Created
April 29, 2024 13:11
-
-
Save si3mshady/ed31ddafd2d41cd8471281a50e7ae4e0 to your computer and use it in GitHub Desktop.
Automated EKS setup with pod identity, AWS Bedrock integration.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| provider "aws" { | |
| region = "us-east-1" | |
| } | |
| # Create VPC | |
| resource "aws_vpc" "my_vpc" { | |
| cidr_block = "10.0.0.0/16" | |
| } | |
| # Create Subnets | |
| resource "aws_subnet" "public_subnet_a" { | |
| vpc_id = aws_vpc.my_vpc.id | |
| cidr_block = "10.0.1.0/24" | |
| availability_zone = "us-east-1a" | |
| map_public_ip_on_launch = true | |
| } | |
| resource "aws_subnet" "public_subnet_b" { | |
| vpc_id = aws_vpc.my_vpc.id | |
| cidr_block = "10.0.2.0/24" | |
| availability_zone = "us-east-1b" | |
| map_public_ip_on_launch = true | |
| } | |
| # Create Route Table | |
| resource "aws_route_table" "my_route_table" { | |
| vpc_id = aws_vpc.my_vpc.id | |
| } | |
| # Create Route Table Associations | |
| resource "aws_route_table_association" "public_subnet_a_association" { | |
| subnet_id = aws_subnet.public_subnet_a.id | |
| route_table_id = aws_route_table.my_route_table.id | |
| } | |
| resource "aws_route_table_association" "public_subnet_b_association" { | |
| subnet_id = aws_subnet.public_subnet_b.id | |
| route_table_id = aws_route_table.my_route_table.id | |
| } | |
| # Create Internet Gateway | |
| resource "aws_internet_gateway" "my_igw" { | |
| vpc_id = aws_vpc.my_vpc.id | |
| } | |
| # Create Route for Internet Gateway | |
| resource "aws_route" "internet_gateway_route" { | |
| route_table_id = aws_route_table.my_route_table.id | |
| destination_cidr_block = "0.0.0.0/0" | |
| gateway_id = aws_internet_gateway.my_igw.id | |
| } | |
| # Create IAM Role for EKS Node Group | |
| resource "aws_iam_role" "eks_node_group_role" { | |
| name = "eks-node-group-role" | |
| assume_role_policy = <<POLICY | |
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Effect": "Allow", | |
| "Principal": { | |
| "Service": ["ec2.amazonaws.com", "eks.amazonaws.com"] | |
| }, | |
| "Action": "sts:AssumeRole" | |
| } | |
| ] | |
| } | |
| POLICY | |
| } | |
| # Attach required policies to the node group role | |
| resource "aws_iam_role_policy_attachment" "eks_worker_node_policy" { | |
| policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy" | |
| role = aws_iam_role.eks_node_group_role.name | |
| } | |
| resource "aws_iam_role_policy_attachment" "eks_cni_policy" { | |
| policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy" | |
| role = aws_iam_role.eks_node_group_role.name | |
| } | |
| resource "aws_iam_role_policy_attachment" "ec2_container_registry_read_only" { | |
| policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly" | |
| role = aws_iam_role.eks_node_group_role.name | |
| } | |
| # Create the additional policy for the node role | |
| resource "aws_iam_policy" "eks_pod_identity_policy" { | |
| name = "eks-pod-identity-policy" | |
| description = "Policy for EKS Pod Identity" | |
| policy = <<POLICY | |
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Effect": "Allow", | |
| "Action": [ | |
| "eks-auth:AssumeRoleForPodIdentity" | |
| ], | |
| "Resource": "*" | |
| } | |
| ] | |
| } | |
| POLICY | |
| } | |
| # Attach the additional policy to the node group role | |
| resource "aws_iam_role_policy_attachment" "eks_pod_identity_policy_attachment" { | |
| policy_arn = aws_iam_policy.eks_pod_identity_policy.arn | |
| role = aws_iam_role.eks_node_group_role.name | |
| } | |
| # Create Security Group | |
| resource "aws_security_group" "eks_cluster_sg" { | |
| name = "eks-cluster-sg" | |
| description = "Allow inbound traffic to EKS cluster" | |
| vpc_id = aws_vpc.my_vpc.id | |
| ingress { | |
| from_port = 0 | |
| to_port = 0 | |
| protocol = "-1" | |
| cidr_blocks = ["8.8.8.56/32"] | |
| } | |
| egress { | |
| from_port = 0 | |
| to_port = 0 | |
| protocol = "-1" | |
| cidr_blocks = ["0.0.0.0/0"] | |
| } | |
| } | |
| # Create EKS Cluster | |
| resource "aws_eks_cluster" "my_eks_cluster" { | |
| name = "my-eks-cluster" | |
| role_arn = aws_iam_role.eks_node_group_role.arn | |
| vpc_config { | |
| subnet_ids = [aws_subnet.public_subnet_a.id, aws_subnet.public_subnet_b.id] | |
| endpoint_private_access = false | |
| endpoint_public_access = true | |
| public_access_cidrs = ["0.0.0.0/0"] | |
| security_group_ids = [aws_security_group.eks_cluster_sg.id] | |
| } | |
| } | |
| # Create EKS Node Group | |
| resource "aws_eks_node_group" "my_eks_node_group" { | |
| cluster_name = aws_eks_cluster.my_eks_cluster.name | |
| node_group_name = "my-node-group" | |
| node_role_arn = aws_iam_role.eks_node_group_role.arn | |
| subnet_ids = [aws_subnet.public_subnet_a.id, aws_subnet.public_subnet_b.id] | |
| scaling_config { | |
| desired_size = 2 | |
| max_size = 2 | |
| min_size = 1 | |
| } | |
| depends_on = [ | |
| aws_eks_cluster.my_eks_cluster, | |
| aws_iam_role_policy_attachment.eks_worker_node_policy, | |
| aws_iam_role_policy_attachment.eks_cni_policy, | |
| aws_iam_role_policy_attachment.ec2_container_registry_read_only, | |
| aws_iam_role_policy_attachment.eks_pod_identity_policy_attachment, | |
| ] | |
| } | |
| # Create IAM Role for Bedrock | |
| resource "aws_iam_role" "bedrock_role" { | |
| name = "bedrock-role" | |
| assume_role_policy = <<POLICY | |
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Effect": "Allow", | |
| "Principal": { | |
| "Service": "pods.eks.amazonaws.com" | |
| }, | |
| "Action": [ | |
| "sts:AssumeRole", | |
| "sts:TagSession" | |
| ], | |
| "Condition": { | |
| "StringEquals": { | |
| "aws:SourceAccount": "27" | |
| }, | |
| "ArnEquals": { | |
| "aws:SourceArn": "arn:aws:eks:us-east-1:2277:cluster/my-eks-cluster" | |
| } | |
| } | |
| } | |
| ] | |
| } | |
| POLICY | |
| } | |
| # Create the permissions policy for Bedrock | |
| resource "aws_iam_policy" "bedrock_permissions" { | |
| name = "bedrock-permissions" | |
| description = "Grants all AWS Bedrock permissions" | |
| policy = <<POLICY | |
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Effect": "Allow", | |
| "Action": [ | |
| "bedrock:*" | |
| ], | |
| "Resource": "*" | |
| } | |
| ] | |
| } | |
| POLICY | |
| } | |
| # Attach the permissions policy to the Bedrock role | |
| resource "aws_iam_role_policy_attachment" "bedrock_permissions_attachment" { | |
| policy_arn = aws_iam_policy.bedrock_permissions.arn | |
| role = aws_iam_role.bedrock_role.name | |
| } | |
| output "bedrock_role_arn" { | |
| description = "ARN of the Bedrock role" | |
| value = aws_iam_role.bedrock_role.arn | |
| } | |
| output "custer_arn" { | |
| description = "ARN of the Cluster" | |
| value = aws_eks_cluster.my_eks_cluster.arn | |
| } | |
| # aws eks update-kubeconfig --name my-eks-cluster --region us-east-1 | |
| # aws eks create-addon --cluster-name my-eks-cluster --addon-name eks-pod-identity-agent --addon-version v1.0.0-eksbuild.1 | |
| # kubectl create serviceaccount saas -n default | |
| # aws eks create-pod-identity-association --cluster-name my-eks-cluster --role-arn arn:aws:iam::22987:role/bedrock-role --namespace default --service-account saas | |
| # https://aws.amazon.com/blogs/containers/amazon-eks-pod-identity-a-new-way-for-applications-on-eks-to-obtain-iam-credentials/ | |
| # kubectl create serviceaccount saas -n default | |
| # eksctl create podidentityassociation \ | |
| # --cluster my-eks-cluster \ | |
| # --namespace default \ | |
| # --service-account-name saas \ | |
| # --role-name bedrock-role \ | |
| # --role-arn arn:aws:iam::2278987:role/bedrock-role \ | |
| # --region us-east-1 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment