feat(terraform): various terraform tweaks

.github/workflows/terraform.yml

@@ -8,10 +8,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
+
       - name: Setup Terraform
         uses: hashicorp/setup-terraform@v2
-        with:
-          terraform_version: 1.3.8
+
       - name: Terraform fmt
-        id: fmt
-        run: terraform fmt -check
+        run: make fmt

.gitignore

@@ -4,6 +4,7 @@
 **/.terraform.lock.hcl
 **/terraform.tfstate
 */**/terraform.tfstate.backup
+.plugin-cache/*
 .vscode
 .DS_Store
 deprecated-*

Makefile

@@ -0,0 +1,17 @@
+default: help
+
+.PHONY: help
+help: ## print targets and their descrptions
+	@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
+
+.PHONY: fmt
+fmt: ## terraform fmt
+	terraform fmt -recursive -write .
+
+.PHONY: validate
+validate: ## terraform validate
+	@for dir in $(shell find . -name "*.tf" -not -path "*.terraform*" -printf '%h ' | uniq); do \
+		echo "====> $$dir"; \
+		terraform -chdir=$$dir init -backend=false || exit 1; \
+		terraform -chdir=$$dir validate || exit 1; \
+	done

aws-github/terraform/aws/eks/main.tf

@@ -75,7 +75,7 @@ module "eks" {
   control_plane_subnet_ids = module.vpc.intra_subnets
 
   manage_aws_auth_configmap = true
-  
+
   aws_auth_roles = [
     # managed node group is automatically added to the configmap
     {
@@ -374,7 +374,7 @@ module "argocd" {
     argocd = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
   }
   assume_role_condition_test = "StringLike"
-  allow_self_assume_role = true
+  allow_self_assume_role     = true
   oidc_providers = {
     main = {
       provider_arn               = module.eks.oidc_provider_arn
@@ -605,7 +605,7 @@ module "kubefirst_api" {
     kubefirst = "arn:aws:iam::aws:policy/AmazonEC2FullAccess",
   }
   assume_role_condition_test = "StringLike"
-  allow_self_assume_role = true
+  allow_self_assume_role     = true
   oidc_providers = {
     main = {
       provider_arn               = module.eks.oidc_provider_arn

aws-github/terraform/aws/eks/outputs.tf

@@ -2,6 +2,6 @@ output "node_iam_role_name" {
   value = module.eks.eks_managed_node_groups.default_node_group.iam_role_name
 }
 
-output "external_dns_policy_arn"{
+output "external_dns_policy_arn" {
   value = aws_iam_policy.external_dns.arn
 }

aws-github/terraform/aws/modules/bootstrap/bootstrap.tf

@@ -29,7 +29,7 @@ data "vault_generic_secret" "external_dns" {
 
 resource "kubernetes_secret_v1" "external_dns" {
   metadata {
-    name = "external-dns-secrets"
+    name      = "external-dns-secrets"
     namespace = kubernetes_namespace_v1.external_dns.metadata.0.name
   }
   data = {

aws-github/terraform/aws/modules/workload-cluster/main.tf

@@ -3,8 +3,8 @@ data "aws_availability_zones" "available" {}
 
 locals {
   cluster_version = "1.26"
-  vpc_cidr = "10.0.0.0/16"
-  azs      = slice(data.aws_availability_zones.available.names, 0, 3)
+  vpc_cidr        = "10.0.0.0/16"
+  azs             = slice(data.aws_availability_zones.available.names, 0, 3)
   tags = {
     kubefirst = "true"
   }
@@ -18,14 +18,14 @@ module "iam_node_group_role" {
 
   create_role = true
 
-  role_name_prefix  = "${var.cluster_name}-node-group"
+  role_name_prefix = "${var.cluster_name}-node-group"
 
   custom_role_policy_arns = [
     "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
     "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
     "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
   ]
-   number_of_custom_role_policy_arns = 3
+  number_of_custom_role_policy_arns = 3
 }
 
 module "eks" {
@@ -71,7 +71,7 @@ module "eks" {
   control_plane_subnet_ids = module.vpc.intra_subnets
 
   manage_aws_auth_configmap = false
-  
+
   # aws_auth_roles = [
   #   # managed node group is automatically added to the configmap
   #   {
@@ -437,11 +437,11 @@ resource "vault_generic_secret" "clusters" {
 
   data_json = jsonencode(
     {
-      cluster_ca_certificate  = module.eks.cluster_certificate_authority_data
-      host                    = module.eks.cluster_endpoint
-      cluster_name            = var.cluster_name
-      environment             = var.cluster_name
-      argocd_role_arn         = "arn:aws:iam::<AWS_ACCOUNT_ID>:role/argocd-<CLUSTER_NAME>"
+      cluster_ca_certificate = module.eks.cluster_certificate_authority_data
+      host                   = module.eks.cluster_endpoint
+      cluster_name           = var.cluster_name
+      environment            = var.cluster_name
+      argocd_role_arn        = "arn:aws:iam::<AWS_ACCOUNT_ID>:role/argocd-<CLUSTER_NAME>"
     }
   )
 }

aws-github/terraform/users/modules/user/main.tf

@@ -25,7 +25,7 @@ resource "random_password" "password" {
 }
 
 resource "vault_generic_endpoint" "user" {
-  depends_on = [ vault_generic_endpoint.user_password ] # avoids race condition
+  depends_on           = [vault_generic_endpoint.user_password] # avoids race condition
   path                 = "auth/userpass/users/${var.username}"
   ignore_absent_fields = true
 
@@ -41,7 +41,7 @@ resource "vault_generic_endpoint" "user_password" {
   path                 = "auth/userpass/users/${var.username}"
   ignore_absent_fields = true
   lifecycle {
-    ignore_changes=[data_json]
+    ignore_changes = [data_json]
   }
 
   # note: this resource includes the initial password and only gets applied once
@@ -109,7 +109,7 @@ variable "team_id" {
 }
 
 resource "github_team_membership" "team_membership" {
-  count = var.user_disabled == true ? 0 : 1
+  count    = var.user_disabled == true ? 0 : 1
   team_id  = var.team_id
   username = var.github_username
 }

aws-github/terraform/vault/oidc-clients.tf

@@ -11,7 +11,7 @@ module "argo" {
   redirect_uris = [
     "<ARGO_WORKFLOWS_INGRESS_URL>/oauth2/callback",
   ]
-  secret_mount_path = "secret"
+  secret_mount_path = vault_mount.secret.path
 }
 
 module "argocd" {
@@ -27,7 +27,7 @@ module "argocd" {
   redirect_uris = [
     "<ARGOCD_INGRESS_URL>/auth/callback",
   ]
-  secret_mount_path = "secret"
+  secret_mount_path = vault_mount.secret.path
 }
 
 module "console" {
@@ -43,7 +43,7 @@ module "console" {
   redirect_uris = [
     "https://kubefirst.<DOMAIN_NAME>/api/auth/callback/vault",
   ]
-  secret_mount_path = "secret"
+  secret_mount_path = vault_mount.secret.path
 }
 
 # todo kubectl-oidc

aws-github/terraform/vault/secrets.tf

@@ -5,100 +5,65 @@ resource "random_password" "chartmuseum_password" {
 }
 
 resource "vault_generic_secret" "chartmuseum_secrets" {
-  path = "secret/chartmuseum"
+  path = "${vault_mount.secret.path}/chartmuseum"
 
   data_json = jsonencode(
     {
       BASIC_AUTH_USER = "kbot",
       BASIC_AUTH_PASS = random_password.chartmuseum_password.result,
     }
   )
-
-  depends_on = [vault_mount.secret]
 }
 
 resource "vault_generic_secret" "crossplane_secrets" {
-  path = "secret/crossplane"
+  path = "${vault_mount.secret.path}/crossplane"
 
   data_json = jsonencode(
     {
-      VAULT_ADDR            = "http://vault.vault.svc.cluster.local:8200"
-      VAULT_TOKEN           = var.vault_token
-      password              = var.github_token
-      username              = "<GITHUB_USER>"
+      VAULT_ADDR  = "http://vault.vault.svc.cluster.local:8200"
+      VAULT_TOKEN = var.vault_token
+      password    = var.github_token
+      username    = "<GITHUB_USER>"
     }
   )
-
-  depends_on = [vault_mount.secret]
 }
 
 resource "vault_generic_secret" "docker_config" {
-  path = "secret/dockerconfigjson"
+  path = "${vault_mount.secret.path}/dockerconfigjson"
 
   data_json = jsonencode(
     {
       dockerconfig = jsonencode({ "auths" : { "ghcr.io" : { "auth" : "${var.b64_docker_auth}" } } }),
     }
   )
-
-  depends_on = [vault_mount.secret]
 }
 
 resource "vault_generic_secret" "regsitry_auth" {
-  path = "secret/registry-auth"
+  path = "${vault_mount.secret.path}/registry-auth"
 
   data_json = jsonencode(
     {
       auth = jsonencode({ "auths" : { "ghcr.io" : { "auth" : "${var.b64_docker_auth}" } } }),
     }
   )
-
-  depends_on = [vault_mount.secret]
-}
-resource "vault_generic_secret" "development_metaphor" {
-  path = "secret/development/metaphor"
-  # note: these secrets are not actually sensitive.
-  # do not hardcode passwords in git under normal circumstances.
-  data_json = <<EOT
-{
-  "SECRET_ONE" : "development secret 1",
-  "SECRET_TWO" : "development secret 2"
-}
-EOT
-
-  depends_on = [vault_mount.secret]
-}
-
-resource "vault_generic_secret" "staging_metaphor" {
-  path = "secret/staging/metaphor"
-  # note: these secrets are not actually sensitive.
-  # do not hardcode passwords in git under normal circumstances.
-  data_json = <<EOT
-{
-  "SECRET_ONE" : "staging secret 1",
-  "SECRET_TWO" : "staging secret 2"
 }
-EOT
 
-  depends_on = [vault_mount.secret]
-}
+resource "vault_generic_secret" "metaphor" {
+  for_each = toset(["development", "staging", "production"])
 
-resource "vault_generic_secret" "production_metaphor" {
-  path = "secret/production/metaphor"
+  path = "${vault_mount.secret.path}/${each.key}/metaphor"
   # note: these secrets are not actually sensitive.
   # do not hardcode passwords in git under normal circumstances.
-  data_json = <<EOT
-{
-  "SECRET_ONE" : "production secret 1",
-  "SECRET_TWO" : "production secret 2"
-}
-EOT
-
-  depends_on = [vault_mount.secret]
+  data_json = jsonencode(
+    {
+      SECRET_ONE = "${each.key} secret 1"
+      SECRET_TWO = "${each.key} secret 2"
+    }
+  )
 }
 
 resource "vault_generic_secret" "ci_secrets" {
-  path = "secret/ci-secrets"
+  path = "${vault_mount.secret.path}/ci-secrets"
 
   data_json = jsonencode(
     {
@@ -108,12 +73,10 @@ resource "vault_generic_secret" "ci_secrets" {
       PERSONAL_ACCESS_TOKEN = var.github_token,
     }
   )
-
-  depends_on = [vault_mount.secret]
 }
 
 resource "vault_generic_secret" "atlantis_secrets" {
-  path = "secret/atlantis"
+  path = "${vault_mount.secret.path}/atlantis"
 
   # variables that appear duplicated are for circumstances where both terraform
   # and seperately the terraform provider each need the value
@@ -142,6 +105,4 @@ resource "vault_generic_secret" "atlantis_secrets" {
       VAULT_TOKEN                         = var.vault_token,
     }
   )
-
-  depends_on = [vault_mount.secret]
 }

aws-gitlab/terraform/aws/eks/main.tf

@@ -87,7 +87,7 @@ module "eks" {
     # See https://github.com/aws/containers-roadmap/issues/1666 for more context
     iam_role_attach_cni_policy = true
   }
-  iam_role_additional_policies =  {
+  iam_role_additional_policies = {
 
   }
 

aws-gitlab/terraform/aws/eks/outputs.tf

@@ -2,6 +2,6 @@ output "node_iam_role_name" {
   value = module.eks.eks_managed_node_groups.default_node_group.iam_role_name
 }
 
-output "external_dns_policy_arn"{
+output "external_dns_policy_arn" {
   value = aws_iam_policy.external_dns.arn
 }

aws-gitlab/terraform/users/modules/user/main.tf

@@ -34,7 +34,7 @@ resource "random_password" "password" {
 }
 
 resource "vault_generic_endpoint" "user" {
-  depends_on = [ vault_generic_endpoint.user_password ] # avoids race condition
+  depends_on           = [vault_generic_endpoint.user_password] # avoids race condition
   path                 = "auth/userpass/users/${var.username}"
   ignore_absent_fields = true
 
@@ -50,7 +50,7 @@ resource "vault_generic_endpoint" "user_password" {
   path                 = "auth/userpass/users/${var.username}"
   ignore_absent_fields = true
   lifecycle {
-    ignore_changes=[data_json]
+    ignore_changes = [data_json]
   }
 
   # note: this resource includes the initial password and only gets applied once

aws-gitlab/terraform/vault/oidc-clients.tf

@@ -11,7 +11,7 @@ module "argo" {
   redirect_uris = [
     "<ARGO_WORKFLOWS_INGRESS_URL>/oauth2/callback",
   ]
-  secret_mount_path = "secret"
+  secret_mount_path = vault_mount.secret.path
 }
 
 module "argocd" {
@@ -27,7 +27,7 @@ module "argocd" {
   redirect_uris = [
     "<ARGOCD_INGRESS_URL>/auth/callback",
   ]
-  secret_mount_path = "secret"
+  secret_mount_path = vault_mount.secret.path
 }
 
 module "console" {
@@ -43,7 +43,7 @@ module "console" {
   redirect_uris = [
     "https://kubefirst.<DOMAIN_NAME>/api/auth/callback/vault",
   ]
-  secret_mount_path = "secret"
+  secret_mount_path = vault_mount.secret.path
 }
 
 # todo kubectl-oidc