Merge pull request #127 from sassoftware/staging
March Release - 3.3.0
riragh authored Mar 18, 2022
2 parents 4288b17 + acfbb58 commit 5c90f2f
Showing 11 changed files with 65 additions and 77 deletions.
25 changes: 15 additions & 10 deletions docs/CONFIG-VARS.md
Expand Up @@ -60,21 +60,24 @@ You can use either static credentials or the name of an AWS profile. If both are

## Admin Access

By default, the API of the AWS resources that are being created is only accessible through authenticated AWS clients (for example, the AWS Portal, the AWS CLI, etc.).
To enable access for other administrative client applications (for example `kubectl`, `psql`, etc.), you must open the AWS firewall to allow access from your source IP addresses.
To do this, specify ranges of IP addresses in [CIDR notation](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing).
Contact your Network Administrator to find the public CIDR range of your network.
By default, the pubic endpoints of the AWS resources that are being created are only accessible through authenticated AWS clients (for example, the AWS Portal, the AWS CLI, etc.).
To enable access for other administrative client applications (for example `kubectl`, `psql`, etc.), you can set Security Group rules to control access from your source IP addresses.

Please note that these values are used to add Ingress rules into to an AWS Security Group that by default gets created by terraform. If you specify a pre-existing [Security Group](#use_existing), you need to add your access CIDRs to that Security Group yourself. The values in this section will not be applied.
To set these permissions as part of this Terraform script, specify ranges of IP addresses in [CIDR notation](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing). Contact your Network Administrator to find the public CIDR range of your network.

You can use `default_public_access_cidrs` to set a default range for all created resources. To set different ranges for other resources, define the appropriate variable. Use an empty list `[]` to disallow access explicitly.
NOTE: When deploying infrastructure into a private network (e.g. a VPN), with no public endpoints, the options documented in this block are not applicable.

NOTE: The script will either create a new Security Group, or use an existing Security Group, if specified in the `security_group_id` variable.

You can use `default_public_access_cidrs` to set a default range for all created resources. To set different ranges for other resources, define the appropriate variable. Use an empty list [] to disallow access explicitly.

| <div style="width:50px">Name</div> | <div style="width:150px">Description</div> | <div style="width:50px">Type</div> | <div style="width:75px">Default</div> | <div style="width:150px">Notes</div> |
| :--- | :--- | :--- | :--- | :--- |
| default_public_access_cidrs | IP address ranges that are allowed to access all created cloud resources | list of strings | | Used to to set a default for all resources. |
| cluster_endpoint_public_access_cidrs | IP address ranges that are allowed to access the AKS cluster API | list of strings | | Used to enable client admin access to the cluster, with `kubectl` for example. |
| vm_public_access_cidrs | IP address ranges that are allowed to access the VMs | list of strings | | Opens port 22 for SSH access to the jump VM and/or NFS VM. |
| postgres_access_cidrs | IP address ranges that are allowed to access the AWS PostgreSQL server | list of strings |||
| default_public_access_cidrs | IP address ranges that are allowed to access all created cloud resources | list of strings | | Set a default for all resources. |
| cluster_endpoint_public_access_cidrs | IP address ranges that are allowed to access the AKS cluster API | list of strings | | For client admin access to the cluster api (by kubectl, for example). Only used with `cluster_api_mode=public` |
| vm_public_access_cidrs | IP address ranges that are allowed to access the VMs | list of strings | | Opens port 22 for SSH access to the jump server and/or NFS VM by adding Ingress Rule on the Security Group. Only used with `create_jump_public_ip=true` or `create_nfs_public_ip=true`. |
| postgres_access_cidrs | IP address ranges that are allowed to access the AWS PostgreSQL server | list of strings || Opens port 5432 by adding Ingress Rule on the Security Group. Only used when creating postgres instances.|

## Networking
| Name | Description | Type | Default | Notes |
| :--- | ---: | ---: | ---: | ---: |
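Review bot: the row named `postgres_access_cidrs` does not match the variable the code reads, `var.postgres_public_access_cidrs` (see locals.tf in this same commit and the Security Groups table in BYOnetwork.md); a user who follows this table sets a variable Terraform only warns about, and the port 5432 ingress rule is built from the fallback `default_public_access_cidrs` instead of the intended list, so the row should read `postgres_public_access_cidrs`. Smaller points in the same hunk: "pubic endpoints" should be "public endpoints", the `cluster_endpoint_public_access_cidrs` row still says "AKS cluster API" in an EKS document, and `[]` lost its backticks in the rewritten "Use an empty list" sentence.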
Expand Down Expand Up @@ -202,6 +205,7 @@ Custom policy:
| tags | Map of common tags to be placed on all AWS resources created by this script | map | { project_name = "viya" } | |
| autoscaling_enabled | Enable cluster autoscaling | bool | true | |
| ssh_public_key | File name of public ssh key for jump and nfs VM | string | "~/.ssh/id_rsa.pub" | Required with `create_jump_vm=true` or `storage_type=standard` |
| cluster_api_mode | Public or private IP for the cluster api| string|"public"|Valid Values: "public", "private" |

## Node Pools

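Review bot: the new `cluster_api_mode` row should state what "private" does to the Admin Access settings: locals.tf in this commit forces `cluster_endpoint_public_access_cidrs` to `[]` when the mode is private, so the public endpoint is closed and that CIDR list is ignored; a link to #admin-access, plus a `validation` block on the variable restricting it to "public"/"private" (variables.tf is not among the files shown), would keep the table and the code in step. The cell spacing in `api| string|"public"|` also differs from the other rows.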
Expand Down Expand Up @@ -306,6 +310,7 @@ Each server element, like `foo = {}`, can contain none, some, or all of the para
| parameters | additional parameters for PostgreSQL server | list(map(string)) | [] | More details can be found [here](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Appendix.PostgreSQL.CommonDBATasks.html#Appendix.PostgreSQL.CommonDBATasks.Parameters) |
| options | additional options for PostgreSQL server | any | [] | |


Here is a sample of the `postgres_servers` variable with the `default` entry only overriding the `administrator_password` parameter and the `cps` entry overriding all of the parameters:

```terraform
Expand Down
11 changes: 4 additions & 7 deletions docs/user/BYOnetwork.md
Expand Up @@ -6,10 +6,10 @@ You have the option to use existing network resources with SAS Viya 4 Terraform

| Scenario|Required Variables|Additional Requirements|Resources to be Created|
| :--- | :--- | :--- | :--- |
| 1. When you have to work with an existing VPC | `vpc_id` | <ul><li>VPC does not contain any Subnets or other [Network components](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Networking.html)</li><li>VPC block size must be IPv4 with '/16' netmask (supports 65,536 IP addresses)</li><li>`DNS hostnames` and `DNS resolution` are enabled</li><li>[`subnets`](../CONFIG-VARS.md#networking) CIDR blocks must match with VPC IPv4 CIDR block</li></ul> | Subnets, NAT Gateway and Security Group|
| 2. When you want to configure all components of your VPC network - Subnets, Routes & associations, Internet and NAT Gateways | `vpc_id`, <br>`subnet_ids` and <br>`nat_id` | <ul><li>This must be a <b>fully functional AWS VPC Network</b></li><li>VPC block size must be IPv4 with '/16' netmask (supports 65,536 IP addresses)</li><li>`DNS hostnames` and `DNS resolution` are enabled</li><li>`subnet_ids` CIDR blocks must match with VPC IPv4 CIDR block</li><li>Subnets Availability Zones must be within the [location](../CONFIG-VARS.md#required-variables)</li><li>AWS Tags with `<prefix>` value replaced with the [prefix](../CONFIG-VARS.md#required-variables) input value for <br>- Public Subnets:<ul><li>`{"kubernetes.io/role/elb"="1"}`</li><li>`{"kubernetes.io/cluster/<prefix>-eks"="shared"}`</li></ul>-Private Subnets:<ul><li>`{"kubernetes.io/role/internal-elb"="1"}`</li><li>`{"kubernetes.io/cluster/<prefix>-eks"="shared"}`</li></ul>See [AWS docs](https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html) for background on subnet tag requirements to match EKS Cluster name| Security Group |
| 3. When you want to configure all components of your VPC network and Security Groups | `vpc_id`,<br>`subnet_ids`, <br>`nat_id`, <br>`security_group_id`, <br>`cluster_security_group_id`, and <br>`workers_security_group_id` |<ul><li>all requirements from Scenarios #2 and [these pre-defined Security Groups](#security-groups)</li></ul>| None |
||||||
| 1. To work with an existing VPC | `vpc_id` | <ul><li>VPC does not contain any Subnets or other [Network components](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Networking.html)</li><li>VPC block size must be IPv4 with '/16' netmask (supports 65,536 IP addresses)</li><li>`DNS hostnames` and `DNS resolution` are enabled</li><li>[`subnets`](../CONFIG-VARS.md#networking) CIDR blocks must match with VPC IPv4 CIDR block</li></ul> | Subnets, NAT Gateway and Security Group|
| 2. To configure all components of your VPC network - Subnets, Routes & associations, Internet and NAT Gateways | `vpc_id`, <br>`subnet_ids` and <br>`nat_id` | <ul><li>all requirements from Scenario #1</li><li>Subnets Availability Zones must be within the [location](../CONFIG-VARS.md#required-variables)</li><li>AWS Tags with `<prefix>` value replaced with the [prefix](../CONFIG-VARS.md#required-variables) input value for <br>- Public Subnets:<ul><li>`{"kubernetes.io/role/elb"="1"}`</li><li>`{"kubernetes.io/cluster/<prefix>-eks"="shared"}`</li></ul>-Private Subnets:<ul><li>`{"kubernetes.io/role/internal-elb"="1"}`</li><li>`{"kubernetes.io/cluster/<prefix>-eks"="shared"}`</li></ul>See [AWS docs](https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html) for background on subnet tag requirements to match EKS Cluster name| Security Group |
| 3. To configure all components of your VPC network and Security Groups | `vpc_id`,<br>`subnet_ids`, <br>`nat_id`, <br>`security_group_id`, <br>`cluster_security_group_id`, and <br>`workers_security_group_id` |<ul><li>all requirements from Scenarios #2 and [these pre-defined Security Groups](#security-groups)</li></ul>| None |


### Security Groups

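Review bot: Scenario 2 now inherits "all requirements from Scenario #1", but the first requirement of Scenario 1 is that the VPC contains no Subnets or other Network components, which contradicts Scenario 2, where the user supplies `subnet_ids` and `nat_id`; the removed row stated the intent correctly ("This must be a fully functional AWS VPC Network"). Suggest listing the shared requirements explicitly (the /16 block size, `DNS hostnames` and `DNS resolution` enabled, subnet CIDR blocks within the VPC block) rather than pointing at the whole of Scenario 1. Also "from Scenarios #2" in row 3 should be "from Scenario #2".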
Expand All @@ -23,7 +23,6 @@ This Security Group is used to set external access to the Jump/NFS VMs and Postg
| Inbound PostgreSQL external | TCP | 5432 | <optional> the value you would set for the [`postgres_public_access_cidrs`](../CONFIG-VARS.md#admin-access) variable | |
| Inbound ssh access for JUMP/NFS VMs | TCP | 22 | the value you would set for the [`vm_public_access_cidrs`](../CONFIG-VARS.md#admin-access) variable ||


#### Cluster Security Group

Allow communication from Node VMs to Cluster control plane.
Expand All @@ -49,8 +48,6 @@ This security group also needs the following tag:

For more information on these Security Groups, please see https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html.



When creating your BYO Network resources you should consult with your Network Administrator and use any of these methods to create a working AWS VPC Network:
- [AWS QuickStarts for VPC](https://aws.amazon.com/quickstart/architecture/vpc/)
- See the "simple-vpc" and "complete-vpc" examples in [terraform-aws-vpc module](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples)
Expand Down
25 changes: 9 additions & 16 deletions locals.tf
@@ -1,3 +1,4 @@

locals {

# General
Expand All @@ -7,25 +8,17 @@ locals {

cluster_name = "${var.prefix}-eks"

# Infrastructure Mode
is_standard = var.infra_mode == "standard" ? true : false
is_private = var.infra_mode == "private" ? true : false

# CIDRs
default_public_access_cidrs = local.is_private ? [] : (var.default_public_access_cidrs == null ? [] : var.default_public_access_cidrs)
vm_public_access_cidrs = local.is_private ? [] : (var.vm_public_access_cidrs == null ? local.default_public_access_cidrs : var.vm_public_access_cidrs)
cluster_endpoint_public_access_cidrs = local.is_private ? [] : (var.cluster_endpoint_public_access_cidrs == null ? local.default_public_access_cidrs : var.cluster_endpoint_public_access_cidrs)
cluster_endpoint_private_access_cidrs = var.cluster_endpoint_private_access_cidrs == null ? [var.vpc_cidr] : var.cluster_endpoint_private_access_cidrs
postgres_public_access_cidrs = local.is_private ? [] : (var.postgres_public_access_cidrs == null ? local.default_public_access_cidrs : var.postgres_public_access_cidrs)

# IPs
create_jump_public_ip = var.create_jump_public_ip == null ? local.is_standard : var.create_jump_public_ip
create_nfs_public_ip = var.create_nfs_public_ip == null ? local.is_standard : var.create_nfs_public_ip
default_public_access_cidrs = var.default_public_access_cidrs == null ? [] : var.default_public_access_cidrs
vm_public_access_cidrs = var.vm_public_access_cidrs == null ? local.default_public_access_cidrs : var.vm_public_access_cidrs
cluster_endpoint_public_access_cidrs = var.cluster_api_mode == "private" ? [] : (var.cluster_endpoint_public_access_cidrs == null ? local.default_public_access_cidrs : var.cluster_endpoint_public_access_cidrs)
cluster_endpoint_private_access_cidrs = var.cluster_endpoint_private_access_cidrs == null ? distinct(concat(module.vpc.public_subnet_cidrs, module.vpc.private_subnet_cidrs)) : var.cluster_endpoint_private_access_cidrs
postgres_public_access_cidrs = var.postgres_public_access_cidrs == null ? local.default_public_access_cidrs : var.postgres_public_access_cidrs

# Subnets
jump_vm_subnet = local.create_jump_public_ip ? module.vpc.public_subnets[0] : module.vpc.private_subnets[0]
nfs_vm_subnet = local.create_nfs_public_ip ? module.vpc.public_subnets[0] : module.vpc.private_subnets[0]
nfs_vm_subnet_az = local.create_nfs_public_ip ? module.vpc.public_subnet_azs[0] : module.vpc.private_subnet_azs[0]
jump_vm_subnet = var.create_jump_public_ip ? module.vpc.public_subnets[0] : module.vpc.private_subnets[0]
nfs_vm_subnet = var.create_nfs_public_ip ? module.vpc.public_subnets[0] : module.vpc.private_subnets[0]
nfs_vm_subnet_az = var.create_nfs_public_ip ? module.vpc.public_subnet_azs[0] : module.vpc.private_subnet_azs[0]

ssh_public_key = ( var.create_jump_vm || var.storage_type == "standard"
? file(var.ssh_public_key)
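Review bot: dropping `is_private` removes the gate that emptied `default_public_access_cidrs`, `vm_public_access_cidrs` and `postgres_public_access_cidrs` in private mode; after this change only the cluster endpoint is tied to `cluster_api_mode`, so a deployment with a private cluster API that also sets `create_jump_public_ip=true` or creates a PostgreSQL server still gets port 22/5432 ingress rules from those CIDR lists. If that is intended, the Admin Access docs should say so. Two further checks: `create_jump_public_ip` and `create_nfs_public_ip` are now read straight from `var.*` in the subnet selection, so their declarations must default to a boolean rather than `null` (the removed lines handled `null`); and the new default `distinct(concat(module.vpc.public_subnet_cidrs, module.vpc.private_subnet_cidrs))` for `cluster_endpoint_private_access_cidrs` relies on the VPC module exposing those outputs for BYO subnets (`subnet_ids`) as well as created ones, otherwise the private-access SG rule is evaluated against an empty list.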
Expand Down
8 changes: 1 addition & 7 deletions main.tf
Expand Up @@ -68,7 +68,6 @@ module "vpc" {
security_group_id = local.security_group_id
cidr = var.vpc_cidr
azs = data.aws_availability_zones.available.names
vpc_private_enabled = local.is_private
existing_subnet_ids = var.subnet_ids
subnets = var.subnets
existing_nat_id = var.nat_id
Expand All @@ -88,7 +87,7 @@ module "eks" {
cluster_create_endpoint_private_access_sg_rule = true # NOTE: If true cluster_endpoint_private_access_cidrs must always be set
cluster_endpoint_private_access_sg = [local.security_group_id]
cluster_endpoint_private_access_cidrs = local.cluster_endpoint_private_access_cidrs
cluster_endpoint_public_access = local.is_standard
cluster_endpoint_public_access = var.cluster_api_mode == "public" ? true : false
cluster_endpoint_public_access_cidrs = local.cluster_endpoint_public_access_cidrs
write_kubeconfig = false
subnets = module.vpc.private_subnets
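Review bot: `var.cluster_api_mode == "public" ? true : false` is a redundant ternary; the comparison already yields a bool, so `cluster_endpoint_public_access = var.cluster_api_mode == "public"` reads cleaner. Any value other than the two documented ones silently becomes private, which is the safe direction, but a `validation` block on the variable would surface typos at plan time instead of producing an unexpectedly unreachable endpoint.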
Expand All @@ -109,13 +108,8 @@ module "eks" {
tags = var.autoscaling_enabled ? [ { key = "k8s.io/cluster-autoscaler/${local.cluster_name}", value = "owned", propagate_at_launch = true }, { key = "k8s.io/cluster-autoscaler/enabled", value = "true", propagate_at_launch = true} ] : null
metadata_http_tokens = "required"
metadata_http_put_response_hop_limit = 1
bootstrap_extra_args = local.is_private ? "--apiserver-endpoint ${data.aws_eks_cluster.cluster.endpoint} --b64-cluster-ca" + base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data) : ""
iam_instance_profile_name = var.workers_iam_role_name
}

# Added to support EBS CSI driver
# workers_additional_policies = [var.workers_iam_role_name == null ? module.iam_policy.0.arn : null]

worker_groups = local.worker_groups
}

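Review bot: the removed `bootstrap_extra_args` expression joined strings with `+`, which HCL does not support for strings (interpolation or `format()` is needed), so the private branch would have failed with a type error whenever it was taken; removing it together with the private-mode logic is correct, as is dropping the commented-out `workers_additional_policies` line rather than leaving dead code behind. `metadata_http_tokens = "required"` with `metadata_http_put_response_hop_limit = 1` (IMDSv2 only, no container hop) stays in place, which is the right default for worker nodes.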
Expand Down
18 changes: 8 additions & 10 deletions modules/aws_vpc/main.tf
Expand Up @@ -72,7 +72,7 @@ data "aws_subnet" "database" {
# Public subnet
################
resource "aws_subnet" "public" {
count = var.vpc_private_enabled ? 0 : local.existing_public_subnets ? 0 : length(var.subnets["public"])
count = local.existing_public_subnets ? 0 : length(var.subnets["public"])
vpc_id = local.vpc_id
cidr_block = element(var.subnets["public"], count.index)
availability_zone = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) > 0 ? element(var.azs, count.index) : null
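Review bot: with `vpc_private_enabled` removed from every `count` in this module, check that the `variable "vpc_private_enabled"` declaration (modules/aws_vpc/variables.tf, not among the files shown here) is removed as well; otherwise it remains a dead input that a caller may still set believing it suppresses public subnets, the Internet Gateway and the NAT Gateway.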
Expand All @@ -96,7 +96,7 @@ resource "aws_subnet" "public" {
# Internet Gateway
###################
resource "aws_internet_gateway" "this" {
count = var.vpc_private_enabled ? 0 : var.existing_nat_id == null ? 1 : 0
count = var.existing_nat_id == null ? 1 : 0

vpc_id = local.vpc_id

Expand All @@ -112,7 +112,7 @@ resource "aws_internet_gateway" "this" {
# Publiс routes
################
resource "aws_route_table" "public" {
count = var.vpc_private_enabled ? 0 : local.existing_public_subnets ? 0 : 1
count = local.existing_public_subnets ? 0 : 1
vpc_id = local.vpc_id

tags = merge(
Expand All @@ -124,12 +124,11 @@ resource "aws_route_table" "public" {
)
},
var.tags,
var.public_subnet_tags,
)
}

resource "aws_route" "public_internet_gateway" {
count = var.vpc_private_enabled ? 0 : var.existing_nat_id == null ? 1 : 0
count = var.existing_nat_id == null ? 1 : 0

route_table_id = aws_route_table.public[0].id
destination_cidr_block = "0.0.0.0/0"
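Review bot: dropping `var.public_subnet_tags` (and `var.private_subnet_tags` in the private route table further down) from the route table `tags` is right, since the `kubernetes.io/role/elb` and `kubernetes.io/cluster/<prefix>-eks` tags documented in BYOnetwork.md are looked up by EKS and the load balancer controller on subnets, not on route tables; confirm the `aws_subnet` resources still merge them so created subnets end up tagged the same way BYO subnets are required to be.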
Expand All @@ -151,7 +150,7 @@ resource "aws_route_table_association" "private" {
}

resource "aws_route_table_association" "public" {
count = var.vpc_private_enabled ? 0 : local.existing_public_subnets ? 0 :length(var.subnets["public"])
count = local.existing_public_subnets ? 0 :length(var.subnets["public"])

subnet_id = element(aws_subnet.public.*.id, count.index)
route_table_id = element(aws_route_table.public.*.id, 0)
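Review bot: `0 :length(var.subnets["public"])` is missing the space after the colon; it is pre-existing, but since the line is being rewritten anyway, `0 : length(...)` would match the other `count` expressions in this file.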
Expand Down Expand Up @@ -205,7 +204,6 @@ resource "aws_route_table" "private" {
)
},
var.tags,
var.private_subnet_tags,
)
}

Expand Down Expand Up @@ -247,7 +245,7 @@ resource "aws_db_subnet_group" "database" {
}

resource "aws_eip" "nat" {
count = var.vpc_private_enabled ? 0 : var.existing_nat_id == null ? 1 : 0
count = var.existing_nat_id == null ? 1 : 0

vpc = true

Expand All @@ -269,7 +267,7 @@ data "aws_nat_gateway" "nat_gateway" {
}

resource "aws_nat_gateway" "nat_gateway" {
count = var.vpc_private_enabled ? 0 : var.existing_nat_id == null ? 1 : 0
count = var.existing_nat_id == null ? 1 : 0

allocation_id = element(aws_eip.nat.*.id, 0)
subnet_id = local.existing_public_subnets ? element(data.aws_subnet.public.*.id, 0) : element(aws_subnet.public.*.id,0)
Expand All @@ -289,7 +287,7 @@ resource "aws_nat_gateway" "nat_gateway" {
}

resource "aws_route" "private_nat_gateway" {
count = var.vpc_private_enabled ? 0 : var.existing_nat_id == null ? 1 : 0
count = var.existing_nat_id == null ? 1 : 0

route_table_id = element(aws_route_table.private.*.id, count.index)
destination_cidr_block = "0.0.0.0/0"
Expand Down
0 comments on commit 5c90f2f