diff --git a/examples/cloud-enabled/main.tf b/examples/cloud-enabled/main.tf
index bac5baf..aa50f74 100644
--- a/examples/cloud-enabled/main.tf
+++ b/examples/cloud-enabled/main.tf
@@ -175,10 +175,7 @@ EOT
 cluster_data = module.rke2.cluster_data
- tags = merge({
- "k8s.io/cluster-autoscaler/enabled" = "true"
- "k8s.io/cluster-autoscaler/${local.cluster_name}" = "true"
- }, local.tags)
+ tags = local.tags
 }
 # For demonstration only, lock down ssh access in production
diff --git a/examples/quickstart/main.tf b/examples/quickstart/main.tf
index 6e29a03..bff80ec 100644
--- a/examples/quickstart/main.tf
+++ b/examples/quickstart/main.tf
@@ -22,26 +22,6 @@ data "aws_subnet" "default" {
 default_for_az = true
 }
-data "aws_ami" "ubuntu" {
- owners = ["513442679011"] # owner is for aws gov cloud
- most_recent = true
-
- filter {
- name = "name"
- values = ["ubuntu*-20.04*"]
- }
-
- filter {
- name = "architecture"
- values = ["x86_64"]
- }
-
- filter {
- name = "architecture"
- values = ["x86_64"]
- }
-}
-
 # Private Key
 resource "tls_private_key" "ssh" {
 algorithm = "RSA"
@@ -54,6 +34,21 @@ resource "local_file" "pem" {
 file_permission = "0600"
 }
+data "aws_ami" "rhel8" {
+ most_recent = true
+ owners = ["219670896067"] # owner is specific to aws gov cloud
+
+ filter {
+ name = "name"
+ values = ["RHEL-8*"]
+ }
+
+ filter {
+ name = "architecture"
+ values = ["x86_64"]
+ }
+}
+
 #
 # Server
 #
@@ -63,7 +58,7 @@ module "rke2" {
 cluster_name = local.cluster_name
 vpc_id = data.aws_vpc.default.id
 subnets = [data.aws_subnet.default.id]
- ami = data.aws_ami.ubuntu.image_id
+ ami = data.aws_ami.rhel8.image_id
 ssh_authorized_keys = [tls_private_key.ssh.public_key_openssh]
 controlplane_internal = false # Note this defaults to best practice of true, but is explicitly set to public for demo purposes
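Review bot: Dropping the `k8s.io/cluster-autoscaler/enabled` and `k8s.io/cluster-autoscaler/${local.cluster_name}` tags from the agent pool means the cloud-enabled example no longer marks its agent ASG for cluster-autoscaler discovery, and nothing in the hunk says whether that is intended. If operators are now expected to supply those tags through `local.tags`, a comment on the new line such as `tags = local.tags # cluster-autoscaler discovery tags are no longer set here; add them to local.tags if autoscaling is wanted` would spare the next reader a bisect. The enclosing module block starts before the hunk.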
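Review bot: In the new `data "aws_ami" "rhel8"` block, `most_recent = true` together with the wildcard `values = ["RHEL-8*"]` makes the resolved AMI change whenever the owner publishes a newer image, so a later plan can replace every server and agent instance with no change to the example itself. That may be acceptable for a quickstart, but it deserves a comment next to the name filter, e.g. `# resolves to the newest RHEL 8 image at plan time; pin the name pattern to a specific release for reproducible rebuilds`. The owner-id comment already flags that `219670896067` is GovCloud-specific; saying outright that the lookup presumably finds nothing in commercial regions would make the example's scope explicit.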
@@ -79,7 +74,7 @@ module "agents" {
 name = "generic"
 vpc_id = data.aws_vpc.default.id
 subnets = [data.aws_subnet.default.id]
- ami = data.aws_ami.ubuntu.image_id
+ ami = data.aws_ami.rhel8.image_id
 ssh_authorized_keys = [tls_private_key.ssh.public_key_openssh]
 tags = local.tags
diff --git a/main.tf b/main.tf
index 581e5f1..46a5666 100644
--- a/main.tf
+++ b/main.tf
@@ -46,7 +46,7 @@ module "statestore" {
 # Controlplane Load Balancer
 #
 module "cp_lb" {
- source = "./modules/nlb"
+ source = "./modules/elb"
 name = local.uname
 vpc_id = var.vpc_id
 subnets = var.subnets
@@ -54,6 +54,9 @@ module "cp_lb" {
 enable_cross_zone_load_balancing = var.controlplane_enable_cross_zone_load_balancing
 internal = var.controlplane_internal
+ cp_ingress_cidr_blocks = var.controlplane_allowed_cidrs
+ cp_supervisor_ingress_cidr_blocks = var.controlplane_allowed_cidrs
+
 tags = merge({}, local.default_tags, local.default_tags, var.tags)
 }
@@ -102,21 +105,21 @@ resource "aws_security_group" "server" {
 }
 resource "aws_security_group_rule" "server_cp" {
- from_port = 6443
- to_port = 6443
- protocol = "tcp"
- security_group_id = aws_security_group.server.id
- type = "ingress"
- cidr_blocks = var.controlplane_allowed_cidrs
+ from_port = 6443
+ to_port = 6443
+ protocol = "tcp"
+ security_group_id = aws_security_group.server.id
+ type = "ingress"
+ source_security_group_id = module.cp_lb.security_group
 }
 resource "aws_security_group_rule" "server_cp_supervisor" {
- from_port = 9345
- to_port = 9345
- protocol = "tcp"
- security_group_id = aws_security_group.server.id
- type = "ingress"
- cidr_blocks = var.controlplane_allowed_cidrs
+ from_port = 9345
+ to_port = 9345
+ protocol = "tcp"
+ security_group_id = aws_security_group.server.id
+ type = "ingress"
+ source_security_group_id = module.cp_lb.security_group
 }
 #
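Review bot: In the `module "cp_lb"` hunk both `cp_ingress_cidr_blocks` and `cp_supervisor_ingress_cidr_blocks` are fed from the single `var.controlplane_allowed_cidrs`, whose default is `["0.0.0.0/0"]` (visible in the variables.tf hunk at the end of this diff), so the supervisor port 9345 on the new ELB is reachable from any address by default whenever the load balancer is not internal. The supervisor listener only needs to be reachable by nodes joining the cluster, which is normally a narrower set than the API server's clients; a separate root variable, e.g. `controlplane_supervisor_allowed_cidrs` defaulting to the current value for compatibility, would let operators scope it to the VPC without narrowing API access. The duplicated `local.default_tags` in the `merge(...)` on the context line is pre-existing, but could be cleaned up while this block is being edited. The module block starts before the hunk.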
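Review bot: Replacing `cidr_blocks = var.controlplane_allowed_cidrs` with `source_security_group_id = module.cp_lb.security_group` in `server_cp` and `server_cp_supervisor` is a genuine tightening, but it also changes what `controlplane_allowed_cidrs` governs: after this hunk it controls ingress to the ELB, and server nodes accept 6443 and 9345 only from the load balancer's security group. Any caller that reached a server node directly by IP on those ports, such as in-VPC tooling or a kubeconfig pointing at a node rather than the LB DNS name, is blocked after this change, which is a behavioural break worth recording. The description of `variable "controlplane_allowed_cidrs"` should say so, e.g. `description = "CIDRs permitted to reach the control plane load balancer on the API and supervisor ports; node security groups accept these ports only from the load balancer"`.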
@@ -179,10 +182,7 @@ module "servers" {
 block_device_mappings = var.block_device_mappings
 vpc_security_group_ids = [aws_security_group.server.id, aws_security_group.cluster.id]
 spot = var.spot
- target_group_arns = [
- module.cp_lb.server_tg_arn,
- module.cp_lb.server_supervisor_tg_arn,
- ]
+ load_balancers = [module.cp_lb.name]
 # Overrideable variables
 userdata = data.template_cloudinit_config.this.rendered
diff --git a/modules/elb/main.tf b/modules/elb/main.tf
new file mode 100644
index 0000000..fda5149
--- /dev/null
+++ b/modules/elb/main.tf
@@ -0,0 +1,78 @@
+locals {
+ # Handle case where target group/load balancer name exceeds 32 character limit
+ controlplane_name = substr("${var.name}-rke2-cp", 0, 31)
+ server_name = substr("${var.name}-rke2-server", 0, 31)
+ supervisor_name = substr("${var.name}-rke2-supervisor", 0, 31)
+}
+
+resource "aws_security_group" "controlplane" {
+ name = local.controlplane_name
+ description = "${local.controlplane_name} sg"
+ vpc_id = var.vpc_id
+
+ tags = merge({}, var.tags)
+}
+
+resource "aws_security_group_rule" "apiserver" {
+ from_port = var.cp_port
+ to_port = var.cp_port
+ protocol = "tcp"
+ security_group_id = aws_security_group.controlplane.id
+ type = "ingress"
+
+ cidr_blocks = var.cp_ingress_cidr_blocks
+}
+
+resource "aws_security_group_rule" "supervisor" {
+ from_port = var.cp_supervisor_port
+ to_port = var.cp_supervisor_port
+ protocol = "tcp"
+ security_group_id = aws_security_group.controlplane.id
+ type = "ingress"
+
+ cidr_blocks = var.cp_supervisor_ingress_cidr_blocks
+}
+
+resource "aws_security_group_rule" "egress" {
+ from_port = "0"
+ to_port = "0"
+ protocol = "-1"
+ security_group_id = aws_security_group.controlplane.id
+ type = "egress"
+
+ cidr_blocks = ["0.0.0.0/0"]
+}
+
+resource "aws_elb" "controlplane" {
+ name = local.controlplane_name
+
+ internal = var.internal
+ subnets = var.subnets
+ security_groups = [aws_security_group.controlplane.id]
+
+ cross_zone_load_balancing = var.enable_cross_zone_load_balancing
+
+ listener {
+ instance_port = var.cp_port
+ instance_protocol = "TCP"
+ lb_port = var.cp_port
+ lb_protocol = "TCP"
+ }
+
+ listener {
+ instance_port = var.cp_supervisor_port
+ instance_protocol = "TCP"
+ lb_port = var.cp_supervisor_port
+ lb_protocol = "TCP"
+ }
+
+ health_check {
+ healthy_threshold = 3
+ interval = 10
+ target = "TCP:${var.cp_supervisor_port}"
+ timeout = 3
+ unhealthy_threshold = 3
+ }
+
+ tags = merge({}, var.tags)
+}
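Review bot: The `health_check` block probes only `TCP:${var.cp_supervisor_port}`, so an instance whose API server on `var.cp_port` is down but whose supervisor on the other port still answers stays in rotation for both listeners, whereas the deleted NLB module had a health check per target group. Unless the two listeners are meant to share fate, probing the API port with `target = "TCP:${var.cp_port}"` is the safer default because an API outage is what clients observe, and whichever port is chosen should be justified in a comment above the block. `local.server_name` and `local.supervisor_name` have no consumer left in this file now that the target groups are gone and can be dropped. `modules/elb/variables.tf` arrives in this diff as a 100% rename of the nlb variables file, which I cannot see, so if it does not already declare `cp_ingress_cidr_blocks` and `cp_supervisor_ingress_cidr_blocks` the references here will fail `terraform validate`. The `egress` rule opens all protocols to `0.0.0.0/0` although the ELB only needs to reach the instances on the two control-plane ports; restricting the destination to the VPC CIDR or the server security group keeps this group narrowly scoped.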
diff --git a/modules/elb/outputs.tf b/modules/elb/outputs.tf
new file mode 100644
index 0000000..42d6634
--- /dev/null
+++ b/modules/elb/outputs.tf
@@ -0,0 +1,15 @@
+output "dns" {
+ value = aws_elb.controlplane.dns_name
+}
+
+output "id" {
+ value = aws_elb.controlplane.id
+}
+
+output "name" {
+ value = aws_elb.controlplane.name
+}
+
+output "security_group" {
+ value = aws_security_group.controlplane.id
+}
\ No newline at end of file
diff --git a/modules/nlb/variables.tf b/modules/elb/variables.tf
similarity index 100%
rename from modules/nlb/variables.tf
rename to modules/elb/variables.tf
diff --git a/modules/nlb/main.tf b/modules/nlb/main.tf
deleted file mode 100644
index d21d134..0000000
--- a/modules/nlb/main.tf
+++ /dev/null
@@ -1,71 +0,0 @@
-locals {
- # Handle case where target group/load balancer name exceeds 32 character limit
- controlplane_name = substr("${var.name}-rke2-cp", 0, 31)
- server_name = substr("${var.name}-rke2-server", 0, 31)
- supervisor_name = substr("${var.name}-rke2-supervisor", 0, 31)
-
-}
-
-resource "aws_lb" "controlplane" {
- name = local.controlplane_name
-
- internal = var.internal
- load_balancer_type = "network"
- enable_cross_zone_load_balancing = var.enable_cross_zone_load_balancing
- subnets = var.subnets
-
- tags = merge({
- }, var.tags)
-}
-
-resource "aws_lb_target_group" "server" {
- name = local.server_name
- port = var.cp_port
- protocol = "TCP"
- vpc_id = var.vpc_id
-
- health_check {
- interval = "10"
- port = var.cp_port
- protocol = "TCP"
- healthy_threshold = 2
- unhealthy_threshold = 2
- }
-}
-
-resource "aws_lb_listener" "server" {
- load_balancer_arn = aws_lb.controlplane.arn
- port = var.cp_port
- protocol = "TCP"
-
- default_action {
- target_group_arn = aws_lb_target_group.server.arn
- type = "forward"
- }
-}
-
-resource "aws_lb_target_group" "server_supervisor" {
- name = local.supervisor_name
- port = var.cp_supervisor_port
- protocol = "TCP"
- vpc_id = var.vpc_id
-
- health_check {
- interval = "10"
- port = var.cp_port
- protocol = "TCP"
- healthy_threshold = 2
- unhealthy_threshold = 2
- }
-}
-
-resource "aws_lb_listener" "server_supervisor" {
- load_balancer_arn = aws_lb.controlplane.arn
- port = var.cp_supervisor_port
- protocol = "TCP"
-
- default_action {
- target_group_arn = aws_lb_target_group.server_supervisor.arn
- type = "forward"
- }
-}
\ No newline at end of file
diff --git a/modules/nlb/outputs.tf b/modules/nlb/outputs.tf
deleted file mode 100644
index 0c2c4bd..0000000
--- a/modules/nlb/outputs.tf
+++ /dev/null
@@ -1,23 +0,0 @@
-//output "sg" {
-// value = aws_elb.controlplane.source_security_group_id
-//}
-
-output "dns" {
- value = aws_lb.controlplane.dns_name
-}
-
-output "id" {
- value = aws_lb.controlplane.id
-}
-
-output "name" {
- value = aws_lb.controlplane.name
-}
-
-output "server_tg_arn" {
- value = aws_lb_target_group.server.arn
-}
-
-output "server_supervisor_tg_arn" {
- value = aws_lb_target_group.server_supervisor.arn
-}
\ No newline at end of file
diff --git a/modules/nodepool/main.tf b/modules/nodepool/main.tf
index a167026..6d726f0 100644
--- a/modules/nodepool/main.tf
+++ b/modules/nodepool/main.tf
@@ -50,6 +50,7 @@ resource "aws_autoscaling_group" "this" {
 # Health check and target groups dependent on whether we're a server or not (identified via rke2_url)
 health_check_type = var.health_check_type
 target_group_arns = var.target_group_arns
+ load_balancers = var.load_balancers
 min_elb_capacity = var.min_elb_capacity
diff --git a/modules/nodepool/variables.tf b/modules/nodepool/variables.tf
index f31a61f..c1c7648 100644
--- a/modules/nodepool/variables.tf
+++ b/modules/nodepool/variables.tf
@@ -44,6 +44,11 @@ variable "target_group_arns" {
 default = []
 }
+variable "load_balancers" {
+ type = list(string)
+ default = []
+}
+
 variable "vpc_security_group_ids" {
 type = list(string)
 default = []
diff --git a/variables.tf b/variables.tf
index c7211a8..ef52796 100644
--- a/variables.tf
+++ b/variables.tf
@@ -91,7 +91,6 @@ variable "controlplane_allowed_cidrs" {
 default = ["0.0.0.0/0"]
 }
-
 #
 # RKE2 Variables
 #
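Review bot: The new `variable "load_balancers"` in modules/nodepool/variables.tf has no `description`, so generated module docs give no hint that it takes classic ELB names rather than the ARNs its sibling `target_group_arns` takes; suggest `description = "Names of classic load balancers to register the autoscaling group with"`. In the modules/nodepool/main.tf hunk the comment above `health_check_type` still reads `# Health check and target groups dependent on whether we're a server or not (identified via rke2_url)`, which no longer covers the `load_balancers` line added beneath it; extending it to `# Health check, target groups and classic load balancers dependent on whether we're a server or not (identified via rke2_url)` keeps it accurate. The `aws_autoscaling_group` resource and the `target_group_arns` variable block both start before their hunks.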