init

.gitignore

@@ -1,5 +1,6 @@
 .terraform.lock.hcl
 .terraform
 .terraform.tfstate
+terraform.tfstate
 terraform.tfstate.1732244297.backup
 terraform.tfstate.backup

000_provider.tf

@@ -0,0 +1,12 @@
+## AWS Provider 설정
+provider "aws" {
+  profile = var.terraform_aws_profile
+  # access_key = var.aws_access_key_id
+  # secret_key = var.aws_secret_access_key
+  region = var.aws_region
+  default_tags {
+    tags = {
+      managed_by = "terraform"
+    }
+  }
+}

100_eks.tf

@@ -0,0 +1,137 @@
+## Create eks cluster
+data "aws_caller_identity" "current" {}
+
+module "eks" {
+  source          = "terraform-aws-modules/eks/aws"
+  version         = "~> 20.29.0"
+  cluster_name    = var.cluster_name
+  cluster_version = var.cluster_version
+
+  cluster_endpoint_public_access  = true
+  cluster_endpoint_private_access = true
+
+  # EBS 관련 정책 추가
+  iam_role_additional_policies = {
+    AmazonEBSCSIDriverPolicy = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
+    AmazonEC2FullAccess      = "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
+  }
+
+  cluster_addons = {
+    coredns = {
+      most_recent = true
+    }
+    kube-proxy = {
+      most_recent = true
+    }
+    vpc-cni = {
+      cluster_name = var.cluster_name
+      most_recent = true
+    }
+    aws-ebs-csi-driver = {
+      most_recent = true
+      service_account_role_arn = module.ebs_csi_irsa.iam_role_arn
+    }
+    eks-pod-identity-agent = {
+      most_recent = true
+    }
+  }
+  enable_cluster_creator_admin_permissions = true
+  vpc_id                   = aws_vpc.vpc.id
+  subnet_ids               = [aws_subnet.private-subnet-a.id, aws_subnet.private-subnet-c.id]
+
+  # EKS Managed Node Group
+  eks_managed_node_group_defaults = {
+    instance_types = ["t3.medium"]
+  }
+
+  eks_managed_node_groups = {
+    green = {
+      min_size     = 2
+      max_size     = 5
+      desired_size = 2
+
+      instance_types = ["t3.medium"]
+      iam_role_additional_policies = {
+        # AWS 관리형 정책 추가
+        AmazonEBSCSIDriverPolicy = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
+      }
+    }
+  }
+}
+
+module "ebs_csi_irsa" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+  version = "~> 5.30"
+
+  role_name = "${var.cluster_name}-ebs-csi-controller"
+
+  attach_ebs_csi_policy = true
+
+  oidc_providers = {
+    main = {
+      provider_arn               = module.eks.oidc_provider_arn
+      namespace_service_accounts = ["kube-system:ebs-csi-controller-sa"]
+    }
+  }
+}
+
+module "vpc_cni_irsa" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+  version = "~> 4.12"
+
+  role_name_prefix      = "VPC-CNI-IRSA"
+  attach_vpc_cni_policy = true
+  vpc_cni_enable_ipv4   = true
+
+  oidc_providers = {
+    main = {
+      provider_arn               = module.eks.oidc_provider_arn
+      namespace_service_accounts = ["kube-system:aws-node"]
+    }
+    common = {
+      provider_arn               = module.eks.oidc_provider_arn
+      namespace_service_accounts = ["kube-system:aws-node"]
+    }
+  }
+}
+
+############################################################################################
+## 로드밸런서 콘트롤러 설정
+## EKS 에서 Ingress 를 사용하기 위해서는 반듯이 로드밸런서 콘트롤러를 설정 해야함.
+## 참고 URL : https://docs.aws.amazon.com/ko_kr/eks/latest/userguide/aws-load-balancer-controller.html
+############################################################################################
+
+######################################################################################################################
+# 로컬변수
+# 쿠버네티스 추가 될때마다 lb_controller_iam_role_name 을 추가해야함.
+######################################################################################################################
+
+# locals {
+#   # eks 를 위한 role name
+#   k8s_aws_lb_service_account_namespace = "kube-system"
+#   lb_controller_service_account_name   = "aws-load-balancer-controller"
+# }
+
+######################################################################################################################
+# EKS 클러스터 인증 데이터 소스 추가
+######################################################################################################################
+
+data "aws_eks_cluster_auth" "eks_cluster_auth" {
+  name = var.cluster_name
+}
+
+# Load Balancer Controller를 위한 IAM Role 생성
+module "lb_controller_role" {
+  source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+
+  role_name = "eks-aws-lb-controller-role"
+
+  attach_load_balancer_controller_policy = true
+
+  oidc_providers = {
+    main = {
+      provider_arn               = module.eks.oidc_provider_arn
+      namespace_service_accounts = ["kube-system:aws-load-balancer-controller"]
+    }
+  }
+}

200_iam.tf

@@ -0,0 +1,35 @@
+resource "aws_iam_role" "ec2_role" {
+
+  name = "cwave_ec2_role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Sid    = ""
+        Principal = {
+          Service = "ec2.amazonaws.com"
+        }
+      }
+    ]
+  })
+}
+# ECR PowerUser 정책 연결
+resource "aws_iam_role_policy_attachment" "ecr_poweruser" {
+  role       = aws_iam_role.ec2_role.name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPowerUser"
+}
+######################################################################################################################
+# IAM Policy 설정
+######################################################################################################################
+data "http" "iam_policy" {
+  url = "https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.6.2/docs/install/iam_policy.json"
+}
+
+resource "aws_iam_role_policy" "cwave-eks-controller" {
+  name_prefix = "AWSLoadBalancerControllerIAMPolicy"
+  role        = module.lb_controller_role.iam_role_name
+  policy      = data.http.iam_policy.response_body
+}

300_helm.tf

@@ -0,0 +1,95 @@
+######################################################################################################################
+# Kubernetes
+######################################################################################################################
+data "aws_eks_cluster" "cluster" {
+   name = module.eks.cluster_name
+   depends_on = [module.eks.cluster_name]
+}
+
+data "aws_eks_cluster_auth" "cluster" {
+   name = module.eks.cluster_name
+   depends_on = [module.eks.cluster_name]
+}
+
+provider "kubernetes" {
+  alias                  = "cwave-eks"
+  host                   = data.aws_eks_cluster.cluster.endpoint
+  # token                  = data.aws_eks_cluster_auth.cluster.token
+  cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
+  exec {
+    api_version = "client.authentication.k8s.io/v1beta1"
+    command     = "aws"
+    args = [
+      "eks",
+      "get-token",
+      "--cluster-name",
+      var.cluster_name,
+      "--region",
+      var.aws_region,
+      "--profile",
+      var.terraform_aws_profile
+    ]
+  }
+}
+
+######################################################################################################################
+# 헬름차트
+# 쿠버네티스 클러스터 추가 될때마다 alias 를 변경해서 추가해주기
+######################################################################################################################
+provider "helm" {
+  alias = "cwave-eks-helm"
+
+  kubernetes {
+    host                   = module.eks.cluster_endpoint
+    token                  = data.aws_eks_cluster_auth.eks_cluster_auth.token
+    cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)
+
+    exec {
+      api_version = "client.authentication.k8s.io/v1beta1"
+      command     = "aws"
+      args = [
+        "eks",
+        "get-token",
+        "--cluster-name",
+        module.eks.cluster_name,
+        "--region",
+        var.aws_region,
+        "--profile",
+        var.terraform_aws_profile
+      ]
+    }
+  }
+}
+
+########################################################################################
+#   Helm release : alb
+########################################################################################
+resource "helm_release" "eks_common_alb" {
+  provider   = helm.cwave-eks-helm
+  name       = "aws-load-balancer-controller"
+  chart      = "aws-load-balancer-controller"
+  version    = "1.6.2"
+  repository = "https://aws.github.io/eks-charts"
+  namespace  = "kube-system"
+
+  dynamic "set" {
+    for_each = {
+      "clusterName"                                               = var.cluster_name
+      "serviceAccount.create"                                     = "true"
+      "serviceAccount.name"                                       = "aws-load-balancer-controller"
+      "region"                                                    = var.aws_region
+      "vpcId"                                                     = aws_vpc.vpc.id
+      "image.repository"                                          = "602401143452.dkr.ecr.${var.aws_region}.amazonaws.com/amazon/aws-load-balancer-controller"
+      "serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn" = module.lb_controller_role.iam_role_arn
+    }
+
+    content {
+      name  = set.key
+      value = set.value
+    }
+  }
+  depends_on = [
+    module.eks,
+    module.lb_controller_role
+  ]
+}