d32c8deae3740d8c5310136cc11c8afeffc350fbf88afaca0c34a223a5246f5", + "zh:4055a27489733d19ca7fa2dfce14d323fe99ae9dede7d0fea21ee6db0b9ca74b", + "zh:58a8ed39653fd4c874a2ecb128eccfa24c94266a00e349fd7fb13e22ad81f381", + "zh:6c81508044913f25083de132d0ff81d083732aba07c506cc2db05aa0cefcde2c", + "zh:7db5d18093047bfc4fe597f79610c0a281b21db0d61b0bacb3800585e976f814", + "zh:8269207b7422db99e7be80a5352d111966c3dfc7eb98511f11c8ff7b2e813456", + "zh:b1d7ababfb2374e72532308ff442cc906b79256b66b3fe7a98d42c68c4ddf9c5", + "zh:ca63e226cbdc964a5d63ef21189f059ce45c3fa4a5e972204d6916a9177d2b44", + "zh:d205a72d60e8cc362943d66f5bcdd6b6aaaa9aab2b89fd83bf6f1978ac0b1e4c", + "zh:db47dc579a0e68e5bfe3a61f2e950e6e2af82b1f388d1069de014a937962b56a", 
"zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", ] } diff --git a/terragrunt/us-east-1/demo/k8s-addons/terragrunt.hcl b/terragrunt/us-east-1/demo/k8s-addons/terragrunt.hcl new file mode 100644 index 00000000..648e8883 --- /dev/null +++ b/terragrunt/us-east-1/demo/k8s-addons/terragrunt.hcl 
@@ -0,0 +1,81 @@
+include "root" {
+ path = find_in_parent_folders()
+ expose = true
+ merge_strategy = "deep"
+}
+
+include "env" {
+ path = find_in_parent_folders("env.hcl")
+ expose = true
+ merge_strategy = "deep"
+}
+
+terraform {
+ source = "${get_terragrunt_dir()}/../../../../terraform//layer2-k8s"
+}
+
+dependencies {
+ paths = ["../aws-base", "../vpc", "../eks"]
+}
+
+dependency "aws-base" {
+ config_path = "../aws-base"
+
+ mock_outputs_allowed_terraform_commands = ["init", "validate", "plan", "destroy"]
+
+ mock_outputs = {
+ route53_zone_id = "Z058363314IT7VAKRA777"
+ ssl_certificate_arn = "arn:aws:acm:us-east-1:730808884724:certificate/fa029132-86ab-7777-8888-8e1fd5c56c29"
+ }
+}
+
+dependency "vpc" {
+ config_path = "../vpc"
+
+ mock_outputs_allowed_terraform_commands = ["init", "validate", "plan", "destroy"]
+
+ mock_outputs = {
+ vpc_id = "vpc-0f5b1b5f788888888"
+ vpc_cidr = "10.0.0.0/16"
+ vpc_private_subnets = ["10.0.0.0/16"]
+ vpc_public_subnets = ["10.0.0.0/16"]
+ vpc_intra_subnets = ["10.0.0.0/16"]
+ }
+}
+
+dependency "eks" {
+ config_path = "../eks"
+
+ mock_outputs_allowed_terraform_commands = ["init", "validate", "plan", "destroy"]
+
+ mock_outputs = {
+ eks_cluster_id = "test"
+ eks_oidc_provider_arn = "arn:aws:iam::11111111:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/D55EEBDFE5510B81EEE2381B88888888"
+ node_group_default_iam_role_arn = "arn::"
+ node_group_default_iam_role_name = "test"
+ eks_auth_token = "test"
+ cluster_ca_certificate = "test"
+ eks_cluster_endpoint = "test"
+ }
+}
+
+generate "provider_kubernetes" {
+ path = "provider_kubernetes.tf"
+ if_exists = "overwrite"
+ contents = file(find_in_parent_folders("provider_kubernetes.hcl"))
+}
+
+inputs = {
+ zone_id = dependency.aws-base.outputs.route53_zone_id
+ ssl_certificate_arn = dependency.aws-base.outputs.ssl_certificate_arn
+ vpc_id = dependency.vpc.outputs.vpc_id
+ vpc_cidr = dependency.vpc.outputs.vpc_cidr
+ eks_cluster_id = dependency.eks.outputs.eks_cluster_id
+ eks_oidc_provider_arn = dependency.eks.outputs.eks_oidc_provider_arn
+ node_group_default_iam_role_arn = dependency.eks.outputs.node_group_default_iam_role_arn
+ node_group_default_iam_role_name = dependency.eks.outputs.node_group_default_iam_role_name
+ eks_auth_token = dependency.eks.outputs.eks_auth_token
+ cluster_ca_certificate = dependency.eks.outputs.cluster_ca_certificate
+ eks_cluster_endpoint = dependency.eks.outputs.eks_cluster_endpoint
+ helm_charts_path = "${get_terragrunt_dir()}/../../../../helm-charts"
+}
diff --git a/terragrunt/us-east-1/demo/vpc/.terraform.lock.hcl b/terragrunt/us-east-1/demo/vpc/.terraform.lock.hcl
new file mode 100644
index 00000000..7978959a
--- /dev/null
+++ b/terragrunt/us-east-1/demo/vpc/.terraform.lock.hcl
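Review bot: `generate "provider_kubernetes"` uses `if_exists = "overwrite"`, while the eks and env stacks use `"overwrite_terragrunt"`; plain `overwrite` will silently clobber a hand-maintained `provider_kubernetes.tf` in the module source, whereas `overwrite_terragrunt` refuses unless the existing file carries the terragrunt-generated signature. Change it to `if_exists = "overwrite_terragrunt"`. The `inputs` block also threads `eks_auth_token` from the eks stack's state into this stack; that token is short-lived, so plans here will fail with unauthorized errors once it expires unless the eks stack is re-applied first, and minting the token in this stack (an `aws_eks_cluster_auth` data source or a provider `exec` block) avoids both the staleness and the copy of the credential in two state files.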
@@ -0,0 +1,25 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "5.36.0" + constraints = ">= 4.35.0" + hashes = [ + "h1:54QgAU2vY65WZsiZ9FligQfIf7hQUvwse4ezMwVMwgg=", + "zh:0da8409db879b2c400a7d9ed1311ba6d9eb1374ea08779eaf0c5ad0af00ac558", + "zh:1b7521567e1602bfff029f88ccd2a182cdf97861c9671478660866472c3333fa", + "zh:1cab4e6f3a1d008d01df44a52132a90141389e77dbb4ec4f6ac1119333242ecf", + "zh:1df9f73595594ce8293fb21287bcacf5583ae82b9f3a8e5d704109b8cf691646", + "zh:2b5909268db44b6be95ff6f9dc80d5f87ca8f63ba530fe66723c5fdeb17695fc", + "zh:37dd731eeb0bc1b20e3ec3a0cb5eb7a730edab425058ff40f2243438acc82830", + "zh:3e94c76a2b607a1174d10f5712aed16cb32216ac1c91bd6f21749d61a14045ac", + "zh:40e6ba3184d2d3bf283a07feed8b79c1bbc537a91215cac7b3521b9ccb3e503e", + "zh:67e52353fea47eb97825f6eb6fddd1935e0ff3b53a8861d23a70c2babf83ae51", + "zh:6d2e2f390e0c7b2cd2344b1d5d6eec8a1c11cf35d19f1d6f341286f2449e9e10", + "zh:7005483c43926800fad5bb18e27be883dac4339edb83a8f18ccdc7edf86fafc2", + "zh:7073fa7ccaa9b07c2cf7b24550a90e11f4880afd5c53afd51278eff0154692a0", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:a6d48620e526c766faec9aeb20c40a98c1810c69b6699168d725f721dfe44846", + "zh:e29b651b5f39324656f466cd24a54861795cc423a1b58372f4e1d2d2112d10a0", + ] +} diff --git a/terragrunt/us-east-1/demo/vpc/terragrunt.bak b/terragrunt/us-east-1/demo/vpc/terragrunt.bak new file mode 100644 index 00000000..01f3dbcc --- /dev/null +++ b/terragrunt/us-east-1/demo/vpc/terragrunt.bak 
@@ -0,0 +1,96 @@ +include "root" { + path = find_in_parent_folders() + expose = true + merge_strategy = "deep" +} + +include "env" { + path = find_in_parent_folders("env.hcl") + expose = true + merge_strategy = "deep" +} + +locals { + az_count = length(include.env.locals.values.azs) + cidr_subnets = [for cidr_block in cidrsubnets(include.env.locals.values.cidr_block, 2, 2, 2, 2) : cidrsubnets(cidr_block, 4, 4, 4, 4)] + private_subnets = chunklist(local.cidr_subnets[0], local.az_count)[0] + public_subnets = chunklist(local.cidr_subnets[1], local.az_count)[0] + database_subnets = chunklist(local.cidr_subnets[2], local.az_count)[0] + intra_subnets = chunklist(local.cidr_subnets[3], local.az_count)[0] +} + +terraform { + source = "tfr:///terraform-aws-modules/vpc/aws//?version=5.5.1" +} + +inputs = { + name = include.env.locals.values.name + cidr = include.env.locals.values.cidr_block + + azs = include.env.locals.values.azs + private_subnets = local.private_subnets + public_subnets = local.public_subnets + database_subnets = local.database_subnets + intra_subnets = local.intra_subnets + + single_nat_gateway = include.env.locals.values.single_nat_gateway + enable_nat_gateway = true + enable_vpn_gateway = false + enable_dns_hostnames = true + enable_dns_support = true + map_public_ip_on_launch = true + + create_database_subnet_group = false + + manage_default_security_group = true + default_security_group_ingress = [] + default_security_group_egress = [] + + tags = merge(include.env.locals.tags, { + "kubernetes.io/cluster/${include.env.locals.values.name}" = "shared" + }) + + private_subnet_tags = { + Name = "${include.env.locals.values.name}-private" + destination = "private" + "karpenter.sh/discovery" = "private" + "kubernetes.io/role/internal-elb" = "1" + } + + private_route_table_tags = { + Name = "${include.env.locals.values.name}-private" + destination = "private" + } + + public_subnet_tags = { + Name = "${include.env.locals.values.name}-public" + destination = 
"public" + "karpenter.sh/discovery" = "public" + "kubernetes.io/role/elb" = "1" + } + + public_route_table_tags = { + Name = "${include.env.locals.values.name}-public" + destination = "public" + } + + database_subnet_tags = { + Name = "${include.env.locals.values.name}-database" + destination = "database" + } + + database_route_table_tags = { + Name = "${include.env.locals.values.name}-database" + destination = "database" + } + + intra_subnet_tags = { + Name = "${include.env.locals.values.name}-intra" + destination = "intra" + } + + intra_route_table_tags = { + Name = "${include.env.locals.values.name}-intra" + destination = "intra" + } +} \ No newline at end of file diff --git a/terragrunt/us-east-1/demo/vpc/terragrunt.hcl b/terragrunt/us-east-1/demo/vpc/terragrunt.hcl new file mode 100644 index 00000000..db0adbeb --- /dev/null +++ b/terragrunt/us-east-1/demo/vpc/terragrunt.hcl @@ -0,0 +1,24 @@ +include "root" { + path = find_in_parent_folders() + expose = true + merge_strategy = "deep" +} + +include "env" { + path = find_in_parent_folders("env.hcl") + expose = true + merge_strategy = "deep" +} + +terraform { + source = "${get_terragrunt_dir()}/../../../../terraform//modules/vpc" +} + +inputs = { + name = include.env.locals.name + cidr = include.env.locals.values.cidr_block + + azs = include.env.locals.values.azs + single_nat_gateway = include.env.locals.values.single_nat_gateway + tags = include.env.locals.tags +} diff --git a/terragrunt/us-east-1/provider_kubernetes.hcl b/terragrunt/us-east-1/provider_kubernetes.hcl new file mode 100644 index 00000000..b44c18b7 --- /dev/null +++ b/terragrunt/us-east-1/provider_kubernetes.hcl 
@@ -0,0 +1,25 @@
+
+provider "kubernetes" {
+ host = var.eks_cluster_endpoint
+ cluster_ca_certificate = var.cluster_ca_certificate
+ token = var.eks_auth_token
+}
+
+provider "kubectl" {
+ host = var.eks_cluster_endpoint
+ cluster_ca_certificate = var.cluster_ca_certificate
+ token = var.eks_auth_token
+}
+
+provider "helm" {
+ kubernetes {
+ host = var.eks_cluster_endpoint
+ cluster_ca_certificate = var.cluster_ca_certificate
+ token = var.eks_auth_token
+ }
+
+ experiments {
+ manifest = true
+ }
+}
+
diff --git a/terragrunt/us-east-1/region.yaml b/terragrunt/us-east-1/region.yaml
new file mode 100644
index 00000000..df336efa
--- /dev/null
+++ b/terragrunt/us-east-1/region.yaml
@@ -0,0 +1,29 @@
+---
+region: us-east-1
+azs:
+ - us-east-1a
+ - us-east-1b
+ - us-east-1c
+
+short_region:
+ us-east-1: "use1" # US East (N. Virginia)
+ us-east-2: "use2" # US East (Ohio)
+ us-west-1: "usw1" # US West (N. California)
+ us-west-2: "usw2" # US West (Oregon)
+ ap-east-1: "ape1" # Asia Pacific (Hong Kong)
+ ap-south-1: "aps1" # Asia Pacific (Mumbai)
+ ap-northeast-2: "apn2" # Asia Pacific (Seoul)
+ ap-northeast-1: "apn1" # Asia Pacific (Tokyo)
+ ap-southeast-1: "apse1" # Asia Pacific (Singapore)
+ ap-southeast-2: "apse2" # Asia Pacific (Sydney)
+ ca-central-1: "cac1" # Canada (Central)
+ cn-north-1: "cnn1" # China (Beijing)
+ cn-northwest-1: "cnnw1" # China (Ningxia)
+ eu-central-1: "euc1" # EU (Frankfurt)
+ eu-west-1: "euw1" # EU (Ireland)
+ eu-west-2: "euw2" # EU (London)
+ eu-west-3: "euw3" # EU (Paris)
+ eu-north-1: "eun1" # EU (Stockholm)
+ sa-east-1: "sae1" # South America (Sao Paulo)
+ us-gov-east-1: "usge1" # AWS GovCloud (US-East)
+ us-gov-west-1: "usgw1" # AWS GovCloud (US)
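Review bot: All three providers authenticate with a static `token = var.eks_auth_token` that arrives as another stack's output; an EKS token from `aws_eks_cluster_auth` is short-lived (on the order of 15 minutes), so this only works while the eks stack's state is fresh, and in between the token is persisted in state. Use the providers' `exec` block to mint a token at run time from the caller's AWS credentials instead, as below, with the same block replacing `token` in the kubectl provider and in the helm provider's `kubernetes` block (`var.eks_cluster_id` is already passed in by the k8s-addons stack). The `experiments { manifest = true }` setting on the helm provider records rendered manifests in state, so any Secret values a chart renders are written to the state file; keep it only if that trade-off is intended, and mark it with `# manifest experiment: rendered manifests, including Secrets, are stored in state`.

```hcl
provider "kubernetes" {
  host                   = var.eks_cluster_endpoint
  cluster_ca_certificate = var.cluster_ca_certificate
  exec {
    api_version = "client.authentication.k8s.io/v1beta1"
    command     = "aws"
    args        = ["eks", "get-token", "--cluster-name", var.eks_cluster_id]
  }
}
# … unchanged: kubectl and helm providers, with the same exec block in place of token …
```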