diff --git a/modules/eks/main.tf b/modules/eks/main.tf index 5167c63..241ffd8 100644 --- a/modules/eks/main.tf +++ b/modules/eks/main.tf @@ -1,9 +1,10 @@ data "aws_caller_identity" "current" {} module "ebs_csi_irsa_role" { - source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts" + source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts" + version = "6.2.1" - name = "${var.deployment_name}-ebs-csi-controller" + name = "${var.deployment_name}-ebs-csi-controller" attach_ebs_csi_policy = true oidc_providers = { @@ -15,9 +16,10 @@ module "ebs_csi_irsa_role" { } module "k8s_load_balancer_controller_role" { - source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts" + source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts" + version = "6.2.1" - name = "${var.deployment_name}-lb-controller" + name = "${var.deployment_name}-lb-controller" attach_load_balancer_controller_policy = true oidc_providers = { @@ -29,9 +31,10 @@ module "k8s_load_balancer_controller_role" { } module "cluster_autoscaler_role" { - source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts" + source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts" + version = "6.2.1" - name = "${var.deployment_name}-cluster-autoscaler" + name = "${var.deployment_name}-cluster-autoscaler" attach_cluster_autoscaler_policy = true cluster_autoscaler_cluster_names = [module.eks.cluster_name] @@ -53,7 +56,7 @@ module "eks" { name = var.deployment_name kubernetes_version = var.k8s_cluster_version - endpoint_public_access = true + endpoint_public_access = true endpoint_public_access_cidrs = var.k8s_public_access_cidrs enable_irsa = true 
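Review bot: The exact pin `version = "6.2.1"` added under `source` in `module "ebs_csi_irsa_role"` is the only control over which module code is fetched, because `.terraform.lock.hcl` records provider versions but not registry module versions; keep it exact rather than a `~>` range and treat any bump as a reviewed change. The same literal is repeated in the other two module blocks of this file and in every `module "*_role"` block of roles.tf (16 copies in total), and Terraform requires a module's `version` argument to be a literal, so it cannot be centralised in a local; a comment on this first occurrence such as `# IRSA module version; bump in lockstep across main.tf and roles.tf` would help keep the copies in sync. Here the new line directly follows `source`, while the roles.tf hunks place it after `name`; one ordering across both files would make the pins easier to grep and review.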
@@ -79,10 +82,10 @@ module "eks" { service_account_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.deployment_name}-ebs-csi-controller" most_recent = true before_compute = true - configuration_values = jsonencode({ - "sidecars": { - "snapshotter": { - "forceEnable": false + configuration_values = jsonencode({ + "sidecars" : { + "snapshotter" : { + "forceEnable" : false } } }) @@ -96,24 +99,24 @@ module "eks" { # Self Managed Node Group(s) self_managed_node_groups = var.self_managed_node_grps - eks_managed_node_groups = var.managed_node_grps - -# access_entries = { -# allow_support_access = { -# kubernetes_groups = [] -# principal_arn = resource.aws_iam_role.eks_support_role.arn (# from cloud-infra) -# -# policy_associations = { -# single = { -# policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy" -# access_scope = { -# namespaces = [] -# type = "cluster" -# } -# } -# } -# } -# } + eks_managed_node_groups = var.managed_node_grps + + # access_entries = { + # allow_support_access = { + # kubernetes_groups = [] + # principal_arn = resource.aws_iam_role.eks_support_role.arn (# from cloud-infra) + # + # policy_associations = { + # single = { + # policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy" + # access_scope = { + # namespaces = [] + # type = "cluster" + # } + # } + # } + # } + # } tags = var.tags } diff --git a/modules/eks/outputs.tf b/modules/eks/outputs.tf index 3748e56..c0ca861 100644 --- a/modules/eks/outputs.tf +++ b/modules/eks/outputs.tf 
@@ -20,126 +20,126 @@ output "cluster_endpoint" { # dfshell output "dfshell_role_arn" { - value = module.dfshell_role[0].arn + value = module.dfshell_role[0].arn description = "The ARN of the AWS Bedrock role" } output "dfshell_service_account_name" { - value = var.dfshell_service_account_name + value = var.dfshell_service_account_name description = "The name of the service account for dfshell" } # worker_portal output "worker_portal_role_arn" { - value = module.worker_portal_role[0].arn + value = module.worker_portal_role[0].arn description = "The ARN of the AWS Bedrock role" } output "worker_portal_service_account_name" { - value = var.worker_portal_service_account_name + value = var.worker_portal_service_account_name description = "The name of the service account for worker_portal" } # operator output "operator_role_arn" { - value = module.operator_role[0].arn + value = module.operator_role[0].arn description = "The ARN of the AWS Bedrock role" } output "operator_service_account_name" { - value = var.operator_service_account_name + value = var.operator_service_account_name description = "The name of the service account for operator" } # server output "server_role_arn" { - value = module.server_role[0].arn + value = module.server_role[0].arn description = "The ARN of the AWS Bedrock role" } output "server_service_account_name" { - value = var.server_service_account_name + value = var.server_service_account_name description = "The name of the service account for server" } # scheduler output "scheduler_role_arn" { - value = module.scheduler_role[0].arn + value = module.scheduler_role[0].arn description = "The ARN of the AWS Bedrock role" } output "scheduler_service_account_name" { - value = var.scheduler_service_account_name + value = var.scheduler_service_account_name description = "The name of the service account for scheduler" } # worker, worker1, worker2 etc. 
output "worker_role_arn" { - value = module.worker_role[0].arn + value = module.worker_role[0].arn description = "The ARN of the AWS Bedrock role" } output "worker_service_account_name" { - value = var.worker_service_account_name + value = var.worker_service_account_name description = "The name of the service account for worker" } # worker_catalog output "worker_catalog_role_arn" { - value = module.worker_catalog_role[0].arn + value = module.worker_catalog_role[0].arn description = "The ARN of the AWS Bedrock role" } output "worker_catalog_service_account_name" { - value = var.worker_catalog_service_account_name + value = var.worker_catalog_service_account_name description = "The name of the service account for worker_catalog" } # worker_interactive output "worker_interactive_role_arn" { - value = module.worker_interactive_role[0].arn + value = module.worker_interactive_role[0].arn description = "The ARN of the AWS Bedrock role" } output "worker_interactive_service_account_name" { - value = var.worker_interactive_service_account_name + value = var.worker_interactive_service_account_name description = "The name of the service account for worker_interactive" } # worker_singletons output "worker_singletons_role_arn" { - value = module.worker_singletons_role[0].arn + value = module.worker_singletons_role[0].arn description = "The ARN of the AWS Bedrock role" } output "worker_singletons_service_account_name" { - value = var.worker_singletons_service_account_name + value = var.worker_singletons_service_account_name description = "The name of the service account for worker_singletons" } # worker_lineage output "worker_lineage_role_arn" { - value = module.worker_lineage_role[0].arn + value = module.worker_lineage_role[0].arn description = "The ARN of the AWS Bedrock role" } output "worker_lineage_service_account_name" { - value = var.worker_lineage_service_account_name + value = var.worker_lineage_service_account_name description = "The name of the service account for 
worker_lineage" } # worker_monitor output "worker_monitor_role_arn" { - value = module.worker_monitor_role[0].arn + value = module.worker_monitor_role[0].arn description = "The ARN of the AWS Bedrock role" } output "worker_monitor_service_account_name" { - value = var.worker_monitor_service_account_name + value = var.worker_monitor_service_account_name description = "The name of the service account for worker_monitor" } # storage_worker output "storage_worker_role_arn" { - value = module.storage_worker_role[0].arn + value = module.storage_worker_role[0].arn description = "The ARN of the AWS Bedrock role" } output "storage_worker_service_account_name" { - value = var.storage_worker_service_account_name + value = var.storage_worker_service_account_name description = "The name of the service account for storage_worker" } # Clickhouse backup output "clickhouse_backup_role_name" { - value = module.clickhouse_backup_role.arn + value = module.clickhouse_backup_role.arn description = "The name of the role for clickhouse backups" } diff --git a/modules/eks/roles.tf b/modules/eks/roles.tf index 306c738..efb155d 100644 --- a/modules/eks/roles.tf +++ b/modules/eks/roles.tf @@ -64,9 +64,10 @@ resource "aws_iam_policy" "clickhouse_backup_policy" { # dfshell module "dfshell_role" { - count = 1 - source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts" - name = "${var.deployment_name}-${var.dfshell_service_account_name}" + count = 1 + source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts" + name = "${var.deployment_name}-${var.dfshell_service_account_name}" + version = "6.2.1" oidc_providers = { ex = { 
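Review bot: `count = 1` on `module "dfshell_role"` is unconditional, so it never allows zero instances and only forces the `[0]` index that outputs.tf uses in `module.dfshell_role[0].arn`; the same pattern appears in every other `module "*_role"` block in roles.tf except `clickhouse_backup_role`, which has no `count`. If the intent is to make these roles optional, drive the count from a boolean input, e.g. `count = var.<create_flag> ? 1 : 0` (placeholder name) with the matching output made conditional; otherwise drop `count` and the `[0]` indexing in outputs.tf. The module block continues past the hunk (the `oidc_providers` map is cut off), so its remaining arguments were not reviewed.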
@@ -78,9 +79,10 @@ module "dfshell_role" { # worker_portal module "worker_portal_role" { - count = 1 - source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts" - name = "${var.deployment_name}-${var.worker_portal_service_account_name}" + count = 1 + source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts" + name = "${var.deployment_name}-${var.worker_portal_service_account_name}" + version = "6.2.1" oidc_providers = { ex = { @@ -92,9 +94,10 @@ module "worker_portal_role" { # operator module "operator_role" { - count = 1 - source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts" - name = "${var.deployment_name}-${var.operator_service_account_name}" + count = 1 + source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts" + name = "${var.deployment_name}-${var.operator_service_account_name}" + version = "6.2.1" oidc_providers = { ex = { @@ -106,9 +109,10 @@ module "operator_role" { # server module "server_role" { - count = 1 - source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts" - name = "${var.deployment_name}-${var.server_service_account_name}" + count = 1 + source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts" + name = "${var.deployment_name}-${var.server_service_account_name}" + version = "6.2.1" oidc_providers = { ex = { @@ -120,9 +124,10 @@ module "server_role" { # scheduler module "scheduler_role" { - count = 1 - source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts" - name = "${var.deployment_name}-${var.scheduler_service_account_name}" + count = 1 + source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts" + name = "${var.deployment_name}-${var.scheduler_service_account_name}" + version = "6.2.1" oidc_providers = { ex = { 
@@ -134,9 +139,10 @@ module "scheduler_role" { # worker module "worker_role" { - count = 1 - source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts" - name = "${var.deployment_name}-${var.worker_service_account_name}" + count = 1 + source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts" + name = "${var.deployment_name}-${var.worker_service_account_name}" + version = "6.2.1" oidc_providers = { ex = { @@ -148,9 +154,10 @@ module "worker_role" { # worker_catalog module "worker_catalog_role" { - count = 1 - source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts" - name = "${var.deployment_name}-${var.worker_catalog_service_account_name}" + count = 1 + source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts" + name = "${var.deployment_name}-${var.worker_catalog_service_account_name}" + version = "6.2.1" oidc_providers = { ex = { @@ -162,9 +169,10 @@ module "worker_catalog_role" { # worker_interactive module "worker_interactive_role" { - count = 1 - source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts" - name = "${var.deployment_name}-${var.worker_interactive_service_account_name}" + count = 1 + source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts" + name = "${var.deployment_name}-${var.worker_interactive_service_account_name}" + version = "6.2.1" oidc_providers = { ex = { @@ -176,9 +184,10 @@ module "worker_interactive_role" { # worker_singletons module "worker_singletons_role" { - count = 1 - source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts" - name = "${var.deployment_name}-${var.worker_singletons_service_account_name}" + count = 1 + source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts" + name = "${var.deployment_name}-${var.worker_singletons_service_account_name}" + version = "6.2.1" oidc_providers = { ex = { 
@@ -190,9 +199,10 @@ module "worker_singletons_role" { # worker_lineage module "worker_lineage_role" { - count = 1 - source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts" - name = "${var.deployment_name}-${var.worker_lineage_service_account_name}" + count = 1 + source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts" + name = "${var.deployment_name}-${var.worker_lineage_service_account_name}" + version = "6.2.1" oidc_providers = { ex = { @@ -204,9 +214,10 @@ module "worker_lineage_role" { # worker_monitor module "worker_monitor_role" { - count = 1 - source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts" - name = "${var.deployment_name}-${var.worker_monitor_service_account_name}" + count = 1 + source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts" + name = "${var.deployment_name}-${var.worker_monitor_service_account_name}" + version = "6.2.1" oidc_providers = { ex = { @@ -218,9 +229,10 @@ module "worker_monitor_role" { # storage_worker module "storage_worker_role" { - count = 1 - source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts" - name = "${var.deployment_name}-${var.storage_worker_service_account_name}" + count = 1 + source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts" + name = "${var.deployment_name}-${var.storage_worker_service_account_name}" + version = "6.2.1" oidc_providers = { ex = { @@ -231,8 +243,9 @@ module "storage_worker_role" { } module "clickhouse_backup_role" { - source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts" - name = "${var.deployment_name}-${var.clickhouse_backup_service_account_name}" + source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts" + name = "${var.deployment_name}-${var.clickhouse_backup_service_account_name}" + version = "6.2.1" oidc_providers = { ex = {