diff --git a/kubernetes/cloud/amazon/terraform/eks-cluster.tf b/kubernetes/cloud/amazon/terraform/eks-cluster.tf
deleted file mode 100644
index 91834c7..0000000
--- a/kubernetes/cloud/amazon/terraform/eks-cluster.tf
+++ /dev/null
@@ -1,33 +0,0 @@
-module "eks" {
- source = "terraform-aws-modules/eks/aws"
- cluster_name = var.cluster_name
- subnets = module.vpc.private_subnets
- cluster_create_timeout = "1h"
-
- vpc_id = module.vpc.vpc_id
- worker_additional_security_group_ids = [aws_security_group.all_worker_mgmt.id]
- worker_groups = [
- {
- name = "worker-group-1"
- instance_type = "t2.small"
- additional_userdata = "echo foo bar"
- asg_desired_capacity = 2
- additional_security_group_ids = [aws_security_group.worker_group_mgmt_one.id]
- },
- ]
-}
-
-data "aws_eks_cluster" "cluster" {
- name = module.eks.cluster_id
-}
-
-data "aws_eks_cluster_auth" "cluster" {
- name = module.eks.cluster_id
-}
-
-module "kubernetes" {
- source = "./modules/kubernetes/"
- host = data.aws_eks_cluster.cluster.endpoint
- token = data.aws_eks_cluster_auth.cluster.token
- cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
-}
\ No newline at end of file
diff --git a/kubernetes/cloud/amazon/terraform/main.tf b/kubernetes/cloud/amazon/terraform/main.tf
new file mode 100644
index 0000000..5de04b9
--- /dev/null
+++ b/kubernetes/cloud/amazon/terraform/main.tf
@@ -0,0 +1,182 @@
+terraform {
+ required_version = ">= 0.12.0"
+}
+
+provider "aws" {
+ version = ">= 2.28.1"
+ region = var.region
+}
+
+provider "null" {
+ version = "~> 2.1"
+}
+
+provider "template" {
+ version = "~> 2.1"
+}
+
+data "aws_eks_cluster" "cluster" {
+ name = module.eks.cluster_id
+}
+
+data "aws_eks_cluster_auth" "cluster" {
+ name = module.eks.cluster_id
+}
+
+data "aws_availability_zones" "available" {
+}
+
+resource "aws_security_group" "worker_group_mgmt_one" {
+ name_prefix = "worker_group_mgmt_one"
+ vpc_id = module.vpc.vpc_id
+
+ ingress {
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+
+ cidr_blocks = [
+ "10.0.0.0/8",
+ ]
+ }
+}
+
+resource "aws_security_group" "all_worker_mgmt" {
+ name_prefix = "all_worker_management"
+ vpc_id = module.vpc.vpc_id
+
+ ingress {
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+
+ cidr_blocks = [
+ "10.0.0.0/8",
+ "172.16.0.0/12",
+ "192.168.0.0/16",
+ ]
+ }
+}
+
+module "vpc" {
+ source = "terraform-aws-modules/vpc/aws"
+ version = "2.6.0"
+
+ name = "test-vpc"
+ cidr = "10.0.0.0/16"
+ azs = data.aws_availability_zones.available.names
+ private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+ public_subnets = ["10.0.4.0/24", "10.0.5.0/24", "10.0.6.0/24"]
+ enable_nat_gateway = true
+ single_nat_gateway = true
+ enable_dns_hostnames = true
+
+ public_subnet_tags = {
+ "kubernetes.io/cluster/${var.cluster_name}" = "shared"
+ "kubernetes.io/role/elb" = "1"
+ }
+
+ private_subnet_tags = {
+ "kubernetes.io/cluster/${var.cluster_name}" = "shared"
+ "kubernetes.io/role/internal-elb" = "1"
+ }
+}
+
+module "eks" {
+ source = "terraform-aws-modules/eks/aws"
+ cluster_name = var.cluster_name
+ cluster_version = "1.17"
+ subnets = module.vpc.private_subnets
+ version = "12.2.0"
+ cluster_create_timeout = "1h"
+ cluster_endpoint_private_access = true
+
+ vpc_id = module.vpc.vpc_id
+
+ worker_groups = [
+ {
+ name = "worker-group-1"
+ instance_type = "t2.small"
+ additional_userdata = "echo foo bar"
+ asg_desired_capacity = 2
+ additional_security_group_ids = [aws_security_group.worker_group_mgmt_one.id]
+ },
+ ]
+
+ worker_additional_security_group_ids = [aws_security_group.all_worker_mgmt.id]
+ map_roles = var.map_roles
+ map_users = var.map_users
+ map_accounts = var.map_accounts
+}
+
+
+
+provider "kubernetes" {
+ host = data.aws_eks_cluster.cluster.endpoint
+ cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
+ token = data.aws_eks_cluster_auth.cluster.token
+ load_config_file = false
+ version = "~> 1.11"
+}
+
+resource "kubernetes_deployment" "example" {
+ metadata {
+ name = "terraform-example"
+ labels = {
+ test = "MyExampleApp"
+ }
+ }
+
+ spec {
+ replicas = 3
+
+ selector {
+ match_labels = {
+ test = "MyExampleApp"
+ }
+ }
+
+ template {
+ metadata {
+ labels = {
+ test = "MyExampleApp"
+ }
+ }
+
+ spec {
+ container {
+ image = "nginx:1.7.8"
+ name = "example"
+
+ resources {
+ limits {
+ cpu = "0.5"
+ memory = "512Mi"
+ }
+ requests {
+ cpu = "250m"
+ memory = "50Mi"
+ }
+ }
+ }
+ }
+ }
+ }
+}
+
+resource "kubernetes_service" "example" {
+ metadata {
+ name = "terraform-example"
+ }
+ spec {
+ selector = {
+ test = "MyExampleApp"
+ }
+ port {
+ port = 80
+ target_port = 80
+ }
+
+ type = "LoadBalancer"
+ }
+}
\ No newline at end of file
diff --git a/kubernetes/cloud/amazon/terraform/modules/kubernetes/kubernetes.tf b/kubernetes/cloud/amazon/terraform/modules/kubernetes/kubernetes.tf
deleted file mode 100644
index e7645cf..0000000
--- a/kubernetes/cloud/amazon/terraform/modules/kubernetes/kubernetes.tf
+++ /dev/null
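Review bot: The `module "eks"` block turns on `cluster_endpoint_private_access = true` but never sets `cluster_endpoint_public_access` or `cluster_endpoint_public_access_cidrs`, and as far as I recall the pinned terraform-aws-modules/eks 12.2.0 defaults those to a public endpoint open to 0.0.0.0/0, so the API server stays internet-reachable with only the IAM/aws-auth layer in front of it. Add `cluster_endpoint_public_access = false` next to the private-access line, or, if kubectl from outside the VPC is genuinely needed, `cluster_endpoint_public_access_cidrs = ["<admin-cidr>/32"]`. Relatedly, `all_worker_mgmt` opens SSH to every RFC1918 range although the VPC is `10.0.0.0/16`; narrowing `cidr_blocks` to that range (or dropping SSH in favour of SSM) costs nothing here. On the workload side, `image = "nginx:1.7.8"` is a years-old mutable tag published behind a `type = "LoadBalancer"` service on the public subnets, so pin a current image by digest before this gets copied as a template.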
@@ -1,72 +0,0 @@
-# # Kubernetes provider
-# # https://learn.hashicorp.com/terraform/kubernetes/provision-eks-cluster#optional-configure-terraform-kubernetes-provider
-# # To learn how to schedule deployments and services using the provider, go here: ttps://learn.hashicorp.com/terraform/kubernetes/deploy-nginx-kubernetes.
-
-provider "kubernetes" {
- load_config_file = "false"
- host = var.host
- token = var.token
- cluster_ca_certificate = var.cluster_ca_certificate
-}
-
-resource "kubernetes_deployment" "example" {
- metadata {
- name = "terraform-example"
- labels = {
- test = "MyExampleApp"
- }
- }
-
- spec {
- replicas = 3
-
- selector {
- match_labels = {
- test = "MyExampleApp"
- }
- }
-
- template {
- metadata {
- labels = {
- test = "MyExampleApp"
- }
- }
-
- spec {
- container {
- image = "nginx:1.7.8"
- name = "example"
-
- resources {
- limits {
- cpu = "0.5"
- memory = "512Mi"
- }
- requests {
- cpu = "250m"
- memory = "50Mi"
- }
- }
- }
- }
- }
- }
-}
-
-resource "kubernetes_service" "example" {
- metadata {
- name = "terraform-example"
- }
- spec {
- selector = {
- test = "MyExampleApp"
- }
- port {
- port = 80
- target_port = 80
- }
-
- type = "LoadBalancer"
- }
-}
\ No newline at end of file
diff --git a/kubernetes/cloud/amazon/terraform/modules/kubernetes/variables.tf b/kubernetes/cloud/amazon/terraform/modules/kubernetes/variables.tf
deleted file mode 100644
index fba9fb0..0000000
--- a/kubernetes/cloud/amazon/terraform/modules/kubernetes/variables.tf
+++ /dev/null
@@ -1,9 +0,0 @@
-
-variable "host" {
-}
-
-variable "token" {
-}
-
-variable "cluster_ca_certificate" {
-}
diff --git a/kubernetes/cloud/amazon/terraform/readme.md b/kubernetes/cloud/amazon/terraform/readme.md
index 2b5f66f..1658ab8 100644
--- a/kubernetes/cloud/amazon/terraform/readme.md
+++ b/kubernetes/cloud/amazon/terraform/readme.md
@@ -11,7 +11,7 @@ We'll need the Amazon CLI to gather information so we can build our Terraform fi ``` # Run Amazon CLI -docker run -it --rm -v ${PWD}:/work -w /work --entrypoint /bin/sh amazon/aws-cli:2.0.17 +docker run -it --rm -v ${PWD}:/work -w /work --entrypoint /bin/sh amazon/aws-cli:2.0.43 # some handy tools :) yum install -y jq gzip nano tar git unzip wget @@ -26,6 +26,8 @@ yum install -y jq gzip nano tar git unzip wget aws configure +Default region name: ap-southeast-2 +Default output format: json ``` # Terraform CLI @@ -33,17 +35,16 @@ aws configure ``` # Get Terraform -curl -o /tmp/terraform.zip -LO https://releases.hashicorp.com/terraform/0.12.28/terraform_0.12.28_linux_amd64.zip +curl -o /tmp/terraform.zip -LO https://releases.hashicorp.com/terraform/0.13.1/terraform_0.13.1_linux_amd64.zip unzip /tmp/terraform.zip chmod +x terraform && mv terraform /usr/local/bin/ -cd kubernetes/cloud/amazon/terraform/ - +terraform ``` -# Generate SSH key +# Generate SSH key for our EC2 workers ``` -ssh-keygen -t rsa -b 4096 -N "VeryStrongSecret123!" -C "your_email@example.com" -q -f ~/.ssh/id_rsa +ssh-keygen -t rsa -b 4096 -N 'VeryStrongSecret123!' -C "your_email@example.com" -q -f ~/.ssh/id_rsa SSH_KEY=$(cat ~/.ssh/id_rsa.pub) ``` @@ -52,11 +53,12 @@ SSH_KEY=$(cat ~/.ssh/id_rsa.pub) Documentation on all the Kubernetes fields for terraform [here](https://www.terraform.io/docs/providers/aws/r/eks_cluster.html) ``` +cd kubernetes/cloud/amazon/terraform + terraform init -terraform plan -var access_key=$access_key -var secret_key=$secret_key - -terraform apply -var access_key=$access_key -var secret_key=$secret_key +terraform plan +terraform apply ``` @@ -79,5 +81,5 @@ kubectl get svc # Clean up ``` -terraform destroy -var access_key=$access_key -var secret_key=$secret_key +terraform destroy ``` \ No newline at end of file 
diff --git a/kubernetes/cloud/amazon/terraform/security-groups.tf b/kubernetes/cloud/amazon/terraform/security-groups.tf
deleted file mode 100644
index 37c57f4..0000000
--- a/kubernetes/cloud/amazon/terraform/security-groups.tf
+++ /dev/null
@@ -1,46 +0,0 @@
-resource "aws_security_group" "worker_group_mgmt_one" {
- name_prefix = "worker_group_mgmt_one"
- vpc_id = module.vpc.vpc_id
-
- ingress {
- from_port = 22
- to_port = 22
- protocol = "tcp"
-
- cidr_blocks = [
- "10.0.0.0/8",
- ]
- }
-}
-
-resource "aws_security_group" "worker_group_mgmt_two" {
- name_prefix = "worker_group_mgmt_two"
- vpc_id = module.vpc.vpc_id
-
- ingress {
- from_port = 22
- to_port = 22
- protocol = "tcp"
-
- cidr_blocks = [
- "192.168.0.0/16",
- ]
- }
-}
-
-resource "aws_security_group" "all_worker_mgmt" {
- name_prefix = "all_worker_management"
- vpc_id = module.vpc.vpc_id
-
- ingress {
- from_port = 22
- to_port = 22
- protocol = "tcp"
-
- cidr_blocks = [
- "10.0.0.0/8",
- "172.16.0.0/12",
- "192.168.0.0/16",
- ]
- }
-}
diff --git a/kubernetes/cloud/amazon/terraform/variables.tf b/kubernetes/cloud/amazon/terraform/variables.tf
index 0405c34..30943c1 100644
--- a/kubernetes/cloud/amazon/terraform/variables.tf
+++ b/kubernetes/cloud/amazon/terraform/variables.tf
@@ -6,3 +6,52 @@ variable "region" {
 variable "cluster_name" {
 default = "getting-started-eks"
 }
+
+variable "map_accounts" {
+ description = "Additional AWS account numbers to add to the aws-auth configmap."
+ type = list(string)
+
+ default = [
+ "777777777777",
+ "888888888888",
+ ]
+}
+
+variable "map_roles" {
+ description = "Additional IAM roles to add to the aws-auth configmap."
+ type = list(object({
+ rolearn = string
+ username = string
+ groups = list(string)
+ }))
+
+ default = [
+ {
+ rolearn = "arn:aws:iam::66666666666:role/role1"
+ username = "role1"
+ groups = ["system:masters"]
+ },
+ ]
+}
+
+variable "map_users" {
+ description = "Additional IAM users to add to the aws-auth configmap."
+ type = list(object({
+ userarn = string
+ username = string
+ groups = list(string)
+ }))
+
+ default = [
+ {
+ userarn = "arn:aws:iam::66666666666:user/user1"
+ username = "user1"
+ groups = ["system:masters"]
+ },
+ {
+ userarn = "arn:aws:iam::66666666666:user/user2"
+ username = "user2"
+ groups = ["system:masters"]
+ },
+ ]
+}
\ No newline at end of file
diff --git a/kubernetes/cloud/amazon/terraform/versions.tf b/kubernetes/cloud/amazon/terraform/versions.tf
deleted file mode 100644
index e7275f4..0000000
--- a/kubernetes/cloud/amazon/terraform/versions.tf
+++ /dev/null
@@ -1,19 +0,0 @@
-terraform {
- required_version = ">= 0.12"
-}
-
-provider "random" {
- version = "~> 2.1"
-}
-
-provider "local" {
- version = "~> 1.2"
-}
-
-provider "null" {
- version = "~> 2.1"
-}
-
-provider "template" {
- version = "~> 2.1"
-}
\ No newline at end of file
diff --git a/kubernetes/cloud/amazon/terraform/vpc.tf b/kubernetes/cloud/amazon/terraform/vpc.tf
deleted file mode 100644
index 72c6254..0000000
--- a/kubernetes/cloud/amazon/terraform/vpc.tf
+++ /dev/null
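Review bot: The new `map_roles` and `map_users` defaults write placeholder identities into the aws-auth configmap with `groups = ["system:masters"]`, i.e. cluster-admin for whatever ends up owning `arn:aws:iam::66666666666:role/role1` and the two users, and `map_accounts` additionally trusts two whole placeholder accounts; anyone who applies this without a tfvars override ships those grants with the cluster. The account ID `66666666666` is also only 11 digits, so these ARNs look malformed and at best become dead entries that nobody will notice while auditing. Safer defaults are empty lists, `default = []`, on all three variables, with the real mappings supplied per environment, and operators bound to a scoped ClusterRole rather than `system:masters`. The `list(object(...))` types can stay as they are, so callers passing their own values are unaffected.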
@@ -1,34 +0,0 @@
-provider "aws" {
- version = ">= 2.28.1"
- region = "ap-southeast-2"
-}
-
-data "aws_availability_zones" "available" {}
-
-module "vpc" {
- source = "terraform-aws-modules/vpc/aws"
- version = "2.6.0"
-
- name = "training-vpc"
- cidr = "10.0.0.0/16"
- azs = data.aws_availability_zones.available.names
- private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
- public_subnets = ["10.0.4.0/24", "10.0.5.0/24", "10.0.6.0/24"]
- enable_nat_gateway = true
- single_nat_gateway = true
- enable_dns_hostnames = true
-
- tags = {
- "kubernetes.io/cluster/${var.cluster_name}" = "shared"
- }
-
- public_subnet_tags = {
- "kubernetes.io/cluster/${var.cluster_name}" = "shared"
- "kubernetes.io/role/elb" = "1"
- }
-
- private_subnet_tags = {
- "kubernetes.io/cluster/${var.cluster_name}" = "shared"
- "kubernetes.io/role/internal-elb" = "1"
- }
-}