diff --git a/.github/workflows/aws-eks-utils-image.yml b/.github/workflows/aws-eks-utils-image.yml index a242a424..7cfc012a 100644 --- a/.github/workflows/aws-eks-utils-image.yml +++ b/.github/workflows/aws-eks-utils-image.yml @@ -1,9 +1,9 @@ -name: 'aws-eks-utils' +name: 'Build docker image aws-eks-utils' on: push: branches: - - 'main' + - main paths: - 'docker/aws-eks-utils/Dockerfile' @@ -13,14 +13,14 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out the repo - uses: actions/checkout@v2 + uses: actions/checkout@v4 - name: Login to DockerHub - uses: docker/login-action@v1 + uses: docker/login-action@v3 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} - name: Build and Push - uses: docker/build-push-action@v2 + uses: docker/build-push-action@v5 with: push: true context: docker/aws-eks-utils/ diff --git a/.github/workflows/terraform-ci.yml b/.github/workflows/terraform-ci.yml index 7c829134..fa052547 100644 --- a/.github/workflows/terraform-ci.yml +++ b/.github/workflows/terraform-ci.yml @@ -17,7 +17,7 @@ jobs: PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v4 - name: Terraform Init l1 working-directory: ./terraform/layer1-aws run: terraform init -backend=false @@ -47,7 +47,7 @@ jobs: PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v4 - name: Terraform Format run: terraform fmt -recursive -write=false -check . working-directory: ./terraform @@ -62,7 +62,7 @@ jobs: PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v4 - name: Terraform tflint l1 working-directory: ./terraform/layer1-aws run: tflint --no-color 
@@ -79,16 +79,16 @@ jobs: options: --user root steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v4 - name: Download init for l1 - uses: actions/download-artifact@v2 + uses: actions/download-artifact@v4 with: name: l1 path: ./terraform/layer1-aws/.terraform - name: tfsec l1 working-directory: ./terraform run: tfsec layer1-aws - - uses: geekyeggo/delete-artifact@v1 + - uses: geekyeggo/delete-artifact@v5 with: name: l1 failOnError: false diff --git a/.github/workflows/terraform-utils-image.yml b/.github/workflows/terraform-utils-image.yml index 14387e64..e0d4ee75 100644 --- a/.github/workflows/terraform-utils-image.yml +++ b/.github/workflows/terraform-utils-image.yml @@ -1,4 +1,4 @@ -name: 'Terraform-utils' +name: 'Build docker image terraform-utils' on: push: @@ -13,14 +13,14 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out the repo - uses: actions/checkout@v2 + uses: actions/checkout@v4 - name: Login to DockerHub - uses: docker/login-action@v1 + uses: docker/login-action@v3 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} - name: Build and Push - uses: docker/build-push-action@v2 + uses: docker/build-push-action@v5 with: push: true context: docker/terraform-utils/ diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 6ddfa296..89087a5d 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -1,5 +1,5 @@ image: - name: hashicorp/terraform:0.14.6 + name: hashicorp/terraform:1.8.3 entrypoint: - '/usr/bin/env' - 'PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' @@ -38,7 +38,7 @@ terraform_validate: - terraform validate -no-color . terraform_tflint: - image: + image: name: wata727/tflint entrypoint: - '/usr/bin/env' diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 00e95032..9bd389d0 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
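Review bot: `actions/download-artifact@v4` can only retrieve artifacts produced by `actions/upload-artifact@v4`; the job that uploads the `l1` artifact is outside this hunk, so if it is still on v2/v3 this step will fail with an artifact-not-found error — the two bumps need to land together. `geekyeggo/delete-artifact@v5` is a third-party action referenced through a mutable tag in a workflow that has repository secrets in scope; pin it to a full commit SHA with the tag kept as a comment, e.g. `- uses: geekyeggo/delete-artifact@<commit-sha> # v5`, and consider the same for the GitHub-owned actions. If the repo has no branch protection on the workflow files, tag pinning alone gives no tamper resistance for these downloads.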
@@ -1,6 +1,6 @@ repos: - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.76.0 + rev: v1.89.1 hooks: - id: terraform_fmt - id: terraform_docs @@ -8,7 +8,7 @@ repos: # - id: terraform_tflint # - id: terraform_tfsec - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.3.0 + rev: v4.6.0 hooks: - id: check-merge-conflict - id: trailing-whitespace diff --git a/docker/aws-eks-utils/Dockerfile b/docker/aws-eks-utils/Dockerfile index 5bcd9347..c77eb353 100644 --- a/docker/aws-eks-utils/Dockerfile +++ b/docker/aws-eks-utils/Dockerfile 
@@ -1,25 +1,27 @@ -FROM public.ecr.aws/docker/library/alpine:3.15.4 +FROM public.ecr.aws/docker/library/ubuntu:22.04 as sessionmanagerplugin -ARG TERRAFORM_VERSION="1.1.8" -ARG TERRAGRUNT_VERSION="0.39.1" -ARG HELM_VERSION="3.8.2" +RUN apt-get update \ + && apt-get install -y curl \ + && curl -Lo "session-manager-plugin.deb" "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/ubuntu_64bit/session-manager-plugin.deb" \ + && dpkg -i "session-manager-plugin.deb" + +FROM public.ecr.aws/docker/library/alpine:3.19.1 + +ARG TERRAFORM_VERSION="1.8.3" +ARG TERRAGRUNT_VERSION="0.58.5" +ARG HELM_VERSION="3.15.0" ARG HELMFILE_VERSION="0.144.0" -ARG KUBECTL_VERSION="1.22.0" +ARG KUBECTL_VERSION="1.30.1" ENV BASE_URL="https://get.helm.sh" ENV TAR_FILE="helm-v${HELM_VERSION}-linux-amd64.tar.gz" #Install python and pip -RUN echo "**** install Python ****" && \ - apk add --no-cache python3 && \ - if [ ! -e /usr/bin/python ]; then ln -sf python3 /usr/bin/python ; fi && \ - \ - echo "**** install pip ****" && \ - python3 -m ensurepip && \ - pip3 install --no-cache --upgrade pip setuptools wheel && \ - if [ ! -e /usr/bin/pip ]; then ln -s pip3 /usr/bin/pip ; fi +RUN echo "**** install Python and pip ****" && \ + apk add --update --no-cache python3 py3-pip py3-setuptools py3-wheel #Install additional packages and helm -RUN apk add --update --no-cache openssl git jq bash curl wget unzip ca-certificates && \ +RUN echo "**** install additional packages and helm ****" && \ + apk add --update --no-cache openssl git jq bash curl wget unzip ca-certificates && \ curl -L ${BASE_URL}/${TAR_FILE} |tar xvz && \ mv linux-amd64/helm /usr/bin/helm && \ chmod +x /usr/bin/helm 
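Review bot: The new builder stage fetches `session-manager-plugin.deb` from the floating `/plugin/latest/` path and installs it with `dpkg -i` with no integrity check, and the rewritten helm step still pipes `curl -L` straight into `tar`; both binaries end up in an image that runs terraform/kubectl against live accounts, so a swapped artifact is a direct supply-chain path. Pin the plugin to a versioned path and verify it before installing (AWS publishes a detached signature for the package), and for helm fetch the companion checksum: `curl -LO "${BASE_URL}/${TAR_FILE}" && curl -LO "${BASE_URL}/${TAR_FILE}.sha256sum" && sha256sum -c "${TAR_FILE}.sha256sum" && tar xzf "${TAR_FILE}"`. In the ubuntu stage `apt-get install -y curl` would be tighter as `apt-get install -y --no-install-recommends ca-certificates curl`. Minor style: `FROM ... as sessionmanagerplugin` — Dockerfile convention is uppercase `AS`.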
@@ -27,34 +29,47 @@ RUN apk add --update --no-cache openssl git jq bash curl wget unzip ca-certifica WORKDIR /tmp #Install tfenv for terraform -RUN git clone https://github.com/tfutils/tfenv.git /usr/bin/.tfenv && \ +RUN echo "**** install tfenv for terraform ****" && \ + git clone https://github.com/tfutils/tfenv.git /usr/bin/.tfenv && \ ln -s /usr/bin/.tfenv/bin/* /usr/bin #Intall tgenv for terragrunt -RUN git clone https://github.com/cunymatthieu/tgenv.git /usr/bin/.tgenv && \ +RUN echo "**** install tgenv for terragrunt ****" && \ + git clone https://github.com/cunymatthieu/tgenv.git /usr/bin/.tgenv && \ ln -s /usr/bin/.tgenv/bin/* /usr/bin #Install terraform -RUN tfenv install $TERRAFORM_VERSION +RUN echo "**** install terraform ****" && \ + tfenv install $TERRAFORM_VERSION #Install terragrunt -RUN tgenv install $TERRAGRUNT_VERSION +RUN echo "**** install terragrunt ****" && \ + tgenv install $TERRAGRUNT_VERSION #Install aws-cli -RUN pip install awscli --upgrade +RUN echo "**** install aws-cli ****" && \ + pip install awscli --upgrade --break-system-packages + +#Install aws session-manager plugin for cli +RUN echo "**** install aws session manager plugin for cli ****" +COPY --from=sessionmanagerplugin /usr/local/sessionmanagerplugin/bin/session-manager-plugin /usr/local/bin/ #Install kubectl -RUN wget https://storage.googleapis.com/kubernetes-release/release/v"$KUBECTL_VERSION"/bin/linux/amd64/kubectl \ - && chmod +x kubectl && mv kubectl /bin/kubectl +RUN echo "**** install kubectl ****" && \ + wget https://storage.googleapis.com/kubernetes-release/release/v"$KUBECTL_VERSION"/bin/linux/amd64/kubectl && \ + chmod +x kubectl && mv kubectl /bin/kubectl #Install docker -RUN apk add --no-cache --update docker +RUN echo "**** install docker ****" && \ + apk add --no-cache --update docker #Install helmfile -RUN wget https://github.com/roboll/helmfile/releases/download/v${HELMFILE_VERSION}/helmfile_linux_amd64 \ +RUN echo "**** install helmfile ****" && \ + wget 
https://github.com/roboll/helmfile/releases/download/v${HELMFILE_VERSION}/helmfile_linux_amd64 \ && chmod +x helmfile_linux_amd64 && mv helmfile_linux_amd64 /bin/helmfile # Install ssh -RUN apk add openssh +RUN echo "**** install openssh ****" && \ + apk add openssh ENTRYPOINT [""] diff --git a/docker/postgresql-backups/Dockerfile b/docker/postgresql-backups/Dockerfile index 00adb386..8e634f42 100644 --- a/docker/postgresql-backups/Dockerfile +++ b/docker/postgresql-backups/Dockerfile @@ -1,18 +1,12 @@ -FROM public.ecr.aws/docker/library/postgres:12-alpine +FROM public.ecr.aws/docker/library/postgres:16-alpine #Install python and pip -RUN echo "**** install Python ****" && \ - apk add --no-cache python3 && \ - if [ ! -e /usr/bin/python ]; then ln -sf python3 /usr/bin/python ; fi && \ - \ - echo "**** install pip ****" && \ - python3 -m ensurepip && \ - pip3 install --no-cache --upgrade pip setuptools wheel && \ - if [ ! -e /usr/bin/pip ]; then ln -s pip3 /usr/bin/pip ; fi +RUN echo "**** install Python and pip ****" && \ + apk add --update --no-cache python3 py3-pip py3-setuptools py3-wheel COPY requirements.txt . -RUN pip install --upgrade --no-cache-dir -r requirements.txt +RUN pip install --upgrade --no-cache-dir --break-system-packages -r requirements.txt COPY backup.py . diff --git a/docker/postgresql-exporter-script/Dockerfile b/docker/postgresql-exporter-script/Dockerfile index 9efab53f..286b75b0 100644 --- a/docker/postgresql-exporter-script/Dockerfile +++ b/docker/postgresql-exporter-script/Dockerfile @@ -1,4 +1,4 @@ -FROM public.ecr.aws/docker/library/postgres:12-alpine +FROM public.ecr.aws/docker/library/postgres:16-alpine WORKDIR /app diff --git a/docker/terraform-utils/Dockerfile b/docker/terraform-utils/Dockerfile index 90a1a797..3b3f6384 100644 --- a/docker/terraform-utils/Dockerfile +++ b/docker/terraform-utils/Dockerfile 
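Review bot: Several fetches on the new side of this hunk remain unpinned and unverified: tfenv and tgenv are `git clone`d at whatever HEAD is at build time, kubectl is pulled from the legacy `storage.googleapis.com/kubernetes-release` bucket with no checksum, and `pip install awscli --upgrade` floats to the newest release on every build. Pin the clones to a release tag (`git clone --depth 1 --branch <tag> ...`) and move kubectl to the supported host with its published digest: `wget "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl" "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl.sha256" && echo "$(cat kubectl.sha256)  kubectl" | sha256sum -c -`. `COPY --from=sessionmanagerplugin` drops a binary built on glibc Ubuntu into musl Alpine; as a Go binary it probably runs, but appending `&& session-manager-plugin --version` to a RUN step would make the build fail fast if it does not. The standalone `RUN echo "**** install aws session manager plugin for cli ****"` adds a layer that does nothing — make it a `#` comment. helmfile is still taken from `roboll/helmfile`, which appears to be the archived predecessor of `helmfile/helmfile`; worth confirming that is intended.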
@@ -1,5 +1,5 @@ -FROM public.ecr.aws/docker/library/alpine:3.15.4 -ARG TERRAFORM_VERSION="1.1.8" +FROM public.ecr.aws/docker/library/alpine:3.19.1 +ARG TERRAFORM_VERSION="1.8.3" WORKDIR /tmp diff --git a/terraform/.terraform-version b/terraform/.terraform-version index 661e7aea..a7ee35a3 100644 --- a/terraform/.terraform-version +++ b/terraform/.terraform-version @@ -1 +1 @@ -1.7.3 +1.8.3 diff --git a/terraform/modules/aws-acm/README.md b/terraform/modules/aws-acm/README.md new file mode 100644 index 00000000..141c12d7 --- /dev/null +++ b/terraform/modules/aws-acm/README.md @@ -0,0 +1,36 @@ +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [acm](#module\_acm) | terraform-aws-modules/acm/aws | 5.0.1 | + +## Resources + +| Name | Type | +|------|------| +| [aws_acm_certificate.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/acm_certificate) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [create\_acm\_certificate](#input\_create\_acm\_certificate) | n/a | `bool` | `false` | no | +| [domain\_name](#input\_domain\_name) | Main public domain name | `string` | n/a | yes | +| [validation\_method](#input\_validation\_method) | Which method to use for validation. DNS or EMAIL are valid. This parameter must not be set for certificates that were imported into ACM and then into Terraform. | `string` | `"DNS"` | no | +| [zone\_id](#input\_zone\_id) | R53 zone id for public domain | `string` | `""` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [ssl\_certificate\_arn](#output\_ssl\_certificate\_arn) | n/a | diff --git a/terraform/modules/aws-acm/main.tf b/terraform/modules/aws-acm/main.tf index 81b41b24..9a6070a1 100644 --- a/terraform/modules/aws-acm/main.tf 
+++ b/terraform/modules/aws-acm/main.tf @@ -10,12 +10,13 @@ data "aws_acm_certificate" "main" { module "acm" { source = "terraform-aws-modules/acm/aws" - version = "4.3.2" + version = "5.0.1" create_certificate = var.create_acm_certificate - domain_name = var.domain_name - zone_id = var.zone_id + domain_name = var.domain_name + zone_id = var.zone_id + validation_method = var.validation_method subject_alternative_names = [ "*.${var.domain_name}"] } diff --git a/terraform/modules/aws-acm/outputs.tf b/terraform/modules/aws-acm/outputs.tf new file mode 100644 index 00000000..f1fdd930 --- /dev/null +++ b/terraform/modules/aws-acm/outputs.tf @@ -0,0 +1,3 @@ +output "ssl_certificate_arn" { + value = var.create_acm_certificate ? module.acm.acm_certificate_arn : data.aws_acm_certificate.main[0].arn +} diff --git a/terraform/modules/aws-acm/variables.tf b/terraform/modules/aws-acm/variables.tf index 4ba055d0..14005ca5 100644 --- a/terraform/modules/aws-acm/variables.tf +++ b/terraform/modules/aws-acm/variables.tf @@ -12,3 +12,8 @@ variable "zone_id" { default = "" description = "R53 zone id for public domain" } + +variable "validation_method" { + default = "DNS" + description = "Which method to use for validation. DNS or EMAIL are valid. This parameter must not be set for certificates that were imported into ACM and then into Terraform." +} diff --git a/terraform/modules/aws-cis-benchmark-alerts/README.md b/terraform/modules/aws-cis-benchmark-alerts/README.md new file mode 100644 index 00000000..6e94021d --- /dev/null +++ b/terraform/modules/aws-cis-benchmark-alerts/README.md 
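Review bot: The new `variable "validation_method"` in variables.tf has only a `default` and a `description`; its own description restricts it to DNS or EMAIL, but nothing enforces that, so a value like `dns` is only rejected by ACM at apply time. Add `type = string` and a `validation` block with `condition = contains(["DNS", "EMAIL"], var.validation_method)` and an `error_message` naming the two accepted values. main.tf now passes `validation_method` unconditionally, including when `create_acm_certificate = false` and the `data.aws_acm_certificate.main` lookup is used instead; that should be harmless since the upstream module gates its resources on `create_certificate`, but the description's "must not be set for imported certificates" sentence would be clearer as "ignored when `create_acm_certificate` is false".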
@@ -0,0 +1,34 @@ +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [eventbridge](#module\_eventbridge) | terraform-aws-modules/eventbridge/aws | 3.3.1 | + +## Resources + +| Name | Type | +|------|------| +| [aws_sns_topic.security_alerts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource | +| [aws_sns_topic_policy.security_alerts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy) | resource | +| [aws_sns_topic_subscription.security_alerts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [aws\_cis\_benchmark\_alerts](#input\_aws\_cis\_benchmark\_alerts) | AWS CIS Benchmark alerts configuration | `any` |
{
"email": "demo@example.com",
"enabled": "false",
"rules": {
"aws_config_changes_enabled": true,
"cloudtrail_configuration_changes_enabled": true,
"console_login_failed_enabled": true,
"consolelogin_without_mfa_enabled": true,
"iam_policy_changes_enabled": true,
"kms_cmk_delete_or_disable_enabled": true,
"nacl_changes_enabled": true,
"network_gateway_changes_enabled": true,
"organization_changes_enabled": true,
"parameter_store_actions_enabled": true,
"route_table_changes_enabled": true,
"s3_bucket_policy_changes_enabled": true,
"secrets_manager_actions_enabled": true,
"security_group_changes_enabled": true,
"unauthorized_api_calls_enabled": true,
"usage_of_root_account_enabled": true,
"vpc_changes_enabled": true
}
}
| no | +| [name](#input\_name) | Project name, required to create unique resource names | `string` | n/a | yes | + +## Outputs + +No outputs. diff --git a/terraform/modules/aws-cis-benchmark-alerts/main.tf b/terraform/modules/aws-cis-benchmark-alerts/main.tf index f91fcfcc..bd35dd54 100644 --- a/terraform/modules/aws-cis-benchmark-alerts/main.tf +++ b/terraform/modules/aws-cis-benchmark-alerts/main.tf @@ -1,7 +1,7 @@ module "eventbridge" { count = var.aws_cis_benchmark_alerts.enabled ? 1 : 0 source = "terraform-aws-modules/eventbridge/aws" - version = "1.17.3" + version = "3.3.1" create_bus = false diff --git a/terraform/modules/aws-ebs-encryption-default/README.md b/terraform/modules/aws-ebs-encryption-default/README.md new file mode 100644 index 00000000..ed3f75b4 --- /dev/null +++ b/terraform/modules/aws-ebs-encryption-default/README.md @@ -0,0 +1,29 @@ +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_ebs_encryption_by_default.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_encryption_by_default) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [enable](#input\_enable) | n/a | `bool` | `false` | no | + +## Outputs + +No outputs. diff --git a/terraform/modules/aws-eks/README.md b/terraform/modules/aws-eks/README.md new file mode 100644 index 00000000..8fc7359e --- /dev/null +++ b/terraform/modules/aws-eks/README.md 
@@ -0,0 +1,58 @@ +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [aws\_ebs\_csi\_driver](#module\_aws\_ebs\_csi\_driver) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | 5.39.1 | +| [eks](#module\_eks) | terraform-aws-modules/eks/aws | 20.20.0 | +| [vpc\_cni\_irsa](#module\_vpc\_cni\_irsa) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | 5.39.1 | + +## Resources + +| Name | Type | +|------|------| +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_eks_cluster_auth.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [access\_entries](#input\_access\_entries) | Map of access entries to add to the cluster | `any` | `{}` | no | +| [eks\_cloudwatch\_log\_group\_retention\_in\_days](#input\_eks\_cloudwatch\_log\_group\_retention\_in\_days) | Number of days to retain log events. Default retention - 90 days. | `number` | `90` | no | +| [eks\_cluster\_enabled\_log\_types](#input\_eks\_cluster\_enabled\_log\_types) | A list of the desired control plane logging to enable. For more information, see Amazon EKS Control Plane Logging documentation (https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html). Possible values: api, audit, authenticator, controllerManager, scheduler | `list(string)` |
[
"audit"
]
| no | +| [eks\_cluster\_encryption\_config\_enable](#input\_eks\_cluster\_encryption\_config\_enable) | Enable or not encryption for k8s secrets with aws-kms | `bool` | `false` | no | +| [eks\_cluster\_endpoint\_only\_pritunl](#input\_eks\_cluster\_endpoint\_only\_pritunl) | Only Pritunl VPN server will have access to eks endpoint. | `bool` | `false` | no | +| [eks\_cluster\_endpoint\_private\_access](#input\_eks\_cluster\_endpoint\_private\_access) | Enable or not private access to cluster endpoint | `bool` | `true` | no | +| [eks\_cluster\_endpoint\_public\_access](#input\_eks\_cluster\_endpoint\_public\_access) | Enable or not public access to cluster endpoint | `bool` | `true` | no | +| [eks\_cluster\_version](#input\_eks\_cluster\_version) | Version of the EKS K8S cluster | `string` | `"1.29"` | no | +| [env](#input\_env) | Environment name | `string` | n/a | yes | +| [intra\_subnets](#input\_intra\_subnets) | A list of intra subnets inside the VPC | `list(any)` | n/a | yes | +| [name](#input\_name) | Name, required to create unique resource names | `string` | n/a | yes | +| [node\_group\_default](#input\_node\_group\_default) | Default node group configuration |
object({
instance_type = string
max_capacity = number
min_capacity = number
desired_capacity = number
capacity_rebalance = bool
use_mixed_instances_policy = bool
mixed_instances_policy = any
})
|
{
"capacity_rebalance": true,
"desired_capacity": 2,
"instance_type": "t4g.medium",
"max_capacity": 3,
"min_capacity": 2,
"mixed_instances_policy": {
"instances_distribution": {
"on_demand_base_capacity": 0,
"on_demand_percentage_above_base_capacity": 0
},
"override": [
{
"instance_type": "t4g.small"
},
{
"instance_type": "t4g.medium"
}
]
},
"use_mixed_instances_policy": true
}
| no | +| [private\_subnets](#input\_private\_subnets) | A list of private subnets inside the VPC | `list(any)` | n/a | yes | +| [public\_subnets](#input\_public\_subnets) | A list of public subnets inside the VPC | `list(any)` | n/a | yes | +| [region](#input\_region) | Infrastructure region | `string` | n/a | yes | +| [tags](#input\_tags) | A map of additional tags to add to resources | `any` | `{}` | no | +| [vpc\_id](#input\_vpc\_id) | The ID of the VPC where cluster will created | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [eks\_cluster\_endpoint](#output\_eks\_cluster\_endpoint) | Endpoint for EKS control plane. | +| [eks\_cluster\_id](#output\_eks\_cluster\_id) | n/a | +| [eks\_cluster\_security\_group\_id](#output\_eks\_cluster\_security\_group\_id) | Security group ids attached to the cluster control plane. | +| [eks\_kubectl\_console\_config](#output\_eks\_kubectl\_console\_config) | description | +| [eks\_oidc\_provider\_arn](#output\_eks\_oidc\_provider\_arn) | ARN of EKS oidc provider | +| [node\_group\_default\_iam\_role\_arn](#output\_node\_group\_default\_iam\_role\_arn) | n/a | +| [node\_group\_default\_iam\_role\_name](#output\_node\_group\_default\_iam\_role\_name) | n/a | diff --git a/terraform/modules/aws-eks/main.tf b/terraform/modules/aws-eks/main.tf index e8aa4076..edbe3e16 100644 --- a/terraform/modules/aws-eks/main.tf +++ b/terraform/modules/aws-eks/main.tf 
@@ -1,18 +1,7 @@ -data "aws_ami" "eks_default_arm64" { - most_recent = true - owners = ["amazon"] - - filter { - name = "name" - values = ["amazon-eks-arm64-node-${var.eks_cluster_version}-v*"] - - } -} - #tfsec:ignore:aws-vpc-no-public-egress-sgr tfsec:ignore:aws-eks-enable-control-plane-logging tfsec:ignore:aws-eks-encrypt-secrets tfsec:ignore:aws-eks-no-public-cluster-access tfsec:ignore:aws-eks-no-public-cluster-access-to-cidr module "eks" { source = "terraform-aws-modules/eks/aws" - version = "20.8.4" + version = "20.20.0" cluster_name = var.name cluster_version = var.eks_cluster_version @@ -54,13 +43,13 @@ module "eks" { node_security_group_tags = { "karpenter.sh/discovery" = var.name } self_managed_node_group_defaults = { - ami_id = data.aws_ami.eks_default_arm64.id + ami_type = "AL2023_ARM_64_STANDARD" block_device_mappings = { xvda = { device_name = "/dev/xvda" ebs = { delete_on_termination = true - encrypted = false + encrypted = true volume_size = 100 volume_type = "gp3" } 
@@ -77,17 +66,35 @@ module "eks" { } self_managed_node_groups = { default = { - name = "${var.name}-default" - iam_role_name = "${var.name}-default" - desired_size = var.node_group_default.desired_capacity - max_size = var.node_group_default.max_capacity - min_size = var.node_group_default.min_capacity - subnet_ids = var.private_subnets - - bootstrap_extra_args = "--kubelet-extra-args '--node-labels=nodegroup=default --register-with-taints=CriticalAddonsOnly=true:NoSchedule'" + name = "${var.name}-default" + iam_role_name = "${var.name}-default" + desired_size = var.node_group_default.desired_capacity + max_size = var.node_group_default.max_capacity + min_size = var.node_group_default.min_capacity + subnet_ids = var.private_subnets capacity_rebalance = var.node_group_default.capacity_rebalance use_mixed_instances_policy = var.node_group_default.use_mixed_instances_policy mixed_instances_policy = var.node_group_default.mixed_instances_policy + cloudinit_pre_nodeadm = [ + { + content_type = "application/node.eks.aws" + content = <<-EOT + --- + apiVersion: node.eks.aws/v1alpha1 + kind: NodeConfig + spec: + kubelet: + config: + shutdownGracePeriod: 30s + featureGates: + DisableKubeletCloudCredentialProviders: true + registerWithTaints: + - key: CriticalAddonsOnly + value: "true" + effect: NoSchedule + EOT + } + ] } } fargate_profiles = { @@ -113,7 +120,7 @@ module "eks" { module "vpc_cni_irsa" { source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - version = "5.17.0" + version = "5.39.1" role_name = "${var.name}-vpc-cni" attach_vpc_cni_policy = true @@ -131,7 +138,7 @@ module "vpc_cni_irsa" { module "aws_ebs_csi_driver" { source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - version = "5.17.0" + version = "5.39.1" role_name = "${var.name}-aws-ebs-csi-driver" attach_ebs_csi_policy = true 
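Review bot: The new `cloudinit_pre_nodeadm` NodeConfig carries over the `CriticalAddonsOnly` taint but drops the `nodegroup=default` node label that the removed `bootstrap_extra_args` line (`--node-labels=nodegroup=default`) used to set, so any nodeSelector or affinity keyed on `nodegroup` will stop matching the default group after this change. On AL2023 nodeadm, kubelet command-line flags go under `spec.kubelet.flags`; add `flags:` / `  - --node-labels=nodegroup=default` as a sibling of `config:` inside `kubelet:`. A one-line comment above the heredoc noting that it replaces the former `bootstrap_extra_args` would help the next reader. The `module "eks"` block and the `self_managed_node_groups` map open before this hunk.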
diff --git a/terraform/modules/aws-iam-eks-trusted/README.md b/terraform/modules/aws-iam-eks-trusted/README.md index 8458b1c2..e1cb24f1 100644 --- a/terraform/modules/aws-iam-eks-trusted/README.md +++ b/terraform/modules/aws-iam-eks-trusted/README.md @@ -1,4 +1,3 @@ - ## Requirements No requirements. @@ -34,4 +33,3 @@ No modules. | Name | Description | |------|-------------| | [role\_arn](#output\_role\_arn) | This role ARN | - \ No newline at end of file diff --git a/terraform/modules/aws-iam-user-with-policy/README.md b/terraform/modules/aws-iam-user-with-policy/README.md index 558fa39c..e958d678 100644 --- a/terraform/modules/aws-iam-user-with-policy/README.md +++ b/terraform/modules/aws-iam-user-with-policy/README.md @@ -1,4 +1,3 @@ - ## Requirements No requirements. @@ -34,4 +33,3 @@ No modules. |------|-------------| | [access\_key\_id](#output\_access\_key\_id) | AWS ACCESS\_KEY\_ID | | [access\_secret\_key](#output\_access\_secret\_key) | AWS ACCESS\_SECRET\_KEY | - \ No newline at end of file diff --git a/terraform/modules/aws-password-policy/README.md b/terraform/modules/aws-password-policy/README.md new file mode 100644 index 00000000..69c3a397 --- /dev/null +++ b/terraform/modules/aws-password-policy/README.md @@ -0,0 +1,29 @@ +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_iam_account_password_policy.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [aws\_account\_password\_policy](#input\_aws\_account\_password\_policy) | n/a | `any` |
{
"allow_users_to_change_password": true,
"hard_expiry": false,
"max_password_age": 90,
"minimum_password_length": 14,
"password_reuse_prevention": 10,
"require_lowercase_characters": true,
"require_numbers": true,
"require_symbols": true,
"require_uppercase_characters": true
}
| no | + +## Outputs + +No outputs. diff --git a/terraform/modules/aws-pritunl/README.md b/terraform/modules/aws-pritunl/README.md index 923de690..57714d07 100644 --- a/terraform/modules/aws-pritunl/README.md +++ b/terraform/modules/aws-pritunl/README.md 
@@ -1,75 +1,58 @@ - ## Requirements No requirements. ## Providers -| Name | Version | -| ------------------------------------------------- | ------- | -| [aws](#provider\_aws) | n/a | +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | ## Modules -| Name | Source | Version | -| ----------------------------------------------------------------------- | --------------------------------------------------------- | ------- | -| [backup\_role](#module\_backup\_role) | terraform-aws-modules/iam/aws//modules/iam-assumable-role | 4.14.0 | -| [ec2\_sg](#module\_ec2\_sg) | terraform-aws-modules/security-group/aws | 4.8.0 | -| [efs\_sg](#module\_efs\_sg) | terraform-aws-modules/security-group/aws | 4.8.0 | -| [iam\_policy](#module\_iam\_policy) | terraform-aws-modules/iam/aws//modules/iam-policy | 4.14.0 | -| [this\_role](#module\_this\_role) | terraform-aws-modules/iam/aws//modules/iam-assumable-role | 4.14.0 | +| Name | Source | Version | +|------|--------|---------| +| [backup\_role](#module\_backup\_role) | terraform-aws-modules/iam/aws//modules/iam-assumable-role | 5.39.1 | +| [ec2\_sg](#module\_ec2\_sg) | terraform-aws-modules/security-group/aws | 5.1.2 | +| [efs\_sg](#module\_efs\_sg) | terraform-aws-modules/security-group/aws | 4.8.0 | +| [iam\_policy](#module\_iam\_policy) | terraform-aws-modules/iam/aws//modules/iam-policy | 5.39.1 | +| [this\_role](#module\_this\_role) | terraform-aws-modules/iam/aws//modules/iam-assumable-role | 5.39.1 | ## Resources -| Name | Type | -| -------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- | -| [aws_autoscaling_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group) | resource | -| [aws_backup_plan.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_plan) | resource | -| 
[aws_backup_selection.efs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_selection) | resource | -| [aws_backup_vault.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault) | resource | -| [aws_efs_file_system.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_file_system) | resource | -| [aws_efs_mount_target.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_mount_target) | resource | -| [aws_eip.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip) | resource | -| [aws_iam_instance_profile.this_instance_profile](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource | -| [aws_launch_template.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template) | resource | -| [aws_ami.amazon_linux_2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source | -| [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| Name | Type | +|------|------| +| [aws_autoscaling_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group) | resource | +| [aws_backup_plan.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_plan) | resource | +| [aws_backup_selection.efs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_selection) | resource | +| [aws_backup_vault.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/backup_vault) | resource | +| 
[aws_efs_file_system.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_file_system) | resource | +| [aws_efs_mount_target.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_mount_target) | resource | +| [aws_eip.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip) | resource | +| [aws_iam_instance_profile.this_instance_profile](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource | +| [aws_launch_template.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template) | resource | +| [aws_ami.amazon_linux_2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source | +| [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | ## Inputs -| Name | Description | Type | Default | Required | -| ----------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------ | :------: | -| [encrypted](#input\_encrypted) | Encrypt or not EFS | `bool` | `true` | no | -| [environment](#input\_environment) | Environment name | `string` | `"infra"` | no | -| [ingress\_with\_cidr\_blocks](#input\_ingress\_with\_cidr\_blocks) | A list of Pritunl server security group rules where source is CIDR |
list(object({
protocol = string
from_port = string
to_port = string
cidr_blocks = string
}))
| `[]` | no | -| [ingress\_with\_source\_security\_group\_id](#input\_ingress\_with\_source\_security\_group\_id) | A list of Pritunl server security group rules where source is another security group |
list(object({
protocol = string
from_port = string
to_port = string
security_groups = string
}))
| `[]` | no | -| [instance\_type](#input\_instance\_type) | Pritunl server instance type | `string` | `"t3.small"` | no | -| [kms\_key\_id](#input\_kms\_key\_id) | KMS key ID in case of using CMK | `any` | `null` | no | -| [name](#input\_name) | Name used for all resources in this module | `string` | `"pritunl"` | no | -| [private\_subnets](#input\_private\_subnets) | A list of private subnets where EFS will be created | `list(any)` | n/a | yes | -| [public\_subnets](#input\_public\_subnets) | A list of public subnets where Pritunl server will be run | `list(any)` | n/a | yes | -| [vpc\_id](#input\_vpc\_id) | ID of the VPC where to create security groups | `string` | n/a | yes | +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [encrypted](#input\_encrypted) | Encrypt or not EFS | `bool` | `true` | no | +| [environment](#input\_environment) | Environment name | `string` | `"infra"` | no | +| [ingress\_with\_cidr\_blocks](#input\_ingress\_with\_cidr\_blocks) | A list of Pritunl server security group rules where source is CIDR |
list(object({
protocol = string
from_port = string
to_port = string
cidr_blocks = string
}))
| `[]` | no | +| [ingress\_with\_source\_security\_group\_id](#input\_ingress\_with\_source\_security\_group\_id) | A list of Pritunl server security group rules where source is another security group |
list(object({
protocol = string
from_port = string
to_port = string
security_groups = string
}))
| `[]` | no | +| [instance\_type](#input\_instance\_type) | Pritunl server instance type | `string` | `"t3.small"` | no | +| [kms\_key\_id](#input\_kms\_key\_id) | KMS key ID in case of using CMK | `any` | `null` | no | +| [name](#input\_name) | Name used for all resources in this module | `string` | `"pritunl"` | no | +| [private\_subnets](#input\_private\_subnets) | A list of private subnets where EFS will be created | `list(any)` | n/a | yes | +| [public\_subnets](#input\_public\_subnets) | A list of public subnets where Pritunl server will be run | `list(any)` | n/a | yes | +| [vpc\_id](#input\_vpc\_id) | ID of the VPC where to create security groups | `string` | n/a | yes | ## Outputs -| Name | Description | -| ---------------------------------------------------------------------------------------------------------- | ----------- | -| [pritunl\_endpoint](#output\_pritunl\_endpoint) | n/a | -| [pritunl\_security\_group](#output\_pritunl\_security\_group) | n/a | - - -## Architecture diagram - -![pritunl-server-architecture-diagram](../../../docs/aws-ec2-pritunl-diagram.svg) - -## Description -* AWS ASG is used to automatically run "broken" instance again -* The entire logic is located in user-data script: - * Install MongoDB - * Install Pritunl-server - * Configure sysctl - * Attache Elastic IP - * Disable source-destination check, because this instance will forward traffic - * Mount EFS filesystem into directory with MongoDB data. We don't want to care about AZ and EBS disks -* AWS Backup is configured to backup EFS storage +| Name | Description | +|------|-------------| +| [pritunl\_endpoint](#output\_pritunl\_endpoint) | n/a | +| [pritunl\_security\_group](#output\_pritunl\_security\_group) | n/a | diff --git a/terraform/modules/aws-pritunl/iam.tf b/terraform/modules/aws-pritunl/iam.tf index 2424b212..4d4f702c 100644 --- a/terraform/modules/aws-pritunl/iam.tf +++ b/terraform/modules/aws-pritunl/iam.tf 
@@ -56,7 +56,7 @@ data "aws_iam_policy_document" "this" { module "iam_policy" { source = "terraform-aws-modules/iam/aws//modules/iam-policy" - version = "4.14.0" + version = "5.39.1" name = var.name path = "/" @@ -67,7 +67,7 @@ module "iam_policy" { module "this_role" { source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role" - version = "4.14.0" + version = "5.39.1" trusted_role_services = [ "ec2.amazonaws.com" @@ -91,7 +91,7 @@ resource "aws_iam_instance_profile" "this_instance_profile" { module "backup_role" { source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role" - version = "4.14.0" + version = "5.39.1" trusted_role_services = [ "backup.amazonaws.com" diff --git a/terraform/modules/aws-pritunl/security_groups.tf b/terraform/modules/aws-pritunl/security_groups.tf index 1df4c1f4..000c3955 100644 --- a/terraform/modules/aws-pritunl/security_groups.tf +++ b/terraform/modules/aws-pritunl/security_groups.tf @@ -1,6 +1,6 @@ module "ec2_sg" { source = "terraform-aws-modules/security-group/aws" - version = "4.8.0" + version = "5.1.2" name = var.name description = "${var.name} security group" diff --git a/terraform/modules/aws-r53/README.md b/terraform/modules/aws-r53/README.md new file mode 100644 index 00000000..27b76e6a --- /dev/null +++ b/terraform/modules/aws-r53/README.md 
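Review bot: ec2_sg is moved to terraform-aws-modules/security-group/aws 5.1.2 in this hunk, but efs_sg, per the regenerated README in this same commit, still pins 4.8.0 of the same module, so security_groups.tf now mixes two major versions of one module. A major-version bump may change the module's interface or defaults, so either bump efs_sg to the same `version = "5.1.2"` and run a plan to confirm the EFS security group rules do not churn, or add a comment explaining why the two pins are intentionally split. The efs_sg block is outside this hunk.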
@@ -0,0 +1,34 @@ +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [r53\_zone](#module\_r53\_zone) | terraform-aws-modules/route53/aws//modules/zones | 2.11.1 | + +## Resources + +| Name | Type | +|------|------| +| [aws_route53_zone.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [create\_r53\_zone](#input\_create\_r53\_zone) | Create R53 zone for main public domain | `bool` | `false` | no | +| [domain\_name](#input\_domain\_name) | Main public domain name | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [route53\_zone\_id](#output\_route53\_zone\_id) | ID of domain zone | diff --git a/terraform/modules/aws-r53/main.tf b/terraform/modules/aws-r53/main.tf index 5420d038..a544ea03 100644 --- a/terraform/modules/aws-r53/main.tf +++ b/terraform/modules/aws-r53/main.tf @@ -7,7 +7,7 @@ data "aws_route53_zone" "main" { module "r53_zone" { source = "terraform-aws-modules/route53/aws//modules/zones" - version = "2.10.2" + version = "2.11.1" create = var.create_r53_zone diff --git a/terraform/modules/aws-vpc/README.md b/terraform/modules/aws-vpc/README.md new file mode 100644 index 00000000..ee7de899 --- /dev/null +++ b/terraform/modules/aws-vpc/README.md 
@@ -0,0 +1,40 @@ +## Requirements + +No requirements. + +## Providers + +No providers. + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | 5.8.1 | +| [vpc\_gateway\_endpoints](#module\_vpc\_gateway\_endpoints) | terraform-aws-modules/vpc/aws//modules/vpc-endpoints | 5.8.1 | + +## Resources + +No resources. + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [azs](#input\_azs) | A list of availability zones names or ids in the region | `list(any)` | n/a | yes | +| [cidr](#input\_cidr) | The IPv4 CIDR block for the VPC | `string` | n/a | yes | +| [name](#input\_name) | Name, required to create unique resource names | `string` | n/a | yes | +| [single\_nat\_gateway](#input\_single\_nat\_gateway) | Should be true if you want to provision a single shared NAT Gateway across all of your private networks | `bool` | `false` | no | +| [tags](#input\_tags) | A map of additional tags to add to resources | `any` | `{}` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [vpc\_cidr](#output\_vpc\_cidr) | CIDR block of infra VPC | +| [vpc\_database\_subnets](#output\_vpc\_database\_subnets) | Database subnets of infra VPC | +| [vpc\_id](#output\_vpc\_id) | ID of infra VPC | +| [vpc\_intra\_subnets](#output\_vpc\_intra\_subnets) | Private intra subnets | +| [vpc\_name](#output\_vpc\_name) | Name of infra VPC | +| [vpc\_private\_subnets](#output\_vpc\_private\_subnets) | Private subnets of infra VPC | +| [vpc\_public\_subnets](#output\_vpc\_public\_subnets) | Public subnets of infra VPC | diff --git a/terraform/modules/aws-vpc/main.tf b/terraform/modules/aws-vpc/main.tf index d3f9f994..8a8d9ec3 100644 --- a/terraform/modules/aws-vpc/main.tf +++ b/terraform/modules/aws-vpc/main.tf 
@@ -9,7 +9,7 @@ locals { module "vpc" { source = "terraform-aws-modules/vpc/aws" - version = "5.7.1" + version = "5.8.1" name = var.name cidr = var.cidr @@ -84,7 +84,7 @@ module "vpc" { module "vpc_gateway_endpoints" { source = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints" - version = "5.7.1" + version = "5.8.1" vpc_id = module.vpc.vpc_id diff --git a/terraform/modules/aws-wafv2-top-10-owasp-rules/README.md b/terraform/modules/aws-wafv2-top-10-owasp-rules/README.md index cf3354be..ad8279bd 100644 --- a/terraform/modules/aws-wafv2-top-10-owasp-rules/README.md +++ b/terraform/modules/aws-wafv2-top-10-owasp-rules/README.md 
@@ -1,68 +1,42 @@ -There are 2 implementations of AWS WAF: AWS WAF Classic and AWS WAFv2. AWS recommends using AWS WAFv2 for new installations. -This terraform module creates AWS WAFv2 rule-group with rules that cover *OWASP TOP 10 security issues* (https://d0.awsstatic.com/whitepapers/Security/aws-waf-owasp.pdf). +## Requirements -For a CloudFront distribution, AWS WAF is available globally, but you must use the Region US East (N. Virginia) for all of your work. You must create your web ACL using the Region US East (N. Virginia). You must also use this Region to create any other resources that you use in your web ACL, like rule groups, IP sets, and regex pattern sets. +No requirements. -Example of using this module: -```bash -module "wafv2_owasp_top_10_rules" { - source = "../modules/aws-wafv2-top-10-owasp-rules" +## Providers - name = "${var.name}-${local.env}" +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | - waf_scope = "CLOUDFRONT" +## Modules - max_expected_uri_size = "512" - max_expected_query_string_size = "1024" - max_expected_body_size = "4096" - max_expected_cookie_size = "4093" +No modules. 
- csrf_expected_header = "x-csrf-token" - csrf_expected_size = "36" +## Resources - cloudwatch_metrics_enabled = true - blacklisted_cidrs = ["10.0.0.0/8", "192.168.0.0/16", "169.254.0.0/16", "172.16.0.0/16", "127.0.0.1/32"] -} +| Name | Type | +|------|------| +| [aws_wafv2_ip_set.owasp_10_detect_blacklisted_ips](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_ip_set) | resource | +| [aws_wafv2_rule_group.owasp_top10_rules](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_rule_group) | resource | -resource "aws_wafv2_web_acl" "example" { - name = "${var.name}-${local.env}-webacl" - scope = "CLOUDFRONT" +## Inputs - default_action { - allow {} - } +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [blacklisted\_cidrs](#input\_blacklisted\_cidrs) | A list of blacklister CIDR blocks | `list(string)` |
[
"10.0.0.0/8",
"192.168.0.0/16",
"169.254.0.0/16",
"172.16.0.0/16",
"127.0.0.1/32"
]
| no | +| [cloudwatch\_metrics\_enabled](#input\_cloudwatch\_metrics\_enabled) | Enable or not using AWS Cloudwatch metrics | `bool` | `false` | no | +| [csrf\_expected\_header](#input\_csrf\_expected\_header) | The custom HTTP request header, where the CSRF token value is expected to be encountered | `string` | `"x-csrf-token"` | no | +| [csrf\_expected\_size](#input\_csrf\_expected\_size) | The size in bytes of the CSRF token value. For example if it's a canonically formatted UUIDv4 value the expected size would be 36 bytes/ASCII characters. | `string` | `"36"` | no | +| [max\_expected\_body\_size](#input\_max\_expected\_body\_size) | Maximum number of bytes allowed in the body of the request. If you do not plan to allow large uploads, set it to the largest payload value that makes sense for your web application. Accepting unnecessarily large values can cause performance issues, if large payloads are used as an attack vector against your web application. | `string` | `"4096"` | no | +| [max\_expected\_cookie\_size](#input\_max\_expected\_cookie\_size) | Maximum number of bytes allowed in the cookie header. The maximum size should be less than 4096, the size is determined by the amount of information your web application stores in cookies. If you only pass a session token via cookies, set the size to no larger than the serialized size of the session token and cookie metadata. | `string` | `"4093"` | no | +| [max\_expected\_query\_string\_size](#input\_max\_expected\_query\_string\_size) | Maximum number of bytes allowed in the query string component of the HTTP request. Normally the of query string parameters following the ? in a URL is much larger than the URI , but still bounded by the of the parameters your web application uses and their values. | `string` | `"1024"` | no | +| [max\_expected\_uri\_size](#input\_max\_expected\_uri\_size) | Maximum number of bytes allowed in the URI component of the HTTP request. 
Generally the maximum possible value is determined by the server operating system (maps to file system paths), the web server software, or other middleware components. Choose a value that accomodates the largest URI segment you use in practice in your web application. | `string` | `"512"` | no | +| [name](#input\_name) | Name used for all resources in this module | `string` | n/a | yes | +| [waf\_scope](#input\_waf\_scope) | One API can be used for both global and regional applications. Possible values are CLOUDFRONT and REGIONAL. REGIONAL is used for ALBs, API Gateway | `string` | `"CLOUDFRONT"` | no | +| [wafv2\_rule\_action](#input\_wafv2\_rule\_action) | Default rules action | `string` | `"block"` | no | - rule { - name = "owasp_top10_rules" - priority = 1 +## Outputs - override_action { - none {} - } - - statement { - rule_group_reference_statement { - arn = module.wafv2_owasp_top_10_rules.rule_group_arn - } - } - - visibility_config { - cloudwatch_metrics_enabled = true - metric_name = "owasp-top10-security-issues" - sampled_requests_enabled = true - } - } - - visibility_config { - cloudwatch_metrics_enabled = true - metric_name = "${var.name}-${local.env}-webacl" - sampled_requests_enabled = false - } -} - -resource "aws_cloudfront_distribution" "example" { - ... - web_acl_id = aws_wafv2_web_acl.example.arn - ... -} -``` +| Name | Description | +|------|-------------| +| [rule\_group\_arn](#output\_rule\_group\_arn) | n/a | diff --git a/terraform/modules/k8s-addons/README.md b/terraform/modules/k8s-addons/README.md index 6922c3b2..8f3bec17 100644 --- a/terraform/modules/k8s-addons/README.md +++ b/terraform/modules/k8s-addons/README.md 
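Review bot: The documented default for blacklisted_cidrs lists `172.16.0.0/16`, which is only the first /16 of the RFC 1918 range `172.16.0.0/12`, so source addresses in 172.17.0.0–172.31.255.255 are not matched by the owasp_10_detect_blacklisted_ips IP set; since this README is terraform-docs output, the fix belongs in the module's variables.tf default (not in this diff): `"172.16.0.0/12"`. The rewrite also drops the earlier note that CLOUDFRONT-scoped web ACLs, rule groups and IP sets must be created in us-east-1, together with the worked aws_wafv2_web_acl example that consumes rule_group_arn; the waf_scope variable description is the natural place to keep the region caveat, since terraform-docs carries it into this Inputs table (e.g. `CLOUDFRONT scope requires all WAF resources to be created in us-east-1`). The "blacklister CIDR blocks" wording in the blacklisted_cidrs description is presumably a typo for "blacklisted" and also lives in variables.tf.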
@@ -1,23 +1,16 @@ ## Requirements -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | 1.4.4 | -| [aws](#requirement\_aws) | 4.62.0 | -| [helm](#requirement\_helm) | 2.6.0 | -| [http](#requirement\_http) | 3.2.1 | -| [kubectl](#requirement\_kubectl) | 1.14.0 | -| [kubernetes](#requirement\_kubernetes) | 2.19.0 | +No requirements. ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 4.62.0 | -| [helm](#provider\_helm) | 2.6.0 | -| [http](#provider\_http) | 3.2.1 | -| [kubectl](#provider\_kubectl) | 1.14.0 | -| [kubernetes](#provider\_kubernetes) | 2.19.0 | +| [aws](#provider\_aws) | n/a | +| [helm](#provider\_helm) | n/a | +| [http](#provider\_http) | n/a | +| [kubectl](#provider\_kubectl) | n/a | +| [kubernetes](#provider\_kubernetes) | n/a | | [random](#provider\_random) | n/a | | [tls](#provider\_tls) | n/a | 
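Review bot: The Requirements table goes from pinned versions (terraform 1.4.4, aws 4.62.0, helm 2.6.0, http 3.2.1, kubectl 1.14.0, kubernetes 2.19.0) to `No requirements`, and every provider version becomes `n/a`, which is what terraform-docs emits when a module declares no required_providers constraints. If the module's versions.tf was removed or emptied (that change is not in this diff), k8s-addons now resolves the newest provider on every init, so a provider release can alter a plan with no change in this repo; keep a `required_providers` block with lower-bounded constraints such as `aws = { source = "hashicorp/aws", version = ">= 4.62" }`, or state in the README that pinning is delegated to the root layer. The Resources table in the following hunk also changes the kubectl provider link from gavinbunney/kubectl to hashicorp/kubectl, which looks like the same symptom (terraform-docs assumes the hashicorp namespace when no `source` is declared) and, if real, means the module no longer records which kubectl provider it expects — confirm against versions.tf.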
@@ -25,77 +18,70 @@ | Name | Source | Version | |------|--------|---------| -| [aws\_iam\_aws\_loadbalancer\_controller](#module\_aws\_iam\_aws\_loadbalancer\_controller) | ../modules/aws-iam-eks-trusted | n/a | -| [aws\_iam\_cert\_manager](#module\_aws\_iam\_cert\_manager) | ../modules/aws-iam-eks-trusted | n/a | -| [aws\_iam\_elastic\_stack](#module\_aws\_iam\_elastic\_stack) | ../modules/aws-iam-user-with-policy | n/a | -| [aws\_iam\_external\_dns](#module\_aws\_iam\_external\_dns) | ../modules/aws-iam-eks-trusted | n/a | -| [aws\_iam\_gitlab\_runner](#module\_aws\_iam\_gitlab\_runner) | ../modules/aws-iam-eks-trusted | n/a | -| [aws\_iam\_kube\_prometheus\_stack\_grafana](#module\_aws\_iam\_kube\_prometheus\_stack\_grafana) | ../modules/aws-iam-eks-trusted | n/a | -| [aws\_iam\_victoria\_metrics\_k8s\_stack\_grafana](#module\_aws\_iam\_victoria\_metrics\_k8s\_stack\_grafana) | ../modules/aws-iam-eks-trusted | n/a | -| [aws\_load\_balancer\_controller\_namespace](#module\_aws\_load\_balancer\_controller\_namespace) | ../modules/eks-kubernetes-namespace | n/a | -| [certmanager\_namespace](#module\_certmanager\_namespace) | ../modules/eks-kubernetes-namespace | n/a | -| [elastic\_tls](#module\_elastic\_tls) | ../modules/self-signed-certificate | n/a | -| [elk\_namespace](#module\_elk\_namespace) | ../modules/eks-kubernetes-namespace | n/a | -| [external\_dns\_namespace](#module\_external\_dns\_namespace) | ../modules/eks-kubernetes-namespace | n/a | -| [external\_secrets\_namespace](#module\_external\_secrets\_namespace) | ../modules/eks-kubernetes-namespace | n/a | -| [fargate\_namespace](#module\_fargate\_namespace) | ../modules/eks-kubernetes-namespace | n/a | -| [gitlab\_runner\_namespace](#module\_gitlab\_runner\_namespace) | ../modules/eks-kubernetes-namespace | n/a | -| [ingress\_nginx\_namespace](#module\_ingress\_nginx\_namespace) | ../modules/eks-kubernetes-namespace | n/a | -| [istio\_system\_namespace](#module\_istio\_system\_namespace) | 
../modules/eks-kubernetes-namespace | n/a | -| [karpenter](#module\_karpenter) | terraform-aws-modules/eks/aws//modules/karpenter | 19.21.0 | -| [karpenter\_namespace](#module\_karpenter\_namespace) | ../modules/eks-kubernetes-namespace | n/a | -| [keda\_namespace](#module\_keda\_namespace) | ../modules/eks-kubernetes-namespace | n/a | -| [kiali\_namespace](#module\_kiali\_namespace) | ../modules/eks-kubernetes-namespace | n/a | -| [kube\_prometheus\_stack\_namespace](#module\_kube\_prometheus\_stack\_namespace) | ../modules/eks-kubernetes-namespace | n/a | -| [loki\_namespace](#module\_loki\_namespace) | ../modules/eks-kubernetes-namespace | n/a | -| [reloader\_namespace](#module\_reloader\_namespace) | ../modules/eks-kubernetes-namespace | n/a | -| [victoria\_metrics\_k8s\_stack\_namespace](#module\_victoria\_metrics\_k8s\_stack\_namespace) | ../modules/eks-kubernetes-namespace | n/a | +| [aws\_iam\_aws\_loadbalancer\_controller](#module\_aws\_iam\_aws\_loadbalancer\_controller) | ../aws-iam-eks-trusted | n/a | +| [aws\_iam\_cert\_manager](#module\_aws\_iam\_cert\_manager) | ../aws-iam-eks-trusted | n/a | +| [aws\_iam\_elastic\_stack](#module\_aws\_iam\_elastic\_stack) | ../aws-iam-user-with-policy | n/a | +| [aws\_iam\_external\_dns](#module\_aws\_iam\_external\_dns) | ../aws-iam-eks-trusted | n/a | +| [aws\_iam\_gitlab\_runner](#module\_aws\_iam\_gitlab\_runner) | ../aws-iam-eks-trusted | n/a | +| [aws\_iam\_kube\_prometheus\_stack\_grafana](#module\_aws\_iam\_kube\_prometheus\_stack\_grafana) | ../aws-iam-eks-trusted | n/a | +| [aws\_iam\_victoria\_metrics\_k8s\_stack\_grafana](#module\_aws\_iam\_victoria\_metrics\_k8s\_stack\_grafana) | ../aws-iam-eks-trusted | n/a | +| [aws\_load\_balancer\_controller\_namespace](#module\_aws\_load\_balancer\_controller\_namespace) | ../eks-kubernetes-namespace | n/a | +| [certmanager\_namespace](#module\_certmanager\_namespace) | ../eks-kubernetes-namespace | n/a | +| [elastic\_tls](#module\_elastic\_tls) | 
../self-signed-certificate | n/a | +| [elk\_namespace](#module\_elk\_namespace) | ../eks-kubernetes-namespace | n/a | +| [external\_dns\_namespace](#module\_external\_dns\_namespace) | ../eks-kubernetes-namespace | n/a | +| [external\_secrets\_namespace](#module\_external\_secrets\_namespace) | ../eks-kubernetes-namespace | n/a | +| [fargate\_namespace](#module\_fargate\_namespace) | ../eks-kubernetes-namespace | n/a | +| [gitlab\_runner\_namespace](#module\_gitlab\_runner\_namespace) | ../eks-kubernetes-namespace | n/a | +| [ingress\_nginx\_namespace](#module\_ingress\_nginx\_namespace) | ../eks-kubernetes-namespace | n/a | +| [istio\_system\_namespace](#module\_istio\_system\_namespace) | ../eks-kubernetes-namespace | n/a | +| [keda\_namespace](#module\_keda\_namespace) | ../eks-kubernetes-namespace | n/a | +| [kiali\_namespace](#module\_kiali\_namespace) | ../eks-kubernetes-namespace | n/a | +| [kube\_prometheus\_stack\_namespace](#module\_kube\_prometheus\_stack\_namespace) | ../eks-kubernetes-namespace | n/a | +| [loki\_namespace](#module\_loki\_namespace) | ../eks-kubernetes-namespace | n/a | +| [reloader\_namespace](#module\_reloader\_namespace) | ../eks-kubernetes-namespace | n/a | +| [victoria\_metrics\_k8s\_stack\_namespace](#module\_victoria\_metrics\_k8s\_stack\_namespace) | ../eks-kubernetes-namespace | n/a | ## Resources | Name | Type | |------|------| -| [aws_route53_record.default_ingress](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/resources/route53_record) | resource | -| [aws_s3_bucket.elastic_stack](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/resources/s3_bucket) | resource | -| [aws_s3_bucket.gitlab_runner_cache](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/resources/s3_bucket) | resource | -| [aws_s3_bucket_acl.elastic_stack_acl](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/resources/s3_bucket_acl) | resource | -| 
[aws_s3_bucket_acl.gitlab_runner_acl](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/resources/s3_bucket_acl) | resource | -| [aws_s3_bucket_lifecycle_configuration.gitlab_runner_lifecycle](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/resources/s3_bucket_lifecycle_configuration) | resource | -| [aws_s3_bucket_public_access_block.elastic_stack_public_access_block](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/resources/s3_bucket_public_access_block) | resource | -| [aws_s3_bucket_public_access_block.gitlab_runner_cache_public_access_block](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/resources/s3_bucket_public_access_block) | resource | -| [aws_s3_bucket_server_side_encryption_configuration.elastic_stack_encryption](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | -| [aws_s3_bucket_server_side_encryption_configuration.gitlab_runner_encryption](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | -| [helm_release.aws_loadbalancer_controller](https://registry.terraform.io/providers/hashicorp/helm/2.6.0/docs/resources/release) | resource | -| [helm_release.cert_manager](https://registry.terraform.io/providers/hashicorp/helm/2.6.0/docs/resources/release) | resource | -| [helm_release.certificate](https://registry.terraform.io/providers/hashicorp/helm/2.6.0/docs/resources/release) | resource | -| [helm_release.cluster_issuer](https://registry.terraform.io/providers/hashicorp/helm/2.6.0/docs/resources/release) | resource | -| [helm_release.elk](https://registry.terraform.io/providers/hashicorp/helm/2.6.0/docs/resources/release) | resource | -| [helm_release.external_dns](https://registry.terraform.io/providers/hashicorp/helm/2.6.0/docs/resources/release) | resource | -| 
[helm_release.external_secrets](https://registry.terraform.io/providers/hashicorp/helm/2.6.0/docs/resources/release) | resource | -| [helm_release.gitlab_runner](https://registry.terraform.io/providers/hashicorp/helm/2.6.0/docs/resources/release) | resource | -| [helm_release.ingress_nginx](https://registry.terraform.io/providers/hashicorp/helm/2.6.0/docs/resources/release) | resource | -| [helm_release.istio_base](https://registry.terraform.io/providers/hashicorp/helm/2.6.0/docs/resources/release) | resource | -| [helm_release.istiod](https://registry.terraform.io/providers/hashicorp/helm/2.6.0/docs/resources/release) | resource | -| [helm_release.karpenter](https://registry.terraform.io/providers/hashicorp/helm/2.6.0/docs/resources/release) | resource | -| [helm_release.kedacore](https://registry.terraform.io/providers/hashicorp/helm/2.6.0/docs/resources/release) | resource | -| [helm_release.kiali](https://registry.terraform.io/providers/hashicorp/helm/2.6.0/docs/resources/release) | resource | -| [helm_release.loki_stack](https://registry.terraform.io/providers/hashicorp/helm/2.6.0/docs/resources/release) | resource | -| [helm_release.prometheus_operator](https://registry.terraform.io/providers/hashicorp/helm/2.6.0/docs/resources/release) | resource | -| [helm_release.reloader](https://registry.terraform.io/providers/hashicorp/helm/2.6.0/docs/resources/release) | resource | -| [helm_release.victoria_metrics_k8s_stack](https://registry.terraform.io/providers/hashicorp/helm/2.6.0/docs/resources/release) | resource | -| [kubectl_manifest.istio_prometheus_service_monitor_cp](https://registry.terraform.io/providers/gavinbunney/kubectl/1.14.0/docs/resources/manifest) | resource | -| [kubectl_manifest.istio_prometheus_service_monitor_dp](https://registry.terraform.io/providers/gavinbunney/kubectl/1.14.0/docs/resources/manifest) | resource | -| 
[kubectl_manifest.karpenter_ec2nodeclass_private](https://registry.terraform.io/providers/gavinbunney/kubectl/1.14.0/docs/resources/manifest) | resource | -| [kubectl_manifest.karpenter_ec2nodeclass_public](https://registry.terraform.io/providers/gavinbunney/kubectl/1.14.0/docs/resources/manifest) | resource | -| [kubectl_manifest.karpenter_nodepool_ci](https://registry.terraform.io/providers/gavinbunney/kubectl/1.14.0/docs/resources/manifest) | resource | -| [kubectl_manifest.karpenter_nodepool_default](https://registry.terraform.io/providers/gavinbunney/kubectl/1.14.0/docs/resources/manifest) | resource | -| [kubectl_manifest.kube_prometheus_stack_operator_crds](https://registry.terraform.io/providers/gavinbunney/kubectl/1.14.0/docs/resources/manifest) | resource | -| [kubernetes_ingress_v1.default](https://registry.terraform.io/providers/hashicorp/kubernetes/2.19.0/docs/resources/ingress_v1) | resource | -| [kubernetes_secret.elasticsearch_certificates](https://registry.terraform.io/providers/hashicorp/kubernetes/2.19.0/docs/resources/secret) | resource | -| [kubernetes_secret.elasticsearch_credentials](https://registry.terraform.io/providers/hashicorp/kubernetes/2.19.0/docs/resources/secret) | resource | -| [kubernetes_secret.elasticsearch_s3_user_creds](https://registry.terraform.io/providers/hashicorp/kubernetes/2.19.0/docs/resources/secret) | resource | -| [kubernetes_secret.kibana_enc_key](https://registry.terraform.io/providers/hashicorp/kubernetes/2.19.0/docs/resources/secret) | resource | -| [kubernetes_storage_class.advanced](https://registry.terraform.io/providers/hashicorp/kubernetes/2.19.0/docs/resources/storage_class) | resource | +| [aws_route53_record.default_ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource | +| [aws_s3_bucket.elastic_stack](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| 
[aws_s3_bucket.gitlab_runner_cache](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket_acl.elastic_stack_acl](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource | +| [aws_s3_bucket_acl.gitlab_runner_acl](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource | +| [aws_s3_bucket_lifecycle_configuration.gitlab_runner_lifecycle](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource | +| [aws_s3_bucket_public_access_block.elastic_stack_public_access_block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | +| [aws_s3_bucket_public_access_block.gitlab_runner_cache_public_access_block](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | +| [aws_s3_bucket_server_side_encryption_configuration.elastic_stack_encryption](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | +| [aws_s3_bucket_server_side_encryption_configuration.gitlab_runner_encryption](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | +| [helm_release.aws_loadbalancer_controller](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [helm_release.cert_manager](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [helm_release.certificate](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [helm_release.cluster_issuer](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| 
[helm_release.elk](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [helm_release.external_dns](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [helm_release.external_secrets](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [helm_release.gitlab_runner](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [helm_release.ingress_nginx](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [helm_release.istio_base](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [helm_release.istiod](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [helm_release.kedacore](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [helm_release.kiali](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [helm_release.loki_stack](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [helm_release.prometheus_operator](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [helm_release.reloader](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [helm_release.victoria_metrics_k8s_stack](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [kubectl_manifest.istio_prometheus_service_monitor_cp](https://registry.terraform.io/providers/hashicorp/kubectl/latest/docs/resources/manifest) | resource | +| [kubectl_manifest.istio_prometheus_service_monitor_dp](https://registry.terraform.io/providers/hashicorp/kubectl/latest/docs/resources/manifest) | resource 
| +| [kubectl_manifest.kube_prometheus_stack_operator_crds](https://registry.terraform.io/providers/hashicorp/kubectl/latest/docs/resources/manifest) | resource | +| [kubernetes_ingress_v1.default](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/ingress_v1) | resource | +| [kubernetes_secret.elasticsearch_certificates](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource | +| [kubernetes_secret.elasticsearch_credentials](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource | +| [kubernetes_secret.elasticsearch_s3_user_creds](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource | +| [kubernetes_secret.kibana_enc_key](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource | +| [kubernetes_storage_class.advanced](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class) | resource | | [random_string.elasticsearch_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | | [random_string.kibana_enc_key](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | | [random_string.kibana_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | 
@@ -106,38 +92,37 @@ | [tls_private_key.aws_loadbalancer_controller_webhook](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource | | [tls_private_key.aws_loadbalancer_controller_webhook_ca](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource | | [tls_self_signed_cert.aws_loadbalancer_controller_webhook_ca](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource | -| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/data-sources/caller_identity) | data source | -| [aws_ecrpublic_authorization_token.token](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/data-sources/ecrpublic_authorization_token) | data source | -| [aws_eks_cluster.main](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/data-sources/eks_cluster) | data source | -| [aws_eks_cluster_auth.main](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/data-sources/eks_cluster_auth) | data source | -| [aws_secretsmanager_secret.infra](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/data-sources/secretsmanager_secret) | data source | -| [aws_secretsmanager_secret_version.infra](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/data-sources/secretsmanager_secret_version) | data source | -| [http_http.kube_prometheus_stack_operator_crds](https://registry.terraform.io/providers/hashicorp/http/3.2.1/docs/data-sources/http) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_eks_cluster.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source | +| [aws_eks_cluster_auth.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data 
source | +| [aws_secretsmanager_secret.infra](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source | +| [aws_secretsmanager_secret_version.infra](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret_version) | data source | +| [http_http.kube_prometheus_stack_operator_crds](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [additional\_allowed\_ips](#input\_additional\_allowed\_ips) | IP addresses allowed to connect to private resources | `list(any)` | `[]` | no | -| [allowed\_account\_ids](#input\_allowed\_account\_ids) | List of allowed AWS account IDs | `list` | `[]` | no | +| [allowed\_account\_ids](#input\_allowed\_account\_ids) | List of allowed AWS account IDs | `list(any)` | `[]` | no | | [allowed\_ips](#input\_allowed\_ips) | IP addresses allowed to connect to private resources | `list(any)` | `[]` | no | -| [cluster\_autoscaler\_version](#input\_cluster\_autoscaler\_version) | Version of cluster autoscaler | `string` | `"v1.25.0"` | no | -| [domain\_name](#input\_domain\_name) | Main public domain name | `any` | n/a | yes | -| [eks\_cluster\_id](#input\_eks\_cluster\_id) | ID of the created EKS cluster. 
| `any` | n/a | yes | -| [eks\_oidc\_provider\_arn](#input\_eks\_oidc\_provider\_arn) | ARN of EKS oidc provider | `any` | n/a | yes | -| [environment](#input\_environment) | Env name | `string` | `"demo"` | no | -| [helm\_charts\_path](#input\_helm\_charts\_path) | where to find the helm charts | `string` | `"../../helm-charts/"` | no | -| [helm\_release\_history\_size](#input\_helm\_release\_history\_size) | How much helm releases to store | `number` | `5` | no | -| [name](#input\_name) | Project name, required to create unique resource names | `any` | n/a | yes | +| [cluster\_autoscaler\_version](#input\_cluster\_autoscaler\_version) | Version of cluster autoscaler | `string` | `"v1.28.0"` | no | +| [domain\_name](#input\_domain\_name) | Main public domain name | `string` | n/a | yes | +| [eks\_cluster\_id](#input\_eks\_cluster\_id) | ID of the created EKS cluster. | `string` | n/a | yes | +| [eks\_oidc\_provider\_arn](#input\_eks\_oidc\_provider\_arn) | ARN of EKS oidc provider | `string` | n/a | yes | +| [environment](#input\_environment) | Environment name | `string` | `"demo"` | no | +| [helm\_charts\_path](#input\_helm\_charts\_path) | where to find the helm charts | `string` | n/a | yes | +| [helm\_release\_history\_size](#input\_helm\_release\_history\_size) | How much helm releases to store | `string` | `3` | no | +| [name](#input\_name) | Name, required to create unique resource names | `string` | n/a | yes | +| [name\_wo\_region](#input\_name\_wo\_region) | Project name, required to create unique resource names without region suffix | `string` | n/a | yes | | [nginx\_ingress\_ssl\_terminator](#input\_nginx\_ingress\_ssl\_terminator) | Select SSL termination type | `string` | `"lb"` | no | | [node\_group\_default\_iam\_role\_arn](#input\_node\_group\_default\_iam\_role\_arn) | The IAM Role ARN of a default nodegroup | `string` | `""` | no | | [node\_group\_default\_iam\_role\_name](#input\_node\_group\_default\_iam\_role\_name) | The IAM Role name of a 
default nodegroup | `string` | `""` | no | | [region](#input\_region) | Default infrastructure region | `string` | `"us-east-1"` | no | -| [short\_region](#input\_short\_region) | The abbreviated name of the region, required to form unique resource names | `map` |
{
"ap-east-1": "ape1",
"ap-northeast-1": "apn1",
"ap-northeast-2": "apn2",
"ap-south-1": "aps1",
"ap-southeast-1": "apse1",
"ap-southeast-2": "apse2",
"ca-central-1": "cac1",
"cn-north-1": "cnn1",
"cn-northwest-1": "cnnw1",
"eu-central-1": "euc1",
"eu-north-1": "eun1",
"eu-west-1": "euw1",
"eu-west-2": "euw2",
"eu-west-3": "euw3",
"sa-east-1": "sae1",
"us-east-1": "use1",
"us-east-2": "use2",
"us-gov-east-1": "usge1",
"us-gov-west-1": "usgw1",
"us-west-1": "usw1",
"us-west-2": "usw2"
}
| no | -| [ssl\_certificate\_arn](#input\_ssl\_certificate\_arn) | ARN of ACM SSL certificate | `any` | n/a | yes | -| [vpc\_cidr](#input\_vpc\_cidr) | Default CIDR block for VPC | `string` | `"10.0.0.0/16"` | no | -| [vpc\_id](#input\_vpc\_id) | ID of infra VPC | `any` | n/a | yes | -| [zone\_id](#input\_zone\_id) | R53 zone id for public domain | `any` | `null` | no | +| [ssl\_certificate\_arn](#input\_ssl\_certificate\_arn) | ARN of ACM SSL certificate | `string` | n/a | yes | +| [vpc\_cidr](#input\_vpc\_cidr) | CIDR block of VPC | `string` | `"10.0.0.0/16"` | no | +| [vpc\_id](#input\_vpc\_id) | VPC ID where resources are located | `string` | n/a | yes | +| [zone\_id](#input\_zone\_id) | R53 zone id for public domain | `string` | `null` | no | ## Outputs diff --git a/terraform/modules/k8s-addons/demo.tfvars.example b/terraform/modules/k8s-addons/demo.tfvars.example deleted file mode 100644 index bc460b79..00000000 --- a/terraform/modules/k8s-addons/demo.tfvars.example +++ /dev/null @@ -1,23 +0,0 @@ -########## -# Common -########## -name = "example" -environment = "demo" -domain_name = "example.org" -zone_id = - -ssl_certificate_arn = - -########## -# Network -########## -region = "us-east-1" -vpc_id = -vpc_cidr = - -allowed_ips = [ - "0.0.0.0/0" -] - -eks_cluster_id = -eks_oidc_provider_arn = diff --git a/terraform/modules/k8s-addons/eks-aws-loadbalancer-controller.tf b/terraform/modules/k8s-addons/eks-aws-loadbalancer-controller.tf index 159c603d..395451b7 100644 --- a/terraform/modules/k8s-addons/eks-aws-loadbalancer-controller.tf +++ b/terraform/modules/k8s-addons/eks-aws-loadbalancer-controller.tf @@ -411,6 +411,7 @@ resource "helm_release" "aws_loadbalancer_controller" { version = local.aws_load_balancer_controller.chart_version namespace = module.aws_load_balancer_controller_namespace[count.index].name max_history = var.helm_release_history_size + wait = true values = [ local.aws_load_balancer_controller_values 
@@ -428,7 +429,6 @@ resource "helm_release" "aws_loadbalancer_controller" { value = tls_private_key.aws_loadbalancer_controller_webhook[0].private_key_pem } - depends_on = [helm_release.karpenter] } resource "kubernetes_ingress_v1" "default" { @@ -468,7 +468,7 @@ resource "kubernetes_ingress_v1" "default" { } wait_for_load_balancer = true - depends_on = [helm_release.aws_loadbalancer_controller, helm_release.ingress_nginx, module.aws_iam_aws_loadbalancer_controller, tls_locally_signed_cert.aws_loadbalancer_controller_webhook] + depends_on = [helm_release.ingress_nginx, module.aws_iam_aws_loadbalancer_controller] } resource "aws_route53_record" "default_ingress" { diff --git a/terraform/modules/k8s-addons/eks-ingress-nginx-controller.tf b/terraform/modules/k8s-addons/eks-ingress-nginx-controller.tf index 2c53e917..720b1c1b 100644 --- a/terraform/modules/k8s-addons/eks-ingress-nginx-controller.tf +++ b/terraform/modules/k8s-addons/eks-ingress-nginx-controller.tf @@ -208,11 +208,12 @@ resource "helm_release" "ingress_nginx" { version = local.ingress_nginx.chart_version namespace = module.ingress_nginx_namespace[count.index].name max_history = var.helm_release_history_size + wait = true values = [ local.ingress_nginx_general_values, var.nginx_ingress_ssl_terminator == "lb" ? local.ingress_nginx_and_aws_load_balancer_controller : local.ingress_pod_ssl_termination_values ] - depends_on = [kubectl_manifest.kube_prometheus_stack_operator_crds] + depends_on = [kubectl_manifest.kube_prometheus_stack_operator_crds, helm_release.aws_loadbalancer_controller] } diff --git a/terraform/modules/k8s-addons/eks-karpenter.tf b/terraform/modules/k8s-addons/eks-karpenter.tf deleted file mode 100644 index c3568104..00000000 --- a/terraform/modules/k8s-addons/eks-karpenter.tf +++ /dev/null 
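Review bot: `wait = true` on `helm_release.ingress_nginx` restates the helm provider's default for that argument, so the added line does not change behaviour on its own; the same redundant line is added to `helm_release.aws_loadbalancer_controller` in the `@@ -411,6 +411,7 @@` hunk above. If the intent is to make explicit that the new `depends_on = [kubectl_manifest.kube_prometheus_stack_operator_crds, helm_release.aws_loadbalancer_controller]` only orders creation and that readiness of the controller comes from its own wait, keep the line but say so: `wait = true # provider default, kept explicit: dependants start only after the release is ready`. Both resource blocks start outside their hunks.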
@@ -1,278 +0,0 @@ -locals { - karpenter = { - name = local.helm_releases[index(local.helm_releases.*.id, "karpenter")].id - enabled = local.helm_releases[index(local.helm_releases.*.id, "karpenter")].enabled - chart = local.helm_releases[index(local.helm_releases.*.id, "karpenter")].chart - repository = local.helm_releases[index(local.helm_releases.*.id, "karpenter")].repository - chart_version = local.helm_releases[index(local.helm_releases.*.id, "karpenter")].chart_version - namespace = local.helm_releases[index(local.helm_releases.*.id, "karpenter")].namespace - } - - karpenter_values = < [aws](#provider\_aws) | n/a | +| [helm](#provider\_helm) | n/a | +| [kubectl](#provider\_kubectl) | n/a | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [namespace](#module\_namespace) | ../eks-kubernetes-namespace | n/a | +| [this](#module\_this) | terraform-aws-modules/eks/aws//modules/karpenter | 20.17.2 | + +## Resources + +| Name | Type | +|------|------| +| [helm_release.this](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [kubectl_manifest.ec2nodeclass_private](https://registry.terraform.io/providers/hashicorp/kubectl/latest/docs/resources/manifest) | resource | +| [kubectl_manifest.ec2nodeclass_public](https://registry.terraform.io/providers/hashicorp/kubectl/latest/docs/resources/manifest) | resource | +| [kubectl_manifest.nodepool](https://registry.terraform.io/providers/hashicorp/kubectl/latest/docs/resources/manifest) | resource | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_ecrpublic_authorization_token.token](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ecrpublic_authorization_token) | data source | +| [aws_eks_cluster.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source | +| 
[aws_eks_cluster_auth.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [eks\_cluster\_id](#input\_eks\_cluster\_id) | ID of the created EKS cluster. | `string` | n/a | yes | +| [eks\_oidc\_provider\_arn](#input\_eks\_oidc\_provider\_arn) | ARN of EKS oidc provider | `string` | n/a | yes | +| [helm](#input\_helm) | The configuratin of the Karpenter helm release | `any` | `{}` | no | +| [name](#input\_name) | Name, required to create unique resource names | `string` | n/a | yes | +| [node\_group\_default\_iam\_role\_arn](#input\_node\_group\_default\_iam\_role\_arn) | The IAM Role ARN of a default nodegroup | `string` | `""` | no | +| [node\_group\_default\_iam\_role\_name](#input\_node\_group\_default\_iam\_role\_name) | The IAM Role name of a default nodegroup | `string` | `""` | no | +| [nodepools](#input\_nodepools) | Kubernetes manifests to create Karpenter Nodepool objects | `any` | `[]` | no | + +## Outputs + +No outputs. diff --git a/terraform/modules/k8s-karpenter/main.tf b/terraform/modules/k8s-karpenter/main.tf new file mode 100644 index 00000000..897abe8f --- /dev/null +++ b/terraform/modules/k8s-karpenter/main.tf 
@@ -0,0 +1,151 @@ +locals { + eks_cluster_endpoint = data.aws_eks_cluster.main.endpoint + karpenter = { + name = try(var.helm.release_name, "karpenter") + enabled = true + chart = try(var.helm.chart_name, "karpenter") + repository = try(var.helm.repository, "oci://public.ecr.aws/karpenter") + chart_version = try(var.helm.chart_version, "0.37.0") + namespace = try(var.helm.namespace, "karpenter") + } + + karpenter_values = < nodepool if local.karpenter.enabled } + + yaml_body = yamlencode(each.value) + override_namespace = local.karpenter.namespace + + depends_on = [kubectl_manifest.ec2nodeclass_private, kubectl_manifest.ec2nodeclass_public] +} + +resource "helm_release" "this" { + count = local.karpenter.enabled ? 1 : 0 + + name = local.karpenter.name + chart = local.karpenter.chart + repository = local.karpenter.repository + version = local.karpenter.chart_version + namespace = module.namespace[count.index].name + max_history = 3 + repository_username = data.aws_ecrpublic_authorization_token.token.user_name + repository_password = data.aws_ecrpublic_authorization_token.token.password + + values = [ + local.karpenter_values + ] +} diff --git a/terraform/modules/k8s-karpenter/providers.tf b/terraform/modules/k8s-karpenter/providers.tf new file mode 100644 index 00000000..c156377d --- /dev/null +++ b/terraform/modules/k8s-karpenter/providers.tf 
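Review bot: `enabled = true` is hard-coded inside `local.karpenter`, so the `count = local.karpenter.enabled ? 1 : 0` guard on `helm_release.this` and the `... nodepool if local.karpenter.enabled }` filter on the nodepool manifests can never switch the module off; either read it from the input like the other fields, `enabled = try(var.helm.enabled, true)`, or drop the dead guards. Because `var.helm` is `any` and every field goes through `try(..., default)`, a misspelled key such as `chart_verison` silently falls back to the pinned `"0.37.0"` instead of failing the plan, which is worth a comment on the local or a typed variable. Part of this hunk (the `karpenter_values` heredoc and the start of the `for_each` expression) appears truncated in this view, so those lines are not reviewed here.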
@@ -0,0 +1,33 @@
+provider "kubernetes" {
+ host = data.aws_eks_cluster.main.endpoint
+ cluster_ca_certificate = base64decode(data.aws_eks_cluster.main.certificate_authority.0.data)
+ token = data.aws_eks_cluster_auth.main.token
+}
+
+provider "kubectl" {
+ host = data.aws_eks_cluster.main.endpoint
+ cluster_ca_certificate = base64decode(data.aws_eks_cluster.main.certificate_authority.0.data)
+ token = data.aws_eks_cluster_auth.main.token
+}
+
+provider "helm" {
+ kubernetes {
+ host = data.aws_eks_cluster.main.endpoint
+ cluster_ca_certificate = base64decode(data.aws_eks_cluster.main.certificate_authority.0.data)
+ token = data.aws_eks_cluster_auth.main.token
+ }
+
+ experiments {
+ manifest = false
+ }
+}
+
+data "aws_eks_cluster" "main" {
+ name = var.eks_cluster_id
+}
+
+data "aws_eks_cluster_auth" "main" {
+ name = var.eks_cluster_id
+}
+
+data "aws_caller_identity" "current" {}
diff --git a/terraform/modules/k8s-karpenter/variables.tf b/terraform/modules/k8s-karpenter/variables.tf
new file mode 100644
index 00000000..595acec1
--- /dev/null
+++ b/terraform/modules/k8s-karpenter/variables.tf
@@ -0,0 +1,38 @@
+variable "name" {
+ type = string
+ description = "Name, required to create unique resource names"
+}
+
+variable "eks_cluster_id" {
+ type = string
+ description = "ID of the created EKS cluster."
+}
+
+variable "eks_oidc_provider_arn" {
+ type = string
+ description = "ARN of EKS oidc provider"
+}
+
+variable "node_group_default_iam_role_arn" {
+ type = string
+ description = "The IAM Role ARN of a default nodegroup"
+ default = ""
+}
+
+variable "node_group_default_iam_role_name" {
+ type = string
+ description = "The IAM Role name of a default nodegroup"
+ default = ""
+}
+
+variable "helm" {
+ type = any
+ description = "The configuratin of the Karpenter helm release"
+ default = {}
+}
+
+variable "nodepools" {
+ type = any
+ description = "Kubernetes manifests to create Karpenter Nodepool objects"
+ default = []
+}
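Review bot: The `provider "kubernetes"`, `provider "kubectl"` and `provider "helm"` blocks are declared inside a child module, which Terraform documents as a legacy pattern: a module that carries its own provider configurations cannot be called with `count`, `for_each` or `depends_on`, and removing the module call later leaves its resources without a provider to destroy them. The usual fix is to keep only the `data` sources here and move the three provider blocks to the root (or the calling terragrunt stack), passing them in through `providers = { ... }` on the module call; that is a relocation rather than new code, so I am describing it instead of quoting it. As a smaller point of style, `certificate_authority.0.data` is the legacy attribute-index syntax; `certificate_authority[0].data` is the current form and appears three times in this file.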
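Review bot: The description of `variable "helm"` has a typo: `description = "The configuratin of the Karpenter helm release"` should read `description = "The configuration of the Karpenter helm release"`. Beyond that, `helm` and `nodepools` are typed `any` with no `validation` block, so a wrong key in `helm` or a non-list `nodepools` only surfaces downstream as a silent `try()` default or a `for_each` error; since `.terraform-version` in this same diff moves to `1.8.3`, an `object({ ... })` type with `optional()` attributes would make the accepted keys explicit and caught at plan time.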
diff --git a/terraform/modules/self-signed-certificate/README.md b/terraform/modules/self-signed-certificate/README.md index 9737e09d..adc18b8c 100644 --- a/terraform/modules/self-signed-certificate/README.md +++ b/terraform/modules/self-signed-certificate/README.md @@ -1,4 +1,3 @@ - ## Requirements No requirements. @@ -39,4 +38,3 @@ No modules. | [cert\_pem](#output\_cert\_pem) | n/a | | [p8](#output\_p8) | n/a | | [private\_key\_pem](#output\_private\_key\_pem) | n/a | - diff --git a/terragrunt/.terraform-version b/terragrunt/.terraform-version index 661e7aea..a7ee35a3 100644 --- a/terragrunt/.terraform-version +++ b/terragrunt/.terraform-version @@ -1 +1 @@ -1.7.3 +1.8.3 diff --git a/terragrunt/.terragrunt-version b/terragrunt/.terragrunt-version index 31c6e218..0d816f8e 100644 --- a/terragrunt/.terragrunt-version +++ b/terragrunt/.terragrunt-version @@ -1 +1 @@ -0.56.5 +0.58.5 diff --git a/terragrunt/ACCOUNT_ID/aws-users-password-policy/terragrunt.hcl b/terragrunt/ACCOUNT_ID/aws-users-password-policy/terragrunt.hcl index e6808a55..fdd31175 100644 --- a/terragrunt/ACCOUNT_ID/aws-users-password-policy/terragrunt.hcl +++ b/terragrunt/ACCOUNT_ID/aws-users-password-policy/terragrunt.hcl @@ -8,7 +8,7 @@ generate "providers_versions" { if_exists = "overwrite" contents = <