From 1c0b57878c9ac06b707ce52a2f381b244f4ea7ac Mon Sep 17 00:00:00 2001
From: Spike <avlampson+git@gmail.com>
Date: Thu, 9 May 2019 14:18:09 +0100
Subject: Adding cluster, and security groups to allow comms with worker nodes

---
 terraform/eks.tf | 15 +++++++++++++++
 terraform/iam.tf | 40 ++++++++++++++++++++++++++++++++++++++++
 terraform/sg.tf  | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 104 insertions(+)
 create mode 100644 terraform/eks.tf

diff --git a/terraform/eks.tf b/terraform/eks.tf
new file mode 100644
index 0000000..6fdaf42
--- /dev/null
+++ b/terraform/eks.tf
@@ -0,0 +1,15 @@
+resource "aws_eks_cluster" "sensyne_demo_cluster" {
+  name            = "${var.cluster_name}"
+  role_arn        = "${aws_iam_role.sensyne_demo_cluster.arn}"
+
+  vpc_config {
+    security_group_ids = ["${aws_security_group.sensyne_demo_cluster.id}"]
+    subnet_ids         = ["${aws_subnet.sensyne_demo_subnet.*.id}"]
+  }
+
+  depends_on = [
+    "aws_iam_role_policy_attachment.demo_cluster_AmazonEKSClusterPolicy",
+    "aws_iam_role_policy_attachment.demo_cluster_AmazonEKSServicePolicy",
+  ]
+}
+
diff --git a/terraform/iam.tf b/terraform/iam.tf
index 0286993..ed61946 100644
--- a/terraform/iam.tf
+++ b/terraform/iam.tf
@@ -26,3 +26,43 @@ resource "aws_iam_role_policy_attachment" "demo_cluster_AmazonEKSServicePolicy"
   policy_arn = "arn:aws:iam::aws:policy/AmazonEKSServicePolicy"
   role       = "${aws_iam_role.sensyne_demo_cluster.name}"
 }
+
+resource "aws_iam_role" "sensyne_demo_node" {
+  name = "sensyne_demo_node"
+
+  assume_role_policy = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "ec2.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+POLICY
+}
+
+resource "aws_iam_role_policy_attachment" "demo_node_AmazonEKSWorkerNodePolicy" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
+  role       = "${aws_iam_role.sensyne_demo_node.name}"
+}
+
+resource "aws_iam_role_policy_attachment" "demo_node_AmazonEKS_CNI_Policy" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
+  role       = "${aws_iam_role.sensyne_demo_node.name}"
+}
+
+resource "aws_iam_role_policy_attachment" "demo_node_AmazonEC2ContainerRegistryReadOnly" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+  role       = "${aws_iam_role.sensyne_demo_node.name}"
+}
+
+resource "aws_iam_instance_profile" "sensyne_demo_node" {
+  name = "sensyne_demo_profile"
+  role = "${aws_iam_role.sensyne_demo_node.name}"
+}
+
diff --git a/terraform/sg.tf b/terraform/sg.tf
index 6aff1d6..21f30f1 100644
--- a/terraform/sg.tf
+++ b/terraform/sg.tf
@@ -25,3 +25,52 @@ resource "aws_security_group_rule" "sensyne_demo_cluster_remote_access" {
   type              = "ingress"
 }
 
+resource "aws_security_group" "sensyne_demo_node" {
+  name        = "sensyne_demo_node"
+  description = "Security group for all nodes in the cluster"
+  vpc_id      = "${aws_vpc.sensyne_demo_vpc.id}"
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = "${
+    map(
+     "Name", "sensyne-demo-worker-node",
+    )
+  }"
+}
+
+resource "aws_security_group_rule" "sensyne_demo_node_ingress_self" {
+  description              = "Allow node to communicate with each other"
+  from_port                = 0
+  protocol                 = "-1"
+  security_group_id        = "${aws_security_group.sensyne_demo_node.id}"
+  source_security_group_id = "${aws_security_group.sensyne_demo_node.id}"
+  to_port                  = 65535
+  type                     = "ingress"
+}
+
+resource "aws_security_group_rule" "sensyne_demo_node_ingress_cluster" {
+  description              = "Allow worker Kubelets and pods to receive communication from the cluster control plane"
+  from_port                = 1025
+  protocol                 = "tcp"
+  security_group_id        = "${aws_security_group.sensyne_demo_node.id}"
+  source_security_group_id = "${aws_security_group.sensyne_demo_cluster.id}"
+  to_port                  = 65535
+  type                     = "ingress"
+}
+
+resource "aws_security_group_rule" "sensyne_demo_cluster_ingress_node_https" {
+  description              = "Allow pods to communicate with the cluster API Server"
+  from_port                = 443
+  protocol                 = "tcp"
+  security_group_id        = "${aws_security_group.sensyne_demo_cluster.id}"
+  source_security_group_id = "${aws_security_group.sensyne_demo_node.id}"
+  to_port                  = 443
+  type                     = "ingress"
+}
+
-- 
cgit v1.1