fix: add PV node affinity, AKS security hardening, and configurable ECS public IP

- EKS: add node_affinity to PV ensuring pod schedules in same AZ as EBS volume
- GKE: add node_affinity to PV ensuring pod schedules in same zone as GCE disk
- AKS: enable RBAC and add api_server_access_profile with configurable IP ranges
- ECS: make assign_public_ip configurable via variable (default: true)

Author: akshaydeo

docs/deployment-guides/k8s.mdx

@@ -11,7 +11,7 @@ Bifrost also provides a ready-to-use Terraform module that handles all the infra
 You can use it directly from GitHub:
 ```hcl
 module "bifrost" {
-  source         = "github.com/maximhq/bifrost//terraform/modules/bifrost"
+  source         = "github.com/maximhq/bifrost//terraform/modules/bifrost?ref=terraform/v0.1.0"
   cloud_provider = "aws"          # "aws" | "gcp" | "azure" | "kubernetes"
   service        = "eks"          # AWS: "ecs" | "eks", GCP: "gke" | "cloud-run", Azure: "aks" | "aci", K8s: "deployment"
   region         = "us-east-1"

terraform/README.md

@@ -8,7 +8,7 @@ Reference the module directly from GitHub. Pin to a specific release tag using `
 
 ```hcl
 module "bifrost" {
-  source         = "github.com/maximhq/bifrost//terraform/modules/bifrost?ref=v1.4.6"
+  source         = "github.com/maximhq/bifrost//terraform/modules/bifrost?ref=terraform/v0.1.0"
   cloud_provider = "aws"       # "aws" | "gcp" | "azure" | "kubernetes"
   service        = "ecs"       # AWS: "ecs" | "eks", GCP: "gke" | "cloud-run", Azure: "aks" | "aci", K8s: "deployment"
   region         = "us-east-1"

terraform/modules/bifrost/aws/services/ecs/main.tf

@@ -97,7 +97,7 @@ resource "aws_ecs_service" "bifrost" {
   network_configuration {
     subnets          = var.subnet_ids
     security_groups  = var.security_group_ids
-    assign_public_ip = true
+    assign_public_ip = var.assign_public_ip
   }
 
   dynamic "load_balancer" {

terraform/modules/bifrost/aws/services/ecs/variables.tf

@@ -114,3 +114,9 @@ variable "autoscaling_memory_threshold" {
   description = "Target memory utilization percentage for autoscaling."
   type        = number
 }
+
+variable "assign_public_ip" {
+  description = "Assign a public IP to the ECS task. Set to false for private subnet deployments."
+  type        = bool
+  default     = true
+}

terraform/modules/bifrost/aws/services/eks/main.tf

@@ -250,6 +250,18 @@ resource "kubernetes_persistent_volume" "bifrost_data" {
         fs_type   = "ext4"
       }
     }
+
+    node_affinity {
+      required {
+        node_selector_term {
+          match_expressions {
+            key      = "topology.kubernetes.io/zone"
+            operator = "In"
+            values   = [local.availability_zone]
+          }
+        }
+      }
+    }
   }
 
   depends_on = [aws_ebs_volume.bifrost_data]

terraform/modules/bifrost/azure/services/aks/main.tf

@@ -25,6 +25,12 @@ resource "azurerm_kubernetes_cluster" "this" {
   dns_prefix          = var.name_prefix
   tags                = var.tags
 
+  role_based_access_control_enabled = true
+
+  api_server_access_profile {
+    authorized_ip_ranges = var.api_server_authorized_ip_ranges
+  }
+
   default_node_pool {
     name           = "default"
     node_count     = var.node_count

terraform/modules/bifrost/azure/services/aks/variables.tf

@@ -134,3 +134,9 @@ variable "identity_id" {
   description = "User assigned identity ID for the AKS cluster."
   type        = string
 }
+
+variable "api_server_authorized_ip_ranges" {
+  description = "IP ranges authorized to access the AKS API server."
+  type        = list(string)
+  default     = ["0.0.0.0/0"]
+}

terraform/modules/bifrost/gcp/services/gke/main.tf

@@ -146,6 +146,18 @@ resource "kubernetes_persistent_volume" "bifrost" {
         pd_name = google_compute_disk.bifrost.name
       }
     }
+
+    node_affinity {
+      required {
+        node_selector_term {
+          match_expressions {
+            key      = "topology.kubernetes.io/zone"
+            operator = "In"
+            values   = ["${var.region}-a"]
+          }
+        }
+      }
+    }
   }
 
   depends_on = [google_compute_disk.bifrost]