skoc10 · skoc10 · Mar 18, 2022 · Mar 18, 2022 · Mar 18, 2022 · Mar 18, 2022
diff --git a/.DS_Store b/.DS_Store
diff --git a/infrastructure/dev-k8s-terraform/main.tf b/infrastructure/dev-k8s-terraform/main.tf
@@ -0,0 +1,205 @@
+provider "aws" {
+  region  = "us-east-1"
+}
+
+module "iam" {
+  source = "./modules/IAM"
+}
+
+resource "aws_security_group" "matt-kube-mutual-sg" {
+  name = "kube-mutual-sec-group-for-matt"
+}
+
+resource "aws_security_group" "matt-kube-worker-sg" {
+  name = "kube-worker-sec-group-for-matt"
+  ingress {
+    protocol = "tcp"
+    from_port = 10250
+    to_port = 10250
+    security_groups = [aws_security_group.matt-kube-mutual-sg.id]
+  }
+  ingress {
+    protocol = "tcp"
+    from_port = 30000
+    to_port = 32767
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  ingress {
+    protocol = "tcp"
+    from_port = 22
+    to_port = 22
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  ingress {
+    protocol = "udp"
+    from_port = 8472
+    to_port = 8472
+    security_groups = [aws_security_group.matt-kube-mutual-sg.id]
+  }
+
+  egress{
+    protocol = "-1"
+    from_port = 0
+    to_port = 0
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  tags = {
+    Name = "kube-worker-secgroup"
+    "kubernetes.io/cluster/mattsCluster" = "owned"
+  }
+}
+
+resource "aws_security_group" "matt-kube-master-sg" {
+  name = "kube-master-sec-group-for-matt"
+
+  ingress {
+    protocol = "tcp"
+    from_port = 22
+    to_port = 22
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  ingress {
+    protocol = "tcp"
+    from_port = 80
+    to_port = 80
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  ingress {
+    protocol = "tcp"
+    from_port = 6443
+    to_port = 6443
+    cidr_blocks = ["0.0.0.0/0"]
+    #security_groups = [aws_security_group.matt-kube-mutual-sg.id]
+  }
+  ingress {
+    protocol = "tcp"
+    from_port = 443
+    to_port = 443
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  ingress {
+    protocol = "tcp"
+    from_port = 2380
+    to_port = 2380
+    security_groups = [aws_security_group.matt-kube-mutual-sg.id]
+  }
+  ingress {
+    protocol = "tcp"
+    from_port = 2379
+    to_port = 2379
+    security_groups = [aws_security_group.matt-kube-mutual-sg.id]
+  }
+  ingress {
+    protocol = "tcp"
+    from_port = 10250
+    to_port = 10250
+    security_groups = [aws_security_group.matt-kube-mutual-sg.id]
+  }
+  ingress {
+    protocol = "tcp"
+    from_port = 10251
+    to_port = 10251
+    security_groups = [aws_security_group.matt-kube-mutual-sg.id]
+  }
+  ingress {
+    protocol = "tcp"
+    from_port = 10252
+    to_port = 10252
+    security_groups = [aws_security_group.matt-kube-mutual-sg.id]
+  }
+  ingress {
+    protocol = "tcp"
+    from_port = 30000
+    to_port = 32767
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  ingress {
+    protocol = "udp"
+    from_port = 8472
+    to_port = 8472
+    security_groups = [aws_security_group.matt-kube-mutual-sg.id]
+  }
+  egress {
+    protocol = "-1"
+    from_port = 0
+    to_port = 0
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  tags = {
+    Name = "kube-master-secgroup"
+  }
+}
+
+resource "aws_instance" "kube-master" {
+    ami = "ami-013f17f36f8b1fefb"
+    instance_type = "t3a.medium"
+    iam_instance_profile = module.iam.master_profile_name
+    vpc_security_group_ids = [aws_security_group.matt-kube-master-sg.id, aws_security_group.matt-kube-mutual-sg.id]
+    key_name = "mattkey"
+    subnet_id = "subnet-0b44c52bb4b66253f"  # select own subnet_id of us-east-1a
+    availability_zone = "us-east-1a"
+    tags = {
+        Name = "kube-master"
+        "kubernetes.io/cluster/mattsCluster" = "owned"
+        Project = "tera-kube-ans"
+        Role = "master"
+        Id = "1"
+        environment = "dev"
+    }
+}
+
+resource "aws_instance" "worker-1" {
+    ami = "ami-013f17f36f8b1fefb"
+    instance_type = "t3a.medium"
+        iam_instance_profile = module.iam.worker_profile_name
+    vpc_security_group_ids = [aws_security_group.matt-kube-worker-sg.id, aws_security_group.matt-kube-mutual-sg.id]
+    key_name = "mattkey"
+    subnet_id = "subnet-0b44c52bb4b66253f"  # select own subnet_id of us-east-1a
+    availability_zone = "us-east-1a"
+    tags = {
+        Name = "worker-1"
+        "kubernetes.io/cluster/mattsCluster" = "owned"
+        Project = "tera-kube-ans"
+        Role = "worker"
+        Id = "1"
+        environment = "dev"
+    }
+}
+
+resource "aws_instance" "worker-2" {
+    ami = "ami-013f17f36f8b1fefb"
+    instance_type = "t3a.medium"
+    iam_instance_profile = module.iam.worker_profile_name
+    vpc_security_group_ids = [aws_security_group.matt-kube-worker-sg.id, aws_security_group.matt-kube-mutual-sg.id]
+    key_name = "mattkey"
+    subnet_id = "subnet-0b44c52bb4b66253f"  # select own subnet_id of us-east-1a
+    availability_zone = "us-east-1a"
+    tags = {
+        Name = "worker-2"
+        "kubernetes.io/cluster/mattsCluster" = "owned"
+        Project = "tera-kube-ans"
+        Role = "worker"
+        Id = "2"
+        environment = "dev"
+    }
+}
+
+output kube-master-ip {
+  value       = aws_instance.kube-master.public_ip
+  sensitive   = false
+  description = "public ip of the kube-master"
+}
+
+output worker-1-ip {
+  value       = aws_instance.worker-1.public_ip
+  sensitive   = false
+  description = "public ip of the worker-1"
+}
+
+output worker-2-ip {
+  value       = aws_instance.worker-2.public_ip
+  sensitive   = false
+  description = "public ip of the worker-2"
+}
diff --git a/infrastructure/dev-k8s-terraform/modules/IAM/policy_for_master.json b/infrastructure/dev-k8s-terraform/modules/IAM/policy_for_master.json
@@ -0,0 +1,143 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Effect": "Allow",
+        "Action": [
+        "autoscaling:DescribeAutoScalingGroups",
+        "autoscaling:DescribeLaunchConfigurations",
+        "autoscaling:DescribeTags",
+        "ec2:DescribeInstances",
+        "ec2:DescribeRegions",
+        "ec2:DescribeRouteTables",
+        "ec2:DescribeSecurityGroups",
+        "ec2:DescribeSubnets",
+        "ec2:DescribeVolumes",
+        "ec2:CreateSecurityGroup",
+        "ec2:CreateTags",
+        "ec2:CreateVolume",
+        "ec2:ModifyInstanceAttribute",
+        "ec2:ModifyVolume",
+        "ec2:AttachVolume",
+        "ec2:AuthorizeSecurityGroupIngress",
+        "ec2:CreateRoute",
+        "ec2:DeleteRoute",
+        "ec2:DeleteSecurityGroup",
+        "ec2:DeleteVolume",
+        "ec2:DetachVolume",
+        "ec2:RevokeSecurityGroupIngress",
+        "ec2:DescribeVpcs",
+        "elasticloadbalancing:AddTags",
+        "elasticloadbalancing:AttachLoadBalancerToSubnets",
+        "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
+        "elasticloadbalancing:CreateLoadBalancer",
+        "elasticloadbalancing:CreateLoadBalancerPolicy",
+        "elasticloadbalancing:CreateLoadBalancerListeners",
+        "elasticloadbalancing:ConfigureHealthCheck",
+        "elasticloadbalancing:DeleteLoadBalancer",
+        "elasticloadbalancing:DeleteLoadBalancerListeners",
+        "elasticloadbalancing:DescribeLoadBalancers",
+        "elasticloadbalancing:DescribeLoadBalancerAttributes",
+        "elasticloadbalancing:DetachLoadBalancerFromSubnets",
+        "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+        "elasticloadbalancing:ModifyLoadBalancerAttributes",
+        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+        "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
+        "elasticloadbalancing:AddTags",
+        "elasticloadbalancing:CreateListener",
+        "elasticloadbalancing:CreateTargetGroup",
+        "elasticloadbalancing:DeleteListener",
+        "elasticloadbalancing:DeleteTargetGroup",
+        "elasticloadbalancing:DescribeListeners",
+        "elasticloadbalancing:DescribeLoadBalancerPolicies",
+        "elasticloadbalancing:DescribeTargetGroups",
+        "elasticloadbalancing:DescribeTargetHealth",
+        "elasticloadbalancing:ModifyListener",
+        "elasticloadbalancing:ModifyTargetGroup",
+        "elasticloadbalancing:RegisterTargets",
+        "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
+        "iam:CreateServiceLinkedRole",
+        "kms:DescribeKey",
+        "ecr:GetDownloadUrlForLayer",
+        "ecr:BatchGetImage",
+        "ecr:BatchCheckLayerAvailability",
+        "ecr:PutImage",
+        "ecr:InitiateLayerUpload",
+        "ecr:UploadLayerPart",
+        "ecr:CompleteLayerUpload",
+        "ecr:DescribeRepositories",
+        "ecr:GetRepositoryPolicy",
+        "ecr:ListImages",
+        "ecr:DeleteRepository",
+        "ecr:BatchDeleteImage",
+        "ecr:SetRepositoryPolicy",
+        "ecr:DeleteRepositoryPolicy",
+        "s3:ListAccessPointsForObjectLambda",
+        "s3:GetObjectVersionTagging",
+        "s3:GetStorageLensConfigurationTagging",
+        "s3:GetObjectAcl",
+        "s3:GetBucketObjectLockConfiguration",
+        "s3:GetIntelligentTieringConfiguration",
+        "s3:GetObjectVersionAcl",
+        "s3:GetBucketPolicyStatus",
+        "s3:GetObjectRetention",
+        "s3:GetBucketWebsite",
+        "s3:GetJobTagging",
+        "s3:ListJobs",
+        "s3:GetMultiRegionAccessPoint",
+        "s3:GetObjectAttributes",
+        "s3:GetObjectLegalHold",
+        "s3:GetBucketNotification",
+        "s3:DescribeMultiRegionAccessPointOperation",
+        "s3:GetReplicationConfiguration",
+        "s3:ListMultipartUploadParts",
+        "s3:GetObject",
+        "s3:DescribeJob",
+        "s3:GetAnalyticsConfiguration",
+        "s3:GetObjectVersionForReplication",
+        "s3:GetAccessPointForObjectLambda",
+        "s3:GetStorageLensDashboard",
+        "s3:GetLifecycleConfiguration",
+        "s3:GetAccessPoint",
+        "s3:GetInventoryConfiguration",
+        "s3:GetBucketTagging",
+        "s3:GetAccessPointPolicyForObjectLambda",
+        "s3:GetBucketLogging",
+        "s3:ListBucketVersions",
+        "s3:ListBucket",
+        "s3:GetAccelerateConfiguration",
+        "s3:GetObjectVersionAttributes",
+        "s3:GetBucketPolicy",
+        "s3:GetEncryptionConfiguration",
+        "s3:GetObjectVersionTorrent",
+        "s3:GetBucketRequestPayment",
+        "s3:GetAccessPointPolicyStatus",
+        "s3:GetObjectTagging",
+        "s3:GetMetricsConfiguration",
+        "s3:GetBucketOwnershipControls",
+        "s3:GetBucketPublicAccessBlock",
+        "s3:GetMultiRegionAccessPointPolicyStatus",
+        "s3:ListBucketMultipartUploads",
+        "s3:GetMultiRegionAccessPointPolicy",
+        "s3:GetAccessPointPolicyStatusForObjectLambda",
+        "s3:ListAccessPoints",
+        "s3:GetBucketVersioning",
+        "s3:ListMultiRegionAccessPoints",
+        "s3:GetBucketAcl",
+        "s3:GetAccessPointConfigurationForObjectLambda",
+        "s3:ListStorageLensConfigurations",
+        "s3:GetObjectTorrent",
+        "s3:GetStorageLensConfiguration",
+        "s3:GetAccountPublicAccessBlock",
+        "s3:ListAllMyBuckets",
+        "s3:GetBucketCORS",
+        "s3:GetBucketLocation",
+        "s3:GetAccessPointPolicy",
+        "s3:GetObjectVersion"
+        ],
+        "Resource": [
+          "*"
+        ]
+      }
+    ]
+}