Merge pull request #25 from truefoundry/variable-refactor

Variable refactor

dunefro authored Nov 21, 2024
2 parents faa4ff0 + 338a163 commit a7b2500
Showing 7 changed files with 29 additions and 42 deletions.
22 changes: 9 additions & 13 deletions README.md
@@ -54,7 +54,6 @@ Truefoundry AWS Control Plane Module

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_account_name"></a> [account\_name](#input\_account\_name) | AWS Account Name | `string` | n/a | yes |
| <a name="input_aws_account_id"></a> [aws\_account\_id](#input\_aws\_account\_id) | AWS Account ID | `string` | n/a | yes |
| <a name="input_aws_region"></a> [aws\_region](#input\_aws\_region) | EKS Cluster region | `string` | n/a | yes |
| <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | Cluster name | `string` | n/a | yes |
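Review bot: dropping the `account_name` row is a breaking change for every caller that sets it, and nothing in the README tells them what to do instead. Add a one-line migration note (remove the argument; the SSM parameter paths no longer carry an account prefix) and bump the module's major version, so that existing root modules hit the 'An argument named "account_name" is not expected here' error on a deliberate upgrade rather than on an unrelated change.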
@@ -65,16 +64,13 @@ Truefoundry AWS Control Plane Module
| <a name="input_master_user_password_rotate_immediately"></a> [master\_user\_password\_rotate\_immediately](#input\_master\_user\_password\_rotate\_immediately) | Rotate master user password immediately | `bool` | `false` | no |
| <a name="input_master_user_password_rotation_automatically_after_days"></a> [master\_user\_password\_rotation\_automatically\_after\_days](#input\_master\_user\_password\_rotation\_automatically\_after\_days) | Rotate master user password automatically after days | `number` | `90` | no |
| <a name="input_master_user_password_rotation_duration"></a> [master\_user\_password\_rotation\_duration](#input\_master\_user\_password\_rotation\_duration) | Master user password rotation duration | `string` | `"3h"` | no |
| <a name="input_mlfoundry_k8s_namespace"></a> [mlfoundry\_k8s\_namespace](#input\_mlfoundry\_k8s\_namespace) | The k8s mlfoundry namespace | `string` | n/a | yes |
| <a name="input_mlfoundry_k8s_service_account"></a> [mlfoundry\_k8s\_service\_account](#input\_mlfoundry\_k8s\_service\_account) | The k8s mlfoundry service account name | `string` | n/a | yes |
| <a name="input_mlfoundry_name"></a> [mlfoundry\_name](#input\_mlfoundry\_name) | Name of mlfoundry deployment | `string` | n/a | yes |
| <a name="input_svcfoundry_k8s_namespace"></a> [svcfoundry\_k8s\_namespace](#input\_svcfoundry\_k8s\_namespace) | The k8s svcfoundry namespace | `string` | n/a | yes |
| <a name="input_svcfoundry_k8s_service_account"></a> [svcfoundry\_k8s\_service\_account](#input\_svcfoundry\_k8s\_service\_account) | The k8s svcfoundry service account name | `string` | n/a | yes |
| <a name="input_svcfoundry_name"></a> [svcfoundry\_name](#input\_svcfoundry\_name) | Name of svcfoundry deployment | `string` | n/a | yes |
| <a name="input_mlfoundry_k8s_namespace"></a> [mlfoundry\_k8s\_namespace](#input\_mlfoundry\_k8s\_namespace) | The k8s mlfoundry namespace | `string` | `"truefoundry"` | no |
| <a name="input_mlfoundry_k8s_service_account"></a> [mlfoundry\_k8s\_service\_account](#input\_mlfoundry\_k8s\_service\_account) | The k8s mlfoundry service account name | `string` | `"mlfoundry-server"` | no |
| <a name="input_svcfoundry_k8s_namespace"></a> [svcfoundry\_k8s\_namespace](#input\_svcfoundry\_k8s\_namespace) | The k8s svcfoundry namespace | `string` | `"truefoundry"` | no |
| <a name="input_svcfoundry_k8s_service_account"></a> [svcfoundry\_k8s\_service\_account](#input\_svcfoundry\_k8s\_service\_account) | The k8s svcfoundry service account name | `string` | `"servicefoundry-server"` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags common to all the resources created | `map(string)` | `{}` | no |
| <a name="input_tfy_workflow_admin_k8s_namespace"></a> [tfy\_workflow\_admin\_k8s\_namespace](#input\_tfy\_workflow\_admin\_k8s\_namespace) | The k8s tfy workflow admin namespace | `string` | n/a | yes |
| <a name="input_tfy_workflow_admin_k8s_service_account"></a> [tfy\_workflow\_admin\_k8s\_service\_account](#input\_tfy\_workflow\_admin\_k8s\_service\_account) | The k8s tfy workflow admin service account name | `string` | n/a | yes |
| <a name="input_tfy_workflow_admin_name"></a> [tfy\_workflow\_admin\_name](#input\_tfy\_workflow\_admin\_name) | Name of tfy workflow admin deployment | `string` | n/a | yes |
| <a name="input_tfy_workflow_admin_k8s_namespace"></a> [tfy\_workflow\_admin\_k8s\_namespace](#input\_tfy\_workflow\_admin\_k8s\_namespace) | The k8s tfy workflow admin namespace | `string` | `"truefoundry"` | no |
| <a name="input_tfy_workflow_admin_k8s_service_account"></a> [tfy\_workflow\_admin\_k8s\_service\_account](#input\_tfy\_workflow\_admin\_k8s\_service\_account) | The k8s tfy workflow admin service account name | `string` | `"tfy-workflow-admin"` | no |
| <a name="input_truefoundry_artifact_buckets_will_read"></a> [truefoundry\_artifact\_buckets\_will\_read](#input\_truefoundry\_artifact\_buckets\_will\_read) | A list of bucket IDs mlfoundry will need read access to, in order to show the stored artifacts. It accepts any valid IAM resource, including ARNs with wildcards, so you can do something like arn:aws:s3:::bucket-prefix-* | `list(string)` | `[]` | no |
| <a name="input_truefoundry_cloudwatch_log_exports"></a> [truefoundry\_cloudwatch\_log\_exports](#input\_truefoundry\_cloudwatch\_log\_exports) | Set of log types to enable for exporting to CloudWatch logs. If omitted, no logs will be exported | `list(string)` | <pre>[<br/> "postgresql",<br/> "upgrade"<br/>]</pre> | no |
| <a name="input_truefoundry_db_allocated_storage"></a> [truefoundry\_db\_allocated\_storage](#input\_truefoundry\_db\_allocated\_storage) | Storage for RDS. Minimum storage allowed for gp3 volumes is 20GB | `string` | `"20"` | no |
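Review bot: the rows that flipped from required to the `"truefoundry"`, `"mlfoundry-server"`, `"servicefoundry-server"` and `"tfy-workflow-admin"` defaults now describe values that are interpolated into IAM policy names and SSM resource ARNs (locals.tf, iam-ssm.tf), but the descriptions still read like plain labels ('The k8s svcfoundry namespace'). Say in each description that the value must match the service account and namespace the Helm release actually creates: a mismatch here produces no error, only a policy whose names and SSM paths refer to a service account that never uses them.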
@@ -87,14 +83,14 @@ Truefoundry AWS Control Plane Module
| <a name="input_truefoundry_db_engine_version"></a> [truefoundry\_db\_engine\_version](#input\_truefoundry\_db\_engine\_version) | Truefoundry DB Postgres version | `string` | `"13.14"` | no |
| <a name="input_truefoundry_db_ingress_cidr_blocks"></a> [truefoundry\_db\_ingress\_cidr\_blocks](#input\_truefoundry\_db\_ingress\_cidr\_blocks) | CIDR blocks allowed to connect to the database | `list(string)` | `[]` | no |
| <a name="input_truefoundry_db_ingress_security_group"></a> [truefoundry\_db\_ingress\_security\_group](#input\_truefoundry\_db\_ingress\_security\_group) | SG allowed to connect to the database | `string` | n/a | yes |
| <a name="input_truefoundry_db_instance_class"></a> [truefoundry\_db\_instance\_class](#input\_truefoundry\_db\_instance\_class) | Instance class for RDS | `string` | n/a | yes |
| <a name="input_truefoundry_db_max_allocated_storage"></a> [truefoundry\_db\_max\_allocated\_storage](#input\_truefoundry\_db\_max\_allocated\_storage) | Max allowed storage for RDS when autoscaling is enabled | `string` | n/a | yes |
| <a name="input_truefoundry_db_instance_class"></a> [truefoundry\_db\_instance\_class](#input\_truefoundry\_db\_instance\_class) | Instance class for RDS | `string` | `"db.t3.medium"` | no |
| <a name="input_truefoundry_db_max_allocated_storage"></a> [truefoundry\_db\_max\_allocated\_storage](#input\_truefoundry\_db\_max\_allocated\_storage) | Max allowed storage for RDS when autoscaling is enabled | `string` | `"30"` | no |
| <a name="input_truefoundry_db_multiple_az"></a> [truefoundry\_db\_multiple\_az](#input\_truefoundry\_db\_multiple\_az) | Enable Multi-az (standby) instances for RDS instances | `bool` | `false` | no |
| <a name="input_truefoundry_db_override_name"></a> [truefoundry\_db\_override\_name](#input\_truefoundry\_db\_override\_name) | Override name for truefoundry db.This is the name of the RDS resources in AWS . truefoundry\_db\_enable\_override must be set true | `string` | `""` | no |
| <a name="input_truefoundry_db_publicly_accessible"></a> [truefoundry\_db\_publicly\_accessible](#input\_truefoundry\_db\_publicly\_accessible) | Make database publicly accessible. Subnets and SG must match | `string` | `false` | no |
| <a name="input_truefoundry_db_skip_final_snapshot"></a> [truefoundry\_db\_skip\_final\_snapshot](#input\_truefoundry\_db\_skip\_final\_snapshot) | n/a | `bool` | `false` | no |
| <a name="input_truefoundry_db_storage_encrypted"></a> [truefoundry\_db\_storage\_encrypted](#input\_truefoundry\_db\_storage\_encrypted) | n/a | `bool` | `true` | no |
| <a name="input_truefoundry_db_storage_iops"></a> [truefoundry\_db\_storage\_iops](#input\_truefoundry\_db\_storage\_iops) | Provisioned IOPS for the db | `number` | n/a | yes |
| <a name="input_truefoundry_db_storage_iops"></a> [truefoundry\_db\_storage\_iops](#input\_truefoundry\_db\_storage\_iops) | Provisioned IOPS for the db | `number` | `0` | no |
| <a name="input_truefoundry_db_storage_type"></a> [truefoundry\_db\_storage\_type](#input\_truefoundry\_db\_storage\_type) | Storage type for truefoundry db | `string` | `"gp3"` | no |
| <a name="input_truefoundry_db_subnet_ids"></a> [truefoundry\_db\_subnet\_ids](#input\_truefoundry\_db\_subnet\_ids) | List of subnets where the RDS database will be deployed | `list(string)` | n/a | yes |
| <a name="input_truefoundry_iam_role_enabled"></a> [truefoundry\_iam\_role\_enabled](#input\_truefoundry\_iam\_role\_enabled) | variable to enable/disable truefoundry iam role creation | `bool` | `true` | no |
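Review bot: `truefoundry_db_skip_final_snapshot` and `truefoundry_db_storage_encrypted` (unchanged context rows) still render as `n/a` because their `variable` blocks carry no `description`; since this change already touches variables.tf, add descriptions so terraform-docs fills them in. Also the storage sizes are typed `string` (`"20"`, `"30"`) while `truefoundry_db_storage_iops` is a `number`; use `number` for all three so the max-versus-allocated relationship can be checked numerically instead of as text.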
2 changes: 1 addition & 1 deletion iam-ecr.tf
@@ -43,7 +43,7 @@ data "aws_iam_policy_document" "svcfoundry_access_to_ecr" {
resource "aws_iam_policy" "svcfoundry_access_to_ecr" {
count = var.truefoundry_iam_role_enabled ? 1 : 0
name_prefix = "${local.svcfoundry_unique_name}-access-to-ecr"
description = "ECR access for ${var.svcfoundry_name} on ${var.cluster_name}"
description = "ECR access for ${var.svcfoundry_k8s_service_account} on ${var.cluster_name}"
policy = data.aws_iam_policy_document.svcfoundry_access_to_ecr.json
tags = local.tags
}
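Review bot: `description` on `aws_iam_policy` forces a new resource, and `name_prefix` changes here as well because `local.svcfoundry_unique_name` is now built from the service account name (locals.tf), so every caller whose `svcfoundry_name` was not literally `servicefoundry-server` gets this policy destroyed and recreated on the next apply. Call that out in the PR description and release notes, and consider `lifecycle { create_before_destroy = true }` on the policy so the role is never attached to an ARN that no longer exists mid-apply.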
2 changes: 1 addition & 1 deletion iam-rds.tf
@@ -15,7 +15,7 @@ data "aws_iam_policy_document" "truefoundry_db_iam_auth_policy_document" {
resource "aws_iam_policy" "truefoundry_db_iam_auth_policy" {
count = var.truefoundry_iam_role_enabled ? 1 : 0
name_prefix = "${local.svcfoundry_unique_name}-db-iam-auth-policy"
description = "IAM based authentication policy for ${var.svcfoundry_name} and ${var.mlfoundry_name} in cluster ${var.cluster_name}"
description = "IAM based authentication policy for ${var.svcfoundry_k8s_service_account} and ${var.mlfoundry_k8s_service_account} in cluster ${var.cluster_name}"
policy = data.aws_iam_policy_document.truefoundry_db_iam_auth_policy_document.json
tags = local.tags
}
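Review bot: the description change recreates this policy too (both `description` and the renamed `name_prefix` force replacement), and the blast radius is larger than for the ECR policy: while the old policy is detached and the new one not yet attached, new database connections authenticated via IAM (`rds-db:connect`) are refused, so any connection-pool refill in that window fails even though established connections survive. If only one of these policies gets `create_before_destroy = true`, it should be this one; otherwise document that the upgrade belongs in a maintenance window.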
2 changes: 1 addition & 1 deletion iam-sa.tf
@@ -15,7 +15,7 @@ module "truefoundry_oidc_iam" {
"system:serviceaccount:${var.truefoundry_k8s_namespace}:${var.truefoundry_service_account}",
]

role_description = "Truefoundry IAM role for ${var.svcfoundry_name}, ${var.mlfoundry_name} and ${var.tfy_workflow_admin_name} in cluster ${var.cluster_name}"
role_description = "Truefoundry IAM role for ${var.svcfoundry_k8s_service_account}, ${var.mlfoundry_k8s_service_account} and ${var.tfy_workflow_admin_k8s_service_account} in cluster ${var.cluster_name}"
role_policy_arns = [
aws_iam_policy.truefoundry_bucket_policy[0].arn,
aws_iam_policy.svcfoundry_access_to_ssm[0].arn,
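Review bot: the role description now names `mlfoundry-server`, `servicefoundry-server` and `tfy-workflow-admin`, but the only trust-policy subject visible in this hunk is `system:serviceaccount:${var.truefoundry_k8s_namespace}:${var.truefoundry_service_account}`, a different pair of variables. If the three `*_k8s_service_account` inputs are only used for names and descriptions, say so in their descriptions; if they are meant to be assumable subjects, they need to appear in this subject list, otherwise changing their defaults never changes who can assume the role.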
10 changes: 5 additions & 5 deletions iam-ssm.tf
@@ -15,17 +15,17 @@ data "aws_iam_policy_document" "svcfoundry_access_to_ssm" {
"ssm:GetParameter",
]
resources = [
"arn:aws:ssm:${var.aws_region}:${var.aws_account_id}:parameter/${var.account_name}/${var.svcfoundry_name}/*",
"arn:aws:ssm:${var.aws_region}:${var.aws_account_id}:parameter/${var.account_name}/${aws_db_instance.truefoundry_db[0].id}/*",
"arn:aws:ssm:${var.aws_region}:${var.aws_account_id}:parameter/${var.account_name}/truefoundry/dockerhub/IMAGE_PULL_CREDENTIALS",
"arn:aws:ssm:${var.aws_region}:${var.aws_account_id}:parameter/*/${var.svcfoundry_k8s_service_account}/*",
"arn:aws:ssm:${var.aws_region}:${var.aws_account_id}:parameter/*/${aws_db_instance.truefoundry_db[0].id}/*",
"arn:aws:ssm:${var.aws_region}:${var.aws_account_id}:parameter/*/truefoundry/dockerhub/IMAGE_PULL_CREDENTIALS",
]
}
}

resource "aws_iam_policy" "svcfoundry_access_to_ssm" {
count = var.truefoundry_iam_role_enabled ? 1 : 0
name_prefix = "${local.svcfoundry_unique_name}-access-to-ssm"
description = "SSM read access for ${var.svcfoundry_name} on ${var.cluster_name}"
description = "SSM read access for ${var.svcfoundry_k8s_service_account} on ${var.cluster_name}"
policy = data.aws_iam_policy_document.svcfoundry_access_to_ssm.json
tags = local.tags
}
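Review bot: replacing `${var.account_name}` with `*` in the first path segment widens these three resource ARNs well beyond what was granted before. IAM's `*` matches across `/`, so `parameter/*/servicefoundry-server/*` now matches any parameter in the account whose path contains a `servicefoundry-server/` segment at any depth, and `parameter/*/truefoundry/dockerhub/IMAGE_PULL_CREDENTIALS` matches that leaf under every prefix. Because the service account name is now a fixed default, the first ARN is identical for every cluster in the account, so two control planes sharing an account can read each other's SSM parameters; only the `aws_db_instance.truefoundry_db[0].id` ARN remains cluster-specific. Keep the prefix explicit instead: an input such as `ssm_parameter_prefix` (name is a suggestion) defaulting to `var.cluster_name`, written as `parameter/${var.ssm_parameter_prefix}/...`, or, if the prefix really is unknown at this layer, a `Condition` on `ssm:resourceTag/...` rather than a bare `*`.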
@@ -51,7 +51,7 @@ data "aws_iam_policy_document" "svcfoundry_access_to_multitenant_ssm" {
resource "aws_iam_policy" "svcfoundry_access_to_multitenant_ssm" {
count = var.truefoundry_iam_role_enabled ? 1 : 0
name_prefix = "${local.svcfoundry_unique_name}-access-to-multitenant-ssm"
description = "SSM read access for ${var.svcfoundry_name} to all multitenant params on ${var.cluster_name}"
description = "SSM read access for ${var.svcfoundry_k8s_service_account} to all multitenant params on ${var.cluster_name}"
policy = data.aws_iam_policy_document.svcfoundry_access_to_multitenant_ssm.json
tags = local.tags
}
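Review bot: both SSM policies now carry a description that starts 'SSM read access for servicefoundry-server', and with the prefix wildcarded in the hunk above it is no longer obvious from the descriptions what this 'multitenant' grant covers that `svcfoundry_access_to_ssm` does not. Make this description name the parameter paths the multitenant policy reaches, so a reviewer of the IAM console sees two distinguishable grants rather than near-duplicates.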
4 changes: 2 additions & 2 deletions locals.tf
@@ -5,8 +5,8 @@ locals {

truefoundry_db_unique_name = var.truefoundry_db_enable_override ? var.truefoundry_db_override_name : "${var.cluster_name}-db"

svcfoundry_unique_name = "${var.cluster_name}-${var.svcfoundry_name}"
mlfoundry_unique_name = "${var.cluster_name}-${var.mlfoundry_name}"
svcfoundry_unique_name = "${var.cluster_name}-${var.svcfoundry_k8s_service_account}"
mlfoundry_unique_name = "${var.cluster_name}-${var.mlfoundry_k8s_service_account}"

truefoundry_db_port = 5432
truefoundry_db_master_username = "root"
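Review bot: deriving `svcfoundry_unique_name` and `mlfoundry_unique_name` from the service account name renames every IAM resource that embeds them through `name_prefix` (iam-ecr.tf, iam-rds.tf, iam-ssm.tf), so this hunk is where the forced replacement originates and a `moved` block cannot help because the names themselves change; say so in the upgrade notes. Also check the length budget: `${cluster_name}-servicefoundry-server-access-to-multitenant-ssm` adds 48 characters to the cluster name and `name_prefix` appends a unique suffix of roughly 26 more, against IAM's 128-character policy-name limit, so cluster names beyond about 54 characters now fail at apply time. A `validation` block on `cluster_name` would surface that at plan time.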
29 changes: 10 additions & 19 deletions variables.tf
@@ -21,11 +21,6 @@ variable "aws_account_id" {
type = string
}

variable "account_name" {
description = "AWS Account Name"
type = string
}

variable "tags" {
type = map(string)
default = {}
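Review bot: `account_name` was also what scoped the SSM parameter ARNs in iam-ssm.tf, so deleting it outright trades a required input for a wildcard in an IAM resource. If the name was misleading, rename it (a `moved`-style deprecation is not available for variables, so keep the old name accepted for one release, or at least document the removal) and give the prefix a sensible default such as the cluster name, rather than removing the scoping altogether.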
@@ -76,6 +71,7 @@ variable "truefoundry_db_subnet_ids" {
variable "truefoundry_db_instance_class" {
type = string
description = "Instance class for RDS"
default = "db.t3.medium"
}

variable "truefoundry_db_publicly_accessible" {
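Review bot: `db.t3.medium` is a reasonable default for a control-plane database, but it is a burstable class that runs on CPU credits; extend the description to say so, so production users know to override it rather than discovering credit exhaustion under load.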
@@ -99,6 +95,7 @@ variable "truefoundry_db_allocated_storage" {
variable "truefoundry_db_max_allocated_storage" {
type = string
description = "Max allowed storage for RDS when autoscaling is enabled"
default = "30"
}

variable "truefoundry_db_storage_type" {
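Review bot: `default = "30"` next to an allocated-storage default of `"20"` gives RDS storage autoscaling only 10 GB of headroom before growth stops, and because both are `string` Terraform cannot check that the maximum is not below the allocation. Make both `number` and enforce `max >= allocated` with a `validation` block (cross-variable conditions need Terraform 1.9 or newer) or a `precondition` on the `aws_db_instance` resource.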
@@ -110,6 +107,7 @@ variable "truefoundry_db_storage_type" {
variable "truefoundry_db_storage_iops" {
type = number
description = "Provisioned IOPS for the db"
default = 0
}

variable "truefoundry_db_skip_final_snapshot" {
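Review bot: `default = 0` for `truefoundry_db_storage_iops` needs its meaning documented. With the `gp3` default storage type, RDS only accepts a custom IOPS value once allocated storage reaches 400 GiB, and below that the volume gets the 3000 IOPS baseline regardless. State in the description that 0 means 'do not set, use the baseline', and pass `iops = var.truefoundry_db_storage_iops > 0 ? var.truefoundry_db_storage_iops : null` to the instance so the intent is explicit rather than relying on the provider treating 0 as unset.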
@@ -138,6 +136,7 @@ variable "truefoundry_db_enable_override" {
type = bool
default = false
}

variable "truefoundry_db_override_name" {
description = "Override name for truefoundry db.This is the name of the RDS resources in AWS . truefoundry_db_enable_override must be set true"
type = string
@@ -261,57 +260,49 @@ variable "truefoundry_s3_cors_origins" {
##################################################################################
## MLfoundry service account
##################################################################################
variable "mlfoundry_name" {
description = "Name of mlfoundry deployment"
type = string
}

variable "mlfoundry_k8s_service_account" {
description = "The k8s mlfoundry service account name"
type = string
default = "mlfoundry-server"
}

variable "mlfoundry_k8s_namespace" {
description = "The k8s mlfoundry namespace"
type = string
default = "truefoundry"
}

##################################################################################
## Servicefoundry service account
##################################################################################

variable "svcfoundry_name" {
description = "Name of svcfoundry deployment"
type = string
}

variable "svcfoundry_k8s_service_account" {
description = "The k8s svcfoundry service account name"
type = string
default = "servicefoundry-server"
}

variable "svcfoundry_k8s_namespace" {
description = "The k8s svcfoundry namespace"
type = string
default = "truefoundry"
}

##################################################################################
## TFy workflow admin service account
##################################################################################

variable "tfy_workflow_admin_name" {
description = "Name of tfy workflow admin deployment"
type = string
}

variable "tfy_workflow_admin_k8s_service_account" {
description = "The k8s tfy workflow admin service account name"
type = string
default = "tfy-workflow-admin"
}

variable "tfy_workflow_admin_k8s_namespace" {
description = "The k8s tfy workflow admin namespace"
type = string
default = "truefoundry"
}

##################################################################################
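Review bot: these six inputs are now interpolated into IAM policy names, descriptions and SSM ARNs (locals.tf, iam-ssm.tf) yet have no `validation` blocks. Kubernetes namespace and service account names are DNS-1123 labels, so a condition such as `can(regex("^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", var.svcfoundry_k8s_service_account))` on each would reject values Kubernetes itself would refuse and that would otherwise yield malformed ARNs or IAM name errors at apply time. Also confirm that nothing outside these seven files still references `mlfoundry_name`, `svcfoundry_name` or `tfy_workflow_admin_name`; `terraform validate` will catch a stale reference, and the diff gives no remaining purpose for the old deployment-name inputs now that descriptions use the service account names.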