From eaeb1701dbb0cef0b423f1964626dbba4cd3691b Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?M=C3=A5rten=20Svantesson?= Date: Fri, 28 Jun 2024 12:52:02 +0200 Subject: [PATCH] chore!: remove all support for jx2 especially remove cloud vault resources for vault that are not used anymore in jx3 vault configuration also fixing link to documentation BREAKING CHANGE: Don't upgrade to this version if you still use this module with Jenkins X 2. It would break things badly. --- README.md | 66 +---- examples/asm/main.tf | 1 - examples/asm/outputs.tf | 27 -- examples/backend/main.tf | 14 -- examples/backend/outputs.tf | 14 -- examples/basic/main.tf | 29 ++- examples/{jx3 => basic}/nginx_values.yaml | 0 examples/basic/outputs.tf | 74 +++++- examples/basic/variables.tf | 9 +- examples/cluster-access/main.tf | 6 - examples/cluster-access/outputs.tf | 14 -- examples/cluster-access/variables.tf | 4 - examples/customers_certificate/main.tf | 13 - examples/customers_certificate/outputs.tf | 4 - examples/customers_certificate/variables.tf | 18 -- examples/dev-team/main.tf | 15 -- examples/dev-team/outputs.tf | 4 - examples/dev-team/user-alice.tf | 24 -- examples/dev-team/user-bob.tf | 24 -- examples/dev-team/user-group-developers.tf | 35 --- examples/envelope-encryption/main.tf | 2 - examples/envelope-encryption/outputs.tf | 27 -- examples/existing-cluster/main.tf | 1 - examples/existing-cluster/outputs.tf | 27 -- examples/existing-cluster/variables.tf | 5 - examples/jx3/main.tf | 31 --- examples/jx3/outputs.tf | 100 -------- examples/jx3/variables.tf | 14 -- examples/nat/main.tf | 7 - examples/nat/outputs.tf | 4 - examples/nat/variables.tf | 4 - examples/nodegroup/main.tf | 4 - examples/nodegroup/outputs.tf | 4 - examples/nodegroup/variables.tf | 3 - examples/s3-kms/main.tf | 6 - examples/s3-kms/outputs.tf | 4 - examples/s3-kms/variables.tf | 9 - .../worker-group-launch-templates/main.tf | 9 - .../worker-group-launch-templates/outputs.tf | 4 - jenkins-x.yml | 34 --- local.tf | 6 - main.tf | 13 +- modules/backup/main.tf | 15 -- modules/backup/variables.tf | 5 
- modules/cluster/charts.tf | 1 - modules/cluster/irsa.tf | 123 +-------- modules/cluster/main.tf | 37 --- modules/cluster/outputs.tf | 8 - modules/cluster/variables.tf | 5 - modules/dns/variables.tf | 5 - modules/health/main.tf | 2 +- modules/health/variables.tf | 5 - modules/nginx/main.tf | 2 +- modules/nginx/variables.tf | 5 - modules/vault/local.tf | 5 - modules/vault/main.tf | 236 ------------------ modules/vault/outputs.tf | 36 --- modules/vault/variables.tf | 83 ------ outputs.tf | 27 -- scripts/aws-asume-role.sh | 37 --- scripts/ci.sh | 26 -- scripts/lint.sh | 11 - scripts/release.sh | 13 - scripts/security.sh | 14 -- templates/jx-requirements.yml.tpl | 26 -- test/terraform_eks_test.go | 13 - variables.tf | 11 - 67 files changed, 122 insertions(+), 1342 deletions(-) delete mode 100644 examples/backend/main.tf delete mode 100644 examples/backend/outputs.tf rename examples/{jx3 => basic}/nginx_values.yaml (100%) delete mode 100644 examples/cluster-access/main.tf delete mode 100644 examples/cluster-access/outputs.tf delete mode 100644 examples/cluster-access/variables.tf delete mode 100644 examples/customers_certificate/main.tf delete mode 100644 examples/customers_certificate/outputs.tf delete mode 100644 examples/customers_certificate/variables.tf delete mode 100644 examples/dev-team/main.tf delete mode 100644 examples/dev-team/outputs.tf delete mode 100644 examples/dev-team/user-alice.tf delete mode 100644 examples/dev-team/user-bob.tf delete mode 100644 examples/dev-team/user-group-developers.tf delete mode 100644 examples/jx3/main.tf delete mode 100644 examples/jx3/outputs.tf delete mode 100644 examples/jx3/variables.tf delete mode 100644 examples/nat/main.tf delete mode 100644 examples/nat/outputs.tf delete mode 100644 examples/nat/variables.tf delete mode 100644 examples/nodegroup/main.tf delete mode 100644 examples/nodegroup/outputs.tf delete mode 100644 examples/nodegroup/variables.tf delete mode 100644 examples/s3-kms/main.tf delete mode 100644 
examples/s3-kms/outputs.tf delete mode 100644 examples/s3-kms/variables.tf delete mode 100644 examples/worker-group-launch-templates/main.tf delete mode 100644 examples/worker-group-launch-templates/outputs.tf delete mode 100644 jenkins-x.yml delete mode 100644 modules/vault/main.tf delete mode 100644 modules/vault/outputs.tf delete mode 100755 scripts/aws-asume-role.sh delete mode 100755 scripts/ci.sh delete mode 100755 scripts/lint.sh delete mode 100755 scripts/release.sh delete mode 100755 scripts/security.sh diff --git a/README.md b/README.md index b18d5fe..a5d8743 100644 --- a/README.md +++ b/README.md @@ -85,17 +85,6 @@ module "eks-jx" { output "jx_requirements" { value = module.eks-jx.jx_requirements } - -output "vault_user_id" { - value = module.eks-jx.vault_user_id - description = "The Vault IAM user id" -} - -output "vault_user_secret" { - value = module.eks-jx.vault_user_secret - description = "The Vault IAM user secret" -} - ``` All s3 buckets created by the module use Server-Side Encryption with Amazon S3-Managed Encryption Keys @@ -106,10 +95,6 @@ If you don't specify the value of `s3_kms_arn`, then the default aws managed cmk :warning: **Note**: Using AWS KMS with customer managed keys has cost [considerations](https://aws.amazon.com/blogs/storage/changing-your-amazon-s3-encryption-from-s3-managed-encryption-sse-s3-to-aws-key-management-service-sse-kms/). -Due to the Vault issue [7450](https://github.com/hashicorp/vault/issues/7450), this Terraform module needs for now to create a new IAM user for installing Vault. -It also creates an IAM access key whose id and secret are defined in the output above. -You need the id and secret for running [`jx boot`](#running-jx-boot). - The _jx_requirements_ output is a helper for creating the initial input for `jx boot`. If you do not want Terraform to create a new IAM user or you do not have permissions to create one, you need to provide the name of an existing IAM user. 
@@ -117,7 +102,6 @@ If you do not want Terraform to create a new IAM user or you do not have permiss ```terraform module "eks-jx" { source = "jenkins-x/eks-jx/aws" - vault_user = "" } ``` @@ -129,7 +113,6 @@ In addition, you should make sure to specify the region via the AWS_REGION envir `export AWS_REGION=us-east-1` and the region variable (make sure the region variable matches the environment variable) The IAM user does not need any permissions attached to it. -For more information, refer to [Configuring Vault for EKS](https://jenkins-x.io/docs/install-setup/installing/boot/clouds/amazon/#configuring-vault-for-eks) in the Jenkins X documentation. Once you have your initial configuration, you can apply it by running: @@ -140,15 +123,6 @@ terraform apply This creates an EKS cluster with all possible configuration options defaulted. -You then need to export the environment variables _VAULT_AWS_ACCESS_KEY_ID_ and _VAULT_AWS_SECRET_ACCESS_KEY_. - -```sh -export VAULT_AWS_ACCESS_KEY_ID=$(terraform output vault_user_id) -export VAULT_AWS_SECRET_ACCESS_KEY=$(terraform output vault_user_secret) -``` - -If you specified _vault_user_ you need to provide the access key id and secret for the specified user. - :warning: **Note**: This example is for getting up and running quickly. It is not intended for a production cluster. Refer to [Production cluster considerations](#production-cluster-considerations) for things to consider when creating a production cluster. 
@@ -207,9 +181,9 @@ helm template --name cluster-autoscaler --namespace kube-system ./cluster-autosc ### Long Term Storage -You can choose to create S3 buckets for [long term storage](https://jenkins-x.io/docs/install-setup/installing/boot/storage/) of Jenkins X build artefacts with `enable_logs_storage`, `enable_reports_storage` and `enable_repository_storage`. +You can choose to create S3 buckets for [long term storage](https://jenkins-x.io/v3/admin/setup/config/storage/) of Jenkins X build artefacts with `enable_logs_storage`, `enable_reports_storage` and `enable_repository_storage`. -During `terraform apply` the enabledS3 buckets are created, and the _jx_requirements_ output will contain the following section: +During `terraform apply` the enabled S3 buckets are created, and the _jx_requirements_ output will contain the following section: ```yaml storage: @@ -234,9 +208,8 @@ This allows you to remove all generated buckets when running terraform destroy. ### Secrets Management -Vault is the default tool used by Jenkins X for managing secrets. -Part of this module's responsibilities is the creation of all resources required to run the [Vault Operator](https://github.com/banzaicloud/bank-vaults). -These resources are An S3 Bucket, a DynamoDB Table and a KMS Key. +[Vault](https://www.vaultproject.io/) is the default tool used by Jenkins X for managing secrets. +Part of this module's responsibilities is the installation of [Vault Operator](https://github.com/banzaicloud/bank-vaults) which in turn install vault. You can also configure an existing Vault instance for use with Jenkins X. In this case 
@@ -467,16 +440,6 @@ module "eks-jx" { output "jx_requirements" { value = module.eks-jx.jx_requirements } - -output "vault_user_id" { - value = module.eks-jx.vault_user_id - description = "The Vault IAM user id" -} - -output "vault_user_secret" { - value = module.eks-jx.vault_user_secret - description = "The Vault IAM user secret" -} ``` **Note**: EKS node groups now support using [spot instances](https://aws.amazon.com/blogs/containers/amazon-eks-now-supports-provisioning-and-managing-ec2-spot-instances-in-managed-node-groups/) and [launch templates](https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html) (will be set accordingly with the use of the `enable_spot_instances` variable) @@ -660,7 +623,6 @@ You need to execute the following command before `terraform apply` in order to r ### Support for JX3 Creation of namespaces and service accounts using terraform is no longer required for JX3. -To keep compatibility with JX2, a flag `is_jx2` was introduced, in [v1.6.0](https://github.com/jenkins-x/terraform-aws-eks-jx/releases/tag/v1.6.0). ### Existing VPC 
@@ -770,7 +732,6 @@ Each example generates a valid _jx-requirements.yml_ file that can be used to bo | [ignoreLoadBalancer](#input\_ignoreLoadBalancer) | Flag to specify if jx boot will ignore loadbalancer DNS to resolve to an IP | `bool` | `false` | no | | [install\_kuberhealthy](#input\_install\_kuberhealthy) | Flag to specify if kuberhealthy operator should be installed | `bool` | `false` | no | | [iops](#input\_iops) | The IOPS value | `number` | `0` | no | -| [is\_jx2](#input\_is\_jx2) | Flag to specify if jx2 related resources need to be created | `bool` | `true` | no | | [jx\_bot\_token](#input\_jx\_bot\_token) | Bot token used to interact with the Jenkins X cluster git repository | `string` | `""` | no | | [jx\_bot\_username](#input\_jx\_bot\_username) | Bot username used to interact with the Jenkins X cluster git repository | `string` | `""` | no | | [jx\_git\_operator\_values](#input\_jx\_git\_operator\_values) | Extra values for jx-git-operator chart as a list of yaml formated strings | `list(string)` | `[]` | no | 
@@ -813,7 +774,6 @@ Each example generates a valid _jx-requirements.yml_ file that can be used to bo | [use\_kms\_s3](#input\_use\_kms\_s3) | Flag to determine whether kms should be used for encrypting s3 buckets | `bool` | `false` | no | | [use\_vault](#input\_use\_vault) | Flag to control vault resource creation | `bool` | `true` | no | | [vault\_url](#input\_vault\_url) | URL to an external Vault instance in case Jenkins X does not create its own system Vault | `string` | `""` | no | -| [vault\_user](#input\_vault\_user) | The AWS IAM Username whose credentials will be used to authenticate the Vault pods against AWS | `string` | `""` | no | | [velero\_namespace](#input\_velero\_namespace) | Kubernetes namespace for Velero | `string` | `"velero"` | no | | [velero\_schedule](#input\_velero\_schedule) | The Velero backup schedule in cron notation to be set in the Velero Schedule CRD (see [default-backup.yaml](https://github.com/jenkins-x/jenkins-x-boot-config/blob/master/systems/velero-backups/templates/default-backup.yaml)) | `string` | `"0 * * * *"` | no | | [velero\_ttl](#input\_velero\_ttl) | The the lifetime of a velero backup to be set in the Velero Schedule CRD (see [default-backup.yaml](https://github.com/jenkins-x/jenkins-x-boot-config/blob/master/systems/velero-backups/templates/default-backup)) | `string` | `"720h0m0s"` | no | 
@@ -846,11 +806,6 @@ Each example generates a valid _jx-requirements.yml_ file that can be used to bo | [pipeline\_viz\_iam\_role](#output\_pipeline\_viz\_iam\_role) | The IAM Role that the pipeline visualizer pod will assume to authenticate | | [subdomain\_nameservers](#output\_subdomain\_nameservers) | ---------------------------------------------------------------------------- DNS ---------------------------------------------------------------------------- | | [tekton\_bot\_iam\_role](#output\_tekton\_bot\_iam\_role) | The IAM Role that the build pods will assume to authenticate | -| [vault\_dynamodb\_table](#output\_vault\_dynamodb\_table) | The Vault DynamoDB table | -| [vault\_kms\_unseal](#output\_vault\_kms\_unseal) | The Vault KMS Key for encryption | -| [vault\_unseal\_bucket](#output\_vault\_unseal\_bucket) | The Vault storage bucket | -| [vault\_user\_id](#output\_vault\_user\_id) | The Vault IAM user id | -| [vault\_user\_secret](#output\_vault\_user\_secret) | The Vault IAM user secret | | [vpc\_id](#output\_vpc\_id) | The ID of the VPC | @@ -864,19 +819,6 @@ There is no way to provide your own roles or define other Service Accounts by va ## Development -### Releasing - -At the moment, there is no release pipeline defined in [jenkins-x.yml](./jenkins-x.yml). -A Terraform release does not require building an artifact; only a tag needs to be created and pushed. -To make this task easier and there is a helper script `release.sh` which simplifies this process and creates the changelog as well: - -```sh -./scripts/release.sh -``` - -This can be executed on demand whenever a release is required. -For the script to work, the environment variable _$GH_TOKEN_ must be exported and reference a valid GitHub API token. - ## How can I contribute Contributions are very welcome! Check out the [Contribution Guidelines](./CONTRIBUTING.md) for instructions. diff --git a/examples/asm/main.tf b/examples/asm/main.tf index 8c46f42..fd9c145 100644 --- a/examples/asm/main.tf 
+++ b/examples/asm/main.tf
@@ -3,7 +3,6 @@ module "eks-jx" {
 region = var.region
 use_vault = var.use_vault
 use_asm = var.use_asm
- is_jx2 = false
 cluster_version = "1.18"
 enable_worker_groups_launch_template = true
 encrypt_volume_self = true
diff --git a/examples/asm/outputs.tf b/examples/asm/outputs.tf
index ea02695..f8a786d 100644
--- a/examples/asm/outputs.tf
+++ b/examples/asm/outputs.tf
@@ -1,30 +1,3 @@
-// Vault
-output "vault_user_id" {
- value = module.eks-jx.vault_user_id
- description = "The Vault IAM user id"
-}
-
-output "vault_user_secret" {
- value = module.eks-jx.vault_user_secret
- description = "The Vault IAM user secret"
-}
-
-output "vault_unseal_bucket" {
- value = module.eks-jx.vault_unseal_bucket
- description = "The Vault storage bucket"
-}
-
-output "vault_dynamodb_table" {
- value = module.eks-jx.vault_dynamodb_table
- description = "The Vault DynamoDB table"
-}
-
-output "vault_kms_unseal" {
- value = module.eks-jx.vault_kms_unseal
- description = "The Vault KMS Key for encryption"
-}
-
-
 // Storage (backup, logs, reports, repo)
 output "backup_bucket_url" {
 value = module.eks-jx.backup_bucket_url
diff --git a/examples/backend/main.tf b/examples/backend/main.tf
deleted file mode 100644
index e3cc57a..0000000
--- a/examples/backend/main.tf
+++ /dev/null
@@ -1,14 +0,0 @@
-terraform {
- # https://www.terraform.io/docs/backends/types/s3.html
- backend "s3" {
- region = ""
- bucket = ""
- key = "terraform.tfstate"
- dynamodb_table = "terraform-state-lock"
- encrypt = true
- }
-}
-
-module "eks-jx" {
- source = "jenkins-x/eks-jx/aws"
-}
diff --git a/examples/backend/outputs.tf b/examples/backend/outputs.tf
deleted file mode 100644
index 56cabfd..0000000
--- a/examples/backend/outputs.tf
+++ /dev/null
@@ -1,14 +0,0 @@
-output "jx_requirements" {
- value = module.eks-jx.jx_requirements
- description = "The templated jx-requirements.yml"
-}
-
-output "vault_user_id" {
- value = module.eks-jx.vault_user_id
- description = "The Vault IAM user id if one got created"
-}
-
-output "vault_user_secret" {
- value = module.eks-jx.vault_user_secret
- description = "The Vault IAM user secret if one got created"
-}
diff --git a/examples/basic/main.tf b/examples/basic/main.tf
index 7d7c949..348e53c 100644
--- a/examples/basic/main.tf
+++ b/examples/basic/main.tf
@@ -1,4 +1,29 @@
+provider "aws" {
+ region = var.region
+ profile = var.profile
+}
+
+
 module "eks-jx" {
- source = "jenkins-x/eks-jx/aws"
- vault_user = var.vault_user
+ source = "../../"
+ install_kuberhealthy = true
+ create_nginx = true
+ cluster_version = "1.21"
+ nginx_chart_version = "3.12.0"
+ enable_worker_groups_launch_template = true
+ volume_type = "gp3"
+ volume_size = "100"
+ encrypt_volume_self = true
+ boot_secrets = [
+ {
+ name = "jxBootJobEnvVarSecrets.EXTERNAL_VAULT"
+ value = "true"
+ type = "string"
+ },
+ {
+ name = "jxBootJobEnvVarSecrets.VAULT_ADDR"
+ value = "http://external-vault:8200"
+ type = "string"
+ }
+ ]
 }
diff --git a/examples/jx3/nginx_values.yaml b/examples/basic/nginx_values.yaml
similarity index 100%
rename from examples/jx3/nginx_values.yaml
rename to examples/basic/nginx_values.yaml
diff --git a/examples/basic/outputs.tf b/examples/basic/outputs.tf
index cd8f1c3..c4b93fa 100644
--- a/examples/basic/outputs.tf
+++ b/examples/basic/outputs.tf
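Review bot: The `VAULT_ADDR` entry in the new `boot_secrets` list points the boot job at Vault over plain HTTP (`value = "http://external-vault:8200"`), so any Vault token the job presents would cross the network unencrypted; even for an example, an `https://` placeholder or a comment such as `# use an https:// address and a trusted CA for any real deployment` sets the right expectation. The example also hard-codes `cluster_version = "1.21"` while `region` and `profile` are exposed through variables.tf; either `cluster_version = var.cluster_version` with a default there, or a one-line comment on why this version is pinned, would keep the example consistent. The relationship between `EXTERNAL_VAULT = "true"` here and the module's `use_vault`/`external_vault` inputs is not visible in this hunk, so a short comment stating which one actually disables the in-cluster Vault would help readers — confirm against main.tf before wording it.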
@@ -1,4 +1,72 @@ -output "jx_requirements" { - value = module.jx-eks.jx_requirements - description = "The templated jx-requirements.yml" +// VPC +output "vpc_id" { + value = module.eks-jx.vpc_id +} + +// Storage (backup, logs, reports, repo) +output "backup_bucket_url" { + value = module.eks-jx.backup_bucket_url + description = "The bucket where backups from velero will be stored" +} + +output "lts_logs_bucket" { + value = module.eks-jx.lts_logs_bucket + description = "The bucket where logs from builds will be stored" +} + +output "lts_reports_bucket" { + value = module.eks-jx.lts_reports_bucket + description = "The bucket where test reports will be stored" +} + +output "lts_repository_bucket" { + value = module.eks-jx.lts_reports_bucket + description = "The bucket that will serve as artifacts repository" +} + +// IAM Roles +output "cert_manager_iam_role" { + value = module.eks-jx.cert_manager_iam_role + description = "The IAM Role that the Cert Manager pod will assume to authenticate" +} + +output "tekton_bot_iam_role" { + value = module.eks-jx.tekton_bot_iam_role + description = "The IAM Role that the build pods will assume to authenticate" +} + +output "external_dns_iam_role" { + value = module.eks-jx.external_dns_iam_role + description = "The IAM Role that the External DNS pod will assume to authenticate" +} + +output "cm_cainjector_iam_role" { + value = module.eks-jx.cm_cainjector_iam_role + description = "The IAM Role that the CM CA Injector pod will assume to authenticate" +} + +output "controllerbuild_iam_role" { + value = module.eks-jx.controllerbuild_iam_role + description = "The IAM Role that the ControllerBuild pod will assume to authenticate" +} + +output "cluster_autoscaler_iam_role" { + value = module.eks-jx.cluster_autoscaler_iam_role + description = "The IAM Role that the Jenkins X UI pod will assume to authenticate" +} + +output "pipeline_viz_iam_role" { + value = module.eks-jx.pipeline_viz_iam_role + description = "The IAM Role that the pipeline 
visualizer pod will assume to authenticate" +} + +// Cluster specific output +output "cluster_name" { + value = module.eks-jx.cluster_name + description = "The name of the created cluster" +} + +output "cluster_oidc_issuer_url" { + value = module.eks-jx.cluster_oidc_issuer_url + description = "The Cluster OIDC Issuer URL" } diff --git a/examples/basic/variables.tf b/examples/basic/variables.tf index bdf1773..5509b23 100644 --- a/examples/basic/variables.tf +++ b/examples/basic/variables.tf @@ -1,4 +1,9 @@ -variable "vault_user" { +variable "region" { type = string - default = "" + default = "us-east-1" +} + +variable "profile" { + type = string + default = "default" } diff --git a/examples/cluster-access/main.tf b/examples/cluster-access/main.tf deleted file mode 100644 index c837d03..0000000 --- a/examples/cluster-access/main.tf +++ /dev/null @@ -1,6 +0,0 @@ -# In this example, the public endpoint access is restricted to the cidr blocks specified -module "eks-jx" { - source = "jenkins-x/eks-jx/aws" - vault_user = var.vault_user - cluster_endpoint_public_access_cidrs = ["1.2.3.4/32", "5.6.7.8/32"] -} diff --git a/examples/cluster-access/outputs.tf b/examples/cluster-access/outputs.tf deleted file mode 100644 index 5554309..0000000 --- a/examples/cluster-access/outputs.tf +++ /dev/null @@ -1,14 +0,0 @@ -output "jx_requirements" { - value = module.eks-jx.jx_requirements - description = "The templated jx-requirements.yml" -} - -output "vault_user_id" { - value = module.eks-jx.vault_user_id - description = "The Vault IAM user id" -} - -output "vault_user_secret" { - value = module.eks-jx.vault_user_secret - description = "The Vault IAM user secret" -} diff --git a/examples/cluster-access/variables.tf b/examples/cluster-access/variables.tf deleted file mode 100644 index bdf1773..0000000 --- a/examples/cluster-access/variables.tf +++ /dev/null @@ -1,4 +0,0 @@ -variable "vault_user" { - type = string - default = "" -} 
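Review bot: `output "lts_repository_bucket"` reads `module.eks-jx.lts_reports_bucket`, so the repository output returns the reports bucket; it should be `value = module.eks-jx.lts_repository_bucket` to match its name and description. Similarly, `output "cluster_autoscaler_iam_role"` carries the description "The IAM Role that the Jenkins X UI pod will assume to authenticate", which describes a different component; `description = "The IAM Role that the cluster autoscaler pod will assume to authenticate"` keeps it in line with the other IAM role outputs. Both look like copy-paste slips since the surrounding outputs pair name, value and description correctly.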
diff --git a/examples/customers_certificate/main.tf b/examples/customers_certificate/main.tf deleted file mode 100644 index 306e35f..0000000 --- a/examples/customers_certificate/main.tf +++ /dev/null @@ -1,13 +0,0 @@ -module "eks-jx" { - source = "jenkins-x/eks-jx/aws" - - enable_external_dns = true - apex_domain = "office.com" - subdomain = "subdomain" - enable_tls = true - tls_email = "customer@office.com" - - // Signed Certificate must match the domain: *.subdomain.office.com - tls_cert = var.tls_cert - tls_key = var.tls_key -} diff --git a/examples/customers_certificate/outputs.tf b/examples/customers_certificate/outputs.tf deleted file mode 100644 index 07bda66..0000000 --- a/examples/customers_certificate/outputs.tf +++ /dev/null @@ -1,4 +0,0 @@ -output "jx_requirements" { - value = module.eks-jx.jx_requirements - description = "The templated jx-requirements.yml" -} diff --git a/examples/customers_certificate/variables.tf b/examples/customers_certificate/variables.tf deleted file mode 100644 index dd36d01..0000000 --- a/examples/customers_certificate/variables.tf +++ /dev/null @@ -1,18 +0,0 @@ -// ----------------------------- -// Customer's Certificates -// ----------------------------- -// -// tls_key and tls_cert can be as path to file or base64-encrypted content -// - -variable "tls_key" { - description = "Path to TLS key or base64-encrypted content" - type = string - default = "/opt/cert_ca/private.key" -} - -variable "tls_cert" { - description = "Path to TLS certificate or base64-encrypted content" - type = string - default = "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" -} diff --git a/examples/dev-team/main.tf b/examples/dev-team/main.tf deleted file mode 100644 index 3cd7596..0000000 --- a/examples/dev-team/main.tf +++ /dev/null 
@@ -1,15 +0,0 @@ -module "eks-jx" { - source = "jenkins-x/eks-jx/aws" - map_users = [ - { - userarn = aws_iam_user.alice.arn - username = aws_iam_user.alice.name - groups = ["system:masters"] - }, - { - userarn = aws_iam_user.bob.arn - username = aws_iam_user.bob.name - groups = ["system:masters"] - } - ] -} diff --git a/examples/dev-team/outputs.tf b/examples/dev-team/outputs.tf deleted file mode 100644 index 07bda66..0000000 --- a/examples/dev-team/outputs.tf +++ /dev/null @@ -1,4 +0,0 @@ -output "jx_requirements" { - value = module.eks-jx.jx_requirements - description = "The templated jx-requirements.yml" -} diff --git a/examples/dev-team/user-alice.tf b/examples/dev-team/user-alice.tf deleted file mode 100644 index 2e491f2..0000000 --- a/examples/dev-team/user-alice.tf +++ /dev/null @@ -1,24 +0,0 @@ -resource "aws_iam_user" "alice" { - name = "alice" -} - -resource "aws_iam_access_key" "alice" { - user = aws_iam_user.alice.name -} - -output "alice_aws_iam_user_arn" { - value = aws_iam_user.alice.arn - description = "IAM ARN for alice" -} - -output "alice_aws_access_key_id" { - value = aws_iam_access_key.alice.id - description = "IAM Access Key ID for alice" -} - -output "alice_aws_secret_access_key" { - value = aws_iam_access_key.alice.secret - description = "IAM Secret Access Key for alice" -} - - diff --git a/examples/dev-team/user-bob.tf b/examples/dev-team/user-bob.tf deleted file mode 100644 index c2e97dd..0000000 --- a/examples/dev-team/user-bob.tf +++ /dev/null @@ -1,24 +0,0 @@ -resource "aws_iam_user" "bob" { - name = "bob" -} - -resource "aws_iam_access_key" "bob" { - user = aws_iam_user.bob.name -} - -output "bob_aws_iam_user_arn" { - value = aws_iam_user.bob.arn - description = "IAM ARN for bob" -} - -output "bob_aws_access_key_id" { - value = aws_iam_access_key.bob.id - description = "IAM Access Key ID for bob" -} - -output "bob_aws_secret_access_key" { - value = aws_iam_access_key.bob.secret - description = "IAM Secret Access Key for bob" -} - - 
diff --git a/examples/dev-team/user-group-developers.tf b/examples/dev-team/user-group-developers.tf deleted file mode 100644 index b8273eb..0000000 --- a/examples/dev-team/user-group-developers.tf +++ /dev/null @@ -1,35 +0,0 @@ -resource "aws_iam_group" "developers" { - name = "developers" - path = "/users/" -} - -resource "aws_iam_group_membership" "developers" { - name = "developers" - - users = [ - aws_iam_user.alice.name, - aws_iam_user.bob.name, - ] - - group = aws_iam_group.developers.name -} - -resource "aws_iam_group_policy" "developers" { - name = "developers" - group = aws_iam_group.developers.id - - policy = < -} diff --git a/examples/s3-kms/outputs.tf b/examples/s3-kms/outputs.tf deleted file mode 100644 index 07bda66..0000000 --- a/examples/s3-kms/outputs.tf +++ /dev/null @@ -1,4 +0,0 @@ -output "jx_requirements" { - value = module.eks-jx.jx_requirements - description = "The templated jx-requirements.yml" -} diff --git a/examples/s3-kms/variables.tf b/examples/s3-kms/variables.tf deleted file mode 100644 index 0321315..0000000 --- a/examples/s3-kms/variables.tf +++ /dev/null @@ -1,9 +0,0 @@ -variable "vault_user" { - type = string - default = "" -} - -variable "use_kms" { - type = string - default = true -} diff --git a/examples/worker-group-launch-templates/main.tf b/examples/worker-group-launch-templates/main.tf deleted file mode 100644 index 233fba2..0000000 --- a/examples/worker-group-launch-templates/main.tf +++ /dev/null @@ -1,9 +0,0 @@ -module "eks-jx" { - source = "jenkins-x/eks-jx/aws" - enable_worker_group = false - enable_worker_groups_launch_template = true - allowed_spot_instance_types = ["m5.large", "m5a.large", "m5d.large", "m5ad.large", "t3.large", "t3a.large"] - lt_desired_nodes_per_subnet = 2 - lt_min_nodes_per_subnet = 2 - lt_max_nodes_per_subnet = 3 -} diff --git a/examples/worker-group-launch-templates/outputs.tf b/examples/worker-group-launch-templates/outputs.tf deleted file mode 100644 index 07bda66..0000000 
--- a/examples/worker-group-launch-templates/outputs.tf +++ /dev/null @@ -1,4 +0,0 @@ -output "jx_requirements" { - value = module.eks-jx.jx_requirements - description = "The templated jx-requirements.yml" -} diff --git a/jenkins-x.yml b/jenkins-x.yml deleted file mode 100644 index baf61aa..0000000 --- a/jenkins-x.yml +++ /dev/null @@ -1,34 +0,0 @@ -buildPack: none -pipelineConfig: - pipelines: - pullRequest: - pipeline: - environment: - - name: VAULT_USER - valueFrom: - secretKeyRef: - name: aws-bdd-user-creds - key: vault_user - agent: - image: ghcr.io/jenkins-x/terraform-aws:4.0.14 - stages: - - name: ci - options: - volumes: - - name: aws-creds - secret: - secretName: aws-bdd-user-creds - items: - - key: credentials - path: credentials - containerOptions: - volumeMounts: - - mountPath: /tekton/home/.aws - name: aws-creds - steps: - - name: terraform-lint - command: ./scripts/lint.sh - - name: terraform-security-check - command: ./scripts/security.sh - - name: terraform-apply-and-test - command: ./scripts/ci.sh diff --git a/local.tf b/local.tf index 2286efd..7132853 100644 --- a/local.tf +++ b/local.tf @@ -14,8 +14,6 @@ locals { interpolated_content = templatefile("${path.module}/templates/jx-requirements.yml.tpl", { cluster_name = local.cluster_name region = var.region - // jx2 - is_jx2 = var.is_jx2 // Storage Buckets enable_logs_storage = var.enable_logs_storage logs_storage_bucket = length(module.cluster.logs_jenkins_x) > 0 ? module.cluster.logs_jenkins_x[0] : "" @@ -24,10 +22,6 @@ locals { enable_repository_storage = var.enable_repository_storage repository_storage_bucket = length(module.cluster.repository_jenkins_x) > 0 ? module.cluster.repository_jenkins_x[0] : "" // Vault - vault_kms_key = module.vault.kms_vault_unseal - vault_bucket = module.vault.vault_unseal_bucket - vault_dynamodb_table = module.vault.vault_dynamodb_table - vault_user = var.vault_user vault_url = var.vault_url external_vault = local.external_vault use_vault = var.use_vault 
diff --git a/main.tf b/main.tf
index e999b71..91a8fa9 100644
--- a/main.tf
+++ b/main.tf
@@ -69,7 +69,6 @@ module "cluster" {
 s3_kms_arn = var.s3_kms_arn
 s3_extra_tags = var.s3_extra_tags
 eks_cluster_tags = var.eks_cluster_tags
- is_jx2 = var.is_jx2
 content = local.content
 cluster_endpoint_public_access = var.cluster_endpoint_public_access
 cluster_endpoint_public_access_cidrs = var.cluster_endpoint_public_access_cidrs
@@ -113,19 +112,13 @@ module "cluster" {
 }
 // ----------------------------------------------------------------------------
-// Setup all required resources for using the bank-vaults operator
-// See https://github.com/banzaicloud/bank-vaults
+// Create vault if neeed
+// See https://github.com/bank-vaults/bank-vaults
 // ----------------------------------------------------------------------------
 module "vault" {
 source = "./modules/vault"
- cluster_name = local.cluster_name
- vault_user = var.vault_user
- force_destroy = var.force_destroy
 external_vault = local.external_vault
 use_vault = var.use_vault
- region = var.region
- enable_acl = var.enable_acl
- s3_extra_tags = var.s3_extra_tags
 }
 // ----------------------------------------------------------------------------
@@ -162,13 +155,11 @@ module "dns" {
 module "health" {
 source = "./modules/health"
- is_jx2 = var.is_jx2
 install_kuberhealthy = var.install_kuberhealthy
 }
 module "nginx" {
 source = "./modules/nginx"
- is_jx2 = var.is_jx2
 create_nginx = var.create_nginx
 nginx_release_name = var.nginx_release_name
 nginx_namespace = var.nginx_namespace
diff --git a/modules/backup/main.tf b/modules/backup/main.tf
index 940894d..f934d27 100644
--- a/modules/backup/main.tf
+++ b/modules/backup/main.tf
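Review bot: The new header comment above `module "vault"` has a typo, `// Create vault if neeed`; `// Create vault if needed` reads correctly. Since the module now receives only `external_vault` and `use_vault`, the comment is also a good place to state what still drives creation, e.g. `// Create vault if needed (skipped when use_vault is false or an external vault is configured)` — that wording is inferred from the two remaining inputs, so confirm against modules/vault before adopting it.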
@@ -117,24 +117,9 @@ resource "aws_iam_user_policy" "velero" {
 // ----------------------------------------------------------------------------
 // Setup Kubernetes Velero namespace and service account
 // ----------------------------------------------------------------------------
-resource "kubernetes_namespace" "velero_namespace" {
- count = var.enable_backup && var.is_jx2 ? 1 : 0
-
- metadata {
- name = var.velero_namespace
- }
-
- lifecycle {
- ignore_changes = [
- metadata[0].labels,
- metadata[0].annotations,
- ]
- }
-}
 resource "kubernetes_secret" "credentials-velero" {
 count = var.enable_backup ? 1 : 0
- depends_on = [kubernetes_namespace.velero_namespace[0]]
 metadata {
 name = "velero-secret"
 namespace = var.velero_namespace
diff --git a/modules/backup/variables.tf b/modules/backup/variables.tf
index 5a1c02a..a86f0cd 100644
--- a/modules/backup/variables.tf
+++ b/modules/backup/variables.tf
@@ -51,11 +51,6 @@ variable "s3_extra_tags" {
 default = {}
 }
-variable "is_jx2" {
- default = true
- type = bool
-}
-
 variable "velero_username" {
 description = "The username to be assigned to the Velero IAM user"
 type = string
diff --git a/modules/cluster/charts.tf b/modules/cluster/charts.tf
index 49dcccc..527dfdd 100644
--- a/modules/cluster/charts.tf
+++ b/modules/cluster/charts.tf
@@ -1,5 +1,4 @@
 resource "helm_release" "jx-git-operator" {
- count = var.is_jx2 ? 0 : 1
 name = "jx-git-operator"
 chart = "jx-git-operator"
 namespace = "jx-git-operator"
diff --git a/modules/cluster/irsa.tf b/modules/cluster/irsa.tf
index 55845fa..ff57953 100644
--- a/modules/cluster/irsa.tf
+++ b/modules/cluster/irsa.tf
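Review bot: With `kubernetes_namespace.velero_namespace` and the `depends_on` removed, `kubernetes_secret.credentials-velero` is created in `var.velero_namespace` without anything in this module ensuring that namespace exists or is created first, so an apply on a fresh cluster would presumably fail until Jenkins X 3 has created it; if that ordering is the intended contract, it should be written down, e.g. `// velero_namespace is expected to already exist (created by Jenkins X 3); this module no longer creates it` above the resource or on the `velero_namespace` variable. The header comment kept above the resource, `// Setup Kubernetes Velero namespace and service account`, now overstates what the block does and should drop the namespace part. The body of `kubernetes_secret.credentials-velero` continues outside the hunk.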
@@ -41,32 +41,11 @@ module "iam_assumable_role_tekton_bot" { source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc" version = "~> v3.8.0" create_role = var.create_tekton_role - role_name = var.is_jx2 ? substr("tf-${var.cluster_name}-sa-role-tekton-bot-${local.generated_seed}", 0, 60) : "${local.cluster_trunc}-tekton-bot" + role_name = "${local.cluster_trunc}-tekton-bot" provider_url = local.oidc_provider_url role_policy_arns = var.create_tekton_role ? concat([aws_iam_policy.tekton-bot[0].arn], var.additional_tekton_role_policy_arns) : [""] oidc_fully_qualified_subjects = ["system:serviceaccount:${local.jenkins-x-namespace}:tekton-bot"] } -resource "kubernetes_service_account" "tekton-bot" { - count = var.is_jx2 ? 1 : 0 - automount_service_account_token = true - depends_on = [ - null_resource.kubeconfig - ] - metadata { - name = "tekton-bot" - namespace = kubernetes_namespace.jx[0].id - annotations = { - "eks.amazonaws.com/role-arn" = module.iam_assumable_role_tekton_bot.this_iam_role_arn - } - } - lifecycle { - ignore_changes = [ - metadata[0].labels, - metadata[0].annotations, - secret - ] - } -} // ---------------------------------------------------------------------------- // External DNS IAM Policy, IAM Role and Service Account // ---------------------------------------------------------------------------- 
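Review bot: With the `kubernetes_service_account` resources removed, nothing in this file binds the IAM roles to pods any more: the trust policies still pin `oidc_fully_qualified_subjects` to a single service account (good, least privilege), but the `eks.amazonaws.com/role-arn` annotation that the deleted resources set must now be applied by whatever creates those service accounts, presumably the Jenkins X 3 charts consuming this module's role-ARN outputs. The file gives no hint of that; suggest a comment above `module "iam_assumable_role_tekton_bot"` such as `// Service accounts and their eks.amazonaws.com/role-arn annotations are expected to be created by Jenkins X 3 from the role ARN outputs; the trust policy only admits the subject named below`. The same applies to the external-dns, cert-manager, cainjector and controllerbuild hunks below. The enclosing module blocks start outside the hunk.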
@@ -98,31 +77,10 @@ module "iam_assumable_role_external_dns" { source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc" version = "~> v3.8.0" create_role = var.create_exdns_role - role_name = var.is_jx2 ? substr("tf-${var.cluster_name}-sa-role-external_dns-${local.generated_seed}", 0, 60) : "${local.cluster_trunc}-external-dns" + role_name = "${local.cluster_trunc}-external-dns" provider_url = local.oidc_provider_url role_policy_arns = [var.create_exdns_role ? aws_iam_policy.external-dns[0].arn : ""] - oidc_fully_qualified_subjects = var.is_jx2 ? ["system:serviceaccount:${local.jenkins-x-namespace}:exdns-external-dns"] : ["system:serviceaccount:${local.jenkins-x-namespace}:external-dns"] -} -resource "kubernetes_service_account" "exdns-external-dns" { - count = var.is_jx2 ? 1 : 0 - automount_service_account_token = true - depends_on = [ - null_resource.kubeconfig - ] - metadata { - name = "exdns-external-dns" - namespace = kubernetes_namespace.jx[0].id - annotations = { - "eks.amazonaws.com/role-arn" = module.iam_assumable_role_external_dns.this_iam_role_arn - } - } - lifecycle { - ignore_changes = [ - metadata[0].labels, - metadata[0].annotations, - secret - ] - } + oidc_fully_qualified_subjects = ["system:serviceaccount:${local.jenkins-x-namespace}:external-dns"] } // ---------------------------------------------------------------------------- // Cert Manager IAM Policy, IAM Role and Service Account 
@@ -161,31 +119,10 @@ module "iam_assumable_role_cert_manager" { source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc" version = "~> v3.8.0" create_role = var.create_cm_role - role_name = var.is_jx2 ? substr("tf-${var.cluster_name}-sa-role-cert_manager-${local.generated_seed}", 0, 60) : "${local.cluster_trunc}-cert-manager-cert-manager" + role_name = "${local.cluster_trunc}-cert-manager-cert-manager" provider_url = local.oidc_provider_url role_policy_arns = [var.create_cm_role ? aws_iam_policy.cert-manager[0].arn : ""] - oidc_fully_qualified_subjects = var.is_jx2 ? ["system:serviceaccount:cert-manager:cm-cert-manager"] : ["system:serviceaccount:cert-manager:cert-manager"] -} -resource "kubernetes_service_account" "cm-cert-manager" { - count = var.is_jx2 ? 1 : 0 - automount_service_account_token = true - depends_on = [ - null_resource.kubeconfig - ] - metadata { - name = "cm-cert-manager" - namespace = kubernetes_namespace.cert_manager[0].id - annotations = { - "eks.amazonaws.com/role-arn" = module.iam_assumable_role_cert_manager.this_iam_role_arn - } - } - lifecycle { - ignore_changes = [ - metadata[0].labels, - metadata[0].annotations, - secret - ] - } + oidc_fully_qualified_subjects = ["system:serviceaccount:cert-manager:cert-manager"] } // ---------------------------------------------------------------------------- // CM CAInjector IAM Role and Service Account (Reuses the Cert Manager IAM Policy) 
@@ -194,31 +131,10 @@ module "iam_assumable_role_cm_cainjector" { source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc" version = "~> v3.8.0" create_role = var.create_cmcainjector_role - role_name = var.is_jx2 ? substr("tf-${var.cluster_name}-sa-role-cm_cainjector-${local.generated_seed}", 0, 60) : "${local.cluster_trunc}-cert-manager-cert-manager-cainjector" + role_name = "${local.cluster_trunc}-cert-manager-cert-manager-cainjector" provider_url = local.oidc_provider_url role_policy_arns = [var.create_cmcainjector_role ? aws_iam_policy.cert-manager[0].arn : ""] - oidc_fully_qualified_subjects = var.is_jx2 ? ["system:serviceaccount:cert-manager:cm-cainjector"] : ["system:serviceaccount:cert-manager:cert-manager-cainjector"] -} -resource "kubernetes_service_account" "cm-cainjector" { - count = var.is_jx2 ? 1 : 0 - automount_service_account_token = true - depends_on = [ - null_resource.kubeconfig - ] - metadata { - name = "cm-cainjector" - namespace = kubernetes_namespace.cert_manager[0].id - annotations = { - "eks.amazonaws.com/role-arn" = module.iam_assumable_role_cm_cainjector.this_iam_role_arn - } - } - lifecycle { - ignore_changes = [ - metadata[0].labels, - metadata[0].annotations, - secret - ] - } + oidc_fully_qualified_subjects = ["system:serviceaccount:cert-manager:cert-manager-cainjector"] } // ---------------------------------------------------------------------------- // ControllerBuild IAM Policy, IAM Role and Service Account 
@@ -227,32 +143,11 @@ module "iam_assumable_role_controllerbuild" { source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc" version = "~> v3.8.0" create_role = var.create_ctrlb_role - role_name = var.is_jx2 ? substr("tf-${var.cluster_name}-sa-role-ctrlb-${local.generated_seed}", 0, 60) : "${local.cluster_trunc}-build-ctrl" + role_name = "${local.cluster_trunc}-build-ctrl" provider_url = local.oidc_provider_url role_policy_arns = ["arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonS3FullAccess"] oidc_fully_qualified_subjects = ["system:serviceaccount:jx:jenkins-x-controllerbuild"] } -resource "kubernetes_service_account" "jenkins-x-controllerbuild" { - count = var.is_jx2 ? 1 : 0 - automount_service_account_token = true - depends_on = [ - null_resource.kubeconfig - ] - metadata { - name = "jenkins-x-controllerbuild" - namespace = kubernetes_namespace.jx[0].id - annotations = { - "eks.amazonaws.com/role-arn" = module.iam_assumable_role_controllerbuild.this_iam_role_arn - } - } - lifecycle { - ignore_changes = [ - metadata[0].labels, - metadata[0].annotations, - secret - ] - } -} // ---------------------------------------------------------------------------- // Cluster Autoscaler @@ -262,7 +157,7 @@ module "iam_assumable_role_cluster_autoscaler" { source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc" version = "~> v3.8.0" create_role = var.create_autoscaler_role - role_name = var.is_jx2 ? "tf-${var.cluster_name}-cluster-autoscaler" : "${local.cluster_trunc}-cluster-autoscaler-cluster-autoscaler" + role_name = "${local.cluster_trunc}-cluster-autoscaler-cluster-autoscaler" provider_url = local.oidc_provider_url role_policy_arns = [var.create_autoscaler_role ? aws_iam_policy.cluster_autoscaler[0].arn : ""] oidc_fully_qualified_subjects = ["system:serviceaccount:kube-system:cluster-autoscaler"] diff --git a/modules/cluster/main.tf b/modules/cluster/main.tf index 8cd4d6e..dc5b75f 100644 
--- a/modules/cluster/main.tf +++ b/modules/cluster/main.tf @@ -156,42 +156,6 @@ resource "null_resource" "kubeconfig" { } } -// ---------------------------------------------------------------------------- -// Create the necessary K8s namespaces that we will need to add the -// Service Accounts later -// ---------------------------------------------------------------------------- -resource "kubernetes_namespace" "jx" { - count = var.is_jx2 ? 1 : 0 - depends_on = [ - null_resource.kubeconfig - ] - metadata { - name = "jx" - } - lifecycle { - ignore_changes = [ - metadata[0].labels, - metadata[0].annotations, - ] - } -} - -resource "kubernetes_namespace" "cert_manager" { - count = var.is_jx2 ? 1 : 0 - depends_on = [ - null_resource.kubeconfig - ] - metadata { - name = "cert-manager" - } - lifecycle { - ignore_changes = [ - metadata[0].labels, - metadata[0].annotations, - ] - } -} - // ---------------------------------------------------------------------------- // Add the Terraform generated jx-requirements.yml to a configmap so it can be // sync'd with the Git repository @@ -199,7 +163,6 @@ resource "kubernetes_namespace" "cert_manager" { // https://www.terraform.io/docs/providers/kubernetes/r/namespace.html // ---------------------------------------------------------------------------- resource "kubernetes_config_map" "jenkins_x_requirements" { - count = var.is_jx2 ? 0 : 1 metadata { name = "terraform-jx-requirements" namespace = "default" diff --git a/modules/cluster/outputs.tf b/modules/cluster/outputs.tf index cb05b9b..a44e3cc 100644 --- a/modules/cluster/outputs.tf +++ b/modules/cluster/outputs.tf @@ -3,14 +3,6 @@ output "vpc_id" { description = "The ID of the VPC" } -output "jx_namespace" { - value = kubernetes_namespace.jx -} - -output "cm_namespace" { - value = kubernetes_namespace.cert_manager -} - output "cluster_oidc_issuer_url" { value = local.oidc_provider_url } 
diff --git a/modules/cluster/variables.tf b/modules/cluster/variables.tf index c8d00f0..6ad9ee4 100644 --- a/modules/cluster/variables.tf +++ b/modules/cluster/variables.tf @@ -224,11 +224,6 @@ variable "s3_kms_arn" { default = "" } -variable "is_jx2" { - default = true - type = bool -} - variable "content" { description = "Interpolated jx-requirements.yml" type = string diff --git a/modules/dns/variables.tf b/modules/dns/variables.tf index 4eca732..9d59e1f 100644 --- a/modules/dns/variables.tf +++ b/modules/dns/variables.tf @@ -45,11 +45,6 @@ variable "production_letsencrypt" { default = false } -variable "is_jx2" { - default = true - type = bool -} - variable "manage_apex_domain" { description = "Flag to control if apex domain should be managed/updated by this module. Set this to false,if your apex domain is managed in a different AWS account or different provider" default = true diff --git a/modules/health/main.tf b/modules/health/main.tf index c4ede55..46a872e 100644 --- a/modules/health/main.tf +++ b/modules/health/main.tf @@ -1,4 +1,4 @@ module "jx-health" { - count = !var.is_jx2 && var.install_kuberhealthy ? 1 : 0 + count = var.install_kuberhealthy ? 1 : 0 source = "github.com/jenkins-x/terraform-jx-health?ref=main" } diff --git a/modules/health/variables.tf b/modules/health/variables.tf index 1e17744..cbdf5f7 100644 --- a/modules/health/variables.tf +++ b/modules/health/variables.tf @@ -1,8 +1,3 @@ -variable "is_jx2" { - default = true - type = bool -} - variable "install_kuberhealthy" { description = "Flag to specify if kuberhealthy operator should be installed" type = bool diff --git a/modules/nginx/main.tf b/modules/nginx/main.tf index 3618ba7..624aa2e 100644 --- a/modules/nginx/main.tf +++ b/modules/nginx/main.tf @@ -1,5 +1,5 @@ resource "helm_release" "nginx-ingress" { - count = var.create_nginx && !var.is_jx2 ? 1 : 0 + count = var.create_nginx ? 1 : 0 name = var.nginx_release_name chart = "ingress-nginx" namespace = var.nginx_namespace 
diff --git a/modules/nginx/variables.tf b/modules/nginx/variables.tf index a62d58b..07a3304 100644 --- a/modules/nginx/variables.tf +++ b/modules/nginx/variables.tf @@ -1,8 +1,3 @@ -variable "is_jx2" { - default = true - type = bool -} - variable "create_nginx" { default = false type = bool diff --git a/modules/vault/local.tf b/modules/vault/local.tf index ba78c19..6077a7f 100644 --- a/modules/vault/local.tf +++ b/modules/vault/local.tf @@ -1,9 +1,4 @@ -resource "random_string" "suffix" { - length = 8 - special = false -} locals { - vault_seed = random_string.suffix.result create_vault_resources = var.use_vault && !var.external_vault } diff --git a/modules/vault/main.tf b/modules/vault/main.tf deleted file mode 100644 index 1d24e06..0000000 --- a/modules/vault/main.tf +++ /dev/null 
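Review bot: `local.create_vault_resources` is left behind with no consumer: this commit deletes modules/vault/main.tf and outputs.tf, which as far as the diff shows were the only readers of it, and `random_string.suffix` is removed for exactly that reason. Either drop the `locals` block too, or add a comment naming what still reads it (there may be a file in the module that this diff does not touch). Keeping `var.use_vault && !var.external_vault` around with nothing gating on it invites the next reader to assume Vault resources are still created here.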
@@ -1,236 +0,0 @@ -// ---------------------------------------------------------------------------- -// If the Vault IAM user does exist create one -// See https://www.terraform.io/docs/providers/aws/r/iam_user.html -// ---------------------------------------------------------------------------- - -data "aws_partition" "current" {} -locals { - encryption_algo = var.use_kms_s3 ? "aws:kms" : "AES256" -} - -resource "aws_iam_user" "jenkins-x-vault" { - count = !var.external_vault && var.vault_user == "" && var.use_vault ? 1 : 0 - - name = "jenkins-x-vault" -} - -resource "aws_iam_access_key" "jenkins-x-vault" { - count = !var.external_vault && var.vault_user == "" && var.use_vault ? 1 : 0 - - user = aws_iam_user.jenkins-x-vault[0].name -} - -data "aws_caller_identity" "current" {} - -data "aws_iam_user" "vault_user" { - count = local.create_vault_resources ? 1 : 0 - - user_name = var.vault_user == "" ? aws_iam_user.jenkins-x-vault[0].name : var.vault_user - depends_on = [aws_iam_user.jenkins-x-vault] -} - -// ---------------------------------------------------------------------------- -// Vault S3 bucket -// See https://www.terraform.io/docs/providers/aws/r/s3_bucket.html -// ---------------------------------------------------------------------------- -resource "aws_s3_bucket" "vault-unseal-bucket" { - count = local.create_vault_resources ? 1 : 0 - - bucket_prefix = "vault-unseal-${lower(var.cluster_name)}-" - tags = merge(var.s3_default_tags, var.s3_extra_tags) - force_destroy = var.force_destroy -} - -resource "aws_s3_bucket_acl" "vault-unseal-bucket" { - count = local.create_vault_resources && var.enable_acl ? 1 : 0 - bucket = aws_s3_bucket.vault-unseal-bucket[0].bucket - acl = "private" -} - -resource "aws_s3_bucket_ownership_controls" "vault-unseal-bucket" { - count = local.create_vault_resources && var.enable_acl ? 
1 : 0 - bucket = aws_s3_bucket.vault-unseal-bucket[0].bucket - - rule { - object_ownership = "BucketOwnerEnforced" - } -} - -resource "aws_s3_bucket_versioning" "vault-unseal-bucket" { - count = local.create_vault_resources ? 1 : 0 - bucket = aws_s3_bucket.vault-unseal-bucket[0].bucket - versioning_configuration { - status = "Enabled" - } -} - -resource "aws_s3_bucket_server_side_encryption_configuration" "vault-unseal-bucket" { - count = local.create_vault_resources ? 1 : 0 - bucket = aws_s3_bucket.vault-unseal-bucket[0].bucket - - rule { - apply_server_side_encryption_by_default { - sse_algorithm = local.encryption_algo - kms_master_key_id = var.s3_kms_arn - } - } -} - -// ---------------------------------------------------------------------------- -// Vault DynamoDB Table -// See https://www.terraform.io/docs/providers/aws/r/dynamodb_table.html -// ---------------------------------------------------------------------------- -resource "aws_dynamodb_table" "vault-dynamodb-table" { - count = local.create_vault_resources ? 1 : 0 - - name = "vault-unseal-${var.cluster_name}-${local.vault_seed}" - billing_mode = (var.enable_provisioned_dynamodb ? "PROVISIONED" : "PAY_PER_REQUEST") - read_capacity = (var.enable_provisioned_dynamodb ? var.billing_rcu : null) - write_capacity = (var.enable_provisioned_dynamodb ? var.billing_wcu : null) - hash_key = "Path" - range_key = "Key" - - attribute { - name = "Path" - type = "S" - } - - attribute { - name = "Key" - type = "S" - } - - tags = { - Name = "vault-dynamo-db-table" - } - - lifecycle { - ignore_changes = [ - read_capacity, - write_capacity - ] - } -} - -// ---------------------------------------------------------------------------- -// Vault KMS Key -// See https://www.terraform.io/docs/providers/aws/r/kms_key.html -// ---------------------------------------------------------------------------- -resource "aws_kms_key" "kms_vault_unseal" { - count = local.create_vault_resources ? 
1 : 0 - - description = "KMS Key for bank vault unseal" - enable_key_rotation = var.enable_key_rotation - policy = < 0 ? data.aws_iam_user.vault_user[0].arn : ""}", - "${data.aws_caller_identity.current.arn}", - "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:root" - ] - }, - "Action": "kms:*", - "Resource": "*" - } - ] -} -POLICY -} - -// ---------------------------------------------------------------------------- -// Permissions that will need to be attached to the provides IAM Username -// We will use this IAM User's private keys to authenticate the Vault pod -// against AWS -// ---------------------------------------------------------------------------- -data "aws_iam_policy_document" "vault_iam_user_policy_document" { - count = local.create_vault_resources ? 1 : 0 - - depends_on = [ - aws_dynamodb_table.vault-dynamodb-table, - aws_s3_bucket.vault-unseal-bucket, - aws_kms_key.kms_vault_unseal, - ] - - statement { - sid = "DynamoDB" - effect = "Allow" - - actions = [ - "dynamodb:DescribeLimits", - "dynamodb:DescribeTimeToLive", - "dynamodb:ListTagsOfResource", - "dynamodb:DescribeReservedCapacityOfferings", - "dynamodb:DescribeReservedCapacity", - "dynamodb:ListTables", - "dynamodb:BatchGetItem", - "dynamodb:BatchWriteItem", - "dynamodb:CreateTable", - "dynamodb:DeleteItem", - "dynamodb:GetItem", - "dynamodb:GetRecords", - "dynamodb:PutItem", - "dynamodb:Query", - "dynamodb:UpdateItem", - "dynamodb:Scan", - "dynamodb:DescribeTable", - ] - - resources = [aws_dynamodb_table.vault-dynamodb-table[0].arn] - } - - statement { - sid = "S3" - effect = "Allow" - - actions = [ - "s3:PutObject", - "s3:GetObject", - ] - - resources = ["${aws_s3_bucket.vault-unseal-bucket[0].arn}/*"] - } - - statement { - sid = "S3List" - effect = "Allow" - - actions = [ - "s3:ListBucket", - ] - - resources = [aws_s3_bucket.vault-unseal-bucket[0].arn] - } - - statement { - sid = "KMS" - effect = "Allow" - - actions = [ - "kms:Encrypt", - 
"kms:Decrypt", - ] - - resources = [aws_kms_key.kms_vault_unseal[0].arn] - } -} - -resource "aws_iam_policy" "aws_vault_user_policy" { - count = local.create_vault_resources ? 1 : 0 - - name_prefix = "vault_${var.region}-" - description = "Vault Policy for the provided IAM User" - policy = data.aws_iam_policy_document.vault_iam_user_policy_document[0].json -} - -resource "aws_iam_user_policy_attachment" "attach_vault_policy_to_user" { - count = local.create_vault_resources ? 1 : 0 - - user = data.aws_iam_user.vault_user[0].user_name - policy_arn = aws_iam_policy.aws_vault_user_policy[0].arn -} diff --git a/modules/vault/outputs.tf b/modules/vault/outputs.tf deleted file mode 100644 index 43d18b1..0000000 --- a/modules/vault/outputs.tf +++ /dev/null 
@@ -1,36 +0,0 @@
-
-// ----------------------------------------------------------------------------
-// The created KMS Key ID
-// ----------------------------------------------------------------------------
-output "kms_vault_unseal" {
- value = length(aws_kms_key.kms_vault_unseal) > 0 ? aws_kms_key.kms_vault_unseal[0].id : ""
-
-}
-
-// ----------------------------------------------------------------------------
-// The created S3 Bucket ID
-// ----------------------------------------------------------------------------
-output "vault_unseal_bucket" {
- value = length(aws_s3_bucket.vault-unseal-bucket) > 0 ? aws_s3_bucket.vault-unseal-bucket[0].id : ""
-}
-
-// ----------------------------------------------------------------------------
-// The created DynamoDB ID
-// ----------------------------------------------------------------------------
-output "vault_dynamodb_table" {
- value = length(aws_dynamodb_table.vault-dynamodb-table) > 0 ? aws_dynamodb_table.vault-dynamodb-table[0].id : ""
-}
-
-// ----------------------------------------------------------------------------
-// The Vault user id if one got created
-// ----------------------------------------------------------------------------
-output "vault_user_id" {
- value = var.vault_user == "" ? aws_iam_access_key.jenkins-x-vault.*.id : []
-}
-
-// ----------------------------------------------------------------------------
-// The Vault user secret if one got created
-// ----------------------------------------------------------------------------
-output "vault_user_secret" {
- value = var.vault_user == "" ? aws_iam_access_key.jenkins-x-vault.*.secret : []
-}
diff --git a/modules/vault/variables.tf b/modules/vault/variables.tf
index e54ce69..86a6bcd 100644
--- a/modules/vault/variables.tf
+++ b/modules/vault/variables.tf
@@ -1,33 +1,6 @@ -// ---------------------------------------------------------------------------- -// Required Variables -// ---------------------------------------------------------------------------- -variable "region" { - type = string - default = "us-east-1" -} - -variable "cluster_name" { - type = string -} - -variable "vault_user" { - type = string -} - -variable "force_destroy" { - description = "Flag to determine whether storage buckets get forcefully destroyed. If set to false, empty the bucket first in the aws s3 console, else terraform destroy will fail with BucketNotEmpty error" - type = bool - default = false -} - // ---------------------------------------------------------------------------- // Optional Variables // Optional Variables // ---------------------------------------------------------------------------- -variable "enable_key_rotation" { - description = "Flag to enable kms key rotation" - type = bool - default = true -} variable "external_vault" { description = "Whether or not Jenkins X creates and manages the Vault instance. If set to true a external Vault URL needs to be provided" 
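Review bot: The surviving section header in this hunk reads `// Optional Variables` twice, a pre-existing duplicate that now becomes the only header in the file; drop one of the two lines while touching this block. With the required-variables section gone, `external_vault` and `use_vault` are the module's entire interface, so each description should say what still depends on the flag (as far as this diff shows, only `local.create_vault_resources` in local.tf).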
@@ -35,64 +8,8 @@ variable "external_vault" { default = false } -// ---------------------------------------------------------------------------- -// DynamoDB Variables -// ---------------------------------------------------------------------------- - -variable "billing_rcu" { - description = "The Read Capacity Units of DynamoDB when using PROVISIONED" - type = number - default = 2 -} - -variable "billing_wcu" { - description = "The Write Capacity Units of DynamoDB when using PROVISIONED" - type = number - default = 2 -} - -variable "enable_provisioned_dynamodb" { - description = "Flag to enable provisioned billing for DynamoDB" - type = bool - default = false -} - -variable "use_kms_s3" { - description = "Flag to determine whether kms should be used for encrypting s3 buckets" - type = bool - default = false -} - -variable "s3_kms_arn" { - description = "ARN of the kms key used for encrypting s3 buckets" - type = string - default = "" -} - -variable "s3_default_tags" { - description = "Default tags for s3 buckets" - type = map - default = { Name = "Vault unseal bucket" } -} - -variable "s3_extra_tags" { - description = "Add new tags for s3 buckets" - type = map - default = {} -} - -variable "is_jx2" { - default = true - type = bool -} - variable "use_vault" { description = "Flag to control vault resource creation" type = bool default = true } - -variable "enable_acl" { - description = "Flag to enable ACL instead of bucket ownership for S3 storage" - type = bool -} diff --git a/outputs.tf b/outputs.tf index d11e153..67715a2 100644 --- a/outputs.tf +++ b/outputs.tf 
@@ -107,33 +107,6 @@ output "ebscsi_addon_iam_role" { value = module.cluster.ebscsi_addon_iam_role description = "The IAM Role that the EBS CSI Driver addon will assume to authenticate" } -// ---------------------------------------------------------------------------- -// Vault Resources -// ---------------------------------------------------------------------------- -output "vault_unseal_bucket" { - value = module.vault.vault_unseal_bucket - description = "The Vault storage bucket" -} - -output "vault_dynamodb_table" { - value = module.vault.vault_dynamodb_table - description = "The Vault DynamoDB table" -} - -output "vault_kms_unseal" { - value = module.vault.kms_vault_unseal - description = "The Vault KMS Key for encryption" -} - -output "vault_user_id" { - value = length(module.vault.vault_user_id) > 0 ? module.vault.vault_user_id[0] : "" - description = "The Vault IAM user id" -} - -output "vault_user_secret" { - value = length(module.vault.vault_user_secret) > 0 ? module.vault.vault_user_secret[0] : "" - description = "The Vault IAM user secret" -} // ---------------------------------------------------------------------------- // DNS diff --git a/scripts/aws-asume-role.sh b/scripts/aws-asume-role.sh deleted file mode 100755 index 9956f0a..0000000 --- a/scripts/aws-asume-role.sh +++ /dev/null 
@@ -1,37 +0,0 @@ -#!/usr/bin/env sh -# -# Creating and exporting temporary security credentials by assuming a specified role. -# It also assumes that MFA authentication is enabled and MFA devide id as well as current -# valid token are provided. -# -# This script needs to be evaluated into the current terminal session to take effect: -# -# eval $(./aws-asume-role.sh ) - -# exit when any command fails -set -e - -if [ $# -ne 3 ]; then - echo "Usage 'eval \$($0 )'" >&2 - exit 1 -fi - -temp_credentials=$(mktemp) -trap "rm -f ${temp_credentials}" EXIT - -unset AWS_ACCESS_KEY_ID -unset AWS_SECRET_ACCESS_KEY -unset AWS_SESSION_TOKEN -unset AWS_TOKEN_EXPIRATION - -aws sts assume-role --role-arn $1 --role-session-name AWSCLI-Session --serial-number $2 --token-code $3 --duration-seconds 3600 > ${temp_credentials} - -acess_key=$(jq -r .Credentials.AccessKeyId ${temp_credentials}) -secret_access_key=$(jq -r .Credentials.SecretAccessKey ${temp_credentials}) -session_token=$(jq -r .Credentials.SessionToken ${temp_credentials}) -token_expiration=$(jq -r .Credentials.Expiration ${temp_credentials}) - -echo export AWS_ACCESS_KEY_ID=${acess_key} -echo export AWS_SECRET_ACCESS_KEY=${secret_access_key} -echo export AWS_SESSION_TOKEN=${session_token} -echo export AWS_TOKEN_EXPIRATION=${token_expiration} diff --git a/scripts/ci.sh b/scripts/ci.sh deleted file mode 100755 index 16521b0..0000000 --- a/scripts/ci.sh +++ /dev/null 
@@ -1,26 +0,0 @@ -#!/bin/sh - -set -e -set -u - -# Checking AWS Installation -aws --version - -#echo "Installing aws-iam-authenticator" -# Install aws-iam-authenticator to be able to connect to the cluster -#curl -o aws-iam-authenticator https://amazon-eks.s3-us-west-2.amazonaws.com/1.15.10/2020-02-22/bin/linux/amd64/aws-iam-authenticator -#chmod +x ./aws-iam-authenticator -#mkdir -p $HOME/bin && cp ./aws-iam-authenticator $HOME/bin/aws-iam-authenticator && export PATH=$PATH:$HOME/bin -#echo 'export PATH=$PATH:$HOME/bin' >> ~/.bashrc - -# Checking installation -aws-iam-authenticator help - -#echo "Installing the AWS CLI" -# Install the AWS CLI to run commands in tests -#curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" -#unzip awscliv2.zip > /dev/null -#./aws/install - -echo "Running terratest" -TF_VAR_vault_user=$(echo ${VAULT_USER} | tr -d '\n') make test diff --git a/scripts/lint.sh b/scripts/lint.sh deleted file mode 100755 index 582e6be..0000000 --- a/scripts/lint.sh +++ /dev/null @@ -1,11 +0,0 @@ -#!/bin/sh - -set -e -set -u - -echo "linting terraform" - -terraform init -terraform version -terraform validate - diff --git a/scripts/release.sh b/scripts/release.sh deleted file mode 100755 index 290218c..0000000 --- a/scripts/release.sh +++ /dev/null @@ -1,13 +0,0 @@ -#!/usr/bin/env bash -# -# Script to release a new Terraform module version. - -set -e - -if [ -z "$GH_TOKEN" ] -then - echo "A valif GitHub token must be set via the environment variable GH_TOKEN" - exit 1 -fi - -docker run -w /app --rm -v $(pwd):/app -e GH_TOKEN=$GH_TOKEN gtramontina/semantic-release:17.0.2 -r https://github.com/jenkins-x/terraform-aws-eks-jx --no-ci \ No newline at end of file diff --git a/scripts/security.sh b/scripts/security.sh deleted file mode 100755 index cc035c2..0000000 --- a/scripts/security.sh +++ /dev/null 
@@ -1,14 +0,0 @@ -#!/bin/sh - -set -e -set -u - -echo "terraform security check" - -#export TFSEC="tfsec" -#curl -L "https://github.com/tfsec/tfsec/releases/download/v0.37.3/tfsec-linux-amd64" > $TFSEC -#chmod +x $TFSEC - -tfsec --version - -tfsec -e AWS002,AWS017 diff --git a/templates/jx-requirements.yml.tpl b/templates/jx-requirements.yml.tpl index 08557c8..8b98f4e 100644 --- a/templates/jx-requirements.yml.tpl +++ b/templates/jx-requirements.yml.tpl @@ -9,9 +9,6 @@ cluster: region: "${region}" registry: "${registry}" project: "${project}" -%{ if is_jx2 } -gitops: true -%{ endif } ingress: domain: "${domain}" ignoreLoadBalancer: ${ignoreLoadBalancer} @@ -21,34 +18,16 @@ ingress: enabled: ${enable_tls} production: ${use_production_letsencrypt} %{ if tls_secret_name != ""}secretName: ${tls_secret_name}%{ endif } -%{ if is_jx2 } -kaniko: true -%{ endif} %{ if use_vault } secretStorage: vault vault: %{ if external_vault } url: ${vault_url} -%{ else } - aws: - iamUserName: "${vault_user}" - dynamoDBTable: "${vault_dynamodb_table}" - dynamoDBRegion: "${region}" - kmsKeyId: "${vault_kms_key}" - kmsRegion: "${region}" - s3Bucket: "${vault_bucket}" - s3Region: "${region}" %{ endif } %{ endif } %{ if use_asm } secretStorage: secretsManager %{ endif } -%{ if enable_backup && is_jx2 } -velero: - namespace: ${velero_namespace} - schedule: "${velero_schedule}" - ttl: "${velero_ttl}" -%{ endif } storage: backup: enabled: ${enable_backup} @@ -64,9 +43,4 @@ storage: repository: enabled: ${enable_repository_storage} url: s3://${repository_storage_bucket} -%{ if is_jx2 } -versionStream: - ref: master - url: https://github.com/jenkins-x/jenkins-x-versions.git -%{ endif } webhook: lighthouse diff --git a/test/terraform_eks_test.go b/test/terraform_eks_test.go index 377ef75..b42ed23 100644 --- a/test/terraform_eks_test.go +++ b/test/terraform_eks_test.go 
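Review bot: Deleting scripts/security.sh removes the only tfsec invocation visible in this diff, and the jenkins-x.yml removal in the diffstat suggests the pipeline that called it is gone too; unless the replacement CI (not shown here) runs tfsec or an equivalent Terraform scanner, the module loses its static security check, along with the `AWS002,AWS017` exclusions that recorded accepted findings. Worth stating in the commit description where the scan now lives, or keeping the script until it does. The same question applies to the scripts/lint.sh deletion (`terraform validate`).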
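Review bot: After removing the `%{ else }` branch, a configuration with `use_vault = true` and `external_vault = false` renders `vault:` with no children, i.e. a YAML null under `secretStorage: vault`. That is presumably what jx3 expects for a cluster-managed Vault, but it is worth confirming against the jx-requirements schema, or moving the `vault:` line inside the `%{ if external_vault }` block so the key is only emitted together with `url: ${vault_url}`. If null is intended, a template comment saying so would save the next reader the same check.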
@@ -110,17 +110,4 @@ func TestTerraformEksJX(t *testing.T) { RoleName: aws.String(addRole), }) assert.NoError(t, err) - - // Vault - vaultBucket := terraform.Output(t, tfOptions, "vault_unseal_bucket") - aws2.AssertS3BucketExists(t, region, vaultBucket) - - vaultDynamoTable := terraform.Output(t, tfOptions, "vault_dynamodb_table") - results := aws2.GetDynamoDBTable(t, region, vaultDynamoTable) - assert.NotEmpty(t, results) - - vaultKMS := terraform.Output(t, tfOptions, "vault_kms_unseal") - kmsClient := kms.NewFromConfig(cfg) - _, err = kmsClient.DescribeKey(context.TODO(), &kms.DescribeKeyInput{KeyId: aws.String(vaultKMS)}) - assert.NoError(t, err) } diff --git a/variables.tf b/variables.tf index b4b51d6..fd16f0a 100644 --- a/variables.tf +++ b/variables.tf @@ -27,11 +27,6 @@ variable "cluster_version" { // ---------------------------------------------------------------------------- // Vault // ---------------------------------------------------------------------------- -variable "vault_user" { - description = "The AWS IAM Username whose credentials will be used to authenticate the Vault pods against AWS" - type = string - default = "" -} variable "vault_url" { description = "URL to an external Vault instance in case Jenkins X does not create its own system Vault" @@ -346,12 +341,6 @@ variable "eks_cluster_tags" { default = {} } -variable "is_jx2" { - default = true - type = bool - description = "Flag to specify if jx2 related resources need to be created" -} - variable "ignoreLoadBalancer" { default = false type = bool
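Review bot: Removing the Vault assertions may leave `kms`, `context` and `aws2` imported but unused, and `cfg` declared but unused, if these lines were their only use in the file; Go treats both as compile errors, and the hunk does not touch the import block or the `cfg` declaration, which start outside the hunk along with the rest of `TestTerraformEksJX`. Worth confirming with `go vet ./test/...` before merging and dropping any now-dead imports in the same commit.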