IPv6 EKS Cluster
# NETWORKING
# Cluster VPC. The IPv6 block is Amazon-assigned (a /56); the cluster tag is what lets EKS
# discover the VPC for the cluster named by var.cluster_apps.
resource "aws_vpc" "vpc_network" {
  cidr_block                       = var.host_cidr
  assign_generated_ipv6_cidr_block = true # REQd: an IPv6 EKS cluster needs an IPv6 block on the VPC
  enable_dns_support               = true
  enable_dns_hostnames             = true

  tags = {
    "Name"                                       = var.project
    "kubernetes.io/cluster/${var.cluster_apps}" = "shared"
  }
}
# SUBNETS
# One subnet per AZ (count = var.minDistSize), each dual-stack: an IPv4 slice of var.host_cidr plus an
# IPv6 /64 carved from the VPC's Amazon-assigned block. Excerpt only: part of the block is elided ("...").
resource "aws_subnet" "vpc_network" {
vpc_id = aws_vpc.vpc_network.id
count = var.minDistSize
assign_ipv6_address_on_creation = true # REQd: instances launched here receive an IPv6 address automatically
# Get AZs from Region
availability_zone = data.aws_availability_zones.available.names[count.index]
# newbits = 2 allows at most 4 IPv4 subnets; a count.index of 4 or more makes cidrsubnet() fail at plan time
cidr_block = cidrsubnet(var.host_cidr, 2, count.index)
# newbits = 8 on the VPC's /56 yields the /64 that AWS requires for an IPv6 subnet
ipv6_cidr_block = cidrsubnet(aws_vpc.vpc_network.ipv6_cidr_block, 8, count.index) # REQd
...
tags = {
"Name" = var.project
"kubernetes.io/role/elb" = "1"
# NOTE(review): the documented subnet tag for internal load balancers is "kubernetes.io/role/internal-elb";
# "elb-internal" is unlikely to be recognized — confirm. Tagging every subnet for both public and internal
# LB discovery also erases any public/private distinction between subnets; verify that is intended.
"kubernetes.io/role/elb-internal" = "1"
# NOTE(review): hard-coded "kube-test" here vs var.cluster_apps on the VPC tag above — confirm they agree
"kubernetes.io/cluster/kube-test" = "shared"
# ROUTE ASSOCIATIONS
# Attach every subnet created above to the shared route table: one association per subnet.
resource "aws_route_table_association" "vpc_network" {
  count          = length(aws_subnet.vpc_network)
  route_table_id = aws_route_table.vpc_network.id
  subnet_id      = aws_subnet.vpc_network[count.index].id
}
# SECURITY GROUPS
# Intra-group ICMP/ICMPv6 only (self = true: the group itself is the only permitted source).
# No TCP/UDP ingress is opened here despite the resource label "ssh-ports".
resource "aws_security_group" "ssh-ports" {
  vpc_id = aws_vpc.vpc_network.id
  name   = "inter-subnet-traffic"

  # from_port/to_port of -1 mean all ICMP types and codes
  ingress {
    description = "IPv4 ICMP TESTING"
    protocol    = "icmp"
    from_port   = -1
    to_port     = -1
    self        = true
  }

  ingress {
    description = "IPv6 ICMP TESTING"
    protocol    = "icmpv6" # REQd: "icmp" covers IPv4 only; ICMPv6 is a separate protocol and needs its own rule
    from_port   = -1
    to_port     = -1
    self        = true
  }

  # Allow all outbound traffic: for now. This is unrestricted egress to every IPv4 and IPv6
  # destination; narrow it to the destinations the nodes actually need once they are known.
  egress {
    protocol         = "-1"
    from_port        = 0
    to_port          = 0
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"] # REQd: without this entry IPv6 egress stays blocked
  }
}
# ---------------------------------------------------------|------------------------------------------------------------
# EKS CONTROLLER
# Control plane in IPv6 mode. Excerpt only: vpc_config, endpoint access, control-plane logging and
# secrets encryption settings are elided ("..."), so they cannot be reviewed here.
resource "aws_eks_cluster" "kube-test" {
name = "kube-test"
role_arn = aws_iam_role.kube-test-cluster.arn
# NOTE(review): ip_family is fixed at cluster creation; changing it later replaces the cluster
kubernetes_network_config {
ip_family = "ipv6" # REQd: tf AWS Provider version = "~> 3.72.0"
}
...
}
# Add the "ec2:DescribeAddresses" permission to the LB role's policy document
kube-test-controller.tf
data "aws_iam_policy_document" "kube-test-cluster_elb_sl_role_creation" {
effect = "Allow"
actions = [
"ec2:DescribeAccountAttributes",
+ "ec2:DescribeAddresses", #REQd
"ec2:DescribeInternetGateways"
]
resources = ["*"]
resource "aws_iam_role_policy_attachment" "kube-test-cluster_elb_sl_role_creatio
role = aws_iam_role.kube-test-cluster.name
}
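Review bot: The attachment resource beginning at the `aws_iam_role_policy_attachment` line is cut mid-name and shows no `policy_arn`, and the `data` block above it shows `effect`/`actions`/`resources` without their enclosing `statement {}` and closing braces, so the excerpt cannot be applied as pasted; the `statement` wrapper and the block's end lie outside the hunk. `ec2:DescribeAddresses` is a read-only Describe action that does not support resource-level permissions, so `resources = ["*"]` is the narrowest scope available for it, and a comment on that line such as `# Describe* actions do not support resource-level permissions; "*" is required` would spare the next reader a second look at the wildcard.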
/*
---------------------------------------------------------|------------------------------------------------------------
EKS CloudWatch Metrics
Helpful for Diagnostics when working with AWS Support. Otherwise use something better, like Datadog.
---------------------------------------------------------|------------------------------------------------------------
*/
# Attach the CloudWatch metrics policy defined below to the cluster (control-plane) role.
resource "aws_iam_role_policy_attachment" "kube-test-cluster-cw-metrics" {
  role       = aws_iam_role.kube-test-cluster.name
  policy_arn = aws_iam_policy.kube-test-cluster-cw-metrics.arn
}
# Grants cloudwatch:PutMetricData only. PutMetricData does not support resource-level permissions,
# so "Resource": "*" is required; a cloudwatch:namespace condition is the usual way to narrow it.
# NOTE(review): the policy name says "nodes" but it is attached to the cluster role — rename or confirm.
resource "aws_iam_policy" "kube-test-cluster-cw-metrics" {
  description = "Allows EKS to push metrics to CloudWatch."
  name        = "cw-metrics-kube-test-nodes-${var.envBuild}"
  path        = "/"

  policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"cloudwatch:PutMetricData"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
EOF
}
# ---------------------------------------------------------|------------------------------------------------------------
# These permissions are required for the assignment of IPv6 addresses.
# The VPC CNI "aws-node" and "kube-proxy" pods run in the host network, which allows them to be assigned IPv6 addresses,
# while other Pods, such as CoreDNS, rely on CNI (Container Network Interface) plugins like VPC CNI to get
# IP addresses assigned.
# REF: https://github.com/aws/amazon-vpc-cni-k8s/blob/master/docs/iam-policy.md#ipv6-mode
# EKS MANAGED NODE GROUP
/*
---------------------------------------------------------|------------------------------------------------------------
IAM Role for CNI/IPv6
---------------------------------------------------------|------------------------------------------------------------
*/
# Attach the IPv6 CNI policy defined below to the node-group role (the role the aws-node pod runs under).
resource "aws_iam_role_policy_attachment" "kube-test-nodes-worker_node_cni_ipv6_policy" {
  role       = aws_iam_role.apps_node_group_kube-test.name
  policy_arn = aws_iam_policy.kube-test-nodes-cni-ipv6.arn
}
# IPv6-mode permissions for the VPC CNI, following the upstream amazon-vpc-cni-k8s IAM doc referenced above.
# Statement 1: AssignIpv6Addresses plus the Describe calls the CNI needs, on "*".
#   NOTE(review): AssignIpv6Addresses on "*" covers every ENI in the account, as in the upstream policy;
#   confirm whether a narrower resource scope fits this deployment.
# Statement 2: CreateTags, limited to network interfaces.
resource "aws_iam_policy" "kube-test-nodes-cni-ipv6" {
  description = "Allows CNI pod to assign IPv6 addresses to pods that are not using the host network."
  name        = "cni-ipv6-kube-test-nodes-${var.envBuild}"
  path        = "/"

  policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:AssignIpv6Addresses",
"ec2:DescribeInstances",
"ec2:DescribeTags",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeInstanceTypes"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ec2:CreateTags"
],
"Resource": "arn:aws:ec2:*:*:network-interface/*",
"Effect": "Allow"
}
]
}
EOF
}