From cca389ababe8fd43b705b629d7972560f4efde9e Mon Sep 17 00:00:00 2001 From: Max Williams Date: Thu, 30 Jan 2020 12:27:35 +0100 Subject: [PATCH 01/47] Switch Validate github action to use env vars (#718) * Switch Validate github action to use env vars * update changelog after release * Update CHANGELOG.md Co-Authored-By: Thierno IB. BARRY Co-authored-by: Thierno IB. BARRY --- .github/workflows/lint.yml | 6 +++++- CHANGELOG.md | 1 + 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 2ef163cdd0..57e27e7cc4 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -40,9 +40,13 @@ jobs: env: AWS_REGION: 'us-east-1' TF_WARN_OUTPUT_ERRORS: 1 + TF_VAR_vpc_id: 'vpc-123456' + TF_VAR_subnets: '["subnet-12345a"]' + TF_VAR_workers_ami_id: 'ami-123456' + TF_VAR_cluster_name: 'test_cluster' run: | terraform init - terraform validate -var "region=${AWS_REGION}" -var "vpc_id=vpc-123456" -var "subnets=[\"subnet-12345a\"]" -var "workers_ami_id=ami-123456" -var "cluster_ingress_cidrs=[]" -var "cluster_name=test_cluster" + terraform validate - name: Validate Examples run: | for example in $(find examples -maxdepth 1 -mindepth 1 -type d); do diff --git a/CHANGELOG.md b/CHANGELOG.md index 35cc46cd12..b472d5703b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,7 @@ project adheres to [Semantic Versioning](http://semver.org/). ## [[v8.?.?](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v8.2.0...HEAD)] - 2020-xx-xx] - Write your awesome change here (by @you) +- [CI] Switch `Validate` github action to use env vars (by @max-rocket-internet) # History From 9032dce006bc381d0884cb6b5e48803126954a04 Mon Sep 17 00:00:00 2001 
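Review bot: the rewritten `terraform validate` in the lint.yml hunk drops two values the old command line supplied, `region=${AWS_REGION}` and `cluster_ingress_cidrs=[]`, and no matching `TF_VAR_region` or `TF_VAR_cluster_ingress_cidrs` is added to the `env:` block. If either is still a variable of the root module without a default, validate will fail in CI; if both are stale variables that no longer exist, the drop is correct but deserves a sentence in the commit message so the intent is clear. Keeping the placeholder IDs (`vpc-123456`, `ami-123456`, `subnet-12345a`) as `TF_VAR_*` values is fine for validation since nothing is planned or applied.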
From: Max Williams Date: Thu, 30 Jan 2020 15:21:20 +0100 Subject: [PATCH 02/47] Add example for IRSA and cluster-autoscaler (#710) * Add example for IRSA * remove unused SGs * remove helm setup part * simplification and use module * fix fmt error * remove unused resource --- CHANGELOG.md | 1 + examples/irsa/README.md | 63 ++++++++++++++ .../irsa/cluster-autoscaler-chart-values.yaml | 10 +++ examples/irsa/irsa.tf | 57 +++++++++++++ examples/irsa/locals.tf | 5 ++ examples/irsa/main.tf | 82 +++++++++++++++++++ examples/irsa/outputs.tf | 3 + examples/irsa/variables.tf | 3 + 8 files changed, 224 insertions(+) create mode 100644 examples/irsa/README.md create mode 100644 examples/irsa/cluster-autoscaler-chart-values.yaml create mode 100644 examples/irsa/irsa.tf create mode 100644 examples/irsa/locals.tf create mode 100644 examples/irsa/main.tf create mode 100644 examples/irsa/outputs.tf create mode 100644 examples/irsa/variables.tf diff --git a/CHANGELOG.md b/CHANGELOG.md index b472d5703b..cf088d2fd4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -19,6 +19,7 @@ project adheres to [Semantic Versioning](http://semver.org/). - Include ability to configure custom os-specific command for waiting until kube cluster is healthy (@sanjeevgiri) - Disable creation of ingress rules if worker nodes security groups are exists (@andjelx) - [CI] Update pre-commit and re-generate docs to work with terraform-docs >= 0.8.1 (@barryib) +- Added example `examples/irsa` for IAM Roles for Service Accounts (by @max-rocket-internet) ## [[v8.1.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v8.0.0...v8.1.0)] - 2020-01-17] diff --git a/examples/irsa/README.md b/examples/irsa/README.md new file mode 100644 index 0000000000..0af4d7b440 --- /dev/null +++ b/examples/irsa/README.md 
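Review bot: the CHANGELOG hunk inserts the `examples/irsa` entry below the `[CI] Update pre-commit ...` line, which the context shows is the section immediately above `## [[v8.1.0]...`, i.e. an already-released version, not the unreleased `v8.?.?` block at the top of the file. Move the line up under `- Write your awesome change here (by @you)` so the release notes for the next version are correct.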
@@ -0,0 +1,63 @@ +# IAM Roles for Service Accounts + +This example shows how to create an IAM role to be used for a Kubernetes `ServiceAccount`. It will create a policy and role to be used by the [cluster-autoscaler](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler) using the [public Helm chart](https://github.com/helm/charts/tree/master/stable/cluster-autoscaler). + +The AWS documentation for IRSA is here: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html + +## Setup + +Run Terraform: + +``` +terraform init +terraform apply +``` + +Set kubectl context to the new cluster: `export KUBECONFIG=kubeconfig_test-eks-irsa` + +Check that there is a node that is `Ready`: + +``` +$ kubectl get nodes +NAME STATUS ROLES AGE VERSION +ip-10-0-2-190.us-west-2.compute.internal Ready 6m39s v1.14.8-eks-b8860f +``` + +Replace `` with your AWS account ID in `cluster-autoscaler-chart-values.yaml`. There is output from terraform for this. + +Install the chart using the provided values file: + +``` +helm install --name cluster-autoscaler --namespace kube-system stable/cluster-autoscaler --values=cluster-autoscaler-chart-values.yaml +``` + +## Verify + +Ensure the cluster-autoscaler pod is running: + +``` +$ kubectl --namespace=kube-system get pods -l "app.kubernetes.io/name=aws-cluster-autoscaler" +NAME READY STATUS RESTARTS AGE +cluster-autoscaler-aws-cluster-autoscaler-5545d4b97-9ztpm 1/1 Running 0 3m +``` + +Observe the `AWS_*` environment variables that were added to the pod automatically by EKS: + +``` +kubectl --namespace=kube-system get pods -l "app.kubernetes.io/name=aws-cluster-autoscaler" -o yaml | grep -A3 AWS_ROLE_ARN + +- name: AWS_ROLE_ARN + value: arn:aws:iam::xxxxxxxxx:role/cluster-autoscaler +- name: AWS_WEB_IDENTITY_TOKEN_FILE + value: /var/run/secrets/eks.amazonaws.com/serviceaccount/token +``` + +Verify it is working by checking the logs, you should see that it has discovered the autoscaling group successfully: 
+ +``` +kubectl --namespace=kube-system logs -l "app.kubernetes.io/name=aws-cluster-autoscaler" + +I0128 14:59:00.901513 1 auto_scaling_groups.go:354] Regenerating instance to ASG map for ASGs: [test-eks-irsa-worker-group-12020012814125354700000000e] +I0128 14:59:00.969875 1 auto_scaling_groups.go:138] Registering ASG test-eks-irsa-worker-group-12020012814125354700000000e +I0128 14:59:00.969906 1 aws_manager.go:263] Refreshed ASG list, next refresh after 2020-01-28 15:00:00.969901767 +0000 UTC m=+61.310501783 +``` diff --git a/examples/irsa/cluster-autoscaler-chart-values.yaml b/examples/irsa/cluster-autoscaler-chart-values.yaml new file mode 100644 index 0000000000..71b18c43a0 --- /dev/null +++ b/examples/irsa/cluster-autoscaler-chart-values.yaml @@ -0,0 +1,10 @@ +awsRegion: us-west-2 + +rbac: + create: true + serviceAccountAnnotations: + eks.amazonaws.com/role-arn: "arn:aws:iam:::role/cluster-autoscaler" + +autoDiscovery: + clusterName: test-eks-irsa + enabled: true diff --git a/examples/irsa/irsa.tf b/examples/irsa/irsa.tf new file mode 100644 index 0000000000..8ba8f06823 --- /dev/null +++ b/examples/irsa/irsa.tf 
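Review bot: the README's `helm install --name cluster-autoscaler --namespace kube-system stable/cluster-autoscaler ...` uses the Helm 2 `--name` flag; Helm 3 takes the release name positionally and rejects `--name`. State the Helm version the example was written against, because the release name also fixes the name of the `ServiceAccount` the chart creates, and that name is what the IAM trust policy in irsa.tf is bound to. The verify section would also benefit from one line telling the reader what failure looks like (an `AccessDenied` or `WebIdentityErr` in the autoscaler logs), since a pod that has the `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE` variables injected can still be denied by `sts:AssumeRoleWithWebIdentity` when the subject does not match.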
@@ -0,0 +1,57 @@ +module "iam_assumable_role_admin" { + source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc" + version = "~> v2.6.0" + create_role = true + role_name = "cluster-autoscaler" + provider_url = replace(module.eks.cluster_oidc_issuer_url, "https://", "") + role_policy_arns = [aws_iam_policy.cluster_autoscaler.arn] + oidc_fully_qualified_subjects = ["system:serviceaccount:${local.k8s_service_account_namespace}:${local.k8s_service_account_name}"] +} + +resource "aws_iam_policy" "cluster_autoscaler" { + name_prefix = "cluster-autoscaler" + description = "EKS cluster-autoscaler policy for cluster ${module.eks.cluster_id}" + policy = data.aws_iam_policy_document.cluster_autoscaler.json +} + +data "aws_iam_policy_document" "cluster_autoscaler" { + statement { + sid = "clusterAutoscalerAll" + effect = "Allow" + + actions = [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations", + "autoscaling:DescribeTags", + "ec2:DescribeLaunchTemplateVersions", + ] + + resources = ["*"] + } + + statement { + sid = "clusterAutoscalerOwn" + effect = "Allow" + + actions = [ + "autoscaling:SetDesiredCapacity", + "autoscaling:TerminateInstanceInAutoScalingGroup", + "autoscaling:UpdateAutoScalingGroup", + ] + + resources = ["*"] + + condition { + test = "StringEquals" + variable = "autoscaling:ResourceTag/kubernetes.io/cluster/${module.eks.cluster_id}" + values = ["owned"] + } + + condition { + test = "StringEquals" + variable = "autoscaling:ResourceTag/k8s.io/cluster-autoscaler/enabled" + values = ["true"] + } + } +} diff --git a/examples/irsa/locals.tf b/examples/irsa/locals.tf new file mode 100644 index 0000000000..9cdc8af713 --- /dev/null +++ b/examples/irsa/locals.tf @@ -0,0 +1,5 @@ +locals { + cluster_name = "test-eks-irsa" + k8s_service_account_namespace = "kube-system" + k8s_service_account_name = "cluster-autoscaler-aws-cluster-autoscaler" +} 
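Review bot: the module instance in irsa.tf is named `iam_assumable_role_admin` but creates the cluster-autoscaler role; rename it (for example `iam_assumable_role_cluster_autoscaler`) so readers do not copy an "admin" role into their own code. The `oidc_fully_qualified_subjects = ["system:serviceaccount:${local.k8s_service_account_namespace}:${local.k8s_service_account_name}"]` binding is the important security property here: it is what stops any other service account in the cluster from assuming the role, so it is correct and should stay fully qualified. Because `k8s_service_account_name = "cluster-autoscaler-aws-cluster-autoscaler"` in locals.tf is derived from the Helm release name plus the chart name, add a comment next to it saying it must change if `helm install --name cluster-autoscaler` is changed, otherwise the trust policy silently stops matching.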
diff --git a/examples/irsa/main.tf b/examples/irsa/main.tf new file mode 100644 index 0000000000..0938a0596e --- /dev/null +++ b/examples/irsa/main.tf @@ -0,0 +1,82 @@ +terraform { + required_version = ">= 0.12.0" +} + +provider "aws" { + version = ">= 2.28.1" + region = var.region +} + +provider "local" { + version = "~> 1.2" +} + +provider "null" { + version = "~> 2.1" +} + +provider "template" { + version = "~> 2.1" +} + +data "aws_eks_cluster" "cluster" { + name = module.eks.cluster_id +} + +data "aws_eks_cluster_auth" "cluster" { + name = module.eks.cluster_id +} + +provider "kubernetes" { + host = data.aws_eks_cluster.cluster.endpoint + cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data) + token = data.aws_eks_cluster_auth.cluster.token + load_config_file = false + version = "~> 1.10" +} + +data "aws_availability_zones" "available" {} + +data "aws_caller_identity" "current" {} + +module "vpc" { + source = "terraform-aws-modules/vpc/aws" + version = "2.6.0" + name = "test-vpc" + cidr = "10.0.0.0/16" + azs = data.aws_availability_zones.available.names + public_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"] + enable_dns_hostnames = true + + tags = { + "kubernetes.io/cluster/${local.cluster_name}" = "shared" + } + + public_subnet_tags = { + "kubernetes.io/cluster/${local.cluster_name}" = "shared" + "kubernetes.io/role/elb" = "1" + } +} + +module "eks" { + source = "../.." + cluster_name = local.cluster_name + subnets = module.vpc.public_subnets + vpc_id = module.vpc.vpc_id + enable_irsa = true + + worker_groups = [ + { + name = "worker-group-1" + instance_type = "t2.medium" + asg_desired_capacity = 1 + tags = [ + { + "key" = "k8s.io/cluster-autoscaler/enabled" + "propagate_at_launch" = "false" + "value" = "true" + } + ] + } + ] +} diff --git a/examples/irsa/outputs.tf b/examples/irsa/outputs.tf new file mode 100644 index 0000000000..ef2ab9577a --- /dev/null +++ b/examples/irsa/outputs.tf 
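Review bot: main.tf places the worker group in `module.vpc.public_subnets` only, which is acceptable for a throwaway test cluster but should be called out in the README so the example is not lifted into a real environment unchanged. On the autoscaler tags, the worker group adds only `k8s.io/cluster-autoscaler/enabled`; auto-discovery also needs `k8s.io/cluster-autoscaler/<cluster name>`, which at this point in the series the module still adds itself (the workers.tf hunk later in this series shows it being removed), so a short comment on the `tags` list noting that dependency would make the example self-explanatory.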
@@ -0,0 +1,3 @@ +output "aws_account_id" { + value = data.aws_caller_identity.current.account_id +} diff --git a/examples/irsa/variables.tf b/examples/irsa/variables.tf new file mode 100644 index 0000000000..81b8dbe73e --- /dev/null +++ b/examples/irsa/variables.tf @@ -0,0 +1,3 @@ +variable "region" { + default = "us-west-2" +} From 92b5c2ad3fe7906b9a71f23376cde7a13348a57a Mon Sep 17 00:00:00 2001 From: "Thierno IB. BARRY" Date: Thu, 30 Jan 2020 15:50:56 +0100 Subject: [PATCH 03/47] bump pre-commit-terraform version (#724) --- .pre-commit-config.yaml | 2 +- CHANGELOG.md | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 9381459513..1b77bc2d98 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,6 +1,6 @@ repos: - repo: git://github.com/antonbabenko/pre-commit-terraform - rev: v1.24.0 + rev: v1.25.0 hooks: - id: terraform_fmt - id: terraform_docs diff --git a/CHANGELOG.md b/CHANGELOG.md index cf088d2fd4..47eb0dcbd3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,6 +11,7 @@ project adheres to [Semantic Versioning](http://semver.org/). - Write your awesome change here (by @you) - [CI] Switch `Validate` github action to use env vars (by @max-rocket-internet) +- [CI] Bump pre-commit-terraform version (by @barryib) # History From 626a393ab964677e3b4fb1336ad9d8cef4c26406 Mon Sep 17 00:00:00 2001 
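Review bot: the .pre-commit-config.yaml hunk bumps `rev: v1.24.0` to `rev: v1.25.0` but leaves the hook fetched over `repo: git://github.com/antonbabenko/pre-commit-terraform`. The `git://` transport is unauthenticated and unencrypted, and pinning to a tag does not protect against a substituted repository on the wire since tags are mutable; switch the URL to `https://github.com/antonbabenko/pre-commit-terraform` while touching this line.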
From: Max Williams Date: Tue, 4 Feb 2020 19:34:17 +0100 Subject: [PATCH 04/47] Remove of autoscaling IAM policy related stuff (#716) * Disable management of autoscaling IAM policy by default * remove completely * update changelog notes * fix pre-commit stuff * misc updates * fmt * fix changelog * Removal of tags and update docs * Change after updating terraform-docs * Add second tag --- CHANGELOG.md | 10 ++++- README.md | 10 ++--- docs/autoscaling.md | 76 +++++++++++++++++++++++++++++++----- docs/faq.md | 2 +- docs/spot-instances.md | 4 -- examples/irsa/main.tf | 5 +++ local.tf | 1 - node_groups.tf | 9 ++--- outputs.tf | 10 ----- variables.tf | 12 ------ workers.tf | 80 -------------------------------------- workers_launch_template.tf | 23 ----------- 12 files changed, 87 insertions(+), 155 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 47eb0dcbd3..3a9985361b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,9 +9,14 @@ project adheres to [Semantic Versioning](http://semver.org/). ## [[v8.?.?](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v8.2.0...HEAD)] - 2020-xx-xx] -- Write your awesome change here (by @you) - [CI] Switch `Validate` github action to use env vars (by @max-rocket-internet) - [CI] Bump pre-commit-terraform version (by @barryib) +- Added example `examples/irsa` for IAM Roles for Service Accounts (by @max-rocket-internet) +- **Breaking:** Removal of autoscaling IAM policy and tags (by @max-rocket-internet) + +#### Important notes + +Autoscaling policy and tags have been removed from this module. This reduces complexity and increases security as the policy was attached to the node group IAM role. To manage it outside of this module either follow the example in `examples/irsa` to attach an IAM role to the cluster-autoscaler `serviceAccount` or create the policy outside this module and pass it in using the `workers_additional_policies` variable. # History 
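Review bot: the "Important notes" paragraph in the CHANGELOG hunk explains how to replace the removed IAM policy (IRSA or `workers_additional_policies`) but says nothing about replacing the removed tags, even though the entry is titled "Removal of autoscaling IAM policy and tags". Add a sentence that the `k8s.io/cluster-autoscaler/enabled` and `k8s.io/cluster-autoscaler/<cluster_name>` ASG tags must now be set per worker group, and point at the `tags` list in `examples/irsa/main.tf` as the pattern, otherwise upgrading users will find auto-discovery stops finding their groups with no error on the Terraform side.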
@@ -20,7 +25,8 @@ project adheres to [Semantic Versioning](http://semver.org/). - Include ability to configure custom os-specific command for waiting until kube cluster is healthy (@sanjeevgiri) - Disable creation of ingress rules if worker nodes security groups are exists (@andjelx) - [CI] Update pre-commit and re-generate docs to work with terraform-docs >= 0.8.1 (@barryib) -- Added example `examples/irsa` for IAM Roles for Service Accounts (by @max-rocket-internet) + +# History ## [[v8.1.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v8.0.0...v8.1.0)] - 2020-01-17] diff --git a/README.md b/README.md index 95a2245e2d..8c4a916905 100644 --- a/README.md +++ b/README.md 
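Review bot: this second CHANGELOG hunk adds a new `# History` heading above `## [[v8.1.0]...`, but the first hunk's trailing context shows a `# History` heading already present directly below the unreleased section. The result is two `# History` headings in the file; drop the added one here (moving the `examples/irsa` line up to the unreleased section is the part of this hunk that is needed).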
@@ -161,14 +161,13 @@ MIT Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-a | Name | Description | Type | Default | Required | |------|-------------|------|---------|:-----:| -| attach\_worker\_autoscaling\_policy | Whether to attach the module managed cluster autoscaling iam policy to the default worker IAM role. This requires `manage_worker_autoscaling_policy = true` | `bool` | `true` | no | | attach\_worker\_cni\_policy | Whether to attach the Amazon managed `AmazonEKS_CNI_Policy` IAM policy to the default worker IAM role. WARNING: If set `false` the permissions must be assigned to the `aws-node` DaemonSet pods via another method or nodes will not be able to join the cluster. | `bool` | `true` | no | | cluster\_create\_timeout | Timeout value when creating the EKS cluster. | `string` | `"15m"` | no | | cluster\_delete\_timeout | Timeout value when deleting the EKS cluster. | `string` | `"15m"` | no | | cluster\_enabled\_log\_types | A list of the desired control plane logging to enable. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html) | `list(string)` | `[]` | no | | cluster\_endpoint\_private\_access | Indicates whether or not the Amazon EKS private API server endpoint is enabled. | `bool` | `false` | no | | cluster\_endpoint\_public\_access | Indicates whether or not the Amazon EKS public API server endpoint is enabled. | `bool` | `true` | no | -| cluster\_endpoint\_public\_access\_cidrs | List of CIDR blocks which can access the Amazon EKS public API server endpoint. | `list(string)` |
[
"0.0.0.0/0"
]
| no | +| cluster\_endpoint\_public\_access\_cidrs | List of CIDR blocks which can access the Amazon EKS public API server endpoint. | `list(string)` |
[
"0.0.0.0/0"
]
| no | | cluster\_iam\_role\_name | IAM role name for the cluster. Only applicable if manage\_cluster\_iam\_resources is set to false. | `string` | `""` | no | | cluster\_log\_kms\_key\_id | If a KMS Key ARN is set, this key will be used to encrypt the corresponding log group. Please be sure that the KMS Key has an appropriate key policy (https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html) | `string` | `""` | no | | cluster\_log\_retention\_in\_days | Number of days to retain log events. Default retention - 90 days. | `number` | `90` | no | @@ -187,11 +186,10 @@ MIT Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-a | kubeconfig\_name | Override the default name used for items kubeconfig. | `string` | `""` | no | | manage\_aws\_auth | Whether to apply the aws-auth configmap file. | `bool` | `true` | no | | manage\_cluster\_iam\_resources | Whether to let the module manage cluster IAM resources. If set to false, cluster\_iam\_role\_name must be specified. | `bool` | `true` | no | -| manage\_worker\_autoscaling\_policy | Whether to let the module manage the cluster autoscaling iam policy. | `bool` | `true` | no | | manage\_worker\_iam\_resources | Whether to let the module manage worker IAM resources. If set to false, iam\_instance\_profile\_name must be specified for workers. | `bool` | `true` | no | | map\_accounts | Additional AWS account numbers to add to the aws-auth configmap. See examples/basic/variables.tf for example format. | `list(string)` | `[]` | no | -| map\_roles | Additional IAM roles to add to the aws-auth configmap. See examples/basic/variables.tf for example format. |
list(object({
rolearn = string
username = string
groups = list(string)
}))
| `[]` | no | -| map\_users | Additional IAM users to add to the aws-auth configmap. See examples/basic/variables.tf for example format. |
list(object({
userarn = string
username = string
groups = list(string)
}))
| `[]` | no | +| map\_roles | Additional IAM roles to add to the aws-auth configmap. See examples/basic/variables.tf for example format. |
list(object({
rolearn = string
username = string
groups = list(string)
}))
| `[]` | no | +| map\_users | Additional IAM users to add to the aws-auth configmap. See examples/basic/variables.tf for example format. |
list(object({
userarn = string
username = string
groups = list(string)
}))
| `[]` | no | | node\_groups | Map of map of node groups to create. See `node_groups` module's documentation for more details | `any` | `{}` | no | | node\_groups\_defaults | Map of values to be applied to all node groups. See `node_groups` module's documentaton for more details | `any` | `{}` | no | | permissions\_boundary | If provided, all IAM roles will be created with this permissions boundary attached. | `string` | n/a | yes | @@ -233,8 +231,6 @@ MIT Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-a | kubeconfig\_filename | The filename of the generated kubectl config. | | node\_groups | Outputs from EKS node groups. Map of maps, keyed by var.node\_groups keys | | oidc\_provider\_arn | The ARN of the OIDC Provider if `enable_irsa = true`. | -| worker\_autoscaling\_policy\_arn | ARN of the worker autoscaling IAM policy if `manage_worker_autoscaling_policy = true` | -| worker\_autoscaling\_policy\_name | Name of the worker autoscaling IAM policy if `manage_worker_autoscaling_policy = true` | | worker\_iam\_instance\_profile\_arns | default IAM instance profile ARN for EKS worker groups | | worker\_iam\_instance\_profile\_names | default IAM instance profile name for EKS worker groups | | worker\_iam\_role\_arn | default IAM role ARN for EKS worker groups | diff --git a/docs/autoscaling.md b/docs/autoscaling.md index 2aabab83d2..d13d40941c 100644 --- a/docs/autoscaling.md +++ b/docs/autoscaling.md 
@@ -1,12 +1,72 @@ # Autoscaling -Autoscaling of worker nodes can be easily enabled by setting the `autoscaling_enabled` variable to `true` for a worker group in the `worker_groups` map. -This will add the required tags to the autoscaling group for the [cluster-autoscaler](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler). -One should also set `protect_from_scale_in` to `true` for such worker groups, to ensure that cluster-autoscaler is solely responsible for scaling events. +To enable worker node autoscaling you will need to do a few things: -You will also need to install the cluster-autoscaler into your cluster. The easiest way to do this is with [helm](https://helm.sh/). +- Add the [required tags](https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler/cloudprovider/aws#auto-discovery-setup) to the worker group +- Install the cluster-autoscaler +- Give the cluster-autoscaler access via an IAM policy -The [helm chart](https://github.com/helm/charts/tree/master/stable/cluster-autoscaler) for the cluster-autoscaler requires some specific settings to work in an EKS cluster. These settings are supplied via YAML values file when installing the helm chart. Here is an example values file: +It's probably easiest to follow the example in [examples/irsa](../examples/irsa), this will install the cluster-autoscaler using [Helm](https://helm.sh/) and use IRSA to attach a policy. + +If you don't want to use IRSA then you will need to attach the IAM policy to the worker node IAM role or add AWS credentials to the cluster-autoscaler environment variables. 
Here is some example terraform code for the policy: + +```hcl +resource "aws_iam_role_policy_attachment" "workers_autoscaling" { + policy_arn = aws_iam_policy.worker_autoscaling.arn + role = module.my_cluster.worker_iam_role_name[0] +} + +resource "aws_iam_policy" "worker_autoscaling" { + name_prefix = "eks-worker-autoscaling-${module.my_cluster.cluster_id}" + description = "EKS worker node autoscaling policy for cluster ${module.my_cluster.cluster_id}" + policy = data.aws_iam_policy_document.worker_autoscaling.json + path = var.iam_path +} + +data "aws_iam_policy_document" "worker_autoscaling" { + statement { + sid = "eksWorkerAutoscalingAll" + effect = "Allow" + + actions = [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeLaunchConfigurations", + "autoscaling:DescribeTags", + "ec2:DescribeLaunchTemplateVersions", + ] + + resources = ["*"] + } + + statement { + sid = "eksWorkerAutoscalingOwn" + effect = "Allow" + + actions = [ + "autoscaling:SetDesiredCapacity", + "autoscaling:TerminateInstanceInAutoScalingGroup", + "autoscaling:UpdateAutoScalingGroup", + ] + + resources = ["*"] + + condition { + test = "StringEquals" + variable = "autoscaling:ResourceTag/kubernetes.io/cluster/${module.my_cluster.cluster_id}" + values = ["owned"] + } + + condition { + test = "StringEquals" + variable = "autoscaling:ResourceTag/k8s.io/cluster-autoscaler/enabled" + values = ["true"] + } + } +} +``` + +And example values for the [helm chart](https://github.com/helm/charts/tree/master/stable/cluster-autoscaler): ```yaml rbac: 
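Review bot: the policy example added to docs/autoscaling.md has two things that will not work as pasted: `role = module.my_cluster.worker_iam_role_name[0]` indexes an output that the outputs.tf hunk in this same patch shows is a single value (`worker_iam_role_arn` ends in `)[0]`, and `worker_iam_role_name` is built the same way), so the `[0]` should go; and `path = var.iam_path` references a variable the reader's configuration will not have, so either define it in the snippet or drop the `path` argument. On the wording, "attach the IAM policy to the worker node IAM role" should say plainly that this grants `autoscaling:SetDesiredCapacity`, `TerminateInstanceInAutoScalingGroup` and `UpdateAutoScalingGroup` to every pod scheduled on those nodes, which is exactly why this patch removes the module-managed attachment; the IRSA route should be recommended, not just listed first.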
@@ -26,10 +86,6 @@ To install the chart, simply run helm with the `--values` option: helm install stable/cluster-autoscaler --values=path/to/your/values-file.yaml ``` -`NOTE` +## Notes There is a variable `asg_desired_capacity` given in the `local.tf` file, currently it can be used to change the desired worker(s) capacity in the autoscaling group but currently it is being ignored in terraform to reduce the [complexities](https://github.com/terraform-aws-modules/terraform-aws-eks/issues/510#issuecomment-531700442) and the feature of scaling up and down the cluster nodes is being handled by the cluster autoscaler. - -## See More - -[Using AutoScalingGroup MixedInstancesPolicy](https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md#using-autoscalinggroup-mixedinstancespolicy) diff --git a/docs/faq.md b/docs/faq.md index d793f28fea..34d0aa6633 100644 --- a/docs/faq.md +++ b/docs/faq.md @@ -56,7 +56,7 @@ The safest and easiest option is to set `asg_min_size` and `asg_max_size` to 0 o The module is configured to ignore this value. Unfortunately Terraform does not support variables within the `lifecycle` block. -The setting is ignored to allow the cluster autoscaler to work correctly and so that terraform applys do not accidentally remove running workers. +The setting is ignored to allow the cluster autoscaler to work correctly and so that terraform apply does not accidentally remove running workers. You can change the desired count via the CLI or console if you're not using the cluster autoscaler. diff --git a/docs/spot-instances.md b/docs/spot-instances.md index 06ca2e8068..1a5da6e79e 100644 --- a/docs/spot-instances.md +++ b/docs/spot-instances.md 
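Review bot: the second autoscaling.md hunk removes the "See More" section and with it the link to the cluster-autoscaler MixedInstancesPolicy documentation, which is still relevant to the spot-instance worker groups documented elsewhere in this repo. Keep the link, either under the new `## Notes` heading or in docs/spot-instances.md, rather than dropping it with the rest of the rewrite.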
@@ -32,7 +32,6 @@ Example worker group configuration that uses an ASG with launch configuration fo name = "on-demand-1" instance_type = "m4.xlarge" asg_max_size = 1 - autoscaling_enabled = true kubelet_extra_args = "--node-labels=kubernetes.io/lifecycle=normal" suspended_processes = ["AZRebalance"] }, @@ -41,7 +40,6 @@ Example worker group configuration that uses an ASG with launch configuration fo spot_price = "0.199" instance_type = "c4.xlarge" asg_max_size = 20 - autoscaling_enabled = true kubelet_extra_args = "--node-labels=kubernetes.io/lifecycle=spot" suspended_processes = ["AZRebalance"] }, @@ -50,7 +48,6 @@ Example worker group configuration that uses an ASG with launch configuration fo spot_price = "0.20" instance_type = "m4.xlarge" asg_max_size = 20 - autoscaling_enabled = true kubelet_extra_args = "--node-labels=kubernetes.io/lifecycle=spot" suspended_processes = ["AZRebalance"] } @@ -67,7 +64,6 @@ Launch Template support is a recent addition to both AWS and this module. It mig name = "on-demand-1" instance_type = "m4.xlarge" asg_max_size = 10 - autoscaling_enabled = true kubelet_extra_args = "--node-labels=spot=false" suspended_processes = ["AZRebalance"] } diff --git a/examples/irsa/main.tf b/examples/irsa/main.tf index 0938a0596e..2121a589ec 100644 --- a/examples/irsa/main.tf +++ b/examples/irsa/main.tf @@ -75,6 +75,11 @@ module "eks" { "key" = "k8s.io/cluster-autoscaler/enabled" "propagate_at_launch" = "false" "value" = "true" + }, + { + "key" = "k8s.io/cluster-autoscaler/${local.cluster_name}" + "propagate_at_launch" = "false" + "value" = "true" } ] } diff --git a/local.tf b/local.tf index 609185816f..2487de3009 100644 --- a/local.tf +++ b/local.tf 
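Review bot: the spot-instances.md hunks delete `autoscaling_enabled = true` from all four worker group examples, but since this patch also stops the module adding the discovery tags, those examples now describe spot groups that the cluster-autoscaler will never find. Add the two tags to the worker group definitions exactly as the examples/irsa/main.tf hunk does (`k8s.io/cluster-autoscaler/enabled` and `k8s.io/cluster-autoscaler/${local.cluster_name}`, both with `propagate_at_launch = "false"`), or link to docs/autoscaling.md from each example. In that main.tf hunk, the cluster-name tag is given `"value" = "true"` whereas the module code being removed set its value to the cluster name; auto-discovery matches on the key only, so both work, but it is worth a comment so nobody "fixes" it later.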
@@ -49,7 +49,6 @@ locals { public_ip = false # Associate a public ip address with a worker kubelet_extra_args = "" # This string is passed directly to kubelet if set. Useful for adding labels or taints. subnets = var.subnets # A list of subnets to place the worker nodes in. i.e. ["subnet-123", "subnet-456", "subnet-789"] - autoscaling_enabled = false # Sets whether policy and matching tags will be added to allow autoscaling. additional_security_group_ids = [] # A list of additional security group ids to include in worker launch config protect_from_scale_in = false # Prevent AWS from scaling in, so that cluster-autoscaler is solely responsible. iam_instance_profile_name = "" # A custom IAM instance profile name. Used when manage_worker_iam_resources is set to false. Incompatible with iam_role_id. diff --git a/node_groups.tf b/node_groups.tf index 6c7b438cfb..2c689c3818 100644 --- a/node_groups.tf +++ b/node_groups.tf 
@@ -9,11 +9,10 @@ data "null_data_source" "node_groups" { # Ensure these resources are created before "unlocking" the data source. # `depends_on` causes a refresh on every run so is useless here. # [Re]creating or removing these resources will trigger recreation of Node Group resources - aws_auth = coalescelist(kubernetes_config_map.aws_auth[*].id, [""])[0] - role_NodePolicy = coalescelist(aws_iam_role_policy_attachment.workers_AmazonEKSWorkerNodePolicy[*].id, [""])[0] - role_CNI_Policy = coalescelist(aws_iam_role_policy_attachment.workers_AmazonEKS_CNI_Policy[*].id, [""])[0] - role_Container = coalescelist(aws_iam_role_policy_attachment.workers_AmazonEC2ContainerRegistryReadOnly[*].id, [""])[0] - role_autoscaling = coalescelist(aws_iam_role_policy_attachment.workers_autoscaling[*].id, [""])[0] + aws_auth = coalescelist(kubernetes_config_map.aws_auth[*].id, [""])[0] + role_NodePolicy = coalescelist(aws_iam_role_policy_attachment.workers_AmazonEKSWorkerNodePolicy[*].id, [""])[0] + role_CNI_Policy = coalescelist(aws_iam_role_policy_attachment.workers_AmazonEKS_CNI_Policy[*].id, [""])[0] + role_Container = coalescelist(aws_iam_role_policy_attachment.workers_AmazonEC2ContainerRegistryReadOnly[*].id, [""])[0] } } diff --git a/outputs.tf b/outputs.tf index 59a4077569..b1f8c3c049 100644 --- a/outputs.tf +++ b/outputs.tf @@ -153,16 +153,6 @@ output "worker_iam_role_arn" { )[0] } -output "worker_autoscaling_policy_name" { - description = "Name of the worker autoscaling IAM policy if `manage_worker_autoscaling_policy = true`" - value = concat(aws_iam_policy.worker_autoscaling[*].name, [""])[0] -} - -output "worker_autoscaling_policy_arn" { - description = "ARN of the worker autoscaling IAM policy if `manage_worker_autoscaling_policy = true`" - value = concat(aws_iam_policy.worker_autoscaling[*].arn, [""])[0] -} - output "node_groups" { description = "Outputs from EKS node groups. Map of maps, keyed by var.node_groups keys" value = module.node_groups.node_groups 
diff --git a/variables.tf b/variables.tf index 195cc58b47..b9fa6c4c0a 100644 --- a/variables.tf +++ b/variables.tf @@ -264,18 +264,6 @@ variable "workers_role_name" { default = "" } -variable "manage_worker_autoscaling_policy" { - description = "Whether to let the module manage the cluster autoscaling iam policy." - type = bool - default = true -} - -variable "attach_worker_autoscaling_policy" { - description = "Whether to attach the module managed cluster autoscaling iam policy to the default worker IAM role. This requires `manage_worker_autoscaling_policy = true`" - type = bool - default = true -} - variable "attach_worker_cni_policy" { description = "Whether to attach the Amazon managed `AmazonEKS_CNI_Policy` IAM policy to the default worker IAM role. WARNING: If set `false` the permissions must be assigned to the `aws-node` DaemonSet pods via another method or nodes will not be able to join the cluster." type = bool diff --git a/workers.tf b/workers.tf index b6e6f69f9e..839452ed43 100644 --- a/workers.tf +++ b/workers.tf @@ -104,29 +104,6 @@ resource "aws_autoscaling_group" "workers" { "value" = "owned" "propagate_at_launch" = true }, - { - "key" = "k8s.io/cluster-autoscaler/${lookup( - var.worker_groups[count.index], - "autoscaling_enabled", - local.workers_group_defaults["autoscaling_enabled"], - ) ? "enabled" : "disabled"}" - "value" = "true" - "propagate_at_launch" = false - }, - { - "key" = "k8s.io/cluster-autoscaler/${aws_eks_cluster.this[0].name}" - "value" = aws_eks_cluster.this[0].name - "propagate_at_launch" = false - }, - { - "key" = "k8s.io/cluster-autoscaler/node-template/resources/ephemeral-storage" - "value" = "${lookup( - var.worker_groups[count.index], - "root_volume_size", - local.workers_group_defaults["root_volume_size"], - )}Gi" - "propagate_at_launch" = false - }, ], local.asg_tags, lookup( 
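Review bot: the workers.tf tags hunk removes three tags, not two: besides the `k8s.io/cluster-autoscaler/enabled|disabled` and `k8s.io/cluster-autoscaler/<cluster name>` discovery tags, it drops `k8s.io/cluster-autoscaler/node-template/resources/ephemeral-storage`, whose value (`<root_volume_size>Gi`) is the hint the autoscaler uses to size pending pods against a group that is currently at zero nodes. That tag has nothing to do with the IAM policy being removed, and losing it changes scale-from-zero behaviour for pods with ephemeral-storage requests; either keep it or list it explicitly in the CHANGELOG "Important notes" so users know to re-add it per worker group. The same applies to the identical hunk in workers_launch_template.tf.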
@@ -357,60 +334,3 @@ resource "aws_iam_role_policy_attachment" "workers_additional_policies" { role = aws_iam_role.workers[0].name policy_arn = var.workers_additional_policies[count.index] } - -resource "aws_iam_role_policy_attachment" "workers_autoscaling" { - count = var.manage_worker_iam_resources && var.manage_worker_autoscaling_policy && var.attach_worker_autoscaling_policy && var.create_eks ? 1 : 0 - policy_arn = aws_iam_policy.worker_autoscaling[0].arn - role = aws_iam_role.workers[0].name -} - -resource "aws_iam_policy" "worker_autoscaling" { - count = var.manage_worker_iam_resources && var.manage_worker_autoscaling_policy && var.create_eks ? 1 : 0 - name_prefix = "eks-worker-autoscaling-${aws_eks_cluster.this[0].name}" - description = "EKS worker node autoscaling policy for cluster ${aws_eks_cluster.this[0].name}" - policy = data.aws_iam_policy_document.worker_autoscaling[0].json - path = var.iam_path -} - -data "aws_iam_policy_document" "worker_autoscaling" { - count = var.manage_worker_iam_resources && var.manage_worker_autoscaling_policy && var.create_eks ? 1 : 0 - statement { - sid = "eksWorkerAutoscalingAll" - effect = "Allow" - - actions = [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeAutoScalingInstances", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeLaunchTemplateVersions", - ] - - resources = ["*"] - } - - statement { - sid = "eksWorkerAutoscalingOwn" - effect = "Allow" - - actions = [ - "autoscaling:SetDesiredCapacity", - "autoscaling:TerminateInstanceInAutoScalingGroup", - "autoscaling:UpdateAutoScalingGroup", - ] - - resources = ["*"] - - condition { - test = "StringEquals" - variable = "autoscaling:ResourceTag/kubernetes.io/cluster/${aws_eks_cluster.this[0].name}" - values = ["owned"] - } - - condition { - test = "StringEquals" - variable = "autoscaling:ResourceTag/k8s.io/cluster-autoscaler/enabled" - values = ["true"] - } - } -} 
diff --git a/workers_launch_template.tf b/workers_launch_template.tf index 519a289942..ba51baaf9d 100644 --- a/workers_launch_template.tf +++ b/workers_launch_template.tf @@ -179,29 +179,6 @@ resource "aws_autoscaling_group" "workers_launch_template" { "value" = "owned" "propagate_at_launch" = true }, - { - "key" = "k8s.io/cluster-autoscaler/${lookup( - var.worker_groups_launch_template[count.index], - "autoscaling_enabled", - local.workers_group_defaults["autoscaling_enabled"], - ) ? "enabled" : "disabled"}" - "value" = "true" - "propagate_at_launch" = false - }, - { - "key" = "k8s.io/cluster-autoscaler/${aws_eks_cluster.this[0].name}" - "value" = aws_eks_cluster.this[0].name - "propagate_at_launch" = false - }, - { - "key" = "k8s.io/cluster-autoscaler/node-template/resources/ephemeral-storage" - "value" = "${lookup( - var.worker_groups_launch_template[count.index], - "root_volume_size", - local.workers_group_defaults["root_volume_size"], - )}Gi" - "propagate_at_launch" = false - }, ], local.asg_tags, lookup( From 415e123d93b1ec55df1e6125881996a43ac546a6 Mon Sep 17 00:00:00 2001 From: Daniele Lisi Date: Thu, 6 Feb 2020 03:45:45 -0800 Subject: [PATCH 05/47] Add iam:GetOpenIDConnectProvider grant to docs/iam-permissions.md (#728) * Add iam:GetOpenIDConnectProvider grant to docs/iam-permissions.md * Update CHANGELOG.md --- CHANGELOG.md | 1 + docs/iam-permissions.md | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3a9985361b..83bc914b86 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
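Review bot: the workers_launch_template.tf hunk removes exactly the same three tag entries as the workers.tf hunk, with only `var.worker_groups_launch_template` swapped for `var.worker_groups`. Since the two files had already drifted into duplicate blocks, consider hoisting the shared ASG tag list into a local so the next change to worker tags cannot land in one file and not the other.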
@@ -13,6 +13,7 @@ project adheres to [Semantic Versioning](http://semver.org/). - [CI] Bump pre-commit-terraform version (by @barryib) - Added example `examples/irsa` for IAM Roles for Service Accounts (by @max-rocket-internet) - **Breaking:** Removal of autoscaling IAM policy and tags (by @max-rocket-internet) +- Add `iam:GetOpenIDConnectProvider` grant to the required IAM permissions in `docs/iam-permissions.md` (by @danielelisi) #### Important notes diff --git a/docs/iam-permissions.md b/docs/iam-permissions.md index 4fbc828447..9c15083409 100644 --- a/docs/iam-permissions.md +++ b/docs/iam-permissions.md @@ -97,6 +97,7 @@ Following IAM permissions are the minimum permissions needed for your IAM user o "iam:DeleteServiceLinkedRole", "iam:DetachRolePolicy", "iam:GetInstanceProfile", + "iam:GetOpenIDConnectProvider", "iam:GetPolicy", "iam:GetPolicyVersion", "iam:GetRole", @@ -118,4 +119,4 @@ Following IAM permissions are the minimum permissions needed for your IAM user o } ] } -``` \ No newline at end of file +``` From 6c42d23c23d501c62bac6d8f0d9039f7c46a8307 Mon Sep 17 00:00:00 2001 From: ivanguravel Date: Thu, 6 Feb 2020 18:46:38 +0200 Subject: [PATCH 06/47] Detailed description for enabling Windows nodes for AWS EKS (#727) * Update faq.md detailed algorithm for building EKS cluster with Windows nodes * small description fix * Update docs/faq.md Co-Authored-By: Max Williams * Update faq.md * Update faq.md * Update CHANGELOG.md * Update docs/faq.md Co-Authored-By: Max Williams * Update docs/faq.md Co-Authored-By: Max Williams * Update docs/faq.md Co-Authored-By: Max Williams * Update docs/faq.md Co-Authored-By: Max Williams * Update CHANGELOG.md Co-Authored-By: Max Williams Co-authored-by: Max Williams --- CHANGELOG.md | 1 + docs/faq.md | 40 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 41 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 83bc914b86..fb62a4d343 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
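Review bot: `iam:GetOpenIDConnectProvider` on its own only covers reading the provider; the module's IRSA support also creates and destroys an OIDC provider, so the "minimum" list in docs/iam-permissions.md still fails on apply without `iam:CreateOpenIDConnectProvider` and `iam:DeleteOpenIDConnectProvider` (a later patch in this series adds exactly those two). Suggest landing the three grants together so the doc never claims a minimum set that does not work. Fixing the missing trailing newline after the closing fence is good.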
@@ -9,6 +9,7 @@ project adheres to [Semantic Versioning](http://semver.org/). ## [[v8.?.?](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v8.2.0...HEAD)] - 2020-xx-xx] +- Added instructions for how to add Windows nodes (by @ivanguravel) - [CI] Switch `Validate` github action to use env vars (by @max-rocket-internet) - [CI] Bump pre-commit-terraform version (by @barryib) - Added example `examples/irsa` for IAM Roles for Service Accounts (by @max-rocket-internet) diff --git a/docs/faq.md b/docs/faq.md index 34d0aa6633..b57af69791 100644 --- a/docs/faq.md +++ b/docs/faq.md 
@@ -104,3 +104,43 @@ module "eks" { To enable Windows support for your EKS cluster, you should apply some configs manually. See the [Enabling Windows Support (Windows/MacOS/Linux)](https://docs.aws.amazon.com/eks/latest/userguide/windows-support.html#enable-windows-support). Windows worker nodes requires additional cluster role (eks:kube-proxy-windows). If you are adding windows workers to existing cluster, you should apply config-map-aws-auth again. + +#### Example configuration + +Amazon EKS clusters must contain one or more Linux worker nodes to run core system pods that only run on Linux, such as coredns and the VPC resource controller. + +1. Build AWS EKS cluster with the next workers configuration (default Linux): + +``` +worker_groups = [ + { + name = "worker-group-linux" + instance_type = "m5.large" + platform = "linux" + asg_desired_capacity = 2 + }, + ] +``` + +2. Apply commands from https://docs.aws.amazon.com/eks/latest/userguide/windows-support.html#enable-windows-support (use tab with name `Windows`) + +3. Add one more worker group for Windows with required field `platform = "windows"` and update your cluster. Worker group example: + +``` +worker_groups = [ + { + name = "worker-group-linux" + instance_type = "m5.large" + platform = "linux" + asg_desired_capacity = 2 + }, + { + name = "worker-group-windows" + instance_type = "m5.large" + platform = "windows" + asg_desired_capacity = 1 + }, + ] +``` + +4. Wtih `kubectl get nodes` you can see cluster with mixed (Linux/Windows) nodes support. From a9c73b277e8edf0681e5100ed7f42a240686ff2a Mon Sep 17 00:00:00 2001 From: Daniele Lisi Date: Fri, 7 Feb 2020 06:33:28 -0800 Subject: [PATCH 07/47] Add `iam:{Create,Delete}OpenIDProviderConnect` to required IAM policies (#729) --- CHANGELOG.md | 2 +- docs/iam-permissions.md | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fb62a4d343..0213bb492d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
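Review bot: a few wording and accuracy fixes in the faq.md hunk before merge: "Windows worker nodes requires" should be "require", "Wtih" in step 4 should be "With", and "config-map-aws-auth" should name the `aws-auth` ConfigMap so readers can find it. Both fenced blocks carry no language tag; the rest of the FAQ uses `hcl`. More importantly, step 2 has the user apply the `eks:kube-proxy-windows` ClusterRole and related objects by hand from the AWS page, which puts them outside Terraform state; the text should say plainly that this step has to be repeated if the cluster is rebuilt, since the hunk already warns that `aws-auth` must be re-applied for existing clusters. The first block also sets `platform = "linux"` explicitly while the sentence calls it the default; either drop the line or say it is shown for contrast with the Windows group.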
@@ -14,7 +14,7 @@ project adheres to [Semantic Versioning](http://semver.org/). - [CI] Bump pre-commit-terraform version (by @barryib) - Added example `examples/irsa` for IAM Roles for Service Accounts (by @max-rocket-internet) - **Breaking:** Removal of autoscaling IAM policy and tags (by @max-rocket-internet) -- Add `iam:GetOpenIDConnectProvider` grant to the required IAM permissions in `docs/iam-permissions.md` (by @danielelisi) +- Add `iam:{Create,Delete,Get}OpenIDConnectProvider` grants to the list of required IAM permissions in `docs/iam-permissions.md` (by @danielelisi) #### Important notes diff --git a/docs/iam-permissions.md b/docs/iam-permissions.md index 9c15083409..f0e161140c 100644 --- a/docs/iam-permissions.md +++ b/docs/iam-permissions.md @@ -86,11 +86,13 @@ Following IAM permissions are the minimum permissions needed for your IAM user o "iam:AddRoleToInstanceProfile", "iam:AttachRolePolicy", "iam:CreateInstanceProfile", + "iam:CreateOpenIDConnectProvider", "iam:CreateServiceLinkedRole", "iam:CreatePolicy", "iam:CreatePolicyVersion", "iam:CreateRole", "iam:DeleteInstanceProfile", + "iam:DeleteOpenIDConnectProvider", "iam:DeletePolicy", "iam:DeleteRole", "iam:DeleteRolePolicy", From 10ca272e5b7ce006a721c99ef8906720ff5cd6ee Mon Sep 17 00:00:00 2001 From: Matthias Splieth Date: Fri, 14 Feb 2020 10:10:29 +0100 Subject: [PATCH 08/47] Add option to set the name of a node group manually (#739) --- CHANGELOG.md | 1 + modules/node_groups/README.md | 1 + modules/node_groups/node_groups.tf | 2 +- 3 files changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0213bb492d..3fd48e438d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
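Review bot: the subject line says `iam:{Create,Delete}OpenIDProviderConnect` while the hunk (correctly) adds `iam:CreateOpenIDConnectProvider` and `iam:DeleteOpenIDConnectProvider`; fix the subject so a search of history for the real action name finds this commit. In the policy hunk, the doc still introduces the list as the minimum permissions without saying that the three `*OpenIDConnectProvider` actions are only exercised when the module creates the OIDC provider for IRSA; a short qualifier would let users who never enable IRSA leave them out.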
@@ -15,6 +15,7 @@ project adheres to [Semantic Versioning](http://semver.org/). - Added example `examples/irsa` for IAM Roles for Service Accounts (by @max-rocket-internet) - **Breaking:** Removal of autoscaling IAM policy and tags (by @max-rocket-internet) - Add `iam:{Create,Delete,Get}OpenIDConnectProvider` grants to the list of required IAM permissions in `docs/iam-permissions.md` (by @danielelisi) +- Add an `name` parameter to be able to manually name EKS Managed Node Groups (by @splieth) #### Important notes diff --git a/modules/node_groups/README.md b/modules/node_groups/README.md index 5681ff769e..6ac8842f35 100644 --- a/modules/node_groups/README.md +++ b/modules/node_groups/README.md @@ -28,6 +28,7 @@ The role ARN specified in `var.default_iam_role_arn` will be used by default. In | key\_name | Key name for workers. Set to empty string to disable remote access | string | `var.workers_group_defaults[key_name]` | | max\_capacity | Max number of workers | number | `var.workers_group_defaults[asg_max_size]` | | min\_capacity | Min number of workers | number | `var.workers_group_defaults[asg_min_size]` | +| name | Name of the node group | string | Auto generated | | source\_security\_group\_ids | Source security groups for remote access to workers | list(string) | If key\_name is specified: THE REMOTE ACCESS WILL BE OPENED TO THE WORLD | | subnets | Subnets to contain workers | list(string) | `var.workers_group_defaults[subnets]` | | version | Kubernetes version | string | Provider default behavior | diff --git a/modules/node_groups/node_groups.tf b/modules/node_groups/node_groups.tf index e42a4ee6c4..62dc6bff98 100644 --- a/modules/node_groups/node_groups.tf +++ b/modules/node_groups/node_groups.tf 
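Review bot: CHANGELOG entry reads "Add an `name` parameter"; should be "a `name`". In the README row, "Auto generated" would be more useful as the actual format, `<cluster_name>-<key>-<random_pet>`, so users can tell which groups were named explicitly when they look at the console, and the row should mention that `name` must be unique within the cluster.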
@@ -1,7 +1,7 @@ resource "aws_eks_node_group" "workers" { for_each = local.node_groups_expanded - node_group_name = join("-", [var.cluster_name, each.key, random_pet.node_groups[each.key].id]) + node_group_name = lookup(each.value, "name", join("-", [var.cluster_name, each.key, random_pet.node_groups[each.key].id])) cluster_name = var.cluster_name node_role_arn = each.value["iam_role_arn"] From f2cc9f503919d5a0a4a16fe3c8336d6d155fe48f Mon Sep 17 00:00:00 2001 From: Ryan Ooi Date: Thu, 27 Feb 2020 18:23:41 +0800 Subject: [PATCH 09/47] Revert #631. Add back manage security group flag (#722) * Revert #631 * fix README lint * fix README lint for bool --- CHANGELOG.md | 1 + README.md | 2 ++ cluster.tf | 6 +++--- local.tf | 4 ++-- variables.tf | 12 ++++++++++++ workers.tf | 12 ++++++------ 6 files changed, 26 insertions(+), 11 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3fd48e438d..26ff3f3a1e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,7 @@ project adheres to [Semantic Versioning](http://semver.org/). ## Next release ## [[v8.?.?](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v8.2.0...HEAD)] - 2020-xx-xx] +- Revert #631. Add back manage security group flags. (by @ryanooi) - Added instructions for how to add Windows nodes (by @ivanguravel) - [CI] Switch `Validate` github action to use env vars (by @max-rocket-internet) diff --git a/README.md b/README.md index 8c4a916905..97ac363496 100644 --- a/README.md +++ b/README.md 
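Review bot: `node_group_name` forces replacement on `aws_eks_node_group`, so moving an existing group between the auto-generated name and an explicit `name` (or changing an explicit one) destroys and recreates it; the README row should say so. Also, if the `random_pet` suffix exists so that a replacement group can come up under a fresh name before the old one is destroyed, a fixed `name` defeats that and the replacement collides with the still-existing group; document that limitation alongside the new parameter.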
@@ -162,6 +162,7 @@ MIT Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-a | Name | Description | Type | Default | Required | |------|-------------|------|---------|:-----:| | attach\_worker\_cni\_policy | Whether to attach the Amazon managed `AmazonEKS_CNI_Policy` IAM policy to the default worker IAM role. WARNING: If set `false` the permissions must be assigned to the `aws-node` DaemonSet pods via another method or nodes will not be able to join the cluster. | `bool` | `true` | no | +| cluster\_create\_security\_group | Whether to create a security group for the cluster or attach the cluster to `cluster_security_group_id`. | `bool` | `true` | no | | cluster\_create\_timeout | Timeout value when creating the EKS cluster. | `string` | `"15m"` | no | | cluster\_delete\_timeout | Timeout value when deleting the EKS cluster. | `string` | `"15m"` | no | | cluster\_enabled\_log\_types | A list of the desired control plane logging to enable. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html) | `list(string)` | `[]` | no | 
@@ -203,6 +204,7 @@ MIT Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-a | worker\_ami\_owner\_id | The ID of the owner for the AMI to use for the AWS EKS workers. Valid values are an AWS account ID, 'self' (the current account), or an AWS owner alias (e.g. 'amazon', 'aws-marketplace', 'microsoft'). | `string` | `"602401143452"` | no | | worker\_ami\_owner\_id\_windows | The ID of the owner for the AMI to use for the AWS EKS Windows workers. Valid values are an AWS account ID, 'self' (the current account), or an AWS owner alias (e.g. 'amazon', 'aws-marketplace', 'microsoft'). | `string` | `"801119661308"` | no | | worker\_create\_initial\_lifecycle\_hooks | Whether to create initial lifecycle hooks provided in worker groups. | `bool` | `false` | no | +| worker\_create\_security\_group | Whether to create a security group for the workers or attach the workers to `worker_security_group_id`. | `bool` | `true` | no | | worker\_groups | A list of maps defining worker group configurations to be defined using AWS Launch Configurations. See workers\_group\_defaults for valid keys. | `any` | `[]` | no | | worker\_groups\_launch\_template | A list of maps defining worker group configurations to be defined using AWS Launch Templates. See workers\_group\_defaults for valid keys. | `any` | `[]` | no | | worker\_security\_group\_id | If provided, all workers will be attached to this security group. If not given, a security group will be created with necessary ingress/egress to work with the EKS cluster. | `string` | `""` | no | diff --git a/cluster.tf b/cluster.tf index 0739f49439..c5439adea7 100644 --- a/cluster.tf +++ b/cluster.tf 
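Review bot: the new `cluster_create_security_group` and `worker_create_security_group` rows leave the existing `worker_security_group_id` row (and by symmetry the `cluster_security_group_id` one) stale: it still says "If not given, a security group will be created", but after this patch creation is governed only by the boolean, and a provided ID is ignored while the flag stays `true`. Update both ID descriptions to say the value is only used when the matching `*_create_security_group` is `false`.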
@@ -50,7 +50,7 @@ resource "null_resource" "wait_for_cluster" { } resource "aws_security_group" "cluster" { - count = var.cluster_security_group_id == "" && var.create_eks ? 1 : 0 + count = var.cluster_create_security_group && var.create_eks ? 1 : 0 name_prefix = var.cluster_name description = "EKS cluster security group." vpc_id = var.vpc_id @@ -63,7 +63,7 @@ resource "aws_security_group" "cluster" { } resource "aws_security_group_rule" "cluster_egress_internet" { - count = var.cluster_security_group_id == "" && var.create_eks ? 1 : 0 + count = var.cluster_create_security_group && var.create_eks ? 1 : 0 description = "Allow cluster egress access to the Internet." protocol = "-1" security_group_id = local.cluster_security_group_id @@ -74,7 +74,7 @@ resource "aws_security_group_rule" "cluster_egress_internet" { } resource "aws_security_group_rule" "cluster_https_worker_ingress" { - count = var.worker_security_group_id == "" && var.create_eks ? 1 : 0 + count = var.cluster_create_security_group && var.create_eks ? 1 : 0 description = "Allow pods to communicate with the EKS cluster API." protocol = "tcp" security_group_id = local.cluster_security_group_id diff --git a/local.tf b/local.tf index 2487de3009..8ed32f8541 100644 --- a/local.tf +++ b/local.tf 
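Review bot: `cluster_https_worker_ingress` changes its gate from `var.worker_security_group_id == ""` to `var.cluster_create_security_group`, and that is a behaviour change rather than a plain revert of the flag. A user who brings their own cluster SG (`cluster_create_security_group = false`) used to get the port 443 ingress from the workers added to that SG; now nothing is added and workers cannot reach the API until the rule is created by hand. The other direction (module-created cluster SG always gets the rule even with a user-supplied worker SG) is the intended fix. Call the first case out in the CHANGELOG and in the variable description.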
@@ -8,10 +8,10 @@ locals { ) ] - cluster_security_group_id = var.cluster_security_group_id == "" ? join("", aws_security_group.cluster.*.id) : var.cluster_security_group_id + cluster_security_group_id = var.cluster_create_security_group ? join("", aws_security_group.cluster.*.id) : var.cluster_security_group_id cluster_iam_role_name = var.manage_cluster_iam_resources ? join("", aws_iam_role.cluster.*.name) : var.cluster_iam_role_name cluster_iam_role_arn = var.manage_cluster_iam_resources ? join("", aws_iam_role.cluster.*.arn) : join("", data.aws_iam_role.custom_cluster_iam_role.*.arn) - worker_security_group_id = var.worker_security_group_id == "" ? join("", aws_security_group.workers.*.id) : var.worker_security_group_id + worker_security_group_id = var.worker_create_security_group ? join("", aws_security_group.workers.*.id) : var.worker_security_group_id default_iam_role_id = concat(aws_iam_role.workers.*.id, [""])[0] kubeconfig_name = var.kubeconfig_name == "" ? "eks_${var.cluster_name}" : var.kubeconfig_name diff --git a/variables.tf b/variables.tf index b9fa6c4c0a..9ba78b441a 100644 --- a/variables.tf +++ b/variables.tf @@ -204,6 +204,18 @@ variable "wait_for_cluster_cmd" { default = "until curl -k -s $ENDPOINT/healthz >/dev/null; do sleep 4; done" } +variable "cluster_create_security_group" { + description = "Whether to create a security group for the cluster or attach the cluster to `cluster_security_group_id`." + type = bool + default = true +} + +variable "worker_create_security_group" { + description = "Whether to create a security group for the workers or attach the workers to `worker_security_group_id`." + type = bool + default = true +} + variable "worker_create_initial_lifecycle_hooks" { description = "Whether to create initial lifecycle hooks provided in worker groups." type = bool diff --git a/workers.tf b/workers.tf index 839452ed43..8d20bd8e12 100644 --- a/workers.tf +++ b/workers.tf 
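Review bot: with `cluster_security_group_id = var.cluster_create_security_group ? join(...) : var.cluster_security_group_id`, setting `cluster_security_group_id = "sg-..."` while leaving `cluster_create_security_group` at its default `true` creates a second SG and silently ignores the supplied one; the same applies to the worker pair, and because `aws_security_group.cluster` and `.workers` also key only on the flag, nothing in the plan flags the mismatch. At minimum the two new descriptions in variables.tf should say the ID is ignored unless the flag is `false`; better still, make the module error out when an ID is supplied together with a `true` flag, since a wrongly attached security group is a boundary the user believes is in place and is not.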
@@ -220,7 +220,7 @@ resource "random_pet" "workers" { } resource "aws_security_group" "workers" { - count = var.worker_security_group_id == "" && var.create_eks ? 1 : 0 + count = var.worker_create_security_group && var.create_eks ? 1 : 0 name_prefix = aws_eks_cluster.this[0].name description = "Security group for all nodes in the cluster." vpc_id = var.vpc_id @@ -234,7 +234,7 @@ resource "aws_security_group" "workers" { } resource "aws_security_group_rule" "workers_egress_internet" { - count = var.worker_security_group_id == "" && var.create_eks ? 1 : 0 + count = var.worker_create_security_group && var.create_eks ? 1 : 0 description = "Allow nodes all egress to the Internet." protocol = "-1" security_group_id = local.worker_security_group_id @@ -245,7 +245,7 @@ resource "aws_security_group_rule" "workers_egress_internet" { } resource "aws_security_group_rule" "workers_ingress_self" { - count = var.worker_security_group_id == "" && var.create_eks ? 1 : 0 + count = var.worker_create_security_group && var.create_eks ? 1 : 0 description = "Allow node to communicate with each other." protocol = "-1" security_group_id = local.worker_security_group_id @@ -256,7 +256,7 @@ resource "aws_security_group_rule" "workers_ingress_self" { } resource "aws_security_group_rule" "workers_ingress_cluster" { - count = var.worker_security_group_id == "" && var.create_eks ? 1 : 0 + count = var.worker_create_security_group && var.create_eks ? 1 : 0 description = "Allow workers pods to receive communication from the cluster control plane." protocol = "tcp" security_group_id = local.worker_security_group_id 
@@ -267,7 +267,7 @@ resource "aws_security_group_rule" "workers_ingress_cluster" { } resource "aws_security_group_rule" "workers_ingress_cluster_kubelet" { - count = var.worker_security_group_id == "" && var.create_eks ? var.worker_sg_ingress_from_port > 10250 ? 1 : 0 : 0 + count = var.worker_create_security_group && var.create_eks ? var.worker_sg_ingress_from_port > 10250 ? 1 : 0 : 0 description = "Allow workers Kubelets to receive communication from the cluster control plane." protocol = "tcp" security_group_id = local.worker_security_group_id @@ -278,7 +278,7 @@ resource "aws_security_group_rule" "workers_ingress_cluster_kubelet" { } resource "aws_security_group_rule" "workers_ingress_cluster_https" { - count = var.worker_security_group_id == "" && var.create_eks ? 1 : 0 + count = var.worker_create_security_group && var.create_eks ? 1 : 0 description = "Allow pods running extension API servers on port 443 to receive communication from cluster control plane." protocol = "tcp" security_group_id = local.worker_security_group_id From 3e4483517269f26591e3d54ea86233a5b5e97268 Mon Sep 17 00:00:00 2001 From: Dawid Rogaczewski Date: Thu, 27 Feb 2020 11:31:20 +0100 Subject: [PATCH 10/47] change default value for wait_for_cluster_cmd (#750) * change wait_for_cluster_cmd method change default method for wait_for_cluster_cmd from curl to wget to solve https://github.com/terraform-aws-modules/terraform-aws-eks/issues/741 * Update CHANGELOG.md * update docs Co-authored-by: Max Williams --- CHANGELOG.md | 1 + README.md | 2 +- variables.tf | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 26ff3f3a1e..82479d4835 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
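Review bot: the workers.tf rule counts are now all keyed on `var.worker_create_security_group && var.create_eks`, which is consistent. One style point while these lines are being touched: `workers_ingress_cluster_kubelet` keeps the nested ternary `? var.worker_sg_ingress_from_port > 10250 ? 1 : 0 : 0`, which now reads as a plain conjunction and would be clearer as `var.worker_create_security_group && var.create_eks && var.worker_sg_ingress_from_port > 10250 ? 1 : 0`.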
@@ -17,6 +17,7 @@ project adheres to [Semantic Versioning](http://semver.org/). - **Breaking:** Removal of autoscaling IAM policy and tags (by @max-rocket-internet) - Add `iam:{Create,Delete,Get}OpenIDConnectProvider` grants to the list of required IAM permissions in `docs/iam-permissions.md` (by @danielelisi) - Add an `name` parameter to be able to manually name EKS Managed Node Groups (by @splieth) +- Change variable default `wait_for_cluster_cmd` from curl to wget (by @daroga0002) #### Important notes diff --git a/README.md b/README.md index 97ac363496..3f4b265cb9 100644 --- a/README.md +++ b/README.md 
@@ -197,7 +197,7 @@ MIT Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-a | subnets | A list of subnets to place the EKS cluster and workers within. | `list(string)` | n/a | yes | | tags | A map of tags to add to all resources. | `map(string)` | `{}` | no | | vpc\_id | VPC where the cluster and workers will be deployed. | `string` | n/a | yes | -| wait\_for\_cluster\_cmd | Custom local-exec command to execute for determining if the eks cluster is healthy. Cluster endpoint will be available as an environment variable called ENDPOINT | `string` | `"until curl -k -s $ENDPOINT/healthz \u003e/dev/null; do sleep 4; done"` | no | +| wait\_for\_cluster\_cmd | Custom local-exec command to execute for determining if the eks cluster is healthy. Cluster endpoint will be available as an environment variable called ENDPOINT | `string` | `"until wget --no-check-certificate -O - -q $ENDPOINT/healthz \u003e/dev/null; do sleep 4; done"` | no | | worker\_additional\_security\_group\_ids | A list of additional security group ids to attach to worker instances | `list(string)` | `[]` | no | | worker\_ami\_name\_filter | Name filter for AWS EKS worker AMI. If not provided, the latest official AMI for the specified 'cluster\_version' is used. | `string` | `""` | no | | worker\_ami\_name\_filter\_windows | Name filter for AWS EKS Windows worker AMI. If not provided, the latest official AMI for the specified 'cluster\_version' is used. | `string` | `""` | no | diff --git a/variables.tf b/variables.tf index 9ba78b441a..b53766d912 100644 --- a/variables.tf +++ b/variables.tf 
@@ -201,7 +201,7 @@ variable "cluster_delete_timeout" { variable "wait_for_cluster_cmd" { description = "Custom local-exec command to execute for determining if the eks cluster is healthy. Cluster endpoint will be available as an environment variable called ENDPOINT" type = string - default = "until curl -k -s $ENDPOINT/healthz >/dev/null; do sleep 4; done" + default = "until wget --no-check-certificate -O - -q $ENDPOINT/healthz >/dev/null; do sleep 4; done" } variable "cluster_create_security_group" { From dda244994df974b7769dd078c060680161d36966 Mon Sep 17 00:00:00 2001 From: Andres De Castro Date: Thu, 27 Feb 2020 05:36:32 -0500 Subject: [PATCH 11/47] Pin version for kubernetes provider across examples to exactly 1.10.0 (#735) * Update README.md * Update main.tf * Update main.tf * Update main.tf * Update main.tf * Update main.tf * Update README.md * Update README.md * Update CHANGELOG.md Co-authored-by: Max Williams --- CHANGELOG.md | 1 + README.md | 2 +- examples/basic/main.tf | 2 +- examples/irsa/main.tf | 2 +- examples/launch_templates/main.tf | 2 +- examples/managed_node_groups/main.tf | 2 +- examples/spot_instances/main.tf | 2 +- 7 files changed, 7 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 82479d4835..8f05a81033 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,6 +17,7 @@ project adheres to [Semantic Versioning](http://semver.org/). - **Breaking:** Removal of autoscaling IAM policy and tags (by @max-rocket-internet) - Add `iam:{Create,Delete,Get}OpenIDConnectProvider` grants to the list of required IAM permissions in `docs/iam-permissions.md` (by @danielelisi) - Add an `name` parameter to be able to manually name EKS Managed Node Groups (by @splieth) +- Pinned kubernetes provider version to exactly 1.10.0 across all examples and README.md's (by @andres-de-castro) - Change variable default `wait_for_cluster_cmd` from curl to wget (by @daroga0002) #### Important notes 
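Review bot: `wget --no-check-certificate` carries the same TLS-verification bypass as the `curl -k` it replaces, so the trust model is unchanged (the probe only gates on reachability of `/healthz` and makes no trust decision), but the variable description should state that the command runs on the machine executing Terraform and now needs `wget` rather than `curl`, and the CHANGELOG entry should say so too, since users whose runner image has only curl will now hang in the loop. If a verified probe is wanted later, passing the cluster CA from `certificate_authority.0.data` via `--ca-certificate` would remove the bypass; `$ENDPOINT` should also be quoted in the default.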
diff --git a/README.md b/README.md index 3f4b265cb9..f87546259d 100644 --- a/README.md +++ b/README.md @@ -75,7 +75,7 @@ provider "kubernetes" { cluster_ca_certificate = base64decode(element(concat(data.aws_eks_cluster.cluster[*].certificate_authority.0.data, list("")), 0)) token = element(concat(data.aws_eks_cluster_auth.cluster[*].token, list("")), 0) load_config_file = false - version = "~> 1.10" + version = "1.10" } # This cluster will not be created diff --git a/examples/basic/main.tf b/examples/basic/main.tf index 05b36f6a48..6a89c3fa41 100644 --- a/examples/basic/main.tf +++ b/examples/basic/main.tf @@ -36,7 +36,7 @@ provider "kubernetes" { cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data) token = data.aws_eks_cluster_auth.cluster.token load_config_file = false - version = "~> 1.10" + version = "1.10" } data "aws_availability_zones" "available" { diff --git a/examples/irsa/main.tf b/examples/irsa/main.tf index 2121a589ec..61cc54d6b3 100644 --- a/examples/irsa/main.tf +++ b/examples/irsa/main.tf @@ -32,7 +32,7 @@ provider "kubernetes" { cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data) token = data.aws_eks_cluster_auth.cluster.token load_config_file = false - version = "~> 1.10" + version = "1.10" } data "aws_availability_zones" "available" {} diff --git a/examples/launch_templates/main.tf b/examples/launch_templates/main.tf index 1c95a9fd83..534f2078bd 100644 --- a/examples/launch_templates/main.tf +++ b/examples/launch_templates/main.tf @@ -36,7 +36,7 @@ provider "kubernetes" { cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data) token = data.aws_eks_cluster_auth.cluster.token load_config_file = false - version = "~> 1.10" + version = "1.10" } data "aws_availability_zones" "available" { diff --git a/examples/managed_node_groups/main.tf b/examples/managed_node_groups/main.tf index c31abb36b5..c2b8c236f0 100644 
--- a/examples/managed_node_groups/main.tf +++ b/examples/managed_node_groups/main.tf @@ -36,7 +36,7 @@ provider "kubernetes" { cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data) token = data.aws_eks_cluster_auth.cluster.token load_config_file = false - version = "~> 1.10" + version = "1.10" } data "aws_availability_zones" "available" { diff --git a/examples/spot_instances/main.tf b/examples/spot_instances/main.tf index 8382d14c90..0dbb23e571 100644 --- a/examples/spot_instances/main.tf +++ b/examples/spot_instances/main.tf @@ -36,7 +36,7 @@ provider "kubernetes" { cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data) token = data.aws_eks_cluster_auth.cluster.token load_config_file = false - version = "~> 1.10" + version = "1.10" } data "aws_availability_zones" "available" { From da53b5cab317f67b3f10e42c3bfd09993a2d9877 Mon Sep 17 00:00:00 2001 From: Igor Konforti Date: Thu, 27 Feb 2020 11:41:41 +0100 Subject: [PATCH 12/47] changing timeout (#736) * change timeout * Update README.md Co-authored-by: Max Williams --- CHANGELOG.md | 1 + README.md | 2 +- variables.tf | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8f05a81033..8827deaf0f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,7 @@ project adheres to [Semantic Versioning](http://semver.org/). ## [[v8.?.?](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v8.2.0...HEAD)] - 2020-xx-xx] - Revert #631. Add back manage security group flags. (by @ryanooi) +- changed timeout for creating EKS (by @confiq) - Added instructions for how to add Windows nodes (by @ivanguravel) - [CI] Switch `Validate` github action to use env vars (by @max-rocket-internet) - [CI] Bump pre-commit-terraform version (by @barryib) diff --git a/README.md b/README.md index f87546259d..1c0a958f0e 100644 --- a/README.md +++ b/README.md 
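Review bot: `version = "1.10"` (which Terraform treats as `= 1.10.0`) in the README and every example turns a floating `~> 1.10` into a hard pin that blocks kubernetes provider patch releases, and the commit message gives no reason beyond a list of "Update main.tf". State in the CHANGELOG which provider change broke the examples so the pin can be lifted deliberately; if the intent is reproducible examples, `~> 1.10.0` would still hold the minor while allowing patch fixes. For the timeout change that follows: the CHANGELOG entry "changed timeout for creating EKS" gives no motivation either, and only `cluster_create_timeout` moves to `30m` while `cluster_delete_timeout` stays at `15m`; if control-plane provisioning has grown slower, say so, and consider whether delete needs the same headroom, since a delete that times out leaves a half-torn-down cluster in state.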
@@ -163,7 +163,7 @@ MIT Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-a |------|-------------|------|---------|:-----:| | attach\_worker\_cni\_policy | Whether to attach the Amazon managed `AmazonEKS_CNI_Policy` IAM policy to the default worker IAM role. WARNING: If set `false` the permissions must be assigned to the `aws-node` DaemonSet pods via another method or nodes will not be able to join the cluster. | `bool` | `true` | no | | cluster\_create\_security\_group | Whether to create a security group for the cluster or attach the cluster to `cluster_security_group_id`. | `bool` | `true` | no | -| cluster\_create\_timeout | Timeout value when creating the EKS cluster. | `string` | `"15m"` | no | +| cluster\_create\_timeout | Timeout value when creating the EKS cluster. | `string` | `"30m"` | no | | cluster\_delete\_timeout | Timeout value when deleting the EKS cluster. | `string` | `"15m"` | no | | cluster\_enabled\_log\_types | A list of the desired control plane logging to enable. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html) | `list(string)` | `[]` | no | | cluster\_endpoint\_private\_access | Indicates whether or not the Amazon EKS private API server endpoint is enabled. | `bool` | `false` | no | diff --git a/variables.tf b/variables.tf index b53766d912..eac18e5eeb 100644 --- a/variables.tf +++ b/variables.tf @@ -189,7 +189,7 @@ variable "kubeconfig_name" { variable "cluster_create_timeout" { description = "Timeout value when creating the EKS cluster." type = string - default = "15m" + default = "30m" } variable "cluster_delete_timeout" { From 908c656cf5da50d576d77696efac1d76dfb86a07 Mon Sep 17 00:00:00 2001 
From: Max Williams Date: Thu, 27 Feb 2020 13:26:13 +0100 Subject: [PATCH 13/47] New release: v9.0.0 (#752) * New release: v9.0.0 * Resolve comments from barryib --- CHANGELOG.md | 24 ++++++++++++------------ version | 2 +- 2 files changed, 13 insertions(+), 13 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8827deaf0f..5bf92ef9e7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -7,25 +7,29 @@ project adheres to [Semantic Versioning](http://semver.org/). ## Next release -## [[v8.?.?](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v8.2.0...HEAD)] - 2020-xx-xx] -- Revert #631. Add back manage security group flags. (by @ryanooi) +## [[v9.?.?](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v9.0.0...HEAD)] - 2020-xx-xx] + +- Write your awesome change here (by @you) + +# History -- changed timeout for creating EKS (by @confiq) +## [[v9.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v8.2.0...v9.0.0)] - 2020-02-27] + +- **Breaking:** Removal of autoscaling IAM policy and tags (by @max-rocket-internet) +- Revert #631. Add back manage security group flags. (by @ryanooi) +- Changed timeout for creating EKS (by @confiq) - Added instructions for how to add Windows nodes (by @ivanguravel) - [CI] Switch `Validate` github action to use env vars (by @max-rocket-internet) - [CI] Bump pre-commit-terraform version (by @barryib) - Added example `examples/irsa` for IAM Roles for Service Accounts (by @max-rocket-internet) -- **Breaking:** Removal of autoscaling IAM policy and tags (by @max-rocket-internet) - Add `iam:{Create,Delete,Get}OpenIDConnectProvider` grants to the list of required IAM permissions in `docs/iam-permissions.md` (by @danielelisi) -- Add an `name` parameter to be able to manually name EKS Managed Node Groups (by @splieth) +- Add a `name` parameter to be able to manually name EKS Managed Node Groups (by @splieth) - Pinned kubernetes provider version to exactly 1.10.0 across all examples and README.md's (by @andres-de-castro) - Change variable default `wait_for_cluster_cmd` from curl to wget (by @daroga0002) #### Important notes -Autoscaling policy and tags have been removed from this module. This reduces complexity and increases security as the policy was attached to the node group IAM role. 
To manage it outside of this module either follow the example in `examples/irsa` to attach an IAM role to the cluster-autoscaler `serviceAccount` or create the policy outside this module and pass it in using the `workers_additional_policies` variable. - -# History +Autoscaling policy and tags have been removed from this module. This reduces complexity and increases security as the policy was attached to the node group IAM role. To manage it outside of this module either follow the example in `examples/irsa` to attach an IAM role to the cluster-autoscaler `serviceAccount` or create [the policy](https://github.com/terraform-aws-modules/terraform-aws-eks/blob/v8.2.0/workers.tf#L361-L416) outside this module and pass it in using the `workers_additional_policies` variable. ## [[v8.2.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v8.1.0...v8.2.0)] - 2020-01-29] @@ -33,8 +37,6 @@ Autoscaling policy and tags have been removed from this module. This reduces com - Disable creation of ingress rules if worker nodes security groups are exists (@andjelx) - [CI] Update pre-commit and re-generate docs to work with terraform-docs >= 0.8.1 (@barryib) -# History - ## [[v8.1.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v8.0.0...v8.1.0)] - 2020-01-17] - Fix index reference on destroy for output `oidc_provider_arn` (@stevie-) @@ -82,8 +84,6 @@ For security group whitelisting change. After upgrade, have to remove `cluster_c terraform import module.eks.aws_security_group_rule.cluster_https_worker_ingress _ingress_tcp_443_443_ ``` -# History - ## [[v7.0.1](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v7.0.1...v7.0.0)] - 2019-12-11] - Test against minimum versions specified in `versions.tf` (by @dpiddockcmp) diff --git a/version b/version index 7c330f2dc9..40ed13353f 100644 --- a/version +++ b/version @@ -1 +1 @@ -v8.2.0 +v9.0.0 From 81ded922c811ca4b1f1ca299d083b367698e7c69 Mon Sep 17 00:00:00 2001 
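Review bot: the unchanged context at the end of the last CHANGELOG hunk still carries the reversed compare link `## [[v7.0.1](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v7.0.1...v7.0.0)]`; since this release PR is already reshuffling the history section, flipping the endpoints to `v7.0.0...v7.0.1` would make that link show the v7.0.1 diff instead of an empty one.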
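Review bot: pinning the removed autoscaling policy to `blob/v8.2.0/workers.tf#L361-L416` in the new "Important notes" paragraph is the right call, since a link to master would stop resolving once the policy is gone; it would help readers to add one sentence there saying that the `examples/irsa` route scopes the autoscaling permissions to the cluster-autoscaler service account only, whereas `workers_additional_policies` puts them back on every node in the group, which is the exposure this release is removing.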
From: SW Date: Wed, 4 Mar 2020 15:59:58 +0100 Subject: [PATCH 14/47] cluster-autoscaler shouldn't be scheduled on spot (#755) * cluster-autoscaler shouldn't be scheduled on spot Update documentation to schedule cluster-autoscaler on normal instances. * Update CHANGELOG.md --- CHANGELOG.md | 2 +- docs/spot-instances.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5bf92ef9e7..5268625b78 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,7 +9,7 @@ project adheres to [Semantic Versioning](http://semver.org/). ## [[v9.?.?](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v9.0.0...HEAD)] - 2020-xx-xx] -- Write your awesome change here (by @you) +- Fix doc about spot instances, cluster-autoscaler should be scheduled on normal instances instead of spot (by @simowaer) # History diff --git a/docs/spot-instances.md b/docs/spot-instances.md index 1a5da6e79e..e8a31e45ab 100644 --- a/docs/spot-instances.md +++ b/docs/spot-instances.md @@ -12,7 +12,7 @@ In the following examples at least 1 worker group that uses on-demand instances ```yaml nodeSelector: - kubernetes.io/lifecycle: spot + kubernetes.io/lifecycle: normal ``` Notes: From 276e41f7440e1811f3fa44ebe3ee3e13cf89cac1 Mon Sep 17 00:00:00 2001 From: Craig Rueda Date: Fri, 6 Mar 2020 03:54:12 -0800 Subject: [PATCH 15/47] Adding encrypted option to root_block_device of launch_configuration (#761) * Adding encrypted option to root_block_device of launch_configuration * Updating CHANGELOG.md * Setting back to empty string --- CHANGELOG.md | 1 + workers.tf | 5 +++++ 2 files changed, 6 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5268625b78..fb88268f50 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
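Review bot: the docs/spot-instances.md hunk switches the selector to `kubernetes.io/lifecycle: normal`, which only schedules the autoscaler if the on-demand worker groups earlier in that document label their nodes with exactly that value; please confirm the examples above the snippet use `normal` and not another spelling, otherwise the cluster-autoscaler pod stays Pending. A short sentence on the rationale (the component that replaces interrupted capacity must not itself run on interruptible capacity) would make the change self-explanatory to readers.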
@@ -10,6 +10,7 @@ project adheres to [Semantic Versioning](http://semver.org/). ## [[v9.?.?](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v9.0.0...HEAD)] - 2020-xx-xx] - Fix doc about spot instances, cluster-autoscaler should be scheduled on normal instances instead of spot (by @simowaer) +- Adding `encrypted` option to worker's root_block_device as read from the worker configurations (by @craig-rueda) # History diff --git a/workers.tf b/workers.tf index 8d20bd8e12..4c1a6a05f4 100644 --- a/workers.tf +++ b/workers.tf @@ -185,6 +185,11 @@ resource "aws_launch_configuration" "workers" { ) root_block_device { + encrypted = lookup( + var.worker_groups[count.index], + "root_encrypted", + local.workers_group_defaults["root_encrypted"], + ) volume_size = lookup( var.worker_groups[count.index], "root_volume_size", From 8382f2c4e81cbbdc97f76bee828b855fd0d34787 Mon Sep 17 00:00:00 2001 From: Yecheng Fu Date: Mon, 9 Mar 2020 23:02:53 +0800 Subject: [PATCH 16/47] use the correct policy arns if the region is in CN (#765) --- CHANGELOG.md | 1 + cluster.tf | 4 ++-- data.tf | 2 ++ local.tf | 1 + workers.tf | 6 +++--- 5 files changed, 9 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fb88268f50..a248bba146 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,6 +11,7 @@ project adheres to [Semantic Versioning](http://semver.org/). - Fix doc about spot instances, cluster-autoscaler should be scheduled on normal instances instead of spot (by @simowaer) - Adding `encrypted` option to worker's root_block_device as read from the worker configurations (by @craig-rueda) +- Use correct policy arns for CN regions (cn-north-1, cn-northwest-1) (by @cofyc) # History diff --git a/cluster.tf b/cluster.tf index c5439adea7..a327e920b6 100644 --- a/cluster.tf +++ b/cluster.tf 
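Review bot: in the workers.tf hunk of #761, `encrypted` on `root_block_device` is a boolean argument, but the fallback `local.workers_group_defaults["root_encrypted"]` is the empty string (the value #766 later in this series changes to `false`); Terraform 0.12 does not convert `""` to a bool, so every worker group that leaves `root_encrypted` unset fails at plan time with "a bool is required". Default the key to `false` (or, from a security standpoint, `true`) in the same PR, add `root_encrypted` to the documented worker-group options, and note that the diffstat touches only the launch-configuration path, so `workers_launch_template.tf` still has no way to encrypt the root volume.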
@@ -96,12 +96,12 @@ resource "aws_iam_role" "cluster" { resource "aws_iam_role_policy_attachment" "cluster_AmazonEKSClusterPolicy" { count = var.manage_cluster_iam_resources && var.create_eks ? 1 : 0 - policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy" + policy_arn = "${local.policy_arn_prefix}/AmazonEKSClusterPolicy" role = local.cluster_iam_role_name } resource "aws_iam_role_policy_attachment" "cluster_AmazonEKSServicePolicy" { count = var.manage_cluster_iam_resources && var.create_eks ? 1 : 0 - policy_arn = "arn:aws:iam::aws:policy/AmazonEKSServicePolicy" + policy_arn = "${local.policy_arn_prefix}/AmazonEKSServicePolicy" role = local.cluster_iam_role_name } diff --git a/data.tf b/data.tf index f43ac9e680..d945c52833 100644 --- a/data.tf +++ b/data.tf @@ -221,3 +221,5 @@ data "aws_iam_instance_profile" "custom_worker_group_launch_template_iam_instanc local.workers_group_defaults["iam_instance_profile_name"], ) } + +data "aws_region" "current" {} diff --git a/local.tf b/local.tf index 8ed32f8541..a959cc3360 100644 --- a/local.tf +++ b/local.tf @@ -22,6 +22,7 @@ locals { default_ami_id_linux = data.aws_ami.eks_worker.id default_ami_id_windows = data.aws_ami.eks_worker_windows.id + policy_arn_prefix = contains(["cn-northwest-1", "cn-north-1"], data.aws_region.current.name) ? "arn:aws-cn:iam::aws:policy" : "arn:aws:iam::aws:policy" workers_group_defaults_defaults = { name = "count.index" # Name of the worker group. Literal count.index will never be used but if name is not set, the count.index interpolation will be used. tags = [] # A list of map defining extra tags to be applied to the worker group autoscaling group. diff --git a/workers.tf b/workers.tf index 4c1a6a05f4..c198c5bca4 100644 --- a/workers.tf +++ b/workers.tf 
@@ -318,19 +318,19 @@ resource "aws_iam_instance_profile" "workers" { resource "aws_iam_role_policy_attachment" "workers_AmazonEKSWorkerNodePolicy" { count = var.manage_worker_iam_resources && var.create_eks ? 1 : 0 - policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy" + policy_arn = "${local.policy_arn_prefix}/AmazonEKSWorkerNodePolicy" role = aws_iam_role.workers[0].name } resource "aws_iam_role_policy_attachment" "workers_AmazonEKS_CNI_Policy" { count = var.manage_worker_iam_resources && var.attach_worker_cni_policy && var.create_eks ? 1 : 0 - policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy" + policy_arn = "${local.policy_arn_prefix}/AmazonEKS_CNI_Policy" role = aws_iam_role.workers[0].name } resource "aws_iam_role_policy_attachment" "workers_AmazonEC2ContainerRegistryReadOnly" { count = var.manage_worker_iam_resources && var.create_eks ? 1 : 0 - policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly" + policy_arn = "${local.policy_arn_prefix}/AmazonEC2ContainerRegistryReadOnly" role = aws_iam_role.workers[0].name } From 6784824595ee4fba0660e049dc1cdfa564d83976 Mon Sep 17 00:00:00 2001 From: Craig Rueda Date: Mon, 9 Mar 2020 15:25:05 -0700 Subject: [PATCH 17/47] 'root_encrypted' -> bool (#766) --- local.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/local.tf b/local.tf index a959cc3360..2151439569 100644 --- a/local.tf +++ b/local.tf 
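Review bot: in the local.tf hunk of #765, deriving the prefix from a hard-coded region list (`contains(["cn-northwest-1", "cn-north-1"], data.aws_region.current.name)`) covers China but not the `aws-us-gov` partition, and any region later added to a non-standard partition silently falls back to the wrong `arn:aws:` prefix. The `aws_partition` data source exposes the partition directly, so `"arn:${data.aws_partition.current.partition}:iam::aws:policy"` (with a `data "aws_partition" "current" {}` beside the new `aws_region` data source) removes the lookup table and handles every partition.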
@@ -67,7 +67,7 @@ locals { launch_template_version = "$Latest" # The lastest version of the launch template to use in the autoscaling group launch_template_placement_tenancy = "default" # The placement tenancy for instances launch_template_placement_group = "" # The name of the placement group into which to launch the instances, if any. - root_encrypted = "" # Whether the volume should be encrypted or not + root_encrypted = false # Whether the volume should be encrypted or not eni_delete = true # Delete the Elastic Network Interface (ENI) on termination (if set to false you will have to manually delete before destroying) cpu_credits = "standard" # T2/T3 unlimited mode, can be 'standard' or 'unlimited'. Used 'standard' mode as default to avoid paying higher costs market_type = null From 198294c0b6451f3908cbe0fce192071829588338 Mon Sep 17 00:00:00 2001 From: Siddarth Prakash <1428486+sidprak@users.noreply.github.com> Date: Mon, 9 Mar 2020 18:31:52 -0400 Subject: [PATCH 18/47] Add support for ASG max instance lifetime (#769) Co-authored-by: Thierno IB. BARRY --- CHANGELOG.md | 1 + local.tf | 1 + workers.tf | 5 +++++ workers_launch_template.tf | 5 +++++ 4 files changed, 12 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index a248bba146..f2ec8e8416 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,7 @@ project adheres to [Semantic Versioning](http://semver.org/). - Fix doc about spot instances, cluster-autoscaler should be scheduled on normal instances instead of spot (by @simowaer) - Adding `encrypted` option to worker's root_block_device as read from the worker configurations (by @craig-rueda) - Use correct policy arns for CN regions (cn-north-1, cn-northwest-1) (by @cofyc) +- Add support for ASG max instance lifetime (by @sidprak) # History diff --git a/local.tf b/local.tf index 2151439569..e4969f7408 100644 --- a/local.tf +++ b/local.tf 
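Review bot: the local.tf change from `""` to `false` fixes the type mismatch, but the diffstat shows no CHANGELOG entry, even though the option itself was logged in #761 just above; add a line stating that `root_encrypted` is now a bool so users who mirrored the old default in their own `workers_group_defaults` know to change it.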
@@ -79,6 +79,7 @@ locals { spot_allocation_strategy = "lowest-price" # Valid options are 'lowest-price' and 'capacity-optimized'. If 'lowest-price', the Auto Scaling group launches instances using the Spot pools with the lowest price, and evenly allocates your instances across the number of Spot pools. If 'capacity-optimized', the Auto Scaling group launches instances using Spot pools that are optimally chosen based on the available Spot capacity. spot_instance_pools = 10 # "Number of Spot pools per availability zone to allocate capacity. EC2 Auto Scaling selects the cheapest Spot pools and evenly allocates Spot capacity across the number of Spot pools that you specify." spot_max_price = "" # Maximum price per unit hour that the user is willing to pay for the Spot instances. Default is the on-demand price + max_instance_lifetime = 0 # Maximum number of seconds instances can run in the ASG. 0 is unlimited. } workers_group_defaults = merge( diff --git a/workers.tf b/workers.tf index c198c5bca4..a4b9a3c222 100644 --- a/workers.tf +++ b/workers.tf @@ -73,6 +73,11 @@ resource "aws_autoscaling_group" "workers" { "termination_policies", local.workers_group_defaults["termination_policies"] ) + max_instance_lifetime = lookup( + var.worker_groups_launch_template[count.index], + "max_instance_lifetime", + local.workers_group_defaults["max_instance_lifetime"], + ) dynamic "initial_lifecycle_hook" { for_each = var.worker_create_initial_lifecycle_hooks ? lookup(var.worker_groups[count.index], "asg_initial_lifecycle_hooks", local.workers_group_defaults["asg_initial_lifecycle_hooks"]) : [] diff --git a/workers_launch_template.tf b/workers_launch_template.tf index ba51baaf9d..e3eb2ef4e1 100644 --- a/workers_launch_template.tf +++ b/workers_launch_template.tf 
@@ -72,6 +72,11 @@ resource "aws_autoscaling_group" "workers_launch_template" { "termination_policies", local.workers_group_defaults["termination_policies"] ) + max_instance_lifetime = lookup( + var.worker_groups_launch_template[count.index], + "max_instance_lifetime", + local.workers_group_defaults["max_instance_lifetime"], + ) dynamic mixed_instances_policy { iterator = item From f465e55721e31390fc64650c7c7eea517e862234 Mon Sep 17 00:00:00 2001 From: Arie Lev <34907201+ArieLevs@users.noreply.github.com> Date: Tue, 10 Mar 2020 12:20:11 +0200 Subject: [PATCH 19/47] Add ASG cooldown and health_check_grace_period (#770) * Add default_cooldown/health_check options * Update CHANGELOG.md * Update CHANGELOG.md Co-Authored-By: Thierno IB. BARRY Co-authored-by: Thierno IB. BARRY --- CHANGELOG.md | 1 + local.tf | 2 ++ workers.tf | 10 ++++++++++ workers_launch_template.tf | 10 ++++++++++ 4 files changed, 23 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index f2ec8e8416..983081f041 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,7 @@ project adheres to [Semantic Versioning](http://semver.org/). - Adding `encrypted` option to worker's root_block_device as read from the worker configurations (by @craig-rueda) - Use correct policy arns for CN regions (cn-north-1, cn-northwest-1) (by @cofyc) - Add support for ASG max instance lifetime (by @sidprak) +- Add `default_cooldown` and `health_check_grace_period` options to workers ASG (by @ArieLevs) # History diff --git a/local.tf b/local.tf index e4969f7408..11751767b7 100644 --- a/local.tf +++ b/local.tf 
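Review bot: in the workers.tf hunk of #769 the new lookup reads `var.worker_groups_launch_template[count.index]`, while the enclosing `aws_autoscaling_group.workers` resource iterates `var.worker_groups`; an index from one list is applied to the other, so launch-configuration groups pick up the lifetime configured on an unrelated launch-template group, or the plan fails with an index out of range when `worker_groups_launch_template` is the shorter list. It should be `var.worker_groups[count.index]`, as the `initial_lifecycle_hook` lookup directly below it does (this is what #771 later corrects).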
@@ -33,6 +33,8 @@ locals { asg_force_delete = false # Enable forced deletion for the autoscaling group. asg_initial_lifecycle_hooks = [] # Initital lifecycle hook for the autoscaling group. asg_recreate_on_change = false # Recreate the autoscaling group when the Launch Template or Launch Configuration change. + default_cooldown = null # The amount of time, in seconds, after a scaling activity completes before another scaling activity can start. + health_check_grace_period = null # Time in seconds after instance comes into service before checking health. instance_type = "m4.large" # Size of the workers instances. spot_price = "" # Cost of spot instance. placement_tenancy = "" # The tenancy of the instance. Valid values are "default" or "dedicated". diff --git a/workers.tf b/workers.tf index a4b9a3c222..66a19515c2 100644 --- a/workers.tf +++ b/workers.tf @@ -78,6 +78,16 @@ resource "aws_autoscaling_group" "workers" { "max_instance_lifetime", local.workers_group_defaults["max_instance_lifetime"], ) + default_cooldown = lookup( + var.worker_groups[count.index], + "default_cooldown", + local.workers_group_defaults["default_cooldown"] + ) + health_check_grace_period = lookup( + var.worker_groups[count.index], + "health_check_grace_period", + local.workers_group_defaults["health_check_grace_period"] + ) dynamic "initial_lifecycle_hook" { for_each = var.worker_create_initial_lifecycle_hooks ? lookup(var.worker_groups[count.index], "asg_initial_lifecycle_hooks", local.workers_group_defaults["asg_initial_lifecycle_hooks"]) : [] diff --git a/workers_launch_template.tf b/workers_launch_template.tf index e3eb2ef4e1..52ec738588 100644 --- a/workers_launch_template.tf +++ b/workers_launch_template.tf 
@@ -77,6 +77,16 @@ resource "aws_autoscaling_group" "workers_launch_template" { "max_instance_lifetime", local.workers_group_defaults["max_instance_lifetime"], ) + default_cooldown = lookup( + var.worker_groups_launch_template[count.index], + "default_cooldown", + local.workers_group_defaults["default_cooldown"] + ) + health_check_grace_period = lookup( + var.worker_groups_launch_template[count.index], + "health_check_grace_period", + local.workers_group_defaults["health_check_grace_period"] + ) dynamic mixed_instances_policy { iterator = item From 2715b01e4e3979070af9faf7d9763e4b529a9121 Mon Sep 17 00:00:00 2001 From: "Thierno IB. BARRY" Date: Tue, 10 Mar 2020 22:01:01 +0100 Subject: [PATCH 20/47] fix max_instance_lifetime for workers (#771) * fix max_instance_lifetime for workers * update changelog * update changelog --- CHANGELOG.md | 1 + workers.tf | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 983081f041..13f79d2f24 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,7 @@ project adheres to [Semantic Versioning](http://semver.org/). - Use correct policy arns for CN regions (cn-north-1, cn-northwest-1) (by @cofyc) - Add support for ASG max instance lifetime (by @sidprak) - Add `default_cooldown` and `health_check_grace_period` options to workers ASG (by @ArieLevs) +- Fix support for ASG max instance lifetime for workers (by @barryib) # History diff --git a/workers.tf b/workers.tf index 66a19515c2..ce2b27c601 100644 --- a/workers.tf +++ b/workers.tf @@ -74,7 +74,7 @@ resource "aws_autoscaling_group" "workers" { local.workers_group_defaults["termination_policies"] ) max_instance_lifetime = lookup( - var.worker_groups_launch_template[count.index], + var.worker_groups[count.index], "max_instance_lifetime", local.workers_group_defaults["max_instance_lifetime"], ) From 23c005e5ef6107a52af37e6c17e9d572ebc3d81d Mon Sep 17 00:00:00 2001 
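Review bot: the `default_cooldown` and `health_check_grace_period` lookups added in both workers.tf and workers_launch_template.tf omit the trailing comma after the `local.workers_group_defaults[...]` argument that the `max_instance_lifetime` lookup immediately above them uses; `terraform fmt` accepts both, but one style per resource keeps future diffs minimal. Using `null` as the default so the provider's own defaults apply is the right choice for a module and the local.tf comments describe the semantics clearly.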
From: Wolodja Wentland Date: Wed, 11 Mar 2020 11:26:06 +0000 Subject: [PATCH 21/47] Add EKS Secret envelope encryption support (#772) This adds support for configuring EKS clusters that utilise envelope encryption for Secrets: - https://aws.amazon.com/about-aws/whats-new/2020/03/amazon-eks-adds-envelope-encryption-for-secrets-with-aws-kms/ - https://aws.amazon.com/blogs/containers/using-eks-encryption-provider-support-for-defense-in-depth/ --- CHANGELOG.md | 1 + README.md | 3 +- cluster.tf | 11 +++ examples/secrets_encryption/main.tf | 118 +++++++++++++++++++++++ examples/secrets_encryption/outputs.tf | 24 +++++ examples/secrets_encryption/variables.tf | 52 ++++++++++ variables.tf | 9 ++ versions.tf | 2 +- 8 files changed, 218 insertions(+), 2 deletions(-) create mode 100644 examples/secrets_encryption/main.tf create mode 100644 examples/secrets_encryption/outputs.tf create mode 100644 examples/secrets_encryption/variables.tf diff --git a/CHANGELOG.md b/CHANGELOG.md index 13f79d2f24..86cfb3dd72 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,6 +15,7 @@ project adheres to [Semantic Versioning](http://semver.org/). - Add support for ASG max instance lifetime (by @sidprak) - Add `default_cooldown` and `health_check_grace_period` options to workers ASG (by @ArieLevs) - Fix support for ASG max instance lifetime for workers (by @barryib) +- Add support for envelope encryption of Secrets (by @babilen5) # History diff --git a/README.md b/README.md index 1c0a958f0e..7b2ad00b04 100644 --- a/README.md +++ b/README.md @@ -150,7 +150,7 @@ MIT Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-a | Name | Version | |------|---------| -| aws | >= 2.44.0 | +| aws | >= 2.52.0 | | kubernetes | >= 1.6.2 | | local | >= 1.2 | | null | >= 2.1 | 
@@ -166,6 +166,7 @@ MIT Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-a | cluster\_create\_timeout | Timeout value when creating the EKS cluster. | `string` | `"30m"` | no | | cluster\_delete\_timeout | Timeout value when deleting the EKS cluster. | `string` | `"15m"` | no | | cluster\_enabled\_log\_types | A list of the desired control plane logging to enable. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html) | `list(string)` | `[]` | no | +| cluster\_encryption\_config | Configuration block with encryption configuration for the cluster. See examples/secrets\_encryption/main.tf for example format |
list(object({
provider_key_arn = string
resources = list(string)
}))
| `[]` | no | | cluster\_endpoint\_private\_access | Indicates whether or not the Amazon EKS private API server endpoint is enabled. | `bool` | `false` | no | | cluster\_endpoint\_public\_access | Indicates whether or not the Amazon EKS public API server endpoint is enabled. | `bool` | `true` | no | | cluster\_endpoint\_public\_access\_cidrs | List of CIDR blocks which can access the Amazon EKS public API server endpoint. | `list(string)` |
[
"0.0.0.0/0"
]
| no | diff --git a/cluster.tf b/cluster.tf index a327e920b6..2e0ca6862a 100644 --- a/cluster.tf +++ b/cluster.tf @@ -27,6 +27,17 @@ resource "aws_eks_cluster" "this" { delete = var.cluster_delete_timeout } + dynamic encryption_config { + for_each = toset(var.cluster_encryption_config) + + content { + provider { + key_arn = encryption_config.value["provider_key_arn"] + } + resources = encryption_config.value["resources"] + } + } + depends_on = [ aws_iam_role_policy_attachment.cluster_AmazonEKSClusterPolicy, aws_iam_role_policy_attachment.cluster_AmazonEKSServicePolicy, diff --git a/examples/secrets_encryption/main.tf b/examples/secrets_encryption/main.tf new file mode 100644 index 0000000000..67057e24b8 --- /dev/null +++ b/examples/secrets_encryption/main.tf 
@@ -0,0 +1,118 @@ +terraform { + required_version = ">= 0.12.0" +} + +provider "aws" { + version = ">= 2.52.0" + region = var.region +} + +provider "random" { + version = "~> 2.1" +} + +provider "local" { + version = "~> 1.2" +} + +provider "null" { + version = "~> 2.1" +} + +provider "template" { + version = "~> 2.1" +} + +data "aws_eks_cluster" "cluster" { + name = module.eks.cluster_id +} + +data "aws_eks_cluster_auth" "cluster" { + name = module.eks.cluster_id +} + +provider "kubernetes" { + host = data.aws_eks_cluster.cluster.endpoint + cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data) + token = data.aws_eks_cluster_auth.cluster.token + load_config_file = false + version = "1.10" +} + +data "aws_availability_zones" "available" { +} + +locals { + cluster_name = "test-eks-${random_string.suffix.result}" +} + +resource "random_string" "suffix" { + length = 8 + special = false +} + +resource "aws_kms_key" "eks" { + description = "EKS Secret Encryption Key" +} + +module "vpc" { + source = "terraform-aws-modules/vpc/aws" + version = "2.6.0" + + name = "test-vpc" + cidr = "10.0.0.0/16" + azs = data.aws_availability_zones.available.names + private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"] + public_subnets = ["10.0.4.0/24", "10.0.5.0/24", "10.0.6.0/24"] + enable_nat_gateway = true + single_nat_gateway = true + enable_dns_hostnames = true + + tags = { + "kubernetes.io/cluster/${local.cluster_name}" = "shared" + } + + public_subnet_tags = { + "kubernetes.io/cluster/${local.cluster_name}" = "shared" + "kubernetes.io/role/elb" = "1" + } + + private_subnet_tags = { + "kubernetes.io/cluster/${local.cluster_name}" = "shared" + "kubernetes.io/role/internal-elb" = "1" + } +} + +module "eks" { + source = "../.." 
+ cluster_name = local.cluster_name + subnets = module.vpc.private_subnets + + cluster_encryption_config = [ + { + provider_key_arn = aws_kms_key.eks.arn + resources = ["secrets"] + } + ] + + tags = { + Environment = "test" + GithubRepo = "terraform-aws-eks" + GithubOrg = "terraform-aws-modules" + } + + vpc_id = module.vpc.vpc_id + + worker_groups = [ + { + name = "worker-group-1" + instance_type = "t2.small" + additional_userdata = "echo foo bar" + asg_desired_capacity = 2 + }, + ] + + map_roles = var.map_roles + map_users = var.map_users + map_accounts = var.map_accounts +} diff --git a/examples/secrets_encryption/outputs.tf b/examples/secrets_encryption/outputs.tf new file mode 100644 index 0000000000..51ddb024a2 --- /dev/null +++ b/examples/secrets_encryption/outputs.tf @@ -0,0 +1,24 @@ +output "cluster_endpoint" { + description = "Endpoint for EKS control plane." + value = module.eks.cluster_endpoint +} + +output "cluster_security_group_id" { + description = "Security group ids attached to the cluster control plane." + value = module.eks.cluster_security_group_id +} + +output "kubectl_config" { + description = "kubectl config as generated by the module." + value = module.eks.kubeconfig +} + +output "config_map_aws_auth" { + description = "A kubernetes configuration to authenticate to this EKS cluster." + value = module.eks.config_map_aws_auth +} + +output "region" { + description = "AWS region." + value = var.region +} diff --git a/examples/secrets_encryption/variables.tf b/examples/secrets_encryption/variables.tf new file mode 100644 index 0000000000..7085aeabd4 --- /dev/null +++ b/examples/secrets_encryption/variables.tf 
@@ -0,0 +1,52 @@ +variable "region" { + default = "us-west-2" +} + +variable "map_accounts" { + description = "Additional AWS account numbers to add to the aws-auth configmap." + type = list(string) + + default = [ + "777777777777", + "888888888888", + ] +} + +variable "map_roles" { + description = "Additional IAM roles to add to the aws-auth configmap." + type = list(object({ + rolearn = string + username = string + groups = list(string) + })) + + default = [ + { + rolearn = "arn:aws:iam::66666666666:role/role1" + username = "role1" + groups = ["system:masters"] + }, + ] +} + +variable "map_users" { + description = "Additional IAM users to add to the aws-auth configmap." + type = list(object({ + userarn = string + username = string + groups = list(string) + })) + + default = [ + { + userarn = "arn:aws:iam::66666666666:user/user1" + username = "user1" + groups = ["system:masters"] + }, + { + userarn = "arn:aws:iam::66666666666:user/user2" + username = "user2" + groups = ["system:masters"] + }, + ] +} diff --git a/variables.tf b/variables.tf index eac18e5eeb..0ba56ac58c 100644 --- a/variables.tf +++ b/variables.tf @@ -311,3 +311,12 @@ variable "eks_oidc_root_ca_thumbprint" { description = "Thumbprint of Root CA for EKS OIDC, Valid until 2037" default = "9e99a48a9960b14926bb7f3b02e22da2b0ab7280" } + +variable "cluster_encryption_config" { + description = "Configuration block with encryption configuration for the cluster. See examples/secrets_encryption/main.tf for example format" + type = list(object({ + provider_key_arn = string + resources = list(string) + })) + default = [] +} diff --git a/versions.tf b/versions.tf index 95fb1ef19e..f73abd331e 100644 --- a/versions.tf +++ b/versions.tf @@ -2,7 +2,7 @@ terraform { required_version = ">= 0.12.9" required_providers { - aws = ">= 2.44.0" + aws = ">= 2.52.0" local = ">= 1.2" null = ">= 2.1" template = ">= 2.1" From 7dc56e976bf0f8c48820085a4cdee37e676ca2b8 Mon Sep 17 00:00:00 2001 
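Review bot: in the cluster.tf hunk the block label is unquoted (`dynamic encryption_config {`) while the rest of the module writes `dynamic "initial_lifecycle_hook"`; quote it for consistency. More importantly, the `cluster_encryption_config` description in the variables.tf hunk should state what happens when the value is changed on an existing cluster (whether the provider updates in place or replaces the cluster), because a replacement here means every Secret is re-created; users enabling envelope encryption on a running cluster need that in the README table before they apply.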
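Review bot: in examples/secrets_encryption/main.tf the `aws_kms_key.eks` resource sets only `description`, so the key that will wrap every Secret in the cluster is created without `enable_key_rotation = true`, without a `deletion_window_in_days`, and with the default key policy that grants the account root full use of it. Since this example is what the new variable description points users to as the reference format, it should show the hardened shape: rotation enabled, an explicit deletion window, and a `policy` that limits `kms:Encrypt`/`kms:Decrypt`/`kms:DescribeKey` to the cluster role rather than the whole account.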
From: Scott Crooks Date: Wed, 11 Mar 2020 17:06:55 +0100 Subject: [PATCH 22/47] EKS 1.15 Support (#776) * chore(eks): Support EKS 1.15 * docs(changelog): Adding entry to CHANGELOG * chore(examples): Removing VPC tags from merged PR #772 * docs(changelog): Adding 'breaking' to CHANGELOG entry --- .pre-commit-config.yaml | 2 +- CHANGELOG.md | 1 + README.md | 2 +- examples/basic/main.tf | 4 ---- examples/irsa/main.tf | 4 ---- examples/launch_templates/main.tf | 4 ---- examples/managed_node_groups/main.tf | 4 ---- examples/secrets_encryption/main.tf | 4 ---- examples/spot_instances/main.tf | 4 ---- variables.tf | 2 +- 10 files changed, 4 insertions(+), 27 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 1b77bc2d98..71ccc545ba 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,6 +1,6 @@ repos: - repo: git://github.com/antonbabenko/pre-commit-terraform - rev: v1.25.0 + rev: v1.27.0 hooks: - id: terraform_fmt - id: terraform_docs diff --git a/CHANGELOG.md b/CHANGELOG.md index 86cfb3dd72..a3fe093129 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,7 @@ project adheres to [Semantic Versioning](http://semver.org/). - Add `default_cooldown` and `health_check_grace_period` options to workers ASG (by @ArieLevs) - Fix support for ASG max instance lifetime for workers (by @barryib) - Add support for envelope encryption of Secrets (by @babilen5) +- **Breaking:** Added support for EKS 1.15 (by @sc250024) # History diff --git a/README.md b/README.md index 7b2ad00b04..b370a2e3d6 100644 --- a/README.md +++ b/README.md 
@@ -175,7 +175,7 @@ MIT Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-a | cluster\_log\_retention\_in\_days | Number of days to retain log events. Default retention - 90 days. | `number` | `90` | no | | cluster\_name | Name of the EKS cluster. Also used as a prefix in names of related resources. | `string` | n/a | yes | | cluster\_security\_group\_id | If provided, the EKS cluster will be attached to this security group. If not given, a security group will be created with necessary ingress/egress to work with the workers | `string` | `""` | no | -| cluster\_version | Kubernetes version to use for the EKS cluster. | `string` | `"1.14"` | no | +| cluster\_version | Kubernetes version to use for the EKS cluster. | `string` | `"1.15"` | no | | config\_output\_path | Where to save the Kubectl config file (if `write_kubeconfig = true`). Assumed to be a directory if the value ends with a forward slash `/`. | `string` | `"./"` | no | | create\_eks | Controls if EKS resources should be created (it affects almost all resources) | `bool` | `true` | no | | eks\_oidc\_root\_ca\_thumbprint | Thumbprint of Root CA for EKS OIDC, Valid until 2037 | `string` | `"9e99a48a9960b14926bb7f3b02e22da2b0ab7280"` | no | diff --git a/examples/basic/main.tf b/examples/basic/main.tf index 6a89c3fa41..ee1d9bc251 100644 --- a/examples/basic/main.tf +++ b/examples/basic/main.tf @@ -111,10 +111,6 @@ module "vpc" { single_nat_gateway = true enable_dns_hostnames = true - tags = { - "kubernetes.io/cluster/${local.cluster_name}" = "shared" - } - public_subnet_tags = { "kubernetes.io/cluster/${local.cluster_name}" = "shared" "kubernetes.io/role/elb" = "1" diff --git a/examples/irsa/main.tf b/examples/irsa/main.tf index 61cc54d6b3..0fd934d44f 100644 --- a/examples/irsa/main.tf +++ b/examples/irsa/main.tf 
@@ -48,10 +48,6 @@ module "vpc" { public_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"] enable_dns_hostnames = true - tags = { - "kubernetes.io/cluster/${local.cluster_name}" = "shared" - } - public_subnet_tags = { "kubernetes.io/cluster/${local.cluster_name}" = "shared" "kubernetes.io/role/elb" = "1" diff --git a/examples/launch_templates/main.tf b/examples/launch_templates/main.tf index 534f2078bd..a8d0ec62fe 100644 --- a/examples/launch_templates/main.tf +++ b/examples/launch_templates/main.tf @@ -60,10 +60,6 @@ module "vpc" { azs = data.aws_availability_zones.available.names public_subnets = ["10.0.4.0/24", "10.0.5.0/24", "10.0.6.0/24"] enable_dns_hostnames = true - - tags = { - "kubernetes.io/cluster/${local.cluster_name}" = "shared" - } } module "eks" { diff --git a/examples/managed_node_groups/main.tf b/examples/managed_node_groups/main.tf index c2b8c236f0..adb5cfe70c 100644 --- a/examples/managed_node_groups/main.tf +++ b/examples/managed_node_groups/main.tf @@ -64,10 +64,6 @@ module "vpc" { single_nat_gateway = true enable_dns_hostnames = true - tags = { - "kubernetes.io/cluster/${local.cluster_name}" = "shared" - } - public_subnet_tags = { "kubernetes.io/cluster/${local.cluster_name}" = "shared" "kubernetes.io/role/elb" = "1" diff --git a/examples/secrets_encryption/main.tf b/examples/secrets_encryption/main.tf index 67057e24b8..5c4b861be0 100644 --- a/examples/secrets_encryption/main.tf +++ b/examples/secrets_encryption/main.tf @@ -68,10 +68,6 @@ module "vpc" { single_nat_gateway = true enable_dns_hostnames = true - tags = { - "kubernetes.io/cluster/${local.cluster_name}" = "shared" - } - public_subnet_tags = { "kubernetes.io/cluster/${local.cluster_name}" = "shared" "kubernetes.io/role/elb" = "1" diff --git a/examples/spot_instances/main.tf b/examples/spot_instances/main.tf index 0dbb23e571..cfac972f57 100644 --- a/examples/spot_instances/main.tf +++ b/examples/spot_instances/main.tf 
@@ -60,10 +60,6 @@ module "vpc" { azs = data.aws_availability_zones.available.names public_subnets = ["10.0.4.0/24", "10.0.5.0/24", "10.0.6.0/24"] enable_dns_hostnames = true - - tags = { - "kubernetes.io/cluster/${local.cluster_name}" = "shared" - } } module "eks" { diff --git a/variables.tf b/variables.tf index 0ba56ac58c..925b7b3109 100644 --- a/variables.tf +++ b/variables.tf @@ -28,7 +28,7 @@ variable "cluster_security_group_id" { variable "cluster_version" { description = "Kubernetes version to use for the EKS cluster." type = string - default = "1.14" + default = "1.15" } variable "config_output_path" { From 2a8e45fe2c54f0bc6a4fc68b5b61930ad22943f9 Mon Sep 17 00:00:00 2001 From: Christian Kemper Date: Wed, 11 Mar 2020 23:34:21 +0000 Subject: [PATCH 23/47] defaults lookup before falling back on default ami based on platform (#756) * defaulting to data lookup if worker_group_defaults have no ami_id entry * using coalesce instead of lookup and also using local instead of var. * adding defaults support for specifying windows based amis --- CHANGELOG.md | 1 + local.tf | 7 ++++--- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a3fe093129..e333fa6661 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,6 +9,7 @@ project adheres to [Semantic Versioning](http://semver.org/). ## [[v9.?.?](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v9.0.0...HEAD)] - 2020-xx-xx] +- Ensuring that ami lookup hierarchy is worker_group_launch_templates and worker_groups -> worker_group_defaults -> and finally aws ami lookup (by @ck3mp3r) - Fix doc about spot instances, cluster-autoscaler should be scheduled on normal instances instead of spot (by @simowaer) - Adding `encrypted` option to worker's root_block_device as read from the worker configurations (by @craig-rueda) - Use correct policy arns for CN regions (cn-north-1, cn-northwest-1) (by @cofyc) diff --git a/local.tf b/local.tf index 11751767b7..704b5cdcb2 100644 
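Review bot: on the preceding patch, the `default = "1.14"` -> `"1.15"` change in `variables.tf` (mirrored in the README table row) means every caller that does not pin `cluster_version` gets an in-place control-plane upgrade on the next `terraform apply`; the changelog should say that explicitly rather than only "Added support for EKS 1.15", and advise pinning the variable before bumping the module. The example hunks that drop the VPC-level `"kubernetes.io/cluster/${local.cluster_name}" = "shared"` tag are only correct for 1.15+ clusters; the release note itself says clusters below 1.15 still require it, so a reader who copies an example with `cluster_version = "1.14"` ends up with a misconfigured VPC. Keeping the per-subnet tags in `public_subnet_tags` is right; the examples' README should state the minimum cluster version they now assume.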
--- a/local.tf +++ b/local.tf 
@@ -19,14 +19,15 @@ locals { worker_group_count = length(var.worker_groups) worker_group_launch_template_count = length(var.worker_groups_launch_template) - default_ami_id_linux = data.aws_ami.eks_worker.id - default_ami_id_windows = data.aws_ami.eks_worker_windows.id + default_ami_id_linux = coalesce(local.workers_group_defaults.ami_id, data.aws_ami.eks_worker.id) + default_ami_id_windows = coalesce(local.workers_group_defaults.ami_id_windows, data.aws_ami.eks_worker_windows.id) policy_arn_prefix = contains(["cn-northwest-1", "cn-north-1"], data.aws_region.current.name) ? "arn:aws-cn:iam::aws:policy" : "arn:aws:iam::aws:policy" workers_group_defaults_defaults = { name = "count.index" # Name of the worker group. Literal count.index will never be used but if name is not set, the count.index interpolation will be used. tags = [] # A list of map defining extra tags to be applied to the worker group autoscaling group. - ami_id = "" # AMI ID for the eks workers. If none is provided, Terraform will search for the latest version of their EKS optimized worker AMI based on platform. + ami_id = "" # AMI ID for the eks linux based workers. If none is provided, Terraform will search for the latest version of their EKS optimized worker AMI based on platform. + ami_id_windows = "" # AMI ID for the eks windows based workers. If none is provided, Terraform will search for the latest version of their EKS optimized worker AMI based on platform. asg_desired_capacity = "1" # Desired worker capacity in the autoscaling group and changing its value will not affect the autoscaling group's desired capacity because the cluster-autoscaler manages up and down scaling of the nodes. Cluster-autoscaler add nodes when pods are in pending state and remove the nodes when they are not required by modifying the desirec_capacity of the autoscaling group. Although an issue exists in which if the value of the asg_min_size is changed it modifies the value of asg_desired_capacity. 
asg_max_size = "3" # Maximum worker capacity in the autoscaling group. asg_min_size = "1" # Minimum worker capacity in the autoscaling group. NOTE: Change in this paramater will affect the asg_desired_capacity, like changing its value to 2 will change asg_desired_capacity value to 2 but bringing back it to 1 will not affect the asg_desired_capacity. From 2a78825ef79753e6ea78687bfedd8e9b684187bd Mon Sep 17 00:00:00 2001 From: pierresteiner <32190738+pierresteiner@users.noreply.github.com> Date: Thu, 12 Mar 2020 10:34:13 +0100 Subject: [PATCH 24/47] Remove assumption (#779) * Remove assumption This is not needed since 8.0.0 right? * Update CHANGELOG.md Co-authored-by: Thierno IB. BARRY --- CHANGELOG.md | 1 + README.md | 1 - 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e333fa6661..19b346234c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,6 +9,7 @@ project adheres to [Semantic Versioning](http://semver.org/). ## [[v9.?.?](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v9.0.0...HEAD)] - 2020-xx-xx] +- Remove obsolete assumption from README (kubectl & aws-iam-authenticator) (by @pierresteiner) - Ensuring that ami lookup hierarchy is worker_group_launch_templates and worker_groups -> worker_group_defaults -> and finally aws ami lookup (by @ck3mp3r) - Fix doc about spot instances, cluster-autoscaler should be scheduled on normal instances instead of spot (by @simowaer) - Adding `encrypted` option to worker's root_block_device as read from the worker configurations (by @craig-rueda) diff --git a/README.md b/README.md index b370a2e3d6..a21694b5ce 100644 --- a/README.md +++ b/README.md 
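Review bot: in the `default_ami_id_linux` / `default_ami_id_windows` lines the `data.aws_ami.eks_worker` and `data.aws_ami.eks_worker_windows` lookups are still evaluated unconditionally, so a caller who pins `ami_id` or `ami_id_windows` in `workers_group_defaults` (the point of this change) still fails the plan whenever the lookup returns nothing, for example when no EKS-optimised Windows AMI is published for the chosen `cluster_version` in that region. Consider gating each data source with a `count` on the corresponding default being empty, or document the behaviour. Note also that `coalesce` treats only `null` and `""` as unset, which is why the `""` entries in `workers_group_defaults_defaults` matter; any other string is used verbatim as the AMI ID. The new `ami_id_windows` key is only discoverable from this local, so it needs an entry in the README/variables documentation alongside `ami_id`.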
@@ -14,7 +14,6 @@ Read the [AWS docs on EKS to get connected to the k8s dashboard](https://docs.aw * You want to create an EKS cluster and an autoscaling group of workers for the cluster. * You want these resources to exist within security groups that allow communication and coordination. These can be user provided or created within the module. * You've created a Virtual Private Cloud (VPC) and subnets where you intend to put the EKS resources. The VPC satisfies [EKS requirements](https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html). -* If `manage_aws_auth = true`, it's required that both [`kubectl`](https://kubernetes.io/docs/tasks/tools/install-kubectl/#install-kubectl) (>=1.10) and [`aws-iam-authenticator`](https://github.com/kubernetes-sigs/aws-iam-authenticator#4-set-up-kubectl-to-use-authentication-tokens-provided-by-aws-iam-authenticator-for-kubernetes) are installed and on your shell's PATH. ## Usage example From 4c0c4c49a611e0d7dcaff334fc7862c31732d1f0 Mon Sep 17 00:00:00 2001 From: Dawid Rogaczewski Date: Thu, 12 Mar 2020 11:50:41 +0100 Subject: [PATCH 25/47] change conditional for irsa.tf (#783) --- CHANGELOG.md | 1 + irsa.tf | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 19b346234c..5388e9878d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,7 @@ project adheres to [Semantic Versioning](http://semver.org/). - Add `default_cooldown` and `health_check_grace_period` options to workers ASG (by @ArieLevs) - Fix support for ASG max instance lifetime for workers (by @barryib) - Add support for envelope encryption of Secrets (by @babilen5) +- Fix issue with terraform plan phase when IRSA was enabled and create_eks switches to false (by @daroga0002) - **Breaking:** Added support for EKS 1.15 (by @sc250024) # History diff --git a/irsa.tf b/irsa.tf index 08096d8f08..11c0cc735c 100644 --- a/irsa.tf +++ b/irsa.tf 
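Review bot: deleting the `kubectl` / `aws-iam-authenticator` bullet is consistent with v8.0.0, where the aws-auth configmap moved to the Terraform kubernetes provider, but the replacement requirement is now stated nowhere: with `manage_aws_auth = true` the caller must configure a `kubernetes` provider that can authenticate to the new cluster (endpoint, cluster CA and a token), or the apply fails at the configmap step. Suggest rewording the bullet to that requirement instead of removing it outright, with a pointer to the `examples/` directory that shows the provider block.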
@@ -8,7 +8,7 @@ # https://github.com/terraform-providers/terraform-provider-aws/issues/10104 resource "aws_iam_openid_connect_provider" "oidc_provider" { - count = var.enable_irsa ? 1 : 0 + count = var.enable_irsa && var.create_eks ? 1 : 0 client_id_list = ["sts.amazonaws.com"] thumbprint_list = [var.eks_oidc_root_ca_thumbprint] url = flatten(concat(aws_eks_cluster.this[*].identity[*].oidc.0.issuer, [""]))[0] From ca3d1e1199b2e19c67c7c36fcb1f60c010575208 Mon Sep 17 00:00:00 2001 From: "Thierno IB. BARRY" Date: Thu, 12 Mar 2020 13:29:03 +0100 Subject: [PATCH 26/47] New release 10.0.0 (#780) * prepare 10.0.0 release * remove unused version file --- CHANGELOG.md | 98 ++++++++++++++++++++++++++++++---------------------- version | 1 - 2 files changed, 57 insertions(+), 42 deletions(-) delete mode 100644 version diff --git a/CHANGELOG.md b/CHANGELOG.md index 5388e9878d..343031df6c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
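Review bot: `count = var.enable_irsa && var.create_eks ? 1 : 0` fixes creation of the provider, but any other reference to `aws_iam_openid_connect_provider.oidc_provider[0]` (the `oidc_provider_arn` output, or an `aws_iam_policy_document` that builds the IRSA trust policy from its `url` / `arn`) now has to use the same condition or a splat with a fallback, like the `flatten(concat(..., [""]))[0]` idiom already used for `url` in this resource; otherwise the plan still fails on an empty-list index when `create_eks = false`. The `create_eks = false` plus `enable_irsa = true` combination is worth adding to the CI validate job so the regression stays covered.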
@@ -7,23 +7,39 @@ project adheres to [Semantic Versioning](http://semver.org/). ## Next release -## [[v9.?.?](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v9.0.0...HEAD)] - 2020-xx-xx] +## [[v10.?.?](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v10.0.0...HEAD)] - 2020-xx-xx + +- Write your awesome change here (GH-xxxx) + +## History + +## [[v10.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v9.0.0...v10.0.0)] - 2020-03-12 + +BREAKING CHANGES: + +- Added support for EKS 1.15 (by @sc250024) + +ENHANCEMENTS: -- Remove obsolete assumption from README (kubectl & aws-iam-authenticator) (by @pierresteiner) - Ensuring that ami lookup hierarchy is worker_group_launch_templates and worker_groups -> worker_group_defaults -> and finally aws ami lookup (by @ck3mp3r) -- Fix doc about spot instances, cluster-autoscaler should be scheduled on normal instances instead of spot (by @simowaer) - Adding `encrypted` option to worker's root_block_device as read from the worker configurations (by @craig-rueda) -- Use correct policy arns for CN regions (cn-north-1, cn-northwest-1) (by @cofyc) - Add support for ASG max instance lifetime (by @sidprak) - Add `default_cooldown` and `health_check_grace_period` options to workers ASG (by @ArieLevs) -- Fix support for ASG max instance lifetime for workers (by @barryib) - Add support for envelope encryption of Secrets (by @babilen5) + +BUG FIXES: + - Fix issue with terraform plan phase when IRSA was enabled and create_eks switches to false (by @daroga0002) -- **Breaking:** Added support for EKS 1.15 (by @sc250024) +- Remove obsolete assumption from README (kubectl & aws-iam-authenticator) (by @pierresteiner) +- Fix doc about spot instances, cluster-autoscaler should be scheduled on normal instances instead of spot (by @simowaer) +- Use correct policy arns for CN regions (cn-north-1, cn-northwest-1) (by @cofyc) +- Fix support for ASG max instance lifetime for workers (by @barryib) 
+ +NOTES: -# History +From EKS 1.15, the VPC tag `kubernetes.io/cluster/: shared` is no longer required. So we droped those tags from exemples. -## [[v9.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v8.2.0...v9.0.0)] - 2020-02-27] +## [[v9.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v8.2.0...v9.0.0)] - 2020-02-27 - **Breaking:** Removal of autoscaling IAM policy and tags (by @max-rocket-internet) - Revert #631. Add back manage security group flags. (by @ryanooi) 
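Review bot: in the NOTES paragraph the tag is rendered as `kubernetes.io/cluster/: shared`, so the cluster-name placeholder is missing (an angle-bracket placeholder is swallowed by markdown); write it as `kubernetes.io/cluster/<cluster-name>` inside backticks, and fix "droped" / "exemples". The BREAKING CHANGES entry should state what actually breaks: the `cluster_version` default moved from 1.14 to 1.15, so a cluster that does not pin the version is upgraded in place on the next apply. Minor: "Remove obsolete assumption from README" and "Fix doc about spot instances" are documentation changes and sit oddly under BUG FIXES.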
@@ -41,19 +57,19 @@ project adheres to [Semantic Versioning](http://semver.org/). Autoscaling policy and tags have been removed from this module. This reduces complexity and increases security as the policy was attached to the node group IAM role. To manage it outside of this module either follow the example in `examples/irsa` to attach an IAM role to the cluster-autoscaler `serviceAccount` or create [the policy](https://github.com/terraform-aws-modules/terraform-aws-eks/blob/v8.2.0/workers.tf#L361-L416) outside this module and pass it in using the `workers_additional_policies` variable. -## [[v8.2.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v8.1.0...v8.2.0)] - 2020-01-29] +## [[v8.2.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v8.1.0...v8.2.0)] - 2020-01-29 - Include ability to configure custom os-specific command for waiting until kube cluster is healthy (@sanjeevgiri) - Disable creation of ingress rules if worker nodes security groups are exists (@andjelx) - [CI] Update pre-commit and re-generate docs to work with terraform-docs >= 0.8.1 (@barryib) -## [[v8.1.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v8.0.0...v8.1.0)] - 2020-01-17] +## [[v8.1.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v8.0.0...v8.1.0)] - 2020-01-17 - Fix index reference on destroy for output `oidc_provider_arn` (@stevie-) - Add support for restricting access to the public API endpoint (@sidprak) - Add an `ignore_lifecycle` rule to prevent Terraform from scaling down ASG behind AWS EKS Managed Node Group (by @davidalger) -## [[v8.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v8.0.0...v7.0.1)] - 2020-01-09] +## [[v8.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v8.0.0...v7.0.1)] - 2020-01-09 - **Breaking:** Change logic of security group whitelisting. 
Will always whitelist worker security group on control plane security group either provide one or create new one. See Important notes below for upgrade notes (by @ryanooi) - **Breaking:** Configure the aws-auth configmap using the terraform kubernetes providers. See Important notes below for upgrade notes (by @sdehaes) @@ -94,14 +110,14 @@ For security group whitelisting change. After upgrade, have to remove `cluster_c terraform import module.eks.aws_security_group_rule.cluster_https_worker_ingress _ingress_tcp_443_443_ ``` -## [[v7.0.1](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v7.0.1...v7.0.0)] - 2019-12-11] +## [[v7.0.1](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v7.0.1...v7.0.0)] - 2019-12-11 - Test against minimum versions specified in `versions.tf` (by @dpiddockcmp) - Updated `instance_profile_names` and `instance_profile_arns` outputs to also consider launch template as well as asg (by @ankitwal) - Fix broken terraform plan/apply on a cluster < 1.14 (by @hodduc) - Updated application of `aws-auth` configmap to create `kube_config.yaml` and `aws_auth_configmap.yaml` in sequence (and not parallel) to `kubectl apply` (by @knittingdev) -## [[v7.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v6.0.2...v7.0.0)] - 2019-10-30] +## [[v7.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v6.0.2...v7.0.0)] - 2019-10-30 - **Breaking:** Allow for specifying a custom AMI for the worker nodes. (by @bmcstdio) - Added support for Windows workers AMIs (by @hodduc) 
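Review bot: while touching the `v8.0.0` and `v7.0.1` headings to drop the trailing `]`, also fix their compare ranges: `compare/v8.0.0...v7.0.1` and `compare/v7.0.1...v7.0.0` are base...head reversed relative to every other entry (for example `compare/v6.0.2...v7.0.0`), so GitHub renders an empty or backwards diff for them. They should read `compare/v7.0.1...v8.0.0` and `compare/v7.0.0...v7.0.1`.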
@@ -115,20 +131,20 @@ terraform import module.eks.aws_security_group_rule.cluster_https_worker_ingress An AMI is now specified using the whole name, for example `amazon-eks-node-1.14-v20190927`. -## [[v6.0.2](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v6.0.1...v6.0.2)] - 2019-10-07] +## [[v6.0.2](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v6.0.1...v6.0.2)] - 2019-10-07 - Added `tags` to `aws_eks_cluster` introduced by terraform-provider-aws 2.31.0 (by @morganchristiansson) - Add option to enable lifecycle hooks creation (by @barryib) - Remove helm chart value `sslCertPath` described in `docs/autoscaling.md` (by @wi1dcard) - Attaching of IAM policies for autoscaler and CNI to the worker nodes now optional (by @dpiddockcmp) -## [[v6.0.1](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v6.0.0...v6.0.1)] - 2019-09-25] +## [[v6.0.1](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v6.0.0...v6.0.1)] - 2019-09-25 - Added support for different workers AMI's, i.e. with GPU support (by @rvoitenko) - Use null as default value for `target_group_arns` attribute of worker autoscaling group (by @tatusl) - Output empty string when cluster identity is empty (by @tbarry) -## [[v6.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v5.1.0...v6.0.0)] - 2019-09-17] +## [[v6.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v5.1.0...v6.0.0)] - 2019-09-17 - Added `market_type` to `workers_launch_template.tf` allow the usage of spot nodegroups without mixed instances policy. - Added support for log group tag in `./cluster.tf` (@lucas-giaco) 
@@ -156,11 +172,11 @@ You will need to move worker groups from `worker_groups_launch_template_mixed` t Map roles need to rename `role_arn` to `rolearn` and `group = ""` to `groups = [""]`. -## [[v5.1.1](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v5.1.0...v5.1.1)] - 2019-07-30] +## [[v5.1.1](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v5.1.0...v5.1.1)] - 2019-07-30 - Added new tag in `worker.tf` with autoscaling_enabled = true flag (by @insider89) -## [[v5.1.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v5.0.0...v5.1.0)] - 2019-07-30] +## [[v5.1.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v5.0.0...v5.1.0)] - 2019-07-30 - Option to set a KMS key for the log group and encrypt it (by @till-krauss) - Output the name of the cloudwatch log group (by @gbooth27) @@ -170,7 +186,7 @@ Map roles need to rename `role_arn` to `rolearn` and `group = ""` to `groups = [ - Update default override instance types to work with Cluster Autoscaler (by @nauxliu on behalf of RightCapital) - Examples now specify `enable_dns_hostnames = true`, as per [EKS documentation](https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html) (by @karolinepauls) -## [[v5.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v4.0.2...v5.0.0)] - 2019-06-19] +## [[v5.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v4.0.2...v5.0.0)] - 2019-06-19 - Added Termination Policy Option to worker ASGs (by @undeadops) - Update EBS optimized instances type (by @gloutsch) 
@@ -184,17 +200,17 @@ Map roles need to rename `role_arn` to `rolearn` and `group = ""` to `groups = [ - Change override instance_types to list (by @nauxliu on behalf of RightCapital) - Fix toggle for IAM instance profile creation for mixed launch templates (by @jnozo) -## [[v4.0.2](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v4.0.1...v4.0.2)] - 2019-05-07] +## [[v4.0.2](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v4.0.1...v4.0.2)] - 2019-05-07 - Added 2 new examples, also tidy up basic example (by @max-rocket-internet) - Updates to travis, PR template (by @max-rocket-internet) - Fix typo in data.tf (by @max-rocket-internet) - Add missing launch template items in `aws_auth.tf` (by @max-rocket-internet) -## [[v4.0.1](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v4.0.0...v4.0.1)] - 2019-05-07] +## [[v4.0.1](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v4.0.0...v4.0.1)] - 2019-05-07 - Fix annoying typo: worker_group_xx vs worker_groups_xx (by @max-rocket-internet) -## [[v4.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v3.0.0...v4.0.0)] - 2019-05-07] +## [[v4.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v3.0.0...v4.0.0)] - 2019-05-07 - Added support for custom service linked role for Auto Scaling group (by @voanhduy1512) - Added support for custom IAM roles for cluster and workers (by @erks) 
@@ -209,7 +225,7 @@ Map roles need to rename `role_arn` to `rolearn` and `group = ""` to `groups = [ - Switch to https for the pre-commit repos (by @rothandrew) - Add instructions on how to enable the docker bridge network (by @rothandrew) -## [[v3.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v2.3.1...v3.0.0)] - 2019-04-15] +## [[v3.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v2.3.1...v3.0.0)] - 2019-04-15 - Fixed: Ability to destroy clusters due to security groups being attached to ENI's (by @whiskeyjimbo) - Added outputs for worker IAM instance profile(s) (by @soapergem) @@ -217,13 +233,13 @@ Map roles need to rename `role_arn` to `rolearn` and `group = ""` to `groups = [ - Updated vpc module version and aws provider version. (by @chenrui333) - Upgraded default kubernetes version from 1.11 to 1.12 (by @stijndehaes) -## [[v2.3.1](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v2.3.0...v2.3.1)] - 2019-03-26] +## [[v2.3.1](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v2.3.0...v2.3.1)] - 2019-03-26 - Added support for eks public and private endpoints (by @stijndehaes) - Added minimum inbound traffic rule to the cluster worker security group as per the [EKS security group requirements](https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html) (by @sc250024) - (Breaking Change) Replaced `enable_docker_bridge` with a generic option called `bootstrap_extra_args` to resolve [310](https://github.com/terraform-aws-modules/terraform-aws-eks/issues/310) (by @max-rocket-internet) -## [[v2.3.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v2.2.1...v2.3.0)] - 2019-03-20] +## [[v2.3.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v2.2.1...v2.3.0)] - 2019-03-20 - Allow additional policies to be attached to worker nodes (by @rottenbytes) - Ability to specify a placement group for each worker group (by @matheuss) 
@@ -235,13 +251,13 @@ Map roles need to rename `role_arn` to `rolearn` and `group = ""` to `groups = [ - Added optional name filter variable to be able to pin worker AMI to a release (by @max-rocket-internet) - Added `--enable-docker-bridge` option for bootstrap.sh in AMI (by @michaelmccord) -## [[v2.2.2](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v2.2.1...v2.2.2)] - 2019-02-25] +## [[v2.2.2](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v2.2.1...v2.2.2)] - 2019-02-25 - Ability to specify a path for IAM roles (by @tekn0ir) -## [[v2.2.1](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v2.2.0...v2.2.1)] - 2019-02-18] +## [[v2.2.1](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v2.2.0...v2.2.1)] - 2019-02-18 -## [[v2.2.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v2.1.0...v2.2.0)] - 2019-02-07] +## [[v2.2.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v2.1.0...v2.2.0)] - 2019-02-07 - Ability to specify a permissions_boundary for IAM roles (by @dylanhellems) - Ability to configure force_delete for the worker group ASG (by @stefansedich) 
@@ -253,7 +269,7 @@ Map roles need to rename `role_arn` to `rolearn` and `group = ""` to `groups = [ - Fixed a bug where worker group defaults were being used for launch template user data (by @leonsodhi-lf) - Managed_aws_auth option is true, the aws-auth configmap file is no longer created, and write_aws_auth_config must be set to true to generate config_map. (by @yutachaos) -## [[v2.1.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v2.0.0...v2.1.0)] - 2019-01-15] +## [[v2.1.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v2.0.0...v2.1.0)] - 2019-01-15 - Initial support for worker groups based on Launch Templates (by @skang0601) - Updated the `update_config_map_aws_auth` resource to trigger when the EKS cluster endpoint changes. This likely means that a new cluster was spun up so our ConfigMap won't exist (fixes #234) (by @elatt) @@ -261,7 +277,7 @@ Map roles need to rename `role_arn` to `rolearn` and `group = ""` to `groups = [ - Fixed zsh-specific syntax in retry loop for aws auth config map (by @marcelloromani) - Fix: fail deployment if applying the aws auth config map still fails after 10 attempts (by @marcelloromani) -## [[v2.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v1.8.0...v2.0.0)] - 2018-12-14] +## [[v2.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v1.8.0...v2.0.0)] - 2018-12-14 - (Breaking Change) New input variables `map_accounts_count`, `map_roles_count` and `map_users_count` to allow using computed values as part of `map_accounts`, `map_roles` and `map_users` configs (by @chili-man on behalf of OpenGov). - (Breaking Change) New variables `cluster_create_security_group` and `worker_create_security_group` to stop `value of 'count' cannot be computed` error. 
@@ -272,7 +288,7 @@ Map roles need to rename `role_arn` to `rolearn` and `group = ""` to `groups = [ - Travis fixes (by @RothAndrew) - Fixed some Windows compatibility issues (by @RothAndrew) -## [[v1.8.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v1.7.0...v1.8.0)] - 2018-12-04] +## [[v1.8.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v1.7.0...v1.8.0)] - 2018-12-04 - Support for using AWS Launch Templates to define autoscaling groups (by @skang0601) - `suspended_processes` to `worker_groups` input (by @bkmeneguello) @@ -286,7 +302,7 @@ Map roles need to rename `role_arn` to `rolearn` and `group = ""` to `groups = [ - Removed providers from `main.tf`. (by @max-rocket-internet) - Removed `configure_kubectl_session` references in documentation [#171](https://github.com/terraform-aws-modules/terraform-aws-eks/pull/171) (by @dominik-k) -## [[v1.7.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v1.6.0...v1.7.0)] - 2018-10-09] +## [[v1.7.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v1.6.0...v1.7.0)] - 2018-10-09 - Worker groups can be created with a specified IAM profile. (from @laverya) - exposed `aws_eks_cluster` create and destroy timeouts (by @RGPosadas) 
@@ -297,7 +313,7 @@ Map roles need to rename `role_arn` to `rolearn` and `group = ""` to `groups = [ - Cosmetic syntax changes to improve readability. (by @max-rocket-internet) - add `protect_from_scale_in` to solve issue #134 (by @kinghajj) -## [[v1.6.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v1.5.0...v1.6.0)] - 2018-09-04] +## [[v1.6.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v1.5.0...v1.6.0)] - 2018-09-04 - add support for [`amazon-eks-node-*` AMI with bootstrap script](https://aws.amazon.com/blogs/opensource/improvements-eks-worker-node-provisioning/) (by @erks) - expose `kubelet_extra_args` worker group option (replacing `kubelet_node_labels`) to allow specifying arbitrary kubelet options (e.g. taints and labels) (by @erks) @@ -308,7 +324,7 @@ Map roles need to rename `role_arn` to `rolearn` and `group = ""` to `groups = [ - **Breaking change** Removed support for `eks-worker-*` AMI. The cluster specifying a custom AMI based off of `eks-worker-*` AMI will have to rebuild the AMI from `amazon-eks-node-*`. (by @erks) - **Breaking change** Removed `kubelet_node_labels` worker group option in favor of `kubelet_extra_args`. (by @erks) -## [[v1.5.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v1.4.0...v1.5.0)] - 2018-08-30] +## [[v1.5.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v1.4.0...v1.5.0)] - 2018-08-30 - add spot_price option to aws_launch_configuration - add enable_monitoring option to aws_launch_configuration 
@@ -319,20 +335,20 @@ Map roles need to rename `role_arn` to `rolearn` and `group = ""` to `groups = [ If you are upgrading from 1.4 you should fix state after upgrade: `terraform state rm module.eks.data.http.workstation_external_ip` - Can now selectively override keys in `workers_group_defaults` variable rather than callers maintaining a duplicate of the whole map. (by @dpiddockcmp) -## [[v1.4.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v1.3.0...v1.4.0)] - 2018-08-02] +## [[v1.4.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v1.3.0...v1.4.0)] - 2018-08-02 - manage eks workers' root volume size and type. - `workers_asg_names` added to outputs. (kudos to @laverya) - New top level variable `worker_group_count` added to replace the use of `length(var.worker_groups)`. This allows using computed values as part of worker group configs. (complaints to @laverya) -## [[v1.3.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v1.2.0...v1.3.0)] - 2018-07-11] +## [[v1.3.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v1.2.0...v1.3.0)] - 2018-07-11 - New variables `map_accounts`, `map_roles` and `map_users` in order to manage additional entries in the `aws-auth` configmap. (by @max-rocket-internet) - kubelet_node_labels worker group option allows setting --node-labels= in kubelet. (Hat-tip, @bshelton229 👒) - `worker_iam_role_arn` added to outputs. Sweet, @hatemosphere 🔥 - Worker subnets able to be specified as a dedicated list per autoscaling group. (up top, @bshelton229 🙏) -## [[v1.2.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v1.1.0...v1.2.0)] - 2018-07-01] +## [[v1.2.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v1.1.0...v1.2.0)] - 2018-07-01 - new variable `pre_userdata` added to worker launch configuration allows to run scripts before the plugin does anything. (W00t, @jimbeck 🦉) - kubeconfig made much more flexible. 
(Bang up job, @sdavids13 💥) @@ -340,7 +356,7 @@ Map roles need to rename `role_arn` to `rolearn` and `group = ""` to `groups = [ - Providing security groups didn't behave as expected. This has been fixed. (Good catch, @jimbeck 🔧) - workstation cidr to be allowed by created security group is now more flexible. (A welcome addition, @jimbeck 🔐) -## [[v1.1.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v1.0.0...v1.1.0)] - 2018-06-25] +## [[v1.1.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v1.0.0...v1.1.0)] - 2018-06-25 - new variable `worker_sg_ingress_from_port` allows to change the minimum port number from which pods will accept communication (Thanks, @ilyasotkov 👏). - expanded on worker example to show how multiple worker autoscaling groups can be created. 
@@ -351,13 +367,13 @@ Map roles need to rename `role_arn` to `rolearn` and `group = ""` to `groups = [ - `kube-proxy` restart no longer needed in userdata. Good catch, @hatemosphere 🔥 - worker ASG reattachment wasn't possible when using `name`. Moved to `name_prefix` to allow recreation of resources. Kudos again, @hatemosphere 🐧 -## [[v1.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v0.2.0...v1.0.0)] - 2018-06-11] +## [[v1.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v0.2.0...v1.0.0)] - 2018-06-11 - security group id can be provided for either/both of the cluster and the workers. If not provided, security groups will be created with sufficient rules to allow cluster-worker communication. - kudos to @tanmng on the idea ⭐ - outputs of security group ids and worker ASG arns added for working with these resources outside the module. - Worker build out refactored to allow multiple autoscaling groups each having differing specs. If none are given, a single ASG is created with a set of sane defaults - big thanks to @kppullin 🥨 -## [[v0.2.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v0.1.1...v0.2.0)] - 2018-06-08] +## [[v0.2.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v0.1.1...v0.2.0)] - 2018-06-08 - ability to specify extra userdata code to execute following kubelet services start. - EBS optimization used whenever possible for the given instance type. 
@@ -365,7 +381,7 @@ Map roles need to rename `role_arn` to `rolearn` and `group = ""` to `groups = [ - files rendered from dedicated templates to separate out raw code and config from `hcl` - `workers_ami_id` is now made optional. If not specified, the module will source the latest AWS supported EKS AMI instead. -## [[v0.1.1](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v0.1.0...v0.1.1)] - 2018-06-07] +## [[v0.1.1](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v0.1.0...v0.1.1)] - 2018-06-07 - Pre-commit hooks fixed and working. - Made progress on CI, advancing the build to the final `kitchen test` stage before failing. diff --git a/version b/version deleted file mode 100644 index 40ed13353f..0000000000 --- a/version +++ /dev/null @@ -1 +0,0 @@ -v9.0.0 From 9fb1a20d82daddd9da29002811640049e00d228c Mon Sep 17 00:00:00 2001 From: "Thierno IB. BARRY" Date: Tue, 17 Mar 2020 14:22:22 +0100 Subject: [PATCH 27/47] improvement: automate changelog management (#786) --- .chglog/CHANGELOG.tpl.md | 66 +++ .chglog/config.yml | 48 ++ .github/CONTRIBUTING.md | 34 ++ .github/PULL_REQUEST_TEMPLATE.md | 1 - .github/semantic.yml | 14 + .github/workflows/changelog-check.yaml | 20 + CHANGELOG.md => CHANGELOG.pre-v11.0.0.md | 78 ++- CONTRIBUTING.md | 13 - Makefile | 17 + README.md | 3 +- tools/semtag | 627 +++++++++++++++++++++++ 11 files changed, 863 insertions(+), 58 deletions(-) create mode 100644 .chglog/CHANGELOG.tpl.md create mode 100644 .chglog/config.yml create mode 100644 .github/CONTRIBUTING.md create mode 100644 .github/semantic.yml create mode 100644 .github/workflows/changelog-check.yaml rename CHANGELOG.md => CHANGELOG.pre-v11.0.0.md (85%) delete mode 100644 CONTRIBUTING.md create mode 100644 Makefile create mode 100755 tools/semtag diff --git a/.chglog/CHANGELOG.tpl.md b/.chglog/CHANGELOG.tpl.md new file mode 100644 index 0000000000..52d22241c0 --- /dev/null +++ b/.chglog/CHANGELOG.tpl.md 
@@ -0,0 +1,66 @@ +# Change Log + +All notable changes to this project will be documented in this file. + +The format is based on [Keep a Changelog](http://keepachangelog.com/) and this +project adheres to [Semantic Versioning](http://semver.org/). + +{{ if .Versions -}} + +## [Unreleased] +{{ if .Unreleased.CommitGroups -}} +{{ range .Unreleased.CommitGroups -}} +{{ .Title }}: +{{ range .Commits -}} +{{- if .Subject -}} +- {{ if .Scope }}**{{ .Scope }}:** {{ end }}{{ .Subject }} +{{- end -}} +{{ end }} +{{ end -}} +{{ else }} +{{ range .Unreleased.Commits -}} +{{- if .Subject -}} +- {{ if .Scope }}**{{ .Scope }}:** {{ end }}{{ .Subject }} +{{- end -}} +{{ end }} +{{ end -}} +{{ end -}} + +{{ range .Versions }} + +## {{ if .Tag.Previous }}[{{ .Tag.Name }}]{{ else }}{{ .Tag.Name }}{{ end }} - {{ datetime "2006-01-02" .Tag.Date }} +{{ if .CommitGroups -}} +{{ range .CommitGroups -}} +{{ .Title }}: +{{ range .Commits -}} +{{- if .Subject -}} +- {{ if .Scope }}**{{ .Scope }}:** {{ end }}{{ .Subject }} +{{- end -}} +{{ end }} +{{ end -}} +{{ else }} +{{ range .Commits -}} +{{- if .Subject -}} +- {{ if .Scope }}**{{ .Scope }}:** {{ end }}{{ .Subject }} +{{- end -}} +{{ end }} +{{ end -}} + +{{- if .NoteGroups -}} +{{ range .NoteGroups -}} +{{ .Title }}: +{{ range .Notes }} +{{ .Body }} +{{ end }} +{{ end -}} +{{ end -}} +{{ end -}} + +{{- if .Versions }} +[Unreleased]: {{ .Info.RepositoryURL }}/compare/{{ $latest := index .Versions 0 }}{{ $latest.Tag.Name }}...HEAD +{{ range .Versions -}} +{{ if .Tag.Previous -}} +[{{ .Tag.Name }}]: {{ $.Info.RepositoryURL }}/compare/{{ .Tag.Previous.Name }}...{{ .Tag.Name }} +{{ end -}} +{{ end -}} +{{ end -}} diff --git a/.chglog/config.yml b/.chglog/config.yml new file mode 100644 index 0000000000..e9fff99ed6 --- /dev/null +++ b/.chglog/config.yml 
@@ -0,0 +1,48 @@ +style: github +template: CHANGELOG.tpl.md +info: + title: CHANGELOG + repository_url: https://github.com/terraform-aws-modules/terraform-aws-eks +options: + + commits: + sort_by: Type + filters: + Type: + - feat + - fix + - improvement + - docs + - refactor + - test + - ci + - chore + + commit_groups: + group_by: Type + title_maps: + feat: FEATURES + fix: BUG FIXES + improvement: ENHANCEMENTS + docs: DOCS + refactor: REFACTORS + test: TESTS + ci: CI + chore: CHORES + + header: + pattern: "^(\\.+)\\s*:\\s*(.+)$" + pattern_maps: + - Type + - Subject + + notes: + keywords: + - BREAKING CHANGE + - NOTES + + refs: + actions: + - Closes + - Fixes + - Resolves diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md new file mode 100644 index 0000000000..0323f79ab1 --- /dev/null +++ b/.github/CONTRIBUTING.md 
@@ -0,0 +1,34 @@ +# Contributing + +When contributing to this repository, please first discuss the change you wish to make via issue, +email, or any other method with the owners of this repository before making a change. + +Please note we have a code of conduct, please follow it in all your interactions with the project. + +## Pull Request Process + +1. Ensure any install or build dependencies are removed before the end of the layer when doing a build. +2. Update the README.md with details of changes to the interface, this includes new environment variables, exposed ports, useful file locations and container parameters. +3. Once all outstanding comments and checklist items have been addressed, your contribution will be merged! Merged PRs will be included in the next release. The terraform-aws-eks mainteners takes care of updating the CHANGELOG as they merge. + +## Checklists for contributions + +- [ ] Add [sementics prefix](#semantic-pull-requests) to your PR or Commits (at leats one of your commit groups) +- [ ] CI tests are passing +- [ ] README.md has been updated after any changes to variables and outputs. See https://github.com/terraform-aws-modules/terraform-aws-eks/#doc-generation + +## Semantic Pull Requests + +To generate changelog, Pull Requests or Commits must have sementic and must follow conventional specs below: + +- `feat:` for new features +- `fix:` for bug fixes +- `improvement:` for enhancements +- `docs:` for documentation and examples +- `refactor:` for code refactoring +- `test:` for tests +- `ci:` for CI purpose +- `chore:` for chores stuff + +There is a special prefix `skip changelog` which is skipped during changelog generation. It can be used for `skip changelog: update changelog` commit message by example. + diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md index 9310a74454..6a10d8fa5f 100644 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ b/.github/PULL_REQUEST_TEMPLATE.md 
@@ -6,6 +6,5 @@ Please explain the changes you made here and link to any relevant issues. ### Checklist -- [ ] Change added to CHANGELOG.md. All changes must be added and breaking changes and highlighted - [ ] CI tests are passing - [ ] README.md has been updated after any changes to variables and outputs. See https://github.com/terraform-aws-modules/terraform-aws-eks/#doc-generation diff --git a/.github/semantic.yml b/.github/semantic.yml new file mode 100644 index 0000000000..e0c83c7166 --- /dev/null +++ b/.github/semantic.yml @@ -0,0 +1,14 @@ +# By default types specified in commitizen/conventional-commit-types is used. +# See: https://github.com/commitizen/conventional-commit-types/blob/v2.3.0/index.json +# You can override the valid types +types: + - feat + - fix + - improvement + - docs + - refactor + - test + - ci + - chore + - skip changelog + - skip ci diff --git a/.github/workflows/changelog-check.yaml b/.github/workflows/changelog-check.yaml new file mode 100644 index 0000000000..34fe6056c3 --- /dev/null +++ b/.github/workflows/changelog-check.yaml @@ -0,0 +1,20 @@ +name: CHANGELOG Checks +on: + pull_request: + paths: + - CHANGELOG.md + +jobs: + changelog-check: + name: CHANGELOG Check + runs-on: ubuntu-latest + steps: + - name: Fail the check if changelog change + run: |- + echo "Thank you for your contribution!" + echo "" + echo "The 'CHANGELOG.md' file contents are handled by the maintainers during merge. This is to prevent pull request merge conflicts." + echo "Please see the Contributing Guide for additional pull request review items." + echo "" + echo "Remove any changes to the 'CHANGELOG.md' file and commit them in this pull request." + exit 1 diff --git a/CHANGELOG.md b/CHANGELOG.pre-v11.0.0.md similarity index 85% rename from CHANGELOG.md rename to CHANGELOG.pre-v11.0.0.md index 343031df6c..4d49358a52 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.pre-v11.0.0.md 
@@ -5,15 +5,7 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/). -## Next release - -## [[v10.?.?](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v10.0.0...HEAD)] - 2020-xx-xx - -- Write your awesome change here (GH-xxxx) - -## History - -## [[v10.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v9.0.0...v10.0.0)] - 2020-03-12 +## [v10.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v9.0.0...v10.0.0) - 2020-03-12 BREAKING CHANGES: @@ -39,7 +31,7 @@ NOTES: From EKS 1.15, the VPC tag `kubernetes.io/cluster/: shared` is no longer required. So we droped those tags from exemples. -## [[v9.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v8.2.0...v9.0.0)] - 2020-02-27 +## [v9.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v8.2.0...v9.0.0) - 2020-02-27 - **Breaking:** Removal of autoscaling IAM policy and tags (by @max-rocket-internet) - Revert #631. Add back manage security group flags. (by @ryanooi) 
@@ -57,19 +49,19 @@ From EKS 1.15, the VPC tag `kubernetes.io/cluster/: shared` is no Autoscaling policy and tags have been removed from this module. This reduces complexity and increases security as the policy was attached to the node group IAM role. To manage it outside of this module either follow the example in `examples/irsa` to attach an IAM role to the cluster-autoscaler `serviceAccount` or create [the policy](https://github.com/terraform-aws-modules/terraform-aws-eks/blob/v8.2.0/workers.tf#L361-L416) outside this module and pass it in using the `workers_additional_policies` variable. -## [[v8.2.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v8.1.0...v8.2.0)] - 2020-01-29 +## [v8.2.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v8.1.0...v8.2.0) - 2020-01-29 - Include ability to configure custom os-specific command for waiting until kube cluster is healthy (@sanjeevgiri) - Disable creation of ingress rules if worker nodes security groups are exists (@andjelx) - [CI] Update pre-commit and re-generate docs to work with terraform-docs >= 0.8.1 (@barryib) -## [[v8.1.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v8.0.0...v8.1.0)] - 2020-01-17 +## [v8.1.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v8.0.0...v8.1.0) - 2020-01-17 - Fix index reference on destroy for output `oidc_provider_arn` (@stevie-) - Add support for restricting access to the public API endpoint (@sidprak) - Add an `ignore_lifecycle` rule to prevent Terraform from scaling down ASG behind AWS EKS Managed Node Group (by @davidalger) -## [[v8.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v8.0.0...v7.0.1)] - 2020-01-09 +## [v8.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v8.0.0...v7.0.1) - 2020-01-09 - **Breaking:** Change logic of security group whitelisting. 
Will always whitelist worker security group on control plane security group either provide one or create new one. See Important notes below for upgrade notes (by @ryanooi) - **Breaking:** Configure the aws-auth configmap using the terraform kubernetes providers. See Important notes below for upgrade notes (by @sdehaes) @@ -110,14 +102,14 @@ For security group whitelisting change. After upgrade, have to remove `cluster_c terraform import module.eks.aws_security_group_rule.cluster_https_worker_ingress _ingress_tcp_443_443_ ``` -## [[v7.0.1](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v7.0.1...v7.0.0)] - 2019-12-11 +## [v7.0.1](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v7.0.1...v7.0.0) - 2019-12-11 - Test against minimum versions specified in `versions.tf` (by @dpiddockcmp) - Updated `instance_profile_names` and `instance_profile_arns` outputs to also consider launch template as well as asg (by @ankitwal) - Fix broken terraform plan/apply on a cluster < 1.14 (by @hodduc) - Updated application of `aws-auth` configmap to create `kube_config.yaml` and `aws_auth_configmap.yaml` in sequence (and not parallel) to `kubectl apply` (by @knittingdev) -## [[v7.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v6.0.2...v7.0.0)] - 2019-10-30 +## [v7.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v6.0.2...v7.0.0) - 2019-10-30 - **Breaking:** Allow for specifying a custom AMI for the worker nodes. (by @bmcstdio) - Added support for Windows workers AMIs (by @hodduc) 
@@ -131,20 +123,20 @@ terraform import module.eks.aws_security_group_rule.cluster_https_worker_ingress An AMI is now specified using the whole name, for example `amazon-eks-node-1.14-v20190927`. -## [[v6.0.2](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v6.0.1...v6.0.2)] - 2019-10-07 +## [v6.0.2](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v6.0.1...v6.0.2) - 2019-10-07 - Added `tags` to `aws_eks_cluster` introduced by terraform-provider-aws 2.31.0 (by @morganchristiansson) - Add option to enable lifecycle hooks creation (by @barryib) - Remove helm chart value `sslCertPath` described in `docs/autoscaling.md` (by @wi1dcard) - Attaching of IAM policies for autoscaler and CNI to the worker nodes now optional (by @dpiddockcmp) -## [[v6.0.1](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v6.0.0...v6.0.1)] - 2019-09-25 +## [v6.0.1](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v6.0.0...v6.0.1) - 2019-09-25 - Added support for different workers AMI's, i.e. with GPU support (by @rvoitenko) - Use null as default value for `target_group_arns` attribute of worker autoscaling group (by @tatusl) - Output empty string when cluster identity is empty (by @tbarry) -## [[v6.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v5.1.0...v6.0.0)] - 2019-09-17 +## [v6.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v5.1.0...v6.0.0) - 2019-09-17 - Added `market_type` to `workers_launch_template.tf` allow the usage of spot nodegroups without mixed instances policy. - Added support for log group tag in `./cluster.tf` (@lucas-giaco) 
@@ -172,11 +164,11 @@ You will need to move worker groups from `worker_groups_launch_template_mixed` t Map roles need to rename `role_arn` to `rolearn` and `group = ""` to `groups = [""]`. -## [[v5.1.1](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v5.1.0...v5.1.1)] - 2019-07-30 +## [v5.1.1](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v5.1.0...v5.1.1) - 2019-07-30 - Added new tag in `worker.tf` with autoscaling_enabled = true flag (by @insider89) -## [[v5.1.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v5.0.0...v5.1.0)] - 2019-07-30 +## [v5.1.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v5.0.0...v5.1.0) - 2019-07-30 - Option to set a KMS key for the log group and encrypt it (by @till-krauss) - Output the name of the cloudwatch log group (by @gbooth27) @@ -186,7 +178,7 @@ Map roles need to rename `role_arn` to `rolearn` and `group = ""` to `groups = [ - Update default override instance types to work with Cluster Autoscaler (by @nauxliu on behalf of RightCapital) - Examples now specify `enable_dns_hostnames = true`, as per [EKS documentation](https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html) (by @karolinepauls) -## [[v5.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v4.0.2...v5.0.0)] - 2019-06-19 +## [v5.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v4.0.2...v5.0.0) - 2019-06-19 - Added Termination Policy Option to worker ASGs (by @undeadops) - Update EBS optimized instances type (by @gloutsch) 
@@ -200,17 +192,17 @@ Map roles need to rename `role_arn` to `rolearn` and `group = ""` to `groups = [ - Change override instance_types to list (by @nauxliu on behalf of RightCapital) - Fix toggle for IAM instance profile creation for mixed launch templates (by @jnozo) -## [[v4.0.2](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v4.0.1...v4.0.2)] - 2019-05-07 +## [v4.0.2](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v4.0.1...v4.0.2) - 2019-05-07 - Added 2 new examples, also tidy up basic example (by @max-rocket-internet) - Updates to travis, PR template (by @max-rocket-internet) - Fix typo in data.tf (by @max-rocket-internet) - Add missing launch template items in `aws_auth.tf` (by @max-rocket-internet) -## [[v4.0.1](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v4.0.0...v4.0.1)] - 2019-05-07 +## [v4.0.1](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v4.0.0...v4.0.1) - 2019-05-07 - Fix annoying typo: worker_group_xx vs worker_groups_xx (by @max-rocket-internet) -## [[v4.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v3.0.0...v4.0.0)] - 2019-05-07 +## [v4.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v3.0.0...v4.0.0) - 2019-05-07 - Added support for custom service linked role for Auto Scaling group (by @voanhduy1512) - Added support for custom IAM roles for cluster and workers (by @erks) 
@@ -225,7 +217,7 @@ Map roles need to rename `role_arn` to `rolearn` and `group = ""` to `groups = [ - Switch to https for the pre-commit repos (by @rothandrew) - Add instructions on how to enable the docker bridge network (by @rothandrew) -## [[v3.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v2.3.1...v3.0.0)] - 2019-04-15 +## [v3.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v2.3.1...v3.0.0) - 2019-04-15 - Fixed: Ability to destroy clusters due to security groups being attached to ENI's (by @whiskeyjimbo) - Added outputs for worker IAM instance profile(s) (by @soapergem) @@ -233,13 +225,13 @@ Map roles need to rename `role_arn` to `rolearn` and `group = ""` to `groups = [ - Updated vpc module version and aws provider version. (by @chenrui333) - Upgraded default kubernetes version from 1.11 to 1.12 (by @stijndehaes) -## [[v2.3.1](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v2.3.0...v2.3.1)] - 2019-03-26 +## [v2.3.1](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v2.3.0...v2.3.1) - 2019-03-26 - Added support for eks public and private endpoints (by @stijndehaes) - Added minimum inbound traffic rule to the cluster worker security group as per the [EKS security group requirements](https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html) (by @sc250024) - (Breaking Change) Replaced `enable_docker_bridge` with a generic option called `bootstrap_extra_args` to resolve [310](https://github.com/terraform-aws-modules/terraform-aws-eks/issues/310) (by @max-rocket-internet) -## [[v2.3.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v2.2.1...v2.3.0)] - 2019-03-20 +## [v2.3.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v2.2.1...v2.3.0) - 2019-03-20 - Allow additional policies to be attached to worker nodes (by @rottenbytes) - Ability to specify a placement group for each worker group (by @matheuss) 
@@ -251,13 +243,13 @@ Map roles need to rename `role_arn` to `rolearn` and `group = ""` to `groups = [ - Added optional name filter variable to be able to pin worker AMI to a release (by @max-rocket-internet) - Added `--enable-docker-bridge` option for bootstrap.sh in AMI (by @michaelmccord) -## [[v2.2.2](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v2.2.1...v2.2.2)] - 2019-02-25 +## [v2.2.2](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v2.2.1...v2.2.2) - 2019-02-25 - Ability to specify a path for IAM roles (by @tekn0ir) -## [[v2.2.1](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v2.2.0...v2.2.1)] - 2019-02-18 +## [v2.2.1](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v2.2.0...v2.2.1) - 2019-02-18 -## [[v2.2.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v2.1.0...v2.2.0)] - 2019-02-07 +## [v2.2.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v2.1.0...v2.2.0) - 2019-02-07 - Ability to specify a permissions_boundary for IAM roles (by @dylanhellems) - Ability to configure force_delete for the worker group ASG (by @stefansedich) 
@@ -269,7 +261,7 @@ Map roles need to rename `role_arn` to `rolearn` and `group = ""` to `groups = [ - Fixed a bug where worker group defaults were being used for launch template user data (by @leonsodhi-lf) - Managed_aws_auth option is true, the aws-auth configmap file is no longer created, and write_aws_auth_config must be set to true to generate config_map. (by @yutachaos) -## [[v2.1.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v2.0.0...v2.1.0)] - 2019-01-15 +## [v2.1.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v2.0.0...v2.1.0) - 2019-01-15 - Initial support for worker groups based on Launch Templates (by @skang0601) - Updated the `update_config_map_aws_auth` resource to trigger when the EKS cluster endpoint changes. This likely means that a new cluster was spun up so our ConfigMap won't exist (fixes #234) (by @elatt) @@ -277,7 +269,7 @@ Map roles need to rename `role_arn` to `rolearn` and `group = ""` to `groups = [ - Fixed zsh-specific syntax in retry loop for aws auth config map (by @marcelloromani) - Fix: fail deployment if applying the aws auth config map still fails after 10 attempts (by @marcelloromani) -## [[v2.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v1.8.0...v2.0.0)] - 2018-12-14 +## [v2.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v1.8.0...v2.0.0) - 2018-12-14 - (Breaking Change) New input variables `map_accounts_count`, `map_roles_count` and `map_users_count` to allow using computed values as part of `map_accounts`, `map_roles` and `map_users` configs (by @chili-man on behalf of OpenGov). - (Breaking Change) New variables `cluster_create_security_group` and `worker_create_security_group` to stop `value of 'count' cannot be computed` error. 
@@ -288,7 +280,7 @@ Map roles need to rename `role_arn` to `rolearn` and `group = ""` to `groups = [ - Travis fixes (by @RothAndrew) - Fixed some Windows compatibility issues (by @RothAndrew) -## [[v1.8.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v1.7.0...v1.8.0)] - 2018-12-04 +## [v1.8.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v1.7.0...v1.8.0) - 2018-12-04 - Support for using AWS Launch Templates to define autoscaling groups (by @skang0601) - `suspended_processes` to `worker_groups` input (by @bkmeneguello) @@ -302,7 +294,7 @@ Map roles need to rename `role_arn` to `rolearn` and `group = ""` to `groups = [ - Removed providers from `main.tf`. (by @max-rocket-internet) - Removed `configure_kubectl_session` references in documentation [#171](https://github.com/terraform-aws-modules/terraform-aws-eks/pull/171) (by @dominik-k) -## [[v1.7.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v1.6.0...v1.7.0)] - 2018-10-09 +## [v1.7.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v1.6.0...v1.7.0) - 2018-10-09 - Worker groups can be created with a specified IAM profile. (from @laverya) - exposed `aws_eks_cluster` create and destroy timeouts (by @RGPosadas) 
@@ -313,7 +305,7 @@ Map roles need to rename `role_arn` to `rolearn` and `group = ""` to `groups = [ - Cosmetic syntax changes to improve readability. (by @max-rocket-internet) - add `protect_from_scale_in` to solve issue #134 (by @kinghajj) -## [[v1.6.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v1.5.0...v1.6.0)] - 2018-09-04 +## [v1.6.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v1.5.0...v1.6.0) - 2018-09-04 - add support for [`amazon-eks-node-*` AMI with bootstrap script](https://aws.amazon.com/blogs/opensource/improvements-eks-worker-node-provisioning/) (by @erks) - expose `kubelet_extra_args` worker group option (replacing `kubelet_node_labels`) to allow specifying arbitrary kubelet options (e.g. taints and labels) (by @erks) @@ -324,7 +316,7 @@ Map roles need to rename `role_arn` to `rolearn` and `group = ""` to `groups = [ - **Breaking change** Removed support for `eks-worker-*` AMI. The cluster specifying a custom AMI based off of `eks-worker-*` AMI will have to rebuild the AMI from `amazon-eks-node-*`. (by @erks) - **Breaking change** Removed `kubelet_node_labels` worker group option in favor of `kubelet_extra_args`. (by @erks) -## [[v1.5.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v1.4.0...v1.5.0)] - 2018-08-30 +## [v1.5.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v1.4.0...v1.5.0) - 2018-08-30 - add spot_price option to aws_launch_configuration - add enable_monitoring option to aws_launch_configuration 
@@ -335,20 +327,20 @@ Map roles need to rename `role_arn` to `rolearn` and `group = ""` to `groups = [ If you are upgrading from 1.4 you should fix state after upgrade: `terraform state rm module.eks.data.http.workstation_external_ip` - Can now selectively override keys in `workers_group_defaults` variable rather than callers maintaining a duplicate of the whole map. (by @dpiddockcmp) -## [[v1.4.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v1.3.0...v1.4.0)] - 2018-08-02 +## [v1.4.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v1.3.0...v1.4.0) - 2018-08-02 - manage eks workers' root volume size and type. - `workers_asg_names` added to outputs. (kudos to @laverya) - New top level variable `worker_group_count` added to replace the use of `length(var.worker_groups)`. This allows using computed values as part of worker group configs. (complaints to @laverya) -## [[v1.3.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v1.2.0...v1.3.0)] - 2018-07-11 +## [v1.3.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v1.2.0...v1.3.0) - 2018-07-11 - New variables `map_accounts`, `map_roles` and `map_users` in order to manage additional entries in the `aws-auth` configmap. (by @max-rocket-internet) - kubelet_node_labels worker group option allows setting --node-labels= in kubelet. (Hat-tip, @bshelton229 👒) - `worker_iam_role_arn` added to outputs. Sweet, @hatemosphere 🔥 - Worker subnets able to be specified as a dedicated list per autoscaling group. (up top, @bshelton229 🙏) -## [[v1.2.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v1.1.0...v1.2.0)] - 2018-07-01 +## [v1.2.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v1.1.0...v1.2.0) - 2018-07-01 - new variable `pre_userdata` added to worker launch configuration allows to run scripts before the plugin does anything. (W00t, @jimbeck 🦉) - kubeconfig made much more flexible. (Bang up job, @sdavids13 💥) 
@@ -356,7 +348,7 @@ Map roles need to rename `role_arn` to `rolearn` and `group = ""` to `groups = [ - Providing security groups didn't behave as expected. This has been fixed. (Good catch, @jimbeck 🔧) - workstation cidr to be allowed by created security group is now more flexible. (A welcome addition, @jimbeck 🔐) -## [[v1.1.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v1.0.0...v1.1.0)] - 2018-06-25 +## [v1.1.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v1.0.0...v1.1.0) - 2018-06-25 - new variable `worker_sg_ingress_from_port` allows to change the minimum port number from which pods will accept communication (Thanks, @ilyasotkov 👏). - expanded on worker example to show how multiple worker autoscaling groups can be created. 
@@ -367,13 +359,13 @@ Map roles need to rename `role_arn` to `rolearn` and `group = ""` to `groups = [ - `kube-proxy` restart no longer needed in userdata. Good catch, @hatemosphere 🔥 - worker ASG reattachment wasn't possible when using `name`. Moved to `name_prefix` to allow recreation of resources. Kudos again, @hatemosphere 🐧 -## [[v1.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v0.2.0...v1.0.0)] - 2018-06-11 +## [v1.0.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v0.2.0...v1.0.0) - 2018-06-11 - security group id can be provided for either/both of the cluster and the workers. If not provided, security groups will be created with sufficient rules to allow cluster-worker communication. - kudos to @tanmng on the idea ⭐ - outputs of security group ids and worker ASG arns added for working with these resources outside the module. - Worker build out refactored to allow multiple autoscaling groups each having differing specs. If none are given, a single ASG is created with a set of sane defaults - big thanks to @kppullin 🥨 -## [[v0.2.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v0.1.1...v0.2.0)] - 2018-06-08 +## [v0.2.0](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v0.1.1...v0.2.0) - 2018-06-08 - ability to specify extra userdata code to execute following kubelet services start. - EBS optimization used whenever possible for the given instance type. 
@@ -381,7 +373,7 @@ Map roles need to rename `role_arn` to `rolearn` and `group = ""` to `groups = [ - files rendered from dedicated templates to separate out raw code and config from `hcl` - `workers_ami_id` is now made optional. If not specified, the module will source the latest AWS supported EKS AMI instead. -## [[v0.1.1](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v0.1.0...v0.1.1)] - 2018-06-07 +## [v0.1.1](https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v0.1.0...v0.1.1) - 2018-06-07 - Pre-commit hooks fixed and working. - Made progress on CI, advancing the build to the final `kitchen test` stage before failing. diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md deleted file mode 100644 index b81ce2db90..0000000000 --- a/CONTRIBUTING.md +++ /dev/null @@ -1,13 +0,0 @@ -# Contributing - -When contributing to this repository, please first discuss the change you wish to make via issue, -email, or any other method with the owners of this repository before making a change. - -Please note we have a code of conduct, please follow it in all your interactions with the project. - -## Pull Request Process - -1. Ensure any install or build dependencies are removed before the end of the layer when doing a build. -2. Update the README.md with details of changes to the interface, this includes new environment variables, exposed ports, useful file locations and container parameters. -3. Increase the version numbers in any examples files and the README.md to the new version that this Pull Request would represent. The versioning scheme we use is [SemVer](http://semver.org/). -4. You may merge the Pull Request in once you have the sign-off of two other developers, or if you do not have permission to do that, you may request the second reviewer to merge it for you. diff --git a/Makefile b/Makefile new file mode 100644 index 0000000000..92c13f71f7 --- /dev/null +++ b/Makefile 
@@ -0,0 +1,17 @@ +.PHONY: changelog release + +SEMTAG=tools/semtag + +CHANGELOG_FILE=CHANGELOG.md +TAG_QUERY=v11.0.0.. + +scope ?= "minor" + +changelog-unrelease: + git-chglog -o $(CHANGELOG_FILE) $(TAG_QUERY) + +changelog: + git-chglog -o $(CHANGELOG_FILE) --next-tag `$(SEMTAG) final -s $(scope) -o -f` $(TAG_QUERY) + +release: + $(SEMTAG) final -s $(scope) diff --git a/README.md b/README.md index a21694b5ce..930961a988 100644 --- a/README.md +++ b/README.md @@ -132,7 +132,8 @@ Full contributing [guidelines are covered here](https://github.com/terraform-aws ## Change log -The [changelog](https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/CHANGELOG.md) captures all important release notes. +- The [changelog](https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/CHANGELOG.md) captures all important release notes from v11.0.0 +- For older release notes, refer to [changelog.pre-v11.0.0.md](https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/CHANGELOG.pre-v11.0.0.md) ## Authors diff --git a/tools/semtag b/tools/semtag new file mode 100755 index 0000000000..568d4241ad --- /dev/null +++ b/tools/semtag 
@@ -0,0 +1,627 @@ +#!/usr/bin/env bash +# +# Thanks to @pnikosis for this script https://github.com/pnikosis/semtag +# +PROG=semtag +PROG_VERSION="v0.1.0" + +SEMVER_REGEX="^v?(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(\-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?(\+[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?$" +IDENTIFIER_REGEX="^\-([0-9A-Za-z-]+)\.([0-9A-Za-z-]+)*$" + +# Global variables +FIRST_VERSION="v0.0.0" +finalversion=$FIRST_VERSION +lastversion=$FIRST_VERSION +hasversiontag="false" +scope="patch" +displayonly="false" +forcetag="false" +forcedversion= +versionname= +identifier= + +HELP="\ +Usage: + $PROG + $PROG getlast + $PROG getfinal + $PROG (final|alpha|beta|candidate) [-s (major|minor|patch|auto) | -o] + $PROG --help + $PROG --version +Options: + -s The scope that must be increased, can be major, minor or patch. + The resulting version will match X.Y.Z(-PRERELEASE)(+BUILD) + where X, Y and Z are positive integers, PRERELEASE is an optionnal + string composed of alphanumeric characters describing if the build is + a release candidate, alpha or beta version, with a number. + BUILD is also an optional string composed of alphanumeric + characters and hyphens. + Setting the scope as 'auto', the script will chose the scope between + 'minor' and 'patch', depending on the amount of lines added (<10% will + choose patch). + -v Specifies manually the version to be tagged, must be a valid semantic version + in the format X.Y.Z where X, Y and Z are positive integers. + -o Output the version only, shows the bumped version, but doesn't tag. + -f Forces to tag, even if there are unstaged or uncommited changes. +Commands: + --help Print this help message. + --version Prints the program's version. + get Returns both current final version and last tagged version. + getlast Returns the latest tagged version. + getfinal Returns the latest tagged final version. 
+ getcurrent Returns the current version, based on the latest one, if there are uncommited or + unstaged changes, they will be reflected in the version, adding the number of + pending commits, current branch and commit hash. + final Tags the current build as a final version, this only can be done on the master branch. + candidate Tags the current build as a release candidate, the tag will contain all + the commits from the last final version. + alpha Tags the current build as an alpha version, the tag will contain all + the commits from the last final version. + beta Tags the current build as a beta version, the tag will contain all + the commits from the last final version." + +# Commands and options +ACTION="getlast" +ACTION="$1" +shift + +# We get the parameters +while getopts "v:s:of" opt; do + case $opt in + v) + forcedversion="$OPTARG" + ;; + s) + scope="$OPTARG" + ;; + o) + displayonly="true" + ;; + f) + forcetag="true" + ;; + \?) + echo "Invalid option: -$OPTARG" >&2 + exit 1 + ;; + :) + echo "Option -$OPTARG requires an argument." 
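Review bot: `ACTION="getlast"` is dead code, because the next line unconditionally overwrites it with `ACTION="$1"`; running the script with no arguments therefore ends in the `'' is not a valid command` branch rather than defaulting to `getlast`. Use `ACTION="${1:-getlast}"` if the default is intended. In the getopts loop the `:)` branch is unreachable: the option string `"v:s:of"` does not start with `:`, so bash reports a missing argument itself and sets `opt` to `?`; either prefix the option string with `:` (silent mode) or drop that branch.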
>&2 + exit 1 + ;; + esac +done + +# Gets a string with the version and returns an array of maximum size of 5 with all the parts of the sematinc version +# $1 The string containing the version in semantic format +# $2 The variable to store the result array: +# position 0: major number +# position 1: minor number +# position 2: patch number +# position 3: identifier (or prerelease identifier) +# position 4: build info +function explode_version { + local __version=$1 + local __result=$2 + if [[ $__version =~ $SEMVER_REGEX ]] ; then + local __major=${BASH_REMATCH[1]} + local __minor=${BASH_REMATCH[2]} + local __patch=${BASH_REMATCH[3]} + local __prere=${BASH_REMATCH[4]} + local __build=${BASH_REMATCH[5]} + eval "$__result=(\"$__major\" \"$__minor\" \"$__patch\" \"$__prere\" \"$__build\")" + else + eval "$__result=" + fi +} + +# Compare two versions and returns -1, 0 or 1 +# $1 The first version to compare +# $2 The second version to compare +# $3 The variable where to store the result +function compare_versions { + local __first + local __second + explode_version $1 __first + explode_version $2 __second + local lv=$3 + + # Compares MAJOR, MINOR and PATCH + for i in 0 1 2; do + local __numberfirst=${__first[$i]} + local __numbersecond=${__second[$i]} + case $(($__numberfirst - $__numbersecond)) in + 0) + ;; + -[0-9]*) + eval "$lv=-1" + return 0 + ;; + [0-9]*) + eval "$lv=1" + return 0 + ;; + esac + done + + # Identifiers should compare with the ASCII order. 
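Review bot: in `explode_version`, `__build=${BASH_REMATCH[5]}` reads the wrong capture group. With `SEMVER_REGEX`, group 4 is the prerelease, group 5 is the inner `(\.[0-9A-Za-z-]+)*` repetition (the last dot-segment of the prerelease), and the build metadata is group 6; for `v1.2.3-rc.2+abc` position 4 of the result array ends up as `.2` instead of `+abc`. Nothing below reads position 4 today, so it is latent, but it should be `BASH_REMATCH[6]`. Also worth a comment: the `eval "$__result=..."` out-parameter pattern interpolates tag text into shell code and is only safe because every caller gates on the anchored `SEMVER_REGEX` first; keep that invariant documented where the eval is.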
+ local __identifierfirst=${__first[3]} + local __identifiersecond=${__second[3]} + if [[ -n "$__identifierfirst" ]] && [[ -n "$__identifiersecond" ]]; then + if [[ "$__identifierfirst" > "$__identifiersecond" ]]; then + eval "$lv=1" + return 0 + elif [[ "$__identifierfirst" < "$__identifiersecond" ]]; then + eval "$lv=-1" + return 0 + fi + elif [[ -z "$__identifierfirst" ]] && [[ -n "$__identifiersecond" ]]; then + eval "$lv=1" + return 0 + elif [[ -n "$__identifierfirst" ]] && [[ -z "$__identifiersecond" ]]; then + eval "$lv=-1" + return 0 + fi + + eval "$lv=0" +} + +# Returns the last version of two +# $1 The first version to compare +# $2 The second version to compare +# $3 The variable where to store the last one +function get_latest_of_two { + local __first=$1 + local __second=$2 + local __result + local __latest=$3 + compare_versions $__first $__second __result + case $__result in + 0) + eval "$__latest=$__second" + ;; + -1) + eval "$__latest=$__second" + ;; + 1) + eval "$__latest=$__first" + ;; + esac +} + +# Assigns a 2 size array with the identifier, having the identifier at pos 0, and the number in pos 1 +# $1 The identifier in the format -id.# +# $2 The vferiable where to store the 2 size array +function explode_identifier { + local __identifier=$1 + local __result=$2 + if [[ $__identifier =~ $IDENTIFIER_REGEX ]] ; then + local __id=${BASH_REMATCH[1]} + local __number=${BASH_REMATCH[2]} + if [[ -z "$__number" ]]; then + __number=1 + fi + eval "$__result=(\"$__id\" \"$__number\")" + else + eval "$__result=" + fi +} + +# Gets a list of tags and assigns the base and latest versions +# Receives an array with the tags containing the versions +# Assigns to the global variables finalversion and lastversion the final version and the latest version +function get_latest { + local __taglist=("$@") + local __tagsnumber=${#__taglist[@]} + local __current + case $__tagsnumber in + 0) + finalversion=$FIRST_VERSION + lastversion=$FIRST_VERSION + ;; + 1) + 
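Review bot: the identifier comparison is a plain string comparison (`[[ "$__identifierfirst" > "$__identifiersecond" ]]`), so `-rc.10` sorts below `-rc.9` and `get_latest` will pick the wrong release candidate once a prerelease counter reaches two digits; split the identifier with `explode_identifier` and compare the numeric part with `-gt`. Related: `IDENTIFIER_REGEX` makes the `.` mandatory, so a valid tag like `v1.0.0-beta` (no number) does not match, `explode_identifier` returns an empty array, and `bump_version` then treats it as a different identifier; accepting an optional `(\.([0-9]+))?` suffix and defaulting to 1 would handle that case.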
__current=${__taglist[0]} + explode_version $__current ver + if [ -n "$ver" ]; then + if [ -n "${ver[3]}" ]; then + finalversion=$FIRST_VERSION + else + finalversion=$__current + fi + lastversion=$__current + else + finalversion=$FIRST_VERSION + lastversion=$FIRST_VERSION + fi + ;; + *) + local __lastpos=$(($__tagsnumber-1)) + for i in $(seq 0 $__lastpos) + do + __current=${__taglist[i]} + explode_version ${__taglist[i]} ver + if [ -n "$ver" ]; then + if [ -z "${ver[3]}" ]; then + get_latest_of_two $finalversion $__current finalversion + get_latest_of_two $lastversion $finalversion lastversion + else + get_latest_of_two $lastversion $__current lastversion + fi + fi + done + ;; + esac + + if git rev-parse -q --verify "refs/tags/$lastversion" >/dev/null; then + hasversiontag="true" + else + hasversiontag="false" + fi +} + +# Gets the next version given the provided scope +# $1 The version that is going to be bumped +# $2 The scope to bump +# $3 The variable where to stoer the result +function get_next_version { + local __exploded + local __fromversion=$1 + local __scope=$2 + local __result=$3 + explode_version $__fromversion __exploded + case $__scope in + major) + __exploded[0]=$((${__exploded[0]}+1)) + __exploded[1]=0 + __exploded[2]=0 + ;; + minor) + __exploded[1]=$((${__exploded[1]}+1)) + __exploded[2]=0 + ;; + patch) + __exploded[2]=$((${__exploded[2]}+1)) + ;; + esac + + eval "$__result=v${__exploded[0]}.${__exploded[1]}.${__exploded[2]}" +} + +function bump_version { + ## First we try to get the next version based on the existing last one + if [ "$scope" == "auto" ]; then + get_scope_auto scope + fi + + local __candidatefromlast=$FIRST_VERSION + local __explodedlast + explode_version $lastversion __explodedlast + if [[ -n "${__explodedlast[3]}" ]]; then + # Last version is not final + local __idlast + explode_identifier ${__explodedlast[3]} __idlast + + # We get the last, given the desired id based on the scope + 
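Review bot: `get_next_version` has no default `*)` case, so a mistyped scope (for example `-s mnior`) returns the input version unchanged instead of failing; the mistake only surfaces much later when `git tag -a` refuses the already existing tag. Validate `scope` against `major|minor|patch|auto` right after getopts and `exit 1` with a message. Minor: `explode_version $__current ver` in `get_latest` writes to a global `ver`; declare it `local`.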
__candidatefromlast="v${__explodedlast[0]}.${__explodedlast[1]}.${__explodedlast[2]}" + if [[ -n "$identifier" ]]; then + local __nextid="$identifier.1" + if [ "$identifier" == "${__idlast[0]}" ]; then + # We target the same identifier as the last so we increase one + __nextid="$identifier.$(( ${__idlast[1]}+1 ))" + __candidatefromlast="$__candidatefromlast-$__nextid" + else + # Different identifiers, we make sure we are assigning a higher identifier, if not, we increase the version + __candidatefromlast="$__candidatefromlast-$__nextid" + local __comparedwithlast + compare_versions $__candidatefromlast $lastversion __comparedwithlast + if [ "$__comparedwithlast" == -1 ]; then + get_next_version $__candidatefromlast $scope __candidatefromlast + __candidatefromlast="$__candidatefromlast-$__nextid" + fi + fi + fi + fi + + # Then we try to get the version based on the latest final one + local __candidatefromfinal=$FIRST_VERSION + get_next_version $finalversion $scope __candidatefromfinal + if [[ -n "$identifier" ]]; then + __candidatefromfinal="$__candidatefromfinal-$identifier.1" + fi + + # Finally we compare both candidates + local __resultversion + local __result + compare_versions $__candidatefromlast $__candidatefromfinal __result + case $__result in + 0) + __resultversion=$__candidatefromlast + ;; + -1) + __resultversion="$__candidatefromfinal" + ;; + 1) + __resultversion=$__candidatefromlast + ;; + esac + + eval "$1=$__resultversion" +} + +function increase_version { + local __version= + + if [ -z $forcedversion ]; then + bump_version __version + else + if [[ $forcedversion =~ $SEMVER_REGEX ]] ; then + compare_versions $forcedversion $lastversion __result + if [ $__result -le 0 ]; then + echo "Version can't be lower than last version: $lastversion" + exit 1 + fi + else + echo "Non valid version to bump" + exit 1 + fi + __version=$forcedversion + fi + + if [ "$displayonly" == "true" ]; then + echo "$__version" + else + if [ "$forcetag" == "false" ]; then + 
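Review bot: in `increase_version`, a forced version passed as `-v 1.2.3` (no `v`) passes `SEMVER_REGEX` because of the optional `v?` and is tagged verbatim, while every version the script generates is `v`-prefixed; normalise by prepending `v` when it is absent so tag names stay consistent. Also `compare_versions $forcedversion $lastversion __result` stores into an undeclared global `__result`, and `[ -z $forcedversion ]` should quote the variable.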
check_git_dirty_status + fi + local __commitlist + if [ "$finalversion" == "$FIRST_VERSION" ] || [ "$hasversiontag" != "true" ]; then + __commitlist="$(git log --pretty=oneline | cat)" + else + __commitlist="$(git log --pretty=oneline $finalversion... | cat)" + fi + + # If we are forcing a bump, we add bump to the commit list + if [[ -z $__commitlist && "$forcetag" == "true" ]]; then + __commitlist="bump" + fi + + if [[ -z $__commitlist ]]; then + echo "No commits since the last final version, not bumping version" + else + if [[ -z $versionname ]]; then + versionname=$(date -u +"%Y-%m-%dT%H:%M:%SZ") + fi + local __message="$versionname +$__commitlist" + + # We check we have info on the user + local __username=$(git config user.name) + if [ -z "$__username" ]; then + __username=$(id -u -n) + git config user.name $__username + fi + local __useremail=$(git config user.email) + if [ -z "$__useremail" ]; then + __useremail=$(hostname) + git config user.email "$__username@$__useremail" + fi + + git tag -a $__version -m "$__message" + + # If we have a remote, we push there + local __remotes=$(git remote) + if [[ -n $__remotes ]]; then + for __remote in $__remotes; do + git push $__remote $__version > /dev/null + if [ $? 
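Review bot: when `user.name` or `user.email` is unset, the script silently writes them into the repository's git config (`git config user.name $__username`, `git config user.email "$__username@$__useremail"`), using the login name and the hostname as an email address; a release tool should not mutate the user's git configuration, so fail with a clear message instead. The push loop also pushes the new tag to every remote listed by `git remote`; prefer an explicit remote (default `origin`) or a flag, since a developer's fork or a personal mirror is commonly configured as an extra remote.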
-eq 0 ]; then + echo "$__version pushed to $__remote" + else + echo "Error pushing the tag $__version to $__remote" + exit 1 + fi + done + else + echo "$__version" + fi + fi + fi +} + +function check_git_dirty_status { + local __repostatus= + get_work_tree_status __repostatus + + if [ "$__repostatus" == "uncommitted" ]; then + echo "ERROR: You have uncommitted changes" + git status --porcelain + exit 1 + fi + + if [ "$__repostatus" == "unstaged" ]; then + echo "ERROR: You have unstaged changes" + git status --porcelain + exit 1 + fi +} + +# Get the total amount of lines of code in the repo +function get_total_lines { + local __empty_id="$(git hash-object -t tree /dev/null)" + local __changes="$(git diff --numstat $__empty_id | cat)" + local __added_deleted=$1 + get_changed_lines "$__changes" $__added_deleted +} + +# Get the total amount of lines of code since the provided tag +function get_sincetag_lines { + local __sincetag=$1 + local __changes="$(git diff --numstat $__sincetag | cat)" + local __added_deleted=$2 + get_changed_lines "$__changes" $__added_deleted +} + +function get_changed_lines { + local __changes_numstat=$1 + local __result=$2 + IFS=$'\n' read -rd '' -a __changes_array <<<"$__changes_numstat" + local __diff_regex="^([0-9]+)[[:space:]]+([0-9]+)[[:space:]]+.+$" + + local __total_added=0 + local __total_deleted=0 + for i in "${__changes_array[@]}" + do + if [[ $i =~ $__diff_regex ]] ; then + local __added=${BASH_REMATCH[1]} + local __deleted=${BASH_REMATCH[2]} + __total_added=$(( $__total_added+$__added )) + __total_deleted=$(( $__total_deleted+$__deleted )) + fi + done + eval "$2=( $__total_added $__total_deleted )" +} + +function get_scope_auto { + local __verbose=$2 + local __total=0 + local __since=0 + local __scope= + + get_total_lines __total + get_sincetag_lines $finalversion __since + + local __percentage=0 + if [ "$__total" != "0" ]; then + local __percentage=$(( 100*$__since/$__total )) + if [ $__percentage -gt "10" ]; then + 
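Review bot: `get_scope_auto` runs `get_sincetag_lines $finalversion`, but when no final tag exists `finalversion` is the placeholder `v0.0.0`, so `git diff --numstat v0.0.0` fails with a `bad revision` error on stderr and `__since` stays 0, silently producing `patch`. Guard it with `git rev-parse -q --verify "refs/tags/$finalversion"` the way `get_latest` does for `lastversion`, or fall back to `get_total_lines`.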
__scope="minor" + else + __scope="patch" + fi + fi + + eval "$1=$__scope" + if [[ -n "$__verbose" ]]; then + echo "[Auto Scope] Percentage of lines changed: $__percentage" + echo "[Auto Scope] : $__scope" + fi +} + +function get_work_tree_status { + # Update the index + git update-index -q --ignore-submodules --refresh > /dev/null + eval "$1=" + + if ! git diff-files --quiet --ignore-submodules -- > /dev/null + then + eval "$1=unstaged" + fi + + if ! git diff-index --cached --quiet HEAD --ignore-submodules -- > /dev/null + then + eval "$1=uncommitted" + fi +} + +function get_current { + if [ "$hasversiontag" == "true" ]; then + local __commitcount="$(git rev-list $lastversion.. --count)" + else + local __commitcount="$(git rev-list --count HEAD)" + fi + local __status= + get_work_tree_status __status + + if [ "$__commitcount" == "0" ] && [ -z "$__status" ]; then + eval "$1=$lastversion" + else + local __buildinfo="$(git rev-parse --short HEAD)" + local __currentbranch="$(git rev-parse --abbrev-ref HEAD)" + if [ "$__currentbranch" != "master" ]; then + __buildinfo="$__currentbranch.$__buildinfo" + fi + + local __suffix= + if [ "$__commitcount" != "0" ]; then + if [ -n "$__suffix" ]; then + __suffix="$__suffix." + fi + __suffix="$__suffix$__commitcount" + fi + if [ -n "$__status" ]; then + if [ -n "$__suffix" ]; then + __suffix="$__suffix." 
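Review bot: `get_current` builds the build metadata as `$__currentbranch.$__buildinfo`, so on a branch such as `feature/x` the result is `v1.2.4-dev.3+feature/x.abc1234`; `/` is not allowed in semver build metadata and the string would fail the script's own `SEMVER_REGEX`. Sanitise the branch name (for example `tr -c '0-9A-Za-z.-' '-'`) before appending it. The function also assigns the globals `scope` and `identifier` directly; make those local to avoid surprising callers.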
+ fi + __suffix="$__suffix$__status" + fi + + __suffix="$__suffix+$__buildinfo" + if [ "$lastversion" == "$finalversion" ]; then + scope="patch" + identifier= + local __bumped= + bump_version __bumped + eval "$1=$__bumped-dev.$__suffix" + else + eval "$1=$lastversion.$__suffix" + fi + fi +} + +function init { + git fetch > /dev/null + TAGS="$(git tag)" + IFS=$'\n' read -rd '' -a TAG_ARRAY <<<"$TAGS" + + get_latest ${TAG_ARRAY[@]} + currentbranch="$(git rev-parse --abbrev-ref HEAD)" +} + +case $ACTION in + --help) + echo -e "$HELP" + ;; + --version) + echo -e "${PROG}: $PROG_VERSION" + ;; + final) + init + diff=$(git diff master | cat) + if [ "$forcetag" == "false" ]; then + if [ -n "$diff" ]; then + echo "ERROR: Branch must be updated with master for final versions" + exit 1 + fi + fi + increase_version + ;; + alpha|beta) + init + identifier="$ACTION" + increase_version + ;; + candidate) + init + identifier="rc" + increase_version + ;; + getlast) + init + echo "$lastversion" + ;; + getfinal) + init + echo "$finalversion" + ;; + getcurrent) + init + get_current current + echo "$current" + ;; + get) + init + echo "Current final version: $finalversion" + echo "Last tagged version: $lastversion" + ;; + *) + echo "'$ACTION' is not a valid command, see --help for available commands." + ;; +esac From 3c064aa2a975a2fa71a7bd9e5944ff60a26c5b2e Mon Sep 17 00:00:00 2001 From: "Thierno IB. BARRY" Date: Tue, 17 Mar 2020 15:16:57 +0100 Subject: [PATCH 28/47] fix: fix git-chglog configuration (#802) --- .chglog/config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.chglog/config.yml b/.chglog/config.yml index e9fff99ed6..4e569d466c 100644 --- a/.chglog/config.yml +++ b/.chglog/config.yml @@ -31,7 +31,7 @@ options: chore: CHORES header: - pattern: "^(\\.+)\\s*:\\s*(.+)$" + pattern: "^(.+)\\s*:\\s*(.+)$" pattern_maps: - Type - Subject From a6583a33714723ea71da26eb5951eef6afbfd5fa Mon Sep 17 00:00:00 2001 
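Review bot: the `final` command checks `git diff master`, which compares the working tree with the local `master` ref; `init` only runs `git fetch`, which updates remote-tracking branches, so a stale local `master` passes the "must be updated with master" check. Compare against `origin/master` (or check `git rev-list --count origin/master..HEAD`). The help text also says `final` "only can be done on the master branch", but `currentbranch` computed in `init` is never compared to `master`, and the `*)` branch prints an error yet exits 0, so `make release` would succeed on an invalid command; add `exit 1` there.

Review bot: in `.chglog/config.yml` the new header pattern `^(.+)\\s*:\\s*(.+)$` is greedy on the first group, so a subject such as `fix: handle foo: bar` is split at the last colon and yields Type `fix: handle foo`. Restricting the type to non-colon characters, e.g. `"^([^:]+)\\s*:\\s*(.+)$"`, keeps `fix` and `fix(ci)` as the type and the remainder as the subject.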
From: "Thierno IB. BARRY" Date: Tue, 17 Mar 2020 15:29:59 +0100 Subject: [PATCH 29/47] fix: fix git-chglog template to format changelog `Type` nicely (#803) --- .chglog/CHANGELOG.tpl.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.chglog/CHANGELOG.tpl.md b/.chglog/CHANGELOG.tpl.md index 52d22241c0..7662c4d6c7 100644 --- a/.chglog/CHANGELOG.tpl.md +++ b/.chglog/CHANGELOG.tpl.md @@ -14,14 +14,14 @@ project adheres to [Semantic Versioning](http://semver.org/). {{ range .Commits -}} {{- if .Subject -}} - {{ if .Scope }}**{{ .Scope }}:** {{ end }}{{ .Subject }} -{{- end -}} +{{ end -}} {{ end }} {{ end -}} {{ else }} {{ range .Unreleased.Commits -}} {{- if .Subject -}} - {{ if .Scope }}**{{ .Scope }}:** {{ end }}{{ .Subject }} -{{- end -}} +{{ end -}} {{ end }} {{ end -}} {{ end -}} @@ -35,14 +35,14 @@ project adheres to [Semantic Versioning](http://semver.org/). {{ range .Commits -}} {{- if .Subject -}} - {{ if .Scope }}**{{ .Scope }}:** {{ end }}{{ .Subject }} -{{- end -}} +{{ end -}} {{ end }} {{ end -}} {{ else }} {{ range .Commits -}} {{- if .Subject -}} - {{ if .Scope }}**{{ .Scope }}:** {{ end }}{{ .Subject }} -{{- end -}} +{{ end -}} {{ end }} {{ end -}} From cd8a825a5a89743fa051263121507e15982eae93 Mon Sep 17 00:00:00 2001 From: Max Williams Date: Tue, 17 Mar 2020 16:36:34 +0100 Subject: [PATCH 30/47] test: remove unused kitchen test related stuff (#787) Co-authored-by: Thierno IB. BARRY --- .gitignore | 2 -- .kitchen.yml | 20 -------------------- .ruby-version | 1 - Gemfile | 9 --------- README.md | 22 ---------------------- test/integration/default/test_eks.rb | 9 --------- 6 files changed, 63 deletions(-) delete mode 100644 .kitchen.yml delete mode 100644 .ruby-version delete mode 100644 Gemfile delete mode 100644 test/integration/default/test_eks.rb diff --git a/.gitignore b/.gitignore index 6128b4ba23..6b31084d05 100644 --- a/.gitignore +++ b/.gitignore 
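Review bot: the same six-line commit loop (`range ... {{- if .Subject -}} ... {{ end }}`) is now patched identically in four places in `.chglog/CHANGELOG.tpl.md`; since this is a Go text/template, moving it into a `{{ define "commits" }}` block and invoking it with `{{ template "commits" .Commits }}` would keep the four copies from drifting the next time the formatting changes.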
@@ -3,8 +3,6 @@ .terraform/ **/inspec.lock *.gem -.kitchen/ -.kitchen.local.yml Gemfile.lock terraform.tfstate.d/ eks-admin-cluster-role-binding.yaml diff --git a/.kitchen.yml b/.kitchen.yml deleted file mode 100644 index b185344d90..0000000000 --- a/.kitchen.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- -driver: - name: "terraform" - root_module_directory: "examples/basic" - -provisioner: - name: "terraform" - -platforms: - - name: "aws" - -verifier: - name: "awspec" - -suites: - - name: "default" - verifier: - name: "awspec" - patterns: - - "test/integration/default/test_eks.rb" diff --git a/.ruby-version b/.ruby-version deleted file mode 100644 index 7bf4b6a8ae..0000000000 --- a/.ruby-version +++ /dev/null @@ -1 +0,0 @@ -2.4.6 diff --git a/Gemfile b/Gemfile deleted file mode 100644 index 57a0c15c31..0000000000 --- a/Gemfile +++ /dev/null @@ -1,9 +0,0 @@ -# frozen_string_literal: true - -ruby '2.4.6' - -source 'https://rubygems.org/' do - gem 'awspec', '~> 1.4.2' - gem 'kitchen-terraform', '~> 3.2' - gem 'kitchen-verifier-awspec', '~> 0.1.1' -end diff --git a/README.md b/README.md index 930961a988..3bac8faaeb 100644 --- a/README.md +++ b/README.md 
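Review bot: `.gitignore` still lists `Gemfile.lock`, `*.gem` and `**/inspec.lock` although this patch deletes the `Gemfile`, `.ruby-version` and the kitchen/awspec tests that produced those files; remove the three entries as well so the ignore file does not reference tooling the repository no longer uses.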
@@ -94,28 +94,6 @@ module "eks" { * [IAM Permissions](https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/docs/iam-permissions.md): Minimum IAM permissions needed to setup EKS Cluster. * [FAQ](https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/docs/faq.md): Frequently Asked Questions -## Testing - -This module has been packaged with [awspec](https://github.com/k1LoW/awspec) tests through [kitchen](https://kitchen.ci/) and [kitchen-terraform](https://newcontext-oss.github.io/kitchen-terraform/). To run them: - -1. Install [rvm](https://rvm.io/rvm/install) and the ruby version specified in the [Gemfile](https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/Gemfile). -2. Install bundler and the gems from our Gemfile: - - ```bash - gem install bundler && bundle install - ``` - -3. Ensure your AWS environment is configured (i.e. credentials and region) for test. -4. Test using `bundle exec kitchen test` from the root of the repo. - -For now, connectivity to the kubernetes cluster is not tested but will be in the -future. Once the test fixture has converged, you can query the test cluster from -that terminal session with -```bash -kubectl get nodes --watch --kubeconfig kubeconfig -``` -(using default settings `config_output_path = "./"` & `write_kubeconfig = true`) - ## Doc generation Code formatting and documentation for variables and outputs is generated using [pre-commit-terraform hooks](https://github.com/antonbabenko/pre-commit-terraform) which uses [terraform-docs](https://github.com/segmentio/terraform-docs). diff --git a/test/integration/default/test_eks.rb b/test/integration/default/test_eks.rb deleted file mode 100644 index acf27844f6..0000000000 --- a/test/integration/default/test_eks.rb +++ /dev/null 
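Review bot: deleting the `## Testing` section leaves the README with no statement of how the module is tested; a one-line replacement (either that the kitchen/awspec integration tests were removed, or a pointer to the CI job that now validates the module and examples) would keep contributors from looking for the old `bundle exec kitchen test` flow.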
@@ -1,9 +0,0 @@ -# frozen_string_literal: true - -require 'awspec' - -# rubocop:disable LineLength -state_file = 'terraform.tfstate.d/kitchen-terraform-default-aws/terraform.tfstate' -tf_state = JSON.parse(File.open(state_file).read) -region = tf_state['modules'][0]['outputs']['region']['value'] -ENV['AWS_REGION'] = region From 2c98a00b21100238580283a05a7ca5222b91b712 Mon Sep 17 00:00:00 2001 From: Daniel Piddock <33028589+dpiddockcmp@users.noreply.github.com> Date: Tue, 17 Mar 2020 19:06:09 +0100 Subject: [PATCH 31/47] improvement: Add timeout to default wait_for_cluster_cmd (#791) --- README.md | 2 +- variables.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 3bac8faaeb..70e6225d60 100644 --- a/README.md +++ b/README.md 
@@ -176,7 +176,7 @@ MIT Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-a | subnets | A list of subnets to place the EKS cluster and workers within. | `list(string)` | n/a | yes | | tags | A map of tags to add to all resources. | `map(string)` | `{}` | no | | vpc\_id | VPC where the cluster and workers will be deployed. | `string` | n/a | yes | -| wait\_for\_cluster\_cmd | Custom local-exec command to execute for determining if the eks cluster is healthy. Cluster endpoint will be available as an environment variable called ENDPOINT | `string` | `"until wget --no-check-certificate -O - -q $ENDPOINT/healthz \u003e/dev/null; do sleep 4; done"` | no | +| wait\_for\_cluster\_cmd | Custom local-exec command to execute for determining if the eks cluster is healthy. Cluster endpoint will be available as an environment variable called ENDPOINT | `string` | `"for i in `seq 1 60`; do wget --no-check-certificate -O - -q $ENDPOINT/healthz \u003e/dev/null \u0026\u0026 exit 0 \|\| true; sleep 5; done; echo TIMEOUT \u0026\u0026 exit 1"` | no | | worker\_additional\_security\_group\_ids | A list of additional security group ids to attach to worker instances | `list(string)` | `[]` | no | | worker\_ami\_name\_filter | Name filter for AWS EKS worker AMI. If not provided, the latest official AMI for the specified 'cluster\_version' is used. | `string` | `""` | no | | worker\_ami\_name\_filter\_windows | Name filter for AWS EKS Windows worker AMI. If not provided, the latest official AMI for the specified 'cluster\_version' is used. | `string` | `""` | no | diff --git a/variables.tf b/variables.tf index 925b7b3109..c77bdcd479 100644 --- a/variables.tf +++ b/variables.tf 
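Review bot: the new default for `wait_for_cluster_cmd` contains backticks (`` `seq 1 60` ``), and this table cell is itself wrapped in backticks, so the generated README row breaks the code span and renders as mixed code and plain text. Since terraform-docs regenerates this table from `variables.tf`, the fix belongs in the default value there (`$(seq 1 60)` or a `while` loop) rather than in the README.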
@@ -201,7 +201,7 @@ variable "cluster_delete_timeout" { variable "wait_for_cluster_cmd" { description = "Custom local-exec command to execute for determining if the eks cluster is healthy. Cluster endpoint will be available as an environment variable called ENDPOINT" type = string - default = "until wget --no-check-certificate -O - -q $ENDPOINT/healthz >/dev/null; do sleep 4; done" + default = "for i in `seq 1 60`; do wget --no-check-certificate -O - -q $ENDPOINT/healthz >/dev/null && exit 0 || true; sleep 5; done; echo TIMEOUT && exit 1" } variable "cluster_create_security_group" { From e8a1ce17d8a664babafb0963569af61a77c4cd76 Mon Sep 17 00:00:00 2001 From: Daniel Piddock <33028589+dpiddockcmp@users.noreply.github.com> Date: Wed, 18 Mar 2020 08:54:57 +0100 Subject: [PATCH 32/47] fix: Create `false` and avoid waiting forever for a non-existent cluster to respond (#789) --- cluster.tf | 2 +- examples/create_false/main.tf | 30 ++++++++++++++++++++++++++++++ examples/create_false/variables.tf | 3 +++ 3 files changed, 34 insertions(+), 1 deletion(-) create mode 100644 examples/create_false/main.tf create mode 100644 examples/create_false/variables.tf diff --git a/cluster.tf b/cluster.tf index 2e0ca6862a..c558e52a66 100644 --- a/cluster.tf +++ b/cluster.tf @@ -46,7 +46,7 @@ resource "aws_eks_cluster" "this" { } resource "null_resource" "wait_for_cluster" { - count = var.manage_aws_auth ? 1 : 0 + count = var.create_eks && var.manage_aws_auth ? 1 : 0 depends_on = [ aws_eks_cluster.this[0] diff --git a/examples/create_false/main.tf b/examples/create_false/main.tf new file mode 100644 index 0000000000..86604aacdd --- /dev/null +++ b/examples/create_false/main.tf 
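Review bot: in the `wait_for_cluster_cmd` default, `` `seq 1 60` `` relies on `seq`, which is not POSIX and is absent from some minimal images used to run Terraform; `i=0; while [ $i -lt 60 ]; do ...; i=$((i+1)); done` is portable and also avoids the backtick rendering problem in the generated docs. The bounded loop with `echo TIMEOUT && exit 1` is the right change, since it makes the `null_resource` fail after 5 minutes instead of hanging. Worth a comment on the variable: `--no-check-certificate` is acceptable here only because this is an unauthenticated readiness probe of `/healthz` against an endpoint obtained from the AWS API (the cluster certificate is signed by the cluster's own CA, not a public one), and nobody should copy the flag into a command that sends credentials.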
@@ -0,0 +1,30 @@ +provider "aws" { + region = var.region +} + +data "aws_eks_cluster" "cluster" { + count = 0 + name = module.eks.cluster_id +} + +data "aws_eks_cluster_auth" "cluster" { + count = 0 + name = module.eks.cluster_id +} + +provider "kubernetes" { + host = element(concat(data.aws_eks_cluster.cluster[*].endpoint, list("")), 0) + cluster_ca_certificate = base64decode(element(concat(data.aws_eks_cluster.cluster[*].certificate_authority.0.data, list("")), 0)) + token = element(concat(data.aws_eks_cluster_auth.cluster[*].token, list("")), 0) + load_config_file = false + version = "~> 1.11" +} + +module "eks" { + source = "../.." + create_eks = false + + vpc_id = "" + cluster_name = "" + subnets = [] +} diff --git a/examples/create_false/variables.tf b/examples/create_false/variables.tf new file mode 100644 index 0000000000..81b8dbe73e --- /dev/null +++ b/examples/create_false/variables.tf @@ -0,0 +1,3 @@ +variable "region" { + default = "us-west-2" +} From 3957a7c02c9bf1d3f392bdf31a8f13af3bd7df25 Mon Sep 17 00:00:00 2001 From: Daniel Piddock <33028589+dpiddockcmp@users.noreply.github.com> Date: Wed, 18 Mar 2020 08:58:19 +0100 Subject: [PATCH 33/47] improvement: Generate `aws-auth` configmap's roles from Object. No more string concat. (#790) Do not use string concat to generate a YAML data structure Co-authored-by: Thierno IB. BARRY --- aws_auth.tf | 114 +++++++++++++++++++++----------------- templates/worker-role.tpl | 8 --- 2 files changed, 62 insertions(+), 60 deletions(-) delete mode 100644 templates/worker-role.tpl diff --git a/aws_auth.tf b/aws_auth.tf index 487763b68e..6c41f753e0 100644 --- a/aws_auth.tf +++ b/aws_auth.tf 
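Review bot: `examples/create_false/main.tf` hardcodes `count = 0` on both data sources while the module gets `create_eks = false`, so the example does not show how the two must be kept in lockstep; a `locals { create_eks = false }` used in `count = local.create_eks ? 1 : 0` and in the module call would demonstrate the pattern users need to copy. Also `list("")` is deprecated in Terraform 0.12 in favour of a literal `[""]` (or `tolist`), and `certificate_authority.0.data` can be written `certificate_authority[0].data`.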
@@ -1,52 +1,61 @@ data "aws_caller_identity" "current" { } -data "template_file" "launch_template_worker_role_arns" { - count = var.create_eks ? local.worker_group_launch_template_count : 0 - template = file("${path.module}/templates/worker-role.tpl") +locals { + auth_launch_template_worker_roles = [ + for index in range(0, var.create_eks ? local.worker_group_launch_template_count : 0) : { + worker_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${element( + coalescelist( + aws_iam_instance_profile.workers_launch_template.*.role, + data.aws_iam_instance_profile.custom_worker_group_launch_template_iam_instance_profile.*.role_name, + ), + index + )}" + platform = lookup( + var.worker_groups_launch_template[index], + "platform", + local.workers_group_defaults["platform"] + ) + } + ] - vars = { - worker_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${element( - coalescelist( - aws_iam_instance_profile.workers_launch_template.*.role, - data.aws_iam_instance_profile.custom_worker_group_launch_template_iam_instance_profile.*.role_name, - ), - count.index, - )}" - platform = lookup( - var.worker_groups_launch_template[count.index], - "platform", - local.workers_group_defaults["platform"] - ) - } -} - -data "template_file" "worker_role_arns" { - count = var.create_eks ? local.worker_group_count : 0 - template = file("${path.module}/templates/worker-role.tpl") - - vars = { - worker_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${element( - coalescelist( - aws_iam_instance_profile.workers.*.role, - data.aws_iam_instance_profile.custom_worker_group_iam_instance_profile.*.role_name, - [""] - ), - count.index, - )}" - platform = lookup( - var.worker_groups[count.index], - "platform", - local.workers_group_defaults["platform"] - ) - } -} - -data "template_file" "node_group_arns" { - count = var.create_eks ? 
length(module.node_groups.aws_auth_roles) : 0 - template = file("${path.module}/templates/worker-role.tpl") + auth_worker_roles = [ + for index in range(0, var.create_eks ? local.worker_group_count : 0) : { + worker_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${element( + coalescelist( + aws_iam_instance_profile.workers.*.role, + data.aws_iam_instance_profile.custom_worker_group_iam_instance_profile.*.role_name, + [""] + ), + index, + )}" + platform = lookup( + var.worker_groups[index], + "platform", + local.workers_group_defaults["platform"] + ) + } + ] - vars = module.node_groups.aws_auth_roles[count.index] + # Convert to format needed by aws-auth ConfigMap + configmap_roles = [ + for role in concat( + local.auth_launch_template_worker_roles, + local.auth_worker_roles, + module.node_groups.aws_auth_roles, + ) : + { + rolearn = role["worker_role_arn"] + username = "system:node:{{EC2PrivateDNSName}}" + groups = concat( + [ + "system:bootstrappers", + "system:nodes", + ], + role["platform"] == "windows" ? ["eks:kube-proxy-windows"] : [] + ) + } + ] } resource "kubernetes_config_map" "aws_auth" { @@ -59,12 +68,13 @@ resource "kubernetes_config_map" "aws_auth" { } data = { - mapRoles = < Date: Wed, 18 Mar 2020 09:04:17 +0100 Subject: [PATCH 34/47] fix: Do not recreate cluster when no SG given (#798) --- cluster.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cluster.tf b/cluster.tf index c558e52a66..c5be4b657a 100644 --- a/cluster.tf +++ b/cluster.tf @@ -15,7 +15,7 @@ resource "aws_eks_cluster" "this" { tags = var.tags vpc_config { - security_group_ids = [local.cluster_security_group_id] + security_group_ids = compact([local.cluster_security_group_id]) subnet_ids = var.subnets endpoint_private_access = var.cluster_endpoint_private_access endpoint_public_access = var.cluster_endpoint_public_access From 89401f1623c7d88ccd41f9a1b9bf03802f2c3aab Mon Sep 17 00:00:00 2001 
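Review bot: the new `auth_launch_template_worker_roles` and `auth_worker_roles` locals still build role ARNs as `"arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/..."`, which hardcodes the `aws` partition and produces wrong ARNs in GovCloud (`aws-us-gov`) and China (`aws-cn`); now that this is a single expression rather than a template file, it is a good moment to switch to `arn:${data.aws_partition.current.partition}:iam::...`. Minor inconsistency: `auth_worker_roles` passes a `[""]` fallback to `coalescelist` while `auth_launch_template_worker_roles` does not.

Review bot: `compact([local.cluster_security_group_id])` in `cluster.tf` deserves an inline comment explaining that an empty string in `security_group_ids` forces a plan diff and cluster replacement, which is why the element is stripped; without it, the next person to "simplify" the expression back to `[local.cluster_security_group_id]` reintroduces the recreate.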
From: Daniel Piddock <33028589+dpiddockcmp@users.noreply.github.com> Date: Wed, 18 Mar 2020 09:09:32 +0100 Subject: [PATCH 35/47] fix: Add node_group direct dependency on eks_cluster (#796) Setting `manage_aws_auth = false` removes the ordering dependency between node_group and eks_cluster generating an error on first apply. This fixes that use case. Fixes #793 --- node_groups.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/node_groups.tf b/node_groups.tf index 2c689c3818..5c2b92eb4e 100644 --- a/node_groups.tf +++ b/node_groups.tf @@ -4,7 +4,7 @@ data "null_data_source" "node_groups" { count = var.create_eks ? 1 : 0 inputs = { - cluster_name = var.cluster_name + cluster_name = aws_eks_cluster.this[0].name # Ensure these resources are created before "unlocking" the data source. # `depends_on` causes a refresh on every run so is useless here. From 0c1ed0e6e9f5dbf34dfde0549f4409ab6af66383 Mon Sep 17 00:00:00 2001 From: Daniel Piddock <33028589+dpiddockcmp@users.noreply.github.com> Date: Wed, 18 Mar 2020 13:56:51 +0100 Subject: [PATCH 36/47] Improvement: Require kubernetes provider >=1.11.1 (#784) BREAKING CHANGE: The terraform-aws-eks module now require at least kubernetes `1.11.1`. This may cause terraform to fail to init if users have set version = "1.10" like we had in the examples. --- README.md | 2 +- examples/basic/main.tf | 2 +- examples/irsa/main.tf | 2 +- examples/launch_templates/main.tf | 2 +- examples/managed_node_groups/main.tf | 2 +- examples/secrets_encryption/main.tf | 2 +- examples/spot_instances/main.tf | 2 +- versions.tf | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 70e6225d60..a5ee7f8d14 100644 --- a/README.md +++ b/README.md 
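Review bot: `cluster_name = aws_eks_cluster.this[0].name` in `node_groups.tf` is only safe because the `null_data_source` carries the same `count = var.create_eks ? 1 : 0` guard as the cluster resource; since the comment block right below already explains the ordering trick, add one line noting that the two `count` expressions must stay identical, otherwise `this[0]` fails on `create_eks = false`.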
@@ -129,7 +129,7 @@ MIT Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-a | Name | Version | |------|---------| | aws | >= 2.52.0 | -| kubernetes | >= 1.6.2 | +| kubernetes | >= 1.11.1 | | local | >= 1.2 | | null | >= 2.1 | | random | >= 2.1 | diff --git a/examples/basic/main.tf b/examples/basic/main.tf index ee1d9bc251..4ce49b95b9 100644 --- a/examples/basic/main.tf +++ b/examples/basic/main.tf @@ -36,7 +36,7 @@ provider "kubernetes" { cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data) token = data.aws_eks_cluster_auth.cluster.token load_config_file = false - version = "1.10" + version = "~> 1.11" } data "aws_availability_zones" "available" { diff --git a/examples/irsa/main.tf b/examples/irsa/main.tf index 0fd934d44f..849db9c28f 100644 --- a/examples/irsa/main.tf +++ b/examples/irsa/main.tf @@ -32,7 +32,7 @@ provider "kubernetes" { cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data) token = data.aws_eks_cluster_auth.cluster.token load_config_file = false - version = "1.10" + version = "~> 1.11" } data "aws_availability_zones" "available" {} diff --git a/examples/launch_templates/main.tf b/examples/launch_templates/main.tf index a8d0ec62fe..d76a13c561 100644 --- a/examples/launch_templates/main.tf +++ b/examples/launch_templates/main.tf @@ -36,7 +36,7 @@ provider "kubernetes" { cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data) token = data.aws_eks_cluster_auth.cluster.token load_config_file = false - version = "1.10" + version = "~> 1.11" } data "aws_availability_zones" "available" { diff --git a/examples/managed_node_groups/main.tf b/examples/managed_node_groups/main.tf index adb5cfe70c..eed19c24ff 100644 --- a/examples/managed_node_groups/main.tf +++ b/examples/managed_node_groups/main.tf 
@@ -36,7 +36,7 @@ provider "kubernetes" { cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data) token = data.aws_eks_cluster_auth.cluster.token load_config_file = false - version = "1.10" + version = "~> 1.11" } data "aws_availability_zones" "available" { diff --git a/examples/secrets_encryption/main.tf b/examples/secrets_encryption/main.tf index 5c4b861be0..1a639e1d20 100644 --- a/examples/secrets_encryption/main.tf +++ b/examples/secrets_encryption/main.tf @@ -36,7 +36,7 @@ provider "kubernetes" { cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data) token = data.aws_eks_cluster_auth.cluster.token load_config_file = false - version = "1.10" + version = "~> 1.11" } data "aws_availability_zones" "available" { diff --git a/examples/spot_instances/main.tf b/examples/spot_instances/main.tf index cfac972f57..5d6b5eee5c 100644 --- a/examples/spot_instances/main.tf +++ b/examples/spot_instances/main.tf @@ -36,7 +36,7 @@ provider "kubernetes" { cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data) token = data.aws_eks_cluster_auth.cluster.token load_config_file = false - version = "1.10" + version = "~> 1.11" } data "aws_availability_zones" "available" { diff --git a/versions.tf b/versions.tf index f73abd331e..fd052bbe15 100644 --- a/versions.tf +++ b/versions.tf @@ -7,6 +7,6 @@ terraform { null = ">= 2.1" template = ">= 2.1" random = ">= 2.1" - kubernetes = ">= 1.6.2" + kubernetes = ">= 1.11.1" } } From d75e493e27399c0ba39a370a62eeb2adf24bf18c Mon Sep 17 00:00:00 2001 From: betajobot Date: Wed, 18 Mar 2020 21:34:12 +0100 Subject: [PATCH 37/47] [ci skip] Create "LICENSE". --- LICENSE | 26 +++++++++----------------- 1 file changed, 9 insertions(+), 17 deletions(-) diff --git a/LICENSE b/LICENSE index ab6dbd68ad..51fca54c2a 100644 --- a/LICENSE +++ b/LICENSE 
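Review bot: the six example hunks pin `version = "~> 1.11"`, which still admits kubernetes provider 1.11.0, while the versions.tf hunk and the README table row `| kubernetes | >= 1.11.1 |` require 1.11.1; Terraform intersects the two constraints so `init` resolves, but `~> 1.11.1` in the examples would state the module's real floor and stop the two files disagreeing. Since the commit is marked BREAKING CHANGE, the body should also name the provider fix that makes 1.11.1 necessary, so users hitting a failed `init` on `version = "1.10"` know why they must move.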
@@ -1,19 +1,11 @@ -Copyright (c) 2018 Brandon O'Connor - Run at Scale +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: + http://www.apache.org/licenses/LICENSE-2.0 -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. From b135f920a1b14e71c3ff21b4713ba1d2a0f673d1 Mon Sep 17 00:00:00 2001 From: betajobot Date: Wed, 18 Mar 2020 21:34:12 +0100 Subject: [PATCH 38/47] [ci skip] Create ".editorconfig". --- .editorconfig | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 .editorconfig 
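Review bot: the LICENSE hunk replaces the MIT text with only the Apache-2.0 notice header, not the licence text itself, and drops the copyright line ("Copyright (c) 2018 Brandon O'Connor - Run at Scale"); a LICENSE file needs the full Apache License 2.0 text plus a copyright notice. The README hunk-header context elsewhere in this series still reads "MIT Licensed. See [LICENSE]", so either the relicensing or the README is wrong, and a relicensing of contributed code normally needs the copyright holders' sign-off recorded in the PR rather than a `[ci skip]` bot commit.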
diff --git a/.editorconfig b/.editorconfig new file mode 100644 index 0000000000..88cb251903 --- /dev/null +++ b/.editorconfig @@ -0,0 +1,30 @@ +# EditorConfig is awesome: http://EditorConfig.org +# Uses editorconfig to maintain consistent coding styles + +# top-most EditorConfig file +root = true + +# Unix-style newlines with a newline ending every file +[*] +charset = utf-8 +end_of_line = lf +indent_size = 2 +indent_style = space +insert_final_newline = true +max_line_length = 80 +trim_trailing_whitespace = true + +[*.{tf,tfvars}] +indent_size = 2 +indent_style = space + +[*.md] +max_line_length = 0 +trim_trailing_whitespace = false + +[Makefile] +tab_width = 2 +indent_style = tab + +[COMMIT_EDITMSG] +max_line_length = 0 From 0c23191cd374ac4868f77cd1c8906b31ab2ee36f Mon Sep 17 00:00:00 2001 From: Betajobot <28572351+betajobot@users.noreply.github.com> Date: Wed, 18 Mar 2020 21:56:21 +0100 Subject: [PATCH 39/47] skip changelog - Removed some files (#811) --- .prettierignore | 1 - CODE_OF_CONDUCT.md | 46 ---------------------------------------------- 2 files changed, 47 deletions(-) delete mode 100644 .prettierignore delete mode 100644 CODE_OF_CONDUCT.md diff --git a/.prettierignore b/.prettierignore deleted file mode 100644 index 08ce6f3485..0000000000 --- a/.prettierignore +++ /dev/null @@ -1 +0,0 @@ -**/*.* diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md deleted file mode 100644 index 7730bca7f3..0000000000 --- a/CODE_OF_CONDUCT.md +++ /dev/null 
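Review bot: in the new .editorconfig, the `[*.{tf,tfvars}]` section repeats the `indent_size = 2` / `indent_style = space` already set under `[*]` and can be dropped; conversely `max_line_length = 80` under `[*]` applies to `.tf` files, which `terraform fmt` never wraps (the local.tf hunk later in this series adds comment lines far past 80 columns), so either exempt `*.tf` from `max_line_length` as `*.md` already is or accept that editors will flag the module's own code.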
@@ -1,46 +0,0 @@ -# Contributor Covenant Code of Conduct - -## Our Pledge - -In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation. - -## Our Standards - -Examples of behavior that contributes to creating a positive environment include: - -- Using welcoming and inclusive language -- Being respectful of differing viewpoints and experiences -- Gracefully accepting constructive criticism -- Focusing on what is best for the community -- Showing empathy towards other community members - -Examples of unacceptable behavior by participants include: - -- The use of sexualized language or imagery and unwelcome sexual attention or advances -- Trolling, insulting/derogatory comments, and personal or political attacks -- Public or private harassment -- Publishing others' private information, such as a physical or electronic address, without explicit permission -- Other conduct which could reasonably be considered inappropriate in a professional setting - -## Our Responsibilities - -Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior. - -Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful. 
- -## Scope - -This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers. - -## Enforcement - -Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at brandon@atscale.run. The project team will review and investigate all complaints, and will respond in a way that it deems appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately. - -Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership. - -## Attribution - -This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at [http://contributor-covenant.org/version/1/4][version] - -[homepage]: http://contributor-covenant.org -[version]: http://contributor-covenant.org/version/1/4/ From 9951c87a86b02e0f61a4d1560ad2e6e9596000ed Mon Sep 17 00:00:00 2001 From: slimm609 Date: Thu, 19 Mar 2020 11:22:22 -0400 Subject: [PATCH 40/47] fix: add ip address when manage_aws_auth is true and public_access is false (#745) --- README.md | 1 + cluster.tf | 12 ++++++++++++ variables.tf | 6 ++++++ 3 files changed, 19 insertions(+) diff --git a/README.md b/README.md index a5ee7f8d14..1db97d7ec4 100644 --- a/README.md +++ b/README.md 
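Review bot: deleting CODE_OF_CONDUCT.md removes the reporting contact (brandon@atscale.run) without the commit saying where the policy went; if it was moved under `.github/` (the README link fix later in this series points CONTRIBUTING.md there), state that in the commit body so the deletion is not read as dropping the code of conduct. The `.prettierignore` removal is fine: its single pattern `**/*.*` ignored everything, so the file was doing nothing.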
@@ -146,6 +146,7 @@ MIT Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-a | cluster\_enabled\_log\_types | A list of the desired control plane logging to enable. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html) | `list(string)` | `[]` | no | | cluster\_encryption\_config | Configuration block with encryption configuration for the cluster. See examples/secrets\_encryption/main.tf for example format |
list(object({
provider_key_arn = string
resources = list(string)
}))
| `[]` | no | | cluster\_endpoint\_private\_access | Indicates whether or not the Amazon EKS private API server endpoint is enabled. | `bool` | `false` | no | +| cluster\_endpoint\_private\_access\_cidrs | List of CIDR blocks which can access the Amazon EKS private API server endpoint, when public access is disabled | `list(string)` |
[
"0.0.0.0/0"
]
| no | | cluster\_endpoint\_public\_access | Indicates whether or not the Amazon EKS public API server endpoint is enabled. | `bool` | `true` | no | | cluster\_endpoint\_public\_access\_cidrs | List of CIDR blocks which can access the Amazon EKS public API server endpoint. | `list(string)` |
[
"0.0.0.0/0"
]
| no | | cluster\_iam\_role\_name | IAM role name for the cluster. Only applicable if manage\_cluster\_iam\_resources is set to false. | `string` | `""` | no | diff --git a/cluster.tf b/cluster.tf index c5be4b657a..cd5e6cd5c7 100644 --- a/cluster.tf +++ b/cluster.tf @@ -45,6 +45,18 @@ resource "aws_eks_cluster" "this" { ] } +resource "aws_security_group_rule" "cluster_private_access" { + count = var.create_eks && var.manage_aws_auth && var.cluster_endpoint_private_access && var.cluster_endpoint_public_access == false ? 1 : 0 + type = "ingress" + from_port = 443 + to_port = 443 + protocol = "tcp" + cidr_blocks = var.cluster_endpoint_private_access_cidrs + + security_group_id = aws_eks_cluster.this[0].vpc_config[0].cluster_security_group_id +} + + resource "null_resource" "wait_for_cluster" { count = var.create_eks && var.manage_aws_auth ? 1 : 0 diff --git a/variables.tf b/variables.tf index c77bdcd479..2bd5c6eff3 100644 --- a/variables.tf +++ b/variables.tf @@ -234,6 +234,12 @@ variable "iam_path" { default = "/" } +variable "cluster_endpoint_private_access_cidrs" { + description = "List of CIDR blocks which can access the Amazon EKS private API server endpoint, when public access is disabled" + type = list(string) + default = ["0.0.0.0/0"] +} + variable "cluster_endpoint_private_access" { description = "Indicates whether or not the Amazon EKS private API server endpoint is enabled." type = bool From e768c6c1038b8545fa7f4746dc6f04422783fee5 Mon Sep 17 00:00:00 2001 From: "Thierno IB. BARRY" Date: Thu, 19 Mar 2020 21:43:20 +0100 Subject: [PATCH 41/47] ci: Restrict sementic PR to validate PR title only (#804) --- .github/semantic.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/.github/semantic.yml b/.github/semantic.yml index e0c83c7166..d8a21f9f41 100644 --- a/.github/semantic.yml +++ b/.github/semantic.yml 
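Review bot: in the cluster.tf hunk, `aws_security_group_rule.cluster_private_access` opens TCP/443 on the EKS-created cluster security group (`vpc_config[0].cluster_security_group_id`) to `var.cluster_endpoint_private_access_cidrs`, whose default in the variables.tf hunk is `["0.0.0.0/0"]`. That security group is the one EKS attaches to the control-plane ENIs and to managed node groups, so the default adds a world-open 443 ingress to the nodes as well as the API endpoint; the private endpoint only has VPC-routable addresses, but the rule is still far broader than the Terraform runner needs. Prefer no default (require the caller to list the runner's CIDRs) or derive the VPC CIDR, and say in the variable description that the rule is created only when `manage_aws_auth = true`, `cluster_endpoint_private_access = true` and `cluster_endpoint_public_access = false`, since that coupling is currently visible only in the `count` expression. Style: `var.cluster_endpoint_public_access == false` reads better as `!var.cluster_endpoint_public_access`.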
@@ -1,3 +1,17 @@ +# Always validate the PR title, and ignore the commits +titleOnly: true + +# Always validate all commits, and ignore the PR title +commitsOnly: false + +# Always validate the PR title AND all the commits +titleAndCommits: false + +# Require at least one commit to be valid +# this is only relevant when using commitsOnly: true or titleAndCommits: true, +# which validate all commits by default +anyCommit: false + # By default types specified in commitizen/conventional-commit-types is used. # See: https://github.com/commitizen/conventional-commit-types/blob/v2.3.0/index.json # You can override the valid types @@ -12,3 +26,7 @@ types: - chore - skip changelog - skip ci + +# Allow use of Merge commits (eg on github: "Merge branch 'master' into feature/ride-unicorns") +# this is only relevant when using commitsOnly: true (or titleAndCommits: true) +allowMergeCommits: false From de1419b597f6db444146535a633b0e7a945bcd3d Mon Sep 17 00:00:00 2001 From: Viacheslav Vasilyev Date: Fri, 20 Mar 2020 22:34:33 +0200 Subject: [PATCH 42/47] feat: Add interpreter option to `wait_for_cluster_cmd` (#795) Co-authored-by: Vasilyev, Viacheslav Co-authored-by: Thierno IB. BARRY --- README.md | 1 + cluster.tf | 3 ++- variables.tf | 6 ++++++ 3 files changed, 9 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 1db97d7ec4..e978504e61 100644 --- a/README.md +++ b/README.md 
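Review bot: the comments copied in above `commitsOnly: false` and `titleAndCommits: false` ("Always validate all commits, and ignore the PR title", "Always validate the PR title AND all the commits") describe each option as if it were enabled and contradict the values set; either trim the file to the one mode in use (`titleOnly: true`) or reword them as descriptions of what each flag would do. As the comments themselves note, `anyCommit` and `allowMergeCommits` are inert unless `commitsOnly` or `titleAndCommits` is on, so they can go too.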
@@ -178,6 +178,7 @@ MIT Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-a | tags | A map of tags to add to all resources. | `map(string)` | `{}` | no | | vpc\_id | VPC where the cluster and workers will be deployed. | `string` | n/a | yes | | wait\_for\_cluster\_cmd | Custom local-exec command to execute for determining if the eks cluster is healthy. Cluster endpoint will be available as an environment variable called ENDPOINT | `string` | `"for i in `seq 1 60`; do wget --no-check-certificate -O - -q $ENDPOINT/healthz \u003e/dev/null \u0026\u0026 exit 0 \|\| true; sleep 5; done; echo TIMEOUT \u0026\u0026 exit 1"` | no | +| wait\_for\_cluster\_interpreter | Custom local-exec command line interpreter for the command to determining if the eks cluster is healthy. | `list(string)` |
[
"/bin/sh",
"-c"
]
| no | | worker\_additional\_security\_group\_ids | A list of additional security group ids to attach to worker instances | `list(string)` | `[]` | no | | worker\_ami\_name\_filter | Name filter for AWS EKS worker AMI. If not provided, the latest official AMI for the specified 'cluster\_version' is used. | `string` | `""` | no | | worker\_ami\_name\_filter\_windows | Name filter for AWS EKS Windows worker AMI. If not provided, the latest official AMI for the specified 'cluster\_version' is used. | `string` | `""` | no | diff --git a/cluster.tf b/cluster.tf index cd5e6cd5c7..b3897c2246 100644 --- a/cluster.tf +++ b/cluster.tf @@ -65,7 +65,8 @@ resource "null_resource" "wait_for_cluster" { ] provisioner "local-exec" { - command = var.wait_for_cluster_cmd + command = var.wait_for_cluster_cmd + interpreter = var.wait_for_cluster_interpreter environment = { ENDPOINT = aws_eks_cluster.this[0].endpoint } diff --git a/variables.tf b/variables.tf index 2bd5c6eff3..3d6f8fabd2 100644 --- a/variables.tf +++ b/variables.tf @@ -204,6 +204,12 @@ variable "wait_for_cluster_cmd" { default = "for i in `seq 1 60`; do wget --no-check-certificate -O - -q $ENDPOINT/healthz >/dev/null && exit 0 || true; sleep 5; done; echo TIMEOUT && exit 1" } +variable "wait_for_cluster_interpreter" { + description = "Custom local-exec command line interpreter for the command to determining if the eks cluster is healthy." + type = list(string) + default = ["/bin/sh", "-c"] +} + variable "cluster_create_security_group" { description = "Whether to create a security group for the cluster or attach the cluster to `cluster_security_group_id`." type = bool From 49b0667cd91e15f7c98dba67ad7e5aa5a6f54b5d Mon Sep 17 00:00:00 2001 From: "Sam \"Bo\" Beckwith III" Date: Tue, 24 Mar 2020 17:19:41 -0500 Subject: [PATCH 43/47] fix: Fix destroy failure when talking to EKS endpoint on private network (#815) --- cluster.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
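Review bot: the new `wait_for_cluster_interpreter`, like `wait_for_cluster_cmd`, is executed by `local-exec` on the machine running Terraform, so both variables are arbitrary-command inputs; the description should say so explicitly so nobody wires them to values from an untrusted `tfvars` source, and the README row should note they only take effect when `manage_aws_auth = true` (the `null_resource` `count` in the surrounding context). Grammar in the new description: "command to determining if" should read "command that determines whether". Context line worth a follow-up: the default command still probes `$ENDPOINT/healthz` with `wget --no-check-certificate`; tolerable for a readiness poll, but passing the cluster CA (`--ca-certificate` fed from `certificate_authority`) would avoid shipping TLS verification off by default.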
diff --git a/cluster.tf b/cluster.tf index b3897c2246..55a1747cfe 100644 --- a/cluster.tf +++ b/cluster.tf @@ -61,7 +61,8 @@ resource "null_resource" "wait_for_cluster" { count = var.create_eks && var.manage_aws_auth ? 1 : 0 depends_on = [ - aws_eks_cluster.this[0] + aws_eks_cluster.this[0], + aws_security_group_rule.cluster_private_access, ] provisioner "local-exec" { From de00694a6323389a42f20240de5b3bf4775059d7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jaime=20Hidalgo=20Garc=C3=ADa?= Date: Tue, 24 Mar 2020 17:28:59 -0500 Subject: [PATCH 44/47] feat: Add support for additional volumes in launch templates and launch configurations (#800) Co-authored-by: Jaime Hidalgo Co-authored-by: Thierno IB. BARRY --- local.tf | 1 + workers.tf | 30 ++++++++++++++++++++++++++++++ workers_launch_template.tf | 37 +++++++++++++++++++++++++++++++++++++ 3 files changed, 68 insertions(+) diff --git a/local.tf b/local.tf index 704b5cdcb2..4ea1b72ffb 100644 --- a/local.tf +++ b/local.tf @@ -64,6 +64,7 @@ locals { service_linked_role_arn = "" # Arn of custom service linked role that Auto Scaling group will use. Useful when you have encrypted EBS termination_policies = [] # A list of policies to decide how the instances in the auto scale group should be terminated. platform = "linux" # Platform of workers. either "linux" or "windows" + additional_ebs_volumes = [] # A list of additional volumes to be attached to the instances on this Auto Scaling group. Each volume should be an object with the following: block_device_name (required), volume_size, volume_type, iops, encrypted, kms_key_id (only on launch-template), delete_on_termination. Optional values are grabbed from root volume or from defaults # Settings for launch templates root_block_device_name = data.aws_ami.eks_worker.root_device_name # Root device name for workers. If non is provided, will assume default AMI was used. root_kms_key_id = "" # The KMS key to use when encrypting the root storage device 
diff --git a/workers.tf b/workers.tf index ce2b27c601..2eed088c4f 100644 --- a/workers.tf +++ b/workers.tf @@ -223,6 +223,36 @@ resource "aws_launch_configuration" "workers" { delete_on_termination = true } + dynamic "ebs_block_device" { + for_each = lookup(var.worker_groups[count.index], "additional_ebs_volumes", local.workers_group_defaults["additional_ebs_volumes"]) + + content { + device_name = ebs_block_device.value.block_device_name + volume_size = lookup( + ebs_block_device.value, + "volume_size", + local.workers_group_defaults["root_volume_size"], + ) + volume_type = lookup( + ebs_block_device.value, + "volume_type", + local.workers_group_defaults["root_volume_type"], + ) + iops = lookup( + ebs_block_device.value, + "iops", + local.workers_group_defaults["root_iops"], + ) + encrypted = lookup( + ebs_block_device.value, + "encrypted", + local.workers_group_defaults["root_encrypted"], + ) + delete_on_termination = lookup(ebs_block_device.value, "delete_on_termination", true) + } + + } + lifecycle { create_before_destroy = true } diff --git a/workers_launch_template.tf b/workers_launch_template.tf index 52ec738588..4eea118167 100644 --- a/workers_launch_template.tf +++ b/workers_launch_template.tf 
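Review bot: in the `ebs_block_device` hunk, `iops` is always passed, falling back to `root_iops`, regardless of the volume's `volume_type`; EC2 only accepts `iops` for provisioned-IOPS (`io1`) volumes, so either gate it on `volume_type` (`... == "io1" ? iops : null`) or confirm the provider omits a zero value before merging. `encrypted` silently inherits `root_encrypted`, so an operator adding a data volume gets whatever the root disk has; for new data volumes I would default `encrypted` to `true` and say so in the `additional_ebs_volumes` comment in the local.tf hunk. The launch-configuration form has no `kms_key_id`, matching the "(only on launch-template)" caveat in that comment, which means encrypted volumes here use the account default EBS key; worth stating in the docs.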
@@ -351,6 +351,43 @@ resource "aws_launch_template" "workers_launch_template" { } } + dynamic "block_device_mappings" { + for_each = lookup(var.worker_groups_launch_template[count.index], "additional_ebs_volumes", local.workers_group_defaults["additional_ebs_volumes"]) + content { + device_name = block_device_mappings.value.block_device_name + + ebs { + volume_size = lookup( + block_device_mappings.value, + "volume_size", + local.workers_group_defaults["root_volume_size"], + ) + volume_type = lookup( + block_device_mappings.value, + "volume_type", + local.workers_group_defaults["root_volume_type"], + ) + iops = lookup( + block_device_mappings.value, + "iops", + local.workers_group_defaults["root_iops"], + ) + encrypted = lookup( + block_device_mappings.value, + "encrypted", + local.workers_group_defaults["root_encrypted"], + ) + kms_key_id = lookup( + block_device_mappings.value, + "kms_key_id", + local.workers_group_defaults["root_kms_key_id"], + ) + delete_on_termination = lookup(block_device_mappings.value, "delete_on_termination", true) + } + } + + } + tag_specifications { resource_type = "volume" From 4cc57532846290d66b700a4c68d3ffd5364ee884 Mon Sep 17 00:00:00 2001 From: Albert Lloveras Date: Tue, 31 Mar 2020 01:09:41 +1100 Subject: [PATCH 45/47] improvement: Use `aws_partition` to build IAM policy ARNs (#820) * Use aws_partition to build IAM policy ARNs * Update broken link to CONTRIBUTING.md in README.md --- README.md | 2 +- data.tf | 2 +- local.tf | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index e978504e61..8363392e9b 100644 --- a/README.md +++ b/README.md 
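Review bot: in the `block_device_mappings` hunk, `kms_key_id` falls back to `root_kms_key_id` even when `encrypted` resolves to `false`; a non-empty key with `encrypted = false` is rejected by EC2, so tie the key to the flag (`encrypted ? kms_key_id : null`) or document that anyone setting `root_kms_key_id` must also keep `root_encrypted` on. Same `iops`-without-`volume_type` concern as the launch-configuration hunk. `delete_on_termination` defaulting to `true` is right for stateless nodes but will surprise anyone attaching a volume for persistent data; the `additional_ebs_volumes` comment in local.tf should call it out.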
@@ -106,7 +106,7 @@ And install `terraform-docs` with `go get github.com/segmentio/terraform-docs` o Report issues/questions/feature requests on in the [issues](https://github.com/terraform-aws-modules/terraform-aws-eks/issues/new) section. -Full contributing [guidelines are covered here](https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/CONTRIBUTING.md). +Full contributing [guidelines are covered here](https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/.github/CONTRIBUTING.md). ## Change log diff --git a/data.tf b/data.tf index d945c52833..7e1aa918b4 100644 --- a/data.tf +++ b/data.tf @@ -222,4 +222,4 @@ data "aws_iam_instance_profile" "custom_worker_group_launch_template_iam_instanc ) } -data "aws_region" "current" {} +data "aws_partition" "current" {} diff --git a/local.tf b/local.tf index 4ea1b72ffb..658290b06e 100644 --- a/local.tf +++ b/local.tf @@ -22,7 +22,7 @@ locals { default_ami_id_linux = coalesce(local.workers_group_defaults.ami_id, data.aws_ami.eks_worker.id) default_ami_id_windows = coalesce(local.workers_group_defaults.ami_id_windows, data.aws_ami.eks_worker_windows.id) - policy_arn_prefix = contains(["cn-northwest-1", "cn-north-1"], data.aws_region.current.name) ? "arn:aws-cn:iam::aws:policy" : "arn:aws:iam::aws:policy" + policy_arn_prefix = "arn:${data.aws_partition.current.partition}:iam::aws:policy" workers_group_defaults_defaults = { name = "count.index" # Name of the worker group. Literal count.index will never be used but if name is not set, the count.index interpolation will be used. tags = [] # A list of map defining extra tags to be applied to the worker group autoscaling group. From c8195c53481e858b854e745258e9db14ae52f54d Mon Sep 17 00:00:00 2001 From: Ilya Nemakov Date: Mon, 30 Mar 2020 19:27:56 +0300 Subject: [PATCH 46/47] feat: Add instance tag specifications to Launch Template (#822) --- workers_launch_template.tf | 15 +++++++++++++++ 1 file changed, 15 insertions(+) 
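Review bot: the data.tf hunk deletes `data "aws_region" "current"` entirely while this diff updates only the `policy_arn_prefix` use; grep for any remaining `data.aws_region.current` references (user-data templates and endpoint interpolations are the usual places) before merging, or `plan` will fail on the first one. The substitution itself is an improvement: `arn:${data.aws_partition.current.partition}:iam::aws:policy` also covers `aws-us-gov`, which the old `cn-northwest-1` / `cn-north-1` region check did not.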
diff --git a/workers_launch_template.tf b/workers_launch_template.tf index 4eea118167..947bd19a6d 100644 --- a/workers_launch_template.tf +++ b/workers_launch_template.tf @@ -403,6 +403,21 @@ resource "aws_launch_template" "workers_launch_template" { ) } + tag_specifications { + resource_type = "instance" + + tags = merge( + { + "Name" = "${aws_eks_cluster.this[0].name}-${lookup( + var.worker_groups_launch_template[count.index], + "name", + count.index, + )}-eks_asg" + }, + var.tags, + ) + } + tags = var.tags lifecycle { From eaa4d2c697e78a3e65d1f877ba46a39c1daa5f2f Mon Sep 17 00:00:00 2001 From: "Thierno IB. BARRY" Date: Tue, 31 Mar 2020 00:53:35 +0200 Subject: [PATCH 47/47] skip changelog: Prepare for release 11.0.0 (#819) --- .chglog/config.yml | 2 +- CHANGELOG.md | 43 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 44 insertions(+), 1 deletion(-) create mode 100644 CHANGELOG.md diff --git a/.chglog/config.yml b/.chglog/config.yml index 4e569d466c..16a95bc100 100644 --- a/.chglog/config.yml +++ b/.chglog/config.yml @@ -4,7 +4,6 @@ info: title: CHANGELOG repository_url: https://github.com/terraform-aws-modules/terraform-aws-eks options: - commits: sort_by: Type filters: @@ -20,6 +19,7 @@ options: commit_groups: group_by: Type + sort_by: Type title_maps: feat: FEATURES fix: BUG FIXES diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000000..b5511b9e54 --- /dev/null +++ b/CHANGELOG.md 
@@ -0,0 +1,43 @@ +# Change Log + +All notable changes to this project will be documented in this file. + +The format is based on [Keep a Changelog](http://keepachangelog.com/) and this +project adheres to [Semantic Versioning](http://semver.org/). + + +## [Unreleased] + + + + +## [v11.0.0] - 2020-03-31 +FEATURES: +- Add instance tag specifications to Launch Template ([#822](https://github.com/terraform-aws-modules/terraform-aws-eks/issues/822)) +- Add support for additional volumes in launch templates and launch configurations ([#800](https://github.com/terraform-aws-modules/terraform-aws-eks/issues/800)) +- Add interpreter option to `wait_for_cluster_cmd` ([#795](https://github.com/terraform-aws-modules/terraform-aws-eks/issues/795)) + +ENHANCEMENTS: +- Use `aws_partition` to build IAM policy ARNs ([#820](https://github.com/terraform-aws-modules/terraform-aws-eks/issues/820)) +- Generate `aws-auth` configmap's roles from Object. No more string concat. ([#790](https://github.com/terraform-aws-modules/terraform-aws-eks/issues/790)) +- Add timeout to default wait_for_cluster_cmd ([#791](https://github.com/terraform-aws-modules/terraform-aws-eks/issues/791)) +- automate changelog management ([#786](https://github.com/terraform-aws-modules/terraform-aws-eks/issues/786)) + +BUG FIXES: +- Fix destroy failure when talking to EKS endpoint on private network ([#815](https://github.com/terraform-aws-modules/terraform-aws-eks/issues/815)) +- add ip address when manage_aws_auth is true and public_access is false ([#745](https://github.com/terraform-aws-modules/terraform-aws-eks/issues/745)) +- Add node_group direct dependency on eks_cluster ([#796](https://github.com/terraform-aws-modules/terraform-aws-eks/issues/796)) +- Do not recreate cluster when no SG given ([#798](https://github.com/terraform-aws-modules/terraform-aws-eks/issues/798)) +- Create `false` and avoid waiting forever for a non-existent cluster to respond 
([#789](https://github.com/terraform-aws-modules/terraform-aws-eks/issues/789)) +- fix git-chglog template to format changelog `Type` nicely ([#803](https://github.com/terraform-aws-modules/terraform-aws-eks/issues/803)) +- fix git-chglog configuration ([#802](https://github.com/terraform-aws-modules/terraform-aws-eks/issues/802)) + +CI: +- Restrict sementic PR to validate PR title only ([#804](https://github.com/terraform-aws-modules/terraform-aws-eks/issues/804)) + +TESTS: +- remove unused kitchen test related stuff ([#787](https://github.com/terraform-aws-modules/terraform-aws-eks/issues/787)) + + +[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v11.0.0...HEAD +[v11.0.0]: https://github.com/terraform-aws-modules/terraform-aws-eks/compare/v10.0.0...v11.0.0
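Review bot: the generated v11.0.0 section has no entry for #784 ("Require kubernetes provider >=1.11.1"), the one commit in this series carrying a BREAKING CHANGE trailer; its subject uses a capitalised `Improvement:` type, which the lower-case type filter will not match (compare #820's `improvement:`, which did land under ENHANCEMENTS). Add it by hand under a BREAKING CHANGES heading before tagging, since a major bump whose changelog lists no breaking change tells users nothing about why `init` starts failing on `version = "1.10"`. Minor: `sementic` in the CI entry is inherited from the PR title, so fix the title too if the release is regenerated.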