diff --git a/.github/workflows/build_push.yml b/.github/workflows/build_push.yml index 9233274..8b199c7 100644 --- a/.github/workflows/build_push.yml +++ b/.github/workflows/build_push.yml @@ -22,8 +22,10 @@ jobs: docker tag ghcr.io/gabrielpalmar/hivebox:$(cat version.txt) ghcr.io/gabrielpalmar/hivebox:latest - name: Push Docker image to GHCR + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin + echo "$GITHUB_TOKEN" | docker login ghcr.io -u ${{ github.actor }} --password-stdin docker push ghcr.io/gabrielpalmar/hivebox:$(cat version.txt) docker push ghcr.io/gabrielpalmar/hivebox:latest @@ -55,13 +57,15 @@ jobs: helm package ./helm-chart - name: Push Helm Chart to GHCR + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | CHART_FILE="hivebox-$(cat version.txt).tgz" if [ ! -f "$CHART_FILE" ]; then echo "Helm chart $CHART_FILE not found" exit 1 fi - echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ghcr.io -u ${{ github.actor }} --password-stdin + echo "$GITHUB_TOKEN" | helm registry login ghcr.io -u ${{ github.actor }} --password-stdin helm push $CHART_FILE oci://ghcr.io/gabrielpalmar/hivebox-helm-charts - name: Add job summary diff --git a/.github/workflows/build_test.yml b/.github/workflows/build_test.yml index 2db0c65..b5e5ba9 100644 --- a/.github/workflows/build_test.yml +++ b/.github/workflows/build_test.yml @@ -35,13 +35,7 @@ jobs: pip install vcrpy - name: Run tests - run: | - python tests/test_main.py - TEST_EXIT_CODE=$? - if [ $TEST_EXIT_CODE -ne 0 ]; then - echo "Tests failed!" - exit $TEST_EXIT_CODE - fi + run: python tests/test_main.py - name: Stop Docker container run: docker stop $(docker ps -q) \ No newline at end of file diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml index 76244e8..f8b350b 100644 --- a/.github/workflows/sonarqube.yml +++ b/.github/workflows/sonarqube.yml 
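Review bot: The changed `docker login` line still interpolates `${{ github.actor }}` straight into the shell script, while the token was moved to `env:`; passing the user the same way keeps the whole `run:` block free of expression interpolation, e.g. `GH_ACTOR: ${{ github.actor }}` under `env:` and `-u "$GH_ACTOR"` in the script. The same applies to the `helm registry login` line in the second hunk of this file (@@ -55,13 +57,15). It is also worth confirming, outside this hunk, that the job's `permissions:` block grants `packages: write`, which `GITHUB_TOKEN` needs for the push to GHCR.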
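Review bot: With the wrapper gone, a failing `python tests/test_main.py` ends the job at this step, and the `Stop Docker container` step visible in the hunk does not run unless it carries `if: always()`; the old script behaved the same way under the default `bash -e` shell (the `$?` check was unreachable after a failure), so the simplification is behaviour-neutral, but the cleanup gap remains and matters on self-hosted runners. Suggest `if: always()` on the stop step. The file also still lacks a trailing newline, as the `\ No newline at end of file` marker shows.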
@@ -36,7 +36,7 @@ jobs: working-directory: ${{ github.workspace }} - name: Analyze with SonarQube - uses: SonarSource/sonarqube-scan-action@master + uses: SonarSource/sonarqube-scan-action@v5 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} diff --git a/Dockerfile b/Dockerfile index f2e35ed..a28753f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -10,14 +10,12 @@ COPY version.txt requirements.txt /app/ RUN pip install --no-cache-dir -r /app/requirements.txt --require-hashes && \ chown -R appuser:appgroup /app -ENV FLASK_APP=app.main.py:app \ +ENV FLASK_APP=app.main:app \ PYTHONUNBUFFERED=1 \ REDIS_PORT=6379 \ REDIS_DB=0 \ CACHE_TTL=300 \ MINIO_PORT=9000 \ - MINIO_ACCESS_KEY=minioadmin \ - MINIO_SECRET_KEY=minioadmin \ REDIS_HOST=redis \ MINIO_HOST=minio diff --git a/app/opensense.py b/app/opensense.py index 930240f..54f12d9 100644 --- a/app/opensense.py +++ b/app/opensense.py @@ -9,8 +9,6 @@ # Use shared Redis client redis_client, REDIS_AVAILABLE = create_redis_client() -_sensor_stats = {"total_sensors": 0, "null_count": 0} - def classify_temperature(average): '''Classify temperature based on ranges using dictionary approach''' # Define temperature ranges and their classifications @@ -135,11 +133,11 @@ def get_temperature(): return f"Error: API request failed - {e}\n", {"total_sensors": 0, "null_count": 0} # Process the data (keeping the existing logic) - _sensor_stats["total_sensors"] = sum(1 for d in data if isinstance(d, dict) and "sensors" in d) + sensor_stats = {"total_sensors": 0, "null_count": 0} + sensor_stats["total_sensors"] = sum(1 for d in data if isinstance(d, dict) and "sensors" in d) res = [d.get('sensors') for d in data if isinstance(d, dict) and 'sensors' in d] temp_list = [] - _sensor_stats["null_count"] = 0 for sensor_list in res: for measure in sensor_list: 
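Review bot: Pinning `SonarSource/sonarqube-scan-action` to `@v5` is better than `@master`, but a major-version tag is still mutable and can be moved upstream; pinning to the full commit SHA of the release with the tag in a comment, `uses: SonarSource/sonarqube-scan-action@<commit-sha> # v5`, makes the action reproducible and lets Dependabot/Renovate manage bumps. This is the step that receives both `GITHUB_TOKEN` and `SONAR_TOKEN`, so it is where third-party action code sees the most privilege in the workflow.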
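Review bot: Dropping the baked-in `minioadmin` defaults from `ENV` is the right call, but anyone running the image outside the Helm/Kustomize manifests (plain `docker run`, compose) now has to supply `MINIO_ACCESS_KEY` and `MINIO_SECRET_KEY` themselves, and nothing in this diff documents that. A one-line comment above the `ENV` block, `# MINIO_ACCESS_KEY / MINIO_SECRET_KEY must be provided at runtime (see app/storage.py)`, or a README note would save the next person a failed first run.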
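Review bot: Replacing the module-level `_sensor_stats` with a per-call dict removes mutable state shared between requests, which is the right fix; the new code creates the dict and then immediately overwrites `total_sensors`, so the two lines can be a single literal, `sensor_stats = {"total_sensors": sum(1 for d in data if isinstance(d, dict) and "sensors" in d), "null_count": 0}`. `get_temperature` starts before this hunk, and the later hunks in this file (@@ -149,9 +147,9 and @@ -169,4 +167,4) only follow the rename.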
@@ -149,9 +147,9 @@ def get_temperature(): try: temp_list.append(float(last['value'])) except (TypeError, ValueError): - _sensor_stats["null_count"] += 1 + sensor_stats["null_count"] += 1 else: - _sensor_stats["null_count"] += 1 + sensor_stats["null_count"] += 1 average = sum(temp_list) / len(temp_list) if temp_list else 0.0 @@ -169,4 +167,4 @@ def get_temperature(): except redis.RedisError as e: print(f"Redis error while caching data: {e}") - return result, _sensor_stats + return result, sensor_stats diff --git a/app/storage.py b/app/storage.py index 8708972..836fede 100644 --- a/app/storage.py +++ b/app/storage.py @@ -8,11 +8,14 @@ MINIO_HOST = os.getenv('MINIO_HOST', 'localhost') MINIO_PORT = int(os.environ.get('MINIO_PORT', 9000)) -MINIO_ACCESS_KEY = os.environ.get('MINIO_ACCESS_KEY', 'minioadmin') -MINIO_SECRET_KEY = os.environ.get('MINIO_SECRET_KEY', 'minioadmin') +MINIO_ACCESS_KEY = os.environ.get('MINIO_ACCESS_KEY', '') +MINIO_SECRET_KEY = os.environ.get('MINIO_SECRET_KEY', '') def store_temperature_data(): '''Function to upload temperature data to MinIO.''' + if not MINIO_ACCESS_KEY or not MINIO_SECRET_KEY: + return "Error: MINIO_ACCESS_KEY and MINIO_SECRET_KEY must be set\n" + try: client = Minio(f"{MINIO_HOST}:{MINIO_PORT}", access_key=MINIO_ACCESS_KEY, diff --git a/helm-chart/templates/cronjob.yaml b/helm-chart/templates/cronjob.yaml index 0894aab..0adf3a5 100644 --- a/helm-chart/templates/cronjob.yaml +++ b/helm-chart/templates/cronjob.yaml 
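Review bot: The new guard returns an error string rather than logging or raising, so a missing credential is only visible if the caller inspects the return value; the other return paths of `store_temperature_data` are outside this hunk, so whether callers already branch on the `Error:` prefix cannot be confirmed here, and a `logging.error(...)` next to the `return` would make the misconfiguration show up in pod logs regardless. Note also that `MINIO_ACCESS_KEY`/`MINIO_SECRET_KEY` are read once at import time, which is fine for containers but means tests that set the environment after import will not see the values.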
@@ -21,15 +21,19 @@ spec: args: - | set -eu - while true; do + MAX_RETRIES=60 + COUNTER=0 + while [ $COUNTER -lt $MAX_RETRIES ]; do if curl -sSf -m 3 http://hivebox-service/version >/dev/null; then echo "Hivebox service is up!" exit 0 - else - echo "Waiting for Hivebox service to be available..." - sleep 5 fi + echo "Waiting for Hivebox service... ($COUNTER/$MAX_RETRIES)" + sleep 5 + COUNTER=$((COUNTER+1)) done + echo "Timed out waiting for Hivebox service" + exit 1 securityContext: {{- include "common.containerSecurityContext" . | nindent 16 }} resources: diff --git a/helm-chart/templates/deployment.yaml b/helm-chart/templates/deployment.yaml index a133bae..0bfb5dd 100644 --- a/helm-chart/templates/deployment.yaml +++ b/helm-chart/templates/deployment.yaml @@ -40,6 +40,16 @@ spec: value: {{ .Values.services.redis | quote }} - name: MINIO_HOST value: {{ .Values.services.minio | quote }} + - name: MINIO_ACCESS_KEY + valueFrom: + secretKeyRef: + name: minio-credentials + key: access-key + - name: MINIO_SECRET_KEY + valueFrom: + secretKeyRef: + name: minio-credentials + key: secret-key securityContext: {{- include "common.containerSecurityContext" . | nindent 12 }} resources: @@ -130,9 +140,15 @@ spec: command: ["minio", "server", "/data"] env: - name: MINIO_ROOT_USER - value: {{ .Values.minio.accessKey | quote }} + valueFrom: + secretKeyRef: + name: minio-credentials + key: access-key - name: MINIO_ROOT_PASSWORD - value: {{ .Values.minio.secretKey | quote }} + valueFrom: + secretKeyRef: + name: minio-credentials + key: secret-key securityContext: {{- include "common.containerSecurityContext" . | nindent 12 }} resources: diff --git a/helm-chart/templates/ingress.yaml b/helm-chart/templates/ingress.yaml index eaaff86..18d00db 100644 --- a/helm-chart/templates/ingress.yaml +++ b/helm-chart/templates/ingress.yaml @@ -1,3 +1,4 @@ +{{- if .Values.ingress.enabled }} apiVersion: networking.k8s.io/v1 kind: Ingress metadata: 
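Review bot: `MAX_RETRIES=60` with `sleep 5` and a 3-second curl timeout gives roughly a five-to-eight-minute wait, hard-coded here and again in the identical loop in `kustomize/base/cronjob.yaml` (@@ -24,15 +24,19); since this file is a Helm template, exposing it as a value, e.g. `MAX_RETRIES={{ .Values.waitMaxRetries | default 60 }}` (value name illustrative), avoids editing the script for slower clusters. Quoting the operands, `while [ "$COUNTER" -lt "$MAX_RETRIES" ]; do`, keeps shellcheck clean under `set -eu`. The bounded loop and the non-zero exit on timeout are a clear improvement over the previous `while true`.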
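Review bot: The Secret name `minio-credentials` is hard-coded in the new `secretKeyRef` blocks here and in the second hunk of this file (@@ -130,9 +140,15), and again in `templates/secrets.yaml`, so two releases of the chart in one namespace would collide on the same Secret; Helm charts usually derive the name from the release, e.g. `name: {{ .Release.Name }}-minio-credentials`, or take it from a shared named template so the Secret and its consumers cannot drift apart. If the chart is only ever installed once per namespace this is acceptable, but that assumption deserves a comment.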
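Review bot: `{{- if .Values.ingress.enabled }}` renders nothing when `ingress.enabled` is absent from `values.yaml`, because an undefined value is falsy in Go templates; `values.yaml` is not part of this diff, so confirm it now declares `ingress.enabled` with a documented default, otherwise existing installs silently lose their Ingress on the next upgrade. The matching `{{- end }}` lands in the second hunk (@@ -18,4 +19,5), which also fixes the missing trailing newline.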
@@ -18,4 +19,5 @@ spec: service: name: {{ .Values.ingress.serviceName | default "hivebox-service" }} port: - number: {{ .Values.ingress.servicePort | default 80 }} \ No newline at end of file + number: {{ .Values.ingress.servicePort | default 80 }} +{{- end }} diff --git a/helm-chart/templates/secrets.yaml b/helm-chart/templates/secrets.yaml new file mode 100644 index 0000000..3581c44 --- /dev/null +++ b/helm-chart/templates/secrets.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Secret +metadata: + name: minio-credentials + labels: + app: minio +type: Opaque +data: + access-key: {{ .Values.minio.accessKey | b64enc | quote }} + secret-key: {{ .Values.minio.secretKey | b64enc | quote }} diff --git a/kustomize/base/cronjob.yaml b/kustomize/base/cronjob.yaml index 4e4ed5a..b37b6dc 100644 --- a/kustomize/base/cronjob.yaml +++ b/kustomize/base/cronjob.yaml @@ -24,15 +24,19 @@ spec: args: - | set -eu - while true; do + MAX_RETRIES=60 + COUNTER=0 + while [ $COUNTER -lt $MAX_RETRIES ]; do if curl -sSf -m 3 http://hivebox-service/version >/dev/null; then echo "Hivebox service is up!" exit 0 - else - echo "Waiting for Hivebox service to be available..." - sleep 5 fi + echo "Waiting for Hivebox service... ($COUNTER/$MAX_RETRIES)" + sleep 5 + COUNTER=$((COUNTER+1)) done + echo "Timed out waiting for Hivebox service" + exit 1 securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true diff --git a/kustomize/base/deployment.yaml b/kustomize/base/deployment.yaml index a3a2db0..7ba9562 100644 --- a/kustomize/base/deployment.yaml +++ b/kustomize/base/deployment.yaml @@ -29,6 +29,16 @@ spec: value: redis-service - name: MINIO_HOST value: minio-service + - name: MINIO_ACCESS_KEY + valueFrom: + secretKeyRef: + name: minio-credentials + key: access-key + - name: MINIO_SECRET_KEY + valueFrom: + secretKeyRef: + name: minio-credentials + key: secret-key securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true 
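Review bot: `.Values.minio.accessKey` and `.Values.minio.secretKey` go straight through `b64enc`, so an unset value renders as an empty string and the failure only surfaces at runtime via the new guard in `app/storage.py`; wrapping them in `required`, e.g. `access-key: {{ required "minio.accessKey must be set" .Values.minio.accessKey | b64enc | quote }}`, fails `helm install` instead. Because these values live in `values.yaml` and in the release record (`helm get values`), a common pattern is an `existingSecret` value that skips this template when set, so real credentials never pass through the chart at all. If `values.yaml` carries defaults for these keys, they are effectively plaintext in VCS, since base64 is encoding, not encryption.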
@@ -136,9 +146,15 @@ spec: command: ["minio", "server", "/data"] env: - name: MINIO_ROOT_USER - value: minioadmin + valueFrom: + secretKeyRef: + name: minio-credentials + key: access-key - name: MINIO_ROOT_PASSWORD - value: minioadmin + valueFrom: + secretKeyRef: + name: minio-credentials + key: secret-key securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true diff --git a/kustomize/base/kustomization.yaml b/kustomize/base/kustomization.yaml index 571af57..bad8e1a 100644 --- a/kustomize/base/kustomization.yaml +++ b/kustomize/base/kustomization.yaml @@ -6,6 +6,7 @@ resources: - service.yaml - ingress.yaml - cronjob.yaml + - secrets.yaml metadata: labels: app: hivebox diff --git a/kustomize/base/secrets.yaml b/kustomize/base/secrets.yaml new file mode 100644 index 0000000..f58c41b --- /dev/null +++ b/kustomize/base/secrets.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Secret +metadata: + name: minio-credentials + labels: + app: minio +type: Opaque +data: + # Base64 encoded values - replace with your actual credentials + # echo -n 'minioadmin' | base64 = bWluaW9hZG1pbg== + access-key: bWluaW9hZG1pbg== + secret-key: bWluaW9hZG1pbg== diff --git a/terraform/.gitignore b/terraform/.gitignore deleted file mode 100644 index 73d14d6..0000000 --- a/terraform/.gitignore +++ /dev/null @@ -1,27 +0,0 @@ -# Local .terraform directories -**/.terraform/* - -# .tfstate files -*.tfstate -*.tfstate.* - -# Crash log files -crash.log -crash.*.log - -# Exclude all .tfvars files, which are likely to contain sensitive data -*.tfvars -*.tfvars.json - -# Ignore override files as they are usually used to override resources locally -override.tf -override.tf.json -*_override.tf -*_override.tf.json - -# Ignore CLI configuration files -.terraformrc -terraform.rc - -# Ignore lock file (optional - some teams commit this) -.terraform.lock.hcl diff --git a/terraform/README.md b/terraform/README.md deleted file mode 100644 index 8dcc82f..0000000 
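Review bot: The new `kustomize/base/secrets.yaml` commits the `minioadmin`/`minioadmin` pair base64-encoded, which is the same default credential this commit removes from the Dockerfile and `app/storage.py`, now stored in VCS; base64 is reversible, as the in-file comment itself shows. A `secretGenerator` in `kustomize/base/kustomization.yaml` (replacing the `- secrets.yaml` resource line added in the hunk above) reading a git-ignored env file keeps credentials out of the repository, and kustomize rewrites the `secretKeyRef` names in the deployments to the generated hashed name automatically; alternatively an overlay can patch in a SOPS- or sealed-secrets-managed Secret. The base then ships no working default, which matches the intent of the rest of the commit.

```yaml
secretGenerator:
  - name: minio-credentials
    envs:
      - minio.env  # git-ignored; constructed example holding access-key=... and secret-key=... lines
```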
--- a/terraform/README.md +++ /dev/null 
@@ -1,356 +0,0 @@ -# HiveBox EKS Terraform Infrastructure - -This directory contains Terraform modules for deploying the HiveBox application infrastructure on AWS using Amazon EKS (Elastic Kubernetes Service). - -## Architecture Overview - -The infrastructure creates: - -- **VPC**: Multi-AZ VPC with public and private subnets, NAT Gateways, and Internet Gateway -- **EKS Cluster**: Managed Kubernetes control plane with configurable logging and addons -- **EKS Node Group**: Auto-scaling worker nodes with customizable instance types -- **Security Groups**: Network security for cluster, nodes, and load balancer -- **IAM Roles**: Proper IAM roles for cluster and nodes, with optional IRSA support - -**In-Cluster Services** (deployed via Helm/Kustomize): -- **Valkey/Redis**: Runs as a deployment inside the cluster (redis-service) -- **MinIO**: Runs as a deployment inside the cluster (minio-service) -- **HiveBox Application**: Your Flask application with all components - -## Module Structure - -``` -terraform/ -├── main.tf # Root module configuration -├── variables.tf # Input variables -├── outputs.tf # Output values -├── terraform.tfvars.example # Example configuration values -├── README.md # This file -└── modules/ - ├── vpc/ # VPC and networking - ├── eks/ # EKS cluster - ├── node-group/ # EKS node group - ├── security-groups/ # Security groups - └── iam/ # IAM roles and policies -``` - -## Prerequisites - -Before deploying, ensure you have: - -1. **AWS CLI** configured with appropriate credentials - ```bash - aws configure --profile Gabriel-Admin - ``` - -2. **Terraform** version >= 1.5.0 - ```bash - terraform version - ``` - -3. **kubectl** for Kubernetes management - ```bash - kubectl version --client - ``` - -4. **Sufficient AWS permissions** to create VPC, EKS, IAM roles, and security groups - -## Quick Start - -### 1. 
Configure Variables - -```bash -cd terraform - -# Copy example configuration -cp terraform.tfvars.example terraform.tfvars - -# Edit configuration -# Update these values in terraform.tfvars: -# - cluster_public_access_cidrs: Restrict to your IP for security -# - common_tags: Add your team/owner information -``` - -### 2. Deploy Infrastructure - -```bash -# Initialize Terraform -terraform init - -# Review planned changes -terraform plan - -# Deploy infrastructure -terraform apply -# Type 'yes' when prompted -``` - -**Deployment time:** 15-20 minutes - -### 3. Configure kubectl - -After deployment completes: - -```bash -# Use the output command -terraform output -raw configure_kubectl | bash - -# Or manually -aws eks update-kubeconfig \ - --region us-east-2 \ - --name hivebox-eks \ - --profile Gabriel-Admin - -# Verify access -kubectl get nodes -``` - -### 4. Deploy HiveBox Application - -The Terraform infrastructure only creates the EKS cluster. Your application components run inside Kubernetes. - -#### Using Helm - -```bash -cd ../helm-chart - -helm upgrade --install hivebox . 
--namespace hivebox --create-namespace -``` - -#### Using Kustomize - -```bash -cd ../kustomize - -# For production -kubectl apply -k overlays/prod - -# For staging -kubectl apply -k overlays/staging -``` - -#### Verify Deployment - -```bash -# Check all resources -kubectl get all -n hivebox - -# Check pods -kubectl get pods -n hivebox - -# Expected pods: -# - hivebox-app (2 replicas) -# - redis/valkey (1 replica) -# - minio (1 replica) - -# View logs -kubectl logs -n hivebox -l app=hivebox --tail=50 -``` - -## Architecture Details - -### Network Architecture - -``` -Internet - │ - ▼ -┌─────────────────┐ -│ Internet Gateway│ -└────────┬────────┘ - │ - ▼ -┌──────────────────────────────────────┐ -│ Public Subnets (2 AZs) │ -│ - NAT Gateways │ -└────────┬─────────────────────────────┘ - │ - ▼ -┌──────────────────────────────────────┐ -│ Private Subnets (2 AZs) │ -│ - EKS Worker Nodes │ -│ - HiveBox Pods │ -│ - Redis/Valkey Pods │ -│ - MinIO Pods │ -└──────────────────────────────────────┘ -``` - -### In-Cluster Services - -All application components run inside Kubernetes: - -| Service | Type | Port | Purpose | -|---------|------|------|---------| -| **HiveBox** | Deployment (2 replicas) | 5000 | Main Flask application | -| **Valkey/Redis** | Deployment (1 replica) | 6379 | In-memory caching | -| **MinIO** | Deployment (1 replica) | 9000 | Object storage | - -Communication between services uses Kubernetes ClusterIP services (DNS-based service discovery). 
- -## Important Configuration Variables - -### EKS Cluster - -| Variable | Default | Description | -|----------|---------|-------------| -| `cluster_name` | `hivebox-eks` | Name of the EKS cluster | -| `kubernetes_version` | `1.31` | Kubernetes version | -| `cluster_endpoint_public_access` | `true` | Enable public API endpoint | -| `cluster_public_access_cidrs` | `["0.0.0.0/0"]` | IPs allowed to access API | - -### Node Group - -| Variable | Default | Description | -|----------|---------|-------------| -| `node_group_desired_size` | `2` | Desired number of nodes | -| `node_group_min_size` | `1` | Minimum nodes | -| `node_group_max_size` | `4` | Maximum nodes | -| `node_group_instance_types` | `["t3.medium"]` | EC2 instance types | - -## Outputs - -After deployment, view outputs: - -```bash -# View all outputs -terraform output - -# Important outputs: -terraform output cluster_name -terraform output cluster_endpoint -terraform output in_cluster_services -``` - -## Infrastructure Costs - -### Current Configuration (~$140/month) -- **EKS Cluster**: $73/month (control plane) -- **2x t3.medium instances**: ~$60/month -- **2x NAT Gateways**: ~$65/month -- **Data Transfer**: ~$5/month -- **Total**: ~$203/month - -### Cost Optimization Tips - -For development/testing: - -```hcl -# Use smaller instances -node_group_instance_types = ["t3.small"] - -# Use SPOT instances (save 70%) -node_group_capacity_type = "SPOT" - -# Reduce node count -node_group_desired_size = 1 -node_group_min_size = 1 -``` - -## Cleanup - -To destroy all resources: - -```bash -cd terraform - -# IMPORTANT: Delete Kubernetes resources first -kubectl delete namespace hivebox - -# Destroy Terraform infrastructure -terraform destroy -# Type 'yes' when prompted -``` - -**Warning:** This is irreversible. Ensure you have backups of any important data. - -## Security Best Practices - -1. 
**Restrict API Access**: Update `cluster_public_access_cidrs` to your IP - ```hcl - cluster_public_access_cidrs = ["YOUR_IP/32"] - ``` - -2. **Use Private Subnets**: EKS nodes run in private subnets by default - -3. **Enable Logging**: All control plane logs are enabled for auditing - -4. **IAM Roles**: Least privilege IAM roles for cluster and nodes - -## Troubleshooting - -### Cannot create cluster - -**Error**: `Error creating EKS Cluster` - -**Solution**: Check AWS credentials and IAM permissions - -### Nodes not joining cluster - -**Solution**: -1. Verify security groups allow communication -2. Check IAM role has required policies -3. Verify VPC CNI addon is installed - -```bash -kubectl get pods -n kube-system | grep aws-node -``` - -### Application cannot connect to Redis/MinIO - -**Solution**: Ensure services are deployed and running - -```bash -# Check services -kubectl get svc -n hivebox - -# Should see: -# - hivebox-service -# - redis-service -# - minio-service - -# Check pods -kubectl get pods -n hivebox -``` - -## Maintenance - -### Updating Kubernetes Version - -1. Update `kubernetes_version` in `terraform.tfvars` -2. Apply changes: - ```bash - terraform apply - ``` - -**Note**: Upgrade one minor version at a time (1.30 → 1.31). - -### Scaling Nodes - -Update node count: - -```hcl -node_group_desired_size = 3 -``` - -Then apply: -```bash -terraform apply -``` - -## Additional Resources - -- [AWS EKS Documentation](https://docs.aws.amazon.com/eks/) -- [Terraform AWS Provider](https://registry.terraform.io/providers/hashicorp/aws/latest/docs) -- [Kubernetes Documentation](https://kubernetes.io/docs/) - -## Support - -For issues or questions: -1. Check Terraform plan output -2. Review CloudWatch logs -3. Verify AWS service quotas -4. Consult module documentation in `modules/*/` - -## License - -This infrastructure code is part of the HiveBox project. diff --git a/terraform/main.tf b/terraform/main.tf deleted file mode 100644 index a019e63..0000000 
--- a/terraform/main.tf +++ /dev/null 
@@ -1,122 +0,0 @@ -terraform { - required_version = ">= 1.5.0" - - required_providers { - aws = { - source = "hashicorp/aws" - version = "~> 6.0" - } - tls = { - source = "hashicorp/tls" - version = "~> 4.0" - } - } - - # Optional: Configure S3 backend for state management - # Uncomment and configure this after creating the backend resources - # backend "s3" { - # bucket = "hivebox-terraform-state" - # key = "eks/terraform.tfstate" - # region = "us-east-2" - # encrypt = true - # dynamodb_table = "terraform-state-lock" - # } -} - -# Configure the AWS Provider -provider "aws" { - region = var.aws_region - profile = var.aws_profile - - default_tags { - tags = var.common_tags - } -} - -# Local variables -locals { - cluster_name = var.cluster_name - - common_tags = merge( - var.common_tags, - { - ManagedBy = "Terraform" - Project = "HiveBox" - } - ) -} - -# VPC Module -module "vpc" { - source = "./modules/vpc" - - cluster_name = local.cluster_name - vpc_cidr = var.vpc_cidr - availability_zones_count = var.availability_zones_count - tags = local.common_tags -} - -# IAM Roles Module (must be created before EKS) -module "iam" { - source = "./modules/iam" - - cluster_name = local.cluster_name - oidc_provider_arn = "" # Will be populated after EKS cluster creation - namespace = var.kubernetes_namespace - service_account_name = var.kubernetes_service_account - create_irsa_role = var.create_irsa_role - tags = local.common_tags -} - -# Security Groups Module -module "security_groups" { - source = "./modules/security-groups" - - cluster_name = local.cluster_name - vpc_id = module.vpc.vpc_id - tags = local.common_tags - - depends_on = [module.vpc] -} - -# EKS Cluster Module -module "eks" { - source = "./modules/eks" - - cluster_name = local.cluster_name - cluster_version = var.kubernetes_version - cluster_role_arn = module.iam.cluster_role_arn - private_subnet_ids = module.vpc.private_subnet_ids - public_subnet_ids = module.vpc.public_subnet_ids - cluster_security_group_id = 
module.security_groups.cluster_security_group_id - endpoint_private_access = var.cluster_endpoint_private_access - endpoint_public_access = var.cluster_endpoint_public_access - public_access_cidrs = var.cluster_public_access_cidrs - enabled_cluster_log_types = var.cluster_log_types - tags = local.common_tags - - depends_on = [module.vpc, module.iam, module.security_groups] -} - -# EKS Node Group Module -module "node_group" { - source = "./modules/node-group" - - cluster_name = module.eks.cluster_name - node_role_arn = module.iam.node_group_role_arn - subnet_ids = module.vpc.private_subnet_ids - kubernetes_version = var.kubernetes_version - desired_size = var.node_group_desired_size - max_size = var.node_group_max_size - min_size = var.node_group_min_size - instance_types = var.node_group_instance_types - capacity_type = var.node_group_capacity_type - disk_size = var.node_group_disk_size - tags = local.common_tags - - depends_on = [module.eks] -} - -# Note: MinIO and Valkey/Redis will be deployed as in-cluster Kubernetes resources -# using your existing Helm charts or Kustomize manifests. -# No AWS ElastiCache or S3 resources are created by this Terraform configuration. diff --git a/terraform/modules/eks/main.tf b/terraform/modules/eks/main.tf deleted file mode 100644 index 27668c7..0000000 --- a/terraform/modules/eks/main.tf +++ /dev/null 
@@ -1,89 +0,0 @@ -# EKS Cluster Module - -resource "aws_eks_cluster" "main" { - name = var.cluster_name - version = var.cluster_version - role_arn = var.cluster_role_arn - - vpc_config { - subnet_ids = concat(var.private_subnet_ids, var.public_subnet_ids) - endpoint_private_access = var.endpoint_private_access - endpoint_public_access = var.endpoint_public_access - public_access_cidrs = var.public_access_cidrs - security_group_ids = [var.cluster_security_group_id] - } - - enabled_cluster_log_types = var.enabled_cluster_log_types - - encryption_config { - provider { - key_arn = var.kms_key_arn - } - resources = ["secrets"] - } - - tags = var.tags - - depends_on = [ - var.cluster_role_arn - ] -} - -# OIDC Provider for IRSA (IAM Roles for Service Accounts) -data "tls_certificate" "cluster" { - url = aws_eks_cluster.main.identity[0].oidc[0].issuer -} - -resource "aws_iam_openid_connect_provider" "cluster" { - client_id_list = ["sts.amazonaws.com"] - thumbprint_list = [data.tls_certificate.cluster.certificates[0].sha1_fingerprint] - url = aws_eks_cluster.main.identity[0].oidc[0].issuer - - tags = var.tags -} - -# EKS Add-ons -resource "aws_eks_addon" "vpc_cni" { - cluster_name = aws_eks_cluster.main.name - addon_name = "vpc-cni" - addon_version = var.vpc_cni_version - resolve_conflicts_on_create = "OVERWRITE" - resolve_conflicts_on_update = "OVERWRITE" - - tags = var.tags -} - -resource "aws_eks_addon" "coredns" { - cluster_name = aws_eks_cluster.main.name - addon_name = "coredns" - addon_version = var.coredns_version - resolve_conflicts_on_create = "OVERWRITE" - resolve_conflicts_on_update = "OVERWRITE" - - tags = var.tags - - depends_on = [ - aws_eks_addon.vpc_cni - ] -} - -resource "aws_eks_addon" "kube_proxy" { - cluster_name = aws_eks_cluster.main.name - addon_name = "kube-proxy" - addon_version = var.kube_proxy_version - resolve_conflicts_on_create = "OVERWRITE" - resolve_conflicts_on_update = "OVERWRITE" - - tags = var.tags -} - -# EBS CSI Driver for persistent 
storage -resource "aws_eks_addon" "ebs_csi_driver" { - cluster_name = aws_eks_cluster.main.name - addon_name = "aws-ebs-csi-driver" - addon_version = var.ebs_csi_driver_version - resolve_conflicts_on_create = "OVERWRITE" - resolve_conflicts_on_update = "OVERWRITE" - - tags = var.tags -} diff --git a/terraform/modules/eks/outputs.tf b/terraform/modules/eks/outputs.tf deleted file mode 100644 index 405444a..0000000 --- a/terraform/modules/eks/outputs.tf +++ /dev/null @@ -1,45 +0,0 @@ -output "cluster_id" { - description = "ID of the EKS cluster" - value = aws_eks_cluster.main.id -} - -output "cluster_name" { - description = "Name of the EKS cluster" - value = aws_eks_cluster.main.name -} - -output "cluster_arn" { - description = "ARN of the EKS cluster" - value = aws_eks_cluster.main.arn -} - -output "cluster_endpoint" { - description = "Endpoint for EKS cluster API server" - value = aws_eks_cluster.main.endpoint -} - -output "cluster_version" { - description = "Kubernetes version of the cluster" - value = aws_eks_cluster.main.version -} - -output "cluster_certificate_authority_data" { - description = "Base64 encoded certificate data for cluster authentication" - value = aws_eks_cluster.main.certificate_authority[0].data - sensitive = true -} - -output "cluster_oidc_issuer_url" { - description = "OIDC issuer URL for the cluster" - value = aws_eks_cluster.main.identity[0].oidc[0].issuer -} - -output "oidc_provider_arn" { - description = "ARN of the OIDC provider for IRSA" - value = aws_iam_openid_connect_provider.cluster.arn -} - -output "cluster_security_group_id" { - description = "Security group ID attached to the EKS cluster" - value = aws_eks_cluster.main.vpc_config[0].cluster_security_group_id -} diff --git a/terraform/modules/eks/variables.tf b/terraform/modules/eks/variables.tf deleted file mode 100644 index f578c31..0000000 --- a/terraform/modules/eks/variables.tf +++ /dev/null 
@@ -1,90 +0,0 @@ -variable "cluster_name" { - description = "Name of the EKS cluster" - type = string -} - -variable "cluster_version" { - description = "Kubernetes version for EKS cluster" - type = string - default = "1.31" -} - -variable "cluster_role_arn" { - description = "ARN of the IAM role for EKS cluster" - type = string -} - -variable "private_subnet_ids" { - description = "List of private subnet IDs" - type = list(string) -} - -variable "public_subnet_ids" { - description = "List of public subnet IDs" - type = list(string) -} - -variable "cluster_security_group_id" { - description = "ID of the cluster security group" - type = string -} - -variable "endpoint_private_access" { - description = "Enable private API server endpoint" - type = bool - default = true -} - -variable "endpoint_public_access" { - description = "Enable public API server endpoint" - type = bool - default = true -} - -variable "public_access_cidrs" { - description = "List of CIDR blocks that can access the public API server endpoint" - type = list(string) - default = ["0.0.0.0/0"] -} - -variable "enabled_cluster_log_types" { - description = "List of control plane logging types to enable" - type = list(string) - default = ["api", "audit", "authenticator", "controllerManager", "scheduler"] -} - -variable "kms_key_arn" { - description = "ARN of KMS key for secrets encryption (optional)" - type = string - default = "" -} - -variable "vpc_cni_version" { - description = "Version of VPC CNI addon" - type = string - default = null -} - -variable "coredns_version" { - description = "Version of CoreDNS addon" - type = string - default = null -} - -variable "kube_proxy_version" { - description = "Version of kube-proxy addon" - type = string - default = null -} - -variable "ebs_csi_driver_version" { - description = "Version of EBS CSI driver addon" - type = string - default = null -} - -variable "tags" { - description = "Tags to apply to all resources" - type = map(string) - default = {} -} 
diff --git a/terraform/modules/elasticache/main.tf b/terraform/modules/elasticache/main.tf deleted file mode 100644 index 28ff48a..0000000 --- a/terraform/modules/elasticache/main.tf +++ /dev/null 
@@ -1,177 +0,0 @@ -# ElastiCache Redis Module -# Replaces the in-cluster Valkey/Redis deployment - -resource "aws_elasticache_subnet_group" "redis" { - name = "${var.cluster_name}-redis-subnet-group" - subnet_ids = var.subnet_ids - - tags = merge( - var.tags, - { - Name = "${var.cluster_name}-redis-subnet-group" - } - ) -} - -resource "aws_elasticache_parameter_group" "redis" { - name = "${var.cluster_name}-redis-params" - family = var.parameter_group_family - - # Custom parameters based on application requirements - dynamic "parameter" { - for_each = var.parameters - content { - name = parameter.value.name - value = parameter.value.value - } - } - - tags = merge( - var.tags, - { - Name = "${var.cluster_name}-redis-params" - } - ) -} - -# Redis Replication Group (supports both single node and cluster mode) -resource "aws_elasticache_replication_group" "redis" { - replication_group_id = "${var.cluster_name}-redis" - description = "Redis cache for ${var.cluster_name} application" - - engine = "redis" - engine_version = var.redis_version - node_type = var.node_type - num_cache_clusters = var.num_cache_nodes - port = 6379 - parameter_group_name = aws_elasticache_parameter_group.redis.name - subnet_group_name = aws_elasticache_subnet_group.redis.name - security_group_ids = [var.security_group_id] - - # Automatic failover must be enabled for multi-AZ - automatic_failover_enabled = var.num_cache_nodes > 1 ? true : false - multi_az_enabled = var.multi_az_enabled - - # Backup and maintenance - snapshot_retention_limit = var.snapshot_retention_limit - snapshot_window = var.snapshot_window - maintenance_window = var.maintenance_window - auto_minor_version_upgrade = var.auto_minor_version_upgrade - - # Encryption - at_rest_encryption_enabled = var.at_rest_encryption_enabled - transit_encryption_enabled = var.transit_encryption_enabled - auth_token = var.auth_token_enabled ? 
var.auth_token : null - - # Logging - dynamic "log_delivery_configuration" { - for_each = var.enable_cloudwatch_logs ? [1] : [] - content { - destination = aws_cloudwatch_log_group.redis[0].name - destination_type = "cloudwatch-logs" - log_format = "json" - log_type = "slow-log" - } - } - - dynamic "log_delivery_configuration" { - for_each = var.enable_cloudwatch_logs ? [1] : [] - content { - destination = aws_cloudwatch_log_group.redis[0].name - destination_type = "cloudwatch-logs" - log_format = "json" - log_type = "engine-log" - } - } - - # Notification topic for events (optional) - notification_topic_arn = var.notification_topic_arn - - tags = merge( - var.tags, - { - Name = "${var.cluster_name}-redis" - } - ) -} - -# CloudWatch Log Group for Redis logs -resource "aws_cloudwatch_log_group" "redis" { - count = var.enable_cloudwatch_logs ? 1 : 0 - name = "/aws/elasticache/${var.cluster_name}-redis" - retention_in_days = var.log_retention_days - - tags = merge( - var.tags, - { - Name = "${var.cluster_name}-redis-logs" - } - ) -} - -# CloudWatch alarms for monitoring -resource "aws_cloudwatch_metric_alarm" "redis_cpu" { - count = var.enable_alarms ? 1 : 0 - alarm_name = "${var.cluster_name}-redis-cpu-utilization" - alarm_description = "Redis CPU utilization is too high" - comparison_operator = "GreaterThanThreshold" - evaluation_periods = 2 - metric_name = "CPUUtilization" - namespace = "AWS/ElastiCache" - period = 300 - statistic = "Average" - threshold = var.cpu_threshold - treat_missing_data = "notBreaching" - - dimensions = { - ReplicationGroupId = aws_elasticache_replication_group.redis.id - } - - alarm_actions = var.alarm_actions - - tags = var.tags -} - -resource "aws_cloudwatch_metric_alarm" "redis_memory" { - count = var.enable_alarms ? 
1 : 0 - alarm_name = "${var.cluster_name}-redis-memory-utilization" - alarm_description = "Redis memory utilization is too high" - comparison_operator = "GreaterThanThreshold" - evaluation_periods = 2 - metric_name = "DatabaseMemoryUsagePercentage" - namespace = "AWS/ElastiCache" - period = 300 - statistic = "Average" - threshold = var.memory_threshold - treat_missing_data = "notBreaching" - - dimensions = { - ReplicationGroupId = aws_elasticache_replication_group.redis.id - } - - alarm_actions = var.alarm_actions - - tags = var.tags -} - -resource "aws_cloudwatch_metric_alarm" "redis_evictions" { - count = var.enable_alarms ? 1 : 0 - alarm_name = "${var.cluster_name}-redis-evictions" - alarm_description = "Redis evictions are too high" - comparison_operator = "GreaterThanThreshold" - evaluation_periods = 2 - metric_name = "Evictions" - namespace = "AWS/ElastiCache" - period = 300 - statistic = "Average" - threshold = var.evictions_threshold - treat_missing_data = "notBreaching" - - dimensions = { - ReplicationGroupId = aws_elasticache_replication_group.redis.id - } - - alarm_actions = var.alarm_actions - - tags = var.tags -} diff --git a/terraform/modules/elasticache/outputs.tf b/terraform/modules/elasticache/outputs.tf deleted file mode 100644 index 7a2ba6f..0000000 --- a/terraform/modules/elasticache/outputs.tf +++ /dev/null 
@@ -1,34 +0,0 @@
-output "redis_endpoint" {
- description = "Primary endpoint for Redis cluster"
- value = aws_elasticache_replication_group.redis.primary_endpoint_address
-}
-
-output "redis_port" {
- description = "Port number for Redis"
- value = aws_elasticache_replication_group.redis.port
-}
-
-output "redis_reader_endpoint" {
- description = "Reader endpoint for Redis cluster (for read replicas)"
- value = aws_elasticache_replication_group.redis.reader_endpoint_address
-}
-
-output "redis_configuration_endpoint" {
- description = "Configuration endpoint for Redis cluster (cluster mode enabled)"
- value = aws_elasticache_replication_group.redis.configuration_endpoint_address
-}
-
-output "redis_replication_group_id" {
- description = "ID of the Redis replication group"
- value = aws_elasticache_replication_group.redis.id
-}
-
-output "redis_replication_group_arn" {
- description = "ARN of the Redis replication group"
- value = aws_elasticache_replication_group.redis.arn
-}
-
-output "redis_member_clusters" {
- description = "List of member cluster IDs"
- value = aws_elasticache_replication_group.redis.member_clusters
-}
diff --git a/terraform/modules/elasticache/variables.tf b/terraform/modules/elasticache/variables.tf
deleted file mode 100644
index 69ab22d..0000000
--- a/terraform/modules/elasticache/variables.tf
+++ /dev/null
@@ -1,161 +0,0 @@
-variable "cluster_name" {
- description = "Name of the EKS cluster"
- type = string
-}
-
-variable "subnet_ids" {
- description = "List of subnet IDs for ElastiCache"
- type = list(string)
-}
-
-variable "security_group_id" {
- description = "Security group ID for ElastiCache"
- type = string
-}
-
-variable "redis_version" {
- description = "Redis engine version"
- type = string
- default = "7.1"
-}
-
-variable "node_type" {
- description = "Instance type for Redis nodes"
- type = string
- default = "cache.t3.micro"
-}
-
-variable "num_cache_nodes" {
- description = "Number of cache nodes (1 for standalone, 2+ for replication)"
- type = number
- default = 2
-}
-
-variable "parameter_group_family" {
- description = "Redis parameter group family"
- type = string
- default = "redis7"
-}
-
-variable "parameters" {
- description = "List of Redis parameters to apply"
- type = list(object({
- name = string
- value = string
- }))
- default = [
- {
- name = "maxmemory-policy"
- value = "allkeys-lru"
- }
- ]
-}
-
-variable "multi_az_enabled" {
- description = "Enable Multi-AZ for automatic failover"
- type = bool
- default = true
-}
-
-variable "snapshot_retention_limit" {
- description = "Number of days to retain snapshots"
- type = number
- default = 5
-}
-
-variable "snapshot_window" {
- description = "Daily time range for snapshots (UTC)"
- type = string
- default = "03:00-05:00"
-}
-
-variable "maintenance_window" {
- description = "Weekly time range for maintenance (UTC)"
- type = string
- default = "sun:05:00-sun:07:00"
-}
-
-variable "auto_minor_version_upgrade" {
- description = "Enable automatic minor version upgrades"
- type = bool
- default = true
-}
-
-variable "at_rest_encryption_enabled" {
- description = "Enable encryption at rest"
- type = bool
- default = true
-}
-
-variable "transit_encryption_enabled" {
- description = "Enable encryption in transit (TLS)"
- type = bool
- default = true
-}
-
-variable "auth_token_enabled" {
- description = "Enable Redis AUTH token"
- type = bool
- default = false
-}
-
-variable "auth_token" {
- description = "Redis AUTH token (required if auth_token_enabled is true)"
- type = string
- default = null
- sensitive = true
-}
-
-variable "enable_cloudwatch_logs" {
- description = "Enable CloudWatch logging"
- type = bool
- default = true
-}
-
-variable "log_retention_days" {
- description = "CloudWatch log retention in days"
- type = number
- default = 7
-}
-
-variable "notification_topic_arn" {
- description = "ARN of SNS topic for notifications"
- type = string
- default = ""
-}
-
-variable "enable_alarms" {
- description = "Enable CloudWatch alarms"
- type = bool
- default = true
-}
-
-variable "cpu_threshold" {
- description = "CPU utilization threshold for alarm"
- type = number
- default = 75
-}
-
-variable "memory_threshold" {
- description = "Memory utilization threshold for alarm"
- type = number
- default = 80
-}
-
-variable "evictions_threshold" {
- description = "Evictions threshold for alarm"
- type = number
- default = 1000
-}
-
-variable "alarm_actions" {
- description = "List of ARNs to notify when alarm triggers"
- type = list(string)
- default = []
-}
-
-variable "tags" {
- description = "Tags to apply to all resources"
- type = map(string)
- default = {}
-}
diff --git a/terraform/modules/iam/main.tf b/terraform/modules/iam/main.tf
deleted file mode 100644
index 14f2206..0000000
--- a/terraform/modules/iam/main.tf
+++ /dev/null
@@ -1,95 +0,0 @@
-# IAM Roles for EKS Cluster and Node Groups
-
-# EKS Cluster IAM Role
-resource "aws_iam_role" "cluster" {
- name = "${var.cluster_name}-cluster-role"
-
- assume_role_policy = jsonencode({
- Version = "2012-10-17"
- Statement = [{
- Action = "sts:AssumeRole"
- Effect = "Allow"
- Principal = {
- Service = "eks.amazonaws.com"
- }
- }]
- })
-
- tags = var.tags
-}
-
-# Attach required policies to EKS cluster role
-resource "aws_iam_role_policy_attachment" "cluster_AmazonEKSClusterPolicy" {
- policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
- role = aws_iam_role.cluster.name
-}
-
-resource "aws_iam_role_policy_attachment" "cluster_AmazonEKSVPCResourceController" {
- policy_arn = "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController"
- role = aws_iam_role.cluster.name
-}
-
-# EKS Node Group IAM Role
-resource "aws_iam_role" "node_group" {
- name = "${var.cluster_name}-node-group-role"
-
- assume_role_policy = jsonencode({
- Version = "2012-10-17"
- Statement = [{
- Action = "sts:AssumeRole"
- Effect = "Allow"
- Principal = {
- Service = "ec2.amazonaws.com"
- }
- }]
- })
-
- tags = var.tags
-}
-
-# Attach required policies to node group role
-resource "aws_iam_role_policy_attachment" "node_group_AmazonEKSWorkerNodePolicy" {
- policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
- role = aws_iam_role.node_group.name
-}
-
-resource "aws_iam_role_policy_attachment" "node_group_AmazonEKS_CNI_Policy" {
- policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
- role = aws_iam_role.node_group.name
-}
-
-resource "aws_iam_role_policy_attachment" "node_group_AmazonEC2ContainerRegistryReadOnly" {
- policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
- role = aws_iam_role.node_group.name
-}
-
-# EBS CSI Driver policy (for persistent volumes)
-resource "aws_iam_role_policy_attachment" "node_group_AmazonEBSCSIDriverPolicy" {
- policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
- role = aws_iam_role.node_group.name
-}
-
-# IRSA (IAM Roles for Service Accounts) Role for application pods (optional)
-resource "aws_iam_role" "pod_execution" {
- count = var.create_irsa_role ? 1 : 0
- name = "${var.cluster_name}-pod-execution-role"
-
- assume_role_policy = jsonencode({
- Version = "2012-10-17"
- Statement = [{
- Action = "sts:AssumeRoleWithWebIdentity"
- Effect = "Allow"
- Principal = {
- Federated = var.oidc_provider_arn
- }
- Condition = {
- StringEquals = {
- "${replace(var.oidc_provider_arn, "/^(.*provider/)/", "")}:sub" = "system:serviceaccount:${var.namespace}:${var.service_account_name}"
- "${replace(var.oidc_provider_arn, "/^(.*provider/)/", "")}:aud" = "sts.amazonaws.com"
- }
- }
- }]
- })
-
- tags = var.tags
-}
diff --git a/terraform/modules/iam/outputs.tf b/terraform/modules/iam/outputs.tf
deleted file mode 100644
index f627dc4..0000000
--- a/terraform/modules/iam/outputs.tf
+++ /dev/null
@@ -1,24 +0,0 @@
-output "cluster_role_arn" {
- description = "ARN of the EKS cluster IAM role"
- value = aws_iam_role.cluster.arn
-}
-
-output "cluster_role_name" {
- description = "Name of the EKS cluster IAM role"
- value = aws_iam_role.cluster.name
-}
-
-output "node_group_role_arn" {
- description = "ARN of the EKS node group IAM role"
- value = aws_iam_role.node_group.arn
-}
-
-output "node_group_role_name" {
- description = "Name of the EKS node group IAM role"
- value = aws_iam_role.node_group.name
-}
-
-output "pod_execution_role_arn" {
- description = "ARN of the pod execution IAM role (IRSA - if created)"
- value = var.create_irsa_role ? aws_iam_role.pod_execution[0].arn : null
-}
diff --git a/terraform/modules/iam/variables.tf b/terraform/modules/iam/variables.tf
deleted file mode 100644
index 1621166..0000000
--- a/terraform/modules/iam/variables.tf
+++ /dev/null
@@ -1,34 +0,0 @@
-variable "cluster_name" {
- description = "Name of the EKS cluster"
- type = string
-}
-
-variable "oidc_provider_arn" {
- description = "ARN of the OIDC provider for IRSA"
- type = string
- default = ""
-}
-
-variable "namespace" {
- description = "Kubernetes namespace for the application"
- type = string
- default = "hivebox"
-}
-
-variable "service_account_name" {
- description = "Name of the Kubernetes service account"
- type = string
- default = "hivebox-sa"
-}
-
-variable "create_irsa_role" {
- description = "Whether to create IRSA role for service accounts"
- type = bool
- default = false
-}
-
-variable "tags" {
- description = "Tags to apply to all resources"
- type = map(string)
- default = {}
-}
diff --git a/terraform/modules/node-group/main.tf b/terraform/modules/node-group/main.tf
deleted file mode 100644
index 83ee6ae..0000000
--- a/terraform/modules/node-group/main.tf
+++ /dev/null
@@ -1,113 +0,0 @@
-# EKS Node Group Module
-
-resource "aws_eks_node_group" "main" {
- cluster_name = var.cluster_name
- node_group_name = "${var.cluster_name}-node-group"
- node_role_arn = var.node_role_arn
- subnet_ids = var.subnet_ids
- version = var.kubernetes_version
-
- scaling_config {
- desired_size = var.desired_size
- max_size = var.max_size
- min_size = var.min_size
- }
-
- update_config {
- max_unavailable_percentage = var.max_unavailable_percentage
- }
-
- instance_types = var.instance_types
- capacity_type = var.capacity_type
- disk_size = var.disk_size
-
- # Remote access configuration (optional)
- dynamic "remote_access" {
- for_each = var.ec2_ssh_key != "" ? [1] : []
- content {
- ec2_ssh_key = var.ec2_ssh_key
- source_security_group_ids = var.ssh_security_group_ids
- }
- }
-
- # Launch template configuration
- dynamic "launch_template" {
- for_each = var.launch_template_id != "" ? [1] : []
- content {
- id = var.launch_template_id
- version = var.launch_template_version
- }
- }
-
- labels = merge(
- var.labels,
- {
- "node-group" = "${var.cluster_name}-node-group"
- }
- )
-
- tags = merge(
- var.tags,
- {
- Name = "${var.cluster_name}-node-group"
- }
- )
-
- # Taint configuration for dedicated workloads (optional)
- dynamic "taint" {
- for_each = var.taints
- content {
- key = taint.value.key
- value = taint.value.value
- effect = taint.value.effect
- }
- }
-
- lifecycle {
- create_before_destroy = true
- ignore_changes = [scaling_config[0].desired_size]
- }
-
- depends_on = [
- var.node_role_arn
- ]
-}
-
-# Auto Scaling Group Tags for Cluster Autoscaler
-resource "aws_autoscaling_group_tag" "cluster_autoscaler_enabled" {
- for_each = toset(
- data.aws_autoscaling_groups.node_group.names
- )
-
- autoscaling_group_name = each.value
-
- tag {
- key = "k8s.io/cluster-autoscaler/enabled"
- value = "true"
- propagate_at_launch = false
- }
-}
-
-resource "aws_autoscaling_group_tag" "cluster_autoscaler_cluster_name" {
- for_each = toset(
- data.aws_autoscaling_groups.node_group.names
- )
-
- autoscaling_group_name = each.value
-
- tag {
- key = "k8s.io/cluster-autoscaler/${var.cluster_name}"
- value = "owned"
- propagate_at_launch = false
- }
-}
-
-# Data source to get ASG names
-data "aws_autoscaling_groups" "node_group" {
- filter {
- name = "tag:eks:nodegroup-name"
- values = [aws_eks_node_group.main.node_group_name]
- }
-
- depends_on = [aws_eks_node_group.main]
-}
diff --git a/terraform/modules/node-group/outputs.tf b/terraform/modules/node-group/outputs.tf
deleted file mode 100644
index e680aad..0000000
--- a/terraform/modules/node-group/outputs.tf
+++ /dev/null
@@ -1,24 +0,0 @@
-output "node_group_id" {
- description = "ID of the EKS node group"
- value = aws_eks_node_group.main.id
-}
-
-output "node_group_arn" {
- description = "ARN of the EKS node group"
- value = aws_eks_node_group.main.arn
-}
-
-output "node_group_status" {
- description = "Status of the EKS node group"
- value = aws_eks_node_group.main.status
-}
-
-output "node_group_resources" {
- description = "Resources associated with the node group"
- value = aws_eks_node_group.main.resources
-}
-
-output "autoscaling_group_names" {
- description = "Names of the Auto Scaling Groups"
- value = data.aws_autoscaling_groups.node_group.names
-}
diff --git a/terraform/modules/node-group/variables.tf b/terraform/modules/node-group/variables.tf
deleted file mode 100644
index 2dafb4f..0000000
--- a/terraform/modules/node-group/variables.tf
+++ /dev/null
@@ -1,108 +0,0 @@
-variable "cluster_name" {
- description = "Name of the EKS cluster"
- type = string
-}
-
-variable "node_role_arn" {
- description = "ARN of the IAM role for node group"
- type = string
-}
-
-variable "subnet_ids" {
- description = "List of subnet IDs for node group"
- type = list(string)
-}
-
-variable "kubernetes_version" {
- description = "Kubernetes version for node group"
- type = string
- default = null
-}
-
-variable "desired_size" {
- description = "Desired number of worker nodes"
- type = number
- default = 2
-}
-
-variable "max_size" {
- description = "Maximum number of worker nodes"
- type = number
- default = 4
-}
-
-variable "min_size" {
- description = "Minimum number of worker nodes"
- type = number
- default = 1
-}
-
-variable "max_unavailable_percentage" {
- description = "Maximum percentage of nodes unavailable during update"
- type = number
- default = 33
-}
-
-variable "instance_types" {
- description = "List of instance types for node group"
- type = list(string)
- default = ["t3.medium"]
-}
-
-variable "capacity_type" {
- description = "Type of capacity (ON_DEMAND or SPOT)"
- type = string
- default = "ON_DEMAND"
-}
-
-variable "disk_size" {
- description = "Disk size in GiB for worker nodes"
- type = number
- default = 20
-}
-
-variable "ec2_ssh_key" {
- description = "EC2 Key Pair name for SSH access to nodes"
- type = string
- default = ""
-}
-
-variable "ssh_security_group_ids" {
- description = "List of security group IDs allowed to SSH to nodes"
- type = list(string)
- default = []
-}
-
-variable "launch_template_id" {
- description = "ID of custom launch template (optional)"
- type = string
- default = ""
-}
-
-variable "launch_template_version" {
- description = "Version of launch template to use"
- type = string
- default = "$Latest"
-}
-
-variable "labels" {
- description = "Kubernetes labels to apply to nodes"
- type = map(string)
- default = {}
-}
-
-variable "taints" {
- description = "List of Kubernetes taints to apply to nodes"
- type = list(object({
- key = string
- value = string
- effect = string
- }))
- default = []
-}
-
-variable "tags" {
- description = "Tags to apply to all resources"
- type = map(string)
- default = {}
-}
diff --git a/terraform/modules/s3/main.tf b/terraform/modules/s3/main.tf
deleted file mode 100644
index a60c366..0000000
--- a/terraform/modules/s3/main.tf
+++ /dev/null
@@ -1,210 +0,0 @@
-# S3 Module for Object Storage
-# Replaces MinIO for temperature data storage
-
-resource "aws_s3_bucket" "main" {
- bucket = var.bucket_name
- force_destroy = var.force_destroy
-
- tags = merge(
- var.tags,
- {
- Name = var.bucket_name
- }
- )
-}
-
-# Bucket versioning
-resource "aws_s3_bucket_versioning" "main" {
- bucket = aws_s3_bucket.main.id
-
- versioning_configuration {
- status = var.versioning_enabled ? "Enabled" : "Disabled"
- }
-}
-
-# Server-side encryption
-resource "aws_s3_bucket_server_side_encryption_configuration" "main" {
- bucket = aws_s3_bucket.main.id
-
- rule {
- apply_server_side_encryption_by_default {
- sse_algorithm = var.kms_key_id != "" ? "aws:kms" : "AES256"
- kms_master_key_id = var.kms_key_id != "" ? var.kms_key_id : null
- }
- bucket_key_enabled = var.kms_key_id != "" ? true : false
- }
-}
-
-# Block public access
-resource "aws_s3_bucket_public_access_block" "main" {
- bucket = aws_s3_bucket.main.id
-
- block_public_acls = var.block_public_access
- block_public_policy = var.block_public_access
- ignore_public_acls = var.block_public_access
- restrict_public_buckets = var.block_public_access
-}
-
-# Lifecycle rules for data management
-resource "aws_s3_bucket_lifecycle_configuration" "main" {
- count = var.enable_lifecycle_rules ? 1 : 0
- bucket = aws_s3_bucket.main.id
-
- rule {
- id = "transition-to-ia"
- status = "Enabled"
-
- transition {
- days = var.transition_to_ia_days
- storage_class = "STANDARD_IA"
- }
-
- filter {
- prefix = var.lifecycle_prefix
- }
- }
-
- rule {
- id = "transition-to-glacier"
- status = "Enabled"
-
- transition {
- days = var.transition_to_glacier_days
- storage_class = "GLACIER"
- }
-
- filter {
- prefix = var.lifecycle_prefix
- }
- }
-
- rule {
- id = "expire-old-data"
- status = var.enable_expiration ? "Enabled" : "Disabled"
-
- expiration {
- days = var.expiration_days
- }
-
- filter {
- prefix = var.lifecycle_prefix
- }
- }
-
- # Clean up incomplete multipart uploads
- rule {
- id = "abort-incomplete-multipart-upload"
- status = "Enabled"
-
- abort_incomplete_multipart_upload {
- days_after_initiation = 7
- }
-
- filter {}
- }
-}
-
-# CORS configuration (if needed for web access)
-resource "aws_s3_bucket_cors_configuration" "main" {
- count = var.enable_cors ? 1 : 0
- bucket = aws_s3_bucket.main.id
-
- cors_rule {
- allowed_headers = var.cors_allowed_headers
- allowed_methods = var.cors_allowed_methods
- allowed_origins = var.cors_allowed_origins
- expose_headers = var.cors_expose_headers
- max_age_seconds = var.cors_max_age_seconds
- }
-}
-
-# Bucket policy for access control
-resource "aws_s3_bucket_policy" "main" {
- bucket = aws_s3_bucket.main.id
- policy = data.aws_iam_policy_document.bucket_policy.json
-}
-
-data "aws_iam_policy_document" "bucket_policy" {
- # Allow SSL requests only
- statement {
- sid = "DenyInsecureTransport"
- effect = "Deny"
-
- principals {
- type = "*"
- identifiers = ["*"]
- }
-
- actions = [
- "s3:*"
- ]
-
- resources = [
- aws_s3_bucket.main.arn,
- "${aws_s3_bucket.main.arn}/*"
- ]
-
- condition {
- test = "Bool"
- variable = "aws:SecureTransport"
- values = ["false"]
- }
- }
-
- # Additional custom policy statements
- dynamic "statement" {
- for_each = var.additional_policy_statements
- content {
- sid = statement.value.sid
- effect = statement.value.effect
- actions = statement.value.actions
- resources = statement.value.resources
-
- dynamic "principals" {
- for_each = statement.value.principals
- content {
- type = principals.value.type
- identifiers = principals.value.identifiers
- }
- }
-
- dynamic "condition" {
- for_each = lookup(statement.value, "conditions", [])
- content {
- test = condition.value.test
- variable = condition.value.variable
- values = condition.value.values
- }
- }
- }
- }
-}
-
-# Logging bucket (optional)
-resource "aws_s3_bucket" "logs" {
- count = var.enable_logging ? 1 : 0
- bucket = "${var.bucket_name}-logs"
- force_destroy = var.force_destroy
-
- tags = merge(
- var.tags,
- {
- Name = "${var.bucket_name}-logs"
- }
- )
-}
-
-resource "aws_s3_bucket_logging" "main" {
- count = var.enable_logging ? 1 : 0
- bucket = aws_s3_bucket.main.id
-
- target_bucket = aws_s3_bucket.logs[0].id
- target_prefix = "s3-access-logs/"
-}
-
-# CloudWatch metrics for monitoring
-resource "aws_s3_bucket_metric" "main" {
- count = var.enable_metrics ? 1 : 0
- bucket = aws_s3_bucket.main.id
- name = "EntireBucket"
-}
diff --git a/terraform/modules/s3/outputs.tf b/terraform/modules/s3/outputs.tf
deleted file mode 100644
index 97bde69..0000000
--- a/terraform/modules/s3/outputs.tf
+++ /dev/null
@@ -1,34 +0,0 @@
-output "bucket_id" {
- description = "ID of the S3 bucket"
- value = aws_s3_bucket.main.id
-}
-
-output "bucket_arn" {
- description = "ARN of the S3 bucket"
- value = aws_s3_bucket.main.arn
-}
-
-output "bucket_domain_name" {
- description = "Domain name of the S3 bucket"
- value = aws_s3_bucket.main.bucket_domain_name
-}
-
-output "bucket_regional_domain_name" {
- description = "Regional domain name of the S3 bucket"
- value = aws_s3_bucket.main.bucket_regional_domain_name
-}
-
-output "bucket_region" {
- description = "Region of the S3 bucket"
- value = aws_s3_bucket.main.region
-}
-
-output "logs_bucket_id" {
- description = "ID of the S3 logs bucket (if enabled)"
- value = var.enable_logging ? aws_s3_bucket.logs[0].id : null
-}
-
-output "logs_bucket_arn" {
- description = "ARN of the S3 logs bucket (if enabled)"
- value = var.enable_logging ? aws_s3_bucket.logs[0].arn : null
-}
diff --git a/terraform/modules/s3/variables.tf b/terraform/modules/s3/variables.tf
deleted file mode 100644
index 0fcf669..0000000
--- a/terraform/modules/s3/variables.tf
+++ /dev/null
@@ -1,138 +0,0 @@
-variable "bucket_name" {
- description = "Name of the S3 bucket"
- type = string
-}
-
-variable "force_destroy" {
- description = "Allow bucket to be destroyed even if it contains objects"
- type = bool
- default = false
-}
-
-variable "versioning_enabled" {
- description = "Enable bucket versioning"
- type = bool
- default = true
-}
-
-variable "kms_key_id" {
- description = "KMS key ID for encryption (optional, uses AES256 if not specified)"
- type = string
- default = ""
-}
-
-variable "block_public_access" {
- description = "Block all public access to the bucket"
- type = bool
- default = true
-}
-
-variable "enable_lifecycle_rules" {
- description = "Enable lifecycle rules for data management"
- type = bool
- default = true
-}
-
-variable "lifecycle_prefix" {
- description = "Prefix for lifecycle rules"
- type = string
- default = ""
-}
-
-variable "transition_to_ia_days" {
- description = "Days until transition to Infrequent Access storage"
- type = number
- default = 30
-}
-
-variable "transition_to_glacier_days" {
- description = "Days until transition to Glacier storage"
- type = number
- default = 90
-}
-
-variable "enable_expiration" {
- description = "Enable object expiration"
- type = bool
- default = false
-}
-
-variable "expiration_days" {
- description = "Days until objects expire (deleted)"
- type = number
- default = 365
-}
-
-variable "enable_cors" {
- description = "Enable CORS configuration"
- type = bool
- default = false
-}
-
-variable "cors_allowed_headers" {
- description = "List of allowed headers for CORS"
- type = list(string)
- default = ["*"]
-}
-
-variable "cors_allowed_methods" {
- description = "List of allowed methods for CORS"
- type = list(string)
- default = ["GET", "PUT", "POST", "DELETE"]
-}
-
-variable "cors_allowed_origins" {
- description = "List of allowed origins for CORS"
- type = list(string)
- default = ["*"]
-}
-
-variable "cors_expose_headers" {
- description = "List of headers to expose in CORS"
- type = list(string)
- default = ["ETag"]
-}
-
-variable "cors_max_age_seconds" {
- description = "Max age for CORS preflight requests"
- type = number
- default = 3000
-}
-
-variable "additional_policy_statements" {
- description = "Additional IAM policy statements for bucket policy"
- type = list(object({
- sid = string
- effect = string
- actions = list(string)
- resources = list(string)
- principals = list(object({
- type = string
- identifiers = list(string)
- }))
- conditions = optional(list(object({
- test = string
- variable = string
- values = list(string)
- })))
- }))
- default = []
-}
-
-variable "enable_logging" {
- description = "Enable S3 access logging"
- type = bool
- default = false
-}
-
-variable "enable_metrics" {
- description = "Enable CloudWatch metrics"
- type = bool
- default = true
-}
-
-variable "tags" {
- description = "Tags to apply to all resources"
- type = map(string)
- default = {}
-}
diff --git a/terraform/modules/security-groups/main.tf b/terraform/modules/security-groups/main.tf
deleted file mode 100644
index 5ef4a4c..0000000
--- a/terraform/modules/security-groups/main.tf
+++ /dev/null
@@ -1,128 +0,0 @@
-# Security Groups for EKS and Application Load Balancer
-
-# EKS Cluster Security Group
-resource "aws_security_group" "cluster" {
- name = "${var.cluster_name}-cluster-sg"
- description = "Security group for EKS cluster"
- vpc_id = var.vpc_id
-
- egress {
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"]
- description = "Allow all outbound traffic"
- }
-
- tags = merge(
- var.tags,
- {
- Name = "${var.cluster_name}-cluster-sg"
- }
- )
-}
-
-# Node Group Security Group
-resource "aws_security_group" "node_group" {
- name = "${var.cluster_name}-node-sg"
- description = "Security group for EKS node group"
- vpc_id = var.vpc_id
-
- egress {
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"]
- description = "Allow all outbound traffic"
- }
-
- tags = merge(
- var.tags,
- {
- Name = "${var.cluster_name}-node-sg"
- "kubernetes.io/cluster/${var.cluster_name}" = "owned"
- }
- )
-}
-
-# Allow nodes to communicate with each other
-resource "aws_security_group_rule" "node_to_node" {
- type = "ingress"
- from_port = 0
- to_port = 65535
- protocol = "-1"
- security_group_id = aws_security_group.node_group.id
- source_security_group_id = aws_security_group.node_group.id
- description = "Allow nodes to communicate with each other"
-}
-
-# Allow worker nodes to receive communication from cluster control plane
-resource "aws_security_group_rule" "cluster_to_node" {
- type = "ingress"
- from_port = 1025
- to_port = 65535
- protocol = "tcp"
- security_group_id = aws_security_group.node_group.id
- source_security_group_id = aws_security_group.cluster.id
- description = "Allow worker nodes to receive communication from cluster control plane"
-}
-
-# Allow cluster control plane to receive communication from worker nodes
-resource "aws_security_group_rule" "node_to_cluster" {
- type = "ingress"
- from_port = 443
- to_port = 443
- protocol = "tcp"
- security_group_id = aws_security_group.cluster.id
- source_security_group_id = aws_security_group.node_group.id
- description = "Allow cluster control plane to receive communication from worker nodes"
-}
-
-# Application Load Balancer Security Group
-resource "aws_security_group" "alb" {
- name = "${var.cluster_name}-alb-sg"
- description = "Security group for Application Load Balancer"
- vpc_id = var.vpc_id
-
- ingress {
- from_port = 80
- to_port = 80
- protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
- description = "Allow HTTP traffic from internet"
- }
-
- ingress {
- from_port = 443
- to_port = 443
- protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
- description = "Allow HTTPS traffic from internet"
- }
-
- egress {
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"]
- description = "Allow all outbound traffic"
- }
-
- tags = merge(
- var.tags,
- {
- Name = "${var.cluster_name}-alb-sg"
- }
- )
-}
-
-# Allow ALB to communicate with nodes
-resource "aws_security_group_rule" "alb_to_nodes" {
- type = "ingress"
- from_port = 0
- to_port = 65535
- protocol = "tcp"
- security_group_id = aws_security_group.node_group.id
- source_security_group_id = aws_security_group.alb.id
- description = "Allow ALB to communicate with nodes"
-}
diff --git a/terraform/modules/security-groups/outputs.tf b/terraform/modules/security-groups/outputs.tf
deleted file mode 100644
index 35c5f2b..0000000
--- a/terraform/modules/security-groups/outputs.tf
+++ /dev/null
@@ -1,14 +0,0 @@
-output "cluster_security_group_id" {
- description = "ID of the EKS cluster security group"
- value = aws_security_group.cluster.id
-}
-
-output "node_security_group_id" {
- description = "ID of the EKS node group security group"
- value = aws_security_group.node_group.id
-}
-
-output "alb_security_group_id" {
- description = "ID of the Application Load Balancer security group"
- value = aws_security_group.alb.id
-}
diff --git a/terraform/modules/security-groups/variables.tf b/terraform/modules/security-groups/variables.tf
deleted file mode 100644
index ee1bc82..0000000
--- a/terraform/modules/security-groups/variables.tf
+++ /dev/null
@@ -1,15 +0,0 @@
-variable "cluster_name" {
- description = "Name of the EKS cluster"
- type = string
-}
-
-variable "vpc_id" {
- description = "ID of the VPC"
- type = string
-}
-
-variable "tags" {
- description = "Tags to apply to all resources"
- type = map(string)
- default = {}
-}
diff --git a/terraform/modules/vpc/main.tf b/terraform/modules/vpc/main.tf
deleted file mode 100644
index 7924307..0000000
--- a/terraform/modules/vpc/main.tf
+++ /dev/null
@@ -1,148 +0,0 @@
-# VPC Module for EKS Cluster
-# Creates a VPC with public and private subnets across multiple AZs
-
-data "aws_availability_zones" "available" {
- state = "available"
-}
-
-# VPC
-resource "aws_vpc" "main" {
- cidr_block = var.vpc_cidr
- enable_dns_hostnames = true
- enable_dns_support = true
-
- tags = merge(
- var.tags,
- {
- Name = "${var.cluster_name}-vpc"
- "kubernetes.io/cluster/${var.cluster_name}" = "shared"
- }
- )
-}
-
-# Internet Gateway
-resource "aws_internet_gateway" "main" {
- vpc_id = aws_vpc.main.id
-
- tags = merge(
- var.tags,
- {
- Name = "${var.cluster_name}-igw"
- }
- )
-}
-
-# Public Subnets
-resource "aws_subnet" "public" {
- count = var.availability_zones_count
- vpc_id = aws_vpc.main.id
- cidr_block = cidrsubnet(var.vpc_cidr, 8, count.index)
- availability_zone = data.aws_availability_zones.available.names[count.index]
- map_public_ip_on_launch = true
-
- tags = merge(
- var.tags,
- {
- Name = "${var.cluster_name}-public-${data.aws_availability_zones.available.names[count.index]}"
- "kubernetes.io/cluster/${var.cluster_name}" = "shared"
- "kubernetes.io/role/elb" = "1"
- }
- )
-}
-
-# Private Subnets
-resource "aws_subnet" "private" {
- count = var.availability_zones_count
- vpc_id = aws_vpc.main.id
- cidr_block = cidrsubnet(var.vpc_cidr, 8, count.index + var.availability_zones_count)
- availability_zone = data.aws_availability_zones.available.names[count.index]
-
- tags = merge(
- var.tags,
- {
- Name = "${var.cluster_name}-private-${data.aws_availability_zones.available.names[count.index]}"
- "kubernetes.io/cluster/${var.cluster_name}" = "shared"
- "kubernetes.io/role/internal-elb" = "1"
- }
- )
-}
-
-# Elastic IPs for NAT Gateways
-resource "aws_eip" "nat" {
- count = var.availability_zones_count
- domain = "vpc"
-
- tags = merge(
- var.tags,
- {
- Name = "${var.cluster_name}-nat-eip-${count.index + 1}"
- }
- )
-
- depends_on = [aws_internet_gateway.main]
-}
-
-# NAT Gateways
-resource "aws_nat_gateway" "main" {
- count = var.availability_zones_count
- allocation_id = aws_eip.nat[count.index].id
- subnet_id = aws_subnet.public[count.index].id
-
- tags = merge(
- var.tags,
- {
- Name = "${var.cluster_name}-nat-${count.index + 1}"
- }
- )
-
- depends_on = [aws_internet_gateway.main]
-}
-
-# Route Table for Public Subnets
-resource "aws_route_table" "public" {
- vpc_id = aws_vpc.main.id
-
- route {
- cidr_block = "0.0.0.0/0"
- gateway_id = aws_internet_gateway.main.id
- }
-
- tags = merge(
- var.tags,
- {
- Name = "${var.cluster_name}-public-rt"
- }
- )
-}
-
-# Route Table Associations for Public Subnets
-resource "aws_route_table_association" "public" {
- count = var.availability_zones_count
- subnet_id = aws_subnet.public[count.index].id
- route_table_id = aws_route_table.public.id
-}
-
-# Route Tables for Private Subnets
-resource "aws_route_table" "private" {
- count = var.availability_zones_count
- vpc_id = aws_vpc.main.id
-
- route {
- cidr_block = "0.0.0.0/0"
- nat_gateway_id = aws_nat_gateway.main[count.index].id
- }
-
- tags = merge(
- var.tags,
- {
- Name = "${var.cluster_name}-private-rt-${count.index + 1}"
- }
- )
-}
-
-# Route Table Associations for Private Subnets
-resource "aws_route_table_association" "private" {
- count = var.availability_zones_count
- subnet_id = aws_subnet.private[count.index].id
- route_table_id = aws_route_table.private[count.index].id
-}
diff --git a/terraform/modules/vpc/outputs.tf b/terraform/modules/vpc/outputs.tf
deleted file mode 100644
index ea9543d..0000000
--- a/terraform/modules/vpc/outputs.tf
+++ /dev/null
@@ -1,29 +0,0 @@
-output "vpc_id" {
- description = "ID of the VPC"
- value = aws_vpc.main.id
-}
-
-output "vpc_cidr" {
- description = "CIDR block of the VPC"
- value = aws_vpc.main.cidr_block
-}
-
-output "public_subnet_ids" {
- description = "IDs of the public subnets"
- value = aws_subnet.public[*].id
-}
-
-output "private_subnet_ids" {
- description = "IDs of the private subnets"
- value = aws_subnet.private[*].id
-}
-
-output "nat_gateway_ids" {
- description = "IDs of the NAT Gateways"
- value = aws_nat_gateway.main[*].id
-}
-
-output "internet_gateway_id" {
- description = "ID of the Internet Gateway"
- value = aws_internet_gateway.main.id
-}
diff --git a/terraform/modules/vpc/variables.tf b/terraform/modules/vpc/variables.tf
deleted file mode 100644
index 48876d3..0000000
--- a/terraform/modules/vpc/variables.tf
+++ /dev/null
@@ -1,22 +0,0 @@
-variable "vpc_cidr" {
- description = "CIDR block for VPC"
- type = string
- default = "10.0.0.0/16"
-}
-
-variable "cluster_name" {
- description = "Name of the EKS cluster"
- type = string
-}
-
-variable "availability_zones_count" {
- description = "Number of availability zones to use"
- type = number
- default = 2
-}
-
-variable "tags" {
- description = "Tags to apply to all resources"
- type = map(string)
- default = {}
-}
diff --git a/terraform/outputs.tf b/terraform/outputs.tf
deleted file mode 100644
index 744cb23..0000000
--- a/terraform/outputs.tf
+++ /dev/null
@@ -1,119 +0,0 @@
-# VPC Outputs
-output "vpc_id" {
- description = "ID of the VPC"
- value = module.vpc.vpc_id
-}
-
-output "vpc_cidr" {
- description = "CIDR block of the VPC"
- value = module.vpc.vpc_cidr
-}
-
-output "private_subnet_ids" {
- description = "IDs of the private subnets"
- value = module.vpc.private_subnet_ids
-}
-
-output "public_subnet_ids" {
- description = "IDs of the public subnets"
- value = module.vpc.public_subnet_ids
-}
-
-# EKS Cluster Outputs
-output "cluster_name" {
- description = "Name of the EKS cluster"
- value = module.eks.cluster_name
-}
-
-output "cluster_endpoint" {
- description = "Endpoint for EKS cluster API server"
- value = module.eks.cluster_endpoint
-}
-
-output "cluster_version" {
- description = "Kubernetes version of the cluster"
- value = module.eks.cluster_version
-}
-
-output "cluster_certificate_authority_data" {
- description = "Base64 encoded certificate data for cluster authentication"
- value = module.eks.cluster_certificate_authority_data
- sensitive = true
-}
-
-output "cluster_oidc_issuer_url" {
- description = "OIDC issuer URL for the cluster"
- value = module.eks.cluster_oidc_issuer_url
-}
-
-output "oidc_provider_arn" {
- description = "ARN of the OIDC provider for IRSA"
- value = module.eks.oidc_provider_arn
-}
-
-# Node Group Outputs
-output "node_group_id" {
- description = "ID of the EKS node group"
- value = module.node_group.node_group_id
-}
-
-output "node_group_status" {
- description = "Status of the EKS node group"
- value = module.node_group.node_group_status
-}
-
-output "autoscaling_group_names" {
- description = "Names of the Auto Scaling Groups"
- value = module.node_group.autoscaling_group_names
-}
-
-# IAM Outputs
-output "cluster_role_arn" {
- description = "ARN of the EKS cluster IAM role"
- value = module.iam.cluster_role_arn
-}
-
-output "node_group_role_arn" {
- description = "ARN of the EKS node group IAM role"
- value = module.iam.node_group_role_arn
-}
-
-output "pod_execution_role_arn" {
- description = "ARN of the pod execution IAM role (IRSA - if created)"
- value = module.iam.pod_execution_role_arn
-}
-
-# Security Group Outputs
-output "cluster_security_group_id" {
- description = "ID of the EKS cluster security group"
- value = module.security_groups.cluster_security_group_id
-}
-
-output "node_security_group_id" {
- description = "ID of the EKS node group security group"
- value = module.security_groups.node_security_group_id
-}
-
-output "alb_security_group_id" {
- description = "ID of the Application Load Balancer security group"
- value = module.security_groups.alb_security_group_id
-}
-
-# Kubeconfig Command
-output "configure_kubectl" {
- description = "Command to configure kubectl for the EKS cluster"
- value = "aws eks update-kubeconfig --region ${var.aws_region} --name ${module.eks.cluster_name} --profile ${var.aws_profile}"
-}
-
-# In-Cluster Services Note
-output "in_cluster_services" {
- description = "Services running inside the Kubernetes cluster"
- value = {
- note = "MinIO and Valkey/Redis run as in-cluster services. Deploy them using Helm or Kustomize."
- redis_host = "redis-service (ClusterIP service in hivebox namespace)"
- redis_port = 6379
- minio_host = "minio-service (ClusterIP service in hivebox namespace)"
- minio_port = 9000
- namespace = var.kubernetes_namespace
- }
-}
diff --git a/terraform/terraform.tfvars.example b/terraform/terraform.tfvars.example
deleted file mode 100644
index 4047507..0000000
--- a/terraform/terraform.tfvars.example
+++ /dev/null
@@ -1,50 +0,0 @@
-# AWS Provider Configuration
-# Copy this file to terraform.tfvars and customize the values
-# DO NOT commit terraform.tfvars to version control
-
-aws_region = "us-east-2"
-aws_profile = "Gabriel-Admin"
-
-# Common Tags
-common_tags = {
- Environment = "production"
- Project = "HiveBox"
- Team = "DevOps"
- Owner = "YourName"
- ManagedBy = "Terraform"
-}
-
-# EKS Cluster Configuration
-cluster_name = "hivebox-eks"
-kubernetes_version = "1.31"
-cluster_endpoint_private_access = true
-cluster_endpoint_public_access = true
-
-# Restrict public access to specific IPs for better security
-# cluster_public_access_cidrs = ["YOUR_IP/32"]
-cluster_public_access_cidrs = ["0.0.0.0/0"]
-
-cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
-
-# VPC Configuration
-vpc_cidr = "10.0.0.0/16"
-availability_zones_count = 2 # Use 2 AZs for high availability
-
-# Node Group Configuration
-node_group_desired_size = 2
-node_group_max_size = 4
-node_group_min_size = 1
-node_group_instance_types = ["t3.medium"] # Suitable for moderate workloads
-node_group_capacity_type = "ON_DEMAND" # or "SPOT" for cost savings
-node_group_disk_size = 20
-
-# Kubernetes Application Configuration
-kubernetes_namespace = "hivebox"
-kubernetes_service_account = "hivebox-sa"
-create_irsa_role = false # Set to true if you need IRSA for AWS service access
-
-# NOTE: MinIO and Valkey/Redis will run as in-cluster services
-# Deploy them using your existing Helm charts or Kustomize manifests
-# They will use:
-# - redis-service (ClusterIP) on port 6379
-# - minio-service (ClusterIP) on port 9000
diff --git a/terraform/variables.tf b/terraform/variables.tf
deleted file mode 100644
index 3ff3754..0000000
--- a/terraform/variables.tf
+++ /dev/null
@@ -1,129 +0,0 @@
-# AWS Provider Configuration
-variable "aws_region" {
- description = "AWS region for resources"
- type = string
- default = "us-east-2"
-}
-
-variable "aws_profile" {
- description = "AWS CLI profile to use"
- type = string
- default = "Gabriel-Admin"
-}
-
-# Common Tags
-variable "common_tags" {
- description = "Common tags to apply to all resources"
- type = map(string)
- default = {
- Environment = "production"
- Project = "HiveBox"
- ManagedBy = "Terraform"
- }
-}
-
-# EKS Cluster Configuration
-variable "cluster_name" {
- description = "Name of the EKS cluster"
- type = string
- default = "hivebox-eks"
-}
-
-variable "kubernetes_version" {
- description = "Kubernetes version for EKS cluster"
- type = string
- default = "1.31"
-}
-
-variable "cluster_endpoint_private_access" {
- description = "Enable private API server endpoint"
- type = bool
- default = true
-}
-
-variable "cluster_endpoint_public_access" {
- description = "Enable public API server endpoint"
- type = bool
- default = true
-}
-
-variable "cluster_public_access_cidrs" {
- description = "List of CIDR blocks that can access the public API server endpoint"
- type = list(string)
- default = ["0.0.0.0/0"]
-}
-
-variable "cluster_log_types" {
- description = "List of control plane logging types to enable"
- type = list(string)
- default = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
-}
-
-# VPC Configuration
-variable "vpc_cidr" {
- description = "CIDR block for VPC"
- type = string
- default = "10.0.0.0/16"
-}
-
-variable "availability_zones_count" {
- description = "Number of availability zones to use"
- type = number
- default = 2
-}
-
-# Node Group Configuration
-variable "node_group_desired_size" {
- description = "Desired number of worker nodes"
- type = number
- default = 2
-}
-
-variable "node_group_max_size" {
- description = "Maximum number of worker nodes"
- type = number
- default = 4
-}
-
-variable "node_group_min_size" {
- description = "Minimum number of worker nodes"
- type = number
- default = 1
-}
-
-variable "node_group_instance_types" {
- description = "List of instance types for node group"
- type = list(string)
- default = ["t3.medium"]
-}
-
-variable "node_group_capacity_type" {
- description = "Type of capacity (ON_DEMAND or SPOT)"
- type = string
- default = "ON_DEMAND"
-}
-
-variable "node_group_disk_size" {
- description = "Disk size in GiB for worker nodes"
- type = number
- default = 20
-}
-
-# Kubernetes Application Configuration
-variable "kubernetes_namespace" {
- description = "Kubernetes namespace for the HiveBox application"
- type = string
- default = "hivebox"
-}
-
-variable "kubernetes_service_account" {
- description = "Name of the Kubernetes service account for IRSA"
- type = string
- default = "hivebox-sa"
-}
-
-variable "create_irsa_role" {
- description = "Whether to create IRSA role for service accounts"
- type = bool
- default = false
-}