From f0402956e247b6b21fbcce27979974abc37345d8 Mon Sep 17 00:00:00 2001 From: Seong-dong Date: Tue, 10 Jan 2023 09:29:59 +0900 Subject: [PATCH] private public add --- modules/eks-node-group/outputs.tf | 8 +- modules/route53/variables.tf | 7 +- modules/vpc-subnet/main.tf | 2 +- modules/vpc-subnet/valiables.tf | 4 + pord_hq-ecr/.terraform.lock.hcl | 10 ++ pord_hq-ecr/main.tf | 48 +----- prod-hq-dns/main.tf | 233 ++++++++++++++++++++++++++++++ prod-hq-dns/outputs.tf | 18 +++ prod-hq-dns/terraform.tf | 10 ++ prod-hq-dns/valiables.tf | 45 ++++++ prod-hq-efs/.terraform.lock.hcl | 25 ++++ prod-hq-efs/main.tf | 4 +- prod-hq-efs/terraform.tf | 2 +- prod-hq-eks/.terraform.lock.hcl | 10 ++ prod-hq-eks/main.tf | 12 +- prod-hq-network/main.tf | 72 ++------- prod-hq-network/terraform.tf | 2 +- 17 files changed, 393 insertions(+), 119 deletions(-) create mode 100644 pord_hq-ecr/.terraform.lock.hcl create mode 100644 prod-hq-dns/main.tf create mode 100644 prod-hq-dns/outputs.tf create mode 100644 prod-hq-dns/terraform.tf create mode 100644 prod-hq-dns/valiables.tf create mode 100644 prod-hq-efs/.terraform.lock.hcl create mode 100644 prod-hq-eks/.terraform.lock.hcl diff --git a/modules/eks-node-group/outputs.tf b/modules/eks-node-group/outputs.tf index 1aaa638..5b68115 100644 --- a/modules/eks-node-group/outputs.tf +++ b/modules/eks-node-group/outputs.tf @@ -1,5 +1,5 @@ output "ng_sg" { - description = "Identifier of the remote access EC2 Security Group." - value = "${aws_eks_node_group.eks-ng.resources[0].remote_access_security_group_id}" - -} \ No newline at end of file + description = "Identifier of the remote access EC2 Security Group." + value = aws_eks_node_group.eks-ng.resources + +} diff --git a/modules/route53/variables.tf b/modules/route53/variables.tf index 546fdcf..9e59969 100644 --- a/modules/route53/variables.tf +++ b/modules/route53/variables.tf 
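Review bot: `value = aws_eks_node_group.eks-ng.resources` now exports the whole `resources` list of objects while the description on the line above still promises a single security-group identifier, and prod-hq-dns/main.tf passes this output as `security_group_id` to the sg-rule-add module, where a string is expected. prod-hq-dns/outputs.tf re-exports the same output under the same description. If the index was dropped because `remote_access_security_group_id` is empty when no remote access is configured on the node group (an assumption on my side), `value = try(aws_eks_node_group.eks-ng.resources[0].remote_access_security_group_id, null)` keeps the documented contract and fails softly instead of changing the type.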
@@ -3,7 +3,12 @@ variable "name" { type = string } -variable "name" { +variable "public" { description = "route53 name" + type = bool +} + +variable "vpc_id" { + description = "vpc_id" type = string } \ No newline at end of file diff --git a/modules/vpc-subnet/main.tf b/modules/vpc-subnet/main.tf index 32a38b5..00fa9ad 100644 --- a/modules/vpc-subnet/main.tf +++ b/modules/vpc-subnet/main.tf @@ -10,7 +10,7 @@ resource "aws_subnet" "subnets" { tags = { Name = var.vpc_name - "kubernetes.io/role/elb" = 1 + "kubernetes.io/role/elb" = "${var.k8s_ingress ? 1 : 0}" # Name = module.vpc_hq.vpcHq.id } } \ No newline at end of file diff --git a/modules/vpc-subnet/valiables.tf b/modules/vpc-subnet/valiables.tf index a9ad426..2eb3bc0 100644 --- a/modules/vpc-subnet/valiables.tf +++ b/modules/vpc-subnet/valiables.tf @@ -33,4 +33,8 @@ variable "subnet-az-list" { variable "public_ip_on" { type = bool +} + +variable "k8s_ingress" { + type = bool } \ No newline at end of file diff --git a/pord_hq-ecr/.terraform.lock.hcl b/pord_hq-ecr/.terraform.lock.hcl new file mode 100644 index 0000000..c4e33ee --- /dev/null +++ b/pord_hq-ecr/.terraform.lock.hcl @@ -0,0 +1,10 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "4.49.0" + constraints = "~> 4.0" + hashes = [ + "h1:HxPUxrHpAJey832OwVk3J2T7lHpRzMavqjXDzaFyM6I=", + ] +} diff --git a/pord_hq-ecr/main.tf b/pord_hq-ecr/main.tf index f646bf8..259aae2 100644 --- a/pord_hq-ecr/main.tf +++ b/pord_hq-ecr/main.tf @@ -29,11 +29,6 @@ locals { tcp_protocol = "tcp" icmp_protocol = "icmp" all_ips = ["0.0.0.0/0"] - - iam_name = { - cloud9 = "cloud9" - } - } // GET 계정정보 
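Review bot: The new `variable "public"` keeps the description `"route53 name"` copied from the `name` variable it replaces, so the one boolean that decides zone visibility is undocumented. Something like `description = "Create a public hosted zone; when false the zone is private and associated with vpc_id"` would state the intent, adjusted to what modules/route53/main.tf actually does since that file is not in this diff. `vpc_id` has no default, so callers creating a public zone presumably still have to pass a value; if it is only read for private zones, `default = null` would make that optional.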
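Review bot: With `"kubernetes.io/role/elb" = "${var.k8s_ingress ? 1 : 0}"` the tag key is still written on non-ingress subnets, only with value `0`; depending on the load balancer controller version, subnet discovery filters on the tag key rather than the value, so such subnets may still be picked for internet-facing load balancers. Omitting the tag entirely is the unambiguous form: `tags = merge({ Name = var.vpc_name }, var.k8s_ingress ? { "kubernetes.io/role/elb" = "1" } : {})`. The `"${...}"` wrapper around a bare expression is also the legacy interpolation style and can be dropped.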
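Review bot: `variable "k8s_ingress"` in modules/vpc-subnet/valiables.tf is added without a `description` or `default`, so every existing caller of the module now fails validation until it sets the value, and a reader has to open main.tf to learn what it controls. A one-line `description = "When true, tag the subnets for discovery by the Kubernetes load balancer controller"` and, if the old behaviour should be preserved for callers that do not set it, `default = false` would cover both.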
@@ -57,45 +52,4 @@ module "ecr" { names_list = ["app"] //names_list = ["web", "nginx", "mariadb"] -} - - - -/* -// colud9 생성 및 추가 -module "cloud9_iam" { - source = "../modules/iam" - iam_name = local.iam_name.cloud9 - policy = data.aws_iam_policy_document.cloud9_role.json - tag_name = local.common_tags.project -} -module "cloud9_iam_att_admin_access" { - source = "../modules/iam-policy-attach" - iam_name = local.iam_name.cloud9 - role_name = module.cloud9_iam.iam_name - arn = "arn:aws:iam::aws:policy/AdministratorAccess" - - depends_on = [ - module.cloud9_iam - ] -} - -// cloud9 -module "cloud9_ec2" { - source = "../modules/cloud9-ec2" - name = local.common_tags.project - instance_type = "t2.micro" - -} -module "cloud9_ec2_env" { - source = "../modules/cloud9-ec2-env" - cloud9_id = module.cloud9_ec2.cloud9_id - permissions = "read-only" - user_arn = module.cloud9_iam.iam_arn - - depends_on = [ - module.cloud9_iam, - module.cloud9_ec2 - ] -} -*/ \ No newline at end of file +} \ No newline at end of file diff --git a/prod-hq-dns/main.tf b/prod-hq-dns/main.tf new file mode 100644 index 0000000..2619739 --- /dev/null +++ b/prod-hq-dns/main.tf 
@@ -0,0 +1,233 @@
+// prod - main
+provider "aws" {
+ region = "ap-northeast-2"
+
+ #2.x버전의 AWS공급자 허용
+ version = "~> 3.0"
+
+}
+
+locals {
+ vpc_id = data.terraform_remote_state.hq_vpc_id.outputs.vpc_id
+ public_subnet = data.terraform_remote_state.hq_vpc_id.outputs.subnet
+ common_tags = {
+ project = "22shop"
+ owner = "icurfer"
+
+ }
+ tcp_port = {
+ # any_port = 0
+ http_port = 80
+ https_port = 443
+ ssh_port = 22
+ dns_port = 53
+ django_port = 8000
+ mysql_port = 3306
+ }
+ udp_port = {
+ dns_port = 53
+ }
+ any_protocol = "-1"
+ tcp_protocol = "tcp"
+ icmp_protocol = "icmp"
+ all_ips = ["0.0.0.0/0"]
+
+ node_group_scaling_config = {
+ desired_size = 2
+ max_size = 4
+ min_size = 1
+ }
+}
+
+// GET 계정정보
+data "aws_caller_identity" "this" {}
+
+// eks를 위한 iam역할 생성 데이터 조회
+data "aws_iam_policy_document" "eks-assume-role-policy" {
+ statement {
+ actions = ["sts:AssumeRole"]
+
+ principals {
+ type = "Service"
+ identifiers = ["eks.amazonaws.com"]
+ }
+ }
+}
+data "aws_iam_policy_document" "eks_node_group_role" {
+ statement {
+ actions = ["sts:AssumeRole"]
+
+ principals {
+ type = "Service"
+ identifiers = ["ec2.amazonaws.com"]
+ }
+ }
+}
+
+// 테라폼클라우드
+data "terraform_remote_state" "hq_vpc_id" {
+ backend = "remote"
+
+ config = {
+ organization = "icurfer"
+
+ workspaces = {
+ name = "tf-22shop-network"
+ }
+ }
+}
+
+// eks 클러스터 역할 생성
+module "eks_cluster_iam" {
+ source = "../modules/iam"
+ iam_name = "eks-cluster-test"
+ policy = data.aws_iam_policy_document.eks-assume-role-policy.json
+ tag_name = local.common_tags.project
+}
+
+// eks 클러스터 역할 정책 추가
+module "eks_cluster_iam_att" {
+ source = "../modules/iam-policy-attach"
+ iam_name = "eks-cluster-att"
+ role_name = module.eks_cluster_iam.iam_name
+ arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
+
+ depends_on = [
+ module.eks_cluster_iam
+ ]
+}
+module "eks_cluster_iam_att2" {
+ source = "../modules/iam-policy-attach"
+ iam_name = "eks-cluster-att"
+ role_name = module.eks_cluster_iam.iam_name
+ arn = "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController"
+
+ depends_on = [
+ module.eks_cluster_iam
+ ]
+}
+
+// eks 노드그룹 역할 생성 및 추가
+module "eks_nodegroup_iam" {
+ source = "../modules/iam"
+ iam_name = "eks-nodegroup-test"
+ policy = data.aws_iam_policy_document.eks_node_group_role.json
+ tag_name = local.common_tags.project
+}
+module "eks_nodegroup_iam_att_1" {
+ source = "../modules/iam-policy-attach"
+ iam_name = "eks-nodegroup-att"
+ role_name = module.eks_nodegroup_iam.iam_name
+ arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
+
+ depends_on = [
+ module.eks_nodegroup_iam
+ ]
+}
+module "eks_nodegroup_iam_att_2" {
+ source = "../modules/iam-policy-attach"
+ iam_name = "eks-nodegroup-att"
+ role_name = module.eks_nodegroup_iam.iam_name
+ arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
+
+ depends_on = [
+ module.eks_nodegroup_iam
+ ]
+}
+module "eks_nodegroup_iam_att_3" {
+ source = "../modules/iam-policy-attach"
+ iam_name = "eks-nodegroup-att"
+ role_name = module.eks_nodegroup_iam.iam_name
+ arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+
+ depends_on = [
+ module.eks_nodegroup_iam
+ ]
+}
+
+// 보안그룹 생성
+module "eks_sg" {
+ source = "../modules/sg"
+ sg_name = "${local.common_tags.project}-sg"
+ # vpc_id = module.vpc_hq.vpc_hq_id
+ vpc_id = local.vpc_id
+
+}
+
+module "eks_sg_ingress_http" {
+ for_each = local.tcp_port
+ source = "../modules/sg-rule-add"
+ type = "ingress"
+ from_port = each.value
+ to_port = each.value
+ protocol = local.tcp_protocol
+ cidr_blocks = local.all_ips
+ security_group_id = module.eks_sg.sg_id
+
+ tag_name = each.key
+}
+
+module "eks_sg_egress_all" {
+ source = "../modules/sg-rule-add"
+ type = "egress"
+ from_port = local.any_protocol
+ to_port = local.any_protocol
+ protocol = local.any_protocol
+ cidr_blocks = local.all_ips
+ security_group_id = module.eks_sg.sg_id
+
+ tag_name = "egress-all"
+}
+
+module "eks_cluster" {
+ source = "../modules/eks-cluster"
+ name = local.common_tags.project
+ iam_role_arn = module.eks_cluster_iam.iam_arn
+ sg_list = [module.eks_sg.sg_id]
+ # subnet_list = [module.subnet_public.subnet.zone-a.id, module.subnet_public.subnet.zone-c.id] #변경해야될수있음.
+ subnet_list = [local.public_subnet.zone-a.id, local.public_subnet.zone-c.id]
+
+ depends_on = [
+ module.eks_cluster_iam,
+ module.eks_sg,
+ ]
+
+ client_id = data.aws_caller_identity.this.id
+
+}
+
+module "eks_node_group" {
+ source = "../modules/eks-node-group"
+ node_group_name = "${local.common_tags.project}-ng"
+ cluster_name = module.eks_cluster.cluster_name
+ # iam_role_arn = module.eks_nodegroup_iam.iam_arn
+ iam_role_arn = "arn:aws:iam::448559955338:role/eks-nodegroup-test"
+ # subnet_list = [module.subnet_public.subnet.zone-a.id, module.subnet_public.subnet.zone-c.id] #변경해야될수있음.
+ subnet_list = [local.public_subnet.zone-a.id, local.public_subnet.zone-c.id]
+
+ desired_size = local.node_group_scaling_config.desired_size
+ max_size = local.node_group_scaling_config.max_size
+ min_size = local.node_group_scaling_config.min_size
+
+ depends_on = [
+ module.eks_nodegroup_iam,
+ module.eks_cluster,
+ ]
+}
+
+module "ng_sg_ingress_http" {
+ # for_each = local.tcp_port
+ source = "../modules/sg-rule-add"
+ type = "ingress"
+ from_port = "2049"
+ to_port = "2049"
+ protocol = local.tcp_protocol
+ cidr_blocks = local.all_ips
+ security_group_id = module.eks_node_group.ng_sg
+
+ tag_name = "ng_sg_sub"
+
+ depends_on = [
+ module.eks_node_group
+ ]
+}
diff --git a/prod-hq-dns/outputs.tf b/prod-hq-dns/outputs.tf
new file mode 100644
index 0000000..fe5e39b
--- /dev/null
+++ b/prod-hq-dns/outputs.tf
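Review bot: `data "terraform_remote_state" "hq_vpc_id"` in this new file reads workspace `tf-22shop-network`, but the same commit renames that workspace to `tf-cloud-network` in prod-hq-network/terraform.tf and switches prod-hq-efs/main.tf and prod-hq-eks/main.tf to the new name, so this stack would read the old (or an empty) workspace for `vpc_id` and `subnet`; the `name` line should be `name = "tf-cloud-network"`. `module "eks_node_group"` hard-codes `iam_role_arn = "arn:aws:iam::448559955338:role/eks-nodegroup-test"` while the commented line above it and `module "eks_nodegroup_iam"` already produce that ARN, so `iam_role_arn = module.eks_nodegroup_iam.iam_arn` keeps the stack account-portable and removes the only dependency on an account id in the code. `eks_sg_ingress_http` opens every entry of `local.tcp_port` (22, 3306, 8000, 53, 80, 443) to `local.all_ips`, and `ng_sg_ingress_http` opens NFS 2049 to the same `0.0.0.0/0`; for a security group on the cluster and node group, ssh, MySQL and NFS at least belong behind the VPC CIDR or a bastion security group rather than the internet. The directory and workspace are named dns but the file provisions an EKS cluster and node group, which looks like a copy of prod-hq-eks/main.tf; if a Route53 stack is what was intended, this content probably should not be applied as-is.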
@@ -0,0 +1,18 @@
+//main-outputs
+output "aws_id" {
+ description = "The AWS Account ID."
+ value = data.aws_caller_identity.this.account_id
+}
+output "ng_sg" {
+ description = "Identifier of the remote access EC2 Security Group."
+ value = module.eks_node_group.ng_sg
+
+}
+# output "cluster_oidc" {
+# description = "eks_cluster_identity"
+# value = module.eks_cluster.cluster_oidc
+# }
+# output "subnet" {
+# description = "The name of vpc hq id"
+# value = module.subnet_public.subnet
+# }
diff --git a/prod-hq-dns/terraform.tf b/prod-hq-dns/terraform.tf
new file mode 100644
index 0000000..fc448f4
--- /dev/null
+++ b/prod-hq-dns/terraform.tf
@@ -0,0 +1,10 @@
+terraform {
+ backend "remote"{
+ hostname = "app.terraform.io"
+ organization = "icurfer"
+
+ workspaces {
+ name = "tf-cloud-dns"
+ }
+ }
+}
\ No newline at end of file
diff --git a/prod-hq-dns/valiables.tf b/prod-hq-dns/valiables.tf
new file mode 100644
index 0000000..3414430
--- /dev/null
+++ b/prod-hq-dns/valiables.tf
@@ -0,0 +1,45 @@
+# variable "cidr_block" {
+# type = string
+# default = "10.3.0.0/16"
+
+# }
+
+variable "prod_name" {
+ description = "value"
+ type = string
+ default = "22shop"
+}
+
+# variable "igw_id" {
+# description = "value"
+# type = string
+# }
+
+variable "subnet-az-public" {
+ description = "Subnet available zone & cidr"
+ type = map(map(string))
+ default = {
+ "zone-a" = {
+ name = "ap-northeast-2a"
+ cidr = "10.3.1.0/24"
+ }
+ "zone-c" = {
+ name = "ap-northeast-2c"
+ cidr = "10.3.3.0/24"
+ }
+ }
+}
+variable "subnet-az-private" {
+ description = "Subnet available zone & cidr"
+ type = map(map(string))
+ default = {
+ "zone-b" = {
+ name = "ap-northeast-2b"
+ cidr = "10.3.2.0/24"
+ }
+ "zone-d" = {
+ name = "ap-northeast-2d"
+ cidr = "10.3.4.0/24"
+ }
+ }
+}
\ No newline at end of file
diff --git a/prod-hq-efs/.terraform.lock.hcl b/prod-hq-efs/.terraform.lock.hcl
new file mode 100644
index 0000000..c8939b1
--- /dev/null
+++ b/prod-hq-efs/.terraform.lock.hcl
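Review bot: None of the three variables declared in prod-hq-dns/valiables.tf (`prod_name`, `subnet-az-public`, `subnet-az-private`) is referenced by prod-hq-dns/main.tf in this commit, which reads its subnets from remote state instead, so the CIDR defaults here document nothing and can silently diverge from the network stack that actually owns them. `description = "value"` on `prod_name` is a placeholder; either give it a real description such as `description = "Project name used for resource naming and tags"` and use it, or drop the file down to the variables the stack consumes.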
@@ -0,0 +1,25 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "3.76.1" + constraints = "~> 3.0" + hashes = [ + "h1:UOk/iZppUGLh2zjmKJKKWCD6e79GsQokO2xfzOcKjxo=", + "zh:1cf933104a641ffdb64d71a76806f4df35d19101b47e0eb02c9c36bd64bfdd2d", + "zh:273afaf908775ade6c9d32462938e7739ee8b00a0de2ef3cdddc5bc115bb1d4f", + "zh:2bc24ae989e38f575de034083082c69b41c54b8df69d35728853257c400ce0f4", + "zh:53ba88dbdaf9f818d35001c3d519a787f457283d9341f562dc3d0af51fd9606e", + "zh:5cdac7afea68bbd89d3bdb345d99470226482eff41f375f220fe338d2e5808da", + "zh:63127808890ac4be6cff6554985510b15ac715df698d550a3e722722dc56523c", + "zh:97a1237791f15373743189b078a0e0f2fa4dd7d7474077423376cd186312dc55", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:a4f625e97e5f25073c08080e4a619f959bc0149fc853a6b1b49ab41d58b59665", + "zh:b56cca54019237941f7614e8d2712586a6ab3092e8e9492c70f06563259171e9", + "zh:d4bc33bfd6ac78fb61e6d48a61c179907dfdbdf149b89fb97272c663989a7fcd", + "zh:e0089d73fa56d128c574601305634a774eebacf4a84babba71da10040cecf99a", + "zh:e957531f1d92a6474c9b02bd9200da91b99ba07a0ab761c8e3176400dd41721c", + "zh:eceb85818d57d8270db4df7564cf4ed51b5c650a361aaa017c42227158e1946b", + "zh:f565e5caa1b349ec404c6d03d01c68b02233f5485ed038d0aab810dd4023a880", + ] +} diff --git a/prod-hq-efs/main.tf b/prod-hq-efs/main.tf index 8b88099..0654bcf 100644 --- a/prod-hq-efs/main.tf +++ b/prod-hq-efs/main.tf @@ -46,10 +46,10 @@ data "terraform_remote_state" "hq_vpc_id" { backend = "remote" config = { - organization = "22shop" // 초기 설정값 + organization = "icurfer" // 초기 설정값 workspaces = { - name = "tf-22shop-network" + name = "tf-cloud-network" } } } diff --git a/prod-hq-efs/terraform.tf b/prod-hq-efs/terraform.tf index 31437e7..c7f6170 100644 --- a/prod-hq-efs/terraform.tf +++ b/prod-hq-efs/terraform.tf 
@@ -4,7 +4,7 @@ terraform { organization = "icurfer" workspaces { - name = "tf-22shop-hq-efs" + name = "tf-cloud-efs" } } } \ No newline at end of file diff --git a/prod-hq-eks/.terraform.lock.hcl b/prod-hq-eks/.terraform.lock.hcl new file mode 100644 index 0000000..0928293 --- /dev/null +++ b/prod-hq-eks/.terraform.lock.hcl @@ -0,0 +1,10 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "3.76.1" + constraints = "~> 3.0" + hashes = [ + "h1:UOk/iZppUGLh2zjmKJKKWCD6e79GsQokO2xfzOcKjxo=", + ] +} diff --git a/prod-hq-eks/main.tf b/prod-hq-eks/main.tf index 2c2c649..c2dae59 100644 --- a/prod-hq-eks/main.tf +++ b/prod-hq-eks/main.tf @@ -69,10 +69,10 @@ data "terraform_remote_state" "hq_vpc_id" { backend = "remote" config = { - organization = "22shop" + organization = "icurfer" workspaces = { - name = "tf-22shop-network" + name = "tf-cloud-network" } } } @@ -209,6 +209,7 @@ module "eks_node_group" { max_size = local.node_group_scaling_config.max_size min_size = local.node_group_scaling_config.min_size + depends_on = [ module.eks_nodegroup_iam, module.eks_cluster, @@ -219,16 +220,15 @@ module "eks_node_group" { # # for_each = local.tcp_port # source = "../modules/sg-rule-add" # type = "ingress" -# from_port = "8080" -# to_port = "8080" +# from_port = "2049" +# to_port = "2049" # protocol = local.tcp_protocol # cidr_blocks = local.all_ips # security_group_id = module.eks_node_group.ng_sg -# tag_name = "test" +# tag_name = "ng_sg_sub" # depends_on = [ # module.eks_node_group # ] - # } diff --git a/prod-hq-network/main.tf b/prod-hq-network/main.tf index 5d050bd..ea280be 100644 --- a/prod-hq-network/main.tf +++ b/prod-hq-network/main.tf @@ -37,7 +37,7 @@ locals { } eks_ingress_type = { - public = "kubernetes.io/role/elb" + public = "kubernetes.io/role/elb" private = "kubernetes.io/role/internal-elb=1" } } 
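Review bot: Changing `name = "tf-22shop-hq-efs"` to `name = "tf-cloud-efs"` in the remote backend points this root module at a different Terraform Cloud workspace, and the existing state does not follow the rename: the next `terraform init` will prompt about the backend change and, if the new workspace is empty, a plan would try to create the EFS resources a second time. The same applies to the `tf-cloud-network` rename in prod-hq-network/terraform.tf, whose state is also consumed by the `terraform_remote_state` data sources updated in prod-hq-efs/main.tf and prod-hq-eks/main.tf. Migrate with `terraform init -migrate-state` (or create the new workspaces and confirm they hold the state) before applying, and note it in the commit message.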
@@ -96,7 +96,8 @@ module "subnet_public" { public_ip_on = true # vpc_name = "${local.common_tags.project}-public" #alb-ingress 생성을 위해 지정 - vpc_name = local.eks_ingress_type.public + k8s_ingress = true + vpc_name = local.eks_ingress_type.public } // public route @@ -121,62 +122,21 @@ module "route_association" { subnet_ids = [module.subnet_public.subnet.zone-a.id, module.subnet_public.subnet.zone-c.id] } -# // 보안그룹 생성 -# module "eks_sg" { -# source = "../modules/sg" -# sg_name = "${local.common_tags.project}-sg" -# vpc_id = module.vpc_hq.vpc_hq_id +# // private subnet +# module "subnet_private" { +# source = "../modules/vpc-subnet" -# depends_on = [ -# module.vpc_hq -# ] +# vpc_id = module.vpc_hq.vpc_hq_id +# subnet-az-list = var.subnet-az-private +# public_ip_on = false +# k8s_ingress = false +# #alb-ingress 생성을 위해 지정 +# vpc_name = local.eks_ingress_type.public # } -# module "eks_sg_ingress_http" { -# for_each = local.tcp_port -# source = "../modules/sg-rule-add" -# type = "ingress" -# from_port = each.value -# to_port = each.value -# protocol = local.tcp_protocol -# cidr_blocks = local.all_ips -# security_group_id = module.eks_sg.sg_id +# module "route_private" { +# source = "../modules/route-table" +# tag_name = "${local.common_tags.project}-private_route_table" +# vpc_id = module.vpc_hq.vpc_hq_id -# tag_name = each.key # } - -# module "eks_sg_egress_all" { -# source = "../modules/sg-rule-add" -# type = "egress" -# from_port = local.any_protocol -# to_port = local.any_protocol -# protocol = local.any_protocol -# cidr_blocks = local.all_ips -# security_group_id = module.eks_sg.sg_id - -# tag_name = "egress-all" -# } - -# EKS테스트 할때 활성 -# module "ecr" { -# source = "../modules/ecr" - -# names_list = ["web", "nginx", "mariadb"] -# } - -/* -terraform_remote_state reference method -terraform cloud -*/ -# data "terraform_remote_state" "foo" { -# backend = "remote" - -# config = { -# organization = "company" - -# workspaces = { -# name = "workspace" -# } -# } -# } - 
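Review bot: The commented-out `subnet_private` template in the last hunk passes `vpc_name = local.eks_ingress_type.public` together with `k8s_ingress = false`, so enabling it as written would give the private subnets the public ELB role string as their `Name` tag (the vpc-subnet module writes `Name = var.vpc_name`) and no `kubernetes.io/role/internal-elb` tag, because the module in this commit only knows the public tag. If internal load balancers are intended for those subnets, the module needs a private counterpart, for example a second bool that emits `"kubernetes.io/role/internal-elb" = "1"`, and the `private` entry of `local.eks_ingress_type` earlier in this file appears to fuse key and value into one string, which would need separating first. This is inferred from the commented block and the module hunks above, so worth confirming before the template is activated.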
diff --git a/prod-hq-network/terraform.tf b/prod-hq-network/terraform.tf index 2ded444..528cf0c 100644 --- a/prod-hq-network/terraform.tf +++ b/prod-hq-network/terraform.tf @@ -4,7 +4,7 @@ terraform { organization = "icurfer" workspaces { - name = "tf-22shop-network" + name = "tf-cloud-network" } } } \ No newline at end of file