[examples] configure an existing ofas cluster to use privatelink
Z4ck404 committed Feb 20, 2024
1 parent 2cd94c1 commit 98cd5f3
Showing 3 changed files with 225 additions and 0 deletions.
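--- a/examples/configure-existing-ofas-with-private-link/main.tf
+++ b/examples/configure-existing-ofas-with-private-link/main.tf
@@ -0,0 +1,168 @@
+provider "aws" {
+region = var.aws_region
+profile = var.aws_profile
+}
+
+################################################################################
+# Data sources
+################################################################################
+
+data "aws_eks_cluster" "this" {
+name = var.cluster_name
+}
+
+data "aws_eks_cluster_auth" "this" {
+name = var.cluster_name
+}
+
+data "aws_iam_openid_connect_provider" "this" {
+url = data.aws_eks_cluster.this.identity[0].oidc[0].issuer
+}
+
+data "aws_vpc" "this" {
+id = var.vpc_id
+}
+
+data "aws_subnets" "private" {
+filter {
+name = "vpc-id"
+values = [var.vpc_id]
+}
+tags = {
+Tier = "Private"
+}
+}
+
+################################################################################
+# Create the privatelink resources (NLB, TargetGroup)
+################################################################################
+
+resource "aws_lb" "this" {
+name = "${var.cluster_name}-nlb"
+internal = true
+load_balancer_type = "network"
+subnets = var.private_subnet_ids
+
+security_groups = [aws_security_group.this.id]
+
+enable_deletion_protection = false
+enable_cross_zone_load_balancing = true
+
+}
+
+resource "aws_vpc_endpoint_service" "this" {
+acceptance_required = false
+network_load_balancer_arns = [aws_lb.this.arn]
+
+}
+
+resource "aws_vpc_endpoint_service_allowed_principal" "service_to_client" {
+vpc_endpoint_service_id = aws_vpc_endpoint_service.this.id
+principal_arn = "arn:aws:iam::066597193667:root"
+}
+
+resource "aws_lb_target_group" "this" {
+name = "${var.cluster_name}-nlb-tg"
+port = 443
+target_type = "ip"
+protocol = "TCP"
+vpc_id = var.vpc_id
+preserve_client_ip = "true"
+
+depends_on = [
+aws_lb.this
+]
+
+}
+
+resource "aws_lb_listener" "this" {
+load_balancer_arn = aws_lb.this.arn
+protocol = "TCP"
+port = 443
+default_action {
+type = "forward"
+target_group_arn = aws_lb_target_group.this.arn
+}
+}
+
+resource "aws_security_group" "this" {
+description = "Allow inbound/outbound traffic between NLB and OfAS VPC"
+vpc_id = var.vpc_id
+}
+
+resource "aws_security_group_rule" "egress" {
+security_group_id = aws_security_group.this.id
+from_port = 0
+to_port = 65535
+protocol = "-1"
+type = "egress"
+cidr_blocks = [data.aws_vpc.this.cidr_block]
+}
+
+resource "aws_security_group_rule" "ingress_https" {
+security_group_id = aws_security_group.this.id
+from_port = 443
+to_port = 443
+protocol = "TCP"
+type = "ingress"
+cidr_blocks = [data.aws_vpc.this.cidr_block]
+}
+
+
+################################################################################
+# Install the aws load balancer controller
+################################################################################
+
+provider "helm" {
+kubernetes {
+host = data.aws_eks_cluster.this.endpoint
+cluster_ca_certificate = base64decode(data.aws_eks_cluster.this.certificate_authority[0].data)
+token = data.aws_eks_cluster_auth.this.token
+}
+}
+
+module "load_balancer_controller" {
+source = "git::https://github.com/DNXLabs/terraform-aws-eks-lb-controller.git"
+
+cluster_identity_oidc_issuer = data.aws_eks_cluster.this.identity[0].oidc[0].issuer
+cluster_identity_oidc_issuer_arn = data.aws_iam_openid_connect_provider.this.arn
+cluster_name = var.cluster_name
+
+enabled = true
+}
+
+
+# ################################################################################
+# # Configure OfAS cluster to use PrivateLink
+# ################################################################################
+
+resource "null_resource" "update_ofas_cluster" {
+triggers = {
+always_run = timestamp()
+}
+
+provisioner "local-exec" {
+command = <<EOF
+curl -X PUT 'https://api.spotinst.io/ocean/spark/cluster/${var.oceanspark_cluster_id}' \
+--header 'Content-Type: application/json' \
+--header 'Account-id: ${var.spotinst_account}' \
+--header 'Authorization: Bearer ${var.spotinst_token}' \
+--data-raw '{
+"cluster": {
+"config": {
+"ingress": {
+"loadBalancer": {
+"managed": false,
+"targetGroupArn": "${aws_lb_target_group.this.arn}"
+},
+"privateLink": {
+"enabled": true,
+"vpcEndpointService": "${aws_vpc_endpoint_service.this.service_name}"
+}
+}
+}
+}
+}'
+EOF
+}
+}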
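Review bot: The Spot bearer token is interpolated straight into the curl argv in the `local-exec` command (`--header 'Authorization: Bearer ${var.spotinst_token}'`), so it shows up in process listings and in any TF_LOG or CI output that echoes the provisioner command, and because curl runs without `--fail` a 4xx/5xx from the API still lets `terraform apply` report success. Pass the secret through the provisioner's `environment` map and reference it as `$${SPOTINST_TOKEN}` inside the heredoc, and add `--fail` so a rejected update becomes an apply error; the `always_run = timestamp()` trigger also re-sends the PUT on every apply, which deserves a comment saying that is intended. Separately, `module "load_balancer_controller"` pulls a third-party git source with no `?ref=`, so every `init` fetches whatever the default branch currently holds; pin it to a tag or commit. The allowed principal `arn:aws:iam::066597193667:root` is a hard-coded account id combined with `acceptance_required = false`, so any principal in that account can connect without approval; a `variable "privatelink_principal_arn"` with a description of whose account this is would make the trust relationship explicit to people copying the example.
```hcl
provisioner "local-exec" {
  # Secrets go through the environment rather than argv, so they are not
  # visible in process listings or in echoed provisioner commands.
  environment = {
    SPOTINST_ACCOUNT = var.spotinst_account
    SPOTINST_TOKEN   = var.spotinst_token
  }
  command = <<EOF
curl --fail -X PUT 'https://api.spotinst.io/ocean/spark/cluster/${var.oceanspark_cluster_id}' \
--header 'Content-Type: application/json' \
--header "Account-id: $${SPOTINST_ACCOUNT}" \
--header "Authorization: Bearer $${SPOTINST_TOKEN}" \
--data-raw '{ ... }' # … unchanged: JSON body with targetGroupArn / vpcEndpointService …
EOF
}
```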
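--- a/examples/configure-existing-ofas-with-private-link/variable.tf
+++ b/examples/configure-existing-ofas-with-private-link/variable.tf
@@ -0,0 +1,41 @@
+variable "spotinst_token" {
+type = string
+}
+
+variable "spotinst_account" {
+type = string
+}
+
+variable "oceanspark_cluster_id" {
+type = string
+}
+
+variable "aws_region" {
+type = string
+}
+
+variable "aws_profile" {
+type = string
+}
+
+variable "cluster_name" {
+type = string
+}
+
+variable "vpc_id" {
+type = string
+}
+
+variable "private_subnet_ids" {
+type = list(string)
+}
+
+
+variable "target_group" {
+type = map(string)
+default = {
+"Protocol" = "TCP"
+"Port" = "443"
+}
+}
+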
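Review bot: `variable "spotinst_token"` holds a bearer secret but is not marked `sensitive = true`, so Terraform will print its value in plan and apply output wherever it is interpolated (the `local-exec` command in main.tf); change the block to `variable "spotinst_token" { type = string sensitive = true }` (one attribute per line) and consider the same for `spotinst_account`. None of the variables carry a `description`, which an example meant to be copied should have, at minimum for `oceanspark_cluster_id` and `private_subnet_ids`. `variable "target_group"` (the Protocol/Port map) is declared but never referenced — main.tf hard-codes `port = 443` and `protocol = "TCP"` on the target group — so either wire it into `aws_lb_target_group.this` or drop it to avoid suggesting it has an effect.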
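--- a/examples/configure-existing-ofas-with-private-link/versions.tf
+++ b/examples/configure-existing-ofas-with-private-link/versions.tf
@@ -0,0 +1,16 @@
+terraform {
+required_providers {
+spotinst = {
+source = "spotinst/spotinst"
+version = "~> 1.90"
+}
+kubernetes = {
+source = "hashicorp/kubernetes"
+version = "~> 2.26.0"
+}
+aws = {
+source = "hashicorp/aws"
+version = "~> 5.36"
+}
+}
+}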
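Review bot: `required_providers` pins `spotinst`, `kubernetes` and `aws`, but the providers main.tf actually instantiates are `aws`, `helm` (`provider "helm"`) and `null` (`resource "null_resource"`); `helm` and `null` are therefore unconstrained and resolve to whatever is latest at `init` time, while `spotinst` is declared yet unused because the Ocean API is called through curl rather than the provider. Add entries for `hashicorp/helm` and `hashicorp/null` with the versions this example was tested against, and either drop `spotinst` or add a comment explaining why it is kept. A `required_version` constraint on the `terraform` block would also make the example reproducible for readers on a different CLI version.
```hcl
terraform {
  required_providers {
    # … unchanged: aws entry (and spotinst/kubernetes if kept) …
    helm = {
      source  = "hashicorp/helm"
      version = "~> <HELM_PROVIDER_VERSION>" # placeholder: pin to the tested version
    }
    null = {
      source  = "hashicorp/null"
      version = "~> <NULL_PROVIDER_VERSION>" # placeholder: pin to the tested version
    }
  }
}
```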
