Merge pull request #44 from arunlalp/master

[Feat] Added EKS Module

Author: techiescamp

infra/eks-cluster/main.tf

@@ -0,0 +1,18 @@
+provider "aws" {
+  region = var.region
+}
+
+module "eks-cluster" {
+  source             = "../modules/eks"
+  cluster_name       = var.cluster_name
+  role_name          = var.role_name
+  vpc_subnets        = var.vpc_subnets
+  node_group_name    = var.node_group_name
+  node_instance_type = var.node_instance_type
+  node_disk_size     = var.node_disk_size
+  policy_arns        = var.policy_arns
+  eks_addons         = var.eks_addons
+  principal_arn      = var.principal_arn
+  kubernetes_groups  = var.kubernetes_groups
+  access_policy_arn  = var.access_policy_arn
+}

infra/eks-cluster/outputs.tf

@@ -0,0 +1,59 @@
+variable "region" {
+  type        = string
+  description = "Region of the EC2 instance"
+}
+
+variable "cluster_name" {
+  description = "The name of the EKS cluster"
+  type        = string
+}
+
+variable "role_name" {
+  description = "Name of the IAM role for EKS"
+  type        = string
+}
+
+variable "vpc_subnets" {
+  description = "List of VPC subnet IDs"
+  type        = list(string)
+}
+
+variable "node_group_name" {
+  description = "The name of the node group"
+  type        = string
+}
+
+variable "node_instance_type" {
+  description = "EC2 instance type for the node group"
+  type        = list(string)
+}
+
+variable "node_disk_size" {
+  description = "Disk size for the node group instances"
+  type        = number
+}
+
+variable "policy_arns" {
+  description = "List of IAM policy ARNs to attach to the roles"
+  type        = list(string)
+}
+
+variable "eks_addons" {
+  description = "List of EKS addons and their versions"
+  type = map(string)
+}
+
+variable "principal_arn" {
+  description = "The ARN of the principal"
+  type        = string
+}
+
+variable "kubernetes_groups" {
+  description = "Kubernetes groups"
+  type        = list(string)
+}
+
+variable "access_policy_arn" {
+  description = "The ARN of the access policy"
+  type        = string
+}

infra/eks-cluster/variables.tf

@@ -0,0 +1,198 @@
+resource "aws_eks_cluster" "eks_cluster" {
+  name     = var.cluster_name
+  role_arn = aws_iam_role.cluster_role.arn
+
+  vpc_config {
+    subnet_ids               = var.vpc_subnets
+    endpoint_private_access  = true
+    endpoint_public_access   = true
+  }
+
+  access_config {
+    authentication_mode                         = "API_AND_CONFIG_MAP"
+    bootstrap_cluster_creator_admin_permissions = true
+  }
+
+  depends_on = [
+    aws_iam_role_policy_attachment.AmazonEKSClusterPolicy,
+    aws_iam_role_policy_attachment.AmazonEKSVPCResourceController,
+  ]
+}
+
+output "endpoint" {
+  value = aws_eks_cluster.eks_cluster.endpoint
+}
+
+output "kubeconfig-certificate-authority-data" {
+  value = aws_eks_cluster.eks_cluster.certificate_authority[0].data
+}
+
+data "aws_iam_policy_document" "assume_role" {
+  statement {
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["eks.amazonaws.com"]
+    }
+
+    actions = ["sts:AssumeRole"]
+  }
+}
+
+resource "aws_iam_role" "cluster_role" {
+  name               = var.role_name
+  assume_role_policy = data.aws_iam_policy_document.assume_role.json
+}
+
+resource "aws_iam_role_policy_attachment" "AmazonEKSClusterPolicy" {
+  policy_arn = var.policy_arns[0]
+  role       = aws_iam_role.cluster_role.name
+}
+
+resource "aws_iam_role_policy_attachment" "AmazonEKSVPCResourceController" {
+  policy_arn = var.policy_arns[1]
+  role       = aws_iam_role.cluster_role.name
+}
+
+data "tls_certificate" "tls_cert" {
+  url = aws_eks_cluster.eks_cluster.identity[0].oidc[0].issuer
+}
+
+resource "aws_iam_openid_connect_provider" "eks_oidc_provider" {
+  client_id_list  = ["sts.amazonaws.com"]
+  thumbprint_list = [data.tls_certificate.tls_cert.certificates[0].sha1_fingerprint]
+  url             = data.tls_certificate.tls_cert.url
+}
+
+data "aws_iam_policy_document" "assume_role_policy" {
+  statement {
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+    effect  = "Allow"
+
+    condition {
+      test     = "StringEquals"
+      variable = "${replace(aws_iam_openid_connect_provider.eks_oidc_provider.url, "https://", "")}:sub"
+      values   = ["system:serviceaccount:kube-system:aws-node"]
+    }
+
+    principals {
+      identifiers = [aws_iam_openid_connect_provider.eks_oidc_provider.arn]
+      type        = "Federated"
+    }
+  }
+}
+
+resource "aws_eks_addon" "coredns" {
+  cluster_name                = aws_eks_cluster.eks_cluster.name
+  addon_name                  = "coredns"
+  addon_version               = var.eks_addons["coredns"]
+  resolve_conflicts_on_update = "PRESERVE"
+}
+
+resource "aws_iam_role" "vpc_cni_role" {
+  assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
+  name               = "vpc-cni-role"
+}
+
+resource "aws_iam_role_policy_attachment" "vpc_cni_policy" {
+  policy_arn = var.policy_arns[3]
+  role       = aws_iam_role.vpc_cni_role.name
+}
+
+resource "aws_eks_addon" "vpc-cni" {
+  cluster_name                = aws_eks_cluster.eks_cluster.name
+  addon_name                  = "vpc-cni"
+  addon_version               = var.eks_addons["vpc-cni"]
+  resolve_conflicts_on_update = "PRESERVE"
+  service_account_role_arn    = aws_iam_role.vpc_cni_role.arn
+}
+
+resource "aws_eks_addon" "kube-proxy" {
+  cluster_name                = aws_eks_cluster.eks_cluster.name
+  addon_name                  = "kube-proxy"
+  addon_version               = var.eks_addons["kube-proxy"]
+  resolve_conflicts_on_update = "PRESERVE"
+}
+
+resource "aws_eks_addon" "eks-pod-identity-agent" {
+  cluster_name                = aws_eks_cluster.eks_cluster.name
+  addon_name                  = "eks-pod-identity-agent"
+  addon_version               = var.eks_addons["eks-pod-identity-agent"]
+  resolve_conflicts_on_update = "PRESERVE"
+}
+
+resource "aws_eks_node_group" "node_group" {
+  cluster_name    = aws_eks_cluster.eks_cluster.name
+  node_group_name = var.node_group_name
+  version         = aws_eks_cluster.eks_cluster.version
+  node_role_arn   = aws_iam_role.node-group-iam-role.arn
+  subnet_ids      = var.vpc_subnets
+  capacity_type   = "ON_DEMAND"
+  disk_size       = var.node_disk_size
+  instance_types  = var.node_instance_type
+
+  scaling_config {
+    desired_size = 1
+    max_size     = 2
+    min_size     = 1
+  }
+
+  update_config {
+    max_unavailable = 1
+  }
+
+  depends_on = [
+    aws_iam_role_policy_attachment.AmazonEKSWorkerNodePolicy,
+    aws_iam_role_policy_attachment.AmazonEKS_CNI_Policy,
+    aws_iam_role_policy_attachment.AmazonEC2ContainerRegistryReadOnly,
+  ]
+}
+
+resource "aws_iam_role" "node-group-iam-role" {
+  name = "eks-node-group-role"
+
+  assume_role_policy = jsonencode({
+    Statement = [{
+      Action = "sts:AssumeRole"
+      Effect = "Allow"
+      Principal = {
+        Service = "ec2.amazonaws.com"
+      }
+    }]
+    Version = "2012-10-17"
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "AmazonEKSWorkerNodePolicy" {
+  policy_arn = var.policy_arns[2]
+  role       = aws_iam_role.node-group-iam-role.name
+}
+
+resource "aws_iam_role_policy_attachment" "AmazonEKS_CNI_Policy" {
+  policy_arn = var.policy_arns[3]
+  role       = aws_iam_role.node-group-iam-role.name
+}
+
+resource "aws_iam_role_policy_attachment" "AmazonEC2ContainerRegistryReadOnly" {
+  policy_arn = var.policy_arns[4]
+  role       = aws_iam_role.node-group-iam-role.name
+}
+
+resource "aws_eks_access_entry" "access_entry" {
+  cluster_name      = aws_eks_cluster.eks_cluster.name
+  principal_arn     = var.principal_arn
+  kubernetes_groups = var.kubernetes_groups
+  type              = "STANDARD"
+}
+
+resource "aws_eks_access_policy_association" "access_association" {
+  cluster_name  = aws_eks_cluster.eks_cluster.name
+  policy_arn    = var.access_policy_arn
+  principal_arn = aws_eks_access_entry.access_entry.principal_arn
+
+  access_scope {
+    type = "cluster"
+  }
+}
+

modules/eks/main.tf

@@ -0,0 +1,79 @@
+output "cluster_name" {
+  description = "The name of the EKS cluster"
+  value       = aws_eks_cluster.eks_cluster.name
+}
+
+output "cluster_endpoint" {
+  description = "The endpoint of the EKS cluster"
+  value       = aws_eks_cluster.eks_cluster.endpoint
+}
+
+output "cluster_certificate_authority_data" {
+  description = "The certificate authority data for the cluster"
+  value       = aws_eks_cluster.eks_cluster.certificate_authority[0].data
+}
+
+output "cluster_arn" {
+  description = "The ARN of the EKS cluster"
+  value       = aws_eks_cluster.eks_cluster.arn
+}
+
+output "oidc_provider_arn" {
+  description = "The ARN of the OIDC provider"
+  value       = aws_iam_openid_connect_provider.eks_oidc_provider.arn
+}
+
+output "node_group_name" {
+  description = "The name of the EKS node group"
+  value       = aws_eks_node_group.node_group.node_group_name
+}
+
+output "node_group_instance_types" {
+  description = "The instance types used in the EKS node group"
+  value       = aws_eks_node_group.node_group.instance_types
+}
+
+output "node_group_disk_size" {
+  description = "The disk size for the EKS node group instances"
+  value       = aws_eks_node_group.node_group.disk_size
+}
+
+output "iam_role_name" {
+  description = "The name of the IAM role used for the EKS cluster"
+  value       = aws_iam_role.cluster_role.name
+}
+
+output "vpc_subnets" {
+  description = "The VPC subnets used by the EKS cluster"
+  value       = aws_eks_cluster.eks_cluster.vpc_config[0].subnet_ids
+}
+
+output "coredns_addon_version" {
+  description = "The version of the CoreDNS addon"
+  value       = aws_eks_addon.coredns.addon_version
+}
+
+output "vpc_cni_addon_version" {
+  description = "The version of the VPC CNI addon"
+  value       = aws_eks_addon.vpc-cni.addon_version
+}
+
+output "kube_proxy_addon_version" {
+  description = "The version of the kube-proxy addon"
+  value       = aws_eks_addon.kube-proxy.addon_version
+}
+
+output "eks_pod_identity_agent_addon_version" {
+  description = "The version of the EKS Pod Identity Agent addon"
+  value       = aws_eks_addon.eks-pod-identity-agent.addon_version
+}
+
+output "access_entry_principal_arn" {
+  description = "The ARN of the principal for the access entry"
+  value       = aws_eks_access_entry.access_entry.principal_arn
+}
+
+output "access_policy_arn" {
+  description = "The ARN of the access policy associated with the EKS cluster"
+  value       = aws_eks_access_policy_association.access_association.policy_arn
+}