# The cluster-services module is responsible for Kubernetes objects within the
# EKS cluster.
#
# Any AWS resources relating to the cluster belong in
# ../cluster-infrastructure, not in this module.
#
# See https://github.com/alphagov/govuk-infrastructure/blob/main/docs/architecture/decisions/0003-split-terraform-state-into-separate-aws-cluster-and-kubernetes-resource-phases.md
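terraform {
  # Terraform CLI floor; "~> 1.5" accepts any later 1.x minor.
  required_version = "~> 1.5"

  # State and runs live in Terraform Cloud; the workspace is selected by tag,
  # so every workspace carrying all three tags shares this configuration.
  cloud {
    organization = "govuk"
    workspaces {
      tags = ["cluster-services", "eks", "aws"]
    }
  }

  # Provider constraints are deliberately loose (~> MAJOR.0). The versions
  # and checksums actually installed should be fixed by a committed
  # .terraform.lock.hcl -- NOTE(review): confirm the lock file is checked in,
  # otherwise each run may resolve a different provider build.
  required_providers {
    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = "~> 2.0"
    }
    helm = {
      source  = "hashicorp/helm"
      version = "~> 2.0"
    }
    tfe = {
      source  = "hashicorp/tfe"
      version = "~> 0.55.0"
    }
    # The AWS provider is used here only to read remote state (remote.tf) and
    # to mint the short-lived EKS bearer token via the aws_eks_cluster_auth
    # data source in this file. Please do not add AWS resources to this
    # module; they belong in ../cluster-infrastructure.
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}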
# AWS provider for the read-only data sources this module relies on; no AWS
# resources are meant to be managed from here (see the aws entry in
# required_providers above).
provider "aws" {
  region = "eu-west-1"

  # Stamped on anything this provider creates or tags, so a resource can be
  # traced back to the owning team, product and the workspace that manages it.
  default_tags {
    tags = {
      cluster              = "govuk"
      repository           = "govuk-infrastructure"
      # Name of the root module directory, i.e. the deployment being applied.
      terraform_deployment = basename(abspath(path.root))
      Product              = "GOV.UK"
      System               = "EKS cluster services"
      Environment          = var.govuk_environment
      Owner                = "govuk-platform-engineering@digital.cabinet-office.gov.uk"
    }
  }
}
# Bearer token for the "govuk" EKS cluster, derived from the AWS credentials
# Terraform is running with. The cluster name is hard-coded here while the
# endpoint and CA bundle used by the providers below come from the
# cluster-infrastructure workspace outputs; if the two ever diverge the
# token will be rejected by the cluster the providers connect to.
# NOTE(review): EKS auth tokens are time-limited presigned STS requests, so
# a plan/apply that runs longer than the token lifetime can fail mid-way --
# confirm this is acceptable for CI run times.
data "aws_eks_cluster_auth" "cluster_token" {
  name = "govuk"
}
# Kubernetes provider for the "govuk" EKS cluster. The endpoint and CA bundle
# are non-secret values published by the cluster-infrastructure workspace;
# the only credential is the STS-derived token above, so what this module is
# allowed to change is decided by the IAM identity running Terraform and how
# the cluster maps that identity to RBAC.
# NOTE(review): like any data source result, the token is recorded in the
# workspace state (as a sensitive value) -- treat state access accordingly.
provider "kubernetes" {
  token                  = data.aws_eks_cluster_auth.cluster_token.token
  cluster_ca_certificate = base64decode(data.tfe_outputs.cluster_infrastructure.nonsensitive_values.cluster_certificate_authority_data)
  host                   = data.tfe_outputs.cluster_infrastructure.nonsensitive_values.cluster_endpoint
}
# Helm provider pointed at the same cluster, CA bundle and token as the
# kubernetes provider above.
# TODO: provider configurations are not yet first-class values in Terraform;
# when/if they are, reuse the kubernetes provider's config here instead of
# repeating it.
provider "helm" {
  kubernetes {
    token                  = data.aws_eks_cluster_auth.cluster_token.token
    cluster_ca_certificate = base64decode(data.tfe_outputs.cluster_infrastructure.nonsensitive_values.cluster_certificate_authority_data)
    host                   = data.tfe_outputs.cluster_infrastructure.nonsensitive_values.cluster_endpoint
  }
}
locals {
  # Namespaces and the external DNS zone are published by the
  # cluster-infrastructure workspace so this module never keeps its own copy.
  services_ns            = data.tfe_outputs.cluster_infrastructure.nonsensitive_values.cluster_services_namespace
  monitoring_ns          = data.tfe_outputs.cluster_infrastructure.nonsensitive_values.monitoring_namespace
  external_dns_zone_name = data.tfe_outputs.cluster_infrastructure.nonsensitive_values.external_dns_zone_name

  # Public hostname for the Dex OIDC issuer, under the external DNS zone.
  dex_host = format("dex.%s", local.external_dns_zone_name)

  # In-cluster Prometheus endpoint over plain HTTP. The service name carries
  # no namespace, so it presumably resolves only from the monitoring
  # namespace -- verify against the callers. Nothing here adds
  # authentication, so keep this URL cluster-internal.
  prometheus_internal_url = "http://kube-prometheus-stack-prometheus:9090"

  # Shared AWS Load Balancer Controller annotations. Any Ingress using these
  # gets an *internet-facing* ALB with TLS terminated at the load balancer
  # under a TLS 1.2+/1.3 policy, and plain HTTP on port 80 redirected to 443.
  # Ingresses that must stay internal have to override the scheme annotation.
  alb_ingress_annotations = {
    "alb.ingress.kubernetes.io/scheme"       = "internet-facing"
    "alb.ingress.kubernetes.io/target-type"  = "ip"
    "alb.ingress.kubernetes.io/listen-ports" = jsonencode([{ HTTP = 80 }, { HTTPS = 443 }])
    "alb.ingress.kubernetes.io/ssl-redirect" = "443"
    "alb.ingress.kubernetes.io/ssl-policy"   = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  }
}