Add kubernetes module for aws

docs/CloudPrivileges.md

@@ -14,68 +14,90 @@ To create a policy in the AWS console, open IAM > Policies and choose Create pol
 
 ```json
 {
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Action": [
-                "ec2:*Address",
-                "ec2:*InternetGateway",
-                "ec2:*Ipv6Addresses",
-                "ec2:*KeyPair",
-                "ec2:*NatGateway",
-                "ec2:*PrivateIpAddresses",
-                "ec2:*RouteTable",
-                "ec2:*SecurityGroup*",
-                "ec2:*Subnet*",
-                "ec2:*SubnetCidrBlock",
-                "ec2:*Tags",
-                "ec2:*Volume",
-                "ec2:*VpcCidrBlock",
-                "ec2:CreateRoute",
-                "ec2:CreateVpc",
-                "ec2:DeleteRoute",
-                "ec2:DeleteVpc",
-                "ec2:Describe*",
-                "ec2:Get*",
-                "ec2:ModifyVpcAttribute",
-                "ec2:ReplaceRouteTableAssociation",
-                "ec2:RunInstances",
-                "ec2:StartInstances",
-                "ec2:StopInstances",
-                "ec2:TerminateInstances",
-                "elasticloadbalancing:*",
-                "iam:AddRoleToInstanceProfile",
-                "iam:AttachRolePolicy",
-                "iam:CreateInstanceProfile",
-                "iam:CreatePolicy",
-                "iam:CreateRole",
-                "iam:DeleteInstanceProfile",
-                "iam:DeletePolicy",
-                "iam:DeleteRole",
-                "iam:DetachRolePolicy",
-                "iam:GetInstanceProfile",
-                "iam:GetPolicy",
-                "iam:GetPolicyVersion",
-                "iam:GetRole",
-                "iam:ListAttachedRolePolicies",
-                "iam:ListInstanceProfilesForRole",
-                "iam:ListPolicyVersions",
-                "iam:PassRole",
-                "iam:RemoveRoleFromInstanceProfile",
-                "iam:TagRole",
-                "route53:*HostedZone*",
-                "route53:ChangeResourceRecordSets",
-                "route53:ChangeTagsForResource",
-                "route53:Get*",
-                "route53:List*",
-                "s3:GetBucketLocation",
-                "s3:GetObject",
-                "s3:ListBucket"
-            ],
-            "Resource": "*"
-        }
-    ]
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ec2:*Address",
+        "ec2:*InternetGateway",
+        "ec2:*Ipv6Addresses",
+        "ec2:*KeyPair",
+        "ec2:*NatGateway",
+        "ec2:*PrivateIpAddresses",
+        "ec2:*RouteTable",
+        "ec2:*SecurityGroup*",
+        "ec2:*Subnet*",
+        "ec2:*SubnetCidrBlock",
+        "ec2:*Tags",
+        "ec2:*Volume",
+        "ec2:*VpcCidrBlock",
+        "ec2:CreateRoute",
+        "ec2:CreateVpc",
+        "ec2:DeleteRoute",
+        "ec2:DeleteVpc",
+        "ec2:Describe*",
+        "ec2:Get*",
+        "ec2:ModifyVpcAttribute",
+        "ec2:ReplaceRouteTableAssociation",
+        "ec2:RunInstances",
+        "ec2:StartInstances",
+        "ec2:StopInstances",
+        "ec2:TerminateInstances",
+        "elasticloadbalancing:*",
+        "iam:AddRoleToInstanceProfile",
+        "iam:AttachRolePolicy",
+        "iam:CreateInstanceProfile",
+        "iam:CreatePolicy",
+        "iam:CreateRole",
+        "iam:DeleteInstanceProfile",
+        "iam:DeletePolicy",
+        "iam:DeleteRole",
+        "iam:DetachRolePolicy",
+        "iam:GetInstanceProfile",
+        "iam:GetPolicy",
+        "iam:GetPolicyVersion",
+        "iam:GetRole",
+        "iam:ListAttachedRolePolicies",
+        "iam:ListInstanceProfilesForRole",
+        "iam:ListPolicyVersions",
+        "iam:PassRole",
+        "iam:RemoveRoleFromInstanceProfile",
+        "iam:TagRole",
+        "route53:*HostedZone*",
+        "route53:ChangeResourceRecordSets",
+        "route53:ChangeTagsForResource",
+        "route53:Get*",
+        "route53:List*",
+        "s3:GetBucketLocation",
+        "s3:GetObject",
+        "s3:ListBucket",
+        // Following permissions are needed when using kubernetes module
+        "eks:*",
+        "autoscaling:*",
+        "ec2:Associate*",
+        "ec2:AttachInternetGateway",
+        "ec2:AttachNetworkInterface",
+        "ec2:DetachInternetGateway",
+        "ec2:DetachNetworkInterface",
+        "ec2:*LaunchTemplate*",
+        "iam:CreateServiceLinkedRole",
+        "iam:CreatePolicyVersion",
+        "iam:DeleteServiceLinkedRole",
+        "iam:PutRolePolicy",
+        "iam:TagRole",
+        "iam:UntagRole",
+        "iam:UpdateAssumeRolePolicy",
+        // Following permissions are needed if cluster_enabled_log_types is enabled in kubernetes module
+        "logs:CreateLogGroup",
+        "logs:DescribeLogGroups",
+        "logs:DeleteLogGroup",
+        "logs:ListTagsLogGroup",
+        "logs:PutRetentionPolicy"
+      ],
+      "Resource": "*"
+    }
+  ]
 }
 ```
 
@@ -95,33 +117,31 @@ Please keep your subscription ID in the `assignableScopes` array.
 
 ```json
 {
-    "properties": {
-        "roleName": "Scalar Terraform Runner",
-        "description": "",
-        "assignableScopes": [
-            "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  "properties": {
+    "roleName": "Scalar Terraform Runner",
+    "description": "",
+    "assignableScopes": ["/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"],
+    "permissions": [
+      {
+        "actions": [
+          "Microsoft.Authorization/roleAssignments/*",
+          "Microsoft.Compute/availabilitySets/*",
+          "Microsoft.Compute/disks/*",
+          "Microsoft.Compute/virtualMachines/*",
+          "Microsoft.Network/loadBalancers/*",
+          "Microsoft.Network/networkInterfaces/*",
+          "Microsoft.Network/networkSecurityGroups/*",
+          "Microsoft.Network/privateDnsZones/*",
+          "Microsoft.Network/publicIPAddresses/*",
+          "Microsoft.Network/virtualNetworks/*",
+          "Microsoft.Resources/subscriptions/resourceGroups/*"
         ],
-        "permissions": [
-            {
-                "actions": [
-                    "Microsoft.Authorization/roleAssignments/*",
-                    "Microsoft.Compute/availabilitySets/*",
-                    "Microsoft.Compute/disks/*",
-                    "Microsoft.Compute/virtualMachines/*",
-                    "Microsoft.Network/loadBalancers/*",
-                    "Microsoft.Network/networkInterfaces/*",
-                    "Microsoft.Network/networkSecurityGroups/*",
-                    "Microsoft.Network/privateDnsZones/*",
-                    "Microsoft.Network/publicIPAddresses/*",
-                    "Microsoft.Network/virtualNetworks/*",
-                    "Microsoft.Resources/subscriptions/resourceGroups/*"
-                ],
-                "notActions": [],
-                "dataActions": [],
-                "notDataActions": []
-            }
-        ]
-    }
+        "notActions": [],
+        "dataActions": [],
+        "notDataActions": []
+      }
+    ]
+  }
 }
 ```
 

examples/aws/kubernetes/aws.tf

@@ -0,0 +1,4 @@
+provider "aws" {
+  version = "~> 2.0"
+  region  = var.region
+}

examples/aws/kubernetes/backend.tf.s3

@@ -0,0 +1,7 @@
+terraform {
+  backend "s3" {
+    bucket = "example-scalar-tfstate"
+    key    = "kubernetes/terraform.tfstate"
+    region = "ap-northeast-1"
+  }
+}

examples/aws/kubernetes/example.tfvars

@@ -0,0 +1,47 @@
+region = "ap-northeast-1"
+
+kubernetes_cluster = {
+  # name                                 = "scalar-kubernetes"
+  # kubernetes_version                   = "1.16"
+  # cluster_enabled_log_types            = ""
+  # cluster_log_retention_in_days        = "90"
+  # cluster_log_kms_key_id               = ""
+  # cluster_endpoint_private_access      = "true"
+  # cluster_endpoint_public_access       = "true"
+  # cluster_endpoint_public_access_cidrs = "0.0.0.0/0"
+  # cluster_create_timeout               = "30m"
+  # cluster_delete_timeout               = "15m"
+  # cluster_encryption_config_enabled    = "false"
+  # cluster_encryption_config_resources  = ""
+  # cluster_encryption_config_kms_key_id = ""
+  # use_fargate_profile                  = "false"
+  # manage_aws_auth                      = "true"
+}
+
+kubernetes_node_groups = {
+  default_node_pool = {
+    # name                           = "default"
+    # node_count                     = "3"
+    # vm_size                        = "m5.large"
+    # os_disk_size_gb                = "64"
+    # cluster_auto_scaling_min_count = "3"
+    # cluster_auto_scaling_max_count = "6"
+    # kubernetes_labels = {}
+  }
+
+  scalar_apps_pool = {
+    # name                           = "scalardlpool"
+    # node_count                     = "3"
+    # vm_size                        = "m5.large"
+    # os_disk_size_gb                = "64"
+    # cluster_auto_scaling_min_count = "3"
+    # cluster_auto_scaling_max_count = "6"
+    # kubernetes_labels = {
+      # agentpool = "scalardlpool"
+    # }
+  }
+}
+
+custom_tags = {
+  # "environment" = "example"
+}

examples/aws/kubernetes/locals.tf

@@ -0,0 +1,18 @@
+locals {
+  network = {
+    cidr   = data.terraform_remote_state.network.outputs.network_cidr
+    name   = data.terraform_remote_state.network.outputs.network_name
+    id     = data.terraform_remote_state.network.outputs.network_id
+    region = data.terraform_remote_state.network.outputs.region
+
+    public_subnet_ids  = join(",", data.terraform_remote_state.network.outputs.subnet_map["public"])
+    private_subnet_ids = join(",", data.terraform_remote_state.network.outputs.subnet_map["private"])
+    subnet_ids         = join(",", data.terraform_remote_state.network.outputs.subnet_map["kubernetes"])
+
+    bastion_ip      = data.terraform_remote_state.network.outputs.bastion_ip
+    user_name       = data.terraform_remote_state.network.outputs.user_name
+    internal_domain = data.terraform_remote_state.network.outputs.internal_domain
+  }
+
+  custom_tags = data.terraform_remote_state.network.outputs.custom_tags
+}

examples/aws/kubernetes/main.tf

@@ -0,0 +1,12 @@
+module "kubernetes" {
+  # source = "git@github.com:scalar-labs/scalar-terraform.git//modules/aws/kubernetes?ref=v1.0.0"
+  source = "../../../modules/aws/kubernetes"
+
+  # Required Variables (Use network remote state)
+  network = local.network
+
+  kubernetes_cluster     = var.kubernetes_cluster
+  kubernetes_node_groups = var.kubernetes_node_groups
+
+  custom_tags = var.custom_tags
+}

examples/aws/kubernetes/output.tf

@@ -0,0 +1,22 @@
+output "inventory_ini" {
+  value = <<EOF
+[bastion]
+${local.network.bastion_ip}
+
+[bastion:vars]
+ansible_user=${local.network.user_name}
+ansible_python_interpreter=/usr/bin/python3
+
+[all:vars]
+internal_domain=${local.network.internal_domain}
+EOF
+}
+
+output "kube_config" {
+  value       = module.kubernetes.kube_config
+  description = "kubectl configuration e.g: ~/.kube/config"
+}
+
+output "config_map_aws_auth" {
+  value = module.kubernetes.config_map_aws_auth
+}

examples/aws/kubernetes/remote.tf

@@ -0,0 +1,7 @@
+data "terraform_remote_state" "network" {
+  backend = "local"
+
+  config = {
+    path = "../network/terraform.tfstate"
+  }
+}

examples/aws/kubernetes/remote.tf.s3

@@ -0,0 +1,9 @@
+data "terraform_remote_state" "network" {
+  backend = "s3"
+
+  config = {
+    bucket = "example-scalar-tfstate"
+    key    = "network/terraform.tfstate"
+    region = "ap-northeast-1"
+  }
+}

examples/aws/kubernetes/vars.tf

@@ -0,0 +1,27 @@
+# General Settings
+variable "region" {
+  default = "ap-northeast-1"
+}
+
+variable "network" {
+  type    = map
+  default = {}
+}
+
+variable "kubernetes_cluster" {
+  type    = map
+  default = {}
+}
+
+variable "kubernetes_node_groups" {
+  type = any
+  default = {
+    default_node_pool = {}
+    scalar_apps_pool  = {}
+  }
+}
+
+variable "custom_tags" {
+  type    = map
+  default = {}
+}

examples/aws/kubernetes/versions.tf

@@ -0,0 +1,3 @@
+terraform {
+  required_version = ">= 0.12"
+}

modules/aws/kubernetes/README.md

@@ -0,0 +1,17 @@
+# Kubernetes AWS Module
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| custom_tags | The map of custom tags | `map` | `{}` | no |
+| kubernetes_cluster | Custom definition kubernetes properties that include the name of the cluster, kubernetes version, etc.. | `map` | `{}` | no |
+| kubernetes_node_groups | Map of map of node groups to create | `any` | <pre>{<br>  "default_node_pool": {},<br>  "scalar_apps_pool": {}<br>}</pre> | no |
+| network | Custom definition for network and bastion | `map` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| config_map_aws_auth | A kubernetes configuration to authenticate to this EKS cluster. |
+| kube_config | kubectl configuration e.g: ~/.kube/config |