forked from terraform-aws-modules/terraform-aws-eks
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathworkers.tf
139 lines (124 loc) · 6.37 KB
/
workers.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
resource "aws_security_group" "workers" {
count = var.worker_security_group_id == "" && var.create_eks ? 1 : 0
name_prefix = aws_eks_cluster.this[0].name
description = "Security group for all nodes in the cluster."
vpc_id = var.vpc_id
tags = merge(
var.tags,
{
"Name" = "${aws_eks_cluster.this[0].name}-eks_worker_sg"
"kubernetes.io/cluster/${aws_eks_cluster.this[0].name}" = "owned"
"karpenter.sh/discovery" = aws_eks_cluster.this[0].name
},
)
}
resource "aws_security_group_rule" "workers_egress_whole_internet" {
count = var.worker_security_group_id == "" && var.create_eks && var.allow_all_egress ? 1 : 0
description = "Allow nodes all egress to the Internet."
protocol = "-1"
security_group_id = local.worker_security_group_id
cidr_blocks = ["0.0.0.0/0"]
from_port = 0
to_port = 0
type = "egress"
}
resource "aws_security_group_rule" "workers_egress_cidr_blocks_internet" {
count = var.worker_security_group_id == "" && var.create_eks && !var.allow_all_egress ? 1 : 0
description = "Allow nodes all egress to these cidr blocks."
protocol = "-1"
security_group_id = local.worker_security_group_id
cidr_blocks = var.egress_cidr_blocks_allowed
from_port = 0
to_port = 0
type = "egress"
}
resource "aws_security_group_rule" "workers_egress_internet_ports" {
count = var.worker_security_group_id == "" && var.create_eks && !var.allow_all_egress ? length(var.egress_ports_allowed) : 0
description = "Allow nodes all egress to the Internet on these ports."
protocol = "tcp"
security_group_id = local.worker_security_group_id
cidr_blocks = ["0.0.0.0/0"]
from_port = var.egress_ports_allowed[count.index]
to_port = var.egress_ports_allowed[count.index]
type = "egress"
}
resource "aws_security_group_rule" "workers_egress_custom_rules" {
count = var.worker_security_group_id == "" && var.create_eks && !var.allow_all_egress ? length(var.egress_custom_allowed) : 0
description = "Allow nodes all egress to these custom blocks and ports."
protocol = "tcp"
security_group_id = local.worker_security_group_id
cidr_blocks = var.egress_custom_allowed[count.index].cidr_blocks
from_port = var.egress_custom_allowed[count.index].from_port
to_port = var.egress_custom_allowed[count.index].to_port
type = "egress"
}
resource "aws_security_group_rule" "workers_ingress_self" {
count = var.worker_security_group_id == "" && var.create_eks ? 1 : 0
description = "Allow node to communicate with each other."
protocol = "-1"
security_group_id = local.worker_security_group_id
source_security_group_id = local.worker_security_group_id
from_port = 0
to_port = 65535
type = "ingress"
}
resource "aws_security_group_rule" "workers_ingress_cluster" {
count = var.worker_security_group_id == "" && var.create_eks ? 1 : 0
description = "Allow workers pods to receive communication from the cluster control plane."
protocol = "tcp"
security_group_id = local.worker_security_group_id
source_security_group_id = local.cluster_security_group_id
from_port = var.worker_sg_ingress_from_port
to_port = 65535
type = "ingress"
}
resource "aws_security_group_rule" "workers_ingress_cluster_kubelet" {
count = var.worker_security_group_id == "" && var.create_eks ? var.worker_sg_ingress_from_port > 10250 ? 1 : 0 : 0
description = "Allow workers Kubelets to receive communication from the cluster control plane."
protocol = "tcp"
security_group_id = local.worker_security_group_id
source_security_group_id = local.cluster_security_group_id
from_port = 10250
to_port = 10250
type = "ingress"
}
resource "aws_security_group_rule" "workers_ingress_cluster_https" {
count = var.worker_security_group_id == "" && var.create_eks ? 1 : 0
description = "Allow pods running extension API servers on port 443 to receive communication from cluster control plane."
protocol = "tcp"
security_group_id = local.worker_security_group_id
source_security_group_id = local.cluster_security_group_id
from_port = 443
to_port = 443
type = "ingress"
}
resource "aws_iam_role" "workers" {
count = var.manage_worker_iam_resources && var.create_eks ? 1 : 0
name_prefix = var.workers_role_name != "" ? null : aws_eks_cluster.this[0].name
name = var.workers_role_name != "" ? var.workers_role_name : null
assume_role_policy = data.aws_iam_policy_document.workers_assume_role_policy.json
permissions_boundary = var.permissions_boundary
path = var.iam_path
force_detach_policies = true
tags = var.tags
}
resource "aws_iam_role_policy_attachment" "workers_AmazonEKSWorkerNodePolicy" {
count = var.manage_worker_iam_resources && var.create_eks ? 1 : 0
policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
role = aws_iam_role.workers[0].name
}
resource "aws_iam_role_policy_attachment" "workers_AmazonEKS_CNI_Policy" {
count = var.manage_worker_iam_resources && var.attach_worker_cni_policy && var.create_eks ? 1 : 0
policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
role = aws_iam_role.workers[0].name
}
resource "aws_iam_role_policy_attachment" "workers_AmazonEC2ContainerRegistryReadOnly" {
count = var.manage_worker_iam_resources && var.create_eks ? 1 : 0
policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
role = aws_iam_role.workers[0].name
}
resource "aws_iam_role_policy_attachment" "workers_additional_policies" {
count = var.manage_worker_iam_resources && var.create_eks ? length(var.workers_additional_policies) : 0
role = aws_iam_role.workers[0].name
policy_arn = var.workers_additional_policies[count.index]
}