initial commit

2026-02-13 15:44:24 +08:00
parent 66be8224f4
commit 09ce4c881a
570 changed files with 61807 additions and 0 deletions
@@ -0,0 +1,78 @@
+module "bastion" {
+  source                      = "terraform-aws-modules/ec2-instance/aws"
+  version                     = "5.5.0"
+  name                        = "lab-ken2026-eks-bastion"
+  instance_type               = "t3.micro"
+  ami                         = data.aws_ami.this.id
+  ignore_ami_changes          = true
+  subnet_id                   = var.subnet_ids[0]
+  vpc_security_group_ids      = [module.sg.id, module.eks.cluster_primary_security_group_id]
+  create_iam_instance_profile = true
+  iam_role_description        = "IAM role for EC2 instance"
+  iam_role_policies = {
+    SSMManagedInstanceCore = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+    CloudwatchAgent        = "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
+    Admin                  = "arn:aws:iam::aws:policy/AdministratorAccess"
+  }
+  key_name      = "kf-key"
+  ebs_optimized = true
+  root_block_device = [
+    {
+      encrypted   = true
+      volume_type = "gp3"
+      volume_size = 10
+    },
+  ]
+  volume_tags = data.aws_default_tags.this.tags
+  # IMDSv2 requirement
+  metadata_options = {
+    http_endpoint               = "enabled"
+    http_tokens                 = "required"
+    http_put_response_hop_limit = 2
+  }
+  user_data = <<EOF
+#!/bin/bash
+curl -LO https://storage.googleapis.com/kubernetes-release/release/`curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt`/bin/linux/amd64/kubectl
+chmod 755 kubectl
+mv kubectl /usr/local/bin/
+EOF
+}
+
+module "sg" {
+  source      = "../../modules/compute/security_group"
+  description = "Security group for web server"
+  egress = {
+    r1 = "tcp,0,65535,0.0.0.0/0,Allow outbound tcp traffic"
+    r2 = "udp,0,65535,0.0.0.0/0,Allow outbound udp traffic"
+    r3 = "icmp,0,-1,0.0.0.0/0,Allow icmp echo reply"
+  }
+  ingress = {
+    r1 = "icmp,8,-1,0.0.0.0/0,Allow ICMP traffic"
+  }
+  name   = "lab-ken2026-eks-bastion-sg"
+  vpc-id = var.vpc_id
+}
+
+data "aws_default_tags" "this" {}
+
+data "aws_ami" "this" {
+  most_recent = true
+  name_regex  = "al2023-ami-202.*"
+
+  filter {
+    name   = "virtualization-type"
+    values = ["hvm"]
+  }
+
+  filter {
+    name   = "root-device-type"
+    values = ["ebs"]
+  }
+
+  filter {
+    name   = "architecture"
+    values = ["x86_64"]
+  }
+
+  owners = ["910595266909"] # AWS
+}