implemented EKS infra provisioning with CFN
Signed-off-by: Sam Alba <sam.alba@gmail.com>
This commit is contained in:
parent
54a2fe4393
commit
5900ec24ec
7
examples/aws-eks/README.md
Normal file
7
examples/aws-eks/README.md
Normal file
@ -0,0 +1,7 @@
|
||||
# Kubernetes on AWS (EKS)
|
||||
|
||||
## How to run
|
||||
|
||||
```sh
|
||||
|
||||
```
|
433
examples/aws-eks/cfn_template_eks_controlplane.cue
Normal file
433
examples/aws-eks/cfn_template_eks_controlplane.cue
Normal file
@ -0,0 +1,433 @@
|
||||
package main
|
||||
|
||||
#CFNTemplate: eksControlPlane: {
|
||||
AWSTemplateFormatVersion: "2010-09-09"
|
||||
Description: "Amazon EKS Sample VPC - Private and Public subnets"
|
||||
Parameters: {
|
||||
VpcBlock: {
|
||||
Type: "String"
|
||||
Default: "192.168.0.0/16"
|
||||
Description: "The CIDR range for the VPC. This should be a valid private (RFC 1918) CIDR range."
|
||||
}
|
||||
PublicSubnet01Block: {
|
||||
Type: "String"
|
||||
Default: "192.168.0.0/18"
|
||||
Description: "CidrBlock for public subnet 01 within the VPC"
|
||||
}
|
||||
PublicSubnet02Block: {
|
||||
Type: "String"
|
||||
Default: "192.168.64.0/18"
|
||||
Description: "CidrBlock for public subnet 02 within the VPC"
|
||||
}
|
||||
PrivateSubnet01Block: {
|
||||
Type: "String"
|
||||
Default: "192.168.128.0/18"
|
||||
Description: "CidrBlock for private subnet 01 within the VPC"
|
||||
}
|
||||
PrivateSubnet02Block: {
|
||||
Type: "String"
|
||||
Default: "192.168.192.0/18"
|
||||
Description: "CidrBlock for private subnet 02 within the VPC"
|
||||
}
|
||||
ClusterName: {
|
||||
Type: "String"
|
||||
Description: "The EKS cluster name"
|
||||
}
|
||||
// EKSIAMRoleName: {
|
||||
// Type: "String"
|
||||
// Description: "The name of the IAM role for the EKS service to assume"
|
||||
// }
|
||||
}
|
||||
Metadata: "AWS::CloudFormation::Interface": ParameterGroups: [
|
||||
{
|
||||
Label: default: "Worker Network Configuration"
|
||||
Parameters: [
|
||||
"VpcBlock",
|
||||
"PublicSubnet01Block",
|
||||
"PublicSubnet02Block",
|
||||
"PrivateSubnet01Block",
|
||||
"PrivateSubnet02Block",
|
||||
]
|
||||
},
|
||||
]
|
||||
Resources: {
|
||||
VPC: {
|
||||
Type: "AWS::EC2::VPC"
|
||||
Properties: {
|
||||
CidrBlock: Ref: "VpcBlock"
|
||||
EnableDnsSupport: true
|
||||
EnableDnsHostnames: true
|
||||
Tags: [
|
||||
{
|
||||
Key: "Name"
|
||||
Value: "Fn::Sub": "${AWS::StackName}-VPC"
|
||||
},
|
||||
]
|
||||
}
|
||||
}
|
||||
InternetGateway: Type: "AWS::EC2::InternetGateway"
|
||||
VPCGatewayAttachment: {
|
||||
Type: "AWS::EC2::VPCGatewayAttachment"
|
||||
Properties: {
|
||||
InternetGatewayId: Ref: "InternetGateway"
|
||||
VpcId: Ref: "VPC"
|
||||
}
|
||||
}
|
||||
PublicRouteTable: {
|
||||
Type: "AWS::EC2::RouteTable"
|
||||
Properties: {
|
||||
VpcId: Ref: "VPC"
|
||||
Tags: [
|
||||
{
|
||||
Key: "Name"
|
||||
Value: "Public Subnets"
|
||||
},
|
||||
{
|
||||
Key: "Network"
|
||||
Value: "Public"
|
||||
},
|
||||
]
|
||||
}
|
||||
}
|
||||
PrivateRouteTable01: {
|
||||
Type: "AWS::EC2::RouteTable"
|
||||
Properties: {
|
||||
VpcId: Ref: "VPC"
|
||||
Tags: [
|
||||
{
|
||||
Key: "Name"
|
||||
Value: "Private Subnet AZ1"
|
||||
},
|
||||
{
|
||||
Key: "Network"
|
||||
Value: "Private01"
|
||||
},
|
||||
]
|
||||
}
|
||||
}
|
||||
PrivateRouteTable02: {
|
||||
Type: "AWS::EC2::RouteTable"
|
||||
Properties: {
|
||||
VpcId: Ref: "VPC"
|
||||
Tags: [
|
||||
{
|
||||
Key: "Name"
|
||||
Value: "Private Subnet AZ2"
|
||||
},
|
||||
{
|
||||
Key: "Network"
|
||||
Value: "Private02"
|
||||
},
|
||||
]
|
||||
}
|
||||
}
|
||||
PublicRoute: {
|
||||
DependsOn: "VPCGatewayAttachment"
|
||||
Type: "AWS::EC2::Route"
|
||||
Properties: {
|
||||
RouteTableId: Ref: "PublicRouteTable"
|
||||
DestinationCidrBlock: "0.0.0.0/0"
|
||||
GatewayId: Ref: "InternetGateway"
|
||||
}
|
||||
}
|
||||
PrivateRoute01: {
|
||||
DependsOn: [
|
||||
"VPCGatewayAttachment",
|
||||
"NatGateway01",
|
||||
]
|
||||
Type: "AWS::EC2::Route"
|
||||
Properties: {
|
||||
RouteTableId: Ref: "PrivateRouteTable01"
|
||||
DestinationCidrBlock: "0.0.0.0/0"
|
||||
NatGatewayId: Ref: "NatGateway01"
|
||||
}
|
||||
}
|
||||
PrivateRoute02: {
|
||||
DependsOn: [
|
||||
"VPCGatewayAttachment",
|
||||
"NatGateway02",
|
||||
]
|
||||
Type: "AWS::EC2::Route"
|
||||
Properties: {
|
||||
RouteTableId: Ref: "PrivateRouteTable02"
|
||||
DestinationCidrBlock: "0.0.0.0/0"
|
||||
NatGatewayId: Ref: "NatGateway02"
|
||||
}
|
||||
}
|
||||
NatGateway01: {
|
||||
DependsOn: [
|
||||
"NatGatewayEIP1",
|
||||
"PublicSubnet01",
|
||||
"VPCGatewayAttachment",
|
||||
]
|
||||
Type: "AWS::EC2::NatGateway"
|
||||
Properties: {
|
||||
AllocationId: "Fn::GetAtt": [
|
||||
"NatGatewayEIP1",
|
||||
"AllocationId",
|
||||
]
|
||||
SubnetId: Ref: "PublicSubnet01"
|
||||
Tags: [
|
||||
{
|
||||
Key: "Name"
|
||||
Value: "Fn::Sub": "${AWS::StackName}-NatGatewayAZ1"
|
||||
},
|
||||
]
|
||||
}
|
||||
}
|
||||
NatGateway02: {
|
||||
DependsOn: [
|
||||
"NatGatewayEIP2",
|
||||
"PublicSubnet02",
|
||||
"VPCGatewayAttachment",
|
||||
]
|
||||
Type: "AWS::EC2::NatGateway"
|
||||
Properties: {
|
||||
AllocationId: "Fn::GetAtt": [
|
||||
"NatGatewayEIP2",
|
||||
"AllocationId",
|
||||
]
|
||||
SubnetId: Ref: "PublicSubnet02"
|
||||
Tags: [
|
||||
{
|
||||
Key: "Name"
|
||||
Value: "Fn::Sub": "${AWS::StackName}-NatGatewayAZ2"
|
||||
},
|
||||
]
|
||||
}
|
||||
}
|
||||
NatGatewayEIP1: {
|
||||
DependsOn: [
|
||||
"VPCGatewayAttachment",
|
||||
]
|
||||
Type: "AWS::EC2::EIP"
|
||||
Properties: Domain: "vpc"
|
||||
}
|
||||
NatGatewayEIP2: {
|
||||
DependsOn: [
|
||||
"VPCGatewayAttachment",
|
||||
]
|
||||
Type: "AWS::EC2::EIP"
|
||||
Properties: Domain: "vpc"
|
||||
}
|
||||
PublicSubnet01: {
|
||||
Type: "AWS::EC2::Subnet"
|
||||
Metadata: Comment: "Subnet 01"
|
||||
Properties: {
|
||||
AvailabilityZone: "Fn::Select": [
|
||||
"0",
|
||||
{
|
||||
"Fn::GetAZs": Ref: "AWS::Region"
|
||||
},
|
||||
]
|
||||
CidrBlock: Ref: "PublicSubnet01Block"
|
||||
VpcId: Ref: "VPC"
|
||||
Tags: [
|
||||
{
|
||||
Key: "Name"
|
||||
Value: "Fn::Sub": "${AWS::StackName}-PublicSubnet01"
|
||||
},
|
||||
]
|
||||
}
|
||||
}
|
||||
PublicSubnet02: {
|
||||
Type: "AWS::EC2::Subnet"
|
||||
Metadata: Comment: "Subnet 02"
|
||||
Properties: {
|
||||
AvailabilityZone: "Fn::Select": [
|
||||
"1",
|
||||
{
|
||||
"Fn::GetAZs": Ref: "AWS::Region"
|
||||
},
|
||||
]
|
||||
CidrBlock: Ref: "PublicSubnet02Block"
|
||||
VpcId: Ref: "VPC"
|
||||
Tags: [
|
||||
{
|
||||
Key: "Name"
|
||||
Value: "Fn::Sub": "${AWS::StackName}-PublicSubnet02"
|
||||
},
|
||||
]
|
||||
}
|
||||
}
|
||||
PrivateSubnet01: {
|
||||
Type: "AWS::EC2::Subnet"
|
||||
Metadata: Comment: "Subnet 03"
|
||||
Properties: {
|
||||
AvailabilityZone: "Fn::Select": [
|
||||
"0",
|
||||
{
|
||||
"Fn::GetAZs": Ref: "AWS::Region"
|
||||
},
|
||||
]
|
||||
CidrBlock: Ref: "PrivateSubnet01Block"
|
||||
VpcId: Ref: "VPC"
|
||||
Tags: [
|
||||
{
|
||||
Key: "Name"
|
||||
Value: "Fn::Sub": "${AWS::StackName}-PrivateSubnet01"
|
||||
},
|
||||
]
|
||||
}
|
||||
}
|
||||
PrivateSubnet02: {
|
||||
Type: "AWS::EC2::Subnet"
|
||||
Metadata: Comment: "Private Subnet 02"
|
||||
Properties: {
|
||||
AvailabilityZone: "Fn::Select": [
|
||||
"1",
|
||||
{
|
||||
"Fn::GetAZs": Ref: "AWS::Region"
|
||||
},
|
||||
]
|
||||
CidrBlock: Ref: "PrivateSubnet02Block"
|
||||
VpcId: Ref: "VPC"
|
||||
Tags: [
|
||||
{
|
||||
Key: "Name"
|
||||
Value: "Fn::Sub": "${AWS::StackName}-PrivateSubnet02"
|
||||
},
|
||||
]
|
||||
}
|
||||
}
|
||||
PublicSubnet01RouteTableAssociation: {
|
||||
Type: "AWS::EC2::SubnetRouteTableAssociation"
|
||||
Properties: {
|
||||
SubnetId: Ref: "PublicSubnet01"
|
||||
RouteTableId: Ref: "PublicRouteTable"
|
||||
}
|
||||
}
|
||||
PublicSubnet02RouteTableAssociation: {
|
||||
Type: "AWS::EC2::SubnetRouteTableAssociation"
|
||||
Properties: {
|
||||
SubnetId: Ref: "PublicSubnet02"
|
||||
RouteTableId: Ref: "PublicRouteTable"
|
||||
}
|
||||
}
|
||||
PrivateSubnet01RouteTableAssociation: {
|
||||
Type: "AWS::EC2::SubnetRouteTableAssociation"
|
||||
Properties: {
|
||||
SubnetId: Ref: "PrivateSubnet01"
|
||||
RouteTableId: Ref: "PrivateRouteTable01"
|
||||
}
|
||||
}
|
||||
PrivateSubnet02RouteTableAssociation: {
|
||||
Type: "AWS::EC2::SubnetRouteTableAssociation"
|
||||
Properties: {
|
||||
SubnetId: Ref: "PrivateSubnet02"
|
||||
RouteTableId: Ref: "PrivateRouteTable02"
|
||||
}
|
||||
}
|
||||
ControlPlaneSecurityGroup: {
|
||||
Type: "AWS::EC2::SecurityGroup"
|
||||
Properties: {
|
||||
GroupDescription: "Cluster communication with worker nodes"
|
||||
VpcId: Ref: "VPC"
|
||||
}
|
||||
}
|
||||
EKSIAMRole: {
|
||||
Type: "AWS::IAM::Role"
|
||||
Properties: {
|
||||
AssumeRolePolicyDocument: Statement: [
|
||||
{
|
||||
Effect: "Allow"
|
||||
Principal: Service: [
|
||||
"eks.amazonaws.com",
|
||||
]
|
||||
Action: [
|
||||
"sts:AssumeRole",
|
||||
]
|
||||
|
||||
},
|
||||
]
|
||||
// RoleName: Ref: "EKSIAMRoleName"
|
||||
ManagedPolicyArns: [
|
||||
"arn:aws:iam::aws:policy/AmazonEKSClusterPolicy",
|
||||
"arn:aws:iam::aws:policy/AmazonEKSServicePolicy",
|
||||
]
|
||||
}
|
||||
}
|
||||
EKSCluster: {
|
||||
Type: "AWS::EKS::Cluster"
|
||||
Properties: {
|
||||
Name: Ref: "ClusterName"
|
||||
RoleArn: "Fn::GetAtt": ["EKSIAMRole", "Arn"]
|
||||
ResourcesVpcConfig: {
|
||||
SecurityGroupIds: [{Ref: "ControlPlaneSecurityGroup"}]
|
||||
SubnetIds: [
|
||||
{Ref: "PublicSubnet01"},
|
||||
{Ref: "PublicSubnet02"},
|
||||
{Ref: "PrivateSubnet01"},
|
||||
{Ref: "PrivateSubnet02"},
|
||||
]
|
||||
}
|
||||
}
|
||||
DependsOn: ["EKSIAMRole", "PublicSubnet01", "PublicSubnet02", "PrivateSubnet01", "PrivateSubnet02", "ControlPlaneSecurityGroup"]
|
||||
}
|
||||
}
|
||||
Outputs: {
|
||||
SubnetIds: {
|
||||
Description: "Subnets IDs in the VPC"
|
||||
Value: "Fn::Join": [
|
||||
",",
|
||||
[
|
||||
{
|
||||
Ref: "PublicSubnet01"
|
||||
},
|
||||
{
|
||||
Ref: "PublicSubnet02"
|
||||
},
|
||||
{
|
||||
Ref: "PrivateSubnet01"
|
||||
},
|
||||
{
|
||||
Ref: "PrivateSubnet02"
|
||||
},
|
||||
],
|
||||
]
|
||||
}
|
||||
PublicSubnets: {
|
||||
Description: "List of the public subnets"
|
||||
Value: "Fn::Join": [
|
||||
",",
|
||||
[
|
||||
{
|
||||
Ref: "PublicSubnet01"
|
||||
},
|
||||
{
|
||||
Ref: "PublicSubnet02"
|
||||
},
|
||||
],
|
||||
]
|
||||
}
|
||||
PrivateSubnets: {
|
||||
Description: "List of the private subnets"
|
||||
Value: "Fn::Join": [
|
||||
",",
|
||||
[
|
||||
{
|
||||
Ref: "PrivateSubnet01"
|
||||
},
|
||||
{
|
||||
Ref: "PrivateSubnet02"
|
||||
},
|
||||
],
|
||||
]
|
||||
}
|
||||
DefaultSecurityGroup: {
|
||||
Description: "Security group for the cluster control plane communication with worker nodes"
|
||||
Value: "Fn::Join": [
|
||||
",",
|
||||
[
|
||||
{
|
||||
Ref: "ControlPlaneSecurityGroup"
|
||||
},
|
||||
],
|
||||
]
|
||||
}
|
||||
VPC: {
|
||||
Description: "The VPC Id"
|
||||
Value: Ref: "VPC"
|
||||
}
|
||||
}
|
||||
}
|
311
examples/aws-eks/cfn_template_eks_nodegroup.cue
Normal file
311
examples/aws-eks/cfn_template_eks_nodegroup.cue
Normal file
@ -0,0 +1,311 @@
|
||||
package main
|
||||
|
||||
#CFNTemplate: eksNodeGroup: {
|
||||
AWSTemplateFormatVersion: "2010-09-09"
|
||||
Description: "Amazon EKS - Node Group"
|
||||
Metadata: "AWS::CloudFormation::Interface": ParameterGroups: [
|
||||
{
|
||||
Label: default: "EKS Cluster"
|
||||
Parameters: [
|
||||
"ClusterName",
|
||||
"ClusterControlPlaneSecurityGroup",
|
||||
]
|
||||
},
|
||||
{
|
||||
Label: default: "Worker Node Configuration"
|
||||
Parameters: [
|
||||
"NodeGroupName",
|
||||
"NodeAutoScalingGroupMinSize",
|
||||
"NodeAutoScalingGroupDesiredCapacity",
|
||||
"NodeAutoScalingGroupMaxSize",
|
||||
"NodeInstanceType",
|
||||
"NodeImageIdSSMParam",
|
||||
"NodeImageId",
|
||||
"NodeVolumeSize",
|
||||
// "KeyName",
|
||||
"BootstrapArguments",
|
||||
]
|
||||
},
|
||||
{
|
||||
Label: default: "Worker Network Configuration"
|
||||
Parameters: [
|
||||
"VpcId",
|
||||
"Subnets",
|
||||
]
|
||||
},
|
||||
]
|
||||
Parameters: {
|
||||
BootstrapArguments: {
|
||||
Type: "String"
|
||||
Default: ""
|
||||
Description: "Arguments to pass to the bootstrap script. See files/bootstrap.sh in https://github.com/awslabs/amazon-eks-ami"
|
||||
}
|
||||
ClusterControlPlaneSecurityGroup: {
|
||||
Type: "AWS::EC2::SecurityGroup::Id"
|
||||
Description: "The security group of the cluster control plane."
|
||||
}
|
||||
ClusterName: {
|
||||
Type: "String"
|
||||
Description: "The cluster name provided when the cluster was created. If it is incorrect, nodes will not be able to join the cluster."
|
||||
}
|
||||
// KeyName: {
|
||||
// Type: "AWS::EC2::KeyPair::KeyName"
|
||||
// Description: "The EC2 Key Pair to allow SSH access to the instances"
|
||||
// }
|
||||
NodeAutoScalingGroupDesiredCapacity: {
|
||||
Type: "Number"
|
||||
Default: 3
|
||||
Description: "Desired capacity of Node Group ASG."
|
||||
}
|
||||
NodeAutoScalingGroupMaxSize: {
|
||||
Type: "Number"
|
||||
Default: 4
|
||||
Description: "Maximum size of Node Group ASG. Set to at least 1 greater than NodeAutoScalingGroupDesiredCapacity."
|
||||
}
|
||||
NodeAutoScalingGroupMinSize: {
|
||||
Type: "Number"
|
||||
Default: 1
|
||||
Description: "Minimum size of Node Group ASG."
|
||||
}
|
||||
NodeGroupName: {
|
||||
Type: "String"
|
||||
Description: "Unique identifier for the Node Group."
|
||||
}
|
||||
NodeImageId: {
|
||||
Type: "String"
|
||||
Default: ""
|
||||
Description: "(Optional) Specify your own custom image ID. This value overrides any AWS Systems Manager Parameter Store value specified above."
|
||||
}
|
||||
NodeImageIdSSMParam: {
|
||||
Type: "AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>"
|
||||
Default: "/aws/service/eks/optimized-ami/1.19/amazon-linux-2/recommended/image_id"
|
||||
Description: "AWS Systems Manager Parameter Store parameter of the AMI ID for the worker node instances."
|
||||
}
|
||||
NodeInstanceType: {
|
||||
Type: "String"
|
||||
Default: "t3.medium"
|
||||
ConstraintDescription: "Must be a valid EC2 instance type"
|
||||
Description: "EC2 instance type for the node instances"
|
||||
}
|
||||
NodeVolumeSize: {
|
||||
Type: "Number"
|
||||
Default: 20
|
||||
Description: "Node volume size"
|
||||
}
|
||||
Subnets: {
|
||||
Type: "List<AWS::EC2::Subnet::Id>"
|
||||
Description: "The subnets where workers can be created."
|
||||
}
|
||||
VpcId: {
|
||||
Type: "AWS::EC2::VPC::Id"
|
||||
Description: "The VPC of the worker instances"
|
||||
}
|
||||
}
|
||||
Conditions: HasNodeImageId: "Fn::Not": [
|
||||
{
|
||||
"Fn::Equals": [
|
||||
{
|
||||
Ref: "NodeImageId"
|
||||
},
|
||||
"",
|
||||
]
|
||||
},
|
||||
]
|
||||
Resources: {
|
||||
NodeInstanceRole: {
|
||||
Type: "AWS::IAM::Role"
|
||||
Properties: {
|
||||
AssumeRolePolicyDocument: {
|
||||
Version: "2012-10-17"
|
||||
Statement: [
|
||||
{
|
||||
Effect: "Allow"
|
||||
Principal: Service: [
|
||||
"ec2.amazonaws.com",
|
||||
]
|
||||
Action: [
|
||||
"sts:AssumeRole",
|
||||
]
|
||||
},
|
||||
]
|
||||
}
|
||||
ManagedPolicyArns: [
|
||||
"arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
|
||||
"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
|
||||
"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
|
||||
]
|
||||
Path: "/"
|
||||
}
|
||||
}
|
||||
NodeInstanceProfile: {
|
||||
Type: "AWS::IAM::InstanceProfile"
|
||||
Properties: {
|
||||
Path: "/"
|
||||
Roles: [
|
||||
{
|
||||
Ref: "NodeInstanceRole"
|
||||
},
|
||||
]
|
||||
}
|
||||
}
|
||||
NodeSecurityGroup: {
|
||||
Type: "AWS::EC2::SecurityGroup"
|
||||
Properties: {
|
||||
GroupDescription: "Security group for all nodes in the cluster"
|
||||
Tags: [
|
||||
{
|
||||
Key: "Fn::Sub": "kubernetes.io/cluster/${ClusterName}"
|
||||
Value: "owned"
|
||||
},
|
||||
]
|
||||
VpcId: Ref: "VpcId"
|
||||
}
|
||||
}
|
||||
NodeSecurityGroupIngress: {
|
||||
Type: "AWS::EC2::SecurityGroupIngress"
|
||||
DependsOn: "NodeSecurityGroup"
|
||||
Properties: {
|
||||
Description: "Allow node to communicate with each other"
|
||||
FromPort: 0
|
||||
GroupId: Ref: "NodeSecurityGroup"
|
||||
IpProtocol: "-1"
|
||||
SourceSecurityGroupId: Ref: "NodeSecurityGroup"
|
||||
ToPort: 65535
|
||||
}
|
||||
}
|
||||
ClusterControlPlaneSecurityGroupIngress: {
|
||||
Type: "AWS::EC2::SecurityGroupIngress"
|
||||
DependsOn: "NodeSecurityGroup"
|
||||
Properties: {
|
||||
Description: "Allow pods to communicate with the cluster API Server"
|
||||
FromPort: 443
|
||||
GroupId: Ref: "ClusterControlPlaneSecurityGroup"
|
||||
IpProtocol: "tcp"
|
||||
SourceSecurityGroupId: Ref: "NodeSecurityGroup"
|
||||
ToPort: 443
|
||||
}
|
||||
}
|
||||
ControlPlaneEgressToNodeSecurityGroup: {
|
||||
Type: "AWS::EC2::SecurityGroupEgress"
|
||||
DependsOn: "NodeSecurityGroup"
|
||||
Properties: {
|
||||
Description: "Allow the cluster control plane to communicate with worker Kubelet and pods"
|
||||
DestinationSecurityGroupId: Ref: "NodeSecurityGroup"
|
||||
FromPort: 1025
|
||||
GroupId: Ref: "ClusterControlPlaneSecurityGroup"
|
||||
IpProtocol: "tcp"
|
||||
ToPort: 65535
|
||||
}
|
||||
}
|
||||
ControlPlaneEgressToNodeSecurityGroupOn443: {
|
||||
Type: "AWS::EC2::SecurityGroupEgress"
|
||||
DependsOn: "NodeSecurityGroup"
|
||||
Properties: {
|
||||
Description: "Allow the cluster control plane to communicate with pods running extension API servers on port 443"
|
||||
DestinationSecurityGroupId: Ref: "NodeSecurityGroup"
|
||||
FromPort: 443
|
||||
GroupId: Ref: "ClusterControlPlaneSecurityGroup"
|
||||
IpProtocol: "tcp"
|
||||
ToPort: 443
|
||||
}
|
||||
}
|
||||
NodeSecurityGroupFromControlPlaneIngress: {
|
||||
Type: "AWS::EC2::SecurityGroupIngress"
|
||||
DependsOn: "NodeSecurityGroup"
|
||||
Properties: {
|
||||
Description: "Allow worker Kubelets and pods to receive communication from the cluster control plane"
|
||||
FromPort: 1025
|
||||
GroupId: Ref: "NodeSecurityGroup"
|
||||
IpProtocol: "tcp"
|
||||
SourceSecurityGroupId: Ref: "ClusterControlPlaneSecurityGroup"
|
||||
ToPort: 65535
|
||||
}
|
||||
}
|
||||
NodeSecurityGroupFromControlPlaneOn443Ingress: {
|
||||
Type: "AWS::EC2::SecurityGroupIngress"
|
||||
DependsOn: "NodeSecurityGroup"
|
||||
Properties: {
|
||||
Description: "Allow pods running extension API servers on port 443 to receive communication from cluster control plane"
|
||||
FromPort: 443
|
||||
GroupId: Ref: "NodeSecurityGroup"
|
||||
IpProtocol: "tcp"
|
||||
SourceSecurityGroupId: Ref: "ClusterControlPlaneSecurityGroup"
|
||||
ToPort: 443
|
||||
}
|
||||
}
|
||||
NodeLaunchConfig: {
|
||||
Type: "AWS::AutoScaling::LaunchConfiguration"
|
||||
Properties: {
|
||||
AssociatePublicIpAddress: "true"
|
||||
BlockDeviceMappings: [
|
||||
{
|
||||
DeviceName: "/dev/xvda"
|
||||
Ebs: {
|
||||
DeleteOnTermination: true
|
||||
VolumeSize: Ref: "NodeVolumeSize"
|
||||
VolumeType: "gp2"
|
||||
}
|
||||
},
|
||||
]
|
||||
IamInstanceProfile: Ref: "NodeInstanceProfile"
|
||||
ImageId: "Fn::If": [
|
||||
"HasNodeImageId",
|
||||
{
|
||||
Ref: "NodeImageId"
|
||||
},
|
||||
{
|
||||
Ref: "NodeImageIdSSMParam"
|
||||
},
|
||||
]
|
||||
InstanceType: Ref: "NodeInstanceType"
|
||||
// KeyName: Ref: "KeyName"
|
||||
SecurityGroups: [
|
||||
{
|
||||
Ref: "NodeSecurityGroup"
|
||||
},
|
||||
]
|
||||
UserData: "Fn::Base64": "Fn::Sub": "#!/bin/bash\nset -o xtrace\n/etc/eks/bootstrap.sh ${ClusterName} ${BootstrapArguments}\n/opt/aws/bin/cfn-signal --exit-code $? \\\n --stack ${AWS::StackName} \\\n --resource NodeGroup \\\n --region ${AWS::Region}\n"
|
||||
}
|
||||
}
|
||||
NodeGroup: {
|
||||
Type: "AWS::AutoScaling::AutoScalingGroup"
|
||||
Properties: {
|
||||
DesiredCapacity: Ref: "NodeAutoScalingGroupDesiredCapacity"
|
||||
LaunchConfigurationName: Ref: "NodeLaunchConfig"
|
||||
MaxSize: Ref: "NodeAutoScalingGroupMaxSize"
|
||||
MinSize: Ref: "NodeAutoScalingGroupMinSize"
|
||||
Tags: [
|
||||
{
|
||||
Key: "Name"
|
||||
PropagateAtLaunch: "true"
|
||||
Value: "Fn::Sub": "${ClusterName}-${NodeGroupName}-Node"
|
||||
},
|
||||
{
|
||||
Key: "Fn::Sub": "kubernetes.io/cluster/${ClusterName}"
|
||||
PropagateAtLaunch: "true"
|
||||
Value: "owned"
|
||||
},
|
||||
]
|
||||
VPCZoneIdentifier: Ref: "Subnets"
|
||||
}
|
||||
UpdatePolicy: AutoScalingRollingUpdate: {
|
||||
MaxBatchSize: "1"
|
||||
MinInstancesInService: Ref: "NodeAutoScalingGroupDesiredCapacity"
|
||||
PauseTime: "PT5M"
|
||||
}
|
||||
}
|
||||
}
|
||||
Outputs: {
|
||||
NodeInstanceRole: {
|
||||
Description: "The node instance role"
|
||||
Value: "Fn::GetAtt": [
|
||||
"NodeInstanceRole",
|
||||
"Arn",
|
||||
]
|
||||
}
|
||||
NodeSecurityGroup: {
|
||||
Description: "The security group for the node group"
|
||||
Value: Ref: "NodeSecurityGroup"
|
||||
}
|
||||
}
|
||||
}
|
1
examples/aws-eks/cue.mod/pkg/dagger.io
Symbolic link
1
examples/aws-eks/cue.mod/pkg/dagger.io
Symbolic link
@ -0,0 +1 @@
|
||||
../../../../stdlib
|
43
examples/aws-eks/infrastructure.cue
Normal file
43
examples/aws-eks/infrastructure.cue
Normal file
@ -0,0 +1,43 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
|
||||
"dagger.io/aws"
|
||||
"dagger.io/aws/cloudformation"
|
||||
)
|
||||
|
||||
#Infrastructure: {
|
||||
awsConfig: aws.#Config
|
||||
namePrefix: *"dagger-example-" | string
|
||||
// Cluster size is 1 for example (to limit resources)
|
||||
workerNodeCapacity: *1 | >1
|
||||
workerNodeInstanceType: *"t3.small" | string
|
||||
|
||||
let clusterName = "\(namePrefix)eks-cluster"
|
||||
|
||||
eksControlPlane: cloudformation.#Stack & {
|
||||
config: awsConfig
|
||||
source: json.Marshal(#CFNTemplate.eksControlPlane)
|
||||
stackName: "\(namePrefix)eks-controlplane"
|
||||
neverUpdate: true
|
||||
parameters: ClusterName: clusterName
|
||||
}
|
||||
|
||||
eksNodeGroup: cloudformation.#Stack & {
|
||||
config: awsConfig
|
||||
source: json.Marshal(#CFNTemplate.eksNodeGroup)
|
||||
stackName: "\(namePrefix)eks-nodegroup"
|
||||
neverUpdate: true
|
||||
parameters: {
|
||||
ClusterName: clusterName
|
||||
ClusterControlPlaneSecurityGroup: eksControlPlane.outputs.DefaultSecurityGroup
|
||||
NodeAutoScalingGroupDesiredCapacity: 1
|
||||
NodeAutoScalingGroupMaxSize: NodeAutoScalingGroupDesiredCapacity + 1
|
||||
NodeGroupName: "\(namePrefix)eks-nodegroup"
|
||||
NodeInstanceType: workerNodeInstanceType
|
||||
VpcId: eksControlPlane.outputs.VPC
|
||||
Subnets: eksControlPlane.outputs.SubnetIds
|
||||
}
|
||||
}
|
||||
}
|
21
examples/aws-eks/main.cue
Normal file
21
examples/aws-eks/main.cue
Normal file
@ -0,0 +1,21 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"dagger.io/aws"
|
||||
)
|
||||
|
||||
// Fill using:
|
||||
// --input-string awsConfig.accessKey=XXX
|
||||
// --input-string awsConfig.secretKey=XXX
|
||||
awsConfig: aws.#Config & {
|
||||
region: *"us-east-2" | string
|
||||
}
|
||||
|
||||
// Auto-provision an EKS cluster:
|
||||
// - VPC, Nat Gateways, Subnets, Security Group
|
||||
// - EKS Cluster
|
||||
// - Instance Node Group: auto-scaling-group, ec2 instances, etc...
|
||||
// base config can be changed (number of EC2 instances, types, etc...)
|
||||
infra: #Infrastructure & {
|
||||
"awsConfig": awsConfig
|
||||
}
|
Reference in New Issue
Block a user