Update to eks helm terraform module (#99)

Jake Neyer · web-flow · commit ca931c0e9baf · 2023-08-11T15:35:07.000-04:00
diff --git a/helm/charts/polytomic/templates/cache-pvc.yaml b/helm/charts/polytomic/templates/cache-pvc.yaml
@@ -47,4 +47,4 @@ spec:
     requests:
       storage: {{ .Values.polytomic.cache.size }}
 {{- end }}
-{{- end -}}
+{{- end -}}
diff --git a/helm/charts/polytomic/templates/sync-depoyment.yaml b/helm/charts/polytomic/templates/sync-depoyment.yaml
@@ -70,7 +70,7 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       volumes:
-      {{ if and (index .Values "nfs-server-provisioner" "enabled") (.Values.polytomic.cache.enabled) }}
+      {{ if .Values.polytomic.cache.enabled }}
       - name: cache-volume
         persistentVolumeClaim:
           claimName: {{ .Values.polytomic.cache.volume_name }}
diff --git a/helm/charts/polytomic/templates/worker-deployment.yaml b/helm/charts/polytomic/templates/worker-deployment.yaml
@@ -70,7 +70,7 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       volumes:
-      {{ if and (index .Values "nfs-server-provisioner" "enabled") (.Values.polytomic.cache.enabled) }}
+      {{ if .Values.polytomic.cache.enabled }}
       - name: cache-volume
         persistentVolumeClaim:
           claimName: {{ .Values.polytomic.cache.volume_name }}
diff --git a/terraform/examples/eks-complete/app/main.tf b/terraform/examples/eks-complete/app/main.tf
@@ -1,13 +1,16 @@
 locals {
-  region                   = "us-west-2"
-  prefix                   = "polytomic"
-  url                      = "polytomic.${local.domain}"
-  domain                   = "example.com"
-  polytomic_deployment     = "deployment"
-  polytomic_deployment_key = "key"
-  polytomic_image          = "568237466542.dkr.ecr.us-west-2.amazonaws.com/polytomic-onprem"
-  polytomic_image_tag      = "latest"
-  polytomic_root_user      = "user@example.com"
+  region                         = "us-west-2"
+  prefix                         = "polytomic"
+  url                            = "polytomic.${local.domain}"
+  domain                         = "example.com"
+  polytomic_deployment           = "deployment"
+  polytomic_deployment_key       = "key"
+  polytomic_image                = "568237466542.dkr.ecr.us-west-2.amazonaws.com/polytomic-onprem"
+  polytomic_image_tag            = "latest"
+  polytomic_root_user            = "user@example.com"
+  polytomic_bucket               = "polytomic-bucket"
+  polytomic_google_client_id     = "google-client-id"
+  polytomic_google_client_secret = "google-client-secret"
 }
 
 
@@ -62,18 +65,24 @@ module "addons" {
 module "eks_helm" {
   source = "github.com/polytomic/on-premises/terraform/modules/eks-helm"
 
-  certificate_arn          = aws_acm_certificate.cert.arn
-  subnets                  = join(",", data.terraform_remote_state.eks.outputs.public_subnets)
-  polytomic_url            = local.url
-  polytomic_deployment     = local.polytomic_deployment
-  polytomic_deployment_key = local.polytomic_deployment_key
-  polytomic_image          = local.polytomic_image
-  polytomic_image_tag      = local.polytomic_image_tag
-  polytomic_root_user      = local.polytomic_root_user
-  redis_host               = data.terraform_remote_state.eks.outputs.redis_host
-  redis_port               = data.terraform_remote_state.eks.outputs.redis_port
-  postgres_host            = data.terraform_remote_state.eks.outputs.postgres_host
-  postgres_password        = data.terraform_remote_state.eks.outputs.postgres_password
+  certificate_arn                    = aws_acm_certificate.cert.arn
+  subnets                            = join(",", data.terraform_remote_state.eks.outputs.public_subnets)
+  polytomic_url                      = local.url
+  polytomic_deployment               = local.polytomic_deployment
+  polytomic_deployment_key           = local.polytomic_deployment_key
+  polytomic_image                    = local.polytomic_image
+  polytomic_image_tag                = local.polytomic_image_tag
+  polytomic_root_user                = local.polytomic_root_user
+  redis_host                         = data.terraform_remote_state.eks.outputs.redis_host
+  redis_port                         = data.terraform_remote_state.eks.outputs.redis_port
+  postgres_host                      = data.terraform_remote_state.eks.outputs.postgres_host
+  postgres_password                  = data.terraform_remote_state.eks.outputs.postgres_password
+  polytomic_google_client_id         = local.polytomic_google_client_id
+  polytomic_google_client_secret     = local.polytomic_google_client_secret
+  polytomic_bucket                   = data.terraform_remote_state.eks.outputs.bucket
+  polytomic_bucket_region            = local.region
+  efs_id                             = data.terraform_remote_state.eks.outputs.filesystem_id
+  polytomic_service_account_role_arn = module.addons.polytomic_role_arn
 
   depends_on = [
     module.addons
diff --git a/terraform/examples/eks-complete/cluster/main.tf b/terraform/examples/eks-complete/cluster/main.tf
@@ -1,7 +1,8 @@
 locals {
-  region  = "us-west-2"
-  prefix  = "polytomic"
-  vpc_azs = ["us-west-2a", "us-west-2b", "us-west-2c"]
+  region           = "us-west-2"
+  prefix           = "polytomic"
+  vpc_azs          = ["us-west-2a", "us-west-2b", "us-west-2c"]
+  polytomic_bucket = "polytomic"
 }
 
 provider "aws" {
@@ -12,8 +13,9 @@ provider "aws" {
 module "eks" {
   source = "github.com/polytomic/on-premises/terraform/modules/eks"
 
-  prefix  = local.prefix
-  region  = local.region
-  vpc_azs = local.vpc_azs
+  prefix      = local.prefix
+  region      = local.region
+  vpc_azs     = local.vpc_azs
+  bucket_name = local.polytomic_bucket
 }
 
diff --git a/terraform/examples/eks-complete/cluster/outputs.tf b/terraform/examples/eks-complete/cluster/outputs.tf
@@ -48,3 +48,7 @@ output "postgres_host" {
 output "filesystem_id" {
   value = module.eks.filesystem_id
 }
+
+output "bucket" {
+  value = module.eks.bucket
+}
diff --git a/terraform/examples/gke-complete/cluster/main.tf b/terraform/examples/gke-complete/cluster/main.tf
@@ -1,6 +1,7 @@
 locals {
-  project_id = ""
-  region     = "us-east1"
+  project_id       = ""
+  region           = "us-east1"
+  polytomic_bucket = "polytomic"
 }
 
 provider "google" {
diff --git a/terraform/modules/eks-addons/README.md b/terraform/modules/eks-addons/README.md
@@ -6,6 +6,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
 | <a name="provider_helm"></a> [helm](#provider\_helm) | n/a |
 | <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | n/a |
 
@@ -17,14 +18,17 @@ No requirements.
 | <a name="module_ebs_csi_node_irsa_role"></a> [ebs\_csi\_node\_irsa\_role](#module\_ebs\_csi\_node\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a |
 | <a name="module_efs_csi_irsa_role"></a> [efs\_csi\_irsa\_role](#module\_efs\_csi\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a |
 | <a name="module_lb_role"></a> [lb\_role](#module\_lb\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a |
+| <a name="module_polytomic_role"></a> [polytomic\_role](#module\_polytomic\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a |
 
 ## Resources
 
 | Name | Type |
 |------|------|
+| [aws_iam_policy.polytomic](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [helm_release.efs-driver](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.lb](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [kubernetes_service_account.service-account](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service_account) | resource |
+| [aws_iam_policy_document.polytomic](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 
 ## Inputs
 
@@ -39,4 +43,6 @@ No requirements.
 
 ## Outputs
 
-No outputs.
+| Name | Description |
+|------|-------------|
+| <a name="output_polytomic_role_arn"></a> [polytomic\_role\_arn](#output\_polytomic\_role\_arn) | n/a |
diff --git a/terraform/modules/eks-addons/main.tf b/terraform/modules/eks-addons/main.tf
@@ -146,3 +146,34 @@ storageClasses:
 EOF
   ]
 }
+
+
+module "polytomic_role" {
+  source    = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+  role_name = "${var.prefix}_iam_eks"
+
+  role_policy_arns = {
+    policy = aws_iam_policy.polytomic.arn
+  }
+
+  oidc_providers = {
+    ex = {
+      provider_arn               = var.oidc_provider_arn
+      namespace_service_accounts = ["polytomic:polytomic"]
+    }
+  }
+}
+
+resource "aws_iam_policy" "polytomic" {
+  name        = "${var.prefix}-polytomic"
+  description = "Policy for Polytomic"
+  policy      = data.aws_iam_policy_document.polytomic.json
+}
+
+data "aws_iam_policy_document" "polytomic" {
+  statement {
+    actions   = ["s3:*"]
+    resources = ["*"]
+    effect    = "Allow"
+  }
+}
diff --git a/terraform/modules/eks-addons/outputs.tf b/terraform/modules/eks-addons/outputs.tf
@@ -0,0 +1,3 @@
+output "polytomic_role_arn" {
+  value = module.polytomic_role.iam_role_arn
+}
diff --git a/terraform/modules/eks-helm/README.md b/terraform/modules/eks-helm/README.md
@@ -23,13 +23,18 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_certificate_arn"></a> [certificate\_arn](#input\_certificate\_arn) | The arn of the certificate to use for the polytomic deployment | `any` | n/a | yes |
+| <a name="input_efs_id"></a> [efs\_id](#input\_efs\_id) | ID of the EFS volume to use for the polytomic deployment | `any` | n/a | yes |
+| <a name="input_polytomic_api_key"></a> [polytomic\_api\_key](#input\_polytomic\_api\_key) | The api key for the polytomic deployment | `string` | `""` | no |
+| <a name="input_polytomic_bucket"></a> [polytomic\_bucket](#input\_polytomic\_bucket) | The operational bucket for the polytomic deployment | `any` | n/a | yes |
+| <a name="input_polytomic_bucket_region"></a> [polytomic\_bucket\_region](#input\_polytomic\_bucket\_region) | The operational bucket regoin for the polytomic deployment | `any` | n/a | yes |
 | <a name="input_polytomic_deployment"></a> [polytomic\_deployment](#input\_polytomic\_deployment) | The name of the polytomic deployment | `any` | n/a | yes |
 | <a name="input_polytomic_deployment_key"></a> [polytomic\_deployment\_key](#input\_polytomic\_deployment\_key) | The key for the polytomic deployment | `any` | n/a | yes |
 | <a name="input_polytomic_google_client_id"></a> [polytomic\_google\_client\_id](#input\_polytomic\_google\_client\_id) | The google client id for the polytomic deployment | `any` | n/a | yes |
 | <a name="input_polytomic_google_client_secret"></a> [polytomic\_google\_client\_secret](#input\_polytomic\_google\_client\_secret) | The google client secret for the polytomic deployment | `any` | n/a | yes |
 | <a name="input_polytomic_image"></a> [polytomic\_image](#input\_polytomic\_image) | The image to use for the polytomic container | `any` | n/a | yes |
 | <a name="input_polytomic_image_tag"></a> [polytomic\_image\_tag](#input\_polytomic\_image\_tag) | The tag to use for the polytomic container | `any` | n/a | yes |
 | <a name="input_polytomic_root_user"></a> [polytomic\_root\_user](#input\_polytomic\_root\_user) | The root user for the polytomic deployment | `string` | `"root"` | no |
+| <a name="input_polytomic_service_account_role_arn"></a> [polytomic\_service\_account\_role\_arn](#input\_polytomic\_service\_account\_role\_arn) | ARN of the role to use for the polytomic deployment service account | `any` | n/a | yes |
 | <a name="input_polytomic_url"></a> [polytomic\_url](#input\_polytomic\_url) | The url for the polytomic deployment | `any` | n/a | yes |
 | <a name="input_postgres_host"></a> [postgres\_host](#input\_postgres\_host) | The host for the postgres deployment | `any` | n/a | yes |
 | <a name="input_postgres_password"></a> [postgres\_password](#input\_postgres\_password) | The password for the postgres deployment | `any` | n/a | yes |
diff --git a/terraform/modules/eks-helm/main.tf b/terraform/modules/eks-helm/main.tf
@@ -36,8 +36,13 @@ polytomic:
   deployment:
     name: ${var.polytomic_deployment}
     key: ${var.polytomic_deployment_key}
+    api_key: ${var.polytomic_api_key}
   
   auth:
+    methods:
+    - google
+    - microsoft
+    - sso
     root_user: ${var.polytomic_root_user}
     url: https://${var.polytomic_url}
     single_player: false
@@ -54,12 +59,22 @@ polytomic:
     username: polytomic
     password: ${var.postgres_password}
     host: ${var.postgres_host}
+
+
+  s3:
+    operational_bucket: "s3://${var.polytomic_bucket}"
+    record_log_bucket: ${var.polytomic_bucket}
+    region: "${var.polytomic_bucket_region}"
   
   jobs:
     image: ${var.polytomic_image}
 
   cache:
     storage_class: efs-sc
+    enabled: true
+    type: static
+    efs_id: ${var.efs_id}
+    size: 10Gi
 
 redis:
   enabled: false
@@ -70,6 +85,14 @@ postgresql:
 nfs-server-provisioner:
   enabled: false
 
+minio:
+  enabled: false
+
+
+serviceAccount:
+  annotations:
+      eks.amazonaws.com/role-arn: ${var.polytomic_service_account_role_arn}
+      eks.amazonaws.com/sts-regional-endpoints: "true"
 EOF
   ]
 
diff --git a/terraform/modules/eks-helm/vars.tf b/terraform/modules/eks-helm/vars.tf
@@ -61,3 +61,25 @@ variable "subnets" {
   description = "The subnets to use for the polytomic deployment"
   type        = string
 }
+
+
+variable "polytomic_bucket" {
+  description = "The operational bucket for the polytomic deployment"
+}
+
+variable "polytomic_bucket_region" {
+  description = "The operational bucket regoin for the polytomic deployment"
+}
+
+variable "efs_id" {
+  description = "ID of the EFS volume to use for the polytomic deployment"
+}
+
+variable "polytomic_service_account_role_arn" {
+  description = "ARN of the role to use for the polytomic deployment service account"
+}
+
+variable "polytomic_api_key" {
+  default     = ""
+  description = "The api key for the polytomic deployment"
+}
diff --git a/terraform/modules/eks/README.md b/terraform/modules/eks/README.md
@@ -13,12 +13,13 @@ No requirements.
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_database"></a> [database](#module\_database) | terraform-aws-modules/rds/aws | n/a |
+| <a name="module_database"></a> [database](#module\_database) | terraform-aws-modules/rds/aws | 5.9.0 |
 | <a name="module_database_sg"></a> [database\_sg](#module\_database\_sg) | terraform-aws-modules/security-group/aws | ~> 4.0 |
 | <a name="module_efs"></a> [efs](#module\_efs) | cloudposse/efs/aws | n/a |
 | <a name="module_efs_sg"></a> [efs\_sg](#module\_efs\_sg) | terraform-aws-modules/security-group/aws | ~> 4.0 |
 | <a name="module_eks"></a> [eks](#module\_eks) | terraform-aws-modules/eks/aws | n/a |
 | <a name="module_redis"></a> [redis](#module\_redis) | umotif-public/elasticache-redis/aws | n/a |
+| <a name="module_s3_bucket"></a> [s3\_bucket](#module\_s3\_bucket) | terraform-aws-modules/s3-bucket/aws | n/a |
 | <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | n/a |
 
 ## Resources
@@ -33,6 +34,7 @@ No requirements.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_bucket_name"></a> [bucket\_name](#input\_bucket\_name) | The name of the bucket to create | `string` | `"polytomic-bucket"` | no |
 | <a name="input_create_efs"></a> [create\_efs](#input\_create\_efs) | Whether to create an EFS instance | `bool` | `true` | no |
 | <a name="input_create_postgres"></a> [create\_postgres](#input\_create\_postgres) | Whether to create a postgres instance | `bool` | `true` | no |
 | <a name="input_create_redis"></a> [create\_redis](#input\_create\_redis) | Whether to create a redis instance | `bool` | `true` | no |
@@ -45,7 +47,7 @@ No requirements.
 | <a name="input_database_deletion_protection"></a> [database\_deletion\_protection](#input\_database\_deletion\_protection) | Database deletion protection | `bool` | `true` | no |
 | <a name="input_database_enabled_cloudwatch_logs_exports"></a> [database\_enabled\_cloudwatch\_logs\_exports](#input\_database\_enabled\_cloudwatch\_logs\_exports) | Database enabled cloudwatch logs exports | `list` | <pre>[<br>  "postgresql",<br>  "upgrade"<br>]</pre> | no |
 | <a name="input_database_engine"></a> [database\_engine](#input\_database\_engine) | Database engine | `string` | `"postgres"` | no |
-| <a name="input_database_engine_version"></a> [database\_engine\_version](#input\_database\_engine\_version) | Database engine version | `string` | `"14.1"` | no |
+| <a name="input_database_engine_version"></a> [database\_engine\_version](#input\_database\_engine\_version) | Database engine version | `string` | `"14.3"` | no |
 | <a name="input_database_family"></a> [database\_family](#input\_database\_family) | Database family | `string` | `"postgres14"` | no |
 | <a name="input_database_instance_class"></a> [database\_instance\_class](#input\_database\_instance\_class) | Database instance class | `string` | `"db.t3.small"` | no |
 | <a name="input_database_maintenance_window"></a> [database\_maintenance\_window](#input\_database\_maintenance\_window) | Database maintenance window | `string` | `"Mon:00:00-Mon:03:00"` | no |
@@ -90,6 +92,7 @@ No requirements.
 
 | Name | Description |
 |------|-------------|
+| <a name="output_bucket"></a> [bucket](#output\_bucket) | n/a |
 | <a name="output_cluster_arn"></a> [cluster\_arn](#output\_cluster\_arn) | Cluster ARN |
 | <a name="output_cluster_name"></a> [cluster\_name](#output\_cluster\_name) | Cluster name |
 | <a name="output_filesystem_id"></a> [filesystem\_id](#output\_filesystem\_id) | n/a |
diff --git a/terraform/modules/eks/bucket.tf b/terraform/modules/eks/bucket.tf
@@ -0,0 +1,29 @@
+module "s3_bucket" {
+  source = "terraform-aws-modules/s3-bucket/aws"
+
+  bucket = "${var.prefix}-${var.bucket_name}"
+  acl    = "private"
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+
+  control_object_ownership = true
+  object_ownership         = "BucketOwnerPreferred"
+
+  server_side_encryption_configuration = {
+    rule = {
+      apply_server_side_encryption_by_default = {
+        sse_algorithm = "AES256"
+      }
+    }
+  }
+
+  tags = merge(
+    var.tags,
+    {
+      Name = "${var.prefix}${var.bucket_name}"
+    }
+  )
+}
diff --git a/terraform/modules/eks/database.tf b/terraform/modules/eks/database.tf
@@ -1,5 +1,6 @@
 module "database" {
-  source = "terraform-aws-modules/rds/aws"
+  source  = "terraform-aws-modules/rds/aws"
+  version = "5.9.0"
 
   count = var.create_postgres ? 1 : 0
 
diff --git a/terraform/modules/eks/outputs.tf b/terraform/modules/eks/outputs.tf
@@ -47,3 +47,7 @@ output "postgres_host" {
 output "filesystem_id" {
   value = module.efs[0].id
 }
+
+output "bucket" {
+  value = module.s3_bucket.s3_bucket_id
+}
diff --git a/terraform/modules/eks/vars.tf b/terraform/modules/eks/vars.tf

Original file line number	Diff line number	Diff line change
`@@ -48,3 +48,7 @@ output "postgres_host" {`
`48`	`48`	`output "filesystem_id" {`
`49`	`49`	`value = module.eks.filesystem_id`
`50`	`50`	`}`
	`51`	`+`
	`52`	`+output "bucket" {`
	`53`	`+ value = module.eks.bucket`
	`54`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,7 @@`
`1`	`1`	`locals {`
`2`		`- project_id = ""`
`3`		`- region = "us-east1"`
	`2`	`+ project_id = ""`
	`3`	`+ region = "us-east1"`
	`4`	`+ polytomic_bucket = "polytomic"`
`4`	`5`	`}`
`5`	`6`
`6`	`7`	`provider "google" {`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+output "polytomic_role_arn" {`
	`2`	`+ value = module.polytomic_role.iam_role_arn`
	`3`	`+}`