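# Security group attached to the EKS control-plane ENIs (see aws_eks_cluster.cluster
# below). Only TLS from inside the VPC and from Client VPN users is accepted; the
# API endpoint is private-only, so this is the sole path to the API server.
resource "aws_security_group" "eks_access" {
  vpc_id = aws_vpc.main.id
  name   = "${var.child_subdomain}-${local.prefix}eks-sg"

  ingress {
    from_port = 443
    to_port   = 443
    protocol  = "tcp"
    # VPC-internal callers (worker nodes, in-VPC runners) plus the Client VPN address pool.
    cidr_blocks = [aws_vpc.main.cidr_block, aws_ec2_client_vpn_endpoint.vpn.client_cidr_block]
    description = "Incoming TLS connection"
  }

  # Unrestricted egress. EKS needs the control plane to reach the node ENIs (kubelet,
  # admission webhooks), so if this is tightened, keep at least the VPC CIDR open on
  # all ports or the API server loses contact with the nodes.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
    description = "Outbound to anywhere (control plane -> nodes, AWS APIs)"
  }

  tags = local.global_tags
}

resource "aws_eks_cluster" "cluster" {
  name     = "${var.child_subdomain}-${local.prefix}cluster"
  role_arn = aws_iam_role.cluster_role.arn

  # Private-only API endpoint: reachable from the VPC and over the Client VPN, never
  # from the internet. Authentication is still IAM-based; this just keeps the
  # endpoint out of public scanning entirely.
  vpc_config {
    subnet_ids              = aws_subnet.sn_az[*].id
    endpoint_public_access  = false
    endpoint_private_access = true
    security_group_ids      = [aws_security_group.eks_access.id]
  }

  kubernetes_network_config {
    service_ipv4_cidr = var.service_cidr
  }

  # Ship control-plane logs to CloudWatch so API requests and authentication
  # decisions can be reviewed after an incident. Previously nothing here enabled
  # them, so the cluster kept no audit trail.
  enabled_cluster_log_types = ["api", "audit", "authenticator"]

  # NOTE(review): no encryption_config is set, so Kubernetes Secrets are not
  # envelope-encrypted with a customer-managed KMS key. Acceptable for throwaway
  # test infra; add encryption_config if this cluster ever holds real credentials.

  # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling.
  # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups.
  depends_on = [
    aws_iam_role_policy_attachment.eks_cluster_policy,
    aws_iam_role_policy_attachment.eks_svpc_resource_controller,
  ]
  tags = local.global_tags
}

# Single-node managed node group, sized for tests rather than availability.
resource "aws_eks_node_group" "node_group" {
  cluster_name    = aws_eks_cluster.cluster.name
  node_group_name = "${var.child_subdomain}-${local.prefix}node-group"
  node_role_arn   = aws_iam_role.node_role.arn
  subnet_ids      = aws_subnet.sn_az[*].id

  # Exactly one node (min == max == 1): no scaling headroom, and together with
  # max_unavailable = 1 below a node-group update takes every workload down at once.
  # Fine for a test environment; raise these before relying on it for anything else.
  scaling_config {
    desired_size = 1
    max_size     = 1
    min_size     = 1
  }

  update_config {
    max_unavailable = 1
  }

  # NOTE(review): no launch_template is supplied, so instance type, AMI and IMDS
  # settings are whatever EKS defaults to. Nothing here enforces IMDSv2
  # (http_tokens = "required"), so pods on this node may be able to read the node
  # role's credentials from the instance metadata service — confirm or add a launch
  # template with metadata_options.

  depends_on = [
    aws_iam_role_policy_attachment.eks_worker_node,
    aws_iam_role_policy_attachment.eks_cni,
    aws_iam_role_policy_attachment.ec2_container_registry,
  ]
  tags = local.global_tags
}

output "eks_name" {
  value = aws_eks_cluster.cluster.name
}

# Control-plane role: assumable only by the EKS service principal. Written with
# jsonencode to match node_role below (the original used a heredoc; the resulting
# policy document is equivalent).
resource "aws_iam_role" "cluster_role" {
  name = "${var.child_subdomain}-${local.prefix}cluster-iam"
  tags = local.global_tags

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      Principal = {
        Service = "eks.amazonaws.com"
      }
      Action = "sts:AssumeRole"
    }]
  })
}

resource "aws_iam_role_policy_attachment" "eks_cluster_policy" {
  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
  role       = aws_iam_role.cluster_role.name
}

# Optionally, enable Security Groups for Pods
# Reference: https://docs.aws.amazon.com/eks/latest/userguide/security-groups-for-pods.html
resource "aws_iam_role_policy_attachment" "eks_svpc_resource_controller" {
  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController"
  role       = aws_iam_role.cluster_role.name
}

# Worker-node instance role: assumable by EC2 so the managed node group's instances
# can pick it up via their instance profile.
resource "aws_iam_role" "node_role" {
  name = "${var.child_subdomain}-${local.prefix}eks-node-role"
  tags = local.global_tags

  assume_role_policy = jsonencode({
    Statement = [{
      Action = "sts:AssumeRole"
      Effect = "Allow"
      Principal = {
        Service = "ec2.amazonaws.com"
      }
    }]
    Version = "2012-10-17"
  })
}

resource "aws_iam_role_policy_attachment" "eks_worker_node" {
  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
  role       = aws_iam_role.node_role.name
}

# NOTE(review): attaching the CNI policy to the node role grants ENI/IP management
# rights to anything on the node that can reach IMDS, not just the aws-node daemonset.
# AWS' recommended hardening is to give aws-node this policy through IRSA (IAM Roles
# for Service Accounts) and drop it from the node role; kept as-is here for test infra.
resource "aws_iam_role_policy_attachment" "eks_cni" {
  policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
  role       = aws_iam_role.node_role.name
}

# Read-only ECR access is all nodes need to pull images.
resource "aws_iam_role_policy_attachment" "ec2_container_registry" {
  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
  role       = aws_iam_role.node_role.name
}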