chore: renamed layers
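--- /dev/null
+++ b/[file path not shown on page]
@@ -0,0 +1,146 @@
+module "BastionRole" {
+source = "../../modules/security_identity_compliance/iam-role-v2"
+description = "EKS bastion instance profile"
+role-name = "BastionInstanceProfile"
+trusted-entity = "ec2.amazonaws.com"
+create-instance-profile = true
+policies = {
+EksAdmin = {
+description = "Eks read permissions required for kubectl"
+policy = jsonencode(
+{
+"Statement" : [
+{
+"Sid" : "EksRead",
+"Action" : [
+"eks:Describe*",
+"eks:List*"
+],
+"Effect" : "Allow",
+"Resource" : "*"
+}
+],
+"Version" : "2012-10-17"
+}
+)
+}
+}
+}
+
+resource "aws_iam_role_policy_attachment" "BastionProfilePermissions" {
+role = module.BastionRole.name
+policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+}
+
+module "eks-bastion" {
+depends_on = [module.eks] # essential for initializing kubectl in userdata
+source = "../../modules/compute/ec2"
+
+additional-tags = {}
+ami-id = data.aws_ami.this.id
+asso-eip = false
+asso-public-ip = true
+use-ipv6 = true
+data-volumes = {}
+ebs-encrypted = true
+instance-name = "${var.environment}-eks-bastion-${random_pet.pet.id}"
+instance-type = "t4g.micro"
+key-name = aws_key_pair.kp.key_name
+kms-key-id = ""
+root-volume-size = "8"
+# security-groups = [module.bastion-sg.id, module.eks.cluster_primary_security_group_id]
+security-groups = [module.bastion-sg.id]
+subnet-id = module.vpc.public_subnets[0]
+instance-profile = module.BastionRole.profile-name[0]
+spot-max-price = 0.0116 # t4g.micro
+user-data = <<EOF
+#!/bin/bash
+# eks bastion setup
+## Install git
+dnf -y install git
+
+## Install kubectl
+curl -LO https://storage.googleapis.com/kubernetes-release/release/`curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt`/bin/linux/arm64/kubectl
+chmod +x kubectl
+mv kubectl /usr/local/bin/
+
+## Install helm
+cd /tmp
+wget -O/tmp/helm.tgz https://get.helm.sh/helm-v4.1.1-linux-arm64.tar.gz
+tar zxf /tmp/helm.tgz
+mv /tmp/linux-arm64/helm /usr/local/bin/helm
+chmod +x /usr/local/bin/helm
+
+## Install eksctl
+cd /tmp
+ARCH=arm64
+PLATFORM=$(uname -s)_$ARCH
+curl -sLO "https://github.com/eksctl-io/eksctl/releases/latest/download/eksctl_$PLATFORM.tar.gz"
+tar zxf eksctl_Linux_arm64.tar.gz
+mv eksctl /usr/local/bin
+chmod +x /usr/local/bin/eksctl
+
+## Create kube config
+echo Create kube config...
+/usr/bin/aws eks update-kubeconfig --name ${var.eks_cluster_name}-${random_pet.pet.id}
+# echo Sleep for 5 minutes and wait for fargate profile to come up
+# /usr/bin/sleep 300
+#
+# ## Grant EKS console access to IAM role: must be executed with cluster creator's identity. cluster role as instance profile won't do it
+# echo Patching configmap/aws-auth...
+# ROLE=" - rolearn: arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/rackLE\n username: build\n groups:\n - system:masters"
+# /usr/local/bin/kubectl --kubeconfig=/root/.kube/config get -n kube-system configmap/aws-auth -o yaml | awk "/mapRoles: \|/{print;print \"$ROLE\";next}1" > /tmp/aws-auth-patch.yml
+# /usr/local/bin/kubectl --kubeconfig=/root/.kube/config patch configmap/aws-auth -n kube-system --patch "$(cat /tmp/aws-auth-patch.yml)"
+# /usr/local/bin/kubectl --kubeconfig=/root/.kube/config get -n kube-system configmap/aws-auth -o yaml
+EOF
+}
+
+data "aws_ami" "this" {
+most_recent = true
+name_regex = "^al2023-ami-2023.*-kernel-6.1-arm64"
+owners = ["amazon"]
+
+filter {
+name = "virtualization-type"
+values = ["hvm"]
+}
+
+filter {
+name = "architecture"
+values = ["arm64"]
+}
+}
+
+resource "tls_private_key" "sshkey" {
+algorithm = "ED25519"
+}
+
+resource "aws_key_pair" "kp" {
+key_name = "${var.environment}-eks-bastion-${random_pet.pet.id}-key"
+public_key = tls_private_key.sshkey.public_key_openssh
+}
+
+module "bastion-sg" {
+source = "../../modules/compute/security_group"
+
+description = "${var.environment}-eks-bastion-${random_pet.pet.id}-sg"
+egress = {
+r1 = "-1,-1,-1,0.0.0.0/0,Allow egress"
+}
+ingress = {
+r1 = "tcp,22,22,0.0.0.0/0,ssh"
+}
+name = "eks-bastion-${random_pet.pet.id}-sg"
+vpc-id = module.vpc.vpc_id
+}
+
+# my security_group module does not support ipv6_cidr_blocks
+resource "aws_security_group_rule" "ipv6_egress" {
+security_group_id = module.bastion-sg.id
+type = "egress"
+from_port = -1
+to_port = -1
+protocol = "all"
+ipv6_cidr_blocks = ["::/0"]
+description = "Allow ipv6 egress"
+}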
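Review bot: The bastion security group rule `r1 = "tcp,22,22,0.0.0.0/0,ssh"` in module "bastion-sg" opens SSH to every IPv4 address on a host that gets a public IP, even though the instance profile already attaches AmazonSSMManagedInstanceCore, which is the instance-side requirement for Session Manager access without any inbound port. Restrict the rule to the operators' address range, e.g. `r1 = "tcp,22,22,<admin-cidr>,ssh"`, or drop the ingress entry and rely on SSM. The user-data in module "eks-bastion" also installs kubectl, helm and eksctl straight from download URLs with no checksum or signature verification, so a tampered or silently changed artifact would run as root on a host that is then handed a kubeconfig; pinning each version and checking the published SHA256 before the `mv` into /usr/local/bin would close that gap. Note as well that `tls_private_key.sshkey` keeps the generated private key in Terraform state, so the state backend has to be protected as a secret store.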