terraform.aws-baseline-infra/examples/eks-lab/eks/main.tf

# Outputs of the sibling "network" stack, read from its local state file; this
# file consumes vpc-id, vpc-cidr and the private/public subnet id lists.
# A local-backend state file is plain text on disk, so anyone who can read the
# network directory sees every output that stack exposes.
data "terraform_remote_state" "vpc" {
  config = {
    path = "../network/terraform.tfstate"
  }
  backend = "local"
}
# IAM role assumed by the EKS control plane. Trust is limited to the EKS
# service principal; permissions are the two AWS-managed policies the service
# requires, with no inline additions.
resource "aws_iam_role" "eks-cluster-role" {
  name = "${local.resource-prefix}-cluster-role"
  tags = local.default-tags

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Action    = "sts:AssumeRole"
        Principal = { Service = "eks.amazonaws.com" }
      }
    ]
  })

  managed_policy_arns = [
    "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy",
    "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController",
  ]
}
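# EKS control plane. The API endpoint is reachable only from inside the VPC
# (private endpoint on, public endpoint off), so kubectl access needs a host in
# the VPC -- the bastion instance further down in this file.
resource "aws_eks_cluster" "eks-cluster" {
  name     = "${local.resource-prefix}-cluster01"
  role_arn = aws_iam_role.eks-cluster-role.arn
  tags     = local.default-tags

  vpc_config {
    subnet_ids              = data.terraform_remote_state.vpc.outputs.private-subnet-ids
    endpoint_private_access = true
    endpoint_public_access  = false
  }

  # "authenticator" added alongside api/audit: without it the IAM-to-RBAC
  # authentication decisions (including rejected identities) are not shipped to
  # CloudWatch, so there is no trail for failed or unexpected logins.
  enabled_cluster_log_types = ["api", "audit", "authenticator"]

  # Fixed service CIDR; it must stay disjoint from the VPC CIDR the network
  # stack exports, otherwise in-cluster service addresses shadow VPC hosts.
  kubernetes_network_config {
    service_ipv4_cidr = "172.16.0.0/16"
    ip_family         = "ipv4"
  }

  # NOTE(review): no encryption_config block, so Kubernetes Secrets are not
  # envelope-encrypted with a customer-managed KMS key. Adding it needs a KMS
  # key resource that this module does not define.
}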
# Managed add-ons installed into the cluster, one resource per map key.
# The author's note: the latest add-on versions as of 2023-02-17 failed to
# deploy. The version values in the map are currently informational only,
# because addon_version below is commented out -- every add-on is created at
# the provider's default version. Uncomment addon_version to pin them.
resource "aws_eks_addon" "eks-addons" {
  for_each = {
    "aws-ebs-csi-driver" = { version = "v1.15.0-eksbuild.1" }
    "vpc-cni"            = { version = "v1.12.2-eksbuild.1" }
    "coredns"            = { version = "v1.9.3-eksbuild.2" }
    "kube-proxy"         = { version = "v1.24.9-eksbuild.2" }
  }

  cluster_name = aws_eks_cluster.eks-cluster.name
  addon_name   = each.key
  tags         = local.default-tags

  # addon_version = each.value["version"]
}
# Instance role for the managed node group (trust: EC2 only). Besides the three
# policies every EKS worker needs, CloudWatchAgentServerPolicy is attached so
# the nodes can ship metrics/logs. Note that anything running on a node can use
# this role through the instance metadata service unless pods are kept away
# from IMDS or given their own identities (IRSA).
resource "aws_iam_role" "eks-nodegroup-role" {
  name = "${local.resource-prefix}-nodegroup-role"
  tags = local.default-tags

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Action    = "sts:AssumeRole"
        Principal = { Service = "ec2.amazonaws.com" }
      }
    ]
  })

  managed_policy_arns = [
    "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
    "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
    "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
    "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy",
  ]
}
# Recommended EKS-optimized Amazon Linux 2 AMI release for the cluster's
# Kubernetes version, taken from the public SSM parameter AWS maintains.
# Because it is read at plan time, each apply may move the node group to a
# newer AMI release.
data "aws_ssm_parameter" "eks_ami_release_version" {
  name = format(
    "/aws/service/eks/optimized-ami/%s/amazon-linux-2/recommended/release_version",
    aws_eks_cluster.eks-cluster.version
  )
}
# The key pair is not generated by Terraform. Create it once, next to this
# file, with:  ssh-keygen -t ed25519 -f eks-node-sshkey
# file() only reads a file that already exists at plan time, so the .pub must
# be present before `terraform plan`. Keep the private half out of the repo.
resource "aws_key_pair" "eks-node-sshkey" {
  public_key = file("${path.module}/eks-node-sshkey.pub")
  key_name   = "${local.resource-prefix}-eks-node-sshkey"
}
# Security group referenced by the node group's remote_access block: SSH from
# any address inside the VPC, unrestricted egress.
resource "aws_security_group" "eks-node-sg" {
  vpc_id      = data.terraform_remote_state.vpc.outputs.vpc-id
  name        = "${local.resource-prefix}-eks-node-sg"
  description = "Allow ssh to EKS nodes"
  tags        = local.default-tags

  # The source is the whole VPC CIDR rather than the bastion's security group,
  # so every VPC host -- including pods, which get VPC addresses with vpc-cni --
  # can reach port 22 on the nodes.
  ingress {
    description = "SSH from VPC"
    protocol    = "tcp"
    from_port   = 22
    to_port     = 22
    cidr_blocks = [data.terraform_remote_state.vpc.outputs.vpc-cidr]
  }

  # Protocol "-1" is every IP protocol: all outbound traffic is allowed.
  egress {
    protocol    = "-1"
    from_port   = 0
    to_port     = 0
    cidr_blocks = ["0.0.0.0/0"]
  }
}
# Managed node group in the private subnets, 1-2 t3.small nodes on the
# EKS-optimized AMI release resolved from SSM above. remote_access enables SSH
# to the nodes with the shared key pair, filtered by eks-node-sg.
resource "aws_eks_node_group" "eks-nodegroup" {
  cluster_name           = aws_eks_cluster.eks-cluster.name
  node_group_name_prefix = "${local.resource-prefix}-eks-ng"
  node_role_arn          = aws_iam_role.eks-nodegroup-role.arn
  subnet_ids             = data.terraform_remote_state.vpc.outputs.private-subnet-ids
  instance_types         = ["t3.small"]
  tags                   = local.default-tags

  # Node Kubernetes version follows the control plane; the AMI release is the
  # SSM value, unwrapped with nonsensitive() because the provider marks SSM
  # parameter values as sensitive.
  version         = aws_eks_cluster.eks-cluster.version
  release_version = nonsensitive(data.aws_ssm_parameter.eks_ami_release_version.value)

  scaling_config {
    min_size     = 1
    desired_size = 1
    max_size     = 2
  }

  # Rolling updates take at most one node out of service at a time.
  update_config {
    max_unavailable = 1
  }

  remote_access {
    source_security_group_ids = [aws_security_group.eks-node-sg.id]
    ec2_ssh_key               = aws_key_pair.eks-node-sshkey.key_name
  }
}
# Base image for the EKS management (bastion) instance: the newest AMI from
# Canonical (owner 099720109477) whose name matches the filter.
# NOTE(review): "ubuntu-*" matches every Ubuntu release line and
# most_recent = true follows whatever Canonical published last, so the bastion
# image can change silently between applies. Naming the release in the filter
# (or pinning an AMI id) makes the image reproducible.
data "aws_ami" "ubuntu" {
  owners      = ["099720109477"] # Canonical
  most_recent = true

  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }

  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-*-amd64-server-*"]
  }
}
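# Security group for the bastion: SSH from a single operator address, all
# egress. The operator address is a literal in source; moving it to a variable
# keeps personal IPs out of the repository and makes rotation a one-line change.
resource "aws_security_group" "eks-bast-sg" {
  name        = "${local.resource-prefix}-eks-bast-sg"
  description = "Allow ssh to EKS bast"
  vpc_id      = data.terraform_remote_state.vpc.outputs.vpc-id
  tags        = local.default-tags

  ingress {
    # Description corrected: this rule admits one /32, not the VPC CIDR, and a
    # misleading description hides that from anyone auditing the SG in the
    # console.
    description = "SSH from admin IP"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["223.18.148.85/32"]
  }

  # Protocol "-1" is every IP protocol: all outbound traffic is allowed.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}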
# Instance role for the bastion. Trust is limited to EC2; permissions are the
# AWS-managed ReadOnlyAccess policy plus an inline grant of every eks: and ecr:
# action on every resource.
# NOTE(review): eks:* and ecr:* on "*" is broad for a host with a public IP --
# it covers cluster mutation and image push, not just kubectl access. Scoping
# Resource to this cluster's ARN and the repositories in use would be the
# least-privilege form; which actions the lab actually needs is not visible
# from this file.
resource "aws_iam_role" "eks-bast-role" {
  name = "${local.resource-prefix}-bast-role"
  tags = local.default-tags

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Action    = "sts:AssumeRole"
        Principal = { Service = "ec2.amazonaws.com" }
      }
    ]
  })

  inline_policy {
    name = "eks-bast-policy"
    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          Effect   = "Allow"
          Action   = ["eks:*", "ecr:*"]
          Resource = "*"
        },
      ]
    })
  }

  managed_policy_arns = ["arn:aws:iam::aws:policy/ReadOnlyAccess"]
}
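# Instance profile that carries eks-bast-role onto the bastion instance.
# Named with the shared prefix like every other resource in this file: IAM
# instance profile names are account-wide, so a fixed name would collide as
# soon as a second copy of this stack is deployed in the same account.
resource "aws_iam_instance_profile" "eks-bast-iam-profile" {
  name = "${local.resource-prefix}-eks-bast-iam-profile"
  role = aws_iam_role.eks-bast-role.name
}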
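# Bastion / management host in the first public subnet with a public IP. It
# holds the eks-bast-role credentials, so the instance is hardened where the
# provider lets us: IMDSv2 is required so a request-forgery or compromised
# process on the box cannot read the role credentials with a plain GET, and
# the root volume is encrypted at rest.
resource "aws_instance" "eks-bast" {
  ami                         = data.aws_ami.ubuntu.id
  instance_type               = "t3.micro"
  associate_public_ip_address = true
  ebs_optimized               = true
  key_name                    = aws_key_pair.eks-node-sshkey.key_name
  subnet_id                   = data.terraform_remote_state.vpc.outputs.public-subnet-ids[0]
  iam_instance_profile        = aws_iam_instance_profile.eks-bast-iam-profile.name
  tags                        = merge(local.default-tags, { "Name" : "${local.resource-prefix}-eks-bast" })

  # Membership in the EKS cluster security group is what lets the bastion reach
  # the private API endpoint. That SG also admits member-to-member traffic by
  # default, so the bastion can reach the nodes on any port, not only 443.
  vpc_security_group_ids = [aws_security_group.eks-bast-sg.id, aws_eks_cluster.eks-cluster.vpc_config[0].cluster_security_group_id]

  # IMDSv2 only: the session-token handshake is not reachable through SSRF or
  # a stray curl from an unprivileged process.
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }

  root_block_device {
    volume_size = 8
    volume_type = "gp3"
    encrypted   = true
    tags        = local.default-tags
  }

  # Bootstrap runs as root under cloud-init. Changes from the original script:
  # fail fast on any error (set -euo pipefail) instead of leaving a half-built
  # host that looks healthy, refresh the package index before installing, use
  # apt-get (apt's CLI is not stable for scripts), and verify the kubectl
  # binary against the published SHA-256 before installing it.
  # NOTE(review): eksctl and the AWS CLI are still fetched without integrity
  # checks; both projects publish checksums/signatures that should be verified
  # here as well.
  user_data = <<-EOF
    #!/bin/bash
    set -euo pipefail
    export DEBIAN_FRONTEND=noninteractive
    echo "Install unzip"
    apt-get update -y
    apt-get install -y unzip
    echo "Install eksctl"
    curl --silent --location "https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_$(uname -s)_amd64.tar.gz" | tar xz -C /tmp
    mv /tmp/eksctl /usr/local/bin
    echo "Install kubectl"
    KUBECTL_VERSION="$(curl -L -s https://dl.k8s.io/release/stable.txt)"
    curl -LO "https://dl.k8s.io/release/$KUBECTL_VERSION/bin/linux/amd64/kubectl"
    curl -LO "https://dl.k8s.io/release/$KUBECTL_VERSION/bin/linux/amd64/kubectl.sha256"
    echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check
    mv kubectl /usr/local/bin/
    chmod 755 /usr/local/bin/kubectl
    echo "Install awscliv2"
    curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
    unzip awscliv2.zip
    ./aws/install
  EOF
}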