feat!: (IAC-1190) Update Providers, Modules, & Binaries

Dockerfile

@@ -1,9 +1,9 @@
-ARG TERRAFORM_VERSION=1.4.5
-ARG AWS_CLI_VERSION=2.11.21
+ARG TERRAFORM_VERSION=1.6.3
+ARG AWS_CLI_VERSION=2.13.33
 FROM hashicorp/terraform:$TERRAFORM_VERSION as terraform
 
 FROM amazon/aws-cli:$AWS_CLI_VERSION
-ARG KUBECTL_VERSION=1.26.7
+ARG KUBECTL_VERSION=1.26.10
 
 WORKDIR /viya4-iac-aws
 

README.md

@@ -47,10 +47,10 @@ The following are also required:
 
 #### Terraform Requirements:
 
-- [Terraform](https://www.terraform.io/downloads.html) v1.4.5
-- [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) - v1.26.7
+- [Terraform](https://www.terraform.io/downloads.html) v1.6.3
+- [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) - v1.26.10
 - [jq](https://stedolan.github.io/jq/) v1.6
-- [AWS CLI](https://aws.amazon.com/cli) (optional; useful as an alternative to the AWS Web Console) v2.7.22
+- [AWS CLI](https://aws.amazon.com/cli) (optional; useful as an alternative to the AWS Web Console) v2.13.33
 
 #### Docker Requirements:
 

docs/user/TerraformAWSAuthentication.md

@@ -1,6 +1,6 @@
 # Authenticating Terraform to Access AWS
 
-In order to create and destroy AWS resources on your behalf, Terraform needs a AWS account that has sufficient permissions to perform all the actions defined in the Terraform manifest. You will need an AWS account IAM user that has at a mininum the permissions listed in [this policy](../../files/policies/devops-iac-eks-policy.json).
+In order to create and destroy AWS resources on your behalf, Terraform needs a AWS account that has sufficient permissions to perform all the actions defined in the Terraform manifest. You will need an AWS account IAM user that has at a minimum the permissions listed in [this policy](../../files/policies/devops-iac-eks-policy.json).
 
 You can either use static credentials (including temporary credentials with session token) or a [profile with a credentials file](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html).
 
@@ -28,7 +28,7 @@ TF_VAR_aws_secret_access_key=<your_aws_secret_access_key>
 TF_VAR_aws_session_token=<your_aws_session_token>
 ```
 
-> **NOTE** `AWS_SESSION_TOKEN` is optional and is only required when using you are using temporary AWS credentials. See the [AWS documention](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html) on environment variables for more information.
+> **NOTE** `AWS_SESSION_TOKEN` is optional and is only required when using you are using temporary AWS credentials. See the [AWS documentation](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html) on environment variables for more information.
 
 ## Using AWS Profile with Credentials File
 

docs/user/TerraformUsage.md

@@ -54,7 +54,7 @@ terraform apply
 
 This command can take a few minutes to complete. Once it has completed, Terraform output values are written to the console. The `kubeconfig` file for the cluster is written to `[prefix]-eks-kubeconfig.conf` in the current directory, `$(pwd)`.
 
-### Display Terrafrom Output
+### Display Terraform Output
 
 Once the cloud resources have been created using the `terraform apply` command, Terraform output values can be displayed again later at any time by running the following command:
 
@@ -68,7 +68,7 @@ After provisioning the infrastructure, you can make additional changes by modify
 
 ### Tear Down Cloud Resources
 
-To destroy all the cloud resources created with the previous comamnds, run the following command:
+To destroy all the cloud resources created with the previous commands, run the following command:
 
 ```bash
 terraform destroy

files/custom-data/additional_userdata.sh

@@ -22,12 +22,12 @@ FILESYSTEM_BLOCK_SIZE=${FILESYSTEM_BLOCK_SIZE:-4096}  # Bytes
 STRIDE=$(expr $RAID_CHUNK_SIZE \* 1024 / $FILESYSTEM_BLOCK_SIZE || true)
 STRIPE_WIDTH=$(expr $SSD_NVME_DEVICE_COUNT \* $STRIDE || true)
 
-# Checking if provisioning already happend
+# Checking if provisioning already happened
 if [[ "$(ls -A /pv-disks)" ]]
 then
   echo 'Volumes already present in "/pv-disks"'
   echo -e "\n$(ls -Al /pv-disks | tail -n +2)\n"
-  echo "I assume that provisioning already happend, doing nothing!"
+  echo "I assume that provisioning already happened, doing nothing!"
   exit 0
 fi
 

locals.tf

@@ -61,7 +61,7 @@ locals {
   # Kubernetes
   kubeconfig_filename = "${local.cluster_name}-kubeconfig.conf"
   kubeconfig_path     = var.iac_tooling == "docker" ? "/workspace/${local.kubeconfig_filename}" : local.kubeconfig_filename
-  kubeconfig_ca_cert  = data.aws_eks_cluster.cluster.certificate_authority[0].data
+  kubeconfig_ca_cert  = module.eks.cluster_certificate_authority_data
 
   # Mapping node_pools to node_groups
   default_node_pool = {
@@ -169,10 +169,10 @@ locals {
 
   postgres_outputs = length(module.postgresql) != 0 ? { for k, v in module.postgresql :
     k => {
-      "server_name" : module.postgresql[k].db_instance_id,
+      "server_name" : module.postgresql[k].db_instance_identifier,
       "fqdn" : module.postgresql[k].db_instance_address,
       "admin" : module.postgresql[k].db_instance_username,
-      "password" : module.postgresql[k].db_instance_password,
+      "password" : local.postgres_servers[k].administrator_password,
       "server_port" : module.postgresql[k].db_instance_port
       "ssl_enforcement_enabled" : local.postgres_servers[k].ssl_enforcement_enabled,
       "internal" : false

main.tf

@@ -17,12 +17,8 @@ provider "aws" {
 
 }
 
-data "aws_eks_cluster" "cluster" {
-  name = module.eks.cluster_id
-}
-
 data "aws_eks_cluster_auth" "cluster" {
-  name = module.eks.cluster_id
+  name = module.eks.cluster_name
 }
 
 data "aws_availability_zones" "available" {}
@@ -62,7 +58,7 @@ provider "kubernetes" {
   # delay the initialization of the k8s provider until the cluster is ready with a defined endpoint value.
   # It establishes a dependency on the entire EKS cluster being ready and also provides a desired input to
   # the kubernetes provider.
-  host                   = data.aws_eks_cluster.cluster.endpoint
+  host                   = module.eks.cluster_endpoint
   cluster_ca_certificate = base64decode(local.kubeconfig_ca_cert)
   token                  = data.aws_eks_cluster_auth.cluster.token
 }
@@ -95,7 +91,7 @@ module "vpc" {
 # EKS Setup - https://github.com/terraform-aws-modules/terraform-aws-eks
 module "eks" {
   source                               = "terraform-aws-modules/eks/aws"
-  version                              = "18.31.2"
+  version                              = "19.19.1"
   cluster_name                         = local.cluster_name
   cluster_version                      = var.kubernetes_version
   cluster_enabled_log_types            = [] # disable cluster control plan logging
@@ -153,6 +149,12 @@ module "eks" {
       ipv6_cidr_blocks = ["::/0"]
     }
   }
+  # We already set our own rules above, no need to use Amazon's defaults.
+  node_security_group_enable_recommended_rules = false
+
+  # enabled by default in v19, setting to false to preserve original behavior.
+  create_kms_key = false
+  cluster_encryption_config = []
 
   ################################################################################
   # Handle BYO IAM Roles & Policies
@@ -161,9 +163,9 @@ module "eks" {
   create_iam_role = var.cluster_iam_role_arn == null ? true : false
   iam_role_arn    = var.cluster_iam_role_arn
 
-  iam_role_additional_policies = [
-    "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
-  ]
+  iam_role_additional_policies = {
+    "additional": "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+  }
 
   ## Use this to define any values that are common and applicable to all Node Groups
   eks_managed_node_group_defaults = {
@@ -220,13 +222,13 @@ module "kubeconfig" {
   ca_crt       = local.kubeconfig_ca_cert
   sg_id        = local.cluster_security_group_id
 
-  depends_on = [module.eks.cluster_id] # The name/id of the EKS cluster. Will block on cluster creation until the cluster is really ready.
+  depends_on = [module.eks.cluster_name] # The name/id of the EKS cluster. Will block on cluster creation until the cluster is really ready.
 }
 
-# Database Setup - https://registry.terraform.io/modules/terraform-aws-modules/rds/aws/5.9.0
+# Database Setup - https://registry.terraform.io/modules/terraform-aws-modules/rds/aws/6.2.0
 module "postgresql" {
   source  = "terraform-aws-modules/rds/aws"
-  version = "5.9.0"
+  version = "6.2.0"
 
   for_each = local.postgres_servers != null ? length(local.postgres_servers) != 0 ? local.postgres_servers : {} : {}
 
@@ -274,11 +276,11 @@ module "postgresql" {
   options    = each.value.options
 
   # Flags for module to flag if postgres should be created or not.
-  create_db_instance        = true
-  create_db_subnet_group    = true
-  create_db_parameter_group = true
-  create_db_option_group    = true
-  create_random_password    = false
+  create_db_instance          = true
+  create_db_subnet_group      = true
+  create_db_parameter_group   = true
+  create_db_option_group      = true
+  manage_master_user_password = false
 
 }
 # Resource Groups - https://www.terraform.io/docs/providers/aws/r/resourcegroups_group.html

modules/aws_autoscaling/main.tf

@@ -6,7 +6,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 5.0"
+      version = "5.25.0"
     }
   }
 }
@@ -69,7 +69,7 @@ resource "aws_iam_policy" "worker_autoscaling" {
 
 module "iam_assumable_role_with_oidc" {
   source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
-  version = "4.24.1"
+  version = "5.30.2"
 
   create_role                   = true
   role_name                     = "${var.prefix}-cluster-autoscaler"

modules/aws_ebs_csi/main.tf

@@ -6,7 +6,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 5.0"
+      version = "5.25.0"
     }
   }
 }
@@ -167,7 +167,7 @@ EOT
 
 module "iam_assumable_role_with_oidc" {
   source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
-  version = "4.24.1"
+  version = "5.30.2"
 
   create_role                    = true
   role_name                      = "${var.prefix}-ebs-csi-role"

modules/aws_vm/main.tf

@@ -7,7 +7,7 @@
 locals {
   device_name = [
     # "/dev/sdb", - NOTE: These are skipped, Ubuntu Server 20.04 LTS
-    # "/dev/sdc",         uses these for ephmeral storage.
+    # "/dev/sdc",         uses these for ephemeral storage.
     "/dev/sdd",
     "/dev/sde",
     "/dev/sdf",

modules/kubeconfig/main.tf

@@ -6,11 +6,11 @@ terraform {
   required_providers {
     kubernetes = {
       source  = "hashicorp/kubernetes"
-      version = "~> 2.20"
+      version = "2.23.0"
     }
     local = {
       source  = "hashicorp/local"
-      version = "~> 2.4"
+      version = "2.4.0"
     }
   }
 }

outputs.tf

@@ -145,7 +145,7 @@ output "ebs_csi_account" {
 }
 
 output "k8s_version" {
-  value = data.aws_eks_cluster.cluster.version
+  value = module.eks.cluster_version
 }
 
 output "aws_shared_credentials_file" {

security.tf

@@ -175,7 +175,7 @@ resource "aws_security_group_rule" "worker_self" {
   count = var.workers_security_group_id == null ? 1 : 0
 
   type              = "ingress"
-  description       = "Allow node to comunicate with each other."
+  description       = "Allow node to communicate with each other."
   from_port         = 0
   protocol          = "-1"
   self              = true

versions.tf

@@ -6,7 +6,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "5.4.0"
+      version = "5.25.0"
     }
     random = {
       source  = "hashicorp/random"
@@ -26,7 +26,7 @@ terraform {
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"
-      version = "2.20.0"
+      version = "2.23.0"
     }
     tls = {
       source  = "hashicorp/tls"