setup infra using terraform

.gitignore

@@ -32,3 +32,4 @@ override.tf.json
 # Ignore CLI configuration files
 .terraformrc
 terraform.rc
+**/.terraform.lock.hcl

README.md

@@ -1,2 +1,92 @@
-# eks-terraform
-Building EKS cluster with Terraform
+
+# Amazon EKS with Terraform
+
+This repository provides Terraform scripts to deploy an Amazon EKS cluster along with base infrastructure and platform-specific infrastructure.
+
+## Folder Structure
+
+The repository is organized into the following folders:
+
+1. [`base_infra`](/baseinfra/): Contains Terraform scripts for setting up the base infrastructure, including VPC, subnets, and security groups.
+
+2. [`platform_infra`](/platforminfra/): Contains Terraform scripts for setting up the EKS cluster and nodes, as well as any additional resources required for your platform.
+
+## Prerequisites
+
+- [Terraform](https://www.terraform.io/downloads.html) (>= 0.13)
+- [AWS CLI](https://aws.amazon.com/cli/)
+- AWS account with appropriate IAM permissions
+
+## Workflow
+
+### Setting up Base Infrastructure
+
+1. Navigate to the `base_infra` folder:
+
+```bash
+cd base_infra
+```
+
+2. Initialize Terraform with backend configuration:
+
+```bash
+terraform init -backend-config="env/baseinfra.config"
+```
+
+3. Review and modify the `base_infra` configuration files as needed.
+
+4. Create an execution plan:
+
+```bash
+terraform plan
+```
+
+5. Apply the changes to create base infrastructure:
+
+```bash
+terraform apply
+```
+
+### Setting up Platform Infrastructure (EKS Cluster)
+
+1. Navigate to the `platform_infra` folder:
+
+```bash
+cd platform_infra
+```
+
+2. Initialize Terraform with backend configuration:
+
+```bash
+terraform init -backend-config="env/platforminfra.config"
+```
+
+3. Review and modify the `platform_infra` configuration files as needed.
+
+4. Create an execution plan:
+
+```bash
+terraform plan
+```
+
+5. Apply the changes to create the EKS cluster and associated resources:
+
+```bash
+terraform apply
+```
+
+## Cleanup
+
+To tear down the infrastructure when no longer needed:
+
+1. Navigate to each folder and run:
+
+```bash
+terraform destroy
+```
+
+## Notes
+
+- Replace placeholders like `env/baseinfra.config` and `env/platforminfra.config` with the actual paths to your backend configurations.
+
+- Make sure to review and adjust security group rules, IAM policies, and configurations as needed.

baseinfra/README.md

@@ -0,0 +1,68 @@
+# Base Infrastructure Setup with Terraform
+
+This directory contains Terraform scripts for setting up the base infrastructure, including VPC, subnets, IAM roles, security groups, and more.
+
+## Folder Structure
+
+- `data.tf`: Defines any external data sources needed for the base infrastructure.
+- `iam.tf`: Defines IAM roles and policies required for the base infrastructure.
+- `locals.tf`: Contains local values to simplify configuration.
+- `network.tf`: Defines the VPC, subnets, and other networking components.
+- `provider.tf`: Specifies the AWS provider configuration.
+- `security_group.tf`: Defines security groups and their associated rules.
+- `variables.tf`: Declares input variables for the base infrastructure.
+- `outputs.tf`: Specifies output values for reference.
+
+## Prerequisites
+
+- [Terraform](https://www.terraform.io/downloads.html) (>= 0.13)
+- [AWS CLI](https://aws.amazon.com/cli/)
+- AWS account with appropriate IAM permissions
+
+## Configuration
+
+1. Modify the variables in `variables.tf` to match your requirements.
+2. Customize IAM roles and policies in `iam.tf` according to your security needs.
+3. Adjust security group rules in `security_group.tf` to fit your organization's policies.
+4. Review and modify networking settings in `network.tf` as needed.
+5. Define any external data sources in `data.tf` if required.
+
+## Usage
+
+1. Initialize Terraform:
+
+```bash
+terraform init
+```
+
+2. Review the execution plan:
+
+```bash
+terraform plan
+```
+
+3. Apply the changes to create the base infrastructure:
+
+```bash
+terraform apply
+```
+
+## Cleanup
+
+To tear down the base infrastructure when no longer needed:
+
+1. Run:
+
+```bash
+terraform destroy
+```
+
+2. Confirm with "yes" when prompted.
+
+## Notes
+
+- Replace placeholders in the Terraform files with your actual configurations.
+
+- Ensure that security group rules and IAM policies align with your organization's security requirements.
+
+- Always practice best security practices when setting up IAM roles, security groups, and other resources.

baseinfra/data.tf

@@ -0,0 +1,3 @@
+data "aws_availability_zones" "available" {
+
+}

baseinfra/env/base_infra.config

@@ -0,0 +1,3 @@
+key="EKS/baseinfra.tfstate"
+bucket="eks-terraform-backend-state"
+region="us-east-1"

baseinfra/iam.tf

@@ -0,0 +1,58 @@
+# create an IAM role with the AmazonEKSClusterPolicy
+resource "aws_iam_role" "demo" {
+  name = "eks-cluster-demo"
+
+  assume_role_policy = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "eks.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+POLICY
+}
+
+
+resource "aws_iam_role_policy_attachment" "demo-AmazonEKSClusterPolicy" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
+  role       = aws_iam_role.demo.name
+}
+
+
+# create a single instance group for Kubernetes. Similar to the EKS cluster, it requires an IAM role as well.
+
+resource "aws_iam_role" "nodes" {
+  name = "eks-node-group-nodes"
+
+  assume_role_policy = jsonencode({
+    Statement = [{
+      Action = "sts:AssumeRole"
+      Effect = "Allow"
+      Principal = {
+        Service = "ec2.amazonaws.com"
+      }
+    }]
+    Version = "2012-10-17"
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "nodes-AmazonEKSWorkerNodePolicy" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
+  role       = aws_iam_role.nodes.name
+}
+
+resource "aws_iam_role_policy_attachment" "nodes-AmazonEKS_CNI_Policy" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
+  role       = aws_iam_role.nodes.name
+}
+
+resource "aws_iam_role_policy_attachment" "nodes-AmazonEC2ContainerRegistryReadOnly" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+  role       = aws_iam_role.nodes.name
+}

baseinfra/locals.tf

@@ -0,0 +1,3 @@
+locals {
+  cluster_name = "test"
+}

baseinfra/network.tf

@@ -0,0 +1,112 @@
+# VPC Creation
+resource "aws_vpc" "main" {
+    cidr_block              = "${var.vpc_cidr_block}"
+    enable_dns_hostnames    = true
+    tags = {
+        Name                = "${var.environment}-vpc"
+    }
+}
+
+# Public Subnet Creation
+resource "aws_subnet" "public-subnet-1a" {
+    vpc_id              = aws_vpc.main.id
+    cidr_block          = var.public_subnet_1a_cidr_block
+    availability_zone   = "us-east-1a"
+
+
+    tags = {
+        Name            = "${var.environment}-public-subnet-1a"
+    }
+}
+
+resource "aws_subnet" "public-subnet-1b" {
+    vpc_id              = aws_vpc.main.id
+    cidr_block          = var.public_subnet_1b_cidr_block
+    availability_zone   = "us-east-1b"
+    tags = {
+        Name            = "${var.environment}-public-subnet-1b"
+    }
+}
+
+# Private Subnet Creation
+resource "aws_subnet" "private-subnet-1a" {
+    vpc_id              = aws_vpc.main.id
+    cidr_block          = var.private_subnet_1a_cidr_block
+    availability_zone   = "us-east-1a"
+    tags = {
+        Name            = "${var.environment}-private-subnet-1a"
+    }
+}
+
+resource "aws_subnet" "private-subnet-1b" {
+    vpc_id              = aws_vpc.main.id
+    cidr_block          = var.private_subnet_1b_cidr_block
+    availability_zone   = "us-east-1b"
+
+    tags = {
+        Name            = "${var.environment}-private-subnet-1b"
+    }
+
+}
+
+# Route Table Creation - Public 
+resource "aws_route_table" "public-route-table" {
+    vpc_id = aws_vpc.main.id
+
+    tags = {
+      Name = "${var.environment}-public-route-table"
+    }
+}
+
+# Route Table Creation - Private
+resource "aws_route_table" "private-route-table" {
+    vpc_id = aws_vpc.main.id
+
+    tags = {
+      Name = "${var.environment}-private-route-table"
+    }
+}
+
+# Route Table Association - Public
+
+resource "aws_route_table_association" "public-subnet-1a" {
+    subnet_id       = aws_subnet.public-subnet-1a.id
+    route_table_id  = aws_route_table.public-route-table.id
+}
+
+resource "aws_route_table_association" "public-subnet-1b" {
+    subnet_id       = aws_subnet.public-subnet-1b.id
+    route_table_id  = aws_route_table.public-route-table.id
+}
+
+# Route Table Association - Private
+
+resource "aws_route_table_association" "private-subnet-1a" {
+    subnet_id       = aws_subnet.private-subnet-1a.id
+    route_table_id  = aws_route_table.private-route-table.id
+}
+
+resource "aws_route_table_association" "private-subnet-1b" {
+    subnet_id       = aws_subnet.private-subnet-1b.id
+    route_table_id  = aws_route_table.private-route-table.id
+}
+
+
+# Internet Gateway Creation
+
+resource "aws_internet_gateway" "main-igw" {
+    vpc_id = aws_vpc.main.id
+
+    tags = {
+      Name = "${var.environment}-IGW"
+    }
+}
+
+
+# Public IGW & route table association [ public route]
+
+resource "aws_route" "igw-route" {
+    route_table_id          = aws_route_table.public-route-table.id
+    gateway_id              = aws_internet_gateway.main-igw.id
+    destination_cidr_block  = "0.0.0.0/0"
+}