From 5a130e9a54ee18fc06789cc79246255c776ac6a2 Mon Sep 17 00:00:00 2001
From: oskar <oskar@paolini.pl>
Date: Sat, 22 Jun 2019 21:00:30 +0800
Subject: [PATCH] add AWS EKS basic terraform cluster

---
 tf/aws/README.md                  |   7 ++
 tf/aws/cm.yaml                    |  12 +++
 tf/aws/eks-cluster.tf             |  87 ++++++++++++++++++
 tf/aws/eks-worker-nodes.tf        | 145 ++++++++++++++++++++++++++++++
 tf/aws/outputs.tf                 |  59 ++++++++++++
 tf/aws/providers.tf               |  19 ++++
 tf/aws/variables.tf               |  21 +++++
 tf/aws/vpc.tf                     |  57 ++++++++++++
 tf/aws/workstation-external-ip.tf |  18 ++++
 9 files changed, 425 insertions(+)
 create mode 100644 tf/aws/README.md
 create mode 100644 tf/aws/cm.yaml
 create mode 100644 tf/aws/eks-cluster.tf
 create mode 100644 tf/aws/eks-worker-nodes.tf
 create mode 100644 tf/aws/outputs.tf
 create mode 100644 tf/aws/providers.tf
 create mode 100644 tf/aws/variables.tf
 create mode 100644 tf/aws/vpc.tf
 create mode 100644 tf/aws/workstation-external-ip.tf

diff --git a/tf/aws/README.md b/tf/aws/README.md
new file mode 100644
index 0000000..30ffab8
--- /dev/null
+++ b/tf/aws/README.md
@@ -0,0 +1,7 @@
+# EKS Getting Started Guide Configuration
+
+This is the full configuration from https://www.terraform.io/docs/providers/aws/guides/eks-getting-started.html
+
+See that guide for additional information.
+
+NOTE: This full configuration utilizes the [Terraform http provider](https://www.terraform.io/docs/providers/http/index.html) to call out to icanhazip.com to determine your local workstation external IP for easily configuring EC2 Security Group access to the Kubernetes master servers. Feel free to replace this as necessary.
diff --git a/tf/aws/cm.yaml b/tf/aws/cm.yaml
new file mode 100644
index 0000000..41e428a
--- /dev/null
+++ b/tf/aws/cm.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: aws-auth
+  namespace: kube-system
+data:
+  mapRoles: |
+    - rolearn: arn:aws:iam::703476792259:role/terraform-eks-demo-node
+      username: system:node:{{EC2PrivateDNSName}}
+      groups:
+        - system:bootstrappers
+        - system:nodes
diff --git a/tf/aws/eks-cluster.tf b/tf/aws/eks-cluster.tf
new file mode 100644
index 0000000..b9f9754
--- /dev/null
+++ b/tf/aws/eks-cluster.tf
@@ -0,0 +1,87 @@
+#
+# EKS Cluster Resources
+#  * IAM Role to allow EKS service to manage other AWS services
+#  * EC2 Security Group to allow networking traffic with EKS cluster
+#  * EKS Cluster
+#
+
+resource "aws_iam_role" "demo-cluster" {
+  name = "terraform-eks-demo-cluster"
+
+  assume_role_policy = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "eks.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+POLICY
+}
+
+resource "aws_iam_role_policy_attachment" "demo-cluster-AmazonEKSClusterPolicy" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
+  role       = "${aws_iam_role.demo-cluster.name}"
+}
+
+resource "aws_iam_role_policy_attachment" "demo-cluster-AmazonEKSServicePolicy" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSServicePolicy"
+  role       = "${aws_iam_role.demo-cluster.name}"
+}
+
+resource "aws_security_group" "demo-cluster" {
+  name        = "terraform-eks-demo-cluster"
+  description = "Cluster communication with worker nodes"
+  vpc_id      = "${aws_vpc.demo.id}"
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name = "terraform-eks-demo"
+  }
+}
+
+resource "aws_security_group_rule" "demo-cluster-ingress-node-https" {
+  description              = "Allow pods to communicate with the cluster API Server"
+  from_port                = 443
+  protocol                 = "tcp"
+  security_group_id        = "${aws_security_group.demo-cluster.id}"
+  source_security_group_id = "${aws_security_group.demo-node.id}"
+  to_port                  = 443
+  type                     = "ingress"
+}
+
+resource "aws_security_group_rule" "demo-cluster-ingress-workstation-https" {
+  cidr_blocks       = ["${local.workstation-external-cidr}"]
+  description       = "Allow workstation to communicate with the cluster API Server"
+  from_port         = 443
+  protocol          = "tcp"
+  security_group_id = "${aws_security_group.demo-cluster.id}"
+  to_port           = 443
+  type              = "ingress"
+}
+
+resource "aws_eks_cluster" "demo" {
+  name     = "${var.cluster-name}"
+  role_arn = "${aws_iam_role.demo-cluster.arn}"
+
+  vpc_config {
+    security_group_ids = ["${aws_security_group.demo-cluster.id}"]
+    subnet_ids         = "${aws_subnet.demo.*.id}"
+  }
+
+  depends_on = [
+    "aws_iam_role_policy_attachment.demo-cluster-AmazonEKSClusterPolicy",
+    "aws_iam_role_policy_attachment.demo-cluster-AmazonEKSServicePolicy",
+  ]
+}
diff --git a/tf/aws/eks-worker-nodes.tf b/tf/aws/eks-worker-nodes.tf
new file mode 100644
index 0000000..3935016
--- /dev/null
+++ b/tf/aws/eks-worker-nodes.tf
@@ -0,0 +1,145 @@
+#
+# EKS Worker Nodes Resources
+#  * IAM role allowing Kubernetes actions to access other AWS services
+#  * EC2 Security Group to allow networking traffic
+#  * Data source to fetch latest EKS worker AMI
+#  * AutoScaling Launch Configuration to configure worker instances
+#  * AutoScaling Group to launch worker instances
+#
+
+resource "aws_iam_role" "demo-node" {
+  name = "terraform-eks-demo-node"
+
+  assume_role_policy = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "ec2.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+POLICY
+}
+
+resource "aws_iam_role_policy_attachment" "demo-node-AmazonEKSWorkerNodePolicy" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
+  role       = "${aws_iam_role.demo-node.name}"
+}
+
+resource "aws_iam_role_policy_attachment" "demo-node-AmazonEKS_CNI_Policy" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
+  role       = "${aws_iam_role.demo-node.name}"
+}
+
+resource "aws_iam_role_policy_attachment" "demo-node-AmazonEC2ContainerRegistryReadOnly" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+  role       = "${aws_iam_role.demo-node.name}"
+}
+
+resource "aws_iam_instance_profile" "demo-node" {
+  name = "terraform-eks-demo"
+  role = "${aws_iam_role.demo-node.name}"
+}
+
+resource "aws_security_group" "demo-node" {
+  name        = "terraform-eks-demo-node"
+  description = "Security group for all nodes in the cluster"
+  vpc_id      = "${aws_vpc.demo.id}"
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = "${
+    map(
+     "Name", "terraform-eks-demo-node",
+     "kubernetes.io/cluster/${var.cluster-name}", "owned",
+    )
+  }"
+}
+
+resource "aws_security_group_rule" "demo-node-ingress-self" {
+  description              = "Allow node to communicate with each other"
+  from_port                = 0
+  protocol                 = "-1"
+  security_group_id        = "${aws_security_group.demo-node.id}"
+  source_security_group_id = "${aws_security_group.demo-node.id}"
+  to_port                  = 65535
+  type                     = "ingress"
+}
+
+resource "aws_security_group_rule" "demo-node-ingress-cluster" {
+  description              = "Allow worker Kubelets and pods to receive communication from the cluster control plane"
+  from_port                = 1025
+  protocol                 = "tcp"
+  security_group_id        = "${aws_security_group.demo-node.id}"
+  source_security_group_id = "${aws_security_group.demo-cluster.id}"
+  to_port                  = 65535
+  type                     = "ingress"
+}
+
+data "aws_ami" "eks-worker" {
+  filter {
+    name   = "name"
+    values = ["amazon-eks-node-${aws_eks_cluster.demo.version}-v*"]
+  }
+
+  most_recent = true
+  owners      = ["602401143452"] # Amazon EKS AMI Account ID
+}
+
+# EKS currently documents this required userdata for EKS worker nodes to
+# properly configure Kubernetes applications on the EC2 instance.
+# We utilize a Terraform local here to simplify Base64 encoding this
+# information into the AutoScaling Launch Configuration.
+# More information: https://docs.aws.amazon.com/eks/latest/userguide/launch-workers.html
+locals {
+  demo-node-userdata = <<USERDATA
+#!/bin/bash
+set -o xtrace
+/etc/eks/bootstrap.sh --apiserver-endpoint '${aws_eks_cluster.demo.endpoint}' --b64-cluster-ca '${aws_eks_cluster.demo.certificate_authority.0.data}' '${var.cluster-name}'
+USERDATA
+}
+
+resource "aws_launch_configuration" "demo" {
+  associate_public_ip_address = true
+  iam_instance_profile        = "${aws_iam_instance_profile.demo-node.name}"
+  image_id                    = "${data.aws_ami.eks-worker.id}"
+  instance_type               = "m4.large"
+  name_prefix                 = "terraform-eks-demo"
+  security_groups             = ["${aws_security_group.demo-node.id}"]
+  user_data_base64            = "${base64encode(local.demo-node-userdata)}"
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_autoscaling_group" "demo" {
+  desired_capacity     = 3
+  launch_configuration = "${aws_launch_configuration.demo.id}"
+  max_size             = 3
+  min_size             = 2
+  name                 = "terraform-eks-demo"
+  vpc_zone_identifier  = "${aws_subnet.demo.*.id}"
+
+  tag {
+    key                 = "Name"
+    value               = "terraform-eks-demo"
+    propagate_at_launch = true
+  }
+
+  tag {
+    key                 = "kubernetes.io/cluster/${var.cluster-name}"
+    value               = "owned"
+    propagate_at_launch = true
+  }
+}
diff --git a/tf/aws/outputs.tf b/tf/aws/outputs.tf
new file mode 100644
index 0000000..1492754
--- /dev/null
+++ b/tf/aws/outputs.tf
@@ -0,0 +1,59 @@
+#
+# Outputs
+#
+
+locals {
+  config_map_aws_auth = <<CONFIGMAPAWSAUTH
+
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: aws-auth
+  namespace: kube-system
+data:
+  mapRoles: |
+    - rolearn: ${aws_iam_role.demo-node.arn}
+      username: system:node:{{EC2PrivateDNSName}}
+      groups:
+        - system:bootstrappers
+        - system:nodes
+CONFIGMAPAWSAUTH
+
+  kubeconfig = <<KUBECONFIG
+
+
+apiVersion: v1
+clusters:
+- cluster:
+    server: ${aws_eks_cluster.demo.endpoint}
+    certificate-authority-data: ${aws_eks_cluster.demo.certificate_authority.0.data}
+  name: kubernetes
+contexts:
+- context:
+    cluster: kubernetes
+    user: aws
+  name: aws
+current-context: aws
+kind: Config
+preferences: {}
+users:
+- name: aws
+  user:
+    exec:
+      apiVersion: client.authentication.k8s.io/v1alpha1
+      command: aws-iam-authenticator
+      args:
+        - "token"
+        - "-i"
+        - "${var.cluster-name}"
+KUBECONFIG
+}
+
+output "config_map_aws_auth" {
+  value = "${local.config_map_aws_auth}"
+}
+
+output "kubeconfig" {
+  value = "${local.kubeconfig}"
+}
diff --git a/tf/aws/providers.tf b/tf/aws/providers.tf
new file mode 100644
index 0000000..f1538f7
--- /dev/null
+++ b/tf/aws/providers.tf
@@ -0,0 +1,19 @@
+#
+# Provider Configuration
+#
+
+provider "aws" {
+  region = "${var.cluster-region}"
+}
+
+# Using these data sources allows the configuration to be
+# generic for any region.
+data "aws_region" "current" {}
+
+data "aws_availability_zones" "available" {}
+
+# Not required: currently used in conjuction with using
+# icanhazip.com to determine local workstation external IP
+# to open EC2 Security Group access to the Kubernetes cluster.
+# See workstation-external-ip.tf for additional information.
+provider "http" {}
diff --git a/tf/aws/variables.tf b/tf/aws/variables.tf
new file mode 100644
index 0000000..acbbf7f
--- /dev/null
+++ b/tf/aws/variables.tf
@@ -0,0 +1,21 @@
+#
+# Variables Configuration
+#
+
+
+# f.e. "us-west-2" or "ap-southeast-1"
+variable "cluster-region" {
+  default = "ap-southeast-1"
+  type = "string"
+}
+
+variable "cluster-name" {
+  default = "terraform-eks-demo"
+  type    = "string"
+}
+
+
+variable "worker-node-instance" {
+  default = "m4.large"
+  type    = "string"
+}
diff --git a/tf/aws/vpc.tf b/tf/aws/vpc.tf
new file mode 100644
index 0000000..566e1ea
--- /dev/null
+++ b/tf/aws/vpc.tf
@@ -0,0 +1,57 @@
+#
+# VPC Resources
+#  * VPC
+#  * Subnets
+#  * Internet Gateway
+#  * Route Table
+#
+
+resource "aws_vpc" "demo" {
+  cidr_block = "10.0.0.0/16"
+
+  tags = "${
+    map(
+      "Name", "terraform-eks-demo-node",
+      "kubernetes.io/cluster/${var.cluster-name}", "shared",
+    )
+  }"
+}
+
+resource "aws_subnet" "demo" {
+  count = 2
+
+  availability_zone = "${data.aws_availability_zones.available.names[count.index]}"
+  cidr_block        = "10.0.${count.index}.0/24"
+  vpc_id            = "${aws_vpc.demo.id}"
+
+  tags = "${
+    map(
+      "Name", "terraform-eks-demo-node",
+      "kubernetes.io/cluster/${var.cluster-name}", "shared",
+    )
+  }"
+}
+
+resource "aws_internet_gateway" "demo" {
+  vpc_id = "${aws_vpc.demo.id}"
+
+  tags = {
+    Name = "terraform-eks-demo"
+  }
+}
+
+resource "aws_route_table" "demo" {
+  vpc_id = "${aws_vpc.demo.id}"
+
+  route {
+    cidr_block = "0.0.0.0/0"
+    gateway_id = "${aws_internet_gateway.demo.id}"
+  }
+}
+
+resource "aws_route_table_association" "demo" {
+  count = 2
+
+  subnet_id      = "${aws_subnet.demo.*.id[count.index]}"
+  route_table_id = "${aws_route_table.demo.id}"
+}
diff --git a/tf/aws/workstation-external-ip.tf b/tf/aws/workstation-external-ip.tf
new file mode 100644
index 0000000..adb757b
--- /dev/null
+++ b/tf/aws/workstation-external-ip.tf
@@ -0,0 +1,18 @@
+#
+# Workstation External IP
+#
+# This configuration is not required and is
+# only provided as an example to easily fetch
+# the external IP of your local workstation to
+# configure inbound EC2 Security Group access
+# to the Kubernetes cluster.
+#
+
+data "http" "workstation-external-ip" {
+  url = "http://ipv4.icanhazip.com"
+}
+
+# Override with variable or hardcoded value if necessary
+locals {
+  workstation-external-cidr = "${chomp(data.http.workstation-external-ip.body)}/32"
+}