From aca3587fcfe1283b53f87728b4481ae54f1a0202 Mon Sep 17 00:00:00 2001 From: Kashif Saadat Date: Wed, 10 Jan 2024 22:45:23 +0000 Subject: [PATCH 1/4] Wayfinder v2.5.1 (#50) * Wayfinder v2.5.1 and EKS v1.27 * Bump EKS addon versions --- README.md | 12 ++++++------ variables.tf | 12 ++++++------ 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index dae6aaf..528e74e 100644 --- a/README.md +++ b/README.md @@ -63,13 +63,13 @@ The `terraform-docs` utility is used to generate this README. Follow the below s | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [aws\_ebs\_csi\_driver\_addon\_version](#input\_aws\_ebs\_csi\_driver\_addon\_version) | The version to use for the AWS EBS CSI driver. | `string` | `"v1.20.0-eksbuild.1"` | no | -| [aws\_vpc\_cni\_addon\_version](#input\_aws\_vpc\_cni\_addon\_version) | AWS VPC CNI Addon version to use. | `string` | `"v1.13.4-eksbuild.1"` | no | +| [aws\_ebs\_csi\_driver\_addon\_version](#input\_aws\_ebs\_csi\_driver\_addon\_version) | The version to use for the AWS EBS CSI driver. | `string` | `"v1.21.0-eksbuild.1"` | no | +| [aws\_vpc\_cni\_addon\_version](#input\_aws\_vpc\_cni\_addon\_version) | AWS VPC CNI Addon version to use. | `string` | `"v1.14.1-eksbuild.1"` | no | | [cluster\_endpoint\_public\_access\_cidrs](#input\_cluster\_endpoint\_public\_access\_cidrs) | List of CIDR blocks which can access the Amazon EKS API server endpoint. | `list(string)` |
[
"0.0.0.0/0"
]
| no | | [cluster\_security\_group\_additional\_rules](#input\_cluster\_security\_group\_additional\_rules) | List of additional security group rules to add to the cluster security group created. Set `source_node_security_group = true` inside rules to set the `node_security_group` as source. | `any` | `{}` | no | -| [cluster\_version](#input\_cluster\_version) | The Kubernetes version to use for the EKS cluster. | `string` | `"1.26"` | no | +| [cluster\_version](#input\_cluster\_version) | The Kubernetes version to use for the EKS cluster. | `string` | `"1.27"` | no | | [clusterissuer\_email](#input\_clusterissuer\_email) | The email address to use for the cert-manager cluster issuer. | `string` | n/a | yes | -| [coredns\_addon\_version](#input\_coredns\_addon\_version) | CoreDNS Addon version to use. | `string` | `"v1.9.3-eksbuild.9"` | no | +| [coredns\_addon\_version](#input\_coredns\_addon\_version) | CoreDNS Addon version to use. | `string` | `"v1.10.1-eksbuild.6"` | no | | [create\_localadmin\_user](#input\_create\_localadmin\_user) | Whether to create a localadmin user for access to the Wayfinder Portal and API. | `bool` | `true` | no | | [disable\_internet\_access](#input\_disable\_internet\_access) | Whether to disable internet access for EKS and the Wayfinder ingress controller. | `bool` | `false` | no | | [disable\_local\_login](#input\_disable\_local\_login) | Whether to disable local login for Wayfinder. Note: An IDP must be configured within Wayfinder, otherwise you will not be able to log in. | `bool` | `false` | no | 
@@ -86,7 +86,7 @@ The `terraform-docs` utility is used to generate this README. Follow the below s | [enable\_wf\_dnszonemanager](#input\_enable\_wf\_dnszonemanager) | Whether to configure admin CloudAccessConfig for DNS zone management in the account Wayfinder is installed in once installed (requires enable\_k8s\_resources and enable\_wf\_cloudaccess) | `bool` | `false` | no | | [environment](#input\_environment) | The environment name we are provisioning. | `string` | `"production"` | no | | [kms\_key\_administrators](#input\_kms\_key\_administrators) | A list of IAM ARNs for EKS key administrators. If no value is provided, the current caller identity is used to ensure at least one key admin is available. | `list(string)` | `[]` | no | -| [kube\_proxy\_addon\_version](#input\_kube\_proxy\_addon\_version) | Kube Proxy Addon version to use. | `string` | `"v1.26.9-eksbuild.2"` | no | +| [kube\_proxy\_addon\_version](#input\_kube\_proxy\_addon\_version) | Kube Proxy Addon version to use. | `string` | `"v1.27.8-eksbuild.4"` | no | | [node\_security\_group\_additional\_rules](#input\_node\_security\_group\_additional\_rules) | List of additional security group rules to add to the node security group created. Set `source_cluster_security_group = true` inside rules to set the `cluster_security_group` as source. | `any` | `{}` | no | | [subnet\_ids](#input\_subnet\_ids) | A list of private Subnet IDs to launch the Wayfinder EKS Nodes onto. | `list(string)` | n/a | yes | | [tags](#input\_tags) | A map of tags to add to all resources created. | `map(string)` | `{}` | no | 
@@ -97,7 +97,7 @@ The `terraform-docs` utility is used to generate this README. Follow the below s | [wayfinder\_instance\_id](#input\_wayfinder\_instance\_id) | The instance ID to use for Wayfinder. | `string` | n/a | yes | | [wayfinder\_licence\_key](#input\_wayfinder\_licence\_key) | The licence key to use for Wayfinder. | `string` | n/a | yes | | [wayfinder\_release\_channel](#input\_wayfinder\_release\_channel) | The release channel to use for Wayfinder. | `string` | `"wayfinder-releases"` | no | -| [wayfinder\_version](#input\_wayfinder\_version) | The version to use for Wayfinder. | `string` | `"v2.4.6"` | no | +| [wayfinder\_version](#input\_wayfinder\_version) | The version to use for Wayfinder. | `string` | `"v2.5.1"` | no | ## Outputs diff --git a/variables.tf b/variables.tf index 5e46e14..e414a10 100644 --- a/variables.tf +++ b/variables.tf @@ -18,7 +18,7 @@ variable "cluster_security_group_additional_rules" { variable "cluster_version" { description = "The Kubernetes version to use for the EKS cluster." type = string - default = "1.26" + default = "1.27" } variable "create_localadmin_user" { 
@@ -208,29 +208,29 @@ variable "wayfinder_release_channel" {
 variable "wayfinder_version" {
 description = "The version to use for Wayfinder."
 type = string
- default = "v2.4.6"
+ default = "v2.5.1"
 }
 
 variable "aws_ebs_csi_driver_addon_version" {
 description = "The version to use for the AWS EBS CSI driver."
 type = string
- default = "v1.20.0-eksbuild.1"
+ default = "v1.21.0-eksbuild.1"
 }
 
 variable "coredns_addon_version" {
 description = "CoreDNS Addon version to use."
 type = string
- default = "v1.9.3-eksbuild.9"
+ default = "v1.10.1-eksbuild.6"
 }
 
 variable "kube_proxy_addon_version" {
 description = "Kube Proxy Addon version to use."
 type = string
- default = "v1.26.9-eksbuild.2"
+ default = "v1.27.8-eksbuild.4"
 }
 
 variable "aws_vpc_cni_addon_version" {
 description = "AWS VPC CNI Addon version to use."
 type = string
- default = "v1.13.4-eksbuild.1"
+ default = "v1.14.1-eksbuild.1"
 }
From 2fae75c82d62a964f560311963ef558a44c52450 Mon Sep 17 00:00:00 2001
From: Kashif Saadat
Date: Thu, 11 Jan 2024 16:57:32 +0000
Subject: [PATCH 2/4] Correct the CostsEstimates feature type on Wayfinder's cloud access (#52)
---
 wayfinder-cloudaccess.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/wayfinder-cloudaccess.tf b/wayfinder-cloudaccess.tf
index 60311c3..75f004f 100644
--- a/wayfinder-cloudaccess.tf
+++ b/wayfinder-cloudaccess.tf
@@ -36,7 +36,7 @@ resource "kubectl_manifest" "wayfinder_aws_cloudinfo_cloudaccessconfig" {
 permission = "CloudInfo"
 region = data.aws_region.current.name
 role_arn = module.wayfinder_cloudaccess[0].cloud_info_role_arns.aws
- type = "CostEstimates"
+ type = "CostsEstimates"
 })
 }
From c0248d42c6b6ef2fcdf2cd8d7a3f23da4bab7f4d Mon Sep 17 00:00:00 2001
From: Mark Hughes
Date: Wed, 24 Jan 2024 15:53:06 +0000
Subject: [PATCH 3/4] Updates for v2.6 - Add describe VPCs to DNS zone manager for private Route53 zones (#54)
---
 modules/cloudaccess/wf_dns_zone_manager_policy.json | 7 +++++++
 1 file changed, 7 insertions(+)
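Review bot: The corrected value on the `+ type = "CostsEstimates"` line is a bare string literal that has to match the feature name the Wayfinder CloudAccessConfig API expects, and nothing in the hunk ties it to the `enable_wf_costestimates` input that the README documents as "cost estimates", so the same one-character drift can easily be reintroduced by someone "fixing" the apparent misspelling. A short comment above the line, such as `# Feature type must be spelled exactly as the Wayfinder CloudAccessConfig API expects ("CostsEstimates", not "CostEstimates").`, records that the spelling is deliberate. The enclosing `kubectl_manifest` resource starts outside the hunk, so the comment placement is approximate.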
diff --git a/modules/cloudaccess/wf_dns_zone_manager_policy.json b/modules/cloudaccess/wf_dns_zone_manager_policy.json
index 423da74..36af814 100644
--- a/modules/cloudaccess/wf_dns_zone_manager_policy.json
+++ b/modules/cloudaccess/wf_dns_zone_manager_policy.json
@@ -41,6 +41,13 @@
 ],
 "Effect": "Allow",
 "Resource": "*"
+ },
+ {
+ "Action": [
+ "ec2:DescribeVpcs"
+ ],
+ "Effect": "Allow",
+ "Resource": "*"
 }
 ]
 }
From 0143fc08c32c9a5f57c9c87f200405147ff52818 Mon Sep 17 00:00:00 2001
From: Kashif Saadat
Date: Wed, 31 Jan 2024 17:27:16 +0000
Subject: [PATCH 4/4] Create a Node Group per Availability Zone (#55)
* Create a node group per AZ.
* Update examples to pass required subnet_ids_by_az var to module
---
 README.md | 7 ++++---
 eks.tf | 17 ++++++++++-------
 examples/complete/data.tf | 23 +++++++++++++++++++++++
 examples/complete/main.tf | 2 +-
 examples/complete/vpc.tf | 2 ++
 examples/quickstart/data.tf | 23 +++++++++++++++++++++++
 examples/quickstart/main.tf | 2 +-
 examples/quickstart/vpc.tf | 2 ++
 variables.tf | 17 ++++++++++++-----
 9 files changed, 78 insertions(+), 17 deletions(-)
diff --git a/README.md b/README.md
index 528e74e..d703e44 100644
--- a/README.md
+++ b/README.md
@@ -77,9 +77,10 @@ The `terraform-docs` utility is used to generate this README. Follow the below s
 | [ebs\_csi\_kms\_cmk\_ids](#input\_ebs\_csi\_kms\_cmk\_ids) | List of KMS CMKs to allow EBS CSI to manage encrypted volumes. This is required if EBS encryption is set at the account level with a default KMS CMK. | `list(string)` | `[]` | no |
 | [eks\_aws\_auth\_roles](#input\_eks\_aws\_auth\_roles) | List of IAM Role maps to add to the aws-auth configmap. This is required if you use a different IAM Role for Terraform Plan actions. |
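Review bot: The new `ec2:DescribeVpcs` statement repeats the `"Effect": "Allow"` and `"Resource": "*"` of the statement it is appended after; if that preceding statement (whose `Action` array starts outside the hunk) carries no `Condition`, the action can simply be added to its `Action` list rather than introducing a near-duplicate statement. `"Resource": "*"` is the narrowest option here, since `ec2:DescribeVpcs` is a read-only describe action that does not support resource-level scoping, so there is no ARN to restrict it to. Because JSON policies cannot carry comments, a `"Sid"` on the statement, e.g. `"Sid": "DescribeVpcsForPrivateHostedZones"`, is the only in-file way to record that the grant exists for private Route53 zone association, which the commit title states but the policy does not.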
list(object({
rolearn = string
username = string
groups = list(string)
}))
| `[]` | no | | [eks\_ng\_capacity\_type](#input\_eks\_ng\_capacity\_type) | The capacity type to use for the EKS managed node group. | `string` | `"ON_DEMAND"` | no | -| [eks\_ng\_desired\_size](#input\_eks\_ng\_desired\_size) | The desired size to use for the EKS managed node group. | `number` | `2` | no | +| [eks\_ng\_desired\_size](#input\_eks\_ng\_desired\_size) | The desired size to use for the EKS managed node group. | `number` | `1` | no | | [eks\_ng\_instance\_types](#input\_eks\_ng\_instance\_types) | The instance types to use for the EKS managed node group. | `list(string)` |
[
"t3.xlarge"
]
| no | -| [eks\_ng\_minimum\_size](#input\_eks\_ng\_minimum\_size) | The minimum size to use for the EKS managed node group. | `number` | `2` | no | +| [eks\_ng\_maximum\_size](#input\_eks\_ng\_maximum\_size) | The maximum size to use for the EKS managed node group. | `number` | `10` | no | +| [eks\_ng\_minimum\_size](#input\_eks\_ng\_minimum\_size) | The minimum size to use for the EKS managed node group. | `number` | `1` | no | | [enable\_k8s\_resources](#input\_enable\_k8s\_resources) | Whether to enable the creation of Kubernetes resources for Wayfinder (helm and kubectl manifest deployments). | `bool` | `true` | no | | [enable\_wf\_cloudaccess](#input\_enable\_wf\_cloudaccess) | Whether to configure CloudIdentity resource in Wayfinder for the configured AWS IRSA identity once installed (requires enable\_k8s\_resources) | `bool` | `true` | no | | [enable\_wf\_costestimates](#input\_enable\_wf\_costestimates) | Whether to configure admin CloudAccessConfig for cost estimates in the account Wayfinder is installed in once installed (requires enable\_k8s\_resources and enable\_wf\_cloudaccess) | `bool` | `true` | no | 
@@ -88,7 +89,7 @@ The `terraform-docs` utility is used to generate this README. Follow the below s
 | [kms\_key\_administrators](#input\_kms\_key\_administrators) | A list of IAM ARNs for EKS key administrators. If no value is provided, the current caller identity is used to ensure at least one key admin is available. | `list(string)` | `[]` | no |
 | [kube\_proxy\_addon\_version](#input\_kube\_proxy\_addon\_version) | Kube Proxy Addon version to use. | `string` | `"v1.27.8-eksbuild.4"` | no |
 | [node\_security\_group\_additional\_rules](#input\_node\_security\_group\_additional\_rules) | List of additional security group rules to add to the node security group created. Set `source_cluster_security_group = true` inside rules to set the `cluster_security_group` as source. | `any` | `{}` | no |
-| [subnet\_ids](#input\_subnet\_ids) | A list of private Subnet IDs to launch the Wayfinder EKS Nodes onto. | `list(string)` | n/a | yes |
+| [subnet\_ids\_by\_az](#input\_subnet\_ids\_by\_az) | A map of subnet IDs by availability zone. | `map(list(string))` | `{}` | no |
 | [tags](#input\_tags) | A map of tags to add to all resources created. | `map(string)` | `{}` | no |
 | [vpc\_id](#input\_vpc\_id) | The VPC ID for the Wayfinder EKS Cluster to be built within. | `string` | n/a | yes |
 | [wayfinder\_domain\_name\_api](#input\_wayfinder\_domain\_name\_api) | The domain name to use for the Wayfinder API (e.g. api.wayfinder.example.com). | `string` | n/a | yes |
diff --git a/eks.tf b/eks.tf
index b683995..08e2c1d 100644
--- a/eks.tf
+++ b/eks.tf
@@ -11,7 +11,7 @@ module "eks" {
 cluster_endpoint_public_access = !var.disable_internet_access
 cluster_endpoint_public_access_cidrs = var.cluster_endpoint_public_access_cidrs
 kms_key_administrators = var.kms_key_administrators
- subnet_ids = var.subnet_ids
+ subnet_ids = distinct(flatten(values(var.subnet_ids_by_az)))
 vpc_id = var.vpc_id
 cluster_addons = {
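Review bot: The new `subnet_ids = distinct(flatten(values(var.subnet_ids_by_az)))` line evaluates to an empty list whenever `subnet_ids_by_az` is left at the `default = {}` this patch gives it in variables.tf, whereas the replaced `subnet_ids` had no default and so made omitting it a plan-time error; the commit body itself still calls the new input "required", and the README row in this hunk now advertises it as optional. With the empty default the `eks_managed_node_groups` for-expression in the next eks.tf hunk (@@ -57) also produces no node groups, so a caller who forgets the input gets a subnet-less cluster rather than a clear error. Dropping the default restores the old behaviour; if it is kept, a `validation` block on the variable should reject an empty map and empty per-AZ lists. The same point applies to the `subnet_ids_by_az` hunk in variables.tf (@@ -126); the `module "eks"` block extends beyond this hunk on both sides.
```hcl
variable "subnet_ids_by_az" {
  description = "A map of private subnet IDs keyed by availability zone; one EKS managed node group is created per key."
  type        = map(list(string))

  validation {
    condition     = length(var.subnet_ids_by_az) > 0 && alltrue([for ids in values(var.subnet_ids_by_az) : length(ids) > 0])
    error_message = "subnet_ids_by_az must contain at least one availability zone, each mapped to at least one subnet ID."
  }
}
```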
@@ -57,12 +57,15 @@ module "eks" {
 }
 eks_managed_node_groups = {
- compute = {
- capacity_type = var.eks_ng_capacity_type
- instance_types = var.eks_ng_instance_types
- desired_size = var.eks_ng_desired_size
- max_size = 10
- min_size = var.eks_ng_minimum_size
+ for az, subnet_ids in var.subnet_ids_by_az : az => {
+ name = "compute-${az}"
+ capacity_type = var.eks_ng_capacity_type
+ desired_size = var.eks_ng_desired_size
+ instance_types = var.eks_ng_instance_types
+ launch_template_name = "compute-${az}"
+ max_size = var.eks_ng_maximum_size
+ min_size = var.eks_ng_minimum_size
+ subnet_ids = subnet_ids
 }
 }
diff --git a/examples/complete/data.tf b/examples/complete/data.tf
index 98332fc..e691c93 100644
--- a/examples/complete/data.tf
+++ b/examples/complete/data.tf
@@ -11,3 +11,26 @@ data "aws_secretsmanager_secret" "wayfinder" {
 data "aws_secretsmanager_secret_version" "wayfinder" {
 secret_id = data.aws_secretsmanager_secret.wayfinder.id
 }
+
+data "aws_subnets" "private_subnets_by_az" {
+ for_each = toset(var.availability_zones)
+ filter {
+ name = "vpc-id"
+ values = [module.vpc.vpc_id]
+ }
+ filter {
+ name = "availability-zone"
+ values = [each.key]
+ }
+ tags = {
+ Tier = "Private"
+ }
+
+ depends_on = [module.vpc]
+}
+
+locals {
+ private_subnets_by_az = {
+ for az, subnet in data.aws_subnets.private_subnets_by_az : az => subnet.ids
+ }
+}
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
index 832b07b..bde21ef 100644
--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -8,7 +8,7 @@ module "wayfinder" {
 dns_zone_arn = data.aws_route53_zone.selected.arn
 environment = var.environment
 kms_key_administrators = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
- subnet_ids = module.vpc.private_subnets
+ subnet_ids_by_az = local.private_subnets_by_az
 tags = var.tags
 vpc_id = module.vpc.vpc_id
 wayfinder_domain_name_api = "api.${var.dns_zone_name}"
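Review bot: `launch_template_name = "compute-${az}"` on the new side is derived from the availability zone alone, so two Wayfinder clusters (or two environments) in the same account and region would request launch templates with identical names unless the eks module still applies a unique name prefix to explicitly named templates, which this hunk does not show; the replaced `compute` group left the template name to the module entirely. Folding a per-cluster discriminator into the name, e.g. `launch_template_name = "${var.environment}-compute-${az}"`, keeps the names distinct without relying on module defaults, and the same consideration applies to `name = "compute-${az}"` if node group names are ever surfaced outside the cluster. The `module "eks"` block starts and ends outside this hunk, so the cluster name argument it uses is not visible here and may be the better discriminator.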
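Review bot: The new `locals` block maps every entry of `var.availability_zones` to `subnet.ids` without checking that the lookup matched anything, and as far as I recall `aws_subnets` returns an empty `ids` list rather than an error when no subnet carries the `Tier = "Private"` tag in that zone, so such an AZ would be handed to the module as a node group with no subnets and only fail at apply time (the `depends_on = [module.vpc]` defers the read to apply, so plan cannot catch it either). Filtering empty results out makes the example self-healing: `for az, subnet in data.aws_subnets.private_subnets_by_az : az => subnet.ids if length(subnet.ids) > 0`. The identical block is added to examples/quickstart/data.tf (@@ -3) in the following hunk and should receive the same change.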
diff --git a/examples/complete/vpc.tf b/examples/complete/vpc.tf
index 82e8450..f611707 100755
--- a/examples/complete/vpc.tf
+++ b/examples/complete/vpc.tf
@@ -17,9 +17,11 @@ module "vpc" {
 public_subnet_tags = merge({
 "kubernetes.io/role/elb" = 1
+ Tier = "Public"
 }, var.tags)
 private_subnet_tags = merge({
 "kubernetes.io/role/internal-elb" = 1
+ Tier = "Private"
 }, var.tags)
 }
diff --git a/examples/quickstart/data.tf b/examples/quickstart/data.tf
index 1552f56..26618a3 100644
--- a/examples/quickstart/data.tf
+++ b/examples/quickstart/data.tf
@@ -3,3 +3,26 @@ data "aws_caller_identity" "current" {}
 data "aws_route53_zone" "selected" {
 name = var.dns_zone_name
 }
+
+data "aws_subnets" "private_subnets_by_az" {
+ for_each = toset(var.availability_zones)
+ filter {
+ name = "vpc-id"
+ values = [module.vpc.vpc_id]
+ }
+ filter {
+ name = "availability-zone"
+ values = [each.key]
+ }
+ tags = {
+ Tier = "Private"
+ }
+
+ depends_on = [module.vpc]
+}
+
+locals {
+ private_subnets_by_az = {
+ for az, subnet in data.aws_subnets.private_subnets_by_az : az => subnet.ids
+ }
+}
diff --git a/examples/quickstart/main.tf b/examples/quickstart/main.tf
index 3b527e5..0303f8c 100644
--- a/examples/quickstart/main.tf
+++ b/examples/quickstart/main.tf
@@ -7,7 +7,7 @@ module "wayfinder" {
 dns_zone_arn = data.aws_route53_zone.selected.arn
 environment = var.environment
 kms_key_administrators = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
- subnet_ids = module.vpc.private_subnets
+ subnet_ids_by_az = local.private_subnets_by_az
 tags = var.tags
 vpc_id = module.vpc.vpc_id
 wayfinder_domain_name_api = "api.${var.dns_zone_name}"
diff --git a/examples/quickstart/vpc.tf b/examples/quickstart/vpc.tf
index 82e8450..f611707 100755
--- a/examples/quickstart/vpc.tf
+++ b/examples/quickstart/vpc.tf
@@ -17,9 +17,11 @@ module "vpc" {
 public_subnet_tags = merge({
 "kubernetes.io/role/elb" = 1
+ Tier = "Public"
 }, var.tags)
 private_subnet_tags = merge({
 "kubernetes.io/role/internal-elb" = 1
+ Tier = "Private"
 }, var.tags)
 }
diff --git a/variables.tf b/variables.tf
index e414a10..c725d61 100644
--- a/variables.tf
+++ b/variables.tf
@@ -69,7 +69,7 @@ variable "eks_ng_capacity_type" {
 variable "eks_ng_desired_size" {
 description = "The desired size to use for the EKS managed node group."
 type = number
- default = 2
+ default = 1
 }
 
 variable "eks_ng_instance_types" {
@@ -78,10 +78,16 @@ variable "eks_ng_instance_types" {
 default = ["t3.xlarge"]
 }
 
+variable "eks_ng_maximum_size" {
+ description = "The maximum size to use for the EKS managed node group."
+ type = number
+ default = 10
+}
+
 variable "eks_ng_minimum_size" {
 description = "The minimum size to use for the EKS managed node group."
 type = number
- default = 2
+ default = 1
 }
 
 variable "enable_k8s_resources" {
@@ -126,9 +132,10 @@ variable "node_security_group_additional_rules" {
 default = {}
 }
 
-variable "subnet_ids" {
- description = "A list of private Subnet IDs to launch the Wayfinder EKS Nodes onto."
- type = list(string)
+variable "subnet_ids_by_az" {
+ description = "A map of subnet IDs by availability zone."
+ type = map(list(string))
+ default = {}
 }
 
 variable "tags" {
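Review bot: The descriptions on the changed and added size variables still speak of "the EKS managed node group" in the singular (`eks_ng_desired_size` in the @@ -69 hunk, the new `eks_ng_maximum_size` and `eks_ng_minimum_size` in the @@ -78 hunk), but after this patch each value is applied to every per-AZ node group, so a user setting `eks_ng_desired_size = 2` across three zones gets six nodes rather than two, and the lowered defaults of `1` only make sense with that multiplication in mind. Suggest `description = "The desired size of the EKS managed node group created in each availability zone."` with matching wording for the minimum and maximum variables. In the @@ -126 hunk the new `subnet_ids_by_az` description also drops the word "private" that the replaced `subnet_ids` carried; `description = "A map of private subnet IDs keyed by availability zone; one node group is created per key."` keeps that guidance and explains the per-key effect.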