// ----------------------------------------------------------------------------
// Query necessary data for the module
// ----------------------------------------------------------------------------
data "aws_eks_cluster" "cluster" {
  // Endpoint and CA of the cluster, consumed by the kubernetes provider.
  // When this module creates the cluster the name is taken from
  // module.eks.cluster_id so the read is ordered after cluster creation;
  // otherwise the caller-supplied name of an existing cluster is looked up.
  name = var.create_eks ? module.eks.cluster_id : var.cluster_name
}
data "aws_eks_cluster_auth" "cluster" {
  // Bearer token for the cluster API, minted for the AWS identity running
  // Terraform. Same name selection as data.aws_eks_cluster.cluster.
  // NOTE(review): the token is short-lived and is refreshed only when this
  // data source is read, and it ends up in the plan file and state — treat
  // both as sensitive.
  name = var.create_eks ? module.eks.cluster_id : var.cluster_name
}
// All AZs usable by this account in the provider region; used to spread the VPC subnets.
data "aws_availability_zones" "available" {}
// Account/ARN of the identity running Terraform. Not referenced in this file;
// presumably used by sibling files of the module — verify before removing.
data "aws_caller_identity" "current" {}
// ----------------------------------------------------------------------------
// Define K8s cluster configuration
// ----------------------------------------------------------------------------
provider "kubernetes" {
  // Talk directly to the EKS API endpoint and pin TLS to the cluster CA, so the
  // provider does not depend on (or trust) whatever the local kubeconfig holds.
  host                   = data.aws_eks_cluster.cluster.endpoint
  cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
  // Static bearer token from data.aws_eks_cluster_auth.cluster.
  // NOTE(review): the token is obtained when the data source is read and EKS
  // tokens are short-lived; on a run that first creates the cluster, the token
  // may have expired by the time the Kubernetes resources in this file are
  // applied. The token is also persisted in the plan file and state.
  token = data.aws_eks_cluster_auth.cluster.token
}
// ----------------------------------------------------------------------------
// Create the AWS VPC
// See https://github.com/terraform-aws-modules/terraform-aws-vpc
// ----------------------------------------------------------------------------
module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "~> 2.70"

  // The whole module is a no-op when the caller brings their own VPC.
  create_vpc = var.create_vpc

  name = var.vpc_name
  cidr = var.vpc_cidr_block

  // Spread the subnet lists across every AZ the account can use here.
  azs             = data.aws_availability_zones.available.names
  public_subnets  = var.public_subnets
  private_subnets = var.private_subnets

  // EKS expects DNS hostnames to be enabled in the cluster VPC.
  enable_dns_hostnames = true

  // Egress path for the private subnets. A single NAT gateway is cheaper but
  // is a single point of failure for every private AZ.
  enable_nat_gateway = var.enable_nat_gateway
  single_nat_gateway = var.single_nat_gateway

  // NOTE(review): VPC flow logs are not enabled here. If the pinned module
  // version exposes enable_flow_log, consider turning it on — they are the
  // primary network-level evidence during incident response.

  // The kubernetes.io/* tags drive subnet discovery for the cluster: "shared"
  // marks a subnet usable by this cluster, role/elb marks public subnets for
  // internet-facing load balancers, role/internal-elb marks private ones.
  tags = {
    "kubernetes.io/cluster/${var.cluster_name}" = "shared"
  }

  public_subnet_tags = {
    "kubernetes.io/cluster/${var.cluster_name}" = "shared"
    "kubernetes.io/role/elb"                    = "1"
  }

  private_subnet_tags = {
    "kubernetes.io/cluster/${var.cluster_name}" = "shared"
    "kubernetes.io/role/internal-elb"           = "1"
  }
}
// ----------------------------------------------------------------------------
// Create the EKS cluster; the worker node IAM role additionally receives the
// AWS-managed AmazonEC2ContainerRegistryPowerUser policy (see workers_additional_policies)
// See https://github.com/terraform-aws-modules/terraform-aws-eks
// ----------------------------------------------------------------------------
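module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = ">= 14.0, < 18.0"

  create_eks      = var.create_eks
  cluster_name    = var.cluster_name
  cluster_version = var.cluster_version

  // The control plane honours var.cluster_in_private_subnet; the worker ASGs
  // below do not (see the note on worker_groups_launch_template).
  subnets = var.create_vpc ? (var.cluster_in_private_subnet ? module.vpc.private_subnets : module.vpc.public_subnets) : var.subnets
  vpc_id  = var.create_vpc ? module.vpc.vpc_id : var.vpc_id

  // IAM Roles for Service Accounts (OIDC provider), so pods can be given their
  // own scoped IAM role instead of inheriting the shared node role below.
  enable_irsa = true

  // Launch-template workers: one ASG per subnet/AZ, sized per subnet.
  // NOTE(review): these ASGs are always placed in the PUBLIC subnets and get
  // public_ip = true, regardless of var.cluster_in_private_subnet. Every node
  // is then directly addressable from the internet, gated only by the worker
  // security group and any NACLs. Confirm this is intended before treating
  // cluster_in_private_subnet as a hardening switch.
  worker_groups_launch_template = var.enable_worker_group && var.enable_worker_groups_launch_template ? [
    for subnet in (var.create_vpc ? module.vpc.public_subnets : var.subnets) :
    {
      subnets              = [subnet]
      asg_desired_capacity = var.lt_desired_nodes_per_subnet
      asg_min_size         = var.lt_min_nodes_per_subnet
      asg_max_size         = var.lt_max_nodes_per_subnet
      spot_price           = (var.enable_spot_instances ? var.spot_price : null)
      instance_type        = var.node_machine_type
      // At-rest encryption of the node root EBS volume.
      root_encrypted          = var.encrypt_volume_self
      override_instance_types = var.allowed_spot_instance_types
      autoscaling_enabled     = "true"
      public_ip               = true
      // Discovery tags for the cluster autoscaler; deliberately not propagated
      // to the instances.
      tags = [
        {
          key                 = "k8s.io/cluster-autoscaler/enabled"
          propagate_at_launch = "false"
          value               = "true"
        },
        {
          key                 = "k8s.io/cluster-autoscaler/${var.cluster_name}"
          propagate_at_launch = "false"
          value               = "true"
        }
      ]
    }
  ] : []

  // Launch-configuration workers: a single ASG for the whole cluster.
  worker_groups = var.enable_worker_group && !var.enable_worker_groups_launch_template ? [
    {
      name                 = "worker-group-${var.cluster_name}"
      instance_type        = var.node_machine_type
      asg_desired_capacity = var.desired_node_count
      asg_min_size         = var.min_node_count
      asg_max_size         = var.max_node_count
      spot_price           = (var.enable_spot_instances ? var.spot_price : null)
      // SSH key pair on the nodes; keep disabled unless break-glass access is required.
      key_name         = (var.enable_key_name ? var.key_name : null)
      root_volume_type = var.volume_type
      root_volume_size = var.volume_size
      root_iops        = var.iops
      // Apply the same at-rest encryption setting as the launch-template path;
      // previously only that path honoured var.encrypt_volume_self, so the
      // variable silently did nothing for launch-configuration workers.
      // Expect a change of this value to replace the launch configuration
      // and roll the nodes.
      root_encrypted = var.encrypt_volume_self
      // Discovery tags for the cluster autoscaler; not propagated to instances.
      tags = [
        {
          key                 = "k8s.io/cluster-autoscaler/enabled"
          propagate_at_launch = "false"
          value               = "true"
        },
        {
          key                 = "k8s.io/cluster-autoscaler/${var.cluster_name}"
          propagate_at_launch = "false"
          value               = "true"
        }
      ]
    }
  ] : []

  // Managed node groups are used instead when self-managed worker groups are off.
  node_groups = !var.enable_worker_group ? local.node_groups_extended : {}

  // Attached to the shared worker node role, i.e. available to any pod that can
  // reach the instance metadata service: push/pull on every ECR repository in
  // the account. Workloads that need ECR write should get it via IRSA instead.
  // NOTE(review): data.aws_partition.current is not declared in this file; it
  // must be provided by a sibling file of the module.
  workers_additional_policies = [
    "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonEC2ContainerRegistryPowerUser"
  ]

  // aws-auth ConfigMap entries. Every principal listed here is mapped into the
  // cluster's RBAC, so review these lists as carefully as IAM policies.
  map_users    = var.map_users
  map_roles    = var.map_roles
  map_accounts = var.map_accounts

  // API endpoint exposure. With public access enabled and the public CIDR list
  // left at the upstream module default (presumably 0.0.0.0/0 — verify), the
  // API server is reachable from the entire internet, protected only by
  // authentication; restrict the CIDRs or use private access where possible.
  cluster_endpoint_private_access       = var.cluster_endpoint_private_access
  cluster_endpoint_public_access        = var.cluster_endpoint_public_access
  cluster_endpoint_private_access_cidrs = var.cluster_endpoint_private_access_cidrs
  cluster_endpoint_public_access_cidrs  = var.cluster_endpoint_public_access_cidrs

  // KMS envelope encryption for Kubernetes Secrets; an empty list leaves
  // Secrets without customer-managed key encryption.
  cluster_encryption_config = var.cluster_encryption_config
}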
// ----------------------------------------------------------------------------
// Refresh the operator's local kubeconfig after the cluster has been created
// so they can connect to it. The Kubernetes resources below are created through
// the kubernetes provider, which authenticates with the token data source above.
// ----------------------------------------------------------------------------
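resource "null_resource" "kubeconfig" {
  // Wait for the cluster so update-kubeconfig can resolve it.
  depends_on = [
    module.eks
  ]

  // Runs on the machine executing Terraform and rewrites its kubeconfig.
  // No triggers are set, so this runs once at creation and is not re-run if
  // the cluster is later replaced under the same name.
  provisioner "local-exec" {
    // Quote the interpolated values so a cluster name or region containing
    // whitespace or shell metacharacters cannot split or extend the command
    // line handed to the interpreter.
    command     = "aws eks update-kubeconfig --name \"${var.cluster_name}\" --region=\"${var.region}\""
    interpreter = var.local-exec-interpreter
  }
}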
// ----------------------------------------------------------------------------
// Create the necessary K8s namespaces that we will need to add the
// Service Accounts later
// ----------------------------------------------------------------------------
resource "kubernetes_namespace" "jx" {
  // Only created for Jenkins X 2 installs (var.is_jx2); otherwise a no-op.
  count = var.is_jx2 ? 1 : 0

  metadata {
    name = "jx"
  }

  // Labels and annotations are managed outside Terraform (presumably by the
  // Jenkins X tooling), so drift on them must not produce an update.
  lifecycle {
    ignore_changes = [
      metadata[0].labels,
      metadata[0].annotations,
    ]
  }

  // Ordering only: the kubernetes provider authenticates with the token data
  // source, not with the kubeconfig written by null_resource.kubeconfig.
  depends_on = [null_resource.kubeconfig]
}
resource "kubernetes_namespace" "cert_manager" {
  // Only created for Jenkins X 2 installs (var.is_jx2); otherwise a no-op.
  count = var.is_jx2 ? 1 : 0

  metadata {
    name = "cert-manager"
  }

  // Labels and annotations are managed outside Terraform (presumably by
  // cert-manager or the Jenkins X tooling), so drift on them is ignored.
  lifecycle {
    ignore_changes = [
      metadata[0].labels,
      metadata[0].annotations,
    ]
  }

  // Ordering only: the kubernetes provider authenticates with the token data
  // source, not with the kubeconfig written by null_resource.kubeconfig.
  depends_on = [null_resource.kubeconfig]
}
// ----------------------------------------------------------------------------
// Store the Terraform-generated jx-requirements.yml in a ConfigMap so it can be
// synced into the Git repository (Jenkins X 3 installs only).
//
// https://www.terraform.io/docs/providers/kubernetes/r/config_map.html
// ----------------------------------------------------------------------------
resource "kubernetes_config_map" "jenkins_x_requirements" {
  // Inverse of the jx2 namespaces: created only for non-jx2 installs.
  count = var.is_jx2 ? 0 : 1

  // Ordering only; the provider itself does not depend on this module output.
  depends_on = [module.eks]

  metadata {
    name      = "terraform-jx-requirements"
    namespace = "default"
  }

  // The rendered requirements file is handed to the cluster as plain config.
  // NOTE(review): a ConfigMap is not a secret store; if var.content can ever
  // carry credentials, it is readable by anyone with get/list on ConfigMaps
  // in the default namespace.
  data = {
    "jx-requirements.yml" = var.content
  }

  // Both metadata and data are ignored after creation: later changes to
  // var.content are NOT pushed to the cluster, and in-cluster edits are not
  // reverted. Recreate the resource to republish the file.
  lifecycle {
    ignore_changes = [
      metadata,
      data
    ]
  }
}