HistoryPurge: Clearing out 238 old commits

This commit is contained in:
xpk 2024-10-24 23:06:25 +08:00
commit a9c0c1e61e
Signed by: xpk
GPG Key ID: CD4FF6793F09AB86
649 changed files with 63886 additions and 0 deletions

17
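--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,17 @@
+*.tfstate.backup
+*.backup
+*.tfstate
+*.tfstate.lock
+**/*.tfstate
+**/*.backup
+.terraform/
+.DS_Store
+*.iml
+.idea
+.terraform.lock.hcl
+*.log
+examples/
+experimental/
+headdesk-aws/
+vsphere-yige/
+anz-sandbox/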
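Review bot: The ignore rules here cannot retroactively un-track files, and this same commit adds exactly the things they name: two `terraform.tfstate` JSON sections, `.terraform/modules/modules.json` and the provider-path files (which also record a workstation path under `/home/kn/.terraform.d/`), and two `.terraform.lock.hcl` files, all under `examples/`, which is itself listed. Those files need to be removed from the index (they stay on disk) before the patterns take effect, and `git ls-files` filtered for `tfstate` and `.terraform/` is a quick way to confirm nothing is still tracked. Ignoring `.terraform.lock.hcl` is also worth reconsidering: the lock file is what pins provider versions and their `h1:`/`zh:` hashes, so keeping it out of version control means each `init` may resolve a different provider build than the one that was reviewed.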

3
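--- a/.gitmodules
+++ b/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "modules/ApplicationIntegration/terraform-aws-apigateway-v2"]
+path = modules/ApplicationIntegration/terraform-aws-apigateway-v2
+url = https://github.com/terraform-aws-modules/terraform-aws-apigateway-v2.git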

12
LICENSE Normal file

@ -0,0 +1,12 @@
BSD Zero Clause License
Permission to use, copy, modify, and/or distribute this software for any
purpose with or without fee is hereby granted.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.

6
README.md Normal file

@ -0,0 +1,6 @@
# terraform.aws-baseline-infra
terraform modules for deploying baseline resources.
## Repo info
URL: https://xpk.headdesk.me/git/xpk/terraform.aws-baseline-infra


@ -0,0 +1,20 @@
# This file is maintained automatically by "tofu init".
# Manual edits may be lost in future updates.
provider "registry.opentofu.org/hashicorp/aws" {
version = "5.47.0"
constraints = "~> 5.0"
hashes = [
"h1:oBap1Z3sKRRzRqKjkILpql/fa0gssLL/iqjDu62105I=",
"zh:0a22081994a733ef564fefdf9660e172af97ea2d2e34bcdaa4868300436248e8",
"zh:4a1be5a820a33baeaf81dc33d37e46a0f813f5395247f6449646fae7c9608a53",
"zh:8e156edfe38e2aed76c02e835eb6ba1fa4444feacdb824500cfdbad76abd0582",
"zh:9062035afc3d592dbbbd7f7cb41d4ce077e06584251aac50d116c04b4e3b4d3b",
"zh:a3abedd6b5640bf20d0d39ecaa938e382cbfe54dfb129c3fc291d9d695d9dffc",
"zh:b8ee3c37f497410a307e102638f8ce1cc1c77099498ff5438e506ce604cdf8dd",
"zh:c64d812bfdff6e7a6729bc035f6f8c86e69a01e9409fe1db551a233e320dc9e5",
"zh:c8df7f2993fdfc1bd15ab48eb280f4d11c5526c632c3beb62f014c0079715160",
"zh:cf413154640dcd5ee7286b43e395495f8f44d72f717cf2a20234c240cba528fa",
"zh:f5186377a986b96150611d891700d49125367b4ad3ab534b429305e8fdaa8dcc",
]
}


@ -0,0 +1,40 @@
module "aws-backup" {
source = "../../modules/storage/aws-backup"
daily-backup-cron = var.daily-backup-cron
monthly-backup-cron = var.monthly-backup-cron
daily-backup-retention = var.daily-backup-retention
monthly-backup-retention = var.monthly-backup-retention
service-opt-in = {
"Aurora" : {
enabled = false
}
"DynamoDB" : {
enabled = true
}
"EBS" : {
enabled = false
}
"EC2" : {
enabled = true
}
"EFS" : {
enabled = true
}
"FSx" : {
enabled = false
}
"Redshift" : {
enabled = true
}
"RDS" : {
enabled = true
}
"VirtualMachine" : {
enabled = false
}
"S3" : {
enabled = false
}
}
}


@ -0,0 +1,23 @@
provider "aws" {
region = var.aws-region
default_tags {
tags = {
ServiceProvider = "RackspaceTechnology"
Environment = var.environment
Project = var.project
Application = var.application
Owner = var.owner
TerraformDir = "${reverse(split("/", path.cwd))[1]}/${reverse(split("/", path.cwd))[0]}"
}
}
}
terraform {
required_version = ">= 1.3.9"
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.0"
}
}
}
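Review bot: `TerraformDir` evaluates `reverse(split("/", path.cwd))` twice to pick out the last two path components; `"${basename(dirname(path.cwd))}/${basename(path.cwd)}"` says the same thing without the duplicated expression. Because this sits in provider `default_tags`, the value lands on every taggable resource in the account, so the local checkout's directory names are published into AWS; that is harmless for a repo-relative path but deserves a comment such as `# last two components of the working dir, e.g. examples/backup`. The `~> 5.0` / `>= 1.3.9` constraints here differ from the `~> 3.75.2` / `~> 1.2.5` pair in the baseline example's providers.tf, so the two examples cannot currently be applied with one Terraform binary.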


@ -0,0 +1,11 @@
aws-region = "ap-east-1"
customer-name = "ken2026"
environment = "dev"
project = "iac"
application = "backup"
owner = "ken2026"
daily-backup-retention = 31
daily-backup-cron = "cron(0 20 * * ? *)"
monthly-backup-retention = 365
monthly-backup-cron = "cron(0 20 1 * ? *)"
# cron(Minutes Hours Day-of-month Month Day-of-week Year)


@ -0,0 +1,11 @@
variable "aws-region" {}
variable "customer-name" {}
variable "environment" {}
variable "project" {}
variable "application" {}
variable "owner" {}
variable "daily-backup-retention" {}
variable "daily-backup-cron" {}
variable "monthly-backup-retention" {}
variable "monthly-backup-cron" {}
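Review bot: Every variable here is declared as an empty block, so nothing constrains or documents the inputs; the retention values and cron strings in particular are easy to get wrong silently. Each block should carry at least `type` and `description`, for example `type = number` with `description = "Days to keep daily recovery points"` on `daily-backup-retention`, and `type = string` with a description quoting the `cron(Minutes Hours Day-of-month Month Day-of-week Year)` layout on the two cron variables, so the comment currently living in terraform.tfvars travels with the definition.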

BIN
examples/backup.tar Normal file

Binary file not shown.


@ -0,0 +1,12 @@
# Root module for creating baseline resources including:
- iam password policy
- delete default VPCs in all region
- create cloudtrail
- enable aws config in all region
- enable guardduty
- enable securityhub
- disable s3 public access
- require EBS encryption
## If AWS organisation is in use
If you are using AWS organisation, setup delegated admin for guardduty and securityhub. This allows centralised management.


@ -0,0 +1,51 @@
module "iam-baseline" {
# iam password policy, baseline roles, access analyzer, cloudhealth role
source = "../../modules/security_identity_compliance/roles_iam_resources"
customer-name = var.customer-name
default-tags = local.default-tags
create-cloudhealth-resources = false
}
module "cloudtrail" {
# Create cloudtrail
source = "../../modules/security_identity_compliance/cloudtrail_cwlogs"
resource-prefix = local.resource-prefix
default-tags = local.default-tags
}
module "delete-default-vpcs" {
# delete default VPCs in all regions
source = "../../modules/networking/delete-default-vpcs"
}
module "enable-aws-config" {
# enable aws config in all regions and setup aggregation
source = "../../modules/security_identity_compliance/aws_config"
resource-prefix = local.resource-prefix
default-tags = local.default-tags
}
module "enable-guardduty" {
/* enable guardduty
If you are using AWS organisation, GD delegated admin should be configured
on the landing zone security account. This allows centralised management.
See https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html
*/
source = "../../modules/security_identity_compliance/guardduty"
default-tags = local.default-tags
}
module "enable-securityhub" {
/* enable security hub
If you are using AWS organisation, SH deleted admin should be configured
on the landing zone security account. This allows centralised management.
https://docs.aws.amazon.com/securityhub/latest/userguide/designate-orgs-admin-account.html
*/
source = "../../modules/security_identity_compliance/security_hub"
}
module "default-account-settings" {
# other default account settings
source = "../../modules/security_identity_compliance/other-default-settings"
}
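Review bot: The comment on `enable-securityhub` reads `SH deleted admin`; it should say `SH delegated admin`, matching the guardduty comment above it. `delete-default-vpcs`, `enable-securityhub` and `default-account-settings` are the only module calls that do not receive `default-tags`, while the other four do; if those modules create any taggable resources they will be missing the baseline tags, so either pass `default-tags = local.default-tags` or note in the comment that the module creates nothing taggable. The README for this example lists S3 public-access blocking and EBS encryption by default among the baseline controls but nothing here says which module provides them; presumably it is `other-default-settings`, and a comment to that effect on `default-account-settings` would save the next reader a search.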


@ -0,0 +1,13 @@
provider "aws" {
region = var.aws-region
}
terraform {
required_version = "~> 1.2.5"
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 3.75.2"
}
}
}


@ -0,0 +1,5 @@
aws-region = "ap-southeast-1"
customer-name = "ken2026"
environment = "lab"
project = "terraform-dev"
application = "infra"


@ -0,0 +1,19 @@
variable "aws-region" {}
variable "customer-name" {}
variable "environment" {}
variable "project" {}
variable "application" {}
locals {
default-tags = {
ServiceProvider = "RackspaceTechnology"
Environment = var.environment
Project = var.project
Application = var.application
TerraformMode = "managed"
TerraformDir = trimprefix(path.cwd, "/my/work/xpk-git/")
BuildDate = formatdate("YYYYMMDD", timestamp())
}
resource-prefix = "${var.environment}-substr(${var.aws-region},0,2)-${var.customer-name}-${var.project}"
}
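Review bot: `resource-prefix` places `substr(...)` inside the string literal rather than inside an interpolation, so the prefix expands to the literal text `lab-substr(ap-southeast-1,0,2)-...` instead of `lab-ap-...`; it should be `resource-prefix = "${var.environment}-${substr(var.aws-region, 0, 2)}-${var.customer-name}-${var.project}"`. `BuildDate = formatdate("YYYYMMDD", timestamp())` in `default-tags` yields a new value on every run after midnight, so every tagged resource shows a perpetual diff; passing the build date in as an input variable set by the pipeline avoids the drift. `TerraformDir = trimprefix(path.cwd, "/my/work/xpk-git/")` is hard-coded to one workstation's layout, and on any other checkout the tag carries the full absolute local path into AWS; `basename(path.cwd)` or a repo-relative value would be portable. The bea-adc example's locals.tf repeats the `BuildDate` and `trimprefix` expressions.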


@ -0,0 +1,32 @@
# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.
provider "registry.terraform.io/hashicorp/aws" {
version = "4.46.0"
constraints = ">= 3.25.0, >= 3.75.2"
hashes = [
"h1:EZB4OgvytV38JpWyye9zoMQ0bfT9yB9xSXM5NY3Lrws=",
"zh:1678e6a4bdb3d81a6713adc62ca0fdb8250c584e10c10d1daca72316e9db8df2",
"zh:329903acf86ef6072502736dff4c43c2b50f762a958f76aa924e2d74c7fca1e3",
"zh:33db8131fe0ec7e1d9f30bc9f65c2440e9c1f708d681b6062757a351f1df7ce6",
"zh:3a3b010bc393784c16f4b6cdce7f76db93d5efa323fce4920bfea9e9ba6abe44",
"zh:979e2713a5759a7483a065e149e3cb69db9225326fc0457fa3fc3a48aed0c63f",
"zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
"zh:9efcf0067e16ad53da7504178a05eb2118770b4ae00c193c10ecad4cbfce308e",
"zh:a10655bf1b6376ab7f3e55efadf54dc70f7bd07ca11369557c312095076f9d62",
"zh:b0394dd42cbd2a718a7dd7ae0283f04769aaf8b3d52664e141da59c0171a11ab",
"zh:b958e614c2cf6d9c05a6ad5e94dc5c04b97ebfb84415da068be5a081b5ebbe24",
"zh:ba5069e624210c63ad9e633a8eb0108b21f2322bc4967ba2b82d09168c466888",
"zh:d7dfa597a17186e7f4d741dd7111849f1c0dd6f7ebc983043d8262d2fb37b408",
"zh:e8a641ca2c99f96d64fa2725875e797273984981d3e54772a2823541c44e3cd3",
"zh:f89898b7067c4246293a8007f59f5cfcac7b8dd251d39886c7a53ba596251466",
"zh:fb1e1df1d5cc208e08a850f8e84423bce080f01f5e901791c79df369d3ed52f2",
]
}
provider "registry.terraform.io/hashicorp/random" {
version = "3.4.3"
hashes = [
"h1:xZGZf18JjMS06pFa4NErzANI98qi59SEcBsOcS2P2yQ=",
]
}


@ -0,0 +1 @@
{"Modules":[{"Key":"vpc-subnets.vpc-ep","Source":"../vpc-endpoints","Dir":"../../modules/networking/vpc-endpoints"},{"Key":"","Source":"","Dir":"."},{"Key":"adconnector","Source":"../../modules/security_identity_compliance/ds-adconnector","Dir":"../../modules/security_identity_compliance/ds-adconnector"},{"Key":"vpc-subnets","Source":"../../modules/networking/vpc_subnets","Dir":"../../modules/networking/vpc_subnets"}]}


@ -0,0 +1 @@
/home/kn/.terraform.d/plugin-cache/registry.terraform.io/hashicorp/aws/4.46.0/linux_amd64


@ -0,0 +1 @@
/home/kn/.terraform.d/plugin-cache/registry.terraform.io/hashicorp/random/3.4.3/linux_amd64


@ -0,0 +1,7 @@
# bea-adc
Module to deploy network resources and ad connector for use with AWS SSO
## Input variables
The variable adc-service-account-password needs to be supplied via environment variable. This prevents terraform
from saving the password in tfstate or in the source code.


@ -0,0 +1,15 @@
data "aws_caller_identity" "this" {}
locals {
default-tags = merge({
ServiceProvider = "None"
Environment = var.environment
Project = var.project
Application = var.application
TerraformMode = "managed"
TerraformDir = trimprefix(path.cwd, "/my/work/xpk-git/")
CreatedBy = data.aws_caller_identity.this.arn
BuildDate = formatdate("YYYYMMDD", timestamp())
})
resource-prefix = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}"
}
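Review bot: `merge({ ... })` with a single argument returns the map unchanged, so `default-tags` can be a plain map literal. `CreatedBy = data.aws_caller_identity.this.arn` flows into the tags of every resource (the state file in this commit shows it on each one), so the first apply by a different principal rewrites the tags of everything the example manages; if the intent is to record who created the resource, that is better captured once into an input variable at apply time than recomputed on every plan. The `BuildDate` and `trimprefix(path.cwd, ...)` issues raised on the baseline example's variables.tf apply here unchanged.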

48
examples/bea-adc/main.tf Normal file

@ -0,0 +1,48 @@
module "vpc-subnets" {
source = "../../modules/networking/vpc_subnets"
application = var.application
aws-region = var.aws-region
customer-name = var.customer-name
default-tags = local.default-tags
environment = var.environment
project = var.project
vpc-cidr = var.vpc-cidr
number-of-private-subnets-per-az = var.number-of-private-subnets-per-az
number-of-public-subnets-per-az = var.number-of-public-subnets-per-az
create-nat-gateway = false
enable-flow-log = true
vpcflowlog-retain-days = 90
vpcflowlog-cwl-loggroup-key-arn = ""
create-free-vpc-endpoints = false
}
# S3 flow log needs to be created separately. it's not supported by vpc_subnets module
resource "aws_flow_log" "vpc-log-s3" {
log_destination = var.vpc-flowlog-bucket-arn
log_destination_type = "s3"
traffic_type = "ALL"
vpc_id = module.vpc-subnets.vpc_id
}
/*
After adc is deployed by terraform, the following tasks need to be performed manually.
They cannot be managed by terraform
1. Edit security group created for adconnector. SG name is d-???_controllers
2. Enable client LDAPS communication
3. Setup maintenance notification through SNS
4. Enable SSO application. Setting enable_sso in member account results in error. alias is deliberately not set
*/
module "adconnector" {
source = "../../modules/security_identity_compliance/ds-adconnector"
adc-dns-ips = var.adc-dns-ips
adc-domainname = var.adc-domainname
adc-service-account-password = var.adc-service-account-password
adc-service-account-username = var.adc-service-account-username
adc-size = var.adc-size
adc-subnet-ids = module.vpc-subnets.private-subnet-ids
adc-vpc-id = module.vpc-subnets.vpc_id
default-tags = local.default-tags
}
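Review bot: `adc-service-account-password = var.adc-service-account-password` passes the directory credential straight through; the variable declaration is outside this hunk, so I cannot see whether it carries `sensitive = true`, and without it the value is printed in plan output and any CI log. Even with it, Terraform persists the value as the `password` attribute of the directory resource, which the tfstate added further down in this commit demonstrates, so the README's claim that an environment variable keeps it out of state does not hold. `vpcflowlog-cwl-loggroup-key-arn = ""` leaves the VPC flow-log CloudWatch group on the AWS-managed key; if that is deliberate for this example a comment such as `# no CMK for the flow-log group in the lab account` stops the next reader treating it as an omission.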


@ -0,0 +1,11 @@
output "directory-id" {
value = module.adconnector.directory-id
}
output "security-group-id" {
value = module.adconnector.security-group-id
}
output "customer-dns-ip" {
value = module.adconnector.customer-dns-ip
}


@ -0,0 +1,13 @@
provider "aws" {
region = var.aws-region
}
terraform {
required_version = ">= 1.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 3.25"
}
}
}
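Review bot: `version = ">= 3.25"` has no upper bound, so a fresh `init` without the lock file may select a new major release of the AWS provider with breaking schema changes; the `.terraform.lock.hcl` earlier in this commit, which appears to belong to this example, resolved it to 4.46.0. `version = "~> 4.46"` (or whatever major the modules are tested against) keeps upgrades deliberate, and this matters more here because `.gitignore` in the same commit excludes the lock file.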


@ -0,0 +1,784 @@
{
"version": 4,
"terraform_version": "1.3.5",
"serial": 108,
"lineage": "5eba630b-18b8-6c2f-5853-88d98c7ecb23",
"outputs": {
"customer-dns-ip": {
"value": [
"10.37.54.214"
],
"type": [
"tuple",
[
"string"
]
]
},
"directory-id": {
"value": "d-c46722ff8d",
"type": "string"
},
"security-group-id": {
"value": "sg-0afbb1f6e8efde66b",
"type": "string"
}
},
"resources": [
{
"mode": "data",
"type": "aws_caller_identity",
"name": "this",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"account_id": "040216112220",
"arn": "arn:aws:iam::040216112220:user/ken2026",
"id": "040216112220",
"user_id": "AIDAQSXIRFROOXYISSIEQ"
},
"sensitive_attributes": []
}
]
},
{
"mode": "data",
"type": "aws_secretsmanager_secret",
"name": "secretmanager",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"arn": "arn:aws:secretsmanager:ap-east-1:040216112220:secret:adc-service-account-password-bYmPI5",
"description": "",
"id": "arn:aws:secretsmanager:ap-east-1:040216112220:secret:adc-service-account-password-bYmPI5",
"kms_key_id": "",
"name": "adc-service-account-password",
"policy": "",
"rotation_enabled": false,
"rotation_lambda_arn": "",
"rotation_rules": [],
"tags": {}
},
"sensitive_attributes": []
}
]
},
{
"mode": "data",
"type": "aws_secretsmanager_secret_version",
"name": "adc-service-account-password",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"arn": "arn:aws:secretsmanager:ap-east-1:040216112220:secret:adc-service-account-password-bYmPI5",
"id": "arn:aws:secretsmanager:ap-east-1:040216112220:secret:adc-service-account-password-bYmPI5|AWSCURRENT",
"secret_binary": "",
"secret_id": "arn:aws:secretsmanager:ap-east-1:040216112220:secret:adc-service-account-password-bYmPI5",
"secret_string": "{\"password\":\"CyyeooA.MwWVYzmIbtVG\u003cuyLOg\"}",
"version_id": "0ef037d0-d0b3-441e-8931-8d12a8326940",
"version_stage": "AWSCURRENT",
"version_stages": [
"AWSCURRENT"
]
},
"sensitive_attributes": []
}
]
},
{
"module": "module.adconnector",
"mode": "managed",
"type": "aws_directory_service_directory",
"name": "connector",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"access_url": "d-c46722ff8d.awsapps.com",
"alias": "d-c46722ff8d",
"connect_settings": [
{
"availability_zones": [
"ap-east-1a",
"ap-east-1b"
],
"connect_ips": [
"10.37.54.15",
"10.37.54.218"
],
"customer_dns_ips": [
"10.37.54.214"
],
"customer_username": "svc-awssso-adconnector",
"subnet_ids": [
"subnet-0bb56e6f48ead7ab8",
"subnet-0ce4d8183d810dcc2"
],
"vpc_id": "vpc-0d81f835ba4c7c987"
}
],
"description": "ADConnector",
"desired_number_of_domain_controllers": 0,
"dns_ip_addresses": [
"10.37.54.15",
"10.37.54.218"
],
"edition": "",
"enable_sso": false,
"id": "d-c46722ff8d",
"name": "acme.local",
"password": "CyyeooA.MwWVYzmIbtVG\u003cuyLOg",
"security_group_id": "sg-0afbb1f6e8efde66b",
"short_name": "acme",
"size": "Small",
"tags": {
"Application": "sso",
"BuildDate": "20221212",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "preview",
"Project": "sso",
"ServiceProvider": "None",
"TerraformDir": "terraform.aws-baseline-infra/examples/bea-adc",
"TerraformMode": "managed"
},
"tags_all": {
"Application": "sso",
"BuildDate": "20221212",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "preview",
"Project": "sso",
"ServiceProvider": "None",
"TerraformDir": "terraform.aws-baseline-infra/examples/bea-adc",
"TerraformMode": "managed"
},
"timeouts": null,
"type": "ADConnector",
"vpc_settings": []
},
"sensitive_attributes": [
[
{
"type": "get_attr",
"value": "password"
}
]
],
"private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjozNjAwMDAwMDAwMDAwLCJkZWxldGUiOjM2MDAwMDAwMDAwMDAsInVwZGF0ZSI6MzYwMDAwMDAwMDAwMH19",
"dependencies": [
"data.aws_caller_identity.this",
"data.aws_secretsmanager_secret.secretmanager",
"data.aws_secretsmanager_secret_version.adc-service-account-password",
"module.vpc-subnets.aws_subnet.private-subnets",
"module.vpc-subnets.aws_vpc.vpc",
"module.vpc-subnets.data.aws_availability_zones.available-az"
]
}
]
},
{
"module": "module.vpc-subnets",
"mode": "data",
"type": "aws_availability_zones",
"name": "available-az",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"all_availability_zones": null,
"exclude_names": null,
"exclude_zone_ids": null,
"filter": null,
"group_names": [
"ap-east-1"
],
"id": "ap-east-1",
"names": [
"ap-east-1a",
"ap-east-1b",
"ap-east-1c"
],
"state": "available",
"timeouts": null,
"zone_ids": [
"ape1-az1",
"ape1-az2",
"ape1-az3"
]
},
"sensitive_attributes": []
}
]
},
{
"module": "module.vpc-subnets",
"mode": "data",
"type": "aws_caller_identity",
"name": "this",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"account_id": "040216112220",
"arn": "arn:aws:iam::040216112220:user/ken2026",
"id": "040216112220",
"user_id": "AIDAQSXIRFROOXYISSIEQ"
},
"sensitive_attributes": []
}
]
},
{
"module": "module.vpc-subnets",
"mode": "managed",
"type": "aws_cloudwatch_log_group",
"name": "vpcflowlog-loggroup",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"index_key": 0,
"schema_version": 0,
"attributes": {
"arn": "arn:aws:logs:ap-east-1:040216112220:log-group:vpcflowlog/vpc-0d81f835ba4c7c987/20221212063458987800000001",
"id": "vpcflowlog/vpc-0d81f835ba4c7c987/20221212063458987800000001",
"kms_key_id": "",
"name": "vpcflowlog/vpc-0d81f835ba4c7c987/20221212063458987800000001",
"name_prefix": "vpcflowlog/vpc-0d81f835ba4c7c987/",
"retention_in_days": 90,
"skip_destroy": false,
"tags": {
"Application": "sso",
"BuildDate": "20221212",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "preview",
"Project": "sso",
"ServiceProvider": "None",
"TerraformDir": "terraform.aws-baseline-infra/examples/bea-adc",
"TerraformMode": "managed"
},
"tags_all": {
"Application": "sso",
"BuildDate": "20221212",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "preview",
"Project": "sso",
"ServiceProvider": "None",
"TerraformDir": "terraform.aws-baseline-infra/examples/bea-adc",
"TerraformMode": "managed"
}
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"data.aws_caller_identity.this",
"module.vpc-subnets.aws_vpc.vpc"
]
}
]
},
{
"module": "module.vpc-subnets",
"mode": "managed",
"type": "aws_default_security_group",
"name": "default-sg",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 1,
"attributes": {
"arn": "arn:aws:ec2:ap-east-1:040216112220:security-group/sg-09101f3abd257889b",
"description": "default VPC security group",
"egress": [
{
"cidr_blocks": [],
"description": "Allow traffic going to this SG",
"from_port": 0,
"ipv6_cidr_blocks": [],
"prefix_list_ids": [],
"protocol": "-1",
"security_groups": [],
"self": true,
"to_port": 0
}
],
"id": "sg-09101f3abd257889b",
"ingress": [
{
"cidr_blocks": [],
"description": "Allow traffic coming from this SG",
"from_port": 0,
"ipv6_cidr_blocks": [],
"prefix_list_ids": [],
"protocol": "-1",
"security_groups": [],
"self": true,
"to_port": 0
}
],
"name": "default",
"name_prefix": "",
"owner_id": "040216112220",
"revoke_rules_on_delete": false,
"tags": {
"Application": "sso",
"BuildDate": "20221212",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "preview",
"Name": "preview-ap-bea-sso-defaultsg",
"Project": "sso",
"ServiceProvider": "None",
"TerraformDir": "terraform.aws-baseline-infra/examples/bea-adc",
"TerraformMode": "managed"
},
"tags_all": {
"Application": "sso",
"BuildDate": "20221212",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "preview",
"Name": "preview-ap-bea-sso-defaultsg",
"Project": "sso",
"ServiceProvider": "None",
"TerraformDir": "terraform.aws-baseline-infra/examples/bea-adc",
"TerraformMode": "managed"
},
"vpc_id": "vpc-0d81f835ba4c7c987"
},
"sensitive_attributes": [],
"private": "eyJzY2hlbWFfdmVyc2lvbiI6IjEifQ==",
"dependencies": [
"data.aws_caller_identity.this",
"module.vpc-subnets.aws_vpc.vpc"
]
}
]
},
{
"module": "module.vpc-subnets",
"mode": "managed",
"type": "aws_flow_log",
"name": "vpc-flowlog",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"index_key": 0,
"schema_version": 0,
"attributes": {
"arn": "arn:aws:ec2:ap-east-1:040216112220:vpc-flow-log/fl-02f430d7b36edca16",
"destination_options": [],
"eni_id": null,
"iam_role_arn": "arn:aws:iam::040216112220:role/service/preview-ap-bea-sso-vpcflowlog",
"id": "fl-02f430d7b36edca16",
"log_destination": "arn:aws:logs:ap-east-1:040216112220:log-group:vpcflowlog/vpc-0d81f835ba4c7c987/20221212063458987800000001",
"log_destination_type": "cloud-watch-logs",
"log_format": "${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} ${srcport} ${dstport} ${protocol} ${packets} ${bytes} ${start} ${end} ${action} ${log-status}",
"log_group_name": "vpcflowlog/vpc-0d81f835ba4c7c987/20221212063458987800000001",
"max_aggregation_interval": 600,
"subnet_id": null,
"tags": {
"Application": "sso",
"BuildDate": "20221212",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "preview",
"Name": "preview-ap-bea-sso-vpcflowlog",
"Project": "sso",
"ServiceProvider": "None",
"TerraformDir": "terraform.aws-baseline-infra/examples/bea-adc",
"TerraformMode": "managed"
},
"tags_all": {
"Application": "sso",
"BuildDate": "20221212",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "preview",
"Name": "preview-ap-bea-sso-vpcflowlog",
"Project": "sso",
"ServiceProvider": "None",
"TerraformDir": "terraform.aws-baseline-infra/examples/bea-adc",
"TerraformMode": "managed"
},
"traffic_type": "ALL",
"transit_gateway_attachment_id": null,
"transit_gateway_id": null,
"vpc_id": "vpc-0d81f835ba4c7c987"
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"data.aws_caller_identity.this",
"module.vpc-subnets.aws_cloudwatch_log_group.vpcflowlog-loggroup",
"module.vpc-subnets.aws_iam_role.vpcflowlog-role",
"module.vpc-subnets.aws_vpc.vpc"
]
}
]
},
{
"module": "module.vpc-subnets",
"mode": "managed",
"type": "aws_iam_role",
"name": "vpcflowlog-role",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"arn": "arn:aws:iam::040216112220:role/service/preview-ap-bea-sso-vpcflowlog",
"assume_role_policy": "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"vpc-flow-logs.amazonaws.com\"},\"Sid\":\"\"}],\"Version\":\"2012-10-17\"}",
"create_date": "2022-12-12T06:34:48Z",
"description": "",
"force_detach_policies": false,
"id": "preview-ap-bea-sso-vpcflowlog",
"inline_policy": [
{
"name": "preview-ap-bea-sso-vpcflowlog",
"policy": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Action\": [\n \"logs:CreateLogGroup\",\n \"logs:CreateLogStream\",\n \"logs:PutLogEvents\",\n \"logs:DescribeLogGroups\",\n \"logs:DescribeLogStreams\"\n ],\n \"Effect\": \"Allow\",\n \"Resource\": \"*\"\n }\n ]\n}\n"
}
],
"managed_policy_arns": [],
"max_session_duration": 3600,
"name": "preview-ap-bea-sso-vpcflowlog",
"name_prefix": "",
"path": "/service/",
"permissions_boundary": null,
"tags": {},
"tags_all": {},
"unique_id": "AROAQSXIRFROBSK2XWEUN"
},
"sensitive_attributes": [],
"private": "bnVsbA=="
}
]
},
{
"module": "module.vpc-subnets",
"mode": "managed",
"type": "aws_iam_role_policy",
"name": "vpcflowlog-role-policy",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"id": "preview-ap-bea-sso-vpcflowlog:preview-ap-bea-sso-vpcflowlog",
"name": "preview-ap-bea-sso-vpcflowlog",
"name_prefix": null,
"policy": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Action\": [\n \"logs:CreateLogGroup\",\n \"logs:CreateLogStream\",\n \"logs:PutLogEvents\",\n \"logs:DescribeLogGroups\",\n \"logs:DescribeLogStreams\"\n ],\n \"Effect\": \"Allow\",\n \"Resource\": \"*\"\n }\n ]\n}\n",
"role": "preview-ap-bea-sso-vpcflowlog"
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"module.vpc-subnets.aws_iam_role.vpcflowlog-role"
]
}
]
},
{
"module": "module.vpc-subnets",
"mode": "managed",
"type": "aws_route_table",
"name": "private-route-table",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"index_key": 0,
"schema_version": 0,
"attributes": {
"arn": "arn:aws:ec2:ap-east-1:040216112220:route-table/rtb-0bdeffdac8e3215f4",
"id": "rtb-0bdeffdac8e3215f4",
"owner_id": "040216112220",
"propagating_vgws": [],
"route": [
{
"carrier_gateway_id": "",
"cidr_block": "0.0.0.0/0",
"core_network_arn": "",
"destination_prefix_list_id": "",
"egress_only_gateway_id": "",
"gateway_id": "igw-060da6481bbc4cedd",
"instance_id": "",
"ipv6_cidr_block": "",
"local_gateway_id": "",
"nat_gateway_id": "",
"network_interface_id": "",
"transit_gateway_id": "",
"vpc_endpoint_id": "",
"vpc_peering_connection_id": ""
}
],
"tags": {
"Application": "sso",
"BuildDate": "20221212",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "preview",
"Name": "preview-ap-bea-sso-privateroutetable",
"Project": "sso",
"ServiceProvider": "None",
"TerraformDir": "terraform.aws-baseline-infra/examples/bea-adc",
"TerraformMode": "managed"
},
"tags_all": {
"Application": "sso",
"BuildDate": "20221212",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "preview",
"Name": "preview-ap-bea-sso-privateroutetable",
"Project": "sso",
"ServiceProvider": "None",
"TerraformDir": "terraform.aws-baseline-infra/examples/bea-adc",
"TerraformMode": "managed"
},
"timeouts": null,
"vpc_id": "vpc-0d81f835ba4c7c987"
},
"sensitive_attributes": [],
"private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjozMDAwMDAwMDAwMDAsImRlbGV0ZSI6MzAwMDAwMDAwMDAwLCJ1cGRhdGUiOjEyMDAwMDAwMDAwMH19",
"dependencies": [
"data.aws_caller_identity.this",
"module.vpc-subnets.aws_vpc.vpc"
]
}
]
},
{
"module": "module.vpc-subnets",
"mode": "managed",
"type": "aws_route_table_association",
"name": "private_route_association",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"index_key": 0,
"schema_version": 0,
"attributes": {
"gateway_id": "",
"id": "rtbassoc-067b22e8a44ffa92b",
"route_table_id": "rtb-0bdeffdac8e3215f4",
"subnet_id": "subnet-0bb56e6f48ead7ab8"
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"data.aws_caller_identity.this",
"module.vpc-subnets.aws_route_table.private-route-table",
"module.vpc-subnets.aws_subnet.private-subnets",
"module.vpc-subnets.aws_vpc.vpc",
"module.vpc-subnets.data.aws_availability_zones.available-az"
]
},
{
"index_key": 1,
"schema_version": 0,
"attributes": {
"gateway_id": "",
"id": "rtbassoc-08e5c1bfc024792a9",
"route_table_id": "rtb-0bdeffdac8e3215f4",
"subnet_id": "subnet-0ce4d8183d810dcc2"
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"data.aws_caller_identity.this",
"module.vpc-subnets.aws_route_table.private-route-table",
"module.vpc-subnets.aws_subnet.private-subnets",
"module.vpc-subnets.aws_vpc.vpc",
"module.vpc-subnets.data.aws_availability_zones.available-az"
]
}
]
},
{
"module": "module.vpc-subnets",
"mode": "managed",
"type": "aws_subnet",
"name": "private-subnets",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"index_key": 0,
"schema_version": 1,
"attributes": {
"arn": "arn:aws:ec2:ap-east-1:040216112220:subnet/subnet-0bb56e6f48ead7ab8",
"assign_ipv6_address_on_creation": false,
"availability_zone": "ap-east-1a",
"availability_zone_id": "ape1-az1",
"cidr_block": "10.37.54.0/25",
"customer_owned_ipv4_pool": "",
"enable_dns64": false,
"enable_resource_name_dns_a_record_on_launch": false,
"enable_resource_name_dns_aaaa_record_on_launch": false,
"id": "subnet-0bb56e6f48ead7ab8",
"ipv6_cidr_block": "",
"ipv6_cidr_block_association_id": "",
"ipv6_native": false,
"map_customer_owned_ip_on_launch": false,
"map_public_ip_on_launch": false,
"outpost_arn": "",
"owner_id": "040216112220",
"private_dns_hostname_type_on_launch": "ip-name",
"tags": {
"Application": "sso",
"BuildDate": "20221212",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "preview",
"Name": "preview-ap-bea-sso-private-1a-1",
"Project": "sso",
"ServiceProvider": "None",
"TerraformDir": "terraform.aws-baseline-infra/examples/bea-adc",
"TerraformMode": "managed"
},
"tags_all": {
"Application": "sso",
"BuildDate": "20221212",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "preview",
"Name": "preview-ap-bea-sso-private-1a-1",
"Project": "sso",
"ServiceProvider": "None",
"TerraformDir": "terraform.aws-baseline-infra/examples/bea-adc",
"TerraformMode": "managed"
},
"timeouts": null,
"vpc_id": "vpc-0d81f835ba4c7c987"
},
"sensitive_attributes": [],
"private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjo2MDAwMDAwMDAwMDAsImRlbGV0ZSI6MTIwMDAwMDAwMDAwMH0sInNjaGVtYV92ZXJzaW9uIjoiMSJ9",
"dependencies": [
"data.aws_caller_identity.this",
"module.vpc-subnets.aws_vpc.vpc",
"module.vpc-subnets.data.aws_availability_zones.available-az"
]
},
{
"index_key": 1,
"schema_version": 1,
"attributes": {
"arn": "arn:aws:ec2:ap-east-1:040216112220:subnet/subnet-0ce4d8183d810dcc2",
"assign_ipv6_address_on_creation": false,
"availability_zone": "ap-east-1b",
"availability_zone_id": "ape1-az2",
"cidr_block": "10.37.54.128/25",
"customer_owned_ipv4_pool": "",
"enable_dns64": false,
"enable_resource_name_dns_a_record_on_launch": false,
"enable_resource_name_dns_aaaa_record_on_launch": false,
"id": "subnet-0ce4d8183d810dcc2",
"ipv6_cidr_block": "",
"ipv6_cidr_block_association_id": "",
"ipv6_native": false,
"map_customer_owned_ip_on_launch": false,
"map_public_ip_on_launch": false,
"outpost_arn": "",
"owner_id": "040216112220",
"private_dns_hostname_type_on_launch": "ip-name",
"tags": {
"Application": "sso",
"BuildDate": "20221212",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "preview",
"Name": "preview-ap-bea-sso-private-1b-2",
"Project": "sso",
"ServiceProvider": "None",
"TerraformDir": "terraform.aws-baseline-infra/examples/bea-adc",
"TerraformMode": "managed"
},
"tags_all": {
"Application": "sso",
"BuildDate": "20221212",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "preview",
"Name": "preview-ap-bea-sso-private-1b-2",
"Project": "sso",
"ServiceProvider": "None",
"TerraformDir": "terraform.aws-baseline-infra/examples/bea-adc",
"TerraformMode": "managed"
},
"timeouts": null,
"vpc_id": "vpc-0d81f835ba4c7c987"
},
"sensitive_attributes": [],
"private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjo2MDAwMDAwMDAwMDAsImRlbGV0ZSI6MTIwMDAwMDAwMDAwMH0sInNjaGVtYV92ZXJzaW9uIjoiMSJ9",
"dependencies": [
"data.aws_caller_identity.this",
"module.vpc-subnets.aws_vpc.vpc",
"module.vpc-subnets.data.aws_availability_zones.available-az"
]
}
]
},
{
"module": "module.vpc-subnets",
"mode": "managed",
"type": "aws_vpc",
"name": "vpc",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 1,
"attributes": {
"arn": "arn:aws:ec2:ap-east-1:040216112220:vpc/vpc-0d81f835ba4c7c987",
"assign_generated_ipv6_cidr_block": false,
"cidr_block": "10.37.54.0/24",
"default_network_acl_id": "acl-0de827d3ddc477c49",
"default_route_table_id": "rtb-0424596d3c3a61221",
"default_security_group_id": "sg-09101f3abd257889b",
"dhcp_options_id": "dopt-005007bcb610d7cdc",
"enable_classiclink": false,
"enable_classiclink_dns_support": false,
"enable_dns_hostnames": true,
"enable_dns_support": true,
"enable_network_address_usage_metrics": false,
"id": "vpc-0d81f835ba4c7c987",
"instance_tenancy": "default",
"ipv4_ipam_pool_id": null,
"ipv4_netmask_length": null,
"ipv6_association_id": "",
"ipv6_cidr_block": "",
"ipv6_cidr_block_network_border_group": "",
"ipv6_ipam_pool_id": "",
"ipv6_netmask_length": 0,
"main_route_table_id": "rtb-0424596d3c3a61221",
"owner_id": "040216112220",
"tags": {
"Application": "sso",
"BuildDate": "20221212",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "preview",
"Name": "preview-ap-bea-sso-vpc",
"Project": "sso",
"ServiceProvider": "None",
"TerraformDir": "terraform.aws-baseline-infra/examples/bea-adc",
"TerraformMode": "managed"
},
"tags_all": {
"Application": "sso",
"BuildDate": "20221212",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "preview",
"Name": "preview-ap-bea-sso-vpc",
"Project": "sso",
"ServiceProvider": "None",
"TerraformDir": "terraform.aws-baseline-infra/examples/bea-adc",
"TerraformMode": "managed"
}
},
"sensitive_attributes": [],
"private": "eyJzY2hlbWFfdmVyc2lvbiI6IjEifQ==",
"dependencies": [
"data.aws_caller_identity.this"
],
"create_before_destroy": true
}
]
}
],
"check_results": null
}
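Review bot: This state file contains the AD Connector service-account password in clear text — in `secret_string` on the `aws_secretsmanager_secret_version` data source and again in the `password` attribute of `aws_directory_service_directory.connector` — alongside the account id, the IAM user ARN and the full Secrets Manager ARN. The `sensitive_attributes` entry for `password` only governs how the CLI displays the value; it is stored verbatim, so once this file is in a repository the credential has to be treated as exposed and rotated both in the directory and in Secrets Manager, and the file removed from the index and from history (the commit message describes a history purge, yet the file is added back here, together with its `.backup` sibling in the next section). The bea-adc README states that supplying the password via an environment variable keeps it out of tfstate; this file shows that is not the case, because the value is persisted as a resource attribute regardless of how it was supplied. The durable fix is a remote backend with encryption and access logging for state, plus confirming `*.tfstate` is untracked before relying on the `.gitignore` entry, since ignore rules do not apply to files already staged.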


@ -0,0 +1,790 @@
{
"version": 4,
"terraform_version": "1.3.5",
"serial": 107,
"lineage": "5eba630b-18b8-6c2f-5853-88d98c7ecb23",
"outputs": {
"customer-dns-ip": {
"value": [
"10.37.54.214"
],
"type": [
"tuple",
[
"string"
]
]
},
"directory-id": {
"value": "d-c46722ff8d",
"type": "string"
},
"security-group-id": {
"value": "sg-0afbb1f6e8efde66b",
"type": "string"
}
},
"resources": [
{
"mode": "data",
"type": "aws_caller_identity",
"name": "this",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"account_id": "040216112220",
"arn": "arn:aws:iam::040216112220:user/ken2026",
"id": "040216112220",
"user_id": "AIDAQSXIRFROOXYISSIEQ"
},
"sensitive_attributes": []
}
]
},
{
"mode": "data",
"type": "aws_secretsmanager_secret",
"name": "secretmanager",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"arn": "arn:aws:secretsmanager:ap-east-1:040216112220:secret:adc-service-account-password-bYmPI5",
"description": "",
"id": "arn:aws:secretsmanager:ap-east-1:040216112220:secret:adc-service-account-password-bYmPI5",
"kms_key_id": "",
"name": "adc-service-account-password",
"policy": "",
"rotation_enabled": false,
"rotation_lambda_arn": "",
"rotation_rules": [],
"tags": {}
},
"sensitive_attributes": []
}
]
},
{
"mode": "data",
"type": "aws_secretsmanager_secret_version",
"name": "adc-service-account-password",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"arn": "arn:aws:secretsmanager:ap-east-1:040216112220:secret:adc-service-account-password-bYmPI5",
"id": "arn:aws:secretsmanager:ap-east-1:040216112220:secret:adc-service-account-password-bYmPI5|AWSCURRENT",
"secret_binary": "",
"secret_id": "arn:aws:secretsmanager:ap-east-1:040216112220:secret:adc-service-account-password-bYmPI5",
"secret_string": "{\"password\":\"CyyeooA.MwWVYzmIbtVG\u003cuyLOg\"}",
"version_id": "0ef037d0-d0b3-441e-8931-8d12a8326940",
"version_stage": "AWSCURRENT",
"version_stages": [
"AWSCURRENT"
]
},
"sensitive_attributes": []
}
]
},
{
"module": "module.adconnector",
"mode": "managed",
"type": "aws_directory_service_directory",
"name": "connector",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"access_url": "d-c46722ff8d.awsapps.com",
"alias": "d-c46722ff8d",
"connect_settings": [
{
"availability_zones": [
"ap-east-1a",
"ap-east-1b"
],
"connect_ips": [
"10.37.54.15",
"10.37.54.218"
],
"customer_dns_ips": [
"10.37.54.214"
],
"customer_username": "svc-awssso-adconnector",
"subnet_ids": [
"subnet-0bb56e6f48ead7ab8",
"subnet-0ce4d8183d810dcc2"
],
"vpc_id": "vpc-0d81f835ba4c7c987"
}
],
"description": "ADConnector",
"desired_number_of_domain_controllers": 0,
"dns_ip_addresses": [
"10.37.54.15",
"10.37.54.218"
],
"edition": "",
"enable_sso": false,
"id": "d-c46722ff8d",
"name": "acme.local",
"password": "CyyeooA.MwWVYzmIbtVG\u003cuyLOg",
"security_group_id": "sg-0afbb1f6e8efde66b",
"short_name": "acme",
"size": "Small",
"tags": {
"Application": "sso",
"BuildDate": "20221212",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "preview",
"Project": "sso",
"ServiceProvider": "None",
"TerraformDir": "terraform.aws-baseline-infra/examples/bea-adc",
"TerraformMode": "managed"
},
"tags_all": {
"Application": "sso",
"BuildDate": "20221212",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "preview",
"Project": "sso",
"ServiceProvider": "None",
"TerraformDir": "terraform.aws-baseline-infra/examples/bea-adc",
"TerraformMode": "managed"
},
"timeouts": null,
"type": "ADConnector",
"vpc_settings": []
},
"sensitive_attributes": [
[
{
"type": "get_attr",
"value": "password"
}
]
],
"private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjozNjAwMDAwMDAwMDAwLCJkZWxldGUiOjM2MDAwMDAwMDAwMDAsInVwZGF0ZSI6MzYwMDAwMDAwMDAwMH19",
"dependencies": [
"data.aws_caller_identity.this",
"data.aws_secretsmanager_secret_version.adc-service-account-password",
"module.vpc-subnets.aws_subnet.private-subnets",
"module.vpc-subnets.aws_vpc.vpc",
"module.vpc-subnets.data.aws_availability_zones.available-az"
]
}
]
},
{
"module": "module.vpc-subnets",
"mode": "data",
"type": "aws_availability_zones",
"name": "available-az",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"all_availability_zones": null,
"exclude_names": null,
"exclude_zone_ids": null,
"filter": null,
"group_names": [
"ap-east-1"
],
"id": "ap-east-1",
"names": [
"ap-east-1a",
"ap-east-1b",
"ap-east-1c"
],
"state": "available",
"timeouts": null,
"zone_ids": [
"ape1-az1",
"ape1-az2",
"ape1-az3"
]
},
"sensitive_attributes": []
}
]
},
{
"module": "module.vpc-subnets",
"mode": "data",
"type": "aws_caller_identity",
"name": "this",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"account_id": "040216112220",
"arn": "arn:aws:iam::040216112220:user/ken2026",
"id": "040216112220",
"user_id": "AIDAQSXIRFROOXYISSIEQ"
},
"sensitive_attributes": []
}
]
},
{
"module": "module.vpc-subnets",
"mode": "managed",
"type": "aws_cloudwatch_log_group",
"name": "vpcflowlog-loggroup",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"index_key": 0,
"schema_version": 0,
"attributes": {
"arn": "arn:aws:logs:ap-east-1:040216112220:log-group:vpcflowlog/vpc-0d81f835ba4c7c987/20221212063458987800000001",
"id": "vpcflowlog/vpc-0d81f835ba4c7c987/20221212063458987800000001",
"kms_key_id": "",
"name": "vpcflowlog/vpc-0d81f835ba4c7c987/20221212063458987800000001",
"name_prefix": "vpcflowlog/vpc-0d81f835ba4c7c987/",
"retention_in_days": 90,
"skip_destroy": false,
"tags": {
"Application": "sso",
"BuildDate": "20221212",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "preview",
"Project": "sso",
"ServiceProvider": "None",
"TerraformDir": "terraform.aws-baseline-infra/examples/bea-adc",
"TerraformMode": "managed"
},
"tags_all": {
"Application": "sso",
"BuildDate": "20221212",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "preview",
"Project": "sso",
"ServiceProvider": "None",
"TerraformDir": "terraform.aws-baseline-infra/examples/bea-adc",
"TerraformMode": "managed"
}
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"data.aws_caller_identity.this",
"module.vpc-subnets.aws_vpc.vpc"
]
}
]
},
{
"module": "module.vpc-subnets",
"mode": "managed",
"type": "aws_default_security_group",
"name": "default-sg",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 1,
"attributes": {
"arn": "arn:aws:ec2:ap-east-1:040216112220:security-group/sg-09101f3abd257889b",
"description": "default VPC security group",
"egress": [
{
"cidr_blocks": [],
"description": "Allow traffic going to this SG",
"from_port": 0,
"ipv6_cidr_blocks": [],
"prefix_list_ids": [],
"protocol": "-1",
"security_groups": [],
"self": true,
"to_port": 0
}
],
"id": "sg-09101f3abd257889b",
"ingress": [
{
"cidr_blocks": [],
"description": "Allow traffic coming from this SG",
"from_port": 0,
"ipv6_cidr_blocks": [],
"prefix_list_ids": [],
"protocol": "-1",
"security_groups": [],
"self": true,
"to_port": 0
}
],
"name": "default",
"name_prefix": "",
"owner_id": "040216112220",
"revoke_rules_on_delete": false,
"tags": {
"Application": "sso",
"BuildDate": "20221212",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "preview",
"Name": "preview-ap-bea-sso-defaultsg",
"Project": "sso",
"ServiceProvider": "None",
"TerraformDir": "terraform.aws-baseline-infra/examples/bea-adc",
"TerraformMode": "managed"
},
"tags_all": {
"Application": "sso",
"BuildDate": "20221212",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "preview",
"Name": "preview-ap-bea-sso-defaultsg",
"Project": "sso",
"ServiceProvider": "None",
"TerraformDir": "terraform.aws-baseline-infra/examples/bea-adc",
"TerraformMode": "managed"
},
"vpc_id": "vpc-0d81f835ba4c7c987"
},
"sensitive_attributes": [],
"private": "eyJzY2hlbWFfdmVyc2lvbiI6IjEifQ==",
"dependencies": [
"data.aws_caller_identity.this",
"module.vpc-subnets.aws_vpc.vpc"
]
}
]
},
{
"module": "module.vpc-subnets",
"mode": "managed",
"type": "aws_flow_log",
"name": "vpc-flowlog",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"index_key": 0,
"schema_version": 0,
"attributes": {
"arn": "arn:aws:ec2:ap-east-1:040216112220:vpc-flow-log/fl-02f430d7b36edca16",
"destination_options": [],
"eni_id": null,
"iam_role_arn": "arn:aws:iam::040216112220:role/service/preview-ap-bea-sso-vpcflowlog",
"id": "fl-02f430d7b36edca16",
"log_destination": "arn:aws:logs:ap-east-1:040216112220:log-group:vpcflowlog/vpc-0d81f835ba4c7c987/20221212063458987800000001",
"log_destination_type": "cloud-watch-logs",
"log_format": "${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} ${srcport} ${dstport} ${protocol} ${packets} ${bytes} ${start} ${end} ${action} ${log-status}",
"log_group_name": "vpcflowlog/vpc-0d81f835ba4c7c987/20221212063458987800000001",
"max_aggregation_interval": 600,
"subnet_id": null,
"tags": {
"Application": "sso",
"BuildDate": "20221212",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "preview",
"Name": "preview-ap-bea-sso-vpcflowlog",
"Project": "sso",
"ServiceProvider": "None",
"TerraformDir": "terraform.aws-baseline-infra/examples/bea-adc",
"TerraformMode": "managed"
},
"tags_all": {
"Application": "sso",
"BuildDate": "20221212",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "preview",
"Name": "preview-ap-bea-sso-vpcflowlog",
"Project": "sso",
"ServiceProvider": "None",
"TerraformDir": "terraform.aws-baseline-infra/examples/bea-adc",
"TerraformMode": "managed"
},
"traffic_type": "ALL",
"transit_gateway_attachment_id": null,
"transit_gateway_id": null,
"vpc_id": "vpc-0d81f835ba4c7c987"
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"data.aws_caller_identity.this",
"module.vpc-subnets.aws_cloudwatch_log_group.vpcflowlog-loggroup",
"module.vpc-subnets.aws_iam_role.vpcflowlog-role",
"module.vpc-subnets.aws_vpc.vpc"
]
}
]
},
{
"module": "module.vpc-subnets",
"mode": "managed",
"type": "aws_iam_role",
"name": "vpcflowlog-role",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"arn": "arn:aws:iam::040216112220:role/service/preview-ap-bea-sso-vpcflowlog",
"assume_role_policy": "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"vpc-flow-logs.amazonaws.com\"},\"Sid\":\"\"}],\"Version\":\"2012-10-17\"}",
"create_date": "2022-12-12T06:34:48Z",
"description": "",
"force_detach_policies": false,
"id": "preview-ap-bea-sso-vpcflowlog",
"inline_policy": [
{
"name": "preview-ap-bea-sso-vpcflowlog",
"policy": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Action\": [\n \"logs:CreateLogGroup\",\n \"logs:CreateLogStream\",\n \"logs:PutLogEvents\",\n \"logs:DescribeLogGroups\",\n \"logs:DescribeLogStreams\"\n ],\n \"Effect\": \"Allow\",\n \"Resource\": \"*\"\n }\n ]\n}\n"
}
],
"managed_policy_arns": [],
"max_session_duration": 3600,
"name": "preview-ap-bea-sso-vpcflowlog",
"name_prefix": "",
"path": "/service/",
"permissions_boundary": null,
"tags": {},
"tags_all": {},
"unique_id": "AROAQSXIRFROBSK2XWEUN"
},
"sensitive_attributes": [],
"private": "bnVsbA=="
}
]
},
{
"module": "module.vpc-subnets",
"mode": "managed",
"type": "aws_iam_role_policy",
"name": "vpcflowlog-role-policy",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"id": "preview-ap-bea-sso-vpcflowlog:preview-ap-bea-sso-vpcflowlog",
"name": "preview-ap-bea-sso-vpcflowlog",
"name_prefix": null,
"policy": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Action\": [\n \"logs:CreateLogGroup\",\n \"logs:CreateLogStream\",\n \"logs:PutLogEvents\",\n \"logs:DescribeLogGroups\",\n \"logs:DescribeLogStreams\"\n ],\n \"Effect\": \"Allow\",\n \"Resource\": \"*\"\n }\n ]\n}\n",
"role": "preview-ap-bea-sso-vpcflowlog"
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"module.vpc-subnets.aws_iam_role.vpcflowlog-role"
]
}
]
},
{
"module": "module.vpc-subnets",
"mode": "managed",
"type": "aws_route_table",
"name": "private-route-table",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"index_key": 0,
"schema_version": 0,
"attributes": {
"arn": "arn:aws:ec2:ap-east-1:040216112220:route-table/rtb-0bdeffdac8e3215f4",
"id": "rtb-0bdeffdac8e3215f4",
"owner_id": "040216112220",
"propagating_vgws": [],
"route": [
{
"carrier_gateway_id": "",
"cidr_block": "0.0.0.0/0",
"core_network_arn": "",
"destination_prefix_list_id": "",
"egress_only_gateway_id": "",
"gateway_id": "igw-060da6481bbc4cedd",
"instance_id": "",
"ipv6_cidr_block": "",
"local_gateway_id": "",
"nat_gateway_id": "",
"network_interface_id": "",
"transit_gateway_id": "",
"vpc_endpoint_id": "",
"vpc_peering_connection_id": ""
}
],
"tags": {
"Application": "sso",
"BuildDate": "20221212",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "preview",
"Name": "preview-ap-bea-sso-privateroutetable",
"Project": "sso",
"ServiceProvider": "None",
"TerraformDir": "terraform.aws-baseline-infra/examples/bea-adc",
"TerraformMode": "managed"
},
"tags_all": {
"Application": "sso",
"BuildDate": "20221212",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "preview",
"Name": "preview-ap-bea-sso-privateroutetable",
"Project": "sso",
"ServiceProvider": "None",
"TerraformDir": "terraform.aws-baseline-infra/examples/bea-adc",
"TerraformMode": "managed"
},
"timeouts": null,
"vpc_id": "vpc-0d81f835ba4c7c987"
},
"sensitive_attributes": [],
"private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjozMDAwMDAwMDAwMDAsImRlbGV0ZSI6MzAwMDAwMDAwMDAwLCJ1cGRhdGUiOjEyMDAwMDAwMDAwMH19",
"dependencies": [
"data.aws_caller_identity.this",
"module.vpc-subnets.aws_vpc.vpc"
]
}
]
},
{
"module": "module.vpc-subnets",
"mode": "managed",
"type": "aws_route_table_association",
"name": "private_route_association",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"index_key": 0,
"schema_version": 0,
"attributes": {
"gateway_id": "",
"id": "rtbassoc-067b22e8a44ffa92b",
"route_table_id": "rtb-0bdeffdac8e3215f4",
"subnet_id": "subnet-0bb56e6f48ead7ab8"
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"data.aws_caller_identity.this",
"module.vpc-subnets.aws_route_table.private-route-table",
"module.vpc-subnets.aws_subnet.private-subnets",
"module.vpc-subnets.aws_vpc.vpc",
"module.vpc-subnets.data.aws_availability_zones.available-az"
]
},
{
"index_key": 1,
"schema_version": 0,
"attributes": {
"gateway_id": "",
"id": "rtbassoc-08e5c1bfc024792a9",
"route_table_id": "rtb-0bdeffdac8e3215f4",
"subnet_id": "subnet-0ce4d8183d810dcc2"
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"data.aws_caller_identity.this",
"module.vpc-subnets.aws_route_table.private-route-table",
"module.vpc-subnets.aws_subnet.private-subnets",
"module.vpc-subnets.aws_vpc.vpc",
"module.vpc-subnets.data.aws_availability_zones.available-az"
]
}
]
},
{
"module": "module.vpc-subnets",
"mode": "managed",
"type": "aws_subnet",
"name": "private-subnets",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"index_key": 0,
"schema_version": 1,
"attributes": {
"arn": "arn:aws:ec2:ap-east-1:040216112220:subnet/subnet-0bb56e6f48ead7ab8",
"assign_ipv6_address_on_creation": false,
"availability_zone": "ap-east-1a",
"availability_zone_id": "ape1-az1",
"cidr_block": "10.37.54.0/25",
"customer_owned_ipv4_pool": "",
"enable_dns64": false,
"enable_resource_name_dns_a_record_on_launch": false,
"enable_resource_name_dns_aaaa_record_on_launch": false,
"id": "subnet-0bb56e6f48ead7ab8",
"ipv6_cidr_block": "",
"ipv6_cidr_block_association_id": "",
"ipv6_native": false,
"map_customer_owned_ip_on_launch": false,
"map_public_ip_on_launch": false,
"outpost_arn": "",
"owner_id": "040216112220",
"private_dns_hostname_type_on_launch": "ip-name",
"tags": {
"Application": "sso",
"BuildDate": "20221212",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "preview",
"Name": "preview-ap-bea-sso-private-1a-1",
"Project": "sso",
"ServiceProvider": "None",
"TerraformDir": "terraform.aws-baseline-infra/examples/bea-adc",
"TerraformMode": "managed"
},
"tags_all": {
"Application": "sso",
"BuildDate": "20221212",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "preview",
"Name": "preview-ap-bea-sso-private-1a-1",
"Project": "sso",
"ServiceProvider": "None",
"TerraformDir": "terraform.aws-baseline-infra/examples/bea-adc",
"TerraformMode": "managed"
},
"timeouts": null,
"vpc_id": "vpc-0d81f835ba4c7c987"
},
"sensitive_attributes": [],
"private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjo2MDAwMDAwMDAwMDAsImRlbGV0ZSI6MTIwMDAwMDAwMDAwMH0sInNjaGVtYV92ZXJzaW9uIjoiMSJ9",
"dependencies": [
"data.aws_caller_identity.this",
"module.vpc-subnets.aws_vpc.vpc",
"module.vpc-subnets.data.aws_availability_zones.available-az"
]
},
{
"index_key": 1,
"schema_version": 1,
"attributes": {
"arn": "arn:aws:ec2:ap-east-1:040216112220:subnet/subnet-0ce4d8183d810dcc2",
"assign_ipv6_address_on_creation": false,
"availability_zone": "ap-east-1b",
"availability_zone_id": "ape1-az2",
"cidr_block": "10.37.54.128/25",
"customer_owned_ipv4_pool": "",
"enable_dns64": false,
"enable_resource_name_dns_a_record_on_launch": false,
"enable_resource_name_dns_aaaa_record_on_launch": false,
"id": "subnet-0ce4d8183d810dcc2",
"ipv6_cidr_block": "",
"ipv6_cidr_block_association_id": "",
"ipv6_native": false,
"map_customer_owned_ip_on_launch": false,
"map_public_ip_on_launch": false,
"outpost_arn": "",
"owner_id": "040216112220",
"private_dns_hostname_type_on_launch": "ip-name",
"tags": {
"Application": "sso",
"BuildDate": "20221212",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "preview",
"Name": "preview-ap-bea-sso-private-1b-2",
"Project": "sso",
"ServiceProvider": "None",
"TerraformDir": "terraform.aws-baseline-infra/examples/bea-adc",
"TerraformMode": "managed"
},
"tags_all": {
"Application": "sso",
"BuildDate": "20221212",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "preview",
"Name": "preview-ap-bea-sso-private-1b-2",
"Project": "sso",
"ServiceProvider": "None",
"TerraformDir": "terraform.aws-baseline-infra/examples/bea-adc",
"TerraformMode": "managed"
},
"timeouts": null,
"vpc_id": "vpc-0d81f835ba4c7c987"
},
"sensitive_attributes": [],
"private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjo2MDAwMDAwMDAwMDAsImRlbGV0ZSI6MTIwMDAwMDAwMDAwMH0sInNjaGVtYV92ZXJzaW9uIjoiMSJ9",
"dependencies": [
"data.aws_caller_identity.this",
"module.vpc-subnets.aws_vpc.vpc",
"module.vpc-subnets.data.aws_availability_zones.available-az"
]
}
]
},
{
"module": "module.vpc-subnets",
"mode": "managed",
"type": "aws_vpc",
"name": "vpc",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 1,
"attributes": {
"arn": "arn:aws:ec2:ap-east-1:040216112220:vpc/vpc-0d81f835ba4c7c987",
"assign_generated_ipv6_cidr_block": false,
"cidr_block": "10.37.54.0/24",
"default_network_acl_id": "acl-0de827d3ddc477c49",
"default_route_table_id": "rtb-0424596d3c3a61221",
"default_security_group_id": "sg-09101f3abd257889b",
"dhcp_options_id": "dopt-005007bcb610d7cdc",
"enable_classiclink": false,
"enable_classiclink_dns_support": false,
"enable_dns_hostnames": true,
"enable_dns_support": true,
"enable_network_address_usage_metrics": false,
"id": "vpc-0d81f835ba4c7c987",
"instance_tenancy": "default",
"ipv4_ipam_pool_id": null,
"ipv4_netmask_length": null,
"ipv6_association_id": "",
"ipv6_cidr_block": "",
"ipv6_cidr_block_network_border_group": "",
"ipv6_ipam_pool_id": "",
"ipv6_netmask_length": 0,
"main_route_table_id": "rtb-0424596d3c3a61221",
"owner_id": "040216112220",
"tags": {
"Application": "sso",
"BuildDate": "20221212",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "preview",
"Name": "preview-ap-bea-sso-vpc",
"Project": "sso",
"ServiceProvider": "None",
"TerraformDir": "terraform.aws-baseline-infra/examples/bea-adc",
"TerraformMode": "managed"
},
"tags_all": {
"Application": "sso",
"BuildDate": "20221212",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "preview",
"Name": "preview-ap-bea-sso-vpc",
"Project": "sso",
"ServiceProvider": "None",
"TerraformDir": "terraform.aws-baseline-infra/examples/bea-adc",
"TerraformMode": "managed"
}
},
"sensitive_attributes": [],
"private": "eyJzY2hlbWFfdmVyc2lvbiI6IjEifQ==",
"dependencies": [
"data.aws_caller_identity.this"
],
"create_before_destroy": true
}
]
}
],
"check_results": [
{
"object_kind": "resource",
"config_addr": "module.vpc-subnets.module.vpc-ep.data.aws_vpc.this-vpc",
"status": "pass",
"objects": null
}
]
}
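Review bot: The AD service-account password is committed in clear text in this state file, both as the Secrets Manager `secret_string` (`{"password":"…"}`) of the `adc-service-account-password` data source and as the AD Connector `password` attribute, and `sensitive_attributes` on the secret-version data source is empty, so the `sensitive` marking on the directory resource does nothing to keep it out of state. Because this commit rewrites history, the value has already been exposed and should be rotated in both Active Directory and Secrets Manager, and the `.tfstate` removed from the repository in favour of a remote backend with server-side encryption and a tightly scoped read policy. The same file also discloses the account ID, the creating IAM user's ARN and `user_id`, and every resource ID. Separately, the route table named `private-route-table` carries `0.0.0.0/0` via `igw-060da6481bbc4cedd`, so the subnets hosting the AD Connector ENIs are internet-routable despite the name; if that is intentional it deserves a comment in the module, otherwise the default route belongs on a NAT gateway or nowhere.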


@ -0,0 +1,15 @@
aws-region = "ap-east-1"
aws-region-short = "ape1"
customer-name = "bea"
environment = "preview"
project = "sso"
application = "sso"
vpc-cidr = "10.37.54.0/24"
number-of-public-subnets-per-az = 0
number-of-private-subnets-per-az = 1
vpc-flowlog-bucket-arn = "arn:aws:s3:::prd-vpc-flow-logs-894849410890"
adc-domainname = "hkbea.com"
adc-size = "Large"
adc-dns-ips = ["10.135.72.66", "10.135.72.67"]
adc-service-account-username = "AWSSSOPRD"
adc-enable-sso = true
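Review bot: `adc-service-account-username = "AWSSSOPRD"` binds this `preview` environment to what its name suggests is the production SSO service account, against the production domain `hkbea.com` and its DNS servers. AD Connector only needs a low-privilege account that can read users and groups (join rights only if Seamless Domain Join is used), so a dedicated per-environment account such as `svc-awssso-adconnector-preview` keeps a leak from a preview deployment from affecting production. `adc-size = "Large"` and `adc-enable-sso = true` are also production-grade settings for a preview stack; confirm they are intended rather than copied from the production tfvars.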


@ -0,0 +1,22 @@
variable "aws-region" {}
variable "aws-region-short" {}
variable "customer-name" {}
variable "environment" {}
variable "project" {}
variable "application" {}
variable "vpc-cidr" {}
variable "number-of-private-subnets-per-az" {}
variable "number-of-public-subnets-per-az" {}
variable vpc-flowlog-bucket-arn {}
variable "adc-domainname" {}
variable "adc-size" {}
variable "adc-dns-ips" {}
variable "adc-service-account-username" {}
variable "adc-service-account-password" {
type = string
sensitive = true
description = "Please supply ad svc account with environment variable (i.e. export TG_VAR_adc-service-account-password=xxx"
default = ""
}
variable "adc-enable-sso" {}
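Review bot: `default = ""` on `adc-service-account-password` means a forgotten environment variable does not fail at plan time; an empty string is handed to the AD Connector and the error only surfaces at apply. The example in the description cannot work as written either: in bash `export` rejects a name containing `-` (`TF_VAR_adc-service-account-password=…` is "not a valid identifier"), and the prefix Terraform reads is `TF_VAR_`, not `TG_VAR_`; use `env TF_VAR_adc-service-account-password=… terraform plan`, a `-var` flag, or rename the variable with underscores. Drop the default and add a validation block so an empty value aborts the plan. The remaining variables declare no `type`, which lets a mistyped tfvars value through; `adc-dns-ips` in particular should be `list(string)`.
```hcl
variable "adc-service-account-password" {
  type        = string
  sensitive   = true
  description = "AD service account password; supply out of band, e.g. `env TF_VAR_adc-service-account-password=... terraform plan`. No default on purpose."

  validation {
    condition     = length(var.adc-service-account-password) > 0
    error_message = "adc-service-account-password must not be empty."
  }
}
```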


@ -0,0 +1,25 @@
# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.
provider "registry.terraform.io/hashicorp/aws" {
version = "4.45.0"
constraints = ">= 3.25.0"
hashes = [
"h1:J/XjRsEJIpxi+mczXQfnH3nvfACv3LRDtrthQJCIibY=",
"zh:22da03786f25658a000d1bcc28c780816a97e7e8a1f59fff6eee7d452830e95e",
"zh:2543be56eee0491eb0c79ca1c901dcbf71da26625961fe719f088263fef062f4",
"zh:31a1da1e3beedfd88c3c152ab505bdcf330427f26b75835885526f7bb75c4857",
"zh:4409afe50f225659d5f378fe9303a45052953a1219f7f1acc82b69d07528b7ba",
"zh:4dadec3b783f10d2f8eef3dab5e817baae9c932a7967d45fe3d77fcbcbdaa438",
"zh:55be80d6e24828dcb0db7a0226fb275415c1c0ad63dd2f33b76f3ac0cd64e6a6",
"zh:560bba29efb7dbe0bfcc937369d88817aa31a8d18aa25395b1afe2576cb04495",
"zh:6caacc202e83438ff63d5d96733e283f44e349668d96c6b1c5c7df463ebf85cc",
"zh:6cabab83a61d5b4ac801c5a5d57556a0e76ec8dc879d28cf777509db5f6a657e",
"zh:96c4528bf9c16edb8841b68479ec51c499ed7fa680462fa28caeab3fc168bb43",
"zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
"zh:cdc0b47ff840d708fbf75abfe86d23dc7f1dffdd233a771822a17b5c637f4769",
"zh:d9a9583e82776d1ebb6cf6c3d47acc2b302f8778f470ceffe7579dc794eb1feb",
"zh:e9367ca9f6f6418a23cdf8d01f29dd0c4f614e78499f52a767a422e4c334b915",
"zh:f6d355a2fb3bcebb597f68bbca4fa2aaa364efd29240236c582375e219d77656",
]
}


@ -0,0 +1 @@
{"Modules":[{"Key":"","Source":"","Dir":"."},{"Key":"sso","Source":"../../modules/security_identity_compliance/sso-permissionsets","Dir":"../../modules/security_identity_compliance/sso-permissionsets"}]}


@ -0,0 +1 @@
/home/kn/.terraform.d/plugin-cache/registry.terraform.io/hashicorp/aws/4.45.0/linux_amd64


@ -0,0 +1,15 @@
data "aws_caller_identity" "this" {}
locals {
default-tags = merge({
ServiceProvider = "None"
Environment = var.environment
Project = var.project
Application = var.application
TerraformMode = "managed"
TerraformDir = trimprefix(path.cwd, "/my/work/xpk-git/")
CreatedBy = data.aws_caller_identity.this.arn
BuildDate = formatdate("YYYYMMDD", timestamp())
})
resource-prefix = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}"
}
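Review bot: `BuildDate = formatdate("YYYYMMDD", timestamp())` in `default-tags` changes on every plan, so every tagged resource shows a perpetual diff and is re-tagged on each apply across a day boundary; either drop it, take it from a variable, or have the modules place `tags["BuildDate"]` under `lifecycle { ignore_changes }`. `TerraformDir = trimprefix(path.cwd, "/my/work/xpk-git/")` hard-codes one workstation's checkout path; on any other machine or in CI the tag becomes the full absolute path, which leaks local filesystem layout onto resources readable by anyone with `Describe*` permissions, whereas `basename(path.cwd)` or a value relative to `path.root` is portable. `CreatedBy = data.aws_caller_identity.this.arn` likewise stamps the operator's IAM user ARN on every resource and flips whenever a different principal runs apply; CloudTrail already records who created what, so this tag adds churn more than audit value.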


@ -0,0 +1,28 @@
module sso {
source = "../../modules/security_identity_compliance/sso-permissionsets"
for_each = { for item in local.items : item.name => item }
default-tags = local.default-tags
pset-name = each.value.name
pset-desc = each.value.desc
pset-managed-policy-arn = each.value.mpolicy
pset-session-duration = each.value.session
}
locals {
csv_data = <<-CSV
name,desc,mpolicy,session
ViewOnly,View only access,arn:aws:iam::aws:policy/job-function/ViewOnlyAccess,PT4H
ReadOnly,Read only access,arn:aws:iam::aws:policy/ReadOnlyAccess,PT4H
FullAccess,Full admin access,arn:aws:iam::aws:policy/AdministratorAccess,PT4H
NetworkAdmin,Network admin access,arn:aws:iam::aws:policy/job-function/NetworkAdministrator,PT4H
DatabaseAdmin,Database admin access,arn:aws:iam::aws:policy/job-function/DatabaseAdministrator,PT4H
BillingAdmin,Billing admin access,arn:aws:iam::aws:policy/job-function/Billing,PT4H
SecurityAudit,Security admin access,arn:aws:iam::aws:policy/SecurityAudit,PT4H
PowerUser,Full access excluding IAM,arn:aws:iam::aws:policy/PowerUserAccess,PT4H
CSV
items = csvdecode(local.csv_data)
}
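Review bot: The `SecurityAudit` row is described as `Security admin access` but attaches `arn:aws:iam::aws:policy/SecurityAudit`, which is read-only; change the description to `Security audit (read-only) access` so the permission set is not granted under a misleading label. All eight permission sets, including `FullAccess` (AdministratorAccess), share a `PT4H` session; a shorter duration such as `PT1H` for the administrative sets shrinks the window in which a stolen session is useful. AdministratorAccess can also mint long-lived IAM access keys and so outlive any session limit, which argues for keeping that set's assignments minimal and enforcing MFA at the identity source. The `sso-permissionsets` module referenced here lives outside this file, so whether it supports an inline policy or permissions boundary is not visible in this review.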


@ -0,0 +1,13 @@
provider "aws" {
region = var.aws-region
}
terraform {
required_version = ">= 1.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 3.25"
}
}
}
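Review bot: `version = ">= 3.25"` has no upper bound, so `terraform init -upgrade` can move this stack across a major provider release, and major releases carry breaking resource changes; the lock file protects only until someone runs the upgrade. A pessimistic constraint on the tested major, `version = "~> 4.45"`, keeps upgrades deliberate while still allowing patch and minor updates.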


@ -0,0 +1,64 @@
data "aws_ssoadmin_instances" "sso1" {}
locals {
csv_data2 = <<-CSV
username,email,lastName,firstName
user1,user1@acme.local,Doe,John
user2,user2@acme.local,Smith,Jane
CSV
users = csvdecode(local.csv_data2)
}
resource "aws_identitystore_user" "sso-user" {
for_each = { for item in local.users : item.username => item }
identity_store_id = tolist(data.aws_ssoadmin_instances.sso1.identity_store_ids)[0]
display_name = "${each.value.firstName} ${each.value.lastName}"
user_name = each.value.username
nickname = each.value.username
emails {
primary = true
value = each.value.email
}
name {
family_name = each.value.lastName
given_name = each.value.firstName
}
}
resource "aws_identitystore_group" "sso-group" {
identity_store_id = tolist(data.aws_ssoadmin_instances.sso1.identity_store_ids)[0]
display_name = "Viewers"
description = "Users with view permission"
}
resource "aws_identitystore_group_membership" "sso-group-membership" {
for_each = aws_identitystore_user.sso-user
identity_store_id = tolist(data.aws_ssoadmin_instances.sso1.identity_store_ids)[0]
group_id = aws_identitystore_group.sso-group.group_id
member_id = each.value.user_id
}
locals {
csv_data3 = <<-CSV
seq,groupName,permission,accountId
1,Viewers,ViewOnly,865184416664
2,Viewers,ViewOnly,572802010687
CSV
accounts = csvdecode(local.csv_data3)
}
resource "aws_ssoadmin_account_assignment" "pset-assignment" {
for_each = { for item in local.accounts : item.seq => item }
instance_arn = tolist(data.aws_ssoadmin_instances.sso1.arns)[0]
permission_set_arn = module.sso[each.value.permission].pset-arn
principal_id = aws_identitystore_group.sso-group.group_id
principal_type = "GROUP"
target_id = each.value.accountId
target_type = "AWS_ACCOUNT"
}
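Review bot: `for_each = { for item in local.accounts : item.seq => item }` keys the account assignments on a CSV row number, so inserting or reordering a row changes the keys and Terraform destroys and recreates the affected assignments (briefly revoking access) instead of leaving untouched rows alone; a content-derived key such as `"${item.groupName}-${item.permission}-${item.accountId}"` is stable. Every user in `csv_data2` is placed in the single `Viewers` group regardless of CSV content, and `groupName` in `csv_data3` is never read; a comment saying the group is fixed, or a real lookup keyed on `groupName`, would stop the column from suggesting a choice that does not exist. The target account IDs (`865184416664`, `572802010687`) are hard-coded in source; a `map(string)` variable keeps them in tfvars and makes the file reusable across environments.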


@ -0,0 +1,9 @@
{
"version": 4,
"terraform_version": "1.3.5",
"serial": 66,
"lineage": "b72dc65d-13d0-2661-89b8-fa46cc9e8bbd",
"outputs": {},
"resources": [],
"check_results": null
}



@ -0,0 +1,7 @@
aws-region = "ap-east-1"
aws-region-short = "ape1"
customer-name = "bea"
environment = "preview"
project = "security"
application = "sso"


@ -0,0 +1,6 @@
variable "aws-region" {}
variable "aws-region-short" {}
variable "customer-name" {}
variable "environment" {}
variable "project" {}
variable "application" {}


@ -0,0 +1,39 @@
module "deployer-ec2" {
source = "../../modules/compute/ec2"
additional_tags = { "Backup" : "None" }
# ami-id = "ami-072e4595d41025d94"
ami-id = data.aws_ami.ami-lookup.id
default-tags = local.default-tags
ebs-encrypted = true
asso-eip = false
instance-name = "rackspace-deployer-ec2-test"
instance-type = "t3.micro"
key-name = "whk1-ec2-key-555344966285"
asso-public-ip = false
root-volume-size = 15
security-groups = ["sg-03282995027b7a9fc"]
subnet-id = "subnet-07e4392828a70b1f9"
instance-profile = "TerraformRole"
}
data "aws_ami" "ami-lookup" {
most_recent = true
filter {
name = "name"
values = ["CIS Amazon Linux 2 Kernel 5.10*"]
}
filter {
name = "virtualization-type"
values = ["hvm"]
}
filter {
name = "architecture"
values = ["x86_64"]
}
owners = ["211372476111"] # CIS
}
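Review bot: `most_recent = true` on the `CIS Amazon Linux 2 Kernel 5.10*` lookup means the resolved AMI can change between plans whenever CIS publishes a new image, and the resulting `ami-id` change replaces the instance; pin the name filter to a specific build (or restore the commented `ami-id` as the pinned value) and bump it deliberately. `instance-profile = "TerraformRole"` hands the deployer box the role used to run Terraform, whose permissions are not visible here but are presumably broad; if the instance only runs deployments, a dedicated profile with the minimum IAM it needs is safer than reusing the automation role. The `owners` filter is a good guard against look-alike AMIs; confirm `211372476111` is the account CIS publishes from in this region before relying on it, since the `# CIS` comment is the only evidence.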


@ -0,0 +1,8 @@
aws-region = "ap-southeast-1"
customer-name = "bea"
environment = "dev"
project = "iac"
application = "terraform"
CostCenter = "none"
DynamicAddressGroup = ""
Owner = "Rackspace"
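Review bot: The keys `CostCenter` and `Owner` do not match the variables declared in the following file, which appears to be this stack's `variables.tf` (`costcenter` and `owner`, lowercase), so Terraform warns about undeclared variables and leaves `var.owner` / `var.costcenter` unset, prompting for them or failing in non-interactive runs. Rename the keys to `owner = "Rackspace"` and `costcenter = "none"` (or the variable declarations to match the tfvars), and consider aligning `DynamicAddressGroup` with the lowercase convention at the same time.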


@ -0,0 +1,25 @@
variable "aws-region" {}
variable "customer-name" {}
variable "environment" {}
variable "project" {}
variable "application" {}
variable "owner" {}
variable "costcenter" {}
variable "DynamicAddressGroup" {}
locals {
default-tags = {
ServiceProvider = "RackspaceTechnology"
Environment = var.environment
Project = var.project
Application = var.application
TerraformMode = "managed"
BuildDate = formatdate("YYYYMMDD", timestamp())
Owner = var.owner
CostCenter = var.costcenter
DynamicAddressGroup = var.DynamicAddressGroup
}
resource-prefix = "${var.environment}-substr(${var.aws-region},0,2)-${var.customer-name}-${var.project}"
}
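Review bot: `resource-prefix = "${var.environment}-substr(${var.aws-region},0,2)-…"` never calls `substr`: the function name sits inside the string literal and only `var.aws-region` is interpolated, so the prefix evaluates to something like `dev-substr(ap-southeast-1,0,2)-bea-iac` and that text lands in resource names and Name tags. The call has to be inside the interpolation: `resource-prefix = "${var.environment}-${substr(var.aws-region, 0, 2)}-${var.customer-name}-${var.project}"`. Even then `substr(..., 0, 2)` yields `ap` for every Asia-Pacific region and cannot tell ap-southeast-1 from ap-east-1; the other stacks in this commit pass an explicit `aws-region-short` variable, which is the more useful convention. The mixed-case `DynamicAddressGroup` variable also departs from the lowercase names used by the rest of this block.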


@ -0,0 +1,10 @@
# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.
provider "registry.terraform.io/hashicorp/aws" {
version = "4.55.0"
constraints = ">= 3.25.0"
hashes = [
"h1:VHfmrKCb4oTW/+rWGKKqipoMOPd4tPxlGwMp0/Flx/s=",
]
}


@ -0,0 +1 @@
/home/kn/.terraform.d/plugin-cache/registry.terraform.io/hashicorp/aws/4.55.0/linux_amd64


@ -0,0 +1,119 @@
# eks-lab/eks
This layer creates the following resources
- EKS cluster using ipv6 for service network
- EKS nodegroup
- EKS bastion
- Install eksctl, kubectl, awscliv2, helm on EKS bastion with user_data script
Be patient. EKS cluster takes 12min to provision. Node group will take another 5 min. And the cluster addon takes another ?? min.
## Worker node instance size
Choose t3.large at the minimum. This is due to AWS's limitation on number of IPs. Smaller instanecs are limited with 6 IP
which is not enough. See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html#AvailableIpPerENI
## How to use eksctl and kubectl
By default, AWS EKS are installed with an aws-auth configmap which allows only the cluster creator
to work with the cluster. Therefore, one must first assume to the creator IAM role before running eksctl or kubectl.
For example, to create kube config, run these commands:
```bash
export AWS_ACCESS_KEY_ID=xxxx AWS_SECRET_ACCESS_KEY="yyyy" AWS_DEFAULT_REGION=ap-northeast-1
aws eks update-kubeconfig --name lab-apne1-xpk-iac-cluster01
```
## Edit configmap/aws-auth
```
kubectl edit -n kube-system configmap/aws-auth
```
Add a group with system:master role
```yaml
apiVersion: v1
data:
mapRoles: |
- groups:
- system:bootstrappers
- system:nodes
rolearn: arn:aws:iam::040216112220:role/clusterCreator
username: system:node:Template:EC2PrivateDNSName
- groups:
- system:masters
rolearn: arn:aws:iam::040216112220:role/lab-apne1-xpk-iac-bast-role
username: lab-apne1-xpk-iac-bast-role
kind: ConfigMap
metadata:
creationTimestamp: "2022-12-29T11:02:15Z"
name: aws-auth
namespace: kube-system
resourceVersion: "59670"
uid: 7cf9d889-8ed2-4c8d-ac0f-092184cede8a
```
## Addon updates
When updating addons, please select advanced options and choose preserve settings.
## Install ALB ingress controller
AWS provides documentation on how to deploy a sample application with ingress (ALB)
https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html
That depends on the load balancer container, which can be deployed by
```bash
curl -O https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.4.4/docs/install/iam_policy.json
aws iam create-policy \
--policy-name AWSLoadBalancerControllerIAMPolicy \
--policy-document file://iam_policy.json
```
Create an openid provider on iam
https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html
```
eksctl create iamserviceaccount \
--cluster=lab-apne1-xpk-iac-cluster01 \
--namespace=kube-system \
--name=aws-load-balancer-controller \
--role-name AmazonEKSLoadBalancerControllerRole \
--attach-policy-arn=arn:aws:iam::040216112220:policy/AWSLoadBalancerControllerIAMPolicy \
--approve
helm repo add eks https://aws.github.io/eks-charts
helm repo update
helm install aws-load-balancer-controller eks/aws-load-balancer-controller \
-n kube-system \
--set clusterName=lab-apne1-xpk-iac-cluster01 \
--set serviceAccount.create=false \
--set serviceAccount.name=aws-load-balancer-controller
```
## Tag subnets
Reference: https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html
The following tags are set in the network layer:
On private subnets:
Key kubernetes.io/role/internal-elb
Value 1
On public subnets:
Key kubernetes.io/role/elb
Value 1
## Install sample app the 2048 game
See https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html
```bash
curl -O https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.4.4/docs/examples/2048/2048_full.yaml
edit the file
kubectl apply -f 2048_full.yaml
kubectl get ingress/ingress-2048 -n game-2048
```
In a moment, the lb address should be displayed
```bash
root@ip-192-168-123-187:~# kubectl get ingress/ingress-2048 -n game-2048
NAME CLASS HOSTS ADDRESS PORTS AGE
ingress-2048 alb * internal-k8s-game2048-ingress2-5f196824a1-20502803.ap-northeast-1.elb.amazonaws.com 80 7s
```


@ -0,0 +1,7 @@
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACDQnEGn3cwEav+pMKXYvP3KjDYpB+Po/wpcrmQZnh31wgAAAJDu9hUF7vYV
BQAAAAtzc2gtZWQyNTUxOQAAACDQnEGn3cwEav+pMKXYvP3KjDYpB+Po/wpcrmQZnh31wg
AAAEBcvMSW9eqRM2Kd3obuJfHma+nzrsMiRSHO09wjSg4KF9CcQafdzARq/6kwpdi8/cqM
NikH4+j/ClyuZBmeHfXCAAAADWtuQGlzbS56b28ubG8=
-----END OPENSSH PRIVATE KEY-----
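Review bot: This file is an unencrypted OpenSSH private key (ed25519, comment `kn@ism.zoo.lo`), and it is presumably the `eks-node-sshkey` that the eks layer's `aws_key_pair` comment says to generate locally, so the key that authorizes SSH to the worker nodes and the bastion is now readable by anyone with access to this repository. Rewriting history does not revoke it: treat the key as compromised, generate a new pair, re-apply so the old public key is no longer registered, and remove this file from the tree. Only the `.pub` belongs in the repo; add the private key's name to `.gitignore` (it has no extension, so `*.pem`-style patterns will not catch it) and consider a pre-commit secret scan so the next squash does not re-import it.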


@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINCcQafdzARq/6kwpdi8/cqMNikH4+j/ClyuZBmeHfXC kn@ism.zoo.lo


@ -0,0 +1,18 @@
data "aws_caller_identity" "this" {}
locals {
default-tags = merge({
ServiceProvider = "None"
Environment = var.environment
Project = var.project
Application = var.application
TerraformMode = "managed"
TerraformDir = "${local.path-cwd-list[length(local.path-cwd-list) - 2]}/${local.path-cwd-list[length(local.path-cwd-list) - 1]}"
CreatedBy = data.aws_caller_identity.this.arn
BuildDate = formatdate("YYYYMMDD", timestamp())
})
resource-prefix = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}"
path-cwd-list = split("/", path.cwd)
}
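Review bot: `merge({ ... })` with a single map argument is a no-op, and two of the tags it wraps change on every run — `BuildDate` from `timestamp()` changes daily and `CreatedBy` changes with whoever applies — so every tagged resource shows a plan diff on each apply and real drift gets buried. Either drop those two tags or add `lifecycle { ignore_changes = [tags["BuildDate"], tags["CreatedBy"]] }` on the consuming resources. `TerraformDir` derived from `path.cwd` also copies the operator's local directory names into AWS tags, which is fine for a lab but worth knowing in a customer account. The same `locals` block is repeated in the other layers of this commit.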


@ -0,0 +1,306 @@
data "terraform_remote_state" "vpc" {
backend = "local"
config = {
path = "../network/terraform.tfstate"
}
}
resource "aws_iam_role" "eks-cluster-role" {
name = "${local.resource-prefix}-cluster-role"
assume_role_policy = jsonencode({
"Version" : "2012-10-17",
"Statement" : [
{
"Effect" : "Allow",
"Principal" : {
"Service" : "eks.amazonaws.com"
},
"Action" : "sts:AssumeRole"
}
]
}
)
managed_policy_arns = ["arn:aws:iam::aws:policy/AmazonEKSClusterPolicy", "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController"]
tags = local.default-tags
}
resource "aws_eks_cluster" "eks-cluster" {
name = "${local.resource-prefix}-cluster01"
role_arn = aws_iam_role.eks-cluster-role.arn
vpc_config {
subnet_ids = data.terraform_remote_state.vpc.outputs.private-subnet-ids
endpoint_private_access = true
endpoint_public_access = false
}
enabled_cluster_log_types = ["api", "audit"]
kubernetes_network_config {
ip_family = "ipv6"
}
tags = local.default-tags
}
resource "aws_eks_addon" "eks-addons" {
# for_each = toset(["vpc-cni", "coredns", "kube-proxy", "aws-ebs-csi-driver"])
# latest version as on 2023-02-17 failed to deploy
for_each = {
"aws-ebs-csi-driver" : {
"version" : "v1.15.0-eksbuild.1"
},
"vpc-cni" : {
"version" : "v1.12.2-eksbuild.1"
},
"coredns" : {
"version" : "v1.9.3-eksbuild.2"
},
"kube-proxy" : {
"version" : "v1.24.9-eksbuild.1"
}
}
cluster_name = aws_eks_cluster.eks-cluster.name
addon_name = each.key
addon_version = each.value["version"]
}
resource "aws_iam_role" "eks-nodegroup-role" {
name = "${local.resource-prefix}-nodegroup-role"
assume_role_policy = jsonencode({
"Version" : "2012-10-17",
"Statement" : [
{
"Effect" : "Allow",
"Principal" : {
"Service" : "ec2.amazonaws.com"
},
"Action" : "sts:AssumeRole"
}
]
}
)
managed_policy_arns = [
"arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
"arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
]
inline_policy {
name = "IP6CniAccess"
policy = jsonencode({
"Version" : "2012-10-17",
"Statement" : [
{
"Effect" : "Allow",
"Action" : [
"ec2:AssignIpv6Addresses",
"ec2:DescribeInstances",
"ec2:DescribeTags",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeInstanceTypes"
],
"Resource" : "*"
},
{
"Effect" : "Allow",
"Action" : [
"ec2:CreateTags"
],
"Resource" : [
"arn:aws:ec2:*:*:network-interface/*"
]
}
]
})
}
inline_policy {
name = "AlbIngressAccess"
policy = jsonencode({
"Version" : "2012-10-17",
"Statement" : [
{
"Effect" : "Allow",
"Action" : [
"elasticloadbalancing:*"
],
"Resource" : "*"
}
]
})
}
tags = local.default-tags
}
data "aws_ssm_parameter" "eks_ami_release_version" {
name = "/aws/service/eks/optimized-ami/${aws_eks_cluster.eks-cluster.version}/amazon-linux-2/recommended/release_version"
}
# manually generate the key: ssh-keygen -ted25519 -f eks-node-sshkey
# file() can only read pre-existing file
resource "aws_key_pair" "eks-node-sshkey" {
key_name = "${local.resource-prefix}-eks-node-sshkey"
public_key = file("${path.module}/eks-node-sshkey.pub")
}
resource "aws_security_group" "eks-node-sg" {
name = "${local.resource-prefix}-eks-node-sg"
description = "Allow ssh to EKS nodes"
vpc_id = data.terraform_remote_state.vpc.outputs.vpc-id
ingress {
description = "SSH from VPC"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = [data.terraform_remote_state.vpc.outputs.vpc-cidr]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
tags = local.default-tags
}
resource "aws_eks_node_group" "eks-nodegroup" {
cluster_name = aws_eks_cluster.eks-cluster.name
node_group_name_prefix = "${local.resource-prefix}-eks-ng"
node_role_arn = aws_iam_role.eks-nodegroup-role.arn
subnet_ids = data.terraform_remote_state.vpc.outputs.private-subnet-ids
version = aws_eks_cluster.eks-cluster.version
release_version = nonsensitive(data.aws_ssm_parameter.eks_ami_release_version.value)
instance_types = ["t3.large"] # see README.md
scaling_config {
desired_size = 1
max_size = 2
min_size = 1
}
update_config {
max_unavailable = 1
}
remote_access {
ec2_ssh_key = aws_key_pair.eks-node-sshkey.key_name
source_security_group_ids = [aws_security_group.eks-node-sg.id]
}
tags = local.default-tags
}
# ec2 instance for EKS management
data "aws_ami" "ubuntu" {
most_recent = true
filter {
name = "name"
values = ["ubuntu/images/hvm-ssd/ubuntu-*-amd64-server-*"]
}
filter {
name = "virtualization-type"
values = ["hvm"]
}
owners = ["099720109477"] # Canonical
}
resource "aws_security_group" "eks-bast-sg" {
name = "${local.resource-prefix}-eks-bast-sg"
description = "Allow ssh to EKS bast"
vpc_id = data.terraform_remote_state.vpc.outputs.vpc-id
ingress {
description = "SSH from VPC"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["223.18.148.85/32"]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
tags = local.default-tags
}
resource "aws_iam_role" "eks-bast-role" {
name = "${local.resource-prefix}-bast-role"
assume_role_policy = jsonencode({
"Version" : "2012-10-17",
"Statement" : [
{
"Effect" : "Allow",
"Principal" : {
"Service" : "ec2.amazonaws.com"
},
"Action" : "sts:AssumeRole"
}
]
})
inline_policy {
name = "eks-bast-policy"
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = ["eks:*", "ecr:*"]
Effect = "Allow"
Resource = "*"
},
]
})
}
managed_policy_arns = ["arn:aws:iam::aws:policy/ReadOnlyAccess"]
tags = local.default-tags
}
resource "aws_iam_instance_profile" "eks-bast-iam-profile" {
name = "eksBastIamProfile"
role = aws_iam_role.eks-bast-role.name
}
resource "aws_instance" "eks-bast" {
ami = data.aws_ami.ubuntu.id
instance_type = "t3.micro"
associate_public_ip_address = true
ebs_optimized = true
key_name = aws_key_pair.eks-node-sshkey.key_name
vpc_security_group_ids = [aws_security_group.eks-bast-sg.id, aws_eks_cluster.eks-cluster.vpc_config[0].cluster_security_group_id]
subnet_id = data.terraform_remote_state.vpc.outputs.public-subnet-ids[0]
iam_instance_profile = aws_iam_instance_profile.eks-bast-iam-profile.name
root_block_device {
volume_size = 8
volume_type = "gp3"
tags = local.default-tags
}
tags = merge(local.default-tags, { "Name" : "${local.resource-prefix}-eks-bast" })
user_data = <<EOF
#!/bin/bash
echo "Install unzip"
apt install unzip -y
echo "Install eksctl"
curl --silent --location "https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_$(uname -s)_amd64.tar.gz" | tar xz -C /tmp
mv /tmp/eksctl /usr/local/bin
echo "Install kubectl"
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
mv kubectl /usr/local/bin/
chmod 755 /usr/local/bin/kubectl
echo "Install awscliv2"
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install
echo "Install helm"
curl -q https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
EOF
}
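Review bot: The `AlbIngressAccess` inline policy gives the worker node role `elasticloadbalancing:*` on `Resource: "*"`, and because neither the node group nor the bastion enforces IMDSv2 (`metadata_options { http_tokens = "required" }`; for the managed node group this needs a launch template), any pod on a node can typically read those credentials from the instance metadata endpoint. The README in this commit already creates the controller's role through IRSA (`eksctl create iamserviceaccount`), so this inline block is redundant and should be deleted rather than scoped. The bastion's ingress rule is described as `SSH from VPC` but admits the hard-coded public `223.18.148.85/32`; make the description match or turn the CIDR into a variable so the real exposure is visible in review. `user_data` also installs eksctl, kubectl, awscli and helm from unpinned `latest`/`stable.txt` URLs piped straight into `tar`/`bash` as root with no checksum verification; pin versions and verify the published sha256 files before installing.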


@ -0,0 +1,9 @@
/*
output eks-cluster-sg {
value = aws_eks_cluster.eks-cluster.vpc_config.*.cluster_security_group_id
}
*/
output eks-bast-ip {
value = aws_instance.eks-bast.public_ip
}


@ -0,0 +1,13 @@
provider "aws" {
region = var.aws-region
}
terraform {
required_version = ">= 1.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 3.25"
}
}
}
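Review bot: The provider constraint `version = ">= 3.25"` has no upper bound, so `terraform init -upgrade` is free to jump to a new major release with breaking schema changes; the lock files in this commit pin 4.55.0 only for a plain `init`. Pin to the tested series, e.g. `version = "~> 4.55"`, and move forward deliberately. The same open constraint appears in the other provider files of this commit.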


@ -0,0 +1,6 @@
aws-region = "ap-northeast-1"
aws-region-short = "apne1"
customer-name = "xpk"
environment = "lab"
project = "iac"
application = "eks"


@ -0,0 +1,6 @@
variable "aws-region" {}
variable "aws-region-short" {}
variable "customer-name" {}
variable "environment" {}
variable "project" {}
variable "application" {}


@ -0,0 +1,10 @@
# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.
provider "registry.terraform.io/hashicorp/aws" {
version = "4.55.0"
constraints = ">= 3.25.0"
hashes = [
"h1:VHfmrKCb4oTW/+rWGKKqipoMOPd4tPxlGwMp0/Flx/s=",
]
}


@ -0,0 +1 @@
/home/kn/.terraform.d/plugin-cache/registry.terraform.io/hashicorp/aws/4.55.0/linux_amd64


@ -0,0 +1,10 @@
# eks-lab/network
This module creates the following resources
- VPC
- Public and private subnets
- NAT gateway
Ipv6 is enabled on EKS subnets. See
https://docs.aws.amazon.com/eks/latest/userguide/cni-ipv6.html
https://docs.aws.amazon.com/eks/latest/userguide/cni-iam-role.html#cni-iam-role-create-ipv6-policy
https://aws.amazon.com/premiumsupport/knowledge-center/eks-failed-create-pod-sandbox/


@ -0,0 +1,18 @@
data "aws_caller_identity" "this" {}
locals {
default-tags = merge({
ServiceProvider = "None"
Environment = var.environment
Project = var.project
Application = var.application
TerraformMode = "managed"
TerraformDir = "${local.path-cwd-list[length(local.path-cwd-list) - 2]}/${local.path-cwd-list[length(local.path-cwd-list) - 1]}"
CreatedBy = data.aws_caller_identity.this.arn
BuildDate = formatdate("YYYYMMDD", timestamp())
})
resource-prefix = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}"
path-cwd-list = split("/", path.cwd)
}


@ -0,0 +1,133 @@
# Create VPC and subnets
resource "aws_vpc" "vpc1" {
cidr_block = "192.168.123.0/24"
assign_generated_ipv6_cidr_block = true
enable_dns_support = true
enable_dns_hostnames = true
tags = merge(local.default-tags, { "Name" : "${local.resource-prefix}-vpc1" })
}
data "aws_availability_zones" "azs" {
state = "available"
}
# kubernetes tag is needed for alb ingress controller
resource "aws_subnet" "private-subnets" {
count = 2
availability_zone = data.aws_availability_zones.azs.names[count.index]
vpc_id = aws_vpc.vpc1.id
cidr_block = cidrsubnet(aws_vpc.vpc1.cidr_block, 2, count.index)
assign_ipv6_address_on_creation = true
# ipv6 subnets must be a /64
ipv6_cidr_block = cidrsubnet(aws_vpc.vpc1.ipv6_cidr_block, 8, count.index)
enable_resource_name_dns_a_record_on_launch = true
tags = merge(local.default-tags,
{ "Name" : "${local.resource-prefix}-private-${data.aws_availability_zones.azs.names[count.index]}" },
{ "kubernetes.io/role/internal-elb" : "1" }
)
}
# kubernetes tag is needed for alb ingress controller
resource "aws_subnet" "public-subnets" {
count = 2
availability_zone = data.aws_availability_zones.azs.names[count.index]
vpc_id = aws_vpc.vpc1.id
cidr_block = cidrsubnet(aws_vpc.vpc1.cidr_block, 2, count.index + 2)
assign_ipv6_address_on_creation = true
# ipv6 subnets must be a /64
ipv6_cidr_block = cidrsubnet(aws_vpc.vpc1.ipv6_cidr_block, 8, count.index + 2)
enable_resource_name_dns_a_record_on_launch = true
tags = merge(local.default-tags,
{ "Name" : "${local.resource-prefix}-public-${data.aws_availability_zones.azs.names[count.index]}" },
{ "kubernetes.io/role/elb" : "1" }
)
}
resource "aws_internet_gateway" "igw" {
vpc_id = aws_vpc.vpc1.id
tags = merge(local.default-tags, { "Name" : "${local.resource-prefix}-igw" })
}
resource "aws_eip" "ngw-ip" {
vpc = true
}
resource "aws_nat_gateway" "ngw" {
allocation_id = aws_eip.ngw-ip.id
subnet_id = aws_subnet.public-subnets[0].id
tags = merge(local.default-tags, { "Name" : "${local.resource-prefix}-ngw" })
}
resource "aws_route_table" "public-rtb" {
vpc_id = aws_vpc.vpc1.id
route {
cidr_block = "0.0.0.0/0"
gateway_id = aws_internet_gateway.igw.id
}
tags = merge(local.default-tags, { "Name" : "${local.resource-prefix}-public-rtb" })
}
resource "aws_route_table" "private-rtb" {
vpc_id = aws_vpc.vpc1.id
route {
cidr_block = "0.0.0.0/0"
gateway_id = aws_nat_gateway.ngw.id
}
tags = merge(local.default-tags, { "Name" : "${local.resource-prefix}-private-rtb" })
}
resource "aws_route_table_association" "public-rtb-asso" {
count = length(aws_subnet.public-subnets)
subnet_id = aws_subnet.public-subnets[count.index].id
route_table_id = aws_route_table.public-rtb.id
}
resource "aws_route_table_association" "private-rtb-asso" {
count = length(aws_subnet.private-subnets)
subnet_id = aws_subnet.private-subnets[count.index].id
route_table_id = aws_route_table.private-rtb.id
}
resource "aws_vpc_endpoint" "eks-vpcep" {
vpc_id = aws_vpc.vpc1.id
service_name = "com.amazonaws.${var.aws-region}.eks"
vpc_endpoint_type = "Interface"
security_group_ids = [aws_security_group.generic-ep-sg.id]
private_dns_enabled = true
subnet_ids = aws_subnet.private-subnets.*.id
tags = merge(local.default-tags, { "Name" : "${local.resource-prefix}-vpcep-eks" })
}
resource "aws_security_group" "generic-ep-sg" {
name = "HttpsAccessToVpcEndpoints"
description = "HttpsAccessToVpcEndpoints"
vpc_id = aws_vpc.vpc1.id
ingress {
description = "TLS from VPC"
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = [aws_vpc.vpc1.cidr_block]
}
ingress {
description = "TLS from VPC"
from_port = 443
to_port = 443
protocol = "tcp"
ipv6_cidr_blocks = [aws_vpc.vpc1.ipv6_cidr_block]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
ipv6_cidr_blocks = ["::/0"]
}
tags = merge({ "Name" : "VpcEpAccess" }, local.default-tags)
}
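Review bot: The default route in `private-rtb` sets `gateway_id = aws_nat_gateway.ngw.id`, but the `route` block's attribute for a NAT gateway is `nat_gateway_id`; with `gateway_id` the provider may reject the `nat-` ID or read it back under the other attribute and show perpetual drift, so use `nat_gateway_id = aws_nat_gateway.ngw.id`. Both subnet types get IPv6 addresses on creation, yet neither route table has a `::/0` route — public subnets need one via the IGW and private subnets need an `aws_egress_only_internet_gateway` — so with the eks layer's `ip_family = "ipv6"` pods will have no IPv6 egress (relevant only if they must reach outside the VPC). There is also no `aws_flow_log` on the VPC, so bastion and node traffic is not auditable; a flow log to CloudWatch Logs or S3 is cheap insurance for a VPC with an internet-facing bastion.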


@ -0,0 +1,19 @@
output vpc-cidr {
value = aws_vpc.vpc1.cidr_block
}
output vpc-cidr6 {
value = aws_vpc.vpc1.ipv6_cidr_block
}
output vpc-id {
value = aws_vpc.vpc1.id
}
output private-subnet-ids {
value = aws_subnet.private-subnets.*.id
}
output public-subnet-ids {
value = aws_subnet.public-subnets.*.id
}


@ -0,0 +1,13 @@
provider "aws" {
region = var.aws-region
}
terraform {
required_version = ">= 1.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 3.25"
}
}
}


@ -0,0 +1,6 @@
aws-region = "ap-northeast-1"
aws-region-short = "apne1"
customer-name = "xpk"
environment = "lab"
project = "iac"
application = "eks"


@ -0,0 +1,6 @@
variable "aws-region" {}
variable "aws-region-short" {}
variable "customer-name" {}
variable "environment" {}
variable "project" {}
variable "application" {}


@ -0,0 +1 @@
{"Modules":[{"Key":"vpc-subnets.vpc-ep","Source":"../vpc-endpoints","Dir":"../../modules/networking/vpc-endpoints"},{"Key":"vpc-subnets","Source":"../../modules/networking/vpc_subnets","Dir":"../../modules/networking/vpc_subnets"},{"Key":"","Source":"","Dir":"."}]}


@ -0,0 +1 @@
/home/kn/.terraform.d/plugin-cache/registry.terraform.io/hashicorp/aws/4.54.0/linux_amd64


@ -0,0 +1 @@
/home/kn/.terraform.d/plugin-cache/registry.terraform.io/hashicorp/local/2.3.0/linux_amd64


@ -0,0 +1 @@
/home/kn/.terraform.d/plugin-cache/registry.terraform.io/hashicorp/null/3.2.1/linux_amd64


@ -0,0 +1 @@
/home/kn/.terraform.d/plugin-cache/registry.terraform.io/hashicorp/template/2.2.0/linux_amd64


@ -0,0 +1 @@
/home/kn/.terraform.d/plugin-cache/registry.terraform.io/hashicorp/tls/4.0.4/linux_amd64


@ -0,0 +1,10 @@
# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.
provider "registry.terraform.io/hashicorp/aws" {
version = "4.55.0"
constraints = ">= 3.25.0"
hashes = [
"h1:VHfmrKCb4oTW/+rWGKKqipoMOPd4tPxlGwMp0/Flx/s=",
]
}


@ -0,0 +1 @@
/home/kn/.terraform.d/plugin-cache/registry.terraform.io/hashicorp/aws/4.55.0/linux_amd64


@ -0,0 +1,94 @@
# eks-lab
This module creates the following resources
- VPC
- Public and private subnets
- NAT gateway
- EKS cluster
- EKS nodegroup
- EKS bastion
- Install eksctl and kubectl on EKS bastion
## How to use eksctl and kubectl
By default, AWS EKS are installed with an aws-auth configmap which allows only the cluster creator
to work with the cluster. Therefore, one must first assume to the creator IAM role before running eksctl or kubectl.
For example, to create kube config, run these commands:
```bash
export AWS_ACCESS_KEY_ID=xxxx AWS_SECRET_ACCESS_KEY="yyyy" AWS_DEFAULT_REGION=ap-northeast-1
aws eks update-kubeconfig --name lab-apne1-xpk-iac-cluster01
```
## Configure VPC CNI to use custom networking
```bash
kubectl set env daemonset aws-node -n kube-system AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG=true
kubectl set env daemonset aws-node -n kube-system ENI_CONFIG_LABEL_DEF=failure-domain.beta.kubernetes.io/zone
cat <<EOF | kubectl apply -f -
apiVersion: crd.k8s.amazonaws.com/v1alpha1
kind: ENIConfig
metadata:
name: ap-northeast-1a
spec:
subnet: subnet-0d015cc72715685ca
EOF
cat <<EOF | kubectl apply -f -
apiVersion: crd.k8s.amazonaws.com/v1alpha1
kind: ENIConfig
metadata:
name: ap-northeast-1c
spec:
subnet: subnet-030ee2c3e2b730fcc
EOF
```
Then redeploy the nodegroup
```bash
terraform apply -replace="aws_eks_node_group.eks-nodegroup"
```
If successfully done, you will start to see 100.64.0.0 addresses being used on the EKS worker nodes. You can also see it with kubectl:
```bash
root@ip-192-168-123-48:~# kubectl get pods --all-namespaces -o wide
NAMESPACE NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
kube-system aws-node-5892k 1/1 Running 0 4m9s 192.168.123.245 ip-192-168-123-245.ap-northeast-1.compute.internal <none> <none>
kube-system coredns-5fc8d4cdcf-c75z6 1/1 Running 0 13m 100.64.9.249 ip-192-168-123-245.ap-northeast-1.compute.internal <none> <none>
kube-system coredns-5fc8d4cdcf-h5lnl 1/1 Running 0 13m 100.64.13.41 ip-192-168-123-245.ap-northeast-1.compute.internal <none> <none>
kube-system ebs-csi-controller-d6bff959-8459z 6/6 Running 0 13m 100.64.8.74 ip-192-168-123-245.ap-northeast-1.compute.internal <none> <none>
kube-system ebs-csi-controller-d6bff959-vnwlf 6/6 Running 0 5m28s 100.64.11.124 ip-192-168-123-245.ap-northeast-1.compute.internal <none> <none>
kube-system ebs-csi-node-h7w8r 3/3 Running 0 4m9s 100.64.11.188 ip-192-168-123-245.ap-northeast-1.compute.internal <none> <none>
kube-system kube-proxy-vgmdf 1/1 Running 0 4m9s 192.168.123.245 ip-192-168-123-245.ap-northeast-1.compute.internal <none> <none>
```
## Edit configmap/aws-auth
```
kubectl edit -n kube-system configmap/aws-auth
```
Add a group with system:master role
```yaml
apiVersion: v1
data:
mapRoles: |
- groups:
- system:bootstrappers
- system:nodes
rolearn: arn:aws:iam::040216112220:role/clusterCreator
username: system:node:Template:EC2PrivateDNSName
- groups:
- system:masters
rolearn: arn:aws:iam::040216112220:role/lab-apne1-xpk-iac-bast-role
username: lab-apne1-xpk-iac-bast-role
kind: ConfigMap
metadata:
creationTimestamp: "2022-12-29T11:02:15Z"
name: aws-auth
namespace: kube-system
resourceVersion: "59670"
uid: 7cf9d889-8ed2-4c8d-ac0f-092184cede8a
```
## Addon updates
When updating addons, please select advanced options and choose preserve settings.


@ -0,0 +1,7 @@
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACDQnEGn3cwEav+pMKXYvP3KjDYpB+Po/wpcrmQZnh31wgAAAJDu9hUF7vYV
BQAAAAtzc2gtZWQyNTUxOQAAACDQnEGn3cwEav+pMKXYvP3KjDYpB+Po/wpcrmQZnh31wg
AAAEBcvMSW9eqRM2Kd3obuJfHma+nzrsMiRSHO09wjSg4KF9CcQafdzARq/6kwpdi8/cqM
NikH4+j/ClyuZBmeHfXCAAAADWtuQGlzbS56b28ubG8=
-----END OPENSSH PRIVATE KEY-----
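Review bot: The same unencrypted OpenSSH private key as the earlier `-----BEGIN OPENSSH PRIVATE KEY-----` file in this commit is committed here again (the base64 body is byte-identical), so both copies must be removed and the key pair rotated, not just one. This is presumably the key `aws_key_pair.eks-node-sshkey` registers for the node group's `remote_access` and for the bastion's `key_name`; after rotation, re-apply so the compromised public key is no longer authorized anywhere. Keep the private half out of the repository entirely and ignore it by name in `.gitignore`.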


@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINCcQafdzARq/6kwpdi8/cqMNikH4+j/ClyuZBmeHfXC kn@ism.zoo.lo


@ -0,0 +1,18 @@
data "aws_caller_identity" "this" {}
locals {
default-tags = merge({
ServiceProvider = "None"
Environment = var.environment
Project = var.project
Application = var.application
TerraformMode = "managed"
TerraformDir = "${local.path-cwd-list[length(local.path-cwd-list) - 2]}/${local.path-cwd-list[length(local.path-cwd-list) - 1]}"
CreatedBy = data.aws_caller_identity.this.arn
BuildDate = formatdate("YYYYMMDD", timestamp())
})
resource-prefix = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}"
path-cwd-list = split("/", path.cwd)
}


@ -0,0 +1,261 @@
data "terraform_remote_state" "vpc" {
backend = "local"
config = {
path = "../network/terraform.tfstate"
}
}
resource "aws_iam_role" "eks-cluster-role" {
name = "${local.resource-prefix}-cluster-role"
assume_role_policy = jsonencode({
"Version" : "2012-10-17",
"Statement" : [
{
"Effect" : "Allow",
"Principal" : {
"Service" : "eks.amazonaws.com"
},
"Action" : "sts:AssumeRole"
}
]
}
)
managed_policy_arns = ["arn:aws:iam::aws:policy/AmazonEKSClusterPolicy", "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController"]
tags = local.default-tags
}
resource "aws_eks_cluster" "eks-cluster" {
name = "${local.resource-prefix}-cluster01"
role_arn = aws_iam_role.eks-cluster-role.arn
vpc_config {
subnet_ids = data.terraform_remote_state.vpc.outputs.private-subnet-ids
endpoint_private_access = true
endpoint_public_access = false
}
enabled_cluster_log_types = ["api", "audit"]
kubernetes_network_config {
service_ipv4_cidr = "172.16.0.0/16"
ip_family = "ipv4"
}
tags = local.default-tags
}
resource "aws_eks_addon" "eks-addons" {
# for_each = toset(["vpc-cni", "coredns", "kube-proxy", "aws-ebs-csi-driver"])
# latest version as on 2023-02-17 failed to deploy
for_each = {
"aws-ebs-csi-driver" : {
"version" : "v1.15.0-eksbuild.1"
},
"vpc-cni" : {
"version" : "v1.12.2-eksbuild.1"
},
"coredns" : {
"version" : "v1.9.3-eksbuild.2"
},
"kube-proxy" : {
"version" : "v1.24.9-eksbuild.2"
}
}
cluster_name = aws_eks_cluster.eks-cluster.name
addon_name = each.key
# addon_version = each.value["version"]
tags = local.default-tags
}
resource "aws_iam_role" "eks-nodegroup-role" {
name = "${local.resource-prefix}-nodegroup-role"
assume_role_policy = jsonencode({
"Version" : "2012-10-17",
"Statement" : [
{
"Effect" : "Allow",
"Principal" : {
"Service" : "ec2.amazonaws.com"
},
"Action" : "sts:AssumeRole"
}
]
}
)
managed_policy_arns = [
"arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
"arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
]
tags = local.default-tags
}
data "aws_ssm_parameter" "eks_ami_release_version" {
name = "/aws/service/eks/optimized-ami/${aws_eks_cluster.eks-cluster.version}/amazon-linux-2/recommended/release_version"
}
# manually generate the key: ssh-keygen -ted25519 -f eks-node-sshkey
# file() can only read pre-existing file
resource "aws_key_pair" "eks-node-sshkey" {
key_name = "${local.resource-prefix}-eks-node-sshkey"
public_key = file("${path.module}/eks-node-sshkey.pub")
}
resource "aws_security_group" "eks-node-sg" {
name = "${local.resource-prefix}-eks-node-sg"
description = "Allow ssh to EKS nodes"
vpc_id = data.terraform_remote_state.vpc.outputs.vpc-id
ingress {
description = "SSH from VPC"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = [data.terraform_remote_state.vpc.outputs.vpc-cidr]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
tags = local.default-tags
}
resource "aws_eks_node_group" "eks-nodegroup" {
cluster_name = aws_eks_cluster.eks-cluster.name
node_group_name_prefix = "${local.resource-prefix}-eks-ng"
node_role_arn = aws_iam_role.eks-nodegroup-role.arn
subnet_ids = data.terraform_remote_state.vpc.outputs.private-subnet-ids
version = aws_eks_cluster.eks-cluster.version
release_version = nonsensitive(data.aws_ssm_parameter.eks_ami_release_version.value)
instance_types = ["t3.small"]
scaling_config {
desired_size = 1
max_size = 2
min_size = 1
}
update_config {
max_unavailable = 1
}
remote_access {
ec2_ssh_key = aws_key_pair.eks-node-sshkey.key_name
source_security_group_ids = [aws_security_group.eks-node-sg.id]
}
tags = local.default-tags
}
# ec2 instance for EKS management
data "aws_ami" "ubuntu" {
most_recent = true
filter {
name = "name"
values = ["ubuntu/images/hvm-ssd/ubuntu-*-amd64-server-*"]
}
filter {
name = "virtualization-type"
values = ["hvm"]
}
owners = ["099720109477"] # Canonical
}
resource "aws_security_group" "eks-bast-sg" {
name = "${local.resource-prefix}-eks-bast-sg"
description = "Allow ssh to EKS bast"
vpc_id = data.terraform_remote_state.vpc.outputs.vpc-id
ingress {
description = "SSH from VPC"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["223.18.148.85/32"]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
tags = local.default-tags
}
resource "aws_iam_role" "eks-bast-role" {
name = "${local.resource-prefix}-bast-role"
assume_role_policy = jsonencode({
"Version" : "2012-10-17",
"Statement" : [
{
"Effect" : "Allow",
"Principal" : {
"Service" : "ec2.amazonaws.com"
},
"Action" : "sts:AssumeRole"
}
]
})
inline_policy {
name = "eks-bast-policy"
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = ["eks:*", "ecr:*"]
Effect = "Allow"
Resource = "*"
},
]
})
}
managed_policy_arns = ["arn:aws:iam::aws:policy/ReadOnlyAccess"]
tags = local.default-tags
}
resource "aws_iam_instance_profile" "eks-bast-iam-profile" {
name = "eksBastIamProfile"
role = aws_iam_role.eks-bast-role.name
}
resource "aws_instance" "eks-bast" {
ami = data.aws_ami.ubuntu.id
instance_type = "t3.micro"
associate_public_ip_address = true
ebs_optimized = true
key_name = aws_key_pair.eks-node-sshkey.key_name
vpc_security_group_ids = [aws_security_group.eks-bast-sg.id, aws_eks_cluster.eks-cluster.vpc_config[0].cluster_security_group_id]
subnet_id = data.terraform_remote_state.vpc.outputs.public-subnet-ids[0]
iam_instance_profile = aws_iam_instance_profile.eks-bast-iam-profile.name
root_block_device {
volume_size = 8
volume_type = "gp3"
tags = local.default-tags
}
tags = merge(local.default-tags, { "Name" : "${local.resource-prefix}-eks-bast" })
user_data = <<EOF
#!/bin/bash
echo "Install unzip"
apt install unzip -y
echo "Install eksctl"
curl --silent --location "https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_$(uname -s)_amd64.tar.gz" | tar xz -C /tmp
mv /tmp/eksctl /usr/local/bin
echo "Install kubectl"
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
mv kubectl /usr/local/bin/
chmod 755 /usr/local/bin/kubectl
echo "Install awscliv2"
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install
EOF
}
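Review bot: The bastion role combines `eks:*` and `ecr:*` on `Resource: "*"` with `ReadOnlyAccess`, the instance is also placed in the cluster security group via `cluster_security_group_id`, and the README in this commit maps this role to `system:masters` — so whoever reaches a shell on the bastion (with the same key pair the worker nodes use, `key_name = aws_key_pair.eks-node-sshkey.key_name`) gets account-wide read, image push/delete on every ECR repository and cluster admin. Scope the inline policy to what the kubeconfig workflow needs (`eks:DescribeCluster`, `eks:ListClusters`), replace `ecr:*` with `AmazonEC2ContainerRegistryReadOnly`, give the bastion its own key pair, and add `metadata_options { http_tokens = "required" }` to the instance. `# addon_version = each.value["version"]` being commented out leaves the version map in `for_each` as dead data and lets each addon float to the EKS default for the cluster version, which contradicts the comment above about the latest version failing to deploy; either restore the pin or drop the map. In `user_data`, kubectl is fetched from `stable.txt` and awscli from a zip with no integrity check; at minimum fetch `kubectl.sha256` from the same release path and run `echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check` before moving the binary, and pin the version rather than resolving `stable.txt` at boot.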


@ -0,0 +1,9 @@
/*
output eks-cluster-sg {
value = aws_eks_cluster.eks-cluster.vpc_config.*.cluster_security_group_id
}
*/
output eks-bast-ip {
value = aws_instance.eks-bast.public_ip
}


@ -0,0 +1,13 @@
provider "aws" {
region = var.aws-region
}
terraform {
required_version = ">= 1.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 3.25"
}
}
}


@ -0,0 +1,9 @@
{
"version": 4,
"terraform_version": "1.3.7",
"serial": 113,
"lineage": "61b12344-3edc-e800-e200-edd57322a557",
"outputs": {},
"resources": [],
"check_results": null
}
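Review bot: A `terraform.tfstate` is committed here (the `lineage` and `"serial": 113` show it is a live state file, not a template), and the section that follows, suppressed as too large to render, is presumably its populated counterpart or backup. State contains every attribute Terraform reads back, including values marked sensitive, so it must not be in git even when this particular copy has an empty `resources` list. Move these layers to a remote backend (e.g. S3 with server-side encryption and DynamoDB locking) so the `terraform_remote_state` data source in the eks layer reads that instead of `../network/terraform.tfstate`, and purge the state files from the tree.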

File diff suppressed because it is too large Load Diff


@ -0,0 +1,6 @@
aws-region = "ap-northeast-1"
aws-region-short = "apne1"
customer-name = "xpk"
environment = "lab"
project = "iac"
application = "eks"


@ -0,0 +1,6 @@
variable "aws-region" {}
variable "aws-region-short" {}
variable "customer-name" {}
variable "environment" {}
variable "project" {}
variable "application" {}


@ -0,0 +1,25 @@
# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.
provider "registry.terraform.io/hashicorp/aws" {
version = "4.55.0"
constraints = ">= 3.25.0, >= 3.75.2"
hashes = [
"h1:VHfmrKCb4oTW/+rWGKKqipoMOPd4tPxlGwMp0/Flx/s=",
"zh:0866f25575bad3b9c313cd778c94fc65e79d335af2d20a3480f79d7731d93b7b",
"zh:2c05c16155cbc054622cf83e4b6614fef35935b00b238e4c21ee225e6c896770",
"zh:2efba66649fb12af0492c6cce4e2361fe9139df648734264f61a9a1ef754df53",
"zh:3c60bb53e3b65d7f86699fae0797a55a9aa41b8ba377aaff4daf23d1661393a9",
"zh:41f6dcd90b54b623d523df8fb4a30779cfe22e9ab59516bc05b29291a7af0946",
"zh:4b8330b154e9e2d035dd5488abcac25efec1fa6055d3a70894a8c0384f0579d6",
"zh:595f263706cf1fb6b8447e2ec343638de4360841a15e6bff6ccbb0ff86c7ce74",
"zh:5dfc5b858a43cf45fde5542eb673f6104c14cdc3d73843d1b87a9e44545cbad4",
"zh:7bbe05cf30521f0110603bb84995a4025ce7810626010276600e4b402143df27",
"zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
"zh:a490e68c63504d3301d6dcb700c95778d93bb2baa6632a46c5a1d62862a7067c",
"zh:c4f9f6659148528375c8a822163925c9aae490ccce2e6301cefbbab009531971",
"zh:ef66070f957408f1c924ddfd5dbd0d34bce16efd9e36ccecbf699de72beb131f",
"zh:f7ba5e3e62a2b51b24e326797a89fdd86bafaea7d1912738d514c9903c14d7f2",
"zh:ffc20b7d9f7bd331fb6451d0fc92c68196383d7115e69380de6566cc268cb9b9",
]
}


@ -0,0 +1 @@
{"Modules":[{"Key":"","Source":"","Dir":"."},{"Key":"vpc-subnets","Source":"../../../modules/networking/vpc_subnets","Dir":"../../../modules/networking/vpc_subnets"},{"Key":"vpc-subnets.vpc-ep","Source":"../vpc-endpoints","Dir":"../../../modules/networking/vpc-endpoints"}]}


@ -0,0 +1 @@
/home/kn/.terraform.d/plugin-cache/registry.terraform.io/hashicorp/aws/4.55.0/linux_amd64


@ -0,0 +1,8 @@
# eks-lab/network
This module creates the following resources
- VPC
- Public and private subnets
- NAT gateway
A secondary CIDR range is added to the VPC. Later on in the EKS layer, EKS will be configured to use the secondary CIDR.
See https://aws.amazon.com/premiumsupport/knowledge-center/eks-multiple-cidr-ranges/


@ -0,0 +1,18 @@
data "aws_caller_identity" "this" {}
locals {
default-tags = merge({
ServiceProvider = "None"
Environment = var.environment
Project = var.project
Application = var.application
TerraformMode = "managed"
TerraformDir = "${local.path-cwd-list[length(local.path-cwd-list) - 2]}/${local.path-cwd-list[length(local.path-cwd-list) - 1]}"
CreatedBy = data.aws_caller_identity.this.arn
BuildDate = formatdate("YYYYMMDD", timestamp())
})
resource-prefix = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}"
path-cwd-list = split("/", path.cwd)
}
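Review bot: `BuildDate = formatdate("YYYYMMDD", timestamp())` inside `default-tags` is re-evaluated on every run, so each resource that receives these tags shows a tag change on every plan and is rewritten on every apply, which also buries genuine tag drift in the noise. Either drop the tag or derive it from a value that is stable after creation, such as a variable supplied by the pipeline or a `time_static` resource from the hashicorp/time provider. `TerraformDir` indexes `local.path-cwd-list` at length-2 and length-1, which presumably assumes the working directory is at least two levels deep; a one-line comment stating that expectation would help the next reader.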


@ -0,0 +1,55 @@
# Create VPC and subnets
module "vpc-subnets" {
source = "../../../modules/networking/vpc_subnets"
application = var.application
aws-region = var.aws-region
customer-name = var.customer-name
default-tags = local.default-tags
environment = var.environment
project = var.project
vpc-cidr = "192.168.123.0/24"
vpcflowlog-cwl-loggroup-key-arn = ""
number-of-private-subnets-per-az = 1
number-of-public-subnets-per-az = 1
create-nat-gateway = true
create-free-vpc-endpoints = true
enable-flow-log = false
}
# secondary CIDR for EKS
# https://aws.amazon.com/premiumsupport/knowledge-center/eks-multiple-cidr-ranges/
resource "aws_vpc_ipv4_cidr_block_association" "secondary_cidr" {
vpc_id = module.vpc-subnets.vpc_id
cidr_block = "100.64.0.0/16"
}
resource "aws_subnet" "cidr2-subnet1a" {
vpc_id = module.vpc-subnets.vpc_id
cidr_block = "100.64.0.0/21"
tags = merge(local.default-tags, {"Name" : "${local.resource-prefix}-private-1a-eks"})
}
resource "aws_route_table_association" "cidr2-subnet1a-rtb-asso" {
subnet_id = aws_subnet.cidr2-subnet1a.id
route_table_id = module.vpc-subnets.private-rtb-id
}
resource "aws_subnet" "cidr2-subnet1c" {
vpc_id = module.vpc-subnets.vpc_id
cidr_block = "100.64.8.0/21"
tags = merge(local.default-tags, {"Name" : "${local.resource-prefix}-private-1c-eks"})
}
resource "aws_route_table_association" "cidr2-subnet1c-rtb-asso" {
subnet_id = aws_subnet.cidr2-subnet1c.id
route_table_id = module.vpc-subnets.private-rtb-id
}
resource "aws_vpc_endpoint" "eks-vpcep" {
vpc_id = module.vpc-subnets.vpc_id
service_name = "com.amazonaws.${var.aws-region}.eks"
vpc_endpoint_type = "Interface"
tags = merge(local.default-tags, { "Name" : "${local.resource-prefix}-vpcep-eks" })
}
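Review bot: `aws_subnet.cidr2-subnet1a` and `aws_subnet.cidr2-subnet1c` do not set `availability_zone`, so AWS picks the zone and nothing guarantees the subnets land in 1a and 1c, or even in two different zones, despite their `Name` tags; add `availability_zone = "${var.aws-region}a"` and `availability_zone = "${var.aws-region}c"` respectively. `aws_vpc_endpoint.eks-vpcep` is an `Interface` endpoint declared without `subnet_ids`, `security_group_ids` or `private_dns_enabled`, so it appears to have no network interface in the new subnets and falls back to the VPC default security group; set `subnet_ids = [aws_subnet.cidr2-subnet1a.id, aws_subnet.cidr2-subnet1c.id]`, a dedicated security group, and `private_dns_enabled = true` so the cluster actually uses it. `enable-flow-log = false` together with an empty `vpcflowlog-cwl-loggroup-key-arn` turns off the one network-level detection source this baseline module offers; if that is a deliberate lab cost trade-off, a comment saying so belongs next to it.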


@ -0,0 +1,15 @@
output vpc-cidr {
value = module.vpc-subnets.vpc-cidr
}
output vpc-id {
value = module.vpc-subnets.vpc_id
}
output private-subnet-ids {
value = module.vpc-subnets.private-subnet-ids
}
output public-subnet-ids {
value = module.vpc-subnets.public-subnet-ids
}
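Review bot: The output labels are unquoted (`output vpc-cidr {`) while every other block in this directory quotes its labels; `terraform fmt` rewrites them to `output "vpc-cidr" {`, so quoting them now avoids a noisy reformat commit later. None of the four outputs carries a `description`, and the naming mixes the module's own `vpc_id` with hyphenated `vpc-id`; adding descriptions makes the interface readable for whichever layer consumes these values.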


@ -0,0 +1,13 @@
provider "aws" {
region = var.aws-region
}
terraform {
required_version = ">= 1.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 3.25"
}
}
}
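Review bot: The `terraform` block declares no `backend`, so state for this root module is local, which is consistent with the `.tfstate` files that appear elsewhere in this commit. The other root module in this commit (L4129-4134) already uses an S3 backend; configuring the same here with its own `key` keeps state off developer machines and out of the repository. `required_version = ">= 1.0"` with `aws` at `>= 3.25` is very loose for a root module; the state recorded for this directory was written by 1.3.7, so a minimum in that range would better reflect what has actually been exercised.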


@ -0,0 +1,16 @@
{
"version": 4,
"terraform_version": "1.3.7",
"serial": 70,
"lineage": "ee2778d9-f9d6-f368-21c3-1a1e2778fc15",
"outputs": {},
"resources": [],
"check_results": [
{
"object_kind": "resource",
"config_addr": "module.vpc-subnets.module.vpc-ep.data.aws_vpc.this-vpc",
"status": "unknown",
"objects": null
}
]
}


@ -0,0 +1,125 @@
{
"version": 4,
"terraform_version": "1.3.7",
"serial": 63,
"lineage": "ee2778d9-f9d6-f368-21c3-1a1e2778fc15",
"outputs": {},
"resources": [
{
"mode": "data",
"type": "aws_caller_identity",
"name": "this",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"account_id": "040216112220",
"arn": "arn:aws:iam::040216112220:user/ken2026",
"id": "040216112220",
"user_id": "AIDAQSXIRFROOXYISSIEQ"
},
"sensitive_attributes": []
}
]
},
{
"mode": "managed",
"type": "aws_vpc_ipv4_cidr_block_association",
"name": "secondary_cidr",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"cidr_block": "100.64.0.0/16",
"id": "vpc-cidr-assoc-023e2a1c53aa39448",
"ipv4_ipam_pool_id": null,
"ipv4_netmask_length": null,
"timeouts": null,
"vpc_id": "vpc-0ea2750f798358708"
},
"sensitive_attributes": [],
"private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjo2MDAwMDAwMDAwMDAsImRlbGV0ZSI6NjAwMDAwMDAwMDAwfX0=",
"dependencies": [
"data.aws_caller_identity.this",
"module.vpc-subnets.aws_vpc.vpc"
]
}
]
},
{
"module": "module.vpc-subnets",
"mode": "managed",
"type": "aws_vpc",
"name": "vpc",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 1,
"attributes": {
"arn": "arn:aws:ec2:ap-northeast-1:040216112220:vpc/vpc-0ea2750f798358708",
"assign_generated_ipv6_cidr_block": false,
"cidr_block": "192.168.123.0/24",
"default_network_acl_id": "acl-071f6e3e57003c3ea",
"default_route_table_id": "rtb-094b1da133f919558",
"default_security_group_id": "sg-00852e5eba267541f",
"dhcp_options_id": "dopt-090c9f839527a4c07",
"enable_classiclink": false,
"enable_classiclink_dns_support": false,
"enable_dns_hostnames": true,
"enable_dns_support": true,
"enable_network_address_usage_metrics": false,
"id": "vpc-0ea2750f798358708",
"instance_tenancy": "default",
"ipv4_ipam_pool_id": null,
"ipv4_netmask_length": null,
"ipv6_association_id": "",
"ipv6_cidr_block": "",
"ipv6_cidr_block_network_border_group": "",
"ipv6_ipam_pool_id": "",
"ipv6_netmask_length": 0,
"main_route_table_id": "rtb-094b1da133f919558",
"owner_id": "040216112220",
"tags": {
"Application": "eks",
"BuildDate": "20230217",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "lab",
"Name": "lab-ap-xpk-iac-vpc",
"Project": "iac",
"ServiceProvider": "None",
"TerraformDir": "eks-lab/network",
"TerraformMode": "managed"
},
"tags_all": {
"Application": "eks",
"BuildDate": "20230217",
"CreatedBy": "arn:aws:iam::040216112220:user/ken2026",
"Environment": "lab",
"Name": "lab-ap-xpk-iac-vpc",
"Project": "iac",
"ServiceProvider": "None",
"TerraformDir": "eks-lab/network",
"TerraformMode": "managed"
}
},
"sensitive_attributes": [],
"private": "eyJzY2hlbWFfdmVyc2lvbiI6IjEifQ==",
"dependencies": [
"data.aws_caller_identity.this"
],
"create_before_destroy": true
}
]
}
],
"check_results": [
{
"object_kind": "resource",
"config_addr": "module.vpc-subnets.module.vpc-ep.data.aws_vpc.this-vpc",
"status": "unknown",
"objects": null
}
]
}


@ -0,0 +1,6 @@
aws-region = "ap-northeast-1"
aws-region-short = "apne1"
customer-name = "xpk"
environment = "lab"
project = "iac"
application = "eks"


@ -0,0 +1,6 @@
variable "aws-region" {}
variable "aws-region-short" {}
variable "customer-name" {}
variable "environment" {}
variable "project" {}
variable "application" {}


@ -0,0 +1,15 @@
# eks-managed-nodegroup
Create EKS cluster using managed nodegroup. Then performed EKS control plane upgrades.
## Versions and upgrade notes
Based on 1-4 t3.medium worker node with no app pods
| eks-ver | coredns | kube-proxy | vpc-cni | AMI-version | upgrade notes |
|---------|--------------------|---------------------|--------------------|------------------|---------------------------------------------------------------------|
| 1.25 | v1.9.3-eksbuild.10 | v1.25.16-eksbuild.1 | v1.15.4-eksbuild.1 | 1.25.15-20231201 | N/A |
| 1.26 | v1.9.3-eksbuild.10 | v1.26.11-eksbuild.1 | v1.15.4-eksbuild.1 | 1.26.10-20231201 | from 1.25, set cluster_version = "1.26". nodes are recreated. 23min |
| 1.27 | v1.10.1-eksbuild.6 | v1.27.6-eksbuild.2 | v1.15.4-eksbuild.1 | 1.27.7-20231201 | from 1.26, set cluster_version = "1.27". nodes are recreated. 16min |
| 1.28 | v1.10.1-eksbuild.6 | v1.28.4-eksbuild.1 | v1.15.4-eksbuild.1 | 1.28.3-20231201 | from 1.27, set cluster_version = "1.28". nodes are recreated. 26min |
## References
https://repost.aws/knowledge-center/eks-plan-upgrade-cluster


@ -0,0 +1,78 @@
module "bastion" {
source = "terraform-aws-modules/ec2-instance/aws"
version = "5.5.0"
name = "lab-ken2026-eks-bastion"
instance_type = "t3.micro"
ami = data.aws_ami.this.id
ignore_ami_changes = true
subnet_id = var.subnet_ids[0]
vpc_security_group_ids = [module.sg.id, module.eks.cluster_primary_security_group_id]
create_iam_instance_profile = true
iam_role_description = "IAM role for EC2 instance"
iam_role_policies = {
SSMManagedInstanceCore = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
CloudwatchAgent = "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
Admin = "arn:aws:iam::aws:policy/AdministratorAccess"
}
key_name = "kf-key"
ebs_optimized = true
root_block_device = [
{
encrypted = true
volume_type = "gp3"
volume_size = 10
},
]
volume_tags = data.aws_default_tags.this.tags
# IMDSv2 requirement
metadata_options = {
http_endpoint = "enabled"
http_tokens = "required"
http_put_response_hop_limit = 2
}
user_data = <<EOF
#!/bin/bash
curl -LO https://storage.googleapis.com/kubernetes-release/release/`curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt`/bin/linux/amd64/kubectl
chmod 755 kubectl
mv kubectl /usr/local/bin/
EOF
}
module "sg" {
source = "../../modules/compute/security_group"
description = "Security group for web server"
egress = {
r1 = "tcp,0,65535,0.0.0.0/0,Allow outbound tcp traffic"
r2 = "udp,0,65535,0.0.0.0/0,Allow outbound udp traffic"
r3 = "icmp,0,-1,0.0.0.0/0,Allow icmp echo reply"
}
ingress = {
r1 = "icmp,8,-1,0.0.0.0/0,Allow ICMP traffic"
}
name = "lab-ken2026-eks-bastion-sg"
vpc-id = var.vpc_id
}
data "aws_default_tags" "this" {}
data "aws_ami" "this" {
most_recent = true
name_regex = "al2023-ami-202.*"
filter {
name = "virtualization-type"
values = ["hvm"]
}
filter {
name = "root-device-type"
values = ["ebs"]
}
filter {
name = "architecture"
values = ["x86_64"]
}
owners = ["910595266909"] # AWS
}
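Review bot: The bastion instance profile is granted `AdministratorAccess` (the `Admin` entry in `iam_role_policies`), so any session on the instance, including the SSM sessions the first policy enables, holds full account permissions. Replace it with the permissions the bastion actually needs for cluster access (typically `eks:DescribeCluster` plus a mapping of the role into the cluster's access configuration) and keep managed admin policies off instance roles. The `user_data` script pulls whatever `stable.txt` currently points at from the legacy `storage.googleapis.com/kubernetes-release` bucket with no version pin or checksum; pin the version and verify the published sha256 from `dl.k8s.io` before moving the binary into `/usr/local/bin`. The security group `description = "Security group for web server"` looks copied from another module and should describe the bastion, and the hard-coded `lab-ken2026-eks-bastion` names bypass the `local.resource-prefix` convention used elsewhere in this directory.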


@ -0,0 +1,3 @@
locals {
resource-prefix = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}"
}


@ -0,0 +1,189 @@
provider "kubernetes" {
host = module.eks.cluster_endpoint
cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)
exec {
api_version = "client.authentication.k8s.io/v1beta1"
command = "aws"
# This requires the awscli to be installed locally where Terraform is executed
args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name]
}
}
module "eks" {
source = "terraform-aws-modules/eks/aws"
version = "19.21.0"
cluster_name = "lab-ken2026-eks01"
cluster_endpoint_public_access = true
cluster_version = "1.27"
cluster_addons = {
coredns = {
preserve = true
most_recent = true
timeouts = {
create = "25m"
delete = "10m"
}
}
kube-proxy = {
most_recent = true
}
vpc-cni = {
most_recent = true
}
}
create_kms_key = false
cluster_encryption_config = {
resources = ["secrets"]
provider_key_arn = module.kms.key_arn
}
iam_role_additional_policies = {
additional = aws_iam_policy.additional.arn
}
vpc_id = var.vpc_id
subnet_ids = var.subnet_ids
control_plane_subnet_ids = var.control_plane_subnet_ids
# Extend cluster security group rules
cluster_security_group_additional_rules = {
ingress_nodes_ephemeral_ports_tcp = {
description = "Nodes on ephemeral ports"
protocol = "tcp"
from_port = 1025
to_port = 65535
type = "ingress"
source_node_security_group = true
}
# Test: https://github.com/terraform-aws-modules/terraform-aws-eks/pull/2319
ingress_source_security_group_id = {
description = "Ingress from another computed security group"
protocol = "tcp"
from_port = 22
to_port = 22
type = "ingress"
source_security_group_id = aws_security_group.additional.id
}
}
# requires terraform be ran inside VPC
# manage_aws_auth_configmap = true
#
# aws_auth_roles = [
# {
# rolearn = module.eks_managed_node_group.iam_role_arn
# username = "system:node:{{EC2PrivateDNSName}}"
# groups = [
# "system:bootstrappers",
# "system:nodes",
# ]
# },
# {
# rolearn = "arn:aws:iam::040216112220:role/rackLE"
# username = "rackLE"
# groups = ["system:masters"]
# }
# ]
#
# aws_auth_users = [
# {
# userarn = var.eks_master_user_arn
# username = "eksmaster"
# groups = ["system:masters"]
# }
# ]
#
# aws_auth_accounts = [
# data.aws_caller_identity.current.account_id
# ]
}
module "eks_managed_node_group" {
source = "terraform-aws-modules/eks/aws//modules/eks-managed-node-group"
version = "19.21.0"
name = "eks-mng"
cluster_name = module.eks.cluster_name
cluster_version = module.eks.cluster_version
subnet_ids = var.subnet_ids
cluster_primary_security_group_id = module.eks.cluster_primary_security_group_id
vpc_security_group_ids = [
module.eks.cluster_security_group_id,
aws_security_group.additional.id
]
ami_type = "AL2_x86_64"
instance_types = ["t3.medium"]
iam_role_additional_policies = {
SsmInstanceCore = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}
# this will get added to what AWS provides
bootstrap_extra_args = <<-EOT
# extra args added
[settings.kernel]
lockdown = "integrity"
[settings.kubernetes.node-labels]
"label1" = "foo"
"label2" = "bar"
EOT
min_size = 0
desired_size = 1
max_size = 2
}
module "kms" {
source = "terraform-aws-modules/kms/aws"
version = "~> 1.5"
aliases = ["eks/${local.resource-prefix}"]
description = "${local.resource-prefix} cluster encryption key"
enable_default_policy = true
key_owners = [data.aws_caller_identity.current.arn]
}
resource "aws_security_group" "additional" {
name_prefix = "${local.resource-prefix}-sg"
vpc_id = var.vpc_id
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = [
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16",
]
}
}
resource "aws_iam_policy" "additional" {
name = "${local.resource-prefix}-policy"
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = [
"ec2:Describe*",
]
Effect = "Allow"
Resource = "*"
},
]
})
}
data "aws_caller_identity" "current" {}
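Review bot: `cluster_endpoint_public_access = true` is set without `cluster_endpoint_public_access_cidrs`, so the module default leaves the API server endpoint reachable from any network (authentication is still enforced, but the endpoint is exposed to the whole internet); restrict it with `cluster_endpoint_public_access_cidrs = ["<office or VPN CIDR>"]` or enable `cluster_endpoint_private_access = true` and keep public access off. `bootstrap_extra_args` in `eks_managed_node_group` contains Bottlerocket TOML (`[settings.kernel]`, `[settings.kubernetes.node-labels]`) while `ami_type = "AL2_x86_64"`; on AL2 that value is passed as shell arguments to `bootstrap.sh`, so the kernel lockdown and node labels most likely never take effect — either switch to a Bottlerocket `ami_type` or express the labels as `--kubelet-extra-args '--node-labels=label1=foo,label2=bar'`. `aws_security_group.additional` declares no `description`, and the commented-out `aws_auth_*` block above it leaves undocumented how the node group role from `module.eks_managed_node_group` is mapped into the cluster; a short comment describing the out-of-band step would save the next maintainer a failed node join.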


@ -0,0 +1,30 @@
provider "aws" {
region = var.aws-region
default_tags {
tags = {
ServiceProvider = "RackspaceTechnology"
Environment = var.environment
Project = var.project
Application = var.application
TerraformMode = "managed"
TerraformDir = "${reverse(split("/", path.cwd))[1]}/${reverse(split("/", path.cwd))[0]}"
}
}
}
terraform {
required_version = ">= 1.3.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 5.0"
}
}
backend "s3" {
bucket = "lab-ken2026-tf-state"
key = "experimental/eks-upgrade-test.tfstate"
region = "ap-east-1"
encrypt = true
}
}
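Review bot: The S3 backend sets `encrypt = true` but no `dynamodb_table`, so there is no state locking and two concurrent applies against `experimental/eks-upgrade-test.tfstate` can corrupt the state; add `dynamodb_table = "<lock table name>"` (or `use_lockfile = true` on Terraform/OpenTofu versions that support S3-native locking). The backend `region = "ap-east-1"` differs from the provider region taken from `var.aws-region`, which is fine if intentional but deserves a one-line comment so nobody "fixes" it. `ServiceProvider = "RackspaceTechnology"` here diverges from the `"None"` used in the other root module's default tags (L3576), so the same tag carries different meanings across the repository.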

