Wayfinder v2.6.4 (#57)
* Wayfinder v2.6 (#56)

* Wayfinder v2.6.0 and EKS v1.28

* External module updates

* Add support for EKS access entries

* Update examples with access entries usage

* Bump Wayfinder release to v2.6.1

* Update Wayfinder to v2.6.2

* Wayfinder v2.6.3

* Wayfinder v2.6.4
KashifSaadat authored Feb 23, 2024
1 parent 6c26f9f commit 6bb00f1
Showing 25 changed files with 371 additions and 298 deletions.
252 changes: 124 additions & 128 deletions .terraform.lock.hcl


14 changes: 7 additions & 7 deletions README.md
Expand Up @@ -63,19 +63,19 @@ The `terraform-docs` utility is used to generate this README. Follow the below s

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_aws_ebs_csi_driver_addon_version"></a> [aws\_ebs\_csi\_driver\_addon\_version](#input\_aws\_ebs\_csi\_driver\_addon\_version) | The version to use for the AWS EBS CSI driver. | `string` | `"v1.21.0-eksbuild.1"` | no |
| <a name="input_aws_vpc_cni_addon_version"></a> [aws\_vpc\_cni\_addon\_version](#input\_aws\_vpc\_cni\_addon\_version) | AWS VPC CNI Addon version to use. | `string` | `"v1.14.1-eksbuild.1"` | no |
| <a name="input_access_entries"></a> [access\_entries](#input\_access\_entries) | Map of access entries to add to the cluster. This is required if you use a different IAM Role for Terraform Plan actions. | <pre>map(object({<br> kubernetes_groups = optional(list(string))<br> principal_arn = string<br> policy_associations = optional(map(object({<br> policy_arn = string<br> access_scope = object({<br> namespaces = optional(list(string))<br> type = string<br> })<br> })))<br> }))</pre> | `{}` | no |
| <a name="input_aws_ebs_csi_driver_addon_version"></a> [aws\_ebs\_csi\_driver\_addon\_version](#input\_aws\_ebs\_csi\_driver\_addon\_version) | The version to use for the AWS EBS CSI driver. | `string` | `"v1.22.1-eksbuild.1"` | no |
| <a name="input_aws_vpc_cni_addon_version"></a> [aws\_vpc\_cni\_addon\_version](#input\_aws\_vpc\_cni\_addon\_version) | AWS VPC CNI Addon version to use. | `string` | `"v1.15.5-eksbuild.1"` | no |
| <a name="input_cluster_endpoint_public_access_cidrs"></a> [cluster\_endpoint\_public\_access\_cidrs](#input\_cluster\_endpoint\_public\_access\_cidrs) | List of CIDR blocks which can access the Amazon EKS API server endpoint. | `list(string)` | <pre>[<br> "0.0.0.0/0"<br>]</pre> | no |
| <a name="input_cluster_security_group_additional_rules"></a> [cluster\_security\_group\_additional\_rules](#input\_cluster\_security\_group\_additional\_rules) | List of additional security group rules to add to the cluster security group created. Set `source_node_security_group = true` inside rules to set the `node_security_group` as source. | `any` | `{}` | no |
| <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | The Kubernetes version to use for the EKS cluster. | `string` | `"1.27"` | no |
| <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | The Kubernetes version to use for the EKS cluster. | `string` | `"1.28"` | no |
| <a name="input_clusterissuer_email"></a> [clusterissuer\_email](#input\_clusterissuer\_email) | The email address to use for the cert-manager cluster issuer. | `string` | n/a | yes |
| <a name="input_coredns_addon_version"></a> [coredns\_addon\_version](#input\_coredns\_addon\_version) | CoreDNS Addon version to use. | `string` | `"v1.10.1-eksbuild.6"` | no |
| <a name="input_coredns_addon_version"></a> [coredns\_addon\_version](#input\_coredns\_addon\_version) | CoreDNS Addon version to use. | `string` | `"v1.10.1-eksbuild.7"` | no |
| <a name="input_create_localadmin_user"></a> [create\_localadmin\_user](#input\_create\_localadmin\_user) | Whether to create a localadmin user for access to the Wayfinder Portal and API. | `bool` | `true` | no |
| <a name="input_disable_internet_access"></a> [disable\_internet\_access](#input\_disable\_internet\_access) | Whether to disable internet access for EKS and the Wayfinder ingress controller. | `bool` | `false` | no |
| <a name="input_disable_local_login"></a> [disable\_local\_login](#input\_disable\_local\_login) | Whether to disable local login for Wayfinder. Note: An IDP must be configured within Wayfinder, otherwise you will not be able to log in. | `bool` | `false` | no |
| <a name="input_dns_zone_arn"></a> [dns\_zone\_arn](#input\_dns\_zone\_arn) | The AWS Route53 DNS Zone ARN to use (e.g. arn:aws:route53:::hostedzone/ABCDEFG1234567). | `string` | n/a | yes |
| <a name="input_ebs_csi_kms_cmk_ids"></a> [ebs\_csi\_kms\_cmk\_ids](#input\_ebs\_csi\_kms\_cmk\_ids) | List of KMS CMKs to allow EBS CSI to manage encrypted volumes. This is required if EBS encryption is set at the account level with a default KMS CMK. | `list(string)` | `[]` | no |
| <a name="input_eks_aws_auth_roles"></a> [eks\_aws\_auth\_roles](#input\_eks\_aws\_auth\_roles) | List of IAM Role maps to add to the aws-auth configmap. This is required if you use a different IAM Role for Terraform Plan actions. | <pre>list(object({<br> rolearn = string<br> username = string<br> groups = list(string)<br> }))</pre> | `[]` | no |
| <a name="input_eks_ng_capacity_type"></a> [eks\_ng\_capacity\_type](#input\_eks\_ng\_capacity\_type) | The capacity type to use for the EKS managed node group. | `string` | `"ON_DEMAND"` | no |
| <a name="input_eks_ng_desired_size"></a> [eks\_ng\_desired\_size](#input\_eks\_ng\_desired\_size) | The desired size to use for the EKS managed node group. | `number` | `1` | no |
| <a name="input_eks_ng_instance_types"></a> [eks\_ng\_instance\_types](#input\_eks\_ng\_instance\_types) | The instance types to use for the EKS managed node group. | `list(string)` | <pre>[<br> "t3.xlarge"<br>]</pre> | no |
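Review bot: the new `access_entries` description should warn that, per `eks.tf` in this commit, supplying any entry turns off `enable_cluster_creator_admin_permissions`, so the map must include an entry for whichever principal applies the module or that identity loses access to the cluster it just created. The `eks_aws_auth_roles` row a few lines below is now stale: `eks.tf` no longer passes it to the EKS module, so its "required if you use a different IAM Role for Terraform Plan actions" text points users at a setting that does nothing; remove the row (and the variable) or mark it as a no-op kept for compatibility.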
Expand All @@ -87,7 +87,7 @@ The `terraform-docs` utility is used to generate this README. Follow the below s
| <a name="input_enable_wf_dnszonemanager"></a> [enable\_wf\_dnszonemanager](#input\_enable\_wf\_dnszonemanager) | Whether to configure admin CloudAccessConfig for DNS zone management in the account Wayfinder is installed in once installed (requires enable\_k8s\_resources and enable\_wf\_cloudaccess) | `bool` | `false` | no |
| <a name="input_environment"></a> [environment](#input\_environment) | The environment name we are provisioning. | `string` | `"production"` | no |
| <a name="input_kms_key_administrators"></a> [kms\_key\_administrators](#input\_kms\_key\_administrators) | A list of IAM ARNs for EKS key administrators. If no value is provided, the current caller identity is used to ensure at least one key admin is available. | `list(string)` | `[]` | no |
| <a name="input_kube_proxy_addon_version"></a> [kube\_proxy\_addon\_version](#input\_kube\_proxy\_addon\_version) | Kube Proxy Addon version to use. | `string` | `"v1.27.8-eksbuild.4"` | no |
| <a name="input_kube_proxy_addon_version"></a> [kube\_proxy\_addon\_version](#input\_kube\_proxy\_addon\_version) | Kube Proxy Addon version to use. | `string` | `"v1.28.4-eksbuild.4"` | no |
| <a name="input_node_security_group_additional_rules"></a> [node\_security\_group\_additional\_rules](#input\_node\_security\_group\_additional\_rules) | List of additional security group rules to add to the node security group created. Set `source_cluster_security_group = true` inside rules to set the `cluster_security_group` as source. | `any` | `{}` | no |
| <a name="input_subnet_ids_by_az"></a> [subnet\_ids\_by\_az](#input\_subnet\_ids\_by\_az) | A map of subnet IDs by availability zone. | `map(list(string))` | `{}` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources created. | `map(string)` | `{}` | no |
Expand All @@ -98,7 +98,7 @@ The `terraform-docs` utility is used to generate this README. Follow the below s
| <a name="input_wayfinder_instance_id"></a> [wayfinder\_instance\_id](#input\_wayfinder\_instance\_id) | The instance ID to use for Wayfinder. | `string` | n/a | yes |
| <a name="input_wayfinder_licence_key"></a> [wayfinder\_licence\_key](#input\_wayfinder\_licence\_key) | The licence key to use for Wayfinder. | `string` | n/a | yes |
| <a name="input_wayfinder_release_channel"></a> [wayfinder\_release\_channel](#input\_wayfinder\_release\_channel) | The release channel to use for Wayfinder. | `string` | `"wayfinder-releases"` | no |
| <a name="input_wayfinder_version"></a> [wayfinder\_version](#input\_wayfinder\_version) | The version to use for Wayfinder. | `string` | `"v2.5.1"` | no |
| <a name="input_wayfinder_version"></a> [wayfinder\_version](#input\_wayfinder\_version) | The version to use for Wayfinder. | `string` | `"v2.6.4"` | no |

## Outputs

6 changes: 3 additions & 3 deletions autoscaler.tf
@@ -1,6 +1,6 @@
module "autoscaler_irsa_role" {
source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
version = "5.17.0"
version = "5.34.0"

attach_cluster_autoscaler_policy = true
cluster_autoscaler_cluster_ids = [module.eks.cluster_name]
Expand Down Expand Up @@ -28,7 +28,7 @@ resource "helm_release" "metrics_server" {
name = "metrics-server"
repository = "https://kubernetes-sigs.github.io/metrics-server"
chart = "metrics-server"
version = "3.8.2"
version = "3.12.0"
max_history = 5
}

Expand All @@ -45,7 +45,7 @@ resource "helm_release" "cluster_autoscaler" {
name = "autoscaler"
repository = "https://kubernetes.github.io/autoscaler"
chart = "cluster-autoscaler"
version = "9.19.4"
version = "9.35.0"
max_history = 5

set {
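Review bot: the `set {` block that carries the autoscaler image tag sits outside this hunk; with `cluster_version` moving to 1.28 elsewhere in this commit, confirm the chart's `image.tag` is bumped to a v1.28.x cluster-autoscaler release, since the autoscaler's minor version is expected to track the control plane's. A chart jump from 9.19.4 to 9.35.0 also spans many releases, so a one-line comment noting that the values were re-checked against the new chart would help the next reviewer.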
2 changes: 1 addition & 1 deletion cert-manager.tf
@@ -1,6 +1,6 @@
module "certmanager_irsa_role" {
source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
version = "5.17.0"
version = "5.34.0"

attach_cert_manager_policy = true
cert_manager_hosted_zone_arns = [var.dns_zone_arn]
26 changes: 13 additions & 13 deletions eks.tf
@@ -1,18 +1,21 @@
module "eks" {
source = "terraform-aws-modules/eks/aws"
version = "19.13.0"
version = "20.2.1"

cluster_name = local.name
cluster_version = var.cluster_version
tags = local.tags

cluster_enabled_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
cluster_endpoint_private_access = true
cluster_endpoint_public_access = !var.disable_internet_access
cluster_endpoint_public_access_cidrs = var.cluster_endpoint_public_access_cidrs
kms_key_administrators = var.kms_key_administrators
subnet_ids = distinct(flatten(values(var.subnet_ids_by_az)))
vpc_id = var.vpc_id
authentication_mode = "API_AND_CONFIG_MAP"
access_entries = var.access_entries
cluster_enabled_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
cluster_endpoint_private_access = true
cluster_endpoint_public_access = !var.disable_internet_access
cluster_endpoint_public_access_cidrs = var.cluster_endpoint_public_access_cidrs
enable_cluster_creator_admin_permissions = var.access_entries != {} ? false : true
kms_key_administrators = var.kms_key_administrators
subnet_ids = distinct(flatten(values(var.subnet_ids_by_az)))
tags = local.tags
vpc_id = var.vpc_id

cluster_addons = {
coredns = {
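Review bot: the expression on the `enable_cluster_creator_admin_permissions` line evaluates to false even when no entries are supplied. Terraform's equality operators only return true when both operands have the same type, and `var.access_entries` is a `map(object(...))` while `{}` is an empty object literal, so `var.access_entries != {}` is true for the default empty map and the creator never receives the bootstrap admin access entry; whoever runs the apply then has no guaranteed route into the new cluster. Write it as `enable_cluster_creator_admin_permissions = length(var.access_entries) == 0` instead. Separately, `terraform-aws-modules/eks/aws` goes from 19.13.0 to 20.2.1, a major-version migration; a short comment pointing operators at the module's v20 upgrade notes would help anyone applying this against an existing cluster.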
Expand Down Expand Up @@ -118,14 +121,11 @@ module "eks" {
ipv6_cidr_blocks = ["::/0"]
}
}, var.node_security_group_additional_rules)

manage_aws_auth_configmap = true
aws_auth_roles = var.eks_aws_auth_roles
}

module "irsa-ebs-csi-driver" {
source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
version = "5.17.0"
version = "5.34.0"

role_name = "${local.name}-ebs-csi-driver-irsa"
attach_ebs_csi_policy = true
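Review bot: dropping `manage_aws_auth_configmap` and `aws_auth_roles` stops Terraform managing the aws-auth ConfigMap, but `authentication_mode` stays `API_AND_CONFIG_MAP` (first hunk), so on an already deployed cluster any role previously mapped there, including the `system:masters` mapping that `examples/complete/main.tf` removes in this commit, keeps its access until someone deletes the entry by hand. The release notes should tell upgraders to review `kubectl -n kube-system get configmap aws-auth -o yaml` after the apply and remove stale mappings, or to switch to `API` mode once every principal is represented as an access entry.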
2 changes: 1 addition & 1 deletion examples/complete/README.md
Expand Up @@ -34,6 +34,7 @@ The `terraform-docs` utility is used to generate this README. Follow the below s

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_access_entries"></a> [access\_entries](#input\_access\_entries) | Map of access entries to add to the cluster. | <pre>map(object({<br> kubernetes_groups = optional(list(string))<br> principal_arn = string<br> policy_associations = optional(map(object({<br> policy_arn = string<br> access_scope = object({<br> namespaces = optional(list(string))<br> type = string<br> })<br> })))<br> }))</pre> | `{}` | no |
| <a name="input_availability_zones"></a> [availability\_zones](#input\_availability\_zones) | List of availability zones to deploy into. | `list(string)` | <pre>[<br> "eu-west-2a",<br> "eu-west-2b",<br> "eu-west-2c"<br>]</pre> | no |
| <a name="input_aws_secretsmanager_name"></a> [aws\_secretsmanager\_name](#input\_aws\_secretsmanager\_name) | The name of the AWS Secrets Manager secret to fetch, which contains IDP configuration. | `string` | `"wayfinder-secrets"` | no |
| <a name="input_clusterissuer_email"></a> [clusterissuer\_email](#input\_clusterissuer\_email) | The email address to use for the cert-manager cluster issuer. | `string` | n/a | yes |
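Review bot: the `access_entries` description here is thinner than the root README's and, together with the removal of the `terraform_plan_role_arn` row in the next hunk, drops the only hint that a separate plan role has to be registered somewhere. One sentence such as "add an entry for each IAM role that runs terraform plan or apply; see terraform.tfvars.sample" would keep the migration path discoverable for users of the example.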
Expand All @@ -44,7 +45,6 @@ The `terraform-docs` utility is used to generate this README. Follow the below s
| <a name="input_environment"></a> [environment](#input\_environment) | The environment name we are provisioning. | `string` | `"production"` | no |
| <a name="input_idp_provider"></a> [idp\_provider](#input\_idp\_provider) | The Identity Provider type to configure for Wayfinder (supported: generic, aad). | `string` | `"generic"` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | Tags to apply to all resources. | `map(any)` | `{}` | no |
| <a name="input_terraform_plan_role_arn"></a> [terraform\_plan\_role\_arn](#input\_terraform\_plan\_role\_arn) | The ARN of the IAM role used for Terraform plan operations. | `string` | n/a | yes |
| <a name="input_vpc_cidr"></a> [vpc\_cidr](#input\_vpc\_cidr) | CIDR block for the Wayfinder VPC. | `string` | `"10.0.0.0/21"` | no |
| <a name="input_vpc_private_subnets"></a> [vpc\_private\_subnets](#input\_vpc\_private\_subnets) | List of private subnets in the Wayfinder VPC. | `list(string)` | <pre>[<br> "10.0.0.0/24",<br> "10.0.1.0/24",<br> "10.0.2.0/24"<br>]</pre> | no |
| <a name="input_vpc_public_subnets"></a> [vpc\_public\_subnets](#input\_vpc\_public\_subnets) | List of public subnets in the Wayfinder VPC. | `list(string)` | <pre>[<br> "10.0.3.0/24",<br> "10.0.4.0/24",<br> "10.0.5.0/24"<br>]</pre> | no |
9 changes: 1 addition & 8 deletions examples/complete/main.tf
@@ -1,6 +1,7 @@
module "wayfinder" {
source = "../../"

access_entries = var.access_entries
clusterissuer_email = var.clusterissuer_email
create_localadmin_user = var.create_localadmin_user
disable_internet_access = var.disable_internet_access
Expand All @@ -24,14 +25,6 @@ module "wayfinder" {
azureTenantId = var.idp_provider == "aad" ? jsondecode(data.aws_secretsmanager_secret_version.wayfinder.secret_string)["idpAzureTenantId"] : ""
}

eks_aws_auth_roles = [
{
rolearn = var.terraform_plan_role_arn
username = "terraform-identity-plan"
groups = ["system:masters"]
}
]

# cluster_security_group_additional_rules = {
# allow_access_from_vpn = {
# description = "Allow access to the Wayfinder API from within My Organisation's internal network"
25 changes: 24 additions & 1 deletion examples/complete/terraform.tfvars.sample
@@ -1,9 +1,32 @@
access_entries = {
tf_plan = {
principal_arn = "arn:aws:iam::123456789012:role/tf-plan"
policy_associations = {
cluster_admin = {
policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
access_scope = {
type = "cluster"
}
}
}
}
tf_apply = {
principal_arn = "arn:aws:iam::123456789012:role/tf-apply"
policy_associations = {
cluster_admin = {
policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
access_scope = {
type = "cluster"
}
}
}
}
}
clusterissuer_email = "[email protected]"
disable_local_login = true
dns_zone_name = "wf.example.com"
idp_provider = "generic"
wayfinder_instance_id = "your-wayfinder-instance-id"
terraform_plan_role_arn = "arn:aws:iam::123456789012:role/terraform-plan-role"
tags = {
Repository = "Your Repository URL"
Provisioner = "Terraform"
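Review bot: `terraform_plan_role_arn` is still assigned in the trailing context of this sample while `examples/complete/variables.tf` deletes the variable in this same commit, so Terraform will emit a "Value for undeclared variable" warning on every run; drop that line. Also, both `tf_plan` and `tf_apply` are bound to `AmazonEKSClusterAdminPolicy` at cluster scope, yet the plan role only needs read access; consider `AmazonEKSViewPolicy` for `tf_plan` (after checking that the helm provider's plan-time reads of release secrets still succeed) so the sample demonstrates least privilege rather than two cluster admins.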
21 changes: 16 additions & 5 deletions examples/complete/variables.tf
@@ -1,3 +1,19 @@
variable "access_entries" {
description = "Map of access entries to add to the cluster."
type = map(object({
kubernetes_groups = optional(list(string))
principal_arn = string
policy_associations = optional(map(object({
policy_arn = string
access_scope = object({
namespaces = optional(list(string))
type = string
})
})))
}))
default = {}
}

variable "aws_secretsmanager_name" {
description = "The name of the AWS Secrets Manager secret to fetch, which contains IDP configuration."
type = string
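Review bot: `access_scope.type` in the new `access_entries` variable is an unconstrained string, so a typo such as `Cluster`, or a `namespace` scope with no `namespaces` list, only fails at apply time inside the EKS API. A `validation` block on the variable would catch it at plan time, for example with
  condition     = alltrue([for e in values(var.access_entries) : alltrue([for p in try(values(e.policy_associations), []) : contains(["cluster", "namespace"], p.access_scope.type)])])
  error_message = "access_scope.type must be \"cluster\" or \"namespace\"."
(`try` is used because `policy_associations` is optional and `values(null)` errors).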
Expand Down Expand Up @@ -66,11 +82,6 @@ variable "tags" {
default = {}
}

variable "terraform_plan_role_arn" {
description = "The ARN of the IAM role used for Terraform plan operations."
type = string
}

variable "vpc_cidr" {
description = "CIDR block for the Wayfinder VPC."
type = string
2 changes: 1 addition & 1 deletion examples/complete/vpc.tf
@@ -1,6 +1,6 @@
module "vpc" {
source = "terraform-aws-modules/vpc/aws"
version = "5.0.0"
version = "5.5.1"

azs = var.availability_zones
cidr = var.vpc_cidr

0 comments on commit 6bb00f1
