addressing the review comments

Author: nandajavarma

install/infra/modules/eks/database.tf

@@ -1,30 +1,23 @@
 resource "random_password" "password" {
-  count = var.enable_external_database ? 1 : 0
+  count = var.create_external_database ? 1 : 0
 
   length           = 16
   special          = true
   override_special = "!#$%&*()-_=+[]{}<>:?"
 }
 
 resource "aws_db_subnet_group" "gitpod_subnets" {
-  count = var.enable_external_database ? 1 : 0
+  count = var.create_external_database ? 1 : 0
 
   name       = "db-sg-${var.cluster_name}"
   subnet_ids = [module.vpc.public_subnets[2], module.vpc.public_subnets[3]]
 }
 
 resource "aws_security_group" "rdssg" {
-  count = var.enable_external_database ? 1 : 0
+  count = var.create_external_database ? 1 : 0
 
   name   = "dh-sg-${var.cluster_name}"
   vpc_id = module.vpc.vpc_id
-
-  egress {
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
 }
 
 resource "aws_security_group_rule" "db-ingress-nodes" {
@@ -38,7 +31,7 @@ resource "aws_security_group_rule" "db-ingress-nodes" {
 }
 
 resource "aws_db_instance" "gitpod" {
-  count = var.enable_external_database ? 1 : 0
+  count = var.create_external_database ? 1 : 0
 
   allocated_storage      = 20
   max_allocated_storage  = 120
@@ -53,5 +46,5 @@ resource "aws_db_instance" "gitpod" {
   parameter_group_name   = "default.mysql5.7"
   db_subnet_group_name   = aws_db_subnet_group.gitpod_subnets[0].name
   skip_final_snapshot    = true
-  publicly_accessible    = true
+  publicly_accessible    = false
 }

install/infra/modules/eks/kubernetes.tf

@@ -56,13 +56,6 @@ resource "aws_security_group" "nodes" {
   name   = "nodes-sg-${var.cluster_name}"
   vpc_id = module.vpc.vpc_id
 
-  ingress {
-    from_port   = 0
-    to_port     = 6443
-    protocol    = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-
   egress {
     from_port   = 0
     to_port     = 0

install/infra/modules/eks/output.tf

@@ -77,7 +77,7 @@ output "registry_backend" {
     region            = aws_s3_bucket.gitpod-registry-backend[0].region
     endpoint          = "s3.${aws_s3_bucket.gitpod-registry-backend[0].region}.amazonaws.com"
     bucket_name       = aws_s3_bucket.gitpod-registry-backend[0].id
-    access_key_id     = aws_iam_access_key.bucket_storage_user[0].id
-    secret_access_key = aws_iam_access_key.bucket_storage_user[0].secret
+    access_key_id     = aws_iam_access_key.bucket_registry_user[0].id
+    secret_access_key = aws_iam_access_key.bucket_registry_user[0].secret
   }, "No s3 bucket created for registry backend.")
 }

install/infra/modules/eks/registry.tf

@@ -1,5 +1,5 @@
 resource "aws_ecr_repository" "gitpod" {
-  count = var.enable_external_registry ? 1 : 0
+  count = var.create_external_registry ? 1 : 0
 
   name                 = "registry-${var.cluster_name}"
   image_tag_mutability = "MUTABLE"
@@ -10,6 +10,6 @@ resource "aws_ecr_repository" "gitpod" {
 }
 
 data "aws_ecr_authorization_token" "gitpod" {
-  count       = var.enable_external_registry ? 1 : 0
+  count       = var.create_external_registry ? 1 : 0
   registry_id = aws_ecr_repository.gitpod[0].registry_id
 }

install/infra/modules/eks/storage.tf

@@ -1,66 +1,141 @@
 resource "aws_s3_bucket" "gitpod-storage" {
-  count = var.enable_external_storage ? 1 : 0
+  count = var.create_external_storage ? 1 : 0
 
   force_destroy = true
   bucket        = "bucket-${var.cluster_name}"
-  acl           = "private"
 }
 
-resource "aws_s3_bucket" "gitpod-registry-backend" {
-  count = var.enable_external_storage_for_registry_backend ? 1 : 0
+resource "aws_s3_bucket_acl" "gitpod-storage" {
+  count = var.create_external_storage ? 1 : 0
 
-  force_destroy = true
-  bucket        = "reg-bucket-${var.cluster_name}"
-  acl           = "private"
+  bucket = aws_s3_bucket.gitpod-storage[count.index].id
+  acl    = "private"
 }
 
 resource "aws_s3_bucket_versioning" "storage" {
-  count = var.enable_external_storage ? 1 : 0
+  count = var.create_external_storage ? 1 : 0
 
   bucket = aws_s3_bucket.gitpod-storage[0].id
   versioning_configuration {
     status = "Enabled"
   }
 }
 
-resource "aws_s3_bucket_versioning" "registry" {
-  count = var.enable_external_storage_for_registry_backend ? 1 : 0
-
-  bucket = aws_s3_bucket.gitpod-registry-backend[0].id
-  versioning_configuration {
-    status = "Enabled"
-  }
-}
-
 data "aws_iam_policy_document" "s3_policy" {
-  count = var.enable_external_storage ? 1 : 0
+  count = var.create_external_storage ? 1 : 0
   statement {
-    actions   = ["s3:*"]
-    resources = ["*"]
+    actions   = [
+      "s3:PutObject",
+      "s3:ListMultipartUploadParts",
+      "s3:GetObject",
+      "s3:DeleteObject",
+      "s3:AbortMultipartUpload"
+    ]
+    resources = [
+      "arn:aws:s3:::${aws_s3_bucket.gitpod-storage[count.index].id}",
+    ]
     effect    = "Allow"
   }
 }
 
 resource "aws_iam_policy" "policy" {
-  count       = var.enable_external_storage ? 1 : 0
+  count       = var.create_external_storage ? 1 : 0
   name        = "spolicy-${var.cluster_name}"
   description = "Gitpod ${var.cluster_name} object storage bucket policy"
   policy      = data.aws_iam_policy_document.s3_policy[0].json
 }
 
 resource "aws_iam_user" "bucket_storage" {
-  count = var.enable_external_storage ? 1 : 0
+  count = var.create_external_storage ? 1 : 0
   name  = "suser-${var.cluster_name}"
 
 }
 
 resource "aws_iam_user_policy_attachment" "attachment" {
-  count      = var.enable_external_storage ? 1 : 0
+  count      = var.create_external_storage ? 1 : 0
   user       = aws_iam_user.bucket_storage[0].name
   policy_arn = aws_iam_policy.policy[0].arn
 }
 
+resource "aws_iam_user_policy_attachment" "full_access_attachment" {
+  count      = var.create_external_storage ? 1 : 0
+  user       = aws_iam_user.bucket_storage[0].name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
+}
+
 resource "aws_iam_access_key" "bucket_storage_user" {
-  count = var.enable_external_storage ? 1 : 0
+  count = var.create_external_storage ? 1 : 0
   user  = aws_iam_user.bucket_storage[0].name
 }
+
+// s3 bucket for registry backend
+
+resource "aws_s3_bucket" "gitpod-registry-backend" {
+  count = var.create_external_storage_for_registry_backend ? 1 : 0
+
+  force_destroy = true
+  bucket        = "reg-bucket-${var.cluster_name}"
+}
+
+resource "aws_s3_bucket_acl" "gitpod-registry-storage" {
+  count = var.create_external_storage_for_registry_backend ? 1 : 0
+
+  bucket = aws_s3_bucket.gitpod-registry-backend[count.index].id
+  acl    = "private"
+}
+
+resource "aws_s3_bucket_versioning" "registry" {
+  count = var.create_external_storage_for_registry_backend ? 1 : 0
+
+  bucket = aws_s3_bucket.gitpod-registry-backend[0].id
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
+
+data "aws_iam_policy_document" "s3_policy_registry" {
+  count = var.create_external_storage_for_registry_backend ? 1 : 0
+  statement {
+    actions   = [
+      "s3:PutObject",
+      "s3:ListMultipartUploadParts",
+      "s3:GetObject",
+      "s3:DeleteObject",
+      "s3:AbortMultipartUpload"
+    ]
+    resources = [
+      "arn:aws:s3:::${aws_s3_bucket.gitpod-registry-backend[count.index].id}",
+    ]
+    effect    = "Allow"
+  }
+}
+
+resource "aws_iam_policy" "policy_registry" {
+  count       = var.create_external_storage_for_registry_backend ? 1 : 0
+  name        = "registry-policy-${var.cluster_name}"
+  description = "Gitpod ${var.cluster_name} registry backend storage bucket policy"
+  policy      = data.aws_iam_policy_document.s3_policy_registry[count.index].json
+}
+
+resource "aws_iam_user" "bucket_registry" {
+  count = var.create_external_storage_for_registry_backend ? 1 : 0
+  name  = "registry-user-${var.cluster_name}"
+
+}
+
+resource "aws_iam_user_policy_attachment" "registry_attachment" {
+  count      = var.create_external_storage_for_registry_backend ? 1 : 0
+  user       = aws_iam_user.bucket_registry[count.index].name
+  policy_arn = aws_iam_policy.policy_registry[count.index].arn
+}
+
+resource "aws_iam_user_policy_attachment" "full_access_registry_attachment" {
+  count      = var.create_external_storage_for_registry_backend ? 1 : 0
+  user       = aws_iam_user.bucket_registry[count.index].name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
+}
+
+resource "aws_iam_access_key" "bucket_registry_user" {
+  count = var.create_external_storage_for_registry_backend ? 1 : 0
+  user  = aws_iam_user.bucket_registry[count.index].name
+}

install/infra/modules/eks/variables.tf

@@ -51,22 +51,22 @@ variable "vpc_cidr" {
   default = "10.100.0.0/16"
 }
 
-variable "enable_external_database" {
+variable "create_external_database" {
   default     = true
-  description = "Set this to false to avoid creating an RDS database to use with Gitpod instead of inclsuter mysql"
+  description = "Create a mysql RDS database"
 }
 
-variable "enable_external_storage" {
+variable "create_external_storage" {
   default     = true
-  description = "Set this to false to avoid creating an s3 storage to use with Gitpod instead of incluster minio"
+  description = "Create an S3 bucket"
 }
 
-variable "enable_external_storage_for_registry_backend" {
+variable "create_external_storage_for_registry_backend" {
   default     = false
-  description = "Set this to true to create a separate s3 storage to use with Gitpod as registry backend"
+  description = "Create an S3 bucket for registry backend"
 }
 
-variable "enable_external_registry" {
+variable "create_external_registry" {
   default     = false
-  description = "Set this to true to create an AWS ECR registry to use with Gitpod(Not officially supported)"
+  description = "Create an EKS registry(Not officially supported)"
 }

install/infra/single-cluster/aws/cluster.tf

@@ -8,10 +8,10 @@ module "eks" {
   image_id                 = var.image_id
   cluster_version          = var.cluster_version
   kubeconfig               = var.kubeconfig
-  enable_external_database = var.enable_external_database
-  enable_external_storage  = var.enable_external_storage
+  create_external_database = var.create_external_database
+  create_external_storage  = var.create_external_storage
   service_machine_type     = "m6i.xlarge"
   workspace_machine_type   = "m6i.2xlarge"
 
-  enable_external_storage_for_registry_backend = var.enable_external_storage_for_registry_backend
+  create_external_storage_for_registry_backend = var.create_external_storage_for_registry_backend
 }

install/infra/single-cluster/aws/main.tf

@@ -1,6 +1,6 @@
 terraform {
   backend "s3" {
-    bucket = "gitpod-tf"
+    bucket = "nan-tf-bucket"
     key    = "aws/terraform.state"
   }
 }

install/infra/single-cluster/aws/terraform.tfvars

@@ -1,9 +1,9 @@
 
 # the cluster_name should be of length less than 16 characters
-cluster_name = "nan-cluster"
+cluster_name = "nan"
 
 # a route53 zone and certificate request will be created for this domain
-domain_name = "nan-cluster.gitpod-self-hosted.com"
+domain_name = "nan-cluster.doptig.com"
 
 region = "eu-west-1"
 
@@ -18,9 +18,9 @@ vpc_availability_zones = ["eu-west-1c", "eu-west-1b"]
 cluster_version = "1.22"
 image_id = "ami-0793b4124359a6ad7"
 
-enable_external_database = true
-enable_external_storage  = true
+create_external_database = true
+create_external_storage  = true
 
 # if you want to create a separate s3 bucket to use as registry backend,
 # set the following to true. You can re-use the above bucket or incluster registry otherwise.
-enable_external_storage_for_registry_backend  = false
+create_external_storage_for_registry_backend  = false

install/infra/single-cluster/aws/variables.tf

@@ -37,19 +37,19 @@ variable "domain_name" {
   description = "Domain name to associate with the Gitpod installation"
 }
 
-variable "enable_external_database" {
+variable "create_external_database" {
   default     = true
-  description = "Set this to false to avoid creating an RDS database to use with Gitpod instead of inclsuter mysql"
+  description = "Create a mysql RDS database"
 }
 
-variable "enable_external_storage" {
+variable "create_external_storage" {
   default     = true
-  description = "Set this to false to avoid creating an s3 storage to use with Gitpod instead of incluster minio"
+  description = "Create an S3 bucket"
 }
 
-variable "enable_external_storage_for_registry_backend" {
+variable "create_external_storage_for_registry_backend" {
   default     = false
-  description = "Set this to true to create a separate S3 bucket to use as registry backend(if not, you can use the same bucket as above or the incluster registry)"
+  description = "Create an S3 bucket for registry backend"
 }
 
 variable "cluster_version" {