feat: terraform aws infra as code setup

.dockerignore

@@ -5,4 +5,5 @@ sql/queries
 README.md
 docker-compose.yml
 app.sample.env
-Dockerfile
+Dockerfile
+helm

.vscode/settings.json

@@ -13,5 +13,13 @@
     "mockdb",
     "sqlc",
     "stretchr"
-  ]
+  ],
+  "[terraform]": {
+    "editor.formatOnSave": true,
+    "editor.defaultFormatter": "hashicorp.terraform",
+    "editor.tabSize": 2, // optionally
+  },
+  "[terraform-vars]": {
+    "editor.tabSize": 2 // optionally
+  },
 }

README.md

@@ -81,6 +81,8 @@ minikube stop && minikube delete
 
 # Deployment
 
-
-- Create IAM user
-- Create EKS Cluster using [eksctl](https://docs.aws.amazon.com/eks/latest/userguide/getting-started-eksctl.html)
+- Create IAM user with required permissions and create access key
+- Configure AWS CLI
+```bash
+aws configure
+```

infra/.gitignore

@@ -0,0 +1,34 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc

infra/aws-k8s/README.md

@@ -0,0 +1,7 @@
+## Infrastructure
+
+- [VPC](./vpc.tf)
+- [EKS](./eks.tf)
+- [EKS AWS Load Balancer Controller](./eks-albc.tf)
+- [ECR](./ecr.tf)
+- [RDS](./rds.tf)

infra/aws-k8s/common.tf

@@ -0,0 +1,23 @@
+data "aws_availability_zones" "available" {}
+
+data "aws_region" "current" {}
+
+
+locals {
+  name     = "simplebank"
+  vpc_cidr = "192.168.0.0/16"
+  azs      = slice(data.aws_availability_zones.available.names, 0, 3)
+
+  albc_version = "v2.7.2"
+  albc_sa_name = "aws-load-balancer-controller"
+
+  vpc_id = module.vpc.vpc_id
+
+  cluster_name             = module.eks.cluster_name
+  cluster_endpoint         = module.eks.cluster_endpoint
+  cluster_ca_certificate   = module.eks.cluster_certificate_authority_data
+  cluster_oidc_provder_arn = module.eks.oidc_provider_arn
+  cluster_oidc_provder_url = module.eks.oidc_provider
+}
+
+

infra/aws-k8s/ecr.tf

@@ -0,0 +1,10 @@
+resource "aws_ecr_repository" "this" {
+  name = local.name
+
+  image_tag_mutability = "IMMUTABLE"
+  force_delete         = true
+
+  tags = {
+    Name = "${local.name}/ECR"
+  }
+}

infra/aws-k8s/eks-albc.tf

@@ -0,0 +1,89 @@
+data "http" "lb_controll_iam_policy" {
+  url = "https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/${local.albc_version}/docs/install/iam_policy.json"
+
+  request_headers = {
+    Accept = "application/json"
+  }
+}
+
+resource "aws_iam_policy" "albc" {
+  name   = "${local.name}AWSLoadBalancerControllerIAMPolicy"
+  policy = data.http.lb_controll_iam_policy.response_body
+}
+
+
+data "aws_iam_policy_document" "eks_lb_trust" {
+  version = "2012-10-17"
+  statement {
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+    effect  = "Allow"
+
+    condition {
+      test     = "StringEquals"
+      variable = "${local.cluster_oidc_provder_url}:sub"
+      values   = ["system:serviceaccount:kube-system:aws-load-balancer-controller"]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "${local.cluster_oidc_provder_url}:aud"
+      values   = ["sts.amazonaws.com"]
+    }
+
+    principals {
+      identifiers = [local.cluster_oidc_provder_arn]
+      type        = "Federated"
+    }
+  }
+}
+
+resource "aws_iam_role" "eks_albc" {
+  name               = "${local.name}AmazonEKSLoadBalancerControllerRole"
+  assume_role_policy = data.aws_iam_policy_document.eks_lb_trust.json
+}
+
+resource "aws_iam_role_policy_attachment" "lbc_iam_policy" {
+  policy_arn = aws_iam_policy.albc.arn
+  role       = aws_iam_role.eks_albc.name
+}
+
+resource "kubernetes_service_account" "lbc_sa" {
+  metadata {
+    name      = local.albc_sa_name
+    namespace = "kube-system"
+    annotations = {
+      "eks.amazonaws.com/role-arn" = aws_iam_role.eks_albc.arn
+    }
+    labels = {
+      "app.kubernetes.io/component" = "controller"
+      "app.kubernetes.io/name"      = local.albc_sa_name
+    }
+  }
+}
+
+resource "helm_release" "albc" {
+  name       = "aws-load-balancer-controller"
+  repository = "https://aws.github.io/eks-charts"
+  chart      = "aws-load-balancer-controller"
+
+  namespace = "kube-system"
+
+  dynamic "set" {
+    for_each = {
+      "clusterName"           = local.name
+      "serviceAccount.create" = false
+      "serviceAccount.name"   = local.albc_sa_name
+      "region"                = data.aws_region.current.name
+      "vpcId"                 = local.vpc_id
+    }
+    content {
+      name  = set.key
+      value = set.value
+    }
+  }
+
+  depends_on = [
+    kubernetes_service_account.lbc_sa,
+    aws_iam_role_policy_attachment.lbc_iam_policy
+  ]
+}