locals {
  # Tags applied to the worker resources created below: the caller's tags plus the
  # standard "kubernetes.io/cluster/<name> = owned" marker that EKS and the AWS
  # cloud-provider integration use to recognise resources belonging to this cluster.
  tags = merge(
    var.tags,
    {
      "kubernetes.io/cluster/${var.cluster_name}" = "owned"
    }
  )
}
# Naming/tagging convention helper (cloudposse null-label). Produces the `id`
# used for the role and node group names and the merged `tags` map.
# NOTE(review): the source is pinned to a git tag; tags are mutable references,
# so pinning to a full commit SHA gives a stronger supply-chain guarantee.
module "label" {
  source  = "git::https://github.com/cloudposse/terraform-null-label.git?ref=tags/0.16.0"
  enabled = var.enabled

  namespace  = var.namespace
  stage      = var.stage
  name       = var.name
  delimiter  = var.delimiter
  attributes = compact(concat(var.attributes, ["workers"]))
  tags       = local.tags
}
# Trust policy for the worker role: only the EC2 service principal may assume it,
# i.e. the instances launched by the node group. The role's actual permissions
# come from the policy attachments below, not from this document.
data "aws_iam_policy_document" "assume_role" {
  count = var.enabled ? 1 : 0

  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}
# IAM role assumed by the worker instances. The `join("", ...)` over the splat
# collapses the zero-or-one element list produced by `count` into a string.
resource "aws_iam_role" "default" {
  count = var.enabled ? 1 : 0

  name = module.label.id
  tags = module.label.tags

  assume_role_policy = join("", data.aws_iam_policy_document.assume_role.*.json)
}
# Baseline AWS-managed permissions a worker needs to register with the cluster.
resource "aws_iam_role_policy_attachment" "amazon_eks_worker_node_policy" {
  count = var.enabled ? 1 : 0

  role       = join("", aws_iam_role.default.*.name)
  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
}
# Permissions for the VPC CNI plugin (ENI / IP address management).
# NOTE(review): because this is attached to the node role, any pod on the node that
# can reach the instance metadata endpoint inherits these permissions; restricting
# IMDS access from pods or moving the CNI to an IRSA-scoped role limits that exposure.
resource "aws_iam_role_policy_attachment" "amazon_eks_cni_policy" {
  count = var.enabled ? 1 : 0

  role       = join("", aws_iam_role.default.*.name)
  policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
}
# Read-only ECR access so the nodes can pull images; no push/delete rights.
resource "aws_iam_role_policy_attachment" "amazon_ec2_container_registry_read_only" {
  count = var.enabled ? 1 : 0

  role       = join("", aws_iam_role.default.*.name)
  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
}
# Caller-supplied additional policies for the worker role, one attachment per ARN.
# The element count comes from a separate `_count` variable, presumably so that
# `count` stays known at plan time even when the ARN list itself is computed.
# Every ARN attached here widens what all pods on the nodes can do (see the CNI
# note above), so keep this list to what the workload genuinely needs.
resource "aws_iam_role_policy_attachment" "existing_policies_for_eks_workers_role" {
  count = var.enabled ? var.existing_workers_role_policy_arns_count : 0

  role       = join("", aws_iam_role.default.*.name)
  policy_arn = var.existing_workers_role_policy_arns[count.index]
}
# Managed EKS node group running under the worker role defined above.
resource "aws_eks_node_group" "default" {
  count           = var.enabled ? 1 : 0
  cluster_name    = var.cluster_name
  node_group_name = module.label.id
  node_role_arn   = join("", aws_iam_role.default.*.arn)
  subnet_ids      = var.subnet_ids
  ami_type        = var.ami_type
  disk_size       = var.disk_size
  instance_types  = var.instance_types
  labels          = var.kubernetes_labels
  release_version = var.ami_release_version
  version         = var.kubernetes_version

  tags = module.label.tags

  scaling_config {
    desired_size = var.desired_size
    max_size     = var.max_size
    min_size     = var.min_size
  }

  # SSH access is only configured when a key pair name is supplied.
  # NOTE(review): AWS documents that a node group created with an SSH key but an
  # empty source security group list gets port 22 opened to 0.0.0.0/0. Nothing
  # here prevents that combination, so callers setting `ec2_ssh_key` should also
  # set `source_security_group_ids`, or the module should validate it.
  dynamic "remote_access" {
    for_each = var.ec2_ssh_key != null && var.ec2_ssh_key != "" ? ["true"] : []
    content {
      ec2_ssh_key               = var.ec2_ssh_key
      source_security_group_ids = var.source_security_group_ids
    }
  }

  # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling.
  # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces.
  # (The caller-supplied attachments in `existing_policies_for_eks_workers_role` are
  # deliberately not listed here; add them if a custom policy is required at bootstrap.)
  depends_on = [
    aws_iam_role_policy_attachment.amazon_eks_worker_node_policy,
    aws_iam_role_policy_attachment.amazon_eks_cni_policy,
    aws_iam_role_policy_attachment.amazon_ec2_container_registry_read_only
  ]
}