kuberocketci / terraform-aws-platform

Automate the deployment of AWS resources necessary for a secure and scalable Amazon Elastic Kubernetes Service (EKS) cluster with Terraform. Optimized for performance and cost, this repository follows AWS EKS Best Practices.

Home Page: https://docs.kuberocketci.io./docs/operator-guide/infrastructure-providers/aws/deploy-aws-eks

License: Apache License 2.0

HCL 100.00%
aws-eks cloud-native cost-optimization eks iac idp infrastructure-as-code terraform kuberocketci

terraform-aws-platform's Introduction

Deploy EKS Cluster using Terraform

This project is primarily focused on creating and managing an AWS EKS cluster and the AWS resources around it, such as VPCs, IAM roles, and S3 buckets, using Terraform scripts. The repository consists of the following components:

.pre-commit-config.yaml: This file is used to configure pre-commit hooks. Pre-commit hooks are scripts that run automatically every time you make a commit. They are used to enforce certain code standards and prevent bad commits.

argo-cd/: This directory contains the Terraform scripts for creating and managing internal and external AWS IAM Roles for Argo CD.

docs/: This directory contains the EKSDeployerRole.md file, which documents the EKS Deployer Role.

eks/: This directory contains Terraform scripts for creating and managing an EKS cluster. The .terraform-version file specifies the version of Terraform to use.

examples/: This directory contains example .tfvars files that can be used as templates for creating your own .tfvars files.

iam/: This directory contains Terraform scripts for creating and managing IAM roles. The iam-deployer/ and kaniko/ directories inside this directory contain specific scripts for the IAM Deployer and Kaniko roles respectively.

LICENSE: This is the license file for the project. It specifies the terms under which others can use, modify, and distribute your software.

s3-backend/: This directory contains the Terraform configuration for setting up an S3 backend. The S3 backend is used to store the Terraform state file in a centralized location, which is crucial for managing shared resources in a team environment.

vpc/: This directory contains Terraform scripts for creating and managing a VPC (Virtual Private Cloud).

Each of these components plays a crucial role in the project. The eks/, iam/, and vpc/ directories are particularly important as they contain the Terraform scripts for creating and managing the main resources of the project.

You can follow our official documentation to get started with the deployment.

Pre-Requisites

You need to have Terraform installed on your machine. Also, you should have an AWS account and the necessary IAM role with permissions to create and manage AWS resources.

Installation

To install, clone the repository to your local machine. You will then need to initialize Terraform using the terraform init command. Next, fill in the required fields in the tfvars file templates. Once the tfvars files are set up, you can run terraform apply with the appropriate tfvars file to create the resources.

Usage

You can use the provided Terraform scripts to create and manage your AWS resources. The scripts are organized by resource type (VPC, EKS, IAM, etc.), and you can modify the .tf and .tfvars files as needed to fit your requirements. To apply the configurations, use terraform apply with the appropriate tfvars file.

Terraform Version

The current Terraform version used in this project is 1.5.4. Please ensure you have this version installed to avoid any compatibility issues.

License

This project is licensed under the Apache License 2.0. This permissive license allows you to freely use, modify, and distribute the software, subject to certain conditions. See the LICENSE file for more details.

Contributing

Contributions are welcome! Feel free to submit a pull request with any changes or improvements to the scripts. Please ensure your code adheres to the existing style for consistency.


terraform-aws-platform's Issues

Update ALB Module for Security Group Configuration

Current Configuration:

module "alb" {
  source  = "terraform-aws-modules/alb/aws"
  version = "8.7.0"

  name = "${var.platform_name}-ingress-alb"

  vpc_id                = var.vpc_id
  subnets               = var.public_subnets_id
  create_security_group = false
  security_groups       = var.infra_public_security_group_ids
  enable_http2          = false
}

Proposed Changes:

module "alb" {
  source  = "terraform-aws-modules/alb/aws"
  version = "8.7.0"

  name = "${var.platform_name}-ingress-alb"

  vpc_id                = var.vpc_id
  subnets               = var.public_subnets_id
  create_security_group = false
  security_groups       = compact(concat(tolist([local.cluster_security_group_id]), var.infra_public_security_group_ids))
  enable_http2          = false
}

Remove Method to Install Argo CD on EKS

I suggest moving away from using the kubernetes_addons module for deploying Argo CD on our EKS cluster, previously outlined like this:

module "kubernetes_addons" {
  source = "github.com/aws-ia/terraform-aws-eks-blueprints//modules/kubernetes-addons?ref=v4.32.1"
}

Add Access Policy Management Permissions to EKSDeployerRole

Description:

In order to enhance the management capabilities of our EKS deployments, we need to extend the permissions of the EKSDeployerRole Role. This is crucial for dynamically managing access policies related to our EKS clusters, particularly for associating and disassociating access policies with access entries as our deployment requirements evolve.

Required Permissions:

The following permissions need to be added to the EKSDeployerRole to support these operations:

eks:ListAccessPolicies
eks:AssociateAccessPolicy
eks:DisassociateAccessPolicy

These permissions are essential for:

Listing Access Policies: To retrieve and audit current access policies associated with our EKS clusters.
Associating Access Policies: To add new access policies to access entries, ensuring that new services or users get the required permissions seamlessly.
Disassociating Access Policies: To remove access policies from access entries, which is critical for revoking permissions when they are no longer needed or when roles and responsibilities change.

Implement AWS IAM Policy and Role for ESO Access to SSM Parameters

  1. AWS IAM Policy for ESO Access to SSM

resource "aws_iam_policy" "get_ssm_for_eso" {
  name   = "AWSIRSA_${replace(title(local.cluster_name), "-", "")}_ESO_to_SSM"
  policy = data.aws_iam_policy_document.get_ssm_for_eso.json

  tags = local.tags
}

  2. IAM Role for ESO with the Required Policy

module "externalsecrets_irsa" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
  version = "5.28.0"

  role_name                     = "AWSIRSA_${replace(title(local.cluster_name), "-", "")}_ExternalSecretOperatorAccess"
  assume_role_condition_test    = "StringLike"
  role_permissions_boundary_arn = var.role_permissions_boundary_arn
  role_policy_arns = {
    get_ssm_for_eso = aws_iam_policy.get_ssm_for_eso.arn
  }

  oidc_providers = {
    main = {
      provider_arn               = module.eks.oidc_provider_arn
      namespace_service_accounts = ["*"]
    }
  }

  tags = local.tags
}

  3. IAM Policy Document for ESO Access to SSM

data "aws_iam_policy_document" "get_ssm_for_eso" {
  version = "2012-10-17"

  statement {
    sid    = "VisualEditor0"
    effect = "Allow"
    actions = [
      "ssm:GetParameter",
      "ssm:GetParameters",
      "ssm:GetParametersByPath",
    ]
    resources = [
      "arn:aws:ssm:${var.region}:${data.aws_caller_identity.current.account_id}:parameter/edp/*"
    ]
  }
}

  4. Data Source for AWS Caller Identity

data "aws_caller_identity" "current" {}

Enhance Default Network ACL and Security Group Configuration in VPC Module

Current Configuration:

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "5.1.2"

  name = var.platform_name

  create_vpc = true

  cidr            = var.platform_cidr
  azs             = var.subnet_azs
  private_subnets = var.private_cidrs
  public_subnets  = var.public_cidrs

  map_public_ip_on_launch = false
  enable_dns_hostnames    = true
  enable_dns_support      = true
  enable_nat_gateway      = true
  single_nat_gateway      = true
  one_nat_gateway_per_az  = false

  tags = var.tags
}

Proposed Changes:

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "5.1.2"

  name = var.platform_name

  create_vpc = true

  cidr            = var.platform_cidr
  azs             = var.subnet_azs
  private_subnets = var.private_cidrs
  public_subnets  = var.public_cidrs

  map_public_ip_on_launch    = false
  enable_dns_hostnames       = true
  enable_dns_support         = true
  enable_nat_gateway         = true
  single_nat_gateway         = true
  one_nat_gateway_per_az     = false
  manage_default_network_acl = false

  default_security_group_ingress = [
    {
      self = true
    }
  ]
  default_security_group_egress = [
    {
      self        = false
      cidr_blocks = "0.0.0.0/0"
      from_port   = 0
      to_port     = 0
      protocol    = "-1"
    }
  ]

  tags = var.tags
}

Update IAM Policy Document for Kaniko to Use Tekton Service Account

We need to update our aws_iam_policy_document for Kaniko in our Terraform configuration to align with a change in the service account being used.

Current Configuration:

data "aws_iam_policy_document" "kaniko_policy" {
  count = var.create_iam_kaniko ? 1 : 0

  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [var.oidc_provider_arn]
    }

    condition {
      test     = "StringEquals"
      variable = "${local.oidc_issuer_url}:sub"

      values = [
        "system:serviceaccount:${var.namespace}:edp-kaniko",  # <---
      ]
    }
  }
}

Proposed Change:

data "aws_iam_policy_document" "kaniko_policy" {
  count = var.create_iam_kaniko ? 1 : 0

  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [var.oidc_provider_arn]
    }

    condition {
      test     = "StringEquals"
      variable = "${local.oidc_issuer_url}:sub"

      values = [
        "system:serviceaccount:${var.namespace}:tekton",  # <---
      ]
    }
  }
}
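As an added example (not code from the repository or from the issue authors), the Python below models how the "<issuer>:sub" condition in the Kaniko trust policy above, and in the ESO role built with namespace_service_accounts = ["*"] and StringLike in the earlier issue, decides which pods may assume the role. The OIDC issuer host and the namespace and service-account names are assumptions.

```python
import re

# Constructed demo values: the issuer host is a placeholder, and the namespace and
# service-account names below are assumptions, not values from the project.
OIDC_ISSUER = "oidc.eks.eu-central-1.amazonaws.com/id/EXAMPLEDEADBEEF"

def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike semantics: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def condition_allows(condition: dict, token_claims: dict) -> bool:
    """Evaluate an IAM Condition block {test: {"<issuer>:claim": [values]}} against the
    claims of a pod's projected service-account token. Keys are ANDed, values ORed."""
    for test, keys in condition.items():
        for key, allowed in keys.items():
            actual = token_claims.get(key.rsplit(":", 1)[1])  # "<issuer>:sub" -> "sub"
            if actual is None:
                return False
            if test == "StringEquals":
                matched = actual in allowed
            elif test == "StringLike":
                matched = any(string_like(p, actual) for p in allowed)
            else:
                raise ValueError(f"unsupported condition test {test}")
            if not matched:
                return False
    return True

def irsa_condition(test: str, namespace_service_accounts: list[str]) -> dict:
    """Build the '<issuer>:sub' condition that the iam-role-for-service-accounts-eks module
    derives from namespace_service_accounts ("*" becomes "system:serviceaccount:*")."""
    subs = [f"system:serviceaccount:{nsa}" for nsa in namespace_service_accounts]
    return {test: {f"{OIDC_ISSUER}:sub": subs}}

def pod_token(namespace: str, service_account: str) -> dict:
    """Claims a pod presents to sts:AssumeRoleWithWebIdentity."""
    return {"sub": f"system:serviceaccount:{namespace}:{service_account}", "aud": "sts.amazonaws.com"}

def who_can_assume(condition: dict, candidates: list[tuple[str, str]]) -> list[str]:
    """Return the namespace/serviceaccount pairs that the condition lets assume the role."""
    return [f"{ns}/{sa}" for ns, sa in candidates if condition_allows(condition, pod_token(ns, sa))]

# Kaniko trust policy before and after the service-account rename (StringEquals, one subject).
KANIKO_OLD = irsa_condition("StringEquals", ["edp:edp-kaniko"])
KANIKO_NEW = irsa_condition("StringEquals", ["edp:tekton"])
# ESO role as proposed (StringLike + "*") versus the same role pinned to one namespace:serviceaccount.
ESO_WILDCARD = irsa_condition("StringLike", ["*"])
ESO_PINNED = irsa_condition("StringEquals", ["external-secrets:external-secrets"])
```

The comparison shows why the Kaniko rename matters (the old subject no longer matches a pod running as tekton) and that the ESO role as proposed is assumable by a pod under any service account in the cluster, while a pinned StringEquals subject limits it to the ESO service account.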

Add Argo CD Agents module

Add the ability to use Master and Agent AWS IAM Roles for the Argo CD instance.
It allows the user to manage components on external Kubernetes clusters via one Argo CD instance.
