terraform.aws-baseline-infra/examples/eks-managed-nodegroup/main.tf

provider "kubernetes" {
  host                   = module.eks.cluster_endpoint
  cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)

  exec {
    api_version = "client.authentication.k8s.io/v1beta1"
    command     = "aws"
    # This requires the awscli to be installed locally where Terraform is executed
    args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name]
  }
}

module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "19.21.0"

  cluster_name                   = "lab-ken2026-eks01"
  cluster_endpoint_public_access = true
  cluster_version                = "1.27"

  cluster_addons = {
    coredns = {
      preserve    = true
      most_recent = true

      timeouts = {
        create = "25m"
        delete = "10m"
      }
    }
    kube-proxy = {
      most_recent = true
    }
    vpc-cni = {
      most_recent = true
    }
  }

  create_kms_key = false
  cluster_encryption_config = {
    resources        = ["secrets"]
    provider_key_arn = module.kms.key_arn
  }

  iam_role_additional_policies = {
    additional = aws_iam_policy.additional.arn
  }

  vpc_id                   = var.vpc_id
  subnet_ids               = var.subnet_ids
  control_plane_subnet_ids = var.control_plane_subnet_ids

  # Extend cluster security group rules
  cluster_security_group_additional_rules = {
    ingress_nodes_ephemeral_ports_tcp = {
      description                = "Nodes on ephemeral ports"
      protocol                   = "tcp"
      from_port                  = 1025
      to_port                    = 65535
      type                       = "ingress"
      source_node_security_group = true
    }
    # Test: https://github.com/terraform-aws-modules/terraform-aws-eks/pull/2319
    ingress_source_security_group_id = {
      description              = "Ingress from another computed security group"
      protocol                 = "tcp"
      from_port                = 22
      to_port                  = 22
      type                     = "ingress"
      source_security_group_id = aws_security_group.additional.id
    }
  }

  # requires terraform be ran inside VPC
#    manage_aws_auth_configmap = true
#
#    aws_auth_roles = [
#      {
#        rolearn  = module.eks_managed_node_group.iam_role_arn
#        username = "system:node:{{EC2PrivateDNSName}}"
#        groups = [
#          "system:bootstrappers",
#          "system:nodes",
#        ]
#      },
#      {
#        rolearn  = "arn:aws:iam::040216112220:role/rackLE"
#        username = "rackLE"
#        groups   = ["system:masters"]
#      }
#    ]
#
#    aws_auth_users = [
#      {
#        userarn  = var.eks_master_user_arn
#        username = "eksmaster"
#        groups   = ["system:masters"]
#      }
#    ]
#
#    aws_auth_accounts = [
#      data.aws_caller_identity.current.account_id
#    ]

}

module "eks_managed_node_group" {
  source  = "terraform-aws-modules/eks/aws//modules/eks-managed-node-group"
  version = "19.21.0"

  name            = "eks-mng"
  cluster_name    = module.eks.cluster_name
  cluster_version = module.eks.cluster_version

  subnet_ids                        = var.subnet_ids
  cluster_primary_security_group_id = module.eks.cluster_primary_security_group_id
  vpc_security_group_ids = [
    module.eks.cluster_security_group_id,
    aws_security_group.additional.id
  ]

  ami_type       = "AL2_x86_64"
  instance_types = ["t3.medium"]
  iam_role_additional_policies = {
    SsmInstanceCore = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
  }

  # this will get added to what AWS provides
  bootstrap_extra_args = <<-EOT
    # extra args added
    [settings.kernel]
    lockdown = "integrity"

    [settings.kubernetes.node-labels]
    "label1" = "foo"
    "label2" = "bar"
  EOT

  min_size     = 0
  desired_size = 1
  max_size     = 2
}


module "kms" {
  source  = "terraform-aws-modules/kms/aws"
  version = "~> 1.5"

  aliases               = ["eks/${local.resource-prefix}"]
  description           = "${local.resource-prefix} cluster encryption key"
  enable_default_policy = true
  key_owners            = [data.aws_caller_identity.current.arn]
}

resource "aws_security_group" "additional" {
  name_prefix = "${local.resource-prefix}-sg"
  vpc_id      = var.vpc_id

  ingress {
    from_port = 22
    to_port   = 22
    protocol  = "tcp"
    cidr_blocks = [
      "10.0.0.0/8",
      "172.16.0.0/12",
      "192.168.0.0/16",
    ]
  }
}

resource "aws_iam_policy" "additional" {
  name = "${local.resource-prefix}-policy"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "ec2:Describe*",
        ]
        Effect   = "Allow"
        Resource = "*"
      },
    ]
  })
}


data "aws_caller_identity" "current" {}
HistoryPurge: Clearing out 238 old commits 2024-10-24 23:06:25 +08:00			`provider "kubernetes" {`
			`host = module.eks.cluster_endpoint`
			`cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)`

			`exec {`
			`api_version = "client.authentication.k8s.io/v1beta1"`
			`command = "aws"`
			`# This requires the awscli to be installed locally where Terraform is executed`
			`args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name]`
			`}`
			`}`

			`module "eks" {`
			`source = "terraform-aws-modules/eks/aws"`
			`version = "19.21.0"`

			`cluster_name = "lab-ken2026-eks01"`
			`cluster_endpoint_public_access = true`
			`cluster_version = "1.27"`

			`cluster_addons = {`
			`coredns = {`
			`preserve = true`
			`most_recent = true`

			`timeouts = {`
			`create = "25m"`
			`delete = "10m"`
			`}`
			`}`
			`kube-proxy = {`
			`most_recent = true`
			`}`
			`vpc-cni = {`
			`most_recent = true`
			`}`
			`}`

			`create_kms_key = false`
			`cluster_encryption_config = {`
			`resources = ["secrets"]`
			`provider_key_arn = module.kms.key_arn`
			`}`

			`iam_role_additional_policies = {`
			`additional = aws_iam_policy.additional.arn`
			`}`

			`vpc_id = var.vpc_id`
			`subnet_ids = var.subnet_ids`
			`control_plane_subnet_ids = var.control_plane_subnet_ids`

			`# Extend cluster security group rules`
			`cluster_security_group_additional_rules = {`
			`ingress_nodes_ephemeral_ports_tcp = {`
			`description = "Nodes on ephemeral ports"`
			`protocol = "tcp"`
			`from_port = 1025`
			`to_port = 65535`
			`type = "ingress"`
			`source_node_security_group = true`
			`}`
			`# Test: https://github.com/terraform-aws-modules/terraform-aws-eks/pull/2319`
			`ingress_source_security_group_id = {`
			`description = "Ingress from another computed security group"`
			`protocol = "tcp"`
			`from_port = 22`
			`to_port = 22`
			`type = "ingress"`
			`source_security_group_id = aws_security_group.additional.id`
			`}`
			`}`

			`# requires terraform be ran inside VPC`
			`# manage_aws_auth_configmap = true`
			`#`
			`# aws_auth_roles = [`
			`# {`
			`# rolearn = module.eks_managed_node_group.iam_role_arn`
			`# username = "system:node:{{EC2PrivateDNSName}}"`
			`# groups = [`
			`# "system:bootstrappers",`
			`# "system:nodes",`
			`# ]`
			`# },`
			`# {`
			`# rolearn = "arn:aws:iam::040216112220:role/rackLE"`
			`# username = "rackLE"`
			`# groups = ["system:masters"]`
			`# }`
			`# ]`
			`#`
			`# aws_auth_users = [`
			`# {`
			`# userarn = var.eks_master_user_arn`
			`# username = "eksmaster"`
			`# groups = ["system:masters"]`
			`# }`
			`# ]`
			`#`
			`# aws_auth_accounts = [`
			`# data.aws_caller_identity.current.account_id`
			`# ]`

			`}`

			`module "eks_managed_node_group" {`
			`source = "terraform-aws-modules/eks/aws//modules/eks-managed-node-group"`
			`version = "19.21.0"`

			`name = "eks-mng"`
			`cluster_name = module.eks.cluster_name`
			`cluster_version = module.eks.cluster_version`

			`subnet_ids = var.subnet_ids`
			`cluster_primary_security_group_id = module.eks.cluster_primary_security_group_id`
			`vpc_security_group_ids = [`
			`module.eks.cluster_security_group_id,`
			`aws_security_group.additional.id`
			`]`

			`ami_type = "AL2_x86_64"`
			`instance_types = ["t3.medium"]`
			`iam_role_additional_policies = {`
			`SsmInstanceCore = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"`
			`}`

			`# this will get added to what AWS provides`
			`bootstrap_extra_args = <<-EOT`
			`# extra args added`
			`[settings.kernel]`
			`lockdown = "integrity"`

			`[settings.kubernetes.node-labels]`
			`"label1" = "foo"`
			`"label2" = "bar"`
			`EOT`

			`min_size = 0`
			`desired_size = 1`
			`max_size = 2`
			`}`


			`module "kms" {`
			`source = "terraform-aws-modules/kms/aws"`
			`version = "~> 1.5"`

			`aliases = ["eks/${local.resource-prefix}"]`
			`description = "${local.resource-prefix} cluster encryption key"`
			`enable_default_policy = true`
			`key_owners = [data.aws_caller_identity.current.arn]`
			`}`

			`resource "aws_security_group" "additional" {`
			`name_prefix = "${local.resource-prefix}-sg"`
			`vpc_id = var.vpc_id`

			`ingress {`
			`from_port = 22`
			`to_port = 22`
			`protocol = "tcp"`
			`cidr_blocks = [`
			`"10.0.0.0/8",`
			`"172.16.0.0/12",`
			`"192.168.0.0/16",`
			`]`
			`}`
			`}`

			`resource "aws_iam_policy" "additional" {`
			`name = "${local.resource-prefix}-policy"`

			`policy = jsonencode({`
			`Version = "2012-10-17"`
			`Statement = [`
			`{`
			`Action = [`
			`"ec2:Describe*",`
			`]`
			`Effect = "Allow"`
			`Resource = "*"`
			`},`
			`]`
			`})`
			`}`


			`data "aws_caller_identity" "current" {}`