Merge pull request #160 from johnbedeir/dev

Fix #158 build-aws-eks-using-terraform
johnbedeir · Nov 1, 2022 · 23aa3a3 · 23aa3a3
2 parents 3ecc192 + cc84467
commit 23aa3a3
Show file tree

Hide file tree

Showing 8 changed files with 289 additions and 0 deletions.
diff --git a/Terraform/AWS/EKS/eks.tf b/Terraform/AWS/EKS/eks.tf
@@ -0,0 +1,47 @@
+# Resource: aws_iam_role
+# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role
+resource "aws_iam_role" "demo" {
+  name = "eks-cluster-demo"
+
+  assume_role_policy = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "eks.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+POLICY
+}
+
+# Resource: aws_iam_role_policy_attachment
+# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment
+resource "aws_iam_role_policy_attachment" "demo-AmazonEKSClusterPolicy" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
+  role       = aws_iam_role.demo.name
+}
+
+# Resource: aws_eks_cluster
+# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster
+resource "aws_eks_cluster" "demo" {
+  name     = "demo"
+  role_arn = aws_iam_role.demo.arn
+
+  vpc_config {
+    subnet_ids = [
+      aws_subnet.private-eu-central-1a.id,
+      aws_subnet.private-eu-central-1b.id,
+      aws_subnet.public-eu-central-1a.id,
+      aws_subnet.public-eu-central-1b.id
+    ]
+  }
+
+  # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
+  # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
+  depends_on = [aws_iam_role_policy_attachment.demo-AmazonEKSClusterPolicy]
+}
diff --git a/Terraform/AWS/EKS/igw.tf b/Terraform/AWS/EKS/igw.tf
@@ -0,0 +1,9 @@
+# Resource: aws_internet_gateway
+# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/internet_gateway
+resource "aws_internet_gateway" "igw" {
+  vpc_id = aws_vpc.main.id
+
+  tags = {
+    Name = "igw"
+  }
+}
diff --git a/Terraform/AWS/EKS/nat.tf b/Terraform/AWS/EKS/nat.tf
@@ -0,0 +1,24 @@
+# Resource: aws_eip
+# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip
+resource "aws_eip" "nat" {
+  vpc = true
+
+  tags = {
+    Name = "nat"
+  }
+}
+
+# Resource: aws_nat_gateway
+# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/nat_gateway
+resource "aws_nat_gateway" "nat" {
+  allocation_id = aws_eip.nat.id
+  subnet_id     = aws_subnet.public-eu-central-1a.id
+
+  tags = {
+    Name = "nat"
+  }
+
+  # To ensure proper ordering, it is recommended to add an explicit dependency
+  # on the Internet Gateway for the VPC.
+  depends_on = [aws_internet_gateway.igw]
+}
diff --git a/Terraform/AWS/EKS/nodes.tf b/Terraform/AWS/EKS/nodes.tf
@@ -0,0 +1,63 @@
+resource "aws_iam_role" "nodes" {
+  name = "eks-node-group-nodes"
+
+  assume_role_policy = jsonencode({
+    Statement = [{
+      Action = "sts:AssumeRole"
+      Effect = "Allow"
+      Principal = {
+        Service = "ec2.amazonaws.com"
+      }
+    }]
+    Version = "2012-10-17"
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "nodes-AmazonEKSWorkerNodePolicy" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
+  role       = aws_iam_role.nodes.name
+}
+
+resource "aws_iam_role_policy_attachment" "nodes-AmazonEKS_CNI_Policy" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
+  role       = aws_iam_role.nodes.name
+}
+
+resource "aws_iam_role_policy_attachment" "nodes-AmazonEC2ContainerRegistryReadOnly" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+  role       = aws_iam_role.nodes.name
+}
+
+# Resource: aws_eks_node_group
+# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_node_group
+resource "aws_eks_node_group" "general" {
+  cluster_name    = aws_eks_cluster.demo.name
+  node_group_name = "general"
+  node_role_arn   = aws_iam_role.nodes.arn
+
+  subnet_ids = [
+    aws_subnet.private-eu-central-1a.id,
+    aws_subnet.private-eu-central-1b.id
+  ]
+
+  capacity_type  = "ON_DEMAND"
+  instance_types = ["t3.small"]
+
+  scaling_config {
+    desired_size = 2
+    max_size     = 5
+    min_size     = 1
+  }
+
+  update_config {
+    max_unavailable = 1
+  }
+
+  # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
+  # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
+  depends_on = [
+    aws_iam_role_policy_attachment.nodes-AmazonEKSWorkerNodePolicy,
+    aws_iam_role_policy_attachment.nodes-AmazonEKS_CNI_Policy,
+    aws_iam_role_policy_attachment.nodes-AmazonEC2ContainerRegistryReadOnly,
+  ]
+}
diff --git a/Terraform/AWS/EKS/provider.tf b/Terraform/AWS/EKS/provider.tf
@@ -0,0 +1,13 @@
+# Configure AWS provider
+provider "aws" {
+  region = "eu-central-1"
+}
+
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 3.0"
+    }
+  }
+}
diff --git a/Terraform/AWS/EKS/routes.tf b/Terraform/AWS/EKS/routes.tf
@@ -0,0 +1,75 @@
+# Resource: aws_route_table
+# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table
+resource "aws_route_table" "private" {
+  vpc_id = aws_vpc.main.id
+
+  route = [
+    {
+      cidr_block                 = "0.0.0.0/0"
+      nat_gateway_id             = aws_nat_gateway.nat.id
+      carrier_gateway_id         = ""
+      destination_prefix_list_id = ""
+      egress_only_gateway_id     = ""
+      gateway_id                 = ""
+      instance_id                = ""
+      ipv6_cidr_block            = ""
+      local_gateway_id           = ""
+      network_interface_id       = ""
+      transit_gateway_id         = ""
+      vpc_endpoint_id            = ""
+      vpc_peering_connection_id  = ""
+    },
+  ]
+
+  tags = {
+    Name = "private"
+  }
+}
+
+resource "aws_route_table" "public" {
+  vpc_id = aws_vpc.main.id
+
+  route = [
+    {
+      cidr_block                 = "0.0.0.0/0"
+      gateway_id                 = aws_internet_gateway.igw.id
+      nat_gateway_id             = ""
+      carrier_gateway_id         = ""
+      destination_prefix_list_id = ""
+      egress_only_gateway_id     = ""
+      instance_id                = ""
+      ipv6_cidr_block            = ""
+      local_gateway_id           = ""
+      network_interface_id       = ""
+      transit_gateway_id         = ""
+      vpc_endpoint_id            = ""
+      vpc_peering_connection_id  = ""
+    },
+  ]
+
+  tags = {
+    Name = "public"
+  }
+}
+
+# Resource: aws_route_table_association
+# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association
+resource "aws_route_table_association" "private-eu-central-1a" {
+  subnet_id      = aws_subnet.private-eu-central-1a.id
+  route_table_id = aws_route_table.private.id
+}
+
+resource "aws_route_table_association" "private-eu-central-1b" {
+  subnet_id      = aws_subnet.private-eu-central-1b.id
+  route_table_id = aws_route_table.private.id
+}
+
+resource "aws_route_table_association" "public-eu-central-1a" {
+  subnet_id      = aws_subnet.public-eu-central-1a.id
+  route_table_id = aws_route_table.public.id
+}
+
+resource "aws_route_table_association" "public-eu-central-1b" {
+  subnet_id      = aws_subnet.public-eu-central-1b.id
+  route_table_id = aws_route_table.public.id
+}
diff --git a/Terraform/AWS/EKS/subnets.tf b/Terraform/AWS/EKS/subnets.tf
@@ -0,0 +1,49 @@
+# Resource: aws_subnet
+# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet
+resource "aws_subnet" "private-eu-central-1a" {
+  vpc_id            = aws_vpc.main.id
+  cidr_block        = "10.0.0.0/19"
+  availability_zone = "eu-central-1a"
+
+  tags = {
+    "Name"                            = "private-eu-central-1a"
+    "kubernetes.io/role/internal-elb" = "1"
+    "kubernetes.io/cluster/demo"      = "owned"
+  }
+}
+
+resource "aws_subnet" "private-eu-central-1b" {
+  vpc_id            = aws_vpc.main.id
+  cidr_block        = "10.0.32.0/19"
+  availability_zone = "eu-central-1b"
+
+  tags = {
+    "Name"                            = "private-eu-central-1b"
+    "kubernetes.io/role/internal-elb" = "1"
+    "kubernetes.io/cluster/demo"      = "owned"
+  }
+}
+
+resource "aws_subnet" "public-eu-central-1a" {
+  vpc_id            = aws_vpc.main.id
+  cidr_block        = "10.0.64.0/19"
+  availability_zone = "eu-central-1a"
+
+  tags = {
+    "Name"                       = "public-eu-central-1a"
+    "kubernetes.io/role/elb"     = "1"
+    "kubernetes.io/cluster/demo" = "owned"
+  }
+}
+
+resource "aws_subnet" "public-eu-central-1b" {
+  vpc_id            = aws_vpc.main.id
+  cidr_block        = "10.0.96.0/19"
+  availability_zone = "eu-central-1b"
+
+  tags = {
+    "Name"                       = "public-eu-central-1b"
+    "kubernetes.io/role/elb"     = "1"
+    "kubernetes.io/cluster/demo" = "owned"
+  }
+}
diff --git a/Terraform/AWS/EKS/vpc.tf b/Terraform/AWS/EKS/vpc.tf
@@ -0,0 +1,9 @@
+# Resource: aws_vpc
+# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc
+resource "aws_vpc" "main" {
+  cidr_block = "10.0.0.0/16"
+
+  tags = {
+    Name = "main"
+  }
+}