mirror of https://github.com/pulumi/pulumi.git
# VPC
# VPC that hosts the subnets, security group, cluster and node group
# declared below (every one of them references eksVpc.id or its subnets).
resource eksVpc "aws:ec2:Vpc" {
    # Both in-VPC DNS resolution and DNS hostnames are turned on.
    enableDnsSupport = true
    enableDnsHostnames = true
    instanceTenancy = "default"
    # /16 that the per-AZ /24 subnets are carved out of.
    cidrBlock = "10.100.0.0/16"
    tags = {
        "Name" = "pulumi-eks-vpc"
    }
}

# Internet gateway attached to eksVpc; eksRouteTable sends 0.0.0.0/0 here.
resource eksIgw "aws:ec2:InternetGateway" {
    tags = { "Name" = "pulumi-vpc-ig" }
    vpcId = eksVpc.id
}

# Route table with a single default route to the internet gateway. Every
# subnet associated with it (all of vpcSubnet, via rta) is therefore a
# public subnet.
resource eksRouteTable "aws:ec2:RouteTable" {
    tags = { "Name" = "pulumi-vpc-rt" }
    vpcId = eksVpc.id
    routes = [
        {
            gatewayId = eksIgw.id
            cidrBlock = "0.0.0.0/0"
        }
    ]
}

# Subnets, one for each AZ in a region
# Availability zones of the configured region; vpcSubnet and rta range over
# zones.names, so one subnet and one association is created per zone.
zones = invoke("aws:index:getAvailabilityZones", {})
# One subnet per availability zone. The /24 is carved out of the VPC /16
# using the zone's list index (range.key); the zone name (range.value) goes
# into the availability zone and the Name tag.
resource vpcSubnet "aws:ec2:Subnet" {
    options { range = zones.names }

    vpcId = eksVpc.id
    availabilityZone = range.value
    cidrBlock = "10.100.${range.key}.0/24"
    # Instances launched here get a public IPv4 address. nodeGroup uses these
    # same subnets and eksRouteTable gives them a default route to the IGW, so
    # the worker nodes are directly reachable from the internet, subject only
    # to security group rules. Private nodes would need this set to false
    # plus a NAT route instead of the IGW route.
    mapPublicIpOnLaunch = true
    assignIpv6AddressOnCreation = false
    tags = {
        "Name" = "pulumi-sn-${range.value}"
    }
}

# Associate every subnet with the public route table (same range as
# vpcSubnet, so range.key indexes the matching subnet).
resource rta "aws:ec2:RouteTableAssociation" {
    options { range = zones.names }

    subnetId = vpcSubnet[range.key].id
    routeTableId = eksRouteTable.id
}

# Ids of all per-AZ subnets; shared by eksCluster.vpcConfig and nodeGroup.
subnetIds = vpcSubnet.*.id
# Security Group
# Security group passed to eksCluster.vpcConfig. Both ingress rules accept
# traffic from every IPv4 address (0.0.0.0/0). No egress block is declared;
# NOTE(review): presumably the AWS default allow-all egress rule is left in
# place — confirm with the provider behaviour for the version in use.
resource eksSecurityGroup "aws:ec2:SecurityGroup" {
    tags = { "Name" = "pulumi-cluster-sg" }
    vpcId = eksVpc.id
    description = "Allow all HTTP(s) traffic to EKS Cluster"
    ingress = [
        {
            # Despite the description this rule admits any source, not only
            # pods inside the VPC. If in-VPC traffic is the intent, the source
            # can be narrowed to eksVpc.cidrBlock.
            description = "Allow pods to communicate with the cluster API Server."
            protocol = "tcp"
            fromPort = 443
            toPort = 443
            cidrBlocks = ["0.0.0.0/0"]
        },
        {
            # Plain HTTP from anywhere.
            description = "Allow internet access to pods"
            protocol = "tcp"
            fromPort = 80
            toPort = 80
            cidrBlocks = ["0.0.0.0/0"]
        }
    ]
}

# EKS Cluster Role
# IAM role for the cluster control plane. The trust policy only lets the EKS
# service principal assume it; permissions come from servicePolicyAttachment
# and clusterPolicyAttachment below.
resource eksRole "aws:iam:Role" {
    assumeRolePolicy = toJSON({
        "Version" = "2012-10-17"
        "Statement" = [
            {
                "Action" = "sts:AssumeRole"
                "Principal" = {
                    "Service" = "eks.amazonaws.com"
                }
                "Effect" = "Allow"
                "Sid" = ""
            }
        ]
    })
}

# AWS-managed AmazonEKSServicePolicy on the cluster role.
# NOTE(review): AWS documents this policy as no longer required for clusters
# that use the EKS service-linked role; keep or drop per the target account —
# verify before removing.
resource servicePolicyAttachment "aws:iam:RolePolicyAttachment" {
    policyArn = "arn:aws:iam::aws:policy/AmazonEKSServicePolicy"
    role = eksRole.id
}

# AWS-managed AmazonEKSClusterPolicy on the cluster role (required for the
# control plane to manage cluster resources on the account's behalf).
resource clusterPolicyAttachment "aws:iam:RolePolicyAttachment" {
    policyArn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
    role = eksRole.id
}

# EC2 NodeGroup Role
# IAM role for the worker nodes. The trust policy only lets EC2 instances
# assume it; permissions come from the three RolePolicyAttachment resources
# below (worker node, CNI, ECR read-only).
resource ec2Role "aws:iam:Role" {
    assumeRolePolicy = toJSON({
        "Version" = "2012-10-17"
        "Statement" = [
            {
                "Action" = "sts:AssumeRole"
                "Principal" = {
                    "Service" = "ec2.amazonaws.com"
                }
                "Effect" = "Allow"
                "Sid" = ""
            }
        ]
    })
}

# AWS-managed AmazonEKSWorkerNodePolicy on the node role.
resource workerNodePolicyAttachment "aws:iam:RolePolicyAttachment" {
    policyArn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
    role = ec2Role.id
}

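# AWS-managed CNI policy on the node role, so the VPC CNI plugin can manage
# ENIs and addresses for pods.
# The managed policy is named AmazonEKS_CNI_Policy (with underscores); the
# previous "AmazonEKSCNIPolicy" ARN does not exist and the attachment would
# fail at deploy time.
resource cniPolicyAttachment "aws:iam:RolePolicyAttachment" {
    policyArn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
    role = ec2Role.id
}
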
# Read-only ECR access for the node role (pull images only; no push).
resource registryPolicyAttachment "aws:iam:RolePolicyAttachment" {
    policyArn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
    role = ec2Role.id
}

# EKS Cluster
# EKS control plane, placed in all per-AZ subnets and guarded by
# eksSecurityGroup.
resource eksCluster "aws:eks:Cluster" {
    tags = { "Name" = "pulumi-eks-cluster" }
    roleArn = eksRole.arn
    vpcConfig = {
        subnetIds = subnetIds
        securityGroupIds = [eksSecurityGroup.id]
        # The public API endpoint accepts connections from any IPv4 address.
        # Narrowing this list to the operators' egress ranges, or enabling
        # endpointPrivateAccess for in-VPC clients, reduces the exposed
        # surface of the API server.
        publicAccessCidrs = ["0.0.0.0/0"]
    }
}

# Managed node group of 1–2 nodes running under ec2Role.
resource nodeGroup "aws:eks:NodeGroup" {
    tags = { "Name" = "pulumi-cluster-nodeGroup" }
    clusterName = eksCluster.name
    nodeGroupName = "pulumi-eks-nodegroup"
    nodeRoleArn = ec2Role.arn
    # Same subnets as the cluster; vpcSubnet has mapPublicIpOnLaunch enabled,
    # so every node receives a public IPv4 address.
    subnetIds = subnetIds
    scalingConfig = {
        minSize = 1
        desiredSize = 2
        maxSize = 2
    }
}

# Name of the created cluster (also embedded in the kubeconfig output).
output "clusterName" {
    value = eksCluster.name
}

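# Kubeconfig for the new cluster. It carries no long-lived credential: the
# user entry uses an exec plugin (aws-iam-authenticator) that obtains a token
# from the caller's AWS identity at connection time, and the CA bundle is
# public data, so the output does not need to be marked secret.
#
# Fixes relative to the previous version of this output:
#   - the contexts entry used the key "contest" instead of "context" and had
#     no "name", so "current-context": "aws" referred to a context that did
#     not exist;
#   - "args" sat next to "exec" instead of inside it, so kubectl would have
#     invoked the plugin with no arguments.
output "kubeconfig" {
    value = toJSON({
        apiVersion = "v1"
        clusters = [{
            cluster = {
                server = eksCluster.endpoint
                "certificate-authority-data" = eksCluster.certificateAuthority.data
            }
            name = "kubernetes"
        }]
        contexts = [{
            context = {
                cluster = "kubernetes"
                user = "aws"
            }
            # Must match "current-context" below.
            name = "aws"
        }]
        "current-context" = "aws"
        kind = "Config"
        users = [{
            name = "aws"
            user = {
                exec = {
                    # NOTE(review): v1alpha1 of the ExecCredential API has been
                    # removed from recent kubectl releases; v1beta1 is the
                    # supported version — confirm against the target kubectl
                    # and aws-iam-authenticator versions before bumping.
                    apiVersion = "client.authentication.k8s.io/v1alpha1"
                    command = "aws-iam-authenticator"
                    args = [
                        "token",
                        "-i",
                        eksCluster.name
                    ]
                }
            }
        }]
    })
}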