Posted to commits@dlab.apache.org by om...@apache.org on 2019/07/01 15:20:58 UTC

[incubator-dlab] branch DLAB-terraform created (now 5d23bfb)

This is an automated email from the ASF dual-hosted git repository.

omartushevskyi pushed a change to branch DLAB-terraform
in repository https://gitbox.apache.org/repos/asf/incubator-dlab.git.


      at 5d23bfb  [DLAB-572]: added Terraform scripts for K8S infrastructure provisioning and configuration

This branch includes the following new commits:

     new 5d23bfb  [DLAB-572]: added Terraform scripts for K8S infrastructure provisioning and configuration

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.





[incubator-dlab] 01/01: [DLAB-572]: added Terraform scripts for K8S infrastructure provisioning and configuration

Posted by om...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

omartushevskyi pushed a commit to branch DLAB-terraform
in repository https://gitbox.apache.org/repos/asf/incubator-dlab.git

commit 5d23bfbd59f3c9180951aafd7024e67d0ca2d9c7
Author: Oleh Martushevskyi <Ol...@epam.com>
AuthorDate: Mon Jul 1 18:20:50 2019 +0300

    [DLAB-572]: added Terraform scripts for K8S infrastructure provisioning and configuration
---
 .../terraform/aws/main/main.tf                     |  24 ++++
 .../terraform/aws/main/variables.tf                |  71 +++++++++++
 .../aws/modules/ssn-k8s/auto_scaling_groups.tf     |  96 ++++++++++++++
 .../aws/modules/ssn-k8s/files/assume-policy.json   |  13 ++
 .../aws/modules/ssn-k8s/files/masters-user-data.sh | 138 +++++++++++++++++++++
 .../aws/modules/ssn-k8s/files/ssn-policy.json.tpl  |  43 +++++++
 .../aws/modules/ssn-k8s/files/workers-user-data.sh |  47 +++++++
 .../terraform/aws/modules/ssn-k8s/lb.tf            |  33 +++++
 .../terraform/aws/modules/ssn-k8s/role_policy.tf   |  30 +++++
 .../terraform/aws/modules/ssn-k8s/s3.tf            |   8 ++
 .../aws/modules/ssn-k8s/security_groups.tf         |  47 +++++++
 .../terraform/aws/modules/ssn-k8s/variables.tf     |  33 +++++
 .../terraform/aws/modules/ssn-k8s/vpc.tf           |  54 ++++++++
 13 files changed, 637 insertions(+)

diff --git a/infrastructure-provisioning/terraform/aws/main/main.tf b/infrastructure-provisioning/terraform/aws/main/main.tf
new file mode 100644
index 0000000..881b333
--- /dev/null
+++ b/infrastructure-provisioning/terraform/aws/main/main.tf
@@ -0,0 +1,24 @@
+provider "aws" {
+  region                  = var.region
+}
+
+module "ssn-k8s" {
+  source            = "../modules/ssn-k8s"
+  service_base_name = var.service_base_name
+  vpc_id            = var.vpc_id
+  vpc_cidr          = var.vpc_cidr
+  subnet_id         = var.subnet_id
+  env_os            = var.env_os
+  ami               = var.ami
+  key_name          = var.key_name
+  region            = var.region
+  zone              = var.zone
+  masters_count     = var.masters_count
+  workers_count     = var.workers_count
+  root_volume_size  = var.root_volume_size
+  allowed_cidrs     = var.allowed_cidrs
+  subnet_cidr       = var.subnet_cidr
+  masters_shape     = var.masters_shape
+  workers_shape     = var.workers_shape
+  os-user           = var.os-user
+}
diff --git a/infrastructure-provisioning/terraform/aws/main/variables.tf b/infrastructure-provisioning/terraform/aws/main/variables.tf
new file mode 100644
index 0000000..6f86c42
--- /dev/null
+++ b/infrastructure-provisioning/terraform/aws/main/variables.tf
@@ -0,0 +1,71 @@
+variable "region" {
+  default = "us-west-2"
+}
+
+variable "zone" {
+  default = "a"
+}
+
+variable "service_base_name" {
+  default = "k8s"
+}
+
+variable "vpc_id" {
+  default = ""
+}
+
+variable "vpc_cidr" {
+  default = "172.31.0.0/16"
+}
+
+variable "subnet_id" {
+  default = ""
+}
+
+variable "subnet_cidr" {
+  default = "172.31.0.0/24"
+}
+
+variable "env_os" {
+  default = "debian"
+}
+
+variable "ami" {
+  type = "map"
+  default = {
+    "debian" = "ami-08692d171e3cf02d6",
+    "redhat" = ""
+  }
+}
+
+variable "key_name" {
+  default = "BDCC-DSS-POC"
+}
+
+variable "masters_count" {
+  default = 3
+}
+
+variable "workers_count" {
+  default = 2
+}
+
+variable "root_volume_size" {
+  default = 30
+}
+
+variable "allowed_cidrs" {
+  default = ["0.0.0.0/0"]
+}
+
+variable "masters_shape" {
+  default = "t2.medium"
+}
+
+variable "workers_shape" {
+  default = "t2.medium"
+}
+
+variable "os-user" {
+  default = "dlab-user"
+}
\ No newline at end of file
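Review bot: `allowed_cidrs` defaults to `["0.0.0.0/0"]`, so the SSH rule that consumes it in the module admits every address unless a caller remembers to override it. A world-open default is easy to ship unnoticed; dropping the default forces the caller to choose, e.g. `variable "allowed_cidrs" { description = "CIDR ranges allowed to reach SSH on the cluster nodes" }`. The `ami` map hard-codes a single region-specific image and an empty `redhat` entry, so `env_os = "redhat"` would hand an empty `image_id` to the launch configurations; a `description` on each variable would make such constraints visible. `key_name = "BDCC-DSS-POC"` looks environment-specific and is probably better left without a default as well.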
diff --git a/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/auto_scaling_groups.tf b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/auto_scaling_groups.tf
new file mode 100644
index 0000000..7ba0971
--- /dev/null
+++ b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/auto_scaling_groups.tf
@@ -0,0 +1,96 @@
+data "template_file" "k8s-masters-user-data" {
+  template = file("../modules/ssn-k8s/files/masters-user-data.sh")
+  vars = {
+    k8s-asg = "${var.service_base_name}-master"
+    k8s-region = var.region
+    k8s-bucket-name = aws_s3_bucket.k8s-bucket.id
+    k8s-eip = aws_eip.k8s-lb-eip.public_ip
+    k8s-tg-arn = aws_lb_target_group.k8s-lb-target-group.arn
+    k8s-os-user = var.os-user
+  }
+}
+
+data "template_file" "k8s-workers-user-data" {
+  template = file("../modules/ssn-k8s/files/workers-user-data.sh")
+  vars = {
+    k8s-bucket-name = aws_s3_bucket.k8s-bucket.id
+    k8s-os-user = var.os-user
+  }
+}
+
+resource "aws_launch_configuration" "as_conf_masters" {
+  name                 = "${var.service_base_name}-as-conf-masters"
+  image_id             = var.ami[var.env_os]
+  instance_type        = var.masters_shape
+  key_name             = var.key_name
+  security_groups      = [aws_security_group.k8s-sg.id]
+  iam_instance_profile = aws_iam_instance_profile.k8s-profile.name
+  root_block_device {
+    volume_type           = "gp2"
+    volume_size           = var.root_volume_size
+    delete_on_termination = true
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+  user_data = data.template_file.k8s-masters-user-data.rendered
+}
+
+resource "aws_launch_configuration" "as_conf_workers" {
+  name                 = "${var.service_base_name}-as-conf-workers"
+  image_id             = var.ami[var.env_os]
+  instance_type        = var.workers_shape
+  key_name             = var.key_name
+  security_groups      = [aws_security_group.k8s-sg.id]
+  iam_instance_profile = aws_iam_instance_profile.k8s-profile.name
+  root_block_device {
+    volume_type           = "gp2"
+    volume_size           = var.root_volume_size
+    delete_on_termination = true
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+  user_data = data.template_file.k8s-workers-user-data.rendered
+}
+
+resource "aws_autoscaling_group" "autoscaling_group_masters" {
+  name                 = "${var.service_base_name}-master"
+  launch_configuration = aws_launch_configuration.as_conf_masters.name
+  min_size             = var.masters_count
+  max_size             = var.masters_count
+  vpc_zone_identifier  = [data.aws_subnet.k8s-subnet-data.id]
+  target_group_arns    = [aws_lb_target_group.k8s-lb-target-group.arn]
+
+  lifecycle {
+    create_before_destroy = true
+  }
+  tags = [
+    {
+      key                 = "Name"
+      value               = "${var.service_base_name}-master"
+      propagate_at_launch = true
+    }
+  ]
+}
+
+resource "aws_autoscaling_group" "autoscaling_group_workers" {
+  name                 = "${var.service_base_name}-worker"
+  launch_configuration = aws_launch_configuration.as_conf_workers.name
+  min_size             = var.workers_count
+  max_size             = var.workers_count
+  vpc_zone_identifier  = [data.aws_subnet.k8s-subnet-data.id]
+
+  lifecycle {
+    create_before_destroy = true
+  }
+  tags = [
+    {
+      key                 = "Name"
+      value               = "${var.service_base_name}-worker"
+      propagate_at_launch = true
+    }
+  ]
+}
\ No newline at end of file
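Review bot: Both launch configurations attach the same `aws_iam_instance_profile.k8s-profile` and the same `aws_security_group.k8s-sg`, so worker nodes receive every permission granted to masters, although the workers user-data only reads `join_command` from the bucket while masters write `join_command` and `cert_key` and query Auto Scaling, EC2 and ELB. A second, read-only role and profile for `as_conf_workers` (GetObject on the `k8s/masters/join_command` key only) would limit what a compromised worker can do with the control-plane join credentials. A short comment on `min_size = max_size` saying the groups are intentionally fixed-size would also help the next reader, since nothing here explains it.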
diff --git a/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/files/assume-policy.json b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/files/assume-policy.json
new file mode 100644
index 0000000..680b6f8
--- /dev/null
+++ b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/files/assume-policy.json
@@ -0,0 +1,13 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "ec2.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
\ No newline at end of file
diff --git a/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/files/masters-user-data.sh b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/files/masters-user-data.sh
new file mode 100644
index 0000000..0dd15d1
--- /dev/null
+++ b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/files/masters-user-data.sh
@@ -0,0 +1,138 @@
+#!/bin/bash
+set -ex
+
+check_tokens () {
+RUN=`aws s3 ls s3://${k8s-bucket-name}/k8s/masters/ > /dev/null && echo "true" || echo "false"`
+sleep 5
+}
+
+check_elb_status () {
+RUN=`aws elbv2 describe-target-health --target-group-arn ${k8s-tg-arn} --region ${k8s-region} | \
+     jq -r '.TargetHealthDescriptions[].TargetHealth.State' | \
+     grep "^healthy" > /dev/null && echo "true" || echo "false"`
+sleep 5
+}
+
+# Creating DLab user
+sudo useradd -m -G sudo -s /bin/bash ${k8s-os-user}
+sudo bash -c 'echo "${k8s-os-user} ALL = NOPASSWD:ALL" >> /etc/sudoers'
+sudo mkdir /home/${k8s-os-user}/.ssh
+sudo bash -c 'cat /home/ubuntu/.ssh/authorized_keys > /home/${k8s-os-user}/.ssh/authorized_keys'
+sudo chown -R ${k8s-os-user}:${k8s-os-user} /home/${k8s-os-user}/
+sudo chmod 700 /home/${k8s-os-user}/.ssh
+sudo chmod 600 /home/${k8s-os-user}/.ssh/authorized_keys
+
+sudo apt-get update
+sudo apt-get install -y python-pip jq
+sudo pip install -U pip
+sudo pip install awscli
+
+local_ip=`curl http://169.254.169.254/latest/meta-data/local-ipv4`
+first_master_ip=`aws autoscaling describe-auto-scaling-instances --region ${k8s-region} --output text --query \
+                 "AutoScalingInstances[?AutoScalingGroupName=='${k8s-asg}'].InstanceId" | xargs -n1 aws ec2 \
+                 describe-instances --instance-ids $ID --region ${k8s-region} --query \
+                 "Reservations[].Instances[].PrivateIpAddress" --output text | sort | head -n1`
+
+# installing Docker
+sudo bash -c 'curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -'
+sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
+sudo apt-get update
+sudo apt-get install -y docker-ce
+sudo systemctl enable docker
+# installing kubeadm, kubelet and kubectl
+sudo apt-get install -y apt-transport-https curl
+sudo bash -c 'curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add -'
+sudo bash -c 'echo "deb http://apt.kubernetes.io/ kubernetes-xenial main" > /etc/apt/sources.list.d/kubernetes.list'
+sudo apt-get update
+sudo apt-get install -y kubelet kubeadm kubectl
+
+check_tokens
+if [[ $local_ip == $first_master_ip ]] && [[ $RUN == "false" ]];then
+cat <<EOF > /tmp/kubeadm-config.yaml
+apiVersion: kubeadm.k8s.io/v1beta2
+kind: ClusterConfiguration
+kubernetesVersion: stable
+apiServerCertSANs:
+  - ${k8s-eip}
+controlPlaneEndpoint: "${k8s-eip}:6443"
+EOF
+sudo kubeadm init --config=/tmp/kubeadm-config.yaml --upload-certs
+while check_elb_status
+do
+    if [[ $RUN == "false" ]];
+    then
+        echo "Waiting for LB healthy status..."
+    else
+        echo "LB status is healthy!"
+        break
+    fi
+done
+sudo mkdir -p /home/${k8s-os-user}/.kube
+sudo cp -i /etc/kubernetes/admin.conf /home/${k8s-os-user}/.kube/config
+sudo chown -R ${k8s-os-user}:${k8s-os-user} /home/${k8s-os-user}/.kube
+sudo kubeadm token create --print-join-command > /tmp/join_command
+sudo kubeadm init phase upload-certs --upload-certs | grep -v "upload-certs" > /tmp/cert_key
+sudo -i -u ${k8s-os-user} kubectl apply -f \
+     "https://cloud.weave.works/k8s/net?k8s-version=$(sudo -i -u ${k8s-os-user} kubectl version | base64 | tr -d '\n')"
+sleep 60
+aws s3 cp /tmp/join_command s3://${k8s-bucket-name}/k8s/masters/join_command
+aws s3 cp /tmp/cert_key s3://${k8s-bucket-name}/k8s/masters/cert_key
+sudo rm -f /tmp/join_command
+sudo rm -f /tmp/cert_key
+else
+while check_tokens
+do
+    if [[ $RUN == "false" ]];
+    then
+        echo "Waiting for initial cluster initialization..."
+    else
+        echo "Initial cluster initialized!"
+        break
+    fi
+done
+aws s3 cp s3://${k8s-bucket-name}/k8s/masters/join_command /tmp/join_command
+aws s3 cp s3://${k8s-bucket-name}/k8s/masters/cert_key /tmp/cert_key
+join_command=`cat /tmp/join_command`
+cert_key=`cat /tmp/cert_key`
+sudo $join_command --control-plane --certificate-key $cert_key
+sudo mkdir -p /home/${k8s-os-user}/.kube
+sudo cp -i /etc/kubernetes/admin.conf /home/${k8s-os-user}/.kube/config
+sudo chown -R ${k8s-os-user}:${k8s-os-user} /home/${k8s-os-user}/.kube
+fi
+cat <<EOF > /tmp/update_files.sh
+#!/bin/bash
+sudo kubeadm token create --print-join-command > /tmp/join_command
+sudo kubeadm init phase upload-certs --upload-certs | grep -v "upload-certs" > /tmp/cert_key
+aws s3 cp /tmp/join_command s3://${k8s-bucket-name}/k8s/masters/join_command
+aws s3 cp /tmp/cert_key s3://${k8s-bucket-name}/k8s/masters/cert_key
+sudo rm -f /tmp/join_command
+sudo rm -f /tmp/cert_key
+EOF
+sudo mv /tmp/update_files.sh /usr/local/bin/update_files.sh
+sudo chmod 755 /usr/local/bin/update_files.sh
+sudo bash -c 'echo "0 0 * * * root /usr/local/bin/update_files.sh" >> /etc/crontab'
+
+cat <<EOF > /tmp/remove-etcd-member.sh
+#!/bin/bash
+hostname=\$(/bin/hostname)
+not_ready_node=\$(/usr/bin/sudo -i -u ${k8s-os-user} /usr/bin/kubectl get nodes | grep NotReady | grep master | awk '{print \$1}')
+if [[ \$not_ready_node != "" ]]; then
+etcd_pod_name=\$(/usr/bin/sudo -i -u ${k8s-os-user} /usr/bin/kubectl get pods -n kube-system | /bin/grep etcd \
+    | /bin/grep "\$hostname" | /usr/bin/awk '{print \$1}')
+etcd_member_id=\$(/usr/bin/sudo -i -u ${k8s-os-user} /usr/bin/kubectl -n kube-system exec -it \$etcd_pod_name \
+    -- /bin/sh -c "ETCDCTL_API=3 etcdctl member list --endpoints=https://[127.0.0.1]:2379 \
+    --cacert=/etc/kubernetes/pki/etcd/ca.crt --cert=/etc/kubernetes/pki/etcd/healthcheck-client.crt \
+    --key=/etc/kubernetes/pki/etcd/healthcheck-client.key"  | /bin/grep ", \$not_ready_node" | /usr/bin/awk -F',' '{print \$1}')
+/usr/bin/sudo -i -u ${k8s-os-user} /usr/bin/kubectl -n kube-system exec -it \$etcd_pod_name \
+    -- /bin/sh -c "ETCDCTL_API=3 etcdctl member remove \$etcd_member_id --endpoints=https://[127.0.0.1]:2379 \
+    --cacert=/etc/kubernetes/pki/etcd/ca.crt --cert=/etc/kubernetes/pki/etcd/healthcheck-client.crt \
+    --key=/etc/kubernetes/pki/etcd/healthcheck-client.key"
+/usr/bin/sudo -i -u ${k8s-os-user} /usr/bin/kubectl delete node \$not_ready_node
+
+fi
+
+EOF
+sudo mv /tmp/remove-etcd-member.sh /usr/local/bin/remove-etcd-member.sh
+sudo chmod 755 /usr/local/bin/remove-etcd-member.sh
+sleep 600
+sudo bash -c 'echo "* * * * * root /usr/local/bin/remove-etcd-member.sh >> /var/log/cron_k8s.log 2>&1" >> /etc/crontab'
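Review bot: `set -ex` at the top traces every command, so `sudo $join_command --control-plane --certificate-key $cert_key` prints the bootstrap token and the certificate key into the cloud-init output log on each additional master; the workers script uses plain `set -e`, and this script should too, or at least wrap that line in `set +x` / `set -x`. The same line, and `sudo $join_command` in workers-user-data.sh, runs whatever text is in the bucket object as root without checking it; a minimal guard such as `[[ $join_command == "kubeadm join "* ]] || exit 1` before the call would refuse anything that is not a join command. `$ID` in the `first_master_ip` pipeline is never assigned, so `--instance-ids` is followed directly by `--region` and the id that xargs appends lands at the end of the argument list; whether the CLI accepts that is worth verifying, and `xargs -I{} aws ec2 describe-instances --instance-ids {} ...` makes the intent explicit. `check_tokens` only tests that the `k8s/masters/` prefix is non-empty, and the first master uploads `join_command` before `cert_key`, so a second master can pass the check and then fail on `aws s3 cp .../cert_key` under `set -e`; listing the `cert_key` object specifically would close that window.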
diff --git a/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/files/ssn-policy.json.tpl b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/files/ssn-policy.json.tpl
new file mode 100644
index 0000000..3532064
--- /dev/null
+++ b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/files/ssn-policy.json.tpl
@@ -0,0 +1,43 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": "s3:ListAllMyBuckets",
+      "Resource": "arn:aws:s3:::*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "s3:ListBucket",
+        "s3:GetBucketLocation",
+        "s3:PutBucketPolicy",
+        "s3:PutEncryptionConfiguration"
+      ],
+      "Resource": [
+        "${bucket_arn}"
+	  ]
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "s3:HeadObject",
+        "s3:PutObject",
+        "s3:GetObject",
+        "s3:DeleteObject"
+      ],
+      "Resource": [
+        "${bucket_arn}/*"
+      ]
+    },
+    {
+        "Effect": "Allow",
+        "Action": [
+            "autoscaling:DescribeAutoScalingInstances",
+            "ec2:DescribeInstances",
+            "elasticloadbalancing:DescribeTargetHealth"
+        ],
+        "Resource": "*"
+    }
+  ]
+}
\ No newline at end of file
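Review bot: The second statement grants `s3:PutBucketPolicy` and `s3:PutEncryptionConfiguration` on the bucket to the node role, but nothing in either user-data script changes bucket configuration; only `aws s3 ls` and `aws s3 cp` are used, so those two actions let a compromised node rewrite the bucket policy for no operational gain and should be dropped. `s3:ListAllMyBuckets` on `arn:aws:s3:::*` is likewise unused by the scripts. As far as I know `s3:HeadObject` is not an IAM action name (HEAD requests are authorised by `s3:GetObject`), so that entry is probably dead. The `Resource` array in the second statement is also closed with a tab-indented `]` while the rest of the file uses spaces.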
diff --git a/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/files/workers-user-data.sh b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/files/workers-user-data.sh
new file mode 100644
index 0000000..d85a99e
--- /dev/null
+++ b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/files/workers-user-data.sh
@@ -0,0 +1,47 @@
+#!/bin/bash
+set -e
+
+check_tokens () {
+RUN=`aws s3 ls s3://${k8s-bucket-name}/k8s/masters/ > /dev/null && echo "true" || echo "false"`
+sleep 5
+}
+
+# Creating DLab user
+sudo useradd -m -G sudo -s /bin/bash ${k8s-os-user}
+sudo bash -c 'echo "${k8s-os-user} ALL = NOPASSWD:ALL" >> /etc/sudoers'
+sudo mkdir /home/${k8s-os-user}/.ssh
+sudo bash -c 'cat /home/ubuntu/.ssh/authorized_keys > /home/${k8s-os-user}/.ssh/authorized_keys'
+sudo chown -R ${k8s-os-user}:${k8s-os-user} /home/${k8s-os-user}/
+sudo chmod 700 /home/${k8s-os-user}/.ssh
+sudo chmod 600 /home/${k8s-os-user}/.ssh/authorized_keys
+
+sudo apt-get update
+sudo apt-get install -y python-pip
+sudo pip install -U pip
+sudo pip install awscli
+
+# installing Docker
+sudo bash -c 'curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -'
+sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
+sudo apt-get update
+sudo apt-get install -y docker-ce
+sudo systemctl enable docker
+# installing kubeadm, kubelet and kubectl
+sudo apt-get install -y apt-transport-https curl
+sudo bash -c 'curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add -'
+sudo bash -c 'echo "deb http://apt.kubernetes.io/ kubernetes-xenial main" > /etc/apt/sources.list.d/kubernetes.list'
+sudo apt-get update
+sudo apt-get install -y kubelet kubeadm kubectl
+while check_tokens
+do
+    if [[ $RUN == "false" ]];
+    then
+        echo "Waiting for initial cluster initialization..."
+    else
+        echo "Initial cluster initialized!"
+        break
+    fi
+done
+aws s3 cp s3://${k8s-bucket-name}/k8s/masters/join_command /tmp/join_command
+join_command=`cat /tmp/join_command`
+sudo $join_command
diff --git a/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/lb.tf b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/lb.tf
new file mode 100644
index 0000000..277d893
--- /dev/null
+++ b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/lb.tf
@@ -0,0 +1,33 @@
+resource "aws_lb" "k8s-lb" {
+  name               = "${var.service_base_name}-lb"
+  load_balancer_type = "network"
+
+  subnet_mapping {
+    subnet_id     = data.aws_subnet.k8s-subnet-data.id
+    allocation_id = aws_eip.k8s-lb-eip.id
+  }
+  tags = {
+    Name = "${var.service_base_name}-lb"
+  }
+}
+
+resource "aws_lb_target_group" "k8s-lb-target-group" {
+  name     = "${var.service_base_name}-lb-target-group"
+  port     = 6443
+  protocol = "TCP"
+  vpc_id   = data.aws_vpc.k8s-vpc-data.id
+  tags = {
+    Name = "${var.service_base_name}-lb-target-group"
+  }
+}
+
+resource "aws_lb_listener" "k8s-lb-listener" {
+  load_balancer_arn = aws_lb.k8s-lb.arn
+  port              = "6443"
+  protocol          = "TCP"
+
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.k8s-lb-target-group.arn
+  }
+}
\ No newline at end of file
diff --git a/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/role_policy.tf b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/role_policy.tf
new file mode 100644
index 0000000..bb7ce24
--- /dev/null
+++ b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/role_policy.tf
@@ -0,0 +1,30 @@
+data "template_file" "k8s-s3-policy" {
+  template = file("../modules/ssn-k8s/files/ssn-policy.json.tpl")
+  vars = {
+    bucket_arn = aws_s3_bucket.k8s-bucket.arn
+  }
+}
+
+resource "aws_iam_policy" "k8s-policy" {
+  name        = "${var.service_base_name}-policy"
+  description = "Policy for K8S"
+  policy      = data.template_file.k8s-s3-policy.rendered
+}
+
+resource "aws_iam_role" "k8s-role" {
+  name               = "${var.service_base_name}-role"
+  assume_role_policy = file("../modules/ssn-k8s/files/assume-policy.json")
+  tags = {
+    Name = "${var.service_base_name}-role"
+  }
+}
+
+resource "aws_iam_role_policy_attachment" "k8s-attach" {
+  role       = aws_iam_role.k8s-role.name
+  policy_arn = aws_iam_policy.k8s-policy.arn
+}
+
+resource "aws_iam_instance_profile" "k8s-profile" {
+  name = "${var.service_base_name}-instance-profile"
+  role = aws_iam_role.k8s-role.name
+}
\ No newline at end of file
diff --git a/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/s3.tf b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/s3.tf
new file mode 100644
index 0000000..70fc57a
--- /dev/null
+++ b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/s3.tf
@@ -0,0 +1,8 @@
+resource "aws_s3_bucket" "k8s-bucket" {
+  bucket = "${var.service_base_name}-ssn-bucket"
+  acl    = "private"
+  tags = {
+    Name = "${var.service_base_name}-ssn-bucket"
+  }
+  # force_destroy = true
+}
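Review bot: This bucket holds the cluster join command and the kubeadm certificate key uploaded by masters-user-data.sh, yet it has no default encryption, versioning or public-access block; `acl = "private"` alone does not prevent a later bucket policy or object ACL from exposing it. Adding a `server_side_encryption_configuration` block and an `aws_s3_bucket_public_access_block` resource is cheap and matches the `s3:PutEncryptionConfiguration` permission the node policy already grants, which suggests encryption was intended. The name `"${var.service_base_name}-ssn-bucket"` with the default `service_base_name = "k8s"` is also likely to collide in the global bucket namespace; a comment should say the caller must pick a unique prefix.
```hcl
resource "aws_s3_bucket" "k8s-bucket" {
  # … unchanged: bucket, acl, tags …
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }
}

resource "aws_s3_bucket_public_access_block" "k8s-bucket" {
  bucket                  = aws_s3_bucket.k8s-bucket.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```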
diff --git a/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/security_groups.tf b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/security_groups.tf
new file mode 100644
index 0000000..b4a3ea9
--- /dev/null
+++ b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/security_groups.tf
@@ -0,0 +1,47 @@
+data "aws_eip" "k8s-lb-eip" {
+  id = aws_eip.k8s-lb-eip.id
+  depends_on = [aws_lb_listener.k8s-lb-listener]
+}
+
+resource "aws_security_group" "k8s-sg" {
+  name        = "${var.service_base_name}-sg"
+  description = "SG for K8S cluster"
+  vpc_id      = data.aws_vpc.k8s-vpc-data.id
+
+  ingress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = -1
+    cidr_blocks = [data.aws_vpc.k8s-vpc-data.cidr_block]
+  }
+  ingress {
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = var.allowed_cidrs
+  }
+  ingress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = -1
+    cidr_blocks = ["0.0.0.0/0"]
+    description = "Need to be changed in the future"
+  }
+  ingress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = -1
+    cidr_blocks = ["${data.aws_eip.k8s-lb-eip.public_ip}/32", "${data.aws_eip.k8s-lb-eip.private_ip}/32"]
+  }
+
+  egress {
+    from_port   = 0
+    protocol    = -1
+    to_port     = 0
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name = "${var.service_base_name}-sg"
+  }
+}
\ No newline at end of file
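Review bot: The third `ingress` block admits every protocol and port from `0.0.0.0/0`, which makes the preceding SSH rule and `var.allowed_cidrs` irrelevant and exposes every listening service on every node, all the more so when the module-created subnet assigns public IPs at launch. The attached description already says it needs changing; since a network load balancer with instance targets preserves client addresses, the rule the cluster actually needs is TCP 6443 from the CIDRs permitted to use the API server. Narrowing it as below keeps `allowed_cidrs` as the single place where exposure is decided.
```hcl
  ingress {
    from_port   = 6443
    to_port     = 6443
    protocol    = "tcp"
    cidr_blocks = var.allowed_cidrs
    description = "Kubernetes API, reached through the network load balancer"
  }
```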
diff --git a/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/variables.tf b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/variables.tf
new file mode 100644
index 0000000..ac20f77
--- /dev/null
+++ b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/variables.tf
@@ -0,0 +1,33 @@
+variable "service_base_name" {}
+
+variable "vpc_id" {}
+
+variable "vpc_cidr" {}
+
+variable "subnet_id" {}
+
+variable "subnet_cidr" {}
+
+variable "env_os" {}
+
+variable "ami" {}
+
+variable "key_name" {}
+
+variable "region" {}
+
+variable "zone" {}
+
+variable "masters_count" {}
+
+variable "workers_count" {}
+
+variable "root_volume_size" {}
+
+variable "allowed_cidrs" {}
+
+variable "masters_shape" {}
+
+variable "workers_shape" {}
+
+variable "os-user" {}
\ No newline at end of file
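Review bot: None of the module inputs carries a `type` or `description`, so a caller has to read auto_scaling_groups.tf to learn that `ami` is a map keyed by `env_os` and `allowed_cidrs` is a list of CIDR strings. Declaring them, e.g. `variable "allowed_cidrs" { type = list(string)  description = "CIDR ranges allowed to open SSH to the nodes" }`, turns a wrong input into a plan-time error instead of an apply-time failure. The hyphenated `os-user` name is also inconsistent with the underscore style of every other variable in the file.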
diff --git a/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/vpc.tf b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/vpc.tf
new file mode 100644
index 0000000..c5ce7c1
--- /dev/null
+++ b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/vpc.tf
@@ -0,0 +1,54 @@
+resource "aws_vpc" "k8s-vpc" {
+  count = var.vpc_id == "" ? 1 : 0
+  cidr_block           = var.vpc_cidr
+  instance_tenancy     = "default"
+  enable_dns_hostnames = true
+  enable_dns_support   = true
+
+  tags = {
+    Name = "${var.service_base_name}-vpc"
+  }
+}
+
+resource "aws_internet_gateway" "k8s-igw" {
+  count  = var.vpc_id == "" ? 1 : 0
+  vpc_id = aws_vpc.k8s-vpc.0.id
+
+  tags = {
+    Name = "${var.service_base_name}-igw"
+  }
+}
+
+resource "aws_route" "k8s-r" {
+  count                     = var.vpc_id == "" ? 1 : 0
+  route_table_id            = aws_vpc.k8s-vpc.0.main_route_table_id
+  destination_cidr_block    = "0.0.0.0/0"
+  gateway_id                = aws_internet_gateway.k8s-igw.0.id
+}
+
+data "aws_vpc" "k8s-vpc-data" {
+  id = var.vpc_id == "" ? aws_vpc.k8s-vpc.0.id : var.vpc_id
+}
+
+resource "aws_subnet" "k8s-subnet" {
+  count                   = var.subnet_id == "" ? 1 : 0
+  vpc_id                  = data.aws_vpc.k8s-vpc-data.id
+  availability_zone       = "${var.region}${var.zone}"
+  cidr_block              = var.subnet_cidr
+  map_public_ip_on_launch = true
+
+  tags = {
+    Name = "${var.service_base_name}-subnet"
+  }
+}
+
+data "aws_subnet" "k8s-subnet-data" {
+  id = var.subnet_id == "" ? aws_subnet.k8s-subnet.0.id : var.subnet_id
+}
+
+resource "aws_eip" "k8s-lb-eip" {
+  vpc      = true
+  tags = {
+    Name = "${var.service_base_name}-eip"
+  }
+}
\ No newline at end of file
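Review bot: `data "aws_vpc" "k8s-vpc-data"` and `data "aws_subnet" "k8s-subnet-data"` index `aws_vpc.k8s-vpc.0.id` / `aws_subnet.k8s-subnet.0.id` inside a conditional whose other branch is taken when `vpc_id` / `subnet_id` is supplied; if the Terraform release in use evaluates both branches, the zero-count resource turns that into an index-out-of-range error, so the existing-VPC path deserves a `terraform plan` with `vpc_id` set before merge. The usual safe form is `element(concat(aws_vpc.k8s-vpc.*.id, [var.vpc_id]), 0)`. Separately, `map_public_ip_on_launch = true` gives every master and worker a public address even though clients reach the API through the load balancer's EIP; if nodes only need outbound access for package installs, a NAT gateway would let the subnet stay private, and if public addresses are deliberate that trade-off should be recorded in a comment.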

