enhancement: Add spot instance and managed node group support (#200)

* enhancement: Add spot instance and managed node group support

* chore: fix references to map functions removed in tf 0.15

* fix: Pin the terraform version in the validation gha workflow because of issues with submodules when using TF 0.15

Author: bmonkman

.github/workflows/terraform.yml

@@ -13,6 +13,9 @@ jobs:
     steps:
     - uses: actions/checkout@v2
     - uses: hashicorp/setup-terraform@v1
+      with:
+        terraform_version: 0.14.8 # Required as of Apr 15 2021 because of breaking changes in tf 0.15
+
     - name: Install Zero
       id: install_zero
       run: |

templates/kubernetes/terraform/environments/prod/main.tf

@@ -106,4 +106,8 @@ module "kubernetes" {
   # Should not be less than 2 for production. 2 can handle a significant amount of traffic and should give a reasonable amount of redundancy in the case of
   # needing to do deployments of the controller or unexpected termination of a node with a controller pod on it.
   nginx_ingress_replicas = 2
+
+  # The Node Termination Handler should be enabled when using spot instances in your cluster, as it is responsible for gracefully draining a node that is due to be terminated.
+  # It can also be used to cleanly handle scheduled maintenance events on On-Demand instances, though it runs as a daemonset, so will run 1 pod on each node in your cluster.
+  enable_node_termination_handler = false
 }

templates/kubernetes/terraform/environments/stage/main.tf

@@ -103,4 +103,8 @@ module "kubernetes" {
   cache_store = "<% index .Params `cacheStore` %>"
 
   nginx_ingress_replicas = 1
+
+  # The Node Termination Handler should be enabled when using spot instances in your cluster, as it is responsible for gracefully draining a node that is due to be terminated.
+  # It can also be used to cleanly handle scheduled maintenance events on On-Demand instances, though it runs as a daemonset, so will run 1 pod on each node in your cluster.
+  enable_node_termination_handler = true
 }

templates/kubernetes/terraform/modules/kubernetes/node_termination_handler.tf

@@ -0,0 +1,23 @@
+locals {
+  termination_handler_namespace = "kube-system"
+  termination_handler_helm_values = {
+    jsonLogging : true
+    enablePrometheusServer : (var.metrics_type == "prometheus") ? 1 : 0
+
+    podMonitor : {
+      create : (var.metrics_type == "prometheus")
+    }
+  }
+}
+
+
+resource "helm_release" "node_termination_handler" {
+  count      = var.enable_node_termination_handler ? 1 : 0
+  name       = "node-termination-handler"
+  repository = "https://aws.github.io/eks-charts"
+  chart      = "aws-node-termination-handler"
+  version    = "0.15.0"
+  namespace  = local.termination_handler_namespace
+  values     = [jsonencode(local.termination_handler_helm_values)]
+}
+

templates/kubernetes/terraform/modules/kubernetes/user_auth.tf

@@ -1,16 +1,7 @@
-locals {
-  # To prevent coupling to rds engine names
-  type_map = {
-    "postgres" : "postgres",
-    "mysql" : "mysql",
-  }
-  db_type          = local.type_map[data.aws_db_instance.database.engine]
-}
-
 module "user_auth" {
-  count = length(var.user_auth)
-  source                      = "commitdev/zero/aws//modules/user_auth"
-  version                     = "0.1.21"
+  count   = length(var.user_auth)
+  source  = "commitdev/zero/aws//modules/user_auth"
+  version = "0.1.21"
 
   name                        = var.user_auth[count.index].name
   auth_namespace              = var.user_auth[count.index].auth_namespace

templates/kubernetes/terraform/modules/kubernetes/variables.tf

@@ -70,7 +70,7 @@ variable "metrics_type" {
 
 variable "application_policy_list" {
   description = "Application policies"
-  type        = list
+  type        = list(any)
   default     = []
 }
 
@@ -153,3 +153,9 @@ variable "nginx_ingress_replicas" {
   type        = number
   default     = 2
 }
+
+variable "enable_node_termination_handler" {
+  description = "The Node Termination Handler should be enabled when using spot instances in your cluster, as it is responsible for gracefully draining a node that is due to be terminated. It can also be used to cleanly handle scheduled maintenance events on On-Demand instances, though it runs as a daemonset, so will run 1 pod on each node in your cluster"
+  type        = bool
+  default     = false
+}

templates/terraform/bootstrap/secrets/main.tf

@@ -20,7 +20,7 @@ module "rds_master_secret_stage" {
   name          = "${local.project}-stage-rds-<% index .Params `randomSeed` %>"
   type          = "random"
   random_length = 32
-  tags          = map("rds", "${local.project}-stage")
+  tags          = { rds: "${local.project}-stage" }
 }
 
 module "rds_master_secret_prod" {
@@ -30,7 +30,7 @@ module "rds_master_secret_prod" {
   name          = "${local.project}-prod-rds-<% index .Params `randomSeed` %>"
   type          = "random"
   random_length = 32
-  tags          = map("rds", "${local.project}-prod")
+  tags          = { rds: "${local.project}-prod" }
 }
 
 module "sendgrid_api_key" {
@@ -41,7 +41,7 @@ module "sendgrid_api_key" {
   name  = "${local.project}-sendgrid-<% index .Params `randomSeed` %>"
   type  = "string"
   value = var.sendgrid_api_key
-  tags  = map("sendgrid", local.project)
+  tags  = { sendgrid: local.project }
 }
 
 module "slack_api_key" {
@@ -52,5 +52,5 @@ module "slack_api_key" {
   name  = "${local.project}-slack-<% index .Params `randomSeed` %>"
   type  = "string"
   value = var.slack_api_key
-  tags  = map("slack", local.project)
+  tags  = { slack: local.project }
 }

templates/terraform/environments/prod/main.tf

@@ -29,7 +29,7 @@ provider "aws" {
   allowed_account_ids = [local.account_id]
 }
 
-# remote state of "shared"
+# remote state of "shared" - contains mostly IAM users that will be shared between environments
 data "terraform_remote_state" "shared" {
   backend = "s3"
   config = {
@@ -56,14 +56,11 @@ module "prod" {
   ecr_repositories = [] # Should be created by the staging environment
 
   # EKS configuration
-  eks_cluster_version      = "1.18"
-  eks_worker_instance_type = "t3.medium"
-  eks_worker_asg_min_size  = 2
-  eks_worker_asg_max_size  = 4
-
-  # EKS-Optimized AMI for your region: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html
-  # https://<% index .Params `region` %>.console.aws.amazon.com/systems-manager/parameters/%252Faws%252Fservice%252Feks%252Foptimized-ami%252F1.18%252Famazon-linux-2%252Frecommended%252Fimage_id/description?region=<% index .Params `region` %>
-  eks_worker_ami = "<% index .Params `eksWorkerAMI` %>"
+  eks_cluster_version       = "1.19"
+  eks_worker_instance_types = ["t3.medium"]
+  eks_worker_asg_min_size   = 2
+  eks_worker_asg_max_size   = 4
+  eks_use_spot_instances    = false
 
   # Hosting configuration. Each domain will have a bucket created for it, but may have mulitple aliases pointing to the same bucket.
   # Note that because of the way terraform handles lists, new records should be added to the end of the list.
@@ -101,11 +98,11 @@ module "prod" {
 
   # Logging configuration
   logging_type = "<% index .Params `loggingType` %>"
-  <% if ne (index .Params `loggingType`) "kibana" %># <% end %>logging_es_version = "7.9"
-  <% if ne (index .Params `loggingType`) "kibana" %># <% end %>logging_az_count = "2"
-  <% if ne (index .Params `loggingType`) "kibana" %># <% end %>logging_es_instance_type = "m5.large.elasticsearch"
-  <% if ne (index .Params `loggingType`) "kibana" %># <% end %>logging_es_instance_count = "2" # Must be a mulitple of the az count
-  <% if ne (index .Params `loggingType`) "kibana" %># <% end %>logging_volume_size_in_gb = "50" # Maximum value is limited by the instance type
+  <% if ne (index .Params `loggingType`) "kibana" %># <% end %>logging_es_version          = "7.9"
+  <% if ne (index .Params `loggingType`) "kibana" %># <% end %>logging_az_count            = "2"
+  <% if ne (index .Params `loggingType`) "kibana" %># <% end %>logging_es_instance_type    = "t2.medium.elasticsearch" # The next larger instance type is "m5.large.elasticsearch" - upgrading an existing cluster may require fully recreating though, as m5.large is the first instance size which supports disk encryption
+  <% if ne (index .Params `loggingType`) "kibana" %># <% end %>logging_es_instance_count   = "2" # Must be a mulitple of the az count
+  <% if ne (index .Params `loggingType`) "kibana" %># <% end %>logging_volume_size_in_gb   = "35" # Maximum value is limited by the instance type
   <% if ne (index .Params `loggingType`) "kibana" %># <% end %>logging_create_service_role = false # If in the same AWS account, this would have already been created by the staging env
   # See https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/aes-limits.html
 
@@ -118,9 +115,11 @@ module "prod" {
   ## Check https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html to compare redis or memcached.
   cache_store = "<% index .Params `cacheStore` %>"
 
+<% if ne (index .Params `cacheStore`) "none" %>
   ## See how to define node and instance type: https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/nodes-select-size.html
   cache_cluster_size  = 1
   cache_instance_type = "cache.r6g.large"
+<% end %>
 
   # Roles configuration
   roles = [

…rm/bootstrap/secrets/eks_creator_user.tf …/environments/shared/eks_creator_user.tftemplates/terraform/bootstrap/secrets/eks_creator_user.tf renamed to templates/terraform/environments/shared/eks_creator_user.tf templates/terraform/bootstrap/secrets/eks_creator_user.tf renamed to templates/terraform/environments/shared/eks_creator_user.tf

@@ -18,7 +18,7 @@ data "aws_iam_policy_document" "assumerole_root_only_policy" {
 
     principals {
       type        = "AWS"
-      identifiers = [local.aws_account_id]
+      identifiers = [local.account_id]
     }
   }
 }
@@ -40,6 +40,7 @@ resource "aws_iam_role_policy" "eks_cluster_creator" {
 # Allow the cluster creator role to create a cluster
 data "aws_iam_policy_document" "eks_manage" {
   statement {
+    effect = "Allow"
     actions = [
       "eks:*",
       "ec2:*",
@@ -60,6 +61,7 @@ data "aws_iam_policy_document" "eks_manage" {
   }
 
   statement {
+    effect = "Allow"
     actions = [
       "iam:GetRole",
       "iam:PassRole",
@@ -70,11 +72,41 @@ data "aws_iam_policy_document" "eks_manage" {
       "iam:AttachRolePolicy",
       "iam:DetachRolePolicy",
       "iam:ListAttachedRolePolicies",
-      "iam:ListRolePolicies"
+      "iam:ListRolePolicies",
+      "iam:CreatePolicy",
+      "iam:GetPolicy",
+      "iam:DeletePolicy",
+      "iam:GetPolicyVersion",
+      "iam:ListPolicyVersions",
     ]
     resources = [
-      "arn:aws:iam::${local.aws_account_id}:role/${local.project}-*",
-      "arn:aws:iam::${local.aws_account_id}:role/k8s-${local.project}-*",
+      "arn:aws:iam::${local.account_id}:role/${local.project}-*",
+      "arn:aws:iam::${local.account_id}:role/k8s-${local.project}-*",
+      "arn:aws:iam::${local.account_id}:policy/${local.project}-*",
     ]
   }
+
+  statement {
+    effect    = "Allow"
+    actions   = ["iam:GetRole"]
+    resources = ["arn:aws:iam::${local.account_id}:role/*"]
+  }
+
+  statement {
+    effect    = "Allow"
+    actions   = ["iam:CreateServiceLinkedRole"]
+    resources = ["*"]
+
+    condition {
+      test     = "StringEquals"
+      variable = "iam:AWSServiceName"
+
+      values = [
+        "eks.amazonaws.com",
+        "eks-nodegroup.amazonaws.com",
+        "eks-fargate.amazonaws.com",
+      ]
+    }
+  }
+
 }

templates/terraform/environments/shared/main.tf

@@ -26,14 +26,14 @@ locals {
   # Users configuration
   ci_user_name = "${local.project}-ci-user"
   users = [
-        {
-          name  = local.ci_user_name
-          roles = [
-            { name = "deployer", environments = ["stage", "prod"] }
-          ]
-          global_roles       = []
-          create_access_keys = true
-    #    },
+    {
+      name = local.ci_user_name
+      roles = [
+        { name = "deployer", environments = ["stage", "prod"] }
+      ]
+      global_roles       = []
+      create_access_keys = true
+    },
     #    {
     #      name  = "dev1"
     #      roles = [
@@ -58,7 +58,7 @@ locals {
     #      ]
     #      global_roles       = ["mfa-required", "console-allowed"]
     #      create_access_keys = false
-        },
+    #    },
   ]
 }
 
@@ -85,7 +85,7 @@ resource "aws_iam_group_membership" "mfa_required_group" {
 
   group = aws_iam_group.mfa_required.name
 
-  depends_on = [ aws_iam_user.access_user ]
+  depends_on = [aws_iam_user.access_user]
 }
 
 resource "aws_iam_group_membership" "console_allowed_group" {
@@ -97,35 +97,38 @@ resource "aws_iam_group_membership" "console_allowed_group" {
 
   group = aws_iam_group.console_allowed.name
 
-  depends_on = [ aws_iam_user.access_user ]
+  depends_on = [aws_iam_user.access_user]
 }
 
 ## Create access/secret key pair and save to secret manager
 resource "aws_iam_access_key" "access_user" {
-  for_each = { for u in local.users : u.name => u.roles if u.create_access_keys}
+  for_each = { for u in local.users : u.name => u.roles if u.create_access_keys }
 
   user = aws_iam_user.access_user[each.key].name
 
-  depends_on = [ aws_iam_user.access_user ]
+  depends_on = [aws_iam_user.access_user]
 }
 
 module "secret_keys" {
   source  = "commitdev/zero/aws//modules/secret"
   version = "0.0.2"
 
-  for_each = { for u in local.users : u.name => u.roles if u.create_access_keys}
+  for_each = { for u in local.users : u.name => u.roles if u.create_access_keys }
 
-  name   = "${each.key}-aws-keys${local.random_seed}"
-  type   = "map"
-  values = map("access_key_id", aws_iam_access_key.access_user[each.key].id, "secret_key", aws_iam_access_key.access_user[each.key].secret)
-  tags   = map("project", local.project)
+  name = "${each.key}-aws-keys${local.random_seed}"
+  type = "map"
+  values = {
+    access_key_id : aws_iam_access_key.access_user[each.key].id,
+    secret_key : aws_iam_access_key.access_user[each.key].secret
+  }
+  tags = { project : local.project }
 
-  depends_on = [ aws_iam_access_key.access_user ]
+  depends_on = [aws_iam_access_key.access_user]
 }
 
 # Enable AWS CloudTrail to help you audit governance, compliance, and operational risk of your AWS account, with logs stored in S3 bucket.
 module "cloudtrail" {
-  source = "commitdev/zero/aws//modules/cloudtrail"
+  source  = "commitdev/zero/aws//modules/cloudtrail"
   version = "0.1.10"
 
   project = local.project
@@ -141,7 +144,7 @@ output "iam_users" {
 
 output "user_role_mapping" {
   value = [
-    for u in local.users: {
+    for u in local.users : {
       name  = u.name
       roles = u.roles
     }