From 67c4c710f0d3bc74992f8f3e4a0129eddd4c1d19 Mon Sep 17 00:00:00 2001 From: Justin Brooks Date: Sat, 21 Oct 2023 02:40:20 -0400 Subject: [PATCH] feat: external dns --- main.tf | 34 +++++++++++++++++-- .../external_dns/AllowExternalDNSUpdates.json | 19 +++++++++++ modules/app_eks/external_dns/external_dns.tf | 32 +++++++++++++++++ modules/app_eks/external_dns/iam.tf | 32 +++++++++++++++++ modules/app_eks/external_dns/variables.tf | 14 ++++++++ modules/app_eks/lb_controller/iam.tf | 6 ++-- modules/app_eks/lb_controller/oidc.tf | 9 ----- modules/app_eks/lb_controller/variables.tf | 7 ++-- modules/app_eks/main.tf | 25 ++++++++++++-- modules/app_eks/variables.tf | 4 +++ modules/database/output.tf | 6 +++- modules/redis/outputs.tf | 10 +++++- 12 files changed, 177 insertions(+), 21 deletions(-) create mode 100644 modules/app_eks/external_dns/AllowExternalDNSUpdates.json create mode 100644 modules/app_eks/external_dns/external_dns.tf create mode 100644 modules/app_eks/external_dns/iam.tf create mode 100644 modules/app_eks/external_dns/variables.tf delete mode 100644 modules/app_eks/lb_controller/oidc.tf diff --git a/main.tf b/main.tf index 14187d44..4cb49865 100644 --- a/main.tf +++ b/main.tf @@ -115,6 +115,8 @@ locals { module "app_eks" { source = "./modules/app_eks" + fqdn = local.fqdn + namespace = var.namespace kms_key_arn = local.kms_key_arn 
@@ -200,17 +202,43 @@ module "redis" { # global = { # host = local.url # license = var.license + +# bucket = { +# provider = "s3" +# name = local.bucket_name +# region = data.aws_s3_bucket.file_storage.region +# kmsKey = local.kms_key_arn +# } + +# mysql = { +# host = module.database.endpoint +# password = module.database.password +# username = module.database.username +# database = module.database.database_name +# port = module.database.port +# } + +# redis = { +# host = module.redis.0.host +# port = "${module.redis.0.port}?tls=true" +# } # } # ingress = { # class = "alb" # annotations = { -# "alb.ingress.kubernetes.io/scheme" = "internet-facing" -# "alb.ingress.kubernetes.io/target-type" = "ip" -# # "app.kubernetes.io/instance" = "${var.namespace}-lb-2" +# "alb.ingress.kubernetes.io/load-balancer-name" = "${var.namespace}-alb-k8s" +# "alb.ingress.kubernetes.io/inbound-cidrs" = "0.0.0.0/0" +# "alb.ingress.kubernetes.io/scheme" = "internet-facing" +# "alb.ingress.kubernetes.io/target-type" = "ip" +# "alb.ingress.kubernetes.io/listen-ports" = "[{\\\"HTTPS\\\": 443}]" +# "alb.ingress.kubernetes.io/certificate-arn" = local.acm_certificate_arn # } # } + +# mysql = { install = false } +# redis = { install = false } # } # } # } diff --git a/modules/app_eks/external_dns/AllowExternalDNSUpdates.json b/modules/app_eks/external_dns/AllowExternalDNSUpdates.json new file mode 100644 index 00000000..93553544 --- /dev/null +++ b/modules/app_eks/external_dns/AllowExternalDNSUpdates.json @@ -0,0 +1,19 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": ["route53:ChangeResourceRecordSets"], + "Resource": ["arn:aws:route53:::hostedzone/*"] + }, + { + "Effect": "Allow", + "Action": [ + "route53:ListHostedZones", + "route53:ListResourceRecordSets", + "route53:ListTagsForResource" + ], + "Resource": ["*"] + } + ] +} 
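Review bot: The first statement grants `route53:ChangeResourceRecordSets` on `arn:aws:route53:::hostedzone/*`, i.e. write access to every hosted zone in the account, while the controller itself is only narrowed by the client-side `domainFilters` value set in external_dns.tf. A misconfigured or compromised external-dns pod could therefore rewrite records in any other zone the account owns, so the role should be limited to the zone that serves the configured FQDN, e.g. `"Resource": ["arn:aws:route53:::hostedzone/<HOSTED_ZONE_ID>"]` (placeholder). Because this is a static file, that means either rendering it with `templatefile()` from a `hosted_zone_id` variable or expressing the policy as an `aws_iam_policy_document` next to the trust policy in iam.tf. The `"Resource": ["*"]` on the second statement is expected at least for `route53:ListHostedZones`, which accepts no resource-level restriction.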
diff --git a/modules/app_eks/external_dns/external_dns.tf b/modules/app_eks/external_dns/external_dns.tf new file mode 100644 index 00000000..15f826ae --- /dev/null +++ b/modules/app_eks/external_dns/external_dns.tf @@ -0,0 +1,32 @@ +resource "helm_release" "external_dns" { + name = "external-dns" + namespace = "kube-system" + chart = "external-dns" + version = "1.13.1" + repository = "https://kubernetes-sigs.github.io/external-dns" + + set { + name = "rbac.create" + value = "true" + } + + set { + name = "serviceAccount.create" + value = "true" + } + + set { + name = "serviceAccount.name" + value = "external-dns" + } + + set { + name = "domainFilters[0]" + value = var.fqdn + } + + set { + name = "serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn" + value = aws_iam_role.default.arn + } +} \ No newline at end of file diff --git a/modules/app_eks/external_dns/iam.tf b/modules/app_eks/external_dns/iam.tf new file mode 100644 index 00000000..50cb5927 --- /dev/null +++ b/modules/app_eks/external_dns/iam.tf @@ -0,0 +1,32 @@ +data "aws_iam_policy_document" "default" { + statement { + actions = ["sts:AssumeRoleWithWebIdentity"] + effect = "Allow" + + condition { + test = "StringEquals" + variable = "${replace(var.oidc_provider.url, "https://", "")}:sub" + values = ["system:serviceaccount:kube-system:external-dns"] + } + + principals { + identifiers = [var.oidc_provider.arn] + type = "Federated" + } + } +} + +resource "aws_iam_role" "default" { + assume_role_policy = data.aws_iam_policy_document.default.json + name = "${var.namespace}-external-dns" +} + +resource "aws_iam_policy" "default" { + policy = file("${path.module}/AllowExternalDNSUpdates.json") + name = "${var.namespace}-AllowExternalDNSUpdates" +} + +resource "aws_iam_role_policy_attachment" "default" { + role = aws_iam_role.default.name + policy_arn = aws_iam_policy.default.arn +} 
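Review bot: The release never sets `txtOwnerId`, so the TXT ownership records fall back to the chart's default owner id, and a second deployment of this module (the `${var.namespace}-` prefixes elsewhere in the patch suggest several per account) pointed at the same zone would treat the other instance's records as its own and could update or delete them. Add a `set` block with `name = "txtOwnerId"` and `value = var.namespace` next to the `domainFilters[0]` entry so each instance only manages records it created. It is also worth pinning `policy` explicitly (the chart default is `upsert-only`, I believe, which never deletes records, whereas `sync` does) rather than relying on the chart default, since the role this release assumes can change records in every hosted zone. A one-line comment above the block noting that `domainFilters[0]` restricts the controller to `var.fqdn` and its subdomains would help the next reader.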
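Review bot: The trust policy in `data "aws_iam_policy_document" "default"` conditions only on the `:sub` claim; AWS's IRSA guidance also pins the `:aud` claim to `sts.amazonaws.com` so that a token issued by the same OIDC provider for a different audience cannot be used to assume this role. Add a second `condition` block alongside the existing one, as below; the same gap exists in the trust policy of modules/app_eks/lb_controller/iam.tf, which this commit also touches. The `kube-system` / `external-dns` parts of `values` must stay in step with the `namespace` and `serviceAccount.name` set in external_dns.tf, so a comment such as `# must match serviceAccount.name and namespace in external_dns.tf` on the `values` line would prevent a silent break when one side is renamed.
```hcl
    condition {
      test     = "StringEquals"
      variable = "${replace(var.oidc_provider.url, "https://", "")}:sub"
      values   = ["system:serviceaccount:kube-system:external-dns"]
    }

    # Pin the audience as well, per AWS IRSA guidance.
    condition {
      test     = "StringEquals"
      variable = "${replace(var.oidc_provider.url, "https://", "")}:aud"
      values   = ["sts.amazonaws.com"]
    }
    # … unchanged: principals block …
```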
diff --git a/modules/app_eks/external_dns/variables.tf b/modules/app_eks/external_dns/variables.tf new file mode 100644 index 00000000..4e33cb7f --- /dev/null +++ b/modules/app_eks/external_dns/variables.tf @@ -0,0 +1,14 @@ +variable "namespace" { + type = string +} + +variable "oidc_provider" { + type = object({ + arn = string + url = string + }) +} + +variable "fqdn" { + type = string +} diff --git a/modules/app_eks/lb_controller/iam.tf b/modules/app_eks/lb_controller/iam.tf index b33c1ac2..c6186fb2 100644 --- a/modules/app_eks/lb_controller/iam.tf +++ b/modules/app_eks/lb_controller/iam.tf @@ -5,12 +5,12 @@ data "aws_iam_policy_document" "default" { condition { test = "StringEquals" - variable = "${replace(aws_iam_openid_connect_provider.eks.url, "https://", "")}:sub" + variable = "${replace(var.oidc_provider.url, "https://", "")}:sub" values = ["system:serviceaccount:kube-system:aws-load-balancer-controller"] } principals { - identifiers = [aws_iam_openid_connect_provider.eks.arn] + identifiers = [var.oidc_provider.arn] type = "Federated" } } @@ -18,7 +18,7 @@ data "aws_iam_policy_document" "default" { resource "aws_iam_role" "default" { assume_role_policy = data.aws_iam_policy_document.default.json - name = "aws-load-balancer-controller" + name = "${var.namespace}-aws-lb-controller" } resource "aws_iam_policy" "default" { diff --git a/modules/app_eks/lb_controller/oidc.tf b/modules/app_eks/lb_controller/oidc.tf deleted file mode 100644 index 7dabf896..00000000 --- a/modules/app_eks/lb_controller/oidc.tf +++ /dev/null @@ -1,9 +0,0 @@ -data "tls_certificate" "eks" { - url = var.oidc_issuer -} - -resource "aws_iam_openid_connect_provider" "eks" { - client_id_list = ["sts.amazonaws.com"] - thumbprint_list = [data.tls_certificate.eks.certificates[0].sha1_fingerprint] - url = var.oidc_issuer -} diff --git a/modules/app_eks/lb_controller/variables.tf b/modules/app_eks/lb_controller/variables.tf index 76835b39..be3e27a4 100644 
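Review bot: None of the three new variables carries a `description`, so a reader of the module has to open external_dns.tf and iam.tf to learn that `fqdn` becomes the external-dns domain filter and that `oidc_provider` must be the cluster's IAM OIDC provider object rather than the raw issuer URL the lb_controller module used to take. Adding e.g. `description = "Domain suffix external-dns is allowed to manage; used as domainFilters[0]"` to `fqdn` and a similar sentence on `oidc_provider` makes the contract visible without reading the implementation. The same applies to the new `fqdn` variable in modules/app_eks/variables.tf later in this patch.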
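Review bot: Changing `name` on `aws_iam_role.default` from `aws-load-balancer-controller` to `${var.namespace}-aws-lb-controller` forces Terraform to replace the role, and with the default ordering the old role is destroyed before the new one exists, so the load balancer controller may briefly have no assumable role and the policy attachment is recreated as well. Because the new name differs from the old one, `lifecycle { create_before_destroy = true }` on the role is safe here and closes that window; at minimum the replacement deserves a mention in the commit description. The `aws_iam_policy` resource that follows continues past the end of the hunk.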
--- a/modules/app_eks/lb_controller/variables.tf +++ b/modules/app_eks/lb_controller/variables.tf @@ -2,6 +2,9 @@ variable "namespace" { type = string } -variable "oidc_issuer" { - type = string +variable "oidc_provider" { + type = object({ + arn = string + url = string + }) } diff --git a/modules/app_eks/main.tf b/modules/app_eks/main.tf index bfeb6853..161a27b7 100644 --- a/modules/app_eks/main.tf +++ b/modules/app_eks/main.tf @@ -121,11 +121,32 @@ resource "aws_security_group_rule" "elasticache" { type = "ingress" } +data "tls_certificate" "eks" { + url = module.eks.cluster_oidc_issuer_url +} + +resource "aws_iam_openid_connect_provider" "eks" { + client_id_list = ["sts.amazonaws.com"] + thumbprint_list = [data.tls_certificate.eks.certificates[0].sha1_fingerprint] + url = module.eks.cluster_oidc_issuer_url +} + module "lb_controller" { source = "./lb_controller" - namespace = "namespace" - oidc_issuer = module.eks.cluster_oidc_issuer_url + namespace = var.namespace + oidc_provider = aws_iam_openid_connect_provider.eks + + depends_on = [module.eks] +} + +module "external_dns" { + source = "./external_dns" + + namespace = var.namespace + oidc_provider = aws_iam_openid_connect_provider.eks + fqdn = var.fqdn + depends_on = [module.eks] } diff --git a/modules/app_eks/variables.tf b/modules/app_eks/variables.tf index a1736ccf..35ef7701 100644 --- a/modules/app_eks/variables.tf +++ b/modules/app_eks/variables.tf @@ -8,6 +8,10 @@ variable "bucket_kms_key_arn" { type = string } +variable "fqdn" { + type = string +} + variable "bucket_sqs_queue_arn" { default = "" type = string diff --git a/modules/database/output.tf b/modules/database/output.tf index a950db26..e597073d 100644 --- a/modules/database/output.tf +++ b/modules/database/output.tf 
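Review bot: `depends_on = [module.eks]` on `module "lb_controller"` and the new `module "external_dns"` is redundant and has a cost: every input already flows through `aws_iam_openid_connect_provider.eks`, which itself reads `module.eks.cluster_oidc_issuer_url`, so the ordering is implied, while an explicit module-level `depends_on` tends to defer every data source inside those modules (including the `aws_iam_policy_document` trust policies) to apply time and yields "known after apply" plans. Dropping both lines keeps the ordering and restores plan-time evaluation. If the explicit edge is intentional, for example to wait for cluster add-ons before the Helm releases, a short comment stating that reason would stop the next person from removing it.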
@@ -31,4 +31,8 @@ output "connection_string_reader" { output "security_group_id" { description = "The security group ID of the cluster" value = module.aurora.security_group_id -} \ No newline at end of file +} + +output "port" { + value = module.aurora.cluster_port +} diff --git a/modules/redis/outputs.tf b/modules/redis/outputs.tf index 8089742b..61dba224 100644 --- a/modules/redis/outputs.tf +++ b/modules/redis/outputs.tf @@ -4,4 +4,12 @@ output "connection_string" { output "security_group_id" { value = aws_security_group.redis.id -} \ No newline at end of file +} + +output "host" { + value = aws_elasticache_replication_group.default.primary_endpoint_address +} + +output "port" { + value = aws_elasticache_replication_group.default.port +}
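Review bot: The new `port` output has no `description`, unlike `security_group_id` directly above it, and the same is true of the `host` and `port` outputs added to modules/redis/outputs.tf in the next hunk. `description = "Port the Aurora cluster listens on"` here, and on the Redis side a note that `host` is the replication group's primary endpoint only, keeps the outputs self-documenting for the root module that will consume them.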