terraform.aws-baseline-infra/examples/eks-managed-nodegroup/bastion.tf


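# Bastion host for reaching the EKS cluster. Access is via SSM (module.sg has
# no inbound SSH rule); kubectl is installed from user_data at first boot.
module "bastion" {
  source  = "terraform-aws-modules/ec2-instance/aws"
  version = "5.5.0"

  name          = "lab-ken2026-eks-bastion"
  instance_type = "t3.micro"
  ami           = data.aws_ami.this.id
  # The AMI lookup uses most_recent = true; ignoring AMI drift keeps a newer
  # AL2023 release from forcing instance replacement on every apply.
  ignore_ami_changes = true
  subnet_id          = var.subnet_ids[0]
  # The cluster primary SG is attached so rules that reference that SG admit
  # this host — presumably the private API endpoint; verify against module.eks.
  vpc_security_group_ids = [module.sg.id, module.eks.cluster_primary_security_group_id]

  create_iam_instance_profile = true
  iam_role_description        = "IAM role for EC2 instance"
  iam_role_policies = {
    SSMManagedInstanceCore = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
    CloudwatchAgent        = "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
    # NOTE(review): AdministratorAccess on an instance profile makes the whole
    # account reachable from any process on this host. Kept for the lab; scope
    # it down to what kubeconfig retrieval and cluster access need before reuse.
    Admin = "arn:aws:iam::aws:policy/AdministratorAccess"
  }

  key_name      = "kf-key"
  ebs_optimized = true
  root_block_device = [
    {
      encrypted   = true
      volume_type = "gp3"
      volume_size = 10
    },
  ]
  volume_tags = data.aws_default_tags.this.tags

  # IMDSv2 requirement: token-only metadata access closes the classic
  # SSRF-to-instance-credentials path. A hop limit of 2 lets a process behind
  # a container bridge reach IMDS; 1 is tighter if nothing containerised runs here.
  metadata_options = {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 2
  }

  # Installs the latest stable kubectl as root at first boot. Unlike a bare
  # `curl -LO ... && mv`: the script aborts on any failed step, curl -f refuses
  # to save an HTTP error page as the binary, and the published .sha256 is
  # checked before the file is made executable and placed on PATH.
  # `$${...}` is a literal `${...}` once Terraform unescapes the heredoc.
  user_data = <<-EOF
    #!/bin/bash
    set -euo pipefail
    release_base="https://storage.googleapis.com/kubernetes-release/release"
    release="$(curl -fsSL "$${release_base}/stable.txt")"
    workdir="$(mktemp -d)"
    cd "$${workdir}"
    curl -fsSLO "$${release_base}/$${release}/bin/linux/amd64/kubectl"
    curl -fsSLO "$${release_base}/$${release}/bin/linux/amd64/kubectl.sha256"
    echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check
    install -m 0755 kubectl /usr/local/bin/kubectl
    cd / && rm -rf "$${workdir}"
  EOF
}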
# Security group for the bastion: no inbound SSH (SSM is the access path),
# ICMP echo request accepted from anywhere, unrestricted egress.
module "sg" {
  source = "../../modules/compute/security_group"

  name   = "lab-ken2026-eks-bastion-sg"
  vpc-id = var.vpc_id
  # NOTE(review): the description still says "web server" although this is the
  # bastion SG. Left unchanged because editing an SG description typically
  # forces the group to be replaced.
  description = "Security group for web server"

  # Rule strings appear to be "protocol,from,to,cidr,description" as parsed by
  # the local module — TODO confirm against modules/compute/security_group.
  ingress = {
    # ICMP type 8 (echo request), any code, from any source.
    r1 = "icmp,8,-1,0.0.0.0/0,Allow ICMP traffic"
  }
  egress = {
    r1 = "tcp,0,65535,0.0.0.0/0,Allow outbound tcp traffic"
    r2 = "udp,0,65535,0.0.0.0/0,Allow outbound udp traffic"
    r3 = "icmp,0,-1,0.0.0.0/0,Allow icmp echo reply"
  }
}
# Provider-level default_tags, re-applied explicitly to the bastion's EBS
# volumes through module.bastion.volume_tags.
data "aws_default_tags" "this" {
}
# Newest Amazon Linux 2023 x86_64 HVM/EBS-backed image published by the
# listed owner; consumed by module.bastion.ami.
data "aws_ami" "this" {
  # NOTE(review): confirm 910595266909 is the Amazon-owned AMI account for the
  # target region/partition (commercial regions commonly use 137112412989), or
  # use the "amazon" owner alias. A wrong owner combined with a loose
  # name_regex could select a third-party image.
  owners      = ["910595266909"] # AWS
  most_recent = true
  # Matches the AL2023 naming scheme (al2023-ami-2023…); with most_recent the
  # latest release wins.
  name_regex = "al2023-ami-202.*"

  filter {
    name   = "architecture"
    values = ["x86_64"]
  }

  filter {
    name   = "root-device-type"
    values = ["ebs"]
  }

  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }
}