From da878f89b74e83ab46b3ecabc96e87544e9ce9e7 Mon Sep 17 00:00:00 2001 From: Kilian Date: Wed, 27 Mar 2024 15:44:05 +0100 Subject: [PATCH 01/10] refa: migration to kubernetes --- main.tf | 196 ++++++++++++++++++++++++++------------- outputs.tf | 12 --- tests/cluster.tftest.hcl | 127 ------------------------- tests/ecr.tftest.hcl | 60 ------------ variables.tf | 97 ------------------- 5 files changed, 131 insertions(+), 361 deletions(-) delete mode 100644 tests/cluster.tftest.hcl delete mode 100644 tests/ecr.tftest.hcl diff --git a/main.tf b/main.tf index f90a00e..0060471 100644 --- a/main.tf +++ b/main.tf 
@@ -1,115 +1,181 @@ ################################ -# IAM Roles # +# Master IAM Roles # ################################ -data "aws_iam_policy_document" "assume_role" { +data "aws_iam_policy_document" "master" { statement { actions = ["sts:AssumeRole"] principals { type = "Service" - identifiers = ["ecs-tasks.amazonaws.com"] + identifiers = ["eks.amazonaws.com"] } } } -resource "aws_iam_role" "execution" { - name = "${var.identifier}-ServiceRoleForECSExecution" - assume_role_policy = data.aws_iam_policy_document.assume_role.json +resource "aws_iam_role" "master" { + name = "${var.identifier}-ServiceRoleForEKSMaster" + assume_role_policy = data.aws_iam_policy_document.master.json tags = var.tags } -resource "aws_iam_role_policy_attachment" "execution" { - role = aws_iam_role.execution.name - policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role" +resource "aws_iam_role_policy_attachment" "cluster" { + policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy" + role = aws_iam_role.master.name } -resource "aws_iam_role" "task" { - name = "${var.identifier}-ServiceRoleForECSTask" - assume_role_policy = data.aws_iam_policy_document.assume_role.json - - tags = var.tags +resource "aws_iam_role_policy_attachment" "service" { + policy_arn = "arn:aws:iam::aws:policy/AmazonEKSServicePolicy" + role = aws_iam_role.master.name } -resource "aws_iam_role_policy_attachment" "task" { - count = length(var.policies) - role = aws_iam_role.task.name - policy_arn = var.policies[count.index] +resource "aws_iam_role_policy_attachment" "controller" { + policy_arn = "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController" + role = aws_iam_role.master.name } ################################ -# CloudWatch # +# Worker IAM Roles # ################################ -resource "aws_cloudwatch_log_group" "main" { - name = "${var.identifier}-fargate" - retention_in_days = try(var.log_config["retention_in_days"], null) +data "aws_iam_policy_document" "worker" { + 
statement { + actions = ["sts:AssumeRole"] + + principals { + type = "Service" + identifiers = ["ec2.amazonaws.com"] + } + } +} + +resource "aws_iam_role" "worker" { + name = "${var.identifier}-ServiceRoleForEKSWorker" + assume_role_policy = data.aws_iam_policy_document.worker.json tags = var.tags } -################################ -# ECR Repository # -################################ +data "aws_iam_policy_document" "autoscaling" { + statement { + effect = "Allow" + + actions = [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeAutoScalingInstances", + "autoscaling:DescribeTags", + "autoscaling:DescribeLaunchConfigurations", + "autoscaling:SetDesiredCapacity", + "autoscaling:TerminateInstanceInAutoScalingGroup", + "ec2:DescribeLaunchTemplateVersions" + ] + + resources = ["*"] + } +} -resource "aws_ecr_repository" "main" { - count = var.image == null ? 1 : 0 - name = "${var.identifier}-cluster" - image_tag_mutability = "MUTABLE" - force_delete = true +resource "aws_iam_policy" "autoscaling" { + name = "ed-eks-autoscaler-policy" + policy = data.aws_iam_policy_document.autoscaling.json tags = var.tags } +resource "aws_iam_role_policy_attachment" "autoscaling" { + policy_arn = aws_iam_policy.autoscaling.arn + role = aws_iam_role.worker.name +} + +resource "aws_iam_role_policy_attachment" "worker_node" { + policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy" + role = aws_iam_role.worker.name +} + +resource "aws_iam_role_policy_attachment" "network_interface" { + policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy" + role = aws_iam_role.worker.name +} + +resource "aws_iam_role_policy_attachment" "ssm" { + policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore" + role = aws_iam_role.worker.name +} + +resource "aws_iam_role_policy_attachment" "xray" { + policy_arn = "arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess" + role = aws_iam_role.worker.name +} + +# TODO give IAM permission to read ECR registries and S3 buckets + 
################################ -# ECS Cluster # +# Security Groups # ################################ -resource "aws_ecs_cluster" "main" { - name = var.identifier +################################ +# Kubectl Server # +################################ + +resource "aws_key_pair" "kubectl" { + key_name = "${var.identifier}-kubectl" + public_key = var.public_key tags = var.tags } -resource "aws_ecs_task_definition" "main" { - family = var.identifier - requires_compatibilities = ["FARGATE"] - execution_role_arn = aws_iam_role.execution.arn - task_role_arn = aws_iam_role.task.arn - network_mode = "awsvpc" - cpu = var.cpu - memory = var.memory - container_definitions = jsonencode([{ - name = var.identifier - image = var.image == null ? "${aws_ecr_repository.main[0].repository_url}:latest" : try(var.image["uri"], null) - environment = [for k, v in var.env_variables : {name = k, value = v}] - logConfiguration = { - logDriver = "awslogs" - options = { - awslogs-group = aws_cloudwatch_log_group.main.id - awslogs-region = try(var.log_config["region"], null) - awslogs-stream-prefix = "cluster" - } - } - }]) +resource "aws_instance" "kubectl" { + key_name = aws_key_pair.kubectl.name + instance_type = "t2.micro" + associate_public_ip_address = true + subnet_id = var.subnets[0] + vpc_security_group_ids = [] tags = var.tags } -resource "aws_ecs_service" "main" { - name = var.identifier - cluster = aws_ecs_cluster.main.id - task_definition = aws_ecs_task_definition.main.arn - launch_type = "FARGATE" - desired_count = var.desired_task_count - force_new_deployment = true +################################ +# EKS Cluster # +################################ + +resource "aws_eks_cluster" "main" { + name = var.identifier + role_arn = aws_iam_role.master.arn - network_configuration { - subnets = try(var.network_config["subnets"], null) - assign_public_ip = false - security_groups = var.security_groups + vpc_config { + subnet_ids = var.subnets } tags = var.tags } + + resource 
"aws_eks_node_group" "main" { + cluster_name = aws_eks_cluster.main.name + node_group_name = var.identifier + node_role_arn = aws_iam_role.worker.arn + subnet_ids = var.subnets + capacity_type = "ON_DEMAND" + disk_size = var.disk_size + instance_types = var.instance_types + + remote_access { + ec2_ssh_key = aws_key_pair.kubectl.name + source_security_group_ids = [] + } + + labels = { + env = var.env + } + + scaling_config { + desired_size = var.desired_size + max_size = var.max_size + min_size = var.min_size + } + + update_config { + max_unavailable = 1 + } + + tags = var.tags +} diff --git a/outputs.tf b/outputs.tf index 6c9dd56..e69de29 100644 --- a/outputs.tf +++ b/outputs.tf @@ -1,12 +0,0 @@ -output "ecr_repository" { - description = "Object of the created ECR repository if created." - value = { - uri = try(aws_ecr_repository.main[0].repository_url, null) - arn = try(aws_ecr_repository.main[0].arn, null) - } -} - -output "log_arn" { - description = "ARN of the created CloudWatch log group." - value = try(aws_cloudwatch_log_group.main.arn, null) -} diff --git a/tests/cluster.tftest.hcl b/tests/cluster.tftest.hcl deleted file mode 100644 index ae9951f..0000000 --- a/tests/cluster.tftest.hcl +++ /dev/null 
@@ -1,127 +0,0 @@ -provider "aws" { - region = "eu-central-1" - default_tags { - tags = { - Environment = "Test" - } - } -} - -run "invalid_identifier" { - command = plan - - variables { - identifier = "ab" - - network_config = { - vpc = "vpc-01234567890abcdef" - subnets = ["subnet-1242421", "subnet-2344898"] - } - - log_config = { - region = "eu-central-1" - retention_in_days = 7 - } - } - - expect_failures = [var.identifier] -} - -run "invalid_vpc" { - command = plan - - variables { - identifier = "abc" - - network_config = { - vpc = "abc-01234567890abcdef" - subnets = ["subnet-1242421", "subnet-2344898"] - } - - log_config = { - region = "eu-central-1" - retention_in_days = 7 - } - } - - expect_failures = [var.network_config] -} - -run "invalid_subnets" { - command = plan - - variables { - identifier = "abc" - - network_config = { - vpc = "vpc-01234567890abcdef" - subnets = ["subnet-1242421", "net-2344898"] - } - - log_config = { - region = "eu-central-1" - retention_in_days = 7 - } - } - - expect_failures = [var.network_config] -} - -run "valid_configuration" { - command = plan - - variables { - identifier = "abc" - - network_config = { - vpc = "vpc-01234567890abcdef" - subnets = ["subnet-1242421", "subnet-2344898"] - } - - log_config = { - region = "eu-central-1" - retention_in_days = 7 - } - } -} - -run "invalid_security_groups" { - command = plan - - variables { - identifier = "abc" - security_groups = ["sg-we32558632", "s23423423432", "sg-893hgo23hg23"] - - network_config = { - vpc = "vpc-01234567890abcdef" - subnets = ["subnet-1242421", "subnet-2344898"] - } - - log_config = { - region = "eu-central-1" - retention_in_days = 7 - } - } - - expect_failures = [var.security_groups] -} - -run "invalid_retention_in_days" { - command = plan - - variables { - identifier = "abc" - - network_config = { - vpc = "vpc-01234567890abcdef" - subnets = ["subnet-1242421", "subnet-2344898"] - } - - log_config = { - region = "eu-central-1" - retention_in_days = 6 - } - } - - 
expect_failures = [var.log_config] -} diff --git a/tests/ecr.tftest.hcl b/tests/ecr.tftest.hcl deleted file mode 100644 index c181b9f..0000000 --- a/tests/ecr.tftest.hcl +++ /dev/null @@ -1,60 +0,0 @@ -provider "aws" { - region = "eu-central-1" - default_tags { - tags = { - Environment = "Test" - } - } -} - -run "without_repository" { - command = plan - - variables { - identifier = "abc" - - image = null - - network_config = { - vpc = "vpc-01234567890abcdef" - subnets = ["subnet-1242421", "subnet-2344898"] - } - - log_config = { - region = "eu-central-1" - retention_in_days = 7 - } - } - - assert { - condition = length(aws_ecr_repository.main) == 1 - error_message = "ECR repository was not created" - } -} - -run "with_repository" { - command = plan - - variables { - identifier = "abc" - - image = { - uri = "registry.test:latest" - } - - network_config = { - vpc = "vpc-01234567890abcdef" - subnets = ["subnet-1242421", "subnet-2344898"] - } - - log_config = { - region = "eu-central-1" - retention_in_days = 7 - } - } - - assert { - condition = length(aws_ecr_repository.main) == 0 - error_message = "ECR repository was created unexpectedly" - } -} diff --git a/variables.tf b/variables.tf index 4005793..e69de29 100644 --- a/variables.tf +++ b/variables.tf 
@@ -1,97 +0,0 @@ -variable "identifier" { - description = "Unique identifier to differentiate global resources." - type = string - validation { - condition = length(var.identifier) > 2 - error_message = "Identifier must be at least 3 characters" - } -} - -variable "policies" { - description = "List of IAM policy ARNs for the Fargate task's IAM role." - type = list(string) - default = [] -} - -variable "log_config" { - description = "Object to define logging configuration for the Fargate tasks to CloudWatch." - type = object({ - region = string - retention_in_days = number - }) - validation { - condition = try(var.log_config["retention_in_days"], 1) == 1 || ( - try(var.log_config["retention_in_days"], 3) == 3) || ( - try(var.log_config["retention_in_days"], 5) == 5) || ( - try(var.log_config["retention_in_days"], 7) == 7) || ( - try(var.log_config["retention_in_days"], 14) == 14) || ( - try(var.log_config["retention_in_days"], 30) == 30) || ( - try(var.log_config["retention_in_days"], 365) == 365) || ( - try(var.log_config["retention_in_days"], 0) == 0) - error_message = "Retention in days must be one of these values: 0, 1, 3, 5, 7, 14, 30, 365" - } -} - -variable "image" { - description = "Object of the image which will be pulled by the Fargate tasks to execute." - type = object({ - uri = string - }) - default = null -} - -variable "security_groups" { - description = "List of security group IDs the ECS service will hold." - type = list(string) - default = [] - validation { - condition = !contains([for v in var.security_groups : startswith(v, "sg-")], false) - error_message = "Elements must be valid security group IDs" - } -} - -variable "network_config" { - description = "Object of definition for the network configuration of the ECS service." 
- type = object({ - vpc = string - subnets = list(string) - }) - validation { - condition = startswith(try(var.network_config["vpc"], null), "vpc-") - error_message = "Must be valid VPC ID" - } - validation { - condition = !contains([for v in var.network_config["subnets"] : startswith(v, "subnet-")], false) - error_message = "Elements in task subnets must be valid subnet IDs" - } -} - -variable "env_variables" { - description = "A map of environment variables for the Fargate task at runtime." - type = map(string) - default = {} -} - -variable "memory" { - description = "Amount of memory in MiB used by each Fargate tasks." - type = number - default = 512 -} - -variable "cpu" { - description = "Number of CPU units used by each Fargate tasks." - type = number - default = 256 -} - -variable "desired_task_count" { - description = "Preferred number of task that shall run." - type = number - default = 1 -} - -variable "tags" { - description = "A map of tags to add to all resources." - type = map(string) - default = {} -} From 5e5061ddf54a7715a7c5f80b9e4eff87943707bf Mon Sep 17 00:00:00 2001 From: kfc-manager Date: Thu, 28 Mar 2024 11:08:35 +0100 Subject: [PATCH 02/10] enha: added variables for EKS --- main.tf | 70 ++++++++++++++++++++++++++++++++------------------- variables.tf | 71 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 115 insertions(+), 26 deletions(-) diff --git a/main.tf b/main.tf index 0060471..3e73b37 100644 --- a/main.tf +++ b/main.tf 
@@ -113,6 +113,28 @@ resource "aws_iam_role_policy_attachment" "xray" { # Security Groups # ################################ +resource "aws_security_group" "allow_tls" { + name = "${var.identifier}-allow-tls" + description = "Allows TLS inbound traffic." + vpc_id = var.vpc + + tags = var.tags +} + +resource "aws_vpc_security_group_ingress_rule" "ssh" { + security_group_id = aws_security_group.allow_tls.id + from_port = 22 + to_port = 22 + ip_protocol = "tcp" + cidr_ipv4 = "0.0.0.0/0" +} + +resource "aws_vpc_security_group_egress_rule" "internet_access" { + security_group_id = aws_security_group.allow_tls.id + ip_protocol = -1 + cidr_ipv4 = "0.0.0.0/0" +} + ################################ # Kubectl Server # ################################ @@ -129,7 +151,7 @@ resource "aws_instance" "kubectl" { instance_type = "t2.micro" associate_public_ip_address = true subnet_id = var.subnets[0] - vpc_security_group_ids = [] + vpc_security_group_ids = [aws_security_group.allow_tls.id] tags = var.tags } 
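Review bot: The `ssh` ingress rule on `aws_security_group.allow_tls` admits TCP/22 from `cidr_ipv4 = "0.0.0.0/0"`, exposing the kubectl bastion's SSH port to the whole internet, and this commit also uses the same group as the node group's `source_security_group_ids`, so a bastion compromise reaches every worker node over SSH. The CIDR should come from an operator-supplied variable, e.g. `cidr_ipv4 = var.ssh_cidr` with a validation that rejects `0.0.0.0/0`, or the rule dropped in favour of SSM Session Manager (the worker role already carries `AmazonSSMManagedInstanceCore`). The group's `name` suffix `allow-tls` and `description = "Allows TLS inbound traffic."` describe a 443 rule that does not exist; `${var.identifier}-bastion-ssh` / `"Allows SSH inbound traffic to the kubectl bastion."` would read correctly in the console. The `internet_access` egress rule (`ip_protocol = -1` to `0.0.0.0/0`) is the usual default but could be narrowed to TCP/443 if the bastion only needs the EKS API and package repositories.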
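Review bot: `aws_instance.kubectl` now gets the new security group and a public IP but leaves `metadata_options` unset, so the instance serves IMDSv1 by default on an internet-reachable host; add `metadata_options { http_endpoint = "enabled"  http_tokens = "required" }` so an SSRF or local foothold cannot read the instance identity document or, once an instance profile is attached, its credentials. `root_block_device { encrypted = true }` is a similarly cheap hardening for a host intended to hold kubectl configuration. The enclosing resource starts outside this hunk.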
@@ -149,33 +171,29 @@ resource "aws_eks_cluster" "main" { tags = var.tags } - resource "aws_eks_node_group" "main" { - cluster_name = aws_eks_cluster.main.name - node_group_name = var.identifier - node_role_arn = aws_iam_role.worker.arn - subnet_ids = var.subnets - capacity_type = "ON_DEMAND" - disk_size = var.disk_size - instance_types = var.instance_types +resource "aws_eks_node_group" "main" { + cluster_name = aws_eks_cluster.main.name + node_group_name = var.identifier + node_role_arn = aws_iam_role.worker.arn + subnet_ids = var.subnets + capacity_type = "ON_DEMAND" + disk_size = var.disk_size + instance_types = var.instance_types - remote_access { - ec2_ssh_key = aws_key_pair.kubectl.name - source_security_group_ids = [] - } - - labels = { - env = var.env - } + remote_access { + ec2_ssh_key = aws_key_pair.kubectl.name + source_security_group_ids = [aws_security_group.allow_tls.id] + } - scaling_config { - desired_size = var.desired_size - max_size = var.max_size - min_size = var.min_size - } + scaling_config { + desired_size = var.desired_size + max_size = var.max_size + min_size = var.min_size + } - update_config { - max_unavailable = 1 - } + update_config { + max_unavailable = 1 + } - tags = var.tags + tags = var.tags } diff --git a/variables.tf b/variables.tf index e69de29..632677a 100644 --- a/variables.tf +++ b/variables.tf 
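Review bot: The `remote_access` block now opens SSH on every worker node (`ec2_ssh_key` plus `source_security_group_ids = [aws_security_group.allow_tls.id]`), which is hard to justify when the worker role already has `AmazonSSMManagedInstanceCore` attached — Session Manager gives shell access without a key pair or port 22 and with CloudTrail-logged sessions. I would remove the `remote_access` block entirely; if SSH must stay, the source group should be one that contains only the bastion, not a group whose own ingress (in this commit's earlier hunk) is open to `0.0.0.0/0`. The hunk also silently drops `labels { env = var.env }`; that is fine since no `env` variable is declared in this commit's variables.tf, but the commit message should say so rather than presenting the hunk as re-indentation.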
@@ -0,0 +1,71 @@ +variable "identifier" { + description = "Unique identifier to differentiate global resources." + type = string + validation { + condition = length(var.identifier) > 2 + error_message = "Identifier must be at least 3 characters" + } +} + +variable "vpc" { + description = "ID of the subnets' VPC." + type = string + validation { + condition = startswith(var.vpc, "vpc-") + error_message = "Must be valid VPC ID" + } +} + +variable "subnets" { + description = "A list of IDs of subnets for the subnet group and potentially the RDS proxy." + type = list(string) + validation { + condition = length(var.subnets) > 1 + error_message = "List of subnets must contain at least 2 elements" + } + validation { + condition = !contains([for v in var.subnets : startswith(v, "subnet-")], false) + error_message = "Elements must be valid subnet IDs" + } +} + +variable "public_key" { + description = "Public SSH key registered to in EC2 instance to tunnel with corresponding private key into it." + type = string +} + +variable "disk_size" { + description = "Disk size in GiB of the node group." + type = number + default = 20 +} + +variable "instance_types" { + description = "Types of the instances in the node group." + type = list(string) + default = ["t3.small"] +} + +variable "desired_size" { + description = "Desired amount of nodes in the node group." + type= number + default = 1 +} + +variable "min_size" { + description = "Minimum amount of nodes in the node group." + type= number + default = 1 +} + +variable "max_size" { + description = "Maximum amount of nodes in the node group." + type= number + default = 1 +} + +variable "tags" { + description = "A map of tags to add to all resources." + type = map(string) + default = {} +} From bcdae78e569d6fd1a6ece50fdc086fb91c3df3bd Mon Sep 17 00:00:00 2001 
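Review bot: The description of `subnets` — "A list of IDs of subnets for the subnet group and potentially the RDS proxy." — is copied from another module and does not describe what this file does with the value (EKS `vpc_config.subnet_ids` and the node group's `subnet_ids`); suggest `"IDs of the subnets the EKS control-plane ENIs and the managed node group are placed in (at least two, in different AZs)."`. The `public_key` description is garbled ("registered to in EC2 instance to tunnel with corresponding private key into it"); suggest `"OpenSSH public key registered as the EC2 key pair for the kubectl bastion and for node-group SSH access."`. `identifier` is validated only for length, yet it is interpolated into IAM role names such as `${var.identifier}-ServiceRoleForEKSMaster`, which allow only `[A-Za-z0-9+=,.@_-]` and 64 characters in total; a validation like `can(regex("^[A-Za-z0-9+=,.@_-]{3,40}$", var.identifier))` would fail at plan time instead of at apply.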
From: kfc-manager Date: Wed, 3 Apr 2024 15:24:42 +0200 Subject: [PATCH 03/10] fix: subnet id can be sparatly provided for kubectl server --- main.tf | 2 +- variables.tf | 9 +++++++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 3e73b37..e0f97ed 100644 --- a/main.tf +++ b/main.tf @@ -150,7 +150,7 @@ resource "aws_instance" "kubectl" { key_name = aws_key_pair.kubectl.name instance_type = "t2.micro" associate_public_ip_address = true - subnet_id = var.subnets[0] + subnet_id = var.kubectl_subnet vpc_security_group_ids = [aws_security_group.allow_tls.id] tags = var.tags diff --git a/variables.tf b/variables.tf index 632677a..5cc3cdc 100644 --- a/variables.tf +++ b/variables.tf @@ -16,6 +16,15 @@ variable "vpc" { } } +variable "kubectl_subnet" { + description = "The ID of the subnet for the instance which acts as kubectl server." + type = string + validation { + condition = startswith(var.kubectl_subnet, "subnet-") + error_message = "Kubectl subnet must be a valid subnet ID" + } +} + variable "subnets" { description = "A list of IDs of subnets for the subnet group and potentially the RDS proxy." type = list(string) From 0aeb897188635c375fb9135bb18af6faca75b29f Mon Sep 17 00:00:00 2001 From: kfc-manager Date: Wed, 3 Apr 2024 15:38:19 +0200 Subject: [PATCH 04/10] fix: wrong attribute of key pair --- main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index e0f97ed..685fc08 100644 --- a/main.tf +++ b/main.tf @@ -147,7 +147,7 @@ resource "aws_key_pair" "kubectl" { } resource "aws_instance" "kubectl" { - key_name = aws_key_pair.kubectl.name + key_name = aws_key_pair.kubectl.id instance_type = "t2.micro" associate_public_ip_address = true subnet_id = var.kubectl_subnet 
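Review bot: `kubectl_subnet` is validated only for the `subnet-` prefix, but because `aws_instance.kubectl` sets `associate_public_ip_address = true` the subnet must be a public subnet belonging to `var.vpc`, and nothing in the module checks either, so a wrong value fails at apply or silently yields an unreachable bastion. The description should state the requirement: `"ID of a public subnet in var.vpc for the bastion instance that runs kubectl; the instance receives a public IP."`. A `data "aws_subnet"` lookup on the ID with a `lifecycle { precondition }` comparing its `vpc_id` to `var.vpc` would catch the mismatch at plan time.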
@@ -181,7 +181,7 @@ resource "aws_eks_node_group" "main" { instance_types = var.instance_types remote_access { - ec2_ssh_key = aws_key_pair.kubectl.name + ec2_ssh_key = aws_key_pair.kubectl.id source_security_group_ids = [aws_security_group.allow_tls.id] } From 713d29c949343281c186ad81674efcb13ff3ff95 Mon Sep 17 00:00:00 2001 From: kfc-manager Date: Wed, 3 Apr 2024 15:41:18 +0200 Subject: [PATCH 05/10] fix: ami of kubctl server instance not provided --- main.tf | 12 ++++++++++++ variables.tf | 14 +++++++------- 2 files changed, 19 insertions(+), 7 deletions(-) diff --git a/main.tf b/main.tf index 685fc08..5b2e778 100644 --- a/main.tf +++ b/main.tf @@ -139,6 +139,17 @@ resource "aws_vpc_security_group_egress_rule" "internet_access" { # Kubectl Server # ################################ +data "aws_ami" "amazon_linux" { + most_recent = true + + owners = ["amazon"] + + filter { + name = "image-id" + values = ["ami-03484a09b43a06725"] + } +} + resource "aws_key_pair" "kubectl" { key_name = "${var.identifier}-kubectl" public_key = var.public_key @@ -147,6 +158,7 @@ resource "aws_key_pair" "kubectl" { } resource "aws_instance" "kubectl" { + ami = data.aws_ami.amazon_linux.id key_name = aws_key_pair.kubectl.id instance_type = "t2.micro" associate_public_ip_address = true diff --git a/variables.tf b/variables.tf index 5cc3cdc..c59ca33 100644 --- a/variables.tf +++ b/variables.tf @@ -20,7 +20,7 @@ variable "kubectl_subnet" { description = "The ID of the subnet for the instance which acts as kubectl server." type = string validation { - condition = startswith(var.kubectl_subnet, "subnet-") + condition = startswith(var.kubectl_subnet, "subnet-") error_message = "Kubectl subnet must be a valid subnet ID" } } 
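Review bot: `data "aws_ami" "amazon_linux"` filters on a hard-coded `image-id` (`ami-03484a09b43a06725`), so `most_recent = true` and `owners = ["amazon"]` do nothing and the bastion is pinned to a single image in a single region — it never picks up OS patches, and since AMI IDs are region-scoped the lookup returns no result anywhere else. Filter by name instead, e.g. `filter { name = "name"  values = ["al2023-ami-*-x86_64"] }` together with `owners = ["amazon"]`, or resolve the `/aws/service/ami-amazon-linux-latest/...` SSM parameter, and add a comment on the data block explaining which image family is intended. The `aws_instance.kubectl` resource this feeds starts outside this hunk.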
@@ -57,20 +57,20 @@ variable "instance_types" { variable "desired_size" { description = "Desired amount of nodes in the node group." - type= number - default = 1 + type = number + default = 1 } variable "min_size" { description = "Minimum amount of nodes in the node group." - type= number - default = 1 + type = number + default = 1 } variable "max_size" { description = "Maximum amount of nodes in the node group." - type= number - default = 1 + type = number + default = 1 } variable "tags" { From 21b24e8f80e0b003ad4f97d9e53fdbd04579333e Mon Sep 17 00:00:00 2001 From: kfc-manager Date: Wed, 3 Apr 2024 16:13:46 +0200 Subject: [PATCH 06/10] enha: removed remote kubectl bastion host --- main.tf | 64 --------------------------------------------------------- 1 file changed, 64 deletions(-) diff --git a/main.tf b/main.tf index 5b2e778..cd2c570 100644 --- a/main.tf +++ b/main.tf 
@@ -109,65 +109,6 @@ resource "aws_iam_role_policy_attachment" "xray" { # TODO give IAM permission to read ECR registries and S3 buckets -################################ -# Security Groups # -################################ - -resource "aws_security_group" "allow_tls" { - name = "${var.identifier}-allow-tls" - description = "Allows TLS inbound traffic." - vpc_id = var.vpc - - tags = var.tags -} - -resource "aws_vpc_security_group_ingress_rule" "ssh" { - security_group_id = aws_security_group.allow_tls.id - from_port = 22 - to_port = 22 - ip_protocol = "tcp" - cidr_ipv4 = "0.0.0.0/0" -} - -resource "aws_vpc_security_group_egress_rule" "internet_access" { - security_group_id = aws_security_group.allow_tls.id - ip_protocol = -1 - cidr_ipv4 = "0.0.0.0/0" -} - -################################ -# Kubectl Server # -################################ - -data "aws_ami" "amazon_linux" { - most_recent = true - - owners = ["amazon"] - - filter { - name = "image-id" - values = ["ami-03484a09b43a06725"] - } -} - -resource "aws_key_pair" "kubectl" { - key_name = "${var.identifier}-kubectl" - public_key = var.public_key - - tags = var.tags -} - -resource "aws_instance" "kubectl" { - ami = data.aws_ami.amazon_linux.id - key_name = aws_key_pair.kubectl.id - instance_type = "t2.micro" - associate_public_ip_address = true - subnet_id = var.kubectl_subnet - vpc_security_group_ids = [aws_security_group.allow_tls.id] - - tags = var.tags -} - ################################ # EKS Cluster # ################################ @@ -192,11 +133,6 @@ resource "aws_eks_node_group" "main" { disk_size = var.disk_size instance_types = var.instance_types - remote_access { - ec2_ssh_key = aws_key_pair.kubectl.id - source_security_group_ids = [aws_security_group.allow_tls.id] - } - scaling_config { desired_size = var.desired_size max_size = var.max_size From d9223fdea6461bb26b0cdf2eff855122a5772efc Mon Sep 17 00:00:00 2001 
From: kfc-manager Date: Wed, 3 Apr 2024 16:15:56 +0200 Subject: [PATCH 07/10] refa: removed unused variables --- variables.tf | 14 -------------- 1 file changed, 14 deletions(-) diff --git a/variables.tf b/variables.tf index c59ca33..85630f9 100644 --- a/variables.tf +++ b/variables.tf @@ -16,15 +16,6 @@ variable "vpc" { } } -variable "kubectl_subnet" { - description = "The ID of the subnet for the instance which acts as kubectl server." - type = string - validation { - condition = startswith(var.kubectl_subnet, "subnet-") - error_message = "Kubectl subnet must be a valid subnet ID" - } -} - variable "subnets" { description = "A list of IDs of subnets for the subnet group and potentially the RDS proxy." type = list(string) @@ -38,11 +29,6 @@ variable "subnets" { } } -variable "public_key" { - description = "Public SSH key registered to in EC2 instance to tunnel with corresponding private key into it." - type = string -} - variable "disk_size" { description = "Disk size in GiB of the node group." type = number From 4d2fda20cb88379c52e876c2d0ff536efc29632f Mon Sep 17 00:00:00 2001 From: kfc-manager Date: Wed, 3 Apr 2024 16:54:36 +0200 Subject: [PATCH 08/10] fix: added ECR read permission to worker nodes --- main.tf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/main.tf b/main.tf index cd2c570..b145df5 100644 --- a/main.tf +++ b/main.tf @@ -97,6 +97,11 @@ resource "aws_iam_role_policy_attachment" "network_interface" { role = aws_iam_role.worker.name } +resource "aws_iam_role_policy_attachment" "ecr" { + policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly" + role = aws_iam_role.worker.name +} + resource "aws_iam_role_policy_attachment" "ssm" { policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore" role = aws_iam_role.worker.name From 199d3c78c2482a4218916189e8706edb449210ee Mon Sep 17 00:00:00 2001 
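Review bot: The `# TODO give IAM permission to read ECR registries and S3 buckets` comment a few lines above this hunk (outside it) is now half resolved — ECR is covered by `AmazonEC2ContainerRegistryReadOnly`, S3 is not — so it should be narrowed to `# TODO: grant worker nodes S3 read access, scoped to the buckets workloads need` or removed. The managed policy allows pulling from every repository in the account; that is the standard node-level pattern for EKS, but if workloads only need specific repositories a customer-managed policy scoped by repository ARN is tighter.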
From: kfc-manager Date: Wed, 3 Apr 2024 19:24:34 +0200 Subject: [PATCH 09/10] fix: added policy for deployments and pods show in web console --- main.tf | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/main.tf b/main.tf index b145df5..9080fd1 100644 --- a/main.tf +++ b/main.tf @@ -20,6 +20,28 @@ resource "aws_iam_role" "master" { tags = var.tags } +data "aws_iam_policy_document" "console" { + statement { + effect = "Allow" + + actions = ["eks:AccessKubernetesApi"] + + resources = ["*"] + } +} + +resource "aws_iam_policy" "console" { + name = "${var.identifier}-WebConsoleEKSMonitoring" + policy = data.aws_iam_policy_document.console.json + + tags = var.tags +} + +resource "aws_iam_role_policy_attachment" "console" { + policy_arn = aws_iam_policy.console.arn + role = aws_iam_role.master.name +} + resource "aws_iam_role_policy_attachment" "cluster" { policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy" role = aws_iam_role.master.name From fc28fe004e532fee7779ad89364f4c201e775d4d Mon Sep 17 00:00:00 2001 From: kfc-manager Date: Wed, 3 Apr 2024 19:46:15 +0200 Subject: [PATCH 10/10] refa: removed unused IAM policy --- main.tf | 22 ---------------------- 1 file changed, 22 deletions(-) diff --git a/main.tf b/main.tf index 9080fd1..b145df5 100644 --- a/main.tf +++ b/main.tf @@ -20,28 +20,6 @@ resource "aws_iam_role" "master" { tags = var.tags } -data "aws_iam_policy_document" "console" { - statement { - effect = "Allow" - - actions = ["eks:AccessKubernetesApi"] - - resources = ["*"] - } -} - -resource "aws_iam_policy" "console" { - name = "${var.identifier}-WebConsoleEKSMonitoring" - policy = data.aws_iam_policy_document.console.json - - tags = var.tags -} - -resource "aws_iam_role_policy_attachment" "console" { - policy_arn = aws_iam_policy.console.arn - role = aws_iam_role.master.name -} - resource "aws_iam_role_policy_attachment" "cluster" { policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy" role = aws_iam_role.master.name
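Review bot: The new `console` policy (`eks:AccessKubernetesApi` on `resources = ["*"]`) is attached to `aws_iam_role.master`, the cluster's own service role, but as I read the EKS docs that action is evaluated on the principal that calls the EKS API to view workloads — the console user or role — so attaching it here grants nothing to console users and only widens the control plane's role. It is also only the IAM half: the same principal must be mapped to a Kubernetes group with `list`/`get` on deployments and pods (aws-auth entry or EKS access entry), which this commit does not configure. If console visibility is the goal, attach the policy to the operators' IAM role and scope it with `resources = [aws_eks_cluster.main.arn]` rather than `*`.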