Posted to commits@dlab.apache.org by om...@apache.org on 2019/07/01 15:20:59 UTC
[incubator-dlab] 01/01: [DLAB-572]: added Terraform scripts for K8S
infrastructure provisioning and configuration
This is an automated email from the ASF dual-hosted git repository.
omartushevskyi pushed a commit to branch DLAB-terraform
in repository https://gitbox.apache.org/repos/asf/incubator-dlab.git
commit 5d23bfbd59f3c9180951aafd7024e67d0ca2d9c7
Author: Oleh Martushevskyi <Ol...@epam.com>
AuthorDate: Mon Jul 1 18:20:50 2019 +0300
[DLAB-572]: added Terraform scripts for K8S infrastructure provisioning and configuration
---
.../terraform/aws/main/main.tf | 24 ++++
.../terraform/aws/main/variables.tf | 71 +++++++++++
.../aws/modules/ssn-k8s/auto_scaling_groups.tf | 96 ++++++++++++++
.../aws/modules/ssn-k8s/files/assume-policy.json | 13 ++
.../aws/modules/ssn-k8s/files/masters-user-data.sh | 138 +++++++++++++++++++++
.../aws/modules/ssn-k8s/files/ssn-policy.json.tpl | 43 +++++++
.../aws/modules/ssn-k8s/files/workers-user-data.sh | 47 +++++++
.../terraform/aws/modules/ssn-k8s/lb.tf | 33 +++++
.../terraform/aws/modules/ssn-k8s/role_policy.tf | 30 +++++
.../terraform/aws/modules/ssn-k8s/s3.tf | 8 ++
.../aws/modules/ssn-k8s/security_groups.tf | 47 +++++++
.../terraform/aws/modules/ssn-k8s/variables.tf | 33 +++++
.../terraform/aws/modules/ssn-k8s/vpc.tf | 54 ++++++++
13 files changed, 637 insertions(+)
diff --git a/infrastructure-provisioning/terraform/aws/main/main.tf b/infrastructure-provisioning/terraform/aws/main/main.tf
new file mode 100644
index 0000000..881b333
--- /dev/null
+++ b/infrastructure-provisioning/terraform/aws/main/main.tf
@@ -0,0 +1,24 @@
+provider "aws" {
+ region = var.region
+}
+
+module "ssn-k8s" {
+ source = "../modules/ssn-k8s"
+ service_base_name = var.service_base_name
+ vpc_id = var.vpc_id
+ vpc_cidr = var.vpc_cidr
+ subnet_id = var.subnet_id
+ env_os = var.env_os
+ ami = var.ami
+ key_name = var.key_name
+ region = var.region
+ zone = var.zone
+ masters_count = var.masters_count
+ workers_count = var.workers_count
+ root_volume_size = var.root_volume_size
+ allowed_cidrs = var.allowed_cidrs
+ subnet_cidr = var.subnet_cidr
+ masters_shape = var.masters_shape
+ workers_shape = var.workers_shape
+ os-user = var.os-user
+}
diff --git a/infrastructure-provisioning/terraform/aws/main/variables.tf b/infrastructure-provisioning/terraform/aws/main/variables.tf
new file mode 100644
index 0000000..6f86c42
--- /dev/null
+++ b/infrastructure-provisioning/terraform/aws/main/variables.tf
@@ -0,0 +1,71 @@
+variable "region" {
+ default = "us-west-2"
+}
+
+variable "zone" {
+ default = "a"
+}
+
+variable "service_base_name" {
+ default = "k8s"
+}
+
+variable "vpc_id" {
+ default = ""
+}
+
+variable "vpc_cidr" {
+ default = "172.31.0.0/16"
+}
+
+variable "subnet_id" {
+ default = ""
+}
+
+variable "subnet_cidr" {
+ default = "172.31.0.0/24"
+}
+
+variable "env_os" {
+ default = "debian"
+}
+
+variable "ami" {
+ type = "map"
+ default = {
+ "debian" = "ami-08692d171e3cf02d6",
+ "redhat" = ""
+ }
+}
+
+variable "key_name" {
+ default = "BDCC-DSS-POC"
+}
+
+variable "masters_count" {
+ default = 3
+}
+
+variable "workers_count" {
+ default = 2
+}
+
+variable "root_volume_size" {
+ default = 30
+}
+
+variable "allowed_cidrs" {
+ default = ["0.0.0.0/0"]
+}
+
+variable "masters_shape" {
+ default = "t2.medium"
+}
+
+variable "workers_shape" {
+ default = "t2.medium"
+}
+
+variable "os-user" {
+ default = "dlab-user"
+}
\ No newline at end of file
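Review bot: `allowed_cidrs` defaults to `["0.0.0.0/0"]`, so a caller who does not override it gets the SSH rule in security_groups.tf open to the whole Internet, and `key_name` defaults to an environment-specific key pair name that will not exist in other accounts. Drop the defaults on both so Terraform requires them, and give every variable a `description`. The `"redhat"` entry of `ami` is an empty string, which `var.ami[var.env_os]` turns into a launch-configuration error rather than a clear validation message. `type = "map"` is the pre-0.12 quoted form; since the rest of the change uses 0.12 expression syntax, `type = map(string)` is the form to use.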
diff --git a/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/auto_scaling_groups.tf b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/auto_scaling_groups.tf
new file mode 100644
index 0000000..7ba0971
--- /dev/null
+++ b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/auto_scaling_groups.tf
@@ -0,0 +1,96 @@
+data "template_file" "k8s-masters-user-data" {
+ template = file("../modules/ssn-k8s/files/masters-user-data.sh")
+ vars = {
+ k8s-asg = "${var.service_base_name}-master"
+ k8s-region = var.region
+ k8s-bucket-name = aws_s3_bucket.k8s-bucket.id
+ k8s-eip = aws_eip.k8s-lb-eip.public_ip
+ k8s-tg-arn = aws_lb_target_group.k8s-lb-target-group.arn
+ k8s-os-user = var.os-user
+ }
+}
+
+data "template_file" "k8s-workers-user-data" {
+ template = file("../modules/ssn-k8s/files/workers-user-data.sh")
+ vars = {
+ k8s-bucket-name = aws_s3_bucket.k8s-bucket.id
+ k8s-os-user = var.os-user
+ }
+}
+
+resource "aws_launch_configuration" "as_conf_masters" {
+ name = "${var.service_base_name}-as-conf-masters"
+ image_id = var.ami[var.env_os]
+ instance_type = var.masters_shape
+ key_name = var.key_name
+ security_groups = [aws_security_group.k8s-sg.id]
+ iam_instance_profile = aws_iam_instance_profile.k8s-profile.name
+ root_block_device {
+ volume_type = "gp2"
+ volume_size = var.root_volume_size
+ delete_on_termination = true
+ }
+
+ lifecycle {
+ create_before_destroy = true
+ }
+ user_data = data.template_file.k8s-masters-user-data.rendered
+}
+
+resource "aws_launch_configuration" "as_conf_workers" {
+ name = "${var.service_base_name}-as-conf-workers"
+ image_id = var.ami[var.env_os]
+ instance_type = var.workers_shape
+ key_name = var.key_name
+ security_groups = [aws_security_group.k8s-sg.id]
+ iam_instance_profile = aws_iam_instance_profile.k8s-profile.name
+ root_block_device {
+ volume_type = "gp2"
+ volume_size = var.root_volume_size
+ delete_on_termination = true
+ }
+
+ lifecycle {
+ create_before_destroy = true
+ }
+ user_data = data.template_file.k8s-workers-user-data.rendered
+}
+
+resource "aws_autoscaling_group" "autoscaling_group_masters" {
+ name = "${var.service_base_name}-master"
+ launch_configuration = aws_launch_configuration.as_conf_masters.name
+ min_size = var.masters_count
+ max_size = var.masters_count
+ vpc_zone_identifier = [data.aws_subnet.k8s-subnet-data.id]
+ target_group_arns = [aws_lb_target_group.k8s-lb-target-group.arn]
+
+ lifecycle {
+ create_before_destroy = true
+ }
+ tags = [
+ {
+ key = "Name"
+ value = "${var.service_base_name}-master"
+ propagate_at_launch = true
+ }
+ ]
+}
+
+resource "aws_autoscaling_group" "autoscaling_group_workers" {
+ name = "${var.service_base_name}-worker"
+ launch_configuration = aws_launch_configuration.as_conf_workers.name
+ min_size = var.workers_count
+ max_size = var.workers_count
+ vpc_zone_identifier = [data.aws_subnet.k8s-subnet-data.id]
+
+ lifecycle {
+ create_before_destroy = true
+ }
+ tags = [
+ {
+ key = "Name"
+ value = "${var.service_base_name}-worker"
+ propagate_at_launch = true
+ }
+ ]
+}
\ No newline at end of file
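Review bot: `file("../modules/ssn-k8s/files/masters-user-data.sh")` in the first `template_file` resolves relative to the directory Terraform is run from, not this module, so the module only works when applied from `main/`; the same applies to the workers template here and to the `template` and `assume_role_policy` lines in role_policy.tf. The portable form is `template = file("${path.module}/files/masters-user-data.sh")`. Both `aws_launch_configuration` resources combine a fixed `name` with `create_before_destroy = true`, which cannot work on replacement because the new configuration would collide with the old name; use `name_prefix = "${var.service_base_name}-as-conf-masters-"` (and the worker equivalent) instead.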
diff --git a/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/files/assume-policy.json b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/files/assume-policy.json
new file mode 100644
index 0000000..680b6f8
--- /dev/null
+++ b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/files/assume-policy.json
@@ -0,0 +1,13 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Action": "sts:AssumeRole",
+ "Principal": {
+ "Service": "ec2.amazonaws.com"
+ },
+ "Effect": "Allow",
+ "Sid": ""
+ }
+ ]
+}
\ No newline at end of file
diff --git a/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/files/masters-user-data.sh b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/files/masters-user-data.sh
new file mode 100644
index 0000000..0dd15d1
--- /dev/null
+++ b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/files/masters-user-data.sh
@@ -0,0 +1,138 @@
+#!/bin/bash
+set -ex
+
+check_tokens () {
+RUN=`aws s3 ls s3://${k8s-bucket-name}/k8s/masters/ > /dev/null && echo "true" || echo "false"`
+sleep 5
+}
+
+check_elb_status () {
+RUN=`aws elbv2 describe-target-health --target-group-arn ${k8s-tg-arn} --region ${k8s-region} | \
+ jq -r '.TargetHealthDescriptions[].TargetHealth.State' | \
+ grep "^healthy" > /dev/null && echo "true" || echo "false"`
+sleep 5
+}
+
+# Creating DLab user
+sudo useradd -m -G sudo -s /bin/bash ${k8s-os-user}
+sudo bash -c 'echo "${k8s-os-user} ALL = NOPASSWD:ALL" >> /etc/sudoers'
+sudo mkdir /home/${k8s-os-user}/.ssh
+sudo bash -c 'cat /home/ubuntu/.ssh/authorized_keys > /home/${k8s-os-user}/.ssh/authorized_keys'
+sudo chown -R ${k8s-os-user}:${k8s-os-user} /home/${k8s-os-user}/
+sudo chmod 700 /home/${k8s-os-user}/.ssh
+sudo chmod 600 /home/${k8s-os-user}/.ssh/authorized_keys
+
+sudo apt-get update
+sudo apt-get install -y python-pip jq
+sudo pip install -U pip
+sudo pip install awscli
+
+local_ip=`curl http://169.254.169.254/latest/meta-data/local-ipv4`
+first_master_ip=`aws autoscaling describe-auto-scaling-instances --region ${k8s-region} --output text --query \
+ "AutoScalingInstances[?AutoScalingGroupName=='${k8s-asg}'].InstanceId" | xargs -n1 aws ec2 \
+ describe-instances --instance-ids $ID --region ${k8s-region} --query \
+ "Reservations[].Instances[].PrivateIpAddress" --output text | sort | head -n1`
+
+# installing Docker
+sudo bash -c 'curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -'
+sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
+sudo apt-get update
+sudo apt-get install -y docker-ce
+sudo systemctl enable docker
+# installing kubeadm, kubelet and kubectl
+sudo apt-get install -y apt-transport-https curl
+sudo bash -c 'curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add -'
+sudo bash -c 'echo "deb http://apt.kubernetes.io/ kubernetes-xenial main" > /etc/apt/sources.list.d/kubernetes.list'
+sudo apt-get update
+sudo apt-get install -y kubelet kubeadm kubectl
+
+check_tokens
+if [[ $local_ip == $first_master_ip ]] && [[ $RUN == "false" ]];then
+cat <<EOF > /tmp/kubeadm-config.yaml
+apiVersion: kubeadm.k8s.io/v1beta2
+kind: ClusterConfiguration
+kubernetesVersion: stable
+apiServerCertSANs:
+ - ${k8s-eip}
+controlPlaneEndpoint: "${k8s-eip}:6443"
+EOF
+sudo kubeadm init --config=/tmp/kubeadm-config.yaml --upload-certs
+while check_elb_status
+do
+ if [[ $RUN == "false" ]];
+ then
+ echo "Waiting for LB healthy status..."
+ else
+ echo "LB status is healthy!"
+ break
+ fi
+done
+sudo mkdir -p /home/${k8s-os-user}/.kube
+sudo cp -i /etc/kubernetes/admin.conf /home/${k8s-os-user}/.kube/config
+sudo chown -R ${k8s-os-user}:${k8s-os-user} /home/${k8s-os-user}/.kube
+sudo kubeadm token create --print-join-command > /tmp/join_command
+sudo kubeadm init phase upload-certs --upload-certs | grep -v "upload-certs" > /tmp/cert_key
+sudo -i -u ${k8s-os-user} kubectl apply -f \
+ "https://cloud.weave.works/k8s/net?k8s-version=$(sudo -i -u ${k8s-os-user} kubectl version | base64 | tr -d '\n')"
+sleep 60
+aws s3 cp /tmp/join_command s3://${k8s-bucket-name}/k8s/masters/join_command
+aws s3 cp /tmp/cert_key s3://${k8s-bucket-name}/k8s/masters/cert_key
+sudo rm -f /tmp/join_command
+sudo rm -f /tmp/cert_key
+else
+while check_tokens
+do
+ if [[ $RUN == "false" ]];
+ then
+ echo "Waiting for initial cluster initialization..."
+ else
+ echo "Initial cluster initialized!"
+ break
+ fi
+done
+aws s3 cp s3://${k8s-bucket-name}/k8s/masters/join_command /tmp/join_command
+aws s3 cp s3://${k8s-bucket-name}/k8s/masters/cert_key /tmp/cert_key
+join_command=`cat /tmp/join_command`
+cert_key=`cat /tmp/cert_key`
+sudo $join_command --control-plane --certificate-key $cert_key
+sudo mkdir -p /home/${k8s-os-user}/.kube
+sudo cp -i /etc/kubernetes/admin.conf /home/${k8s-os-user}/.kube/config
+sudo chown -R ${k8s-os-user}:${k8s-os-user} /home/${k8s-os-user}/.kube
+fi
+cat <<EOF > /tmp/update_files.sh
+#!/bin/bash
+sudo kubeadm token create --print-join-command > /tmp/join_command
+sudo kubeadm init phase upload-certs --upload-certs | grep -v "upload-certs" > /tmp/cert_key
+aws s3 cp /tmp/join_command s3://${k8s-bucket-name}/k8s/masters/join_command
+aws s3 cp /tmp/cert_key s3://${k8s-bucket-name}/k8s/masters/cert_key
+sudo rm -f /tmp/join_command
+sudo rm -f /tmp/cert_key
+EOF
+sudo mv /tmp/update_files.sh /usr/local/bin/update_files.sh
+sudo chmod 755 /usr/local/bin/update_files.sh
+sudo bash -c 'echo "0 0 * * * root /usr/local/bin/update_files.sh" >> /etc/crontab'
+
+cat <<EOF > /tmp/remove-etcd-member.sh
+#!/bin/bash
+hostname=\$(/bin/hostname)
+not_ready_node=\$(/usr/bin/sudo -i -u ${k8s-os-user} /usr/bin/kubectl get nodes | grep NotReady | grep master | awk '{print \$1}')
+if [[ \$not_ready_node != "" ]]; then
+etcd_pod_name=\$(/usr/bin/sudo -i -u ${k8s-os-user} /usr/bin/kubectl get pods -n kube-system | /bin/grep etcd \
+ | /bin/grep "\$hostname" | /usr/bin/awk '{print \$1}')
+etcd_member_id=\$(/usr/bin/sudo -i -u ${k8s-os-user} /usr/bin/kubectl -n kube-system exec -it \$etcd_pod_name \
+ -- /bin/sh -c "ETCDCTL_API=3 etcdctl member list --endpoints=https://[127.0.0.1]:2379 \
+ --cacert=/etc/kubernetes/pki/etcd/ca.crt --cert=/etc/kubernetes/pki/etcd/healthcheck-client.crt \
+ --key=/etc/kubernetes/pki/etcd/healthcheck-client.key" | /bin/grep ", \$not_ready_node" | /usr/bin/awk -F',' '{print \$1}')
+/usr/bin/sudo -i -u ${k8s-os-user} /usr/bin/kubectl -n kube-system exec -it \$etcd_pod_name \
+ -- /bin/sh -c "ETCDCTL_API=3 etcdctl member remove \$etcd_member_id --endpoints=https://[127.0.0.1]:2379 \
+ --cacert=/etc/kubernetes/pki/etcd/ca.crt --cert=/etc/kubernetes/pki/etcd/healthcheck-client.crt \
+ --key=/etc/kubernetes/pki/etcd/healthcheck-client.key"
+/usr/bin/sudo -i -u ${k8s-os-user} /usr/bin/kubectl delete node \$not_ready_node
+
+fi
+
+EOF
+sudo mv /tmp/remove-etcd-member.sh /usr/local/bin/remove-etcd-member.sh
+sudo chmod 755 /usr/local/bin/remove-etcd-member.sh
+sleep 600
+sudo bash -c 'echo "* * * * * root /usr/local/bin/remove-etcd-member.sh >> /var/log/cron_k8s.log 2>&1" >> /etc/crontab'
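Review bot: `set -ex` on the second line traces every expanded command into the cloud-init output log, so the `sudo $join_command --control-plane --certificate-key $cert_key` line records the bootstrap token and the certificate key — together sufficient to join the control plane — in a plain-text log on the instance; use `set -e` here and enable `-x` only around the non-sensitive sections. `sudo bash -c 'echo "${k8s-os-user} ALL = NOPASSWD:ALL" >> /etc/sudoers'` appends to the main sudoers file without validation (the same line appears in workers-user-data.sh); a drop-in is safer: `echo "${k8s-os-user} ALL=(ALL) NOPASSWD:ALL" | sudo tee /etc/sudoers.d/${k8s-os-user} >/dev/null && sudo chmod 440 /etc/sudoers.d/${k8s-os-user}`. `$ID` in the `first_master_ip` pipeline is never assigned, so the instance id supplied by xargs lands at the end of the command line rather than after `--instance-ids`; `xargs -n1 -I{} aws ec2 describe-instances --instance-ids {} --region ${k8s-region} ...` is presumably what was intended. The join command and certificate key are also uploaded to the bucket with no encryption configured on it (see s3.tf).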
diff --git a/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/files/ssn-policy.json.tpl b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/files/ssn-policy.json.tpl
new file mode 100644
index 0000000..3532064
--- /dev/null
+++ b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/files/ssn-policy.json.tpl
@@ -0,0 +1,43 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": "s3:ListAllMyBuckets",
+ "Resource": "arn:aws:s3:::*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "s3:ListBucket",
+ "s3:GetBucketLocation",
+ "s3:PutBucketPolicy",
+ "s3:PutEncryptionConfiguration"
+ ],
+ "Resource": [
+ "${bucket_arn}"
+ ]
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "s3:HeadObject",
+ "s3:PutObject",
+ "s3:GetObject",
+ "s3:DeleteObject"
+ ],
+ "Resource": [
+ "${bucket_arn}/*"
+ ]
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "autoscaling:DescribeAutoScalingInstances",
+ "ec2:DescribeInstances",
+ "elasticloadbalancing:DescribeTargetHealth"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
\ No newline at end of file
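Review bot: The second statement grants `s3:PutBucketPolicy` and `s3:PutEncryptionConfiguration` on the bucket to every node, yet neither user-data script calls them; with `PutBucketPolicy` any node can rewrite who may read the bucket that holds the join command and certificate key, so both actions should be removed. `s3:HeadObject` does not appear to be an IAM action — the HeadObject API is authorised by `s3:GetObject`, which is already listed — so that entry can go as well. The policy is attached to the role both masters and workers run under (role_policy.tf), so the write actions in the third statement apply to workers too.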
diff --git a/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/files/workers-user-data.sh b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/files/workers-user-data.sh
new file mode 100644
index 0000000..d85a99e
--- /dev/null
+++ b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/files/workers-user-data.sh
@@ -0,0 +1,47 @@
+#!/bin/bash
+set -e
+
+check_tokens () {
+RUN=`aws s3 ls s3://${k8s-bucket-name}/k8s/masters/ > /dev/null && echo "true" || echo "false"`
+sleep 5
+}
+
+# Creating DLab user
+sudo useradd -m -G sudo -s /bin/bash ${k8s-os-user}
+sudo bash -c 'echo "${k8s-os-user} ALL = NOPASSWD:ALL" >> /etc/sudoers'
+sudo mkdir /home/${k8s-os-user}/.ssh
+sudo bash -c 'cat /home/ubuntu/.ssh/authorized_keys > /home/${k8s-os-user}/.ssh/authorized_keys'
+sudo chown -R ${k8s-os-user}:${k8s-os-user} /home/${k8s-os-user}/
+sudo chmod 700 /home/${k8s-os-user}/.ssh
+sudo chmod 600 /home/${k8s-os-user}/.ssh/authorized_keys
+
+sudo apt-get update
+sudo apt-get install -y python-pip
+sudo pip install -U pip
+sudo pip install awscli
+
+# installing Docker
+sudo bash -c 'curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -'
+sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
+sudo apt-get update
+sudo apt-get install -y docker-ce
+sudo systemctl enable docker
+# installing kubeadm, kubelet and kubectl
+sudo apt-get install -y apt-transport-https curl
+sudo bash -c 'curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add -'
+sudo bash -c 'echo "deb http://apt.kubernetes.io/ kubernetes-xenial main" > /etc/apt/sources.list.d/kubernetes.list'
+sudo apt-get update
+sudo apt-get install -y kubelet kubeadm kubectl
+while check_tokens
+do
+ if [[ $RUN == "false" ]];
+ then
+ echo "Waiting for initial cluster initialization..."
+ else
+ echo "Initial cluster initialized!"
+ break
+ fi
+done
+aws s3 cp s3://${k8s-bucket-name}/k8s/masters/join_command /tmp/join_command
+join_command=`cat /tmp/join_command`
+sudo $join_command
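Review bot: `sudo $join_command` on the last line runs whatever `/tmp/join_command` contains as root with no check, so every principal able to write to the bucket effectively has root on each node that boots afterwards, and the role the workers run under currently has that write access (ssn-policy.json.tpl). At minimum confirm the fetched text is a join command before executing it, `[[ $join_command == "kubeadm join "* ]] || { echo "unexpected join_command content" >&2; exit 1; }`, and keep workers on a read-only role (see role_policy.tf). Unlike the masters script this one uses `set -e` without `-x`, so the token is not traced here.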
diff --git a/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/lb.tf b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/lb.tf
new file mode 100644
index 0000000..277d893
--- /dev/null
+++ b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/lb.tf
@@ -0,0 +1,33 @@
+resource "aws_lb" "k8s-lb" {
+ name = "${var.service_base_name}-lb"
+ load_balancer_type = "network"
+
+ subnet_mapping {
+ subnet_id = data.aws_subnet.k8s-subnet-data.id
+ allocation_id = aws_eip.k8s-lb-eip.id
+ }
+ tags = {
+ Name = "${var.service_base_name}-lb"
+ }
+}
+
+resource "aws_lb_target_group" "k8s-lb-target-group" {
+ name = "${var.service_base_name}-lb-target-group"
+ port = 6443
+ protocol = "TCP"
+ vpc_id = data.aws_vpc.k8s-vpc-data.id
+ tags = {
+ Name = "${var.service_base_name}-lb-target-group"
+ }
+}
+
+resource "aws_lb_listener" "k8s-lb-listener" {
+ load_balancer_arn = aws_lb.k8s-lb.arn
+ port = "6443"
+ protocol = "TCP"
+
+ default_action {
+ type = "forward"
+ target_group_arn = aws_lb_target_group.k8s-lb-target-group.arn
+ }
+}
\ No newline at end of file
diff --git a/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/role_policy.tf b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/role_policy.tf
new file mode 100644
index 0000000..bb7ce24
--- /dev/null
+++ b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/role_policy.tf
@@ -0,0 +1,30 @@
+data "template_file" "k8s-s3-policy" {
+ template = file("../modules/ssn-k8s/files/ssn-policy.json.tpl")
+ vars = {
+ bucket_arn = aws_s3_bucket.k8s-bucket.arn
+ }
+}
+
+resource "aws_iam_policy" "k8s-policy" {
+ name = "${var.service_base_name}-policy"
+ description = "Policy for K8S"
+ policy = data.template_file.k8s-s3-policy.rendered
+}
+
+resource "aws_iam_role" "k8s-role" {
+ name = "${var.service_base_name}-role"
+ assume_role_policy = file("../modules/ssn-k8s/files/assume-policy.json")
+ tags = {
+ Name = "${var.service_base_name}-role"
+ }
+}
+
+resource "aws_iam_role_policy_attachment" "k8s-attach" {
+ role = aws_iam_role.k8s-role.name
+ policy_arn = aws_iam_policy.k8s-policy.arn
+}
+
+resource "aws_iam_instance_profile" "k8s-profile" {
+ name = "${var.service_base_name}-instance-profile"
+ role = aws_iam_role.k8s-role.name
+}
\ No newline at end of file
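Review bot: A single `aws_iam_instance_profile.k8s-profile` is attached to both launch configurations in auto_scaling_groups.tf, so workers carry the masters' role and, through ssn-policy.json.tpl, can put and delete objects in the bucket whose contents masters-user-data.sh and workers-user-data.sh execute as root on every new node; a compromised worker could therefore dictate what future masters join. Workers only list `k8s/masters/` and read `join_command`, so they should get a second, read-only role and profile, with the existing role left to the masters. The sketch below adds that role; the workers launch configuration would then reference `aws_iam_instance_profile.k8s-worker-profile.name`.
```hcl
resource "aws_iam_role" "k8s-worker-role" {
  name               = "${var.service_base_name}-worker-role"
  assume_role_policy = file("${path.module}/files/assume-policy.json")
}

resource "aws_iam_role_policy" "k8s-worker-policy" {
  name = "${var.service_base_name}-worker-policy"
  role = aws_iam_role.k8s-worker-role.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["s3:ListBucket", "s3:GetObject"]
      Resource = [
        aws_s3_bucket.k8s-bucket.arn,
        "${aws_s3_bucket.k8s-bucket.arn}/k8s/masters/join_command"
      ]
    }]
  })
}

resource "aws_iam_instance_profile" "k8s-worker-profile" {
  name = "${var.service_base_name}-worker-instance-profile"
  role = aws_iam_role.k8s-worker-role.name
}
# … unchanged: k8s-s3-policy, k8s-policy, k8s-role, k8s-attach, k8s-profile (masters) …
```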
diff --git a/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/s3.tf b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/s3.tf
new file mode 100644
index 0000000..70fc57a
--- /dev/null
+++ b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/s3.tf
@@ -0,0 +1,8 @@
+resource "aws_s3_bucket" "k8s-bucket" {
+ bucket = "${var.service_base_name}-ssn-bucket"
+ acl = "private"
+ tags = {
+ Name = "${var.service_base_name}-ssn-bucket"
+ }
+ # force_destroy = true
+}
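Review bot: This bucket receives the kubeadm join command and certificate key from masters-user-data.sh, but the resource sets only `acl = "private"`: no default server-side encryption, no versioning and no public-access block, so a later ACL or policy change (the node role is even granted `s3:PutBucketPolicy`) could expose the cluster's bootstrap secrets. Adding default encryption and versioning is a small change, and an `aws_s3_bucket_public_access_block` for the bucket would guard against accidental public grants. The bucket name is global, so the default `k8s-ssn-bucket` is likely to collide; a name that includes an account- or deployment-specific component is more robust.
```hcl
resource "aws_s3_bucket" "k8s-bucket" {
  bucket = "${var.service_base_name}-ssn-bucket"
  acl    = "private"
  versioning {
    enabled = true
  }
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }
  # … unchanged: tags, force_destroy comment …
}
```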
diff --git a/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/security_groups.tf b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/security_groups.tf
new file mode 100644
index 0000000..b4a3ea9
--- /dev/null
+++ b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/security_groups.tf
@@ -0,0 +1,47 @@
+data "aws_eip" "k8s-lb-eip" {
+ id = aws_eip.k8s-lb-eip.id
+ depends_on = [aws_lb_listener.k8s-lb-listener]
+}
+
+resource "aws_security_group" "k8s-sg" {
+ name = "${var.service_base_name}-sg"
+ description = "SG for K8S cluster"
+ vpc_id = data.aws_vpc.k8s-vpc-data.id
+
+ ingress {
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ cidr_blocks = [data.aws_vpc.k8s-vpc-data.cidr_block]
+ }
+ ingress {
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+ cidr_blocks = var.allowed_cidrs
+ }
+ ingress {
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ cidr_blocks = ["0.0.0.0/0"]
+ description = "Need to be changed in the future"
+ }
+ ingress {
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ cidr_blocks = ["${data.aws_eip.k8s-lb-eip.public_ip}/32", "${data.aws_eip.k8s-lb-eip.private_ip}/32"]
+ }
+
+ egress {
+ from_port = 0
+ protocol = -1
+ to_port = 0
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ tags = {
+ Name = "${var.service_base_name}-sg"
+ }
+}
\ No newline at end of file
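Review bot: The third `ingress` block (protocol -1, `0.0.0.0/0`, described as "Need to be changed in the future") opens every port on every node to the Internet, which makes the `allowed_cidrs` SSH rule and the EIP rule beside it redundant and exposes kubelet, etcd and any NodePort service directly. The only external traffic the rest of the module routes to the nodes is the NLB forwarding to 6443, and an NLB with instance targets presents the client's source address, so this rule can be narrowed to TCP 6443 from `var.allowed_cidrs`; the NLB health checks originate inside the VPC and are already covered by the first block. The `"Need to be changed in the future"` description should not survive the merge.
```hcl
  ingress {
    from_port   = 6443
    to_port     = 6443
    protocol    = "tcp"
    cidr_blocks = var.allowed_cidrs
    description = "Kubernetes API, reached through the NLB"
  }
  # … unchanged: VPC-internal, SSH, EIP ingress blocks, egress, tags …
```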
diff --git a/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/variables.tf b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/variables.tf
new file mode 100644
index 0000000..ac20f77
--- /dev/null
+++ b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/variables.tf
@@ -0,0 +1,33 @@
+variable "service_base_name" {}
+
+variable "vpc_id" {}
+
+variable "vpc_cidr" {}
+
+variable "subnet_id" {}
+
+variable "subnet_cidr" {}
+
+variable "env_os" {}
+
+variable "ami" {}
+
+variable "key_name" {}
+
+variable "region" {}
+
+variable "zone" {}
+
+variable "masters_count" {}
+
+variable "workers_count" {}
+
+variable "root_volume_size" {}
+
+variable "allowed_cidrs" {}
+
+variable "masters_shape" {}
+
+variable "workers_shape" {}
+
+variable "os-user" {}
\ No newline at end of file
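Review bot: Every variable is declared as an empty block, so the module accepts any value without a type check and gives callers no description of what is expected; the hyphenated `os-user` also breaks with the underscore convention used by every other name. Declare types and descriptions, for example `variable "allowed_cidrs" { type = list(string); description = "CIDR ranges allowed to reach the nodes over SSH" }` and `variable "ami" { type = map(string) }`, so that bad inputs fail at plan time rather than inside a launch configuration.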
diff --git a/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/vpc.tf b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/vpc.tf
new file mode 100644
index 0000000..c5ce7c1
--- /dev/null
+++ b/infrastructure-provisioning/terraform/aws/modules/ssn-k8s/vpc.tf
@@ -0,0 +1,54 @@
+resource "aws_vpc" "k8s-vpc" {
+ count = var.vpc_id == "" ? 1 : 0
+ cidr_block = var.vpc_cidr
+ instance_tenancy = "default"
+ enable_dns_hostnames = true
+ enable_dns_support = true
+
+ tags = {
+ Name = "${var.service_base_name}-vpc"
+ }
+}
+
+resource "aws_internet_gateway" "k8s-igw" {
+ count = var.vpc_id == "" ? 1 : 0
+ vpc_id = aws_vpc.k8s-vpc.0.id
+
+ tags = {
+ Name = "${var.service_base_name}-igw"
+ }
+}
+
+resource "aws_route" "k8s-r" {
+ count = var.vpc_id == "" ? 1 : 0
+ route_table_id = aws_vpc.k8s-vpc.0.main_route_table_id
+ destination_cidr_block = "0.0.0.0/0"
+ gateway_id = aws_internet_gateway.k8s-igw.0.id
+}
+
+data "aws_vpc" "k8s-vpc-data" {
+ id = var.vpc_id == "" ? aws_vpc.k8s-vpc.0.id : var.vpc_id
+}
+
+resource "aws_subnet" "k8s-subnet" {
+ count = var.subnet_id == "" ? 1 : 0
+ vpc_id = data.aws_vpc.k8s-vpc-data.id
+ availability_zone = "${var.region}${var.zone}"
+ cidr_block = var.subnet_cidr
+ map_public_ip_on_launch = true
+
+ tags = {
+ Name = "${var.service_base_name}-subnet"
+ }
+}
+
+data "aws_subnet" "k8s-subnet-data" {
+ id = var.subnet_id == "" ? aws_subnet.k8s-subnet.0.id : var.subnet_id
+}
+
+resource "aws_eip" "k8s-lb-eip" {
+ vpc = true
+ tags = {
+ Name = "${var.service_base_name}-eip"
+ }
+}
\ No newline at end of file
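Review bot: `map_public_ip_on_launch = true` on `aws_subnet.k8s-subnet` gives every master and worker a public address, even though the NLB's EIP is the intended entry point; together with the open security group this puts the nodes themselves on the Internet, so unless SSH through `allowed_cidrs` genuinely requires it, the subnet should be private and access routed through the load balancer or a bastion. When `vpc_id` is supplied and only the subnet is created, no internet gateway or default route is added and the new subnet falls back to the existing VPC's main route table; presumably that table already has a default route, but the module does not check it, so a short comment on the `count` line stating that assumption would help callers.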