Added modules for vpc and eks #2

Open
wants to merge 6 commits into base: master
Conversation

supratim-persistent (Collaborator)

No description provided.

@@ -0,0 +1,54 @@

resource "aws_iam_role" "eks_control_plane_role" {
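Review bot: only the resource header is visible for eks_control_plane_role, so the trust policy and attached policies cannot be checked from this hunk; before this is extracted into the services/iam/role module requested above, confirm that assume_role_policy trusts exactly the principal eks.amazonaws.com (no account-root or wildcard principal) and that the attachment is AmazonEKSClusterPolicy rather than a broader managed policy, and make those two inputs explicit in the module interface so callers cannot widen them silently.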
Collaborator

extract to a services/iam/role module

Collaborator Author

Done

resource "aws_eks_cluster" "eks_cluster" {
name = "${var.context.app_name}-eks_cluster"
role_arn = aws_iam_role.eks_control_plane_role.arn
enabled_cluster_log_types = ["api", "audit"]
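Review bot: enabled_cluster_log_types = ["api", "audit"] leaves out "authenticator", which is the log type that records which IAM principal authenticated to the cluster and how it was mapped to a Kubernetes user; on a cluster whose endpoint is public that is the log an incident responder needs first. Drive this from a list(string) variable whose default carries all five types (api, audit, authenticator, controllerManager, scheduler) and add a validation block that rejects any other value, instead of hard-coding two of them here.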
Collaborator

does this need to be configurable? Are there other options besides "api" and "audit"?

Collaborator Author

Yes, there are other values too, like authenticator, controller, etc., and I have parameterized it now instead of using specific values.


vpc_config {
subnet_ids = var.eks_cluster_settings.subnet_ids
endpoint_private_access = true
Collaborator

does this need to be configurable? when would we want to set this to false?

Collaborator Author

I have made this value configurable. Ideally we should never set it to false unless we want a completely public EKS cluster; setting it to false would mean the EKS control plane and node groups would communicate over the public internet. The ideal setting would be to set this to true along with endpoint_public_access = true, which would result in the cluster endpoint being publicly accessible, but communication between the control plane and node groups will happen through the AWS backbone network without ever going over the public internet.

vpc_config {
subnet_ids = var.eks_cluster_settings.subnet_ids
endpoint_private_access = true
endpoint_public_access = true
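Review bot: endpoint_public_access = true with no public_access_cidrs in this vpc_config means EKS applies its default of 0.0.0.0/0, so the API server endpoint is reachable from every internet address; authentication still applies, but the exposure for leaked credentials and API-server bugs is the whole internet. Add public_access_cidrs = var.public_access_cidrs next to these two lines, fail the plan when public access is enabled and that list is empty or contains 0.0.0.0/0, and document that endpoint_public_access = false with endpoint_private_access = true is the private-only mode the thread describes.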
Collaborator

does this need to be configurable? when would we want to set this to false?

Collaborator Author

I have made this value configurable; we should set this to false if we want a completely private cluster endpoint which can be accessed only from within the VPC or connected networks (viz. VPN and DC). The optimal settings are
endpoint_private_access = true
endpoint_public_access = true
this being the best of both worlds, where cluster-to-node-group communication is private; however, the cluster endpoint is publicly accessible and can be further safeguarded using "public_access_cidrs" to allow access to the cluster endpoint only from specific IPs.
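The configuration the two comments above describe (log types driven by a variable, private plus public endpoint access with public_access_cidrs as the guard), written out as an added worked example; this is not the PR's code. It assumes Terraform 1.2 or later for the lifecycle preconditions, reuses the PR's own references (var.context.app_name, var.eks_cluster_settings.subnet_ids, aws_iam_role.eks_control_plane_role) as if they are declared elsewhere in the module, and the variable names and the sample CIDRs are assumptions made for illustration.

```hcl
# Added example, not the PR's code. Assumes var.context, var.eks_cluster_settings
# and aws_iam_role.eks_control_plane_role exist elsewhere in the module.

variable "enabled_cluster_log_types" {
  description = "Control plane log types shipped to CloudWatch Logs."
  type        = list(string)
  # All five types; "authenticator" is the one that records who called the API.
  default     = ["api", "audit", "authenticator", "controllerManager", "scheduler"]

  validation {
    condition = alltrue([
      for t in var.enabled_cluster_log_types :
      contains(["api", "audit", "authenticator", "controllerManager", "scheduler"], t)
    ])
    error_message = "Allowed values: api, audit, authenticator, controllerManager, scheduler."
  }
}

variable "endpoint_private_access" {
  description = "Expose the API server inside the VPC (node-to-control-plane traffic stays private)."
  type        = bool
  default     = true
}

variable "endpoint_public_access" {
  description = "Expose the API server on a public endpoint; restrict it with public_access_cidrs."
  type        = bool
  default     = true
}

variable "public_access_cidrs" {
  description = "Source CIDRs allowed to reach the public endpoint (ignored when endpoint_public_access = false)."
  type        = list(string)
  # Constructed sample ranges (documentation prefixes), assumed to be an office egress IP and a VPN range.
  default     = ["203.0.113.10/32", "198.51.100.0/24"]

  validation {
    condition     = !contains(var.public_access_cidrs, "0.0.0.0/0")
    error_message = "public_access_cidrs must not contain 0.0.0.0/0; restrict the public endpoint to known source IPs."
  }
}

resource "aws_eks_cluster" "eks_cluster" {
  name                      = "${var.context.app_name}-eks_cluster"
  role_arn                  = aws_iam_role.eks_control_plane_role.arn
  enabled_cluster_log_types = var.enabled_cluster_log_types

  vpc_config {
    subnet_ids              = var.eks_cluster_settings.subnet_ids
    endpoint_private_access = var.endpoint_private_access
    endpoint_public_access  = var.endpoint_public_access
    # Only meaningful with public access on; without it EKS defaults the allow-list to 0.0.0.0/0.
    public_access_cidrs     = var.endpoint_public_access ? var.public_access_cidrs : null
  }

  lifecycle {
    # EKS rejects a cluster with both access modes off; fail early with a clear message.
    precondition {
      condition     = var.endpoint_private_access || var.endpoint_public_access
      error_message = "At least one of endpoint_private_access / endpoint_public_access must be true."
    }
    # The "completely public" endpoint the thread warns about: public access with no allow-list.
    precondition {
      condition     = !var.endpoint_public_access || length(var.public_access_cidrs) > 0
      error_message = "endpoint_public_access = true requires a non-empty public_access_cidrs allow-list."
    }
  }
}
```

With these guards, terraform plan fails instead of creating a cluster whose API server answers to 0.0.0.0/0, and the private-only mode from the comment above is simply endpoint_public_access = false with the private flag left at its default.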

@@ -0,0 +1,54 @@

Collaborator

this module should be:

services/eks/cluster/base/v1

Collaborator Author

Done

@@ -0,0 +1,26 @@

resource "aws_vpc" "vpc" {
Collaborator

rename module services/network/vpc/base/v1

state = "available"
}

resource "aws_subnet" "private-sub" {
Collaborator

extract to module

services/network/subnet/base/v1

route_table_id = aws_route_table.privateRT.id
}

resource "aws_subnet" "public-sub" {
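Review bot: resource names in this hunk mix three conventions: privateRT (camelCase) beside private-sub and public-sub (kebab-case) and eks_cluster (snake_case) earlier in the diff. Settle on snake_case (private_rt, private_subnet, public_subnet) before these are extracted into the vpc/subnet/route-table modules the reviewer asks for; renaming after the first apply forces moved blocks or terraform state mv for every consumer.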
Collaborator

it looks like you are trying to create a special kind of vpc template that has a set number of subnets (private and public)

extract this to another module:

/services/network/vpc/public/v1

where you have both private and public subnet

we could create another vpc template for private-only subnet called this:

/services/network/vpc/private/v1

nat_gateway_id = aws_nat_gateway.ngw.id
}

resource "aws_route_table" "publicRT" {
Collaborator

extract to module /services/network/route-table/base/v1

)
}

resource "aws_route" "private-route" {
Collaborator

extract to module /services/network/route/base/v1

you can create another one for internet route

services/network/route/internet/v1

which will route through an internet gateway
