feat: add bastion host to access private eks cluster

SE-Row-1 · Oct 3, 2024 · 04a4534 · 04a4534
1 parent f554235
commit 04a4534
Show file tree

Hide file tree

Showing 18 changed files with 505 additions and 150 deletions.
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
diff --git a/.github/workflows/eks-deploy.yaml b/.github/workflows/eks-deploy.yaml
@@ -0,0 +1,29 @@
+name: EKS Deploy
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Configure AWS credentials
+      uses: aws-actions/configure-aws-credentials@v4
+      with:
+        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        aws-region: ap-southeast-1
+
+    - name: Set up Kubectl
+      uses: azure/setup-kubectl@v4
+
+    - name: Deploy to EKS using Kustomize
+      run: |
+        aws eks --region ap-southeast-1 update-kubeconfig --name nshm-eks
+        kubectl apply -k overlays/prod
diff --git a/.github/workflows/provision.yaml b/.github/workflows/provision.yaml
@@ -0,0 +1,56 @@
+name: Deploy Infrastructure
+
+on:
+  push:
+    branches:
+      - setup-infra
+  workflow_dispatch:
+    inputs:
+      provisioning:
+        required: true
+        default: 'false'
+        type: boolean
+
+jobs:
+  deploy:
+    if: ${{ github.event.inputs.provisioning == 'true' }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-access-key-id: '${{ secrets.AWS_ACCESS_KEY_ID }}'
+          aws-secret-access-key: '${{ secrets.AWS_SECRET_ACCESS_KEY }}'
+          aws-region: ap-southeast-1
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_wrapper: false
+
+      - name: Terraform Init and Apply
+        run: |
+          cd terraform/
+          terraform init
+          terraform validate
+          terraform plan
+          terraform apply -auto-approve
+
+      - name: Get Terraform Outputs and Save Artifact
+        run: |
+          cd terraform/
+          RDS_ENDPOINT=$(terraform output -raw db_instance_endpoint)
+          RDS_PASSWORD=$(terraform output -raw db_instance_password)
+          ALB_DNSNAME=$(terraform output -raw alb_dns_name)
+          echo $ALB_DNSNAME
+          echo $RDS_ENDPOINT > rds_endpoint.txt
+          echo $RDS_PASSWORD > rds_password.txt
+
+      - name: Upload Outputs as Artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: terraform-outputs
+          path: terraform/*.txt
diff --git a/terraform/.gitignore b/terraform/.gitignore
@@ -1,2 +1,5 @@
-terraform.tfstate*
-terraform/.terraform
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
diff --git a/terraform/.terraform.lock.hcl b/terraform/.terraform.lock.hcl
diff --git a/.github/workflows/eks-provision.yaml → terraform/backup/eks-provision.yaml b/.github/workflows/eks-provision.yaml → terraform/backup/eks-provision.yaml
diff --git a/.github/workflows/eksctl-cluster.yaml → terraform/backup/eksctl-cluster.yaml b/.github/workflows/eksctl-cluster.yaml → terraform/backup/eksctl-cluster.yaml
diff --git a/terraform/main.tf b/terraform/main.tf
@@ -6,16 +6,54 @@ module "vpc" {
   source = "./modules/vpc"
 }
 
+module "s3" {
+  source = "./modules/s3"
+}
+
 module "ec2" {
   source = "./modules/ec2"
-  subnet_id = module.vpc.subnet_ids[0]
-  vpc_security_group_id = module.vpc.security_group_id
+  public_subnet_ids = module.vpc.public_subnet_ids
+  security_group_id = module.vpc.security_group_id
+  cluster_name = module.eks.cluster_name
 }
 
-module "s3" {
-  source = "./modules/s3"
+module "rds" {
+  source = "./modules/rds"
+  private_subnet_ids = module.vpc.private_subnet_ids
+  security_group_id = module.vpc.security_group_id
+}
+
+module "eks" {
+  source           = "./modules/eks"
+  private_subnet_ids = module.vpc.private_subnet_ids
+  public_subnet_ids = module.vpc.public_subnet_ids
+  security_group_id = module.vpc.security_group_id
+}
+
+module "alb" {
+  source                = "./modules/alb"
+  vpc_id                = module.vpc.vpc_id
+  public_subnet_ids     = module.vpc.public_subnet_ids
+  security_group_id     = module.vpc.security_group_id
+}
+
+output "eks_cluster_endpoint" {
+  value = module.eks.cluster_endpoint
+}
+
+output "alb_dns_name" {
+  value = module.alb.alb_dns_name
+}
+
+output "db_instance_endpoint" {
+  value = module.rds.db_instance_endpoint
+}
+
+output "db_instance_password" {
+  value     = module.rds.db_instance_password
+  sensitive = true
 }
 
-output "public_ip" {
-  value = module.ec2.public_ip
+output "bastion_host_public_ip" {
+  value     = module.ec2.bastion_host_public_ip
 }
diff --git a/terraform/modules/alb/main.tf b/terraform/modules/alb/main.tf
@@ -0,0 +1,103 @@
+resource "aws_security_group" "alb_sg" {
+  name        = "alb-security-group"
+  vpc_id      = var.vpc_id
+
+  ingress {
+    from_port   = 80
+    to_port     = 80
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  ingress {
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+
+resource "aws_lb" "nshm_alb" {
+  name               = "nshm-alb"
+  internal           = false
+  load_balancer_type = "application"
+  security_groups    = [aws_security_group.alb_sg.id]
+  subnets            = var.public_subnet_ids
+
+  tags = {
+    Name = "nshm-alb"
+  }
+}
+
+resource "aws_acm_certificate" "alb_cert" {
+  domain_name       = aws_lb.nshm_alb.dns_name
+  validation_method = "DNS"
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_acm_certificate_validation" "alb_cert_validation" {
+  certificate_arn = aws_acm_certificate.alb_cert.arn
+  validation_record_fqdns = [
+    aws_lb.nshm_alb.dns_name
+  ]
+}
+
+resource "aws_lb_target_group" "nshm_target_group" {
+  name     = "nshm-target-group"
+  port     = 80
+  protocol = "HTTP"
+  vpc_id   = var.vpc_id
+
+  health_check {
+    healthy_threshold   = 2
+    interval            = 30
+    timeout             = 5
+    path                = "/"
+    port                = "traffic-port"
+    protocol            = "HTTP"
+    unhealthy_threshold = 2
+  }
+}
+
+resource "aws_lb_listener" "http_listener" {
+  load_balancer_arn = aws_lb.nshm_alb.arn
+  port              = 80
+  protocol          = "HTTP"
+
+  default_action {
+    type = "redirect"
+    redirect {
+      protocol = "HTTPS"
+      port     = "443"
+      status_code = "HTTP_301"
+    }
+  }
+}
+
+resource "aws_lb_listener" "https_listener" {
+  load_balancer_arn = aws_lb.nshm_alb.arn
+  port              = 443
+  protocol          = "HTTPS"
+  ssl_policy        = "ELBSecurityPolicy-2016-08"
+  certificate_arn   = aws_acm_certificate.alb_cert.arn
+
+  default_action {
+    type = "forward"
+    target_group_arn = aws_lb_target_group.nshm_target_group.arn
+  }
+}
+
+output "alb_dns_name" {
+  value = aws_lb.nshm_alb.dns_name
+}
+
diff --git a/terraform/modules/alb/variables.tf b/terraform/modules/alb/variables.tf
@@ -0,0 +1,11 @@
+variable "vpc_id" {
+  type        = string
+}
+
+variable "security_group_id" {
+  type        = string
+}
+
+variable "public_subnet_ids" {
+  type        = list(string)
+}