Merge pull request #4 from lexxnsk/task_3

Task 3

.github/workflows/terraform-deployment.yml

@@ -7,7 +7,7 @@ on:
   push:
     branches:
       - task_xxx # Replace with your branch name to test GitHub Actions without pushing to the dev branch
-      - task_2
+      - task_3
       - dev
 
 env:

PR_descriptions/task_3.md

@@ -0,0 +1,38 @@
+# Task 3 - Pull Request description
+1. Task: [CLICK ME](https://github.com/rolling-scopes-school/tasks/blob/master/devops/modules/2_cluster-configuration/task_3.md)
+2. Screenshots (if needed): Check ./screenshots/ folder
+3. Code: [CLICK ME](https://github.com/lexxnsk/rsschool-devops-course-tasks/tree/task_3)
+4. Done 2024-10-20 17:00 / deadline 2024-10-21 02:59
+5. Score: 100 / 100
+###### Evaluation Criteria (100 points for covering all criteria)
+
+1. **Terraform Code for AWS Resources (10 points)**
+
+   - [+] Terraform code is created or extended to manage AWS resources required for the cluster creation.
+   - [+] The code includes the creation of a bastion host.
+
+2. **Cluster Deployment (60 points)**
+
+   - [+] A K8s cluster is deployed using either kOps or k3s.
+   - [+] The deployment method is chosen based on the user's preference and understanding of the trade-offs.
+
+3. **Cluster Verification (10 points)**
+
+   - [+] The cluster is verified by running the `kubectl get nodes` command from the local computer.
+   - [+] A screenshot of the `kubectl get nodes` command output is provided.
+```
+ec2-user@ip-10-0-2-20:~> sudo /usr/local/bin/k3s kubectl get nodes
+NAME           STATUS   ROLES                  AGE   VERSION
+ip-10-0-2-20   Ready    control-plane,master   11m   v1.30.5+k3s1
+ip-10-0-3-57   Ready    <none>                 10m   v1.30.5+k3s1
+ec2-user@ip-10-0-2-20:~> sudo /usr/local/bin/k3s kubectl get pods
+NAME    READY   STATUS    RESTARTS   AGE
+nginx   1/1     Running   0          8m12s
+```
+4. **Workload Deployment (10 points)**
+
+   - [+] A simple workload is deployed on the cluster using `kubectl apply -f https://k8s.io/examples/pods/simple-pod.yaml`.
+   - [+] The workload runs successfully on the cluster.
+
+5. **Additional Tasks (10 points)**
+   - [+] Document the cluster setup and deployment process in a README file.

README.md

@@ -104,4 +104,15 @@ The AWS Account ID variable ```aws_account_id``` should be in lowercase. This is
 
 ## How to Use it automatically:
 1. **GitHub Actions:**  
-   Before committing, check the ```.github/workflows/terraform-deployment.yml``` file and update the branch name to trigger the GitHub workflow automatically.​⬤
+   Before committing, check the ```.github/workflows/terraform-deployment.yml``` file and update the branch name to trigger the GitHub workflow automatically.​⬤
+
+
+---
+## Task 3 clarifications:
+**K3S installation consists of 2 nodes:**  
+You can check its status by:  
+```sudo /usr/local/bin/k3s kubectl get node```
+```sudo /usr/local/bin/k3s kubectl get pods```
+
+App deployment is done by executing:  
+```sudo /usr/local/bin/k3s kubectl apply -f https://k8s.io/examples/pods/simple-pod.yaml```

ec2.tf

@@ -4,34 +4,121 @@
 
 # # # # # # # # # # # Task_2 code start # # # # # # # # # #
 
+# # Create a Bastion Host instance for secure access to private subnets
+# resource "aws_instance" "bastion_host" {
+#   ami           = var.ec2_ami_k3s
+#   instance_type = "t2.micro"
+#   subnet_id     = aws_subnet.public[0].id
+#   vpc_security_group_ids = [
+#     aws_security_group.allow_ssh.id,
+#     aws_security_group.allow_icmp.id
+#   ]
+#   key_name = aws_key_pair.my_key.key_name
+#   tags = {
+#     Name = "Bastion Host"
+#   }
+# }
+
+# # Create a Dummy Host instance in Private nerwork to test connection from Bastion host
+# resource "aws_instance" "dummy_host" {
+#   ami           = var.ec2_ami_k3s
+#   instance_type = "t2.micro"
+#   subnet_id     = aws_subnet.private[0].id
+#   vpc_security_group_ids = [
+#     aws_security_group.allow_ssh.id,
+#     aws_security_group.allow_icmp.id
+#   ]
+#   key_name = aws_key_pair.my_key.key_name
+#   tags = {
+#     Name = "Dummy Host"
+#   }
+# }
+
+# # # # # # # # # # # Task_2 code end # # # # # # # # # #
+
+
+
+# # # # # # # # # # # Task_3 code start # # # # # # # # # #
+
 # Create a Bastion Host instance for secure access to private subnets
 resource "aws_instance" "bastion_host" {
-  ami           = var.ec2_ami_amazon_linux
-  instance_type = "t2.micro"
+  ami           = var.ec2_ami_k3s
+  instance_type = var.ec2_instance_k3s
   subnet_id     = aws_subnet.public[0].id
   vpc_security_group_ids = [
     aws_security_group.allow_ssh.id,
-    aws_security_group.allow_icmp.id
+    aws_security_group.allow_icmp.id,
+    aws_security_group.allow_k3s.id
   ]
   key_name = aws_key_pair.my_key.key_name
   tags = {
-    Name = "Bastion Host"
+    Name = "Bastion Node"
   }
 }
 
-# Create a Dummy Host instance in Private nerwork to test connection from Bastion host
-resource "aws_instance" "dummy_host" {
-  ami           = var.ec2_ami_amazon_linux
-  instance_type = "t2.micro"
+# Create a K3S Control Node ec2 instance in Private nerwork
+resource "aws_instance" "control_node" {
+  ami           = var.ec2_ami_k3s
+  instance_type = var.ec2_instance_k3s
   subnet_id     = aws_subnet.private[0].id
   vpc_security_group_ids = [
     aws_security_group.allow_ssh.id,
-    aws_security_group.allow_icmp.id
+    aws_security_group.allow_icmp.id,
+    aws_security_group.allow_k3s.id,
+    aws_security_group.allow_http.id,
+    aws_security_group.allow_https.id
   ]
   key_name = aws_key_pair.my_key.key_name
   tags = {
-    Name = "Dummy Host"
+    Name = "K3S Control node"
   }
+  # This installs k3s on the control node
+  user_data = <<-EOF
+    #!/bin/bash
+    curl -sfL https://get.k3s.io | sh -
+  EOF
 }
 
-# # # # # # # # # # # Task_2 code end # # # # # # # # # #
+# Create a K3S Agent Node ec2 instance in Private nerwork
+resource "aws_instance" "agent_node" {
+  ami           = var.ec2_ami_k3s
+  instance_type = var.ec2_instance_k3s
+  subnet_id     = aws_subnet.private[1].id
+  vpc_security_group_ids = [
+    aws_security_group.allow_ssh.id,
+    aws_security_group.allow_icmp.id,
+    aws_security_group.allow_k3s.id,
+    aws_security_group.allow_http.id,
+    aws_security_group.allow_https.id
+  ]
+  key_name = aws_key_pair.my_key.key_name
+  tags = {
+    Name = "K3S Agent node"
+  }
+  depends_on = [aws_instance.control_node]
+}
+
+# # Create a K3S Worker Node ec2 instance in Private nerwork
+# resource "aws_instance" "worker_node" {
+#   ami           = var.ec2_ami_k3s
+#   instance_type = var.ec2_instance_k3s
+#   subnet_id     = aws_subnet.private[1].id
+#   vpc_security_group_ids = [
+#     aws_security_group.allow_ssh.id,
+#     aws_security_group.allow_icmp.id
+#   ]
+#   key_name = aws_key_pair.my_key.key_name
+#   tags = {
+#     Name = "K3S Worker node"
+#   }
+#   # Install k3s as a worker and join it to the control node
+#   user_data = <<-EOF
+#     #!/bin/bash
+#     K3S_URL=https://${aws_instance.control_node.private_ip}:6443
+#     K3S_TOKEN=$(ssh -i /path/to/your/key.pem ec2-user@${aws_instance.control_node.private_ip} "sudo cat /var/lib/rancher/k3s/server/node-token")
+#     curl -sfL https://get.k3s.io | K3S_URL=$K3S_URL K3S_TOKEN=$K3S_TOKEN sh -
+#   EOF
+#   depends_on = [aws_instance.control_node]
+# }
+
+# # # # # # # # # # # Task_3 code end # # # # # # # # # #

nacl.tf

@@ -45,7 +45,7 @@ resource "aws_network_acl_rule" "inbound_rule_ephemeral" {
   protocol       = "tcp"
   rule_action    = "allow"
   cidr_block     = "0.0.0.0/0"
-  from_port      = 1024
+  from_port      = 80
   to_port        = 65535
 }
 

outputs.tf

@@ -27,6 +27,42 @@ output "aws_region" {
 # # # # # # # # # # Task_2 code start # # # # # # # # # #
 
 
+# output "bastion_host_public_ip" {
+#   value = aws_instance.bastion_host.public_ip
+# }
+
+# output "bastion_host_private_ip" {
+#   value = aws_instance.bastion_host.private_ip
+# }
+
+# output "dummy_host_public_ip" {
+#   value = aws_instance.dummy_host.public_ip
+# }
+
+# output "dummy_host_private_ip" {
+#   value = aws_instance.dummy_host.private_ip
+# }
+
+# output "private_key" {
+#   value     = tls_private_key.my_key.private_key_pem
+#   sensitive = true
+# }
+
+# output "public_key" {
+#   value     = aws_key_pair.my_key.public_key
+#   sensitive = true
+# }
+
+output "private_key_file" {
+  value = var.private_key_file
+}
+
+# # # # # # # # # # Task_2 code end # # # # # # # # # #
+
+
+
+# # # # # # # # # # Task_3 code start # # # # # # # # # #
+
 output "bastion_host_public_ip" {
   value = aws_instance.bastion_host.public_ip
 }
@@ -35,17 +71,16 @@ output "bastion_host_private_ip" {
   value = aws_instance.bastion_host.private_ip
 }
 
-output "dummy_host_public_ip" {
-  value = aws_instance.dummy_host.public_ip
+output "control_node_public_ip" {
+  value = aws_instance.control_node.public_ip
 }
 
-output "dummy_host_private_ip" {
-  value = aws_instance.dummy_host.private_ip
+output "control_node_private_ip" {
+  value = aws_instance.control_node.private_ip
 }
 
-output "private_keyyyyyy" {
-  value     = tls_private_key.my_key.private_key_pem
-  sensitive = true
+output "agent_node_private_ip" {
+  value = aws_instance.agent_node.private_ip
 }
 
-# # # # # # # # # # # Task_2 code end # # # # # # # # # #
+# # # # # # # # # # Task_3 code end # # # # # # # # # #

resources.tf

@@ -150,8 +150,19 @@ resource "aws_key_pair" "my_key" {
   public_key = tls_private_key.my_key.public_key_openssh
 }
 
-# In order to save private_key run these commands:
-# terraform output private_key > my_key.pem
-# chmod 400 my_key.pem 
+# # Write the private key to the specified local file and set permission
+# # Uncomment it during a first run to save private key to your laptop.
+# resource "null_resource" "write_private_key" {
+#   provisioner "local-exec" {
+#     command = <<-EOF
+#               echo '${tls_private_key.my_key.private_key_pem}' > ${var.private_key_file}
+#               chmod 400 ${var.private_key_file}
+#               EOF
+#   }
+#   depends_on = [tls_private_key.my_key]
+#   triggers = {
+#     fileexists = "${fileexists(var.private_key_file)}"
+#   }
+# }
 
 # # # # # # # # # # # Task_2 code end # # # # # # # # # #

security_groups.tf

@@ -49,3 +49,75 @@ resource "aws_security_group" "allow_icmp" {
 }
 
 # # # # # # # # # # # Task_2 code end # # # # # # # # # #
+
+
+
+# # # # # # # # # # # Task_3 code start # # # # # # # # # #
+
+# Create security group allowing K3S traffic
+resource "aws_security_group" "allow_k3s" {
+  vpc_id      = aws_vpc.main_vpc.id
+  name        = "allow_k3s"
+  description = "Security group allowing K3S 6443 port traffic"
+  ingress {
+    from_port   = 6443
+    to_port     = 6443
+    protocol    = "tcp"
+    cidr_blocks = var.ssh_source_ip
+  }
+  egress {
+    from_port   = 6443
+    to_port     = 6443
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  tags = {
+    Name = "Allow K3S 6443 port traffic"
+  }
+}
+
+# Create security group allowing HTTP traffic
+resource "aws_security_group" "allow_http" {
+  vpc_id      = aws_vpc.main_vpc.id
+  name        = "allow_http"
+  description = "Security group allowing HTTP traffic"
+  ingress {
+    from_port   = 80
+    to_port     = 80
+    protocol    = "tcp"
+    cidr_blocks = var.ssh_source_ip
+  }
+  egress {
+    from_port   = 80
+    to_port     = 80
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  tags = {
+    Name = "Allow HTTP traffic"
+  }
+}
+
+# Create security group allowing HTTPS traffic
+resource "aws_security_group" "allow_https" {
+  vpc_id      = aws_vpc.main_vpc.id
+  name        = "allow_https"
+  description = "Security group allowing HTTPS traffic"
+  ingress {
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = var.ssh_source_ip
+  }
+  egress {
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  tags = {
+    Name = "Allow HTTPS traffic"
+  }
+}
+
+# # # # # # # # # # # Task_3 code end # # # # # # # # # #