Secondary private cidr (#156)

* Adding secondary subnet usage to the VPC * Adding EKS nodes on secondary subnets
ManagedKube · Aug 16, 2021 · 572d5a0 · 572d5a0
1 parent b05a4ec
commit 572d5a0
Show file tree

Hide file tree

Showing 6 changed files with 48 additions and 5 deletions.
diff --git a/terraform-modules/aws/eks/main.tf b/terraform-modules/aws/eks/main.tf
@@ -41,7 +41,11 @@ module "eks" {
 
   # vpc_id = data.terraform_remote_state.vpc.outputs.vpc_id
   vpc_id  = var.vpc_id
-  subnets = var.private_subnets
+
+  # Using a conditional for backwards compatibility for those who started out only
+  # using the private_subnets for the input variable.  The new k8s_subnets is new
+  # and makes the subnet id input var name more generic to where the k8s worker nodes goes
+  subnets = length(var.private_subnets) > 0 ? var.private_subnets : var.k8s_subnets
 
   cluster_endpoint_public_access       = var.cluster_endpoint_public_access
   cluster_endpoint_public_access_cidrs = var.cluster_endpoint_public_access_cidrs

diff --git a/terraform-modules/aws/eks/variables.tf b/terraform-modules/aws/eks/variables.tf
@@ -14,6 +14,12 @@ variable "public_subnets" {
   default = []
 }
 
+variable "k8s_subnets" {
+  type = list(any)
+  default = []
+  description = "Subnet IDs to place the EKS nodes into"
+}
+
 variable "cluster_name" {
   default = "test-cluster"
 }

diff --git a/terraform-modules/aws/vpc/main.tf b/terraform-modules/aws/vpc/main.tf
@@ -1,14 +1,20 @@
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
-  version = "2.78.0"
+  version = "3.2.0"
 
   name = var.environment_name
   cidr = var.vpc_cidr
 
+  secondary_cidr_blocks = var.secondary_cidrs
+
   azs             = var.azs
   private_subnets = var.private_subnets
   public_subnets  = var.public_subnets
 
+  # We want to use the 100.64.0.0/16 address space for the EKS nodes and since
+  # this module doesnt have an EKS subnet, we will use the elasticache instead.
+  elasticache_subnets = var.k8s_worker_subnets
+
   enable_nat_gateway = var.enable_nat_gateway
   enable_vpn_gateway = var.enable_vpn_gateway
 
@@ -25,5 +31,11 @@ module "vpc" {
     "kubernetes.io/role/internal-elb"           = "1"
   }
 
+  elasticache_subnet_tags = {
+    "kubernetes.io/cluster/${var.cluster_name}" = "shared"
+    "kubernetes.io/role/internal-elb"           = "1"
+    "ops_purpose"                               = "Overloaded for k8s worker usage"
+  }
+
   tags = var.tags
 }
diff --git a/terraform-modules/aws/vpc/outputs.tf b/terraform-modules/aws/vpc/outputs.tf
@@ -17,3 +17,8 @@ output "public_subnets" {
   description = "A list of public subnets"
   value       = module.vpc.public_subnets
 }
+
+output "k8s_subnets" {
+  description = "A list of private k8s subnets"
+  value       = module.vpc.elasticache_subnets
+}
diff --git a/terraform-modules/aws/vpc/test/terratest_test.go b/terraform-modules/aws/vpc/test/terratest_test.go
@@ -24,7 +24,7 @@ func TestTerraformDefault(t *testing.T) {
 		// Dynamic Variables that we should pass in addition to varfile.tfvars
 		Vars: map[string]interface{}{
 			"aws_region": "us-east-1",
-			"environment_name": "unittest_aws_vpc_" + stringRand,
+			"environment_name": "unittest-aws-vpc-" + stringRand,
 			"vpc_cidr": "10.0.0.0/16",
 			"enable_nat_gateway": false,
 			"enable_vpn_gateway": false,
@@ -49,14 +49,18 @@ func TestTerraformDefault(t *testing.T) {
 
 	// Run `terraform output` to get the values of output variables
 	actualVPCId := terraform.Output(t, terraformOptions, "vpc_id")
-	// actualPrivateSubnets := terraform.Output(t, terraformOptions, "private_subnets")
+	actualPublicSubnets := terraform.OutputList(t, terraformOptions, "public_subnets")
+	actualPrivateSubnets := terraform.OutputList(t, terraformOptions, "private_subnets")
+	actualK8sSubnets := terraform.OutputList(t, terraformOptions, "k8s_subnets")
 
 	// awsAccountID := aws.GetAccountId(t)
 
 	// assert.Equal(t, "unittest_aws_iam_policy_"+stringRand, actualPolicyName)
 	// assert.Equal(t, "arn:aws:iam::"+awsAccountID+":policy/unittest_aws_iam_policy_"+stringRand, actualPolicyArn)
 	assert.Equal(t, "vpc-", actualVPCId[0:4])
-	// assert.Equal(t, 3, len(actualPrivateSubnets))
+	assert.Equal(t, 3, len(actualPublicSubnets))
+	assert.Equal(t, 3, len(actualPrivateSubnets))
+	assert.Equal(t, 3, len(actualK8sSubnets))
 }
 
 func randomString(len int) string {

diff --git a/terraform-modules/aws/vpc/variables.tf b/terraform-modules/aws/vpc/variables.tf
@@ -50,3 +50,15 @@ variable "enable_dns_support" {
   default     = true
   description = "Enable dns support"
 }
+
+variable "secondary_cidrs" {
+  type        = list(string)
+  default     = ["100.64.0.0/16"]
+  description = "optional list of secondary cidr blocks"
+}
+
+variable "k8s_worker_subnets" {
+  type        = list(string)
+  default     = ["100.64.0.0/20", "100.64.16.0/20", "100.64.32.0/20"]
+  description = "list of alternate secondary cidrs for kubernetes workers"
+}