Stephane NoutsaAs cloud-native architectures continue to gain momentum, Kubernetes has emerged as the de facto standard for container orchestration. Amazon Elastic Kubernetes Service (EKS) is a popular managed Kubernetes service that simplifies the deployment and management of containerized applications on AWS. To streamline the process of provisioning an EKS cluster and automate infrastructure management, developers and DevOps teams often turn to tools like Terraform, Terragrunt, and GitHub Actions.
In this article, we will explore the seamless integration of these tools to provision an EKS cluster on AWS, delving into the benefits of using them in combination, the key concepts involved, and the step-by-step process to set up an EKS cluster using infrastructure-as-code principles.
Whether you are a developer, a DevOps engineer, or an infrastructure enthusiast, this article will serve as a comprehensive guide to help you leverage the power of Terraform, Terragrunt, and GitHub Actions in provisioning and managing your EKS clusters efficiently.
Before diving in though, there are a few things to note.
Disclaimer
a) Given that we'll use Terraform and Terragrunt to provision our infrastructure, familiarity with these two is required to be able to follow along.
b) Given that we'll use GitHub Actions to automate the provisioning of our infrastructure, familiarity with the tool is required to be able to follow along as well.
c) Some basic understanding of Docker and container orchestration with Kubernetes will also help to follow along.
These are the steps we'll follow to provision our EKS cluster:
Write Terraform code for building blocks.
Write Terragrunt code to provision infrastructure.
Create a GitHub Actions workflow and delegate the infrastructure provisioning task to it.
Add a GitHub Actions workflow job to destroy our infrastructure when we're done.
Below is a diagram of the VPC and its components that we'll create, bearing in mind that the control plane components will be deployed in an EKS-managed VPC:
1. Write Terraform code for building blocks
Each building block will have the following files:
main.tf
outputs.tf
provider.tf
variables.tf
We'll be using version 4.x of the AWS provider for Terraform, so the provider.tf file will be the same in all building blocks:
provider.tf
terraform {
required_version = ">= 1.4.2"
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 4.0"
}
}
}
provider "aws" {
access_key = var.AWS_ACCESS_KEY_ID
secret_key = var.AWS_SECRET_ACCESS_KEY
region = var.AWS_REGION
token = var.AWS_SESSION_TOKEN
}
We can see a few variables here that will also be used by all building blocks in the variables.tf file:
variables.tf
variable "AWS_ACCESS_KEY_ID" {
type = string
}
variable "AWS_SECRET_ACCESS_KEY" {
type = string
}
variable "AWS_SESSION_TOKEN" {
type = string
default = null
}
variable "AWS_REGION" {
type = string
}
So when defining the building blocks in the following, these variables won't be explicitly defined, but you should have them in your variables.tf file.
a) VPC building block
main.tf
resource "aws_vpc" "vpc" {
cidr_block = var.vpc_cidr
instance_tenancy = var.instance_tenancy
enable_dns_support = var.enable_dns_support
enable_dns_hostnames = var.enable_dns_hostnames
assign_generated_ipv6_cidr_block = var.assign_generated_ipv6_cidr_block
tags = merge(var.vpc_tags, {
Name = var.vpc_name
})
}
variables.tf
variable "vpc_cidr" {
type = string
}
variable "vpc_name" {
type = string
}
variable "instance_tenancy" {
type = string
default = "default"
}
variable "enable_dns_support" {
type = bool
default = true
}
variable "enable_dns_hostnames" {
type = bool
}
variable "assign_generated_ipv6_cidr_block" {
type = bool
default = false
}
variable "vpc_tags" {
type = map(string)
}
outputs.tf
output "vpc_id" {
value = aws_vpc.vpc.id
}
b) Internet Gateway building block
main.tf
resource "aws_internet_gateway" "igw" {
vpc_id = var.vpc_id
tags = merge(var.tags, {
Name = var.name
})
}
variables.tf
variable "vpc_id" {
type = string
}
variable "name" {
type = string
}
variable "tags" {
type = map(string)
}
outputs.tf
output "igw_id" {
value = aws_internet_gateway.igw.id
}
c) Route Table building block
main.tf
resource "aws_route_table" "route_tables" {
for_each = { for rt in var.route_tables : rt.name => rt }
vpc_id = each.value.vpc_id
dynamic "route" {
for_each = { for route in each.value.routes : route.cidr_block => route if each.value.is_igw_rt }
content {
cidr_block = route.value.cidr_block
gateway_id = route.value.igw_id
}
}
dynamic "route" {
for_each = { for route in each.value.routes : route.cidr_block => route if !each.value.is_igw_rt }
content {
cidr_block = route.value.cidr_block
nat_gateway_id = route.value.nat_gw_id
}
}
tags = merge(each.value.tags, {
Name = each.value.name
})
}
variables.tf
variable "route_tables" {
type = list(object({
name = string
vpc_id = string
is_igw_rt = bool
routes = list(object({
cidr_block = string
igw_id = optional(string)
nat_gw_id = optional(string)
}))
tags = map(string)
}))
}
outputs.tf
output "route_table_ids" {
value = values(aws_route_table.route_tables)[*].id
}
d) Subnet building block
main.tf
# Create public subnets
resource "aws_subnet" "public_subnets" {
for_each = { for subnet in var.subnets : subnet.name => subnet if subnet.is_public }
vpc_id = each.value.vpc_id
cidr_block = each.value.cidr_block
availability_zone = each.value.availability_zone
map_public_ip_on_launch = each.value.map_public_ip_on_launch
private_dns_hostname_type_on_launch = each.value.private_dns_hostname_type_on_launch
tags = merge(each.value.tags, {
Name = each.value.name
})
}
# Associate public subnets with their route table
resource "aws_route_table_association" "public_subnets" {
for_each = { for subnet in var.subnets : subnet.name => subnet if subnet.is_public }
subnet_id = aws_subnet.public_subnets[each.value.name].id
route_table_id = each.value.route_table_id
}
# Create private subnets
resource "aws_subnet" "private_subnets" {
for_each = { for subnet in var.subnets : subnet.name => subnet if !subnet.is_public }
vpc_id = each.value.vpc_id
cidr_block = each.value.cidr_block
availability_zone = each.value.availability_zone
private_dns_hostname_type_on_launch = each.value.private_dns_hostname_type_on_launch
tags = merge(each.value.tags, {
Name = each.value.name
})
}
# Associate private subnets with their route table
resource "aws_route_table_association" "private_subnets" {
for_each = { for subnet in var.subnets : subnet.name => subnet if !subnet.is_public }
subnet_id = aws_subnet.private_subnets[each.value.name].id
route_table_id = each.value.route_table_id
}
variables.tf
variable "subnets" {
type = list(object({
name = string
vpc_id = string
cidr_block = string
availability_zone = optional(string)
map_public_ip_on_launch = optional(bool, true)
private_dns_hostname_type_on_launch = optional(string, "resource-name")
is_public = optional(bool, true)
route_table_id = string
tags = map(string)
}))
}
outputs.tf
output "public_subnets" {
value = values(aws_subnet.public_subnets)[*].id
}
output "private_subnets" {
value = values(aws_subnet.private_subnets)[*].id
}
e) Elastic IP building block
main.tf
resource "aws_eip" "eip" {}
outputs.tf
output "eip_id" {
value = aws_eip.eip.allocation_id
}
f) NAT Gateway building block
main.tf
resource "aws_nat_gateway" "nat_gw" {
allocation_id = var.eip_id
subnet_id = var.subnet_id
tags = merge(var.tags, {
Name = var.name
})
}
variables.tf
variable "name" {
type = string
}
variable "eip_id" {
type = string
}
variable "subnet_id" {
type = string
description = "The ID of the public subnet in which the NAT Gateway should be placed"
}
variable "tags" {
type = map(string)
}
outputs.tf
output "nat_gw_id" {
value = aws_nat_gateway.nat_gw.id
}
g) NACL
main.tf
resource "aws_network_acl" "nacls" {
for_each = { for nacl in var.nacls : nacl.name => nacl }
vpc_id = each.value.vpc_id
dynamic "egress" {
for_each = { for rule in each.value.egress : rule.rule_no => rule }
content {
protocol = egress.value.protocol
rule_no = egress.value.rule_no
action = egress.value.action
cidr_block = egress.value.cidr_block
from_port = egress.value.from_port
to_port = egress.value.to_port
}
}
dynamic "ingress" {
for_each = { for rule in each.value.ingress : rule.rule_no => rule }
content {
protocol = ingress.value.protocol
rule_no = ingress.value.rule_no
action = ingress.value.action
cidr_block = ingress.value.cidr_block
from_port = ingress.value.from_port
to_port = ingress.value.to_port
}
}
tags = merge(each.value.tags, {
Name = each.value.name
})
}
resource "aws_network_acl_association" "nacl_associations" {
for_each = { for nacl in var.nacls : "${nacl.name}_${nacl.subnet_id}" => nacl }
network_acl_id = aws_network_acl.nacls[each.value.name].id
subnet_id = each.value.subnet_id
}
variables.tf
variable "nacls" {
type = list(object({
name = string
vpc_id = string
egress = list(object({
protocol = string
rule_no = number
action = string
cidr_block = string
from_port = number
to_port = number
}))
ingress = list(object({
protocol = string
rule_no = number
action = string
cidr_block = string
from_port = number
to_port = number
}))
subnet_id = string
tags = map(string)
}))
}
outputs.tf
output "nacls" {
value = values(aws_network_acl.nacls)[*].id
}
output "nacl_associations" {
value = values(aws_network_acl_association.nacl_associations)[*].id
}
h) Security Group building block
main.tf
resource "aws_security_group" "security_group" {
name = var.name
description = var.description
vpc_id = var.vpc_id
# Ingress rules
dynamic "ingress" {
for_each = var.ingress_rules
content {
from_port = ingress.value.from_port
to_port = ingress.value.to_port
protocol = ingress.value.protocol
cidr_blocks = ingress.value.cidr_blocks
}
}
# Egress rules
dynamic "egress" {
for_each = var.egress_rules
content {
from_port = egress.value.from_port
to_port = egress.value.to_port
protocol = egress.value.protocol
cidr_blocks = egress.value.cidr_blocks
}
}
tags = merge(var.tags, {
Name = var.name
})
}
variables.tf
variable "vpc_id" {
type = string
}
variable "name" {
type = string
}
variable "description" {
type = string
}
variable "ingress_rules" {
type = list(object({
protocol = string
from_port = string
to_port = string
cidr_blocks = list(string)
}))
default = []
}
variable "egress_rules" {
type = list(object({
protocol = string
from_port = string
to_port = string
cidr_blocks = list(string)
}))
default = []
}
variable "tags" {
type = map(string)
}
outputs.tf
output "security_group_id" {
value = aws_security_group.security_group.id
}
i) EC2 building block
main.tf
# AMI
data "aws_ami" "ami" {
most_recent = var.most_recent_ami
owners = var.owners
filter {
name = var.ami_name_filter
values = var.ami_values_filter
}
}
# EC2 Instance
resource "aws_instance" "ec2_instance" {
ami = data.aws_ami.ami.id
iam_instance_profile = var.use_instance_profile ? var.instance_profile_name : null
instance_type = var.instance_type
subnet_id = var.subnet_id
vpc_security_group_ids = var.existing_security_group_ids
associate_public_ip_address = var.assign_public_ip
key_name = var.uses_ssh ? var.keypair_name : null
user_data = var.use_userdata ? file(var.userdata_script_path) : null
user_data_replace_on_change = var.use_userdata ? var.user_data_replace_on_change : null
tags = merge(
{
Name = var.instance_name
},
var.extra_tags
)
}
variables.tf
variable "most_recent_ami" {
type = bool
}
variable "owners" {
type = list(string)
default = ["amazon"]
}
variable "ami_name_filter" {
type = string
default = "name"
}
variable "ami_values_filter" {
type = list(string)
default = ["al2023-ami-2023.*-x86_64"]
}
variable "use_instance_profile" {
type = bool
default = false
}
variable "instance_profile_name" {
type = string
}
variable "instance_name" {
description = "Name of the instance"
type = string
}
variable "subnet_id" {
description = "ID of the subnet"
type = string
}
variable "instance_type" {
description = "Type of EC2 instance"
type = string
default = "t2.micro"
}
variable "assign_public_ip" {
type = bool
default = true
}
variable "extra_tags" {
description = "Additional tags for EC2 instances"
type = map(string)
default = {}
}
variable "existing_security_group_ids" {
description = "security group IDs for EC2 instances"
type = list(string)
}
variable "uses_ssh" {
type = bool
}
variable "keypair_name" {
type = string
}
variable "use_userdata" {
description = "Whether to use userdata"
type = bool
default = false
}
variable "userdata_script_path" {
description = "Path to the userdata script"
type = string
}
variable "user_data_replace_on_change" {
type = bool
}
outputs.tf
output "instance_id" {
value = aws_instance.ec2_instance.id
}
output "instance_arn" {
value = aws_instance.ec2_instance.arn
}
output "instance_private_ip" {
value = aws_instance.ec2_instance.private_ip
}
output "instance_public_ip" {
value = aws_instance.ec2_instance.public_ip
}
output "instance_public_dns" {
value = aws_instance.ec2_instance.public_dns
}
j) IAM Role building block
main.tf
data "aws_iam_policy_document" "assume_role" {
statement {
effect = "Allow"
dynamic "principals" {
for_each = { for principal in var.principals : principal.type => principal }
content {
type = principals.value.type
identifiers = principals.value.identifiers
}
}
actions = ["sts:AssumeRole"]
dynamic "condition" {
for_each = var.is_external ? [var.condition] : []
content {
test = condition.value.test
variable = condition.value.variable
values = condition.value.values
}
}
}
}
data "aws_iam_policy_document" "policy_document" {
dynamic "statement" {
for_each = { for statement in var.policy_statements : statement.sid => statement }
content {
effect = "Allow"
actions = statement.value.actions
resources = statement.value.resources
dynamic "condition" {
for_each = statement.value.has_condition ? [statement.value.condition] : []
content {
test = condition.value.test
variable = condition.value.variable
values = condition.value.values
}
}
}
}
}
resource "aws_iam_role" "role" {
name = var.role_name
assume_role_policy = data.aws_iam_policy_document.assume_role.json
}
resource "aws_iam_role_policy" "policy" {
count = length(var.policy_statements) > 0 && var.policy_name != "" ? 1 : 0
name = var.policy_name
role = aws_iam_role.role.id
policy = data.aws_iam_policy_document.policy_document.json
}
resource "aws_iam_role_policy_attachment" "attachment" {
for_each = { for attachment in var.policy_attachments : attachment.arn => attachment }
policy_arn = each.value.arn
role = aws_iam_role.role.name
}
variables.tf
variable "principals" {
type = list(object({
type = string
identifiers = list(string)
}))
}
variable "is_external" {
type = bool
default = false
}
variable "condition" {
type = object({
test = string
variable = string
values = list(string)
})
default = {
test = "test"
variable = "variable"
values = ["values"]
}
}
variable "role_name" {
type = string
}
variable "policy_name" {
type = string
}
variable "policy_attachments" {
type = list(object({
arn = string
}))
default = []
}
variable "policy_statements" {
type = list(object({
sid = string
actions = list(string)
resources = list(string)
has_condition = optional(bool, false)
condition = optional(object({
test = string
variable = string
values = list(string)
}))
}))
default = [
{
sid = "CloudWatchLogsPermissions"
actions = [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:PutLogEvents",
"logs:GetLogEvents",
"logs:FilterLogEvents",
],
resources = ["*"]
}
]
}
outputs.tf
output "role_arn" {
value = aws_iam_role.role.arn
}
output "role_name" {
value = aws_iam_role.role.name
}
output "unique_id" {
value = aws_iam_role.role.unique_id
}
k) Instance Profile building block
main.tf
# Instance Profile
resource "aws_iam_instance_profile" "instance_profile" {
name = var.instance_profile_name
path = var.path
role = var.iam_role_name
tags = merge(var.instance_profile_tags, {
Name = var.instance_profile_name
})
}
variables.tf
variable "instance_profile_name" {
type = string
description = "(Optional, Forces new resource) Name of the instance profile. If omitted, Terraform will assign a random, unique name. Conflicts with name_prefix. Can be a string of characters consisting of upper and lowercase alphanumeric characters and these special characters: _, +, =, ,, ., @, -. Spaces are not allowed."
}
variable "iam_role_name" {
type = string
description = "(Optional) Name of the role to add to the profile."
}
variable "path" {
type = string
default = "/"
description = "(Optional, default ' / ') Path to the instance profile. For more information about paths, see IAM Identifiers in the IAM User Guide. Can be a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. Can include any ASCII character from the ! (\u0021) through the DEL character (\u007F), including most punctuation characters, digits, and upper and lowercase letters."
}
variable "instance_profile_tags" {
type = map(string)
}
outputs.tf
output "arn" {
value = aws_iam_instance_profile.instance_profile.arn
}
output "name" {
value = aws_iam_instance_profile.instance_profile.name
}
output "id" {
value = aws_iam_instance_profile.instance_profile.id
}
output "unique_id" {
value = aws_iam_instance_profile.instance_profile.unique_id
}
l) EKS Cluster building block
main.tf
# EKS Cluster
resource "aws_eks_cluster" "cluster" {
name = var.name
enabled_cluster_log_types = var.enabled_cluster_log_types
role_arn = var.cluster_role_arn
version = var.cluster_version
vpc_config {
subnet_ids = var.subnet_ids
}
}
variables.tf
variable "name" {
type = string
description = "(Required) Name of the cluster. Must be between 1-100 characters in length. Must begin with an alphanumeric character, and must only contain alphanumeric characters, dashes and underscores (^[0-9A-Za-z][A-Za-z0-9\\-_]+$)."
}
variable "enabled_cluster_log_types" {
type = list(string)
description = "(Optional) List of the desired control plane logging to enable."
default = []
}
variable "cluster_role_arn" {
type = string
description = "(Required) ARN of the IAM role that provides permissions for the Kubernetes control plane to make calls to AWS API operations on your behalf."
}
variable "subnet_ids" {
type = list(string)
description = "(Required) List of subnet IDs. Must be in at least two different availability zones. Amazon EKS creates cross-account elastic network interfaces in these subnets to allow communication between your worker nodes and the Kubernetes control plane."
}
variable "cluster_version" {
type = string
description = "(Optional) Desired Kubernetes master version. If you do not specify a value, the latest available version at resource creation is used and no upgrades will occur except those automatically triggered by EKS. The value must be configured and increased to upgrade the version when desired. Downgrades are not supported by EKS."
default = null
}
outputs.tf
output "arn" {
value = aws_eks_cluster.cluster.arn
}
output "endpoint" {
value = aws_eks_cluster.cluster.endpoint
}
output "id" {
value = aws_eks_cluster.cluster.id
}
output "kubeconfig-certificate-authority-data" {
value = aws_eks_cluster.cluster.certificate_authority[0].data
}
output "name" {
value = aws_eks_cluster.cluster.name
}
output "oidc_tls_issuer" {
value = aws_eks_cluster.cluster.identity[0].oidc[0].issuer
}
output "version" {
value = aws_eks_cluster.cluster.version
}
m) EKS Add-ons building block
main.tf
# EKS Add-On
resource "aws_eks_addon" "addon" {
for_each = { for addon in var.addons : addon.name => addon }
cluster_name = var.cluster_name
addon_name = each.value.name
addon_version = each.value.version
}
variables.tf
variable "addons" {
type = list(object({
name = string
version = string
}))
description = "(Required) Name of the EKS add-on."
}
variable "cluster_name" {
type = string
description = "(Required) Name of the EKS Cluster. Must be between 1-100 characters in length. Must begin with an alphanumeric character, and must only contain alphanumeric characters, dashes and underscores (^[0-9A-Za-z][A-Za-z0-9\\-_]+$)."
}
outputs.tf
output "arns" {
value = values(aws_eks_addon.addon)[*].arn
}
n) EKS Node Group building block
main.tf
# EKS node group
resource "aws_eks_node_group" "node_group" {
cluster_name = var.cluster_name
node_group_name = var.node_group_name
node_role_arn = var.node_role_arn
subnet_ids = var.subnet_ids
version = var.cluster_version
ami_type = var.ami_type
capacity_type = var.capacity_type
disk_size = var.disk_size
instance_types = var.instance_types
scaling_config {
desired_size = var.scaling_config.desired_size
max_size = var.scaling_config.max_size
min_size = var.scaling_config.min_size
}
update_config {
max_unavailable = var.update_config.max_unavailable
max_unavailable_percentage = var.update_config.max_unavailable_percentage
}
}
variables.tf
variable "cluster_name" {
type = string
description = "(Required) Name of the EKS Cluster. Must be between 1-100 characters in length. Must begin with an alphanumeric character, and must only contain alphanumeric characters, dashes and underscores (^[0-9A-Za-z][A-Za-z0-9\\-_]+$)."
}
variable "node_group_name" {
type = string
description = "(Optional) Name of the EKS Node Group. If omitted, Terraform will assign a random, unique name. Conflicts with node_group_name_prefix. The node group name can't be longer than 63 characters. It must start with a letter or digit, but can also include hyphens and underscores for the remaining characters."
}
variable "node_role_arn" {
type = string
description = "(Required) Amazon Resource Name (ARN) of the IAM Role that provides permissions for the EKS Node Group."
}
variable "scaling_config" {
type = object({
desired_size = number
max_size = number
min_size = number
})
default = {
desired_size = 1
max_size = 1
min_size = 1
}
description = "(Required) Configuration block with scaling settings."
}
variable "subnet_ids" {
type = list(string)
description = "(Required) Identifiers of EC2 Subnets to associate with the EKS Node Group. These subnets must have the following resource tag: kubernetes.io/cluster/CLUSTER_NAME (where CLUSTER_NAME is replaced with the name of the EKS Cluster)."
}
variable "update_config" {
type = object({
max_unavailable_percentage = optional(number)
max_unavailable = optional(number)
})
}
variable "cluster_version" {
type = string
description = "(Optional) Kubernetes version. Defaults to EKS Cluster Kubernetes version. Terraform will only perform drift detection if a configuration value is provided."
default = null
}
variable "ami_type" {
type = string
description = "(Optional) Type of Amazon Machine Image (AMI) associated with the EKS Node Group. Valid values are: AL2_x86_64 | AL2_x86_64_GPU | AL2_ARM_64 | CUSTOM | BOTTLEROCKET_ARM_64 | BOTTLEROCKET_x86_64 | BOTTLEROCKET_ARM_64_NVIDIA | BOTTLEROCKET_x86_64_NVIDIA | WINDOWS_CORE_2019_x86_64 | WINDOWS_FULL_2019_x86_64 | WINDOWS_CORE_2022_x86_64 | WINDOWS_FULL_2022_x86_64 | AL2023_x86_64_STANDARD | AL2023_ARM_64_STANDARD"
default = "AL2023_x86_64_STANDARD"
}
variable "capacity_type" {
type = string
description = "(Optional) Type of capacity associated with the EKS Node Group. Valid values: ON_DEMAND, SPOT."
default = "ON_DEMAND"
}
variable "disk_size" {
type = number
description = "(Optional) Disk size in GiB for worker nodes. Defaults to 20."
default = 20
}
variable "instance_types" {
type = list(string)
description = "(Required) Set of instance types associated with the EKS Node Group. Defaults to [\"t3.medium\"]."
default = ["t3.medium"]
}
outputs.tf
output "arn" {
value = aws_eks_node_group.node_group.arn
}
o) IAM OIDC building block (to allow pods to assume IAM roles)
main.tf
data "tls_certificate" "tls" {
url = var.oidc_issuer
}
resource "aws_iam_openid_connect_provider" "provider" {
client_id_list = var.client_id_list
thumbprint_list = data.tls_certificate.tls.certificates[*].sha1_fingerprint
url = data.tls_certificate.tls.url
}
data "aws_iam_policy_document" "assume_role_policy" {
statement {
actions = ["sts:AssumeRoleWithWebIdentity"]
effect = "Allow"
condition {
test = "StringEquals"
variable = "${replace(aws_iam_openid_connect_provider.provider.url, "https://", "")}:sub"
values = ["system:serviceaccount:kube-system:aws-node"]
}
principals {
identifiers = [aws_iam_openid_connect_provider.provider.arn]
type = "Federated"
}
}
}
resource "aws_iam_role" "role" {
assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
name = var.role_name
}
variables.tf
variable "role_name" {
type = string
description = "(Required) Name of the IAM role."
}
variable "client_id_list" {
type = list(string)
default = ["sts.amazonaws.com"]
}
variable "oidc_issuer" {
type = string
}
outputs.tf
output "provider_arn" {
value = aws_iam_openid_connect_provider.provider.arn
}
output "provider_id" {
value = aws_iam_openid_connect_provider.provider.id
}
output "provider_url" {
value = aws_iam_openid_connect_provider.provider.url
}
output "role_arn" {
value = aws_iam_role.role.arn
}
With the building blocks defined, we can now version them into GitHub repositories and use them in the next step to develop our Terragrunt code.
2. Write Terragrunt code to provision infrastructure
Our Terragrunt code will have the following directory structure:
infra-live/
<environment>/
<module_1>/
terragrunt.hcl
<module_2>/
terragrunt.hcl
...
<module_n>/
terragrunt.hcl
terragrunt.hcl
For our article, we'll only have a dev directory. This directory will contain directories that will represent the different specific resources we'll want to create.
Our final folder structure will be:
infra-live/
dev/
bastion-ec2/
terragrunt.hcl
user-data.sh
bastion-instance-profile/
terragrunt.hcl
bastion-role/
terragrunt.hcl
eks-addons/
terragrunt.hcl
eks-cluster/
terragrunt.hcl
eks-cluster-role/
terragrunt.hcl
eks-node-group/
terragrunt.hcl
eks-pod-iam/
terragrunt.hcl
internet-gateway/
terragrunt.hcl
nacl/
terragrunt.hcl
nat-gateway/
terragrunt.hcl
nat-gw-eip/
terragrunt.hcl
private-route-table/
terragrunt.hcl
private-subnets/
terragrunt.hcl
public-route-table/
terragrunt.hcl
public-subnets/
terragrunt.hcl
security-group/
terragrunt.hcl
vpc/
terragrunt.hcl
worker-node-role/
terragrunt.hcl
.gitignore
terragrunt.hcl
a) infra-live/terragrunt.hcl
Our root terragrunt.hcl file will contain the configuration for our remote Terraform state. We'll use an S3 bucket in AWS to store our Terraform state file, and the name of our S3 bucket must be unique for it to be successfully created. This bucket must be created before applying any terragrunt configuration. My S3 bucket is in the N. Virginia region (us-east-1).
generate "backend" {
path = "backend.tf"
if_exists = "overwrite_terragrunt"
contents = <<EOF
terraform {
backend "s3" {
bucket = "<s3_bucket_name>"
key = "infra-live/${path_relative_to_include()}/terraform.tfstate"
region = "us-east-1"
encrypt = true
}
}
EOF
}
Make sure you replace with the name of your own S3 bucket.
b) infra-live/dev/vpc/terragrunt.hcl
This module uses the VPC building block to create our VPC.
Our VPC CIDR will be 10.0.0.0/16.
include "root" {
path = find_in_parent_folders()
}
terraform {
source = "git@github.com:<name_or_org>/vpc.git"
}
inputs = {
vpc_cidr = "10.0.0.0/16"
vpc_name = "eks-demo-vpc"
enable_dns_hostnames = true
vpc_tags = {}
}
The values passed in the inputs section are the variables that are defined in the building blocks.
For this module and the following modules, we won't be passing the variables AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_REGION since such credentials (bar the AWS_REGION variable) are sensitive. You'll have to add them as secrets in the GitHub repository you'll create to version your Terragrunt code.
c) infra-live/dev/internet-gateway/terragrunt.hcl
This module uses the Internet Gateway building block as its Terraform source to create our VPC's internet gateway.
include "root" {
path = find_in_parent_folders()
}
terraform {
source = "git@github.com:<name_or_org>/internet-gateway.git"
}
dependency "vpc" {
config_path = "../vpc"
}
inputs = {
vpc_id = dependency.vpc.outputs.vpc_id
name = "eks-demo-igw"
tags = {}
}
d) infra-live/dev/public-route-table/terragrunt.hcl
This module uses the Route Table building block as its Terraform source to create our VPC's public route table to be associated with the public subnet we'll create next.
It also adds a route to direct all internet traffic to the internet gateway.
include "root" {
path = find_in_parent_folders()
}
terraform {
source = "git@github.com:<name_or_org>/route-table.git"
}
dependency "vpc" {
config_path = "../vpc"
}
dependency "igw" {
config_path = "../internet-gateway"
}
inputs = {
route_tables = [
{
name = "eks-demo-public-rt"
vpc_id = dependency.vpc.outputs.vpc_id
is_igw_rt = true
routes = [
{
cidr_block = "0.0.0.0/0"
igw_id = dependency.igw.outputs.igw_id
}
]
tags = {}
}
]
}
e) infra-live/dev/public-subnets/terragrunt.hcl
This module uses the Subnet building block as its Terraform source to create our VPC's public subnet and associate it with the public route table.
The CIDR for the public subnet will be 10.0.0.0/24.
include "root" {
path = find_in_parent_folders()
}
terraform {
source = "git@github.com:<name_or_org>/subnet.git"
}
dependency "vpc" {
config_path = "../vpc"
}
dependency "public-route-table" {
config_path = "../public-route-table"
}
inputs = {
subnets = [
{
name = "eks-demo-public-subnet"
vpc_id = dependency.vpc.outputs.vpc_id
cidr_block = "10.0.0.0/24"
availability_zone = "us-east-1a"
map_public_ip_on_launch = true
private_dns_hostname_type_on_launch = "resource-name"
is_public = true
route_table_id = dependency.public-route-table.outputs.route_table_ids[0]
tags = {}
},
{
name = "eks-demo-rds-subnet-a"
vpc_id = dependency.vpc.outputs.vpc_id
cidr_block = "10.0.1.0/24"
availability_zone = "us-east-1a"
map_public_ip_on_launch = true
private_dns_hostname_type_on_launch = "resource-name"
is_public = true
route_table_id = dependency.public-route-table.outputs.route_table_ids[0]
tags = {}
},
{
name = "eks-demo-rds-subnet-b"
vpc_id = dependency.vpc.outputs.vpc_id
cidr_block = "10.0.2.0/24"
availability_zone = "us-east-1b"
map_public_ip_on_launch = true
private_dns_hostname_type_on_launch = "resource-name"
is_public = true
route_table_id = dependency.public-route-table.outputs.route_table_ids[0]
tags = {}
}
]
}
f) infra-live/dev/nat-gw-eip/terragrunt.hcl
This module uses the Elastic IP building block as its Terraform source to create a static IP in our VPC which we'll associate with the NAT gateway we'll create next.
include "root" {
path = find_in_parent_folders()
}
terraform {
source = "git@github.com:<name_or_org>/eip.git"
}
dependency "vpc" {
config_path = "../vpc"
}
inputs = {}
g) infra-live/dev/nat-gateway/terragrunt.hcl
This module uses the NAT Gateway building block as its Terraform to create a NAT Gateway that we'll place in our VPC's public subnet. It will have the previously created elastic IP attached to it.
include "root" {
path = find_in_parent_folders()
}
terraform {
source = "git@github.com:<name_or_org>/nat-gateway.git"
}
dependency "eip" {
config_path = "../nat-gw-eip"
}
dependency "public-subnets" {
config_path = "../public-subnets"
}
inputs = {
eip_id = dependency.eip.outputs.eip_id
subnet_id = dependency.public-subnets.outputs.public_subnets[0]
name = "eks-demo-nat-gw"
tags = {}
}
h) infra-live/dev/private-route-table/terragrunt.hcl
This module uses the Route Table building block as its Terraform source to create our VPC's private route table to be associated with the private subnets we'll create next.
It also adds a route to direct all internet traffic to the NAT gateway.
include "root" {
path = find_in_parent_folders()
}
terraform {
source = "git@github.com:<name_or_org>/route-table.git"
}
dependency "vpc" {
config_path = "../vpc"
}
dependency "nat-gw" {
config_path = "../nat-gateway"
}
inputs = {
route_tables = [
{
name = "eks-demo-private-rt"
vpc_id = dependency.vpc.outputs.vpc_id
is_igw_rt = false
routes = [
{
cidr_block = "0.0.0.0/0"
nat_gw_id = dependency.nat-gw.outputs.nat_gw_id
}
]
tags = {}
}
]
}
i) infra-live/dev/private-subnets/terragrunt.hcl
This module uses the Subnet building block as its Terraform source to create our VPC's private subnets and associate them with the private route table.
The CIDRs for the app private subnets will be 10.0.100.0/24 (us-east-1a) and 10.0.200.0/24 (us-east-1b), and those for the DB private subnets will be 10.0.10.0/24 (us-east-1a) and 10.0.20.0/24 (us-east-1b).
include "root" {
path = find_in_parent_folders()
}
terraform {
source = "git@github.com:<name_or_org>/subnet.git"
}
dependency "vpc" {
config_path = "../vpc"
}
dependency "private-route-table" {
config_path = "../private-route-table"
}
inputs = {
subnets = [
{
name = "eks-demo-app-subnet-a"
vpc_id = dependency.vpc.outputs.vpc_id
cidr_block = "10.0.100.0/24"
availability_zone = "us-east-1a"
map_public_ip_on_launch = false
private_dns_hostname_type_on_launch = "resource-name"
is_public = false
route_table_id = dependency.private-route-table.outputs.route_table_ids[0]
tags = {}
},
{
name = "eks-demo-app-subnet-b"
vpc_id = dependency.vpc.outputs.vpc_id
cidr_block = "10.0.200.0/24"
availability_zone = "us-east-1b"
map_public_ip_on_launch = false
private_dns_hostname_type_on_launch = "resource-name"
is_public = false
route_table_id = dependency.private-route-table.outputs.route_table_ids[0]
tags = {}
},
{
name = "eks-demo-data-subnet-a"
vpc_id = dependency.vpc.outputs.vpc_id
cidr_block = "10.0.10.0/24"
availability_zone = "us-east-1a"
map_public_ip_on_launch = false
private_dns_hostname_type_on_launch = "resource-name"
is_public = false
route_table_id = dependency.private-route-table.outputs.route_table_ids[0]
tags = {}
},
{
name = "eks-demo-data-subnet-b"
vpc_id = dependency.vpc.outputs.vpc_id
cidr_block = "10.0.20.0/24"
availability_zone = "us-east-1b"
map_public_ip_on_launch = false
private_dns_hostname_type_on_launch = "resource-name"
is_public = false
route_table_id = dependency.private-route-table.outputs.route_table_ids[0]
tags = {}
}
]
}
j) infra-live/dev/nacl/terragrunt.hcl
This module uses the NACL building block as its Terraform source to create NACLs for our public and private subnets.
For the sake of simplicity, we'll configure very loose NACL and security group rules, but in the next blog post, we'll enforce security rules for the VPC and cluster.
Note, though, that the data subnet's NACLs only allow traffic on port 5432 from the app subnet CIDRs.
include "root" {
path = find_in_parent_folders()
}
terraform {
source = "git@github.com:<name_or_org>/nacl.git"
}
dependency "vpc" {
config_path = "../vpc"
}
dependency "public-subnets" {
config_path = "../public-subnets"
}
dependency "private-subnets" {
config_path = "../private-subnets"
}
inputs = {
_vpc_id = dependency.vpc.outputs.vpc_id
nacls = [
# Public NACL
{
name = "eks-demo-public-nacl"
vpc_id = dependency.vpc.outputs.vpc_id
egress = [
{
protocol = "-1"
rule_no = 500
action = "allow"
cidr_block = "0.0.0.0/0"
from_port = 0
to_port = 0
}
]
ingress = [
{
protocol = "-1"
rule_no = 100
action = "allow"
cidr_block = "0.0.0.0/0"
from_port = 0
to_port = 0
}
]
subnet_id = dependency.public-subnets.outputs.public_subnets[0]
tags = {}
},
# App NACL A
{
name = "eks-demo-nacl-a"
vpc_id = dependency.vpc.outputs.vpc_id
egress = [
{
protocol = "-1"
rule_no = 100
action = "allow"
cidr_block = "0.0.0.0/0"
from_port = 0
to_port = 0
}
]
ingress = [
{
protocol = "-1"
rule_no = 100
action = "allow"
cidr_block = "0.0.0.0/0"
from_port = 0
to_port = 0
}
]
subnet_id = dependency.private-subnets.outputs.private_subnets[0]
tags = {}
},
# App NACL B
{
name = "eks-demo-nacl-b"
vpc_id = dependency.vpc.outputs.vpc_id
egress = [
{
protocol = "-1"
rule_no = 100
action = "allow"
cidr_block = "0.0.0.0/0"
from_port = 0
to_port = 0
}
]
ingress = [
{
protocol = "-1"
rule_no = 100
action = "allow"
cidr_block = "0.0.0.0/0"
from_port = 0
to_port = 0
}
]
subnet_id = dependency.private-subnets.outputs.private_subnets[1]
tags = {}
},
# RDS NACL A
{
name = "eks-demo-rds-nacl-a"
vpc_id = dependency.vpc.outputs.vpc_id
egress = [
{
protocol = "tcp"
rule_no = 100
action = "allow"
cidr_block = "10.0.100.0/24"
from_port = 1024
to_port = 65535
},
{
protocol = "tcp"
rule_no = 200
action = "allow"
cidr_block = "10.0.200.0/24"
from_port = 1024
to_port = 65535
},
{
protocol = "tcp"
rule_no = 300
action = "allow"
cidr_block = "10.0.0.0/24"
from_port = 1024
to_port = 65535
}
]
ingress = [
{
protocol = "tcp"
rule_no = 100
action = "allow"
cidr_block = "10.0.100.0/24"
from_port = 5432
to_port = 5432
},
{
protocol = "tcp"
rule_no = 200
action = "allow"
cidr_block = "10.0.200.0/24"
from_port = 5432
to_port = 5432
},
{
protocol = "tcp"
rule_no = 300
action = "allow"
cidr_block = "10.0.0.0/24"
from_port = 5432
to_port = 5432
}
]
subnet_id = dependency.private-subnets.outputs.private_subnets[1]
tags = {}
},
# RDS NACL B
{
name = "eks-demo-rds-nacl-b"
vpc_id = dependency.vpc.outputs.vpc_id
egress = [
{
protocol = "tcp"
rule_no = 100
action = "allow"
cidr_block = "10.0.100.0/24"
from_port = 1024
to_port = 65535
},
{
protocol = "tcp"
rule_no = 200
action = "allow"
cidr_block = "10.0.200.0/24"
from_port = 1024
to_port = 65535
},
{
protocol = "tcp"
rule_no = 300
action = "allow"
cidr_block = "10.0.0.0/24"
from_port = 1024
to_port = 65535
}
]
ingress = [
{
protocol = "tcp"
rule_no = 100
action = "allow"
cidr_block = "10.0.100.0/24"
from_port = 5432
to_port = 5432
},
{
protocol = "tcp"
rule_no = 200
action = "allow"
cidr_block = "10.0.200.0/24"
from_port = 5432
to_port = 5432
},
{
protocol = "tcp"
rule_no = 300
action = "allow"
cidr_block = "10.0.0.0/24"
from_port = 5432
to_port = 5432
}
]
subnet_id = dependency.private-subnets.outputs.private_subnets[2]
tags = {}
}
]
}
k) infra-live/dev/security-group/terragrunt.hcl
This module uses the Security Group building block as its Terraform source to create a security group for our nodes and bastion host.
Again, its rules are going to be very loose, but we'll correct that in the next article.
include "root" {
path = find_in_parent_folders()
}
terraform {
source = "git@github.com:<name_or_org>/security-group.git"
}
dependency "vpc" {
config_path = "../vpc"
}
dependency "public-subnets" {
config_path = "../public-subnets"
}
dependency "private-subnets" {
config_path = "../private-subnets"
}
inputs = {
vpc_id = dependency.vpc.outputs.vpc_id
name = "public-sg"
description = "Open security group"
ingress_rules = [
{
protocol = "-1"
from_port = 0
to_port = 0
cidr_blocks = ["0.0.0.0/0"]
}
]
egress_rules = [
{
protocol = "-1"
from_port = 0
to_port = 0
cidr_blocks = ["0.0.0.0/0"]
}
]
tags = {}
}
l) infra-live/dev/bastion-role/terragrunt.hcl
This module uses the IAM Role building block as its Terraform source to create an IAM role with the permissions that our bastion host will need to perform EKS actions and to be managed by Systems Manager.
include "root" {
path = find_in_parent_folders()
}
terraform {
source = "git@github.com:<name_or_org>/iam-role.git"
}
inputs = {
principals = [
{
type = "Service"
identifiers = ["ec2.amazonaws.com"]
}
]
policy_name = "EKSDemoBastionPolicy"
policy_attachments = [
{
arn = "arn:aws:iam::534876755051:policy/AmazonEKSFullAccessPolicy"
},
{
arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}
]
policy_statements = []
role_name = "EKSDemoBastionRole"
}
m) infra-live/dev/bastion-instance-profile/terragrunt.hcl
This module uses the *Instance Profile building block as its Terraform source to create an IAM instance profile for our bastion host. The IAM role created in the previous step is attached to this instance profile.
include "root" {
path = find_in_parent_folders()
}
terraform {
source = "git@github.com:<name_or_org>/instance-profile.git"
}
dependency "iam-role" {
config_path = "../bastion-role"
}
inputs = {
instance_profile_name = "EKSBastionInstanceProfile"
path = "/"
iam_role_name = dependency.iam-role.outputs.role_name
instance_profile_tags = {}
}
n) infra-live/dev/bastion-ec2/terragrunt.hcl
This module uses the EC2 building block as its Terraform source to create an EC2 instance which we'll use as a jump box (or bastion host) to manage the worker nodes in our EKS cluster.
The bastion host will be placed in our public subnet and will have the instance profile we created in the previous step attached to it, as well as our loose security group.
It is a Linux instance of type t2.micro using the Amazon Linux 2023 AMI with a user data script configured. This script will be defined in the next step.
include "root" {
path = find_in_parent_folders()
}
terraform {
source = "git@github.com:<name_or_org>/ec2.git"
}
dependency "public-subnets" {
config_path = "../public-subnets"
}
dependency "instance-profile" {
config_path = "../bastion-instance-profile"
}
dependency "security-group" {
config_path = "../security-group"
}
inputs = {
instance_name = "eks-bastion-host"
use_instance_profile = true
instance_profile_name = dependency.instance-profile.outputs.name
most_recent_ami = true
owners = ["amazon"]
ami_name_filter = "name"
ami_values_filter = ["al2023-ami-2023.*-x86_64"]
instance_type = "t2.micro"
subnet_id = dependency.public-subnets.outputs.public_subnets[0]
existing_security_group_ids = [dependency.security-group.outputs.security_group_id]
assign_public_ip = true
uses_ssh = false
keypair_name = ""
use_userdata = true
userdata_script_path = "user-data.sh"
user_data_replace_on_change = true
extra_tags = {}
}
o) infra-live/dev/bastion-ec2/user-data.sh
This user data script installs the AWS CLI, as well as the kubectl and eksctl tools. It also configures an alias for the kubectl utility (k), and bash completion for it.
#!/bin/bash
# Become root user
sudo su - ec2-user
# Update software packages
sudo yum update -y
# Download AWS CLI package
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv.zip"
# Unzip file
unzip -q awscli.zip
# Install AWS CLI
./aws/install
# Check AWS CLI version
aws —version
# Download kubectl binary
sudo curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
# Give the binary executable permissions
sudo chmod +x ./kubectl
# Move binary to directory in system’s path
sudo mv kubectl /usr/local/bin/
export PATH=/usr/local/bin:$PATH
# Check kubectl version
kubectl version -—client
# Installing kubectl bash completion on Linux
## If bash-completion is not installed on Linux, install the 'bash-completion' package
## via your distribution's package manager.
## Load the kubectl completion code for bash into the current shell
echo 'source <(kubectl completion bash)' >>~/.bash_profile
## Write bash completion code to a file and source it from .bash_profile
# kubectl completion bash > ~/.kube/completion.bash.inc
# printf "
# # kubectl shell completion
# source '$HOME/.kube/completion.bash.inc'
# " >> $HOME/.bash_profile
# source $HOME/.bash_profile
# Set bash completion for kubectl alias (k)
echo 'alias k=kubectl' >>~/.bashrc
echo 'complete -o default -F __start_kubectl k' >>~/.bashrc
source ~/.bashrc
# Get platform
ARCH=amd64
PLATFORM=$(uname -s)_$ARCH
# Download eksctl tool for platform
curl -sLO "https://github.com/eksctl-io/eksctl/releases/latest/download/eksctl_$PLATFORM.tar.gz"
# (Optional) Verify checksum
curl -sL "https://github.com/eksctl-io/eksctl/releases/latest/download/eksctl_checksums.txt" | grep $PLATFORM | sha256sum --check
# Extract binary
tar -xzf eksctl_$PLATFORM.tar.gz -C /tmp && rm eksctl_$PLATFORM.tar.gz
# Move binary to directory in system’s path
sudo mv /tmp/eksctl /usr/local/bin
# Check eksctl version
eksctl version
# Enable eksctl bash completion
. <(eksctl completion bash)
# Update system
sudo yum update -y
# Install Docker
sudo yum install docker -y
# Start Docker
sudo service docker start
# Add ec2-user to docker group
sudo usermod -a -G docker ec2-user
# Create docker group
newgrp docker
# Ensure docker is on
sudo chkconfig docker on
p) infra-live/dev/eks-cluster-role/terragrunt.hcl
This module uses the IAM Role building block as its Terraform source to create an IAM role for the EKS cluster. It has the managed policy AmazonEKSClusterPolicy attached to it.
include "root" {
path = find_in_parent_folders()
}
terraform {
source = "git@github.com:<name_or_org>/iam-role.git"
}
inputs = {
principals = [
{
type = "Service"
identifiers = ["eks.amazonaws.com"]
}
]
policy_name = "EKSDemoClusterRolePolicy"
policy_attachments = [
{
arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
}
]
policy_statements = []
role_name = "EKSDemoClusterRole"
}
q) infra-live/dev/eks-cluster/terragrunt.hcl
This module uses the EKS Cluster building block as its Terraform source to create an EKS cluster which uses the IAM role created in the previous step.
The cluster will provision ENIs (Elastic Network Interfaces) in the private subnets we had created, which will be used by the EKS worker nodes.
The cluster also has various cluster log types enabled for auditing purposes.
include "root" {
path = find_in_parent_folders()
}
terraform {
source = "git@github.com:gozem-test/eks-cluster.git"
}
dependency "private-subnets" {
config_path = "../private-subnets"
}
dependency "iam-role" {
config_path = "../eks-cluster-role"
}
inputs = {
name = "eks-demo"
subnet_ids = [dependency.private-subnets.outputs.private_subnets[0], dependency.private-subnets.outputs.private_subnets[1]]
cluster_role_arn = dependency.iam-role.outputs.role_arn
enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
}
r) infra-live/dev/eks-addons/terragrunt.hcl
This module uses the EKS Add-ons building block as its Terraform source to activate add-ons for our EKS cluster.
This is very important, given that these add-ons can help with networking within the AWS VPC using the VPC features (vpc-cni), cluster domain name resolution (coredns), maintaining network connectivity between services and pods in the cluster (kube-proxy), managing IAM credentials in the cluster (eks-pod-identity-agent), or allowing EKS to manage the lifecycle of EBS volumes (aws-ebs-csi-driver).
include "root" {
path = find_in_parent_folders()
}
terraform {
source = "git@github.com:<name_or_org>/eks-addon.git"
}
dependency "cluster" {
config_path = "../eks-cluster"
}
inputs = {
cluster_name = dependency.cluster.outputs.name
addons = [
{
name = "vpc-cni"
version = "v1.18.0-eksbuild.1"
},
{
name = "coredns"
version = "v1.11.1-eksbuild.6"
},
{
name = "kube-proxy"
version = "v1.29.1-eksbuild.2"
},
{
name = "aws-ebs-csi-driver"
version = "v1.29.1-eksbuild.1"
},
{
name = "eks-pod-identity-agent"
version = "v1.2.0-eksbuild.1"
}
]
}
s) infra-live/dev/worker-node-role/terragrunt.hcl
This module uses the IAM Role building block as its Terraform source to create an IAM role for the EKS worker nodes.
This role grants the node group permissions to carry out its operations within the cluster, and for its nodes to be managed by Systems Manager.
include "root" {
path = find_in_parent_folders()
}
terraform {
source = "git@github.com:<name_or_org>/iam-role.git"
}
inputs = {
principals = [
{
type = "Service"
identifiers = ["ec2.amazonaws.com"]
}
]
policy_name = "EKSDemoWorkerNodePolicy"
policy_attachments = [
{
arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
},
{
arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
},
{
arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
},
{
arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
},
{
arn = "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController"
}
]
policy_statements = []
role_name = "EKSDemoWorkerNodeRole"
}
t) infra-live/dev/eks-node-group/terragrunt.hcl
This module uses the EKS Node Group building block as its Terraform source to create a node group in the cluster.
The nodes in the node group will be provisioned in the VPC's private subnets, and we'll be using on-demand Linux instances of type m5.4xlarge with the AL2_x86_64 AMI and disk size of 20GB. We use an m5.4xlarge instance because it supports trunking, which we'll need in the next article to deploy pods and associate security groups to them.
include "root" {
path = find_in_parent_folders()
}
terraform {
source = "git@github.com:<name_or_org>/eks-node-group.git"
}
dependency "cluster" {
config_path = "../eks-cluster"
}
dependency "iam-role" {
config_path = "../worker-node-role"
}
dependency "private-subnets" {
config_path = "../private-subnets"
}
inputs = {
cluster_name = dependency.cluster.outputs.name
node_role_arn = dependency.iam-role.outputs.role_arn
node_group_name = "eks-demo-node-group"
scaling_config = {
desired_size = 2
max_size = 4
min_size = 1
}
subnet_ids = [dependency.private-subnets.outputs.private_subnets[0], dependency.private-subnets.outputs.private_subnets[1]]
update_config = {
max_unavailable_percentage = 50
}
ami_type = "AL2_x86_64"
capacity_type = "ON_DEMAND"
disk_size = 20
instance_types = ["m5.4xlarge"]
}
u) infra-live/dev/eks-pod-iam/terragrunt.hcl
This module uses the IAM OIDC building block as its Terraform source to create resources that will allow pods to assume IAM roles and communicate with other AWS services.
include "root" {
path = find_in_parent_folders()
}
terraform {
source = "git@github.com:<name_or_org>/iam-oidc.git"
}
dependency "cluster" {
config_path = "../eks-cluster"
}
inputs = {
role_name = "EKSDemoPodIAMAuth"
oidc_issuer = dependency.cluster.outputs.oidc_tls_issuer
client_id_list = ["sts.amazonaws.com"]
}
Having done all this, we now need to create a GitHub repository for our Terragrunt code and push our code to that repository. We should also configure repository secrets for our AWS credentials (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION) and an SSH private key that we'll use to access the repositories with our Terraform building blocks.
Once that is done, we can proceed to create a GitHub Actions workflow to automate the provisioning of our infrastructure.
3. Create a GitHub Actions workflow for Automated Infrastructure Provisioning
Now that our code has been versioned, we can write a workflow that will be triggered whenever we push code to the main branch (use whichever branch you prefer, like master).
Ideally, this workflow should only be triggered after a pull request has been approved to merge to the main branch, but we'll keep it simple for illustration purposes.
The first thing will be to create a .github/workflows in the root directory of your infra-live project. You can then create a YAML file within this infra-live/.github/workflows directory called deploy.yml, for example.
We'll add the following code to our infra-live/.github/workflows/configure.yml file to handle the provisioning of our infrastructure:
name: Deploy
on:
push:
branches:
- main
pull_request:
branches:
- main
jobs:
terraform:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v2
- name: Setup SSH
uses: webfactory/ssh-agent@v0.4.1
with:
ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
- name: Setup Terraform
uses: hashicorp/setup-terraform@v2
with:
terraform_version: 1.5.5
terraform_wrapper: false
- name: Setup Terragrunt
run: |
curl -LO "https://github.com/gruntwork-io/terragrunt/releases/download/v0.48.1/terragrunt_linux_amd64"
chmod +x terragrunt_linux_amd64
sudo mv terragrunt_linux_amd64 /usr/local/bin/terragrunt
terragrunt -v
- name: Apply Terraform changes
run: |
cd dev
terragrunt run-all apply -auto-approve --terragrunt-non-interactive -var AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID -var AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY -var AWS_REGION=$AWS_DEFAULT_REGION
cd bastion-ec2
ip=$(terragrunt output instance_public_ip)
echo "$ip"
echo "$ip" > public_ip.txt
cat public_ip.txt
pwd
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
Let's break down what this file does:
a) The name: Deploy line names our workflow Deploy
b) The following lines of code tell GitHub to trigger this workflow whenever code is pushed to the main branch or a pull request is merged to the main branch:
on:
push:
branches:
- main
pull_request:
branches:
- main
c) Then we define our job called terraform using the lines below, telling GitHub to use a runner that runs on the latest version of Ubuntu. Think of a runner as the GitHub server executing the commands in this workflow file for us:
jobs:
terraform:
runs-on: ubuntu-latest
d) We then define a series of steps or blocks of commands that will be executed in order.
The first step uses a GitHub action to checkout our infra-live repository into the runner so that we can start working with it:
- name: Checkout repository
uses: actions/checkout@v2
The next step uses another GitHub action to help us easily set up SSH on the GitHub runner using the private key we had defined as a repository secret:
- name: Setup SSH
uses: webfactory/ssh-agent@v0.4.1
with:
ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
The following step uses yet another GitHub action to help us easily install Terraform on the GitHub runner, specifying the exact version that we need:
- name: Setup Terraform
uses: hashicorp/setup-terraform@v2
with:
terraform_version: 1.5.5
terraform_wrapper: false
Then we use another step to execute a series of commands that install Terragrunt on the GitHub runner. We use the command terragrunt -v to check the version of Terragrunt installed and confirm that the installation was successful:
- name: Setup Terragrunt
run: |
curl -LO "https://github.com/gruntwork-io/terragrunt/releases/download/v0.48.1/terragrunt_linux_amd64"
chmod +x terragrunt_linux_amd64
sudo mv terragrunt_linux_amd64 /usr/local/bin/terragrunt
terragrunt -v
Finally, we use a step to apply our Terraform changes, then we use a series of commands to retrieve the public IP address of our provisioned EC2 instance and save it to a file called public_ip.txt:
- name: Apply Terraform changes
run: |
cd dev
terragrunt run-all apply -auto-approve --terragrunt-non-interactive -var AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID -var AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY -var AWS_REGION=$AWS_DEFAULT_REGION
cd bastion-ec2
ip=$(terragrunt output instance_public_ip)
echo "$ip"
echo "$ip" > public_ip.txt
cat public_ip.txt
pwd
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
And that's it! We can now watch the pipeline get triggered when we push code to our main branch, and see how our EKS cluster gets provisioned.
In the next article, we'll secure our cluster then access our bastion host and get our hands dirty with real Kubernetes action!
I hope you liked this article. If you have any questions or remarks, please feel free to leave a comment below.
See you soon!
