[DOM-62207] VPC Endpoint for ECR and s3 endpoint prefix list to outputs (
msingermann-domino authored Nov 21, 2024
1 parent 710fa0d commit b344632
Showing 13 changed files with 117 additions and 12 deletions.
19 changes: 19 additions & 0 deletions examples/tfvars/ecr_endpoint.tfvars
@@ -0,0 +1,19 @@
deploy_id = "plantest0016"
region = "us-west-2"
ssh_pvt_key_path = "domino.pem"

default_node_groups = {
compute = {
availability_zone_ids = ["usw2-az1", "usw2-az2"]
}
gpu = {
availability_zone_ids = ["usw2-az1", "usw2-az2"]
}
platform = {
"availability_zone_ids" = ["usw2-az1", "usw2-az2"]
}
}

network = {
create_ecr_endpoint = true
}
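Review bot: the `platform` block quotes its key (`"availability_zone_ids" = [...]`) while `compute` and `gpu` use the bare identifier; pick one form, since the mixed style reads as if the quoted key were special. The commit title also mentions an S3 endpoint prefix-list output, but this example only exercises `network.create_ecr_endpoint`; if that output is meant to be consumed by callers, an example tfvars or a line in the README showing it would help.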
3 changes: 2 additions & 1 deletion modules/eks/README.md
Expand Up @@ -44,6 +44,7 @@
| [aws_security_group.eks_cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
| [aws_security_group.eks_nodes](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
| [aws_security_group_rule.bastion_eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_security_group_rule.ecr_endpoint](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_security_group_rule.efs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_security_group_rule.eks_cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_security_group_rule.netapp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
Expand Down Expand Up @@ -76,7 +77,7 @@
| <a name="input_eks"></a> [eks](#input\_eks) | service\_ipv4\_cidr = CIDR for EKS cluster kubernetes\_network\_config.<br> creation\_role\_name = Name of the role to import.<br> k8s\_version = EKS cluster k8s version.<br> nodes\_master Grants the nodes role system:master access. NOT recomended<br> kubeconfig = {<br> extra\_args = Optional extra args when generating kubeconfig.<br> path = Fully qualified path name to write the kubeconfig file.<br> }<br> public\_access = {<br> enabled = Enable EKS API public endpoint.<br> cidrs = List of CIDR ranges permitted for accessing the EKS public endpoint.<br> }<br> Custom role maps for aws auth configmap<br> custom\_role\_maps = {<br> rolearn = string<br> username = string<br> groups = list(string)<br> }<br> master\_role\_names = IAM role names to be added as masters in eks.<br> cluster\_addons = EKS cluster addons. vpc-cni is installed separately.<br> vpc\_cni = Configuration for AWS VPC CNI<br> ssm\_log\_group\_name = CloudWatch log group to send the SSM session logs to.<br> identity\_providers = Configuration for IDP(Identity Provider).<br> } | <pre>object({<br> service_ipv4_cidr = optional(string, "172.20.0.0/16")<br> creation_role_name = optional(string, null)<br> k8s_version = optional(string, "1.27")<br> nodes_master = optional(bool, false)<br> kubeconfig = optional(object({<br> extra_args = optional(string, "")<br> path = optional(string, null)<br> }), {})<br> public_access = optional(object({<br> enabled = optional(bool, false)<br> cidrs = optional(list(string), [])<br> }), {})<br> custom_role_maps = optional(list(object({<br> rolearn = string<br> username = string<br> groups = list(string)<br> })), [])<br> master_role_names = optional(list(string), [])<br> cluster_addons = optional(list(string), ["kube-proxy", "coredns", "vpc-cni"])<br> ssm_log_group_name = optional(string, "session-manager")<br> vpc_cni = optional(object({<br> prefix_delegation = optional(bool, false)<br> annotate_pod_ip = optional(bool, 
true)<br> }))<br> identity_providers = optional(list(object({<br> client_id = string<br> groups_claim = optional(string, null)<br> groups_prefix = optional(string, null)<br> identity_provider_config_name = string<br> issuer_url = optional(string, null)<br> required_claims = optional(map(string), null)<br> username_claim = optional(string, null)<br> username_prefix = optional(string, null)<br> })), []),<br> })</pre> | `{}` | no |
| <a name="input_ignore_tags"></a> [ignore\_tags](#input\_ignore\_tags) | Tag keys to be ignored by the aws provider. | `list(string)` | `[]` | no |
| <a name="input_kms_info"></a> [kms\_info](#input\_kms\_info) | key\_id = KMS key id.<br> key\_arn = KMS key arn.<br> enabled = KMS key is enabled | <pre>object({<br> key_id = string<br> key_arn = string<br> enabled = bool<br> })</pre> | n/a | yes |
| <a name="input_network_info"></a> [network\_info](#input\_network\_info) | id = VPC ID.<br> subnets = {<br> public = List of public Subnets.<br> [{<br> name = Subnet name.<br> subnet\_id = Subnet ud<br> az = Subnet availability\_zone<br> az\_id = Subnet availability\_zone\_id<br> }]<br> private = List of private Subnets.<br> [{<br> name = Subnet name.<br> subnet\_id = Subnet ud<br> az = Subnet availability\_zone<br> az\_id = Subnet availability\_zone\_id<br> }]<br> pod = List of pod Subnets.<br> [{<br> name = Subnet name.<br> subnet\_id = Subnet ud<br> az = Subnet availability\_zone<br> az\_id = Subnet availability\_zone\_id<br> }]<br> } | <pre>object({<br> vpc_id = string<br> subnets = object({<br> public = list(object({<br> name = string<br> subnet_id = string<br> az = string<br> az_id = string<br> }))<br> private = list(object({<br> name = string<br> subnet_id = string<br> az = string<br> az_id = string<br> }))<br> pod = list(object({<br> name = string<br> subnet_id = string<br> az = string<br> az_id = string<br> }))<br> })<br> vpc_cidrs = optional(string, "10.0.0.0/16")<br> })</pre> | n/a | yes |
| <a name="input_network_info"></a> [network\_info](#input\_network\_info) | id = VPC ID.<br> ecr\_endpoint = {<br> security\_group\_id = ECR Endpoint security group id.<br> }<br> subnets = {<br> public = List of public Subnets.<br> [{<br> name = Subnet name.<br> subnet\_id = Subnet ud<br> az = Subnet availability\_zone<br> az\_id = Subnet availability\_zone\_id<br> }]<br> private = List of private Subnets.<br> [{<br> name = Subnet name.<br> subnet\_id = Subnet ud<br> az = Subnet availability\_zone<br> az\_id = Subnet availability\_zone\_id<br> }]<br> pod = List of pod Subnets.<br> [{<br> name = Subnet name.<br> subnet\_id = Subnet ud<br> az = Subnet availability\_zone<br> az\_id = Subnet availability\_zone\_id<br> }]<br> } | <pre>object({<br> vpc_id = string<br> ecr_endpoint = optional(object({<br> security_group_id = optional(string, null)<br> }), null)<br> subnets = object({<br> public = list(object({<br> name = string<br> subnet_id = string<br> az = string<br> az_id = string<br> }))<br> private = list(object({<br> name = string<br> subnet_id = string<br> az = string<br> az_id = string<br> }))<br> pod = list(object({<br> name = string<br> subnet_id = string<br> az = string<br> az_id = string<br> }))<br> })<br> vpc_cidrs = optional(string, "10.0.0.0/16")<br> })</pre> | n/a | yes |
| <a name="input_node_iam_policies"></a> [node\_iam\_policies](#input\_node\_iam\_policies) | Additional IAM Policy Arns for Nodes | `list(string)` | n/a | yes |
| <a name="input_privatelink"></a> [privatelink](#input\_privatelink) | {<br> enabled = Enable Private Link connections.<br> namespace = Namespace for IAM Policy conditions.<br> monitoring\_bucket = Bucket for NLBs monitoring.<br> route53\_hosted\_zone\_name = Hosted zone for External DNS zone.<br> vpc\_endpoint\_services = [{<br> name = Name of the VPC Endpoint Service.<br> ports = List of ports exposing the VPC Endpoint Service. i.e [8080, 8081]<br> cert\_arn = Certificate ARN used by the NLB associated for the given VPC Endpoint Service.<br> private\_dns = Private DNS for the VPC Endpoint Service.<br> }]<br> } | <pre>object({<br> enabled = optional(bool, false)<br> namespace = optional(string, "domino-platform")<br> monitoring_bucket = optional(string, null)<br> route53_hosted_zone_name = optional(string, null)<br> vpc_endpoint_services = optional(list(object({<br> name = optional(string)<br> ports = optional(list(number))<br> cert_arn = optional(string)<br> private_dns = optional(string)<br> })), [])<br> })</pre> | `{}` | no |
| <a name="input_region"></a> [region](#input\_region) | AWS region for the deployment | `string` | n/a | yes |
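Review bot: the rewritten `network_info` row keeps the pre-existing `Subnet ud` typo (three occurrences; should read `Subnet id`). Since this README text mirrors the `description` heredoc in `modules/eks/variables.tf` (compare the `id = VPC ID.` and `ecr_endpoint = {` lines in that file's hunk), the fix belongs there so the README can be regenerated from it rather than patched by hand.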
11 changes: 11 additions & 0 deletions modules/eks/node-group.tf
Expand Up @@ -83,3 +83,14 @@ resource "aws_security_group_rule" "netapp" {
description = "Netapp access from EKS nodes."
source_security_group_id = aws_security_group.eks_nodes.id
}

resource "aws_security_group_rule" "ecr_endpoint" {
count = var.network_info.ecr_endpoint != null ? 1 : 0
security_group_id = var.network_info.ecr_endpoint.security_group_id
protocol = "tcp"
from_port = 443
to_port = 443
type = "ingress"
description = "ECR Endpoint access from EKS nodes."
source_security_group_id = aws_security_group.eks_nodes.id
}
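Review bot: `count` on the new `ecr_endpoint` rule only tests `var.network_info.ecr_endpoint != null`, but the object type declared in `variables.tf` has `security_group_id = optional(string, null)`, so `ecr_endpoint = {}` passes the count check and then sets `security_group_id = null`, which fails at plan/apply. Guard on the inner value instead, e.g. `count = try(var.network_info.ecr_endpoint.security_group_id, null) != null ? 1 : 0`. The rule itself is appropriately narrow (ingress 443/tcp from `aws_security_group.eks_nodes` only), which keeps the endpoint reachable solely from cluster nodes rather than the whole VPC CIDR.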
6 changes: 6 additions & 0 deletions modules/eks/variables.tf
Expand Up @@ -21,6 +21,9 @@ variable "region" {
variable "network_info" {
description = <<EOF
id = VPC ID.
ecr_endpoint = {
security_group_id = ECR Endpoint security group id.
}
subnets = {
public = List of public Subnets.
[{
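Review bot: the description added for `ecr_endpoint` should say that the block is optional and that, when present, the module attaches an ingress rule (443/tcp from the EKS node security group) to the given `security_group_id`; that side effect is otherwise only discoverable by reading `node-group.tf`, and callers supplying an externally managed security group will want to know the module mutates it.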
Expand All @@ -47,6 +50,9 @@ variable "network_info" {
EOF
type = object({
vpc_id = string
ecr_endpoint = optional(object({
security_group_id = optional(string, null)
}), null)
subnets = object({
public = list(object({
name = string
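Review bot: with both the outer object and the inner `security_group_id` defaulting to `null` there are two distinct "not configured" states, and only the outer one is checked by the `count` in `node-group.tf`. Either declare `security_group_id = string` (required) inside the optional object, so that a present block must carry an id, or add a `validation` block on `network_info` with a condition such as `var.network_info.ecr_endpoint == null || var.network_info.ecr_endpoint.security_group_id != null` so the misconfiguration is rejected at plan time with a clear message.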