Added modules for vpc and eks #2
Conversation
@@ -0,0 +1,54 @@ | |||
|
|||
resource "aws_iam_role" "eks_control_plane_role" { |
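Review bot: the assume_role_policy and attached policies of eks_control_plane_role are outside the visible lines of this hunk; when it moves into the services/iam/role module, confirm the trust policy names only the eks.amazonaws.com service principal and that only the managed policy EKS needs (AmazonEKSClusterPolicy) is attached, so nothing else in the account can assume the control-plane role.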
extract to a services/iam/role module
Done
resource "aws_eks_cluster" "eks_cluster" { | ||
name = "${var.context.app_name}-eks_cluster" | ||
role_arn = aws_iam_role.eks_control_plane_role.arn | ||
enabled_cluster_log_types = ["api", "audit"] |
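Review bot: enabled_cluster_log_types on the last line of this hunk is a hard-coded list, so it cannot differ per environment. Move it to a list variable with a validation block restricting values to the set EKS accepts (api, audit, authenticator, controllerManager, scheduler), and keep audit in the default: the audit log is the record of who did what against the API server and the usual input for detection.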
does this need to be configurable? Are there other options besides "api" and "audit"?
Yes, there are other values too, like authenticator, controller, etc., and I have parameterized it now instead of specific values.
|
||
vpc_config { | ||
subnet_ids = var.eks_cluster_settings.subnet_ids | ||
endpoint_private_access = true |
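Review bot: endpoint_private_access = true is hard-coded on the last line here, and nothing in the hunk shows endpoint_public_access, so as written the module cannot express a private-only cluster. Expose both flags as variables defaulting to true, and add a validation or precondition rejecting the combination private = false, public = false, which EKS refuses at apply time.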
does this need to be configurable? when would we want to set this to false?
I have made this value configurable. Ideally we should never set it to false unless we want a completely public EKS cluster; setting it to false would mean the EKS control plane and node groups communicate over the public internet. The ideal setting would be to set this to true along with endpoint_public_access = true, which results in the cluster endpoint being publicly accessible while communication between the control plane and node groups happens through the AWS backbone network without ever going over the public internet.
vpc_config { | ||
subnet_ids = var.eks_cluster_settings.subnet_ids | ||
endpoint_private_access = true | ||
endpoint_public_access = true |
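Review bot: endpoint_public_access = true on the last line is not accompanied by public_access_cidrs, so the API endpoint defaults to being reachable from 0.0.0.0/0 (still IAM-authenticated, but internet-exposed). Add a public_access_cidrs input with no open-world default, e.g. public_access_cidrs = var.eks_cluster_settings.public_access_cidrs, and keep a private-only option for clusters that only need VPC or VPN access.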
does this need to be configurable? when would we want to set this to false?
I have made this value configurable. We should set this to false if we want a completely private cluster endpoint which can be accessed only from within the VPC or connected networks (viz. VPN and DC). Optimal settings are
endpoint_private_access = true
endpoint_public_access = true
this being the best of both worlds: cluster-to-nodegroup communication is private, while the cluster endpoint is publicly accessible and can be further safeguarded using "public_access_cidrs" to allow access to the cluster endpoint only from specific IPs.
@@ -0,0 +1,54 @@ | |||
|
this module should be:
services/eks/cluster/base/v1
Done
@@ -0,0 +1,26 @@ | |||
|
|||
resource "aws_vpc" "vpc" { |
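Review bot: the body of aws_vpc.vpc is not in the visible lines of this hunk; before it becomes the services/network/vpc/base/v1 module, make sure it sets enable_dns_support = true and enable_dns_hostnames = true, since EKS nodes cannot register with the cluster in a VPC without DNS hostnames, and consider adding VPC flow logs in the same module so every VPC built from it has network-level visibility.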
rename module services/network/vpc/base/v1
state = "available" | ||
} | ||
|
||
resource "aws_subnet" "private-sub" { |
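Review bot: resource naming is inconsistent across this file: "private-sub" and "public-sub" are hyphenated, privateRT and publicRT are camel-cased, and ngw is an abbreviation. Terraform's style convention is lowercase with underscores (private, public_rt, nat_gw); settle on one form now, before these names become module outputs that other modules reference.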
extract to module
services/network/subnet/base/v1
route_table_id = aws_route_table.privateRT.id | ||
} | ||
|
||
resource "aws_subnet" "public-sub" { |
it looks like you are trying to create a special kind of vpc template that has a set number of subnets (private and public)
extract this to another module:
/services/network/vpc/public/v1
where you have both private and public subnet
we could create another vpc template for private-only subnets, called this:
/services/network/vpc/private/v1
nat_gateway_id = aws_nat_gateway.ngw.id | ||
} | ||
|
||
resource "aws_route_table" "publicRT" { |
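Review bot: aws_nat_gateway.ngw on the first line of this hunk is a single, unindexed resource, so the default route of every private subnet goes through one NAT gateway in one AZ; losing that AZ removes egress for private subnets in the others. Either document this as an intended cost trade-off in the module README or create one NAT gateway per AZ and give each private route table its own.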
extract to module /services/network/route-table/base/v1
) | ||
} | ||
|
||
resource "aws_route" "private-route" { |
extract to module /services/network/route/base/v1
you can create another one for internet route
services/network/route/internet/v1
which will route through an internet gateway