External Deployments Module + Policy Options (#272)

.circleci/config.yml

@@ -34,6 +34,7 @@ commands:
     steps:
       - terraform/install:
           terraform_version: << parameters.terraform_version >>
+
   install_hcledit:
     description: "Install HCL edit"
     parameters:
@@ -47,54 +48,62 @@ commands:
           environment:
             HCLEDIT_VERSION: << parameters.hcledit_version >>
           command: bash ci-deploy.sh install_hcledit
+
   set_mod_source_current:
     description: "Set up module source to current branch."
     steps:
       - run:
           name: Set module source to current branch
           working_directory: tests/deploy
           command: bash ci-deploy.sh set_mod_src_circle_branch
+
   set_infra_imports:
     description: "Set up root infra module imports."
     steps:
       - run:
           name: Set root infra module imports
           working_directory: tests/deploy
           command: bash ci-deploy.sh set_infra_imports
+
   pre_upgrade_updates:
     description: "Updates necessary for upgrade."
     steps:
       - run:
           name: Manual updates
           working_directory: tests/deploy
           command: bash ci-deploy.sh pre_upgrade_updates
+
   set_cluster_imports:
     description: "Set up root cluster module imports."
     steps:
       - run:
           name: Set root cluster module imports
           working_directory: tests/deploy
           command: bash ci-deploy.sh set_cluster_imports
+
   set_nodes_imports:
     description: "Set up root nodes module imports."
     steps:
       - run:
           name: Set root nodes module imports
           working_directory: tests/deploy
           command: bash ci-deploy.sh set_nodes_imports
+
   set_mod_source_latest_rel:
     description: "Set up module source to current branch"
     steps:
       - run:
           name: Set module source to latest published release
           working_directory: tests/deploy
           command: bash ci-deploy.sh set_mod_src_latest_rel
+
   set_aws_creds:
     description: "Sets short-lived creds"
     steps:
       - aws-cli/setup:
           role-arn: "${AWS_IAM_ROLE}"
           session-duration: "900"
+
   set_tf_vars:
     description: "Sets Terraform variables"
     steps:
@@ -105,21 +114,31 @@ commands:
           name: Bootstrap terraform vars
           working_directory: tests/deploy
           command: bash ci-deploy.sh set_tf_vars
-  set_tf_mods:
+
+  setup_tf_mods:
     description: "Bootstrap modules using the CI branch"
     steps:
       - run:
           name: Bootstrap terraform module using the CI branch
           working_directory: tests/deploy
           command: bash ci-deploy.sh setup_modules_ci_branch
-  set_tf_mods_latest_rel:
+
+  setup_tf_mods_latest_rel:
     description: "Bootstrap modules using latest release"
     steps:
       - run:
           name: Bootstrap terraform module using latest release
           working_directory: tests/deploy
           command: bash ci-deploy.sh setup_modules_latest_rel
 
+  setup_tf_mods_upgrade:
+    description: "Upgrade existing modules using current branch"
+    steps:
+      - run:
+          name: Bootstrap terraform module using latest release
+          working_directory: tests/deploy
+          command: bash ci-deploy.sh setup_modules_upgrade
+
   install_helm:
     description: "Install Helm"
     parameters:
@@ -132,34 +151,39 @@ commands:
           environment:
             HELM_VERSION: << parameters.helm_version >>
           command: bash ci-deploy.sh install_helm
+
   tf_init_apply:
     description: "Terraform Init, Validate, Apply"
     steps:
       - run:
           name: Terraform init/validate/apply
           working_directory: tests/deploy
           command: bash ci-deploy.sh deploy
+
   tf_deploy_infra:
     description: "Terraform deploy Infra"
     steps:
       - run:
           name: Terraform deploy Infra
           working_directory: tests/deploy
           command: bash ci-deploy.sh deploy_infra
+
   tf_deploy_cluster:
     description: "Terraform deploy Cluster"
     steps:
       - run:
           name: Terraform deploy Cluster
           working_directory: tests/deploy
           command: bash ci-deploy.sh deploy_cluster
+
   tf_deploy_nodes:
     description: "Terraform deploy Nodes"
     steps:
       - run:
           name: Terraform deploy Nodes
           working_directory: tests/deploy
           command: bash ci-deploy.sh deploy_nodes
+
   tf_deploy_single_node:
     description: "Terraform deploy single-node"
     steps:
@@ -171,13 +195,15 @@ commands:
           name: Deploy single-node
           working_directory: tests/deploy
           command: bash ci-deploy.sh deploy_single_node
+
   tf_destroy_single_node:
     description: "Terraform destroy single-node"
     steps:
       - run:
           name: Destroy single-node
           working_directory: tests/deploy
           command: bash ci-deploy.sh destroy_single_node
+
   tf_deploy:
     description: "Terraform deploy"
     steps:
@@ -187,6 +213,7 @@ commands:
       - tf_deploy_infra
       - tf_deploy_cluster
       - tf_deploy_nodes
+
   tf_destroy:
     description: "Terraform destroy"
     steps:
@@ -195,13 +222,31 @@ commands:
           working_directory: tests/deploy
           command: bash ci-deploy.sh destroy
           when: always
+
   tf_plan_test:
     steps:
       - set_aws_creds
       - run:
           name: Terraform plan test
           working_directory: tests/plan
           command: bash tf-plan-test.sh
+
+  store_deploy_artifacts:
+    parameters:
+      path:
+        type: string
+        default: deploy
+    steps:
+      - run:
+          name: Store artifacts
+          when: always
+          command: |
+            mkdir -p /tmp/artifacts/<< parameters.path >>/{cluster,infra,nodes}
+            cp tests/deploy/deploy-test/terraform/{cluster,infra,nodes}.tfvars /tmp/artifacts/<< parameters.path >>/
+            cp tests/deploy/deploy-test/terraform/cluster/main.tf /tmp/artifacts/<< parameters.path >>/cluster/
+            cp tests/deploy/deploy-test/terraform/infra/main.tf /tmp/artifacts/<< parameters.path >>/infra/
+            cp tests/deploy/deploy-test/terraform/nodes/main.tf /tmp/artifacts/<< parameters.path >>/nodes/
+
 jobs:
   tf-plan-test:
     docker:
@@ -214,6 +259,7 @@ jobs:
       - install_tf:
           terraform_version: << parameters.terraform_version >>
       - tf_plan_test
+
   test-deploy:
     docker:
       - image: cimg/aws:2023.04.1
@@ -228,13 +274,17 @@ jobs:
           terraform_version: << parameters.terraform_version >>
       - install_helm:
           helm_version: << parameters.helm_version >>
-      - set_tf_mods
+      - setup_tf_mods
       - set_tf_vars
       - set_mod_source_current
       - tf_deploy
+      - store_deploy_artifacts
       - tf_deploy_single_node
       - tf_destroy_single_node
       - tf_destroy
+      - store_artifacts:
+          path: /tmp/artifacts/
+
   test-upgrade:
     docker:
       - image: cimg/aws:2023.04.1
@@ -251,17 +301,24 @@ jobs:
           terraform_version: << parameters.terraform_version >>
       - install_helm:
           helm_version: << parameters.helm_version >>
-      - set_tf_mods_latest_rel
+      - setup_tf_mods_latest_rel
       - set_tf_vars
       - set_mod_source_latest_rel
       - tf_deploy
+      - store_deploy_artifacts
+      - setup_tf_mods_upgrade
+      - set_tf_vars
       - set_mod_source_current
       - pre_upgrade_updates
       - set_infra_imports
       - set_cluster_imports
       - set_nodes_imports
       - tf_deploy
+      - store_deploy_artifacts:
+          path: upgrade
       - tf_destroy
+      - store_artifacts:
+          path: /tmp/artifacts/
 
 workflows:
   test-deploy-workflow:
@@ -272,6 +329,7 @@ workflows:
           context: aws-oidc
           terraform_version: << pipeline.parameters.terraform_version >>
           helm_version: << pipeline.parameters.helm_version >>
+
   test-upgrade-workflow:
     when:
       equal: ["test-upgrade-workflow", << pipeline.parameters.GHA_Action >>]
@@ -281,6 +339,7 @@ workflows:
           terraform_version: << pipeline.parameters.terraform_version >>
           helm_version: << pipeline.parameters.helm_version >>
           hcledit_version: << pipeline.parameters.hcledit_version >>
+
   examples-plan-test-workflow:
     when:
       equal:

.pre-commit-config.yaml

@@ -1,4 +1,5 @@
 ## NOTE: Changes(rename/add/delete) to pre-commit ids need to be replicated in .github/workflows/terraform-checks.yml(GHA).
+default_stages: [commit]
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v4.6.0
@@ -61,7 +62,7 @@ repos:
         args:
           - "--args=--compact"
           - "--args=--quiet"
-          - "--args=--skip-check CKV_CIRCLECIPIPELINES_2,CKV_CIRCLECIPIPELINES_6,CKV2_AWS_11,CKV2_AWS_12,CKV2_AWS_6,CKV_AWS_109,CKV_AWS_111,CKV_AWS_135,CKV_AWS_144,CKV_AWS_145,CKV_AWS_158,CKV_AWS_18,CKV_AWS_184,CKV_AWS_19,CKV_AWS_21,CKV_AWS_66,CKV_AWS_88,CKV2_GHA_1,CKV_AWS_163,CKV_AWS_39,CKV_AWS_38,CKV2_AWS_61,CKV2_AWS_62,CKV_AWS_136,CKV_AWS_329,CKV_AWS_338,CKV_AWS_339,CKV_AWS_341,CKV_AWS_356,CKV2_AWS_19,CKV2_AWS_5,CKV_AWS_150,CKV_AWS_123,CKV2_AWS_65,CKV2_AWS_67,CKV2_AWS_57,CKV_AWS_149,CKV_AWS_117,CKV_AWS_116,CKV_AWS_173,CKV_AWS_115,CKV_AWS_7,CKV_AWS_124"
+          - "--args=--skip-check CKV_CIRCLECIPIPELINES_2,CKV_CIRCLECIPIPELINES_6,CKV2_AWS_11,CKV2_AWS_12,CKV2_AWS_6,CKV_AWS_107,CKV_AWS_109,CKV_AWS_111,CKV_AWS_135,CKV_AWS_144,CKV_AWS_145,CKV_AWS_158,CKV_AWS_18,CKV_AWS_184,CKV_AWS_19,CKV_AWS_21,CKV_AWS_66,CKV_AWS_88,CKV2_GHA_1,CKV_AWS_163,CKV_AWS_39,CKV_AWS_38,CKV2_AWS_61,CKV2_AWS_62,CKV_AWS_136,CKV_AWS_329,CKV_AWS_338,CKV_AWS_339,CKV_AWS_341,CKV_AWS_356,CKV2_AWS_19,CKV2_AWS_5,CKV_AWS_150,CKV_AWS_123,CKV2_AWS_65,CKV2_AWS_67,CKV2_AWS_57,CKV_AWS_149,CKV_AWS_117,CKV_AWS_116,CKV_AWS_173,CKV_AWS_115,CKV_AWS_7,CKV_AWS_124"
       - id: terraform_trivy
         args:
           - "--args=--severity=HIGH,CRITICAL"

examples/deploy/meta.sh

@@ -11,13 +11,13 @@ declare -a MOD_DIRS=(
 
 declare -A COMP_MODS
 COMP_MODS["infra"]="infra"
-COMP_MODS["cluster"]="eks irsa_external_dns irsa_policies irsa_external_deployments_operator"
+COMP_MODS["cluster"]="eks irsa_external_dns irsa_policies external_deployments_operator"
 COMP_MODS["nodes"]="nodes"
 
 declare -A MOD_ADD
 MOD_ADD["irsa_external_dns"]="irsa"
 MOD_ADD["irsa_policies"]="irsa"
-MOD_ADD["irsa_external_deployments_operator"]="irsa"
+MOD_ADD["external_deployments_operator"]="external-deployments"
 
 INFRA_DIR="${MOD_DIRS[0]}"
 CLUSTER_DIR="${MOD_DIRS[1]}"

examples/deploy/terraform/cluster/README.md

@@ -21,7 +21,7 @@
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_eks"></a> [eks](#module\_eks) | ./../../../../modules/eks | n/a |
-| <a name="module_irsa_external_deployments_operator"></a> [irsa\_external\_deployments\_operator](#module\_irsa\_external\_deployments\_operator) | ./../../../../modules/irsa | n/a |
+| <a name="module_external_deployments_operator"></a> [external\_deployments\_operator](#module\_external\_deployments\_operator) | ./../../../../modules/external-deployments | n/a |
 | <a name="module_irsa_external_dns"></a> [irsa\_external\_dns](#module\_irsa\_external\_dns) | ./../../../../modules/irsa | n/a |
 | <a name="module_irsa_policies"></a> [irsa\_policies](#module\_irsa\_policies) | ./../../../../modules/irsa | n/a |
 
@@ -38,7 +38,7 @@
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_eks"></a> [eks](#input\_eks) | service\_ipv4\_cidr = CIDR for EKS cluster kubernetes\_network\_config.<br>    creation\_role\_name = Name of the role to import.<br>    k8s\_version = EKS cluster k8s version.<br>    kubeconfig = {<br>      extra\_args = Optional extra args when generating kubeconfig.<br>      path       = Fully qualified path name to write the kubeconfig file.<br>    }<br>    public\_access = {<br>      enabled = Enable EKS API public endpoint.<br>      cidrs   = List of CIDR ranges permitted for accessing the EKS public endpoint.<br>    }<br>    Custom role maps for aws auth configmap<br>    custom\_role\_maps = {<br>      rolearn  = string<br>      username = string<br>      groups   = list(string)<br>    }<br>    master\_role\_names  = IAM role names to be added as masters in eks.<br>    cluster\_addons     = EKS cluster addons. vpc-cni is installed separately.<br>    vpc\_cni            = Configuration for AWS VPC CNI<br>    ssm\_log\_group\_name = CloudWatch log group to send the SSM session logs to.<br>    identity\_providers = Configuration for IDP(Identity Provider).<br>  } | <pre>object({<br>    service_ipv4_cidr  = optional(string)<br>    creation_role_name = optional(string, null)<br>    k8s_version        = optional(string)<br>    kubeconfig = optional(object({<br>      extra_args = optional(string)<br>      path       = optional(string)<br>    }), {})<br>    public_access = optional(object({<br>      enabled = optional(bool)<br>      cidrs   = optional(list(string))<br>    }), {})<br>    custom_role_maps = optional(list(object({<br>      rolearn  = string<br>      username = string<br>      groups   = list(string)<br>    })))<br>    master_role_names  = optional(list(string))<br>    cluster_addons     = optional(list(string))<br>    ssm_log_group_name = optional(string)<br>    vpc_cni = optional(object({<br>      prefix_delegation = optional(bool)<br>      annotate_pod_ip   = optional(bool)<br>    }))<br>    identity_providers = optional(list(object({<br>      client_id                     = string<br>      groups_claim                  = optional(string)<br>      groups_prefix                 = optional(string)<br>      identity_provider_config_name = string<br>      issuer_url                    = optional(string)<br>      required_claims               = optional(string)<br>      username_claim                = optional(string)<br>      username_prefix               = optional(string)<br>    })))<br>  })</pre> | `{}` | no |
-| <a name="input_irsa_external_deployments_operator"></a> [irsa\_external\_deployments\_operator](#input\_irsa\_external\_deployments\_operator) | Config to create IRSA role for the external deployments operator. | <pre>object({<br>    enabled              = optional(bool, false)<br>    namespace            = optional(string, "domino-compute")<br>    service_account_name = optional(string, "pham-juno-operator")<br>  })</pre> | `{}` | no |
+| <a name="input_external_deployments_operator"></a> [external\_deployments\_operator](#input\_external\_deployments\_operator) | Config to create IRSA role for the external deployments operator. | <pre>object({<br>    enabled                         = optional(bool, false)<br>    namespace                       = optional(string, "domino-compute")<br>    operator_service_account_name   = optional(string, "pham-juno-operator")<br>    operator_role_suffix            = optional(string, "external-deployments-operator")<br>    repository_suffix               = optional(string, "external-deployments")<br>    bucket_suffix                   = optional(string, "external-deployments")<br>    enable_assume_any_external_role = optional(bool, true)<br>    enable_in_account_deployments   = optional(bool, true)<br>  })</pre> | `{}` | no |
 | <a name="input_irsa_external_dns"></a> [irsa\_external\_dns](#input\_irsa\_external\_dns) | Mappings for custom IRSA configurations. | <pre>object({<br>    enabled             = optional(bool, false)<br>    hosted_zone_name    = optional(string, null)<br>    namespace           = optional(string, null)<br>    serviceaccount_name = optional(string, null)<br>    rm_role_policy = optional(object({<br>      remove           = optional(bool, false)<br>      detach_from_role = optional(bool, false)<br>      policy_name      = optional(string, "")<br>    }), {})<br>  })</pre> | `{}` | no |
 | <a name="input_irsa_policies"></a> [irsa\_policies](#input\_irsa\_policies) | Mappings for custom IRSA configurations. | <pre>list(object({<br>    name                = string<br>    namespace           = string<br>    serviceaccount_name = string<br>    policy              = string #json<br>  }))</pre> | `[]` | no |
 | <a name="input_kms_info"></a> [kms\_info](#input\_kms\_info) | Overrides the KMS key information. Meant for migrated configurations.<br>    {<br>      key\_id  = KMS key id.<br>      key\_arn = KMS key arn.<br>      enabled = KMS key is enabled.<br>    } | <pre>object({<br>    key_id  = string<br>    key_arn = string<br>    enabled = bool<br>  })</pre> | `null` | no |
@@ -49,7 +49,7 @@
 | Name | Description |
 |------|-------------|
 | <a name="output_eks"></a> [eks](#output\_eks) | EKS details. |
-| <a name="output_external_deployments_operator"></a> [external\_deployments\_operator](#output\_external\_deployments\_operator) | "External\_deployments\_operator info"<br>  {<br>    irsa\_role = irsa role arn<br>    service\_account\_name = service account name<br>  } |
+| <a name="output_external_deployments_operator"></a> [external\_deployments\_operator](#output\_external\_deployments\_operator) | External deployments operator details. |
 | <a name="output_external_dns_irsa_role_arn"></a> [external\_dns\_irsa\_role\_arn](#output\_external\_dns\_irsa\_role\_arn) | "External\_dns info"<br>  {<br>    irsa\_role = irsa role arn.<br>    zone\_id   = hosted zone id for external\_dns Iam policy<br>    zone\_name = hosted zone name for external\_dns Iam policy<br>  } |
 | <a name="output_infra"></a> [infra](#output\_infra) | Infra details. |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

examples/deploy/terraform/cluster/main.tf

@@ -73,16 +73,14 @@ module "irsa_policies" {
   additional_irsa_configs = var.irsa_policies
 }
 
-# If you are enabling the IRSA configuration for external-deployments-operator
-module "irsa_external_deployments_operator" {
-  source                        = "./../../../../modules/irsa"
-  use_cluster_odc_idp           = local.is_eks_account_same
-  eks_info                      = module.eks.info
-  external_deployments_operator = var.irsa_external_deployments_operator
-
-  providers = {
-    aws = aws.global
-  }
+module "external_deployments_operator" {
+  count = var.external_deployments_operator.enabled ? 1 : 0
+
+  source               = "./../../../../modules/external-deployments"
+  eks_info             = module.eks.info
+  kms_info             = local.kms
+  region               = local.infra.region
+  external_deployments = var.external_deployments_operator
 }
 
 # Provider configuration for the account where the hosted zone is defined.

examples/deploy/terraform/cluster/outputs.tf

@@ -21,12 +21,6 @@ output "external_dns_irsa_role_arn" {
 }
 
 output "external_deployments_operator" {
-  description = <<EOF
-  "External_deployments_operator info"
-  {
-    irsa_role = irsa role arn
-    service_account_name = service account name
-  }
-  EOF
-  value       = module.irsa_external_deployments_operator
+  description = "External deployments operator details."
+  value       = module.external_deployments_operator
 }

examples/deploy/terraform/cluster/variables.tf

@@ -118,13 +118,18 @@ variable "use_fips_endpoint" {
   default     = false
 }
 
-variable "irsa_external_deployments_operator" {
+variable "external_deployments_operator" {
   description = "Config to create IRSA role for the external deployments operator."
 
   type = object({
-    enabled              = optional(bool, false)
-    namespace            = optional(string, "domino-compute")
-    service_account_name = optional(string, "pham-juno-operator")
+    enabled                         = optional(bool, false)
+    namespace                       = optional(string, "domino-compute")
+    operator_service_account_name   = optional(string, "pham-juno-operator")
+    operator_role_suffix            = optional(string, "external-deployments-operator")
+    repository_suffix               = optional(string, "external-deployments")
+    bucket_suffix                   = optional(string, "external-deployments")
+    enable_assume_any_external_role = optional(bool, true)
+    enable_in_account_deployments   = optional(bool, true)
   })
 
   default = {}