locals {
  # Common tags; re-used below as node-group tags.
  environment = "dev"
  source      = "terraform"
  repository  = "avx-pmarie-aws-infra"

  # VPC: two AZs, one private and one public /24 per AZ carved from the /16.
  vpc_name           = "avx-pmarie-aws-infra-vpc"
  cidr               = "10.88.0.0/16"
  azs                = ["eu-west-3a", "eu-west-3b"]
  private_subnets    = ["10.88.0.0/24", "10.88.1.0/24"]
  public_subnets     = ["10.88.128.0/24", "10.88.129.0/24"]
  enable_nat_gateway = true
  enable_vpn_gateway = false

  # EKS
  eks_cluster_name    = "avx-pmarie-eks"
  eks_cluster_version = "1.22"
  # IRSA: pods assume IAM roles through service-account tokens instead of
  # inheriting the node instance profile (least privilege per workload).
  enable_irsa = true
  node_group_defaults = {
    disk_size      = 50
    instance_types = ["t3.small"]
  }
  node_groups = {
    "eks-${local.environment}" = {
      min_size             = 1
      max_size             = 10
      desired_size         = 3
      bootstrap_extra_args = "--container-runtime containerd"
      instance_types       = ["t3.small"]
      tags = {
        environment = local.environment
        repository  = local.repository
        source      = local.source
      }
    }
  }

  # Previous, tighter security-group rules kept for reference: webhook traffic
  # between control plane and nodes was limited to TCP/8443 in both directions.
  # The active rules below open the whole ephemeral range 1024-65535 instead.
  #
  #   eks_cluster_security_group_additional_rules = {
  #     egress_nodes_ephemeral_ports_tcp = {
  #       description                = "Nginx validation webhook"
  #       protocol                   = "tcp"
  #       from_port                  = 8443
  #       to_port                    = 8443
  #       type                       = "egress"
  #       source_node_security_group = true
  #     }
  #   }
  #
  #   eks_node_security_group_additional_rules = {
  #     ingress_cluster_api_validation_webhooks = {
  #       description                   = "Control Plane to validation nginx webhook"
  #       protocol                      = "tcp"
  #       from_port                     = 8443
  #       to_port                       = 8443
  #       type                          = "ingress"
  #       source_cluster_security_group = true
  #     }
  #   }

  # Control plane -> nodes on any ephemeral TCP port, so admission webhooks
  # served on non-standard ports are reachable. The peer is the node security
  # group (not a CIDR), which bounds the exposure to cluster members.
  # NOTE(review): consider narrowing back to the concrete webhook ports once
  # they are known.
  eks_cluster_security_group_additional_rules = {
    egress_nodes_ephemeral_ports_tcp = {
      description                = "Validation webhooks"
      protocol                   = "tcp"
      from_port                  = 1024
      to_port                    = 65535
      type                       = "egress"
      source_node_security_group = true
    }
  }

  eks_node_security_group_additional_rules = {
    # Mirror of the cluster rule above, from the node side.
    ingress_cluster_api_validation_webhooks = {
      description                   = "Control Plane to webhooks"
      protocol                      = "tcp"
      from_port                     = 1024
      to_port                       = 65535
      type                          = "ingress"
      source_cluster_security_group = true
    }
    # Unrestricted node-to-node traffic (all protocols), scoped to the node
    # security group itself (self = true).
    ingress_self_all = {
      description = "Node to node all ports/protocols"
      protocol    = "-1"
      from_port   = 0
      to_port     = 0
      type        = "ingress"
      self        = true
    }
    # Unrestricted egress to the internet over IPv4 and IPv6.
    egress_all = {
      description      = "Node all egress"
      protocol         = "-1"
      from_port        = 0
      to_port          = 0
      type             = "egress"
      cidr_blocks      = ["0.0.0.0/0"]
      ipv6_cidr_blocks = ["::/0"]
    }
  }

  # EKS aws-auth: both IAM roles are mapped to system:masters, i.e. full
  # cluster-admin. The first entry hard-codes an account ID while the second
  # derives it from the Terragrunt get_aws_account_id() helper.
  # NOTE(review): confirm the hard-coded account ID is intentional (a role that
  # lives outside the deploying account) rather than a value that should also
  # be derived.
  eks_aws_auth_additional_roles = [{
    rolearn  = "arn:aws:iam::563042046245:role/AWSReservedSSO_SubAccountAdmin_6abfb8362d0dfbc0"
    username = "sre-admins"
    groups   = ["system:masters"]
  }, {
    rolearn  = "arn:aws:iam::${get_aws_account_id()}:role/k8s_admin"
    username = "admins"
    groups   = ["system:masters"]
  }]

  # EKS addon CSI EBS: pinned addon version.
  eks_addon_versions = {
    aws-ebs-csi-driver = "v1.7.0-eksbuild.0"
  }

  # AWS load balancer controller: service account, namespace and IAM role
  # name prefix (presumably consumed by an IRSA role — verify against the
  # module that reads these).
  aws_load_balancer_service_account_name = "aws-load-balancer"
  aws_load_balancer_namespace            = "aws-load-balancer"
  aws_load_balancer_iam_role_prefix      = "AWSLoadBalancerController"

  # DNS: public and private (VPC-internal) zones.
  dns_public_domain  = "aws.mkz.me"
  dns_private_domain = "aws-priv.mkz.me"

  # Ingress: nginx ingress controller fronted by two NLBs (public and internal).
  # Client-IP handling: use-proxy-protocol and use-forwarded-headers are both
  # off, so nginx does not trust any client-supplied PROXY/X-Forwarded-For
  # data and proxy-real-ip-cidr currently has no effect. If either is turned
  # on later, narrow proxy-real-ip-cidr from "0.0.0.0/0" to the load balancer
  # subnets; otherwise any direct client could spoof its source address.
  eks_ingress_controller = {
    namespace          = "nginx-ingress"
    create_namespace   = true
    enable_internal_lb = true
    ingress_config = {
      use-proxy-protocol         = false
      proxy-real-ip-cidr         = "0.0.0.0/0"
      use-forwarded-headers      = false
      compute-full-forwarded-for = false
    }
    # One entry per load balancer; dns_record = "*" requests a wildcard record.
    # proxy-protocol and nlb-target-type are left empty (controller defaults).
    load_balancer_config = {
      public = {
        dns_record                        = "*"
        backend-protocol                  = "tcp"
        connection-idle-timeout           = "60"
        cross-zone-load-balancing-enabled = true
        type                              = "nlb"
        proxy-protocol                    = ""
        nlb-target-type                   = ""
      }
      internal = {
        dns_record                        = "*"
        backend-protocol                  = "tcp"
        connection-idle-timeout           = "60"
        cross-zone-load-balancing-enabled = true
        type                              = "nlb"
        proxy-protocol                    = ""
        nlb-target-type                   = ""
      }
    }
  }
}