Set nullable inputs for k8s and helm providers and set conditional provisioning of s3 permissions for ec2 instance

Author: burmek

.terraform.lock.hcl

@@ -1,10 +1,11 @@
 data "aws_availability_zones" "available" {}
 
-/*
+
 data "aws_eks_cluster_auth" "this" {
+  count = var.enable_eks ? 1 : 0
   name = module.comet_eks[0].cluster_name
 }
-*/
+
 
 locals {
   resource_name = "comet-${var.environment}"
@@ -52,10 +53,12 @@ module "vpc" {
 module "comet_ec2" {
   source = "./modules/comet_ec2"
   count  = var.enable_ec2 ? 1 : 0
+
+  s3_enabled = var.enable_s3
 
   vpc_id = module.vpc.vpc_id
-  allinone_ami = "ami-05842f1afbf311a43"
-  allinone_subnet = module.vpc.public_subnets[count.index % length(module.vpc.public_subnets)]
+  comet_ec2_ami = "ami-05842f1afbf311a43"
+  comet_ec2_subnet = module.vpc.public_subnets[count.index % length(module.vpc.public_subnets)]
 
   comet_ml_s3_bucket  = var.s3_bucket_name
 }
@@ -81,7 +84,7 @@ module "comet_elasticache" {
   vpc_private_subnets = module.vpc.private_subnets
 
   # index is used on the module refs becuase of the count usage in the toggle: "After the count apply the resource becomes a group, so later in the reference use 0-index of the group"
-  elasticache_allow_ec2_sg = var.enable_ec2 ? module.comet_ec2[0].allinone_sg_id : null
+  elasticache_allow_ec2_sg = var.enable_ec2 ? module.comet_ec2[0].comet_ec2_sg_id : null
   elasticache_allow_eks_sg = var.enable_eks ? module.comet_eks[0].nodegroup_sg_id : null
 }
 
@@ -97,7 +100,7 @@ module "comet_rds" {
   vpc_private_subnets = module.vpc.private_subnets
 
   # index is used on the module refs becuase of the count usage in the toggle: "After the count apply the resource becomes a group, so later in the reference use 0-index of the group"
-  rds_allow_ec2_sg = var.enable_ec2 ? module.comet_ec2[0].allinone_sg_id : null
+  rds_allow_ec2_sg = var.enable_ec2 ? module.comet_ec2[0].comet_ec2_sg_id : null
   rds_allow_eks_sg = var.enable_eks ? module.comet_eks[0].nodegroup_sg_id : null
 
 }

.terraform/providers/registry.terraform.io/hashicorp/helm/2.10.1/darwin_amd64/terraform-provider-helm_v2.10.1_x5

@@ -10,22 +10,20 @@ locals {
   }
 }
 
-resource "aws_instance" "allinone" {
-  ami           = var.allinone_ami
-  instance_type = var.allinone_instance_type
+resource "aws_instance" "comet_ec2" {
+  ami           = var.comet_ec2_ami
+  instance_type = var.comet_ec2_instance_type
   key_name      = var.key_name
-  count         = var.allinone_instance_count
-  iam_instance_profile = aws_iam_instance_profile.comet-ml-s3-access-profile.name
-  # Recommended place it in a private subnet along with a bastion host
-  #subnet_id     = module.vpc.private_subnets[count.index % length(module.vpc.private_subnets)]
-  subnet_id     = var.allinone_subnet
+  count         = var.comet_ec2_instance_count
+  iam_instance_profile = aws_iam_instance_profile.comet-ec2-instance-profile.name
+  subnet_id     = var.comet_ec2_subnet
 
   # need enable multiple SGs
-  vpc_security_group_ids = [aws_security_group.allinone_sg.id]
+  vpc_security_group_ids = [aws_security_group.comet_ec2_sg.id]
 
   root_block_device {
-    volume_type = var.allinone_volume_type
-    volume_size = var.allinone_volume_size
+    volume_type = var.comet_ec2_volume_type
+    volume_size = var.comet_ec2_volume_size
   }
 
   tags = merge(local.tags, {
@@ -37,23 +35,23 @@ resource "aws_instance" "allinone" {
   }
 }
 
-resource "aws_security_group" "allinone_sg" {
+resource "aws_security_group" "comet_ec2_sg" {
   name        = "comet_${var.environment}_ec2_sg"
   description = "Comet EC2 instance security group"
   vpc_id      = var.vpc_id
 }
 
-resource "aws_vpc_security_group_ingress_rule" "allinone_ingress_ssh" {
-  security_group_id = aws_security_group.allinone_sg.id
+resource "aws_vpc_security_group_ingress_rule" "comet_ec2_ingress_ssh" {
+  security_group_id = aws_security_group.comet_ec2_sg.id
 
   from_port   = local.ssh_port
   to_port     = local.ssh_port
   ip_protocol    = "tcp"
   cidr_ipv4 = local.cidr_anywhere
 }
 
-resource "aws_vpc_security_group_ingress_rule" "allinone_ingress_http" {
-  security_group_id = aws_security_group.allinone_sg.id
+resource "aws_vpc_security_group_ingress_rule" "comet_ec2_ingress_http" {
+  security_group_id = aws_security_group.comet_ec2_sg.id
 
   from_port   = local.http_port
   to_port     = local.http_port
@@ -64,8 +62,8 @@ resource "aws_vpc_security_group_ingress_rule" "allinone_ingress_http" {
 }
 
 /* SG rule to allow ingress from LB SG; add later
-resource "aws_vpc_security_group_ingress_rule" "allinone_ingress_http" {
-  security_group_id = aws_security_group.allinone_sg.id
+resource "aws_vpc_security_group_ingress_rule" "comet_ec2_ingress_http" {
+  security_group_id = aws_security_group.comet_ec2_sg.id
   
   from_port   = local.http_port
   to_port     = local.http_port
@@ -74,25 +72,38 @@ resource "aws_vpc_security_group_ingress_rule" "allinone_ingress_http" {
 }
 */
 
-resource "aws_vpc_security_group_egress_rule" "allinone_egress_any" {
-  security_group_id = aws_security_group.allinone_sg.id
+resource "aws_vpc_security_group_egress_rule" "comet_ec2_egress_any" {
+  security_group_id = aws_security_group.comet_ec2_sg.id
   ip_protocol    = "-1"
   cidr_ipv4 = local.cidr_anywhere
 }
 
-resource "aws_iam_role" "comet-ml-allinone-s3-access-role" {
+resource "aws_iam_role" "comet-ec2-s3-access-role" {
   name               = "comet-ml-s3-role"
-  assume_role_policy = file("${path.module}/templates/assume-role.json")
+  assume_role_policy = jsonencode({
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Action": "sts:AssumeRole",
+        "Principal": {
+          "Service": "ec2.amazonaws.com"
+        },
+        "Effect": "Allow",
+        "Sid": ""
+      }
+    ]
+  })
 }
 
-resource "aws_iam_instance_profile" "comet-ml-s3-access-profile" {
-  name  = "${var.environment}-comet-ml-s3-access-profile"
-  role  = aws_iam_role.comet-ml-allinone-s3-access-role.name
+resource "aws_iam_instance_profile" "comet-ec2-instance-profile" {
+  name  = "${var.environment}-comet-ec2-instance-profile"
+  role  = aws_iam_role.comet-ec2-s3-access-role.name
 }
 
 resource "aws_iam_policy" "comet-ml-s3-policy" {
-  name        = "comet-ml-s3-access-policy"
-  description = "comet-ml-s3-access-policy"
+  count       = var.s3_enabled ? 1 : 0
+  name        = "comet-s3-access-policy"
+  description = "comet-s3-access-policy"
   policy = jsonencode({
     "Version": "2012-10-17",
     "Statement": [
@@ -109,6 +120,7 @@ resource "aws_iam_policy" "comet-ml-s3-policy" {
 }
 
 resource "aws_iam_role_policy_attachment" "comet-ml-s3-access-attachment" {
-    role       = aws_iam_role.comet-ml-allinone-s3-access-role.name
-    policy_arn = aws_iam_policy.comet-ml-s3-policy.arn
+  count      = var.s3_enabled ? 1 : 0
+  role       = aws_iam_role.comet-ec2-s3-access-role.name
+  policy_arn = aws_iam_policy.comet-ml-s3-policy[0].arn
 }

main.tf

@@ -1,4 +1,4 @@
-output "allinone_sg_id" {
-  value       = aws_security_group.allinone_sg.id
-  description = "ID of the security group associated with the allinone instance"
+output "comet_ec2_sg_id" {
+  value       = aws_security_group.comet_ec2_sg.id
+  description = "ID of the security group associated with the comet_ec2 instance"
 }

modules/comet_ec2/main.tf

@@ -10,13 +10,13 @@ variable "vpc_id" {
   #default     = ""
 }
 
-variable "allinone_ami" {
+variable "comet_ec2_ami" {
   description = "AMI for the EC2 instance"
   type        = string
   default     = ""
 }
 
-variable "allinone_instance_type" {
+variable "comet_ec2_instance_type" {
   description = "Instance type for the EC2 instance"
   type        = string
   default     = "m5.4xlarge"
@@ -28,30 +28,36 @@ variable "key_name" {
   default     = ""
 }
 
-variable "allinone_instance_count" {
+variable "comet_ec2_instance_count" {
   description = "Number of EC2 instances to provision"
   type        = number
   default     = 1
 }
 
-variable "allinone_volume_type" {
+variable "comet_ec2_volume_type" {
   description = "EBS volume type for the EC2 instance root volume"
   type        = string
   default     = "gp2"
 }
 
-variable "allinone_volume_size" {
+variable "comet_ec2_volume_size" {
   description = "Size, in gibibytes (GiB), for the EC2 instance root volume"
   type        = number
   default     = 1024
 }
 
-variable "allinone_subnet" {
+variable "comet_ec2_subnet" {
   description = "ID of VPC subnet to launch EC2 instance in"
   type        = string
   default     = ""
 }
 
+variable "s3_enabled" {
+  description = "Indicates if S3 bucket is being provisioned for Comet"
+  type        = bool
+  default     = null
+}
+
 variable "comet_ml_s3_bucket" {
   description = "Name of the S3 bucket provisioned for Comet"
   type        = string

modules/comet_ec2/outputs.tf

@@ -2,18 +2,16 @@ provider "aws" {
   region = var.region
 }
 
-/*
 provider "kubernetes" {
-  host                   = module.eks_deployment[0].cluster_endpoint
-  cluster_ca_certificate = base64decode(module.eks_deployment[0].cluster_certificate_authority_data)
-  token                  = data.aws_eks_cluster_auth.this.token
+  host                   = var.enable_eks ? module.comet_eks[0].cluster_endpoint : null
+  cluster_ca_certificate = var.enable_eks ? base64decode(module.comet_eks[0].cluster_certificate_authority_data) : null
+  token                  = var.enable_eks ? data.aws_eks_cluster_auth.this[0].token : null
 }
 
 provider "helm" {
   kubernetes {
-    host                   = module.eks_deployment[0].cluster_endpoint
-    cluster_ca_certificate = base64decode(module.eks_deployment[0].cluster_certificate_authority_data)
-    token                  = data.aws_eks_cluster_auth.this.token
+    host                   = var.enable_eks ? module.comet_eks[0].cluster_endpoint : null
+    cluster_ca_certificate = var.enable_eks ? base64decode(module.comet_eks[0].cluster_certificate_authority_data) : null
+    token                  = var.enable_eks ? data.aws_eks_cluster_auth.this[0].token : null
   }
-}
-*/
+}