master.tf
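# Control-plane (k3s server) instance of the "paas" group, built from the
# shared "instance" module. Its bootstrap script installs k3s and publishes
# the join token and kubeconfig to SSM Parameter Store.
module "paas-master" {
  # NOTE(review): the module source carries no ?ref= pin, so every plan
  # follows the default branch of terraform-modules; pin a tag or commit so
  # a routine apply in prod cannot pick up an unreviewed module change.
  source = "git@gitlab.com:FJCorp/infrastructure/terraform-modules.git//instance"

  env           = "prod"
  group         = "paas"
  app           = "master"
  instance_type = "t3.small"
  subnet_type   = "public"

  # Runs on first boot: installs k3s, writes node-token and kubeconfig to SSM.
  bootstrap_script_path = "${path.module}/user_data/paas-master.sh"

  create_dns = true
  dns_name   = "paas.mkdev.me"

  ingress_with_cidr_blocks = [
    {
      from_port   = 6443
      to_port     = 6443
      protocol    = "tcp"
      description = "Kubernetes API port"
      # NOTE(review): the Kubernetes API is reachable from every IPv4 address.
      # Workers sit in the private subnet without a public IP and join via
      # paas.mkdev.me, so they presumably arrive through the NAT address
      # rather than from their security group; that would make this open
      # rule, not the SG-scoped one below, the one that lets them join.
      # Confirm the path, then narrow this to the admin and NAT source
      # ranges instead of 0.0.0.0/0.
      cidr_blocks = ["0.0.0.0/0"]
    },
  ]

  ingress_with_sgs = [
    {
      # All ports and protocols (protocol "-1", ports 0-0) from the worker
      # security group — not only the API port, so the description says so.
      from_port   = 0
      to_port     = 0
      protocol    = "-1"
      description = "All traffic from paas-worker security group"
      sg_id       = aws_security_group.paas-worker.id
    },
  ]
}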
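#!/bin/bash
# Bootstrap for the paas-master (k3s server) instance.
#
# Installs k3s, then publishes the cluster join token and an externally
# usable kubeconfig to SSM Parameter Store as SecureStrings, where the
# worker bootstrap (and operators) read them from.
#
# -u: an unset variable is an error; -o pipefail: a failing curl in
# "curl | sh" fails the script instead of being hidden by sh's exit code.
set -euo pipefail

# SELinux policy required by k3s on this AMI. The k3s-selinux package is a
# pinned release-candidate build, but the installer is not pinned and runs
# whatever get.k3s.io serves at boot time.
# NOTE(review): pin the k3s release (INSTALL_K3S_VERSION) so a rebuilt
# master gets the same version the workers were tested against.
yum install -y container-selinux selinux-policy-base
rpm -i https://rpm.rancher.io/k3s-selinux-0.1.1-rc1.el7.noarch.rpm
curl -sfL https://get.k3s.io | sh -

# Join token generated by the k3s server. Read into a quoted variable so it
# is passed as exactly one argument (the original unquoted $(cat ...) was
# subject to word splitting and globbing).
node_token="$(cat /var/lib/rancher/k3s/server/node-token)"
# SecureString without --key-id is encrypted with the account's default SSM
# key; the worker instance profile must be allowed to read and decrypt it.
aws ssm put-parameter --name '/prod/paas/master/node-token' \
  --value "$node_token" \
  --type SecureString \
  --region eu-central-1 \
  --overwrite

# k3s writes a kubeconfig that points at 127.0.0.1; rewrite it to the public
# DNS name so it works from outside the instance.
# NOTE(review): clients will only verify TLS if the server certificate
# carries paas.mkdev.me as a SAN; the install line above does not pass
# --tls-san, so confirm this before anyone is tempted to skip verification.
kubeconfig="$(sed 's/127.0.0.1/paas.mkdev.me/' /etc/rancher/k3s/k3s.yaml)"
aws ssm put-parameter --name '/prod/paas/master/kubeconfig' \
  --value "$kubeconfig" \
  --type SecureString \
  --region eu-central-1 \
  --overwrite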
# Security group for the k3s worker (spot fleet) instances.
# Inbound is limited to the master instance's security group; outbound is
# unrestricted so the bootstrap can reach SSM, rpm.rancher.io and get.k3s.io.
resource "aws_security_group" "paas-worker" {
name = local.worker_base_name
description = local.worker_base_name
vpc_id = data.terraform_remote_state.mkdev-base.outputs.vpc_id
# All ports and protocols (protocol "-1", ports 0-0) from the master SG.
# NOTE(review): this references module.paas-master.sg_id while the module is
# itself given aws_security_group.paas-worker.id; presumably the module
# creates its rules as separate resources, otherwise Terraform would report
# a dependency cycle.
ingress {
from_port = 0
to_port = 0
protocol = "-1"
security_groups = [module.paas-master.sg_id]
}
# Allow-all egress to any IPv4 address (no ipv6_cidr_blocks are opened).
# Needed at least for the bootstrap downloads and SSM calls.
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
# Same tag set as the spot fleet launch specification below.
tags = {
Name = local.worker_base_name
Environment = "prod"
Group = "paas"
App = "worker"
}
}
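# Worker capacity for the k3s cluster: one c5.large spot instance in the
# private subnet that joins the master using the token stored in SSM.
# NOTE(review): the resource name "pass-worker" looks like a typo for
# "paas-worker"; renaming changes the Terraform address and needs
# `terraform state mv`, so it is left unchanged here.
resource "aws_spot_fleet_request" "pass-worker" {
  spot_price                          = "0.039"
  target_capacity                     = 1
  iam_fleet_role                      = aws_iam_role.paas-worker-fleet.arn
  terminate_instances_with_expiration = true
  valid_until                         = "2100-11-04T20:44:20Z"

  launch_specification {
    instance_type = "c5.large"
    ami           = data.aws_ami.mkdev-base.id
    key_name      = "mkdev"
    # The profile's role (defined elsewhere) must allow ssm:GetParameter on
    # /prod/paas/master/node-token, plus kms:Decrypt if that SecureString
    # uses a customer-managed key.
    iam_instance_profile        = aws_iam_instance_profile.paas-worker.name
    subnet_id                   = data.terraform_remote_state.mkdev-base.outputs.private_subnet_id
    vpc_security_group_ids      = [aws_security_group.paas-worker.id]
    associate_public_ip_address = false

    root_block_device {
      volume_size = "50"
    }

    # Worker bootstrap. The heredoc is not indented and contains no "${"
    # sequence, so Terraform passes it through without interpolation.
    user_data = <<EOT
#!/bin/bash
set -euo pipefail
yum install -y container-selinux selinux-policy-base
rpm -i https://rpm.rancher.io/k3s-selinux-0.1.1-rc1.el7.noarch.rpm
# --output text is required: with the CLI's default JSON output the value
# comes back wrapped in double quotes, and those quotes become part of
# K3S_TOKEN, so the agent presents a token the server does not recognise.
K3S_TOKEN="$(aws ssm get-parameter --name '/prod/paas/master/node-token' --region eu-central-1 --with-decryption --query 'Parameter.Value' --output text)"
export K3S_TOKEN
curl -sfL https://get.k3s.io | K3S_URL=https://paas.mkdev.me:6443 sh -
EOT

    tags = {
      Name        = local.worker_base_name
      Environment = "prod"
      Group       = "paas"
      App         = "worker"
    }
  }

  # The master must exist before workers try to join. Terraform only waits
  # for the module's resources, not for the bootstrap script to have written
  # the token, so a worker that boots first may still fail its first join.
  depends_on = [module.paas-master]
}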