diff --git a/README.md b/README.md
index 6f39dde6..4a06731d 100644
--- a/README.md
+++ b/README.md
@@ -112,10 +112,6 @@ Upgrades must be executed in step-wise fashion from one version to the next. You
-### Notes on EKS Add-ons
-If a terraform apply fails because an add-on is already installed, remove the add-on using the AWS console or the AWS
-CLI and re-run the apply. Running pods will not be impacted.
-
## Requirements
| Name | Version |
@@ -139,16 +135,19 @@ CLI and re-run the apply. Running pods will not be impacted.
| [app\_lb](#module\_app\_lb) | ./modules/app_lb | n/a |
| [database](#module\_database) | ./modules/database | n/a |
| [file\_storage](#module\_file\_storage) | ./modules/file_storage | n/a |
+| [iam\_role](#module\_iam\_role) | ./modules/iam_role | n/a |
| [kms](#module\_kms) | ./modules/kms | n/a |
| [networking](#module\_networking) | ./modules/networking | n/a |
| [private\_link](#module\_private\_link) | ./modules/private_link | n/a |
| [redis](#module\_redis) | ./modules/redis | n/a |
+| [s3\_endpoint](#module\_s3\_endpoint) | ./modules/endpoint | n/a |
| [wandb](#module\_wandb) | wandb/wandb/helm | 1.2.0 |
## Resources
| Name | Type |
|------|------|
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
| [aws_s3_bucket.file_storage](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_bucket) | data source |
| [aws_sqs_queue.file_storage](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/sqs_queue) | data source |
@@ -159,9 +158,10 @@ CLI and re-run the apply. Running pods will not be impacted.
| [acm\_certificate\_arn](#input\_acm\_certificate\_arn) | The ARN of an existing ACM certificate. | `string` | `null` | no |
| [allowed\_inbound\_cidr](#input\_allowed\_inbound\_cidr) | CIDRs allowed to access wandb-server. | `list(string)` | n/a | yes |
| [allowed\_inbound\_ipv6\_cidr](#input\_allowed\_inbound\_ipv6\_cidr) | CIDRs allowed to access wandb-server. | `list(string)` | n/a | yes |
+| [allowed\_private\_endpoint\_cidr](#input\_allowed\_private\_endpoint\_cidr) | Private CIDRs allowed to access wandb-server. | `list(string)` | `[]` | no |
| [app\_wandb\_env](#input\_app\_wandb\_env) | Extra environment variables for W&B | `map(string)` | `{}` | no |
| [aws\_loadbalancer\_controller\_tags](#input\_aws\_loadbalancer\_controller\_tags) | (Optional) A map of AWS tags to apply to all resources managed by the load balancer controller | `map(string)` | `{}` | no |
-| [bucket\_kms\_key\_arn](#input\_bucket\_kms\_key\_arn) | The Amazon Resource Name of the KMS key with which S3 storage bucket objects will be encrypted. | `string` | `""` | no |
+| [bucket\_kms\_key\_arn](#input\_bucket\_kms\_key\_arn) | n/a | `string` | `""` | no |
| [bucket\_name](#input\_bucket\_name) | n/a | `string` | `""` | no |
| [create\_bucket](#input\_create\_bucket) | ######################################### External Bucket # ######################################### Most users will not need these settings. They are ment for users who want a bucket and sqs that are in a different account. | `bool` | `true` | no |
| [create\_elasticache](#input\_create\_elasticache) | Boolean indicating whether to provision an elasticache instance (true) or not (false). | `bool` | `true` | no |
@@ -171,9 +171,10 @@ CLI and re-run the apply. Running pods will not be impacted.
| [database\_engine\_version](#input\_database\_engine\_version) | Version for MySQL Auora | `string` | `"8.0.mysql_aurora.3.05.2"` | no |
| [database\_innodb\_lru\_scan\_depth](#input\_database\_innodb\_lru\_scan\_depth) | Specifies the innodb\_lru\_scan\_depth value to set for the database | `number` | `128` | no |
| [database\_instance\_class](#input\_database\_instance\_class) | Instance type to use by database master instance. | `string` | `"db.r5.large"` | no |
+| [database\_kms\_key\_arn](#input\_database\_kms\_key\_arn) | n/a | `string` | `""` | no |
| [database\_master\_username](#input\_database\_master\_username) | Specifies the master\_username value to set for the database | `string` | `"wandb"` | no |
| [database\_name](#input\_database\_name) | Specifies the name of the database | `string` | `"wandb_local"` | no |
-| [database\_performance\_insights\_kms\_key\_arn](#input\_database\_performance\_insights\_kms\_key\_arn) | Specifies an existing KMS key ARN to encrypt the performance insights data if performance\_insights\_enabled is was enabled out of band | `string` | `null` | no |
+| [database\_performance\_insights\_kms\_key\_arn](#input\_database\_performance\_insights\_kms\_key\_arn) | Specifies an existing KMS key ARN to encrypt the performance insights data if performance\_insights\_enabled is was enabled out of band | `string` | `""` | no |
| [database\_snapshot\_identifier](#input\_database\_snapshot\_identifier) | Specifies whether or not to create this cluster from a snapshot. You can use either the name or ARN when specifying a DB cluster snapshot, or the ARN when specifying a DB snapshot | `string` | `null` | no |
| [database\_sort\_buffer\_size](#input\_database\_sort\_buffer\_size) | Specifies the sort\_buffer\_size value to set for the database | `number` | `67108864` | no |
| [deletion\_protection](#input\_deletion\_protection) | If the instance should have deletion protection enabled. The database / S3 can't be deleted when this value is set to `true`. | `bool` | `true` | no |
@@ -183,6 +184,7 @@ CLI and re-run the apply. Running pods will not be impacted.
| [elasticache\_node\_type](#input\_elasticache\_node\_type) | The type of the redis cache node to deploy | `string` | `"cache.t2.medium"` | no |
| [enable\_dummy\_dns](#input\_enable\_dummy\_dns) | Boolean indicating whether or not to enable dummy DNS for the old alb | `bool` | `false` | no |
| [enable\_operator\_alb](#input\_enable\_operator\_alb) | Boolean indicating whether to use operatore ALB (true) or not (false). | `bool` | `false` | no |
+| [enable\_yace](#input\_enable\_yace) | deploy yet another cloudwatch exporter to fetch aws resources metrics | `bool` | `true` | no |
| [external\_dns](#input\_external\_dns) | Using external DNS. A `subdomain` must also be specified if this value is true. | `bool` | `false` | no |
| [extra\_fqdn](#input\_extra\_fqdn) | Additional fqdn's must be in the same hosted zone as `domain_name`. | `list(string)` | `[]` | no |
| [kms\_key\_alias](#input\_kms\_key\_alias) | KMS key alias for AWS KMS Customer managed key. | `string` | `null` | no |
@@ -212,6 +214,7 @@ CLI and re-run the apply. Running pods will not be impacted.
| [other\_wandb\_env](#input\_other\_wandb\_env) | Extra environment variables for W&B | `map(any)` | `{}` | no |
| [parquet\_wandb\_env](#input\_parquet\_wandb\_env) | Extra environment variables for W&B | `map(string)` | `{}` | no |
| [private\_link\_allowed\_account\_ids](#input\_private\_link\_allowed\_account\_ids) | List of AWS account IDs allowed to access the VPC Endpoint Service | `list(string)` | `[]` | no |
+| [private\_only\_traffic](#input\_private\_only\_traffic) | Enable private only traffic from customer private network | `bool` | `false` | no |
| [public\_access](#input\_public\_access) | Is this instance accessable a public domain. | `bool` | `false` | no |
| [size](#input\_size) | Deployment size | `string` | `null` | no |
| [ssl\_policy](#input\_ssl\_policy) | SSL policy to use on ALB listener | `string` | `"ELBSecurityPolicy-FS-1-2-Res-2020-10"` | no |
@@ -222,6 +225,7 @@ CLI and re-run the apply. Running pods will not be impacted.
| [system\_reserved\_pid](#input\_system\_reserved\_pid) | (Optional) The amount of 'system-reserved' process ids [pid] to pass to the kubelet. For example: 1000. A value of -1 disables the flag. | `number` | `500` | no |
| [use\_internal\_queue](#input\_use\_internal\_queue) | n/a | `bool` | `false` | no |
| [weave\_wandb\_env](#input\_weave\_wandb\_env) | Extra environment variables for W&B | `map(string)` | `{}` | no |
+| [yace\_sa\_name](#input\_yace\_sa\_name) | n/a | `string` | `"wandb-yace"` | no |
| [zone\_id](#input\_zone\_id) | Domain for creating the Weights & Biases subdomain on. | `string` | n/a | yes |
## Outputs
@@ -273,14 +277,19 @@ module "wandb" {
```
### Alow customer specific customer-managed keys for S3 and RDS
+
- we can provide external kms key to encrypt database, redis and S3 buckets.
-- To provide kms keys we need to provide kms arn values in
+- To provide kms keys we need to provide kms arn values in
+
```
-db_kms_key_arn
+database_kms_key_arn
bucket_kms_key_arn
```
+
### In order to allow cross account KMS keys. we need to allow kms keys to be accessed by WandB account.
+
this can be donw by adding the following policy document.
+
```
{
"Sid": "Allow use of the key",
diff --git a/main.tf b/main.tf
index b7966bcc..c91e230f 100644
--- a/main.tf
+++ b/main.tf
@@ -11,19 +11,19 @@ locals {
default_kms_key = module.kms.key.arn
s3_kms_key_arn = length(var.bucket_kms_key_arn) > 0 ? var.bucket_kms_key_arn : local.default_kms_key
- db_kms_key_arn = length(var.db_kms_key_arn) > 0 ? var.db_kms_key_arn : local.default_kms_key
+ database_kms_key_arn = length(var.database_kms_key_arn) > 0 ? var.database_kms_key_arn : local.default_kms_key
database_performance_insights_kms_key_arn = length(var.database_performance_insights_kms_key_arn) > 0 ? var.database_performance_insights_kms_key_arn : local.default_kms_key
use_external_bucket = var.bucket_name != ""
use_internal_queue = local.use_external_bucket || var.use_internal_queue
}
module "file_storage" {
- count = var.create_bucket ? 1 : 0
- source = "./modules/file_storage"
- namespace = var.namespace
- create_queue = !local.use_internal_queue
- sse_algorithm = "aws:kms"
- kms_key_arn = local.s3_kms_key_arn
+ count = var.create_bucket ? 1 : 0
+ source = "./modules/file_storage"
+ namespace = var.namespace
+ create_queue = !local.use_internal_queue
+ sse_algorithm = "aws:kms"
+ kms_key_arn = local.s3_kms_key_arn
deletion_protection = var.deletion_protection
}
@@ -71,7 +71,7 @@ module "database" {
source = "./modules/database"
namespace = var.namespace
- kms_key_arn = local.db_kms_key_arn
+ kms_key_arn = local.database_kms_key_arn
performance_insights_kms_key_arn = local.database_performance_insights_kms_key_arn
database_name = var.database_name
@@ -230,7 +230,7 @@ module "redis" {
redis_subnet_group_name = local.network_elasticache_subnet_group_name
vpc_subnets_cidr_blocks = local.network_elasticache_subnet_cidrs
node_type = try(local.deployment_size[var.size].cache, var.elasticache_node_type)
- kms_key_arn = local.db_kms_key_arn
+ kms_key_arn = local.database_kms_key_arn
}
locals {
@@ -261,10 +261,10 @@ module "wandb" {
spec = {
values = {
global = {
- host = local.url
- license = var.license
+ host = local.url
+ license = var.license
cloudProvider = "aws"
- extraEnv = var.other_wandb_env
+ extraEnv = var.other_wandb_env
bucket = {
provider = "s3"
diff --git a/variables.tf b/variables.tf
index 2e5ddf2c..fd73db38 100644
--- a/variables.tf
+++ b/variables.tf
@@ -80,7 +80,14 @@ variable "database_performance_insights_kms_key_arn" {
description = "Specifies an existing KMS key ARN to encrypt the performance insights data if performance_insights_enabled is was enabled out of band"
nullable = true
type = string
-
+}
+variable "database_kms_key_arn" {
+ type = string
+ default = ""
+ validation {
+ condition = can(regex("^arn:aws:kms:[a-z0-9-]+:[0-9]+:key/[a-zA-Z0-9-_]+$", var.database_kms_key_arn)) || var.database_kms_key_arn == ""
+ error_message = "Invalid value for db kms ARN"
+ }
}
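Review bot: The validation on the new `database_kms_key_arn` hard-codes the `aws` partition, so a customer-managed key in GovCloud or China (`arn:aws-us-gov:kms:...`, `arn:aws-cn:kms:...`) is rejected at plan time even though the module would otherwise accept it, and the account field accepts any digit run rather than the 12-digit account ID the README's cross-account policy relies on; a tighter and more portable check is `condition = var.database_kms_key_arn == "" || can(regex("^arn:aws[a-z-]*:kms:[a-z0-9-]+:[0-9]{12}:key/[a-zA-Z0-9-_]+$", var.database_kms_key_arn))`. The variable also carries no `description`, which is why the generated README table now shows `n/a` for it; add `description = "ARN of an existing KMS key used to encrypt the RDS cluster and the ElastiCache instance; empty string falls back to the module-managed key."`, since main.tf passes this same key to both the database and redis modules. Note too that the neighbouring `database_performance_insights_kms_key_arn` keeps `nullable = true` while main.tf selects it with `length(...) > 0`, so an explicit `null` presumably fails with a type error rather than falling back to the default key; marking it `nullable = false` with the `""` default would match the contract this new variable uses.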
##########################################
@@ -271,13 +278,13 @@ variable "allowed_private_endpoint_cidr" {
description = "Private CIDRs allowed to access wandb-server."
nullable = false
type = list(string)
- default = []
+ default = []
}
variable "private_only_traffic" {
description = "Enable private only traffic from customer private network"
- type = bool
- default = false
+ type = bool
+ default = false
}
##########################################
@@ -464,18 +471,6 @@ variable "enable_yace" {
}
variable "yace_sa_name" {
- type = string
+ type = string
default = "wandb-yace"
}
-
-##########################################
-# New Vars for Encryption #
-##########################################
-variable "db_kms_key_arn" {
- type = string
- default = ""
- validation {
- condition = can(regex("^arn:aws:kms:[a-z0-9-]+:[0-9]+:key/[a-zA-Z0-9-_]+$", var.db_kms_key_arn)) || var.db_kms_key_arn == ""
- error_message = "Invalid value for db kms ARN"
- }
-}
\ No newline at end of file