Merge branch 'main' into add_monitor_fsxn_with_arvest

Author: kcantrel

EKS/FSxN-as-PVC-for-EKS/README.md

@@ -76,14 +76,14 @@ Run the following commands to clone the repo and change into the directory where
 terraform files are located:
 ```bash
 git clone https://github.com/NetApp/FSx-ONTAP-samples-scripts.git
-cd FSx-ONTAP-samples-scripts/Solutions/FSxN-as-PVC-for-EKS/terraform
+cd FSx-ONTAP-samples-scripts/EKS/FSxN-as-PVC-for-EKS/terraform
 ```
 ### Make any desired changes to the variables.tf file.
 Variables that can be changed include:
 - aws_region - The AWS region where you want to deploy the resources.
 - aws_secrets_region - The region where the fsx password secret will be created.
 - fsx_name - The name you want applied to the FSx for NetApp ONTAP File System. Must not already exist.
-- fsx_password_secret_name - A base name of the AWS SecretsManager secret that will hold the FSxN password.
+- secret_name_prefix - The base name of the AWS SecretsManager secrets that will be created that will hold the FSxN adminstrator, and SVM, passwords.
 A random string will be appended to this name to ensure uniqueness.
 - fsx_storage_capacity - The storage capacity of the FSx for NetApp ONTAP File System.
 Read the "description" of the variable to see the valid range.
@@ -109,32 +109,23 @@ the following is an example of last part of the output of a successful deploymen
 ```bash
 Outputs:
 
-eks-cluster-name = "fsx-eks-DB0H69vL"
-eks-jump-server = "Instance ID: i-0e99a61431a39d327, Public IP: 54.244.16.198"
-fsx-id = "fs-0887a493cXXXXXXXX"
-fsx-management-ip = "198.19.255.174"
-fsx-password-secret-arn = "arn:aws:secretsmanager:us-west-2:759995400000:secret:fsx-eks-secret-3b8bde97-Fst5rj"
-fsx-password-secret-name = "fsx-eks-secret-3b8bde97"
+Outputs:
+
+eks-cluster-name = "eksfs-eks-lutuycvJ"
+eks-jump-server = "Instance ID: i-00de97f46e3c9a617, Public IP: 54.213.93.236"
+fsx-id = "fs-04f1b48f8da639a7f"
+fsx-management-ip = "198.19.255.245"
+fsx-password-secret-arn = "arn:aws:secretsmanager:us-west-2:759995470648:secret:keith-eksfs-fsxn-55fd4eb7-4Oy2ab"
+fsx-password-secret-name = "eksfs-fsxn-55fd4eb7"
 fsx-svm-name = "ekssvm"
 region = "us-west-2"
-vpc-id = "vpc-03ed6b1867d76e1a9"
+svm-password-secret-arn = "arn:aws:secretsmanager:us-west-2:759995470648:secret:keith-eksfs-svm-6ad11609-nApoUp"
+svm-password-secret-name = "eksfs-svm-6ad11609"
+vpc-id = "vpc-0791cc0566462082b"
 ```
 :bulb: **Tip:** You will use the values in the commands below, so probably a good idea to copy the output somewhere
 so you can easily reference it later.
 
-> [!IMPORTANT]
-> Note that an FSxN File System was created, with a vserver (a.k.a. SVM). The default username
-> for the FSxN File System is 'fsxadmin'. And the default username for the vserver is 'vsadmin'. The
-> password for both of these users is the same and is what is stored in the AWS SecretsManager secret
-> shown above. Since Terraform was used to create the secret, the password is stored in
-> plain text in its "state" database and therefore it is **HIGHLY** recommended that you change
-> the password to something else by first changing the passwords via the AWS Management Console and
-> then updating the password in the AWS SecretsManager secret. You can update the 'username' key in
-> the secret if you want, but it must be a vserver admin user, not a system level user. This secret
-> is used by Astra Trident and it will always login via the vserver management LIF and therefore it
-> must be a vserver admin user. If you want to create a separate secret for the 'fsxadmin' user,
-> feel free to do so.
-
 ### SSH to the jump server to complete the setup
 Use the following command to 'ssh' to the jump server:
 ```bash
@@ -164,7 +155,7 @@ Note that if you are using an SSO to authenticate with AWS, then the actual user
 you need to add is slightly different than what is output from the above command.
 The following command will take the output from the above command and format it correctly:
 
-:warning: **Warning:** Only run this command if you are using an SSO to authenticate with aws.
+:warning: **Caution:** Only run this command if you are using an SSO to authenticate with aws.
 ```bash
 user_ARN=$(aws sts get-caller-identity | jq -r '.Arn' | awk -F: '{split($6, parts, "/"); printf "arn:aws:iam::%s:role/aws-reserved/sso.amazonaws.com/%s\n", $5, parts[2]}')
 echo $user_ARN
@@ -246,12 +237,12 @@ other files you'll need to complete the setup.
 After making the following substitutions in the commands below:
 - \<fsx-id> with the FSxN ID.
 - \<fsx-svm-name> with the name of the SVM that was created.
-- \<secret-arn> with the ARN of the AWS SecretsManager secret that holds the FSxN password.
+- \<secret-arn> with the ARN of the AWS SecretsManager secret that holds the SVM password (not the FSxN password).
 
 Run them to configure Trident to use the FSxN file system that was
 created earlier using the `terraform --apply` command:
 ```
-cd ~/FSx-ONTAP-samples-scripts/Solutions/FSxN-as-PVC-for-EKS
+cd ~/FSx-ONTAP-samples-scripts/EKS/FSxN-as-PVC-for-EKS
 mkdir temp
 export FSX_ID=<fsx-id>
 export FSX_SVM_NAME=<fsx-svm-name>
@@ -281,7 +272,7 @@ kubectl get tridentbackendconfig -n trident --output=json | jq '.items[] | .stat
 ```
 Once you have resolved any issues, you can remove the failed backend by running:
 
-:warning: **Warning:** Only run this command if the backend is in a failed state and you are ready to get rid of it.
+:warning: **Caution:** Only run this command if the backend is in a failed state and you are ready to get rid of it.
 ```bash
 kubectl delete -n trident -f temp/backend-tbc-ontap-nas.yaml
 ```
@@ -336,7 +327,7 @@ You will want to login as the 'fsxadmin' user, using the password stored in the
 You can find the IP address of the FSxN file system in the output from the `terraform apply` command, or
 from the AWS console. Here is an example of logging in and listing all the volumes on the system:
 ```bash
-ubuntu@ip-10-0-4-125:~/FSx-ONTAP-samples-scripts/Solutions/FSxN-as-PVC-for-EKS$ ssh -l fsxadmin 198.19.255.174
+ubuntu@ip-10-0-4-125:~/FSx-ONTAP-samples-scripts/EKS/FSxN-as-PVC-for-EKS$ ssh -l fsxadmin 198.19.255.174
 ([email protected]) Password:
 
 FsxId0887a493c777c5122::> volume show

EKS/FSxN-as-PVC-for-EKS/terraform/eks-cluster.tf

@@ -81,7 +81,7 @@ resource "aws_iam_policy" "trident_policy" {
         {
             "Action": "secretsmanager:GetSecretValue",
             "Effect": "Allow",
-            "Resource": aws_secretsmanager_secret_version.fsx_secret_password.arn
+            "Resource": module.svm_rotate_secret.secret_arn
         }
     ],
   })
@@ -122,11 +122,3 @@ data "cloudinit_config" "cloudinit" {
     content      = file("scripts/iscsi.sh")
   }
 }
-
-data "aws_eks_cluster" "eks" {
-  name = module.eks.cluster_name
-}
-
-data "aws_eks_cluster_auth" "eks" {
-  name = module.eks.cluster_name
-}

EKS/FSxN-as-PVC-for-EKS/terraform/fsx.tf

@@ -1,53 +1,40 @@
 #
-# Generate a random password for FSx
-resource "random_string" "fsx_password" {
-  length           = 8
-  min_lower        = 1
-  min_numeric      = 1
-  min_special      = 0
-  min_upper        = 1
-  numeric          = true
-  special          = true
-  override_special = "@$%^&*()_+="
-}
-
-provider "aws" {
-  alias = "secrets_provider"
-  region = var.aws_secrets_region
-}
-#
-# Store the password in AWS Secrets Manager
-resource "aws_secretsmanager_secret" "fsx_secret_password" {
-  provider = aws.secrets_provider
-  name = "${var.fsx_password_secret_name}-${random_id.id.hex}"
-}
-resource "aws_secretsmanager_secret_version" "fsx_secret_password" {
-  provider = aws.secrets_provider
-  secret_id = aws_secretsmanager_secret.fsx_secret_password.id
-  secret_string =  jsonencode({username = "vsadmin", password = random_string.fsx_password.result})
+# Instantiate an AWS secret for the FSx ONTAP file system. It will set the initial password for the file system.
+module "fsxn_rotate_secret" {
+    source = "github.com/Netapp/FSx-ONTAP-samples-scripts/Management-Utilities/fsxn-rotate-secret/terraform"
+    fsx_region = var.aws_region
+    secret_region = var.aws_secrets_region
+    aws_account_id = var.aws_account_id
+    secret_name_prefix = var.secret_name_prefix
+    fsx_id = aws_fsx_ontap_file_system.eksfs.id
 }
 #
-# Note that this allows traffic from both the private and public subnets. However
-# the security groups only allow traffic from the public subnet over port 22 when
-# the source has the jump server SG assigned to it. So, basically, it only allows traffic
-# from the jump server from the public subnet.
+# Create a FSxN file system.
 resource "aws_fsx_ontap_file_system" "eksfs" {
   storage_capacity    = var.fsxn_storage_capacity
   subnet_ids          = module.vpc.private_subnets
   deployment_type     = "MULTI_AZ_1"
   throughput_capacity = var.fsxn_throughput_capacity
   preferred_subnet_id = module.vpc.private_subnets[0]
   security_group_ids  = [aws_security_group.fsx_sg.id]
-  fsx_admin_password = random_string.fsx_password.result
-  route_table_ids    = concat(module.vpc.private_route_table_ids, module.vpc.public_route_table_ids)
+  route_table_ids     = concat(module.vpc.private_route_table_ids, module.vpc.public_route_table_ids)
   tags = {
     Name = var.fsx_name
   }
 }
 #
+# Instantiate an AWS secret for the storage virtual machine. It will set the initial password for the SVM.
+module "svm_rotate_secret" {
+    source = "github.com/Netapp/FSx-ONTAP-samples-scripts/Management-Utilities/fsxn-rotate-secret/terraform"
+    fsx_region = var.aws_region
+    secret_region = var.aws_secrets_region
+    aws_account_id = var.aws_account_id
+    secret_name_prefix = var.secret_name_prefix
+    svm_id = aws_fsx_ontap_storage_virtual_machine.ekssvm.id
+}
+#
 # Create a vserver and assign the 'vsadmin' the same password as fsxadmin.
 resource "aws_fsx_ontap_storage_virtual_machine" "ekssvm" {
   file_system_id = aws_fsx_ontap_file_system.eksfs.id
   name           = "ekssvm"
-  svm_admin_password = random_string.fsx_password.result
 }

EKS/FSxN-as-PVC-for-EKS/terraform/outputs.tf

@@ -1,14 +1,21 @@
 output "region" {
-  description = "AWS region"
   value       = var.aws_region
 }
 
 output "fsx-password-secret-name" {
-   value = aws_secretsmanager_secret.fsx_secret_password.name
+   value = module.fsxn_rotate_secret.secret_name
 }
 
 output "fsx-password-secret-arn" {
-  value = aws_secretsmanager_secret_version.fsx_secret_password.arn
+  value = module.fsxn_rotate_secret.secret_arn
+}
+
+output "svm-password-secret-name" {
+  value = module.svm_rotate_secret.secret_name
+}
+
+output "svm-password-secret-arn" {
+  value = module.svm_rotate_secret.secret_arn
 }
 
 output "fsx-svm-name" {
@@ -24,7 +31,7 @@ output "fsx-management-ip" {
 }
 
 output "eks-cluster-name" {
-  value = data.aws_eks_cluster.eks.id
+  value = module.eks.cluster_name
 }
 
 output "vpc-id" {

EKS/FSxN-as-PVC-for-EKS/terraform/variables.tf

@@ -1,35 +1,42 @@
 variable "aws_region" {
-  default = "us-west-2"
-  description = "aws region where you want the resources deployed."
+  description = "The AWS region where you want the resources deployed."
+  type        = string
 }
 
 variable "aws_secrets_region" {
-  default     = "us-west-2"
-  description = "The region where you want the FSxN secret stored within AWS Secrets Manager."
+  description = "The AWS region where you want the FSxN and SVM secrets stored within AWS Secrets Manager."
+  type        = string
+}
+
+variable "aws_account_id" {
+  description = "The AWS account ID. Used to create very specific permissions in the IAM role for the EKS cluster."
+  type       = string
 }
 
 variable "fsx_name" {
-  default     = "eksfs"
   description = "The name you want assigned to the FSxN file system."
+  default     = "eksfs"
 }
 
-variable "fsx_password_secret_name" {
+variable "secret_name_prefix" {
+  description = "The base name of the secrets (FSxN and SVM) to create within the AWS Secrets Manager. A random string will be appended to the end of the secreate name to ensure no name conflict."
   default     = "fsx-eks-secret"
-  description = "The base name of the secret to create within the AWS Secrets Manager that will contain the FSxN password. A random string will be appended to the end of the secreate name to ensure no name conflict."
 }
 
 variable "fsxn_storage_capacity" {
-  default = 1024
   description = "The storage capacity, in GiBs, to be allocated to the FSxN clsuter. Must be at least 1024, and less than 196608."
+  type        = number
+  default     = 1024
   validation {
     condition = var.fsxn_storage_capacity >= 1024 && var.fsxn_storage_capacity < 196608
     error_message = "The storage capacity must be at least 1024, and less than 196608."
   }
 }
 
 variable "fsxn_throughput_capacity" {
-  default = 128
   description = "The throughput capacity to be allocated to the FSxN cluster. Must be 128, 256, 512, 1024, 2048, 4096."
+  type        = string   # Set to a string so it can be used in a "contains()" function.
+  default     = 128
   validation {
     condition = contains([128, 256, 512, 1024, 2048, 4096], var.fsxn_throughput_capacity)
     error_message = "The throughput capacity must be 128, 256, 512, 1024, 2048, or 4096."
@@ -38,34 +45,38 @@ variable "fsxn_throughput_capacity" {
 #
 # Keep in mind that key pairs are regional, so pick one that is in the region specified above.
 variable "key_pair_name" {
-  default = "MUST REPLACE WITH YOUR KEY PAIR NAME"
   description = "The key pair to associate with the jump server."
+  default     = "MUST REPLACE WITH YOUR KEY PAIR NAME"
+  type        = string
   validation {
     condition = var.key_pair_name != "MUST REPLACE WITH YOUR KEY PAIR NAME"
     error_message = "You must specify a key pair name."
   }
 }
 
 variable "secure_ips" {
-  default = ["0.0.0.0/0"]
   description = "List of CIDRs that are allowed to ssh into the jump server."
+  default = ["0.0.0.0/0"]
 }
 
 ################################################################################
 # Don't change any variables below this line.
 ################################################################################
 
 variable "trident_version" {
-  default     = "v24.2.0-eksbuild.1"
   description = "The version of Astra Trident to 'add-on' to the EKS cluster."
+  default     = "v24.2.0-eksbuild.1"
+  type        = string
 }
 
 variable "kubernetes_version" {
-  default     = 1.29
   description = "kubernetes version"
+  default     = 1.29
+  type        = string
 }
 
 variable "vpc_cidr" {
-  default     = "10.0.0.0/16"
   description = "default CIDR range of the VPC"
+  default     = "10.0.0.0/16"
+  type        = string
 }