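# Kubernetes provider authenticated against the EKS cluster created below.
# Credentials come from a short-lived token minted by `aws eks get-token`
# at plan/apply time, so no long-lived kubeconfig secret is written to disk.
provider "kubernetes" {
  host                   = module.eks.cluster_endpoint
  cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)

  exec {
    api_version = "client.authentication.k8s.io/v1beta1"
    command     = "aws"
    # This requires the awscli to be installed locally where Terraform is executed
    args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name]
  }
}

# EKS control plane. Worker nodes are created separately by the
# eks_managed_node_group submodule below; the KMS key used for envelope
# encryption of Secrets comes from module.kms.
module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "19.21.0"

  cluster_name    = "lab-ken2026-eks01"
  cluster_version = "1.27"

  # Private access is the module default in v19 but is spelled out so the
  # intent (nodes and in-VPC tooling talk to the API over private ENIs) is
  # visible next to the public toggle.
  cluster_endpoint_private_access = true

  # NOTE(review): with public access enabled and no
  # `cluster_endpoint_public_access_cidrs`, the module falls back to its
  # default allow-list of 0.0.0.0/0, i.e. the API server is reachable from the
  # whole internet (IAM/RBAC still gate requests). Restrict it to the ranges
  # Terraform and operators actually egress from, e.g.
  #   cluster_endpoint_public_access_cidrs = ["203.0.113.0/24"]
  # or set this to false and run Terraform from inside the VPC.
  cluster_endpoint_public_access = true

  cluster_addons = {
    coredns = {
      preserve    = true
      most_recent = true

      timeouts = {
        create = "25m"
        delete = "10m"
      }
    }
    kube-proxy = {
      most_recent = true
    }
    vpc-cni = {
      most_recent = true
    }
  }

  # Secrets at rest are envelope-encrypted with a customer-managed key that
  # is owned by the kms module rather than created inline here.
  create_kms_key = false
  cluster_encryption_config = {
    resources        = ["secrets"]
    provider_key_arn = module.kms.key_arn
  }

  # Extra policy attached to the *cluster* (control plane) IAM role.
  iam_role_additional_policies = {
    additional = aws_iam_policy.additional.arn
  }

  vpc_id                   = var.vpc_id
  subnet_ids               = var.subnet_ids
  control_plane_subnet_ids = var.control_plane_subnet_ids

  # Extend cluster security group rules
  cluster_security_group_additional_rules = {
    # `source_node_security_group = true` resolves to the node security group
    # this module creates; the node group below is attached to that same
    # group (module.eks.node_security_group_id) so the rule is effective.
    ingress_nodes_ephemeral_ports_tcp = {
      description                = "Nodes on ephemeral ports"
      protocol                   = "tcp"
      from_port                  = 1025
      to_port                    = 65535
      type                       = "ingress"
      source_node_security_group = true
    }

    # Test: https://github.com/terraform-aws-modules/terraform-aws-eks/pull/2319
    # NOTE(review): this opens TCP/22 on the *cluster* security group, which
    # sits on control-plane ENIs where nothing listens on SSH. It only exists
    # to exercise the computed-security-group-id path from the PR above; drop
    # it once that test is no longer needed.
    ingress_source_security_group_id = {
      description              = "Ingress from another computed security group"
      protocol                 = "tcp"
      from_port                = 22
      to_port                  = 22
      type                     = "ingress"
      source_security_group_id = aws_security_group.additional.id
    }
  }

  # aws-auth management is left disabled. EKS adds the managed node group's
  # IAM role to aws-auth itself, so nodes join without this block; it is only
  # needed to map additional roles/users.
  # NOTE(review): the earlier "requires terraform be ran inside VPC" caveat
  # applied to a private-only endpoint; with public access enabled above the
  # kubernetes provider can reach the API from outside the VPC. If this is
  # re-enabled, prefer a narrower group than `system:masters` for day-to-day
  # roles and avoid hard-coding account IDs (use data.aws_caller_identity).
  # manage_aws_auth_configmap = true
  #
  # aws_auth_roles = [
  #   {
  #     rolearn  = module.eks_managed_node_group.iam_role_arn
  #     username = "system:node:{{EC2PrivateDNSName}}"
  #     groups = [
  #       "system:bootstrappers",
  #       "system:nodes",
  #     ]
  #   },
  #   {
  #     rolearn  = "arn:aws:iam::040216112220:role/rackLE"
  #     username = "rackLE"
  #     groups   = ["system:masters"]
  #   }
  # ]
  #
  # aws_auth_users = [
  #   {
  #     userarn  = var.eks_master_user_arn
  #     username = "eksmaster"
  #     groups   = ["system:masters"]
  #   }
  # ]
  #
  # aws_auth_accounts = [
  #   data.aws_caller_identity.current.account_id
  # ]
}

# Worker nodes, created directly from the submodule rather than via the root
# module's `eks_managed_node_groups` map.
module "eks_managed_node_group" {
  source  = "terraform-aws-modules/eks/aws//modules/eks-managed-node-group"
  version = "19.21.0"

  name            = "eks-mng"
  cluster_name    = module.eks.cluster_name
  cluster_version = module.eks.cluster_version

  subnet_ids = var.subnet_ids

  cluster_primary_security_group_id = module.eks.cluster_primary_security_group_id
  # Attach the module-created *node* security group (not the cluster/control
  # plane group): that is the group the `source_node_security_group = true`
  # rule on the cluster SG refers to, and it keeps control-plane rules from
  # being inherited by worker ENIs.
  vpc_security_group_ids = [
    module.eks.node_security_group_id,
    aws_security_group.additional.id
  ]

  # The bootstrap_extra_args below are Bottlerocket TOML settings. On an AL2
  # AMI they would be passed to /etc/eks/bootstrap.sh as shell flags (or, for
  # a managed node group with the AWS AMI, silently dropped), so the kernel
  # lockdown and node labels would never take effect. Use Bottlerocket so the
  # settings actually apply.
  platform = "bottlerocket"
  ami_type = "BOTTLEROCKET_x86_64"

  instance_types = ["t3.medium"]

  # Session Manager access to nodes; preferred over opening SSH.
  iam_role_additional_policies = {
    SsmInstanceCore = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
  }

  # this will get added to what AWS provides
  # `lockdown = "integrity"` blocks runtime modification of the kernel
  # (unsigned modules, /dev/mem, kexec of unsigned images).
  bootstrap_extra_args = <<-EOT
    # extra args added
    [settings.kernel]
    lockdown = "integrity"

    [settings.kubernetes.node-labels]
    "label1" = "foo"
    "label2" = "bar"
  EOT

  min_size     = 0
  desired_size = 1
  max_size     = 2
}

# Customer-managed KMS key used for EKS Secrets encryption.
module "kms" {
  source  = "terraform-aws-modules/kms/aws"
  version = "~> 1.5"

  aliases     = ["eks/${local.resource-prefix}"]
  description = "${local.resource-prefix} cluster encryption key"

  # Default policy grants the account root full access so IAM policies (e.g.
  # the cluster role's encryption policy attached by module.eks) can use the
  # key.
  enable_default_policy = true
  # NOTE(review): if Terraform runs under an assumed role, this is a session
  # ARN (…:assumed-role/Role/session); KMS stores it as a unique principal ID
  # that stops matching once the session ends. Prefer a stable role ARN here.
  key_owners = [data.aws_caller_identity.current.arn]
}

# Extra node security group. No `egress` block is declared, so Terraform
# removes the AWS default allow-all egress from this group; node egress is
# currently supplied by the cluster primary security group instead.
resource "aws_security_group" "additional" {
  name_prefix = "${local.resource-prefix}-sg"
  vpc_id      = var.vpc_id

  # NOTE(review): SSH from every RFC1918 range is broad, and with
  # AmazonSSMManagedInstanceCore on the node role Session Manager already
  # provides shell access; consider narrowing to a bastion/VPN CIDR or
  # removing this rule. On Bottlerocket SSH is only available via the admin
  # container, so this rule is largely inert until that is enabled.
  ingress {
    from_port = 22
    to_port   = 22
    protocol  = "tcp"
    cidr_blocks = [
      "10.0.0.0/8",
      "172.16.0.0/12",
      "192.168.0.0/16",
    ]
  }
}

# Read-only EC2 describe permissions added to the cluster IAM role.
# `ec2:Describe*` supports no resource-level restrictions, so `*` is the only
# valid Resource here.
resource "aws_iam_policy" "additional" {
  name = "${local.resource-prefix}-policy"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "ec2:Describe*",
        ]
        Effect   = "Allow"
        Resource = "*"
      },
    ]
  })
}

data "aws_caller_identity" "current" {}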