From 88dce3ac17068aef2f4f3ccd930f9b4a0ba8a6b4 Mon Sep 17 00:00:00 2001
From: smerle33
Date: Mon, 4 Nov 2024 09:21:25 +0100
Subject: [PATCH] feat(eks): create an EKS

---
 .shared-tools | 2 +-
 .terraform.lock.hcl | 99 +++++++++++
 cijenkinsio-agents-2.tf | 356 ++++++++++++++++++++++++++++++++++++++++
 locals.tf | 12 +-
 providers.tf | 7 +
 vpc.tf | 2 +-
 6 files changed, 472 insertions(+), 6 deletions(-)
 create mode 100644 cijenkinsio-agents-2.tf

diff --git a/.shared-tools b/.shared-tools
index 84dffd0..1659f1a 160000
--- a/.shared-tools
+++ b/.shared-tools
@@ -1 +1 @@
-Subproject commit 84dffd0bb745cec165ea65ed7612b427f19f7316
+Subproject commit 1659f1a780d9086228fae51a1a475b3f3043f8af
diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
index b57ba68..5dff881 100644
--- a/.terraform.lock.hcl
+++ b/.terraform.lock.hcl
@@ -26,6 +26,45 @@ provider "registry.terraform.io/hashicorp/aws" { ] } +provider "registry.terraform.io/hashicorp/cloudinit" { + version = "2.3.5" + constraints = ">= 2.0.0" + hashes = [ + "h1:Sf1Lt21oTADbzsnlU38ylpkl8YXP0Beznjcy5F/Yx64=", + "zh:17c20574de8eb925b0091c9b6a4d859e9d6e399cd890b44cfbc028f4f312ac7a", + "zh:348664d9a900f7baf7b091cf94d657e4c968b240d31d9e162086724e6afc19d5", + "zh:5a876a468ffabff0299f8348e719cb704daf81a4867f8c6892f3c3c4add2c755", + "zh:6ef97ee4c8c6a69a3d36746ba5c857cf4f4d78f32aa3d0e1ce68f2ece6a5dba5", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:8283e5a785e3c518a440f6ac6e7cc4fc07fe266bf34974246f4e2ef05762feda", + "zh:a44eb5077950168b571b7eb65491246c00f45409110f0f172cc3a7605f19dba9", + "zh:aa0806cbff72b49c1b389c0b8e6904586e5259c08dabb7cb5040418568146530", + "zh:bec4613c3beaad9a7be7ca99cdb2852073f782355b272892e6ee97a22856aec1", + "zh:d7fe368577b6c8d1ae44c751ed42246754c10305c7f001cc0109833e95aa107d", + "zh:df2409fc6a364b1f0a0f8a9cd8a86e61e80307996979ce3790243c4ce88f2915", + "zh:ed3c263396ff1f4d29639cc43339b655235acf4d06296a7c120a80e4e0fd6409", + ] +} + +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "2.33.0" + hashes = [ + "h1:HDyytvOlqNw5fJ0SB/nzgqCWniK4LAZNx23LaPavQq8=", + "zh:255b35790b706d405e987750190658dcaefb663741b96803a9529ba5d7435329", + "zh:362feba1aa820a8e02869ec71d1a08e87243dbce43671dc0995fa6c5a2fafa1d", + "zh:39332abcf75b5dd9c78c79c7c0c094f7d4ca908d1b76bbd2aae67e8e3516710c", + "zh:3e8e7f758bb09a9b5b613c8866e77541f8f00b521070cc86bc095ce61f010baf", + "zh:427883b889b9c36630c3eec4d5c07bc4ae12cc0d358fc17ea42a8049bf8d5275", + "zh:69bfc4ed067a5e4844db1a1809343652ff239aa0a8da089b1671524c44e8740a", + "zh:6b9f731062b945c5020e0930ed9a1b1b50afd2caf751f0e70a282d165c970979", + "zh:6faf9ec006af7ee7014a9c3251d65b701792abb823f149b0b7e4ac4433848201", + "zh:b706f76d695104a47682ee6ab842870f9c70a680f979fa9e7efe34278c0831bc", + "zh:b9bca48de2c92f57389ed58dd2fac564deaccd79a92cafd08edeed3ba6b91d4d", 
+ "zh:bbd3336dbee5aed9880f98e36fb8340e0c6d8f0399a05787521af599ccb3dac4", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} + provider "registry.terraform.io/hashicorp/local" { version = "2.5.2" hashes = [ 
@@ -47,3 +86,63 @@ provider "registry.terraform.io/hashicorp/local" { "zh:cc4cbcd67414fefb111c1bf7ab0bc4beb8c0b553d01719ad17de9a047adff4d1", ] } + +provider "registry.terraform.io/hashicorp/null" { + version = "3.2.3" + constraints = ">= 3.0.0" + hashes = [ + "h1:I0Um8UkrMUb81Fxq/dxbr3HLP2cecTH2WMJiwKSrwQY=", + "zh:22d062e5278d872fe7aed834f5577ba0a5afe34a3bdac2b81f828d8d3e6706d2", + "zh:23dead00493ad863729495dc212fd6c29b8293e707b055ce5ba21ee453ce552d", + "zh:28299accf21763ca1ca144d8f660688d7c2ad0b105b7202554ca60b02a3856d3", + "zh:55c9e8a9ac25a7652df8c51a8a9a422bd67d784061b1de2dc9fe6c3cb4e77f2f", + "zh:756586535d11698a216291c06b9ed8a5cc6a4ec43eee1ee09ecd5c6a9e297ac1", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:9d5eea62fdb587eeb96a8c4d782459f4e6b73baeece4d04b4a40e44faaee9301", + "zh:a6355f596a3fb8fc85c2fb054ab14e722991533f87f928e7169a486462c74670", + "zh:b5a65a789cff4ada58a5baffc76cb9767dc26ec6b45c00d2ec8b1b027f6db4ed", + "zh:db5ab669cf11d0e9f81dc380a6fdfcac437aea3d69109c7aef1a5426639d2d65", + "zh:de655d251c470197bcbb5ac45d289595295acb8f829f6c781d4a75c8c8b7c7dd", + "zh:f5c68199f2e6076bce92a12230434782bf768103a427e9bb9abee99b116af7b5", + ] +} + +provider "registry.terraform.io/hashicorp/time" { + version = "0.12.1" + constraints = ">= 0.9.0" + hashes = [ + "h1:JzYsPugN8Fb7C4NlfLoFu7BBPuRVT2/fCOdCaxshveI=", + "zh:090023137df8effe8804e81c65f636dadf8f9d35b79c3afff282d39367ba44b2", + "zh:26f1e458358ba55f6558613f1427dcfa6ae2be5119b722d0b3adb27cd001efea", + "zh:272ccc73a03384b72b964918c7afeb22c2e6be22460d92b150aaf28f29a7d511", + "zh:438b8c74f5ed62fe921bd1078abe628a6675e44912933100ea4fa26863e340e9", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:85c8bd8eefc4afc33445de2ee7fbf33a7807bc34eb3734b8eefa4e98e4cddf38", + "zh:98bbe309c9ff5b2352de6a047e0ec6c7e3764b4ed3dfd370839c4be2fbfff869", + "zh:9c7bf8c56da1b124e0e2f3210a1915e778bab2be924481af684695b52672891e", + 
"zh:d2200f7f6ab8ecb8373cda796b864ad4867f5c255cff9d3b032f666e4c78f625", + "zh:d8c7926feaddfdc08d5ebb41b03445166df8c125417b28d64712dccd9feef136", + "zh:e2412a192fc340c61b373d6c20c9d805d7d3dee6c720c34db23c2a8ff0abd71b", + "zh:e6ac6bba391afe728a099df344dbd6481425b06d61697522017b8f7a59957d44", + ] +} + +provider "registry.terraform.io/hashicorp/tls" { + version = "4.0.6" + constraints = ">= 3.0.0" + hashes = [ + "h1:n3M50qfWfRSpQV9Pwcvuse03pEizqrmYEryxKky4so4=", + "zh:10de0d8af02f2e578101688fd334da3849f56ea91b0d9bd5b1f7a243417fdda8", + "zh:37fc01f8b2bc9d5b055dc3e78bfd1beb7c42cfb776a4c81106e19c8911366297", + "zh:4578ca03d1dd0b7f572d96bd03f744be24c726bfd282173d54b100fd221608bb", + "zh:6c475491d1250050765a91a493ef330adc24689e8837a0f07da5a0e1269e11c1", + "zh:81bde94d53cdababa5b376bbc6947668be4c45ab655de7aa2e8e4736dfd52509", + "zh:abdce260840b7b050c4e401d4f75c7a199fafe58a8b213947a258f75ac18b3e8", + "zh:b754cebfc5184873840f16a642a7c9ef78c34dc246a8ae29e056c79939963c7a", + "zh:c928b66086078f9917aef0eec15982f2e337914c5c4dbc31dd4741403db7eb18", + "zh:cded27bee5f24de6f2ee0cfd1df46a7f88e84aaffc2ecbf3ff7094160f193d50", + "zh:d65eb3867e8f69aaf1b8bb53bd637c99c6b649ba3db16ded50fa9a01076d1a27", + "zh:ecb0c8b528c7a619fa71852bb3fb5c151d47576c5aab2bf3af4db52588722eeb", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/cijenkinsio-agents-2.tf b/cijenkinsio-agents-2.tf new file mode 100644 index 0000000..416f170 --- /dev/null +++ b/cijenkinsio-agents-2.tf 
@@ -0,0 +1,356 @@
+# Define a KMS main key to encrypt the EKS cluster
+resource "aws_kms_key" "cijenkinsio-agents-2" {
+ description = "EKS Secret Encryption Key for the cluster cijenkinsio-agents-2"
+ enable_key_rotation = true
+
+ tags = merge(local.common_tags, {
+ associated_service = "eks/cijenkinsio-agents-2"
+ })
+}
+
+# EKS Cluster definition
+module "cijenkinsio-agents-2" {
+ source = "terraform-aws-modules/eks/aws"
+ version = "20.26.1"
+
+ cluster_name = "cijenkinsio-agents-2"
+ # Kubernetes version in format '.', as per https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html
+ cluster_version = "1.29"
+
+ # role is create within terraform-states
+ create_iam_role = false
+ iam_role_arn = "arn:aws:iam::326712726440:role/cijenkinsio-agents-2-eks"
+
+ subnet_ids = [module.vpc.private_subnets[2]]
+
+ # Required to allow EKS service accounts to authenticate to AWS API through OIDC (and assume IAM roles)
+ # useful for autoscaler, EKS addons and any AWS APi usage
+ enable_irsa = true
+
+ # Allow the terraform CI IAM user to be co-owner of the cluster
+ enable_cluster_creator_admin_permissions = true
+
+ # avoid using config map to specify admin accesses (decrease attack surface)
+ authentication_mode = "API"
+
+ create_kms_key = false
+ cluster_encryption_config = {
+ provider_key_arn = aws_kms_key.cijenkinsio-agents-2.arn
+ resources = ["secrets"]
+ }
+
+ cluster_endpoint_public_access = true
+ cluster_endpoint_public_access_cidrs = [
+ "20.122.14.108/32", # curl --silent --location https://reports.jenkins.io/jenkins-infra-data-reports/azure-net.json | jq -r '."infracijenkinsioagents1.jenkins.io"' ip1
+ "20.186.70.154/32", # curl --silent --location https://reports.jenkins.io/jenkins-infra-data-reports/azure-net.json | jq -r '."infracijenkinsioagents1.jenkins.io"' ip2
+ "172.176.126.194/32", # VPN TODO export VPN outbound ip to https://reports.jenkins.io/jenkins-infra-data-reports/azure-net.json (https://github.com/jenkins-infra/azure-net/blob/518a250bb7d7f76f0b6b8c90b8f362a686253853/vpn.tf#L118C11-L118C40)
+ ]
+
+ create_cluster_primary_security_group_tags = false
+
+ # Do not use interpolated values from `local` in either keys and values of provided tags (or `cluster_tags)
+ # To avoid having and implicit dependency to a resource not available when parsing the module (infamous errror `Error: Invalid for_each argument`)
+ # Ref. same error as having a `depends_on` in https://github.com/terraform-aws-modules/terraform-aws-eks/issues/2337
+ tags = merge(local.common_tags, {
+ Environment = "jenkins-infra-${terraform.workspace}"
+ GithubRepo = "terraform-aws-sponsorship"
+ GithubOrg = "jenkins-infra"
+
+ associated_service = "eks/cijenkinsio-agents-2"
+ })
+
+ # VPC is defined in vpc.tf
+ vpc_id = module.vpc.vpc_id
+
+ ## Manage EKS addons with module - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon
+ # See new versions with `aws eks describe-addon-versions --kubernetes-version --addon-name `
+ cluster_addons = {
+ # https://github.com/coredns/coredns/releases
+ coredns = {
+ addon_version = "v1.11.3-eksbuild.1"
+ }
+ # Kube-proxy on an Amazon EKS cluster has the same compatibility and skew policy as Kubernetes
+ # See https://kubernetes.io/releases/version-skew-policy/#kube-proxy
+ kube-proxy = {
+ addon_version = "v1.29.7-eksbuild.9"
+ }
+ # https://github.com/aws/amazon-vpc-cni-k8s/releases
+ vpc-cni = {
+ addon_version = "v1.18.5-eksbuild.1"
+ }
+ # https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/CHANGELOG.md
+ aws-ebs-csi-driver = {
+ addon_version = "v1.36.0-eksbuild.1"
+ # TODO specify service account
+ # service_account_role_arn = module.cijenkinsio-agents-2_irsa_ebs.iam_role_arn
+ }
+ }
+
+ eks_managed_node_groups = {
+ tiny_ondemand_linux = {
+ # This worker pool is expected to host the "technical" services such as pod autoscaler, etc.
+ name = "tiny-ondemand-linux"
+ instance_types = ["t3a.xlarge"] # 2vcpu 8Gio
+ capacity_type = "ON_DEMAND"
+ min_size = 1
+ max_size = 2 # Allow manual scaling when running operations or upgrades
+ desired_size = 1
+ bootstrap_extra_args = "--kubelet-extra-args '--node-labels=node.kubernetes.io/lifecycle=normal'"
+ suspended_processes = ["AZRebalance"]
+ tags = merge(local.common_tags, {
+ "k8s.io/cluster-autoscaler/enabled" = false # No autoscaling for these 2 machines
+ }),
+ attach_cluster_primary_security_group = true
+ },
+ # This list of worker pool is aimed at mixed spot instances type, to ensure that we always get the most available (e.g. the cheaper) spot size
+ # as per https://aws.amazon.com/blogs/compute/cost-optimization-and-resilience-eks-with-spot-instances/
+ # Pricing table for 2023: https://docs.google.com/spreadsheets/d/1_C0I0jE-X0e0vDcdKOFIWcnwpOqWC8RQ4YOCgXNnplY/edit?usp=sharing
+ spot_linux_4xlarge = {
+ # 4xlarge: Instances supporting 3 pods (limited to 4 vCPUs/8 Gb) each with 1 vCPU/1Gb margin
+ name = "spot-linux-4xlarge"
+ capacity_type = "SPOT"
+ # Less than 5% eviction rate, cost below $0.08 per pod per hour
+ instance_types = [
+ "c5.4xlarge",
+ "c5a.4xlarge"
+ ]
+ block_device_mappings = {
+ xvda = {
+ device_name = "/dev/xvda"
+ ebs = {
+ volume_size = 90 # With 3 pods / machine, that can use ~30 Gb each at the same time (`emptyDir`)
+ volume_type = "gp3"
+ iops = 3000 # Max included with gp3 without additional cost
+ throughput = 125 # Max included with gp3 without additional cost
+ encrypted = false
+ delete_on_termination = true
+ }
+ }
+ }
+ spot_instance_pools = 3 # Amount of different instance that we can use depends on spot_allocation_strategy = lowest-price
+ spot_allocation_strategy = "lowest-price" # depends on spot_instance_pools
+ min_size = 0
+ max_size = 50
+ desired_size = 0
+ kubelet_extra_args = "--node-labels=node.kubernetes.io/lifecycle=spot"
+ tags = merge(local.common_tags, {
+ "k8s.io/cluster-autoscaler/enabled" = true,
+ "k8s.io/cluster-autoscaler/cijenkinsio-agents-2" = "owned",
+ "ci.jenkins.io/agents-density" = 3,
+ })
+ attach_cluster_primary_security_group = true
+ labels = {
+ "ci.jenkins.io/agents-density" = 3,
+ }
+ },
+ # This list of worker pool is aimed at mixed spot instances type, to ensure that we always get the most available (e.g. the cheaper) spot size
+ # as per https://aws.amazon.com/blogs/compute/cost-optimization-and-resilience-eks-with-spot-instances/
+ # Pricing table for 2023: https://docs.google.com/spreadsheets/d/1_C0I0jE-X0e0vDcdKOFIWcnwpOqWC8RQ4YOCgXNnplY/edit?usp=sharing
+ spot_linux_4xlarge_bom = {
+ # 4xlarge: Instances supporting 3 pods (limited to 4 vCPUs/8 Gb) each with 1 vCPU/1Gb margin
+ name = "spot-linux-4xlarge-bom"
+ capacity_type = "SPOT"
+ # Less than 5% eviction rate, cost below $0.08 per pod per hour
+ instance_types = [
+ "c5.4xlarge",
+ "c5a.4xlarge"
+ ]
+ block_device_mappings = {
+ xvda = {
+ device_name = "/dev/xvda"
+ ebs = {
+ volume_size = 90 # With 3 pods / machine, that can use ~30 Gb each at the same time (`emptyDir`)
+ volume_type = "gp3"
+ iops = 3000 # Max included with gp3 without additional cost
+ throughput = 125 # Max included with gp3 without additional cost
+ encrypted = false
+ delete_on_termination = true
+ }
+ }
+ }
+ spot_instance_pools = 3 # Amount of different instance that we can use
+ min_size = 0
+ max_size = 50
+ desired_size = 0
+ kubelet_extra_args = "--node-labels=node.kubernetes.io/lifecycle=spot"
+ tags = merge(local.common_tags, {
+ "k8s.io/cluster-autoscaler/enabled" = true,
+ "k8s.io/cluster-autoscaler/cijenkinsio-agents-2" = "owned",
+ "ci.jenkins.io/agents-density" = 3,
+ })
+ attach_cluster_primary_security_group = true
+ labels = {
+ "ci.jenkins.io/agents-density" = 3,
+ "ci.jenkins.io/bom" = true,
+ }
+ taints = [
+ {
+ key = "ci.jenkins.io/bom"
+ value = "true"
+ effect = "NO_SCHEDULE"
+ }
+ ]
+ },
+ spot_linux_24xlarge_bom = {
+ # 24xlarge: Instances supporting 23 pods (limited to 4 vCPUs/8 Gb) each with 1 vCPU/1Gb margin
+ name = "spot-linux-24xlarge"
+ capacity_type = "SPOT"
+ # Less than 5% eviction rate, cost below $0.05 per pod per hour
+ instance_types = [
+ "m5.24xlarge",
+ "c5.24xlarge",
+ ]
+ block_device_mappings = {
+ xvda = {
+ device_name = "/dev/xvda"
+ ebs = {
+ volume_size = 575 # With 23 pods / machine, that can use ~25 Gb each at the same time (`emptyDir`)
+ volume_type = "gp3"
+ iops = 3000 # Max included with gp3 without additional cost
+ throughput = 125 # Max included with gp3 without additional cost
+ encrypted = false
+ delete_on_termination = true
+ }
+ }
+ }
+ spot_instance_pools = 2 # Amount of different instance that we can use
+ min_size = 0
+ max_size = 15
+ desired_size = 0
+ kubelet_extra_args = "--node-labels=node.kubernetes.io/lifecycle=spot"
+ tags = merge(local.common_tags, {
+ "k8s.io/cluster-autoscaler/enabled" = true,
+ "k8s.io/cluster-autoscaler/cijenkinsio-agents-2" = "owned",
+ })
+ attach_cluster_primary_security_group = true
+ labels = {
+ "ci.jenkins.io/agents-density" = 23,
+ }
+ taints = [
+ {
+ key = "ci.jenkins.io/bom"
+ value = "true"
+ effect = "NO_SCHEDULE"
+ }
+ ]
+ },
+ }
+
+ # Allow egress from nodes (and pods...)
+ node_security_group_additional_rules = {
+ egress_jenkins_jnlp = {
+ description = "Allow egress to Jenkins TCP"
+ protocol = "TCP"
+ from_port = 50000
+ to_port = 50000
+ type = "egress"
+ cidr_blocks = ["0.0.0.0/0"]
+ ipv6_cidr_blocks = ["::/0"]
+ },
+ egress_http = {
+ description = "Allow egress to plain HTTP"
+ protocol = "TCP"
+ from_port = 80
+ to_port = 80
+ type = "egress"
+ cidr_blocks = ["0.0.0.0/0"]
+ ipv6_cidr_blocks = ["::/0"]
+ },
+ }
+}
+
+# module "cijenkinsio-agents-2_iam_role_autoscaler" {
+# source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
+# version = "v5.47.1"
+# create_role = true
+# role_name = "${local.autoscaler_account_name}-cijenkinsio-agents-2"
+# provider_url = replace(module.cijenkinsio-agents-2.cluster_oidc_issuer_url, "https://", "")
+# role_policy_arns = [aws_iam_policy.cluster_autoscaler_cijenkinsio-agents-2.arn]
+# oidc_fully_qualified_subjects = ["system:serviceaccount:${local.autoscaler_account_namespace}:${local.autoscaler_account_name}"]
+
+# tags = merge(local.common_tags, {
+# associated_service = "eks/${module.cijenkinsio-agents-2.cluster_name}"
+# })
+# }
+
+# module "cijenkinsio-agents-2_irsa_ebs" {
+# source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
+# version = "v5.47.1"
+# create_role = true
+# role_name = "${local.ebs_account_name}-cijenkinsio-agents-2"
+# provider_url = replace(module.cijenkinsio-agents-2.cluster_oidc_issuer_url, "https://", "")
+# role_policy_arns = [aws_iam_policy.ebs_csi.arn]
+# oidc_fully_qualified_subjects = ["system:serviceaccount:${local.ebs_account_namespace}:${local.ebs_account_name}"]
+
+# tags = merge(local.common_tags, {
+# associated_service = "eks/${module.cijenkinsio-agents-2.cluster_name}"
+# })
+# }
+
+# # Configure the jenkins-infra/kubernetes-management admin service account
+# module "cijenkinsio-agents-2_admin_sa" {
+# providers = {
+# kubernetes = kubernetes.cijenkinsio-agents-2
+# }
+# source = "./.shared-tools/terraform/modules/kubernetes-admin-sa"
+# cluster_name = module.cijenkinsio-agents-2.cluster_name
+# cluster_hostname = module.cijenkinsio-agents-2.cluster_endpoint
+# cluster_ca_certificate_b64 = module.cijenkinsio-agents-2.cluster_certificate_authority_data
+# svcaccount_admin_name = "ciadmin"
+# }
+
+# output "kubeconfig_cijenkinsio-agents-2" {
+# sensitive = true
+# value = module.cijenkinsio-agents-2_admin_sa.kubeconfig
+# }
+
+# data "aws_eks_cluster" "cijenkinsio-agents-2" {
+# name = module.cijenkinsio-agents-2.cluster_name
+# }
+
+# data "aws_eks_cluster_auth" "cijenkinsio-agents-2" {
+# name = module.cijenkinsio-agents-2.cluster_name
+# }
+
+# ## No restriction on the resources: either managed outside terraform, or already scoped by conditions
+# #trivy:ignore:aws-iam-no-policy-wildcards
+# data "aws_iam_policy_document" "cluster_autoscaler_cijenkinsio-agents-2" {
+# # Statements as per https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md#full-cluster-autoscaler-features-policy-recommended
+# statement {
+# sid = "unrestricted"
+# effect = "Allow"
+
+# actions = [
+# "autoscaling:DescribeAutoScalingGroups",
+# "autoscaling:DescribeAutoScalingInstances",
+# "autoscaling:DescribeLaunchConfigurations",
+# "autoscaling:DescribeScalingActivities",
+# "autoscaling:DescribeTags",
+# "ec2:DescribeInstanceTypes",
+# "ec2:DescribeLaunchTemplateVersions"
+# ]
+
+# resources = ["*"]
+# }
+
+# statement {
+# sid = "restricted"
+# effect = "Allow"
+
+# actions = [
+# "autoscaling:SetDesiredCapacity",
+# "autoscaling:TerminateInstanceInAutoScalingGroup",
+# "ec2:DescribeImages",
+# "ec2:GetInstanceTypesFromInstanceRequirements",
+# "eks:DescribeNodegroup"
+# ]
+
+# resources = ["*"]
+# }
+# }
+
+# resource "aws_iam_policy" "cluster_autoscaler_cijenkinsio-agents-2" {
+# name_prefix = "cluster-autoscaler-cijenkinsio-agents-2"
+# description = "EKS cluster-autoscaler policy for cluster ${module.cijenkinsio-agents-2.cluster_name}"
+# policy = data.aws_iam_policy_document.cluster_autoscaler_cijenkinsio-agents-2.json
+# }
diff --git a/locals.tf b/locals.tf
index 3017800..ca357e5 100644
--- a/locals.tf
+++ b/locals.tf
@@ -1,8 +1,12 @@
 locals {
- cluster_name = "aws-sponso"
- aws_account_id = "326712726440"
- region = "us-east-2"
- our_az = format("${local.region}%s", "b")
+ aws_account_id = "326712726440"
+ region = "us-east-2"
+ our_az = format("${local.region}%s", "b")
+ autoscaler_account_namespace = "autoscaler"
+ autoscaler_account_name = "cluster-autoscaler-aws-cluster-autoscaler-chart"
+ ebs_account_namespace = "kube-system"
+ ebs_account_name = "ebs-csi-controller-sa"
+
 common_tags = {
 "scope" = "terraform-managed"
 "repository" = "jenkins-infra/terraform-aws-sponsorship"
diff --git a/providers.tf b/providers.tf
index 2ac54f3..ae0ddb8 100644
--- a/providers.tf
+++ b/providers.tf
@@ -12,3 +12,10 @@ provider "aws" {
 provider "local" {
 }
+
+provider "kubernetes" {
+ alias = "cik8s"
+ host = module.cik8s.cluster_endpoint
+ cluster_ca_certificate = base64decode(module.cik8s.cluster_certificate_authority_data)
+ token = data.aws_eks_cluster_auth.cik8s.token
+}
diff --git a/vpc.tf b/vpc.tf
index 471cc31..b1fa64b 100644
--- a/vpc.tf
+++ b/vpc.tf
@@ -2,7 +2,7 @@ module "vpc" {
 source = "terraform-aws-modules/vpc/aws"
 version = "5.15.0"
- name = "${local.cluster_name}-vpc"
+ name = "aws-sponso-vpc"
 cidr = "10.0.0.0/16" # cannot be less then /16 (more ips)
 # dual stack https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/v5.13.0/examples/ipv6-dualstack/main.tf
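Review bot: All three spot node groups (`spot_linux_4xlarge`, `spot_linux_4xlarge_bom`, `spot_linux_24xlarge_bom`) set `encrypted = false` in the `/dev/xvda` `ebs` block, so the CI workspaces that the comments say live in node `emptyDir` storage sit on unencrypted disks while only the Kubernetes secrets get the KMS key; `encrypted = true` costs nothing on gp3, and `kms_key_id` can point at a dedicated key if the account default EBS key is not wanted. `egress_jenkins_jnlp` allows TCP 50000 to `0.0.0.0/0` and `::/0`; the inbound agent protocol only ever talks to the controller, so narrowing `cidr_blocks` to the controller's address would stop that port from being a generic outbound channel — the diff does not show which address that is, so this needs confirming against the controller's config. `spot_linux_24xlarge_bom` is named `spot-linux-24xlarge`, carries no `"ci.jenkins.io/bom" = true` label and no `ci.jenkins.io/agents-density` tag although its 4xlarge sibling has both, and its header comment still reads "limited to 4 vCPUs/8 Gb"; aligning it with `spot_linux_4xlarge_bom` keeps the taint and the label selectors consistent. `iam_role_arn` hardcodes the account id while `local.aws_account_id` exists; `iam_role_arn = "arn:aws:iam::${local.aws_account_id}:role/cijenkinsio-agents-2-eks"` keeps it single-sourced, and a plain string local should not trigger the `for_each` problem the tags comment describes.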
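Review bot: The new `provider "kubernetes"` block in providers.tf references `module.cik8s` and `data.aws_eks_cluster_auth.cik8s`, but nothing in this patch declares either — the cluster module is `cijenkinsio-agents-2`, and its `aws_eks_cluster_auth` data source is still commented out in cijenkinsio-agents-2.tf — so `terraform validate` will fail on the undeclared references unless a `cik8s` module exists in a file outside this diff. If the provider is meant for the new cluster, `alias = "cijenkinsio-agents-2"`, `host = module.cijenkinsio-agents-2.cluster_endpoint` and the data source uncommented would also match the `kubernetes.cijenkinsio-agents-2` provider reference that the commented `cijenkinsio-agents-2_admin_sa` module expects.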