From 6ef8cf3b4acae0f48739194d837b51f5e68de0aa Mon Sep 17 00:00:00 2001
From: marcincuber
Date: Fri, 24 Jan 2020 09:11:19 +0000
Subject: [PATCH] add eks node group module with examples
---
 .gitignore | 7 +
 LICENSE | 11 ++
 Makefile | 38 ++++++
 README.md | 85 ++++++++++++
 examples/multiaz-node-group/main.tf | 201 ++++++++++++++++++++++++++++
 examples/single-node-group/main.tf | 111 +++++++++++++++
 main.tf | 91 +++++++++++++
 outputs.tf | 14 ++
 variables.tf | 84 ++++++++++++
 9 files changed, 642 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 LICENSE
 create mode 100644 Makefile
 create mode 100644 examples/multiaz-node-group/main.tf
 create mode 100644 examples/single-node-group/main.tf
 create mode 100644 main.tf
 create mode 100644 outputs.tf
 create mode 100644 variables.tf
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..9ba79af
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,7 @@
+*.DS_Store
+errored.tfstate
+.terraform
+crash.log
+terraform.tfstate
+*.tfstate*
+terraform.tfvars
\ No newline at end of file
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..d955a86
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,11 @@
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
\ No newline at end of file
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..c067619
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,38 @@
+ifneq (,)
+.error This Makefile requires GNU Make.
+endif
+
+.PHONY: gen _gen-main _update-tf-docs
+
+CURRENT_DIR = $(dir $(abspath $(lastword $(MAKEFILE_LIST))))
+TF_EXAMPLES = $(sort $(dir $(wildcard $(CURRENT_DIR)examples/*/)))
+TF_DOCS_VERSION = 0.6.0
+
+# Adjust your delimiter here or overwrite via make arguments
+DELIM_START =
+DELIM_CLOSE =
+
+gen: _update-tf-docs
+ @echo "################################################################################"
+ @echo "# Terraform-docs generate"
+ @echo "################################################################################"
+ @$(MAKE) --no-print-directory _gen-main
+
+_gen-main:
+ @echo "------------------------------------------------------------"
+ @echo "# Main module"
+ @echo "------------------------------------------------------------"
+ @if docker run --rm \
+ -v $(CURRENT_DIR):/data \
+ -e DELIM_START='$(DELIM_START)' \
+ -e DELIM_CLOSE='$(DELIM_CLOSE)' \
+ cytopia/terraform-docs:$(TF_DOCS_VERSION) \
+ terraform-docs-replace-012 --sort-inputs-by-required --with-aggregate-type-defaults md README.md; then \
+ echo "OK"; \
+ else \
+ echo "Failed"; \
+ exit 1; \
+ fi
+
+_update-tf-docs:
+ docker pull cytopia/terraform-docs:$(TF_DOCS_VERSION)
\ No newline at end of file
diff --git a/README.md b/README.md
index 2570900..38294e2 100644
--- a/README.md
+++ b/README.md
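Review bot: In the Makefile hunk, the `docker run` in `_gen-main` and the `docker pull` in `_update-tf-docs` reference `cytopia/terraform-docs:$(TF_DOCS_VERSION)` by tag only, while the recipe bind-mounts the whole checkout read-write at `/data`, so whatever the registry currently serves under `0.6.0` runs with write access to the repository on every `make gen`. Tags are mutable; pinning the image by digest, e.g. `TF_DOCS_IMAGE = cytopia/terraform-docs@sha256:<digest-of-the-reviewed-image>`, and using `$(TF_DOCS_IMAGE)` in both recipes keeps the reviewed image and the executed image the same. The mount is also unquoted, so a checkout path containing spaces breaks the command; `-v "$(CURRENT_DIR):/data" \` avoids that. Separately, `TF_EXAMPLES` is defined but not used anywhere in this file.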
@@ -1,2 +1,87 @@
 # terraform-aws-eks-node-group
 Terraform module to provision EKS Managed Node Group
+
+## Resources created
+
+This module will create EKS managed Node Group that will join your existing Kubernetes cluster.
+
+## Terraform versions
+
+Terraform 0.12. Pin module version to `~> v1.0`. Submit pull-requests to `master` branch.
+
+## Usage
+
+```hcl
+module "eks-node-group" {
+ source = "umotif-public/eks-node-group/aws"
+ version = "~> 1.0"
+
+ cluster_name = aws_eks_cluster.cluster.id
+
+ subnet_ids = ["subnet-1","subnet-2","subnet-3"]
+
+ desired_size = 1
+ min_size = 1
+ max_size = 1
+
+ instance_types = ["t3.large"]
+
+ ec2_ssh_key = "eks-test"
+
+ kubernetes_labels = {
+ lifecycle = "OnDemand"
+ }
+
+ tags = {
+ Environment = "test"
+ }
+}
+```
+
+## Assumptions
+
+Module is to be used with Terraform > 0.12.
+
+## Examples
+
+* [EKS Node Group- single](https://github.com/umotif-public/terraform-aws-eks-node-group/tree/master/examples/single-node-group)
+* [EKS Node Group- multiple az setup](https://github.com/umotif-public/terraform-aws-eks-node-group/tree/master/examples/multiaz-node-group)
+
+## Authors
+
+Module managed by [Marcin Cuber](https://github.com/marcincuber) [LinkedIn](https://www.linkedin.com/in/marcincuber/).
+
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| cluster\_name | The name of the EKS cluster | string | n/a | yes |
+| desired\_size | Desired number of worker nodes | number | n/a | yes |
+| max\_size | Maximum number of worker nodes | number | n/a | yes |
+| min\_size | Minimum number of worker nodes | number | n/a | yes |
+| subnet\_ids | A list of subnet IDs to launch resources in | list(string) | n/a | yes |
+| ami\_release\_version | AMI version of the EKS Node Group. Defaults to latest version for Kubernetes version | string | `"null"` | no |
+| ami\_type | Type of Amazon Machine Image (AMI) associated with the EKS Node Group.
Defaults to `AL2_x86_64`. Valid values: `AL2_x86_64`, `AL2_x86_64_GPU`. Terraform will only perform drift detection if a configuration value is provided | string | `"AL2_x86_64"` | no |
+| disk\_size | Disk size in GiB for worker nodes. Defaults to 20. Terraform will only perform drift detection if a configuration value is provided | number | `"20"` | no |
+| ec2\_ssh\_key | SSH key name that should be used to access the worker nodes | string | `"null"` | no |
+| instance\_types | Set of instance types associated with the EKS Node Group. Defaults to ["t3.medium"]. Terraform will only perform drift detection if a configuration value is provided | list(string) | `[ "t3.medium" ]` | no |
+| kubernetes\_labels | Key-value mapping of Kubernetes labels. Only labels that are applied with the EKS API are managed by this argument. Other Kubernetes labels applied to the EKS Node Group will not be managed | map(string) | `{}` | no |
+| kubernetes\_version | Kubernetes version. Defaults to EKS Cluster Kubernetes version. Terraform will only perform drift detection if a configuration value is provided | string | `"null"` | no |
+| node\_role\_arn | IAM role arn that will be used by managed node group | string | `""` | no |
+| source\_security\_group\_ids | Set of EC2 Security Group IDs to allow SSH access (port 22) from on the worker nodes. If you specify `ec2_ssh_key`, but do not specify this configuration when you create an EKS Node Group, port 22 on the worker nodes is opened to the Internet (0.0.0.0/0) | list(string) | `[]` | no |
+| tags | A map of tags (key-value pairs) passed to resources. | map(string) | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| iam\_role\_arn | IAM role ARN used by node group. |
+| iam\_role\_id | IAM role ID used by node group. |
+| node\_group | Outputs from EKS node group. See `aws_eks_node_group` Terraform documentation for values |
+
+
+
+## License
+
+See LICENSE for full details.
diff --git a/examples/multiaz-node-group/main.tf b/examples/multiaz-node-group/main.tf
new file mode 100644
index 0000000..c39c494
--- /dev/null
+++ b/examples/multiaz-node-group/main.tf
@@ -0,0 +1,201 @@
+provider "aws" {
+ region = "eu-west-1"
+}
+
+#####
+# VPC and subnets
+#####
+module "vpc" {
+ source = "terraform-aws-modules/vpc/aws"
+ version = "2.21.0"
+
+ name = "simple-vpc"
+
+ cidr = "10.0.0.0/16"
+
+ azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
+ private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+ public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
+
+ private_subnet_tags = {
+ "kubernetes.io/role/internal-elb" = "1"
+ }
+
+ public_subnet_tags = {
+ "kubernetes.io/role/elb" = "1"
+ }
+
+ enable_dns_hostnames = true
+ enable_dns_support = true
+ enable_nat_gateway = true
+ enable_vpn_gateway = true
+ single_nat_gateway = true
+ one_nat_gateway_per_az = false
+
+ tags = {
+ "kubernetes.io/cluster/eks" = "shared",
+ Environment = "test"
+ }
+}
+
+#####
+# EKS Cluster
+#####
+
+resource "aws_eks_cluster" "cluster" {
+ enabled_cluster_log_types = []
+ name = "eks"
+ role_arn = aws_iam_role.cluster.arn
+ version = "1.14"
+
+ vpc_config {
+ subnet_ids = flatten([module.vpc.public_subnets, module.vpc.private_subnets])
+ security_group_ids = []
+ endpoint_private_access = "true"
+ endpoint_public_access = "true"
+ }
+}
+
+resource "aws_iam_role" "cluster" {
+ name = "eks-cluster-role"
+
+ assume_role_policy = <