├── .gitignore
├── LICENSE
├── README.md
├── bootstrap-rke-cluster.png
├── infra-live
    └── dev
    │   └── app-environment
    │       └── terragrunt.hcl
├── infra-modules
    └── app-environment
    │   ├── bastion-asg
    │       ├── autoscaling_group.tf
    │       ├── bastion_userdata.sh
    │       ├── iam.tf
    │       └── vars.tf
    │   ├── cluster-asg
    │       ├── autoscaling_group.tf
    │       ├── iam.tf
    │       ├── master_userdata.sh
    │       └── vars.tf
    │   ├── cluster-worker-asg
    │       ├── autoscaling_group.tf
    │       ├── iam.tf
    │       ├── vars.tf
    │       └── worker_userdata.sh
    │   ├── main.tf
    │   ├── variables.tf
    │   └── vpc
    │       ├── control_plane_sg.tf
    │       ├── data_plane_sg.tf
    │       ├── nat_gateway.tf
    │       ├── nlb.tf
    │       ├── output.tf
    │       ├── public_sg.tf
    │       ├── vars.tf
    │       └── vpc.tf
├── openSUSE-Leap-AWS.png
├── rke-aws-k8s.png
├── rke-cluster-config
    └── cluster.yml
└── terragrunt.hcl


/.gitignore:
--------------------------------------------------------------------------------
 1 | .DS_Store
 2 | .idea
 3 | *.iml
 4 | **/.terragrunt-cache/*
 5 | 
 6 | # Local .terraform directories
 7 | **/.terraform/*
 8 | 
 9 | # Terragrunt generated files
10 | backend.tf
11 | 
12 | # .tfstate files
13 | *.tfstate
14 | *.tfstate.*
15 | .idea/*
16 | 
17 | # .tfvars files
18 | sensitive.tfvars
19 | 
20 | # Crash log files
21 | crash.log
22 | 
23 | # Ignore override files as they are usually used to override resources locally and so
24 | # are not checked in
25 | override.tf
26 | override.tf.json
27 | *_override.tf
28 | *_override.tf.json
29 | 
30 | # Include override files you do wish to add to version control using negated pattern
31 | #
32 | # !example_override.tf
33 | 
34 | # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
35 | # example: *tfplan*
36 | 
37 | *.pem
38 | 
39 | *config.txt


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2021 Lukonde Mwila
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # Bootstrap RKE Kubernetes Cluster in AWS Environment
  2 | This repository contains source code to bootstrap an RKE Kubernetes cluster in AWS with a single command, provided you have met all the prerequisites and followed the initial configuration steps. 
  3 | 
  4 | ![RKE AWS K8S](./rke-aws-k8s.png)
  5 | 
  6 | ## Architecture Overview
  7 | The diagram below depicts the overall architecture for the network VPC and the Auto Scaling Groups that are used for the RKE Kubernetes cluster.
  8 | 
  9 | ![Architecture Overview](./bootstrap-rke-cluster.png)
 10 | 
 11 | ## Prerequisites
 12 | * AWS account
 13 | * AWS profile configured with CLI on local machine
 14 | * [Terraform](https://www.terraform.io/downloads.html)
 15 | * [Terragrunt](https://terragrunt.gruntwork.io/docs/getting-started/install/)
 16 | * Understanding of how Rancher Kubernetes Engine (RKE) works.
 17 | 
 18 | ## Project Structure
 19 | ```
 20 | ├── README.md
 21 | ├── infra-live
 22 | |  └── dev
 23 | ├── infra-modules
 24 | |  └── app-environment
 25 | ├── rke-cluster-config
 26 | |  └── cluster.yml
 27 | ├── sensitive.tfvars (not committed to Git repo)
 28 | └── terragrunt.hcl
 29 | ```
 30 | 
 31 | ## Initial Configuration
 32 | Before running the provisioning command, make sure to follow these initial steps.
 33 | 
 34 | *This project uses Terragrunt which is a wrapper for Terraform to make Terraform code more [DRY](https://terragrunt.gruntwork.io/docs/features/keep-your-terraform-code-dry/) and easy to reuse for multiple environments. Terragrunt commands are similar to Terraform commands (i.e. instead of `terraform apply` run `terragrunt apply`).*
 35 | 
 36 | ### RKE Cluster Configuration
 37 | Create an S3 bucket that will be used to store the cluster configuration for your RKE K8s cluster. 
 38 | 
 39 | ```aws s3api create-bucket --bucket <bucket-name> --region <region> --create-bucket-configuration LocationConstraint=<region>```
 40 | 
 41 | An example of the cluster config file can be found in the `rke-cluster-config` directory. Make sure you *DO NOT* populate the nodes property, this will be handled automatically by the scripts in the userdata during the infrastructure provisioning process. Once you have finalized your cluster.yml file, upload it to the S3 bucket you just created.
 42 | 
 43 | ```
 44 | aws s3 cp ./cluster.yml s3://your-rke-cluster-config-bucket
 45 | ```
 46 | 
 47 | ### SSH Key for Cluster Nodes
 48 | Create an SSH key that will be used to establish connections with the node(s) in your cluster. You can do this from the AWS Console in the EC2 section. Upon creation, the *.pem* file will be automatically downloaded. You can upload this file to `your-rke-cluster-config-bucket`.
 49 | 
 50 | ```
 51 | aws s3 cp ./ec2-ssh-key.pem s3://your-rke-cluster-config-bucket
 52 | ```
 53 | 
 54 | *Take note of the name you give to this SSH Key because you will need to provide it as a variable value in the sensitive.tfvars file later.*
 55 | 
 56 | ### Subscribe to openSUSE Leap in AWS Marketplace
 57 | The nodes in this project are provision with openSUSE Leap 15.2. In order to use this OS, you need to subscribe to it [here](https://aws.amazon.com/marketplace/pp/prodview-wn2xje27ui45o). You will need to be logged into the AWS account that you will use to provision this infrastructure. It is available for the *free tier* in AWS.
 58 | 
 59 | ![openSUSE Leap in AWS Marketplace](./openSUSE-Leap-AWS.png)
 60 | 
 61 | ### Remote Backend State Configuration
 62 | To configure remote backend state for your infrastructure, create an S3 bucket and DynamoDB table before running *terragrunt init*. You can populate the parent terragrunt configuration file (terragrunt.hcl) in the root directory with your respective values for the bucket name (your-terraform-state-bucket) and table name (your-terraform-lock-table). In this same config file, you can update the region and aws profile name.
 63 | 
 64 | #### Create S3 Bucket for State Backend
 65 | ```aws s3api create-bucket --bucket <bucket-name> --region <region> --create-bucket-configuration LocationConstraint=<region>```
 66 | 
 67 | #### Create DynamoDB table for State Locking
 68 | ```aws dynamodb create-table --table-name <table-name> --attribute-definitions AttributeName=LockID,AttributeType=S --key-schema AttributeName=LockID,KeyType=HASH --provisioned-throughput ReadCapacityUnits=1,WriteCapacityUnits=1```
 69 | 
 70 | ### Create `sensitive.tfvars` file
 71 | Your child terragrunt conig files (`infra-life/dev/app-environment/terragrunt.hcl`) is set up to read any sensitive variable values from a file called `sensitive.tfvars` at the root directory. This file is not committed to the Git repo. The contents of the file can be as follows:
 72 | ```
 73 | profile="k8s-deployer"
 74 | region="eu-west-1"
 75 | cluster_name="my-rke-cluster"
 76 | key_name="my-ec2-ssh-key" 
 77 | ```
 78 | 
 79 | ## Provision Infrastructure & RKE Cluster
 80 | Once you've completed all the above steps in the initial configuration, redirect to the `infra-live/dev/app-environment` directory and run the following commands:
 81 | 
 82 | ```
 83 | terragrunt init
 84 | terragrunt plan
 85 | terragrunt apply -auto-approve
 86 | ```
 87 | 
 88 | To create the infrastructure for separate environments, create separate folders in `infra-live` such as `infra-live/test/app-environment` and `infra-live/prod/app-environment` with the same terragrunt.tf file located in `infra-live/dev/app-environment`.
 89 | 
 90 | Modify the Terragrunt config file input block for other environments to the relevant name:
 91 | ### Dev
 92 | ```
 93 | inputs = {
 94 |   environment    = "dev"
 95 | }
 96 | ```
 97 | ### Test
 98 | ```
 99 | inputs = {
100 |   environment    = "test"
101 | }
102 | ```
103 | ### Prod
104 | ```
105 | inputs = {
106 |   environment    = "prod"
107 | }
108 | ```
109 | 
110 | *Remember to update the secret name when creating the infrastructure for additional environments.*
111 | 
112 | To destroy the infrastructure run the `terrargunt destroy` command from the same location. 
113 | 
114 | ## How Does It All Work?
115 | ### Automated Steps
116 | 1. VPC is provisioned by Terraform.
117 | 2. Control plane node(s) is provisioned by Terraform. The userdata script prepares the node(s) (i.e. software installation and node config steps), downloads the cluster.yml file from your bucket and updates it with the node details for each node in the control plane, and then uploads it back to the bucket.
118 | 3. Worker node(s) is provisioned by Terraform. The userdata script prepares the nodes similar to control plane nodes, downloads the cluster.yml file from your bucket and updates it with the node details for each node in the worker node group, and then uploads it back to the bucket.
119 | 4. Bastion host(s) is provisioned by Terraform. The userdata script installs the AWS CLI, RKE CLI tool and kubectl. The cluster.yml file and SSH key for the nodes are downloaded to the bastion host. The RKE provisioning command is run referencing the cluster.yml file and the SSH key locally stored on the machine. 
120 | 5. Once the RKE cluster has been provisioned, the cluster config details are saved in Secrets Manager.  
121 | ### Manual Steps
122 | 1. SSH into your bastion host using the relevant key. 
123 | 2. Copy the RKE cluster config details to the bastion hosts kube config directory from Secrets Manager
124 | ```
125 | mkdir -p $HOME/.kube
126 | 
127 | KUBE_CONFIG=$(sudo aws secretsmanager get-secret-value --secret-id rkekubeconfig --version-stage AWSCURRENT --region eu-west-1 | jq -r .SecretString)
128 | 
129 | sudo tee $HOME/.kube/config<<EOF
130 | $KUBE_CONFIG
131 | EOF
132 | ```
133 | 3. Get started with deploying applications to your Kubernetes cluster!
134 | 
135 | ## Known Issues
136 | The aws provider plugin used in this project has an issue that produces an inconsistent plan that may distrupt the provisioning process after running the relevant `apply` command. In the case that you encounter this, you can simply re-run the execution command (`terragrunt apply`) and the process will continue from where it left off.
137 | 
138 | 


--------------------------------------------------------------------------------
/bootstrap-rke-cluster.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LukeMwila/bootstrap-rke-cluster-in-aws/437ea65968bde56309733bccaf75e302f9295af1/bootstrap-rke-cluster.png


--------------------------------------------------------------------------------
/infra-live/dev/app-environment/terragrunt.hcl:
--------------------------------------------------------------------------------
 1 | inputs = {
 2 |   environment    = "dev"
 3 | }
 4 | 
 5 | include {
 6 |   # The find_in_parent_folders() helper will 
 7 |   # automatically search up the directory tree to find the root terragrunt.hcl and inherit 
 8 |   # the remote_state configuration from it.
 9 |   path = find_in_parent_folders()
10 | }
11 | 
12 | terraform {
13 |   source = "../../../infra-modules/app-environment"
14 | 
15 |   extra_arguments "conditional_vars" {
16 |     # built-in function to automatically get the list of 
17 |     # all commands that accept -var-file and -var arguments
18 |     commands = get_terraform_commands_that_need_vars()
19 | 
20 |     arguments = [
21 |       "-lock-timeout=10m"
22 |     ]
23 | 
24 |     required_var_files = [
25 |       "${get_parent_terragrunt_dir()}/sensitive.tfvars"
26 |     ]
27 |   }
28 | }
29 | 


--------------------------------------------------------------------------------
/infra-modules/app-environment/bastion-asg/autoscaling_group.tf:
--------------------------------------------------------------------------------
 1 | data "aws_ami" "openSUSE" {
 2 |   most_recent = true
 3 | 
 4 |   filter {
 5 |     name   = "name"
 6 |     values = ["openSUSE-Leap-15-2-v20200702-hvm-ssd-x86_64-*"]
 7 |   }
 8 | 
 9 |   filter {
10 |     name   = "virtualization-type"
11 |     values = ["hvm"]
12 |   }
13 | 
14 |   owners = ["679593333241"]
15 | }
16 | 
17 | # EC2 Auto Scaling Group - Launch Template
18 | resource "aws_launch_template" "launch_template" {
19 |   name_prefix   = var.name_prefix
20 |   image_id      = data.aws_ami.openSUSE.id
21 |   instance_type = var.ec2_instance_type
22 | 
23 |   vpc_security_group_ids = var.launch_template_security_group_ids
24 | 
25 |   user_data = filebase64("${path.module}/${var.user_data}")
26 |   key_name = var.key_name 
27 |   
28 |   iam_instance_profile {
29 |     arn = aws_iam_instance_profile.instance_profile.arn
30 |   }
31 | 
32 |   monitoring {
33 |     enabled = true
34 |   }
35 | 
36 |   tag_specifications {
37 |     resource_type = "instance"
38 | 
39 |     tags = {
40 |       Name = var.launch_template_tag
41 |       "kubernetes.io/cluster/${var.cluster_name}" = "owned"
42 |     }
43 |   }
44 | }
45 | 
46 | # EC2 Auto Scaling Group Control Plane
47 | resource "aws_autoscaling_group" "asg" {
48 |   availability_zones = var.availability_zones
49 |   desired_capacity   = var.desired_capacity
50 |   max_size           = var.max_size
51 |   min_size           = var.min_size
52 |   force_delete       = true
53 |   vpc_zone_identifier = var.public_subnet_ids
54 |   
55 |   launch_template {
56 |     id      = aws_launch_template.launch_template.id
57 |     version = "$Latest"
58 |   }
59 | 
60 |   tag {
61 |     key                 = "InstanceType"
62 |     value               = var.asg_tag
63 |     propagate_at_launch = true
64 |   }
65 | }


--------------------------------------------------------------------------------
/infra-modules/app-environment/bastion-asg/bastion_userdata.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # Install utils and aws cli v2
 4 | sudo curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
 5 | sudo zypper --non-interactive update
 6 | sudo zypper --non-interactive install jq
 7 | sudo zypper --non-interactive update
 8 | sudo zypper --non-interactive install zip
 9 | sudo zypper --non-interactive install unzip
10 | sudo unzip awscliv2.zip
11 | sudo ./aws/install
12 | 
13 | sleep 4m 30s
14 | 
15 | # Download cluster config file and ssh key from S3 bucket
16 | aws s3 cp s3://your-rke-cluster-config-bucket/cluster.yml ./
17 | aws s3 cp s3://your-rke-cluster-config-bucket/ec2-ssh-key.pem ./
18 | chmod 400 ./ec2-ssh-key.pem
19 | 
20 | # Download RKE
21 | curl -LO https://github.com/rancher/rke/releases/download/v1.2.11/rke_linux-amd64 && chmod a+x ./rke_linux-amd64
22 | mv rke_linux-amd64 rke
23 | 
24 | # Provision RKE cluster
25 | ./rke up --config ./cluster.yml
26 | 
27 | # Copy details of cluster config to Secrets Manager
28 | # Store Kube Config as secret for worker nodes
29 | KUBE_CONFIG=$(cat kube_config_cluster.yml)
30 | aws secretsmanager create-secret --name rkekubeconfig --description "Kube config for RKE cluster" --secret-string "$KUBE_CONFIG" --region eu-west-1
31 | 
32 | # Download and install kubectl
33 | curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
34 | curl -LO "https://dl.k8s.io/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl.sha256"
35 | echo "$(<kubectl.sha256) kubectl" | sha256sum --check
36 | 
37 | sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
38 | kubectl version --client


--------------------------------------------------------------------------------
/infra-modules/app-environment/bastion-asg/iam.tf:
--------------------------------------------------------------------------------
  1 | # EC2 Instance Profile
  2 | resource "aws_iam_instance_profile" "instance_profile" {
  3 |   name = var.instance_profile_name
  4 |   role = aws_iam_role.ec2_iam_role.name
  5 | }
  6 | 
  7 | # EC2 Instance IAM Role
  8 | resource "aws_iam_role" "ec2_iam_role" {
  9 |   name = "${var.instance_profile_name}_role"
 10 |   path = "/"
 11 | 
 12 |   assume_role_policy = <<EOF
 13 | {
 14 |     "Version": "2012-10-17",
 15 |     "Statement": [
 16 |         {
 17 |             "Action": "sts:AssumeRole",
 18 |             "Principal": {
 19 |                "Service": "ec2.amazonaws.com"
 20 |             },
 21 |             "Effect": "Allow",
 22 |             "Sid": ""
 23 |         }
 24 |     ]
 25 | }
 26 | EOF
 27 | }
 28 | 
 29 | # IAM Policy
 30 | resource "aws_iam_role_policy" "ec2_iam_role_policy" {
 31 |   name = "${var.instance_profile_name}_policy"
 32 |   role = aws_iam_role.ec2_iam_role.id
 33 | 
 34 |   policy = <<EOF
 35 | {
 36 |     "Version": "2012-10-17",
 37 |     "Statement": [
 38 |         {
 39 |             "Effect": "Allow",
 40 |             "Action": [
 41 |                 "cloudwatch:PutMetricData",
 42 |                 "ds:CreateComputer",
 43 |                 "ds:DescribeDirectories",
 44 |                 "ec2:DescribeInstanceStatus",
 45 |                 "logs:*",
 46 |                 "ssm:*",
 47 |                 "ec2messages:*"
 48 |             ],
 49 |             "Resource": "*"
 50 |         },
 51 |         {
 52 |             "Effect": "Allow",
 53 |             "Action": [
 54 |                 "ec2:DescribeInstances",
 55 |                 "ec2:DescribeRegions",
 56 |                 "ecr:GetAuthorizationToken",
 57 |                 "ecr:BatchCheckLayerAvailability",
 58 |                 "ecr:GetDownloadUrlForLayer",
 59 |                 "ecr:GetRepositoryPolicy",
 60 |                 "ecr:DescribeRepositories",
 61 |                 "ecr:ListImages",
 62 |                 "ecr:BatchGetImage"
 63 |             ],
 64 |             "Resource": "*"
 65 |         },
 66 |         {
 67 |             "Effect": "Allow",
 68 |             "Action": "iam:CreateServiceLinkedRole",
 69 |             "Resource": "arn:aws:iam::*:role/aws-service-role/ssm.amazonaws.com/AWSServiceRoleForAmazonSSM*",
 70 |             "Condition": {
 71 |                 "StringLike": {
 72 |                     "iam:AWSServiceName": "ssm.amazonaws.com"
 73 |                 }
 74 |             }
 75 |         },
 76 |         {
 77 |             "Effect": "Allow",
 78 |             "Action": [
 79 |                 "iam:DeleteServiceLinkedRole",
 80 |                 "iam:GetServiceLinkedRoleDeletionStatus"
 81 |             ],
 82 |             "Resource": "arn:aws:iam::*:role/aws-service-role/ssm.amazonaws.com/AWSServiceRoleForAmazonSSM*"
 83 |         },
 84 |         {
 85 |             "Effect": "Allow",
 86 |             "Action": [
 87 |                 "ssmmessages:CreateControlChannel",
 88 |                 "ssmmessages:CreateDataChannel",
 89 |                 "ssmmessages:OpenControlChannel",
 90 |                 "ssmmessages:OpenDataChannel"
 91 |             ],
 92 |             "Resource": "*"
 93 |         },
 94 |         {
 95 |             "Effect": "Allow",
 96 |             "Action": [
 97 |             "ec2:AssignPrivateIpAddresses",
 98 |             "ec2:AttachNetworkInterface",
 99 |             "ec2:CreateNetworkInterface",
100 |             "ec2:DeleteNetworkInterface",
101 |             "ec2:DescribeInstances",
102 |             "ec2:DescribeInstanceTypes",
103 |             "ec2:DescribeTags",
104 |             "ec2:DescribeNetworkInterfaces",
105 |             "ec2:DetachNetworkInterface",
106 |             "ec2:ModifyNetworkInterfaceAttribute",
107 |             "ec2:UnassignPrivateIpAddresses"
108 |             ],
109 |             "Resource": "*"
110 |         },
111 |         {
112 |             "Effect": "Allow",
113 |             "Action": [
114 |                 "ec2:CreateTags"
115 |             ],
116 |             "Resource": ["arn:aws:ec2:*:*:network-interface/*"]
117 |         },
118 |         {
119 |             "Effect": "Allow",
120 |             "Action": [
121 |                 "autoscaling:DescribeAutoScalingGroups",
122 |                 "autoscaling:DescribeLaunchConfigurations",
123 |                 "autoscaling:DescribeTags",
124 |                 "ec2:DescribeInstances",
125 |                 "ec2:DescribeRegions",
126 |                 "ec2:DescribeRouteTables",
127 |                 "ec2:DescribeSecurityGroups",
128 |                 "ec2:DescribeSubnets",
129 |                 "ec2:DescribeVolumes",
130 |                 "ec2:CreateSecurityGroup",
131 |                 "ec2:CreateTags",
132 |                 "ec2:CreateVolume",
133 |                 "ec2:ModifyInstanceAttribute",
134 |                 "ec2:ModifyVolume",
135 |                 "ec2:AttachVolume",
136 |                 "ec2:AuthorizeSecurityGroupIngress",
137 |                 "ec2:CreateRoute",
138 |                 "ec2:DeleteRoute",
139 |                 "ec2:DeleteSecurityGroup",
140 |                 "ec2:DeleteVolume",
141 |                 "ec2:DetachVolume",
142 |                 "ec2:RevokeSecurityGroupIngress",
143 |                 "ec2:DescribeVpcs"
144 |             ],
145 |             "Resource": [
146 |                 "*"
147 |             ]
148 |         }
149 |     ]
150 | }
151 | EOF
152 | }
153 | 
154 | resource "aws_iam_role_policy_attachment" "s3_full_access" {
155 |   role       = aws_iam_role.ec2_iam_role.id
156 |   policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
157 | }
158 | 
159 | resource "aws_iam_role_policy_attachment" "secret_manager" {
160 |   role       = aws_iam_role.ec2_iam_role.id
161 |   policy_arn = "arn:aws:iam::aws:policy/SecretsManagerReadWrite"
162 | }
163 | 


--------------------------------------------------------------------------------
/infra-modules/app-environment/bastion-asg/vars.tf:
--------------------------------------------------------------------------------
 1 | variable ec2_instance_type {
 2 |   type        = string
 3 |   default     = "t3.medium"
 4 |   description = "EC2 host instance types"
 5 | }
 6 | 
 7 | variable name_prefix {
 8 |   type        = string
 9 |   description = "ASG EC2 Name prefix"
10 | }
11 | 
12 | variable asg_tag {
13 |   type        = string
14 |   description = "ASG Tag name"
15 | }
16 | 
17 | variable launch_template_tag {
18 |   type        = string
19 |   description = "ASG Tag name"
20 | }
21 | 
22 | variable user_data {
23 |   type        = string
24 |   description = "EC2 user data"
25 | }
26 | 
27 | variable desired_capacity {
28 |   type        = number
29 |   description = "Desired capacity for ASG"
30 | }
31 | 
32 | variable max_size {
33 |   type        = number
34 |   description = "Max capacity for ASG"
35 | }
36 | 
37 | variable min_size {
38 |   type        = number
39 |   description = "Min capacity for ASG"
40 | }
41 | 
42 | variable instance_profile_name {
43 |   type        = string
44 |   default     = "k8s_bastion_profile"
45 |   description = "Name of the EC2 instance profile"
46 | }
47 | 
48 | variable "availability_zones" {
49 |   type  = list(string)
50 |   default = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
51 |   description = "List of availability zones for the selected region"
52 | }
53 | 
54 | variable vpc_id {
55 |   type        = string
56 |   description = "ID of the custom VPC that the resources are deployed in"
57 | }
58 | 
59 | variable "environment" {
60 |   type        = string
61 |   description = "Application enviroment"
62 | }
63 | 
64 | variable private_subnet_ids {
65 |   type        = list(string)
66 |   description = "Private subnet IDs"
67 | }
68 | 
69 | variable "public_subnet_ids" {
70 |   type = list(string)
71 |   description = "Private subnet IDs"
72 | }
73 | 
74 | variable launch_template_security_group_ids {
75 |   type        = list(string)
76 |   description = "Launch template SGs"
77 | }
78 | 
79 | variable "cluster_name" {
80 |   description = "The name of the cluster"
81 |   type = string
82 | }
83 | 
84 | variable "key_name" {
85 |   type = string
86 | }


--------------------------------------------------------------------------------
/infra-modules/app-environment/cluster-asg/autoscaling_group.tf:
--------------------------------------------------------------------------------
 1 | data "aws_ami" "openSUSE" {
 2 |   most_recent = true
 3 | 
 4 |   filter {
 5 |     name   = "name"
 6 |     values = ["openSUSE-Leap-15-2-v20200702-hvm-ssd-x86_64-*"]
 7 |   }
 8 | 
 9 |   filter {
10 |     name   = "virtualization-type"
11 |     values = ["hvm"]
12 |   }
13 | 
14 |   owners = ["679593333241"]
15 | }
16 | 
17 | # EC2 Auto Scaling Group - Launch Template
18 | resource "aws_launch_template" "launch_template" {
19 |   name_prefix   = var.name_prefix
20 |   image_id      = data.aws_ami.openSUSE.id
21 |   instance_type = var.ec2_instance_type
22 | 
23 |   vpc_security_group_ids = var.launch_template_security_group_ids
24 | 
25 |   user_data = filebase64("${path.module}/${var.user_data}")
26 |   key_name = var.key_name 
27 | 
28 |   iam_instance_profile {
29 |     arn = aws_iam_instance_profile.instance_profile.arn
30 |   }
31 | 
32 |   monitoring {
33 |     enabled = true
34 |   }
35 | 
36 |   tag_specifications {
37 |     resource_type = "instance"
38 | 
39 |     tags = {
40 |       Name = var.launch_template_tag
41 |       "kubernetes.io/cluster/${var.cluster_name}" = "owned"
42 |     }
43 |   }
44 | }
45 | 
46 | # EC2 Auto Scaling Group Control Plane
47 | resource "aws_autoscaling_group" "asg" {
48 |   availability_zones = var.availability_zones
49 |   desired_capacity   = var.desired_capacity
50 |   max_size           = var.max_size
51 |   min_size           = var.min_size
52 |   force_delete       = true
53 |   vpc_zone_identifier = var.private_subnet_ids
54 |   # target_group_arns = [var.target_group_arn]
55 |   launch_template {
56 |     id      = aws_launch_template.launch_template.id
57 |     version = "$Latest"
58 |   }
59 | 
60 |   tag {
61 |     key                 = "InstanceType"
62 |     value               = var.asg_tag
63 |     propagate_at_launch = true
64 |   }
65 | }


--------------------------------------------------------------------------------
/infra-modules/app-environment/cluster-asg/iam.tf:
--------------------------------------------------------------------------------
  1 | # EC2 Instance Profile
  2 | resource "aws_iam_instance_profile" "instance_profile" {
  3 |   name = var.instance_profile_name
  4 |   role = aws_iam_role.ec2_iam_role.name
  5 | }
  6 | 
  7 | # EC2 Instance IAM Role
  8 | resource "aws_iam_role" "ec2_iam_role" {
  9 |   name = "${var.instance_profile_name}_role"
 10 |   path = "/"
 11 | 
 12 |   assume_role_policy = <<EOF
 13 | {
 14 |     "Version": "2012-10-17",
 15 |     "Statement": [
 16 |         {
 17 |             "Action": "sts:AssumeRole",
 18 |             "Principal": {
 19 |                "Service": "ec2.amazonaws.com"
 20 |             },
 21 |             "Effect": "Allow",
 22 |             "Sid": ""
 23 |         }
 24 |     ]
 25 | }
 26 | EOF
 27 | }
 28 | 
 29 | # IAM Policy
 30 | resource "aws_iam_role_policy" "ec2_iam_role_policy" {
 31 |   name = "${var.instance_profile_name}_policy"
 32 |   role = aws_iam_role.ec2_iam_role.id
 33 | 
 34 |   policy = <<EOF
 35 | {
 36 |     "Version": "2012-10-17",
 37 |     "Statement": [
 38 |         {
 39 |             "Effect": "Allow",
 40 |             "Action": [
 41 |                 "cloudwatch:PutMetricData",
 42 |                 "ds:CreateComputer",
 43 |                 "ds:DescribeDirectories",
 44 |                 "ec2:DescribeInstanceStatus",
 45 |                 "logs:*",
 46 |                 "ssm:*",
 47 |                 "ec2messages:*"
 48 |             ],
 49 |             "Resource": "*"
 50 |         },
 51 |         {
 52 |             "Effect": "Allow",
 53 |             "Action": [
 54 |                 "ec2:DescribeInstances",
 55 |                 "ec2:DescribeRegions",
 56 |                 "ecr:GetAuthorizationToken",
 57 |                 "ecr:BatchCheckLayerAvailability",
 58 |                 "ecr:GetDownloadUrlForLayer",
 59 |                 "ecr:GetRepositoryPolicy",
 60 |                 "ecr:DescribeRepositories",
 61 |                 "ecr:ListImages",
 62 |                 "ecr:BatchGetImage"
 63 |             ],
 64 |             "Resource": "*"
 65 |         },
 66 |         {
 67 |             "Effect": "Allow",
 68 |             "Action": "iam:CreateServiceLinkedRole",
 69 |             "Resource": "arn:aws:iam::*:role/aws-service-role/ssm.amazonaws.com/AWSServiceRoleForAmazonSSM*",
 70 |             "Condition": {
 71 |                 "StringLike": {
 72 |                     "iam:AWSServiceName": "ssm.amazonaws.com"
 73 |                 }
 74 |             }
 75 |         },
 76 |         {
 77 |             "Effect": "Allow",
 78 |             "Action": [
 79 |                 "iam:DeleteServiceLinkedRole",
 80 |                 "iam:GetServiceLinkedRoleDeletionStatus"
 81 |             ],
 82 |             "Resource": "arn:aws:iam::*:role/aws-service-role/ssm.amazonaws.com/AWSServiceRoleForAmazonSSM*"
 83 |         },
 84 |         {
 85 |             "Effect": "Allow",
 86 |             "Action": [
 87 |                 "ssmmessages:CreateControlChannel",
 88 |                 "ssmmessages:CreateDataChannel",
 89 |                 "ssmmessages:OpenControlChannel",
 90 |                 "ssmmessages:OpenDataChannel"
 91 |             ],
 92 |             "Resource": "*"
 93 |         },
 94 |         {
 95 |             "Effect": "Allow",
 96 |             "Action": [
 97 |             "ec2:AssignPrivateIpAddresses",
 98 |             "ec2:AttachNetworkInterface",
 99 |             "ec2:CreateNetworkInterface",
100 |             "ec2:DeleteNetworkInterface",
101 |             "ec2:DescribeInstances",
102 |             "ec2:DescribeInstanceTypes",
103 |             "ec2:DescribeTags",
104 |             "ec2:DescribeNetworkInterfaces",
105 |             "ec2:DetachNetworkInterface",
106 |             "ec2:ModifyNetworkInterfaceAttribute",
107 |             "ec2:UnassignPrivateIpAddresses"
108 |             ],
109 |             "Resource": "*"
110 |         },
111 |         {
112 |             "Effect": "Allow",
113 |             "Action": [
114 |                 "ec2:CreateTags"
115 |             ],
116 |             "Resource": ["arn:aws:ec2:*:*:network-interface/*"]
117 |         },
118 |         {
119 |             "Effect": "Allow",
120 |             "Action": [
121 |                 "autoscaling:DescribeAutoScalingGroups",
122 |                 "autoscaling:DescribeLaunchConfigurations",
123 |                 "autoscaling:DescribeTags",
124 |                 "ec2:DescribeInstances",
125 |                 "ec2:DescribeRegions",
126 |                 "ec2:DescribeRouteTables",
127 |                 "ec2:DescribeSecurityGroups",
128 |                 "ec2:DescribeSubnets",
129 |                 "ec2:DescribeVolumes",
130 |                 "ec2:CreateSecurityGroup",
131 |                 "ec2:CreateTags",
132 |                 "ec2:CreateVolume",
133 |                 "ec2:ModifyInstanceAttribute",
134 |                 "ec2:ModifyVolume",
135 |                 "ec2:AttachVolume",
136 |                 "ec2:AuthorizeSecurityGroupIngress",
137 |                 "ec2:CreateRoute",
138 |                 "ec2:DeleteRoute",
139 |                 "ec2:DeleteSecurityGroup",
140 |                 "ec2:DeleteVolume",
141 |                 "ec2:DetachVolume",
142 |                 "ec2:RevokeSecurityGroupIngress",
143 |                 "ec2:DescribeVpcs",
144 |                 "elasticloadbalancing:AddTags",
145 |                 "elasticloadbalancing:AttachLoadBalancerToSubnets",
146 |                 "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
147 |                 "elasticloadbalancing:CreateLoadBalancer",
148 |                 "elasticloadbalancing:CreateLoadBalancerPolicy",
149 |                 "elasticloadbalancing:CreateLoadBalancerListeners",
150 |                 "elasticloadbalancing:ConfigureHealthCheck",
151 |                 "elasticloadbalancing:DeleteLoadBalancer",
152 |                 "elasticloadbalancing:DeleteLoadBalancerListeners",
153 |                 "elasticloadbalancing:DescribeLoadBalancers",
154 |                 "elasticloadbalancing:DescribeLoadBalancerAttributes",
155 |                 "elasticloadbalancing:DetachLoadBalancerFromSubnets",
156 |                 "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
157 |                 "elasticloadbalancing:ModifyLoadBalancerAttributes",
158 |                 "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
159 |                 "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
160 |                 "elasticloadbalancing:AddTags",
161 |                 "elasticloadbalancing:CreateListener",
162 |                 "elasticloadbalancing:CreateTargetGroup",
163 |                 "elasticloadbalancing:DeleteListener",
164 |                 "elasticloadbalancing:DeleteTargetGroup",
165 |                 "elasticloadbalancing:DescribeListeners",
166 |                 "elasticloadbalancing:DescribeLoadBalancerPolicies",
167 |                 "elasticloadbalancing:DescribeTargetGroups",
168 |                 "elasticloadbalancing:DescribeTargetHealth",
169 |                 "elasticloadbalancing:ModifyListener",
170 |                 "elasticloadbalancing:ModifyTargetGroup",
171 |                 "elasticloadbalancing:RegisterTargets",
172 |                 "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
173 |                 "iam:CreateServiceLinkedRole",
174 |                 "kms:DescribeKey"
175 |             ],
176 |             "Resource": [
177 |                 "*"
178 |             ]
179 |         }
180 |     ]
181 | }
182 | EOF
183 | }
184 | 
185 | resource "aws_iam_role_policy_attachment" "s3_full_access" {
186 |   role       = aws_iam_role.ec2_iam_role.id
187 |   policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
188 | }
189 | 
190 | 


--------------------------------------------------------------------------------
/infra-modules/app-environment/cluster-asg/master_userdata.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # Install utils and aws cli v2
 4 | sudo curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
 5 | sudo zypper --non-interactive update
 6 | sudo zypper --non-interactive install jq
 7 | sudo zypper --non-interactive update
 8 | sudo zypper --non-interactive install zip
 9 | sudo zypper --non-interactive install unzip
10 | sudo unzip awscliv2.zip
11 | sudo ./aws/install
12 | 
13 | # Install yq
14 | sudo wget https://github.com/mikefarah/yq/releases/download/v4.12.0/yq_linux_amd64 -O /usr/bin/yq && chmod +x /usr/bin/yq
15 | 
16 | # Commands for all K8s nodes
17 | sudo zypper --non-interactive update
18 | sudo zypper --non-interactive install docker
19 | 
20 | # Turn off swap
21 | # The Kubernetes scheduler determines the best available node on 
22 | # which to deploy newly created pods. If memory swapping is allowed 
23 | # to occur on a host system, this can lead to performance and stability 
24 | # issues within Kubernetes. 
25 | # For this reason, Kubernetes requires that you disable swap in the host system.
26 | # If swap is not disabled, kubelet service will not start on the masters and nodes
27 | sudo sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab
28 | sudo swapoff -a
29 | 
30 | #Confirm that docker group has been created on system
31 | sudo groupadd docker
32 | 
33 | # Add current system user to the Docker group, as well as the ec2-user user
34 | sudo gpasswd -a $USER docker
35 | sudo usermod -a -G docker ec2-user
36 | grep /etc/group -e "docker"
37 | 
38 | # Start and enable Services
39 | sudo systemctl daemon-reload 
40 | sudo systemctl restart docker
41 | sudo systemctl enable docker
42 | 
43 | # Modify bridge adapter setting
44 | # Configure sysctl.
45 | sudo modprobe overlay
46 | sudo modprobe br_netfilter
47 | 
48 | sudo tee /etc/sysctl.d/kubernetes.conf<<EOF
49 | net.bridge.bridge-nf-call-ip6tables = 1
50 | net.bridge.bridge-nf-call-iptables = 1
51 | net.ipv4.ip_forward = 1
52 | EOF
53 | 
54 | sudo sysctl --system
55 | 
56 | # Ensure that the br_netfilter module is loaded
57 | lsmod | grep br_netfilter
58 | 
59 | # Download cluster yaml file from S3 bucket
60 | aws s3 cp s3://your-rke-cluster-config-bucket/cluster.yml ./
61 | 
62 | # Get the value of the existing number of nodes listed in the config file and use that
63 | # number for creating a new node listing in the array
64 | aws configure set region eu-west-1
65 | HOSTNAME="$(curl http://169.254.169.254/latest/meta-data/local-ipv4)" NUMBER_OF_NODES="$(yq eval '.nodes | length' cluster.yml)" yq eval -i '
66 |   .nodes[env(NUMBER_OF_NODES)].address = env(HOSTNAME) |
67 |   .nodes[env(NUMBER_OF_NODES)].user = "ec2-user" |
68 |   .nodes[env(NUMBER_OF_NODES)].role[0] = "controlplane" |
69 |   .nodes[env(NUMBER_OF_NODES)].role[1] = "etcd"
70 | ' ./cluster.yml
71 | 
72 | # Upload the cluster.yml file to S3 bucket
73 | aws s3 cp ./cluster.yml s3://your-rke-cluster-config-bucket


--------------------------------------------------------------------------------
/infra-modules/app-environment/cluster-asg/vars.tf:
--------------------------------------------------------------------------------
 1 | variable ec2_instance_type {
 2 |   type        = string
 3 |   default     = "t3.medium"
 4 |   description = "EC2 host instance types"
 5 | }
 6 | 
 7 | variable name_prefix {
 8 |   type        = string
 9 |   description = "ASG EC2 Name prefix"
10 | }
11 | 
12 | variable asg_tag {
13 |   type        = string
14 |   description = "ASG Tag name"
15 | }
16 | 
17 | variable launch_template_tag {
18 |   type        = string
19 |   description = "ASG Tag name"
20 | }
21 | 
22 | variable user_data {
23 |   type        = string
24 |   description = "EC2 user data"
25 | }
26 | 
27 | variable desired_capacity {
28 |   type        = number
29 |   description = "Desired capacity for ASG"
30 | }
31 | 
32 | variable max_size {
33 |   type        = number
34 |   description = "Max capacity for ASG"
35 | }
36 | 
37 | variable min_size {
38 |   type        = number
39 |   description = "Min capacity for ASG"
40 | }
41 | 
42 | variable instance_profile_name {
43 |   type        = string
44 |   default     = "k8s_control_plane_profile"
45 |   description = "Name of the EC2 instance profile"
46 | }
47 | 
48 | variable "availability_zones" {
49 |   type  = list(string)
50 |   default = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
51 |   description = "List of availability zones for the selected region"
52 | }
53 | 
54 | variable vpc_id {
55 |   type        = string
56 |   description = "ID of the custom VPC that the resources are deployed in"
57 | }
58 | 
59 | variable "environment" {
60 |   type        = string
61 |   description = "Application enviroment"
62 | }
63 | 
64 | variable private_subnet_ids {
65 |   type        = list(string)
66 |   description = "Private subnet IDs"
67 | }
68 | 
69 | variable "public_subnet_ids" {
70 |   type = list(string)
71 |   description = "Private subnet IDs"
72 | }
73 | 
74 | variable launch_template_security_group_ids {
75 |   type        = list(string)
76 |   description = "Launch template SGs"
77 | }
78 | 
79 | /* variable "target_group_arn" {
80 |   type        = string
81 |   description = "List of target groups"
82 | } */
83 | 
84 | variable "cluster_name" {
85 |   description = "The name of the cluster"
86 |   type = string
87 | }
88 | 
89 | variable "key_name" {
90 |   type = string
91 | }


--------------------------------------------------------------------------------
/infra-modules/app-environment/cluster-worker-asg/autoscaling_group.tf:
--------------------------------------------------------------------------------
 1 | data "aws_ami" "openSUSE" {
 2 |   most_recent = true
 3 | 
 4 |   filter {
 5 |     name   = "name"
 6 |     values = ["openSUSE-Leap-15-2-v20200702-hvm-ssd-x86_64-*"]
 7 |   }
 8 | 
 9 |   filter {
10 |     name   = "virtualization-type"
11 |     values = ["hvm"]
12 |   }
13 | 
14 |   owners = ["679593333241"]
15 | }
16 | 
17 | # EC2 Auto Scaling Group - Launch Template
18 | resource "aws_launch_template" "launch_template" {
19 |   name_prefix   = var.name_prefix
20 |   image_id      = data.aws_ami.openSUSE.id
21 |   instance_type = var.ec2_instance_type
22 | 
23 |   vpc_security_group_ids = var.launch_template_security_group_ids
24 | 
25 |   user_data = filebase64("${path.module}/${var.user_data}")
26 |   key_name = var.key_name 
27 | 
28 |   iam_instance_profile {
29 |     arn = aws_iam_instance_profile.instance_profile.arn
30 |   }
31 | 
32 |   monitoring {
33 |     enabled = true
34 |   }
35 | 
36 |   tag_specifications {
37 |     resource_type = "instance"
38 | 
39 |     tags = {
40 |       Name = var.launch_template_tag
41 |       "kubernetes.io/cluster/${var.cluster_name}" = "owned"
42 |     }
43 |   }
44 | }
45 | 
46 | # EC2 Auto Scaling Group Worker Nodes
47 | resource "aws_autoscaling_group" "asg" {
48 |   availability_zones = var.availability_zones
49 |   desired_capacity   = var.desired_capacity
50 |   max_size           = var.max_size
51 |   min_size           = var.min_size
52 |   force_delete       = true
53 |   vpc_zone_identifier = var.private_subnet_ids
54 | 
55 |   launch_template {
56 |     id      = aws_launch_template.launch_template.id
57 |     version = "$Latest"
58 |   }
59 | 
60 |   /* lifecycle {
61 |     ignore_changes = [load_balancers, target_group_arns]
62 |   } */
63 | 
64 |   tag {
65 |     key                 = "InstanceType"
66 |     value               = var.asg_tag
67 |     propagate_at_launch = true
68 |   }
69 | }


--------------------------------------------------------------------------------
/infra-modules/app-environment/cluster-worker-asg/iam.tf:
--------------------------------------------------------------------------------
  1 | # EC2 Instance Profile
  2 | resource "aws_iam_instance_profile" "instance_profile" {
  3 |   name = var.instance_profile_name
  4 |   role = aws_iam_role.ec2_iam_role.name
  5 | }
  6 | 
  7 | # EC2 Instance IAM Role
  8 | resource "aws_iam_role" "ec2_iam_role" {
  9 |   name = "${var.instance_profile_name}_role"
 10 |   path = "/"
 11 | 
 12 |   assume_role_policy = <<EOF
 13 | {
 14 |     "Version": "2012-10-17",
 15 |     "Statement": [
 16 |         {
 17 |             "Action": "sts:AssumeRole",
 18 |             "Principal": {
 19 |                "Service": "ec2.amazonaws.com"
 20 |             },
 21 |             "Effect": "Allow",
 22 |             "Sid": ""
 23 |         }
 24 |     ]
 25 | }
 26 | EOF
 27 | }
 28 | 
 29 | # IAM Policy
 30 | resource "aws_iam_role_policy" "ec2_iam_role_policy" {
 31 |   name = "${var.instance_profile_name}_policy"
 32 |   role = aws_iam_role.ec2_iam_role.id
 33 | 
 34 |   policy = <<EOF
 35 | {
 36 |     "Version": "2012-10-17",
 37 |     "Statement": [
 38 |         {
 39 |             "Effect": "Allow",
 40 |             "Action": [
 41 |                 "cloudwatch:PutMetricData",
 42 |                 "ds:CreateComputer",
 43 |                 "ds:DescribeDirectories",
 44 |                 "ec2:DescribeInstanceStatus",
 45 |                 "logs:*",
 46 |                 "ssm:*",
 47 |                 "ec2messages:*"
 48 |             ],
 49 |             "Resource": "*"
 50 |         },
 51 |         {
 52 |             "Effect": "Allow",
 53 |             "Action": [
 54 |                 "ec2:DescribeInstances",
 55 |                 "ec2:DescribeRegions",
 56 |                 "ecr:GetAuthorizationToken",
 57 |                 "ecr:BatchCheckLayerAvailability",
 58 |                 "ecr:GetDownloadUrlForLayer",
 59 |                 "ecr:GetRepositoryPolicy",
 60 |                 "ecr:DescribeRepositories",
 61 |                 "ecr:ListImages",
 62 |                 "ecr:BatchGetImage"
 63 |             ],
 64 |             "Resource": "*"
 65 |         },
 66 |         {
 67 |             "Effect": "Allow",
 68 |             "Action": "iam:CreateServiceLinkedRole",
 69 |             "Resource": "arn:aws:iam::*:role/aws-service-role/ssm.amazonaws.com/AWSServiceRoleForAmazonSSM*",
 70 |             "Condition": {
 71 |                 "StringLike": {
 72 |                     "iam:AWSServiceName": "ssm.amazonaws.com"
 73 |                 }
 74 |             }
 75 |         },
 76 |         {
 77 |             "Effect": "Allow",
 78 |             "Action": [
 79 |                 "iam:DeleteServiceLinkedRole",
 80 |                 "iam:GetServiceLinkedRoleDeletionStatus"
 81 |             ],
 82 |             "Resource": "arn:aws:iam::*:role/aws-service-role/ssm.amazonaws.com/AWSServiceRoleForAmazonSSM*"
 83 |         },
 84 |         {
 85 |             "Effect": "Allow",
 86 |             "Action": [
 87 |                 "ssmmessages:CreateControlChannel",
 88 |                 "ssmmessages:CreateDataChannel",
 89 |                 "ssmmessages:OpenControlChannel",
 90 |                 "ssmmessages:OpenDataChannel"
 91 |             ],
 92 |             "Resource": "*"
 93 |         },
 94 |         {
 95 |             "Effect": "Allow",
 96 |             "Action": [
 97 |             "ec2:AssignPrivateIpAddresses",
 98 |             "ec2:AttachNetworkInterface",
 99 |             "ec2:CreateNetworkInterface",
100 |             "ec2:DeleteNetworkInterface",
101 |             "ec2:DescribeInstances",
102 |             "ec2:DescribeInstanceTypes",
103 |             "ec2:DescribeTags",
104 |             "ec2:DescribeNetworkInterfaces",
105 |             "ec2:DetachNetworkInterface",
106 |             "ec2:ModifyNetworkInterfaceAttribute",
107 |             "ec2:UnassignPrivateIpAddresses"
108 |             ],
109 |             "Resource": "*"
110 |         },
111 |         {
112 |             "Effect": "Allow",
113 |             "Action": [
114 |                 "ec2:CreateTags"
115 |             ],
116 |             "Resource": ["arn:aws:ec2:*:*:network-interface/*"]
117 |         },
118 |         {
119 |             "Effect": "Allow",
120 |             "Action": [
121 |                 "autoscaling:DescribeAutoScalingGroups",
122 |                 "autoscaling:DescribeLaunchConfigurations",
123 |                 "autoscaling:DescribeTags",
124 |                 "ec2:DescribeInstances",
125 |                 "ec2:DescribeRegions",
126 |                 "ec2:DescribeRouteTables",
127 |                 "ec2:DescribeSecurityGroups",
128 |                 "ec2:DescribeSubnets",
129 |                 "ec2:DescribeVolumes",
130 |                 "ec2:CreateSecurityGroup",
131 |                 "ec2:CreateTags",
132 |                 "ec2:CreateVolume",
133 |                 "ec2:ModifyInstanceAttribute",
134 |                 "ec2:ModifyVolume",
135 |                 "ec2:AttachVolume",
136 |                 "ec2:AuthorizeSecurityGroupIngress",
137 |                 "ec2:CreateRoute",
138 |                 "ec2:DeleteRoute",
139 |                 "ec2:DeleteSecurityGroup",
140 |                 "ec2:DeleteVolume",
141 |                 "ec2:DetachVolume",
142 |                 "ec2:RevokeSecurityGroupIngress",
143 |                 "ec2:DescribeVpcs",
144 |                 "elasticloadbalancing:AddTags",
145 |                 "elasticloadbalancing:AttachLoadBalancerToSubnets",
146 |                 "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
147 |                 "elasticloadbalancing:CreateLoadBalancer",
148 |                 "elasticloadbalancing:CreateLoadBalancerPolicy",
149 |                 "elasticloadbalancing:CreateLoadBalancerListeners",
150 |                 "elasticloadbalancing:ConfigureHealthCheck",
151 |                 "elasticloadbalancing:DeleteLoadBalancer",
152 |                 "elasticloadbalancing:DeleteLoadBalancerListeners",
153 |                 "elasticloadbalancing:DescribeLoadBalancers",
154 |                 "elasticloadbalancing:DescribeLoadBalancerAttributes",
155 |                 "elasticloadbalancing:DetachLoadBalancerFromSubnets",
156 |                 "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
157 |                 "elasticloadbalancing:ModifyLoadBalancerAttributes",
158 |                 "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
159 |                 "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
160 |                 "elasticloadbalancing:AddTags",
161 |                 "elasticloadbalancing:CreateListener",
162 |                 "elasticloadbalancing:CreateTargetGroup",
163 |                 "elasticloadbalancing:DeleteListener",
164 |                 "elasticloadbalancing:DeleteTargetGroup",
165 |                 "elasticloadbalancing:DescribeListeners",
166 |                 "elasticloadbalancing:DescribeLoadBalancerPolicies",
167 |                 "elasticloadbalancing:DescribeTargetGroups",
168 |                 "elasticloadbalancing:DescribeTargetHealth",
169 |                 "elasticloadbalancing:ModifyListener",
170 |                 "elasticloadbalancing:ModifyTargetGroup",
171 |                 "elasticloadbalancing:RegisterTargets",
172 |                 "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
173 |                 "iam:CreateServiceLinkedRole",
174 |                 "kms:DescribeKey"
175 |             ],
176 |             "Resource": [
177 |                 "*"
178 |             ]
179 |         }
180 |     ]
181 | }
182 | EOF
183 | }
184 | 
185 | resource "aws_iam_role_policy_attachment" "s3_full_access" {
186 |   role       = aws_iam_role.ec2_iam_role.id
187 |   policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
188 | }


--------------------------------------------------------------------------------
/infra-modules/app-environment/cluster-worker-asg/vars.tf:
--------------------------------------------------------------------------------
 1 | variable ec2_instance_type {
 2 |   type        = string
 3 |   default     = "t3.medium"
 4 |   description = "EC2 host instance types"
 5 | }
 6 | 
 7 | variable name_prefix {
 8 |   type        = string
 9 |   description = "ASG EC2 Name prefix"
10 | }
11 | 
12 | variable asg_tag {
13 |   type        = string
14 |   description = "ASG Tag name"
15 | }
16 | 
17 | variable launch_template_tag {
18 |   type        = string
19 |   description = "ASG Tag name"
20 | }
21 | 
22 | variable user_data {
23 |   type        = string
24 |   description = "EC2 user data"
25 | }
26 | 
27 | variable desired_capacity {
28 |   type        = number
29 |   description = "Desired capacity for ASG"
30 | }
31 | 
32 | variable max_size {
33 |   type        = number
34 |   description = "Max capacity for ASG"
35 | }
36 | 
37 | variable min_size {
38 |   type        = number
39 |   description = "Min capacity for ASG"
40 | }
41 | 
42 | variable instance_profile_name {
43 |   type        = string
44 |   default     = "k8s_control_plane_profile"
45 |   description = "Name of the EC2 instance profile"
46 | }
47 | 
48 | variable "availability_zones" {
49 |   type  = list(string)
50 |   default = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
51 |   description = "List of availability zones for the selected region"
52 | }
53 | 
54 | variable vpc_id {
55 |   type        = string
56 |   description = "ID of the custom VPC that the resources are deployed in"
57 | }
58 | 
59 | variable "environment" {
60 |   type        = string
61 |   description = "Application enviroment"
62 | }
63 | 
64 | variable private_subnet_ids {
65 |   type        = list(string)
66 |   description = "Private subnet IDs"
67 | }
68 | 
69 | variable "public_subnet_ids" {
70 |   type = list(string)
71 |   description = "Private subnet IDs"
72 | }
73 | 
74 | variable launch_template_security_group_ids {
75 |   type        = list(string)
76 |   description = "Launch template SGs"
77 | }
78 | 
79 | variable "cluster_name" {
80 |   description = "The name of the cluster"
81 |   type = string
82 | }
83 | 
84 | variable "key_name" {
85 |   type = string
86 | }


--------------------------------------------------------------------------------
/infra-modules/app-environment/cluster-worker-asg/worker_userdata.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # Install utils and aws cli v2
 4 | sudo curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
 5 | sudo zypper --non-interactive update
 6 | sudo zypper --non-interactive install jq
 7 | sudo zypper --non-interactive update
 8 | sudo zypper --non-interactive install zip
 9 | sudo zypper --non-interactive install unzip
10 | sudo unzip awscliv2.zip
11 | sudo ./aws/install
12 | 
13 | # Install yq
14 | sudo wget https://github.com/mikefarah/yq/releases/download/v4.12.0/yq_linux_amd64 -O /usr/bin/yq && chmod +x /usr/bin/yq
15 | 
16 | # Commands for all K8s nodes
17 | sudo zypper --non-interactive update
18 | sudo zypper --non-interactive install docker
19 | 
20 | # Turn off swap
21 | # The Kubernetes scheduler determines the best available node on 
22 | # which to deploy newly created pods. If memory swapping is allowed 
23 | # to occur on a host system, this can lead to performance and stability 
24 | # issues within Kubernetes. 
25 | # For this reason, Kubernetes requires that you disable swap in the host system.
26 | # If swap is not disabled, kubelet service will not start on the masters and nodes
27 | sudo sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab
28 | sudo swapoff -a
29 | 
30 | # Confirm that docker group has been created on system
31 | sudo groupadd docker
32 | 
33 | # Add current system user to the Docker group, as well as the ec2-user user
34 | sudo gpasswd -a $USER docker
35 | sudo usermod -a -G docker ec2-user
36 | grep /etc/group -e "docker"
37 | 
38 | # Start and enable Services
39 | sudo systemctl daemon-reload 
40 | sudo systemctl restart docker
41 | sudo systemctl enable docker
42 | 
43 | # Modify bridge adapter setting
44 | # Configure sysctl.
45 | sudo modprobe overlay
46 | sudo modprobe br_netfilter
47 | 
48 | sudo tee /etc/sysctl.d/kubernetes.conf<<EOF
49 | net.bridge.bridge-nf-call-ip6tables = 1
50 | net.bridge.bridge-nf-call-iptables = 1
51 | net.ipv4.ip_forward = 1
52 | EOF
53 | 
54 | sudo sysctl --system
55 | 
56 | # Ensure that the br_netfilter module is loaded
57 | lsmod | grep br_netfilter
58 | 
59 | # Download cluster yaml file from S3 bucket
60 | aws s3 cp s3://your-rke-cluster-config-bucket/cluster.yml ./
61 | 
62 | # Get the value of the existing number of nodes listed in the config file and use that
63 | # number for creating a new node listing in the array
64 | aws configure set region eu-west-1
65 | HOSTNAME="$(curl http://169.254.169.254/latest/meta-data/local-ipv4)" NUMBER_OF_NODES="$(yq eval '.nodes | length' cluster.yml)" yq eval -i '
66 |   .nodes[env(NUMBER_OF_NODES)].address = env(HOSTNAME) |
67 |   .nodes[env(NUMBER_OF_NODES)].user = "ec2-user" |
68 |   .nodes[env(NUMBER_OF_NODES)].role[0] = "worker"
69 | ' ./cluster.yml
70 | 
71 | # Upload the cluster.yml file to the S3 bucket
72 | aws s3 cp ./cluster.yml s3://your-rke-cluster-config-bucket


--------------------------------------------------------------------------------
/infra-modules/app-environment/main.tf:
--------------------------------------------------------------------------------
 1 | # VPC
 2 | module "vpc_for_kubernetes_cluster" {
 3 |   source = "./vpc"
 4 |   cluster_name = var.cluster_name
 5 |   vpc_tag_name = "${var.cluster_name}-vpc"
 6 |   route_table_tag_name = "${var.cluster_name}-rt"
 7 |   # nlb_name = "${var.cluster_name}-nlb"
 8 |   region = var.region
 9 |   environment = var.environment
10 | }
11 | 
12 | # K8s Cluster Control Plane
13 | module "control_plane_for_kubernetes_cluster" {
14 |   depends_on = [
15 |     module.vpc_for_kubernetes_cluster
16 |   ]
17 |   source = "./cluster-asg"
18 |   cluster_name = var.cluster_name
19 |   name_prefix = "k8s-control-plane-01"
20 |   launch_template_tag = "k8s-control-plane-ec2-instance"
21 |   asg_tag = "K8s Control Plane"
22 |   instance_profile_name = "control_plane_profile"
23 |   vpc_id = module.vpc_for_kubernetes_cluster.vpc_id
24 |   private_subnet_ids = module.vpc_for_kubernetes_cluster.private_subnet_ids
25 |   public_subnet_ids = []
26 |   launch_template_security_group_ids = [
27 |     module.vpc_for_kubernetes_cluster.control_plane_sg_security_group_id,
28 |     # module.vpc_for_kubernetes_cluster.public_subnet_security_group_id
29 |   ]
30 |   # target_group_arn = module.vpc_for_kubernetes_cluster.target_group_arn
31 |   environment = var.environment
32 |   desired_capacity = 3
33 |   max_size = 6
34 |   min_size = 3
35 |   user_data = "master_userdata.sh"
36 |   key_name = var.key_name
37 | }
38 | 
39 | # K8s Cluster Worker Nodes
40 | module "worker_nodes_for_kubernetes_cluster" {
41 |   depends_on = [
42 |     module.vpc_for_kubernetes_cluster,
43 |     module.control_plane_for_kubernetes_cluster
44 |   ]
45 |   source = "./cluster-worker-asg"
46 |   cluster_name = var.cluster_name
47 |   name_prefix   = "k8s-worker-nodes"
48 |   launch_template_tag = "k8s-worker-nodes-ec2-instance"
49 |   asg_tag = "K8s Worker Nodes"
50 |   instance_profile_name = "worker_nodes_profile"
51 |   vpc_id = module.vpc_for_kubernetes_cluster.vpc_id
52 |   private_subnet_ids = module.vpc_for_kubernetes_cluster.private_subnet_ids
53 |   public_subnet_ids = []
54 |   launch_template_security_group_ids = [
55 |     module.vpc_for_kubernetes_cluster.data_plane_sg_security_group_id
56 |   ]
57 |   environment = var.environment
58 |   desired_capacity = 3
59 |   max_size = 6
60 |   min_size = 3
61 |   user_data = "worker_userdata.sh"
62 |   key_name = var.key_name
63 | }
64 | 
65 | # K8s Bastion Host
66 | module "bastion_host_for_kubernetes_cluster" {
67 |   depends_on = [
68 |     module.vpc_for_kubernetes_cluster,
69 |     module.control_plane_for_kubernetes_cluster,
70 |     module.worker_nodes_for_kubernetes_cluster
71 |   ]
72 |   source = "./bastion-asg"
73 |   cluster_name = var.cluster_name
74 |   name_prefix   = "k8s-bastion-host"
75 |   launch_template_tag = "k8s-bastion-host-ec2-instance"
76 |   asg_tag = "K8s Bastion Hosts"
77 |   instance_profile_name = "bastion_host_profile"
78 |   vpc_id = module.vpc_for_kubernetes_cluster.vpc_id
79 |   private_subnet_ids = module.vpc_for_kubernetes_cluster.private_subnet_ids
80 |   public_subnet_ids = module.vpc_for_kubernetes_cluster.public_subnet_ids
81 |   launch_template_security_group_ids = [
82 |     module.vpc_for_kubernetes_cluster.public_subnet_security_group_id
83 |   ]
84 |   environment = var.environment
85 |   desired_capacity = 1
86 |   max_size = 6
87 |   min_size = 1
88 |   user_data = "bastion_userdata.sh"
89 |   key_name = var.key_name
90 | }


--------------------------------------------------------------------------------
/infra-modules/app-environment/variables.tf:
--------------------------------------------------------------------------------
 1 | variable "profile" {
 2 |   description = "AWS profile"
 3 |   type        = string
 4 | }
 5 | 
 6 | variable "region" {
 7 |   description = "aws region to deploy to"
 8 |   type        = string
 9 | }
10 | 
11 | variable "cluster_name" {
12 |   description = "The name of the cluster"
13 |   type = string
14 | }
15 | 
16 | variable "environment" {
17 |   description = "Application environment"
18 |   type = string
19 | }
20 | 
21 | variable "key_name" {
22 |   type = string
23 | }


--------------------------------------------------------------------------------
/infra-modules/app-environment/vpc/control_plane_sg.tf:
--------------------------------------------------------------------------------
 1 | # Security group for control plane
 2 | resource "aws_security_group" "control_plane_sg" {
 3 |   name   = "k8s-control-plane-sg"
 4 |   vpc_id = aws_vpc.custom_vpc.id
 5 | 
 6 |   tags = {
 7 |     Name = "k8s-control-plane-sg-${var.environment}"
 8 |     "kubernetes.io/cluster/${var.cluster_name}" = "owned"
 9 |   }
10 | }
11 | 
12 | # Security group traffic rules
13 | ## Ingress rule
14 | resource "aws_security_group_rule" "control_plane_inbound" {
15 |   security_group_id = aws_security_group.control_plane_sg.id
16 |   type              = "ingress"
17 |   from_port   = 0
18 |   to_port     = 65535
19 |   protocol          = "tcp"
20 |   cidr_blocks = flatten([var.private_subnet_cidr_blocks, var.public_subnet_cidr_blocks])
21 | }
22 | 
23 | resource "aws_security_group_rule" "control_plane_inbound_ssh" {
24 |   security_group_id = aws_security_group.control_plane_sg.id
25 |   type              = "ingress"
26 |   from_port   = 0
27 |   to_port     = 22
28 |   protocol          = "tcp"
29 |   source_security_group_id = aws_security_group.public_sg.id
30 | }
31 | 
32 | resource "aws_security_group_rule" "control_plane_inbound_443" {
33 |   security_group_id = aws_security_group.public_sg.id
34 |   type              = "ingress"
35 |   from_port         = 443
36 |   to_port           = 443
37 |   protocol          = "tcp"
38 |   source_security_group_id = aws_security_group.public_sg.id
39 | }
40 | 
41 | resource "aws_security_group_rule" "control_plane_inbound_80" {
42 |   security_group_id = aws_security_group.public_sg.id
43 |   type              = "ingress"
44 |   from_port         = 80
45 |   to_port           = 80
46 |   protocol          = "tcp"
47 |   source_security_group_id = aws_security_group.public_sg.id
48 | }
49 | 
50 | ## Egress rule
51 | resource "aws_security_group_rule" "control_plane_outbound" {
52 |   security_group_id = aws_security_group.control_plane_sg.id
53 |   type              = "egress"
54 |   from_port   = 0
55 |   to_port     = 65535
56 |   protocol    = "-1"
57 |   cidr_blocks = ["0.0.0.0/0"]
58 | }


--------------------------------------------------------------------------------
/infra-modules/app-environment/vpc/data_plane_sg.tf:
--------------------------------------------------------------------------------
 1 | # Security group for data plane
 2 | resource "aws_security_group" "data_plane_sg" {
 3 |   name   = "k8s-data-plane-sg"
 4 |   vpc_id = aws_vpc.custom_vpc.id
 5 | 
 6 |   tags = {
 7 |     Name = "k8s-data-plane-sg-${var.environment}"
 8 |     "kubernetes.io/cluster/${var.cluster_name}" = "owned"
 9 |   }
10 | }
11 | 
12 | # Security group traffic rules
13 | ## Ingress rule
14 | resource "aws_security_group_rule" "nodes" {
15 |   description              = "Allow nodes to communicate with each other"
16 |   security_group_id = aws_security_group.data_plane_sg.id
17 |   type              = "ingress"
18 |   from_port   = 0
19 |   to_port     = 65535
20 |   protocol    = "-1"
21 |   cidr_blocks = flatten([var.private_subnet_cidr_blocks, var.public_subnet_cidr_blocks])
22 | }
23 | 
24 | resource "aws_security_group_rule" "nodes_inbound_ssh" {
25 |   security_group_id = aws_security_group.data_plane_sg.id
26 |   type              = "ingress"
27 |   from_port   = 0
28 |   to_port     = 22
29 |   protocol          = "tcp"
30 |   source_security_group_id = aws_security_group.public_sg.id
31 | }
32 | 
33 | resource "aws_security_group_rule" "nodes_inbound" {
34 |   description              = "Allow worker Kubelets and pods to receive communication from the cluster control plane"
35 |   security_group_id = aws_security_group.data_plane_sg.id
36 |   type              = "ingress"
37 |   from_port   = 1025
38 |   to_port     = 65535
39 |   protocol    = "tcp"
40 |   cidr_blocks = flatten([var.private_subnet_cidr_blocks])
41 | }
42 | 
43 | ## Egress rule
44 | resource "aws_security_group_rule" "node_outbound" {
45 |   security_group_id = aws_security_group.data_plane_sg.id
46 |   type              = "egress"
47 |   from_port   = 0
48 |   to_port     = 0
49 |   protocol    = "-1"
50 |   cidr_blocks = ["0.0.0.0/0"]
51 | }


--------------------------------------------------------------------------------
/infra-modules/app-environment/vpc/nat_gateway.tf:
--------------------------------------------------------------------------------
 1 | # Create Elastic IP
 2 | resource "aws_eip" "main" {
 3 |   vpc              = true
 4 | }
 5 | 
 6 | # Create NAT Gateway
 7 | resource "aws_nat_gateway" "main" {
 8 |   allocation_id = aws_eip.main.id
 9 |   subnet_id     = aws_subnet.public_subnet[0].id
10 | 
11 |   tags = {
12 |     Name = "NAT Gateway for Custom Kubernetes Cluster"
13 |   }
14 | }
15 | 
16 | # Add route to route table
17 | resource "aws_route" "main" {
18 |   route_table_id            = aws_vpc.custom_vpc.default_route_table_id
19 |   destination_cidr_block    = "0.0.0.0/0"
20 |   nat_gateway_id = aws_nat_gateway.main.id
21 | }


--------------------------------------------------------------------------------
/infra-modules/app-environment/vpc/nlb.tf:
--------------------------------------------------------------------------------
 1 | /* # Create NLB
 2 | resource "aws_lb" "nlb" {
 3 |   name               = var.nlb_name
 4 |   internal           = false
 5 |   load_balancer_type = "network"
 6 | 
 7 |   enable_deletion_protection = false
 8 | 
 9 |   subnets            = aws_subnet.public_subnet.*.id
10 | }
11 | 
12 | # NLB Target Group
13 | resource "aws_lb_target_group" "nlb_tg" {
14 |   depends_on  = [
15 |     aws_lb.nlb
16 |   ]
17 |   name        = "${var.nlb_name}-tg-${var.environment}"
18 |   port        = 6443
19 |   target_type = "instance"
20 |   protocol    = "TCP"
21 |   vpc_id      = aws_vpc.custom_vpc.id
22 | }
23 | 
24 | # Redirect all traffic from the NLB to the target group
25 | resource "aws_lb_listener" "nlb_listener" {
26 |   load_balancer_arn = aws_lb.nlb.id
27 |   port              = 6443
28 |   protocol    = "TCP"
29 | 
30 |   default_action {
31 |     target_group_arn = aws_lb_target_group.nlb_tg.id
32 |     type             = "forward"
33 |   }
34 | } */


--------------------------------------------------------------------------------
/infra-modules/app-environment/vpc/output.tf:
--------------------------------------------------------------------------------
 1 | output vpc_arn {
 2 |   value = aws_vpc.custom_vpc.arn
 3 | }
 4 | 
 5 | output vpc_id {
 6 |   value = aws_vpc.custom_vpc.id
 7 | }
 8 | 
 9 | output private_subnet_ids {
10 |   value = aws_subnet.private_subnet.*.id
11 | }
12 | 
13 | output public_subnet_ids {
14 |   value = aws_subnet.public_subnet.*.id
15 | }
16 | 
17 | output control_plane_sg_security_group_id {
18 |   value = aws_security_group.control_plane_sg.id
19 | }
20 | 
21 | output data_plane_sg_security_group_id {
22 |   value = aws_security_group.data_plane_sg.id
23 | }
24 | 
25 | output public_subnet_security_group_id {
26 |   value = aws_security_group.public_sg.id
27 | }
28 | 
29 | /* output nlb_id {
30 |   value = aws_lb.nlb.id
31 | } */
32 | 
33 | /* output target_group_arn {
34 |   value = aws_lb_target_group.nlb_tg.arn
35 | } */
36 | 


--------------------------------------------------------------------------------
/infra-modules/app-environment/vpc/public_sg.tf:
--------------------------------------------------------------------------------
 1 | # Security group for public subnet resources
 2 | resource "aws_security_group" "public_sg" {
 3 |   name   = "public-sg"
 4 |   vpc_id = aws_vpc.custom_vpc.id
 5 | 
 6 |   tags = {
 7 |     Name = "public-sg-${var.environment}"
 8 |     "kubernetes.io/cluster/${var.cluster_name}" = "owned"
 9 |   }
10 | }
11 | 
12 | # Security group traffic rules
13 | ## Ingress rule
14 | resource "aws_security_group_rule" "sg_ingress_public_22" {
15 |   security_group_id = aws_security_group.public_sg.id
16 |   type              = "ingress"
17 |   from_port         = 0
18 |   to_port           = 22
19 |   protocol          = "tcp"
20 |   cidr_blocks = ["0.0.0.0/0"]
21 | }
22 | 
23 | ## Egress rule
24 | resource "aws_security_group_rule" "sg_egress_public" {
25 |   security_group_id = aws_security_group.public_sg.id
26 |   type              = "egress"
27 |   from_port   = 0
28 |   to_port     = 0
29 |   protocol    = "-1"
30 |   cidr_blocks = ["0.0.0.0/0"]
31 | }


--------------------------------------------------------------------------------
/infra-modules/app-environment/vpc/vars.tf:
--------------------------------------------------------------------------------
 1 | variable "vpc_tag_name" {
 2 |   type        = string
 3 |   description = "Name tag for the VPC"
 4 | }
 5 | 
 6 | variable "route_table_tag_name" {
 7 |   type        = string
 8 |   default     = "main"
 9 |   description = "Route table description"
10 | }
11 | 
12 | variable "vpc_cidr_block" {
13 |   type        = string
14 |   default     = "10.0.0.0/16"
15 |   description = "CIDR block range for vpc"
16 | }
17 | 
18 | variable "private_subnet_cidr_blocks" {
19 |   type        = list(string)
20 |   default     = ["10.0.0.0/24", "10.0.1.0/24"]
21 |   description = "CIDR block range for the private subnet"
22 | }
23 | 
24 | variable "public_subnet_cidr_blocks" {
25 |   type = list(string)
26 |   default     = ["10.0.2.0/24", "10.0.3.0/24"]
27 |   description = "CIDR block range for the public subnet"
28 | }
29 | 
30 | variable "private_subnet_tag_name" {
31 |   type        = string
32 |   default = "Custom Kubernetes cluster private subnet"
33 |   description = "Name tag for the private subnet"
34 | }
35 | 
36 | variable "public_subnet_tag_name" {
37 |   type        = string
38 |   default = "Custom Kubernetes cluster public subnet"
39 |   description = "Name tag for the public subnet"
40 | }
41 | 
42 | /* variable "nlb_name" {
43 |   type = string
44 |   description = "The name of the NLB"
45 | } */
46 | 
47 | variable "environment" {
48 |   type        = string
49 |   description = "Application enviroment"
50 | }
51 | 
52 | variable "availability_zones" {
53 |   type  = list(string)
54 |   default = ["eu-west-1a", "eu-west-1b"]
55 |   description = "List of availability zones for the selected region"
56 | }
57 | 
58 | variable "region" {
59 |   description = "aws region to deploy to"
60 |   type        = string
61 | }
62 | 
63 | variable "cluster_name" {
64 |   description = "The name of the cluster"
65 |   type = string
66 | }


--------------------------------------------------------------------------------
/infra-modules/app-environment/vpc/vpc.tf:
--------------------------------------------------------------------------------
 1 | ### VPC Network Setup
 2 | resource "aws_vpc" "custom_vpc" {
 3 |   cidr_block       = var.vpc_cidr_block
 4 |   enable_dns_support = true
 5 |   enable_dns_hostnames = true
 6 | 
 7 |   tags = {
 8 |     Name = "${var.vpc_tag_name}-${var.environment}"
 9 |     "kubernetes.io/cluster/${var.cluster_name}" = "owned"
10 |   }
11 | }
12 | 
13 | # Create the private subnet
14 | resource "aws_subnet" "private_subnet" {
15 |   count = length(var.availability_zones)
16 |   vpc_id            = aws_vpc.custom_vpc.id
17 |   cidr_block = element(var.private_subnet_cidr_blocks, count.index)
18 |   availability_zone = element(var.availability_zones, count.index)
19 | 
20 |   tags = {
21 |     Name = "${var.private_subnet_tag_name}-${var.environment}"
22 |     "kubernetes.io/cluster/${var.cluster_name}" = "owned"
23 |     "kubernetes.io/role/internal-elb" = 1
24 |   }
25 | }
26 | 
27 | # Create the public subnet
28 | resource "aws_subnet" "public_subnet" {
29 |   count = length(var.availability_zones)
30 |   vpc_id            = "${aws_vpc.custom_vpc.id}"
31 |   cidr_block = element(var.public_subnet_cidr_blocks, count.index)
32 |   availability_zone = element(var.availability_zones, count.index)
33 | 
34 |   tags = {
35 |     Name = "${var.public_subnet_tag_name}-${var.environment}"
36 |     "kubernetes.io/cluster/${var.cluster_name}" = "owned"
37 |     "kubernetes.io/role/elb" = 1
38 |   }
39 | 
40 |   map_public_ip_on_launch = true
41 | }
42 | 
43 | # Create IGW for the public subnets
44 | resource "aws_internet_gateway" "igw" {
45 |   vpc_id = "${aws_vpc.custom_vpc.id}"
46 | 
47 |   tags = {
48 |     Name = "${var.vpc_tag_name}-${var.environment}"
49 |     "kubernetes.io/cluster/${var.cluster_name}" = "owned"
50 |   }
51 | }
52 | 
53 | # Route the public subnet traffic through the IGW
54 | resource "aws_route_table" "main" {
55 |   vpc_id = "${aws_vpc.custom_vpc.id}"
56 | 
57 |   route {
58 |     cidr_block = "0.0.0.0/0"
59 |     gateway_id = "${aws_internet_gateway.igw.id}"
60 |   }
61 | 
62 |   tags = {
63 |     Name = "${var.route_table_tag_name}-${var.environment}"
64 |     "kubernetes.io/cluster/${var.cluster_name}" = "owned"
65 |   }
66 | }
67 | 
68 | # Route table and subnet associations
69 | resource "aws_route_table_association" "internet_access" {
70 |   count = length(var.availability_zones)
71 |   subnet_id      = "${aws_subnet.public_subnet[count.index].id}"
72 |   route_table_id = "${aws_route_table.main.id}"
73 | }


--------------------------------------------------------------------------------
/openSUSE-Leap-AWS.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LukeMwila/bootstrap-rke-cluster-in-aws/437ea65968bde56309733bccaf75e302f9295af1/openSUSE-Leap-AWS.png


--------------------------------------------------------------------------------
/rke-aws-k8s.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LukeMwila/bootstrap-rke-cluster-in-aws/437ea65968bde56309733bccaf75e302f9295af1/rke-aws-k8s.png


--------------------------------------------------------------------------------
/rke-cluster-config/cluster.yml:
--------------------------------------------------------------------------------
 1 | cloud_provider:
 2 |   name: aws
 3 | nodes:
 4 | # SSH key path
 5 | ssh_key_path: ./ec2-ssh-key.pem
 6 | # Name of the K8s Cluster
 7 | cluster_name: your-cluster-name
 8 | services:
 9 |   kube-api:
10 |     # IP range for any services created on Kubernetes
11 |     # This must match the service_cluster_ip_range in kube-controller
12 |     service_cluster_ip_range: 172.16.0.0/16
13 |     # Expose a different port range for NodePort services
14 |     service_node_port_range: 30000-32767
15 |     pod_security_policy: false
16 |   kube-controller:
17 |     # CIDR pool used to assign IP addresses to pods in the cluster
18 |     cluster_cidr: 172.15.0.0/16
19 |     # IP range for any services created on Kubernetes
20 |     # This must match the service_cluster_ip_range in kube-api
21 |     service_cluster_ip_range: 172.16.0.0/16
22 |   kubelet:
23 |     # Base domain for the cluster
24 |     cluster_domain: cluster.local
25 |     # IP address for the DNS service endpoint
26 |     cluster_dns_server: 172.16.0.10
27 |     # Fail if swap is on
28 |     fail_swap_on: false
29 | network:
30 |   plugin: calico
31 | # Specify DNS provider (coredns or kube-dns)
32 | dns:
33 |   provider: coredns
34 | # Kubernetes Authorization mode
35 | # Enable RBAC
36 | authorization:
37 |   mode: rbac
38 | # Specify monitoring provider (metrics-server)
39 | monitoring:
40 |   provider: metrics-server
41 | 


--------------------------------------------------------------------------------
/terragrunt.hcl:
--------------------------------------------------------------------------------
 1 | generate "provider" {
 2 |   path = "provider.tf"
 3 |   if_exists = "overwrite_terragrunt"
 4 |   contents = <<EOF
 5 |   provider "aws" {
 6 |      region  = "eu-west-1"
 7 |      profile = "your-aws-profile"
 8 |   }
 9 |   terraform {
10 |   required_providers {
11 |     aws = {
12 |       source  = "hashicorp/aws"
13 |       version = "2.57"
14 |     }
15 | }
16 |   required_version = "~> 1.1.2"
17 |   backend "s3" {}
18 |   }
19 | EOF
20 | }
21 | 
22 | remote_state {
23 |   backend = "s3"
24 |   config = {
25 |     encrypt                 = true
26 |     bucket                  = "your-terraform-state-bucket"
27 |     key                     = "${path_relative_to_include()}/terraform.tfstate"
28 |     dynamodb_table          = "your-terraform-lock-table"
29 |     profile                 = "your-aws-profile"
30 |     region                  = "eu-west-1"
31 |   }
32 | }
33 | 


--------------------------------------------------------------------------------