diff --git a/examples/from-private-vpc/main.tf b/examples/from-private-vpc/main.tf
index c2d21be..c36d2a3 100644
--- a/examples/from-private-vpc/main.tf
+++ b/examples/from-private-vpc/main.tf
@@ -95,26 +95,26 @@ data "aws_eks_addon_version" "core-dns" {
 }
 resource "aws_eks_addon" "vpc-cni" {
- cluster_name = data.aws_eks_cluster.this.id
- addon_name = "vpc-cni"
- addon_version = data.aws_eks_addon_version.vpc-cni.version
- resolve_conflicts = "OVERWRITE"
+ cluster_name = module.eks.cluster_id
+ addon_name = "vpc-cni"
+ addon_version = data.aws_eks_addon_version.vpc-cni.version
+ resolve_conflicts_on_update = "OVERWRITE"
 service_account_role_arn = module.vpc_cni_ipv4_irsa_role.iam_role_arn
 }
 resource "aws_eks_addon" "core-dns" {
- cluster_name = module.eks.cluster_id
- addon_name = "coredns"
- addon_version = data.aws_eks_addon_version.core-dns.version
- resolve_conflicts = "OVERWRITE"
+ cluster_name = module.eks.cluster_id
+ addon_name = "coredns"
+ addon_version = data.aws_eks_addon_version.core-dns.version
+ resolve_conflicts_on_update = "OVERWRITE"
 }
 resource "aws_eks_addon" "kube-proxy" {
- cluster_name = module.eks.cluster_id
- addon_name = "kube-proxy"
- addon_version = data.aws_eks_addon_version.kube-proxy.version
- resolve_conflicts = "OVERWRITE"
+ cluster_name = module.eks.cluster_id
+ addon_name = "kube-proxy"
+ addon_version = data.aws_eks_addon_version.kube-proxy.version
+ resolve_conflicts_on_update = "OVERWRITE"
 }
 ################################################################################
diff --git a/examples/from-private-vpc/versions.tf b/examples/from-private-vpc/versions.tf
index 1d697f0..06fcc91 100644
--- a/examples/from-private-vpc/versions.tf
+++ b/examples/from-private-vpc/versions.tf
@@ -10,7 +10,7 @@ terraform {
 }
 aws = {
 source = "hashicorp/aws"
- version = "~> 3.75"
+ version = "~> 5.28"
 }
 }
 }
diff --git a/examples/from-private-vpc/vpc/main.tf b/examples/from-private-vpc/vpc/main.tf
index 1b5ed09..8c71135 100644
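Review bot: Replacing `resolve_conflicts = "OVERWRITE"` with only `resolve_conflicts_on_update` leaves the create-time behaviour at the provider default, so the first apply of the vpc-cni, coredns and kube-proxy add-ons against a cluster that already runs the self-managed versions can fail on a conflict where the old attribute used to overwrite them; add `resolve_conflicts_on_create = "OVERWRITE"` next to it in each of the three resources. The switch of vpc-cni to `module.eks.cluster_id` is also worth checking against the pinned EKS module version, which is not visible in this diff: in recent major versions of terraform-aws-modules/eks that output is only populated for Outposts clusters and `module.eks.cluster_name` is the intended value, in which case core-dns and kube-proxy (already on `cluster_id` before this change) have the same problem. The same hunk recurs in from-scratch-with-eks-addon/main.tf (where it also covers ebs_csi), from-scratch-with-private-link/main.tf and from-scratch/main.tf.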
--- a/examples/from-private-vpc/vpc/main.tf
+++ b/examples/from-private-vpc/vpc/main.tf
@@ -14,7 +14,7 @@ locals {
 module "vpc" {
 source = "terraform-aws-modules/vpc/aws"
- version = "~> 2.70"
+ version = "~> 5.2.0"
 create_vpc = true
 name = var.vpc_name
diff --git a/examples/from-scratch-eks-blueprint/main.tf b/examples/from-scratch-eks-blueprint/main.tf
index 6d9aa80..a52854d 100644
--- a/examples/from-scratch-eks-blueprint/main.tf
+++ b/examples/from-scratch-eks-blueprint/main.tf
@@ -25,7 +25,7 @@ provider "aws" {
 module "vpc" {
 source = "terraform-aws-modules/vpc/aws"
- version = "~> 2.70"
+ version = "~> 5.2.0"
 create_vpc = true
 name = var.vpc_name
diff --git a/examples/from-scratch-with-eks-addon/main.tf b/examples/from-scratch-with-eks-addon/main.tf
index 359da67..65d418d 100644
--- a/examples/from-scratch-with-eks-addon/main.tf
+++ b/examples/from-scratch-with-eks-addon/main.tf
@@ -18,7 +18,7 @@ locals {
 module "vpc" {
 source = "terraform-aws-modules/vpc/aws"
- version = "~> 2.70"
+ version = "~> 5.2.0"
 create_vpc = true
 name = var.vpc_name
@@ -30,7 +30,6 @@ module "vpc" {
 single_nat_gateway = true
 enable_dns_hostnames = true
 enable_dns_support = true
- enable_s3_endpoint = true
 tags = {
 "kubernetes.io/cluster/${var.cluster_name}" = "shared",
@@ -47,6 +46,21 @@ module "vpc" {
 }
 }
+module "vpc_endpoints" {
+ source = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
+ version = "~> 5.2.0"
+
+ vpc_id = module.vpc.vpc_id
+
+ endpoints = {
+ s3 = {
+ service = "s3"
+ service_type = "Gateway"
+ tags = { Name = "s3-vpc-endpoint" }
+ },
+ }
+}
+
 ################################################################################
 # Create EKS cluster
 ################################################################################
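Review bot: The new `vpc_endpoints` module creates the S3 gateway endpoint without `route_table_ids`, so no route table is associated with it and S3 traffic from the nodes keeps leaving through the NAT gateway; the removed `enable_s3_endpoint = true` of the v2 VPC module used to associate the VPC's route tables for you. Add `route_table_ids = flatten([module.vpc.private_route_table_ids, module.vpc.public_route_table_ids])` inside the `s3` entry (the private tables are the ones that matter for the nodes). The same hunk recurs in from-scratch-with-private-link/main.tf and from-scratch/main.tf.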
@@ -161,34 +175,34 @@ data "aws_eks_addon_version" "core-dns" {
 }
 resource "aws_eks_addon" "ebs_csi" {
- cluster_name = data.aws_eks_cluster.this.id
- addon_name = "aws-ebs-csi-driver"
- addon_version = data.aws_eks_addon_version.ebs_csi.version
- resolve_conflicts = "OVERWRITE"
+ cluster_name = module.eks.cluster_id
+ addon_name = "aws-ebs-csi-driver"
+ addon_version = data.aws_eks_addon_version.ebs_csi.version
+ resolve_conflicts_on_update = "OVERWRITE"
 service_account_role_arn = module.ebs_csi_irsa_role.iam_role_arn
 }
 resource "aws_eks_addon" "vpc-cni" {
- cluster_name = data.aws_eks_cluster.this.id
- addon_name = "vpc-cni"
- addon_version = data.aws_eks_addon_version.vpc-cni.version
- resolve_conflicts = "OVERWRITE"
+ cluster_name = module.eks.cluster_id
+ addon_name = "vpc-cni"
+ addon_version = data.aws_eks_addon_version.vpc-cni.version
+ resolve_conflicts_on_update = "OVERWRITE"
 service_account_role_arn = module.vpc_cni_ipv4_irsa_role.iam_role_arn
 }
 resource "aws_eks_addon" "core-dns" {
- cluster_name = module.eks.cluster_id
- addon_name = "coredns"
- addon_version = data.aws_eks_addon_version.core-dns.version
- resolve_conflicts = "OVERWRITE"
+ cluster_name = module.eks.cluster_id
+ addon_name = "coredns"
+ addon_version = data.aws_eks_addon_version.core-dns.version
+ resolve_conflicts_on_update = "OVERWRITE"
 }
 resource "aws_eks_addon" "kube-proxy" {
- cluster_name = module.eks.cluster_id
- addon_name = "kube-proxy"
- addon_version = data.aws_eks_addon_version.kube-proxy.version
- resolve_conflicts = "OVERWRITE"
+ cluster_name = module.eks.cluster_id
+ addon_name = "kube-proxy"
+ addon_version = data.aws_eks_addon_version.kube-proxy.version
+ resolve_conflicts_on_update = "OVERWRITE"
 }
 ################################################################################
diff --git a/examples/from-scratch-with-eks-addon/versions.tf b/examples/from-scratch-with-eks-addon/versions.tf
index 1d697f0..06fcc91 100644
--- a/examples/from-scratch-with-eks-addon/versions.tf
+++ b/examples/from-scratch-with-eks-addon/versions.tf
@@ -10,7 +10,7 @@ terraform {
 }
 aws = {
 source = "hashicorp/aws"
- version = "~> 3.75"
+ version = "~> 5.28"
 }
 }
 }
diff --git a/examples/from-scratch-with-private-link/main.tf b/examples/from-scratch-with-private-link/main.tf
index 45f203d..7289566 100644
--- a/examples/from-scratch-with-private-link/main.tf
+++ b/examples/from-scratch-with-private-link/main.tf
@@ -18,7 +18,7 @@ locals {
 module "vpc" {
 source = "terraform-aws-modules/vpc/aws"
- version = "~> 2.70"
+ version = "~> 5.2.0"
 create_vpc = true
 name = var.vpc_name
@@ -30,7 +30,6 @@ module "vpc" {
 single_nat_gateway = true
 enable_dns_hostnames = true
 enable_dns_support = true
- enable_s3_endpoint = true
 tags = {
 "kubernetes.io/cluster/${var.cluster_name}" = "shared",
@@ -47,6 +46,21 @@ module "vpc" {
 }
 }
+module "vpc_endpoints" {
+ source = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
+ version = "~> 5.2.0"
+
+ vpc_id = module.vpc.vpc_id
+
+ endpoints = {
+ s3 = {
+ service = "s3"
+ service_type = "Gateway"
+ tags = { Name = "s3-vpc-endpoint" }
+ },
+ }
+}
+
 ################################################################################
 # Create the privatelink resources (NLB, TargetGroup)
 ################################################################################
@@ -57,6 +71,8 @@ resource "aws_lb" "this" {
 load_balancer_type = "network"
 subnets = module.vpc.private_subnets
+ security_groups = [aws_security_group.this.id]
+
 enable_deletion_protection = false
 enable_cross_zone_load_balancing = true
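Review bot: Adding `security_groups` to `aws_lb.this` is not an in-place change for an NLB that already exists: AWS only lets security groups be attached to a network load balancer at creation time, and as far as I know the 5.x provider plans the none-to-some transition as a replacement, so anyone who already applied this example gets a new load balancer ARN and the `aws_vpc_endpoint_service` and consumer endpoints built on the old one stop working. Worth saying so where the attribute is set, e.g. `# NOTE: security groups can only be set when the NLB is created; on an existing deployment this replaces the load balancer`, and in the example README. The `aws_lb` block starts before this hunk.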
@@ -74,11 +90,12 @@ resource "aws_vpc_endpoint_service_allowed_principal" "service_to_client" {
 }
 resource "aws_lb_target_group" "this" {
- name = "${var.cluster_name}-nlb-tg"
- port = var.target_group.Port
- target_type = "ip"
- protocol = var.target_group.Protocol
- vpc_id = module.vpc.vpc_id
+ name = "${var.cluster_name}-nlb-tg"
+ port = 443
+ target_type = "ip"
+ protocol = "TCP"
+ vpc_id = module.vpc.vpc_id
+ preserve_client_ip = "true"
 depends_on = [
 aws_lb.this
@@ -88,8 +105,8 @@ resource "aws_lb_target_group" "this" {
 resource "aws_lb_listener" "this" {
 load_balancer_arn = aws_lb.this.arn
- protocol = var.target_group.Protocol
- port = var.target_group.Port
+ protocol = "TCP"
+ port = 443
 default_action {
 type = "forward"
 target_group_arn = aws_lb_target_group.this.arn
@@ -97,17 +114,26 @@ resource "aws_lb_listener" "this" {
 }
 resource "aws_security_group" "this" {
- description = "Allow connection between NLB and target"
+ description = "Allow inbound/outbound traffic between NLB and OfAS VPC"
 vpc_id = module.vpc.vpc_id
 }
-resource "aws_security_group_rule" "ingress" {
+resource "aws_security_group_rule" "egress" {
 security_group_id = aws_security_group.this.id
- from_port = var.target_group.Port
- to_port = var.target_group.Port
- protocol = var.target_group.Protocol
+ from_port = 0
+ to_port = 65535
+ protocol = "-1"
+ type = "egress"
+ cidr_blocks = [var.vpc_cidr]
+}
+
+resource "aws_security_group_rule" "ingress_https" {
+ security_group_id = aws_security_group.this.id
+ from_port = 443
+ to_port = 443
+ protocol = "TCP"
 type = "ingress"
- cidr_blocks = ["0.0.0.0/0"]
+ cidr_blocks = [var.vpc_cidr]
 }
@@ -161,7 +187,7 @@ module "eks" {
 }
 ingress_node_9443 = {
 description = "Cluster API to load balancer webhook"
- protocol = "tcp"
+ protocol = "TCP"
 from_port = 9443
 to_port = 9443
 type = "ingress"
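Review bot: `port` and `protocol` are now literals in `aws_lb_target_group.this`, and the same `443`/`"TCP"` pair is typed again in `aws_lb_listener.this` in the next hunk and in the `ingress_https` rule after it, while `var.target_group` presumably still exists in variables.tf and is now unused. Hoist the pair into locals (`target_port = 443`, `target_protocol = "TCP"`) and reference those from the three places, and delete the variable if nothing else reads it. `preserve_client_ip = "true"` would also benefit from a comment on what it is expected to achieve here: if I recall correctly, traffic that reaches the NLB through the PrivateLink endpoint service arrives at the targets with the load balancer node's address regardless of this setting, so it only affects clients inside the VPC — something like `# only affects in-VPC clients; PrivateLink traffic is not client-IP preserved` if that matches your setup.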
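Review bot: The new `egress` rule allows every protocol (`protocol = "-1"`) to the whole `var.vpc_cidr`, although the only flow the NLB needs to originate is towards the targets and their health checks on the target-group port; with `-1` the `0`/`65535` port pair is also meaningless to AWS, which stores all-traffic rules as port 0 to 0 and may show that back as a diff. A rule matching what is actually needed is `protocol = "TCP"`, `from_port = 443`, `to_port = 443` (the same values the target group uses) against the private subnet CIDRs rather than the full VPC. Narrowing `ingress_https` from `0.0.0.0/0` to `var.vpc_cidr` is the right direction, but check that consumers arriving through the PrivateLink endpoint service are still covered: inbound rules on an NLB are evaluated for PrivateLink traffic by default (`enforce_security_group_inbound_rules_on_private_link_traffic` on `aws_lb`), and that source is not inside `var.vpc_cidr`.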
@@ -220,26 +246,26 @@ data "aws_eks_addon_version" "core-dns" {
 }
 resource "aws_eks_addon" "vpc-cni" {
- cluster_name = data.aws_eks_cluster.this.id
- addon_name = "vpc-cni"
- addon_version = data.aws_eks_addon_version.vpc-cni.version
- resolve_conflicts = "OVERWRITE"
+ cluster_name = module.eks.cluster_id
+ addon_name = "vpc-cni"
+ addon_version = data.aws_eks_addon_version.vpc-cni.version
+ resolve_conflicts_on_update = "OVERWRITE"
 service_account_role_arn = module.vpc_cni_ipv4_irsa_role.iam_role_arn
 }
 resource "aws_eks_addon" "core-dns" {
- cluster_name = module.eks.cluster_id
- addon_name = "coredns"
- addon_version = data.aws_eks_addon_version.core-dns.version
- resolve_conflicts = "OVERWRITE"
+ cluster_name = module.eks.cluster_id
+ addon_name = "coredns"
+ addon_version = data.aws_eks_addon_version.core-dns.version
+ resolve_conflicts_on_update = "OVERWRITE"
 }
 resource "aws_eks_addon" "kube-proxy" {
- cluster_name = module.eks.cluster_id
- addon_name = "kube-proxy"
- addon_version = data.aws_eks_addon_version.kube-proxy.version
- resolve_conflicts = "OVERWRITE"
+ cluster_name = module.eks.cluster_id
+ addon_name = "kube-proxy"
+ addon_version = data.aws_eks_addon_version.kube-proxy.version
+ resolve_conflicts_on_update = "OVERWRITE"
 }
 ################################################################################
diff --git a/examples/from-scratch-with-private-link/versions.tf b/examples/from-scratch-with-private-link/versions.tf
index 1d697f0..06fcc91 100644
--- a/examples/from-scratch-with-private-link/versions.tf
+++ b/examples/from-scratch-with-private-link/versions.tf
@@ -10,7 +10,7 @@ terraform {
 }
 aws = {
 source = "hashicorp/aws"
- version = "~> 3.75"
+ version = "~> 5.28"
 }
 }
 }
diff --git a/examples/from-scratch/main.tf b/examples/from-scratch/main.tf
index 066a8f9..6210573 100644
--- a/examples/from-scratch/main.tf
+++ b/examples/from-scratch/main.tf
@@ -18,7 +18,7 @@ locals {
 module "vpc" {
 source = "terraform-aws-modules/vpc/aws"
- version = "~> 2.70"
+ version = "~> 5.2.0"
 create_vpc = true
 name = var.vpc_name
@@ -30,7 +30,6 @@ module "vpc" {
 single_nat_gateway = true
 enable_dns_hostnames = true
 enable_dns_support = true
- enable_s3_endpoint = true
 tags = {
 "kubernetes.io/cluster/${var.cluster_name}" = "shared",
@@ -47,6 +46,21 @@ module "vpc" {
 }
 }
+module "vpc_endpoints" {
+ source = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
+ version = "~> 5.2.0"
+
+ vpc_id = module.vpc.vpc_id
+
+ endpoints = {
+ s3 = {
+ service = "s3"
+ service_type = "Gateway"
+ tags = { Name = "s3-vpc-endpoint" }
+ },
+ }
+}
+
 ################################################################################
 # Create EKS cluster
 ################################################################################
@@ -233,26 +247,26 @@ data "aws_eks_addon_version" "core-dns" {
 }
 resource "aws_eks_addon" "vpc-cni" {
- cluster_name = data.aws_eks_cluster.this.id
- addon_name = "vpc-cni"
- addon_version = data.aws_eks_addon_version.vpc-cni.version
- resolve_conflicts = "OVERWRITE"
+ cluster_name = module.eks.cluster_id
+ addon_name = "vpc-cni"
+ addon_version = data.aws_eks_addon_version.vpc-cni.version
+ resolve_conflicts_on_update = "OVERWRITE"
 service_account_role_arn = module.vpc_cni_ipv4_irsa_role.iam_role_arn
 }
 resource "aws_eks_addon" "core-dns" {
- cluster_name = module.eks.cluster_id
- addon_name = "coredns"
- addon_version = data.aws_eks_addon_version.core-dns.version
- resolve_conflicts = "OVERWRITE"
+ cluster_name = module.eks.cluster_id
+ addon_name = "coredns"
+ addon_version = data.aws_eks_addon_version.core-dns.version
+ resolve_conflicts_on_update = "OVERWRITE"
 }
 resource "aws_eks_addon" "kube-proxy" {
- cluster_name = module.eks.cluster_id
- addon_name = "kube-proxy"
- addon_version = data.aws_eks_addon_version.kube-proxy.version
- resolve_conflicts = "OVERWRITE"
+ cluster_name = module.eks.cluster_id
+ addon_name = "kube-proxy"
+ addon_version = data.aws_eks_addon_version.kube-proxy.version
+ resolve_conflicts_on_update = "OVERWRITE"
 }
 ################################################################################
diff --git a/examples/from-scratch/versions.tf b/examples/from-scratch/versions.tf
index 1d697f0..06fcc91 100644
--- a/examples/from-scratch/versions.tf
+++ b/examples/from-scratch/versions.tf
@@ -10,7 +10,7 @@ terraform {
 }
 aws = {
 source = "hashicorp/aws"
- version = "~> 3.75"
+ version = "~> 5.28"
 }
 }
 }
diff --git a/examples/import-eks-cluster/eks-cluster/main.tf b/examples/import-eks-cluster/eks-cluster/main.tf
index 513b7a5..4653d84 100644
--- a/examples/import-eks-cluster/eks-cluster/main.tf
+++ b/examples/import-eks-cluster/eks-cluster/main.tf
@@ -18,7 +18,7 @@ locals {
 module "vpc" {
 source = "terraform-aws-modules/vpc/aws"
- version = "~> 2.70"
+ version = "~> 5.2.0"
 create_vpc = true
 name = var.vpc_name
diff --git a/examples/import-eks-cluster/versions.tf b/examples/import-eks-cluster/versions.tf
index 1d697f0..06fcc91 100644
--- a/examples/import-eks-cluster/versions.tf
+++ b/examples/import-eks-cluster/versions.tf
@@ -10,7 +10,7 @@ terraform {
 }
 aws = {
 source = "hashicorp/aws"
- version = "~> 3.75"
+ version = "~> 5.28"
 }
 }
 }
diff --git a/examples/import-ocean-cluster/versions.tf b/examples/import-ocean-cluster/versions.tf
index 1d697f0..06fcc91 100644
--- a/examples/import-ocean-cluster/versions.tf
+++ b/examples/import-ocean-cluster/versions.tf
@@ -10,7 +10,7 @@ terraform {
 }
 aws = {
 source = "hashicorp/aws"
- version = "~> 3.75"
+ version = "~> 5.28"
 }
 }
 }