From 572d5a01fef7ba9597886c630b5e9d61aaafcb73 Mon Sep 17 00:00:00 2001
From: Garland Kan
Date: Mon, 16 Aug 2021 12:26:56 -0700
Subject: [PATCH] Secondary private cidr (#156)
* Adding secondary subnet usage to the VPC
* Adding EKS nodes on secondary subnets
---
 terraform-modules/aws/eks/main.tf | 6 +++++-
 terraform-modules/aws/eks/variables.tf | 6 ++++++
 terraform-modules/aws/vpc/main.tf | 14 +++++++++++++-
 terraform-modules/aws/vpc/outputs.tf | 5 +++++
 terraform-modules/aws/vpc/test/terratest_test.go | 10 +++++++---
 terraform-modules/aws/vpc/variables.tf | 12 ++++++++++++
 6 files changed, 48 insertions(+), 5 deletions(-)
diff --git a/terraform-modules/aws/eks/main.tf b/terraform-modules/aws/eks/main.tf
index 8e0715eab..feb30034c 100644
--- a/terraform-modules/aws/eks/main.tf
+++ b/terraform-modules/aws/eks/main.tf
@@ -41,7 +41,11 @@ module "eks" {
 # vpc_id = data.terraform_remote_state.vpc.outputs.vpc_id
 vpc_id = var.vpc_id
- subnets = var.private_subnets
+
+ # Using a conditional for backwards compatibility for those who started out only
+ # using the private_subnets for the input variable. The new k8s_subnets is new
+ # and makes the subnet id input var name more generic to where the k8s worker nodes goes
+ subnets = length(var.private_subnets) > 0 ? var.private_subnets : var.k8s_subnets
 cluster_endpoint_public_access = var.cluster_endpoint_public_access
 cluster_endpoint_public_access_cidrs = var.cluster_endpoint_public_access_cidrs
diff --git a/terraform-modules/aws/eks/variables.tf b/terraform-modules/aws/eks/variables.tf
index 8af7a7ded..4df6a0627 100644
--- a/terraform-modules/aws/eks/variables.tf
+++ b/terraform-modules/aws/eks/variables.tf
@@ -14,6 +14,12 @@ variable "public_subnets" {
 default = []
 }
 
+variable "k8s_subnets" {
+ type = list(any)
+ default = []
+ description = "Subnet IDs to place the EKS nodes into"
+}
+
 variable "cluster_name" {
 default = "test-cluster"
 }
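Review bot: When both `private_subnets` and `k8s_subnets` are non-empty, the conditional on the new `subnets` line silently discards `k8s_subnets`, so a caller who migrates to the new variable but leaves the old one set ends up with nodes in the old subnets and no diagnostic. If the Terraform version in use supports it, a `precondition` on the module block (or a check in the calling code) rejecting the both-set case would surface that; at minimum the comment should state it, e.g. `# private_subnets takes precedence when both are set; k8s_subnets is ignored in that case`. The middle sentence of the added comment ("The new k8s_subnets is new") also reads awkwardly and could be shortened to one clause. The enclosing `module "eks"` block starts and ends outside the hunk.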
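Review bot: `type = list(any)` on the new `k8s_subnets` variable is looser than its contents warrant: the values are subnet IDs, and the `secondary_cidrs` and `k8s_worker_subnets` variables added in this same commit use `list(string)`. Declaring it as `type = list(string)` rejects a mis-wired input (for example a list of subnet objects) at plan time instead of inside the EKS module. The sibling `private_subnets`/`public_subnets` declarations are not visible here, so this may simply mirror their type; if so, tightening all three together would be the consistent fix.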
diff --git a/terraform-modules/aws/vpc/main.tf b/terraform-modules/aws/vpc/main.tf
index 24862b4da..770ace27a 100644
--- a/terraform-modules/aws/vpc/main.tf
+++ b/terraform-modules/aws/vpc/main.tf
@@ -1,14 +1,20 @@
 module "vpc" {
 source = "terraform-aws-modules/vpc/aws"
- version = "2.78.0"
+ version = "3.2.0"
 name = var.environment_name
 cidr = var.vpc_cidr
+ secondary_cidr_blocks = var.secondary_cidrs
+
 azs = var.azs
 private_subnets = var.private_subnets
 public_subnets = var.public_subnets
+ # We want to use the 100.64.0.0/16 address space for the EKS nodes and since
+ # this module doesnt have an EKS subnet, we will use the elasticache instead.
+ elasticache_subnets = var.k8s_worker_subnets
+
 enable_nat_gateway = var.enable_nat_gateway
 enable_vpn_gateway = var.enable_vpn_gateway
@@ -25,5 +31,11 @@ module "vpc" {
 "kubernetes.io/role/internal-elb" = "1"
 }
 
+ elasticache_subnet_tags = {
+ "kubernetes.io/cluster/${var.cluster_name}" = "shared"
+ "kubernetes.io/role/internal-elb" = "1"
+ "ops_purpose" = "Overloaded for k8s worker usage"
+ }
+
 tags = var.tags
 }
diff --git a/terraform-modules/aws/vpc/outputs.tf b/terraform-modules/aws/vpc/outputs.tf
index 3e94bde95..38f92ec3b 100644
--- a/terraform-modules/aws/vpc/outputs.tf
+++ b/terraform-modules/aws/vpc/outputs.tf
@@ -17,3 +17,8 @@ output "public_subnets" {
 description = "A list of public subnets"
 value = module.vpc.public_subnets
 }
+
+output "k8s_subnets" {
+ description = "A list of private k8s subnets"
+ value = module.vpc.elasticache_subnets
+}
diff --git a/terraform-modules/aws/vpc/test/terratest_test.go b/terraform-modules/aws/vpc/test/terratest_test.go
index b80481c5e..b6d38295a 100644
--- a/terraform-modules/aws/vpc/test/terratest_test.go
+++ b/terraform-modules/aws/vpc/test/terratest_test.go
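Review bot: The comment above `elasticache_subnets` explains the address-space choice but not how these subnets route, which is what decides whether nodes placed in them can reach the NAT gateway, the EKS endpoint and ECR. In the upstream module the elasticache subnets' route-table association is governed by a separate input (I believe `create_elasticache_subnet_route_table`, which when left off makes them share the private route tables) and, if I recall correctly, an ElastiCache subnet group is created for them by default; both are worth confirming against 3.2.0 and recording here, e.g. `# Routing: these share the private route tables (NAT egress); set create_elasticache_subnet_group = false if the subnet group is unwanted`. Separately, the `version` bump from 2.78.0 to 3.2.0 is a major upgrade of a third-party module folded into a feature change; a line in the commit message naming what was checked for breaking changes would help whoever reviews the plan. Also `doesnt` → `doesn't` in the comment. The `module "vpc"` block continues past the hunk.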
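Review bot: Tagging the worker subnets with `"kubernetes.io/role/internal-elb" = "1"` in `elasticache_subnet_tags` makes them eligible for internal load balancers alongside the private subnets, so an internal NLB/ALB may be placed in 100.64.0.0/16, which peers, VPNs or a transit gateway will only reach if they route the secondary CIDR. If the intent is only for nodes to live there, dropping that one tag keeps internal ELBs in the primary-CIDR private subnets; if both placements are intended, a comment saying so would pre-empt the question. The `ops_purpose` tag is a useful breadcrumb for anyone later wondering why elasticache subnets host workers. The enclosing `module "vpc"` block starts outside the hunk.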
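Review bot: The description `"A list of private k8s subnets"` hides the indirection on the next line, `value = module.vpc.elasticache_subnets`; someone reading `terraform output` or generated module docs will not learn that these are the overloaded elasticache subnets carved from the secondary CIDR. Suggest `description = "Subnet IDs for the k8s worker nodes (the VPC module's elasticache subnets, carved from the secondary CIDR)"` so the output is self-explaining.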
@@ -24,7 +24,7 @@ func TestTerraformDefault(t *testing.T) {
 // Dynamic Variables that we should pass in addition to varfile.tfvars
 Vars: map[string]interface{}{
 "aws_region": "us-east-1",
- "environment_name": "unittest_aws_vpc_" + stringRand,
+ "environment_name": "unittest-aws-vpc-" + stringRand,
 "vpc_cidr": "10.0.0.0/16",
 "enable_nat_gateway": false,
 "enable_vpn_gateway": false,
@@ -49,14 +49,18 @@ func TestTerraformDefault(t *testing.T) {
 // Run `terraform output` to get the values of output variables
 actualVPCId := terraform.Output(t, terraformOptions, "vpc_id")
- // actualPrivateSubnets := terraform.Output(t, terraformOptions, "private_subnets")
+ actualPublicSubnets := terraform.OutputList(t, terraformOptions, "public_subnets")
+ actualPrivateSubnets := terraform.OutputList(t, terraformOptions, "private_subnets")
+ actualK8sSubnets := terraform.OutputList(t, terraformOptions, "k8s_subnets")
 // awsAccountID := aws.GetAccountId(t)
 // assert.Equal(t, "unittest_aws_iam_policy_"+stringRand, actualPolicyName)
 // assert.Equal(t, "arn:aws:iam::"+awsAccountID+":policy/unittest_aws_iam_policy_"+stringRand, actualPolicyArn)
 assert.Equal(t, "vpc-", actualVPCId[0:4])
- // assert.Equal(t, 3, len(actualPrivateSubnets))
+ assert.Equal(t, 3, len(actualPublicSubnets))
+ assert.Equal(t, 3, len(actualPrivateSubnets))
+ assert.Equal(t, 3, len(actualK8sSubnets))
 }
 func randomString(len int) string {
diff --git a/terraform-modules/aws/vpc/variables.tf b/terraform-modules/aws/vpc/variables.tf
index 2193be554..cc0950bad 100644
--- a/terraform-modules/aws/vpc/variables.tf
+++ b/terraform-modules/aws/vpc/variables.tf
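Review bot: The three new `assert.Equal(t, 3, len(...))` checks would still pass if `k8s_subnets` were accidentally wired to `private_subnets` (or vice versa), since both outputs have three entries; asserting the lists are disjoint, e.g. `assert.NotEqual(t, actualPrivateSubnets, actualK8sSubnets)` or an `assert.NotContains` per element, pins the property this commit actually introduces. The count also encodes a module default implicitly, so a comment such as `// 3 == len(default k8s_worker_subnets) in variables.tf` would say where the number comes from. The stale commented-out `awsAccountID`/`unittest_aws_iam_policy_` lines sitting between the new `OutputList` calls and the asserts look like copy-paste residue from another module's test and could go while this block is being touched. `TestTerraformDefault` starts outside the hunk and `randomString` continues past it.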
@@ -50,3 +50,15 @@ variable "enable_dns_support" {
 default = true
 description = "Enable dns support"
 }
+
+variable "secondary_cidrs" {
+ type = list(string)
+ default = ["100.64.0.0/16"]
+ description = "optional list of secondary cidr blocks"
+}
+
+variable "k8s_worker_subnets" {
+ type = list(string)
+ default = ["100.64.0.0/20", "100.64.16.0/20", "100.64.32.0/20"]
+ description = "list of alternate secondary cidrs for kubernetes workers"
+}
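Review bot: Both new variables default to non-empty values, so every existing caller of this module gets a 100.64.0.0/16 secondary CIDR and three extra subnets attached on its next apply without opting in; `default = []` for both `secondary_cidrs` and `k8s_worker_subnets` would make the feature explicit and keep the upgrade a no-op for callers who do not want it. The descriptions should also state the dependency between the two (each `k8s_worker_subnets` entry must fall inside one of `secondary_cidrs`), which a `validation` block on either variable cannot check by itself, and note that 100.64.0.0/16 is RFC 6598 shared address space that peered networks will not route unless configured to. Capitalisation of the two descriptions also differs from the neighbouring `"Enable dns support"`.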