6 changes: 3 additions & 3 deletions infrastructure/aws/backend.tf
Expand Up @@ -4,9 +4,9 @@

terraform {
backend "s3" {
bucket = "tf-state-0269fb2df210b43c"
key = "infrastructure.tfstate"
region = "us-east-1"
bucket = "tf-state-0269fb2df210b43c"
key = "infrastructure.tfstate"
region = "us-east-1"
encrypt = true
}
}
6 changes: 3 additions & 3 deletions infrastructure/aws/backend/main.tf
Expand Up @@ -14,9 +14,9 @@ resource "aws_s3_bucket" "tf_state" {
force_destroy = var.force_destroy

tags = {
Name = "Terraform State"
ManagedBy = "Terraform"
Purpose = "Terraform remote state storage"
Name = "Terraform State"
ManagedBy = "Terraform"
Purpose = "Terraform remote state storage"
}
}

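--- a/infrastructure/aws/iam_policies_agent_static_scopes.tf
+++ b/infrastructure/aws/iam_policies_agent_static_scopes.tf
@@ -74,6 +74,18 @@ resource "aws_iam_policy" "agent_static_scopes" {
 "wafv2:GetWebACL"
 ]
 Resource = "arn:aws:wafv2:us-east-1:*:global/webacl/*/*"
 },
+{
+# Lambda@Edge function associations on CloudFront cache behaviors.
+# CloudFront validates these permissions for the caller when
+# creating/updating a distribution that references a Lambda@Edge function.
+Sid = "LambdaEdgeAssociation"
+Effect = "Allow"
+Action = [
+"lambda:GetFunction",
+"lambda:EnableReplication*"
+]
+Resource = "arn:aws:lambda:us-east-1:*:function:*"
+}
 ]
 })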
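Review bot: The new LambdaEdgeAssociation statement's Resource `arn:aws:lambda:us-east-1:*:function:*` leaves the account field as `*`, so the grant is not tied to this account's functions; main.tf in this same module already references `data.aws_caller_identity.current.account_id`, and if that data source is still declared the line can be `Resource = "arn:aws:lambda:us-east-1:${data.aws_caller_identity.current.account_id}:function:*"`. An identity policy alone does not open cross-account access, but scoping the account keeps the statement at least-privilege and matches the intent stated in the comment above it. `lambda:EnableReplication*` is the action form AWS documents for Lambda@Edge, so the trailing wildcard reads as deliberate, but one comment line saying `# EnableReplication* is the action form AWS documents for Lambda@Edge` would spare the next reviewer the lookup. The enclosing aws_iam_policy resource starts and ends outside the hunk.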
146 changes: 77 additions & 69 deletions infrastructure/aws/main.tf
Expand Up @@ -2,11 +2,11 @@
# VPC
###############################################################################
module "vpc" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/vpc?ref=v4.3.0"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/vpc?ref=v4.5.2"

organization = var.organization
account = var.account
vpc = var.vpc
organization = var.organization
account = var.account
vpc = var.vpc
}

###############################################################################
Expand All @@ -18,7 +18,7 @@ module "vpc" {
# aws_vpc_vpc_id / aws_subnets_private_ids references below.
###############################################################################
module "eks" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/eks?ref=v4.3.0"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/eks?ref=v4.5.2"

name = local.cluster_name
aws_vpc_vpc_id = module.vpc.vpc_id
Expand All @@ -39,7 +39,7 @@ module "eks" {
# Route53 DNS
###############################################################################
module "dns" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/dns?ref=v4.3.0"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/dns?ref=v4.5.2"

depends_on = [module.vpc]

Expand All @@ -51,7 +51,7 @@ module "dns" {
# ALB Controller
###############################################################################
module "alb_controller" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/aws_load_balancer_controller?ref=v4.3.0"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/aws_load_balancer_controller?ref=v4.5.2"

depends_on = [module.eks]

Expand All @@ -64,10 +64,10 @@ module "alb_controller" {
# Istio
###############################################################################
module "istio" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/commons/istio?ref=v4.3.0"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/commons/istio?ref=v4.5.2"

service_type = "LoadBalancer"
istiod_replicas = 2
service_type = "LoadBalancer"
istiod_replicas = 2

depends_on = [module.alb_controller]
}
Expand All @@ -76,52 +76,52 @@ module "istio" {
# Prometheus
###############################################################################
module "prometheus" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/commons/prometheus?ref=v4.3.0"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/commons/prometheus?ref=v4.5.2"
}

###############################################################################
# IAM Roles
###############################################################################
module "external_dns_iam" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/external_dns?ref=v4.3.0"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/external_dns?ref=v4.5.2"

hosted_zone_public_id = module.dns.public_zone_id
hosted_zone_private_id = module.dns.private_zone_id
hosted_zone_public_id = module.dns.public_zone_id
hosted_zone_private_id = module.dns.private_zone_id
aws_iam_openid_connect_provider_arn = module.eks.eks_oidc_provider_arn
cluster_name = module.eks.eks_cluster_name
cluster_name = module.eks.eks_cluster_name
}

module "cert_manager_iam" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/cert_manager?ref=v4.3.0"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/cert_manager?ref=v4.5.2"

hosted_zone_public_id = module.dns.public_zone_id
hosted_zone_private_id = module.dns.private_zone_id
hosted_zone_public_id = module.dns.public_zone_id
hosted_zone_private_id = module.dns.private_zone_id
aws_iam_openid_connect_provider_arn = module.eks.eks_oidc_provider_arn
cluster_name = module.eks.eks_cluster_name
cluster_name = module.eks.eks_cluster_name
}

module "alb_controller_iam" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/aws_load_balancer_controller_iam?ref=v4.3.0"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/aws_load_balancer_controller_iam?ref=v4.5.2"

cluster_name = module.eks.eks_cluster_name
aws_iam_openid_connect_provider_arn = module.eks.eks_oidc_provider_arn
}

module "agent_iam" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/agent?ref=v4.3.0"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/agent?ref=v4.5.2"

aws_iam_openid_connect_provider_arn = module.eks.eks_oidc_provider_arn
agent_namespace = var.agent_namespace
cluster_name = module.eks.eks_cluster_name

additional_policies = {
"static_scopes_policy" = aws_iam_policy.agent_static_scopes.arn
"rds_policy"= aws_iam_policy.nullplatform_rds_policy.arn
"rds_secret_manager_policy"= aws_iam_policy.nullplatform_rds_secretsmanager_policy.arn
"rds_s3_policy"= aws_iam_policy.nullplatform_rds_s3_policy.arn
"rds_sg_policy"= aws_iam_policy.nullplatform_rds_sg_policy.arn
"s3_policy"= aws_iam_policy.nullplatform_s3_policy.arn
"s3_iam_policy"= aws_iam_policy.nullplatform_s3_iam_policy.arn
"static_scopes_policy" = aws_iam_policy.agent_static_scopes.arn
"rds_policy" = aws_iam_policy.nullplatform_rds_policy.arn
"rds_secret_manager_policy" = aws_iam_policy.nullplatform_rds_secretsmanager_policy.arn
"rds_s3_policy" = aws_iam_policy.nullplatform_rds_s3_policy.arn
"rds_sg_policy" = aws_iam_policy.nullplatform_rds_sg_policy.arn
"s3_policy" = aws_iam_policy.nullplatform_s3_policy.arn
"s3_iam_policy" = aws_iam_policy.nullplatform_s3_iam_policy.arn
}

# Lambda scope uses assume-role: the agent assumes this dedicated role
Expand All @@ -131,33 +131,48 @@ module "agent_iam" {
assume_role_arns = [aws_iam_role.nullplatform_lambda.arn]
}

module "ecr_iam" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/ecr?ref=v4.3.0"
module "build_user" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/build-user?ref=feat/separate-build-user-from-asset-repositories"

cluster_name = module.eks.eks_cluster_name
}

module "ecr_iam" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/ecr?ref=feat/separate-build-user-from-asset-repositories"

cluster_name = module.eks.eks_cluster_name
build_workflow_group_name = module.build_user.group_name
}

module "s3_assets_iam" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/iam/s3-assets?ref=feat/separate-build-user-from-asset-repositories"

cluster_name = module.eks.eks_cluster_name
build_workflow_group_name = module.build_user.group_name
assets_bucket = "lambda-files-aws-services"
}

###############################################################################
# External DNS
###############################################################################
module "external_dns_public" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/commons/external_dns?ref=v4.3.0"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/commons/external_dns?ref=v4.5.2"

depends_on = [module.alb_controller]

type = "public"
zone_type = "public"
type = "public"
zone_type = "public"
dns_provider_name = var.dns_provider_name
domain_filters = module.dns.public_zone_name
zone_id_filter = module.dns.public_zone_id
policy = var.policy
sources = var.sources
aws_region = var.aws_region
aws_iam_role_arn = module.external_dns_iam.nullplatform_external_dns_role_arn
domain_filters = module.dns.public_zone_name
zone_id_filter = module.dns.public_zone_id
policy = var.policy
sources = var.sources
aws_region = var.aws_region
aws_iam_role_arn = module.external_dns_iam.nullplatform_external_dns_role_arn
}

module "external_dns_private" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/commons/external_dns?ref=v4.3.0"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/commons/external_dns?ref=v4.5.2"

depends_on = [module.alb_controller, module.external_dns_public]

Expand All @@ -177,39 +192,39 @@ module "external_dns_private" {
# Cert Manager
###############################################################################
module "cert_manager" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/commons/cert_manager?ref=v4.3.0"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/commons/cert_manager?ref=v4.5.2"

depends_on = [module.alb_controller]

cloud_provider = var.cloud_provider
aws_sa_arn = module.cert_manager_iam.nullplatform_cert_manager_role_arn
hosted_zone_name = module.dns.public_zone_name
cloud_provider = var.cloud_provider
aws_sa_arn = module.cert_manager_iam.nullplatform_cert_manager_role_arn
hosted_zone_name = module.dns.public_zone_name
private_domain_name = module.dns.private_zone_name
account_slug = var.organization_slug
aws_region = var.aws_region
account_slug = var.organization_slug
aws_region = var.aws_region
}

###############################################################################
# Security
###############################################################################
module "security" {
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/security?ref=v4.3.0"
source = "git::https://github.com/nullplatform/tofu-modules.git//infrastructure/aws/security?ref=v4.5.2"

depends_on = [module.eks]

cluster_name = module.eks.eks_cluster_name
vpc_id = module.vpc.vpc_id
health_check_rules_enabled = true
gateway_internal_enabled = true
cluster_security_group_id = module.eks.eks_cluster_primary_security_group_id
gateway_port = 443
cluster_name = module.eks.eks_cluster_name
vpc_id = module.vpc.vpc_id
health_check_rules_enabled = true
gateway_internal_enabled = true
cluster_security_group_id = module.eks.eks_cluster_primary_security_group_id
gateway_port = 443
}

###############################################################################
# Nullplatform Agent API Key
###############################################################################
module "agent_api_key" {
source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/api_key?ref=v4.3.0"
source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/api_key?ref=v4.5.2"

nrn = var.nrn
type = "agent"
Expand All @@ -219,26 +234,26 @@ module "agent_api_key" {
# Nullplatform Base
###############################################################################
module "base" {
source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/base?ref=v4.3.0"
source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/base?ref=v4.5.2"

np_api_key = module.agent_api_key.api_key
k8s_provider = var.k8s_provider
np_api_key = module.agent_api_key.api_key
k8s_provider = var.k8s_provider
gateway_public_aws_security_group_id = module.security.public_gateway_security_group_id
gateway_private_aws_security_group_id = module.security.private_gateway_security_group_id
gateway_enabled = true
gateway_internal_enabled = true
gateway_public_aws_name = "k8s-np-aws-services-public"
gateway_internal_aws_name = "k8s-np-aws-services-int"

metrics_server_enabled = true
metrics_server_enabled = true

}

###############################################################################
# Nullplatform Agent
###############################################################################
module "agent" {
source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/agent?ref=v4.3.0"
source = "git::https://github.com/nullplatform/tofu-modules.git//nullplatform/agent?ref=v4.5.2"

depends_on = [module.base]

Expand All @@ -262,13 +277,6 @@ module "agent" {
"https://github.com/nullplatform/services-postgresql-k-8-s.git#proposal/align-with-services-s-3",
"https://github.com/nullplatform/scopes-lambda.git#feature/assume-role-support"
]

# Account defaults for the Lambda scope, consumed by the scope's
# assume-role resolution (fallback level 4) and placeholder bootstrap.
extra_envs = {
ASSUME_ROLE_ARN_DEFAULT = aws_iam_role.nullplatform_lambda.arn
PLACEHOLDER_IMAGE_URI_DEFAULT = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.aws_region}.amazonaws.com/aws-lambda/nullplatform-lambda-placeholder:latest-amd64"
}
}

###############################################################################
Expand All @@ -287,8 +295,8 @@ resource "aws_s3_bucket_policy" "static" {
Version = "2012-10-17"
Statement = [
{
Sid = "AllowCloudFrontServicePrincipalReadOnly"
Effect = "Allow"
Sid = "AllowCloudFrontServicePrincipalReadOnly"
Effect = "Allow"
Principal = {
Service = "cloudfront.amazonaws.com"
}
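Review bot: The three new module blocks `build_user`, `ecr_iam` and `s3_assets_iam` in the hunk at `@@ -131,33 +131,48 @@` pin their source to `ref=feat/separate-build-user-from-asset-repositories`, a mutable branch, while every other module in this file is moved to `ref=v4.5.2`. Whatever that branch points to at init time becomes this account's build IAM user, group and policies, so plans are not reproducible and a later push to the branch changes the account's IAM without any change here; once the branch merges these should move to a release tag or commit SHA, and until then a `# TODO: temporary branch ref, pin to a release tag` comment on each of the three `source` lines would mark them as the exception to the file's pinning convention. `assets_bucket = "lambda-files-aws-services"` is the only hard-coded account-specific literal in these blocks; the sibling inputs come from `var.*` or module outputs, so a variable would be consistent with them. The `module "agent"` block whose `extra_envs` is removed starts before its hunk.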
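--- a/infrastructure/aws/outputs.tf
+++ b/infrastructure/aws/outputs.tf
@@ -40,12 +40,18 @@ output "ecr_application_role_arn" {
 }
 
 output "ecr_build_workflow_access_key_id" {
-description = "Access key ID for the CI/CD build workflow IAM user (consumed by nullplatform/asset/ecr)"
-value = module.ecr_iam.build_workflow_access_key_id
+description = "Access key ID for the CI/CD build workflow IAM user (created by the build-user module; consumed by nullplatform/asset/ecr and asset/s3)"
+value = module.build_user.build_workflow_access_key_id
 }
 
 output "ecr_build_workflow_access_key_secret" {
-description = "Secret access key for the CI/CD build workflow IAM user (consumed by nullplatform/asset/ecr)"
-value = module.ecr_iam.build_workflow_access_key_secret
+description = "Secret access key for the CI/CD build workflow IAM user (created by the build-user module; consumed by nullplatform/asset/ecr and asset/s3)"
+value = module.build_user.build_workflow_access_key_secret
 sensitive = true
-}
+}
+
+output "lambda_assume_role_arn" {
+description = "ARN of the Lambda assume-role; consumed by nullplatform-bindings to publish the AWS IAM provider (selector \"lambda\")"
+value = aws_iam_role.nullplatform_lambda.arn
+}
+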
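Review bot: The two build-workflow outputs keep their `ecr_` prefix even though they are now sourced from `module.build_user` and, per the new descriptions, consumed by asset/s3 as well. Renaming would break the `terraform_remote_state` reads in nullplatform-bindings/locals.tf, so if the names stay, a comment such as `# Historical "ecr_" prefix: the key is account-wide, not ECR-specific` above the first output would explain the mismatch. `sensitive = true` on `ecr_build_workflow_access_key_secret` hides the value from plan output but not from the state file, and since nullplatform-bindings reads it through `data.terraform_remote_state`, read access to the state bucket is equivalent to holding this long-lived static key; the description could say so, e.g. `description = "Secret access key for the CI/CD build workflow IAM user (long-lived static key; present in remote state, so state readers can use it)"`.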
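--- a/nullplatform-bindings/locals.tf
+++ b/nullplatform-bindings/locals.tf
@@ -25,15 +25,19 @@ locals {
 service_specification_slug_aws_s3_bucket = local.service_specs["aws_s3_bucket"].slug
 service_specification_slug_postgres_db = local.service_specs["postgres_db_k8s"].slug
 
-vpc_id = data.terraform_remote_state.infrastructure[0].outputs.vpc_id
-vpc_subnets_ids = data.terraform_remote_state.infrastructure[0].outputs.vpc_subnets_ids
-vpc_security_groups_ids = data.terraform_remote_state.infrastructure[0].outputs.vpc_security_groups_ids
+vpc_id = data.terraform_remote_state.infrastructure[0].outputs.vpc_id
+vpc_subnets_ids = data.terraform_remote_state.infrastructure[0].outputs.vpc_subnets_ids
+vpc_security_groups_ids = data.terraform_remote_state.infrastructure[0].outputs.vpc_security_groups_ids
 
 # ECR IAM (created by infrastructure/aws module "ecr_iam", consumed by asset_repository)
 ecr_application_role_arn = data.terraform_remote_state.infrastructure[0].outputs.ecr_application_role_arn
 ecr_build_workflow_access_key_id = data.terraform_remote_state.infrastructure[0].outputs.ecr_build_workflow_access_key_id
 ecr_build_workflow_access_key_secret = data.terraform_remote_state.infrastructure[0].outputs.ecr_build_workflow_access_key_secret
 
+# Lambda assume-role ARN (created in infrastructure/aws), published to the AWS
+# IAM provider below so the Lambda scope resolves it by selector "lambda".
+lambda_assume_role_arn = data.terraform_remote_state.infrastructure[0].outputs.lambda_assume_role_arn
+
 ##############################################################################
 # Notification API keys catalog
 #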
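Review bot: The context comment `# ECR IAM (created by infrastructure/aws module "ecr_iam", consumed by asset_repository)` above the two access-key locals is now stale: outputs.tf in this same commit sources `ecr_build_workflow_access_key_id` and `ecr_build_workflow_access_key_secret` from `module.build_user`, and their new descriptions say asset/s3 consumes them too. Only `ecr_application_role_arn` still matches the comment, so splitting it would keep the two files in agreement, e.g. `# ECR IAM (created by infrastructure/aws module "ecr_iam", consumed by asset_repository)` above the role ARN and `# Build-workflow IAM user keys (created by infrastructure/aws module "build_user"; consumed by the ECR and S3 asset repositories)` above the two keys. The `locals` block starts before the hunk and continues past it.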