terraform - incremenetal progress setting up eks cluster and node groups

terraform/eks.tf

@@ -8,12 +8,6 @@ module "eks" {
   vpc_id     = module.vpc.vpc_id
   subnet_ids = module.vpc.private_subnets
 
-  # Enable cluster encryption
-  cluster_encryption_config = {
-    provider_key_arn = aws_kms_key.eks.arn
-    resources        = ["secrets"]
-  }
-
   # Allow egress traffic from EKS cluster control plane to worker nodes
   cluster_security_group_additional_rules = {
     egress_nodes_ephemeral_ports_tcp = {
@@ -48,22 +42,6 @@ module "eks" {
       desired_size = 2
 
       instance_types = ["t3.medium"] # Not suitable for production
-
-      # Disk encryption for EBS volumes
-      block_device_mappings = {
-        xvda = {
-          device_name = "/dev/xvda"
-          ebs = {
-            encrypted  = true
-            kms_key_id = aws_kms_key.eks.arn
-          }
-        }
-      }
-
-      # Add update configuration
-      update_config = {
-        max_unavailable_percentage = 33
-      }
     }
   }
 
@@ -76,62 +54,4 @@ module "eks" {
       groups   = ["system:masters"]
     }
   ]
-
-
 }
-
-# Add KMS key for cluster encryption
-resource "aws_kms_key" "eks" {
-  description             = "EKS Secret Encryption Key"
-  deletion_window_in_days = 30
-  enable_key_rotation     = true
-
-  policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [
-      {
-        Sid    = "Enable IAM User Permissions"
-        Effect = "Allow"
-        Principal = {
-          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
-        }
-        Action = [
-          "kms:Create*",
-          "kms:Describe*",
-          "kms:Enable*",
-          "kms:List*",
-          "kms:Put*"
-        ]
-        Resource = "*"
-      },
-      {
-        Sid    = "Allow EKS to use the key"
-        Effect = "Allow"
-        Principal = {
-          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS"
-        }
-        Action = [
-          "kms:Encrypt",
-          "kms:Decrypt",
-          "kms:ReEncrypt*",
-          "kms:GenerateDataKey*",
-          "kms:DescribeKey"
-        ]
-        Resource = "*"
-      }
-    ]
-  })
-
-  tags = {
-    Name        = "eks-secrets-key"
-    Environment = "production"
-    ManagedBy   = "terraform"
-    Owner       = "samuelberston"
-  }
-}
-
-# Alias for the key 
-resource "aws_kms_alias" "eks" {
-  name          = "alias/eks-secrets"
-  target_key_id = aws_kms_key.eks.key_id
-}

terraform/iam.tf

@@ -4,7 +4,7 @@ resource "aws_iam_policy" "eks_cluster_creation" {
   description = "Policy for creating EKS cluster and related resources"
 
   policy = jsonencode({
-    Version = "2012-10-17"
+    Version = "2012-10-17",
     Statement = [
       {
         Effect = "Allow"
@@ -13,6 +13,7 @@ resource "aws_iam_policy" "eks_cluster_creation" {
           "kms:TagResource",
           "kms:CreateAlias",
           "kms:DeleteAlias",
+          "kms:DescribeKey",
           "kms:UpdateAlias",
           "kms:GetKeyPolicy",
           "kms:PutKeyPolicy",
@@ -45,13 +46,28 @@ resource "aws_iam_policy" "eks_cluster_creation" {
           "eks:DescribeCluster",
           "eks:CreateCluster",
           "eks:DeleteCluster",
+          "eks:DescribeCluster",
           "eks:UpdateClusterVersion",
           "eks:UpdateClusterConfig",
           "eks:ListClusters",
           "eks:TagResource",
-          "eks:UntagResource"
+          "eks:UntagResource",
+          "eks:CreateNodeGroup",
+          "eks:DescribeNodegroup",
+          "eks:CreateNodegroup",
+          "eks:DeleteNodegroup",
+          "eks:UpdateNodegroupConfig",
+          "eks:UpdateNodegroupVersion",
+          "eks:ListNodegroups",
+          "eks:AssociateEncryptionConfig",
+        ]
+        Resource = [
+          "arn:aws:eks:*:${data.aws_caller_identity.current.account_id}:nodegroup/*/*/*",
+          "arn:aws:eks:*:${data.aws_caller_identity.current.account_id}:cluster/*",
+          "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/*",  # Added for IAM role access
+          "arn:aws:kms:*:${data.aws_caller_identity.current.account_id}:key/*",  # Added for KMS key access
+          "arn:aws:logs:*:${data.aws_caller_identity.current.account_id}:log-group:*"  # Added for CloudWatch Logs access        
         ]
-        Resource = "*"
       }
     ]
   })

terraform/main.tf

@@ -1,22 +1,29 @@
 terraform {
+
   required_providers {
+
     aws = {
       source  = "hashicorp/aws"
       version = "~> 5.0"
     }
+
     tls = {
       source  = "hashicorp/tls"
       version = "~> 3.0"
     }
+
   }
+
   required_version = ">= 1.0.0"
+
   backend "s3" {
     bucket         = "secure-auth-tf-state-bucket"
     key            = "state/terraform.tfstate" # Path in the bucket where the state file is stored
     region         = "us-west-1"               # AWS region where the S3 bucket is located
     dynamodb_table = "terraform-state-locks"   # DynamoDB table for state locking
     encrypt        = true                      # Enable encryption for state file
   }
+
 }
 
 provider "aws" {

terraform/vpc.tf

@@ -13,7 +13,12 @@ module "vpc" {
   enable_dns_hostnames = true
   enable_dns_support   = true
 
-  enable_flow_log = true
+  # Add IAM role for VPC flow logs
+  enable_flow_log                      = true
+  create_flow_log_cloudwatch_iam_role = true
+  create_flow_log_cloudwatch_log_group = true
+  flow_log_destination_type            = "cloud-watch-logs"
+  flow_log_cloudwatch_log_group_name_prefix = "/aws/vpc-flow-logs/"
 
   tags = {
     Environment = "production"