Terraform: EKS구성(2K240708 Test)
간서치
2024. 7. 8. 12:01
2024년 7월 8일 Test
Rocky9 + K8S + EKS
1. Terraform Code
1.1. 00_provider.tf
# Terraform settings block. The AWS provider is pinned with "~> 5.57", which
# accepts any 5.x release at or above 5.57 but never a 6.x major, so a
# `terraform init` cannot silently pull in breaking provider changes.
# NOTE(review): no `required_version` constraint is set, so any Terraform CLI
# version is accepted; pin it as well if reproducible builds matter.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.57"
    }
  }
}
# Configure the AWS Provider.
# Credentials are not set here, so the provider falls back to the standard
# AWS credential chain (env vars, shared config/credentials file, instance
# role). The region comes from var.region (100_vars.tf, default ap-northeast-2).
provider "aws" {
  region = var.region
}
1.2. 01_vpc.tf
# VPC that hosts the EKS control-plane ENIs and the worker nodes.
# DNS hostnames + DNS support are both required for EKS (nodes register by
# private DNS name and the cluster endpoint is resolved inside the VPC).
resource "aws_vpc" "eks_vpc" {
  enable_dns_support   = true
  enable_dns_hostnames = true
  cidr_block           = var.cidr

  tags = {
    # The cluster-ownership tag is keyed on the literal cluster name; it must
    # match the `name` given to aws_eks_cluster in 06_clu.tf ("sdkim-clu").
    "kubernetes.io/cluster/sdkim-clu" = "shared"
    Name                              = "eks_vpc"
  }
}
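# Exposes the VPC id so the on-prem/EKS connection steps (sections 3-5)
# and other root modules can reference the network without hard-coding it.
output "vpc_id" {
  description = "ID of the VPC created for the EKS cluster"
  value       = aws_vpc.eks_vpc.id
}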
1.3. 02_ig.tf
# Internet gateway for the VPC. It becomes the 0.0.0.0/0 target of the single
# route table in 04_ro.tf, so every subnet attached to that table is public.
resource "aws_internet_gateway" "eks_ig" {
  tags = {
    Name = "eks-ig"
  }

  vpc_id = aws_vpc.eks_vpc.id
}
1.4. 03_sub.tf
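# Two "master"/control-plane subnets, one per AZ (a and c; ap-northeast-2b is
# skipped, as in the original layout).
# The CIDRs are carved out of var.cidr with cidrsubnet() instead of the
# hard-coded "10.0.<n>.0/24", so the subnets follow the VPC CIDR when it is
# overridden. For the default 10.0.0.0/16 the result is identical:
# index 0 -> 10.0.0.0/24, index 1 -> 10.0.1.0/24.
resource "aws_subnet" "eksnet_mas" {
  count = 2

  vpc_id = aws_vpc.eks_vpc.id
  # newbits = 8: a /16 VPC yields /24 subnets; netnum = the subnet index.
  cidr_block        = cidrsubnet(var.cidr, 8, count.index)
  availability_zone = "ap-northeast-2${count.index == 0 ? "a" : "c"}"

  # Public subnet: instances get a public IP at launch and the shared route
  # table (04_ro.tf) sends 0.0.0.0/0 to the internet gateway.
  map_public_ip_on_launch = true

  tags = {
    Name = "eksnet-pub-${count.index == 0 ? "a" : "c"}"
    # Cluster-ownership tag; the literal name must match aws_eks_cluster.name.
    "kubernetes.io/cluster/sdkim-clu" = "shared"
    # NOTE(review): for Service type=LoadBalancer (section 4) AWS documents an
    # extra "kubernetes.io/role/elb" = "1" tag on public subnets so the
    # load-balancer controller can select them; add it if LB creation fails.
  }
}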
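# Two worker-node subnets (used by aws_eks_node_group in 07_node.tf), one per
# AZ (a and c). They occupy the third and fourth /24 of the VPC:
# index 0 -> 10.0.2.0/24, index 1 -> 10.0.3.0/24 for the default var.cidr,
# which is exactly what the previous hard-coded "10.0.${count.index + 2}.0/24"
# produced.
#
# Bug fixed: the Name tag used `count.index + 2 == 0`, which is never true, so
# BOTH subnets were tagged "eksnet-pri-c". The AZ/Name suffix is now derived
# from count.index directly, giving "eksnet-pri-a" and "eksnet-pri-c".
#
# NOTE(review): despite the "pri" (private) naming these subnets are public:
# map_public_ip_on_launch is true and they share the IGW route table
# (05_rtass.tf), so every worker node receives a public IP. Making them
# private would require a NAT gateway (or VPC endpoints) for the nodes to
# reach the EKS API, ECR and STS — none is defined in this configuration, so
# the public setting is kept here and only documented.
resource "aws_subnet" "eksnet_work" {
  count = 2

  vpc_id = aws_vpc.eks_vpc.id
  # newbits = 8: a /16 VPC yields /24 subnets; offset by 2 to skip the two
  # control-plane subnets defined in aws_subnet.eksnet_mas.
  cidr_block        = cidrsubnet(var.cidr, 8, count.index + 2)
  availability_zone = "ap-northeast-2${count.index == 0 ? "a" : "c"}"

  map_public_ip_on_launch = true

  tags = {
    Name = "eksnet-pri-${count.index == 0 ? "a" : "c"}"
    # Cluster-ownership tag; the literal name must match aws_eks_cluster.name.
    "kubernetes.io/cluster/sdkim-clu" = "shared"
  }
}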
1.5. 04_ro.tf
# Single route table with a default route to the internet gateway.
# It is associated with all four subnets in 05_rtass.tf, which makes every
# subnet public — including the worker subnets named "eksnet-pri-*".
resource "aws_route_table" "eksnet_rota" {
  vpc_id = aws_vpc.eks_vpc.id

  tags = {
    Name = "eksnet-rota"
  }

  route {
    gateway_id = aws_internet_gateway.eks_ig.id
    cidr_block = "0.0.0.0/0"
  }
}
1.6. 05_rtass.tf
# Attach both control-plane subnets to the public route table.
resource "aws_route_table_association" "eksnet_rtass1" {
  count = 2

  route_table_id = aws_route_table.eksnet_rota.id
  # element() over the splat list is equivalent to indexing the resource directly.
  subnet_id = element(aws_subnet.eksnet_mas[*].id, count.index)
}
# Attach both worker subnets to the same public route table, so the worker
# nodes also have a direct IGW default route (no NAT gateway in this layout).
resource "aws_route_table_association" "eksnet_rtass2" {
  count = 2

  route_table_id = aws_route_table.eksnet_rota.id
  subnet_id      = element(aws_subnet.eksnet_work[*].id, count.index)
}
1.7. 06_clu.tf
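# EKS control plane. The cluster name is a literal that the subnet/VPC tags
# ("kubernetes.io/cluster/sdkim-clu") depend on — change both together.
#
# NOTE(review): `version` is not set, so EKS creates whichever Kubernetes
# version is current at apply time. The add-on builds pinned in this file
# (kube-proxy v1.30.0-eksbuild.3 etc.) target 1.30; pin `version = "1.30"` if
# they must stay aligned on later applies.
resource "aws_eks_cluster" "eks_clu" {
  name     = "sdkim-clu"
  role_arn = aws_iam_role.eks_clurole.arn

  # Control-plane audit trail. "api", "audit" and "authenticator" are the log
  # streams needed to reconstruct who called the API server and how the call
  # was authenticated; they are delivered to CloudWatch Logs
  # (/aws/eks/<cluster>/cluster). Without this the cluster keeps no audit log.
  enabled_cluster_log_types = ["api", "audit", "authenticator"]

  vpc_config {
    # Control-plane ENIs may be placed in any of the four subnets.
    subnet_ids = concat(aws_subnet.eksnet_mas[*].id, aws_subnet.eksnet_work[*].id)

    endpoint_private_access = true
    # The public endpoint is reachable from ANY source address because
    # `public_access_cidrs` is not set (AWS default 0.0.0.0/0). IAM/RBAC
    # authentication still applies, but the endpoint should be limited to the
    # admin workstation and the on-prem egress IP used in section 3, e.g.
    #   public_access_cidrs = ["<admin-ip>/32", "<onprem-egress-ip>/32"]
    endpoint_public_access = true

    # Additional SG for the control-plane ENIs (EKS also creates its own
    # cluster SG). Ingress to it is defined in aws_security_group_rule below.
    security_group_ids = [aws_security_group.eks_cluster.id]
  }

  # NOTE(review): no `encryption_config` block, so Kubernetes Secrets rely on
  # EKS's default etcd encryption only; for anything beyond a test cluster add
  # a KMS-backed encryption_config { resources = ["secrets"] provider { key_arn = ... } }.

  # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
  # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
  depends_on = [
    aws_iam_role_policy_attachment.eks-AmazonEKSClusterPolicy,
    aws_iam_role_policy_attachment.eks-AmazonEKSVPCResourceController,
  ]
}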
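# API server URL, needed to build the kubeconfig for the on-prem cluster
# connection in section 3. This is the public endpoint; see the
# public_access_cidrs note on aws_eks_cluster for who can reach it.
output "endpoint" {
  description = "HTTPS endpoint of the EKS Kubernetes API server"
  value       = aws_eks_cluster.eks_clu.endpoint
}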
/*
data "aws_iam_policy_document" "assume_role" {
statement {
effect = "Allow"
principals {
type = "Service"
identifiers = ["eks.amazonaws.com"]
}
actions = ["sts:AssumeRole"]
}
}
resource "aws_iam_role" "eks_clurole" {
name = "eks-cluster-role"
assume_role_policy = data.aws_iam_policy_document.assume_role.json
}
*/
# IAM role assumed by the EKS control plane.
# The trust policy allows only the EKS service principal (eks.amazonaws.com)
# to call sts:AssumeRole; the permissions themselves come from the managed
# policies attached below (AmazonEKSClusterPolicy, AmazonEKSVPCResourceController).
# The commented-out aws_iam_policy_document variant above builds the same
# trust document; this inline heredoc form is the one in use.
resource "aws_iam_role" "eks_clurole" {
  name               = "terraform-eks-cluster"
  assume_role_policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "eks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
POLICY
}
# AmazonEKSClusterPolicy: the AWS-managed policy that lets the control plane
# manage the EC2/ELB resources it needs. Attached to the cluster role.
resource "aws_iam_role_policy_attachment" "eks-AmazonEKSClusterPolicy" {
  role       = aws_iam_role.eks_clurole.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
}
# Optional: needed only if Security Groups for Pods is enabled on the cluster.
# Reference: https://docs.aws.amazon.com/eks/latest/userguide/security-groups-for-pods.html
# Harmless to keep attached otherwise; the cluster's depends_on references it.
resource "aws_iam_role_policy_attachment" "eks-AmazonEKSVPCResourceController" {
  role       = aws_iam_role.eks_clurole.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController"
}
#resource "aws_eks_addon" "eks_coredns" {
# cluster_name = aws_eks_cluster.eks_clu.name
# addon_name = "coredns"
# addon_version = "v1.11.1-eksbuild.8"
# resolve_conflicts_on_create = "OVERWRITE"
# }
# Amazon VPC CNI add-on, pinned to an explicit build.
# OVERWRITE replaces any self-managed aws-node objects already in the cluster.
# NOTE(review): the CNI currently obtains its AWS permissions from the node
# role (AmazonEKS_CNI_Policy in 07_node.tf), which any pod on the node can
# borrow through the instance metadata service unless IMDS is locked down.
# AWS recommends a dedicated role for the aws-node service account
# (IRSA or Pod Identity — the eks-pod-identity-agent add-on below makes the
# latter available) so that policy can be removed from the node role.
resource "aws_eks_addon" "eks_cni" {
  addon_name                  = "vpc-cni"
  addon_version               = "v1.18.2-eksbuild.1"
  resolve_conflicts_on_create = "OVERWRITE"
  cluster_name                = aws_eks_cluster.eks_clu.name
}
# EKS Pod Identity agent: lets pods obtain IAM credentials through
# pod_identity associations instead of the node's instance role.
resource "aws_eks_addon" "eks_pod" {
  addon_name                  = "eks-pod-identity-agent"
  addon_version               = "v1.3.0-eksbuild.1"
  resolve_conflicts_on_create = "OVERWRITE"
  cluster_name                = aws_eks_cluster.eks_clu.name
}
# kube-proxy add-on. The v1.30.x build implies a Kubernetes 1.30 control plane;
# keep it in step with the cluster version when either is upgraded.
resource "aws_eks_addon" "eks_proxy" {
  addon_name                  = "kube-proxy"
  addon_version               = "v1.30.0-eksbuild.3"
  resolve_conflicts_on_create = "OVERWRITE"
  cluster_name                = aws_eks_cluster.eks_clu.name
}
# Additional security group attached to the EKS control-plane ENIs
# (vpc_config.security_group_ids in aws_eks_cluster). EKS also creates its own
# cluster security group for node <-> control-plane traffic; this one only
# supplements it.
resource "aws_security_group" "eks_cluster" {
  name        = "eks-cluster"
  description = "Cluster communication with worker nodes"
  vpc_id      = aws_vpc.eks_vpc.id

  # Unrestricted egress: all protocols (-1), all ports, all destinations.
  # Ingress is not declared inline; it is added by the separate
  # aws_security_group_rule "eks-cluster-ingress-https" resource.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "eks-cluster"
  }
}
# Add the ingress rule to the cluster security group.
# Allows TCP/443 to the control-plane ENIs that EKS places in the VPC.
# NOTE(review): 0.0.0.0/0 here is not what exposes the API server to the
# internet — those ENIs carry private IPs, and reachability of the public
# endpoint is controlled by `public_access_cidrs` on aws_eks_cluster — but it
# does admit every VPC-routable source (peering, VPN, transit gateway).
# For least privilege narrow it to the ranges that actually need the private
# endpoint, e.g. `cidr_blocks = [var.cidr]` plus any on-prem/VPN range used
# for the connection in section 3.
resource "aws_security_group_rule" "eks-cluster-ingress-https" {
  cidr_blocks       = ["0.0.0.0/0"]
  description       = "Allow workstation to communicate with the cluster API Server"
  from_port         = 443
  protocol          = "tcp"
  security_group_id = aws_security_group.eks_cluster.id
  to_port           = 443
  type              = "ingress"
}
1.8. 07_node.tf
# Managed node group providing the cluster's worker nodes.
resource "aws_eks_node_group" "eks_node" {
  cluster_name    = aws_eks_cluster.eks_clu.name
  node_group_name = "eks-node"
  node_role_arn   = aws_iam_role.eks_noderole.arn

  # Both worker subnets (indices 0 and 1) — the splat yields the same two ids
  # as listing them individually.
  # NOTE(review): these subnets auto-assign public IPs (03_sub.tf), so every
  # worker node gets a public address. No `remote_access` block is defined,
  # so no SSH key or SSH security group is opened on the nodes.
  subnet_ids = aws_subnet.eksnet_work[*].id

  # `ami_type` expects an EKS AMI family such as "AL2_x86_64" or
  # "AL2023_x86_64_STANDARD", not an AMI id; a specific AMI id must be supplied
  # through a launch_template instead.
  # ami_type = ...

  capacity_type  = "ON_DEMAND"
  instance_types = ["m5.large"]
  # Root volume size in GiB. Whether it is encrypted depends on the account's
  # EBS default-encryption setting, which this file does not control.
  disk_size = 20

  scaling_config {
    min_size     = 1
    desired_size = 1
    max_size     = 2
  }

  update_config {
    max_unavailable = 1
  }

  # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
  # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
  depends_on = [
    aws_iam_role_policy_attachment.eks-AmazonEKSWorkerNodePolicy,
    aws_iam_role_policy_attachment.eks-AmazonEKS_CNI_Policy,
    aws_iam_role_policy_attachment.eks-AmazonEC2ContainerRegistryReadOnly,
  ]
}
# IAM role for the worker nodes (used as their instance profile role).
# The trust policy allows only the EC2 service principal to assume it; the
# permissions are the three managed policies attached below.
# NOTE(review): every pod on a node can reach this role's credentials through
# the instance metadata service unless IMDS access is restricted, so keep the
# attached policies minimal and move workload permissions to IRSA/Pod Identity.
resource "aws_iam_role" "eks_noderole" {
  name               = "eks-noderole"
  assume_role_policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
POLICY
}
# AmazonEKSWorkerNodePolicy: lets kubelet on the nodes describe EC2 resources
# and join the cluster. Required for managed node groups.
resource "aws_iam_role_policy_attachment" "eks-AmazonEKSWorkerNodePolicy" {
  role       = aws_iam_role.eks_noderole.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
}
# AmazonEKS_CNI_Policy on the NODE role: grants ENI/IP management to the whole
# instance, which every pod can inherit via IMDS. AWS recommends attaching it
# to a dedicated aws-node service-account role (IRSA/Pod Identity) instead;
# the node group's depends_on references this attachment, so keep the resource
# name if you switch.
resource "aws_iam_role_policy_attachment" "eks-AmazonEKS_CNI_Policy" {
  role       = aws_iam_role.eks_noderole.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
}
# Read-only ECR access so the nodes can pull images; no push rights.
resource "aws_iam_role_policy_attachment" "eks-AmazonEC2ContainerRegistryReadOnly" {
  role       = aws_iam_role.eks_noderole.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
}
1.9. 100_vars.tf
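# AWS region for the whole stack. The previous description ("Seoul Region")
# named the default rather than describing the variable.
# NOTE: the availability-zone suffixes in 03_sub.tf are hard-coded to
# ap-northeast-2a / ap-northeast-2c, so overriding this variable alone is not
# enough to deploy elsewhere.
variable "region" {
  description = "AWS region to deploy into (default: Seoul, ap-northeast-2). AZ names in 03_sub.tf are hard-coded for ap-northeast-2."
  type        = string
  default     = "ap-northeast-2"
}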
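# IPv4 CIDR of the EKS VPC. The four /24 subnets in 03_sub.tf
# (10.0.0.0/24 .. 10.0.3.0/24 for the default) must fall inside it.
# A validation block rejects values that are not a parsable CIDR early, at
# plan time, instead of failing inside aws_vpc at apply time.
variable "cidr" {
  description = "IPv4 CIDR block for the EKS VPC; the /24 subnets in 03_sub.tf are carved from it"
  type        = string
  default     = "10.0.0.0/16"

  validation {
    condition     = can(cidrhost(var.cidr, 0))
    error_message = "cidr must be a valid CIDR block such as 10.0.0.0/16."
  }
}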
2. EKS 구성완료
3. On-premises K8S <- EKS Connection
4. NodePort & LoadBalancer
5. On-premises K8S <- EKS Disconnection