First version of the module (#1)

.github/auto_assign.yml

@@ -0,0 +1,14 @@
+addReviewers: true
+addAssignees: true
+reviewers:
+  - okgolove
+  - rfvermut
+numberOfReviewers: 0
+assignees:
+  - okgolove
+  - rfvermut
+numberOfAssignees: 1
+
+
+skipKeywords:
+  - wip

.github/workflows/assign.yml

@@ -0,0 +1,10 @@
+name: 'Auto Assign'
+on: pull_request
+
+jobs:
+  add-reviews:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: kentaro-m/[email protected]
+        with:
+          repo-token: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/lint.yml

@@ -0,0 +1,35 @@
+name: Lint
+on: [push, pull_request]
+
+jobs:
+  tflint:
+    name: TFLint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@master
+      - name: TFLint
+        uses: docker://wata727/tflint
+
+  fmt:
+    name: Code Format
+    runs-on: ubuntu-latest
+    container:
+      image: hashicorp/terraform:latest
+    steps:
+      - uses: actions/checkout@master
+      - run: terraform fmt --recursive -check=true
+
+  validate:
+    name: Validate
+    runs-on: ubuntu-latest
+    container:
+      image: hashicorp/terraform:latest
+    steps:
+      - uses: actions/checkout@master
+      - name: Validate Code
+        env:
+          AWS_REGION: 'us-east-1'
+          TF_WARN_OUTPUT_ERRORS: 1
+        run: |
+          terraform init
+          terraform validate

.pre-commit-config.yaml

@@ -0,0 +1,7 @@
+- repo: git://github.com/antonbabenko/pre-commit-terraform
+  rev: v1.19.0
+  hooks:
+    - id: terraform_fmt
+    - id: terraform_docs
+    - id: terraform_validate
+    - id: terraform_tflint

README.md

@@ -0,0 +1,31 @@
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:-----:|
+| bastion\_instance\_size | n/a | `string` | `"t3.nano"` | no |
+| bastion\_ssh\_keys | n/a | `list(string)` | n/a | yes |
+| config\_output\_path | n/a | `any` | n/a | yes |
+| eks\_authorized\_roles | n/a | `list(string)` | `[]` | no |
+| extra\_policy\_arn | n/a | `string` | `"arn:aws:iam::aws:policy/AmazonS3FullAccess"` | no |
+| instance\_types | n/a | `list(string)` | n/a | yes |
+| ip\_whitelist | n/a | `list(string)` | `[]` | no |
+| key\_name | n/a | `string` | n/a | yes |
+| kubectl\_assume\_role | n/a | `string` | `""` | no |
+| project\_fqdn | n/a | `string` | n/a | yes |
+| project\_prefix | n/a | `string` | n/a | yes |
+| project\_rev\_fqdn | n/a | `string` | n/a | yes |
+| spot\_price | n/a | `string` | `""` | no |
+| vpc\_cidr | n/a | `string` | `"172.31.0.0/16"` | no |
+| worker\_groups | n/a | `list` | <code><pre>[<br>  {<br>    "instance_type": "t3.large"<br>  },<br>  {<br>    "instance_type": "t3.2xlarge"<br>  }<br>]<br></pre></code> | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| bastion | How to reach bastion |
+| cluster\_name | n/a |
+| eks\_cluster | n/a |
+| kubeconfig\_filename | n/a |
+| vpc | n/a |
+| whitelist\_sg\_id | n/a |
+

bastions.tf

@@ -0,0 +1,133 @@
+/*
+ * Copyright (C) 2019 Risk Focus, Inc. - All Rights Reserved
+ * You may use, distribute and modify this code under the
+ * terms of the Apache License Version 2.0.
+ * http://www.apache.org/licenses
+ */
+
+data "aws_ami" "amazon-linux" {
+  most_recent = true
+
+  filter {
+    name   = "name"
+    values = ["amzn-ami-*"]
+  }
+
+  filter {
+    name   = "virtualization-type"
+    values = ["hvm"]
+  }
+
+  filter {
+    name   = "root-device-type"
+    values = ["ebs"]
+  }
+
+  # Amazon
+  owners = ["137112412989"]
+}
+
+data "aws_ami" "ubuntu" {
+  most_recent = true
+
+  filter {
+    name   = "name"
+    values = ["ubuntu/images/hvm-ssd/ubuntu-trusty-14.04-amd64-server-*"]
+  }
+
+  filter {
+    name   = "virtualization-type"
+    values = ["hvm"]
+  }
+
+  # Canonical
+  owners = ["099720109477"]
+}
+
+resource "aws_instance" "bastion" {
+  ami           = data.aws_ami.ubuntu.id
+  instance_type = var.bastion_instance_size
+  subnet_id     = module.vpc.public_subnets[0]
+
+  vpc_security_group_ids = [
+    aws_security_group.bastion_sg.id,
+    aws_security_group.bastion_incoming_ssh.id,
+  ]
+
+  key_name  = var.key_name
+  user_data = templatefile("${path.module}/templates/bastion_ssh_keys.sh.tpl", { bastion_ssh_keys = var.bastion_ssh_keys })
+  tags      = local.bastion_tags
+
+  lifecycle {
+    ignore_changes = [
+      ami,
+    ]
+  }
+}
+
+resource "aws_security_group" "allow_ssh_from_bastion" {
+  name        = "${var.project_prefix}-eks-bastion_ssh_access"
+  description = "Allow SSH from bastion"
+  vpc_id      = module.vpc.vpc_id
+
+  ingress {
+    from_port = 22
+    to_port   = 22
+    protocol  = "tcp"
+    security_groups = [
+      aws_security_group.bastion_sg.id,
+    ]
+  }
+
+  egress {
+    from_port = 22
+    to_port   = 22
+    protocol  = "tcp"
+    security_groups = [
+      aws_security_group.bastion_sg.id,
+    ]
+  }
+}
+
+resource "aws_security_group" "bastion_incoming_ssh" {
+  name        = "${var.project_prefix}-eks-bastion_incoming_ssh"
+  description = "Allow SSH to bastion from world"
+  vpc_id      = module.vpc.vpc_id
+
+  ingress {
+    from_port = 22
+    to_port   = 22
+    protocol  = "tcp"
+
+    cidr_blocks = var.ip_whitelist
+  }
+}
+
+resource "aws_security_group" "bastion_sg" {
+  name        = "${var.project_prefix}-eks-bastion_sg"
+  description = "Bastion SG"
+  vpc_id      = module.vpc.vpc_id
+
+  egress {
+    from_port = 0
+    to_port   = 0
+    protocol  = -1
+
+    # TF-UPGRADE-TODO: In Terraform v0.10 and earlier, it was sometimes necessary to
+    # force an interpolation expression to be interpreted as a list by wrapping it
+    # in an extra set of list brackets. That form was supported for compatibility in
+    # v0.11, but is no longer supported in Terraform v0.12.
+    #
+    # If the expression in the following list itself returns a list, remove the
+    # brackets to avoid interpretation as a list of lists. If the expression
+    # returns a single list item then leave it as-is and remove this TODO comment.
+    security_groups = [
+      module.eks.worker_security_group_id,
+    ]
+  }
+}
+
+output "bastion" {
+  description = "How to reach bastion"
+  value       = "ubuntu@${aws_instance.bastion.public_ip}"
+}