chore(NMY-555): Moved and cleaned up modules (#4)

* chore(NMY-555): Moved and cleaned up modules

* chore: removed old ecr module

modules/elasticache/main.tf

@@ -0,0 +1,41 @@
+module "redis_security_group" {
+  source = "terraform-aws-modules/security-group/aws"
+  version = "~> 3.0"
+
+  name = "allow-redis-${var.name}"
+  description = "allows access to redis cluster"
+  vpc_id = var.vpc_id
+
+  egress_with_self = [
+    {
+      rule = "all-all"
+    },
+  ]
+
+  computed_ingress_with_cidr_blocks = [
+    {
+      rule = "redis-tcp",
+      cidr_blocks = var.source_subnet
+    },
+  ]
+  number_of_computed_ingress_with_cidr_blocks = 1
+}
+
+resource "aws_elasticache_subnet_group" "this" {
+  name = "${var.name}-${var.engine}-subnet-group"
+  subnet_ids = var.subnet_ids
+}
+
+resource "aws_elasticache_cluster" "this" {
+  cluster_id           = var.name
+  engine               = var.engine
+  node_type            = var.node_type
+  num_cache_nodes      = var.number_of_nodes
+  parameter_group_name = var.parameter_group
+  engine_version       = var.engine_version
+  port                 = 6379
+  tags                 = var.tags
+  security_group_ids   = [module.redis_security_group.this_security_group_id]
+  subnet_group_name    = aws_elasticache_subnet_group.this.name
+}
+

modules/elasticache/variables.tf

@@ -0,0 +1,17 @@
+variable "vpc_id" {}
+variable "subnet_ids" {
+  type = list(string)
+}
+variable "source_subnet" {}
+variable "name" {}
+variable "parameter_group" {}
+
+variable "engine" {}
+variable "engine_version" {}
+variable "node_type" {}
+variable "number_of_nodes" {}
+
+variable "tags" {
+  type = map(string)
+}
+

modules/kubernetes/main.tf

@@ -0,0 +1,23 @@
+data "aws_eks_cluster" "this" {
+  name = var.cluster_id
+}
+
+data "aws_eks_cluster_auth" "this" {
+  name = var.cluster_id
+}
+
+
+provider "kubernetes" {
+  host                   = data.aws_eks_cluster.this.endpoint
+  cluster_ca_certificate = base64decode(data.aws_eks_cluster.this.certificate_authority.0.data)
+  token                  = data.aws_eks_cluster_auth.this.token
+  load_config_file       = false
+}
+
+resource "kubernetes_namespace" "namespaces" {
+  for_each = var.namespaces
+  metadata {
+    name = each.value
+  }
+}
+

modules/kubernetes/variables.tf

@@ -0,0 +1,16 @@
+variable "cluster_id" {
+  type = string
+  description = "name/id of the EKS cluster which will be connected to"
+}
+
+variable "namespaces" {
+  type = set(string)
+  description = "namespaces to create in the cluster"
+}
+
+variable "install_dev_tools" {
+  type = bool
+  description = "Whether to install our devtools or not"
+  default = false
+}
+

modules/msk/main.tf

@@ -0,0 +1,53 @@
+
+
+module "kafka_security_group" {
+  source = "terraform-aws-modules/security-group/aws"
+  version = "~> 3.0"
+
+  name = "allow-kafka-${var.cluster_name}"
+  description = "allows access to kafka brokers"
+  vpc_id = var.vpc_id
+
+  egress_with_self = [
+    {
+      rule = "all-all"
+    },
+  ]
+
+  # allow EKS workloads to access kafka
+  computed_ingress_with_cidr_blocks = [
+    {
+      rule = "kafka-broker-tcp",
+      cidr_blocks = var.source_subnet
+    },
+    {
+      rule = "kafka-broker-tls-tcp",
+      cidr_blocks = var.source_subnet
+    },
+    {
+      rule = "zookeeper-2181-tcp",
+      cidr_blocks = var.source_subnet
+    },
+  ]
+  number_of_computed_ingress_with_cidr_blocks = 3
+}
+
+resource "aws_msk_cluster" "this" {
+  cluster_name = var.cluster_name
+  kafka_version = var.kafka_version
+  number_of_broker_nodes = var.number_of_brokers
+  broker_node_group_info {
+    client_subnets = var.number_of_brokers < length(var.subnet_ids) ? slice(var.subnet_ids, 0, var.number_of_brokers) : var.subnet_ids
+    ebs_volume_size = var.ebs_volume_size
+    instance_type = var.instance_size
+    security_groups = [module.kafka_security_group.this_security_group_id]
+  }
+
+  encryption_info {
+    encryption_in_transit {
+      client_broker = var.TLS_SETTING
+      in_cluster = true
+    }
+  }
+
+}

modules/msk/outputs.tf

@@ -0,0 +1,11 @@
+output "brokers" {
+  value = split(",", aws_msk_cluster.this.bootstrap_brokers)
+}
+
+output "brokers_tls" {
+  value = split(",", aws_msk_cluster.this.bootstrap_brokers_tls)
+}
+
+output "zookeeper" {
+  value = split(",", aws_msk_cluster.this.zookeeper_connect_string)
+}

modules/msk/variables.tf

@@ -0,0 +1,31 @@
+
+variable "cluster_name" {}
+
+variable "kafka_version" {}
+
+variable "number_of_brokers" { 
+  type = number
+}
+
+variable "ebs_volume_size" {
+  type = number
+}
+
+variable "instance_size" {
+  type = string
+}
+
+variable "vpc_id" {}
+
+variable "subnet_ids" {
+  type = list(string)
+}
+
+variable "source_subnet" {
+}
+
+variable "TLS_SETTING" {
+  type = string
+  description = "TLS setting for client broker, can be: TLS, TLS_PLAINTEXT or PLAINTEXT "
+}
+

modules/vault/kubernetes.tf

@@ -0,0 +1,29 @@
+resource "kubernetes_secret" "vault_secret" {
+  metadata {
+    name = "vault-aws-kms-secrets"
+    namespace = var.namespace
+  }
+  data = {
+    access-key = aws_iam_access_key.vault_user_access_key.id
+    access-key-secret = aws_iam_access_key.vault_user_access_key.secret
+    region = var.region
+    kms-id = aws_kms_key.vault_key.id
+    table = aws_dynamodb_table.vault_dynamodb_table.name
+  }
+}
+
+resource "helm_release" "vault" {
+  name = "vault"
+  chart = "vault"
+  repository = "https://helm.releases.hashicorp.com"
+  version = var.vault_version
+  values = [
+    file("${path.module}/values.yaml")]
+
+  namespace = var.namespace
+  depends_on = [
+    aws_dynamodb_table.vault_dynamodb_table,
+    aws_iam_user.vault_user,
+    aws_iam_policy.kms_vault_user_policy
+  ]
+}

modules/vault/main.tf

@@ -0,0 +1,41 @@
+
+resource "aws_kms_key" "vault_key" {
+  description = "Vault key ${var.name}"
+  key_usage   = "ENCRYPT_DECRYPT"
+  tags        = var.common_tags
+}
+
+resource "aws_kms_alias" "vault_alias" {
+  name          = "alias/${var.kms_name}"
+  target_key_id = aws_kms_key.vault_key.id
+}
+
+resource "aws_iam_user" "vault_user" {
+  name = var.username
+  path = "/"
+  tags = var.common_tags
+}
+
+resource "aws_iam_access_key" "vault_user_access_key" {
+  user = aws_iam_user.vault_user.name
+}
+
+
+resource "aws_dynamodb_table" "vault_dynamodb_table" {
+  name = var.dynamodb_name
+  billing_mode = "PAY_PER_REQUEST"
+  tags = var.common_tags
+
+  hash_key = "Path"
+  range_key = "Key"
+
+  attribute {
+    name = "Path"
+    type = "S"
+  }
+
+  attribute {
+    name = "Key"
+    type = "S"
+  }
+}

modules/vault/policies.tf

@@ -0,0 +1,50 @@
+resource "aws_iam_user_policy_attachment" "vault_user_policy" {
+  policy_arn = aws_iam_policy.kms_vault_user_policy.arn
+  user = aws_iam_user.vault_user.name
+}
+
+resource "aws_iam_policy" "kms_vault_user_policy" {
+  name = "${var.username}-to-kms-policy"
+  policy = data.aws_iam_policy_document.kms_use.json
+}
+
+data "aws_iam_policy_document" "kms_use" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:DescribeKey",
+    ]
+    resources = [
+      aws_kms_key.vault_key.arn
+    ]
+  }
+  statement {
+    effect = "Allow"
+    actions = [
+      "dynamodb:DescribeLimits",
+      "dynamodb:DescribeTimeToLive",
+      "dynamodb:ListTagsOfResource",
+      "dynamodb:DescribeReservedCapacityOfferings",
+      "dynamodb:DescribeReservedCapacity",
+      "dynamodb:ListTables",
+      "dynamodb:BatchGetItem",
+      "dynamodb:BatchWriteItem",
+      "dynamodb:CreateTable",
+      "dynamodb:DeleteItem",
+      "dynamodb:GetItem",
+      "dynamodb:GetRecords",
+      "dynamodb:PutItem",
+      "dynamodb:Query",
+      "dynamodb:UpdateItem",
+      "dynamodb:Scan",
+      "dynamodb:DescribeTable"
+    ]
+    resources = [
+      aws_dynamodb_table.vault_dynamodb_table.arn
+    ]
+  }
+}

modules/vault/values.yaml

@@ -0,0 +1,37 @@
+server:
+    extraSecretEnvironmentVars:
+        - envName: AWS_DEFAULT_REGION
+          secretName: "vault-aws-kms-secrets"
+          secretKey: "region"
+        - envName: AWS_ACCESS_KEY_ID
+          secretName: "vault-aws-kms-secrets"
+          secretKey: "access-key"
+        - envName: AWS_SECRET_ACCESS_KEY
+          secretName: "vault-aws-kms-secrets"
+          secretKey: "access-key-secret"
+        - envName: VAULT_AWSKMS_SEAL_KEY_ID
+          secretName: "vault-aws-kms-secrets"
+          secretKey: "kms-id"
+        - envName: AWS_DYNAMODB_TABLE
+          secretName: "vault-aws-kms-secrets"
+          secretKey: "table"
+
+    authDelegator:
+        enabled: true
+    ha:
+        enabled: true
+        replicas: 3
+        config: |
+            ui = true
+            api_addr = "http://POD_ID:8200"
+            seal "awskms" {}
+            listener "tcp" {
+                tls_disable = 1
+                address = "[::]:8200"
+                cluster_address = "[::]:8201"
+            }
+            storage "dynamodb" {
+                ha_enabled = "true"
+            }
+injector:
+    enabled: false

modules/vault/variables.tf

@@ -0,0 +1,30 @@
+variable "name" {
+  type = string
+}
+variable "username" {
+  type = string
+}
+
+variable "kms_name" {
+  type = string
+}
+
+variable "dynamodb_name" {
+  type = string
+}
+
+variable "namespace" {
+  type = string
+}
+
+variable "region" {
+  type = string
+}
+
+variable "common_tags" {
+  type = map(string)
+}
+
+variable "vault_version" {
+  description = "The version of the hashicorp vault helm chart"
+}