first commit

This commit is contained in:
brandoconnor
2018-06-06 20:55:23 -07:00
commit 07aba1b766
28 changed files with 974 additions and 0 deletions

21
.github/ISSUE_TEMPLATE.md vendored Normal file
View File

@@ -0,0 +1,21 @@
# I have issues
## I'm submitting a
* [ ] bug report
* [ ] feature request
* [ ] support request
## What is the current behavior
## If this is a bug, how to reproduce? Please include a code sample
## What's the expected behavior
## Environment
* Affected module version:
* OS:
* Terraform version:
## Other relevant info

13
.github/PULL_REQUEST_TEMPLATE.md vendored Normal file
View File

@@ -0,0 +1,13 @@
# PR o'clock
## Description
Please explain the changes you made here and link to any relevant issues.
### Checklist
* [ ] `terraform fmt` and `terraform validate` both work from the root and `examples/alb_test_fixture` directories (look in CI for an example)
* [ ] Tests for the changes have been added and passing (for bug fixes/features)
* [ ] Test results are pasted in this PR (in lieu of CI)
* [ ] Docs have been added/updated (for bug fixes/features)
* [ ] Any breaking changes are noted in the description above
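Review bot: the `terraform fmt`/`terraform validate` checklist item points contributors at `examples/alb_test_fixture`, but the only example in this repository, and the `root_module_directory` in `.kitchen.yml`, is `examples/eks_test_fixture`; the template looks carried over from an ALB module. Fix the path so the checklist does not ask people to validate a directory that does not exist.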

9
.gitignore vendored Normal file
View File

@@ -0,0 +1,9 @@
*.tfvars
*.tfstate*
.terraform/
**/inspec.lock
*.gem
.kitchen/
.kitchen.local.yml
Gemfile.lock
terraform.tfstate.d/
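Review bot: nothing here keeps key material out of the repository, and this same commit adds an RSA private key and a certificate under the example fixture. Add `*.pem`, `*.key` and `*.crt` (or the fixture's actual filenames) next to `*.tfvars` and `*.tfstate*`, and treat the key that has already been committed as disclosed.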

20
.kitchen.yml Normal file
View File

@@ -0,0 +1,20 @@
---
driver:
name: "terraform"
root_module_directory: "examples/eks_test_fixture"
provisioner:
name: "terraform"
platforms:
- name: "aws"
verifier:
name: "awspec"
suites:
- name: "default"
verifier:
name: "awspec"
patterns:
- "test/integration/default/test_eks.rb"

10
.pre-commit-config.yaml Normal file
View File

@@ -0,0 +1,10 @@
# See http://pre-commit.com for more information
# See http://pre-commit.com/hooks.html for more hooks
repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
sha: v0.9.2
hooks:
- id: trailing-whitespace
# - id: end-of-file-fixer
- id: check-yaml
- id: check-added-large-files
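Review bot: the PR template requires `terraform fmt` and `terraform validate`, but no hook here runs either; only the generic whitespace, YAML and large-file checks are enabled and `end-of-file-fixer` is commented out. Add a `terraform_fmt` hook (the antonbabenko/pre-commit-terraform repository provides one) so the checklist is enforced before a commit is made. Also, `sha:` is the pre-1.7 spelling of the key pre-commit now calls `rev:`.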

1
.ruby-version Normal file
View File

@@ -0,0 +1 @@
2.4.2

12
CHANGELOG.md Normal file
View File

@@ -0,0 +1,12 @@
# Change Log
All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](http://keepachangelog.com/) and this
project adheres to [Semantic Versioning](http://semver.org/).
## [v0.1.0] - 2018-06-06
### Added
- Everything! Initial release of the module.

46
CODE_OF_CONDUCT.md Normal file
View File

@@ -0,0 +1,46 @@
# Contributor Covenant Code of Conduct
## Our Pledge
In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation.
## Our Standards
Examples of behavior that contributes to creating a positive environment include:
- Using welcoming and inclusive language
- Being respectful of differing viewpoints and experiences
- Gracefully accepting constructive criticism
- Focusing on what is best for the community
- Showing empathy towards other community members
Examples of unacceptable behavior by participants include:
- The use of sexualized language or imagery and unwelcome sexual attention or advances
- Trolling, insulting/derogatory comments, and personal or political attacks
- Public or private harassment
- Publishing others' private information, such as a physical or electronic address, without explicit permission
- Other conduct which could reasonably be considered inappropriate in a professional setting
## Our Responsibilities
Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.
Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.
## Scope
This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers.
## Enforcement
Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at brandon@atscale.run. The project team will review and investigate all complaints, and will respond in a way that it deems appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately.
Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.
## Attribution
This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at [http://contributor-covenant.org/version/1/4][version]
[homepage]: http://contributor-covenant.org
[version]: http://contributor-covenant.org/version/1/4/

13
CONTRIBUTING.md Normal file
View File

@@ -0,0 +1,13 @@
# Contributing
When contributing to this repository, please first discuss the change you wish to make via issue,
email, or any other method with the owners of this repository before making a change.
Please note we have a code of conduct, please follow it in all your interactions with the project.
## Pull Request Process
1. Ensure any install or build dependencies are removed before the end of the layer when doing a build.
2. Update the README.md with details of changes to the interface, this includes new environment variables, exposed ports, useful file locations and container parameters.
3. Increase the version numbers in any examples files and the README.md to the new version that this Pull Request would represent. The versioning scheme we use is [SemVer](http://semver.org/).
4. You may merge the Pull Request in once you have the sign-off of two other developers, or if you do not have permission to do that, you may request the second reviewer to merge it for you.
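Review bot: steps 1 and 2 of the Pull Request Process describe a container image ("end of the layer when doing a build", "exposed ports ... container parameters"), which has nothing to do with a Terraform module. Replace them with what the PR template already asks for: `terraform fmt`/`terraform validate`, the kitchen tests, and regenerating the README inputs/outputs with terraform-docs whenever `variables.tf` or `outputs.tf` changes.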

9
Gemfile Normal file
View File

@@ -0,0 +1,9 @@
# frozen_string_literal: true
ruby '2.4.2'
source 'https://rubygems.org/' do
gem 'awspec', '~> 1.4.2'
gem 'kitchen-terraform', '~> 3.2'
gem 'kitchen-verifier-awspec', '~> 0.1.1'
end

19
LICENSE Normal file
View File

@@ -0,0 +1,19 @@
Copyright (c) 2018 Brandon O'Connor - Run at Scale
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

105
README.md Normal file
View File

@@ -0,0 +1,105 @@
# terraform-aws-eks
A terraform module to create a managed Kubernetes cluster on AWS EKS. Available
through the [Terraform registry](https://registry.terraform.io/modules/terraform-aws-modules/eks/aws).
| Branch | Build status |
| ------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| master | [![build Status](https://travis-ci.org/terraform-aws-modules/terraform-aws-eks.svg?branch=master)](https://travis-ci.org/terraform-aws-modules/terraform-aws-eks) |
## Assumptions
* You want to create a set of resources around an EKS cluster: namely an autoscaling group of workers and a security group for them.
* You've created a Virtual Private Cloud (VPC) and subnets where you intend to put this EKS.
It's recommended you use this module with [terraform-aws-vpc](https://registry.terraform.io/modules/terraform-aws-modules/vpc/aws),
[terraform-aws-security-group](https://registry.terraform.io/modules/terraform-aws-modules/security-group/aws), and
[terraform-aws-autoscaling](https://registry.terraform.io/modules/terraform-aws-modules/autoscaling/aws/).
## Usage example
A full example leveraging other community modules is contained in the [examples/eks_test_fixture directory](https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/examples/eks_test_fixture). Here's the gist of using it via the Terraform registry:
```hcl
module "eks" {
source = "terraform-aws-modules/eks/aws"
version = "0.1.0"
cluster_name = "test-eks-cluster"
security_groups = ["sg-edcd9784", "sg-edcd9785"]
subnets = ["subnet-abcde012", "subnet-bcde012a"]
tags = "${map("Environment", "test")}"
vpc_id = "vpc-abcde012"
}
```
## Testing
This module has been packaged with [awspec](https://github.com/k1LoW/awspec) tests through [kitchen](https://kitchen.ci/) and [kitchen-terraform](https://newcontext-oss.github.io/kitchen-terraform/). To run them:
1. Install [rvm](https://rvm.io/rvm/install) and the ruby version specified in the [Gemfile](https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/Gemfile).
2. Install bundler and the gems from our Gemfile:
```bash
gem install bundler && bundle install
```
3. Ensure your AWS environment is configured (i.e. credentials and region) for test.
4. Test using `bundle exec kitchen test` from the root of the repo.
## Doc generation
Documentation should be modified within `main.tf` and generated using [terraform-docs](https://github.com/segmentio/terraform-docs).
Generate them like so:
```bash
go get github.com/segmentio/terraform-docs
terraform-docs md ./ | cat -s | ghead -n -1 > README.md
```
## Contributing
Report issues/questions/feature requests on in the [issues](https://github.com/terraform-aws-modules/terraform-aws-eks/issues/new) section.
Full contributing [guidelines are covered here](https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/CONTRIBUTING.md).
## IAM Permissions
Testing and using this repo requires a minimum set of IAM permissions. Test permissions
are listed in the [eks_test_fixture README](https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/examples/eks_test_fixture/README.md).
## Change log
The [changelog](https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/CHANGELOG.md) captures all important release notes.
## Authors
Created and maintained by [Brandon O'Connor](https://github.com/brandoconnor) - brandon@atscale.run.
Many thanks to [the contributors listed here](https://github.com/terraform-aws-modules/terraform-aws-eks/graphs/contributors)!
## License
MIT Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/LICENSE) for full details.
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|:----:|:-----:|:-----:|
| cluster_name | Name of the EKS cluster. | string | - | yes |
| security_groups | The security groups to attach to the EKS cluster instances | list | - | yes |
| subnets | A list of subnets to associate with the cluster's underlying instances. | list | - | yes |
| tags | A map of tags to add to all resources | string | `<map>` | no |
| vpc_id | VPC id where the cluster and other resources will be deployed. | string | - | yes |
## Outputs
| Name | Description |
|------|-------------|
| cluster_arn | The Amazon Resource Name (ARN) of the cluster. |
| cluster_certificate_authority | Nested attribute containing certificate-authority-data for your cluster |
| cluster_data | The base64 encoded certificate data required to communicate with your cluster. Add this to the certificate-authority-data section of the kubeconfig file for your cluster. |
| cluster_endpoint | The endpoint for your Kubernetes API server. |
| cluster_id | The name of the cluster. |
| cluster_version | The Kubernetes server version for the cluster. |
| cluster_vpc_config | description |
| config_map_aws_auth | description |
| kubeconfig | description |
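Review bot: the Inputs and Outputs tables do not match `variables.tf` and `outputs.tf` in this commit. `tags` is shown as type string with default `<map>`, but it is declared with `default = {}` and no type; `cluster_arn` is listed although that output is commented out as unsupported; `cluster_certificate_authority` and `cluster_data` are listed but the only such output is `cluster_certificate_authority_data`; and `cluster_vpc_config`, `config_map_aws_auth` and `kubeconfig` carry the placeholder text "description". Fix the `.tf` files and regenerate with the terraform-docs command given under Doc generation. Two further points: `security_groups` and `tags` are documented as inputs, but nothing in `cluster.tf` or `worker_nodes.tf` reads them, so the Usage example's `security_groups` list has no effect; and the Usage section should say that the `kubeconfig` output only works with `heptio-authenticator-aws` on the operator's PATH. Typo under Contributing: "on in the" should be "in the".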

87
cluster.tf Normal file
View File

@@ -0,0 +1,87 @@
#
# EKS Cluster Resources
# * IAM Role to allow EKS service to manage other AWS services
# * EC2 Security Group to allow networking traffic with EKS cluster
# * EKS Cluster
#
resource "aws_eks_cluster" "demo" {
name = "${var.cluster_name}"
role_arn = "${aws_iam_role.demo-cluster.arn}"
vpc_config {
security_group_ids = ["${aws_security_group.demo-cluster.id}"]
subnet_ids = ["${var.subnets}"]
}
depends_on = [
"aws_iam_role_policy_attachment.demo-cluster-AmazonEKSClusterPolicy",
"aws_iam_role_policy_attachment.demo-cluster-AmazonEKSServicePolicy",
]
}
resource "aws_iam_role" "demo-cluster" {
name = "terraform-eks-demo-cluster"
assume_role_policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "eks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
POLICY
}
resource "aws_iam_role_policy_attachment" "demo-cluster-AmazonEKSClusterPolicy" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
role = "${aws_iam_role.demo-cluster.name}"
}
resource "aws_iam_role_policy_attachment" "demo-cluster-AmazonEKSServicePolicy" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEKSServicePolicy"
role = "${aws_iam_role.demo-cluster.name}"
}
resource "aws_security_group" "demo-cluster" {
name = "terraform-eks-demo-cluster"
description = "Cluster communication with worker nodes"
vpc_id = "${var.vpc_id}"
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
tags {
Name = "terraform-eks-demo"
}
}
resource "aws_security_group_rule" "demo-cluster-ingress-node-https" {
description = "Allow pods to communicate with the cluster API Server"
from_port = 443
protocol = "tcp"
security_group_id = "${aws_security_group.demo-cluster.id}"
source_security_group_id = "${aws_security_group.demo-node.id}"
to_port = 443
type = "ingress"
}
resource "aws_security_group_rule" "demo-cluster-ingress-workstation-https" {
cidr_blocks = ["${local.workstation_external_cidr}"]
description = "Allow workstation to communicate with the cluster API Server"
from_port = 443
protocol = "tcp"
security_group_id = "${aws_security_group.demo-cluster.id}"
to_port = 443
type = "ingress"
}
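Review bot: every name in this file is a fixed string (`terraform-eks-demo-cluster` for both the IAM role and the security group, `Name = terraform-eks-demo` in the tags) even though `var.cluster_name` is available, so a second instantiation of the module in the same account fails on the account-wide IAM role name, and a second one in the same VPC fails on the security group name; derive names from `var.cluster_name`, and merge `var.tags`, which this file ignores, into the tags. The `demo-cluster-ingress-workstation-https` rule also needs a second look: its source CIDR is whatever `local.workstation_external_cidr` resolved to at plan time, so the allowed /32 changes (and the rule is rewritten) every time `apply` runs from a different network, and the module exposes no variable to set it explicitly.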

58
data.tf Normal file
View File

@@ -0,0 +1,58 @@
data "aws_region" "current" {}
data "aws_availability_zones" "available" {}
provider "http" {}
data "http" "workstation-external-ip" {
url = "http://icanhazip.com"
}
# Override with variable or hardcoded value if necessary
locals {
workstation_external_cidr = "${chomp(data.http.workstation-external-ip.body)}/32"
config_map_aws_auth = <<CONFIGMAPAWSAUTH
apiVersion: v1
kind: ConfigMap
metadata:
name: aws-auth
namespace: kube-system
data:
mapRoles: |
- rolearn: ${aws_iam_role.demo-node.arn}
username: system:node:{{EC2PrivateDNSName}}
groups:
- system:bootstrappers
- system:nodes
CONFIGMAPAWSAUTH
kubeconfig = <<KUBECONFIG
apiVersion: v1
clusters:
- cluster:
server: ${aws_eks_cluster.demo.endpoint}
certificate-authority-data: ${aws_eks_cluster.demo.certificate_authority.0.data}
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: aws
name: aws
current-context: aws
kind: Config
preferences: {}
users:
- name: aws
user:
exec:
apiVersion: client.authentication.k8s.io/v1alpha1
command: heptio-authenticator-aws
args:
- "token"
- "-i"
- "${var.cluster_name}"
KUBECONFIG
}
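Review bot: `data "http" "workstation-external-ip"` fetches the address that `cluster.tf` turns into an API-server ingress rule over plain HTTP from `http://icanhazip.com`, so anyone who can tamper with that unauthenticated response decides which /32 is allowed through, and every plan makes an outbound request to a third party. Use `https://` at minimum; better, take the CIDR list from a variable and keep the lookup as an opt-in fallback, which is what the comment above the `locals` block already suggests. Two smaller points: `provider "http" {}` inside a child module should be dropped in favour of the root module's provider configuration, and `data "aws_availability_zones" "available"` is not referenced anywhere in the module.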

View File

@@ -0,0 +1,90 @@
# eks_test_fixture example
This set of templates serves two purposes:
1. it shows developers how to use the module in a straightforward way as integrated with other terraform community supported modules.
1. serves as the test infrastructure for CI on the project.
## IAM Permissions
The following IAM policy is the minimum needed to execute the module from the test suite.
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1507789535000",
"Effect": "Allow",
"Action": [
"autoscaling:*LoadBalancerTargetGroups",
"autoscaling:*AutoScalingGroup",
"autoscaling:*LaunchConfiguration",
"autoscaling:*AutoScalingGroups",
"autoscaling:*LaunchConfigurations",
"ec2:AllocateAddress",
"ec2:AssignIpv6Addresses",
"ec2:AssignPrivateIpAddresses",
"ec2:AssociateAddress",
"ec2:AssociateDhcpOptions",
"ec2:AssociateRouteTable",
"ec2:AttachInternetGateway",
"ec2:AttachNetworkInterface",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateDhcpOptions",
"ec2:CreateInternetGateway",
"ec2:CreateNatGateway",
"ec2:CreateNetworkAcl",
"ec2:CreateNetworkAclEntry",
"ec2:CreateNetworkInterface",
"ec2:CreateNetworkInterfacePermission",
"ec2:CreateRoute",
"ec2:CreateRouteTable",
"ec2:CreateSecurityGroup",
"ec2:CreateSubnet",
"ec2:CreateTags",
"ec2:CreateVpc",
"ec2:DeleteDhcpOptions",
"ec2:DeleteInternetGateway",
"ec2:DeleteNatGateway",
"ec2:DeleteNetworkAcl",
"ec2:DeleteNetworkAclEntry",
"ec2:DeleteNetworkInterface",
"ec2:DeleteRoute",
"ec2:DeleteRouteTable",
"ec2:DeleteSecurityGroup",
"ec2:DeleteSubnet",
"ec2:DeleteTags",
"ec2:DeleteVpc",
"ec2:Describe*",
"ec2:DetachInternetGateway",
"ec2:DetachNetworkInterface",
"ec2:DisassociateAddress",
"ec2:DisassociateRouteTable",
"ec2:DisassociateSubnetCidrBlock",
"ec2:DisassociateVpcCidrBlock",
"ec2:ModifySubnetAttribute",
"ec2:ModifyVpcAttribute",
"ec2:ModifyVpcEndpoint",
"ec2:ReleaseAddress",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:UpdateSecurityGroupRuleDescriptionsEgress",
"ec2:UpdateSecurityGroupRuleDescriptionsIngress"
],
"Resource": ["*"]
},
{
"Sid": "Stmt1507789655001",
"Effect": "Allow",
"Action": [
"iam:UploadServerCertificate",
"iam:DeleteServerCertificate",
"iam:GetServerCertificate"
],
"Resource": ["*"]
}
]
}
```
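Review bot: the policy claims to be the minimum needed to run the module, but it grants no `eks:*` actions at all (the module creates an `aws_eks_cluster`) and no `iam:CreateRole`, `iam:AttachRolePolicy`, `iam:CreateInstanceProfile`, `iam:AddRoleToInstanceProfile` or `iam:PassRole`, nor their Get/List/Delete counterparts, while the module creates two roles, five policy attachments and an instance profile; `terraform apply` under exactly this policy fails. Conversely, the `iam:*ServerCertificate` statement is not used by anything in this commit. Rebuild the policy from what the fixture actually calls, and scope `iam:PassRole` to the two role ARNs rather than `*`, since that action is what lets a caller hand the node and cluster roles to EC2 and EKS.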

View File

@@ -0,0 +1,26 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
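Review bot: this certificate is not referenced by any file in the commit (the fixture's `main.tf` only instantiates the vpc, security-group and eks modules), and together with the `iam:*ServerCertificate` permissions in the fixture README and the `alb_test_fixture` path in the PR template it looks carried over from an ALB fixture. Remove it rather than leave unexplained PEM material in the tree.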

View File

@@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
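Review bot: an RSA private key is committed here in the clear. Nothing in this commit consumes it, and once pushed it has to be treated as disclosed, because it cannot be reliably purged from clones and forks: stop using it and any certificate issued for it, delete the file from the tree, and add `*.key`/`*.pem` patterns to `.gitignore` (which currently only covers state and tfvars) so it is not re-added.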

View File

@@ -0,0 +1,21 @@
data "aws_caller_identity" "current" {}
data "aws_availability_zones" "available" {}
data "aws_region" "current" {}
data "aws_ami" "ubuntu" {
most_recent = true
filter {
name = "name"
values = ["ubuntu/images/hvm-ssd/ubuntu-trusty-14.04-amd64-server-*"]
}
filter {
name = "virtualization-type"
values = ["hvm"]
}
owners = ["099720109477"] # Canonical
}
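Review bot: of the four data sources only `aws_availability_zones.available` is used by the fixture's `main.tf`; `aws_caller_identity`, `aws_region` and the Ubuntu `aws_ami` lookup are dead code (the worker AMI is resolved inside the module from the `eks-worker-*` images). Remove them, or say what the AMI lookup is for; a `most_recent = true` search for a 2014 Ubuntu release is not something a fixture meant to demonstrate good usage should carry around unexplained.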

View File

@@ -0,0 +1,7 @@
locals {
tags = "${map("Environment", "test",
"GithubRepo", "terraform-aws-eks",
"GithubOrg", "terraform-aws-modules",
"Workspace", "${terraform.workspace}",
)}"
}

View File

@@ -0,0 +1,55 @@
terraform {
required_version = "= 0.11.7"
}
provider "aws" {
version = ">= 1.22.0"
region = "${var.region}"
}
provider "random" {
version = "= 1.3.1"
}
# resource "random_pet" "suffix" {
# length = 1
# }
# resource "random_string" "suffix" {
# length = 8
# special = false
# }
module "vpc" {
source = "terraform-aws-modules/vpc/aws"
version = "1.14.0"
name = "test-vpc"
cidr = "10.0.0.0/16"
azs = ["${data.aws_availability_zones.available.names[0]}", "${data.aws_availability_zones.available.names[1]}"]
private_subnets = ["10.0.1.0/24", "10.0.2.0/24"]
public_subnets = ["10.0.3.0/24", "10.0.4.0/24"]
enable_nat_gateway = true
single_nat_gateway = true
tags = "${local.tags}"
}
module "security_group" {
source = "terraform-aws-modules/security-group/aws"
version = "1.12.0"
name = "test-sg-https"
vpc_id = "${module.vpc.vpc_id}"
tags = "${local.tags}"
}
module "eks" {
source = "../.."
# cluster_name = "test-eks-${random_string.suffix.result}"
# cluster_name = "test-eks-${random_pet.suffix.id}"
cluster_name = "test-eks-cluster"
security_groups = ["${module.security_group.this_security_group_id}"]
subnets = "${module.vpc.public_subnets}"
tags = "${local.tags}"
vpc_id = "${module.vpc.vpc_id}"
}
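Review bot: `subnets = "${module.vpc.public_subnets}"` hands the public subnets to the module, which uses the same list for the control-plane ENIs and for the worker ASG, and `worker_nodes.tf` sets `associate_public_ip_address = true`, so every worker gets a public IP while the private subnets and NAT gateway built in the `vpc` block go unused. Pass `module.vpc.private_subnets`, which is what the NAT gateway is there for. Also: `cluster_name` is fixed at `test-eks-cluster` with the `random_string`/`random_pet` suffix commented out, so two CI runs in the same account collide on the cluster and on the module's fixed IAM role names; either restore the suffix (the `random` provider is already pinned) or drop the provider. The `security_group` module creates a group with no rules that the eks module never attaches to anything.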

View File

@@ -0,0 +1,4 @@
output "cluster_endpoint" {
description = "Endpoint for EKS controlplane."
value = "${module.eks.cluster_endpoint}"
}
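Review bot: `test/integration/default/test_eks.rb` reads the `region` output from the state file, but this fixture exports only `cluster_endpoint`, so the verifier sets `AWS_REGION` to nil. Add `output "region" { value = "${var.region}" }` here, and consider exporting `cluster_id` as well so the spec has something concrete to assert against.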

View File

@@ -0,0 +1,3 @@
variable "region" {
default = "us-west-2"
}

84
main.tf Normal file
View File

@@ -0,0 +1,84 @@
/**
# terraform-aws-eks
* A terraform module to create a managed Kubernetes cluster on AWS EKS. Available
* through the [Terraform registry](https://registry.terraform.io/modules/terraform-aws-modules/eks/aws).
* | Branch | Build status |
* | ------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- |
* | master | [![build Status](https://travis-ci.org/terraform-aws-modules/terraform-aws-eks.svg?branch=master)](https://travis-ci.org/terraform-aws-modules/terraform-aws-eks) |
* ## Assumptions
** You want to create a set of resources around an EKS cluster: namely an autoscaling group of workers and a security group for them.
** You've created a Virtual Private Cloud (VPC) and subnets where you intend to put this EKS.
* It's recommended you use this module with [terraform-aws-vpc](https://registry.terraform.io/modules/terraform-aws-modules/vpc/aws),
* [terraform-aws-security-group](https://registry.terraform.io/modules/terraform-aws-modules/security-group/aws), and
* [terraform-aws-autoscaling](https://registry.terraform.io/modules/terraform-aws-modules/autoscaling/aws/).
* ## Usage example
* A full example leveraging other community modules is contained in the [examples/eks_test_fixture directory](https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/examples/eks_test_fixture). Here's the gist of using it via the Terraform registry:
* ```hcl
* module "eks" {
* source = "terraform-aws-modules/eks/aws"
* version = "0.1.0"
* cluster_name = "test-eks-cluster"
* security_groups = ["sg-edcd9784", "sg-edcd9785"]
* subnets = ["subnet-abcde012", "subnet-bcde012a"]
* tags = "${map("Environment", "test")}"
* vpc_id = "vpc-abcde012"
* }
* ```
* ## Testing
* This module has been packaged with [awspec](https://github.com/k1LoW/awspec) tests through [kitchen](https://kitchen.ci/) and [kitchen-terraform](https://newcontext-oss.github.io/kitchen-terraform/). To run them:
* 1. Install [rvm](https://rvm.io/rvm/install) and the ruby version specified in the [Gemfile](https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/Gemfile).
* 2. Install bundler and the gems from our Gemfile:
*
* ```bash
* gem install bundler && bundle install
* ```
*
* 3. Ensure your AWS environment is configured (i.e. credentials and region) for test.
* 4. Test using `bundle exec kitchen test` from the root of the repo.
* ## Doc generation
* Documentation should be modified within `main.tf` and generated using [terraform-docs](https://github.com/segmentio/terraform-docs).
* Generate them like so:
* ```bash
* go get github.com/segmentio/terraform-docs
* terraform-docs md ./ | cat -s | ghead -n -1 > README.md
* ```
* ## Contributing
* Report issues/questions/feature requests on in the [issues](https://github.com/terraform-aws-modules/terraform-aws-eks/issues/new) section.
* Full contributing [guidelines are covered here](https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/CONTRIBUTING.md).
* ## IAM Permissions
* Testing and using this repo requires a minimum set of IAM permissions. Test permissions
* are listed in the [eks_test_fixture README](https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/examples/eks_test_fixture/README.md).
* ## Change log
* The [changelog](https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/CHANGELOG.md) captures all important release notes.
* ## Authors
* Created and maintained by [Brandon O'Connor](https://github.com/brandoconnor) - brandon@atscale.run.
* Many thanks to [the contributors listed here](https://github.com/terraform-aws-modules/terraform-aws-eks/graphs/contributors)!
* ## License
* MIT Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/LICENSE) for full details.
*/

40
outputs.tf Normal file
View File

@@ -0,0 +1,40 @@
output "config_map_aws_auth" {
description = "description"
value = "${local.config_map_aws_auth}"
}
output "kubeconfig" {
description = "description"
value = "${local.kubeconfig}"
}
output "cluster_id" {
description = "The name of the cluster."
value = "${aws_eks_cluster.demo.id}"
}
# Though documented: not yet supported
# output "cluster_arn" {
# description = "The Amazon Resource Name (ARN) of the cluster."
# value = "${aws_eks_cluster.demo.arn}"
# }
output "cluster_certificate_authority_data" {
description = "Nested attribute containing certificate-authority-data for your cluster. Tis is the base64 encoded certificate data required to communicate with your cluster."
value = "${aws_eks_cluster.demo.certificate_authority.0.data}"
}
output "cluster_endpoint" {
description = "The endpoint for your Kubernetes API server."
value = "${aws_eks_cluster.demo.endpoint}"
}
output "cluster_version" {
description = "The Kubernetes server version for the cluster."
value = "${aws_eks_cluster.demo.version}"
}
output "cluster_vpc_config" {
description = "description"
value = "${aws_eks_cluster.demo.vpc_config}"
}
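Review bot: `config_map_aws_auth`, `kubeconfig` and `cluster_vpc_config` have the placeholder description "description", and `cluster_certificate_authority_data` has a typo ("Tis"); these strings feed the README Outputs table, which currently lists names (`cluster_arn`, `cluster_certificate_authority`, `cluster_data`) that do not exist in this file. Fill in the descriptions and regenerate the README. The `kubeconfig` description should also state that its `exec` block requires `heptio-authenticator-aws` on the operator's PATH, since the output is unusable without it.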

View File

@@ -0,0 +1,9 @@
# frozen_string_literal: true
require 'awspec'
# rubocop:disable LineLength
state_file = 'terraform.tfstate.d/kitchen-terraform-default-aws/terraform.tfstate'
tf_state = JSON.parse(File.open(state_file).read)
region = tf_state['modules'][0]['outputs']['region']['value']
ENV['AWS_REGION'] = region
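Review bot: the spec has no `describe` block, so `kitchen verify` passes with zero examples and the integration suite asserts nothing; add at least `describe autoscaling_group('terraform-eks-demo')` and `describe security_group('terraform-eks-demo-node')` checks against the resources the module creates. It also reads `tf_state['modules'][0]['outputs']['region']`, but the fixture's `outputs.tf` exports only `cluster_endpoint`, so `region` is nil before any example runs, and the hardcoded `terraform.tfstate.d/kitchen-terraform-default-aws` path breaks as soon as the suite or platform name in `.kitchen.yml` changes.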

22
variables.tf Normal file
View File

@@ -0,0 +1,22 @@
variable "cluster_name" {
description = "Name of the EKS cluster."
}
variable "vpc_id" {
description = "VPC id where the cluster and other resources will be deployed."
}
variable "security_groups" {
description = "The security groups to attach to the EKS cluster instances"
type = "list"
}
variable "subnets" {
description = "A list of subnets to associate with the cluster's underlying instances."
type = "list"
}
variable "tags" {
description = "A map of tags to add to all resources"
default = {}
}
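Review bot: `security_groups` and `tags` are declared but nothing in `cluster.tf` or `worker_nodes.tf` references them, so callers who pass extra security groups (as the README Usage example does) or tags get no effect; either wire them into the launch configuration's `security_groups` and the resources' `tags`, or drop them from the interface. `tags` should also carry `type = "map"` so terraform-docs stops documenting it as a string, and the `cluster_name` description should mention that it becomes the `kubernetes.io/cluster/<name>` tag key on the node resources.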

1
version Normal file
View File

@@ -0,0 +1 @@
v0.1.0

162
worker_nodes.tf Normal file
View File

@@ -0,0 +1,162 @@
# EKS Worker Nodes Resources
# * IAM role allowing Kubernetes actions to access other AWS services
# * EC2 Security Group to allow networking traffic
# * Data source to fetch latest EKS worker AMI
# * AutoScaling Launch Configuration to configure worker instances
# * AutoScaling Group to launch worker instances
#
# TODO: create this policy as a data source
resource "aws_iam_role" "demo-node" {
name = "terraform-eks-demo-node"
assume_role_policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
POLICY
}
resource "aws_iam_role_policy_attachment" "demo-node-AmazonEKSWorkerNodePolicy" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
role = "${aws_iam_role.demo-node.name}"
}
resource "aws_iam_role_policy_attachment" "demo-node-AmazonEKS_CNI_Policy" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
role = "${aws_iam_role.demo-node.name}"
}
resource "aws_iam_role_policy_attachment" "demo-node-AmazonEC2ContainerRegistryReadOnly" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
role = "${aws_iam_role.demo-node.name}"
}
resource "aws_iam_instance_profile" "demo-node" {
name = "terraform-eks-demo"
role = "${aws_iam_role.demo-node.name}"
}
resource "aws_security_group" "demo-node" {
name = "terraform-eks-demo-node"
description = "Security group for all nodes in the cluster"
vpc_id = "${var.vpc_id}"
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
tags = "${
map(
"Name", "terraform-eks-demo-node",
"kubernetes.io/cluster/${var.cluster_name}", "owned",
)
}"
}
resource "aws_security_group_rule" "demo-node-ingress-self" {
description = "Allow node to communicate with each other"
from_port = 0
protocol = "-1"
security_group_id = "${aws_security_group.demo-node.id}"
source_security_group_id = "${aws_security_group.demo-node.id}"
to_port = 65535
type = "ingress"
}
resource "aws_security_group_rule" "demo-node-ingress-cluster" {
description = "Allow worker Kubelets and pods to receive communication from the cluster control plane"
from_port = 1025
protocol = "tcp"
security_group_id = "${aws_security_group.demo-node.id}"
source_security_group_id = "${aws_security_group.demo-cluster.id}"
to_port = 65535
type = "ingress"
}
data "aws_ami" "eks-worker" {
filter {
name = "name"
values = ["eks-worker-*"]
}
most_recent = true
owners = ["602401143452"] # Amazon
}
# EKS currently documents this required userdata for EKS worker nodes to
# properly configure Kubernetes applications on the EC2 instance.
# We utilize a Terraform local here to simplify Base64 encoding this
# information into the AutoScaling Launch Configuration.
# More information: https://amazon-eks.s3-us-west-2.amazonaws.com/1.10.3/2018-06-05/amazon-eks-nodegroup.yaml
locals {
demo-node-userdata = <<USERDATA
#!/bin/bash -xe
CA_CERTIFICATE_DIRECTORY=/etc/kubernetes/pki
CA_CERTIFICATE_FILE_PATH=$CA_CERTIFICATE_DIRECTORY/ca.crt
mkdir -p $CA_CERTIFICATE_DIRECTORY
echo "${aws_eks_cluster.demo.certificate_authority.0.data}" | base64 -d > $CA_CERTIFICATE_FILE_PATH
INTERNAL_IP=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
sed -i s,MASTER_ENDPOINT,${aws_eks_cluster.demo.endpoint},g /var/lib/kubelet/kubeconfig
sed -i s,CLUSTER_NAME,${var.cluster_name},g /var/lib/kubelet/kubeconfig
sed -i s,REGION,${data.aws_region.current.name},g /etc/systemd/system/kubelet.service
sed -i s,MAX_PODS,20,g /etc/systemd/system/kubelet.service
sed -i s,MASTER_ENDPOINT,${aws_eks_cluster.demo.endpoint},g /etc/systemd/system/kubelet.service
sed -i s,INTERNAL_IP,$INTERNAL_IP,g /etc/systemd/system/kubelet.service
DNS_CLUSTER_IP=10.100.0.10
if [[ $INTERNAL_IP == 10.* ]] ; then DNS_CLUSTER_IP=172.20.0.10; fi
sed -i s,DNS_CLUSTER_IP,$DNS_CLUSTER_IP,g /etc/systemd/system/kubelet.service
sed -i s,CERTIFICATE_AUTHORITY_FILE,$CA_CERTIFICATE_FILE_PATH,g /var/lib/kubelet/kubeconfig
sed -i s,CLIENT_CA_FILE,$CA_CERTIFICATE_FILE_PATH,g /etc/systemd/system/kubelet.service
systemctl daemon-reload
systemctl restart kubelet kube-proxy
USERDATA
}
resource "aws_launch_configuration" "demo" {
associate_public_ip_address = true
iam_instance_profile = "${aws_iam_instance_profile.demo-node.name}"
image_id = "${data.aws_ami.eks-worker.id}"
instance_type = "m4.large"
name_prefix = "terraform-eks-demo"
security_groups = ["${aws_security_group.demo-node.id}"]
user_data_base64 = "${base64encode(local.demo-node-userdata)}"
lifecycle {
create_before_destroy = true
}
}
resource "aws_autoscaling_group" "demo" {
desired_capacity = 2
launch_configuration = "${aws_launch_configuration.demo.id}"
max_size = 2
min_size = 1
name = "terraform-eks-demo"
vpc_zone_identifier = ["${var.subnets}"]
tag {
key = "Name"
value = "terraform-eks-demo"
propagate_at_launch = true
}
tag {
key = "kubernetes.io/cluster/${var.cluster_name}"
value = "owned"
propagate_at_launch = true
}
}
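Review bot: the IAM role (`terraform-eks-demo-node`), instance profile (`terraform-eks-demo`), security group, launch configuration `name_prefix` and ASG name are all fixed strings, so a second cluster from this module in the same account fails on the account-wide IAM names before it even reaches the per-VPC ones; derive them from `var.cluster_name` as the `kubernetes.io/cluster/...` tag already does. Two more things a user will hit: the `aws_ami` filter `eks-worker-*` with `most_recent = true` is not pinned to a Kubernetes version, so a newer AMI can be picked up on the next `apply` and roll the nodes (pin the name pattern through a variable); and `associate_public_ip_address = true`, `instance_type`, `desired_capacity`/`max_size`/`min_size` and `MAX_PODS=20` (correct only for `m4.large`) are hardcoded and should be variables. Worth stating in the README as well: the node role's policies, `AmazonEKS_CNI_Policy` included, are obtainable by any pod on the node through the same instance metadata endpoint the userdata queries for `INTERNAL_IP`, and nothing in this file restricts that.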