This repository has been archived by the owner on Sep 27, 2024. It is now read-only.

BATIAI-2244 - Updating patching variables to allow for override #133

Open
wants to merge 6 commits into
base: main
6 changes: 5 additions & 1 deletion README.md
Expand Up @@ -170,6 +170,7 @@ Note that this example may create resources which cost money. Run `terraform des
| <a name="input_create_cosign_iam_role"></a> [create\_cosign\_iam\_role](#input\_create\_cosign\_iam\_role) | Flag to create Cosign IAM role | `bool` | `false` | no |
| <a name="input_custom_node_policy_arns"></a> [custom\_node\_policy\_arns](#input\_custom\_node\_policy\_arns) | Custom node policy arns | `set(string)` | `[]` | no |
| <a name="input_custom_node_pools"></a> [custom\_node\_pools](#input\_custom\_node\_pools) | n/a | `any` | `{}` | no |
| <a name="input_enable_cms_cloud_ssm_policy"></a> [enable\_cms\_cloud\_ssm\_policy](#input\_enable\_cms\_cloud\_ssm\_policy) | Enables SSM cloud policy for patching OS on instances | `bool` | `false` | no |
| <a name="input_enable_eks_managed_nodes"></a> [enable\_eks\_managed\_nodes](#input\_enable\_eks\_managed\_nodes) | Enables eks managed nodes | `bool` | `false` | no |
| <a name="input_enable_hoplimit"></a> [enable\_hoplimit](#input\_enable\_hoplimit) | Enables a IMDSv2 hop limit of 1 on all nodes. Defaults to false | `bool` | `false` | no |
| <a name="input_enable_self_managed_nodes"></a> [enable\_self\_managed\_nodes](#input\_enable\_self\_managed\_nodes) | Enables self managed nodes | `bool` | `true` | no |
Expand All @@ -192,9 +193,11 @@ Note that this example may create resources which cost money. Run `terraform des
| <a name="input_openid_connect_audiences"></a> [openid\_connect\_audiences](#input\_openid\_connect\_audiences) | OpenID Connect Audiences | `list(string)` | `[]` | no |
| <a name="input_private_subnets"></a> [private\_subnets](#input\_private\_subnets) | n/a | `list(any)` | n/a | yes |
| <a name="input_s3_bucket_access_grants"></a> [s3\_bucket\_access\_grants](#input\_s3\_bucket\_access\_grants) | A list of s3 bucket names to grant the cluster roles R/W access to | `list(string)` | `null` | no |
| <a name="input_ssm_DevTestImpl_patch_window"></a> [ssm\_DevTestImpl\_patch\_window](#input\_ssm\_DevTestImpl\_patch\_window) | SSM Patching window for Dev, Test, and Impl env instances. For more information: https://cloud.cms.gov/patching-prerequisites | `string` | `"ITOPS-Wave1-Non-Mktplc-DevTestImpl-MW"` | no |
| <a name="input_ssm_iam_patching_policy"></a> [ssm\_iam\_patching\_policy](#input\_ssm\_iam\_patching\_policy) | SSM IAM policy for patching | `string` | `"cms-cloud-ssm-iam-policy-v3"` | no |
| <a name="input_ssm_override_patch_window"></a> [ssm\_override\_patch\_window](#input\_ssm\_override\_patch\_window) | Patching window override variable | `string` | `""` | no |
| <a name="input_ssm_prod_patch_window"></a> [ssm\_prod\_patch\_window](#input\_ssm\_prod\_patch\_window) | SSM Patching window for Prod env instances. For more information: https://cloud.cms.gov/patching-prerequisites | `string` | `"ITOPS-Wave1-Non-Mktplc-Prod-MW"` | no |
| <a name="input_ssm_tag_patch_group"></a> [ssm\_tag\_patch\_group](#input\_ssm\_tag\_patch\_group) | SSM Patching group for instances. For more information: https://cloud.cms.gov/patching-prerequisites | `string` | `"AL2"` | no |
| <a name="input_ssm_tag_patch_window"></a> [ssm\_tag\_patch\_window](#input\_ssm\_tag\_patch\_window) | SSM Patching window for instances. For more information: https://cloud.cms.gov/patching-prerequisites | `string` | `"ITOPS-Wave1-Non-Mktplc-DevTestImpl-MW"` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | Global resource tags to apply to all resources | `map(any)` | `null` | no |
| <a name="input_vpc_cidr_blocks"></a> [vpc\_cidr\_blocks](#input\_vpc\_cidr\_blocks) | List of VPC CIDR blocks | `list(string)` | n/a | yes |
| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | n/a | `string` | n/a | yes |
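Review bot: The new row for `ssm_override_patch_window` describes it only as "Patching window override variable", which tells a module consumer nothing about what it overrides (the Prod or Dev/Test/Impl window otherwise chosen from the environment) or that an empty string disables it. This table has the terraform-docs layout, so the wording should be fixed in the `description` in variables.tf and the README regenerated rather than hand-edited here; the same applies to the `n/a` descriptions that remain in the table.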
Expand Down Expand Up @@ -227,6 +230,7 @@ Note that this example may create resources which cost money. Run `terraform des
| <a name="output_cosign_iam_role_arn"></a> [cosign\_iam\_role\_arn](#output\_cosign\_iam\_role\_arn) | n/a |
| <a name="output_eks_managed_node_group"></a> [eks\_managed\_node\_group](#output\_eks\_managed\_node\_group) | ARNs of all self managed node groups created |
| <a name="output_fargate_profiles"></a> [fargate\_profiles](#output\_fargate\_profiles) | Map of attribute maps for all EKS Fargate Profiles created |
| <a name="output_instance_tags"></a> [instance\_tags](#output\_instance\_tags) | n/a |
| <a name="output_node_security_group_arn"></a> [node\_security\_group\_arn](#output\_node\_security\_group\_arn) | Amazon Resource Name (ARN) of the node shared security group |
| <a name="output_node_security_group_id"></a> [node\_security\_group\_id](#output\_node\_security\_group\_id) | ID of the node shared security group |
| <a name="output_oidc_provider_arn"></a> [oidc\_provider\_arn](#output\_oidc\_provider\_arn) | The ARN of the OIDC Provider if `enable_irsa = true` |
4 changes: 2 additions & 2 deletions iam.tf
Expand Up @@ -186,13 +186,13 @@ resource "aws_iam_policy" "ssm_managed_instance" {
}

data "aws_iam_policy" "ssm_patching_policy" {
count = var.enable_ssm_patching ? 1 : 0
count = (var.enable_ssm_patching || var.enable_cms_cloud_ssm_policy) ? 1 : 0
name = var.ssm_iam_patching_policy
}

# ssm patching policy attachment
resource "aws_iam_role_policy_attachment" "ssm_patching_policy_attachment" {
count = var.enable_ssm_patching ? 1 : 0
count = (var.enable_ssm_patching || var.enable_cms_cloud_ssm_policy) ? 1 : 0
role = aws_iam_role.eks_node.name
policy_arn = data.aws_iam_policy.ssm_patching_policy[0].arn
}
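Review bot: With `count = (var.enable_ssm_patching || var.enable_cms_cloud_ssm_policy) ? 1 : 0` on both the data source and the attachment, setting only `enable_cms_cloud_ssm_policy` attaches the patching IAM policy to `aws_iam_role.eks_node` while main.tf still gates the `Patch Group` / `Patch Window` tags on `var.enable_ssm_patching` alone, so nodes receive the permissions without being enrolled in any patch window. If the new flag is meant to be independent, say so in its description and document what it adds beyond `enable_ssm_patching`; if it is meant to imply patching, gate the tags on the same expression. Either way the expression is now duplicated in two blocks and will drift; compute it once in a `local` (for example `attach_ssm_patching_policy`) and reference that from both `count` arguments.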
14 changes: 12 additions & 2 deletions main.tf
Expand Up @@ -129,8 +129,18 @@ locals {
## https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group#instance_refresh
instance_refresh = lookup(v, "instance_refresh", {})
} }
instance_policy_tags = var.enable_ssm_patching ? { "Patch Group" = var.ssm_tag_patch_group, "Patch Window" = var.ssm_tag_patch_window } : {}
instance_tags = merge(local.instance_policy_tags, var.instance_tags)

# Applying necessary tags for SSM OS patching
patch_group_tags = var.enable_ssm_patching ? { "Patch Group" = var.ssm_tag_patch_group } : {}
patch_window_map = {
prod = var.ssm_prod_patch_window
dev = var.ssm_DevTestImpl_patch_window
test = var.ssm_DevTestImpl_patch_window
nonprod = var.ssm_DevTestImpl_patch_window
impl = var.ssm_DevTestImpl_patch_window
}
patch_window_tags = var.enable_ssm_patching ? { "Patch Window" = var.ssm_override_patch_window != "" ? var.ssm_prod_patch_window : lookup(local.patch_window_map, var.environment, local.patch_window_map["dev"]) } : {}
instance_tags = merge(local.patch_group_tags, local.patch_window_tags, var.instance_tags)

# Allow ingress to the control plane from the delete_ebs_volumes lambda (if it exists)
delete_ebs_volumes_lambda_sg_id = one(data.aws_security_groups.delete_ebs_volumes_lambda_security_group.ids)
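Review bot: The override branch in `patch_window_tags` never uses the override value. When `var.ssm_override_patch_window != ""` the expression yields `var.ssm_prod_patch_window`, so any override collapses to the Prod window and the value the caller supplied is discarded; the true branch should be `var.ssm_override_patch_window`, i.e. `"Patch Window" = var.ssm_override_patch_window != "" ? var.ssm_override_patch_window : lookup(local.patch_window_map, var.environment, local.patch_window_map["dev"])`. Separately, the `lookup` falls back silently to the Dev window for any `var.environment` value not in `patch_window_map`, which for a misspelled production environment would place production nodes on the non-prod patch schedule; a `validation` block on `var.environment` restricted to the map's keys would surface that at plan time instead.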
4 changes: 4 additions & 0 deletions outputs.tf
Expand Up @@ -184,3 +184,7 @@ output "batcave_alb_shared_dns" {
description = "DNS value of ALB created for proxying requests through an ALB in the shared subnet"
value = var.create_alb_shared ? aws_lb.batcave_alb_shared[0].dns_name : ""
}

output "instance_tags" {
value = var.instance_tags
}
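Review bot: `output "instance_tags"` returns `var.instance_tags`, which is just the caller's own input echoed back, not the merged `local.instance_tags` that main.tf builds with the `Patch Group` and `Patch Window` tags, so the output cannot be used to confirm which patching tags the nodes actually received. Use `value = local.instance_tags` and add a `description` (the README row for this output currently shows `n/a`).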
22 changes: 20 additions & 2 deletions variables.tf
Expand Up @@ -343,6 +343,12 @@ variable "enable_ssm_patching" {
description = "Enables Systems Manager to patch nodes"
}

variable "enable_cms_cloud_ssm_policy" {
type = bool
default = false
description = "Enables SSM cloud policy for patching OS on instances"
}

variable "ssm_iam_patching_policy" {
type = string
default = "cms-cloud-ssm-iam-policy-v3"
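Review bot: The description of `enable_cms_cloud_ssm_policy` ("Enables SSM cloud policy for patching OS on instances") is nearly indistinguishable from the existing `enable_ssm_patching` ("Enables Systems Manager to patch nodes"), and as wired in iam.tf the new flag only adds the policy attachment. Spell out the difference and when a consumer should set one, both, or neither; as written, most callers will set both and get no additional effect from the second.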
Expand All @@ -355,8 +361,20 @@ variable "ssm_tag_patch_group" {
description = "SSM Patching group for instances. For more information: https://cloud.cms.gov/patching-prerequisites"
}

variable "ssm_tag_patch_window" {
variable "ssm_DevTestImpl_patch_window" {
type = string
default = "ITOPS-Wave1-Non-Mktplc-DevTestImpl-MW"
description = "SSM Patching window for instances. For more information: https://cloud.cms.gov/patching-prerequisites"
description = "SSM Patching window for Dev, Test, and Impl env instances. For more information: https://cloud.cms.gov/patching-prerequisites"
}

variable "ssm_prod_patch_window" {
type = string
default = "ITOPS-Wave1-Non-Mktplc-Prod-MW"
description = "SSM Patching window for Prod env instances. For more information: https://cloud.cms.gov/patching-prerequisites"
}

variable "ssm_override_patch_window" {
type = string
default = ""
description = "Patching window override variable"
}
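Review bot: Renaming `ssm_tag_patch_window` to `ssm_DevTestImpl_patch_window` is a breaking change for every caller that passes the old name, since Terraform rejects undeclared input variables, and it is the only variable in this file with mixed-case naming; use a snake_case name (for example `ssm_devtestimpl_patch_window`) and consider keeping `ssm_tag_patch_window` for a deprecation cycle, mapping it onto the new variable in locals. `ssm_override_patch_window` also needs a description that states it replaces the environment-derived window whenever it is non-empty, so that consumers understand the precedence without reading main.tf.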