optional transition to IA + fix
github-actions[bot] authored and lemaitre-aneo committed Feb 13, 2024
1 parent 867261b commit 0cbc22e
Showing 11 changed files with 50 additions and 18 deletions.
13 changes: 13 additions & 0 deletions kubernetes/aws/eks/README.md
Expand Up @@ -92,6 +92,19 @@
| <a name="input_cluster_log_retention_in_days"></a> [cluster\_log\_retention\_in\_days](#input\_cluster\_log\_retention\_in\_days) | Logs retention in days | `number` | n/a | yes |
| <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | Kubernetes version to use for the EKS cluster | `string` | n/a | yes |
| <a name="input_ebs_kms_key_id"></a> [ebs\_kms\_key\_id](#input\_ebs\_kms\_key\_id) | KMS key id to encrypt/decrypt EBS | `string` | n/a | yes |
| <a name="input_efs_csi_external_provisioner_image"></a> [efs\_csi\_external\_provisioner\_image](#input\_efs\_csi\_external\_provisioner\_image) | EFS CSI external provisioner image name | `string` | n/a | yes |
| <a name="input_efs_csi_external_provisioner_tag"></a> [efs\_csi\_external\_provisioner\_tag](#input\_efs\_csi\_external\_provisioner\_tag) | EFS CSI external provisioner image tag | `string` | n/a | yes |
| <a name="input_efs_csi_image"></a> [efs\_csi\_image](#input\_efs\_csi\_image) | EFS CSI image name | `string` | n/a | yes |
| <a name="input_efs_csi_image_pull_secrets"></a> [efs\_csi\_image\_pull\_secrets](#input\_efs\_csi\_image\_pull\_secrets) | Image pull secret used to pull EFS CSI images | `string` | `null` | no |
| <a name="input_efs_csi_liveness_probe_image"></a> [efs\_csi\_liveness\_probe\_image](#input\_efs\_csi\_liveness\_probe\_image) | EFS CSI liveness probe image name | `string` | n/a | yes |
| <a name="input_efs_csi_liveness_probe_tag"></a> [efs\_csi\_liveness\_probe\_tag](#input\_efs\_csi\_liveness\_probe\_tag) | EFS CSI liveness probe image tag | `string` | n/a | yes |
| <a name="input_efs_csi_name"></a> [efs\_csi\_name](#input\_efs\_csi\_name) | EFS CSI name | `string` | `null` | no |
| <a name="input_efs_csi_namespace"></a> [efs\_csi\_namespace](#input\_efs\_csi\_namespace) | EFS CSI namespace | `string` | `null` | no |
| <a name="input_efs_csi_node_driver_registrar_image"></a> [efs\_csi\_node\_driver\_registrar\_image](#input\_efs\_csi\_node\_driver\_registrar\_image) | EFS CSI node driver registrar image name | `string` | n/a | yes |
| <a name="input_efs_csi_node_driver_registrar_tag"></a> [efs\_csi\_node\_driver\_registrar\_tag](#input\_efs\_csi\_node\_driver\_registrar\_tag) | EFS CSI node driver registrar image tag | `string` | n/a | yes |
| <a name="input_efs_csi_repository"></a> [efs\_csi\_repository](#input\_efs\_csi\_repository) | EFS CSI helm repository | `string` | n/a | yes |
| <a name="input_efs_csi_tag"></a> [efs\_csi\_tag](#input\_efs\_csi\_tag) | EFS CSI image tag | `string` | n/a | yes |
| <a name="input_efs_csi_version"></a> [efs\_csi\_version](#input\_efs\_csi\_version) | EFS CSI helm version | `string` | n/a | yes |
| <a name="input_eks_managed_node_groups"></a> [eks\_managed\_node\_groups](#input\_eks\_managed\_node\_groups) | List of EKS managed node groups | `any` | `null` | no |
| <a name="input_fargate_profiles"></a> [fargate\_profiles](#input\_fargate\_profiles) | List of fargate profiles | `any` | `null` | no |
| <a name="input_instance_refresh_image"></a> [instance\_refresh\_image](#input\_instance\_refresh\_image) | Instance refresh image name | `string` | n/a | yes |
9 changes: 6 additions & 3 deletions kubernetes/aws/eks/efs-csi.tf
Expand Up @@ -199,9 +199,12 @@ resource "helm_release" "efs_csi" {
name = "sidecars.csiProvisioner.image.tag"
value = var.efs_csi_external_provisioner_tag
}
set {
name = "imagePullSecrets"
value = var.efs_csi_image_pull_secrets
dynamic "set" {
for_each = toset(compact([var.efs_csi_image_pull_secrets]))
content {
name = "imagePullSecrets"
value = each.key
}
}
set {
name = "node.serviceAccount.create"
8 changes: 8 additions & 0 deletions kubernetes/aws/eks/variables.tf
Expand Up @@ -287,10 +287,18 @@ variable "efs_csi_image_pull_secrets" {
variable "efs_csi_repository" {
description = "EFS CSI helm repository"
type = string
validation {
condition = var.efs_csi_repository != null
error_message = "Should not be null."
}
}
variable "efs_csi_version" {
description = "EFS CSI helm version"
type = string
validation {
condition = var.efs_csi_version != null
error_message = "Should not be null."
}
}

# Encryption keys
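Review bot: the two `validation` blocks on `efs_csi_repository` and `efs_csi_version` only reject an explicit `null`, and both fail with the same "Should not be null." text, which does not name the variable. If the minimum supported Terraform version allows it, `nullable = false` states the same constraint declaratively; otherwise put the variable name in `error_message` so the failure is attributable.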
4 changes: 2 additions & 2 deletions monitoring/onpremise/grafana/README.md
Expand Up @@ -41,10 +41,10 @@ No modules.
| <a name="input_docker_image"></a> [docker\_image](#input\_docker\_image) | Docker image for Grafana | <pre>object({<br> image = string<br> tag = string<br> image_pull_secrets = string<br> })</pre> | n/a | yes |
| <a name="input_namespace"></a> [namespace](#input\_namespace) | Namespace of ArmoniK monitoring | `string` | n/a | yes |
| <a name="input_node_selector"></a> [node\_selector](#input\_node\_selector) | Node selector for Grafana | `any` | `{}` | no |
| <a name="input_persistent_volume"></a> [persistent\_volume](#input\_persistent\_volume) | Persistent volume info | <pre>object({<br> storage_provisioner = string<br> volume_binding_mode = string<br> parameters = map(string)<br> # Resources for PVC<br> resources = object({<br> limits = object({<br> storage = string<br> })<br> requests = object({<br> storage = string<br> })<br> })<br> })</pre> | n/a | yes |
| <a name="input_persistent_volume"></a> [persistent\_volume](#input\_persistent\_volume) | Persistent volume info | <pre>object({<br> storage_provisioner = string<br> volume_binding_mode = string<br> parameters = map(string)<br> # Resources for PVC<br> resources = object({<br> limits = object({<br> storage = string<br> })<br> requests = object({<br> storage = string<br> })<br> })<br> })</pre> | `null` | no |
| <a name="input_port"></a> [port](#input\_port) | Port for Grafana service | `string` | n/a | yes |
| <a name="input_prometheus_url"></a> [prometheus\_url](#input\_prometheus\_url) | Prometheus URL | `string` | n/a | yes |
| <a name="input_security_context"></a> [security\_context](#input\_security\_context) | security context for MongoDB pods | <pre>object({<br> run_as_user = number<br> fs_group = number<br> })</pre> | n/a | yes |
| <a name="input_security_context"></a> [security\_context](#input\_security\_context) | security context for Grafana pods | <pre>object({<br> run_as_user = number<br> fs_group = number<br> })</pre> | <pre>{<br> "fs_group": 999,<br> "run_as_user": 999<br>}</pre> | no |
| <a name="input_service_type"></a> [service\_type](#input\_service\_type) | Service type which can be: ClusterIP, NodePort or LoadBalancer | `string` | n/a | yes |

## Outputs
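Review bot: `persistent_volume` goes from required to a `null` default, but its description is still only "Persistent volume info", so the table does not tell a caller what is deployed when it is left unset. State the `null` behaviour in the variable description so the generated README carries it, and say where the new `security_context` default of 999/999 comes from.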
4 changes: 2 additions & 2 deletions monitoring/onpremise/prometheus/README.md
Expand Up @@ -43,8 +43,8 @@ No modules.
| <a name="input_metrics_exporter_url"></a> [metrics\_exporter\_url](#input\_metrics\_exporter\_url) | URL of metrics exporter | `string` | n/a | yes |
| <a name="input_namespace"></a> [namespace](#input\_namespace) | Namespace of ArmoniK monitoring | `string` | n/a | yes |
| <a name="input_node_selector"></a> [node\_selector](#input\_node\_selector) | Node selector for Prometheus | `any` | `{}` | no |
| <a name="input_persistent_volume"></a> [persistent\_volume](#input\_persistent\_volume) | Persistent volume info | <pre>object({<br> storage_provisioner = string<br> volume_binding_mode = string<br> parameters = map(string)<br> # Resources for PVC<br> resources = object({<br> limits = object({<br> storage = string<br> })<br> requests = object({<br> storage = string<br> })<br> })<br> })</pre> | n/a | yes |
| <a name="input_security_context"></a> [security\_context](#input\_security\_context) | security context for MongoDB pods | <pre>object({<br> run_as_user = number<br> fs_group = number<br> })</pre> | n/a | yes |
| <a name="input_persistent_volume"></a> [persistent\_volume](#input\_persistent\_volume) | Persistent volume info | <pre>object({<br> storage_provisioner = string<br> volume_binding_mode = string<br> parameters = map(string)<br> # Resources for PVC<br> resources = object({<br> limits = object({<br> storage = string<br> })<br> requests = object({<br> storage = string<br> })<br> })<br> })</pre> | `null` | no |
| <a name="input_security_context"></a> [security\_context](#input\_security\_context) | security context for Prometheus pods | <pre>object({<br> run_as_user = number<br> fs_group = number<br> })</pre> | <pre>{<br> "fs_group": 65534,<br> "run_as_user": 65534<br>}</pre> | no |
| <a name="input_service_type"></a> [service\_type](#input\_service\_type) | Service type which can be: ClusterIP, NodePort or LoadBalancer | `string` | n/a | yes |

## Outputs
2 changes: 1 addition & 1 deletion storage/aws/efs/README.md
Expand Up @@ -39,7 +39,7 @@ No modules.
| <a name="input_provisioned_throughput_in_mibps"></a> [provisioned\_throughput\_in\_mibps](#input\_provisioned\_throughput\_in\_mibps) | The throughput, measured in MiB/s, that you want to provision for the file system. Only applicable with throughput\_mode set to provisioned | `number` | `null` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | Tags for resource | `any` | `{}` | no |
| <a name="input_throughput_mode"></a> [throughput\_mode](#input\_throughput\_mode) | Throughput mode for the file system. Defaults to bursting. Valid values: bursting, elastic, and provisioned. When using provisioned, also set provisioned\_throughput\_in\_mibps | `string` | `"bursting"` | no |
| <a name="input_transition_to_ia"></a> [transition\_to\_ia](#input\_transition\_to\_ia) | Describes the period of time that a file is not accessed, after which it transitions to IA storage | `string` | `"AFTER_7_DAYS"` | no |
| <a name="input_transition_to_ia"></a> [transition\_to\_ia](#input\_transition\_to\_ia) | Describes the period of time that a file is not accessed, after which it transitions to IA storage | `string` | `null` | no |
| <a name="input_vpc_cidr_block_private"></a> [vpc\_cidr\_block\_private](#input\_vpc\_cidr\_block\_private) | AWS VPC private cidr block | `set(string)` | n/a | yes |
| <a name="input_vpc_cidr_blocks"></a> [vpc\_cidr\_blocks](#input\_vpc\_cidr\_blocks) | AWS VPC cidr block | `set(string)` | n/a | yes |
| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | AWS VPC id | `string` | n/a | yes |
9 changes: 7 additions & 2 deletions storage/aws/efs/main.tf
Expand Up @@ -19,9 +19,14 @@ resource "aws_efs_file_system" "efs" {
performance_mode = var.performance_mode
throughput_mode = var.throughput_mode
provisioned_throughput_in_mibps = var.provisioned_throughput_in_mibps
lifecycle_policy {
transition_to_ia = var.transition_to_ia

dynamic "lifecycle_policy" {
for_each = toset(compact([var.transition_to_ia]))
content {
transition_to_ia = each.key
}
}

tags = local.tags
}
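Review bot: in `dynamic "lifecycle_policy"`, `each.key` is not the block's iterator; `each` exists only if `aws_efs_file_system.efs` is itself declared with `for_each`, which this hunk does not show. Use `lifecycle_policy.value` (or declare an `iterator`) so the block evaluates when `transition_to_ia` is set.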

2 changes: 2 additions & 0 deletions storage/aws/efs/outputs.tf
@@ -1,9 +1,11 @@
output "id" {
description = "EFS id"
value = aws_efs_file_system.efs.id
depends_on = [aws_efs_mount_target.efs, aws_efs_access_point.efs]
}

output "kms_key_id" {
description = "KMS used to encrypt EFS"
value = aws_efs_file_system.efs.kms_key_id
depends_on = [aws_efs_mount_target.efs, aws_efs_access_point.efs]
}
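Review bot: the `depends_on` added to both outputs has no comment explaining why an id and a KMS key id must wait on `aws_efs_mount_target.efs` and `aws_efs_access_point.efs`. If the intent is to keep consumers of `id` from using the file system before its mount targets and access point exist, say so in a comment above each `depends_on`, since the dependency otherwise looks redundant and is easy to remove later.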
6 changes: 3 additions & 3 deletions storage/aws/efs/variables.tf
Expand Up @@ -68,15 +68,15 @@ variable "provisioned_throughput_in_mibps" {
variable "transition_to_ia" {
description = "Describes the period of time that a file is not accessed, after which it transitions to IA storage"
type = string
default = "AFTER_7_DAYS"
default = null
validation {
condition = contains([
condition = var.transition_to_ia != null ? contains([
"AFTER_7_DAYS",
"AFTER_14_DAYS",
"AFTER_30_DAYS",
"AFTER_60_DAYS",
"AFTER_90_DAYS"
], var.transition_to_ia)
], var.transition_to_ia) : true
error_message = "Possible values for the parameter transition_to_ia are \"AFTER_7_DAYS\" | \"AFTER_14_DAYS\" | \"AFTER_30_DAYS\", \"AFTER_60_DAYS\" | \"AFTER_90_DAYS\"."
}
}
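Review bot: changing `default` from "AFTER_7_DAYS" to `null` is a behaviour change for every caller that relied on the default, and neither `description` nor `error_message` says that `null` is accepted or what it means. Add that to the description. While touching `error_message`, the separator between `AFTER_30_DAYS` and `AFTER_60_DAYS` is a comma where the other values use `|`.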
5 changes: 3 additions & 2 deletions storage/onpremise/mongodb/README.md
Expand Up @@ -56,9 +56,10 @@ No modules.

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_mongodb"></a> [mongodb](#input\_mongodb) | Parameters of MongoDB | <pre>object({<br> image = string<br> tag = string<br> node_selector = any<br> image_pull_secrets = string<br> replicas_number = number<br> security_context = object({<br> run_as_user = number<br> fs_group = number<br> })<br> })</pre> | n/a | yes |
| <a name="input_mongodb"></a> [mongodb](#input\_mongodb) | Parameters of MongoDB | <pre>object({<br> image = string<br> tag = string<br> node_selector = any<br> image_pull_secrets = string<br> replicas_number = number<br> })</pre> | n/a | yes |
| <a name="input_namespace"></a> [namespace](#input\_namespace) | Namespace of ArmoniK resources | `string` | n/a | yes |
| <a name="input_persistent_volume"></a> [persistent\_volume](#input\_persistent\_volume) | Persistent volume info | <pre>object({<br> storage_provisioner = string<br> volume_binding_mode = string<br> parameters = map(string)<br> # Resources for PVC<br> resources = object({<br> limits = object({<br> storage = string<br> })<br> requests = object({<br> storage = string<br> })<br> })<br> })</pre> | n/a | yes |
| <a name="input_persistent_volume"></a> [persistent\_volume](#input\_persistent\_volume) | Persistent volume info | <pre>object({<br> storage_provisioner = string<br> volume_binding_mode = string<br> parameters = map(string)<br> # Resources for PVC<br> resources = object({<br> limits = object({<br> storage = string<br> })<br> requests = object({<br> storage = string<br> })<br> })<br> })</pre> | `null` | no |
| <a name="input_security_context"></a> [security\_context](#input\_security\_context) | security context for MongoDB pods | <pre>object({<br> run_as_user = number<br> fs_group = number<br> })</pre> | <pre>{<br> "fs_group": 999,<br> "run_as_user": 999<br>}</pre> | no |
| <a name="input_validity_period_hours"></a> [validity\_period\_hours](#input\_validity\_period\_hours) | Validity period of the certificate in hours | `string` | `"8760"` | no |

## Outputs
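Review bot: moving `security_context` out of the `mongodb` object into a top-level input with a 999/999 default changes the module interface with no failure mode for existing callers. Terraform discards attributes that are not part of an object type constraint, so a caller that still passes `mongodb.security_context` gets no error and the pod runs with the new default instead of the configured IDs. Call this out in the changelog or upgrade notes.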
6 changes: 3 additions & 3 deletions storage/onpremise/mongodb/main.tf
Expand Up @@ -51,10 +51,10 @@ resource "kubernetes_deployment" "mongodb" {
}
}
security_context {
run_as_user = var.mongodb.security_context.run_as_user
run_as_user = var.security_context.run_as_user
run_as_non_root = true
run_as_group = var.mongodb.security_context.fs_group
fs_group = var.mongodb.security_context.fs_group
run_as_group = var.security_context.fs_group
fs_group = var.security_context.fs_group
}
container {
name = "mongodb"
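Review bot: `run_as_group = var.security_context.fs_group` sets the process GID from a field named `fs_group`, so the two IDs cannot be chosen independently and the coupling is not visible from the variable's type (`run_as_user`, `fs_group`). Either add a `run_as_group` attribute to `security_context` or add a comment here stating that the primary group is intentionally the same as `fs_group`.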
