Govcloud

alb.tf

@@ -1,6 +1,6 @@
 resource "helm_release" "aws_load_balancer" {
   count      = var.aws_load_balancer_controller_enabled ? 1 : 0
-  name       = var.alb_name
+  name       = local.alb_name
   namespace  = "kube-system"
   repository = "https://aws.github.io/eks-charts"
   chart      = "aws-load-balancer-controller"
@@ -21,7 +21,7 @@ vpcId: ${aws_vpc.vpc.id}
 serviceAccount:
   controller:
     create: true
-    name: ${var.alb_name}
+    name: ${local.alb_name}
     ## Enable if EKS IAM for SA is used
     annotations:
       eks.amazonaws.com/role-arn: "${module.iam_assumable_role_alb.this_iam_role_arn}"

cluster.tf

@@ -44,7 +44,9 @@ resource "aws_eks_addon" "core" {
   resolve_conflicts = "OVERWRITE"
 
   depends_on = [
-    kubernetes_config_map.aws_auth
+    kubernetes_config_map.aws_auth,
+    aws_autoscaling_group.nodes_blue,
+    aws_autoscaling_group.nodes_green,
   ]
 }
 
@@ -74,11 +76,11 @@ POLICY
 }
 
 resource "aws_iam_role_policy_attachment" "cluster-AmazonEKSClusterPolicy" {
-  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
+  policy_arn = "arn:${local.arn_env}:iam::aws:policy/AmazonEKSClusterPolicy"
   role       = aws_iam_role.cluster.name
 }
 
 resource "aws_iam_role_policy_attachment" "cluster-AmazonEKSServicePolicy" {
-  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSServicePolicy"
+  policy_arn = "arn:${local.arn_env}:iam::aws:policy/AmazonEKSServicePolicy"
   role       = aws_iam_role.cluster.name
 }

fargate.tf

@@ -32,6 +32,6 @@ resource "aws_iam_role" "fargate" {
 }
 
 resource "aws_iam_role_policy_attachment" "fargate-AmazonEKSFargatePodExecutionRolePolicy" {
-  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy"
+  policy_arn = "arn:${local.arn_env}:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy"
   role       = aws_iam_role.fargate.name
 }

iam.tf

@@ -61,12 +61,12 @@ module "iam_assumable_role_alb" {
   source           = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
   version          = "3.6.0"
   create_role      = true
-  role_name        = "${var.environment_name}-${var.alb_name}"
+  role_name        = "${var.environment_name}-${local.alb_name}"
   provider_url     = replace(aws_iam_openid_connect_provider.cluster.url, "https://", "")
   role_policy_arns = [aws_iam_policy.alb.arn]
   # namespace and service account name
   oidc_fully_qualified_subjects = [
-    "system:serviceaccount:kube-system:${var.alb_name}"
+    "system:serviceaccount:kube-system:${local.alb_name}"
   ]
   tags = local.tags
 }
@@ -156,7 +156,7 @@ resource "aws_iam_policy" "alb" {
             "Action": [
                 "ec2:CreateTags"
             ],
-            "Resource": "arn:aws:ec2:*:*:security-group/*",
+            "Resource": "arn:${local.arn_env}:ec2:*:*:security-group/*",
             "Condition": {
                 "StringEquals": {
                     "ec2:CreateAction": "CreateSecurityGroup"
@@ -172,7 +172,7 @@ resource "aws_iam_policy" "alb" {
                 "ec2:CreateTags",
                 "ec2:DeleteTags"
             ],
-            "Resource": "arn:aws:ec2:*:*:security-group/*",
+            "Resource": "arn:${local.arn_env}:ec2:*:*:security-group/*",
             "Condition": {
                 "Null": {
                     "aws:RequestTag/elbv2.k8s.aws/cluster": "true",
@@ -224,9 +224,9 @@ resource "aws_iam_policy" "alb" {
                 "elasticloadbalancing:RemoveTags"
             ],
             "Resource": [
-                "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
-                "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
-                "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
+                "arn:${local.arn_env}:elasticloadbalancing:*:*:targetgroup/*/*",
+                "arn:${local.arn_env}:elasticloadbalancing:*:*:loadbalancer/net/*/*",
+                "arn:${local.arn_env}:elasticloadbalancing:*:*:loadbalancer/app/*/*"
             ],
             "Condition": {
                 "Null": {
@@ -242,10 +242,10 @@ resource "aws_iam_policy" "alb" {
                 "elasticloadbalancing:RemoveTags"
             ],
             "Resource": [
-                "arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*",
-                "arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*",
-                "arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
-                "arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
+                "arn:${local.arn_env}:elasticloadbalancing:*:*:listener/net/*/*/*",
+                "arn:${local.arn_env}:elasticloadbalancing:*:*:listener/app/*/*/*",
+                "arn:${local.arn_env}:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
+                "arn:${local.arn_env}:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
             ]
         },
         {
@@ -273,7 +273,7 @@ resource "aws_iam_policy" "alb" {
                 "elasticloadbalancing:RegisterTargets",
                 "elasticloadbalancing:DeregisterTargets"
             ],
-            "Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
+            "Resource": "arn:${local.arn_env}:elasticloadbalancing:*:*:targetgroup/*/*"
         },
         {
             "Effect": "Allow",
@@ -327,8 +327,8 @@ resource "aws_iam_policy" "ebs" {
         "ec2:CreateTags"
       ],
       "Resource": [
-        "arn:aws:ec2:*:*:volume/*",
-        "arn:aws:ec2:*:*:snapshot/*"
+        "arn:${local.arn_env}:ec2:*:*:volume/*",
+        "arn:${local.arn_env}:ec2:*:*:snapshot/*"
       ],
       "Condition": {
         "StringEquals": {
@@ -345,8 +345,8 @@ resource "aws_iam_policy" "ebs" {
         "ec2:DeleteTags"
       ],
       "Resource": [
-        "arn:aws:ec2:*:*:volume/*",
-        "arn:aws:ec2:*:*:snapshot/*"
+        "arn:${local.arn_env}:ec2:*:*:volume/*",
+        "arn:${local.arn_env}:ec2:*:*:snapshot/*"
       ]
     },
     {

karpenter.tf

@@ -1,5 +1,5 @@
 data "aws_iam_policy" "ssm_managed_instance" {
-  arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+  arn = "arn:${local.arn_env}:iam::aws:policy/AmazonSSMManagedInstanceCore"
 }
 
 resource "aws_iam_role_policy_attachment" "karpenter_ssm_policy" {

kubernetes.tf

@@ -61,7 +61,7 @@ CONFIGMAPAWSAUTH
 
     mapUsers = <<CONFIGMAPAWSUSERS
 %{for user in var.iam_users~}
-- userarn: arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/${user}
+- userarn: arn:${local.arn_env}:iam::${data.aws_caller_identity.current.account_id}:user/${user}
   username: ${user}
   groups:
     - system:masters

locals.tf

@@ -1,5 +1,8 @@
 locals {
+  alb_name = "aws-load-balancer-controller"
+  arn_env  = var.govcloud ? "aws-us-gov" : "aws"
+
   tags = merge(var.tags, {
     "KubespotEnvironment" = var.environment_name
   })
-}
+}

node.tf

@@ -22,8 +22,6 @@ resource "aws_launch_configuration" "nodes_blue" {
   user_data_base64            = base64encode(local.node-userdata)
   associate_public_ip_address = var.nodes_in_public_subnet
 
-  key_name = var.ec2_keypair
-
   root_block_device {
     volume_size = var.nodes_blue_root_device_size
     encrypted   = true
@@ -82,8 +80,6 @@ resource "aws_launch_configuration" "nodes_green" {
   user_data_base64            = base64encode(local.node-userdata)
   associate_public_ip_address = var.nodes_in_public_subnet
 
-  key_name = var.ec2_keypair
-
   root_block_device {
     volume_size = var.nodes_green_root_device_size
     encrypted   = true

node_role.tf

@@ -16,23 +16,23 @@ resource "aws_iam_role" "node" {
 }
 
 resource "aws_iam_role_policy_attachment" "node-AmazonEKSWorkerNodePolicy" {
-  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
+  policy_arn = "arn:${local.arn_env}:iam::aws:policy/AmazonEKSWorkerNodePolicy"
   role       = aws_iam_role.node.name
 }
 
 resource "aws_iam_role_policy_attachment" "node-AmazonEKS_CNI_Policy" {
-  policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
+  policy_arn = "arn:${local.arn_env}:iam::aws:policy/AmazonEKS_CNI_Policy"
   role       = aws_iam_role.node.name
 }
 
 resource "aws_iam_role_policy_attachment" "node-AmazonEC2ContainerRegistryReadOnly" {
-  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+  policy_arn = "arn:${local.arn_env}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
   role       = aws_iam_role.node.name
 }
 
 resource "aws_iam_role_policy_attachment" "aws_node_oidc" {
   role       = aws_iam_role.node_oidc.name
-  policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
+  policy_arn = "arn:${local.arn_env}:iam::aws:policy/AmazonEKS_CNI_Policy"
 }
 
 resource "aws_iam_role_policy_attachment" "node_role_policies" {

variables.tf

@@ -8,11 +8,6 @@ variable "cluster_version" {
   description = "Desired Kubernetes master version"
 }
 
-variable "alb_name" {
-  default     = "aws-load-balancer-controller"
-  description = "Release name of the ALB controller chart"
-}
-
 variable "aws_load_balancer_controller_enabled" {
   default     = true
   description = "Enable ALB controller by default"
@@ -90,11 +85,6 @@ variable "eips" {
   description = "List of Elastic IPs"
 }
 
-variable "ec2_keypair" {
-  default     = "opszero"
-  description = "Key name of the Key Pair to use for the EKS nodes"
-}
-
 variable "iam_users" {
   default     = []
   description = "List of IAM users"
@@ -342,16 +332,16 @@ variable "efs_enabled" {
 variable "sso_roles" {
   default = {
     admin_roles = [
-      // "arn:aws:iam::12345:role/AWSReservedSSO_AD-EKS-Admins_b2abd90bad1696ac"
+      // "arn:${local.arn_env}:iam::12345:role/AWSReservedSSO_AD-EKS-Admins_b2abd90bad1696ac"
     ]
     readonly_roles = [
-      // "arn:aws:iam::12345:role/AWSReservedSSO_AD-EKS-ReadOnly_2c5eb8d559b68cb5"
+      // "arn:${local.arn_env}:iam::12345:role/AWSReservedSSO_AD-EKS-ReadOnly_2c5eb8d559b68cb5"
     ]
     dev_roles = [
-      // "arn:aws:iam::12345:role/AWSReservedSSO_AD-EKS-Developers_ac2b0d744059fcd6"
+      // "arn:${local.arn_env}:iam::12345:role/AWSReservedSSO_AD-EKS-Developers_ac2b0d744059fcd6"
     ]
     monitoring_roles = [
-      // "arn:aws:iam::12345:role/AWSReservedSSO_AD-EKS-Monitoring-Admins_ac2b0d744059fcd6"
+      // "arn:${local.arn_env}:iam::12345:role/AWSReservedSSO_AD-EKS-Monitoring-Admins_ac2b0d744059fcd6"
     ]
   }
   description = "Terraform object of the IAM roles"
@@ -456,3 +446,10 @@ variable "alb_controller_version" {
   description = "The chart version of the ALB controller helm chart"
   default     = "1.4.4"
 }
+
+
+variable "govcloud" {
+  type        = bool
+  description = "Set if the environment is govcloud"
+  default     = false
+}