diff --git a/modules/route53-record/main.tf b/modules/route53-record/main.tf
new file mode 100644
index 0000000..80800c1
--- /dev/null
+++ b/modules/route53-record/main.tf
@@ -0,0 +1,20 @@
+resource "aws_route53_record" "default" {
+ count = var.type_alias ? 0 : 1
+ zone_id = var.zone_id
+ name = var.prefix
+ type = var.type
+ ttl = var.ttl
+ records = var.record_list
+}
+
+resource "aws_route53_record" "alias" {
+ count = var.type_alias ? 1 : 0
+ zone_id = var.zone_id
+ name = var.name
+
+ type = var.type
+
+ ttl = var.ttl
+
+ records = var.record_list
+}
diff --git a/modules/route53-record/outputs.tf b/modules/route53-record/outputs.tf
new file mode 100644
index 0000000..e69de29
diff --git a/modules/route53-record/variables.tf b/modules/route53-record/variables.tf
new file mode 100644
index 0000000..d237372
--- /dev/null
+++ b/modules/route53-record/variables.tf
@@ -0,0 +1,20 @@
+variable "zone_id" {
+ description = "set host-zone id"
+ type = string
+}
+variable "prefix" {
+ description = "set host-zone id"
+ type = string
+}
+variable "type" {
+ description = "set host-zone id"
+ type = string
+}
+variable "ttl" {
+ description = "set host-zone id"
+ type = string
+}
+variable "record_list" {
+ description = "set host-zone id"
+ type = list(string)
+}
\ No newline at end of file
diff --git a/modules/route53/main.tf b/modules/route53/main.tf
index 47f613e..36dc10c 100644
--- a/modules/route53/main.tf
+++ b/modules/route53/main.tf
@@ -1,9 +1,5 @@
 resource "aws_route53_zone" "primary" {
 name = var.name
-
- //public 이면 vpc 불필요
- count = var.public ? 0 : 1
- vpc {
- vpc_id = var.vpc_id
- }
+ comment = "hq-dns-server"
 }
+
diff --git a/modules/route53/outputs.tf b/modules/route53/outputs.tf
index 0d67f61..28f50d6 100644
--- a/modules/route53/outputs.tf
+++ b/modules/route53/outputs.tf
@@ -1,3 +1,4 @@
-output "id" {
- value = aws_route53_zone.primary.id
+output "zone_id" {
+ value = aws_route53_zone.primary.zone_id
+
 }
\ No newline at end of file
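Review bot: `aws_route53_record.alias` never declares an `alias {}` block, and `var.type_alias` / `var.name` are not declared in the `variables.tf` added by the same commit, so the module fails validation — and even with those inputs declared, both resources would create an identical plain record (only `name = var.prefix` vs `var.name` differs). In the AWS provider an alias record takes `alias { name, zone_id, evaluate_target_health }` and must not set `ttl`/`records`, so the second resource needs rewriting and the missing inputs (`type_alias`, `name`, `alias_name`, `alias_zone_id`, `evaluate_target_health`) need declaring; `outputs.tf` is also empty, so callers cannot reach the record's `fqdn`. Note that `prod-hq-dns/main.tf` in this commit writes its alias record inline rather than calling this module, so the module is unreferenced as committed.
```hcl
resource "aws_route53_record" "alias" {
  count   = var.type_alias ? 1 : 0
  zone_id = var.zone_id
  name    = var.name
  type    = var.type

  # alias records carry no ttl/records; the target's own TTL applies
  alias {
    name                   = var.alias_name
    zone_id                = var.alias_zone_id
    evaluate_target_health = var.evaluate_target_health
  }
}
```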
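Review bot: All five `description` strings are the copy-pasted `"set host-zone id"`, so module consumers and `terraform-docs` get nothing useful about `prefix`, `type`, `ttl` or `record_list`; each should describe its own input, e.g. `description = "Record name relative to the hosted zone (e.g. \"www\")"` for `prefix`. `ttl` is declared `type = string` although the provider attribute is numeric — `type = number` rejects a non-numeric value at validation time rather than at apply. `type` accepts any string; a `validation` block with `condition = contains(["A", "AAAA", "CNAME", "MX", "TXT", "NS", "SRV", "CAA"], upper(var.type))` would catch typos before a plan runs, and the `type_alias` and `name` inputs that the sibling `main.tf` references are missing from this file entirely.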
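Review bot: Dropping `count` on `aws_route53_zone.primary` changes its address from `primary[0]` to `primary`, so any existing state holding a zone under the old index will plan a destroy and re-create; recreating a hosted zone rotates its NS delegation set and breaks resolution for the domain until the registrar is updated. Note the old expression `var.public ? 0 : 1` created no zone at all when `public = true`, so only a previously private-zone deployment would hit this. If such state exists, add `moved { from = aws_route53_zone.primary[0]  to = aws_route53_zone.primary }` (Terraform ≥ 1.1) or run `terraform state mv` before applying, and guard the zone with `lifecycle { prevent_destroy = true }` regardless. `comment = "hq-dns-server"` is hard-coded into what is otherwise a reusable module — expose it as `var.comment` with that default.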
diff --git a/modules/route53/variables.tf b/modules/route53/variables.tf index 9e59969..bd98dd9 100644 --- a/modules/route53/variables.tf +++ b/modules/route53/variables.tf @@ -2,13 +2,3 @@ variable "name" { description = "route53 name" type = string } - -variable "public" { - description = "route53 name" - type = bool -} - -variable "vpc_id" { - description = "vpc_id" - type = string -} \ No newline at end of file diff --git a/prod-hq-dns/.terraform.lock.hcl b/prod-hq-dns/.terraform.lock.hcl new file mode 100644 index 0000000..c4e33ee --- /dev/null +++ b/prod-hq-dns/.terraform.lock.hcl @@ -0,0 +1,10 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "4.49.0" + constraints = "~> 4.0" + hashes = [ + "h1:HxPUxrHpAJey832OwVk3J2T7lHpRzMavqjXDzaFyM6I=", + ] +} diff --git a/prod-hq-dns/main.tf b/prod-hq-dns/main.tf index 2619739..3432e94 100644 --- a/prod-hq-dns/main.tf +++ b/prod-hq-dns/main.tf @@ -1,15 +1,16 @@ -// prod - main +// prod - dev provider "aws" { - region = "ap-northeast-2" - - #2.x버전의 AWS공급자 허용 - version = "~> 3.0" + region = "ap-northeast-2" + profile = "22shop" + shared_credentials_file = "C:/Users/aa/.aws/credentials" + #4.x버전의 AWS공급자 허용 + version = "~> 4.0" } + locals { - vpc_id = data.terraform_remote_state.hq_vpc_id.outputs.vpc_id - public_subnet = data.terraform_remote_state.hq_vpc_id.outputs.subnet + vpc_id = data.terraform_remote_state.hq_vpc_id.outputs.vpc_id common_tags = { project = "22shop" owner = "icurfer" 
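Review bot: `shared_credentials_file = "C:/Users/aa/.aws/credentials"` and `profile = "22shop"` pin the provider to one developer's Windows machine and commit a user-identifying local path to VCS; with the `remote` backend configured in `prod-hq-dns/terraform.tf` the run may execute on Terraform Cloud workers, where that path does not exist and the provider silently falls back to whatever ambient credentials it finds. Credentials should come from the workspace environment (sensitive `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` variables, or better an OIDC/dynamic-credentials role) rather than from provider arguments. The `version` argument inside a `provider` block has been deprecated since Terraform 0.13 in favour of `required_providers`, and `shared_credentials_file` is itself deprecated in AWS provider 4.x (the lockfile pins 4.49.0) in favour of `shared_credentials_files`. The `locals` block at the end of the hunk continues past it.
```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
}

provider "aws" {
  region = "ap-northeast-2"
  # credentials are supplied by the workspace environment, never by config
}
```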
@@ -42,192 +43,35 @@ locals { // GET 계정정보 data "aws_caller_identity" "this" {} -// eks를 위한 iam역할 생성 데이터 조회 -data "aws_iam_policy_document" "eks-assume-role-policy" { - statement { - actions = ["sts:AssumeRole"] - - principals { - type = "Service" - identifiers = ["eks.amazonaws.com"] - } - } +locals { + dns_name = "ddochi.ml" } -data "aws_iam_policy_document" "eks_node_group_role" { - statement { - actions = ["sts:AssumeRole"] - - principals { - type = "Service" - identifiers = ["ec2.amazonaws.com"] - } - } -} - // 테라폼클라우드 data "terraform_remote_state" "hq_vpc_id" { backend = "remote" config = { - organization = "icurfer" + organization = "22shop" workspaces = { - name = "tf-22shop-network" + name = "hq-network" } } } -// eks 클러스터 역할 생성 -module "eks_cluster_iam" { - source = "../modules/iam" - iam_name = "eks-cluster-test" - policy = data.aws_iam_policy_document.eks-assume-role-policy.json - tag_name = local.common_tags.project +module "rote53" { + source = "../modules/route53" + name = local.dns_name } -// eks 클러스터 역할 정책 추가 -module "eks_cluster_iam_att" { - source = "../modules/iam-policy-attach" - iam_name = "eks-cluster-att" - role_name = module.eks_cluster_iam.iam_name - arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy" +resource "aws_route53_record" "www" { + zone_id = module.rote53.zone_id + name = "hq.ddochi.ml" + type = "A" - depends_on = [ - module.eks_cluster_iam - ] -} -module "eks_cluster_iam_att2" { - source = "../modules/iam-policy-attach" - iam_name = "eks-cluster-att" - role_name = module.eks_cluster_iam.iam_name - arn = "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController" - - depends_on = [ - module.eks_cluster_iam - ] -} - -// eks 노드그룹 역할 생성 및 추가 -module "eks_nodegroup_iam" { - source = "../modules/iam" - iam_name = "eks-nodegroup-test" - policy = data.aws_iam_policy_document.eks_node_group_role.json - tag_name = local.common_tags.project -} -module "eks_nodegroup_iam_att_1" { - source = "../modules/iam-policy-attach" - iam_name = 
"eks-nodegroup-att" - role_name = module.eks_nodegroup_iam.iam_name - arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy" - - depends_on = [ - module.eks_nodegroup_iam - ] -} -module "eks_nodegroup_iam_att_2" { - source = "../modules/iam-policy-attach" - iam_name = "eks-nodegroup-att" - role_name = module.eks_nodegroup_iam.iam_name - arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy" - - depends_on = [ - module.eks_nodegroup_iam - ] -} -module "eks_nodegroup_iam_att_3" { - source = "../modules/iam-policy-attach" - iam_name = "eks-nodegroup-att" - role_name = module.eks_nodegroup_iam.iam_name - arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly" - - depends_on = [ - module.eks_nodegroup_iam - ] -} - -// 보안그룹 생성 -module "eks_sg" { - source = "../modules/sg" - sg_name = "${local.common_tags.project}-sg" - # vpc_id = module.vpc_hq.vpc_hq_id - vpc_id = local.vpc_id - -} - -module "eks_sg_ingress_http" { - for_each = local.tcp_port - source = "../modules/sg-rule-add" - type = "ingress" - from_port = each.value - to_port = each.value - protocol = local.tcp_protocol - cidr_blocks = local.all_ips - security_group_id = module.eks_sg.sg_id - - tag_name = each.key -} - -module "eks_sg_egress_all" { - source = "../modules/sg-rule-add" - type = "egress" - from_port = local.any_protocol - to_port = local.any_protocol - protocol = local.any_protocol - cidr_blocks = local.all_ips - security_group_id = module.eks_sg.sg_id - - tag_name = "egress-all" -} - -module "eks_cluster" { - source = "../modules/eks-cluster" - name = local.common_tags.project - iam_role_arn = module.eks_cluster_iam.iam_arn - sg_list = [module.eks_sg.sg_id] - # subnet_list = [module.subnet_public.subnet.zone-a.id, module.subnet_public.subnet.zone-c.id] #변경해야될수있음. 
- subnet_list = [local.public_subnet.zone-a.id, local.public_subnet.zone-c.id] - - depends_on = [ - module.eks_cluster_iam, - module.eks_sg, - ] - - client_id = data.aws_caller_identity.this.id - -} - -module "eks_node_group" { - source = "../modules/eks-node-group" - node_group_name = "${local.common_tags.project}-ng" - cluster_name = module.eks_cluster.cluster_name - # iam_role_arn = module.eks_nodegroup_iam.iam_arn - iam_role_arn = "arn:aws:iam::448559955338:role/eks-nodegroup-test" - # subnet_list = [module.subnet_public.subnet.zone-a.id, module.subnet_public.subnet.zone-c.id] #변경해야될수있음. - subnet_list = [local.public_subnet.zone-a.id, local.public_subnet.zone-c.id] - - desired_size = local.node_group_scaling_config.desired_size - max_size = local.node_group_scaling_config.max_size - min_size = local.node_group_scaling_config.min_size - - depends_on = [ - module.eks_nodegroup_iam, - module.eks_cluster, - ] -} - -module "ng_sg_ingress_http" { - # for_each = local.tcp_port - source = "../modules/sg-rule-add" - type = "ingress" - from_port = "2049" - to_port = "2049" - protocol = local.tcp_protocol - cidr_blocks = local.all_ips - security_group_id = module.eks_node_group.ng_sg - - tag_name = "ng_sg_sub" - - depends_on = [ - module.eks_node_group - ] -} + alias { + name = "k8s-22shopekscluster-42f56c4a0b-158144463.ap-northeast-2.elb.amazonaws.com" + zone_id = "ZWKZPGTI48KDX" + evaluate_target_health = true + } +} \ No newline at end of file diff --git a/prod-hq-dns/outputs.tf b/prod-hq-dns/outputs.tf index fe5e39b..2230c37 100644 --- a/prod-hq-dns/outputs.tf +++ b/prod-hq-dns/outputs.tf 
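Review bot: `aws_route53_record.www` aliases `hq.ddochi.ml` to a hard-coded ALB hostname (`k8s-22shopekscluster-…elb.amazonaws.com`) and a hard-coded target `zone_id`, while the same hunk removes every EKS/IAM/security-group resource that used to live in this workspace, so nothing in Terraform ties the record to the load balancer's lifetime; when that ALB (apparently created by the Kubernetes ingress controller, judging by the `k8s-` prefix) is replaced or deleted, the record becomes a dangling alias. Resolve the target through a `data "aws_lb"` lookup so a plan fails when the target is gone instead of silently leaving a stale pointer, and derive the name from `local.dns_name` (`"hq.${local.dns_name}"`) rather than repeating the literal. The module instance is named `rote53` (typo for `route53`); renaming it is cheap while this workspace has no prior state under the new `22shop/hq-dns` backend, but if state does already exist, the removal of the EKS modules will plan a destroy of the cluster and node group.
```hcl
data "aws_lb" "ingress" {
  name = local.ingress_lb_name # the k8s-22shopekscluster-… ALB; plan fails if it no longer exists
}

resource "aws_route53_record" "www" {
  zone_id = module.rote53.zone_id
  name    = "hq.${local.dns_name}"
  type    = "A"

  alias {
    name                   = data.aws_lb.ingress.dns_name
    zone_id                = data.aws_lb.ingress.zone_id
    evaluate_target_health = true
  }
}
```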
@@ -1,13 +1,8 @@ //main-outputs -output "aws_id" { - description = "The AWS Account ID." - value = data.aws_caller_identity.this.account_id -} -output "ng_sg" { - description = "Identifier of the remote access EC2 Security Group." - value = module.eks_node_group.ng_sg - -} +# output "aws_id" { +# description = "The AWS Account ID." +# value = data.aws_caller_identity.this.account_id +# } # output "cluster_oidc" { # description = "eks_cluster_identity" # value = module.eks_cluster.cluster_oidc diff --git a/prod-hq-dns/terraform.tf b/prod-hq-dns/terraform.tf index fc448f4..397fd56 100644 --- a/prod-hq-dns/terraform.tf +++ b/prod-hq-dns/terraform.tf @@ -1,10 +1,10 @@ terraform { backend "remote"{ hostname = "app.terraform.io" - organization = "icurfer" + organization = "22shop" workspaces { - name = "tf-cloud-dns" + name = "hq-dns" } } } \ No newline at end of file diff --git a/prod-hq-network/main.tf b/prod-hq-network/main.tf index 0b44885..f025d04 100644 --- a/prod-hq-network/main.tf +++ b/prod-hq-network/main.tf @@ -15,11 +15,13 @@ locals { owner = "icurfer" } cidr = { - vpc = "10.3.0.0/16" - zone_a = "10.3.1.0/24" - zone_c = "10.3.3.0/24" + vpc = "10.3.0.0/16" + zone_a = "10.3.1.0/24" + zone_c = "10.3.3.0/24" zone_a_private = "10.3.2.0/24" zone_c_private = "10.3.4.0/24" + zone_a_tgw = "10.3.5.0/24" + zone_c_tgw = "10.3.6.0/24" } tcp_port = { any_port = 0 @@ -114,7 +116,7 @@ module "vpc_igw" { module "subnet_public" { source = "../modules/vpc-subnet" - vpc_id = module.vpc_hq.vpc_hq_id + vpc_id = module.vpc_hq.vpc_hq_id subnet-az-list = { "zone-a" = { name = "${local.region}a" 
@@ -125,16 +127,16 @@ module "subnet_public" { cidr = local.cidr.zone_c } } - public_ip_on = true + public_ip_on = true # vpc_name = "${local.common_tags.project}-public" #alb-ingress 생성을 위해 지정 - k8s_ingress = true + k8s_ingress = true # vpc_name = local.eks_ingress_type.public vpc_name = local.eks_ingress_type.private } // private외부통신을 위한 nat module "nat_gw" { - source = "../modules/nat-gateway" + source = "../modules/nat-gateway" subnet_id = module.subnet_public.subnet.zone-a.id depends_on = [ @@ -151,10 +153,10 @@ module "route_public" { } module "route_add" { - source = "../modules/route-add" + source = "../modules/route-add" route_id = module.route_public.route_id - igw_id = module.vpc_igw.igw_id - gw_type = "igw" + igw_id = module.vpc_igw.igw_id + gw_type = "igw" } module "route_association" { @@ -170,7 +172,7 @@ module "route_association" { module "subnet_private" { source = "../modules/vpc-subnet" - vpc_id = module.vpc_hq.vpc_hq_id + vpc_id = module.vpc_hq.vpc_hq_id subnet-az-list = { "zone-a" = { name = "${local.region}a" @@ -181,11 +183,11 @@ module "subnet_private" { cidr = local.cidr.zone_c_private } } - public_ip_on = false + public_ip_on = false # vpc_name = "${local.common_tags.project}-public" #alb-ingress 생성을 위해 지정 - k8s_ingress = false - vpc_name = "null" + k8s_ingress = false + vpc_name = "null" } // private route @@ -196,10 +198,10 @@ module "route_private" { } module "route_add_nat" { - source = "../modules/route-add" + source = "../modules/route-add" route_id = module.route_private.route_id - nat_id = module.nat_gw.nat_id - gw_type = "nat" + nat_id = module.nat_gw.nat_id + gw_type = "nat" } module "route_association_nat" { source = "../modules/route-association" 
@@ -208,3 +210,41 @@ module "route_association_nat" { association_count = 2 subnet_ids = [module.subnet_private.subnet.zone-a.id, module.subnet_private.subnet.zone-c.id] } +#----------------------------------------------------------------------------------------------------# +###################################################################################################### +#----------------------------------------------------------------------------------------------------# +//tgw-subnet +module "subnet_private_tgw" { + source = "../modules/vpc-subnet" + + vpc_id = module.vpc_hq.vpc_hq_id + subnet-az-list = { + "zone-a" = { + name = "${local.region}a" + cidr = local.cidr.zone_a_tgw + } + "zone-c" = { + name = "${local.region}c" + cidr = local.cidr.zone_c_tgw + } + } + public_ip_on = false + # vpc_name = "${local.common_tags.project}-public" + #alb-ingress 생성을 위해 지정 + k8s_ingress = false + vpc_name = "null" +} +// private route +module "route_private_tgw" { + source = "../modules/route-table" + tag_name = "${local.common_tags.project}-private_tbl_tgw" + vpc_id = module.vpc_hq.vpc_hq_id + +} +module "route_association_tgw" { + source = "../modules/route-association" + route_table_id = module.route_private_tgw.route_id + + association_count = 2 + subnet_ids = [module.subnet_private_tgw.subnet.zone-a.id, module.subnet_private_tgw.subnet.zone-c.id] +}
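Review bot: The new `subnet_private_tgw` subnets get a route table (`route_private_tgw`) but this hunk adds neither a transit-gateway attachment nor any route into that table, so the subnets are reachable only within the VPC until a follow-up lands; a comment would stop the next reader from assuming the TGW path already exists, e.g. `// TGW attachment and routes are added separately; these subnets carry only the VPC-local route for now`. `vpc_name = "null"` passes the literal string `"null"` rather than HCL `null`, copied from `subnet_private`; whether the module turns that into a tag value is not visible here, so verify before it spreads to a third subnet pair. The `// private route` comment was copied from the private-subnet section and should name the TGW table.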