Revert "Revert (#382)" (#383)

This reverts commit c6b22e0.
ManagedKube · Oct 21, 2022 · 477ed72 · 477ed72
1 parent c6b22e0
commit 477ed72
Show file tree

Hide file tree

Showing 62 changed files with 6,676 additions and 0 deletions.
diff --git a/terraform-modules/aws/ec2_instance/README.md b/terraform-modules/aws/ec2_instance/README.md
@@ -0,0 +1,55 @@
+# Nodes
+This module creates a node based on the param
+
+It will create:
+* A an EC2 instance
+* attach a security group
+* attach IAM policies to the instance role
+* AMI used
+* subnet it is placed in
+* instance type
+
+# Dependencies
+
+`subnet_id` - the subnet to place this instance in
+`aws_iam_role_policy_attachment_list` - a list of policy arn to attach to this instance
+
+# instance_config var
+This is the main input for the module.  This the EC2 instances and it's configuration.
+
+```hcl
+instance_config = {
+    root_installer_device = {
+      instance_type         = "m5.4xlarge"
+      delete_on_termination = true,
+      encrypted             = true,
+      iops                  = "",
+      kms_key_id            = "",
+      volume_size           = 80,
+      volume_type           = "gp2",
+    }
+    ebs_block_device = []
+    user_data_inputs = {
+      ebs_block_device_1_is_set       = "false"
+      ebs_block_device_1_mount_path   = "null"
+      ebs_block_device_2_is_set       = "false"
+      ebs_block_device_2_mount_path   = "null"
+    }
+  }
+```
+
+# How to run the unit tests
+
+```
+cd test
+go test ./
+```
+
+no cache run
+```
+go test ./ -v -count=1
+```
+
+## How to run the debugger
+
+TBD
diff --git a/terraform-modules/aws/ec2_instance/cloud-init/user-data.yaml.tpl b/terraform-modules/aws/ec2_instance/cloud-init/user-data.yaml.tpl
@@ -0,0 +1,54 @@
+# #cloud-config
+# # Doc: https://cloudinit.readthedocs.io/en/latest/topics/examples.html
+
+# # Add groups to the system
+# groups:
+#   - fspace
+
+# # Add users to the system. Users are added after groups are added.
+# users:
+#   - default
+#   - name: fsinstaller
+#     gecos: fsinstaller
+#     shell: /bin/bash
+#     primary_group: fspace
+#     sudo: 
+#       - ALL=(ALL:ALL) NOPASSWD:/usr/bin/rpm
+#       - ALL=(ALL:ALL) NOPASSWD:/opt/chef/embedded/bin/gem
+#       - ALL=(ALL:ALL) NOPASSWD:/usr/bin/chef-client
+#       - ALL=(ALL:ALL) NOPASSWD:/usr/bin/pkill
+#       - ALL=(ALL:ALL) NOPASSWD:/usr/bin/chef
+#       - ALL=(ALL:ALL) NOPASSWD:/opt/chefdk/embedded/bin/gem
+#     lock_passwd: false
+#     ssh_authorized_keys:
+#       - ${user_ssh_public_key}
+#   - name: aric
+#     gecos: aric
+#     shell: /bin/bash
+#     primary_group: fspace
+#     ssh_authorized_keys:
+#       - ${user_ssh_public_key}
+
+
+# # Installs packages
+# packages:
+#   - unzip
+
+# # Sets the GOPATH & downloads the demo payload
+# runcmd:
+#   - echo "ClientAliveInterval 60" | tee -a /etc/ssh/sshd_config
+#   - echo "ClientAliveCountMax 10" | tee -a /etc/ssh/sshd_config
+#   - systemctl restart sshd
+#   - echo "vm.swappiness=1" | tee -a /etc/sysctl.conf
+#   - sudo sysctl -p
+#   - curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64-2.0.30.zip" -o "/tmp/awscliv2.zip"
+#   - unzip /tmp/awscliv2.zip -d /tmp/
+#   - /tmp/aws/install
+#   - if [[ "${ebs_block_device_1_is_set}" == "true" ]]; then export EBS_DEVICE=$(lsblk | grep -e "nvme1.*" | awk '{print $1}'); mkfs -t ext4 /dev/"$${EBS_DEVICE}"; mkdir -p "${ebs_block_device_1_mount_path}"; mount /dev/"$${EBS_DEVICE[$i]}" ${ebs_block_device_1_mount_path}; echo -e "UUID=$(lsblk -o +uuid /dev/"$${EBS_DEVICE[$i]}" | grep "$${EBS_DEVICE[$i]}" | awk '{print $8}') \t ${ebs_block_device_1_mount_path} \t ext4 \t defaults \t 0 \t 0" >> /etc/fstab; fi
+#   - if [[ "${ebs_block_device_2_is_set}" == "true" ]]; then export EBS_DEVICE=$(lsblk | grep -e "nvme2.*" | awk '{print $1}'); mkfs -t ext4 /dev/"$${EBS_DEVICE}"; mkdir -p "${ebs_block_device_2_mount_path}"; mount /dev/"$${EBS_DEVICE[$i]}" ${ebs_block_device_2_mount_path}; echo -e "UUID=$(lsblk -o +uuid /dev/"$${EBS_DEVICE[$i]}" | grep "$${EBS_DEVICE[$i]}" | awk '{print $8}') \t ${ebs_block_device_2_mount_path} \t ext4 \t defaults \t 0 \t 0" >> /etc/fstab; fi
+# write_files:
+#   - encoding: gzip
+#     content: !!binary |
+#       ${sudoers}
+#     path: /etc/sudoers.d/99-custom-sudoers
+#     permissions: '0440'
diff --git a/terraform-modules/aws/ec2_instance/files/99-custom-sudoers b/terraform-modules/aws/ec2_instance/files/99-custom-sudoers
diff --git a/terraform-modules/aws/ec2_instance/main.tf b/terraform-modules/aws/ec2_instance/main.tf
@@ -0,0 +1,112 @@
+locals {
+  sudoers                     = base64gzip(file("${path.module}/files/99-custom-sudoers"))
+
+  # combine user's IAM policy arn list with what is created in this module
+  complete_aws_iam_role_policy_attachment_list = concat(var.aws_iam_role_policy_attachment_list, 
+    [
+      "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM", 
+      aws_iam_policy.node_configs.arn,
+    ])
+}
+
+module "ec2_instance" {
+  source  = "terraform-aws-modules/ec2-instance/aws"
+  version = "~> 2.0"
+
+  name           = var.instance_name
+  instance_count = 1
+
+  ami           = var.ami
+  instance_type = var.instance_config.root_installer_device.instance_type
+  key_name      = var.key_pair_name != null ? var.key_pair_name: aws_key_pair.this[0].id
+  monitoring    = true
+  vpc_security_group_ids = var.security_group_list
+  subnet_id = var.subnet_id
+
+  # instance profile created in this module for each individual node
+  iam_instance_profile = aws_iam_instance_profile.instance_profile.id
+
+  tags = var.tags
+
+  enable_volume_tags = true
+  root_block_device = [
+    {
+      delete_on_termination = var.instance_config.root_installer_device.delete_on_termination
+      encrypted             = var.instance_config.root_installer_device.encrypted
+      iops                  = var.instance_config.root_installer_device.volume_type == "io2" ? var.instance_config.root_installer_device.iops : null
+      kms_key_id            = var.instance_config.root_installer_device.kms_key_id
+      volume_size           = var.instance_config.root_installer_device.volume_size
+      volume_type           = var.instance_config.root_installer_device.volume_type
+    },
+  ]
+
+  ebs_block_device = var.instance_config.ebs_block_device
+
+  user_data = templatefile("${path.module}/cloud-init/user-data.yaml.tpl", {
+          sudoers                         = local.sudoers
+          user_ssh_public_key             = var.user_ssh_public_key
+          ebs_block_device_1_is_set       = var.instance_config.user_data_inputs.ebs_block_device_1_is_set
+          ebs_block_device_1_mount_path   = var.instance_config.user_data_inputs.ebs_block_device_1_mount_path
+          ebs_block_device_2_is_set       = var.instance_config.user_data_inputs.ebs_block_device_2_is_set
+          ebs_block_device_2_mount_path   = var.instance_config.user_data_inputs.ebs_block_device_2_mount_path
+        })
+
+  depends_on = [
+    aws_iam_instance_profile.instance_profile,
+  ]
+}
+
+resource "aws_key_pair" "this" {
+  count = var.key_pair_name == null ? 1: 0
+  key_name   = var.instance_name
+  public_key = var.user_ssh_public_key
+}
+
+# Instance profile
+resource "aws_iam_instance_profile" "instance_profile" {
+  name  = var.instance_name
+  role  = aws_iam_role.instance_role.name
+}
+
+# Instance role
+resource "aws_iam_role" "instance_role" {
+
+  name = var.instance_name
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Sid    = ""
+        Principal = {
+          Service = "ec2.amazonaws.com"
+        }
+      },
+    ]
+  })
+  description = "A role for the ${var.instance_name} node"
+}
+
+# Attached the list of policies to the instance profile
+resource "aws_iam_role_policy_attachment" "attach_policies" {
+  count      = length(concat(local.complete_aws_iam_role_policy_attachment_list))
+  role       = aws_iam_role.instance_role.name
+  policy_arn = local.complete_aws_iam_role_policy_attachment_list[count.index]
+}
+
+# Policy for S3 Bucket - allows the node to get read-only access to s3 buckets for the node_config items
+# For the "all" nodes
+resource "aws_iam_policy" "node_configs" {
+  name  = "${var.instance_name}-node-configs"
+  policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Action" : ["s3:GetObject", "s3:ListBucket"],
+        "Effect" : "Allow",
+        "Resource" : "arn:aws:s3:::${var.environment_name}-installer/node_configs/*"
+      }
+    ]
+  })
+}
diff --git a/terraform-modules/aws/ec2_instance/outputs.tf b/terraform-modules/aws/ec2_instance/outputs.tf
@@ -0,0 +1,3 @@
+output "ec2_id" {
+  value = module.ec2_instance.id
+}
diff --git a/terraform-modules/aws/ec2_instance/test/go.mod b/terraform-modules/aws/ec2_instance/test/go.mod
@@ -0,0 +1,8 @@
+module github.com/ManagedKube/kubernetes-ops
+
+go 1.15
+
+require (
+	github.com/gruntwork-io/terratest v0.32.24
+	github.com/stretchr/testify v1.7.0
+)