diff --git a/apps/04-golang-pgsql/handlers/views/index.html b/apps/04-golang-pgsql/handlers/views/index.html index b8a50ed6..31ef6b0b 100644 --- a/apps/04-golang-pgsql/handlers/views/index.html +++ b/apps/04-golang-pgsql/handlers/views/index.html @@ -1,6 +1,6 @@ - Example Bank Global + CPF Payment App Example Bank GlobalCPF Payment App diff --git a/bundles/banking-eks-demo/README.md b/bundles/banking-eks-demo/README.md new file mode 100644 index 00000000..051a4731 --- /dev/null +++ b/bundles/banking-eks-demo/README.md @@ -0,0 +1,175 @@ +### The Banking Demo + +The goal is to show off a variety of features in Code Pipes including: +- base environment template with classifications for dev/prod and promotion sequence +- enforcement of different policies on the 2 envs (CC-Best-Practices and CC-SOC2) +- use the dependency mechanism for an RDS PostgreSQL DB +- Deployment to AppRunner that includes Terraform outputs being passed to the deployment +- App Integration that has some checks and builds a container pushed to ECR +- Promotion of multiple versions of the app from Dev to Prod + +#### Setup Notes + +###### ECR +The docker container built from the banking-app is being pushed to a private ECR repo in the vanguard-sso acct (543332486884.dkr.ecr.us-east-1.amazonaws.com/banking-app) +The repo (i.e. banking-app) needs to be pre-created in ECR before any of this works. Also some permisssions need to be granted on the repo to enable the cross-account sharing required. +(see note below) + +#### Env Template and Classification Setup +Used tools/cust-acct-setup to create CP LZ in each account (doug-test-cust and doug-test1) + +``` +$ codepipes env template create -n eks-base -r https://github.com/cldcvr/codepipes-tutorials -v branch:main --dir /tfs/aws-eks-vpc --tfversion 1.3.7 +id: f222be09-0bd7-4792-a842-35648a9acd00 + +# dev env with policy CC-Best (bd04a6ca-9043-4135-9299-d490c42dfe12) +$ codepipes class create -n Dev -p bd04a6ca-9043-4135-9299-d490c42dfe12 -t aws_region=us-east-1 +id: e28ed565-b5f5-4cbf-94a1-1620ca736bd1 + +# prod env with SOC2 (61755ba8-41c5-4ff8-80ce-58133190b25a) +$ codepipes class create -n Prod -p 61755ba8-41c5-4ff8-80ce-58133190b25a -t aws_region=us-east-1 -a e28ed565-b5f5-4cbf-94a1-1620ca736bd1 +id: 56799bc5-7970-4a41-a7e5-e46fa7f7f66a + +# then into the UI: +- added the credentials with the classifications attached +- created the env set under environments tab + +``` + +#### Dependency Setup +``` +$ codepipes comp create -i Postgres-Database -f rds-comp-vars.yml -m terraform-aws-modules/rds/aws -v 5.6.0 +id: c0bb89b7-b917-4ec3-b7f5-ba16cf8f3b73 + +$ cpi dependency create --name PostgresDB -o DB_HOST:"DB Host name" -o DB_PORT:"DB Port" -o DB_USER:"DB Username" -o DB_PASSWORD:"DB Password" -o DB_NAME:"DB Name" +id: 0cf23a62-3e0c-4132-afd0-56661f995bcf + +$ cpi dep resolver create --dep 0cf23a62-3e0c-4132-afd0-56661f995bcf -p c0bb89b7-b917-4ec3-b7f5-ba16cf8f3b73 -o DB_HOST:db_instance_address -o DB_PORT:db_instance_port -o DB_USER:db_instance_username -o DB_PASSWORD:db_instance_password -o DB_NAME:db_instance_name +id: c5006096-eb98-49ae-b98b-f0fb8009cbde + +``` +NOTE: The example component inputs configuration file - rds-comp-var.yml - used here has RDS deletion protection enabled. This is because this demo was bing tested in an environment with some SOC2 controls enabled (including a verification that delete protection was enabled for RDS). + +There is also a shell script that will do this: create-deps.sh: +``` +# create_deps.sh +$ ./create-deps.sh 3b9f3ca3-cb95-484f-b418-29e07dc3891f +Using config file: /Users/doug/.codepipes.yml +Value for 'organization' set to '3b9f3ca3-cb95-484f-b418-29e07dc3891f' +Created component: 2ebbc145-8489-49a5-8d49-6676de2bad3c +Created dependency: 33492720-992c-487d-80f3-60ec95f5e080 +Created resolver: 7f45818c-010d-4da4-a6ea-57e803750784 +``` + +#### Code Pipes Project/Env/App setup + +###### Environments + +1. Create project +2. Create an environment set using the "AppRunner-Base" template from the project page in UI. + +This should end up creating two environments ( dev & prod ). Inheriting the policy sets from classifications. + +##### credentials +1. You will need AWS credentials (i.e. access key/secret) for the Dev and Prod envs (AWS-Dev, AWS-Prod) +2. You will need AWS credentials for the AWS acct where the ECR container is (AWS-VG-SSO) +3. Github credentials +4. Assign all credentials as following + - **AWS-Dev**: Apply to Project As Cloud + - use to run dev-infra deployment + - use to run app dev-deployment + - use to run app integration + - **AWS-Prod**: Apply to Prod-Env As Cloud + - use to run prod-infra deployment + - use to run app prod-deployment + - **AWS-VG-SSO**: Apply to Project As Container + - use to run app integration and write the container image in ECR + - use to access container image (ECR) in app dev-deployment pipeline + - use to access container image (ECR) in app prod-deployment pipeline + - **GitHub**: Apply to Project As Git + - workaround for an unknown bug. the flow should work without this as we are using a public repo. + +###### Application +Apply bundle from "bundles/banking-demo" repo "github.com/cldcvr/codepipes-tutorials" +``` +$ codepipes bundle plan +Using config file: /Users/doug/.codepipes.yml +Processing plan for bundle: + Repo: https://github.com/cldcvr/codepipes-tutorials + Directory: /bundles/banking-demo + Bundle File: (default) + Revision: branch:main + +Organization: 5fbf2111-9e53-4a53-a9b8-9dada882b372 +Project: Banking-Demo (New) + +$ codepipes bundle apply --skipPipelines +``` + +Note: Bundle apply should create the app entity, app integration entity, and the app deployment entities in both the environments from the set above. + +#### Deploy +1. Run deploy pipeline of both development and production environment +2. Run app integration pipeline +3. Run app promotion to development environment +4. Run app promotion to production environment + +###### Issue #1: +Availability Zones: UnauthorizedOperation: +The IAM user created by the cust-acct-setup doesn't have perms for this - added PowerUserAccess (Ultimately had to give AdminAccess - TBD figure out least amount of permissions for this) + +#### Cross-Account ECR sharing setup +Need to setup cross-account sharing for the ECR image (app int pushes to one AWS acct and it used by the 2 other accounts) +I followed this: +https://docs.aws.amazon.com/apprunner/latest/dg/service-source-image.html + +Here is the policy I put on the source acct: +``` +{ + "Version": "2008-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": [ + "arn:aws:iam::276634098631:user/codepipes", + "arn:aws:iam::276634098631:root" + ] + }, + "Action": [ + "ecr:BatchCheckLayerAvailability", + "ecr:BatchGetImage", + "ecr:DescribeImages", + "ecr:GetAuthorizationToken", + "ecr:GetDownloadUrlForLayer" + ] + }, + { + "Effect": "Allow", + "Principal": { + "AWS": [ + "arn:aws:iam::565172557751:root", + "arn:aws:iam::565172557751:user/codepipes" + ] + }, + "Action": [ + "ecr:BatchCheckLayerAvailability", + "ecr:BatchGetImage", + "ecr:DescribeImages", + "ecr:GetAuthorizationToken", + "ecr:GetDownloadUrlForLayer" + ] + } + ] +} +``` + +### Issues + +1. UI is very confusing with respect to using classifications with creds and variables as they don't show up anywhere. After the envs are created, each env shows no variables even though there is a var on the classification. + +2. CLI doesn't show the classification ID in the creds get output + +3. UI won't let me edit the git repo info (i.e. branch) on the env . Doing from CLI returns success but values aren't UPDATED!!! + + diff --git a/bundles/banking-eks-demo/app-banking-app.yaml b/bundles/banking-eks-demo/app-banking-app.yaml new file mode 100755 index 00000000..8a0558e8 --- /dev/null +++ b/bundles/banking-eks-demo/app-banking-app.yaml @@ -0,0 +1,29 @@ +schema_version: v1.0.0 +application: + name: banking-app + artifacts: + - id: fc0498a5-6157-41fd-a391-e12a72e2b34b + name: banking-app-src + gitCode: + type: branch + identifier: pranay/VAN-3958 + repo: https://github.com/cldcvr/codepipes-tutorials + dir: /apps/04-golang-pgsql/ + driver: github + - id: eac84f49-6b31-4c03-85b8-7bf3a07f4627 + name: banking-app-image + containerImage: + provider: elastic_container_registry + host: 543332486884.dkr.ecr.us-east-1.amazonaws.com + repo: banking-app + reference: latest + versionTagPattern: "[a-fO-9]+" + dependsOn: + PostgresDB: + dependencyName: PostgresDB + outputs: + DB_HOST: DB_HOST + DB_NAME: DB_NAME + DB_PASSWORD: DB_PASSWORD + DB_PORT: DB_PORT + DB_USER: DB_USER diff --git a/bundles/banking-eks-demo/create-deps.sh b/bundles/banking-eks-demo/create-deps.sh new file mode 100755 index 00000000..3b81bd0e --- /dev/null +++ b/bundles/banking-eks-demo/create-deps.sh @@ -0,0 +1,65 @@ +#!/usr/bin/env bash + +set -e +# set -x + +function execute { + set +e + local __return=$1 + local cmd="$2" + local cutdelim=':' + local cutfield=2 + local extra_grep= + [[ $# -ge 3 ]] && cutdelim="$3" + [[ $# -ge 4 ]] && cutfield=$4 + [[ $# -eq 5 ]] && extra_grep="$5" + + if [[ -z ${extra_grep} ]]; then + rv=$(eval "${cmd} 2>&1" | grep -v Using) + else + rv=$(eval "${cmd} 2>&1" | grep -v Using | grep -v ${extra_grep}) + fi + exit=$? + if [[ ${exit} -eq 1 ]]; then + eval "$__return=''" + return 0 + fi + + if [[ ${exit} -ne 0 ]]; then + echo "Error executing: ${cmd}" + echo "Error is: ${rv}" + else + output=$(eval "echo ${rv//[$'\t\r\n']}" | cut -d "${cutdelim}" -f ${cutfield}) + eval "$__return='${output}'" + fi + set -e + return ${exit} +} + +[[ -z ${1} ]] && echo "Org ID is missing" && exit 1 +codepipes state set organization $1 + +# Delete the dependency +execute DEP_ID "codepipes dep list" " " 1 "ID" +if [[ -n ${DEP_ID} ]]; then + # Delete the resolver + execute RES_ID "codepipes dep resolver list --dep ${DEP_ID}" " " 1 "ID" + [[ -n ${RES_ID} ]] && codepipes dep resolver delete --dep ${DEP_ID} $RES_ID + codepipes dep delete ${DEP_ID} +fi + +# Delete the component +execute COMP_ID "codepipes comp list" " " 1 "ID" +[[ -n ${COMP_ID} ]] && codepipes comp delete $COMP_ID + +# Create the component +execute COMP_ID "codepipes comp create -i Postgres-Database -f rds-comp-vars.yml -m terraform-aws-modules/rds/aws -v 5.6.0" +echo "Created component: ${COMP_ID}" + +# Create the dependency +execute DEP_ID 'codepipes dependency create --name PostgresDB -o DB_HOST:"DB Host name" -o DB_PORT:"DB Port" -o DB_USER:"DB Username" -o DB_PASSWORD:"DB Password" -o DB_NAME:"DB Name"' +echo "Created dependency: ${DEP_ID}" + +# Create the resolver +execute RES_ID "codepipes dep resolver create --dep ${DEP_ID} -p ${COMP_ID} -o DB_HOST:db_instance_address -o DB_PORT:db_instance_port -o DB_USER:db_instance_username -o DB_PASSWORD:db_instance_password -o DB_NAME:db_instance_name" +echo "Created resolver: ${RES_ID}" diff --git a/bundles/banking-eks-demo/deployment-banking-app-dev.yaml b/bundles/banking-eks-demo/deployment-banking-app-dev.yaml new file mode 100755 index 00000000..1b664b78 --- /dev/null +++ b/bundles/banking-eks-demo/deployment-banking-app-dev.yaml @@ -0,0 +1,20 @@ +schema_version: v1.0.0 +deployment: + name: banking-app-dev + deploymentConfig: + artifact: + id: eac84f49-6b31-4c03-85b8-7bf3a07f4627 + containerImage: + reference: v1.0.0 + template: + moduleRefId: aws:basic-eks-regional@1 + inputs: + cluster: ${terraform.cluster_name.value} + region: ${terraform.cluster_region.value} + roleArn: ${terraform.eks_arn.value} + env: + DB_SSLMODE: disable +application: + import: app-banking-app.yaml +environment: + import: environment-dev-eks-base.yaml diff --git a/bundles/banking-eks-demo/deployment-banking-app-prod.yaml b/bundles/banking-eks-demo/deployment-banking-app-prod.yaml new file mode 100755 index 00000000..60e260bc --- /dev/null +++ b/bundles/banking-eks-demo/deployment-banking-app-prod.yaml @@ -0,0 +1,20 @@ +schema_version: v1.0.0 +deployment: + name: banking-app-prod + deploymentConfig: + artifact: + id: eac84f49-6b31-4c03-85b8-7bf3a07f4627 + containerImage: + reference: v1.0.0 + template: + moduleRefId: aws:basic-eks-regional@1 + inputs: + cluster: ${terraform.cluster_name.value} + region: ${terraform.cluster_region.value} + roleArn: ${terraform.eks_arn.value} + env: + DB_SSLMODE: disable +application: + import: app-banking-app.yaml +environment: + import: environment-prod-eks-base.yaml diff --git a/bundles/banking-eks-demo/environment-dev-eks-base.yaml b/bundles/banking-eks-demo/environment-dev-eks-base.yaml new file mode 100755 index 00000000..ef31d244 --- /dev/null +++ b/bundles/banking-eks-demo/environment-dev-eks-base.yaml @@ -0,0 +1,11 @@ +schema_version: v1.0.0 +environment: + name: Dev-eks-base + description: Dev environment for EKS-base + revision: + type: branch + identifier: pranay/VAN-3958 + repo: https://github.com/cldcvr/codepipes-tutorials + dir: /tfs/aws-eks-vpc + driver: github + tfVersion: 1.3.7 diff --git a/bundles/banking-eks-demo/environment-prod-eks-base.yaml b/bundles/banking-eks-demo/environment-prod-eks-base.yaml new file mode 100755 index 00000000..76739c89 --- /dev/null +++ b/bundles/banking-eks-demo/environment-prod-eks-base.yaml @@ -0,0 +1,11 @@ +schema_version: v1.0.0 +environment: + name: Prod-eks-base + description: Prod environment for eks-base + revision: + type: branch + identifier: pranay/VAN-3958 + repo: https://github.com/cldcvr/codepipes-tutorials + dir: /tfs/aws-eks-vpc + driver: github + tfVersion: 1.3.7 diff --git a/bundles/banking-eks-demo/index.yaml b/bundles/banking-eks-demo/index.yaml new file mode 100755 index 00000000..384c1a03 --- /dev/null +++ b/bundles/banking-eks-demo/index.yaml @@ -0,0 +1,8 @@ +schema_version: v1.0.0 +project: + name: Banking-Demo +deployments: + - import: deployment-banking-app-dev.yaml + - import: deployment-banking-app-prod.yaml +integrations: + - import: integration-banking-app-integration-pipeline.yaml diff --git a/bundles/banking-eks-demo/integration-banking-app-integration-pipeline.yaml b/bundles/banking-eks-demo/integration-banking-app-integration-pipeline.yaml new file mode 100755 index 00000000..3ca8efc2 --- /dev/null +++ b/bundles/banking-eks-demo/integration-banking-app-integration-pipeline.yaml @@ -0,0 +1,23 @@ +schema_version: v1.0.0 +integration: + name: banking-app-integration-pipeline + inputAppArtifact: + id: fc0498a5-6157-41fd-a391-e12a72e2b34b + outputAppArtifact: + id: eac84f49-6b31-4c03-85b8-7bf3a07f4627 + config: + buildPlatform: aws + vars: + GO_BASE_IMAGE: public.ecr.aws/p0k3r4s4/golang:1.19-alpine + RUNTIME_BASE_IMAGE: public.ecr.aws/p0k3r4s4/alpine + VERSION: v1.0.0 + pipeline: + - moduleRefId: aws:docker-build-n-push@1 + inputs: + docker_build_args: + - --build-arg GO_BASE_IMAGE=$GO_BASE_IMAGE + - --build-arg RUNTIME_BASE_IMAGE=$RUNTIME_BASE_IMAGE + - --build-arg VERSION=$VERSION + use_github_tag: false +application: + import: app-banking-app.yaml diff --git a/bundles/banking-eks-demo/rds-comp-vars.yml b/bundles/banking-eks-demo/rds-comp-vars.yml new file mode 100644 index 00000000..148a9e0c --- /dev/null +++ b/bundles/banking-eks-demo/rds-comp-vars.yml @@ -0,0 +1,21 @@ +terraform: + insensitive: + identifier: "banking-app-db" + engine: "postgres" + engine_version: "14" + family: "postgres14" + major_engine_version: "14" + instance_class: "db.t3.micro" + allocated_storage: "10" + max_allocated_storage: "20" + db_name: "db1" + username: "dbuser" + port: "5432" + skip_final_snapshot: true + vpc_security_group_ids: "[\"${aws_security_group.dbsg.id}\"]" + db_subnet_group_name: "\"${aws_db_subnet_group.database.name}\"" + deletion_protection: true + iam_database_authentication_enabled: true + create_cloudwatch_log_group: true + enabled_cloudwatch_logs_exports: "[\"postgresql\", \"upgrade\"]" + backup_retention_period: "1" diff --git a/tfs/aws-eks-vpc/README.md b/tfs/aws-eks-vpc/README.md new file mode 100644 index 00000000..1d85e9f6 --- /dev/null +++ b/tfs/aws-eks-vpc/README.md @@ -0,0 +1,118 @@ + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 0.12 | +| [terraform](#requirement\_terraform) | >= 0.13.1 | +| [aws](#requirement\_aws) | 3.74 | +| [helm](#requirement\_helm) | 2.1.2 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | 3.74 | +| [helm](#provider\_helm) | 2.1.2 | +| [http](#provider\_http) | n/a | +| [kubernetes](#provider\_kubernetes) | n/a | +| [null](#provider\_null) | n/a | +| [random](#provider\_random) | n/a | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [container-insights](#module\_container-insights) | Young-ook/eks/aws//modules/container-insights | 1.4.13 | + +## Resources + +| Name | Type | +|------|------| +| [aws_acm_certificate.main](https://registry.terraform.io/providers/hashicorp/aws/3.74/docs/resources/acm_certificate) | resource | +| [aws_acm_certificate_validation.main](https://registry.terraform.io/providers/hashicorp/aws/3.74/docs/resources/acm_certificate_validation) | resource | +| [aws_db_instance.default](https://registry.terraform.io/providers/hashicorp/aws/3.74/docs/resources/db_instance) | resource | +| [aws_db_subnet_group.database](https://registry.terraform.io/providers/hashicorp/aws/3.74/docs/resources/db_subnet_group) | resource | +| [aws_eks_cluster.demo](https://registry.terraform.io/providers/hashicorp/aws/3.74/docs/resources/eks_cluster) | resource | +| [aws_eks_node_group.demo](https://registry.terraform.io/providers/hashicorp/aws/3.74/docs/resources/eks_node_group) | resource | +| [aws_elasticache_cluster.demo](https://registry.terraform.io/providers/hashicorp/aws/3.74/docs/resources/elasticache_cluster) | resource | +| [aws_elasticache_subnet_group.redis](https://registry.terraform.io/providers/hashicorp/aws/3.74/docs/resources/elasticache_subnet_group) | resource | +| [aws_iam_instance_profile.node](https://registry.terraform.io/providers/hashicorp/aws/3.74/docs/resources/iam_instance_profile) | resource | +| [aws_iam_openid_connect_provider.cluster](https://registry.terraform.io/providers/hashicorp/aws/3.74/docs/resources/iam_openid_connect_provider) | resource | +| [aws_iam_policy.AWSLoadBalancerControllerIAMPolicy](https://registry.terraform.io/providers/hashicorp/aws/3.74/docs/resources/iam_policy) | resource | +| [aws_iam_policy.AWSVisualEditorPolicy](https://registry.terraform.io/providers/hashicorp/aws/3.74/docs/resources/iam_policy) | resource | +| [aws_iam_role.cluster](https://registry.terraform.io/providers/hashicorp/aws/3.74/docs/resources/iam_role) | resource | +| [aws_iam_role.node](https://registry.terraform.io/providers/hashicorp/aws/3.74/docs/resources/iam_role) | resource | +| [aws_iam_role_policy_attachment.cluster-AWSVisualEditorPolicy](https://registry.terraform.io/providers/hashicorp/aws/3.74/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.cluster-AmazonEKSClusterPolicy](https://registry.terraform.io/providers/hashicorp/aws/3.74/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.cluster-AmazonEKSServicePolicy](https://registry.terraform.io/providers/hashicorp/aws/3.74/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.cluster-AmazonEKSVPCResourceController](https://registry.terraform.io/providers/hashicorp/aws/3.74/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.cluster-AmazonVPCFullAccess](https://registry.terraform.io/providers/hashicorp/aws/3.74/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.node-AWSLoadBalancerControllerIAMPolicy](https://registry.terraform.io/providers/hashicorp/aws/3.74/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.node-AmazonEC2ContainerRegistryReadOnly](https://registry.terraform.io/providers/hashicorp/aws/3.74/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.node-AmazonEKSWorkerNodePolicy](https://registry.terraform.io/providers/hashicorp/aws/3.74/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.node-AmazonEKS_CNI_Policy](https://registry.terraform.io/providers/hashicorp/aws/3.74/docs/resources/iam_role_policy_attachment) | resource | +| [aws_iam_role_policy_attachment.node-AmazonVPCFullAccess](https://registry.terraform.io/providers/hashicorp/aws/3.74/docs/resources/iam_role_policy_attachment) | resource | +| [aws_internet_gateway.demo](https://registry.terraform.io/providers/hashicorp/aws/3.74/docs/resources/internet_gateway) | resource | +| [aws_route53_record.main](https://registry.terraform.io/providers/hashicorp/aws/3.74/docs/resources/route53_record) | resource | +| [aws_route_table.demo](https://registry.terraform.io/providers/hashicorp/aws/3.74/docs/resources/route_table) | resource | +| [aws_route_table_association.demo](https://registry.terraform.io/providers/hashicorp/aws/3.74/docs/resources/route_table_association) | resource | +| [aws_security_group.dbsg](https://registry.terraform.io/providers/hashicorp/aws/3.74/docs/resources/security_group) | resource | +| [aws_security_group.demo-cluster](https://registry.terraform.io/providers/hashicorp/aws/3.74/docs/resources/security_group) | resource | +| [aws_security_group.redissg](https://registry.terraform.io/providers/hashicorp/aws/3.74/docs/resources/security_group) | resource | +| [aws_security_group_rule.demo-cluster-ingress-workstation-https](https://registry.terraform.io/providers/hashicorp/aws/3.74/docs/resources/security_group_rule) | resource | +| [aws_subnet.dbsubnet](https://registry.terraform.io/providers/hashicorp/aws/3.74/docs/resources/subnet) | resource | +| [aws_subnet.demo](https://registry.terraform.io/providers/hashicorp/aws/3.74/docs/resources/subnet) | resource | +| [aws_subnet.redissubnet](https://registry.terraform.io/providers/hashicorp/aws/3.74/docs/resources/subnet) | resource | +| [aws_vpc.demo](https://registry.terraform.io/providers/hashicorp/aws/3.74/docs/resources/vpc) | resource | +| [helm_release.aws_alb_controller](https://registry.terraform.io/providers/hashicorp/helm/2.1.2/docs/resources/release) | resource | +| [kubernetes_config_map.aws_auth](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map) | resource | +| [null_resource.delete_ingress](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [null_resource.wait_for_cluster](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [random_string.cluster](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | +| [random_string.role](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | +| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/3.74/docs/data-sources/availability_zones) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/3.74/docs/data-sources/caller_identity) | data source | +| [aws_eks_cluster_auth.cluster_auth](https://registry.terraform.io/providers/hashicorp/aws/3.74/docs/data-sources/eks_cluster_auth) | data source | +| [aws_route53_zone.main](https://registry.terraform.io/providers/hashicorp/aws/3.74/docs/data-sources/route53_zone) | data source | +| [http_http.workstation-external-ip](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source | +| [null_data_source.cluster](https://registry.terraform.io/providers/hashicorp/null/latest/docs/data-sources/data_source) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [aws\_region](#input\_aws\_region) | n/a | `string` | `"us-east-2"` | no | +| [certificate\_enabled](#input\_certificate\_enabled) | n/a | `bool` | `false` | no | +| [cluster-name](#input\_cluster-name) | n/a | `string` | `"codepipes-demo"` | no | +| [cluster\_ipv4\_cidr](#input\_cluster\_ipv4\_cidr) | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | `string` | `"10.0.0.0/16"` | no | +| [domain\_name](#input\_domain\_name) | n/a | `string` | `null` | no | +| [map\_additional\_iam\_roles](#input\_map\_additional\_iam\_roles) | Additional IAM roles to add to `config-map-aws-auth` ConfigMap | 
list(object({
    rolearn  = string
    username = string
    groups   = list(string)
  }))
| `[]` | no | +| [node-group-name](#input\_node-group-name) | n/a | `string` | `"codepipes-cdn-node-group"` | no | +| [role-eks-demo-node](#input\_role-eks-demo-node) | n/a | `string` | `"codepipes-cdn-eks-demo-node"` | no | +| [vpc-eks-tag-name](#input\_vpc-eks-tag-name) | n/a | `string` | `"codepipes-cdn-eks-demo-tag-name"` | no | +| [wait\_for\_cluster\_cmd](#input\_wait\_for\_cluster\_cmd) | Custom local-exec command to execute for determining if the eks cluster is healthy. Cluster endpoint will be available as an environment variable called ENDPOINT | `string` | `" apk add curl; for i in `seq 1 60`; do curl -k $ENDPOINT/healthz >/dev/null && exit 0 || true; sleep 5; done; echo TIMEOUT && exit 1"` | no | +| [wait\_for\_cluster\_interpreter](#input\_wait\_for\_cluster\_interpreter) | Custom local-exec command line interpreter for the command to determining if the eks cluster is healthy. | `list(string)` | 
[
  "/bin/sh",
  "-c"
]
| no | + +## Outputs + +| Name | Description | +|------|-------------| +| [certificate\_arn](#output\_certificate\_arn) | The ARN of the certificate that is being validated. | +| [cluster\_endpoint](#output\_cluster\_endpoint) | Endpoint for your Kubernetes API server. | +| [cluster\_name](#output\_cluster\_name) | Name of the cluster | +| [cluster\_region](#output\_cluster\_region) | Cluster Region | +| [config\_map\_aws\_auth](#output\_config\_map\_aws\_auth) | Generated AWS Auth Config Map | +| [eks\_arn](#output\_eks\_arn) | ARN of the cluster role. | +| [kubeconfig](#output\_kubeconfig) | kubeconfig file | +| [node\_arn](#output\_node\_arn) | ARN of the node role. | +| [rds\_instance\_address](#output\_rds\_instance\_address) | The hostname of the RDS instance. | +| [rds\_instance\_endpoint](#output\_rds\_instance\_endpoint) | The connection endpoint in address:port format. | +| [rds\_instance\_id](#output\_rds\_instance\_id) | The RDS instance id. | +| [redis\_endpoint](#output\_redis\_endpoint) | Elasticache redis connection endpoint in address:port format. | +| [redis\_hostname](#output\_redis\_hostname) | Elasticache redis address | +| [redis\_port](#output\_redis\_port) | Elasticache redis address | +| [redis\_security\_group\_id](#output\_redis\_security\_group\_id) | ID of the elasticache security group. | +| [security\_group\_id](#output\_security\_group\_id) | ID of the db security group. | +| [subnet\_group\_id](#output\_subnet\_group\_id) | The db subnet group name. | + \ No newline at end of file diff --git a/tfs/aws-eks-vpc/aws-auth.tf b/tfs/aws-eks-vpc/aws-auth.tf new file mode 100644 index 00000000..46209722 --- /dev/null +++ b/tfs/aws-eks-vpc/aws-auth.tf @@ -0,0 +1,55 @@ +locals { + workers_role_arns = [aws_iam_role.cluster.arn, aws_iam_role.node.arn] + + # Add worker nodes role ARNs (could be from many un-managed worker groups) to the ConfigMap + # Note that we don't need to do this for managed Node Groups since EKS adds their roles to the ConfigMap automatically + map_worker_roles = [ + for role_arn in local.workers_role_arns : { + rolearn : role_arn + username : "${role_arn}-user" + groups : [ + "system:bootstrappers", + "system:masters" + ] + } + ] +} + + +provider "kubernetes" { + host = local.cluster_endpoint + cluster_ca_certificate = base64decode(aws_eks_cluster.demo.certificate_authority.0.data) + token = data.aws_eks_cluster_auth.cluster_auth.token +} + +locals { + cluster_endpoint = aws_eks_cluster.demo.endpoint +} + +resource "kubernetes_config_map" "aws_auth" { + depends_on = [aws_eks_cluster.demo] + + metadata { + name = "aws-auth" + namespace = "kube-system" + } + + data = { + mapRoles = yamlencode(distinct(concat(local.map_worker_roles))) + } +} + +resource "null_resource" "wait_for_cluster" { + depends_on = [ + aws_eks_cluster.demo, + aws_security_group.demo-cluster + ] + + provisioner "local-exec" { + command = var.wait_for_cluster_cmd + interpreter = var.wait_for_cluster_interpreter + environment = { + ENDPOINT = aws_eks_cluster.demo.endpoint + } + } +} diff --git a/tfs/aws-eks-vpc/certificates.tf b/tfs/aws-eks-vpc/certificates.tf new file mode 100644 index 00000000..1a079615 --- /dev/null +++ b/tfs/aws-eks-vpc/certificates.tf @@ -0,0 +1,36 @@ +resource "aws_acm_certificate" "main" { + count = var.certificate_enabled ? 1 : 0 + domain_name = "*.${var.domain_name}" + validation_method = "DNS" +} + +data "aws_route53_zone" "main" { + count = var.certificate_enabled ? 1 : 0 + name = var.domain_name + private_zone = false +} + +resource "aws_route53_record" "main" { + for_each = { + for dvo in flatten([ + for cert in aws_acm_certificate.main: cert.domain_validation_options + ]): dvo.domain_name => { + name = dvo.resource_record_name + record = dvo.resource_record_value + type = dvo.resource_record_type + } + } + + allow_overwrite = true + name = each.value.name + records = [each.value.record] + ttl = 60 + type = each.value.type + zone_id = data.aws_route53_zone.main[0].zone_id +} + +resource "aws_acm_certificate_validation" "main" { + count = var.certificate_enabled ? 1 : 0 + certificate_arn = aws_acm_certificate.main[count.index].arn + validation_record_fqdns = [for record in aws_route53_record.main : record.fqdn] +} \ No newline at end of file diff --git a/tfs/aws-eks-vpc/db.tf b/tfs/aws-eks-vpc/db.tf new file mode 100644 index 00000000..893afda3 --- /dev/null +++ b/tfs/aws-eks-vpc/db.tf @@ -0,0 +1,38 @@ +resource "aws_db_subnet_group" "database" { + depends_on =[aws_subnet.dbsubnet] + name = "aws_db_subnet_group-demo-${random_string.role.id}" + subnet_ids = aws_subnet.dbsubnet[*].id + tags = { + Name = "DB subnet group" + } +} + +resource "aws_security_group" "dbsg" { + depends_on =[aws_subnet.dbsubnet] + name = "db-${random_string.role.id}" + description = "security group for db" + vpc_id = aws_vpc.demo.id + + + # Allowing traffic only for Postgres and that too from same VPC only. + ingress { + description = "POSTGRES" + from_port = 5432 + to_port = 5432 + protocol = "tcp" + cidr_blocks = [var.cluster_ipv4_cidr] + } + + + # Allowing all outbound traffic + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + + tags = { + Name = "db-sg" + } +} diff --git a/tfs/aws-eks-vpc/eks-cluster.tf b/tfs/aws-eks-vpc/eks-cluster.tf new file mode 100644 index 00000000..4af95a39 --- /dev/null +++ b/tfs/aws-eks-vpc/eks-cluster.tf @@ -0,0 +1,61 @@ +# +# EKS Cluster Resources +# * IAM Role to allow EKS service to manage other AWS services +# * EC2 Security Group to allow networking traffic with EKS cluster +# * EKS Cluster + +# resource "aws_cloudwatch_log_group" "demo" { +# # The log group name format is /aws/eks//cluster +# # Reference: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html +# name = "/aws/eks/${aws_eks_cluster.demo.name}/cluster" +# retention_in_days = 7 +# # ... potentially other configuration ... +# } + +resource "aws_security_group" "demo-cluster" { + depends_on = [aws_vpc.demo] + name = "eks-demo-cluster-sg-${random_string.cluster.id}" + description = "Cluster communication with worker nodes" + vpc_id = aws_vpc.demo.id + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + + tags = { + Name = "terraform-eks-demo" + } +} + +resource "aws_security_group_rule" "demo-cluster-ingress-workstation-https" { + depends_on = [aws_security_group.demo-cluster] + cidr_blocks = [local.workstation-external-cidr] + description = "Allow workstation to communicate with the cluster API Server" + from_port = 443 + protocol = "tcp" + security_group_id = aws_security_group.demo-cluster.id + to_port = 443 + type = "ingress" +} + +resource "aws_eks_cluster" "demo" { + enabled_cluster_log_types = ["api", "audit","authenticator","controllerManager","scheduler"] + name = "${var.cluster-name}-${random_string.cluster.id}" + role_arn = aws_iam_role.cluster.arn + + vpc_config { + security_group_ids = [aws_security_group.demo-cluster.id] + subnet_ids = aws_subnet.demo[*].id + } + + depends_on = [ + aws_internet_gateway.demo, + aws_security_group.demo-cluster, + aws_iam_role_policy_attachment.cluster-AmazonEKSClusterPolicy, + aws_iam_role_policy_attachment.cluster-AmazonEKSVPCResourceController, + aws_iam_role_policy_attachment.cluster-AmazonVPCFullAccess, + ] +} diff --git a/tfs/aws-eks-vpc/eks-worker-nodes.tf b/tfs/aws-eks-vpc/eks-worker-nodes.tf new file mode 100644 index 00000000..809e9337 --- /dev/null +++ b/tfs/aws-eks-vpc/eks-worker-nodes.tf @@ -0,0 +1,90 @@ +# +# EKS Worker Nodes Resources +# * IAM role allowing Kubernetes actions to access other AWS services +# * EKS Node Group to launch worker nodes +# + +resource "aws_eks_node_group" "demo" { + cluster_name = aws_eks_cluster.demo.name + node_group_name = var.node-group-name + node_role_arn = aws_iam_role.node.arn + subnet_ids = aws_subnet.demo[*].id + + scaling_config { + desired_size = 1 + max_size = 1 + min_size = 1 + } + + depends_on = [ + kubernetes_config_map.aws_auth, + aws_iam_role_policy_attachment.node-AmazonEKSWorkerNodePolicy, + aws_iam_role_policy_attachment.node-AmazonEKS_CNI_Policy, + aws_iam_role_policy_attachment.node-AmazonEC2ContainerRegistryReadOnly, + ] + +} + +resource "null_resource" "delete_ingress" { + triggers = { + cluster_delete_name = aws_eks_cluster.demo.name + cluster_region = var.aws_region + } + depends_on = [ + helm_release.aws_alb_controller, + aws_security_group.demo-cluster, + aws_iam_role_policy_attachment.cluster-AmazonEKSClusterPolicy, + aws_iam_role_policy_attachment.cluster-AmazonEKSVPCResourceController, + aws_iam_role_policy_attachment.cluster-AmazonVPCFullAccess, + aws_iam_role_policy_attachment.cluster-AmazonEKSServicePolicy, + aws_iam_role_policy_attachment.node-AmazonEKSWorkerNodePolicy, + aws_iam_role_policy_attachment.node-AmazonEC2ContainerRegistryReadOnly, + aws_iam_role_policy_attachment.node-AmazonVPCFullAccess, + aws_iam_instance_profile.node, + aws_iam_role_policy_attachment.node-AWSLoadBalancerControllerIAMPolicy, + aws_iam_role_policy_attachment.cluster-AWSVisualEditorPolicy, + aws_iam_openid_connect_provider.cluster, + aws_iam_role.cluster, + aws_iam_role.node, + aws_iam_policy.AWSLoadBalancerControllerIAMPolicy, + aws_route_table_association.demo, + module.container-insights, + aws_route_table.demo, + aws_security_group_rule.demo-cluster-ingress-workstation-https + ] + + provisioner "local-exec" { + when = destroy + command = <