Terraform: EKS 구성 (2K240708 Test) — 공부합시다!/Terraform 2024. 7. 8. 12:01
2024년 7월 8일 Test
Rocky9 + K8S + EKS
1. Terraform Code
1.1. 00_provider.tf
# 00_provider.tf
# Pins the AWS provider to the 5.57.x series so a later major release
# cannot change resource behaviour unexpectedly.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.57"
    }
  }
}

# Configure the AWS Provider.
# Credentials come from the usual provider chain (env vars, shared config,
# instance profile); only the region is set here, from 100_vars.tf.
provider "aws" {
  region = var.region
}
1.2. 01_vpc.tf
# 01_vpc.tf
# VPC that hosts the EKS control-plane ENIs and the worker nodes.
# DNS hostnames/support are required for EKS nodes to resolve and join
# the cluster endpoint.
resource "aws_vpc" "eks_vpc" {
  cidr_block           = var.cidr
  enable_dns_support   = true
  enable_dns_hostnames = true

  tags = {
    Name = "eks_vpc"
    # Cluster ownership tag; the cluster name must match 06_clu.tf ("sdkim-clu").
    "kubernetes.io/cluster/sdkim-clu" = "shared"
  }
}

# Exposed for reference from other stacks / the CLI.
output "vpc_id" {
  value = aws_vpc.eks_vpc.id
}
1.3. 02_ig.tf
# 02_ig.tf
# Internet gateway for the VPC; used as the default route target in 04_ro.tf,
# which makes every subnet associated with that route table a public subnet.
resource "aws_internet_gateway" "eks_ig" {
  vpc_id = aws_vpc.eks_vpc.id

  tags = {
    Name = "eks-ig"
  }
}
1.4. 03_sub.tf
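# 03_sub.tf
# Two "public" subnets: 10.0.0.0/24 in AZ a and 10.0.1.0/24 in AZ c.
# Both receive public IPs at launch and, via 05_rtass.tf, a default route
# through the internet gateway.
resource "aws_subnet" "eksnet_mas" {
  count = 2

  vpc_id                  = aws_vpc.eks_vpc.id
  cidr_block              = "10.0.${count.index}.0/24"
  map_public_ip_on_launch = true
  # AZ is hard-coded to Seoul (ap-northeast-2); var.region is not used here,
  # so changing the region variable alone does not move these subnets.
  availability_zone       = "ap-northeast-2${count.index == 0 ? "a" : "c"}"

  tags = {
    Name                              = "eksnet-pub-${count.index == 0 ? "a" : "c"}"
    "kubernetes.io/cluster/sdkim-clu" = "shared"
  }
}

# Two worker subnets: 10.0.2.0/24 in AZ a and 10.0.3.0/24 in AZ c.
# NOTE(review): despite the "pri" name these are public subnets — nodes get a
# public IP (map_public_ip_on_launch) and the subnets share the IGW route
# table in 05_rtass.tf. Worker nodes are therefore internet-reachable on any
# port a security group opens. Making them private needs a NAT gateway and a
# separate route table.
resource "aws_subnet" "eksnet_work" {
  count = 2

  vpc_id                  = aws_vpc.eks_vpc.id
  cidr_block              = "10.0.${count.index + 2}.0/24"
  map_public_ip_on_launch = true
  # Same AZ selection as the public subnets (index 0 -> a, index 1 -> c);
  # written directly on count.index instead of the original `count.index + 2 == 2`.
  availability_zone       = "ap-northeast-2${count.index == 0 ? "a" : "c"}"

  tags = {
    # Bug fix: the original condition `count.index + 2 == 0` can never be true,
    # so both worker subnets were tagged "eksnet-pri-c". Now index 0 -> a, 1 -> c.
    Name                              = "eksnet-pri-${count.index == 0 ? "a" : "c"}"
    "kubernetes.io/cluster/sdkim-clu" = "shared"
  }
}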
1.5. 04_ro.tf
# 04_ro.tf
# Single route table with a default route to the internet gateway.
# Every subnet associated with it (all four, see 05_rtass.tf) is public.
resource "aws_route_table" "eksnet_rota" {
  vpc_id = aws_vpc.eks_vpc.id

  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.eks_ig.id
  }

  tags = {
    Name = "eksnet-rota"
  }
}
1.6. 05_rtass.tf
# 05_rtass.tf
# Associate both "pub" subnets with the IGW route table.
resource "aws_route_table_association" "eksnet_rtass1" {
  count = 2

  route_table_id = aws_route_table.eksnet_rota.id
  subnet_id      = aws_subnet.eksnet_mas[count.index].id
}

# Associate both worker ("pri") subnets with the same IGW route table.
# Kept as a separate resource from eksnet_rtass1 so existing state addresses
# are unchanged.
resource "aws_route_table_association" "eksnet_rtass2" {
  count = 2

  route_table_id = aws_route_table.eksnet_rota.id
  subnet_id      = aws_subnet.eksnet_work[count.index].id
}
1.7. 06_clu.tf
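# 06_clu.tf (part 1: control plane and its IAM role)
resource "aws_eks_cluster" "eks_clu" {
  name     = "sdkim-clu"
  role_arn = aws_iam_role.eks_clurole.arn

  vpc_config {
    # Control-plane ENIs may be placed in any of the four subnets.
    subnet_ids              = concat(aws_subnet.eksnet_mas[*].id, aws_subnet.eksnet_work[*].id)
    endpoint_private_access = true
    endpoint_public_access  = true
    # Source ranges allowed to reach the public API endpoint. The variable's
    # default is the provider default (0.0.0.0/0), i.e. exactly the exposure the
    # original code had; override it with workstation/VPN ranges for anything
    # beyond a throw-away test cluster.
    public_access_cidrs     = var.eks_public_access_cidrs
    security_group_ids      = [aws_security_group.eks_cluster.id]
  }

  # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
  # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
  depends_on = [
    aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
  ]
}

# Declared next to its only consumer (vpc_config above) so this file is
# self-contained; the default preserves previous behaviour.
variable "eks_public_access_cidrs" {
  description = "CIDR blocks allowed to reach the public EKS API endpoint"
  type        = list(string)
  default     = ["0.0.0.0/0"]
}

output "endpoint" {
  value = aws_eks_cluster.eks_clu.endpoint
}

/*
Alternative trust policy via a data source, kept from the original for reference:

data "aws_iam_policy_document" "assume_role" {
  statement {
    effect = "Allow"
    principals {
      type        = "Service"
      identifiers = ["eks.amazonaws.com"]
    }
    actions = ["sts:AssumeRole"]
  }
}

resource "aws_iam_role" "eks_clurole" {
  name               = "eks-cluster-role"
  assume_role_policy = data.aws_iam_policy_document.assume_role.json
}
*/

# IAM role assumed by the EKS control plane.
resource "aws_iam_role" "eks_clurole" {
  name = "terraform-eks-cluster"

  # Trust policy: only the EKS service principal may assume this role.
  # jsonencode replaces the heredoc so the document is validated by Terraform;
  # the resulting policy is semantically identical.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          Service = "eks.amazonaws.com"
        }
        Action = "sts:AssumeRole"
      }
    ]
  })
}

resource "aws_iam_role_policy_attachment" "eks-AmazonEKSClusterPolicy" {
  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
  role       = aws_iam_role.eks_clurole.name
}

# Optionally, enable Security Groups for Pods
# Reference: https://docs.aws.amazon.com/eks/latest/userguide/security-groups-for-pods.html
resource "aws_iam_role_policy_attachment" "eks-AmazonEKSVPCResourceController" {
  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController"
  role       = aws_iam_role.eks_clurole.name
}

# coredns add-on left disabled in the original; kept for reference.
#resource "aws_eks_addon" "eks_coredns" {
#  cluster_name                = aws_eks_cluster.eks_clu.name
#  addon_name                  = "coredns"
#  addon_version               = "v1.11.1-eksbuild.8"
#  resolve_conflicts_on_create = "OVERWRITE"
#}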
# 06_clu.tf (part 2: managed add-ons and the cluster security group)

# Managed add-ons with pinned versions. OVERWRITE resolves conflicts with any
# self-managed copy that already exists when the add-on is first created.
resource "aws_eks_addon" "eks_cni" {
  cluster_name                = aws_eks_cluster.eks_clu.name
  addon_name                  = "vpc-cni"
  addon_version               = "v1.18.2-eksbuild.1"
  resolve_conflicts_on_create = "OVERWRITE"
}

resource "aws_eks_addon" "eks_pod" {
  cluster_name                = aws_eks_cluster.eks_clu.name
  addon_name                  = "eks-pod-identity-agent"
  addon_version               = "v1.3.0-eksbuild.1"
  resolve_conflicts_on_create = "OVERWRITE"
}

resource "aws_eks_addon" "eks_proxy" {
  cluster_name                = aws_eks_cluster.eks_clu.name
  addon_name                  = "kube-proxy"
  addon_version               = "v1.30.0-eksbuild.3"
  resolve_conflicts_on_create = "OVERWRITE"
}

# Security group attached to the control-plane ENIs (vpc_config in part 1).
# Egress is unrestricted; ingress is added by the rule resource below.
resource "aws_security_group" "eks_cluster" {
  name        = "eks-cluster"
  description = "Cluster communication with worker nodes"
  vpc_id      = aws_vpc.eks_vpc.id

  egress {
    protocol    = "-1"
    from_port   = 0
    to_port     = 0
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "eks-cluster"
  }
}

# Add the ingress rule to the security group.
# NOTE(review): this opens TCP/443 on the control-plane ENIs to 0.0.0.0/0,
# which is wider than node-to-control-plane traffic needs. Node traffic
# originates inside the VPC, so var.cidr (or the specific node security group)
# is the tighter choice; public-endpoint access is governed separately by the
# cluster's vpc_config, not by this rule.
resource "aws_security_group_rule" "eks-cluster-ingress-https" {
  type              = "ingress"
  security_group_id = aws_security_group.eks_cluster.id
  description       = "Allow workstation to communicate with the cluster API Server"
  protocol          = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_blocks       = ["0.0.0.0/0"]
}
1.8. 07_node.tf
# 07_node.tf
# Managed node group: 1 on-demand m5.large (scales 1..2) in the two worker subnets.
resource "aws_eks_node_group" "eks_node" {
  cluster_name    = aws_eks_cluster.eks_clu.name
  node_group_name = "eks-node"
  node_role_arn   = aws_iam_role.eks_noderole.arn
  # Both eksnet_work subnets (count = 2), same as listing [0] and [1] explicitly.
  subnet_ids      = aws_subnet.eksnet_work[*].id

  # NOTE(review): ami_type takes an EKS AMI family name (e.g. AL2_x86_64), not an
  # AMI id; a custom AMI must go through a launch_template instead.
  # ami_type = "ami-0f4516ee1fe91acc1"

  capacity_type  = "ON_DEMAND"
  disk_size      = 20
  instance_types = ["m5.large"]

  scaling_config {
    min_size     = 1
    desired_size = 1
    max_size     = 2
  }

  update_config {
    max_unavailable = 1
  }

  # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
  # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
  depends_on = [
    aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
  ]
}

# Instance role for the worker nodes; trusted only by the EC2 service principal.
resource "aws_iam_role" "eks_noderole" {
  name = "eks-noderole"

  assume_role_policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
POLICY
}

# The three AWS-managed policies a managed node group requires.
resource "aws_iam_role_policy_attachment" "eks-AmazonEKSWorkerNodePolicy" {
  role       = aws_iam_role.eks_noderole.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
}

resource "aws_iam_role_policy_attachment" "eks-AmazonEKS_CNI_Policy" {
  role       = aws_iam_role.eks_noderole.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
}

resource "aws_iam_role_policy_attachment" "eks-AmazonEC2ContainerRegistryReadOnly" {
  role       = aws_iam_role.eks_noderole.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
}
1.9. 100_vars.tf
# 100_vars.tf
# Deployment region; only the provider reads this — subnet AZs in 03_sub.tf
# are hard-coded to ap-northeast-2.
variable "region" {
  type        = string
  description = "Seoul Region"
  default     = "ap-northeast-2"
}

# VPC CIDR. The /24 subnets in 03_sub.tf are carved from 10.0.0.0/16 literally,
# so this must stay a superset of 10.0.0.0/22.
variable "cidr" {
  type        = string
  description = "eks use vpc"
  default     = "10.0.0.0/16"
}
2. EKS 구성완료
3. On-premise K8S <- EKS Connection
4. NodePort & LoadBalancer
5. On-premise K8S <- EKS Disconnection