From 0b1946ecb3184845686729640acb563f7961e541 Mon Sep 17 00:00:00 2001 
From: Seong-dong Date: Wed, 28 Dec 2022 22:15:11 +0900 Subject: [PATCH] =?UTF-8?q?sg,=20eks,=20iam=20=EB=AA=A8=EB=93=88=EC=B6=94?= =?UTF-8?q?=EA=B0=80?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- 01-start/bar.txt | 1 - 01-start/main.tf | 26 +++- modules/eks/main.tf | 16 +++ nm-eks/main.tf => modules/eks/outputs.tf | 0 modules/eks/valiables.tf | 0 modules/iam-policy-attach/main.tf | 5 + modules/iam-policy-attach/outputs.tf | 0 modules/iam-policy-attach/variables.tf | 14 +++ modules/iam/eks-cluster.json.tftpl | 14 +++ modules/iam/main.tf | 23 ++++ modules/iam/outputs.tf | 4 + modules/iam/variables.tf | 14 +++ modules/route-table/variables.tf | 9 +- modules/sg-rule-add/main.tf | 11 ++ modules/sg-rule-add/outputs.tf | 10 ++ modules/sg-rule-add/variables.tf | 8 ++ modules/sg/main.tf | 5 + modules/sg/outputs.tf | 5 + modules/sg/variables.tf | 4 + modules/templates/main.tf | 24 ++++ modules/vpc-subnet/terraform.tf | 10 ++ {nm-eks => prod-hq}/.terraform.lock.hcl | 0 prod-hq/main.tf | 154 +++++++++++++++++++---- prod-hq/outputs.tf | 7 +- prod-hq/valiables.tf | 19 +-- 25 files changed, 342 insertions(+), 41 deletions(-) delete mode 100644 01-start/bar.txt create mode 100644 modules/eks/main.tf rename nm-eks/main.tf => modules/eks/outputs.tf (100%) create mode 100644 modules/eks/valiables.tf create mode 100644 modules/iam-policy-attach/main.tf create mode 100644 modules/iam-policy-attach/outputs.tf create mode 100644 modules/iam-policy-attach/variables.tf create mode 100644 modules/iam/eks-cluster.json.tftpl create mode 100644 modules/iam/main.tf create mode 100644 modules/iam/outputs.tf create mode 100644 modules/iam/variables.tf create mode 100644 modules/sg-rule-add/main.tf create mode 100644 modules/sg-rule-add/outputs.tf create mode 100644 modules/sg-rule-add/variables.tf create mode 100644 modules/sg/main.tf create mode 100644 modules/sg/outputs.tf create mode 100644 modules/sg/variables.tf create mode 100644 
modules/vpc-subnet/terraform.tf
 rename {nm-eks => prod-hq}/.terraform.lock.hcl (100%)
diff --git a/01-start/bar.txt b/01-start/bar.txt
deleted file mode 100644
index 4e6fab5..0000000
--- a/01-start/bar.txt
+++ /dev/null
@@ -1 +0,0 @@
-sdjo
\ No newline at end of file
diff --git a/01-start/main.tf b/01-start/main.tf
index 971cff1..dc565be 100644
--- a/01-start/main.tf
+++ b/01-start/main.tf
@@ -4,11 +4,27 @@ provider "aws" {
-resource "aws_instance" "ubuntu" {
- ami = "ami-0ab04b3ccbadfae1f"
- instance_type = "t2.micro"
+resource "aws_iam_role" "iam-role" {
+ name = "eks-cluster-test"
+
+ # Terraform's "jsonencode" function converts a
+ # Terraform expression result to valid JSON syntax.
+ assume_role_policy = jsonencode({
+ "Version" : "2012-10-17",
+ "Statement" : [
+ {
+ "Effect" : "Allow",
+ "Principal" : {
+ "Service" : [
+ "eks.amazonaws.com"
+ ]
+ },
+ "Action" : "sts:AssumeRole"
+ }
+ ]
+ })
 tags = {
- Name = "tf-ubuntu"
+ tag-key = "eks-cluster-rule"
 }
-}
\ No newline at end of file
+}
diff --git a/modules/eks/main.tf b/modules/eks/main.tf
new file mode 100644
index 0000000..14e0ab7
--- /dev/null
+++ b/modules/eks/main.tf
@@ -0,0 +1,16 @@
+resource "aws_eks_cluster" "demo" {
+ name = var.cluster-name
+ role_arn = aws_iam_role.demo-cluster.arn
+
+ enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
+
+ vpc_config {
+ security_group_ids = [aws_security_group.demo-cluster.id]
+ subnet_ids = [
+ aws_subnet.VPC_HQ_public_1a.id,
+ aws_subnet.VPC_HQ_public_1c.id
+ ]
+ endpoint_private_access = true
+ endpoint_public_access = true
+ }
+}
diff --git a/nm-eks/main.tf b/modules/eks/outputs.tf
similarity index 100%
rename from nm-eks/main.tf
rename to modules/eks/outputs.tf
diff --git a/modules/eks/valiables.tf b/modules/eks/valiables.tf
new file mode 100644
index 0000000..e69de29
diff --git a/modules/iam-policy-attach/main.tf b/modules/iam-policy-attach/main.tf
new file mode 100644
index 0000000..b53af01
--- /dev/null
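Review bot: `name = "eks-cluster-test"` is the same IAM role name that `module "eks_cluster_iam"` in prod-hq/main.tf passes as `iam_name` in this commit; role names are unique per AWS account, so whichever configuration is applied second fails with EntityAlreadyExists, and a `terraform destroy` of this scratch configuration would delete the role the prod cluster trusts if it happens to own it. Give the scratch role its own name, e.g. `name = "eks-cluster-scratch"`, or remove this resource now that modules/iam creates the real one. The tag key `tag-key` is the placeholder from the provider example; a meaningful key such as `Name` is what anyone searching the console will look for.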
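Review bot: `endpoint_public_access = true` with no `public_access_cidrs` leaves the Kubernetes API endpoint reachable from 0.0.0.0/0, which is the default when the list is omitted; with `endpoint_private_access` already true, either set `endpoint_public_access = false` or restrict it with an explicit operator allow-list. The block also references `aws_iam_role.demo-cluster`, `aws_security_group.demo-cluster` and `aws_subnet.VPC_HQ_public_1a`/`_1c`, none of which exist in this module (its valiables.tf is empty and outputs.tf is the renamed nm-eks/main.tf), and `var.cluster-name` is undeclared, so the module cannot pass `terraform validate`; those should become inputs wired from the root's `module.eks_cluster_iam`, `module.eks_sg` and `module.subnet_public`. Both subnets named are public ones, which is acceptable for the control-plane ENIs but worker nodes should land in the private subnets the root variables now define; `encryption_config` with a KMS key for envelope encryption of Secrets is also worth adding while the cluster is new.
```hcl
resource "aws_eks_cluster" "demo" {
  name     = var.cluster-name
  role_arn = var.cluster_role_arn # from modules/iam; declare in valiables.tf together with the inputs below

  # … unchanged: enabled_cluster_log_types …

  vpc_config {
    security_group_ids      = [var.cluster_sg_id]
    subnet_ids              = var.subnet_ids
    endpoint_private_access = true
    endpoint_public_access  = var.endpoint_public_access # default false
    public_access_cidrs     = var.public_access_cidrs    # operator allow-list; only consulted while public access is on
  }
}
```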
+++ b/modules/iam-policy-attach/main.tf
@@ -0,0 +1,5 @@
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "${var.iam_name}-att"
+ roles = ["${var.role_name}"]
+ policy_arn = "${var.arn}"
+}
\ No newline at end of file
diff --git a/modules/iam-policy-attach/outputs.tf b/modules/iam-policy-attach/outputs.tf
new file mode 100644
index 0000000..e69de29
diff --git a/modules/iam-policy-attach/variables.tf b/modules/iam-policy-attach/variables.tf
new file mode 100644
index 0000000..2276c61
--- /dev/null
+++ b/modules/iam-policy-attach/variables.tf
@@ -0,0 +1,14 @@
+variable "iam_name" {
+ description = "value"
+ type = string
+}
+
+variable "role_name" {
+ description = "value"
+ type = string
+}
+
+variable "arn" {
+ description = "value"
+ type = string
+}
\ No newline at end of file
diff --git a/modules/iam/eks-cluster.json.tftpl b/modules/iam/eks-cluster.json.tftpl
new file mode 100644
index 0000000..730b545
--- /dev/null
+++ b/modules/iam/eks-cluster.json.tftpl
@@ -0,0 +1,14 @@
+{
+ "Version" : "2012-10-17",
+ "Statement" : [
+ {
+ "Effect" : "Allow",
+ "Principal" : {
+ "Service" : [
+ "eks.amazonaws.com"
+ ]
+ },
+ "Action" : "sts:AssumeRole"
+ }
+ ]
+ }
\ No newline at end of file
diff --git a/modules/iam/main.tf b/modules/iam/main.tf
new file mode 100644
index 0000000..1957668
--- /dev/null
+++ b/modules/iam/main.tf
@@ -0,0 +1,23 @@
+resource "aws_iam_role" "iam-role" {
+ name = var.iam_name
+ assume_role_policy = var.policy
+
+ tags = {
+ tag-key = var.tag_name
+ }
+}
+
+# {
+# "Version" : "2012-10-17",
+# "Statement" : [
+# {
+# "Effect" : "Allow",
+# "Principal" : {
+# "Service" : [
+# "eks.amazonaws.com"
+# ]
+# },
+# "Action" : "sts:AssumeRole"
+# }
+# ]
+# }
diff --git a/modules/iam/outputs.tf b/modules/iam/outputs.tf
new file mode 100644
index 0000000..c58258f
--- /dev/null
+++ b/modules/iam/outputs.tf
@@ -0,0 +1,4 @@
+output "iam_name" {
+ value = aws_iam_role.iam-role.name
+
+}
\ No newline at end of file
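Review bot: `aws_iam_policy_attachment` creates an exclusive attachment: on every apply Terraform detaches `policy_arn` from any role, user or group not listed in `roles`, so attaching AmazonEKSClusterPolicy through this module silently strips it from any other role in the account that already carries it (an existing cluster's role, for instance) — the provider documentation warns about exactly this. For binding one managed policy to one role use `aws_iam_role_policy_attachment`, which is non-exclusive and has no `name`; `var.iam_name` then becomes unused and can be dropped or kept for call-site compatibility. The `"${var.x}"` wrapping is legacy 0.11 interpolation that `terraform fmt` rewrites to `var.x`.
```hcl
resource "aws_iam_role_policy_attachment" "test-attach" {
  role       = var.role_name
  policy_arn = var.arn
}
```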
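Review bot: All three inputs carry the placeholder description `"value"`, which is what `terraform-docs` and variable prompts will show; state what each is, e.g. `description = "Name of the IAM role the policy is attached to"` for `role_name` and `description = "ARN of the managed IAM policy to attach"` for `arn`. Nothing constrains `arn` to be a policy ARN, so a typo is only discovered at apply time; a `validation` block on `arn` with `condition = can(regex("^arn:aws[a-z-]*:iam::(aws|[0-9]{12}):policy/", var.arn))` would catch that at plan time.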
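Review bot: Nothing in this commit reads this template: modules/iam/main.tf takes its trust policy from `var.policy`, and prod-hq/main.tf builds that string with `data.aws_iam_policy_document`, so this file is one more copy of the same trust document alongside the commented block in modules/iam/main.tf, 01-start/main.tf and modules/templates/main.tf. Either reference it from the module (`assume_role_policy = templatefile("${path.module}/eks-cluster.json.tftpl", {})`) or delete it, so there is a single source of truth for which principals may assume the cluster role. The `.tftpl` extension implies template variables; it has none, so a plain `.json` would be less misleading if it is kept.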
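Review bot: `assume_role_policy = var.policy` installs whatever trust document the caller supplies with no guard, so the module would just as readily create a role trusting `"AWS": "*"` as one trusting `eks.amazonaws.com`; document that contract on the input and consider exposing `trusted_services = list(string)` and building the document with `aws_iam_policy_document` inside the module so it can only ever emit service-principal trust. A `permissions_boundary` input (optional, default `null`) is also cheap to add now and hard to retrofit. The 14-line commented JSON block duplicates eks-cluster.json.tftpl from this same commit and should go, and the tag key is the literal string `tag-key` — `Project = var.tag_name` would match `local.common_tags.project` in the root.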
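Review bot: The module exports only the role name, but the consumer added in this commit, `aws_eks_cluster` in modules/eks/main.tf, needs `role_arn`, and an `aws_eks_node_group` likewise takes `node_role_arn`; callers would have to rebuild the ARN from the account id. Add `output "iam_arn" { value = aws_iam_role.iam-role.arn }` beside `iam_name`, and give both a `description`. The blank line before the closing brace is `terraform fmt` noise.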
diff --git a/modules/iam/variables.tf b/modules/iam/variables.tf
new file mode 100644
index 0000000..2e892bf
--- /dev/null
+++ b/modules/iam/variables.tf
@@ -0,0 +1,14 @@
+variable "iam_name" {
+ description = "value"
+ type = string
+}
+
+variable "policy" {
+ description = "value"
+ type = string
+}
+
+variable "tag_name" {
+ description = "value"
+ type = string
+}
\ No newline at end of file
diff --git a/modules/route-table/variables.tf b/modules/route-table/variables.tf
index 1b6592e..e0bbed4 100644
--- a/modules/route-table/variables.tf
+++ b/modules/route-table/variables.tf
@@ -1,9 +1,8 @@
-variable "vpc_id" {
- description = "set vpc id"
- type = string
-}
-
 variable "tag_name" {
 description = "value"
 type = string
+}
+variable "vpc_id" {
+ description = "set vpc id"
+ type = string
 }
\ No newline at end of file
diff --git a/modules/sg-rule-add/main.tf b/modules/sg-rule-add/main.tf
new file mode 100644
index 0000000..7171bd5
--- /dev/null
+++ b/modules/sg-rule-add/main.tf
@@ -0,0 +1,11 @@
+resource "aws_security_group_rule" "sg-rule-add" {
+ description = "Security groups rule add"
+
+ type = var.type
+ from_port = var.set_ports.http
+ to_port = var.set_ports.http
+ protocol = var.set_ports.protocol_tcp #tcp
+ cidr_blocks = var.cidr_blocks
+ security_group_id = var.sg_id
+
+}
diff --git a/modules/sg-rule-add/outputs.tf b/modules/sg-rule-add/outputs.tf
new file mode 100644
index 0000000..dda6b4e
--- /dev/null
+++ b/modules/sg-rule-add/outputs.tf
@@ -0,0 +1,10 @@
+//sg-output
+output "vpc_hq_id" {
+ description = "The name of vpc hq id"
+ value = aws_vpc.vpc-hq.id
+}
+
+output "vpc_name" {
+ value = var.tag_name
+}
+
diff --git a/modules/sg-rule-add/variables.tf b/modules/sg-rule-add/variables.tf
new file mode 100644
index 0000000..9b444ec
--- /dev/null
+++ b/modules/sg-rule-add/variables.tf
@@ -0,0 +1,8 @@
+variable "type" {
+ description = "security rule type"
+ type = string
+}
+variable "from_port" {
+ description = "from port"
+ type = number
+}
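Review bot: `policy` is the role's trust document — the single most security-relevant input of this module — and its description is the placeholder `"value"`; spell it out, e.g. `description = "JSON assume-role (trust) policy; limit principals to the AWS services that must assume this role"`. The same applies to `iam_name` (`"IAM role name; must be unique within the account"`) and `tag_name`, which as used in main.tf is a tag value, not a tag name.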
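Review bot: The rule reads `var.set_ports`, `var.cidr_blocks` and `var.sg_id`, none of which the module's variables.tf declares (it declares only `type` and `from_port`, and `from_port` is never referenced), so `terraform validate` rejects the module. Beyond that, `from_port` and `to_port` are both `var.set_ports.http`, hard-wiring every rule to one port, and `cidr_blocks` is passed straight through, so a caller can open that port to `0.0.0.0/0` with nothing in the module surfacing it. Reference explicit `from_port`, `to_port`, `protocol`, `cidr_blocks` and `sg_id` inputs and validate `cidr_blocks` in variables.tf so malformed or world-open ranges are caught at plan time rather than discovered in the security group.
```hcl
resource "aws_security_group_rule" "sg-rule-add" {
  description       = "Security groups rule add"
  type              = var.type
  from_port         = var.from_port
  to_port           = var.to_port
  protocol          = var.protocol
  cidr_blocks       = var.cidr_blocks
  security_group_id = var.sg_id
}
```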
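Review bot: Both outputs are copied from the vpc module: `aws_vpc.vpc-hq` and `var.tag_name` do not exist in sg-rule-add, so the module fails validation before any rule is created. Replace them with something a caller of this module can use, e.g. `output "rule_id" { value = aws_security_group_rule.sg-rule-add.id }`, and drop `vpc_hq_id` and `vpc_name`.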
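Review bot: Only `type` and `from_port` are declared while main.tf references `set_ports`, `cidr_blocks` and `sg_id`, so the declarations and the resource disagree and neither set is enough to express a rule (no `to_port`, `protocol`, `cidr_blocks` or `security_group_id`). Declaring the full set, with `cidr_blocks` validated, closes both gaps; the validation below only checks that each entry parses as a CIDR, which still lets `0.0.0.0/0` through deliberately but documents that it must be a reviewed choice.
```hcl
variable "to_port" {
  description = "Last port of the range (same as from_port for a single port)"
  type        = number
}
variable "protocol" {
  description = "IP protocol: tcp, udp, icmp, or -1 for all"
  type        = string
}
variable "cidr_blocks" {
  description = "Source (ingress) or destination (egress) CIDR ranges; any 0.0.0.0/0 entry must be reviewed explicitly"
  type        = list(string)
  validation {
    condition     = alltrue([for c in var.cidr_blocks : can(cidrhost(c, 0))])
    error_message = "Every entry in cidr_blocks must be a valid CIDR block."
  }
}
variable "sg_id" {
  description = "ID of the security group the rule is attached to"
  type        = string
}
```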
diff --git a/modules/sg/main.tf b/modules/sg/main.tf
new file mode 100644
index 0000000..27c36e8
--- /dev/null
+++ b/modules/sg/main.tf
@@ -0,0 +1,5 @@
+resource "aws_security_group" "sg" {
+ description = "Security groups"
+ name = var.sg_name
+
+}
diff --git a/modules/sg/outputs.tf b/modules/sg/outputs.tf
new file mode 100644
index 0000000..fb7b098
--- /dev/null
+++ b/modules/sg/outputs.tf
@@ -0,0 +1,5 @@
+//sg-output
+output "sg_id" {
+ description = "sg id outputs"
+ value = aws_security_group.sg.id
+}
\ No newline at end of file
diff --git a/modules/sg/variables.tf b/modules/sg/variables.tf
new file mode 100644
index 0000000..6817535
--- /dev/null
+++ b/modules/sg/variables.tf
@@ -0,0 +1,4 @@
+variable "sg_name" {
+ description = "security group name"
+ type = string
+}
diff --git a/modules/templates/main.tf b/modules/templates/main.tf
index e69de29..3561969 100644
--- a/modules/templates/main.tf
+++ b/modules/templates/main.tf
@@ -0,0 +1,24 @@
+resource "aws_iam_role" "eks-cluster" {
+ name = "iam role eks-cluster"
+
+ # Terraform's "jsonencode" function converts a
+ # Terraform expression result to valid JSON syntax.
+ assume_role_policy = jsonencode({
+ "Version" : "2012-10-17",
+ "Statement" : [
+ {
+ "Effect" : "Allow",
+ "Principal" : {
+ "Service" : [
+ "eks.amazonaws.com"
+ ]
+ },
+ "Action" : "sts:AssumeRole"
+ }
+ ]
+ })
+
+ tags = {
+ tag-key = "eks-cluster-rule"
+ }
+}
diff --git a/modules/vpc-subnet/terraform.tf b/modules/vpc-subnet/terraform.tf
new file mode 100644
index 0000000..9137da1
--- /dev/null
+++ b/modules/vpc-subnet/terraform.tf
@@ -0,0 +1,10 @@
+terraform {
+ backend "remote"{
+ hostname = "app.terraform.io"
+ organization = "22shop"
+
+ workspaces {
+ name = "tf-cloud-backend"
+ }
+ }
+}
\ No newline at end of file
diff --git a/nm-eks/.terraform.lock.hcl b/prod-hq/.terraform.lock.hcl
similarity index 100%
rename from nm-eks/.terraform.lock.hcl
rename to prod-hq/.terraform.lock.hcl
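Review bot: `aws_security_group` has no `vpc_id`, so the group is created in the region's default VPC rather than in the `10.3.0.0/16` VPC the root builds with `module "vpc_hq"`; an EKS cluster in that VPC cannot reference it (the API rejects a security group from another VPC), and any rule later added through sg-rule-add would be opening ports in the default VPC. Add `vpc_id = var.vpc_id` (declared in variables.tf) and have the root pass `module.vpc_hq.vpc_hq_id`, as `module "vpc_igw"` already does, plus `tags = { Name = var.sg_name }` so the group is identifiable. Note that the provider removes AWS's implicit allow-all egress from groups it manages, so with no `egress` block this group permits nothing outbound — the safe default, but it must be a deliberate choice for a cluster security group.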
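Review bot: `name = "iam role eks-cluster"` contains spaces, which IAM rejects (role names allow only alphanumerics and `+=,.@-_`), so this resource fails at apply time; use something like `name = "eks-cluster"`. It is also the fourth copy of the EKS trust policy in this commit (01-start/main.tf, modules/iam/eks-cluster.json.tftpl and the commented block in modules/iam/main.tf are the others); if `modules/templates` is intended as a snippet library rather than deployable code, say so in a header comment, otherwise point callers at modules/iam and drop this.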
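Review bot: A `backend` block is only honored in the root module; inside modules/vpc-subnet Terraform warns "Backend configuration ignored" at `init` and this file configures state storage for nothing. Together with the removal of the same block from prod-hq/main.tf in this commit, the prod-hq root falls back to a local `terraform.tfstate` unless another file there still declares a backend — state that holds the account id, role ARNs and every resource id lands unencrypted on the operator's disk with no locking or history. Keep the `terraform { backend "remote" { ... } }` block in the root (a prod-hq/terraform.tf next to main.tf is the conventional spot) and delete this file.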
diff --git a/prod-hq/main.tf b/prod-hq/main.tf
index e8e7bfa..f212fbc 100644
--- a/prod-hq/main.tf
+++ b/prod-hq/main.tf
@@ -1,15 +1,4 @@
 // prod - main
-terraform {
- backend "remote"{
- hostname = "app.terraform.io"
- organization = "22shop"
-
- workspaces {
- name = "tf-cloud-backend"
- }
- }
-
-}
 provider "aws" {
 region = "ap-northeast-2"
@@ -21,34 +10,64 @@ provider "aws" {
 locals {
 common_tags = {
 project = "22shop"
- owner = "icurfer"
+ owner = "icurfer"
 }
 }
+
+// GET 계정정보
+data "aws_caller_identity" "this" {}
+
+// eks를 위한 iam역할 생성 데이터 조회
+data "aws_iam_policy_document" "eks-assume-role-policy" {
+ statement {
+ actions = ["sts:AssumeRole"]
+
+ principals {
+ type = "Service"
+ identifiers = ["eks.amazonaws.com"]
+ }
+ }
+}
+data "aws_iam_policy_document" "eks_node_group_role" {
+ statement {
+ actions = ["sts:AssumeRole"]
+
+ principals {
+ type = "Service"
+ identifiers = ["eks-nodegroup.amazonaws.com"]
+ }
+ }
+}
+
 # module "vpc_hq" {
 module "vpc_hq" {
- source = "../modules/vpc"
-# source = "github.com/Seong-dong/team_prj/tree/main/modules/vpc"
+ source = "../modules/vpc"
+ # source = "github.com/Seong-dong/team_prj/tree/main/modules/vpc"
 tag_name = "${local.common_tags.project}-vpc"
 cidr_block = "10.3.0.0/16"
 }
 module "vpc_igw" {
- source = "../modules/igw"
-
- vpc_id = module.vpc_hq.vpc_hq_id
+ source = "../modules/igw"
+
+ vpc_id = module.vpc_hq.vpc_hq_id
 tag_name = "${local.common_tags.project}-vpc_igw"
+
+ depends_on = [
+ module.vpc_hq
+ ]
 }
 module "subnet_public" {
 source = "../modules/vpc-subnet"
 vpc_id = module.vpc_hq.vpc_hq_id
- subnet-az-list = var.subnet-az-list
- public_ip_on = true
- vpc_name = "${local.common_tags.project}-public"
+ subnet-az-list = var.subnet-az-public
+ public_ip_on = true
+ vpc_name = "${local.common_tags.project}-public"
 }
 // public route
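Review bot: Removing the `terraform { backend "remote" ... }` block leaves this root with no backend declaration, and the copy moved to modules/vpc-subnet/terraform.tf is ignored there because backends are read only from the root module; unless another .tf in prod-hq still declares one, the next `terraform init` offers to migrate prod state into a local `terraform.tfstate` — plaintext on disk, no locking, no history. Keep the block in the root (a prod-hq/terraform.tf beside main.tf is conventional) and pin `required_version` and `required_providers` in the same block while you are there.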
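Review bot: `data "aws_iam_policy_document" "eks_node_group_role"` trusts `eks-nodegroup.amazonaws.com`, which is the principal of EKS's own service-linked role, not of worker nodes; the node role that `AmazonEKSWorkerNodePolicy`, `AmazonEKS_CNI_Policy` and `AmazonEC2ContainerRegistryReadOnly` are attached to must be assumable by the instances, i.e. `identifiers = ["ec2.amazonaws.com"]`. As written the kubelets cannot obtain credentials and node-group creation fails, while the EKS node-group service is handed a role with ECR and CNI rights it was never meant to hold. Unrelated nit: `depends_on = [module.vpc_hq]` on `module "vpc_igw"` is redundant because `vpc_id = module.vpc_hq.vpc_hq_id` already orders the two.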
@@ -68,11 +87,86 @@ module "route_add" {
 module "route_association" {
 source = "../modules/route-association"
 route_table_id = module.route_public.route_public_id
-
+
 association_count = 2
- subnet_ids = [module.subnet_public.subnet.zone-a.id, module.subnet_public.subnet.zone-c.id]
+ subnet_ids = [module.subnet_public.subnet.zone-a.id, module.subnet_public.subnet.zone-c.id]
 }
+// eks 클러스터 역할 생성
+module "eks_cluster_iam" {
+ source = "../modules/iam"
+ iam_name = "eks-cluster-test"
+ policy = data.aws_iam_policy_document.eks-assume-role-policy.json
+ tag_name = local.common_tags.project
+}
+
+// eks 클러스터 역할 정책 추가
+module "eks_cluster_iam_att" {
+ source = "../modules/iam-policy-attach"
+ iam_name = "eks-cluster-att"
+ role_name = module.eks_cluster_iam.iam_name
+ arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
+
+ depends_on = [
+ module.eks_cluster_iam
+ ]
+}
+module "eks_cluster_iam_att2" {
+ source = "../modules/iam-policy-attach"
+ iam_name = "eks-cluster-att"
+ role_name = module.eks_cluster_iam.iam_name
+ arn = "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController"
+
+ depends_on = [
+ module.eks_cluster_iam
+ ]
+}
+
+// eks 노드그룹 역할 생성 및 추가
+module "eks_nodegroup_iam" {
+ source = "../modules/iam"
+ iam_name = "eks-nodegroup-test"
+ policy = data.aws_iam_policy_document.eks_node_group_role.json
+ tag_name = local.common_tags.project
+}
+module "eks_nodegroup_iam_att_1" {
+ source = "../modules/iam-policy-attach"
+ iam_name = "eks-nodegroup-att"
+ role_name = module.eks_nodegroup_iam.iam_name
+ arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
+
+ depends_on = [
+ module.eks_nodegroup_iam
+ ]
+}
+module "eks_nodegroup_iam_att_2" {
+ source = "../modules/iam-policy-attach"
+ iam_name = "eks-nodegroup-att"
+ role_name = module.eks_nodegroup_iam.iam_name
+ arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
+
+ depends_on = [
+ module.eks_nodegroup_iam
+ ]
+}
+module "eks_nodegroup_iam_att_3" {
+ source = "../modules/iam-policy-attach"
+ iam_name = "eks-nodegroup-att"
+ role_name = module.eks_nodegroup_iam.iam_name
+ arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+
+ depends_on = [
+ module.eks_nodegroup_iam
+ ]
+}
+
+// 보안그룹 생성
+module "eks_sg" {
+ source = "../modules/sg"
+ sg_name = "${local.common_tags.project}-sg"
+}
+
+module "eks_sg_ingress"
 # EKS테스트 할때 활성
 # module "ecr" {
 # source = "../modules/ecr"
@@ -80,3 +174,19 @@ module "route_association" {
 # names_list = ["web", "nginx", "mariadb"]
 # }
+/*
+terraform_remote_state reference method
+terraform cloud
+*/
+# data "terraform_remote_state" "foo" {
+# backend = "remote"
+
+# config = {
+# organization = "company"
+
+# workspaces = {
+# name = "workspace"
+# }
+# }
+# }
+
diff --git a/prod-hq/outputs.tf b/prod-hq/outputs.tf
index 4a48214..f55041c 100644
--- a/prod-hq/outputs.tf
+++ b/prod-hq/outputs.tf
@@ -1,4 +1,9 @@
-//modules-subnet-outputs
+//main-outputs
+output "aws_id" {
+ description = "The AWS Account ID."
+ value = data.aws_caller_identity.this.account_id
+}
+
 output "subnet" {
 description = "The name of vpc hq id"
 value = module.subnet_public.subnet
diff --git a/prod-hq/valiables.tf b/prod-hq/valiables.tf
index 58593a5..3414430 100644
--- a/prod-hq/valiables.tf
+++ b/prod-hq/valiables.tf
@@ -15,7 +15,7 @@ variable "prod_name" {
 # type = string
 # }
-variable "subnet-az-list" {
+variable "subnet-az-public" {
 description = "Subnet available zone & cidr"
 type = map(map(string))
 default = {
@@ -23,18 +23,23 @@ variable "subnet-az-list" {
 name = "ap-northeast-2a"
 cidr = "10.3.1.0/24"
 }
- "zone-b" = {
- name = "ap-northeast-2b"
- cidr = "10.3.2.0/24"
- }
 "zone-c" = {
 name = "ap-northeast-2c"
 cidr = "10.3.3.0/24"
 }
+ }
+}
+variable "subnet-az-private" {
+ description = "Subnet available zone & cidr"
+ type = map(map(string))
+ default = {
+ "zone-b" = {
+ name = "ap-northeast-2b"
+ cidr = "10.3.2.0/24"
+ }
 "zone-d" = {
 name = "ap-northeast-2d"
 cidr = "10.3.4.0/24"
 }
 }
-
-}
+}
\ No newline at end of file
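Review bot: `module "eks_sg_ingress"` is added with no block body — HCL requires `{ ... }` after the label, so prod-hq/main.tf no longer parses and nothing in this root, including the five policy attachments above it, can be planned until the block is completed or removed. When it is completed, remember that `module "eks_sg"` is created without a `vpc_id` (see modules/sg), so an ingress rule attached to it would open a port in the default VPC rather than in `module.vpc_hq`. The `depends_on = [module.eks_cluster_iam]` / `[module.eks_nodegroup_iam]` lists on each attachment are redundant, since `role_name = module.eks_cluster_iam.iam_name` already carries that dependency, and module-level `depends_on` also defers every data source inside the module to apply time. The repeated `iam_name = "eks-cluster-att"` across `eks_cluster_iam_att` and `att2` is harmless but confusing; distinct names such as `"eks-cluster-att-cluster"` and `"eks-cluster-att-vpc-rc"` read better in plan output.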
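Review bot: `subnet-az-private` is declared with two AZs but nothing in this commit consumes it — only `subnet-az-public` is wired, to `module "subnet_public"` — so the cluster and any future node group still have only public subnets to live in; add a `module "subnet_private"` (`public_ip_on = false`) fed from this variable and hand those subnets to the node group so worker nodes do not receive public IPs. The two descriptions are identical ("Subnet available zone & cidr"); say which is public and which is private, e.g. `description = "AZ → CIDR map for private subnets (worker nodes; no public IPs)"`. The file name `valiables.tf` (also in modules/eks) is a typo for `variables.tf`; Terraform loads it either way, but readers and `terraform-docs` expect the conventional name.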