1 parent
6c6d63e
commit d2384c8
Showing
14 changed files
with
272 additions
and
216 deletions.
This file was deleted.
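--- /dev/null
+++ b/PATH_NOT_ON_PAGE_1
@@ -0,0 +1,65 @@
+resource "aws_iam_role" "eks-cluster" {
+name = "eks-cluster"
+assume_role_policy = <<POLICY
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Principal": {
+"Service": "eks.amazonaws.com"
+},
+"Action": "sts:AssumeRole"
+}
+]
+}
+POLICY
+}
+
+resource "aws_iam_role_policy_attachment" "eks-cluster-AmazonEKSClusterPolicy" {
+policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
+role = "${aws_iam_role.eks-cluster.name}"
+}
+
+resource "aws_iam_role_policy_attachment" "eks-cluster-AmazonEKSServicePolicy" {
+policy_arn = "arn:aws:iam::aws:policy/AmazonEKSServicePolicy"
+role = "${aws_iam_role.eks-cluster.name}"
+}
+
+resource "aws_security_group" "eks-cluster" {
+name = "eks-cluster"
+description = "Cluster communication with worker nodes"
+vpc_id = "${aws_vpc.eks.id}"
+egress {
+from_port = 0
+to_port = 0
+protocol = "-1"
+cidr_blocks = ["0.0.0.0/0"]
+}
+tags = {
+Name = "eks-cluster"
+}
+}
+
+resource "aws_security_group_rule" "eks-cluster-ingress-node-https" {
+description = "Allow pods to communicate with the cluster API Server"
+from_port = 443
+protocol = "tcp"
+security_group_id = "${aws_security_group.eks-cluster.id}"
+source_security_group_id = "${aws_security_group.eks-node.id}"
+to_port = 443
+type = "ingress"
+}
+
+resource "aws_eks_cluster" "eks" {
+name = "${var.cluster-name}"
+role_arn = "${aws_iam_role.eks-cluster.arn}"
+vpc_config {
+security_group_ids = ["${aws_security_group.eks-cluster.id}"]
+subnet_ids = ["${aws_subnet.demo.*.id}"]
+}
+depends_on = [
+"aws_iam_role_policy_attachment.eks-cluster-AmazonEKSClusterPolicy",
+"aws_iam_role_policy_attachment.eks-cluster-AmazonEKSServicePolicy",
+]
+}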
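Review bot: `subnet_ids` in the `aws_eks_cluster` block references `aws_subnet.demo.*.id`, while the VPC in this same file is `aws_vpc.eks` and the worker autoscaling group in the node file uses `aws_subnet.eks.*.id`; this looks like a leftover name from the upstream example, and unless an `aws_subnet.demo` resource exists in a file not shown here the plan fails on an unknown resource. The fix is `subnet_ids = ["${aws_subnet.eks.*.id}"]`. Separately, `vpc_config` leaves API endpoint access and control-plane logging at provider defaults, which means a publicly reachable endpoint and no audit trail; where the provider version in use supports them, `endpoint_public_access`/`public_access_cidrs` and `enabled_cluster_log_types = ["api", "audit", "authenticator"]` belong in this resource.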
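--- /dev/null
+++ b/PATH_NOT_ON_PAGE_2
@@ -0,0 +1,124 @@
+resource "aws_iam_role" "eks-node" {
+name = "eks-node"
+assume_role_policy = <<POLICY
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Principal": {
+"Service": "ec2.amazonaws.com"
+},
+"Action": "sts:AssumeRole"
+}
+]
+}
+POLICY
+}
+
+resource "aws_iam_role_policy_attachment" "eks-node-AmazonEKSWorkerNodePolicy" {
+policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
+role = "${aws_iam_role.eks-node.name}"
+}
+
+resource "aws_iam_role_policy_attachment" "eks-node-AmazonEKS_CNI_Policy" {
+policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
+role = "${aws_iam_role.eks-node.name}"
+}
+
+resource "aws_iam_role_policy_attachment" "eks-node-AmazonEC2ContainerRegistryReadOnly" {
+policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+role = "${aws_iam_role.eks-node.name}"
+}
+
+resource "aws_iam_instance_profile" "eks-node" {
+name = "eks-node"
+role = "${aws_iam_role.eks-node.name}"
+}
+
+resource "aws_security_group" "eks-node" {
+name = "eks-node"
+description = "Security group for all nodes in the cluster"
+vpc_id = "${aws_vpc.eks.id}"
+egress {
+from_port = 0
+to_port = 0
+protocol = "-1"
+cidr_blocks = ["0.0.0.0/0"]
+}
+tags = "${
+map(
+"Name", "eks-node",
+"kubernetes.io/cluster/${var.cluster-name}", "owned",
+)
+}"
+}
+
+resource "aws_security_group_rule" "eks-node-ingress-self" {
+description = "Allow node to communicate with each other"
+from_port = 0
+protocol = "-1"
+security_group_id = "${aws_security_group.eks-node.id}"
+source_security_group_id = "${aws_security_group.eks-node.id}"
+to_port = 65535
+type = "ingress"
+}
+
+resource "aws_security_group_rule" "eks-node-ingress-cluster" {
+description = "Allow worker Kubelets and pods to receive communication from the cluster control plane"
+from_port = 1025
+protocol = "tcp"
+security_group_id = "${aws_security_group.eks-node.id}"
+source_security_group_id = "${aws_security_group.eks-cluster.id}"
+to_port = 65535
+type = "ingress"
+}
+
+data "aws_ami" "eks-worker" {
+filter {
+name = "name"
+values = ["amazon-eks-node-${aws_eks_cluster.eks.version}-v*"]
+}
+most_recent = true
+owners = ["602401143452"] # Amazon EKS AMI Account ID
+}
+
+locals {
+demo-node-userdata = <<USERDATA
+#!/bin/bash
+set -o xtrace
+/etc/eks/bootstrap.sh --apiserver-endpoint '${aws_eks_cluster.eks.endpoint}' --b64-cluster-ca '${aws_eks_cluster.eks.certificate_authority.0.data}' '${var.cluster-name}'
+USERDATA
+}
+
+resource "aws_launch_configuration" "eks" {
+associate_public_ip_address = true
+iam_instance_profile = "${aws_iam_instance_profile.eks-node.name}"
+image_id = "${data.aws_ami.eks-worker.id}"
+instance_type = "m4.large"
+name_prefix = "eks"
+security_groups = ["${aws_security_group.eks-node.id}"]
+user_data_base64 = "${base64encode(local.eks-node-userdata)}"
+lifecycle {
+create_before_destroy = true
+}
+}
+
+resource "aws_autoscaling_group" "eks" {
+desired_capacity = 2
+launch_configuration = "${aws_launch_configuration.eks.id}"
+max_size = 2
+min_size = 1
+name = "eks"
+vpc_zone_identifier = ["${aws_subnet.eks.*.id}"]
+tag {
+key = "Name"
+value = "eks"
+propagate_at_launch = true
+}
+tag {
+key = "kubernetes.io/cluster/${var.cluster-name}"
+value = "owned"
+propagate_at_launch = true
+}
+}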
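Review bot: `user_data_base64` on the launch configuration reads `local.eks-node-userdata`, but the `locals` block declares the value as `demo-node-userdata`, so the plan fails on an undefined local; rename the declaration to `eks-node-userdata = <<USERDATA` so the two agree. `associate_public_ip_address = true` gives every worker a public address, and since the node security group admits only the node and cluster groups, exposure of those instances rests entirely on those two rules staying tight; the public IP is only needed if the subnets (declared outside this commit) have no NAT path, so it is worth confirming and dropping otherwise. The AMI lookup is correctly pinned to the EKS account owner ID, which is the right guard against look-alike image names.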
@@ -0,0 +1,55 @@ | ||
locals { | ||
config_map_aws_auth = <<CONFIGMAPAWSAUTH | ||
apiVersion: v1 | ||
kind: ConfigMap | ||
metadata: | ||
name: aws-auth | ||
namespace: kube-system | ||
data: | ||
mapRoles: | | ||
- rolearn: ${aws_iam_role.eks-node.arn} | ||
username: system:node:{{EC2PrivateDNSName}} | ||
groups: | ||
- system:bootstrappers | ||
- system:nodes | ||
CONFIGMAPAWSAUTH | ||
|
||
kubeconfig = <<KUBECONFIG | ||
apiVersion: v1 | ||
clusters: | ||
- cluster: | ||
server: ${aws_eks_cluster.eks.endpoint} | ||
certificate-authority-data: ${aws_eks_cluster.eks.certificate_authority.0.data} | ||
name: kubernetes | ||
contexts: | ||
- context: | ||
cluster: kubernetes | ||
user: aws | ||
name: aws | ||
current-context: aws | ||
kind: Config | ||
preferences: {} | ||
users: | ||
- name: aws | ||
user: | ||
exec: | ||
apiVersion: client.authentication.k8s.io/v1alpha1 | ||
command: aws-iam-authenticator | ||
args: | ||
- "token" | ||
- "-i" | ||
- "${var.cluster-name}" | ||
KUBECONFIG | ||
} | ||
|
||
output "config_map_aws_auth" { | ||
value = "${local.config_map_aws_auth}" | ||
} | ||
|
||
output "kubeconfig" { | ||
value = "${local.kubeconfig}" | ||
} |
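Review bot: The `exec` entry in the `kubeconfig` template pins `apiVersion: client.authentication.k8s.io/v1alpha1`; that ExecCredential version has since been removed from kubectl (1.24 and later reject it), so the emitted kubeconfig stops working with current clients. Where the aws-iam-authenticator build in use supports it, `apiVersion: client.authentication.k8s.io/v1beta1` is the longer-lived choice. Both heredoc bodies are YAML, so their indentation is significant; the rendered page shows them flush left and 51 of the 55 added lines, so the raw file should be checked for the exact layout of the `mapRoles` and `clusters` entries.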
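--- /dev/null
+++ b/PATH_NOT_ON_PAGE_4
@@ -0,0 +1,7 @@
+provider "aws" {
+region = "eu-west-1"
+}
+
+data "aws_region" "current" {}
+
+data "aws_availability_zones" "available" {}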
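Review bot: The `provider "aws"` block carries no `version` constraint, so every fresh `terraform init` resolves the newest provider release and resource defaults (the EKS endpoint and logging arguments among them) can change underneath this configuration without any code change; pin it with `version = "~> <PROVIDER_VERSION>"` once the tested version is known. The region is also hard-coded to `eu-west-1` even though `data "aws_region" "current"` is declared to read it back; a `var.region` with that default keeps the deployment region reviewable in one place.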
This file was deleted.
This file was deleted.