#
# Include modules only installed on AWS here.
#
# Keycloak identity provider, created only when var.keycloak_enabled is true.
# The count guard keeps the module out of the graph entirely otherwise.
module "keycloak" {
  source = "./modules/aws/keycloak"
  count  = var.keycloak_enabled == true ? 1 : 0

  # Keycloak is installed into the cluster and on top of the IPA
  # prerequisites chart, so both must exist first.
  depends_on = [
    module.cluster,
    helm_release.ipa-pre-requisites
  ]

  local_dns_name = local.dns_name
}
# Kubernetes dashboard wired to the Keycloak OIDC client. It is created only
# when both the dashboard and Keycloak are enabled, which is what makes the
# module.keycloak[0] references below safe: the count is 0 whenever the
# Keycloak module is absent.
# NOTE(review): the original comment here read "Azure doesn't support
# arbitrary OIDC, so we can use keycloak on Azure" — presumably "cannot",
# given this file holds AWS-only modules; confirm with the author.
module "k8s_dashboard" {
  source = "./modules/aws/k8s_dashboard"
  count  = var.enable_k8s_dashboard == true && var.keycloak_enabled ? 1 : 0

  local_dns_name = local.dns_name
  ipa_repo       = var.ipa_repo
  image_registry = var.image_registry

  # OIDC client credentials issued by the Keycloak module. client_secret is
  # a secret; the dashboard module should treat its input as sensitive.
  keycloak_client_id     = module.keycloak[0].client_id
  keycloak_client_secret = module.keycloak[0].client_secret

  # Static TLS certificate settings passed through from the root variables.
  use_static_ssl_certificates = var.use_static_ssl_certificates
  ssl_static_secret_name      = var.ssl_static_secret_name
}
# Look up the regional "guardduty-data" interface endpoint service so the VPC
# endpoint below can reference its canonical service_name rather than a
# hand-built string.
data "aws_vpc_endpoint_service" "guardduty" {
  filter {
    name   = "service-name"
    values = ["com.amazonaws.${var.region}.guardduty-data"]
  }

  service_type = "Interface"
}
# Interface endpoint for the guardduty-data service, presumably so the
# GuardDuty EKS agent (see aws_eks_addon.guardduty) can report without
# leaving the VPC. Created only when var.create_guardduty_vpc_endpoint is set.
resource "aws_vpc_endpoint" "eks_vpc_guardduty" {
  count = var.create_guardduty_vpc_endpoint ? 1 : 0

  vpc_id            = local.network[0].indico_vpc_id
  subnet_ids        = local.network[0].private_subnet_ids
  service_name      = data.aws_vpc_endpoint_service.guardduty.service_name
  vpc_endpoint_type = "Interface"

  # With private DNS enabled the service hostname resolves to the endpoint
  # ENIs inside the VPC, so clients need no endpoint-specific configuration.
  private_dns_enabled = true

  # Endpoint policy limits use to principals of this account
  # (data.aws_iam_policy_document.eks_vpc_guardduty); the security group
  # controls which network sources may reach the ENIs.
  policy             = data.aws_iam_policy_document.eks_vpc_guardduty.json
  security_group_ids = [aws_security_group.eks_vpc_endpoint_guardduty[0].id]
}
# Security group attached to the GuardDuty interface endpoint ENIs; it only
# has to admit HTTPS from clients inside the VPC.
# NOTE(review): the 443 ingress is open to 0.0.0.0/0. Interface-endpoint ENIs
# carry private VPC addresses, so in practice this is reachable only from the
# VPC and networks attached or peered to it, but least privilege would scope
# cidr_blocks to the VPC or private-subnet CIDR. No CIDR value is available
# in this file, so the rule is left unchanged here.
resource "aws_security_group" "eks_vpc_endpoint_guardduty" {
  count = var.create_guardduty_vpc_endpoint ? 1 : 0

  vpc_id      = local.network[0].indico_vpc_id
  name_prefix = "${var.label}-vpc-endpoint-guardduty-sg-"
  description = "Security Group used by VPC Endpoints."

  ingress {
    protocol    = "tcp"
    from_port   = 443
    to_port     = 443
    cidr_blocks = ["0.0.0.0/0"]
  }

  # No egress block is declared (as in the original definition); the
  # endpoint ENIs only answer inbound requests.

  # "GuardDutyManaged" = "false" presumably marks this SG as customer-managed
  # so GuardDuty's automated agent management leaves it alone — confirm.
  tags = {
    "Name"             = "${var.label}-vpc-endpoint-guardduty-sg-"
    "GuardDutyManaged" = "false"
  }

  # name_prefix yields a fresh name on replacement, which is what lets the
  # new group be created before the old one is detached from the endpoint.
  lifecycle {
    create_before_destroy = true
  }
}
# Endpoint policy for the GuardDuty interface endpoint: a blanket allow,
# followed by an explicit deny for any caller whose account is not the
# deploying account. Statement order is preserved in the rendered JSON.
data "aws_iam_policy_document" "eks_vpc_guardduty" {
  # Baseline: any principal may perform any action through the endpoint.
  statement {
    effect    = "Allow"
    actions   = ["*"]
    resources = ["*"]

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
  }

  # An explicit deny overrides the allow above, so principals from other
  # accounts cannot use this endpoint even though the first statement
  # matches them.
  statement {
    effect    = "Deny"
    actions   = ["*"]
    resources = ["*"]

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }

    condition {
      test     = "StringNotEquals"
      variable = "aws:PrincipalAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}
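# Installs the GuardDuty agent as an EKS managed add-on. The add-on exists
# only when var.eks_addon_version_guardduty is set, and that same variable
# selects the version installed: previously the variable only gated the
# resource while addon_version stayed pinned to "v1.7.1-eksbuild.1", so
# changing the variable had no effect on what was deployed.
resource "aws_eks_addon" "guardduty" {
  count = var.eks_addon_version_guardduty != null ? 1 : 0

  # Registering the add-on needs the cluster to exist; the time_sleep
  # presumably gives the control plane a minute to settle first.
  depends_on = [
    module.cluster,
    time_sleep.wait_1_minutes_after_cluster
  ]

  # NOTE(review): cluster_name is var.label; assumed to match the name the
  # cluster module creates — confirm.
  cluster_name  = var.label
  addon_name    = "aws-guardduty-agent"
  addon_version = var.eks_addon_version_guardduty

  # NOTE(review): resolve_conflicts appears to be deprecated in AWS provider
  # 5.x in favour of resolve_conflicts_on_create / resolve_conflicts_on_update;
  # switch once the provider constraint allows it.
  resolve_conflicts = "OVERWRITE"

  # Keep the agent running in the cluster if this resource is destroyed.
  preserve = true

  tags = {
    "eks_addon" = "guardduty"
  }
}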