Misc changes for cdk migration compatibility (#18)

dominodatalab · Jan 5, 2023 · b7d1856 · b7d1856
1 parent 64e79c9
commit b7d1856
Show file tree

Hide file tree

Showing 8 changed files with 37 additions and 19 deletions.
diff --git a/iam.tf b/iam.tf
@@ -27,13 +27,13 @@ data "aws_iam_policy_document" "route53" {
 
 resource "aws_iam_policy" "route53" {
   count  = var.route53_hosted_zone_name != "" ? 1 : 0
-  name   = "${var.deploy_id}-Route53"
+  name   = "${var.deploy_id}-route53"
   path   = "/"
   policy = data.aws_iam_policy_document.route53[0].json
 }
 
 resource "aws_iam_role_policy_attachment" "route53" {
-  for_each   = var.route53_hosted_zone_name != "" ? toset([for r in module.eks.eks_node_roles : r.name]) : []
+  count      = var.route53_hosted_zone_name != "" ? length(module.eks.eks_node_roles) : 0
   policy_arn = aws_iam_policy.route53[0].arn
-  role       = each.value
+  role       = lookup(module.eks.eks_node_roles[count.index], "name")
 }
diff --git a/main.tf b/main.tf
@@ -124,20 +124,21 @@ module "bastion" {
 }
 
 module "eks" {
-  source                    = "./submodules/eks"
-  deploy_id                 = var.deploy_id
-  region                    = var.region
-  k8s_version               = var.k8s_version
-  vpc_id                    = local.vpc_id
-  private_subnets           = local.private_subnets
-  ssh_pvt_key_path          = aws_key_pair.domino.key_name
-  bastion_security_group_id = try(module.bastion[0].security_group_id, "")
-  create_bastion_sg         = var.bastion != null
-  kubeconfig_path           = local.kubeconfig_path
-  default_node_groups       = var.default_node_groups
-  additional_node_groups    = var.additional_node_groups
-  node_iam_policies         = [module.storage.s3_policy]
-  efs_security_group        = module.storage.efs_security_group
+  source                       = "./submodules/eks"
+  deploy_id                    = var.deploy_id
+  region                       = var.region
+  k8s_version                  = var.k8s_version
+  vpc_id                       = local.vpc_id
+  private_subnets              = local.private_subnets
+  ssh_pvt_key_path             = aws_key_pair.domino.key_name
+  bastion_security_group_id    = try(module.bastion[0].security_group_id, "")
+  create_bastion_sg            = var.bastion != null
+  kubeconfig_path              = local.kubeconfig_path
+  default_node_groups          = var.default_node_groups
+  additional_node_groups       = var.additional_node_groups
+  node_iam_policies            = [module.storage.s3_policy]
+  efs_security_group           = module.storage.efs_security_group
+  update_kubeconfig_extra_args = var.update_kubeconfig_extra_args
 
   depends_on = [
     module.network

diff --git a/submodules/bastion/main.tf b/submodules/bastion/main.tf
@@ -14,6 +14,7 @@ resource "aws_security_group" "bastion" {
 
   lifecycle {
     create_before_destroy = true
+    ignore_changes = [description]
   }
 
   tags = {

diff --git a/submodules/eks/cluster.tf b/submodules/eks/cluster.tf
@@ -46,6 +46,7 @@ resource "aws_security_group" "eks_cluster" {
 
   lifecycle {
     create_before_destroy = true
+    ignore_changes = [description, name]
   }
   tags = {
     "Name"                                            = "${local.eks_cluster_name}-eks-cluster"
@@ -118,7 +119,7 @@ resource "aws_eks_addon" "this" {
 resource "null_resource" "kubeconfig" {
   provisioner "local-exec" {
     when    = create
-    command = "aws eks update-kubeconfig --kubeconfig ${self.triggers.kubeconfig_file} --region ${self.triggers.region} --name ${self.triggers.cluster_name} --alias ${self.triggers.cluster_name}"
+    command = "aws eks update-kubeconfig --kubeconfig ${self.triggers.kubeconfig_file} --region ${self.triggers.region} --name ${self.triggers.cluster_name} --alias ${self.triggers.cluster_name} ${var.update_kubeconfig_extra_args}"
   }
   provisioner "local-exec" {
     when    = destroy

diff --git a/submodules/eks/iam.tf b/submodules/eks/iam.tf
@@ -14,6 +14,9 @@ data "aws_iam_policy_document" "eks_cluster" {
 resource "aws_iam_role" "eks_cluster" {
   name               = "${var.deploy_id}-eks"
   assume_role_policy = data.aws_iam_policy_document.eks_cluster.json
+  lifecycle {
+      ignore_changes = [name]
+  }
 }
 
 resource "aws_iam_role_policy_attachment" "eks_cluster" {

diff --git a/submodules/eks/variables.tf b/submodules/eks/variables.tf
@@ -8,6 +8,12 @@ variable "deploy_id" {
   }
 }
 
+variable "update_kubeconfig_extra_args" {
+  type        = string
+  description = "Optional extra args when generating kubeconfig"
+  default     = ""
+}
+
 variable "region" {
   type        = string
   description = "AWS region for the deployment"

diff --git a/submodules/storage/s3.tf b/submodules/storage/s3.tf
@@ -414,7 +414,7 @@ resource "aws_s3_bucket_request_payment_configuration" "buckets_payer" {
 }
 
 resource "aws_s3_bucket_logging" "buckets_logging" {
-  for_each      = { for k, v in local.s3_buckets : k => v if v.bucket_name != aws_s3_bucket.monitoring.bucket }
+  for_each      = { for k, v in local.s3_buckets : k => v if k != "monitoring" }
   bucket        = each.value.id
   target_bucket = aws_s3_bucket.monitoring.bucket
   target_prefix = "${each.value.bucket_name}/"

diff --git a/variables.tf b/variables.tf
@@ -21,6 +21,12 @@ variable "region" {
   description = "AWS region for the deployment"
 }
 
+variable "update_kubeconfig_extra_args" {
+  type        = string
+  description = "Optional extra args when generating kubeconfig"
+  default     = ""
+}
+
 variable "number_of_azs" {
   type        = number
   description = "Number of AZ to distribute the deployment, EKS needs at least 2."