Adding a lot of stuff.

2022-07-12 22:32:18 +02:00
parent 188cf2679c
commit 621e04fb94
35 changed files with 704 additions and 43 deletions
--- a/infra/config.hcl
+++ b/infra/config.hcl
@ -42,30 +42,6 @@ locals {
    }
  }

-  /*
-    ⋮ 22 │  eks_cluster_security_group_additional_rules = {
-    ⋮ 23 │    egress_nodes_ephemeral_ports_tcp = {
-    ⋮ 24 │      description                = "Nginx validation webhook"
-    ⋮ 25 │      protocol                   = "tcp"
-    ⋮ 26 │      from_port                  = 8443
-    ⋮ 27 │      to_port                    = 8443
-    ⋮ 28 │      type                       = "egress"
-    ⋮ 29 │      source_node_security_group = true
-    ⋮ 30 │    }
-    ⋮ 31 │  }
-    ⋮ 32 │
- 22 ⋮ 33 │  eks_node_security_group_additional_rules = {
-    ⋮ 34 │    ingress_cluster_api_validation_webhooks = {
-    ⋮ 35 │      description                   = "Control Plane to validation nginx webhook"
-    ⋮ 36 │      protocol                      = "tcp"
-    ⋮ 37 │      from_port                     = 8443
-    ⋮ 38 │      to_port                       = 8443
-    ⋮ 39 │      type                          = "ingress"
-    ⋮ 40 │      source_cluster_security_group = true
-    ⋮ 41 │    }
-
-  */
-
  eks_cluster_security_group_additional_rules = {
    egress_nodes_ephemeral_ports_tcp = {
      description                = "Validation webhooks"
@ -150,6 +126,7 @@ locals {
        type                              = "nlb"
        proxy-protocol                    = ""
        nlb-target-type                   = ""
+        eip-allocations                   = ""
      }
      internal = {
        dns_record                        = "*"
@ -159,6 +136,18 @@ locals {
        type                              = "nlb"
        proxy-protocol                    = ""
        nlb-target-type                   = ""
+        eip-allocations                   = ""
+      }
+    }
+  }
+
+  elastic_ips = {
+    "eks_public_nlb" = {
+      count = length(local.azs)
+      vpc   = true
+      tags = {
+        cluster = local.eks_cluster_name
+        usage   = "eks_public_nlb"
      }
    }
  }
--- a/infra/eks-cert-manager/.terraform.lock.hcl
+++ b/infra/eks-cert-manager/.terraform.lock.hcl
@ -0,0 +1,40 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/aws" {
+  version     = "4.4.0"
+  constraints = "~> 4.4.0"
+  hashes = [
+    "h1:xUXge6/Bn/CzSjZpmQIr7/FwANKj+3cIEnxYlgS1xFo=",
+    "zh:087e8e1b9c3d2c9d547181aa88f75fd42d9800eea6d37c0276b1208c427113ff",
+    "zh:25c3deac14f06a7da5d4d8b56dd5e25a24b5c3bb6bb7a585145d7df1a6e5bc3f",
+    "zh:5bd23fc03cd51eca3f1e4e4414624dcc4f075eca5cf5aabf06b54b4edded5c50",
+    "zh:8399507975a422a84b93b24c07db34cc9342f54aa693eace1b451c6b1ab54b87",
+    "zh:9618bed0832433fee57579d4a001479b08e2092d0c08539edb897f57f6ea0114",
+    "zh:b0b9060bc367c5fb6175c7ae59382fd6107ab0c0bad6e40cd3205127d8e6717d",
+    "zh:b160122057659cceb72f78a86483f71d59742502dad23b770dc4248b8e94edd4",
+    "zh:cb927f4622ef9bf439b867aef760c948839e1cec2ddb8bdba7abfc5183124360",
+    "zh:e37ce5054a5838eda190f286a62eeb7146087863e38b1a205aa0eb12a5e765b9",
+    "zh:e38856fd703b2f6e08a35cbe5ddab9a734c9608d2372411bfa6ef1b05ffeb758",
+    "zh:f342e638d9672d969ed3946b9f0650cf327690b35e0812b2ddae97bd32c2d946",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/helm" {
+  version     = "2.4.1"
+  constraints = "2.4.1"
+  hashes = [
+    "h1:Gqwrr+yKWR79esN39X9eRCddxMNapmaGMynLfjrUJJo=",
+    "zh:07517b24ea2ce4a1d3be3b88c3efc7fb452cd97aea8fac93ca37a08a8ec06e14",
+    "zh:11ef6118ed03a1b40ff66adfe21b8707ece0568dae1347ddfbcff8452c0655d5",
+    "zh:1ae07e9cc6b088a6a68421642c05e2fa7d00ed03e9401e78c258cf22a239f526",
+    "zh:1c5b4cd44033a0d7bf7546df930c55aa41db27b70b3bca6d145faf9b9a2da772",
+    "zh:256413132110ddcb0c3ea17c7b01123ad2d5b70565848a77c5ccc22a3f32b0dd",
+    "zh:4ab46fd9aadddef26604382bc9b49100586647e63ef6384e0c0c3f010ff2f66e",
+    "zh:5a35d23a9f08c36fceda3cef7ce2c7dc5eca32e5f36494de695e09a5007122f0",
+    "zh:8e9823a1e5b985b63fe283b755a821e5011a58112447d42fb969c7258ed57ed3",
+    "zh:8f79722eba9bf77d341edf48a1fd51a52d93ec31d9cac9ba8498a3a061ea4a7f",
+    "zh:b2ea782848b10a343f586ba8ee0cf4d7ff65aa2d4b144eea5bbd8f9801b54c67",
+    "zh:e72d1ccf8a75d8e8456c6bb4d843fd4deb0e962ad8f167fa84cf17f12c12304e",
+  ]
+}
--- a/infra/eks-cert-manager/terragrunt.hcl
+++ b/infra/eks-cert-manager/terragrunt.hcl
@ -0,0 +1,32 @@
+include "root" {
+  path = find_in_parent_folders()
+}
+
+terraform {
+  source = "${get_repo_root()}//modules/eks-cert-manager"
+}
+
+dependency "eks" {
+  config_path = "../eks"
+
+  mock_outputs_allowed_terraform_commands = ["validate", "plan"]
+  mock_outputs = {
+    cluster_id                         = "fake-cluster-id"
+    cluster_endpoint                   = "https://fake-cluster-endpoint.eks.amazonaws.com"
+    cluster_certificate_authority_data = "ZmFrZS1jYS1jZXJ0LWRhdGE="
+  }
+}
+
+locals {
+  config_vars = read_terragrunt_config(find_in_parent_folders("config.hcl"))
+}
+
+generate = local.config_vars.generate
+
+inputs = {
+  cluster_id                         = dependency.eks.outputs.cluster_id
+  cluster_endpoint                   = dependency.eks.outputs.cluster_endpoint
+  cluster_certificate_authority_data = dependency.eks.outputs.cluster_certificate_authority_data
+  namespace                          = "cert-manager"
+  create_namespace                   = "true"
+}
--- a/infra/eks-external-secrets/.terraform.lock.hcl
+++ b/infra/eks-external-secrets/.terraform.lock.hcl
@ -0,0 +1,60 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/aws" {
+  version     = "4.4.0"
+  constraints = "~> 4.4.0"
+  hashes = [
+    "h1:xUXge6/Bn/CzSjZpmQIr7/FwANKj+3cIEnxYlgS1xFo=",
+    "zh:087e8e1b9c3d2c9d547181aa88f75fd42d9800eea6d37c0276b1208c427113ff",
+    "zh:25c3deac14f06a7da5d4d8b56dd5e25a24b5c3bb6bb7a585145d7df1a6e5bc3f",
+    "zh:5bd23fc03cd51eca3f1e4e4414624dcc4f075eca5cf5aabf06b54b4edded5c50",
+    "zh:8399507975a422a84b93b24c07db34cc9342f54aa693eace1b451c6b1ab54b87",
+    "zh:9618bed0832433fee57579d4a001479b08e2092d0c08539edb897f57f6ea0114",
+    "zh:b0b9060bc367c5fb6175c7ae59382fd6107ab0c0bad6e40cd3205127d8e6717d",
+    "zh:b160122057659cceb72f78a86483f71d59742502dad23b770dc4248b8e94edd4",
+    "zh:cb927f4622ef9bf439b867aef760c948839e1cec2ddb8bdba7abfc5183124360",
+    "zh:e37ce5054a5838eda190f286a62eeb7146087863e38b1a205aa0eb12a5e765b9",
+    "zh:e38856fd703b2f6e08a35cbe5ddab9a734c9608d2372411bfa6ef1b05ffeb758",
+    "zh:f342e638d9672d969ed3946b9f0650cf327690b35e0812b2ddae97bd32c2d946",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/helm" {
+  version     = "2.4.1"
+  constraints = "2.4.1"
+  hashes = [
+    "h1:Gqwrr+yKWR79esN39X9eRCddxMNapmaGMynLfjrUJJo=",
+    "zh:07517b24ea2ce4a1d3be3b88c3efc7fb452cd97aea8fac93ca37a08a8ec06e14",
+    "zh:11ef6118ed03a1b40ff66adfe21b8707ece0568dae1347ddfbcff8452c0655d5",
+    "zh:1ae07e9cc6b088a6a68421642c05e2fa7d00ed03e9401e78c258cf22a239f526",
+    "zh:1c5b4cd44033a0d7bf7546df930c55aa41db27b70b3bca6d145faf9b9a2da772",
+    "zh:256413132110ddcb0c3ea17c7b01123ad2d5b70565848a77c5ccc22a3f32b0dd",
+    "zh:4ab46fd9aadddef26604382bc9b49100586647e63ef6384e0c0c3f010ff2f66e",
+    "zh:5a35d23a9f08c36fceda3cef7ce2c7dc5eca32e5f36494de695e09a5007122f0",
+    "zh:8e9823a1e5b985b63fe283b755a821e5011a58112447d42fb969c7258ed57ed3",
+    "zh:8f79722eba9bf77d341edf48a1fd51a52d93ec31d9cac9ba8498a3a061ea4a7f",
+    "zh:b2ea782848b10a343f586ba8ee0cf4d7ff65aa2d4b144eea5bbd8f9801b54c67",
+    "zh:e72d1ccf8a75d8e8456c6bb4d843fd4deb0e962ad8f167fa84cf17f12c12304e",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/kubernetes" {
+  version     = "2.10.0"
+  constraints = "2.10.0"
+  hashes = [
+    "h1:HGCh+b5R/yytVhuJoAMipLJb2wlTwNHlv3MiyHYBwzg=",
+    "zh:0b011e77f02bc05194062c0a39f321a4f1bea0bae61787b0c1f5808f6efb2a26",
+    "zh:288ad46e240c5d1218909a9100ca8bd2197c8615558bbe7b393ba35877d5e4f0",
+    "zh:3e5554791ed103b6190efebe332fd3722796e6a59cf081f87ef1debb4e0b6ae3",
+    "zh:98e42cb48624be7eb2e16b5d8fc5044d7207943b6d13905bc3d3c006aa231cc7",
+    "zh:b1c800fd3971051d9deb4824f933e506ae288458e425be8ea449c9d40c7b0663",
+    "zh:bca1802585ecbc36bfcc700b6fa7c6ff96b2b8c4aca23c58df939a5002a05b4d",
+    "zh:c2f6bf46cd95d00f2bb1634afff92eeb269d27d83eea80b8cfceca1afdcd3033",
+    "zh:d2ccfbf3a9bf2ede8be6242c023173efd85a882cd3956a941f140c5718047412",
+    "zh:da19cd4a124f4ffc092e19f5b7a10ac4cce98db40cf855ea0d4a682f3df83a1f",
+    "zh:e3a2020453a86f80ad2b3f792e91a35fe272b907485a59c02d19269a1bdfe2fd",
+    "zh:f0659ca86e0dc0dd76b7f4497db8e58144ee9f0943b6d14dc57193d25ee22ced",
+    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+  ]
+}
--- a/infra/eks-external-secrets/terragrunt.hcl
+++ b/infra/eks-external-secrets/terragrunt.hcl
@ -0,0 +1,33 @@
+include "root" {
+  path = find_in_parent_folders()
+}
+
+terraform {
+  source = "${get_repo_root()}//modules/eks-external-secrets"
+}
+
+dependency "eks" {
+  config_path = "../eks"
+
+  mock_outputs_allowed_terraform_commands = ["validate", "plan"]
+  mock_outputs = {
+    cluster_id                         = "fake-cluster-id"
+    cluster_endpoint                   = "https://fake-cluster-endpoint.eks.amazonaws.com"
+    cluster_certificate_authority_data = "ZmFrZS1jYS1jZXJ0LWRhdGE="
+  }
+}
+
+locals {
+  config_vars = read_terragrunt_config(find_in_parent_folders("config.hcl"))
+}
+
+generate = local.config_vars.generate
+
+inputs = {
+  cluster_id                         = dependency.eks.outputs.cluster_id
+  cluster_endpoint                   = dependency.eks.outputs.cluster_endpoint
+  cluster_certificate_authority_data = dependency.eks.outputs.cluster_certificate_authority_data
+
+  # Enable this only if kube-prometheus-stack is set-up on the cluster.
+  service_monitor = true
+}
--- a/infra/eks-kube-prometheus-stack/.terraform.lock.hcl
+++ b/infra/eks-kube-prometheus-stack/.terraform.lock.hcl
@ -0,0 +1,40 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/aws" {
+  version     = "4.4.0"
+  constraints = "~> 4.4.0"
+  hashes = [
+    "h1:xUXge6/Bn/CzSjZpmQIr7/FwANKj+3cIEnxYlgS1xFo=",
+    "zh:087e8e1b9c3d2c9d547181aa88f75fd42d9800eea6d37c0276b1208c427113ff",
+    "zh:25c3deac14f06a7da5d4d8b56dd5e25a24b5c3bb6bb7a585145d7df1a6e5bc3f",
+    "zh:5bd23fc03cd51eca3f1e4e4414624dcc4f075eca5cf5aabf06b54b4edded5c50",
+    "zh:8399507975a422a84b93b24c07db34cc9342f54aa693eace1b451c6b1ab54b87",
+    "zh:9618bed0832433fee57579d4a001479b08e2092d0c08539edb897f57f6ea0114",
+    "zh:b0b9060bc367c5fb6175c7ae59382fd6107ab0c0bad6e40cd3205127d8e6717d",
+    "zh:b160122057659cceb72f78a86483f71d59742502dad23b770dc4248b8e94edd4",
+    "zh:cb927f4622ef9bf439b867aef760c948839e1cec2ddb8bdba7abfc5183124360",
+    "zh:e37ce5054a5838eda190f286a62eeb7146087863e38b1a205aa0eb12a5e765b9",
+    "zh:e38856fd703b2f6e08a35cbe5ddab9a734c9608d2372411bfa6ef1b05ffeb758",
+    "zh:f342e638d9672d969ed3946b9f0650cf327690b35e0812b2ddae97bd32c2d946",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/helm" {
+  version     = "2.4.1"
+  constraints = "2.4.1"
+  hashes = [
+    "h1:Gqwrr+yKWR79esN39X9eRCddxMNapmaGMynLfjrUJJo=",
+    "zh:07517b24ea2ce4a1d3be3b88c3efc7fb452cd97aea8fac93ca37a08a8ec06e14",
+    "zh:11ef6118ed03a1b40ff66adfe21b8707ece0568dae1347ddfbcff8452c0655d5",
+    "zh:1ae07e9cc6b088a6a68421642c05e2fa7d00ed03e9401e78c258cf22a239f526",
+    "zh:1c5b4cd44033a0d7bf7546df930c55aa41db27b70b3bca6d145faf9b9a2da772",
+    "zh:256413132110ddcb0c3ea17c7b01123ad2d5b70565848a77c5ccc22a3f32b0dd",
+    "zh:4ab46fd9aadddef26604382bc9b49100586647e63ef6384e0c0c3f010ff2f66e",
+    "zh:5a35d23a9f08c36fceda3cef7ce2c7dc5eca32e5f36494de695e09a5007122f0",
+    "zh:8e9823a1e5b985b63fe283b755a821e5011a58112447d42fb969c7258ed57ed3",
+    "zh:8f79722eba9bf77d341edf48a1fd51a52d93ec31d9cac9ba8498a3a061ea4a7f",
+    "zh:b2ea782848b10a343f586ba8ee0cf4d7ff65aa2d4b144eea5bbd8f9801b54c67",
+    "zh:e72d1ccf8a75d8e8456c6bb4d843fd4deb0e962ad8f167fa84cf17f12c12304e",
+  ]
+}
--- a/infra/eks-kube-prometheus-stack/terragrunt.hcl
+++ b/infra/eks-kube-prometheus-stack/terragrunt.hcl
@ -0,0 +1,43 @@
+include "root" {
+  path = find_in_parent_folders()
+}
+
+terraform {
+  source = "${get_repo_root()}//modules/eks-kube-prometheus-stack"
+}
+
+dependency "eks" {
+  config_path = "../eks"
+
+  # Configure mock outputs for the `validate` and `plan` commands that are returned when there are no outputs available
+  # (e.g the module hasn't been applied yet)
+  mock_outputs_allowed_terraform_commands = ["validate", "plan"]
+  mock_outputs = {
+    cluster_id                         = "fake-cluster-id"
+    cluster_endpoint                   = "https://fake-cluster-endpoint.eks.amazonaws.com"
+    cluster_certificate_authority_data = "ZmFrZS1jYS1jZXJ0LWRhdGE="
+  }
+}
+
+dependency "private_dns" {
+  config_path = "../dns-private"
+
+  mock_outputs_allowed_terraform_commands = ["validate", "plan"]
+  mock_outputs = {
+    dns_zone = {
+      name    = "fake.zone.com"
+      zone_id = "ZXXXXXXXXXXXXXXXXXXX"
+    }
+  }
+}
+
+locals {
+  config_vars = read_terragrunt_config(find_in_parent_folders("config.hcl"))
+}
+
+inputs = {
+  cluster_id                         = dependency.eks.outputs.cluster_id
+  cluster_endpoint                   = dependency.eks.outputs.cluster_endpoint
+  cluster_certificate_authority_data = dependency.eks.outputs.cluster_certificate_authority_data
+  domain                             = dependency.private_dns.outputs.dns_zone.name
+}
--- a/infra/eks/terragrunt.hcl
+++ b/infra/eks/terragrunt.hcl
@ -35,7 +35,7 @@ inputs = {
  eks_managed_node_groups         = local.config_vars.locals.node_groups

  # Extend node-to-node security group rules
-  node_security_group_additional_rules = local.config_vars.locals.eks_node_security_group_additional_rules
+  node_security_group_additional_rules    = local.config_vars.locals.eks_node_security_group_additional_rules
  cluster_security_group_additional_rules = local.config_vars.locals.eks_cluster_security_group_additional_rules

  create_cloudwatch_log_group = false
--- a/infra/elastic-ips/.terraform.lock.hcl
+++ b/infra/elastic-ips/.terraform.lock.hcl
@ -0,0 +1,21 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/aws" {
+  version     = "4.4.0"
+  constraints = "~> 4.4.0"
+  hashes = [
+    "h1:xUXge6/Bn/CzSjZpmQIr7/FwANKj+3cIEnxYlgS1xFo=",
+    "zh:087e8e1b9c3d2c9d547181aa88f75fd42d9800eea6d37c0276b1208c427113ff",
+    "zh:25c3deac14f06a7da5d4d8b56dd5e25a24b5c3bb6bb7a585145d7df1a6e5bc3f",
+    "zh:5bd23fc03cd51eca3f1e4e4414624dcc4f075eca5cf5aabf06b54b4edded5c50",
+    "zh:8399507975a422a84b93b24c07db34cc9342f54aa693eace1b451c6b1ab54b87",
+    "zh:9618bed0832433fee57579d4a001479b08e2092d0c08539edb897f57f6ea0114",
+    "zh:b0b9060bc367c5fb6175c7ae59382fd6107ab0c0bad6e40cd3205127d8e6717d",
+    "zh:b160122057659cceb72f78a86483f71d59742502dad23b770dc4248b8e94edd4",
+    "zh:cb927f4622ef9bf439b867aef760c948839e1cec2ddb8bdba7abfc5183124360",
+    "zh:e37ce5054a5838eda190f286a62eeb7146087863e38b1a205aa0eb12a5e765b9",
+    "zh:e38856fd703b2f6e08a35cbe5ddab9a734c9608d2372411bfa6ef1b05ffeb758",
+    "zh:f342e638d9672d969ed3946b9f0650cf327690b35e0812b2ddae97bd32c2d946",
+  ]
+}
--- a/infra/elastic-ips/terragrunt.hcl
+++ b/infra/elastic-ips/terragrunt.hcl
@ -0,0 +1,17 @@
+include "root" {
+  path = find_in_parent_folders()
+}
+
+terraform {
+  source = "${get_repo_root()}//modules/eip-set"
+}
+
+locals {
+  config_vars = read_terragrunt_config(find_in_parent_folders("config.hcl"))
+}
+
+generate = local.config_vars.generate
+
+inputs = {
+  eips = local.config_vars.locals.elastic_ips
+}
--- a/infra/ingress-controller/terragrunt.hcl
+++ b/infra/ingress-controller/terragrunt.hcl
@ -63,6 +63,22 @@ dependency "private_dns" {
  }
 }

+dependency "eips" {
+  config_path = "../elastic-ips"
+
+  mock_outputs_allowed_terraform_commands = ["validate", "plan"]
+  mock_outputs = {
+    eip_groups = {
+      eks_public_nlb = {
+        eips = [
+          { allocation_id = "eipalloc-xxxxxxxxxxxxxxxxx" },
+          { allocation_id = "eipalloc-yyyyyyyyyyyyyyyyy" }
+        ]
+      }
+    }
+  }
+}
+
 locals {
  config_vars = read_terragrunt_config(find_in_parent_folders("config.hcl"))

@ -72,17 +88,17 @@ locals {
  lb_config_public = merge(
    local.eks_ingress_controller.load_balancer_config.public,
    {
-      type            = "external"
-      proxy-protocol  = "*"
-      nlb-target-type = "instance"
+      type                   = "external"
+      enable-proxy-protocol  = true
+      nlb-target-type        = "instance"
    }
  )
  lb_config_internal = merge(
    local.eks_ingress_controller.load_balancer_config.internal,
    {
-      type            = "external"
-      proxy-protocol  = "*"
-      nlb-target-type = "instance"
+      type                   = "external"
+      enable-proxy-protocol  = true
+      nlb-target-type        = "instance"
    }
  )
 }
@ -105,6 +121,13 @@ inputs = {
  load_balancer_config = {
    public   = local.lb_config_public,
    internal = local.lb_config_internal,
+    public = merge(local.lb_config_public, {
+      "eip-allocations" = join(", ", dependency.eips.outputs.eip_groups.eks_public_nlb.eips.*.allocation_id),
+      "name"            = "${dependency.eks.outputs.cluster_id}-public"
+    })
+    internal = merge(local.lb_config_internal, {
+      "name" = "${dependency.eks.outputs.cluster_id}-internal"
+    })
  }

  enable_internal_lb = local.eks_ingress_controller.enable_internal_lb