import pulumi import json import pulumi_aws as aws # VPC eks_vpc = aws.ec2.Vpc("eksVpc", cidr_block="10.100.0.0/16", instance_tenancy="default", enable_dns_hostnames=True, enable_dns_support=True, tags={ "Name": "pulumi-eks-vpc", }) eks_igw = aws.ec2.InternetGateway("eksIgw", vpc_id=eks_vpc.id, tags={ "Name": "pulumi-vpc-ig", }) eks_route_table = aws.ec2.RouteTable("eksRouteTable", vpc_id=eks_vpc.id, routes=[{ "cidr_block": "0.0.0.0/0", "gateway_id": eks_igw.id, }], tags={ "Name": "pulumi-vpc-rt", }) # Subnets, one for each AZ in a region zones = aws.get_availability_zones() vpc_subnet = [] for range in [{"key": k, "value": v} for [k, v] in enumerate(zones.names)]: vpc_subnet.append(aws.ec2.Subnet(f"vpcSubnet-{range['key']}", assign_ipv6_address_on_creation=False, vpc_id=eks_vpc.id, map_public_ip_on_launch=True, cidr_block=f"10.100.{range['key']}.0/24", availability_zone=range["value"], tags={ "Name": f"pulumi-sn-{range['value']}", })) rta = [] for range in [{"key": k, "value": v} for [k, v] in enumerate(zones.names)]: rta.append(aws.ec2.RouteTableAssociation(f"rta-{range['key']}", route_table_id=eks_route_table.id, subnet_id=vpc_subnet[range["key"]].id)) subnet_ids = [__item.id for __item in vpc_subnet] eks_security_group = aws.ec2.SecurityGroup("eksSecurityGroup", vpc_id=eks_vpc.id, description="Allow all HTTP(s) traffic to EKS Cluster", tags={ "Name": "pulumi-cluster-sg", }, ingress=[ { "cidr_blocks": ["0.0.0.0/0"], "from_port": 443, "to_port": 443, "protocol": "tcp", "description": "Allow pods to communicate with the cluster API Server.", }, { "cidr_blocks": ["0.0.0.0/0"], "from_port": 80, "to_port": 80, "protocol": "tcp", "description": "Allow internet access to pods", }, ]) # EKS Cluster Role eks_role = aws.iam.Role("eksRole", assume_role_policy=json.dumps({ "Version": "2012-10-17", "Statement": [{ "Action": "sts:AssumeRole", "Principal": { "Service": "eks.amazonaws.com", }, "Effect": "Allow", "Sid": "", }], })) service_policy_attachment = aws.iam.RolePolicyAttachment("servicePolicyAttachment", role=eks_role.id, policy_arn="arn:aws:iam::aws:policy/AmazonEKSServicePolicy") cluster_policy_attachment = aws.iam.RolePolicyAttachment("clusterPolicyAttachment", role=eks_role.id, policy_arn="arn:aws:iam::aws:policy/AmazonEKSClusterPolicy") # EC2 NodeGroup Role ec2_role = aws.iam.Role("ec2Role", assume_role_policy=json.dumps({ "Version": "2012-10-17", "Statement": [{ "Action": "sts:AssumeRole", "Principal": { "Service": "ec2.amazonaws.com", }, "Effect": "Allow", "Sid": "", }], })) worker_node_policy_attachment = aws.iam.RolePolicyAttachment("workerNodePolicyAttachment", role=ec2_role.id, policy_arn="arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy") cni_policy_attachment = aws.iam.RolePolicyAttachment("cniPolicyAttachment", role=ec2_role.id, policy_arn="arn:aws:iam::aws:policy/AmazonEKSCNIPolicy") registry_policy_attachment = aws.iam.RolePolicyAttachment("registryPolicyAttachment", role=ec2_role.id, policy_arn="arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly") # EKS Cluster eks_cluster = aws.eks.Cluster("eksCluster", role_arn=eks_role.arn, tags={ "Name": "pulumi-eks-cluster", }, vpc_config={ "public_access_cidrs": ["0.0.0.0/0"], "security_group_ids": [eks_security_group.id], "subnet_ids": subnet_ids, }) node_group = aws.eks.NodeGroup("nodeGroup", cluster_name=eks_cluster.name, node_group_name="pulumi-eks-nodegroup", node_role_arn=ec2_role.arn, subnet_ids=subnet_ids, tags={ "Name": "pulumi-cluster-nodeGroup", }, scaling_config={ "desired_size": 2, "max_size": 2, "min_size": 1, }) pulumi.export("clusterName", eks_cluster.name) pulumi.export("kubeconfig", pulumi.Output.json_dumps({ "apiVersion": "v1", "clusters": [{ "cluster": { "server": eks_cluster.endpoint, "certificate-authority-data": eks_cluster.certificate_authority.data, }, "name": "kubernetes", }], "contexts": [{ "contest": { "cluster": "kubernetes", "user": "aws", }, }], "current-context": "aws", "kind": "Config", "users": [{ "name": "aws", "user": { "exec": { "apiVersion": "client.authentication.k8s.io/v1alpha1", "command": "aws-iam-authenticator", }, "args": [ "token", "-i", eks_cluster.name, ], }, }], }))