PLAT-8122 Adds use_fips_endpoint var. (#233)

.pre-commit-config.yaml

@@ -19,58 +19,58 @@ repos:
       - id: check-dependabot
       - id: check-github-actions
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.86.0
+    rev: v1.88.4
     hooks:
       - id: terraform_validate
         # See #4 on https://github.com/antonbabenko/pre-commit-terraform#terraform_validate
         exclude: (modules/eks/[^/]+$|modules/infra/submodules/cost-usage-report)
         args:
-          - "--hook-config=--retry-once-with-cleanup=true"
+          - '--hook-config=--retry-once-with-cleanup=true'
       - id: terraform_providers_lock
         args:
           - --tf-init-args=-upgrade
       - id: terraform_docs
         args:
-          - "--args=--lockfile=false"
-          - "--hook-config=--path-to-file=README.md"
-          - "--hook-config=--add-to-existing-file=true"
-          - "--hook-config=--create-file-if-not-exist=true"
-          - "--hook-config=--recursive.enabled=true"
-          - "--hook-config=--recursive.path=submodules"
+          - '--args=--lockfile=false'
+          - '--hook-config=--path-to-file=README.md'
+          - '--hook-config=--add-to-existing-file=true'
+          - '--hook-config=--create-file-if-not-exist=true'
+          - '--hook-config=--recursive.enabled=true'
+          - '--hook-config=--recursive.path=submodules'
       - id: terraform_fmt
       - id: terraform_tflint
         args:
-          - "--args=--config=__GIT_WORKING_DIR__/.tflint.hcl"
-          - "--args=--only=terraform_deprecated_interpolation"
-          - "--args=--only=terraform_deprecated_index"
-          - "--args=--only=terraform_unused_declarations"
-          - "--args=--only=terraform_comment_syntax"
-          - "--args=--only=terraform_documented_outputs"
-          - "--args=--only=terraform_documented_variables"
-          - "--args=--only=terraform_typed_variables"
-          - "--args=--only=terraform_module_pinned_source"
-          - "--args=--only=terraform_naming_convention"
-          - "--args=--only=terraform_required_version"
-          - "--args=--only=terraform_required_providers"
-          - "--args=--only=terraform_standard_module_structure"
-          - "--args=--only=terraform_workspace_remote"
-          - "--args=--enable-rule=aws_iam_policy_document_gov_friendly_arns"
-          - "--args=--enable-rule=aws_iam_policy_gov_friendly_arns"
-          - "--args=--enable-rule=aws_iam_role_policy_gov_friendly_arns"
+          - '--args=--config=__GIT_WORKING_DIR__/.tflint.hcl'
+          - '--args=--only=terraform_deprecated_interpolation'
+          - '--args=--only=terraform_deprecated_index'
+          - '--args=--only=terraform_unused_declarations'
+          - '--args=--only=terraform_comment_syntax'
+          - '--args=--only=terraform_documented_outputs'
+          - '--args=--only=terraform_documented_variables'
+          - '--args=--only=terraform_typed_variables'
+          - '--args=--only=terraform_module_pinned_source'
+          - '--args=--only=terraform_naming_convention'
+          - '--args=--only=terraform_required_version'
+          - '--args=--only=terraform_required_providers'
+          - '--args=--only=terraform_standard_module_structure'
+          - '--args=--only=terraform_workspace_remote'
+          - '--args=--enable-rule=aws_iam_policy_document_gov_friendly_arns'
+          - '--args=--enable-rule=aws_iam_policy_gov_friendly_arns'
+          - '--args=--enable-rule=aws_iam_role_policy_gov_friendly_arns'
       - id: terraform_checkov
         args:
-          - "--args=--compact"
-          - "--args=--quiet"
-          - "--args=--skip-check CKV_CIRCLECIPIPELINES_2,CKV_CIRCLECIPIPELINES_6,CKV2_AWS_11,CKV2_AWS_12,CKV2_AWS_6,CKV_AWS_109,CKV_AWS_111,CKV_AWS_135,CKV_AWS_144,CKV_AWS_145,CKV_AWS_158,CKV_AWS_18,CKV_AWS_184,CKV_AWS_19,CKV_AWS_21,CKV_AWS_66,CKV_AWS_88,CKV2_GHA_1,CKV_AWS_163,CKV_AWS_39,CKV_AWS_38,CKV2_AWS_61,CKV2_AWS_62,CKV_AWS_136,CKV_AWS_329,CKV_AWS_338,CKV_AWS_339,CKV_AWS_341,CKV_AWS_356,CKV2_AWS_19,CKV2_AWS_5,CKV_AWS_150,CKV_AWS_123,CKV2_AWS_65"
+          - '--args=--compact'
+          - '--args=--quiet'
+          - '--args=--skip-check CKV_CIRCLECIPIPELINES_2,CKV_CIRCLECIPIPELINES_6,CKV2_AWS_11,CKV2_AWS_12,CKV2_AWS_6,CKV_AWS_109,CKV_AWS_111,CKV_AWS_135,CKV_AWS_144,CKV_AWS_145,CKV_AWS_158,CKV_AWS_18,CKV_AWS_184,CKV_AWS_19,CKV_AWS_21,CKV_AWS_66,CKV_AWS_88,CKV2_GHA_1,CKV_AWS_163,CKV_AWS_39,CKV_AWS_38,CKV2_AWS_61,CKV2_AWS_62,CKV_AWS_136,CKV_AWS_329,CKV_AWS_338,CKV_AWS_339,CKV_AWS_341,CKV_AWS_356,CKV2_AWS_19,CKV2_AWS_5,CKV_AWS_150,CKV_AWS_123,CKV2_AWS_65'
       - id: terraform_trivy
         args:
-          - "--args=--severity=HIGH,CRITICAL"
-          - "--args=--ignorefile=__GIT_WORKING_DIR__/.trivyignore"
-          - "--args=--exit-code=1"
+          - '--args=--severity=HIGH,CRITICAL'
+          - '--args=--ignorefile=__GIT_WORKING_DIR__/.trivyignore'
+          - '--args=--exit-code=1'
   - repo: local
     hooks:
       - id: check_aws_partition
         name: Check for hard coded AWS partition
         entry: ./bin/pre-commit/check-aws-partition.sh
         language: script
-        exclude: "^(bin|examples)"
+        exclude: '^(bin|examples)'

examples/deploy/terraform/cluster.tfvars

@@ -18,3 +18,5 @@ eks = {
   vpc_cni            = null
 }
 kms_info = null
+
+use_fips_endpoint = false

examples/deploy/terraform/cluster/README.md

@@ -37,9 +37,10 @@
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_eks"></a> [eks](#input\_eks) | service\_ipv4\_cidr = CIDR for EKS cluster kubernetes\_network\_config.<br>    creation\_role\_name = Name of the role to import.<br>    k8s\_version = EKS cluster k8s version.<br>    kubeconfig = {<br>      extra\_args = Optional extra args when generating kubeconfig.<br>      path       = Fully qualified path name to write the kubeconfig file.<br>    }<br>    public\_access = {<br>      enabled = Enable EKS API public endpoint.<br>      cidrs   = List of CIDR ranges permitted for accessing the EKS public endpoint.<br>    }<br>    Custom role maps for aws auth configmap<br>    custom\_role\_maps = {<br>      rolearn  = string<br>      username = string<br>      groups   = list(string)<br>    }<br>    master\_role\_names  = IAM role names to be added as masters in eks.<br>    cluster\_addons     = EKS cluster addons. vpc-cni is installed separately.<br>    vpc\_cni            = Configuration for AWS VPC CNI<br>    ssm\_log\_group\_name = CloudWatch log group to send the SSM session logs to.<br>    identity\_providers = Configuration for IDP(Identity Provider).<br>  } | <pre>object({<br>    service_ipv4_cidr  = optional(string)<br>    creation_role_name = optional(string, null)<br>    k8s_version        = optional(string)<br>    kubeconfig = optional(object({<br>      extra_args = optional(string)<br>      path       = optional(string)<br>    }), {})<br>    public_access = optional(object({<br>      enabled = optional(bool)<br>      cidrs   = optional(list(string))<br>    }), {})<br>    custom_role_maps = optional(list(object({<br>      rolearn  = string<br>      username = string<br>      groups   = list(string)<br>    })))<br>    master_role_names  = optional(list(string))<br>    cluster_addons     = optional(list(string))<br>    ssm_log_group_name = optional(string)<br>    vpc_cni = optional(object({<br>      prefix_delegation = optional(bool)<br>      annotate_pod_ip   = optional(bool)<br>    }))<br>    identity_providers = optional(list(object({<br>      client_id                     = string<br>      groups_claim                  = optional(string)<br>      groups_prefix                 = optional(string)<br>      identity_provider_config_name = string<br>      issuer_url                    = optional(string)<br>      required_claims               = optional(string)<br>      username_claim                = optional(string)<br>      username_prefix               = optional(string)<br>    })))<br>  })</pre> | `{}` | no |
-| <a name="input_irsa_external_dns"></a> [irsa\_external\_dns](#input\_irsa\_external\_dns) | Mappings for custom IRSA configurations. | <pre>object({<br>    enabled             = optional(bool, false)<br>    hosted_zone_name    = optional(string, null)<br>    namespace           = optional(string, null)<br>    serviceaccount_name = optional(string, null)<br>  })</pre> | `{}` | no |
+| <a name="input_irsa_external_dns"></a> [irsa\_external\_dns](#input\_irsa\_external\_dns) | Mappings for custom IRSA configurations. | <pre>object({<br>    enabled             = optional(bool, false)<br>    hosted_zone_name    = optional(string, null)<br>    namespace           = optional(string, null)<br>    serviceaccount_name = optional(string, null)<br>    rm_role_policy = optional(object({<br>      remove           = optional(bool, false)<br>      detach_from_role = optional(bool, false)<br>      policy_name      = optional(string, "")<br>    }), {})<br>  })</pre> | `{}` | no |
 | <a name="input_irsa_policies"></a> [irsa\_policies](#input\_irsa\_policies) | Mappings for custom IRSA configurations. | <pre>list(object({<br>    name                = string<br>    namespace           = string<br>    serviceaccount_name = string<br>    policy              = string #json<br>  }))</pre> | `[]` | no |
 | <a name="input_kms_info"></a> [kms\_info](#input\_kms\_info) | Overrides the KMS key information. Meant for migrated configurations.<br>    {<br>      key\_id  = KMS key id.<br>      key\_arn = KMS key arn.<br>      enabled = KMS key is enabled.<br>    } | <pre>object({<br>    key_id  = string<br>    key_arn = string<br>    enabled = bool<br>  })</pre> | `null` | no |
+| <a name="input_use_fips_endpoint"></a> [use\_fips\_endpoint](#input\_use\_fips\_endpoint) | Use aws FIPS endpoints | `bool` | `false` | no |
 
 ## Outputs
 

examples/deploy/terraform/cluster/main.tf

@@ -26,6 +26,7 @@ module "eks" {
   create_eks_role_arn = local.infra.create_eks_role_arn
   tags                = local.infra.tags
   ignore_tags         = local.infra.ignore_tags
+  use_fips_endpoint   = var.use_fips_endpoint
 }
 
 data "aws_caller_identity" "global" {
@@ -39,12 +40,16 @@ locals {
   is_eks_account_same = data.aws_caller_identity.this.account_id == data.aws_caller_identity.global.account_id
 }
 
+moved {
+  from = module.irsa_external_dns[0]
+  to   = module.irsa_external_dns
+}
+
 # If you are enabling the IRSA configuration for external-dns.
 # You will need to add the role created(module.irsa_external_dns.irsa_role) to
 # the following annotation to the `external-dns` service account:
 # `eks.amazonaws.com/role-arn: <<module.irsa_external_dns.irsa_role>>`
 module "irsa_external_dns" {
-  count               = var.irsa_external_dns != null && var.irsa_external_dns.enabled ? 1 : 0
   source              = "./../../../../modules/irsa"
   use_cluster_odc_idp = local.is_eks_account_same
   eks_info            = module.eks.info
@@ -55,8 +60,12 @@ module "irsa_external_dns" {
   }
 }
 
+moved {
+  from = module.irsa_policies[0]
+  to   = module.irsa_policies
+}
+
 module "irsa_policies" {
-  count                   = var.irsa_policies != null ? 1 : 0
   source                  = "./../../../../modules/irsa"
   use_cluster_odc_idp     = true
   eks_info                = module.eks.info
@@ -73,13 +82,15 @@ provider "aws" {
   ignore_tags {
     keys = local.infra.ignore_tags
   }
+  use_fips_endpoint = var.use_fips_endpoint
 }
 
 provider "aws" {
   region = local.infra.region
   ignore_tags {
     keys = local.infra.ignore_tags
   }
+  use_fips_endpoint = var.use_fips_endpoint
 }
 terraform {
   required_version = ">= 1.4.0"

examples/deploy/terraform/cluster/variables.tf

@@ -102,7 +102,18 @@ variable "irsa_external_dns" {
     hosted_zone_name    = optional(string, null)
     namespace           = optional(string, null)
     serviceaccount_name = optional(string, null)
+    rm_role_policy = optional(object({
+      remove           = optional(bool, false)
+      detach_from_role = optional(bool, false)
+      policy_name      = optional(string, "")
+    }), {})
   })
 
   default = {}
 }
+
+variable "use_fips_endpoint" {
+  description = "Use aws FIPS endpoints"
+  type        = bool
+  default     = false
+}

examples/deploy/terraform/infra.tfvars

@@ -69,3 +69,5 @@ tags = null
 domino_cur = {
   provision_cost_usage_report = false
 }
+
+use_fips_endpoint = false

examples/deploy/terraform/infra/README.md

@@ -39,6 +39,7 @@ No resources.
 | <a name="input_ssh_pvt_key_path"></a> [ssh\_pvt\_key\_path](#input\_ssh\_pvt\_key\_path) | SSH private key filepath. | `string` | n/a | yes |
 | <a name="input_storage"></a> [storage](#input\_storage) | storage = {<br>      efs = {<br>        access\_point\_path = Filesystem path for efs.<br>        backup\_vault = {<br>          create        = Create backup vault for EFS toggle.<br>          force\_destroy = Toggle to allow automatic destruction of all backups when destroying.<br>          backup = {<br>            schedule           = Cron-style schedule for EFS backup vault (default: once a day at 12pm).<br>            cold\_storage\_after = Move backup data to cold storage after this many days.<br>            delete\_after       = Delete backup data after this many days.<br>          }<br>        }<br>      }<br>      s3 = {<br>        force\_destroy\_on\_deletion = Toogle to allow recursive deletion of all objects in the s3 buckets. if 'false' terraform will NOT be able to delete non-empty buckets.<br>      }<br>      ecr = {<br>        force\_destroy\_on\_deletion = Toogle to allow recursive deletion of all objects in the ECR repositories. if 'false' terraform will NOT be able to delete non-empty repositories.<br>      }<br>    }<br>  } | <pre>object({<br>    efs = optional(object({<br>      access_point_path = optional(string, "/domino")<br>      backup_vault = optional(object({<br>        create        = optional(bool, true)<br>        force_destroy = optional(bool, true)<br>        backup = optional(object({<br>          schedule           = optional(string, "0 12 * * ? *")<br>          cold_storage_after = optional(number, 35)<br>          delete_after       = optional(number, 125)<br>        }), {})<br>      }), {})<br>    }), {})<br>    s3 = optional(object({<br>      force_destroy_on_deletion = optional(bool, true)<br>    }), {})<br>    ecr = optional(object({<br>      force_destroy_on_deletion = optional(bool, true)<br>    }), {})<br>  })</pre> | `{}` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Deployment tags. | `map(string)` | n/a | yes |
+| <a name="input_use_fips_endpoint"></a> [use\_fips\_endpoint](#input\_use\_fips\_endpoint) | Use aws FIPS endpoints | `bool` | `false` | no |
 
 ## Outputs
 

examples/deploy/terraform/infra/main.tf

@@ -6,15 +6,16 @@ module "infra" {
   bastion                = var.bastion
   default_node_groups    = var.default_node_groups
 
-  network          = var.network
-  eks              = var.eks
-  kms              = var.kms
-  storage          = var.storage
-  region           = var.region
-  ssh_pvt_key_path = var.ssh_pvt_key_path
-  tags             = var.tags
-  ignore_tags      = var.ignore_tags
-  domino_cur       = var.domino_cur
+  network           = var.network
+  eks               = var.eks
+  kms               = var.kms
+  storage           = var.storage
+  region            = var.region
+  ssh_pvt_key_path  = var.ssh_pvt_key_path
+  tags              = var.tags
+  ignore_tags       = var.ignore_tags
+  domino_cur        = var.domino_cur
+  use_fips_endpoint = var.use_fips_endpoint
 }
 
 
@@ -24,6 +25,7 @@ provider "aws" {
   ignore_tags {
     keys = var.ignore_tags
   }
+  use_fips_endpoint = var.use_fips_endpoint
 }
 
 terraform {

examples/deploy/terraform/infra/variables.tf

@@ -361,3 +361,9 @@ variable "domino_cur" {
 
   default = {}
 }
+
+variable "use_fips_endpoint" {
+  description = "Use aws FIPS endpoints"
+  type        = bool
+  default     = false
+}

examples/deploy/terraform/nodes.tfvars

@@ -11,3 +11,5 @@ default_node_groups = {
     availability_zone_ids = ["usw2-az1", "usw2-az2"]
   }
 }
+
+use_fips_endpoint = false