Initial commit.

2022-02-11 14:42:37 +01:00
commit 38ae6b41ac
17 changed files with 655 additions and 0 deletions
--- a/eks/.terraform.lock.hcl
+++ b/eks/.terraform.lock.hcl
@ -0,0 +1,57 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/aws" {
+  version     = "3.74.1"
+  constraints = "~> 3.27"
+  hashes = [
+    "h1:0/ImOh63jJHOqiA165x+99N+MR0Rz7x4Nlcbnpys4Ww=",
+    "zh:2de9a8c19e07ea3b12c3fe5fe23ffa71354f90683d1f3ded41f2f318e8bad401",
+    "zh:3f651572f9ad067e119ed083d25455627ae121d36e737823f1d89445949f8ca0",
+    "zh:468c5954ea646e8edbf70c5a3dbce3d9591a47259f3cf3bdfb2c8728a5e3a083",
+    "zh:5b379f4803268d3a2cde0bd8a2b6b0a3752e0a22d2cb15a9a28c6a8852d17840",
+    "zh:5f1271620def1e199afad2377e37ab194f5d5ea51ff804c0e7d468fc4a48b741",
+    "zh:770783d8d743f28ecaeaf7485f9d602071d610278e33347a692ebb75ae690a8f",
+    "zh:aecfa7b52f39cbfb1ef53576935ad6cc05deebf82d0b8b6b82c10727469d1c85",
+    "zh:c905af45fc8cb64fe566c5b35241baf5e5850e137ebbd59a3298321648d05046",
+    "zh:d7dabb6a110073c8adaf34af288a485714b4be7185304d491f042827a77f9d5f",
+    "zh:e8ccc2ef2465164ce467f32d58e5ffad74da92cc3733551aef5e0d839532e3d4",
+    "zh:f1c2c9145383ab8675eab68398b53cf33edb2665d64ef2e48e0444771fa5849e",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/local" {
+  version = "2.1.0"
+  hashes = [
+    "h1:EYZdckuGU3n6APs97nS2LxZm3dDtGqyM4qaIvsmac8o=",
+    "zh:0f1ec65101fa35050978d483d6e8916664b7556800348456ff3d09454ac1eae2",
+    "zh:36e42ac19f5d68467aacf07e6adcf83c7486f2e5b5f4339e9671f68525fc87ab",
+    "zh:6db9db2a1819e77b1642ec3b5e95042b202aee8151a0256d289f2e141bf3ceb3",
+    "zh:719dfd97bb9ddce99f7d741260b8ece2682b363735c764cac83303f02386075a",
+    "zh:7598bb86e0378fd97eaa04638c1a4c75f960f62f69d3662e6d80ffa5a89847fe",
+    "zh:ad0a188b52517fec9eca393f1e2c9daea362b33ae2eb38a857b6b09949a727c1",
+    "zh:c46846c8df66a13fee6eff7dc5d528a7f868ae0dcf92d79deaac73cc297ed20c",
+    "zh:dc1a20a2eec12095d04bf6da5321f535351a594a636912361db20eb2a707ccc4",
+    "zh:e57ab4771a9d999401f6badd8b018558357d3cbdf3d33cc0c4f83e818ca8e94b",
+    "zh:ebdcde208072b4b0f8d305ebf2bfdc62c926e0717599dcf8ec2fd8c5845031c3",
+    "zh:ef34c52b68933bedd0868a13ccfd59ff1c820f299760b3c02e008dc95e2ece91",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/tls" {
+  version = "3.1.0"
+  hashes = [
+    "h1:fUJX8Zxx38e2kBln+zWr1Tl41X+OuiE++REjrEyiOM4=",
+    "zh:3d46616b41fea215566f4a957b6d3a1aa43f1f75c26776d72a98bdba79439db6",
+    "zh:623a203817a6dafa86f1b4141b645159e07ec418c82fe40acd4d2a27543cbaa2",
+    "zh:668217e78b210a6572e7b0ecb4134a6781cc4d738f4f5d09eb756085b082592e",
+    "zh:95354df03710691773c8f50a32e31fca25f124b7f3d6078265fdf3c4e1384dca",
+    "zh:9f97ab190380430d57392303e3f36f4f7835c74ea83276baa98d6b9a997c3698",
+    "zh:a16f0bab665f8d933e95ca055b9c8d5707f1a0dd8c8ecca6c13091f40dc1e99d",
+    "zh:be274d5008c24dc0d6540c19e22dbb31ee6bfdd0b2cddd4d97f3cd8a8d657841",
+    "zh:d5faa9dce0a5fc9d26b2463cea5be35f8586ab75030e7fa4d4920cd73ee26989",
+    "zh:e9b672210b7fb410780e7b429975adcc76dd557738ecc7c890ea18942eb321a5",
+    "zh:eb1f8368573d2370605d6dbf60f9aaa5b64e55741d96b5fb026dbfe91de67c0d",
+    "zh:fc1e12b713837b85daf6c3bb703d7795eaf1c5177aebae1afcf811dd7009f4b0",
+  ]
+}
--- a/eks/eks.tf
+++ b/eks/eks.tf
@ -0,0 +1,38 @@
+resource "aws_eks_cluster" "eks_cluster" {
+  name = "eks-cluster-${var.environment}"
+
+  role_arn = aws_iam_role.eks_role.arn
+
+  vpc_config {  
+    subnet_ids = [for subnet in aws_subnet.subnets : subnet.id]
+  }
+}
+
+# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_node_group
+resource "aws_eks_node_group" "eks_cluster" {
+  cluster_name    = aws_eks_cluster.eks_cluster.name
+  node_group_name = "eks_cluster-${var.environment}"
+  node_role_arn   = aws_iam_role.eks_role.arn
+  subnet_ids      = [for subnet in aws_subnet.subnets : subnet.id]
+
+  instance_types = ["t2.small"] # Free tiers
+
+  remote_access {
+    ec2_ssh_key = aws_key_pair.ssh.id
+    # TODO: define source_security_group_ids; Undefined but with a key, port 22 is opened WW.
+  }
+
+  scaling_config {
+    desired_size = 1
+    max_size     = 1
+    min_size     = 1
+  }
+
+  # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
+  # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
+  depends_on = [
+    aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
+    aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
+    aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
+  ]
+}
--- a/eks/output.tf
+++ b/eks/output.tf
@ -0,0 +1,17 @@
+output "region" {
+  description = "AWS region"
+  value       = var.aws_region
+}
+
+output "cluster_name" {
+  description = "Kubernetes Cluster Name"
+  value       = aws_eks_cluster.eks_cluster.name
+}
+
+output "vpc" {
+  value = aws_vpc.main
+}
+
+output "eks" {
+  value = aws_eks_cluster.eks_cluster
+}
--- a/eks/provider.tf
+++ b/eks/provider.tf
@ -0,0 +1,15 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 3.27"
+    }
+  }
+
+  required_version = ">= 0.14.9"
+}
+
+provider "aws" {
+    profile = var.aws_profile
+    region = var.aws_region
+}
--- a/eks/roles.tf
+++ b/eks/roles.tf
@ -0,0 +1,45 @@
+resource "aws_iam_role" "eks_role" {
+  name = "eks"
+
+  assume_role_policy = jsonencode({
+    Statement = [{
+      Action = "sts:AssumeRole"
+      Effect = "Allow"
+      Principal = {
+        Service = "eks.amazonaws.com"
+      }
+    },{
+      Action = "sts:AssumeRole"
+      Effect = "Allow"
+      Principal = {
+        Service = "ec2.amazonaws.com"
+      }
+    }]
+    Version = "2012-10-17"
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "eks-AmazonEKSClusterPolicy" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
+  role       = aws_iam_role.eks_role.name
+}
+
+resource "aws_iam_role_policy_attachment" "eks-AmazonEKSVPCResourceController" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController"
+  role       = aws_iam_role.eks_role.name
+}
+
+resource "aws_iam_role_policy_attachment" "eks-AmazonEKSWorkerNodePolicy" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
+  role       = aws_iam_role.eks_role.name
+}
+
+resource "aws_iam_role_policy_attachment" "eks-AmazonEKS_CNI_Policy" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
+  role       = aws_iam_role.eks_role.name
+}
+
+resource "aws_iam_role_policy_attachment" "eks-AmazonEC2ContainerRegistryReadOnly" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+  role       = aws_iam_role.eks_role.name
+}
--- a/eks/security.tf
+++ b/eks/security.tf
@ -0,0 +1,29 @@
+# A basic security group for our nginx server (running on NodePort 31234)
+
+# resource "aws_security_group_rule" "public_out" {
+#   type        = "egress"
+#   from_port   = 0
+#   to_port     = 0
+#   protocol    = "-1"
+#   cidr_blocks = ["0.0.0.0/0"]
+#  
+#   security_group_id = aws_eks_cluster.eks_cluster.vpc_config[0].cluster_security_group_id
+# }
+
+resource "aws_security_group_rule" "public_in_ssh" {
+  type              = "ingress"
+  from_port         = 22
+  to_port           = 22
+  protocol          = "tcp"
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = aws_eks_cluster.eks_cluster.vpc_config[0].cluster_security_group_id
+}
+
+resource "aws_security_group_rule" "public_in_http" {
+  type              = "ingress"
+  from_port         = 31234
+  to_port           = 31234
+  protocol          = "tcp"
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = aws_eks_cluster.eks_cluster.vpc_config[0].cluster_security_group_id
+}
--- a/eks/sshkeys.tf
+++ b/eks/sshkeys.tf
@ -0,0 +1,19 @@
+resource "tls_private_key" "ssh" {
+  algorithm = "RSA"
+  rsa_bits  = 4096
+}
+
+resource "aws_key_pair" "ssh" {
+  key_name   = "ec2-terraform"
+  public_key = tls_private_key.ssh.public_key_openssh
+}
+
+resource "local_file" "pem_file" {
+  filename = pathexpand("~/.ssh/${aws_key_pair.ssh.key_name}.pem")
+  file_permission = "400"
+  directory_permission = "700"
+  sensitive_content = tls_private_key.ssh.private_key_pem
+}
+
+
+# ssh -i ~/.ssh/ec2-terraform.pem -l ec2-user 52.47.91.179
--- a/eks/variables.tf
+++ b/eks/variables.tf
@ -0,0 +1,33 @@
+variable "aws_profile" {
+    type = string
+    default = "aws-infra"
+}
+
+variable "aws_region" {
+    type = string
+    default = "eu-west-3"
+}
+
+variable "environment" {
+    type = string
+    default = "prod"
+}
+
+# AZ can be seen using: aws ec2 describe-availability-zones --region eu-west-3
+variable "vpc_subnets" {
+    type = map(object({
+        cidr_block        = string
+        availability_zone = string
+    }))
+
+    default = {
+        "alpha" = { 
+            cidr_block        = "10.0.1.0/24"
+            availability_zone = "eu-west-3b"
+        }
+        "beta" = {
+            cidr_block        = "10.0.2.0/24"
+            availability_zone = "eu-west-3c"
+        }
+    }
+}
--- a/eks/vpc.tf
+++ b/eks/vpc.tf
@ -0,0 +1,44 @@
+resource "aws_vpc" "main" {
+  cidr_block = "10.0.0.0/16"
+
+  enable_dns_hostnames = true
+
+  tags = {
+    Name = "vpc-${var.environment}"
+    Env = var.environment
+  }
+}
+
+resource "aws_subnet" "subnets" {
+  vpc_id     = aws_vpc.main.id
+  for_each   = var.vpc_subnets
+  cidr_block = each.value.cidr_block
+  availability_zone = each.value.availability_zone
+
+  map_public_ip_on_launch = true
+
+  tags = {
+    Name = "${each.key}-${var.environment}"
+    Env = var.environment
+    "kubernetes.io/cluster/eks-cluster-${var.environment}" = "shared"
+  }
+}
+
+resource "aws_internet_gateway" "nat_gateway" {
+  vpc_id = aws_vpc.main.id
+}
+
+resource "aws_route_table" "nat_gateway" {
+  vpc_id = aws_vpc.main.id
+  route {
+    cidr_block = "0.0.0.0/0"
+    gateway_id = aws_internet_gateway.nat_gateway.id
+  }
+}
+
+resource "aws_route_table_association" "nat_gateway" {
+  for_each = aws_subnet.subnets
+
+  subnet_id = each.value.id
+  route_table_id = aws_route_table.nat_gateway.id
+}