This is an automated email from the ASF dual-hosted git repository. omartushevskyi pushed a commit to branch DLAB-terraform in repository https://gitbox.apache.org/repos/asf/incubator-dlab.git
commit 5d23bfbd59f3c9180951aafd7024e67d0ca2d9c7
Author: Oleh Martushevskyi <[email protected]>
AuthorDate: Mon Jul 1 18:20:50 2019 +0300
[DLAB-572]: added Terraform scripts for K8S infrastructure provisioning and configuration
---
.../terraform/aws/main/main.tf | 24 ++++
.../terraform/aws/main/variables.tf | 71 +++++++++++
.../aws/modules/ssn-k8s/auto_scaling_groups.tf | 96 ++++++++++++++
.../aws/modules/ssn-k8s/files/assume-policy.json | 13 ++
.../aws/modules/ssn-k8s/files/masters-user-data.sh | 138 +++++++++++++++++++++
.../aws/modules/ssn-k8s/files/ssn-policy.json.tpl | 43 +++++++
.../aws/modules/ssn-k8s/files/workers-user-data.sh | 47 +++++++
.../terraform/aws/modules/ssn-k8s/lb.tf | 33 +++++
.../terraform/aws/modules/ssn-k8s/role_policy.tf | 30 +++++
.../terraform/aws/modules/ssn-k8s/s3.tf | 8 ++
.../aws/modules/ssn-k8s/security_groups.tf | 47 +++++++
.../terraform/aws/modules/ssn-k8s/variables.tf | 33 +++++
.../terraform/aws/modules/ssn-k8s/vpc.tf | 54 ++++++++
13 files changed, 637 insertions(+)
diff --git a/infrastructure-provisioning/terraform/aws/main/main.tf b/infrastructure-provisioning/terraform/aws/main/main.tf
new file mode 100644
index 0000000..881b333
--- /dev/null
+++ b/infrastructure-provisioning/terraform/aws/main/main.tf
@@ -0,0 +1,24 @@
+provider "aws" {
+ region = var.region
+}
+
+module "ssn-k8s" {
+ source = "../modules/ssn-k8s"
+ service_base_name = var.service_base_name
+ vpc_id = var.vpc_id
+ vpc_cidr = var.vpc_cidr
+ subnet_id = var.subnet_id
+ env_os = var.env_os
+ ami = var.ami
+ key_name = var.key_name
+ region = var.region
+ zone = var.zone
+ masters_count = var.masters_count
+ workers_count = var.workers_count
+ root_volume_size = var.root_volume_size
+ allowed_cidrs = var.allowed_cidrs
+ subnet_cidr = var.subnet_cidr
+ masters_shape = var.masters_shape
+ workers_shape = var.workers_shape
+ os-user = var.os-user
+}
diff --git a/infrastructure-provisioning/terraform/aws/main/variables.tf b/infrastructure-provisioning/terraform/aws/main/variables.tf
new file mode 100644
index 0000000..6f86c42
--- /dev/null
+++ b/infrastructure-provisioning/terraform/aws/main/variables.tf
@@ -0,0 +1,71 @@
+variable "region" {
+ default = "us-west-2"
+}
+
+variable "zone" {
+ default = "a"
+}
+
+variable "service_base_name" {
+ default = "k8s"
+}
+
+variable "vpc_id" {
+ default = ""
+}
+
+variable "vpc_cidr" {
+ default = "172.31.0.0/16"
+}
+
+variable "subnet_id" {
+ default = ""
+}
+
+variable "subnet_cidr" {
+ default = "172.31.0.0/24"
+}
+
+variable "env_os" {
+ default = "debian"
+}
+
+variable "ami" {
+ type = "map"
+ default = {
+ "debian" = "ami-08692d171e3cf02d6",
+ "redhat" = ""
+ }
+}
+
+variable "key_name" {
+ default = "BDCC-DSS-POC"
+}
+
+variable "masters_count" {
+ default = 3
+}
+
+variable "workers_count" {
+ default = 2
+}
+
+variable "root_volume_size" {
+ default = 30
+}
+
+variable "allowed_cidrs" {
+ default = ["0.0.0.0/0"]
+}
+
+variable "masters_shape" {
+ default = "t2.medium"
+}
+
+variable "workers_shape" {
+ default = "t2.medium"
+}
+
+variable "os-user" {
+ default = "dlab-user"
+}
\ No newline at end of file
diff --git a/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/auto_scaling_groups.tf b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/auto_scaling_groups.tf
new file mode 100644
index 0000000..7ba0971
--- /dev/null
+++ b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/auto_scaling_groups.tf
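Review bot: `allowed_cidrs` defaults to `["0.0.0.0/0"]`, so the SSH ingress that security_groups.tf builds from it is world-reachable unless every caller remembers to override it; a secure-by-default root module should carry no default for this variable (`variable "allowed_cidrs" {}`) so that `terraform apply` asks for the operator ranges. The `key_name` default `"BDCC-DSS-POC"` and the `ami` map likewise bake one environment into the module: the AMI id is only valid in one region while `region` is independently overridable, and the `redhat` entry is an empty string that `var.ami[var.env_os]` will pass straight to `image_id`. I would drop the key_name default and either key the AMI map by region or state in a comment that `ami` and `region` must be supplied together.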
@@ -0,0 +1,96 @@
+data "template_file" "k8s-masters-user-data" {
+ template = file("../modules/ssn-k8s/files/masters-user-data.sh")
+ vars = {
+ k8s-asg = "${var.service_base_name}-master"
+ k8s-region = var.region
+ k8s-bucket-name = aws_s3_bucket.k8s-bucket.id
+ k8s-eip = aws_eip.k8s-lb-eip.public_ip
+ k8s-tg-arn = aws_lb_target_group.k8s-lb-target-group.arn
+ k8s-os-user = var.os-user
+ }
+}
+
+data "template_file" "k8s-workers-user-data" {
+ template = file("../modules/ssn-k8s/files/workers-user-data.sh")
+ vars = {
+ k8s-bucket-name = aws_s3_bucket.k8s-bucket.id
+ k8s-os-user = var.os-user
+ }
+}
+
+resource "aws_launch_configuration" "as_conf_masters" {
+ name = "${var.service_base_name}-as-conf-masters"
+ image_id = var.ami[var.env_os]
+ instance_type = var.masters_shape
+ key_name = var.key_name
+ security_groups = [aws_security_group.k8s-sg.id]
+ iam_instance_profile = aws_iam_instance_profile.k8s-profile.name
+ root_block_device {
+ volume_type = "gp2"
+ volume_size = var.root_volume_size
+ delete_on_termination = true
+ }
+
+ lifecycle {
+ create_before_destroy = true
+ }
+ user_data = data.template_file.k8s-masters-user-data.rendered
+}
+
+resource "aws_launch_configuration" "as_conf_workers" {
+ name = "${var.service_base_name}-as-conf-workers"
+ image_id = var.ami[var.env_os]
+ instance_type = var.workers_shape
+ key_name = var.key_name
+ security_groups = [aws_security_group.k8s-sg.id]
+ iam_instance_profile = aws_iam_instance_profile.k8s-profile.name
+ root_block_device {
+ volume_type = "gp2"
+ volume_size = var.root_volume_size
+ delete_on_termination = true
+ }
+
+ lifecycle {
+ create_before_destroy = true
+ }
+ user_data = data.template_file.k8s-workers-user-data.rendered
+}
+
+resource "aws_autoscaling_group" "autoscaling_group_masters" {
+ name = "${var.service_base_name}-master"
+ launch_configuration = aws_launch_configuration.as_conf_masters.name
+ min_size = var.masters_count
+ max_size = var.masters_count
+ vpc_zone_identifier = [data.aws_subnet.k8s-subnet-data.id]
+ target_group_arns = [aws_lb_target_group.k8s-lb-target-group.arn]
+
+ lifecycle {
+ create_before_destroy = true
+ }
+ tags = [
+ {
+ key = "Name"
+ value = "${var.service_base_name}-master"
+ propagate_at_launch = true
+ }
+ ]
+}
+
+resource "aws_autoscaling_group" "autoscaling_group_workers" {
+ name = "${var.service_base_name}-worker"
+ launch_configuration = aws_launch_configuration.as_conf_workers.name
+ min_size = var.workers_count
+ max_size = var.workers_count
+ vpc_zone_identifier = [data.aws_subnet.k8s-subnet-data.id]
+
+ lifecycle {
+ create_before_destroy = true
+ }
+ tags = [
+ {
+ key = "Name"
+ value = "${var.service_base_name}-worker"
+ propagate_at_launch = true
+ }
+ ]
+}
\ No newline at end of file
diff --git a/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/files/assume-policy.json b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/files/assume-policy.json
new file mode 100644
index 0000000..680b6f8
--- /dev/null
+++ b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/files/assume-policy.json
@@ -0,0 +1,13 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Action": "sts:AssumeRole",
+ "Principal": {
+ "Service": "ec2.amazonaws.com"
+ },
+ "Effect": "Allow",
+ "Sid": ""
+ }
+ ]
+}
\ No newline at end of file
diff --git a/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/files/masters-user-data.sh b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/files/masters-user-data.sh
new file mode 100644
index 0000000..0dd15d1
--- /dev/null
+++ b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/files/masters-user-data.sh
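Review bot: Both `aws_launch_configuration` resources combine a fixed `name` with `create_before_destroy = true`; on any change Terraform creates the replacement before destroying the old one, and the API rejects a second launch configuration with the same name, so every update of the user-data or AMI fails — use `name_prefix = "${var.service_base_name}-as-conf-masters-"` (and `-workers-`) instead. The `root_block_device` blocks also leave the volumes unencrypted although the master roots hold etcd data and `/etc/kubernetes/pki`; adding `encrypted = true` to both blocks costs nothing. The two `file("../modules/ssn-k8s/files/...")` calls resolve relative to the working directory rather than the module, so the module only works when applied from `main/`; `file("${path.module}/files/masters-user-data.sh")` fixes that, and the same applies to the three `file()` calls in role_policy.tf.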
@@ -0,0 +1,138 @@
+#!/bin/bash
+set -ex
+
+check_tokens () {
+RUN=`aws s3 ls s3://${k8s-bucket-name}/k8s/masters/ > /dev/null && echo "true" || echo "false"`
+sleep 5
+}
+
+check_elb_status () {
+RUN=`aws elbv2 describe-target-health --target-group-arn ${k8s-tg-arn} --region ${k8s-region} | \
+ jq -r '.TargetHealthDescriptions[].TargetHealth.State' | \
+ grep "^healthy" > /dev/null && echo "true" || echo "false"`
+sleep 5
+}
+
+# Creating DLab user
+sudo useradd -m -G sudo -s /bin/bash ${k8s-os-user}
+sudo bash -c 'echo "${k8s-os-user} ALL = NOPASSWD:ALL" >> /etc/sudoers'
+sudo mkdir /home/${k8s-os-user}/.ssh
+sudo bash -c 'cat /home/ubuntu/.ssh/authorized_keys > /home/${k8s-os-user}/.ssh/authorized_keys'
+sudo chown -R ${k8s-os-user}:${k8s-os-user} /home/${k8s-os-user}/
+sudo chmod 700 /home/${k8s-os-user}/.ssh
+sudo chmod 600 /home/${k8s-os-user}/.ssh/authorized_keys
+
+sudo apt-get update
+sudo apt-get install -y python-pip jq
+sudo pip install -U pip
+sudo pip install awscli
+
+local_ip=`curl http://169.254.169.254/latest/meta-data/local-ipv4`
+first_master_ip=`aws autoscaling describe-auto-scaling-instances --region ${k8s-region} --output text --query \
+ "AutoScalingInstances[?AutoScalingGroupName=='${k8s-asg}'].InstanceId" | xargs -n1 aws ec2 \
+ describe-instances --instance-ids $ID --region ${k8s-region} --query \
+ "Reservations[].Instances[].PrivateIpAddress" --output text | sort | head -n1`
+
+# installing Docker
+sudo bash -c 'curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -'
+sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
+sudo apt-get update
+sudo apt-get install -y docker-ce
+sudo systemctl enable docker
+# installing kubeadm, kubelet and kubectl
+sudo apt-get install -y apt-transport-https curl
+sudo bash -c 'curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add -'
+sudo bash -c 'echo "deb http://apt.kubernetes.io/ kubernetes-xenial main" > /etc/apt/sources.list.d/kubernetes.list'
+sudo apt-get update
+sudo apt-get install -y kubelet kubeadm kubectl
+
+check_tokens
+if [[ $local_ip == $first_master_ip ]] && [[ $RUN == "false" ]];then
+cat <<EOF > /tmp/kubeadm-config.yaml
+apiVersion: kubeadm.k8s.io/v1beta2
+kind: ClusterConfiguration
+kubernetesVersion: stable
+apiServerCertSANs:
+ - ${k8s-eip}
+controlPlaneEndpoint: "${k8s-eip}:6443"
+EOF
+sudo kubeadm init --config=/tmp/kubeadm-config.yaml --upload-certs
+while check_elb_status
+do
+ if [[ $RUN == "false" ]];
+ then
+ echo "Waiting for LB healthy status..."
+ else
+ echo "LB status is healthy!"
+ break
+ fi
+done
+sudo mkdir -p /home/${k8s-os-user}/.kube
+sudo cp -i /etc/kubernetes/admin.conf /home/${k8s-os-user}/.kube/config
+sudo chown -R ${k8s-os-user}:${k8s-os-user} /home/${k8s-os-user}/.kube
+sudo kubeadm token create --print-join-command > /tmp/join_command
+sudo kubeadm init phase upload-certs --upload-certs | grep -v "upload-certs" > /tmp/cert_key
+sudo -i -u ${k8s-os-user} kubectl apply -f \
+ "https://cloud.weave.works/k8s/net?k8s-version=$(sudo -i -u ${k8s-os-user} kubectl version | base64 | tr -d '\n')"
+sleep 60
+aws s3 cp /tmp/join_command s3://${k8s-bucket-name}/k8s/masters/join_command
+aws s3 cp /tmp/cert_key s3://${k8s-bucket-name}/k8s/masters/cert_key
+sudo rm -f /tmp/join_command
+sudo rm -f /tmp/cert_key
+else
+while check_tokens
+do
+ if [[ $RUN == "false" ]];
+ then
+ echo "Waiting for initial cluster initialization..."
+ else
+ echo "Initial cluster initialized!"
+ break
+ fi
+done
+aws s3 cp s3://${k8s-bucket-name}/k8s/masters/join_command /tmp/join_command
+aws s3 cp s3://${k8s-bucket-name}/k8s/masters/cert_key /tmp/cert_key
+join_command=`cat /tmp/join_command`
+cert_key=`cat /tmp/cert_key`
+sudo $join_command --control-plane --certificate-key $cert_key
+sudo mkdir -p /home/${k8s-os-user}/.kube
+sudo cp -i /etc/kubernetes/admin.conf /home/${k8s-os-user}/.kube/config
+sudo chown -R ${k8s-os-user}:${k8s-os-user} /home/${k8s-os-user}/.kube
+fi
+cat <<EOF > /tmp/update_files.sh
+#!/bin/bash
+sudo kubeadm token create --print-join-command > /tmp/join_command
+sudo kubeadm init phase upload-certs --upload-certs | grep -v "upload-certs" > /tmp/cert_key
+aws s3 cp /tmp/join_command s3://${k8s-bucket-name}/k8s/masters/join_command
+aws s3 cp /tmp/cert_key s3://${k8s-bucket-name}/k8s/masters/cert_key
+sudo rm -f /tmp/join_command
+sudo rm -f /tmp/cert_key
+EOF
+sudo mv /tmp/update_files.sh /usr/local/bin/update_files.sh
+sudo chmod 755 /usr/local/bin/update_files.sh
+sudo bash -c 'echo "0 0 * * * root /usr/local/bin/update_files.sh" >> /etc/crontab'
+
+cat <<EOF > /tmp/remove-etcd-member.sh
+#!/bin/bash
+hostname=\$(/bin/hostname)
+not_ready_node=\$(/usr/bin/sudo -i -u ${k8s-os-user} /usr/bin/kubectl get nodes | grep NotReady | grep master | awk '{print \$1}')
+if [[ \$not_ready_node != "" ]]; then
+etcd_pod_name=\$(/usr/bin/sudo -i -u ${k8s-os-user} /usr/bin/kubectl get pods -n kube-system | /bin/grep etcd \
+ | /bin/grep "\$hostname" | /usr/bin/awk '{print \$1}')
+etcd_member_id=\$(/usr/bin/sudo -i -u ${k8s-os-user} /usr/bin/kubectl -n kube-system exec -it \$etcd_pod_name \
+ -- /bin/sh -c "ETCDCTL_API=3 etcdctl member list --endpoints=https://[127.0.0.1]:2379 \
+ --cacert=/etc/kubernetes/pki/etcd/ca.crt --cert=/etc/kubernetes/pki/etcd/healthcheck-client.crt \
+ --key=/etc/kubernetes/pki/etcd/healthcheck-client.key" | /bin/grep ", \$not_ready_node" | /usr/bin/awk -F',' '{print \$1}')
+/usr/bin/sudo -i -u ${k8s-os-user} /usr/bin/kubectl -n kube-system exec -it \$etcd_pod_name \
+ -- /bin/sh -c "ETCDCTL_API=3 etcdctl member remove \$etcd_member_id --endpoints=https://[127.0.0.1]:2379 \
+ --cacert=/etc/kubernetes/pki/etcd/ca.crt --cert=/etc/kubernetes/pki/etcd/healthcheck-client.crt \
+ --key=/etc/kubernetes/pki/etcd/healthcheck-client.key"
+/usr/bin/sudo -i -u ${k8s-os-user} /usr/bin/kubectl delete node \$not_ready_node
+
+fi
+
+EOF
+sudo mv /tmp/remove-etcd-member.sh /usr/local/bin/remove-etcd-member.sh
+sudo chmod 755 /usr/local/bin/remove-etcd-member.sh
+sleep 600
+sudo bash -c 'echo "* * * * * root /usr/local/bin/remove-etcd-member.sh >> /var/log/cron_k8s.log 2>&1" >> /etc/crontab'
diff --git a/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/files/ssn-policy.json.tpl b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/files/ssn-policy.json.tpl
new file mode 100644
index 0000000..3532064
--- /dev/null
+++ b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/files/ssn-policy.json.tpl
@@ -0,0 +1,43 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": "s3:ListAllMyBuckets",
+ "Resource": "arn:aws:s3:::*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "s3:ListBucket",
+ "s3:GetBucketLocation",
+ "s3:PutBucketPolicy",
+ "s3:PutEncryptionConfiguration"
+ ],
+ "Resource": [
+ "${bucket_arn}"
+ ]
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "s3:HeadObject",
+ "s3:PutObject",
+ "s3:GetObject",
+ "s3:DeleteObject"
+ ],
+ "Resource": [
+ "${bucket_arn}/*"
+ ]
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "autoscaling:DescribeAutoScalingInstances",
+ "ec2:DescribeInstances",
+ "elasticloadbalancing:DescribeTargetHealth"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/files/workers-user-data.sh b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/files/workers-user-data.sh
new file mode 100644
index 0000000..d85a99e
--- /dev/null
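Review bot: `set -ex` on the second line traces every command into the cloud-init output log, so the `sudo $join_command --control-plane --certificate-key $cert_key` line records the bootstrap token, the CA hash and the certificate key in clear text in `/var/log/cloud-init-output.log` on every secondary master; drop the `-x` (`set -e`, as workers-user-data.sh already does) or bracket the join with `set +x` / `set -x`. The certificate key produced by `kubeadm init phase upload-certs` is only valid for two hours, while `update_files.sh` refreshes the S3 copy once a day at midnight, so a master that joins more than two hours after the last refresh (an ASG replacement, for instance) fails at certificate download; the refresh cron needs to run at least hourly, or the joining master should obtain a fresh key from an existing one. In the `first_master_ip` pipeline `$ID` is never set, so `--instance-ids` is followed directly by `--region` and the id xargs appends ends up as a trailing argument — presumably this happens to work, but `xargs -I{} aws ec2 describe-instances --instance-ids {} ...` says what is meant. The secret-bearing objects should also be written with `aws s3 cp --sse AES256` unless the bucket gets default encryption.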
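Review bot: The second statement grants the node role `s3:PutBucketPolicy` and `s3:PutEncryptionConfiguration` on the bucket, yet neither user-data script calls them; a node that holds this role can rewrite the policy of the bucket that stores the join token and certificate key, so both actions should be removed and the statement reduced to `"s3:ListBucket"` and `"s3:GetBucketLocation"`. `s3:HeadObject` in the third statement is not an IAM action — HEAD requests are authorized by `s3:GetObject` — so it can be dropped as well. `s3:ListAllMyBuckets` on `arn:aws:s3:::*` is likewise unused: the `aws s3 ls s3://<bucket>/k8s/masters/` calls in the scripts need only `ListBucket` on the one bucket.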
+++ b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/files/workers-user-data.sh
@@ -0,0 +1,47 @@
+#!/bin/bash
+set -e
+
+check_tokens () {
+RUN=`aws s3 ls s3://${k8s-bucket-name}/k8s/masters/ > /dev/null && echo "true" || echo "false"`
+sleep 5
+}
+
+# Creating DLab user
+sudo useradd -m -G sudo -s /bin/bash ${k8s-os-user}
+sudo bash -c 'echo "${k8s-os-user} ALL = NOPASSWD:ALL" >> /etc/sudoers'
+sudo mkdir /home/${k8s-os-user}/.ssh
+sudo bash -c 'cat /home/ubuntu/.ssh/authorized_keys > /home/${k8s-os-user}/.ssh/authorized_keys'
+sudo chown -R ${k8s-os-user}:${k8s-os-user} /home/${k8s-os-user}/
+sudo chmod 700 /home/${k8s-os-user}/.ssh
+sudo chmod 600 /home/${k8s-os-user}/.ssh/authorized_keys
+
+sudo apt-get update
+sudo apt-get install -y python-pip
+sudo pip install -U pip
+sudo pip install awscli
+
+# installing Docker
+sudo bash -c 'curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -'
+sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
+sudo apt-get update
+sudo apt-get install -y docker-ce
+sudo systemctl enable docker
+# installing kubeadm, kubelet and kubectl
+sudo apt-get install -y apt-transport-https curl
+sudo bash -c 'curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add -'
+sudo bash -c 'echo "deb http://apt.kubernetes.io/ kubernetes-xenial main" > /etc/apt/sources.list.d/kubernetes.list'
+sudo apt-get update
+sudo apt-get install -y kubelet kubeadm kubectl
+while check_tokens
+do
+ if [[ $RUN == "false" ]];
+ then
+ echo "Waiting for initial cluster initialization..."
+ else
+ echo "Initial cluster initialized!"
+ break
+ fi
+done
+aws s3 cp s3://${k8s-bucket-name}/k8s/masters/join_command /tmp/join_command
+join_command=`cat /tmp/join_command`
+sudo $join_command
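Review bot: The `echo "${k8s-os-user} ALL = NOPASSWD:ALL" >> /etc/sudoers` line edits the main sudoers file with no syntax check; a malformed entry disables sudo for every account, including the one the script has just created and the `sudo` calls that follow. Write a validated drop-in instead: `echo "${k8s-os-user} ALL=(ALL) NOPASSWD:ALL" | sudo tee /etc/sudoers.d/${k8s-os-user}`, then `sudo chmod 440 /etc/sudoers.d/${k8s-os-user}` and `sudo visudo -cf /etc/sudoers.d/${k8s-os-user}`; the identical line is in masters-user-data.sh. The copy from `/home/ubuntu/.ssh/authorized_keys` hard-codes the AMI's default account even though `env_os` defaults to `debian`, and under `set -e` a missing file aborts the script before the node ever joins — presumably the AMI is Ubuntu-based, but that assumption deserves a comment next to the line. The join command downloaded from S3 is executed unquoted via `sudo $join_command`; that is what makes word-splitting work, but a one-line comment saying so would stop the next reader from "fixing" it.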
diff --git a/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/lb.tf b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/lb.tf
new file mode 100644
index 0000000..277d893
--- /dev/null
+++ b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/lb.tf
@@ -0,0 +1,33 @@
+resource "aws_lb" "k8s-lb" {
+ name = "${var.service_base_name}-lb"
+ load_balancer_type = "network"
+
+ subnet_mapping {
+ subnet_id = data.aws_subnet.k8s-subnet-data.id
+ allocation_id = aws_eip.k8s-lb-eip.id
+ }
+ tags = {
+ Name = "${var.service_base_name}-lb"
+ }
+}
+
+resource "aws_lb_target_group" "k8s-lb-target-group" {
+ name = "${var.service_base_name}-lb-target-group"
+ port = 6443
+ protocol = "TCP"
+ vpc_id = data.aws_vpc.k8s-vpc-data.id
+ tags = {
+ Name = "${var.service_base_name}-lb-target-group"
+ }
+}
+
+resource "aws_lb_listener" "k8s-lb-listener" {
+ load_balancer_arn = aws_lb.k8s-lb.arn
+ port = "6443"
+ protocol = "TCP"
+
+ default_action {
+ type = "forward"
+ target_group_arn = aws_lb_target_group.k8s-lb-target-group.arn
+ }
+}
\ No newline at end of file
diff --git a/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/role_policy.tf b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/role_policy.tf
new file mode 100644
index 0000000..bb7ce24
--- /dev/null
+++ b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/role_policy.tf
@@ -0,0 +1,30 @@
+data "template_file" "k8s-s3-policy" {
+ template = file("../modules/ssn-k8s/files/ssn-policy.json.tpl")
+ vars = {
+ bucket_arn = aws_s3_bucket.k8s-bucket.arn
+ }
+}
+
+resource "aws_iam_policy" "k8s-policy" {
+ name = "${var.service_base_name}-policy"
+ description = "Policy for K8S"
+ policy = data.template_file.k8s-s3-policy.rendered
+}
+
+resource "aws_iam_role" "k8s-role" {
+ name = "${var.service_base_name}-role"
+ assume_role_policy = file("../modules/ssn-k8s/files/assume-policy.json")
+ tags = {
+ Name = "${var.service_base_name}-role"
+ }
+}
+
+resource "aws_iam_role_policy_attachment" "k8s-attach" {
+ role = aws_iam_role.k8s-role.name
+ policy_arn = aws_iam_policy.k8s-policy.arn
+}
+
+resource "aws_iam_instance_profile" "k8s-profile" {
+ name = "${var.service_base_name}-instance-profile"
+ role = aws_iam_role.k8s-role.name
+}
\ No newline at end of file
diff --git a/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/s3.tf b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/s3.tf
new file mode 100644
index 0000000..70fc57a
--- /dev/null
+++ b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/s3.tf
@@ -0,0 +1,8 @@
+resource "aws_s3_bucket" "k8s-bucket" {
+ bucket = "${var.service_base_name}-ssn-bucket"
+ acl = "private"
+ tags = {
+ Name = "${var.service_base_name}-ssn-bucket"
+ }
+ # force_destroy = true
+}
diff --git a/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/security_groups.tf b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/security_groups.tf
new file mode 100644
index 0000000..b4a3ea9
--- /dev/null
+++ b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/security_groups.tf
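Review bot: The bucket in s3.tf stores the cluster join command (bootstrap token plus CA hash) and the kubeadm certificate key, but the resource sets only `acl = "private"` — no default encryption, no public-access block and no versioning, so a single policy or ACL change (which the node role is currently even permitted to make via `s3:PutBucketPolicy`) exposes the cluster's admission secrets. A default server-side-encryption rule and an `aws_s3_bucket_public_access_block` close the obvious gaps, as below. The name `${var.service_base_name}-ssn-bucket` is also globally unique across all AWS accounts, so with the default `service_base_name = "k8s"` the apply will collide with anyone else's `k8s-ssn-bucket`; an account-id or region suffix avoids that.

```hcl
resource "aws_s3_bucket" "k8s-bucket" {
  bucket = "${var.service_base_name}-ssn-bucket"
  acl    = "private"

  # Objects under k8s/masters/ are cluster bootstrap secrets: encrypt at rest by default.
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }
  # … unchanged: tags, commented force_destroy …
}

# Refuse any public ACL or policy on the bucket, whoever sets it.
resource "aws_s3_bucket_public_access_block" "k8s-bucket" {
  bucket                  = aws_s3_bucket.k8s-bucket.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```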
@@ -0,0 +1,47 @@
+data "aws_eip" "k8s-lb-eip" {
+ id = aws_eip.k8s-lb-eip.id
+ depends_on = [aws_lb_listener.k8s-lb-listener]
+}
+
+resource "aws_security_group" "k8s-sg" {
+ name = "${var.service_base_name}-sg"
+ description = "SG for K8S cluster"
+ vpc_id = data.aws_vpc.k8s-vpc-data.id
+
+ ingress {
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ cidr_blocks = [data.aws_vpc.k8s-vpc-data.cidr_block]
+ }
+ ingress {
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+ cidr_blocks = var.allowed_cidrs
+ }
+ ingress {
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ cidr_blocks = ["0.0.0.0/0"]
+ description = "Need to be changed in the future"
+ }
+ ingress {
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ cidr_blocks = ["${data.aws_eip.k8s-lb-eip.public_ip}/32", "${data.aws_eip.k8s-lb-eip.private_ip}/32"]
+ }
+
+ egress {
+ from_port = 0
+ protocol = -1
+ to_port = 0
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ tags = {
+ Name = "${var.service_base_name}-sg"
+ }
+}
\ No newline at end of file
diff --git a/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/variables.tf b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/variables.tf
new file mode 100644
index 0000000..ac20f77
--- /dev/null
+++ b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/variables.tf
@@ -0,0 +1,33 @@
+variable "service_base_name" {}
+
+variable "vpc_id" {}
+
+variable "vpc_cidr" {}
+
+variable "subnet_id" {}
+
+variable "subnet_cidr" {}
+
+variable "env_os" {}
+
+variable "ami" {}
+
+variable "key_name" {}
+
+variable "region" {}
+
+variable "zone" {}
+
+variable "masters_count" {}
+
+variable "workers_count" {}
+
+variable "root_volume_size" {}
+
+variable "allowed_cidrs" {}
+
+variable "masters_shape" {}
+
+variable "workers_shape" {}
+
+variable "os-user" {}
\ No newline at end of file
diff --git a/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/vpc.tf b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/vpc.tf
new file mode 100644
index 0000000..c5ce7c1
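Review bot: The third `ingress` block of `aws_security_group.k8s-sg` opens every port and protocol to `0.0.0.0/0`, which makes the `allowed_cidrs` restriction on port 22 and the LB-address rule meaningless and exposes the kubelet, etcd and API-server ports of every node directly (vpc.tf gives each node a public IP). A network load balancer with instance targets forwards with the client source address preserved, so the only inbound traffic the nodes need from outside the VPC is TCP 6443 from the operator ranges; the first rule already covers intra-VPC traffic and the fourth the LB's own addresses. Replace the block with the rule below so that `var.allowed_cidrs` governs API access as it already governs SSH; the block's own `description` concedes it should not be merged as-is.

```hcl
  ingress {
    from_port   = 6443
    to_port     = 6443
    protocol    = "tcp"
    cidr_blocks = var.allowed_cidrs
    description = "Kubernetes API via the NLB (client source IP is preserved)"
  }
```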
--- /dev/null
+++ b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/vpc.tf
@@ -0,0 +1,54 @@
+resource "aws_vpc" "k8s-vpc" {
+ count = var.vpc_id == "" ? 1 : 0
+ cidr_block = var.vpc_cidr
+ instance_tenancy = "default"
+ enable_dns_hostnames = true
+ enable_dns_support = true
+
+ tags = {
+ Name = "${var.service_base_name}-vpc"
+ }
+}
+
+resource "aws_internet_gateway" "k8s-igw" {
+ count = var.vpc_id == "" ? 1 : 0
+ vpc_id = aws_vpc.k8s-vpc.0.id
+
+ tags = {
+ Name = "${var.service_base_name}-igw"
+ }
+}
+
+resource "aws_route" "k8s-r" {
+ count = var.vpc_id == "" ? 1 : 0
+ route_table_id = aws_vpc.k8s-vpc.0.main_route_table_id
+ destination_cidr_block = "0.0.0.0/0"
+ gateway_id = aws_internet_gateway.k8s-igw.0.id
+}
+
+data "aws_vpc" "k8s-vpc-data" {
+ id = var.vpc_id == "" ? aws_vpc.k8s-vpc.0.id : var.vpc_id
+}
+
+resource "aws_subnet" "k8s-subnet" {
+ count = var.subnet_id == "" ? 1 : 0
+ vpc_id = data.aws_vpc.k8s-vpc-data.id
+ availability_zone = "${var.region}${var.zone}"
+ cidr_block = var.subnet_cidr
+ map_public_ip_on_launch = true
+
+ tags = {
+ Name = "${var.service_base_name}-subnet"
+ }
+}
+
+data "aws_subnet" "k8s-subnet-data" {
+ id = var.subnet_id == "" ? aws_subnet.k8s-subnet.0.id : var.subnet_id
+}
+
+resource "aws_eip" "k8s-lb-eip" {
+ vpc = true
+ tags = {
+ Name = "${var.service_base_name}-eip"
+ }
+}
\ No newline at end of file
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
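Review bot: `map_public_ip_on_launch = true` on `aws_subnet.k8s-subnet` gives every master and worker a public address, which is exactly the surface the `0.0.0.0/0` rule in security_groups.tf then exposes; the nodes need outbound access (apt, the Docker and Kubernetes repositories, S3, the weave manifest) but no inbound path except through the NLB. A private subnet behind a NAT gateway removes that surface; if that is out of scope for this change, a comment on the line explaining that the public IPs exist only for egress would at least record the trade-off. Note also that `aws_route.k8s-r` is created only when `vpc_id` is empty, so a caller-supplied VPC must already carry a default route for the user-data scripts to succeed — worth stating on the `vpc_id` variable.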
