GaryLouisStewart · GaryLouisStewart · Feb 23, 2020 · Feb 23, 2020 · Feb 29, 2020 · Feb 29, 2020
diff --git a/cluster/backend.tf b/cluster/backend.tf
@@ -1,7 +1,8 @@
 terraform {
   backend "s3" {
     bucket = "kubernetes-the-hard-way"
-    key    = "kthw1/kthw.tfstate"
+    key    = "kthw1/kubethehardway.tfstate"
     region = "eu-west-2"
   }
-}
+  required_version = "> 0.11.7"
+}
diff --git a/cluster/cluster.tf b/cluster/cluster.tf
@@ -1,13 +1,18 @@
-module "kubernetes_bastion_hosts" {
-    source                        = "../modules/bastion-host"
-    bastion_ami                   = "${var.ami_master_node}"
-    target_vpc_id                 = "${module.ec2-cluster.vpc_id}"
-    target_security_group_id      = "${module.ec2-cluster.security_group_id}"
-    common_tags                   = "${var.common_tags}"
-    bastion_ssh_ingress           = "${var.kubernetes_masters_ingress_cidr_range}"
-    bastion_subnets               = ["10.0.5.0/24", "10.0.6.0/24"]
-    cidr_range_bastion_access     = ["0.0.0.0/0"]
-    ssh_keypair                   = "master-nodes"
+module "kubernetes_bastion_host" {
+    source = "../modules/bastion-host"
+    bastion_ami = "${var.bastion_ami}"
+    target_vpc_id = "${module.ec2-cluster.vpc_id}"
+    target_security_group_id = "${module.ec2-cluster.security_group_id}"
+    bastion_ssh_ingress = "${var.kubernetes_masters_ingress_cidr_range}"
+    bastion_subnets =  "${var.bastion_subnets}"
+    cidr_range_bastion_access = ["0.0.0.0/0"]
+    ssh_keypair = "bastion-nodes"
+    instance_type = "${var.instance_type}"
+    bastion_count = "${var.bastion_count}"
+    launch_config = "${var.launch_config}"
+    asg = "${var.bastion_asg}"
+    create_asg = "${var.create_asg}"
+    common_tags = "${var.common_tags}"
 }
 
 module "ec2-cluster" {

diff --git a/cluster/defaults.tf b/cluster/defaults.tf
@@ -103,3 +103,38 @@ variable "master_node_count" {
     description = "The number of master nodes to create"
     default = 1
 }
+
+variable "bastion_asg" {
+    description = "a map of values that apply to the bastion host asg"
+    default = {}
+}
+
+variable "launch_config" {
+    description = "A map of values that apply to the launch config for the bastion hosts"
+    default = {}
+}
+
+variable "bastion_count" {
+    description = "The number of bastion host ec2 instances to create"
+    default = 1
+}
+
+variable "instance_type" {
+    description = "The instance type to use for the bastion nodes"
+    default = "t2.micro"
+}
+
+variable "bastion_ami" {
+    description = "The Ami to use for the bastion hosts instance"
+    default = ""
+}
+
+variable "create_asg" {
+    description = "whether to create our autoscaling group"
+    default = true
+}
+
+variable "bastion_subnets" {
+    description = "A list of CIDR ranges to use for the bastion host subnets"
+    default = []
+}
diff --git a/cluster/vars/common.json b/cluster/vars/common.json
@@ -19,7 +19,7 @@
         "Platform": "Ubuntu 16.04 xenial",
         "Application": "Kubernetes cluster",
         "Service": "kubernetes",
-        "Terraformed": "true",
+        "Terraformed": true,
         "Created_by": "Gary"
     },
 
@@ -35,6 +35,25 @@
     "subnet_kube_workers": ["10.0.3.0/24", "10.0.4.0/24"],
     "cluster_name": "kthw",
     "kubernetes_masters_ingress_cidr_range": ["0.0.0.0/0"],
-    "ingress_ports_kubernetes_masters": ["443"]
+    "ingress_ports_kubernetes_masters": ["443"],
+    "instance_type": "t2.micro",
+    "bastion_count": "2",
+    "bastion_ami": "ami-0517c2db07ca86c75",
 
+    "bastion_asg": {
+        "asg_max": 3,
+        "asg_min": 1,
+        "asg_desired": 2,
+        "health_check_type": "EC2",
+        "health_check_grace": 60
+    },
+
+    "bastion_subnets": ["10.0.32.0/20", "10.0.48.0/20"],
+
+    "launch_config": {
+        "root_vol_size": "20",
+        "root_vol_type": "gp2",
+        "root_vol_encrypted": true
+    },
+    "create_asg": 1
 }
diff --git a/modules/bastion-host/main.tf → modules/bastion-host/_bastion-host.tf b/modules/bastion-host/main.tf → modules/bastion-host/_bastion-host.tf
@@ -1,16 +1,70 @@
-# aws instances
-resource "aws_instance"  "bastion-instance" {
-    count                   = "${var.bastion_count}"
-    ami                     = "${var.bastion_ami}"
-    key_name                = "${var.ssh_keypair}"
-    instance_type           = "${var.instance_type}"
-    vpc_security_group_ids  = ["${aws_security_group.bastion-ssh.id}"]
-    tags = "${merge(map(
-        "Name", "Bastion host"
-    ), var.common_tags)}"
+# autoscaling groups.
+
+resource "aws_launch_configuration" "bastion_conf" {
+  name_prefix = "bastion-host-lc-"
+  image_id = "${var.bastion_ami}"
+  instance_type = "${var.instance_type}"
+  associate_public_ip_address = false
+  security_groups = ["${aws_security_group.bastion-ssh.id}"]
+  user_data = "${data.template_file.bastion-user-data_common.rendered}"
+  key_name = "${var.ssh_keypair}"
+    root_block_device {
+      volume_size = "${var.launch_config["root_vol_size"]}"
+      volume_type = "${var.launch_config["root_vol_type"]}}"
+      encrypted = "${var.launch_config["root_vol_encrypted"]}"
+    }
+
+    lifecycle {
+    create_before_destroy = true
+    }
+}
+
+resource "aws_autoscaling_group" "bastion-asg" {
+    count = "${var.create_asg ? 1 : 0}"
+    name = "bastion-host-asg"
+    launch_configuration = "${aws_launch_configuration.bastion_conf.id}"
+    availability_zones = ["${data.aws_availability_zones.available.names[0]}, ${data.aws_availability_zones.available.names[1]}"]
+    vpc_zone_identifier = ["${aws_subnet.bastion-public-subnet.count}"]
+    max_size = "${var.asg["asg_max"]}"
+    min_size = "${var.asg["asg_min"]}"
+    desired_capacity = "${var.asg["asg_desired"]}"
+    health_check_grace_period = "${var.asg["health_check_grace"]}"
+    health_check_type = "${var.asg["health_check_type"]}"
+
+    lifecycle {
+        create_before_destroy = true
+    }
+
+    tags = ["${merge(map(
+        "Name", "Bastion host",
+        "propagate_at_launch", "true"
+         ),  var.common_tags)}"]
+}
+
+resource "aws_iam_instance_profile" "bastion_profile" {
+  name = "test_profile"
+  role = "${aws_iam_role.bastion_role.name}"
+}
+
+resource "aws_iam_role" "bastion_role" {
+    name = "bastion_role"
+    path = "/"
 
+    assume_role_policy = "${file("${path.module}/templates/bastion-iam.tpl")}"
 }
 
+resource "aws_eip" "bastion-host" {
+    count = "${var.bastion_count}"
+    vpc = true
+
+    lifecycle {
+        create_before_destroy = true
+    }
+
+    tags = "${merge(map(
+        "Name", "Bastion host elastic ip address",
+    ), var.common_tags)}"
+}
 
 resource "aws_internet_gateway" "bastion" {
     vpc_id = "${var.target_vpc_id}"
@@ -59,7 +113,7 @@ resource "aws_security_group_rule" "bastion-ssh" {
     protocol                    = "tcp"
     security_group_id           = "${aws_security_group.bastion-ssh.id}"
     to_port                     = "443"
-    type                        = "ingress" 
+    type                        = "ingress"
 }
 
 resource "aws_security_group_rule" "bastion-to-kubernetes-workers" {
@@ -90,13 +144,3 @@ resource "aws_route" "bastion-administration" {
     destination_cidr_block      = "${element(var.cidr_range_bastion_access, count.index)}"
     depends_on                  = ["aws_route_table.bastion-hosts"]
 }
-
-
-# data sources
-
-
-data "http" "myipaddr" {
-  url = "http://ipv4.icanhazip.com"
-}
-
-data  "aws_availability_zones" "available" {}
diff --git a/modules/bastion-host/_data.tf b/modules/bastion-host/_data.tf
@@ -0,0 +1,23 @@
+# data sources file
+
+data "http" "myipaddr" {
+  url = "http://ipv4.icanhazip.com"
+}
+
+data  "aws_availability_zones" "available" {}
+
+data "template_file" "bastion-user-data_common" {
+  template = "${file("${path.module}/templates/bastion-user-data_common.tpl")}"
+}
+
+data "template_cloudinit_config" "userdata" {
+  gzip = true
+  base64_encode = true
+
+  part {
+    filename = "init.cfg"
+    content_type = "text/x-shellscript"
+    content = "${data.template_file.bastion-user-data_common.rendered}"
+  }
+
+}
diff --git a/modules/bastion-host/vars.tf → modules/bastion-host/_defaults.tf b/modules/bastion-host/vars.tf → modules/bastion-host/_defaults.tf
@@ -52,3 +52,18 @@ variable "bastion_count" {
     description = "The number of bastion host servers to spawn"
     default = 1
 }
+
+variable "asg" {
+    description = "A map of autoscaling group parameters"
+    type = "map"
+}
+
+variable "launch_config" {
+    description = "A map of variables that apply to launch configuration"
+    type = "map"
+}
+
+variable "create_asg" {
+    description = "Create autoscaling group, defaults to yes"
+    default = true
+}
diff --git a/modules/bastion-host/_outputs.tf b/modules/bastion-host/_outputs.tf
@@ -0,0 +1,4 @@
+output "igw_id" {
+    value = "${aws_internet_gateway.bastion.id}"
+    description = "The aws internet gateway ID"
+}
diff --git a/modules/bastion-host/outputs.tf b/modules/bastion-host/outputs.tf
diff --git a/modules/bastion-host/templates/bastion-iam.tpl b/modules/bastion-host/templates/bastion-iam.tpl
@@ -0,0 +1,13 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Action": "sts:AssumeRole",
+            "Principal": {
+               "Service": "ec2.amazonaws.com"
+            },
+            "Effect": "Allow",
+            "Sid": ""
+        }
+    ]
+}
diff --git a/modules/bastion-host/templates/bastion-user-data_common.tpl b/modules/bastion-host/templates/bastion-user-data_common.tpl
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+# user data file for instances
+
+# set hostname
+
diff --git a/modules/ec2-cluster/_data.tf b/modules/ec2-cluster/_data.tf
@@ -0,0 +1,5 @@
+data "http" "myipaddr" {
+  url = "http://ipv4.icanhazip.com"
+}
+
+data "aws_availability_zones" "available" {}
diff --git a/modules/ec2-cluster/vars.tf → modules/ec2-cluster/_defaults.tf b/modules/ec2-cluster/vars.tf → modules/ec2-cluster/_defaults.tf
diff --git a/modules/ec2-cluster/main.tf → modules/ec2-cluster/_ec2.tf b/modules/ec2-cluster/main.tf → modules/ec2-cluster/_ec2.tf
@@ -163,9 +163,3 @@ resource "aws_security_group_rule" "kube_node_cluster_ingress_node_https" {
     to_port                  = 443
     type                     = "ingress"
 }
-
-data "http" "myipaddr" {
-  url = "http://ipv4.icanhazip.com"
-}
-
-data "aws_availability_zones" "available" {}
diff --git a/modules/ec2-cluster/outputs.tf → modules/ec2-cluster/_outputs.tf b/modules/ec2-cluster/outputs.tf → modules/ec2-cluster/_outputs.tf
@@ -1,9 +1,9 @@
 output "vpc_id" {
-    value = aws_vpc.kubernetes_vpc.id
+    value = "${aws_vpc.kubernetes_vpc.id}"
     description = "The VPC id of our kubernetes cluster"
 }
 
 output "security_group_id" {
-    value = aws_security_group.kubernetes_masters.id
+    value = "${aws_security_group.kubernetes_masters.id}"
     description = "The Kubernetes security group ID"
 }
diff --git a/scripts/tf_action.sh b/scripts/tf_action.sh
@@ -34,6 +34,12 @@ function terraform_destroy() {
 	terraform destroy -var-file "$TF_VARS/common.json"
 }
 
+function terraform_debug_mode() {
+  echo "%....Running a terraform Plan now with debugging mode enabled....%"s
+  TF_LOG="debug"
+  terraform plan -var-file "$TF_VARS/common.json" -out=.logs/terraform-plan-log-"$DATE"
+}
+
 function terraform_output() {
     if [ "$#" -lt 2 ]; then
      echo "Please select a resource to output or see usage with tf_action -h"
@@ -53,6 +59,7 @@ function usage() {
     echo "  -d, --destory  runs a terraform destroy, [ \$tf_action -d ]"
     echo "  -o, --output   runs a terraform output, [ \$tf_action -o <resource-name> ]"
     echo "  -h, --help     display help, [ \$tf_action -h ]"
+    echo "  -pd, --debug    runs a terraform plan with debugging enabled e,g, [\$tf_action -pd]"
     exit 1
 }
 
@@ -74,6 +81,9 @@ in
     -d|--destroy)
     terraform_destroy
     ;;
+    -pd|--debug)
+    terraform_debug_mode
+    ;;
     -o|--output)
     terraform_output "$1"
     ;;