Vpc upgrade version aws module (#456)

ManagedKube · Feb 7, 2024 · 30de94a · 30de94a
1 parent 5939067
commit 30de94a
Show file tree

Hide file tree

Showing 5 changed files with 106 additions and 79 deletions.
diff --git a/terraform-modules/aws/cloudposse/aws-cloudtrail-cloudwatch-alarms/main.tf b/terraform-modules/aws/cloudposse/aws-cloudtrail-cloudwatch-alarms/main.tf
@@ -21,7 +21,7 @@ module "kms_cloudtrail" {
 }
 
 module "cloudtrail_s3_bucket" {
-  source  = "github.com/ManagedKube/terraform-aws-cloudtrail-s3-bucket.git//?ref=0.24.0"
+  source  = "github.com/ManagedKube/terraform-aws-cloudtrail-s3-bucket.git//?ref=0.25.0"
   #version = "master"
   force_destroy          = var.force_destroy
   versioning_enabled     = var.versioning_enabled
@@ -107,4 +107,4 @@ module "cis_alarms" {
   version        = "0.14.3"
   log_group_name = aws_cloudwatch_log_group.default.name
   metrics        = module.metric_configs.map_configs
-}
+}
diff --git a/terraform-modules/aws/cluster-autoscaler/main.tf b/terraform-modules/aws/cluster-autoscaler/main.tf
@@ -1,87 +1,81 @@
-module "iam_assumable_role_admin" {
-  source                        = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
-  version                       = "3.6.0"
-  create_role                   = true
-  role_name                     = "cluster-autoscaler-${var.cluster_name}"
-  provider_url                  = replace(var.eks_cluster_oidc_issuer_url, "https://", "")
-  role_policy_arns              = [aws_iam_policy.cluster_autoscaler.arn]
-  oidc_fully_qualified_subjects = ["system:serviceaccount:${var.k8s_service_account_namespace}:${var.k8s_service_account_name}"]
-}
+ module "iam_assumable_role_admin" {
+   source                        = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
+   version                       = "5.33.0"
+   create_role                   = true
+   role_name                     = "cluster-autoscaler-${var.cluster_name}"
+   provider_url                  = replace(var.eks_cluster_oidc_issuer_url, "https://", "")
+   role_policy_arns              = [aws_iam_policy.cluster_autoscaler.arn]
+   oidc_fully_qualified_subjects = ["system:serviceaccount:${var.k8s_service_account_namespace}:${var.k8s_service_account_name}"]
+ }
 
-resource "aws_iam_policy" "cluster_autoscaler" {
-  name_prefix = "cluster-autoscaler-${var.cluster_name}"
-  description = "EKS cluster-autoscaler policy for cluster ${var.eks_cluster_id}"
-  policy      = data.aws_iam_policy_document.cluster_autoscaler.json
-}
+ resource "aws_iam_policy" "cluster_autoscaler" {
+   name_prefix = "cluster-autoscaler-${var.cluster_name}"
+   description = "EKS cluster-autoscaler policy for cluster ${var.eks_cluster_id}"
+   policy      = data.aws_iam_policy_document.cluster_autoscaler.json
+ }
 
-data "aws_iam_policy_document" "cluster_autoscaler" {
-  statement {
-    sid    = "clusterAutoscalerAll"
-    effect = "Allow"
+ data "aws_iam_policy_document" "cluster_autoscaler" {
+   statement {
+     sid    = "clusterAutoscalerAll"
+     effect = "Allow"
 
-    actions = [
-      "autoscaling:DescribeAutoScalingGroups",
-      "autoscaling:DescribeAutoScalingInstances",
-      "autoscaling:DescribeLaunchConfigurations",
-      "autoscaling:DescribeTags",
-      "ec2:DescribeLaunchTemplateVersions",
-    ]
+     actions = [
+       "autoscaling:DescribeAutoScalingGroups",
+       "autoscaling:DescribeAutoScalingInstances",
+       "autoscaling:DescribeLaunchConfigurations",
+       "autoscaling:DescribeTags",
+       "ec2:DescribeLaunchTemplateVersions",
+     ]
 
-    resources = ["*"]
-  }
+     resources = ["*"]
+   }
 
-  statement {
-    sid    = "clusterAutoscalerOwn"
-    effect = "Allow"
+   statement {
+     sid    = "clusterAutoscalerOwn"
+     effect = "Allow"
 
-    actions = [
-      "autoscaling:SetDesiredCapacity",
-      "autoscaling:TerminateInstanceInAutoScalingGroup",
-      "autoscaling:UpdateAutoScalingGroup",
-    ]
+     actions = [
+       "autoscaling:SetDesiredCapacity",
+       "autoscaling:TerminateInstanceInAutoScalingGroup",
+       "autoscaling:UpdateAutoScalingGroup",
+     ]
 
-    resources = ["*"]
+     resources = ["*"]
 
-    condition {
-      test     = "StringEquals"
-      variable = "autoscaling:ResourceTag/kubernetes.io/cluster/${var.eks_cluster_id}"
-      values   = ["owned"]
-    }
+     condition {
+       test     = "StringEquals"
+       variable = "autoscaling:ResourceTag/kubernetes.io/cluster/${var.eks_cluster_id}"
+       values   = ["owned"]
+     }
 
-    condition {
-      test     = "StringEquals"
-      variable = "autoscaling:ResourceTag/k8s.io/cluster-autoscaler/enabled"
-      values   = ["true"]
-    }
-  }
-}
+     condition {
+       test     = "StringEquals"
+       variable = "autoscaling:ResourceTag/k8s.io/cluster-autoscaler/enabled"
+       values   = ["true"]
+     }
+   }
+ }
 
-data "aws_caller_identity" "current" {}
+ data "aws_caller_identity" "current" {}
 
-#
-# Helm - cluster-autoscaler
-#
-data "template_file" "helm_values" {
-  template = file("${path.module}/helm_values.yaml.tpl")
-  vars = {
-    awsAccountID       = data.aws_caller_identity.current.account_id
-    awsRegion          = var.aws_region
-    clusterName        = var.cluster_name
-    serviceAccountName = var.k8s_service_account_name
-  }
-}
+ module "cluster-autoscaler" {
+   source = "github.com/ManagedKube/kubernetes-ops//terraform-modules/aws/helm/helm_generic?ref=v1.0.9"
 
-module "cluster-autoscaler" {
-  source = "github.com/ManagedKube/kubernetes-ops//terraform-modules/aws/helm/helm_generic?ref=v1.0.9"
-
-  repository          = "https://kubernetes.github.io/autoscaler"
-  official_chart_name = "cluster-autoscaler"
-  user_chart_name     = "cluster-autoscaler"
-  helm_version        = var.cluster-autoscaler_helm_version
-  namespace           = "kube-system"
-  helm_values         = data.template_file.helm_values.rendered
-
-  depends_on = [
-    module.iam_assumable_role_admin
-  ]
-}
+   repository          = "https://kubernetes.github.io/autoscaler"
+   official_chart_name = "cluster-autoscaler"
+   user_chart_name     = "cluster-autoscaler"
+   helm_version        = var.cluster-autoscaler_helm_version
+   namespace           = "kube-system"
+   helm_values         = templatefile(
+                               "${path.module}/helm_values.yaml.tpl",
+                               {
+                                 awsAccountID       = data.aws_caller_identity.current.account_id
+                                 awsRegion          = var.aws_region
+                                 clusterName        = var.cluster_name
+                                 serviceAccountName = var.k8s_service_account_name
+                               }
+                             )
+   depends_on = [
+     module.iam_assumable_role_admin
+   ]
+ }
diff --git a/terraform-modules/aws/vpc/README.md b/terraform-modules/aws/vpc/README.md
@@ -10,7 +10,7 @@ No providers.
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | 3.2.0 |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | 5.0.0 |
 
 ## Resources
 
@@ -23,13 +23,21 @@ No resources.
 | <a name="input_aws_region"></a> [aws\_region](#input\_aws\_region) | n/a | `string` | `"us-east-1"` | no |
 | <a name="input_azs"></a> [azs](#input\_azs) | n/a | `list(any)` | <pre>[<br>  "us-east-1a",<br>  "us-east-1b",<br>  "us-east-1c"<br>]</pre> | no |
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | The cluster name for the Kubernetes tags on the subnets | `string` | `"none"` | no |
+| <a name="input_default_security_group_egress"></a> [default\_security\_group\_egress](#input\_default\_security\_group\_egress) | List of maps of egress rules to set on the default security group | `list(map(string))` | <pre>[<br>  {<br>    "cidr_blocks": "10.0.0.0/8",<br>    "description": "rfc1918: Private Address Space",<br>    "from_port": 0,<br>    "protocol": "-1",<br>    "self": false,<br>    "to_port": 0<br>  },<br>  {<br>    "cidr_blocks": "172.16.0.0/12",<br>    "description": "rfc1918: Private Address Space",<br>    "from_port": 0,<br>    "protocol": "-1",<br>    "self": false,<br>    "to_port": 0<br>  },<br>  {<br>    "cidr_blocks": "192.168.0.0/16",<br>    "description": "rfc1918: Private Address Space",<br>    "from_port": 0,<br>    "protocol": "-1",<br>    "self": false,<br>    "to_port": 0<br>  },<br>  {<br>    "cidr_blocks": "100.64.0.0/10",<br>    "description": "rfc6598: Private Address Space",<br>    "from_port": 0,<br>    "protocol": "-1",<br>    "self": false,<br>    "to_port": 0<br>  }<br>]</pre> | no |
+| <a name="input_default_security_group_ingress"></a> [default\_security\_group\_ingress](#input\_default\_security\_group\_ingress) | List of maps of ingress rules to set on the default security group | `list(map(string))` | <pre>[<br>  {<br>    "cidr_blocks": "10.0.0.0/8",<br>    "description": "rfc1918: Private Address Space",<br>    "from_port": 0,<br>    "protocol": "-1",<br>    "self": false,<br>    "to_port": 0<br>  },<br>  {<br>    "cidr_blocks": "172.16.0.0/12",<br>    "description": "rfc1918: Private Address Space",<br>    "from_port": 0,<br>    "protocol": "-1",<br>    "self": false,<br>    "to_port": 0<br>  },<br>  {<br>    "cidr_blocks": "192.168.0.0/16",<br>    "description": "rfc1918: Private Address Space",<br>    "from_port": 0,<br>    "protocol": "-1",<br>    "self": false,<br>    "to_port": 0<br>  },<br>  {<br>    "cidr_blocks": "100.64.0.0/10",<br>    "description": "rfc6598: Private Address Space",<br>    "from_port": 0,<br>    "protocol": "-1",<br>    "self": false,<br>    "to_port": 0<br>  }<br>]</pre> | no |
+| <a name="input_default_security_group_name"></a> [default\_security\_group\_name](#input\_default\_security\_group\_name) | Name to be used on the default security group | `string` | `"default"` | no |
+| <a name="input_default_security_group_tags"></a> [default\_security\_group\_tags](#input\_default\_security\_group\_tags) | Additional tags for the default security group | `map(any)` | `{}` | no |
 | <a name="input_enable_dns_hostnames"></a> [enable\_dns\_hostnames](#input\_enable\_dns\_hostnames) | Enable dns hostname resolution | `bool` | `true` | no |
 | <a name="input_enable_dns_support"></a> [enable\_dns\_support](#input\_enable\_dns\_support) | Enable dns support | `bool` | `true` | no |
 | <a name="input_enable_nat_gateway"></a> [enable\_nat\_gateway](#input\_enable\_nat\_gateway) | n/a | `bool` | `true` | no |
 | <a name="input_enable_vpn_gateway"></a> [enable\_vpn\_gateway](#input\_enable\_vpn\_gateway) | n/a | `bool` | `true` | no |
 | <a name="input_environment_name"></a> [environment\_name](#input\_environment\_name) | n/a | `any` | n/a | yes |
 | <a name="input_external_nat_ip_ids"></a> [external\_nat\_ip\_ids](#input\_external\_nat\_ip\_ids) | List of EIP IDs to be assigned to the NAT Gateways (used in combination with reuse\_nat\_ips) | `list(string)` | `[]` | no |
 | <a name="input_k8s_worker_subnets"></a> [k8s\_worker\_subnets](#input\_k8s\_worker\_subnets) | list of alternate secondary cidrs for kubernetes workers | `list(string)` | <pre>[<br>  "100.64.0.0/20",<br>  "100.64.16.0/20",<br>  "100.64.32.0/20"<br>]</pre> | no |
+| <a name="input_manage_default_network_acl"></a> [manage\_default\_network\_acl](#input\_manage\_default\_network\_acl) | Should be true to adopt and manage Default Network ACL | `bool` | `true` | no |
+| <a name="input_manage_default_route_table"></a> [manage\_default\_route\_table](#input\_manage\_default\_route\_table) | Should be true to manage default route table | `bool` | `true` | no |
+| <a name="input_manage_default_security_group"></a> [manage\_default\_security\_group](#input\_manage\_default\_security\_group) | Should be true to adopt and manage default security group | `bool` | `true` | no |
+| <a name="input_map_public_ip_on_launch"></a> [map\_public\_ip\_on\_launch](#input\_map\_public\_ip\_on\_launch) | Specify true to indicate that instances launched into the subnet should be assigned a public IP address. Default is `false` | `bool` | `false` | no |
 | <a name="input_private_subnets"></a> [private\_subnets](#input\_private\_subnets) | n/a | `list(any)` | <pre>[<br>  "10.0.1.0/24",<br>  "10.0.2.0/24",<br>  "10.0.3.0/24"<br>]</pre> | no |
 | <a name="input_public_subnets"></a> [public\_subnets](#input\_public\_subnets) | n/a | `list(any)` | <pre>[<br>  "10.0.101.0/24",<br>  "10.0.102.0/24",<br>  "10.0.103.0/24"<br>]</pre> | no |
 | <a name="input_reuse_nat_ips"></a> [reuse\_nat\_ips](#input\_reuse\_nat\_ips) | Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external\_nat\_ip\_ids' variable | `bool` | `false` | no |
@@ -42,7 +50,11 @@ No resources.
 | Name | Description |
 |------|-------------|
 | <a name="output_k8s_subnets"></a> [k8s\_subnets](#output\_k8s\_subnets) | A list of private k8s subnets |
+| <a name="output_private_route_table_ids"></a> [private\_route\_table\_ids](#output\_private\_route\_table\_ids) | A list of route table ids for private subnets |
 | <a name="output_private_subnets"></a> [private\_subnets](#output\_private\_subnets) | A list of private subnets |
+| <a name="output_public_route_table_ids"></a> [public\_route\_table\_ids](#output\_public\_route\_table\_ids) | A list of route table ids for public subnets |
 | <a name="output_public_subnets"></a> [public\_subnets](#output\_public\_subnets) | A list of public subnets |
 | <a name="output_vpc_cidr_block"></a> [vpc\_cidr\_block](#output\_vpc\_cidr\_block) | The CIDR block of the VPC |
 | <a name="output_vpc_id"></a> [vpc\_id](#output\_vpc\_id) | The ID of the VPC |
+| <a name="output_vpc_name"></a> [vpc\_name](#output\_vpc\_name) | name of vpc |
+| <a name="output_vpc_secondary_cidr_blocks"></a> [vpc\_secondary\_cidr\_blocks](#output\_vpc\_secondary\_cidr\_blocks) | List of secondary CIDR blocks of the VPC |
diff --git a/terraform-modules/aws/vpc/main.tf b/terraform-modules/aws/vpc/main.tf
@@ -1,6 +1,6 @@
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
-  version = "3.7.0"
+  version = "5.0.0"
 
   name = var.environment_name
   cidr = var.vpc_cidr
@@ -47,5 +47,9 @@ module "vpc" {
   default_security_group_egress   = var.default_security_group_egress
   default_security_group_ingress  = var.default_security_group_ingress
   default_security_group_tags     = var.default_security_group_tags
+
+  map_public_ip_on_launch         = var.map_public_ip_on_launch
+  manage_default_network_acl      = var.manage_default_network_acl
+  manage_default_route_table      = var.manage_default_route_table
 
 }
diff --git a/terraform-modules/aws/vpc/variables.tf b/terraform-modules/aws/vpc/variables.tf
@@ -172,3 +172,20 @@ variable "default_security_group_tags" {
   default = {}
 }
 
+variable "map_public_ip_on_launch" {
+  description = "Specify true to indicate that instances launched into the subnet should be assigned a public IP address. Default is `false`"
+  type        = bool
+  default     = false
+}
+
+variable "manage_default_network_acl" {
+  description = "Should be true to adopt and manage Default Network ACL"
+  type        = bool
+  default     = true
+}
+
+variable "manage_default_route_table" {
+  description = "Should be true to manage default route table"
+  type        = bool
+  default     = true
+}