Merge branch 'vnext'

appvia · Jan 31, 2024 · 6c26f9f · 6c26f9f
2 parents 257b30a + 0143fc0
commit 6c26f9f
Show file tree

Hide file tree

Showing 10 changed files with 85 additions and 17 deletions.
diff --git a/README.md b/README.md
@@ -77,9 +77,10 @@ The `terraform-docs` utility is used to generate this README. Follow the below s
 | <a name="input_ebs_csi_kms_cmk_ids"></a> [ebs\_csi\_kms\_cmk\_ids](#input\_ebs\_csi\_kms\_cmk\_ids) | List of KMS CMKs to allow EBS CSI to manage encrypted volumes. This is required if EBS encryption is set at the account level with a default KMS CMK. | `list(string)` | `[]` | no |
 | <a name="input_eks_aws_auth_roles"></a> [eks\_aws\_auth\_roles](#input\_eks\_aws\_auth\_roles) | List of IAM Role maps to add to the aws-auth configmap. This is required if you use a different IAM Role for Terraform Plan actions. | <pre>list(object({<br>    rolearn  = string<br>    username = string<br>    groups   = list(string)<br>  }))</pre> | `[]` | no |
 | <a name="input_eks_ng_capacity_type"></a> [eks\_ng\_capacity\_type](#input\_eks\_ng\_capacity\_type) | The capacity type to use for the EKS managed node group. | `string` | `"ON_DEMAND"` | no |
-| <a name="input_eks_ng_desired_size"></a> [eks\_ng\_desired\_size](#input\_eks\_ng\_desired\_size) | The desired size to use for the EKS managed node group. | `number` | `2` | no |
+| <a name="input_eks_ng_desired_size"></a> [eks\_ng\_desired\_size](#input\_eks\_ng\_desired\_size) | The desired size to use for the EKS managed node group. | `number` | `1` | no |
 | <a name="input_eks_ng_instance_types"></a> [eks\_ng\_instance\_types](#input\_eks\_ng\_instance\_types) | The instance types to use for the EKS managed node group. | `list(string)` | <pre>[<br>  "t3.xlarge"<br>]</pre> | no |
-| <a name="input_eks_ng_minimum_size"></a> [eks\_ng\_minimum\_size](#input\_eks\_ng\_minimum\_size) | The minimum size to use for the EKS managed node group. | `number` | `2` | no |
+| <a name="input_eks_ng_maximum_size"></a> [eks\_ng\_maximum\_size](#input\_eks\_ng\_maximum\_size) | The maximum size to use for the EKS managed node group. | `number` | `10` | no |
+| <a name="input_eks_ng_minimum_size"></a> [eks\_ng\_minimum\_size](#input\_eks\_ng\_minimum\_size) | The minimum size to use for the EKS managed node group. | `number` | `1` | no |
 | <a name="input_enable_k8s_resources"></a> [enable\_k8s\_resources](#input\_enable\_k8s\_resources) | Whether to enable the creation of Kubernetes resources for Wayfinder (helm and kubectl manifest deployments). | `bool` | `true` | no |
 | <a name="input_enable_wf_cloudaccess"></a> [enable\_wf\_cloudaccess](#input\_enable\_wf\_cloudaccess) | Whether to configure CloudIdentity resource in Wayfinder for the configured AWS IRSA identity once installed (requires enable\_k8s\_resources) | `bool` | `true` | no |
 | <a name="input_enable_wf_costestimates"></a> [enable\_wf\_costestimates](#input\_enable\_wf\_costestimates) | Whether to configure admin CloudAccessConfig for cost estimates in the account Wayfinder is installed in once installed (requires enable\_k8s\_resources and enable\_wf\_cloudaccess) | `bool` | `true` | no |
@@ -88,7 +89,7 @@ The `terraform-docs` utility is used to generate this README. Follow the below s
 | <a name="input_kms_key_administrators"></a> [kms\_key\_administrators](#input\_kms\_key\_administrators) | A list of IAM ARNs for EKS key administrators. If no value is provided, the current caller identity is used to ensure at least one key admin is available. | `list(string)` | `[]` | no |
 | <a name="input_kube_proxy_addon_version"></a> [kube\_proxy\_addon\_version](#input\_kube\_proxy\_addon\_version) | Kube Proxy Addon version to use. | `string` | `"v1.27.8-eksbuild.4"` | no |
 | <a name="input_node_security_group_additional_rules"></a> [node\_security\_group\_additional\_rules](#input\_node\_security\_group\_additional\_rules) | List of additional security group rules to add to the node security group created. Set `source_cluster_security_group = true` inside rules to set the `cluster_security_group` as source. | `any` | `{}` | no |
-| <a name="input_subnet_ids"></a> [subnet\_ids](#input\_subnet\_ids) | A list of private Subnet IDs to launch the Wayfinder EKS Nodes onto. | `list(string)` | n/a | yes |
+| <a name="input_subnet_ids_by_az"></a> [subnet\_ids\_by\_az](#input\_subnet\_ids\_by\_az) | A map of subnet IDs by availability zone. | `map(list(string))` | `{}` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources created. | `map(string)` | `{}` | no |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | The VPC ID for the Wayfinder EKS Cluster to be built within. | `string` | n/a | yes |
 | <a name="input_wayfinder_domain_name_api"></a> [wayfinder\_domain\_name\_api](#input\_wayfinder\_domain\_name\_api) | The domain name to use for the Wayfinder API (e.g. api.wayfinder.example.com). | `string` | n/a | yes |

diff --git a/eks.tf b/eks.tf
@@ -11,7 +11,7 @@ module "eks" {
   cluster_endpoint_public_access       = !var.disable_internet_access
   cluster_endpoint_public_access_cidrs = var.cluster_endpoint_public_access_cidrs
   kms_key_administrators               = var.kms_key_administrators
-  subnet_ids                           = var.subnet_ids
+  subnet_ids                           = distinct(flatten(values(var.subnet_ids_by_az)))
   vpc_id                               = var.vpc_id
 
   cluster_addons = {
@@ -57,12 +57,15 @@ module "eks" {
   }
 
   eks_managed_node_groups = {
-    compute = {
-      capacity_type  = var.eks_ng_capacity_type
-      instance_types = var.eks_ng_instance_types
-      desired_size   = var.eks_ng_desired_size
-      max_size       = 10
-      min_size       = var.eks_ng_minimum_size
+    for az, subnet_ids in var.subnet_ids_by_az : az => {
+      name                 = "compute-${az}"
+      capacity_type        = var.eks_ng_capacity_type
+      desired_size         = var.eks_ng_desired_size
+      instance_types       = var.eks_ng_instance_types
+      launch_template_name = "compute-${az}"
+      max_size             = var.eks_ng_maximum_size
+      min_size             = var.eks_ng_minimum_size
+      subnet_ids           = subnet_ids
     }
   }
 

diff --git a/examples/complete/data.tf b/examples/complete/data.tf
@@ -11,3 +11,26 @@ data "aws_secretsmanager_secret" "wayfinder" {
 data "aws_secretsmanager_secret_version" "wayfinder" {
   secret_id = data.aws_secretsmanager_secret.wayfinder.id
 }
+
+data "aws_subnets" "private_subnets_by_az" {
+  for_each = toset(var.availability_zones)
+  filter {
+    name   = "vpc-id"
+    values = [module.vpc.vpc_id]
+  }
+  filter {
+    name   = "availability-zone"
+    values = [each.key]
+  }
+  tags = {
+    Tier = "Private"
+  }
+
+  depends_on = [module.vpc]
+}
+
+locals {
+  private_subnets_by_az = {
+    for az, subnet in data.aws_subnets.private_subnets_by_az : az => subnet.ids
+  }
+}
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -8,7 +8,7 @@ module "wayfinder" {
   dns_zone_arn              = data.aws_route53_zone.selected.arn
   environment               = var.environment
   kms_key_administrators    = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
-  subnet_ids                = module.vpc.private_subnets
+  subnet_ids_by_az          = local.private_subnets_by_az
   tags                      = var.tags
   vpc_id                    = module.vpc.vpc_id
   wayfinder_domain_name_api = "api.${var.dns_zone_name}"

diff --git a/examples/complete/vpc.tf b/examples/complete/vpc.tf
@@ -17,9 +17,11 @@ module "vpc" {
 
   public_subnet_tags = merge({
     "kubernetes.io/role/elb" = 1
+    Tier                     = "Public"
   }, var.tags)
 
   private_subnet_tags = merge({
     "kubernetes.io/role/internal-elb" = 1
+    Tier                              = "Private"
   }, var.tags)
 }
diff --git a/examples/quickstart/data.tf b/examples/quickstart/data.tf
@@ -3,3 +3,26 @@ data "aws_caller_identity" "current" {}
 data "aws_route53_zone" "selected" {
   name = var.dns_zone_name
 }
+
+data "aws_subnets" "private_subnets_by_az" {
+  for_each = toset(var.availability_zones)
+  filter {
+    name   = "vpc-id"
+    values = [module.vpc.vpc_id]
+  }
+  filter {
+    name   = "availability-zone"
+    values = [each.key]
+  }
+  tags = {
+    Tier = "Private"
+  }
+
+  depends_on = [module.vpc]
+}
+
+locals {
+  private_subnets_by_az = {
+    for az, subnet in data.aws_subnets.private_subnets_by_az : az => subnet.ids
+  }
+}
diff --git a/examples/quickstart/main.tf b/examples/quickstart/main.tf
@@ -7,7 +7,7 @@ module "wayfinder" {
   dns_zone_arn              = data.aws_route53_zone.selected.arn
   environment               = var.environment
   kms_key_administrators    = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
-  subnet_ids                = module.vpc.private_subnets
+  subnet_ids_by_az          = local.private_subnets_by_az
   tags                      = var.tags
   vpc_id                    = module.vpc.vpc_id
   wayfinder_domain_name_api = "api.${var.dns_zone_name}"

diff --git a/examples/quickstart/vpc.tf b/examples/quickstart/vpc.tf
@@ -17,9 +17,11 @@ module "vpc" {
 
   public_subnet_tags = merge({
     "kubernetes.io/role/elb" = 1
+    Tier                     = "Public"
   }, var.tags)
 
   private_subnet_tags = merge({
     "kubernetes.io/role/internal-elb" = 1
+    Tier                              = "Private"
   }, var.tags)
 }
diff --git a/modules/cloudaccess/wf_dns_zone_manager_policy.json b/modules/cloudaccess/wf_dns_zone_manager_policy.json
@@ -41,6 +41,13 @@
             ],
             "Effect": "Allow",
             "Resource": "*"
+        },
+        {
+            "Action": [
+                "ec2:DescribeVpcs"
+            ],
+            "Effect": "Allow",
+            "Resource": "*"
         }
     ]
 }
diff --git a/variables.tf b/variables.tf
@@ -69,7 +69,7 @@ variable "eks_ng_capacity_type" {
 variable "eks_ng_desired_size" {
   description = "The desired size to use for the EKS managed node group."
   type        = number
-  default     = 2
+  default     = 1
 }
 
 variable "eks_ng_instance_types" {
@@ -78,10 +78,16 @@ variable "eks_ng_instance_types" {
   default     = ["t3.xlarge"]
 }
 
+variable "eks_ng_maximum_size" {
+  description = "The maximum size to use for the EKS managed node group."
+  type        = number
+  default     = 10
+}
+
 variable "eks_ng_minimum_size" {
   description = "The minimum size to use for the EKS managed node group."
   type        = number
-  default     = 2
+  default     = 1
 }
 
 variable "enable_k8s_resources" {
@@ -126,9 +132,10 @@ variable "node_security_group_additional_rules" {
   default     = {}
 }
 
-variable "subnet_ids" {
-  description = "A list of private Subnet IDs to launch the Wayfinder EKS Nodes onto."
-  type        = list(string)
+variable "subnet_ids_by_az" {
+  description = "A map of subnet IDs by availability zone."
+  type        = map(list(string))
+  default     = {}
 }
 
 variable "tags" {