Revert to MongoDB. Upgrade Kubernetes to 1.22. Bump Terraform module …

…and Helm versions (#6) * revert from DynamoDB to MongoDB * default eks to a1.large instances * bump terraform aws module versions * revert ec2 instance type to t3.large * bump kubernetes cluster version to 1.22.6 * bump tutor_contrib_s3_version to v0.2.1 * switch cluster version from numerical literal to string * kubernetes cluster version = 1.22 * parameterize helm release ingress-nginx and bump version from 3 to 4.1 * testing * rename parameter * switch version to stable * add back creation of region ssl certs for ELB * add back dns data declarations * revert to explicit version number * refactor kubernetes clb ingress code * smooth of version syntax * more version smoothing
cookiecutter-openedx · Apr 22, 2022 · 60072fe · 60072fe
1 parent 3f58925
commit 60072fe
Show file tree

Hide file tree

Showing 16 changed files with 179 additions and 156 deletions.
diff --git a/cookiecutter.json b/cookiecutter.json
@@ -4,6 +4,7 @@
     "environment_name": "prod",
     "environment_subdomain": "courses",
     "environment_add_bastion": ["N", "Y"],
+    "environment_add_documentdb": ["N", "Y"],
     "global_platform_name": "yourschool",
     "global_platform_description": "Your School",
     "global_platform_region": "usa_east",
@@ -22,11 +23,11 @@
     "ci_build_xblock_repository": "edx-ora2",
     "ci_build_xblock_ref": "master",
     "ci_deploy_OPENEDX_COMMON_VERSION": "open-release/{{ cookiecutter.ci_build_open_edx_version }}",
-    "ci_deploy_hastexo_tutor_contrib_s3_version": "v0.2.0",
+    "ci_deploy_hastexo_tutor_contrib_s3_version": "v0.2.1",
     "ci_deploy_EMAIL_HOST": "email-smtp.{{ cookiecutter.global_aws_region|lower|replace(' ', '-') }}.amazonaws.com",
     "ci_deploy_EMAIL_PORT": 587,
     "ci_deploy_EMAIL_USE_TLS": "true",
-    "kubernetes_cluster_version": "1.21",
+    "kubernetes_cluster_version": "1.22",
     "kubernetes_cluster_compute_type": ["EC2", "Fargate"],
     "kubernetes_cluster_load_balancer_type": ["ALB", "CLB"],
     "kubernetes_cluster_ingress_controller_version": "v2.4.1",
@@ -60,19 +61,21 @@
     "terraform_required_version": "~> 1.1",
     "terraform_aws_modules_acm": "~> 3.4",
     "terraform_aws_modules_cloudfront": "~> 2.9",
-    "terraform_aws_modules_eks": "~> 18.15",
-    "terraform_aws_modules_iam": "~> 4.14",
+    "terraform_aws_modules_eks": "~> 18.20",
+    "terraform_aws_modules_iam": "~> 4.21",
+    "terraform_aws_modules_iam_assumable_role_with_oidc": "~> 4.21",
     "terraform_aws_modules_rds": "~> 4.2.0",
-    "terraform_aws_modules_s3": "~> 3.0",
+    "terraform_aws_modules_s3": "~> 3.1",
     "terraform_aws_modules_sg": "~> 4.9",
-    "terraform_aws_modules_vpc": "~> 3.13",
-    "terraform_helm_ingress_nginx": "~> 4",
-    "terraform_helm_cert_manager": "v1.7.1",
-    "terraform_helm_alb_controller_chart_version": "1.4.1",
-    "terraform_helm_aws_efs_csi_driver_version": "1.3.6",
-    "terraform_provider_kubernetes_version": "~> 2.9",
-    "terraform_provider_hashicorp_aws_version": "~> 4.6",
-    "terraform_provider_hashicorp_helm_version": "~> 2.4",
+    "terraform_aws_modules_vpc": "~> 3.14",
+    "terraform_helm_ingress_nginx": "~> 4.1",
+    "terraform_helm_cert_manager": "~> 1.8",
+    "terraform_helm_cert_manager_image_tag": "v1.8.0",
+    "terraform_helm_alb_controller_chart_version": "~> 1.4",
+    "terraform_helm_aws_efs_csi_driver_version": "~> 1.3",
+    "terraform_provider_kubernetes_version": "~> 2.10",
+    "terraform_provider_hashicorp_aws_version": "~> 4.11",
+    "terraform_provider_hashicorp_helm_version": "~> 2.5",
     "terraform_provider_hashicorp_local_version": "~> 2.2",
     "terraform_provider_hashicorp_random_version": "~> 3.1"
 }
diff --git a/hooks/post_gen_project.py b/hooks/post_gen_project.py
@@ -20,10 +20,23 @@ def remove_bastion():
     if os.path.exists(terragrunt_dir_path):
         shutil.rmtree(terragrunt_dir_path)
 
+def remove_dynamodb():
+    module_dir_path = os.path.join("terraform", "modules", "mongodb")
+    if os.path.exists(module_dir_path):
+        shutil.rmtree(module_dir_path)
+
+    terragrunt_dir_path = os.path.join("terraform", "environments", "{{ cookiecutter.environment_name }}", "mongodb")
+    if os.path.exists(terragrunt_dir_path):
+        shutil.rmtree(terragrunt_dir_path)
+
+
 def main():
     if "{{ cookiecutter.environment_add_bastion }}".upper() != "Y":
         remove_bastion()
 
+    if "{{ cookiecutter.environment_add_documentdb }}".upper() != "Y":
+        remove_dynamodb()
+
     print(SUCCESS + "Your Open edX devops repo has been initialized." + TERMINATOR)
 
 

diff --git a/tests/test.sh b/tests/test.sh
@@ -10,7 +10,7 @@
 #------------------------------------------------------------------------------
 
 GITHUB_REPO="gh:lpm0073/cookiecutter-openedx-devops"
-GITHUB_BRANCH="main"
+GITHUB_BRANCH="mcdanie_20220422_mongodb"
 OUTPUT_FOLDER="/Users/mcdaniel/github/stepwisemath.ai/"
 
 cookiecutter --checkout $GITHUB_BRANCH \

diff --git a/...r.github_repo_name}}/.github/workflows/tutor_deploy_{{cookiecutter.environment_name}}.yml b/...r.github_repo_name}}/.github/workflows/tutor_deploy_{{cookiecutter.environment_name}}.yml
@@ -120,10 +120,15 @@ jobs:
       # Also note that we are using jq to add a prefix of "TUTOR_" to each of the parameter names
       #
       # see: https://github.com/{{ cookiecutter.github_account_name }}/{{ cookiecutter.github_repo_name }}/blob/main/terraform/modules/mongodb/main.tf
-      - name: MongoDB
-        run: |-
-          echo "TUTOR_RUN_MONGODB=false" >> $GITHUB_ENV
-          kubectl get secret mongodb-admin -n $NAMESPACE  -o json | jq  '.data | map_values(@base64d)' | jq -r 'keys[] as $k | "TUTOR_\($k|ascii_upcase)=\(.[$k])"' >> $GITHUB_ENV
+
+      #--------------------------------------------------------------------
+      # UN-COMMENT THIS BLOCK TO USE DYNAMODB INSTEAD OF MONGODB
+      #--------------------------------------------------------------------
+      #- name: MongoDB
+      #  run: |-
+      #    echo "TUTOR_RUN_MONGODB=false" >> $GITHUB_ENV
+      #    kubectl get secret mongodb-admin -n $NAMESPACE  -o json | jq  '.data | map_values(@base64d)' | jq -r 'keys[] as $k | "TUTOR_\($k|ascii_upcase)=\(.[$k])"' >> $GITHUB_ENV
+      #--------------------------------------------------------------------
 
       # retrieve the Redis connection parameter that we created in Terraform:
       #   REDIS_HOST: redis.{{ cookiecutter.environment_subdomain }}.{{ cookiecutter.global_root_domain }}

diff --git a/...e}}/ci/tutor-deploy/environments/{{cookiecutter.environment_name}}/k8s/cluster-issuer.yml b/...e}}/ci/tutor-deploy/environments/{{cookiecutter.environment_name}}/k8s/cluster-issuer.yml
@@ -5,6 +5,7 @@
 # date: Aug-2021
 #
 # usage: setup SSL certs for EKS load balancer worker node instances.
+#        see https://cert-manager.io/docs/
 #------------------------------------------------------------------------------
 ---
 apiVersion: cert-manager.io/v1

diff --git a/...epo_name}}/ci/tutor-deploy/environments/{{cookiecutter.environment_name}}/k8s/ingress.yml b/...epo_name}}/ci/tutor-deploy/environments/{{cookiecutter.environment_name}}/k8s/ingress.yml
@@ -5,6 +5,7 @@
 # date: Aug-2021
 #
 # usage: setup nginx for EKS load balancer.
+#        see https://cert-manager.io/docs/
 #------------------------------------------------------------------------------
 apiVersion: networking.k8s.io/v1
 kind: Ingress

diff --git a/...utter.github_repo_name}}/terraform/environments/{{cookiecutter.environment_name}}/env.hcl b/...utter.github_repo_name}}/terraform/environments/{{cookiecutter.environment_name}}/env.hcl
@@ -48,7 +48,7 @@ locals {
   #
   # see: https://aws.amazon.com/ec2/instance-types/
   #----------------------------------------------------------------------------
-  kubernetes_version = {{ cookiecutter.kubernetes_cluster_version }}
+  kubernetes_version = "{{ cookiecutter.kubernetes_cluster_version }}"
   eks_worker_group_instance_type = "t3.large"
   eks_worker_group_min_size = 1
   eks_worker_group_max_size = 2

diff --git a/{{cookiecutter.github_repo_name}}/terraform/modules/kubernetes/main.tf b/{{cookiecutter.github_repo_name}}/terraform/modules/kubernetes/main.tf
@@ -31,6 +31,48 @@ locals {
   }
 }
 
+resource "aws_security_group" "worker_group_mgmt" {
+  name_prefix = "${var.environment_namespace}-eks_worker_group_mgmt"
+  description = "openedx_devops: Ingress CLB worker group management"
+  vpc_id      = var.vpc_id
+
+  ingress {
+    description = "openedx_devops: Ingress CLB"
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+
+    cidr_blocks = [
+      "10.0.0.0/8",
+    ]
+  }
+
+  tags = var.tags
+
+}
+
+resource "aws_security_group" "all_worker_mgmt" {
+  name_prefix = "${var.environment_namespace}-eks_all_worker_management"
+  description = "openedx_devops: Ingress CLB worker management"
+  vpc_id      = var.vpc_id
+
+  ingress {
+    description = "openedx_devops: Ingress CLB"
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+
+    cidr_blocks = [
+      "10.0.0.0/8",
+      "172.16.0.0/12",
+      "192.168.0.0/16",
+    ]
+  }
+
+  tags = var.tags
+
+}
+
 module "eks" {
   source                          = "terraform-aws-modules/eks/aws"
   version                         = "{{ cookiecutter.terraform_aws_modules_eks }}"

diff --git a/{{cookiecutter.github_repo_name}}/terraform/modules/kubernetes_ingress_clb/acm.tf b/{{cookiecutter.github_repo_name}}/terraform/modules/kubernetes_ingress_clb/acm.tf
diff --git a/....github_repo_name}}/terraform/modules/kubernetes_ingress_clb/cert-manager-values.yaml.tpl b/....github_repo_name}}/terraform/modules/kubernetes_ingress_clb/cert-manager-values.yaml.tpl
@@ -3,10 +3,10 @@ global:
     enabled: true
     useAppArmor: true
 image:
-  tag: v1.4.0
+  tag: {{ cookiecutter.terraform_helm_cert_manager_image_tag }}
 webhook:
   image:
-    tag: v1.4.0
+    tag: {{ cookiecutter.terraform_helm_cert_manager_image_tag }}
 prometheus:
   enabled: false
 installCRDs: true

diff --git a/{{cookiecutter.github_repo_name}}/terraform/modules/kubernetes_ingress_clb/cert-manager.tf b/{{cookiecutter.github_repo_name}}/terraform/modules/kubernetes_ingress_clb/cert-manager.tf
@@ -5,10 +5,11 @@
 # date: Aug-2021
 #
 # usage: Add tls certs for EKS cluster load balancer
+#        see https://cert-manager.io/docs/
 #------------------------------------------------------------------------------
 module "cert_manager_irsa" {
   source                        = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
-  version                       = "~> 4.1"
+  version                       = "{{ cookiecutter.terraform_aws_modules_iam_assumable_role_with_oidc }}"
   create_role                   = true
   role_name                     = "${var.environment_namespace}-cert_manager-irsa"
   provider_url                  = replace(data.aws_eks_cluster.eks.identity[0].oidc[0].issuer, "https://", "")
@@ -30,7 +31,7 @@ resource "helm_release" "cert-manager" {
 
   chart      = "cert-manager"
   repository = "https://charts.jetstack.io"
-  version    = "v1.4.0"
+  version    = "{{ cookiecutter.terraform_helm_cert_manager }}"
   values = [data.template_file.cert-manager-values.rendered
   ]
 }

diff --git a/{{cookiecutter.github_repo_name}}/terraform/modules/kubernetes_ingress_clb/ingress.tf b/{{cookiecutter.github_repo_name}}/terraform/modules/kubernetes_ingress_clb/ingress.tf
diff --git a/{{cookiecutter.github_repo_name}}/terraform/modules/kubernetes_ingress_clb/main.tf b/{{cookiecutter.github_repo_name}}/terraform/modules/kubernetes_ingress_clb/main.tf
@@ -7,6 +7,10 @@
 # usage: build an EKS cluster load balancer
 #------------------------------------------------------------------------------
 
+#data "tls_certificate" "cluster" {
+#  url = data.aws_eks_cluster.eks.identity[0].oidc[0].issuer
+#}
+
 data "aws_eks_cluster" "eks" {
   name = var.environment_namespace
 }
@@ -25,48 +29,35 @@ provider "kubernetes" {
   token                  = data.aws_eks_cluster_auth.cluster.token
 }
 
-resource "aws_security_group" "worker_group_mgmt" {
-  name_prefix = "${var.environment_namespace}-eks_worker_group_mgmt"
-  description = "openedx_devops: Ingress CLB worker group management"
-  vpc_id      = var.vpc_id
-
-  ingress {
-    description = "openedx_devops: Ingress CLB"
-    from_port   = 22
-    to_port     = 22
-    protocol    = "tcp"
-
-    cidr_blocks = [
-      "10.0.0.0/8",
-    ]
+provider "helm" {
+  kubernetes {
+    host                   = data.aws_eks_cluster.cluster.endpoint
+    cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
+    token                  = data.aws_eks_cluster_auth.cluster.token
   }
-
-  tags = var.tags
-
 }
 
-resource "aws_security_group" "all_worker_mgmt" {
-  name_prefix = "${var.environment_namespace}-eks_all_worker_management"
-  description = "openedx_devops: Ingress CLB worker management"
-  vpc_id      = var.vpc_id
-
-  ingress {
-    description = "openedx_devops: Ingress CLB"
-    from_port   = 22
-    to_port     = 22
-    protocol    = "tcp"
-
-    cidr_blocks = [
-      "10.0.0.0/8",
-      "172.16.0.0/12",
-      "192.168.0.0/16",
-    ]
+data "kubernetes_service" "ingress_nginx_controller" {
+  metadata {
+    name      = "ingress-nginx-controller"
+    namespace = "ingress-nginx"
   }
+  depends_on = [helm_release.nginx]
+}
 
-  tags = var.tags
+data "aws_elb_hosted_zone_id" "main" {}
 
-}
+resource "helm_release" "nginx" {
+  name             = "ingress-nginx"
+  namespace        = "ingress-nginx"
+  create_namespace = true
 
-data "tls_certificate" "cluster" {
-  url = data.aws_eks_cluster.eks.identity[0].oidc[0].issuer
+  chart      = "ingress-nginx"
+  repository = "https://kubernetes.github.io/ingress-nginx"
+  version    = "{{ cookiecutter.terraform_helm_ingress_nginx }}"
+
+  set {
+    name  = "service.type"
+    value = "ClusterIP"
+  }
 }
diff --git a/...aform/modules/kubernetes_secrets/admin.tf → ...dules/kubernetes_secrets/admin_openedx.tf b/...aform/modules/kubernetes_secrets/admin.tf → ...dules/kubernetes_secrets/admin_openedx.tf
diff --git a/{{cookiecutter.github_repo_name}}/terraform/modules/kubernetes_secrets/oauth.tf b/{{cookiecutter.github_repo_name}}/terraform/modules/kubernetes_secrets/oauth.tf