fix: external-dns cluster role didn't have permission to perform acti… (#260)

* fix: external-dns cluster role didn't have permission to perform actions against the newer version of the ingress resource

* docs: update cert-manager docs

* fix: upgrade provider in remote-state terraform to prevent errors due to old syntax with new provider versions

* fix: typo

Author: bmonkman

README.md

@@ -73,7 +73,7 @@ infrastructure:
 EC2 instance sizing can be configured in [templates/terraform/environments/stage/main.tf](templates/terraform/environments/stage/main.tf)
 
 ## Other links
-Project board: [zenhub][zenhub-board]
+[Project board](https://github.com/orgs/commitdev/projects/6/views/2)
 
 <!-- Links -->
 [zero]: https://github.com/commitdev/zero
@@ -83,6 +83,5 @@ Project board: [zenhub][zenhub-board]
 <!-- External Links -->
 [aws-cli]: https://docs.aws.amazon.com/polly/latest/dg/setup-aws-cli.html
 [aws-route53]: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-register.html
-[zenhub-board]: https://app.zenhub.com/workspaces/commit-zero-5da8decc7046a60001c6db44/board?filterLogic=any&repos=203630543,247773730,257676371,258369081
 [sendgrid]: https://signup.sendgrid.com
 [sendgrid-apikey]: https://app.sendgrid.com/settings/api_keys

doc-site/docs/about/overview.md

@@ -4,12 +4,12 @@ sidebar_label: Overview
 sidebar_position: 1
 ---
 
-The Zero-awk-eks stack is designed with scalability and maintainability in mind, this repo is a series of templates indented to be filled in with modules parameters, and executed by zero 
+The Zero-awk-eks stack is designed with scalability and maintainability in mind, this repo is a series of templates indented to be filled in with modules parameters, and executed by zero
 This is a [Zero][zero] module which sets up a
 hosting environment on AWS running Kubernetes. It will generate terraform output
-which describes the environment mapped in this [architecture diagram][arch-diagram]. 
+which describes the environment mapped in this [architecture diagram][arch-diagram].
 
-### **Resource List**: 
+### **Resource List**:
 [Link][resource-list]
 
 ### **Prerequisites**
@@ -24,6 +24,9 @@ which describes the environment mapped in this [architecture diagram][arch-diagr
 _Optional Prerequisites_
 - [Sendgrid account][sendgrid] with developer [API key][sendgrid-apikey]: this will enable transactional email sending with simple API calls.
 
+### Other links
+[Project board](https://github.com/orgs/commitdev/projects/6/views/2)
+
 
 <!-- Links -->
 [zero]: https://github.com/commitdev/zero
@@ -32,6 +35,5 @@ _Optional Prerequisites_
 <!-- External Links -->
 [aws-cli]: https://docs.aws.amazon.com/polly/latest/dg/setup-aws-cli.html
 [aws-route53]: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-register.html
-[zenhub-board]: https://app.zenhub.com/workspaces/commit-zero-5da8decc7046a60001c6db44/board?filterLogic=any&repos=203630543,247773730,257676371,258369081
 [sendgrid]: https://signup.sendgrid.com
-[sendgrid-apikey]: https://app.sendgrid.com/settings/api_keys
+[sendgrid-apikey]: https://app.sendgrid.com/settings/api_keys

doc-site/docs/components/kubernetes/cert-manager.md

@@ -5,20 +5,36 @@ sidebar_position: 2
 ---
 
 ## Overview
-cert-manager is a native Kubernetes certificate management controller. It can help with issuing certificates from a variety of sources, such as Let’s Encrypt and more.
+`cert-manager` is a native Kubernetes certificate management controller. It can help with issuing certificates from a variety of sources, such as [Let's Encrypt](https://letsencrypt.org) and more.
 
-For any ingresses that specify that they need TLS, cert-manager will automatically provision a certificate using Lets Encrypt, and handle renewing it automatically on a regular basis. Alongside external-dns, this allows you to make sure your new domains are always secured using HTTPS.
+For any ingresses that specify that they need TLS, `cert-manager` will automatically provision a certificate using Let's Encrypt, and handle renewing it automatically on a regular basis. Alongside [external-dns](https://github.com/kubernetes-sigs/external-dns), this allows you to make sure your new domains are always secured using HTTPS.
 
 ## How It Works
-The sub-component ingress-shim watches Ingress resources across your cluster. If it observes an Ingress with annotations described in the Supported Annotations section, it will ensure a Certificate resource with the name provided in the tls.secretName field and configured as described on the Ingress exists. For example:
+`cert-manager` watches `Ingress` resources across your cluster. If it observes an `Ingress` with one of it's annotations, it will ensure a Certificate resource with the name provided in the tls.secretName field exists. See the example below.
+
+Zero sets up two `ClusterIssuer`s by default which provide different ways of verifying your certificates.
+- `clusterissuer-letsencrypt-production` uses the HTTP issuer, which requires Let's Encrypt to do an HTTP call to your service to verify it.
+- `clusterissuer-letsencrypt-production-dns` uses the DNS issuer, which creates a DNS record Let's Encrypt will check to verify that you own the domain.
+
+:::note
+The name "production" in the clusterissuers refers to the fact that we are using the "production" version of Let's Encrypt, which is what we want in almost all cases unless we are testing Let's Encrypt itself.
+:::
+
+In the case of the HTTP `ClusterIssuer`, external-dns working properly will be required, since that is what will create a Route53 DNS record that points at the load balancer in front of your cluster. Both `external-dns` and `cert-manager` are configured by annotations and configuration in the `Ingress`.
+
+
+
+## Example
 
 ```yaml
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   annotations:
-    # add an annotation indicating the issuer to use.
-    cert-manager.io/cluster-issuer: nameOfClusterIssuer
+    # This annotation is for cert-manager, it specifies which certificate issuer to use
+    cert-manager.io/cluster-issuer: clusterissuer-letsencrypt-production
+    # This annotation is for external-dns
+    external-dns.alpha.kubernetes.io/hostname: example.com
   name: myIngress
   namespace: myIngress
 spec:
@@ -39,7 +55,8 @@ spec:
     secretName: myingress-cert # < cert-manager will store the created certificate in this secret.
 ```
 
+
 ## Documentation
-Checkout [Cert-manager's documentation][docs] for more information.
+Checkout [`cert-manager`'s documentation][docs] for more information.
 
-[docs]: https://cert-manager.io/docs/
+[docs]: https://cert-manager.io/docs/

templates/kubernetes/terraform/modules/kubernetes/external_dns.tf

@@ -56,23 +56,18 @@ resource "kubernetes_cluster_role" "external_dns" {
   rule {
     verbs      = ["get", "list", "watch"]
     api_groups = [""]
-    resources  = ["pods", "services"]
+    resources  = ["pods", "services", "endpoints"]
   }
   rule {
     verbs      = ["get", "list", "watch"]
-    api_groups = ["extensions"]
+    api_groups = ["extensions", "networking.k8s.io"]
     resources  = ["ingresses"]
   }
   rule {
-    verbs      = ["list"]
+    verbs      = ["list", "watch"]
     api_groups = [""]
     resources  = ["nodes"]
   }
-  rule {
-    verbs      = ["get", "list", "watch"]
-    api_groups = [""]
-    resources  = ["endpoints"]
-  }
 }
 
 resource "kubernetes_cluster_role_binding" "external_dns" {

templates/terraform/bootstrap/remote-state/main.tf

@@ -1,21 +1,40 @@
+terraform {
+  required_version = ">= 0.14"
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+      version = ">= 4.0.0"
+    }
+  }
+}
+
 provider "aws" {
   region              = "<% index .Params `region` %>"
   allowed_account_ids = ["<% index .Params `accountId` %>"]
 }
 
 resource "aws_s3_bucket" "terraform_remote_state" {
   bucket = "<% .Name %>-${var.environment}-terraform-state"
+}
+
+resource "aws_s3_bucket_acl" "terraform_remote_state" {
+  bucket = aws_s3_bucket.terraform_remote_state.id
   acl    = "private"
+}
 
-  versioning {
-    enabled = true
+resource "aws_s3_bucket_versioning" "terraform_remote_state" {
+  bucket = aws_s3_bucket.terraform_remote_state.id
+  versioning_configuration {
+    status = "Enabled"
   }
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "terraform_remote_state" {
+  bucket = aws_s3_bucket.terraform_remote_state.id
 
-  server_side_encryption_configuration {
-    rule {
-      apply_server_side_encryption_by_default {
-        sse_algorithm = "AES256"
-      }
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm     = "AES256"
     }
   }
 }