Feature/eks fargate profile (#97)

halfb00t · web-flow · commit 857d5115c876 · 2021-08-12T11:58:04.000+06:00
* #94 bumped provider versions * #94 updated lock files * #94 updated acm, eks and r53 modules versions * #95 added fargate profile Also added cluster logs parameter for eks and moved local variables to locals.tf. * #95 fixed grafana dashboard url * #96 added fargate profile Also added cluster logs parameter for eks and moved local variables to locals.tf. * #96 moved locals for eks and vpc back to separate files * #96 decided to put only audit logs for eks as a default value
diff --git a/terraform/layer1-aws/aws-eks.tf b/terraform/layer1-aws/aws-eks.tf
@@ -1,3 +1,28 @@
+locals {
+  eks_map_roles = concat(var.eks_map_roles,
+    [
+      {
+        rolearn  = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/administrator"
+        username = "administrator"
+        groups = [
+        "system:masters"]
+    }]
+  )
+
+  worker_tags = [
+    {
+      "key"                 = "k8s.io/cluster-autoscaler/enabled"
+      "propagate_at_launch" = "false"
+      "value"               = "true"
+    },
+    {
+      "key"                 = "k8s.io/cluster-autoscaler/${local.name}"
+      "propagate_at_launch" = "false"
+      "value"               = "true"
+    }
+  ]
+}
+
 module "eks" {
   source  = "terraform-aws-modules/eks/aws"
   version = "17.1.0"
@@ -7,6 +32,9 @@ module "eks" {
   subnets         = module.vpc.intra_subnets
   enable_irsa     = true
 
+  cluster_enabled_log_types     = var.eks_cluster_enabled_log_types
+  cluster_log_retention_in_days = var.eks_cluster_log_retention_in_days
+
   tags = {
     ClusterName = local.name
     Environment = local.env
@@ -33,18 +61,8 @@ module "eks" {
       kubelet_extra_args      = "--node-labels=node.kubernetes.io/lifecycle=spot"
       public_ip               = false
       additional_userdata     = file("${path.module}/templates/eks-x86-nodes-userdata.sh")
-      tags = [
-        {
-          "key"                 = "k8s.io/cluster-autoscaler/enabled"
-          "propagate_at_launch" = "false"
-          "value"               = "true"
-        },
-        {
-          "key"                 = "k8s.io/cluster-autoscaler/${local.name}"
-          "propagate_at_launch" = "false"
-          "value"               = "true"
-        }
-      ]
+
+      tags = local.worker_tags
     },
     {
       name                 = "ondemand"
@@ -56,18 +74,8 @@ module "eks" {
       kubelet_extra_args   = "--node-labels=node.kubernetes.io/lifecycle=ondemand"
       public_ip            = false
       additional_userdata  = file("${path.module}/templates/eks-x86-nodes-userdata.sh")
-      tags = [
-        {
-          "key"                 = "k8s.io/cluster-autoscaler/enabled"
-          "propagate_at_launch" = "true"
-          "value"               = "true"
-        },
-        {
-          "key"                 = "k8s.io/cluster-autoscaler/${local.name}"
-          "propagate_at_launch" = "true"
-          "value"               = "true"
-        }
-      ]
+
+      tags = local.worker_tags
     },
     {
       name                    = "ci"
@@ -81,27 +89,33 @@ module "eks" {
       kubelet_extra_args      = "--node-labels=node.kubernetes.io/lifecycle=spot --node-labels=purpose=ci --register-with-taints=purpose=ci:NoSchedule"
       public_ip               = true
       additional_userdata     = file("${path.module}/templates/eks-x86-nodes-userdata.sh")
-      tags = [
-        {
-          "key"                 = "k8s.io/cluster-autoscaler/enabled"
-          "propagate_at_launch" = "false"
-          "value"               = "true"
-        },
-        {
-          "key"                 = "k8s.io/cluster-autoscaler/${local.name}"
-          "propagate_at_launch" = "false"
-          "value"               = "true"
-        },
+
+      tags = concat(local.worker_tags, [{
+        "key"                 = "k8s.io/cluster-autoscaler/node-template/label/purpose"
+        "propagate_at_launch" = "true"
+        "value"               = "ci"
+      }])
+    },
+  ]
+
+  fargate_profiles = {
+    default = {
+      name = "fargate"
+
+      selectors = [
         {
-          "key"                 = "k8s.io/cluster-autoscaler/node-template/label/purpose"
-          "propagate_at_launch" = "true"
-          "value"               = "ci"
+          namespace = "fargate"
         }
       ]
-    },
-  ]
 
-  map_roles = local.eks_map_roles
+      subnets = module.vpc.private_subnets
+
+      tags = merge(local.tags, {
+        Namespace = "fargate"
+      })
+    }
+  }
 
+  map_roles        = local.eks_map_roles
   write_kubeconfig = var.eks_write_kubeconfig
 }
diff --git a/terraform/layer1-aws/aws-vpc.tf b/terraform/layer1-aws/aws-vpc.tf
@@ -1,12 +1,10 @@
 locals {
-  cidr_subnets = [for cidr_block in cidrsubnets(var.cidr, 2, 2, 2, 2) : cidrsubnets(cidr_block, 4, 4, 4, 4)]
-
+  cidr_subnets     = [for cidr_block in cidrsubnets(var.cidr, 2, 2, 2, 2) : cidrsubnets(cidr_block, 4, 4, 4, 4)]
   private_subnets  = chunklist(local.cidr_subnets[0], var.az_count)[0]
   public_subnets   = chunklist(local.cidr_subnets[1], var.az_count)[0]
   database_subnets = chunklist(local.cidr_subnets[2], var.az_count)[0]
   intra_subnets    = chunklist(local.cidr_subnets[3], var.az_count)[0]
-
-  azs = data.aws_availability_zones.available.names
+  azs              = data.aws_availability_zones.available.names
 }
 
 module "vpc" {
@@ -79,5 +77,4 @@ module "vpc" {
     Name        = "${local.name}-intra"
     destination = "intra"
   }
-
 }
diff --git a/terraform/layer1-aws/locals.tf b/terraform/layer1-aws/locals.tf
@@ -1,5 +1,6 @@
 # Use this as name base for all resources:
 locals {
+  # COMMON
   env            = terraform.workspace == "default" ? var.environment : terraform.workspace
   short_region   = var.short_region[var.region]
   name           = "${var.name}-${local.env}-${local.short_region}"
@@ -15,14 +16,4 @@ locals {
   ssl_certificate_arn = var.create_acm_certificate ? module.acm.this_acm_certificate_arn : data.aws_acm_certificate.main[0].arn
 
   zone_id = var.create_r53_zone ? keys(module.r53_zone.this_route53_zone_zone_id)[0] : (var.zone_id != null ? var.zone_id : data.aws_route53_zone.main[0].zone_id)
-
-  eks_map_roles = concat(var.eks_map_roles,
-    [
-      {
-        rolearn  = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/administrator"
-        username = "administrator"
-        groups = [
-        "system:masters"]
-    }]
-  )
 }
diff --git a/terraform/layer1-aws/variables.tf b/terraform/layer1-aws/variables.tf
@@ -69,6 +69,7 @@ variable "region" {
 }
 
 variable "az_count" {
+  type        = number
   description = "Count of avaiablity zones, min 2"
   default     = 3
 }
@@ -136,6 +137,24 @@ variable "eks_write_kubeconfig" {
   description = "Flag for eks module to write kubeconfig"
 }
 
+variable "eks_cluster_enabled_log_types" {
+  type        = list(string)
+  default     = ["audit"]
+  description = "A list of the desired control plane logging to enable. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html). Possible values: api, audit, authenticator, controllerManager, scheduler"
+}
+
+variable "eks_cluster_log_retention_in_days" {
+  type        = number
+  default     = 90
+  description = "Number of days to retain log events. Default retention - 90 days."
+}
+
+variable "eks_cluster_encryption_config_enable" {
+  type        = bool
+  default     = false
+  description = "Enable or not encryption for k8s secrets with aws-kms"
+}
+
 # ECR
 variable "ecr_repos" {
   type        = list(any)
@@ -144,12 +163,8 @@ variable "ecr_repos" {
 }
 
 variable "ecr_repo_retention_count" {
+  type        = number
   default     = 50
   description = "number of images to store in ECR"
 }
 
-variable "eks_cluster_encryption_config_enable" {
-  type        = bool
-  default     = false
-  description = "Enable or not encryption for k8s secrets with aws-kms"
-}
diff --git a/terraform/layer2-k8s/templates/prometheus-values.tmpl b/terraform/layer2-k8s/templates/prometheus-values.tmpl
@@ -127,7 +127,7 @@ grafana:
     logs:
       logs:
         ## Dashboard for quick search application logs for loki with two datasources loki and prometheus - https://grafana.com/grafana/dashboards/12019
-        url: https://s3.amazonaws.com/grafana-dashboards.maddevs.org/common/aws-eks-base/loki-dashboard-quick-search.json
+        url: https://grafana-dashboards.maddevs.org/common/aws-eks-base/loki-dashboard-quick-search.json
 
     k8s:
       nginx-ingress:

Original file line number	Diff line number	Diff line change
`@@ -1,12 +1,10 @@`
`1`	`1`	`locals {`
`2`		`- cidr_subnets = [for cidr_block in cidrsubnets(var.cidr, 2, 2, 2, 2) : cidrsubnets(cidr_block, 4, 4, 4, 4)]`
`3`		`-`
	`2`	`+ cidr_subnets = [for cidr_block in cidrsubnets(var.cidr, 2, 2, 2, 2) : cidrsubnets(cidr_block, 4, 4, 4, 4)]`
`4`	`3`	`private_subnets = chunklist(local.cidr_subnets[0], var.az_count)[0]`
`5`	`4`	`public_subnets = chunklist(local.cidr_subnets[1], var.az_count)[0]`
`6`	`5`	`database_subnets = chunklist(local.cidr_subnets[2], var.az_count)[0]`
`7`	`6`	`intra_subnets = chunklist(local.cidr_subnets[3], var.az_count)[0]`
`8`		`-`
`9`		`- azs = data.aws_availability_zones.available.names`
	`7`	`+ azs = data.aws_availability_zones.available.names`
`10`	`8`	`}`
`11`	`9`
`12`	`10`	`module "vpc" {`
`@@ -79,5 +77,4 @@ module "vpc" {`
`79`	`77`	`Name = "${local.name}-intra"`
`80`	`78`	`destination = "intra"`
`81`	`79`	`}`
`82`		`-`
`83`	`80`	`}`