Merge pull request #3 from furiousme/develop

Task: K8s Cluster Configuration and Creation

.github/workflows/terraform.yml

@@ -70,6 +70,7 @@ jobs:
   terraform-apply:
     runs-on: ubuntu-latest
     needs: terraform-plan
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
     env:
       TF_VAR_account_id: ${{ secrets.AWS_ACCOUNT_ID }}
       TF_VAR_gh_username: ${{ secrets.TF_VAR_GH_USERNAME }}

README.md

@@ -14,6 +14,38 @@ To use this project, make sure you have:
 
 - An AWS account
 - Terraform installed locally (the project is created with Terraform v1.9.6)
+- AWS CLI configured
+- SSH key pair for EC2 instances
+- SSH agent forwarding set up for secure access
 
+## Infrastructure Setup
 
+1. **VPC and Subnets**:
+   - Created a VPC with 2 public and 2 private subnets in different availability zones.
+   - The public subnets are used for the bastion host and NAT gateway, and the private subnets for k3s server instances.
 
+2. **Bastion Host**:
+   - Deployed a bastion host in one of the public subnets for secure access to the k3s server in the private subnet.
+   - SSH access from the local machine to the bastion host is allowed via port 22.
+
+3. **Security Groups**:
+   - Configured security groups to control access:
+     - Bastion host security group allows SSH (port 22) from certain IP.
+     - k3s server security group allows SSH (port 22) only from the bastion host.
+
+4. **NAT Gateway**:
+   - Deployed a NAT gateway in the public subnet to enable the k3s server instances in private subnets to access the internet.
+
+## k3s Cluster Deployment
+
+1. **k3s Installation**:
+   - k3s is installed by running user scripts
+   - SSH into the private EC2 instance (k3s server) from the bastion host using agent forwarding to verify installation
+
+
+2. **Verify k3s Installation**:
+   - After installation, verified the cluster status by running:
+     ```bash
+     kubectl get nodes
+     ```
+   - Output shows the k3s node ready.

bastion.tf

@@ -0,0 +1,17 @@
+resource "aws_instance" "terraform_course_bastion" {
+  ami             = var.ami
+  instance_type   = "t2.micro"
+  subnet_id       = aws_subnet.terraform_course_public_subnet_1.id
+  key_name        = var.ec2_key_name
+  security_groups = [aws_security_group.terraform_course_bastion_sg.id]
+
+  tags = {
+    Name = "terraform_course_bastion"
+  }
+}
+
+output "terraform_course_bastion_ip_addr" {
+  value     = aws_instance.terraform_course_bastion.public_ip
+  sensitive = true
+}
+

cluster.tf

@@ -0,0 +1,53 @@
+resource "aws_instance" "terraform_course_k8s_server" {
+  ami             = var.ami
+  instance_type   = "t2.micro"
+  subnet_id       = aws_subnet.terraform_course_private_subnet_1.id
+  key_name        = var.ec2_key_name
+  security_groups = [aws_security_group.terraform_course_k8s_sg.id]
+
+  user_data = <<-EOF
+              #!/bin/bash
+              curl -sfL https://get.k3s.io | INSTALL_K3S_VERSION=v1.21.3+k3s1 sh -s - server \
+                --token=${var.k3s_token} \
+                --disable traefik
+              chmod 644 /etc/rancher/k3s/k3s.yaml
+              EOF
+
+  user_data_replace_on_change = true
+
+  tags = {
+    Name = "terraform_course_k8s_server"
+  }
+}
+
+resource "aws_instance" "terraform_course_k8s_agent" {
+  ami             = var.ami
+  instance_type   = "t2.micro"
+  subnet_id       = aws_subnet.terraform_course_private_subnet_2.id
+  key_name        = var.ec2_key_name
+  security_groups = [aws_security_group.terraform_course_k8s_sg.id]
+  depends_on      = [aws_instance.terraform_course_k8s_server]
+
+  user_data = <<-EOF
+              #!/bin/bash
+              curl -sfL https://get.k3s.io | INSTALL_K3S_VERSION=v1.21.3+k3s1 K3S_URL=https://${aws_instance.terraform_course_k8s_server.private_ip}:6443 K3S_TOKEN=${var.k3s_token} sh -
+              chmod 644 /etc/rancher/k3s/k3s.yaml
+              EOF
+
+
+  user_data_replace_on_change = true
+
+  tags = {
+    Name = "terraform_course_k8s_agent"
+  }
+}
+
+output "terraform_course_k8s_server_ip_addr" {
+  value     = aws_instance.terraform_course_k8s_server.private_ip
+  sensitive = true
+}
+
+output "terraform_course_k8s_agent_ip_addr" {
+  value     = aws_instance.terraform_course_k8s_agent.private_ip
+  sensitive = true
+}

k8s_agent.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+curl -sfL https://get.k3s.io | K3S_URL="https://${server_private_ip}:6443" K3S_TOKEN=${token} sh -s -

k8s_server.sh

@@ -0,0 +1 @@
+curl -sfL https://get.k3s.io | sh -

securitygroups.tf

@@ -39,4 +39,55 @@ resource "aws_security_group" "terraform_course_private_subnet_sg" {
   tags = {
     Name = "terraform_course_private_subnet_sg"
   }
+}
+
+resource "aws_security_group" "terraform_course_bastion_sg" {
+  vpc_id = aws_vpc.terraform_course_main_vpc.id
+
+  ingress {
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = ["${var.ip_address}/32"]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name = "terraform_course_bastion_sg"
+  }
+}
+
+resource "aws_security_group" "terraform_course_k8s_sg" {
+  vpc_id = aws_vpc.terraform_course_main_vpc.id
+
+  ingress {
+    from_port   = 6443
+    to_port     = 6443
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  ingress {
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = ["${aws_instance.terraform_course_bastion.private_ip}/32"]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name = "terraform_course_k8s_sg"
+  }
 }

variables.tf

@@ -39,4 +39,24 @@ variable "private_subnet_2_cidr" {
 variable "az" {
   type    = list(string)
   default = ["us-east-1a", "us-east-1b", "us-east-1c"]
+}
+
+variable "ip_address" {
+  type      = string
+  sensitive = true
+}
+
+variable "ec2_key_name" {
+  type      = string
+  sensitive = true
+}
+
+variable "k3s_token" {
+  type      = string
+  sensitive = true
+}
+
+variable "ami" {
+  type    = string
+  default = "ami-06b21ccaeff8cd686"
 }