diff --git a/aws/deployments/cilium.yaml b/aws/deployments/cilium.yaml new file mode 100644 index 0000000..8ffaf05 --- /dev/null +++ b/aws/deployments/cilium.yaml @@ -0,0 +1,77 @@ +--- + +k8sServiceHost: "api.cluster.local" +k8sServicePort: "6443" + +operator: + enabled: true + rollOutPods: true + replicas: 1 + prometheus: + enabled: false + nodeSelector: + node-role.kubernetes.io/control-plane: "" + tolerations: + - operator: Exists + effect: NoSchedule + +identityAllocationMode: crd +kubeProxyReplacement: strict +enableK8sEndpointSlice: true +localRedirectPolicy: true + +tunnel: "vxlan" +autoDirectNodeRoutes: false +devices: [eth+] + +healthChecking: true + +cni: + install: true + +ipam: + mode: "kubernetes" +k8s: + requireIPv4PodCIDR: true + requireIPv6PodCIDR: true + +bpf: + masquerade: false +ipv4: + enabled: true +ipv6: + enabled: true +hostServices: + enabled: true +hostPort: + enabled: true +nodePort: + enabled: true +externalIPs: + enabled: true +hostFirewall: + enabled: true +ingressController: + enabled: false + +securityContext: + privileged: true + +hubble: + enabled: false + +prometheus: + enabled: true + +cgroup: + autoMount: + enabled: false + hostRoot: /sys/fs/cgroup + +resources: + limits: + cpu: 2 + memory: 1Gi + requests: + cpu: 100m + memory: 128Mi diff --git a/aws/deployments/coredns-local.yaml b/aws/deployments/coredns-local.yaml new file mode 100644 index 0000000..e702d9b --- /dev/null +++ b/aws/deployments/coredns-local.yaml 
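Review bot: `securityContext.privileged: true` near the end of the values file runs the Cilium agent as a fully privileged container; recent Cilium charts default to an unprivileged agent with an explicit capability list under `securityContext.capabilities`, so if the chart version being deployed supports that, dropping this override is a cheap hardening. `hostFirewall.enabled: true` enforces nothing until a `CiliumClusterwideNetworkPolicy` with a `nodeSelector` exists, and none is added in this commit, so a comment on where the host policies live would help. Several toggles here (`hostServices`, `hostPort`, `nodePort`, `externalIPs`, all next to `kubeProxyReplacement: strict`) are legacy keys that newer charts fold into `kubeProxyReplacement`; a header comment pinning the chart version this values file targets, e.g. `# values for cilium chart <version>`, would make the combination checkable.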
@@ -0,0 +1,153 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: coredns-local + namespace: kube-system +data: + empty.db: | + @ 60 IN SOA localnet. root.localnet. ( + 1 ; serial + 60 ; refresh + 60 ; retry + 60 ; expiry + 60 ) ; minimum + ; + @ IN NS localnet. + + hosts: | + # static hosts + 169.254.2.53 dns.local + + Corefile.local: | + (empty) { + file /etc/coredns/empty.db + } + + .:53 { + errors + bind 169.254.2.53 + + health 127.0.0.1:8091 { + lameduck 5s + } + + hosts /etc/coredns/hosts { + reload 60s + fallthrough + } + + kubernetes cluster.local in-addr.arpa ip6.arpa { + endpoint https://api.cluster.local:6443 + kubeconfig /etc/coredns/kubeconfig.conf coredns + pods insecure + ttl 60 + } + prometheus :9153 + + forward . /etc/resolv.conf { + policy sequential + expire 30s + } + + cache 300 + loop + reload + loadbalance + } + kubeconfig.conf: |- + apiVersion: v1 + kind: Config + clusters: + - cluster: + certificate-authority: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + server: https://api.cluster.local:6443 + name: default + contexts: + - context: + cluster: default + namespace: kube-system + user: coredns + name: coredns + current-context: coredns + users: + - name: coredns + user: + tokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: coredns-local + namespace: kube-system + labels: + k8s-app: kube-dns-local + kubernetes.io/name: CoreDNS +spec: + updateStrategy: + type: RollingUpdate + minReadySeconds: 15 + selector: + matchLabels: + k8s-app: kube-dns-local + kubernetes.io/name: CoreDNS + template: + metadata: + labels: + k8s-app: kube-dns-local + kubernetes.io/name: CoreDNS + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "9153" + spec: + priorityClassName: system-node-critical + serviceAccount: coredns + serviceAccountName: coredns + enableServiceLinks: false + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + 
operator: Exists + - effect: NoSchedule + key: node.cloudprovider.kubernetes.io/uninitialized + operator: Exists + hostNetwork: true + containers: + - name: coredns + image: coredns/coredns:1.9.4 + imagePullPolicy: IfNotPresent + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 50m + memory: 64Mi + args: [ "-conf", "/etc/coredns/Corefile.local" ] + volumeMounts: + - name: config-volume + mountPath: /etc/coredns + readOnly: true + livenessProbe: + httpGet: + host: 127.0.0.1 + path: /health + port: 8091 + scheme: HTTP + initialDelaySeconds: 60 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - all + readOnlyRootFilesystem: true + dnsPolicy: Default + volumes: + - name: config-volume + configMap: + name: coredns-local diff --git a/aws/deployments/ingress-ns.yaml b/aws/deployments/ingress-ns.yaml new file mode 100644 index 0000000..6878f0b --- /dev/null +++ b/aws/deployments/ingress-ns.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: ingress-nginx diff --git a/aws/deployments/ingress.yaml b/aws/deployments/ingress.yaml new file mode 100644 index 0000000..0528956 --- /dev/null +++ b/aws/deployments/ingress.yaml 
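Review bot: The `kubernetes` block of `Corefile.local` in the ConfigMap uses `pods insecure`, which answers A-record queries under the pod subdomain straight from the query name without checking that such a pod exists; that mode exists only for kube-dns compatibility and lets any `<ip>.<namespace>.pod.cluster.local` name resolve. Unless a workload depends on it, `pods disabled` (or `pods verified`, at the cost of a pod watch) is the safer setting. Separately, the DaemonSet container's `capabilities.drop` lists `all` in lowercase while the kubelet-serving-cert-approver manifest in this commit writes `ALL`; using the canonical upper-case form avoids depending on how each runtime normalizes the name. The `coredns/coredns:1.9.4` image is pinned by tag only; adding a digest would make the node-local resolver reproducible.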
@@ -0,0 +1,116 @@ + +controller: + kind: DaemonSet + + hostNetwork: true + hostPort: + enabled: false + ports: + http: 80 + https: 443 + + dnsPolicy: ClusterFirstWithHostNet + + updateStrategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate + + publishService: + enabled: false + + config: + worker-processes: "auto" + worker-cpu-affinity: "auto" + error-log-level: "error" + + server-tokens: "false" + http-redirect-code: "301" + + use-gzip: "true" + use-geoip: "false" + use-geoip2: "false" + + use-forwarded-headers: "true" + # curl https://www.cloudflare.com/ips-v4 2>/dev/null | tr '\n' ',' + proxy-real-ip-cidr: "173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,172.64.0.0/13,131.0.72.0/22,104.16.0.0/13,104.24.0.0/14,172.16.0.0/12" + + enable-access-log-for-default-backend: "true" + log-format-escape-json: "true" + log-format-upstream: '{"ip":"$remote_addr", "ssl":"$ssl_protocol", "method":"$request_method", "proto":"$scheme", "host":"$host", "uri":"$request_uri", "status":$status, "size":$bytes_sent, "agent":"$http_user_agent", "referer":"$http_referer", "namespace":"$namespace"}' + + upstream-keepalive-connections: "32" + proxy-connect-timeout: "10" + proxy-read-timeout: "60" + proxy-send-timeout: "60" + + ssl-protocols: "TLSv1.3" + hsts: "true" + hsts-max-age: "31536000" + hsts-include-subdomains: "true" + hsts-preload: "true" + proxy-hide-headers: "strict-transport-security" + proxy-headers-hash-bucket-size: "128" + + server-name-hash-bucket-size: "64" + server-name-hash-max-size: "512" + + limit-req-status-code: "429" + + client-header-timeout: "30" + client-body-timeout: "30" + + minReadySeconds: 15 + + podAnnotations: + prometheus.io/scrape: "true" + prometheus.io/port: "10254" + + extraEnvs: + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + + livenessProbe: + initialDelaySeconds: 15 + periodSeconds: 
30 + readinessProbe: + periodSeconds: 30 + + resources: + limits: + cpu: 1 + memory: 1Gi + requests: + cpu: 100m + memory: 128Mi + + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: project.io/node-pool + operator: In + values: + - web + + service: + enabled: true + type: ClusterIP + clusterIP: None + ipFamilyPolicy: "RequireDualStack" + ipFamilies: + - IPv4 + - IPv6 + + admissionWebhooks: + enabled: false + metrics: + enabled: false + +revisionHistoryLimit: 2 + +defaultBackend: + enabled: false diff --git a/aws/deployments/kubelet-serving-cert-approver.yaml b/aws/deployments/kubelet-serving-cert-approver.yaml new file mode 100644 index 0000000..7ef7eca --- /dev/null +++ b/aws/deployments/kubelet-serving-cert-approver.yaml 
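Review bot: `proxy-real-ip-cidr` under `controller.config` appends `172.16.0.0/12` to the Cloudflare list produced by the comment above it, and with `use-forwarded-headers: "true"` every client in that range — which covers the whole VPC (`network_cidr` defaults to `172.16.0.0/16` in `variables.tf`), i.e. any pod or node — can set `X-Forwarded-For` and be logged, counted by any per-IP rate limit and matched by source-range allow-lists as an arbitrary address. Trim it to the addresses that actually front the controller, or add a comment stating why the full private /12 is trusted. `admissionWebhooks.enabled: false` also switches off the validation that rejects Ingress objects whose generated nginx config would fail to load; if it is disabled only because of `hostNetwork: true`, a one-line comment would save the next reader from re-enabling it blindly.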
@@ -0,0 +1,250 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + app.kubernetes.io/instance: kubelet-serving-cert-approver + app.kubernetes.io/name: kubelet-serving-cert-approver + name: kubelet-serving-cert-approver +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/instance: kubelet-serving-cert-approver + app.kubernetes.io/name: kubelet-serving-cert-approver + name: kubelet-serving-cert-approver + namespace: kubelet-serving-cert-approver +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: kubelet-serving-cert-approver + app.kubernetes.io/name: kubelet-serving-cert-approver + name: certificates:kubelet-serving-cert-approver +rules: +- apiGroups: + - certificates.k8s.io + resources: + - certificatesigningrequests + verbs: + - get + - list + - watch +- apiGroups: + - certificates.k8s.io + resources: + - certificatesigningrequests/approval + verbs: + - update +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +- apiGroups: + - certificates.k8s.io + resourceNames: + - kubernetes.io/kubelet-serving + resources: + - signers + verbs: + - approve +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: kubelet-serving-cert-approver + app.kubernetes.io/name: kubelet-serving-cert-approver + name: events:kubelet-serving-cert-approver +rules: +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: kubelet-serving-cert-approver + app.kubernetes.io/name: kubelet-serving-cert-approver + name: psp:kubelet-serving-cert-approver +rules: +- apiGroups: + - policy + resourceNames: + - kubelet-serving-cert-approver + resources: + - podsecuritypolicies + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding 
+metadata: + labels: + app.kubernetes.io/instance: kubelet-serving-cert-approver + app.kubernetes.io/name: kubelet-serving-cert-approver + name: events:kubelet-serving-cert-approver + namespace: default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: events:kubelet-serving-cert-approver +subjects: +- kind: ServiceAccount + name: kubelet-serving-cert-approver + namespace: kubelet-serving-cert-approver +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/instance: kubelet-serving-cert-approver + app.kubernetes.io/name: kubelet-serving-cert-approver + name: psp:kubelet-serving-cert-approver + namespace: kubelet-serving-cert-approver +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: psp:kubelet-serving-cert-approver +subjects: +- kind: ServiceAccount + name: kubelet-serving-cert-approver + namespace: kubelet-serving-cert-approver +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: kubelet-serving-cert-approver + app.kubernetes.io/name: kubelet-serving-cert-approver + name: kubelet-serving-cert-approver +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: certificates:kubelet-serving-cert-approver +subjects: +- kind: ServiceAccount + name: kubelet-serving-cert-approver + namespace: kubelet-serving-cert-approver +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: kubelet-serving-cert-approver + app.kubernetes.io/name: kubelet-serving-cert-approver + name: kubelet-serving-cert-approver + namespace: kubelet-serving-cert-approver +spec: + ports: + - name: metrics + port: 9090 + protocol: TCP + targetPort: metrics + selector: + app.kubernetes.io/instance: kubelet-serving-cert-approver + app.kubernetes.io/name: kubelet-serving-cert-approver +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/instance: 
kubelet-serving-cert-approver + app.kubernetes.io/name: kubelet-serving-cert-approver + name: kubelet-serving-cert-approver + namespace: kubelet-serving-cert-approver +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: kubelet-serving-cert-approver + app.kubernetes.io/name: kubelet-serving-cert-approver + template: + metadata: + labels: + app.kubernetes.io/instance: kubelet-serving-cert-approver + app.kubernetes.io/name: kubelet-serving-cert-approver + spec: + tolerations: + - key: "node.cloudprovider.kubernetes.io/uninitialized" + value: "true" + effect: NoSchedule + - key: "CriticalAddonsOnly" + operator: Exists + - key: "node-role.kubernetes.io/master" + effect: NoSchedule + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: node-role.kubernetes.io/master + operator: DoesNotExist + - key: node-role.kubernetes.io/control-plane + operator: DoesNotExist + weight: 100 + containers: + - args: + - serve + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: ghcr.io/alex1989hu/kubelet-serving-cert-approver:main + imagePullPolicy: IfNotPresent + livenessProbe: + httpGet: + path: /healthz + port: health + initialDelaySeconds: 6 + name: cert-approver + ports: + - containerPort: 8080 + name: health + - containerPort: 9090 + name: metrics + readinessProbe: + httpGet: + path: /readyz + port: health + initialDelaySeconds: 3 + resources: + limits: + cpu: 250m + memory: 32Mi + requests: + cpu: 10m + memory: 16Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + priorityClassName: system-cluster-critical + securityContext: + fsGroup: 65534 + runAsGroup: 65534 + runAsUser: 65534 + serviceAccountName: kubelet-serving-cert-approver + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/master + operator: Exists + - effect: 
NoSchedule + key: node-role.kubernetes.io/control-plane + operator: Exists + - effect: NoSchedule + key: node.cloudprovider.kubernetes.io/uninitialized + operator: Exists diff --git a/aws/deployments/metrics-server.yaml b/aws/deployments/metrics-server.yaml new file mode 100644 index 0000000..f259001 --- /dev/null +++ b/aws/deployments/metrics-server.yaml 
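Review bot: The Deployment's `spec.template.spec` declares `tolerations` twice — once before `affinity` (three entries, two of them without `operator: Exists`) and again after `serviceAccountName` — so the mapping has a duplicate key; depending on the client, `kubectl apply` either rejects it under strict validation or silently keeps only the last block. Keep a single `tolerations` list (the second one, with `operator: Exists` on every entry, looks like the intended set). The container image `ghcr.io/alex1989hu/kubelet-serving-cert-approver:main` is a mutable branch tag for a component that holds `approve` on the `kubernetes.io/kubelet-serving` signer, so the code that approves kubelet serving certificates can change without any change to this repo; pin it to a release tag or, better, an image digest. The `psp:kubelet-serving-cert-approver` ClusterRole and its RoleBinding reference `podsecuritypolicies`, which no longer exist on clusters at 1.25 or later, and can probably be dropped.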
@@ -0,0 +1,197 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + k8s-app: metrics-server + name: metrics-server + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + k8s-app: metrics-server + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: system:aggregated-metrics-reader +rules: +- apiGroups: + - metrics.k8s.io + resources: + - pods + - nodes + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + k8s-app: metrics-server + name: system:metrics-server +rules: +- apiGroups: + - "" + resources: + - pods + - nodes + - nodes/stats + - namespaces + - configmaps + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + k8s-app: metrics-server + name: metrics-server-auth-reader + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader +subjects: +- kind: ServiceAccount + name: metrics-server + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + k8s-app: metrics-server + name: metrics-server:system:auth-delegator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: +- kind: ServiceAccount + name: metrics-server + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + k8s-app: metrics-server + name: system:metrics-server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:metrics-server +subjects: +- kind: ServiceAccount + name: metrics-server + namespace: kube-system +--- +apiVersion: v1 +kind: Service +metadata: + labels: + k8s-app: metrics-server + name: 
metrics-server + namespace: kube-system +spec: + ports: + - name: https + port: 443 + protocol: TCP + targetPort: https + selector: + k8s-app: metrics-server +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + k8s-app: metrics-server + name: metrics-server + namespace: kube-system +spec: + selector: + matchLabels: + k8s-app: metrics-server + strategy: + rollingUpdate: + maxUnavailable: 0 + template: + metadata: + labels: + k8s-app: metrics-server + spec: + nodeSelector: + kubernetes.io/os: linux + node-role.kubernetes.io/control-plane: "" + tolerations: + - key: "node-role.kubernetes.io/control-plane" + effect: NoSchedule + containers: + - args: + - --cert-dir=/tmp + - --secure-port=6443 + - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname + - --kubelet-use-node-status-port + - --metric-resolution=15s + - --authorization-always-allow-paths=/metrics + image: k8s.gcr.io/metrics-server/metrics-server:v0.5.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /livez + port: https + scheme: HTTPS + periodSeconds: 10 + name: metrics-server + ports: + - containerPort: 6443 + name: https + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /readyz + port: https + scheme: HTTPS + initialDelaySeconds: 20 + periodSeconds: 10 + resources: + requests: + cpu: 100m + memory: 200Mi + securityContext: + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + volumeMounts: + - mountPath: /tmp + name: tmp-dir + priorityClassName: system-cluster-critical + serviceAccountName: metrics-server + volumes: + - emptyDir: {} + name: tmp-dir +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + labels: + k8s-app: metrics-server + name: v1beta1.metrics.k8s.io +spec: + group: metrics.k8s.io + groupPriorityMinimum: 100 + insecureSkipTLSVerify: true + service: + name: metrics-server + namespace: kube-system + version: v1beta1 + versionPriority: 100 
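Review bot: The `APIService` sets `insecureSkipTLSVerify: true`, so kube-apiserver proxies `metrics.k8s.io` requests to whatever answers at the `metrics-server` Service without verifying its serving certificate (which is self-signed into `--cert-dir=/tmp`). That is the upstream default, but it sits oddly next to the kubelet-serving-cert-approver added in the same commit precisely to avoid `--kubelet-insecure-tls`; issuing the serving certificate from a known CA and setting `caBundle` instead would close the loop. The image `k8s.gcr.io/metrics-server/metrics-server:v0.5.0` pulls from the old registry (`registry.k8s.io` replaced it) and is several releases behind; pin a current release by digest. `--authorization-always-allow-paths=/metrics` exposes the metrics endpoint without authorization, which is fine for scraping but worth a comment such as `# /metrics is unauthenticated for Prometheus`.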
diff --git a/aws/deployments/test-as.yaml b/aws/deployments/test-as.yaml new file mode 100644 index 0000000..c6c89b9 --- /dev/null +++ b/aws/deployments/test-as.yaml @@ -0,0 +1,48 @@ +apiVersion: scheduling.k8s.io/v1 +kind: PriorityClass +metadata: + name: overprovisioning +value: -1 +globalDefault: false +description: "Priority class used by overprovisioning." +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: overprovisioning + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + run: overprovisioning + template: + metadata: + labels: + run: overprovisioning + spec: + nodeSelector: + project.io/node-pool: web + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: node.kubernetes.io/instance-type + operator: Exists + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: kubernetes.io/hostname + labelSelector: + matchExpressions: + - key: run + operator: In + values: + - overprovisioning + priorityClassName: overprovisioning + containers: + - name: reserve-resources + image: k8s.gcr.io/pause + resources: + requests: + cpu: "700m" diff --git a/aws/prepare/auth.tf b/aws/prepare/auth.tf new file mode 100644 index 0000000..2b1544e --- /dev/null +++ b/aws/prepare/auth.tf @@ -0,0 +1,6 @@ + +provider "aws" { + region = var.region + access_key = var.access_key + secret_key = var.secret_key +} diff --git a/aws/prepare/common.tf b/aws/prepare/common.tf new file mode 100644 index 0000000..1f1fc4f --- /dev/null +++ b/aws/prepare/common.tf @@ -0,0 +1,2 @@ + +data "aws_availability_zones" "zones" {} diff --git a/aws/prepare/network.tf b/aws/prepare/network.tf new file mode 100644 index 0000000..7d66af8 --- /dev/null +++ b/aws/prepare/network.tf 
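Review bot: The `reserve-resources` container uses `image: k8s.gcr.io/pause` with no tag, which resolves to `latest` on a registry that has since moved to `registry.k8s.io`; even a placeholder workload should be pinned to a specific pause release tag so node image pulls are reproducible. The pod also has no `securityContext` (no `runAsNonRoot`, no dropped capabilities) — low risk for pause, but the other manifests in this commit set one, and consistency makes policy checks simpler. A comment above the Deployment saying it exists only to hold `700m` of CPU on the `web` pool at priority `-1` (presumably so capacity stays warm for real pods) would explain the negative PriorityClass to the next reader.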
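Review bot: The `aws` provider block passes static `access_key`/`secret_key` from variables, and the matching `variable "access_key" {}` / `variable "secret_key" {}` declarations in `variables.tf` (later in this diff) carry neither `type` nor `sensitive = true`, so the values are echoed in plan/apply output and any CI log. At minimum declare both as `type = string` with `sensitive = true` (supported since Terraform 0.14; `versions.tf` already requires `>= 1.2`). Better, drop the two arguments and let the provider read credentials from the environment, a named profile or an assumed role, which keeps long-lived keys out of variable files entirely.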
@@ -0,0 +1,176 @@ + +locals { + name = var.name + azn = length(data.aws_availability_zones.zones.names) + azs = data.aws_availability_zones.zones.names + + azblocks = [for idx in range(local.azn) : cidrsubnet(var.network_cidr, 8 - 2, var.network_shift + idx)] + subnets = [for idx in range(local.azn) : cidrsubnets(local.azblocks[idx], 2, 2, 2, 2)] + + intra_subnets = [for cidr in local.subnets : cidr[0]] + public_subnets = [for cidr in local.subnets : cidr[1]] + private_subnets = [for cidr in local.subnets : cidr[2]] + database_subnets = [for cidr in local.subnets : cidr[3]] +} + +module "vpc" { + source = "terraform-aws-modules/vpc/aws" + version = "3.18.1" + + name = local.name + cidr = var.network_cidr + + azs = local.azs + intra_subnets = local.intra_subnets + public_subnets = local.public_subnets + private_subnets = local.private_subnets + database_subnets = local.database_subnets + + single_nat_gateway = true + enable_nat_gateway = false + enable_vpn_gateway = false + enable_dns_hostnames = true + enable_dns_support = true + + create_database_subnet_group = false + manage_default_security_group = true + default_security_group_ingress = [] + default_security_group_egress = [] + + tags = merge(var.tags, { + "kubernetes.io/cluster/${local.name}" = "shared" + }) + + public_subnet_tags = { + Name = "${local.name}-public" + destination = "public" + "kubernetes.io/role/elb" = "1" + } + public_route_table_tags = { + Name = "${local.name}-public" + destination = "public" + } + + private_subnet_tags = { + Name = "${local.name}-private" + destination = "private" + "kubernetes.io/role/internal-elb" = "1" + } + private_route_table_tags = { + Name = "${local.name}-private" + destination = "private" + } + + database_subnet_tags = { + Name = "${local.name}-database" + destination = "database" + } + database_route_table_tags = { + Name = "${local.name}-database" + destination = "database" + } + + intra_subnet_tags = { + Name = "${local.name}-intra" + destination = "intra" + } 
+ intra_route_table_tags = { + Name = "${local.name}-intra" + destination = "intra" + } +} + +# module "vpc_gateway_endpoints" { +# source = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints" +# version = "3.18.1" + +# vpc_id = module.vpc.vpc_id + +# endpoints = { +# s3 = { +# service = "s3" +# service_type = "Gateway" +# route_table_ids = flatten([ +# module.vpc.private_route_table_ids, +# module.vpc.public_route_table_ids +# ]) +# tags = { +# Name = "${local.name}-s3" +# } +# }, + +# # https://aws.github.io/aws-eks-best-practices/karpenter/ +# ec2 = { +# service = "ec2" +# service_type = "Interface" +# private_dns_enabled = true +# route_table_ids = flatten([ +# module.vpc.private_route_table_ids, +# module.vpc.public_route_table_ids +# ]) +# tags = { +# Name = "${local.name}-ec2" +# } +# }, +# ecr_dkr = { +# service = "ecr.dkr" +# service_type = "Interface" +# route_table_ids = flatten([ +# module.vpc.private_route_table_ids, +# module.vpc.public_route_table_ids +# ]) +# tags = { +# Name = "${local.name}-ecr-dkr" +# } +# }, +# ecr_api = { +# service = "ecr.api" +# service_type = "Interface" +# route_table_ids = flatten([ +# module.vpc.private_route_table_ids, +# module.vpc.public_route_table_ids +# ]) +# tags = { +# Name = "${local.name}-ecr-api" +# } +# }, +# ssm = { +# service = "ssm" +# service_type = "Interface" +# private_dns_enabled = true +# route_table_ids = flatten([ +# module.vpc.private_route_table_ids, +# module.vpc.public_route_table_ids +# ]) +# tags = { +# Name = "${local.name}-ssm" +# } +# }, +# sts = { +# service = "sts" +# service_type = "Interface" +# route_table_ids = flatten([ +# module.vpc.private_route_table_ids, +# module.vpc.public_route_table_ids +# ]) +# tags = { +# Name = "${local.name}-sts" +# } +# }, + +# sqs = { +# service = "sqs" +# service_type = "Interface" +# private_dns_enabled = true +# route_table_ids = flatten([ +# module.vpc.private_route_table_ids, +# module.vpc.public_route_table_ids +# ]) +# tags = { +# Name = 
"${local.name}-sqs" +# } +# }, +# } + +# tags = var.tags +# } diff --git a/aws/prepare/outputs.tf b/aws/prepare/outputs.tf new file mode 100644 index 0000000..44618af --- /dev/null +++ b/aws/prepare/outputs.tf @@ -0,0 +1,33 @@ + +output "name" { + value = var.name +} + +output "region" { + description = "AWS regions" + value = var.region +} + +output "tags" { + value = var.tags +} + +output "network" { + description = "The network" + value = { + vpc_id = module.vpc.vpc_id + zone = { for idx, zone in data.aws_availability_zones.zones.names : zone => { + ids = data.aws_availability_zones.zones.zone_ids[idx] + name = zone + + intra_ids = module.vpc.intra_subnets[idx] + intra_subnets = local.intra_subnets[idx] + public_ids = module.vpc.public_subnets[idx] + public_subnets = local.public_subnets[idx] + private_ids = module.vpc.private_subnets[idx] + private_subnets = local.private_subnets[idx] + database_ids = module.vpc.database_subnets[idx] + database_subnets = local.database_subnets[idx] + } } + } +} diff --git a/aws/prepare/variables.tf b/aws/prepare/variables.tf new file mode 100644 index 0000000..07ed70b --- /dev/null +++ b/aws/prepare/variables.tf @@ -0,0 +1,35 @@ + +variable "access_key" {} +variable "secret_key" {} + +variable "name" { + description = "Project name, required to create unique resource names" + type = string +} + +variable "region" { + description = "The region name" + type = string + default = "us-east-2" +} + +variable "network_cidr" { + description = "Local subnet rfc1918/ULA" + type = string + default = "172.16.0.0/16" +} + +variable "network_shift" { + description = "Network number shift" + type = number + default = 2 +} + +variable "tags" { + description = "Tags of resources" + type = map(string) + default = { + Name = "talos" + Environment = "Develop" + } +} diff --git a/aws/prepare/versions.tf b/aws/prepare/versions.tf new file mode 100644 index 0000000..d8b48fe --- /dev/null +++ b/aws/prepare/versions.tf 
@@ -0,0 +1,10 @@ + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "4.49.0" + } + } + required_version = ">= 1.2" +}