mirror of
https://github.com/inspec/inspec
synced 2024-12-03 01:49:37 +00:00
b3fafab1e6
* add aws_eks_cluster Signed-off-by: Timothy van Zadelhoff timothy.inspec@theothersolution.nl * disable ABC check on fetch_from_api Signed-off-by: Timothy van Zadelhoff <timothy.inspec@theothersolution.nl> * add status predicates * Change docs for status attribute Signed-off-by: Timothy van Zadelhoff <timothy.inspec@theothersolution.nl> * Add integration tests Signed-off-by: Timothy van Zadelhoff <timothy.inspec@theothersolution.nl> * Adjust EKS build code to almost work Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com> * EKS only uses private subnets - integration tests pass Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com> * Correct AWS Exception class for resource search miss in unit test Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com> * Update unit test to reflect AWS resource-standard miss behavior, returning nil for most properties Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
173 lines
4.7 KiB
HCL
173 lines
4.7 KiB
HCL
# Contains resources and outputs related to testing the aws_eks_cluster resources.
|
|
|
|
#======================================================#
|
|
# EKS variables
|
|
#======================================================#
|
|
variable "eks_map_accounts" {
|
|
description = "Additional AWS account numbers to add to the aws-auth configmap."
|
|
type = "list"
|
|
|
|
default = [
|
|
"777777777777",
|
|
"888888888888",
|
|
]
|
|
}
|
|
|
|
variable "eks_map_roles" {
|
|
description = "Additional IAM roles to add to the aws-auth configmap."
|
|
type = "list"
|
|
|
|
default = [
|
|
{
|
|
role_arn = "arn:aws:iam::66666666666:role/role1"
|
|
username = "role1"
|
|
group = "system:masters"
|
|
},
|
|
]
|
|
}
|
|
|
|
variable "eks_map_users" {
|
|
description = "Additional IAM users to add to the aws-auth configmap."
|
|
type = "list"
|
|
|
|
default = [
|
|
{
|
|
user_arn = "arn:aws:iam::66666666666:user/user1"
|
|
username = "user1"
|
|
group = "system:masters"
|
|
},
|
|
{
|
|
user_arn = "arn:aws:iam::66666666666:user/user2"
|
|
username = "user2"
|
|
group = "system:masters"
|
|
},
|
|
]
|
|
}
|
|
|
|
#======================================================#
|
|
# EKS Cluster
|
|
#======================================================#
|
|
|
|
locals {
|
|
cluster_name = "test-eks-inspec-${terraform.env}"
|
|
|
|
worker_groups = [
|
|
{
|
|
instance_type = "t2.small"
|
|
additional_userdata = "echo foo bar"
|
|
subnets = "${join(",", module.eks_vpc.private_subnets)}"
|
|
additional_security_group_ids = "${aws_security_group.eks_worker_group_mgmt_one.id},${aws_security_group.eks_worker_group_mgmt_two.id}"
|
|
},
|
|
]
|
|
tags = {
|
|
Environment = "test-eks-${terraform.env}"
|
|
}
|
|
}
|
|
|
|
resource "aws_security_group" "eks_worker_group_mgmt_one" {
|
|
name_prefix = "eks_worker_group_mgmt_one-${terraform.env}"
|
|
description = "SG to be applied to all *nix machines"
|
|
vpc_id = "${module.eks_vpc.vpc_id}"
|
|
|
|
ingress {
|
|
from_port = 22
|
|
to_port = 22
|
|
protocol = "tcp"
|
|
|
|
cidr_blocks = [
|
|
"10.0.0.0/8",
|
|
]
|
|
}
|
|
}
|
|
|
|
resource "aws_security_group" "eks_worker_group_mgmt_two" {
|
|
name_prefix = "eks_worker_group_mgmt_two-${terraform.env}"
|
|
vpc_id = "${module.eks_vpc.vpc_id}"
|
|
|
|
ingress {
|
|
from_port = 22
|
|
to_port = 22
|
|
protocol = "tcp"
|
|
|
|
cidr_blocks = [
|
|
"192.168.0.0/16",
|
|
]
|
|
}
|
|
}
|
|
|
|
resource "aws_security_group" "eks_all_worker_mgmt" {
|
|
name_prefix = "eks_all_worker_management-${terraform.env}"
|
|
vpc_id = "${module.eks_vpc.vpc_id}"
|
|
|
|
ingress {
|
|
from_port = 22
|
|
to_port = 22
|
|
protocol = "tcp"
|
|
|
|
cidr_blocks = [
|
|
"10.0.0.0/8",
|
|
"172.16.0.0/12",
|
|
"192.168.0.0/16",
|
|
]
|
|
}
|
|
}
|
|
|
|
module "eks_vpc" {
|
|
source = "terraform-aws-modules/vpc/aws"
|
|
version = "1.14.0"
|
|
name = "eks-test-vpc"
|
|
cidr = "10.0.0.0/16"
|
|
azs = ["${data.aws_availability_zones.available.names[0]}", "${data.aws_availability_zones.available.names[1]}", "${data.aws_availability_zones.available.names[2]}"]
|
|
private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
|
|
public_subnets = []
|
|
enable_nat_gateway = false
|
|
tags = "${merge(local.tags, map("kubernetes.io/cluster/${local.cluster_name}", "shared"))}"
|
|
}
|
|
|
|
output "eks_vpc_id" {
|
|
value = "${module.eks_vpc.vpc_id}"
|
|
}
|
|
|
|
output "eks_vpc_subnets" {
|
|
value = "${module.eks_vpc.private_subnets}"
|
|
}
|
|
|
|
module "eks" {
|
|
source = "terraform-aws-modules/eks/aws"
|
|
version = "1.6.0"
|
|
cluster_name = "${local.cluster_name}"
|
|
subnets = ["${module.eks_vpc.private_subnets}"]
|
|
tags = "${local.tags}"
|
|
vpc_id = "${module.eks_vpc.vpc_id}"
|
|
worker_groups = "${local.worker_groups}"
|
|
worker_group_count = "1"
|
|
worker_additional_security_group_ids = ["${aws_security_group.eks_all_worker_mgmt.id}"]
|
|
map_roles = "${var.eks_map_roles}"
|
|
map_users = "${var.eks_map_users}"
|
|
map_accounts = "${var.eks_map_accounts}"
|
|
manage_aws_auth = false
|
|
}
|
|
|
|
output "eks_cluster_id" {
|
|
value = "${module.eks.cluster_id}"
|
|
}
|
|
|
|
output "eks_cluster_name" {
|
|
value = "${module.eks.cluster_id}"
|
|
}
|
|
|
|
output "eks_cluster_security_group_id" {
|
|
value = "${module.eks.cluster_security_group_id}"
|
|
}
|
|
|
|
output "eks_worker_security_group_id" {
|
|
value = "${module.eks.worker_security_group_id}"
|
|
}
|
|
|
|
output "eks_cluster_endpoint" {
|
|
value = "${module.eks.cluster_endpoint}"
|
|
}
|
|
|
|
output "eks_cluster_certificate" {
|
|
value = "${module.eks.cluster_certificate_authority_data}"
|
|
}
|