-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy patheks.tf
227 lines (201 loc) · 7.08 KB
/
eks.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
# aws eks --region "eu-central-1" update-kubeconfig --name "personal-website-eks-cluster-0"
# ssh beachten: default user of amazon-eks-optimized-ami: ec2-user
# eks plattform version is listed in webconsole (here eks.3)
# traditional, general and recommended architecture see work-file at the end
# https://docs.google.com/document/d/1DTcB9U96oek2tyPTgPJWxOWZ1kEjzKMjrBzd7PYh-HM/edit?usp=sharing
# (here not realized)
output "cluster_name" {
description = "Kubernetes Cluster Name"
value = var.cluster_name
}
#subnets
# general
# The instances in the public subnet can send outbound traffic directly to the Internet, whereas the instances
# in the private subnet can't. Instead, the instances in the private subnet can access the Internet by using a network address
# translation (NAT) gateway that resides in the public subnet. The database servers can connect to the Internet for software updates
# using the NAT gateway, but the Internet cannot establish connections to the database servers.
# tags are important, see
# https://aws.amazon.com/premiumsupport/knowledge-center/eks-vpc-subnet-discovery/
# https://github.com/kubernetes/kubernetes/issues/29298#issuecomment-356826381
resource "aws_subnet" "eks_subnet_0" {
vpc_id = aws_vpc.vpc_dev_main.id
cidr_block = "10.0.1.0/24"
availability_zone = "${var.region}${var.availability-zone}"
map_public_ip_on_launch = true
tags = {
"kubernetes.io/cluster/${var.cluster_name}" = "shared"
"kubernetes.io/role/elb" = "1"
}
}
resource "aws_route_table_association" "rt-association_eks_subnet_0" {
subnet_id = aws_subnet.eks_subnet_0.id
route_table_id = aws_route_table.rt_public_dev_main.id
}
resource "aws_subnet" "eks_subnet_1" {
vpc_id = aws_vpc.vpc_dev_main.id
cidr_block = "10.0.2.0/24"
availability_zone = "${var.region}${var.availability-zone_second}"
map_public_ip_on_launch = true
tags = {
"kubernetes.io/cluster/${var.cluster_name}" = "shared"
"kubernetes.io/role/elb" = "1"
}
}
resource "aws_route_table_association" "rt-association_private_subnet_eks_2_dev_main" {
subnet_id = aws_subnet.eks_subnet_1.id
route_table_id = aws_route_table.rt_public_dev_main.id
}
# control plane
resource "aws_iam_role" "eks_iam_role_assume_role" {
name = "eks_iam_role_assume_role"
assume_role_policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "eks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
POLICY
}
## main-role policy-attachments
resource "aws_iam_role_policy_attachment" "eks_cluster_policy" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
role = aws_iam_role.eks_iam_role_assume_role.name
}
resource "aws_iam_role_policy_attachment" "eks_service_policy" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEKSServicePolicy"
role = aws_iam_role.eks_iam_role_assume_role.name
}
# This security group controls networking access to the Kubernetes masters.
# Needs to be configured also with an ingress rule to allow traffic from the worker nodes.
resource "aws_security_group" "eks_sg_control_plan_0" {
name = "eks_sg_control_plan_0"
description = "Allow communication between control plane and workers"
vpc_id = aws_vpc.vpc_dev_main.id
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
ingress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = [
"10.0.0.0/16",
"172.16.0.0/12",
"192.168.0.0/16",
]
}
}
## create control plane
resource "aws_eks_cluster" "eks_control_plane" {
name = var.cluster_name
role_arn = aws_iam_role.eks_iam_role_assume_role.arn
vpc_config {
security_group_ids = [aws_security_group.eks_sg_control_plan_0.id]
subnet_ids = [aws_subnet.eks_subnet_0.id, aws_subnet.eks_subnet_1.id]
# kubectl is accessable from outside
# this is the default setting
endpoint_private_access = false
endpoint_public_access = true
}
depends_on = [
aws_iam_role_policy_attachment.eks_cluster_policy,
aws_iam_role_policy_attachment.eks_service_policy,
]
tags = {
Name = "eks_control_plane"
environment = var.env
}
}
# worker node setup
## worker worker-nodes-main-role
resource "aws_iam_role" "eks_iam_role_0" {
name = "eks_iam_role_0"
assume_role_policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
POLICY
}
## policies for worker-nodes-main-role
resource "aws_iam_role_policy_attachment" "eks_worker_node_policy" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
role = aws_iam_role.eks_iam_role_0.name
}
resource "aws_iam_role_policy_attachment" "eks_cni_policy" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
role = aws_iam_role.eks_iam_role_0.name
}
resource "aws_iam_role_policy_attachment" "eks_ec2_container_registry_readonly_policy" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
role = aws_iam_role.eks_iam_role_0.name
}
resource "aws_iam_role_policy_attachment" "eks_ec2_full_access_policy" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
role = aws_iam_role.eks_iam_role_0.name
}
# resource "aws_iam_role_policy_attachment" "main-node-alb-ingress_policy" {
# policy_arn = aws_iam_policy.alb-ingress.arn
# role = aws_iam_role.eks_iam_role_0.name
# }
# This security group controls networking access to the Kubernetes worker nodes.
resource "aws_security_group" "eks_sg_internode_communication_0" {
name = "eks_sg_nodes_0"
description = "allow nodes to communicate with each other"
vpc_id = aws_vpc.vpc_dev_main.id
egress {
from_port = 0
to_port = 0
protocol = "-1"
description = "allow nodes to communicate with each other"
cidr_blocks = ["0.0.0.0/0"]
}
}
resource "aws_eks_node_group" "eks_nodegroup_0" {
cluster_name = var.cluster_name
node_group_name = "eks-node-group-0"
node_role_arn = aws_iam_role.eks_iam_role_0.arn
subnet_ids = [aws_subnet.eks_subnet_0.id, aws_subnet.eks_subnet_1.id]
ami_type = "AL2_x86_64"
disk_size = "20"
# a = amd
instance_types = ["m5a.large"]
# ssh is open to the internet -> see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_node_group
# remote_access {
# ec2_ssh_key = aws_key_pair.ssh.key_name
# }
scaling_config {
desired_size = 1
max_size = 1
min_size = 1
}
tags = {
Name = "eks_nodegroup_0"
environment = var.env
}
depends_on = [
aws_eks_cluster.eks_control_plane,
aws_iam_role_policy_attachment.eks_worker_node_policy,
aws_iam_role_policy_attachment.eks_cni_policy,
aws_iam_role_policy_attachment.eks_ec2_container_registry_readonly_policy,
aws_iam_role_policy_attachment.eks_ec2_full_access_policy,
]
}