uc-cdis · emalinowski · Dec 19, 2024 · Dec 4, 2024 · Dec 9, 2024 · Dec 18, 2024
diff --git a/.secrets.baseline b/.secrets.baseline
@@ -3,7 +3,7 @@
     "files": "^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2024-10-03T17:34:00Z",
+  "generated_at": "2024-12-18T18:14:28Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -104,8 +104,22 @@
         "hashed_secret": "83c1003f406f34fba4d6279a948fee3abc802884",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 590,
+        "line_number": 606,
         "type": "Hex High Entropy String"
+      },
+      {
+        "hashed_secret": "5f37b464630ca819545597dfecfe92f9af949024",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 1093,
+        "type": "Base64 High Entropy String"
+      },
+      {
+        "hashed_secret": "7df08c85c2a839267ad00554d22d17a1c616fae4",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 1098,
+        "type": "Base64 High Entropy String"
       }
     ],
     "tf_files/aws/eks/sample.tfvars": [
@@ -200,7 +214,7 @@
         "hashed_secret": "83c1003f406f34fba4d6279a948fee3abc802884",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 119,
+        "line_number": 123,
         "type": "Hex High Entropy String"
       }
     ],
@@ -294,12 +308,44 @@
         "type": "Hex High Entropy String"
       }
     ],
+    "tf_files/aws/modules/waf/variables.tf": [
+      {
+        "hashed_secret": "5f37b464630ca819545597dfecfe92f9af949024",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 19,
+        "type": "Base64 High Entropy String"
+      },
+      {
+        "hashed_secret": "7df08c85c2a839267ad00554d22d17a1c616fae4",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 24,
+        "type": "Base64 High Entropy String"
+      }
+    ],
+    "tf_files/aws/waf/variables.tf": [
+      {
+        "hashed_secret": "5f37b464630ca819545597dfecfe92f9af949024",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 23,
+        "type": "Base64 High Entropy String"
+      },
+      {
+        "hashed_secret": "7df08c85c2a839267ad00554d22d17a1c616fae4",
+        "is_secret": false,
+        "is_verified": false,
+        "line_number": 28,
+        "type": "Base64 High Entropy String"
+      }
+    ],
     "tf_files/gen3/values.tftpl": [
       {
         "hashed_secret": "9b5925ea817163740dfb287a9894e8ab3aba2c18",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 135,
+        "line_number": 143,
         "type": "Secret Keyword"
       }
     ],

diff --git a/tf_files/aws/commons/cloud.tf b/tf_files/aws/commons/cloud.tf
@@ -99,13 +99,6 @@ module "cdis_vpc" {
   commons_log_retention          = var.commons_log_retention
 }
 
-# logs bucket for elb logs
-module "elb_logs" {
-  source          = "../modules/s3-logs"
-  log_bucket_name = "logs-${var.vpc_name}-gen3"
-  environment     = var.vpc_name
-}
-
 
 module "config_files" {
   source                        = "../../shared/modules/k8s_configs"
@@ -131,8 +124,6 @@ module "config_files" {
   sheepdog_indexd_password      = var.sheepdog_indexd_password != "" ? var.sheepdog_indexd_password : random_password.sheepdog_indexd_password.result
   sheepdog_oauth2_client_id     = var.sheepdog_oauth2_client_id
   sheepdog_oauth2_client_secret = var.sheepdog_oauth2_client_secret
-  kube_bucket_name              = aws_s3_bucket.kube_bucket.id
-  logs_bucket_name              = module.elb_logs.log_bucket_name
   gitops_path                   = var.gitops_path
   ssl_certificate_id            = var.aws_cert_name
   aws_user_key                  = module.cdis_vpc.es_user_key

diff --git a/tf_files/aws/commons/eks.tf b/tf_files/aws/commons/eks.tf
@@ -6,6 +6,7 @@ module "eks" {
   ec2_keyname                      = var.ec2_keyname
   instance_type                    = var.instance_type
   peering_cidr                     = var.peering_cidr
+  csoc_managed                     = var.csoc_managed
   secondary_cidr_block             = var.secondary_cidr_block
   users_policy                     = var.users_policy
   worker_drive_size                = var.worker_drive_size
@@ -48,5 +49,6 @@ module "eks" {
   ci_run                           = var.ci_run
   eks_public_access                = var.eks_public_access
   enable_vpc_endpoints             = var.enable_vpc_endpoints
+  spot_linked_role                 = var.spot_linked_role
   depends_on                       = [module.cdis_vpc.vpc_id, module.cdis_vpc.vpc_peering_id, module.cdis_vpc.squid_auto]
 }
diff --git a/tf_files/aws/commons/helm.tf b/tf_files/aws/commons/helm.tf
@@ -55,3 +55,42 @@ module "gen3_deployment" {
   upload_bucket           = var.upload_bucket
   namespace               = var.namespace
 }
+
+
+# Deploy ArgoCD 
+resource helm_release "argocd" {
+  count      = var.deploy_argocd ? 1 : 0
+  name       = "argocd"
+  chart      = "argo-cd"
+  repository = "https://argoproj.github.io/argo-helm"
+  version = var.argocd_version
+  namespace  = var.namespace
+
+  values = [
+    <<-EOT
+    server.basehref: "/argocd/"
+    EOT
+  ]
+}
+
+# Deploy External Secrets Operator
+resource helm_release "external-secrets" {
+  count      = var.deploy_external_secrets_operator ? 1 : 0
+  name       = "external-secrets"
+  chart      = "external-secrets"
+  repository = "https://external-secrets.github.io/kubernetes-external-secrets"
+  version    = var.external_secrets_operator_version
+  namespace  = "external-secrets"
+
+  values = [
+    <<-EOT
+    serviceAccount:
+      create: true
+      name: external-secrets
+    syncPolicy:
+      automated:
+        prune: true
+        selfHeal: true
+    EOT
+  ]
+}
diff --git a/tf_files/aws/commons/kube.tf b/tf_files/aws/commons/kube.tf
@@ -188,49 +188,6 @@ resource "aws_key_pair" "automation_dev" {
   public_key = var.kube_ssh_key
 }
 
-resource "aws_s3_bucket" "kube_bucket" {
-  # S3 buckets are in a global namespace, so dns style naming
-  bucket = "kube-${replace(var.vpc_name, "_", "-")}-gen3"
-
-  tags = {
-    Name         = "kube-${replace(var.vpc_name, "_", "-")}-gen3"
-    Environment  = var.vpc_name
-    Organization = var.organization_name
-  }
-
-  lifecycle {
-    # allow same bucket between stacks
-    ignore_changes = [tags, bucket]
-  }
-}
-
-#resource "aws_s3_bucket_acl" "kube_bucket" {
-#  bucket = aws_s3_bucket.kube_bucket.id
-#  acl    = "private"
-#}
-
-resource "aws_s3_bucket_server_side_encryption_configuration" "kube_bucket" {
-  bucket = aws_s3_bucket.kube_bucket.bucket
-
-  lifecycle {
-    ignore_changes = all
-  }
-
-  rule {
-    apply_server_side_encryption_by_default {
-      sse_algorithm = "AES256"
-    }
-  }
-}
-
-resource "aws_s3_bucket_public_access_block" "kube_bucket_privacy" {
-  bucket                  = aws_s3_bucket.kube_bucket.id
-  block_public_acls       = true
-  block_public_policy     = true
-  ignore_public_acls      = true
-  restrict_public_buckets = true
-}
-
 
 # user.yaml bucket read policy
 # This bucket is in the 'bionimbus' account -

diff --git a/tf_files/aws/commons/variables.tf b/tf_files/aws/commons/variables.tf
@@ -460,6 +460,22 @@ variable "deploy_alarms" {
   default = true
 }
 
+variable "deploy_argocd" {
+  default = true
+}
+
+variable "argocd_version" {
+  default = ""
+}
+
+variable "deploy_external_secrets_operator" {
+  default = true
+}
+
+variable "external_secrets_operator_version" {
+  default = ""
+}
+
 variable "ec2_keyname" {
   default = "[email protected]"
 }
@@ -488,7 +504,7 @@ variable "worker_drive_size" {
 }
 
 variable "eks_version" {
-  default = "1.25"
+  default = "1.31"
 }
 
 variable "workers_subnet_size" {
@@ -649,6 +665,11 @@ variable "es_linked_role" {
   default     = true
 }
 
+
+variable "spot_linked_role" {
+  default = false
+}
+
 ### Aurora
 
 variable "cluster_identifier" {

diff --git a/tf_files/aws/modules/eks/cloud.tf b/tf_files/aws/modules/eks/cloud.tf
@@ -488,6 +488,19 @@ resource "aws_security_group_rule" "https_nodes_to_plane" {
   description              = "from the workers to the control plane"
 }
 
+# CSOC talk to Control plane
+resource "aws_security_group_rule" "https_csoc_to_plane" {
+  count                    = var.csoc_managed ? 1 : 0
+  type                     = "ingress"
+  from_port                = 443
+  to_port                  = 443
+  protocol                 = "tcp"
+  security_group_id        = aws_security_group.eks_control_plane_sg.id
+  cidr_blocks              = [var.peering_cidr]
+  depends_on               = [aws_security_group.eks_nodes_sg, aws_security_group.eks_control_plane_sg]
+  description              = "from the CSOC to the control plane"
+}
+
 # Control plane to the workers
 resource "aws_security_group_rule" "communication_plane_to_nodes" {
   type                     = "ingress"