Merge pull request #3 from Grupo-G03-4SOAT-FIAP/feature/87/terraform

ci: Melhorias no Terraform

main.tf

@@ -1,29 +1,67 @@
-provider "aws" {
-  region = local.region
-}
-
 locals {
   region = "us-east-1"
+
+  tags = {
+    Project     = "rms"
+    Terraform   = "true"
+    Environment = "prod"
+  }
 }
 
+/*
+# Command shortcuts
+terraform init
+terraform fmt
+terraform validate
+terraform plan
+terraform apply
+terraform apply --auto-approve
+terraform apply -var "name=value"
+terraform show
+terraform destroy
+terraform destroy --auto-approve
+*/
+
 module "network" {
   source = "./modules/network"
+
+  region = local.region
+  tags   = local.tags
 }
 
 module "db" {
   source = "./modules/db"
 
+  region = local.region
+
   vpc_id          = module.network.vpc_id
   public_subnets  = module.network.public_subnets
   private_subnets = module.network.private_subnets
+
+  tags = local.tags
 }
 
 module "cluster_k8s" {
   source = "./modules/cluster_k8s"
 
+  region = local.region
+
   vpc_id          = module.network.vpc_id
   public_subnets  = module.network.public_subnets
   private_subnets = module.network.private_subnets
+
+  app_namespace       = "rms" # O "name" do namespace do k8s onde será executada a sua aplicação
+  serviceaccount_name = "eksdemo-secretmanager-sa"
+
+  tags = local.tags
+}
+
+module "secrets_mercadopago" {
+  source = "./modules/secrets-mercadopago"
+
+  region              = local.region
+  role_name_to_attach = module.cluster_k8s.serviceaccount_role_name
+  tags                = local.tags
 }
 
 # Baseado no tutorial "Build and use a local module" do portal HashiCorp Developer em 

modules/cluster_k8s/main.tf

@@ -28,17 +28,10 @@ provider "helm" {
   }
 }
 
-data "aws_availability_zones" "available" {}
-
 locals {
-  # name   = basename(path.cwd)
-  name   = "rms-eks"
-  region = "us-east-1"
-
-  tags = {
-    Blueprint  = local.name
-    GithubRepo = "github.com/aws-ia/terraform-aws-eks-blueprints"
-  }
+  name   = "rms-prd-k8scluster"
+  region = var.region
+  tags   = var.tags
 }
 
 ################################################################################
@@ -47,7 +40,7 @@ locals {
 
 module "eks" {
   source  = "terraform-aws-modules/eks/aws"
-  version = "~> 20.5"
+  version = "~> 20.8"
 
   cluster_name                   = local.name
   cluster_version                = "1.29"
@@ -67,7 +60,7 @@ module "eks" {
   subnet_ids = var.private_subnets
 
   eks_managed_node_groups = {
-    initial = {
+    default = {
       instance_types = ["t3.medium"] # A instance_type do Free Tier é t2.micro
 
       min_size     = 1
@@ -83,9 +76,12 @@ module "eks" {
 # EKS Blueprints Addons
 ################################################################################
 
+# Terraform module which provisions addons on Amazon EKS clusters
+# https://registry.terraform.io/modules/aws-ia/eks-blueprints-addons/aws/latest
+
 module "eks_blueprints_addons" {
   source  = "aws-ia/eks-blueprints-addons/aws"
-  version = "~> 1.15"
+  version = "~> 1.16"
 
   cluster_name      = module.eks.cluster_name
   cluster_endpoint  = module.eks.cluster_endpoint
@@ -116,7 +112,7 @@ resource "helm_release" "csi-secrets-store" {
   namespace  = "kube-system"
 
   # Optional Values
-  # https://secrets-store-csi-driver.sigs.k8s.io/getting-started/installation.html#optional-values
+  # See https://secrets-store-csi-driver.sigs.k8s.io/getting-started/installation.html#optional-values
   set {
     name  = "syncSecret.enabled"
     value = "true"
@@ -145,11 +141,57 @@ resource "helm_release" "secrets-provider-aws" {
   ]
 }
 
+################################################################################
+# Namespaces
+################################################################################
+
+# Declare o(s) namespaces caso deseje que o Terraform exclua os Services, 
+# e consequentemente os Load Balancers atrelados a eles, ao fazer "terraform destroy"
+
+resource "kubernetes_namespace_v1" "rms" {
+  metadata {
+    name = var.app_namespace
+  }
+
+  depends_on = [
+    module.eks
+  ]
+}
+
 ################################################################################
 # Supporting Resources
 ################################################################################
 
+# Configuração de uma conta de serviço do Kubernetes para assumir um perfil do IAM
+# Todos os Pods configurados para usar a conta de serviço podem então acessar quaisquer AWS service (Serviço da AWS) para os quais a função tenha permissões de acesso.
+# https://docs.aws.amazon.com/pt_br/eks/latest/userguide/associate-service-account-role.html
+
+resource "aws_iam_role" "serviceaccount_role" {
+  name = "eksdemo-secretsmanager-role"
+
+  # Terraform's "jsonencode" function converts a
+  # Terraform expression result to valid JSON syntax.
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Principal = {
+          Federated = module.eks.oidc_provider_arn
+        }
+        Action = "sts:AssumeRoleWithWebIdentity"
+        Condition = {
+          StringEquals = {
+            "${module.eks.oidc_provider}:aud" : "sts.amazonaws.com",
+            "${module.eks.oidc_provider}:sub" : "system:serviceaccount:${var.app_namespace}:${var.serviceaccount_name}"
+          }
+        }
+      },
+    ]
+  })
 
+  tags = local.tags
+}
 
 # NOTAS
 

modules/cluster_k8s/outputs.tf

@@ -18,6 +18,26 @@ output "cluster_name" {
   value       = module.eks.cluster_name
 }
 
+output "oidc_provider" {
+  description = "The OpenID Connect identity provider"
+  value       = module.eks.oidc_provider
+}
+
+output "oidc_provider_arn" {
+  description = "The ARN of the OIDC Provider"
+  value       = module.eks.oidc_provider_arn
+}
+
+output "serviceaccount_role_name" {
+  description = "Friendly name of the role"
+  value       = aws_iam_role.serviceaccount_role.name
+}
+
+output "serviceaccount_role_arn" {
+  description = "Amazon Resource Name (ARN) specifying the role."
+  value       = aws_iam_role.serviceaccount_role.arn
+}
+
 output "configure_kubectl" {
   description = "Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig"
   value       = "aws eks --region ${local.region} update-kubeconfig --name ${module.eks.cluster_name}"

modules/cluster_k8s/variables.tf

@@ -1,3 +1,14 @@
+variable "region" {
+  default     = "us-east-1"
+  description = "AWS region"
+}
+
+variable "tags" {
+  description = "Tags to set."
+  type        = map(string)
+  default     = {}
+}
+
 variable "vpc_id" {
   description = "The ID of the VPC"
   type        = string
@@ -12,3 +23,14 @@ variable "private_subnets" {
   description = "A list of private subnets inside the VPC"
   type        = list(string)
 }
+
+variable "app_namespace" {
+  description = "In Kubernetes, namespaces provides a mechanism for isolating groups of resources within a single cluster."
+  type        = string
+}
+
+variable "serviceaccount_name" {
+  description = "A service account provides an identity for processes that run in a Pod, and maps to a ServiceAccount object."
+  default     = "iam-sa" # eksdemo-secretmanager-sa
+  type        = string
+}

modules/cluster_k8s/versions.tf

@@ -4,22 +4,15 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.39"
+      version = ">= 5.40"
     }
     helm = {
       source  = "hashicorp/helm"
       version = ">= 2.12"
     }
     kubernetes = {
       source  = "hashicorp/kubernetes"
-      version = ">= 2.26"
+      version = ">= 2.27"
     }
   }
-
-  # ##  Used for end-to-end testing on project; update to suit your needs
-  # backend "s3" {
-  #   bucket = "terraform-ssp-github-actions-state"
-  #   region = "us-west-2"
-  #   key    = "e2e/istio/terraform.tfstate"
-  # }
 }

modules/db/main.tf

@@ -6,11 +6,7 @@ resource "aws_db_subnet_group" "rms" {
   name       = "rms-prod-subnetgroup"
   subnet_ids = var.public_subnets
 
-  tags = {
-    Project     = "rms"
-    Terraform   = "true"
-    Environment = "prod"
-  }
+  tags = var.tags
 }
 
 resource "aws_security_group" "rds" {
@@ -31,11 +27,7 @@ resource "aws_security_group" "rds" {
     cidr_blocks = ["0.0.0.0/0"]
   }
 
-  tags = {
-    Project     = "rms"
-    Terraform   = "true"
-    Environment = "prod"
-  }
+  tags = var.tags
 }
 
 resource "aws_db_parameter_group" "rms" {
@@ -63,11 +55,7 @@ resource "aws_db_instance" "rms" {
   publicly_accessible         = true
   skip_final_snapshot         = true
 
-  tags = {
-    Project     = "rms"
-    Terraform   = "true"
-    Environment = "prod"
-  }
+  tags = var.tags
 }
 
 # Use the output of the `master_user_secret` object, which includes `secret_arn`,

modules/db/variables.tf

@@ -3,6 +3,12 @@ variable "region" {
   description = "AWS region"
 }
 
+variable "tags" {
+  description = "Tags to set."
+  type        = map(string)
+  default     = {}
+}
+
 variable "vpc_id" {
   description = "The ID of the VPC"
   type        = string