chore: Module terraform rework (#864)

* Initial work to convert Terraform to true modules * Properly handle outputs from lab Terraform * Better handling of missing environment output * Fix EKS pod identity partition data source * Fix kubectl provider in inferentia Terraform * Fix kubectl provider in crossplane Terraform * Fixed OpenSearch module Terraform
aws-samples · Mar 22, 2024 · 33eab94 · 33eab94
1 parent f87df6a
commit 33eab94
Show file tree

Hide file tree

Showing 75 changed files with 1,266 additions and 499 deletions.
diff --git a/lab/bin/reset-environment b/lab/bin/reset-environment
@@ -113,7 +113,7 @@ kubectl wait --for=condition=Ready --timeout=240s pods -l app.kubernetes.io/crea
 
 # Addons
 mkdir -p /eks-workshop/terraform
-cp $manifests_path/.workshop/terraform/base.tf /eks-workshop/terraform
+cp -R $manifests_path/.workshop/terraform/* /eks-workshop/terraform
 
 export TF_VAR_eks_cluster_id="$EKS_CLUSTER_NAME"
 
@@ -126,7 +126,7 @@ tf_dir=$(realpath --relative-to="$PWD" '/eks-workshop/terraform')
 terraform -chdir="$tf_dir" init -upgrade
 terraform -chdir="$tf_dir" destroy --auto-approve
 
-rm -rf /eks-workshop/terraform/addon*.tf
+rm -rf /eks-workshop/terraform/lab
 
 rm -rf /eks-workshop/hooks
 
@@ -138,7 +138,17 @@ if [ ! -z "$module" ]; then
     cp "$module_path/.workshop/cleanup.sh" /eks-workshop/hooks
   fi
 
-  if [ -f "$module_path/.workshop/terraform/addon.tf" ]; then
+  if [ -f "$module_path/.workshop/terraform/main.tf" ]; then
+    logmessage "Creating infrastructure for next lab..."
+
+    rm -rf /eks-workshop/terraform/lab
+
+    cp -R $module_path/.workshop/terraform /eks-workshop/terraform/lab
+
+    terraform -chdir="$tf_dir" init -upgrade
+    terraform -chdir="$tf_dir" apply -refresh=false --auto-approve
+  elif [ -f "$module_path/.workshop/terraform/addon.tf" ]; then
+    # This is the deprecated legacy code path that will be removed
     logmessage "Creating infrastructure for next lab..."
 
     cp -R $module_path/.workshop/terraform/* /eks-workshop/terraform

diff --git a/manifests/.workshop/terraform/base.tf b/manifests/.workshop/terraform/base.tf
@@ -77,11 +77,12 @@ locals {
     env        = var.eks_cluster_id
   }
 
-  eks_cluster_id        = data.aws_eks_cluster.eks_cluster.id
-  eks_oidc_issuer_url   = replace(data.aws_eks_cluster.eks_cluster.identity[0].oidc[0].issuer, "https://", "")
-  eks_cluster_endpoint  = data.aws_eks_cluster.eks_cluster.endpoint
-  eks_cluster_version   = data.aws_eks_cluster.eks_cluster.version
-  eks_oidc_provider_arn = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${local.eks_oidc_issuer_url}"
+  eks_cluster_id            = data.aws_eks_cluster.eks_cluster.id
+  eks_oidc_issuer_url       = replace(data.aws_eks_cluster.eks_cluster.identity[0].oidc[0].issuer, "https://", "")
+  eks_cluster_endpoint      = data.aws_eks_cluster.eks_cluster.endpoint
+  eks_cluster_version       = data.aws_eks_cluster.eks_cluster.version
+  eks_oidc_provider_arn     = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${local.eks_oidc_issuer_url}"
+  cluster_security_group_id = data.aws_eks_cluster.eks_cluster.vpc_config[0].cluster_security_group_id
 
   addon_context = {
     aws_caller_identity_account_id = data.aws_caller_identity.current.account_id
@@ -96,34 +97,4 @@ locals {
     irsa_iam_role_path             = "/"
     irsa_iam_permissions_boundary  = ""
   }
-
-  amazon_container_image_registry_uris = {
-    af-south-1     = "877085696533.dkr.ecr.af-south-1.amazonaws.com",
-    ap-east-1      = "800184023465.dkr.ecr.ap-east-1.amazonaws.com",
-    ap-northeast-1 = "602401143452.dkr.ecr.ap-northeast-1.amazonaws.com",
-    ap-northeast-2 = "602401143452.dkr.ecr.ap-northeast-2.amazonaws.com",
-    ap-northeast-3 = "602401143452.dkr.ecr.ap-northeast-3.amazonaws.com",
-    ap-south-1     = "602401143452.dkr.ecr.ap-south-1.amazonaws.com",
-    ap-southeast-1 = "602401143452.dkr.ecr.ap-southeast-1.amazonaws.com",
-    ap-southeast-2 = "602401143452.dkr.ecr.ap-southeast-2.amazonaws.com",
-    ap-southeast-3 = "296578399912.dkr.ecr.ap-southeast-3.amazonaws.com",
-    ca-central-1   = "602401143452.dkr.ecr.ca-central-1.amazonaws.com",
-    cn-north-1     = "918309763551.dkr.ecr.cn-north-1.amazonaws.com.cn",
-    cn-northwest-1 = "961992271922.dkr.ecr.cn-northwest-1.amazonaws.com.cn",
-    eu-central-1   = "602401143452.dkr.ecr.eu-central-1.amazonaws.com",
-    eu-north-1     = "602401143452.dkr.ecr.eu-north-1.amazonaws.com",
-    eu-south-1     = "590381155156.dkr.ecr.eu-south-1.amazonaws.com",
-    eu-west-1      = "602401143452.dkr.ecr.eu-west-1.amazonaws.com",
-    eu-west-2      = "602401143452.dkr.ecr.eu-west-2.amazonaws.com",
-    eu-west-3      = "602401143452.dkr.ecr.eu-west-3.amazonaws.com",
-    me-south-1     = "558608220178.dkr.ecr.me-south-1.amazonaws.com",
-    me-central-1   = "759879836304.dkr.ecr.me-central-1.amazonaws.com",
-    sa-east-1      = "602401143452.dkr.ecr.sa-east-1.amazonaws.com",
-    us-east-1      = "602401143452.dkr.ecr.us-east-1.amazonaws.com",
-    us-east-2      = "602401143452.dkr.ecr.us-east-2.amazonaws.com",
-    us-gov-east-1  = "151742754352.dkr.ecr.us-gov-east-1.amazonaws.com",
-    us-gov-west-1  = "013241004608.dkr.ecr.us-gov-west-1.amazonaws.com",
-    us-west-1      = "602401143452.dkr.ecr.us-west-1.amazonaws.com",
-    us-west-2      = "602401143452.dkr.ecr.us-west-2.amazonaws.com"
-  }
 }
diff --git a/manifests/.workshop/terraform/lab.tf b/manifests/.workshop/terraform/lab.tf
@@ -0,0 +1,10 @@
+module "lab" {
+  source = "./lab"
+
+  eks_cluster_id            = local.eks_cluster_id
+  eks_cluster_version       = local.eks_cluster_version
+  cluster_security_group_id = local.cluster_security_group_id
+  addon_context             = local.addon_context
+  tags                      = local.tags
+  resources_precreated      = var.resources_precreated
+}
diff --git a/manifests/.workshop/terraform/lab/vars.tf b/manifests/.workshop/terraform/lab/vars.tf
@@ -0,0 +1,23 @@
+variable "eks_cluster_id" {
+  type = string
+}
+
+variable "eks_cluster_version" {
+  type = string
+}
+
+variable "cluster_security_group_id" {
+  type = any
+}
+
+variable "addon_context" {
+  type = any
+}
+
+variable "tags" {
+  type = any
+}
+
+variable "resources_precreated" {
+  type = bool
+}
diff --git a/manifests/.workshop/terraform/outputs.tf b/manifests/.workshop/terraform/outputs.tf
@@ -0,0 +1,3 @@
+output "environment" {
+  value = try(module.lab.environment, "")
+}
diff --git a/...l/inferentia/.workshop/terraform/addon.tf → ...ml/inferentia/.workshop/terraform/main.tf b/...l/inferentia/.workshop/terraform/addon.tf → ...ml/inferentia/.workshop/terraform/main.tf
@@ -1,14 +1,25 @@
+terraform {
+  required_providers {
+    kubectl = {
+      source  = "gavinbunney/kubectl"
+      version = ">= 1.14"
+    }
+  }
+}
+
 provider "aws" {
   region = "us-east-1"
   alias  = "virginia"
 }
 
+data "aws_region" "current" {}
+
 data "aws_ecrpublic_authorization_token" "token" {
   provider = aws.virginia
 }
 
 module "eks_blueprints_addons" {
-  source = "aws-ia/eks-blueprints-addons/aws"
+  source  = "aws-ia/eks-blueprints-addons/aws"
   version = "1.12.0"
 
   enable_karpenter = true
@@ -20,16 +31,16 @@ module "eks_blueprints_addons" {
     repository_password = data.aws_ecrpublic_authorization_token.token.password
   }
 
-  cluster_name      = local.eks_cluster_id
-  cluster_endpoint  = local.eks_cluster_endpoint
-  cluster_version   = local.eks_cluster_version
-  oidc_provider_arn = local.eks_oidc_provider_arn
+  cluster_name      = var.addon_context.eks_cluster_id
+  cluster_endpoint  = var.addon_context.aws_eks_cluster_endpoint
+  cluster_version   = var.eks_cluster_version
+  oidc_provider_arn = var.addon_context.eks_oidc_provider_arn
 }
 
 data "aws_subnets" "private" {
   tags = {
     created-by = "eks-workshop-v2"
-    env        = local.addon_context.eks_cluster_id
+    env        = var.addon_context.eks_cluster_id
   }
 
   filter {
@@ -42,24 +53,24 @@ resource "aws_s3_bucket" "inference" {
   bucket_prefix = "eksworkshop-inference"
   force_destroy = true
 
-  tags = local.tags
+  tags = var.tags
 }
 
 
 module "iam_assumable_role_inference" {
   source                        = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
   version                       = "~> v5.5.0"
   create_role                   = true
-  role_name                     = "${local.addon_context.eks_cluster_id}-inference"
-  provider_url                  = local.addon_context.eks_oidc_issuer_url
+  role_name                     = "${var.addon_context.eks_cluster_id}-inference"
+  provider_url                  = var.addon_context.eks_oidc_issuer_url
   role_policy_arns              = [aws_iam_policy.inference.arn]
   oidc_fully_qualified_subjects = ["system:serviceaccount:aiml:inference"]
 
-  tags = local.tags
+  tags = var.tags
 }
 
 resource "aws_iam_policy" "inference" {
-  name        = "${local.addon_context.eks_cluster_id}-inference"
+  name        = "${var.addon_context.eks_cluster_id}-inference"
   path        = "/"
   description = "IAM policy for the inferenct workload"
 

diff --git a/manifests/modules/aiml/inferentia/.workshop/terraform/vars.tf b/manifests/modules/aiml/inferentia/.workshop/terraform/vars.tf
@@ -0,0 +1,23 @@
+variable "eks_cluster_id" {
+  type = string
+}
+
+variable "eks_cluster_version" {
+  type = string
+}
+
+variable "cluster_security_group_id" {
+  type = any
+}
+
+variable "addon_context" {
+  type = any
+}
+
+variable "tags" {
+  type = any
+}
+
+variable "resources_precreated" {
+  type = bool
+}
diff --git a/...olplanes/ack/.workshop/terraform/addon.tf → ...rolplanes/ack/.workshop/terraform/main.tf b/...olplanes/ack/.workshop/terraform/addon.tf → ...rolplanes/ack/.workshop/terraform/main.tf
@@ -7,6 +7,9 @@ provider "aws" {
   alias  = "virginia"
 }
 
+data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}
+
 data "aws_ecrpublic_authorization_token" "token" {
   provider = aws.virginia
 }
@@ -18,21 +21,21 @@ module "dynamodb_ack_addon" {
   version = "2.1.0"
 
   # Cluster Info
-  cluster_name      = local.addon_context.eks_cluster_id
-  cluster_endpoint  = local.addon_context.aws_eks_cluster_endpoint
-  oidc_provider_arn = local.addon_context.eks_oidc_provider_arn
+  cluster_name      = var.addon_context.eks_cluster_id
+  cluster_endpoint  = var.addon_context.aws_eks_cluster_endpoint
+  oidc_provider_arn = var.addon_context.eks_oidc_provider_arn
 
   ecrpublic_username = data.aws_ecrpublic_authorization_token.token.user_name
   ecrpublic_token    = data.aws_ecrpublic_authorization_token.token.password
 
   # Controllers to enable
   enable_dynamodb = true
 
-  tags = local.tags
+  tags = var.tags
 }
 
 resource "aws_iam_policy" "carts_dynamo" {
-  name        = "${local.addon_context.eks_cluster_id}-carts-dynamo"
+  name        = "${var.addon_context.eks_cluster_id}-carts-dynamo"
   path        = "/"
   description = "DynamoDB policy for AWS Sample Carts Application"
 
@@ -51,7 +54,7 @@ resource "aws_iam_policy" "carts_dynamo" {
   ]
 }
 EOF
-  tags   = local.tags
+  tags   = var.tags
 }
 
 module "eks_blueprints_addons" {
@@ -63,10 +66,10 @@ module "eks_blueprints_addons" {
     wait = true
   }
 
-  cluster_name      = local.addon_context.eks_cluster_id
-  cluster_endpoint  = local.addon_context.aws_eks_cluster_endpoint
-  cluster_version   = local.eks_cluster_version
-  oidc_provider_arn = local.addon_context.eks_oidc_provider_arn
+  cluster_name      = var.addon_context.eks_cluster_id
+  cluster_endpoint  = var.addon_context.aws_eks_cluster_endpoint
+  cluster_version   = var.eks_cluster_version
+  oidc_provider_arn = var.addon_context.eks_oidc_provider_arn
 }
 
 output "environment" {

diff --git a/manifests/modules/automation/controlplanes/ack/.workshop/terraform/vars.tf b/manifests/modules/automation/controlplanes/ack/.workshop/terraform/vars.tf
@@ -0,0 +1,23 @@
+variable "eks_cluster_id" {
+  type = string
+}
+
+variable "eks_cluster_version" {
+  type = string
+}
+
+variable "cluster_security_group_id" {
+  type = any
+}
+
+variable "addon_context" {
+  type = any
+}
+
+variable "tags" {
+  type = any
+}
+
+variable "resources_precreated" {
+  type = bool
+}