Merge pull request #44 from arunlalp/master
[Feat] Added EKS Module
techiescamp authored Aug 13, 2024
2 parents d016270 + bd43305 commit c8c271b
Showing 7 changed files with 432 additions and 0 deletions.
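--- a/infra/eks-cluster/main.tf
+++ b/infra/eks-cluster/main.tf
@@ -0,0 +1,18 @@
+provider "aws" {
+region = var.region
+}
+
+module "eks-cluster" {
+source = "../modules/eks"
+cluster_name = var.cluster_name
+role_name = var.role_name
+vpc_subnets = var.vpc_subnets
+node_group_name = var.node_group_name
+node_instance_type = var.node_instance_type
+node_disk_size = var.node_disk_size
+policy_arns = var.policy_arns
+eks_addons = var.eks_addons
+principal_arn = var.principal_arn
+kubernetes_groups = var.kubernetes_groups
+access_policy_arn = var.access_policy_arn
+}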
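Review bot: No `terraform { required_providers { … } }` block accompanies the `provider "aws"` declaration, so neither the aws provider nor the `tls` provider that `../modules/eks` pulls in through `data "tls_certificate"` is version-pinned, and a fresh `terraform init` will resolve both to whatever is latest at that moment. Nothing in this file configures a backend either; unless one is defined in another file of infra/eks-cluster (not visible here), the state — which records every IAM role, trust policy and the OIDC provider the module creates — is written to a local `terraform.tfstate`. A root-module block like the one below (version constraints are placeholders to fill in) addresses the first point and is the natural place for a `backend` block as well.
```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "<pin-aws-provider-version>"
    }
    tls = {
      source  = "hashicorp/tls"
      version = "<pin-tls-provider-version>"
    }
  }
}
```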
Empty file added infra/eks-cluster/outputs.tf
Empty file.
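--- a/infra/eks-cluster/variables.tf
+++ b/infra/eks-cluster/variables.tf
@@ -0,0 +1,59 @@
+variable "region" {
+type = string
+description = "Region of the EC2 instance"
+}
+
+variable "cluster_name" {
+description = "The name of the EKS cluster"
+type = string
+}
+
+variable "role_name" {
+description = "Name of the IAM role for EKS"
+type = string
+}
+
+variable "vpc_subnets" {
+description = "List of VPC subnet IDs"
+type = list(string)
+}
+
+variable "node_group_name" {
+description = "The name of the node group"
+type = string
+}
+
+variable "node_instance_type" {
+description = "EC2 instance type for the node group"
+type = list(string)
+}
+
+variable "node_disk_size" {
+description = "Disk size for the node group instances"
+type = number
+}
+
+variable "policy_arns" {
+description = "List of IAM policy ARNs to attach to the roles"
+type = list(string)
+}
+
+variable "eks_addons" {
+description = "List of EKS addons and their versions"
+type = map(string)
+}
+
+variable "principal_arn" {
+description = "The ARN of the principal"
+type = string
+}
+
+variable "kubernetes_groups" {
+description = "Kubernetes groups"
+type = list(string)
+}
+
+variable "access_policy_arn" {
+description = "The ARN of the access policy"
+type = string
+}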
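Review bot: `policy_arns` is consumed by position in modules/eks/main.tf (index 0 and 1 go to the cluster role, 2, 3 and 4 to the node-group role, 3 again to the VPC CNI role), but the variable carries no validation, so a caller who passes fewer than five ARNs fails at apply time and one who passes them in a different order silently attaches the wrong managed policy to a role; a `validation` block on the length (below) catches the first case at plan time, and the description should spell out the expected order so the second is less likely. The `region` description, "Region of the EC2 instance", does not describe what the variable configures — it is the AWS provider region the EKS cluster is created in — and `node_instance_type` is typed `list(string)` while its name and description are singular. `principal_arn` and `access_policy_arn` should also state what they grant: the module binds that policy to that principal with cluster-wide scope, which is worth saying where the inputs are documented.
```hcl
variable "policy_arns" {
  description = "IAM policy ARNs in this order: [0] cluster policy, [1] VPC resource controller, [2] worker node policy, [3] CNI policy, [4] ECR read-only"
  type        = list(string)

  validation {
    condition     = length(var.policy_arns) == 5
    error_message = "policy_arns must contain exactly 5 ARNs in the documented order."
  }
}
```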
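--- a/modules/eks/main.tf
+++ b/modules/eks/main.tf
@@ -0,0 +1,198 @@
+resource "aws_eks_cluster" "eks_cluster" {
+name = var.cluster_name
+role_arn = aws_iam_role.cluster_role.arn
+
+vpc_config {
+subnet_ids = var.vpc_subnets
+endpoint_private_access = true
+endpoint_public_access = true
+}
+
+access_config {
+authentication_mode = "API_AND_CONFIG_MAP"
+bootstrap_cluster_creator_admin_permissions = true
+}
+
+depends_on = [
+aws_iam_role_policy_attachment.AmazonEKSClusterPolicy,
+aws_iam_role_policy_attachment.AmazonEKSVPCResourceController,
+]
+}
+
+output "endpoint" {
+value = aws_eks_cluster.eks_cluster.endpoint
+}
+
+output "kubeconfig-certificate-authority-data" {
+value = aws_eks_cluster.eks_cluster.certificate_authority[0].data
+}
+
+data "aws_iam_policy_document" "assume_role" {
+statement {
+effect = "Allow"
+
+principals {
+type = "Service"
+identifiers = ["eks.amazonaws.com"]
+}
+
+actions = ["sts:AssumeRole"]
+}
+}
+
+resource "aws_iam_role" "cluster_role" {
+name = var.role_name
+assume_role_policy = data.aws_iam_policy_document.assume_role.json
+}
+
+resource "aws_iam_role_policy_attachment" "AmazonEKSClusterPolicy" {
+policy_arn = var.policy_arns[0]
+role = aws_iam_role.cluster_role.name
+}
+
+resource "aws_iam_role_policy_attachment" "AmazonEKSVPCResourceController" {
+policy_arn = var.policy_arns[1]
+role = aws_iam_role.cluster_role.name
+}
+
+data "tls_certificate" "tls_cert" {
+url = aws_eks_cluster.eks_cluster.identity[0].oidc[0].issuer
+}
+
+resource "aws_iam_openid_connect_provider" "eks_oidc_provider" {
+client_id_list = ["sts.amazonaws.com"]
+thumbprint_list = [data.tls_certificate.tls_cert.certificates[0].sha1_fingerprint]
+url = data.tls_certificate.tls_cert.url
+}
+
+data "aws_iam_policy_document" "assume_role_policy" {
+statement {
+actions = ["sts:AssumeRoleWithWebIdentity"]
+effect = "Allow"
+
+condition {
+test = "StringEquals"
+variable = "${replace(aws_iam_openid_connect_provider.eks_oidc_provider.url, "https://", "")}:sub"
+values = ["system:serviceaccount:kube-system:aws-node"]
+}
+
+principals {
+identifiers = [aws_iam_openid_connect_provider.eks_oidc_provider.arn]
+type = "Federated"
+}
+}
+}
+
+resource "aws_eks_addon" "coredns" {
+cluster_name = aws_eks_cluster.eks_cluster.name
+addon_name = "coredns"
+addon_version = var.eks_addons["coredns"]
+resolve_conflicts_on_update = "PRESERVE"
+}
+
+resource "aws_iam_role" "vpc_cni_role" {
+assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
+name = "vpc-cni-role"
+}
+
+resource "aws_iam_role_policy_attachment" "vpc_cni_policy" {
+policy_arn = var.policy_arns[3]
+role = aws_iam_role.vpc_cni_role.name
+}
+
+resource "aws_eks_addon" "vpc-cni" {
+cluster_name = aws_eks_cluster.eks_cluster.name
+addon_name = "vpc-cni"
+addon_version = var.eks_addons["vpc-cni"]
+resolve_conflicts_on_update = "PRESERVE"
+service_account_role_arn = aws_iam_role.vpc_cni_role.arn
+}
+
+resource "aws_eks_addon" "kube-proxy" {
+cluster_name = aws_eks_cluster.eks_cluster.name
+addon_name = "kube-proxy"
+addon_version = var.eks_addons["kube-proxy"]
+resolve_conflicts_on_update = "PRESERVE"
+}
+
+resource "aws_eks_addon" "eks-pod-identity-agent" {
+cluster_name = aws_eks_cluster.eks_cluster.name
+addon_name = "eks-pod-identity-agent"
+addon_version = var.eks_addons["eks-pod-identity-agent"]
+resolve_conflicts_on_update = "PRESERVE"
+}
+
+resource "aws_eks_node_group" "node_group" {
+cluster_name = aws_eks_cluster.eks_cluster.name
+node_group_name = var.node_group_name
+version = aws_eks_cluster.eks_cluster.version
+node_role_arn = aws_iam_role.node-group-iam-role.arn
+subnet_ids = var.vpc_subnets
+capacity_type = "ON_DEMAND"
+disk_size = var.node_disk_size
+instance_types = var.node_instance_type
+
+scaling_config {
+desired_size = 1
+max_size = 2
+min_size = 1
+}
+
+update_config {
+max_unavailable = 1
+}
+
+depends_on = [
+aws_iam_role_policy_attachment.AmazonEKSWorkerNodePolicy,
+aws_iam_role_policy_attachment.AmazonEKS_CNI_Policy,
+aws_iam_role_policy_attachment.AmazonEC2ContainerRegistryReadOnly,
+]
+}
+
+resource "aws_iam_role" "node-group-iam-role" {
+name = "eks-node-group-role"
+
+assume_role_policy = jsonencode({
+Statement = [{
+Action = "sts:AssumeRole"
+Effect = "Allow"
+Principal = {
+Service = "ec2.amazonaws.com"
+}
+}]
+Version = "2012-10-17"
+})
+}
+
+resource "aws_iam_role_policy_attachment" "AmazonEKSWorkerNodePolicy" {
+policy_arn = var.policy_arns[2]
+role = aws_iam_role.node-group-iam-role.name
+}
+
+resource "aws_iam_role_policy_attachment" "AmazonEKS_CNI_Policy" {
+policy_arn = var.policy_arns[3]
+role = aws_iam_role.node-group-iam-role.name
+}
+
+resource "aws_iam_role_policy_attachment" "AmazonEC2ContainerRegistryReadOnly" {
+policy_arn = var.policy_arns[4]
+role = aws_iam_role.node-group-iam-role.name
+}
+
+resource "aws_eks_access_entry" "access_entry" {
+cluster_name = aws_eks_cluster.eks_cluster.name
+principal_arn = var.principal_arn
+kubernetes_groups = var.kubernetes_groups
+type = "STANDARD"
+}
+
+resource "aws_eks_access_policy_association" "access_association" {
+cluster_name = aws_eks_cluster.eks_cluster.name
+policy_arn = var.access_policy_arn
+principal_arn = aws_eks_access_entry.access_entry.principal_arn
+
+access_scope {
+type = "cluster"
+}
+}
+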
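Review bot: `aws_eks_cluster.eks_cluster` sets `endpoint_public_access = true` in `vpc_config` without `public_access_cidrs`, so the API server's public endpoint accepts connections from any source address (the provider's default for that argument is 0.0.0.0/0); either restrict it with `public_access_cidrs = var.public_access_cidrs` fed from a new `list(string)` input, or set `endpoint_public_access = false` since `endpoint_private_access` is already on. The resource also sets no `enabled_cluster_log_types`, so control-plane authentication and audit events never reach CloudWatch Logs and there is nothing to detect misuse of the broad access granted below — `enabled_cluster_log_types = ["api", "audit", "authenticator"]` is the minimum worth having. On the IAM side, `var.policy_arns[3]` is attached both to `vpc_cni_role` (assumed by the vpc-cni addon through the OIDC trust policy) and to `node-group-iam-role` as `AmazonEKS_CNI_Policy`, so every node keeps the CNI permissions that the dedicated IRSA role exists to remove from the instance role; the second attachment should go once the addon is confirmed to use `service_account_role_arn`. The fixed names `"vpc-cni-role"` and `"eks-node-group-role"` will collide if this module is instantiated twice in one account — deriving them from `var.cluster_name` (e.g. `"${var.cluster_name}-vpc-cni-role"`) avoids that. Finally, `aws_eks_access_policy_association.access_association` binds the caller's policy at `access_scope { type = "cluster" }` with no way to narrow it; exposing the scope type and `namespaces` as inputs would let callers grant namespace-scoped access instead of cluster-wide.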
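--- a/modules/eks/outputs.tf
+++ b/modules/eks/outputs.tf
@@ -0,0 +1,79 @@
+output "cluster_name" {
+description = "The name of the EKS cluster"
+value = aws_eks_cluster.eks_cluster.name
+}
+
+output "cluster_endpoint" {
+description = "The endpoint of the EKS cluster"
+value = aws_eks_cluster.eks_cluster.endpoint
+}
+
+output "cluster_certificate_authority_data" {
+description = "The certificate authority data for the cluster"
+value = aws_eks_cluster.eks_cluster.certificate_authority[0].data
+}
+
+output "cluster_arn" {
+description = "The ARN of the EKS cluster"
+value = aws_eks_cluster.eks_cluster.arn
+}
+
+output "oidc_provider_arn" {
+description = "The ARN of the OIDC provider"
+value = aws_iam_openid_connect_provider.eks_oidc_provider.arn
+}
+
+output "node_group_name" {
+description = "The name of the EKS node group"
+value = aws_eks_node_group.node_group.node_group_name
+}
+
+output "node_group_instance_types" {
+description = "The instance types used in the EKS node group"
+value = aws_eks_node_group.node_group.instance_types
+}
+
+output "node_group_disk_size" {
+description = "The disk size for the EKS node group instances"
+value = aws_eks_node_group.node_group.disk_size
+}
+
+output "iam_role_name" {
+description = "The name of the IAM role used for the EKS cluster"
+value = aws_iam_role.cluster_role.name
+}
+
+output "vpc_subnets" {
+description = "The VPC subnets used by the EKS cluster"
+value = aws_eks_cluster.eks_cluster.vpc_config[0].subnet_ids
+}
+
+output "coredns_addon_version" {
+description = "The version of the CoreDNS addon"
+value = aws_eks_addon.coredns.addon_version
+}
+
+output "vpc_cni_addon_version" {
+description = "The version of the VPC CNI addon"
+value = aws_eks_addon.vpc-cni.addon_version
+}
+
+output "kube_proxy_addon_version" {
+description = "The version of the kube-proxy addon"
+value = aws_eks_addon.kube-proxy.addon_version
+}
+
+output "eks_pod_identity_agent_addon_version" {
+description = "The version of the EKS Pod Identity Agent addon"
+value = aws_eks_addon.eks-pod-identity-agent.addon_version
+}
+
+output "access_entry_principal_arn" {
+description = "The ARN of the principal for the access entry"
+value = aws_eks_access_entry.access_entry.principal_arn
+}
+
+output "access_policy_arn" {
+description = "The ARN of the access policy associated with the EKS cluster"
+value = aws_eks_access_policy_association.access_association.policy_arn
+}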
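Review bot: `cluster_endpoint` and `cluster_certificate_authority_data` here duplicate the `endpoint` and `kubeconfig-certificate-authority-data` outputs declared in modules/eks/main.tf, so the same values are exported twice under different names; keep the documented pair in this file and drop the two from main.tf. Consumers who want to build further IRSA trust policies for this cluster need the OIDC issuer URL, yet only the provider ARN is exported — `output "oidc_provider_url" { value = aws_iam_openid_connect_provider.eks_oidc_provider.url }` (with a description) would complete that. The `iam_role_name` description, "The name of the IAM role used for the EKS cluster", is accurate but ambiguous now that the module creates three roles; naming it the control-plane role, and exporting `node-group-iam-role` and `vpc_cni_role` ARNs alongside it, would make the module's IAM footprint visible to callers.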