Update EKS AMIs

The AMIs we're currently using for our node groups will soon be
unsupported, so this commit updates them to the new standard version,
along with updating the EKS module itself to enable that.

Author: liam-lloyd

archivematica/prod_cluster/archivematica_deployment.tf

@@ -88,7 +88,7 @@ resource "kubernetes_deployment" "archivematica_prod" {
             value = "archivematica.permanent.org"
           }
           env {
-            name  = "DJANGO_SECRET_KEY"
+            name = "DJANGO_SECRET_KEY"
             value_from {
               secret_key_ref {
                 name     = "prod-archivematica-secrets"
@@ -243,7 +243,7 @@ resource "kubernetes_deployment" "archivematica_prod" {
           image = local.desired_images["archivematica-mcp-server-prod"]
           name  = "archivematica-mcp-server-prod"
           env {
-            name  = "DJANGO_SECRET_KEY"
+            name = "DJANGO_SECRET_KEY"
             value_from {
               secret_key_ref {
                 name     = "prod-archivematica-secrets"
@@ -364,7 +364,7 @@ resource "kubernetes_deployment" "archivematica_prod" {
           }
         }
         init_container {
-          image   = local.desired_images["archivematica-storage-service-prod"]
+          image = local.desired_images["archivematica-storage-service-prod"]
           name  = "archivematica-storage-service-create-user"
           env {
             name  = "DJANGO_SETTINGS_MODULE"

archivematica/prod_cluster/eks-cluster.tf

@@ -1,46 +1,31 @@
 module "eks" {
   source  = "terraform-aws-modules/eks/aws"
-  version = "19.0.4"
-
-  cluster_name    = local.cluster_name
-  cluster_version = "1.32"
-
-  vpc_id                         = var.vpc_id
-  subnet_ids                     = var.subnet_ids
-  cluster_endpoint_public_access = true
-  cluster_security_group_id      = var.security_group_id
-  aws_auth_users = [
-    {
-      userarn  = "arn:aws:iam::364159549467:user/liam"
-      username = "liam"
-      groups   = ["system:masters"]
+  version = "21.2.0"
+
+  name               = local.cluster_name
+  kubernetes_version = "1.32"
+
+  vpc_id                 = var.vpc_id
+  subnet_ids             = var.subnet_ids
+  endpoint_public_access = true
+  security_group_id      = var.security_group_id
+  access_entries = {
+    liam = {
+      principal_arn     = "arn:aws:iam::364159549467:user/liam"
+      user_name         = "liam"
+      kubernetes_groups = ["eks-admins"]
     },
-    {
-      userarn  = "arn:aws:iam::364159549467:user/cecilia"
-      username = "cecilia"
-      groups   = ["system:masters"]
-    }
-  ]
-
-  eks_managed_node_group_defaults = {
-    ami_type = "AL2_x86_64"
-
-    block_device_mappings = {
-      xvda = {
-        device_name = "/dev/xvda"
-        ebs = {
-          volume_size           = 32
-          volume_type           = "gp2"
-          delete_on_termination = true
-          encrypted             = true
-        }
-      }
+    cecilia = {
+      principal_arn     = "arn:aws:iam::364159549467:user/cecilia"
+      user_name         = "cecilia"
+      kubernetes_groups = ["eks-admins"]
     }
   }
 
   eks_managed_node_groups = {
     one = {
-      name = "node-group-1"
+      name     = "node-group-1"
+      ami_type = "AL2023_x86_64_STANDARD"
 
       vpc_security_group_ids = [var.security_group_id]
 
@@ -49,6 +34,35 @@ module "eks" {
       min_size     = 3
       max_size     = 3
       desired_size = 3
+      block_device_mappings = {
+        xvda = {
+          device_name = "/dev/xvda"
+          ebs = {
+            volume_size           = 32
+            volume_type           = "gp2"
+            delete_on_termination = true
+            encrypted             = true
+          }
+        }
+      }
     }
   }
 }
+
+resource "kubernetes_cluster_role_binding" "eks_admins_cluster_admin" {
+  metadata {
+    name = "eks-admins-cluster-admin"
+  }
+
+  role_ref {
+    api_group = "rbac.authorization.k8s.io"
+    kind      = "ClusterRole"
+    name      = "cluster-admin"
+  }
+
+  subject {
+    kind      = "Group"
+    name      = "eks-admins"
+    api_group = "rbac.authorization.k8s.io"
+  }
+}

archivematica/prod_cluster/load_balancer.tf

@@ -1,5 +1,5 @@
 module "lb_role" {
-  source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
   version = "5.60.0"
 
   role_name                              = "prod_archivematica_lb"

archivematica/prod_cluster/locals.tf

@@ -1,6 +1,6 @@
 locals {
   current_archivematica_prod_deploy = data.kubernetes_resource.archivematica_prod.object
-  current_mcp_client_prod_deploy = data.kubernetes_resource.mcp_client_prod.object
+  current_mcp_client_prod_deploy    = data.kubernetes_resource.mcp_client_prod.object
 
   current_containers = concat(
     try(local.current_archivematica_prod_deploy.spec.template.spec.containers),

archivematica/prod_cluster/terraform.tf

@@ -10,7 +10,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 4.46.0"
+      version = "~> 6.14.1"
     }
 
     random = {
@@ -39,5 +39,5 @@ terraform {
     }
   }
 
-  required_version = "~> 1.3"
+  required_version = "~> 1.5"
 }

archivematica/prod_cluster/variables.tf

@@ -74,6 +74,6 @@ variable "whitelisted_cidrs" {
 
 variable "image_overrides" {
   description = "A map of docker images to be updated"
-  type = map(string)
-  default = {}
+  type        = map(string)
+  default     = {}
 }

archivematica/test_cluster/eks-cluster.tf

@@ -1,46 +1,49 @@
 module "eks" {
   source  = "terraform-aws-modules/eks/aws"
-  version = "19.0.4"
+  version = "21.2.0"
 
-  cluster_name    = local.cluster_name
-  cluster_version = "1.32"
+  name    = local.cluster_name
+  kubernetes_version = "1.32"
 
   vpc_id                         = var.vpc_id
   subnet_ids                     = var.subnet_ids
-  cluster_endpoint_public_access = true
-  cluster_security_group_id      = var.dev_security_group_id
-  aws_auth_users = [
-    {
-      userarn  = "arn:aws:iam::364159549467:user/liam"
-      username = "liam"
-      groups   = ["system:masters"]
+  endpoint_public_access = true
+  security_group_id      = var.dev_security_group_id
+  access_entries = {
+    liam = {
+      principal_arn     = "arn:aws:iam::364159549467:user/liam"
+      user_name         = "liam"
+      kubernetes_groups = ["eks-admins"]
     },
-    {
-      userarn  = "arn:aws:iam::364159549467:user/cecilia"
-      username = "cecilia"
-      groups   = ["system:masters"]
+    cecilia = {
+      principal_arn     = "arn:aws:iam::364159549467:user/cecilia"
+      user_name         = "cecilia"
+      kubernetes_groups = ["eks-admins"]
     }
-  ]
-
-  eks_managed_node_group_defaults = {
-    ami_type = "AL2_x86_64"
-
-    block_device_mappings = {
-      xvda = {
-        device_name = "/dev/xvda"
-        ebs = {
-          volume_size           = 32
-          volume_type           = "gp2"
-          delete_on_termination = true
-          encrypted             = true
-        }
-      }
+  }
+
+  addons = {
+    coredns = {
+      most_recent                 = true
+      resolve_conflicts_on_create = "OVERWRITE"
+      resolve_conflicts           = "OVERWRITE"
+    }
+    kube-proxy = {
+      most_recent                 = true
+      resolve_conflicts_on_create = "OVERWRITE"
+      resolve_conflicts           = "OVERWRITE"
+    }
+    vpc-cni = {
+      most_recent                 = true
+      resolve_conflicts_on_create = "OVERWRITE"
+      resolve_conflicts           = "OVERWRITE"
     }
   }
 
   eks_managed_node_groups = {
     one = {
       name = "node-group-1"
+      ami_type = "AL2023_x86_64_STANDARD"
 
       vpc_security_group_ids = [var.dev_security_group_id, var.staging_security_group_id]
 
@@ -49,6 +52,36 @@ module "eks" {
       min_size     = 3
       max_size     = 3
       desired_size = 3
+
+      block_device_mappings = {
+        xvda = {
+          device_name = "/dev/xvda"
+          ebs = {
+            volume_size           = 32
+            volume_type           = "gp2"
+            delete_on_termination = true
+            encrypted             = true
+          }
+        }
+      }
     }
   }
 }
+
+resource "kubernetes_cluster_role_binding" "eks_admins_cluster_admin" {
+  metadata {
+    name = "eks-admins-cluster-admin"
+  }
+
+  role_ref {
+    api_group = "rbac.authorization.k8s.io"
+    kind      = "ClusterRole"
+    name      = "cluster-admin"
+  }
+
+  subject {
+    kind      = "Group"
+    name      = "eks-admins"
+    api_group = "rbac.authorization.k8s.io"
+  }
+}

archivematica/test_cluster/terraform.tf

@@ -10,7 +10,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 4.46.0"
+      version = "~> 6.14.1"
     }
 
     random = {
@@ -39,5 +39,5 @@ terraform {
     }
   }
 
-  required_version = "~> 1.3"
+  required_version = "~> 1.5"
 }