264 lines
7.2 KiB
HCL
264 lines
7.2 KiB
HCL
# Discrete DNS records for each controller's private IPv4 for etcd usage
|
|
resource "aws_route53_record" "etcds" {
|
|
count = "${var.controller_count}"
|
|
|
|
# DNS Zone where record should be created
|
|
zone_id = "${var.dns_zone_id}"
|
|
|
|
name = "${format("%s-etcd%d.%s.", var.cluster_name, count.index, var.dns_zone)}"
|
|
type = "A"
|
|
ttl = 300
|
|
|
|
# private IPv4 address for etcd
|
|
records = ["${element(aws_instance.controllers.*.private_ip, count.index)}"]
|
|
}
|
|
|
|
# Controller instances
|
|
resource "aws_instance" "controllers" {
|
|
count = "${var.controller_count}"
|
|
|
|
tags = {
|
|
Name = "${var.cluster_name}-controller-${count.index}"
|
|
}
|
|
|
|
instance_type = "${var.controller_type}"
|
|
|
|
ami = "${data.aws_ami.coreos.image_id}"
|
|
user_data = "${element(data.ct_config.controller_ign.*.rendered, count.index)}"
|
|
|
|
# storage
|
|
root_block_device {
|
|
volume_type = "standard"
|
|
volume_size = "${var.disk_size}"
|
|
}
|
|
|
|
# network
|
|
associate_public_ip_address = true
|
|
subnet_id = "${element(aws_subnet.public.*.id, count.index)}"
|
|
vpc_security_group_ids = ["${aws_security_group.controller.id}"]
|
|
|
|
lifecycle {
|
|
ignore_changes = ["ami"]
|
|
}
|
|
}
|
|
|
|
# Controller Container Linux Config
|
|
data "template_file" "controller_config" {
|
|
count = "${var.controller_count}"
|
|
|
|
template = "${file("${path.module}/cl/controller.yaml.tmpl")}"
|
|
|
|
vars = {
|
|
# Cannot use cyclic dependencies on controllers or their DNS records
|
|
etcd_name = "etcd${count.index}"
|
|
etcd_domain = "${var.cluster_name}-etcd${count.index}.${var.dns_zone}"
|
|
|
|
# etcd0=https://cluster-etcd0.example.com,etcd1=https://cluster-etcd1.example.com,...
|
|
etcd_initial_cluster = "${join(",", formatlist("%s=https://%s:2380", null_resource.repeat.*.triggers.name, null_resource.repeat.*.triggers.domain))}"
|
|
|
|
k8s_dns_service_ip = "${cidrhost(var.service_cidr, 10)}"
|
|
ssh_authorized_key = "${var.ssh_authorized_key}"
|
|
cluster_domain_suffix = "${var.cluster_domain_suffix}"
|
|
kubeconfig = "${indent(10, module.bootkube.kubeconfig)}"
|
|
}
|
|
}
|
|
|
|
# Horrible hack to generate a Terraform list of a desired length without dependencies.
|
|
# Ideal ${repeat("etcd", 3) -> ["etcd", "etcd", "etcd"]}
|
|
resource null_resource "repeat" {
|
|
count = "${var.controller_count}"
|
|
|
|
triggers {
|
|
name = "etcd${count.index}"
|
|
domain = "${var.cluster_name}-etcd${count.index}.${var.dns_zone}"
|
|
}
|
|
}
|
|
|
|
data "ct_config" "controller_ign" {
|
|
count = "${var.controller_count}"
|
|
content = "${element(data.template_file.controller_config.*.rendered, count.index)}"
|
|
pretty_print = false
|
|
}
|
|
|
|
# Security Group (instance firewall)
|
|
|
|
resource "aws_security_group" "controller" {
|
|
name = "${var.cluster_name}-controller"
|
|
description = "${var.cluster_name} controller security group"
|
|
|
|
vpc_id = "${aws_vpc.network.id}"
|
|
|
|
tags = "${map("Name", "${var.cluster_name}-controller")}"
|
|
}
|
|
|
|
resource "aws_security_group_rule" "controller-icmp" {
|
|
security_group_id = "${aws_security_group.controller.id}"
|
|
|
|
type = "ingress"
|
|
protocol = "icmp"
|
|
from_port = 0
|
|
to_port = 0
|
|
cidr_blocks = ["0.0.0.0/0"]
|
|
}
|
|
|
|
resource "aws_security_group_rule" "controller-ssh" {
|
|
security_group_id = "${aws_security_group.controller.id}"
|
|
|
|
type = "ingress"
|
|
protocol = "tcp"
|
|
from_port = 22
|
|
to_port = 22
|
|
cidr_blocks = ["0.0.0.0/0"]
|
|
}
|
|
|
|
resource "aws_security_group_rule" "controller-apiserver" {
|
|
security_group_id = "${aws_security_group.controller.id}"
|
|
|
|
type = "ingress"
|
|
protocol = "tcp"
|
|
from_port = 443
|
|
to_port = 443
|
|
cidr_blocks = ["0.0.0.0/0"]
|
|
}
|
|
|
|
resource "aws_security_group_rule" "controller-etcd" {
|
|
security_group_id = "${aws_security_group.controller.id}"
|
|
|
|
type = "ingress"
|
|
protocol = "tcp"
|
|
from_port = 2379
|
|
to_port = 2380
|
|
self = true
|
|
}
|
|
|
|
resource "aws_security_group_rule" "controller-flannel" {
|
|
security_group_id = "${aws_security_group.controller.id}"
|
|
|
|
type = "ingress"
|
|
protocol = "udp"
|
|
from_port = 8472
|
|
to_port = 8472
|
|
source_security_group_id = "${aws_security_group.worker.id}"
|
|
}
|
|
|
|
resource "aws_security_group_rule" "controller-flannel-self" {
|
|
security_group_id = "${aws_security_group.controller.id}"
|
|
|
|
type = "ingress"
|
|
protocol = "udp"
|
|
from_port = 8472
|
|
to_port = 8472
|
|
self = true
|
|
}
|
|
|
|
resource "aws_security_group_rule" "controller-node-exporter" {
|
|
security_group_id = "${aws_security_group.controller.id}"
|
|
|
|
type = "ingress"
|
|
protocol = "tcp"
|
|
from_port = 9100
|
|
to_port = 9100
|
|
source_security_group_id = "${aws_security_group.worker.id}"
|
|
}
|
|
|
|
resource "aws_security_group_rule" "controller-kubelet-self" {
|
|
security_group_id = "${aws_security_group.controller.id}"
|
|
|
|
type = "ingress"
|
|
protocol = "tcp"
|
|
from_port = 10250
|
|
to_port = 10250
|
|
self = true
|
|
}
|
|
|
|
resource "aws_security_group_rule" "controller-kubelet-read" {
|
|
security_group_id = "${aws_security_group.controller.id}"
|
|
|
|
type = "ingress"
|
|
protocol = "tcp"
|
|
from_port = 10255
|
|
to_port = 10255
|
|
source_security_group_id = "${aws_security_group.worker.id}"
|
|
}
|
|
|
|
resource "aws_security_group_rule" "controller-kubelet-read-self" {
|
|
security_group_id = "${aws_security_group.controller.id}"
|
|
|
|
type = "ingress"
|
|
protocol = "tcp"
|
|
from_port = 10255
|
|
to_port = 10255
|
|
self = true
|
|
}
|
|
|
|
resource "aws_security_group_rule" "controller-bgp" {
|
|
security_group_id = "${aws_security_group.controller.id}"
|
|
|
|
type = "ingress"
|
|
protocol = "tcp"
|
|
from_port = 179
|
|
to_port = 179
|
|
source_security_group_id = "${aws_security_group.worker.id}"
|
|
}
|
|
|
|
resource "aws_security_group_rule" "controller-bgp-self" {
|
|
security_group_id = "${aws_security_group.controller.id}"
|
|
|
|
type = "ingress"
|
|
protocol = "tcp"
|
|
from_port = 179
|
|
to_port = 179
|
|
self = true
|
|
}
|
|
|
|
resource "aws_security_group_rule" "controller-ipip" {
|
|
security_group_id = "${aws_security_group.controller.id}"
|
|
|
|
type = "ingress"
|
|
protocol = 4
|
|
from_port = 0
|
|
to_port = 0
|
|
source_security_group_id = "${aws_security_group.worker.id}"
|
|
}
|
|
|
|
resource "aws_security_group_rule" "controller-ipip-self" {
|
|
security_group_id = "${aws_security_group.controller.id}"
|
|
|
|
type = "ingress"
|
|
protocol = 4
|
|
from_port = 0
|
|
to_port = 0
|
|
self = true
|
|
}
|
|
|
|
resource "aws_security_group_rule" "controller-ipip-legacy" {
|
|
security_group_id = "${aws_security_group.controller.id}"
|
|
|
|
type = "ingress"
|
|
protocol = 94
|
|
from_port = 0
|
|
to_port = 0
|
|
source_security_group_id = "${aws_security_group.worker.id}"
|
|
}
|
|
|
|
resource "aws_security_group_rule" "controller-ipip-legacy-self" {
|
|
security_group_id = "${aws_security_group.controller.id}"
|
|
|
|
type = "ingress"
|
|
protocol = 94
|
|
from_port = 0
|
|
to_port = 0
|
|
self = true
|
|
}
|
|
|
|
resource "aws_security_group_rule" "controller-egress" {
|
|
security_group_id = "${aws_security_group.controller.id}"
|
|
|
|
type = "egress"
|
|
protocol = "-1"
|
|
from_port = 0
|
|
to_port = 0
|
|
cidr_blocks = ["0.0.0.0/0"]
|
|
ipv6_cidr_blocks = ["::/0"]
|
|
}
|