diff --git a/helm-values/aws-cicd.yaml b/helm-values/aws-cicd.yaml
new file mode 100644
index 0000000..7de89fd
--- /dev/null
+++ b/helm-values/aws-cicd.yaml
@@ -0,0 +1,233 @@
+# This is a development override file.
+# It overrides the default Tip-Wlan parent chart behaviour
+#
+# It can be tweaked, based on the need to support different
+# dev environments.
+# This file expects to have a GlusterFS storage solution running
+# before "helm install" is performed.
+#################################################################
+# Global configuration overrides.
+#
+# These overrides will affect all helm charts (ie. applications)
+# that are listed below and are 'enabled'.
+#################################################################
+shared:
+ service:
+ srv-https-annotations: &srv-https-annotations
+ kubernetes.io/ingress.class: alb
+ alb.ingress.kubernetes.io/scheme: internet-facing
+ alb.ingress.kubernetes.io/group.name: wlan-testcluster
+ alb.ingress.kubernetes.io/certificate-arn: "arn:aws:acm:us-east-1:289708231103:certificate/eeab0cc5-f6d1-4bf2-a125-9dbf10daed42"
+ alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
+ alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_302"}}'
+
+global:
+ # Change to an unused port prefix range to prevent port conflicts
+ # with other instances running within the same k8s cluster
+ nodePortPrefix: 302
+ nodePortPrefixExt: 304
+ nsPrefix: tip
+ # image pull policy
+ pullPolicy: Always
+ repository: tip-tip-wlan-cloud-docker-repo.jfrog.io
+ # override default mount path root directory
+ # referenced by persistent volumes and log files
+ persistence:
+ # flag to enable debugging - application support required
+ debugEnabled: true
+# Annotations for namespace
+annotations: {
+ "helm.sh/resource-policy": keep
+}
+#createReleaseNamespace: false
+# Docker registry secret
+dockerRegistrySecret: ewoJImF1dGhzIjogewoJCSJ0aXAtdGlwLXdsYW4tY2xvdWQtZG9ja2VyLXJlcG8uamZyb2cuaW8iOiB7CgkJCSJhdXRoIjogImRHbHdMWEpsWVdRNmRHbHdMWEpsWVdRPSIKCQl9Cgl9LAoJIkh0dHBIZWFkZXJzIjogewoJCSJVc2VyLUFnZW50IjogIkRvY2tlci1DbGllbnQvMTkuMDMuOCAobGludXgpIgoJfQp9
+#################################################################
+# Enable/disable and configure helm charts (ie. applications)
+# to customize the TIP-WLAN deployment.
+#################################################################
+opensync-gw-static:
+ enabled: false
+common:
+ efs-provisioner:
+ enabled: false
+ provisioner:
+ efsFileSystemId: fs-49a5104c
+ awsRegion: us-west-2
+ efsDnsName: fs-49a5104c.efs.us-west-2.amazonaws.com
+ storageClass: aws-efs
+opensync-gw-cloud:
+ service:
+ type: LoadBalancer
+ annotations:
+ external-dns.alpha.kubernetes.io/hostname: wlan-filestore.testcluster.lab.wlan.tip.build,opensync-controller.testcluster.lab.wlan.tip.build,opensync-redirector.testcluster.lab.wlan.tip.build
+ service.beta.kubernetes.io/aws-load-balancer-access-log-enabled: "true"
+ service.beta.kubernetes.io/aws-load-balancer-access-log-s3-bucket-name: "alb-logs-tip-wlan-testcluster-xqgkeyjvjk"
+ service.beta.kubernetes.io/aws-load-balancer-access-log-s3-bucket-prefix: "opensync-gw-cloud"
+ enabled: true
+ externalhostaddress:
+ ovsdb: opensync-controller.testcluster.lab.wlan.tip.build
+ mqtt: opensync-mqtt-broker.testcluster.lab.wlan.tip.build
+ persistence:
+ enabled: false
+ filestore:
+ url: "https://wlan-filestore.testcluster.lab.wlan.tip.build"
+opensync-mqtt-broker:
+ service:
+ type: LoadBalancer
+ annotations:
+ external-dns.alpha.kubernetes.io/hostname: "opensync-mqtt-broker.testcluster.lab.wlan.tip.build"
+ service.beta.kubernetes.io/aws-load-balancer-access-log-enabled: "true"
+ service.beta.kubernetes.io/aws-load-balancer-access-log-s3-bucket-name: "alb-logs-tip-wlan-testcluster-xqgkeyjvjk"
+ service.beta.kubernetes.io/aws-load-balancer-access-log-s3-bucket-prefix: "opensync-mqtt-broker"
+ enabled: true
+ replicaCount: 1
+ persistence:
+ enabled: true
+ storageClass: "gp2"
+wlan-cloud-graphql-gw:
+ enabled: true
+ ingress:
+ annotations:
+ <<: *srv-https-annotations
+ enabled: true
+ alb_https_redirect: true
+ hosts:
+ - host: wlan-graphql.testcluster.lab.wlan.tip.build
+ paths: [
+ /*
+ ]
+ env:
+ portalsvc: wlan-portal-svc.testcluster.lab.wlan.tip.build
+wlan-cloud-static-portal:
+ enabled: true
+ env:
+ graphql: https://wlan-graphql.testcluster.lab.wlan.tip.build
+ service:
+ type: NodePort
+ ingress:
+ annotations:
+ <<: *srv-https-annotations
+ alb.ingress.kubernetes.io/load-balancer-attributes: access_logs.s3.enabled=true,access_logs.s3.bucket=alb-logs-tip-wlan-testcluster-xqgkeyjvjk,access_logs.s3.prefix=wlan-testcluster
+ alb_https_redirect: true
+ hosts:
+ - host: wlan-ui.testcluster.lab.wlan.tip.build
+ paths: [
+ /*
+ ]
+wlan-portal-service:
+ service:
+ type: NodePort
+ nodePort_static: false
+ enabled: true
+ persistence:
+ enabled: true
+ storageClass: gp2
+ accessMode: ReadWriteOnce
+ filestoreSize: 10Gi
+ tsp:
+ host: wlan-portal-svc.testcluster.lab.wlan.tip.build
+ ingress:
+ enabled: true
+ alb_https_redirect: true
+ tls: []
+ annotations:
+ <<: *srv-https-annotations
+ alb.ingress.kubernetes.io/backend-protocol: HTTPS
+ alb.ingress.kubernetes.io/healthcheck-protocol: HTTPS
+ alb.ingress.kubernetes.io/healthcheck-port: traffic-port
+ alb.ingress.kubernetes.io/healthcheck-path: /ping
+ hosts:
+ - host: wlan-portal-svc.testcluster.lab.wlan.tip.build
+ paths: [
+ /*
+ ]
+wlan-prov-service:
+ enabled: true
+ creds:
+ enabled: true
+ db:
+ postgresUser:
+ password: postgres
+ tipUser:
+ password: tip_password
+ schema_repo:
+ username: tip-read
+ password: tip-read
+ postgres:
+ singleDataSourceUsername: tip_user
+ singleDataSourcePassword: tip_password
+ singleDataSourceSslKeyPassword: mypassword
+wlan-ssc-service:
+ enabled: true
+ creds:
+ sslKeyPassword: mypassword
+ sslKeystorePassword: mypassword
+ sslTruststorePassword: mypassword
+ cassandra:
+ tip_user: tip_user
+ tip_password: tip_password
+ schema_repo:
+ username: tip-read
+ password: tip-read
+wlan-spc-service:
+ enabled: true
+ creds:
+ sslKeyPassword: mypassword
+ sslKeystorePassword: mypassword
+ sslTruststorePassword: mypassword
+wlan-port-forwarding-gateway-service:
+ enabled: true
+ creds:
+ websocketSessionTokenEncKey: MyToKeN0MyToKeN1
+ externallyVisible:
+ host: api.wlan.testcluster.lab.wlan.tip.build
+ port: 30401
+zookeeper:
+ enabled: true
+ replicaCount: 1
+ persistence:
+ enabled: true
+ storageClass: "gp2"
+kafka:
+ enabled: true
+ replicaCount: 1
+ persistence:
+ enabled: true
+ storageClass: "gp2"
+ creds:
+ sslKeystorePassword: mypassword
+ sslTruststorePassword: mypassword
+ sslKeyPassword: mypassword
+cassandra:
+ enabled: true
+ config:
+ replicaCount: 3
+ seedCount: 2
+ persistence:
+ enabled: true
+ storageClass: "gp2"
+ resources:
+ requests:
+ cpu: 500m
+ memory: 3800Mi
+ limits:
+ cpu: 1000m
+ memory: 3800Mi
+ creds:
+ sslKeystorePassword: mypassword
+ sslTruststorePassword: mypassword
+postgresql:
+ enabled: true
+ postgresqlPassword: postgres
+## NOTE: If we are using glusterfs as Storage class, we don't really need
+## replication turned on, since the data is anyway replicated on glusterfs nodes
+## Replication is useful:
+## a. When we use HostPath as storage mechanism
+## b. If master goes down and one of the slave is promoted as master
+ replication:
+ enabled: true
+ slaveReplicas: 1
+ persistence:
+ enabled: true
+ storageClass: "gp2"
diff --git a/helmfile/cloud-sdk/envs/common/cluster-autoscaler.yaml.gotmpl b/helmfile/cloud-sdk/envs/common/cluster-autoscaler.yaml.gotmpl
index 7742f58..4c7d018 100644
--- a/helmfile/cloud-sdk/envs/common/cluster-autoscaler.yaml.gotmpl
+++ b/helmfile/cloud-sdk/envs/common/cluster-autoscaler.yaml.gotmpl
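Review bot: This new values file commits live credentials in plaintext — `postgresqlPassword: postgres`, `password: tip_password`, `sslKeystorePassword: mypassword` (repeated under wlan-ssc-service, wlan-spc-service, kafka and cassandra), `websocketSessionTokenEncKey: MyToKeN0MyToKeN1` — and `dockerRegistrySecret` is a base64 Docker config whose inner `auth` value decodes to the same `tip-read:tip-read` pair that is written in plaintext under `schema_repo`. These back an internet-facing deployment (`alb.ingress.kubernetes.io/scheme: internet-facing`, plus `type: LoadBalancer` services with no `loadBalancerSourceRanges`), so even for a dev cluster they should be supplied from outside git (a helmfile `requiredEnv` or an uncommitted `-f` override, or a secrets operator), the values here replaced with placeholders, and the jfrog read token rotated since it is now in history. Separately, the shared `actions.ssl-redirect` annotation answers with `HTTP_302`, whereas the Terraform HTTP listeners this commit deletes used `HTTP_301`; a permanent redirect is what clients cache for HTTP→HTTPS, so `"StatusCode": "HTTP_301"` is the safer value if the chart's `alb_https_redirect` wiring uses this annotation as it appears to.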
@@ -10,7 +10,7 @@ rbac:
 create: true
 pspEnabled: true
 serviceAccountAnnotations:
- eks.amazonaws.com/role-arn: arn:aws:iam::{{ .Environment.Values.eks.accountID }}:role/tip-wlan-main-cluster-autoscaler
+ eks.amazonaws.com/role-arn: arn:aws:iam::{{ .Environment.Values.eks.accountID }}:role/{{ .Environment.Values.eks.clusterName }}-cluster-autoscaler
 extraArgs:
 balance-similar-node-groups: true
 skip-nodes-with-system-pods: false
\ No newline at end of file
diff --git a/helmfile/cloud-sdk/envs/common/external-dns.yaml.gotmpl b/helmfile/cloud-sdk/envs/common/external-dns.yaml.gotmpl
index 0b2e43c..17f4d5a 100644
--- a/helmfile/cloud-sdk/envs/common/external-dns.yaml.gotmpl
+++ b/helmfile/cloud-sdk/envs/common/external-dns.yaml.gotmpl
@@ -6,8 +6,9 @@ domainFilters:
 - {{ .Environment.Values.domain }}
 sources:
 - ingress
+- service
 txtOwnerId: /hostedzone/{{ .Environment.Values.eks.hostedZoneId }}
 policy: sync
 rbac:
 serviceAccountAnnotations:
- eks.amazonaws.com/role-arn: arn:aws:iam::{{ .Environment.Values.eks.accountID }}:role/tip-wlan-main-external-dns
\ No newline at end of file
+ eks.amazonaws.com/role-arn: arn:aws:iam::{{ .Environment.Values.eks.accountID }}:role/{{ .Environment.Values.eks.clusterName }}-external-dns
diff --git a/helmfile/cloud-sdk/helmfile.yaml b/helmfile/cloud-sdk/helmfile.yaml
index 8f50964..739f456 100644
--- a/helmfile/cloud-sdk/helmfile.yaml
+++ b/helmfile/cloud-sdk/helmfile.yaml
@@ -1,6 +1,6 @@
 repositories:
 - name: stable
- url: https://kubernetes-charts.storage.googleapis.com
+ url: https://charts.helm.sh/stable
 - name: kiwigrid
 url: https://kiwigrid.github.io
 - name: nginx
@@ -31,7 +31,7 @@ environments:
 clusterName: tip-wlan-main
 region: us-east-2
 accountID: 289708231103
- hostedZoneId: Z09534373UTXT2L1YL912
+ hostedZoneId: Z054431439VV8JBXTLZ8B
 certificateARN: arn:aws:acm:us-east-2:289708231103:certificate/510429bd-1a3d-4c43-90ce-8e340795a888
 - monitoring:
 namespace: monitoring
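Review bot: Adding `- service` as an external-dns source while `policy: sync` stays in force for the whole `{{ .Environment.Values.domain }}` zone means any Service in the cluster that carries an `external-dns.alpha.kubernetes.io/hostname` annotation now creates, and on deletion removes, records in that zone, so every namespace able to create Services can publish or retract names under the domain. If only the opensync LoadBalancer Services are meant to publish, scope the new source (the chart's annotation/label filter settings or a namespace restriction) or move to `policy: upsert-only` so a stray annotation cannot delete records; `txtOwnerId` only fences records from other external-dns instances, not from workloads inside this cluster. A one-line comment next to `- service`, e.g. `# needed for the opensync NLB Services; any annotated Service in the cluster can now write to the zone`, would at least record the trade-off.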
@@ -49,6 +49,8 @@ environments:
 enabled: true
 - external-dns:
 enabled: true
+ - alb-ingress:
+ enabled: true
 helmDefaults:
 force: false
@@ -292,3 +294,17 @@ releases:
 kubernetes.io/ingress.class: nginx-sso
 hosts:
 - kibana.{{ .Environment.Values.domain }}
+- name: aws-load-balancer-controller
+ <<: *default
+ condition: alb-ingress.enabled
+ chart: eks/aws-load-balancer-controller
+ version: 1.0.5
+ values:
+ - serviceAccount:
+ annotations:
+ eks.amazonaws.com/role-arn: arn:aws:iam::{{ .Values.eks.accountID }}:role/{{ .Values.eks.clusterName }}-alb-ingress
+ clusterName: {{ .Values.eks.clusterName }}
+ enableShield: false
+ enableWaf: false
+ enableWafv2: false
+ logLevel: debug
diff --git a/terraform/wifi-289708231103/cloudsdk_cicd/alb_ingress_controller.tf b/terraform/wifi-289708231103/cloudsdk_cicd/alb_ingress_controller.tf
new file mode 100644
index 0000000..346c296
--- /dev/null
+++ b/terraform/wifi-289708231103/cloudsdk_cicd/alb_ingress_controller.tf
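Review bot: The aws-load-balancer-controller release is installed with `logLevel: debug` and with `enableWaf`, `enableWafv2` and `enableShield` all `false`, while the role it assumes (`{{ .Values.eks.clusterName }}-alb-ingress`, created in alb_ingress_controller.tf in this same commit) still grants the `waf-regional`, `wafv2` and `shield` actions; either the internet-facing ALBs are meant to get a WebACL, in which case enable it here, or those grants are dead permissions and should be dropped from the policy. Debug logging on a controller that reconciles every Ingress and Service in the cluster is noisy and tends to print whole object specs into logs; `logLevel: info` is the sane default once the install is verified. A comment next to `version: 1.0.5`, e.g. `# the IAM policy in terraform/.../alb_ingress_controller.tf must be re-synced when this version changes`, would make the coupling between chart and policy explicit.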
@@ -0,0 +1,224 @@
+module "alb_ingress_iam_role" {
+ source = "git::https://github.com/terraform-aws-modules/terraform-aws-iam.git//modules/iam-assumable-role-with-oidc?ref=v2.12.0"
+ role_name = "${module.eks.cluster_id}-alb-ingress"
+ provider_url = local.oidc_provider_url
+ role_policy_arns = [
+ aws_iam_policy.alb_ingress_iam_policy.arn,
+ ]
+ create_role = true
+}
+
+resource "aws_iam_policy" "alb_ingress_iam_policy" {
+ name_prefix = "alb-ingress-iam-policy-"
+ description = "ALB ingress policy for cluster ${local.cluster_name}"
+ policy = data.aws_iam_policy_document.alb_ingress_iam_policy.json
+}
+
+data "aws_iam_policy_document" "alb_ingress_iam_policy" {
+ statement {
+ actions = [
+ "iam:CreateServiceLinkedRole",
+ "ec2:DescribeAccountAttributes",
+ "ec2:DescribeAddresses",
+ "ec2:DescribeInternetGateways",
+ "ec2:DescribeVpcs",
+ "ec2:DescribeSubnets",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeInstances",
+ "ec2:DescribeNetworkInterfaces",
+ "ec2:DescribeTags",
+ "elasticloadbalancing:DescribeLoadBalancers",
+ "elasticloadbalancing:DescribeLoadBalancerAttributes",
+ "elasticloadbalancing:DescribeListeners",
+ "elasticloadbalancing:DescribeListenerCertificates",
+ "elasticloadbalancing:DescribeSSLPolicies",
+ "elasticloadbalancing:DescribeRules",
+ "elasticloadbalancing:DescribeTargetGroups",
+ "elasticloadbalancing:DescribeTargetGroupAttributes",
+ "elasticloadbalancing:DescribeTargetHealth",
+ "elasticloadbalancing:DescribeTags"
+ ]
+ effect = "Allow"
+ resources = ["*"]
+ }
+
+ statement {
+ actions = [
+ "cognito-idp:DescribeUserPoolClient",
+ "acm:ListCertificates",
+ "acm:DescribeCertificate",
+ "iam:ListServerCertificates",
+ "iam:GetServerCertificate",
+ "waf-regional:GetWebACL",
+ "waf-regional:GetWebACLForResource",
+ "waf-regional:AssociateWebACL",
+ "waf-regional:DisassociateWebACL",
+ "wafv2:GetWebACL",
+ "wafv2:GetWebACLForResource",
+ "wafv2:AssociateWebACL",
+ "wafv2:DisassociateWebACL",
+ "shield:GetSubscriptionState",
+ "shield:DescribeProtection",
+ "shield:CreateProtection",
+ "shield:DeleteProtection"
+ ]
+ effect = "Allow"
+ resources = ["*"]
+ }
+
+ statement {
+ actions = [
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:RevokeSecurityGroupIngress"
+ ]
+ effect = "Allow"
+ resources = ["*"]
+ }
+
+ statement {
+ actions = [
+ "ec2:CreateSecurityGroup"
+ ]
+ effect = "Allow"
+ resources = ["*"]
+ }
+
+ statement {
+ actions = [
+ "ec2:CreateTags"
+ ]
+ effect = "Allow"
+ resources = ["arn:aws:ec2:*:*:security-group/*"]
+ condition {
+ test = "StringEquals"
+ values = ["CreateSecurityGroup"]
+ variable = "ec2:CreateAction"
+ }
+
+ condition {
+ test = "Null"
+ values = ["false"]
+ variable = "aws:RequestTag/elbv2.k8s.aws/cluster"
+ }
+ }
+
+ statement {
+ actions = [
+ "ec2:CreateTags",
+ "ec2:DeleteTags"
+ ]
+ effect = "Allow"
+ resources = ["arn:aws:ec2:*:*:security-group/*"]
+
+ condition {
+ test = "Null"
+ values = ["true"]
+ variable = "aws:RequestTag/elbv2.k8s.aws/cluster"
+ }
+
+ condition {
+ test = "Null"
+ values = ["false"]
+ variable = "aws:ResourceTag/elbv2.k8s.aws/cluster"
+ }
+ }
+
+ statement {
+ actions = [
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:RevokeSecurityGroupIngress",
+ "ec2:DeleteSecurityGroup"
+ ]
+ effect = "Allow"
+ resources = ["arn:aws:ec2:*:*:security-group/*"]
+
+ condition {
+ test = "Null"
+ values = ["false"]
+ variable = "aws:ResourceTag/elbv2.k8s.aws/cluster"
+ }
+ }
+
+ statement {
+ actions = [
+ "elasticloadbalancing:CreateLoadBalancer",
+ "elasticloadbalancing:CreateTargetGroup"
+ ]
+ effect = "Allow"
+ resources = ["*"]
+
+ condition {
+ test = "Null"
+ values = ["false"]
+ variable = "aws:RequestTag/elbv2.k8s.aws/cluster"
+ }
+ }
+
+ statement {
+ actions = [
+ "elasticloadbalancing:CreateListener",
+ "elasticloadbalancing:DeleteListener",
+ "elasticloadbalancing:CreateRule",
+ "elasticloadbalancing:DeleteRule"
+ ]
+ effect = "Allow"
+ resources = ["*"]
+ }
+
+ statement {
+ actions = [
+ "elasticloadbalancing:AddTags",
+ "elasticloadbalancing:RemoveTags"
+ ]
+ effect = "Allow"
+ resources = [
+ "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
+ "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
+ "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
+ ]
+ condition {
+ test = "Null"
+ values = ["true"]
+ variable = "aws:RequestTag/elbv2.k8s.aws/cluster"
+ }
+ condition {
+ test = "Null"
+ values = ["false"]
+ variable = "aws:ResourceTag/elbv2.k8s.aws/cluster"
+ }
+ }
+
+ statement {
+ actions = [
+ "elasticloadbalancing:ModifyLoadBalancerAttributes",
+ "elasticloadbalancing:SetIpAddressType",
+ "elasticloadbalancing:SetSecurityGroups",
+ "elasticloadbalancing:SetSubnets",
+ "elasticloadbalancing:DeleteLoadBalancer",
+ "elasticloadbalancing:ModifyTargetGroup",
+ "elasticloadbalancing:ModifyTargetGroupAttributes",
+ "elasticloadbalancing:RegisterTargets",
+ "elasticloadbalancing:DeregisterTargets",
+ "elasticloadbalancing:DeleteTargetGroup"
+ ]
+ effect = "Allow"
+ resources = ["*"]
+ condition {
+ test = "Null"
+ values = ["false"]
+ variable = "aws:ResourceTag/elbv2.k8s.aws/cluster"
+ }
+ }
+
+ statement {
+ actions = [
+ "elasticloadbalancing:SetWebAcl",
+ "elasticloadbalancing:ModifyListener",
+ "elasticloadbalancing:AddListenerCertificates",
+ "elasticloadbalancing:RemoveListenerCertificates",
+ "elasticloadbalancing:ModifyRule"
+ ]
+ effect = "Allow"
+ resources = ["*"]
+ }
+}
diff --git a/terraform/wifi-289708231103/cloudsdk_cicd/cloudsdk_filestore_nlb.tf b/terraform/wifi-289708231103/cloudsdk_cicd/cloudsdk_filestore_nlb.tf
deleted file mode 100644
index e2a1d2b..0000000
--- a/terraform/wifi-289708231103/cloudsdk_cicd/cloudsdk_filestore_nlb.tf
+++ /dev/null
@@ -1,68 +0,0 @@
-resource "aws_lb" "cloudsdk_filestore" {
- name = "${var.deployment}-filestore"
- load_balancer_type = "network"
- internal = false
- enable_cross_zone_load_balancing = true
- subnets = module.vpc_main.public_subnets
- enable_deletion_protection = false
- idle_timeout = 30
- tags = local.tags
-}
-
-resource "aws_lb_target_group" "cloudsdk_filestore" {
- name = "${var.deployment}-filestore"
- port = var.service_ingress["filestore"]["internal_port"]
- protocol = var.service_ingress["filestore"]["internal_protocol"]
- vpc_id = module.vpc_main.vpc_id
- deregistration_delay = 20
- proxy_protocol_v2 = false
-
- health_check {
- interval = 30
- protocol = var.service_ingress["filestore"]["internal_protocol"]
- healthy_threshold = 2
- unhealthy_threshold = 2
- port = var.service_ingress["filestore"]["internal_port"]
- }
-
- tags = local.tags
-}
-
-resource "aws_autoscaling_attachment" "cloudsdk_filestore" {
- for_each = toset(module.eks.workers_asg_names)
- autoscaling_group_name = each.key
- alb_target_group_arn = aws_lb_target_group.cloudsdk_filestore.arn
-}
-
-resource "aws_lb_listener" "cloudsdk_filestore" {
- load_balancer_arn = aws_lb.cloudsdk_filestore.arn
- port = var.service_ingress["filestore"]["external_port"]
- protocol = var.service_ingress["filestore"]["external_protocol"]
-
- default_action {
- target_group_arn = aws_lb_target_group.cloudsdk_filestore.arn
- type = "forward"
- }
-}
-
-resource "aws_security_group_rule" "cloudsdk_filestore" {
- security_group_id = module.eks.worker_security_group_id
- from_port = var.service_ingress["filestore"]["internal_port"]
- to_port = var.service_ingress["filestore"]["internal_port"]
- protocol = "TCP"
- type = "ingress"
- cidr_blocks = ["0.0.0.0/0"]
- ipv6_cidr_blocks = ["::/0"]
-}
-
-resource "aws_route53_record" "cloudsdk_filestore" {
- name = format("wlan-filestore.%s.%s", var.deployment, var.base_domain)
- type = "A"
- zone_id = aws_route53_zone.cloudsdk.zone_id
- allow_overwrite = true
- alias {
- name = aws_lb.cloudsdk_filestore.dns_name
- zone_id = aws_lb.cloudsdk_filestore.zone_id
- evaluate_target_health = true
- }
-}
\ No newline at end of file
diff --git a/terraform/wifi-289708231103/cloudsdk_cicd/cloudsdk_graphql_alb.tf b/terraform/wifi-289708231103/cloudsdk_cicd/cloudsdk_graphql_alb.tf
deleted file mode 100644
index a7008c7..0000000
--- a/terraform/wifi-289708231103/cloudsdk_cicd/cloudsdk_graphql_alb.tf
+++ /dev/null
@@ -1,94 +0,0 @@
-resource "aws_alb" "cloudsdk_graphql" {
- name = "${var.deployment}-graphql"
- internal = false
- security_groups = [aws_security_group.cloudsdk_lb.id]
- enable_cross_zone_load_balancing = true
- subnets = module.vpc_main.public_subnets
- enable_deletion_protection = false
- idle_timeout = 30
- tags = local.tags
-
- access_logs {
- bucket = aws_s3_bucket.alb_logs.id
- prefix = "${var.deployment}-graphql"
- enabled = true
- }
-}
-
-resource "aws_alb_target_group" "cloudsdk_graphql" {
- name = "${var.deployment}-graphql"
- port = var.service_ingress["graphql"]["internal_port"]
- protocol = var.service_ingress["graphql"]["internal_protocol"]
- vpc_id = module.vpc_main.vpc_id
- deregistration_delay = 20
- proxy_protocol_v2 = false
-
- health_check {
- path = var.service_ingress["graphql"]["healthcheck_path"]
- interval = 30
- protocol = var.service_ingress["graphql"]["internal_protocol"]
- matcher = "200"
- timeout = 5
- healthy_threshold = 2
- unhealthy_threshold = 2
- port = var.service_ingress["graphql"]["internal_port"]
- }
-
- tags = local.tags
-}
-
-resource "aws_autoscaling_attachment" "cloudsdk_graphql" {
- for_each = toset(module.eks.workers_asg_names)
- autoscaling_group_name = each.key
- alb_target_group_arn = aws_alb_target_group.cloudsdk_graphql.arn
-}
-
-resource "aws_alb_listener" "cloudsdk_graphql_http" {
- load_balancer_arn = aws_alb.cloudsdk_graphql.arn
- port = "80"
- protocol = "HTTP"
-
- default_action {
- type = "redirect"
-
- redirect {
- protocol = var.service_ingress["graphql"]["external_protocol"]
- status_code = "HTTP_301"
- port = var.service_ingress["graphql"]["external_port"]
- }
- }
-}
-
-resource "aws_alb_listener" "cloudsdk_graphql_https" {
- load_balancer_arn = aws_alb.cloudsdk_graphql.arn
- port = var.service_ingress["graphql"]["external_port"]
- protocol = var.service_ingress["graphql"]["external_protocol"]
- ssl_policy = "ELBSecurityPolicy-TLS-1-2-Ext-2018-06"
- certificate_arn = aws_acm_certificate.cloudsdk.arn
-
- default_action {
- target_group_arn = aws_alb_target_group.cloudsdk_graphql.arn
- type = "forward"
- }
-}
-
-resource "aws_security_group_rule" "cloudsdk_graphql" {
- security_group_id = module.eks.worker_security_group_id
- from_port = var.service_ingress["graphql"]["internal_port"]
- to_port = var.service_ingress["graphql"]["internal_port"]
- protocol = "TCP"
- source_security_group_id = aws_security_group.cloudsdk_lb.id
- type = "ingress"
-}
-
-resource "aws_route53_record" "cloudsdk_graphql" {
- name = format("wlan-graphql.%s.%s", var.deployment, var.base_domain)
- type = "A"
- zone_id = aws_route53_zone.cloudsdk.zone_id
- allow_overwrite = true
- alias {
- name = var.ingress_lb
- zone_id = aws_alb.cloudsdk_graphql.zone_id
- evaluate_target_health = true
- }
-}
\ No newline at end of file
diff --git a/terraform/wifi-289708231103/cloudsdk_cicd/cloudsdk_gwcontroller_nlb.tf b/terraform/wifi-289708231103/cloudsdk_cicd/cloudsdk_gwcontroller_nlb.tf
deleted file mode 100644
index c765114..0000000
--- a/terraform/wifi-289708231103/cloudsdk_cicd/cloudsdk_gwcontroller_nlb.tf
+++ /dev/null
@@ -1,68 +0,0 @@
-resource "aws_lb" "cloudsdk_gwcontroller" {
- name = "${var.deployment}-gwcontroller"
- load_balancer_type = "network"
- internal = false
- enable_cross_zone_load_balancing = true
- subnets = module.vpc_main.public_subnets
- enable_deletion_protection = false
- idle_timeout = 30
- tags = local.tags
-}
-
-resource "aws_lb_target_group" "cloudsdk_gwcontroller" {
- name = "${var.deployment}-gwcontroller"
- port = var.service_ingress["gwcontroller"]["internal_port"]
- protocol = var.service_ingress["gwcontroller"]["internal_protocol"]
- vpc_id = module.vpc_main.vpc_id
- deregistration_delay = 20
- proxy_protocol_v2 = false
-
- health_check {
- interval = 30
- protocol = var.service_ingress["gwcontroller"]["internal_protocol"]
- healthy_threshold = 2
- unhealthy_threshold = 2
- port = "traffic-port"
- }
-
- tags = local.tags
-}
-
-resource "aws_autoscaling_attachment" "cloudsdk_gwcontroller" {
- for_each = toset(module.eks.workers_asg_names)
- autoscaling_group_name = each.key
- alb_target_group_arn = aws_lb_target_group.cloudsdk_gwcontroller.arn
-}
-
-resource "aws_lb_listener" "cloudsdk_gwcontroller" {
- load_balancer_arn = aws_lb.cloudsdk_gwcontroller.arn
- port = var.service_ingress["gwcontroller"]["external_port"]
- protocol = var.service_ingress["gwcontroller"]["external_protocol"]
-
- default_action {
- target_group_arn = aws_lb_target_group.cloudsdk_gwcontroller.arn
- type = "forward"
- }
-}
-
-resource "aws_security_group_rule" "cloudsdk_gwcontroller" {
- security_group_id = module.eks.worker_security_group_id
- from_port = var.service_ingress["gwcontroller"]["internal_port"]
- to_port = var.service_ingress["gwcontroller"]["internal_port"]
- protocol = "TCP"
- type = "ingress"
- cidr_blocks = ["0.0.0.0/0"]
- ipv6_cidr_blocks = ["::/0"]
-}
-
-resource "aws_route53_record" "cloudsdk_gwcontroller" {
- name = format("opensync-controller.%s.%s", var.deployment, var.base_domain)
- type = "A"
- zone_id = aws_route53_zone.cloudsdk.zone_id
- allow_overwrite = true
- alias {
- name = aws_lb.cloudsdk_gwcontroller.dns_name
- zone_id = aws_lb.cloudsdk_gwcontroller.zone_id
- evaluate_target_health = true
- }
-}
\ No newline at end of file
diff --git a/terraform/wifi-289708231103/cloudsdk_cicd/cloudsdk_gwredirector_nlb.tf b/terraform/wifi-289708231103/cloudsdk_cicd/cloudsdk_gwredirector_nlb.tf
deleted file mode 100644
index 3977c21..0000000
--- a/terraform/wifi-289708231103/cloudsdk_cicd/cloudsdk_gwredirector_nlb.tf
+++ /dev/null
@@ -1,68 +0,0 @@
-resource "aws_lb" "cloudsdk_gwredirector" {
- name = "${var.deployment}-gwredirector"
- load_balancer_type = "network"
- internal = false
- enable_cross_zone_load_balancing = true
- subnets = module.vpc_main.public_subnets
- enable_deletion_protection = false
- idle_timeout = 30
- tags = local.tags
-}
-
-resource "aws_lb_target_group" "cloudsdk_gwredirector" {
- name = "${var.deployment}-gwredirector"
- port = var.service_ingress["gwredirector"]["internal_port"]
- protocol = var.service_ingress["gwredirector"]["internal_protocol"]
- vpc_id = module.vpc_main.vpc_id
- deregistration_delay = 20
- proxy_protocol_v2 = false
-
- health_check {
- interval = 30
- protocol = var.service_ingress["gwredirector"]["internal_protocol"]
- healthy_threshold = 2
- unhealthy_threshold = 2
- port = "traffic-port"
- }
-
- tags = local.tags
-}
-
-resource "aws_autoscaling_attachment" "cloudsdk_gwredirector" {
- for_each = toset(module.eks.workers_asg_names)
- autoscaling_group_name = each.key
- alb_target_group_arn = aws_lb_target_group.cloudsdk_gwredirector.arn
-}
-
-resource "aws_lb_listener" "cloudsdk_gwredirector" {
- load_balancer_arn = aws_lb.cloudsdk_gwredirector.arn
- port = var.service_ingress["gwredirector"]["external_port"]
- protocol = var.service_ingress["gwredirector"]["external_protocol"]
-
- default_action {
- target_group_arn = aws_lb_target_group.cloudsdk_gwredirector.arn
- type = "forward"
- }
-}
-
-resource "aws_security_group_rule" "cloudsdk_gwredirector" {
- security_group_id = module.eks.worker_security_group_id
- from_port = var.service_ingress["gwredirector"]["internal_port"]
- to_port = var.service_ingress["gwredirector"]["internal_port"]
- protocol = "TCP"
- type = "ingress"
- cidr_blocks = ["0.0.0.0/0"]
- ipv6_cidr_blocks = ["::/0"]
-}
-
-resource "aws_route53_record" "cloudsdk_gwredirector" {
- name = format("opensync-redirector.%s.%s", var.deployment, var.base_domain)
- type = "A"
- zone_id = aws_route53_zone.cloudsdk.zone_id
- allow_overwrite = true
- alias {
- name = aws_lb.cloudsdk_gwredirector.dns_name
- zone_id = aws_lb.cloudsdk_gwredirector.zone_id
- evaluate_target_health = true
- }
-}
\ No newline at end of file
diff --git a/terraform/wifi-289708231103/cloudsdk_cicd/cloudsdk_lb_shared_resources.tf b/terraform/wifi-289708231103/cloudsdk_cicd/cloudsdk_lb_shared_resources.tf
index eb9dedd..61a8613 100644
--- a/terraform/wifi-289708231103/cloudsdk_cicd/cloudsdk_lb_shared_resources.tf
+++ b/terraform/wifi-289708231103/cloudsdk_cicd/cloudsdk_lb_shared_resources.tf
@@ -1,34 +1,14 @@
-resource "aws_security_group" "cloudsdk_lb" {
- name = "cloudsdk-${var.deployment}-lb"
- description = "SG for EKS LBs servicing ${local.cluster_name}/${var.deployment}} EKS cluster"
- vpc_id = module.vpc_main.vpc_id
- tags = local.tags
-}
-
-resource "aws_security_group_rule" "cloudsdk_lb_egress" {
- from_port = 0
- to_port = 65535
- protocol = -1
- security_group_id = aws_security_group.cloudsdk_lb.id
- type = "egress"
- cidr_blocks = ["0.0.0.0/0"]
- ipv6_cidr_blocks = ["::/0"]
-}
-
-resource "aws_security_group_rule" "cloudsdk_lb_ingress_http" {
- for_each = toset(["80", "443"])
- from_port = each.key
- to_port = each.key
- protocol = "TCP"
- security_group_id = aws_security_group.cloudsdk_lb.id
- type = "ingress"
- cidr_blocks = ["0.0.0.0/0"]
- ipv6_cidr_blocks = ["::/0"]
+resource "random_string" "random_suffix" {
+ length = 10
+ special = false
+ upper = false
+ lower = true
+ number = false
 }
 resource "aws_s3_bucket" "alb_logs" {
- bucket_prefix = "alb-logs-"
- acl = "private"
+ bucket = "alb-logs-${var.org}-${var.project}-${var.deployment}-${random_string.random_suffix.result}"
+ acl = "private"
 versioning {
 enabled = false
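Review bot: The access-log bucket name now ends in `random_string.random_suffix.result`, which exists only after apply, and the Helm values in this same commit hard-code the resulting name (`alb-logs-tip-wlan-testcluster-xqgkeyjvjk`) by hand; expose it as an `output` and template it into the helmfile values, otherwise a re-creation of the random_string (it has no `keepers`) silently leaves every access-log annotation pointing at a bucket that no longer exists. The hunk also deletes the `cloudsdk_lb` security group and its 0.0.0.0/0 rules for 80/443 without saying what takes their place; a comment at the top, e.g. `# Load balancer security groups are now created per-ALB by aws-load-balancer-controller (see alb_ingress_controller.tf)`, would tell the reader where ingress exposure is governed from now on. The `resource "aws_s3_bucket" "alb_logs"` block continues past the end of the hunk.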
@@ -86,12 +66,12 @@ data "aws_iam_policy_document" "alb_logs_policy" {
 resources = ["${aws_s3_bucket.alb_logs.arn}/*"]
- // Elastic Load Balancing Account ID in us-east-2
- // https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html
+ // Elastic Load Balancing Account ID https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html
 principals {
 type = "AWS"
 identifiers = [
- "arn:aws:iam::033677994240:root",
+ "arn:aws:iam::127311923021:root", # us-east-1
+ "arn:aws:iam::033677994240:root", # us-east-2
 ] } }
@@ -130,4 +110,4 @@ resource "aws_route53_record" "aws_route53_zone_cloudsdk_main_glue" {
 type = "NS"
 zone_id = data.terraform_remote_state.route_53.outputs.zone_id
 records = aws_route53_zone.cloudsdk.name_servers
-}
\ No newline at end of file
+}
diff --git a/terraform/wifi-289708231103/cloudsdk_cicd/cloudsdk_mqtt_nlb.tf b/terraform/wifi-289708231103/cloudsdk_cicd/cloudsdk_mqtt_nlb.tf
deleted file mode 100644
index 9d5272d..0000000
--- a/terraform/wifi-289708231103/cloudsdk_cicd/cloudsdk_mqtt_nlb.tf
+++ /dev/null
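Review bot: The bucket-policy statement still grants the regional ELB root accounts `s3:PutObject` on `${aws_s3_bucket.alb_logs.arn}/*` (the `resources` context line at the top of the hunk), and adding the us-east-1 account widens who can write; with the legacy ELB-account principal the documented way to keep load balancers from other AWS accounts out of this bucket is to scope the resource to your own account's log path, which the service always writes under, e.g. `resources = ["${aws_s3_bucket.alb_logs.arn}/*/AWSLogs/${data.aws_caller_identity.current.account_id}/*"]` (add a `data "aws_caller_identity" "current" {}` if the module has none; every annotation in this commit sets a prefix, which the leading `*/` covers). The bucket name is now org/project/deployment plus a ten-letter suffix and is committed in the Helm values, so it should be treated as known rather than secret. A short comment above `identifiers`, e.g. `// AWS-published per-region ELB accounts; extend when the cluster moves region`, would explain why two IDs are listed. The `data "aws_iam_policy_document" "alb_logs_policy"` block starts before the hunk.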
@@ -1,68 +0,0 @@
-resource "aws_lb" "cloudsdk_mqtt" {
- name = "${var.deployment}-mqtt"
- load_balancer_type = "network"
- internal = false
- enable_cross_zone_load_balancing = true
- subnets = module.vpc_main.public_subnets
- enable_deletion_protection = false
- idle_timeout = 30
- tags = local.tags
-}
-
-resource "aws_lb_target_group" "cloudsdk_mqtt" {
- name = "${var.deployment}-mqtt"
- port = var.service_ingress["mqtt"]["internal_port"]
- protocol = var.service_ingress["mqtt"]["internal_protocol"]
- vpc_id = module.vpc_main.vpc_id
- deregistration_delay = 20
- proxy_protocol_v2 = false
-
- health_check {
- interval = 30
- protocol = var.service_ingress["mqtt"]["internal_protocol"]
- healthy_threshold = 2
- unhealthy_threshold = 2
- port = var.service_ingress["mqtt"]["internal_port"]
- }
-
- tags = local.tags
-}
-
-resource "aws_autoscaling_attachment" "cloudsdk_mqtt" {
- for_each = toset(module.eks.workers_asg_names)
- autoscaling_group_name = each.key
- alb_target_group_arn = aws_lb_target_group.cloudsdk_mqtt.arn
-}
-
-resource "aws_lb_listener" "cloudsdk_mqtt" {
- load_balancer_arn = aws_lb.cloudsdk_mqtt.arn
- port = var.service_ingress["mqtt"]["external_port"]
- protocol = var.service_ingress["mqtt"]["internal_protocol"]
-
- default_action {
- target_group_arn = aws_lb_target_group.cloudsdk_mqtt.arn
- type = "forward"
- }
-}
-
-resource "aws_security_group_rule" "cloudsdk_mqtt" {
- security_group_id = module.eks.worker_security_group_id
- from_port = var.service_ingress["mqtt"]["internal_port"]
- to_port = var.service_ingress["mqtt"]["internal_port"]
- protocol = "TCP"
- type = "ingress"
- cidr_blocks = ["0.0.0.0/0"]
- ipv6_cidr_blocks = ["::/0"]
-}
-
-resource "aws_route53_record" "cloudsdk_mqtt" {
- name = format("opensync-mqtt-broker.%s.%s", var.deployment, var.base_domain)
- type = "A"
- zone_id = aws_route53_zone.cloudsdk.zone_id
- allow_overwrite = true
- alias {
- name = aws_lb.cloudsdk_mqtt.dns_name
- zone_id = aws_lb.cloudsdk_mqtt.zone_id
- evaluate_target_health = true
- }
-}
\ No newline at end of file
diff --git a/terraform/wifi-289708231103/cloudsdk_cicd/cloudsdk_portal_alb.tf b/terraform/wifi-289708231103/cloudsdk_cicd/cloudsdk_portal_alb.tf
deleted file mode 100644
index a32eaa2..0000000
--- a/terraform/wifi-289708231103/cloudsdk_cicd/cloudsdk_portal_alb.tf
+++ /dev/null
@@ -1,94 +0,0 @@
-resource "aws_alb" "cloudsdk_portal" {
- name = "${var.deployment}-portal"
- internal = false
- security_groups = [aws_security_group.cloudsdk_lb.id]
- enable_cross_zone_load_balancing = true
- subnets = module.vpc_main.public_subnets
- enable_deletion_protection = false
- idle_timeout = 30
- tags = local.tags
-
- access_logs {
- bucket = aws_s3_bucket.alb_logs.id
- prefix = "${var.deployment}-portal"
- enabled = true
- }
-}
-
-resource "aws_alb_target_group" "cloudsdk_portal" {
- name = "${var.deployment}-portal"
- port = var.service_ingress["portal"]["internal_port"]
- protocol = var.service_ingress["portal"]["internal_protocol"]
- vpc_id = module.vpc_main.vpc_id
- deregistration_delay = 20
- proxy_protocol_v2 = false
-
- health_check {
- path = var.service_ingress["portal"]["healthcheck_path"]
- interval = 30
- protocol = var.service_ingress["portal"]["internal_protocol"]
- matcher = "200"
- timeout = 5
- healthy_threshold = 2
- unhealthy_threshold = 2
- port = var.service_ingress["portal"]["internal_port"]
- }
-
- tags = local.tags
-}
-
-resource "aws_autoscaling_attachment" "cloudsdk_portal" {
- for_each = toset(module.eks.workers_asg_names)
- autoscaling_group_name = each.key
- alb_target_group_arn = aws_alb_target_group.cloudsdk_portal.arn
-}
-
-resource "aws_alb_listener" "cloudsdk_portal_http" {
- load_balancer_arn = aws_alb.cloudsdk_portal.arn
- port = "80"
- protocol = "HTTP"
-
- default_action {
- type = "redirect"
-
- redirect {
- protocol = var.service_ingress["portal"]["external_protocol"]
- status_code = "HTTP_301"
- port = var.service_ingress["portal"]["external_port"]
- }
- }
-}
-
-resource "aws_alb_listener" "cloudsdk_portal_https" {
- load_balancer_arn = aws_alb.cloudsdk_portal.arn
- port = var.service_ingress["portal"]["external_port"]
- protocol = var.service_ingress["portal"]["external_protocol"]
- ssl_policy = "ELBSecurityPolicy-TLS-1-2-Ext-2018-06"
- certificate_arn = aws_acm_certificate.cloudsdk.arn
-
- default_action {
- target_group_arn = aws_alb_target_group.cloudsdk_portal.arn
- type = "forward"
- }
-}
-
-resource "aws_security_group_rule" "cloudsdk_portal" {
- security_group_id = module.eks.worker_security_group_id
- from_port = var.service_ingress["portal"]["internal_port"]
- to_port = var.service_ingress["portal"]["internal_port"]
- protocol = "TCP"
- source_security_group_id = aws_security_group.cloudsdk_lb.id
- type = "ingress"
-}
-
-resource "aws_route53_record" "cloudsdk_portal" {
- name = format("wlan-ui.%s.%s", var.deployment, var.base_domain)
- type = "A"
- zone_id = aws_route53_zone.cloudsdk.zone_id
- allow_overwrite = true
- alias {
- name = var.ingress_lb
- zone_id = aws_alb.cloudsdk_portal.zone_id
- evaluate_target_health = true
- }
-}
\ No newline at end of file
diff --git a/terraform/wifi-289708231103/cloudsdk_cicd/cloudsdk_serviceport_alb.tf b/terraform/wifi-289708231103/cloudsdk_cicd/cloudsdk_serviceport_alb.tf
deleted file mode 100644
index c79aadd..0000000
--- a/terraform/wifi-289708231103/cloudsdk_cicd/cloudsdk_serviceport_alb.tf
+++ /dev/null
@@ -1,94 +0,0 @@
-resource "aws_alb" "cloudsdk_serviceport" {
- name = "${var.deployment}-serviceport"
- internal = false
- security_groups = [aws_security_group.cloudsdk_lb.id]
- enable_cross_zone_load_balancing = true
- subnets = module.vpc_main.public_subnets
- enable_deletion_protection = false
- idle_timeout = 30
- tags = local.tags
-
- access_logs {
- bucket = aws_s3_bucket.alb_logs.id
- prefix = "${var.deployment}-serviceport"
- enabled = true
- }
-}
-
-resource "aws_alb_target_group" "cloudsdk_serviceport" {
- name = "${var.deployment}-serviceport"
- port = var.service_ingress["serviceport"]["internal_port"]
- protocol = var.service_ingress["serviceport"]["internal_protocol"]
- vpc_id = module.vpc_main.vpc_id
- deregistration_delay = 20
- proxy_protocol_v2 = false
-
- health_check {
- path = var.service_ingress["serviceport"]["healthcheck_path"]
- interval = 30
- protocol = var.service_ingress["serviceport"]["internal_protocol"]
- matcher = "200"
- timeout = 5
- healthy_threshold = 2
- unhealthy_threshold = 2
- port = var.service_ingress["serviceport"]["internal_port"]
- }
-
- tags = local.tags
-}
-
-resource "aws_autoscaling_attachment" "cloudsdk_serviceport" {
- for_each = toset(module.eks.workers_asg_names)
- autoscaling_group_name = each.key
- alb_target_group_arn = aws_alb_target_group.cloudsdk_serviceport.arn
-}
-
-resource "aws_alb_listener" "cloudsdk_serviceport_http" {
- load_balancer_arn = aws_alb.cloudsdk_serviceport.arn
- port = "80"
- protocol = "HTTP"
-
- default_action {
- type = "redirect"
-
- redirect {
- protocol = var.service_ingress["serviceport"]["external_protocol"]
- status_code = "HTTP_301"
- port = var.service_ingress["serviceport"]["external_port"]
- }
- }
-}
-
-resource "aws_alb_listener" "cloudsdk_serviceport_https" {
- load_balancer_arn = aws_alb.cloudsdk_serviceport.arn
- port = var.service_ingress["serviceport"]["external_port"]
- protocol = var.service_ingress["serviceport"]["external_protocol"]
- ssl_policy = "ELBSecurityPolicy-TLS-1-2-Ext-2018-06"
- certificate_arn = aws_acm_certificate.cloudsdk.arn
-
- default_action {
- target_group_arn = aws_alb_target_group.cloudsdk_serviceport.arn
- type = "forward"
- }
-}
-
-resource "aws_security_group_rule" "cloudsdk_serviceport" {
- security_group_id = module.eks.worker_security_group_id
- from_port = var.service_ingress["serviceport"]["internal_port"]
- to_port = var.service_ingress["serviceport"]["internal_port"]
- protocol = "TCP"
- source_security_group_id = aws_security_group.cloudsdk_lb.id
- type = "ingress"
-}
-
-resource "aws_route53_record" "cloudsdk_serviceport" {
- name = format("wlan-portal-svc.%s.%s", var.deployment, var.base_domain)
- type = "A"
- zone_id = aws_route53_zone.cloudsdk.zone_id
- allow_overwrite = true
- alias {
- name = aws_alb.cloudsdk_serviceport.dns_name
- zone_id = aws_alb.cloudsdk_serviceport.zone_id
- evaluate_target_health = true
- }
-}
\ No newline at end of file
diff --git a/terraform/wifi-289708231103/cloudsdk_cicd/efs.tf b/terraform/wifi-289708231103/cloudsdk_cicd/efs.tf
new file mode 100644
index 0000000..545f2e3
--- /dev/null
+++ b/terraform/wifi-289708231103/cloudsdk_cicd/efs.tf
@@ -0,0 +1,37 @@
+resource "aws_security_group" "efs" {
+ name = "${var.org}-${var.project}-${var.env}-efs"
+ description = "${var.org}-${var.project}-${var.env}-efs"
+ vpc_id = module.vpc_main.vpc_id
+
+ tags = {
+ Name = "${var.org}-${var.project}-${var.env}"
+ Project = var.project
+ Environment = var.env
+ }
+}
+
+resource "aws_security_group_rule" "efs_ingress" {
+ from_port = 2049
+ to_port = 2049
+ protocol = "tcp"
+ type = "ingress"
+ security_group_id = aws_security_group.efs.id
+ source_security_group_id = module.eks.worker_security_group_id
+}
+
+resource "aws_efs_file_system" "default" {
+ creation_token = "${var.org}-${var.project}-${var.env}-default"
+
+ tags = {
+ Name = "${var.org}-${var.project}-${var.env}-default"
+ Project = var.project
+ Environment = var.env
+ }
+}
+
+resource "aws_efs_mount_target" "default" {
+ for_each = toset(module.vpc_main.private_subnets)
+ file_system_id = aws_efs_file_system.default.id
+ subnet_id = each.key
+ security_groups = [aws_security_group.efs.id]
+}
diff --git a/terraform/wifi-289708231103/cloudsdk_cicd/eks.tf b/terraform/wifi-289708231103/cloudsdk_cicd/eks.tf
index fea42a0..ef42c03 100644
--- a/terraform/wifi-289708231103/cloudsdk_cicd/eks.tf
+++ b/terraform/wifi-289708231103/cloudsdk_cicd/eks.tf
@@ -87,7 +87,7 @@ locals {
 "Env" = var.env
 "Project" = var.project
 }
- user_roles = [
+ user_roles = [
 {
 userarn = aws_iam_user.gh-actions-user.arn
 username = aws_iam_user.gh-actions-user.name
diff --git a/terraform/wifi-289708231103/cloudsdk_cicd/outputs.tf b/terraform/wifi-289708231103/cloudsdk_cicd/outputs.tf
index ce1616c..b639e1a 100644
--- a/terraform/wifi-289708231103/cloudsdk_cicd/outputs.tf
+++ b/terraform/wifi-289708231103/cloudsdk_cicd/outputs.tf
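Review bot: `aws_efs_file_system.default` omits `encrypted = true`, so the file system is created unencrypted at rest, and EFS encryption cannot be switched on afterwards without replacing the file system; add `encrypted = true` (plus a `kms_key_id` if a customer-managed key is required) to that resource block before this is applied. The ingress side is scoped correctly — TCP/2049 is opened only to `module.eks.worker_security_group_id` rather than a CIDR — but nothing in the hunk requires TLS on the mount, so an `aws_efs_file_system_policy` that denies access when `aws:SecureTransport` is false is worth adding if the mount client in use supports TLS. Note also that `aws_security_group.efs` declares no `egress` block, which causes Terraform to strip the AWS default allow-all egress rule; that is acceptable for a stateful NFS target, and a comment such as `# no egress block on purpose: Terraform drops the default allow-all egress; NFS replies are stateful` would stop a later edit from re-adding it.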
@@ -2,6 +2,10 @@ output "cluster_autoscaler_role_arn" {
 value = module.cluster_autoscaler_cluster_role.this_iam_role_arn
 }
 
+output "alb_ingress_controller_role_arn" {
+ value = module.alb_ingress_iam_role.this_iam_role_arn
+}
+
 output "external_dns_role_arn" {
 value = module.external_dns_cluster_role.this_iam_role_arn
 }
@@ -17,3 +21,15 @@ output "vpc_private_subnets_ids" {
 output "vpc_private_route_table_ids" {
 value = module.vpc_main.private_route_table_ids
 }
+
+output "lb_s3_bucket_logging" {
+ value = aws_s3_bucket.alb_logs.id
+}
+
+output "efs_id" {
+ value = aws_efs_file_system.default.id
+}
+
+output "efs_dns" {
+ value = aws_efs_file_system.default.dns_name
+}
diff --git a/terraform/wifi-289708231103/cloudsdk_cicd/terraform.tfvars b/terraform/wifi-289708231103/cloudsdk_cicd/terraform.tfvars
index 189e4fb..0b5ef10 100644
--- a/terraform/wifi-289708231103/cloudsdk_cicd/terraform.tfvars
+++ b/terraform/wifi-289708231103/cloudsdk_cicd/terraform.tfvars
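Review bot: `output "alb_ingress_controller_role_arn"` in the first hunk references `module.alb_ingress_iam_role`, which is not declared anywhere in the visible part of this diff; if that module is not already present in the cloudsdk_cicd stack, `terraform plan` fails on an undeclared module, so it is worth confirming it lands in the same change. None of the four new outputs carries a `description`, and since `efs_id`, `efs_dns` and `lb_s3_bucket_logging` look intended to be copied by hand into another configuration, a one-liner such as `description = "ID of the EFS file system used by cluster workloads"` on each would document that hand-off. Both hunks are complete, but the rest of outputs.tf is outside this view.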
@@ -22,57 +22,3 @@ eks_admin_roles = ["AWSReservedSSO_SystemAdministrator_622371b0ceece6f8"]
 
 base_domain = "lab.wlan.tip.build"
 deployment = "cicd"
-
-service_ingress = {
- "filestore" : {
- "external_port" : 443,
- "internal_port" : 30227,
- "external_protocol" : "TCP",
- "internal_protocol" : "TCP",
- "healthcheck_path" : "",
- },
- "graphql" : {
- "external_port" : 443,
- "internal_port" : 30223,
- "external_protocol" : "HTTPS",
- "internal_protocol" : "HTTP",
- "healthcheck_path" : "/graphql",
- },
- "serviceport" : {
- "external_port" : 443,
- "internal_port" : 30251,
- "external_protocol" : "HTTPS",
- "internal_protocol" : "HTTPS",
- "healthcheck_path" : "/ping",
- },
- "portal" : {
- "external_port" : 443,
- "internal_port" : 30233,
- "external_protocol" : "HTTPS",
- "internal_protocol" : "HTTP",
- "healthcheck_path" : "/",
- },
- "gwcontroller" : {
- "external_port" : 6640,
- "internal_port" : 30229,
- "external_protocol" : "TCP",
- "internal_protocol" : "TCP",
- "healthcheck_path" : "",
- },
- "gwredirector" : {
- "external_port" : 6643,
- "internal_port" : 30230,
- "external_protocol" : "TCP",
- "internal_protocol" : "TCP",
- "healthcheck_path" : "",
- },
- "mqtt" : {
- "external_port" : 1883,
- "internal_port" : 30231,
- "external_protocol" : "TCP",
- "internal_protocol" : "TCP",
- "healthcheck_path" : "",
- },
-}
-
-ingress_lb = "a46650fef61b84171825228af3cfc4b2-1416366176.us-east-2.elb.amazonaws.com"
\ No newline at end of file
diff --git a/terraform/wifi-289708231103/cloudsdk_cicd/variables.tf b/terraform/wifi-289708231103/cloudsdk_cicd/variables.tf
index 35f4f93..99b2f8e 100644
--- a/terraform/wifi-289708231103/cloudsdk_cicd/variables.tf
+++ b/terraform/wifi-289708231103/cloudsdk_cicd/variables.tf
@@ -75,19 +75,3 @@ variable "deployment" {
 description = "Deployment name"
 type = string
 }
-
-variable "service_ingress" {
- description = "Load balancer configuration for ELK services"
- type = map(object({
- internal_protocol = string
- internal_port = number
- external_protocol = string
- external_port = number
- healthcheck_path = string
- }))
-}
-
-variable "ingress_lb" {
- description = "Ingress LB dns endpoint"
- type = string
-}