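# Bastion host for the lab EKS cluster. Shell access is intended through SSM
# Session Manager (AmazonSSMManagedInstanceCore below; module.sg opens no SSH
# port), so key_name is only a fallback.
module "bastion" {
  source  = "terraform-aws-modules/ec2-instance/aws"
  version = "5.5.0"

  name          = "lab-ken2026-eks-bastion"
  instance_type = "t3.micro"
  ami           = data.aws_ami.this.id
  # A newer image matched by data.aws_ami.this will not replace the instance
  # (the module is expected to put `ami` under ignore_changes), so OS patching
  # has to happen in place, e.g. via SSM.
  ignore_ami_changes = true
  subnet_id          = var.subnet_ids[0]

  vpc_security_group_ids = [module.sg.id, module.eks.cluster_primary_security_group_id]

  create_iam_instance_profile = true
  iam_role_description        = "IAM role for EC2 instance"
  iam_role_policies = {
    SSMManagedInstanceCore = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
    CloudwatchAgent        = "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
    # SECURITY: AdministratorAccess on an instance profile means every process
    # on this host holds account-wide admin credentials via IMDS. Scope this
    # down to what kubectl from here actually needs (likely eks:DescribeCluster
    # plus a cluster RBAC mapping for the role) rather than the managed policy.
    Admin = "arn:aws:iam::aws:policy/AdministratorAccess"
  }

  key_name      = "kf-key"
  ebs_optimized = true
  root_block_device = [
    {
      # No kms_key_id given, so this presumably encrypts with the account's
      # default EBS key — confirm if a customer-managed key is required.
      encrypted   = true
      volume_type = "gp3"
      volume_size = 10
    },
  ]
  volume_tags = data.aws_default_tags.this.tags

  # IMDSv2 requirement: http_tokens = "required" disables the token-less v1
  # path to instance credentials. Hop limit 2 lets a container on the host
  # reach IMDS; a plain bastion with no containers can use 1.
  metadata_options = {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 2
  }

  # Runs as root on first boot. The previous script installed whatever curl
  # returned (a 404 body included, since -f was missing) without verifying
  # it; now the download fails fast and the published SHA-256 is checked
  # before the binary is installed.
  user_data = <<EOF
#!/bin/bash
set -euo pipefail
RELEASE_BASE=https://storage.googleapis.com/kubernetes-release/release
VERSION=$(curl -fsSL "$RELEASE_BASE/stable.txt")
curl -fsSLO "$RELEASE_BASE/$VERSION/bin/linux/amd64/kubectl"
curl -fsSLO "$RELEASE_BASE/$VERSION/bin/linux/amd64/kubectl.sha256"
echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check
install -m 0755 kubectl /usr/local/bin/kubectl
rm -f kubectl kubectl.sha256
EOF
}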
# Security group attached to the bastion (see module.bastion). The
# description still reads "web server"; in the AWS provider a changed
# aws_security_group description forces a new resource, so correcting the
# wording is not a free edit.
module "sg" {
  source      = "../../modules/compute/security_group"
  description = "Security group for web server"
  # Rule strings appear to be "protocol,from_port,to_port,cidr,description"
  # as parsed by the local module (its schema is not visible here — confirm).
  # All outbound TCP/UDP to any destination is open; tighten if egress
  # filtering is a control you rely on.
  egress = {
    r1 = "tcp,0,65535,0.0.0.0/0,Allow outbound tcp traffic"
    r2 = "udp,0,65535,0.0.0.0/0,Allow outbound udp traffic"
    r3 = "icmp,0,-1,0.0.0.0/0,Allow icmp echo reply"
  }
  # No SSH ingress: shell access is expected via SSM. Only ICMP echo request
  # (type 8) is admitted, and from any source, which makes the host
  # discoverable to the whole internet if it has a public address.
  ingress = {
    r1 = "icmp,8,-1,0.0.0.0/0,Allow ICMP traffic"
  }
  name   = "lab-ken2026-eks-bastion-sg"
  vpc-id = var.vpc_id
}
# Provider default_tags, re-applied to the bastion's EBS volumes via volume_tags.
data "aws_default_tags" "this" {}
# Latest Amazon Linux 2023 x86_64 EBS/HVM image. `most_recent` means the
# result moves over time; module.bastion sets ignore_ami_changes so a new
# match does not rebuild the instance.
data "aws_ami" "this" {
  most_recent = true
  name_regex  = "al2023-ami-202.*"

  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }

  filter {
    name   = "root-device-type"
    values = ["ebs"]
  }

  filter {
    name   = "architecture"
    values = ["x86_64"]
  }

  # Pinning owners is what prevents a public AMI with a matching name from
  # being selected. Confirm this account is Amazon's publisher for the target
  # region (the publisher account can differ by region); the "amazon" owner
  # alias avoids carrying a per-region ID.
  owners = ["910595266909"] # AWS
}