-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy patheks-cluster.tf
126 lines (103 loc) · 3.39 KB
/
eks-cluster.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
resource "aws_eks_cluster" "this" {
name = "${local.app_name_capitalized}Cluster"
role_arn = aws_iam_role.eks_cluster.arn
vpc_config {
subnet_ids = aws_subnet.workload[*].id
}
kubernetes_network_config {
service_ipv4_cidr = var.aws_eks_cidr_block
}
# Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
# Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
depends_on = [
aws_iam_role_policy_attachment.AmazonEKSClusterPolicy,
aws_iam_role_policy_attachment.AmazonEKSVPCResourceController,
]
}
resource "aws_iam_role" "eks_cluster" {
name = "${var.aws_iam_rolepolicy_prefix}EksClusterRole"
assume_role_policy = jsonencode({
Version = "2012-10-17",
Statement = [
{
Effect = "Allow",
Principal = {
Service = "eks.amazonaws.com"
},
Action = "sts:AssumeRole"
}
]
})
}
resource "aws_iam_role_policy_attachment" "AmazonEKSClusterPolicy" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
role = aws_iam_role.eks_cluster.name
}
resource "aws_iam_role_policy_attachment" "AmazonEKSVPCResourceController" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController"
role = aws_iam_role.eks_cluster.name
}
resource "aws_eks_node_group" "this" {
cluster_name = aws_eks_cluster.this.name
node_group_name = "${aws_eks_cluster.this.name} Nodes"
node_role_arn = aws_iam_role.this_nodes.arn
subnet_ids = aws_subnet.workload[*].id
scaling_config {
desired_size = 2
max_size = 5
min_size = 1
}
update_config {
max_unavailable = 2
}
instance_types = ["m6i.large", "m5.large"]
disk_size = 50
capacity_type = "SPOT"
depends_on = [
aws_iam_role_policy_attachment.AmazonEKSWorkerNodePolicy,
aws_iam_role_policy_attachment.AmazonEKS_CNI_Policy,
aws_iam_role_policy_attachment.AmazonEC2ContainerRegistryReadOnly,
aws_iam_role_policy_attachment.EksCluseterEcrReadWritePolicy,
]
}
resource "aws_iam_role" "this_nodes" {
name = "${var.aws_iam_rolepolicy_prefix}EksNodeGroupRole"
assume_role_policy = jsonencode({
Statement = [{
Action = "sts:AssumeRole"
Effect = "Allow"
Principal = {
Service = "ec2.amazonaws.com"
}
}]
Version = "2012-10-17"
})
}
resource "aws_iam_role_policy_attachment" "AmazonEKSWorkerNodePolicy" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
role = aws_iam_role.this_nodes.name
}
resource "aws_iam_role_policy_attachment" "AmazonEKS_CNI_Policy" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
role = aws_iam_role.this_nodes.name
}
resource "aws_iam_role_policy_attachment" "AmazonEC2ContainerRegistryReadOnly" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
role = aws_iam_role.this_nodes.name
}
resource "aws_iam_role_policy_attachment" "EksCluseterEcrReadWritePolicy" {
policy_arn = aws_iam_policy.app_ecr_rw.arn
role = aws_iam_role.this_nodes.name
}
data "aws_eks_cluster_auth" "this" {
name = aws_eks_cluster.this.name
}
output "eks_cluster_name" {
value = aws_eks_cluster.this.name
}
output "endpoint" {
value = aws_eks_cluster.this.endpoint
}
output "kubeconfig_certificate_authority_data" {
value = aws_eks_cluster.this.certificate_authority[0].data
}