diff --git a/docs/reference/services/app-orchestration/amazon-ecs-cluster.md b/docs/reference/services/app-orchestration/amazon-ecs-cluster.md index b03b9ba70..4c1397a12 100644 --- a/docs/reference/services/app-orchestration/amazon-ecs-cluster.md +++ b/docs/reference/services/app-orchestration/amazon-ecs-cluster.md @@ -16,11 +16,11 @@ import TabItem from '@theme/TabItem'; import VersionBadge from '../../../../src/components/VersionBadge.tsx'; import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../src/components/HclListItem.tsx'; - + # Amazon ECS Cluster -View Source +View Source Release Notes @@ -108,9 +108,9 @@ For info on finding your Docker container logs and custom metrics in CloudWatch, ### Repo organization -* [modules](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/modules): the main implementation code for this repo, broken down into multiple standalone, orthogonal submodules. -* [examples](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples): This folder contains working examples of how to use the submodules. -* [test](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/test): Automated tests for the modules and examples. +* [modules](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/modules): the main implementation code for this repo, broken down into multiple standalone, orthogonal submodules. +* [examples](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples): This folder contains working examples of how to use the submodules. +* [test](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/test): Automated tests for the modules and examples. ## Deploy @@ -118,7 +118,7 @@ For info on finding your Docker container logs and custom metrics in CloudWatch, If you just want to try this repo out for experimenting and learning, check out the following resources: -* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-learning-and-testing): The +* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-learning-and-testing): The `examples/for-learning-and-testing` folder contains standalone sample code optimized for learning, experimenting, and testing (but not direct production usage). @@ -126,7 +126,7 @@ If you just want to try this repo out for experimenting and learning, check out If you want to deploy this repo in production, check out the following resources: -* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-production): The `examples/for-production` folder contains sample code +* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-production): The `examples/for-production` folder contains sample code optimized for direct usage in production. This is code from the [Gruntwork Reference Architecture](https://gruntwork.io/reference-architecture), and it shows you how we build an end-to-end, integrated tech stack on top of the Gruntwork Service Catalog. @@ -153,7 +153,7 @@ For information on how to manage your ECS cluster, see the documentation in the module "ecs_cluster" { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/ecs-cluster?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/ecs-cluster?ref=v2.6.0" # ---------------------------------------------------------------------------------------------------- # REQUIRED VARIABLES @@ -287,10 +287,6 @@ module "ecs_cluster" { # Instances. Can be one of standard, gp2, gp3, io1, io2, sc1 or st1. cluster_instance_root_volume_type = "gp2" - # When set, name the IAM role for the ECS cluster using this variable. When - # null, the IAM role name will be derived from var.cluster_name. - custom_iam_role_name = null - # A list of custom tags to apply to the EC2 Instances in this ASG. Each item # in this list should be a map with the parameters key, value, and # propagate_at_launch. @@ -455,7 +451,7 @@ module "ecs_cluster" { # ------------------------------------------------------------------------------------------------------ terraform { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/ecs-cluster?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/ecs-cluster?ref=v2.6.0" } inputs = { @@ -592,10 +588,6 @@ inputs = { # Instances. Can be one of standard, gp2, gp3, io1, io2, sc1 or st1. cluster_instance_root_volume_type = "gp2" - # When set, name the IAM role for the ECS cluster using this variable. When - # null, the IAM role name will be derived from var.cluster_name. - custom_iam_role_name = null - # A list of custom tags to apply to the EC2 Instances in this ASG. Each item # in this list should be a map with the parameters key, value, and # propagate_at_launch. @@ -1050,15 +1042,6 @@ The volume type for the root volume for each of the ECS Cluster's EC2 Instances. - - - -When set, name the IAM role for the ECS cluster using this variable. When null, the IAM role name will be derived from cluster_name. - - - - - @@ -1501,11 +1484,11 @@ The CloudWatch Dashboard metric widget for the ECS cluster workers' Memory utili diff --git a/docs/reference/services/app-orchestration/amazon-ecs-fargate-cluster.md b/docs/reference/services/app-orchestration/amazon-ecs-fargate-cluster.md index 348fd0cba..9d58fc6ac 100644 --- a/docs/reference/services/app-orchestration/amazon-ecs-fargate-cluster.md +++ b/docs/reference/services/app-orchestration/amazon-ecs-fargate-cluster.md @@ -16,11 +16,11 @@ import TabItem from '@theme/TabItem'; import VersionBadge from '../../../../src/components/VersionBadge.tsx'; import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../src/components/HclListItem.tsx'; - + # Amazon ECS Fargate Cluster -View Source +View Source Release Notes @@ -64,9 +64,9 @@ To understand core concepts like what is ECS, and the different cluster types, s ### Repo organization -* [modules](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/modules): the main implementation code for this repo, broken down into multiple standalone, orthogonal submodules. -* [examples](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples): This folder contains working examples of how to use the submodules. -* [test](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/test): Automated tests for the modules and examples. +* [modules](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/modules): the main implementation code for this repo, broken down into multiple standalone, orthogonal submodules. +* [examples](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples): This folder contains working examples of how to use the submodules. +* [test](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/test): Automated tests for the modules and examples. ## Deploy @@ -74,7 +74,7 @@ To understand core concepts like what is ECS, and the different cluster types, s If you just want to try this repo out for experimenting and learning, check out the following resources: -* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-learning-and-testing): The +* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-learning-and-testing): The `examples/for-learning-and-testing` folder contains standalone sample code optimized for learning, experimenting, and testing (but not direct production usage). @@ -82,7 +82,7 @@ If you just want to try this repo out for experimenting and learning, check out If you want to deploy this repo in production, check out the following resources: -* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-production): The `examples/for-production` folder contains sample code +* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-production): The `examples/for-production` folder contains sample code optimized for direct usage in production. This is code from the [Gruntwork Reference Architecture](https://gruntwork.io/reference-architecture), and it shows you how we build an end-to-end, integrated tech stack on top of the Gruntwork Service Catalog. @@ -106,7 +106,7 @@ For information on how to manage your ECS cluster, see the documentation in the module "ecs_fargate_cluster" { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/ecs-fargate-cluster?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/ecs-fargate-cluster?ref=v2.6.0" # ---------------------------------------------------------------------------------------------------- # REQUIRED VARIABLES @@ -141,7 +141,7 @@ module "ecs_fargate_cluster" { # ------------------------------------------------------------------------------------------------------ terraform { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/ecs-fargate-cluster?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/ecs-fargate-cluster?ref=v2.6.0" } inputs = { @@ -251,11 +251,11 @@ The name of the ECS cluster. diff --git a/docs/reference/services/app-orchestration/amazon-ecs-service.md b/docs/reference/services/app-orchestration/amazon-ecs-service.md index cce468eae..8cdf16253 100644 --- a/docs/reference/services/app-orchestration/amazon-ecs-service.md +++ b/docs/reference/services/app-orchestration/amazon-ecs-service.md @@ -16,11 +16,11 @@ import TabItem from '@theme/TabItem'; import VersionBadge from '../../../../src/components/VersionBadge.tsx'; import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../src/components/HclListItem.tsx'; - + # Amazon ECS Service -View Source +View Source Release Notes @@ -63,10 +63,10 @@ more, see the documentation in the ### Repo organization -* [modules](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/modules): the main implementation code for this repo, broken down into multiple standalone, orthogonal +* [modules](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/modules): the main implementation code for this repo, broken down into multiple standalone, orthogonal submodules. -* [examples](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples): This folder contains working examples of how to use the submodules. -* [test](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/test): Automated tests for the modules and examples. +* [examples](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples): This folder contains working examples of how to use the submodules. +* [test](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/test): Automated tests for the modules and examples. ## Deploy @@ -74,14 +74,14 @@ more, see the documentation in the If you just want to try this repo out for experimenting and learning, check out the following resources: -* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-learning-and-testing): The +* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-learning-and-testing): The `examples/for-learning-and-testing` folder contains standalone sample code optimized for learning, experimenting, and testing (but not direct production usage). ### Production deployment If you want to deploy this repo in production, check out the following resources: -* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-production): The `examples/for-production` folder contains sample code +* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-production): The `examples/for-production` folder contains sample code optimized for direct usage in production. This is code from the [Gruntwork Reference Architecture](https://gruntwork.io/reference-architecture), and it shows you how we build an end-to-end, integrated tech stack on top of the Gruntwork Service Catalog. @@ -105,7 +105,7 @@ For information on how to manage your ECS service, see the documentation in the module "ecs_service" { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/ecs-service?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/ecs-service?ref=v2.6.0" # ---------------------------------------------------------------------------------------------------- # REQUIRED VARIABLES @@ -637,7 +637,7 @@ module "ecs_service" { # ------------------------------------------------------------------------------------------------------ terraform { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/ecs-service?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/ecs-service?ref=v2.6.0" } inputs = { @@ -3028,11 +3028,11 @@ The names of the ECS service's load balancer's target groups diff --git a/docs/reference/services/app-orchestration/amazon-eks-core-services.md b/docs/reference/services/app-orchestration/amazon-eks-core-services.md index 484dedc15..01b493d57 100644 --- a/docs/reference/services/app-orchestration/amazon-eks-core-services.md +++ b/docs/reference/services/app-orchestration/amazon-eks-core-services.md @@ -16,11 +16,11 @@ import TabItem from '@theme/TabItem'; import VersionBadge from '../../../../src/components/VersionBadge.tsx'; import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../src/components/HclListItem.tsx'; - + # Amazon EKS Core Services -View Source +View Source Release Notes @@ -68,9 +68,9 @@ For information on each of the core services deployed by this service, see the d ### Repo organization -* [modules](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/modules): the main implementation code for this repo, broken down into multiple standalone, orthogonal submodules. -* [examples](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples): This folder contains working examples of how to use the submodules. -* [test](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/test): Automated tests for the modules and examples. +* [modules](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/modules): the main implementation code for this repo, broken down into multiple standalone, orthogonal submodules. +* [examples](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples): This folder contains working examples of how to use the submodules. +* [test](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/test): Automated tests for the modules and examples. ## Deploy @@ -78,7 +78,7 @@ For information on each of the core services deployed by this service, see the d If you just want to try this repo out for experimenting and learning, check out the following resources: -* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-learning-and-testing): The +* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-learning-and-testing): The `examples/for-learning-and-testing` folder contains standalone sample code optimized for learning, experimenting, and testing (but not direct production usage). @@ -86,7 +86,7 @@ If you just want to try this repo out for experimenting and learning, check out If you want to deploy this repo in production, check out the following resources: -* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-production): The `examples/for-production` folder contains sample code +* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-production): The `examples/for-production` folder contains sample code optimized for direct usage in production. This is code from the [Gruntwork Reference Architecture](https://gruntwork.io/reference-architecture), and it shows you how we build an end-to-end, integrated tech stack on top of the Gruntwork Service Catalog. @@ -108,7 +108,7 @@ If you want to deploy this repo in production, check out the following resources module "eks_core_services" { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/eks-core-services?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/eks-core-services?ref=v2.6.0" # ---------------------------------------------------------------------------------------------------- # REQUIRED VARIABLES @@ -149,60 +149,17 @@ module "eks_core_services" { # OPTIONAL VARIABLES # ---------------------------------------------------------------------------------------------------- - # Labels to add to each object of the chart. - alb_ingress_controller_additional_labels = {} - # ARN of IAM Role to assume to create and control ALB's. This is useful if # your VPC is shared from another account and needs to be created somewhere # else. alb_ingress_controller_alb_iam_role_arn = null - # Custom AWS API endpoints (serviceID1=URL1,serviceID2=URL2). - alb_ingress_controller_aws_api_endpoints = null - - # Custom AWS API throttle settings (serviceID1:operationRegex1=rate:burst). - alb_ingress_controller_aws_api_throttle = null - - # Maximum retries for AWS APIs. - alb_ingress_controller_aws_max_retries = null - - # Backend security group ID. If empty, controller will auto-create one. - alb_ingress_controller_backend_security_group = null - # The version of the aws-load-balancer-controller helmchart to use. alb_ingress_controller_chart_version = "1.4.1" - # Configurations specific to the kubernetes cluster. - alb_ingress_controller_cluster = {"dnsDomain":"cluster.local"} - - # RBAC permissions configuration for secret resources. - alb_ingress_controller_cluster_secrets_permissions = null - - # Whether to configure default anti-affinity to prevent co-location on the - # same node. Ignored if custom affinity is set. - alb_ingress_controller_configure_default_affinity = true - - # Whether to create the IngressClass resource. - alb_ingress_controller_create_ingress_class_resource = true - - # Default SSL policy to use for TLS/HTTPS listeners. - alb_ingress_controller_default_ssl_policy = null - # Tags to apply to all AWS resources managed by this controller alb_ingress_controller_default_tags = {} - # Annotations for the controller deployment. - alb_ingress_controller_deployment_annotations = {} - - # Disables the usage of kubernetes.io/ingress.class annotation. - alb_ingress_controller_disable_ingress_class_annotation = null - - # Disables the usage of alb.ingress.kubernetes.io/group.name annotation. - alb_ingress_controller_disable_ingress_group_name_annotation = null - - # The dnsPolicy for pods in the deployment. - alb_ingress_controller_dns_policy = null - # The repository of the aws-load-balancer-controller docker image that should # be deployed. alb_ingress_controller_docker_image_repo = "602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-load-balancer-controller" @@ -220,54 +177,6 @@ module "eks_core_services" { # The key is the tag name and the value is the tag value. alb_ingress_controller_eks_fargate_profile_tags = {} - # Enable shared security group for backend traffic. - alb_ingress_controller_enable_backend_security_group = null - - # Enable cert-manager for webhook TLS certificates. - alb_ingress_controller_enable_cert_manager = false - - # Enable k8s EndpointSlices for IP targets instead of Endpoints. - alb_ingress_controller_enable_endpoint_slices = null - - # Whether targetHealth readiness gate will get injected to the pod spec for - # matching endpoint pods. - alb_ingress_controller_enable_pod_readiness_gate_inject = null - - # Enables restricted Security Group rules for the load balancers managed by - # the controller. - alb_ingress_controller_enable_restricted_sg_rules = false - - # Enable Shield addon for ALB. - alb_ingress_controller_enable_shield = null - - # Enable WAF addon for ALB. - alb_ingress_controller_enable_waf = null - - # Enable WAF V2 addon for ALB. - alb_ingress_controller_enable_wafv2 = null - - # Environment variables to set for the controller pod. - alb_ingress_controller_env = {} - - # List of tag keys on AWS resources that will be managed externally. - alb_ingress_controller_external_managed_tags = [] - - # Additional volume mounts for the controller container. - alb_ingress_controller_extra_volume_mounts = [] - - # Additional volumes for the controller pod. - alb_ingress_controller_extra_volumes = [] - - # Feature gates to enable or disable on the AWS Load Balancer Controller. Each - # key is a feature gate name and the value is a boolean. - alb_ingress_controller_feature_gates = {} - - # Override the full name of the chart. - alb_ingress_controller_full_name_override = "" - - # Whether the controller should be started in hostNetwork mode. - alb_ingress_controller_host_network = false - # A map of custom tags to apply to the Controller IAM Policies if enabled. The # key is the tag name and the value is the tag value. alb_ingress_controller_iam_policy_tags = {} @@ -276,48 +185,6 @@ module "eks_core_services" { # is the tag name and the value is the tag value. alb_ingress_controller_iam_role_tags = {} - # The image pull policy for the controller Docker image. - alb_ingress_controller_image_pull_policy = "IfNotPresent" - - # List of image pull secret names for the controller Pod. - alb_ingress_controller_image_pull_secrets = [] - - # The ingress class this controller will satisfy. - alb_ingress_controller_ingress_class = "alb" - - # Configurations specific to the ingress class. - alb_ingress_controller_ingress_class_config = null - - # IngressClassParams that enforce settings for a set of Ingresses. - alb_ingress_controller_ingress_class_params = {"create":true,"name":null,"spec":{}} - - # Maximum number of concurrently running reconcile loops for ingress. - alb_ingress_controller_ingress_max_concurrent_reconciles = null - - # Whether to reuse existing TLS secret for chart upgrade. - alb_ingress_controller_keep_tls_secret = true - - # Liveness probe configuration for the controller. - alb_ingress_controller_liveness_probe = {"failureThreshold":2,"httpGet":{"path":"/healthz","port":61779,"scheme":"HTTP"},"initialDelaySeconds":30,"timeoutSeconds":10} - - # Set the controller log level (info, debug). - alb_ingress_controller_log_level = null - - # The address the metric endpoint binds to. - alb_ingress_controller_metrics_bind_addr = "" - - # Override the name of the chart. - alb_ingress_controller_name_override = "" - - # Node selector for the controller Pod. - alb_ingress_controller_node_selector = {} - - # Object selector for webhook. - alb_ingress_controller_object_selector = null - - # Pod disruption budget configuration for the controller pods. - alb_ingress_controller_pod_disruption_budget = {} - # Configure affinity rules for the ALB Ingress Controller Pod to control which # nodes to schedule on. Each item in the list should be a map with the keys # `key`, `values`, and `operator`, corresponding to the 3 properties of @@ -325,75 +192,11 @@ module "eks_core_services" { # the node. alb_ingress_controller_pod_node_affinity = [] - # Number of replicas of the ingress controller Pod to deploy. - alb_ingress_controller_pod_replica_count = 1 - - # Security context for the controller Pod. - alb_ingress_controller_pod_security_context = {"fsGroup":65534} - # Configure tolerations rules to allow the ALB Ingress Controller Pod to # schedule on nodes that have been tainted. Each item in the list specifies a # toleration rule. alb_ingress_controller_pod_tolerations = [] - # PriorityClass to indicate the importance of controller pods. - alb_ingress_controller_priority_class_name = "system-cluster-critical" - - # CPU and memory resource requests and limits for the controller Pod. - alb_ingress_controller_resources = {} - - # Security context for the controller container. - alb_ingress_controller_security_context = {"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true} - - # Automount API credentials for the service account. - alb_ingress_controller_service_account_automount_token = true - - # List of image pull secrets to add to the service account. - alb_ingress_controller_service_account_image_pull_secrets = [] - - # Annotations to add to the webhook service resource. - alb_ingress_controller_service_annotations = {} - - # Maximum number of concurrently running reconcile loops for service. - alb_ingress_controller_service_max_concurrent_reconciles = null - - # ServiceMonitor configuration for Prometheus. - alb_ingress_controller_service_monitor = null - - # Period at which the controller forces the repopulation of its local object - # stores. - alb_ingress_controller_sync_period = null - - # Maximum number of concurrently running reconcile loops for - # targetGroupBinding. - alb_ingress_controller_targetgroup_binding_max_concurrent_reconciles = null - - # Maximum duration of exponential backoff for targetGroupBinding reconcile - # failures. - alb_ingress_controller_targetgroup_binding_max_exponential_backoff_delay = null - - # Time period for the controller pod to do a graceful shutdown. - alb_ingress_controller_termination_grace_period_seconds = 10 - - # Topology spread constraints for the controller Pod. - alb_ingress_controller_topology_spread_constraints = {} - - # Update strategy for the controller deployment. - alb_ingress_controller_update_strategy = {} - - # Namespace the controller watches for updates to Kubernetes objects. If - # empty, all namespaces are watched. - alb_ingress_controller_watch_namespace = null - - # The TCP port the Webhook server binds to. - alb_ingress_controller_webhook_bind_port = null - - # Array of namespace selectors for the webhook. - alb_ingress_controller_webhook_namespace_selectors = null - - # TLS cert/key for the webhook. - alb_ingress_controller_webhook_tls = null - # Minimum time to wait after a scale up event before any node is considered # for scale down. autoscaler_down_delay_after_add = "10m" @@ -470,7 +273,7 @@ module "eks_core_services" { # The version of the cluster-autoscaler helm chart to deploy. Note that this # is different from the app/container version, which is sepecified with # var.cluster_autoscaler_version. - cluster_autoscaler_chart_version = "9.56.0" + cluster_autoscaler_chart_version = "9.46.6" # Map of extra arguments to pass to the container. cluster_autoscaler_container_extra_args = {} @@ -539,7 +342,7 @@ module "eks_core_services" { # major/minor version (e.g., v1.20) of your Kubernetes Installation. See # https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler#releases # for a list of versions. - cluster_autoscaler_version = "v1.34.0" + cluster_autoscaler_version = "v1.32.0" # When set to true, create a new dedicated IAM Role for the cluster # autoscaler. When set to true, var.iam_role_for_service_accounts_config is @@ -904,10 +707,20 @@ module "eks_core_services" { # use short-lived authentication tokens that can expire in the middle of an # 'apply' or 'destroy', and since the native Kubernetes provider in Terraform # doesn't have a way to fetch up-to-date tokens, we recommend using an - # exec-based provider as a workaround. The aws CLI is used to fetch tokens, - # and must be installed and on your PATH. + # exec-based provider as a workaround. Use the use_kubergrunt_to_fetch_token + # input variable to control whether kubergrunt or aws is used to fetch tokens. use_exec_plugin_for_auth = true + # EKS clusters use short-lived authentication tokens that can expire in the + # middle of an 'apply' or 'destroy'. To avoid this issue, we use an exec-based + # plugin to fetch an up-to-date token. If this variable is set to true, we'll + # use kubergrunt to fetch the token (in which case, kubergrunt must be + # installed and on PATH); if this variable is set to false, we'll use the aws + # CLI to fetch the token (in which case, aws must be installed and on PATH). + # Note this functionality is only enabled if use_exec_plugin_for_auth is set + # to true. + use_kubergrunt_to_fetch_token = true + # When true, all IAM policies will be managed as dedicated policies rather # than inline policies attached to the IAM roles. Dedicated managed policies # are friendlier to automated policy checkers, which may scan a single @@ -930,7 +743,7 @@ module "eks_core_services" { # ------------------------------------------------------------------------------------------------------ terraform { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/eks-core-services?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/eks-core-services?ref=v2.6.0" } inputs = { @@ -974,60 +787,17 @@ inputs = { # OPTIONAL VARIABLES # ---------------------------------------------------------------------------------------------------- - # Labels to add to each object of the chart. - alb_ingress_controller_additional_labels = {} - # ARN of IAM Role to assume to create and control ALB's. This is useful if # your VPC is shared from another account and needs to be created somewhere # else. alb_ingress_controller_alb_iam_role_arn = null - # Custom AWS API endpoints (serviceID1=URL1,serviceID2=URL2). - alb_ingress_controller_aws_api_endpoints = null - - # Custom AWS API throttle settings (serviceID1:operationRegex1=rate:burst). - alb_ingress_controller_aws_api_throttle = null - - # Maximum retries for AWS APIs. - alb_ingress_controller_aws_max_retries = null - - # Backend security group ID. If empty, controller will auto-create one. - alb_ingress_controller_backend_security_group = null - # The version of the aws-load-balancer-controller helmchart to use. alb_ingress_controller_chart_version = "1.4.1" - # Configurations specific to the kubernetes cluster. - alb_ingress_controller_cluster = {"dnsDomain":"cluster.local"} - - # RBAC permissions configuration for secret resources. - alb_ingress_controller_cluster_secrets_permissions = null - - # Whether to configure default anti-affinity to prevent co-location on the - # same node. Ignored if custom affinity is set. - alb_ingress_controller_configure_default_affinity = true - - # Whether to create the IngressClass resource. - alb_ingress_controller_create_ingress_class_resource = true - - # Default SSL policy to use for TLS/HTTPS listeners. - alb_ingress_controller_default_ssl_policy = null - # Tags to apply to all AWS resources managed by this controller alb_ingress_controller_default_tags = {} - # Annotations for the controller deployment. - alb_ingress_controller_deployment_annotations = {} - - # Disables the usage of kubernetes.io/ingress.class annotation. - alb_ingress_controller_disable_ingress_class_annotation = null - - # Disables the usage of alb.ingress.kubernetes.io/group.name annotation. - alb_ingress_controller_disable_ingress_group_name_annotation = null - - # The dnsPolicy for pods in the deployment. - alb_ingress_controller_dns_policy = null - # The repository of the aws-load-balancer-controller docker image that should # be deployed. alb_ingress_controller_docker_image_repo = "602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-load-balancer-controller" @@ -1045,54 +815,6 @@ inputs = { # The key is the tag name and the value is the tag value. alb_ingress_controller_eks_fargate_profile_tags = {} - # Enable shared security group for backend traffic. - alb_ingress_controller_enable_backend_security_group = null - - # Enable cert-manager for webhook TLS certificates. - alb_ingress_controller_enable_cert_manager = false - - # Enable k8s EndpointSlices for IP targets instead of Endpoints. - alb_ingress_controller_enable_endpoint_slices = null - - # Whether targetHealth readiness gate will get injected to the pod spec for - # matching endpoint pods. - alb_ingress_controller_enable_pod_readiness_gate_inject = null - - # Enables restricted Security Group rules for the load balancers managed by - # the controller. - alb_ingress_controller_enable_restricted_sg_rules = false - - # Enable Shield addon for ALB. - alb_ingress_controller_enable_shield = null - - # Enable WAF addon for ALB. - alb_ingress_controller_enable_waf = null - - # Enable WAF V2 addon for ALB. - alb_ingress_controller_enable_wafv2 = null - - # Environment variables to set for the controller pod. - alb_ingress_controller_env = {} - - # List of tag keys on AWS resources that will be managed externally. - alb_ingress_controller_external_managed_tags = [] - - # Additional volume mounts for the controller container. - alb_ingress_controller_extra_volume_mounts = [] - - # Additional volumes for the controller pod. - alb_ingress_controller_extra_volumes = [] - - # Feature gates to enable or disable on the AWS Load Balancer Controller. Each - # key is a feature gate name and the value is a boolean. - alb_ingress_controller_feature_gates = {} - - # Override the full name of the chart. - alb_ingress_controller_full_name_override = "" - - # Whether the controller should be started in hostNetwork mode. - alb_ingress_controller_host_network = false - # A map of custom tags to apply to the Controller IAM Policies if enabled. The # key is the tag name and the value is the tag value. alb_ingress_controller_iam_policy_tags = {} @@ -1101,48 +823,6 @@ inputs = { # is the tag name and the value is the tag value. alb_ingress_controller_iam_role_tags = {} - # The image pull policy for the controller Docker image. - alb_ingress_controller_image_pull_policy = "IfNotPresent" - - # List of image pull secret names for the controller Pod. - alb_ingress_controller_image_pull_secrets = [] - - # The ingress class this controller will satisfy. - alb_ingress_controller_ingress_class = "alb" - - # Configurations specific to the ingress class. - alb_ingress_controller_ingress_class_config = null - - # IngressClassParams that enforce settings for a set of Ingresses. - alb_ingress_controller_ingress_class_params = {"create":true,"name":null,"spec":{}} - - # Maximum number of concurrently running reconcile loops for ingress. - alb_ingress_controller_ingress_max_concurrent_reconciles = null - - # Whether to reuse existing TLS secret for chart upgrade. - alb_ingress_controller_keep_tls_secret = true - - # Liveness probe configuration for the controller. - alb_ingress_controller_liveness_probe = {"failureThreshold":2,"httpGet":{"path":"/healthz","port":61779,"scheme":"HTTP"},"initialDelaySeconds":30,"timeoutSeconds":10} - - # Set the controller log level (info, debug). - alb_ingress_controller_log_level = null - - # The address the metric endpoint binds to. - alb_ingress_controller_metrics_bind_addr = "" - - # Override the name of the chart. - alb_ingress_controller_name_override = "" - - # Node selector for the controller Pod. - alb_ingress_controller_node_selector = {} - - # Object selector for webhook. - alb_ingress_controller_object_selector = null - - # Pod disruption budget configuration for the controller pods. - alb_ingress_controller_pod_disruption_budget = {} - # Configure affinity rules for the ALB Ingress Controller Pod to control which # nodes to schedule on. Each item in the list should be a map with the keys # `key`, `values`, and `operator`, corresponding to the 3 properties of @@ -1150,75 +830,11 @@ inputs = { # the node. alb_ingress_controller_pod_node_affinity = [] - # Number of replicas of the ingress controller Pod to deploy. - alb_ingress_controller_pod_replica_count = 1 - - # Security context for the controller Pod. - alb_ingress_controller_pod_security_context = {"fsGroup":65534} - # Configure tolerations rules to allow the ALB Ingress Controller Pod to # schedule on nodes that have been tainted. Each item in the list specifies a # toleration rule. alb_ingress_controller_pod_tolerations = [] - # PriorityClass to indicate the importance of controller pods. - alb_ingress_controller_priority_class_name = "system-cluster-critical" - - # CPU and memory resource requests and limits for the controller Pod. - alb_ingress_controller_resources = {} - - # Security context for the controller container. - alb_ingress_controller_security_context = {"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true} - - # Automount API credentials for the service account. - alb_ingress_controller_service_account_automount_token = true - - # List of image pull secrets to add to the service account. - alb_ingress_controller_service_account_image_pull_secrets = [] - - # Annotations to add to the webhook service resource. - alb_ingress_controller_service_annotations = {} - - # Maximum number of concurrently running reconcile loops for service. - alb_ingress_controller_service_max_concurrent_reconciles = null - - # ServiceMonitor configuration for Prometheus. - alb_ingress_controller_service_monitor = null - - # Period at which the controller forces the repopulation of its local object - # stores. - alb_ingress_controller_sync_period = null - - # Maximum number of concurrently running reconcile loops for - # targetGroupBinding. - alb_ingress_controller_targetgroup_binding_max_concurrent_reconciles = null - - # Maximum duration of exponential backoff for targetGroupBinding reconcile - # failures. - alb_ingress_controller_targetgroup_binding_max_exponential_backoff_delay = null - - # Time period for the controller pod to do a graceful shutdown. - alb_ingress_controller_termination_grace_period_seconds = 10 - - # Topology spread constraints for the controller Pod. - alb_ingress_controller_topology_spread_constraints = {} - - # Update strategy for the controller deployment. - alb_ingress_controller_update_strategy = {} - - # Namespace the controller watches for updates to Kubernetes objects. If - # empty, all namespaces are watched. - alb_ingress_controller_watch_namespace = null - - # The TCP port the Webhook server binds to. - alb_ingress_controller_webhook_bind_port = null - - # Array of namespace selectors for the webhook. - alb_ingress_controller_webhook_namespace_selectors = null - - # TLS cert/key for the webhook. - alb_ingress_controller_webhook_tls = null - # Minimum time to wait after a scale up event before any node is considered # for scale down. autoscaler_down_delay_after_add = "10m" @@ -1295,7 +911,7 @@ inputs = { # The version of the cluster-autoscaler helm chart to deploy. Note that this # is different from the app/container version, which is sepecified with # var.cluster_autoscaler_version. - cluster_autoscaler_chart_version = "9.56.0" + cluster_autoscaler_chart_version = "9.46.6" # Map of extra arguments to pass to the container. cluster_autoscaler_container_extra_args = {} @@ -1364,7 +980,7 @@ inputs = { # major/minor version (e.g., v1.20) of your Kubernetes Installation. See # https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler#releases # for a list of versions. - cluster_autoscaler_version = "v1.34.0" + cluster_autoscaler_version = "v1.32.0" # When set to true, create a new dedicated IAM Role for the cluster # autoscaler. When set to true, var.iam_role_for_service_accounts_config is @@ -1710,1047 +1326,299 @@ inputs = { schedule_alb_ingress_controller_on_fargate = false # When true, the cluster autoscaler pods will be scheduled on Fargate. It is - # recommended to run the cluster autoscaler on Fargate to avoid the autoscaler - # scaling down a node where it is running (and thus shutting itself down - # during a scale down event). However, since Fargate is only supported on a - # handful of regions, we don't default to true here. - schedule_cluster_autoscaler_on_fargate = false - - # When true, the external-dns pods will be scheduled on Fargate. - schedule_external_dns_on_fargate = false - - # Configure Kubernetes Services to lookup external DNS records. This can be - # useful to bind friendly internal service names to domains (e.g. the RDS - # database endpoint). - service_dns_mappings = {} - - # If this variable is set to true, then use an exec-based plugin to - # authenticate and fetch tokens for EKS. This is useful because EKS clusters - # use short-lived authentication tokens that can expire in the middle of an - # 'apply' or 'destroy', and since the native Kubernetes provider in Terraform - # doesn't have a way to fetch up-to-date tokens, we recommend using an - # exec-based provider as a workaround. The aws CLI is used to fetch tokens, - # and must be installed and on your PATH. - use_exec_plugin_for_auth = true - - # When true, all IAM policies will be managed as dedicated policies rather - # than inline policies attached to the IAM roles. Dedicated managed policies - # are friendlier to automated policy checkers, which may scan a single - # resource for findings. As such, it is important to avoid inline policies - # when targeting compliance with various security standards. - use_managed_iam_policies = true - -} - - -``` - - - - - - -## Reference - - - - - -### Required - - - - -The AWS region in which all resources will be created - - - - - - - -The name of the EKS cluster where the core services will be deployed into. - - - - - - - -Configuration for using the IAM role with Service Accounts feature to provide permissions to the applications. This expects a map with two properties: `openid_connect_provider_arn` and `openid_connect_provider_url`. The `openid_connect_provider_arn` is the ARN of the OpenID Connect Provider for EKS to retrieve IAM credentials, while `openid_connect_provider_url` is the URL. Set to null if you do not wish to use IAM role with Service Accounts. - - - - -```hcl -object({ - openid_connect_provider_arn = string - openid_connect_provider_url = string - }) -``` - - - - - - - -ARN of IAM Role to use as the Pod execution role for Fargate. Required if any of the services are being scheduled on Fargate. Set to null if none of the Pods are being scheduled on Fargate. - - - - - - - -The ID of the VPC where the EKS cluster is deployed. - - - - - - - -The subnet IDs to use for EKS worker nodes. Used when provisioning Pods on to Fargate. Required if any of the services are being scheduled on Fargate. Set to empty list if none of the Pods are being scheduled on Fargate. - - - - -### Optional - - - - -Labels to add to each object of the chart. - - - - - - - - -ARN of IAM Role to assume to create and control ALB's. This is useful if your VPC is shared from another account and needs to be created somewhere else. - - - - - - - - -Custom AWS API endpoints (serviceID1=URL1,serviceID2=URL2). - - - - - - - - -Custom AWS API throttle settings (serviceID1:operationRegex1=rate:burst). - - - - - - - - -Maximum retries for AWS APIs. - - - - - - - - -Backend security group ID. If empty, controller will auto-create one. - - - - - - - - -The version of the aws-load-balancer-controller helmchart to use. - - - - - - - - -Configurations specific to the kubernetes cluster. - - - - -```hcl -Any types represent complex values of variable type. For details, please consult `variables.tf` in the source repo. -``` - - - - -```hcl -{ - dnsDomain = "cluster.local" -} -``` - - - - - - - -RBAC permissions configuration for secret resources. - - - - -```hcl -Any types represent complex values of variable type. For details, please consult `variables.tf` in the source repo. -``` - - - - - - - - -Whether to configure default anti-affinity to prevent co-location on the same node. Ignored if custom affinity is set. - - - - - - - - -Whether to create the IngressClass resource. - - - - - - - - -Default SSL policy to use for TLS/HTTPS listeners. - - - - - - - - -Tags to apply to all AWS resources managed by this controller - - - - - - - - -Annotations for the controller deployment. - - - - - - - - -Disables the usage of kubernetes.io/ingress.class annotation. - - - - - - - - -Disables the usage of alb.ingress.kubernetes.io/group.name annotation. - - - - - - - - -The dnsPolicy for pods in the deployment. - - - - - - - - -The repository of the aws-load-balancer-controller docker image that should be deployed. - - - - - - - - -The tag of the aws-load-balancer-controller docker image that should be deployed. - - - - - - - - -A map of custom tags to apply to the Controller Fargate Profile IAM Execution Role if enabled. The key is the tag name and the value is the tag value. - - - - - - - - -A map of custom tags to apply to the Controller Fargate Profile if enabled. The key is the tag name and the value is the tag value. - - - - - - - - -Enable shared security group for backend traffic. - - - - - - - - -Enable cert-manager for webhook TLS certificates. - - - - - - - - -Enable k8s EndpointSlices for IP targets instead of Endpoints. - - - - - - - - -Whether targetHealth readiness gate will get injected to the pod spec for matching endpoint pods. - - - - - - - - -Enables restricted Security Group rules for the load balancers managed by the controller. - - - - - - - - -Enable Shield addon for ALB. - - - - - - - - -Enable WAF addon for ALB. - - - - - - - - -Enable WAF V2 addon for ALB. - - - - - - - - -Environment variables to set for the controller pod. - - - - -```hcl -Any types represent complex values of variable type. For details, please consult `variables.tf` in the source repo. -``` - - - - - - - - -List of tag keys on AWS resources that will be managed externally. - - - - - - - - -Additional volume mounts for the controller container. - - - - -```hcl -Any types represent complex values of variable type. For details, please consult `variables.tf` in the source repo. -``` - - - - - - - - -Additional volumes for the controller pod. - - - - -```hcl -Any types represent complex values of variable type. For details, please consult `variables.tf` in the source repo. -``` - - - - - - - - -Feature gates to enable or disable on the AWS Load Balancer Controller. Each key is a feature gate name and the value is a boolean. - - - - - - - - -Override the full name of the chart. - - - - - - - - -Whether the controller should be started in hostNetwork mode. - - - - - - - - -A map of custom tags to apply to the Controller IAM Policies if enabled. The key is the tag name and the value is the tag value. - - - - - - - - -A map of custom tags to apply to the Controller IAM Role if enabled. The key is the tag name and the value is the tag value. - - - - - - - - -The image pull policy for the controller Docker image. - - - - - - - - -List of image pull secret names for the controller Pod. - - - - -```hcl -Any types represent complex values of variable type. For details, please consult `variables.tf` in the source repo. -``` - - - - - - - - -The ingress class this controller will satisfy. - - - - - - - - -Configurations specific to the ingress class. - - - - -```hcl -Any types represent complex values of variable type. For details, please consult `variables.tf` in the source repo. -``` - - - - - - - - -IngressClassParams that enforce settings for a set of Ingresses. - - - - -```hcl -Any types represent complex values of variable type. For details, please consult `variables.tf` in the source repo. -``` - - - - -```hcl -{ - create = true, - name = null, - spec = {} -} -``` - - - - - - - -Maximum number of concurrently running reconcile loops for ingress. - - - - - - - - -Whether to reuse existing TLS secret for chart upgrade. - - - - - - - - -Liveness probe configuration for the controller. - - - - -```hcl -Any types represent complex values of variable type. For details, please consult `variables.tf` in the source repo. -``` - - - - -```hcl -{ - failureThreshold = 2, - httpGet = { - path = "/healthz", - port = 61779, - scheme = "HTTP" - }, - initialDelaySeconds = 30, - timeoutSeconds = 10 -} -``` - - - - - - - -Set the controller log level (info, debug). - - - - - - - - -The address the metric endpoint binds to. - - - - - - - - -Override the name of the chart. - - - - - - - - -Node selector for the controller Pod. - - - - - - - - -Object selector for webhook. - - - - -```hcl -Any types represent complex values of variable type. For details, please consult `variables.tf` in the source repo. -``` - - - - - - - - -Pod disruption budget configuration for the controller pods. - - - - -```hcl -Any types represent complex values of variable type. For details, please consult `variables.tf` in the source repo. -``` - - - - - - - - -Configure affinity rules for the ALB Ingress Controller Pod to control which nodes to schedule on. Each item in the list should be a map with the keys `key`, `values`, and `operator`, corresponding to the 3 properties of matchExpressions. Note that all expressions must be satisfied to schedule on the node. - - - - -```hcl -list(object({ - key = string - values = list(string) - operator = string - })) -``` - - - - -
- - -```hcl - - Each item in the list represents a matchExpression for requiredDuringSchedulingIgnoredDuringExecution. - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/affinity-and-anti-affinity for the various - configuration option. - - Example: - - [ - { - "key" = "node-label-key" - "values" = ["node-label-value", "another-node-label-value"] - "operator" = "In" - } - ] - - Translates to: - - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: node-label-key - operator: In - values: - - node-label-value - - another-node-label-value - -``` -
- - - - - - + # recommended to run the cluster autoscaler on Fargate to avoid the autoscaler + # scaling down a node where it is running (and thus shutting itself down + # during a scale down event). However, since Fargate is only supported on a + # handful of regions, we don't default to true here. + schedule_cluster_autoscaler_on_fargate = false -Number of replicas of the ingress controller Pod to deploy. + # When true, the external-dns pods will be scheduled on Fargate. + schedule_external_dns_on_fargate = false - - - + # Configure Kubernetes Services to lookup external DNS records. This can be + # useful to bind friendly internal service names to domains (e.g. the RDS + # database endpoint). + service_dns_mappings = {} - - + # If this variable is set to true, then use an exec-based plugin to + # authenticate and fetch tokens for EKS. This is useful because EKS clusters + # use short-lived authentication tokens that can expire in the middle of an + # 'apply' or 'destroy', and since the native Kubernetes provider in Terraform + # doesn't have a way to fetch up-to-date tokens, we recommend using an + # exec-based provider as a workaround. Use the use_kubergrunt_to_fetch_token + # input variable to control whether kubergrunt or aws is used to fetch tokens. + use_exec_plugin_for_auth = true -Security context for the controller Pod. + # EKS clusters use short-lived authentication tokens that can expire in the + # middle of an 'apply' or 'destroy'. To avoid this issue, we use an exec-based + # plugin to fetch an up-to-date token. If this variable is set to true, we'll + # use kubergrunt to fetch the token (in which case, kubergrunt must be + # installed and on PATH); if this variable is set to false, we'll use the aws + # CLI to fetch the token (in which case, aws must be installed and on PATH). + # Note this functionality is only enabled if use_exec_plugin_for_auth is set + # to true. + use_kubergrunt_to_fetch_token = true - - + # When true, all IAM policies will be managed as dedicated policies rather + # than inline policies attached to the IAM roles. Dedicated managed policies + # are friendlier to automated policy checkers, which may scan a single + # resource for findings. As such, it is important to avoid inline policies + # when targeting compliance with various security standards. + use_managed_iam_policies = true -```hcl -Any types represent complex values of variable type. For details, please consult `variables.tf` in the source repo. -``` +} - - -```hcl -{ - fsGroup = 65534 -} ``` - - - - - + + -Configure tolerations rules to allow the ALB Ingress Controller Pod to schedule on nodes that have been tainted. Each item in the list specifies a toleration rule. - - -```hcl -list(map(any)) -``` +## Reference - - - -
+ + -```hcl +### Required - Each item in the list represents a particular toleration. See - https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ for the various rules you can specify. - - Example: - - [ - { - key = "node.kubernetes.io/unreachable" - operator = "Exists" - effect = "NoExecute" - tolerationSeconds = 6000 - } - ] + + -``` -
+The AWS region in which all resources will be created - + - + -PriorityClass to indicate the importance of controller pods. +The name of the EKS cluster where the core services will be deployed into. - - + -CPU and memory resource requests and limits for the controller Pod. +Configuration for using the IAM role with Service Accounts feature to provide permissions to the applications. This expects a map with two properties: `openid_connect_provider_arn` and `openid_connect_provider_url`. The `openid_connect_provider_arn` is the ARN of the OpenID Connect Provider for EKS to retrieve IAM credentials, while `openid_connect_provider_url` is the URL. Set to null if you do not wish to use IAM role with Service Accounts. ```hcl -Any types represent complex values of variable type. For details, please consult `variables.tf` in the source repo. +object({ + openid_connect_provider_arn = string + openid_connect_provider_url = string + }) ``` - - + -Security context for the controller container. +ARN of IAM Role to use as the Pod execution role for Fargate. Required if any of the services are being scheduled on Fargate. Set to null if none of the Pods are being scheduled on Fargate. - - -```hcl -Any types represent complex values of variable type. For details, please consult `variables.tf` in the source repo. -``` + - - + + -```hcl -{ - allowPrivilegeEscalation = false, - readOnlyRootFilesystem = true, - runAsNonRoot = true -} -``` +The ID of the VPC where the EKS cluster is deployed. - + - + -Automount API credentials for the service account. +The subnet IDs to use for EKS worker nodes. Used when provisioning Pods on to Fargate. Required if any of the services are being scheduled on Fargate. Set to empty list if none of the Pods are being scheduled on Fargate. - - +### Optional + + -List of image pull secrets to add to the service account. +ARN of IAM Role to assume to create and control ALB's. This is useful if your VPC is shared from another account and needs to be created somewhere else. - - -```hcl -Any types represent complex values of variable type. For details, please consult `variables.tf` in the source repo. -``` - - - + - + -Annotations to add to the webhook service resource. +The version of the aws-load-balancer-controller helmchart to use. - + - + -Maximum number of concurrently running reconcile loops for service. +Tags to apply to all AWS resources managed by this controller - + - + -ServiceMonitor configuration for Prometheus. +The repository of the aws-load-balancer-controller docker image that should be deployed. - - -```hcl -Any types represent complex values of variable type. For details, please consult `variables.tf` in the source repo. -``` - - - + - + -Period at which the controller forces the repopulation of its local object stores. +The tag of the aws-load-balancer-controller docker image that should be deployed. - + - + -Maximum number of concurrently running reconcile loops for targetGroupBinding. +A map of custom tags to apply to the Controller Fargate Profile IAM Execution Role if enabled. The key is the tag name and the value is the tag value. - + - + -Maximum duration of exponential backoff for targetGroupBinding reconcile failures. +A map of custom tags to apply to the Controller Fargate Profile if enabled. The key is the tag name and the value is the tag value. - + - + -Time period for the controller pod to do a graceful shutdown. +A map of custom tags to apply to the Controller IAM Policies if enabled. The key is the tag name and the value is the tag value. - + - + -Topology spread constraints for the controller Pod. +A map of custom tags to apply to the Controller IAM Role if enabled. The key is the tag name and the value is the tag value. - - -```hcl -Any types represent complex values of variable type. For details, please consult `variables.tf` in the source repo. -``` - - - + -Update strategy for the controller deployment. +Configure affinity rules for the ALB Ingress Controller Pod to control which nodes to schedule on. Each item in the list should be a map with the keys `key`, `values`, and `operator`, corresponding to the 3 properties of matchExpressions. Note that all expressions must be satisfied to schedule on the node. ```hcl -Any types represent complex values of variable type. For details, please consult `variables.tf` in the source repo. +list(object({ + key = string + values = list(string) + operator = string + })) ``` - - - - - + + +
-Namespace the controller watches for updates to Kubernetes objects. If empty, all namespaces are watched. - - - +```hcl - - + Each item in the list represents a matchExpression for requiredDuringSchedulingIgnoredDuringExecution. + https://kubernetes.io/docs/concepts/configuration/assign-pod-node/affinity-and-anti-affinity for the various + configuration option. + + Example: + + [ + { + "key" = "node-label-key" + "values" = ["node-label-value", "another-node-label-value"] + "operator" = "In" + } + ] + + Translates to: + + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: node-label-key + operator: In + values: + - node-label-value + - another-node-label-value -The TCP port the Webhook server binds to. +``` +
- - + - + -Array of namespace selectors for the webhook. +Configure tolerations rules to allow the ALB Ingress Controller Pod to schedule on nodes that have been tainted. Each item in the list specifies a toleration rule. ```hcl -Any types represent complex values of variable type. For details, please consult `variables.tf` in the source repo. +list(map(any)) ``` - - + + +
- - -TLS cert/key for the webhook. +```hcl - - + Each item in the list represents a particular toleration. See + https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ for the various rules you can specify. + + Example: + + [ + { + key = "node.kubernetes.io/unreachable" + operator = "Exists" + effect = "NoExecute" + tolerationSeconds = 6000 + } + ] -```hcl -Any types represent complex values of variable type. For details, please consult `variables.tf` in the source repo. ``` +
- - + @@ -3021,7 +1889,7 @@ Restrict the cluster autoscaler to a list of absolute ASG ARNs upon initial appl The version of the cluster-autoscaler helm chart to deploy. Note that this is different from the app/container version, which is sepecified with cluster_autoscaler_version. - + @@ -3289,7 +2157,7 @@ The name of the service account to create for the cluster autoscaler. Which version of the cluster autoscaler to install. This should match the major/minor version (e.g., v1.20) of your Kubernetes Installation. See https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler#releases for a list of versions. - + @@ -6583,7 +5451,16 @@ map(object({ -If this variable is set to true, then use an exec-based plugin to authenticate and fetch tokens for EKS. This is useful because EKS clusters use short-lived authentication tokens that can expire in the middle of an 'apply' or 'destroy', and since the native Kubernetes provider in Terraform doesn't have a way to fetch up-to-date tokens, we recommend using an exec-based provider as a workaround. The aws CLI is used to fetch tokens, and must be installed and on your PATH. +If this variable is set to true, then use an exec-based plugin to authenticate and fetch tokens for EKS. This is useful because EKS clusters use short-lived authentication tokens that can expire in the middle of an 'apply' or 'destroy', and since the native Kubernetes provider in Terraform doesn't have a way to fetch up-to-date tokens, we recommend using an exec-based provider as a workaround. Use the use_kubergrunt_to_fetch_token input variable to control whether kubergrunt or aws is used to fetch tokens. + + + + + + + + +EKS clusters use short-lived authentication tokens that can expire in the middle of an 'apply' or 'destroy'. To avoid this issue, we use an exec-based plugin to fetch an up-to-date token. If this variable is set to true, we'll use kubergrunt to fetch the token (in which case, kubergrunt must be installed and on PATH); if this variable is set to false, we'll use the aws CLI to fetch the token (in which case, aws must be installed and on PATH). Note this functionality is only enabled if use_exec_plugin_for_auth is set to true. @@ -6623,11 +5500,11 @@ A list of names of Kubernetes PriorityClass objects created by this module. diff --git a/docs/reference/services/app-orchestration/amazon-eks-workers.md b/docs/reference/services/app-orchestration/amazon-eks-workers.md index 578051841..6cdfd12ba 100644 --- a/docs/reference/services/app-orchestration/amazon-eks-workers.md +++ b/docs/reference/services/app-orchestration/amazon-eks-workers.md @@ -16,11 +16,11 @@ import TabItem from '@theme/TabItem'; import VersionBadge from '../../../../src/components/VersionBadge.tsx'; import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../src/components/HclListItem.tsx'; - + # Amazon EKS Workers -View Source +View Source Release Notes @@ -68,9 +68,9 @@ more, see the documentation in the [terraform-aws-eks](https://github.com/gruntw ### Repo organization -* [modules](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/modules): the main implementation code for this repo, broken down into multiple standalone, orthogonal submodules. -* [examples](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples): This folder contains working examples of how to use the submodules. -* [test](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/test): Automated tests for the modules and examples. +* [modules](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/modules): the main implementation code for this repo, broken down into multiple standalone, orthogonal submodules. +* [examples](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples): This folder contains working examples of how to use the submodules. +* [test](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/test): Automated tests for the modules and examples. ## Deploy @@ -78,7 +78,7 @@ more, see the documentation in the [terraform-aws-eks](https://github.com/gruntw If you just want to try this repo out for experimenting and learning, check out the following resources: -* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-learning-and-testing): The +* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-learning-and-testing): The `examples/for-learning-and-testing` folder contains standalone sample code optimized for learning, experimenting, and testing (but not direct production usage). @@ -86,7 +86,7 @@ If you just want to try this repo out for experimenting and learning, check out If you want to deploy this repo in production, check out the following resources: -* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-production): The `examples/for-production` folder contains sample code +* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-production): The `examples/for-production` folder contains sample code optimized for direct usage in production. This is code from the [Gruntwork Reference Architecture](https://gruntwork.io/reference-architecture), and it shows you how we build an end-to-end, integrated tech stack on top of the Gruntwork Service Catalog. @@ -96,17 +96,11 @@ If you want to deploy this repo in production, check out the following resources ## Manage -### Migrating from AL2 to AL2023 - -**IMPORTANT**: Starting with EKS 1.33, this module defaults to Amazon Linux 2023 (AL2023) instead of Amazon Linux 2 (AL2). If you have existing clusters using AL2, see the [AL2 to AL2023 Migration Guide](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/modules/services/eks-workers/AL2-TO-AL2023-MIGRATION.md) for detailed migration instructions. - -### Worker Management - For information on registering the worker IAM role to the EKS control plane, refer to the -[IAM Roles and Kubernetes API Access](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/modules/services/eks-workers/core-concepts.md#iam-roles-and-kubernetes-api-access) section of the documentation. +[IAM Roles and Kubernetes API Access](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/modules/services/eks-workers/core-concepts.md#iam-roles-and-kubernetes-api-access) section of the documentation. For information on how to perform a blue-green deployment of the worker pools, refer to the -[How do I perform a blue green release to roll out new versions of the module](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/modules/services/eks-workers/core-concepts.md#how-do-i-perform-a-blue-green-release-to-roll-out-new-versions-of-the-module) +[How do I perform a blue green release to roll out new versions of the module](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/modules/services/eks-workers/core-concepts.md#how-do-i-perform-a-blue-green-release-to-roll-out-new-versions-of-the-module) section of the documentation. For information on how to manage your EKS cluster, including how to deploy Pods on Fargate, how to associate IAM roles @@ -127,7 +121,7 @@ to Pod, how to upgrade your EKS cluster, and more, see the documentation in the module "eks_workers" { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/eks-workers?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/eks-workers?ref=v2.6.0" # ---------------------------------------------------------------------------------------------------- # REQUIRED VARIABLES @@ -200,7 +194,7 @@ module "eks_workers" { # Default value for asg_ami_type field of autoscaling_group_configurations. # See the AWS documentation for valid values. Docs: # https://docs.aws.amazon.com/eks/latest/APIReference/API_Nodegroup.html#AmazonEKS-Type-Nodegroup-amiType - asg_default_ami_type = "AL2023_x86_64_STANDARD" + asg_default_ami_type = "AL2_x86_64" # Default value for enable_detailed_monitoring field of # autoscaling_group_configurations. @@ -495,12 +489,6 @@ module "eks_workers" { # Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'. high_worker_memory_utilization_treat_missing_data = "missing" - # Whether to attach the default IAM policies (AmazonEKSWorkerNodePolicy, - # AmazonEKS_CNI_Policy, AmazonEC2ContainerRegistryReadOnly) to the Managed - # Node Group IAM role. Set to false if your existing IAM role already has - # these policies attached. - managed_node_group_attach_default_iam_policies = true - # Whether or not to create an AWS Security Group for the Managed Node Groups. # By default this is created. managed_node_group_create_security_group = true @@ -526,7 +514,7 @@ module "eks_workers" { # Default value for ami_type field of managed_node_group_configurations. See # the AWS documentation for valid values. Docs: # https://docs.aws.amazon.com/eks/latest/APIReference/API_Nodegroup.html#AmazonEKS-Type-Nodegroup-amiType - node_group_default_ami_type = "AL2023_x86_64_STANDARD" + node_group_default_ami_type = "AL2_x86_64" # Default value for capacity_type field of managed_node_group_configurations. node_group_default_capacity_type = "ON_DEMAND" @@ -653,8 +641,8 @@ module "eks_workers" { # use short-lived authentication tokens that can expire in the middle of an # 'apply' or 'destroy', and since the native Kubernetes provider in Terraform # doesn't have a way to fetch up-to-date tokens, we recommend using an - # exec-based provider as a workaround. The aws CLI is used to fetch tokens, - # and must be installed and on your PATH. + # exec-based provider as a workaround. Use the use_kubergrunt_to_fetch_token + # input variable to control whether kubergrunt or aws is used to fetch tokens. use_exec_plugin_for_auth = true # Set this variable to true to enable the use of Instance Metadata Service @@ -664,6 +652,16 @@ module "eks_workers" { # IMDSv1. use_imdsv1 = false + # EKS clusters use short-lived authentication tokens that can expire in the + # middle of an 'apply' or 'destroy'. To avoid this issue, we use an exec-based + # plugin to fetch an up-to-date token. If this variable is set to true, we'll + # use kubergrunt to fetch the token (in which case, kubergrunt must be + # installed and on PATH); if this variable is set to false, we'll use the aws + # CLI to fetch the token (in which case, aws must be installed and on PATH). + # Note this functionality is only enabled if use_exec_plugin_for_auth is set + # to true. + use_kubergrunt_to_fetch_token = true + # When true, all IAM policies will be managed as dedicated policies rather # than inline policies attached to the IAM roles. Dedicated managed policies # are friendlier to automated policy checkers, which may scan a single @@ -702,7 +700,7 @@ module "eks_workers" { # ------------------------------------------------------------------------------------------------------ terraform { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/eks-workers?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/eks-workers?ref=v2.6.0" } inputs = { @@ -778,7 +776,7 @@ inputs = { # Default value for asg_ami_type field of autoscaling_group_configurations. # See the AWS documentation for valid values. Docs: # https://docs.aws.amazon.com/eks/latest/APIReference/API_Nodegroup.html#AmazonEKS-Type-Nodegroup-amiType - asg_default_ami_type = "AL2023_x86_64_STANDARD" + asg_default_ami_type = "AL2_x86_64" # Default value for enable_detailed_monitoring field of # autoscaling_group_configurations. @@ -1073,12 +1071,6 @@ inputs = { # Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'. high_worker_memory_utilization_treat_missing_data = "missing" - # Whether to attach the default IAM policies (AmazonEKSWorkerNodePolicy, - # AmazonEKS_CNI_Policy, AmazonEC2ContainerRegistryReadOnly) to the Managed - # Node Group IAM role. Set to false if your existing IAM role already has - # these policies attached. - managed_node_group_attach_default_iam_policies = true - # Whether or not to create an AWS Security Group for the Managed Node Groups. # By default this is created. managed_node_group_create_security_group = true @@ -1104,7 +1096,7 @@ inputs = { # Default value for ami_type field of managed_node_group_configurations. See # the AWS documentation for valid values. Docs: # https://docs.aws.amazon.com/eks/latest/APIReference/API_Nodegroup.html#AmazonEKS-Type-Nodegroup-amiType - node_group_default_ami_type = "AL2023_x86_64_STANDARD" + node_group_default_ami_type = "AL2_x86_64" # Default value for capacity_type field of managed_node_group_configurations. node_group_default_capacity_type = "ON_DEMAND" @@ -1231,8 +1223,8 @@ inputs = { # use short-lived authentication tokens that can expire in the middle of an # 'apply' or 'destroy', and since the native Kubernetes provider in Terraform # doesn't have a way to fetch up-to-date tokens, we recommend using an - # exec-based provider as a workaround. The aws CLI is used to fetch tokens, - # and must be installed and on your PATH. + # exec-based provider as a workaround. Use the use_kubergrunt_to_fetch_token + # input variable to control whether kubergrunt or aws is used to fetch tokens. use_exec_plugin_for_auth = true # Set this variable to true to enable the use of Instance Metadata Service @@ -1242,6 +1234,16 @@ inputs = { # IMDSv1. use_imdsv1 = false + # EKS clusters use short-lived authentication tokens that can expire in the + # middle of an 'apply' or 'destroy'. To avoid this issue, we use an exec-based + # plugin to fetch an up-to-date token. If this variable is set to true, we'll + # use kubergrunt to fetch the token (in which case, kubergrunt must be + # installed and on PATH); if this variable is set to false, we'll use the aws + # CLI to fetch the token (in which case, aws must be installed and on PATH). + # Note this functionality is only enabled if use_exec_plugin_for_auth is set + # to true. + use_kubergrunt_to_fetch_token = true + # When true, all IAM policies will be managed as dedicated policies rather # than inline policies attached to the IAM roles. Dedicated managed policies # are friendlier to automated policy checkers, which may scan a single @@ -1663,7 +1665,7 @@ Custom name for the IAM role for the Self-managed workers. When null, a default Default value for asg_ami_type field of autoscaling_group_configurations. See the AWS documentation for valid values. Docs: https://docs.aws.amazon.com/eks/latest/APIReference/API_Nodegroup.html#AmazonEKS-Type-Nodegroup-amiType - + @@ -2507,15 +2509,6 @@ Sets how this alarm should handle entering the INSUFFICIENT_DATA state. Based on - - - -Whether to attach the default IAM policies (AmazonEKSWorkerNodePolicy, AmazonEKS_CNI_Policy, AmazonEC2ContainerRegistryReadOnly) to the Managed Node Group IAM role. Set to false if your existing IAM role already has these policies attached. - - - - - @@ -2558,7 +2551,7 @@ ARN of the IAM role to use if iam_role_already_exists = true. When null, uses ma Default value for ami_type field of managed_node_group_configurations. See the AWS documentation for valid values. Docs: https://docs.aws.amazon.com/eks/latest/APIReference/API_Nodegroup.html#AmazonEKS-Type-Nodegroup-amiType - + @@ -2814,7 +2807,7 @@ The tenancy of the servers in the self-managed worker ASG. Must be one of: defau -If this variable is set to true, then use an exec-based plugin to authenticate and fetch tokens for EKS. This is useful because EKS clusters use short-lived authentication tokens that can expire in the middle of an 'apply' or 'destroy', and since the native Kubernetes provider in Terraform doesn't have a way to fetch up-to-date tokens, we recommend using an exec-based provider as a workaround. The aws CLI is used to fetch tokens, and must be installed and on your PATH. +If this variable is set to true, then use an exec-based plugin to authenticate and fetch tokens for EKS. This is useful because EKS clusters use short-lived authentication tokens that can expire in the middle of an 'apply' or 'destroy', and since the native Kubernetes provider in Terraform doesn't have a way to fetch up-to-date tokens, we recommend using an exec-based provider as a workaround. Use the use_kubergrunt_to_fetch_token input variable to control whether kubergrunt or aws is used to fetch tokens. @@ -2829,6 +2822,15 @@ Set this variable to true to enable the use of Instance Metadata Service Version + + + +EKS clusters use short-lived authentication tokens that can expire in the middle of an 'apply' or 'destroy'. To avoid this issue, we use an exec-based plugin to fetch an up-to-date token. If this variable is set to true, we'll use kubergrunt to fetch the token (in which case, kubergrunt must be installed and on PATH); if this variable is set to false, we'll use the aws CLI to fetch the token (in which case, aws must be installed and on PATH). Note this functionality is only enabled if use_exec_plugin_for_auth is set to true. + + + + + @@ -2994,11 +2996,11 @@ The list of names of the ASGs that were deployed to act as EKS workers. diff --git a/docs/reference/services/app-orchestration/amazon-eks.md b/docs/reference/services/app-orchestration/amazon-eks.md index 5d2741eaa..73ec25e94 100644 --- a/docs/reference/services/app-orchestration/amazon-eks.md +++ b/docs/reference/services/app-orchestration/amazon-eks.md @@ -16,11 +16,11 @@ import TabItem from '@theme/TabItem'; import VersionBadge from '../../../../src/components/VersionBadge.tsx'; import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../src/components/HclListItem.tsx'; - + # Amazon EKS -View Source +View Source Release Notes @@ -68,9 +68,9 @@ more, see the documentation in the [terraform-aws-eks](https://github.com/gruntw ### Repo organization -* [modules](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/modules): the main implementation code for this repo, broken down into multiple standalone, orthogonal submodules. -* [examples](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples): This folder contains working examples of how to use the submodules. -* [test](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/test): Automated tests for the modules and examples. +* [modules](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/modules): the main implementation code for this repo, broken down into multiple standalone, orthogonal submodules. +* [examples](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples): This folder contains working examples of how to use the submodules. +* [test](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/test): Automated tests for the modules and examples. ## Deploy @@ -78,7 +78,7 @@ more, see the documentation in the [terraform-aws-eks](https://github.com/gruntw If you just want to try this repo out for experimenting and learning, check out the following resources: -* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-learning-and-testing): The +* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-learning-and-testing): The `examples/for-learning-and-testing` folder contains standalone sample code optimized for learning, experimenting, and testing (but not direct production usage). @@ -86,7 +86,7 @@ If you just want to try this repo out for experimenting and learning, check out If you want to deploy this repo in production, check out the following resources: -* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-production): The `examples/for-production` folder contains sample code +* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-production): The `examples/for-production` folder contains sample code optimized for direct usage in production. This is code from the [Gruntwork Reference Architecture](https://gruntwork.io/reference-architecture), and it shows you how we build an end-to-end, integrated tech stack on top of the Gruntwork Service Catalog. @@ -116,7 +116,7 @@ To add and manage additional worker groups, refer to the [eks-workers module](/r module "eks_cluster" { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/eks-cluster?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/eks-cluster?ref=v2.6.0" # ---------------------------------------------------------------------------------------------------- # REQUIRED VARIABLES @@ -347,12 +347,6 @@ module "eks_cluster" { # use the key `default`. cloud_init_parts = {} - # ARN of an existing IAM role to use for the EKS cluster. When null, a new - # role will be created. WARNING: This can ONLY be set during initial cluster - # creation. Changing this value on an existing cluster will DESTROY and - # RECREATE the cluster (destructive operation). - cluster_iam_role_arn = null - # ARN of permissions boundary to apply to the cluster IAM role - the IAM role # created for the EKS cluster. cluster_iam_role_permissions_boundary = null @@ -394,15 +388,6 @@ module "eks_cluster" { # cluster to be created. cluster_network_config_service_ipv4_cidr = null - # ID of an existing security group to use for the EKS cluster control plane. - # When null or empty, a new security group will be created. This is the - # primary cluster security group; additional security groups can be provided - # via the additional_security_groups_for_control_plane variable. - cluster_security_group_id = null - - # Specify the log class of the cloudwatch log group - control_plane_cloudwatch_log_group_class = "STANDARD" - # The ID (ARN, alias ARN, AWS ID) of a customer managed KMS Key to use for # encrypting log data in the CloudWatch log group for EKS control plane logs. control_plane_cloudwatch_log_group_kms_key_id = null @@ -592,18 +577,15 @@ module "eks_cluster" { # When set to true, the module configures EKS add-ons # (https://docs.aws.amazon.com/eks/latest/userguide/eks-add-ons.html) - # specified with `eks_addons`. + # specified with `eks_addons`. VPC CNI configurations with + # `use_vpc_cni_customize_script` isn't fully supported with addons, as the + # automated add-on lifecycles could potentially undo the configuration + # changes. enable_eks_addons = false # Enable fail2ban to block brute force log in attempts. Defaults to true. enable_fail2ban = true - # Set to true to enable several basic CloudWatch alarms around CPU usage, - # memory usage, and disk space usage for worker ASGs. If set to true, make - # sure to specify SNS topics to send notifications to using - # var.alarms_sns_topic_arn. - enable_worker_cloudwatch_alarms = true - # Set to true to send worker system logs to CloudWatch. This is useful in # combination with # https://github.com/gruntwork-io/terraform-aws-monitoring/tree/master/modules/logs/cloudwatch-log-aggregation-scripts @@ -689,10 +671,16 @@ module "eks_cluster" { # the user. iam_user_to_rbac_group_mapping = {} + # The URL from which to download Kubergrunt if it's not installed already. Use + # to specify a version of kubergrunt that is compatible with your specified + # kubernetes version. Ex. + # 'https://github.com/gruntwork-io/kubergrunt/releases/download/v0.18.1/kubergrunt_' + kubergrunt_download_url = "https://github.com/gruntwork-io/kubergrunt/releases/download/v0.18.1/kubergrunt_" + # Version of Kubernetes to use. Refer to EKS docs for list of available # versions # (https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html). - kubernetes_version = "1.34" + kubernetes_version = "1.32" # Configure one or more Node Groups to manage the EC2 instances in this # cluster. Set to empty object ({}) if you do not wish to configure managed @@ -807,8 +795,8 @@ module "eks_cluster" { num_worker_vpc_subnet_ids = null # When true, configures control plane services to run on Fargate so that the - # cluster can run without worker nodes. If true, requires - # create_default_fargate_iam_role be set to true. + # cluster can run without worker nodes. If true, requires kubergrunt to be + # available on the system, and create_default_fargate_iam_role be set to true. schedule_control_plane_services_on_fargate = false # ARN for KMS Key to use for envelope encryption of Kubernetes Secrets. By @@ -840,12 +828,33 @@ module "eks_cluster" { # The tenancy of this server. Must be one of: default, dedicated, or host. tenancy = "default" + # When set to true, the sync-core-components command will skip updating + # coredns. This variable is ignored if `use_kubergrunt_sync_components` is + # false. + upgrade_cluster_script_skip_coredns = false + + # When set to true, the sync-core-components command will skip updating + # kube-proxy. This variable is ignored if `use_kubergrunt_sync_components` is + # false. + upgrade_cluster_script_skip_kube_proxy = false + + # When set to true, the sync-core-components command will skip updating + # aws-vpc-cni. This variable is ignored if `use_kubergrunt_sync_components` is + # false. + upgrade_cluster_script_skip_vpc_cni = false + + # When set to true, the sync-core-components command will wait until the new + # versions are rolled out in the cluster. This variable is ignored if + # `use_kubergrunt_sync_components` is false. + upgrade_cluster_script_wait_for_rollout = true + # If this variable is set to true, then use an exec-based plugin to # authenticate and fetch tokens for EKS. This is useful because EKS clusters # use short-lived authentication tokens that can expire in the middle of an # 'apply' or 'destroy', and since the native Kubernetes provider in Terraform # doesn't have a way to fetch up-to-date tokens, we recommend using an - # exec-based provider as a workaround. + # exec-based provider as a workaround. Use the use_kubergrunt_to_fetch_token + # input variable to control whether kubergrunt or aws is used to fetch tokens. use_exec_plugin_for_auth = true # Set this variable to true to enable the use of Instance Metadata Service @@ -855,6 +864,26 @@ module "eks_cluster" { # IMDSv1. use_imdsv1 = false + # When set to true, this will enable kubergrunt based component syncing. This + # step ensures that the core EKS components that are installed are upgraded to + # a matching version everytime the cluster's Kubernetes version is updated. + use_kubergrunt_sync_components = true + + # EKS clusters use short-lived authentication tokens that can expire in the + # middle of an 'apply' or 'destroy'. To avoid this issue, we use an exec-based + # plugin to fetch an up-to-date token. If this variable is set to true, we'll + # use kubergrunt to fetch the token (in which case, kubergrunt must be + # installed and on PATH); if this variable is set to false, we'll use the aws + # CLI to fetch the token (in which case, aws must be installed and on PATH). + # Note this functionality is only enabled if use_exec_plugin_for_auth is set + # to true. + use_kubergrunt_to_fetch_token = true + + # When set to true, this will enable kubergrunt verification to wait for the + # Kubernetes API server to come up before completing. If false, reverts to a + # 30 second timed wait instead. + use_kubergrunt_verification = true + # When true, all IAM policies will be managed as dedicated policies rather # than inline policies attached to the IAM roles. Dedicated managed policies # are friendlier to automated policy checkers, which may scan a single @@ -862,13 +891,37 @@ module "eks_cluster" { # when targeting compliance with various security standards. use_managed_iam_policies = true - # When true, assumes prefix delegation mode is in use for the AWS VPC CNI - # component of the EKS cluster when computing max pods allowed on the node. In - # prefix delegation mode, each ENI will be allocated 16 IP addresses (/28) - # instead of 1, allowing you to pack more Pods per node. This should be set to - # true when the vpc-cni EKS addon is configured with - # ENABLE_PREFIX_DELEGATION=true. - use_prefix_mode_to_calculate_max_pods = false + # When set to true, this will enable management of the aws-vpc-cni + # configuration options using kubergrunt running as a local-exec provisioner. + # If you set this to false, the vpc_cni_* variables will be ignored. + use_vpc_cni_customize_script = true + + # When true, enable prefix delegation mode for the AWS VPC CNI component of + # the EKS cluster. In prefix delegation mode, each ENI will be allocated 16 IP + # addresses (/28) instead of 1, allowing you to pack more Pods per node. Note + # that by default, AWS VPC CNI will always preallocate 1 full prefix - this + # means that you can potentially take up 32 IP addresses from the VPC network + # space even if you only have 1 Pod on the node. You can tweak this behavior + # by configuring the var.vpc_cni_warm_ip_target input variable. + vpc_cni_enable_prefix_delegation = true + + # The minimum number of IP addresses (free and used) each node should start + # with. When null, defaults to the aws-vpc-cni application setting (currently + # 16 as of version 1.9.0). For example, if this is set to 25, every node will + # allocate 2 prefixes (32 IP addresses). On the other hand, if this was set to + # the default value, then each node will allocate only 1 prefix (16 IP + # addresses). + vpc_cni_minimum_ip_target = null + + # The number of free IP addresses each node should maintain. When null, + # defaults to the aws-vpc-cni application setting (currently 16 as of version + # 1.9.0). In prefix delegation mode, determines whether the node will + # preallocate another full prefix. For example, if this is set to 5 and a node + # is currently has 9 Pods scheduled, then the node will NOT preallocate a new + # prefix block of 16 IP addresses. On the other hand, if this was set to the + # default value, then the node will allocate a new block when the first pod is + # scheduled. + vpc_cni_warm_ip_target = null # The ID (ARN, alias ARN, AWS ID) of a customer managed KMS Key to use for # encrypting worker system log data. Only used if @@ -922,7 +975,7 @@ module "eks_cluster" { # ------------------------------------------------------------------------------------------------------ terraform { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/eks-cluster?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/eks-cluster?ref=v2.6.0" } inputs = { @@ -1156,12 +1209,6 @@ inputs = { # use the key `default`. cloud_init_parts = {} - # ARN of an existing IAM role to use for the EKS cluster. When null, a new - # role will be created. WARNING: This can ONLY be set during initial cluster - # creation. Changing this value on an existing cluster will DESTROY and - # RECREATE the cluster (destructive operation). - cluster_iam_role_arn = null - # ARN of permissions boundary to apply to the cluster IAM role - the IAM role # created for the EKS cluster. cluster_iam_role_permissions_boundary = null @@ -1203,15 +1250,6 @@ inputs = { # cluster to be created. cluster_network_config_service_ipv4_cidr = null - # ID of an existing security group to use for the EKS cluster control plane. - # When null or empty, a new security group will be created. This is the - # primary cluster security group; additional security groups can be provided - # via the additional_security_groups_for_control_plane variable. - cluster_security_group_id = null - - # Specify the log class of the cloudwatch log group - control_plane_cloudwatch_log_group_class = "STANDARD" - # The ID (ARN, alias ARN, AWS ID) of a customer managed KMS Key to use for # encrypting log data in the CloudWatch log group for EKS control plane logs. control_plane_cloudwatch_log_group_kms_key_id = null @@ -1401,18 +1439,15 @@ inputs = { # When set to true, the module configures EKS add-ons # (https://docs.aws.amazon.com/eks/latest/userguide/eks-add-ons.html) - # specified with `eks_addons`. + # specified with `eks_addons`. VPC CNI configurations with + # `use_vpc_cni_customize_script` isn't fully supported with addons, as the + # automated add-on lifecycles could potentially undo the configuration + # changes. enable_eks_addons = false # Enable fail2ban to block brute force log in attempts. Defaults to true. enable_fail2ban = true - # Set to true to enable several basic CloudWatch alarms around CPU usage, - # memory usage, and disk space usage for worker ASGs. If set to true, make - # sure to specify SNS topics to send notifications to using - # var.alarms_sns_topic_arn. - enable_worker_cloudwatch_alarms = true - # Set to true to send worker system logs to CloudWatch. This is useful in # combination with # https://github.com/gruntwork-io/terraform-aws-monitoring/tree/master/modules/logs/cloudwatch-log-aggregation-scripts @@ -1498,10 +1533,16 @@ inputs = { # the user. iam_user_to_rbac_group_mapping = {} + # The URL from which to download Kubergrunt if it's not installed already. Use + # to specify a version of kubergrunt that is compatible with your specified + # kubernetes version. Ex. + # 'https://github.com/gruntwork-io/kubergrunt/releases/download/v0.18.1/kubergrunt_' + kubergrunt_download_url = "https://github.com/gruntwork-io/kubergrunt/releases/download/v0.18.1/kubergrunt_" + # Version of Kubernetes to use. Refer to EKS docs for list of available # versions # (https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html). - kubernetes_version = "1.34" + kubernetes_version = "1.32" # Configure one or more Node Groups to manage the EC2 instances in this # cluster. Set to empty object ({}) if you do not wish to configure managed @@ -1616,8 +1657,8 @@ inputs = { num_worker_vpc_subnet_ids = null # When true, configures control plane services to run on Fargate so that the - # cluster can run without worker nodes. If true, requires - # create_default_fargate_iam_role be set to true. + # cluster can run without worker nodes. If true, requires kubergrunt to be + # available on the system, and create_default_fargate_iam_role be set to true. schedule_control_plane_services_on_fargate = false # ARN for KMS Key to use for envelope encryption of Kubernetes Secrets. By @@ -1649,12 +1690,33 @@ inputs = { # The tenancy of this server. Must be one of: default, dedicated, or host. tenancy = "default" + # When set to true, the sync-core-components command will skip updating + # coredns. This variable is ignored if `use_kubergrunt_sync_components` is + # false. + upgrade_cluster_script_skip_coredns = false + + # When set to true, the sync-core-components command will skip updating + # kube-proxy. This variable is ignored if `use_kubergrunt_sync_components` is + # false. + upgrade_cluster_script_skip_kube_proxy = false + + # When set to true, the sync-core-components command will skip updating + # aws-vpc-cni. This variable is ignored if `use_kubergrunt_sync_components` is + # false. + upgrade_cluster_script_skip_vpc_cni = false + + # When set to true, the sync-core-components command will wait until the new + # versions are rolled out in the cluster. This variable is ignored if + # `use_kubergrunt_sync_components` is false. + upgrade_cluster_script_wait_for_rollout = true + # If this variable is set to true, then use an exec-based plugin to # authenticate and fetch tokens for EKS. This is useful because EKS clusters # use short-lived authentication tokens that can expire in the middle of an # 'apply' or 'destroy', and since the native Kubernetes provider in Terraform # doesn't have a way to fetch up-to-date tokens, we recommend using an - # exec-based provider as a workaround. + # exec-based provider as a workaround. Use the use_kubergrunt_to_fetch_token + # input variable to control whether kubergrunt or aws is used to fetch tokens. use_exec_plugin_for_auth = true # Set this variable to true to enable the use of Instance Metadata Service @@ -1664,6 +1726,26 @@ inputs = { # IMDSv1. use_imdsv1 = false + # When set to true, this will enable kubergrunt based component syncing. This + # step ensures that the core EKS components that are installed are upgraded to + # a matching version everytime the cluster's Kubernetes version is updated. + use_kubergrunt_sync_components = true + + # EKS clusters use short-lived authentication tokens that can expire in the + # middle of an 'apply' or 'destroy'. To avoid this issue, we use an exec-based + # plugin to fetch an up-to-date token. If this variable is set to true, we'll + # use kubergrunt to fetch the token (in which case, kubergrunt must be + # installed and on PATH); if this variable is set to false, we'll use the aws + # CLI to fetch the token (in which case, aws must be installed and on PATH). + # Note this functionality is only enabled if use_exec_plugin_for_auth is set + # to true. + use_kubergrunt_to_fetch_token = true + + # When set to true, this will enable kubergrunt verification to wait for the + # Kubernetes API server to come up before completing. If false, reverts to a + # 30 second timed wait instead. + use_kubergrunt_verification = true + # When true, all IAM policies will be managed as dedicated policies rather # than inline policies attached to the IAM roles. Dedicated managed policies # are friendlier to automated policy checkers, which may scan a single @@ -1671,13 +1753,37 @@ inputs = { # when targeting compliance with various security standards. use_managed_iam_policies = true - # When true, assumes prefix delegation mode is in use for the AWS VPC CNI - # component of the EKS cluster when computing max pods allowed on the node. In - # prefix delegation mode, each ENI will be allocated 16 IP addresses (/28) - # instead of 1, allowing you to pack more Pods per node. This should be set to - # true when the vpc-cni EKS addon is configured with - # ENABLE_PREFIX_DELEGATION=true. - use_prefix_mode_to_calculate_max_pods = false + # When set to true, this will enable management of the aws-vpc-cni + # configuration options using kubergrunt running as a local-exec provisioner. + # If you set this to false, the vpc_cni_* variables will be ignored. + use_vpc_cni_customize_script = true + + # When true, enable prefix delegation mode for the AWS VPC CNI component of + # the EKS cluster. In prefix delegation mode, each ENI will be allocated 16 IP + # addresses (/28) instead of 1, allowing you to pack more Pods per node. Note + # that by default, AWS VPC CNI will always preallocate 1 full prefix - this + # means that you can potentially take up 32 IP addresses from the VPC network + # space even if you only have 1 Pod on the node. You can tweak this behavior + # by configuring the var.vpc_cni_warm_ip_target input variable. + vpc_cni_enable_prefix_delegation = true + + # The minimum number of IP addresses (free and used) each node should start + # with. When null, defaults to the aws-vpc-cni application setting (currently + # 16 as of version 1.9.0). For example, if this is set to 25, every node will + # allocate 2 prefixes (32 IP addresses). On the other hand, if this was set to + # the default value, then each node will allocate only 1 prefix (16 IP + # addresses). + vpc_cni_minimum_ip_target = null + + # The number of free IP addresses each node should maintain. When null, + # defaults to the aws-vpc-cni application setting (currently 16 as of version + # 1.9.0). In prefix delegation mode, determines whether the node will + # preallocate another full prefix. For example, if this is set to 5 and a node + # is currently has 9 Pods scheduled, then the node will NOT preallocate a new + # prefix block of 16 IP addresses. On the other hand, if this was set to the + # default value, then the node will allocate a new block when the first pod is + # scheduled. + vpc_cni_warm_ip_target = null # The ID (ARN, alias ARN, AWS ID) of a customer managed KMS Key to use for # encrypting worker system log data. Only used if @@ -2431,15 +2537,6 @@ map(object({ - - - -ARN of an existing IAM role to use for the EKS cluster. When null, a new role will be created. WARNING: This can ONLY be set during initial cluster creation. Changing this value on an existing cluster will DESTROY and RECREATE the cluster (destructive operation). - - - - - @@ -2535,24 +2632,6 @@ The CIDR block to assign Kubernetes pod and service IP addresses from. If you do - - - -ID of an existing security group to use for the EKS cluster control plane. When null or empty, a new security group will be created. This is the primary cluster security group; additional security groups can be provided via the additional_security_groups_for_control_plane variable. - - - - - - - - -Specify the log class of the cloudwatch log group - - - - - @@ -3301,7 +3380,7 @@ When set to true, the module configures and install the EBS CSI Driver as an EKS -When set to true, the module configures EKS add-ons (https://docs.aws.amazon.com/eks/latest/userguide/eks-add-ons.html) specified with `eks_addons`. +When set to true, the module configures EKS add-ons (https://docs.aws.amazon.com/eks/latest/userguide/eks-add-ons.html) specified with `eks_addons`. VPC CNI configurations with `use_vpc_cni_customize_script` isn't fully supported with addons, as the automated add-on lifecycles could potentially undo the configuration changes. @@ -3316,15 +3395,6 @@ Enable fail2ban to block brute force log in attempts. Defaults to true. - - - -Set to true to enable several basic CloudWatch alarms around CPU usage, memory usage, and disk space usage for worker ASGs. If set to true, make sure to specify SNS topics to send notifications to using alarms_sns_topic_arn. - - - - - @@ -3540,13 +3610,22 @@ map(list(string)) + + + +The URL from which to download Kubergrunt if it's not installed already. Use to specify a version of kubergrunt that is compatible with your specified kubernetes version. Ex. 'https://github.com/gruntwork-io/kubergrunt/releases/download/v0.18.1/kubergrunt_<platform>' + + + + + Version of Kubernetes to use. Refer to EKS docs for list of available versions (https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html). - + @@ -3901,7 +3980,7 @@ Number of subnets provided in the worker_ -When true, configures control plane services to run on Fargate so that the cluster can run without worker nodes. If true, requires create_default_fargate_iam_role be set to true. +When true, configures control plane services to run on Fargate so that the cluster can run without worker nodes. If true, requires kubergrunt to be available on the system, and create_default_fargate_iam_role be set to true. @@ -3952,10 +4031,46 @@ The tenancy of this server. Must be one of: default, dedicated, or host. + + + +When set to true, the sync-core-components command will skip updating coredns. This variable is ignored if `use_kubergrunt_sync_components` is false. + + + + + + + + +When set to true, the sync-core-components command will skip updating kube-proxy. This variable is ignored if `use_kubergrunt_sync_components` is false. + + + + + + + + +When set to true, the sync-core-components command will skip updating aws-vpc-cni. This variable is ignored if `use_kubergrunt_sync_components` is false. + + + + + + + + +When set to true, the sync-core-components command will wait until the new versions are rolled out in the cluster. This variable is ignored if `use_kubergrunt_sync_components` is false. + + + + + -If this variable is set to true, then use an exec-based plugin to authenticate and fetch tokens for EKS. This is useful because EKS clusters use short-lived authentication tokens that can expire in the middle of an 'apply' or 'destroy', and since the native Kubernetes provider in Terraform doesn't have a way to fetch up-to-date tokens, we recommend using an exec-based provider as a workaround. +If this variable is set to true, then use an exec-based plugin to authenticate and fetch tokens for EKS. This is useful because EKS clusters use short-lived authentication tokens that can expire in the middle of an 'apply' or 'destroy', and since the native Kubernetes provider in Terraform doesn't have a way to fetch up-to-date tokens, we recommend using an exec-based provider as a workaround. Use the use_kubergrunt_to_fetch_token input variable to control whether kubergrunt or aws is used to fetch tokens. @@ -3970,6 +4085,33 @@ Set this variable to true to enable the use of Instance Metadata Service Version + + + +When set to true, this will enable kubergrunt based component syncing. This step ensures that the core EKS components that are installed are upgraded to a matching version everytime the cluster's Kubernetes version is updated. + + + + + + + + +EKS clusters use short-lived authentication tokens that can expire in the middle of an 'apply' or 'destroy'. To avoid this issue, we use an exec-based plugin to fetch an up-to-date token. If this variable is set to true, we'll use kubergrunt to fetch the token (in which case, kubergrunt must be installed and on PATH); if this variable is set to false, we'll use the aws CLI to fetch the token (in which case, aws must be installed and on PATH). Note this functionality is only enabled if use_exec_plugin_for_auth is set to true. + + + + + + + + +When set to true, this will enable kubergrunt verification to wait for the Kubernetes API server to come up before completing. If false, reverts to a 30 second timed wait instead. + + + + + @@ -3979,13 +4121,40 @@ When true, all IAM policies will be managed as dedicated policies rather than in - + -When true, assumes prefix delegation mode is in use for the AWS VPC CNI component of the EKS cluster when computing max pods allowed on the node. In prefix delegation mode, each ENI will be allocated 16 IP addresses (/28) instead of 1, allowing you to pack more Pods per node. This should be set to true when the vpc-cni EKS addon is configured with ENABLE_PREFIX_DELEGATION=true. +When set to true, this will enable management of the aws-vpc-cni configuration options using kubergrunt running as a local-exec provisioner. If you set this to false, the vpc_cni_* variables will be ignored. - + + + + + + +When true, enable prefix delegation mode for the AWS VPC CNI component of the EKS cluster. In prefix delegation mode, each ENI will be allocated 16 IP addresses (/28) instead of 1, allowing you to pack more Pods per node. Note that by default, AWS VPC CNI will always preallocate 1 full prefix - this means that you can potentially take up 32 IP addresses from the VPC network space even if you only have 1 Pod on the node. You can tweak this behavior by configuring the vpc_cni_warm_ip_target input variable. + + + + + + + + +The minimum number of IP addresses (free and used) each node should start with. When null, defaults to the aws-vpc-cni application setting (currently 16 as of version 1.9.0). For example, if this is set to 25, every node will allocate 2 prefixes (32 IP addresses). On the other hand, if this was set to the default value, then each node will allocate only 1 prefix (16 IP addresses). + + + + + + + + +The number of free IP addresses each node should maintain. When null, defaults to the aws-vpc-cni application setting (currently 16 as of version 1.9.0). In prefix delegation mode, determines whether the node will preallocate another full prefix. For example, if this is set to 5 and a node is currently has 9 Pods scheduled, then the node will NOT preallocate a new prefix block of 16 IP addresses. On the other hand, if this was set to the default value, then the node will allocate a new block when the first pod is scheduled. + + + @@ -4212,11 +4381,11 @@ The ID of the AWS Security Group associated with the self-managed EKS workers. diff --git a/docs/reference/services/app-orchestration/argo-cd.md b/docs/reference/services/app-orchestration/argo-cd.md index 44f32e0e4..2d24d8641 100644 --- a/docs/reference/services/app-orchestration/argo-cd.md +++ b/docs/reference/services/app-orchestration/argo-cd.md @@ -16,13 +16,13 @@ import TabItem from '@theme/TabItem'; import VersionBadge from '../../../../src/components/VersionBadge.tsx'; import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../src/components/HclListItem.tsx'; - + # Gruntwork GitOps "GruntOps" GitOps is an operational framework that is built around DevOps best practices for a standardized approach to managing the lifecycle of Kubernetes based deployments. GitOps provides a unified approach to the deployment and management of container workloads, with Git being the single source of truth for the state of the container infrastructure. GitOps is a very developer-centric workflow that works best when adopted by individuals and teams that follow a git based development lifecycle. The core principles of GitOps have been at the center of Gruntwork from the beginning! -View Source +View Source Release Notes @@ -40,7 +40,7 @@ GitOps is an operational framework that is built around DevOps best practices fo module "eks_argocd" { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/eks-argocd?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/eks-argocd?ref=v2.6.0" # ---------------------------------------------------------------------------------------------------- # OPTIONAL VARIABLES @@ -137,7 +137,7 @@ module "eks_argocd" { # ------------------------------------------------------------------------------------------------------ terraform { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/eks-argocd?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/eks-argocd?ref=v2.6.0" } inputs = { @@ -438,11 +438,11 @@ A list of the subnets into which the Argo CD pods will be launched. These should diff --git a/docs/reference/services/app-orchestration/auto-scaling-group-asg.md b/docs/reference/services/app-orchestration/auto-scaling-group-asg.md index 2e1a445bf..4d3d7d132 100644 --- a/docs/reference/services/app-orchestration/auto-scaling-group-asg.md +++ b/docs/reference/services/app-orchestration/auto-scaling-group-asg.md @@ -16,11 +16,11 @@ import TabItem from '@theme/TabItem'; import VersionBadge from '../../../../src/components/VersionBadge.tsx'; import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../src/components/HclListItem.tsx'; - + # Auto Scaling Group -View Source +View Source Release Notes @@ -55,7 +55,7 @@ access to this repo, email [support@gruntwork.io](mailto:support@gruntwork.io). * [ASG Documentation](https://docs.aws.amazon.com/autoscaling/ec2/userguide/what-is-amazon-ec2-auto-scaling.html): Amazon’s docs for ASG that cover core concepts such as launch templates and auto scaling groups. -* [User Data](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/modules/services/asg-service/core-concepts.md) +* [User Data](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/modules/services/asg-service/core-concepts.md) ## Deploy @@ -63,7 +63,7 @@ access to this repo, email [support@gruntwork.io](mailto:support@gruntwork.io). If you just want to try this repo out for experimenting and learning, check out the following resources: -* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-learning-and-testing): The +* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-learning-and-testing): The `examples/for-learning-and-testing` folder contains standalone sample code optimized for learning, experimenting, and testing (but not direct production usage). @@ -71,7 +71,7 @@ If you just want to try this repo out for experimenting and learning, check out If you want to deploy this repo in production, check out the following resources: -* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-production): The `examples/for-production` folder contains sample code +* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-production): The `examples/for-production` folder contains sample code optimized for direct usage in production. This is code from the [Gruntwork Reference Architecture](https://gruntwork.io/reference-architecture/), and it shows you how we build an end-to-end, integrated tech stack on top of the Gruntwork Service Catalog. @@ -90,7 +90,7 @@ If you want to deploy this repo in production, check out the following resources module "asg_service" { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/asg-service?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/asg-service?ref=v2.6.0" # ---------------------------------------------------------------------------------------------------- # REQUIRED VARIABLES @@ -497,7 +497,7 @@ module "asg_service" { # ------------------------------------------------------------------------------------------------------ terraform { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/asg-service?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/asg-service?ref=v2.6.0" } inputs = { @@ -2346,11 +2346,11 @@ The ID of the Security Group that belongs to the ASG. diff --git a/docs/reference/services/app-orchestration/ec-2-instance.md b/docs/reference/services/app-orchestration/ec-2-instance.md index e7b3e696c..a0c8a2535 100644 --- a/docs/reference/services/app-orchestration/ec-2-instance.md +++ b/docs/reference/services/app-orchestration/ec-2-instance.md @@ -16,11 +16,11 @@ import TabItem from '@theme/TabItem'; import VersionBadge from '../../../../src/components/VersionBadge.tsx'; import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../src/components/HclListItem.tsx'; - + # EC2 Instance -View Source +View Source Release Notes @@ -58,9 +58,9 @@ If you’ve never used the Service Catalog before, make sure to read ### Core concepts -* [How do I update my instance?](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/modules/services/ec2-instance/core-concepts.md#how-do-i-update-my-instance) -* [How do I use User Data?](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/modules/services/ec2-instance/core-concepts.md#how-do-i-use-user-data) -* [How do I mount an EBS volume?](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/modules/services/ec2-instance/core-concepts.md#how-do-i-mount-an-ebs-volume) +* [How do I update my instance?](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/modules/services/ec2-instance/core-concepts.md#how-do-i-update-my-instance) +* [How do I use User Data?](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/modules/services/ec2-instance/core-concepts.md#how-do-i-use-user-data) +* [How do I mount an EBS volume?](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/modules/services/ec2-instance/core-concepts.md#how-do-i-mount-an-ebs-volume) ### The EC2 Instance AMI @@ -85,7 +85,7 @@ This template configures the AMI to: If you just want to try this repo out for experimenting and learning, check out the following resources: -* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-learning-and-testing): The `examples/for-learning-and-testing` +* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-learning-and-testing): The `examples/for-learning-and-testing` folder contains standalone sample code optimized for learning, experimenting, and testing (but not direct production usage). @@ -93,7 +93,7 @@ If you just want to try this repo out for experimenting and learning, check out If you want to deploy this repo in production, check out the following resources: -* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-production): The `examples/for-production` folder contains sample code +* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-production): The `examples/for-production` folder contains sample code optimized for direct usage in production. This is code from the [Gruntwork Reference Architecture](https://gruntwork.io/reference-architecture), and it shows you how we build an end-to-end, integrated tech stack on top of the Gruntwork Service Catalog, configure CI / CD for your apps and @@ -113,7 +113,7 @@ If you want to deploy this repo in production, check out the following resources module "ec_2_instance" { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/ec2-instance?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/ec2-instance?ref=v2.6.0" # ---------------------------------------------------------------------------------------------------- # REQUIRED VARIABLES @@ -272,9 +272,6 @@ module "ec_2_instance" { # 'ubuntu'. default_user = "ubuntu" - # If true, enables EC2 Instance Termination Protection. - disable_api_termination = false - # DNS Time To Live in seconds. dns_ttl = 300 @@ -412,11 +409,8 @@ module "ec_2_instance" { # If set to true, the root volume will be encrypted. Default is set to false root_volume_encrypted = false - # The ID of the KMS key to use for encrypting the root volume. Only used if - # root_volume_encrypted is true. If null, the default EBS encryption key for - # the account will be used. See - # https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#kms_key_id - # for more information. + # Optional Amazon Resource Name (ARN) of the KMS Key to use when encrypting + # the volume root_volume_kms_key_id = null # The size of the root volume, in gigabytes. @@ -475,7 +469,7 @@ module "ec_2_instance" { # ------------------------------------------------------------------------------------------------------ terraform { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/ec2-instance?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/ec2-instance?ref=v2.6.0" } inputs = { @@ -637,9 +631,6 @@ inputs = { # 'ubuntu'. default_user = "ubuntu" - # If true, enables EC2 Instance Termination Protection. - disable_api_termination = false - # DNS Time To Live in seconds. dns_ttl = 300 @@ -777,11 +768,8 @@ inputs = { # If set to true, the root volume will be encrypted. Default is set to false root_volume_encrypted = false - # The ID of the KMS key to use for encrypting the root volume. Only used if - # root_volume_encrypted is true. If null, the default EBS encryption key for - # the account will be used. See - # https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#kms_key_id - # for more information. + # Optional Amazon Resource Name (ARN) of the KMS Key to use when encrypting + # the volume root_volume_kms_key_id = null # The size of the root volume, in gigabytes. @@ -1187,15 +1175,6 @@ The default OS user for the EC2 instance AMI. For AWS Ubuntu AMIs, which is what - - - -If true, enables EC2 Instance Termination Protection. - - - - - @@ -1478,7 +1457,7 @@ If set to true, the root volume will be encrypted. Default is set to false -The ID of the KMS key to use for encrypting the root volume. Only used if root_volume_encrypted is true. If null, the default EBS encryption key for the account will be used. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#kms_key_id for more information. +Optional Amazon Resource Name (ARN) of the KMS Key to use when encrypting the volume @@ -1654,11 +1633,11 @@ The input parameters for the EBS volumes. diff --git a/docs/reference/services/app-orchestration/helm-service.md b/docs/reference/services/app-orchestration/helm-service.md index e82c763e9..dc8075ce4 100644 --- a/docs/reference/services/app-orchestration/helm-service.md +++ b/docs/reference/services/app-orchestration/helm-service.md @@ -15,11 +15,11 @@ import TabItem from '@theme/TabItem'; import VersionBadge from '../../../../src/components/VersionBadge.tsx'; import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../src/components/HclListItem.tsx'; - + # Helm Service -View Source +View Source Release Notes @@ -63,9 +63,9 @@ If you’ve never used the Service Catalog before, make sure to read ### Repo organization -* [modules](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/modules): the main implementation code for this repo, broken down into multiple standalone, orthogonal submodules. -* [examples](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples): This folder contains working examples of how to use the submodules. -* [test](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/test): Automated tests for the modules and examples. +* [modules](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/modules): the main implementation code for this repo, broken down into multiple standalone, orthogonal submodules. +* [examples](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples): This folder contains working examples of how to use the submodules. +* [test](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/test): Automated tests for the modules and examples. ## Deploy @@ -73,7 +73,7 @@ If you’ve never used the Service Catalog before, make sure to read If you just want to try this repo out for experimenting and learning, check out the following resources: -* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-learning-and-testing): The +* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-learning-and-testing): The `examples/for-learning-and-testing` folder contains standalone sample code optimized for learning, experimenting, and testing (but not direct production usage). @@ -81,7 +81,7 @@ If you just want to try this repo out for experimenting and learning, check out If you want to deploy this repo in production, check out the following resources: -* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-production): The `examples/for-production` folder contains sample code +* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-production): The `examples/for-production` folder contains sample code optimized for direct usage in production. This is code from the [Gruntwork Reference Architecture](https://gruntwork.io/reference-architecture), and it shows you how we build an end-to-end, integrated tech stack on top of the Gruntwork Service Catalog. @@ -100,7 +100,7 @@ If you want to deploy this repo in production, check out the following resources module "helm_service" { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/helm-service?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/helm-service?ref=v2.6.0" # ---------------------------------------------------------------------------------------------------- # REQUIRED VARIABLES @@ -198,7 +198,7 @@ module "helm_service" { # ------------------------------------------------------------------------------------------------------ terraform { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/helm-service?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/helm-service?ref=v2.6.0" } inputs = { @@ -497,11 +497,11 @@ Number of seconds to wait for Pods to become healthy before marking the deployme diff --git a/docs/reference/services/app-orchestration/karpenter.md b/docs/reference/services/app-orchestration/karpenter.md index 49e222cef..fb417caf3 100644 --- a/docs/reference/services/app-orchestration/karpenter.md +++ b/docs/reference/services/app-orchestration/karpenter.md @@ -16,11 +16,11 @@ import TabItem from '@theme/TabItem'; import VersionBadge from '../../../../src/components/VersionBadge.tsx'; import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../src/components/HclListItem.tsx'; - + # EKS Karpenter -View Source +View Source Release Notes @@ -61,9 +61,9 @@ For detailed information on how Karpenter is deployed to EKS, see the documentat ### Repo organization -* [modules](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/modules): the main implementation code for this repo, broken down into multiple standalone, orthogonal submodules. -* [examples](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples): This folder contains working examples of how to use the submodules. -* [test](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/test): Automated tests for the modules and examples. +* [modules](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/modules): the main implementation code for this repo, broken down into multiple standalone, orthogonal submodules. +* [examples](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples): This folder contains working examples of how to use the submodules. +* [test](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/test): Automated tests for the modules and examples. ## Deploy @@ -71,7 +71,7 @@ For detailed information on how Karpenter is deployed to EKS, see the documentat If you just want to try this repo out for experimenting and learning, check out the following resources: -* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-learning-and-testing): The +* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-learning-and-testing): The `examples/for-learning-and-testing` folder contains standalone sample code optimized for learning, experimenting, and testing (but not direct production usage). @@ -79,7 +79,7 @@ If you just want to try this repo out for experimenting and learning, check out If you want to deploy this repo in production, check out the following resources: -* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-production): The `examples/for-production` folder contains sample code +* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-production): The `examples/for-production` folder contains sample code optimized for direct usage in production. This is code from the [Gruntwork Reference Architecture](https://gruntwork.io/reference-architecture), and it shows you how we build an end-to-end, integrated tech stack on top of the Gruntwork Service Catalog. @@ -101,7 +101,7 @@ If you want to deploy this repo in production, check out the following resources module "eks_karpenter" { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/eks-karpenter?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/eks-karpenter?ref=v2.6.0" # ---------------------------------------------------------------------------------------------------- # REQUIRED VARIABLES @@ -271,7 +271,7 @@ module "eks_karpenter" { # ------------------------------------------------------------------------------------------------------ terraform { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/eks-karpenter?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/eks-karpenter?ref=v2.6.0" } inputs = { @@ -869,11 +869,11 @@ The name of the Karpenter Node IAM Role. diff --git a/docs/reference/services/app-orchestration/kubernetes-namespace.md b/docs/reference/services/app-orchestration/kubernetes-namespace.md index ed4c6ed81..49771a717 100644 --- a/docs/reference/services/app-orchestration/kubernetes-namespace.md +++ b/docs/reference/services/app-orchestration/kubernetes-namespace.md @@ -16,11 +16,11 @@ import TabItem from '@theme/TabItem'; import VersionBadge from '../../../../src/components/VersionBadge.tsx'; import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../src/components/HclListItem.tsx'; - + # Kubernetes Namespace -View Source +View Source Release Notes @@ -65,9 +65,9 @@ subscriber and don’t have access to this repo, email [support@gruntwork.io](ma ### Repo organization -* [modules](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/modules): the main implementation code for this repo, broken down into multiple standalone, orthogonal submodules. -* [examples](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples): This folder contains working examples of how to use the submodules. -* [test](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/test): Automated tests for the modules and examples. +* [modules](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/modules): the main implementation code for this repo, broken down into multiple standalone, orthogonal submodules. +* [examples](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples): This folder contains working examples of how to use the submodules. +* [test](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/test): Automated tests for the modules and examples. ## Deploy @@ -75,7 +75,7 @@ subscriber and don’t have access to this repo, email [support@gruntwork.io](ma If you just want to try this repo out for experimenting and learning, check out the following resources: -* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-learning-and-testing): The +* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-learning-and-testing): The `examples/for-learning-and-testing` folder contains standalone sample code optimized for learning, experimenting, and testing (but not direct production usage). @@ -83,7 +83,7 @@ If you just want to try this repo out for experimenting and learning, check out If you want to deploy this repo in production, check out the following resources: -* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-production): The `examples/for-production` folder contains sample code +* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-production): The `examples/for-production` folder contains sample code optimized for direct usage in production. This is code from the [Gruntwork Reference Architecture](https://gruntwork.io/reference-architecture), and it shows you how we build an end-to-end, integrated tech stack on top of the Gruntwork Service Catalog. @@ -102,7 +102,7 @@ If you want to deploy this repo in production, check out the following resources module "k_8_s_namespace" { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/k8s-namespace?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/k8s-namespace?ref=v2.6.0" # ---------------------------------------------------------------------------------------------------- # REQUIRED VARIABLES @@ -166,7 +166,7 @@ module "k_8_s_namespace" { # ------------------------------------------------------------------------------------------------------ terraform { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/k8s-namespace?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/k8s-namespace?ref=v2.6.0" } inputs = { @@ -427,11 +427,11 @@ The name of the rbac role that grants read only permissions on the namespace. diff --git a/docs/reference/services/app-orchestration/kubernetes-service.md b/docs/reference/services/app-orchestration/kubernetes-service.md index abf87b9d0..928a79cc8 100644 --- a/docs/reference/services/app-orchestration/kubernetes-service.md +++ b/docs/reference/services/app-orchestration/kubernetes-service.md @@ -16,11 +16,11 @@ import TabItem from '@theme/TabItem'; import VersionBadge from '../../../../src/components/VersionBadge.tsx'; import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../src/components/HclListItem.tsx'; - + # Kubernetes Service -View Source +View Source Release Notes @@ -74,9 +74,9 @@ don’t have access to this repo, email [support@gruntwork.io](mailto:support@gr ### Repo organization -* [modules](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/modules): the main implementation code for this repo, broken down into multiple standalone, orthogonal submodules. -* [examples](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples): This folder contains working examples of how to use the submodules. -* [test](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/test): Automated tests for the modules and examples. +* [modules](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/modules): the main implementation code for this repo, broken down into multiple standalone, orthogonal submodules. +* [examples](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples): This folder contains working examples of how to use the submodules. +* [test](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/test): Automated tests for the modules and examples. ## Deploy @@ -84,7 +84,7 @@ don’t have access to this repo, email [support@gruntwork.io](mailto:support@gr If you just want to try this repo out for experimenting and learning, check out the following resources: -* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-learning-and-testing): The +* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-learning-and-testing): The `examples/for-learning-and-testing` folder contains standalone sample code optimized for learning, experimenting, and testing (but not direct production usage). @@ -92,7 +92,7 @@ If you just want to try this repo out for experimenting and learning, check out If you want to deploy this repo in production, check out the following resources: -* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-production): The `examples/for-production` folder contains sample code +* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-production): The `examples/for-production` folder contains sample code optimized for direct usage in production. This is code from the [Gruntwork Reference Architecture](https://gruntwork.io/reference-architecture), and it shows you how we build an end-to-end, integrated tech stack on top of the Gruntwork Service Catalog. @@ -111,7 +111,7 @@ If you want to deploy this repo in production, check out the following resources module "k_8_s_service" { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/k8s-service?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/k8s-service?ref=v2.6.0" # ---------------------------------------------------------------------------------------------------- # REQUIRED VARIABLES @@ -513,7 +513,7 @@ module "k_8_s_service" { # ------------------------------------------------------------------------------------------------------ terraform { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/k8s-service?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/k8s-service?ref=v2.6.0" } inputs = { @@ -2062,11 +2062,11 @@ Number of seconds to wait for Pods to become healthy before marking the deployme diff --git a/docs/reference/services/app-orchestration/lambda.md b/docs/reference/services/app-orchestration/lambda.md index dd506452c..608811c82 100644 --- a/docs/reference/services/app-orchestration/lambda.md +++ b/docs/reference/services/app-orchestration/lambda.md @@ -16,11 +16,11 @@ import TabItem from '@theme/TabItem'; import VersionBadge from '../../../../src/components/VersionBadge.tsx'; import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../src/components/HclListItem.tsx'; - + # Lambda -View Source +View Source Release Notes @@ -59,9 +59,9 @@ documentation in the [terraform-aws-lambda](https://github.com/gruntwork-io/terr ### Repo organization -* [modules](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/modules): The main implementation code for this repo, broken down into multiple standalone, orthogonal submodules. -* [examples](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples): This folder contains working examples of how to use the submodules. -* [test](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/test): Automated tests for the modules and examples. +* [modules](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/modules): The main implementation code for this repo, broken down into multiple standalone, orthogonal submodules. +* [examples](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples): This folder contains working examples of how to use the submodules. +* [test](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/test): Automated tests for the modules and examples. ## Deploy @@ -69,7 +69,7 @@ documentation in the [terraform-aws-lambda](https://github.com/gruntwork-io/terr If you just want to try this repo out for experimenting and learning, check out the following resources: -* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-learning-and-testing): The +* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-learning-and-testing): The `examples/for-learning-and-testing` folder contains standalone sample code optimized for learning, experimenting, and testing (but not direct production usage). @@ -77,7 +77,7 @@ If you just want to try this repo out for experimenting and learning, check out If you want to deploy this repo in production, check out the following resources: -* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-production): The `examples/for-production` folder contains sample code +* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-production): The `examples/for-production` folder contains sample code optimized for direct usage in production. This is code from the [Gruntwork Reference Architecture](https://gruntwork.io/reference-architecture), and it shows you how we build an end-to-end, integrated tech stack on top of the Gruntwork Service Catalog. @@ -101,7 +101,7 @@ If you want to deploy this repo in production, check out the following resources module "lambda" { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/lambda?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/lambda?ref=v2.6.0" # ---------------------------------------------------------------------------------------------------- # REQUIRED VARIABLES @@ -254,10 +254,6 @@ module "lambda" { # with Service Accounts. iam_policy = null - # The name to use for the IAM role created for the lambda function. If null, - # default to the function name (var.name). - iam_role_name = null - # The ECR image URI containing the function's deployment package. Example: # 01234501234501.dkr.ecr.us-east-1.amazonaws.com/image_name:image_tag image_uri = null @@ -275,10 +271,6 @@ module "lambda" { # can have a maximum of 5 Layers attached to each function. layers = [] - # Time to wait after creating managed policy, to avoid AWS eventual - # consistency racing. Default: 60s. - managed_policy_waiting_time = "60s" - # The name for the alarm's associated metric. metric_name = "Errors" @@ -411,7 +403,7 @@ module "lambda" { # ------------------------------------------------------------------------------------------------------ terraform { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/lambda?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/lambda?ref=v2.6.0" } inputs = { @@ -567,10 +559,6 @@ inputs = { # with Service Accounts. iam_policy = null - # The name to use for the IAM role created for the lambda function. If null, - # default to the function name (var.name). - iam_role_name = null - # The ECR image URI containing the function's deployment package. Example: # 01234501234501.dkr.ecr.us-east-1.amazonaws.com/image_name:image_tag image_uri = null @@ -588,10 +576,6 @@ inputs = { # can have a maximum of 5 Layers attached to each function. layers = [] - # Time to wait after creating managed policy, to avoid AWS eventual - # consistency racing. Default: 60s. - managed_policy_waiting_time = "60s" - # The name for the alarm's associated metric. metric_name = "Errors" @@ -1041,15 +1025,6 @@ map(object({ - - - -The name to use for the IAM role created for the lambda function. If null, default to the function name (name). - - - - - @@ -1086,15 +1061,6 @@ The list of Lambda Layer Version ARNs to attach to your Lambda Function. You can - - - -Time to wait after creating managed policy, to avoid AWS eventual consistency racing. Default: 60s. - - - - - @@ -1457,11 +1423,11 @@ Latest published version of your Lambda Function diff --git a/docs/reference/services/app-orchestration/public-static-website.md b/docs/reference/services/app-orchestration/public-static-website.md index 7614f6e11..2462a11b4 100644 --- a/docs/reference/services/app-orchestration/public-static-website.md +++ b/docs/reference/services/app-orchestration/public-static-website.md @@ -16,11 +16,11 @@ import TabItem from '@theme/TabItem'; import VersionBadge from '../../../../src/components/VersionBadge.tsx'; import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../src/components/HclListItem.tsx'; - + # Public Static Website -View Source +View Source Release Notes @@ -60,7 +60,7 @@ If you’ve never used the Service Catalog before, make sure to read ### Core concepts This module deploys a public website, so the S3 bucket and objects with it are readable by the public. It also is -hosted in a Public Hosted Zone in Route 53. You may provide a `hosted_zone_id` in [variables](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/modules/services/public-static-website/variables.tf), +hosted in a Public Hosted Zone in Route 53. You may provide a `hosted_zone_id` in [variables](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/modules/services/public-static-website/variables.tf), or you may provide the `base_domain_name` associated with your Public Hosted Zone in Route 53, optionally along with any tags that must match that zone in `base_domain_name_tags`. If you do the latter, this module will find the hosted zone id for you. @@ -71,17 +71,17 @@ website, and how to configure SSL, check out the documentation for the and [s3-cloudfront](https://github.com/gruntwork-io/terraform-aws-static-assets/tree/master/modules/s3-cloudfront) modules. -* [Quick Start](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/modules/services/public-static-website/core-concepts.md#quick-start) +* [Quick Start](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/modules/services/public-static-website/core-concepts.md#quick-start) * [How to test the website](https://github.com/gruntwork-io/terraform-aws-static-assets/blob/master/modules/s3-static-website/core-concepts.md#how-to-test-the-website) -* [How to configure HTTPS (SSL) or a CDN?](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/modules/services/public-static-website/core-concepts.md#how-to-configure-https-ssl-or-a-cdn) +* [How to configure HTTPS (SSL) or a CDN?](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/modules/services/public-static-website/core-concepts.md#how-to-configure-https-ssl-or-a-cdn) * [How to handle www + root domains](https://github.com/gruntwork-io/terraform-aws-static-assets/blob/master/modules/s3-static-website/core-concepts.md#how-do-i-handle-www—root-domains) * [How do I configure Cross Origin Resource Sharing (CORS)?](https://github.com/gruntwork-io/terraform-aws-static-assets/blob/master/modules/s3-static-website/core-concepts.md#how-do-i-configure-cross-origin-resource-sharing-cors) ### Repo organization -* [modules](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/modules): the main implementation code for this repo, broken down into multiple standalone, orthogonal submodules. -* [examples](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples): This folder contains working examples of how to use the submodules. -* [test](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/test): Automated tests for the modules and examples. +* [modules](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/modules): the main implementation code for this repo, broken down into multiple standalone, orthogonal submodules. +* [examples](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples): This folder contains working examples of how to use the submodules. +* [test](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/test): Automated tests for the modules and examples. ## Deploy @@ -89,7 +89,7 @@ modules. If you just want to try this repo out for experimenting and learning, check out the following resources: -* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-learning-and-testing): The +* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-learning-and-testing): The `examples/for-learning-and-testing` folder contains standalone sample code optimized for learning, experimenting, and testing (but not direct production usage). @@ -97,7 +97,7 @@ If you just want to try this repo out for experimenting and learning, check out If you want to deploy this repo in production, check out the following resources: -* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-learning-and-testing/services/public-static-website/example-website): +* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-learning-and-testing/services/public-static-website/example-website): The `examples/for-production` folder contains sample code optimized for direct usage in production. This is code from the [Gruntwork Reference Architecture](https://gruntwork.io/reference-architecture), and it shows you how we build an end-to-end, integrated tech stack on top of the Gruntwork Service Catalog. @@ -116,7 +116,7 @@ If you want to deploy this repo in production, check out the following resources module "public_static_website" { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/public-static-website?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/public-static-website?ref=v2.6.0" # ---------------------------------------------------------------------------------------------------- # REQUIRED VARIABLES @@ -332,7 +332,7 @@ module "public_static_website" { # ------------------------------------------------------------------------------------------------------ terraform { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/public-static-website?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/services/public-static-website?ref=v2.6.0" } inputs = { @@ -1090,11 +1090,11 @@ The ARN of the created S3 bucket associated with the website. diff --git a/docs/reference/services/ci-cd-pipeline/ecs-deploy-runner.md b/docs/reference/services/ci-cd-pipeline/ecs-deploy-runner.md index 254ceb2f3..029fc90fa 100644 --- a/docs/reference/services/ci-cd-pipeline/ecs-deploy-runner.md +++ b/docs/reference/services/ci-cd-pipeline/ecs-deploy-runner.md @@ -16,11 +16,11 @@ import TabItem from '@theme/TabItem'; import VersionBadge from '../../../../src/components/VersionBadge.tsx'; import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../src/components/HclListItem.tsx'; - + # ECS Deploy Runner -View Source +View Source Release Notes @@ -77,7 +77,7 @@ If you’ve never used the Service Catalog before, make sure to read If you just want to try this repo out for experimenting and learning, check out the following resources: -* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-learning-and-testing): The +* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-learning-and-testing): The `examples/for-learning-and-testing` folder contains standalone sample code optimized for learning, experimenting, and testing (but not direct production usage). @@ -85,7 +85,7 @@ If you just want to try this repo out for experimenting and learning, check out If you want to deploy this repo in production, check out the following resources: -* [shared account ecs-deploy-runner configuration in the for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-production/infrastructure-live/shared/us-west-2/mgmt/ecs-deploy-runner/): +* [shared account ecs-deploy-runner configuration in the for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-production/infrastructure-live/shared/us-west-2/mgmt/ecs-deploy-runner/): The `examples/for-production` folder contains sample code optimized for direct usage in production. This is code from the [Gruntwork Reference Architecture](https://gruntwork.io/reference-architecture/), and it shows you how we build an end-to-end, integrated tech stack on top of the Gruntwork Service Catalog. @@ -104,7 +104,7 @@ If you want to deploy this repo in production, check out the following resources module "ecs_deploy_runner" { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/mgmt/ecs-deploy-runner?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/mgmt/ecs-deploy-runner?ref=v2.6.0" # ---------------------------------------------------------------------------------------------------- # REQUIRED VARIABLES @@ -440,7 +440,7 @@ module "ecs_deploy_runner" { # ------------------------------------------------------------------------------------------------------ terraform { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/mgmt/ecs-deploy-runner?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/mgmt/ecs-deploy-runner?ref=v2.6.0" } inputs = { @@ -2541,11 +2541,11 @@ Security Group ID of the ECS task diff --git a/docs/reference/services/ci-cd-pipeline/jenkins.md b/docs/reference/services/ci-cd-pipeline/jenkins.md index 6c9bbff1b..31a92009a 100644 --- a/docs/reference/services/ci-cd-pipeline/jenkins.md +++ b/docs/reference/services/ci-cd-pipeline/jenkins.md @@ -16,11 +16,11 @@ import TabItem from '@theme/TabItem'; import VersionBadge from '../../../../src/components/VersionBadge.tsx'; import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../src/components/HclListItem.tsx'; - + # Jenkins CI Server -View Source +View Source Release Notes @@ -68,7 +68,7 @@ If you’ve never used the Service Catalog before, make sure to read If you just want to try this repo out for experimenting and learning, check out the following resources: -* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-learning-and-testing): The +* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-learning-and-testing): The `examples/for-learning-and-testing` folder contains standalone sample code optimized for learning, experimenting, and testing (but not direct production usage). @@ -76,7 +76,7 @@ If you just want to try this repo out for experimenting and learning, check out If you want to deploy this repo in production, check out the following resources: -* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-production): The `examples/for-production` folder contains sample code +* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-production): The `examples/for-production` folder contains sample code optimized for direct usage in production. This is code from the [Gruntwork Reference Architecture](https://gruntwork.io/reference-architecture), and it shows you how we build an end-to-end, integrated tech stack on top of the Gruntwork Service Catalog. @@ -98,7 +98,7 @@ If you want to deploy this repo in production, check out the following resources module "jenkins" { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/mgmt/jenkins?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/mgmt/jenkins?ref=v2.6.0" # ---------------------------------------------------------------------------------------------------- # REQUIRED VARIABLES @@ -452,7 +452,7 @@ module "jenkins" { # ------------------------------------------------------------------------------------------------------ terraform { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/mgmt/jenkins?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/mgmt/jenkins?ref=v2.6.0" } inputs = { @@ -1644,11 +1644,11 @@ The ID of the Security Group attached to the Jenkins EC2 Instance diff --git a/docs/reference/services/data-storage/amazon-aurora.md b/docs/reference/services/data-storage/amazon-aurora.md index d93564459..3012097e3 100644 --- a/docs/reference/services/data-storage/amazon-aurora.md +++ b/docs/reference/services/data-storage/amazon-aurora.md @@ -16,11 +16,11 @@ import TabItem from '@theme/TabItem'; import VersionBadge from '../../../../src/components/VersionBadge.tsx'; import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../src/components/HclListItem.tsx'; - + # Amazon Aurora -View Source +View Source Release Notes @@ -71,7 +71,7 @@ If you’ve never used the Service Catalog before, make sure to read If you just want to try this repo out for experimenting and learning, check out the following resources: -* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-learning-and-testing): The +* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-learning-and-testing): The `examples/for-learning-and-testing` folder contains standalone sample code optimized for learning, experimenting, and testing (but not direct production usage). @@ -79,7 +79,7 @@ If you just want to try this repo out for experimenting and learning, check out If you want to deploy this repo in production, check out the following resources: -* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-production): The `examples/for-production` folder contains sample code +* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-production): The `examples/for-production` folder contains sample code optimized for direct usage in production. This is code from the [Gruntwork Reference Architecture](https://gruntwork.io/reference-architecture/), and it shows you how we build an end-to-end, integrated tech stack on top of the Gruntwork Service Catalog. @@ -102,7 +102,7 @@ If you want to deploy this repo in production, check out the following resources module "aurora" { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/data-stores/aurora?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/data-stores/aurora?ref=v2.6.0" # ---------------------------------------------------------------------------------------------------- # REQUIRED VARIABLES @@ -135,12 +135,6 @@ module "aurora" { # database to be reachable. allow_connections_from_cidr_blocks = [] - # The list of IPv6 CIDR blocks to allow network access to Aurora from for - # dual-stack configurations. In the standard Gruntwork VPC setup with - # dual-stack enabled, these should be the IPv6 CIDR blocks of the private app - # subnets, plus the private subnets in the mgmt VPC. - allow_connections_from_ipv6_cidr_blocks = [] - # The list of IDs or Security Groups to allow network access to Aurora from. # All security groups must either be in the VPC specified by var.vpc_id, or a # peered VPC with the VPC specified by var.vpc_id. One of @@ -162,45 +156,23 @@ module "aurora" { # the engine is allowed. Default value is true. auto_minor_version_upgrade = true - # The number of days to retain recovery points in the destination backup vault - # before automatic deletion. Only used if var.backup_destination_vault_arn is - # set. - backup_destination_retention_days = 90 + # How often, in seconds, the backup job is expected to run. This is the same + # as var.schedule_expression, but unfortunately, Terraform offers no way to + # convert rate expressions to seconds. We add a CloudWatch alarm that triggers + # if the metric in var.create_snapshot_cloudwatch_metric_namespace isn't + # updated within this time period, as that indicates the backup failed to run. + backup_job_alarm_period = 3600 - # The ARN of a destination backup vault for cross-account or cross-region - # copies. If null, no cross-account copy is configured. - backup_destination_vault_arn = null + # Sets how the backup job alarm should handle entering the INSUFFICIENT_DATA + # state. Based on + # https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data. + # Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'. + backup_job_alarm_treat_missing_data = "missing" # How many days to keep backup snapshots around before cleaning them up. Max: # 35 backup_retention_period = 30 - # A CRON expression specifying when AWS Backup should run the backup job (e.g. - # cron(0 0 * * ? *) for daily at midnight UTC). Required if var.enable_backup - # is true. - backup_schedule = null - - # The name of the IAM service role for AWS Backup. Defaults to - # '-backup-service-role' if not specified. - backup_service_role_name = null - - # The number of days to retain recovery points in the source backup vault - # before automatic deletion. - backup_source_retention_days = 30 - - # The ARN of a KMS key used to encrypt the backup vault. If null, the default - # AWS Backup encryption will be used. - backup_vault_kms_key_arn = null - - # The name of the AWS Backup vault to create. Defaults to - # '-backup-vault' if not specified. - backup_vault_name = null - - # An optional vault access policy to attach to the backup vault. Useful for - # granting cross-account access. Set to null to skip. See the backup-vault - # module for the expected structure. - backup_vault_policy = null - # The Certificate Authority (CA) certificate bundle to use on the Aurora DB # instances. Possible values: rds-ca-2019 (default if nothing is specified), # rds-ca-rsa2048-g1, rds-ca-rsa4096-g1, rds-ca-ecc384-g1. @@ -211,6 +183,13 @@ module "aurora" { # IAM roles. cluster_iam_roles = [] + # The interval, in seconds, between points when Enhanced Monitoring metrics + # are collected for the cluster instances. To disable collecting Enhanced + # Monitoring metrics, specify 0. Allowed values: 0, 1, 5, 15, 30, 60. Enhanced + # Monitoring metrics are useful when you want to see how different processes + # or threads on a DB instance use the CPU. + cluster_monitoring_interval = null + # Specifies whether cluster level Performance Insights is enabled or not. On # Aurora MySQL, Performance Insights is not supported on db.t2 or db.t3 DB # instance classes. @@ -232,6 +211,12 @@ module "aurora" { # the RDS endpoints. create_route53_entry = false + # The namespace to use for the CloudWatch metric we report every time a new + # RDS snapshot is created. We add a CloudWatch alarm on this metric to notify + # us if the backup job fails to run for any reason. Defaults to the cluster + # name. + create_snapshot_cloudwatch_metric_namespace = null + # A map of custom tags to apply to the RDS cluster and all associated # resources created for it. The key is the tag name and the value is the tag # value. @@ -296,28 +281,26 @@ module "aurora" { # value in db_config_secrets_manager_id. db_name = null - # If true, delete all automated backups when the DB cluster is deleted. If - # false, automated backups are retained until the retention period expires. - # Defaults to true. - delete_automated_backups = null - - # If set to true, create an AWS Backup vault and plan to periodically back up - # the Aurora DB. Supports optional cross-account copy via - # var.backup_destination_vault_arn. - enable_backup = false - # Set to true to enable several basic CloudWatch alarms around CPU usage, # memory usage, and disk space usage. If set to true, make sure to specify SNS # topics to send notifications to using var.alarms_sns_topic_arn. enable_cloudwatch_alarms = true + # When true, enable CloudWatch metrics for the manual snapshots created for + # the purpose of sharing with another account. + enable_cloudwatch_metrics = true + # Enable deletion protection on the database instance. If this is enabled, the # database cannot be deleted. enable_deletion_protection = false - # If true, enables the HTTP endpoint used for Data API. Only valid when - # engine_mode is set to serverless. - enable_http_endpoint = null + # Whether to enable global write forwarding on this Aurora cluster. When + # enabled on a secondary cluster in a global database, write SQL statements + # are forwarded to the primary cluster. Only applies to secondary clusters; + # setting this on the primary cluster has no effect. Supported on Aurora MySQL + # version 2.08.1+. See + # https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-global-database-write-forwarding.html + enable_global_write_forwarding = null # Set to true to enable alarms related to performance, such as read and write # latency alarms. Set to false to disable those alarms if you aren't sure what @@ -325,6 +308,11 @@ module "aurora" { # too unpredictable. enable_perf_alarms = true + # When true, enable CloudWatch alarms for the manual snapshots created for the + # purpose of sharing with another account. Only used if + # var.share_snapshot_with_another_account is true. + enable_share_snapshot_cloudwatch_alarms = true + # If non-empty, the Aurora cluster will export the specified logs to # Cloudwatch. Must be zero or more of: audit, error, general and slowquery enabled_cloudwatch_logs_exports = [] @@ -336,11 +324,7 @@ module "aurora" { # value here overrides the value in db_config_secrets_manager_id. engine = null - # The DB engine mode of the DB cluster: either provisioned or serverless. Note - # that serverless (v1) is deprecated and no longer available for new clusters. - # For Aurora Serverless v2, use provisioned with - # scaling_configuration_min_capacity_V2 and - # scaling_configuration_max_capacity_V2. + # The version of aurora to run - provisioned or serverless. engine_mode = "provisioned" # The Amazon Aurora DB engine version for the selected engine and engine_mode. @@ -508,11 +492,6 @@ module "aurora" { # https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_PIT.html restore_source_cluster_identifier = null - # Only used if 'restore_source_cluster_identifier' is non-empty. Date and time - # in UTC format to restore the database cluster to (e.g, - # 2009-09-07T23:45:00Z). When null, the latest restorable time will be used. - restore_to_time = null - # Only used if 'restore_source_cluster_identifier' is non-empty. Type of # restore to be performed. Valid options are 'full-copy' and 'copy-on-write'. # https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.Managing.Clone.html @@ -544,6 +523,26 @@ module "aurora" { # is set to serverless. scaling_configuration_seconds_until_auto_pause = 300 + # The maximum number of snapshots to keep around for the purpose of cross + # account sharing. Once this number is exceeded, a lambda function will delete + # the oldest snapshots. Only used if var.share_snapshot_with_another_account + # is true. + share_snapshot_max_snapshots = 30 + + # An expression that defines how often to run the lambda function to take + # snapshots for the purpose of cross account sharing. For example, cron(0 20 * + # * ? *) or rate(5 minutes). Required if + # var.share_snapshot_with_another_account is true + share_snapshot_schedule_expression = null + + # The ID of the AWS Account that the snapshot should be shared with. Required + # if var.share_snapshot_with_another_account is true. + share_snapshot_with_account_id = null + + # If set to true, take periodic snapshots of the Aurora DB that should be + # shared with another account. + share_snapshot_with_another_account = false + # Determines whether a final DB snapshot is created before the DB instance is # deleted. Be very careful setting this to true; if you do, and you delete # this DB instance, you will not have any backups of the data! You almost @@ -585,7 +584,7 @@ module "aurora" { # ------------------------------------------------------------------------------------------------------ terraform { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/data-stores/aurora?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/data-stores/aurora?ref=v2.6.0" } inputs = { @@ -621,12 +620,6 @@ inputs = { # database to be reachable. allow_connections_from_cidr_blocks = [] - # The list of IPv6 CIDR blocks to allow network access to Aurora from for - # dual-stack configurations. In the standard Gruntwork VPC setup with - # dual-stack enabled, these should be the IPv6 CIDR blocks of the private app - # subnets, plus the private subnets in the mgmt VPC. - allow_connections_from_ipv6_cidr_blocks = [] - # The list of IDs or Security Groups to allow network access to Aurora from. # All security groups must either be in the VPC specified by var.vpc_id, or a # peered VPC with the VPC specified by var.vpc_id. One of @@ -648,45 +641,23 @@ inputs = { # the engine is allowed. Default value is true. auto_minor_version_upgrade = true - # The number of days to retain recovery points in the destination backup vault - # before automatic deletion. Only used if var.backup_destination_vault_arn is - # set. - backup_destination_retention_days = 90 + # How often, in seconds, the backup job is expected to run. This is the same + # as var.schedule_expression, but unfortunately, Terraform offers no way to + # convert rate expressions to seconds. We add a CloudWatch alarm that triggers + # if the metric in var.create_snapshot_cloudwatch_metric_namespace isn't + # updated within this time period, as that indicates the backup failed to run. + backup_job_alarm_period = 3600 - # The ARN of a destination backup vault for cross-account or cross-region - # copies. If null, no cross-account copy is configured. - backup_destination_vault_arn = null + # Sets how the backup job alarm should handle entering the INSUFFICIENT_DATA + # state. Based on + # https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data. + # Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'. + backup_job_alarm_treat_missing_data = "missing" # How many days to keep backup snapshots around before cleaning them up. Max: # 35 backup_retention_period = 30 - # A CRON expression specifying when AWS Backup should run the backup job (e.g. - # cron(0 0 * * ? *) for daily at midnight UTC). Required if var.enable_backup - # is true. - backup_schedule = null - - # The name of the IAM service role for AWS Backup. Defaults to - # '-backup-service-role' if not specified. - backup_service_role_name = null - - # The number of days to retain recovery points in the source backup vault - # before automatic deletion. - backup_source_retention_days = 30 - - # The ARN of a KMS key used to encrypt the backup vault. If null, the default - # AWS Backup encryption will be used. - backup_vault_kms_key_arn = null - - # The name of the AWS Backup vault to create. Defaults to - # '-backup-vault' if not specified. - backup_vault_name = null - - # An optional vault access policy to attach to the backup vault. Useful for - # granting cross-account access. Set to null to skip. See the backup-vault - # module for the expected structure. - backup_vault_policy = null - # The Certificate Authority (CA) certificate bundle to use on the Aurora DB # instances. Possible values: rds-ca-2019 (default if nothing is specified), # rds-ca-rsa2048-g1, rds-ca-rsa4096-g1, rds-ca-ecc384-g1. @@ -697,6 +668,13 @@ inputs = { # IAM roles. cluster_iam_roles = [] + # The interval, in seconds, between points when Enhanced Monitoring metrics + # are collected for the cluster instances. To disable collecting Enhanced + # Monitoring metrics, specify 0. Allowed values: 0, 1, 5, 15, 30, 60. Enhanced + # Monitoring metrics are useful when you want to see how different processes + # or threads on a DB instance use the CPU. + cluster_monitoring_interval = null + # Specifies whether cluster level Performance Insights is enabled or not. On # Aurora MySQL, Performance Insights is not supported on db.t2 or db.t3 DB # instance classes. @@ -718,6 +696,12 @@ inputs = { # the RDS endpoints. create_route53_entry = false + # The namespace to use for the CloudWatch metric we report every time a new + # RDS snapshot is created. We add a CloudWatch alarm on this metric to notify + # us if the backup job fails to run for any reason. Defaults to the cluster + # name. + create_snapshot_cloudwatch_metric_namespace = null + # A map of custom tags to apply to the RDS cluster and all associated # resources created for it. The key is the tag name and the value is the tag # value. @@ -782,28 +766,26 @@ inputs = { # value in db_config_secrets_manager_id. db_name = null - # If true, delete all automated backups when the DB cluster is deleted. If - # false, automated backups are retained until the retention period expires. - # Defaults to true. - delete_automated_backups = null - - # If set to true, create an AWS Backup vault and plan to periodically back up - # the Aurora DB. Supports optional cross-account copy via - # var.backup_destination_vault_arn. - enable_backup = false - # Set to true to enable several basic CloudWatch alarms around CPU usage, # memory usage, and disk space usage. If set to true, make sure to specify SNS # topics to send notifications to using var.alarms_sns_topic_arn. enable_cloudwatch_alarms = true + # When true, enable CloudWatch metrics for the manual snapshots created for + # the purpose of sharing with another account. + enable_cloudwatch_metrics = true + # Enable deletion protection on the database instance. If this is enabled, the # database cannot be deleted. enable_deletion_protection = false - # If true, enables the HTTP endpoint used for Data API. Only valid when - # engine_mode is set to serverless. - enable_http_endpoint = null + # Whether to enable global write forwarding on this Aurora cluster. When + # enabled on a secondary cluster in a global database, write SQL statements + # are forwarded to the primary cluster. Only applies to secondary clusters; + # setting this on the primary cluster has no effect. Supported on Aurora MySQL + # version 2.08.1+. See + # https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-global-database-write-forwarding.html + enable_global_write_forwarding = null # Set to true to enable alarms related to performance, such as read and write # latency alarms. Set to false to disable those alarms if you aren't sure what @@ -811,6 +793,11 @@ inputs = { # too unpredictable. enable_perf_alarms = true + # When true, enable CloudWatch alarms for the manual snapshots created for the + # purpose of sharing with another account. Only used if + # var.share_snapshot_with_another_account is true. + enable_share_snapshot_cloudwatch_alarms = true + # If non-empty, the Aurora cluster will export the specified logs to # Cloudwatch. Must be zero or more of: audit, error, general and slowquery enabled_cloudwatch_logs_exports = [] @@ -822,11 +809,7 @@ inputs = { # value here overrides the value in db_config_secrets_manager_id. engine = null - # The DB engine mode of the DB cluster: either provisioned or serverless. Note - # that serverless (v1) is deprecated and no longer available for new clusters. - # For Aurora Serverless v2, use provisioned with - # scaling_configuration_min_capacity_V2 and - # scaling_configuration_max_capacity_V2. + # The version of aurora to run - provisioned or serverless. engine_mode = "provisioned" # The Amazon Aurora DB engine version for the selected engine and engine_mode. @@ -994,11 +977,6 @@ inputs = { # https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_PIT.html restore_source_cluster_identifier = null - # Only used if 'restore_source_cluster_identifier' is non-empty. Date and time - # in UTC format to restore the database cluster to (e.g, - # 2009-09-07T23:45:00Z). When null, the latest restorable time will be used. - restore_to_time = null - # Only used if 'restore_source_cluster_identifier' is non-empty. Type of # restore to be performed. Valid options are 'full-copy' and 'copy-on-write'. # https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.Managing.Clone.html @@ -1030,6 +1008,26 @@ inputs = { # is set to serverless. scaling_configuration_seconds_until_auto_pause = 300 + # The maximum number of snapshots to keep around for the purpose of cross + # account sharing. Once this number is exceeded, a lambda function will delete + # the oldest snapshots. Only used if var.share_snapshot_with_another_account + # is true. + share_snapshot_max_snapshots = 30 + + # An expression that defines how often to run the lambda function to take + # snapshots for the purpose of cross account sharing. For example, cron(0 20 * + # * ? *) or rate(5 minutes). Required if + # var.share_snapshot_with_another_account is true + share_snapshot_schedule_expression = null + + # The ID of the AWS Account that the snapshot should be shared with. Required + # if var.share_snapshot_with_another_account is true. + share_snapshot_with_account_id = null + + # If set to true, take periodic snapshots of the Aurora DB that should be + # shared with another account. + share_snapshot_with_another_account = false + # Determines whether a final DB snapshot is created before the DB instance is # deleted. Be very careful setting this to true; if you do, and you delete # this DB instance, you will not have any backups of the data! You almost @@ -1113,15 +1111,6 @@ The list of network CIDR blocks to allow network access to Aurora from. One of < - - - -The list of IPv6 CIDR blocks to allow network access to Aurora from for dual-stack configurations. In the standard Gruntwork VPC setup with dual-stack enabled, these should be the IPv6 CIDR blocks of the private app subnets, plus the private subnets in the mgmt VPC. - - - - - @@ -1158,112 +1147,72 @@ Configure the auto minor version upgrade behavior. This is applied to the cluste - + -The number of days to retain recovery points in the destination backup vault before automatic deletion. Only used if backup_destination_vault_arn is set. +How often, in seconds, the backup job is expected to run. This is the same as schedule_expression, but unfortunately, Terraform offers no way to convert rate expressions to seconds. We add a CloudWatch alarm that triggers if the metric in create_snapshot_cloudwatch_metric_namespace isn't updated within this time period, as that indicates the backup failed to run. - - - - - - -The ARN of a destination backup vault for cross-account or cross-region copies. If null, no cross-account copy is configured. - - - - - - - + + +
-How many days to keep backup snapshots around before cleaning them up. Max: 35 - - - +```hcl - - + Default to hourly -A CRON expression specifying when AWS Backup should run the backup job (e.g. cron(0 0 * * ? *) for daily at midnight UTC). Required if enable_backup is true. +``` +
- - + - + -The name of the IAM service role for AWS Backup. Defaults to '<name>-backup-service-role' if not specified. +Sets how the backup job alarm should handle entering the INSUFFICIENT_DATA state. Based on https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data. Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'. - + - + -The number of days to retain recovery points in the source backup vault before automatic deletion. +How many days to keep backup snapshots around before cleaning them up. Max: 35 - - - -The ARN of a KMS key used to encrypt the backup vault. If null, the default AWS Backup encryption will be used. - - - - - - + -The name of the AWS Backup vault to create. Defaults to '<name>-backup-vault' if not specified. +The Certificate Authority (CA) certificate bundle to use on the Aurora DB instances. Possible values: rds-ca-2019 (default if nothing is specified), rds-ca-rsa2048-g1, rds-ca-rsa4096-g1, rds-ca-ecc384-g1. - + -An optional vault access policy to attach to the backup vault. Useful for granting cross-account access. Set to null to skip. See the backup-vault module for the expected structure. +List of IAM role ARNs to attach to the cluster. Be sure these roles exists. They will not be created here. Serverless aurora does not support attaching IAM roles. - - -```hcl -Any types represent complex values of variable type. For details, please consult `variables.tf` in the source repo. -``` - - - + - + -The Certificate Authority (CA) certificate bundle to use on the Aurora DB instances. Possible values: rds-ca-2019 (default if nothing is specified), rds-ca-rsa2048-g1, rds-ca-rsa4096-g1, rds-ca-ecc384-g1. +The interval, in seconds, between points when Enhanced Monitoring metrics are collected for the cluster instances. To disable collecting Enhanced Monitoring metrics, specify 0. Allowed values: 0, 1, 5, 15, 30, 60. Enhanced Monitoring metrics are useful when you want to see how different processes or threads on a DB instance use the CPU. - - - -List of IAM role ARNs to attach to the cluster. Be sure these roles exists. They will not be created here. Serverless aurora does not support attaching IAM roles. - - - - - @@ -1309,6 +1258,15 @@ Set to true if you want a DNS record automatically created and pointed at the RD + + + +The namespace to use for the CloudWatch metric we report every time a new RDS snapshot is created. We add a CloudWatch alarm on this metric to notify us if the backup job fails to run for any reason. Defaults to the cluster name. + + + + + @@ -1779,28 +1737,19 @@ The name for your database of up to 8 alpha-numeric characters. If you do not pr - - - -If true, delete all automated backups when the DB cluster is deleted. If false, automated backups are retained until the retention period expires. Defaults to true. - - - - - - + -If set to true, create an AWS Backup vault and plan to periodically back up the Aurora DB. Supports optional cross-account copy via backup_destination_vault_arn. +Set to true to enable several basic CloudWatch alarms around CPU usage, memory usage, and disk space usage. If set to true, make sure to specify SNS topics to send notifications to using alarms_sns_topic_arn. - + - + -Set to true to enable several basic CloudWatch alarms around CPU usage, memory usage, and disk space usage. If set to true, make sure to specify SNS topics to send notifications to using alarms_sns_topic_arn. +When true, enable CloudWatch metrics for the manual snapshots created for the purpose of sharing with another account. @@ -1815,10 +1764,10 @@ Enable deletion protection on the database instance. If this is enabled, the dat - + -If true, enables the HTTP endpoint used for Data API. Only valid when engine_mode is set to serverless. +Whether to enable global write forwarding on this Aurora cluster. When enabled on a secondary cluster in a global database, write SQL statements are forwarded to the primary cluster. Only applies to secondary clusters; setting this on the primary cluster has no effect. Supported on Aurora MySQL version 2.08.1+. See https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-global-database-write-forwarding.html @@ -1833,6 +1782,15 @@ Set to true to enable alarms related to performance, such as read and write late + + + +When true, enable CloudWatch alarms for the manual snapshots created for the purpose of sharing with another account. Only used if share_snapshot_with_another_account is true. + + + + + @@ -1854,7 +1812,7 @@ The name of the database engine to be used for this DB cluster. Valid Values: au -The DB engine mode of the DB cluster: either provisioned or serverless. Note that serverless (v1) is deprecated and no longer available for new clusters. For Aurora Serverless v2, use provisioned with scaling_configuration_min_capacity_V2 and scaling_configuration_max_capacity_V2. +The version of aurora to run - provisioned or serverless. @@ -2221,15 +2179,6 @@ If non-empty, the Aurora cluster will be restored from the given source cluster - - - -Only used if 'restore_source_cluster_identifier' is non-empty. Date and time in UTC format to restore the database cluster to (e.g, 2009-09-07T23:45:00Z). When null, the latest restorable time will be used. - - - - - @@ -2283,6 +2232,42 @@ The time, in seconds, before an Aurora DB cluster in serverless mode is paused. + + + +The maximum number of snapshots to keep around for the purpose of cross account sharing. Once this number is exceeded, a lambda function will delete the oldest snapshots. Only used if share_snapshot_with_another_account is true. + + + + + + + + +An expression that defines how often to run the lambda function to take snapshots for the purpose of cross account sharing. For example, cron(0 20 * * ? *) or rate(5 minutes). Required if share_snapshot_with_another_account is true + + + + + + + + +The ID of the AWS Account that the snapshot should be shared with. Required if share_snapshot_with_another_account is true. + + + + + + + + +If set to true, take periodic snapshots of the Aurora DB that should be shared with another account. + + + + + @@ -2343,26 +2328,10 @@ A list of all the CloudWatch Dashboard metric widgets available in this module. - + -A list of ARNs of the AWS Backup plans created. Only populated if enable_backup is true. - - - - - - - -The ARN of the IAM service role used by AWS Backup. - - - - - - - -A map of backup vault names to their ARNs. Only populated if enable_backup is true. +The ARN of the AWS Lambda Function used for cleaning up manual snapshots taken for sharing with secondary accounts. @@ -2399,6 +2368,14 @@ The unique resource ID assigned to the cluster e.g. cluster-POBCBQUFQC56EBAAWXGF + + + +The ARN of the AWS Lambda Function used for periodically taking snapshots to share with secondary accounts. + + + + @@ -2495,17 +2472,25 @@ ID of security group created by aurora module. + + + +The ARN of the AWS Lambda Function used for sharing manual snapshots with secondary accounts. + + + + diff --git a/docs/reference/services/data-storage/amazon-ecr-repositories.md b/docs/reference/services/data-storage/amazon-ecr-repositories.md index 0de07185c..e8c0e33df 100644 --- a/docs/reference/services/data-storage/amazon-ecr-repositories.md +++ b/docs/reference/services/data-storage/amazon-ecr-repositories.md @@ -16,11 +16,11 @@ import TabItem from '@theme/TabItem'; import VersionBadge from '../../../../src/components/VersionBadge.tsx'; import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../src/components/HclListItem.tsx'; - + # Amazon ECR Repositories -View Source +View Source Release Notes @@ -60,7 +60,7 @@ If you’ve never used the Service Catalog before, make sure to read If you just want to try this repo out for experimenting and learning, check out the following resources: -* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-learning-and-testing): The +* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-learning-and-testing): The `examples/for-learning-and-testing` folder contains standalone sample code optimized for learning, experimenting, and testing (but not direct production usage). @@ -68,7 +68,7 @@ If you just want to try this repo out for experimenting and learning, check out If you want to deploy this repo in production, check out the following resources: -* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-production): The `examples/for-production` folder contains sample code +* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-production): The `examples/for-production` folder contains sample code optimized for direct usage in production. This is code from the [Gruntwork Reference Architecture](https://gruntwork.io/reference-architecture/), and it shows you how we build an end-to-end, integrated tech stack on top of the Gruntwork Service Catalog. @@ -87,7 +87,7 @@ If you want to deploy this repo in production, check out the following resources module "ecr_repos" { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/data-stores/ecr-repos?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/data-stores/ecr-repos?ref=v2.6.0" # ---------------------------------------------------------------------------------------------------- # REQUIRED VARIABLES @@ -179,7 +179,7 @@ module "ecr_repos" { # ------------------------------------------------------------------------------------------------------ terraform { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/data-stores/ecr-repos?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/data-stores/ecr-repos?ref=v2.6.0" } inputs = { @@ -562,11 +562,11 @@ A list of IAM policy actions necessary for ECR write access. diff --git a/docs/reference/services/data-storage/amazon-elasti-cache-for-memcached.md b/docs/reference/services/data-storage/amazon-elasti-cache-for-memcached.md index 9c89d99be..1141d5466 100644 --- a/docs/reference/services/data-storage/amazon-elasti-cache-for-memcached.md +++ b/docs/reference/services/data-storage/amazon-elasti-cache-for-memcached.md @@ -16,11 +16,11 @@ import TabItem from '@theme/TabItem'; import VersionBadge from '../../../../src/components/VersionBadge.tsx'; import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../src/components/HclListItem.tsx'; - + # Amazon ElastiCache for Memcached -View Source +View Source Release Notes @@ -64,7 +64,7 @@ If you’ve never used the Service Catalog before, make sure to read If you just want to try this repo out for experimenting and learning, check out the following resources: -* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-learning-and-testing): The +* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-learning-and-testing): The `examples/for-learning-and-testing` folder contains standalone sample code optimized for learning, experimenting, and testing (but not direct production usage). @@ -72,7 +72,7 @@ If you just want to try this repo out for experimenting and learning, check out If you want to deploy this repo in production, check out the following resources: -* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-production): The `examples/for-production` folder contains sample code +* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-production): The `examples/for-production` folder contains sample code optimized for direct usage in production. This is code from the [Gruntwork Reference Architecture](https://gruntwork.io/reference-architecture/), and it shows you how we build an end-to-end, integrated tech stack on top of the Gruntwork Service Catalog. @@ -91,7 +91,7 @@ If you want to deploy this repo in production, check out the following resources module "memcached" { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/data-stores/memcached?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/data-stores/memcached?ref=v2.6.0" # ---------------------------------------------------------------------------------------------------- # REQUIRED VARIABLES @@ -131,13 +131,7 @@ module "memcached" { # Based on # https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data. # Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'. - alarm_high_cpu_utilization_treat_missing_data = "missing" - - # Sets how this alarm should handle entering the INSUFFICIENT_DATA state. - # Based on - # https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data. - # Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'. - alarm_low_memory_available_treat_missing_data = "missing" + alarm_treat_missing_data = "missing" # The ARNs of SNS topics where CloudWatch alarms (e.g., for CPU, memory, and # disk space usage) should send notifications. @@ -193,7 +187,7 @@ module "memcached" { # ------------------------------------------------------------------------------------------------------ terraform { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/data-stores/memcached?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/data-stores/memcached?ref=v2.6.0" } inputs = { @@ -236,13 +230,7 @@ inputs = { # Based on # https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data. # Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'. - alarm_high_cpu_utilization_treat_missing_data = "missing" - - # Sets how this alarm should handle entering the INSUFFICIENT_DATA state. - # Based on - # https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data. - # Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'. - alarm_low_memory_available_treat_missing_data = "missing" + alarm_treat_missing_data = "missing" # The ARNs of SNS topics where CloudWatch alarms (e.g., for CPU, memory, and # disk space usage) should send notifications. @@ -351,16 +339,7 @@ The ID of the VPC in which to deploy RDS. ### Optional - - - -Sets how this alarm should handle entering the INSUFFICIENT_DATA state. Based on https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data. Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'. - - - - - - + Sets how this alarm should handle entering the INSUFFICIENT_DATA state. Based on https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data. Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'. @@ -490,11 +469,11 @@ The configuration endpoint to allow host discovery. diff --git a/docs/reference/services/data-storage/amazon-elasti-cache-for-redis.md b/docs/reference/services/data-storage/amazon-elasti-cache-for-redis.md index 2c5af85d6..34d8e1a95 100644 --- a/docs/reference/services/data-storage/amazon-elasti-cache-for-redis.md +++ b/docs/reference/services/data-storage/amazon-elasti-cache-for-redis.md @@ -16,11 +16,11 @@ import TabItem from '@theme/TabItem'; import VersionBadge from '../../../../src/components/VersionBadge.tsx'; import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../src/components/HclListItem.tsx'; - + # Amazon ElastiCache for Redis -View Source +View Source Release Notes @@ -67,7 +67,7 @@ If you’ve never used the Service Catalog before, make sure to read If you just want to try this repo out for experimenting and learning, check out the following resources: -* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-learning-and-testing): The +* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-learning-and-testing): The `examples/for-learning-and-testing` folder contains standalone sample code optimized for learning, experimenting, and testing (but not direct production usage). @@ -75,7 +75,7 @@ If you just want to try this repo out for experimenting and learning, check out If you want to deploy this repo in production, check out the following resources: -* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-production): The `examples/for-production` folder contains sample code +* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-production): The `examples/for-production` folder contains sample code optimized for direct usage in production. This is code from the [Gruntwork Reference Architecture](https://gruntwork.io/reference-architecture/), and it shows you how we build an end-to-end, integrated tech stack on top of the Gruntwork Service Catalog. @@ -94,7 +94,7 @@ If you want to deploy this repo in production, check out the following resources module "redis" { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/data-stores/redis?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/data-stores/redis?ref=v2.6.0" # ---------------------------------------------------------------------------------------------------- # REQUIRED VARIABLES @@ -135,12 +135,6 @@ module "redis" { # OPTIONAL VARIABLES # ---------------------------------------------------------------------------------------------------- - # Sets how this alarm should handle entering the INSUFFICIENT_DATA state. - # Based on - # https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data. - # Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'. - alarm_high_cpu_utilization_treat_missing_data = "missing" - # Trigger an alarm if the amount of free memory, in Bytes, on the node drops # below this threshold alarm_low_memory_available_threshold = 100000000 @@ -149,7 +143,7 @@ module "redis" { # Based on # https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data. # Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'. - alarm_low_memory_available_treat_missing_data = "missing" + alarm_treat_missing_data = "missing" # The ARNs of SNS topics where CloudWatch alarms (e.g., for CPU, memory, and # disk space usage) should send notifications. @@ -276,7 +270,7 @@ module "redis" { # ------------------------------------------------------------------------------------------------------ terraform { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/data-stores/redis?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/data-stores/redis?ref=v2.6.0" } inputs = { @@ -320,12 +314,6 @@ inputs = { # OPTIONAL VARIABLES # ---------------------------------------------------------------------------------------------------- - # Sets how this alarm should handle entering the INSUFFICIENT_DATA state. - # Based on - # https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data. - # Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'. - alarm_high_cpu_utilization_treat_missing_data = "missing" - # Trigger an alarm if the amount of free memory, in Bytes, on the node drops # below this threshold alarm_low_memory_available_threshold = 100000000 @@ -334,7 +322,7 @@ inputs = { # Based on # https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data. # Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'. - alarm_low_memory_available_treat_missing_data = "missing" + alarm_treat_missing_data = "missing" # The ARNs of SNS topics where CloudWatch alarms (e.g., for CPU, memory, and # disk space usage) should send notifications. @@ -522,15 +510,6 @@ The ID of the VPC in which to deploy RDS. ### Optional - - - -Sets how this alarm should handle entering the INSUFFICIENT_DATA state. Based on https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data. Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'. - - - - - @@ -552,7 +531,7 @@ Trigger an alarm if the amount of free memory, in Bytes, on the node drops below - + Sets how this alarm should handle entering the INSUFFICIENT_DATA state. Based on https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data. Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'. @@ -855,11 +834,11 @@ Security Group ID used for redis cluster. diff --git a/docs/reference/services/data-storage/amazon-elasticsearch.md b/docs/reference/services/data-storage/amazon-elasticsearch.md index 167f26dc3..4a8329995 100644 --- a/docs/reference/services/data-storage/amazon-elasticsearch.md +++ b/docs/reference/services/data-storage/amazon-elasticsearch.md @@ -16,11 +16,11 @@ import TabItem from '@theme/TabItem'; import VersionBadge from '../../../../src/components/VersionBadge.tsx'; import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../src/components/HclListItem.tsx'; - + # Amazon Elasticsearch Service -View Source +View Source Release Notes @@ -63,7 +63,7 @@ If you’ve never used the Service Catalog before, make sure to read If you just want to try this repo out for experimenting and learning, check out the following resources: -* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-learning-and-testing): The +* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-learning-and-testing): The `examples/for-learning-and-testing` folder contains standalone sample code optimized for learning, experimenting, and testing (but not direct production usage). @@ -76,7 +76,7 @@ If you just want to try this repo out for experimenting and learning, check out If you want to deploy this repo in production, check out the following resources: -* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-production): The `examples/for-production` folder contains sample code +* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-production): The `examples/for-production` folder contains sample code optimized for direct usage in production. This is code from the [Gruntwork Reference Architecture](https://gruntwork.io/reference-architecture/), and it shows you how we build an end-to-end, integrated tech stack on top of the Gruntwork Service Catalog. @@ -101,7 +101,7 @@ If you want to deploy this repo in production, check out the following resources module "elasticsearch" { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/data-stores/elasticsearch?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/data-stores/elasticsearch?ref=v2.6.0" # ---------------------------------------------------------------------------------------------------- # REQUIRED VARIABLES @@ -128,7 +128,7 @@ module "elasticsearch" { volume_size = # The type of EBS volumes to use in the cluster. Must be one of: standard, - # gp2, gp3, io1, sc1, or st1. For a comparison of EBS volume types, see + # gp2, io1, sc1, or st1. For a comparison of EBS volume types, see # https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ebs-volume-types.html. volume_type = @@ -345,7 +345,8 @@ module "elasticsearch" { internal_user_database_enabled = false # The baseline input/output (I/O) performance of EBS volumes attached to data - # nodes. Applicable only if var.volume_type is gp3 or io1. + # nodes. Must be between 1000 and 4000. Applicable only if var.volume_type is + # io1. iops = null # Whether the cluster is publicly accessible. @@ -437,10 +438,6 @@ module "elasticsearch" { # first one is used. subnet_ids = [] - # The throughput (in MiB/s) of EBS volumes attached to data nodes. Valid - # values are between 125 and 1000. Applicable only if var.volume_type is gp3. - throughput = null - # The name of the TLS security policy that needs to be applied to the HTTPS # endpoint. Valid values are Policy-Min-TLS-1-0-2019-07 and # Policy-Min-TLS-1-2-2019-07. Terraform performs drift detection if this is @@ -478,7 +475,7 @@ module "elasticsearch" { # ------------------------------------------------------------------------------------------------------ terraform { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/data-stores/elasticsearch?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/data-stores/elasticsearch?ref=v2.6.0" } inputs = { @@ -508,7 +505,7 @@ inputs = { volume_size = # The type of EBS volumes to use in the cluster. Must be one of: standard, - # gp2, gp3, io1, sc1, or st1. For a comparison of EBS volume types, see + # gp2, io1, sc1, or st1. For a comparison of EBS volume types, see # https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ebs-volume-types.html. volume_type = @@ -725,7 +722,8 @@ inputs = { internal_user_database_enabled = false # The baseline input/output (I/O) performance of EBS volumes attached to data - # nodes. Applicable only if var.volume_type is gp3 or io1. + # nodes. Must be between 1000 and 4000. Applicable only if var.volume_type is + # io1. iops = null # Whether the cluster is publicly accessible. @@ -817,10 +815,6 @@ inputs = { # first one is used. subnet_ids = [] - # The throughput (in MiB/s) of EBS volumes attached to data nodes. Valid - # values are between 125 and 1000. Applicable only if var.volume_type is gp3. - throughput = null - # The name of the TLS security policy that needs to be applied to the HTTPS # endpoint. Valid values are Policy-Min-TLS-1-0-2019-07 and # Policy-Min-TLS-1-2-2019-07. Terraform performs drift detection if this is @@ -891,7 +885,7 @@ The size in GiB of the EBS volume for each node in the cluster (e.g. 10, or 512) -The type of EBS volumes to use in the cluster. Must be one of: standard, gp2, gp3, io1, sc1, or st1. For a comparison of EBS volume types, see https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ebs-volume-types.html. +The type of EBS volumes to use in the cluster. Must be one of: standard, gp2, io1, sc1, or st1. For a comparison of EBS volume types, see https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ebs-volume-types.html. @@ -1314,7 +1308,7 @@ Whether the internal user database is enabled. Enable this to use master account -The baseline input/output (I/O) performance of EBS volumes attached to data nodes. Applicable only if volume_type is gp3 or io1. +The baseline input/output (I/O) performance of EBS volumes attached to data nodes. Must be between 1000 and 4000. Applicable only if volume_type is io1. @@ -1500,15 +1494,6 @@ Sets how this alarm should handle entering the INSUFFICIENT_DATA state. Based on - - - -The throughput (in MiB/s) of EBS volumes attached to data nodes. Valid values are between 125 and 1000. Applicable only if volume_type is gp3. - - - - - @@ -1593,11 +1578,11 @@ Domain-specific endpoint for Kibana without https scheme. diff --git a/docs/reference/services/data-storage/amazon-rds-replica.md b/docs/reference/services/data-storage/amazon-rds-replica.md index 1dc03d343..30dca59e2 100644 --- a/docs/reference/services/data-storage/amazon-rds-replica.md +++ b/docs/reference/services/data-storage/amazon-rds-replica.md @@ -16,13 +16,13 @@ import TabItem from '@theme/TabItem'; import VersionBadge from '../../../../src/components/VersionBadge.tsx'; import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../src/components/HclListItem.tsx'; - + # RDS Read Replicas Module This module creates a read replica (read-only copy) of a DB instance. -View Source +View Source Release Notes @@ -48,7 +48,7 @@ This module creates a read replica (read-only copy) of a DB instance. module "rds_replica" { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/data-stores/rds-replica?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/data-stores/rds-replica?ref=v2.6.0" # ---------------------------------------------------------------------------------------------------- # REQUIRED VARIABLES @@ -80,11 +80,6 @@ module "rds_replica" { # database to be reachable. allow_connections_from_cidr_blocks = [] - # The list of IPv6 CIDR blocks to allow network access to RDS read replicas - # from for dual-stack configurations. If not set, read replica instances will - # use the same security group as the master instance. - allow_connections_from_ipv6_cidr_blocks = [] - # The list of IDs or Security Groups to allow network access to RDS from. All # security groups must either be in the VPC specified by var.vpc_id, or a # peered VPC with the VPC specified by var.vpc_id. One of @@ -355,7 +350,7 @@ module "rds_replica" { # ------------------------------------------------------------------------------------------------------ terraform { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/data-stores/rds-replica?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/data-stores/rds-replica?ref=v2.6.0" } inputs = { @@ -390,11 +385,6 @@ inputs = { # database to be reachable. allow_connections_from_cidr_blocks = [] - # The list of IPv6 CIDR blocks to allow network access to RDS read replicas - # from for dual-stack configurations. If not set, read replica instances will - # use the same security group as the master instance. - allow_connections_from_ipv6_cidr_blocks = [] - # The list of IDs or Security Groups to allow network access to RDS from. All # security groups must either be in the VPC specified by var.vpc_id, or a # peered VPC with the VPC specified by var.vpc_id. One of @@ -712,15 +702,6 @@ The list of network CIDR blocks to allow network access to RDS from. One of - - - -The list of IPv6 CIDR blocks to allow network access to RDS read replicas from for dual-stack configurations. If not set, read replica instances will use the same security group as the master instance. - - - - - @@ -1687,11 +1668,11 @@ A list of IDs of the RDS DB instance's read replicas. diff --git a/docs/reference/services/data-storage/amazon-rds.md b/docs/reference/services/data-storage/amazon-rds.md index 249c2ca27..833633a0c 100644 --- a/docs/reference/services/data-storage/amazon-rds.md +++ b/docs/reference/services/data-storage/amazon-rds.md @@ -16,11 +16,11 @@ import TabItem from '@theme/TabItem'; import VersionBadge from '../../../../src/components/VersionBadge.tsx'; import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../src/components/HclListItem.tsx'; - + # Amazon Relational Database Service -View Source +View Source Release Notes @@ -69,7 +69,7 @@ If you’ve never used the Service Catalog before, make sure to read If you just want to try this repo out for experimenting and learning, check out the following resources: -* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-learning-and-testing): The +* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-learning-and-testing): The `examples/for-learning-and-testing` folder contains standalone sample code optimized for learning, experimenting, and testing (but not direct production usage). @@ -77,12 +77,12 @@ If you just want to try this repo out for experimenting and learning, check out If you want to deploy this repo in production, check out the following resources: -* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-production): The `examples/for-production` folder contains sample code +* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-production): The `examples/for-production` folder contains sample code optimized for direct usage in production. This is code from the [Gruntwork Reference Architecture](https://gruntwork.io/reference-architecture/), and it shows you how we build an end-to-end, integrated tech stack on top of the Gruntwork Service Catalog. -* [How do I pass database configuration securely?](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/modules/data-stores/rds/core-concepts.md#how-do-i-pass-database-configuration-securely) +* [How do I pass database configuration securely?](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/modules/data-stores/rds/core-concepts.md#how-do-i-pass-database-configuration-securely) ## Sample Usage @@ -103,7 +103,7 @@ If you want to deploy this repo in production, check out the following resources module "rds" { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/data-stores/rds?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/data-stores/rds?ref=v2.6.0" # ---------------------------------------------------------------------------------------------------- # REQUIRED VARIABLES @@ -142,16 +142,6 @@ module "rds" { # database to be reachable. allow_connections_from_cidr_blocks = [] - # The list of IPv6 CIDR blocks to allow network access to RDS from for - # dual-stack configurations. Should typically be the IPv6 CIDR blocks of the - # private app subnet in this VPC plus the private subnet in the mgmt VPC. - allow_connections_from_ipv6_cidr_blocks = [] - - # The list of IPv6 CIDR blocks to allow network access to RDS read replicas - # from for dual-stack configurations. If not set, read replica instances will - # use the same security group as the master instance. - allow_connections_from_ipv6_cidr_blocks_to_read_replicas = [] - # The list of IDs or Security Groups to allow network access to RDS from. All # security groups must either be in the VPC specified by var.vpc_id, or a # peered VPC with the VPC specified by var.vpc_id. One of @@ -192,45 +182,23 @@ module "rds" { # if not specified. aws_db_security_group_name = null - # The number of days to retain recovery points in the destination backup vault - # before automatic deletion. Only used if var.backup_destination_vault_arn is - # set. - backup_destination_retention_days = 90 + # How often, in seconds, the backup job is expected to run. This is the same + # as var.schedule_expression, but unfortunately, Terraform offers no way to + # convert rate expressions to seconds. We add a CloudWatch alarm that triggers + # if the metric in var.create_snapshot_cloudwatch_metric_namespace isn't + # updated within this time period, as that indicates the backup failed to run. + backup_job_alarm_period = 3600 - # The ARN of a destination backup vault for cross-account or cross-region - # copies. If null, no cross-account copy is configured. - backup_destination_vault_arn = null + # Sets how the backup job alarm should handle entering the INSUFFICIENT_DATA + # state. Based on + # https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data. + # Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'. + backup_job_alarm_treat_missing_data = "missing" # How many days to keep backup snapshots around before cleaning them up. Must # be 1 or greater to support read replicas. backup_retention_period = 30 - # A CRON expression specifying when AWS Backup should run the backup job (e.g. - # cron(0 0 * * ? *) for daily at midnight UTC). Required if var.enable_backup - # is true. - backup_schedule = null - - # The name of the IAM service role for AWS Backup. Defaults to - # '-backup-service-role' if not specified. - backup_service_role_name = null - - # The number of days to retain recovery points in the source backup vault - # before automatic deletion. - backup_source_retention_days = 30 - - # The ARN of a KMS key used to encrypt the backup vault. If null, the default - # AWS Backup encryption will be used. - backup_vault_kms_key_arn = null - - # The name of the AWS Backup vault to create. Defaults to - # '-backup-vault' if not specified. - backup_vault_name = null - - # An optional vault access policy to attach to the backup vault. Useful for - # granting cross-account access. Set to null to skip. See the backup-vault - # module for the expected structure. - backup_vault_policy = null - # The daily time range during which automated backups are created (e.g. # 04:00-09:00). Time zone is UTC. Performance may be degraded while a backup # runs. @@ -269,6 +237,12 @@ module "rds" { # the RDS endpoints. create_route53_entry = false + # The namespace to use for the CloudWatch metric we report every time a new + # RDS snapshot is created. We add a CloudWatch alarm on this metric to notify + # us if the backup job fails to run for any reason. Defaults to the cluster + # name. + create_snapshot_cloudwatch_metric_namespace = null + # Timeout for DB creating creating_timeout = "40m" @@ -330,16 +304,15 @@ module "rds" { # Timeout for DB deleting deleting_timeout = "60m" - # If set to true, create an AWS Backup vault and plan to periodically back up - # the RDS DB. Supports optional cross-account copy via - # var.backup_destination_vault_arn. - enable_backup = false - # Set to true to enable several basic CloudWatch alarms around CPU usage, # memory usage, and disk space usage. If set to true, make sure to specify SNS # topics to send notifications to using var.alarms_sns_topic_arn. enable_cloudwatch_alarms = true + # When true, enable CloudWatch metrics for the manual snapshots created for + # the purpose of sharing with another account. + enable_cloudwatch_metrics = true + # Enable deletion protection on the RDS instance. If this is enabled, the # database cannot be deleted prior to disabling enable_deletion_protection = false @@ -350,6 +323,11 @@ module "rds" { # too unpredictable. enable_perf_alarms = true + # When true, enable CloudWatch alarms for the manual snapshots created for the + # purpose of sharing with another account. Only used if + # var.share_snapshot_with_another_account is true. + enable_share_snapshot_cloudwatch_alarms = true + # List of log types to enable for exporting to CloudWatch logs. If omitted, no # logs will be exported. Valid values (depending on engine): alert, audit, # error, general, listener, slowquery, trace, postgresql (PostgreSQL) and @@ -394,12 +372,6 @@ module "rds" { # taken per disk I/O operation), in seconds, is above this threshold. high_read_latency_threshold = 5 - # Sets how this alarm should handle entering the INSUFFICIENT_DATA state. - # Based on - # https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data. - # Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'. - high_read_latency_treat_missing_data = "missing" - # The period, in seconds, over which to measure the write latency. high_write_latency_period = 60 @@ -407,12 +379,6 @@ module "rds" { # taken per disk I/O operation), in seconds, is above this threshold. high_write_latency_threshold = 5 - # Sets how this alarm should handle entering the INSUFFICIENT_DATA state. - # Based on - # https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data. - # Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'. - high_write_latency_treat_missing_data = "missing" - # The ID of the Route 53 hosted zone into which the Route 53 DNS record should # be written hosted_zone_id = null @@ -556,6 +522,26 @@ module "rds" { # database. replica_domain_name = null + # The maximum number of snapshots to keep around for the purpose of cross + # account sharing. Once this number is exceeded, a lambda function will delete + # the oldest snapshots. Only used if var.share_snapshot_with_another_account + # is true. + share_snapshot_max_snapshots = 30 + + # An expression that defines how often to run the lambda function to take + # snapshots for the purpose of cross account sharing. For example, cron(0 20 * + # * ? *) or rate(5 minutes). Required if + # var.share_snapshot_with_another_account is true + share_snapshot_schedule_expression = null + + # The ID of the AWS Account that the snapshot should be shared with. Required + # if var.share_snapshot_with_another_account is true. + share_snapshot_with_account_id = null + + # If set to true, take periodic snapshots of the RDS DB that should be shared + # with another account. + share_snapshot_with_another_account = false + # Determines whether a final DB snapshot is created before the DB instance is # deleted. Be very careful setting this to true; if you do, and you delete # this DB instance, you will not have any backups of the data! You almost @@ -637,7 +623,7 @@ module "rds" { # ------------------------------------------------------------------------------------------------------ terraform { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/data-stores/rds?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/data-stores/rds?ref=v2.6.0" } inputs = { @@ -679,16 +665,6 @@ inputs = { # database to be reachable. allow_connections_from_cidr_blocks = [] - # The list of IPv6 CIDR blocks to allow network access to RDS from for - # dual-stack configurations. Should typically be the IPv6 CIDR blocks of the - # private app subnet in this VPC plus the private subnet in the mgmt VPC. - allow_connections_from_ipv6_cidr_blocks = [] - - # The list of IPv6 CIDR blocks to allow network access to RDS read replicas - # from for dual-stack configurations. If not set, read replica instances will - # use the same security group as the master instance. - allow_connections_from_ipv6_cidr_blocks_to_read_replicas = [] - # The list of IDs or Security Groups to allow network access to RDS from. All # security groups must either be in the VPC specified by var.vpc_id, or a # peered VPC with the VPC specified by var.vpc_id. One of @@ -729,45 +705,23 @@ inputs = { # if not specified. aws_db_security_group_name = null - # The number of days to retain recovery points in the destination backup vault - # before automatic deletion. Only used if var.backup_destination_vault_arn is - # set. - backup_destination_retention_days = 90 + # How often, in seconds, the backup job is expected to run. This is the same + # as var.schedule_expression, but unfortunately, Terraform offers no way to + # convert rate expressions to seconds. We add a CloudWatch alarm that triggers + # if the metric in var.create_snapshot_cloudwatch_metric_namespace isn't + # updated within this time period, as that indicates the backup failed to run. + backup_job_alarm_period = 3600 - # The ARN of a destination backup vault for cross-account or cross-region - # copies. If null, no cross-account copy is configured. - backup_destination_vault_arn = null + # Sets how the backup job alarm should handle entering the INSUFFICIENT_DATA + # state. Based on + # https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data. + # Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'. + backup_job_alarm_treat_missing_data = "missing" # How many days to keep backup snapshots around before cleaning them up. Must # be 1 or greater to support read replicas. backup_retention_period = 30 - # A CRON expression specifying when AWS Backup should run the backup job (e.g. - # cron(0 0 * * ? *) for daily at midnight UTC). Required if var.enable_backup - # is true. - backup_schedule = null - - # The name of the IAM service role for AWS Backup. Defaults to - # '-backup-service-role' if not specified. - backup_service_role_name = null - - # The number of days to retain recovery points in the source backup vault - # before automatic deletion. - backup_source_retention_days = 30 - - # The ARN of a KMS key used to encrypt the backup vault. If null, the default - # AWS Backup encryption will be used. - backup_vault_kms_key_arn = null - - # The name of the AWS Backup vault to create. Defaults to - # '-backup-vault' if not specified. - backup_vault_name = null - - # An optional vault access policy to attach to the backup vault. Useful for - # granting cross-account access. Set to null to skip. See the backup-vault - # module for the expected structure. - backup_vault_policy = null - # The daily time range during which automated backups are created (e.g. # 04:00-09:00). Time zone is UTC. Performance may be degraded while a backup # runs. @@ -806,6 +760,12 @@ inputs = { # the RDS endpoints. create_route53_entry = false + # The namespace to use for the CloudWatch metric we report every time a new + # RDS snapshot is created. We add a CloudWatch alarm on this metric to notify + # us if the backup job fails to run for any reason. Defaults to the cluster + # name. + create_snapshot_cloudwatch_metric_namespace = null + # Timeout for DB creating creating_timeout = "40m" @@ -867,16 +827,15 @@ inputs = { # Timeout for DB deleting deleting_timeout = "60m" - # If set to true, create an AWS Backup vault and plan to periodically back up - # the RDS DB. Supports optional cross-account copy via - # var.backup_destination_vault_arn. - enable_backup = false - # Set to true to enable several basic CloudWatch alarms around CPU usage, # memory usage, and disk space usage. If set to true, make sure to specify SNS # topics to send notifications to using var.alarms_sns_topic_arn. enable_cloudwatch_alarms = true + # When true, enable CloudWatch metrics for the manual snapshots created for + # the purpose of sharing with another account. + enable_cloudwatch_metrics = true + # Enable deletion protection on the RDS instance. If this is enabled, the # database cannot be deleted prior to disabling enable_deletion_protection = false @@ -887,6 +846,11 @@ inputs = { # too unpredictable. enable_perf_alarms = true + # When true, enable CloudWatch alarms for the manual snapshots created for the + # purpose of sharing with another account. Only used if + # var.share_snapshot_with_another_account is true. + enable_share_snapshot_cloudwatch_alarms = true + # List of log types to enable for exporting to CloudWatch logs. If omitted, no # logs will be exported. Valid values (depending on engine): alert, audit, # error, general, listener, slowquery, trace, postgresql (PostgreSQL) and @@ -931,12 +895,6 @@ inputs = { # taken per disk I/O operation), in seconds, is above this threshold. high_read_latency_threshold = 5 - # Sets how this alarm should handle entering the INSUFFICIENT_DATA state. - # Based on - # https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data. - # Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'. - high_read_latency_treat_missing_data = "missing" - # The period, in seconds, over which to measure the write latency. high_write_latency_period = 60 @@ -944,12 +902,6 @@ inputs = { # taken per disk I/O operation), in seconds, is above this threshold. high_write_latency_threshold = 5 - # Sets how this alarm should handle entering the INSUFFICIENT_DATA state. - # Based on - # https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data. - # Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'. - high_write_latency_treat_missing_data = "missing" - # The ID of the Route 53 hosted zone into which the Route 53 DNS record should # be written hosted_zone_id = null @@ -1093,6 +1045,26 @@ inputs = { # database. replica_domain_name = null + # The maximum number of snapshots to keep around for the purpose of cross + # account sharing. Once this number is exceeded, a lambda function will delete + # the oldest snapshots. Only used if var.share_snapshot_with_another_account + # is true. + share_snapshot_max_snapshots = 30 + + # An expression that defines how often to run the lambda function to take + # snapshots for the purpose of cross account sharing. For example, cron(0 20 * + # * ? *) or rate(5 minutes). Required if + # var.share_snapshot_with_another_account is true + share_snapshot_schedule_expression = null + + # The ID of the AWS Account that the snapshot should be shared with. Required + # if var.share_snapshot_with_another_account is true. + share_snapshot_with_account_id = null + + # If set to true, take periodic snapshots of the RDS DB that should be shared + # with another account. + share_snapshot_with_another_account = false + # Determines whether a final DB snapshot is created before the DB instance is # deleted. Be very careful setting this to true; if you do, and you delete # this DB instance, you will not have any backups of the data! You almost @@ -1232,24 +1204,6 @@ The list of network CIDR blocks to allow network access to RDS from. One of - - - -The list of IPv6 CIDR blocks to allow network access to RDS from for dual-stack configurations. Should typically be the IPv6 CIDR blocks of the private app subnet in this VPC plus the private subnet in the mgmt VPC. - - - - - - - - -The list of IPv6 CIDR blocks to allow network access to RDS read replicas from for dual-stack configurations. If not set, read replica instances will use the same security group as the master instance. - - - - - @@ -1313,94 +1267,45 @@ The name of the aws_db_security_group that is created. Defaults to - + -The number of days to retain recovery points in the destination backup vault before automatic deletion. Only used if backup_destination_vault_arn is set. +How often, in seconds, the backup job is expected to run. This is the same as schedule_expression, but unfortunately, Terraform offers no way to convert rate expressions to seconds. We add a CloudWatch alarm that triggers if the metric in create_snapshot_cloudwatch_metric_namespace isn't updated within this time period, as that indicates the backup failed to run. - - - - - - -The ARN of a destination backup vault for cross-account or cross-region copies. If null, no cross-account copy is configured. - - - - - - - + + +
-How many days to keep backup snapshots around before cleaning them up. Must be 1 or greater to support read replicas. - - - +```hcl - - + Default to hourly -A CRON expression specifying when AWS Backup should run the backup job (e.g. cron(0 0 * * ? *) for daily at midnight UTC). Required if enable_backup is true. +``` +
- - + - + -The name of the IAM service role for AWS Backup. Defaults to '<name>-backup-service-role' if not specified. +Sets how the backup job alarm should handle entering the INSUFFICIENT_DATA state. Based on https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data. Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'. - + - + -The number of days to retain recovery points in the source backup vault before automatic deletion. +How many days to keep backup snapshots around before cleaning them up. Must be 1 or greater to support read replicas. - - - -The ARN of a KMS key used to encrypt the backup vault. If null, the default AWS Backup encryption will be used. - - - - - - - - -The name of the AWS Backup vault to create. Defaults to '<name>-backup-vault' if not specified. - - - - - - - - -An optional vault access policy to attach to the backup vault. Useful for granting cross-account access. Set to null to skip. See the backup-vault module for the expected structure. - - - - -```hcl -Any types represent complex values of variable type. For details, please consult `variables.tf` in the source repo. -``` - - - - - @@ -1508,6 +1413,15 @@ Set to true if you want a DNS record automatically created and pointed at the RD + + + +The namespace to use for the CloudWatch metric we report every time a new RDS snapshot is created. We add a CloudWatch alarm on this metric to notify us if the backup job fails to run for any reason. Defaults to the cluster name. + + + + + @@ -1933,19 +1847,19 @@ Timeout for DB deleting - + -If set to true, create an AWS Backup vault and plan to periodically back up the RDS DB. Supports optional cross-account copy via backup_destination_vault_arn. +Set to true to enable several basic CloudWatch alarms around CPU usage, memory usage, and disk space usage. If set to true, make sure to specify SNS topics to send notifications to using alarms_sns_topic_arn. - + - + -Set to true to enable several basic CloudWatch alarms around CPU usage, memory usage, and disk space usage. If set to true, make sure to specify SNS topics to send notifications to using alarms_sns_topic_arn. +When true, enable CloudWatch metrics for the manual snapshots created for the purpose of sharing with another account. @@ -1969,6 +1883,15 @@ Set to true to enable alarms related to performance, such as read and write late + + + +When true, enable CloudWatch alarms for the manual snapshots created for the purpose of sharing with another account. Only used if share_snapshot_with_another_account is true. + + + + + @@ -2059,15 +1982,6 @@ Trigger an alarm if the DB instance read latency (average amount of time taken p - - - -Sets how this alarm should handle entering the INSUFFICIENT_DATA state. Based on https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data. Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'. - - - - - @@ -2086,15 +2000,6 @@ Trigger an alarm if the DB instance write latency (average amount of time taken - - - -Sets how this alarm should handle entering the INSUFFICIENT_DATA state. Based on https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data. Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'. - - - - - @@ -2398,6 +2303,42 @@ The domain name to create a route 53 record for the read replicas of the RDS dat + + + +The maximum number of snapshots to keep around for the purpose of cross account sharing. Once this number is exceeded, a lambda function will delete the oldest snapshots. Only used if share_snapshot_with_another_account is true. + + + + + + + + +An expression that defines how often to run the lambda function to take snapshots for the purpose of cross account sharing. For example, cron(0 20 * * ? *) or rate(5 minutes). Required if share_snapshot_with_another_account is true + + + + + + + + +The ID of the AWS Account that the snapshot should be shared with. Required if share_snapshot_with_another_account is true. + + + + + + + + +If set to true, take periodic snapshots of the RDS DB that should be shared with another account. + + + + + @@ -2539,30 +2480,6 @@ A list of all the CloudWatch Dashboard metric widgets available in this module. - - - -A list of ARNs of the AWS Backup plans created. Only populated if enable_backup is true. - - - - - - - -The ARN of the IAM service role used by AWS Backup. - - - - - - - -A map of backup vault names to their ARNs. Only populated if enable_backup is true. - - - - @@ -2721,11 +2638,11 @@ The ID of the Security Group that controls access to the RDS DB instance. diff --git a/docs/reference/services/data-storage/s-3-bucket.md b/docs/reference/services/data-storage/s-3-bucket.md index 074089bd4..23e8587d7 100644 --- a/docs/reference/services/data-storage/s-3-bucket.md +++ b/docs/reference/services/data-storage/s-3-bucket.md @@ -16,11 +16,11 @@ import TabItem from '@theme/TabItem'; import VersionBadge from '../../../../src/components/VersionBadge.tsx'; import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../src/components/HclListItem.tsx'; - + # S3 Bucket -View Source +View Source Release Notes @@ -59,7 +59,7 @@ If you’ve never used the Service Catalog before, make sure to read If you just want to try this repo out for experimenting and learning, check out the following resources: -* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-learning-and-testing): The +* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-learning-and-testing): The `examples/for-learning-and-testing` folder contains standalone sample code optimized for learning, experimenting, and testing (but not direct production usage). @@ -67,7 +67,7 @@ If you just want to try this repo out for experimenting and learning, check out If you want to deploy this repo in production, check out the following resources: -* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-production): The `examples/for-production` folder contains sample code +* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-production): The `examples/for-production` folder contains sample code optimized for direct usage in production. This is code from the [Gruntwork Reference Architecture](https://gruntwork.io/reference-architecture/), and it shows you how we build an end-to-end, integrated tech stack on top of the Gruntwork Service Catalog. @@ -88,7 +88,7 @@ If you want to deploy this repo in production, check out the following resources module "s_3_bucket" { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/data-stores/s3-bucket?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/data-stores/s3-bucket?ref=v2.6.0" # ---------------------------------------------------------------------------------------------------- # REQUIRED VARIABLES @@ -327,7 +327,7 @@ module "s_3_bucket" { # ------------------------------------------------------------------------------------------------------ terraform { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/data-stores/s3-bucket?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/data-stores/s3-bucket?ref=v2.6.0" } inputs = { @@ -1259,11 +1259,11 @@ The name of the replica S3 bucket. diff --git a/docs/reference/services/landing-zone/aws-app-account-baseline-wrapper.md b/docs/reference/services/landing-zone/aws-app-account-baseline-wrapper.md index e87246736..eed97cd64 100644 --- a/docs/reference/services/landing-zone/aws-app-account-baseline-wrapper.md +++ b/docs/reference/services/landing-zone/aws-app-account-baseline-wrapper.md @@ -16,11 +16,11 @@ import TabItem from '@theme/TabItem'; import VersionBadge from '../../../../src/components/VersionBadge.tsx'; import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../src/components/HclListItem.tsx'; - + # Account Baseline for app accounts -View Source +View Source Release Notes @@ -57,13 +57,13 @@ If you’ve never used the Service Catalog before, make sure to read * Learn more about each individual module, click the link in the [Features](#features) section. * [How to configure a production-grade AWS account structure](https://docs.gruntwork.io/guides/build-it-yourself/landing-zone/) -* [How to use multi-region services](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/modules/landingzone/account-baseline-root/core-concepts.md#how-to-use-multi-region-services) +* [How to use multi-region services](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/modules/landingzone/account-baseline-root/core-concepts.md#how-to-use-multi-region-services) ### Repo organization -* [modules](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/modules): the main implementation code for this repo, broken down into multiple standalone, orthogonal submodules. -* [examples](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples): This folder contains working examples of how to use the submodules. -* [test](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/test): Automated tests for the modules and examples. +* [modules](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/modules): the main implementation code for this repo, broken down into multiple standalone, orthogonal submodules. +* [examples](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples): This folder contains working examples of how to use the submodules. +* [test](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/test): Automated tests for the modules and examples. ## Deploy @@ -71,7 +71,7 @@ If you’ve never used the Service Catalog before, make sure to read If you just want to try this repo out for experimenting and learning, check out the following resources: -* [examples/for-learning-and-testing/landingzone folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-learning-and-testing/landingzone): The +* [examples/for-learning-and-testing/landingzone folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-learning-and-testing/landingzone): The `examples/for-learning-and-testing/landingzone` folder contains standalone sample code optimized for learning, experimenting, and testing (but not direct production usage). @@ -79,7 +79,7 @@ If you just want to try this repo out for experimenting and learning, check out If you want to deploy this repo in production, check out the following resources: -* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-production): The `examples/for-production` folder contains sample code +* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-production): The `examples/for-production` folder contains sample code optimized for direct usage in production. This is code from the [Gruntwork Reference Architecture](https://gruntwork.io/reference-architecture/), and it shows you how we build an end-to-end integrated tech stack on top of the Gruntwork Service Catalog. @@ -100,7 +100,7 @@ If you want to deploy this repo in production, check out the following resources module "account_baseline_app" { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/landingzone/account-baseline-app?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/landingzone/account-baseline-app?ref=v2.6.0" # ---------------------------------------------------------------------------------------------------- # REQUIRED VARIABLES @@ -950,7 +950,7 @@ module "account_baseline_app" { # ------------------------------------------------------------------------------------------------------ terraform { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/landingzone/account-baseline-app?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/landingzone/account-baseline-app?ref=v2.6.0" } inputs = { @@ -4118,11 +4118,11 @@ A map of ARNs of the service linked roles created from diff --git a/docs/reference/services/landing-zone/aws-root-account-baseline-wrapper.md b/docs/reference/services/landing-zone/aws-root-account-baseline-wrapper.md index 74a5f1d40..1dbab8500 100644 --- a/docs/reference/services/landing-zone/aws-root-account-baseline-wrapper.md +++ b/docs/reference/services/landing-zone/aws-root-account-baseline-wrapper.md @@ -16,11 +16,11 @@ import TabItem from '@theme/TabItem'; import VersionBadge from '../../../../src/components/VersionBadge.tsx'; import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../src/components/HclListItem.tsx'; - + # Account Baseline for root account -View Source +View Source Release Notes @@ -58,16 +58,16 @@ If you’ve never used the Service Catalog before, make sure to read * Learn more about each individual module, click the link in the [Features](#features) section * [How to configure a production-grade AWS account structure](https://docs.gruntwork.io/guides/build-it-yourself/landing-zone/) -* [How to create child accounts](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/core-concepts.md#creating-child-accounts) -* [How to aggregate AWS Config and CloudTrail data in a logs account](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/core-concepts.md#aggregating-aws-config-and-cloudtrail-data-in-a-logs-account) -* [Why does this module use account-level AWS Config Rules?](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/core-concepts.md#why-does-this-module-use-account-level-aws-config-rules) -* [How to use multi-region services](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/core-concepts.md#how-to-use-multi-region-services) +* [How to create child accounts](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/core-concepts.md#creating-child-accounts) +* [How to aggregate AWS Config and CloudTrail data in a logs account](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/core-concepts.md#aggregating-aws-config-and-cloudtrail-data-in-a-logs-account) +* [Why does this module use account-level AWS Config Rules?](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/core-concepts.md#why-does-this-module-use-account-level-aws-config-rules) +* [How to use multi-region services](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/core-concepts.md#how-to-use-multi-region-services) ### Repo organization -* [modules](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/modules): the main implementation code for this repo, broken down into multiple standalone, orthogonal submodules. -* [examples](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples): This folder contains working examples of how to use the submodules. -* [test](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/test): Automated tests for the modules and examples. +* [modules](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/modules): the main implementation code for this repo, broken down into multiple standalone, orthogonal submodules. +* [examples](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples): This folder contains working examples of how to use the submodules. +* [test](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/test): Automated tests for the modules and examples. ## Deploy @@ -75,7 +75,7 @@ If you’ve never used the Service Catalog before, make sure to read If you just want to try this repo out for experimenting and learning, check out the following resources: -* [examples/for-learning-and-testing/landingzone folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-learning-and-testing/landingzone): The +* [examples/for-learning-and-testing/landingzone folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-learning-and-testing/landingzone): The `examples/for-learning-and-testing/landingzone` folder contains standalone sample code optimized for learning, experimenting, and testing (but not direct production usage). @@ -83,7 +83,7 @@ If you just want to try this repo out for experimenting and learning, check out If you want to deploy this repo in production, check out the following resources: -* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-production): The `examples/for-production` folder contains sample code +* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-production): The `examples/for-production` folder contains sample code optimized for direct usage in production. This is code from the [Gruntwork Reference Architecture](https://gruntwork.io/reference-architecture/), and it shows you how we build an end-to-end integrated tech stack on top of the Gruntwork Service Catalog. @@ -104,7 +104,7 @@ If you want to deploy this repo in production, check out the following resources module "account_baseline_root" { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/landingzone/account-baseline-root?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/landingzone/account-baseline-root?ref=v2.6.0" # ---------------------------------------------------------------------------------------------------- # REQUIRED VARIABLES @@ -1017,7 +1017,7 @@ module "account_baseline_root" { # ------------------------------------------------------------------------------------------------------ terraform { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/landingzone/account-baseline-root?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/landingzone/account-baseline-root?ref=v2.6.0" } inputs = { @@ -4632,11 +4632,11 @@ A map of user name to that user's AWS Web Console password, encrypted with that diff --git a/docs/reference/services/landing-zone/aws-security-account-baseline-wrapper.md b/docs/reference/services/landing-zone/aws-security-account-baseline-wrapper.md index f29286b10..e91ea3bb2 100644 --- a/docs/reference/services/landing-zone/aws-security-account-baseline-wrapper.md +++ b/docs/reference/services/landing-zone/aws-security-account-baseline-wrapper.md @@ -16,11 +16,11 @@ import TabItem from '@theme/TabItem'; import VersionBadge from '../../../../src/components/VersionBadge.tsx'; import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../src/components/HclListItem.tsx'; - + # Account Baseline for security account -View Source +View Source Release Notes @@ -59,13 +59,13 @@ If you’ve never used the Service Catalog before, make sure to read * Learn more about each individual module, click the link in the [Features](#features) section. * [How to configure a production-grade AWS account structure](https://docs.gruntwork.io/guides/build-it-yourself/landing-zone/) -* [How to use multi-region services](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/modules/landingzone/account-baseline-root/core-concepts.md#how-to-use-multi-region-services) +* [How to use multi-region services](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/modules/landingzone/account-baseline-root/core-concepts.md#how-to-use-multi-region-services) ### Repo organization -* [modules](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/modules): the main implementation code for this repo, broken down into multiple standalone, orthogonal submodules. -* [examples](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples): This folder contains working examples of how to use the submodules. -* [test](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/test): Automated tests for the modules and examples. +* [modules](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/modules): the main implementation code for this repo, broken down into multiple standalone, orthogonal submodules. +* [examples](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples): This folder contains working examples of how to use the submodules. +* [test](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/test): Automated tests for the modules and examples. ## Deploy @@ -73,7 +73,7 @@ If you’ve never used the Service Catalog before, make sure to read If you just want to try this repo out for experimenting and learning, check out the following resources: -* [examples/for-learning-and-testing/landingzone folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-learning-and-testing/landingzone): The +* [examples/for-learning-and-testing/landingzone folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-learning-and-testing/landingzone): The `examples/for-learning-and-testing/landingzone` folder contains standalone sample code optimized for learning, experimenting, and testing (but not direct production usage). @@ -81,7 +81,7 @@ If you just want to try this repo out for experimenting and learning, check out If you want to deploy this repo in production, check out the following resources: -* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-production): The `examples/for-production` folder contains sample code +* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-production): The `examples/for-production` folder contains sample code optimized for direct usage in production. This is code from the [Gruntwork Reference Architecture](https://gruntwork.io/reference-architecture/), and it shows you how we build an end-to-end, integrated tech stack on top of the Gruntwork Service Catalog. @@ -101,7 +101,7 @@ If you want to deploy this repo in production, check out the following resources module "account_baseline_security" { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/landingzone/account-baseline-security?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/landingzone/account-baseline-security?ref=v2.6.0" # ---------------------------------------------------------------------------------------------------- # REQUIRED VARIABLES @@ -1067,7 +1067,7 @@ module "account_baseline_security" { # ------------------------------------------------------------------------------------------------------ terraform { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/landingzone/account-baseline-security?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/landingzone/account-baseline-security?ref=v2.6.0" } inputs = { @@ -4750,11 +4750,11 @@ A map of usernames to that user's AWS Web Console password, encrypted with that diff --git a/docs/reference/services/landing-zone/gruntwork-access.md b/docs/reference/services/landing-zone/gruntwork-access.md index 39776640a..d927f63fc 100644 --- a/docs/reference/services/landing-zone/gruntwork-access.md +++ b/docs/reference/services/landing-zone/gruntwork-access.md @@ -16,11 +16,11 @@ import TabItem from '@theme/TabItem'; import VersionBadge from '../../../../src/components/VersionBadge.tsx'; import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../src/components/HclListItem.tsx'; - + # Gruntwork Access -View Source +View Source Release Notes @@ -63,7 +63,7 @@ If you’ve never used the Service Catalog before, make sure to read If you just want to try this repo out for experimenting and learning, check out the following resources: -* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-learning-and-testing): The +* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-learning-and-testing): The `examples/for-learning-and-testing` folder contains standalone sample code optimized for learning, experimenting, and testing (but not direct production usage). @@ -71,7 +71,7 @@ If you just want to try this repo out for experimenting and learning, check out If you want to deploy this repo in production, check out the following resources: -* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-production): The `examples/for-production` folder contains sample code +* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-production): The `examples/for-production` folder contains sample code optimized for direct usage in production. This is code from the [Gruntwork Reference Architecture](https://gruntwork.io/reference-architecture/), and it shows you how we build an end-to-end, integrated tech stack on top of the Gruntwork Service Catalog, configure CI / CD for your apps and @@ -91,7 +91,7 @@ If you want to deploy this repo in production, check out the following resources module "gruntwork_access" { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/landingzone/gruntwork-access?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/landingzone/gruntwork-access?ref=v2.6.0" # ---------------------------------------------------------------------------------------------------- # REQUIRED VARIABLES @@ -146,7 +146,7 @@ module "gruntwork_access" { # ------------------------------------------------------------------------------------------------------ terraform { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/landingzone/gruntwork-access?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/landingzone/gruntwork-access?ref=v2.6.0" } inputs = { @@ -295,11 +295,11 @@ The name of the IAM role diff --git a/docs/reference/services/landing-zone/iam-users-and-iam-groups.md b/docs/reference/services/landing-zone/iam-users-and-iam-groups.md index 973a001e0..54c732d40 100644 --- a/docs/reference/services/landing-zone/iam-users-and-iam-groups.md +++ b/docs/reference/services/landing-zone/iam-users-and-iam-groups.md @@ -16,11 +16,11 @@ import TabItem from '@theme/TabItem'; import VersionBadge from '../../../../src/components/VersionBadge.tsx'; import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../src/components/HclListItem.tsx'; - + # IAM Users and IAM Groups -View Source +View Source Release Notes @@ -74,9 +74,9 @@ If you’ve never used the Service Catalog before, make sure to read ### Repo organization -* [modules](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/modules): the main implementation code for this repo, broken down into multiple standalone, orthogonal submodules. -* [examples](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples): This folder contains working examples of how to use the submodules. -* [test](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/test): Automated tests for the modules and examples. +* [modules](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/modules): the main implementation code for this repo, broken down into multiple standalone, orthogonal submodules. +* [examples](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples): This folder contains working examples of how to use the submodules. +* [test](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/test): Automated tests for the modules and examples. ## Deploy @@ -84,7 +84,7 @@ If you’ve never used the Service Catalog before, make sure to read If you just want to try this repo out for experimenting and learning, check out the following resources: -* [examples/for-learning-and-testing/landingzone folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-learning-and-testing/landingzone): The +* [examples/for-learning-and-testing/landingzone folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-learning-and-testing/landingzone): The `examples/for-learning-and-testing/landingzone` folder contains standalone sample code optimized for learning, experimenting, and testing (but not direct production usage). @@ -92,7 +92,7 @@ If you just want to try this repo out for experimenting and learning, check out If you want to deploy this repo in production, check out the following resources: -* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-production): The `examples/for-production` folder contains sample code +* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-production): The `examples/for-production` folder contains sample code optimized for direct usage in production. This is code from the [Gruntwork Reference Architecture](https://gruntwork.io/reference-architecture/), and it shows you how we build an end-to-end, integrated tech stack on top of the Gruntwork Service Catalog. @@ -113,7 +113,7 @@ If you want to deploy this repo in production, check out the following resources module "iam_users_and_groups" { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/landingzone/iam-users-and-groups?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/landingzone/iam-users-and-groups?ref=v2.6.0" # ---------------------------------------------------------------------------------------------------- # REQUIRED VARIABLES @@ -334,7 +334,7 @@ module "iam_users_and_groups" { # ------------------------------------------------------------------------------------------------------ terraform { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/landingzone/iam-users-and-groups?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/landingzone/iam-users-and-groups?ref=v2.6.0" } inputs = { @@ -1136,11 +1136,11 @@ A map of usernames to that user's AWS Web Console password, encrypted with that diff --git a/docs/reference/services/networking/elastic-load-balancer-elb.md b/docs/reference/services/networking/elastic-load-balancer-elb.md index 2c280db2b..8d5c40248 100644 --- a/docs/reference/services/networking/elastic-load-balancer-elb.md +++ b/docs/reference/services/networking/elastic-load-balancer-elb.md @@ -16,11 +16,11 @@ import TabItem from '@theme/TabItem'; import VersionBadge from '../../../../src/components/VersionBadge.tsx'; import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../src/components/HclListItem.tsx'; - + # Application Load Balancer -View Source +View Source Release Notes @@ -62,7 +62,7 @@ If you’ve never used the Service Catalog before, make sure to read If you just want to try this repo out for experimenting and learning, check out the following resources: -* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-learning-and-testing): The +* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-learning-and-testing): The `examples/for-learning-and-testing` folder contains standalone sample code optimized for learning, experimenting, and testing (but not direct production usage). @@ -70,7 +70,7 @@ If you just want to try this repo out for experimenting and learning, check out If you want to deploy this repo in production, check out the following resources: -* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-production): The `examples/for-production` folder contains sample code +* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-production): The `examples/for-production` folder contains sample code optimized for direct usage in production. This is code from the [Gruntwork Reference Architecture](https://gruntwork.io/reference-architecture), and it shows you how we build an end-to-end, integrated tech stack on top of the Gruntwork Service Catalog. @@ -89,7 +89,7 @@ If you want to deploy this repo in production, check out the following resources module "alb" { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/networking/alb?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/networking/alb?ref=v2.6.0" # ---------------------------------------------------------------------------------------------------- # REQUIRED VARIABLES @@ -136,9 +136,6 @@ module "alb" { # Valid values are AMAZON_ISSUED and IMPORTED. acm_cert_types = ["AMAZON_ISSUED","IMPORTED"] - # Add additional security groups to the ALB - additional_security_group_ids = [] - # List of additional SSL certs (non-ACM and ACM) to bind to the given listener # port. Note that this must not overlap with the certificates defined in # var.https_listener_ports_and_ssl_certs and @@ -298,7 +295,7 @@ module "alb" { # ------------------------------------------------------------------------------------------------------ terraform { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/networking/alb?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/networking/alb?ref=v2.6.0" } inputs = { @@ -348,9 +345,6 @@ inputs = { # Valid values are AMAZON_ISSUED and IMPORTED. acm_cert_types = ["AMAZON_ISSUED","IMPORTED"] - # Add additional security groups to the ALB - additional_security_group_ids = [] - # List of additional SSL certs (non-ACM and ACM) to bind to the given listener # port. Note that this must not overlap with the certificates defined in # var.https_listener_ports_and_ssl_certs and @@ -601,15 +595,6 @@ When looking up the ACM certs passed in via https_listener_ports_and_acm_ssl_cer - - - -Add additional security groups to the ALB - - - - - @@ -1055,11 +1040,11 @@ The AWS-managed DNS name assigned to the ALB. diff --git a/docs/reference/services/networking/management-vpc.md b/docs/reference/services/networking/management-vpc.md index 0daf75051..6dba329f9 100644 --- a/docs/reference/services/networking/management-vpc.md +++ b/docs/reference/services/networking/management-vpc.md @@ -16,11 +16,11 @@ import TabItem from '@theme/TabItem'; import VersionBadge from '../../../../src/components/VersionBadge.tsx'; import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../src/components/HclListItem.tsx'; - + # Management VPC -View Source +View Source Release Notes @@ -65,9 +65,9 @@ documentation in the [terraform-aws-vpc](https://github.com/gruntwork-io/terrafo ### Repo organization -* [modules](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/modules): The main implementation code for this repo, broken down into multiple standalone, orthogonal submodules. -* [examples](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples): This folder contains working examples of how to use the submodules. -* [test](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/test): Automated tests for the modules and examples. +* [modules](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/modules): The main implementation code for this repo, broken down into multiple standalone, orthogonal submodules. +* [examples](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples): This folder contains working examples of how to use the submodules. +* [test](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/test): Automated tests for the modules and examples. ## Deploy @@ -75,7 +75,7 @@ documentation in the [terraform-aws-vpc](https://github.com/gruntwork-io/terrafo If you just want to try this repo out for experimenting and learning, check out the following resources: -* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-learning-and-testing): The +* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-learning-and-testing): The `examples/for-learning-and-testing` folder contains standalone sample code optimized for learning, experimenting, and testing (but not direct production usage). @@ -83,7 +83,7 @@ If you just want to try this repo out for experimenting and learning, check out If you want to deploy this repo in production, check out the following resources: -* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-production): The `examples/for-production` folder contains sample code +* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-production): The `examples/for-production` folder contains sample code optimized or direct usage in production. This is code from the [Gruntwork Reference Architecture](https://gruntwork.io/reference-architecture), and it shows you how we build an end-to-end, integrated tech stack on top of the Gruntwork Service Catalog. @@ -105,7 +105,7 @@ If you want to deploy this repo in production, check out the following resources module "vpc_mgmt" { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/networking/vpc-mgmt?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/networking/vpc-mgmt?ref=v2.6.0" # ---------------------------------------------------------------------------------------------------- # REQUIRED VARIABLES @@ -221,12 +221,6 @@ module "vpc_mgmt" { # If set to false, the default security groups will NOT be created. enable_default_security_group = false - # The list of ports to exclude from the inbound allow all rules in Network - # ACLs. This is useful for adhering to certain compliance standards like CIS - # or SOC2 that explicitly deny any allow rule for administrative ports (22, - # 3389). - exclude_ports_from_inbound_all = [] - # Specifies the number of days you want to retain log events. Possible values # are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1096, # 1827, 2192, 2557, 2922, 3288, 3653, and 0. If you select 0, the events in @@ -333,7 +327,7 @@ module "vpc_mgmt" { # ------------------------------------------------------------------------------------------------------ terraform { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/networking/vpc-mgmt?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/networking/vpc-mgmt?ref=v2.6.0" } inputs = { @@ -452,12 +446,6 @@ inputs = { # If set to false, the default security groups will NOT be created. enable_default_security_group = false - # The list of ports to exclude from the inbound allow all rules in Network - # ACLs. This is useful for adhering to certain compliance standards like CIS - # or SOC2 that explicitly deny any allow rule for administrative ports (22, - # 3389). - exclude_ports_from_inbound_all = [] - # Specifies the number of days you want to retain log events. Possible values # are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1096, # 1827, 2192, 2557, 2922, 3288, 3653, and 0. If you select 0, the events in @@ -825,15 +813,6 @@ If set to false, the default security groups will NOT be created. - - - -The list of ports to exclude from the inbound allow all rules in Network ACLs. This is useful for adhering to certain compliance standards like CIS or SOC2 that explicitly deny any allow rule for administrative ports (22, 3389). - - - - - @@ -1108,11 +1087,11 @@ Indicates whether or not the VPC has finished creating diff --git a/docs/reference/services/networking/route-53-hosted-zones.md b/docs/reference/services/networking/route-53-hosted-zones.md index d520ce5cb..caf24eb6a 100644 --- a/docs/reference/services/networking/route-53-hosted-zones.md +++ b/docs/reference/services/networking/route-53-hosted-zones.md @@ -16,11 +16,11 @@ import TabItem from '@theme/TabItem'; import VersionBadge from '../../../../src/components/VersionBadge.tsx'; import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../src/components/HclListItem.tsx'; - + # Route 53 Hosted Zones -View Source +View Source Release Notes @@ -105,7 +105,7 @@ If you’ve never used the Service Catalog before, make sure to read ::: -* [Should you use AWS Route 53 or CloudMap for your DNS entries?](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/modules/networking/route53/core-concepts.md#should-i-use-route53-or-cloud-map) +* [Should you use AWS Route 53 or CloudMap for your DNS entries?](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/modules/networking/route53/core-concepts.md#should-i-use-route53-or-cloud-map) * [AWS Cloud Map Documentation](https://docs.aws.amazon.com/cloud-map/latest/dg/what-is-cloud-map.html): Amazon’s docs for AWS Cloud Map that cover core concepts and configuration. * [Route 53 Documentation](https://docs.aws.amazon.com/route53/): Amazon’s docs for Route 53 that cover core concepts @@ -117,7 +117,7 @@ If you’ve never used the Service Catalog before, make sure to read If you just want to try this repo out for experimenting and learning, check out the following resources: -* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-learning-and-testing): The +* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-learning-and-testing): The `examples/for-learning-and-testing` folder contains standalone sample code optimized for learning, experimenting, and testing (but not direct production usage). @@ -125,7 +125,7 @@ If you just want to try this repo out for experimenting and learning, check out If you want to deploy this repo in production, check out the following resources: -* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-production): The `examples/for-production` folder contains sample code +* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-production): The `examples/for-production` folder contains sample code optimized for direct usage in production. This is code from the [Gruntwork Reference Architecture](https://gruntwork.io/reference-architecture), and it shows you how we build an end-to-end, integrated tech stack on top of the Gruntwork Service Catalog. @@ -144,7 +144,7 @@ If you want to deploy this repo in production, check out the following resources module "route_53" { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/networking/route53?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/networking/route53?ref=v2.6.0" # ---------------------------------------------------------------------------------------------------- # OPTIONAL VARIABLES @@ -183,7 +183,7 @@ module "route_53" { # ------------------------------------------------------------------------------------------------------ terraform { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/networking/route53?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/networking/route53?ref=v2.6.0" } inputs = { @@ -515,12 +515,6 @@ Any types represent complex values of variable type. For details, please consult Whether or not to create ACM TLS certificates for the domain. When true, Route53 certificates will automatically be created for the root domain. Defaults to true. provision_certificates = bool - - Whether or not the certificate can be exported. Valid values are "ENABLED" or "DISABLED". - This setting is immutable after creation - changing it forces certificate replacement. - Note: exportable public certificates incur additional AWS charges. - Requires AWS provider >= 6.4.0. - export = string ``` @@ -627,11 +621,11 @@ A map of domains to resource arns and hosted zones of the created Service Discov diff --git a/docs/reference/services/networking/sns-topics.md b/docs/reference/services/networking/sns-topics.md index e5c46e8be..804d9c9bb 100644 --- a/docs/reference/services/networking/sns-topics.md +++ b/docs/reference/services/networking/sns-topics.md @@ -16,11 +16,11 @@ import TabItem from '@theme/TabItem'; import VersionBadge from '../../../../src/components/VersionBadge.tsx'; import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../src/components/HclListItem.tsx'; - + # Amazon Simple Notification Service -View Source +View Source Release Notes @@ -48,8 +48,8 @@ If you’ve never used the Service Catalog before, make sure to read ::: * [SNS Documentation](https://docs.aws.amazon.com/sns/): Amazon’s docs for SNS that cover core concepts and configuration -* [How do SNS topics work?](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/modules/networking/sns-topics/core-concepts.md#how-do-sns-topics-work) -* [How do I get notified when a message is published to an SNS Topic?](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/modules/networking/sns-topics/core-concepts.md#how-do-i-get-notified) +* [How do SNS topics work?](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/modules/networking/sns-topics/core-concepts.md#how-do-sns-topics-work) +* [How do I get notified when a message is published to an SNS Topic?](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/modules/networking/sns-topics/core-concepts.md#how-do-i-get-notified) ## Deploy @@ -57,7 +57,7 @@ If you’ve never used the Service Catalog before, make sure to read If you just want to try this repo out for experimenting and learning, check out the following resources: -* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-learning-and-testing): The +* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-learning-and-testing): The `examples/for-learning-and-testing` folder contains standalone sample code optimized for learning, experimenting, and testing (but not direct production usage). @@ -65,7 +65,7 @@ If you just want to try this repo out for experimenting and learning, check out If you want to deploy this repo in production, check out the following resources: -* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-production): The `examples/for-production` folder contains sample code +* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-production): The `examples/for-production` folder contains sample code optimized for direct usage in production. This is code from the [Gruntwork Reference Architecture](https://gruntwork.io/reference-architecture), and it shows you how we build an end-to-end, integrated tech stack on top of the Gruntwork Service Catalog. @@ -84,7 +84,7 @@ If you want to deploy this repo in production, check out the following resources module "sns_topics" { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/networking/sns-topics?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/networking/sns-topics?ref=v2.6.0" # ---------------------------------------------------------------------------------------------------- # REQUIRED VARIABLES @@ -112,22 +112,12 @@ module "sns_topics" { # A list of protocols that can be used to subscribe to the SNS topic. allow_subscribe_protocols = ["http","https","email","email-json","sms","sqs","application","lambda"] - # **Requires `enable_fifo = true`.** Flag to enable content-based - # deduplication for the SNS topic. If set to true, messages with identical - # content will be treated as duplicates and only delivered once. For more see - # the [Amazon - # Docs](https://docs.aws.amazon.com/sns/latest/dg/fifo-message-dedup.html) - content_based_deduplication = null - # Set to false to have this module create no resources. This weird parameter # exists solely because Terraform does not support conditional modules. # Therefore, this is a hack to allow you to conditionally decide if the # resources should be created or not. create_resources = true - # Delivery policy for sns topic. - delivery_policy = null - # The display name of the SNS topic display_name = "" @@ -135,36 +125,15 @@ module "sns_topics" { # This will use the CloudWatchNotification class for richer messages. enable_advanced_formatting = false - # Flag to indicate if the SNS topic is FIFO. This will append `.fifo` to the - # name of the topic. - enable_fifo = false - - # ARN of the http failure feedback role - when using delivery policy for sns - # topic. - http_failure_feedback_role_arn = null - - # ARN of the http success feedback role - when using delivery policy for sns - # topic. - http_success_feedback_role_arn = null - # The ID of an AWS-managed customer master key (CMK) for Amazon SNS or a # custom CMK kms_master_key_id = "alias/aws/sns" - # **Requires `enable_fifo = true`.** The number of days (up to 365) for Amazon - # SNS to retain messages. This will be used to create the archive policy for - # the SNS topic. For more see the [Amazon - # Docs](https://docs.aws.amazon.com/sns/latest/dg/message-archiving-and-replay-topic-owner.html) - message_retention_period = null - # The ARN of a Secrets Manager entry that contains the Slack Webhook URL # (e.g., https://hooks.slack.com/services/FOO/BAR/BAZ) that SNS messages are # sent to. slack_webhook_url_secrets_manager_arn = null - # A map of key value pairs to apply as tags to the SNS topic. - tags = {} - } @@ -180,7 +149,7 @@ module "sns_topics" { # ------------------------------------------------------------------------------------------------------ terraform { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/networking/sns-topics?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/networking/sns-topics?ref=v2.6.0" } inputs = { @@ -211,22 +180,12 @@ inputs = { # A list of protocols that can be used to subscribe to the SNS topic. allow_subscribe_protocols = ["http","https","email","email-json","sms","sqs","application","lambda"] - # **Requires `enable_fifo = true`.** Flag to enable content-based - # deduplication for the SNS topic. If set to true, messages with identical - # content will be treated as duplicates and only delivered once. For more see - # the [Amazon - # Docs](https://docs.aws.amazon.com/sns/latest/dg/fifo-message-dedup.html) - content_based_deduplication = null - # Set to false to have this module create no resources. This weird parameter # exists solely because Terraform does not support conditional modules. # Therefore, this is a hack to allow you to conditionally decide if the # resources should be created or not. create_resources = true - # Delivery policy for sns topic. - delivery_policy = null - # The display name of the SNS topic display_name = "" @@ -234,36 +193,15 @@ inputs = { # This will use the CloudWatchNotification class for richer messages. enable_advanced_formatting = false - # Flag to indicate if the SNS topic is FIFO. This will append `.fifo` to the - # name of the topic. - enable_fifo = false - - # ARN of the http failure feedback role - when using delivery policy for sns - # topic. - http_failure_feedback_role_arn = null - - # ARN of the http success feedback role - when using delivery policy for sns - # topic. - http_success_feedback_role_arn = null - # The ID of an AWS-managed customer master key (CMK) for Amazon SNS or a # custom CMK kms_master_key_id = "alias/aws/sns" - # **Requires `enable_fifo = true`.** The number of days (up to 365) for Amazon - # SNS to retain messages. This will be used to create the archive policy for - # the SNS topic. For more see the [Amazon - # Docs](https://docs.aws.amazon.com/sns/latest/dg/message-archiving-and-replay-topic-owner.html) - message_retention_period = null - # The ARN of a Secrets Manager entry that contains the Slack Webhook URL # (e.g., https://hooks.slack.com/services/FOO/BAR/BAZ) that SNS messages are # sent to. slack_webhook_url_secrets_manager_arn = null - # A map of key value pairs to apply as tags to the SNS topic. - tags = {} - } @@ -343,15 +281,6 @@ A list of protocols that can be used to subscribe to the SNS topic. - - - -**Requires `enable_fifo = true`.** Flag to enable content-based deduplication for the SNS topic. If set to true, messages with identical content will be treated as duplicates and only delivered once. For more see the [Amazon Docs](https://docs.aws.amazon.com/sns/latest/dg/fifo-message-dedup.html) - - - - - @@ -361,15 +290,6 @@ Set to false to have this module create no resources. This weird parameter exist - - - -Delivery policy for sns topic. - - - - - @@ -388,33 +308,6 @@ Set to true to enable advanced formatting for CloudWatch alarms in Slack. This w - - - -Flag to indicate if the SNS topic is FIFO. This will append `.fifo` to the name of the topic. - - - - - - - - -ARN of the http failure feedback role - when using delivery policy for sns topic. - - - - - - - - -ARN of the http success feedback role - when using delivery policy for sns topic. - - - - - @@ -424,15 +317,6 @@ The ID of an AWS-managed customer master key (CMK) for Amazon SNS or a custom CM - - - -**Requires `enable_fifo = true`.** The number of days (up to 365) for Amazon SNS to retain messages. This will be used to create the archive policy for the SNS topic. For more see the [Amazon Docs](https://docs.aws.amazon.com/sns/latest/dg/message-archiving-and-replay-topic-owner.html) - - - - - @@ -442,15 +326,6 @@ The ARN of a Secrets Manager entry that contains the Slack Webhook URL (e.g., ht - - - -A map of key value pairs to apply as tags to the SNS topic. - - - - - @@ -468,11 +343,11 @@ The ARN of the SNS topic. diff --git a/docs/reference/services/networking/virtual-private-cloud-vpc.md b/docs/reference/services/networking/virtual-private-cloud-vpc.md index 649419b1f..43e040048 100644 --- a/docs/reference/services/networking/virtual-private-cloud-vpc.md +++ b/docs/reference/services/networking/virtual-private-cloud-vpc.md @@ -16,11 +16,11 @@ import TabItem from '@theme/TabItem'; import VersionBadge from '../../../../src/components/VersionBadge.tsx'; import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../src/components/HclListItem.tsx'; - + # VPC -View Source +View Source Release Notes @@ -65,9 +65,9 @@ documentation in the [terraform-aws-vpc](https://github.com/gruntwork-io/terrafo ### Repo organization -* [modules](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/modules): The main implementation code for this repo, broken down into multiple standalone, orthogonal submodules. -* [examples](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples): This folder contains working examples of how to use the submodules. -* [test](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/test): Automated tests for the modules and examples. +* [modules](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/modules): The main implementation code for this repo, broken down into multiple standalone, orthogonal submodules. +* [examples](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples): This folder contains working examples of how to use the submodules. +* [test](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/test): Automated tests for the modules and examples. ## Deploy @@ -75,7 +75,7 @@ documentation in the [terraform-aws-vpc](https://github.com/gruntwork-io/terrafo If you just want to try this repo out for experimenting and learning, check out the following resources: -* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-learning-and-testing): The +* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-learning-and-testing): The `examples/for-learning-and-testing` folder contains standalone sample code optimized for learning, experimenting, and testing (but not direct production usage). @@ -83,7 +83,7 @@ If you just want to try this repo out for experimenting and learning, check out If you want to deploy this repo in production, check out the following resources: -* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-production): The `examples/for-production` folder contains sample code +* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-production): The `examples/for-production` folder contains sample code optimized for direct usage in production. This is code from the [Gruntwork Reference Architecture](https://gruntwork.io/reference-architecture), and it shows you how we build an end-to-end, integrated tech stack on top of the Gruntwork Service Catalog. @@ -105,7 +105,7 @@ If you want to deploy this repo in production, check out the following resources module "vpc" { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/networking/vpc?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/networking/vpc?ref=v2.6.0" # ---------------------------------------------------------------------------------------------------- # REQUIRED VARIABLES @@ -384,12 +384,6 @@ module "vpc" { # 'var.create_transit_subnets = true'. Defaults false. enable_private_nat = false - # The list of ports to exclude from the inbound allow all rules in Network - # ACLs. This is useful for adhering to certain compliance standards like CIS - # or SOC2 that explicitly deny any allow rule for administrative ports (22, - # 3389). - exclude_ports_from_inbound_all = [] - # Additional IAM policies to apply to the S3 bucket to store flow logs. You # can use this to grant read/write access beyond what is provided to the VPC. # This should be a map, where each key is a unique statement ID (SID), and @@ -867,7 +861,7 @@ module "vpc" { # ------------------------------------------------------------------------------------------------------ terraform { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/networking/vpc?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/networking/vpc?ref=v2.6.0" } inputs = { @@ -1149,12 +1143,6 @@ inputs = { # 'var.create_transit_subnets = true'. Defaults false. enable_private_nat = false - # The list of ports to exclude from the inbound allow all rules in Network - # ACLs. This is useful for adhering to certain compliance standards like CIS - # or SOC2 that explicitly deny any allow rule for administrative ports (22, - # 3389). - exclude_ports_from_inbound_all = [] - # Additional IAM policies to apply to the S3 bucket to store flow logs. You # can use this to grant read/write access beyond what is provided to the VPC. # This should be a map, where each key is a unique statement ID (SID), and @@ -2228,15 +2216,6 @@ If set to false, the default security groups will NOT be created. - - - -The list of ports to exclude from the inbound allow all rules in Network ACLs. This is useful for adhering to certain compliance standards like CIS or SOC2 that explicitly deny any allow rule for administrative ports (22, 3389). - - - - - @@ -3633,11 +3612,11 @@ Indicates whether or not the VPC has finished creating diff --git a/docs/reference/services/security/bastion.md b/docs/reference/services/security/bastion.md index 02f4f6c88..d9a72ed23 100644 --- a/docs/reference/services/security/bastion.md +++ b/docs/reference/services/security/bastion.md @@ -16,11 +16,11 @@ import TabItem from '@theme/TabItem'; import VersionBadge from '../../../../src/components/VersionBadge.tsx'; import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../src/components/HclListItem.tsx'; - + # Bastion Host -View Source +View Source Release Notes @@ -87,7 +87,7 @@ The bastion host AMI is defined using the [Packer](https://www.packer.io/) templ If you just want to try this repo out for experimenting and learning, check out the following resources: -* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-learning-and-testing): The +* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-learning-and-testing): The `examples/for-learning-and-testing` folder contains standalone sample code optimized for learning, experimenting, and testing (but not direct production usage). @@ -95,7 +95,7 @@ If you just want to try this repo out for experimenting and learning, check out If you want to deploy this repo in production, check out the following resources: -* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-production): The `examples/for-production` folder contains sample code +* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-production): The `examples/for-production` folder contains sample code optimized for direct usage in production. This is code from the [Gruntwork Reference Architecture](https://gruntwork.io/reference-architecture), and it shows you how we build an end-to-end, integrated tech stack on top of the Gruntwork Service Catalog, configure CI / CD for your apps and @@ -115,7 +115,7 @@ If you want to deploy this repo in production, check out the following resources module "bastion_host" { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/mgmt/bastion-host?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/mgmt/bastion-host?ref=v2.6.0" # ---------------------------------------------------------------------------------------------------- # REQUIRED VARIABLES @@ -346,7 +346,7 @@ module "bastion_host" { # ------------------------------------------------------------------------------------------------------ terraform { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/mgmt/bastion-host?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/mgmt/bastion-host?ref=v2.6.0" } inputs = { @@ -1076,11 +1076,11 @@ The fully qualified name of the bastion host. diff --git a/docs/reference/services/security/open-vpn.md b/docs/reference/services/security/open-vpn.md index ff3aac549..48343d223 100644 --- a/docs/reference/services/security/open-vpn.md +++ b/docs/reference/services/security/open-vpn.md @@ -16,11 +16,11 @@ import TabItem from '@theme/TabItem'; import VersionBadge from '../../../../src/components/VersionBadge.tsx'; import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../src/components/HclListItem.tsx'; - + # OpenVPN Server -View Source +View Source Release Notes @@ -74,7 +74,7 @@ documentation in the [package-openvpn](https://github.com/gruntwork-io/terraform If you just want to try this repo out for experimenting and learning, check out the following resources: -* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-learning-and-testing): The +* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-learning-and-testing): The `examples/for-learning-and-testing` folder contains standalone sample code optimized for learning, experimenting, and testing (but not direct production usage). @@ -82,7 +82,7 @@ If you just want to try this repo out for experimenting and learning, check out If you want to deploy this repo in production, check out the following resources: -* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-production): The `examples/for-production` folder contains sample code +* [examples/for-production folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-production): The `examples/for-production` folder contains sample code optimized for direct usage in production. This is code from the [Gruntwork Reference Architecture](https://gruntwork.io/reference-architecture/), and it shows you how we build an end-to-end, integrated tech stack on top of the Gruntwork Service Catalog, configure CI / CD for your apps and @@ -102,7 +102,7 @@ If you want to deploy this repo in production, check out the following resources module "openvpn_server" { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/mgmt/openvpn-server?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/mgmt/openvpn-server?ref=v2.6.0" # ---------------------------------------------------------------------------------------------------- # REQUIRED VARIABLES @@ -441,7 +441,7 @@ module "openvpn_server" { # ------------------------------------------------------------------------------------------------------ terraform { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/mgmt/openvpn-server?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/mgmt/openvpn-server?ref=v2.6.0" } inputs = { @@ -1539,11 +1539,11 @@ The security group ID of the OpenVPN server. diff --git a/docs/reference/services/security/tailscale-subnet-router.md b/docs/reference/services/security/tailscale-subnet-router.md index 46702c18f..86080d557 100644 --- a/docs/reference/services/security/tailscale-subnet-router.md +++ b/docs/reference/services/security/tailscale-subnet-router.md @@ -16,11 +16,11 @@ import TabItem from '@theme/TabItem'; import VersionBadge from '../../../../src/components/VersionBadge.tsx'; import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../src/components/HclListItem.tsx'; - + # Tailscale Subnet Router -View Source +View Source Release Notes @@ -77,7 +77,7 @@ If you’ve never used the Service Catalog before, make sure to read If you just want to try this repo out for experimenting and learning, check out the following resources: -* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/examples/for-learning-and-testing): The +* [examples/for-learning-and-testing folder](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/examples/for-learning-and-testing): The `examples/for-learning-and-testing` folder contains standalone sample code optimized for learning, experimenting, and testing (but not direct production usage). @@ -94,7 +94,7 @@ access services within your VPC through the tailnet. ### What AMI should I use? -Any AMI can be used with this module, provided that the [install-tailscale](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/modules/mgmt/tailscale-subnet-router/scripts/install-tailscale.sh) script is installed +Any AMI can be used with this module, provided that the [install-tailscale](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/modules/mgmt/tailscale-subnet-router/scripts/install-tailscale.sh) script is installed into the AMI. The `install-tailscale` script ensures that Tailscale is installed with the `init-tailscale-subnet-router` boot script, which can be used to load the auth key from AWS Secrets Manager to authenticate to Tailscale at boot time. @@ -150,7 +150,7 @@ resource "aws_iam_role_policy_attachment" "attachment" { module "tailscale_subnet_router" { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/mgmt/tailscale-subnet-router?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/mgmt/tailscale-subnet-router?ref=v2.6.0" # ---------------------------------------------------------------------------------------------------- # REQUIRED VARIABLES @@ -386,7 +386,7 @@ module "tailscale_subnet_router" { # ------------------------------------------------------------------------------------------------------ terraform { - source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/mgmt/tailscale-subnet-router?ref=v2.5.0" + source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/mgmt/tailscale-subnet-router?ref=v2.6.0" } inputs = { @@ -1094,11 +1094,11 @@ ID of the primary security group attached to the Tailscale relay server. diff --git a/docs/reference/services/security/tls-scripts.md b/docs/reference/services/security/tls-scripts.md index 24fcf6abc..f34d634fa 100644 --- a/docs/reference/services/security/tls-scripts.md +++ b/docs/reference/services/security/tls-scripts.md @@ -16,11 +16,11 @@ import TabItem from '@theme/TabItem'; import VersionBadge from '../../../../src/components/VersionBadge.tsx'; import { HclListItem, HclListItemDescription, HclListItemTypeDetails, HclListItemDefaultValue, HclGeneralListItem } from '../../../../src/components/HclListItem.tsx'; - + # TLS Scripts -View Source +View Source Release Notes @@ -54,33 +54,33 @@ If you’ve never used the Service Catalog before, make sure to read ### About TLS -* [How does TLS/SSL work?](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/modules/tls-scripts/core-concepts.md#how-does-tlsssl-work) -* [What are commercial or public Certificate Authorities?](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/modules/tls-scripts/core-concepts.md#what-are-commercial-or-public-certificate-authorities) -* [How does Gruntwork generate a TLS cert for private services?](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/modules/tls-scripts/core-concepts.md#how-does-gruntwork-generate-a-tls-cert-for-private-services) +* [How does TLS/SSL work?](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/modules/tls-scripts/core-concepts.md#how-does-tlsssl-work) +* [What are commercial or public Certificate Authorities?](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/modules/tls-scripts/core-concepts.md#what-are-commercial-or-public-certificate-authorities) +* [How does Gruntwork generate a TLS cert for private services?](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/modules/tls-scripts/core-concepts.md#how-does-gruntwork-generate-a-tls-cert-for-private-services) ### About the scripts specifically -* [How does create-tls-cert work?](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/modules/tls-scripts/core-concepts.md#how-does-create-tls-cert-work) -* [How does download-rds-ca-certs work?](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/modules/tls-scripts/core-concepts.md#how-does-download-rds-ca-certs-work) -* [How does generate-trust-stores work?](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/modules/tls-scripts/core-concepts.md#how-does-generate-trust-stores-work) +* [How does create-tls-cert work?](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/modules/tls-scripts/core-concepts.md#how-does-create-tls-cert-work) +* [How does download-rds-ca-certs work?](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/modules/tls-scripts/core-concepts.md#how-does-download-rds-ca-certs-work) +* [How does generate-trust-stores work?](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/modules/tls-scripts/core-concepts.md#how-does-generate-trust-stores-work) ## Deploy ### Running -* [How do I run these scripts using Docker?](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/modules/tls-scripts/core-concepts.md#how-do-i-run-these-scripts-using-docker) -* [How do I create self-signed TLS certs?](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/modules/tls-scripts/core-concepts.md#how-do-i-create-self-signed-tls-certs) -* [Should I store certs in AWS Secrets Manager or Amazon Certificate Manager?](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/modules/tls-scripts/core-concepts.md#should-i-store-certs-in-aws-secrets-manager-or-amazon-certificate-manager) -* [Generating self-signed certs for local dev and testing](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/modules/tls-scripts/core-concepts.md#generating-self-signed-certs-for-local-dev-and-testing) -* [Generating self-signed certs for prod, encrypting certs locally with KMS](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/modules/tls-scripts/core-concepts.md#generating-self-signed-certs-for-prod-encrypting-certs-locally-with-kms) -* [Generating self-signed certs for prod, using AWS Secrets Manager for storage](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/modules/tls-scripts/core-concepts.md#generating-self-signed-certs-for-prod-using-aws-secrets-manager-for-storage) -* [Generating self-signed certs for prod, using Amazon Certificate Manager for storage](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/modules/tls-scripts/core-concepts.md#generating-self-signed-certs-for-prod-using-amazon-certificate-manager-for-storage) -* [How do I download CA public keys for validating RDS TLS connections?](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/modules/tls-scripts/core-concepts.md#how-do-i-download-CA-public-keys-for-validating-rds-tls-connections) -* [How do I generate key stores and trust stores to manage TLS certificates for JVM apps?](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/modules/tls-scripts/core-concepts.md#how-do-i-generate-key-stores-and-trust-stores-to-manage-tls-certificates-for-jvm-apps) +* [How do I run these scripts using Docker?](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/modules/tls-scripts/core-concepts.md#how-do-i-run-these-scripts-using-docker) +* [How do I create self-signed TLS certs?](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/modules/tls-scripts/core-concepts.md#how-do-i-create-self-signed-tls-certs) +* [Should I store certs in AWS Secrets Manager or Amazon Certificate Manager?](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/modules/tls-scripts/core-concepts.md#should-i-store-certs-in-aws-secrets-manager-or-amazon-certificate-manager) +* [Generating self-signed certs for local dev and testing](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/modules/tls-scripts/core-concepts.md#generating-self-signed-certs-for-local-dev-and-testing) +* [Generating self-signed certs for prod, encrypting certs locally with KMS](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/modules/tls-scripts/core-concepts.md#generating-self-signed-certs-for-prod-encrypting-certs-locally-with-kms) +* [Generating self-signed certs for prod, using AWS Secrets Manager for storage](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/modules/tls-scripts/core-concepts.md#generating-self-signed-certs-for-prod-using-aws-secrets-manager-for-storage) +* [Generating self-signed certs for prod, using Amazon Certificate Manager for storage](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/modules/tls-scripts/core-concepts.md#generating-self-signed-certs-for-prod-using-amazon-certificate-manager-for-storage) +* [How do I download CA public keys for validating RDS TLS connections?](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/modules/tls-scripts/core-concepts.md#how-do-i-download-CA-public-keys-for-validating-rds-tls-connections) +* [How do I generate key stores and trust stores to manage TLS certificates for JVM apps?](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/modules/tls-scripts/core-concepts.md#how-do-i-generate-key-stores-and-trust-stores-to-manage-tls-certificates-for-jvm-apps) ### Testing -* [How do I test these scripts using Docker?](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.5.0/modules/tls-scripts/core-concepts.md#how-do-i-test-these-scripts-using-docker) +* [How do I test these scripts using Docker?](https://github.com/gruntwork-io/terraform-aws-service-catalog/tree/v2.6.0/modules/tls-scripts/core-concepts.md#how-do-i-test-these-scripts-using-docker) @@ -105,11 +105,11 @@ If you’ve never used the Service Catalog before, make sure to read