From 6bf777e8b17b94fd02e5358ef44121a3c314846d Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Fri, 6 Sep 2024 11:15:48 +0200 Subject: [PATCH 1/3] terraform, aws: reference non-deprecated eksctl tag available since 2019 --- terraform/aws/efs.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/aws/efs.tf b/terraform/aws/efs.tf index 30fcd73192..cd14e5ee81 100644 --- a/terraform/aws/efs.tf +++ b/terraform/aws/efs.tf @@ -17,7 +17,7 @@ data "aws_subnets" "cluster_node_subnets" { } filter { - name = "tag:eksctl.cluster.k8s.io/v1alpha1/cluster-name" + name = "tag:alpha.eksctl.io/cluster-name" values = [var.cluster_name] } } @@ -34,7 +34,7 @@ data "aws_security_group" "cluster_nodes_shared_security_group" { } filter { - name = "tag:eksctl.cluster.k8s.io/v1alpha1/cluster-name" + name = "tag:alpha.eksctl.io/cluster-name" values = [var.cluster_name] } } From 29aa4285c7576a25d76c1298c3f5695da44c315f Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Fri, 6 Sep 2024 11:18:02 +0200 Subject: [PATCH 2/3] terraform, aws: add reference docs links for resources --- terraform/aws/aws-ce-grafana-backend-iam.tf | 1 + terraform/aws/bucket-access.tf | 11 +++++++---- terraform/aws/buckets.tf | 2 ++ terraform/aws/budget-alerts.tf | 1 + terraform/aws/cd.tf | 8 +++++++- terraform/aws/db.tf | 12 ++++++++++-- terraform/aws/efs.tf | 5 +++++ terraform/aws/grafana-athena-iam.tf | 1 + terraform/aws/irsa.tf | 9 +++++++-- terraform/aws/main.tf | 3 +++ 10 files changed, 44 insertions(+), 9 deletions(-) diff --git a/terraform/aws/aws-ce-grafana-backend-iam.tf b/terraform/aws/aws-ce-grafana-backend-iam.tf index 225a600655..f283912bbd 100644 --- a/terraform/aws/aws-ce-grafana-backend-iam.tf +++ b/terraform/aws/aws-ce-grafana-backend-iam.tf @@ -1,3 +1,4 @@ +# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role resource "aws_iam_role" "aws_ce_grafana_backend_iam_role" { count = var.enable_aws_ce_grafana_backend_iam ? 1 : 0 
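Review bot: Both renamed `filter` blocks still select infrastructure purely by a mutable tag, and a lookup that matches nothing fails differently in each hunk: `data.aws_subnets` returns an empty `ids` list without error, so EFS mount targets would silently not be created, while `data.aws_security_group` errors on zero or multiple matches. If the Terraform version in use supports it, I would add a plan-time check to the subnet lookup, e.g. `lifecycle { postcondition { condition = length(self.ids) > 0, error_message = "no subnets tagged alpha.eksctl.io/cluster-name=${var.cluster_name}" } }`, so a cluster created without the new tag fails loudly instead of producing an EFS with no mount targets. The earlier `filter` blocks of both data sources (the `}` at the top of each hunk closes one) are outside the hunks, so I cannot confirm what else constrains the match.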
diff --git a/terraform/aws/bucket-access.tf b/terraform/aws/bucket-access.tf index 85d914619e..f50ce5ae6c 100644 --- a/terraform/aws/bucket-access.tf +++ b/terraform/aws/bucket-access.tf @@ -115,11 +115,12 @@ locals { +# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document data "aws_iam_policy_document" "bucket_policy" { for_each = local.bucket_role_actions_lists - // Only one policy document can be declared per bucket, so we provide multiple - // "statement" in this policy. + # Only one policy document can be declared per bucket, so we provide multiple + # "statement" in this policy. dynamic "statement" { for_each = { for index, bra in each.value : "${bra.bucket}.${bra.role}" => bra } @@ -141,8 +142,10 @@ data "aws_iam_policy_document" "bucket_policy" { } } -// There can only be one of these per bucket, if more are defined they will end -// up replacing each other without terraform indicating there is trouble. +# There can only be one of these per bucket, if more are defined they will end +# up replacing each other without terraform indicating there is trouble. +# +# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy resource "aws_s3_bucket_policy" "user_bucket_access" { for_each = local.bucket_role_actions_lists bucket = aws_s3_bucket.user_buckets[each.key].id diff --git a/terraform/aws/buckets.tf b/terraform/aws/buckets.tf index aa263b25f5..08bc6353c3 100644 --- a/terraform/aws/buckets.tf +++ b/terraform/aws/buckets.tf 
@@ -1,9 +1,11 @@ +# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket resource "aws_s3_bucket" "user_buckets" { for_each = var.user_buckets bucket = lower("${var.cluster_name}-${each.key}") tags = merge(var.tags, each.value.tags) } +# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration resource "aws_s3_bucket_lifecycle_configuration" "user_bucket_expiry" { for_each = var.user_buckets bucket = lower("${var.cluster_name}-${each.key}") diff --git a/terraform/aws/budget-alerts.tf b/terraform/aws/budget-alerts.tf index a480afc0fc..89b9ef2e0a 100644 --- a/terraform/aws/budget-alerts.tf +++ b/terraform/aws/budget-alerts.tf @@ -1,3 +1,4 @@ +# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/budgets_budget resource "aws_budgets_budget" "budgets" { count = var.default_budget_alert.enabled ? 1 : 0 diff --git a/terraform/aws/cd.tf b/terraform/aws/cd.tf index 35cff0d24c..dc595ac373 100644 --- a/terraform/aws/cd.tf +++ b/terraform/aws/cd.tf @@ -1,13 +1,19 @@ -// Resources required for continuously deploying hubs to this cluster +/* + Resources required for continuously deploying hubs to this cluster +*/ + +# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user resource "aws_iam_user" "continuous_deployer" { name = "hub-continuous-deployer" tags = var.tags } +# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key resource "aws_iam_access_key" "continuous_deployer" { user = aws_iam_user.continuous_deployer.name } +# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy resource "aws_iam_user_policy" "continuous_deployer" { name = "eks-readonly" user = aws_iam_user.continuous_deployer.name diff --git a/terraform/aws/db.tf b/terraform/aws/db.tf index 6ac8f3d8db..fd765e0f23 100644 --- a/terraform/aws/db.tf 
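Review bot: In the `aws_s3_bucket_lifecycle_configuration` hunk, `bucket = lower("${var.cluster_name}-${each.key}")` recomputes the bucket name instead of referencing the resource, so Terraform sees no dependency between the lifecycle configuration and the bucket it configures and may order them independently. bucket-access.tf in the same series already uses the reference form, `bucket = aws_s3_bucket.user_buckets[each.key].id`, and I would use that same line here for consistency and an implicit dependency. The rest of the lifecycle resource body is outside the hunk.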
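Review bot: The `aws_iam_access_key` resource for `continuous_deployer` mints a long-lived static credential whose secret is written in clear text to the Terraform state, and nothing in the new header comment or the ref line records that. Since this commit is adding documentation anyway, I would extend the header with `# NOTE: the access key secret is stored unencrypted in Terraform state; treat the state backend as a secret store, or set pgp_key on aws_iam_access_key so only an encrypted secret is recorded.` The `eks-readonly` policy body continues past the end of the hunk, so I cannot say what the key is actually allowed to do.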
+++ b/terraform/aws/db.tf @@ -1,3 +1,4 @@ +# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets data "aws_subnets" "cluster_subnets" { count = var.db_enabled ? 1 : 0 @@ -12,8 +13,8 @@ data "aws_subnets" "cluster_subnets" { } } +# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group resource "aws_security_group" "db" { - count = var.db_enabled ? 1 : 0 name = "db" @@ -41,6 +42,7 @@ resource "aws_security_group" "db" { } } +# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_subnet_group resource "aws_db_subnet_group" "db" { count = var.db_enabled ? 1 : 0 @@ -49,8 +51,8 @@ resource "aws_db_subnet_group" "db" { tags = var.tags } +# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance resource "aws_db_instance" "db" { - count = var.db_enabled ? 1 : 0 instance_class = var.db_instance_class @@ -71,6 +73,7 @@ resource "aws_db_instance" "db" { tags = var.tags } +# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_parameter_group resource "aws_db_parameter_group" "db" { count = var.db_enabled ? 1 : 0 name = var.db_instance_identifier @@ -86,12 +89,14 @@ resource "aws_db_parameter_group" "db" { } } +# ref: https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password resource "random_password" "db_root_password" { count = var.db_enabled ? 1 : 0 # mysql passwords can't be longer than 41 chars lololol length = 41 } +# ref: https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password resource "random_password" "db_readonly_password" { count = var.db_enabled ? 1 : 0 special = var.db_user_password_special_chars 
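Review bot: The comment `# mysql passwords can't be longer than 41 chars lololol` above `length = 41` in the `db_root_password` hunk is the one comment in this series that does not state its constraint plainly, and the same `length = 41` cap appears on `db_readonly_password` with no explanation at all. I would replace it with `# RDS MySQL master passwords are limited to 41 characters (presumably the reason for the cap; confirm against the engine in use).` and reuse it on the read-only password. Both `random_password` results are sensitive values that end up in Terraform state, which is worth a one-line note here as well.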
@@ -99,6 +104,7 @@ resource "random_password" "db_readonly_password" { length = 41 } +# ref: https://registry.terraform.io/providers/petoju/mysql/latest/docs provider "mysql" { # We only want to set this up if db is enabled, otherwise there is no # mysql endpoint for this provider to connect to. These are all still 'required' @@ -110,6 +116,7 @@ provider "mysql" { password = var.db_enabled ? random_password.db_root_password[0].result : "" } +# ref: https://registry.terraform.io/providers/petoju/mysql/latest/docs/resources/user resource "mysql_user" "user" { count = var.db_enabled && var.db_engine == "mysql" ? 1 : 0 @@ -118,6 +125,7 @@ resource "mysql_user" "user" { plaintext_password = random_password.db_readonly_password[0].result } +# ref: https://registry.terraform.io/providers/petoju/mysql/latest/docs/resources/grant resource "mysql_grant" "user" { count = var.db_enabled && var.db_engine == "mysql" ? 1 : 0 diff --git a/terraform/aws/efs.tf b/terraform/aws/efs.tf index cd14e5ee81..51177698bc 100644 --- a/terraform/aws/efs.tf +++ b/terraform/aws/efs.tf @@ -4,6 +4,7 @@ // the nodes. We create a mount target for each EFS, in each subnet, even if we // primarily put all our nodes in one - this allows for GPU nodes to be spread // out across AZ when needed +# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets data "aws_subnets" "cluster_node_subnets" { filter { @@ -22,6 +23,7 @@ data "aws_subnets" "cluster_node_subnets" { } } +# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group data "aws_security_group" "cluster_nodes_shared_security_group" { filter { 
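Review bot: The `provider "mysql"` block is configured with `random_password.db_root_password[0].result`, so whoever runs this Terraform holds the database master credential for the life of the workspace in order to create one read-only user. That is probably unavoidable with this provider, but the existing comment only explains the `db_enabled` conditional; I would add `# NOTE: this authenticates as the RDS master user; the provider's tls setting is what protects that credential in transit.` The provider's `endpoint` and any `tls` attribute sit outside the hunk, so whether the connection is TLS-protected is something to confirm rather than something I can read here.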
@@ -42,6 +44,7 @@ data "aws_security_group" "cluster_nodes_shared_security_group" { # This allows supporting running multiple EFS instances in a cluster # for an accurate cost allocation per hub of home directory storage. # https://github.com/2i2c-org/infrastructure/issues/4453 +# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_file_system resource "aws_efs_file_system" "hub_homedirs" { for_each = var.filestores tags = merge(var.tags, each.value.tags, { @@ -99,6 +102,7 @@ locals { ] } +# ref: https://registry.terraform.io/providers/-/aws/latest/docs/resources/efs_mount_target resource "aws_efs_mount_target" "hub_homedirs" { for_each = tomap({ for mount_target in local.efs_mount_targets : "${mount_target.subnet_id}.${mount_target.name}" => mount_target @@ -115,6 +119,7 @@ output "nfs_server_dns_map" { # Enable automatic backups for user homedirectories # Documented in https://docs.aws.amazon.com/efs/latest/ug/awsbackup.html#automatic-backups +# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_backup_policy resource "aws_efs_backup_policy" "hub_homedirs" { for_each = aws_efs_file_system.hub_homedirs file_system_id = each.value.id diff --git a/terraform/aws/grafana-athena-iam.tf b/terraform/aws/grafana-athena-iam.tf index 24e5bb233d..196f830253 100644 --- a/terraform/aws/grafana-athena-iam.tf +++ b/terraform/aws/grafana-athena-iam.tf @@ -1,3 +1,4 @@ +# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role resource "aws_iam_role" "grafana_athena_role" { count = var.enable_grafana_athena_iam ? 1 : 0 diff --git a/terraform/aws/irsa.tf b/terraform/aws/irsa.tf index 6f8c60a7df..986e7cdbda 100644 --- a/terraform/aws/irsa.tf +++ b/terraform/aws/irsa.tf 
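Review bot: The new reference comment above `aws_efs_mount_target` points at `https://registry.terraform.io/providers/-/aws/latest/docs/resources/efs_mount_target`, using the `-` namespace placeholder where every other ref added in this series uses `hashicorp`. I would make it `# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_mount_target` so all the links resolve the same way and are greppable by the same pattern. The mount target resource body continues past the end of the hunk.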
@@ -7,7 +7,10 @@ - RolePolicyAttachment - if extra_iam_policy is declared */ +# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity data "aws_caller_identity" "current" {} + +# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition data "aws_partition" "current" {} @@ -32,6 +35,7 @@ locals { +# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document data "aws_iam_policy_document" "irsa_role_assume" { for_each = { for index, hr in local.hub_to_role_mapping : hr.iam_role_name => hr } statement { @@ -55,6 +59,7 @@ data "aws_iam_policy_document" "irsa_role_assume" { } } +# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role resource "aws_iam_role" "irsa_role" { for_each = { for index, hr in local.hub_to_role_mapping : hr.iam_role_name => hr } name = "${var.cluster_name}-${each.key}" @@ -63,8 +68,7 @@ resource "aws_iam_role" "irsa_role" { assume_role_policy = data.aws_iam_policy_document.irsa_role_assume[each.key].json } - - +# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy resource "aws_iam_policy" "extra_user_policy" { for_each = { for index, hr in local.hub_to_role_mapping : hr.iam_role_name => hr if hr.cloud_permissions.extra_iam_policy != "" } name = "${var.cluster_name}-${each.key}-extra-user-policy" @@ -74,6 +78,7 @@ resource "aws_iam_policy" "extra_user_policy" { policy = each.value.cloud_permissions.extra_iam_policy } +# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment resource "aws_iam_role_policy_attachment" "extra_user_policy" { for_each = { for index, hr in local.hub_to_role_mapping : hr.iam_role_name => hr if hr.cloud_permissions.extra_iam_policy != "" } role = aws_iam_role.irsa_role[each.key].name 
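Review bot: `policy = each.value.cloud_permissions.extra_iam_policy` in the `aws_iam_policy` "extra_user_policy" hunk attaches an operator-supplied policy document verbatim, and the only guard visible is the `!= ""` filter in `for_each`, so a document that is not valid JSON is only rejected by AWS at apply time, after the plan has been approved. A `lifecycle` precondition on the resource catches that at plan time and names the offending hub; it does not judge how broad the policy is, which still needs human review of the config. The resource body continues outside the hunk, so the block below shows only the addition, placed after `policy`.
```hcl
resource "aws_iam_policy" "extra_user_policy" {
  # … unchanged: for_each, name, policy …

  lifecycle {
    precondition {
      condition     = can(jsondecode(each.value.cloud_permissions.extra_iam_policy))
      error_message = "extra_iam_policy for ${each.key} must be a valid JSON IAM policy document."
    }
  }
}
```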
diff --git a/terraform/aws/main.tf b/terraform/aws/main.tf index 75e3966c93..4828b48b33 100644 --- a/terraform/aws/main.tf +++ b/terraform/aws/main.tf @@ -26,12 +26,15 @@ terraform { } } +# ref: https://registry.terraform.io/providers/hashicorp/random/latest/docs provider "random" {} +# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs provider "aws" { region = var.region } +# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster data "aws_eks_cluster" "cluster" { name = var.cluster_name } From a1d62341a4796e44cbd4209ebd576916f94707d4 Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Fri, 6 Sep 2024 11:18:48 +0200 Subject: [PATCH 3/3] terraform, aws: remove some line breaks --- terraform/aws/projects/template.tfvars | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/terraform/aws/projects/template.tfvars b/terraform/aws/projects/template.tfvars index 787c7d3c8a..a1ea06f7b9 100644 --- a/terraform/aws/projects/template.tfvars +++ b/terraform/aws/projects/template.tfvars @@ -4,10 +4,8 @@ - no default scratch buckets support */ -region = "{{ cluster_region }}" - -cluster_name = "{{ cluster_name }}" - +region = "{{ cluster_region }}" +cluster_name = "{{ cluster_name }}" cluster_nodes_location = "{{ cluster_region }}a" # Tip: uncomment and fill the missing info in the lines below if you want