private public add

2023-01-10 09:29:59 +09:00
parent b325a26985
commit f0402956e2
17 changed files with 393 additions and 119 deletions
--- a/modules/eks-node-group/outputs.tf
+++ b/modules/eks-node-group/outputs.tf
@ -1,5 +1,5 @@
 output "ng_sg" {
-    description = "Identifier of the remote access EC2 Security Group."
-    value = "${aws_eks_node_group.eks-ng.resources[0].remote_access_security_group_id}"
+  description = "Identifier of the remote access EC2 Security Group."
+  value       = aws_eks_node_group.eks-ng.resources

 }
--- a/modules/route53/variables.tf
+++ b/modules/route53/variables.tf
@ -3,7 +3,12 @@ variable "name" {
    type = string
 }

-variable "name" {
+variable "public" {
    description = "route53 name"
+    type = bool
+}
+
+variable "vpc_id" {
+    description = "vpc_id"
    type = string
 }
--- a/modules/vpc-subnet/main.tf
+++ b/modules/vpc-subnet/main.tf
@ -10,7 +10,7 @@ resource "aws_subnet" "subnets" {
    
    tags = {
    Name = var.vpc_name
-    "kubernetes.io/role/elb" = 1
+    "kubernetes.io/role/elb" = "${var.k8s_ingress ? 1 : 0}"
    # Name = module.vpc_hq.vpcHq.id
    }
 }
--- a/modules/vpc-subnet/valiables.tf
+++ b/modules/vpc-subnet/valiables.tf
@ -34,3 +34,7 @@ variable "subnet-az-list" {
 variable "public_ip_on" {
  type = bool
 }
+
+variable "k8s_ingress" {
+  type = bool
+}
--- a/pord_hq-ecr/.terraform.lock.hcl
+++ b/pord_hq-ecr/.terraform.lock.hcl
@ -0,0 +1,10 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/aws" {
+  version     = "4.49.0"
+  constraints = "~> 4.0"
+  hashes = [
+    "h1:HxPUxrHpAJey832OwVk3J2T7lHpRzMavqjXDzaFyM6I=",
+  ]
+}
--- a/pord_hq-ecr/main.tf
+++ b/pord_hq-ecr/main.tf
@ -29,11 +29,6 @@ locals {
  tcp_protocol  = "tcp"
  icmp_protocol = "icmp"
  all_ips       = ["0.0.0.0/0"]
-
-  iam_name = {
-    cloud9 = "cloud9"
-  }
-
 }

 // GET 계정정보
@ -58,44 +53,3 @@ module "ecr" {
    names_list = ["app"]
    //names_list = ["web", "nginx", "mariadb"]
 }
-
-
-
-/*
-// colud9 생성 및 추가
-module "cloud9_iam" {
-  source   = "../modules/iam"
-  iam_name = local.iam_name.cloud9
-  policy   = data.aws_iam_policy_document.cloud9_role.json
-  tag_name = local.common_tags.project
-}
-module "cloud9_iam_att_admin_access" {
-  source    = "../modules/iam-policy-attach"
-  iam_name  = local.iam_name.cloud9
-  role_name = module.cloud9_iam.iam_name
-  arn       = "arn:aws:iam::aws:policy/AdministratorAccess"
-
-  depends_on = [
-    module.cloud9_iam
-  ]
-}
-
-// cloud9
-module "cloud9_ec2" {
-  source        = "../modules/cloud9-ec2"
-  name          = local.common_tags.project
-  instance_type = "t2.micro"
-
-}
-module "cloud9_ec2_env" {
-  source    = "../modules/cloud9-ec2-env"
-  cloud9_id = module.cloud9_ec2.cloud9_id
-  permissions = "read-only"
-  user_arn = module.cloud9_iam.iam_arn
-
-  depends_on = [
-    module.cloud9_iam,
-    module.cloud9_ec2
-  ]
-}
-*/
--- a/prod-hq-dns/main.tf
+++ b/prod-hq-dns/main.tf
@ -0,0 +1,233 @@
+// prod - main
+provider "aws" {
+  region = "ap-northeast-2"
+
+  #2.x버전의 AWS공급자 허용
+  version = "~> 3.0"
+
+}
+
+locals {
+  vpc_id        = data.terraform_remote_state.hq_vpc_id.outputs.vpc_id
+  public_subnet = data.terraform_remote_state.hq_vpc_id.outputs.subnet
+  common_tags = {
+    project = "22shop"
+    owner   = "icurfer"
+
+  }
+  tcp_port = {
+    # any_port    = 0
+    http_port   = 80
+    https_port  = 443
+    ssh_port    = 22
+    dns_port    = 53
+    django_port = 8000
+    mysql_port  = 3306
+  }
+  udp_port = {
+    dns_port = 53
+  }
+  any_protocol  = "-1"
+  tcp_protocol  = "tcp"
+  icmp_protocol = "icmp"
+  all_ips       = ["0.0.0.0/0"]
+
+  node_group_scaling_config = {
+    desired_size = 2
+    max_size     = 4
+    min_size     = 1
+  }
+}
+
+// GET 계정정보
+data "aws_caller_identity" "this" {}
+
+// eks를 위한 iam역할 생성 데이터 조회
+data "aws_iam_policy_document" "eks-assume-role-policy" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["eks.amazonaws.com"]
+    }
+  }
+}
+data "aws_iam_policy_document" "eks_node_group_role" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["ec2.amazonaws.com"]
+    }
+  }
+}
+
+// 테라폼클라우드
+data "terraform_remote_state" "hq_vpc_id" {
+  backend = "remote"
+
+  config = {
+    organization = "icurfer"
+
+    workspaces = {
+      name = "tf-22shop-network"
+    }
+  }
+}
+
+// eks 클러스터 역할 생성
+module "eks_cluster_iam" {
+  source   = "../modules/iam"
+  iam_name = "eks-cluster-test"
+  policy   = data.aws_iam_policy_document.eks-assume-role-policy.json
+  tag_name = local.common_tags.project
+}
+
+// eks 클러스터 역할 정책 추가
+module "eks_cluster_iam_att" {
+  source    = "../modules/iam-policy-attach"
+  iam_name  = "eks-cluster-att"
+  role_name = module.eks_cluster_iam.iam_name
+  arn       = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
+
+  depends_on = [
+    module.eks_cluster_iam
+  ]
+}
+module "eks_cluster_iam_att2" {
+  source    = "../modules/iam-policy-attach"
+  iam_name  = "eks-cluster-att"
+  role_name = module.eks_cluster_iam.iam_name
+  arn       = "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController"
+
+  depends_on = [
+    module.eks_cluster_iam
+  ]
+}
+
+// eks 노드그룹 역할 생성 및 추가
+module "eks_nodegroup_iam" {
+  source   = "../modules/iam"
+  iam_name = "eks-nodegroup-test"
+  policy   = data.aws_iam_policy_document.eks_node_group_role.json
+  tag_name = local.common_tags.project
+}
+module "eks_nodegroup_iam_att_1" {
+  source    = "../modules/iam-policy-attach"
+  iam_name  = "eks-nodegroup-att"
+  role_name = module.eks_nodegroup_iam.iam_name
+  arn       = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
+
+  depends_on = [
+    module.eks_nodegroup_iam
+  ]
+}
+module "eks_nodegroup_iam_att_2" {
+  source    = "../modules/iam-policy-attach"
+  iam_name  = "eks-nodegroup-att"
+  role_name = module.eks_nodegroup_iam.iam_name
+  arn       = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
+
+  depends_on = [
+    module.eks_nodegroup_iam
+  ]
+}
+module "eks_nodegroup_iam_att_3" {
+  source    = "../modules/iam-policy-attach"
+  iam_name  = "eks-nodegroup-att"
+  role_name = module.eks_nodegroup_iam.iam_name
+  arn       = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+
+  depends_on = [
+    module.eks_nodegroup_iam
+  ]
+}
+
+// 보안그룹 생성
+module "eks_sg" {
+  source  = "../modules/sg"
+  sg_name = "${local.common_tags.project}-sg"
+  # vpc_id  = module.vpc_hq.vpc_hq_id
+  vpc_id = local.vpc_id
+
+}
+
+module "eks_sg_ingress_http" {
+  for_each          = local.tcp_port
+  source            = "../modules/sg-rule-add"
+  type              = "ingress"
+  from_port         = each.value
+  to_port           = each.value
+  protocol          = local.tcp_protocol
+  cidr_blocks       = local.all_ips
+  security_group_id = module.eks_sg.sg_id
+
+  tag_name = each.key
+}
+
+module "eks_sg_egress_all" {
+  source            = "../modules/sg-rule-add"
+  type              = "egress"
+  from_port         = local.any_protocol
+  to_port           = local.any_protocol
+  protocol          = local.any_protocol
+  cidr_blocks       = local.all_ips
+  security_group_id = module.eks_sg.sg_id
+
+  tag_name = "egress-all"
+}
+
+module "eks_cluster" {
+  source       = "../modules/eks-cluster"
+  name         = local.common_tags.project
+  iam_role_arn = module.eks_cluster_iam.iam_arn
+  sg_list      = [module.eks_sg.sg_id]
+  # subnet_list  = [module.subnet_public.subnet.zone-a.id, module.subnet_public.subnet.zone-c.id] #변경해야될수있음.
+  subnet_list = [local.public_subnet.zone-a.id, local.public_subnet.zone-c.id]
+
+  depends_on = [
+    module.eks_cluster_iam,
+    module.eks_sg,
+  ]
+
+  client_id = data.aws_caller_identity.this.id
+
+}
+
+module "eks_node_group" {
+  source          = "../modules/eks-node-group"
+  node_group_name = "${local.common_tags.project}-ng"
+  cluster_name    = module.eks_cluster.cluster_name
+  # iam_role_arn    = module.eks_nodegroup_iam.iam_arn
+  iam_role_arn = "arn:aws:iam::448559955338:role/eks-nodegroup-test"
+  # subnet_list  = [module.subnet_public.subnet.zone-a.id, module.subnet_public.subnet.zone-c.id] #변경해야될수있음.
+  subnet_list = [local.public_subnet.zone-a.id, local.public_subnet.zone-c.id]
+
+  desired_size = local.node_group_scaling_config.desired_size
+  max_size     = local.node_group_scaling_config.max_size
+  min_size     = local.node_group_scaling_config.min_size
+
+  depends_on = [
+    module.eks_nodegroup_iam,
+    module.eks_cluster,
+  ]
+}
+
+module "ng_sg_ingress_http" {
+  # for_each          = local.tcp_port
+  source            = "../modules/sg-rule-add"
+  type              = "ingress"
+  from_port         = "2049"
+  to_port           = "2049"
+  protocol          = local.tcp_protocol
+  cidr_blocks       = local.all_ips
+  security_group_id = module.eks_node_group.ng_sg
+
+  tag_name = "ng_sg_sub"
+
+  depends_on = [
+    module.eks_node_group
+  ]
+}
--- a/prod-hq-dns/outputs.tf
+++ b/prod-hq-dns/outputs.tf
@ -0,0 +1,18 @@
+//main-outputs
+output "aws_id" {
+  description = "The AWS Account ID."
+  value       = data.aws_caller_identity.this.account_id
+}
+output "ng_sg" {
+  description = "Identifier of the remote access EC2 Security Group."
+  value = module.eks_node_group.ng_sg
+  
+}
+# output "cluster_oidc" {
+#   description = "eks_cluster_identity"
+#   value       = module.eks_cluster.cluster_oidc
+# }
+# output "subnet" {
+#   description = "The name of vpc hq id"
+#   value       = module.subnet_public.subnet
+# }
--- a/prod-hq-dns/terraform.tf
+++ b/prod-hq-dns/terraform.tf
@ -0,0 +1,10 @@
+terraform {
+  backend "remote"{
+    hostname = "app.terraform.io"
+    organization = "icurfer"
+
+    workspaces {
+      name = "tf-cloud-dns"
+    }
+  }
+}
--- a/prod-hq-dns/valiables.tf
+++ b/prod-hq-dns/valiables.tf
@ -0,0 +1,45 @@
+# variable "cidr_block" {
+#     type = string
+#     default = "10.3.0.0/16"
+
+# }
+
+variable "prod_name" {
+  description = "value"
+  type        = string
+  default     = "22shop"
+}
+
+# variable "igw_id" {
+#     description = "value"
+#     type = string
+# }
+
+variable "subnet-az-public" {
+  description = "Subnet available zone & cidr"
+  type        = map(map(string))
+  default = {
+    "zone-a" = {
+      name = "ap-northeast-2a"
+      cidr = "10.3.1.0/24"
+    }
+    "zone-c" = {
+      name = "ap-northeast-2c"
+      cidr = "10.3.3.0/24"
+    }
+  }
+}
+variable "subnet-az-private" {
+  description = "Subnet available zone & cidr"
+  type        = map(map(string))
+  default = {
+    "zone-b" = {
+      name = "ap-northeast-2b"
+      cidr = "10.3.2.0/24"
+    }
+    "zone-d" = {
+      name = "ap-northeast-2d"
+      cidr = "10.3.4.0/24"
+    }
+  }
+}
--- a/prod-hq-efs/.terraform.lock.hcl
+++ b/prod-hq-efs/.terraform.lock.hcl
@ -0,0 +1,25 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/aws" {
+  version     = "3.76.1"
+  constraints = "~> 3.0"
+  hashes = [
+    "h1:UOk/iZppUGLh2zjmKJKKWCD6e79GsQokO2xfzOcKjxo=",
+    "zh:1cf933104a641ffdb64d71a76806f4df35d19101b47e0eb02c9c36bd64bfdd2d",
+    "zh:273afaf908775ade6c9d32462938e7739ee8b00a0de2ef3cdddc5bc115bb1d4f",
+    "zh:2bc24ae989e38f575de034083082c69b41c54b8df69d35728853257c400ce0f4",
+    "zh:53ba88dbdaf9f818d35001c3d519a787f457283d9341f562dc3d0af51fd9606e",
+    "zh:5cdac7afea68bbd89d3bdb345d99470226482eff41f375f220fe338d2e5808da",
+    "zh:63127808890ac4be6cff6554985510b15ac715df698d550a3e722722dc56523c",
+    "zh:97a1237791f15373743189b078a0e0f2fa4dd7d7474077423376cd186312dc55",
+    "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
+    "zh:a4f625e97e5f25073c08080e4a619f959bc0149fc853a6b1b49ab41d58b59665",
+    "zh:b56cca54019237941f7614e8d2712586a6ab3092e8e9492c70f06563259171e9",
+    "zh:d4bc33bfd6ac78fb61e6d48a61c179907dfdbdf149b89fb97272c663989a7fcd",
+    "zh:e0089d73fa56d128c574601305634a774eebacf4a84babba71da10040cecf99a",
+    "zh:e957531f1d92a6474c9b02bd9200da91b99ba07a0ab761c8e3176400dd41721c",
+    "zh:eceb85818d57d8270db4df7564cf4ed51b5c650a361aaa017c42227158e1946b",
+    "zh:f565e5caa1b349ec404c6d03d01c68b02233f5485ed038d0aab810dd4023a880",
+  ]
+}
--- a/prod-hq-efs/main.tf
+++ b/prod-hq-efs/main.tf
@ -46,10 +46,10 @@ data "terraform_remote_state" "hq_vpc_id" {
  backend = "remote"

  config = {
-    organization = "22shop" // 초기 설정값
+    organization = "icurfer" // 초기 설정값

    workspaces = {
-      name = "tf-22shop-network"
+      name = "tf-cloud-network"
    }
  }
 }
--- a/prod-hq-efs/terraform.tf
+++ b/prod-hq-efs/terraform.tf
@ -4,7 +4,7 @@ terraform {
    organization = "icurfer"

    workspaces {
-      name = "tf-22shop-hq-efs"
+      name = "tf-cloud-efs"
    }
  }
 }
--- a/prod-hq-eks/.terraform.lock.hcl
+++ b/prod-hq-eks/.terraform.lock.hcl
@ -0,0 +1,10 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/aws" {
+  version     = "3.76.1"
+  constraints = "~> 3.0"
+  hashes = [
+    "h1:UOk/iZppUGLh2zjmKJKKWCD6e79GsQokO2xfzOcKjxo=",
+  ]
+}
--- a/prod-hq-eks/main.tf
+++ b/prod-hq-eks/main.tf
@ -69,10 +69,10 @@ data "terraform_remote_state" "hq_vpc_id" {
  backend = "remote"

  config = {
-    organization = "22shop"
+    organization = "icurfer"

    workspaces = {
-      name = "tf-22shop-network"
+      name = "tf-cloud-network"
    }
  }
 }
@ -209,6 +209,7 @@ module "eks_node_group" {
  max_size     = local.node_group_scaling_config.max_size
  min_size     = local.node_group_scaling_config.min_size

+
  depends_on = [
    module.eks_nodegroup_iam,
    module.eks_cluster,
@ -219,16 +220,15 @@ module "eks_node_group" {
 #   # for_each          = local.tcp_port
 #   source            = "../modules/sg-rule-add"
 #   type              = "ingress"
-#   from_port         = "8080"
-#   to_port           = "8080"
+#   from_port         = "2049"
+#   to_port           = "2049"
 #   protocol          = local.tcp_protocol
 #   cidr_blocks       = local.all_ips
 #   security_group_id = module.eks_node_group.ng_sg

-#   tag_name = "test"
+#   tag_name = "ng_sg_sub"

 #   depends_on = [
 #     module.eks_node_group
 #   ]
-
 # }
--- a/prod-hq-network/main.tf
+++ b/prod-hq-network/main.tf
@ -37,7 +37,7 @@ locals {
  }

  eks_ingress_type = {
-    public = "kubernetes.io/role/elb"
+    public  = "kubernetes.io/role/elb"
    private = "kubernetes.io/role/internal-elb=1"
  }
 }
@ -96,6 +96,7 @@ module "subnet_public" {
  public_ip_on   = true
  # vpc_name       = "${local.common_tags.project}-public"
  #alb-ingress 생성을 위해 지정
+  k8s_ingress        = true
  vpc_name = local.eks_ingress_type.public
 }

@ -121,62 +122,21 @@ module "route_association" {
  subnet_ids        = [module.subnet_public.subnet.zone-a.id, module.subnet_public.subnet.zone-c.id]
 }

-# // 보안그룹 생성
-# module "eks_sg" {
-#   source  = "../modules/sg"
-#   sg_name = "${local.common_tags.project}-sg"
-#   vpc_id  = module.vpc_hq.vpc_hq_id
+# // private subnet
+# module "subnet_private" {
+#   source = "../modules/vpc-subnet"

-#   depends_on = [
-#     module.vpc_hq
-#   ]
+#   vpc_id         = module.vpc_hq.vpc_hq_id
+#   subnet-az-list = var.subnet-az-private
+#   public_ip_on   = false
+#   k8s_ingress        = false
+#   #alb-ingress 생성을 위해 지정
+#   vpc_name = local.eks_ingress_type.public
 # }

-# module "eks_sg_ingress_http" {
-#   for_each          = local.tcp_port
-#   source            = "../modules/sg-rule-add"
-#   type              = "ingress"
-#   from_port         = each.value
-#   to_port           = each.value
-#   protocol          = local.tcp_protocol
-#   cidr_blocks       = local.all_ips
-#   security_group_id = module.eks_sg.sg_id
+# module "route_private" {
+#   source   = "../modules/route-table"
+#   tag_name = "${local.common_tags.project}-private_route_table"
+#   vpc_id   = module.vpc_hq.vpc_hq_id

-#   tag_name = each.key
 # }
-
-# module "eks_sg_egress_all" {
-#   source            = "../modules/sg-rule-add"
-#   type              = "egress"
-#   from_port         = local.any_protocol
-#   to_port           = local.any_protocol
-#   protocol          = local.any_protocol
-#   cidr_blocks       = local.all_ips
-#   security_group_id = module.eks_sg.sg_id
-
-#   tag_name = "egress-all"
-# }
-
-# EKS테스트 할때 활성
-# module "ecr" {
-#     source = "../modules/ecr"
-
-#     names_list = ["web", "nginx", "mariadb"]
-# }
-
-/* 
-terraform_remote_state reference method
-terraform cloud
-*/
-# data "terraform_remote_state" "foo" {
-#   backend = "remote"
-
-#   config = {
-#     organization = "company"
-
-#     workspaces = {
-#       name = "workspace"
-#     }
-#   }
-# }
-
--- a/prod-hq-network/terraform.tf
+++ b/prod-hq-network/terraform.tf
@ -4,7 +4,7 @@ terraform {
    organization = "icurfer"

    workspaces {
-      name = "tf-22shop-network"
+      name = "tf-cloud-network"
    }
  }
 }