added files for Article 3

Article 3/modules.tf

@@ -0,0 +1,17 @@
+module "network" {
+  source = "./modules/network"
+
+  // pass variables from .tfvars
+  aws_region       = "${var.aws_region}"
+  subnet_count     = "${var.subnet_count}"
+}
+
+module "security_groups" {
+  source = "./modules/security_groups"
+
+  // pass variables from .tfvars
+  accessing_computer_ip   = "${var.accessing_computer_ip}"
+
+  // inputs from modules
+  vpc_id                  = "${module.network.vpc_id}"
+}

Article 3/modules/network/gateways.tf

@@ -0,0 +1,23 @@
+resource "aws_internet_gateway" "example" {
+  vpc_id = "${aws_vpc.example.id}"
+
+  tags {
+    Name = "internet_gateway"
+  }
+}
+
+
+resource "aws_eip" "nat_gateway" {
+  count = "${var.subnet_count}"
+  vpc      = true
+}
+
+resource "aws_nat_gateway" "example" {
+  count = "${var.subnet_count}"
+  allocation_id = "${aws_eip.nat_gateway.*.id[count.index]}"
+  subnet_id = "${aws_subnet.gateway.*.id[count.index]}"
+  tags {
+    Name = "nat_gateway"
+  }
+  depends_on = ["aws_internet_gateway.example"]
+}

Article 3/modules/network/output.tf

@@ -0,0 +1,3 @@
+output "vpc_id" {
+  value = "${aws_vpc.example.id}"
+}

Article 3/modules/network/route_tables.tf

@@ -0,0 +1,51 @@
+resource "aws_route_table" "application" {
+  count = "${var.subnet_count}"
+  vpc_id = "${aws_vpc.example.id}"
+  route {
+    cidr_block = "0.0.0.0/0"
+    nat_gateway_id = "${aws_nat_gateway.example.*.id[count.index]}"
+  }
+  tags {
+    Name = "example_application"
+  }
+}
+
+resource "aws_route_table" "database" {
+  vpc_id = "${aws_vpc.example.id}"
+
+  tags {
+    Name = "example_database"
+  }
+}
+resource "aws_route_table" "gateway" {
+  vpc_id = "${aws_vpc.example.id}"
+
+  route {
+    cidr_block = "0.0.0.0/0"
+    gateway_id = "${aws_internet_gateway.example.id}"
+  }
+  tags {
+    Name = "example_gateway"
+  }
+}
+
+resource "aws_route_table_association" "application" {
+  count = "${var.subnet_count}"
+
+  subnet_id      = "${aws_subnet.application.*.id[count.index]}"
+  route_table_id = "${aws_route_table.application.*.id[count.index]}"
+}
+
+resource "aws_route_table_association" "database" {
+  count = "${var.subnet_count}"
+
+  subnet_id      = "${aws_subnet.database.*.id[count.index]}"
+  route_table_id = "${aws_route_table.database.id}"
+}
+
+resource "aws_route_table_association" "gateway" {
+  count = "${var.subnet_count}"
+
+  subnet_id      = "${aws_subnet.gateway.*.id[count.index]}"
+  route_table_id = "${aws_route_table.gateway.id}"
+}

Article 3/modules/network/subnets.tf

@@ -0,0 +1,38 @@
+data "aws_availability_zones" "available" {}
+
+resource "aws_subnet" "gateway" {
+  count = "${var.subnet_count}"
+  availability_zone = "${data.aws_availability_zones.available.names[count.index]}"
+  cidr_block        = "10.0.1${count.index}.0/24"
+  vpc_id            = "${aws_vpc.example.id}"
+  tags = "${
+    map(
+     "Name", "example_gateway"
+    )
+  }"
+}
+resource "aws_subnet" "application" {
+  count = "${var.subnet_count}"
+  availability_zone = "${data.aws_availability_zones.available.names[count.index]}"
+  cidr_block        = "10.0.2${count.index}.0/24"
+  vpc_id            = "${aws_vpc.example.id}"
+  tags = "${
+    map(
+     "Name", "example_application",
+     "kubernetes.io/cluster/example", "shared",
+    )
+  }"
+}
+
+resource "aws_subnet" "database" {
+  count = "${var.subnet_count}"
+  availability_zone = "${data.aws_availability_zones.available.names[count.index]}"
+  cidr_block        = "10.0.3${count.index}.0/24"
+  vpc_id            = "${aws_vpc.example.id}"
+
+  tags = "${
+    map(
+     "Name", "example_database"
+    )
+  }"
+}

Article 3/modules/network/variables.tf

@@ -0,0 +1,8 @@
+variable "aws_region" {
+ type = "string"
+ description = "Used AWS Region."
+}
+variable "subnet_count" {
+    type        = "string"
+    description = "The number of subnets we want to create per type to ensure high availability."
+}

Article 3/modules/network/vpc.tf

@@ -0,0 +1,11 @@
+resource "aws_vpc" "example" {
+  cidr_block = "10.0.0.0/16"
+  enable_dns_hostnames = true
+  enable_dns_support = true
+  tags = "${
+    map(
+     "Name", "terraform-eks",
+     "kubernetes.io/cluster/example", "shared",
+    )
+  }"
+}

Article 3/modules/security_groups/sg_eks_master.tf

@@ -0,0 +1,17 @@
+
+resource "aws_security_group" "tf-eks-master" {
+    name        = "terraform-eks-cluster"
+    description = "Cluster communication with worker nodes"
+    vpc_id      = "${var.vpc_id}"
+
+    egress {
+        from_port   = 0
+        to_port     = 0
+        protocol    = "-1"
+        cidr_blocks = ["0.0.0.0/0"]
+    }
+
+    tags {
+        Name = "terraform-eks"
+    }
+}

Article 3/modules/security_groups/sg_eks_node.tf

@@ -0,0 +1,17 @@
+    resource "aws_security_group" "tf-eks-node" {
+        name        = "terraform-eks-node"
+        description = "Security group for all nodes in the cluster"
+        vpc_id      = "${var.vpc_id}"
+
+        egress {
+            from_port   = 0
+            to_port     = 0
+            protocol    = "-1"
+            cidr_blocks = ["0.0.0.0/0"]
+        }
+
+        tags {
+            Name = "terraform-eks"
+        }
+    }
+

Article 3/modules/security_groups/sg_rules_eks.tf

@@ -0,0 +1,58 @@
+# Allow inbound traffic from your local workstation external IP
+# to the Kubernetes. You will need to replace A.B.C.D below with
+# your real IP. Services like icanhazip.com can help you find this.
+resource "aws_security_group_rule" "tf-eks-cluster-ingress-workstation-https" {
+  cidr_blocks       = ["${var.accessing_computer_ip}/32"]
+  description       = "Allow workstation to communicate with the cluster API Server"
+  from_port         = 443
+  protocol          = "tcp"
+  security_group_id = "${aws_security_group.tf-eks-master.id}"
+  to_port           = 443
+  type              = "ingress"
+}
+
+########################################################################################
+# Setup worker node security group
+
+resource "aws_security_group_rule" "tf-eks-node-ingress-self" {
+  description              = "Allow node to communicate with each other"
+  from_port                = 0
+  protocol                 = "-1"
+  security_group_id        = "${aws_security_group.tf-eks-node.id}"
+  source_security_group_id = "${aws_security_group.tf-eks-node.id}"
+  to_port                  = 65535
+  type                     = "ingress"
+}
+
+resource "aws_security_group_rule" "tf-eks-node-ingress-cluster" {
+  description              = "Allow worker Kubelets and pods to receive communication from the cluster control plane"
+  from_port                = 1025
+  protocol                 = "tcp"
+  security_group_id        = "${aws_security_group.tf-eks-node.id}"
+  source_security_group_id = "${aws_security_group.tf-eks-master.id}"
+  to_port                  = 65535
+  type                     = "ingress"
+}
+
+# allow worker nodes to access EKS master
+resource "aws_security_group_rule" "tf-eks-cluster-ingress-node-https" {
+  description              = "Allow pods to communicate with the cluster API Server"
+  from_port                = 443
+  protocol                 = "tcp"
+  security_group_id        = "${aws_security_group.tf-eks-node.id}"
+  source_security_group_id = "${aws_security_group.tf-eks-master.id}"
+  to_port                  = 443
+  type                     = "ingress"
+}
+
+resource "aws_security_group_rule" "tf-eks-node-ingress-master" {
+  description              = "Allow cluster control to receive communication from the worker Kubelets"
+  from_port                = 443
+  protocol                 = "tcp"
+  security_group_id        = "${aws_security_group.tf-eks-master.id}"
+  source_security_group_id = "${aws_security_group.tf-eks-node.id}"
+  to_port                  = 443
+  type                     = "ingress"
+}
+
+

Article 3/modules/security_groups/variables.tf

@@ -0,0 +1,9 @@
+variable "accessing_computer_ip" {
+ type = "string"
+ description = "IP of the computer to be allowed to connect to EKS master and nodes."
+}
+
+variable "vpc_id" {
+  type = "string"
+  description = "ID of the VPC used to setup the cluster."
+}

Article 3/provider.tf

@@ -0,0 +1,6 @@
+provider "aws" {
+ region  = "${var.aws_region}"
+ version = "~> 1.55.0"
+ access_key = "${var.aws_access_key}"
+ secret_key = "${var.aws_secret_key}"
+}

Article 3/state_config.tf

@@ -0,0 +1,9 @@
+terraform {
+ backend "s3" {
+   region         = "eu-west-1"
+   bucket         = "tf-article"
+   key            = "terraform.tfstate"
+   encrypt        = "true"
+   dynamodb_table = "tf-article-statelock"
+ }
+}

Article 3/terraform.tfvars

@@ -0,0 +1,5 @@
+aws_region              =   "placeholder"
+aws_access_key          =   "placeholder"
+aws_secret_key          =   "placeholder"
+subnet_count            =   "placeholder"
+accessing_computer_ip   =   "placeholder"

Article 3/variables.tf

@@ -0,0 +1,22 @@
+variable "aws_region" {
+ type = "string"
+ description = "Used AWS Region."
+}
+variable "aws_access_key" {
+ type = "string"
+ description = "The account identification key used by your Terraform client."
+}
+variable "aws_secret_key" {
+ type = "string"
+ description = "The secret key used by your terraform client to access AWS."
+}
+
+variable "subnet_count" {
+    type        = "string"
+    description = "The number of subnets we want to create per type to ensure high availability."
+}
+
+variable "accessing_computer_ip" {
+ type = "string"
+ description = "IP of the computer to be allowed to connect to EKS master and nodes."
+}