initial commit

2026-02-13 15:44:24 +08:00
parent 66be8224f4
commit 09ce4c881a
570 changed files with 61807 additions and 0 deletions
@@ -0,0 +1,15 @@
+# eks-managed-nodegroup
+Create EKS cluster using managed nodegroup. Then performed EKS control plane upgrades.
+
+## Versions and upgrade notes
+Based on 1-4 t3.medium worker node with no app pods
+
+| eks-ver | coredns            | kube-proxy          | vpc-cni            | AMI-version      | upgrade notes                                                       |
+|---------|--------------------|---------------------|--------------------|------------------|---------------------------------------------------------------------|
+| 1.25    | v1.9.3-eksbuild.10 | v1.25.16-eksbuild.1 | v1.15.4-eksbuild.1 | 1.25.15-20231201 | N/A                                                                 |
+| 1.26    | v1.9.3-eksbuild.10 | v1.26.11-eksbuild.1 | v1.15.4-eksbuild.1 | 1.26.10-20231201 | from 1.25, set cluster_version = "1.26". nodes are recreated. 23min |
+| 1.27    | v1.10.1-eksbuild.6 | v1.27.6-eksbuild.2  | v1.15.4-eksbuild.1 | 1.27.7-20231201  | from 1.26, set cluster_version = "1.27". nodes are recreated. 16min |
+| 1.28    | v1.10.1-eksbuild.6 | v1.28.4-eksbuild.1  | v1.15.4-eksbuild.1 | 1.28.3-20231201  | from 1.27, set cluster_version = "1.28". nodes are recreated. 26min |
+
+## References
+https://repost.aws/knowledge-center/eks-plan-upgrade-cluster
@@ -0,0 +1,78 @@
+module "bastion" {
+  source                      = "terraform-aws-modules/ec2-instance/aws"
+  version                     = "5.5.0"
+  name                        = "lab-ken2026-eks-bastion"
+  instance_type               = "t3.micro"
+  ami                         = data.aws_ami.this.id
+  ignore_ami_changes          = true
+  subnet_id                   = var.subnet_ids[0]
+  vpc_security_group_ids      = [module.sg.id, module.eks.cluster_primary_security_group_id]
+  create_iam_instance_profile = true
+  iam_role_description        = "IAM role for EC2 instance"
+  iam_role_policies = {
+    SSMManagedInstanceCore = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+    CloudwatchAgent        = "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
+    Admin                  = "arn:aws:iam::aws:policy/AdministratorAccess"
+  }
+  key_name      = "kf-key"
+  ebs_optimized = true
+  root_block_device = [
+    {
+      encrypted   = true
+      volume_type = "gp3"
+      volume_size = 10
+    },
+  ]
+  volume_tags = data.aws_default_tags.this.tags
+  # IMDSv2 requirement
+  metadata_options = {
+    http_endpoint               = "enabled"
+    http_tokens                 = "required"
+    http_put_response_hop_limit = 2
+  }
+  user_data = <<EOF
+#!/bin/bash
+curl -LO https://storage.googleapis.com/kubernetes-release/release/`curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt`/bin/linux/amd64/kubectl
+chmod 755 kubectl
+mv kubectl /usr/local/bin/
+EOF
+}
+
+module "sg" {
+  source      = "../../modules/compute/security_group"
+  description = "Security group for web server"
+  egress = {
+    r1 = "tcp,0,65535,0.0.0.0/0,Allow outbound tcp traffic"
+    r2 = "udp,0,65535,0.0.0.0/0,Allow outbound udp traffic"
+    r3 = "icmp,0,-1,0.0.0.0/0,Allow icmp echo reply"
+  }
+  ingress = {
+    r1 = "icmp,8,-1,0.0.0.0/0,Allow ICMP traffic"
+  }
+  name   = "lab-ken2026-eks-bastion-sg"
+  vpc-id = var.vpc_id
+}
+
+data "aws_default_tags" "this" {}
+
+data "aws_ami" "this" {
+  most_recent = true
+  name_regex  = "al2023-ami-202.*"
+
+  filter {
+    name   = "virtualization-type"
+    values = ["hvm"]
+  }
+
+  filter {
+    name   = "root-device-type"
+    values = ["ebs"]
+  }
+
+  filter {
+    name   = "architecture"
+    values = ["x86_64"]
+  }
+
+  owners = ["910595266909"] # AWS
+}
@@ -0,0 +1,3 @@
+locals {
+  resource-prefix = "${var.environment}-${var.aws-region-short}-${var.customer-name}-${var.project}"
+}
@@ -0,0 +1,189 @@
+provider "kubernetes" {
+  host                   = module.eks.cluster_endpoint
+  cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)
+
+  exec {
+    api_version = "client.authentication.k8s.io/v1beta1"
+    command     = "aws"
+    # This requires the awscli to be installed locally where Terraform is executed
+    args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name]
+  }
+}
+
+module "eks" {
+  source  = "terraform-aws-modules/eks/aws"
+  version = "19.21.0"
+
+  cluster_name                   = "lab-ken2026-eks01"
+  cluster_endpoint_public_access = true
+  cluster_version                = "1.27"
+
+  cluster_addons = {
+    coredns = {
+      preserve    = true
+      most_recent = true
+
+      timeouts = {
+        create = "25m"
+        delete = "10m"
+      }
+    }
+    kube-proxy = {
+      most_recent = true
+    }
+    vpc-cni = {
+      most_recent = true
+    }
+  }
+
+  create_kms_key = false
+  cluster_encryption_config = {
+    resources        = ["secrets"]
+    provider_key_arn = module.kms.key_arn
+  }
+
+  iam_role_additional_policies = {
+    additional = aws_iam_policy.additional.arn
+  }
+
+  vpc_id                   = var.vpc_id
+  subnet_ids               = var.subnet_ids
+  control_plane_subnet_ids = var.control_plane_subnet_ids
+
+  # Extend cluster security group rules
+  cluster_security_group_additional_rules = {
+    ingress_nodes_ephemeral_ports_tcp = {
+      description                = "Nodes on ephemeral ports"
+      protocol                   = "tcp"
+      from_port                  = 1025
+      to_port                    = 65535
+      type                       = "ingress"
+      source_node_security_group = true
+    }
+    # Test: https://github.com/terraform-aws-modules/terraform-aws-eks/pull/2319
+    ingress_source_security_group_id = {
+      description              = "Ingress from another computed security group"
+      protocol                 = "tcp"
+      from_port                = 22
+      to_port                  = 22
+      type                     = "ingress"
+      source_security_group_id = aws_security_group.additional.id
+    }
+  }
+
+  # requires terraform be ran inside VPC
+#    manage_aws_auth_configmap = true
+#
+#    aws_auth_roles = [
+#      {
+#        rolearn  = module.eks_managed_node_group.iam_role_arn
+#        username = "system:node:{{EC2PrivateDNSName}}"
+#        groups = [
+#          "system:bootstrappers",
+#          "system:nodes",
+#        ]
+#      },
+#      {
+#        rolearn  = "arn:aws:iam::040216112220:role/rackLE"
+#        username = "rackLE"
+#        groups   = ["system:masters"]
+#      }
+#    ]
+#
+#    aws_auth_users = [
+#      {
+#        userarn  = var.eks_master_user_arn
+#        username = "eksmaster"
+#        groups   = ["system:masters"]
+#      }
+#    ]
+#
+#    aws_auth_accounts = [
+#      data.aws_caller_identity.current.account_id
+#    ]
+
+}
+
+module "eks_managed_node_group" {
+  source  = "terraform-aws-modules/eks/aws//modules/eks-managed-node-group"
+  version = "19.21.0"
+
+  name            = "eks-mng"
+  cluster_name    = module.eks.cluster_name
+  cluster_version = module.eks.cluster_version
+
+  subnet_ids                        = var.subnet_ids
+  cluster_primary_security_group_id = module.eks.cluster_primary_security_group_id
+  vpc_security_group_ids = [
+    module.eks.cluster_security_group_id,
+    aws_security_group.additional.id
+  ]
+
+  ami_type       = "AL2_x86_64"
+  instance_types = ["t3.medium"]
+  iam_role_additional_policies = {
+    SsmInstanceCore = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+  }
+
+  # this will get added to what AWS provides
+  bootstrap_extra_args = <<-EOT
+    # extra args added
+    [settings.kernel]
+    lockdown = "integrity"
+
+    [settings.kubernetes.node-labels]
+    "label1" = "foo"
+    "label2" = "bar"
+  EOT
+
+  min_size     = 0
+  desired_size = 1
+  max_size     = 2
+}
+
+
+module "kms" {
+  source  = "terraform-aws-modules/kms/aws"
+  version = "~> 1.5"
+
+  aliases               = ["eks/${local.resource-prefix}"]
+  description           = "${local.resource-prefix} cluster encryption key"
+  enable_default_policy = true
+  key_owners            = [data.aws_caller_identity.current.arn]
+}
+
+resource "aws_security_group" "additional" {
+  name_prefix = "${local.resource-prefix}-sg"
+  vpc_id      = var.vpc_id
+
+  ingress {
+    from_port = 22
+    to_port   = 22
+    protocol  = "tcp"
+    cidr_blocks = [
+      "10.0.0.0/8",
+      "172.16.0.0/12",
+      "192.168.0.0/16",
+    ]
+  }
+}
+
+resource "aws_iam_policy" "additional" {
+  name = "${local.resource-prefix}-policy"
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = [
+          "ec2:Describe*",
+        ]
+        Effect   = "Allow"
+        Resource = "*"
+      },
+    ]
+  })
+}
+
+
+data "aws_caller_identity" "current" {}
@@ -0,0 +1,30 @@
+provider "aws" {
+  region = var.aws-region
+
+  default_tags {
+    tags = {
+      ServiceProvider = "RackspaceTechnology"
+      Environment     = var.environment
+      Project         = var.project
+      Application     = var.application
+      TerraformMode   = "managed"
+      TerraformDir    = "${reverse(split("/", path.cwd))[1]}/${reverse(split("/", path.cwd))[0]}"
+    }
+  }
+}
+
+terraform {
+  required_version = ">= 1.3.0"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.0"
+    }
+  }
+  backend "s3" {
+    bucket  = "lab-ken2026-tf-state"
+    key     = "experimental/eks-upgrade-test.tfstate"
+    region  = "ap-east-1"
+    encrypt = true
+  }
+}
@@ -0,0 +1,11 @@
+aws-region       = "ap-east-1"
+aws-region-short = "ape1"
+customer-name    = "ken2026"
+environment      = "lab"
+project          = "eks-pub-module-test"
+application      = "terraform"
+
+vpc_id                   = "vpc-01a10b033169f89a8"
+subnet_ids               = ["subnet-0927ba1b06ccfe6c5", "subnet-08dec6787782ee087"]
+control_plane_subnet_ids = ["subnet-0927ba1b06ccfe6c5", "subnet-08dec6787782ee087"]
+eks_master_user_arn      = "arn:aws:iam::040216112220:role/rackLE"
@@ -0,0 +1,11 @@
+variable "aws-region" {}
+variable "aws-region-short" {}
+variable "customer-name" {}
+variable "environment" {}
+variable "project" {}
+variable "application" {}
+
+variable vpc_id {}
+variable subnet_ids {}
+variable control_plane_subnet_ids {}
+variable eks_master_user_arn {}