NEW: EKS sample code

This commit is contained in:
xpk 2023-02-21 12:26:31 +08:00
parent c92c22f4bd
commit 734b81fc2b
Signed by: xpk
GPG Key ID: CD4FF6793F09AB86
59 changed files with 6705 additions and 68 deletions


@ -0,0 +1,10 @@
# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.
provider "registry.terraform.io/hashicorp/aws" {
version = "4.55.0"
constraints = ">= 3.25.0"
hashes = [
"h1:VHfmrKCb4oTW/+rWGKKqipoMOPd4tPxlGwMp0/Flx/s=",
]
}


@ -0,0 +1 @@
/home/kn/.terraform.d/plugin-cache/registry.terraform.io/hashicorp/aws/4.55.0/linux_amd64


@ -0,0 +1,119 @@
# eks-lab/eks
This layer creates the following resources
- EKS cluster using ipv6 for service network
- EKS nodegroup
- EKS bastion
- Install eksctl, kubectl, awscliv2, helm on EKS bastion with user_data script
Be patient. EKS cluster takes 12min to provision. Node group will take another 5 min. And the cluster addon takes another ?? min.
## Worker node instance size
Choose t3.large at the minimum. This is due to AWS's limitation on number of IPs. Smaller instanecs are limited with 6 IP
which is not enough. See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html#AvailableIpPerENI
## How to use eksctl and kubectl
By default, AWS EKS are installed with an aws-auth configmap which allows only the cluster creator
to work with the cluster. Therefore, one must first assume to the creator IAM role before running eksctl or kubectl.
For example, to create kube config, run these commands:
```bash
export AWS_ACCESS_KEY_ID=xxxx AWS_SECRET_ACCESS_KEY="yyyy" AWS_DEFAULT_REGION=ap-northeast-1
aws eks update-kubeconfig --name lab-apne1-xpk-iac-cluster01
```
## Edit configmap/aws-auth
```
kubectl edit -n kube-system configmap/aws-auth
```
Add a group with system:master role
```yaml
apiVersion: v1
data:
mapRoles: |
- groups:
- system:bootstrappers
- system:nodes
rolearn: arn:aws:iam::040216112220:role/clusterCreator
username: system:node:Template:EC2PrivateDNSName
- groups:
- system:masters
rolearn: arn:aws:iam::040216112220:role/lab-apne1-xpk-iac-bast-role
username: lab-apne1-xpk-iac-bast-role
kind: ConfigMap
metadata:
creationTimestamp: "2022-12-29T11:02:15Z"
name: aws-auth
namespace: kube-system
resourceVersion: "59670"
uid: 7cf9d889-8ed2-4c8d-ac0f-092184cede8a
```
## Addon updates
When updating addons, please select advanced options and choose preserve settings.
## Install ALB ingress controller
AWS provides documentation on how to deploy a sample application with ingress (ALB)
https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html
That depends on the load balancer container, which can be deployed by
```bash
curl -O https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.4.4/docs/install/iam_policy.json
aws iam create-policy \
--policy-name AWSLoadBalancerControllerIAMPolicy \
--policy-document file://iam_policy.json
```
Create an openid provider on iam
https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html
```
eksctl create iamserviceaccount \
--cluster=lab-apne1-xpk-iac-cluster01 \
--namespace=kube-system \
--name=aws-load-balancer-controller \
--role-name AmazonEKSLoadBalancerControllerRole \
--attach-policy-arn=arn:aws:iam::040216112220:policy/AWSLoadBalancerControllerIAMPolicy \
--approve
helm repo add eks https://aws.github.io/eks-charts
helm repo update
helm install aws-load-balancer-controller eks/aws-load-balancer-controller \
-n kube-system \
--set clusterName=lab-apne1-xpk-iac-cluster01 \
--set serviceAccount.create=false \
--set serviceAccount.name=aws-load-balancer-controller
```
## Tag subnets
Reference: https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html
The following tags are set in the network layer:
On private subnets:
Key kubernetes.io/role/internal-elb
Value 1
On public subnets:
Key kubernetes.io/role/elb
Value 1
## Install sample app the 2048 game
See https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html
```bash
curl -O https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.4.4/docs/examples/2048/2048_full.yaml
edit the file
kubectl apply -f 2048_full.yaml
kubectl get ingress/ingress-2048 -n game-2048
```
In a moment, the lb address should be displayed
```bash
root@ip-192-168-123-187:~# kubectl get ingress/ingress-2048 -n game-2048
NAME CLASS HOSTS ADDRESS PORTS AGE
ingress-2048 alb * internal-k8s-game2048-ingress2-5f196824a1-20502803.ap-northeast-1.elb.amazonaws.com 80 7s
```


@ -0,0 +1,7 @@
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACDQnEGn3cwEav+pMKXYvP3KjDYpB+Po/wpcrmQZnh31wgAAAJDu9hUF7vYV
BQAAAAtzc2gtZWQyNTUxOQAAACDQnEGn3cwEav+pMKXYvP3KjDYpB+Po/wpcrmQZnh31wg
AAAEBcvMSW9eqRM2Kd3obuJfHma+nzrsMiRSHO09wjSg4KF9CcQafdzARq/6kwpdi8/cqM
NikH4+j/ClyuZBmeHfXCAAAADWtuQGlzbS56b28ubG8=
-----END OPENSSH PRIVATE KEY-----
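Review bot: This section adds an OpenSSH private key to the repository, which makes the key compromised from the moment the commit is pushed; it is the key used as `ec2_ssh_key` for the node group and as `key_name` for the bastion in the eks main.tf section of this commit. The key should be rotated, purged from the repository history, and excluded with a `.gitignore` entry such as `eks-node-sshkey` — only the `.pub` file in the next section is read by `file("${path.module}/eks-node-sshkey.pub")`, so nothing in the Terraform code needs the private half. The same concern applies to the other local artifacts added here: the `.terraform` plugin-cache path files and the `terraform.tfstate` near the end of the page, which records the account id, caller ARN, IAM user id and every resource id in clear text.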


@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINCcQafdzARq/6kwpdi8/cqMNikH4+j/ClyuZBmeHfXC kn@ism.zoo.lo


@ -0,0 +1,18 @@
data "aws_caller_identity" "this" {}
locals {
default-tags = merge({
ServiceProvider = "None"
Environment = var.environment
Project = var.project
Application = var.application
TerraformMode = "managed"
TerraformDir = "${local.path-cwd-list[length(local.path-cwd-list) - 2]}/${local.path-cwd-list[length(local.path-cwd-list) - 1]}"
CreatedBy = data.aws_caller_identity.this.arn
BuildDate = formatdate("YYYYMMDD", timestamp())
})
resource-prefix = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}"
path-cwd-list = split("/", path.cwd)
}
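Review bot: `BuildDate = formatdate("YYYYMMDD", timestamp())` inside `default-tags` makes every tagged resource non-idempotent: `timestamp()` is re-evaluated on each plan, so as soon as the day changes every resource carrying `local.default-tags` shows an in-place tag update, and `TerraformDir` derived from `path.cwd` likewise varies with the directory the operator happens to run from. Consider dropping `BuildDate` or taking it from an input variable, or at minimum adding `lifecycle { ignore_changes = [tags] }` on the affected resources so the tag drift does not mask real changes in the plan. The identical locals block appears again in the network layer further down the page.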


@ -0,0 +1,306 @@
data "terraform_remote_state" "vpc" {
backend = "local"
config = {
path = "../network/terraform.tfstate"
}
}
resource "aws_iam_role" "eks-cluster-role" {
name = "${local.resource-prefix}-cluster-role"
assume_role_policy = jsonencode({
"Version" : "2012-10-17",
"Statement" : [
{
"Effect" : "Allow",
"Principal" : {
"Service" : "eks.amazonaws.com"
},
"Action" : "sts:AssumeRole"
}
]
}
)
managed_policy_arns = ["arn:aws:iam::aws:policy/AmazonEKSClusterPolicy", "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController"]
tags = local.default-tags
}
resource "aws_eks_cluster" "eks-cluster" {
name = "${local.resource-prefix}-cluster01"
role_arn = aws_iam_role.eks-cluster-role.arn
vpc_config {
subnet_ids = data.terraform_remote_state.vpc.outputs.private-subnet-ids
endpoint_private_access = true
endpoint_public_access = false
}
enabled_cluster_log_types = ["api", "audit"]
kubernetes_network_config {
ip_family = "ipv6"
}
tags = local.default-tags
}
resource "aws_eks_addon" "eks-addons" {
# for_each = toset(["vpc-cni", "coredns", "kube-proxy", "aws-ebs-csi-driver"])
# latest version as on 2023-02-17 failed to deploy
for_each = {
"aws-ebs-csi-driver" : {
"version" : "v1.15.0-eksbuild.1"
},
"vpc-cni" : {
"version" : "v1.12.2-eksbuild.1"
},
"coredns" : {
"version" : "v1.9.3-eksbuild.2"
},
"kube-proxy" : {
"version" : "v1.24.9-eksbuild.1"
}
}
cluster_name = aws_eks_cluster.eks-cluster.name
addon_name = each.key
addon_version = each.value["version"]
}
resource "aws_iam_role" "eks-nodegroup-role" {
name = "${local.resource-prefix}-nodegroup-role"
assume_role_policy = jsonencode({
"Version" : "2012-10-17",
"Statement" : [
{
"Effect" : "Allow",
"Principal" : {
"Service" : "ec2.amazonaws.com"
},
"Action" : "sts:AssumeRole"
}
]
}
)
managed_policy_arns = [
"arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
"arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
]
inline_policy {
name = "IP6CniAccess"
policy = jsonencode({
"Version" : "2012-10-17",
"Statement" : [
{
"Effect" : "Allow",
"Action" : [
"ec2:AssignIpv6Addresses",
"ec2:DescribeInstances",
"ec2:DescribeTags",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeInstanceTypes"
],
"Resource" : "*"
},
{
"Effect" : "Allow",
"Action" : [
"ec2:CreateTags"
],
"Resource" : [
"arn:aws:ec2:*:*:network-interface/*"
]
}
]
})
}
inline_policy {
name = "AlbIngressAccess"
policy = jsonencode({
"Version" : "2012-10-17",
"Statement" : [
{
"Effect" : "Allow",
"Action" : [
"elasticloadbalancing:*"
],
"Resource" : "*"
}
]
})
}
tags = local.default-tags
}
data "aws_ssm_parameter" "eks_ami_release_version" {
name = "/aws/service/eks/optimized-ami/${aws_eks_cluster.eks-cluster.version}/amazon-linux-2/recommended/release_version"
}
# manually generate the key: ssh-keygen -ted25519 -f eks-node-sshkey
# file() can only read pre-existing file
resource "aws_key_pair" "eks-node-sshkey" {
key_name = "${local.resource-prefix}-eks-node-sshkey"
public_key = file("${path.module}/eks-node-sshkey.pub")
}
resource "aws_security_group" "eks-node-sg" {
name = "${local.resource-prefix}-eks-node-sg"
description = "Allow ssh to EKS nodes"
vpc_id = data.terraform_remote_state.vpc.outputs.vpc-id
ingress {
description = "SSH from VPC"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = [data.terraform_remote_state.vpc.outputs.vpc-cidr]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
tags = local.default-tags
}
resource "aws_eks_node_group" "eks-nodegroup" {
cluster_name = aws_eks_cluster.eks-cluster.name
node_group_name_prefix = "${local.resource-prefix}-eks-ng"
node_role_arn = aws_iam_role.eks-nodegroup-role.arn
subnet_ids = data.terraform_remote_state.vpc.outputs.private-subnet-ids
version = aws_eks_cluster.eks-cluster.version
release_version = nonsensitive(data.aws_ssm_parameter.eks_ami_release_version.value)
instance_types = ["t3.large"] # see README.md
scaling_config {
desired_size = 1
max_size = 2
min_size = 1
}
update_config {
max_unavailable = 1
}
remote_access {
ec2_ssh_key = aws_key_pair.eks-node-sshkey.key_name
source_security_group_ids = [aws_security_group.eks-node-sg.id]
}
tags = local.default-tags
}
# ec2 instance for EKS management
data "aws_ami" "ubuntu" {
most_recent = true
filter {
name = "name"
values = ["ubuntu/images/hvm-ssd/ubuntu-*-amd64-server-*"]
}
filter {
name = "virtualization-type"
values = ["hvm"]
}
owners = ["099720109477"] # Canonical
}
resource "aws_security_group" "eks-bast-sg" {
name = "${local.resource-prefix}-eks-bast-sg"
description = "Allow ssh to EKS bast"
vpc_id = data.terraform_remote_state.vpc.outputs.vpc-id
ingress {
description = "SSH from VPC"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["223.18.148.85/32"]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
tags = local.default-tags
}
resource "aws_iam_role" "eks-bast-role" {
name = "${local.resource-prefix}-bast-role"
assume_role_policy = jsonencode({
"Version" : "2012-10-17",
"Statement" : [
{
"Effect" : "Allow",
"Principal" : {
"Service" : "ec2.amazonaws.com"
},
"Action" : "sts:AssumeRole"
}
]
})
inline_policy {
name = "eks-bast-policy"
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = ["eks:*", "ecr:*"]
Effect = "Allow"
Resource = "*"
},
]
})
}
managed_policy_arns = ["arn:aws:iam::aws:policy/ReadOnlyAccess"]
tags = local.default-tags
}
resource "aws_iam_instance_profile" "eks-bast-iam-profile" {
name = "eksBastIamProfile"
role = aws_iam_role.eks-bast-role.name
}
resource "aws_instance" "eks-bast" {
ami = data.aws_ami.ubuntu.id
instance_type = "t3.micro"
associate_public_ip_address = true
ebs_optimized = true
key_name = aws_key_pair.eks-node-sshkey.key_name
vpc_security_group_ids = [aws_security_group.eks-bast-sg.id, aws_eks_cluster.eks-cluster.vpc_config[0].cluster_security_group_id]
subnet_id = data.terraform_remote_state.vpc.outputs.public-subnet-ids[0]
iam_instance_profile = aws_iam_instance_profile.eks-bast-iam-profile.name
root_block_device {
volume_size = 8
volume_type = "gp3"
tags = local.default-tags
}
tags = merge(local.default-tags, { "Name" : "${local.resource-prefix}-eks-bast" })
user_data = <<EOF
#!/bin/bash
echo "Install unzip"
apt install unzip -y
echo "Install eksctl"
curl --silent --location "https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_$(uname -s)_amd64.tar.gz" | tar xz -C /tmp
mv /tmp/eksctl /usr/local/bin
echo "Install kubectl"
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
mv kubectl /usr/local/bin/
chmod 755 /usr/local/bin/kubectl
echo "Install awscliv2"
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install
echo "Install helm"
curl -q https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
EOF
}
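Review bot: The bastion role's inline policy grants `eks:*` and `ecr:*` on `Resource = "*"` on top of `ReadOnlyAccess`, and the node role's `AlbIngressAccess` policy grants `elasticloadbalancing:*` on `*` to every worker node, where any pod can obtain those credentials through the instance metadata service; the README in this commit already installs the load-balancer controller with an IRSA service account, so the node-level grant is redundant and should be removed, and the bastion policy narrowed to the cluster ARN and the actions actually used (`eks:DescribeCluster` is what `update-kubeconfig` needs). The bastion SG hard-codes a personal address `223.18.148.85/32` while the instance has a public IP and an instance profile; take the allowed CIDR from a variable and add `metadata_options { http_tokens = "required" }` so IMDSv2 is enforced for the profile credentials. The `user_data` script pipes unpinned downloads straight into `tar` and `bash` (`eksctl … releases/latest`, `get-helm-3`) with no checksum verification and runs `apt install` without a prior `apt-get update`; pin the versions, verify the published checksums (kubectl publishes `kubectl.sha256` beside the binary), and start the script with `set -euo pipefail`. The same committed `eks-node-sshkey` is reused for both the nodes and the bastion, and the Ubuntu AMI lookup `ubuntu-*-amd64-server-*` with `most_recent = true` matches any release series, so the series should be pinned in the name filter. On the cluster itself, consider adding `"authenticator"` to `enabled_cluster_log_types` and an `encryption_config` block for envelope encryption of secrets, since the private endpoint alone covers neither.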


@ -0,0 +1,9 @@
/*
output eks-cluster-sg {
value = aws_eks_cluster.eks-cluster.vpc_config.*.cluster_security_group_id
}
*/
output eks-bast-ip {
value = aws_instance.eks-bast.public_ip
}


@ -0,0 +1,13 @@
provider "aws" {
region = var.aws-region
}
terraform {
required_version = ">= 1.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 3.25"
}
}
}
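Review bot: `version = ">= 3.25"` in `required_providers` has no upper bound, so a fresh `terraform init` run without the lock file can pull any future major release of the AWS provider, breaking changes included; the lock file in this commit already pins `4.55.0`, so the constraint should say so, e.g. `version = "~> 4.55"`. The network layer's provider file further down the page carries the same unbounded constraint.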




@ -0,0 +1,6 @@
aws-region = "ap-northeast-1"
aws-region-short = "apne1"
customer-name = "xpk"
environment = "lab"
project = "iac"
application = "eks"


@ -0,0 +1,6 @@
variable "aws-region" {}
variable "aws-region-short" {}
variable "customer-name" {}
variable "environment" {}
variable "project" {}
variable "application" {}
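Review bot: All six variables are declared with empty bodies, so they accept any type and carry no description; declare each as `variable "aws-region" { type = string  description = "AWS region to deploy into" }` (and likewise for the rest) so `terraform validate` rejects a wrong type and the tfvars file in this commit is self-explanatory. The hyphenated names are legal but unusual in Terraform, where underscores are the convention; renaming is optional but would make `var.aws_region` consistent with the provider attribute names used elsewhere.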


@ -0,0 +1,10 @@
# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.
provider "registry.terraform.io/hashicorp/aws" {
version = "4.55.0"
constraints = ">= 3.25.0"
hashes = [
"h1:VHfmrKCb4oTW/+rWGKKqipoMOPd4tPxlGwMp0/Flx/s=",
]
}


@ -0,0 +1 @@
/home/kn/.terraform.d/plugin-cache/registry.terraform.io/hashicorp/aws/4.55.0/linux_amd64


@ -0,0 +1,10 @@
# eks-lab/network
This module creates the following resources
- VPC
- Public and private subnets
- NAT gateway
Ipv6 is enabled on EKS subnets. See
https://docs.aws.amazon.com/eks/latest/userguide/cni-ipv6.html
https://docs.aws.amazon.com/eks/latest/userguide/cni-iam-role.html#cni-iam-role-create-ipv6-policy
https://aws.amazon.com/premiumsupport/knowledge-center/eks-failed-create-pod-sandbox/


@ -0,0 +1,18 @@
data "aws_caller_identity" "this" {}
locals {
default-tags = merge({
ServiceProvider = "None"
Environment = var.environment
Project = var.project
Application = var.application
TerraformMode = "managed"
TerraformDir = "${local.path-cwd-list[length(local.path-cwd-list) - 2]}/${local.path-cwd-list[length(local.path-cwd-list) - 1]}"
CreatedBy = data.aws_caller_identity.this.arn
BuildDate = formatdate("YYYYMMDD", timestamp())
})
resource-prefix = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}"
path-cwd-list = split("/", path.cwd)
}


@ -0,0 +1,133 @@
# Create VPC and subnets
resource "aws_vpc" "vpc1" {
cidr_block = "192.168.123.0/24"
assign_generated_ipv6_cidr_block = true
enable_dns_support = true
enable_dns_hostnames = true
tags = merge(local.default-tags, { "Name" : "${local.resource-prefix}-vpc1" })
}
data "aws_availability_zones" "azs" {
state = "available"
}
# kubernetes tag is needed for alb ingress controller
resource "aws_subnet" "private-subnets" {
count = 2
availability_zone = data.aws_availability_zones.azs.names[count.index]
vpc_id = aws_vpc.vpc1.id
cidr_block = cidrsubnet(aws_vpc.vpc1.cidr_block, 2, count.index)
assign_ipv6_address_on_creation = true
# ipv6 subnets must be a /64
ipv6_cidr_block = cidrsubnet(aws_vpc.vpc1.ipv6_cidr_block, 8, count.index)
enable_resource_name_dns_a_record_on_launch = true
tags = merge(local.default-tags,
{ "Name" : "${local.resource-prefix}-private-${data.aws_availability_zones.azs.names[count.index]}" },
{ "kubernetes.io/role/internal-elb" : "1" }
)
}
# kubernetes tag is needed for alb ingress controller
resource "aws_subnet" "public-subnets" {
count = 2
availability_zone = data.aws_availability_zones.azs.names[count.index]
vpc_id = aws_vpc.vpc1.id
cidr_block = cidrsubnet(aws_vpc.vpc1.cidr_block, 2, count.index + 2)
assign_ipv6_address_on_creation = true
# ipv6 subnets must be a /64
ipv6_cidr_block = cidrsubnet(aws_vpc.vpc1.ipv6_cidr_block, 8, count.index + 2)
enable_resource_name_dns_a_record_on_launch = true
tags = merge(local.default-tags,
{ "Name" : "${local.resource-prefix}-public-${data.aws_availability_zones.azs.names[count.index]}" },
{ "kubernetes.io/role/elb" : "1" }
)
}
resource "aws_internet_gateway" "igw" {
vpc_id = aws_vpc.vpc1.id
tags = merge(local.default-tags, { "Name" : "${local.resource-prefix}-igw" })
}
resource "aws_eip" "ngw-ip" {
vpc = true
}
resource "aws_nat_gateway" "ngw" {
allocation_id = aws_eip.ngw-ip.id
subnet_id = aws_subnet.public-subnets[0].id
tags = merge(local.default-tags, { "Name" : "${local.resource-prefix}-ngw" })
}
resource "aws_route_table" "public-rtb" {
vpc_id = aws_vpc.vpc1.id
route {
cidr_block = "0.0.0.0/0"
gateway_id = aws_internet_gateway.igw.id
}
tags = merge(local.default-tags, { "Name" : "${local.resource-prefix}-public-rtb" })
}
resource "aws_route_table" "private-rtb" {
vpc_id = aws_vpc.vpc1.id
route {
cidr_block = "0.0.0.0/0"
gateway_id = aws_nat_gateway.ngw.id
}
tags = merge(local.default-tags, { "Name" : "${local.resource-prefix}-private-rtb" })
}
resource "aws_route_table_association" "public-rtb-asso" {
count = length(aws_subnet.public-subnets)
subnet_id = aws_subnet.public-subnets[count.index].id
route_table_id = aws_route_table.public-rtb.id
}
resource "aws_route_table_association" "private-rtb-asso" {
count = length(aws_subnet.private-subnets)
subnet_id = aws_subnet.private-subnets[count.index].id
route_table_id = aws_route_table.private-rtb.id
}
resource "aws_vpc_endpoint" "eks-vpcep" {
vpc_id = aws_vpc.vpc1.id
service_name = "com.amazonaws.${var.aws-region}.eks"
vpc_endpoint_type = "Interface"
security_group_ids = [aws_security_group.generic-ep-sg.id]
private_dns_enabled = true
subnet_ids = aws_subnet.private-subnets.*.id
tags = merge(local.default-tags, { "Name" : "${local.resource-prefix}-vpcep-eks" })
}
resource "aws_security_group" "generic-ep-sg" {
name = "HttpsAccessToVpcEndpoints"
description = "HttpsAccessToVpcEndpoints"
vpc_id = aws_vpc.vpc1.id
ingress {
description = "TLS from VPC"
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = [aws_vpc.vpc1.cidr_block]
}
ingress {
description = "TLS from VPC"
from_port = 443
to_port = 443
protocol = "tcp"
ipv6_cidr_blocks = [aws_vpc.vpc1.ipv6_cidr_block]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
ipv6_cidr_blocks = ["::/0"]
}
tags = merge({ "Name" : "VpcEpAccess" }, local.default-tags)
}
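Review bot: Neither route table carries an IPv6 default route: `private-rtb` only routes `0.0.0.0/0` through the NAT gateway and `public-rtb` only `0.0.0.0/0` through the IGW, yet both subnet sets receive `/64` IPv6 blocks and the cluster in the eks layer runs with `ip_family = "ipv6"`, so nodes and pods have no IPv6 egress unless something outside this layer adds it (the state section further down shows `ipv6_cidr_block` empty on both routes). Add an `aws_egress_only_internet_gateway` with a `::/0` route in `private-rtb` and a `::/0` route via the IGW in `public-rtb`. The NAT route also passes the NAT gateway id as `gateway_id`; `nat_gateway_id` is the argument documented for NAT gateways and is what the state schema expects, as the empty `nat_gateway_id` field in the state file shows. Separately, `name = "HttpsAccessToVpcEndpoints"` on `generic-ep-sg` skips the `resource-prefix` naming convention used by every other resource in the layer.
```hcl
resource "aws_egress_only_internet_gateway" "eigw" {
  vpc_id = aws_vpc.vpc1.id
  tags   = merge(local.default-tags, { "Name" : "${local.resource-prefix}-eigw" })
}
resource "aws_route_table" "public-rtb" {
  vpc_id = aws_vpc.vpc1.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
  route {
    ipv6_cidr_block = "::/0"
    gateway_id      = aws_internet_gateway.igw.id
  }
  # … unchanged: tags …
}
resource "aws_route_table" "private-rtb" {
  vpc_id = aws_vpc.vpc1.id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.ngw.id
  }
  route {
    ipv6_cidr_block        = "::/0"
    egress_only_gateway_id = aws_egress_only_internet_gateway.eigw.id
  }
  # … unchanged: tags …
}
```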


@ -0,0 +1,19 @@
output vpc-cidr {
value = aws_vpc.vpc1.cidr_block
}
output vpc-cidr6 {
value = aws_vpc.vpc1.ipv6_cidr_block
}
output vpc-id {
value = aws_vpc.vpc1.id
}
output private-subnet-ids {
value = aws_subnet.private-subnets.*.id
}
output public-subnet-ids {
value = aws_subnet.public-subnets.*.id
}


@ -0,0 +1,13 @@
provider "aws" {
region = var.aws-region
}
terraform {
required_version = ">= 1.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 3.25"
}
}
}


@ -0,0 +1,966 @@
{
"version": 4,
"terraform_version": "1.3.7",
"serial": 107,
"lineage": "65963b11-e76c-9a8d-95d5-827c62984fca",
"outputs": {
"private-subnet-ids": {
"value": [
"subnet-0a9f75c427054ca39",
"subnet-03837a4f086fe607a"
],
"type": [
"tuple",
[
"string",
"string"
]
]
},
"public-subnet-ids": {
"value": [
"subnet-0836e26b02828e6b7",
"subnet-0269d50d924f5c3ad"
],
"type": [
"tuple",
[
"string",
"string"
]
]
},
"vpc-cidr": {
"value": "192.168.123.0/24",
"type": "string"
},
"vpc-cidr6": {
"value": "2406:da14:ece:ed00::/56",
"type": "string"
},
"vpc-id": {
"value": "vpc-051d8405604cd730d",
"type": "string"
}
},
"resources": [
{
"mode": "data",
"type": "aws_availability_zones",
"name": "azs",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"all_availability_zones": null,
"exclude_names": null,
"exclude_zone_ids": null,
"filter": null,
"group_names": [
"ap-northeast-1"
],
"id": "ap-northeast-1",
"names": [
"ap-northeast-1a",
"ap-northeast-1c",
"ap-northeast-1d"
],
"state": "available",
"timeouts": null,
"zone_ids": [
"apne1-az4",
"apne1-az1",
"apne1-az2"
]
},
"sensitive_attributes": []
}
]
},
{
"mode": "data",
"type": "aws_caller_identity",
"name": "this",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"account_id": "040216112220",
"arn": "arn:aws:iam::040216112220:user/ken2026",
"id": "040216112220",
"user_id": "AIDAQSXIRFROOXYISSIEQ"
},
"sensitive_attributes": []
}
]
},
{
"mode": "managed",
"type": "aws_eip",
"name": "ngw-ip",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"address": null,
"allocation_id": "eipalloc-0f20fcbac83515afe",
"associate_with_private_ip": null,
"association_id": "eipassoc-078c7da22f4bbb437",
"carrier_ip": "",
"customer_owned_ip": "",
"customer_owned_ipv4_pool": "",
"domain": "vpc",
"id": "eipalloc-0f20fcbac83515afe",
"instance": "",
"network_border_group": "ap-northeast-1",
"network_interface": "eni-05bcb407c70c05922",
"private_dns": "ip-192-168-123-165.ap-northeast-1.compute.internal",
"private_ip": "192.168.123.165",
"public_dns": "ec2-35-72-134-157.ap-northeast-1.compute.amazonaws.com",
"public_ip": "35.72.134.157",
"public_ipv4_pool": "amazon",
"tags": {},
"tags_all": {},
"timeouts": null,
"vpc": true
},
"sensitive_attributes": [],
"private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiZGVsZXRlIjoxODAwMDAwMDAwMDAsInJlYWQiOjkwMDAwMDAwMDAwMCwidXBkYXRlIjozMDAwMDAwMDAwMDB9fQ=="
}
]
},
{
"mode": "managed",
"type": "aws_internet_gateway",
"name": "igw",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"arn": "arn:aws:ec2:ap-northeast-1:040216112220:internet-gateway/igw-0aa724367074ec9ed",
"id": "igw-0aa724367074ec9ed",
"owner_id": "040216112220",
"tags": {
"Application": "eks",
"BuildDate": "20230217",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "lab",
"Name": "lab-apne1-xpk-iac-igw",
"Project": "iac",
"ServiceProvider": "None",
"TerraformDir": "eks-lab-ip6/network",
"TerraformMode": "managed"
},
"tags_all": {
"Application": "eks",
"BuildDate": "20230217",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "lab",
"Name": "lab-apne1-xpk-iac-igw",
"Project": "iac",
"ServiceProvider": "None",
"TerraformDir": "eks-lab-ip6/network",
"TerraformMode": "managed"
},
"timeouts": null,
"vpc_id": "vpc-051d8405604cd730d"
},
"sensitive_attributes": [],
"private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxMjAwMDAwMDAwMDAwLCJkZWxldGUiOjEyMDAwMDAwMDAwMDAsInVwZGF0ZSI6MTIwMDAwMDAwMDAwMH19",
"dependencies": [
"aws_vpc.vpc1",
"data.aws_caller_identity.this"
]
}
]
},
{
"mode": "managed",
"type": "aws_nat_gateway",
"name": "ngw",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"allocation_id": "eipalloc-0f20fcbac83515afe",
"connectivity_type": "public",
"id": "nat-0e71f2f627b948b71",
"network_interface_id": "eni-05bcb407c70c05922",
"private_ip": "192.168.123.165",
"public_ip": "35.72.134.157",
"subnet_id": "subnet-0836e26b02828e6b7",
"tags": {
"Application": "eks",
"BuildDate": "20230217",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "lab",
"Name": "lab-apne1-xpk-iac-ngw",
"Project": "iac",
"ServiceProvider": "None",
"TerraformDir": "eks-lab-ip6/network",
"TerraformMode": "managed"
},
"tags_all": {
"Application": "eks",
"BuildDate": "20230217",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "lab",
"Name": "lab-apne1-xpk-iac-ngw",
"Project": "iac",
"ServiceProvider": "None",
"TerraformDir": "eks-lab-ip6/network",
"TerraformMode": "managed"
}
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"aws_eip.ngw-ip",
"aws_subnet.public-subnets",
"aws_vpc.vpc1",
"data.aws_availability_zones.azs",
"data.aws_caller_identity.this"
]
}
]
},
{
"mode": "managed",
"type": "aws_route_table",
"name": "private-rtb",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"arn": "arn:aws:ec2:ap-northeast-1:040216112220:route-table/rtb-07c6f2df276e905ad",
"id": "rtb-07c6f2df276e905ad",
"owner_id": "040216112220",
"propagating_vgws": [],
"route": [
{
"carrier_gateway_id": "",
"cidr_block": "0.0.0.0/0",
"core_network_arn": "",
"destination_prefix_list_id": "",
"egress_only_gateway_id": "",
"gateway_id": "nat-0e71f2f627b948b71",
"instance_id": "",
"ipv6_cidr_block": "",
"local_gateway_id": "",
"nat_gateway_id": "",
"network_interface_id": "",
"transit_gateway_id": "",
"vpc_endpoint_id": "",
"vpc_peering_connection_id": ""
}
],
"tags": {
"Application": "eks",
"BuildDate": "20230217",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "lab",
"Name": "lab-apne1-xpk-iac-private-rtb",
"Project": "iac",
"ServiceProvider": "None",
"TerraformDir": "eks-lab-ip6/network",
"TerraformMode": "managed"
},
"tags_all": {
"Application": "eks",
"BuildDate": "20230217",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "lab",
"Name": "lab-apne1-xpk-iac-private-rtb",
"Project": "iac",
"ServiceProvider": "None",
"TerraformDir": "eks-lab-ip6/network",
"TerraformMode": "managed"
},
"timeouts": null,
"vpc_id": "vpc-051d8405604cd730d"
},
"sensitive_attributes": [],
"private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjozMDAwMDAwMDAwMDAsImRlbGV0ZSI6MzAwMDAwMDAwMDAwLCJ1cGRhdGUiOjEyMDAwMDAwMDAwMH19",
"dependencies": [
"aws_eip.ngw-ip",
"aws_nat_gateway.ngw",
"aws_subnet.public-subnets",
"aws_vpc.vpc1",
"data.aws_availability_zones.azs",
"data.aws_caller_identity.this"
]
}
]
},
{
"mode": "managed",
"type": "aws_route_table",
"name": "public-rtb",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"arn": "arn:aws:ec2:ap-northeast-1:040216112220:route-table/rtb-034d9f535055a4176",
"id": "rtb-034d9f535055a4176",
"owner_id": "040216112220",
"propagating_vgws": [],
"route": [
{
"carrier_gateway_id": "",
"cidr_block": "0.0.0.0/0",
"core_network_arn": "",
"destination_prefix_list_id": "",
"egress_only_gateway_id": "",
"gateway_id": "igw-0aa724367074ec9ed",
"instance_id": "",
"ipv6_cidr_block": "",
"local_gateway_id": "",
"nat_gateway_id": "",
"network_interface_id": "",
"transit_gateway_id": "",
"vpc_endpoint_id": "",
"vpc_peering_connection_id": ""
}
],
"tags": {
"Application": "eks",
"BuildDate": "20230217",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "lab",
"Name": "lab-apne1-xpk-iac-public-rtb",
"Project": "iac",
"ServiceProvider": "None",
"TerraformDir": "eks-lab-ip6/network",
"TerraformMode": "managed"
},
"tags_all": {
"Application": "eks",
"BuildDate": "20230217",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "lab",
"Name": "lab-apne1-xpk-iac-public-rtb",
"Project": "iac",
"ServiceProvider": "None",
"TerraformDir": "eks-lab-ip6/network",
"TerraformMode": "managed"
},
"timeouts": null,
"vpc_id": "vpc-051d8405604cd730d"
},
"sensitive_attributes": [],
"private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjozMDAwMDAwMDAwMDAsImRlbGV0ZSI6MzAwMDAwMDAwMDAwLCJ1cGRhdGUiOjEyMDAwMDAwMDAwMH19",
"dependencies": [
"aws_internet_gateway.igw",
"aws_vpc.vpc1",
"data.aws_caller_identity.this"
]
}
]
},
{
"mode": "managed",
"type": "aws_route_table_association",
"name": "private-rtb-asso",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"index_key": 0,
"schema_version": 0,
"attributes": {
"gateway_id": "",
"id": "rtbassoc-0dfc003a6278c114e",
"route_table_id": "rtb-07c6f2df276e905ad",
"subnet_id": "subnet-0a9f75c427054ca39"
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"aws_eip.ngw-ip",
"aws_nat_gateway.ngw",
"aws_route_table.private-rtb",
"aws_subnet.private-subnets",
"aws_subnet.public-subnets",
"aws_vpc.vpc1",
"data.aws_availability_zones.azs",
"data.aws_caller_identity.this"
]
},
{
"index_key": 1,
"schema_version": 0,
"attributes": {
"gateway_id": "",
"id": "rtbassoc-09392b94bd7f431e0",
"route_table_id": "rtb-07c6f2df276e905ad",
"subnet_id": "subnet-03837a4f086fe607a"
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"aws_eip.ngw-ip",
"aws_nat_gateway.ngw",
"aws_route_table.private-rtb",
"aws_subnet.private-subnets",
"aws_subnet.public-subnets",
"aws_vpc.vpc1",
"data.aws_availability_zones.azs",
"data.aws_caller_identity.this"
]
}
]
},
{
"mode": "managed",
"type": "aws_route_table_association",
"name": "public-rtb-asso",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"index_key": 0,
"schema_version": 0,
"attributes": {
"gateway_id": "",
"id": "rtbassoc-09ae17e308831a882",
"route_table_id": "rtb-034d9f535055a4176",
"subnet_id": "subnet-0836e26b02828e6b7"
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"aws_internet_gateway.igw",
"aws_route_table.public-rtb",
"aws_subnet.public-subnets",
"aws_vpc.vpc1",
"data.aws_availability_zones.azs",
"data.aws_caller_identity.this"
]
},
{
"index_key": 1,
"schema_version": 0,
"attributes": {
"gateway_id": "",
"id": "rtbassoc-07044aba885edbae2",
"route_table_id": "rtb-034d9f535055a4176",
"subnet_id": "subnet-0269d50d924f5c3ad"
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"aws_internet_gateway.igw",
"aws_route_table.public-rtb",
"aws_subnet.public-subnets",
"aws_vpc.vpc1",
"data.aws_availability_zones.azs",
"data.aws_caller_identity.this"
]
}
]
},
{
"mode": "managed",
"type": "aws_security_group",
"name": "generic-ep-sg",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 1,
"attributes": {
"arn": "arn:aws:ec2:ap-northeast-1:040216112220:security-group/sg-0158a37b2b0205723",
"description": "HttpsAccessToVpcEndpoints",
"egress": [
{
"cidr_blocks": [
"0.0.0.0/0"
],
"description": "",
"from_port": 0,
"ipv6_cidr_blocks": [
"::/0"
],
"prefix_list_ids": [],
"protocol": "-1",
"security_groups": [],
"self": false,
"to_port": 0
}
],
"id": "sg-0158a37b2b0205723",
"ingress": [
{
"cidr_blocks": [
"192.168.123.0/24"
],
"description": "TLS from VPC",
"from_port": 443,
"ipv6_cidr_blocks": [],
"prefix_list_ids": [],
"protocol": "tcp",
"security_groups": [],
"self": false,
"to_port": 443
},
{
"cidr_blocks": [],
"description": "TLS from VPC",
"from_port": 443,
"ipv6_cidr_blocks": [
"2406:da14:ece:ed00::/56"
],
"prefix_list_ids": [],
"protocol": "tcp",
"security_groups": [],
"self": false,
"to_port": 443
}
],
"name": "HttpsAccessToVpcEndpoints",
"name_prefix": "",
"owner_id": "040216112220",
"revoke_rules_on_delete": false,
"tags": {
"Application": "eks",
"BuildDate": "20230217",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "lab",
"Name": "VpcEpAccess",
"Project": "iac",
"ServiceProvider": "None",
"TerraformDir": "eks-lab-ip6/network",
"TerraformMode": "managed"
},
"tags_all": {
"Application": "eks",
"BuildDate": "20230217",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "lab",
"Name": "VpcEpAccess",
"Project": "iac",
"ServiceProvider": "None",
"TerraformDir": "eks-lab-ip6/network",
"TerraformMode": "managed"
},
"timeouts": null,
"vpc_id": "vpc-051d8405604cd730d"
},
"sensitive_attributes": [],
"private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjo2MDAwMDAwMDAwMDAsImRlbGV0ZSI6OTAwMDAwMDAwMDAwfSwic2NoZW1hX3ZlcnNpb24iOiIxIn0=",
"dependencies": [
"aws_vpc.vpc1",
"data.aws_caller_identity.this"
]
}
]
},
{
"mode": "managed",
"type": "aws_subnet",
"name": "private-subnets",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"index_key": 0,
"schema_version": 1,
"attributes": {
"arn": "arn:aws:ec2:ap-northeast-1:040216112220:subnet/subnet-0a9f75c427054ca39",
"assign_ipv6_address_on_creation": true,
"availability_zone": "ap-northeast-1a",
"availability_zone_id": "apne1-az4",
"cidr_block": "192.168.123.0/26",
"customer_owned_ipv4_pool": "",
"enable_dns64": false,
"enable_resource_name_dns_a_record_on_launch": true,
"enable_resource_name_dns_aaaa_record_on_launch": false,
"id": "subnet-0a9f75c427054ca39",
"ipv6_cidr_block": "2406:da14:ece:ed00::/64",
"ipv6_cidr_block_association_id": "subnet-cidr-assoc-00cad72145ee3a291",
"ipv6_native": false,
"map_customer_owned_ip_on_launch": false,
"map_public_ip_on_launch": false,
"outpost_arn": "",
"owner_id": "040216112220",
"private_dns_hostname_type_on_launch": "ip-name",
"tags": {
"Application": "eks",
"BuildDate": "20230217",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "lab",
"Name": "lab-apne1-xpk-iac-private-ap-northeast-1a",
"Project": "iac",
"ServiceProvider": "None",
"TerraformDir": "eks-lab-ip6/network",
"TerraformMode": "managed",
"kubernetes.io/role/internal-elb": "1"
},
"tags_all": {
"Application": "eks",
"BuildDate": "20230217",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "lab",
"Name": "lab-apne1-xpk-iac-private-ap-northeast-1a",
"Project": "iac",
"ServiceProvider": "None",
"TerraformDir": "eks-lab-ip6/network",
"TerraformMode": "managed",
"kubernetes.io/role/internal-elb": "1"
},
"timeouts": null,
"vpc_id": "vpc-051d8405604cd730d"
},
"sensitive_attributes": [],
"private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjo2MDAwMDAwMDAwMDAsImRlbGV0ZSI6MTIwMDAwMDAwMDAwMH0sInNjaGVtYV92ZXJzaW9uIjoiMSJ9",
"dependencies": [
"aws_vpc.vpc1",
"data.aws_availability_zones.azs",
"data.aws_caller_identity.this"
]
},
{
"index_key": 1,
"schema_version": 1,
"attributes": {
"arn": "arn:aws:ec2:ap-northeast-1:040216112220:subnet/subnet-03837a4f086fe607a",
"assign_ipv6_address_on_creation": true,
"availability_zone": "ap-northeast-1c",
"availability_zone_id": "apne1-az1",
"cidr_block": "192.168.123.64/26",
"customer_owned_ipv4_pool": "",
"enable_dns64": false,
"enable_resource_name_dns_a_record_on_launch": true,
"enable_resource_name_dns_aaaa_record_on_launch": false,
"id": "subnet-03837a4f086fe607a",
"ipv6_cidr_block": "2406:da14:ece:ed01::/64",
"ipv6_cidr_block_association_id": "subnet-cidr-assoc-07dded145177dd88e",
"ipv6_native": false,
"map_customer_owned_ip_on_launch": false,
"map_public_ip_on_launch": false,
"outpost_arn": "",
"owner_id": "040216112220",
"private_dns_hostname_type_on_launch": "ip-name",
"tags": {
"Application": "eks",
"BuildDate": "20230217",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "lab",
"Name": "lab-apne1-xpk-iac-private-ap-northeast-1c",
"Project": "iac",
"ServiceProvider": "None",
"TerraformDir": "eks-lab-ip6/network",
"TerraformMode": "managed",
"kubernetes.io/role/internal-elb": "1"
},
"tags_all": {
"Application": "eks",
"BuildDate": "20230217",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "lab",
"Name": "lab-apne1-xpk-iac-private-ap-northeast-1c",
"Project": "iac",
"ServiceProvider": "None",
"TerraformDir": "eks-lab-ip6/network",
"TerraformMode": "managed",
"kubernetes.io/role/internal-elb": "1"
},
"timeouts": null,
"vpc_id": "vpc-051d8405604cd730d"
},
"sensitive_attributes": [],
"private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjo2MDAwMDAwMDAwMDAsImRlbGV0ZSI6MTIwMDAwMDAwMDAwMH0sInNjaGVtYV92ZXJzaW9uIjoiMSJ9",
"dependencies": [
"aws_vpc.vpc1",
"data.aws_availability_zones.azs",
"data.aws_caller_identity.this"
]
}
]
},
{
"mode": "managed",
"type": "aws_subnet",
"name": "public-subnets",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"index_key": 0,
"schema_version": 1,
"attributes": {
"arn": "arn:aws:ec2:ap-northeast-1:040216112220:subnet/subnet-0836e26b02828e6b7",
"assign_ipv6_address_on_creation": true,
"availability_zone": "ap-northeast-1a",
"availability_zone_id": "apne1-az4",
"cidr_block": "192.168.123.128/26",
"customer_owned_ipv4_pool": "",
"enable_dns64": false,
"enable_resource_name_dns_a_record_on_launch": true,
"enable_resource_name_dns_aaaa_record_on_launch": false,
"id": "subnet-0836e26b02828e6b7",
"ipv6_cidr_block": "2406:da14:ece:ed02::/64",
"ipv6_cidr_block_association_id": "subnet-cidr-assoc-0aab88c4cbb3f46a6",
"ipv6_native": false,
"map_customer_owned_ip_on_launch": false,
"map_public_ip_on_launch": false,
"outpost_arn": "",
"owner_id": "040216112220",
"private_dns_hostname_type_on_launch": "ip-name",
"tags": {
"Application": "eks",
"BuildDate": "20230217",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "lab",
"Name": "lab-apne1-xpk-iac-public-ap-northeast-1a",
"Project": "iac",
"ServiceProvider": "None",
"TerraformDir": "eks-lab-ip6/network",
"TerraformMode": "managed",
"kubernetes.io/role/elb": "1"
},
"tags_all": {
"Application": "eks",
"BuildDate": "20230217",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "lab",
"Name": "lab-apne1-xpk-iac-public-ap-northeast-1a",
"Project": "iac",
"ServiceProvider": "None",
"TerraformDir": "eks-lab-ip6/network",
"TerraformMode": "managed",
"kubernetes.io/role/elb": "1"
},
"timeouts": null,
"vpc_id": "vpc-051d8405604cd730d"
},
"sensitive_attributes": [],
"private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjo2MDAwMDAwMDAwMDAsImRlbGV0ZSI6MTIwMDAwMDAwMDAwMH0sInNjaGVtYV92ZXJzaW9uIjoiMSJ9",
"dependencies": [
"aws_vpc.vpc1",
"data.aws_availability_zones.azs",
"data.aws_caller_identity.this"
]
},
{
"index_key": 1,
"schema_version": 1,
"attributes": {
"arn": "arn:aws:ec2:ap-northeast-1:040216112220:subnet/subnet-0269d50d924f5c3ad",
"assign_ipv6_address_on_creation": true,
"availability_zone": "ap-northeast-1c",
"availability_zone_id": "apne1-az1",
"cidr_block": "192.168.123.192/26",
"customer_owned_ipv4_pool": "",
"enable_dns64": false,
"enable_resource_name_dns_a_record_on_launch": true,
"enable_resource_name_dns_aaaa_record_on_launch": false,
"id": "subnet-0269d50d924f5c3ad",
"ipv6_cidr_block": "2406:da14:ece:ed03::/64",
"ipv6_cidr_block_association_id": "subnet-cidr-assoc-0eff3d18663a8bb79",
"ipv6_native": false,
"map_customer_owned_ip_on_launch": false,
"map_public_ip_on_launch": false,
"outpost_arn": "",
"owner_id": "040216112220",
"private_dns_hostname_type_on_launch": "ip-name",
"tags": {
"Application": "eks",
"BuildDate": "20230217",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "lab",
"Name": "lab-apne1-xpk-iac-public-ap-northeast-1c",
"Project": "iac",
"ServiceProvider": "None",
"TerraformDir": "eks-lab-ip6/network",
"TerraformMode": "managed",
"kubernetes.io/role/elb": "1"
},
"tags_all": {
"Application": "eks",
"BuildDate": "20230217",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "lab",
"Name": "lab-apne1-xpk-iac-public-ap-northeast-1c",
"Project": "iac",
"ServiceProvider": "None",
"TerraformDir": "eks-lab-ip6/network",
"TerraformMode": "managed",
"kubernetes.io/role/elb": "1"
},
"timeouts": null,
"vpc_id": "vpc-051d8405604cd730d"
},
"sensitive_attributes": [],
"private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjo2MDAwMDAwMDAwMDAsImRlbGV0ZSI6MTIwMDAwMDAwMDAwMH0sInNjaGVtYV92ZXJzaW9uIjoiMSJ9",
"dependencies": [
"aws_vpc.vpc1",
"data.aws_availability_zones.azs",
"data.aws_caller_identity.this"
]
}
]
},
{
"mode": "managed",
"type": "aws_vpc",
"name": "vpc1",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 1,
"attributes": {
"arn": "arn:aws:ec2:ap-northeast-1:040216112220:vpc/vpc-051d8405604cd730d",
"assign_generated_ipv6_cidr_block": true,
"cidr_block": "192.168.123.0/24",
"default_network_acl_id": "acl-0260219cc561ae7f6",
"default_route_table_id": "rtb-08e8cbe49390375f5",
"default_security_group_id": "sg-0b56a9c27e73084bb",
"dhcp_options_id": "dopt-090c9f839527a4c07",
"enable_classiclink": false,
"enable_classiclink_dns_support": false,
"enable_dns_hostnames": true,
"enable_dns_support": true,
"enable_network_address_usage_metrics": false,
"id": "vpc-051d8405604cd730d",
"instance_tenancy": "default",
"ipv4_ipam_pool_id": null,
"ipv4_netmask_length": null,
"ipv6_association_id": "vpc-cidr-assoc-00a8c007b42a44f67",
"ipv6_cidr_block": "2406:da14:ece:ed00::/56",
"ipv6_cidr_block_network_border_group": "ap-northeast-1",
"ipv6_ipam_pool_id": "",
"ipv6_netmask_length": 0,
"main_route_table_id": "rtb-08e8cbe49390375f5",
"owner_id": "040216112220",
"tags": {
"Application": "eks",
"BuildDate": "20230217",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "lab",
"Name": "lab-apne1-xpk-iac-vpc1",
"Project": "iac",
"ServiceProvider": "None",
"TerraformDir": "eks-lab-ip6/network",
"TerraformMode": "managed"
},
"tags_all": {
"Application": "eks",
"BuildDate": "20230217",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "lab",
"Name": "lab-apne1-xpk-iac-vpc1",
"Project": "iac",
"ServiceProvider": "None",
"TerraformDir": "eks-lab-ip6/network",
"TerraformMode": "managed"
}
},
"sensitive_attributes": [],
"private": "eyJzY2hlbWFfdmVyc2lvbiI6IjEifQ==",
"dependencies": [
"data.aws_caller_identity.this"
]
}
]
},
{
"mode": "managed",
"type": "aws_vpc_endpoint",
"name": "eks-vpcep",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"arn": "arn:aws:ec2:ap-northeast-1:040216112220:vpc-endpoint/vpce-0a37185de88ad0767",
"auto_accept": null,
"cidr_blocks": [],
"dns_entry": [
{
"dns_name": "vpce-0a37185de88ad0767-dyxcih00.eks.ap-northeast-1.vpce.amazonaws.com",
"hosted_zone_id": "Z2E726K9Y6RL4W"
},
{
"dns_name": "vpce-0a37185de88ad0767-dyxcih00-ap-northeast-1c.eks.ap-northeast-1.vpce.amazonaws.com",
"hosted_zone_id": "Z2E726K9Y6RL4W"
},
{
"dns_name": "vpce-0a37185de88ad0767-dyxcih00-ap-northeast-1a.eks.ap-northeast-1.vpce.amazonaws.com",
"hosted_zone_id": "Z2E726K9Y6RL4W"
},
{
"dns_name": "eks.ap-northeast-1.amazonaws.com",
"hosted_zone_id": "Z0423227199F7H6UENLXS"
}
],
"dns_options": [
{
"dns_record_ip_type": "ipv4"
}
],
"id": "vpce-0a37185de88ad0767",
"ip_address_type": "ipv4",
"network_interface_ids": [
"eni-04a27c78fb4bc730f",
"eni-08f40839bc1aeebde"
],
"owner_id": "040216112220",
"policy": "{\"Statement\":[{\"Action\":\"*\",\"Effect\":\"Allow\",\"Principal\":\"*\",\"Resource\":\"*\"}]}",
"prefix_list_id": null,
"private_dns_enabled": true,
"requester_managed": false,
"route_table_ids": [],
"security_group_ids": [
"sg-0158a37b2b0205723"
],
"service_name": "com.amazonaws.ap-northeast-1.eks",
"state": "available",
"subnet_ids": [
"subnet-03837a4f086fe607a",
"subnet-0a9f75c427054ca39"
],
"tags": {
"Application": "eks",
"BuildDate": "20230217",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "lab",
"Name": "lab-apne1-xpk-iac-vpcep-eks",
"Project": "iac",
"ServiceProvider": "None",
"TerraformDir": "eks-lab-ip6/network",
"TerraformMode": "managed"
},
"tags_all": {
"Application": "eks",
"BuildDate": "20230217",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "lab",
"Name": "lab-apne1-xpk-iac-vpcep-eks",
"Project": "iac",
"ServiceProvider": "None",
"TerraformDir": "eks-lab-ip6/network",
"TerraformMode": "managed"
},
"timeouts": null,
"vpc_endpoint_type": "Interface",
"vpc_id": "vpc-051d8405604cd730d"
},
"sensitive_attributes": [],
"private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjo2MDAwMDAwMDAwMDAsImRlbGV0ZSI6NjAwMDAwMDAwMDAwLCJ1cGRhdGUiOjYwMDAwMDAwMDAwMH19",
"dependencies": [
"aws_security_group.generic-ep-sg",
"aws_subnet.private-subnets",
"aws_subnet.public-subnets",
"aws_vpc.vpc1",
"data.aws_availability_zones.azs",
"data.aws_caller_identity.this"
]
}
]
}
],
"check_results": null
}


@ -0,0 +1,958 @@
{
"version": 4,
"terraform_version": "1.3.7",
"serial": 103,
"lineage": "65963b11-e76c-9a8d-95d5-827c62984fca",
"outputs": {
"private-subnet-ids": {
"value": [
"subnet-0a9f75c427054ca39",
"subnet-03837a4f086fe607a"
],
"type": [
"tuple",
[
"string",
"string"
]
]
},
"public-subnet-ids": {
"value": [
"subnet-0836e26b02828e6b7",
"subnet-0269d50d924f5c3ad"
],
"type": [
"tuple",
[
"string",
"string"
]
]
},
"vpc-cidr": {
"value": "192.168.123.0/24",
"type": "string"
},
"vpc-cidr6": {
"value": "2406:da14:ece:ed00::/56",
"type": "string"
},
"vpc-id": {
"value": "vpc-051d8405604cd730d",
"type": "string"
}
},
"resources": [
{
"mode": "data",
"type": "aws_availability_zones",
"name": "azs",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"all_availability_zones": null,
"exclude_names": null,
"exclude_zone_ids": null,
"filter": null,
"group_names": [
"ap-northeast-1"
],
"id": "ap-northeast-1",
"names": [
"ap-northeast-1a",
"ap-northeast-1c",
"ap-northeast-1d"
],
"state": "available",
"timeouts": null,
"zone_ids": [
"apne1-az4",
"apne1-az1",
"apne1-az2"
]
},
"sensitive_attributes": []
}
]
},
{
"mode": "data",
"type": "aws_caller_identity",
"name": "this",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"account_id": "040216112220",
"arn": "arn:aws:iam::040216112220:user/ken2026",
"id": "040216112220",
"user_id": "AIDAQSXIRFROOXYISSIEQ"
},
"sensitive_attributes": []
}
]
},
{
"mode": "managed",
"type": "aws_eip",
"name": "ngw-ip",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"address": null,
"allocation_id": "eipalloc-0f20fcbac83515afe",
"associate_with_private_ip": null,
"association_id": "eipassoc-078c7da22f4bbb437",
"carrier_ip": "",
"customer_owned_ip": "",
"customer_owned_ipv4_pool": "",
"domain": "vpc",
"id": "eipalloc-0f20fcbac83515afe",
"instance": "",
"network_border_group": "ap-northeast-1",
"network_interface": "eni-05bcb407c70c05922",
"private_dns": "ip-192-168-123-165.ap-northeast-1.compute.internal",
"private_ip": "192.168.123.165",
"public_dns": "ec2-35-72-134-157.ap-northeast-1.compute.amazonaws.com",
"public_ip": "35.72.134.157",
"public_ipv4_pool": "amazon",
"tags": {},
"tags_all": {},
"timeouts": null,
"vpc": true
},
"sensitive_attributes": [],
"private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiZGVsZXRlIjoxODAwMDAwMDAwMDAsInJlYWQiOjkwMDAwMDAwMDAwMCwidXBkYXRlIjozMDAwMDAwMDAwMDB9fQ=="
}
]
},
{
"mode": "managed",
"type": "aws_internet_gateway",
"name": "igw",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"arn": "arn:aws:ec2:ap-northeast-1:040216112220:internet-gateway/igw-0aa724367074ec9ed",
"id": "igw-0aa724367074ec9ed",
"owner_id": "040216112220",
"tags": {
"Application": "eks",
"BuildDate": "20230217",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "lab",
"Name": "lab-apne1-xpk-iac-igw",
"Project": "iac",
"ServiceProvider": "None",
"TerraformDir": "eks-lab-ip6/network",
"TerraformMode": "managed"
},
"tags_all": {
"Application": "eks",
"BuildDate": "20230217",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "lab",
"Name": "lab-apne1-xpk-iac-igw",
"Project": "iac",
"ServiceProvider": "None",
"TerraformDir": "eks-lab-ip6/network",
"TerraformMode": "managed"
},
"timeouts": null,
"vpc_id": "vpc-051d8405604cd730d"
},
"sensitive_attributes": [],
"private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjoxMjAwMDAwMDAwMDAwLCJkZWxldGUiOjEyMDAwMDAwMDAwMDAsInVwZGF0ZSI6MTIwMDAwMDAwMDAwMH19",
"dependencies": [
"aws_vpc.vpc1",
"data.aws_caller_identity.this"
]
}
]
},
{
"mode": "managed",
"type": "aws_nat_gateway",
"name": "ngw",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"allocation_id": "eipalloc-0f20fcbac83515afe",
"connectivity_type": "public",
"id": "nat-0e71f2f627b948b71",
"network_interface_id": "eni-05bcb407c70c05922",
"private_ip": "192.168.123.165",
"public_ip": "35.72.134.157",
"subnet_id": "subnet-0836e26b02828e6b7",
"tags": {
"Application": "eks",
"BuildDate": "20230217",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "lab",
"Name": "lab-apne1-xpk-iac-ngw",
"Project": "iac",
"ServiceProvider": "None",
"TerraformDir": "eks-lab-ip6/network",
"TerraformMode": "managed"
},
"tags_all": {
"Application": "eks",
"BuildDate": "20230217",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "lab",
"Name": "lab-apne1-xpk-iac-ngw",
"Project": "iac",
"ServiceProvider": "None",
"TerraformDir": "eks-lab-ip6/network",
"TerraformMode": "managed"
}
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"aws_eip.ngw-ip",
"aws_subnet.public-subnets",
"aws_vpc.vpc1",
"data.aws_availability_zones.azs",
"data.aws_caller_identity.this"
]
}
]
},
{
"mode": "managed",
"type": "aws_route_table",
"name": "private-rtb",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"arn": "arn:aws:ec2:ap-northeast-1:040216112220:route-table/rtb-07c6f2df276e905ad",
"id": "rtb-07c6f2df276e905ad",
"owner_id": "040216112220",
"propagating_vgws": [],
"route": [
{
"carrier_gateway_id": "",
"cidr_block": "0.0.0.0/0",
"core_network_arn": "",
"destination_prefix_list_id": "",
"egress_only_gateway_id": "",
"gateway_id": "nat-0e71f2f627b948b71",
"instance_id": "",
"ipv6_cidr_block": "",
"local_gateway_id": "",
"nat_gateway_id": "",
"network_interface_id": "",
"transit_gateway_id": "",
"vpc_endpoint_id": "",
"vpc_peering_connection_id": ""
}
],
"tags": {
"Application": "eks",
"BuildDate": "20230217",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "lab",
"Name": "lab-apne1-xpk-iac-private-rtb",
"Project": "iac",
"ServiceProvider": "None",
"TerraformDir": "eks-lab-ip6/network",
"TerraformMode": "managed"
},
"tags_all": {
"Application": "eks",
"BuildDate": "20230217",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "lab",
"Name": "lab-apne1-xpk-iac-private-rtb",
"Project": "iac",
"ServiceProvider": "None",
"TerraformDir": "eks-lab-ip6/network",
"TerraformMode": "managed"
},
"timeouts": null,
"vpc_id": "vpc-051d8405604cd730d"
},
"sensitive_attributes": [],
"private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjozMDAwMDAwMDAwMDAsImRlbGV0ZSI6MzAwMDAwMDAwMDAwLCJ1cGRhdGUiOjEyMDAwMDAwMDAwMH19",
"dependencies": [
"aws_eip.ngw-ip",
"aws_nat_gateway.ngw",
"aws_subnet.public-subnets",
"aws_vpc.vpc1",
"data.aws_availability_zones.azs",
"data.aws_caller_identity.this"
]
}
]
},
{
"mode": "managed",
"type": "aws_route_table",
"name": "public-rtb",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"arn": "arn:aws:ec2:ap-northeast-1:040216112220:route-table/rtb-034d9f535055a4176",
"id": "rtb-034d9f535055a4176",
"owner_id": "040216112220",
"propagating_vgws": [],
"route": [
{
"carrier_gateway_id": "",
"cidr_block": "0.0.0.0/0",
"core_network_arn": "",
"destination_prefix_list_id": "",
"egress_only_gateway_id": "",
"gateway_id": "igw-0aa724367074ec9ed",
"instance_id": "",
"ipv6_cidr_block": "",
"local_gateway_id": "",
"nat_gateway_id": "",
"network_interface_id": "",
"transit_gateway_id": "",
"vpc_endpoint_id": "",
"vpc_peering_connection_id": ""
}
],
"tags": {
"Application": "eks",
"BuildDate": "20230217",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "lab",
"Name": "lab-apne1-xpk-iac-public-rtb",
"Project": "iac",
"ServiceProvider": "None",
"TerraformDir": "eks-lab-ip6/network",
"TerraformMode": "managed"
},
"tags_all": {
"Application": "eks",
"BuildDate": "20230217",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "lab",
"Name": "lab-apne1-xpk-iac-public-rtb",
"Project": "iac",
"ServiceProvider": "None",
"TerraformDir": "eks-lab-ip6/network",
"TerraformMode": "managed"
},
"timeouts": null,
"vpc_id": "vpc-051d8405604cd730d"
},
"sensitive_attributes": [],
"private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjozMDAwMDAwMDAwMDAsImRlbGV0ZSI6MzAwMDAwMDAwMDAwLCJ1cGRhdGUiOjEyMDAwMDAwMDAwMH19",
"dependencies": [
"aws_internet_gateway.igw",
"aws_vpc.vpc1",
"data.aws_caller_identity.this"
]
}
]
},
{
"mode": "managed",
"type": "aws_route_table_association",
"name": "private-rtb-asso",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"index_key": 0,
"schema_version": 0,
"attributes": {
"gateway_id": "",
"id": "rtbassoc-0dfc003a6278c114e",
"route_table_id": "rtb-07c6f2df276e905ad",
"subnet_id": "subnet-0a9f75c427054ca39"
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"aws_eip.ngw-ip",
"aws_nat_gateway.ngw",
"aws_route_table.private-rtb",
"aws_subnet.private-subnets",
"aws_subnet.public-subnets",
"aws_vpc.vpc1",
"data.aws_availability_zones.azs",
"data.aws_caller_identity.this"
]
},
{
"index_key": 1,
"schema_version": 0,
"attributes": {
"gateway_id": "",
"id": "rtbassoc-09392b94bd7f431e0",
"route_table_id": "rtb-07c6f2df276e905ad",
"subnet_id": "subnet-03837a4f086fe607a"
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"aws_eip.ngw-ip",
"aws_nat_gateway.ngw",
"aws_route_table.private-rtb",
"aws_subnet.private-subnets",
"aws_subnet.public-subnets",
"aws_vpc.vpc1",
"data.aws_availability_zones.azs",
"data.aws_caller_identity.this"
]
}
]
},
{
"mode": "managed",
"type": "aws_route_table_association",
"name": "public-rtb-asso",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"index_key": 0,
"schema_version": 0,
"attributes": {
"gateway_id": "",
"id": "rtbassoc-09ae17e308831a882",
"route_table_id": "rtb-034d9f535055a4176",
"subnet_id": "subnet-0836e26b02828e6b7"
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"aws_internet_gateway.igw",
"aws_route_table.public-rtb",
"aws_subnet.public-subnets",
"aws_vpc.vpc1",
"data.aws_availability_zones.azs",
"data.aws_caller_identity.this"
]
},
{
"index_key": 1,
"schema_version": 0,
"attributes": {
"gateway_id": "",
"id": "rtbassoc-07044aba885edbae2",
"route_table_id": "rtb-034d9f535055a4176",
"subnet_id": "subnet-0269d50d924f5c3ad"
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"aws_internet_gateway.igw",
"aws_route_table.public-rtb",
"aws_subnet.public-subnets",
"aws_vpc.vpc1",
"data.aws_availability_zones.azs",
"data.aws_caller_identity.this"
]
}
]
},
{
"mode": "managed",
"type": "aws_security_group",
"name": "generic-ep-sg",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 1,
"attributes": {
"arn": "arn:aws:ec2:ap-northeast-1:040216112220:security-group/sg-0158a37b2b0205723",
"description": "HttpsAccessToVpcEndpoints",
"egress": [
{
"cidr_blocks": [
"0.0.0.0/0"
],
"description": "",
"from_port": 0,
"ipv6_cidr_blocks": [
"::/0"
],
"prefix_list_ids": [],
"protocol": "-1",
"security_groups": [],
"self": false,
"to_port": 0
}
],
"id": "sg-0158a37b2b0205723",
"ingress": [
{
"cidr_blocks": [
"192.168.123.0/24"
],
"description": "TLS from VPC",
"from_port": 443,
"ipv6_cidr_blocks": [],
"prefix_list_ids": [],
"protocol": "tcp",
"security_groups": [],
"self": false,
"to_port": 443
},
{
"cidr_blocks": [],
"description": "TLS from VPC",
"from_port": 443,
"ipv6_cidr_blocks": [
"2406:da14:ece:ed00::/56"
],
"prefix_list_ids": [],
"protocol": "tcp",
"security_groups": [],
"self": false,
"to_port": 443
}
],
"name": "HttpsAccessToVpcEndpoints",
"name_prefix": "",
"owner_id": "040216112220",
"revoke_rules_on_delete": false,
"tags": {
"Application": "eks",
"BuildDate": "20230217",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "lab",
"Name": "VpcEpAccess",
"Project": "iac",
"ServiceProvider": "None",
"TerraformDir": "eks-lab-ip6/network",
"TerraformMode": "managed"
},
"tags_all": {
"Application": "eks",
"BuildDate": "20230217",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "lab",
"Name": "VpcEpAccess",
"Project": "iac",
"ServiceProvider": "None",
"TerraformDir": "eks-lab-ip6/network",
"TerraformMode": "managed"
},
"timeouts": null,
"vpc_id": "vpc-051d8405604cd730d"
},
"sensitive_attributes": [],
"private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjo2MDAwMDAwMDAwMDAsImRlbGV0ZSI6OTAwMDAwMDAwMDAwfSwic2NoZW1hX3ZlcnNpb24iOiIxIn0=",
"dependencies": [
"aws_vpc.vpc1",
"data.aws_caller_identity.this"
]
}
]
},
{
"mode": "managed",
"type": "aws_subnet",
"name": "private-subnets",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"index_key": 0,
"schema_version": 1,
"attributes": {
"arn": "arn:aws:ec2:ap-northeast-1:040216112220:subnet/subnet-0a9f75c427054ca39",
"assign_ipv6_address_on_creation": true,
"availability_zone": "ap-northeast-1a",
"availability_zone_id": "apne1-az4",
"cidr_block": "192.168.123.0/26",
"customer_owned_ipv4_pool": "",
"enable_dns64": false,
"enable_resource_name_dns_a_record_on_launch": true,
"enable_resource_name_dns_aaaa_record_on_launch": false,
"id": "subnet-0a9f75c427054ca39",
"ipv6_cidr_block": "2406:da14:ece:ed00::/64",
"ipv6_cidr_block_association_id": "subnet-cidr-assoc-00cad72145ee3a291",
"ipv6_native": false,
"map_customer_owned_ip_on_launch": false,
"map_public_ip_on_launch": false,
"outpost_arn": "",
"owner_id": "040216112220",
"private_dns_hostname_type_on_launch": "ip-name",
"tags": {
"Application": "eks",
"BuildDate": "20230217",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "lab",
"Name": "lab-apne1-xpk-iac-private-ap-northeast-1a",
"Project": "iac",
"ServiceProvider": "None",
"TerraformDir": "eks-lab-ip6/network",
"TerraformMode": "managed"
},
"tags_all": {
"Application": "eks",
"BuildDate": "20230217",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "lab",
"Name": "lab-apne1-xpk-iac-private-ap-northeast-1a",
"Project": "iac",
"ServiceProvider": "None",
"TerraformDir": "eks-lab-ip6/network",
"TerraformMode": "managed"
},
"timeouts": null,
"vpc_id": "vpc-051d8405604cd730d"
},
"sensitive_attributes": [],
"private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjo2MDAwMDAwMDAwMDAsImRlbGV0ZSI6MTIwMDAwMDAwMDAwMH0sInNjaGVtYV92ZXJzaW9uIjoiMSJ9",
"dependencies": [
"aws_vpc.vpc1",
"data.aws_availability_zones.azs",
"data.aws_caller_identity.this"
]
},
{
"index_key": 1,
"schema_version": 1,
"attributes": {
"arn": "arn:aws:ec2:ap-northeast-1:040216112220:subnet/subnet-03837a4f086fe607a",
"assign_ipv6_address_on_creation": true,
"availability_zone": "ap-northeast-1c",
"availability_zone_id": "apne1-az1",
"cidr_block": "192.168.123.64/26",
"customer_owned_ipv4_pool": "",
"enable_dns64": false,
"enable_resource_name_dns_a_record_on_launch": true,
"enable_resource_name_dns_aaaa_record_on_launch": false,
"id": "subnet-03837a4f086fe607a",
"ipv6_cidr_block": "2406:da14:ece:ed01::/64",
"ipv6_cidr_block_association_id": "subnet-cidr-assoc-07dded145177dd88e",
"ipv6_native": false,
"map_customer_owned_ip_on_launch": false,
"map_public_ip_on_launch": false,
"outpost_arn": "",
"owner_id": "040216112220",
"private_dns_hostname_type_on_launch": "ip-name",
"tags": {
"Application": "eks",
"BuildDate": "20230217",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "lab",
"Name": "lab-apne1-xpk-iac-private-ap-northeast-1c",
"Project": "iac",
"ServiceProvider": "None",
"TerraformDir": "eks-lab-ip6/network",
"TerraformMode": "managed"
},
"tags_all": {
"Application": "eks",
"BuildDate": "20230217",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "lab",
"Name": "lab-apne1-xpk-iac-private-ap-northeast-1c",
"Project": "iac",
"ServiceProvider": "None",
"TerraformDir": "eks-lab-ip6/network",
"TerraformMode": "managed"
},
"timeouts": null,
"vpc_id": "vpc-051d8405604cd730d"
},
"sensitive_attributes": [],
"private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjo2MDAwMDAwMDAwMDAsImRlbGV0ZSI6MTIwMDAwMDAwMDAwMH0sInNjaGVtYV92ZXJzaW9uIjoiMSJ9",
"dependencies": [
"aws_vpc.vpc1",
"data.aws_availability_zones.azs",
"data.aws_caller_identity.this"
]
}
]
},
{
"mode": "managed",
"type": "aws_subnet",
"name": "public-subnets",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"index_key": 0,
"schema_version": 1,
"attributes": {
"arn": "arn:aws:ec2:ap-northeast-1:040216112220:subnet/subnet-0836e26b02828e6b7",
"assign_ipv6_address_on_creation": true,
"availability_zone": "ap-northeast-1a",
"availability_zone_id": "apne1-az4",
"cidr_block": "192.168.123.128/26",
"customer_owned_ipv4_pool": "",
"enable_dns64": false,
"enable_resource_name_dns_a_record_on_launch": true,
"enable_resource_name_dns_aaaa_record_on_launch": false,
"id": "subnet-0836e26b02828e6b7",
"ipv6_cidr_block": "2406:da14:ece:ed02::/64",
"ipv6_cidr_block_association_id": "subnet-cidr-assoc-0aab88c4cbb3f46a6",
"ipv6_native": false,
"map_customer_owned_ip_on_launch": false,
"map_public_ip_on_launch": false,
"outpost_arn": "",
"owner_id": "040216112220",
"private_dns_hostname_type_on_launch": "ip-name",
"tags": {
"Application": "eks",
"BuildDate": "20230217",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "lab",
"Name": "lab-apne1-xpk-iac-public-ap-northeast-1a",
"Project": "iac",
"ServiceProvider": "None",
"TerraformDir": "eks-lab-ip6/network",
"TerraformMode": "managed"
},
"tags_all": {
"Application": "eks",
"BuildDate": "20230217",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "lab",
"Name": "lab-apne1-xpk-iac-public-ap-northeast-1a",
"Project": "iac",
"ServiceProvider": "None",
"TerraformDir": "eks-lab-ip6/network",
"TerraformMode": "managed"
},
"timeouts": null,
"vpc_id": "vpc-051d8405604cd730d"
},
"sensitive_attributes": [],
"private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjo2MDAwMDAwMDAwMDAsImRlbGV0ZSI6MTIwMDAwMDAwMDAwMH0sInNjaGVtYV92ZXJzaW9uIjoiMSJ9",
"dependencies": [
"aws_vpc.vpc1",
"data.aws_availability_zones.azs",
"data.aws_caller_identity.this"
]
},
{
"index_key": 1,
"schema_version": 1,
"attributes": {
"arn": "arn:aws:ec2:ap-northeast-1:040216112220:subnet/subnet-0269d50d924f5c3ad",
"assign_ipv6_address_on_creation": true,
"availability_zone": "ap-northeast-1c",
"availability_zone_id": "apne1-az1",
"cidr_block": "192.168.123.192/26",
"customer_owned_ipv4_pool": "",
"enable_dns64": false,
"enable_resource_name_dns_a_record_on_launch": true,
"enable_resource_name_dns_aaaa_record_on_launch": false,
"id": "subnet-0269d50d924f5c3ad",
"ipv6_cidr_block": "2406:da14:ece:ed03::/64",
"ipv6_cidr_block_association_id": "subnet-cidr-assoc-0eff3d18663a8bb79",
"ipv6_native": false,
"map_customer_owned_ip_on_launch": false,
"map_public_ip_on_launch": false,
"outpost_arn": "",
"owner_id": "040216112220",
"private_dns_hostname_type_on_launch": "ip-name",
"tags": {
"Application": "eks",
"BuildDate": "20230217",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "lab",
"Name": "lab-apne1-xpk-iac-public-ap-northeast-1c",
"Project": "iac",
"ServiceProvider": "None",
"TerraformDir": "eks-lab-ip6/network",
"TerraformMode": "managed"
},
"tags_all": {
"Application": "eks",
"BuildDate": "20230217",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "lab",
"Name": "lab-apne1-xpk-iac-public-ap-northeast-1c",
"Project": "iac",
"ServiceProvider": "None",
"TerraformDir": "eks-lab-ip6/network",
"TerraformMode": "managed"
},
"timeouts": null,
"vpc_id": "vpc-051d8405604cd730d"
},
"sensitive_attributes": [],
"private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjo2MDAwMDAwMDAwMDAsImRlbGV0ZSI6MTIwMDAwMDAwMDAwMH0sInNjaGVtYV92ZXJzaW9uIjoiMSJ9",
"dependencies": [
"aws_vpc.vpc1",
"data.aws_availability_zones.azs",
"data.aws_caller_identity.this"
]
}
]
},
{
"mode": "managed",
"type": "aws_vpc",
"name": "vpc1",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 1,
"attributes": {
"arn": "arn:aws:ec2:ap-northeast-1:040216112220:vpc/vpc-051d8405604cd730d",
"assign_generated_ipv6_cidr_block": true,
"cidr_block": "192.168.123.0/24",
"default_network_acl_id": "acl-0260219cc561ae7f6",
"default_route_table_id": "rtb-08e8cbe49390375f5",
"default_security_group_id": "sg-0b56a9c27e73084bb",
"dhcp_options_id": "dopt-090c9f839527a4c07",
"enable_classiclink": false,
"enable_classiclink_dns_support": false,
"enable_dns_hostnames": true,
"enable_dns_support": true,
"enable_network_address_usage_metrics": false,
"id": "vpc-051d8405604cd730d",
"instance_tenancy": "default",
"ipv4_ipam_pool_id": null,
"ipv4_netmask_length": null,
"ipv6_association_id": "vpc-cidr-assoc-00a8c007b42a44f67",
"ipv6_cidr_block": "2406:da14:ece:ed00::/56",
"ipv6_cidr_block_network_border_group": "ap-northeast-1",
"ipv6_ipam_pool_id": "",
"ipv6_netmask_length": 0,
"main_route_table_id": "rtb-08e8cbe49390375f5",
"owner_id": "040216112220",
"tags": {
"Application": "eks",
"BuildDate": "20230217",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "lab",
"Name": "lab-apne1-xpk-iac-vpc1",
"Project": "iac",
"ServiceProvider": "None",
"TerraformDir": "eks-lab-ip6/network",
"TerraformMode": "managed"
},
"tags_all": {
"Application": "eks",
"BuildDate": "20230217",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "lab",
"Name": "lab-apne1-xpk-iac-vpc1",
"Project": "iac",
"ServiceProvider": "None",
"TerraformDir": "eks-lab-ip6/network",
"TerraformMode": "managed"
}
},
"sensitive_attributes": [],
"private": "eyJzY2hlbWFfdmVyc2lvbiI6IjEifQ==",
"dependencies": [
"data.aws_caller_identity.this"
]
}
]
},
{
"mode": "managed",
"type": "aws_vpc_endpoint",
"name": "eks-vpcep",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"arn": "arn:aws:ec2:ap-northeast-1:040216112220:vpc-endpoint/vpce-0a37185de88ad0767",
"auto_accept": null,
"cidr_blocks": [],
"dns_entry": [
{
"dns_name": "vpce-0a37185de88ad0767-dyxcih00.eks.ap-northeast-1.vpce.amazonaws.com",
"hosted_zone_id": "Z2E726K9Y6RL4W"
},
{
"dns_name": "vpce-0a37185de88ad0767-dyxcih00-ap-northeast-1c.eks.ap-northeast-1.vpce.amazonaws.com",
"hosted_zone_id": "Z2E726K9Y6RL4W"
},
{
"dns_name": "vpce-0a37185de88ad0767-dyxcih00-ap-northeast-1a.eks.ap-northeast-1.vpce.amazonaws.com",
"hosted_zone_id": "Z2E726K9Y6RL4W"
},
{
"dns_name": "eks.ap-northeast-1.amazonaws.com",
"hosted_zone_id": "Z0423227199F7H6UENLXS"
}
],
"dns_options": [
{
"dns_record_ip_type": "ipv4"
}
],
"id": "vpce-0a37185de88ad0767",
"ip_address_type": "ipv4",
"network_interface_ids": [
"eni-04a27c78fb4bc730f",
"eni-08f40839bc1aeebde"
],
"owner_id": "040216112220",
"policy": "{\"Statement\":[{\"Action\":\"*\",\"Effect\":\"Allow\",\"Principal\":\"*\",\"Resource\":\"*\"}]}",
"prefix_list_id": null,
"private_dns_enabled": true,
"requester_managed": false,
"route_table_ids": [],
"security_group_ids": [
"sg-0158a37b2b0205723"
],
"service_name": "com.amazonaws.ap-northeast-1.eks",
"state": "available",
"subnet_ids": [
"subnet-03837a4f086fe607a",
"subnet-0a9f75c427054ca39"
],
"tags": {
"Application": "eks",
"BuildDate": "20230217",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "lab",
"Name": "lab-apne1-xpk-iac-vpcep-eks",
"Project": "iac",
"ServiceProvider": "None",
"TerraformDir": "eks-lab-ip6/network",
"TerraformMode": "managed"
},
"tags_all": {
"Application": "eks",
"BuildDate": "20230217",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "lab",
"Name": "lab-apne1-xpk-iac-vpcep-eks",
"Project": "iac",
"ServiceProvider": "None",
"TerraformDir": "eks-lab-ip6/network",
"TerraformMode": "managed"
},
"timeouts": null,
"vpc_endpoint_type": "Interface",
"vpc_id": "vpc-051d8405604cd730d"
},
"sensitive_attributes": [],
"private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjo2MDAwMDAwMDAwMDAsImRlbGV0ZSI6NjAwMDAwMDAwMDAwLCJ1cGRhdGUiOjYwMDAwMDAwMDAwMH19",
"dependencies": [
"aws_security_group.generic-ep-sg",
"aws_subnet.private-subnets",
"aws_subnet.public-subnets",
"aws_vpc.vpc1",
"data.aws_availability_zones.azs",
"data.aws_caller_identity.this"
]
}
]
}
],
"check_results": null
}


@ -0,0 +1,6 @@
aws-region = "ap-northeast-1"
aws-region-short = "apne1"
customer-name = "xpk"
environment = "lab"
project = "iac"
application = "eks"


@ -0,0 +1,6 @@
variable "aws-region" {}
variable "aws-region-short" {}
variable "customer-name" {}
variable "environment" {}
variable "project" {}
variable "application" {}


@ -0,0 +1 @@
{"Modules":[{"Key":"vpc-subnets.vpc-ep","Source":"../vpc-endpoints","Dir":"../../modules/networking/vpc-endpoints"},{"Key":"vpc-subnets","Source":"../../modules/networking/vpc_subnets","Dir":"../../modules/networking/vpc_subnets"},{"Key":"","Source":"","Dir":"."}]}


@ -0,0 +1 @@
/home/kn/.terraform.d/plugin-cache/registry.terraform.io/hashicorp/aws/4.54.0/linux_amd64


@ -0,0 +1 @@
/home/kn/.terraform.d/plugin-cache/registry.terraform.io/hashicorp/local/2.3.0/linux_amd64


@ -0,0 +1 @@
/home/kn/.terraform.d/plugin-cache/registry.terraform.io/hashicorp/null/3.2.1/linux_amd64


@ -0,0 +1 @@
/home/kn/.terraform.d/plugin-cache/registry.terraform.io/hashicorp/template/2.2.0/linux_amd64


@ -0,0 +1 @@
/home/kn/.terraform.d/plugin-cache/registry.terraform.io/hashicorp/tls/4.0.4/linux_amd64


@ -0,0 +1,10 @@
# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.
provider "registry.terraform.io/hashicorp/aws" {
version = "4.55.0"
constraints = ">= 3.25.0"
hashes = [
"h1:VHfmrKCb4oTW/+rWGKKqipoMOPd4tPxlGwMp0/Flx/s=",
]
}


@ -0,0 +1 @@
/home/kn/.terraform.d/plugin-cache/registry.terraform.io/hashicorp/aws/4.55.0/linux_amd64


@ -0,0 +1,94 @@
# eks-lab
This module creates the following resources
- VPC
- Public and private subnets
- NAT gateway
- EKS cluster
- EKS nodegroup
- EKS bastion
- Install eksctl and kubectl on EKS bastion
## How to use eksctl and kubectl
By default, AWS EKS are installed with an aws-auth configmap which allows only the cluster creator
to work with the cluster. Therefore, one must first assume to the creator IAM role before running eksctl or kubectl.
For example, to create kube config, run these commands:
```bash
export AWS_ACCESS_KEY_ID=xxxx AWS_SECRET_ACCESS_KEY="yyyy" AWS_DEFAULT_REGION=ap-northeast-1
aws eks update-kubeconfig --name lab-apne1-xpk-iac-cluster01
```
## Configure VPC CNI to use custom networking
```bash
kubectl set env daemonset aws-node -n kube-system AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG=true
kubectl set env daemonset aws-node -n kube-system ENI_CONFIG_LABEL_DEF=failure-domain.beta.kubernetes.io/zone
cat <<EOF | kubectl apply -f -
apiVersion: crd.k8s.amazonaws.com/v1alpha1
kind: ENIConfig
metadata:
name: ap-northeast-1a
spec:
subnet: subnet-0d015cc72715685ca
EOF
cat <<EOF | kubectl apply -f -
apiVersion: crd.k8s.amazonaws.com/v1alpha1
kind: ENIConfig
metadata:
name: ap-northeast-1c
spec:
subnet: subnet-030ee2c3e2b730fcc
EOF
```
Then redeploy the nodegroup
```bash
terraform apply -replace="aws_eks_node_group.eks-nodegroup"
```
If successfully done, you will start to see 100.64.0.0 addresses being used on the EKS worker nodes. You can also see it with kubectl:
```bash
root@ip-192-168-123-48:~# kubectl get pods --all-namespaces -o wide
NAMESPACE NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
kube-system aws-node-5892k 1/1 Running 0 4m9s 192.168.123.245 ip-192-168-123-245.ap-northeast-1.compute.internal <none> <none>
kube-system coredns-5fc8d4cdcf-c75z6 1/1 Running 0 13m 100.64.9.249 ip-192-168-123-245.ap-northeast-1.compute.internal <none> <none>
kube-system coredns-5fc8d4cdcf-h5lnl 1/1 Running 0 13m 100.64.13.41 ip-192-168-123-245.ap-northeast-1.compute.internal <none> <none>
kube-system ebs-csi-controller-d6bff959-8459z 6/6 Running 0 13m 100.64.8.74 ip-192-168-123-245.ap-northeast-1.compute.internal <none> <none>
kube-system ebs-csi-controller-d6bff959-vnwlf 6/6 Running 0 5m28s 100.64.11.124 ip-192-168-123-245.ap-northeast-1.compute.internal <none> <none>
kube-system ebs-csi-node-h7w8r 3/3 Running 0 4m9s 100.64.11.188 ip-192-168-123-245.ap-northeast-1.compute.internal <none> <none>
kube-system kube-proxy-vgmdf 1/1 Running 0 4m9s 192.168.123.245 ip-192-168-123-245.ap-northeast-1.compute.internal <none> <none>
```
## Edit configmap/aws-auth
```
kubectl edit -n kube-system configmap/aws-auth
```
Add a group with system:master role
```yaml
apiVersion: v1
data:
mapRoles: |
- groups:
- system:bootstrappers
- system:nodes
rolearn: arn:aws:iam::040216112220:role/clusterCreator
username: system:node:Template:EC2PrivateDNSName
- groups:
- system:masters
rolearn: arn:aws:iam::040216112220:role/lab-apne1-xpk-iac-bast-role
username: lab-apne1-xpk-iac-bast-role
kind: ConfigMap
metadata:
creationTimestamp: "2022-12-29T11:02:15Z"
name: aws-auth
namespace: kube-system
resourceVersion: "59670"
uid: 7cf9d889-8ed2-4c8d-ac0f-092184cede8a
```
## Addon updates
When updating addons, please select advanced options and choose preserve settings.


@ -0,0 +1,7 @@
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACDQnEGn3cwEav+pMKXYvP3KjDYpB+Po/wpcrmQZnh31wgAAAJDu9hUF7vYV
BQAAAAtzc2gtZWQyNTUxOQAAACDQnEGn3cwEav+pMKXYvP3KjDYpB+Po/wpcrmQZnh31wg
AAAEBcvMSW9eqRM2Kd3obuJfHma+nzrsMiRSHO09wjSg4KF9CcQafdzARq/6kwpdi8/cqM
NikH4+j/ClyuZBmeHfXCAAAADWtuQGlzbS56b28ubG8=
-----END OPENSSH PRIVATE KEY-----
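Review bot: This hunk commits an OpenSSH private key to the repository; from the `ssh-keygen -ted25519 -f eks-node-sshkey` comment in main.tf and the matching ed25519 public key in the next file it appears to be the key pair used by `aws_key_pair.eks-node-sshkey` for both the worker nodes and the bastion. A private key that has been in git history should be treated as compromised even after the file is deleted. Remove the file and purge it from history, generate a fresh pair, and re-apply so the nodegroup's `remote_access` and the bastion's `key_name` pick up the new key. Add `eks-node-sshkey` to `.gitignore` so only `eks-node-sshkey.pub`, the file `file()` actually reads, stays tracked.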


@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINCcQafdzARq/6kwpdi8/cqMNikH4+j/ClyuZBmeHfXC kn@ism.zoo.lo


@ -0,0 +1,18 @@
data "aws_caller_identity" "this" {}
locals {
default-tags = merge({
ServiceProvider = "None"
Environment = var.environment
Project = var.project
Application = var.application
TerraformMode = "managed"
TerraformDir = "${local.path-cwd-list[length(local.path-cwd-list) - 2]}/${local.path-cwd-list[length(local.path-cwd-list) - 1]}"
CreatedBy = data.aws_caller_identity.this.arn
BuildDate = formatdate("YYYYMMDD", timestamp())
})
resource-prefix = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}"
path-cwd-list = split("/", path.cwd)
}
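Review bot: `BuildDate = formatdate("YYYYMMDD", timestamp())` inside `default-tags` is re-evaluated on every run, so each resource tagged with `local.default-tags` shows a tag change in every plan after the day it was created; the identical locals block for the network layer later on this page has the same issue. Either pass the date in as a variable or add `lifecycle { ignore_changes = [tags["BuildDate"]] }` on the tagged resources so the tag is written once and then left alone. `TerraformDir` is derived from `path.cwd`, which is the invocation directory rather than the module directory; if terraform is ever run from elsewhere the tag value changes, whereas `path.module` would be stable. A one-line comment on the `default-tags` local stating that these two values are informational only would help the next reader.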


@ -0,0 +1,261 @@
data "terraform_remote_state" "vpc" {
backend = "local"
config = {
path = "../network/terraform.tfstate"
}
}
resource "aws_iam_role" "eks-cluster-role" {
name = "${local.resource-prefix}-cluster-role"
assume_role_policy = jsonencode({
"Version" : "2012-10-17",
"Statement" : [
{
"Effect" : "Allow",
"Principal" : {
"Service" : "eks.amazonaws.com"
},
"Action" : "sts:AssumeRole"
}
]
}
)
managed_policy_arns = ["arn:aws:iam::aws:policy/AmazonEKSClusterPolicy", "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController"]
tags = local.default-tags
}
resource "aws_eks_cluster" "eks-cluster" {
name = "${local.resource-prefix}-cluster01"
role_arn = aws_iam_role.eks-cluster-role.arn
vpc_config {
subnet_ids = data.terraform_remote_state.vpc.outputs.private-subnet-ids
endpoint_private_access = true
endpoint_public_access = false
}
enabled_cluster_log_types = ["api", "audit"]
kubernetes_network_config {
service_ipv4_cidr = "172.16.0.0/16"
ip_family = "ipv4"
}
tags = local.default-tags
}
resource "aws_eks_addon" "eks-addons" {
# for_each = toset(["vpc-cni", "coredns", "kube-proxy", "aws-ebs-csi-driver"])
# latest version as on 2023-02-17 failed to deploy
for_each = {
"aws-ebs-csi-driver" : {
"version" : "v1.15.0-eksbuild.1"
},
"vpc-cni" : {
"version" : "v1.12.2-eksbuild.1"
},
"coredns" : {
"version" : "v1.9.3-eksbuild.2"
},
"kube-proxy" : {
"version" : "v1.24.9-eksbuild.2"
}
}
cluster_name = aws_eks_cluster.eks-cluster.name
addon_name = each.key
# addon_version = each.value["version"]
tags = local.default-tags
}
resource "aws_iam_role" "eks-nodegroup-role" {
name = "${local.resource-prefix}-nodegroup-role"
assume_role_policy = jsonencode({
"Version" : "2012-10-17",
"Statement" : [
{
"Effect" : "Allow",
"Principal" : {
"Service" : "ec2.amazonaws.com"
},
"Action" : "sts:AssumeRole"
}
]
}
)
managed_policy_arns = [
"arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
"arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
]
tags = local.default-tags
}
data "aws_ssm_parameter" "eks_ami_release_version" {
name = "/aws/service/eks/optimized-ami/${aws_eks_cluster.eks-cluster.version}/amazon-linux-2/recommended/release_version"
}
# manually generate the key: ssh-keygen -ted25519 -f eks-node-sshkey
# file() can only read pre-existing file
resource "aws_key_pair" "eks-node-sshkey" {
key_name = "${local.resource-prefix}-eks-node-sshkey"
public_key = file("${path.module}/eks-node-sshkey.pub")
}
resource "aws_security_group" "eks-node-sg" {
name = "${local.resource-prefix}-eks-node-sg"
description = "Allow ssh to EKS nodes"
vpc_id = data.terraform_remote_state.vpc.outputs.vpc-id
ingress {
description = "SSH from VPC"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = [data.terraform_remote_state.vpc.outputs.vpc-cidr]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
tags = local.default-tags
}
resource "aws_eks_node_group" "eks-nodegroup" {
cluster_name = aws_eks_cluster.eks-cluster.name
node_group_name_prefix = "${local.resource-prefix}-eks-ng"
node_role_arn = aws_iam_role.eks-nodegroup-role.arn
subnet_ids = data.terraform_remote_state.vpc.outputs.private-subnet-ids
version = aws_eks_cluster.eks-cluster.version
release_version = nonsensitive(data.aws_ssm_parameter.eks_ami_release_version.value)
instance_types = ["t3.small"]
scaling_config {
desired_size = 1
max_size = 2
min_size = 1
}
update_config {
max_unavailable = 1
}
remote_access {
ec2_ssh_key = aws_key_pair.eks-node-sshkey.key_name
source_security_group_ids = [aws_security_group.eks-node-sg.id]
}
tags = local.default-tags
}
# ec2 instance for EKS management
data "aws_ami" "ubuntu" {
most_recent = true
filter {
name = "name"
values = ["ubuntu/images/hvm-ssd/ubuntu-*-amd64-server-*"]
}
filter {
name = "virtualization-type"
values = ["hvm"]
}
owners = ["099720109477"] # Canonical
}
resource "aws_security_group" "eks-bast-sg" {
name = "${local.resource-prefix}-eks-bast-sg"
description = "Allow ssh to EKS bast"
vpc_id = data.terraform_remote_state.vpc.outputs.vpc-id
ingress {
description = "SSH from VPC"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["223.18.148.85/32"]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
tags = local.default-tags
}
resource "aws_iam_role" "eks-bast-role" {
name = "${local.resource-prefix}-bast-role"
assume_role_policy = jsonencode({
"Version" : "2012-10-17",
"Statement" : [
{
"Effect" : "Allow",
"Principal" : {
"Service" : "ec2.amazonaws.com"
},
"Action" : "sts:AssumeRole"
}
]
})
inline_policy {
name = "eks-bast-policy"
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = ["eks:*", "ecr:*"]
Effect = "Allow"
Resource = "*"
},
]
})
}
managed_policy_arns = ["arn:aws:iam::aws:policy/ReadOnlyAccess"]
tags = local.default-tags
}
resource "aws_iam_instance_profile" "eks-bast-iam-profile" {
name = "eksBastIamProfile"
role = aws_iam_role.eks-bast-role.name
}
resource "aws_instance" "eks-bast" {
ami = data.aws_ami.ubuntu.id
instance_type = "t3.micro"
associate_public_ip_address = true
ebs_optimized = true
key_name = aws_key_pair.eks-node-sshkey.key_name
vpc_security_group_ids = [aws_security_group.eks-bast-sg.id, aws_eks_cluster.eks-cluster.vpc_config[0].cluster_security_group_id]
subnet_id = data.terraform_remote_state.vpc.outputs.public-subnet-ids[0]
iam_instance_profile = aws_iam_instance_profile.eks-bast-iam-profile.name
root_block_device {
volume_size = 8
volume_type = "gp3"
tags = local.default-tags
}
tags = merge(local.default-tags, { "Name" : "${local.resource-prefix}-eks-bast" })
user_data = <<EOF
#!/bin/bash
echo "Install unzip"
apt install unzip -y
echo "Install eksctl"
curl --silent --location "https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_$(uname -s)_amd64.tar.gz" | tar xz -C /tmp
mv /tmp/eksctl /usr/local/bin
echo "Install kubectl"
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
mv kubectl /usr/local/bin/
chmod 755 /usr/local/bin/kubectl
echo "Install awscliv2"
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install
EOF
}
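Review bot: `aws_instance.eks-bast` sets no `metadata_options`, so IMDSv1 stays enabled on a host whose instance profile grants `eks:*` and `ecr:*` on `Resource = "*"` plus `ReadOnlyAccess`, and whose role the README maps to `system:masters` in aws-auth; add `metadata_options { http_tokens = "required" }` and scope the inline policy's `Resource` to the cluster ARN where the actions allow it. The bastion security group hard-codes an operator address, `cidr_blocks = ["223.18.148.85/32"]`, which should come from a variable rather than live in the module. The `user_data` script installs eksctl, kubectl and awscli from `latest`/`stable.txt` downloads without checksum verification, runs `apt install` with no preceding `apt update`, and calls `sudo` although user_data already runs as root — pinning the versions and verifying the published checksums would make the bastion reproducible. `instance_types = ["t3.small"]` also conflicts with the README's "t3.large at the minimum" guidance if that guidance applies to this layer rather than only the ip6 layer. The `terraform_remote_state` at the top reads a `local` backend and the commit adds the `terraform.tfstate` files themselves; state carries account and resource identifiers and belongs in a gitignored local file or a remote backend.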


@ -0,0 +1,9 @@
/*
output eks-cluster-sg {
value = aws_eks_cluster.eks-cluster.vpc_config.*.cluster_security_group_id
}
*/
output eks-bast-ip {
value = aws_instance.eks-bast.public_ip
}


@ -0,0 +1,13 @@
provider "aws" {
region = var.aws-region
}
terraform {
required_version = ">= 1.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 3.25"
}
}
}


@ -0,0 +1,9 @@
{
"version": 4,
"terraform_version": "1.3.7",
"serial": 113,
"lineage": "61b12344-3edc-e800-e200-edd57322a557",
"outputs": {},
"resources": [],
"check_results": null
}



@ -0,0 +1,6 @@
aws-region = "ap-northeast-1"
aws-region-short = "apne1"
customer-name = "xpk"
environment = "lab"
project = "iac"
application = "eks"


@ -0,0 +1,6 @@
variable "aws-region" {}
variable "aws-region-short" {}
variable "customer-name" {}
variable "environment" {}
variable "project" {}
variable "application" {}


@ -0,0 +1,25 @@
# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.
provider "registry.terraform.io/hashicorp/aws" {
version = "4.55.0"
constraints = ">= 3.25.0, >= 3.75.2"
hashes = [
"h1:VHfmrKCb4oTW/+rWGKKqipoMOPd4tPxlGwMp0/Flx/s=",
"zh:0866f25575bad3b9c313cd778c94fc65e79d335af2d20a3480f79d7731d93b7b",
"zh:2c05c16155cbc054622cf83e4b6614fef35935b00b238e4c21ee225e6c896770",
"zh:2efba66649fb12af0492c6cce4e2361fe9139df648734264f61a9a1ef754df53",
"zh:3c60bb53e3b65d7f86699fae0797a55a9aa41b8ba377aaff4daf23d1661393a9",
"zh:41f6dcd90b54b623d523df8fb4a30779cfe22e9ab59516bc05b29291a7af0946",
"zh:4b8330b154e9e2d035dd5488abcac25efec1fa6055d3a70894a8c0384f0579d6",
"zh:595f263706cf1fb6b8447e2ec343638de4360841a15e6bff6ccbb0ff86c7ce74",
"zh:5dfc5b858a43cf45fde5542eb673f6104c14cdc3d73843d1b87a9e44545cbad4",
"zh:7bbe05cf30521f0110603bb84995a4025ce7810626010276600e4b402143df27",
"zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
"zh:a490e68c63504d3301d6dcb700c95778d93bb2baa6632a46c5a1d62862a7067c",
"zh:c4f9f6659148528375c8a822163925c9aae490ccce2e6301cefbbab009531971",
"zh:ef66070f957408f1c924ddfd5dbd0d34bce16efd9e36ccecbf699de72beb131f",
"zh:f7ba5e3e62a2b51b24e326797a89fdd86bafaea7d1912738d514c9903c14d7f2",
"zh:ffc20b7d9f7bd331fb6451d0fc92c68196383d7115e69380de6566cc268cb9b9",
]
}


@ -0,0 +1 @@
{"Modules":[{"Key":"","Source":"","Dir":"."},{"Key":"vpc-subnets","Source":"../../../modules/networking/vpc_subnets","Dir":"../../../modules/networking/vpc_subnets"},{"Key":"vpc-subnets.vpc-ep","Source":"../vpc-endpoints","Dir":"../../../modules/networking/vpc-endpoints"}]}


@ -0,0 +1 @@
/home/kn/.terraform.d/plugin-cache/registry.terraform.io/hashicorp/aws/4.55.0/linux_amd64


@ -0,0 +1,8 @@
# eks-lab/network
This module creates the following resources
- VPC
- Public and private subnets
- NAT gateway
A secondary CIDR range is added to the VPC. Later on in the EKS layer, EKS will be configured to use the secondary CIDR.
See https://aws.amazon.com/premiumsupport/knowledge-center/eks-multiple-cidr-ranges/


@ -0,0 +1,18 @@
data "aws_caller_identity" "this" {}
locals {
default-tags = merge({
ServiceProvider = "None"
Environment = var.environment
Project = var.project
Application = var.application
TerraformMode = "managed"
TerraformDir = "${local.path-cwd-list[length(local.path-cwd-list) - 2]}/${local.path-cwd-list[length(local.path-cwd-list) - 1]}"
CreatedBy = data.aws_caller_identity.this.arn
BuildDate = formatdate("YYYYMMDD", timestamp())
})
resource-prefix = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}"
path-cwd-list = split("/", path.cwd)
}


@ -0,0 +1,55 @@
# Create VPC and subnets
module "vpc-subnets" {
source = "../../../modules/networking/vpc_subnets"
application = var.application
aws-region = var.aws-region
customer-name = var.customer-name
default-tags = local.default-tags
environment = var.environment
project = var.project
vpc-cidr = "192.168.123.0/24"
vpcflowlog-cwl-loggroup-key-arn = ""
number-of-private-subnets-per-az = 1
number-of-public-subnets-per-az = 1
create-nat-gateway = true
create-free-vpc-endpoints = true
enable-flow-log = false
}
# secondary CIDR for EKS
# https://aws.amazon.com/premiumsupport/knowledge-center/eks-multiple-cidr-ranges/
resource "aws_vpc_ipv4_cidr_block_association" "secondary_cidr" {
vpc_id = module.vpc-subnets.vpc_id
cidr_block = "100.64.0.0/16"
}
resource "aws_subnet" "cidr2-subnet1a" {
vpc_id = module.vpc-subnets.vpc_id
cidr_block = "100.64.0.0/21"
tags = merge(local.default-tags, {"Name" : "${local.resource-prefix}-private-1a-eks"})
}
resource "aws_route_table_association" "cidr2-subnet1a-rtb-asso" {
subnet_id = aws_subnet.cidr2-subnet1a.id
route_table_id = module.vpc-subnets.private-rtb-id
}
resource "aws_subnet" "cidr2-subnet1c" {
vpc_id = module.vpc-subnets.vpc_id
cidr_block = "100.64.8.0/21"
tags = merge(local.default-tags, {"Name" : "${local.resource-prefix}-private-1c-eks"})
}
resource "aws_route_table_association" "cidr2-subnet1c-rtb-asso" {
subnet_id = aws_subnet.cidr2-subnet1c.id
route_table_id = module.vpc-subnets.private-rtb-id
}
resource "aws_vpc_endpoint" "eks-vpcep" {
vpc_id = module.vpc-subnets.vpc_id
service_name = "com.amazonaws.${var.aws-region}.eks"
vpc_endpoint_type = "Interface"
tags = merge(local.default-tags, { "Name" : "${local.resource-prefix}-vpcep-eks" })
}
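Review bot: `aws_subnet.cidr2-subnet1a` and `aws_subnet.cidr2-subnet1c` set no `availability_zone`, so AWS places each in an arbitrary zone even though their Name tags and the per-AZ `ENIConfig` objects in the README (named ap-northeast-1a and ap-northeast-1c) assume fixed zones; add `availability_zone = "${var.aws-region}a"` and `availability_zone = "${var.aws-region}c"` respectively, or derive them from the AZ list the vpc-subnets module already uses. `aws_vpc_endpoint.eks-vpcep` is an Interface endpoint declared without `subnet_ids`, `security_group_ids` or `private_dns_enabled`, so it creates no ENIs, falls back to the VPC default security group (which this repo's vpc_subnets module hardens to self-only traffic), and does not take over the regional EKS hostname — the endpoint recorded in the ip6 layer's state earlier on this page sets all three. `enable-flow-log = false` leaves the VPC without flow logs; if that is deliberate for a lab, a comment saying so would stop it being copied into non-lab layers.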


@ -0,0 +1,15 @@
output vpc-cidr {
value = module.vpc-subnets.vpc-cidr
}
output vpc-id {
value = module.vpc-subnets.vpc_id
}
output private-subnet-ids {
value = module.vpc-subnets.private-subnet-ids
}
output public-subnet-ids {
value = module.vpc-subnets.public-subnet-ids
}


@ -0,0 +1,13 @@
provider "aws" {
region = var.aws-region
}
terraform {
required_version = ">= 1.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 3.25"
}
}
}


@ -0,0 +1,16 @@
{
"version": 4,
"terraform_version": "1.3.7",
"serial": 70,
"lineage": "ee2778d9-f9d6-f368-21c3-1a1e2778fc15",
"outputs": {},
"resources": [],
"check_results": [
{
"object_kind": "resource",
"config_addr": "module.vpc-subnets.module.vpc-ep.data.aws_vpc.this-vpc",
"status": "unknown",
"objects": null
}
]
}


@ -0,0 +1,125 @@
{
"version": 4,
"terraform_version": "1.3.7",
"serial": 63,
"lineage": "ee2778d9-f9d6-f368-21c3-1a1e2778fc15",
"outputs": {},
"resources": [
{
"mode": "data",
"type": "aws_caller_identity",
"name": "this",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"account_id": "040216112220",
"arn": "arn:aws:iam::040216112220:user/ken2026",
"id": "040216112220",
"user_id": "AIDAQSXIRFROOXYISSIEQ"
},
"sensitive_attributes": []
}
]
},
{
"mode": "managed",
"type": "aws_vpc_ipv4_cidr_block_association",
"name": "secondary_cidr",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"cidr_block": "100.64.0.0/16",
"id": "vpc-cidr-assoc-023e2a1c53aa39448",
"ipv4_ipam_pool_id": null,
"ipv4_netmask_length": null,
"timeouts": null,
"vpc_id": "vpc-0ea2750f798358708"
},
"sensitive_attributes": [],
"private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjo2MDAwMDAwMDAwMDAsImRlbGV0ZSI6NjAwMDAwMDAwMDAwfX0=",
"dependencies": [
"data.aws_caller_identity.this",
"module.vpc-subnets.aws_vpc.vpc"
]
}
]
},
{
"module": "module.vpc-subnets",
"mode": "managed",
"type": "aws_vpc",
"name": "vpc",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 1,
"attributes": {
"arn": "arn:aws:ec2:ap-northeast-1:040216112220:vpc/vpc-0ea2750f798358708",
"assign_generated_ipv6_cidr_block": false,
"cidr_block": "192.168.123.0/24",
"default_network_acl_id": "acl-071f6e3e57003c3ea",
"default_route_table_id": "rtb-094b1da133f919558",
"default_security_group_id": "sg-00852e5eba267541f",
"dhcp_options_id": "dopt-090c9f839527a4c07",
"enable_classiclink": false,
"enable_classiclink_dns_support": false,
"enable_dns_hostnames": true,
"enable_dns_support": true,
"enable_network_address_usage_metrics": false,
"id": "vpc-0ea2750f798358708",
"instance_tenancy": "default",
"ipv4_ipam_pool_id": null,
"ipv4_netmask_length": null,
"ipv6_association_id": "",
"ipv6_cidr_block": "",
"ipv6_cidr_block_network_border_group": "",
"ipv6_ipam_pool_id": "",
"ipv6_netmask_length": 0,
"main_route_table_id": "rtb-094b1da133f919558",
"owner_id": "040216112220",
"tags": {
"Application": "eks",
"BuildDate": "20230217",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "lab",
"Name": "lab-ap-xpk-iac-vpc",
"Project": "iac",
"ServiceProvider": "None",
"TerraformDir": "eks-lab/network",
"TerraformMode": "managed"
},
"tags_all": {
"Application": "eks",
"BuildDate": "20230217",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "lab",
"Name": "lab-ap-xpk-iac-vpc",
"Project": "iac",
"ServiceProvider": "None",
"TerraformDir": "eks-lab/network",
"TerraformMode": "managed"
}
},
"sensitive_attributes": [],
"private": "eyJzY2hlbWFfdmVyc2lvbiI6IjEifQ==",
"dependencies": [
"data.aws_caller_identity.this"
],
"create_before_destroy": true
}
]
}
],
"check_results": [
{
"object_kind": "resource",
"config_addr": "module.vpc-subnets.module.vpc-ep.data.aws_vpc.this-vpc",
"status": "unknown",
"objects": null
}
]
}


@ -0,0 +1,6 @@
aws-region = "ap-northeast-1"
aws-region-short = "apne1"
customer-name = "xpk"
environment = "lab"
project = "iac"
application = "eks"


@ -0,0 +1,6 @@
variable "aws-region" {}
variable "aws-region-short" {}
variable "customer-name" {}
variable "environment" {}
variable "project" {}
variable "application" {}


@ -1,7 +1,7 @@
resource "aws_vpc_endpoint" "vpc-interface-ep" { resource "aws_vpc_endpoint" "vpc-interface-ep" {
for_each = toset(var.interface-ep-services) for_each = toset(var.interface-ep-services)
vpc_id = data.aws_vpc.this-vpc.id vpc_id = data.aws_vpc.this-vpc.id
service_name = "com.amazonaws.ap-east-1.${each.value}" service_name = "com.amazonaws.${var.aws-region}.${each.value}"
vpc_endpoint_type = "Interface" vpc_endpoint_type = "Interface"
security_group_ids = [ security_group_ids = [
@ -41,7 +41,7 @@ resource "aws_security_group" "generic-ep-sg" {
resource "aws_vpc_endpoint" "vpc-gateway-ep" { resource "aws_vpc_endpoint" "vpc-gateway-ep" {
for_each = toset(var.gateway-ep-services) for_each = toset(var.gateway-ep-services)
vpc_id = data.aws_vpc.this-vpc.id vpc_id = data.aws_vpc.this-vpc.id
service_name = "com.amazonaws.ap-east-1.${each.value}" service_name = "com.amazonaws.${var.aws-region}.${each.value}"
vpc_endpoint_type = "Gateway" vpc_endpoint_type = "Gateway"
tags = merge({"Name": "${var.resource-prefix}-vpcep-${each.value}"},var.default-tags) tags = merge({"Name": "${var.resource-prefix}-vpcep-${each.value}"},var.default-tags)


@ -9,3 +9,4 @@ variable gateway-ep-services {
} }
variable default-tags {} variable default-tags {}
variable resource-prefix {} variable resource-prefix {}
variable aws-region {}


@ -17,3 +17,15 @@ output public-subnet-ids {
output private-subnet-ids { output private-subnet-ids {
value = aws_subnet.private-subnets.*.id value = aws_subnet.private-subnets.*.id
} }
output vpc-cidr {
value = aws_vpc.vpc.cidr_block
}
output private-rtb-id {
value = aws_route_table.private-route-table[0].id
}
output public-rtb-id {
value = aws_route_table.public-route-table[0].id
}
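Review bot: The new `private-rtb-id` and `public-rtb-id` outputs index `[0]` into route tables whose `count` is conditional (`var.number-of-private-subnets-per-az > 0 ? 1 : 0` and the public equivalent, visible in the main.tf hunks below), so any caller that sets either subnet count to zero gets an invalid-index error at plan time instead of a null output. Use `value = one(aws_route_table.private-route-table[*].id)` and `value = one(aws_route_table.public-route-table[*].id)`; `one()` yields null for an empty list and has been available since Terraform 0.15, so it is fine for the `>= 1.0` layers on this page. The existing `vpc-cidr` output is unaffected.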


@ -15,7 +15,7 @@ locals {
private-subnets = slice(local.simple-divide, var.number-of-public-subnets-per-az * local.no-az, local.total-no-subnets) private-subnets = slice(local.simple-divide, var.number-of-public-subnets-per-az * local.no-az, local.total-no-subnets)
} }
resource aws_subnet private-subnets { resource "aws_subnet" "private-subnets" {
count = length(local.private-subnets) count = length(local.private-subnets)
# count = length(var.private-subnet-cidrs) # count = length(var.private-subnet-cidrs)
# count = var.number-of-private-subnets-per-az * length(data.aws_availability_zones.available-az.names) # count = var.number-of-private-subnets-per-az * length(data.aws_availability_zones.available-az.names)
@ -32,7 +32,7 @@ resource aws_subnet private-subnets {
) )
} }
resource aws_subnet public-subnets { resource "aws_subnet" "public-subnets" {
count = length(local.public-subnets) count = length(local.public-subnets)
# count = length(var.public-subnet-cidrs) # count = length(var.public-subnet-cidrs)
# count = var.number-of-public-subnets-per-az * length(data.aws_availability_zones.available-az.names) # count = var.number-of-public-subnets-per-az * length(data.aws_availability_zones.available-az.names)
@ -100,7 +100,7 @@ resource "aws_nat_gateway" "ngw" {
depends_on = [aws_internet_gateway.igw] depends_on = [aws_internet_gateway.igw]
} }
resource aws_route_table public-route-table { resource "aws_route_table" "public-route-table" {
count = var.number-of-public-subnets-per-az > 0 ? 1 : 0 count = var.number-of-public-subnets-per-az > 0 ? 1 : 0
vpc_id = aws_vpc.vpc.id vpc_id = aws_vpc.vpc.id
tags = merge( tags = merge(
@ -111,7 +111,7 @@ resource aws_route_table public-route-table {
) )
} }
resource aws_route_table private-route-table { resource "aws_route_table" "private-route-table" {
count = var.number-of-private-subnets-per-az > 0 ? 1 : 0 count = var.number-of-private-subnets-per-az > 0 ? 1 : 0
vpc_id = aws_vpc.vpc.id vpc_id = aws_vpc.vpc.id
tags = merge( tags = merge(
@ -155,7 +155,7 @@ harden default security group. the default sg created by aws allows all egress.
this resource limits ingress and egress from and to itself this resource limits ingress and egress from and to itself
*/ */
resource "aws_default_security_group" default-sg { resource "aws_default_security_group" "default-sg" {
vpc_id = aws_vpc.vpc.id vpc_id = aws_vpc.vpc.id
ingress { ingress {
protocol = -1 protocol = -1
@ -180,7 +180,7 @@ resource "aws_default_security_group" default-sg {
} }
# Enable gateway endpoints which are free # Enable gateway endpoints which are free
module vpc-ep { module "vpc-ep" {
count = var.create-free-vpc-endpoints ? 1 : 0 count = var.create-free-vpc-endpoints ? 1 : 0
source = "../vpc-endpoints" source = "../vpc-endpoints"
@ -189,4 +189,5 @@ module vpc-ep {
interface-ep-services = [] interface-ep-services = []
resource-prefix = local.resource-prefix resource-prefix = local.resource-prefix
vpc-id = aws_vpc.vpc.id vpc-id = aws_vpc.vpc.id
aws-region = var.aws-region
} }