From 9811d9fdb12edd66e57e8064bb3e496d0105cf06 Mon Sep 17 00:00:00 2001
From: Vedant Pareek
Date: Thu, 21 Nov 2024 18:39:23 +0530
Subject: [PATCH 1/2] Variable refactor
---
 iam-ecr.tf | 2 +-
 iam-rds.tf | 2 +-
 iam-sa.tf | 2 +-
 iam-ssm.tf | 10 +++++-----
 locals.tf | 4 ++--
 variables.tf | 29 ++++++++++-------------------
 6 files changed, 20 insertions(+), 29 deletions(-)
diff --git a/iam-ecr.tf b/iam-ecr.tf
index 42957ca..923d3b6 100644
--- a/iam-ecr.tf
+++ b/iam-ecr.tf
@@ -43,7 +43,7 @@ data "aws_iam_policy_document" "svcfoundry_access_to_ecr" {
 resource "aws_iam_policy" "svcfoundry_access_to_ecr" {
   count = var.truefoundry_iam_role_enabled ? 1 : 0
   name_prefix = "${local.svcfoundry_unique_name}-access-to-ecr"
-  description = "ECR access for ${var.svcfoundry_name} on ${var.cluster_name}"
+  description = "ECR access for ${var.svcfoundry_k8s_service_account} on ${var.cluster_name}"
   policy = data.aws_iam_policy_document.svcfoundry_access_to_ecr.json
   tags = local.tags
 }
\ No newline at end of file
diff --git a/iam-rds.tf b/iam-rds.tf
index 47cefd3..4a07bcf 100644
--- a/iam-rds.tf
+++ b/iam-rds.tf
@@ -15,7 +15,7 @@ data "aws_iam_policy_document" "truefoundry_db_iam_auth_policy_document" {
 resource "aws_iam_policy" "truefoundry_db_iam_auth_policy" {
   count = var.truefoundry_iam_role_enabled ? 1 : 0
   name_prefix = "${local.svcfoundry_unique_name}-db-iam-auth-policy"
-  description = "IAM based authentication policy for ${var.svcfoundry_name} and ${var.mlfoundry_name} in cluster ${var.cluster_name}"
+  description = "IAM based authentication policy for ${var.svcfoundry_k8s_service_account} and ${var.mlfoundry_k8s_service_account} in cluster ${var.cluster_name}"
   policy = data.aws_iam_policy_document.truefoundry_db_iam_auth_policy_document.json
   tags = local.tags
 }
\ No newline at end of file
diff --git a/iam-sa.tf b/iam-sa.tf
index fd09709..41d64f6 100644
--- a/iam-sa.tf
+++ b/iam-sa.tf
@@ -15,7 +15,7 @@ module "truefoundry_oidc_iam" {
     "system:serviceaccount:${var.truefoundry_k8s_namespace}:${var.truefoundry_service_account}",
   ]
-  role_description = "Truefoundry IAM role for ${var.svcfoundry_name}, ${var.mlfoundry_name} and ${var.tfy_workflow_admin_name} in cluster ${var.cluster_name}"
+  role_description = "Truefoundry IAM role for ${var.svcfoundry_k8s_service_account}, ${var.mlfoundry_k8s_service_account} and ${var.tfy_workflow_admin_k8s_service_account} in cluster ${var.cluster_name}"
   role_policy_arns = [
     aws_iam_policy.truefoundry_bucket_policy[0].arn,
     aws_iam_policy.svcfoundry_access_to_ssm[0].arn,
diff --git a/iam-ssm.tf b/iam-ssm.tf
index 0f03f9a..ecd91fd 100644
--- a/iam-ssm.tf
+++ b/iam-ssm.tf
@@ -15,9 +15,9 @@ data "aws_iam_policy_document" "svcfoundry_access_to_ssm" {
       "ssm:GetParameter",
     ]
     resources = [
-      "arn:aws:ssm:${var.aws_region}:${var.aws_account_id}:parameter/${var.account_name}/${var.svcfoundry_name}/*",
-      "arn:aws:ssm:${var.aws_region}:${var.aws_account_id}:parameter/${var.account_name}/${aws_db_instance.truefoundry_db[0].id}/*",
-      "arn:aws:ssm:${var.aws_region}:${var.aws_account_id}:parameter/${var.account_name}/truefoundry/dockerhub/IMAGE_PULL_CREDENTIALS",
+      "arn:aws:ssm:${var.aws_region}:${var.aws_account_id}:parameter/*/${var.svcfoundry_k8s_service_account}/*",
+      "arn:aws:ssm:${var.aws_region}:${var.aws_account_id}:parameter/*/${aws_db_instance.truefoundry_db[0].id}/*",
+      "arn:aws:ssm:${var.aws_region}:${var.aws_account_id}:parameter/*/truefoundry/dockerhub/IMAGE_PULL_CREDENTIALS",
     ]
   }
 }
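Review bot: The three new resource ARNs in the iam-ssm.tf hunk replace the `${var.account_name}` path segment with `*`, so the grant now matches `parameter/<any prefix>/${var.svcfoundry_k8s_service_account}/*`, `parameter/<any prefix>/<db id>/*` and `parameter/<any prefix>/truefoundry/dockerhub/IMAGE_PULL_CREDENTIALS` under every top-level prefix in the account rather than the one this control plane owns. Where several environments or tenants share the AWS account and use the same service-account name or parameter layout, this role can read their parameters, including the pull credentials, which is a wider grant than the old one and is not mentioned in the commit message. If the goal is only to stop requiring `account_name`, a narrower option is to keep the prefix as an input with a default, or to derive it from a value already in scope, e.g. `"arn:aws:ssm:${var.aws_region}:${var.aws_account_id}:parameter/${var.cluster_name}/${var.svcfoundry_k8s_service_account}/*"`. The `data "aws_iam_policy_document" "svcfoundry_access_to_ssm"` block starts above the hunk and `"ssm:GetParameter"` is only the last entry of its actions list, so the full set of actions this wildcard applies to is not visible here.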
@@ -25,7 +25,7 @@ data "aws_iam_policy_document" "svcfoundry_access_to_ssm" {
 resource "aws_iam_policy" "svcfoundry_access_to_ssm" {
   count = var.truefoundry_iam_role_enabled ? 1 : 0
   name_prefix = "${local.svcfoundry_unique_name}-access-to-ssm"
-  description = "SSM read access for ${var.svcfoundry_name} on ${var.cluster_name}"
+  description = "SSM read access for ${var.svcfoundry_k8s_service_account} on ${var.cluster_name}"
   policy = data.aws_iam_policy_document.svcfoundry_access_to_ssm.json
   tags = local.tags
 }
@@ -51,7 +51,7 @@ data "aws_iam_policy_document" "svcfoundry_access_to_multitenant_ssm" {
 resource "aws_iam_policy" "svcfoundry_access_to_multitenant_ssm" {
   count = var.truefoundry_iam_role_enabled ? 1 : 0
   name_prefix = "${local.svcfoundry_unique_name}-access-to-multitenant-ssm"
-  description = "SSM read access for ${var.svcfoundry_name} to all multitenant params on ${var.cluster_name}"
+  description = "SSM read access for ${var.svcfoundry_k8s_service_account} to all multitenant params on ${var.cluster_name}"
   policy = data.aws_iam_policy_document.svcfoundry_access_to_multitenant_ssm.json
   tags = local.tags
 }
diff --git a/locals.tf b/locals.tf
index 6dca556..5b1817c 100644
--- a/locals.tf
+++ b/locals.tf
@@ -5,8 +5,8 @@ locals {
   truefoundry_db_unique_name = var.truefoundry_db_enable_override ? var.truefoundry_db_override_name : "${var.cluster_name}-db"
-  svcfoundry_unique_name = "${var.cluster_name}-${var.svcfoundry_name}"
-  mlfoundry_unique_name = "${var.cluster_name}-${var.mlfoundry_name}"
+  svcfoundry_unique_name = "${var.cluster_name}-${var.svcfoundry_k8s_service_account}"
+  mlfoundry_unique_name = "${var.cluster_name}-${var.mlfoundry_k8s_service_account}"
   truefoundry_db_port = 5432
   truefoundry_db_master_username = "root"
diff --git a/variables.tf b/variables.tf
index 05f4e1c..672c511 100644
--- a/variables.tf
+++ b/variables.tf
@@ -21,11 +21,6 @@ variable "aws_account_id" {
   type = string
 }
-variable "account_name" {
-  description = "AWS Account Name"
-  type = string
-}
-
 variable "tags" {
   type = map(string)
   default = {}
@@ -76,6 +71,7 @@ variable "truefoundry_db_subnet_ids" {
 variable "truefoundry_db_instance_class" {
   type = string
   description = "Instance class for RDS"
+  default = "db.t3.medium"
 }
 variable "truefoundry_db_publicly_accessible" {
@@ -99,6 +95,7 @@ variable "truefoundry_db_allocated_storage" {
 variable "truefoundry_db_max_allocated_storage" {
   type = string
   description = "Max allowed storage for RDS when autoscaling is enabled"
+  default = "30"
 }
 variable "truefoundry_db_storage_type" {
@@ -110,6 +107,7 @@ variable "truefoundry_db_storage_type" {
 variable "truefoundry_db_storage_iops" {
   type = number
   description = "Provisioned IOPS for the db"
+  default = 0
 }
 variable "truefoundry_db_skip_final_snapshot" {
@@ -138,6 +136,7 @@ variable "truefoundry_db_enable_override" {
   type = bool
   default = false
 }
+
 variable "truefoundry_db_override_name" {
   description = "Override name for truefoundry db.This is the name of the RDS resources in AWS . truefoundry_db_enable_override must be set true"
   type = string
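Review bot: Removing `variable "account_name"` in the first hunk is a breaking change for module consumers, because Terraform rejects an argument that the called module does not declare, and neither the commit message ("Variable refactor") nor the README diff in the second patch calls this out. A short changelog entry, or keeping the variable for one release as `default = null` with a description marking it deprecated and unused, would let callers upgrade without a failed plan. In the `truefoundry_db_storage_iops` hunk, `default = 0` presumably means "no provisioned IOPS"; if the value is handed straight to `aws_db_instance.iops` it is worth confirming that the provider treats `0` as unset for the default `gp3` storage type, since `default = null` states that intent without relying on provider behaviour. The `variable` blocks touched here are complete within their hunks.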
@@ -261,57 +260,49 @@ variable "truefoundry_s3_cors_origins" {
 ##################################################################################
 ## MLfoundry service account
 ##################################################################################
-variable "mlfoundry_name" {
-  description = "Name of mlfoundry deployment"
-  type = string
-}
 variable "mlfoundry_k8s_service_account" {
   description = "The k8s mlfoundry service account name"
   type = string
+  default = "mlfoundry-server"
 }
 variable "mlfoundry_k8s_namespace" {
   description = "The k8s mlfoundry namespace"
   type = string
+  default = "truefoundry"
 }
 ##################################################################################
 ## Servicefoundry service account
 ##################################################################################
-variable "svcfoundry_name" {
-  description = "Name of svcfoundry deployment"
-  type = string
-}
-
 variable "svcfoundry_k8s_service_account" {
   description = "The k8s svcfoundry service account name"
   type = string
+  default = "servicefoundry-server"
 }
 variable "svcfoundry_k8s_namespace" {
   description = "The k8s svcfoundry namespace"
   type = string
+  default = "truefoundry"
 }
 ##################################################################################
 ## TFy workflow admin service account
 ##################################################################################
-variable "tfy_workflow_admin_name" {
-  description = "Name of tfy workflow admin deployment"
-  type = string
-}
-
 variable "tfy_workflow_admin_k8s_service_account" {
   description = "The k8s tfy workflow admin service account name"
   type = string
+  default = "tfy-workflow-admin"
 }
 variable "tfy_workflow_admin_k8s_namespace" {
   description = "The k8s tfy workflow admin namespace"
   type = string
+  default = "truefoundry"
 }
 ##################################################################################
From 338a1631fa355fc59a0dbeafb60f52014c419899 Mon Sep 17 00:00:00 2001
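Review bot: The descriptions of `svcfoundry_k8s_service_account` and `mlfoundry_k8s_service_account` no longer say what the values are used for after this patch: `locals.tf` builds `svcfoundry_unique_name` and `mlfoundry_unique_name` (the IAM policy `name_prefix` values) from them, and `iam-ssm.tf` uses the svcfoundry value as a segment of the SSM parameter ARNs the role may read, so overriding a default also renames IAM policies and moves the readable parameter path. A sentence on each would avoid that surprise, e.g. `description = "The k8s svcfoundry service account name; also used in IAM policy name prefixes and as the SSM parameter path segment the control-plane role is allowed to read"`. Because these inputs were previously required and now default silently, the descriptions should also state that the value must match the service account actually deployed in the cluster, since the IAM role description and policy scopes are derived from it.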
From: "github-actions[bot]"
Date: Thu, 21 Nov 2024 13:11:17 +0000
Subject: [PATCH 2/2] terraform-docs: automated action
---
 README.md | 22 +++++++++-------------
 1 file changed, 9 insertions(+), 13 deletions(-)
diff --git a/README.md b/README.md
index e6a549d..3c9f27e 100644
--- a/README.md
+++ b/README.md
@@ -54,7 +54,6 @@ Truefoundry AWS Control Plane Module | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [account\_name](#input\_account\_name) | AWS Account Name | `string` | n/a | yes | | [aws\_account\_id](#input\_aws\_account\_id) | AWS Account ID | `string` | n/a | yes | | [aws\_region](#input\_aws\_region) | EKS Cluster region | `string` | n/a | yes | | [cluster\_name](#input\_cluster\_name) | Cluster name | `string` | n/a | yes | 
@@ -65,16 +64,13 @@ Truefoundry AWS Control Plane Module | [master\_user\_password\_rotate\_immediately](#input\_master\_user\_password\_rotate\_immediately) | Rotate master user password immediately | `bool` | `false` | no | | [master\_user\_password\_rotation\_automatically\_after\_days](#input\_master\_user\_password\_rotation\_automatically\_after\_days) | Rotate master user password automatically after days | `number` | `90` | no | | [master\_user\_password\_rotation\_duration](#input\_master\_user\_password\_rotation\_duration) | Master user password rotation duration | `string` | `"3h"` | no | -| [mlfoundry\_k8s\_namespace](#input\_mlfoundry\_k8s\_namespace) | The k8s mlfoundry namespace | `string` | n/a | yes | -| [mlfoundry\_k8s\_service\_account](#input\_mlfoundry\_k8s\_service\_account) | The k8s mlfoundry service account name | `string` | n/a | yes | -| [mlfoundry\_name](#input\_mlfoundry\_name) | Name of mlfoundry deployment | `string` | n/a | yes | -| [svcfoundry\_k8s\_namespace](#input\_svcfoundry\_k8s\_namespace) | The k8s svcfoundry namespace | `string` | n/a | yes | -| [svcfoundry\_k8s\_service\_account](#input\_svcfoundry\_k8s\_service\_account) | The k8s svcfoundry service account name | `string` | n/a | yes | -| [svcfoundry\_name](#input\_svcfoundry\_name) | Name of svcfoundry deployment | `string` | n/a | yes | +| [mlfoundry\_k8s\_namespace](#input\_mlfoundry\_k8s\_namespace) | The k8s mlfoundry namespace | `string` | `"truefoundry"` | no | +| [mlfoundry\_k8s\_service\_account](#input\_mlfoundry\_k8s\_service\_account) | The k8s mlfoundry service account name | `string` | `"mlfoundry-server"` | no | +| [svcfoundry\_k8s\_namespace](#input\_svcfoundry\_k8s\_namespace) | The k8s svcfoundry namespace | `string` | `"truefoundry"` | no | +| [svcfoundry\_k8s\_service\_account](#input\_svcfoundry\_k8s\_service\_account) | The k8s svcfoundry service account name | `string` | `"servicefoundry-server"` | no | | [tags](#input\_tags) | AWS Tags common to 
all the resources created | `map(string)` | `{}` | no | -| [tfy\_workflow\_admin\_k8s\_namespace](#input\_tfy\_workflow\_admin\_k8s\_namespace) | The k8s tfy workflow admin namespace | `string` | n/a | yes | -| [tfy\_workflow\_admin\_k8s\_service\_account](#input\_tfy\_workflow\_admin\_k8s\_service\_account) | The k8s tfy workflow admin service account name | `string` | n/a | yes | -| [tfy\_workflow\_admin\_name](#input\_tfy\_workflow\_admin\_name) | Name of tfy workflow admin deployment | `string` | n/a | yes | +| [tfy\_workflow\_admin\_k8s\_namespace](#input\_tfy\_workflow\_admin\_k8s\_namespace) | The k8s tfy workflow admin namespace | `string` | `"truefoundry"` | no | +| [tfy\_workflow\_admin\_k8s\_service\_account](#input\_tfy\_workflow\_admin\_k8s\_service\_account) | The k8s tfy workflow admin service account name | `string` | `"tfy-workflow-admin"` | no | | [truefoundry\_artifact\_buckets\_will\_read](#input\_truefoundry\_artifact\_buckets\_will\_read) | A list of bucket IDs mlfoundry will need read access to, in order to show the stored artifacts. It accepts any valid IAM resource, including ARNs with wildcards, so you can do something like arn:aws:s3:::bucket-prefix-* | `list(string)` | `[]` | no | | [truefoundry\_cloudwatch\_log\_exports](#input\_truefoundry\_cloudwatch\_log\_exports) | Set of log types to enable for exporting to CloudWatch logs. If omitted, no logs will be exported | `list(string)` |
[
"postgresql",
"upgrade"
]
| no | | [truefoundry\_db\_allocated\_storage](#input\_truefoundry\_db\_allocated\_storage) | Storage for RDS. Minimum storage allowed for gp3 volumes is 20GB | `string` | `"20"` | no | 
@@ -87,14 +83,14 @@ Truefoundry AWS Control Plane Module | [truefoundry\_db\_engine\_version](#input\_truefoundry\_db\_engine\_version) | Truefoundry DB Postgres version | `string` | `"13.14"` | no | | [truefoundry\_db\_ingress\_cidr\_blocks](#input\_truefoundry\_db\_ingress\_cidr\_blocks) | CIDR blocks allowed to connect to the database | `list(string)` | `[]` | no | | [truefoundry\_db\_ingress\_security\_group](#input\_truefoundry\_db\_ingress\_security\_group) | SG allowed to connect to the database | `string` | n/a | yes | -| [truefoundry\_db\_instance\_class](#input\_truefoundry\_db\_instance\_class) | Instance class for RDS | `string` | n/a | yes | -| [truefoundry\_db\_max\_allocated\_storage](#input\_truefoundry\_db\_max\_allocated\_storage) | Max allowed storage for RDS when autoscaling is enabled | `string` | n/a | yes | +| [truefoundry\_db\_instance\_class](#input\_truefoundry\_db\_instance\_class) | Instance class for RDS | `string` | `"db.t3.medium"` | no | +| [truefoundry\_db\_max\_allocated\_storage](#input\_truefoundry\_db\_max\_allocated\_storage) | Max allowed storage for RDS when autoscaling is enabled | `string` | `"30"` | no | | [truefoundry\_db\_multiple\_az](#input\_truefoundry\_db\_multiple\_az) | Enable Multi-az (standby) instances for RDS instances | `bool` | `false` | no | | [truefoundry\_db\_override\_name](#input\_truefoundry\_db\_override\_name) | Override name for truefoundry db.This is the name of the RDS resources in AWS . truefoundry\_db\_enable\_override must be set true | `string` | `""` | no | | [truefoundry\_db\_publicly\_accessible](#input\_truefoundry\_db\_publicly\_accessible) | Make database publicly accessible. 
Subnets and SG must match | `string` | `false` | no | | [truefoundry\_db\_skip\_final\_snapshot](#input\_truefoundry\_db\_skip\_final\_snapshot) | n/a | `bool` | `false` | no | | [truefoundry\_db\_storage\_encrypted](#input\_truefoundry\_db\_storage\_encrypted) | n/a | `bool` | `true` | no | -| [truefoundry\_db\_storage\_iops](#input\_truefoundry\_db\_storage\_iops) | Provisioned IOPS for the db | `number` | n/a | yes | +| [truefoundry\_db\_storage\_iops](#input\_truefoundry\_db\_storage\_iops) | Provisioned IOPS for the db | `number` | `0` | no | | [truefoundry\_db\_storage\_type](#input\_truefoundry\_db\_storage\_type) | Storage type for truefoundry db | `string` | `"gp3"` | no | | [truefoundry\_db\_subnet\_ids](#input\_truefoundry\_db\_subnet\_ids) | List of subnets where the RDS database will be deployed | `list(string)` | n/a | yes | | [truefoundry\_iam\_role\_enabled](#input\_truefoundry\_iam\_role\_enabled) | variable to enable/disable truefoundry iam role creation | `bool` | `true` | no |