├── LICENSE
├── README.md
├── database
    ├── main.tf
    └── variable.tf
├── eks
    ├── main.tf
    ├── output.tf
    └── variable.tf
├── kubernetes
    ├── app.tf
    ├── main.tf
    └── variable.tf
├── main.tf
├── output.tf
├── production.tfvars
├── testing.tfvars
├── variable.tf
└── vpc
    ├── main.tf
    ├── output.tf
    └── variable.tf


/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2020 Harshetjain666
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # AWS EKS Fargate setup with terraform
2 | 
3 | Source code of my AWS EKS with fargate cluster setup.
4 | 
5 | To Know more go to
6 | 
7 | https://harshetjain.medium.com/with-latest-updates-create-amazon-eks-fargate-cluster-and-managed-node-group-using-terraform-bc5cfefd5773
8 | 


--------------------------------------------------------------------------------
/database/main.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_db_subnet_group" "Groups" {
 2 |   name       = "db groups"
 3 |   subnet_ids = var.private_subnets
 4 | 
 5 |   tags = {
 6 |     Name = "DB subnet group"  
 7 |   }
 8 | }
 9 | 
10 | resource "aws_security_group" "data" {
11 |   name        = "data-SG"
12 |   description = "Allow mysql inbound traffic"
13 |   vpc_id      = var.vpc_id
14 | 
15 |   ingress {
16 |     description      = "Traffic"
17 |     from_port        = 3306
18 |     to_port          = 3306
19 |     protocol         = "tcp"
20 |   }
21 | 
22 |   tags = {
23 |     Name = "data_server-SG"
24 |   }
25 | 
26 | }
27 | 
28 | data "aws_secretsmanager_secret_version" "credentials" {
29 |   secret_id     = "${var.secret_id}"
30 | }
31 |  
32 | locals {
33 |   cred = jsondecode(
34 |     data.aws_secretsmanager_secret_version.credentials.secret_string
35 |   )
36 | }
37 | 
38 | resource "aws_db_instance" "db" {
39 |   identifier             = "${var.identifier}-${var.environment}"
40 |   allocated_storage      = "${var.allocated_storage}"
41 |   storage_type           = "${var.storage_type}"
42 |   engine                 = "${var.engine}"
43 |   engine_version         = "${var.engine_version}"
44 |   instance_class         = "${var.instance_class}"
45 |   name                   = "${var.database_name}"
46 |   publicly_accessible    = false
47 |   db_subnet_group_name   = aws_db_subnet_group.Groups.name
48 |   vpc_security_group_ids = [aws_security_group.data.id]
49 |   username               = local.cred.username
50 |   password               = local.cred.password
51 | 
52 | 
53 |  depends_on = [ aws_db_subnet_group.Groups, aws_security_group.data ]
54 | 
55 | }
56 | 
57 | 


--------------------------------------------------------------------------------
/database/variable.tf:
--------------------------------------------------------------------------------
 1 | variable "secret_id" {
 2 |     description = "Put your secret name here"
 3 | }
 4 | 
 5 | variable "identifier" {
 6 |     description = "Enter the name of our database which is unique in that region"
 7 | }
 8 | 
 9 | variable "allocated_storage" {
10 |     description = "Enter the storage of database"
11 | }
12 | 
13 | variable "storage_type" {
14 |     description = "Put the type of storage you want"
15 | }
16 | 
17 | variable "engine" {
18 |     description = "Put your database engine you want eg. mysql"
19 | }
20 | 
21 | variable "engine_version" {
22 |     description = "Which version you want of your db engine"
23 | }
24 | 
25 | variable "instance_class" {
26 |     description = "Which type of instance you need like ram and cpu  eg. db.t2.micro"
27 | }
28 | 
29 | variable "database_name" {
30 |     description = "Enter your initial database name"
31 | }
32 | 
33 | variable "environment" {
34 |     description = "your environment name"
35 | }
36 | 
37 | variable "private_subnets" {
38 |   description = "List of private subnet IDs"
39 | }
40 | 
41 | variable "vpc_id" {
42 |   description      =  "put your vpc id"
43 | }


--------------------------------------------------------------------------------
/eks/main.tf:
--------------------------------------------------------------------------------
  1 | 
  2 | resource "aws_eks_cluster" "eks_cluster" {
  3 |   name     = "${var.cluster_name}-${var.environment}"
  4 |    
  5 |   role_arn = aws_iam_role.eks_cluster_role.arn
  6 |   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
  7 |   
  8 |   
  9 |    vpc_config {
 10 |     subnet_ids =  concat(var.public_subnets, var.private_subnets)
 11 |   }
 12 |    
 13 |    timeouts {
 14 |      delete    =  "30m"
 15 |    }
 16 |   
 17 |   depends_on = [
 18 |     aws_iam_role_policy_attachment.AmazonEKSClusterPolicy1,
 19 |     aws_iam_role_policy_attachment.AmazonEKSVPCResourceController1,
 20 |     aws_cloudwatch_log_group.cloudwatch_log_group
 21 |   ]
 22 | }
 23 | 
 24 | resource "aws_iam_policy" "AmazonEKSClusterCloudWatchMetricsPolicy" {
 25 |   name   = "AmazonEKSClusterCloudWatchMetricsPolicy"
 26 |   policy = <<EOF
 27 | {
 28 |     "Version": "2012-10-17",
 29 |     "Statement": [
 30 |         {
 31 |             "Action": [
 32 |                 "cloudwatch:PutMetricData"
 33 |             ],
 34 |             "Resource": "*",
 35 |             "Effect": "Allow"
 36 |         }
 37 |     ]
 38 | }
 39 | EOF
 40 | }
 41 | 
 42 | 
 43 | resource "aws_iam_role" "eks_cluster_role" {
 44 |   name = "${var.cluster_name}-cluster-role"
 45 |   description = "Allow cluster to manage node groups, fargate nodes and cloudwatch logs"
 46 |   force_detach_policies = true
 47 |   assume_role_policy = <<POLICY
 48 | {
 49 |   "Version": "2012-10-17",
 50 |   "Statement": [
 51 |     {
 52 |       "Effect": "Allow",
 53 |       "Principal": {
 54 |         "Service": [
 55 |           "eks.amazonaws.com",
 56 |           "eks-fargate-pods.amazonaws.com"
 57 |           ]
 58 |       },
 59 |       "Action": "sts:AssumeRole"
 60 |     }
 61 |   ]
 62 | }
 63 | POLICY
 64 | }
 65 | 
 66 | resource "aws_iam_role_policy_attachment" "AmazonEKSClusterPolicy1" {
 67 |   policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
 68 |   role       = aws_iam_role.eks_cluster_role.name
 69 | }
 70 | 
 71 | resource "aws_iam_role_policy_attachment" "AmazonEKSCloudWatchMetricsPolicy" {
 72 |   policy_arn = aws_iam_policy.AmazonEKSClusterCloudWatchMetricsPolicy.arn
 73 |   role       = aws_iam_role.eks_cluster_role.name
 74 | }
 75 | 
 76 | resource "aws_iam_role_policy_attachment" "AmazonEKSVPCResourceController1" {
 77 |   policy_arn = "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController"
 78 |   role       = aws_iam_role.eks_cluster_role.name
 79 | }
 80 | 
 81 | resource "aws_cloudwatch_log_group" "cloudwatch_log_group" {
 82 |   name              = "/aws/eks/${var.cluster_name}-${var.environment}/cluster"
 83 |   retention_in_days = 30
 84 | 
 85 |   tags = {
 86 |     Name        = "${var.cluster_name}-${var.environment}-eks-cloudwatch-log-group"
 87 |   }
 88 | }
 89 | 
 90 | resource "aws_eks_fargate_profile" "eks_fargate" {
 91 |   cluster_name           = aws_eks_cluster.eks_cluster.name
 92 |   fargate_profile_name   = "${var.cluster_name}-${var.environment}-fargate-profile"
 93 |   pod_execution_role_arn = aws_iam_role.eks_fargate_role.arn
 94 |   subnet_ids             = var.private_subnets
 95 | 
 96 |   selector {
 97 |     namespace = "${var.fargate_namespace}"
 98 |   }
 99 | 
100 |   
101 | 
102 |   timeouts {
103 |     create   = "30m"
104 |     delete   = "30m"
105 |   }
106 | }
107 | 
108 | resource "aws_iam_role" "eks_fargate_role" {
109 |   name = "${var.cluster_name}-fargate_cluster_role"
110 |   description = "Allow fargate cluster to allocate resources for running pods"
111 |   force_detach_policies = true
112 |   assume_role_policy = <<POLICY
113 | {
114 |   "Version": "2012-10-17",
115 |   "Statement": [
116 |     {
117 |       "Effect": "Allow",
118 |       "Principal": {
119 |         "Service": [
120 |           "eks.amazonaws.com",
121 |           "eks-fargate-pods.amazonaws.com"
122 |           ]
123 |       },
124 |       "Action": "sts:AssumeRole"
125 |     }
126 |   ]
127 | }
128 | POLICY
129 | }
130 | 
131 | resource "aws_iam_role_policy_attachment" "AmazonEKSFargatePodExecutionRolePolicy" {
132 |   policy_arn = "arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy"
133 |   role       = aws_iam_role.eks_fargate_role.name
134 | }
135 | 
136 | resource "aws_iam_role_policy_attachment" "AmazonEKSClusterPolicy" {
137 |   policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
138 |   role       = aws_iam_role.eks_fargate_role.name
139 | }
140 | 
141 | 
142 | resource "aws_iam_role_policy_attachment" "AmazonEKSVPCResourceController" {
143 |   policy_arn = "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController"
144 |   role       = aws_iam_role.eks_fargate_role.name
145 | }
146 | 
147 | 
148 | 
149 | resource "aws_eks_node_group" "eks_node_group" {
150 |   cluster_name    = aws_eks_cluster.eks_cluster.name
151 |   node_group_name = "${var.cluster_name}-${var.environment}-node_group"
152 |   node_role_arn   = aws_iam_role.eks_node_group_role.arn
153 |   subnet_ids      = var.public_subnets
154 | 
155 |   scaling_config {
156 |     desired_size = 2
157 |     max_size     = 3
158 |     min_size     = 2
159 |   }
160 | 
161 |   instance_types  = ["${var.eks_node_group_instance_types}"]
162 | 
163 |   depends_on = [
164 |     aws_iam_role_policy_attachment.AmazonEKSWorkerNodePolicy,
165 |     aws_iam_role_policy_attachment.AmazonEKS_CNI_Policy,
166 |     aws_iam_role_policy_attachment.AmazonEC2ContainerRegistryReadOnly,
167 |   ]
168 | }
169 | 
170 | resource "aws_iam_role" "eks_node_group_role" {
171 |   name = "${var.cluster_name}-node-group_role"
172 | 
173 |   assume_role_policy = jsonencode({
174 |     Statement = [{
175 |       Action = "sts:AssumeRole"
176 |       Effect = "Allow"
177 |       Principal = {
178 |         Service = "ec2.amazonaws.com"
179 |       }
180 |     }]
181 |     Version = "2012-10-17"
182 |   })
183 | }
184 | 
185 | resource "aws_iam_role_policy_attachment" "AmazonEKSWorkerNodePolicy" {
186 |   policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
187 |   role       = aws_iam_role.eks_node_group_role.name
188 | }
189 | 
190 | resource "aws_iam_role_policy_attachment" "AmazonEKS_CNI_Policy" {
191 |   policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
192 |   role       = aws_iam_role.eks_node_group_role.name
193 | }
194 | 
195 | resource "aws_iam_role_policy_attachment" "AmazonEC2ContainerRegistryReadOnly" {
196 |   policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
197 |   role       = aws_iam_role.eks_node_group_role.name
198 | }
199 | 
200 | data "tls_certificate" "auth" {
201 |   url = aws_eks_cluster.eks_cluster.identity[0].oidc[0].issuer
202 | }
203 | 
204 | resource "aws_iam_openid_connect_provider" "main" {
205 |   client_id_list  = ["sts.amazonaws.com"]
206 |   thumbprint_list = [data.tls_certificate.auth.certificates[0].sha1_fingerprint]
207 |   url             = aws_eks_cluster.eks_cluster.identity[0].oidc[0].issuer
208 | }
209 | 
210 | 
211 | 


--------------------------------------------------------------------------------
/eks/output.tf:
--------------------------------------------------------------------------------
1 | output "cluster_id" {
2 | value  = aws_eks_cluster.eks_cluster.id
3 | }
4 | 
5 | output "cluster_name" {
6 |   value = aws_eks_cluster.eks_cluster.name
7 | }


--------------------------------------------------------------------------------
/eks/variable.tf:
--------------------------------------------------------------------------------
 1 | variable "cluster_name" {
 2 |   description = "the name of your stack, e.g. \"demo\""
 3 | }
 4 | 
 5 | variable "environment" {
 6 |   description = "the name of your environment, e.g. \"prod\""
 7 | }
 8 | 
 9 | variable "eks_node_group_instance_types" {
10 |   description  = "Instance type of node group"
11 | }
12 | 
13 | 
14 | variable "private_subnets" {
15 |   description = "List of private subnet IDs"
16 | }
17 | 
18 | variable "public_subnets" {
19 |   description = "List of private subnet IDs"
20 | }
21 | 
22 | variable "fargate_namespace" {
23 |   description = "Name of fargate selector namespace"
24 | }


--------------------------------------------------------------------------------
/kubernetes/app.tf:
--------------------------------------------------------------------------------
  1 | resource "kubernetes_namespace" "fargate" {
  2 |   metadata {
  3 |     labels = {
  4 |       app = "owncloud"
  5 |     }
  6 |     name = "fargate-node"
  7 |   }
  8 | }
  9 | 
 10 | resource "kubernetes_deployment" "app" {
 11 |   metadata {
 12 |     name      = "owncloud-server"
 13 |     namespace = "fargate-node"
 14 |     labels    = {
 15 |       app = "owncloud"
 16 |     }
 17 |   }
 18 | 
 19 |   spec {
 20 |     replicas = 2
 21 | 
 22 |     selector {
 23 |       match_labels = {
 24 |         app = "owncloud"
 25 |       }
 26 |     }
 27 | 
 28 |     template {
 29 |       metadata {
 30 |         labels = {
 31 |           app = "owncloud"
 32 |         }
 33 |       }
 34 | 
 35 |       spec {
 36 |         container {
 37 |           image = "owncloud"
 38 |           name  = "owncloud-server"
 39 | 
 40 |           port {
 41 |             container_port = 80
 42 |           }
 43 |         }
 44 |       }
 45 |     }
 46 |   }
 47 |    depends_on = [kubernetes_namespace.fargate]
 48 | 
 49 | }
 50 | 
 51 | resource "kubernetes_service" "app" {
 52 |   metadata {
 53 |     name      = "owncloud-service"
 54 |     namespace = "fargate-node"
 55 |   }
 56 |   spec {
 57 |     selector = {
 58 |       app = "owncloud"
 59 |     }
 60 | 
 61 |     port {
 62 |       port        = 80
 63 |       target_port = 80
 64 |       protocol    = "TCP"
 65 |     }
 66 | 
 67 |     type = "NodePort"
 68 |   }
 69 | 
 70 |   depends_on = [kubernetes_deployment.app]
 71 | }
 72 | 
 73 | resource "kubernetes_ingress" "app" {
 74 |   metadata {
 75 |     name      = "owncloud-lb"
 76 |     namespace = "fargate-node"
 77 |     annotations = {
 78 |       "kubernetes.io/ingress.class"           = "alb"
 79 |       "alb.ingress.kubernetes.io/scheme"      = "internet-facing"
 80 |       "alb.ingress.kubernetes.io/target-type" = "ip"
 81 |     }
 82 |     labels = {
 83 |         "app" = "owncloud"
 84 |     }
 85 |   }
 86 | 
 87 |   spec {
 88 |       backend {
 89 |         service_name = "owncloud-service"
 90 |         service_port = 80
 91 |       }
 92 |     rule {
 93 |       http {
 94 |         path {
 95 |           path = "/"
 96 |           backend {
 97 |             service_name = "owncloud-service"
 98 |             service_port = 80
 99 |           }
100 |         }
101 |       }
102 |     }
103 |   }
104 | 
105 |   depends_on = [kubernetes_service.app]
106 | }


--------------------------------------------------------------------------------
/kubernetes/main.tf:
--------------------------------------------------------------------------------
  1 | 
  2 | data "aws_eks_cluster" "cluster" {
  3 |   name = var.cluster_id
  4 | }
  5 | 
  6 | data "aws_eks_cluster_auth" "cluster" {
  7 |   name = var.cluster_id
  8 | }
  9 | 
 10 | data "aws_caller_identity" "current" {}
 11 | 
 12 | provider "kubernetes" {
 13 |   host                   = data.aws_eks_cluster.cluster.endpoint
 14 |   cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority[0].data)
 15 |   token                  = data.aws_eks_cluster_auth.cluster.token
 16 |   load_config_file       = false
 17 | }
 18 | 
 19 | resource "aws_iam_policy" "ALB-policy" {
 20 |   name   = "ALBIngressControllerIAMPolicy"
 21 |   policy = <<POLICY
 22 | {
 23 |   "Version": "2012-10-17",
 24 |   "Statement": [
 25 |     {
 26 |       "Effect": "Allow",
 27 |       "Action": [
 28 |         "acm:DescribeCertificate",
 29 |         "acm:ListCertificates",
 30 |         "acm:GetCertificate"
 31 |       ],
 32 |       "Resource": "*"
 33 |     },
 34 |     {
 35 |       "Effect": "Allow",
 36 |       "Action": [
 37 |         "ec2:AuthorizeSecurityGroupIngress",
 38 |         "ec2:CreateSecurityGroup",
 39 |         "ec2:CreateTags",
 40 |         "ec2:DeleteTags",
 41 |         "ec2:DeleteSecurityGroup",
 42 |         "ec2:DescribeAccountAttributes",
 43 |         "ec2:DescribeAddresses",
 44 |         "ec2:DescribeInstances",
 45 |         "ec2:DescribeInstanceStatus",
 46 |         "ec2:DescribeInternetGateways",
 47 |         "ec2:DescribeNetworkInterfaces",
 48 |         "ec2:DescribeSecurityGroups",
 49 |         "ec2:DescribeSubnets",
 50 |         "ec2:DescribeTags",
 51 |         "ec2:DescribeVpcs",
 52 |         "ec2:ModifyInstanceAttribute",
 53 |         "ec2:ModifyNetworkInterfaceAttribute",
 54 |         "ec2:RevokeSecurityGroupIngress"
 55 |       ],
 56 |       "Resource": "*"
 57 |     },
 58 |     {
 59 |       "Effect": "Allow",
 60 |       "Action": [
 61 |         "elasticloadbalancing:AddListenerCertificates",
 62 |         "elasticloadbalancing:AddTags",
 63 |         "elasticloadbalancing:CreateListener",
 64 |         "elasticloadbalancing:CreateLoadBalancer",
 65 |         "elasticloadbalancing:CreateRule",
 66 |         "elasticloadbalancing:CreateTargetGroup",
 67 |         "elasticloadbalancing:DeleteListener",
 68 |         "elasticloadbalancing:DeleteLoadBalancer",
 69 |         "elasticloadbalancing:DeleteRule",
 70 |         "elasticloadbalancing:DeleteTargetGroup",
 71 |         "elasticloadbalancing:DeregisterTargets",
 72 |         "elasticloadbalancing:DescribeListenerCertificates",
 73 |         "elasticloadbalancing:DescribeListeners",
 74 |         "elasticloadbalancing:DescribeLoadBalancers",
 75 |         "elasticloadbalancing:DescribeLoadBalancerAttributes",
 76 |         "elasticloadbalancing:DescribeRules",
 77 |         "elasticloadbalancing:DescribeSSLPolicies",
 78 |         "elasticloadbalancing:DescribeTags",
 79 |         "elasticloadbalancing:DescribeTargetGroups",
 80 |         "elasticloadbalancing:DescribeTargetGroupAttributes",
 81 |         "elasticloadbalancing:DescribeTargetHealth",
 82 |         "elasticloadbalancing:ModifyListener",
 83 |         "elasticloadbalancing:ModifyLoadBalancerAttributes",
 84 |         "elasticloadbalancing:ModifyRule",
 85 |         "elasticloadbalancing:ModifyTargetGroup",
 86 |         "elasticloadbalancing:ModifyTargetGroupAttributes",
 87 |         "elasticloadbalancing:RegisterTargets",
 88 |         "elasticloadbalancing:RemoveListenerCertificates",
 89 |         "elasticloadbalancing:RemoveTags",
 90 |         "elasticloadbalancing:SetIpAddressType",
 91 |         "elasticloadbalancing:SetSecurityGroups",
 92 |         "elasticloadbalancing:SetSubnets",
 93 |         "elasticloadbalancing:SetWebACL"
 94 |       ],
 95 |       "Resource": "*"
 96 |     },
 97 |     {
 98 |       "Effect": "Allow",
 99 |       "Action": [
100 |         "iam:CreateServiceLinkedRole",
101 |         "iam:GetServerCertificate",
102 |         "iam:ListServerCertificates"
103 |       ],
104 |       "Resource": "*"
105 |     },
106 |     {
107 |       "Effect": "Allow",
108 |       "Action": [
109 |         "cognito-idp:DescribeUserPoolClient"
110 |       ],
111 |       "Resource": "*"
112 |     },
113 |     {
114 |       "Effect": "Allow",
115 |       "Action": [
116 |         "waf-regional:GetWebACLForResource",
117 |         "waf-regional:GetWebACL",
118 |         "waf-regional:AssociateWebACL",
119 |         "waf-regional:DisassociateWebACL"
120 |       ],
121 |       "Resource": "*"
122 |     },
123 |     {
124 |       "Effect": "Allow",
125 |       "Action": [
126 |         "tag:GetResources",
127 |         "tag:TagResources"
128 |       ],
129 |       "Resource": "*"
130 |     },
131 |     {
132 |       "Effect": "Allow",
133 |       "Action": [
134 |         "waf:GetWebACL"
135 |       ],
136 |       "Resource": "*"
137 |     }
138 |   ]
139 | }
140 | POLICY
141 | }
142 | 
143 | resource "aws_iam_role" "eks_alb_ingress_controller" {
144 |   name        = "eks-alb-ingress-controller"
145 |   description = "Permissions required by the Kubernetes AWS ALB Ingress controller to do it's job."
146 | 
147 |   force_detach_policies = true
148 | 
149 |   assume_role_policy = <<ROLE
150 | {
151 |   "Version": "2012-10-17",
152 |   "Statement": [
153 |     {
154 |       "Effect": "Allow",
155 |       "Principal": {
156 |         "Federated": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${replace(data.aws_eks_cluster.cluster.identity[0].oidc[0].issuer, "https://", "")}"
157 |       },
158 |       "Action": "sts:AssumeRoleWithWebIdentity",
159 |       "Condition": {
160 |         "StringEquals": {
161 |           "${replace(data.aws_eks_cluster.cluster.identity[0].oidc[0].issuer, "https://", "")}:sub": "system:serviceaccount:kube-system:alb-ingress-controller"
162 |         }
163 |       }
164 |     }
165 |   ]
166 | }
167 | ROLE
168 | }
169 | 
170 | resource "aws_iam_role_policy_attachment" "ALB-policy_attachment" {
171 |   policy_arn = aws_iam_policy.ALB-policy.arn
172 |   role       = aws_iam_role.eks_alb_ingress_controller.name
173 | }
174 | 
175 | resource "kubernetes_cluster_role" "ingress" {
176 |   metadata {
177 |     name = "alb-ingress-controller"
178 |     labels = {
179 |       "app.kubernetes.io/name"       = "alb-ingress-controller"
180 |       "app.kubernetes.io/managed-by" = "terraform"
181 |     }
182 |   }
183 | 
184 |   rule {
185 |     api_groups = ["", "extensions"]
186 |     resources  = ["configmaps", "endpoints", "events", "ingresses", "ingresses/status", "services"]
187 |     verbs      = ["create", "get", "list", "update", "watch", "patch"]
188 |   }
189 | 
190 |   rule {
191 |     api_groups = ["", "extensions"]
192 |     resources  = ["nodes", "pods", "secrets", "services", "namespaces"]
193 |     verbs      = ["get", "list", "watch"]
194 |   }
195 | }
196 | 
197 | resource "kubernetes_cluster_role_binding" "ingress" {
198 |   metadata {
199 |     name = "alb-ingress-controller"
200 |     labels = {
201 |       "app.kubernetes.io/name"       = "alb-ingress-controller"
202 |       "app.kubernetes.io/managed-by" = "terraform"
203 |     }
204 |   }
205 |   role_ref {
206 |     api_group = "rbac.authorization.k8s.io"
207 |     kind      = "ClusterRole"
208 |     name      = kubernetes_cluster_role.ingress.metadata[0].name
209 |   }
210 |   subject {
211 |     kind      = "ServiceAccount"
212 |     name      = kubernetes_service_account.ingress.metadata[0].name
213 |     namespace = kubernetes_service_account.ingress.metadata[0].namespace
214 |   }
215 | 
216 |   depends_on = [kubernetes_cluster_role.ingress]
217 | }
218 | 
219 | resource "kubernetes_service_account" "ingress" {
220 |   automount_service_account_token = true
221 |   metadata {
222 |     name      = "alb-ingress-controller"
223 |     namespace = "kube-system"
224 |     labels    = {
225 |       "app.kubernetes.io/name"       = "alb-ingress-controller"
226 |       "app.kubernetes.io/managed-by" = "terraform"
227 |     }
228 |     annotations = {
229 |       "eks.amazonaws.com/role-arn" = aws_iam_role.eks_alb_ingress_controller.arn
230 |     }
231 |   }
232 | }
233 | 
234 | resource "kubernetes_deployment" "ingress" {
235 |   metadata {
236 |     name      = "alb-ingress-controller"
237 |     namespace = "kube-system"
238 |     labels    = {
239 |       "app.kubernetes.io/name"       = "alb-ingress-controller"
240 |       "app.kubernetes.io/version"    = "v1.1.6"
241 |       "app.kubernetes.io/managed-by" = "terraform"
242 |     }
243 |   }
244 | 
245 |   spec {
246 |     replicas = 1
247 | 
248 |     selector {
249 |       match_labels = {
250 |         "app.kubernetes.io/name" = "alb-ingress-controller"
251 |       }
252 |     }
253 | 
254 |     template {
255 |       metadata {
256 |         labels = {
257 |           "app.kubernetes.io/name"    = "alb-ingress-controller"
258 |           "app.kubernetes.io/version" = "v1.1.6"
259 |         }
260 |       }
261 | 
262 |       spec {
263 |         dns_policy                       = "ClusterFirst"
264 |         restart_policy                   = "Always"
265 |         service_account_name             = kubernetes_service_account.ingress.metadata[0].name
266 |         termination_grace_period_seconds = 60
267 | 
268 |         container {
269 |           name              = "alb-ingress-controller"
270 |           image             = "docker.io/amazon/aws-alb-ingress-controller:v1.1.6"
271 |           image_pull_policy = "Always"
272 |           
273 |           args = [
274 |             "--ingress-class=alb",
275 |             "--cluster-name=${var.cluster_name}",
276 |             "--aws-vpc-id=${var.vpc_id}",
277 |             "--aws-region=us-east-1",
278 |             "--aws-max-retries=10",
279 |           ] 
280 |            volume_mount {
281 |             mount_path = "/var/run/secrets/kubernetes.io/serviceaccount"
282 |             name       = kubernetes_service_account.ingress.default_secret_name
283 |             read_only  = true
284 |           }
285 |         }
286 |         volume {
287 |           name = kubernetes_service_account.ingress.default_secret_name
288 | 
289 |           secret {
290 |             secret_name = kubernetes_service_account.ingress.default_secret_name
291 |            }
292 |          }
293 |       }
294 |     }
295 |   }
296 | 
297 |   depends_on = [kubernetes_cluster_role_binding.ingress]
298 | }
299 | 
300 | 
301 | 
302 | 


--------------------------------------------------------------------------------
/kubernetes/variable.tf:
--------------------------------------------------------------------------------
 1 | variable "cluster_id" {
 2 |     description    =  "Put your cluster id here"
 3 | }
 4 | 
 5 | variable "vpc_id" {
 6 |   description      =  "put your vpc id"
 7 | }
 8 | 
 9 | variable "cluster_name" {
10 |   description      =   "put your cluster name here"
11 | }


--------------------------------------------------------------------------------
/main.tf:
--------------------------------------------------------------------------------
 1 | provider "aws" {
 2 |   region = "us-east-1"
 3 |   profile = "default"
 4 | }
 5 | 
 6 | module "vpc" {
 7 |     source                              = "./vpc"
 8 |     environment                         =  var.environment
 9 |     vpc_cidr                            =  var.vpc_cidr
10 |     vpc_name                            =  var.vpc_name
11 |     cluster_name                        =  var.cluster_name
12 |     public_subnets_cidr                 =  var.public_subnets_cidr
13 |     availability_zones_public           =  var.availability_zones_public
14 |     private_subnets_cidr                =  var.private_subnets_cidr
15 |     availability_zones_private          =  var.availability_zones_private
16 |     cidr_block-nat_gw                   =  var.cidr_block-nat_gw
17 |     cidr_block-internet_gw              =  var.cidr_block-internet_gw
18 | }
19 | 
20 | 
21 | module "eks" {
22 |     source                              =  "./eks"
23 |     cluster_name                        =  var.cluster_name
24 |     environment                         =  var.environment
25 |     eks_node_group_instance_types       =  var.eks_node_group_instance_types
26 |     private_subnets                     =  module.vpc.aws_subnets_private
27 |     public_subnets                      =  module.vpc.aws_subnets_public
28 |     fargate_namespace                   =  var.fargate_namespace
29 | }
30 | 
31 | 
32 | module "kubernetes" {
33 |     source                              =  "./kubernetes"
34 |     cluster_id                          =  module.eks.cluster_id    
35 |     vpc_id                              =  module.vpc.vpc_id
36 |     cluster_name                        =  module.eks.cluster_name
37 | }
38 | 
39 | module "database" {
40 |     source                              =  "./database"
41 |     secret_id                           =  var.secret_id
42 |     identifier                          =  var.identifier
43 |     allocated_storage                   =  var.allocated_storage
44 |     storage_type                        =  var.storage_type
45 |     engine                              =  var.engine
46 |     engine_version                      =  var.engine_version
47 |     instance_class                      =  var.instance_class
48 |     database_name                       =  var.database_name
49 |     environment                         =  var.environment
50 |     vpc_id                              =  module.vpc.vpc_id
51 |     private_subnets                     =  module.vpc.aws_subnets_private
52 | }


--------------------------------------------------------------------------------
/output.tf:
--------------------------------------------------------------------------------
 1 | data "aws_db_instance" "database" {
 2 |   db_instance_identifier = "${var.identifier}-${var.environment}"
 3 | }
 4 | 
 5 | data "kubernetes_ingress" "address" {
 6 |   metadata {
 7 |     name = "owncloud-lb"
 8 |     namespace = "fargate-node"
 9 |   }
10 | }
11 | 
12 | output "database_endpoint" {
13 |     value = "${data.aws_db_instance.database.address}"
14 | }
15 | 
16 | output "server_dns" {
17 |     value = "${data.kubernetes_ingress.address.load_balancer_ingress}"
18 | }


--------------------------------------------------------------------------------
/production.tfvars:
--------------------------------------------------------------------------------
 1 | environment                  = "Production"
 2 | cluster_name                 =  "main"
 3 | vpc_cidr                     =  "192.168.0.0/16"
 4 | vpc_name                     =  "main"
 5 | public_subnets_cidr          =  ["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24"]
 6 | private_subnets_cidr         =  ["192.168.4.0/24", "192.168.5.0/24", "192.168.6.0/24"]
 7 | availability_zones_public    =  ["us-east-1a", "us-east-1b", "us-east-1c"]
 8 | availability_zones_private   =  ["us-east-1d", "us-east-1b", "us-east-1f"]
 9 | cidr_block-internet_gw       =  "0.0.0.0/0"
10 | cidr_block-nat_gw            =  "0.0.0.0/0"
11 | eks_node_group_instance_types=  "t3.xlarge"
12 | fargate_namespace            =  "fargate-node"
13 | secret_id                    =  "database"
14 | identifier                   =  "database"
15 | allocated_storage            =  100
16 | storage_type                 =  "io1"
17 | engine                       =  "mysql"
18 | engine_version               =  5.7
19 | instance_class               =  "db.m5.xlarge"
20 | database_name                =  "db"
21 | 


--------------------------------------------------------------------------------
/testing.tfvars:
--------------------------------------------------------------------------------
 1 | environment                  = "testing"
 2 | cluster_name                 =  "main"
 3 | vpc_cidr                     =  "192.168.0.0/16"
 4 | vpc_name                     =  "main"
 5 | public_subnets_cidr          =  ["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24"]
 6 | private_subnets_cidr         =  ["192.168.4.0/24", "192.168.5.0/24", "192.168.6.0/24"]
 7 | availability_zones_public    =  ["us-east-1a", "us-east-1b", "us-east-1c"]
 8 | availability_zones_private   =  ["us-east-1d", "us-east-1b", "us-east-1f"]
 9 | cidr_block-internet_gw       =  "0.0.0.0/0"
10 | cidr_block-nat_gw            =  "0.0.0.0/0"
11 | eks_node_group_instance_types=  "t2.micro"
12 | fargate_namespace            =  "fargate-node"
13 | secret_id                    =  "database"
14 | identifier                   =  "database"
15 | allocated_storage            =  20
16 | storage_type                 =  "gp2"
17 | engine                       =  "mysql"
18 | engine_version               =  5.7
19 | instance_class               =  "db.t2.micro"
20 | database_name                =  "db"
21 | 


--------------------------------------------------------------------------------
/variable.tf:
--------------------------------------------------------------------------------
 1 | variable "environment" {}
 2 | variable "cluster_name" {}
 3 | variable "vpc_cidr" {}
 4 | variable "vpc_name" {}
 5 | variable "public_subnets_cidr" {}
 6 | variable "availability_zones_public" {}
 7 | variable "private_subnets_cidr" {}
 8 | variable "availability_zones_private" {}
 9 | variable "cidr_block-internet_gw" {}
10 | variable "cidr_block-nat_gw" {}
11 | variable "eks_node_group_instance_types" {}
12 | variable "fargate_namespace" {}
13 | variable "secret_id" {}
14 | variable "identifier" {}
15 | variable "allocated_storage" {}
16 | variable "storage_type" {}
17 | variable "engine" {}
18 | variable "engine_version" {}
19 | variable "instance_class" {}
20 | variable "database_name" {}
21 | 
22 | 


--------------------------------------------------------------------------------
/vpc/main.tf:
--------------------------------------------------------------------------------
  1 | 
  2 |  resource "aws_vpc" "main" {
  3 |   cidr_block           = var.vpc_cidr
  4 |   enable_dns_hostnames = true
  5 |   
  6 |   tags = {
  7 |     Name = "${var.vpc_name}-${var.environment}-vpc"
  8 |     "kubernetes.io/cluster/${var.cluster_name}-${var.environment}" = "shared"
  9 |   }
 10 | }
 11 | 
 12 | resource "aws_subnet" "public" {
 13 |   vpc_id                   = aws_vpc.main.id
 14 |   cidr_block               = element(var.public_subnets_cidr, count.index)
 15 |   availability_zone        = element(var.availability_zones_public, count.index)
 16 |   count                    = length(var.public_subnets_cidr)
 17 |   map_public_ip_on_launch  = true
 18 |   depends_on = [ aws_vpc.main ]
 19 |   
 20 |   tags = {
 21 | 
 22 |       "kubernetes.io/cluster/${var.cluster_name}-${var.environment}" = "shared"
 23 |       "kubernetes.io/role/elb" = 1
 24 |     Name   = "node-group-subnet-${count.index + 1}-${var.environment}"
 25 |     state  = "public"
 26 |   }
 27 | }
 28 | 
 29 | 
 30 | 
 31 | resource "aws_subnet" "private" {
 32 |   vpc_id                   = aws_vpc.main.id
 33 |   cidr_block               = element(var.private_subnets_cidr, count.index)
 34 |   availability_zone        = element(var.availability_zones_private, count.index)
 35 |   count                    = length(var.private_subnets_cidr)
 36 |   depends_on = [ aws_vpc.main ]
 37 |   
 38 |   tags = {
 39 | 
 40 |         "kubernetes.io/cluster/${var.cluster_name}-${var.environment}" = "shared"
 41 |         "kubernetes.io/role/internal-elb" = 1
 42 |       "Name"   = "fargate-subnet-${count.index + 1}-${var.environment}"
 43 |     "state"  = "private"
 44 |   }
 45 | }
 46 | 
 47 | resource "aws_internet_gateway" "gw" {
 48 |   vpc_id = aws_vpc.main.id
 49 |   depends_on = [ aws_vpc.main ]
 50 | 
 51 |   tags = {
 52 |     Name = "eks-internet-gateway-${var.environment}"
 53 |   }
 54 | }
 55 | 
 56 | resource "aws_eip" "nat" {
 57 |   vpc              = true
 58 |   count = length(var.private_subnets_cidr)
 59 |   public_ipv4_pool = "amazon"
 60 | }
 61 | 
 62 | resource "aws_nat_gateway" "gw" {
 63 |   count         = length(var.private_subnets_cidr)
 64 |   allocation_id = element(aws_eip.nat.*.id, count.index)
 65 |   subnet_id     = element(aws_subnet.public.*.id, count.index)
 66 |   depends_on    = [aws_internet_gateway.gw]
 67 | 
 68 |   tags = {
 69 |     Name = "eks-nat_Gateway-${count.index + 1}-${var.environment}"
 70 |   }
 71 | }
 72 | 
 73 | resource "aws_route_table" "internet-route" {
 74 |   vpc_id = aws_vpc.main.id
 75 |   route {
 76 |     cidr_block = "${var.cidr_block-internet_gw}"
 77 |     gateway_id = aws_internet_gateway.gw.id
 78 |   }
 79 |   depends_on = [ aws_vpc.main ]
 80 |   tags  = {
 81 |       Name = "eks-public_route_table-${var.environment}"
 82 |       state = "public"
 83 |   }
 84 | }
 85 | 
 86 |   resource "aws_route_table" "nat-route" {
 87 |   vpc_id = aws_vpc.main.id
 88 |   count  = length(var.private_subnets_cidr)
 89 |   route {
 90 |     cidr_block = "${var.cidr_block-nat_gw}"
 91 |     gateway_id = element(aws_nat_gateway.gw.*.id, count.index)
 92 |   }
 93 |   depends_on = [ aws_vpc.main ]
 94 |   tags  = {
 95 |       Name = "eks-nat_route_table-${count.index + 1}-${var.environment}"
 96 |       state = "public"
 97 |   } 
 98 | }
 99 | 
100 | resource "aws_route_table_association" "public" {
101 |   count          = length(var.public_subnets_cidr)
102 |   subnet_id      = element(aws_subnet.public.*.id, count.index)
103 |   route_table_id = aws_route_table.internet-route.id
104 |   
105 |   depends_on = [ aws_route_table.internet-route ,
106 |                  aws_subnet.public
107 |   ]
108 | }
109 | 
110 | 
111 | resource "aws_route_table_association" "private" {
112 |   count          = length(var.private_subnets_cidr)
113 |   subnet_id      = element(aws_subnet.private.*.id, count.index)
114 |   route_table_id = element(aws_route_table.nat-route.*.id, count.index)
115 |   depends_on = [ aws_route_table.nat-route ,
116 |                  aws_subnet.private
117 |   ]
118 | }
119 | 
120 | 
121 | 


--------------------------------------------------------------------------------
/vpc/output.tf:
--------------------------------------------------------------------------------
 1 | output "aws_subnets_public" {
 2 |   value   = aws_subnet.public.*.id
 3 | }
 4 | 
 5 | output "aws_subnets_private" {
 6 |   value   = aws_subnet.private.*.id
 7 | }
 8 | 
 9 | output "vpc_id" {
10 |   value  = aws_vpc.main.id
11 | }
12 | 
13 | 


--------------------------------------------------------------------------------
/vpc/variable.tf:
--------------------------------------------------------------------------------
 1 | variable "environment" {
 2 |     description = "Environment name"
 3 | }
 4 | 
 5 | variable "vpc_cidr" {
 6 |     description = "Cidr value of vpc"
 7 | }
 8 | 
 9 | variable "vpc_name" {
10 |     description = "Name of vpc"
11 | }   
12 | 
13 | variable "cluster_name" {
14 |     description = "Name of cluster"
15 | }
16 | 
17 | variable "public_subnets_cidr" {
18 |     description = "List of public subnet cidr"
19 | }
20 | 
21 | variable "availability_zones_public" {
22 |     description = "List of availability zones of public subnets"
23 | }
24 | 
25 | variable "private_subnets_cidr" {
26 |     description = "List of private subnets cidr"
27 | }
28 | 
29 | variable "availability_zones_private" {
30 |     description = "List of availability zones of private subnets"
31 | }
32 | 
33 | variable "cidr_block-nat_gw" {
34 |     description = "Destination cidr of nat gateway"
35 | }
36 | 
37 | variable "cidr_block-internet_gw" {
38 |     description = "Destination cidr of internet gateway"
39 | }


--------------------------------------------------------------------------------