
Infra

provider.tf
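variable "region" {
  description = "AWS region used by the default/awsutils providers."
  type        = string
  default     = "ap-northeast-2"
}

# ---
terraform {
  # The EKS module pinned in main.tf (v20.x) declares this as its minimum.
  required_version = ">= 1.3.2"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.95.0, < 7.0.0"
    }
    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = "~> 2.0"
    }
    # Pinned exactly: helm provider 3.x changed the nested `kubernetes {}` block
    # below to an attribute, so an unpinned upgrade would break this file.
    helm = {
      source  = "hashicorp/helm"
      version = "2.17.0"
    }
    awsutils = {
      source = "cloudposse/awsutils"
      # TODO(review): pin a version constraint (e.g. "~> <MAJOR>.<MINOR>") so
      # `terraform init` is reproducible; the page does not state which release is in use.
    }
    # Used by tls_private_key / local_file in main.tf. Without these entries Terraform
    # pulls them implicitly and unconstrained; declaring them keeps the lockfile honest.
    tls = {
      source  = "hashicorp/tls"
      version = "~> 4.0"
    }
    local = {
      source  = "hashicorp/local"
      version = "~> 2.4"
    }
  }
}

# Aliased "default" provider carrying default_tags.
# NOTE(review): resources that do not set `provider = aws.default` use the unaliased
# provider below, which has no default_tags — probably unintended; verify which one
# main.tf resources are expected to use. `var.project_name` is not declared in this
# file; it is assumed to be declared elsewhere in the module.
provider "aws" {
  region = var.region
  alias  = "default"
  default_tags {
    tags = {
      Project = var.project_name
    }
  }
}

provider "aws" {
  region = "ap-northeast-2"
  alias  = "ap-northeast-2"
}

# us-east-1 is required for the ECR Public authorization token data source below.
provider "aws" {
  region = "us-east-1"
  alias  = "us-east-1"
}

# Unaliased (default) provider; same region as the "ap-northeast-2" alias.
provider "aws" {
  region = "ap-northeast-2"
}

provider "awsutils" {
  region = var.region
}

# Kubernetes/Helm authenticate through `aws eks get-token`, so no long-lived
# cluster credential is stored in state.
provider "kubernetes" {
  host                   = module.eks.cluster_endpoint
  cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)
  exec {
    api_version = "client.authentication.k8s.io/v1beta1"
    args        = ["eks", "get-token", "--cluster-name", module.eks.cluster_name]
    command     = "aws"
  }
}

provider "helm" {
  kubernetes {
    host                   = module.eks.cluster_endpoint
    cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)
    exec {
      api_version = "client.authentication.k8s.io/v1beta1"
      args        = ["eks", "get-token", "--cluster-name", module.eks.cluster_name]
      command     = "aws"
    }
  }
}

data "aws_caller_identity" "caller" {}

data "aws_ecrpublic_authorization_token" "token" {
  provider = aws.us-east-1
}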
main.tf
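################################################################################
# Inputs (access restrictions). Defaults reproduce the original, fully open rules
# so existing deployments are unchanged; override them in a tfvars file.
################################################################################
variable "bastion_ssh_ingress_cidrs" {
  description = "CIDR blocks allowed to reach the bastion on TCP/22. Restrict to an office/VPN range; the default is world-open."
  type        = list(string)
  default     = ["0.0.0.0/0"]
}

variable "eks_public_access_cidrs" {
  description = "CIDR blocks allowed to reach the public EKS API endpoint. Same default as the EKS module (world-open); restrict it together with bastion_ssh_ingress_cidrs."
  type        = list(string)
  default     = ["0.0.0.0/0"]
}

################################################################################
# VPC
################################################################################
module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "~> 5.0"

  name = "skills-vpc"
  cidr = "10.0.0.0/16"
  azs  = ["ap-northeast-2a", "ap-northeast-2b"]

  public_subnets          = ["10.0.1.0/24", "10.0.2.0/24"]
  public_subnet_names     = ["skills-public-subnet-a", "skills-public-subnet-b"]
  map_public_ip_on_launch = true
  # Standard Kubernetes subnet-discovery tag for internet-facing load balancers.
  public_subnet_tags = {
    "kubernetes.io/role/elb" = 1
  }

  private_subnets      = ["10.0.3.0/24", "10.0.4.0/24"]
  private_subnet_names = ["skills-private-subnet-a", "skills-private-subnet-b"]
  # internal-elb: internal load balancers; karpenter.sh/discovery must match the
  # same tag set on module "eks" below.
  private_subnet_tags = {
    "kubernetes.io/role/internal-elb" = 1,
    "karpenter.sh/discovery"          = "skills-eks-cluster"
  }

  # database_subnets                   = ["10.0.5.0/24", "10.0.6.0/24"]
  # database_subnet_names              = ["skills-db-subnet-a", "skills-db-subnet-b"]
  # create_database_subnet_group       = true
  # create_database_subnet_route_table = true

  # One NAT gateway per AZ so a single-AZ failure does not cut private egress.
  enable_nat_gateway     = true
  single_nat_gateway     = false
  one_nat_gateway_per_az = true

  enable_dns_hostnames = true
  enable_dns_support   = true
}

################################################################################
# EC2 (bastion)
################################################################################
# Resolves to the newest AL2023 AMI at plan time; a later `apply` will therefore
# propose replacing the bastion whenever Amazon publishes a new image.
data "aws_ssm_parameter" "latest_ami" {
  name = "/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-x86_64"
}

# NOTE(review): the private key generated here is stored in plaintext in the
# Terraform state and written to disk below. Protect the state backend accordingly,
# or import a key pair generated outside Terraform instead.
resource "tls_private_key" "rsa" {
  algorithm = "RSA"
  rsa_bits  = 4096
}

resource "aws_key_pair" "keypair" {
  key_name   = "skills"
  public_key = tls_private_key.rsa.public_key_openssh
}

resource "local_file" "keypair" {
  content  = tls_private_key.rsa.private_key_pem
  filename = "skills.pem"
  # local_file defaults to mode 0777. A world-readable private key is both a
  # leak and a functional bug: ssh refuses to use keys with permissive modes.
  file_permission = "0600"
}

resource "aws_security_group" "bastion_sg" {
  name        = "skills-bastion-sg"
  description = "skills-bastion-sg"
  vpc_id      = module.vpc.vpc_id

  ingress {
    description = "SSH to the bastion (see var.bastion_ssh_ingress_cidrs)"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = var.bastion_ssh_ingress_cidrs
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
  tags = { Name = "skills-bastion-sg" }
}

resource "aws_iam_role" "bastion" {
  name = "skills-bastion-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Sid    = ""
        Principal = {
          Service = "ec2.amazonaws.com"
        }
      }
    ]
  })
}

# Attached as a separate resource: the role's `managed_policy_arns` argument is
# deprecated in recent AWS provider releases in favour of this resource.
# NOTE(review): AdministratorAccess on an internet-reachable bastion means anyone
# who logs in — or anything that can read the instance metadata service — holds
# account admin. Scope it down to the EKS/ECR actions the bastion really needs.
resource "aws_iam_role_policy_attachment" "bastion_admin" {
  role       = aws_iam_role.bastion.name
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}

resource "aws_iam_instance_profile" "bastion" {
  name = "skills-bastion-role"
  role = aws_iam_role.bastion.name
}

resource "aws_eip" "bastion" {
  domain     = "vpc"
  depends_on = [aws_instance.bastion]
}

resource "aws_instance" "bastion" {
  ami                         = data.aws_ssm_parameter.latest_ami.value
  instance_type               = "t3.micro"
  subnet_id                   = module.vpc.public_subnets[0]
  associate_public_ip_address = true
  iam_instance_profile        = aws_iam_instance_profile.bastion.name
  key_name                    = aws_key_pair.keypair.key_name
  vpc_security_group_ids      = [aws_security_group.bastion_sg.id]
  # Plain function call; the old `"${file(...)}"` form is a legacy interpolation-only
  # expression that Terraform warns about.
  user_data = file("./src/userdata.sh")

  # Require IMDSv2: with an admin role attached, IMDSv1 is the classic path for
  # turning any local request-forgery into account credentials. If containers on
  # this host need the instance role, raise http_put_response_hop_limit to 2.
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }

  tags = { Name = "skills-bastion" }
}

resource "aws_eip_association" "bastion_eip_assoc" {
  instance_id   = aws_instance.bastion.id
  allocation_id = aws_eip.bastion.id
}

output "bastion_details" {
  description = "Public IP, instance id and AZ of the bastion host."
  value = {
    ip_address        = aws_eip.bastion.public_ip
    instance_id       = aws_instance.bastion.id
    availability_zone = aws_instance.bastion.availability_zone
  }
}

################################################################################
# EKS
################################################################################
module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "20.37.2"

  cluster_name    = "skills-eks-cluster"
  cluster_version = "1.32"

  cluster_addons = {
    coredns                = {}
    eks-pod-identity-agent = {}
    kube-proxy             = {}
    vpc-cni                = {}
  }

  # Opens the cluster security group to the whole VPC CIDR on every port/protocol.
  # NOTE(review): broader than the nodes and bastion need; consider listing the
  # node/bastion security groups instead of the VPC block.
  cluster_security_group_additional_rules = {
    hybrid-all = {
      cidr_blocks = [module.vpc.vpc_cidr_block]
      description = "Allow all traffic from remote node/pod network"
      from_port   = 0
      to_port     = 0
      protocol    = "all"
      type        = "ingress"
    }
  }

  # Grants cluster-admin to whichever identity runs `terraform apply`.
  enable_cluster_creator_admin_permissions = true

  # The bastion role gets cluster-admin via an access entry (it already has
  # AdministratorAccess in IAM, see aws_iam_role_policy_attachment.bastion_admin).
  access_entries = {
    # One access entry with a policy associated
    example = {
      kubernetes_groups = []
      principal_arn     = aws_iam_role.bastion.arn
      policy_associations = {
        example = {
          policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
          access_scope = {
            type = "cluster"
          }
        }
      }
    }
  }

  # Optional
  cluster_endpoint_public_access       = true
  cluster_endpoint_public_access_cidrs = var.eks_public_access_cidrs
  cluster_endpoint_private_access      = true

  vpc_id = module.vpc.vpc_id
  subnet_ids = [
    module.vpc.private_subnets[0],
    module.vpc.private_subnets[1]
  ]
  # NOTE(review): control-plane ENIs are also placed in the public subnets here;
  # private subnets alone are the usual choice.
  control_plane_subnet_ids = [
    module.vpc.public_subnets[0],
    module.vpc.public_subnets[1],
    module.vpc.private_subnets[0],
    module.vpc.private_subnets[1]
  ]

  eks_managed_node_groups = {
    app-ng = {
      use_name_prefix = false
      name            = "app-ng"
      ami_type        = "BOTTLEROCKET_x86_64"
      instance_types  = ["t3.small"]
      labels          = { app = "nga" }

      desired_size = 2
      min_size     = 2
      max_size     = 10

      iam = {
        with_addon_policies = {
          image_builder                = true
          aws_load_balancer_controller = true
          auto_scaler                  = true
        }
      }

      create_launch_template = true
      launch_template_name   = "app-node-lt"
      launch_template_tags = {
        Name = "app-node"
      }
    }
  }

  # Must match the karpenter.sh/discovery tag on the private subnets above.
  tags = {
    "karpenter.sh/discovery" = "skills-eks-cluster"
  }
}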
userdata.sh
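#!/bin/bash
# Bootstrap for the skills bastion host. Runs as root via cloud-init user-data
# (so no sudo is needed). Installs AWS CLI v2, Docker, kubectl, eksctl, helm and k9s.
#
# Fixes relative to the original: the stray `wget wget` argument, the
# world-writable docker socket, unverified kubectl/eksctl downloads, and
# `kubectl version` trying to reach a cluster that does not exist yet.

# --- SSH access ----------------------------------------------------------------
# NOTE(review): this re-enables password login with a credential that is
# hard-coded in the repository, on a host whose security group and IAM role are
# defined in main.tf. Key-only SSH or SSM Session Manager removes the need for this
# whole section; it is kept only because the rest of the setup assumes it.
# NOTE(review): on AL2023, cloud-init may also set PasswordAuthentication under
# /etc/ssh/sshd_config.d/, which sshd reads first — confirm this edit takes effect.
BASTION_USER_PASSWORD='Skill53##'
sed -i 's/PasswordAuthentication no/PasswordAuthentication yes/' /etc/ssh/sshd_config
systemctl restart sshd
printf '%s\n' "${BASTION_USER_PASSWORD}" | passwd --stdin ec2-user

# --- Packages ------------------------------------------------------------------
yum install -y docker wget unzip

# Download everything into a scratch directory instead of cloud-init's cwd.
WORKDIR="$(mktemp -d)"
cd "${WORKDIR}"

# --- AWS CLI v2 ----------------------------------------------------------------
# TODO(review): verify the archive signature (awscliv2.sig, per the AWS CLI install
# docs) before running the installer.
curl -fsSL "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o awscliv2.zip
unzip -q awscliv2.zip
./aws/install
aws --version

# --- Docker --------------------------------------------------------------------
systemctl enable --now docker
usermod -aG docker ec2-user
usermod -aG docker root
# Deliberately no `chmod 666 /var/run/docker.sock`: the socket is root:docker 0660
# and the group membership above is enough once ec2-user logs in. A world-writable
# docker socket lets any local account run containers as root.
docker --version

# --- kubectl (current stable release, verified with the published sha256) ------
KUBECTL_VERSION="$(curl -fsSL https://dl.k8s.io/release/stable.txt)"
curl -fsSLO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl"
curl -fsSLO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl.sha256"
echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check
install -m 0755 kubectl /usr/local/bin/kubectl
# --client: there is no cluster to contact at bootstrap time.
kubectl version --client

# --- eksctl (latest release, verified against the release checksum file) --------
EKSCTL_RELEASE_BASE="https://github.com/weaveworks/eksctl/releases/latest/download"
EKSCTL_ARCHIVE="eksctl_$(uname -s)_amd64.tar.gz"
curl -fsSLO "${EKSCTL_RELEASE_BASE}/${EKSCTL_ARCHIVE}"
curl -fsSL "${EKSCTL_RELEASE_BASE}/eksctl_checksums.txt" | grep "${EKSCTL_ARCHIVE}" | sha256sum --check
tar -xzf "${EKSCTL_ARCHIVE}" -C /tmp
mv -v /tmp/eksctl /usr/local/bin
eksctl version

# --- helm (the installer script checksums the helm tarball it downloads) --------
curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3
chmod 700 get_helm.sh
./get_helm.sh
helm version

# --- k9s (pinned) ----------------------------------------------------------------
# TODO(review): verify against the checksum file published with this release
# before extracting.
K9S_VERSION="v0.32.5"
wget -q "https://github.com/derailed/k9s/releases/download/${K9S_VERSION}/k9s_Linux_amd64.tar.gz"
tar -xf k9s_Linux_amd64.tar.gz
install -m 0755 k9s /usr/local/bin/k9s

# --- cleanup ---------------------------------------------------------------------
cd /
rm -rf "${WORKDIR}"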