NSHM-99 link to jira

terraform/main.tf

@@ -12,6 +12,7 @@ module "s3" {
 
 module "ec2" {
   source = "./modules/ec2"
+  vpc_id            = module.vpc.vpc_id
   public_subnet_ids = module.vpc.public_subnet_ids
   security_group_id = module.vpc.security_group_id
   cluster_name = module.eks.cluster_name
@@ -28,6 +29,7 @@ module "eks" {
   private_subnet_ids = module.vpc.private_subnet_ids
   public_subnet_ids = module.vpc.public_subnet_ids
   security_group_id = module.vpc.security_group_id
+  vpc_id            = module.vpc.vpc_id
 }
 
 module "alb" {

terraform/modules/ec2/main.tf

@@ -1,17 +1,84 @@
-resource "aws_instance" "nshm-bastion" {
-  ami                    = "ami-01811d4912b4ccb26"
-  instance_type          = "t3.micro"
-  key_name               = "nus-secondhand-market"
-  vpc_security_group_ids = [var.security_group_id]
-  subnet_id              = var.public_subnet_ids
+resource "aws_iam_role" "nshm-bastion-role" {
+  name = "nshm-bastion-role"
+
+  assume_role_policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Action" : "sts:AssumeRole",
+        "Effect" : "Allow",
+        "Principal" : {
+          "Service" : "ec2.amazonaws.com"
+        }
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy" "nshm-bastion-role_policy" {
+  name   = "nshm-bastion-role_policy"
+  role   = aws_iam_role.nshm-bastion-role.id
+
+  policy = jsonencode({
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Effect": "Allow",
+        "Action": [
+          "s3:*",
+          "eks:*",
+          "ec2:*"
+        ],
+        "Resource": "*"
+      }
+    ]
+  })
+}
+
+resource "aws_iam_instance_profile" "ec2_instance_profile" {
+  name = "ec2-instance-profile"
+  role = aws_iam_role.nshm-bastion-role.name
+}
+
+resource "aws_security_group" "nshm_bastion_sg" {
+  name        = "nshm-bastion-sg"
+  vpc_id      = var.vpc_id
+
+  ingress {
+    from_port   = 0
+    to_port     = 65535
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name = "nshm-bastion-sg"
+  }
+}
+
+resource "aws_instance" "nshm_bastion" {
+  ami             = "ami-01811d4912b4ccb26"
+  instance_type   = "t3.micro"
+  key_name        = "nus-secondhand-market"
+  subnet_id       = var.public_subnet_ids[0]
+
+  vpc_security_group_ids = [aws_security_group.nshm_bastion_sg.id]
+  iam_instance_profile   = aws_iam_instance_profile.ec2_instance_profile.name
 
   user_data = <<-EOF
     #!/bin/bash
     sudo apt-get update
     sudo apt-get install -y curl unzip
 
     # Install AWS CLI
-    curl "https://d1wnz8q8g7m9c5.cloudfront.net/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
+    curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
     unzip awscliv2.zip
     sudo ./aws/install
 
@@ -23,16 +90,14 @@ resource "aws_instance" "nshm-bastion" {
     # Update kubeconfig for EKS
     aws eks --region ap-southeast-1 update-kubeconfig --name ${var.cluster_name}
 
-    # Optional: Validate installation
     kubectl get nodes
   EOF
 
   tags = {
-    Name = "nus-secondhand-market-ec2"
+    Name = "nshm-bastion"
   }
 }
 
 output "bastion_host_public_ip" {
-  value = aws_instance.nshm-bastion.public_ip
+  value = aws_instance.nshm_bastion.public_ip
 }
-

terraform/modules/ec2/variables.tf

@@ -1,9 +1,13 @@
+variable "vpc_id" {
+  type        = string
+}
+
 variable "security_group_id" {
   type        = string
 }
 
 variable "public_subnet_ids" {
-  type        = string
+  type        = list(string)
 }
 
 variable "cluster_name" {

terraform/modules/eks/main.tf

@@ -1,13 +1,48 @@
+resource "aws_vpc_endpoint" "eks" {
+  vpc_id              = var.vpc_id
+  service_name        = "com.amazonaws.${var.region}.eks"
+  vpc_endpoint_type   = "Interface"
+
+  subnet_ids          = var.private_subnet_ids
+  security_group_ids  = [aws_security_group.eks_sg.id]
+
+  tags = {
+    Name = "eks-endpoint"
+  }
+}
+
+resource "aws_security_group" "eks_sg" {
+  vpc_id = var.vpc_id
+
+  ingress {
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name = "eks-sg"
+  }
+}
+
 resource "aws_eks_cluster" "nshm_cluster" {
   name     = "nshm-eks"
   version  = "1.30"
   role_arn = aws_iam_role.eks_cluster_role.arn
 
   vpc_config {
-    subnet_ids = concat(var.public_subnet_ids, var.private_subnet_ids)
+    subnet_ids             = concat(var.public_subnet_ids, var.private_subnet_ids)
     endpoint_private_access = true
     endpoint_public_access  = false
-    security_group_ids = [var.security_group_id]
+    security_group_ids      = [aws_security_group.eks_sg.id]
   }
 
   enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
@@ -111,3 +146,8 @@ output "cluster_endpoint" {
 output "cluster_name" {
   value = aws_eks_cluster.nshm_cluster.name
 }
+
+output "eks_vpc_endpoint_id" {
+  value = aws_vpc_endpoint.eks.id
+}
+

terraform/modules/eks/variables.tf

@@ -12,3 +12,12 @@ variable "security_group_id" {
   description = "The security group ID for the EKS cluster"
   type        = string
 }
+
+variable "vpc_id" {
+  type      = string
+}
+
+variable "region" {
+  type      = string
+  default   = "ap-southeast-1"
+}

terraform/modules/vpc/main.tf

@@ -60,6 +60,13 @@ resource "aws_security_group" "nus-secondhand-market" {
   name   = "nus-secondhand-market-sg"
   vpc_id = aws_vpc.nus-secondhand-market.id
 
+  ingress {
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
   ingress {
     from_port   = 5432
     to_port     = 5432