# Outputs of the sibling "network" root module (vpc-id, vpc-cidr, subnet ids),
# read from its local state file. A local tfstate is plain JSON on disk and
# stores every output verbatim, so the path below should be treated as sensitive.
data "terraform_remote_state" "vpc" {
  backend = "local"

  config = {
    path = "../network/terraform.tfstate"
  }
}
# IAM role assumed by the EKS control plane; trust is limited to eks.amazonaws.com
# and permissions come solely from the two AWS-managed policies below.
resource "aws_iam_role" "eks-cluster-role" {
  name = "${local.resource-prefix}-cluster-role"

  # Trust policy written with identifier keys; jsonencode emits the same
  # document as the quoted-key form.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Principal = { Service = "eks.amazonaws.com" }
        Action    = "sts:AssumeRole"
      }
    ]
  })

  managed_policy_arns = [
    "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy",
    "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController",
  ]

  tags = local.default-tags
}
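# EKS control plane. The API endpoint is private only: it is reached from inside
# the VPC (bastion, nodes), never from the internet.
resource "aws_eks_cluster" "eks-cluster" {
  name     = "${local.resource-prefix}-cluster01"
  role_arn = aws_iam_role.eks-cluster-role.arn

  vpc_config {
    subnet_ids              = data.terraform_remote_state.vpc.outputs.private-subnet-ids
    endpoint_private_access = true
    endpoint_public_access  = false
  }

  # "authenticator" added: it records how IAM identities are mapped to
  # Kubernetes users/groups, which api/audit alone do not show and which is
  # needed to investigate unexpected cluster access. controllerManager and
  # scheduler are left off to limit CloudWatch cost.
  enabled_cluster_log_types = ["api", "audit", "authenticator"]

  kubernetes_network_config {
    service_ipv4_cidr = "172.16.0.0/16"
    ip_family         = "ipv4"
  }

  # NOTE(review): no encryption_config, so Kubernetes Secrets in etcd rely on
  # the AWS-managed default only. Add a KMS key and
  # encryption_config { resources = ["secrets"] provider { key_arn = ... } }
  # if envelope encryption with a customer-managed key is required.

  tags = local.default-tags
}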
# Managed EKS add-ons. The map values carry pinned versions, but addon_version is
# commented out, so the provider installs each add-on's default version for the
# cluster's Kubernetes release.
resource "aws_eks_addon" "eks-addons" {
  # Earlier form: for_each = toset(["vpc-cni", "coredns", "kube-proxy", "aws-ebs-csi-driver"])
  # Pinned versions kept for reference; the latest versions as of 2023-02-17 failed to deploy.
  for_each = {
    "aws-ebs-csi-driver" = { "version" = "v1.15.0-eksbuild.1" }
    "vpc-cni"            = { "version" = "v1.12.2-eksbuild.1" }
    "coredns"            = { "version" = "v1.9.3-eksbuild.2" }
    "kube-proxy"         = { "version" = "v1.24.9-eksbuild.2" }
  }

  cluster_name = aws_eks_cluster.eks-cluster.name
  addon_name   = each.key
  # addon_version = each.value["version"]

  # NOTE(review): aws-ebs-csi-driver normally needs service_account_role_arn (IRSA);
  # without it the driver presumably runs with the node role, whose managed policies
  # in this file grant no EBS volume permissions.
  # NOTE(review): coredns cannot become ready before worker nodes exist; that is a
  # plausible cause of the deploy failure noted above — a depends_on on
  # aws_eks_node_group.eks-nodegroup may be what is missing.

  tags = local.default-tags
}
# IAM role for the managed worker nodes (trusts ec2.amazonaws.com).
resource "aws_iam_role" "eks-nodegroup-role" {
  name = "${local.resource-prefix}-nodegroup-role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Principal = { Service = "ec2.amazonaws.com" }
        Action    = "sts:AssumeRole"
      }
    ]
  })

  # NOTE(review): AmazonEKS_CNI_Policy on the node role makes ENI/IP-management
  # rights available to any pod that can reach the instance metadata service;
  # AWS's recommended placement is the aws-node service account via IRSA.
  managed_policy_arns = [
    "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
    "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
    "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
    "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy",
  ]

  tags = local.default-tags
}
# Recommended EKS-optimized Amazon Linux 2 AMI release for the cluster's
# Kubernetes version, read from the public SSM parameter so that the node
# group's release_version tracks the control plane version.
data "aws_ssm_parameter" "eks_ami_release_version" {
  name = "/aws/service/eks/optimized-ami/${aws_eks_cluster.eks-cluster.version}/amazon-linux-2/recommended/release_version"
}
# SSH key pair registered for the managed node group (also reused by the bastion).
# Generate it once by hand: ssh-keygen -t ed25519 -f eks-node-sshkey
# Only the public half is read here; file() requires the file to exist at plan time.
resource "aws_key_pair" "eks-node-sshkey" {
  key_name   = "${local.resource-prefix}-eks-node-sshkey"
  public_key = file("${path.module}/eks-node-sshkey.pub")
}
# Security group used as the node group's SSH source: port 22 from inside the
# VPC CIDR only; all outbound traffic allowed.
resource "aws_security_group" "eks-node-sg" {
  name        = "${local.resource-prefix}-eks-node-sg"
  description = "Allow ssh to EKS nodes"
  vpc_id      = data.terraform_remote_state.vpc.outputs.vpc-id

  ingress {
    description = "SSH from VPC"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [data.terraform_remote_state.vpc.outputs.vpc-cidr]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = local.default-tags
}
# Managed node group in the private subnets. The AMI release is pinned to the
# SSM-recommended build for the cluster version so nodes and control plane stay aligned.
resource "aws_eks_node_group" "eks-nodegroup" {
  cluster_name           = aws_eks_cluster.eks-cluster.name
  node_group_name_prefix = "${local.resource-prefix}-eks-ng"
  node_role_arn          = aws_iam_role.eks-nodegroup-role.arn
  subnet_ids             = data.terraform_remote_state.vpc.outputs.private-subnet-ids

  version = aws_eks_cluster.eks-cluster.version
  # SSM parameter values are marked sensitive; nonsensitive() lets the release
  # string show up in plan output.
  release_version = nonsensitive(data.aws_ssm_parameter.eks_ami_release_version.value)

  instance_types = ["t3.small"]

  scaling_config {
    desired_size = 1
    min_size     = 1
    max_size     = 2
  }

  update_config {
    max_unavailable = 1
  }

  # Port 22 on the nodes is opened only to members of eks-node-sg. If
  # source_security_group_ids were left empty with an SSH key set, EKS would
  # open port 22 to 0.0.0.0/0.
  remote_access {
    ec2_ssh_key               = aws_key_pair.eks-node-sshkey.key_name
    source_security_group_ids = [aws_security_group.eks-node-sg.id]
  }

  tags = local.default-tags
}
# AMI for the EKS management (bastion) instance: newest Ubuntu x86_64 HVM SSD
# image published by Canonical.
# NOTE(review): the name pattern spans every Ubuntu release series, so
# most_recent can switch release between applies; pinning the series
# (e.g. ubuntu-jammy-22.04) gives reproducible bastion builds.
data "aws_ami" "ubuntu" {
  most_recent = true
  owners      = ["099720109477"] # Canonical

  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-*-amd64-server-*"]
  }

  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }
}
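# Security group for the bastion: SSH only from one fixed administrator address;
# all outbound traffic allowed.
resource "aws_security_group" "eks-bast-sg" {
  name        = "${local.resource-prefix}-eks-bast-sg"
  description = "Allow ssh to EKS bast"
  vpc_id      = data.terraform_remote_state.vpc.outputs.vpc-id

  # Fix: the rule description said "SSH from VPC" while the source is a single
  # external /32, not the VPC CIDR; a wrong description misleads security-group
  # audits. The address is hard-coded — moving it to a variable would avoid
  # editing this file each time it changes.
  ingress {
    description = "SSH from admin IP"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["223.18.148.85/32"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = local.default-tags
}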
# IAM role for the bastion instance (trusts ec2.amazonaws.com).
# NOTE(review): the effective grant is eks:* and ecr:* on every resource plus
# ReadOnlyAccess, which includes data-read actions such as s3:Get* across the
# whole account — far wider than "describe this cluster / pull from ECR".
# Scoping eks:* to aws_eks_cluster.eks-cluster.arn, limiting ecr:* to read
# actions, and dropping ReadOnlyAccess would be the least-privilege shape; left
# unchanged here because it may break the eksctl/kubectl workflow the bastion's
# user_data sets up.
# inline_policy and managed_policy_arns are deprecated in recent AWS provider
# releases in favor of aws_iam_role_policy / aws_iam_role_policy_attachment.
resource "aws_iam_role" "eks-bast-role" {
  name = "${local.resource-prefix}-bast-role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Principal = { Service = "ec2.amazonaws.com" }
        Action    = "sts:AssumeRole"
      }
    ]
  })

  inline_policy {
    name = "eks-bast-policy"

    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          Effect   = "Allow"
          Action   = ["eks:*", "ecr:*"]
          Resource = "*"
        },
      ]
    })
  }

  managed_policy_arns = ["arn:aws:iam::aws:policy/ReadOnlyAccess"]

  tags = local.default-tags
}
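# Instance profile that attaches the bastion role to the EC2 instance.
# The name now follows the resource-prefix convention every other named resource
# in this module uses; the previous fixed name "eksBastIamProfile" would collide
# if the module were deployed twice in one account. Renaming forces the profile
# to be recreated.
resource "aws_iam_instance_profile" "eks-bast-iam-profile" {
  name = "${local.resource-prefix}-eks-bast-iam-profile"
  role = aws_iam_role.eks-bast-role.name
}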
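# Bastion / management host in a public subnet. It carries the eks-bast-role
# credentials, so the hardening that matters here is: IMDSv2 only, encrypted
# root volume, and a bootstrap script that fails loudly and verifies downloads.
resource "aws_instance" "eks-bast" {
  ami                         = data.aws_ami.ubuntu.id
  instance_type               = "t3.micro"
  associate_public_ip_address = true
  ebs_optimized               = true
  # Same key pair as the worker nodes: one leaked private key opens both tiers.
  key_name = aws_key_pair.eks-node-sshkey.key_name
  # Membership in the cluster security group grants the bastion that group's
  # member-to-member allow rule, i.e. network reach to the API endpoint and the
  # nodes, not just port 443.
  vpc_security_group_ids = [aws_security_group.eks-bast-sg.id, aws_eks_cluster.eks-cluster.vpc_config[0].cluster_security_group_id]
  subnet_id              = data.terraform_remote_state.vpc.outputs.public-subnet-ids[0]
  iam_instance_profile   = aws_iam_instance_profile.eks-bast-iam-profile.name

  # Require IMDSv2 session tokens so the role credentials cannot be fetched with
  # an unauthenticated GET to the metadata endpoint.
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }

  root_block_device {
    volume_size = 8
    volume_type = "gp3"
    # At-rest encryption for whatever lands on disk (kubeconfig, AWS CLI cache).
    encrypted = true
    tags      = local.default-tags
  }

  tags = merge(local.default-tags, { "Name" : "${local.resource-prefix}-eks-bast" })

  # user_data only runs at first boot; without this, fixes to the script below
  # would never reach an already-running bastion.
  user_data_replace_on_change = true

  # cloud-init runs this as root, so no sudo is needed. "$" not followed by "{"
  # is not Terraform interpolation, so the shell expansions pass through as-is.
  user_data = <<-EOF
    #!/bin/bash
    # Stop on the first error, including a failed download inside a pipeline;
    # the original script continued past failures silently.
    set -euo pipefail
    export DEBIAN_FRONTEND=noninteractive
    WORKDIR="$(mktemp -d)"
    cd "$WORKDIR"

    echo "Install unzip"
    # A fresh image has no package index; apt install alone fails there.
    apt-get update -y
    apt-get install -y unzip

    echo "Install eksctl"
    PLATFORM="$(uname -s)_amd64"
    curl --silent --location "https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_$PLATFORM.tar.gz" -o "eksctl_$PLATFORM.tar.gz"
    # Verify the archive against the checksum file published with the release.
    curl --silent --location "https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_checksums.txt" | grep "$PLATFORM" | sha256sum --check
    tar xzf "eksctl_$PLATFORM.tar.gz" -C /tmp
    install -o root -g root -m 0755 /tmp/eksctl /usr/local/bin/eksctl

    echo "Install kubectl"
    KUBECTL_VERSION="$(curl -L -s https://dl.k8s.io/release/stable.txt)"
    curl -LO "https://dl.k8s.io/release/$KUBECTL_VERSION/bin/linux/amd64/kubectl"
    curl -LO "https://dl.k8s.io/release/$KUBECTL_VERSION/bin/linux/amd64/kubectl.sha256"
    echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check
    install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl

    echo "Install awscliv2"
    curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
    # NOTE(review): AWS publishes a PGP signature for this archive; it is not
    # verified here yet, so this download still rests on TLS alone.
    unzip -q awscliv2.zip
    ./aws/install

    cd /
    rm -rf "$WORKDIR"
  EOF
}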