Merge pull request 2i2c-org#4740 from consideRatio/pr/terraform-refactor

terraform, aws: add reference comments and use non-deprecated eksctl tag

terraform/aws/aws-ce-grafana-backend-iam.tf

@@ -1,3 +1,4 @@
+# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role
 resource "aws_iam_role" "aws_ce_grafana_backend_iam_role" {
   count = var.enable_aws_ce_grafana_backend_iam ? 1 : 0
 

terraform/aws/bucket-access.tf

@@ -115,11 +115,12 @@ locals {
 
 
 
+# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
 data "aws_iam_policy_document" "bucket_policy" {
   for_each = local.bucket_role_actions_lists
 
-  // Only one policy document can be declared per bucket, so we provide multiple
-  // "statement" in this policy.
+  # Only one policy document can be declared per bucket, so we provide multiple
+  # "statement" in this policy.
   dynamic "statement" {
     for_each = { for index, bra in each.value : "${bra.bucket}.${bra.role}" => bra }
 
@@ -141,8 +142,10 @@ data "aws_iam_policy_document" "bucket_policy" {
   }
 }
 
-// There can only be one of these per bucket, if more are defined they will end
-// up replacing each other without terraform indicating there is trouble.
+# There can only be one of these per bucket, if more are defined they will end
+# up replacing each other without terraform indicating there is trouble.
+#
+# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy
 resource "aws_s3_bucket_policy" "user_bucket_access" {
   for_each = local.bucket_role_actions_lists
   bucket   = aws_s3_bucket.user_buckets[each.key].id

terraform/aws/buckets.tf

@@ -1,9 +1,11 @@
+# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket
 resource "aws_s3_bucket" "user_buckets" {
   for_each = var.user_buckets
   bucket   = lower("${var.cluster_name}-${each.key}")
   tags     = merge(var.tags, each.value.tags)
 }
 
+# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration
 resource "aws_s3_bucket_lifecycle_configuration" "user_bucket_expiry" {
   for_each = var.user_buckets
   bucket   = lower("${var.cluster_name}-${each.key}")

terraform/aws/budget-alerts.tf

@@ -1,3 +1,4 @@
+# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/budgets_budget
 resource "aws_budgets_budget" "budgets" {
   count = var.default_budget_alert.enabled ? 1 : 0
 

terraform/aws/cd.tf

@@ -1,13 +1,19 @@
-// Resources required for continuously deploying hubs to this cluster
+/*
+  Resources required for continuously deploying hubs to this cluster
+*/
+
+# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user
 resource "aws_iam_user" "continuous_deployer" {
   name = "hub-continuous-deployer"
   tags = var.tags
 }
 
+# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key
 resource "aws_iam_access_key" "continuous_deployer" {
   user = aws_iam_user.continuous_deployer.name
 }
 
+# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy
 resource "aws_iam_user_policy" "continuous_deployer" {
   name = "eks-readonly"
   user = aws_iam_user.continuous_deployer.name

terraform/aws/db.tf

@@ -1,3 +1,4 @@
+# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets
 data "aws_subnets" "cluster_subnets" {
   count = var.db_enabled ? 1 : 0
 
@@ -12,8 +13,8 @@ data "aws_subnets" "cluster_subnets" {
   }
 }
 
+# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
 resource "aws_security_group" "db" {
-
   count = var.db_enabled ? 1 : 0
 
   name        = "db"
@@ -41,6 +42,7 @@ resource "aws_security_group" "db" {
   }
 }
 
+# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_subnet_group
 resource "aws_db_subnet_group" "db" {
   count = var.db_enabled ? 1 : 0
 
@@ -49,8 +51,8 @@ resource "aws_db_subnet_group" "db" {
   tags = var.tags
 }
 
+# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance
 resource "aws_db_instance" "db" {
-
   count = var.db_enabled ? 1 : 0
 
   instance_class         = var.db_instance_class
@@ -71,6 +73,7 @@ resource "aws_db_instance" "db" {
   tags = var.tags
 }
 
+# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_parameter_group
 resource "aws_db_parameter_group" "db" {
   count  = var.db_enabled ? 1 : 0
   name   = var.db_instance_identifier
@@ -86,19 +89,22 @@ resource "aws_db_parameter_group" "db" {
   }
 }
 
+# ref: https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password
 resource "random_password" "db_root_password" {
   count = var.db_enabled ? 1 : 0
   # mysql passwords can't be longer than 41 chars lololol
   length = 41
 }
 
+# ref: https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password
 resource "random_password" "db_readonly_password" {
   count   = var.db_enabled ? 1 : 0
   special = var.db_user_password_special_chars
   # mysql passwords can't be longer than 41 chars lololol
   length = 41
 }
 
+# ref: https://registry.terraform.io/providers/petoju/mysql/latest/docs
 provider "mysql" {
   # We only want to set this up if db is enabled, otherwise there is no
   # mysql endpoint for this provider to connect to. These are all still 'required'
@@ -110,6 +116,7 @@ provider "mysql" {
   password = var.db_enabled ? random_password.db_root_password[0].result : ""
 }
 
+# ref: https://registry.terraform.io/providers/petoju/mysql/latest/docs/resources/user
 resource "mysql_user" "user" {
   count = var.db_enabled && var.db_engine == "mysql" ? 1 : 0
 
@@ -118,6 +125,7 @@ resource "mysql_user" "user" {
   plaintext_password = random_password.db_readonly_password[0].result
 }
 
+# ref: https://registry.terraform.io/providers/petoju/mysql/latest/docs/resources/grant
 resource "mysql_grant" "user" {
   count = var.db_enabled && var.db_engine == "mysql" ? 1 : 0
 

terraform/aws/efs.tf

@@ -4,6 +4,7 @@
 // the nodes. We create a mount target for each EFS, in each subnet, even if we
 // primarily put all our nodes in one - this allows for GPU nodes to be spread
 // out across AZ when needed
+# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets
 data "aws_subnets" "cluster_node_subnets" {
 
   filter {
@@ -17,11 +18,12 @@ data "aws_subnets" "cluster_node_subnets" {
   }
 
   filter {
-    name   = "tag:eksctl.cluster.k8s.io/v1alpha1/cluster-name"
+    name   = "tag:alpha.eksctl.io/cluster-name"
     values = [var.cluster_name]
   }
 }
 
+# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group
 data "aws_security_group" "cluster_nodes_shared_security_group" {
 
   filter {
@@ -34,14 +36,15 @@ data "aws_security_group" "cluster_nodes_shared_security_group" {
   }
 
   filter {
-    name   = "tag:eksctl.cluster.k8s.io/v1alpha1/cluster-name"
+    name   = "tag:alpha.eksctl.io/cluster-name"
     values = [var.cluster_name]
   }
 }
 
 # This allows supporting running multiple EFS instances in a cluster
 # for an accurate cost allocation per hub of home directory storage.
 # https://github.com/2i2c-org/infrastructure/issues/4453
+# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_file_system
 resource "aws_efs_file_system" "hub_homedirs" {
   for_each = var.filestores
   tags = merge(var.tags, each.value.tags, {
@@ -99,6 +102,7 @@ locals {
   ]
 }
 
+# ref: https://registry.terraform.io/providers/-/aws/latest/docs/resources/efs_mount_target
 resource "aws_efs_mount_target" "hub_homedirs" {
   for_each = tomap({
     for mount_target in local.efs_mount_targets : "${mount_target.subnet_id}.${mount_target.name}" => mount_target
@@ -115,6 +119,7 @@ output "nfs_server_dns_map" {
 
 # Enable automatic backups for user homedirectories
 # Documented in https://docs.aws.amazon.com/efs/latest/ug/awsbackup.html#automatic-backups
+# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_backup_policy
 resource "aws_efs_backup_policy" "hub_homedirs" {
   for_each       = aws_efs_file_system.hub_homedirs
   file_system_id = each.value.id

terraform/aws/grafana-athena-iam.tf

@@ -1,3 +1,4 @@
+# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role
 resource "aws_iam_role" "grafana_athena_role" {
   count = var.enable_grafana_athena_iam ? 1 : 0
 

terraform/aws/irsa.tf

@@ -7,7 +7,10 @@
   - RolePolicyAttachment - if extra_iam_policy is declared
 */
 
+# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity
 data "aws_caller_identity" "current" {}
+
+# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition
 data "aws_partition" "current" {}
 
 
@@ -32,6 +35,7 @@ locals {
 
 
 
+# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
 data "aws_iam_policy_document" "irsa_role_assume" {
   for_each = { for index, hr in local.hub_to_role_mapping : hr.iam_role_name => hr }
   statement {
@@ -55,6 +59,7 @@ data "aws_iam_policy_document" "irsa_role_assume" {
   }
 }
 
+# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role
 resource "aws_iam_role" "irsa_role" {
   for_each = { for index, hr in local.hub_to_role_mapping : hr.iam_role_name => hr }
   name     = "${var.cluster_name}-${each.key}"
@@ -63,8 +68,7 @@ resource "aws_iam_role" "irsa_role" {
   assume_role_policy = data.aws_iam_policy_document.irsa_role_assume[each.key].json
 }
 
-
-
+# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy
 resource "aws_iam_policy" "extra_user_policy" {
   for_each = { for index, hr in local.hub_to_role_mapping : hr.iam_role_name => hr if hr.cloud_permissions.extra_iam_policy != "" }
   name     = "${var.cluster_name}-${each.key}-extra-user-policy"
@@ -74,6 +78,7 @@ resource "aws_iam_policy" "extra_user_policy" {
   policy      = each.value.cloud_permissions.extra_iam_policy
 }
 
+# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment
 resource "aws_iam_role_policy_attachment" "extra_user_policy" {
   for_each   = { for index, hr in local.hub_to_role_mapping : hr.iam_role_name => hr if hr.cloud_permissions.extra_iam_policy != "" }
   role       = aws_iam_role.irsa_role[each.key].name

terraform/aws/main.tf

@@ -26,12 +26,15 @@ terraform {
   }
 }
 
+# ref: https://registry.terraform.io/providers/hashicorp/random/latest/docs
 provider "random" {}
 
+# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs
 provider "aws" {
   region = var.region
 }
 
+# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster
 data "aws_eks_cluster" "cluster" {
   name = var.cluster_name
 }

terraform/aws/projects/template.tfvars

@@ -4,10 +4,8 @@
    - no default scratch buckets support
 */
 
-region = "{{ cluster_region }}"
-
-cluster_name = "{{ cluster_name }}"
-
+region                 = "{{ cluster_region }}"
+cluster_name           = "{{ cluster_name }}"
 cluster_nodes_location = "{{ cluster_region }}a"
 
 # Tip: uncomment and fill the missing info in the lines below if you want