Working on EKS

README.md

@@ -6,6 +6,36 @@ Adapted from https://github.com/terraform-providers/terraform-provider-aws
 
 For details, see https://www.terraform.io/docs/providers/aws/guides/eks-getting-started.html
 
+## Variables
+
+### Required
+
+#### account_id (string)
+
+The AWS account ID that should be used to automatically map IAM users into the Kubernetes cluster
+
+### Optional
+
+#### cluster_name (string)
+
+The Kubernetes cluster name (defaults to "cluster")
+
+#### availability_zones (list)
+
+List of exactly 2 availability zones in which
+to create the cluster (defaults to ["us-east-1a", "us-east-1b"])
+
+## Outputs
+
+#### config_map_aws_auth (string)
+
+Kubernetes config map contents in YAML format, used to configure cluster authentication for users and worker nodes
+
+#### kubeconfig (string)
+
+Kubeconfig file contents, used to configure cluster access for Kubernetes client libraries
+
+
 ## Getting started
 
 1. Apply the configuration:

eks-cluster.tf

@@ -6,7 +6,7 @@
 #
 
 resource "aws_iam_role" "eksServiceRole" {
-  name = "terraform-eks-${var.cluster-name}-eksServiceRole"
+  name = "terraform-eks-${var.cluster_name}-eksServiceRole"
 
   assume_role_policy = <<POLICY
 {
@@ -35,7 +35,7 @@ resource "aws_iam_role_policy_attachment" "AmazonEKSServicePolicy" {
 }
 
 resource "aws_security_group" "cluster" {
-  name        = "terraform-eks-${var.cluster-name}-cluster"
+  name        = "terraform-eks-${var.cluster_name}-cluster"
   description = "Cluster communication with worker nodes"
   vpc_id      = "${aws_vpc.cluster.id}"
 
@@ -47,7 +47,7 @@ resource "aws_security_group" "cluster" {
   }
 
   tags {
-    Name = "terraform-eks-${var.cluster-name}"
+    Name = "terraform-eks-${var.cluster_name}"
   }
 }
 
@@ -72,7 +72,7 @@ resource "aws_security_group_rule" "cluster-ingress-node-https" {
 #}
 
 resource "aws_eks_cluster" "cluster" {
-  name     = "${var.cluster-name}"
+  name     = "${var.cluster_name}"
   role_arn = "${aws_iam_role.eksServiceRole.arn}"
 
   vpc_config {

eks-worker-nodes.tf

@@ -8,7 +8,7 @@
 #
 
 resource "aws_iam_role" "node" {
-  name = "terraform-eks-${var.cluster-name}-node"
+  name = "terraform-eks-${var.cluster_name}-node"
 
   assume_role_policy = <<POLICY
 {
@@ -42,12 +42,12 @@ resource "aws_iam_role_policy_attachment" "node-AmazonEC2ContainerRegistryReadOn
 }
 
 resource "aws_iam_instance_profile" "node" {
-  name = "terraform-eks-${var.cluster-name}"
+  name = "terraform-eks-${var.cluster_name}"
   role = "${aws_iam_role.node.name}"
 }
 
 resource "aws_security_group" "node" {
-  name        = "terraform-eks-${var.cluster-name}-node"
+  name        = "terraform-eks-${var.cluster_name}-node"
   description = "Security group for all nodes in the cluster"
   vpc_id      = "${aws_vpc.cluster.id}"
 
@@ -60,8 +60,8 @@ resource "aws_security_group" "node" {
 
   tags = "${
     map(
-     "Name", "terraform-eks-${var.cluster-name}-node",
-     "kubernetes.io/cluster/${var.cluster-name}", "owned",
+     "Name", "terraform-eks-${var.cluster_name}-node",
+     "kubernetes.io/cluster/${var.cluster_name}", "owned",
     )
   }"
 }
@@ -111,7 +111,7 @@ mkdir -p $CA_CERTIFICATE_DIRECTORY
 echo "${aws_eks_cluster.cluster.certificate_authority.0.data}" | base64 -d >  $CA_CERTIFICATE_FILE_PATH
 INTERNAL_IP=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4)
 sed -i s,MASTER_ENDPOINT,${aws_eks_cluster.cluster.endpoint},g /var/lib/kubelet/kubeconfig
-sed -i s,CLUSTER_NAME,${var.cluster-name},g /var/lib/kubelet/kubeconfig
+sed -i s,CLUSTER_NAME,${var.cluster_name},g /var/lib/kubelet/kubeconfig
 sed -i s,REGION,${data.aws_region.current.name},g /etc/systemd/system/kubelet.service
 sed -i s,MAX_PODS,20,g /etc/systemd/system/kubelet.service
 sed -i s,MASTER_ENDPOINT,${aws_eks_cluster.cluster.endpoint},g /etc/systemd/system/kubelet.service
@@ -131,7 +131,7 @@ resource "aws_launch_configuration" "node" {
   iam_instance_profile        = "${aws_iam_instance_profile.node.name}"
   image_id                    = "${data.aws_ami.eks-worker.id}"
   instance_type               = "m4.large"
-  name_prefix                 = "terraform-eks-${var.cluster-name}"
+  name_prefix                 = "terraform-eks-${var.cluster_name}"
   security_groups             = ["${aws_security_group.node.id}"]
   user_data_base64            = "${base64encode(local.node-userdata)}"
 
@@ -145,17 +145,17 @@ resource "aws_autoscaling_group" "cluster" {
   launch_configuration = "${aws_launch_configuration.node.id}"
   max_size             = 2
   min_size             = 1
-  name                 = "terraform-eks-${var.cluster-name}"
+  name                 = "terraform-eks-${var.cluster_name}"
   vpc_zone_identifier  = ["${aws_subnet.cluster.*.id}"]
 
   tag {
     key                 = "Name"
-    value               = "terraform-eks-${var.cluster-name}"
+    value               = "terraform-eks-${var.cluster_name}"
     propagate_at_launch = true
   }
 
   tag {
-    key                 = "kubernetes.io/cluster/${var.cluster-name}"
+    key                 = "kubernetes.io/cluster/${var.cluster_name}"
     value               = "owned"
     propagate_at_launch = true
   }

outputs.tf

@@ -18,6 +18,8 @@ data:
       groups:
         - system:bootstrappers
         - system:nodes
+  mapAccounts: |
+    - "${var.account_id}"
 CONFIGMAPAWSAUTH
 
   kubeconfig = <<KUBECONFIG
@@ -28,25 +30,25 @@ clusters:
 - cluster:
     server: ${aws_eks_cluster.cluster.endpoint}
     certificate-authority-data: ${aws_eks_cluster.cluster.certificate_authority.0.data}
-  name: ${var.cluster-name}
+  name: ${var.cluster_name}
 contexts:
 - context:
-    cluster: ${var.cluster-name}
-    user: aws-${var.cluster-name}
-  name: aws-${var.cluster-name}
-current-context: aws-${var.cluster-name}
+    cluster: ${var.cluster_name}
+    user: aws-${var.cluster_name}
+  name: aws-${var.cluster_name}
+current-context: aws-${var.cluster_name}
 kind: Config
 preferences: {}
 users:
-- name: aws-${var.cluster-name}
+- name: aws-${var.cluster_name}
   user:
     exec:
       apiVersion: client.authentication.k8s.io/v1alpha1
       command: aws-iam-authenticator
       args:
         - "token"
         - "-i"
-        - "${var.cluster-name}"
+        - "${var.cluster_name}"
 KUBECONFIG
 }
 

variables.tf

@@ -2,7 +2,19 @@
 # Variables Configuration
 #
 
-variable "cluster-name" {
-  default = "terraform-eks-demo"
-  type    = "string"
+variable "cluster_name" {
+  type        = "string"
+  default     = "cluster"
+  description = "Kubernetes cluster name"
+}
+
+variable "account_id" {
+  type        = "string"
+  description = "Account ID containing IAM users to be mapped into the cluster"
+}
+
+variable "availability_zones" {
+  type        = "list"
+  default     = ["us-east-1a", "us-east-1b"]
+  description = "List of 2 availability zones in which to create the cluster"
 }

vpc.tf

@@ -11,23 +11,23 @@ resource "aws_vpc" "cluster" {
 
   tags = "${
     map(
-     "Name", "terraform-eks-${var.cluster-name}",
-     "kubernetes.io/cluster/${var.cluster-name}", "shared",
+     "Name", "terraform-eks-${var.cluster_name}",
+     "kubernetes.io/cluster/${var.cluster_name}", "shared",
     )
   }"
 }
 
 resource "aws_subnet" "cluster" {
   count = 2
 
-  availability_zone = "${data.aws_availability_zones.available.names[count.index]}"
+  availability_zone = "${var.availability_zones[count.index]}"
   cidr_block        = "10.0.${count.index}.0/24"
   vpc_id            = "${aws_vpc.cluster.id}"
 
   tags = "${
     map(
-     "Name", "terraform-eks-${var.cluster-name}",
-     "kubernetes.io/cluster/${var.cluster-name}", "shared",
+     "Name", "terraform-eks-${var.cluster_name}",
+     "kubernetes.io/cluster/${var.cluster_name}", "shared",
     )
   }"
 }
@@ -36,7 +36,7 @@ resource "aws_internet_gateway" "cluster" {
   vpc_id = "${aws_vpc.cluster.id}"
 
   tags {
-    Name = "terraform-eks-${var.cluster-name}"
+    Name = "terraform-eks-${var.cluster_name}"
   }
 }