workers can now be specified as multiple asgs of different flavors. BYO security group now possible for both workers and cluster

Author: brandonjbjelland

cluster.tf

@@ -4,7 +4,7 @@ resource "aws_eks_cluster" "this" {
   version  = "${var.cluster_version}"
 
   vpc_config {
-    security_group_ids = ["${aws_security_group.cluster.id}"]
+    security_group_ids = ["${local.cluster_security_group_id}"]
     subnet_ids         = ["${var.subnets}"]
   }
 
@@ -16,39 +16,43 @@ resource "aws_eks_cluster" "this" {
 
 resource "aws_security_group" "cluster" {
   name_prefix = "${var.cluster_name}"
-  description = "Cluster communication with workers nodes"
+  description = "EKS cluster security group."
   vpc_id      = "${var.vpc_id}"
   tags        = "${merge(var.tags, map("Name", "${var.cluster_name}-eks_cluster_sg"))}"
+  count       = "${var.cluster_security_group_id == "" ? 1 : 0}"
 }
 
 resource "aws_security_group_rule" "cluster_egress_internet" {
-  description       = "Allow cluster egress to the Internet."
+  description       = "Allow cluster egress access to the Internet."
   protocol          = "-1"
   security_group_id = "${aws_security_group.cluster.id}"
   cidr_blocks       = ["0.0.0.0/0"]
   from_port         = 0
   to_port           = 0
   type              = "egress"
+  count             = "${var.cluster_security_group_id == "" ? 1 : 0}"
 }
 
 resource "aws_security_group_rule" "cluster_https_worker_ingress" {
-  description              = "Allow pods to communicate with the cluster API Server."
+  description              = "Allow pods to communicate with the EKS cluster API."
   protocol                 = "tcp"
   security_group_id        = "${aws_security_group.cluster.id}"
-  source_security_group_id = "${aws_security_group.workers.id}"
+  source_security_group_id = "${local.worker_security_group_id}"
   from_port                = 443
   to_port                  = 443
   type                     = "ingress"
+  count                    = "${var.cluster_security_group_id == "" ? 1 : 0}"
 }
 
 resource "aws_security_group_rule" "cluster_https_cidr_ingress" {
-  cidr_blocks       = ["${var.cluster_ingress_cidrs}"]
-  description       = "Allow communication with the cluster API Server."
+  cidr_blocks       = ["${local.workstation_external_cidr}"]
+  description       = "Allow kubectl communication with the EKS cluster API."
   protocol          = "tcp"
   security_group_id = "${aws_security_group.cluster.id}"
   from_port         = 443
   to_port           = 443
   type              = "ingress"
+  count             = "${var.cluster_security_group_id == "" ? 1 : 0}"
 }
 
 resource "aws_iam_role" "cluster" {

data.tf

@@ -1,5 +1,9 @@
 data "aws_region" "current" {}
 
+data "http" "workstation_external_ip" {
+  url = "http://icanhazip.com"
+}
+
 data "aws_iam_policy_document" "workers_assume_role_policy" {
   statement {
     sid = "EKSWorkerAssumeRole"
@@ -15,6 +19,16 @@ data "aws_iam_policy_document" "workers_assume_role_policy" {
   }
 }
 
+data "aws_ami" "eks_worker" {
+  filter {
+    name   = "name"
+    values = ["eks-worker-*"]
+  }
+
+  most_recent = true
+  owners      = ["602401143452"] # Amazon
+}
+
 data "aws_iam_policy_document" "cluster_assume_role_policy" {
   statement {
     sid = "EKSClusterAssumeRole"
@@ -48,3 +62,17 @@ data template_file config_map_aws_auth {
     role_arn = "${aws_iam_role.workers.arn}"
   }
 }
+
+data template_file userdata {
+  template = "${file("${path.module}/templates/userdata.sh.tpl")}"
+  count    = "${length(var.worker_groups)}"
+
+  vars {
+    region              = "${data.aws_region.current.name}"
+    cluster_name        = "${var.cluster_name}"
+    endpoint            = "${aws_eks_cluster.this.endpoint}"
+    cluster_auth_base64 = "${aws_eks_cluster.this.certificate_authority.0.data}"
+    max_pod_count       = "${lookup(local.max_pod_per_node, lookup(var.worker_groups[count.index], "instance_type", lookup(var.workers_group_defaults, "instance_type")))}"
+    additional_userdata = "${lookup(var.worker_groups[count.index], "additional_userdata",lookup(var.workers_group_defaults, "additional_userdata"))}"
+  }
+}

examples/eks_test_fixture/main.tf

@@ -11,18 +11,16 @@ provider "random" {
   version = "= 1.3.1"
 }
 
-provider "http" {}
-provider "local" {}
-
 data "aws_availability_zones" "available" {}
 
-data "http" "workstation_external_ip" {
-  url = "http://icanhazip.com"
-}
-
 locals {
-  workstation_external_cidr = "${chomp(data.http.workstation_external_ip.body)}/32"
-  cluster_name              = "test-eks-${random_string.suffix.result}"
+  cluster_name = "test-eks-${random_string.suffix.result}"
+
+  worker_groups = "${list(
+                  map("instance_type","t2.small",
+                      "additional_userdata","echo foo bar"
+                      ),
+  )}"
 
   tags = "${map("Environment", "test",
                 "GithubRepo", "terraform-aws-eks",
@@ -50,13 +48,10 @@ module "vpc" {
 }
 
 module "eks" {
-  source                    = "../.."
-  cluster_name              = "${local.cluster_name}"
-  subnets                   = "${module.vpc.public_subnets}"
-  tags                      = "${local.tags}"
-  vpc_id                    = "${module.vpc.vpc_id}"
-  cluster_ingress_cidrs     = ["${local.workstation_external_cidr}"]
-  workers_instance_type     = "t2.small"
-  additional_userdata       = "echo hello world"
-  configure_kubectl_session = true
+  source        = "../.."
+  cluster_name  = "${local.cluster_name}"
+  subnets       = "${module.vpc.public_subnets}"
+  tags          = "${local.tags}"
+  vpc_id        = "${module.vpc.vpc_id}"
+  worker_groups = "${local.worker_groups}"
 }

examples/eks_test_fixture/outputs.tf

@@ -3,9 +3,9 @@ output "cluster_endpoint" {
   value       = "${module.eks.cluster_endpoint}"
 }
 
-output "cluster_security_group_ids" {
+output "cluster_security_group_id" {
   description = "Security group ids attached to the cluster control plane."
-  value       = "${module.eks.cluster_security_group_ids}"
+  value       = "${module.eks.cluster_security_group_id}"
 }
 
 output "kubectl_config" {

kubectl.tf

@@ -0,0 +1,24 @@
+resource "local_file" "kubeconfig" {
+  content  = "${data.template_file.kubeconfig.rendered}"
+  filename = "${var.config_output_path}/kubeconfig"
+  count    = "${var.configure_kubectl_session ? 1 : 0}"
+}
+
+resource "local_file" "config_map_aws_auth" {
+  content  = "${data.template_file.config_map_aws_auth.rendered}"
+  filename = "${var.config_output_path}/config-map-aws-auth.yaml"
+  count    = "${var.configure_kubectl_session ? 1 : 0}"
+}
+
+resource "null_resource" "configure_kubectl" {
+  provisioner "local-exec" {
+    command = "kubectl apply -f ${var.config_output_path}/config-map-aws-auth.yaml --kubeconfig ${var.config_output_path}/kubeconfig"
+  }
+
+  triggers {
+    config_map_rendered = "${data.template_file.config_map_aws_auth.rendered}"
+    kubeconfig_rendered = "${data.template_file.kubeconfig.rendered}"
+  }
+
+  count = "${var.configure_kubectl_session ? 1 : 0}"
+}