fix: removed keypair module

fix: updated iampolicy principals of kms module feat: added additional_cidr_block
clouddrove · Aug 10, 2023 · 72abff5 · 72abff5
1 parent 1bbff08
commit 72abff5
Show file tree

Hide file tree

Showing 4 changed files with 61 additions and 109 deletions.
diff --git a/_example/aws_managed/example.tf b/_example/aws_managed/example.tf
@@ -3,11 +3,12 @@ provider "aws" {
 }
 
 locals {
-  name           = "clouddrove-eks"
-  region         = "eu-west-1"
-  vpc_cidr_block = module.vpc.vpc_cidr_block
-  environment    = "test"
-  label_order    = ["name", "environment"]
+  name                  = "clouddrove-eks"
+  region                = "eu-west-1"
+  vpc_cidr_block        = module.vpc.vpc_cidr_block
+  additional_cidr_block = "172.16.0.0/16"
+  environment           = "test"
+  label_order           = ["name", "environment"]
   tags = {
     "kubernetes.io/cluster/${module.eks.cluster_name}" = "owned"
   }
@@ -122,20 +123,6 @@ module "subnets" {
   ]
 }
 
-################################################################################
-# Keypair module call
-################################################################################
-module "keypair" {
-  source  = "clouddrove/keypair/aws"
-  version = "1.3.0"
-
-  name            = "${local.name}-key"
-  environment     = local.environment
-  label_order     = local.label_order
-  enable_key_pair = true
-  public_key      = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDc4AjHFctUATtd5of4u9bJtTgkh9bKogSDjxc9QqbylRORxUa422jO+t1ldTVdyqDRKltxQCJb4v23HZc2kssU5uROxpiF2fzgiHXRduL+RtyOtY2J+rNUdCRmHz4WQySblYpgteIJZpVo2smwdek8xSpjoHXhgxxa9hb4pQQwyjtVGEdH8vdYwtxgPZgPVaJgHVeJgVmhjTf2VGTATaeR9txzHsEPxhe/n1y34mQjX0ygEX8x0RZzlGziD1ih3KPaIHcpTVSYYk4LOoMK38vEI67SIMomskKn4yU043s+t9ZriJwk2V9+oU6tJU/5E1rd0SskXUhTypc3/Znc/rkYtLe8s6Uy26LOrBFzlhnCT7YH1XbCv3rEO+Nn184T4BSHeW2up8UJ1SOEd+WzzynXczdXoQcBN2kaz4dYFpRXchsAB6ejZrbEq7wyZvutf11OiS21XQ67+30lEL2WAO4i95e4sI8AdgwJgzrqVcicr3ImE+BRDkndMn5k1LhNGqwMD3Iuoel84xvinPAcElDLiFmL3BJVA/53bAlUmWqvUGW9SL5JpLUmZgE6kp+Tps7D9jpooGGJKmqgJLkJTzAmTSJh0gea/rT5KwI4j169TQD9xl6wFqns4BdQ4dMKHQCgDx8LbEd96l9F9ruWwQ8EAZBe4nIEKTV9ri+04JVhSQ== [email protected]"
-}
-
 # ################################################################################
 # Security Groups module call
 ################################################################################
@@ -152,15 +139,15 @@ module "ssh" {
     from_port   = 22
     protocol    = "tcp"
     to_port     = 22
-    cidr_blocks = [local.vpc_cidr_block, "172.16.0.0/16"]
+    cidr_blocks = [local.vpc_cidr_block, local.additional_cidr_block]
     description = "Allow ssh traffic."
     },
     {
       rule_count  = 2
       from_port   = 27017
       protocol    = "tcp"
       to_port     = 27017
-      cidr_blocks = ["172.16.0.0/16"]
+      cidr_blocks = [local.additional_cidr_block]
       description = "Allow Mongodb traffic."
     }
   ]
@@ -171,15 +158,15 @@ module "ssh" {
     from_port   = 22
     protocol    = "tcp"
     to_port     = 22
-    cidr_blocks = [local.vpc_cidr_block, "172.16.0.0/16"]
+    cidr_blocks = [local.vpc_cidr_block, local.additional_cidr_block]
     description = "Allow ssh outbound traffic."
     },
     {
       rule_count  = 2
       from_port   = 27017
       protocol    = "tcp"
       to_port     = 27017
-      cidr_blocks = ["172.16.0.0/16"]
+      cidr_blocks = [local.additional_cidr_block]
       description = "Allow Mongodb outbound traffic."
   }]
 }
@@ -239,7 +226,7 @@ module "kms" {
   source  = "clouddrove/kms/aws"
   version = "1.3.0"
 
-  name                = "${local.name}-kmss"
+  name                = "${local.name}-kms"
   environment         = local.environment
   label_order         = local.label_order
   enabled             = true
@@ -255,14 +242,15 @@ data "aws_iam_policy_document" "kms" {
     effect = "Allow"
     principals {
       type        = "AWS"
-      identifiers = ["*"]
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
     }
     actions   = ["kms:*"]
     resources = ["*"]
   }
-
 }
 
+data "aws_caller_identity" "current" {}
+
 ################################################################################
 # EKS Module call 
 ################################################################################
@@ -282,12 +270,12 @@ module "eks" {
   subnet_ids                        = module.subnets.private_subnet_id
   allowed_security_groups           = [module.ssh.security_group_id]
   eks_additional_security_group_ids = ["${module.ssh.security_group_id}", "${module.http_https.security_group_id}"]
-  allowed_cidr_blocks               = ["10.0.0.0/16"]
+  allowed_cidr_blocks               = [local.vpc_cidr_block]
+
   # AWS Managed Node Group
   # Node Groups Defaults Values It will Work all Node Groups
   managed_node_group_defaults = {
     subnet_ids                          = module.subnets.private_subnet_id
-    key_name                            = module.keypair.name
     nodes_additional_security_group_ids = [module.ssh.security_group_id]
     tags = {
       "kubernetes.io/cluster/${module.eks.cluster_name}" = "shared"
@@ -310,11 +298,11 @@ module "eks" {
   managed_node_group = {
     critical = {
       name           = "${module.eks.cluster_name}-critical"
-      capacity_type  = "SPOT"
+      capacity_type  = "ON_DEMAND"
       min_size       = 1
       max_size       = 2
       desired_size   = 2
-      instance_types = ["t3.medium"]
+      instance_types = ["t3.medium"]    
     }
 
     application = {

diff --git a/_example/aws_managed_with_fargate/example.tf b/_example/aws_managed_with_fargate/example.tf
@@ -3,11 +3,12 @@ provider "aws" {
 }
 
 locals {
-  name           = "clouddrove-eks"
-  region         = "eu-west-1"
-  vpc_cidr_block = module.vpc.vpc_cidr_block
-  environment    = "test"
-  label_order    = ["name", "environment"]
+  name                  = "clouddrove-eks"
+  region                = "eu-west-1"
+  vpc_cidr_block        = module.vpc.vpc_cidr_block
+  additional_cidr_block = "172.16.0.0/16"
+  environment           = "test"
+  label_order           = ["name", "environment"]
   tags = {
     "kubernetes.io/cluster/${module.eks.cluster_name}" = "owned"
   }
@@ -122,19 +123,6 @@ module "subnets" {
   ]
 }
 
-################################################################################
-# Keypair module call
-################################################################################
-module "keypair" {
-  source  = "clouddrove/keypair/aws"
-  version = "1.3.0"
-
-  name            = "${local.name}-key"
-  environment     = local.environment
-  label_order     = local.label_order
-  enable_key_pair = true
-  public_key      = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDc4AjHFctUATtd5of4u9bJtTgkh9bKogSDjxc9QqbylRORxUa422jO+t1ldTVdyqDRKltxQCJb4v23HZc2kssU5uROxpiF2fzgiHXRduL+RtyOtY2J+rNUdCRmHz4WQySblYpgteIJZpVo2smwdek8xSpjoHXhgxxa9hb4pQQwyjtVGEdH8vdYwtxgPZgPVaJgHVeJgVmhjTf2VGTATaeR9txzHsEPxhe/n1y34mQjX0ygEX8x0RZzlGziD1ih3KPaIHcpTVSYYk4LOoMK38vEI67SIMomskKn4yU043s+t9ZriJwk2V9+oU6tJU/5E1rd0SskXUhTypc3/Znc/rkYtLe8s6Uy26LOrBFzlhnCT7YH1XbCv3rEO+Nn184T4BSHeW2up8UJ1SOEd+WzzynXczdXoQcBN2kaz4dYFpRXchsAB6ejZrbEq7wyZvutf11OiS21XQ67+30lEL2WAO4i95e4sI8AdgwJgzrqVcicr3ImE+BRDkndMn5k1LhNGqwMD3Iuoel84xvinPAcElDLiFmL3BJVA/53bAlUmWqvUGW9SL5JpLUmZgE6kp+Tps7D9jpooGGJKmqgJLkJTzAmTSJh0gea/rT5KwI4j169TQD9xl6wFqns4BdQ4dMKHQCgDx8LbEd96l9F9ruWwQ8EAZBe4nIEKTV9ri+04JVhSQ== [email protected]"
-}
 
 # ################################################################################
 # Security Groups module call
@@ -152,15 +140,15 @@ module "ssh" {
     from_port   = 22
     protocol    = "tcp"
     to_port     = 22
-    cidr_blocks = [local.vpc_cidr_block, "172.16.0.0/16"]
+    cidr_blocks = [local.vpc_cidr_block, local.additional_cidr_block]
     description = "Allow ssh traffic."
     },
     {
       rule_count  = 2
       from_port   = 27017
       protocol    = "tcp"
       to_port     = 27017
-      cidr_blocks = ["172.16.0.0/16"]
+      cidr_blocks = [local.additional_cidr_block]
       description = "Allow Mongodb traffic."
     }
   ]
@@ -171,15 +159,15 @@ module "ssh" {
     from_port   = 22
     protocol    = "tcp"
     to_port     = 22
-    cidr_blocks = [local.vpc_cidr_block, "172.16.0.0/16"]
+    cidr_blocks = [local.vpc_cidr_block, local.additional_cidr_block]
     description = "Allow ssh outbound traffic."
     },
     {
       rule_count  = 2
       from_port   = 27017
       protocol    = "tcp"
       to_port     = 27017
-      cidr_blocks = ["172.16.0.0/16"]
+      cidr_blocks = [local.additional_cidr_block]
       description = "Allow Mongodb outbound traffic."
   }]
 }
@@ -239,7 +227,7 @@ module "kms" {
   source  = "clouddrove/kms/aws"
   version = "1.3.0"
 
-  name                = "${local.name}-kmss"
+  name                = "${local.name}-kms"
   environment         = local.environment
   label_order         = local.label_order
   enabled             = true
@@ -255,14 +243,15 @@ data "aws_iam_policy_document" "kms" {
     effect = "Allow"
     principals {
       type        = "AWS"
-      identifiers = ["*"]
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
     }
     actions   = ["kms:*"]
     resources = ["*"]
   }
-
 }
 
+data "aws_caller_identity" "current" {}
+
 ################################################################################
 # EKS Module call 
 ################################################################################
@@ -282,12 +271,12 @@ module "eks" {
   subnet_ids                        = module.subnets.private_subnet_id
   allowed_security_groups           = [module.ssh.security_group_id]
   eks_additional_security_group_ids = ["${module.ssh.security_group_id}", "${module.http_https.security_group_id}"]
-  allowed_cidr_blocks               = ["10.0.0.0/16"]
+  allowed_cidr_blocks               = [local.vpc_cidr_block]
+
   # AWS Managed Node Group
   # Node Groups Defaults Values It will Work all Node Groups
   managed_node_group_defaults = {
     subnet_ids                          = module.subnets.private_subnet_id
-    key_name                            = module.keypair.name
     nodes_additional_security_group_ids = [module.ssh.security_group_id]
     tags = {
       "kubernetes.io/cluster/${module.eks.cluster_name}" = "shared"

diff --git a/_example/complete/example.tf b/_example/complete/example.tf
@@ -2,10 +2,12 @@ provider "aws" {
   region = local.region
 }
 locals {
-  name        = "clouddrove-eks"
-  region      = "eu-west-1"
-  environment = "test"
-  label_order = ["name", "environment"]
+  name                  = "clouddrove-eks"
+  region                = "eu-west-1"
+  vpc_cidr_block        = module.vpc.vpc_cidr_block
+  additional_cidr_block = "172.16.0.0/16"
+  environment           = "test"
+  label_order           = ["name", "environment"]
   tags = {
     "kubernetes.io/cluster/${module.eks.cluster_name}" = "shared"
   }
@@ -119,20 +121,6 @@ module "subnets" {
   ]
 }
 
-################################################################################
-# Keypair module call
-################################################################################
-module "keypair" {
-  source  = "clouddrove/keypair/aws"
-  version = "1.3.0"
-
-  name        = "${local.name}-key"
-  environment = local.environment
-  label_order = ["name", "environment"]
-
-  enable_key_pair = true
-  public_key      = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDc4AjHFctUATtd5of4u9bJtTgkh9bKogSDjxc9QqbylRORxUa422jO+t1ldTVdyqDRKltxQCJb4v23HZc2kssU5uROxpiF2fzgiHXRduL+RtyOtY2J+rNUdCRmHz4WQySblYpgteIJZpVo2smwdek8xSpjoHXhgxxa9hb4pQQwyjtVGEdH8vdYwtxgPZgPVaJgHVeJgVmhjTf2VGTATaeR9txzHsEPxhe/n1y34mQjX0ygEX8x0RZzlGziD1ih3KPaIHcpTVSYYk4LOoMK38vEI67SIMomskKn4yU043s+t9ZriJwk2V9+oU6tJU/5E1rd0SskXUhTypc3/Znc/rkYtLe8s6Uy26LOrBFzlhnCT7YH1XbCv3rEO+Nn184T4BSHeW2up8UJ1SOEd+WzzynXczdXoQcBN2kaz4dYFpRXchsAB6ejZrbEq7wyZvutf11OiS21XQ67+30lEL2WAO4i95e4sI8AdgwJgzrqVcicr3ImE+BRDkndMn5k1LhNGqwMD3Iuoel84xvinPAcElDLiFmL3BJVA/53bAlUmWqvUGW9SL5JpLUmZgE6kp+Tps7D9jpooGGJKmqgJLkJTzAmTSJh0gea/rT5KwI4j169TQD9xl6wFqns4BdQ4dMKHQCgDx8LbEd96l9F9ruWwQ8EAZBe4nIEKTV9ri+04JVhSQ== [email protected]"
-}
 
 # ################################################################################
 # Security Groups module call
@@ -150,15 +138,15 @@ module "ssh" {
     from_port   = 22
     protocol    = "tcp"
     to_port     = 22
-    cidr_blocks = [module.vpc.vpc_cidr_block, "172.16.0.0/16"]
+    cidr_blocks = [module.vpc.vpc_cidr_block, local.additional_cidr_block]
     description = "Allow ssh traffic."
     },
     {
       rule_count  = 2
       from_port   = 27017
       protocol    = "tcp"
       to_port     = 27017
-      cidr_blocks = ["172.16.0.0/16"]
+      cidr_blocks = [local.additional_cidr_block]
       description = "Allow Mongodb traffic."
     }
   ]
@@ -169,15 +157,15 @@ module "ssh" {
     from_port   = 22
     protocol    = "tcp"
     to_port     = 22
-    cidr_blocks = [module.vpc.vpc_cidr_block, "172.16.0.0/16"]
+    cidr_blocks = [module.vpc.vpc_cidr_block, local.additional_cidr_block]
     description = "Allow ssh outbound traffic."
     },
     {
       rule_count  = 2
       from_port   = 27017
       protocol    = "tcp"
       to_port     = 27017
-      cidr_blocks = ["172.16.0.0/16"]
+      cidr_blocks = [local.additional_cidr_block]
       description = "Allow Mongodb outbound traffic."
   }]
 }
@@ -237,7 +225,7 @@ module "kms" {
   source  = "clouddrove/kms/aws"
   version = "1.3.0"
 
-  name                = "${local.name}-kms-nw"
+  name                = "${local.name}-kms"
   environment         = local.environment
   label_order         = local.label_order
   enabled             = true
@@ -253,14 +241,15 @@ data "aws_iam_policy_document" "kms" {
     effect = "Allow"
     principals {
       type        = "AWS"
-      identifiers = ["*"]
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
     }
     actions   = ["kms:*"]
     resources = ["*"]
   }
-
 }
 
+data "aws_caller_identity" "current" {}
+
 ################################################################################
 # EKS Module call
 ################################################################################
@@ -280,13 +269,12 @@ module "eks" {
   subnet_ids                        = module.subnets.private_subnet_id
   allowed_security_groups           = [module.ssh.security_group_id]
   eks_additional_security_group_ids = ["${module.ssh.security_group_id}", "${module.http_https.security_group_id}"]
-  allowed_cidr_blocks               = ["10.0.0.0/16"]
+  allowed_cidr_blocks               = [local.vpc_cidr_block]
 
   # Self Managed Node Group
   # Node Groups Defaults Values It will Work all Node Groups
   self_node_group_defaults = {
     subnet_ids = module.subnets.private_subnet_id
-    key_name   = module.keypair.name
     propagate_tags = [{
       key                 = "aws-node-termination-handler/managed"
       value               = true
@@ -359,7 +347,6 @@ module "eks" {
   # Node Groups Defaults Values It will Work all Node Groups
   managed_node_group_defaults = {
     subnet_ids                          = module.subnets.private_subnet_id
-    key_name                            = module.keypair.name
     nodes_additional_security_group_ids = [module.ssh.security_group_id]
     tags = {
       "kubernetes.io/cluster/${module.eks.cluster_name}" = "shared"