From d6b31d72b74b3d41cf758283cb1aafc60ca8f426 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Johannes=20W=C3=BCrbach?= Date: Thu, 6 Jun 2024 22:34:44 +0200 Subject: [PATCH] feat: use operator --- README.md | 4 +- main.tf | 9 +- modules/base/README.md | 36 ++++- modules/base/humanitec-agent.tf | 81 ++++++++++ modules/base/humanitec-operator.tf | 138 ++++++++++++++++++ modules/base/humanitec.tf | 5 +- .../manifests/humanitec-secret-store.yaml | 11 ++ modules/base/outputs.tf | 5 + modules/base/providers.tf | 18 ++- modules/base/terraform.tfvars.example | 12 +- modules/base/variables.tf | 12 +- modules/portal-backstage/README.md | 5 + modules/portal-backstage/main.tf | 17 ++- modules/portal-backstage/providers.tf | 4 + .../portal-backstage/terraform.tfvars.example | 5 +- modules/portal-backstage/variables.tf | 5 + providers.tf | 22 +++ terraform.tfvars.example | 2 +- variables.tf | 12 +- 19 files changed, 375 insertions(+), 28 deletions(-) create mode 100644 modules/base/humanitec-agent.tf create mode 100644 modules/base/humanitec-operator.tf create mode 100644 modules/base/manifests/humanitec-secret-store.yaml diff --git a/README.md b/README.md index 10b069c..522857a 100644 --- a/README.md +++ b/README.md @@ -221,8 +221,10 @@ Once you are finished with the reference architecture, you can remove all provis | github | ~> 5.38 | | helm | ~> 2.12 | | humanitec | ~> 1.0 | +| kubectl | ~> 2.0 | | kubernetes | ~> 2.25 | | random | ~> 3.5 | +| tls | ~> 4.0 | ### Providers 
@@ -254,7 +256,7 @@ Once you are finished with the reference architecture, you can remove all provis | aws\_region | AWS region | `string` | n/a | yes | | disk\_size | Disk size in GB to use for EKS nodes | `number` | `20` | no | | github\_org\_id | GitHub org id (required for Backstage) | `string` | `null` | no | -| humanitec\_org\_id | Humanitec Organization ID (required for Backstage) | `string` | `null` | no | +| humanitec\_org\_id | Humanitec Organization ID | `string` | `null` | no | | instance\_types | List of EC2 instances types to use for EKS nodes | `list(string)` |
[
"t3.large"
]
| no | | with\_backstage | Deploy Backstage | `bool` | `false` | no | diff --git a/main.tf b/main.tf index f68e04c..073eb3b 100644 --- a/main.tf +++ b/main.tf @@ -3,9 +3,11 @@ module "base" { source = "./modules/base" - region = var.aws_region - instance_types = var.instance_types - disk_size = var.disk_size + humanitec_org_id = var.humanitec_org_id + aws_account_id = var.aws_account_id + aws_region = var.aws_region + instance_types = var.instance_types + disk_size = var.disk_size } # User used for scaffolding and deploying apps @@ -62,6 +64,7 @@ module "portal_backstage" { humanitec_org_id = var.humanitec_org_id humanitec_ci_service_user_token = humanitec_service_user_token.deployer[0].token + humanitec_secret_store_id = module.base.humanitec_secret_store_id github_org_id = var.github_org_id github_app_client_id = module.github_app[0].client_id diff --git a/modules/base/README.md b/modules/base/README.md index 8b325a6..a138ca2 100644 --- a/modules/base/README.md +++ b/modules/base/README.md @@ -10,21 +10,25 @@ Module that provides the reference architecture. | Name | Version | |------|---------| | terraform | >= 1.3.0 | -| aws | >= 4.50 | +| aws | ~> 5.17 | | helm | ~> 2.12 | | humanitec | ~> 1.0 | -| kubernetes | >= 2.0.3 | +| kubectl | ~> 2.0 | +| kubernetes | ~> 2.0 | | random | ~> 3.5 | +| tls | ~> 4.0 | ### Providers | Name | Version | |------|---------| -| aws | >= 4.50 | +| aws | ~> 5.17 | | helm | ~> 2.12 | | humanitec | ~> 1.0 | -| kubernetes | >= 2.0.3 | +| kubectl | ~> 2.0 | +| kubernetes | ~> 2.0 | | random | ~> 3.5 | +| tls | ~> 4.0 | ### Modules 
@@ -40,18 +44,37 @@ Module that provides the reference architecture. | Name | Type | |------|------| +| [aws_eks_pod_identity_association.humanitec_operator](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_pod_identity_association) | resource | +| [aws_iam_policy.humanitec_operator](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_role.humanitec_operator](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_iam_role.humanitec_svc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy_attachment.humanitec_operator](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [aws_iam_role_policy_attachment.humanitec_svc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [helm_release.humanitec_agent](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [helm_release.humanitec_operator](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | | [helm_release.ingress_nginx](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [humanitec_agent.agent](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/agent) | resource | +| [humanitec_key.operator_public_key](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/key) | resource | | [humanitec_resource_account.cluster_account](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_account) | resource | +| [humanitec_resource_definition.agent](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition) | 
resource | | [humanitec_resource_definition.k8s_cluster_driver](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition) | resource | | [humanitec_resource_definition.k8s_namespace](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition) | resource | +| [humanitec_resource_definition_criteria.agent](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource | | [humanitec_resource_definition_criteria.default_mysql](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource | | [humanitec_resource_definition_criteria.default_postgres](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource | | [humanitec_resource_definition_criteria.k8s_cluster_driver](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource | | [humanitec_resource_definition_criteria.k8s_namespace](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource | +| [humanitec_secretstore.main](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/secretstore) | resource | +| [kubectl_manifest.humanitec_operator_secret_store](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource | +| [kubernetes_namespace.agent-namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | +| [kubernetes_namespace.humanitec_operator](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | +| [kubernetes_secret.humanitec_operator](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource | | 
[random_password.external_id](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource | +| [tls_private_key.agent_private_key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource | +| [tls_private_key.operator_private_key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource | | [aws_elb_hosted_zone_id.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/elb_hosted_zone_id) | data source | +| [aws_iam_policy_document.assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.humanitec_operator](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.instance_assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | | [kubernetes_service.ingress_nginx_controller](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/data-sources/service) | data source | @@ -60,7 +83,10 @@ Module that provides the reference architecture. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| aws\_account\_id | AWS Account (ID) to use | `string` | n/a | yes | +| humanitec\_org\_id | Humanitec Organization ID | `string` | n/a | yes | | additional\_k8s\_access\_entries | Additional access entries add to the k8s aws-auth configmap |
list(object({
id = string
principal_arn = string
groups = list(string)
}))
| `[]` | no | +| aws\_region | AWS Region to deploy into | `string` | `"us-east-1"` | no | | capacity\_type | Defines whether to use ON\_DEMAND or SPOT EC2 instances for EKS nodes | `string` | `"ON_DEMAND"` | no | | cluster\_name | Name for the EKS cluster | `string` | `"ref-arch"` | no | | cluster\_version | Version of the EKS cluster to deploy | `string` | `null` | no | @@ -74,7 +100,6 @@ Module that provides the reference architecture. | node\_group\_desired\_size | Desired number of nodes for the EKS node group | `number` | `3` | no | | node\_group\_max\_size | Maximum number of nodes for the EKS node group | `number` | `3` | no | | node\_group\_min\_size | Minimum number of nodes for the EKS node group | `number` | `2` | no | -| region | AWS Region to deploy into | `string` | `"us-east-1"` | no | | vpc\_name | AWS VPC name | `string` | `"ref-arch"` | no | ### Outputs @@ -88,6 +113,7 @@ Module that provides the reference architecture. | eks\_oidc\_provider\_arn | The ARN of the OIDC Provider | | environment | Name of the environment to be deployed into | | humanitec\_resource\_account\_id | Humanitec resource account id for the cluster | +| humanitec\_secret\_store\_id | Humanitec secret store id | | ingress\_nginx\_external\_dns | External DNS entry for the Nginx ingress controller | | vpc\_id | VPC id | diff --git a/modules/base/humanitec-agent.tf b/modules/base/humanitec-agent.tf new file mode 100644 index 0000000..a05a481 --- /dev/null +++ b/modules/base/humanitec-agent.tf 
@@ -0,0 +1,81 @@
+# Installs the humanitec-agent into the cluster
+
+# More details https://developer.humanitec.com/integration-and-extensions/humanitec-agent/overview/
+
+resource "kubernetes_namespace" "agent-namespace" {
+ metadata {
+ labels = {
+ "app.kubernetes.io/name" = "humanitec-operator"
+ "app.kubernetes.io/instance" = "humanitec-operator"
+ }
+
+ name = "humanitec-agent"
+ }
+}
+
+resource "tls_private_key" "agent_private_key" {
+ algorithm = "RSA"
+ rsa_bits = 4096
+}
+
+locals {
+ agent_id = "${local.res_def_prefix}agent"
+}
+
+resource "humanitec_agent" "agent" {
+ id = local.agent_id
+ description = "reference-architecture-aws"
+ public_keys = [{
+ key = tls_private_key.agent_private_key.public_key_pem
+ }]
+}
+
+resource "helm_release" "humanitec_agent" {
+ name = "humanitec-agent"
+ namespace = kubernetes_namespace.agent-namespace.id
+
+ repository = "oci://ghcr.io/humanitec/charts"
+ chart = "humanitec-agent"
+ version = "1.1.0"
+ wait = true
+ timeout = 300
+
+ set {
+ name = "humanitec.org"
+ value = var.humanitec_org_id
+ }
+
+ set {
+ name = "humanitec.privateKey"
+ value = tls_private_key.agent_private_key.private_key_pem
+ }
+
+ depends_on = [
+ humanitec_agent.agent
+ ]
+}
+
+resource "humanitec_resource_definition" "agent" {
+ id = local.agent_id
+ name = local.agent_id
+ type = "agent"
+
+ driver_type = "humanitec/agent"
+ driver_inputs = {
+ values_string = jsonencode({
+ id = local.agent_id
+ })
+ }
+
+ depends_on = [
+ helm_release.humanitec_agent
+ ]
+}
+
+resource "humanitec_resource_definition_criteria" "agent" {
+ resource_definition_id = humanitec_resource_definition.agent.id
+ res_id = "agent"
+ env_type = var.environment
+
+ force_delete = true
+}
diff --git a/modules/base/humanitec-operator.tf b/modules/base/humanitec-operator.tf
new file mode 100644
index 0000000..66b53c9
--- /dev/null
+++ b/modules/base/humanitec-operator.tf
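Review bot: The agent's private key is handed to the chart through a plain `set` block (`humanitec.privateKey`), which prints the PEM in plan and apply output; use `set_sensitive { name = "humanitec.privateKey" value = tls_private_key.agent_private_key.private_key_pem }` so the helm provider redacts it (the key still lives in Terraform state via `tls_private_key`, so the state backend is what protects it). The labels on `kubernetes_namespace.agent-namespace` are copied from the operator (`app.kubernetes.io/name` and `app.kubernetes.io/instance` both `humanitec-operator`) although the namespace is `humanitec-agent`; label it `humanitec-agent` so selectors and dashboards do not group it with the operator. The resource address `agent-namespace` also breaks the underscore naming used by the rest of the module (`agent_private_key`, `humanitec_agent`).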
@@ -0,0 +1,138 @@ +# Installs the humanitec-operator into the cluster + +# More details https://developer.humanitec.com/integration-and-extensions/humanitec-operator/overview/ + +resource "kubernetes_namespace" "humanitec_operator" { + metadata { + labels = { + "app.kubernetes.io/name" = "humanitec-operator" + "app.kubernetes.io/instance" = "humanitec-operator" + } + + name = "humanitec-operator" + } +} + + +resource "tls_private_key" "operator_private_key" { + algorithm = "RSA" + rsa_bits = 4096 +} + +resource "humanitec_key" "operator_public_key" { + key = tls_private_key.operator_private_key.public_key_pem +} + +resource "kubernetes_secret" "humanitec_operator" { + metadata { + name = "humanitec-operator-private-key" + namespace = kubernetes_namespace.humanitec_operator.id + } + + data = { + privateKey = tls_private_key.operator_private_key.private_key_pem + humanitecOrganisationID = var.humanitec_org_id + } +} + +resource "helm_release" "humanitec_operator" { + name = "humanitec-operator" + namespace = kubernetes_namespace.humanitec_operator.id + + repository = "oci://ghcr.io/humanitec/charts" + chart = "humanitec-operator" + version = "0.2.4" + wait = true + timeout = 300 + + depends_on = [ + humanitec_key.operator_public_key, + kubernetes_secret.humanitec_operator + ] +} + +# Configure the operator to be able to store secrets + +locals { + humanitec_operator_k8s_sa_name = "humanitec-operator-controller-manager" +} + +data "aws_iam_policy_document" "assume_role_policy" { + version = "2012-10-17" + + statement { + actions = ["sts:AssumeRole", "sts:TagSession"] + + principals { + type = "Service" + identifiers = ["pods.eks.amazonaws.com"] + } + } +} + +resource "aws_iam_role" "humanitec_operator" { + name = "humanitec-operator" + description = "Humanitec Operator EKS service account" + assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json +} + +resource "aws_eks_pod_identity_association" "humanitec_operator" { + cluster_name = 
module.aws_eks.cluster_name + namespace = kubernetes_namespace.humanitec_operator.id + service_account = local.humanitec_operator_k8s_sa_name + role_arn = aws_iam_role.humanitec_operator.arn +} + +data "aws_iam_policy_document" "humanitec_operator" { + version = "2012-10-17" + + statement { + actions = [ + "secretsmanager:GetSecretValue", + "secretsmanager:CreateSecret", + "secretsmanager:DeleteSecret", + "secretsmanager:PutSecretValue" + ] + + resources = ["arn:aws:secretsmanager:${var.aws_region}:${var.aws_account_id}:secret:*"] + } +} + +resource "aws_iam_policy" "humanitec_operator" { + name = "humanitec-operator" + description = "Humanitec Operator EKS service account policy" + policy = data.aws_iam_policy_document.humanitec_operator.json +} + +resource "aws_iam_role_policy_attachment" "humanitec_operator" { + role = aws_iam_role.humanitec_operator.name + policy_arn = aws_iam_policy.humanitec_operator.arn +} + + +# Configure a primary secret store + +locals { + humanitec_secret_store_id = var.cluster_name +} + +resource "kubectl_manifest" "humanitec_operator_secret_store" { + yaml_body = templatefile("${path.module}/manifests/humanitec-secret-store.yaml", { + SECRET_STORE_ID = local.humanitec_secret_store_id, + SECRETS_MANAGER_REGION = var.aws_region + }) + override_namespace = kubernetes_namespace.humanitec_operator.id + wait = true + + depends_on = [ + helm_release.humanitec_operator + ] +} + +resource "humanitec_secretstore" "main" { + id = local.humanitec_secret_store_id + primary = true + awssm = { + region = var.aws_region + } +} diff --git a/modules/base/humanitec.tf b/modules/base/humanitec.tf index d950e11..4b29df7 100644 --- a/modules/base/humanitec.tf +++ b/modules/base/humanitec.tf 
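Review bot: `aws_iam_role.humanitec_operator` and `aws_iam_policy.humanitec_operator` use the fixed name `humanitec-operator`, while the secret store id in the same file is derived from `var.cluster_name`; a second cluster in the same account fails with EntityAlreadyExists on the role. Suggest `name = "${var.cluster_name}-humanitec-operator"` on both resources. The attached policy also grants `secretsmanager:CreateSecret`, `PutSecretValue` and `DeleteSecret` on `secret:*` for the whole account and region, so the operator can overwrite or delete secrets it did not create; if the operator stores secrets under a predictable name prefix, narrow the resource ARN to that prefix (the prefix is not visible in this patch), otherwise add a comment above `data.aws_iam_policy_document.humanitec_operator` recording why account-wide write and delete is required.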
@@ -35,11 +35,14 @@ resource "humanitec_resource_definition" "k8s_cluster_driver" { driver_account = humanitec_resource_account.cluster_account.id driver_inputs = { + secrets_string = jsonencode({ + "agent_url" = "$${resources['agent#agent'].outputs.url}" + }) values_string = jsonencode({ "name" = module.aws_eks.cluster_name "loadbalancer" = local.ingress_address "loadbalancer_hosted_zone" = data.aws_elb_hosted_zone_id.main.id - "region" = var.region + "region" = var.aws_region }) } } diff --git a/modules/base/manifests/humanitec-secret-store.yaml b/modules/base/manifests/humanitec-secret-store.yaml new file mode 100644 index 0000000..f823bde --- /dev/null +++ b/modules/base/manifests/humanitec-secret-store.yaml @@ -0,0 +1,11 @@ +apiVersion: humanitec.io/v1alpha1 +kind: SecretStore +metadata: + name: ${SECRET_STORE_ID} + namespace: humanitec-operator + labels: + app.humanitec.io/default-store: "true" +spec: + awssm: + region: ${SECRETS_MANAGER_REGION} + auth: {} diff --git a/modules/base/outputs.tf b/modules/base/outputs.tf index 858ce5e..72ecc55 100644 --- a/modules/base/outputs.tf +++ b/modules/base/outputs.tf @@ -53,3 +53,8 @@ output "humanitec_resource_account_id" { description = "Humanitec resource account id for the cluster" value = humanitec_resource_account.cluster_account.id } + +output "humanitec_secret_store_id" { + description = "Humanitec secret store id" + value = humanitec_secretstore.main.id +} diff --git a/modules/base/providers.tf b/modules/base/providers.tf index 2ff1e62..d893080 100644 --- a/modules/base/providers.tf +++ b/modules/base/providers.tf @@ -2,11 +2,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.50" - } - kubernetes = { - source = "hashicorp/kubernetes" - version = ">= 2.0.3" + version = "~> 5.17" } helm = { source = "hashicorp/helm" 
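Review bot: The SecretStore manifest leaves `auth: {}` without saying where the AWS credentials come from, and a reader of `manifests/humanitec-secret-store.yaml` alone cannot tell; presumably they arrive through the EKS Pod Identity association created in humanitec-operator.tf, so add `# auth is intentionally empty: credentials come from the EKS Pod Identity association on the operator service account` above `auth: {}`. The hard-coded `namespace: humanitec-operator` duplicates the `override_namespace` set on the `kubectl_manifest` resource; either drop it from the template or pass the namespace in as a template variable so the two cannot drift.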
@@ -16,10 +12,22 @@ terraform { source = "humanitec/humanitec" version = "~> 1.0" } + kubectl = { + source = "alekc/kubectl" + version = "~> 2.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + version = "~> 2.0" + } random = { source = "hashicorp/random" version = "~> 3.5" } + tls = { + source = "hashicorp/tls" + version = "~> 4.0" + } } required_version = ">= 1.3.0" } diff --git a/modules/base/terraform.tfvars.example b/modules/base/terraform.tfvars.example index 55132ff..2ab75ff 100644 --- a/modules/base/terraform.tfvars.example +++ b/modules/base/terraform.tfvars.example @@ -2,6 +2,12 @@ # Additional access entries add to the k8s aws-auth configmap additional_k8s_access_entries = [] +# AWS Account (ID) to use +aws_account_id = "" + +# AWS Region to deploy into +aws_region = "us-east-1" + # Defines whether to use ON_DEMAND or SPOT EC2 instances for EKS nodes capacity_type = "ON_DEMAND" @@ -22,6 +28,9 @@ eks_public_access_cidrs = [ # Name of the environment to be deployed into environment = "development" +# Humanitec Organization ID +humanitec_org_id = "" + # Name of the IAM user to create for Humanitec EKS access iam_role_name = "svc-humanitec" @@ -45,8 +54,5 @@ node_group_max_size = 3 # Minimum number of nodes for the EKS node group node_group_min_size = 2 -# AWS Region to deploy into -region = "us-east-1" - # AWS VPC name vpc_name = "ref-arch" \ No newline at end of file diff --git a/modules/base/variables.tf b/modules/base/variables.tf index 76a2db6..079791f 100644 --- a/modules/base/variables.tf +++ b/modules/base/variables.tf 
@@ -1,10 +1,20 @@ +variable "humanitec_org_id" { + description = "Humanitec Organization ID" + type = string +} + variable "eks_public_access_cidrs" { description = "List of CIDRs that can access the EKS cluster's public endpoint" type = list(string) default = ["0.0.0.0/0"] } -variable "region" { +variable "aws_account_id" { + description = "AWS Account (ID) to use" + type = string +} + +variable "aws_region" { description = "AWS Region to deploy into" type = string default = "us-east-1" diff --git a/modules/portal-backstage/README.md b/modules/portal-backstage/README.md index d489b35..a5623c4 100644 --- a/modules/portal-backstage/README.md +++ b/modules/portal-backstage/README.md @@ -10,12 +10,14 @@ This module deploys the [Humanitec Reference Architecture Backstage](https://git | Name | Version | |------|---------| | terraform | >= 1.3.0 | +| aws | ~> 5.17 | | humanitec | ~> 1.0 | ### Providers | Name | Version | |------|---------| +| aws | ~> 5.17 | | humanitec | ~> 1.0 | ### Modules @@ -29,6 +31,8 @@ This module deploys the [Humanitec Reference Architecture Backstage](https://git | Name | Type | |------|------| +| [aws_secretsmanager_secret.backstage_secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource | +| [aws_secretsmanager_secret_version.backstage_secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource | | [humanitec_application.backstage](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/application) | resource | | [humanitec_resource_definition_criteria.backstage_postgres](https://registry.terraform.io/providers/humanitec/humanitec/latest/docs/resources/resource_definition_criteria) | resource | 
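Review bot: `aws_account_id` has no `validation` block, yet it is interpolated into the Secrets Manager resource ARN in humanitec-operator.tf; an empty or mistyped value (the tfvars example ships it as `""`) only surfaces as an ARN that cannot match the intended secrets or as a provider error at apply time. Rejecting anything that is not a 12-digit account id at plan time gives a clear message instead. The new `humanitec_org_id` variable is also inserted above `eks_public_access_cidrs` rather than next to the other inputs it belongs with, which makes the file harder to scan.
```hcl
variable "aws_account_id" {
  description = "AWS Account (ID) to use"
  type        = string

  validation {
    condition     = can(regex("^[0-9]{12}$", var.aws_account_id))
    error_message = "aws_account_id must be a 12-digit AWS account id."
  }
}
```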
@@ -44,4 +48,5 @@ This module deploys the [Humanitec Reference Architecture Backstage](https://git | github\_webhook\_secret | GitHub Webhook Secret | `string` | n/a | yes | | humanitec\_ci\_service\_user\_token | Humanitec CI Service User Token | `string` | n/a | yes | | humanitec\_org\_id | Humanitec Organization ID | `string` | n/a | yes | +| humanitec\_secret\_store\_id | Humanitec Secret Store ID | `string` | n/a | yes | diff --git a/modules/portal-backstage/main.tf b/modules/portal-backstage/main.tf index 1fb79be..cbeb970 100644 --- a/modules/portal-backstage/main.tf +++ b/modules/portal-backstage/main.tf @@ -14,11 +14,26 @@ locals { secret_refs = { for key, value in local.secrets : key => { - value = value + ref = aws_secretsmanager_secret.backstage_secret[key].id + store = var.humanitec_secret_store_id + version = aws_secretsmanager_secret_version.backstage_secret[key].version_id } } } + +resource "aws_secretsmanager_secret" "backstage_secret" { + for_each = local.secrets + name = "humanitec-backstage-${each.key}" +} + +resource "aws_secretsmanager_secret_version" "backstage_secret" { + for_each = local.secrets + + secret_id = aws_secretsmanager_secret.backstage_secret[each.key].id + secret_string = each.value +} + module "portal_backstage" { source = "github.com/humanitec-architecture/shared-terraform-modules?ref=v2024-06-12//modules/portal-backstage" diff --git a/modules/portal-backstage/providers.tf b/modules/portal-backstage/providers.tf index 59d13ba..53aa651 100644 --- a/modules/portal-backstage/providers.tf +++ b/modules/portal-backstage/providers.tf @@ -1,5 +1,9 @@ terraform { required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.17" + } humanitec = { source = "humanitec/humanitec" version = "~> 1.0" diff --git a/modules/portal-backstage/terraform.tfvars.example b/modules/portal-backstage/terraform.tfvars.example index 8b207b4..ff7e76f 100644 --- a/modules/portal-backstage/terraform.tfvars.example 
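Review bot: `aws_secretsmanager_secret.backstage_secret` sets only `name`, so a `terraform destroy` leaves each `humanitec-backstage-*` secret in the default recovery window and the next apply fails because the name is still reserved; for a throwaway reference setup set `recovery_window_in_days = 0`, or document the wait in the module README. The `ref` in `secret_refs` uses `aws_secretsmanager_secret.backstage_secret[key].id`, which is the secret ARN; confirm the Humanitec `awssm` store resolves ARNs rather than names, otherwise `.name` is the value to pass. The `locals` block that holds `secret_refs` starts above this hunk.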
+++ b/modules/portal-backstage/terraform.tfvars.example @@ -21,4 +21,7 @@ github_webhook_secret = "" humanitec_ci_service_user_token = "" # Humanitec Organization ID -humanitec_org_id = "" \ No newline at end of file +humanitec_org_id = "" + +# Humanitec Secret Store ID +humanitec_secret_store_id = "" \ No newline at end of file diff --git a/modules/portal-backstage/variables.tf b/modules/portal-backstage/variables.tf index 4437cf6..264aa95 100644 --- a/modules/portal-backstage/variables.tf +++ b/modules/portal-backstage/variables.tf @@ -9,6 +9,11 @@ variable "humanitec_ci_service_user_token" { sensitive = true } +variable "humanitec_secret_store_id" { + description = "Humanitec Secret Store ID" + type = string +} + variable "github_org_id" { description = "GitHub org id" type = string diff --git a/providers.tf b/providers.tf index 322760f..662e7ec 100644 --- a/providers.tf +++ b/providers.tf @@ -16,6 +16,10 @@ terraform { source = "humanitec/humanitec" version = "~> 1.0" } + kubectl = { + source = "alekc/kubectl" + version = "~> 2.0" + } kubernetes = { source = "hashicorp/kubernetes" version = "~> 2.25" @@ -24,6 +28,10 @@ terraform { source = "hashicorp/random" version = "~> 3.5" } + tls = { + source = "hashicorp/tls" + version = "~> 4.0" + } } required_version = ">= 1.3.0" } @@ -66,3 +74,17 @@ provider "helm" { } } } + +provider "kubectl" { + host = module.base.eks_cluster_endpoint + cluster_ca_certificate = base64decode(module.base.eks_cluster_certificate_authority_data) + + exec { + api_version = "client.authentication.k8s.io/v1beta1" + command = "aws" + # This requires the awscli to be installed locally where Terraform is executed + args = ["eks", "get-token", "--cluster-name", module.base.eks_cluster_name] + } + + load_config_file = false +} diff --git a/terraform.tfvars.example b/terraform.tfvars.example index 6ffb111..7c83c6c 100644 --- a/terraform.tfvars.example +++ b/terraform.tfvars.example 
@@ -11,7 +11,7 @@ disk_size = 20 # GitHub org id (required for Backstage) github_org_id = "" -# Humanitec Organization ID (required for Backstage) +# Humanitec Organization ID humanitec_org_id = "" # List of EC2 instances types to use for EKS nodes diff --git a/variables.tf b/variables.tf index 0f0cc79..5c9f117 100644 --- a/variables.tf +++ b/variables.tf @@ -1,3 +1,9 @@ +variable "humanitec_org_id" { + description = "Humanitec Organization ID" + type = string + default = null +} + variable "aws_account_id" { description = "AWS Account (ID) to use" type = string @@ -33,9 +39,3 @@ variable "github_org_id" { type = string default = null } - -variable "humanitec_org_id" { - description = "Humanitec Organization ID (required for Backstage)" - type = string - default = null -}
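Review bot: `humanitec_org_id` keeps `default = null` after the move, but main.tf in this commit now passes it unconditionally into `module.base`, whose `humanitec_org_id` variable in modules/base/variables.tf has no default and feeds the operator's `kubernetes_secret` data and the agent chart values; with the variable unset the failure will presumably surface as a null-value error inside the base module rather than as a missing-input message. Drop `default = null` here (and the `null` default shown in the README.md table) so `terraform plan` reports the required variable immediately; the description edit already removes the "required for Backstage" qualifier, so making it required matches the commit's intent.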