refactor: Refactoring to match the rest of terraform-aws-modules (#1583)

main.tf

@@ -0,0 +1,196 @@
+resource "aws_cloudwatch_log_group" "this" {
+  count = length(var.cluster_enabled_log_types) > 0 && var.create_eks ? 1 : 0
+
+  name              = "/aws/eks/${var.cluster_name}/cluster"
+  retention_in_days = var.cluster_log_retention_in_days
+  kms_key_id        = var.cluster_log_kms_key_id
+
+  tags = var.tags
+}
+
+resource "aws_eks_cluster" "this" {
+  count = var.create_eks ? 1 : 0
+
+  name                      = var.cluster_name
+  enabled_cluster_log_types = var.cluster_enabled_log_types
+  role_arn                  = local.cluster_iam_role_arn
+  version                   = var.cluster_version
+
+  vpc_config {
+    security_group_ids      = compact([local.cluster_security_group_id])
+    subnet_ids              = var.subnets
+    endpoint_private_access = var.cluster_endpoint_private_access
+    endpoint_public_access  = var.cluster_endpoint_public_access
+    public_access_cidrs     = var.cluster_endpoint_public_access_cidrs
+  }
+
+  kubernetes_network_config {
+    service_ipv4_cidr = var.cluster_service_ipv4_cidr
+  }
+
+  dynamic "encryption_config" {
+    for_each = toset(var.cluster_encryption_config)
+
+    content {
+      provider {
+        key_arn = encryption_config.value["provider_key_arn"]
+      }
+      resources = encryption_config.value["resources"]
+    }
+  }
+
+  tags = merge(
+    var.tags,
+    var.cluster_tags,
+  )
+
+  timeouts {
+    create = var.cluster_create_timeout
+    delete = var.cluster_delete_timeout
+  }
+
+  depends_on = [
+    aws_security_group_rule.cluster_egress_internet,
+    aws_security_group_rule.cluster_https_worker_ingress,
+    aws_iam_role_policy_attachment.cluster_AmazonEKSClusterPolicy,
+    aws_iam_role_policy_attachment.cluster_AmazonEKSServicePolicy,
+    aws_iam_role_policy_attachment.cluster_AmazonEKSVPCResourceControllerPolicy,
+    aws_cloudwatch_log_group.this
+  ]
+}
+
+resource "aws_security_group" "cluster" {
+  count = var.cluster_create_security_group && var.create_eks ? 1 : 0
+
+  name_prefix = var.cluster_name
+  description = "EKS cluster security group."
+  vpc_id      = var.vpc_id
+
+  tags = merge(
+    var.tags,
+    {
+      "Name" = "${var.cluster_name}-eks_cluster_sg"
+    },
+  )
+}
+
+resource "aws_security_group_rule" "cluster_egress_internet" {
+  count = var.cluster_create_security_group && var.create_eks ? 1 : 0
+
+  description       = "Allow cluster egress access to the Internet."
+  protocol          = "-1"
+  security_group_id = local.cluster_security_group_id
+  cidr_blocks       = var.cluster_egress_cidrs
+  from_port         = 0
+  to_port           = 0
+  type              = "egress"
+}
+
+resource "aws_security_group_rule" "cluster_https_worker_ingress" {
+  count = var.cluster_create_security_group && var.create_eks && var.worker_create_security_group ? 1 : 0
+
+  description              = "Allow pods to communicate with the EKS cluster API."
+  protocol                 = "tcp"
+  security_group_id        = local.cluster_security_group_id
+  source_security_group_id = local.worker_security_group_id
+  from_port                = 443
+  to_port                  = 443
+  type                     = "ingress"
+}
+
+resource "aws_security_group_rule" "cluster_private_access_cidrs_source" {
+  for_each = var.create_eks && var.cluster_create_endpoint_private_access_sg_rule && var.cluster_endpoint_private_access && var.cluster_endpoint_private_access_cidrs != null ? toset(var.cluster_endpoint_private_access_cidrs) : []
+
+  description = "Allow private K8S API ingress from custom CIDR source."
+  type        = "ingress"
+  from_port   = 443
+  to_port     = 443
+  protocol    = "tcp"
+  cidr_blocks = [each.value]
+
+  security_group_id = aws_eks_cluster.this[0].vpc_config[0].cluster_security_group_id
+}
+
+resource "aws_security_group_rule" "cluster_private_access_sg_source" {
+  count = var.create_eks && var.cluster_create_endpoint_private_access_sg_rule && var.cluster_endpoint_private_access && var.cluster_endpoint_private_access_sg != null ? length(var.cluster_endpoint_private_access_sg) : 0
+
+  description              = "Allow private K8S API ingress from custom Security Groups source."
+  type                     = "ingress"
+  from_port                = 443
+  to_port                  = 443
+  protocol                 = "tcp"
+  source_security_group_id = var.cluster_endpoint_private_access_sg[count.index]
+
+  security_group_id = aws_eks_cluster.this[0].vpc_config[0].cluster_security_group_id
+}
+
+resource "aws_iam_role" "cluster" {
+  count = var.manage_cluster_iam_resources && var.create_eks ? 1 : 0
+
+  name_prefix           = var.cluster_iam_role_name != "" ? null : var.cluster_name
+  name                  = var.cluster_iam_role_name != "" ? var.cluster_iam_role_name : null
+  assume_role_policy    = data.aws_iam_policy_document.cluster_assume_role_policy.json
+  permissions_boundary  = var.permissions_boundary
+  path                  = var.iam_path
+  force_detach_policies = true
+
+  tags = var.tags
+}
+
+resource "aws_iam_role_policy_attachment" "cluster_AmazonEKSClusterPolicy" {
+  count = var.manage_cluster_iam_resources && var.create_eks ? 1 : 0
+
+  policy_arn = "${local.policy_arn_prefix}/AmazonEKSClusterPolicy"
+  role       = local.cluster_iam_role_name
+}
+
+resource "aws_iam_role_policy_attachment" "cluster_AmazonEKSServicePolicy" {
+  count = var.manage_cluster_iam_resources && var.create_eks ? 1 : 0
+
+  policy_arn = "${local.policy_arn_prefix}/AmazonEKSServicePolicy"
+  role       = local.cluster_iam_role_name
+}
+
+resource "aws_iam_role_policy_attachment" "cluster_AmazonEKSVPCResourceControllerPolicy" {
+  count = var.manage_cluster_iam_resources && var.create_eks ? 1 : 0
+
+  policy_arn = "${local.policy_arn_prefix}/AmazonEKSVPCResourceController"
+  role       = local.cluster_iam_role_name
+}
+
+/*
+ Adding a policy to cluster IAM role that allow permissions
+ required to create AWSServiceRoleForElasticLoadBalancing service-linked role by EKS during ELB provisioning
+*/
+
+data "aws_iam_policy_document" "cluster_elb_sl_role_creation" {
+  count = var.manage_cluster_iam_resources && var.create_eks ? 1 : 0
+
+  statement {
+    effect = "Allow"
+    actions = [
+      "ec2:DescribeAccountAttributes",
+      "ec2:DescribeInternetGateways",
+      "ec2:DescribeAddresses"
+    ]
+    resources = ["*"]
+  }
+}
+
+resource "aws_iam_policy" "cluster_elb_sl_role_creation" {
+  count = var.manage_cluster_iam_resources && var.create_eks ? 1 : 0
+
+  name_prefix = "${var.cluster_name}-elb-sl-role-creation"
+  description = "Permissions for EKS to create AWSServiceRoleForElasticLoadBalancing service-linked role"
+  policy      = data.aws_iam_policy_document.cluster_elb_sl_role_creation[0].json
+  path        = var.iam_path
+
+  tags = var.tags
+}
+
+resource "aws_iam_role_policy_attachment" "cluster_elb_sl_role_creation" {
+  count = var.manage_cluster_iam_resources && var.create_eks ? 1 : 0
+
+  policy_arn = aws_iam_policy.cluster_elb_sl_role_creation[0].arn
+  role       = local.cluster_iam_role_name
+}