
terraform…


dasari4kntr


3 hours ago, dasari4kntr said:

for each one, does that mean a different Terraform project and a different plan and apply in Terraform Cloud…?

Yes bro.. we had a similar setup.. our repo is split by resources.. like all EKS goes to one and RDS to another one


chatgpt response for this...

it has confused the little Terraform I knew...

# EKS Cluster
# The required arguments the snippet left out are filled in below; the var.*
# references (subnet IDs, Atlas org ID) are assumed to be declared elsewhere.
resource "aws_eks_cluster" "example" {
  name     = "example"
  role_arn = aws_iam_role.example.arn

  # vpc_config with subnet_ids is mandatory for an EKS cluster.
  vpc_config {
    subnet_ids = var.subnet_ids
  }

  # The service role must already carry AmazonEKSClusterPolicy when the
  # cluster is created.
  depends_on = [aws_iam_role_policy_attachment.example_cluster_policy]
}

# Service role assumed by the EKS control plane (not by your pods).
resource "aws_iam_role" "example" {
  name = "example"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "eks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

resource "aws_iam_role_policy_attachment" "example_cluster_policy" {
  role       = aws_iam_role.example.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
}

# S3 Bucket (bucket names are global, so "example" is only a placeholder)
resource "aws_s3_bucket" "example" {
  bucket = "example"
}

# MongoDB Atlas
resource "mongodbatlas_project" "example" {
  name   = "example"
  org_id = var.atlas_org_id # required by the provider
}

# Network container used for VPC peering. This is Atlas's own private address
# space, not an allow-list: Atlas requires a private RFC 1918 block here (for
# example 10.8.0.0/21) and rejects 0.0.0.0/0. provider_name and region_name are
# required as well.
resource "mongodbatlas_network_container" "example" {
  project_id       = mongodbatlas_project.example.id
  atlas_cidr_block = "10.8.0.0/21"
  provider_name    = "AWS"
  region_name      = "US_EAST_1"
}

# Route 53
resource "aws_route53_record" "example" {
  zone_id = aws_route53_zone.example.zone_id
  name    = "example.com"
  type    = "A"
  ttl     = 300 # seconds; a number, not a string
  records = ["1.2.3.4"]
}

resource "aws_route53_zone" "example" {
  name = "example.com"
}


57 minutes ago, dasari4kntr said:

chatgpt response for this...

it has confused the little Terraform I knew...


He just wrote out every resource you have, one after another, bro… in fact this also works

Your requirement is a bit confusing… why do you need MongoDB, S3, Route 53 in EKS..

cluster creation is totally different, right.. you don't need to mix and match all these things


3 minutes ago, LadiesTailor said:

He just wrote out every resource you have, one after another, bro… in fact this also works

Your requirement is a bit confusing… why do you need MongoDB, S3, Route 53 in EKS..

cluster creation is totally different, right.. you don't need to mix and match all these things

cluster creation is done… I am looking for access permissions from the cluster to S3 and MongoDB…

is my approach wrong..?


1 minute ago, dasari4kntr said:

cluster creation is done… I am looking for access permissions from the cluster to S3 and MongoDB…

That's IAM, right… look for IAM policies to attach to the EKS cluster

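The MongoDB half of the question above is not answered by AWS IAM policies alone. Atlas decides who may connect through its own database users and the project's network access list, although it can authenticate a database user by an AWS IAM role, which is what ties it back to the pod's identity. The configuration below is an added example, not code from the thread or from the Atlas provider's own documentation. The Atlas project ID, the pod's IAM role ARN, the NAT gateway address of the EKS VPC and the cluster name "example-cluster" are all assumed placeholders.

```hcl
# Added example: letting a pod in EKS reach a MongoDB Atlas cluster.
# Assumed inputs (not from the thread): the Atlas project id, the IAM role the
# pod assumes (for example via IRSA), and the NAT gateway EIP the worker nodes
# egress through.
variable "atlas_project_id" {}
variable "app_role_arn" {}

variable "eks_nat_eip" {
  default = "203.0.113.10" # assumed: elastic IP of the VPC's NAT gateway
}

# Network access: only the cluster's egress address may connect at all.
# An entry of 0.0.0.0/0 here would expose the cluster to password guessing
# from the whole internet.
resource "mongodbatlas_project_ip_access_list" "eks_egress" {
  project_id = var.atlas_project_id
  cidr_block = "${var.eks_nat_eip}/32"
  comment    = "EKS worker egress via NAT"
}

# Database user authenticated by the pod's IAM role: no password to store in
# Kubernetes, and the principal is the same role IAM already audits.
resource "mongodbatlas_database_user" "app" {
  project_id         = var.atlas_project_id
  username           = var.app_role_arn # role ARN, not a name
  aws_iam_type       = "ROLE"
  auth_database_name = "$external" # required for IAM-authenticated users

  # Only the application database, only readWrite (no dbAdmin, no admin db).
  roles {
    role_name     = "readWrite"
    database_name = "appdb"
  }

  # Only one Atlas cluster in the project, not every cluster the project owns.
  scopes {
    name = "example-cluster"
    type = "CLUSTER"
  }
}
```

The application then connects with authMechanism=MONGODB-AWS and authSource=$external, using a driver that obtains credentials from the pod's web-identity token. The check a practitioner wants is twofold: a pod running under a different IAM role is refused at authentication, and a client outside the listed address is refused at the network layer before authentication is even attempted.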

15 minutes ago, LadiesTailor said:

That's IAM, right… look for IAM policies to attach to the EKS cluster

ok...

if my understanding is correct...

i have created the cluster as below... similarly I will create S3 and MongoDB also using the modules... then I need to configure the IAM policies.. and attach...

# Assumed to be declared elsewhere: module "vpc", local.cluster_name and the
# two worker management security groups referenced below.
module "eks" {
  source          = "terraform-aws-modules/eks/aws"
  version         = "17.24.0"
  cluster_name    = local.cluster_name
  cluster_version = "1.20"
  subnets         = module.vpc.private_subnets

  vpc_id = module.vpc.vpc_id

  workers_group_defaults = {
    root_volume_type = "gp2"
  }

  worker_groups = [
    {
      name                          = "worker-group-1"
      instance_type                 = "t2.small"
      additional_userdata           = "echo foo bar"
      additional_security_group_ids = [aws_security_group.worker_group_mgmt_one.id]
      asg_desired_capacity          = 2
    },
    {
      name                          = "worker-group-2"
      instance_type                 = "t2.medium"
      additional_userdata           = "echo foo bar"
      additional_security_group_ids = [aws_security_group.worker_group_mgmt_two.id]
      asg_desired_capacity          = 1
    },
  ]
}

# Read back the cluster the module created; these two data sources are what
# the kubernetes provider is normally configured from (endpoint, CA and a
# short-lived token that is regenerated on every run).
data "aws_eks_cluster" "cluster" {
  name = module.eks.cluster_id
}

data "aws_eks_cluster_auth" "cluster" {
  name = module.eks.cluster_id
}

now I understand what I am missing...

# Root module: call the bucket module.
module "s3_bucket" {
  source      = "./modules/s3-bucket"
  bucket_name = "my-bucket"
}

# modules/s3-bucket: the variable the module reads and the bucket itself.
variable "bucket_name" {}

resource "aws_s3_bucket" "bucket" {
  bucket = var.bucket_name
}

resource "aws_iam_policy" "s3_access_policy" {
  name        = "s3_access_policy"
  description = "Allow EKS cluster to access S3"
  # Blanket policy: arn:aws:s3:::* covers every bucket in the account. For least
  # privilege, use aws_s3_bucket.bucket.arn and "${aws_s3_bucket.bucket.arn}/*".
  # The closing marker is indented, so the indented heredoc form <<-EOF is used.
  policy      = <<-EOF
  {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::*/*"
            ]
        }
    ]
  }
  EOF
}

# Role assumed by the EKS control plane (principal eks.amazonaws.com).
# Attaching the S3 policy here grants S3 access to the control plane, not to
# your pods; workloads get AWS permissions through the node instance role or,
# better, an IRSA role bound to their Kubernetes service account.
resource "aws_iam_role" "eks_cluster_role" {
  name = "eks_cluster_role"
  assume_role_policy = <<-EOF
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Service": "eks.amazonaws.com"
        },
        "Action": "sts:AssumeRole"
      }
    ]
  }
  EOF
}

resource "aws_iam_role_policy_attachment" "attach_s3_access_policy" {
  role       = aws_iam_role.eks_cluster_role.name
  policy_arn = aws_iam_policy.s3_access_policy.arn
}

# Note: module "eks" above already creates a cluster, so this resource would
# create a second one; keep either the module or this resource, not both.
resource "aws_eks_cluster" "example" {
  name     = "example"
  role_arn = aws_iam_role.eks_cluster_role.arn
  // ... other arguments
}


32 minutes ago, dasari4kntr said:

ok...

if my understanding is correct...

i have created the cluster as below... similarly I will create S3 and MongoDB also using the modules... then I need to configure the IAM policies.. and attach...


Yup.. you got it… 


17 minutes ago, perugu_vada said:

LTT 

@perugu_vada @dasari4kntr is almost there.

he got the stack right,

make sure you have segregated the IAM role policies accordingly, just in case (best practices).

you can use blanket IAM for a personal project though.

but let me know if you need more help @dasari4kntr


3 minutes ago, Spartan said:

@perugu_vada @dasari4kntr is almost there.

he got the stack right,

make sure you have segregated the IAM role policies accordingly, just in case (best practices).

you can use blanket IAM for a personal project though.

but let me know if you need more help @dasari4kntr

blanket IAM meaning..? you mean not too customized...?


4 minutes ago, dasari4kntr said:

blanket IAM meaning..? you mean not too customized...?

yes, the only pro is you can use the same IAM role for all resources and there's no need to create multiple ones

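Two passages above call for the same worked configuration: the post that attaches an S3 policy to the cluster's service role, and the later exchange about segregated versus blanket IAM. The block below is an added example, not code from the thread or from the terraform-aws-modules/eks project, and shows the pattern that actually gives a pod S3 access with a role of its own: IAM Roles for Service Accounts (IRSA). Assumed names: module "eks" is terraform-aws-modules/eks v17 with enable_irsa = true, the bucket is aws_s3_bucket.bucket in the same root module, the workload runs in namespace "app" as service account "s3-writer", and the kubernetes provider is already configured from the cluster data sources.

```hcl
# Added example: per-workload S3 access with IRSA. Assumes module "eks"
# (terraform-aws-modules/eks v17, enable_irsa = true), aws_s3_bucket.bucket,
# and a configured kubernetes provider; namespace and account names are
# placeholders.

locals {
  # OIDC issuer without the scheme, which is how IAM condition keys name it.
  oidc_issuer = replace(module.eks.cluster_oidc_issuer_url, "https://", "")
}

# Trust policy: only the one Kubernetes service account can assume this role.
# Without the :sub condition any pod in the cluster could use it.
data "aws_iam_policy_document" "s3_writer_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [module.eks.oidc_provider_arn]
    }

    condition {
      test     = "StringEquals"
      variable = "${local.oidc_issuer}:sub"
      values   = ["system:serviceaccount:app:s3-writer"]
    }

    condition {
      test     = "StringEquals"
      variable = "${local.oidc_issuer}:aud"
      values   = ["sts.amazonaws.com"]
    }
  }
}

# Permissions scoped to the one bucket instead of arn:aws:s3:::*.
data "aws_iam_policy_document" "s3_writer" {
  statement {
    effect    = "Allow"
    actions   = ["s3:ListBucket"]
    resources = [aws_s3_bucket.bucket.arn]
  }

  statement {
    effect    = "Allow"
    actions   = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
    resources = ["${aws_s3_bucket.bucket.arn}/*"]
  }
}

resource "aws_iam_role" "s3_writer" {
  name               = "app-s3-writer"
  assume_role_policy = data.aws_iam_policy_document.s3_writer_trust.json
}

resource "aws_iam_role_policy" "s3_writer" {
  name   = "s3-one-bucket"
  role   = aws_iam_role.s3_writer.id
  policy = data.aws_iam_policy_document.s3_writer.json
}

# Kubernetes side: this annotation is what makes EKS inject the projected
# web-identity token and AWS_ROLE_ARN into pods that use the account.
resource "kubernetes_service_account" "s3_writer" {
  metadata {
    name      = "s3-writer"
    namespace = "app"
    annotations = {
      "eks.amazonaws.com/role-arn" = aws_iam_role.s3_writer.arn
    }
  }
}
```

Segregation in this model is one service account plus one role per workload: the MongoDB client gets its own pair with no S3 statements at all, so a compromised pod only carries the permissions of the thing it was. The blanket alternative (one role, every bucket, shared by everything) saves a few resources but means CloudTrail cannot tell which workload touched which bucket. To check the binding, run `aws sts get-caller-identity` inside a pod on the s3-writer account and confirm the returned ARN is the app-s3-writer role; a pod on an unannotated account should not get it. The usual companion control is restricting pods' access to the node's instance metadata (IMDSv2 with a hop limit of 1) so that workloads cannot fall back to the node instance role.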
