From b2825ea77abe06274a47b69de8d3d244154d189c Mon Sep 17 00:00:00 2001 From: BryanFauble <17128019+BryanFauble@users.noreply.github.com> Date: Tue, 28 May 2024 15:40:50 -0700 Subject: [PATCH] Try different set of VPC rules --- main.tf | 333 +++++++++++++++++++++++++++----------------------------- 1 file changed, 159 insertions(+), 174 deletions(-) diff --git a/main.tf b/main.tf index 79c8c666..663db4ee 100644 --- a/main.tf +++ b/main.tf 
@@ -1,174 +1,159 @@ -resource "aws_iam_role" "admin_role" { - name = "eks_admin_role" - - assume_role_policy = jsonencode({ - Version = "2012-10-17" - Statement = [ - { - Effect = "Allow" - Principal = { - AWS = "arn:aws:iam::766808016710:root" # Replace YOUR_AWS_ACCOUNT_ID with your actual AWS account ID - } - Action = "sts:AssumeRole" - }, - ] - }) - - tags = var.tags -} - -resource "aws_iam_role_policy_attachment" "admin_policy" { - role = aws_iam_role.admin_role.name - policy_arn = "arn:aws:iam::aws:policy/PowerUserAccess" -} - - -module "vpc" { - source = "terraform-aws-modules/vpc/aws" - - name = "spacelift-created-vpc" - cidr = var.cidr - - azs = var.azs - private_subnets = var.private_subnet_cidrs - public_subnets = var.public_subnet_cidrs - - private_subnet_tags = { - Name = "private" - } - - # When removing the Internet gateway it might have allocated from elastic IP addresses - # Turn off the nat_gateway to force the IP addresses to be removed - # > "Network vpc-0f30cfca319ebc521 has some mapped public address(es). 
Please unmap those public address(es) before detaching the gateway."" - create_igw = true - enable_nat_gateway = true - enable_vpn_gateway = false - single_nat_gateway = true - - # Disable inbound rules for the default network ACL - default_network_acl_ingress = [ - { - "action" : "deny", - "cidr_block" : "0.0.0.0/0", - "from_port" : 0, - "protocol" : "-1", - "rule_no" : 100, - "to_port" : 0 - }, - { - "action" : "deny", - "from_port" : 0, - "ipv6_cidr_block" : "::/0", - "protocol" : "-1", - "rule_no" : 101, - "to_port" : 0 - } - ] - - tags = merge( - var.tags, - { - Terraform = "true" - Environment = "dev" - } - ) -} - -module "eks" { - source = "terraform-aws-modules/eks/aws" - version = "~> 20.10" - # version = "~> 20.9" - - depends_on = [module.vpc] - - cluster_name = var.cluster_name - cluster_version = var.cluster_version - - cluster_endpoint_public_access = true - - cluster_addons = { - coredns = { - most_recent = true - } - kube-proxy = { - most_recent = true - } - vpc-cni = { - most_recent = true - } - aws-ebs-csi-driver = { - most_recent = true - } - } - - vpc_id = module.vpc.vpc_id - subnet_ids = module.vpc.private_subnets - cluster_security_group_id = module.vpc.default_security_group_id - - - # EKS Managed Node Group(s) - eks_managed_node_group_defaults = { - instance_types = ["m6i.large", "m5.large", "m5n.large", "m5zn.large"] - } - - eks_managed_node_groups = { - one = { - name = var.eks_nodeGroup - desired_size = 1 - min_size = 0 - max_size = 2 - - instance_types = ["t3.large"] - capacity_type = "SPOT" - iam_role_additional_policies = { - AmazonEBSCSIDriverPolicy = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy", - SecretsManagerReadWrite = "arn:aws:iam::aws:policy/SecretsManagerReadWrite" - } - } - # , - # two = { - # name = "seqera" - # desired_size = 1 - # min_size = 0 - # max_size = 10 - - # instance_types = ["t3.large"] - # capacity_type = "SPOT" - # } - } - iam_role_additional_policies = { - AmazonEBSCSIDriverPolicy = 
"arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy", - SecretsManagerReadWrite = "arn:aws:iam::aws:policy/SecretsManagerReadWrite" - } - - # Cluster access entry - # To add the current caller identity as an administrator - enable_cluster_creator_admin_permissions = true - authentication_mode = "API" - - - access_entries = { - # One access entry with a policy associated - eks_admin_role = { - kubernetes_groups = [] - principal_arn = "arn:aws:iam::766808016710:role/eks_admin_role" - - policy_associations = { - eks_admin_role = { - policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy" - access_scope = { - type = "cluster" - } - } - } - } - # https://docs.aws.amazon.com/eks/latest/userguide/access-policies.html#access-policy-permissions - # TODO: Additional roles that need to be created: - # AmazonEKSAdminViewPolicy? - # AmazonEKSEditPolicy - # AmazonEKSViewPolicy - - } - tags = var.tags -} - +resource "aws_iam_role" "admin_role" { + name = "eks_admin_role" + + assume_role_policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Effect = "Allow" + Principal = { + AWS = "arn:aws:iam::766808016710:root" # Replace YOUR_AWS_ACCOUNT_ID with your actual AWS account ID + } + Action = "sts:AssumeRole" + }, + ] + }) + + tags = var.tags +} + +resource "aws_iam_role_policy_attachment" "admin_policy" { + role = aws_iam_role.admin_role.name + policy_arn = "arn:aws:iam::aws:policy/PowerUserAccess" +} + + +module "vpc" { + source = "terraform-aws-modules/vpc/aws" + + name = "spacelift-created-vpc" + cidr = var.cidr + + azs = var.azs + private_subnets = var.private_subnet_cidrs + public_subnets = var.public_subnet_cidrs + + private_subnet_tags = { + Name = "private" + } + + # When removing the Internet gateway it might have allocated from elastic IP addresses + # Turn off the nat_gateway to force the IP addresses to be removed + # > "Network vpc-0f30cfca319ebc521 has some mapped public address(es). 
Please unmap those public address(es) before detaching the gateway."" + create_igw = true + enable_nat_gateway = true + enable_vpn_gateway = false + single_nat_gateway = true + + manage_default_security_group = true + # default_security_group_egress = [] + default_security_group_ingress = [] + + tags = merge( + var.tags, + { + Terraform = "true" + Environment = "dev" + } + ) +} + +module "eks" { + source = "terraform-aws-modules/eks/aws" + version = "~> 20.10" + # version = "~> 20.9" + + depends_on = [module.vpc] + + cluster_name = var.cluster_name + cluster_version = var.cluster_version + + cluster_endpoint_public_access = true + + cluster_addons = { + coredns = { + most_recent = true + } + kube-proxy = { + most_recent = true + } + vpc-cni = { + most_recent = true + } + aws-ebs-csi-driver = { + most_recent = true + } + } + + vpc_id = module.vpc.vpc_id + subnet_ids = module.vpc.private_subnets + control_plane_subnet_ids = module.vpc.intra_subnets + cluster_security_group_id = module.vpc.default_security_group_id + + + # EKS Managed Node Group(s) + eks_managed_node_group_defaults = { + instance_types = ["m6i.large", "m5.large", "m5n.large", "m5zn.large"] + } + + eks_managed_node_groups = { + one = { + name = var.eks_nodeGroup + desired_size = 1 + min_size = 0 + max_size = 2 + + instance_types = ["t3.large"] + capacity_type = "SPOT" + iam_role_additional_policies = { + AmazonEBSCSIDriverPolicy = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy", + SecretsManagerReadWrite = "arn:aws:iam::aws:policy/SecretsManagerReadWrite" + } + } + # , + # two = { + # name = "seqera" + # desired_size = 1 + # min_size = 0 + # max_size = 10 + + # instance_types = ["t3.large"] + # capacity_type = "SPOT" + # } + } + iam_role_additional_policies = { + AmazonEBSCSIDriverPolicy = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy", + SecretsManagerReadWrite = "arn:aws:iam::aws:policy/SecretsManagerReadWrite" + } + + # Cluster access entry + # To add the current 
caller identity as an administrator + enable_cluster_creator_admin_permissions = true + authentication_mode = "API" + + + access_entries = { + # One access entry with a policy associated + eks_admin_role = { + kubernetes_groups = [] + principal_arn = "arn:aws:iam::766808016710:role/eks_admin_role" + + policy_associations = { + eks_admin_role = { + policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy" + access_scope = { + type = "cluster" + } + } + } + } + # https://docs.aws.amazon.com/eks/latest/userguide/access-policies.html#access-policy-permissions + # TODO: Additional roles that need to be created: + # AmazonEKSAdminViewPolicy? + # AmazonEKSEditPolicy + # AmazonEKSViewPolicy + + } + tags = var.tags +} +
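Review bot: `control_plane_subnet_ids = module.vpc.intra_subnets` is added to module "eks", but the module "vpc" block in the same hunk declares only `private_subnets` and `public_subnets`, so the vpc module's `intra_subnets` output is presumably an empty list and the control plane ENIs will most likely still be placed by `subnet_ids` (the private subnets) rather than in isolated subnets. If that isolation is the intent, add `intra_subnets = var.intra_subnet_cidrs` (and the matching variable) to module "vpc"; otherwise drop the line so the configuration says what it does. Separately, the VPC default security group is now managed with `default_security_group_ingress = []` while `default_security_group_egress` is left commented out, and that same default SG is handed to EKS as `cluster_security_group_id`; it is worth confirming that the EKS module honours a passed-in group at this version (I believe the "~> 20.10" module only does so when `create_cluster_security_group = false`) and that emptying its ingress does not cut node-to-control-plane traffic, since nothing on the new side re-adds such a rule. Dropping the explicit deny-all `default_network_acl_ingress` rules also returns the default NACL to the module's allow-all default, so if the security-group lockdown is meant to replace that control, a comment next to `manage_default_security_group = true` such as `# Default NACL deny rules replaced by locking down the VPC default SG (ingress/egress below)` would keep that decision visible. The `# Replace YOUR_AWS_ACCOUNT_ID` comment on the `aws_iam_role` principal is stale now that a concrete account id is committed, and trusting the account `:root` means any principal in that account with `sts:AssumeRole` rights can reach a role carrying PowerUserAccess plus cluster admin; consider narrowing the trust policy to the specific roles or users that need it.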