diff --git a/.terraform-docs.yml b/.terraform-docs.yml index c13e01f..d1b6295 100644 --- a/.terraform-docs.yml +++ b/.terraform-docs.yml @@ -1,3 +1,5 @@ +recursive: + enabled: true formatter: "markdown table" content: |- {{ .Providers }} diff --git a/README.md b/README.md index 79930e4..09a80b5 100644 --- a/README.md +++ b/README.md @@ -407,7 +407,6 @@ Each example generates a valid _jx-requirements.yml_ file that can be used to bo | Name | Version | |------|---------| | [aws](#provider\_aws) | 5.60.0 | -| [random](#provider\_random) | 3.6.2 | #### Modules | Name | Source | Version | @@ -422,13 +421,11 @@ Each example generates a valid _jx-requirements.yml_ file that can be used to bo | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.12.17, < 2.0.0 | +| [terraform](#requirement\_terraform) | >= 0.13.0, < 2.0.0 | | [aws](#requirement\_aws) | > 4.0 | | [helm](#requirement\_helm) | ~> 2.0 | | [kubernetes](#requirement\_kubernetes) | ~> 2.0 | -| [local](#requirement\_local) | ~> 2.0 | | [null](#requirement\_null) | ~> 3.0 | -| [random](#requirement\_random) | ~> 3.0 | #### Inputs | Name | Description | Type | Default | Required | @@ -437,8 +434,9 @@ Each example generates a valid _jx-requirements.yml_ file that can be used to bo | [apex\_domain](#input\_apex\_domain) | The main domain to either use directly or to configure a subdomain from | `string` | `""` | no | | [asm\_role](#input\_asm\_role) | DEPRECATED: Use the new bot\_iam\_role input with he same semantics instead. | `string` | `""` | no | | [boot\_iam\_role](#input\_boot\_iam\_role) | Specify arn of the role to apply to the boot job service account | `string` | `""` | no | -| [boot\_secrets](#input\_boot\_secrets) | n/a |
list(object({| `[]` | no | +| [boot\_secrets](#input\_boot\_secrets) | n/a |
name = string
value = string
type = string
}))
list(object({| `[]` | no | | [cluster\_name](#input\_cluster\_name) | Variable to provide your desired name for the cluster | `string` | n/a | yes | +| [cluster\_oidc\_issuer\_url](#input\_cluster\_oidc\_issuer\_url) | The oidc provider url for the clustrer | `string` | n/a | yes | | [create\_and\_configure\_subdomain](#input\_create\_and\_configure\_subdomain) | Flag to create an NS record set for the subdomain in the apex domain's Hosted Zone | `bool` | `false` | no | | [create\_asm\_role](#input\_create\_asm\_role) | Flag to control AWS Secrets Manager iam roles creation | `bool` | `false` | no | | [create\_autoscaler\_role](#input\_create\_autoscaler\_role) | Flag to control cluster autoscaler iam role creation | `bool` | `true` | no | @@ -472,7 +470,7 @@ Each example generates a valid _jx-requirements.yml_ file that can be used to bo | [jx\_bot\_username](#input\_jx\_bot\_username) | Bot username used to interact with the Jenkins X cluster git repository | `string` | `""` | no | | [jx\_git\_operator\_values](#input\_jx\_git\_operator\_values) | Extra values for jx-git-operator chart as a list of yaml formated strings | `list(string)` | `[]` | no | | [jx\_git\_url](#input\_jx\_git\_url) | URL for the Jenkins X cluster git repository | `string` | `""` | no | -| [local-exec-interpreter](#input\_local-exec-interpreter) | If provided, this is a list of interpreter arguments used to execute the command | `list(string)` |
name = string
value = string
type = string
}))
[| no | +| [local-exec-interpreter](#input\_local-exec-interpreter) | If provided, this is a list of interpreter arguments used to execute the command | `list(string)` |
"/bin/bash",
"-c"
]
[| no | | [manage\_apex\_domain](#input\_manage\_apex\_domain) | Flag to control if apex domain should be managed/updated by this module. Set this to false,if your apex domain is managed in a different AWS account or different provider | `bool` | `true` | no | | [manage\_subdomain](#input\_manage\_subdomain) | Flag to control subdomain creation/management | `bool` | `true` | no | | [nginx\_chart\_version](#input\_nginx\_chart\_version) | nginx chart version | `string` | n/a | yes | @@ -480,7 +478,6 @@ Each example generates a valid _jx-requirements.yml_ file that can be used to bo | [nginx\_release\_name](#input\_nginx\_release\_name) | Name of the nginx release name | `string` | `"nginx-ingress"` | no | | [nginx\_values\_file](#input\_nginx\_values\_file) | Name of the values file which holds the helm chart values | `string` | `"nginx_values.yaml"` | no | | [production\_letsencrypt](#input\_production\_letsencrypt) | Flag to use the production environment of letsencrypt in the `jx-requirements.yml` file | `bool` | `false` | no | -| [profile](#input\_profile) | The AWS Profile used to provision the EKS Cluster | `string` | `null` | no | | [region](#input\_region) | The region to create the resources into | `string` | `"us-east-1"` | no | | [registry](#input\_registry) | Registry used to store images | `string` | `""` | no | | [s3\_extra\_tags](#input\_s3\_extra\_tags) | Add new tags for s3 buckets | `map(any)` | `{}` | no | 
@@ -508,10 +505,9 @@ Each example generates a valid _jx-requirements.yml_ file that can be used to bo | [cluster\_asm\_iam\_role](#output\_cluster\_asm\_iam\_role) | The IAM Role that the External Secrets pod will assume to authenticate (Secrets Manager) | | [cluster\_autoscaler\_iam\_role](#output\_cluster\_autoscaler\_iam\_role) | The IAM Role that the Jenkins X UI pod will assume to authenticate | | [cluster\_name](#output\_cluster\_name) | The name of the created cluster | -| [cluster\_oidc\_issuer\_url](#output\_cluster\_oidc\_issuer\_url) | The Cluster OIDC Issuer URL | | [cluster\_ssm\_iam\_role](#output\_cluster\_ssm\_iam\_role) | The IAM Role that the External Secrets pod will assume to authenticate (Parameter Store) | | [cm\_cainjector\_iam\_role](#output\_cm\_cainjector\_iam\_role) | The IAM Role that the CM CA Injector pod will assume to authenticate | -| [connect](#output\_connect) | "The cluster connection string to use once Terraform apply finishes,
"/bin/bash",
"-c"
]
{| no | +| [s3\_extra\_tags](#input\_s3\_extra\_tags) | Add new tags for s3 buckets | `map(any)` | `{}` | no | +| [s3\_kms\_arn](#input\_s3\_kms\_arn) | ARN of the kms key used for encrypting s3 buckets | `string` | `""` | no | +| [use\_kms\_s3](#input\_use\_kms\_s3) | Flag to determine whether kms should be used for encrypting s3 buckets | `bool` | `false` | no | +| [velero\_namespace](#input\_velero\_namespace) | Kubernetes namespace for Velero | `string` | `"velero"` | no | +| [velero\_username](#input\_velero\_username) | The username to be assigned to the Velero IAM user | `string` | `"velero"` | no | +#### Outputs + +| Name | Description | +|------|-------------| +| [backup\_bucket\_url](#output\_backup\_bucket\_url) | n/a | + \ No newline at end of file diff --git a/modules/cluster/README.md b/modules/cluster/README.md new file mode 100644 index 0000000..f7be6ee --- /dev/null +++ b/modules/cluster/README.md 
@@ -0,0 +1,85 @@ + +#### Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | +| [helm](#provider\_helm) | n/a | +| [kubernetes](#provider\_kubernetes) | n/a | +| [null](#provider\_null) | n/a | +#### Modules + +| Name | Source | Version | +|------|--------|---------| +| [iam\_assumable\_role\_bucketrepo](#module\_iam\_assumable\_role\_bucketrepo) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | ~> v3.8.0 | +| [iam\_assumable\_role\_cert\_manager](#module\_iam\_assumable\_role\_cert\_manager) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | ~> v3.8.0 | +| [iam\_assumable\_role\_cluster\_autoscaler](#module\_iam\_assumable\_role\_cluster\_autoscaler) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | ~> v3.8.0 | +| [iam\_assumable\_role\_cm\_cainjector](#module\_iam\_assumable\_role\_cm\_cainjector) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | ~> v3.8.0 | +| [iam\_assumable\_role\_controllerbuild](#module\_iam\_assumable\_role\_controllerbuild) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | ~> v3.8.0 | +| [iam\_assumable\_role\_external\_dns](#module\_iam\_assumable\_role\_external\_dns) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | ~> v3.8.0 | +| [iam\_assumable\_role\_pipeline\_visualizer](#module\_iam\_assumable\_role\_pipeline\_visualizer) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | ~> v3.8.0 | +| [iam\_assumable\_role\_secrets-secrets-manager](#module\_iam\_assumable\_role\_secrets-secrets-manager) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | ~> v3.8.0 | +| [iam\_assumable\_role\_secrets-system-manager](#module\_iam\_assumable\_role\_secrets-system-manager) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | ~> v3.8.0 | +| [iam\_assumable\_role\_tekton\_bot](#module\_iam\_assumable\_role\_tekton\_bot) | 
terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | ~> v3.8.0 | +#### Requirements + +No requirements. +#### Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [additional\_tekton\_role\_policy\_arns](#input\_additional\_tekton\_role\_policy\_arns) | Additional Policy ARNs to attach to Tekton IRSA Role | `list(string)` | `[]` | no | +| [boot\_iam\_role](#input\_boot\_iam\_role) | Specify arn of the role to apply to the boot job service account | `string` | `""` | no | +| [boot\_secrets](#input\_boot\_secrets) | n/a |
"Owner": "Jenkins-x"
}
list(object({| `[]` | no | +| [cluster\_name](#input\_cluster\_name) | n/a | `string` | n/a | yes | +| [cluster\_oidc\_issuer\_url](#input\_cluster\_oidc\_issuer\_url) | The oidc provider url for the clustrer | `string` | n/a | yes | +| [content](#input\_content) | Interpolated jx-requirements.yml | `string` | `""` | no | +| [create\_asm\_role](#input\_create\_asm\_role) | Flag to control AWS Secrets Manager iam roles creation | `bool` | `false` | no | +| [create\_autoscaler\_role](#input\_create\_autoscaler\_role) | Flag to control cluster autoscaler iam role creation | `bool` | `true` | no | +| [create\_bucketrepo\_role](#input\_create\_bucketrepo\_role) | Flag to control bucketrepo role | `bool` | `true` | no | +| [create\_cm\_role](#input\_create\_cm\_role) | Flag to control cert manager iam role creation | `bool` | `true` | no | +| [create\_cmcainjector\_role](#input\_create\_cmcainjector\_role) | Flag to control cert manager ca-injector iam role creation | `bool` | `true` | no | +| [create\_ctrlb\_role](#input\_create\_ctrlb\_role) | Flag to control controller build iam role creation | `bool` | `true` | no | +| [create\_exdns\_role](#input\_create\_exdns\_role) | Flag to control external dns iam role creation | `bool` | `true` | no | +| [create\_pipeline\_vis\_role](#input\_create\_pipeline\_vis\_role) | Flag to control pipeline visualizer role | `bool` | `true` | no | +| [create\_ssm\_role](#input\_create\_ssm\_role) | Flag to control AWS Parameter Store iam roles creation | `bool` | `false` | no | +| [create\_tekton\_role](#input\_create\_tekton\_role) | Flag to control tekton iam role creation | `bool` | `true` | no | +| [enable\_acl](#input\_enable\_acl) | Flag to enable ACL instead of bucket ownership for S3 storage | `bool` | n/a | yes | +| [enable\_logs\_storage](#input\_enable\_logs\_storage) | ---------------------------------------------------------------------------- Flag Variables 
---------------------------------------------------------------------------- | `bool` | `true` | no | +| [enable\_reports\_storage](#input\_enable\_reports\_storage) | n/a | `bool` | `true` | no | +| [enable\_repository\_storage](#input\_enable\_repository\_storage) | n/a | `bool` | `true` | no | +| [enable\_worker\_group](#input\_enable\_worker\_group) | Flag to enable worker group. Setting this to false will provision a node group instead | `bool` | `true` | no | +| [expire\_logs\_after\_days](#input\_expire\_logs\_after\_days) | Number of days objects in the logs bucket are stored | `number` | `90` | no | +| [force\_destroy](#input\_force\_destroy) | Flag to determine whether storage buckets get forcefully destroyed. If set to false, empty the bucket first in the aws s3 console, else terraform destroy will fail with BucketNotEmpty error | `bool` | `false` | no | +| [jx\_bot\_token](#input\_jx\_bot\_token) | Bot token used to interact with the Jenkins X cluster git repository | `string` | `""` | no | +| [jx\_bot\_username](#input\_jx\_bot\_username) | Bot username used to interact with the Jenkins X cluster git repository | `string` | `""` | no | +| [jx\_git\_operator\_values](#input\_jx\_git\_operator\_values) | Extra values for jx-git-operator chart as a list of yaml formated strings | `list(string)` | `[]` | no | +| [jx\_git\_url](#input\_jx\_git\_url) | URL for the Jenins X cluster git repository | `string` | `""` | no | +| [local-exec-interpreter](#input\_local-exec-interpreter) | If provided, this is a list of interpreter arguments used to execute the command | `list(string)` |
name = string
value = string
type = string
}))
[| no | +| [region](#input\_region) | The region to create the resources into | `string` | `"us-east-1"` | no | +| [s3\_default\_tags](#input\_s3\_default\_tags) | Default tags for s3 buckets | `map(any)` |
"/bin/bash",
"-c"
]
{| no | +| [s3\_extra\_tags](#input\_s3\_extra\_tags) | Add new tags for s3 buckets | `map(any)` | `{}` | no | +| [s3\_kms\_arn](#input\_s3\_kms\_arn) | ARN of the kms key used for encrypting s3 buckets | `string` | `""` | no | +| [subnets](#input\_subnets) | The subnet ids to create EKS cluster in if create\_vpc is false | `list(string)` | `[]` | no | +| [tls\_cert](#input\_tls\_cert) | Path to TLS certificate or base64-encrypted content | `string` | `""` | no | +| [tls\_key](#input\_tls\_key) | Path to TLS key or base64-encrypted content | `string` | `""` | no | +| [use\_asm](#input\_use\_asm) | Flag to specify if AWS Secrets manager is being used | `bool` | `false` | no | +| [use\_kms\_s3](#input\_use\_kms\_s3) | Flag to determine whether kms should be used for encrypting s3 buckets | `bool` | `false` | no | +| [vpc\_id](#input\_vpc\_id) | The VPC to create EKS cluster in if create\_vpc is false | `string` | `""` | no | +#### Outputs + +| Name | Description | +|------|-------------| +| [cert\_manager\_iam\_role](#output\_cert\_manager\_iam\_role) | The IAM Role that the Cert Manager pod will assume to authenticate | +| [cluster\_asm\_iam\_role](#output\_cluster\_asm\_iam\_role) | The IAM Role that the External Secrets pod will assume to authenticate (Secrets Manager) | +| [cluster\_autoscaler\_iam\_role](#output\_cluster\_autoscaler\_iam\_role) | The IAM Role that the Cluster Autoscaler pod will assume to authenticate | +| [cluster\_ssm\_iam\_role](#output\_cluster\_ssm\_iam\_role) | The IAM Role that the External Secrets pod will assume to authenticate (Parameter Store) | +| [cm\_cainjector\_iam\_role](#output\_cm\_cainjector\_iam\_role) | The IAM Role that the CM CA Injector pod will assume to authenticate | +| [controllerbuild\_iam\_role](#output\_controllerbuild\_iam\_role) | The IAM Role that the ControllerBuild pod will assume to authenticate | +| [external\_dns\_iam\_role](#output\_external\_dns\_iam\_role) | The IAM Role that the External DNS pod will 
assume to authenticate |
+| [logs\_jenkins\_x](#output\_logs\_jenkins\_x) | ---------------------------------------------------------------------------- Long Term Storage S3 Buckets (Logs, Reports, Repository) ---------------------------------------------------------------------------- |
+| [pipeline\_viz\_iam\_role](#output\_pipeline\_viz\_iam\_role) | The IAM Role that the pipeline visualizer pod will assume to authenticate |
+| [reports\_jenkins\_x](#output\_reports\_jenkins\_x) | n/a |
+| [repository\_jenkins\_x](#output\_repository\_jenkins\_x) | n/a |
+| [tekton\_bot\_iam\_role](#output\_tekton\_bot\_iam\_role) | The IAM Role that the build pods will assume to authenticate |
+
\ No newline at end of file
diff --git a/modules/cluster/irsa.tf b/modules/cluster/irsa.tf
index 7156119..d576683 100644
--- a/modules/cluster/irsa.tf
+++ b/modules/cluster/irsa.tf
@@ -42,7 +42,7 @@ module "iam_assumable_role_tekton_bot" {
 version = "~> v3.8.0"
 create_role = var.create_tekton_role
 role_name = "${local.cluster_trunc}-tekton-bot"
- provider_url = local.oidc_provider_url
+ provider_url = var.cluster_oidc_issuer_url
 role_policy_arns = var.create_tekton_role ? concat([aws_iam_policy.tekton-bot[0].arn], var.additional_tekton_role_policy_arns) : [""]
 oidc_fully_qualified_subjects = ["system:serviceaccount:${local.jenkins-x-namespace}:tekton-bot"]
 }
@@ -78,7 +78,7 @@ module "iam_assumable_role_external_dns" {
 version = "~> v3.8.0"
 create_role = var.create_exdns_role
 role_name = "${local.cluster_trunc}-external-dns"
- provider_url = local.oidc_provider_url
+ provider_url = var.cluster_oidc_issuer_url
 role_policy_arns = [var.create_exdns_role ? aws_iam_policy.external-dns[0].arn : ""]
 oidc_fully_qualified_subjects = ["system:serviceaccount:${local.jenkins-x-namespace}:external-dns"]
 }
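Review bot: `provider_url = var.cluster_oidc_issuer_url` passes the caller's value through unmodified, whereas the removed `local.oidc_provider_url` (see the local.tf hunk) stripped the `https://` scheme before it reached the IRSA module; the same swap is repeated in the hunks at -120, -132, -144, -158, -243, -273, -319 and -360. Whether the pinned `~> v3.8.0` module normalizes the scheme itself is not visible here, and since this single input is the trust anchor for every `iam_assumable_role_*` role in the file, the contract should be stated rather than assumed. The cheapest way to keep the old behavior regardless of what the caller passes is `provider_url = replace(var.cluster_oidc_issuer_url, "https://", "")`, either at each call site or once in `locals`. Each `module` block's header sits outside its hunk.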
@@ -120,7 +120,7 @@ module "iam_assumable_role_cert_manager" {
 version = "~> v3.8.0"
 create_role = var.create_cm_role
 role_name = "${local.cluster_trunc}-cert-manager-cert-manager"
- provider_url = local.oidc_provider_url
+ provider_url = var.cluster_oidc_issuer_url
 role_policy_arns = [var.create_cm_role ? aws_iam_policy.cert-manager[0].arn : ""]
 oidc_fully_qualified_subjects = ["system:serviceaccount:cert-manager:cert-manager"]
 }
@@ -132,7 +132,7 @@ module "iam_assumable_role_cm_cainjector" {
 version = "~> v3.8.0"
 create_role = var.create_cmcainjector_role
 role_name = "${local.cluster_trunc}-cert-manager-cert-manager-cainjector"
- provider_url = local.oidc_provider_url
+ provider_url = var.cluster_oidc_issuer_url
 role_policy_arns = [var.create_cmcainjector_role ? aws_iam_policy.cert-manager[0].arn : ""]
 oidc_fully_qualified_subjects = ["system:serviceaccount:cert-manager:cert-manager-cainjector"]
 }
@@ -144,7 +144,7 @@ module "iam_assumable_role_controllerbuild" {
 version = "~> v3.8.0"
 create_role = var.create_ctrlb_role
 role_name = "${local.cluster_trunc}-build-ctrl"
- provider_url = local.oidc_provider_url
+ provider_url = var.cluster_oidc_issuer_url
 role_policy_arns = ["arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonS3FullAccess"]
 oidc_fully_qualified_subjects = ["system:serviceaccount:jx:jenkins-x-controllerbuild"]
 }
@@ -158,7 +158,7 @@ module "iam_assumable_role_cluster_autoscaler" {
 version = "~> v3.8.0"
 create_role = var.create_autoscaler_role
 role_name = "${local.cluster_trunc}-cluster-autoscaler-cluster-autoscaler"
- provider_url = local.oidc_provider_url
+ provider_url = var.cluster_oidc_issuer_url
 role_policy_arns = [var.create_autoscaler_role ? aws_iam_policy.cluster_autoscaler[0].arn : ""]
 oidc_fully_qualified_subjects = ["system:serviceaccount:kube-system:cluster-autoscaler"]
 }
@@ -243,7 +243,7 @@ module "iam_assumable_role_pipeline_visualizer" {
 version = "~> v3.8.0"
 create_role = var.create_pipeline_vis_role && length(aws_s3_bucket.logs_jenkins_x) > 0
 role_name = "${local.cluster_trunc}-jx-pipelines-visualizer"
- provider_url = local.oidc_provider_url
+ provider_url = var.cluster_oidc_issuer_url
 role_policy_arns = [var.create_pipeline_vis_role && length(aws_s3_bucket.logs_jenkins_x) > 0 ? aws_iam_policy.pipeline-visualizer[0].arn : ""]
 oidc_fully_qualified_subjects = ["system:serviceaccount:${local.jenkins-x-namespace}:jx-pipelines-visualizer"]
 }
@@ -273,7 +273,7 @@ module "iam_assumable_role_bucketrepo" {
 version = "~> v3.8.0"
 create_role = var.create_bucketrepo_role && length(aws_s3_bucket.repository_jenkins_x) > 0
 role_name = "${local.cluster_trunc}-jx-bucketrepo"
- provider_url = local.oidc_provider_url
+ provider_url = var.cluster_oidc_issuer_url
 role_policy_arns = [var.create_bucketrepo_role && length(aws_s3_bucket.repository_jenkins_x) > 0 ? aws_iam_policy.bucketrepo[0].arn : ""]
 oidc_fully_qualified_subjects = ["system:serviceaccount:${local.jenkins-x-namespace}:bucketrepo-bucketrepo"]
 }
@@ -319,7 +319,7 @@ module "iam_assumable_role_secrets-secrets-manager" {
 version = "~> v3.8.0"
 create_role = var.create_asm_role
 role_name = "${local.cluster_trunc}-external-secrets-secrets-manager"
- provider_url = local.oidc_provider_url
+ provider_url = var.cluster_oidc_issuer_url
 role_policy_arns = [var.create_asm_role ? aws_iam_policy.secrets-manager[0].arn : ""]
 oidc_fully_qualified_subjects = ["system:serviceaccount:${local.secret-infra-namespace}:kubernetes-external-secrets", "system:serviceaccount:${local.git-operator-namespace}:jx-boot-job"]
 }
@@ -360,7 +360,7 @@ module "iam_assumable_role_secrets-system-manager" {
 version = "~> v3.8.0"
 create_role = var.create_ssm_role
 role_name = "${local.cluster_trunc}-external-secrets-system-manager"
- provider_url = local.oidc_provider_url
+ provider_url = var.cluster_oidc_issuer_url
 role_policy_arns = [var.create_ssm_role ? aws_iam_policy.system-manager[0].arn : ""]
 oidc_fully_qualified_subjects = ["system:serviceaccount:${local.secret-infra-namespace}:kubernetes-external-secrets"]
 }
diff --git a/modules/cluster/local.tf b/modules/cluster/local.tf
index 3c218f7..b82c7ae 100644
--- a/modules/cluster/local.tf
+++ b/modules/cluster/local.tf
@@ -1,13 +1,7 @@
-resource "random_string" "suffix" {
- length = 8
- special = false
-}
-
 // ----------------------------------------------------------------------------
 // Module local variables
 // ----------------------------------------------------------------------------
 locals {
- oidc_provider_url = replace(data.aws_eks_cluster.cluster.identity[0].oidc[0].issuer, "https://", "")
 jenkins-x-namespace = "jx"
 cluster_trunc = substr(var.cluster_name, 0, 35)
 cert-manager-namespace = "cert-manager"
diff --git a/modules/cluster/main.tf b/modules/cluster/main.tf
index a3c0b1c..5d81a60 100644
--- a/modules/cluster/main.tf
+++ b/modules/cluster/main.tf
@@ -1,32 +1,12 @@
-// ----------------------------------------------------------------------------
-// Query necessary data for the module
-// ----------------------------------------------------------------------------
-data "aws_eks_cluster" "cluster" {
- name = var.cluster_name
-}
-
-data "aws_eks_cluster_auth" "cluster" {
- name = var.cluster_name
-}
-
 data "aws_caller_identity" "current" {}
 
-// ----------------------------------------------------------------------------
-// Define K8s cluster configuration
-// ----------------------------------------------------------------------------
-provider "kubernetes" {
- host = data.aws_eks_cluster.cluster.endpoint
- cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
- token = data.aws_eks_cluster_auth.cluster.token
-}
-
 // ----------------------------------------------------------------------------
 // Update the kube configuration after the cluster has been created so we can
 // connect to it and create the K8s resources
 // ----------------------------------------------------------------------------
 resource "null_resource" "kubeconfig" {
 provisioner "local-exec" {
- command = "aws eks update-kubeconfig --name ${var.cluster_name} --region=${var.region} ${var.profile == null ? "" : format("--profile=%s", var.profile)}"
+ command = "aws eks update-kubeconfig --name ${var.cluster_name} --region=${var.region}"
 interpreter = var.local-exec-interpreter
 }
 }
diff --git a/modules/cluster/outputs.tf b/modules/cluster/outputs.tf
index 84e0dcc..f92f60b 100644
--- a/modules/cluster/outputs.tf
+++ b/modules/cluster/outputs.tf
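Review bot: The rewritten `command` still splices `var.cluster_name` and `var.region` unquoted into a command line that is executed through `var.local-exec-interpreter` (documented in the README hunk as `/bin/bash -c` by default), and neither variable carries a `validation` block in the variables.tf hunks, so whitespace or shell metacharacters in either value change what the provisioner runs instead of failing at plan time. A `validation` block on `cluster_name` using the name pattern EKS itself accepts, `condition = can(regex("^[0-9A-Za-z][A-Za-z0-9_-]*$", var.cluster_name))`, and a similar one on `region` would make this a plan-time error. Dropping the `--profile` argument also means the provisioner now relies entirely on the ambient AWS credential chain of the machine running apply; a line in the comment above the resource, `// Credentials come from the caller's default AWS credential chain (no profile override)`, would save operators a surprise when the kubeconfig is written with unexpected credentials.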
@@ -60,19 +60,3 @@ output "pipeline_viz_iam_role" {
 value = module.iam_assumable_role_pipeline_visualizer.this_iam_role_name
 description = "The IAM Role that the pipeline visualizer pod will assume to authenticate"
 }
-
-output "cluster_oidc_issuer_url" {
- value = local.oidc_provider_url
-}
-
-output "cluster_host" {
- value = data.aws_eks_cluster.cluster.endpoint
-}
-
-output "cluster_ca_certificate" {
- value = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
-}
-
-output "cluster_token" {
- value = data.aws_eks_cluster_auth.cluster.token
-}
\ No newline at end of file
diff --git a/modules/cluster/storage.tf b/modules/cluster/storage.tf
index 7eaf7f7..57f6a6a 100644
--- a/modules/cluster/storage.tf
+++ b/modules/cluster/storage.tf
@@ -46,7 +46,7 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "logs_jenkins_x" {
 resource "aws_s3_bucket_lifecycle_configuration" "logs_jenkins_x" { count = var.enable_logs_storage ? 1 : 0 - bucket = aws_s3_bucket.logs_jenkins_x[0].id + bucket = aws_s3_bucket.logs_jenkins_x[0].id rule { status = "Enabled" id = "abort_incomplete_uploads"
@@ -59,7 +59,7 @@ resource "aws_s3_bucket_lifecycle_configuration" "logs_jenkins_x" {
 id = "delete_old"
 expiration {
 expired_object_delete_marker = false
- days = var.expire_logs_after_days
+ days = var.expire_logs_after_days
 }
 }
 }
@@ -103,7 +103,7 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "reports_jenkins_x
 resource "aws_s3_bucket_lifecycle_configuration" "reports_jenkins_x" { count = var.enable_reports_storage ? 1 : 0 - bucket = aws_s3_bucket.reports_jenkins_x[0].id + bucket = aws_s3_bucket.reports_jenkins_x[0].id rule { status = "Enabled" id = "abort_incomplete_uploads"
@@ -153,7 +153,7 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "repository_jenkin
 resource "aws_s3_bucket_lifecycle_configuration" "repository_jenkins_x" { count = var.enable_repository_storage ? 1 : 0 - bucket = aws_s3_bucket.repository_jenkins_x[0].id + bucket = aws_s3_bucket.repository_jenkins_x[0].id rule { status = "Enabled" id = "abort_incomplete_uploads"
diff --git a/modules/cluster/variables.tf b/modules/cluster/variables.tf
index 9959623..be85f68 100644
--- a/modules/cluster/variables.tf
+++ b/modules/cluster/variables.tf
@@ -8,11 +8,11 @@ variable "cluster_name" {
 type = string
 }
 
-variable "profile" {
- description = "The AWS Profile used to provision the EKS Cluster"
+variable "cluster_oidc_issuer_url" {
+ description = "The oidc provider url for the clustrer"
 type = string
- default = null
 }
+
 // ----------------------------------------------------------------------------
 // Flag Variables
 // ----------------------------------------------------------------------------
@@ -23,8 +23,8 @@ variable "enable_logs_storage" {
 
 variable "expire_logs_after_days" {
 description = "Number of days objects in the logs bucket are stored"
- type = number
- default = 90
+ type = number
+ default = 90
 }
 
 variable "enable_worker_group" {
diff --git a/modules/dns/README.md b/modules/dns/README.md
new file mode 100644
index 0000000..ab20969
--- /dev/null
+++ b/modules/dns/README.md
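Review bot: The new `cluster_oidc_issuer_url` variable in the modules/cluster/variables.tf hunk has no `validation` block, and its description (`The oidc provider url for the clustrer`) misspells cluster and does not say whether the value is expected with or without the `https://` scheme, even though the irsa.tf hunks feed it straight into `provider_url` for every IRSA role; the identical declaration in the root variables.tf hunk has the same gaps. Describe what the value is and what trusts it, and reject anything that is not an EKS OIDC issuer at plan time so a mistyped or foreign URL cannot end up in the trust policy of every role. The pattern below covers the standard partition's host form and the uppercase-hex issuer id; adjust it if the module is used in other partitions. The enclosing `variable "cluster_name"` block above the hunk is cut off.
```hcl
variable "cluster_oidc_issuer_url" {
  description = "The OIDC issuer URL of the EKS cluster (aws_eks_cluster.identity[0].oidc[0].issuer); trusted by every IRSA role created by this module"
  type        = string

  validation {
    condition     = can(regex("^(https://)?oidc\\.eks\\.[a-z0-9-]+\\.amazonaws\\.com/id/[A-F0-9]+$", var.cluster_oidc_issuer_url))
    error_message = "cluster_oidc_issuer_url must be an EKS OIDC issuer URL such as https://oidc.eks.<region>.amazonaws.com/id/<ID>."
  }
}
```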
@@ -0,0 +1,33 @@ + +#### Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | +#### Modules + +No modules. +#### Requirements + +No requirements. +#### Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [apex\_domain](#input\_apex\_domain) | ---------------------------------------------------------------------------- External DNS Variables ---------------------------------------------------------------------------- | `string` | `""` | no | +| [create\_and\_configure\_subdomain](#input\_create\_and\_configure\_subdomain) | n/a | `bool` | `false` | no | +| [enable\_external\_dns](#input\_enable\_external\_dns) | ---------------------------------------------------------------------------- Flag Variables ---------------------------------------------------------------------------- | `bool` | `false` | no | +| [enable\_tls](#input\_enable\_tls) | n/a | `bool` | `false` | no | +| [force\_destroy\_subdomain](#input\_force\_destroy\_subdomain) | Flag to determine whether subdomain zone get forcefully destroyed. If set to false, empty the sub domain first in the aws Route 53 console, else terraform destroy will fail with HostedZoneNotEmpty error | `bool` | `false` | no | +| [manage\_apex\_domain](#input\_manage\_apex\_domain) | Flag to control if apex domain should be managed/updated by this module. 
Set this to false,if your apex domain is managed in a different AWS account or different provider | `bool` | `true` | no | +| [manage\_subdomain](#input\_manage\_subdomain) | Flag to control subdomain creation/management | `bool` | `true` | no | +| [production\_letsencrypt](#input\_production\_letsencrypt) | n/a | `bool` | `false` | no | +| [subdomain](#input\_subdomain) | n/a | `string` | `""` | no | +| [tls\_email](#input\_tls\_email) | n/a | `string` | `""` | no | +#### Outputs + +| Name | Description | +|------|-------------| +| [domain](#output\_domain) | n/a | +| [subdomain\_nameservers](#output\_subdomain\_nameservers) | n/a | + \ No newline at end of file diff --git a/modules/health/README.md b/modules/health/README.md new file mode 100644 index 0000000..4c37132 --- /dev/null +++ b/modules/health/README.md @@ -0,0 +1,21 @@ + +#### Providers + +No providers. +#### Modules + +| Name | Source | Version | +|------|--------|---------| +| [jx-health](#module\_jx-health) | github.com/jenkins-x/terraform-jx-health | main | +#### Requirements + +No requirements. +#### Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [install\_kuberhealthy](#input\_install\_kuberhealthy) | Flag to specify if kuberhealthy operator should be installed | `bool` | `false` | no | +#### Outputs + +No outputs. + \ No newline at end of file diff --git a/modules/nginx/README.md b/modules/nginx/README.md new file mode 100644 index 0000000..5004c8c --- /dev/null +++ b/modules/nginx/README.md 
@@ -0,0 +1,26 @@ + +#### Providers + +| Name | Version | +|------|---------| +| [helm](#provider\_helm) | n/a | +#### Modules + +No modules. +#### Requirements + +No requirements. +#### Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [create\_nginx](#input\_create\_nginx) | Decides whether we want to create nginx resources using terraform or not | `bool` | `false` | no | +| [create\_nginx\_namespace](#input\_create\_nginx\_namespace) | Boolean to control nginx namespace creation | `bool` | `true` | no | +| [nginx\_chart\_version](#input\_nginx\_chart\_version) | nginx chart version | `string` | n/a | yes | +| [nginx\_namespace](#input\_nginx\_namespace) | Name of the nginx namespace | `string` | `"nginx"` | no | +| [nginx\_release\_name](#input\_nginx\_release\_name) | Name of the nginx release name | `string` | `"nginx-ingress"` | no | +| [nginx\_values\_file](#input\_nginx\_values\_file) | Name of the values file which holds the helm chart values | `string` | `"nginx_values.yaml"` | no | +#### Outputs + +No outputs. + \ No newline at end of file diff --git a/modules/vault/README.md b/modules/vault/README.md new file mode 100644 index 0000000..859ad4f --- /dev/null +++ b/modules/vault/README.md @@ -0,0 +1,21 @@ + +#### Providers + +| Name | Version | +|------|---------| +| [helm](#provider\_helm) | n/a | +#### Modules + +No modules. +#### Requirements + +No requirements. +#### Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [resource\_count](#input\_resource\_count) | Number of resources to create (0 or 1) | `number` | n/a | yes | +#### Outputs + +No outputs. + \ No newline at end of file diff --git a/outputs.tf b/outputs.tf index 2947e49..895abf5 100644 --- a/outputs.tf +++ b/outputs.tf 
@@ -38,11 +38,6 @@ output "cluster_name" {
 description = "The name of the created cluster"
 }
 
-output "cluster_oidc_issuer_url" {
- value = module.cluster.cluster_oidc_issuer_url
- description = "The Cluster OIDC Issuer URL"
-}
-
 // ----------------------------------------------------------------------------
 // Generated IAM Roles
 // ----------------------------------------------------------------------------
diff --git a/variables.tf b/variables.tf
index e814575..dd72b54 100644
--- a/variables.tf
+++ b/variables.tf
@@ -12,10 +12,9 @@ variable "cluster_name" {
 type = string
 }
 
-variable "profile" {
- description = "The AWS Profile used to provision the EKS Cluster"
+variable "cluster_oidc_issuer_url" {
+ description = "The oidc provider url for the clustrer"
 type = string
- default = null
 }
 
 // ----------------------------------------------------------------------------
@@ -99,8 +98,8 @@ variable "enable_logs_storage" {
 
 variable "expire_logs_after_days" {
 description = "Number of days objects in the logs bucket are stored"
- type = number
- default = 90
+ type = number
+ default = 90
 }
 
 variable "enable_reports_storage" {
diff --git a/versions.tf b/versions.tf
index bf95c28..3a25e47 100644
--- a/versions.tf
+++ b/versions.tf
@@ -1,12 +1,22 @@
 terraform { - required_version = ">= 0.12.17, < 2.0.0" + required_version = ">= 0.13.0, < 2.0.0" required_providers { - aws = "> 4.0" - kubernetes = "~> 2.0" - local = "~> 2.0" - null = "~> 3.0" - random = "~> 3.0" - helm = "~> 2.0" + aws = { + source = "hashicorp/aws" + version = "> 4.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + version = "~> 2.0" + } + null = { + source = "hashicorp/null" + version = "~> 3.0" + } + helm = { + source = "hashicorp/helm" + version = "~> 2.0" + } } }
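Review bot: In the versions.tf hunk `aws` is the only provider in the new `required_providers` map left without an upper bound (`version = "> 4.0"`) while `kubernetes`, `null` and `helm` use `~>`; the root README hunk shows 5.60.0 is what currently resolves, so a future 6.x major would be adopted silently on the next `terraform init -upgrade`. Prefer `version = ">= 4.0, < 6.0"` (or `~> 5.0` if 4.x is no longer supported) so provider majors are taken deliberately. `local` and `random` are dropped from the constraints; the local.tf hunk removes the only `random_string` visible here, but any `local_file` or `random_*` resource outside these hunks would now fail `init`, which is worth confirming before merge. The hunk covers the whole `terraform` block.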
"Owner": "Jenkins-x"
}