# vpc.tf manages the subnets for the EKS cluster and their associated
# paraphernalia such as NAT gateways and route tables. The VPC itself is
# defined in https://github.com/alphagov/govuk-aws/ while we transition to
# Kubernetes.
#
# https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html
# TODO: Once the EC2 environment is gone, move the aws_vpc from
# alphagov/govuk-aws to here.
# TODO: Consider factoring out the (subnet, route_table,
# route_table_association, route) resources into a local module (or maybe two,
# for public/private), perhaps after we've imported the VPC resource from
# govuk-aws. Also consider using terraform-aws-modules/terraform-aws-vpc to
# replace the whole lot. (That module makes some dubious use of count() but
# it's ok because we're very unlikely to add or remove availability zones.)
# Shared create timeout for the three aws_route resources in this file (the
# default routes for the control plane, public and private subnets).
# NOTE(review): the rationale is not stated here beyond "same workaround as
# terraform-aws-vpc"; presumably it tolerates the route table / NAT gateway
# not being usable immediately after creation — confirm against that module.
locals {
  route_create_timeout = "5m" # Same workaround as terraform-aws-vpc module.
}
# Control plane subnets and associated resources. The control plane subnets are
# small, private subnets where EKS creates the ENIs for private access to
# the control plane, which runs in an Amazon-owned VPC.
# One control plane subnet per entry of var.eks_control_plane_subnets. These
# subnets only hold the ENIs EKS creates for private access to the control
# plane; nodes and pods live in the private subnets further down.
resource "aws_subnet" "eks_control_plane" {
  for_each = var.eks_control_plane_subnets

  vpc_id            = data.terraform_remote_state.infra_vpc.outputs.vpc_id
  availability_zone = each.value.az
  cidr_block        = each.value.cidr

  tags = {
    Name = "${var.cluster_name}-eks-control-plane-${each.key}"
  }
}
# A dedicated route table per control plane subnet, so each subnet's default
# route can point at the NAT gateway with the matching key (see
# aws_route.eks_control_plane_nat).
resource "aws_route_table" "eks_control_plane" {
  for_each = var.eks_control_plane_subnets
  vpc_id   = data.terraform_remote_state.infra_vpc.outputs.vpc_id

  tags = {
    Name = "${var.cluster_name}-eks-control-plane-${each.key}"
  }
}
# Bind each control plane subnet to its own route table (same key on both).
resource "aws_route_table_association" "eks_control_plane" {
  for_each = var.eks_control_plane_subnets

  route_table_id = aws_route_table.eks_control_plane[each.key].id
  subnet_id      = aws_subnet.eks_control_plane[each.key].id
}
# Default route for each control plane subnet via the NAT gateway that shares
# its key, so these subnets have outbound-only Internet access.
# NOTE(review): aws_nat_gateway.eks is keyed by var.eks_public_subnets while
# this resource iterates var.eks_control_plane_subnets, so the two maps must
# share a key set; a key present in one but not the other fails at plan time.
resource "aws_route" "eks_control_plane_nat" {
  for_each = var.eks_control_plane_subnets

  route_table_id         = aws_route_table.eks_control_plane[each.key].id
  nat_gateway_id         = aws_nat_gateway.eks[each.key].id
  destination_cidr_block = "0.0.0.0/0"

  timeouts { create = local.route_create_timeout }
}
# Public subnets and associated resources. The public subnets are used by
# controllers in the cluster (such as aws-load-balancer-controller) for
# creating Internet-facing load balancers.
# One public subnet per entry of var.eks_public_subnets. These host the NAT
# gateways (aws_nat_gateway.eks) and are where controllers in the cluster
# create Internet-facing load balancers; the kubernetes.io/* tags are
# presumably what aws-load-balancer-controller's subnet discovery matches on.
resource "aws_subnet" "eks_public" {
  for_each = var.eks_public_subnets

  vpc_id            = data.terraform_remote_state.infra_vpc.outputs.vpc_id
  availability_zone = each.value.az
  cidr_block        = each.value.cidr

  # Anything launched directly into these subnets gets a public IP. Worker
  # nodes and pods belong in the private subnets below, so nothing should be
  # placed here other than the NAT gateways and load balancers.
  map_public_ip_on_launch = true

  tags = {
    Name = "${var.cluster_name}-eks-public-${each.key}"
    # https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html
    "kubernetes.io/cluster/${var.cluster_name}" = "owned"
    "kubernetes.io/role/elb"                    = "1"
  }
}
# A single route table shared by all public subnets; the only route this file
# adds to it is the default route to the Internet gateway
# (aws_route.public_internet_gateway).
resource "aws_route_table" "eks_public" {
  vpc_id = data.terraform_remote_state.infra_vpc.outputs.vpc_id

  tags = {
    Name = "${var.cluster_name}-eks-public"
  }
}
# Every public subnet uses the one shared public route table.
resource "aws_route_table_association" "eks_public" {
  for_each = var.eks_public_subnets

  route_table_id = aws_route_table.eks_public.id
  subnet_id      = aws_subnet.eks_public[each.key].id
}
# Default route for the public subnets straight to the VPC's Internet gateway.
# The IGW is still owned by govuk-aws and read from its remote state; this is
# the route that makes the public subnets "public".
resource "aws_route" "public_internet_gateway" {
  route_table_id         = aws_route_table.eks_public.id
  gateway_id             = data.terraform_remote_state.infra_vpc.outputs.internet_gateway_id
  destination_cidr_block = "0.0.0.0/0"

  timeouts { create = local.route_create_timeout }
}
# One Elastic IP per public subnet, consumed by the matching NAT gateway. These
# are the fixed source addresses all outbound traffic from the private and
# control plane subnets leaves with.
resource "aws_eip" "eks_nat" {
  for_each = var.eks_public_subnets
  domain   = "vpc"

  tags = {
    Name = "${var.cluster_name}-eks-nat-${each.key}"
  }

  # TODO: depends_on = [aws_internet_gateway.gw] once we've imported the IGW from govuk-aws.
}
# One NAT gateway per public subnet, keyed identically to the subnet and EIP.
# The private and control plane default routes index this map by their own
# keys, so those variables must use the same keys as var.eks_public_subnets.
resource "aws_nat_gateway" "eks" {
  for_each = var.eks_public_subnets

  subnet_id     = aws_subnet.eks_public[each.key].id
  allocation_id = aws_eip.eks_nat[each.key].id

  tags = {
    Name = "${var.cluster_name}-eks-${each.key}"
  }

  # TODO: depends_on = [aws_internet_gateway.gw] once we've imported the IGW from govuk-aws.
}
# Private subnets and associated resources. The private subnets contain the
# worker nodes and the pods.
# One private subnet per entry of var.eks_private_subnets, for worker nodes and
# pods. map_public_ip_on_launch is left at its default (false), so nodes only
# get private addresses; their outbound path is the NAT route in
# aws_route.eks_private_nat. The internal-elb tag marks these subnets for
# internal (non-Internet-facing) load balancers.
resource "aws_subnet" "eks_private" {
  for_each = var.eks_private_subnets

  vpc_id            = data.terraform_remote_state.infra_vpc.outputs.vpc_id
  availability_zone = each.value.az
  cidr_block        = each.value.cidr

  tags = {
    Name = "${var.cluster_name}-eks-private-${each.key}"
    # https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html
    "kubernetes.io/cluster/${var.cluster_name}" = "owned"
    "kubernetes.io/role/internal-elb"           = "1"
  }
}
# A dedicated route table per private subnet so each one can default-route to
# the NAT gateway with the matching key.
resource "aws_route_table" "eks_private" {
  for_each = var.eks_private_subnets
  vpc_id   = data.terraform_remote_state.infra_vpc.outputs.vpc_id

  tags = {
    Name = "${var.cluster_name}-eks-private-${each.key}"
  }
}
# Bind each private subnet to its own route table (same key on both).
resource "aws_route_table_association" "eks_private" {
  for_each = var.eks_private_subnets

  route_table_id = aws_route_table.eks_private[each.key].id
  subnet_id      = aws_subnet.eks_private[each.key].id
}
# Default route for each private subnet via the NAT gateway that shares its
# key: outbound Internet access only, no inbound path from the Internet.
# NOTE(review): as with aws_route.eks_control_plane_nat, this assumes
# var.eks_private_subnets and var.eks_public_subnets use the same keys.
resource "aws_route" "eks_private_nat" {
  for_each = var.eks_private_subnets

  route_table_id         = aws_route_table.eks_private[each.key].id
  nat_gateway_id         = aws_nat_gateway.eks[each.key].id
  destination_cidr_block = "0.0.0.0/0"

  timeouts { create = local.route_create_timeout }
}