# Resolves the current Amazon Linux 2023 minimal (x86_64) AMI ID from the
# AWS-published public SSM parameter in the provider's configured region.
# NOTE(review): data sources are re-read on every plan, so when AWS publishes a
# new AMI this value changes and aws_instance.bastion is replaced (a new `ami`
# forces a new instance). Pin an AMI ID or add `lifecycle { ignore_changes = [ami] }`
# on the instance if that churn is unwanted.
data "aws_ssm_parameter" "latest_ami" {
  name = "/aws/service/ami-amazon-linux-latest/al2023-ami-minimal-kernel-default-x86_64"
}
## Keypair
# 4096-bit RSA key pair generated by Terraform for bastion SSH access.
# NOTE(review): the private key material is stored in Terraform state in
# plaintext, so the state backend must be treated as a secret (encrypted at rest,
# access-restricted, not committed to version control).
resource "tls_private_key" "rsa" {
  algorithm = "RSA"
  rsa_bits  = 4096
}
# Registers the generated public key with EC2 under a fixed name so the bastion
# can reference it. Only the public half is sent to AWS.
# NOTE(review): the hard-coded key_name "swai" will collide if this module is
# applied twice in the same region/account.
resource "aws_key_pair" "keypair" {
  key_name   = "swai"
  public_key = tls_private_key.rsa.public_key_openssh
}
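# Writes the generated private key next to the configuration so the operator
# can SSH to the bastion. The file is a secret: the local provider's default
# mode is world-readable, so the permission is pinned to owner-only here, and
# ./swai.pem must be kept out of version control. local_sensitive_file would
# additionally redact the content from plan output.
resource "local_file" "keypair" {
  content         = tls_private_key.rsa.private_key_pem
  filename        = "./swai.pem"
  file_permission = "0600"
}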
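# Bastion host in the public subnet. On first boot it installs EKS tooling
# (AWS CLI v2, eksctl, kubectl, helm, docker, git) and seeds the CodeCommit
# repository from the app S3 bucket.
# NOTE(review): the instance profile carries AdministratorAccess, so anyone who
# can reach this host, or its metadata service, effectively holds account-admin
# credentials. IMDSv2 is enforced below so that credentials cannot be read with
# a plain unauthenticated GET from a compromised process on the box.
resource "aws_instance" "bastion" {
  ami                         = data.aws_ssm_parameter.latest_ami.value
  subnet_id                   = aws_subnet.public_subnet_a.id
  instance_type               = "t3.small"
  key_name                    = aws_key_pair.keypair.key_name
  vpc_security_group_ids      = [aws_security_group.bastion.id]
  associate_public_ip_address = true
  iam_instance_profile        = aws_iam_instance_profile.bastion.name

  # Require session tokens for the instance metadata service (IMDSv2 only).
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }

  # First-boot script. It runs as root, so the `sudo` prefixes are redundant.
  # Review notes on the script body:
  # - eksctl ("latest" release) and the helm installer (fetched from the main
  #   branch) are downloaded unpinned and unverified and executed immediately;
  #   only kubectl is pinned. Pin versions and verify published checksums.
  # - The former `chmod 666 /var/run/docker.sock` was dropped: ec2-user is
  #   already added to the docker group, and a world-writable docker socket
  #   gives every local user root-equivalent access to the host.
  # - The closing `aws s3 rm` / `aws s3 rb` deletes the bucket that Terraform
  #   manages as aws_s3_bucket.app, so the next plan will show it as needing
  #   re-creation; consider removing it from state or not deleting it here.
  user_data = <<-EOF
    #!/bin/bash
    yum update -y
    yum install -y jq curl wget zip
    curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
    unzip awscliv2.zip
    sudo ./aws/install
    ln -s /usr/local/bin/aws /usr/bin/
    ln -s /usr/local/bin/aws_completer /usr/bin/
    curl --silent --location "https://github.com/weaveworks/eksctl/releases/latest/download/eksctl_$(uname -s)_amd64.tar.gz" | tar xz -C /tmp
    sudo mv /tmp/eksctl /usr/local/bin
    curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.30.2/2024-07-12/bin/linux/amd64/kubectl
    chmod +x kubectl
    mv kubectl /usr/local/bin
    curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
    chmod 700 get_helm.sh
    ./get_helm.sh
    mv get_helm.sh /usr/local/bin
    yum install -y docker
    systemctl enable --now docker
    usermod -aG docker ec2-user
    usermod -aG docker root
    sudo yum install -y git
    mkdir ~/swai-commit
    mkdir ~/eks
    mkdir ~/yaml
    sudo chown ec2-user:ec2-user ~/swai-commit
    sudo chown ec2-user:ec2-user ~/eks
    sudo chown ec2-user:ec2-user ~/yaml
    su - ec2-user -c 'aws s3 cp s3://${aws_s3_bucket.app.id}/ ~/swai-commit --recursive'
    su - ec2-user -c 'cp -r ~/swai-commit/k8s-yaml/eks/ ~/eks/'
    su - ec2-user -c 'cp -r ~/swai-commit/k8s-yaml/yaml/ ~/yaml/'
    su - ec2-user -c 'git config --global credential.helper "!aws codecommit credential-helper $@"'
    su - ec2-user -c 'git config --global credential.UseHttpPath true'
    su - ec2-user -c 'cd ~/swai-commit && git init && git add .'
    su - ec2-user -c 'cd ~/swai-commit && git commit -m "swai"'
    su - ec2-user -c 'cd ~/swai-commit && git branch swai'
    su - ec2-user -c 'cd ~/swai-commit && git checkout swai'
    su - ec2-user -c 'cd ~/swai-commit && git remote add origin ${aws_codecommit_repository.commit.clone_url_http}'
    su - ec2-user -c 'cd ~/swai-commit && git push origin swai'
    aws s3 rm s3://${aws_s3_bucket.app.id} --recursive
    aws s3 rb s3://${aws_s3_bucket.app.id} --force
  EOF

  tags = {
    Name = "swai-bastion-ec2"
  }
}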
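# Source ranges allowed to reach the bastion on TCP/22. The default keeps the
# existing behaviour (SSH open to the whole internet) so current deployments do
# not change on apply; override it with the operator networks that actually
# need SSH, or remove the SSH rule entirely and use SSM Session Manager.
# Exposure matters here because the host's role is AdministratorAccess.
variable "bastion_ssh_allowed_cidrs" {
  description = "CIDR blocks permitted to open SSH sessions to the bastion."
  type        = list(string)
  default     = ["0.0.0.0/0"]
}

# Security group for the bastion: inbound SSH only; outbound restricted to
# SSH (to reach private nodes), HTTP and HTTPS (package and tool downloads,
# S3, CodeCommit).
# NOTE(review): there is no DNS (UDP/53) egress rule. Resolution via the VPC's
# own Route 53 Resolver is not filtered by security groups, but any other
# resolver would be blocked — confirm the VPC uses the default resolver.
resource "aws_security_group" "bastion" {
  name   = "swai-bastion-sg"
  vpc_id = aws_vpc.vpc.id

  ingress {
    description = "SSH from allowed operator networks"
    protocol    = "tcp"
    from_port   = 22
    to_port     = 22
    cidr_blocks = var.bastion_ssh_allowed_cidrs
  }

  egress {
    description = "SSH to cluster nodes"
    protocol    = "tcp"
    from_port   = 22
    to_port     = 22
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    description = "HTTP for package repositories"
    protocol    = "tcp"
    from_port   = 80
    to_port     = 80
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    description = "HTTPS for AWS APIs, S3, CodeCommit and tool downloads"
    protocol    = "tcp"
    from_port   = 443
    to_port     = 443
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "swai-bastion-sg"
  }
}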
## IAM
# Trust policy for the bastion role: only the EC2 service may assume it, so the
# role is usable solely through an instance profile.
locals {
  bastion_trust_policy = {
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = ""
        Effect = "Allow"
        Action = "sts:AssumeRole"
        Principal = {
          Service = "ec2.amazonaws.com"
        }
      }
    ]
  }
}

# IAM role assumed by the bastion instance (via aws_iam_instance_profile.bastion).
# Permissions are granted by separate policy attachments; this block only sets
# the trust relationship.
resource "aws_iam_role" "bastion" {
  name               = "swai-role-bastion"
  assume_role_policy = jsonencode(local.bastion_trust_policy)
}
# Grants the bastion role the AWS-managed AdministratorAccess policy.
# NOTE(review): combined with the internet-reachable SSH ingress on the bastion,
# this makes the host's credentials full account-admin. The bootstrap script
# needs S3 read/delete on the app bucket and CodeCommit push, and eksctl needs
# broad IAM/CloudFormation/EKS rights, so narrowing this means enumerating that
# set (or attaching a permissions boundary); at minimum, restrict who can reach
# the host and enforce IMDSv2 on the instance so the credentials are not
# trivially readable.
resource "aws_iam_role_policy_attachment" "bastion_admin_access" {
  role       = aws_iam_role.bastion.name
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}
# Instance profile that exposes aws_iam_role.bastion to EC2; referenced by
# aws_instance.bastion.iam_instance_profile. Credentials for the role are
# served to the instance through the metadata service.
resource "aws_iam_instance_profile" "bastion" {
  name = "swai-profile-bastion"
  role = aws_iam_role.bastion.name
}