From 439e42a5c5629cd41d98353124eeeeae5a5cc18c Mon Sep 17 00:00:00 2001
From: Jacob Woffenden
Date: Tue, 7 Jan 2025 11:25:18 +0000
Subject: [PATCH 01/11] Patching

Signed-off-by: GitHub
---
 .../cloudwatch-log-groups.tf | 4 +--
 .../ec2-instances.tf | 35 ------------------
 .../eks-cluster.tf | 4 +--
 .../eks-pod-identities.tf | 2 +-
 .../environment-configuration.tf | 16 ++++----
 .../helm-charts-actions-runners.tf | 16 ++++----
 .../helm-charts-system.tf | 18 +++++-----
 .../iam-policies.tf | 20 +++++------
 .../analytical-platform-compute/iam-roles.tf | 36 +++++++++----------
 .../analytical-platform-compute/locals.tf | 3 +-
 .../analytical-platform-compute/s3-buckets.tf | 8 ++---
 .../security-groups.tf | 16 --------
 .../vpc-endpoints.tf | 2 +-
 .../analytical-platform-compute/vpc.tf | 2 +-
 14 files changed, 65 insertions(+), 117 deletions(-)
 delete mode 100644 terraform/environments/analytical-platform-compute/ec2-instances.tf

diff --git a/terraform/environments/analytical-platform-compute/cloudwatch-log-groups.tf b/terraform/environments/analytical-platform-compute/cloudwatch-log-groups.tf
index 7b72c421439..7df68788bff 100644
--- a/terraform/environments/analytical-platform-compute/cloudwatch-log-groups.tf
+++ b/terraform/environments/analytical-platform-compute/cloudwatch-log-groups.tf
@@ -3,7 +3,7 @@ module "eks_log_group" {
 #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
 source = "terraform-aws-modules/cloudwatch/aws//modules/log-group"
- version = "5.6.1"
+ version = "5.7.0"
 
 name = local.eks_cloudwatch_log_group_name
 kms_key_id = module.eks_cluster_logs_kms.key_arn
@@ -17,7 +17,7 @@ module "managed_prometheus_log_group" {
 #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
 source = "terraform-aws-modules/cloudwatch/aws//modules/log-group"
- version = "5.6.1"
+ version = "5.7.0"
 
 name = local.amp_cloudwatch_log_group_name
 kms_key_id = module.managed_prometheus_logs_kms.key_arn
diff --git a/terraform/environments/analytical-platform-compute/ec2-instances.tf b/terraform/environments/analytical-platform-compute/ec2-instances.tf
deleted file mode 100644
index 4104af0a722..00000000000
--- a/terraform/environments/analytical-platform-compute/ec2-instances.tf
+++ /dev/null
@@ -1,35 +0,0 @@
-module "debug_instance" {
- #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
-
- source = "terraform-aws-modules/ec2-instance/aws"
- version = "5.7.1"
-
- name = "network-debug"
- ami = "ami-0e8d228ad90af673b" # Ubuntu Server 24.04 LTS
- instance_type = "t3.micro"
- subnet_id = element(module.vpc.private_subnets, 0)
- vpc_security_group_ids = [module.debug_instance_security_group.security_group_id]
- associate_public_ip_address = false
-
- root_block_device = [
- {
- encrypted = true
- volume_type = "gp3"
- volume_size = 8
- }
- ]
-
- create_iam_instance_profile = true
- iam_role_policies = {
- SSMCore = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
- }
-
- metadata_options = {
- http_endpoint = "enabled"
- http_put_response_hop_limit = 1
- http_tokens = "required"
- instance_metadata_tags = "enabled"
- }
-
- tags = local.tags
-}
diff --git a/terraform/environments/analytical-platform-compute/eks-cluster.tf b/terraform/environments/analytical-platform-compute/eks-cluster.tf
index d5e7be40b72..4002185eb1c 100644
--- a/terraform/environments/analytical-platform-compute/eks-cluster.tf
+++ b/terraform/environments/analytical-platform-compute/eks-cluster.tf
@@ -6,7 +6,7 @@ module "eks" {
 #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
 source = "terraform-aws-modules/eks/aws"
- version = "20.29.0"
+ version = "20.31.6"
 
 cluster_name = local.eks_cluster_name
 cluster_version = local.environment_configuration.eks_cluster_version
@@ -172,7 +172,7 @@ module "karpenter" {
 #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
 source = "terraform-aws-modules/eks/aws//modules/karpenter"
- version = "20.29.0"
+ version = "20.31.6"
 
 cluster_name = module.eks.cluster_name
 
diff --git a/terraform/environments/analytical-platform-compute/eks-pod-identities.tf b/terraform/environments/analytical-platform-compute/eks-pod-identities.tf
index 8b219126c30..ddb4efc92c4 100644
--- a/terraform/environments/analytical-platform-compute/eks-pod-identities.tf
+++ b/terraform/environments/analytical-platform-compute/eks-pod-identities.tf
@@ -7,7 +7,7 @@ module "aws_cloudwatch_metrics_pod_identity" {
 #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
 source = "terraform-aws-modules/eks-pod-identity/aws"
- version = "1.7.0"
+ version = "1.9.0"
 
 name = "aws-cloudwatch-metrics"
 
diff --git a/terraform/environments/analytical-platform-compute/environment-configuration.tf b/terraform/environments/analytical-platform-compute/environment-configuration.tf
index 6009114ee9a..6f8516379c8 100644
--- a/terraform/environments/analytical-platform-compute/environment-configuration.tf
+++ b/terraform/environments/analytical-platform-compute/environment-configuration.tf
@@ -21,15 +21,15 @@ locals {
 /* EKS */
 eks_sso_access_role = "modernisation-platform-sandbox"
 eks_cluster_version = "1.31"
- eks_node_version = "1.26.2-360b7a38"
+ eks_node_version = "1.29.0-c55d099c"
 eks_cluster_addon_versions = {
- coredns = "v1.11.3-eksbuild.2"
- kube_proxy = "v1.31.2-eksbuild.2"
- aws_ebs_csi_driver = "v1.36.0-eksbuild.1"
- aws_efs_csi_driver = "v2.0.9-eksbuild.1"
- aws_guardduty_agent = "v1.7.1-eksbuild.2"
- eks_pod_identity_agent = "v1.3.2-eksbuild.2"
- vpc_cni = "v1.19.0-eksbuild.1"
+ coredns = "v1.11.4-eksbuild.2"
+ kube_proxy = "v1.31.3-eksbuild.2"
+ aws_ebs_csi_driver = "v1.38.1-eksbuild.1"
+ aws_efs_csi_driver = "v2.1.3-eksbuild.1"
+ aws_guardduty_agent = "v1.8.1-eksbuild.2"
+ eks_pod_identity_agent = "v1.3.4-eksbuild.1"
+ vpc_cni = "v1.19.2-eksbuild.1"
 }
 
 /* Data Engineering Airflow */
diff --git a/terraform/environments/analytical-platform-compute/helm-charts-actions-runners.tf b/terraform/environments/analytical-platform-compute/helm-charts-actions-runners.tf
index e37b997235b..a46f470120b 100644
--- a/terraform/environments/analytical-platform-compute/helm-charts-actions-runners.tf
+++ b/terraform/environments/analytical-platform-compute/helm-charts-actions-runners.tf
@@ -6,7 +6,7 @@ resource "helm_release" "actions_runner_mojas_airflow" {
 /* https://github.com/ministryofjustice/analytical-platform-actions-runner */
 name = "actions-runner-mojas-airflow"
 repository = "oci://ghcr.io/ministryofjustice/analytical-platform-charts"
- version = "2.320.0-4"
+ version = "2.321.0"
 chart = "actions-runner"
 namespace = kubernetes_namespace.actions_runners[0].metadata[0].name
 values = [
@@ -32,7 +32,7 @@ resource "helm_release" "actions_runner_mojas_airflow_create_a_pipeline" {
 /* https://github.com/ministryofjustice/analytical-platform-actions-runner */
 name = "actions-runner-mojas-airflow-create-a-pipeline"
 repository = "oci://ghcr.io/ministryofjustice/analytical-platform-charts"
- version = "2.320.0-4"
+ version = "2.321.0"
 chart = "actions-runner"
 namespace = kubernetes_namespace.actions_runners[0].metadata[0].name
 values = [
@@ -57,7 +57,7 @@ resource "helm_release" "actions_runner_mojas_create_a_derived_table" {
 /* https://github.com/ministryofjustice/analytical-platform-actions-runner */
 name = "actions-runner-mojas-create-a-derived-table"
 repository = "oci://ghcr.io/ministryofjustice/analytical-platform-charts"
- version = "2.320.0-4"
+ version = "2.321.0"
 chart = "actions-runner"
 namespace = kubernetes_namespace.actions_runners[0].metadata[0].name
 values = [
@@ -81,7 +81,7 @@ resource "helm_release" "actions_runner_mojas_create_a_derived_table_non_spot" {
 /* https://github.com/ministryofjustice/analytical-platform-actions-runner */
 name = "actions-runner-mojas-create-a-derived-table-non-spot"
 repository = "oci://ghcr.io/ministryofjustice/analytical-platform-charts"
- version = "2.320.0-4"
+ version = "2.321.0"
 chart = "actions-runner"
 namespace = kubernetes_namespace.actions_runners[0].metadata[0].name
 values = [
@@ -109,7 +109,7 @@ resource "helm_release" "actions_runner_mojas_create_a_derived_table_dpr" {
 /* https://github.com/ministryofjustice/analytical-platform-actions-runner */
 name = "actions-runner-mojas-create-a-derived-table-dpr"
 repository = "oci://ghcr.io/ministryofjustice/analytical-platform-charts"
- version = "2.320.0-4"
+ version = "2.321.0"
 chart = "actions-runner"
 namespace = kubernetes_namespace.actions_runners[0].metadata[0].name
 values = [
@@ -133,7 +133,7 @@ resource "helm_release" "actions_runner_mojas_create_a_derived_table_dpr_pp" {
 /* https://github.com/ministryofjustice/analytical-platform-actions-runner */
 name = "actions-runner-mojas-create-a-derived-table-dpr-pp"
 repository = "oci://ghcr.io/ministryofjustice/analytical-platform-charts"
- version = "2.320.0-4"
+ version = "2.321.0"
 chart = "actions-runner"
 namespace = kubernetes_namespace.actions_runners[0].metadata[0].name
 values = [
@@ -157,7 +157,7 @@ resource "helm_release" "actions_runner_mojas_create_a_derived_table_emds_test"
 /* https://github.com/ministryofjustice/analytical-platform-actions-runner */
 name = "actions-runner-mojas-create-a-derived-table-emds-test"
 repository = "oci://ghcr.io/ministryofjustice/analytical-platform-charts"
- version = "2.320.0-4"
+ version = "2.321.0"
 chart = "actions-runner"
 namespace = kubernetes_namespace.actions_runners[0].metadata[0].name
 values = [
@@ -181,7 +181,7 @@ resource "helm_release" "actions_runner_mojas_create_a_derived_table_emds" {
 /* https://github.com/ministryofjustice/analytical-platform-actions-runner */
 name = "actions-runner-mojas-create-a-derived-table-emds"
 repository = "oci://ghcr.io/ministryofjustice/analytical-platform-charts"
- version = "2.320.0-4"
+ version = "2.321.0"
 chart = "actions-runner"
 namespace = kubernetes_namespace.actions_runners[0].metadata[0].name
 values = [
diff --git a/terraform/environments/analytical-platform-compute/helm-charts-system.tf b/terraform/environments/analytical-platform-compute/helm-charts-system.tf
index 546726a9de2..51f3c8e75bf 100644
--- a/terraform/environments/analytical-platform-compute/helm-charts-system.tf
+++ b/terraform/environments/analytical-platform-compute/helm-charts-system.tf
@@ -4,7 +4,7 @@ resource "helm_release" "kyverno" {
 name = "kyverno"
 repository = "https://kyverno.github.io/kyverno"
 chart = "kyverno"
- version = "3.3.3"
+ version = "3.3.4"
 namespace = kubernetes_namespace.kyverno.metadata[0].name
 values = [
 templatefile(
@@ -71,7 +71,7 @@ resource "helm_release" "amazon_prometheus_proxy" {
 name = "amazon-prometheus-proxy"
 repository = "https://prometheus-community.github.io/helm-charts"
 chart = "kube-prometheus-stack"
- version = "66.2.1"
+ version = "67.8.0"
 namespace = kubernetes_namespace.aws_observability.metadata[0].name
 values = [
 templatefile(
@@ -96,7 +96,7 @@ resource "helm_release" "cluster_autoscaler" {
 name = "cluster-autoscaler"
 repository = "https://kubernetes.github.io/autoscaler"
 chart = "cluster-autoscaler"
- version = "9.43.2"
+ version = "9.45.0"
 namespace = kubernetes_namespace.cluster_autoscaler.metadata[0].name
 
 values = [
@@ -119,7 +119,7 @@ resource "helm_release" "karpenter_crd" {
 name = "karpenter-crd"
 repository = "oci://public.ecr.aws/karpenter"
 chart = "karpenter-crd"
- version = "1.0.8"
+ version = "1.1.1"
 namespace = kubernetes_namespace.karpenter.metadata[0].name
 
 values = [
@@ -141,7 +141,7 @@ resource "helm_release" "karpenter" {
 name = "karpenter"
 repository = "oci://public.ecr.aws/karpenter"
 chart = "karpenter"
- version = "1.0.8"
+ version = "1.1.1"
 namespace = kubernetes_namespace.karpenter.metadata[0].name
 
 values = [
@@ -209,7 +209,7 @@ resource "helm_release" "cert_manager" {
 name = "cert-manager"
 repository = "https://charts.jetstack.io"
 chart = "cert-manager"
- version = "v1.16.1"
+ version = "v1.16.2"
 namespace = kubernetes_namespace.cert_manager.metadata[0].name
 values = [
 templatefile(
@@ -262,7 +262,7 @@ resource "helm_release" "ingress_nginx" {
 name = "ingress-nginx"
 repository = "https://kubernetes.github.io/ingress-nginx"
 chart = "ingress-nginx"
- version = "4.11.3"
+ version = "4.12.0"
 namespace = kubernetes_namespace.ingress_nginx.metadata[0].name
 values = [
 templatefile(
@@ -283,7 +283,7 @@ resource "helm_release" "external_secrets" {
 name = "external-secrets"
 repository = "https://charts.external-secrets.io"
 chart = "external-secrets"
- version = "0.10.5"
+ version = "0.12.1"
 namespace = kubernetes_namespace.external_secrets.metadata[0].name
 values = [
 templatefile(
@@ -310,7 +310,7 @@ resource "helm_release" "keda" {
 name = "keda"
 repository = "https://kedacore.github.io/charts"
 chart = "keda"
- version = "2.16.0"
+ version = "2.16.1"
 namespace = kubernetes_namespace.keda.metadata[0].name
 values = [
 templatefile(
diff --git a/terraform/environments/analytical-platform-compute/iam-policies.tf b/terraform/environments/analytical-platform-compute/iam-policies.tf
index 607480dde57..9370d3e9957 100644
--- a/terraform/environments/analytical-platform-compute/iam-policies.tf
+++ b/terraform/environments/analytical-platform-compute/iam-policies.tf
@@ -18,7 +18,7 @@ module "eks_cluster_logs_kms_access_iam_policy" {
 #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
 source = "terraform-aws-modules/iam/aws//modules/iam-policy"
- version = "5.48.0"
+ version = "5.52.1"
 
 name_prefix = "eks-cluster-logs-kms-access"
 
@@ -45,7 +45,7 @@ module "karpenter_sqs_kms_access_iam_policy" {
 #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
 source = "terraform-aws-modules/iam/aws//modules/iam-policy"
- version = "5.48.0"
+ version = "5.52.1"
 
 name_prefix = "karpenter-sqs-kms-access"
 
@@ -71,7 +71,7 @@ module "amazon_prometheus_proxy_iam_policy" {
 #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
 source = "terraform-aws-modules/iam/aws//modules/iam-policy"
- version = "5.48.0"
+ version = "5.52.1"
 
 name_prefix = "amazon-prometheus-proxy"
 
@@ -98,7 +98,7 @@ module "managed_prometheus_kms_access_iam_policy" {
 #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
 source = "terraform-aws-modules/iam/aws//modules/iam-policy"
- version = "5.48.0"
+ version = "5.52.1"
 
 name_prefix = "managed-prometheus-kms-access"
 
@@ -147,7 +147,7 @@ module "mlflow_iam_policy" {
 #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
 source = "terraform-aws-modules/iam/aws//modules/iam-policy"
- version = "5.48.0"
+ version = "5.52.1"
 
 name_prefix = "mlflow"
 
@@ -168,7 +168,7 @@ module "gha_mojas_airflow_iam_policy" {
 #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
 source = "terraform-aws-modules/iam/aws//modules/iam-policy"
- version = "5.48.0"
+ version = "5.52.1"
 
 name_prefix = "github-actions-mojas-airflow"
 
@@ -258,7 +258,7 @@ module "analytical_platform_lake_formation_share_policy" {
 #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
 source = "terraform-aws-modules/iam/aws//modules/iam-policy"
- version = "5.48.0"
+ version = "5.52.1"
 
 name_prefix = "analytical-platform-lake-formation-sharing-policy"
 
@@ -292,7 +292,7 @@ module "quicksight_vpc_connection_iam_policy" {
 #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
 source = "terraform-aws-modules/iam/aws//modules/iam-policy"
- version = "5.48.0"
+ version = "5.52.1"
 
 name_prefix = "quicksight-vpc-connection"
 
@@ -341,7 +341,7 @@ module "data_production_mojap_derived_bucket_lake_formation_policy" {
 #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
 source = "terraform-aws-modules/iam/aws//modules/iam-policy"
- version = "5.48.0"
+ version = "5.52.1"
 
 name_prefix = "analytical-platform-data-bucket-lake-formation-policy"
 
@@ -446,7 +446,7 @@ module "copy_apdp_cadet_metadata_to_compute_policy" {
 #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
 source = "terraform-aws-modules/iam/aws//modules/iam-policy"
- version = "5.48.0"
+ version = "5.52.1"
 
 name_prefix = "copy-apdp-cadet-metadata-to-compute-"
 
diff --git a/terraform/environments/analytical-platform-compute/iam-roles.tf b/terraform/environments/analytical-platform-compute/iam-roles.tf
index a27fc18735e..fa5769a590c 100644
--- a/terraform/environments/analytical-platform-compute/iam-roles.tf
+++ b/terraform/environments/analytical-platform-compute/iam-roles.tf
@@ -3,7 +3,7 @@ module "vpc_cni_iam_role" {
 #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
 source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
- version = "5.48.0"
+ version = "5.52.1"
 
 role_name_prefix = "vpc-cni"
 attach_vpc_cni_policy = true
@@ -24,7 +24,7 @@ module "ebs_csi_driver_iam_role" {
 #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
 source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
- version = "5.48.0"
+ version = "5.52.1"
 
 role_name_prefix = "ebs-csi-driver"
 attach_ebs_csi_policy = true
@@ -44,7 +44,7 @@ module "efs_csi_driver_iam_role" {
 #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
 source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
- version = "5.48.0"
+ version = "5.52.1"
 
 role_name_prefix = "efs-csi-driver"
 attach_efs_csi_policy = true
@@ -64,7 +64,7 @@ module "aws_for_fluent_bit_iam_role" {
 #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
 source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
- version = "5.48.0"
+ version = "5.52.1"
 
 role_name_prefix = "aws-for-fluent-bit"
 
@@ -88,7 +88,7 @@ module "amazon_prometheus_proxy_iam_role" {
 #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
 source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
- version = "5.48.0"
+ version = "5.52.1"
 
 role_name_prefix = "amazon-prometheus-proxy"
 
@@ -111,7 +111,7 @@ module "cluster_autoscaler_iam_role" {
 #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
 source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
- version = "5.48.0"
+ version = "5.52.1"
 
 role_name_prefix = "cluster-autoscaler"
 
@@ -133,7 +133,7 @@ module "external_dns_iam_role" {
 #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
 source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
- version = "5.48.0"
+ version = "5.52.1"
 
 role_name_prefix = "external-dns"
 attach_external_dns_policy = true
@@ -154,7 +154,7 @@ module "cert_manager_iam_role" {
 #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
 source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
- version = "5.48.0"
+ version = "5.52.1"
 
 role_name_prefix = "cert-manager"
 attach_cert_manager_policy = true
@@ -175,7 +175,7 @@ module "external_secrets_iam_role" {
 #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
 source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
- version = "5.48.0"
+ version = "5.52.1"
 
 role_name_prefix = "external-secrets"
 attach_external_secrets_policy = true
@@ -196,7 +196,7 @@ module "mlflow_iam_role" {
 #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
 source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
- version = "5.48.0"
+ version = "5.52.1"
 
 role_name_prefix = "mlflow"
 
@@ -219,7 +219,7 @@ module "gha_mojas_airflow_iam_role" {
 #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
 source = "terraform-aws-modules/iam/aws//modules/iam-github-oidc-role"
- version = "5.48.0"
+ version = "5.52.1"
 
 name = "github-actions-mojas-airflow"
 
@@ -237,7 +237,7 @@ module "lake_formation_share_role" {
 #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
 source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
- version = "5.48.0"
+ version = "5.52.1"
 
 create_role = true
 role_requires_mfa = false
@@ -264,7 +264,7 @@ module "analytical_platform_ui_service_role" {
 #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
 source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
- version = "5.48.0"
+ version = "5.52.1"
 
 create_role = true
 
@@ -287,7 +287,7 @@ module "analytical_platform_control_panel_service_role" {
 #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
 #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
- version = "5.48.0"
+ version = "5.52.1"
 
 allow_self_assume_role = true
 trusted_role_arns = [
@@ -310,7 +310,7 @@ module "analytical_platform_data_eng_dba_service_role" {
 #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
 #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
- version = "5.48.0"
+ version = "5.52.1"
 
 allow_self_assume_role = false
 trusted_role_arns = formatlist("arn:aws:iam::%s:root", [local.environment_management.account_ids[local.analytical_platform_environment], local.environment_management.account_ids["analytical-platform-management-production"]])
@@ -330,7 +330,7 @@ module "quicksight_vpc_connection_iam_role" {
 #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
 
 source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
- version = "5.48.0"
+ version = "5.52.1"
 
 create_role = true
 role_name_prefix = "quicksight-vpc-connection"
@@ -348,7 +348,7 @@ module "lake_formation_to_data_production_mojap_derived_tables_role" {
 #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
 source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
- version = "5.48.0"
+ version = "5.52.1"
 
 create_role = true
 role_requires_mfa = false
@@ -378,7 +378,7 @@ module "copy_apdp_cadet_metadata_to_compute_assumable_role" {
 #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
 #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
- version = "5.48.0"
+ version = "5.52.1"
 
 allow_self_assume_role = false
 trusted_role_arns = [
diff --git a/terraform/environments/analytical-platform-compute/locals.tf b/terraform/environments/analytical-platform-compute/locals.tf
index 78e3b560296..169a6155552 100644
--- a/terraform/environments/analytical-platform-compute/locals.tf
+++ b/terraform/environments/analytical-platform-compute/locals.tf
@@ -17,7 +17,7 @@ locals {
 eks_cloudwatch_log_group_retention_in_days = 400
 
 /* Kube Prometheus Stack */
- prometheus_operator_crd_version = "v0.78.1"
+ prometheus_operator_crd_version = "v0.79.2"
 
 /* Mapping Analytical Platform Environments to Modernisation Platform */
 
@@ -31,5 +31,4 @@ locals {
 )
 /* Environment Configuration */
 environment_configuration = local.environment_configurations[local.environment]
-
 }
diff --git a/terraform/environments/analytical-platform-compute/s3-buckets.tf b/terraform/environments/analytical-platform-compute/s3-buckets.tf
index 03712ea8813..f19a7bcc407 100644
--- a/terraform/environments/analytical-platform-compute/s3-buckets.tf
+++ b/terraform/environments/analytical-platform-compute/s3-buckets.tf
@@ -3,7 +3,7 @@ module "mlflow_bucket" {
 #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
 source = "terraform-aws-modules/s3-bucket/aws"
- version = "4.2.2"
+ version = "4.3.0"
 
 bucket = "mojap-compute-${local.environment}-mlflow"
 
@@ -46,7 +46,7 @@ module "mojap_compute_logs_bucket_eu_west_2" {
 #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
 source = "terraform-aws-modules/s3-bucket/aws"
- version = "4.2.2"
+ version = "4.3.0"
 
 bucket = "mojap-compute-${local.environment}-logs-eu-west-2"
 
@@ -101,7 +101,7 @@ module "mojap_compute_logs_bucket_eu_west_1" {
 #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
 source = "terraform-aws-modules/s3-bucket/aws"
- version = "4.2.2"
+ version = "4.3.0"
 
 providers = {
 aws = aws.analytical-platform-compute-eu-west-1
@@ -164,7 +164,7 @@ module "mojap_compute_athena_query_results_bucket_eu_west_2" {
 #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
 source = "terraform-aws-modules/s3-bucket/aws"
- version = "4.2.2"
+ version = "4.3.0"
 
 bucket = "mojap-compute-${local.environment}-athena-query-results-eu-west-2"
 
diff --git a/terraform/environments/analytical-platform-compute/security-groups.tf b/terraform/environments/analytical-platform-compute/security-groups.tf
index eb52972deeb..4812bcc7da0 100644
--- a/terraform/environments/analytical-platform-compute/security-groups.tf
+++ b/terraform/environments/analytical-platform-compute/security-groups.tf
@@ -55,19 +55,3 @@ module "quicksight_shared_vpc_security_group" {
 
 tags = local.tags
 }
-
-/* This security group is temporary and will be retired when we're satisfied with DataSync end-to-end */
-module "debug_instance_security_group" {
- #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
-
- source = "terraform-aws-modules/security-group/aws"
- version = "5.2.0"
-
- name = "debug-instance"
- vpc_id = module.vpc.vpc_id
-
- egress_cidr_blocks = ["0.0.0.0/0"]
- egress_rules = ["all-all"]
-
- tags = local.tags
-}
diff --git a/terraform/environments/analytical-platform-compute/vpc-endpoints.tf b/terraform/environments/analytical-platform-compute/vpc-endpoints.tf
index e096613bece..1580ccb3973 100644
--- a/terraform/environments/analytical-platform-compute/vpc-endpoints.tf
+++ b/terraform/environments/analytical-platform-compute/vpc-endpoints.tf
@@ -3,7 +3,7 @@ module "vpc_endpoints" {
 #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
 source = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
- version = "5.15.0"
+ version = "5.17.0"
 
 vpc_id = module.vpc.vpc_id
 subnet_ids = module.vpc.private_subnets
diff --git a/terraform/environments/analytical-platform-compute/vpc.tf b/terraform/environments/analytical-platform-compute/vpc.tf
index 5a7d3df1099..dc3a9673094 100644
--- a/terraform/environments/analytical-platform-compute/vpc.tf
+++ b/terraform/environments/analytical-platform-compute/vpc.tf
@@ -6,7 +6,7 @@ module "vpc" {
 #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
 source = "terraform-aws-modules/vpc/aws"
- version = "5.15.0"
+ version = "5.17.0"
 
 name = local.our_vpc_name
 azs = slice(data.aws_availability_zones.available.names, 0, 3)

From e587accd8f0d9d61539a13a7b9a81028e4f8ac12 Mon Sep 17 00:00:00 2001
From: Jacob Woffenden
Date: Tue, 7 Jan 2025 12:51:16 +0000
Subject: [PATCH 02/11] promote karpenter to v1
Signed-off-by: GitHub
---
 .../src/helm/charts/karpenter-configuration/Chart.yaml | 2 +-
 .../templates/ec2-node-class-bottlerocket-general.yaml | 2 +-
 .../templates/ec2-node-class-bottlerocket-gpu.yaml | 2 +-
 .../templates/node-pool-airflow-high-memory.yaml | 2 +-
 .../templates/node-pool-general-on-demand.yaml | 2 +-
 .../templates/node-pool-general-spot.yaml | 2 +-
 .../templates/node-pool-gpu-on-demand.yaml | 2 +-
 .../karpenter-configuration/templates/node-pool-gpu-spot.yaml | 2 +-
 8 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/Chart.yaml b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/Chart.yaml
index 649c63ed2ae..e5dbc1b39bd 100644
--- a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/Chart.yaml
+++ b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/Chart.yaml
@@ -3,4 +3,4 @@ apiVersion: v2
 name: karpenter-configuration
 description: A Helm chart to deploy Karpenter's configuration
 type: application
-version: 2.3.0
+version: 3.0.0
diff --git a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/ec2-node-class-bottlerocket-general.yaml b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/ec2-node-class-bottlerocket-general.yaml
index bfaafdb48a3..882be619d42 100644
--- a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/ec2-node-class-bottlerocket-general.yaml
+++ b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/ec2-node-class-bottlerocket-general.yaml
@@ -1,5 +1,5 @@
 ---
-apiVersion: karpenter.k8s.aws/v1beta1
+apiVersion: karpenter.k8s.aws/v1
 kind: EC2NodeClass
 metadata:
 name: bottlerocket-general
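Review bot: Promoting EC2NodeClass to karpenter.k8s.aws/v1 changes the required spec fields, and the rest of the object sits outside this hunk, so the node-class bodies need checking alongside the apiVersion line here and in the bottlerocket-gpu hunk that follows. In the v1 schema `amiSelectorTerms` is required and `amiFamily` on its own no longer selects an AMI; if these classes still rely on `amiFamily: Bottlerocket`, add an explicit selector and prefer a pinned alias such as `alias: bottlerocket@<version>` over `@latest`, so that node AMI changes go through review rather than rolling in on their own. v1 also changed the default `metadataOptions.httpPutResponseHopLimit` from 2 to 1, which is the tighter IMDS setting but worth confirming against any workload that still reaches IMDS through the node network namespace; I cannot see from the hunk whether the field is set explicitly.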
diff --git a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/ec2-node-class-bottlerocket-gpu.yaml b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/ec2-node-class-bottlerocket-gpu.yaml
index be59088d0df..947b9e40c2f 100644
--- a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/ec2-node-class-bottlerocket-gpu.yaml
+++ b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/ec2-node-class-bottlerocket-gpu.yaml
@@ -1,5 +1,5 @@
 ---
-apiVersion: karpenter.k8s.aws/v1beta1
+apiVersion: karpenter.k8s.aws/v1
 kind: EC2NodeClass
 metadata:
 name: bottlerocket-gpu
diff --git a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-airflow-high-memory.yaml b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-airflow-high-memory.yaml
index bdf49b77d92..0834ee2ea3d 100644
--- a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-airflow-high-memory.yaml
+++ b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-airflow-high-memory.yaml
@@ -13,7 +13,7 @@ spec:
 compute.analytical-platform.service.justice.gov.uk/karpenter-node-pool: "airflow-high-memory"
 spec:
 nodeClassRef:
- apiVersion: karpenter.k8s.aws/v1beta1
+ apiVersion: karpenter.k8s.aws/v1
 kind: EC2NodeClass
 name: bottlerocket-general
 taints:
diff --git a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-general-on-demand.yaml b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-general-on-demand.yaml
index f9401e55efc..346c7d44944 100644
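Review bot: The `nodeClassRef` block in the airflow-high-memory hunk keeps an `apiVersion` key, but in the Karpenter v1 NodePool schema the reference is written as `group`/`kind`/`name` and `apiVersion` is not a v1 field; once PATCH 03 moves these NodePools to `karpenter.sh/v1` the line should read `group: karpenter.k8s.aws` (the same applies to the general-on-demand, general-spot, gpu-on-demand and gpu-spot hunks that follow). Unless one of the later patches in the series (04–11, not shown here) makes that change, the structural schema will reject or prune the unknown key and the pool will not resolve its node class. Note also that PATCH 01 already bumps the karpenter and karpenter-crd charts to 1.1.1, which as I understand it no longer serves the v1beta1 API, so the chart/CRD upgrade and this manifest promotion should land in a single apply rather than commit by commit.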
--- a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-general-on-demand.yaml
+++ b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-general-on-demand.yaml
@@ -13,7 +13,7 @@ spec:
 compute.analytical-platform.service.justice.gov.uk/karpenter-node-pool: "general-on-demand"
 spec:
 nodeClassRef:
- apiVersion: karpenter.k8s.aws/v1beta1
+ apiVersion: karpenter.k8s.aws/v1
 kind: EC2NodeClass
 name: bottlerocket-general
 taints:
diff --git a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-general-spot.yaml b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-general-spot.yaml
index 792f049909a..c67ac4d33f4 100644
--- a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-general-spot.yaml
+++ b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-general-spot.yaml
@@ -13,7 +13,7 @@ spec:
 compute.analytical-platform.service.justice.gov.uk/karpenter-node-pool: "general-spot"
 spec:
 nodeClassRef:
- apiVersion: karpenter.k8s.aws/v1beta1
+ apiVersion: karpenter.k8s.aws/v1
 kind: EC2NodeClass
 name: bottlerocket-general
 taints:
diff --git a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-gpu-on-demand.yaml b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-gpu-on-demand.yaml
index 98cd1594723..1bdf5f14449 100644
--- a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-gpu-on-demand.yaml
+++ b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-gpu-on-demand.yaml
@@ -13,7 +13,7 @@ spec: compute.analytical-platform.service.justice.gov.uk/karpenter-node-pool: "gpu-on-demand" spec: nodeClassRef: - apiVersion: karpenter.k8s.aws/v1beta1 + apiVersion: karpenter.k8s.aws/v1 kind: EC2NodeClass name: bottlerocket-gpu taints: diff --git a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-gpu-spot.yaml b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-gpu-spot.yaml index fcefdfeb057..ee8dfb1859e 100644 --- a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-gpu-spot.yaml +++ b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-gpu-spot.yaml @@ -13,7 +13,7 @@ spec: compute.analytical-platform.service.justice.gov.uk/karpenter-node-pool: "gpu-spot" spec: nodeClassRef: - apiVersion: karpenter.k8s.aws/v1beta1 + apiVersion: karpenter.k8s.aws/v1 kind: EC2NodeClass name: bottlerocket-gpu taints: From abd116b1ae621193bfdca335faafecb6793ed6ac Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Tue, 7 Jan 2025 13:22:54 +0000 Subject: [PATCH 03/11] promote karpenter to v1 Signed-off-by: GitHub --- .../templates/node-pool-airflow-high-memory.yaml | 2 +- .../templates/node-pool-general-on-demand.yaml | 2 +- .../templates/node-pool-general-spot.yaml | 2 +- .../templates/node-pool-gpu-on-demand.yaml | 2 +- .../karpenter-configuration/templates/node-pool-gpu-spot.yaml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-airflow-high-memory.yaml b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-airflow-high-memory.yaml index 0834ee2ea3d..f48da556499 100644 
--- a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-airflow-high-memory.yaml +++ b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-airflow-high-memory.yaml @@ -1,5 +1,5 @@ --- -apiVersion: karpenter.sh/v1beta1 +apiVersion: karpenter.sh/v1 kind: NodePool metadata: name: airflow-high-memory diff --git a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-general-on-demand.yaml b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-general-on-demand.yaml index 346c7d44944..6f4ef79f96f 100644 --- a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-general-on-demand.yaml +++ b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-general-on-demand.yaml @@ -1,5 +1,5 @@ --- -apiVersion: karpenter.sh/v1beta1 +apiVersion: karpenter.sh/v1 kind: NodePool metadata: name: general-on-demand diff --git a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-general-spot.yaml b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-general-spot.yaml index c67ac4d33f4..61a77a7618e 100644 --- a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-general-spot.yaml +++ b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-general-spot.yaml @@ -1,5 +1,5 @@ --- -apiVersion: karpenter.sh/v1beta1 +apiVersion: karpenter.sh/v1 kind: NodePool metadata: name: general-spot 
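Review bot: Only `apiVersion` changes for the `airflow-high-memory` NodePool (and likewise for the four NodePools in the following hunks), but the body of each NodePool is outside the hunk and the v1 schema changed it as well — from memory of the v1 migration guide, `spec.disruption.consolidateAfter` became required, `spec.disruption.expireAfter` moved to `spec.template.spec.expireAfter`, and `spec.template.spec.kubelet` moved to the EC2NodeClass; confirm each file against that guide. Since the templates now only apply on a Karpenter controller that serves the v1 CRDs, the chart version bump in PATCH 04 (`3.0.0` → `3.0.1`) understates the change; a major bump would signal the incompatibility to anyone still running a pre-1.0 controller.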
diff --git a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-gpu-on-demand.yaml b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-gpu-on-demand.yaml index 1bdf5f14449..235b0a79433 100644 --- a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-gpu-on-demand.yaml +++ b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-gpu-on-demand.yaml @@ -1,5 +1,5 @@ --- -apiVersion: karpenter.sh/v1beta1 +apiVersion: karpenter.sh/v1 kind: NodePool metadata: name: gpu-on-demand diff --git a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-gpu-spot.yaml b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-gpu-spot.yaml index ee8dfb1859e..ede59893385 100644 --- a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-gpu-spot.yaml +++ b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-gpu-spot.yaml @@ -1,5 +1,5 @@ --- -apiVersion: karpenter.sh/v1beta1 +apiVersion: karpenter.sh/v1 kind: NodePool metadata: name: gpu-spot From 5542f8afac0b10c9d0c95dd9d8dff6e7fa4705bc Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Tue, 7 Jan 2025 13:47:22 +0000 Subject: [PATCH 04/11] bump chart Signed-off-by: GitHub --- .../src/helm/charts/karpenter-configuration/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/Chart.yaml b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/Chart.yaml index e5dbc1b39bd..ef25734ac18 100644 
--- a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/Chart.yaml +++ b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/Chart.yaml @@ -3,4 +3,4 @@ apiVersion: v2 name: karpenter-configuration description: A Helm chart to deploy Karpenter's configuration type: application -version: 3.0.0 +version: 3.0.1 From ac5958b73034e2dfa0c066e1eb78ccbe4f23eb31 Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Tue, 7 Jan 2025 14:01:37 +0000 Subject: [PATCH 05/11] Update to node pools Signed-off-by: GitHub --- .../src/helm/charts/karpenter-configuration/Chart.yaml | 2 +- .../templates/node-pool-airflow-high-memory.yaml | 2 +- .../templates/node-pool-general-on-demand.yaml | 2 +- .../templates/node-pool-general-spot.yaml | 2 +- .../templates/node-pool-gpu-on-demand.yaml | 2 +- .../karpenter-configuration/templates/node-pool-gpu-spot.yaml | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/Chart.yaml b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/Chart.yaml index ef25734ac18..2a7fe4a28e0 100644 --- a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/Chart.yaml +++ b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/Chart.yaml @@ -3,4 +3,4 @@ apiVersion: v2 name: karpenter-configuration description: A Helm chart to deploy Karpenter's configuration type: application -version: 3.0.1 +version: 3.1.0 diff --git a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-airflow-high-memory.yaml b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-airflow-high-memory.yaml index f48da556499..ebdb41aacfb 100644 
--- a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-airflow-high-memory.yaml +++ b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-airflow-high-memory.yaml @@ -13,7 +13,7 @@ spec: compute.analytical-platform.service.justice.gov.uk/karpenter-node-pool: "airflow-high-memory" spec: nodeClassRef: - apiVersion: karpenter.k8s.aws/v1 + group: karpenter.k8s.aws kind: EC2NodeClass name: bottlerocket-general taints: diff --git a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-general-on-demand.yaml b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-general-on-demand.yaml index 6f4ef79f96f..845ee26a3ad 100644 --- a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-general-on-demand.yaml +++ b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-general-on-demand.yaml @@ -13,7 +13,7 @@ spec: compute.analytical-platform.service.justice.gov.uk/karpenter-node-pool: "general-on-demand" spec: nodeClassRef: - apiVersion: karpenter.k8s.aws/v1 + group: karpenter.k8s.aws kind: EC2NodeClass name: bottlerocket-general taints: diff --git a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-general-spot.yaml b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-general-spot.yaml index 61a77a7618e..49b5caa791f 100644 --- a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-general-spot.yaml +++ b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-general-spot.yaml 
@@ -13,7 +13,7 @@ spec: compute.analytical-platform.service.justice.gov.uk/karpenter-node-pool: "general-spot" spec: nodeClassRef: - apiVersion: karpenter.k8s.aws/v1 + group: karpenter.k8s.aws kind: EC2NodeClass name: bottlerocket-general taints: diff --git a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-gpu-on-demand.yaml b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-gpu-on-demand.yaml index 235b0a79433..da727c99e95 100644 --- a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-gpu-on-demand.yaml +++ b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-gpu-on-demand.yaml @@ -13,7 +13,7 @@ spec: compute.analytical-platform.service.justice.gov.uk/karpenter-node-pool: "gpu-on-demand" spec: nodeClassRef: - apiVersion: karpenter.k8s.aws/v1 + group: karpenter.k8s.aws kind: EC2NodeClass name: bottlerocket-gpu taints: diff --git a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-gpu-spot.yaml b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-gpu-spot.yaml index ede59893385..62b2cdd6a8b 100644 --- a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-gpu-spot.yaml +++ b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-gpu-spot.yaml @@ -13,7 +13,7 @@ spec: compute.analytical-platform.service.justice.gov.uk/karpenter-node-pool: "gpu-spot" spec: nodeClassRef: - apiVersion: karpenter.k8s.aws/v1 + group: karpenter.k8s.aws kind: EC2NodeClass name: bottlerocket-gpu taints: From a08a774fc3a5fd9cd65451b2dab069a6775f0c2f Mon Sep 17 00:00:00 2001 
From: Jacob Woffenden Date: Tue, 7 Jan 2025 16:27:40 +0000 Subject: [PATCH 06/11] Update versions Signed-off-by: GitHub --- .../environment-configuration.tf | 32 +++++++++---------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/terraform/environments/analytical-platform-compute/environment-configuration.tf b/terraform/environments/analytical-platform-compute/environment-configuration.tf index 6f8516379c8..47ceee3ba07 100644 --- a/terraform/environments/analytical-platform-compute/environment-configuration.tf +++ b/terraform/environments/analytical-platform-compute/environment-configuration.tf @@ -66,15 +66,15 @@ locals { /* EKS */ eks_sso_access_role = "modernisation-platform-developer" eks_cluster_version = "1.31" - eks_node_version = "1.26.2-360b7a38" + eks_node_version = "1.29.0-c55d099c" eks_cluster_addon_versions = { - coredns = "v1.11.3-eksbuild.2" - kube_proxy = "v1.31.2-eksbuild.2" - aws_ebs_csi_driver = "v1.36.0-eksbuild.1" - aws_efs_csi_driver = "v2.0.9-eksbuild.1" - aws_guardduty_agent = "v1.7.1-eksbuild.2" - eks_pod_identity_agent = "v1.3.2-eksbuild.2" - vpc_cni = "v1.19.0-eksbuild.1" + coredns = "v1.11.4-eksbuild.2" + kube_proxy = "v1.31.3-eksbuild.2" + aws_ebs_csi_driver = "v1.38.1-eksbuild.1" + aws_efs_csi_driver = "v2.1.3-eksbuild.1" + aws_guardduty_agent = "v1.8.1-eksbuild.2" + eks_pod_identity_agent = "v1.3.4-eksbuild.1" + vpc_cni = "v1.19.2-eksbuild.1" } /* Data Engineering Airflow */ 
@@ -110,15 +110,15 @@ locals { /* EKS */ eks_sso_access_role = "modernisation-platform-developer" eks_cluster_version = "1.31" - eks_node_version = "1.26.2-360b7a38" + eks_node_version = "1.29.0-c55d099c" eks_cluster_addon_versions = { - coredns = "v1.11.3-eksbuild.2" - kube_proxy = "v1.31.2-eksbuild.2" - aws_ebs_csi_driver = "v1.36.0-eksbuild.1" - aws_efs_csi_driver = "v2.0.9-eksbuild.1" - aws_guardduty_agent = "v1.7.1-eksbuild.2" - eks_pod_identity_agent = "v1.3.2-eksbuild.2" - vpc_cni = "v1.19.0-eksbuild.1" + coredns = "v1.11.4-eksbuild.2" + kube_proxy = "v1.31.3-eksbuild.2" + aws_ebs_csi_driver = "v1.38.1-eksbuild.1" + aws_efs_csi_driver = "v2.1.3-eksbuild.1" + aws_guardduty_agent = "v1.8.1-eksbuild.2" + eks_pod_identity_agent = "v1.3.4-eksbuild.1" + vpc_cni = "v1.19.2-eksbuild.1" } /* Data Engineering Airflow */ From 770fafd1df8bddd28811f63012f741ac6d137da8 Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Tue, 7 Jan 2025 17:20:01 +0000 Subject: [PATCH 07/11] Adding smoke test Signed-off-by: GitHub --- .../airflow-kubernetes-smoke-test/pod.yaml | 37 +++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 terraform/environments/analytical-platform-compute/contrib/airflow-kubernetes-smoke-test/pod.yaml diff --git a/terraform/environments/analytical-platform-compute/contrib/airflow-kubernetes-smoke-test/pod.yaml b/terraform/environments/analytical-platform-compute/contrib/airflow-kubernetes-smoke-test/pod.yaml new file mode 100644 index 00000000000..75f4c6900a4 --- /dev/null +++ b/terraform/environments/analytical-platform-compute/contrib/airflow-kubernetes-smoke-test/pod.yaml 
@@ -0,0 +1,37 @@ +--- +apiVersion: v1 +kind: Pod +metadata: + name: airflow-kubernetes-smoke-test + namespace: airflow +spec: + securityContext: + runAsNonRoot: true + runAsUser: 1000 + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: compute.analytical-platform.service.justice.gov.uk/karpenter-node-pool + operator: In + values: + - general-spot + tolerations: + - key: compute.analytical-platform.service.justice.gov.uk/karpenter-node-pool + operator: Equal + value: general-spot + effect: NoSchedule + restartPolicy: Never + containers: + - name: main + image: ghcr.io/ministryofjustice/analytical-platform-airflow-python-base:1.4.0 + command: ["/bin/sh", "-c", "date && cat /etc/os-release && sleep 120"] + resources: + requests: + memory: 64Mi + cpu: 100m + limits: + memory: 128Mi + cpu: 200m + From dd2aedbfa56f2dceff6c13a6f5c145b5c2e39f3f Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Tue, 7 Jan 2025 17:39:57 +0000 Subject: [PATCH 08/11] checkov skips Signed-off-by: GitHub --- .../airflow-kubernetes-smoke-test/pod.yaml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/terraform/environments/analytical-platform-compute/contrib/airflow-kubernetes-smoke-test/pod.yaml b/terraform/environments/analytical-platform-compute/contrib/airflow-kubernetes-smoke-test/pod.yaml index 75f4c6900a4..dab5bd34758 100644 --- a/terraform/environments/analytical-platform-compute/contrib/airflow-kubernetes-smoke-test/pod.yaml +++ b/terraform/environments/analytical-platform-compute/contrib/airflow-kubernetes-smoke-test/pod.yaml 
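Review bot: The smoke-test pod leaves `automountServiceAccountToken` unset, so the `airflow` namespace's default service-account token is mounted into a container whose only job is `date && cat /etc/os-release && sleep 120`; `automountServiceAccountToken: false` at the pod level removes a credential the pod never uses. The container also has no `securityContext` of its own and the pod-level one sets no seccomp profile, so privilege escalation, ambient capabilities and the default syscall surface are all left at their defaults; the block below adds those settings (PATCH 10 later adds `readOnlyRootFilesystem: true` to the same container-level block). Pinning the image by digest (`…-python-base:1.4.0@sha256:<digest>`) rather than by tag alone would make the test reproducible. The file is removed again in PATCH 11, but the intermediate commits still carry it.
```yaml
spec:
  automountServiceAccountToken: false
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    seccompProfile:
      type: RuntimeDefault
  # … unchanged: affinity, tolerations, restartPolicy …
  containers:
    - name: main
      # … unchanged: image, command, resources …
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
```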
@@ -4,6 +4,21 @@ kind: Pod metadata: name: airflow-kubernetes-smoke-test namespace: airflow + annotations: + # These Chekov checks are skipped because they are not relevant to this pod, its used for smoke testing by the platform team + checkov.io/skip1: CKV_K8S_43 + checkov.io/skip2: CKV_K8S_9 + checkov.io/skip3: CKV_K8S_31 + checkov.io/skip4: CKV_K8S_15 + checkov.io/skip5: CKV_K8S_8 + checkov.io/skip6: CKV_K8S_30 + checkov.io/skip7: CKV_K8S_37 + checkov.io/skip8: CKV_K8S_40 + checkov.io/skip9: CKV_K8S_20 + checkov.io/skip10: CKV_K8S_28 + checkov.io/skip11: CKV_K8S_22 + checkov.io/skip12: CKV_K8S_38 + checkov.io/skip13: CKV2_K8S_6 spec: securityContext: runAsNonRoot: true From 9a4187e738ec52fa5511056139c075ab65175ad5 Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Tue, 7 Jan 2025 18:02:24 +0000 Subject: [PATCH 09/11] Enable read-only root filesystem in pod.yaml --- .../contrib/airflow-kubernetes-smoke-test/pod.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform/environments/analytical-platform-compute/contrib/airflow-kubernetes-smoke-test/pod.yaml b/terraform/environments/analytical-platform-compute/contrib/airflow-kubernetes-smoke-test/pod.yaml index dab5bd34758..dedacbca0f9 100644 --- a/terraform/environments/analytical-platform-compute/contrib/airflow-kubernetes-smoke-test/pod.yaml +++ b/terraform/environments/analytical-platform-compute/contrib/airflow-kubernetes-smoke-test/pod.yaml @@ -21,6 +21,7 @@ metadata: checkov.io/skip13: CKV2_K8S_6 spec: securityContext: + readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 1000 affinity: From 04d95581b999aba1f8c369c6d5e4d1a91e53eb03 Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Tue, 7 Jan 2025 18:07:25 +0000 Subject: [PATCH 10/11] Move readOnlyRootFilesystem to container securityContext --- .../contrib/airflow-kubernetes-smoke-test/pod.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
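Review bot: Most of the thirteen `checkov.io/skip*` annotations suppress findings the manifest could satisfy in a few lines rather than being "not relevant" as the comment says — from memory of the Checkov catalogue, `CKV_K8S_20`, `CKV_K8S_28`, `CKV_K8S_37` and `CKV_K8S_31` are the privilege-escalation, capability and seccomp checks and `CKV_K8S_38` is the service-account-token mount check, all of which a container `securityContext` plus `automountServiceAccountToken: false` would clear. Probes, image pull policy, a network policy and digest pinning are arguably inapplicable to a one-shot smoke test, so the skips for those are defensible. I would keep only those and reword the comment to `# Checkov checks skipped: probes, pull policy, network policy and digest pinning are not applicable to this one-shot platform smoke-test pod`, which also fixes the `Chekov` typo and `its` → `it's`.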
diff --git a/terraform/environments/analytical-platform-compute/contrib/airflow-kubernetes-smoke-test/pod.yaml b/terraform/environments/analytical-platform-compute/contrib/airflow-kubernetes-smoke-test/pod.yaml index dedacbca0f9..061f35361b8 100644 --- a/terraform/environments/analytical-platform-compute/contrib/airflow-kubernetes-smoke-test/pod.yaml +++ b/terraform/environments/analytical-platform-compute/contrib/airflow-kubernetes-smoke-test/pod.yaml @@ -21,7 +21,6 @@ metadata: checkov.io/skip13: CKV2_K8S_6 spec: securityContext: - readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 1000 affinity: @@ -50,4 +49,5 @@ spec: limits: memory: 128Mi cpu: 200m - + securityContext: + readOnlyRootFilesystem: true From 07b8ddfbc3df05b6d694305e46b2f702f00db243 Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Wed, 8 Jan 2025 09:23:18 +0000 Subject: [PATCH 11/11] delete pod Signed-off-by: GitHub --- .../airflow-kubernetes-smoke-test/pod.yaml | 53 ------------------- 1 file changed, 53 deletions(-) delete mode 100644 terraform/environments/analytical-platform-compute/contrib/airflow-kubernetes-smoke-test/pod.yaml diff --git a/terraform/environments/analytical-platform-compute/contrib/airflow-kubernetes-smoke-test/pod.yaml b/terraform/environments/analytical-platform-compute/contrib/airflow-kubernetes-smoke-test/pod.yaml deleted file mode 100644 index 061f35361b8..00000000000 --- a/terraform/environments/analytical-platform-compute/contrib/airflow-kubernetes-smoke-test/pod.yaml +++ /dev/null 
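Review bot: With `readOnlyRootFilesystem: true` now on the container, the `checkov.io/skip11: CKV_K8S_22` annotation added in PATCH 08 — as far as I recall the read-only-root-filesystem check — no longer suppresses anything and should be dropped so the annotation list reflects what is actually waived. This container-level `securityContext` block is also where `allowPrivilegeEscalation: false` and `capabilities: { drop: ["ALL"] }` belong, which would retire two more of the skips. The earlier placement under the pod-level `securityContext` in PATCH 09 was not a valid PodSecurityContext field; a one-line commit body saying so would help anyone bisecting the history later.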
@@ -1,53 +0,0 @@ ---- -apiVersion: v1 -kind: Pod -metadata: - name: airflow-kubernetes-smoke-test - namespace: airflow - annotations: - # These Chekov checks are skipped because they are not relevant to this pod, its used for smoke testing by the platform team - checkov.io/skip1: CKV_K8S_43 - checkov.io/skip2: CKV_K8S_9 - checkov.io/skip3: CKV_K8S_31 - checkov.io/skip4: CKV_K8S_15 - checkov.io/skip5: CKV_K8S_8 - checkov.io/skip6: CKV_K8S_30 - checkov.io/skip7: CKV_K8S_37 - checkov.io/skip8: CKV_K8S_40 - checkov.io/skip9: CKV_K8S_20 - checkov.io/skip10: CKV_K8S_28 - checkov.io/skip11: CKV_K8S_22 - checkov.io/skip12: CKV_K8S_38 - checkov.io/skip13: CKV2_K8S_6 -spec: - securityContext: - runAsNonRoot: true - runAsUser: 1000 - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: compute.analytical-platform.service.justice.gov.uk/karpenter-node-pool - operator: In - values: - - general-spot - tolerations: - - key: compute.analytical-platform.service.justice.gov.uk/karpenter-node-pool - operator: Equal - value: general-spot - effect: NoSchedule - restartPolicy: Never - containers: - - name: main - image: ghcr.io/ministryofjustice/analytical-platform-airflow-python-base:1.4.0 - command: ["/bin/sh", "-c", "date && cat /etc/os-release && sleep 120"] - resources: - requests: - memory: 64Mi - cpu: 100m - limits: - memory: 128Mi - cpu: 200m - securityContext: - readOnlyRootFilesystem: true