# AWS provider. Region is fixed here; credentials come from the named CLI
# profile rather than from the config itself.
provider "aws" {
  region  = "us-east-1"
  profile = "default"
}
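# Cluster name. Besides naming the EKS cluster it is embedded in the
# kubernetes.io/cluster/<name> tags on the VPC, subnets, node security group
# and autoscaling group, so renaming it re-tags all of those.
variable "cluster-name" {
  description = "Name of the EKS cluster; also used in the kubernetes.io/cluster/<name> discovery tags."
  type        = string
  default     = "terraform-eks-k8s"
}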
# This data source is included for ease of sample architecture deployment
# and can be swapped out as necessary.
# NOTE(review): no filter is applied, so names[] is whatever the provider
# returns for the region; confirm the first two entries are usable before
# relying on names[count.index] in aws_subnet.k8sNode.
data "aws_availability_zones" "available" {
}
# Dedicated VPC for the cluster; the subnets are carved from this /16.
# NOTE(review): the Name tag ends in "-node", the same value the subnets use;
# it reads like a copy-paste from aws_subnet.k8sNode — confirm the intended name.
resource "aws_vpc" "k8s_cluster_vpc" {
  cidr_block = "10.0.0.0/16"

  # The kubernetes.io/cluster tag is how the cloud provider discovers this VPC.
  tags = {
    "Name" = "terraform-eks-k8s-node"
    "kubernetes.io/cluster/${var.cluster-name}" = "shared"
  }
}
# Two /24 subnets, one per availability zone, from the VPC's 10.0.0.0/16.
# These become public subnets once aws_route_table_association binds them to
# the route table whose default route is the internet gateway, so anything
# launched here is reachable from the internet subject to its security group.
# NOTE(review): the literal 2 is repeated in aws_route_table_association;
# keep the two counts in step.
resource "aws_subnet" "k8sNode" {
  count = 2

  availability_zone = data.aws_availability_zones.available.names[count.index]
  cidr_block        = "10.0.${count.index}.0/24"
  vpc_id            = aws_vpc.k8s_cluster_vpc.id

  # Discovery tag for the cloud provider; "shared" presumably allows more than
  # one cluster to use the subnet — confirm against the consumer.
  tags = {
    "Name" = "terraform-eks-k8s-node"
    "kubernetes.io/cluster/${var.cluster-name}" = "shared"
  }
}
# Internet gateway for the cluster VPC; the route table below sends all
# non-local traffic through it.
resource "aws_internet_gateway" "k8s_cluster_vpc" {
  tags = {
    Name = "terraform-eks-k8s"
  }

  vpc_id = aws_vpc.k8s_cluster_vpc.id
}
# Route table with a single default route to the internet gateway. Any subnet
# associated with it is therefore a public subnet.
resource "aws_route_table" "k8s_route" {
  vpc_id = aws_vpc.k8s_cluster_vpc.id

  route {
    gateway_id = aws_internet_gateway.k8s_cluster_vpc.id
    cidr_block = "0.0.0.0/0"
  }
}
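# One association per node subnet. The count is derived from the subnet
# resource so it cannot drift from aws_subnet.k8sNode's count (previously both
# repeated the literal 2).
resource "aws_route_table_association" "k8s_route" {
  count = length(aws_subnet.k8sNode)

  subnet_id      = aws_subnet.k8sNode[count.index].id
  route_table_id = aws_route_table.k8s_route.id
}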
#IAM config

# Service role for the EKS control plane: the trust policy's only principal is
# eks.amazonaws.com, so only that service can assume it. Despite the "k8s-node"
# label this is not a role an EC2 worker instance can hold.
resource "aws_iam_role" "k8s-node" {
  name = "terraform-eks-k8s-cluster"

  assume_role_policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "eks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
POLICY
}
# Managed policy the control plane needs to manage cluster resources on the
# account's behalf; attached to the cluster service role.
resource "aws_iam_role_policy_attachment" "k8s-cluster-AmazonEKSClusterPolicy" {
  role       = aws_iam_role.k8s-node.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
}
# Second managed policy on the cluster service role.
# NOTE(review): AWS documents AmazonEKSServicePolicy as no longer required for
# newer clusters; verify whether it is still needed and drop it if not, to
# keep the role at the minimum set of permissions.
resource "aws_iam_role_policy_attachment" "k8s-cluster-AmazonEKSServicePolicy" {
  role       = aws_iam_role.k8s-node.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSServicePolicy"
}
# Security group for the control plane's network interfaces in the VPC.
# Only egress is defined inline; inbound rules are added as separate
# aws_security_group_rule resources below so they can be managed individually.
resource "aws_security_group" "k8s-cluster" {
  name        = "terraform-eks-k8s-cluster"
  description = "Cluster communication with worker nodes"
  vpc_id      = aws_vpc.k8s_cluster_vpc.id

  # Unrestricted egress: all protocols, all ports, any destination.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "terraform-eks-k8s"
  }
}
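# OPTIONAL: Allow inbound HTTPS from your workstation's external IP to the
# cluster security group. Set `workstation-cidrs` (terraform.tfvars or -var)
# to your own public address as a /32; services like icanhazip.com can help
# you find it. The previous version hard-coded one address in the rule itself,
# which the comment above it told the reader to edit by hand.
variable "workstation-cidrs" {
  description = "CIDR blocks allowed to reach the cluster security group on 443; keep these to individual /32s."
  type        = list(string)
  default     = ["173.38.220.53/32"]
}

# NOTE(review): this rule governs traffic to the control-plane ENIs inside the
# VPC; reachability of the cluster's public API endpoint is controlled by the
# aws_eks_cluster endpoint access settings, not by this security group — confirm
# which one you intend to restrict.
resource "aws_security_group_rule" "k8s-cluster-ingress-workstation-https" {
  type              = "ingress"
  description       = "Allow workstation to communicate with the cluster API Server"
  security_group_id = aws_security_group.k8s-cluster.id
  protocol          = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_blocks       = var.workstation-cidrs
}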
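# The EKS control plane. It runs under the cluster service role and attaches
# to the node subnets through the cluster security group.
resource "aws_eks_cluster" "k8s" {
  name     = var.cluster-name
  role_arn = aws_iam_role.k8s-node.arn

  vpc_config {
    # Plain reference; the former "${...}"-wrapped string is 0.11-style
    # interpolation that Terraform 0.12 reports as deprecated.
    security_group_ids = [aws_security_group.k8s-cluster.id]
    subnet_ids         = aws_subnet.k8sNode[*].id

    # Endpoint access is left at provider defaults here. Before production use,
    # set endpoint_private_access / endpoint_public_access explicitly and
    # narrow public_access_cidrs so the API server is not reachable from
    # arbitrary addresses.
  }

  # enabled_cluster_log_types is not set, so no control-plane logs (audit,
  # authenticator, ...) are shipped to CloudWatch; enable them if you need an
  # audit trail of API-server activity.

  # IAM propagation is not instantaneous; wait for the policy attachments so
  # the service role is usable when the control plane is created.
  depends_on = [
    aws_iam_role_policy_attachment.k8s-cluster-AmazonEKSClusterPolicy,
    aws_iam_role_policy_attachment.k8s-cluster-AmazonEKSServicePolicy,
  ]
}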
- #resource "aws_iam_role" "k8s-cluster" {
- # name = "terraform-eks-k8s-cluster"
- #
- # assume_role_policy = <<POLICY
- #{
- # "Version": "2012-10-17",
- # "Statement": [
- # {
- # "Effect": "Allow",
- # "Principal": {
- # "Service": "eks.amazonaws.com"
- # },
- # "Action": "sts:AssumeRole"
- # }
- # ]
- #}
- #POLICY
- #
- #}
# Security group shared by every worker node. As with the cluster group, only
# egress is inline; the inbound rules follow as separate resources.
resource "aws_security_group" "k8s-node" {
  name        = "terraform-eks-k8s-node"
  description = "Security group for all nodes in the cluster"
  vpc_id      = aws_vpc.k8s_cluster_vpc.id

  # Unrestricted egress: all protocols, all ports, any destination.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # "owned" (vs. "shared" on the VPC/subnets) presumably marks this group as
  # belonging to this one cluster — confirm against the consumer.
  tags = {
    "Name" = "terraform-eks-k8s-node"
    "kubernetes.io/cluster/${var.cluster-name}" = "owned"
  }
}
# Node-to-node traffic: any protocol and any port, but only when the source is
# itself a member of the node security group (a group reference, not a CIDR),
# so this does not open the nodes to the rest of the VPC.
resource "aws_security_group_rule" "k8s-node-ingress-self" {
  type                     = "ingress"
  description              = "Allow node to communicate with each other"
  security_group_id        = aws_security_group.k8s-node.id
  source_security_group_id = aws_security_group.k8s-node.id
  protocol                 = "-1"
  from_port                = 0
  to_port                  = 65535
}
# Control plane -> node traffic: TCP on the non-privileged port range, sourced
# from the cluster security group only.
resource "aws_security_group_rule" "k8s-node-ingress-cluster" {
  type                     = "ingress"
  description              = "Allow worker Kubelets and pods to receive communication from the cluster control plane"
  security_group_id        = aws_security_group.k8s-node.id
  source_security_group_id = aws_security_group.k8s-cluster.id
  protocol                 = "tcp"
  from_port                = 1025
  to_port                  = 65535
}
# Newest Amazon-published EKS worker AMI matching the cluster's Kubernetes
# version. The owners filter pins the publisher account, so an AMI with a
# look-alike name from another account cannot be selected.
# NOTE(review): most_recent = true means the image changes whenever AWS
# publishes a new build; pin a specific name if reproducible nodes are needed.
data "aws_ami" "eks-worker" {
  filter {
    name   = "name"
    values = ["amazon-eks-node-${aws_eks_cluster.k8s.version}-v*"]
  }

  most_recent = true
  owners      = ["602401143452"] # Amazon EKS AMI Account ID
}
# Region the provider is configured for.
# NOTE(review): nothing in this listing references data.aws_region.current;
# it may be used in a file not shown here, or be left over.
data "aws_region" "current" {
}
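locals {
  # Bootstrap script run on each worker at first boot (passed as user data).
  # Fix: the original traversal read `aws_eks_cluster. k8s.certificate_authority`
  # with a stray space after the first dot; it now references the cluster
  # resource cleanly.
  # `set -o xtrace` echoes every command, including the API endpoint and the
  # base64 cluster CA, into the instance's console output. Neither is secret,
  # but bear it in mind before adding anything sensitive to this script.
  k8s-node-userdata = <<USERDATA
#!/bin/bash
set -o xtrace
/etc/eks/bootstrap.sh --apiserver-endpoint '${aws_eks_cluster.k8s.endpoint}' --b64-cluster-ca '${aws_eks_cluster.k8s.certificate_authority[0].data}' '${var.cluster-name}'
USERDATA
}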
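# IAM identity for the worker nodes. The launch configuration previously had
# its iam_instance_profile commented out, so instances booted with no AWS
# credentials at all; a node needs an EC2-assumable role (and the aws-auth
# mapping for it) to authenticate to the EKS API server and join the cluster.
# The existing aws_iam_role.k8s-node cannot serve here: its trust policy names
# only eks.amazonaws.com.
resource "aws_iam_role" "k8s-node-instance" {
  name = "terraform-eks-k8s-node"

  # Trust policy: only EC2 (via the instance profile below) may assume it.
  assume_role_policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
POLICY
}

# The standard minimum for an EKS worker: node registration, the VPC CNI
# plugin, and read-only image pulls from ECR. Nothing broader is attached.
resource "aws_iam_role_policy_attachment" "k8s-node-AmazonEKSWorkerNodePolicy" {
  role       = aws_iam_role.k8s-node-instance.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
}

resource "aws_iam_role_policy_attachment" "k8s-node-AmazonEKS_CNI_Policy" {
  role       = aws_iam_role.k8s-node-instance.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
}

resource "aws_iam_role_policy_attachment" "k8s-node-AmazonEC2ContainerRegistryReadOnly" {
  role       = aws_iam_role.k8s-node-instance.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
}

# Named to match the reference the original launch configuration had
# commented out (aws_iam_instance_profile.k8s-node).
resource "aws_iam_instance_profile" "k8s-node" {
  name = "terraform-eks-k8s-node"
  role = aws_iam_role.k8s-node-instance.name
}

# Launch template for the worker autoscaling group.
resource "aws_launch_configuration" "k8s" {
  name_prefix          = "terraform-eks-k8s"
  image_id             = data.aws_ami.eks-worker.id
  instance_type        = "m4.large"
  iam_instance_profile = aws_iam_instance_profile.k8s-node.name
  security_groups      = [aws_security_group.k8s-node.id]
  user_data_base64     = base64encode(local.k8s-node-userdata)

  # Nodes get a public address because the node subnets route to the internet
  # gateway; inbound exposure is then governed solely by the node security group.
  associate_public_ip_address = true

  # A launch configuration is immutable; create the replacement first so the
  # autoscaling group is never left pointing at a deleted one.
  lifecycle {
    create_before_destroy = true
  }
}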
# Worker node pool spread across the node subnets.
resource "aws_autoscaling_group" "k8s" {
  name                 = "terraform-eks-k8s"
  launch_configuration = aws_launch_configuration.k8s.id
  vpc_zone_identifier  = aws_subnet.k8sNode[*].id

  # Two nodes steady-state; min_size of 1 presumably allows the group to
  # shrink to one node while an instance is replaced — confirm the intent.
  min_size         = 1
  desired_capacity = 2
  max_size         = 2

  # Both tags propagate to the instances; the kubernetes.io/cluster tag is
  # what ties the nodes to this cluster for discovery.
  tag {
    key                 = "Name"
    value               = "terraform-eks-k8s"
    propagate_at_launch = true
  }

  tag {
    key                 = "kubernetes.io/cluster/${var.cluster-name}"
    value               = "owned"
    propagate_at_launch = true
  }
}
# Rendered aws-auth ConfigMap. The rolearn is the IAM role that gets mapped
# into system:bootstrappers / system:nodes, i.e. whatever role the worker
# instances actually run under.
# NOTE(review): aws_iam_role.k8s-node is the control-plane service role (its
# trust policy names only eks.amazonaws.com), so no EC2 instance can present
# this ARN and the mapping grants node access to nothing; point it at the
# role held by the workers' instance profile once one is defined.
locals {
  config_map_aws_auth = <<CONFIGMAPAWSAUTH
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: ${aws_iam_role.k8s-node.arn}
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
CONFIGMAPAWSAUTH
}
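# Exposes the rendered manifest so it can be applied to the cluster
# (e.g. `terraform output -raw config_map_aws_auth | kubectl apply -f -`).
output "config_map_aws_auth" {
  description = "aws-auth ConfigMap manifest mapping the configured IAM role into system:nodes; apply it to the cluster after creation."
  value       = local.config_map_aws_auth
}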