refactor(terraform): migrate to opentofu

[Smana]

PR Type

enhancement, documentation

---

Description

• Migrated Terraform configuration to Opentofu, updating all relevant paths and references.
• Configured IAM roles and policies for EKS, Crossplane, and OpenBao.
• Set up AWS launch templates, autoscaling groups, and security groups for OpenBao.
• Added Helm releases for EKS components like Cilium, AWS EBS CSI Driver, and Karpenter.
• Configured Vault PKI and policies for OpenBao management.
• Defined variables and providers for EKS, OpenBao, and network configurations.
• Updated documentation for EKS and OpenBao cluster setup and management.

---

Changes walkthrough 📝

	Relevant files
Enhancement	11 files iam.tf Configure IAM roles and policies for EKS and Crossplane    opentofu/eks/iam.tf Added IAM roles and policies for EBS CSI Driver and Crossplane. Defined multiple AWS IAM policies for Crossplane with specific permissions. Configured OIDC providers for EKS. +291/-1  autoscaling_group.tf Setup AWS launch templates and autoscaling group for OpenBao opentofu/openbao/cluster/autoscaling_group.tf Defined AWS launch templates for development and high-availability modes. Configured autoscaling group with mixed instances policy. Set up traffic source attachments for load balancing. +135/-1  security_group.tf Define security groups and rules for OpenBao                          opentofu/openbao/cluster/security_group.tf Created security groups for NLB and OpenBao ASG. Defined ingress and egress rules for OpenBao API and internal communication. +96/-1    data.tf Add AWS data sources and cloud-init configuration                opentofu/openbao/cluster/data.tf Added data sources for AWS resources like VPC, subnets, and security groups. Configured cloud-init for OpenBao instances. +117/-1  tailscale.tf Configure Tailscale networking and ACLs                                    opentofu/network/tailscale.tf Configured Tailscale ACLs, DNS, and subnet routing. Set up Tailscale subnet router module. +92/-1    helm.tf Setup Helm releases for EKS components                                      opentofu/eks/helm.tf Configured Helm releases for Cilium, AWS EBS CSI Driver, and Karpenter. Set dependencies and values for Helm charts. +80/-1    data.tf Add AWS data sources for EKS configuration                              opentofu/eks/data.tf Added data sources for AWS VPC, subnets, and security groups. Included ECR public authorization token data source. +88/-1    pki.tf Configure Vault PKI for OpenBao management                              opentofu/openbao/management/pki.tf Configured Vault PKI for certificate management. Set up intermediate certificate signing and issuer. +50/-1    admin.hcl Define Vault admin policies for OpenBao                                    opentofu/openbao/management/policies/admin.hcl Defined Vault policies for admin access and identity management. Included capabilities for managing PKI and authentication methods. +79/-1    iam.tf Setup IAM roles and policies for OpenBao instances              opentofu/openbao/cluster/iam.tf Created IAM instance profile and role for OpenBao. Attached policies for SSM and EC2 read-only access. +63/-1    karpenter.tf Setup Karpenter for EKS cluster autoscaling                            opentofu/eks/karpenter.tf Configured Karpenter module for EKS. Set up pod identity association and Kubernetes manifests. +47/-1
Configuration changes	4 files variables.tf Define variables for EKS cluster configuration                      opentofu/eks/variables.tf Defined variables for EKS cluster configuration. Added default values for Kubernetes and AWS settings. +106/-1  variables.tf Define variables for OpenBao cluster configuration              opentofu/openbao/cluster/variables.tf Added variables for OpenBao cluster settings. Included validation for cluster mode. +84/-1    variables.tf Define variables for Vault PKI configuration                          opentofu/openbao/management/variables.tf Added variables for Vault PKI configuration. Defined default values for certificate settings. +63/-1    providers.tf Configure providers for EKS and related services                  opentofu/eks/providers.tf Defined multiple providers for AWS, Flux, GitHub, Helm, and Kubernetes. Configured authentication and connection settings. +53/-1
Additional files (token-limit)	28 files README.md ...                                                                                                            opentofu/network/README.md ... +112/-1  bundle.pem ...                                                                                                            opentofu/openbao/cluster/.tls-backup/bundle.pem ... +42/-0    backup_restore.md ...                                                                                                            opentofu/openbao/management/docs/backup_restore.md ... +138/-1  ca-chain.pem ...                                                                                                            opentofu/openbao/cluster/.tls-backup/ca-chain.pem ... +33/-0    pki_requirements.md ...                                                                                                            opentofu/openbao/cluster/docs/pki_requirements.md ... +150/-1  vault-key.pem ...                                                                                                            opentofu/openbao/cluster/.tls-backup/vault-key.pem ... +28/-0    getting_started.md ...                                                                                                            opentofu/openbao/cluster/docs/getting_started.md ... +106/-1  vault.pem ...                                                                                                            opentofu/openbao/cluster/.tls-backup/vault.pem ... +21/-0    README.md ...                                                                                                            README.md ... +8/-8      intermediate-ca.pem ...                                                                                                            opentofu/openbao/cluster/.tls-backup/intermediate-ca.pem ... +17/-0    root-ca.pem ...                                                                                                            opentofu/openbao/cluster/.tls-backup/root-ca.pem ... +16/-0    approle.md ...                                                                                                            opentofu/openbao/management/docs/approle.md ... +49/-1    README.md ...                                                                                                            dagger/README.md ... +5/-5      io-nodepool.yaml ...                                                                                                            opentofu/eks/kubernetes-manifests/karpenter/io-nodepool.yaml ... +41/-1    cilium.yaml ...                                                                                                            opentofu/eks/helm_values/cilium.yaml ... +56/-1    renovate.json ...                                                                                                            .github/renovate.json ... +3/-3      default-nodepool.yaml ...                                                                                                            opentofu/eks/kubernetes-manifests/karpenter/default-nodepool.yaml ... +32/-1    root-ca-key.pem ...                                                                                                            opentofu/openbao/cluster/.tls-backup/root-ca-key.pem ... +9/-0      intermediate-ca-key.pem ...                                                                                                            opentofu/openbao/cluster/.tls-backup/intermediate-ca-key.pem ... +9/-0      io-ec2nc.yaml ...                                                                                                            opentofu/eks/kubernetes-manifests/karpenter/io-ec2nc.yaml ... +21/-1    cloudinit-config.yaml ...                                                                                                            opentofu/openbao/cluster/scripts/cloudinit-config.yaml ... +22/-1    aws-ebs-csi-driver.yaml ...                                                                                                            opentofu/eks/helm_values/aws-ebs-csi-driver.yaml ... +21/-1    default-ec2nc.yaml ...                                                                                                            opentofu/eks/kubernetes-manifests/karpenter/default-ec2nc.yaml ... +17/-1    openbao-clusterissuer.yaml ...                                                                                                            security/base/cert-manager/openbao-clusterissuer.yaml ... +1/-1      external-secrets.yaml ...                                                                                                            security/base/epis/external-secrets.yaml ... +1/-1      helmrelease.yaml ...                                                                                                            infrastructure/base/aws-load-balancer-controller/helmrelease.yaml ... +1/-1      README.md ...                                                                                                            opentofu/openbao/management/README.md ... +2/-2      karpenter.yaml ...                                                                                                            opentofu/eks/helm_values/karpenter.yaml ... +5/-1

---

💡 PR-Agent usage: Comment /help "your question" on any pull request to receive relevant information

[github-actions[bot]]

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 5 🔵🔵🔵🔵🔵

🧪 No relevant tests

🔒 Security concerns IAM Policy Wildcards: The IAM policies use wildcards extensively, which can grant more permissions than necessary and increase security risks. For example, the policy allows actions like 's3:*' on specific resources, which could be restricted to only necessary actions.

⚡ Recommended focus areas for review Security Concerns The IAM policies defined allow overly broad permissions, which could lead to security risks. It's recommended to adhere to the principle of least privilege. Configuration Issue The autoscaling group configuration does not specify scaling policies based on metrics, which might lead to inefficient resource management. Security Group Configuration The security group configuration allows broad access which might expose the system to security risks.

[github-actions[bot]]

PR Code Suggestions ✨

No code suggestions found for the PR.