From cc14d196318d4fe9601e914462f5ae1c8f7f0350 Mon Sep 17 00:00:00 2001
From: Poh Peng Ric Wang <7760361+thepoppingone@users.noreply.github.com>
Date: Fri, 23 Jun 2023 19:09:39 +0800
Subject: [PATCH] Refactor fargate profile to only create securitygrouppolicy optionally, and create it part of fargate EKS cluster deployment (#72)
* Refactor fargate profile to only create securitygrouppolicy optionally, and create it part of fargate EKS cluster deployment
* Add correct var type
* add toset
* Set variable type to list of strings
* Add fix for fargate logger error
* Add default name for fargate logging policly
---------
Co-authored-by: Poh Peng
---
 README.md | 5 +++
 fargate_profile.tf | 59 ++++++++++++++++++++++++++--
 modules/fargate_profile/README.md | 2 +-
 modules/fargate_profile/main.tf | 3 +-
 modules/fargate_profile/variables.tf | 3 +-
 5 files changed, 65 insertions(+), 7 deletions(-)
diff --git a/README.md b/README.md
index 33926b6f..6a72e4f9 100644
--- a/README.md
+++ b/README.md
@@ -224,6 +224,7 @@ module "karpenter" {
 | Name | Type |
 |------|------|
+| [aws_iam_policy.fargate_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.workers](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy.ebs_csi_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
@@ -231,11 +232,13 @@ module "karpenter" {
 | [aws_iam_role_policy_attachment.workers](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_service_linked_role.autoscaling](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_service_linked_role) | resource |
 | [kubernetes_config_map_v1.amazon_vpc_cni](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map_v1) | resource |
+| [kubernetes_manifest.fargate_node_security_group_policy](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
 | [aws_ami.eks_default_bottlerocket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
 | [aws_arn.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.ec2_assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.eks_assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.fargate_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.kms_csi_ebs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.kms_ebs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
@@ -309,7 +312,9 @@ module "karpenter" {
 | [cluster\_iam\_role\_name](#output\_cluster\_iam\_role\_name) | IAM Role Name used by Cluster |
 | [cluster\_name](#output\_cluster\_name) | EKS Cluster name created |
 | [cluster\_oidc\_issuer\_url](#output\_cluster\_oidc\_issuer\_url) | The URL on the EKS cluster for the OpenID Connect identity provider |
+| [cluster\_platform\_version](#output\_cluster\_platform\_version) | Platform version of the EKS Cluster |
 | [cluster\_security\_group\_id](#output\_cluster\_security\_group\_id) | Security Group ID of the master nodes |
+| [cluster\_version](#output\_cluster\_version) | Version of the EKS Cluster |
 | [ebs\_kms\_key\_arn](#output\_ebs\_kms\_key\_arn) | KMS Key ARN used for EBS encryption |
 | [ebs\_kms\_key\_id](#output\_ebs\_kms\_key\_id) | KMS Key ID used for EBS encryption |
 | [fargate\_namespaces\_for\_security\_group](#output\_fargate\_namespaces\_for\_security\_group) | value for fargate\_namespaces\_for\_security\_group |
diff --git a/fargate_profile.tf b/fargate_profile.tf
index 2540719b..54591451 100644
--- a/fargate_profile.tf
+++ b/fargate_profile.tf
@@ -8,6 +8,10 @@ locals {
 default_fargate_profiles = merge(
 {
 essentials = {
+ iam_role_name = "fargate_profile_essentials"
+ iam_role_additional_policies = {
+ additional = aws_iam_policy.fargate_logging.arn
+ }
 subnet_ids = var.subnet_ids
 selectors = [
 for ns_value in local.essentials_namespaces : {
@@ -18,6 +22,10 @@ locals {
 },
 {
 for subnet in var.subnet_ids : "kube-system-${substr(data.aws_subnet.subnets[subnet].availability_zone, -2, -1)}" => {
+ iam_role_name = "fargate_profile_${substr(data.aws_subnet.subnets[subnet].availability_zone, -2, -1)}"
+ iam_role_additional_policies = {
+ additional = aws_iam_policy.fargate_logging.arn
+ }
 selectors = [
 { namespace = "kube-system" }
 ]
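Review bot: The `iam_role_name` values added in both `locals` hunks of this file (`"fargate_profile_essentials"` and `"fargate_profile_${substr(...)}"`) are fixed strings, and IAM role names are unique per AWS account, so a second instantiation of this root module in the same account would collide unless the wrapped fargate profile module turns the name into a prefix, which this patch does not show. The `name = "fargate_logging_cloudwatch_default"` on `aws_iam_policy.fargate_logging` in the next hunk has the same problem and, being a direct resource, fails with an EntityAlreadyExists error on the second deployment. Consider deriving both from the cluster name, or for the policy replace the fixed name with `name_prefix = "fargate_logging_cloudwatch_"`. The enclosing `locals` block starts before the first hunk and ends after the second.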
@@ -44,8 +52,53 @@ module "fargate_profiles" { create_aws_observability_ns = var.create_aws_observability_ns create_fargate_logger_configmap = var.create_fargate_logger_configmap - eks_worker_security_group_id = module.eks.node_security_group_id - fargate_namespaces_for_security_group = local.fargate_namespaces - tags = var.tags } + +resource "kubernetes_manifest" "fargate_node_security_group_policy" { + + count = var.fargate_cluster && var.create_node_security_group ? 1 : 0 + + manifest = { + apiVersion = "vpcresources.k8s.aws/v1beta1" + kind = "SecurityGroupPolicy" + metadata = { + name = "fargate-node-default-namespace-sg" + namespace = "kube-system" + } + spec = { + podSelector = { + matchLabels = {} + } + securityGroups = { + groupIds = [module.eks.node_security_group_id] + } + } + } +} + +resource "aws_iam_policy" "fargate_logging" { + name = "fargate_logging_cloudwatch_default" + path = "/" + description = "AWS recommended cloudwatch perms policy" + + policy = data.aws_iam_policy_document.fargate_logging.json +} + +#tfsec:ignore:aws-iam-no-policy-wildcards +data "aws_iam_policy_document" "fargate_logging" { + #checkov:skip=CKV_AWS_111:Restricted to Cloudwatch Actions only + #checkov:skip=CKV_AWS_356: Only logs actions + statement { + sid = "" + effect = "Allow" + resources = ["*"] + + actions = [ + "logs:CreateLogStream", + "logs:CreateLogGroup", + "logs:DescribeLogStreams", + "logs:PutLogEvents", + ] + } +} diff --git a/modules/fargate_profile/README.md b/modules/fargate_profile/README.md index 92114d38..248169b9 100644 --- a/modules/fargate_profile/README.md +++ b/modules/fargate_profile/README.md 
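Review bot: `data.aws_iam_policy_document.fargate_logging` grants the four `logs:` actions on `resources = ["*"]` and suppresses the tfsec and checkov findings rather than scoping the statement; all four actions accept a log-group ARN, so it could be narrowed to the group(s) the Fargate log router writes to, e.g. `resources = ["arn:${data.aws_partition.current.partition}:logs:*:*:log-group:<FARGATE_LOG_GROUP_PREFIX>*"]` (constructed example; the real group name lives in the logger configmap this patch does not show). `kubernetes_manifest.fargate_node_security_group_policy` also needs the `SecurityGroupPolicy` CRD and a reachable API server at plan time and has no explicit `depends_on`, so when the cluster is created in the same apply a `depends_on = [module.eks]` or a comment recording that ordering expectation would help. Finally, `podSelector.matchLabels = {}` attaches the node security group to every Fargate pod in `kube-system`; a one-line comment stating that this is intentional would save the next reader a question. The enclosing `module "fargate_profiles"` block starts before this hunk.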
@@ -92,7 +92,7 @@ module "fargate_profile" {
 | [cluster\_name](#input\_cluster\_name) | EKS Cluster name | `string` | n/a | yes |
 | [create\_aws\_observability\_ns](#input\_create\_aws\_observability\_ns) | value to determine if aws-observability namespace is created | `bool` | `true` | no |
 | [create\_fargate\_logger\_configmap](#input\_create\_fargate\_logger\_configmap) | value to determine if create\_fargate\_logger\_configmap is created | `bool` | `true` | no |
-| [eks\_worker\_security\_group\_id](#input\_eks\_worker\_security\_group\_id) | Security Group ID of the worker nodes | `string` | n/a | yes |
+| [eks\_worker\_security\_group\_id](#input\_eks\_worker\_security\_group\_id) | Security Group ID of the worker nodes | `string` | `""` | no |
 | [fargate\_namespaces\_for\_security\_group](#input\_fargate\_namespaces\_for\_security\_group) | List of fargate namespaces to craete SecurityGroupPolicy for talking to managed nodes | `list(string)` | `[]` | no |
 | [fargate\_profile\_defaults](#input\_fargate\_profile\_defaults) | Map of Fargate Profile default configurations | `any` | `{}` | no |
 | [fargate\_profiles](#input\_fargate\_profiles) | Map of maps of `fargate_profiles` to create | `any` | `{}` | no |
diff --git a/modules/fargate_profile/main.tf b/modules/fargate_profile/main.tf
index 3417979a..ba999ded 100644
--- a/modules/fargate_profile/main.tf
+++ b/modules/fargate_profile/main.tf
@@ -23,8 +23,7 @@ module "fargate_profile" {
 tags = merge(var.tags, lookup(each.value, "tags", {}))
 }
-
-
+## Only used when needed for testing pods running in a namespace which requires access to the managed nodes
 resource "kubernetes_manifest" "sg" {
 for_each = toset(var.fargate_namespaces_for_security_group)
diff --git a/modules/fargate_profile/variables.tf b/modules/fargate_profile/variables.tf
index 524f202c..2dd28000 100644
--- a/modules/fargate_profile/variables.tf
+++ b/modules/fargate_profile/variables.tf
@@ -55,7 +55,7 @@ variable "create_fargate_logger_configmap" {
 ### Fargate Selector Namespaces ##
 ##################################
 variable "fargate_namespaces_for_security_group" {
- description = "List of fargate namespaces to craete SecurityGroupPolicy for talking to managed nodes"
+ description = "List of fargate namespaces to craete SecurityGroupPolicy for talking to managed nodes" # remember to `toset` the list before parsing into this variable
 type = list(string)
 default = []
 }
@@ -63,4 +63,5 @@ variable "fargate_namespaces_for_security_group" {
 variable "eks_worker_security_group_id" {
 description = "Security Group ID of the worker nodes"
 type = string
+ default = ""
 }
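Review bot: The trailing comment added to `fargate_namespaces_for_security_group` (`# remember to `toset` the list before parsing into this variable`) contradicts the declared `type = list(string)` and the `toset(var.fargate_namespaces_for_security_group)` that `modules/fargate_profile/main.tf` already applies in the previous file's hunk; callers should just pass a list, so the comment would be clearer as `# main.tf wraps this in toset(), so duplicate namespaces are collapsed` or dropped, and the same line still carries the `craete` typo from the old description. In the second hunk `default = ""` makes `eks_worker_security_group_id` optional, but presumably `kubernetes_manifest.sg` (its body is outside this patch) still interpolates it, so a non-empty namespace list combined with the empty default would render a SecurityGroupPolicy with an empty group id; a `lifecycle { precondition }` on that resource, or a sentence in this description saying the id is required whenever namespaces are given, would catch that combination.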