-
Notifications
You must be signed in to change notification settings - Fork 0
/
Eks.tf
124 lines (102 loc) · 3.62 KB
/
Eks.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
/**
*This is the EKS cluster to hold node resources
*Ensures that IAM Role permissions are created before and deleted after EKS Cluster handling.
*Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
*/
resource "aws_eks_cluster" "main" {
name = "${var.env-prefix}-Plan-A-cluster"
role_arn = aws_iam_role.eks_cluster.arn
vpc_config {
security_group_ids = [aws_security_group.eks_cluster.id, aws_security_group.eks_nodes.id]
endpoint_private_access = var.endpoint_private_access
endpoint_public_access = var.endpoint_public_access
subnet_ids = [element(aws_subnet.private_subnet, 0).id,element(aws_subnet.public_subnet, 1).id, element(aws_subnet.private_subnet, 1).id, element(aws_subnet.public_subnet, 0).id]
}
depends_on = [
aws_iam_role_policy_attachment.aws_eks_cluster_policy
]
}
/*
*This is the IAM ROLE for eks cluster to enable the cluster carry out functions untop of aws api.
*/
resource "aws_iam_role" "eks_cluster" {
name = "${var.env-prefix}-Plan-A-cluster"
assume_role_policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "eks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
POLICY
}
/*
*This attaches the policy to the IAM ROLE created above
*/
resource "aws_iam_role_policy_attachment" "aws_eks_cluster_policy" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
role = "${aws_iam_role.eks_cluster.name}"
}
/*
*The node group to exist inside of our cluster, containing the minimum and maximum desired configuration to be
*deployed inside the node group.
* Ensures that IAM Role permissions are created before and deleted after EKS Node Group handling.
* Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
*/
resource "aws_eks_node_group" "main" {
cluster_name = aws_eks_cluster.main.name
node_group_name = var.node_group_name
node_role_arn = aws_iam_role.eks_nodes.arn
subnet_ids = [element(aws_subnet.private_subnet, 0).id, element(aws_subnet.private_subnet, 1).id]
ami_type = var.ami_type
disk_size = var.disk_size
instance_types = var.instance_types
scaling_config {
desired_size = var.pvt_desired_size
max_size = var.pvt_max_size
min_size = var.pvt_min_size
}
tags = {
Name = var.node_group_name
}
depends_on = [
aws_iam_role_policy_attachment.aws_eks_worker_node_policy,
aws_iam_role_policy_attachment.aws_eks_cni_policy,
aws_iam_role_policy_attachment.ec2_read_only,
]
}
/**
*IAM role for EKS nodes
*/
resource "aws_iam_role" "eks_nodes" {
name = "${var.env-prefix}-worker"
assume_role_policy = data.aws_iam_policy_document.assume_workers.json
}
data "aws_iam_policy_document" "assume_workers" {
statement {
effect = "Allow"
actions = ["sts:AssumeRole"]
principals {
type = "Service"
identifiers = ["ec2.amazonaws.com"]
}
}
}
resource "aws_iam_role_policy_attachment" "aws_eks_worker_node_policy" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
role = aws_iam_role.eks_nodes.name
}
resource "aws_iam_role_policy_attachment" "aws_eks_cni_policy" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
role = aws_iam_role.eks_nodes.name
}
resource "aws_iam_role_policy_attachment" "ec2_read_only" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
role = aws_iam_role.eks_nodes.name
}