make EIP, SES and Route53 optional configuration

.github/workflows/cluster.yaml

@@ -1,4 +1,4 @@
-name: Validate Cluster
+name: TF Validate Cluster
 
 on:
   push:

.github/workflows/config.yaml

@@ -1,4 +1,4 @@
-name: Validate Config
+name: TF Validate Config
 
 on:
   push:

README.md

@@ -1,6 +1,11 @@
 # RADAR-K8s-Infrastructure
 This repository aims to provide [IaC](https://en.wikipedia.org/wiki/Infrastructure_as_code) templates for [RADAR-Kubernetes](https://github.com/RADAR-base/RADAR-Kubernetes) users who intend to deploy the platform to Kubernetes clusters supported by cloud providers such as [AWS](https://aws.amazon.com/eks/). 
 
+---
+
+[![Terraform validate](https://github.com/phidatalab/RADAR-K8s-Infrastructure/actions/workflows/cluster.yaml/badge.svg)](https://github.com/phidatalab/RADAR-K8s-Infrastructure/actions/workflows/cluster.yaml/badge.svg)
+[![Terraform validate](https://github.com/phidatalab/RADAR-K8s-Infrastructure/actions/workflows/config.yaml/badge.svg)](https://github.com/phidatalab/RADAR-K8s-Infrastructure/actions/workflows/config.yaml/badge.svg)
+
 # Dependencies
 [Terraform](https://developer.hashicorp.com/terraform/downloads) >= 1.4
 
@@ -19,9 +24,6 @@ export TF_VAR_AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
 export TF_VAR_AWS_SESSION_TOKEN=$AWS_SESSION_TOKEN
 ```
 
-## Configure your domain name (optional)
-To get DNS and SMTP working, you need to replace `change-me-radar-base-dummy-domain.net` with your registered second-level domain name for variable `domain_name` in `variables.tf`.
-
 ## Workspaces
 The definition of resources required for running RADAR-base components is located in the `cluster` directory, while other optional resources are defined in the `config` directory. Please treat each directory as a separate workspace and perform terraform operations individually. The `cluster` resources need to be created and made fully available before you proceed with the creation of the `config` ones.
 | :information_source:  Important Notice  |
@@ -49,6 +51,8 @@ terraform apply --auto-approve
 ```
 
 ## Configure the cluster (optional)
+N.B., to get external DNS, Cert Manager and SMTP working via Route 53 (if chosen as your DNS service), you need to replace `change-me-radar-base-dummy-domain.net` with your registered second-level domain name for variable `domain_name` in `config/variables.tf`.
+
 ```
 cd config
 ```

cluster/eks.tf

@@ -34,42 +34,6 @@ module "ebs_csi_irsa" {
   tags = merge(tomap({ "Name" : "radar-base-ebs-csi-irsa" }), var.common_tags)
 }
 
-module "external_dns_irsa" {
-  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
-  version = "~> 5.0"
-
-  role_name                     = "radar-base-external-dns-irsa"
-  attach_external_dns_policy    = true
-  external_dns_hosted_zone_arns = ["arn:aws:route53:::hostedzone/${aws_route53_zone.primary.id}"]
-
-  oidc_providers = {
-    ex = {
-      provider_arn               = module.eks.oidc_provider_arn
-      namespace_service_accounts = ["kube-system:external-dns"]
-    }
-  }
-
-  tags = merge(tomap({ "Name" : "radar-base-external-dns-irsa" }), var.common_tags)
-}
-
-module "cert_manager_irsa" {
-  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
-  version = "~> 5.0"
-
-  role_name                     = "${var.environment}-radar-base-cert-manager-irsa"
-  attach_cert_manager_policy    = true
-  cert_manager_hosted_zone_arns = ["arn:aws:route53:::hostedzone/${aws_route53_zone.primary.id}"]
-
-  oidc_providers = {
-    main = {
-      provider_arn               = module.eks.oidc_provider_arn
-      namespace_service_accounts = ["kube-system:cert-manager"]
-    }
-  }
-
-  tags = merge(tomap({ "Name" : "radar-base-cert-manager-irsa" }), var.common_tags)
-}
-
 provider "kubernetes" {
   host                   = module.eks.cluster_endpoint
   cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)
@@ -229,7 +193,6 @@ module "eks" {
   ]
 
   tags = merge(tomap({ "Name" : var.eks_cluster_name }), var.common_tags)
-
 }
 
 output "radar_base_eks_cluster_name" {

cluster/iam.tf

@@ -166,32 +166,3 @@ resource "aws_iam_policy" "ecr_pull_through_cache" {
 
   tags = merge(tomap({ "Name" : "radar-base-ecr-pull-through-cache-policy" }), var.common_tags)
 }
-
-resource "aws_iam_user" "smtp_user" {
-  name = "${var.environment}-radar-base-smtp-user"
-  tags = merge(tomap({ "Name" : "radar-base-smtp-user" }), var.common_tags)
-}
-
-resource "aws_iam_access_key" "smtp_user_key" {
-  user = aws_iam_user.smtp_user.name
-}
-
-resource "aws_iam_policy" "smtp_user_policy" {
-  name = "${var.environment}-radar-base-smtp-user-policy"
-
-  policy = jsonencode({
-    Version = "2012-10-17",
-    Statement = [
-      {
-        Effect   = "Allow"
-        Action   = ["ses:SendRawEmail"]
-        Resource = "*"
-      }
-    ]
-  })
-}
-
-resource "aws_iam_user_policy_attachment" "smtp_user_policy_attach" {
-  user       = aws_iam_user.smtp_user.name
-  policy_arn = aws_iam_policy.smtp_user_policy.arn
-}

cluster/variables.tf

@@ -103,9 +103,3 @@ variable "eks_admins_group_users" {
   description = "EKS admin IAM user group"
   default     = []
 }
-
-variable "domain_name" {
-  type        = string
-  description = "Top level domain for deployed applications"
-  default     = "change-me-radar-base-dummy-domain.net"
-}

config/data.tf

@@ -63,3 +63,8 @@ data "aws_eks_node_group" "worker" {
     element(split("-", [for asg in data.aws_autoscaling_groups.main.names : asg if startswith(asg, "eks-worker-")][0]), 2),
   ]) # This is really hacky and there's gonna be a better way of extracting this.
 }
+
+locals {
+  aws_account = element(split(":", data.aws_eks_cluster.main.arn), 4)
+  oidc_issuer = element(split("//", data.aws_eks_cluster.main.identity[0].oidc[0].issuer), 1)
+}

config/karpenter.tf

@@ -1,8 +1,3 @@
-locals {
-  aws_account = element(split(":", data.aws_eks_cluster.main.arn), 4)
-  oidc_issuer = element(split("//", data.aws_eks_cluster.main.identity[0].oidc[0].issuer), 1)
-}
-
 provider "kubernetes" {
   host                   = data.aws_eks_cluster.main.endpoint
   cluster_ca_certificate = base64decode(data.aws_eks_cluster.main.certificate_authority[0].data)

cluster/route53.tf → config/route53.tf

@@ -59,6 +59,42 @@ resource "aws_route53_record" "s3" {
   records = ["${var.environment}.${var.domain_name}"]
 }
 
+module "external_dns_irsa" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+  version = "~> 5.0"
+
+  role_name                     = "${var.environment}-radar-base-external-dns-irsa"
+  attach_external_dns_policy    = true
+  external_dns_hosted_zone_arns = ["arn:aws:route53:::hostedzone/${aws_route53_zone.primary.id}"]
+
+  oidc_providers = {
+    ex = {
+      provider_arn               = join("", ["arn:aws:iam::", local.aws_account, ":oidc-provider/", local.oidc_issuer])
+      namespace_service_accounts = ["kube-system:external-dns"]
+    }
+  }
+
+  tags = merge(tomap({ "Name" : "radar-base-external-dns-irsa" }), var.common_tags)
+}
+
+module "cert_manager_irsa" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+  version = "~> 5.0"
+
+  role_name                     = "${var.environment}-radar-base-cert-manager-irsa"
+  attach_cert_manager_policy    = true
+  cert_manager_hosted_zone_arns = ["arn:aws:route53:::hostedzone/${aws_route53_zone.primary.id}"]
+
+  oidc_providers = {
+    main = {
+      provider_arn               = join("", ["arn:aws:iam::", local.aws_account, ":oidc-provider/", local.oidc_issuer])
+      namespace_service_accounts = ["kube-system:cert-manager"]
+    }
+  }
+
+  tags = merge(tomap({ "Name" : "radar-base-cert-manager-irsa" }), var.common_tags)
+}
+
 output "radar_base_route53_hosted_zone_id" {
   value = aws_route53_zone.primary.zone_id
 }

config/s3.tf

@@ -12,25 +12,70 @@ resource "aws_vpc_endpoint_route_table_association" "route_table_association" {
 
 resource "aws_s3_bucket" "intermediate_output_storage" {
   bucket = "radar-base-${var.environment}-intermediate-output-storage"
-  acl    = "private"
 
   tags = merge(tomap({ "Name" : "radar-base-eks-intermediate-output-storage" }), var.common_tags)
 }
 
+resource "aws_s3_bucket_ownership_controls" "intermediate_output" {
+  bucket = aws_s3_bucket.intermediate_output_storage.id
+  rule {
+    object_ownership = "BucketOwnerPreferred"
+  }
+
+  depends_on = [aws_s3_bucket.intermediate_output_storage]
+}
+
+resource "aws_s3_bucket_acl" "intermediate_output" {
+  bucket = aws_s3_bucket.intermediate_output_storage.id
+  acl    = "private"
+
+  depends_on = [aws_s3_bucket_ownership_controls.intermediate_output]
+}
+
 resource "aws_s3_bucket" "output_storage" {
   bucket = "radar-base-${var.environment}-output-storage"
-  acl    = "private"
 
   tags = merge(tomap({ "Name" : "radar-base-eks-output-storage" }), var.common_tags)
 }
 
+resource "aws_s3_bucket_ownership_controls" "output" {
+  bucket = aws_s3_bucket.output_storage.id
+  rule {
+    object_ownership = "BucketOwnerPreferred"
+  }
+
+  depends_on = [aws_s3_bucket.output_storage]
+}
+
+resource "aws_s3_bucket_acl" "output" {
+  bucket = aws_s3_bucket.output_storage.id
+  acl    = "private"
+
+  depends_on = [aws_s3_bucket_ownership_controls.output]
+}
+
 resource "aws_s3_bucket" "velero_backups" {
   bucket = "radar-base-${var.environment}-velero-backups"
-  acl    = "private"
 
   tags = merge(tomap({ "Name" : "radar-base-eks-velero-backups" }), var.common_tags)
 }
 
+resource "aws_s3_bucket_ownership_controls" "velero" {
+  bucket = aws_s3_bucket.velero_backups.id
+  rule {
+    object_ownership = "BucketOwnerPreferred"
+  }
+
+  depends_on = [aws_s3_bucket.velero_backups]
+}
+
+resource "aws_s3_bucket_acl" "velero" {
+  bucket = aws_s3_bucket.velero_backups.id
+  acl    = "private"
+
+  depends_on = [aws_s3_bucket_ownership_controls.velero]
+}
+
 resource "aws_s3_bucket_server_side_encryption_configuration" "intermediate_output_storage_encryption" {
   bucket = aws_s3_bucket.intermediate_output_storage.id
 

cluster/ses.tf → config/ses.tf

@@ -13,6 +13,8 @@ resource "aws_route53_record" "smtp_dkim_record" {
   type    = "CNAME"
   ttl     = "600"
   records = ["${aws_ses_domain_dkim.smtp_dkim.dkim_tokens[count.index]}.dkim.amazonses.com"]
+
+  depends_on = [aws_route53_zone.primary]
 }
 
 resource "aws_ses_domain_mail_from" "smtp_mail_from" {
@@ -26,6 +28,8 @@ resource "aws_route53_record" "smtp_mail_from_mx" {
   type    = "MX"
   ttl     = "600"
   records = ["10 feedback-smtp.${var.AWS_REGION}.amazonses.com"]
+
+  depends_on = [aws_route53_zone.primary]
 }
 
 resource "aws_route53_record" "smtp_mail_from_txt" {
@@ -34,6 +38,37 @@ resource "aws_route53_record" "smtp_mail_from_txt" {
   type    = "TXT"
   ttl     = "600"
   records = ["v=spf1 include:amazonses.com ~all"]
+
+  depends_on = [aws_route53_zone.primary]
+}
+
+resource "aws_iam_user" "smtp_user" {
+  name = "${var.environment}-radar-base-smtp-user"
+  tags = merge(tomap({ "Name" : "radar-base-smtp-user" }), var.common_tags)
+}
+
+resource "aws_iam_access_key" "smtp_user_key" {
+  user = aws_iam_user.smtp_user.name
+}
+
+resource "aws_iam_policy" "smtp_user_policy" {
+  name = "${var.environment}-radar-base-smtp-user-policy"
+
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect   = "Allow"
+        Action   = ["ses:SendRawEmail"]
+        Resource = "*"
+      }
+    ]
+  })
+}
+
+resource "aws_iam_user_policy_attachment" "smtp_user_policy_attach" {
+  user       = aws_iam_user.smtp_user.name
+  policy_arn = aws_iam_policy.smtp_user_policy.arn
 }
 
 output "radar_base_smtp_username" {

config/variables.tf

@@ -43,6 +43,12 @@ variable "common_tags" {
   }
 }
 
+variable "domain_name" {
+  type        = string
+  description = "Top level domain for deployed applications"
+  default     = "change-me-radar-base-dummy-domain.net"
+}
+
 variable "instance_capacity_type" {
   type        = string
   description = "Capacity type used by EKS managed node groups"