feat: Adding cluster upgrade in blue-green with route53 example #1255

Merged (20 commits), Dec 22, 2022
1 change: 1 addition & 0 deletions .github/scripts/plan-examples.py
@@ -16,6 +16,7 @@ def get_examples():
'examples/fully-private-eks-cluster/add-ons',
'examples/ai-ml/ray', # excluded until #887 is fixed,
'examples/crossplane' #example removed
'examples/upgrade/blue-green-route53'
}

projects = {
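Review bot: the new entry is missing a comma after `'examples/crossplane' #example removed`, so Python's implicit string-literal concatenation joins the two lines into the single element `'examples/crossplaneexamples/upgrade/blue-green-route53'`, and neither `examples/crossplane` nor `examples/upgrade/blue-green-route53` is actually excluded by `get_examples()`. Add the trailing comma (`'examples/crossplane', # example removed`) and end the new line with a comma too so the next addition does not repeat the mistake.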
435 changes: 435 additions & 0 deletions examples/upgrade/blue-green-route53/README.md
150 changes: 150 additions & 0 deletions examples/upgrade/blue-green-route53/core-infra/README.md
@@ -0,0 +1,150 @@
# Core Infrastructure

## Table of content

- [Core Infrastructure](#core-infrastructure)
- [Table of content](#table-of-content)
- [Getting Started](#getting-started)
- [Usage](#usage)
- [Outputs](#outputs)
- [Cleanup](#cleanup)
- [Terraform Doc](#terraform-doc)
- [Requirements](#requirements)
- [Providers](#providers)
- [Modules](#modules)
- [Resources](#resources)
- [Inputs](#inputs)
- [Outputs](#outputs-1)

This folder contains the Terraform code to deploy the core infratructure for our EKS Cluster **Blue** and **Green**. The AWS resources created by the script are:

- Networking
- VPC
- 3 public subnets, 1 per AZ. If a region has less than 3 AZs it will create same number of public subnets as AZs.
- 3 private subnets, 1 per AZ. If a region has less than 3 AZs it will create same number of private subnets as AZs.
- 1 NAT Gateway
- 1 Internet Gateway
- Associated Route Tables
- 1 Hosted zone to use for our clusters with name `${core_stack_name}.${hosted_zone_name}`
- 1 wildcard certificat for TLS terminaison associated to our new HostedZone `*.${core_stack_name}.${hosted_zone_name}`
- 1 SecretManager password used to access ArgoCD UI in both EKS clusters.

## Getting Started

Make sure you have all the [prerequisites](../README.md#prerequisites) for your laptop.

<!-->

Fork this repository and [create the GitHub token granting access](https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token) to this new repository in your account. Store this secret in AWS secrets manager using the aws cli.
-->

## Usage


```bash
cd core-infra/
```

- Run Terraform init to download the providers and install the modules

```shell
terraform init
```

> Note: We share

- Review the terraform plan output, take a look at the changes that terraform will execute, and then apply them:

```shell
terraform plan
```

```shell
terraform apply --auto-approve
```

> There can be somme Warnings due to not declare variables. This is normal and you can ignore thems as we share the same `terraform.tfvars` for the 3 projects by using symlinks for a uniq file, and we declare some variables used for the eks-blue and eks-green directory

## Outputs

After the execution of the Terraform code you will get an output with needed IDs and values needed as input for the nexts Terraform applies.

```shell
terraform output
```

Example:

```
aws_acm_certificate_status = "ISSUED"
aws_route53_zone = "eks-blueprint.eks.mydomain.org"
vpc_id = "vpc-0d649baf641a8071e"
```

We are going to use this core infrastructure to host the EKS Blue and Green clusters.

## Cleanup

Run the following command if you want to delete all the resources created before.

> If you have created EKS blueprints clusters, you'll need to clean thoses ressources first.

```shell
terraform destroy
```

# Terraform Doc

<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Requirements

| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.72.0 |
| <a name="requirement_random"></a> [random](#requirement\_random) | >= 3 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.72.0 |
| <a name="provider_random"></a> [random](#provider\_random) | >= 3 |

## Modules

| Name | Source | Version |
|------|--------|---------|
| <a name="module_acm"></a> [acm](#module\_acm) | terraform-aws-modules/acm/aws | ~> 4.0 |
| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3.0 |

## Resources

| Name | Type |
|------|------|
| [aws_route53_record.ns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
| [aws_route53_zone.sub](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone) | resource |
| [aws_secretsmanager_secret.arogcd](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource |
| [aws_secretsmanager_secret_version.arogcd](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource |
| [random_password.argocd](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
| [aws_route53_zone.root](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_argocd_secret_manager_name_suffix"></a> [argocd\_secret\_manager\_name\_suffix](#input\_argocd\_secret\_manager\_name\_suffix) | Name of secret manager secret for ArgoCD Admin UI Password | `string` | `"argocd-admin-secret"` | no |
| <a name="input_aws_region"></a> [aws\_region](#input\_aws\_region) | AWS region | `string` | n/a | yes |
| <a name="input_core_stack_name"></a> [core\_stack\_name](#input\_core\_stack\_name) | The name of Core Infrastructure stack, feel free to rename it. Used for cluster and VPC names. | `string` | `"eks-blueprint"` | no |
| <a name="input_hosted_zone_name"></a> [hosted\_zone\_name](#input\_hosted\_zone\_name) | Route53 domain for the cluster. | `string` | `"sallaman.people.aws.dev"` | no |
| <a name="input_vpc_cidr"></a> [vpc\_cidr](#input\_vpc\_cidr) | CIDR block for VPC | `string` | `"10.0.0.0/16"` | no |

## Outputs

| Name | Description |
|------|-------------|
| <a name="output_aws_acm_certificate_status"></a> [aws\_acm\_certificate\_status](#output\_aws\_acm\_certificate\_status) | Status of Certificate |
| <a name="output_aws_route53_zone"></a> [aws\_route53\_zone](#output\_aws\_route53\_zone) | The new Route53 Zone |
| <a name="output_vpc_id"></a> [vpc\_id](#output\_vpc\_id) | The ID of the VPC |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
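Review bot: the HTML comment opening the "Getting Started" section is written as `<!-->`, which is not a valid comment opener (it parses as an empty, already closed comment), so the "Fork this repository ... GitHub token" paragraph and the stray `-->` will render on GitHub; either write `<!--` or delete the block, since that step is not part of this example. The `> Note: We share` blockquote under `terraform init` is an unfinished sentence and should be completed or removed (the full explanation about the shared `terraform.tfvars` symlink already sits under `terraform apply`). Spelling to fix: infratructure, certificat, terminaison, somme, thems, uniq, nexts, thoses ressources. The Inputs table also presents `sallaman.people.aws.dev` as the default for `hosted_zone_name`; that is a personal zone no other reader owns, so the doc should present it as a value the user must set to a zone in their own account. Minor: `# Terraform Doc` is a second H1 inside the document; `##` matches the rest of the headings.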
118 changes: 118 additions & 0 deletions examples/upgrade/blue-green-route53/core-infra/main.tf
@@ -0,0 +1,118 @@
provider "aws" {
region = local.region
}

locals {
name = var.core_stack_name
region = var.aws_region

vpc_cidr = var.vpc_cidr
num_of_subnets = min(length(data.aws_availability_zones.available.names), 3)
azs = slice(data.aws_availability_zones.available.names, 0, local.num_of_subnets)

argocd_secret_manager_name = var.argocd_secret_manager_name_suffix

tags = {
Blueprint = local.name
GithubRepo = "github.com/aws-ia/terraform-aws-eks-blueprints"
}
}

data "aws_availability_zones" "available" {}

module "vpc" {
source = "terraform-aws-modules/vpc/aws"
version = "~> 3.0"

name = local.name
cidr = local.vpc_cidr

azs = local.azs
public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)]
private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 10)]

enable_nat_gateway = true
create_igw = true
enable_dns_hostnames = true
single_nat_gateway = true

# Manage so we can name
manage_default_network_acl = true
default_network_acl_tags = { Name = "${local.name}-default" }
manage_default_route_table = true
default_route_table_tags = { Name = "${local.name}-default" }
manage_default_security_group = true
default_security_group_tags = { Name = "${local.name}-default" }

public_subnet_tags = {
"kubernetes.io/cluster/${local.name}-blue" = "shared"
"kubernetes.io/cluster/${local.name}-green" = "shared"
"kubernetes.io/role/elb" = "1"
}

private_subnet_tags = {
"kubernetes.io/cluster/${local.name}-blue" = "shared"
"kubernetes.io/cluster/${local.name}-green" = "shared"
"kubernetes.io/role/internal-elb" = "1"
}

tags = local.tags
}

# Retrieve existing root hosted zone
data "aws_route53_zone" "root" {
name = var.hosted_zone_name
}

# Create Sub HostedZone four our deployment
resource "aws_route53_zone" "sub" {
name = "${local.name}.${var.hosted_zone_name}"
}

# Validate records for the new HostedZone
resource "aws_route53_record" "ns" {
zone_id = data.aws_route53_zone.root.zone_id
name = "${local.name}.${var.hosted_zone_name}"
type = "NS"
ttl = "30"
records = aws_route53_zone.sub.name_servers
}

module "acm" {
source = "terraform-aws-modules/acm/aws"
version = "~> 4.0"

domain_name = "${local.name}.${var.hosted_zone_name}"
zone_id = aws_route53_zone.sub.zone_id

subject_alternative_names = [
"*.${local.name}.${var.hosted_zone_name}"
]

wait_for_validation = true

tags = {
Name = "${local.name}.${var.hosted_zone_name}"
}
}

#---------------------------------------------------------------
# ArgoCD Admin Password credentials with Secrets Manager
# Login to AWS Secrets manager with the same role as Terraform to extract the ArgoCD admin password with the secret name as "argocd"
#---------------------------------------------------------------
resource "random_password" "argocd" {
length = 16
special = true
override_special = "!#$%&*()-_=+[]{}<>:?"
}

#tfsec:ignore:aws-ssm-secret-use-customer-key
resource "aws_secretsmanager_secret" "arogcd" {
name = "${local.argocd_secret_manager_name}.${local.name}"
recovery_window_in_days = 0 # Set to zero for this example to force delete during Terraform destroy
}

resource "aws_secretsmanager_secret_version" "arogcd" {
secret_id = aws_secretsmanager_secret.arogcd.id
secret_string = random_password.argocd.result
}
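Review bot: the comment `# Validate records for the new HostedZone` misdescribes `aws_route53_record.ns`; that resource is the NS delegation that hands `${local.name}.${var.hosted_zone_name}` from the parent zone to the new sub-zone (the ACM validation records are created inside the `acm` module), so reword it and fix `four our` in the comment above. `ttl = "30"` should be the number `30`. The secret name `"${local.argocd_secret_manager_name}.${local.name}"` uses `argocd_secret_manager_name_suffix` as a prefix, so either rename the variable or swap the concatenation order; the resource names `arogcd` are also misspelled relative to `random_password.argocd`, and a consistent name avoids confusion in `terraform state` output. The `#tfsec:ignore:aws-ssm-secret-use-customer-key` and `recovery_window_in_days = 0` are acceptable for a disposable example, but this secret holds the ArgoCD admin password, so the README should state that it is encrypted with the AWS-managed key and is hard-deleted on destroy, so that anyone adapting the example knows to change both.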
14 changes: 14 additions & 0 deletions examples/upgrade/blue-green-route53/core-infra/outputs.tf
@@ -0,0 +1,14 @@
output "vpc_id" {
description = "The ID of the VPC"
value = module.vpc.vpc_id
}

output "aws_route53_zone" {
description = "The new Route53 Zone"
value = aws_route53_zone.sub.name
}

output "aws_acm_certificate_status" {
description = "Status of Certificate"
value = module.acm.acm_certificate_status
}
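Review bot: the README says these outputs are the values needed as input for the eks-blue and eks-green applies, but only the zone name, VPC ID and certificate status are exported; a downstream stack creating records or listeners in this zone will need the zone ID and the certificate ARN, so consider adding `aws_route53_zone.sub.zone_id` and `module.acm.acm_certificate_arn` as outputs. The output `aws_route53_zone` actually returns the zone name, so `aws_route53_zone_name` would describe it more precisely.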
28 changes: 28 additions & 0 deletions examples/upgrade/blue-green-route53/core-infra/variables.tf
@@ -0,0 +1,28 @@
variable "core_stack_name" {
description = "The name of Core Infrastructure stack, feel free to rename it. Used for cluster and VPC names."
type = string
default = "eks-blueprint"
}

variable "aws_region" {
description = "AWS region"
type = string
}

variable "vpc_cidr" {
description = "CIDR block for VPC"
type = string
default = "10.0.0.0/16"
}

variable "argocd_secret_manager_name_suffix" {
type = string
description = "Name of secret manager secret for ArgoCD Admin UI Password"
default = "argocd-admin-secret"
}

variable "hosted_zone_name" {
type = string
description = "Route53 domain for the cluster."
default = "sallaman.people.aws.dev"
}
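Review bot: `hosted_zone_name` defaults to `sallaman.people.aws.dev`, a personal zone, so a reader who runs the example as-is will have `data.aws_route53_zone.root` fail on a zone that does not exist in their account; drop the default and make the variable required, as `aws_region` already is. Also order `description` before `type` in `argocd_secret_manager_name_suffix` and `hosted_zone_name` to match the other blocks.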
13 changes: 13 additions & 0 deletions examples/upgrade/blue-green-route53/core-infra/versions.tf
@@ -0,0 +1,13 @@
terraform {
required_version = ">= 1.0.0"

required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 3.72.0"
}
random = {
version = ">= 3"
}
}
}
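Review bot: the `random` provider requirement omits `source = "hashicorp/random"`; Terraform assumes the `hashicorp/` namespace for an unqualified name, but the `aws` block in the same file spells its source out, so add it for consistency and to avoid relying on the implicit fallback.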