Address review comments

dspace-group · Dec 9, 2024 · 67e5494 · 67e5494
1 parent 4db6d12
commit 67e5494
Show file tree

Hide file tree

Showing 9 changed files with 42 additions and 59 deletions.
diff --git a/modules/eks/cloudwatch.tf b/modules/eks/cloudwatch.tf
diff --git a/modules/eks/cluster-auth.tf b/modules/eks/cluster-auth.tf
@@ -14,9 +14,6 @@ resource "kubernetes_config_map" "aws_auth" {
     mapRoles = yamlencode(
       distinct(concat(
         # local.managed_node_group_aws_auth_config_map,
-        # local.self_managed_node_group_aws_auth_config_map,
-        # local.windows_node_group_aws_auth_config_map,
-        # local.fargate_profiles_aws_auth_config_map,
         var.map_roles,
       ))
     )

diff --git a/modules/eks/cluster.tf b/modules/eks/cluster.tf
@@ -38,6 +38,6 @@ resource "aws_eks_cluster" "eks" {
 
   depends_on = [
     aws_iam_role_policy_attachment.cluster_role,
-    aws_cloudwatch_log_group.cluster
+    # aws_cloudwatch_log_group.cluster
   ]
 }
diff --git a/modules/eks/data.tf b/modules/eks/data.tf
@@ -31,20 +31,20 @@ data "aws_iam_policy_document" "eks_key" {
     principals {
       type = "AWS"
       identifiers = [
-        "arn:${local.context.aws_partition_id}:iam::${local.context.aws_caller_identity_account_id}:root"
+        "arn:${data.aws_partition.current.id}:iam::${data.aws_caller_identity.current.account_id}:root"
       ]
     }
 
     condition {
       test     = "StringEquals"
       variable = "kms:CallerAccount"
-      values   = [local.context.aws_caller_identity_account_id]
+      values   = [data.aws_caller_identity.current.account_id]
     }
 
     condition {
       test     = "StringEquals"
       variable = "kms:ViaService"
-      values   = ["eks.${local.context.aws_region_name}.amazonaws.com"]
+      values   = ["eks.${data.aws_region.current.name}.amazonaws.com"]
     }
   }
 
@@ -62,7 +62,7 @@ data "aws_iam_policy_document" "eks_key" {
     principals {
       type = "AWS"
       identifiers = [
-        "arn:${local.context.aws_partition_id}:iam::${local.context.aws_caller_identity_account_id}:root"
+        "arn:${data.aws_partition.current.id}:iam::${data.aws_caller_identity.current.account_id}:root"
       ]
     }
   }
@@ -101,8 +101,6 @@ data "aws_iam_policy_document" "eks_key" {
     }
   }
 
-  # Permission to allow AWS services that are integrated with AWS KMS to use the CMK,
-  # particularly services that use grants.
   statement {
     sid    = "Allow attachment of persistent resources"
     effect = "Allow"
@@ -139,3 +137,7 @@ data "aws_iam_policy_document" "assume_role_policy" {
     }
   }
 }
+
+data "tls_certificate" "cluster_certificate" {
+  url = aws_eks_cluster.eks.identity[0].oidc[0].issuer
+}
diff --git a/modules/eks/iam.tf b/modules/eks/iam.tf
@@ -1,11 +1,3 @@
-locals {
-  cluster_iam_role_name        = "${var.cluster_name}-cluster-role"
-  cluster_iam_role_pathed_name = local.cluster_iam_role_name
-  policy_arn_prefix            = "arn:${data.aws_partition.current.partition}:iam::aws:policy"
-
-  cluster_encryption_policy_name = "${local.cluster_iam_role_name}-ClusterEncryption"
-}
-
 resource "aws_iam_role" "cluster_role" {
   name        = local.cluster_iam_role_name
   path        = null
@@ -15,35 +7,33 @@ resource "aws_iam_role" "cluster_role" {
   permissions_boundary  = null
   force_detach_policies = true
 
-  # cloudwatch related inline_policy
-  dynamic "inline_policy" {
-    for_each = [1]
-    content {
-      name = local.cluster_iam_role_name
-
-      policy = jsonencode({
-        Version = "2012-10-17"
-        Statement = [
-          {
-            Action   = ["logs:CreateLogGroup"]
-            Effect   = "Deny"
-            Resource = aws_cloudwatch_log_group.cluster.arn
-          },
-        ]
-      })
-    }
-  }
+  # # cloudwatch related inline_policy
+  # dynamic "inline_policy" {
+  #   for_each = [1]
+  #   content {
+  #     name = local.cluster_iam_role_name
+
+  #     policy = jsonencode({
+  #       Version = "2012-10-17"
+  #       Statement = [
+  #         {
+  #           Action   = ["logs:CreateLogGroup"]
+  #           Effect   = "Deny"
+  #           Resource = aws_cloudwatch_log_group.cluster.arn
+  #         },
+  #       ]
+  #     })
+  #   }
+  # }
 
   tags = var.tags
 }
 
-# Policies attached ref https://docs.aws.amazon.com/eks/latest/userguide/service_IAM_role.html
 resource "aws_iam_role_policy_attachment" "cluster_role" {
   for_each = toset([
     "${local.policy_arn_prefix}/AmazonEKSClusterPolicy",
     "${local.policy_arn_prefix}/AmazonEKSVPCResourceController",
   ])
-
   policy_arn = each.value
   role       = aws_iam_role.cluster_role.name
 }
diff --git a/modules/eks/kms.tf b/modules/eks/kms.tf
@@ -1,4 +1,3 @@
-# Create a KMS customer managed key
 resource "aws_kms_key" "cluster" {
   description             = "${var.cluster_name} EKS cluster secret encryption key"
   policy                  = data.aws_iam_policy_document.eks_key.json
@@ -7,7 +6,6 @@ resource "aws_kms_key" "cluster" {
   tags                    = var.tags
 }
 
-# Assign an alias to the key
 resource "aws_kms_alias" "cluster" {
   name          = "alias/${var.cluster_name}"
   target_key_id = aws_kms_key.cluster.key_id

diff --git a/modules/eks/locals.tf b/modules/eks/locals.tf
@@ -1,11 +1,8 @@
 locals {
-  prefix_separator            = "-"
-  dns_suffix                  = data.aws_partition.current.dns_suffix
-  cluster_iam_role_pathed_arn = "arn:${local.context.aws_partition_id}:iam::${local.context.aws_caller_identity_account_id}:role/${local.cluster_iam_role_pathed_name}"
-  context = {
-    aws_partition_id               = data.aws_partition.current.id
-    aws_caller_identity_account_id = data.aws_caller_identity.current.account_id
-    aws_region_name                = data.aws_region.current.name
-  }
-
+  prefix_separator               = "-"
+  dns_suffix                     = data.aws_partition.current.dns_suffix
+  cluster_iam_role_name          = "${var.cluster_name}-cluster-role"
+  policy_arn_prefix              = "arn:${data.aws_partition.current.partition}:iam::aws:policy"
+  cluster_encryption_policy_name = "${local.cluster_iam_role_name}-ClusterEncryption"
+  cluster_iam_role_pathed_arn    = "arn:${data.aws_partition.current.id}:iam::${data.aws_caller_identity.current.account_id}:role/${local.cluster_iam_role_name}"
 }
diff --git a/modules/eks/oidc.tf b/modules/eks/oidc.tf
@@ -1,6 +1,4 @@
-data "tls_certificate" "cluster_certificate" {
-  url = aws_eks_cluster.eks.identity[0].oidc[0].issuer
-}
+
 
 resource "aws_iam_openid_connect_provider" "oidc_provider" {
   client_id_list  = distinct(compact(concat(["sts.${local.dns_suffix}"], [])))

diff --git a/modules/eks/versions.tf b/modules/eks/versions.tf
@@ -10,5 +10,13 @@ terraform {
       source  = "hashicorp/kubernetes"
       version = ">= 2.10"
     }
+    tls = {
+      source  = "hashicorp/tls"
+      version = "= 4.0.5"
+    }
+    http = {
+      source  = "hashicorp/http"
+      version = "= 3.4.3"
+    }
   }
 }