Write Kubernetes Terraform module for Azure and AWS

- Written Terraform module for Azure Kubernetes Service (AKS) and supporting infra. - Updated Terraform module for Amazon EKS. - Tested Kubernetes Terraform module on both AWS and Azure
sloopstash · Jan 23, 2025 · 1b7d50c · 1b7d50c
1 parent 83d1a62
commit 1b7d50c
Show file tree

Hide file tree

Showing 10 changed files with 219 additions and 17 deletions.
diff --git a/main.tf b/main.tf
@@ -1,7 +1,8 @@
 terraform {
   required_version = "v1.0.1"
   required_providers {
-    aws = "5.42.0"
+    aws = "5.84.0"
+    azurerm = "4.16.0"
   }
   backend "local" {}
 }
@@ -17,5 +18,10 @@ module "aws_kubernetes" {
   source = "./module/kubernetes/aws"
   environment = var.environment
   ssh_public_key = var.ssh_public_key
-  ec2_ami_id = var.aws_ec2_ami_id
+}
+module "azure_kubernetes" {
+  source = "./module/kubernetes/azure"
+  environment = var.environment
+  ssh_public_key = var.ssh_public_key
+  subscription_id = var.azure_subscription_id
 }
diff --git a/module/kubernetes/aws/main.tf b/module/kubernetes/aws/main.tf
@@ -293,10 +293,10 @@ resource "aws_subnet" "kubernetes_vpc_eks_cp_sn_1" {
 }
 resource "aws_route_table_association" "kubernetes_vpc_eks_cp_sn_1_rtt_ass" {
   depends_on = [
-    aws_route_table.kubernetes_vpc_pvt_rtt,
+    aws_route_table.kubernetes_vpc_pub_rtt,
     aws_subnet.kubernetes_vpc_eks_cp_sn_1
   ]
-  route_table_id = aws_route_table.kubernetes_vpc_pvt_rtt.id
+  route_table_id = aws_route_table.kubernetes_vpc_pub_rtt.id
   subnet_id = aws_subnet.kubernetes_vpc_eks_cp_sn_1.id
 }
 resource "aws_subnet" "kubernetes_vpc_eks_cp_sn_2" {
@@ -314,10 +314,10 @@ resource "aws_subnet" "kubernetes_vpc_eks_cp_sn_2" {
 }
 resource "aws_route_table_association" "kubernetes_vpc_eks_cp_sn_2_rtt_ass" {
   depends_on = [
-    aws_route_table.kubernetes_vpc_pvt_rtt,
+    aws_route_table.kubernetes_vpc_pub_rtt,
     aws_subnet.kubernetes_vpc_eks_cp_sn_2
   ]
-  route_table_id = aws_route_table.kubernetes_vpc_pvt_rtt.id
+  route_table_id = aws_route_table.kubernetes_vpc_pub_rtt.id
   subnet_id = aws_subnet.kubernetes_vpc_eks_cp_sn_2.id
 }
 resource "aws_subnet" "kubernetes_vpc_eks_nd_sn_1" {
@@ -463,7 +463,10 @@ resource "aws_security_group" "kubernetes_vpc_loadbalancer_sg" {
   }
 }
 resource "aws_security_group" "kubernetes_vpc_eks_sg" {
-  depends_on = [aws_vpc.kubernetes_vpc_net]
+  depends_on = [
+    aws_vpc.kubernetes_vpc_net,
+    aws_security_group.kubernetes_vpc_bastion_sg
+  ]
   name = "kubernetes-vpc-eks-sg"
   vpc_id = aws_vpc.kubernetes_vpc_net.id
   ingress {
@@ -560,7 +563,6 @@ resource "aws_ecr_repository" "kubernetes_ecr_nginx_repo" {
 resource "aws_eks_cluster" "kubernetes_eks_ct" {
   depends_on = [
     aws_iam_role.kubernetes_iam_eks_rl,
-    aws_vpc.kubernetes_vpc_net,
     aws_subnet.kubernetes_vpc_eks_cp_sn_1,
     aws_subnet.kubernetes_vpc_eks_cp_sn_2,
     aws_subnet.kubernetes_vpc_eks_nd_sn_1,
@@ -580,17 +582,28 @@ resource "aws_eks_cluster" "kubernetes_eks_ct" {
     ]
     security_group_ids = [aws_security_group.kubernetes_vpc_eks_sg.id]
   }
-  version = "1.28"
+  version = "1.29"
   access_config {
     authentication_mode = "API_AND_CONFIG_MAP"
     bootstrap_cluster_creator_admin_permissions = true
   }
   bootstrap_self_managed_addons = true
+  kubernetes_network_config {
+    elastic_load_balancing {
+      enabled = false
+    }
+    ip_family = "ipv4"
+  }
+  storage_config {
+    block_storage {
+      enabled = false
+    }
+  }
   compute_config {
     enabled = false
   }
-  kubernetes_network_config {
-    ip_family = "ipv4"
+  zonal_shift_config {
+    enabled = false
   }
   tags = {
     Name = "kubernetes-eks-ct"
@@ -603,7 +616,6 @@ resource "aws_eks_cluster" "kubernetes_eks_ct" {
 resource "aws_eks_node_group" "kubernetes_eks_gnr_ng" {
   depends_on = [
     aws_iam_role.kubernetes_iam_ec2_rl,
-    aws_vpc.kubernetes_vpc_net,
     aws_subnet.kubernetes_vpc_eks_nd_sn_1,
     aws_subnet.kubernetes_vpc_eks_nd_sn_2,
     aws_security_group.kubernetes_vpc_bastion_sg,
@@ -617,7 +629,7 @@ resource "aws_eks_node_group" "kubernetes_eks_gnr_ng" {
     aws_subnet.kubernetes_vpc_eks_nd_sn_1.id,
     aws_subnet.kubernetes_vpc_eks_nd_sn_2.id
   ]
-  version = "1.28"
+  version = "1.29"
   ami_type = "AL2_x86_64"
   capacity_type = "ON_DEMAND"
   instance_types = ["t3a.small"]

diff --git a/module/kubernetes/aws/variables.tf b/module/kubernetes/aws/variables.tf
@@ -6,7 +6,3 @@ variable "ssh_public_key" {
   type = string
   description = "SSH public key."
 }
-variable "ec2_ami_id" {
-  type = string
-  description = "EC2 AMI identifier."
-}
diff --git a/module/kubernetes/azure/main.tf b/module/kubernetes/azure/main.tf
@@ -0,0 +1,163 @@
+provider "azurerm" {
+  subscription_id = var.subscription_id
+  resource_provider_registrations = "none"
+  features {}
+}
+
+resource "azurerm_resource_group" "kubernetes_rg" {
+  name = "kubernetes-rg"
+  location = "Central India"
+  tags = {
+    Name = "kubernetes-rg"
+    Environment = var.environment
+    Stack = "kubernetes"
+    Region = "centralindia"
+    Organization = "sloopstash"
+  }
+}
+resource "azurerm_virtual_network" "kubernetes_vnet" {
+  depends_on = [azurerm_resource_group.kubernetes_rg]
+  name = "kubernetes-vnet"
+  resource_group_name = azurerm_resource_group.kubernetes_rg.name
+  location = azurerm_resource_group.kubernetes_rg.location
+  address_space = [var.environment == "prd" ? "11.11.0.0/16" : "12.11.0.0/16"]
+  encryption {
+    enforcement = "AllowUnencrypted"
+  }
+  tags = {
+    Name = "kubernetes-vnet"
+    Environment = var.environment
+    Stack = "kubernetes"
+    Region = "centralindia"
+    Organization = "sloopstash"
+  }
+}
+resource "azurerm_subnet" "kubernetes_vnet_bastion_sn_1" {
+  depends_on = [
+    azurerm_resource_group.kubernetes_rg,
+    azurerm_virtual_network.kubernetes_vnet
+  ]
+  name = "kubernetes-vnet-bastion-sn-1"
+  resource_group_name = azurerm_resource_group.kubernetes_rg.name
+  virtual_network_name = azurerm_virtual_network.kubernetes_vnet.name
+  address_prefixes = [var.environment == "prd" ? "11.11.1.0/24" : "12.11.1.0/24"]
+}
+resource "azurerm_subnet" "kubernetes_vnet_bastion_sn_2" {
+  depends_on = [
+    azurerm_resource_group.kubernetes_rg,
+    azurerm_virtual_network.kubernetes_vnet
+  ]
+  name = "kubernetes-vnet-bastion-sn-2"
+  resource_group_name = azurerm_resource_group.kubernetes_rg.name
+  virtual_network_name = azurerm_virtual_network.kubernetes_vnet.name
+  address_prefixes = [var.environment == "prd" ? "11.11.2.0/24" : "12.11.2.0/24"]
+}
+resource "azurerm_subnet" "kubernetes_vnet_aks_nd_sn_1" {
+  depends_on = [
+    azurerm_resource_group.kubernetes_rg,
+    azurerm_virtual_network.kubernetes_vnet
+  ]
+  name = "kubernetes-vnet-aks-nd-sn-1"
+  resource_group_name = azurerm_resource_group.kubernetes_rg.name
+  virtual_network_name = azurerm_virtual_network.kubernetes_vnet.name
+  address_prefixes = [var.environment == "prd" ? "11.11.9.0/24" : "12.11.9.0/24"]
+}
+resource "azurerm_subnet" "kubernetes_vnet_aks_nd_sn_2" {
+  depends_on = [
+    azurerm_resource_group.kubernetes_rg,
+    azurerm_virtual_network.kubernetes_vnet
+  ]
+  name = "kubernetes-vnet-aks-nd-sn-2"
+  resource_group_name = azurerm_resource_group.kubernetes_rg.name
+  virtual_network_name = azurerm_virtual_network.kubernetes_vnet.name
+  address_prefixes = [var.environment == "prd" ? "11.11.10.0/24" : "12.11.10.0/24"]
+}
+resource "azurerm_network_security_group" "kubernetes_bastion_nsg" {
+  depends_on = [azurerm_resource_group.kubernetes_rg]
+  name = "kubernetes-bastion-nsg"
+  resource_group_name = azurerm_resource_group.kubernetes_rg.name
+  location = azurerm_resource_group.kubernetes_rg.location
+  security_rule {
+    name = "AllowAnySSHInbound"
+    direction = "Inbound"
+    access = "Allow"
+    priority = 110
+    protocol = "Tcp"
+    source_address_prefix = "*"
+    source_port_range = "*"
+    destination_address_prefix = "*"
+    destination_port_range = 22
+  }
+  tags = {
+    Name = "kubernetes-bastion-nsg"
+    Environment = var.environment
+    Stack = "kubernetes"
+    Region = "centralindia"
+    Organization = "sloopstash"
+  }
+}
+# resource "azurerm_kubernetes_cluster" "kubernetes_aks_ct" {
+#   depends_on = [
+#     azurerm_resource_group.kubernetes_rg,
+#     azurerm_subnet.kubernetes_vnet_aks_nd_sn_1,
+#     azurerm_subnet.kubernetes_vnet_aks_nd_sn_2
+#   ]
+#   name = "kubernetes-aks-ct"
+#   resource_group_name = azurerm_resource_group.kubernetes_rg.name
+#   location = azurerm_resource_group.kubernetes_rg.location
+#   kubernetes_version = "1.28.15"
+#   sku_tier = "Free"
+#   identity {
+#     type = "SystemAssigned"
+#   }
+#   open_service_mesh_enabled = false
+#   private_cluster_enabled = false
+#   dns_prefix = "kubernetes-aks-ct-api-endpoint"
+#   api_server_access_profile {
+#     authorized_ip_ranges = ["0.0.0.0/0"]
+#   }
+#   network_profile {
+#     network_plugin = "kubenet"
+#     network_policy = "calico"
+#     ip_versions = ["IPv4"]
+#     load_balancer_sku = "standard"
+#   }
+#   node_resource_group = "kubernetes-aks-ct-rg"
+#   default_node_pool {
+#     name = "nodepool1"
+#     vm_size = "Standard_D2as_v4"
+#     type = "VirtualMachineScaleSets"
+#     os_sku = "AzureLinux"
+#     vnet_subnet_id = azurerm_subnet.kubernetes_vnet_aks_nd_sn_1.id
+#     node_public_ip_enabled = false
+#     ultra_ssd_enabled = false
+#     host_encryption_enabled = false
+#     orchestrator_version = "1.28.15"
+#     workload_runtime = "OCIContainer"
+#     auto_scaling_enabled = true
+#     max_count = 1
+#     min_count = 1
+#     node_count = 1
+#     max_pods = 50
+#   }
+#   automatic_upgrade_channel = "patch"
+#   node_os_upgrade_channel = "NodeImage"
+#   maintenance_window {
+#     allowed {
+#       day = "Sunday"
+#       hours = [1,2]
+#     }
+#   }
+#   role_based_access_control_enabled = true
+#   azure_policy_enabled = false
+#   image_cleaner_enabled = false
+#   oidc_issuer_enabled = false
+#   run_command_enabled = true
+#   tags = {
+#     Name = "kubernetes-aks-ct"
+#     Environment = var.environment
+#     Stack = "kubernetes"
+#     Region = "centralindia"
+#     Organization = "sloopstash"
+#   }
+# }
diff --git a/module/kubernetes/azure/outputs.tf b/module/kubernetes/azure/outputs.tf
@@ -0,0 +1,4 @@
+output "kubernetes_eks_ct_fqdn" {
+  depends_on = [azurerm_kubernetes_cluster.kubernetes_aks_ct]
+  value = azurerm_kubernetes_cluster.kubernetes_aks_ct.fqdn
+}
diff --git a/module/kubernetes/azure/variables.tf b/module/kubernetes/azure/variables.tf
@@ -0,0 +1,12 @@
+variable "environment" {
+  type = string
+  description = "Environment."
+}
+variable "ssh_public_key" {
+  type = string
+  description = "SSH public key."
+}
+variable "subscription_id" {
+  type = string
+  description = "Subscription identifier."
+}
diff --git a/outputs.tf b/outputs.tf
@@ -4,3 +4,6 @@ output "aws_crm" {
 output "aws_kubernetes" {
   value = module.aws_kubernetes
 }
+output "azure_kubernetes" {
+  value = module.azure_kubernetes
+}
diff --git a/var/PRD.tfvars b/var/PRD.tfvars
@@ -1,3 +1,4 @@
 environment = "prd"
 aws_s3_bucket_prefix="<AMAZON_S3_BUCKET_PREFIX>"
 aws_ec2_ami_id="<AMAZON_EC2_AMI_ID>"
+azure_subscription_id="<AZURE_SUBSCRIPTION_ID>"
diff --git a/var/STG.tfvars b/var/STG.tfvars
@@ -1,3 +1,4 @@
 environment = "prd"
 aws_s3_bucket_prefix="<AMAZON_S3_BUCKET_PREFIX>"
 aws_ec2_ami_id="<AMAZON_EC2_AMI_ID>"
+azure_subscription_id="<AZURE_SUBSCRIPTION_ID>"
diff --git a/variables.tf b/variables.tf
@@ -14,3 +14,7 @@ variable "aws_ec2_ami_id" {
   type = string
   description = "Amazon EC2 AMI identifier."
 }
+variable "azure_subscription_id" {
+  type = string
+  description = "Azure subscription identifier."
+}