diff --git a/iam.tf b/iam.tf
index 9dc78529..05c7d404 100644
--- a/iam.tf
+++ b/iam.tf
@@ -27,13 +27,13 @@ data "aws_iam_policy_document" "route53" {
 resource "aws_iam_policy" "route53" {
 count = var.route53_hosted_zone_name != "" ? 1 : 0
- name = "${var.deploy_id}-Route53"
+ name = "${var.deploy_id}-route53"
 path = "/"
 policy = data.aws_iam_policy_document.route53[0].json
 }
 resource "aws_iam_role_policy_attachment" "route53" {
- for_each = var.route53_hosted_zone_name != "" ? toset([for r in module.eks.eks_node_roles : r.name]) : []
+ count = var.route53_hosted_zone_name != "" ? length(module.eks.eks_node_roles) : 0
 policy_arn = aws_iam_policy.route53[0].arn
- role = each.value
+ role = lookup(module.eks.eks_node_roles[count.index], "name")
 }
diff --git a/main.tf b/main.tf
index d3e4cc2f..eadaa158 100644
--- a/main.tf
+++ b/main.tf
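Review bot: Keying the attachment by `count.index` ties each attachment to a position in `module.eks.eks_node_roles`, so any reordering or removal of a node role shifts the indices and Terraform can destroy and recreate attachments for roles that did not change, leaving those nodes briefly without the Route53 policy; the previous `for_each` keyed by role name avoided that churn. The rename from `-Route53` to `-route53` also forces replacement of `aws_iam_policy.route53` (`name` is immutable on that resource type), and no `create_before_destroy` is visible on it, so the attachments that reference `aws_iam_policy.route53[0].arn` are torn down during the same apply. If `count` was chosen because the role names are not known at plan time, record that, e.g. `# count rather than for_each: node role names are only known after apply`, and consider `lifecycle { create_before_destroy = true }` on the policy so the attachment window is minimised. `lookup(..., "name")` has no default, so an element without a `name` key fails the plan rather than silently attaching nothing, which is fine but worth a short comment.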
@@ -124,20 +124,21 @@ module "bastion" {
 }
 module "eks" {
- source = "./submodules/eks"
- deploy_id = var.deploy_id
- region = var.region
- k8s_version = var.k8s_version
- vpc_id = local.vpc_id
- private_subnets = local.private_subnets
- ssh_pvt_key_path = aws_key_pair.domino.key_name
- bastion_security_group_id = try(module.bastion[0].security_group_id, "")
- create_bastion_sg = var.bastion != null
- kubeconfig_path = local.kubeconfig_path
- default_node_groups = var.default_node_groups
- additional_node_groups = var.additional_node_groups
- node_iam_policies = [module.storage.s3_policy]
- efs_security_group = module.storage.efs_security_group
+ source = "./submodules/eks"
+ deploy_id = var.deploy_id
+ region = var.region
+ k8s_version = var.k8s_version
+ vpc_id = local.vpc_id
+ private_subnets = local.private_subnets
+ ssh_pvt_key_path = aws_key_pair.domino.key_name
+ bastion_security_group_id = try(module.bastion[0].security_group_id, "")
+ create_bastion_sg = var.bastion != null
+ kubeconfig_path = local.kubeconfig_path
+ default_node_groups = var.default_node_groups
+ additional_node_groups = var.additional_node_groups
+ node_iam_policies = [module.storage.s3_policy]
+ efs_security_group = module.storage.efs_security_group
+ update_kubeconfig_extra_args = var.update_kubeconfig_extra_args
 depends_on = [
 module.network
diff --git a/submodules/bastion/main.tf b/submodules/bastion/main.tf
index a7fb0402..6d33d95b 100644
--- a/submodules/bastion/main.tf
+++ b/submodules/bastion/main.tf
@@ -14,6 +14,7 @@ resource "aws_security_group" "bastion" {
 lifecycle {
 create_before_destroy = true
+ ignore_changes = [description]
 }
 tags = {
diff --git a/submodules/eks/cluster.tf b/submodules/eks/cluster.tf
index de5388b9..8c2471fd 100755
--- a/submodules/eks/cluster.tf
+++ b/submodules/eks/cluster.tf
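Review bot: `ignore_changes = [description]` on the bastion security group carries no explanation of why drift in that attribute is intentionally ignored, and the same applies to `ignore_changes = [description, name]` on `aws_security_group.eks_cluster` and `ignore_changes = [name]` on `aws_iam_role.eks_cluster` in the later hunks. Ignoring `name` in particular means a role or security group renamed out-of-band, or affected by a later change to `deploy_id`, is silently kept under its old name, so the configured `"${var.deploy_id}-eks"` no longer describes the real resource and `terraform plan` stops reporting that drift. Presumably the intent is to avoid forced replacement of existing resources during the renames in this commit; record that so the ignores can be revisited, e.g. `# name/description force replacement; ignored so existing deployments migrate without recreating the resource`. `aws_security_group.bastion` and the other two blocks continue outside their hunks, so any other ignored attributes are not visible here.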
@@ -46,6 +46,7 @@ resource "aws_security_group" "eks_cluster" {
 lifecycle {
 create_before_destroy = true
+ ignore_changes = [description, name]
 }
 tags = {
 "Name" = "${local.eks_cluster_name}-eks-cluster"
@@ -118,7 +119,7 @@ resource "aws_eks_addon" "this" {
 resource "null_resource" "kubeconfig" {
 provisioner "local-exec" {
 when = create
- command = "aws eks update-kubeconfig --kubeconfig ${self.triggers.kubeconfig_file} --region ${self.triggers.region} --name ${self.triggers.cluster_name} --alias ${self.triggers.cluster_name}"
+ command = "aws eks update-kubeconfig --kubeconfig ${self.triggers.kubeconfig_file} --region ${self.triggers.region} --name ${self.triggers.cluster_name} --alias ${self.triggers.cluster_name} ${var.update_kubeconfig_extra_args}"
 }
 provisioner "local-exec" {
 when = destroy
diff --git a/submodules/eks/iam.tf b/submodules/eks/iam.tf
index 5a75b300..016e64b9 100644
--- a/submodules/eks/iam.tf
+++ b/submodules/eks/iam.tf
@@ -14,6 +14,9 @@ data "aws_iam_policy_document" "eks_cluster" {
 resource "aws_iam_role" "eks_cluster" {
 name = "${var.deploy_id}-eks"
 assume_role_policy = data.aws_iam_policy_document.eks_cluster.json
+ lifecycle {
+ ignore_changes = [name]
+ }
 }
 resource "aws_iam_role_policy_attachment" "eks_cluster" {
diff --git a/submodules/eks/variables.tf b/submodules/eks/variables.tf
index a7a12dbd..a4e09fd8 100755
--- a/submodules/eks/variables.tf
+++ b/submodules/eks/variables.tf
@@ -8,6 +8,12 @@ variable "deploy_id" {
 }
 }
+variable "update_kubeconfig_extra_args" {
+ type = string
+ description = "Optional extra args when generating kubeconfig"
+ default = ""
+}
+
 variable "region" {
 type = string
 description = "AWS region for the deployment"
diff --git a/submodules/storage/s3.tf b/submodules/storage/s3.tf
index d4cb4ae4..8e2d673f 100644
--- a/submodules/storage/s3.tf
+++ b/submodules/storage/s3.tf
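Review bot: `${var.update_kubeconfig_extra_args}` is interpolated unquoted into a `local-exec` shell command in `null_resource.kubeconfig`, so the value is word-split and expanded by the shell on the machine running Terraform, and neither declaration of the variable in this commit (`submodules/eks/variables.tf` here and `variables.tf` in the last hunk) constrains it beyond `type = string` with an empty default. Whoever can set that variable, through a tfvars file or a CI variable, therefore controls part of a command that runs with the operator's AWS credentials, which is a wider contract than "optional extra args" conveys. A `validation` block that limits the value to option syntax would bound it, for example `condition = can(regex("^[-A-Za-z0-9_=:/. ]*$", var.update_kubeconfig_extra_args))` (constructed; adjust to the options actually needed), and the description should name the intended use, such as passing `--role-arn`. The other command parts are read from `self.triggers` while this one reads `var.` directly, so a later change to the variable presumably will not re-run the create-time provisioner (the `triggers` map is outside the hunk); whether that is intended deserves a comment on the resource.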
@@ -414,7 +414,7 @@ resource "aws_s3_bucket_request_payment_configuration" "buckets_payer" {
 }
 resource "aws_s3_bucket_logging" "buckets_logging" {
- for_each = { for k, v in local.s3_buckets : k => v if v.bucket_name != aws_s3_bucket.monitoring.bucket }
+ for_each = { for k, v in local.s3_buckets : k => v if k != "monitoring" }
 bucket = each.value.id
 target_bucket = aws_s3_bucket.monitoring.bucket
 target_prefix = "${each.value.bucket_name}/"
diff --git a/variables.tf b/variables.tf
index a7a27a1f..29cba13d 100755
--- a/variables.tf
+++ b/variables.tf
@@ -21,6 +21,12 @@ variable "region" {
 description = "AWS region for the deployment"
 }
+variable "update_kubeconfig_extra_args" {
+ type = string
+ description = "Optional extra args when generating kubeconfig"
+ default = ""
+}
+
 variable "number_of_azs" {
 type = number
 description = "Number of AZ to distribute the deployment, EKS needs at least 2."
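Review bot: The logging filter now relies on the literal map key, `k != "monitoring"`, instead of comparing `v.bucket_name` with `aws_s3_bucket.monitoring.bucket`, so the exclusion silently depends on `local.s3_buckets` (defined outside this hunk) spelling that key exactly `"monitoring"`; if the key ever differs, the monitoring bucket receives an `aws_s3_bucket_logging` whose `target_bucket` is itself, a self-delivery loop that AWS documentation advises against. The previous expression was self-describing, whereas the new one needs a comment beside the `for_each`, e.g. `# "monitoring" is the access-log target bucket and must not log to itself; key must match local.s3_buckets`. Presumably the change avoids a plan-time dependency on the bucket attribute, which is worth stating in that comment.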