From 26e931050ec8292a10bc03bfac7b941ef22a6b70 Mon Sep 17 00:00:00 2001 From: Henrry Pulgarin <39854568+Henrrypg@users.noreply.github.com> Date: Tue, 3 Dec 2024 10:43:04 -0500 Subject: [PATCH] feat: add complete example of infrastructure with aws (#87) --- infra-examples/aws/eks/eks.tf | 162 ++++++++++++++++ infra-examples/aws/eks/outputs.tf | 100 ++++++++++ infra-examples/aws/eks/provider.tf | 4 + infra-examples/aws/eks/readme.md | 94 ++++++++++ .../templates/post_bootstrap_user_data.tpl | 2 + .../aws/eks/values.auto.tfvars.json | 39 ++++ infra-examples/aws/eks/variables.tf | 175 ++++++++++++++++++ infra-examples/aws/eks/versions_override.tf | 9 + infra-examples/aws/eks/vpc.tf | 15 ++ 9 files changed, 600 insertions(+) create mode 100644 infra-examples/aws/eks/eks.tf create mode 100644 infra-examples/aws/eks/outputs.tf create mode 100644 infra-examples/aws/eks/provider.tf create mode 100644 infra-examples/aws/eks/readme.md create mode 100644 infra-examples/aws/eks/templates/post_bootstrap_user_data.tpl create mode 100644 infra-examples/aws/eks/values.auto.tfvars.json create mode 100644 infra-examples/aws/eks/variables.tf create mode 100644 infra-examples/aws/eks/versions_override.tf create mode 100644 infra-examples/aws/eks/vpc.tf diff --git a/infra-examples/aws/eks/eks.tf b/infra-examples/aws/eks/eks.tf new file mode 100644 index 0000000..6bbb54a --- /dev/null +++ b/infra-examples/aws/eks/eks.tf @@ -0,0 +1,162 @@ +locals { + cluster_autoscaler_tags = var.enable_cluster_autoscaler ? { + "k8s.io/cluster-autoscaler/${var.cluster_name}" = "owned" + "k8s.io/cluster-autoscaler/enabled" = "true" + } : {} + post_bootstrap_user_data = var.post_bootstrap_user_data != null ? var.post_bootstrap_user_data : templatefile( + "${path.module}/templates/post_bootstrap_user_data.tpl", + { + registry_credentials = var.registry_credentials + } + ) + # Define the default IAM role additional policies for all the node groups + # every element must define: + # - A key for the policy. It can be any string + # - A value which is the ARN of the policy to add + # - An enable key which determines if the policy is added or not + node_group_defaults_iam_role_additional_policies = [ + ] +} + +data "aws_ami" "latest_ubuntu_eks" { + most_recent = true + owners = ["099720109477"] # Canonical + + filter { + name = "name" + values = ["ubuntu-eks/k8s_${var.cluster_version}/images/hvm-ssd/ubuntu-${var.ubuntu_version}-amd64-server-*"] + } +} + +module "eks" { + source = "terraform-aws-modules/eks/aws" + version = "~> 20.24" + cluster_name = var.cluster_name + cluster_version = var.cluster_version + cluster_endpoint_public_access = true + vpc_id = module.vpc.vpc_id + subnet_ids = module.vpc.private_subnets + enable_irsa = true + cluster_tags = var.cluster_tags + tags = var.tags + + create_cloudwatch_log_group = false + cluster_enabled_log_types = [] + + cluster_addons = { + coredns = { + name = "coredns" + } + kube-proxy = { + name = "kube-proxy" + } + vpc-cni = { + name = "vpc-cni" + } + aws-ebs-csi-driver = { + name = "aws-ebs-csi-driver" + service_account_role_arn = module.ebs_csi_irsa_role.iam_role_arn + } + } + + # The security group rules below should not conflict with the recommended rules defined + # here: https://github.com/terraform-aws-modules/terraform-aws-eks/blob/v19.21.0/node_groups.tf#L128 + node_security_group_additional_rules = { + ssh_access = { + description = "Grant access ssh access to the nodes" + protocol = "tcp" + from_port = 22 + to_port = 22 + type = "ingress" + cidr_blocks = concat([module.vpc.vpc_cidr_block], var.extra_ssh_cidrs) + } + } + + # Disable secrets encryption + cluster_encryption_config = {} + + iam_role_use_name_prefix = var.iam_role_use_name_prefix + iam_role_name = var.iam_role_name + + # for security group + cluster_security_group_description = var.cluster_security_group_description + cluster_security_group_use_name_prefix = var.cluster_security_group_use_name_prefix + cluster_security_group_name = var.cluster_security_group_name + + eks_managed_node_group_defaults = { + iam_role_additional_policies = { for s in local.node_group_defaults_iam_role_additional_policies : s.key => s.value if s.enable } + } + + eks_managed_node_groups = { + ubuntu_worker = { + + ami_id = var.ami_id != "" ? var.ami_id : data.aws_ami.latest_ubuntu_eks.id + key_name = var.key_name + name = var.node_group_name + subnet_ids = coalesce(var.node_group_subnets, module.vpc.private_subnets) + + # This will ensure the boostrap user data is used to join the node + # By default, EKS managed node groups will not append bootstrap script; + # this adds it back in using the default template provided by the module + # Note: this assumes the AMI provided is an EKS optimized AMI derivative + enable_bootstrap_user_data = true + + instance_types = var.instance_types + max_size = var.max_size + min_size = var.min_size + desired_size = var.desired_size + capacity_type = var.capacity_type + + create_security_group = false + + post_bootstrap_user_data = local.post_bootstrap_user_data + + block_device_mappings = { + sda1 = { + device_name = "/dev/sda1" + ebs = { + volume_size = var.disk_size + } + } + } + + tags = merge(var.node_groups_tags, local.cluster_autoscaler_tags) + } + } +} + +module "ebs_csi_irsa_role" { + source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" + version = "~> 5.47" + + role_name = "ebs-csi-controller-${var.cluster_name}" + attach_ebs_csi_policy = true + tags = var.tags + + oidc_providers = { + main = { + provider_arn = module.eks.oidc_provider_arn + namespace_service_accounts = ["kube-system:ebs-csi-controller-sa"] + } + } +} + +# Role required by cluster_autoscaler +module "cluster_autoscaler_irsa_role" { + source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" + version = "~> 5.47" + + count = var.enable_cluster_autoscaler ? 1 : 0 + + role_name = "cluster-autoscaler-${var.cluster_name}" + attach_cluster_autoscaler_policy = true + cluster_autoscaler_cluster_ids = [module.eks.cluster_name] + tags = var.tags + + oidc_providers = { + ex = { + provider_arn = module.eks.oidc_provider_arn + namespace_service_accounts = ["kube-system:cluster-autoscaler"] + } + } +} diff --git a/infra-examples/aws/eks/outputs.tf b/infra-examples/aws/eks/outputs.tf new file mode 100644 index 0000000..04dda89 --- /dev/null +++ b/infra-examples/aws/eks/outputs.tf @@ -0,0 +1,100 @@ +output "vpc_id" { + description = "The ID of the VPC" + value = module.vpc.vpc_id +} + +output "vpc_arn" { + description = "The ARN of the VPC" + value = module.vpc.vpc_arn +} + +output "vpc_cidr_block" { + description = "The CIDR block of the VPC" + value = module.vpc.vpc_cidr_block +} + +output "default_security_group_id" { + description = "The ID of the security group created by default on VPC creation" + value = module.vpc.default_security_group_id +} + +output "vpc_ipv6_association_id" { + description = "The association ID for the IPv6 CIDR block" + value = module.vpc.vpc_ipv6_association_id +} + +output "vpc_ipv6_cidr_block" { + description = "The IPv6 CIDR block" + value = module.vpc.vpc_ipv6_cidr_block +} + +output "vpc_secondary_cidr_blocks" { + description = "List of secondary CIDR blocks of the VPC" + value = module.vpc.vpc_secondary_cidr_blocks +} + +output "vpc_owner_id" { + description = "The ID of the AWS account that owns the VPC" + value = module.vpc.vpc_owner_id +} + +output "private_subnets" { + description = "List of IDs of private subnets" + value = module.vpc.private_subnets +} + +output "private_subnet_arns" { + description = "List of ARNs of private subnets" + value = module.vpc.private_subnet_arns +} + +output "private_subnets_cidr_blocks" { + description = "List of cidr_blocks of private subnets" + value = module.vpc.private_subnets_cidr_blocks +} + +output "private_subnets_ipv6_cidr_blocks" { + description = "List of IPv6 cidr_blocks of private subnets in an IPv6 enabled VPC" + value = module.vpc.private_subnets_ipv6_cidr_blocks +} + +output "public_subnets" { + description = "List of IDs of public subnets" + value = module.vpc.public_subnets +} + +output "public_subnet_arns" { + description = "List of ARNs of public subnets" + value = module.vpc.public_subnet_arns +} + +output "public_subnets_cidr_blocks" { + description = "List of cidr_blocks of public subnets" + value = module.vpc.public_subnets_cidr_blocks +} + +output "public_subnets_ipv6_cidr_blocks" { + description = "List of IPv6 cidr_blocks of public subnets in an IPv6 enabled VPC" + value = module.vpc.public_subnets_ipv6_cidr_blocks +} + +# Static values (arguments) +output "azs" { + description = "A list of availability zones specified as argument to this module" + value = var.azs +} + +output "cluster_name" { + description = "The name of the EKS cluster" + value = module.eks.cluster_name +} + +output "cluster_endpoint" { + description = "Endpoint for your Kubernetes API server" + value = module.eks.cluster_endpoint +} + +output "cluster_version" { + description = "The Kubernetes version for the cluster" + value = module.eks.cluster_version +} diff --git a/infra-examples/aws/eks/provider.tf b/infra-examples/aws/eks/provider.tf new file mode 100644 index 0000000..8db34d4 --- /dev/null +++ b/infra-examples/aws/eks/provider.tf @@ -0,0 +1,4 @@ +provider "aws" { + region = var.aws_region + +} diff --git a/infra-examples/aws/eks/readme.md b/infra-examples/aws/eks/readme.md new file mode 100644 index 0000000..4512986 --- /dev/null +++ b/infra-examples/aws/eks/readme.md @@ -0,0 +1,94 @@ +# Terraform AWS VPC and EKS Cluster Deployment + +This guide provides a step-by-step process to deploy a Virtual Private Cloud (VPC) and an Elastic Kubernetes Service (EKS) cluster in AWS using Terraform. + +## Prerequisites + +Ensure the following tools and configurations are set up before proceeding: + +- **Terraform** installed (version 1.5.6+). +- **AWS CLI** installed and configured with the appropriate credentials and region. +- **SSH Key Pair** created in AWS (you’ll need the key pair name for `key_name`). +- Proper IAM permissions to create VPC, EC2, and EKS resources. + +## Steps for Deployment + +### 1. Clone the Repository + +```bash +git clone +cd +``` + +### 2. Initialize Terraform + +Run the following command to initialize Terraform and download the required providers and modules: + +``` bash +terraform init +``` + +### 3. Customize Variables + +Edit the `variables.tf` file or edit the `values.auto.tfvars.json` file to override default values as needed. Below is a table describing the available variables: + +| Variable | Description | Type | Default | +|------------------------------------ |---------------------------------------------------------------------------------|---------------|-------------------| +| `aws_region` | The AWS Region in which to deploy the resources | `string` | | +| `private_subnets` | List of private subnets | `list(string)`| `[]` | +| `public_subnets` | List of public subnets | `list(string)`| `[]` | +| `cidr` | CIDR block for the VPC | `string` | `10.0.0.0/16` | +| `azs` | List of availability zones to use | `list(string)`| `[]` | +| `vpc_name` | The VPC name | `string` | | +| `enable_nat_gateway` | Enable NAT Gateway | `bool` | `true` | +| `single_nat_gateway` | Use a single NAT Gateway | `bool` | `false` | +| `one_nat_gateway_per_az` | Deploy one NAT gateway per availability zone | `bool` | `true` | +| `instance_types` | EC2 Instance types for the Kubernetes nodes | `list(string)`| | +| `cluster_version` | Kubernetes version for the EKS cluster | `string` | `1.29` | +| `cluster_name` | Name of the EKS cluster | `string` | | +| `desired_size` | Desired number of nodes in the EKS cluster | `number` | `2` | +| `disk_size` | Disk size for the nodes (in GB) | `number` | `40` | +| `key_name` | Name of the SSH Key Pair | `string` | | +| `max_size` | Maximum number of nodes in the EKS cluster | `number` | `3` | +| `min_size` | Minimum number of nodes in the EKS cluster | `number` | `1` | +| `extra_ssh_cidrs` | List of additional IP blocks allowed SSH access | `list(string)`| `[]` | +| `registry_credentials` | Image registry credentials for the nodes | `string` | | +| `node_groups_tags` | A map of tags to add to all node group resources | `map(string)` | `{}` | +| `enable_cluster_autoscaler` | Enable cluster autoscaler for the EKS cluster | `bool` | `false` | +| `ubuntu_version` | Ubuntu version for the nodes (default: `jammy-22.04`) | `string` | `jammy-22.04` | +| `ami_id` | AMI ID for EKS nodes (optional) | `string` | `""` | +| `iam_role_use_name_prefix` | Use a name prefix for the IAM role associated with the cluster | `bool` | `true` | +| `iam_role_name` | IAM Role name for the cluster | `string` | `null` | +| `cluster_security_group_use_name_prefix`| Use a name prefix for the cluster security group | `bool` | `true` | +| `cluster_security_group_name` | Security group name for the cluster | `string` | `null` | +| `cluster_security_group_description`| Description of the cluster security group | `string` | `EKS cluster security group` | +| `node_group_subnets` | Subnets for node groups (typically private) | `list(string)`| `null` | +| `cluster_tags` | A map of tags to add to the cluster | `map(string)` | `{}` | +| `tags` | A map of tags to add to all resources | `map(string)` | `{}` | +| `node_group_name` | Name of the node group | `string` | `ubuntu_worker` | +| `capacity_type` | Type of capacity for EKS Node Group (options: `ON_DEMAND`, `SPOT`) | `string` | `ON_DEMAND` | +| `post_bootstrap_user_data` | Add post-bootstrap user data (optional) | `string` | `null` | + +### 4. Apply the Terraform Configuration + +Run the following command to deploy the infrastructure: + +```bash + terraform apply +``` + +### 5. Access the EKS Cluster + +Once the deployment is complete, you can configure your kubectl to access the EKS cluster: + +```bash + aws eks --region update-kubeconfig --name +``` + +### 6. Clean Up + +To destroy the infrastructure when you no longer need it, run: + +```bash + terraform destroy +``` diff --git a/infra-examples/aws/eks/templates/post_bootstrap_user_data.tpl b/infra-examples/aws/eks/templates/post_bootstrap_user_data.tpl new file mode 100644 index 0000000..b62a108 --- /dev/null +++ b/infra-examples/aws/eks/templates/post_bootstrap_user_data.tpl @@ -0,0 +1,2 @@ +# Add Docker Registry credentials +echo '${registry_credentials}' > /var/lib/kubelet/config.json diff --git a/infra-examples/aws/eks/values.auto.tfvars.json b/infra-examples/aws/eks/values.auto.tfvars.json new file mode 100644 index 0000000..e4782d7 --- /dev/null +++ b/infra-examples/aws/eks/values.auto.tfvars.json @@ -0,0 +1,39 @@ +{ + "aws_region": "us-east-1", + "private_subnets": ["10.10.0.0/21", "10.10.8.0/21"], + "public_subnets": ["10.10.104.0/21", "10.10.120.0/21"], + "cidr": "10.10.0.0/16", + "azs": ["us-east-1a", "us-east-1b"], + "vpc_name": "your-vpc-name-here", + "enable_nat_gateway": true, + "single_nat_gateway": false, + "one_nat_gateway_per_az": true, + "instance_types": ["m6i.large"], + "cluster_name": "your-eks-cluster-name-here", + "cluster_version": "1.29", + "desired_size": 2, + "max_size": 3, + "min_size": 1, + "disk_size": 50, + "extra_ssh_cidrs": [], + "node_groups_tags": {}, + "enable_cluster_autoscaler": true, + "control_plane_subnet_ids": [], + "ubuntu_version": "jammy-22.04", + "ami_id": "", + "iam_role_use_name_prefix": true, + "iam_role_name": null, + "cluster_security_group_use_name_prefix": true, + "cluster_security_group_name": null, + "cluster_security_group_description": "EKS cluster security group", + "node_group_subnets": null, + "cluster_tags": {}, + "key_name": "atlas-stage-key", + "node_group_name": "ubuntu_worker", + "capacity_type": "ON_DEMAND", + "post_bootstrap_user_data": null, + "registry_credentials": "{\"auths\":{\"https://index.docker.io/v1/\":{\"auth\":\"your-docker-hub-token-here\"}}}", + "tags": { + "Name": "your-vpc-name-here" + } +} diff --git a/infra-examples/aws/eks/variables.tf b/infra-examples/aws/eks/variables.tf new file mode 100644 index 0000000..ff5c45d --- /dev/null +++ b/infra-examples/aws/eks/variables.tf @@ -0,0 +1,175 @@ +variable "aws_region" { + description = "The AWS Region in which to deploy the resources" + type = string +} + +variable "private_subnets" { + description = "List of private subnets" + type = list(string) + default = [] +} +variable "public_subnets" { + description = "List of public subnets" + type = list(string) + default = [] +} +variable "cidr" { + description = "CIDR block for the VPC" + type = string + default = "10.0.0.0/16" +} +variable "azs" { + description = "List of availability zones to use" + type = list(string) + default = [] +} +variable "vpc_name" { + description = "The VPC name" + type = string +} + +variable "enable_nat_gateway" { + description = "Enable NAT Gateway" + type = bool + default = true +} + +variable "single_nat_gateway" { + description = "Single NAT Gateway" + type = bool + default = false +} + +variable "one_nat_gateway_per_az" { + description = "One NAT gateway per AZ" + type = bool + default = true +} + +variable "instance_types" { + type = list(string) + description = "EC2 Instance type for the nodes" +} +variable "cluster_version" { + default = "1.29" + type = string + description = "Kubernetes version" +} +variable "cluster_name" { + type = string + description = "Name of the cluster" +} +variable "desired_size" { + default = 2 + type = number + description = "Desired node count" +} +variable "disk_size" { + default = 40 + type = number + description = "Node disk size" +} +variable "key_name" { + type = string + description = "Name of the SSH Key Pair" +} +variable "max_size" { + default = 3 + type = number + description = "Maximum node count" +} +variable "min_size" { + default = 1 + type = number + description = "Minimum node count" +} +variable "extra_ssh_cidrs" { + default = [] + type = list(string) + description = "List of additional IP blocks with ssh access" +} +variable "registry_credentials" { + type = string + description = "Image registry credentials to be added to the node" +} +variable "node_groups_tags" { + description = "A map of tags to add to all node group resources" + type = map(string) + default = {} +} +variable "enable_cluster_autoscaler" { + description = "Determines whether to prepare the cluster to use cluster autoscaler" + type = bool + default = false +} + +variable "ubuntu_version" { + description = "Ubuntu version to use (e.g. focal-20.04) when no ami_id is provided" + type = string + default = "jammy-22.04" + validation { # Validates wheter the value is in format str-num.num + condition = can(regex("^([a-z]+)-([0-9]+\\.[0-9]+)$", var.ubuntu_version)) + error_message = "The value must be in format str-num.num (e.g. focal-20.04)." + } +} +variable "ami_id" { + description = "EKS nodes AMI ID" + type = string + default = "" +} +# Variables for migration from 17.x.x to 18.x.x - Cluster +variable "iam_role_use_name_prefix" { + description = "Determinate if it is necessary to create an iam role prefix for the cluster" + type = bool + default = true +} +variable "iam_role_name" { + description = "Cluster IAM role name" + type = string + default = null +} +variable "cluster_security_group_use_name_prefix" { + description = "Determinate if it is necessary to create an security group prefix for the cluster" + type = bool + default = true +} +variable "cluster_security_group_name" { + description = "Cluster security group name" + type = string + default = null +} +variable "cluster_security_group_description" { + description = "Cluster security group description" + type = string + default = "EKS cluster security group" +} +variable "node_group_subnets" { + description = "List of subnets where nodes groups are deployed. Normally these are private and the same as EKS" + type = list(string) + default = null +} +variable "cluster_tags" { + description = "A map of tags to add to the cluster" + type = map(string) + default = {} +} +variable "tags" { + description = "A map of tags to add to all resources" + type = map(string) + default = {} +} +variable "node_group_name" { + description = "Name of the node group" + type = string + default = "ubuntu_worker" +} +variable "capacity_type" { + description = "Type of capacity associated with the EKS Node Group. Valid values: `ON_DEMAND`, `SPOT`" + type = string + default = "ON_DEMAND" +} +variable "post_bootstrap_user_data" { + type = string + default = null + description = "Allow to add post bootstrap user data" +} diff --git a/infra-examples/aws/eks/versions_override.tf b/infra-examples/aws/eks/versions_override.tf new file mode 100644 index 0000000..bff6a89 --- /dev/null +++ b/infra-examples/aws/eks/versions_override.tf @@ -0,0 +1,9 @@ +terraform { + required_version = "~> 1.9" + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.67" + } + } +} diff --git a/infra-examples/aws/eks/vpc.tf b/infra-examples/aws/eks/vpc.tf new file mode 100644 index 0000000..9df1d11 --- /dev/null +++ b/infra-examples/aws/eks/vpc.tf @@ -0,0 +1,15 @@ +module "vpc" { + source = "terraform-aws-modules/vpc/aws" + version = "~> 5.13" + name = var.vpc_name + cidr = var.cidr + azs = var.azs + private_subnets = var.private_subnets + public_subnets = var.public_subnets + + enable_nat_gateway = var.enable_nat_gateway + single_nat_gateway = var.single_nat_gateway + one_nat_gateway_per_az = var.one_nat_gateway_per_az + + tags = var.tags +}