initial migration from batcave-landing-zone

UncleGedd · UncleGedd · commit d935f2c3fe9e · 2022-03-10T10:31:48.000-06:00
diff --git a/iam.tf b/iam.tf
@@ -0,0 +1,113 @@
+################################################################################
+# AWS Identity and Access Management
+################################################################################
+
+resource "aws_iam_policy" "ssm_managed_instance" {
+  name = "karpenter-ssm-policy-${var.cluster_name}"
+  path = var.iam_path
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect = "Allow",
+        Action = [
+          "ssm:DescribeAssociation",
+          "ssm:GetDeployablePatchSnapshotForInstance",
+          "ssm:GetDocument",
+          "ssm:DescribeDocument",
+          "ssm:GetManifest",
+          "ssm:GetParameter",
+          "ssm:GetParameters",
+          "ssm:ListAssociations",
+          "ssm:ListInstanceAssociations",
+          "ssm:PutInventory",
+          "ssm:PutComplianceItems",
+          "ssm:PutConfigurePackageResult",
+          "ssm:UpdateAssociationStatus",
+          "ssm:UpdateInstanceAssociationStatus",
+          "ssm:UpdateInstanceInformation"
+        ],
+        Resource = "*"
+      },
+      {
+        Effect = "Allow",
+        Action = [
+          "ssmmessages:CreateControlChannel",
+          "ssmmessages:CreateDataChannel",
+          "ssmmessages:OpenControlChannel",
+          "ssmmessages:OpenDataChannel"
+        ],
+        Resource = "*"
+      },
+      {
+        Effect = "Allow",
+        Action = [
+          "ec2messages:AcknowledgeMessage",
+          "ec2messages:DeleteMessage",
+          "ec2messages:FailMessage",
+          "ec2messages:GetEndpoint",
+          "ec2messages:GetMessages",
+          "ec2messages:SendReply"
+        ],
+        Resource = "*"
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "karpenter_ssm_policy" {
+  role       = var.worker_iam_role_name
+  policy_arn = aws_iam_policy.ssm_managed_instance.arn
+}
+
+resource "aws_iam_instance_profile" "karpenter" {
+  name = "KarpenterNodeInstanceProfile-${var.cluster_name}"
+  role = var.worker_iam_role_name
+  path = "/delegatedadmin/developer/"
+}
+
+module "iam_assumable_role_karpenter" {
+  source                        = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
+  version                       = "4.7.0"
+  create_role                   = true
+  role_name                     = "karpenter-controller-${var.cluster_name}"
+  provider_url                  = var.provider_url
+  role_path                     = var.iam_path
+  role_permissions_boundary_arn = var.permissions_boundary
+  oidc_fully_qualified_subjects = ["system:serviceaccount:karpenter:karpenter"]
+}
+
+resource "aws_iam_policy" "karpenter_contoller" {
+  name = "karpenter-policy-${var.cluster_name}"
+  path = var.iam_path
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = [
+          "ec2:CreateLaunchTemplate",
+          "ec2:CreateFleet",
+          "ec2:RunInstances",
+          "ec2:CreateTags",
+          "iam:PassRole",
+          "ec2:TerminateInstances",
+          "ec2:DescribeLaunchTemplates",
+          "ec2:DescribeInstances",
+          "ec2:DescribeSecurityGroups",
+          "ec2:DescribeSubnets",
+          "ec2:DescribeInstanceTypes",
+          "ec2:DescribeInstanceTypeOfferings",
+          "ec2:DescribeAvailabilityZones",
+          "ssm:GetParameter"
+        ]
+        Effect   = "Allow"
+        Resource = "*"
+      },
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "karpenter_contoller_policy_attachment" {
+  role      = module.iam_assumable_role_karpenter.iam_role_name
+  policy_arn = aws_iam_policy.karpenter_contoller.arn
+}
diff --git a/karpenter.tf b/karpenter.tf
@@ -0,0 +1,47 @@
+################################################################################
+# Helm Release - Karpenter
+################################################################################
+data "aws_eks_cluster" "cluster" {
+  name = var.cluster_name
+}
+
+provider "helm" {
+  kubernetes {
+    host                   = data.aws_eks_cluster.cluster.endpoint
+    cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
+    exec {
+      api_version = "client.authentication.k8s.io/v1alpha1"
+      args        = ["eks", "get-token", "--cluster-name", data.aws_eks_cluster.cluster.name]
+      command     = "aws"
+    }
+  }
+}
+
+resource "helm_release" "karpenter" {
+  namespace        = var.helm_namespace
+  create_namespace = var.helm_create_namespace
+
+  name       = "karpenter"
+  repository = "https://charts.karpenter.sh"
+  chart      = "karpenter"
+  version    = "0.6.1"
+
+  values = [
+    "${file("values.yaml")}"
+  ]
+  set {
+    name  = "serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"
+    value = module.iam_assumable_role_karpenter.iam_role_arn
+  }
+
+  set {
+    name  = "controller.clusterName"
+    value = var.cluster_name
+  }
+
+  set {
+    name  = "controller.clusterEndpoint"
+    value = var.cluster_endpoint
+  }
+}
+
diff --git a/karpenter.yaml b/karpenter.yaml
@@ -0,0 +1,62 @@
+# ---
+# apiVersion: karpenter.sh/v1alpha5
+# kind: Provisioner
+# metadata:
+#   name: cpu
+# spec:
+#   requirements:
+#     - key: node.kubernetes.io/instance-type
+#       operator: In
+#       values: ["c5.xlarge"]
+#   labels:
+#     Name : cpu
+#   taints:
+#     - key: CpuOnly
+#       effect: NoSchedule
+#   provider:
+#     instanceProfile: KarpenterNodeInstanceProfile-batcave-dev
+#     launchTemplate: cpu-20220113143405730300000018
+#     subnetSelector:
+#       ContainerSubnet: "true"
+#   ttlSecondsAfterEmpty: 30
+
+# ---
+# apiVersion: karpenter.sh/v1alpha5
+# kind: Provisioner
+# metadata:
+#   name: memory
+# spec:
+#   requirements:
+#     - key: node.kubernetes.io/instance-type
+#       operator: In
+#       values: ["r5.xlarge"]
+#   labels:
+#     Name : critical
+#   taints:
+#     - key: MemoryOnly
+#       effect: NoSchedule
+#   provider:
+#     instanceProfile: KarpenterNodeInstanceProfile-batcave-test
+#     launchTemplate: memory-2022011303540058450000000d
+#     subnetSelector:
+#       ContainerSubnet: "true"
+#   ttlSecondsAfterEmpty: 30
+  
+---
+apiVersion: karpenter.sh/v1alpha5
+kind: Provisioner
+metadata:
+  name: general
+spec:
+  requirements:
+    - key: node.kubernetes.io/instance-type
+      operator: In
+      values: ["c4.xlarge"]
+  labels:
+    Name : general
+  provider:
+    instanceProfile: KarpenterNodeInstanceProfile-batcave-east-dev
+    launchTemplate: general-2022012006071202970000000b
+    subnetSelector:
+      ContainerSubnet: "true"
+  ttlSecondsAfterEmpty: 30
diff --git a/output.tf b/output.tf
@@ -0,0 +1,10 @@
+output "karpenter_iam" {
+  value = aws_iam_instance_profile.karpenter.id
+}
+
+output "hr_manifest" {
+  description = "The rendered manifest of the release as JSON"
+  value = helm_release.karpenter
+  sensitive = true
+}
+
diff --git a/test.yaml b/test.yaml
@@ -0,0 +1,19 @@
+apiVersion: karpenter.sh/v1alpha5
+kind: Provisioner
+metadata:
+  name: default
+spec:
+  requirements:
+    - key: karpenter.sh/capacity-type
+      operator: In
+      values: ["spot"]
+  limits:
+    resources:
+      cpu: 1000
+  provider:
+    instanceProfile: KarpenterNodeInstanceProfile-batcave-dev
+    subnetSelector:
+      kubernetes.io/cluster/batcave-dev: 'shared'
+    securityGroupSelector:
+      Name: sg-0ae8da89426d04ac6
+  ttlSecondsAfterEmpty: 30
diff --git a/test/test.yaml b/test/test.yaml
@@ -0,0 +1,21 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: inflate
+spec:
+  replicas: 0
+  selector:
+    matchLabels:
+      app: inflate
+  template:
+    metadata:
+      labels:
+        app: inflate
+    spec:
+      terminationGracePeriodSeconds: 0
+      containers:
+        - name: inflate
+          image: public.ecr.aws/eks-distro/kubernetes/pause:3.2
+          resources:
+            requests:
+              cpu: 1
diff --git a/values.yaml b/values.yaml
@@ -0,0 +1,11 @@
+controller:
+  tolerations:
+    - key: "CriticalAddonsOnly"
+      operator: "Exists"
+      effect: "NoSchedule"
+
+webhook:
+  tolerations:
+    - key: "CriticalAddonsOnly"
+      operator: "Exists"
+      effect: "NoSchedule"
diff --git a/variables.tf b/variables.tf
@@ -0,0 +1,36 @@
+variable "cluster_name" {}
+variable "provider_url" {
+    default = ""
+}
+
+
+### Karpenter IAM variables
+
+variable "worker_iam_role_name" {
+    default = ""
+}
+
+variable "iam_path" {
+  default = "/delegatedadmin/developer/"
+}
+
+variable "permissions_boundary" {
+  default = "arn:aws:iam::373346310182:policy/cms-cloud-admin/developer-boundary-policy"
+}
+
+
+### Helm variables
+
+variable "helm_namespace" {
+    default = "karpenter"
+}
+variable "helm_create_namespace" {
+    type = bool
+    default = true
+}
+variable "helm_name" {
+    default = "karpenter"
+}
+variable "cluster_endpoint" {
+    default = ""
+}
