authorSpike <avlampson+git@gmail.com>2019-05-09 14:18:09 +0100
committerSpike <avlampson+git@gmail.com>2019-05-09 14:18:09 +0100
commit1c0b57878c9ac06b707ce52a2f381b244f4ea7ac (patch)
tree12eb7a493152732852535c2e424e00fe20ba6896
parent3057ba38e7d47b79bd7872e12e70a9f46057a4bc (diff)
downloadsensyne_demo-1c0b57878c9ac06b707ce52a2f381b244f4ea7ac.zip
sensyne_demo-1c0b57878c9ac06b707ce52a2f381b244f4ea7ac.tar.gz
sensyne_demo-1c0b57878c9ac06b707ce52a2f381b244f4ea7ac.tar.bz2
Adding cluster and security groups to allow comms with worker nodes
-rw-r--r--terraform/eks.tf15
-rw-r--r--terraform/iam.tf40
-rw-r--r--terraform/sg.tf49
3 files changed, 104 insertions, 0 deletions
diff --git a/terraform/eks.tf b/terraform/eks.tf
new file mode 100644
index 0000000..6fdaf42
--- /dev/null
+++ b/terraform/eks.tf
@@ -0,0 +1,15 @@
+resource "aws_eks_cluster" "sensyne_demo_cluster" {
+ name = "${var.cluster_name}"
+ role_arn = "${aws_iam_role.sensyne_demo_cluster.arn}"
+
+ vpc_config {
+ security_group_ids = ["${aws_security_group.sensyne_demo_cluster.id}"]
+ subnet_ids = ["${aws_subnet.sensyne_demo_subnet.*.id}"]
+ }
+
+ depends_on = [
+ "aws_iam_role_policy_attachment.demo_cluster_AmazonEKSClusterPolicy",
+ "aws_iam_role_policy_attachment.demo_cluster_AmazonEKSServicePolicy",
+ ]
+}
+
diff --git a/terraform/iam.tf b/terraform/iam.tf
index 0286993..ed61946 100644
--- a/terraform/iam.tf
+++ b/terraform/iam.tf
@@ -26,3 +26,43 @@ resource "aws_iam_role_policy_attachment" "demo_cluster_AmazonEKSServicePolicy"
policy_arn = "arn:aws:iam::aws:policy/AmazonEKSServicePolicy"
role = "${aws_iam_role.sensyne_demo_cluster.name}"
}
+
+resource "aws_iam_role" "sensyne_demo_node" {
+ name = "sensyne_demo_node"
+
+ assume_role_policy = <<POLICY
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "Service": "ec2.amazonaws.com"
+ },
+ "Action": "sts:AssumeRole"
+ }
+ ]
+}
+POLICY
+}
+
+resource "aws_iam_role_policy_attachment" "demo_node_AmazonEKSWorkerNodePolicy" {
+ policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
+ role = "${aws_iam_role.sensyne_demo_node.name}"
+}
+
+resource "aws_iam_role_policy_attachment" "demo_node_AmazonEKS_CNI_Policy" {
+ policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
+ role = "${aws_iam_role.sensyne_demo_node.name}"
+}
+
+resource "aws_iam_role_policy_attachment" "demo_node_AmazonEC2ContainerRegistryReadOnly" {
+ policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+ role = "${aws_iam_role.sensyne_demo_node.name}"
+}
+
+resource "aws_iam_instance_profile" "sensyne_demo_node" {
+ name = "sensyne_demo_profile"
+ role = "${aws_iam_role.sensyne_demo_node.name}"
+}
+
diff --git a/terraform/sg.tf b/terraform/sg.tf
index 6aff1d6..21f30f1 100644
--- a/terraform/sg.tf
+++ b/terraform/sg.tf
@@ -25,3 +25,52 @@ resource "aws_security_group_rule" "sensyne_demo_cluster_remote_access" {
type = "ingress"
}
+resource "aws_security_group" "sensyne_demo_node" {
+ name = "sensyne_demo_node"
+ description = "Security group for all nodes in the cluster"
+ vpc_id = "${aws_vpc.sensyne_demo_vpc.id}"
+
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ tags = "${
+ map(
+ "Name", "sensyne-demo-worker-node",
+ )
+ }"
+}
+
+resource "aws_security_group_rule" "sensyne_demo_node_ingress_self" {
+ description = "Allow node to communicate with each other"
+ from_port = 0
+ protocol = "-1"
+ security_group_id = "${aws_security_group.sensyne_demo_node.id}"
+ source_security_group_id = "${aws_security_group.sensyne_demo_node.id}"
+ to_port = 65535
+ type = "ingress"
+}
+
+resource "aws_security_group_rule" "sensyne_demo_node_ingress_cluster" {
+ description = "Allow worker Kubelets and pods to receive communication from the cluster control plane"
+ from_port = 1025
+ protocol = "tcp"
+ security_group_id = "${aws_security_group.sensyne_demo_node.id}"
+ source_security_group_id = "${aws_security_group.sensyne_demo_cluster.id}"
+ to_port = 65535
+ type = "ingress"
+}
+
+resource "aws_security_group_rule" "sensyne_demo_cluster_ingress_node_https" {
+ description = "Allow pods to communicate with the cluster API Server"
+ from_port = 443
+ protocol = "tcp"
+ security_group_id = "${aws_security_group.sensyne_demo_cluster.id}"
+ source_security_group_id = "${aws_security_group.sensyne_demo_node.id}"
+ to_port = 443
+ type = "ingress"
+}
+
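Review bot: `aws_security_group.sensyne_demo_node` declares an inline `egress` block while `sensyne_demo_node_ingress_self` and `sensyne_demo_node_ingress_cluster` manage rules on the same group as separate `aws_security_group_rule` resources; the AWS provider documents that mixing inline rules with `aws_security_group_rule` on one group causes the two to overwrite each other and produces perpetual plan diffs. Move the egress rule into its own `aws_security_group_rule` so all rules on the group are managed one way. While doing so, note in the rule's description that the all-protocol `0.0.0.0/0` egress is deliberate for image pulls and AWS API calls and should be narrowed once VPC endpoints or an egress proxy are in place.
```hcl
resource "aws_security_group" "sensyne_demo_node" {
  name        = "sensyne_demo_node"
  description = "Security group for all nodes in the cluster"
  vpc_id      = "${aws_vpc.sensyne_demo_vpc.id}"

  # … unchanged: tags …
}

resource "aws_security_group_rule" "sensyne_demo_node_egress_all" {
  description       = "Allow nodes outbound access for image pulls and AWS APIs; narrow once endpoints or an egress proxy exist"
  type              = "egress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = "${aws_security_group.sensyne_demo_node.id}"
}

# … unchanged: sensyne_demo_node_ingress_self, sensyne_demo_node_ingress_cluster, sensyne_demo_cluster_ingress_node_https …
```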