Merge pull request #6 from OneideLuizSchneider/v1.31

EKS 1.31
OneideLuizSchneider · Nov 9, 2024 · 3b57dfe · 3b57dfe
2 parents a8e44be + bb165c6
commit 3b57dfe
Show file tree

Hide file tree

Showing 14 changed files with 88 additions and 123 deletions.
diff --git a/.github/workflows/terraform-plan.yml b/.github/workflows/terraform-plan.yml
diff --git a/.github/workflows/validate-terraform.yml b/.github/workflows/validate-terraform.yml
@@ -0,0 +1,32 @@
+name: CI
+
+on:
+  pull_request:
+    types: [ opened, synchronize, reopened ]
+
+jobs:
+  terraform:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: 1.1.7
+
+      - name: Terraform Fmt
+        id: fmt
+        run: cd terraform && terraform fmt -check -diff
+        continue-on-error: false
+
+      - name: Terraform Init
+        id: init
+        run: cd terraform && terraform init
+        continue-on-error: false
+
+      - name: Terraform Validate
+        id: validate
+        run: cd terraform && terraform validate -no-color
+        continue-on-error: false
diff --git a/.gitignore b/.gitignore
@@ -1,9 +1,10 @@
 # Local .terraform directories
-**/.terraform/*
+.terraform
 
 # .tfstate files
 *.tfstate
 *.tfstate.*
+.terraform.lock.hcl
 
 # Crash log files
 crash.log

diff --git a/README.md b/README.md
@@ -46,6 +46,9 @@
   - Documentation: <https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html>
 
 \
+\
+***Obs***: This is a widely open cluster, for Production env. the Cluster should be fully Private running under private subnets.
+
 \
 AWS Official Documentation: <https://docs.aws.amazon.com/eks/index.html>
 \

diff --git a/files/eks-console-full-access.yaml b/files/eks-console-full-access.yaml
@@ -41,4 +41,4 @@ subjects:
 roleRef:
   kind: ClusterRole
   name: eks-console-dashboard-full-access-clusterrole
-  apiGroup: rbac.authorization.k8s.io
+  apiGroup: rbac.authorization.k8s.io
diff --git a/files/eks-console-restricted-access.yaml b/files/eks-console-restricted-access.yaml
@@ -68,4 +68,4 @@ subjects:
 roleRef:
   kind: Role
   name: eks-console-dashboard-restricted-access-role
-  apiGroup: rbac.authorization.k8s.io
+  apiGroup: rbac.authorization.k8s.io
diff --git a/files/kubeconfig-template.yml b/files/kubeconfig-template.yml
diff --git a/terraform/eks-cluster.tf b/terraform/eks-cluster.tf
@@ -1,7 +1,7 @@
 resource "aws_eks_cluster" "eks" {
-  name            = "${var.eks_cluster_name}-${var.env}"
-  version         = local.eks_version
-  role_arn        = aws_iam_role.eks.arn
+  name     = "${var.eks_cluster_name}-${var.env}"
+  version  = local.eks_version
+  role_arn = aws_iam_role.eks.arn
 
   vpc_config {
     security_group_ids      = [aws_security_group.eks_cluster.id]

diff --git a/terraform/iam-roles-node-groups.tf b/terraform/iam-roles-node-groups.tf
@@ -47,16 +47,19 @@ resource "aws_iam_role_policy" "node-group-ClusterAutoscalerPolicy" {
     Statement = [
       {
         Action = [
-            "autoscaling:DescribeAutoScalingGroups",
-            "autoscaling:DescribeAutoScalingInstances",
-            "autoscaling:DescribeLaunchConfigurations",
-            "autoscaling:DescribeTags",
-            "autoscaling:SetDesiredCapacity",
-            "autoscaling:TerminateInstanceInAutoScalingGroup"
+          "autoscaling:DescribeAutoScalingGroups",
+          "autoscaling:DescribeAutoScalingInstances",
+          "autoscaling:DescribeLaunchConfigurations",
+          "autoscaling:DescribeTags",
+          "autoscaling:SetDesiredCapacity",
+          "autoscaling:TerminateInstanceInAutoScalingGroup",
+          "autoscaling:DescribeScalingActivities",
+          "ec2:DescribeLaunchTemplateVersions",
+          "eks:DescribeNodegroup"
         ]
         Effect   = "Allow"
         Resource = "*"
       },
     ]
   })
-}
+}
diff --git a/terraform/node-group-sg.tf b/terraform/node-group-sg.tf
@@ -4,10 +4,10 @@ resource "aws_security_group" "eks_nodes" {
   vpc_id      = local.vpc_id
 
   ingress {
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    self        = true
+    from_port = 0
+    to_port   = 0
+    protocol  = "-1"
+    self      = true
   }
 
   ingress {

diff --git a/terraform/node-group.tf b/terraform/node-group.tf
@@ -4,7 +4,7 @@ resource "aws_eks_node_group" "private" {
   node_role_arn   = aws_iam_role.node-group.arn
   subnet_ids      = local.subnets
 
-  labels          = {
+  labels = {
     "type" = "private"
   }
 
@@ -21,7 +21,8 @@ resource "aws_eks_node_group" "private" {
     aws_iam_role_policy_attachment.node-group-AmazonEKS_CNI_Policy,
     aws_iam_role_policy_attachment.node-group-AmazonEC2ContainerRegistryReadOnly,
     aws_iam_role_policy_attachment.node-group-AmazonSSMManagedInstanceCore,
-    aws_iam_role_policy_attachment.node-group-CloudWatchAgentServerPolicy
+    aws_iam_role_policy_attachment.node-group-CloudWatchAgentServerPolicy,
+    aws_iam_role_policy.node-group-ClusterAutoscalerPolicy
   ]
 
   tags = {

diff --git a/terraform/output.tf b/terraform/output.tf
@@ -1,7 +1,7 @@
 output "eks-endpoint" {
-    value = aws_eks_cluster.eks.endpoint
+  value = aws_eks_cluster.eks.endpoint
 }
 
 output "kubeconfig-certificate-authority-data" {
-    value = aws_eks_cluster.eks.certificate_authority[0].data
+  value = aws_eks_cluster.eks.certificate_authority[0].data
 }
diff --git a/terraform/provider.tf b/terraform/provider.tf
@@ -1,14 +1,16 @@
 terraform {
+  required_version = ">= 1.1.7"
+
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 5.3"
+      version = "~> 5.73"
     }
   }
 }
 
 provider "aws" {
-  region  = local.region
+  region     = local.region
   access_key = local.access_key
   secret_key = local.secret_key
 

diff --git a/terraform/variables.tf b/terraform/variables.tf
@@ -1,32 +1,37 @@
 variable "env" {
-  type = string
+  type    = string
   default = "staging"
 }
 
 variable "cluster_version" {
-  type = string
-  default = "v3"
+  type    = string
+  default = "v31"
 }
 
 variable "eks_cluster_name" {
-  type = string
+  type    = string
   default = "cluster-name"
 }
 
-locals{
-    access_key = "..."
-    secret_key = "..."
-    region = "..."
+variable "eks_cluster_version" {
+  type    = string
+  default = "1.31"
+}
+
+locals {
+  access_key = "..."
+  secret_key = "..."
+  region     = "..."
 
-    vpc_id = "..."
-    subnets = ["..."]
-    internal_ip_range = "0.0.0.0/0"
+  vpc_id            = "..."
+  subnets           = ["..."]
+  internal_ip_range = "0.0.0.0/0"
 
-    eks_version = "1.27"
-    cluster_name = "${var.eks_cluster_name}-${var.env}-${var.cluster_version}"     
-    cluster_enabled_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
-    asg_desired_capacity = 1
-    asg_max_size = 2
-    asg_min_size = 1
-    instance_type = ["..."]
+  eks_version               = var.eks_cluster_version
+  cluster_name              = "${var.eks_cluster_name}-${var.env}-${var.cluster_version}"
+  cluster_enabled_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
+  asg_desired_capacity      = 1
+  asg_max_size              = 2
+  asg_min_size              = 1
+  instance_type             = ["..."]
 }
-Original file line number
+Diff line change
@@ Expand Up / @@ -46,6 +46,9 @@ @@
       - Documentation: <https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html>
     \
+    \
+    ***Obs***: This is a widely open cluster, for Production env. the Cluster should be fully Private running under private subnets.
     \
     AWS Official Documentation: <https://docs.aws.amazon.com/eks/index.html>
     \
@@ Expand Down @@