# Outputs of the network stack (vpc-id, vpc-cidr, private/public subnet ids)
# are read from its local state file. A local backend means the state lives
# unencrypted on the operator's disk; keep it out of version control.
data "terraform_remote_state" "vpc" {
  backend = "local"
  config = {
    path = "../network/terraform.tfstate"
  }
}

# Control-plane role: trusts only the EKS service principal and carries the
# two AWS-managed policies EKS needs to manage the cluster and ENIs.
resource "aws_iam_role" "eks-cluster-role" {
  name = "${local.resource-prefix}-cluster-role"
  assume_role_policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Effect" : "Allow",
        "Principal" : {
          "Service" : "eks.amazonaws.com"
        },
        "Action" : "sts:AssumeRole"
      }
    ]
  })
  managed_policy_arns = ["arn:aws:iam::aws:policy/AmazonEKSClusterPolicy", "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController"]
  tags                = local.default-tags
}

# EKS control plane. The API endpoint is private-only, so kubectl access has to
# come from inside the VPC (the bastion below) or over a VPN/peering link.
resource "aws_eks_cluster" "eks-cluster" {
  name     = "${local.resource-prefix}-cluster01"
  role_arn = aws_iam_role.eks-cluster-role.arn
  vpc_config {
    subnet_ids              = data.terraform_remote_state.vpc.outputs.private-subnet-ids
    endpoint_private_access = true
    endpoint_public_access  = false
  }
  # Only API-server and audit logs are shipped to CloudWatch.
  # NOTE(review): "authenticator" is not enabled, so IAM-to-RBAC mapping
  # failures are not logged; consider adding it if that is needed for IR.
  enabled_cluster_log_types = ["api", "audit"]
  kubernetes_network_config {
    # Service CIDR must not overlap the VPC CIDR read from remote state;
    # nothing here checks that, so verify against the network stack.
    service_ipv4_cidr = "172.16.0.0/16"
    ip_family         = "ipv4"
  }
  # NOTE(review): no encryption_config block, so Kubernetes secrets rely on
  # EKS default at-rest encryption rather than a customer-managed KMS key.
  tags = local.default-tags
}

# Managed add-ons, one resource per map key. The versions in the map are
# informational only while addon_version stays commented out, in which case
# the provider installs the default version for the cluster's Kubernetes
# version.
resource "aws_eks_addon" "eks-addons" {
  # for_each = toset(["vpc-cni", "coredns", "kube-proxy", "aws-ebs-csi-driver"])
  # latest version as on 2023-02-17 failed to deploy
  for_each = {
    "aws-ebs-csi-driver" : { "version" : "v1.15.0-eksbuild.1" },
    "vpc-cni" : { "version" : "v1.12.2-eksbuild.1" },
    "coredns" : { "version" : "v1.9.3-eksbuild.2" },
    "kube-proxy" : { "version" : "v1.24.9-eksbuild.2" }
  }
  cluster_name = aws_eks_cluster.eks-cluster.name
  addon_name   = each.key
  # addon_version = each.value["version"]
  # NOTE(review): no service_account_role_arn is set; the EBS CSI driver is
  # presumably falling back to the node role's permissions — confirm this is
  # intended rather than giving it a dedicated IRSA role.
  tags = local.default-tags
}

# Worker-node role: trusted by EC2; CNI and ECR-read policies are attached at
# the node level, so every pod on a node inherits them unless IRSA is used.
resource "aws_iam_role" "eks-nodegroup-role" {
  name = "${local.resource-prefix}-nodegroup-role"
  assume_role_policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Effect" : "Allow",
        "Principal" : {
          "Service" : "ec2.amazonaws.com"
        },
        "Action" : "sts:AssumeRole"
      }
    ]
  })
  managed_policy_arns = [
    "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
    "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
    "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
    "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
  ]
  tags = local.default-tags
}

# Recommended EKS-optimized AL2 AMI release for the cluster's Kubernetes
# version, published by AWS as a public SSM parameter.
data "aws_ssm_parameter" "eks_ami_release_version" {
  name = "/aws/service/eks/optimized-ami/${aws_eks_cluster.eks-cluster.version}/amazon-linux-2/recommended/release_version"
}

# manually generate the key: ssh-keygen -ted25519 -f eks-node-sshkey
# file() can only read pre-existing file
# Only the public half is read here; the private key never enters state.
# This one key pair is reused for both the worker nodes and the bastion
# (see aws_instance.eks-bast), so compromise of either exposes both.
resource "aws_key_pair" "eks-node-sshkey" {
  key_name   = "${local.resource-prefix}-eks-node-sshkey"
  public_key = file("${path.module}/eks-node-sshkey.pub")
}

# Node SSH security group: port 22 from anywhere inside the VPC CIDR,
# unrestricted egress.
resource "aws_security_group" "eks-node-sg" {
  name        = "${local.resource-prefix}-eks-node-sg"
  description = "Allow ssh to EKS nodes"
  vpc_id      = data.terraform_remote_state.vpc.outputs.vpc-id
  ingress {
    description = "SSH from VPC"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [data.terraform_remote_state.vpc.outputs.vpc-cidr]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
  tags = local.default-tags
}

# Managed node group in the private subnets. remote_access opens SSH on the
# nodes with the shared key above, gated by eks-node-sg.
resource "aws_eks_node_group" "eks-nodegroup" {
  cluster_name           = aws_eks_cluster.eks-cluster.name
  node_group_name_prefix = "${local.resource-prefix}-eks-ng"
  node_role_arn          = aws_iam_role.eks-nodegroup-role.arn
  subnet_ids             = data.terraform_remote_state.vpc.outputs.private-subnet-ids
  version                = aws_eks_cluster.eks-cluster.version
  # The SSM parameter value is marked sensitive by the provider; nonsensitive()
  # unwraps it so the AMI release can appear in plan output.
  release_version = nonsensitive(data.aws_ssm_parameter.eks_ami_release_version.value)
  instance_types  = ["t3.small"]
  scaling_config {
    desired_size = 1
    max_size     = 2
    min_size     = 1
  }
  update_config {
    max_unavailable = 1
  }
  remote_access {
    ec2_ssh_key               = aws_key_pair.eks-node-sshkey.key_name
    source_security_group_ids = [aws_security_group.eks-node-sg.id]
  }
  tags = local.default-tags
}

# ec2 instance for EKS management
# Newest Canonical Ubuntu HVM image. The owner is pinned to Canonical's
# account, which prevents a look-alike AMI name from being selected; the
# wildcard still floats across Ubuntu releases, so the AMI can change between
# applies.
data "aws_ami" "ubuntu" {
  most_recent = true
  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-*-amd64-server-*"]
  }
  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }
  owners = ["099720109477"] # Canonical
}

# Bastion security group: SSH from a single hard-coded public /32.
# The ingress description ("SSH from VPC") is stale — the rule admits one
# external address, not the VPC. Consider sourcing the CIDR from a variable
# so the admin IP does not live in the module text.
resource "aws_security_group" "eks-bast-sg" {
  name        = "${local.resource-prefix}-eks-bast-sg"
  description = "Allow ssh to EKS bast"
  vpc_id      = data.terraform_remote_state.vpc.outputs.vpc-id
  ingress {
    description = "SSH from VPC"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["223.18.148.85/32"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
  tags = local.default-tags
}

# Bastion instance role. The inline policy grants every eks:* and ecr:* action
# on every resource, and ReadOnlyAccess adds account-wide read on top.
# NOTE(review): this is far broader than running kubectl needs; scoping
# eks:DescribeCluster to this cluster's ARN and limiting ecr:* to the
# repositories actually used would shrink the blast radius of a bastion
# compromise.
resource "aws_iam_role" "eks-bast-role" {
  name = "${local.resource-prefix}-bast-role"
  assume_role_policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Effect" : "Allow",
        "Principal" : {
          "Service" : "ec2.amazonaws.com"
        },
        "Action" : "sts:AssumeRole"
      }
    ]
  })
  inline_policy {
    name = "eks-bast-policy"
    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          Action   = ["eks:*", "ecr:*"]
          Effect   = "Allow"
          Resource = "*"
        },
      ]
    })
  }
  managed_policy_arns = ["arn:aws:iam::aws:policy/ReadOnlyAccess"]
  tags                = local.default-tags
}

# Instance profile wrapping the bastion role. The name is fixed rather than
# prefixed with local.resource-prefix, so two deployments in one account
# would collide.
resource "aws_iam_instance_profile" "eks-bast-iam-profile" {
  name = "eksBastIamProfile"
  role = aws_iam_role.eks-bast-role.name
}

# Bastion: public IP in the first public subnet, member of both its own SG and
# the cluster security group so it can reach the private API endpoint.
# NOTE(review): root_block_device sets no "encrypted" flag and there is no
# metadata_options block, so IMDSv2 is not enforced on an instance whose role
# holds the broad policy above — confirm whether account defaults cover this.
resource "aws_instance" "eks-bast" {
  ami                         = data.aws_ami.ubuntu.id
  instance_type               = "t3.micro"
  associate_public_ip_address = true
  ebs_optimized               = true
  key_name                    = aws_key_pair.eks-node-sshkey.key_name
  vpc_security_group_ids      = [aws_security_group.eks-bast-sg.id, aws_eks_cluster.eks-cluster.vpc_config[0].cluster_security_group_id]
  subnet_id                   = data.terraform_remote_state.vpc.outputs.public-subnet-ids[0]
  iam_instance_profile        = aws_iam_instance_profile.eks-bast-iam-profile.name
  root_block_device {
    volume_size = 8
    volume_type = "gp3"
    tags        = local.default-tags
  }
  tags = merge(local.default-tags, { "Name" : "${local.resource-prefix}-eks-bast" })
  user_data = <