From bc7c957307a852c94a6f6f4400a215101052fcac Mon Sep 17 00:00:00 2001 
From: Aastha Gupta <71313011+velotioaastha@users.noreply.github.com> Date: Wed, 10 Jul 2024 08:06:18 -0400 Subject: [PATCH 1/8] feat: Support for encrypting the database and bucket with CMK (#182) * added changed to add encrytion feature for s3 and db, with same and different kms keys and with external kms keys and external bucket. * added changed to add encrytion feature for s3 and db, with same and different kms keys and with external kms keys and external bucket. * added changed to add encrytion feature for s3 and db, with same and different kms keys and with external kms keys and external bucket. * added changes for encryption as per the new requirements. * added changes for encryption as per the new requirements. * Added readme doc for keys encryption * Resolved PR comments * removed create_kms boolean and updated conditions * added changes to update validation block. * added changes to update validation block. * added changed to add encrytion feature for s3 and db, with same and different kms keys and with external kms keys and external bucket. * added changed to add encrytion feature for s3 and db, with same and different kms keys and with external kms keys and external bucket. * added changed to add encrytion feature for s3 and db, with same and different kms keys and with external kms keys and external bucket. * added changes for encryption as per the new requirements. * added changes for encryption as per the new requirements. * Added readme doc for keys encryption * Resolved PR comments * removed create_kms boolean and updated conditions * added changes to update validation block. * added changes to update validation block. 
* update db kms key arn validation * fix terraform lint --------- Co-authored-by: Aastha Gupta Co-authored-by: Aastha Gupta --- README.md | 29 ++++++++++++++++++++++++ main.tf | 37 ++++++++++++++++-------------- modules/app_eks/iam-policies.tf | 6 ++--- modules/app_eks/iam-roles.tf | 8 +++---- modules/database/main.tf | 2 +- modules/iam_role/main.tf | 14 ++++++------ outputs.tf | 2 +- variables.tf | 40 ++++++++++++++++++++++----------- versions.tf | 2 +- 9 files changed, 93 insertions(+), 47 deletions(-) diff --git a/README.md b/README.md index 3f9de70e7..6f39dde65 100644 --- a/README.md +++ b/README.md @@ -272,6 +272,35 @@ module "wandb" { } ``` +### Alow customer specific customer-managed keys for S3 and RDS +- we can provide external kms key to encrypt database, redis and S3 buckets. +- To provide kms keys we need to provide kms arn values in +``` +db_kms_key_arn +bucket_kms_key_arn +``` +### In order to allow cross account KMS keys. we need to allow kms keys to be accessed by WandB account. +this can be donw by adding the following policy document. +``` +{ + "Sid": "Allow use of the key", + "Effect": "Allow", + "Principal": { + "AWS": [ + "arn:aws:iam:::root" + ] + }, + "Action": [ + "kms:Encrypt", + "kms:Decrypt", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + "kms:DescribeKey" + ], + "Resource": "*" + } +``` + ### Upgrading from 2.x -> 3.x - No changes required by you diff --git a/main.tf b/main.tf index 31a7ca757..b3ce58c3a 100644 --- a/main.tf +++ b/main.tf 
@@ -8,20 +8,23 @@ module "kms" { } locals { - kms_key_arn = module.kms.key.arn - use_external_bucket = var.bucket_name != "" - use_internal_queue = local.use_external_bucket || var.use_internal_queue + + default_kms_key = module.kms.key.arn + s3_kms_key_arn = length(var.bucket_kms_key_arn) > 0 ? var.bucket_kms_key_arn : local.default_kms_key + db_kms_key_arn = length(var.db_kms_key_arn) > 0 ? var.db_kms_key_arn : local.default_kms_key + database_performance_insights_kms_key_arn = length(var.database_performance_insights_kms_key_arn) > 0 ? var.database_performance_insights_kms_key_arn : local.default_kms_key + use_external_bucket = var.bucket_name != "" + use_internal_queue = local.use_external_bucket || var.use_internal_queue } module "file_storage" { - count = var.create_bucket ? 1 : 0 - source = "./modules/file_storage" - - create_queue = !local.use_internal_queue + count = var.create_bucket ? 1 : 0 + source = "./modules/file_storage" + namespace = var.namespace + create_queue = !local.use_internal_queue + sse_algorithm = "aws:kms" + kms_key_arn = local.s3_kms_key_arn deletion_protection = var.deletion_protection - kms_key_arn = local.kms_key_arn - namespace = var.namespace - sse_algorithm = "aws:kms" } locals { @@ -68,8 +71,8 @@ module "database" { source = "./modules/database" namespace = var.namespace - kms_key_arn = local.kms_key_arn - performance_insights_kms_key_arn = var.database_performance_insights_kms_key_arn + kms_key_arn = local.db_kms_key_arn + performance_insights_kms_key_arn = local.database_performance_insights_kms_key_arn database_name = var.database_name master_username = var.database_master_username @@ -95,7 +98,7 @@ locals { fqdn = var.subdomain == null ? var.domain_name : "${var.subdomain}.${var.domain_name}" } -# Create SSL Ceritifcation if applicable +#Create SSL Ceritifcation if applicable module "acm" { source = "terraform-aws-modules/acm/aws" version = "~> 3.0" 
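Review bot: The new `database_performance_insights_kms_key_arn` local in the `@@ -8,20 +8,23 @@` hunk calls `length(var.database_performance_insights_kms_key_arn)`, but the variables.tf hunk for that input (`@@ -76,7 +76,7 @@` in this same patch) keeps `nullable = true` and only changes the default from `null` to `""`, so a root module that still passes `null` explicitly now fails inside `length()` with a function error rather than a readable validation message. Setting `nullable = false` on that variable makes Terraform substitute the `""` default when `null` is passed and keeps the local as written; alternatively guard the local with `var.database_performance_insights_kms_key_arn != null && var.database_performance_insights_kms_key_arn != "" ? var.database_performance_insights_kms_key_arn : local.default_kms_key`. Separately, the `@@ -95,7 +98,7 @@` hunk removes the space after `#` and keeps the misspelling in `#Create SSL Ceritifcation if applicable`; `# Create SSL certificate if applicable` is the conventional form.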
@@ -124,7 +127,7 @@ module "app_eks" { fqdn = local.domain_filter namespace = var.namespace - kms_key_arn = local.kms_key_arn + kms_key_arn = local.default_kms_key instance_types = try([local.deployment_size[var.size].node_instance], var.kubernetes_instance_types) desired_capacity = try(local.deployment_size[var.size].node_count, var.kubernetes_node_count) @@ -132,7 +135,7 @@ module "app_eks" { map_roles = var.kubernetes_map_roles map_users = var.kubernetes_map_users - bucket_kms_key_arn = local.use_external_bucket ? var.bucket_kms_key_arn : local.kms_key_arn + bucket_kms_key_arn = local.s3_kms_key_arn bucket_arn = data.aws_s3_bucket.file_storage.arn bucket_sqs_queue_arn = local.use_internal_queue ? null : data.aws_sqs_queue.file_storage.0.arn @@ -227,7 +230,7 @@ module "redis" { redis_subnet_group_name = local.network_elasticache_subnet_group_name vpc_subnets_cidr_blocks = local.network_elasticache_subnet_cidrs node_type = try(local.deployment_size[var.size].cache, var.elasticache_node_type) - kms_key_arn = local.kms_key_arn + kms_key_arn = local.db_kms_key_arn } locals { @@ -267,7 +270,7 @@ module "wandb" { provider = "s3" name = local.bucket_name region = data.aws_s3_bucket.file_storage.region - kmsKey = local.use_external_bucket ? var.bucket_kms_key_arn : local.kms_key_arn + kmsKey = local.s3_kms_key_arn } mysql = { diff --git a/modules/app_eks/iam-policies.tf b/modules/app_eks/iam-policies.tf index 6ce0528ac..a46b9ecdd 100644 --- a/modules/app_eks/iam-policies.tf +++ b/modules/app_eks/iam-policies.tf @@ -48,13 +48,13 @@ resource "aws_iam_policy" "secrets_manager" { resource "aws_iam_policy" "irsa" { name = "${var.namespace}-irsa-policy" description = "IRSA IAM Policy" - + policy = jsonencode({ Version = "2012-10-17" Statement = [ { - Effect = "Allow" - Action = [ + Effect = "Allow" + Action = [ "s3:*", "kms:*", ] diff --git a/modules/app_eks/iam-roles.tf b/modules/app_eks/iam-roles.tf index 9654b4cec..fd2dfc4d3 100644 --- a/modules/app_eks/iam-roles.tf 
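Review bot: The `@@ -227,7 +230,7 @@` hunk for module "redis" switches ElastiCache at-rest encryption to `local.db_kms_key_arn`, so an input named for the database now silently governs Redis as well, and nothing in the code says so. A one-line comment on that argument, `# Redis deliberately shares the database CMK (db_kms_key_arn); no separate cache key is exposed`, makes the intent explicit for whoever later asks for a per-service key. Note also that module "app_eks" in `@@ -124,7 +127,7 @@` keeps `local.default_kms_key`, so the module-managed key is still provisioned and in use for EKS even when both customer keys are supplied; the README section added by this commit should state that rather than implying the external keys replace it entirely.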
+++ b/modules/app_eks/iam-roles.tf @@ -8,15 +8,15 @@ resource "aws_iam_role" "node" { resource "aws_iam_role" "irsa" { name = "${var.namespace}-irsa-role" assume_role_policy = jsonencode({ - Version = "2012-10-17" + Version = "2012-10-17" Statement = [ { - Sid = "" - Effect = "Allow" + Sid = "" + Effect = "Allow" Principal = { Federated = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${aws_iam_openid_connect_provider.eks.url}" } - Action = "sts:AssumeRoleWithWebIdentity" + Action = "sts:AssumeRoleWithWebIdentity" Condition = { StringLike = { "${aws_iam_openid_connect_provider.eks.url}:sub" = "system:serviceaccount:${var.namespace}:*" diff --git a/modules/database/main.tf b/modules/database/main.tf index c5d7b8bbf..f60e984d7 100644 --- a/modules/database/main.tf +++ b/modules/database/main.tf @@ -9,7 +9,7 @@ resource "random_string" "master_password" { } locals { - engine_version_tag = "80" + engine_version_tag = "80" parameter_family = "aurora-mysql8.0" parameter_group_name = "${var.namespace}-aurora-db-${local.engine_version_tag}-parameter-group" parameter_cluster_name = "${var.namespace}-aurora-${local.engine_version_tag}-cluster-parameter-group" diff --git a/modules/iam_role/main.tf b/modules/iam_role/main.tf index 68005c22e..42c15c0cb 100644 --- a/modules/iam_role/main.tf +++ b/modules/iam_role/main.tf 
@@ -3,15 +3,15 @@ data "aws_caller_identity" "current" {} resource "aws_iam_role" "irsa" { name = "${var.namespace}-yace-irsa-role" assume_role_policy = jsonencode({ - Version = "2012-10-17" + Version = "2012-10-17" Statement = [ { - Sid = "" - Effect = "Allow" + Sid = "" + Effect = "Allow" Principal = { Federated = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${var.aws_iam_openid_connect_provider_url}" } - Action = ["sts:AssumeRoleWithWebIdentity"] + Action = ["sts:AssumeRoleWithWebIdentity"] Condition = { StringLike = { "${var.aws_iam_openid_connect_provider_url}:sub" = "system:serviceaccount:default:${var.yace_sa_name}" @@ -27,13 +27,13 @@ resource "aws_iam_role" "irsa" { resource "aws_iam_policy" "irsa" { name = "${var.namespace}-yace-irsa-policy" description = "IRSA IAM Policy" - + policy = jsonencode({ Version = "2012-10-17" Statement = [ { - Effect = "Allow" - Action = [ + Effect = "Allow" + Action = [ "tag:GetResources", "cloudwatch:GetMetricData", "cloudwatch:GetMetricStatistics", diff --git a/outputs.tf b/outputs.tf index ed5227032..188e49f14 100644 --- a/outputs.tf +++ b/outputs.tf @@ -48,7 +48,7 @@ output "internal_app_port" { } output "kms_key_arn" { - value = local.kms_key_arn + value = local.default_kms_key description = "The Amazon Resource Name of the KMS key used to encrypt data at rest." } diff --git a/variables.tf b/variables.tf index 2f9aacc62..2e5ddf2cb 100644 --- a/variables.tf +++ b/variables.tf @@ -1,6 +1,6 @@ -########################################## -# Common # -########################################## +# ########################################## +# # Common # +# ########################################## variable "namespace" { type = string description = "String used for prefix resources." 
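Review bot: `output "kms_key_arn"` in the outputs.tf hunk (`@@ -48,7 +48,7 @@`) now returns `local.default_kms_key`, but its description still calls it the key used to encrypt data at rest, which is no longer accurate once `bucket_kms_key_arn` or `db_kms_key_arn` is set — the bucket and database then use the customer keys and this output names only the module-created one. Either reword it, `description = "ARN of the module-managed KMS key; used for EKS and for any resource without a customer-supplied key."`, or add outputs exposing the effective keys (`local.s3_kms_key_arn`, `local.db_kms_key_arn`) so consumers grant permissions on the key actually in use. The iam_role hunks on this line are whitespace-only and need no change.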
@@ -76,7 +76,7 @@ variable "database_innodb_lru_scan_depth" { } variable "database_performance_insights_kms_key_arn" { - default = null + default = "" description = "Specifies an existing KMS key ARN to encrypt the performance insights data if performance_insights_enabled is was enabled out of band" nullable = true type = string @@ -401,11 +401,13 @@ variable "bucket_name" { type = string default = "" } - variable "bucket_kms_key_arn" { - type = string - description = "The Amazon Resource Name of the KMS key with which S3 storage bucket objects will be encrypted." - default = "" + type = string + default = "" + validation { + condition = can(regex("^arn:aws:kms:[a-z0-9-]+:[0-9]+:key/[a-zA-Z0-9-_]+$", var.bucket_kms_key_arn)) || var.bucket_kms_key_arn == "" + error_message = "Invalid value for bucket kms ARN" + } } ########################################## @@ -423,9 +425,9 @@ variable "elasticache_node_type" { default = "cache.t2.medium" } -# ########################################## -# # Weights & Biases # -# ########################################## +########################################## +# Weights & Biases # +########################################## variable "license" { type = string description = "Weights & Biases license key." @@ -456,12 +458,24 @@ variable "parquet_wandb_env" { } variable "enable_yace" { - type = bool + type = bool description = "deploy yet another cloudwatch exporter to fetch aws resources metrics" - default = true + default = true } variable "yace_sa_name" { type = string default = "wandb-yace" +} + +########################################## +# New Vars for Encryption # +########################################## +variable "db_kms_key_arn" { + type = string + default = "" + validation { + condition = can(regex("^arn:aws:kms:[a-z0-9-]+:[0-9]+:key/[a-zA-Z0-9-_]+$", var.db_kms_key_arn)) || var.db_kms_key_arn == "" + error_message = "Invalid value for db kms ARN" + } } \ No newline at end of file 
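Review bot: The `@@ -401,11 +401,13 @@` hunk drops the `description` from `bucket_kms_key_arn` and the new `db_kms_key_arn` block has none, so the generated input table shows n/a for both customer-managed-key inputs; restore `description = "ARN of an existing KMS key for S3 bucket objects; empty uses the module-managed key."` and add the equivalent on `db_kms_key_arn`, noting that it also covers Redis. Both validation regexes pin the partition to `aws` (`^arn:aws:kms:`), so otherwise valid key ARNs in the GovCloud or China partitions (`arn:aws-us-gov:`, `arn:aws-cn:`) are rejected at plan time; `^arn:aws[a-z-]*:kms:[a-z0-9-]+:[0-9]{12}:key/[a-zA-Z0-9-_]+$` accepts those and tightens the account component to the 12 digits an account id always has. The same two points apply to `database_kms_key_arn` as introduced in the later variables.tf hunk `@@ -80,7 +80,14 @@` of PATCH 7/8.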
diff --git a/versions.tf b/versions.tf index 1ffbef449..f13ff0d03 100644 --- a/versions.tf +++ b/versions.tf @@ -10,4 +10,4 @@ terraform { version = "~> 2.23" } } -} +} \ No newline at end of file From 3d817815a32b200bbccc355e833f3149565c1a85 Mon Sep 17 00:00:00 2001 From: semantic-release-bot Date: Wed, 10 Jul 2024 12:06:52 +0000 Subject: [PATCH 2/8] chore(release): version 4.20.0 [skip ci] ## [4.20.0](https://github.com/wandb/terraform-aws-wandb/compare/v4.19.0...v4.20.0) (2024-07-10) ### Features * Support for encrypting the database and bucket with CMK ([#182](https://github.com/wandb/terraform-aws-wandb/issues/182)) ([bc7c957](https://github.com/wandb/terraform-aws-wandb/commit/bc7c957307a852c94a6f6f4400a215101052fcac)) --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0ebb69d3a..4ffa47110 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. +## [4.20.0](https://github.com/wandb/terraform-aws-wandb/compare/v4.19.0...v4.20.0) (2024-07-10) + + +### Features + +* Support for encrypting the database and bucket with CMK ([#182](https://github.com/wandb/terraform-aws-wandb/issues/182)) ([bc7c957](https://github.com/wandb/terraform-aws-wandb/commit/bc7c957307a852c94a6f6f4400a215101052fcac)) + ## [4.19.0](https://github.com/wandb/terraform-aws-wandb/compare/v4.18.0...v4.19.0) (2024-07-09) From 91017d4e1d21140be24102b7e5129b4498183749 Mon Sep 17 00:00:00 2001 From: Daniel Panzella Date: Thu, 11 Jul 2024 07:24:05 -0700 Subject: [PATCH 3/8] fix: Pass cloudprovider value to the helm charts (#240) --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index b3ce58c3a..b7966bccd 100644 --- a/main.tf +++ b/main.tf @@ -263,7 +263,7 @@ module "wandb" { global = { host = local.url license = var.license - + cloudProvider = "aws" extraEnv = var.other_wandb_env bucket = { 
From 7c5a2d43dfab0552dfdec59d0cd11fce52c51dba Mon Sep 17 00:00:00 2001 From: semantic-release-bot Date: Thu, 11 Jul 2024 14:24:34 +0000 Subject: [PATCH 4/8] chore(release): version 4.20.1 [skip ci] ### [4.20.1](https://github.com/wandb/terraform-aws-wandb/compare/v4.20.0...v4.20.1) (2024-07-11) ### Bug Fixes * Pass cloudprovider value to the helm charts ([#240](https://github.com/wandb/terraform-aws-wandb/issues/240)) ([91017d4](https://github.com/wandb/terraform-aws-wandb/commit/91017d4e1d21140be24102b7e5129b4498183749)) --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4ffa47110..cb2a02e14 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. +### [4.20.1](https://github.com/wandb/terraform-aws-wandb/compare/v4.20.0...v4.20.1) (2024-07-11) + + +### Bug Fixes + +* Pass cloudprovider value to the helm charts ([#240](https://github.com/wandb/terraform-aws-wandb/issues/240)) ([91017d4](https://github.com/wandb/terraform-aws-wandb/commit/91017d4e1d21140be24102b7e5129b4498183749)) + ## [4.20.0](https://github.com/wandb/terraform-aws-wandb/compare/v4.19.0...v4.20.0) (2024-07-10) From 7aba49119e24ffe68bc7e35dddde127040bfef3e Mon Sep 17 00:00:00 2001 From: Zachary Blasczyk <77289967+zacharyblasczyk@users.noreply.github.com> Date: Thu, 11 Jul 2024 09:42:52 -0500 Subject: [PATCH 5/8] fix: AWS VPC CNI revert (#236) * fix: AWS VPC CNI revert * Add Depends on. --- modules/app_eks/add-ons.tf | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/modules/app_eks/add-ons.tf b/modules/app_eks/add-ons.tf index 56503d6c7..3db67c0f7 100644 --- a/modules/app_eks/add-ons.tf +++ b/modules/app_eks/add-ons.tf 
@@ -72,9 +72,12 @@ resource "aws_eks_addon" "kube_proxy" { } resource "aws_eks_addon" "vpc_cni" { + depends_on = [ + module.eks + ] cluster_name = var.namespace addon_name = "vpc-cni" - addon_version = "v1.18.0-eksbuild.1" + addon_version = "v1.18.2-eksbuild.1" resolve_conflicts = "OVERWRITE" service_account_role_arn = aws_iam_role.oidc.arn } From a745466564d82aff498710a7d60c8c1450d31d0e Mon Sep 17 00:00:00 2001 From: semantic-release-bot Date: Thu, 11 Jul 2024 14:43:19 +0000 Subject: [PATCH 6/8] chore(release): version 4.20.2 [skip ci] ### [4.20.2](https://github.com/wandb/terraform-aws-wandb/compare/v4.20.1...v4.20.2) (2024-07-11) ### Bug Fixes * AWS VPC CNI revert ([#236](https://github.com/wandb/terraform-aws-wandb/issues/236)) ([7aba491](https://github.com/wandb/terraform-aws-wandb/commit/7aba49119e24ffe68bc7e35dddde127040bfef3e)) --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index cb2a02e14..9c26373a7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. +### [4.20.2](https://github.com/wandb/terraform-aws-wandb/compare/v4.20.1...v4.20.2) (2024-07-11) + + +### Bug Fixes + +* AWS VPC CNI revert ([#236](https://github.com/wandb/terraform-aws-wandb/issues/236)) ([7aba491](https://github.com/wandb/terraform-aws-wandb/commit/7aba49119e24ffe68bc7e35dddde127040bfef3e)) + ### [4.20.1](https://github.com/wandb/terraform-aws-wandb/compare/v4.20.0...v4.20.1) (2024-07-11) From 8f20d3e3a455f348c2f9eb11582ffff592929cf7 Mon Sep 17 00:00:00 2001 From: Zachary Blasczyk <77289967+zacharyblasczyk@users.noreply.github.com> Date: Thu, 11 Jul 2024 10:24:44 -0500 Subject: [PATCH 7/8] fix: Naming Conventions (#241) * fix: Naming Conventions * formating --- README.md | 25 +++++++++++++++++-------- main.tf | 24 ++++++++++++------------ variables.tf | 29 ++++++++++++----------------- 3 files changed, 41 insertions(+), 37 deletions(-) 
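Review bot: The subject calls this a revert, but the visible change in the add-ons.tf hunk moves `addon_version` forward from `v1.18.0-eksbuild.1` to `v1.18.2-eksbuild.1`, so either the title or the version string is misleading, and the CHANGELOG entry generated from the subject ("AWS VPC CNI revert") inherits the confusion; a comment on the pin such as `# pinned to v1.18.2: <reason from #236>` would record why this version was chosen. The added `depends_on = [module.eks]` is a coarse dependency on the entire module and makes the add-on wait for everything in it; if the module exposes the cluster name as an output, referencing that output for `cluster_name` instead of `var.namespace` would express the dependency directly — I cannot see the module's outputs from the hunk, so treat that as something to check.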
diff --git a/README.md b/README.md index 6f39dde65..4a06731d9 100644 --- a/README.md +++ b/README.md @@ -112,10 +112,6 @@ Upgrades must be executed in step-wise fashion from one version to the next. You -### Notes on EKS Add-ons -If a terraform apply fails because an add-on is already installed, remove the add-on using the AWS console or the AWS -CLI and re-run the apply. Running pods will not be impacted. - ## Requirements | Name | Version | @@ -139,16 +135,19 @@ CLI and re-run the apply. Running pods will not be impacted. | [app\_lb](#module\_app\_lb) | ./modules/app_lb | n/a | | [database](#module\_database) | ./modules/database | n/a | | [file\_storage](#module\_file\_storage) | ./modules/file_storage | n/a | +| [iam\_role](#module\_iam\_role) | ./modules/iam_role | n/a | | [kms](#module\_kms) | ./modules/kms | n/a | | [networking](#module\_networking) | ./modules/networking | n/a | | [private\_link](#module\_private\_link) | ./modules/private_link | n/a | | [redis](#module\_redis) | ./modules/redis | n/a | +| [s3\_endpoint](#module\_s3\_endpoint) | ./modules/endpoint | n/a | | [wandb](#module\_wandb) | wandb/wandb/helm | 1.2.0 | ## Resources | Name | Type | |------|------| +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | | [aws_s3_bucket.file_storage](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_bucket) | data source | | [aws_sqs_queue.file_storage](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/sqs_queue) | data source | 
@@ -159,9 +158,10 @@ CLI and re-run the apply. Running pods will not be impacted. | [acm\_certificate\_arn](#input\_acm\_certificate\_arn) | The ARN of an existing ACM certificate. | `string` | `null` | no | | [allowed\_inbound\_cidr](#input\_allowed\_inbound\_cidr) | CIDRs allowed to access wandb-server. | `list(string)` | n/a | yes | | [allowed\_inbound\_ipv6\_cidr](#input\_allowed\_inbound\_ipv6\_cidr) | CIDRs allowed to access wandb-server. | `list(string)` | n/a | yes | +| [allowed\_private\_endpoint\_cidr](#input\_allowed\_private\_endpoint\_cidr) | Private CIDRs allowed to access wandb-server. | `list(string)` | `[]` | no | | [app\_wandb\_env](#input\_app\_wandb\_env) | Extra environment variables for W&B | `map(string)` | `{}` | no | | [aws\_loadbalancer\_controller\_tags](#input\_aws\_loadbalancer\_controller\_tags) | (Optional) A map of AWS tags to apply to all resources managed by the load balancer controller | `map(string)` | `{}` | no | -| [bucket\_kms\_key\_arn](#input\_bucket\_kms\_key\_arn) | The Amazon Resource Name of the KMS key with which S3 storage bucket objects will be encrypted. | `string` | `""` | no | +| [bucket\_kms\_key\_arn](#input\_bucket\_kms\_key\_arn) | n/a | `string` | `""` | no | | [bucket\_name](#input\_bucket\_name) | n/a | `string` | `""` | no | | [create\_bucket](#input\_create\_bucket) | ######################################### External Bucket # ######################################### Most users will not need these settings. They are ment for users who want a bucket and sqs that are in a different account. | `bool` | `true` | no | | [create\_elasticache](#input\_create\_elasticache) | Boolean indicating whether to provision an elasticache instance (true) or not (false). | `bool` | `true` | no | 
@@ -171,9 +171,10 @@ CLI and re-run the apply. Running pods will not be impacted. | [database\_engine\_version](#input\_database\_engine\_version) | Version for MySQL Auora | `string` | `"8.0.mysql_aurora.3.05.2"` | no | | [database\_innodb\_lru\_scan\_depth](#input\_database\_innodb\_lru\_scan\_depth) | Specifies the innodb\_lru\_scan\_depth value to set for the database | `number` | `128` | no | | [database\_instance\_class](#input\_database\_instance\_class) | Instance type to use by database master instance. | `string` | `"db.r5.large"` | no | +| [database\_kms\_key\_arn](#input\_database\_kms\_key\_arn) | n/a | `string` | `""` | no | | [database\_master\_username](#input\_database\_master\_username) | Specifies the master\_username value to set for the database | `string` | `"wandb"` | no | | [database\_name](#input\_database\_name) | Specifies the name of the database | `string` | `"wandb_local"` | no | -| [database\_performance\_insights\_kms\_key\_arn](#input\_database\_performance\_insights\_kms\_key\_arn) | Specifies an existing KMS key ARN to encrypt the performance insights data if performance\_insights\_enabled is was enabled out of band | `string` | `null` | no | +| [database\_performance\_insights\_kms\_key\_arn](#input\_database\_performance\_insights\_kms\_key\_arn) | Specifies an existing KMS key ARN to encrypt the performance insights data if performance\_insights\_enabled is was enabled out of band | `string` | `""` | no | | [database\_snapshot\_identifier](#input\_database\_snapshot\_identifier) | Specifies whether or not to create this cluster from a snapshot. 
You can use either the name or ARN when specifying a DB cluster snapshot, or the ARN when specifying a DB snapshot | `string` | `null` | no | | [database\_sort\_buffer\_size](#input\_database\_sort\_buffer\_size) | Specifies the sort\_buffer\_size value to set for the database | `number` | `67108864` | no | | [deletion\_protection](#input\_deletion\_protection) | If the instance should have deletion protection enabled. The database / S3 can't be deleted when this value is set to `true`. | `bool` | `true` | no | @@ -183,6 +184,7 @@ CLI and re-run the apply. Running pods will not be impacted. | [elasticache\_node\_type](#input\_elasticache\_node\_type) | The type of the redis cache node to deploy | `string` | `"cache.t2.medium"` | no | | [enable\_dummy\_dns](#input\_enable\_dummy\_dns) | Boolean indicating whether or not to enable dummy DNS for the old alb | `bool` | `false` | no | | [enable\_operator\_alb](#input\_enable\_operator\_alb) | Boolean indicating whether to use operatore ALB (true) or not (false). | `bool` | `false` | no | +| [enable\_yace](#input\_enable\_yace) | deploy yet another cloudwatch exporter to fetch aws resources metrics | `bool` | `true` | no | | [external\_dns](#input\_external\_dns) | Using external DNS. A `subdomain` must also be specified if this value is true. | `bool` | `false` | no | | [extra\_fqdn](#input\_extra\_fqdn) | Additional fqdn's must be in the same hosted zone as `domain_name`. | `list(string)` | `[]` | no | | [kms\_key\_alias](#input\_kms\_key\_alias) | KMS key alias for AWS KMS Customer managed key. | `string` | `null` | no | 
@@ -212,6 +214,7 @@ CLI and re-run the apply. Running pods will not be impacted. | [other\_wandb\_env](#input\_other\_wandb\_env) | Extra environment variables for W&B | `map(any)` | `{}` | no | | [parquet\_wandb\_env](#input\_parquet\_wandb\_env) | Extra environment variables for W&B | `map(string)` | `{}` | no | | [private\_link\_allowed\_account\_ids](#input\_private\_link\_allowed\_account\_ids) | List of AWS account IDs allowed to access the VPC Endpoint Service | `list(string)` | `[]` | no | +| [private\_only\_traffic](#input\_private\_only\_traffic) | Enable private only traffic from customer private network | `bool` | `false` | no | | [public\_access](#input\_public\_access) | Is this instance accessable a public domain. | `bool` | `false` | no | | [size](#input\_size) | Deployment size | `string` | `null` | no | | [ssl\_policy](#input\_ssl\_policy) | SSL policy to use on ALB listener | `string` | `"ELBSecurityPolicy-FS-1-2-Res-2020-10"` | no | @@ -222,6 +225,7 @@ CLI and re-run the apply. Running pods will not be impacted. | [system\_reserved\_pid](#input\_system\_reserved\_pid) | (Optional) The amount of 'system-reserved' process ids [pid] to pass to the kubelet. For example: 1000. A value of -1 disables the flag. | `number` | `500` | no | | [use\_internal\_queue](#input\_use\_internal\_queue) | n/a | `bool` | `false` | no | | [weave\_wandb\_env](#input\_weave\_wandb\_env) | Extra environment variables for W&B | `map(string)` | `{}` | no | +| [yace\_sa\_name](#input\_yace\_sa\_name) | n/a | `string` | `"wandb-yace"` | no | | [zone\_id](#input\_zone\_id) | Domain for creating the Weights & Biases subdomain on. | `string` | n/a | yes | ## Outputs 
@@ -273,14 +277,19 @@ module "wandb" { ``` ### Alow customer specific customer-managed keys for S3 and RDS + - we can provide external kms key to encrypt database, redis and S3 buckets. -- To provide kms keys we need to provide kms arn values in +- To provide kms keys we need to provide kms arn values in + ``` -db_kms_key_arn +database_kms_key_arn bucket_kms_key_arn ``` + ### In order to allow cross account KMS keys. we need to allow kms keys to be accessed by WandB account. + this can be donw by adding the following policy document. + ``` { "Sid": "Allow use of the key", diff --git a/main.tf b/main.tf index b7966bccd..c91e230f8 100644 --- a/main.tf +++ b/main.tf @@ -11,19 +11,19 @@ locals { default_kms_key = module.kms.key.arn s3_kms_key_arn = length(var.bucket_kms_key_arn) > 0 ? var.bucket_kms_key_arn : local.default_kms_key - db_kms_key_arn = length(var.db_kms_key_arn) > 0 ? var.db_kms_key_arn : local.default_kms_key + database_kms_key_arn = length(var.database_kms_key_arn) > 0 ? var.database_kms_key_arn : local.default_kms_key database_performance_insights_kms_key_arn = length(var.database_performance_insights_kms_key_arn) > 0 ? var.database_performance_insights_kms_key_arn : local.default_kms_key use_external_bucket = var.bucket_name != "" use_internal_queue = local.use_external_bucket || var.use_internal_queue } module "file_storage" { - count = var.create_bucket ? 1 : 0 - source = "./modules/file_storage" - namespace = var.namespace - create_queue = !local.use_internal_queue - sse_algorithm = "aws:kms" - kms_key_arn = local.s3_kms_key_arn + count = var.create_bucket ? 1 : 0 + source = "./modules/file_storage" + namespace = var.namespace + create_queue = !local.use_internal_queue + sse_algorithm = "aws:kms" + kms_key_arn = local.s3_kms_key_arn deletion_protection = var.deletion_protection } 
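Review bot: The main.tf hunk `@@ -11,19 +11,19 @@` renames the input it reads from `db_kms_key_arn` to `database_kms_key_arn` one release after `db_kms_key_arn` shipped in 4.20.0, with no deprecation alias, so any root module that set `db_kms_key_arn` now fails on an undeclared variable — while the commit is labelled `fix:` and released as a patch bump (4.20.3 in PATCH 8/8). Keeping the old input as a deprecated alias for one minor version avoids that, e.g. `database_kms_key_arn = coalesce(var.database_kms_key_arn, var.db_kms_key_arn, local.default_kms_key)`, which works because both inputs default to `""` and `coalesce` skips empty strings. If the old name is intentionally removed, the commit should carry a `BREAKING CHANGE:` footer so that release tooling following conventional commits records it as such.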
@@ -71,7 +71,7 @@ module "database" { source = "./modules/database" namespace = var.namespace - kms_key_arn = local.db_kms_key_arn + kms_key_arn = local.database_kms_key_arn performance_insights_kms_key_arn = local.database_performance_insights_kms_key_arn database_name = var.database_name @@ -230,7 +230,7 @@ module "redis" { redis_subnet_group_name = local.network_elasticache_subnet_group_name vpc_subnets_cidr_blocks = local.network_elasticache_subnet_cidrs node_type = try(local.deployment_size[var.size].cache, var.elasticache_node_type) - kms_key_arn = local.db_kms_key_arn + kms_key_arn = local.database_kms_key_arn } locals { @@ -261,10 +261,10 @@ module "wandb" { spec = { values = { global = { - host = local.url - license = var.license + host = local.url + license = var.license cloudProvider = "aws" - extraEnv = var.other_wandb_env + extraEnv = var.other_wandb_env bucket = { provider = "s3" diff --git a/variables.tf b/variables.tf index 2e5ddf2cb..fd73db38a 100644 --- a/variables.tf +++ b/variables.tf @@ -80,7 +80,14 @@ variable "database_performance_insights_kms_key_arn" { description = "Specifies an existing KMS key ARN to encrypt the performance insights data if performance_insights_enabled is was enabled out of band" nullable = true type = string - +} +variable "database_kms_key_arn" { + type = string + default = "" + validation { + condition = can(regex("^arn:aws:kms:[a-z0-9-]+:[0-9]+:key/[a-zA-Z0-9-_]+$", var.database_kms_key_arn)) || var.database_kms_key_arn == "" + error_message = "Invalid value for db kms ARN" + } } ########################################## 
@@ -271,13 +278,13 @@ variable "allowed_private_endpoint_cidr" { description = "Private CIDRs allowed to access wandb-server." nullable = false type = list(string) - default = [] + default = [] } variable "private_only_traffic" { description = "Enable private only traffic from customer private network" - type = bool - default = false + type = bool + default = false } ########################################## @@ -464,18 +471,6 @@ variable "enable_yace" { } variable "yace_sa_name" { - type = string + type = string default = "wandb-yace" } - -########################################## -# New Vars for Encryption # -########################################## -variable "db_kms_key_arn" { - type = string - default = "" - validation { - condition = can(regex("^arn:aws:kms:[a-z0-9-]+:[0-9]+:key/[a-zA-Z0-9-_]+$", var.db_kms_key_arn)) || var.db_kms_key_arn == "" - error_message = "Invalid value for db kms ARN" - } -} \ No newline at end of file From e03de160f4b4e4e2ad1f0229a71942f3e9c409fe Mon Sep 17 00:00:00 2001 From: semantic-release-bot Date: Thu, 11 Jul 2024 15:25:13 +0000 Subject: [PATCH 8/8] chore(release): version 4.20.3 [skip ci] ### [4.20.3](https://github.com/wandb/terraform-aws-wandb/compare/v4.20.2...v4.20.3) (2024-07-11) ### Bug Fixes * Naming Conventions ([#241](https://github.com/wandb/terraform-aws-wandb/issues/241)) ([8f20d3e](https://github.com/wandb/terraform-aws-wandb/commit/8f20d3e3a455f348c2f9eb11582ffff592929cf7)) --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9c26373a7..6ff8e3ffa 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. +### [4.20.3](https://github.com/wandb/terraform-aws-wandb/compare/v4.20.2...v4.20.3) (2024-07-11) + + +### Bug Fixes + +* Naming Conventions ([#241](https://github.com/wandb/terraform-aws-wandb/issues/241)) ([8f20d3e](https://github.com/wandb/terraform-aws-wandb/commit/8f20d3e3a455f348c2f9eb11582ffff592929cf7)) + ### [4.20.2](https://github.com/wandb/terraform-aws-wandb/compare/v4.20.1...v4.20.2) (2024-07-11)