From 724d3104fc114aae161e84f09ee592989dd2067d Mon Sep 17 00:00:00 2001 From: Bryant Biggs Date: Thu, 9 Jun 2022 11:42:46 -0400 Subject: [PATCH 1/5] refactor: Upgrade to v18 of EKS module --- .gitignore | 23 +++---- .terraform.lock.hcl | 137 --------------------------------------- README.md | 2 +- eks-cluster.tf | 108 +++++++++++++++++++++--------- kubernetes.tf => main.tf | 29 +++++++-- outputs.tf | 17 ++--- security-groups.tf | 26 ++------ variables.tf | 5 ++ versions.tf | 14 +--- vpc.tf | 41 +++--------- 10 files changed, 143 insertions(+), 259 deletions(-) delete mode 100644 .terraform.lock.hcl rename kubernetes.tf => main.tf (52%) create mode 100644 variables.tf diff --git a/.gitignore b/.gitignore index 7a3e2fd0..e9308c8e 100644 --- a/.gitignore +++ b/.gitignore @@ -1,18 +1,22 @@ # Local .terraform directories **/.terraform/* +# Terraform lockfile +.terraform.lock.hcl + # .tfstate files *.tfstate *.tfstate.* +*.tfplan # Crash log files crash.log -# Ignore any .tfvars files that are generated automatically for each Terraform run. Most -# .tfvars files are managed as part of configuration and so should be included in -# version control. -# -# example.tfvars +# Exclude all .tfvars files, which are likely to contain sentitive data, such as +# password, private keys, and other secrets. These should not be part of version +# control as they are data points which are potentially sensitive and subject +# to change depending on the environment. +*.tfvars # Ignore override files as they are usually used to override resources locally and so # are not checked in @@ -21,9 +25,6 @@ override.tf.json *_override.tf *_override.tf.json -# Include override files you do wish to add to version control using negated pattern -# -# !example_override.tf - -# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan -# example: *tfplan* +# Ignore CLI configuration files +.terraformrc +terraform.rc 
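Review bot: Adding `.terraform.lock.hcl` to `.gitignore` while deleting the committed lockfile in this same patch removes the provider hash pins, so `terraform init` on another machine resolves providers only by the `>=` constraints in versions.tf with no integrity check against a known-good hash set. Patch 5 of this series restores the file, though the `aws`, `cloudinit` and `tls` entries there carry only a single `h1:` platform hash; running `terraform providers lock -platform=linux_amd64 -platform=darwin_amd64` (one per platform in use) would record `zh:` hashes that verify on every platform. Separately, the new comment above `*.tfvars` misspells "sensitive": `# Exclude all .tfvars files, which are likely to contain sensitive data, such as`.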
diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl deleted file mode 100644 index a12b034a..00000000 --- a/.terraform.lock.hcl +++ /dev/null 
@@ -1,137 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/aws" { - version = "3.71.0" - constraints = ">= 3.15.0, >= 3.20.0, >= 3.56.0" - hashes = [ - "h1:5+M8SPZlb3FxcmAX4RykKzNrTHkpjoP1UpHcenOXcxo=", - "zh:173134d8861a33ed60a48942ad2b96b9d06e85c506d7f927bead47a28f4ebdd2", - "zh:2996c8e96930f526f1761e99d14c0b18d83e287b1362aa2fa1444cf848ece613", - "zh:43903da1e0a809a1fb5832e957dbe2321b86630d6bfdd8b47728647a72fd912d", - "zh:43e71fd8924e7f7b56a0b2a82e29edf07c53c2b41ee7bb442a2f1c27e03e86ae", - "zh:4f4c73711f64a3ff85f88bf6b2594e5431d996b7a59041ff6cbc352f069fc122", - "zh:5045241b8695ffbd0730bdcd91393b10ffd0cfbeaad6254036e42ead6687d8fd", - "zh:6a8811a0fb1035c09aebf1f9b15295523a9a7a2627fd783f50c6168a82e192dd", - "zh:8d273c04d7a8c36d4366329adf041c480a0f1be10a7269269c88413300aebdb8", - "zh:b90505897ae4943a74de2b88b6a9e7d97bf6dc325a0222235996580edff28656", - "zh:ea5e422942ac6fc958229d27d4381c89d21d70c5c2c67a6c06ff357bcded76f6", - "zh:f1536d7ff2d3bfd668e3ac33d8956b4f988f87fdfdcc371c7d94b98d5dba53e2", - ] -} - -provider "registry.terraform.io/hashicorp/cloudinit" { - version = "2.2.0" - constraints = ">= 2.0.0" - hashes = [ - "h1:siiI0wK6/jUDdA5P8ifTO0yc9YmXHml4hz5K9I9N+MA=", - "zh:76825122171f9ea2287fd27e23e80a7eb482f6491a4f41a096d77b666896ee96", - "zh:795a36dee548e30ca9c9d474af9ad6d29290e0a9816154ad38d55381cd0ab12d", - "zh:9200f02cb917fb99e44b40a68936fd60d338e4d30a718b7e2e48024a795a61b9", - "zh:a33cf255dc670c20678063aa84218e2c1b7a67d557f480d8ec0f68bc428ed472", - "zh:ba3c1b2cd0879286c1f531862c027ec04783ece81de67c9a3b97076f1ce7f58f", - "zh:bd575456394428a1a02191d2e46af0c00e41fd4f28cfe117d57b6aeb5154a0fb", - "zh:c68dd1db83d8437c36c92dc3fc11d71ced9def3483dd28c45f8640cfcd59de9a", - "zh:cbfe34a90852ed03cc074601527bb580a648127255c08589bc3ef4bf4f2e7e0c", - "zh:d6ffd7398c6d1f359b96f5b757e77b99b339fbb91df1b96ac974fe71bc87695c", - 
"zh:d9c15285f847d7a52df59e044184fb3ba1b7679fd0386291ed183782683d9517", - "zh:f7dd02f6d36844da23c9a27bb084503812c29c1aec4aba97237fec16860fdc8c", - ] -} - -provider "registry.terraform.io/hashicorp/kubernetes" { - version = "2.7.1" - constraints = ">= 1.11.1, >= 2.0.1" - hashes = [ - "h1:/zifejk3MfLSDQr5J6sc3EHrnFwAVEDH9LrewWMRqe4=", - "zh:0da320fd81ece6696f7cceda35e459ee97cae8955088af38fc7f2feab1dce924", - "zh:37d304b8b992518c9c12e8f10437b9d4a0cc5a823c9421ac794ad2347c4d1122", - "zh:3d4e12fb9588c3b2e782d392fea758c6982e5d653154bec951e949155bcbc169", - "zh:6bb32b8d5cccf3e3ae7c124ed27df76dc7653ca760c132addeee15272630c930", - "zh:94775153b90e285876fc17261e8f5338a1ff732f4133336cc68754acb74570b6", - "zh:a665d1336765cdf8620a8797fd4e7e3cecf789e96e59ba80634336a4390df377", - "zh:aa8b35e9958cb89f01c115e8866a07d5468fb53f1c227d673e94f7ee8fb76242", - "zh:b7a571336387d773a74ed6eefa3843ff78d3662f2745c99c95008002a1341662", - "zh:c50d661782175d50ea4952fe943b0e4a3e33c27aa69e5ff21b3cbfa513e90d0a", - "zh:e0999b349cc772c75876adbc2a13b5dc256d3ecd7e4aa91baee5fdfcecaa7465", - "zh:e1399aec06a7aa98e9b0f64b4281697247f338a8a40b79f5f6ebfd43bf4ce1e2", - ] -} - -provider "registry.terraform.io/hashicorp/local" { - version = "2.1.0" - constraints = ">= 1.4.0, 2.1.0" - hashes = [ - "h1:KfieWtVyGWwplSoLIB5usKAUnrIkDQBkWaR5TI+4WYg=", - "zh:0f1ec65101fa35050978d483d6e8916664b7556800348456ff3d09454ac1eae2", - "zh:36e42ac19f5d68467aacf07e6adcf83c7486f2e5b5f4339e9671f68525fc87ab", - "zh:6db9db2a1819e77b1642ec3b5e95042b202aee8151a0256d289f2e141bf3ceb3", - "zh:719dfd97bb9ddce99f7d741260b8ece2682b363735c764cac83303f02386075a", - "zh:7598bb86e0378fd97eaa04638c1a4c75f960f62f69d3662e6d80ffa5a89847fe", - "zh:ad0a188b52517fec9eca393f1e2c9daea362b33ae2eb38a857b6b09949a727c1", - "zh:c46846c8df66a13fee6eff7dc5d528a7f868ae0dcf92d79deaac73cc297ed20c", - "zh:dc1a20a2eec12095d04bf6da5321f535351a594a636912361db20eb2a707ccc4", - "zh:e57ab4771a9d999401f6badd8b018558357d3cbdf3d33cc0c4f83e818ca8e94b", - 
"zh:ebdcde208072b4b0f8d305ebf2bfdc62c926e0717599dcf8ec2fd8c5845031c3", - "zh:ef34c52b68933bedd0868a13ccfd59ff1c820f299760b3c02e008dc95e2ece91", - ] -} - -provider "registry.terraform.io/hashicorp/null" { - version = "3.1.0" - constraints = "3.1.0" - hashes = [ - "h1:xhbHC6in3nQryvTQBWKxebi3inG5OCgHgc4fRxL0ymc=", - "zh:02a1675fd8de126a00460942aaae242e65ca3380b5bb192e8773ef3da9073fd2", - "zh:53e30545ff8926a8e30ad30648991ca8b93b6fa496272cd23b26763c8ee84515", - "zh:5f9200bf708913621d0f6514179d89700e9aa3097c77dac730e8ba6e5901d521", - "zh:9ebf4d9704faba06b3ec7242c773c0fbfe12d62db7d00356d4f55385fc69bfb2", - "zh:a6576c81adc70326e4e1c999c04ad9ca37113a6e925aefab4765e5a5198efa7e", - "zh:a8a42d13346347aff6c63a37cda9b2c6aa5cc384a55b2fe6d6adfa390e609c53", - "zh:c797744d08a5307d50210e0454f91ca4d1c7621c68740441cf4579390452321d", - "zh:cecb6a304046df34c11229f20a80b24b1603960b794d68361a67c5efe58e62b8", - "zh:e1371aa1e502000d9974cfaff5be4cfa02f47b17400005a16f14d2ef30dc2a70", - "zh:fc39cc1fe71234a0b0369d5c5c7f876c71b956d23d7d6f518289737a001ba69b", - "zh:fea4227271ebf7d9e2b61b89ce2328c7262acd9fd190e1fd6d15a591abfa848e", - ] -} - -provider "registry.terraform.io/hashicorp/random" { - version = "3.1.0" - constraints = "3.1.0" - hashes = [ - "h1:rKYu5ZUbXwrLG1w81k7H3nce/Ys6yAxXhWcbtk36HjY=", - "zh:2bbb3339f0643b5daa07480ef4397bd23a79963cc364cdfbb4e86354cb7725bc", - "zh:3cd456047805bf639fbf2c761b1848880ea703a054f76db51852008b11008626", - "zh:4f251b0eda5bb5e3dc26ea4400dba200018213654b69b4a5f96abee815b4f5ff", - "zh:7011332745ea061e517fe1319bd6c75054a314155cb2c1199a5b01fe1889a7e2", - "zh:738ed82858317ccc246691c8b85995bc125ac3b4143043219bd0437adc56c992", - "zh:7dbe52fac7bb21227acd7529b487511c91f4107db9cc4414f50d04ffc3cab427", - "zh:a3a9251fb15f93e4cfc1789800fc2d7414bbc18944ad4c5c98f466e6477c42bc", - "zh:a543ec1a3a8c20635cf374110bd2f87c07374cf2c50617eee2c669b3ceeeaa9f", - "zh:d9ab41d556a48bd7059f0810cf020500635bfc696c9fc3adab5ea8915c1d886b", - 
"zh:d9e13427a7d011dbd654e591b0337e6074eef8c3b9bb11b2e39eaaf257044fd7", - "zh:f7605bd1437752114baf601bdf6931debe6dc6bfe3006eb7e9bb9080931dca8a", - ] -} - -provider "registry.terraform.io/terraform-aws-modules/http" { - version = "2.4.1" - constraints = ">= 2.4.1" - hashes = [ - "h1:FINkX7/X/cr5NEssB7dMqVWa6YtJtmwzvkfryuR39/k=", - "zh:0111f54de2a9815ded291f23136d41f3d2731c58ea663a2e8f0fef02d377d697", - "zh:0740152d76f0ccf54f4d0e8e0753739a5233b022acd60b5d2353d248c4c17204", - "zh:569518f46809ec9cdc082b4dfd4e828236eee2b50f87b301d624cfd83b8f5b0d", - "zh:7669f7691de91eec9f381e9a4be81aa4560f050348a86c6ea7804925752a01bb", - "zh:81cd53e796ec806aca2d8e92a2aed9135661e170eeff6cf0418e54f98816cd05", - "zh:82f01abd905090f978b169ac85d7a5952322a5f0f460269dd981b3596652d304", - "zh:9a235610066e0f7e567e69c23a53327271a6fc568b06bf152d8fe6594749ed2b", - "zh:aeabdd8e633d143feb67c52248c85358951321e35b43943aeab577c005abd30a", - "zh:c20d22dba5c79731918e7192bc3d0b364d47e98a74f47d287e6cc66236bc0ed0", - "zh:c4fea2cb18c31ed7723deec5ebaff85d6795bb6b6ed3b954794af064d17a7f9f", - "zh:e21e88b6e7e55b9f29b046730d9928c65a4f181fd5f60a42f1cd41b46a0a938d", - "zh:eddb888a74dea348a0acdfee13a08875bacddde384bd9c28342a534269665568", - "zh:f46d5f1403b8d8dfafab9bdd7129d3080bb62a91ea726f477fd43560887b8c4a", - ] -} diff --git a/README.md b/README.md index 80e066db..bf05870d 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ # Learn Terraform - Provision an EKS Cluster This repo is a companion repo to the [Provision an EKS Cluster learn guide](https://learn.hashicorp.com/terraform/kubernetes/provision-eks-cluster), containing -Terraform configuration files to provision an EKS cluster on AWS. \ No newline at end of file +Terraform configuration files to provision an EKS cluster on AWS. diff --git a/eks-cluster.tf b/eks-cluster.tf index 6e978a50..23753136 100644 --- a/eks-cluster.tf +++ b/eks-cluster.tf 
@@ -1,38 +1,88 @@ module "eks" { - source = "terraform-aws-modules/eks/aws" - version = "17.24.0" + source = "terraform-aws-modules/eks/aws" + version = "18.23.0" + cluster_name = local.cluster_name - cluster_version = "1.20" - subnets = module.vpc.private_subnets + cluster_version = "1.22" + + vpc_id = module.vpc.vpc_id + subnet_ids = module.vpc.private_subnets - vpc_id = module.vpc.vpc_id + manage_aws_auth_configmap = true - workers_group_defaults = { - root_volume_type = "gp2" + # Extend cluster security group rules + cluster_security_group_additional_rules = { + egress_nodes_ephemeral_ports_tcp = { + description = "To node 1025-65535" + protocol = "tcp" + from_port = 1025 + to_port = 65535 + type = "egress" + source_node_security_group = true + } } - worker_groups = [ - { - name = "worker-group-1" - instance_type = "t2.small" - additional_userdata = "echo foo bar" - additional_security_group_ids = [aws_security_group.worker_group_mgmt_one.id] - asg_desired_capacity = 2 - }, - { - name = "worker-group-2" - instance_type = "t2.medium" - additional_userdata = "echo foo bar" - additional_security_group_ids = [aws_security_group.worker_group_mgmt_two.id] - asg_desired_capacity = 1 - }, - ] -} + # Extend node-to-node security group rules + node_security_group_additional_rules = { + ingress_self_all = { + description = "Node to node all ports/protocols" + protocol = "-1" + from_port = 0 + to_port = 0 + type = "ingress" + self = true + } + egress_all = { + description = "Node all egress" + protocol = "-1" + from_port = 0 + to_port = 0 + type = "egress" + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = ["::/0"] + } + } -data "aws_eks_cluster" "cluster" { - name = module.eks.cluster_id -} + eks_managed_node_group_defaults = { + ami_type = "AL2_x86_64" + + # We'll provide + create_security_group = false + } + + eks_managed_node_groups = { + one = { + instance_types = ["t3.small"] -data "aws_eks_cluster_auth" "cluster" { - name = module.eks.cluster_id + min_size = 1 + 
max_size = 3 + desired_size = 2 + + pre_bootstrap_user_data = <<-EOT + echo 'foo bar' + EOT + + vpc_security_group_ids = [ + aws_security_group.node_group_one.id + ] + } + + two = { + name = "node-group-2" + + instance_types = ["t3.medium"] + + min_size = 1 + max_size = 2 + desired_size = 1 + + pre_bootstrap_user_data = <<-EOT + echo 'foo bar' + EOT + + vpc_security_group_ids = [ + aws_security_group.node_group_two.id + ] + } + } } diff --git a/kubernetes.tf b/main.tf similarity index 52% rename from kubernetes.tf rename to main.tf index 97e03249..7ecb3d64 100644 --- a/kubernetes.tf +++ b/main.tf 
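Review bot: Nothing in the `module "eks"` block constrains API endpoint exposure; if the v18 defaults apply (public endpoint enabled, `cluster_endpoint_public_access_cidrs = ["0.0.0.0/0"]`, private access off), the Kubernetes API is reachable from any IP and protected only by IAM/aws-auth. For a learning repo that may be acceptable, but making it explicit would document the choice, e.g. `cluster_endpoint_private_access = true` and `cluster_endpoint_public_access_cidrs = ["<operator CIDR>"]` next to `manage_aws_auth_configmap = true`. Also, with `manage_aws_auth_configmap = true` and no `aws_auth_roles`/`aws_auth_users` set, only the IAM principal that created the cluster (which EKS maps to system:masters) has API access; a one-line comment stating that would save the next operator a lockout surprise. The `egress_all` rule opening all node egress to `0.0.0.0/0` and `::/0` is presumably intentional for image pulls and is removed later in this series.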
@@ -1,12 +1,31 @@ # Kubernetes provider # https://learn.hashicorp.com/terraform/kubernetes/provision-eks-cluster#optional-configure-terraform-kubernetes-provider # To learn how to schedule deployments and services using the provider, go here: https://learn.hashicorp.com/terraform/kubernetes/deploy-nginx-kubernetes - # The Kubernetes provider is included in this file so the EKS module can complete successfully. Otherwise, it throws an error when creating `kubernetes_config_map.aws_auth`. # You should **not** schedule deployments and services in this workspace. This keeps workspaces modular (one for provision EKS, another for scheduling Kubernetes resources) as per best practices. - provider "kubernetes" { - host = data.aws_eks_cluster.cluster.endpoint - token = data.aws_eks_cluster_auth.cluster.token - cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data) + host = module.eks.cluster_endpoint + cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data) + + exec { + api_version = "client.authentication.k8s.io/v1alpha1" + command = "aws" + # This requires the awscli to be available locally where Terraform is executed + args = ["eks", "get-token", "--cluster-name", module.eks.cluster_id] + } +} + +provider "aws" { + region = var.region +} + +data "aws_availability_zones" "available" {} + +locals { + cluster_name = "education-eks-${random_string.suffix.result}" +} + +resource "random_string" "suffix" { + length = 8 + special = false } diff --git a/outputs.tf b/outputs.tf index 8823d2a7..baf21aeb 100644 --- a/outputs.tf +++ b/outputs.tf 
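Review bot: `data "aws_availability_zones" "available" {}` is declared without a filter, and vpc.tf slices its first three names; in a region with opted-in Local Zones or Wavelength zones those can appear in the list, and EKS cannot place control-plane ENIs in them. Adding `filter { name = "opt-in-status" values = ["opt-in-not-required"] }` inside the data block keeps the selection to standard Availability Zones. The `exec` block also relies on the local `aws` CLI's own region configuration; passing `"--region", var.region` in `args` keeps token issuance tied to the region the `aws` provider targets, and the `# This requires the awscli ...` comment could mention that the CLI's credentials and region are what get used.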
@@ -1,26 +1,21 @@ output "cluster_id" { - description = "EKS cluster ID." + description = "EKS cluster ID" value = module.eks.cluster_id } output "cluster_endpoint" { - description = "Endpoint for EKS control plane." + description = "Endpoint for EKS control plane" value = module.eks.cluster_endpoint } output "cluster_security_group_id" { - description = "Security group ids attached to the cluster control plane." + description = "Security group ids attached to the cluster control plane" value = module.eks.cluster_security_group_id } -output "kubectl_config" { - description = "kubectl config as generated by the module." - value = module.eks.kubeconfig -} - -output "config_map_aws_auth" { - description = "A kubernetes configuration to authenticate to this EKS cluster." - value = module.eks.config_map_aws_auth +output "aws_auth_configmap_yaml" { + description = "Formatted yaml output for base aws-auth configmap containing roles used in cluster node groups/fargate profiles" + value = module.eks.aws_auth_configmap_yaml } output "region" { diff --git a/security-groups.tf b/security-groups.tf index 9538cf90..1d7a720d 100644 --- a/security-groups.tf +++ b/security-groups.tf @@ -1,6 +1,5 @@ - -resource "aws_security_group" "worker_group_mgmt_one" { - name_prefix = "worker_group_mgmt_one" +resource "aws_security_group" "node_group_one" { + name_prefix = "node_group_one" vpc_id = module.vpc.vpc_id ingress { @@ -14,8 +13,8 @@ resource "aws_security_group" "worker_group_mgmt_one" { } } -resource "aws_security_group" "worker_group_mgmt_two" { - name_prefix = "worker_group_mgmt_two" +resource "aws_security_group" "node_group_two" { + name_prefix = "node_group_two" vpc_id = module.vpc.vpc_id ingress { 
@@ -28,20 +27,3 @@ resource "aws_security_group" "worker_group_mgmt_two" { ] } } - -resource "aws_security_group" "all_worker_mgmt" { - name_prefix = "all_worker_management" - vpc_id = module.vpc.vpc_id - - ingress { - from_port = 22 - to_port = 22 - protocol = "tcp" - - cidr_blocks = [ - "10.0.0.0/8", - "172.16.0.0/12", - "192.168.0.0/16", - ] - } -} diff --git a/variables.tf b/variables.tf new file mode 100644 index 00000000..5037053d --- /dev/null +++ b/variables.tf @@ -0,0 +1,5 @@ +variable "region" { + description = "AWS region" + type = string + default = "us-east-1" +} diff --git a/versions.tf b/versions.tf index 9ced68e3..e62f100c 100644 --- a/versions.tf +++ b/versions.tf @@ -2,7 +2,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 3.20.0" + version = ">= 3.72" } random = { @@ -10,19 +10,9 @@ terraform { version = "3.1.0" } - local = { - source = "hashicorp/local" - version = "2.1.0" - } - - null = { - source = "hashicorp/null" - version = "3.1.0" - } - kubernetes = { source = "hashicorp/kubernetes" - version = ">= 2.0.1" + version = ">= 2.10" } } diff --git a/vpc.tf b/vpc.tf index 58e3edc1..435247b3 100644 --- a/vpc.tf +++ b/vpc.tf 
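Review bot: The `aws` constraint `>= 3.72` and `kubernetes` `>= 2.10` have no upper bound, while `random` in the context line stays pinned to exactly `3.1.0`; with the lockfile ignored in this same patch, nothing stops `terraform init` from pulling a future major release (the lockfile re-added in patch 5 already resolves `aws` to 4.22.0, a major above the version this was written against). A bounded constraint such as `version = ">= 3.72, < 5.0"` (or `~> 4.0` once 4.x is the tested line) keeps major upgrades deliberate; alternatively, treat the committed lockfile as the pin and say so in a comment above `required_providers`.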
@@ -1,47 +1,26 @@ -variable "region" { - default = "us-east-2" - description = "AWS region" -} - -provider "aws" { - region = var.region -} +module "vpc" { + source = "terraform-aws-modules/vpc/aws" + version = "3.12.0" -data "aws_availability_zones" "available" {} + name = "education-vpc" -locals { - cluster_name = "education-eks-${random_string.suffix.result}" -} + cidr = "10.0.0.0/16" + azs = slice(data.aws_availability_zones.available.names, 0, 3) -resource "random_string" "suffix" { - length = 8 - special = false -} + private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"] + public_subnets = ["10.0.4.0/24", "10.0.5.0/24", "10.0.6.0/24"] -module "vpc" { - source = "terraform-aws-modules/vpc/aws" - version = "3.2.0" - - name = "education-vpc" - cidr = "10.0.0.0/16" - azs = data.aws_availability_zones.available.names - private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"] - public_subnets = ["10.0.4.0/24", "10.0.5.0/24", "10.0.6.0/24"] enable_nat_gateway = true single_nat_gateway = true enable_dns_hostnames = true - tags = { - "kubernetes.io/cluster/${local.cluster_name}" = "shared" - } - public_subnet_tags = { "kubernetes.io/cluster/${local.cluster_name}" = "shared" - "kubernetes.io/role/elb" = "1" + "kubernetes.io/role/elb" = 1 } private_subnet_tags = { "kubernetes.io/cluster/${local.cluster_name}" = "shared" - "kubernetes.io/role/internal-elb" = "1" + "kubernetes.io/role/internal-elb" = 1 } } From 37d5e19eb69e8d6559b908b7d91c6085b978cd19 Mon Sep 17 00:00:00 2001 From: Bryant Biggs Date: Fri, 10 Jun 2022 09:33:21 -0400 Subject: [PATCH 2/5] chore: fix comment --- eks-cluster.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eks-cluster.tf b/eks-cluster.tf index 23753136..60375a82 100644 --- a/eks-cluster.tf +++ b/eks-cluster.tf 
@@ -46,7 +46,7 @@ module "eks" { eks_managed_node_group_defaults = { ami_type = "AL2_x86_64" - # We'll provide + # Disabling and using externally provided security groups create_security_group = false } From 1ddc747f1bd4ecb5d8173a1e9c5c8c793d0da539 Mon Sep 17 00:00:00 2001 From: Bryant Biggs Date: Wed, 6 Jul 2022 16:44:03 -0400 Subject: [PATCH 3/5] fix: Use cluster security group for access and add metrics-server and kubernetes-dashboard --- dashboard.tf | 24 ++++++++++++++++++++++++ eks-cluster.tf | 39 +++++---------------------------------- main.tf | 16 +++++++++++++++- 3 files changed, 44 insertions(+), 35 deletions(-) create mode 100644 dashboard.tf diff --git a/dashboard.tf b/dashboard.tf new file mode 100644 index 00000000..4e21ea9f --- /dev/null +++ b/dashboard.tf @@ -0,0 +1,24 @@ +resource "helm_release" "metrics_server" { + name = "metrics-server" + repository = "https://kubernetes-sigs.github.io/metrics-server/" + chart = "metrics-server" + version = "3.8.2" + namespace = "kube-system" + + depends_on = [ + module.eks.eks_managed_node_groups + ] +} + +resource "helm_release" "kubernetes_dashboard" { + name = "kubernetes-dashboard" + repository = "https://kubernetes.github.io/dashboard/" + chart = "kubernetes-dashboard" + version = "5.7.0" + namespace = "kubernetes-dashboard" + create_namespace = true + + depends_on = [ + module.eks.eks_managed_node_groups + ] +} diff --git a/eks-cluster.tf b/eks-cluster.tf index 60375a82..8bd609b5 100644 --- a/eks-cluster.tf +++ b/eks-cluster.tf @@ -1,6 +1,6 @@ module "eks" { source = "terraform-aws-modules/eks/aws" - version = "18.23.0" + version = "18.26.3" cluster_name = local.cluster_name cluster_version = "1.22" 
@@ -10,48 +10,19 @@ module "eks" { manage_aws_auth_configmap = true - # Extend cluster security group rules - cluster_security_group_additional_rules = { - egress_nodes_ephemeral_ports_tcp = { - description = "To node 1025-65535" - protocol = "tcp" - from_port = 1025 - to_port = 65535 - type = "egress" - source_node_security_group = true - } - } - - # Extend node-to-node security group rules - node_security_group_additional_rules = { - ingress_self_all = { - description = "Node to node all ports/protocols" - protocol = "-1" - from_port = 0 - to_port = 0 - type = "ingress" - self = true - } - egress_all = { - description = "Node all egress" - protocol = "-1" - from_port = 0 - to_port = 0 - type = "egress" - cidr_blocks = ["0.0.0.0/0"] - ipv6_cidr_blocks = ["::/0"] - } - } - eks_managed_node_group_defaults = { ami_type = "AL2_x86_64" + attach_cluster_primary_security_group = true + # Disabling and using externally provided security groups create_security_group = false } eks_managed_node_groups = { one = { + name = "node-group-1" + instance_types = ["t3.small"] min_size = 1 diff --git a/main.tf b/main.tf index 7ecb3d64..4e42a7f9 100644 --- a/main.tf +++ b/main.tf 
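Review bot: `attach_cluster_primary_security_group = true` replaces the explicit `cluster_security_group_additional_rules`/`node_security_group_additional_rules` with the EKS-created primary cluster security group, which (per EKS behaviour, not visible here) carries an all-ports self-referencing rule and unrestricted egress, so effective node reachability is broader than the ephemeral-port and self rules being removed. That is a reasonable simplification for a learning repo but deserves a comment on the line, e.g. `# Nodes join the EKS primary cluster SG (all traffic between members); this replaces the explicit rule set`. The `node_group_one`/`node_group_two` groups are still attached via `vpc_security_group_ids` outside this hunk, so the comment should also say which group is meant to carry management ingress.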
@@ -8,13 +8,27 @@ provider "kubernetes" { cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data) exec { - api_version = "client.authentication.k8s.io/v1alpha1" + api_version = "client.authentication.k8s.io/v1beta1" command = "aws" # This requires the awscli to be available locally where Terraform is executed args = ["eks", "get-token", "--cluster-name", module.eks.cluster_id] } } +provider "helm" { + kubernetes { + host = module.eks.cluster_endpoint + cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data) + + exec { + api_version = "client.authentication.k8s.io/v1beta1" + command = "aws" + # This requires the awscli to be available locally where Terraform is executed + args = ["eks", "get-token", "--cluster-name", module.eks.cluster_id] + } + } +} + provider "aws" { region = var.region } From 26181c4b3b06039144c0f7034002bb11844d2af0 Mon Sep 17 00:00:00 2001 From: Bryant Biggs Date: Wed, 6 Jul 2022 17:10:34 -0400 Subject: [PATCH 4/5] feat: Provision RBAC with K8s provider --- dashboard.tf | 25 +++++++++++++++++++++++++ kubernetes-dashboard-admin.rbac.yaml | 19 ------------------- 2 files changed, 25 insertions(+), 19 deletions(-) delete mode 100644 kubernetes-dashboard-admin.rbac.yaml diff --git a/dashboard.tf b/dashboard.tf index 4e21ea9f..7bb80bab 100644 --- a/dashboard.tf +++ b/dashboard.tf @@ -22,3 +22,28 @@ resource "helm_release" "kubernetes_dashboard" { module.eks.eks_managed_node_groups ] } + +resource "kubernetes_service_account_v1" "admin" { + metadata { + name = "admin-user" + namespace = "kube-system" + } +} + +resource "kubernetes_cluster_role_binding_v1" "admin" { + metadata { + name = "admin-user" + } + + role_ref { + api_group = "rbac.authorization.k8s.io" + kind = "ClusterRole" + name = "cluster-admin" + } + + subject { + kind = "ServiceAccount" + name = "admin-user" + namespace = "kube-system" + } +} 
diff --git a/kubernetes-dashboard-admin.rbac.yaml b/kubernetes-dashboard-admin.rbac.yaml deleted file mode 100644 index c8460f31..00000000 --- a/kubernetes-dashboard-admin.rbac.yaml +++ /dev/null @@ -1,19 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: admin-user - namespace: kube-system ---- -# Create ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: admin-user -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: -- kind: ServiceAccount - name: admin-user - namespace: kube-system From 775ed2193b15ea67341ecc5f6f6868ed959d7d44 Mon Sep 17 00:00:00 2001 From: Bryant Biggs Date: Fri, 15 Jul 2022 08:10:43 -0400 Subject: [PATCH 5/5] refactor: Remove dashboard, manifests, and helm provider --- .gitignore | 3 --- .terraform.lock.hcl | 65 +++++++++++++++++++++++++++++++++++++++++++++ dashboard.tf | 49 ---------------------------------- main.tf | 14 ---------- versions.tf | 5 ---- vpc.tf | 2 +- 6 files changed, 66 insertions(+), 72 deletions(-) create mode 100644 .terraform.lock.hcl delete mode 100644 dashboard.tf diff --git a/.gitignore b/.gitignore index e9308c8e..6665869f 100644 --- a/.gitignore +++ b/.gitignore @@ -1,9 +1,6 @@ # Local .terraform directories **/.terraform/* -# Terraform lockfile -.terraform.lock.hcl - # .tfstate files *.tfstate *.tfstate.* diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl new file mode 100644 index 00000000..bab8bc44 --- /dev/null +++ b/.terraform.lock.hcl 
@@ -0,0 +1,65 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "4.22.0" + constraints = ">= 3.63.0, >= 3.72.0" + hashes = [ + "h1:fmPkEDTodRW9XE0dqpTzBFUtfB3nYurbwzKy//8N93o=", + ] +} + +provider "registry.terraform.io/hashicorp/cloudinit" { + version = "2.2.0" + constraints = ">= 2.0.0" + hashes = [ + "h1:siiI0wK6/jUDdA5P8ifTO0yc9YmXHml4hz5K9I9N+MA=", + ] +} + +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "2.12.1" + constraints = ">= 2.10.0" + hashes = [ + "h1:iAS9NYD0DjjmKpge74+y6nRltWkF+jkEpavWOEgq4jY=", + "zh:1ecb2adff52754fb4680c7cfe6143d1d8c264b00bb0c44f07f5583b1c7f978b8", + "zh:1fbd155088cd5818ad5874e4d59ccf1801e4e1961ac0711442b963315f1967ab", + "zh:29e927c7c8f112ee0e8ab70e71b498f2f2ae6f47df1a14e6fd0fdb6f14b57c00", + "zh:42c2f421da6b5b7c997e42aa04ca1457fceb13dd66099a057057a0812b680836", + "zh:522a7bccd5cd7acbb4ec3ef077d47f4888df7e59ff9f3d598b717ad3ee4fe9c9", + "zh:b45d8dc5dcbc5e30ae570d0c2e198505f47d09098dfd5f004871be8262e6ec1e", + "zh:c3ea0943f2050001c7d6a7115b9b990f148b082ebfc4ff3c2ff3463a8affcc4a", + "zh:f111833a64e06659d2e21864de39b7b7dec462615294d02f04c777956742a930", + "zh:f182dba5707b90b0952d5984c23f7a2da3baa62b4d71e78df7759f16cc88d957", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:f76655a68680887daceabd947b2f68e2103f5bbec49a2bc29530f82ab8e3bca3", + "zh:fadb77352caa570bd3259dfb59c31db614d55bc96df0ff15a3c0cd2e685678b9", + ] +} + +provider "registry.terraform.io/hashicorp/random" { + version = "3.1.0" + constraints = "3.1.0" + hashes = [ + "h1:rKYu5ZUbXwrLG1w81k7H3nce/Ys6yAxXhWcbtk36HjY=", + "zh:2bbb3339f0643b5daa07480ef4397bd23a79963cc364cdfbb4e86354cb7725bc", + "zh:3cd456047805bf639fbf2c761b1848880ea703a054f76db51852008b11008626", + "zh:4f251b0eda5bb5e3dc26ea4400dba200018213654b69b4a5f96abee815b4f5ff", + 
"zh:7011332745ea061e517fe1319bd6c75054a314155cb2c1199a5b01fe1889a7e2", + "zh:738ed82858317ccc246691c8b85995bc125ac3b4143043219bd0437adc56c992", + "zh:7dbe52fac7bb21227acd7529b487511c91f4107db9cc4414f50d04ffc3cab427", + "zh:a3a9251fb15f93e4cfc1789800fc2d7414bbc18944ad4c5c98f466e6477c42bc", + "zh:a543ec1a3a8c20635cf374110bd2f87c07374cf2c50617eee2c669b3ceeeaa9f", + "zh:d9ab41d556a48bd7059f0810cf020500635bfc696c9fc3adab5ea8915c1d886b", + "zh:d9e13427a7d011dbd654e591b0337e6074eef8c3b9bb11b2e39eaaf257044fd7", + "zh:f7605bd1437752114baf601bdf6931debe6dc6bfe3006eb7e9bb9080931dca8a", + ] +} + +provider "registry.terraform.io/hashicorp/tls" { + version = "3.4.0" + constraints = ">= 3.0.0" + hashes = [ + "h1:fSRc/OyRitbAST9vE+mEcmgJiDp+Jx8pGPbUUeYEQRc=", + ] +} diff --git a/dashboard.tf b/dashboard.tf deleted file mode 100644 index 7bb80bab..00000000 --- a/dashboard.tf +++ /dev/null @@ -1,49 +0,0 @@ -resource "helm_release" "metrics_server" { - name = "metrics-server" - repository = "https://kubernetes-sigs.github.io/metrics-server/" - chart = "metrics-server" - version = "3.8.2" - namespace = "kube-system" - - depends_on = [ - module.eks.eks_managed_node_groups - ] -} - -resource "helm_release" "kubernetes_dashboard" { - name = "kubernetes-dashboard" - repository = "https://kubernetes.github.io/dashboard/" - chart = "kubernetes-dashboard" - version = "5.7.0" - namespace = "kubernetes-dashboard" - create_namespace = true - - depends_on = [ - module.eks.eks_managed_node_groups - ] -} - -resource "kubernetes_service_account_v1" "admin" { - metadata { - name = "admin-user" - namespace = "kube-system" - } -} - -resource "kubernetes_cluster_role_binding_v1" "admin" { - metadata { - name = "admin-user" - } - - role_ref { - api_group = "rbac.authorization.k8s.io" - kind = "ClusterRole" - name = "cluster-admin" - } - - subject { - kind = "ServiceAccount" - name = "admin-user" - namespace = "kube-system" - } -} diff --git a/main.tf b/main.tf index 4e42a7f9..5608c34f 100644 
--- a/main.tf +++ b/main.tf @@ -15,20 +15,6 @@ provider "kubernetes" { } } -provider "helm" { - kubernetes { - host = module.eks.cluster_endpoint - cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data) - - exec { - api_version = "client.authentication.k8s.io/v1beta1" - command = "aws" - # This requires the awscli to be available locally where Terraform is executed - args = ["eks", "get-token", "--cluster-name", module.eks.cluster_id] - } - } -} - provider "aws" { region = var.region } diff --git a/versions.tf b/versions.tf index e62f100c..d6528e74 100644 --- a/versions.tf +++ b/versions.tf @@ -9,11 +9,6 @@ terraform { source = "hashicorp/random" version = "3.1.0" } - - kubernetes = { - source = "hashicorp/kubernetes" - version = ">= 2.10" - } } required_version = ">= 0.14" diff --git a/vpc.tf b/vpc.tf index 435247b3..9a327a87 100644 --- a/vpc.tf +++ b/vpc.tf @@ -1,6 +1,6 @@ module "vpc" { source = "terraform-aws-modules/vpc/aws" - version = "3.12.0" + version = "3.14.2" name = "education-vpc"
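Review bot: Dropping the `kubernetes` entry from `required_providers` leaves `provider "kubernetes"` in main.tf (kept by the preceding hunk) without a root-module version constraint; Terraform still installs `hashicorp/kubernetes` implicitly, but its version is then bounded only by whatever the EKS module declares (the new lockfile records `>= 2.10.0`). Since the root module configures that provider directly, keep the entry, `kubernetes = { source = "hashicorp/kubernetes", version = ">= 2.10" }`, or add a comment above `required_providers` stating that the module's constraint is deliberately relied on.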