-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy patheks.tf
91 lines (78 loc) · 2.63 KB
/
eks.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
resource "aws_iam_role" "master-node-role" {
name = "${var.project}-master-node-role"
# Terraform's "jsonencode" function converts a
# Terraform expression result to valid JSON syntax.
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "eks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
}
resource "aws_iam_role_policy_attachment" "AmazonEKSClusterPolicy" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
role = aws_iam_role.master-node-role.name
}
resource "aws_iam_role_policy_attachment" "AmazonEKSServicePolicy" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEKSServicePolicy"
role = aws_iam_role.master-node-role.name
}
resource "aws_eks_cluster" "eks-control-plane" {
name = "${var.project}-dev-eks"
role_arn = aws_iam_role.master-node-role.arn
vpc_config {
subnet_ids = [aws_subnet.public-subnet.id, aws_subnet.private-subnet.id]
}
# Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
# Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
depends_on = [
aws_iam_role_policy_attachment.AmazonEKSClusterPolicy,
]
}
resource "aws_security_group" "master-node-sg" {
name = "master-node-sg"
description = "Cluster communication with worker nodes and internet"
vpc_id = aws_vpc.project_vpc.id
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
tags = {
Name = "${var.project}-master-node-sg"
}
}
resource "aws_security_group_rule" "cluster-inbound" {
description = "Allow worker nodes to communicate with the cluster API Server"
from_port = 443
to_port = 443
protocol = "tcp"
security_group_id = aws_security_group.master-node-sg.id
source_security_group_id = aws_security_group.worker-node-sg.id
type = "ingress"
}
resource "aws_security_group_rule" "cluster-outbound" {
description = "Allow cluster API Server to communicate with the worker nodes"
from_port = 1024
to_port = 65535
protocol = "tcp"
security_group_id = aws_security_group.worker-node-sg.id
source_security_group_id = aws_security_group.master-node-sg.id
type = "egress"
}
/*
eks
create role which can access master node
security group for master node
add inbound rule through which worker node can interact
add outboud rule for internet
*/