# VPC
# One VPC for the whole environment. Both DNS flags are enabled; EKS worker
# nodes and the cluster endpoint are commonly reached by hostname, so leaving
# either off tends to break name resolution inside the cluster (hedged: the
# cluster resource itself is not in this file).
resource "aws_vpc" "vpc" {
  cidr_block = var.vpc_cidr

  enable_dns_support   = true
  enable_dns_hostnames = true

  tags = {
    # Cluster-discovery tag; the same "shared" tag is placed on every subnet
    # below so the Kubernetes AWS integrations can locate this network.
    "kubernetes.io/cluster/${var.project}-cluster" = "shared"
    Name                                           = "${var.project}-vpc"
  }
}
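# Public Subnets
# One public subnet per AZ, carved from var.vpc_cidr with cidrsubnet() using
# indices 0..N-1 (the private subnets below continue at N..2N-1).
# Fix: the Name tag previously read "<project>-public-sg", which collided in
# meaning with the real security group "<project>-Public-sg" and made the
# console confusing; subnets are now tagged as subnets.
resource "aws_subnet" "public" {
  count = var.availability_zones_count

  vpc_id            = aws_vpc.vpc.id
  cidr_block        = cidrsubnet(var.vpc_cidr, var.subnet_cidr_bits, count.index)
  availability_zone = data.aws_availability_zones.available.names[count.index]

  # Every instance launched here gets a public IPv4 address. That is what the
  # NAT gateway and any internet-facing load balancers need, but it also means
  # anything placed in these subnets is directly addressable from the internet;
  # keep workloads in the private subnets and use these only for edge resources.
  map_public_ip_on_launch = true

  tags = {
    Name                                           = "${var.project}-public-subnet"
    "kubernetes.io/cluster/${var.project}-cluster" = "shared"
    # Marks the subnet as a candidate for internet-facing Kubernetes ELBs.
    "kubernetes.io/role/elb" = 1
  }
}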
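# Private Subnets
# One private subnet per AZ. The cidrsubnet() index is offset by the AZ count
# so these ranges never overlap the public subnets. No public IPs are mapped;
# outbound traffic is expected to leave through the NAT gateway.
# Fix: Name tag renamed from "<project>-private-sg" (which read like a security
# group) to "<project>-private-subnet".
resource "aws_subnet" "private" {
  count = var.availability_zones_count

  vpc_id            = aws_vpc.vpc.id
  cidr_block        = cidrsubnet(var.vpc_cidr, var.subnet_cidr_bits, count.index + var.availability_zones_count)
  availability_zone = data.aws_availability_zones.available.names[count.index]

  tags = {
    Name                                           = "${var.project}-private-subnet"
    "kubernetes.io/cluster/${var.project}-cluster" = "shared"
    # Marks the subnet as a candidate for internal (non-internet-facing) ELBs.
    "kubernetes.io/role/internal-elb" = 1
  }
}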
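# Internet Gateway for the Public Subnet
# Attached to the VPC; the public route table below points 0.0.0.0/0 at it.
# The explicit depends_on on aws_vpc.vpc was dropped: vpc_id already references
# the VPC, so Terraform infers the ordering and the extra edge was redundant.
resource "aws_internet_gateway" "internet_gateway" {
  vpc_id = aws_vpc.vpc.id

  tags = {
    "Name" = "${var.project}-igw"
  }
}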
# NAT Elastic IP
# Static address for the NAT gateway so egress from the private subnets comes
# from one stable, allow-listable source IP.
# NOTE(review): `vpc = true` is the older argument form; recent AWS provider
# versions prefer `domain = "vpc"`. Left as-is because the provider version
# constraint is not visible in this file — confirm before upgrading.
resource "aws_eip" "main" {
  tags = {
    "Name" = "${var.project}-ngw-ip"
  }

  vpc = true
}
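# NAT Gateway
# Single NAT gateway placed in the first public subnet. All private subnets in
# every AZ route through it, so it is a single point of failure for egress: if
# that AZ goes down, private nodes in the other AZs lose outbound connectivity.
# One gateway per AZ (count over the public subnets) is the usual fix if that
# matters for this deployment.
resource "aws_nat_gateway" "main" {
  allocation_id = aws_eip.main.id
  subnet_id     = aws_subnet.public[0].id

  tags = {
    Name = "${var.project}-ngw"
  }

  # A NAT gateway only works once the VPC has an attached internet gateway.
  # Nothing in this resource references the IGW, so Terraform cannot infer
  # that ordering on its own; the AWS provider documentation recommends this
  # explicit dependency.
  depends_on = [aws_internet_gateway.internet_gateway]
}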
# Route Table(s)
# Route the public subnet traffic through the IGW
# Public route table: anything not local to the VPC goes straight to the
# internet gateway. Only the public subnets are associated with this table.
resource "aws_route_table" "main" {
  vpc_id = aws_vpc.vpc.id

  tags = {
    Name = "${var.project}-Default-rt"
  }

  # Default route to the internet.
  route {
    gateway_id = aws_internet_gateway.internet_gateway.id
    cidr_block = "0.0.0.0/0"
  }
}
# Route table and subnet associations
# Bind each public subnet to the IGW route table. Subnets without an explicit
# association fall back to the VPC's main route table.
resource "aws_route_table_association" "internet_access" {
  count = var.availability_zones_count

  route_table_id = aws_route_table.main.id
  subnet_id      = aws_subnet.public[count.index].id
}
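# Private route table
# The original config put the NAT default route on the VPC's *main* route
# table and relied on the private subnets having no explicit association to
# pick it up. That works, but it also means any subnet created later without
# an association silently gets NAT egress. A dedicated private table plus
# explicit associations keeps internet access opt-in per subnet; the main
# table is left with only the implicit local route.
resource "aws_route_table" "private" {
  vpc_id = aws_vpc.vpc.id

  tags = {
    Name = "${var.project}-Private-rt"
  }
}

# Add route to route table
# Default route for the private subnets: out through the NAT gateway.
resource "aws_route" "main" {
  route_table_id         = aws_route_table.private.id
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = aws_nat_gateway.main.id
}

# Explicitly associate every private subnet with the private table.
resource "aws_route_table_association" "private" {
  count = var.availability_zones_count

  subnet_id      = aws_subnet.private[count.index].id
  route_table_id = aws_route_table.private.id
}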
# Security group for public subnet
# Container for the public-tier rules; the actual ingress/egress rules are
# attached separately via aws_security_group_rule resources below. This SG is
# also what the private tier trusts for database access.
resource "aws_security_group" "public_sg" {
  vpc_id = aws_vpc.vpc.id
  name   = "${var.project}-Public-sg"

  tags = {
    Name = "${var.project}-Public-sg"
  }
}
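# Security group for private subnet
# Database-tier group. Two fixes versus the original:
#  1. SSH (22) was open to 0.0.0.0/0 — on a group intended for the private
#     tier that is an internet-exposed management port. It is now limited to
#     the VPC CIDR (a bastion in the public subnet, or better, drop the rule
#     entirely and use SSM Session Manager).
#  2. The 3306 rule combined a hard-coded "10.0.0.0/16" with the public-tier
#     SG reference. The literal could diverge from var.vpc_cidr and was a
#     superset of the SG reference anyway; the SG reference alone is the
#     least-privilege rule that matches the stated intent ("web tier").
# NOTE(review): the name is not prefixed with var.project like the other
# groups; left unchanged because changing name forces replacement.
resource "aws_security_group" "private_sg" {
  name        = "private-sg"
  description = "Allow web tier and ssh traffic"
  vpc_id      = aws_vpc.vpc.id

  # MySQL only from instances carrying the public-tier security group.
  ingress {
    description     = "MySQL from public tier"
    from_port       = 3306
    to_port         = 3306
    protocol        = "tcp"
    security_groups = [aws_security_group.public_sg.id]
  }

  # SSH only from inside the VPC. Tighten further to a bastion SG or remove
  # once SSM Session Manager is in place.
  ingress {
    description = "SSH from inside the VPC"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.vpc_cidr]
  }

  # Unrestricted egress (via the NAT gateway). Acceptable for patching and
  # package pulls; restrict to VPC endpoints if data exfiltration is a concern.
  egress {
    description = "All outbound"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}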
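# Security group traffic rules
# HTTPS from anywhere into the public tier. This is the intended public
# listener, so the open CIDR is deliberate; a description is added so the
# rule is self-explanatory in the console and passes common linters.
resource "aws_security_group_rule" "sg_ingress_public_443" {
  description       = "HTTPS from the internet"
  security_group_id = aws_security_group.public_sg.id
  type              = "ingress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
}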
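# Plain HTTP from anywhere into the public tier. Keep this only if the
# listener on 80 does nothing but redirect to 443; otherwise drop the rule
# so credentials and cookies are never accepted over cleartext.
resource "aws_security_group_rule" "sg_ingress_public_80" {
  description       = "HTTP from the internet (redirect to HTTPS)"
  security_group_id = aws_security_group.public_sg.id
  type              = "ingress"
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
}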
# Unrestricted outbound for the public tier (all protocols, all ports).
# With protocol "-1" the port range is not meaningful; 0/0 is the conventional
# spelling used for the other all-protocol egress rules in this file.
resource "aws_security_group_rule" "sg_egress_public" {
  type              = "egress"
  security_group_id = aws_security_group.public_sg.id

  protocol  = "-1"
  from_port = 0
  to_port   = 0

  cidr_blocks = ["0.0.0.0/0"]
}
# Security group for data plane
# Group for the EKS worker nodes. Rules are attached separately below so that
# node-to-node, control-plane-to-node and egress can be reasoned about one at
# a time.
resource "aws_security_group" "data_plane_sg" {
  vpc_id = aws_vpc.vpc.id
  name   = "${var.project}-Worker-sg"

  tags = {
    Name = "${var.project}-Worker-sg"
  }
}
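# Security group traffic rules
# Node-to-node traffic. Two fixes versus the original:
#  1. The source list was hard-coded to cidrsubnet(...) indices 0..3, i.e. it
#     silently assumed availability_zones_count == 2. It now derives the
#     ranges from the subnet resources themselves, so it stays correct for any
#     AZ count and can never drift from how the subnets were actually cut.
#  2. protocol "-1" was paired with 0-65535; AWS ignores the port range for
#     all-protocol rules and the other "-1" rules in this file use 0/0, so this
#     is made consistent with them.
# Least-privilege alternative: `self = true` (only members of this SG, not
# every address in the subnets). Left CIDR-based to preserve current reach —
# e.g. for anything in the subnets that is not in this SG — verify before
# tightening.
resource "aws_security_group_rule" "nodes" {
  description       = "Allow nodes to communicate with each other"
  security_group_id = aws_security_group.data_plane_sg.id
  type              = "ingress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks = concat(
    aws_subnet.public[*].cidr_block,
    aws_subnet.private[*].cidr_block,
  )
}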
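# Control plane -> kubelet/pods on the ephemeral port range. The original
# hard-coded cidrsubnet indices 2 and 3 (the private subnets when the AZ count
# is exactly 2); the sources are now the private subnet resources' CIDRs, so
# the rule follows the real subnet layout for any AZ count.
# NOTE(review): this assumes the EKS control-plane ENIs are placed in the
# private subnets (the cluster resource is not in this file). If the cluster
# is created with control_plane_sg attached, sourcing from
# `source_security_group_id = aws_security_group.control_plane_sg.id` would be
# tighter than a CIDR.
resource "aws_security_group_rule" "nodes_inbound" {
  description       = "Allow worker Kubelets and pods to receive communication from the cluster control plane"
  security_group_id = aws_security_group.data_plane_sg.id
  type              = "ingress"
  from_port         = 1025
  to_port           = 65535
  protocol          = "tcp"
  cidr_blocks       = aws_subnet.private[*].cidr_block
}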
# Unrestricted outbound from the worker nodes (image pulls, API calls, the
# control-plane endpoint). Egress leaves the VPC via the NAT gateway.
resource "aws_security_group_rule" "node_outbound" {
  type              = "egress"
  security_group_id = aws_security_group.data_plane_sg.id

  protocol  = "-1"
  from_port = 0
  to_port   = 0

  cidr_blocks = ["0.0.0.0/0"]
}
# Security group for control plane
# Group intended for the EKS control-plane ENIs. Rules are attached below.
resource "aws_security_group" "control_plane_sg" {
  vpc_id = aws_vpc.vpc.id
  name   = "${var.project}-ControlPlane-sg"

  tags = {
    Name = "${var.project}-ControlPlane-sg"
  }
}
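# Security group traffic rules
# Inbound to the control plane. The original opened every TCP port (0-65535)
# from all four hard-coded subnet ranges. The Kubernetes API served by the
# control plane listens on 443 only, so the port range is narrowed to 443 and
# the sources are derived from the subnet resources instead of fixed
# cidrsubnet indices (which assumed exactly two AZs).
# Both public and private ranges are kept so kubectl from a bastion in a public
# subnet still works; narrow to the private ranges or to
# `source_security_group_id = aws_security_group.data_plane_sg.id` if only
# nodes should reach the API.
resource "aws_security_group_rule" "control_plane_inbound" {
  description       = "Kubernetes API (443) from the cluster subnets"
  security_group_id = aws_security_group.control_plane_sg.id
  type              = "ingress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks = concat(
    aws_subnet.public[*].cidr_block,
    aws_subnet.private[*].cidr_block,
  )
}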
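# Unrestricted outbound from the control plane (it must reach the kubelets on
# the 1025-65535 range allowed in nodes_inbound). protocol "-1" was paired
# with 0-65535 in the original; the port range is meaningless for
# all-protocol rules and every other "-1" rule here uses 0/0, so this is made
# consistent.
resource "aws_security_group_rule" "control_plane_outbound" {
  description       = "All outbound from the control plane"
  security_group_id = aws_security_group.control_plane_sg.id
  type              = "egress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]
}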