# IAM role assumed by the bastion EC2 instance through its instance profile.
# Its inline policy grants only EKS Describe*/List* calls; the bastion's
# user-data runs `aws eks update-kubeconfig`, which presumably is why these
# read calls are needed. Everything else the instance can do comes from
# policies attached elsewhere (see BastionProfilePermissions).
module "BastionRole" {
  source = "../modules/security_identity_compliance/iam-role-v2"

  description             = "EKS bastion instance profile"
  role-name               = "BastionInstanceProfile"
  trusted-entity          = "ec2.amazonaws.com"
  create-instance-profile = true

  policies = {
    # NOTE(review): the key reads "EksAdmin" but the statement is read-only.
    # The key is kept as-is because it names the created policy; renaming it
    # would replace the policy rather than just relabel it.
    EksAdmin = {
      description = "Eks read permissions required for kubectl"
      # jsonencode emits object keys in lexicographic order, so the resulting
      # document is the same regardless of the order written here.
      policy = jsonencode({
        Version = "2012-10-17"
        Statement = [
          {
            Sid      = "EksRead"
            Effect   = "Allow"
            Action   = ["eks:Describe*", "eks:List*"]
            Resource = "*"
          },
        ]
      })
    }
  }
}
# Attach the AWS-managed SSM core policy to the bastion role so the SSM agent
# can register the instance (Session Manager, inventory, patching). This is
# what allows shell access to the bastion without relying on port 22.
resource "aws_iam_role_policy_attachment" "BastionProfilePermissions" {
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
  role       = module.BastionRole.name
}
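# Public bastion host used to reach the EKS cluster with kubectl/helm/eksctl.
# The user-data below installs the tooling at boot. Compared to a plain
# download-and-move script it (1) stops on the first failed command instead of
# continuing with missing binaries, and (2) verifies every downloaded binary
# against the checksum its publisher ships next to it, so a tampered or
# truncated download cannot end up on the bastion's PATH.
module "eks-bastion" {
  depends_on = [module.eks] # essential for initializing kubectl in userdata
  source     = "../modules/compute/ec2"

  additional-tags = {}
  ami-id          = data.aws_ami.this.id
  asso-eip        = false
  asso-public-ip  = true # reachable from the internet; exposure is governed by bastion-sg
  use-ipv6        = true
  data-volumes    = {}
  ebs-encrypted   = true
  instance-name   = "${var.environment}-eks-bastion-${random_pet.pet.id}"
  instance-type   = "t4g.micro" # arm64 — all binaries below are the arm64 builds
  key-name        = aws_key_pair.kp.key_name
  kms-key-id      = module.KmsKeys.cmks.storage.arn # CMK for the encrypted root volume
  root-volume-size = "8"
  # security-groups = [module.bastion-sg.id, module.eks.cluster_primary_security_group_id]
  security-groups  = [module.bastion-sg.id]
  subnet-id        = module.vpc.public_subnets[0]
  instance-profile = module.BastionRole.profile-name[0]
  spot-max-price   = 0.0116 # t4g.micro

  # Terraform interpolates only `${...}` inside this heredoc; plain `$NAME`
  # and `$(...)` are left for the shell.
  user-data = <<EOF
#!/bin/bash
# eks bastion setup
# Fail fast: a missing tool should surface as a failed boot script rather
# than a bastion that looks healthy until someone runs kubectl.
set -euo pipefail
cd /tmp

## Install git
dnf -y install git

## Install kubectl (current stable release, verified against the published .sha256)
KUBECTL_VERSION=$(curl -fsSL https://dl.k8s.io/release/stable.txt)
curl -fsSLO "https://dl.k8s.io/release/$KUBECTL_VERSION/bin/linux/arm64/kubectl"
curl -fsSLO "https://dl.k8s.io/release/$KUBECTL_VERSION/bin/linux/arm64/kubectl.sha256"
echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check
install -m 0755 kubectl /usr/local/bin/kubectl

## Install helm (pinned version, verified against the published .sha256sum)
HELM_ARCHIVE=helm-v4.1.1-linux-arm64.tar.gz
curl -fsSLO "https://get.helm.sh/$HELM_ARCHIVE"
curl -fsSLO "https://get.helm.sh/$HELM_ARCHIVE.sha256sum"
sha256sum --check "$HELM_ARCHIVE.sha256sum"
tar zxf "$HELM_ARCHIVE"
install -m 0755 linux-arm64/helm /usr/local/bin/helm

## Install eksctl (latest release, verified against eksctl_checksums.txt)
ARCH=arm64
PLATFORM=$(uname -s)_$ARCH
curl -fsSLO "https://github.com/eksctl-io/eksctl/releases/latest/download/eksctl_$PLATFORM.tar.gz"
curl -fsSL "https://github.com/eksctl-io/eksctl/releases/latest/download/eksctl_checksums.txt" | grep "$PLATFORM" | sha256sum --check
tar zxf "eksctl_$PLATFORM.tar.gz"
install -m 0755 eksctl /usr/local/bin/eksctl

## Create kube config
echo Create kube config...
/usr/bin/aws eks update-kubeconfig --name ${var.eks_cluster_name}-${random_pet.pet.id}
# echo Sleep for 5 minutes and wait for fargate profile to come up
# /usr/bin/sleep 300
#
# ## Grant EKS console access to IAM role: must be executed with cluster creator's identity. cluster role as instance profile won't do it
# echo Patching configmap/aws-auth...
# ROLE=" - rolearn: arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/rackLE\n username: build\n groups:\n - system:masters"
# /usr/local/bin/kubectl --kubeconfig=/root/.kube/config get -n kube-system configmap/aws-auth -o yaml | awk "/mapRoles: \|/{print;print \"$ROLE\";next}1" > /tmp/aws-auth-patch.yml
# /usr/local/bin/kubectl --kubeconfig=/root/.kube/config patch configmap/aws-auth -n kube-system --patch "$(cat /tmp/aws-auth-patch.yml)"
# /usr/local/bin/kubectl --kubeconfig=/root/.kube/config get -n kube-system configmap/aws-auth -o yaml
EOF
}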
# Most recent Amazon-owned AL2023 arm64 image on the 6.1 kernel line. The
# owners filter is what keeps look-alike community images out of the match;
# the regex alone would not. Because most_recent is set, a newer image can
# change the selected id on a later plan and replace the bastion.
data "aws_ami" "this" {
  owners      = ["amazon"]
  most_recent = true
  name_regex  = "^al2023-ami-2023.*-kernel-6.1-arm64"

  filter {
    name   = "architecture"
    values = ["arm64"]
  }

  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }
}
# SSH key pair for the bastion, generated by Terraform. Nothing in this file
# writes the private half anywhere — it lives only in Terraform state, so
# read access to the state backend is equivalent to holding the bastion's
# SSH key and the backend should be protected accordingly.
resource "tls_private_key" "sshkey" {
  algorithm = "ED25519"
}
# Register only the public half of the generated key with EC2. The name
# mirrors the instance-name pattern so the pair is easy to correlate with its
# bastion in the console.
resource "aws_key_pair" "kp" {
  public_key = tls_private_key.sshkey.public_key_openssh
  key_name   = "${var.environment}-eks-bastion-${random_pet.pet.id}-key"
}
# Security group for the bastion. Each rule string appears to follow
# "protocol,from-port,to-port,cidr,description" (verify against the module).
module "bastion-sg" {
  source = "../modules/compute/security_group"

  name        = "eks-bastion-${random_pet.pet.id}-sg"
  description = "${var.environment}-eks-bastion-${random_pet.pet.id}-sg"
  vpc-id      = module.vpc.vpc_id

  # NOTE(review): SSH is reachable from every IPv4 address. The instance role
  # also carries AmazonSSMManagedInstanceCore (BastionProfilePermissions), so
  # Session Manager can provide shell access without port 22 — consider
  # narrowing this CIDR to operator ranges, or dropping the rule once SSM
  # access is confirmed.
  ingress = {
    r1 = "tcp,22,22,0.0.0.0/0,ssh"
  }

  # Unrestricted egress is what lets the user-data fetch kubectl/helm/eksctl.
  egress = {
    r1 = "-1,-1,-1,0.0.0.0/0,Allow egress ipv4"
    r2 = "-1,-1,-1,::/0,Allow egress ipv6"
  }
}