terraform code

Author: Nidhi Gupta

terraform/automode/access.tf

@@ -2,20 +2,20 @@
 1️⃣ Create an IAM Group (eks-admin-group)
 
 This group will contain users who need admin access to EKS.
-2️⃣ Create an IAM Role (k8s-admin-role)
+2️⃣ Create an IAM Role (eks-admin-role)
 
 Allows users in the eks-admin-group to assume this role for EKS admin tasks.
 Trust policy ensures only eks-admin-group members can assume the role.
 3️⃣ Create an IAM Policy (eks-assume-role-policy)
 
-Grants sts:AssumeRole permission for the k8s-admin-role.
+Grants sts:AssumeRole permission for the eks-admin-role.
 Attached to the eks-admin-group, allowing its users to assume the role.
 4️⃣ Register IAM Role with EKS (aws_eks_access_entry)
 
-Associates k8s-admin-role with the EKS cluster.
+Associates eks-admin-role with the EKS cluster.
 5️⃣ Attach EKS Admin Policy (aws_eks_access_policy_association)
 
-Grants k8s-admin-role full EKS administrative access
+Grants eks-admin-role full EKS administrative access
 */
 resource "aws_iam_group" "admin_group" {
   name = "eks-admin-group"

terraform/automode/data.tf

@@ -1,28 +1,5 @@
 data "aws_caller_identity" "current" {}
 
-
-data "aws_subnets" "private_subnets" {
-  filter {
-    name   = "vpc-id"
-    values = [module.vpc.vpc_id]
-  }
-  filter {
-    name   = "tag:Name"
-    values = ["*private*"] # This matches all subnets with a Name tag
-  }
-}
-
-data "aws_subnets" "public_subnets" {
-  filter {
-    name   = "vpc-id"
-    values = [module.vpc.vpc_id]
-  }
-  filter {
-    name   = "tag:Name"
-    values = ["*public*"] # This matches all subnets with a Name tag
-  }
-}
-
 data "aws_eks_cluster_auth" "cluster" {
   name = module.eks.cluster_name
 }

terraform/automode/eks.tf

@@ -1,5 +1,4 @@
 module "eks" {
-  depends_on = [null_resource.wait_60_seconds]
   source  = "terraform-aws-modules/eks/aws"
   version = "~> 20.31"
   cluster_name    = "eks-automode"
@@ -16,7 +15,7 @@ module "eks" {
    support_type = "STANDARD"
   }
   vpc_id     = module.vpc.vpc_id
-  subnet_ids =  data.aws_subnets.private_subnets.ids
+  subnet_ids = module.vpc.private_subnets
 
   tags = {
     Environment = "dev"

terraform/automode/kubernetes.tf

@@ -1,4 +1,5 @@
 resource "kubectl_manifest" "ingress_class_params" {
+  depends_on = [ module.eks ]
   yaml_body = jsonencode({
     apiVersion = "eks.amazonaws.com/v1"
     kind       = "IngressClassParams"
@@ -7,17 +8,25 @@ resource "kubectl_manifest" "ingress_class_params" {
     }
     spec = {
       scheme = "internet-facing"
+      group = {
+        name = "myapp" /// uses for same ALB for multiple services
+      }
     }
+
   })
 }
 
 resource "kubectl_manifest" "ingress_class" {
+  depends_on = [ module.eks ]
   yaml_body = jsonencode({
     apiVersion = "networking.k8s.io/v1"
     kind       = "IngressClass"
     metadata = {
       name = "eks-auto-alb"
     }
+    annotations = {
+        "alb.ingress.kubernetes.io/group.name" = "myapp"
+      }
     spec = {
       controller = "eks.amazonaws.com/alb"
       parameters = {

terraform/automode/providers.tf

@@ -21,10 +21,3 @@ provider "kubectl" {
   token  =data.aws_eks_cluster_auth.cluster.token
   cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)
 }
-
-/*provider "kubernetes" {
-  host                   = module.eks.cluster_endpoint
-  token  =data.aws_eks_cluster_auth.cluster.token
-  cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)
-  
-}*/

terraform/automode/wait.tf

@@ -0,0 +1,82 @@
+/*
+1️⃣ Create an IAM Group (eks-admin-group)
+
+This group will contain users who need admin access to EKS.
+2️⃣ Create an IAM Role (k8s-admin-role)
+
+Allows users in the eks-admin-group to assume this role for EKS admin tasks.
+Trust policy ensures only eks-admin-group members can assume the role.
+3️⃣ Create an IAM Policy (eks-assume-role-policy)
+
+Grants sts:AssumeRole permission for the k8s-admin-role.
+Attached to the eks-admin-group, allowing its users to assume the role.
+4️⃣ Register IAM Role with EKS (aws_eks_access_entry)
+
+Associates k8s-admin-role with the EKS cluster.
+5️⃣ Attach EKS Admin Policy (aws_eks_access_policy_association)
+
+Grants k8s-admin-role full EKS administrative access
+*/
+resource "aws_iam_group" "admin_group" {
+  name = "eks-admin-group"
+}
+resource "aws_iam_role" "admin_role" {
+    name = "eks-admin-role"
+    assume_role_policy = jsonencode({
+        Version = "2012-10-17",
+        Statement = [
+            {
+                Effect = "Allow",
+                Principal = {
+                      "AWS": "arn:aws:iam::${data.aws_caller_identity.current.account_id
+}:root"
+                },
+                Action = "sts:AssumeRole"
+            }
+        ]
+    })
+}
+
+resource "aws_iam_role_policy_attachment" "admin_permissions" {
+  role       = aws_iam_role.admin_role.name
+  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
+}
+# Create IAM Policy for AssumeRole
+resource "aws_iam_policy" "eks_assume_role_policy" {
+  name        = "eks-assume-role-policy"
+  description = "Allows users in the group to assume the eks-admins-role"
+  policy      = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect   = "Allow"
+        Action   = "sts:AssumeRole"
+        Resource = "arn:aws:iam::936379345511:role/${aws_iam_role.admin_role.name}"
+      }
+    ]
+  })
+}
+
+# Attach Policy to IAM Group
+resource "aws_iam_group_policy_attachment" "attach_assume_role_policy" {
+  group      = aws_iam_group.admin_group.name
+  policy_arn = aws_iam_policy.eks_assume_role_policy.arn
+}
+
+resource "aws_eks_access_entry" "example" {
+  cluster_name      = module.eks.cluster_name
+  principal_arn     = aws_iam_role.admin_role.arn
+  type              = "STANDARD"
+}
+
+resource "aws_eks_access_policy_association" "example" {
+  cluster_name  = module.eks.cluster_name
+  policy_arn    = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
+  principal_arn = aws_iam_role.admin_role.arn
+  access_scope {
+    type       = "cluster"
+  }
+}
+
+
+

terraform/eks_nodegroup/access.tf

@@ -1,21 +1,5 @@
-data "aws_subnets" "private_subnets" {
-  filter {
-    name   = "vpc-id"
-    values = [module.vpc.vpc_id]
-  }
-  filter {
-    name   = "tag:Name"
-    values = ["*private*"] # This matches all subnets with a Name tag
-  }
-}
+data "aws_caller_identity" "current" {}
 
-data "aws_subnets" "public_subnets" {
-  filter {
-    name   = "vpc-id"
-    values = [module.vpc.vpc_id]
-  }
-  filter {
-    name   = "tag:Name"
-    values = ["*public*"] # This matches all subnets with a Name tag
-  }
+data "aws_eks_cluster_auth" "cluster" {
+  name = module.eks.cluster_name
 }

terraform/eks_nodegroup/data.tf

@@ -1,6 +1,5 @@
 
 module "eks" {
-  depends_on = [null_resource.wait_60_seconds]
   source  = "terraform-aws-modules/eks/aws"
   version = "~> 20.0"
   cluster_name    = "eks-1"
@@ -10,7 +9,6 @@ module "eks" {
    support_type = "STANDARD"
   }
   cluster_addons = {
-    coredns                = {}
     eks-pod-identity-agent = {}
     kube-proxy             = {}
     vpc-cni                = {}
@@ -21,42 +19,13 @@ module "eks" {
 
   # Optional: Adds the current caller identity as an administrator via cluster access entry
   enable_cluster_creator_admin_permissions = true
-
-
+#enable_irsa	Determines whether to create an OpenID Connect Provider for EKS to enable IRSA
+enable_irsa = true
   vpc_id                   =  module.vpc.vpc_id
-  subnet_ids               = data.aws_subnets.private_subnets.ids
-  control_plane_subnet_ids = data.aws_subnets.private_subnets.ids
-  tags = {
-    Environment = "dev"
-    Terraform   = "true"
-  }
-}
-
-module "eks_managed_node_group" {
-  source = "terraform-aws-modules/eks/aws//modules/eks-managed-node-group"
-cluster_service_cidr = module.eks.cluster_service_cidr
-  name            = "separate-eks-mng"
-  cluster_name    = module.eks.cluster_name
-  cluster_version = "1.31"
-
-  subnet_ids = data.aws_subnets.private_subnets.ids
-  cluster_primary_security_group_id = module.eks.cluster_primary_security_group_id
-  vpc_security_group_ids            = [module.eks.node_security_group_id]
-  min_size     = 1
-  max_size     = 2
-  desired_size = 1
-
-  instance_types = ["t3.large"]
-  capacity_type  = "SPOT"
-
-  labels = {
-    Environment = "test"
-    GithubRepo  = "terraform-aws-eks"
-    GithubOrg   = "terraform-aws-modules"
-  }
-
+  subnet_ids               = module.vpc.private_subnets
+  control_plane_subnet_ids = module.vpc.private_subnets
   tags = {
     Environment = "dev"
     Terraform   = "true"
   }
-}
+}

terraform/eks_nodegroup/eks.tf

@@ -0,0 +1,46 @@
+# Define the Helm provider
+provider "helm" {
+  kubernetes {
+    host                   = module.eks.cluster_endpoint
+    cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)
+    token                  = data.aws_eks_cluster_auth.cluster.token
+  }
+}
+
+# Add the Helm chart repository for AWS Load Balancer Controller
+
+
+# Install the AWS Load Balancer Controller via Helm
+resource "helm_release" "aws_load_balancer_controller" {
+  depends_on = [module.eks_managed_node_group]
+  name       = "aws-load-balancer-controller"
+  namespace  = "kube-system"
+  chart      = "aws-load-balancer-controller"
+  repository = "https://aws.github.io/eks-charts"
+
+  set {
+    name  = "clusterName"
+    value = module.eks.cluster_name
+  }
+
+  set {
+    name  = "region"
+    value = "us-east-1"
+  }
+
+  set {
+    name  = "serviceAccount.create"
+    value = "true"
+  }
+
+  set {
+    name  = "serviceAccount.name"
+    value = "aws-load-balancer-controller"
+  }
+
+  set {
+    name  = "serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"
+    value = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${aws_iam_role.eks-alb-ingress-controller.name}"
+  }
+}
+