Merge pull request hashicorp#167 from kawsark/master

rberlind · web-flow · commit dab89f7d6ad0 · 2019-11-07T18:40:32.000-05:00
Minor updates for OpenShift cluster provisioning
diff --git a/governance/first-generation/aws/sentinel.hcl b/governance/first-generation/aws/sentinel.hcl
@@ -0,0 +1,3 @@
+policy "restrict-aws-region" {
+    enforcement_level = "soft-mandatory"
+}
diff --git a/infrastructure-as-code/k8s-cluster-openshift-aws/main.tf b/infrastructure-as-code/k8s-cluster-openshift-aws/main.tf
@@ -203,6 +203,6 @@ resource "vault_kubernetes_auth_backend_role" "role" {
   role_name = "demo"
   bound_service_account_names = ["cats-and-dogs"]
   bound_service_account_namespaces = ["default", "cats-and-dogs"]
-  policies = ["${var.vault_user}"]
-  ttl = 7200
+  token_policies = ["${var.vault_user}"]
+  token_ttl = 7200
 }
diff --git a/infrastructure-as-code/k8s-cluster-openshift-aws/modules/openshift/01-amis.tf b/infrastructure-as-code/k8s-cluster-openshift-aws/modules/openshift/01-amis.tf
@@ -49,6 +49,6 @@ data "aws_ami" "amazonlinux" {
 
   filter {
     name   = "name"
-    values = ["amzn-ami-hvm-*"]
+    values = ["amzn-ami-hvm-2018.03.0.20190611-x86_64-gp2"]
   }
 }
diff --git a/infrastructure-as-code/k8s-cluster-openshift-aws/scripts/postinstall-master.sh b/infrastructure-as-code/k8s-cluster-openshift-aws/scripts/postinstall-master.sh
@@ -3,7 +3,7 @@
 # Note: This script runs after the ansible install, use it to make configuration
 # changes which would otherwise be overwritten by ansible.
 
-sleep 120
+sleep 180
 
 # Create an htpasswd file, we'll use htpasswd auth for OpenShift.
 sudo mkdir -p /etc/origin/master
diff --git a/infrastructure-as-code/k8s-cluster-openshift-aws/scripts/postinstall-node.sh b/infrastructure-as-code/k8s-cluster-openshift-aws/scripts/postinstall-node.sh
@@ -3,7 +3,7 @@
 # Note: This script runs after the ansible install, use it to make configuration
 # changes which would otherwise be overwritten by ansible.
 
-sleep 120
+sleep 180
 
 # Update the docker config to allow OpenShift's local insecure registry. Also
 # use json-file for logging, so our Splunk forwarder can eat the container logs.
diff --git a/infrastructure-as-code/k8s-cluster-openshift-aws/variables.tf b/infrastructure-as-code/k8s-cluster-openshift-aws/variables.tf
@@ -4,6 +4,11 @@ variable "region" {
   default = "us-east-1"
 }
 
+variable "bastion_ami_filter" {
+  description = "The filter for the bastion AMI data source"
+  default = "amzn-ami-hvm-*"
+}
+
 variable "key_name" {
   description = "The name of the key to user for ssh access"
 }

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+policy "restrict-aws-region" {`
	`2`	`+ enforcement_level = "soft-mandatory"`
	`3`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -203,6 +203,6 @@ resource "vault_kubernetes_auth_backend_role" "role" {`
`203`	`203`	`role_name = "demo"`
`204`	`204`	`bound_service_account_names = ["cats-and-dogs"]`
`205`	`205`	`bound_service_account_namespaces = ["default", "cats-and-dogs"]`
`206`		`- policies = ["${var.vault_user}"]`
`207`		`- ttl = 7200`
	`206`	`+ token_policies = ["${var.vault_user}"]`
	`207`	`+ token_ttl = 7200`
`208`	`208`	`}`
Original file line number	Diff line number	Diff line change
`@@ -49,6 +49,6 @@ data "aws_ami" "amazonlinux" {`
`49`	`49`
`50`	`50`	`filter {`
`51`	`51`	`name = "name"`
`52`		`- values = ["amzn-ami-hvm-*"]`
	`52`	`+ values = ["amzn-ami-hvm-2018.03.0.20190611-x86_64-gp2"]`
`53`	`53`	`}`
`54`	`54`	`}`
Original file line number	Diff line number	Diff line change
`@@ -4,6 +4,11 @@ variable "region" {`
`4`	`4`	`default = "us-east-1"`
`5`	`5`	`}`
`6`	`6`
	`7`	`+variable "bastion_ami_filter" {`
	`8`	`+ description = "The filter for the bastion AMI data source"`
	`9`	`+ default = "amzn-ami-hvm-*"`
	`10`	`+}`
	`11`	`+`
`7`	`12`	`variable "key_name" {`
`8`	`13`	`description = "The name of the key to user for ssh access"`
`9`	`14`	`}`