siddharthbarhate · siddharthbarhate · May 10, 2023 · May 12, 2023 · May 25, 2023
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -0,0 +1,29 @@
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.1.0
+    hooks:
+      - id: trailing-whitespace
+        args: ['--markdown-linebreak-ext=md']
+      - id: end-of-file-fixer
+      - id: check-merge-conflict
+      - id: detect-private-key
+      - id: detect-aws-credentials
+        args: ['--allow-missing-credentials']
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.77.0
+    hooks:
+      - id: terraform_fmt
+      - id: terraform_docs
+        args:
+          - '--args=--lockfile=false'
+          - --hook-config=--add-to-existing-file=true
+          - --hook-config=--create-file-if-not-exist=true
+
+      - id: terraform_tflint
+        args:
+          - --args=--config=.tflint.hcl
+      - id: terraform_tfsec
+        files: ^examples/ # only scan `examples/*` which are the implementation
+        args:
+          - --args=--config-file=__GIT_WORKING_DIR__/tfsec.yaml
+          - --args=--concise-output
diff --git a/README.md b/README.md
@@ -0,0 +1,113 @@
+## Terraform EKS Reference
+
+Terraform reference to deploy a production ready EKS cluster. This reference takes care of provisioning a secure VPC network with VPN , deploy an EKS cluster and configure it with required resources,controllers and utilities to start deploying applications.
+
+## Requirements and Prerequisites
+
+1. An AWS account
+2. A system with [Terraform](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli) and [kubectl](https://kubernetes.io/docs/tasks/tools/) installed
+
+This repository contains Terraform configuration files for deploying a set of modules in a specific order. The tfstate module must be deployed first, followed by main module.
+
+## Deploying the tfstate Module
+
+The tfstate module is used for storing the Terraform state file remotely, which is a recommended practice to ensure consistency and collaboration among team members.
+
+To deploy the tfstate module, navigate to the **tfstate** directory and run the following commands:
+
+1. terraform init
+2. terraform plan
+3. terraform apply
+
+Once you have provided the required input, Terraform will create the necessary resources for the tfstate module.
+
+## Deploying the EKS Cluster
+
+After the tfstate module has been deployed, you can deploy the the EKS cluster setup. Creating an EKS cluster involves several steps, including setting up a Virtual Private Cloud (VPC), creating an EKS cluster, configuring an EKS node group, and bootstrapping the cluster.
+
+### VPC
+
+The [squareops/vpc/aws](https://registry.terraform.io/modules/squareops/vpc/aws/latest) module available on the Terraform Registry is designed to create and manage Virtual Private Cloud (VPC) resources in AWS (Amazon Web Services).
+
+The module can be used to create a new VPC along with its associated resources such as Subnets, Route Tables, Security Groups, Network ACL(s) (NACL), and Internet Gateway (IGW). It offers a simplified and standardized way to create VPC infrastructure, while also providing flexibility to customize VPC resources based on specific requirements.
+
+The [squareops/vpc/aws](https://registry.terraform.io/modules/squareops/vpc/aws/latest) module offers a range of configuration options, including the ability to specify CIDR blocks for VPC and subnet ranges, assign names and tags to VPC resources, enable DNS support, and configure NAT gateways. Additionally, the module provides pre-configured modules for creating subnets in different availability zones(AZs), route tables, and security groups.
+
+By using this module, AWS users can save time and effort in setting up VPC infrastructure, and ensure that their VPCs are created in a consistent and reproducible manner. The module is open source and maintained by [SquareOps](https://squareops.com/), a consulting company that specializes in cloud infrastructure and DevOps automation.
+
+### EKS
+
+The [squareops/eks/aws](https://registry.terraform.io/modules/squareops/eks/aws/latest) module available on the Terraform Registry is designed to create and manage an EKS (Elastic Kubernetes Service) cluster in AWS (Amazon Web Services).
+
+The module provides a simplified and standardized way to create and manage the kubernetes control plane and worker nodes in EKS. It automates the process of creating the necessary EKS resources such as security groups, IAM roles and policies, and the EKS cluster itself.
+
+The [squareops/eks/aws](https://registry.terraform.io/modules/squareops/eks/aws/latest) module offers a range of configuration options, such as the ability to specify the number of worker nodes, instance types, and desired capacity. It also provides pre-configured modules for configuring worker node groups with different instance types, adding custom tags.
+
+By using this module, AWS users can set up a kubernetes cluster on EKS in a simple, efficient, and reproducible manner. It also ensures that the EKS cluster is created with the best practices in mind, and that it is secured according to industry standards. The module is open source and maintained by [SquareOps](https://squareops.com/), a consulting company that specializes in cloud infrastructure and DevOps automation.
+
+### EKS-BOOTSTRAP
+
+The [squareops/eks-bootstrap/aws](https://registry.terraform.io/modules/squareops/eks-bootstrap/aws/latest) module available on the Terraform Registry is designed to bootstrap an EKS (Elastic Kubernetes Service) cluster in AWS (Amazon Web Services) with the necessary resources to run a kubernetes workload.
+
+The module provides a simplified and standardized way to create the kubernetes worker nodes in EKS, and to deploy the necessary add-ons and configurations to run kubernetes workloads. It automates the process of creating the necessary EKS resources.
+
+By using this module, AWS users can save time and ensure that their kubernetes workloads are deployed in a consistent and reproducible manner. It also ensures that the EKS cluster is created with the best practices in mind, and that it is secured according to industry standards. The module is open source and maintained by [SquareOps](https://squareops.com/), a consulting company that specializes in cloud infrastructure and DevOps automation.
+
+
+# terraform-eks-reference
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_eks"></a> [eks](#module\_eks) | squareops/eks/aws | 1.0.3 |
+| <a name="module_eks_bootstrap"></a> [eks\_bootstrap](#module\_eks\_bootstrap) | squareops/eks-bootstrap/aws | 1.1.0 |
+| <a name="module_key_pair_eks"></a> [key\_pair\_eks](#module\_key\_pair\_eks) | squareops/keypair/aws | 1.0.2 |
+| <a name="module_key_pair_vpn"></a> [key\_pair\_vpn](#module\_key\_pair\_vpn) | squareops/keypair/aws | 1.0.2 |
+| <a name="module_managed_node_group_production"></a> [managed\_node\_group\_production](#module\_managed\_node\_group\_production) | squareops/eks/aws//modules/managed-nodegroup | 1.0.3 |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | squareops/vpc/aws | 2.1.0 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_eks_cluster.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source |
+| [aws_eks_cluster_auth.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_cluster_endpoint"></a> [cluster\_endpoint](#output\_cluster\_endpoint) | Endpoint for EKS Control Plane |
+| <a name="output_cluster_name"></a> [cluster\_name](#output\_cluster\_name) | EKS Cluster Name |
+| <a name="output_cluster_oidc_issuer_url"></a> [cluster\_oidc\_issuer\_url](#output\_cluster\_oidc\_issuer\_url) | The URL on the EKS cluster for the OpenID Connect identity provider |
+| <a name="output_cluster_security_group_id"></a> [cluster\_security\_group\_id](#output\_cluster\_security\_group\_id) | Security group IDs attached to the cluster control plane |
+| <a name="output_database_subnets"></a> [database\_subnets](#output\_database\_subnets) | List of IDs of Database Subnets |
+| <a name="output_efs_id"></a> [efs\_id](#output\_efs\_id) | The ID of the EFS |
+| <a name="output_intra_subnets"></a> [intra\_subnets](#output\_intra\_subnets) | List of IDs of Intra Subnets |
+| <a name="output_kms_policy_arn"></a> [kms\_policy\_arn](#output\_kms\_policy\_arn) | ARN of KMS policy |
+| <a name="output_nginx_ingress_controller_dns_hostname"></a> [nginx\_ingress\_controller\_dns\_hostname](#output\_nginx\_ingress\_controller\_dns\_hostname) | NGINX Ingress Controller DNS Hostname |
+| <a name="output_private_subnets"></a> [private\_subnets](#output\_private\_subnets) | List of IDs of Private Subnets |
+| <a name="output_public_subnets"></a> [public\_subnets](#output\_public\_subnets) | List of IDs of Public Subnets |
+| <a name="output_vpc_cidr_block"></a> [vpc\_cidr\_block](#output\_vpc\_cidr\_block) | The CIDR block of VPC |
+| <a name="output_vpc_id"></a> [vpc\_id](#output\_vpc\_id) | The ID of the VPC |
+| <a name="output_vpn_host_public_ip"></a> [vpn\_host\_public\_ip](#output\_vpn\_host\_public\_ip) | Public IP Adress of VPN Server |
+| <a name="output_vpn_security_group"></a> [vpn\_security\_group](#output\_vpn\_security\_group) | Security Group ID of VPN Server |
+| <a name="output_worker_iam_role_arn"></a> [worker\_iam\_role\_arn](#output\_worker\_iam\_role\_arn) | ARN of the EKS Worker Role |
+| <a name="output_worker_iam_role_name"></a> [worker\_iam\_role\_name](#output\_worker\_iam\_role\_name) | The name of the EKS Worker IAM role |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/eks.tf b/eks.tf
@@ -12,13 +12,14 @@ module "eks" {
   name                                 = local.name
   vpc_id                               = module.vpc.vpc_id
   environment                          = local.environment
+  cluster_version                      = "1.24"
   kms_key_arn                          = ""
-  cluster_version                      = "1.23"
   cluster_log_types                    = ["api", "scheduler"]
   cluster_log_retention_in_days        = 30
   cluster_endpoint_public_access       = true
   cluster_endpoint_public_access_cidrs = ["0.0.0.0/0"]
 }
+
 data "aws_eks_cluster" "cluster" {
   name = module.eks.cluster_name
 }
@@ -32,18 +33,18 @@ module "managed_node_group_production" {
   version                = "1.0.3"
   depends_on             = [module.vpc, module.eks]
   name                   = "Infra"
+  environment            = local.environment
+  eks_cluster_name       = module.eks.cluster_name
+  eks_nodes_keypair_name = module.key_pair_eks.key_pair_name
+  subnet_ids             = [module.vpc.private_subnets[0]]
+  kms_policy_arn         = module.eks.kms_policy_arn
+  worker_iam_role_name   = module.eks.worker_iam_role_name
   min_size               = 1
   max_size               = 3
   desired_size           = 1
-  subnet_ids             = [module.vpc.private_subnets[0]]
-  environment            = local.environment
-  kms_key_arn            = ""
   capacity_type          = "SPOT"
   instance_types         = ["t3a.large", "t2.large", "t2.xlarge", "t3.large", "m5.large"]
-  kms_policy_arn         = module.eks.kms_policy_arn
-  eks_cluster_name       = module.eks.cluster_name
-  worker_iam_role_name   = module.eks.worker_iam_role_name
-  eks_nodes_keypair_name = module.key_pair_eks.key_pair_name
+  kms_key_arn            = ""
   k8s_labels = {
     "Infra-Services" = "true"
   }
@@ -53,50 +54,50 @@ module "managed_node_group_production" {
 
 
 module "eks_bootstrap" {
-  source                        = "squareops/eks-bootstrap/aws"
-  version                       = "1.1.0"
-  name                          = local.name
-  vpc_id                        = module.vpc.vpc_id
-  environment                   = local.environment
-  kms_key_arn                   = ""
-  keda_enabled                  = true
-  istio_enabled                 = false
-  kms_policy_arn                = module.eks.kms_policy_arn # eks module will create kms_policy_arn
-  eks_cluster_name              = module.eks.cluster_name
-  reloader_enabled              = true
-  karpenter_enabled             = true
-  single_az_sc_config           = [{ name = "infra-service-sc", zone = "us-east-2a" }]
-  cert_manager_enabled          = true
-  worker_iam_role_name          = module.eks.worker_iam_role_name
-  ingress_nginx_enabled         = true
-  metrics_server_enabled        = false
-  external_secrets_enabled      = true
-  amazon_eks_vpc_cni_enabled    = true
-  cluster_autoscaler_enabled    = true
-  service_monitor_crd_enabled   = true
-  karpenter_provisioner_enabled = false
+  source                                        = "squareops/eks-bootstrap/aws"
+  version                                       = "1.1.0"
+  name                                          = local.name
+  environment                                   = local.environment
+  eks_cluster_name                              = module.eks.cluster_name
+  vpc_id                                        = module.vpc.vpc_id
+  kms_key_arn                                   = ""
+  worker_iam_role_name                          = module.eks.worker_iam_role_name
+  kms_policy_arn                                = module.eks.kms_policy_arn # eks module will create kms_policy_arn
+  keda_enabled                                  = true
+  istio_enabled                                 = false
+  reloader_enabled                              = true
+  metrics_server_enabled                        = false
+  external_secrets_enabled                      = true
+  amazon_eks_vpc_cni_enabled                    = true
+  service_monitor_crd_enabled                   = true
+  cert_manager_enabled                          = true
+  cert_manager_letsencrypt_email                = "admin@example.com"
+  cert_manager_install_letsencrypt_http_issuers = true
+  ingress_nginx_enabled                         = true
+  internal_ingress_nginx_enabled                = true
+  efs_storage_class_enabled                     = false
+  single_az_sc_config                           = [{ name = "infra-service-sc", zone = "us-east-2a" }]
+  amazon_eks_aws_ebs_csi_driver_enabled         = true
+  single_az_ebs_gp3_storage_class_enabled       = true
+  cluster_autoscaler_enabled                    = true
+  cluster_propotional_autoscaler_enabled        = true
+  aws_node_termination_handler_enabled          = true
+  karpenter_enabled                             = true
+  karpenter_provisioner_enabled                 = false
   karpenter_provisioner_config = {
     private_subnet_name    = format("%s-%s-private-subnet", local.environment, local.name)
     instance_capacity_type = ["spot"]
     excluded_instance_type = ["nano", "micro", "small"]
   }
-  cert_manager_letsencrypt_email                = "rohit.kumar@squareops.com"
-  internal_ingress_nginx_enabled                = true
-  efs_storage_class_enabled                     = false
-  aws_node_termination_handler_enabled          = true
-  amazon_eks_aws_ebs_csi_driver_enabled         = true
-  cluster_propotional_autoscaler_enabled        = true
-  single_az_ebs_gp3_storage_class_enabled       = true
-  cert_manager_install_letsencrypt_http_issuers = true
-  velero_enabled                                = true
+  velero_enabled = true
   velero_config = {
     namespaces                      = "" # If you want full cluster backup, leave it blank else provide namespace.
-    slack_notification_token        = "4559734786594-qQ8486bluEuvmxrYxRatsM8R"
+    slack_notification_token        = "4559734786594"
     slack_notification_channel_name = "demo-notifications"
     retention_period_in_days        = 45
     schedule_backup_cron_time       = "* 1 * * *"
-    velero_backup_name              = "clusterback"
+    velero_backup_name              = "clusterbackup"
     backup_bucket_name              = "velero-backup"
   }
 
-}  
+}
diff --git a/output.tf b/output.tf
@@ -4,32 +4,32 @@ output "vpc_id" {
 }
 
 output "vpc_cidr_block" {
-  description = "AWS Region"
+  description = "The CIDR block of VPC"
   value       = module.vpc.vpc_cidr_block
 }
 
 output "public_subnets" {
-  description = "List of IDs of public subnets"
+  description = "List of IDs of Public Subnets"
   value       = module.vpc.public_subnets
 }
 
 output "private_subnets" {
-  description = "List of IDs of private subnets"
+  description = "List of IDs of Private Subnets"
   value       = module.vpc.private_subnets
 }
 
 output "database_subnets" {
-  description = "List of IDs of database subnets"
+  description = "List of IDs of Database Subnets"
   value       = module.vpc.database_subnets
 }
 
 output "intra_subnets" {
-  description = "List of IDs of Intra subnets"
+  description = "List of IDs of Intra Subnets"
   value       = module.vpc.intra_subnets
 }
 
 output "vpn_host_public_ip" {
-  description = "IP Adress of VPN Server"
+  description = "Public IP Adress of VPN Server"
   value       = module.vpc.vpn_host_public_ip
 }
 
@@ -39,25 +39,20 @@ output "vpn_security_group" {
 }
 
 output "cluster_name" {
-  description = "Kubernetes Cluster Name"
+  description = "EKS Cluster Name"
   value       = module.eks.cluster_name
 }
 
 output "cluster_endpoint" {
-  description = "Endpoint for EKS control plane"
+  description = "Endpoint for EKS Control Plane"
   value       = module.eks.cluster_endpoint
 }
 
 output "cluster_security_group_id" {
-  description = "Security group ids attached to the cluster control plane"
+  description = "Security group IDs attached to the cluster control plane"
   value       = module.eks.cluster_security_group_id
 }
 
-output "cluster_arn" {
-  description = "Name of the kubeconfig context"
-  value       = module.eks.cluster_arn
-}
-
 output "cluster_oidc_issuer_url" {
   description = "The URL on the EKS cluster for the OpenID Connect identity provider"
   value       = module.eks.cluster_oidc_issuer_url
@@ -83,12 +78,7 @@ output "nginx_ingress_controller_dns_hostname" {
   value       = module.eks_bootstrap.nginx_ingress_controller_dns_hostname
 }
 
-output "ebs_encryption" {
-  description = "Is AWS EBS encryption is enabled or not?"
-  value       = "Encrypted by default"
-}
-
 output "efs_id" {
   value       = module.eks_bootstrap.efs_id
-  description = "EFS ID"
-}
+  description = "The ID of the EFS"
+}