```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${service_account_name}
  namespace: default
  annotations:
    # Binds this ServiceAccount to an IAM role (IRSA): pods that use it get a
    # projected web identity token and this role ARN injected by EKS.
    eks.amazonaws.com/role-arn: ${app_iam_role_arn}
---
apiVersion: v1
kind: Pod
```
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  # Maps the worker nodes' instance role to Kubernetes node identities.
  mapRoles: |
    - rolearn: ${arn_instance_role}
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
```
```hcl
# Step 5: Integrating Service Accounts with IAM role
data "tls_certificate" "cluster" {
  url = aws_eks_cluster.cluster.identity[0].oidc[0].issuer
}

# We need an OpenID Connect provider so that a service account token issued
# by the cluster can be exchanged with STS for IAM role credentials.
resource "aws_iam_openid_connect_provider" "cluster" {
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = [data.tls_certificate.cluster.certificates[0].sha1_fingerprint]
  url             = aws_eks_cluster.cluster.identity[0].oidc[0].issuer
}
```
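The OIDC provider only lets the cluster's tokens be presented to STS; which service account may actually assume `${app_iam_role_arn}` is decided by that role's trust policy. The following is an added Terraform example, not one of the original gists: it defines the role and pins its trust to the `default/${service_account_name}` ServiceAccount from the manifest above. `var.service_account_name` is an assumed variable; `aws_iam_openid_connect_provider.cluster` and `var.cluster_name` are the names used on this page.

```hcl
# Added example (not from the original gists). Assumes var.service_account_name
# holds the ServiceAccount name used in the manifest above.
locals {
  # Condition keys use the issuer host/path without the scheme.
  oidc_issuer = replace(aws_iam_openid_connect_provider.cluster.url, "https://", "")
}

data "aws_iam_policy_document" "app_assume_role" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.cluster.arn]
    }

    # Restrict the trust to exactly one ServiceAccount in one namespace.
    # Without this condition, any pod in the cluster that obtains a projected
    # token could assume the role.
    condition {
      test     = "StringEquals"
      variable = "${local.oidc_issuer}:sub"
      values   = ["system:serviceaccount:default:${var.service_account_name}"]
    }

    # Only accept tokens minted for STS (matches client_id_list above).
    condition {
      test     = "StringEquals"
      variable = "${local.oidc_issuer}:aud"
      values   = ["sts.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "app" {
  name               = "${var.cluster_name}-app"
  assume_role_policy = data.aws_iam_policy_document.app_assume_role.json
}
```

`aws_iam_role.app.arn` is what goes into the `eks.amazonaws.com/role-arn` annotation as `${app_iam_role_arn}`.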
```hcl
# Add this to aws_eks_cluster.cluster.vpc_config
# STEP 3: The cluster also gets a private endpoint, so worker nodes can reach
# the control plane without leaving the VPC.
endpoint_private_access = true
```
```hcl
## Step 2: Configuring the EKS cluster
resource "aws_eks_cluster" "cluster" { # Here we create the EKS cluster itself.
  name     = var.cluster_name
  role_arn = aws_iam_role.eks_cluster.arn # The cluster needs an IAM role to act on your AWS account

  vpc_config {
    # All 6 subnets (public and private), retrieved from the VPC module above.
    subnet_ids             = concat(module.vpc.public_subnets, module.vpc.private_subnets)
    # The cluster gets a public endpoint, reachable from the public internet.
    endpoint_public_access = true
  }
}
```
```hcl
# Step 4: Configuring the kubectl CLI
# Generate a kubeconfig for the new cluster (needs aws cli >=1.62 and kubectl)
resource "null_resource" "generate_kubeconfig" {
  provisioner "local-exec" {
    command = "aws eks update-kubeconfig --name ${var.cluster_name}"
  }
  depends_on = [aws_eks_cluster.cluster]
}
```
```hcl
provider "aws" {
  version = "~> 2.0"
  region  = "eu-west-1"
}

## Step 1: Configuring the VPC
module "vpc" {
  source = "terraform-aws-modules/vpc/aws"
  name   = "my-eks-vpc"
```