avx-pmarie-aws-infra/infra/config.hcl

locals {
  # Common tags
  environment = "dev"
  source      = "terraform"
  repository  = "avx-pmarie-aws-infra"

  # VPC
  vpc_name = "avx-pmarie-aws-infra-vpc"
  cidr     = "10.88.0.0/16"

  azs             = ["eu-west-3a", "eu-west-3b"]
  private_subnets = ["10.88.0.0/24", "10.88.1.0/24"]
  public_subnets  = ["10.88.128.0/24", "10.88.129.0/24"]

  enable_nat_gateway = true
  enable_vpn_gateway = false

  # EKS
  eks_cluster_name    = "avx-pmarie-eks"
  eks_cluster_version = "1.22"
  enable_irsa         = true

  node_group_defaults = {
    disk_size      = 50
    instance_types = ["t3.small"]
  }

  node_groups = {
    "eks-${local.environment}" = {
      min_size     = 1
      max_size     = 10
      desired_size = 3

      bootstrap_extra_args = "--container-runtime containerd"

      instance_types = ["t3.small"]
      tags = {
        environment = local.environment
        repository  = local.repository
        source      = local.source
      }
    }
  }

  /*
    ⋮ 22 │  eks_cluster_security_group_additional_rules = {
    ⋮ 23 │    egress_nodes_ephemeral_ports_tcp = {
    ⋮ 24 │      description                = "Nginx validation webhook"
    ⋮ 25 │      protocol                   = "tcp"
    ⋮ 26 │      from_port                  = 8443
    ⋮ 27 │      to_port                    = 8443
    ⋮ 28 │      type                       = "egress"
    ⋮ 29 │      source_node_security_group = true
    ⋮ 30 │    }
    ⋮ 31 │  }
    ⋮ 32 │
 22 ⋮ 33 │  eks_node_security_group_additional_rules = {
    ⋮ 34 │    ingress_cluster_api_validation_webhooks = {
    ⋮ 35 │      description                   = "Control Plane to validation nginx webhook"
    ⋮ 36 │      protocol                      = "tcp"
    ⋮ 37 │      from_port                     = 8443
    ⋮ 38 │      to_port                       = 8443
    ⋮ 39 │      type                          = "ingress"
    ⋮ 40 │      source_cluster_security_group = true
    ⋮ 41 │    }

  */

  eks_cluster_security_group_additional_rules = {
    egress_nodes_ephemeral_ports_tcp = {
      description                = "Validation webhooks"
      protocol                   = "tcp"
      from_port                  = 1024
      to_port                    = 65535
      type                       = "egress"
      source_node_security_group = true
    }
  }

  eks_node_security_group_additional_rules = {
    ingress_cluster_api_validation_webhooks = {
      description                   = "Control Plane to webhooks"
      protocol                      = "tcp"
      from_port                     = 1024
      to_port                       = 65535
      type                          = "ingress"
      source_cluster_security_group = true
    }
    ingress_self_all = {
      description = "Node to node all ports/protocols"
      protocol    = "-1"
      from_port   = 0
      to_port     = 0
      type        = "ingress"
      self        = true
    }
    egress_all = {
      description      = "Node all egress"
      protocol         = "-1"
      from_port        = 0
      to_port          = 0
      type             = "egress"
      cidr_blocks      = ["0.0.0.0/0"]
      ipv6_cidr_blocks = ["::/0"]
    }
  }

  # EKS aws auth
  eks_aws_auth_additional_roles = [{
    rolearn  = "arn:aws:iam::563042046245:role/AWSReservedSSO_SubAccountAdmin_6abfb8362d0dfbc0"
    username = "sre-admins"
    groups   = ["system:masters"]
    }, {
    rolearn  = "arn:aws:iam::${get_aws_account_id()}:role/k8s_admin"
    username = "admins"
    groups   = ["system:masters"]
  }]

  # EKS addon CSI EBS
  eks_addon_versions = {
    aws-ebs-csi-driver = "v1.7.0-eksbuild.0"
  }

  # AWS load balancer
  aws_load_balancer_service_account_name = "aws-load-balancer"
  aws_load_balancer_namespace            = "aws-load-balancer"
  aws_load_balancer_iam_role_prefix      = "AWSLoadBalancerController"

  # DNS
  dns_public_domain  = "aws.mkz.me"
  dns_private_domain = "aws-priv.mkz.me"

  # Ingress
  eks_ingress_controller = {
    namespace          = "nginx-ingress"
    create_namespace   = true
    enable_internal_lb = true
    ingress_config = {
      use-proxy-protocol         = false
      proxy-real-ip-cidr         = "0.0.0.0/0"
      use-forwarded-headers      = false
      compute-full-forwarded-for = false
    }
    load_balancer_config = {
      public = {
        dns_record                        = "*"
        backend-protocol                  = "tcp"
        connection-idle-timeout           = "60"
        cross-zone-load-balancing-enabled = true
        type                              = "nlb"
        proxy-protocol                    = ""
        nlb-target-type                   = ""
      }
      internal = {
        dns_record                        = "*"
        backend-protocol                  = "tcp"
        connection-idle-timeout           = "60"
        cross-zone-load-balancing-enabled = true
        type                              = "nlb"
        proxy-protocol                    = ""
        nlb-target-type                   = ""
      }
    }
  }
}
Initial commit. 2022-07-01 14:12:11 +02:00			`locals {`
			`# Common tags`
			`environment = "dev"`
			`source = "terraform"`
			`repository = "avx-pmarie-aws-infra"`

			`# VPC`
			`vpc_name = "avx-pmarie-aws-infra-vpc"`
			`cidr = "10.88.0.0/16"`

			`azs = ["eu-west-3a", "eu-west-3b"]`
			`private_subnets = ["10.88.0.0/24", "10.88.1.0/24"]`
			`public_subnets = ["10.88.128.0/24", "10.88.129.0/24"]`

			`enable_nat_gateway = true`
			`enable_vpn_gateway = false`

			`# EKS`
			`eks_cluster_name = "avx-pmarie-eks"`
			`eks_cluster_version = "1.22"`
			`enable_irsa = true`

			`node_group_defaults = {`
			`disk_size = 50`
			`instance_types = ["t3.small"]`
			`}`

			`node_groups = {`
			`"eks-${local.environment}" = {`
			`min_size = 1`
			`max_size = 10`
			`desired_size = 3`

			`bootstrap_extra_args = "--container-runtime containerd"`

			`instance_types = ["t3.small"]`
			`tags = {`
			`environment = local.environment`
			`repository = local.repository`
			`source = local.source`
			`}`
			`}`
			`}`

			`/*`
			`⋮ 22 │ eks_cluster_security_group_additional_rules = {`
			`⋮ 23 │ egress_nodes_ephemeral_ports_tcp = {`
			`⋮ 24 │ description = "Nginx validation webhook"`
			`⋮ 25 │ protocol = "tcp"`
			`⋮ 26 │ from_port = 8443`
			`⋮ 27 │ to_port = 8443`
			`⋮ 28 │ type = "egress"`
			`⋮ 29 │ source_node_security_group = true`
			`⋮ 30 │ }`
			`⋮ 31 │ }`
			`⋮ 32 │`
			`22 ⋮ 33 │ eks_node_security_group_additional_rules = {`
			`⋮ 34 │ ingress_cluster_api_validation_webhooks = {`
			`⋮ 35 │ description = "Control Plane to validation nginx webhook"`
			`⋮ 36 │ protocol = "tcp"`
			`⋮ 37 │ from_port = 8443`
			`⋮ 38 │ to_port = 8443`
			`⋮ 39 │ type = "ingress"`
			`⋮ 40 │ source_cluster_security_group = true`
			`⋮ 41 │ }`

			`*/`

			`eks_cluster_security_group_additional_rules = {`
			`egress_nodes_ephemeral_ports_tcp = {`
			`description = "Validation webhooks"`
			`protocol = "tcp"`
			`from_port = 1024`
			`to_port = 65535`
			`type = "egress"`
			`source_node_security_group = true`
			`}`
			`}`

			`eks_node_security_group_additional_rules = {`
			`ingress_cluster_api_validation_webhooks = {`
			`description = "Control Plane to webhooks"`
			`protocol = "tcp"`
			`from_port = 1024`
			`to_port = 65535`
			`type = "ingress"`
			`source_cluster_security_group = true`
			`}`
			`ingress_self_all = {`
			`description = "Node to node all ports/protocols"`
			`protocol = "-1"`
			`from_port = 0`
			`to_port = 0`
			`type = "ingress"`
			`self = true`
			`}`
			`egress_all = {`
			`description = "Node all egress"`
			`protocol = "-1"`
			`from_port = 0`
			`to_port = 0`
			`type = "egress"`
			`cidr_blocks = ["0.0.0.0/0"]`
			`ipv6_cidr_blocks = ["::/0"]`
			`}`
			`}`

			`# EKS aws auth`
			`eks_aws_auth_additional_roles = [{`
			`rolearn = "arn:aws:iam::563042046245:role/AWSReservedSSO_SubAccountAdmin_6abfb8362d0dfbc0"`
			`username = "sre-admins"`
			`groups = ["system:masters"]`
			`}, {`
			`rolearn = "arn:aws:iam::${get_aws_account_id()}:role/k8s_admin"`
			`username = "admins"`
			`groups = ["system:masters"]`
			`}]`

			`# EKS addon CSI EBS`
			`eks_addon_versions = {`
			`aws-ebs-csi-driver = "v1.7.0-eksbuild.0"`
			`}`

			`# AWS load balancer`
			`aws_load_balancer_service_account_name = "aws-load-balancer"`
			`aws_load_balancer_namespace = "aws-load-balancer"`
			`aws_load_balancer_iam_role_prefix = "AWSLoadBalancerController"`

			`# DNS`
			`dns_public_domain = "aws.mkz.me"`
			`dns_private_domain = "aws-priv.mkz.me"`

			`# Ingress`
			`eks_ingress_controller = {`
			`namespace = "nginx-ingress"`
			`create_namespace = true`
			`enable_internal_lb = true`
			`ingress_config = {`
			`use-proxy-protocol = false`
			`proxy-real-ip-cidr = "0.0.0.0/0"`
			`use-forwarded-headers = false`
			`compute-full-forwarded-for = false`
			`}`
			`load_balancer_config = {`
			`public = {`
			`dns_record = "*"`
			`backend-protocol = "tcp"`
			`connection-idle-timeout = "60"`
			`cross-zone-load-balancing-enabled = true`
			`type = "nlb"`
			`proxy-protocol = ""`
			`nlb-target-type = ""`
			`}`
			`internal = {`
			`dns_record = "*"`
			`backend-protocol = "tcp"`
			`connection-idle-timeout = "60"`
			`cross-zone-load-balancing-enabled = true`
			`type = "nlb"`
			`proxy-protocol = ""`
			`nlb-target-type = ""`
			`}`
			`}`
			`}`
			`}`