Merge pull request #53 from uc-cdis/master

merge from ctds
chicagopcdc · Mar 22, 2022 · 5900e6f · 5900e6f
2 parents 5019fc4 + d4c55fa
commit 5900e6f
Show file tree

Hide file tree

Showing 5 changed files with 68 additions and 1 deletion.
diff --git a/kube/services/argo-wrapper/argo-wrapper-deploy.yaml b/kube/services/argo-wrapper/argo-wrapper-deploy.yaml
@@ -35,9 +35,19 @@ spec:
                   values:
                   - argo-wrapper
               topologyKey: "kubernetes.io/hostname"
+      volumes:
+        - name: argo-config
+          configMap:
+            name: manifest-argo
+
       containers:
       - name: argo-wrapper
         GEN3_ARGO-WRAPPER_IMAGE
         imagePullPolicy: Always
         ports:
         - containerPort: 8000
+        volumeMounts:
+          - name: argo-config
+            readOnly: true
+            mountPath: /argo.json
+            subPath: argo.json
diff --git a/tf_files/aws/eks/root.tf b/tf_files/aws/eks/root.tf
@@ -44,4 +44,7 @@ module "eks" {
   workflow_asg_max_size            = "${var.workflow_asg_max_size}"
   workflow_asg_min_size            = "${var.workflow_asg_min_size}"
   deploy_workflow                  = "${var.deploy_workflow}"
+  fips                             = "${var.fips}"
+  fips_ami_kms                     = "${var.fips_ami_kms}"
+  fips_enabled_ami                 = "${var.fips_enabled_ami}"
 }
diff --git a/tf_files/aws/eks/variables.tf b/tf_files/aws/eks/variables.tf
@@ -142,4 +142,20 @@ variable "activation_id" {
 
 variable "customer_id" {
   default = ""
+}
+
+# This controls whether or not we use FIPS enabled AMI's
+variable "fips" {
+  default = false
+}
+
+# the key that was used to encrypt the FIPS enabled AMI
+# This is needed to ASG can decrypt the ami 
+variable "fips_ami_kms" {
+  default = "arn:aws:kms:us-east-1:707767160287:key/mrk-697897f040ef45b0aa3cebf38a916f99"
+}
+
+# This is the FIPS enabled AMI in cdistest account.
+variable "fips_enabled_ami" {
+  default = "ami-0de87e3680dcb13ec"
 }
diff --git a/tf_files/aws/modules/eks/cloud.tf b/tf_files/aws/modules/eks/cloud.tf
@@ -8,6 +8,7 @@ locals{
   # if AZs are explicitly defined as a variable, use those. Otherwise use all the AZs of the current region
   # NOTE: the syntax should improve with Terraform 12
   azs = "${split(",", length(var.availability_zones) != 0 ? join(",", var.availability_zones) : join(",", data.aws_availability_zones.available.names))}"
+  ami = "${var.fips ? var.fips_enabled_ami : data.aws_ami.eks_worker.id}"
 }
 
 module "jupyter_pool" {
@@ -399,6 +400,12 @@ resource "aws_iam_role_policy_attachment" "bucket_read" {
   role       = "${aws_iam_role.eks_node_role.name}"
 }
 
+# Amazon SSM Policy 
+resource "aws_iam_role_policy_attachment" "eks-policy-AmazonSSMManagedInstanceCore" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+  role       = "${aws_iam_role.eks_node_role.name}"
+}
+
 resource "aws_iam_instance_profile" "eks_node_instance_profile" {
   name = "${var.vpc_name}_EKS_workers"
   role = "${aws_iam_role.eks_node_role.name}"
@@ -512,7 +519,7 @@ resource "aws_security_group_rule" "workflow_nodes_interpool_communications" {
 resource "aws_launch_configuration" "eks_launch_configuration" {
   associate_public_ip_address = false
   iam_instance_profile        = "${aws_iam_instance_profile.eks_node_instance_profile.name}"
-  image_id                    = "${data.aws_ami.eks_worker.id}"
+  image_id                    = "${local.ami}"
   instance_type               = "${var.instance_type}"
   name_prefix                 = "eks-${var.vpc_name}"
   security_groups             = ["${aws_security_group.eks_nodes_sg.id}", "${aws_security_group.ssh.id}"]
@@ -529,8 +536,24 @@ resource "aws_launch_configuration" "eks_launch_configuration" {
   }
 }
 
+# Create a new iam service linked role that we can grant access to KMS keys in other accounts
+# Needed if we need to bring up custom AMI's that have been encrypted using a kms key
+resource "aws_iam_service_linked_role" "autoscaling" {
+  aws_service_name = "autoscaling.amazonaws.com"
+  custom_suffix = "${var.vpc_name}"
+}
+
+# Remember to grant access to the account in the KMS key policy too
+resource "aws_kms_grant" "kms" {
+  count = "${var.fips ? 1 : 0}"
+  name              = "kms-cmk-eks"
+  key_id            = "${var.fips_ami_kms}"
+  grantee_principal = "${aws_iam_service_linked_role.autoscaling.arn}"
+  operations        = ["Encrypt", "Decrypt", "ReEncryptFrom", "ReEncryptTo", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "DescribeKey", "CreateGrant"]
+}
 
 resource "aws_autoscaling_group" "eks_autoscaling_group" {
+  service_linked_role_arn = "${aws_iam_service_linked_role.autoscaling.arn}"
   desired_capacity     = 2
   launch_configuration = "${aws_launch_configuration.eks_launch_configuration.id}"
   max_size             = 10

diff --git a/tf_files/aws/modules/eks/variables.tf b/tf_files/aws/modules/eks/variables.tf
@@ -152,3 +152,18 @@ variable "activation_id" {
 variable "customer_id" {
   default = ""
 }
+
+variable "fips" {
+  default = false
+}
+
+# the key that was used to encrypt the FIPS enabled AMI
+# This is needed to ASG can decrypt the ami 
+variable "fips_ami_kms" {
+  default = "arn:aws:kms:us-east-1:707767160287:key/mrk-697897f040ef45b0aa3cebf38a916f99"
+}
+
+# This is the FIPS enabled AMI in cdistest account.
+variable "fips_enabled_ami" {
+  default = "ami-0de87e3680dcb13ec"
+}