

Add files via upload
tdevout authored Feb 14, 2022
1 parent 55953e3 commit 8324b3b
Showing 11 changed files with 590 additions and 0 deletions.
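--- a/data.tf
+++ b/data.tf
@@ -0,0 +1,16 @@
+data "aws_iam_policy_document" "workers_assume_role_policy" {
+statement {
+sid = "EKSWorkerAssumeRole"
+
+actions = [
+"sts:AssumeRole",
+]
+
+principals {
+type = "Service"
+identifiers = ["ec2.amazonaws.com"]
+}
+}
+}
+
+data "aws_partition" "current" {}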
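Review bot: `data.aws_partition.current` is declared here but none of the six files rendered in this commit reference it, while eks-cluster.tf hard-codes the `arn:aws:` prefix in every entry of `managed_policy_arns`; either build those ARNs as `"arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy"` or drop the data source. The other five files of the commit are not loaded on this page, so it may be consumed there — worth confirming before removing it.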
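--- a/eks-cluster.tf
+++ b/eks-cluster.tf
@@ -0,0 +1,120 @@
+resource "aws_iam_role" "workers" {
+name = "workers_iam_role"
+assume_role_policy = data.aws_iam_policy_document.workers_assume_role_policy.json
+managed_policy_arns = ["arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy", "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly","arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy","arn:aws:iam::aws:policy/AmazonRoute53DomainsFullAccess","arn:aws:iam::aws:policy/AmazonRoute53ReadOnlyAccess","arn:aws:iam::aws:policy/AmazonRoute53FullAccess","arn:aws:iam::387345988065:policy/Route53TenantPolicy","arn:aws:iam::387345988065:policy/AllowTenantExternalDNSUpdates","arn:aws:iam::aws:policy/AmazonRoute53ResolverFullAccess"]
+permissions_boundary = var.permissions_boundary
+path = var.iam_path
+force_detach_policies = true
+}
+
+
+module "eks" {
+source = "terraform-aws-modules/eks/aws"
+cluster_name = var.eks.cluster_name
+cluster_version = var.eks.cluster_version
+subnets = concat(module.vpc.private_subnets,module.vpc.public_subnets)
+enable_irsa = true
+map_roles = local.map_roles
+cluster_endpoint_private_access = true
+cluster_endpoint_private_access_cidrs = var.eks.private_access_cidrs
+cluster_endpoint_public_access_cidrs = var.eks.public_access_cidrs
+tags = {
+Environment = "${var.eks.tags.environment}"
+}
+manage_aws_auth = var.eks.manage_aws_auth
+vpc_id = module.vpc.vpc_id
+
+depends_on = [aws_iam_role.workers]
+}
+
+data "aws_eks_cluster" "cluster" {
+name = module.eks.cluster_id
+}
+
+data "aws_eks_cluster_auth" "cluster" {
+name = module.eks.cluster_id
+}
+
+data "template_file" "launch_template_userdata" {
+template = file("./templates/userdata.sh.tpl")
+
+vars = {
+cluster_name = var.eks.cluster_name
+endpoint = module.eks.cluster_endpoint
+cluster_auth_base64 = module.eks.cluster_certificate_authority_data
+
+bootstrap_extra_args = ""
+kubelet_extra_args = ""
+}
+}
+
+resource "aws_launch_template" "default" {
+count = length(var.eks.node_group)
+name_prefix = var.environment
+description = "${var.eks.cluster_name} Launch-Template"
+update_default_version = true
+key_name = "eks-cluster"
+image_id = var.eks.image_id
+block_device_mappings {
+device_name = "/dev/xvda"
+ebs {
+volume_size = "${var.eks.node_group[count.index].disk_size}"
+volume_type = "gp2"
+delete_on_termination = true
+}
+}
+network_interfaces {
+associate_public_ip_address = false
+delete_on_termination = true
+security_groups = [module.eks.worker_security_group_id]
+}
+user_data = base64encode(
+data.template_file.launch_template_userdata.rendered,
+)
+tag_specifications {
+resource_type = "instance"
+tags = {
+clusterName = var.eks.cluster_name
+environment = var.environment
+}
+}
+tag_specifications {
+resource_type = "volume"
+tags = {
+clusterName = var.eks.cluster_name
+environment = var.environment
+}
+}
+tags = {
+clusterName = var.eks.cluster_name
+environment = var.environment
+}
+}
+
+resource "aws_eks_node_group" "workers" {
+count = length(var.eks.node_group)
+node_group_name = "${var.eks.node_group[count.index].name}"
+cluster_name = var.eks.cluster_name
+node_role_arn = aws_iam_role.workers.arn
+subnet_ids = module.vpc.private_subnets
+scaling_config {
+desired_size = "${var.eks.node_group[count.index].scaling_config.desired_size}"
+max_size = "${var.eks.node_group[count.index].scaling_config.max_size}"
+min_size = "${var.eks.node_group[count.index].scaling_config.min_size}"
+}
+instance_types = "${var.eks.node_group[count.index].instance_types}"
+launch_template {
+id = aws_launch_template.default[count.index].id
+version = aws_launch_template.default[count.index].latest_version
+}
+tags = {
+"node_group" = "${var.eks.node_group[count.index].tags.environment}"
+}
+lifecycle {
+create_before_destroy = true
+ignore_changes = [scaling_config.0.desired_size]
+}
+depends_on = [module.eks]
+}
+
+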
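Review bot: The worker node instance role's `managed_policy_arns` attaches AmazonRoute53FullAccess, AmazonRoute53DomainsFullAccess, AmazonRoute53ResolverFullAccess and two account-specific tenant policies to every node, so any pod that can reach the instance metadata service inherits full control of the account's DNS; the cluster enables IRSA (`enable_irsa = true`) and irsa.tf already shows the per-service-account pattern, so the DNS permissions belong on a dedicated service-account role and the node role should keep only the three standard EKS worker policies. The launch template also leaves `metadata_options` at their defaults, which lets pods read those node credentials over IMDSv1, and the root `ebs` block has no `encrypted = true`. The hard-coded account id `387345988065` and `arn:aws:` prefixes would be better derived from `data.aws_partition.current.partition` (declared in data.tf but unused here) and a caller-identity data source. `key_name = "eks-cluster"` ignores `var.eks.key_name`, which env/dev/default.tfvars sets to the same value.

```hcl
resource "aws_launch_template" "default" {
  # … unchanged: count, name_prefix, description, update_default_version, image_id …
  key_name = var.eks.key_name
  block_device_mappings {
    device_name = "/dev/xvda"
    ebs {
      # … unchanged: volume_size, volume_type, delete_on_termination …
      encrypted = true
    }
  }
  # Require IMDSv2 and keep the metadata endpoint one hop away, so pods cannot
  # use the node role's credentials; workloads needing AWS access use IRSA.
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }
  # … unchanged: network_interfaces, user_data, tag_specifications, tags …
}
```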
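--- a/env/dev/backend.tfvars
+++ b/env/dev/backend.tfvars
@@ -0,0 +1,3 @@
+bucket = "bucket-name"
+key = "dev"
+region = "us-east-2"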
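Review bot: The S3 backend settings carry no `encrypt = true` and no `dynamodb_table`, so the state file — which will hold the data-source results from eks-cluster.tf, including the `aws_eks_cluster_auth` token — is written with bucket defaults and concurrent applies are not serialized. Adding `encrypt = true` and `dynamodb_table = "<state-lock-table>"` (placeholder) closes both gaps. `bucket = "bucket-name"` looks like a placeholder that presumably must be replaced before `terraform init` succeeds; a comment saying so would save the next reader a failed run.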
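--- a/env/dev/default.tfvars
+++ b/env/dev/default.tfvars
@@ -0,0 +1,39 @@
+region = "us-east-2"
+environment = "dev"
+
+### vpc cluster
+vpc = {
+cidr = "10.0.0.0/16"
+private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+public_subnets = ["10.0.4.0/24", "10.0.5.0/24", "10.0.6.0/24"]
+}
+
+### EKS cluster
+eks = {
+cluster_name = "cluster-dev"
+cluster_version = "1.19"
+image_id = "ami-0ad418be69ef09deb"
+key_name = "eks-cluster"
+private_access_cidrs = ["10.0.0.0/16"]
+public_access_cidrs = ["0.0.0.0/0"]
+manage_aws_auth = true
+tags = {
+environment = "dev"
+},
+node_group = [
+{
+name = "cluster-dev-node-group-1",
+scaling_config = {
+desired_size = 2,
+max_size = 10,
+min_size = 1
+},
+disk_size = 100,
+instance_types = ["t2.medium"],
+tags = {
+"environment" = "cluster-dev-node-group-1"
+}
+}
+]
+}
+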
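Review bot: `public_access_cidrs = ["0.0.0.0/0"]` exposes the EKS control-plane endpoint to the entire internet, even though `private_access_cidrs` already covers the VPC and eks-cluster.tf enables private endpoint access; restrict it to the operator and CI egress ranges, e.g. `public_access_cidrs = ["<ci-egress-ip>/32"]` (placeholder), and tighten further once everything reaches the API from inside the VPC. `key_name = "eks-cluster"` is not read by any file in this commit — eks-cluster.tf hard-codes the same string on the launch template — so one of the two is dead. `cluster_version` and the pinned `image_id` must stay in step; a comment next to `image_id` recording which EKS version that AMI was built for would make the next upgrade safer.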
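--- a/irsa.tf
+++ b/irsa.tf
@@ -0,0 +1,58 @@
+module "iam_assumable_role_admin" {
+source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
+version = "4.1.0"
+create_role = true
+role_name = "${var.environment}-cluster-autoscaler"
+provider_url = replace(module.eks.cluster_oidc_issuer_url, "https://", "")
+role_policy_arns = [aws_iam_policy.cluster_autoscaler.arn]
+oidc_fully_qualified_subjects = ["system:serviceaccount:${local.k8s_service_account_namespace}:${local.k8s_service_account_name}"]
+}
+
+resource "aws_iam_policy" "cluster_autoscaler" {
+name_prefix = "${var.environment}-cluster-autoscaler"
+description = "EKS cluster-autoscaler policy for cluster ${var.environment}-${var.eks.cluster_name}"
+policy = data.aws_iam_policy_document.cluster_autoscaler.json
+}
+
+data "aws_iam_policy_document" "cluster_autoscaler" {
+statement {
+sid = "clusterAutoscalerAll"
+effect = "Allow"
+
+actions = [
+"autoscaling:DescribeAutoScalingGroups",
+"autoscaling:DescribeAutoScalingInstances",
+"autoscaling:DescribeLaunchConfigurations",
+"autoscaling:DescribeTags",
+"ec2:DescribeLaunchTemplateVersions",
+"sts:AssumeRoleWithWebIdentity"
+]
+
+resources = ["*"]
+}
+
+statement {
+sid = "clusterAutoscalerOwn"
+effect = "Allow"
+
+actions = [
+"autoscaling:SetDesiredCapacity",
+"autoscaling:TerminateInstanceInAutoScalingGroup",
+"autoscaling:UpdateAutoScalingGroup",
+]
+
+resources = ["*"]
+
+condition {
+test = "StringEquals"
+variable = "autoscaling:ResourceTag/kubernetes.io/cluster/${var.eks.cluster_name}"
+values = ["owned"]
+}
+
+condition {
+test = "StringEquals"
+variable = "autoscaling:ResourceTag/k8s.io/cluster-autoscaler/enabled"
+values = ["true"]
+}
+}
+}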
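Review bot: `"sts:AssumeRoleWithWebIdentity"` in the `clusterAutoscalerAll` statement is an identity-policy grant on `*` that buys the autoscaler nothing — whether the service account may assume this role is decided by the role's trust policy, which the `iam-assumable-role-with-oidc` module builds from `oidc_fully_qualified_subjects` — so the line should be dropped to keep the policy to the calls the autoscaler actually makes. The module label `iam_assumable_role_admin` contradicts the `"-cluster-autoscaler"` role name it creates; renaming it to `iam_assumable_role_cluster_autoscaler` (and the `module.iam_assumable_role_admin.iam_role_arn` reference in kubernetes.tf) would read correctly. `local.k8s_service_account_namespace` and `local.k8s_service_account_name` are not defined in the six files rendered here; presumably they live in one of the five files this page did not load.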
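--- a/kubernetes.tf
+++ b/kubernetes.tf
@@ -0,0 +1,152 @@
+# Kubernetes provider
+# https://learn.hashicorp.com/terraform/kubernetes/provision-eks-cluster#optional-configure-terraform-kubernetes-provider
+# To learn how to schedule deployments and services using the provider, go here: https://learn.hashicorp.com/terraform/kubernetes/deploy-nginx-kubernetes
+
+# The Kubernetes provider is included in this file so the EKS module can complete successfully. Otherwise, it throws an error when creating `kubernetes_config_map.aws_auth`.
+# You should **not** schedule deployments and services in this workspace. This keeps workspaces modular (one for provision EKS, another for scheduling Kubernetes resources) as per best practices.
+
+provider "kubernetes" {
+host = data.aws_eks_cluster.cluster.endpoint
+cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
+exec {
+api_version = "client.authentication.k8s.io/v1alpha1"
+command = "aws"
+args = [
+"eks",
+"get-token",
+"--cluster-name",
+data.aws_eks_cluster.cluster.name
+]
+}
+}
+
+provider "helm" {
+kubernetes {
+host = data.aws_eks_cluster.cluster.endpoint
+cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
+exec {
+api_version = "client.authentication.k8s.io/v1alpha1"
+args = ["eks", "get-token", "--cluster-name", var.eks.cluster_name]
+command = "aws"
+}
+}
+}
+
+resource "helm_release" "metric-server" {
+name = "metric-server"
+repository = "https://charts.bitnami.com/bitnami"
+chart = "metrics-server"
+namespace = "kube-system"
+
+depends_on = [aws_eks_node_group.workers]
+}
+
+resource "null_resource" "metric_server" {
+provisioner "local-exec" {
+command = "kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml"
+}
+depends_on = [aws_eks_node_group.workers]
+}
+
+resource "helm_release" "cluster-autoscaler" {
+name = "cluster-autoscaler"
+repository = "https://kubernetes.github.io/autoscaler"
+chart = "cluster-autoscaler"
+namespace = "kube-system"
+
+
+values = [templatefile("./valueOverrideFiles/clusterAutoScaler.yaml.tpl", {
+clusterName = var.eks.cluster_name ,
+serviceAccount = module.iam_assumable_role_admin.iam_role_arn ,
+awsRegion = var.region
+cloudProvider = "aws"
+fullnameOverride = "cluster-autoscaler"
+})]
+
+depends_on = [aws_eks_node_group.workers]
+}
+
+
+resource "helm_release" "prometheus" {
+name = "prometheus"
+repository = "https://prometheus-community.github.io/helm-charts"
+chart = "prometheus"
+namespace = "monitoring"
+create_namespace = true
+values = [
+"${file("valueOverrideFiles/prometheus.yaml")}"
+]
+depends_on = [aws_eks_node_group.workers]
+set {
+name = "fullnameOverride"
+value = "prometheus"
+}
+}
+
+
+resource "helm_release" "loki" {
+name = "loki"
+repository = "https://grafana.github.io/helm-charts"
+chart = "loki-stack"
+namespace = "monitoring"
+
+create_namespace = true
+depends_on = [aws_eks_node_group.workers]
+set {
+name = "fullnameOverride"
+value = "loki"
+}
+}
+
+resource "helm_release" "grafana" {
+name = "grafana"
+repository = "https://grafana.github.io/helm-charts"
+chart = "grafana"
+namespace = "monitoring"
+create_namespace = true
+depends_on = [aws_eks_node_group.workers]
+
+values = [
+"${file("valueOverrideFiles/grafanaValues.yaml")}"
+]
+
+set {
+name = "fullnameOverride"
+value = "grafana"
+}
+}
+
+resource "helm_release" "ingress-nginx" {
+name = "ingress"
+repository = "https://kubernetes.github.io/ingress-nginx"
+chart = "ingress-nginx"
+namespace = "ingress-nginx"
+create_namespace = true
+depends_on = [aws_eks_node_group.workers]
+set {
+name = "fullnameOverride"
+value = "ingress-nginx"
+}
+}
+
+resource "helm_release" "cert-manager" {
+name = "tls"
+repository = "https://charts.jetstack.io"
+chart = "cert-manager"
+namespace = "cert-manager"
+create_namespace = true
+
+depends_on = [aws_eks_node_group.workers]
+set {
+name = "version"
+value = "v1.3.1"
+}
+set {
+name = "installCRDs"
+value = true
+}
+set {
+name = "fullnameOverride"
+value = "cert-manager"
+}
+}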
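Review bot: `null_resource.metric_server` runs `kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml`, which pulls an unpinned, unverified manifest from the internet using whatever kubeconfig the operator's shell happens to have, and it installs a second metrics-server in `kube-system` alongside `helm_release.metric-server` from the bitnami chart; drop the null_resource and keep one pinned install. None of the `helm_release` resources pin a chart `version`, so every apply can pull a different chart; in `helm_release.cert-manager` the `set { name = "version" value = "v1.3.1" }` block only writes a chart value and does not pin the chart, so `version = "v1.3.1"` belongs as a resource-level argument in place of that `set` block, with the same treatment for the other releases. The two `exec` blocks use `client.authentication.k8s.io/v1alpha1`; later aws CLI releases emit `v1beta1` for `eks get-token`, so this is worth updating when the CLI is bumped.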

0 comments on commit 8324b3b
