locals {
  # Environment exported to every local-exec provisioner in this file that
  # invokes kops. With var.external_account the access key of the dedicated
  # kops IAM user is injected; that secret then lives both in Terraform state
  # (as an attribute of aws_iam_access_key.kops) and in the environment of each
  # kops process, so the state backend and the operator host are secret-bearing.
  # Without it the AWS_* key variables are exported as empty strings
  # (presumably ignored by the AWS SDKs so ambient credentials apply — confirm).
  kops_env_config = {
    KOPS_CLUSTER_NAME = local.cluster_dns
    KOPS_STATE_STORE  = "s3://${aws_s3_bucket.kops_state.id}"
    # join() over the splat collapses a 0-or-1 element list into one string
    # (the key resource is presumably count-gated on the same flag).
    AWS_ACCESS_KEY_ID     = var.external_account ? join("", aws_iam_access_key.kops.*.id) : ""
    AWS_SECRET_ACCESS_KEY = var.external_account ? join("", aws_iam_access_key.kops.*.secret) : ""
    AWS_DEFAULT_REGION    = local.aws_region
  }

  # Rendered kops Cluster manifest from templates/cluster.yaml. Every value is
  # substituted into the YAML verbatim, so inputs such as
  # additional_master_policies, kops_addons and the oidc_* settings must be
  # trusted operator configuration rather than end-user data.
  kops_cluster_config = templatefile("${path.module}/templates/cluster.yaml", {
    cluster_name    = local.cluster_name
    cluster_dns     = local.cluster_dns
    cluster_zone_id = local.cluster_zone_id
    dns_type        = var.cluster_dns_type
    k8s_version     = var.kubernetes_version
    etcd_version    = var.etcd_version
    # Cluster CIDR handed to the template; hard-coded, not exposed as a variable.
    cluster_cidr = "100.64.0.0/10"
    namespace    = var.namespace
    stage        = var.stage
    region       = var.region
    addons       = var.kops_addons
    aws_region   = local.aws_region
    # The first var.max_availability_zones zones the region reports.
    aws_zones        = slice(data.aws_availability_zones.available.names, 0, var.max_availability_zones)
    kops_bucket_name = aws_s3_bucket.kops_state.id
    vpc_id           = local.vpc_id
    vpc_cidr         = local.vpc_cidr
    # SSH is limited to the VPC unless explicit CIDRs are supplied.
    ssh_access = length(var.ssh_access_cidrs) > 0 ? var.ssh_access_cidrs : [local.vpc_cidr]
    # API allow-list. Creating a public API record always adds 0.0.0.0/0,
    # even when api_access_cidrs is given; with no explicit CIDRs a
    # non-Private cluster is opened to 0.0.0.0/0 and a Private one to the VPC
    # CIDR. distinct() drops the duplicate 0.0.0.0/0 that can result.
    api_access      = distinct(concat(var.create_public_api_record ? ["0.0.0.0/0"] : [], length(var.api_access_cidrs) > 0 ? var.api_access_cidrs : [var.cluster_dns_type != "Private" ? "0.0.0.0/0" : local.vpc_cidr]))
    certificate_arn = local.certificate_arn
    # Private DNS implies an internal API load balancer.
    lb_type             = var.cluster_dns_type == "Private" ? "Internal" : "Public"
    enable_psp          = var.enable_pod_security_policies
    bastion_public_name = var.bastion_public_name
    public_subnet_ids   = local.public_subnet_ids
    private_subnet_ids  = local.private_subnet_ids
    public_subnet_cidrs = local.public_subnet_cidrs
    private_subnet_cidrs = local.private_subnet_cidrs
    # etcd member names come from the per-master data sources.
    etcd_members           = data.null_data_source.master_info.*.outputs.name
    etcd_main_volume_type  = var.etcd_main_storage_type
    etcd_main_volume_iops  = var.etcd_main_storage_iops
    etcd_main_volume_size  = var.etcd_main_storage_size
    etcd_event_volume_type = var.etcd_events_storage_type
    etcd_event_volume_iops = var.etcd_events_storage_iops
    etcd_event_volume_size = var.etcd_events_storage_size
    max_requests_in_flight          = var.max_requests_in_flight
    max_mutating_requests_in_flight = var.max_mutating_requests_in_flight
    # Extra IAM policy attachments/documents for the masters. The inline JSON
    # is re-indented by six spaces (presumably to match the template's nesting);
    # an empty string is passed through untouched.
    has_external_policies      = length(var.external_master_policies) > 0
    external_master_policies   = var.external_master_policies
    additional_master_policies = var.additional_master_policies == "" ? "" : indent(6, var.additional_master_policies)
    # API-server OIDC settings; presumably only emitted by the template when
    # openid_connect_enabled is set — confirm against templates/cluster.yaml.
    openid_connect_enabled = var.openid_connect_enabled
    oidc_issuer_url        = var.oidc_issuer_url
    oidc_client_id         = var.oidc_client_id
    oidc_username_claim    = var.oidc_username_claim
    oidc_username_prefix   = var.oidc_username_prefix
    oidc_groups_claim      = var.oidc_groups_claim
    oidc_groups_prefix     = var.oidc_groups_prefix
    oidc_ca_file           = var.oidc_ca_file
    oidc_ca_content        = var.oidc_ca_content
    oidc_required_claims   = var.oidc_required_claims
  })

  # Instance-group manifests in the order bastion, masters, nodes; consumed one
  # element per instance by null_resource.replace_config.
  kops_configs = concat(
    [data.null_data_source.bastion_instance_group.outputs],
    data.null_data_source.master_instance_groups.*.outputs,
    data.null_data_source.instance_groups.*.outputs,
  )

  # Change detectors shared by the null_resources below: the whole cluster
  # manifest as a JSON string plus an md5 fingerprint of the instance-group
  # manifests. md5 is a cheap change detector here, not an integrity control.
  # Any resource using this map as its triggers stores the full manifest in
  # Terraform state.
  kops_triggers = {
    cluster  = jsonencode(local.kops_cluster_config)
    igs_hash = md5(jsonencode(local.kops_configs))
  }
}
module "ssh_key_pair" {
  # Key pair that null_resource.kops_update_cluster registers with kops as the
  # cluster's `admin` SSH public key. Per this module's interface the key is
  # generated on the machine running terraform under var.secrets_path/ssh
  # (confirm for the pinned version).
  #
  # `ref=tags/0.9.0` pins a git tag, which the upstream repository can move;
  # pinning the tag's commit SHA instead gives an immutable source reference.
  source = "git::https://github.com/cloudposse/terraform-aws-key-pair.git?ref=tags/0.9.0"

  name       = "kops"
  namespace  = var.namespace
  stage      = var.stage
  attributes = local.attributes
  tags       = local.tags

  generate_ssh_key    = "true"
  ssh_public_key_path = "${var.secrets_path}/ssh"
}
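resource "null_resource" "replace_cluster" {
  # Pushes the rendered cluster manifest (local.kops_cluster_config) into the
  # kops state store with `kops replace --force`. Re-runs whenever the cluster
  # or instance-group manifests change (local.kops_triggers); the manifest is
  # therefore also kept in Terraform state as the `cluster` trigger.
  depends_on = [
    null_resource.wait_for_iam,
    aws_s3_bucket_public_access_block.block,
  ]

  provisioner "local-exec" {
    # KOPS_* settings and, for external accounts, the kops IAM access key.
    environment = local.kops_env_config

    # The manifest is handed to kops through a quoted shell heredoc instead of
    # `echo -e "<json>"`. With the quoted delimiter the shell performs no
    # parameter/command substitution or backslash processing on the manifest
    # text, so `$`, backticks, quotes or literal `\n` inside templated values
    # (policies, addons, OIDC settings) can neither alter the command nor be
    # mangled by echo. It also avoids `echo -e`, which /bin/sh does not support
    # everywhere (dash prints "-e" literally). The manifest must not contain a
    # line consisting solely of the delimiter word.
    command = <<EOT
kops replace --force -f - <<'KOPS_MANIFEST'
${local.kops_cluster_config}
KOPS_MANIFEST
EOT
  }

  triggers = local.kops_triggers
}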
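resource "null_resource" "replace_config" {
  # One instance per instance-group manifest in local.kops_configs (bastion,
  # masters, nodes), each pushed into the kops state store after the cluster
  # manifest. A changed manifest changes the `content` trigger and re-runs it.
  count      = length(local.kops_configs)
  depends_on = [null_resource.replace_cluster]

  provisioner "local-exec" {
    # KOPS_* settings and, for external accounts, the kops IAM access key.
    environment = local.kops_env_config

    # The manifest is fed through a quoted heredoc rather than
    # `echo -e "<yaml>"`: inside double quotes the shell would still expand `$`
    # and backticks found in the rendered YAML and `echo -e` would rewrite
    # backslash sequences; the quoted delimiter passes the text through
    # untouched and does not depend on `echo -e` support in /bin/sh. The
    # manifest must not contain a line consisting solely of the delimiter word.
    command = <<EOT
kops replace --force -f - <<'KOPS_MANIFEST'
${self.triggers.content}
KOPS_MANIFEST
EOT
  }

  triggers = {
    content = local.kops_configs[count.index].rendered
  }
}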
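resource "null_resource" "kops_update_cluster" {
  # Registers the generated public key as the cluster's `admin` SSH key and
  # applies the manifests already placed in the state store. Re-runs when any
  # manifest (local.kops_triggers) or the key file path changes.
  depends_on = [
    null_resource.replace_cluster,
    null_resource.replace_config,
  ]

  provisioner "local-exec" {
    # KOPS_* settings and, for external accounts, the kops IAM access key.
    environment = local.kops_env_config

    # The key path is quoted so a secrets_path containing whitespace cannot be
    # split into several arguments.
    # NOTE(review): the two commands are joined with `;`, so `kops update
    # cluster --yes` runs even if the secret upload fails; switching to `&&`
    # is only safe once it is confirmed that re-registering an existing key
    # exits 0 on the kops version in use.
    command = <<EOF
kops create secret sshpublickey admin -i "${self.triggers.key_filename}";
kops update cluster --yes
EOF
  }

  triggers = merge(local.kops_triggers, {
    key_filename = module.ssh_key_pair.public_key_filename
  })
}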
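resource "null_resource" "cluster_kops_auth" {
  # Runs scripts/auth.sh (presumably to obtain cluster credentials for the
  # chosen auth method) once the public API record exists and the cluster has
  # been updated.
  depends_on = [
    module.public_api_record.fqdn,
    null_resource.kops_update_cluster,
  ]

  provisioner "local-exec" {
    # KOPS_* settings and, for external accounts, the kops IAM access key.
    environment = local.kops_env_config

    # Every argument is double-quoted so a value containing whitespace or glob
    # characters reaches the script as one word; var.kops_auth_method is
    # caller-supplied. Quoting does not stop `$`/backtick expansion, so the
    # auth method must remain trusted operator configuration.
    command = "\"${self.triggers.path}/scripts/auth.sh\" \"${self.triggers.auth}\" \"${self.triggers.cluster}\""
  }

  triggers = {
    path    = path.module
    cluster = local.cluster_dns
    auth    = var.kops_auth_method
    # uuid() is recomputed on every plan, so with kops_auth_always the trigger
    # always differs and the resource is replaced (script re-run) on each
    # apply; otherwise the constant keeps it stable.
    reauth = var.kops_auth_always ? uuid() : 0
  }
}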
resource "null_resource" "cluster_startup" {
  # Optional readiness gate: when var.enable_kops_validation is set, runs
  # scripts/wait-for-cluster.sh after authentication has succeeded.
  count      = var.enable_kops_validation ? 1 : 0
  depends_on = [null_resource.cluster_kops_auth]

  provisioner "local-exec" {
    # This is only required during the initial setup
    # KOPS_* settings and, for external accounts, the kops IAM access key.
    environment = local.kops_env_config
    command     = "${self.triggers.path}/scripts/wait-for-cluster.sh"
  }

  # The module path is the only trigger, so the wait runs once per module
  # location rather than on every cluster change (see the comment above).
  triggers = {
    path = path.module
  }
}
resource "null_resource" "kops_delete_cluster" {
  # Deletes the kops cluster when this resource is destroyed. It declares no
  # triggers, so it is created once and the destroy-time provisioner fires
  # only on `terraform destroy` or when the resource is removed from config —
  # do not add triggers here, as a trigger change would replace the resource
  # and run the deletion against a live cluster.
  provisioner "local-exec" {
    when    = destroy
    command = "kops delete cluster --yes"
    # NOTE(review): a destroy-time provisioner may only reference `self`,
    # count.index or each.key; referencing a local here is deprecated on
    # Terraform 0.12 and rejected by 0.13 and later. Moving the needed values
    # into triggers would fix that but has the replacement hazard noted above.
    environment = local.kops_env_config
  }
}