sg, eks, iam 모듈추가

2022-12-28 22:15:11 +09:00
parent 878bae5c65
commit 0b1946ecb3
25 changed files with 342 additions and 41 deletions
--- a/01-start/bar.txt
+++ b/01-start/bar.txt
@ -1 +0,0 @@
-sdjo
--- a/01-start/main.tf
+++ b/01-start/main.tf
@ -4,11 +4,27 @@ provider "aws" {



-resource "aws_instance" "ubuntu" {
-  ami           = "ami-0ab04b3ccbadfae1f"
-  instance_type = "t2.micro"
+resource "aws_iam_role" "iam-role" {
+  name = "eks-cluster-test"
+
+  # Terraform's "jsonencode" function converts a
+  # Terraform expression result to valid JSON syntax.
+  assume_role_policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Effect" : "Allow",
+        "Principal" : {
+          "Service" : [
+            "eks.amazonaws.com"
+          ]
+        },
+        "Action" : "sts:AssumeRole"
+      }
+    ]
+  })

  tags = {
-    Name = "tf-ubuntu"
+    tag-key = "eks-cluster-rule"
  }
 }
--- a/modules/eks/main.tf
+++ b/modules/eks/main.tf
@ -0,0 +1,16 @@
+resource "aws_eks_cluster" "demo" {
+  name     = var.cluster-name
+  role_arn = aws_iam_role.demo-cluster.arn
+
+  enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
+
+  vpc_config {
+    security_group_ids = [aws_security_group.demo-cluster.id]
+    subnet_ids = [
+      aws_subnet.VPC_HQ_public_1a.id,
+      aws_subnet.VPC_HQ_public_1c.id
+    ]
+    endpoint_private_access = true
+    endpoint_public_access  = true
+  }
+}
--- a/modules/eks/outputs.tf
+++ b/modules/eks/outputs.tf
--- a/modules/eks/valiables.tf
+++ b/modules/eks/valiables.tf
--- a/modules/iam-policy-attach/main.tf
+++ b/modules/iam-policy-attach/main.tf
@ -0,0 +1,5 @@
+resource "aws_iam_policy_attachment" "test-attach" {
+  name       = "${var.iam_name}-att"
+  roles      = ["${var.role_name}"]
+  policy_arn = "${var.arn}"
+}
--- a/modules/iam-policy-attach/outputs.tf
+++ b/modules/iam-policy-attach/outputs.tf
--- a/modules/iam-policy-attach/variables.tf
+++ b/modules/iam-policy-attach/variables.tf
@ -0,0 +1,14 @@
+variable "iam_name" {
+    description = "value"
+    type = string
+}
+
+variable "role_name" {
+    description = "value"
+    type = string
+}
+
+variable "arn" {
+    description = "value"
+    type = string
+}
--- a/modules/iam/eks-cluster.json.tftpl
+++ b/modules/iam/eks-cluster.json.tftpl
@ -0,0 +1,14 @@
+{
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Effect" : "Allow",
+        "Principal" : {
+          "Service" : [
+            "eks.amazonaws.com"
+          ]
+        },
+        "Action" : "sts:AssumeRole"
+      }
+    ]
+  }
--- a/modules/iam/main.tf
+++ b/modules/iam/main.tf
@ -0,0 +1,23 @@
+resource "aws_iam_role" "iam-role" {
+  name               = var.iam_name
+  assume_role_policy = var.policy
+
+  tags = {
+    tag-key = var.tag_name
+  }
+}
+
+# {
+#     "Version" : "2012-10-17",
+#     "Statement" : [
+#       {
+#         "Effect" : "Allow",
+#         "Principal" : {
+#           "Service" : [
+#             "eks.amazonaws.com"
+#           ]
+#         },
+#         "Action" : "sts:AssumeRole"
+#       }
+#     ]
+#   }
--- a/modules/iam/outputs.tf
+++ b/modules/iam/outputs.tf
@ -0,0 +1,4 @@
+output "iam_name" {
+    value = aws_iam_role.iam-role.name
+  
+}
--- a/modules/iam/variables.tf
+++ b/modules/iam/variables.tf
@ -0,0 +1,14 @@
+variable "iam_name" {
+    description = "value"
+    type = string
+}
+
+variable "policy" {
+    description = "value"
+    type = string
+}
+
+variable "tag_name" {
+    description = "value"
+    type = string
+}
--- a/modules/route-table/variables.tf
+++ b/modules/route-table/variables.tf
@ -1,9 +1,8 @@
-variable "vpc_id" {
-    description = "set vpc id"
-    type = string
-}
-
 variable "tag_name" {
    description = "value"
    type = string
 }
+variable "vpc_id" {
+    description = "set vpc id"
+    type = string
+}
--- a/modules/sg-rule-add/main.tf
+++ b/modules/sg-rule-add/main.tf
@ -0,0 +1,11 @@
+resource "aws_security_group_rule" "sg-rule-add" {
+  description       = "Security groups rule add"
+
+  type              = var.type
+  from_port         = var.set_ports.http
+  to_port           = var.set_ports.http
+  protocol          = var.set_ports.protocol_tcp #tcp
+  cidr_blocks       = var.cidr_blocks
+  security_group_id = var.sg_id
+
+}
--- a/modules/sg-rule-add/outputs.tf
+++ b/modules/sg-rule-add/outputs.tf
@ -0,0 +1,10 @@
+//sg-output
+output "vpc_hq_id" {
+  description = "The name of vpc hq id"
+  value       = aws_vpc.vpc-hq.id
+}
+
+output "vpc_name" {
+  value = var.tag_name
+}
+
--- a/modules/sg-rule-add/variables.tf
+++ b/modules/sg-rule-add/variables.tf
@ -0,0 +1,8 @@
+variable "type" {
+  description = "security rule type"
+  type  = string
+}
+variable "from_port" {
+  description = "from port"
+  type = number
+}
--- a/modules/sg/main.tf
+++ b/modules/sg/main.tf
@ -0,0 +1,5 @@
+resource "aws_security_group" "sg" {
+  description = "Security groups"
+  name        = var.sg_name
+
+}
--- a/modules/sg/outputs.tf
+++ b/modules/sg/outputs.tf
@ -0,0 +1,5 @@
+//sg-output
+output "sg_id" {
+  description = "sg id outputs"
+  value       = aws_security_group.sg.id
+}
--- a/modules/sg/variables.tf
+++ b/modules/sg/variables.tf
@ -0,0 +1,4 @@
+variable "sg_name" {
+  description = "security group name"
+  type        = string
+}
--- a/modules/templates/main.tf
+++ b/modules/templates/main.tf
@ -0,0 +1,24 @@
+resource "aws_iam_role" "eks-cluster" {
+  name = "iam role eks-cluster"
+
+  # Terraform's "jsonencode" function converts a
+  # Terraform expression result to valid JSON syntax.
+  assume_role_policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Effect" : "Allow",
+        "Principal" : {
+          "Service" : [
+            "eks.amazonaws.com"
+          ]
+        },
+        "Action" : "sts:AssumeRole"
+      }
+    ]
+  })
+
+  tags = {
+    tag-key = "eks-cluster-rule"
+  }
+}
--- a/modules/vpc-subnet/terraform.tf
+++ b/modules/vpc-subnet/terraform.tf
@ -0,0 +1,10 @@
+terraform {
+  backend "remote"{
+    hostname = "app.terraform.io"
+    organization = "22shop"
+
+    workspaces {
+      name = "tf-cloud-backend"
+    }
+  }
+}
--- a/prod-hq/.terraform.lock.hcl
+++ b/prod-hq/.terraform.lock.hcl
--- a/prod-hq/main.tf
+++ b/prod-hq/main.tf
@ -1,15 +1,4 @@
 // prod - main
-terraform {
-  backend "remote"{
-    hostname = "app.terraform.io"
-    organization = "22shop"
-
-    workspaces {
-      name = "tf-cloud-backend"
-    }
-  }
-
-}
 provider "aws" {
  region = "ap-northeast-2"

@ -21,34 +10,64 @@ provider "aws" {
 locals {
  common_tags = {
    project = "22shop"
-    owner = "icurfer"
+    owner   = "icurfer"

  }
 }
+
+// GET 계정정보
+data "aws_caller_identity" "this" {}
+
+// eks를 위한 iam역할 생성 데이터 조회
+data "aws_iam_policy_document" "eks-assume-role-policy" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["eks.amazonaws.com"]
+    }
+  }
+}
+data "aws_iam_policy_document" "eks_node_group_role" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["eks-nodegroup.amazonaws.com"]
+    }
+  }
+}
+
 # module "vpc_hq" {
 module "vpc_hq" {
-  source     = "../modules/vpc"
-#   source = "github.com/Seong-dong/team_prj/tree/main/modules/vpc"
+  source = "../modules/vpc"
+  #   source = "github.com/Seong-dong/team_prj/tree/main/modules/vpc"
  tag_name   = "${local.common_tags.project}-vpc"
  cidr_block = "10.3.0.0/16"

 }

 module "vpc_igw" {
-  source   = "../modules/igw"
+  source = "../modules/igw"

-  vpc_id   = module.vpc_hq.vpc_hq_id
+  vpc_id = module.vpc_hq.vpc_hq_id

  tag_name = "${local.common_tags.project}-vpc_igw"
+
+  depends_on = [
+    module.vpc_hq
+  ]
 }

 module "subnet_public" {
  source = "../modules/vpc-subnet"

  vpc_id         = module.vpc_hq.vpc_hq_id
-  subnet-az-list = var.subnet-az-list
-  public_ip_on = true
-  vpc_name = "${local.common_tags.project}-public"
+  subnet-az-list = var.subnet-az-public
+  public_ip_on   = true
+  vpc_name       = "${local.common_tags.project}-public"
 }

 // public route
@ -70,9 +89,84 @@ module "route_association" {
  route_table_id = module.route_public.route_public_id

  association_count = 2
-  subnet_ids     = [module.subnet_public.subnet.zone-a.id, module.subnet_public.subnet.zone-c.id]
+  subnet_ids        = [module.subnet_public.subnet.zone-a.id, module.subnet_public.subnet.zone-c.id]
 }

+// eks 클러스터 역할 생성
+module "eks_cluster_iam" {
+  source   = "../modules/iam"
+  iam_name = "eks-cluster-test"
+  policy   = data.aws_iam_policy_document.eks-assume-role-policy.json
+  tag_name = local.common_tags.project
+}
+
+// eks 클러스터 역할 정책 추가
+module "eks_cluster_iam_att" {
+  source    = "../modules/iam-policy-attach"
+  iam_name  = "eks-cluster-att"
+  role_name = module.eks_cluster_iam.iam_name
+  arn       = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
+
+  depends_on = [
+    module.eks_cluster_iam
+  ]
+}
+module "eks_cluster_iam_att2" {
+  source    = "../modules/iam-policy-attach"
+  iam_name  = "eks-cluster-att"
+  role_name = module.eks_cluster_iam.iam_name
+  arn       = "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController"
+
+  depends_on = [
+    module.eks_cluster_iam
+  ]
+}
+
+// eks 노드그룹 역할 생성 및 추가
+module "eks_nodegroup_iam" {
+  source   = "../modules/iam"
+  iam_name = "eks-nodegroup-test"
+  policy   = data.aws_iam_policy_document.eks_node_group_role.json
+  tag_name = local.common_tags.project
+}
+module "eks_nodegroup_iam_att_1" {
+  source    = "../modules/iam-policy-attach"
+  iam_name  = "eks-nodegroup-att"
+  role_name = module.eks_nodegroup_iam.iam_name
+  arn       = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
+
+  depends_on = [
+    module.eks_nodegroup_iam
+  ]
+}
+module "eks_nodegroup_iam_att_2" {
+  source    = "../modules/iam-policy-attach"
+  iam_name  = "eks-nodegroup-att"
+  role_name = module.eks_nodegroup_iam.iam_name
+  arn       = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
+
+  depends_on = [
+    module.eks_nodegroup_iam
+  ]
+}
+module "eks_nodegroup_iam_att_3" {
+  source    = "../modules/iam-policy-attach"
+  iam_name  = "eks-nodegroup-att"
+  role_name = module.eks_nodegroup_iam.iam_name
+  arn       = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+
+  depends_on = [
+    module.eks_nodegroup_iam
+  ]
+}
+
+// 보안그룹 생성
+module "eks_sg" {
+  source  = "../modules/sg"
+  sg_name = "${local.common_tags.project}-sg"
+}
+
+module "eks_sg_ingress"
 # EKS테스트 할때 활성
 # module "ecr" {
 #     source = "../modules/ecr"
@ -80,3 +174,19 @@ module "route_association" {
 #     names_list = ["web", "nginx", "mariadb"]
 # }

+/* 
+terraform_remote_state reference method
+terraform cloud
+*/
+# data "terraform_remote_state" "foo" {
+#   backend = "remote"
+
+#   config = {
+#     organization = "company"
+
+#     workspaces = {
+#       name = "workspace"
+#     }
+#   }
+# }
+
--- a/prod-hq/outputs.tf
+++ b/prod-hq/outputs.tf
@ -1,4 +1,9 @@
-//modules-subnet-outputs
+//main-outputs
+output "aws_id" {
+  description = "The AWS Account ID."
+  value       = data.aws_caller_identity.this.account_id
+}
+
 output "subnet" {
  description = "The name of vpc hq id"
  value       = module.subnet_public.subnet
--- a/prod-hq/valiables.tf
+++ b/prod-hq/valiables.tf
@ -15,7 +15,7 @@ variable "prod_name" {
 #     type = string
 # }

-variable "subnet-az-list" {
+variable "subnet-az-public" {
  description = "Subnet available zone & cidr"
  type        = map(map(string))
  default = {
@ -23,18 +23,23 @@ variable "subnet-az-list" {
      name = "ap-northeast-2a"
      cidr = "10.3.1.0/24"
    }
-    "zone-b" = {
-      name = "ap-northeast-2b"
-      cidr = "10.3.2.0/24"
-    }
    "zone-c" = {
      name = "ap-northeast-2c"
      cidr = "10.3.3.0/24"
    }
+  }
+}
+variable "subnet-az-private" {
+  description = "Subnet available zone & cidr"
+  type        = map(map(string))
+  default = {
+    "zone-b" = {
+      name = "ap-northeast-2b"
+      cidr = "10.3.2.0/24"
+    }
    "zone-d" = {
      name = "ap-northeast-2d"
      cidr = "10.3.4.0/24"
    }
  }
-
 }