initial commit

berndonline · Mar 23, 2019 · d2384c8 · d2384c8
1 parent 6c6d63e
commit d2384c8
Show file tree

Hide file tree

Showing 14 changed files with 272 additions and 216 deletions.
diff --git a/autoscaling.tf b/autoscaling.tf
diff --git a/eks-cluster.tf b/eks-cluster.tf
@@ -0,0 +1,65 @@
+resource "aws_iam_role" "eks-cluster" {
+  name = "eks-cluster"
+  assume_role_policy = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "eks.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+POLICY
+}
+
+resource "aws_iam_role_policy_attachment" "eks-cluster-AmazonEKSClusterPolicy" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
+  role       = "${aws_iam_role.eks-cluster.name}"
+}
+
+resource "aws_iam_role_policy_attachment" "eks-cluster-AmazonEKSServicePolicy" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSServicePolicy"
+  role       = "${aws_iam_role.eks-cluster.name}"
+}
+
+resource "aws_security_group" "eks-cluster" {
+  name        = "eks-cluster"
+  description = "Cluster communication with worker nodes"
+  vpc_id      = "${aws_vpc.eks.id}"
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  tags = {
+    Name = "eks-cluster"
+  }
+}
+
+resource "aws_security_group_rule" "eks-cluster-ingress-node-https" {
+  description              = "Allow pods to communicate with the cluster API Server"
+  from_port                = 443
+  protocol                 = "tcp"
+  security_group_id        = "${aws_security_group.eks-cluster.id}"
+  source_security_group_id = "${aws_security_group.eks-node.id}"
+  to_port                  = 443
+  type                     = "ingress"
+}
+
+resource "aws_eks_cluster" "eks" {
+  name     = "${var.cluster-name}"
+  role_arn = "${aws_iam_role.eks-cluster.arn}"
+  vpc_config {
+    security_group_ids = ["${aws_security_group.eks-cluster.id}"]
+    subnet_ids         = ["${aws_subnet.demo.*.id}"]
+  }
+  depends_on = [
+    "aws_iam_role_policy_attachment.eks-cluster-AmazonEKSClusterPolicy",
+    "aws_iam_role_policy_attachment.eks-cluster-AmazonEKSServicePolicy",
+  ]
+}
diff --git a/eks-worker-nodes.tf b/eks-worker-nodes.tf
@@ -0,0 +1,124 @@
+resource "aws_iam_role" "eks-node" {
+  name = "eks-node"
+  assume_role_policy = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "ec2.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+POLICY
+}
+
+resource "aws_iam_role_policy_attachment" "eks-node-AmazonEKSWorkerNodePolicy" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
+  role       = "${aws_iam_role.eks-node.name}"
+}
+
+resource "aws_iam_role_policy_attachment" "eks-node-AmazonEKS_CNI_Policy" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
+  role       = "${aws_iam_role.eks-node.name}"
+}
+
+resource "aws_iam_role_policy_attachment" "eks-node-AmazonEC2ContainerRegistryReadOnly" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+  role       = "${aws_iam_role.eks-node.name}"
+}
+
+resource "aws_iam_instance_profile" "eks-node" {
+  name = "eks-node"
+  role = "${aws_iam_role.eks-node.name}"
+}
+
+resource "aws_security_group" "eks-node" {
+  name        = "eks-node"
+  description = "Security group for all nodes in the cluster"
+  vpc_id      = "${aws_vpc.eks.id}"
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  tags = "${
+    map(
+     "Name", "eks-node",
+     "kubernetes.io/cluster/${var.cluster-name}", "owned",
+    )
+  }"
+}
+
+resource "aws_security_group_rule" "eks-node-ingress-self" {
+  description              = "Allow node to communicate with each other"
+  from_port                = 0
+  protocol                 = "-1"
+  security_group_id        = "${aws_security_group.eks-node.id}"
+  source_security_group_id = "${aws_security_group.eks-node.id}"
+  to_port                  = 65535
+  type                     = "ingress"
+}
+
+resource "aws_security_group_rule" "eks-node-ingress-cluster" {
+  description              = "Allow worker Kubelets and pods to receive communication from the cluster control plane"
+  from_port                = 1025
+  protocol                 = "tcp"
+  security_group_id        = "${aws_security_group.eks-node.id}"
+  source_security_group_id = "${aws_security_group.eks-cluster.id}"
+  to_port                  = 65535
+  type                     = "ingress"
+}
+
+data "aws_ami" "eks-worker" {
+  filter {
+    name   = "name"
+    values = ["amazon-eks-node-${aws_eks_cluster.eks.version}-v*"]
+  }
+  most_recent = true
+  owners      = ["602401143452"] # Amazon EKS AMI Account ID
+}
+
+locals {
+  demo-node-userdata = <<USERDATA
+#!/bin/bash
+set -o xtrace
+/etc/eks/bootstrap.sh --apiserver-endpoint '${aws_eks_cluster.eks.endpoint}' --b64-cluster-ca '${aws_eks_cluster.eks.certificate_authority.0.data}' '${var.cluster-name}'
+USERDATA
+}
+
+resource "aws_launch_configuration" "eks" {
+  associate_public_ip_address = true
+  iam_instance_profile        = "${aws_iam_instance_profile.eks-node.name}"
+  image_id                    = "${data.aws_ami.eks-worker.id}"
+  instance_type               = "m4.large"
+  name_prefix                 = "eks"
+  security_groups             = ["${aws_security_group.eks-node.id}"]
+  user_data_base64            = "${base64encode(local.eks-node-userdata)}"
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_autoscaling_group" "eks" {
+  desired_capacity     = 2
+  launch_configuration = "${aws_launch_configuration.eks.id}"
+  max_size             = 2
+  min_size             = 1
+  name                 = "eks"
+  vpc_zone_identifier  = ["${aws_subnet.eks.*.id}"]
+  tag {
+    key                 = "Name"
+    value               = "eks"
+    propagate_at_launch = true
+  }
+  tag {
+    key                 = "kubernetes.io/cluster/${var.cluster-name}"
+    value               = "owned"
+    propagate_at_launch = true
+  }
+}
diff --git a/eks.tf b/eks.tf
diff --git a/iam.tf b/iam.tf
diff --git a/output.tf b/output.tf
diff --git a/outputs.tf b/outputs.tf
@@ -0,0 +1,55 @@
+locals {
+  config_map_aws_auth = <<CONFIGMAPAWSAUTH
+
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: aws-auth
+  namespace: kube-system
+data:
+  mapRoles: |
+    - rolearn: ${aws_iam_role.eks-node.arn}
+      username: system:node:{{EC2PrivateDNSName}}
+      groups:
+        - system:bootstrappers
+        - system:nodes
+CONFIGMAPAWSAUTH
+
+  kubeconfig = <<KUBECONFIG
+
+
+apiVersion: v1
+clusters:
+- cluster:
+    server: ${aws_eks_cluster.eks.endpoint}
+    certificate-authority-data: ${aws_eks_cluster.eks.certificate_authority.0.data}
+  name: kubernetes
+contexts:
+- context:
+    cluster: kubernetes
+    user: aws
+  name: aws
+current-context: aws
+kind: Config
+preferences: {}
+users:
+- name: aws
+  user:
+    exec:
+      apiVersion: client.authentication.k8s.io/v1alpha1
+      command: aws-iam-authenticator
+      args:
+        - "token"
+        - "-i"
+        - "${var.cluster-name}"
+KUBECONFIG
+}
+
+output "config_map_aws_auth" {
+  value = "${local.config_map_aws_auth}"
+}
+
+output "kubeconfig" {
+  value = "${local.kubeconfig}"
+}
diff --git a/providers.tf b/providers.tf
@@ -0,0 +1,7 @@
+provider "aws" {
+  region = "eu-west-1"
+}
+
+data "aws_region" "current" {}
+
+data "aws_availability_zones" "available" {}
diff --git a/security.tf b/security.tf
diff --git a/security_api.tf b/security_api.tf