diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 46f808f6..c4b10347 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -61,7 +61,7 @@ repos:
 args:
 - '--args=--compact'
 - '--args=--quiet'
- - '--args=--skip-check CKV_CIRCLECIPIPELINES_2,CKV_CIRCLECIPIPELINES_6,CKV2_AWS_11,CKV2_AWS_12,CKV2_AWS_6,CKV_AWS_109,CKV_AWS_111,CKV_AWS_135,CKV_AWS_144,CKV_AWS_145,CKV_AWS_158,CKV_AWS_18,CKV_AWS_184,CKV_AWS_19,CKV_AWS_21,CKV_AWS_66,CKV_AWS_88,CKV2_GHA_1,CKV_AWS_163,CKV_AWS_39,CKV_AWS_38,CKV2_AWS_61,CKV2_AWS_62,CKV_AWS_136,CKV_AWS_329,CKV_AWS_338,CKV_AWS_339,CKV_AWS_341,CKV_AWS_356,CKV2_AWS_19,CKV2_AWS_5,CKV_AWS_150,CKV_AWS_123,CKV2_AWS_65'
+ - '--args=--skip-check CKV_CIRCLECIPIPELINES_2,CKV_CIRCLECIPIPELINES_6,CKV2_AWS_11,CKV2_AWS_12,CKV2_AWS_6,CKV_AWS_109,CKV_AWS_111,CKV_AWS_135,CKV_AWS_144,CKV_AWS_145,CKV_AWS_158,CKV_AWS_18,CKV_AWS_184,CKV_AWS_19,CKV_AWS_21,CKV_AWS_66,CKV_AWS_88,CKV2_GHA_1,CKV_AWS_163,CKV_AWS_39,CKV_AWS_38,CKV2_AWS_61,CKV2_AWS_62,CKV_AWS_136,CKV_AWS_329,CKV_AWS_338,CKV_AWS_339,CKV_AWS_341,CKV_AWS_356,CKV2_AWS_19,CKV2_AWS_5,CKV_AWS_150,CKV_AWS_123,CKV2_AWS_65,CKV_AWS_67,CKV_AWS_382'
 - id: terraform_trivy
 args:
 - '--args=--severity=HIGH,CRITICAL'
diff --git a/modules/eks/main.tf b/modules/eks/main.tf
index 76a123fc..679dc33b 100644
--- a/modules/eks/main.tf
+++ b/modules/eks/main.tf
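Review bot: The `--skip-check` list gains `CKV_AWS_67` and `CKV_AWS_382` with no record of which resource trips them or why the finding is accepted, and because this flag is repository-wide it also silences both checks for every Terraform resource added later. Prefer an inline `#checkov:skip=CKV_AWS_382:<reason>` comment on the specific resource that raised the finding so the suppression stays next to the code it covers and disappears when that code does; if the global list must stay, add a YAML comment above the `--skip-check` line, e.g. `# CKV_AWS_67, CKV_AWS_382: <why accepted>, owner <team>, revisit <ticket-id>` (placeholders). Nothing in the diff says what the two findings were, so I cannot tell whether a code fix instead of a suppression was possible.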
@@ -197,14 +197,24 @@ locals { } : {}) + eks_network_config = aws_eks_cluster.this.kubernetes_network_config[0] + eks_info = { cluster = { specs = { - name = aws_eks_cluster.this.name - endpoint = aws_eks_cluster.this.endpoint - certificate_authority = aws_eks_cluster.this.certificate_authority - kubernetes_network_config = aws_eks_cluster.this.kubernetes_network_config - account_id = data.aws_caller_identity.cluster_aws_account.account_id + name = aws_eks_cluster.this.name + endpoint = aws_eks_cluster.this.endpoint + certificate_authority = aws_eks_cluster.this.certificate_authority + kubernetes_network_config = { + elastic_load_balancing = { + enabled = try(local.eks_network_config.elastic_load_balancing[0].enabled, false) + } + ip_family = local.eks_network_config.ip_family + service_ipv4_cidr = local.eks_network_config.service_ipv4_cidr + service_ipv6_cidr = local.eks_network_config.service_ipv6_cidr + + } + account_id = data.aws_caller_identity.cluster_aws_account.account_id } addons = var.eks.cluster_addons vpc_cni = var.eks.vpc_cni diff --git a/modules/nodes/README.md b/modules/nodes/README.md index 33b774c0..495f14e6 100644 --- a/modules/nodes/README.md +++ b/modules/nodes/README.md @@ -45,7 +45,7 @@ No modules. |------|-------------|------|---------|:--------:| | [additional\_node\_groups](#input\_additional\_node\_groups) | Additional EKS managed node groups definition. |
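Review bot: `eks_network_config = aws_eks_cluster.this.kubernetes_network_config[0]` indexes element 0 unguarded, while the `elastic_load_balancing` read a few lines later is wrapped in `try(..., false)`; the two styles should agree. If the provider always populates exactly one `kubernetes_network_config` block (the removed nodes.tf code also indexed `[0]`, which suggests so, but confirm), drop the `try` so a missing attribute surfaces at plan time instead of silently becoming `false`; otherwise write `eks_network_config = one(aws_eks_cluster.this.kubernetes_network_config)` and guard the three direct attribute reads the same way. There is also a stray empty line before the closing brace of the new `kubernetes_network_config` object; remove it. The enclosing `locals` block starts and ends outside the hunk.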
map(object({| `{}` | no | | [default\_node\_groups](#input\_default\_node\_groups) | EKS managed node groups definition. |
ami = optional(string, null)
bootstrap_extra_args = optional(string, "")
instance_types = list(string)
spot = optional(bool, false)
min_per_az = number
max_per_az = number
max_unavailable_percentage = optional(number, 50)
max_unavailable = optional(number)
desired_per_az = number
availability_zone_ids = list(string)
labels = map(string)
taints = optional(list(object({
key = string
value = optional(string)
effect = string
})), [
{
key = "ebs.csi.aws.com/agent-not-ready",
value = "true",
effect = "NO_EXECUTE"
}
])
tags = optional(map(string), {})
gpu = optional(bool, null)
volume = object({
size = string
type = string
iops = optional(number)
throughput = optional(number, 500)
})
}))
object(| n/a | yes | -| [eks\_info](#input\_eks\_info) | cluster = {
{
compute = object(
{
ami = optional(string, null)
bootstrap_extra_args = optional(string, "")
instance_types = optional(list(string), ["m6i.2xlarge"])
spot = optional(bool, false)
min_per_az = optional(number, 0)
max_per_az = optional(number, 10)
max_unavailable_percentage = optional(number, 50)
max_unavailable = optional(number, null)
desired_per_az = optional(number, 0)
availability_zone_ids = list(string)
labels = optional(map(string), {
"dominodatalab.com/node-pool" = "default"
})
taints = optional(list(object({
key = string
value = optional(string)
effect = string
})), [
{
key = "ebs.csi.aws.com/agent-not-ready",
value = "true",
effect = "NO_EXECUTE"
}
])
tags = optional(map(string), {})
gpu = optional(bool, null)
volume = optional(object({
size = optional(number, 1000)
type = optional(string, "gp3")
iops = optional(number)
throughput = optional(number, 500)
}), {
size = 1000
type = "gp3"
iops = null
throughput = 500
}
)
}),
platform = object(
{
ami = optional(string, null)
bootstrap_extra_args = optional(string, "")
instance_types = optional(list(string), ["m7i-flex.2xlarge"])
spot = optional(bool, false)
min_per_az = optional(number, 1)
max_per_az = optional(number, 10)
max_unavailable_percentage = optional(number, null)
max_unavailable = optional(number, 1)
desired_per_az = optional(number, 1)
availability_zone_ids = list(string)
labels = optional(map(string), {
"dominodatalab.com/node-pool" = "platform"
})
taints = optional(list(object({
key = string
value = optional(string)
effect = string
})), []
)
tags = optional(map(string), {})
gpu = optional(bool, null)
volume = optional(object({
size = optional(number, 100)
type = optional(string, "gp3")
iops = optional(number)
throughput = optional(number)
}), {
size = 100
type = "gp3"
iops = null
throughput = null
}
)
}),
gpu = object(
{
ami = optional(string, null)
bootstrap_extra_args = optional(string, "")
instance_types = optional(list(string), ["g5.2xlarge"])
spot = optional(bool, false)
min_per_az = optional(number, 0)
max_per_az = optional(number, 10)
max_unavailable_percentage = optional(number, 50)
max_unavailable = optional(number, null)
desired_per_az = optional(number, 0)
availability_zone_ids = list(string)
labels = optional(map(string), {
"dominodatalab.com/node-pool" = "default-gpu"
"nvidia.com/gpu" = true
})
taints = optional(list(object({
key = string
value = optional(string)
effect = string
})), [{
key = "nvidia.com/gpu"
value = "true"
effect = "NO_SCHEDULE"
},
{
key = "ebs.csi.aws.com/agent-not-ready",
value = "true",
effect = "NO_EXECUTE"
}
])
tags = optional(map(string), {})
gpu = optional(bool, null)
volume = optional(object({
size = optional(number, 1000)
type = optional(string, "gp3")
iops = optional(number)
throughput = optional(number, 500)
}), {
size = 1000
type = "gp3"
iops = null
throughput = 500
}
)
})
})
object({| n/a | yes | +| [eks\_info](#input\_eks\_info) | cluster = {
k8s_pre_setup_sh_file = string
cluster = object({
addons = optional(list(string), ["kube-proxy", "coredns", "vpc-cni"])
vpc_cni = optional(object({
prefix_delegation = optional(bool, false)
annotate_pod_ip = optional(bool, true)
}))
specs = object({
name = string
endpoint = string
kubernetes_network_config = list(map(any))
certificate_authority = list(map(any))
})
version = string
arn = string
security_group_id = string
endpoint = string
roles = list(object({
name = string
arn = string
}))
custom_roles = list(object({
rolearn = string
username = string
groups = list(string)
}))
oidc = object({
arn = string
url = string
})
})
nodes = object({
security_group_id = string
roles = list(object({
name = string
arn = string
}))
})
kubeconfig = object({
path = string
extra_args = string
})
})
object({| n/a | yes | | [ignore\_tags](#input\_ignore\_tags) | Tag keys to be ignored by the aws provider. | `list(string)` | `[]` | no | | [kms\_info](#input\_kms\_info) | key\_id = KMS key id.
k8s_pre_setup_sh_file = string
cluster = object({
addons = optional(list(string), ["kube-proxy", "coredns", "vpc-cni"])
vpc_cni = optional(object({
prefix_delegation = optional(bool, false)
annotate_pod_ip = optional(bool, true)
}))
specs = object({
name = string
endpoint = string
kubernetes_network_config = object({
elastic_load_balancing = object({
enabled = bool
})
ip_family = string
service_ipv4_cidr = string
service_ipv6_cidr = string
})
certificate_authority = list(map(any))
})
version = string
arn = string
security_group_id = string
endpoint = string
roles = list(object({
name = string
arn = string
}))
custom_roles = list(object({
rolearn = string
username = string
groups = list(string)
}))
oidc = object({
arn = string
url = string
})
})
nodes = object({
security_group_id = string
roles = list(object({
name = string
arn = string
}))
})
kubeconfig = object({
path = string
extra_args = string
})
})
object({| n/a | yes | | [network\_info](#input\_network\_info) | id = VPC ID.
key_id = string
key_arn = string
enabled = bool
})
object({| n/a | yes | diff --git a/modules/nodes/nodes.tf b/modules/nodes/nodes.tf index 22bc9eab..310b7ed7 100644 --- a/modules/nodes/nodes.tf +++ b/modules/nodes/nodes.tf @@ -13,7 +13,7 @@ resource "aws_launch_template" "node_groups" { cluster_endpoint = var.eks_info.cluster.specs.endpoint cluster_auth_base64 = var.eks_info.cluster.specs.certificate_authority[0].data # Optional - cluster_service_ipv4_cidr = var.eks_info.cluster.specs.kubernetes_network_config[0].service_ipv4_cidr != null ? var.eks_info.cluster.specs.kubernetes_network_config[0].service_ipv4_cidr : "" + cluster_service_ipv4_cidr = var.eks_info.cluster.specs.kubernetes_network_config.service_ipv4_cidr != null ? var.eks_info.cluster.specs.kubernetes_network_config.service_ipv4_cidr : "" bootstrap_extra_args = each.value.bootstrap_extra_args pre_bootstrap_user_data = "" post_bootstrap_user_data = "" diff --git a/modules/nodes/variables.tf b/modules/nodes/variables.tf index 22eed85b..80a14374 100644 --- a/modules/nodes/variables.tf +++ b/modules/nodes/variables.tf @@ -109,10 +109,17 @@ variable "eks_info" { annotate_pod_ip = optional(bool, true) })) specs = object({ - name = string - endpoint = string - kubernetes_network_config = list(map(any)) - certificate_authority = list(map(any)) + name = string + endpoint = string + kubernetes_network_config = object({ + elastic_load_balancing = object({ + enabled = bool + }) + ip_family = string + service_ipv4_cidr = string + service_ipv6_cidr = string + }) + certificate_authority = list(map(any)) }) version = string arn = string diff --git a/modules/single-node/README.md b/modules/single-node/README.md index ccb839b6..607b88a2 100644 --- a/modules/single-node/README.md +++ b/modules/single-node/README.md @@ -44,7 +44,7 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [eks\_info](#input\_eks\_info) | cluster = {
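Review bot: `certificate_authority = list(map(any))` is left loosely typed in the `specs` object while its sibling `kubernetes_network_config` is tightened to a full object in the same edit; nodes.tf still reaches into it with `certificate_authority[0].data`, so a shape change there is not caught by the variable's type check. Give it the same treatment, `certificate_authority = list(object({ data = string }))`, which the `aws_eks_cluster.this.certificate_authority` value passed in from modules/eks satisfies. The same applies to the identical hunk in modules/single-node/variables.tf. Note also that the new attributes (`elastic_load_balancing`, `ip_family`, `service_ipv4_cidr`, `service_ipv6_cidr`) are all required, so any caller that builds `eks_info` by hand rather than from the eks module's output must now supply all four (null is accepted for the CIDRs); mark them `optional(...)` if that compatibility matters. The `variable "eks_info"` block starts and ends outside the hunk.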
vpc_id = string
subnets = object({
public = list(object({
name = string
subnet_id = string
az = string
az_id = string
}))
private = optional(list(object({
name = string
subnet_id = string
az = string
az_id = string
})), [])
pod = optional(list(object({
name = string
subnet_id = string
az = string
az_id = string
})), [])
})
})
object({| n/a | yes | +| [eks\_info](#input\_eks\_info) | cluster = {
k8s_pre_setup_sh_file = string
cluster = object({
addons = optional(list(string), ["kube-proxy", "coredns", "vpc-cni"])
vpc_cni = optional(object({
prefix_delegation = optional(bool, false)
annotate_pod_ip = optional(bool, true)
}))
specs = object({
name = string
endpoint = string
kubernetes_network_config = list(map(any))
certificate_authority = list(map(any))
})
version = string
arn = string
security_group_id = string
endpoint = string
roles = list(object({
name = string
arn = string
}))
custom_roles = list(object({
rolearn = string
username = string
groups = list(string)
}))
oidc = object({
arn = string
url = string
})
})
nodes = object({
security_group_id = string
roles = list(object({
name = string
arn = string
}))
})
kubeconfig = object({
path = string
extra_args = string
})
})
object({| n/a | yes | | [kms\_info](#input\_kms\_info) | key\_id = KMS key id.
k8s_pre_setup_sh_file = string
cluster = object({
addons = optional(list(string), ["kube-proxy", "coredns", "vpc-cni"])
vpc_cni = optional(object({
prefix_delegation = optional(bool, false)
annotate_pod_ip = optional(bool, true)
}))
specs = object({
name = string
endpoint = string
kubernetes_network_config = object({
elastic_load_balancing = object({
enabled = bool
})
ip_family = string
service_ipv4_cidr = string
service_ipv6_cidr = string
})
certificate_authority = list(map(any))
})
version = string
arn = string
security_group_id = string
endpoint = string
roles = list(object({
name = string
arn = string
}))
custom_roles = list(object({
rolearn = string
username = string
groups = list(string)
}))
oidc = object({
arn = string
url = string
})
})
nodes = object({
security_group_id = string
roles = list(object({
name = string
arn = string
}))
})
kubeconfig = object({
path = string
extra_args = string
})
})
object({| n/a | yes | | [network\_info](#input\_network\_info) | id = VPC ID.
key_id = string
key_arn = string
enabled = bool
})
object({| n/a | yes | | [region](#input\_region) | AWS region for the deployment | `string` | n/a | yes | diff --git a/modules/single-node/single-node.tf b/modules/single-node/single-node.tf index 4ac1cc9b..68116fd4 100644 --- a/modules/single-node/single-node.tf +++ b/modules/single-node/single-node.tf @@ -57,7 +57,7 @@ resource "aws_launch_template" "single_node" { cluster_endpoint = var.eks_info.cluster.specs.endpoint cluster_auth_base64 = var.eks_info.cluster.specs.certificate_authority[0].data # Optional - cluster_service_ipv4_cidr = var.eks_info.cluster.specs.kubernetes_network_config[0].service_ipv4_cidr != null ? var.eks_info.cluster.specs.kubernetes_network_config[0].service_ipv4_cidr : "" + cluster_service_ipv4_cidr = var.eks_info.cluster.specs.kubernetes_network_config.service_ipv4_cidr != null ? var.eks_info.cluster.specs.kubernetes_network_config.service_ipv4_cidr : "" bootstrap_extra_args = local.bootstrap_extra_args pre_bootstrap_user_data = "" post_bootstrap_user_data = "" diff --git a/modules/single-node/variables.tf b/modules/single-node/variables.tf index a41f89bf..5e3e19a2 100644 --- a/modules/single-node/variables.tf +++ b/modules/single-node/variables.tf @@ -109,10 +109,17 @@ variable "eks_info" { annotate_pod_ip = optional(bool, true) })) specs = object({ - name = string - endpoint = string - kubernetes_network_config = list(map(any)) - certificate_authority = list(map(any)) + name = string + endpoint = string + kubernetes_network_config = object({ + elastic_load_balancing = object({ + enabled = bool + }) + ip_family = string + service_ipv4_cidr = string + service_ipv6_cidr = string + }) + certificate_authority = list(map(any)) }) version = string arn = string
vpc_id = string
subnets = object({
public = list(object({
name = string
subnet_id = string
az = string
az_id = string
}))
private = optional(list(object({
name = string
subnet_id = string
az = string
az_id = string
})), [])
pod = optional(list(object({
name = string
subnet_id = string
az = string
az_id = string
})), [])
})
})