From a97ab00788808480c07ace228208273e0254df18 Mon Sep 17 00:00:00 2001
From: Justin Santa Barbara
Date: Mon, 12 Dec 2016 10:09:11 -0500
Subject: [PATCH 1/4] Disable scheme:internal on ELB

---
 .../cloudup/_aws/topologies/_topology_private/network.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/upup/models/cloudup/_aws/topologies/_topology_private/network.yaml b/upup/models/cloudup/_aws/topologies/_topology_private/network.yaml
index b59e952f21..5f7c28ec23 100644
--- a/upup/models/cloudup/_aws/topologies/_topology_private/network.yaml
+++ b/upup/models/cloudup/_aws/topologies/_topology_private/network.yaml
@@ -190,7 +190,7 @@ loadBalancer/api.{{ ClusterName }}:
     {{ end }}
   listeners:
     443: { instancePort: 443 }
-  scheme: internal
+  #scheme: internal
   healthCheck:
     target: TCP:443
     healthyThreshold: 2
From 196038fe026d0f36b67c5232915ea39c50f5721c Mon Sep 17 00:00:00 2001
From: Justin Santa Barbara
Date: Mon, 12 Dec 2016 10:36:04 -0500
Subject: [PATCH 2/4] A few tweaks to terraform output building

---
 upup/pkg/fi/cloudup/awstasks/dnszone.go | 2 +-
 upup/pkg/fi/cloudup/awstasks/load_balancer.go | 3 ++-
 upup/pkg/fi/cloudup/awstasks/load_balancer_attachment.go | 1 -
 upup/pkg/fi/cloudup/awstasks/loadbalancer_attributes.go | 6 ++++++
 4 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/upup/pkg/fi/cloudup/awstasks/dnszone.go b/upup/pkg/fi/cloudup/awstasks/dnszone.go
index 69468acbfc..1a70253ad6 100644
--- a/upup/pkg/fi/cloudup/awstasks/dnszone.go
+++ b/upup/pkg/fi/cloudup/awstasks/dnszone.go
@@ -86,7 +86,7 @@ func (e *DNSZone) findExisting(cloud awsup.AWSCloud) (*route53.HostedZone, error
 			}
 			// Otherwise continue ... maybe the name was not an id after all...
 		} else {
-			return nil, fmt.Errorf("error fetching DNS HostedZone %q: %v", *e.ID, err)
+			return nil, fmt.Errorf("error fetching DNS HostedZone %q: %v", findID, err)
 		}
 	} else {
 		return response.HostedZone, nil
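Review bot: Commenting out `scheme: internal` switches the private topology's API load balancer from internal to the provider default, which for a classic ELB is internet-facing, and nothing next to the dead line records why or for how long. Since this template is the only place that default is set, replace the bare `#scheme: internal` with a comment that keeps the reason and the re-enable condition, for example `# scheme: internal disabled: <reason from commit>; re-enable when <blocker> is resolved`, filling in the actual reason. The enclosing `loadBalancer/api.{{ ClusterName }}` block starts outside the hunk.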
diff --git a/upup/pkg/fi/cloudup/awstasks/load_balancer.go b/upup/pkg/fi/cloudup/awstasks/load_balancer.go
index 5f7de5fe62..c4beea4bd3 100644
--- a/upup/pkg/fi/cloudup/awstasks/load_balancer.go
+++ b/upup/pkg/fi/cloudup/awstasks/load_balancer.go
@@ -362,9 +362,10 @@ func (_ *LoadBalancer) RenderTerraform(t *terraform.TerraformTarget, a, e, chang
 		elbName = e.Name
 	}
+	internal := fi.StringValue(e.Scheme) == "internal"
 	tf := &terraformLoadBalancer{
 		Name:     elbName,
-		Internal: *e.Scheme == "internal",
+		Internal: internal,
 	}
 	for _, subnet := range e.Subnets {
diff --git a/upup/pkg/fi/cloudup/awstasks/load_balancer_attachment.go b/upup/pkg/fi/cloudup/awstasks/load_balancer_attachment.go
index 815fec02d4..dafc47db09 100644
--- a/upup/pkg/fi/cloudup/awstasks/load_balancer_attachment.go
+++ b/upup/pkg/fi/cloudup/awstasks/load_balancer_attachment.go
@@ -100,7 +100,6 @@ func (s *LoadBalancerAttachment) CheckChanges(a, e, changes *LoadBalancerAttachm
 }
 func (_ *LoadBalancerAttachment) RenderAWS(t *awsup.AWSAPITarget, a, e, changes *LoadBalancerAttachment) error {
-
 	if e.AutoscalingGroup != nil && e.Instance == nil {
 		request := &autoscaling.AttachLoadBalancersInput{}
 		request.AutoScalingGroupName = e.AutoscalingGroup.Name
diff --git a/upup/pkg/fi/cloudup/awstasks/loadbalancer_attributes.go b/upup/pkg/fi/cloudup/awstasks/loadbalancer_attributes.go
index 2a78319708..dfb319ad53 100644
--- a/upup/pkg/fi/cloudup/awstasks/loadbalancer_attributes.go
+++ b/upup/pkg/fi/cloudup/awstasks/loadbalancer_attributes.go
@@ -24,6 +24,7 @@ import (
 	"github.com/golang/glog"
 	"k8s.io/kops/upup/pkg/fi"
 	"k8s.io/kops/upup/pkg/fi/cloudup/awsup"
+	"k8s.io/kops/upup/pkg/fi/cloudup/terraform"
 )
 type LoadBalancerAccessLog struct {
@@ -250,3 +251,8 @@ func (_ *LoadBalancerAttributes) RenderAWS(t *awsup.AWSAPITarget, a, e, changes
 	return nil
 }
+
+func (_ *LoadBalancerAttributes) RenderTerraform(t *terraform.TerraformTarget, a, e, changes *LoadBalancerAttributes) error {
+	glog.Warning("LoadBalancerAttributes RenderTerraform not implemented")
+	return nil
+}
From 3415d15f120e2554a0a6091ba10325b4efd56030 Mon Sep 17 00:00:00 2001
From: Justin Santa Barbara
Date: Mon, 12 Dec 2016 11:01:03 -0500
Subject: [PATCH 3/4] Mock Route53 GetHostedZone

---
 cloudmock/aws/mockroute53/unimplemented.go | 16 -------
 cloudmock/aws/mockroute53/zones.go | 50 ++++++++++++++++++++--
 2 files changed, 46 insertions(+), 20 deletions(-)

diff --git a/cloudmock/aws/mockroute53/unimplemented.go b/cloudmock/aws/mockroute53/unimplemented.go
index 168b73d1d7..cfbbf60f45 100644
--- a/cloudmock/aws/mockroute53/unimplemented.go
+++ b/cloudmock/aws/mockroute53/unimplemented.go
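Review bot: The new `RenderTerraform` returns nil after only a warning, so a terraform run that reaches it reports success while emitting none of the load balancer attributes the AWS path applies, and callers cannot tell from the return value that configuration was dropped. If the stub must stay non-fatal, at least say what was dropped, `glog.Warningf("LoadBalancerAttributes RenderTerraform not implemented; attributes for %v were not emitted", e)`, or return an error so the gap is visible in the output rather than only in logs. A doc comment on the method stating that terraform output currently omits ELB attributes would also help the next reader.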
@@ -205,22 +205,6 @@ func (m *MockRoute53) GetHealthCheckStatus(*route53.GetHealthCheckStatusInput) (
 	panic("MockRoute53 function not implemented")
 	return nil, nil
 }
-func (m *MockRoute53) GetHostedZoneRequest(*route53.GetHostedZoneInput) (*request.Request, *route53.GetHostedZoneOutput) {
-	panic("MockRoute53 function not implemented")
-	return nil, nil
-}
-func (m *MockRoute53) GetHostedZone(*route53.GetHostedZoneInput) (*route53.GetHostedZoneOutput, error) {
-	panic("MockRoute53 function not implemented")
-	return nil, nil
-}
-func (m *MockRoute53) GetHostedZoneCountRequest(*route53.GetHostedZoneCountInput) (*request.Request, *route53.GetHostedZoneCountOutput) {
-	panic("MockRoute53 function not implemented")
-	return nil, nil
-}
-func (m *MockRoute53) GetHostedZoneCount(*route53.GetHostedZoneCountInput) (*route53.GetHostedZoneCountOutput, error) {
-	panic("MockRoute53 function not implemented")
-	return nil, nil
-}
 func (m *MockRoute53) GetReusableDelegationSetRequest(*route53.GetReusableDelegationSetInput) (*request.Request, *route53.GetReusableDelegationSetOutput) {
 	panic("MockRoute53 function not implemented")
 	return nil, nil
diff --git a/cloudmock/aws/mockroute53/zones.go b/cloudmock/aws/mockroute53/zones.go
index 6bde457359..bc7380a8f0 100644
--- a/cloudmock/aws/mockroute53/zones.go
+++ b/cloudmock/aws/mockroute53/zones.go
@@ -20,18 +20,60 @@ import (
 	"github.com/aws/aws-sdk-go/aws/request"
 	"github.com/aws/aws-sdk-go/service/route53"
 	"github.com/golang/glog"
+	"github.com/aws/aws-sdk-go/aws"
+	"fmt"
+	"strings"
 )
 type zoneInfo struct {
 }
+func (m *MockRoute53) GetHostedZoneRequest(*route53.GetHostedZoneInput) (*request.Request, *route53.GetHostedZoneOutput) {
+	panic("MockRoute53 GetHostedZoneRequest not implemented")
+	return nil, nil
+}
+func (m *MockRoute53) GetHostedZone(request *route53.GetHostedZoneInput) (*route53.GetHostedZoneOutput, error) {
+	glog.Infof("GetHostedZone %v", request)
+
+	findID := aws.StringValue(request.Id)
+	if !strings.Contains(findID, "/") {
+		findID = "/hostedzone/" + findID
+	}
+
+	for _, z := range m.Zones {
+		if *z.Id != findID {
+			continue
+		}
+
+		copy := *z
+		response := &route53.GetHostedZoneOutput{
+			// DelegationSet ???
+			HostedZone: ©,
+			// VPCs
+		}
+		return response, nil
+	}
+
+	// TODO: Correct error
+	return nil, fmt.Errorf("NOT FOUND")
+}
+
+func (m *MockRoute53) GetHostedZoneCountRequest(*route53.GetHostedZoneCountInput) (*request.Request, *route53.GetHostedZoneCountOutput) {
+	panic("MockRoute53 GetHostedZoneCountRequest not implemented")
+	return nil, nil
+}
+func (m *MockRoute53) GetHostedZoneCount(*route53.GetHostedZoneCountInput) (*route53.GetHostedZoneCountOutput, error) {
+	panic("MockRoute53 GetHostedZoneCount not implemented")
+	return nil, nil
+}
+
 func (m *MockRoute53) ListHostedZonesRequest(*route53.ListHostedZonesInput) (*request.Request, *route53.ListHostedZonesOutput) {
-	panic("MockRoute53 function not implemented")
+	panic("MockRoute53 ListHostedZonesRequest not implemented")
 	return nil, nil
 }
 func (m *MockRoute53) ListHostedZones(*route53.ListHostedZonesInput) (*route53.ListHostedZonesOutput, error) {
-	panic("MockRoute53 function not implemented")
+	panic("MockRoute53 ListHostedZones not implemented")
 	return nil, nil
 }
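Review bot: `GetHostedZone` reports a miss with `fmt.Errorf("NOT FOUND")`, but the real service returns an awserr whose code is `NoSuchHostedZone`, and `findExisting` in dnszone.go (earlier hunk) appears to distinguish a not-found error from other failures before falling back to a name lookup, so this mock would send the integration test down the wrong branch. Returning `awserr.New("NoSuchHostedZone", fmt.Sprintf("hosted zone %q not found", findID), nil)` (importing `github.com/aws/aws-sdk-go/aws/awserr`) keeps the mock faithful to the SDK. Two smaller points: `copy := *z` shadows the builtin `copy`, and the address-of on the `HostedZone:` line is garbled in this rendering, so `zone := *z` with `HostedZone: &zone` reads more safely; and `fmt` and `strings` belong in the stdlib import group where goimports would put them, not after the third-party imports.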
@@ -50,11 +92,11 @@ func (m *MockRoute53) ListHostedZonesPages(request *route53.ListHostedZonesInput
 }
 func (m *MockRoute53) ListHostedZonesByNameRequest(*route53.ListHostedZonesByNameInput) (*request.Request, *route53.ListHostedZonesByNameOutput) {
-	panic("MockRoute53 function not implemented")
+	panic("MockRoute53 ListHostedZonesByNameRequest not implemented")
 	return nil, nil
 }
 func (m *MockRoute53) ListHostedZonesByName(*route53.ListHostedZonesByNameInput) (*route53.ListHostedZonesByNameOutput, error) {
-	panic("MockRoute53 function not implemented")
+	panic("MockRoute53 ListHostedZonesByName not implemented")
 	return nil, nil
 }
From e779d63eeeebbbb1d31008fcb44f67e228cbdb6e Mon Sep 17 00:00:00 2001
From: Justin Santa Barbara
Date: Mon, 12 Dec 2016 10:35:43 -0500
Subject: [PATCH 4/4] Add test for weave

---
 cmd/kops/integration_test.go | 9 +-
 tests/integration/minimal-141/kubernetes.tf | 4 +-
 tests/integration/minimal/kubernetes.tf | 4 +-
 tests/integration/privateweave/id_rsa.pub | 1 +
 tests/integration/privateweave/in.yaml | 78 +++
 tests/integration/privateweave/kubernetes.tf | 529 +++++++++++++++++++
 6 files changed, 619 insertions(+), 6 deletions(-)
 create mode 100755 tests/integration/privateweave/id_rsa.pub
 create mode 100644 tests/integration/privateweave/in.yaml
 create mode 100644 tests/integration/privateweave/kubernetes.tf

diff --git a/cmd/kops/integration_test.go b/cmd/kops/integration_test.go
index 0de56def87..d457901e95 100644
--- a/cmd/kops/integration_test.go
+++ b/cmd/kops/integration_test.go
@@ -53,6 +53,11 @@ func TestMinimal_141(t *testing.T) {
 	runTest(t, "minimal-141.example.com", "../../tests/integration/minimal-141")
 }
+
+// TestPrivateWeave runs the test on a configuration with private topology, weave networking
+func TestPrivateWeave(t *testing.T) {
+	runTest(t, "privateweave.example.com", "../../tests/integration/privateweave")
+}
+
 func runTest(t *testing.T, clusterName string, srcDir string) {
 	var stdout bytes.Buffer
@@ -71,12 +76,12 @@ func runTest(t *testing.T, clusterName string, srcDir string) {
 	cloud.MockRoute53 = mockRoute53
 	mockRoute53.Zones = append(mockRoute53.Zones, &route53.HostedZone{
-		Id:   aws.String("123"),
+		Id:   aws.String("/hostedzone/Z1AFAKE1ZON3YO"),
 		Name: aws.String("example.com."),
 	})
 	mockEC2.Images = append(mockEC2.Images, &ec2.Image{
-		ImageId: aws.String("ami-12345"),
+		ImageId: aws.String("ami-12345678"),
 		Name:    aws.String("k8s-1.4-debian-jessie-amd64-hvm-ebs-2016-10-21"),
 		OwnerId: aws.String(awsup.WellKnownAccountKopeio),
 	})
diff --git a/tests/integration/minimal-141/kubernetes.tf b/tests/integration/minimal-141/kubernetes.tf
index 7fc6b18cab..9f5e148ad3 100644
--- a/tests/integration/minimal-141/kubernetes.tf
+++ b/tests/integration/minimal-141/kubernetes.tf
@@ -117,7 +117,7 @@ resource "aws_key_pair" "kubernetes-minimal-141-example-com-c4a6ed9aa889b9e2c39c
 resource "aws_launch_configuration" "master-us-test-1a-masters-minimal-141-example-com" {
   name_prefix = "master-us-test-1a.masters.minimal-141.example.com-"
-  image_id = "ami-12345"
+  image_id = "ami-12345678"
   instance_type = "m3.medium"
   key_name = "${aws_key_pair.kubernetes-minimal-141-example-com-c4a6ed9aa889b9e2c39cd663eb9c7157.id}"
   iam_instance_profile = "${aws_iam_instance_profile.masters-minimal-141-example-com.id}"
@@ -140,7 +140,7 @@ resource "aws_launch_configuration" "master-us-test-1a-masters-minimal-141-examp
 resource "aws_launch_configuration" "nodes-minimal-141-example-com" {
   name_prefix = "nodes.minimal-141.example.com-"
-  image_id = "ami-12345"
+  image_id = "ami-12345678"
   instance_type = "t2.medium"
   key_name = "${aws_key_pair.kubernetes-minimal-141-example-com-c4a6ed9aa889b9e2c39cd663eb9c7157.id}"
   iam_instance_profile = "${aws_iam_instance_profile.nodes-minimal-141-example-com.id}"
diff --git a/tests/integration/minimal/kubernetes.tf b/tests/integration/minimal/kubernetes.tf
index b6845711ae..579eb1bc6b 100644
--- a/tests/integration/minimal/kubernetes.tf
+++ b/tests/integration/minimal/kubernetes.tf
@@ -117,7 +117,7 @@ resource "aws_key_pair" "kubernetes-minimal-example-com-c4a6ed9aa889b9e2c39cd663
 resource "aws_launch_configuration" "master-us-test-1a-masters-minimal-example-com" {
   name_prefix = "master-us-test-1a.masters.minimal.example.com-"
-  image_id = "ami-12345"
+  image_id = "ami-12345678"
   instance_type = "m3.medium"
   key_name = "${aws_key_pair.kubernetes-minimal-example-com-c4a6ed9aa889b9e2c39cd663eb9c7157.id}"
   iam_instance_profile = "${aws_iam_instance_profile.masters-minimal-example-com.id}"
@@ -140,7 +140,7 @@ resource "aws_launch_configuration" "master-us-test-1a-masters-minimal-example-c
 resource "aws_launch_configuration" "nodes-minimal-example-com" {
   name_prefix = "nodes.minimal.example.com-"
-  image_id = "ami-12345"
+  image_id = "ami-12345678"
   instance_type = "t2.medium"
   key_name = "${aws_key_pair.kubernetes-minimal-example-com-c4a6ed9aa889b9e2c39cd663eb9c7157.id}"
   iam_instance_profile = "${aws_iam_instance_profile.nodes-minimal-example-com.id}"
diff --git a/tests/integration/privateweave/id_rsa.pub b/tests/integration/privateweave/id_rsa.pub
new file mode 100755
index 0000000000..81cb012783
--- /dev/null
+++ b/tests/integration/privateweave/id_rsa.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCtWu40XQo8dczLsCq0OWV+hxm9uV3WxeH9Kgh4sMzQxNtoU1pvW0XdjpkBesRKGoolfWeCLXWxpyQb1IaiMkKoz7MdhQ/6UKjMjP66aFWWp3pwD0uj0HuJ7tq4gKHKRYGTaZIRWpzUiANBrjugVgA+Sd7E/mYwc/DMXkIyRZbvhQ==
diff --git a/tests/integration/privateweave/in.yaml b/tests/integration/privateweave/in.yaml
new file mode 100644
index 0000000000..8d7f4f03ca
--- /dev/null
+++ b/tests/integration/privateweave/in.yaml
@@ -0,0 +1,78 @@
+apiVersion: kops/v1alpha1
+kind: Cluster
+metadata:
+  creationTimestamp: "2016-12-12T04:13:14Z"
+  name: privateweave.example.com
+spec:
+  adminAccess:
+  - 0.0.0.0/0
+  channel: stable
+  cloudProvider: aws
+  configBase: memfs://clusters.example.com/privateweave.example.com
+  etcdClusters:
+  - etcdMembers:
+    - name: us-test-1a
+      zone: us-test-1a
+    name: main
+  - etcdMembers:
+    - name: us-test-1a
+      zone: us-test-1a
+    name: events
+  kubernetesVersion: v1.4.6
+  masterInternalName: api.internal.privateweave.example.com
+  masterPublicName: api.privateweave.example.com
+  networkCIDR: 172.20.0.0/16
+  networking:
+    weave: {}
+  nonMasqueradeCIDR: 100.64.0.0/10
+  topology:
+    bastion:
+      enable: true
+      idleTimeout: 120
+      machineType: t2.medium
+    masters: private
+    nodes: private
+  zones:
+  - cidr: 172.20.32.0/19
+    name: us-test-1a
+    privateCIDR: 172.20.4.0/22
+
+---
+
+apiVersion: kops/v1alpha1
+kind: InstanceGroup
+metadata:
+  creationTimestamp: "2016-12-12T04:13:15Z"
+  name: master-us-test-1a
+  labels:
+    kops.k8s.io/cluster: privateweave.example.com
+spec:
+  associatePublicIp: true
+  image: kope.io/k8s-1.4-debian-jessie-amd64-hvm-ebs-2016-10-21
+  machineType: m3.medium
+  maxSize: 1
+  minSize: 1
+  role: Master
+  zones:
+  - us-test-1a
+
+---
+
+apiVersion: kops/v1alpha1
+kind: InstanceGroup
+metadata:
+  creationTimestamp: "2016-12-12T04:13:15Z"
+  name: nodes
+  labels:
+    kops.k8s.io/cluster: privateweave.example.com
+spec:
+  associatePublicIp: true
+  image: kope.io/k8s-1.4-debian-jessie-amd64-hvm-ebs-2016-10-21
+  machineType: t2.medium
+  maxSize: 2
+  minSize: 2
+  role: Node
+  zones:
+  - us-test-1a
+
+
diff --git a/tests/integration/privateweave/kubernetes.tf b/tests/integration/privateweave/kubernetes.tf
new file mode 100644
index 0000000000..f5ff0bd69f
--- /dev/null
+++ b/tests/integration/privateweave/kubernetes.tf
@@ -0,0 +1,529 @@ +resource "aws_autoscaling_attachment" "bastion-privateweave-example-com" { + elb = "${aws_elb.bastion-privateweave-example-com.id}" + autoscaling_group_name = "${aws_autoscaling_group.bastion-privateweave-example-com.id}" +} + +resource "aws_autoscaling_attachment" "master-us-test-1a-masters-privateweave-example-com" { + elb = "${aws_elb.api-privateweave-example-com.id}" + autoscaling_group_name = "${aws_autoscaling_group.master-us-test-1a-masters-privateweave-example-com.id}" +} + +resource "aws_autoscaling_group" "bastion-privateweave-example-com" { + name = "bastion.privateweave.example.com" + launch_configuration = "${aws_launch_configuration.bastion-privateweave-example-com.id}" + max_size = 1 + min_size = 1 + vpc_zone_identifier = ["${aws_subnet.private-us-test-1a-privateweave-example-com.id}"] + tag = { + key = "KubernetesCluster" + value = "privateweave.example.com" + propagate_at_launch = true + } + tag = { + key = "Name" + value = "bastion.privateweave.example.com" + propagate_at_launch = true + } +} + +resource "aws_autoscaling_group" "master-us-test-1a-masters-privateweave-example-com" { + name = "master-us-test-1a.masters.privateweave.example.com" + launch_configuration = "${aws_launch_configuration.master-us-test-1a-masters-privateweave-example-com.id}" + max_size = 1 + min_size = 1 + vpc_zone_identifier = ["${aws_subnet.private-us-test-1a-privateweave-example-com.id}"] + tag = { + key = "KubernetesCluster" + value = "privateweave.example.com" + propagate_at_launch = true + } + tag = { + key = "Name" + value = "master-us-test-1a.masters.privateweave.example.com" + propagate_at_launch = true + } + tag = { + key = "k8s.io/role/master" + value = "1" + propagate_at_launch = true + } +} + +resource "aws_autoscaling_group" "nodes-privateweave-example-com" { + name = "nodes.privateweave.example.com" + launch_configuration = "${aws_launch_configuration.nodes-privateweave-example-com.id}" + max_size = 2 + min_size = 2 + vpc_zone_identifier = 
["${aws_subnet.private-us-test-1a-privateweave-example-com.id}"] + tag = { + key = "KubernetesCluster" + value = "privateweave.example.com" + propagate_at_launch = true + } + tag = { + key = "Name" + value = "nodes.privateweave.example.com" + propagate_at_launch = true + } + tag = { + key = "k8s.io/role/node" + value = "1" + propagate_at_launch = true + } +} + +resource "aws_ebs_volume" "us-test-1a-etcd-events-privateweave-example-com" { + availability_zone = "us-test-1a" + size = 20 + type = "gp2" + encrypted = false + tags = { + KubernetesCluster = "privateweave.example.com" + Name = "us-test-1a.etcd-events.privateweave.example.com" + "k8s.io/etcd/events" = "us-test-1a/us-test-1a" + "k8s.io/role/master" = "1" + } +} + +resource "aws_ebs_volume" "us-test-1a-etcd-main-privateweave-example-com" { + availability_zone = "us-test-1a" + size = 20 + type = "gp2" + encrypted = false + tags = { + KubernetesCluster = "privateweave.example.com" + Name = "us-test-1a.etcd-main.privateweave.example.com" + "k8s.io/etcd/main" = "us-test-1a/us-test-1a" + "k8s.io/role/master" = "1" + } +} + +resource "aws_eip" "us-test-1a-privateweave-example-com" { + vpc = true +} + +resource "aws_elb" "api-privateweave-example-com" { + name = "api-privateweave" + listener = { + instance_port = 443 + instance_protocol = "TCP" + lb_port = 443 + lb_protocol = "TCP" + } + security_groups = ["${aws_security_group.api-elb-privateweave-example-com.id}"] + subnets = ["${aws_subnet.utility-us-test-1a-privateweave-example-com.id}"] + health_check = { + target = "TCP:443" + healthy_threshold = 2 + unhealthy_threshold = 2 + interval = 10 + timeout = 5 + } +} + +resource "aws_elb" "bastion-privateweave-example-com" { + name = "bastion-privateweave" + listener = { + instance_port = 22 + instance_protocol = "TCP" + lb_port = 22 + lb_protocol = "TCP" + } + security_groups = ["${aws_security_group.bastion-elb-privateweave-example-com.id}"] + subnets = 
["${aws_subnet.utility-us-test-1a-privateweave-example-com.id}"] + health_check = { + target = + healthy_threshold = + unhealthy_threshold = + interval = + timeout = + } +} + +resource "aws_iam_instance_profile" "masters-privateweave-example-com" { + name = "masters.privateweave.example.com" + roles = ["${aws_iam_role.masters-privateweave-example-com.name}"] +} + +resource "aws_iam_instance_profile" "nodes-privateweave-example-com" { + name = "nodes.privateweave.example.com" + roles = ["${aws_iam_role.nodes-privateweave-example-com.name}"] +} + +resource "aws_iam_role" "masters-privateweave-example-com" { + name = "masters.privateweave.example.com" + assume_role_policy = "${file("${path.module}/data/aws_iam_role_masters.privateweave.example.com_policy")}" +} + +resource "aws_iam_role" "nodes-privateweave-example-com" { + name = "nodes.privateweave.example.com" + assume_role_policy = "${file("${path.module}/data/aws_iam_role_nodes.privateweave.example.com_policy")}" +} + +resource "aws_iam_role_policy" "masters-privateweave-example-com" { + name = "masters.privateweave.example.com" + role = "${aws_iam_role.masters-privateweave-example-com.name}" + policy = "${file("${path.module}/data/aws_iam_role_policy_masters.privateweave.example.com_policy")}" +} + +resource "aws_iam_role_policy" "nodes-privateweave-example-com" { + name = "nodes.privateweave.example.com" + role = "${aws_iam_role.nodes-privateweave-example-com.name}" + policy = "${file("${path.module}/data/aws_iam_role_policy_nodes.privateweave.example.com_policy")}" +} + +resource "aws_internet_gateway" "privateweave-example-com" { + vpc_id = "${aws_vpc.privateweave-example-com.id}" + tags = { + KubernetesCluster = "privateweave.example.com" + Name = "privateweave.example.com" + } +} + +resource "aws_key_pair" "kubernetes-privateweave-example-com-c4a6ed9aa889b9e2c39cd663eb9c7157" { + key_name = "kubernetes.privateweave.example.com-c4:a6:ed:9a:a8:89:b9:e2:c3:9c:d6:63:eb:9c:71:57" + public_key = 
"${file("${path.module}/data/aws_key_pair_kubernetes.privateweave.example.com-c4a6ed9aa889b9e2c39cd663eb9c7157_public_key")}" +} + +resource "aws_launch_configuration" "bastion-privateweave-example-com" { + name_prefix = "bastion.privateweave.example.com-" + image_id = "ami-12345678" + instance_type = "t2.medium" + key_name = "${aws_key_pair.kubernetes-privateweave-example-com-c4a6ed9aa889b9e2c39cd663eb9c7157.id}" + iam_instance_profile = "${aws_iam_instance_profile.masters-privateweave-example-com.id}" + security_groups = ["${aws_security_group.bastion-privateweave-example-com.id}"] + associate_public_ip_address = false + root_block_device = { + volume_type = "gp2" + volume_size = 20 + delete_on_termination = true + } + lifecycle = { + create_before_destroy = true + } +} + +resource "aws_launch_configuration" "master-us-test-1a-masters-privateweave-example-com" { + name_prefix = "master-us-test-1a.masters.privateweave.example.com-" + image_id = "ami-12345678" + instance_type = "m3.medium" + key_name = "${aws_key_pair.kubernetes-privateweave-example-com-c4a6ed9aa889b9e2c39cd663eb9c7157.id}" + iam_instance_profile = "${aws_iam_instance_profile.masters-privateweave-example-com.id}" + security_groups = ["${aws_security_group.masters-privateweave-example-com.id}"] + associate_public_ip_address = false + user_data = "${file("${path.module}/data/aws_launch_configuration_master-us-test-1a.masters.privateweave.example.com_user_data")}" + root_block_device = { + volume_type = "gp2" + volume_size = 20 + delete_on_termination = true + } + ephemeral_block_device = { + device_name = "/dev/sdc" + virtual_name = "ephemeral0" + } + lifecycle = { + create_before_destroy = true + } +} + +resource "aws_launch_configuration" "nodes-privateweave-example-com" { + name_prefix = "nodes.privateweave.example.com-" + image_id = "ami-12345678" + instance_type = "t2.medium" + key_name = "${aws_key_pair.kubernetes-privateweave-example-com-c4a6ed9aa889b9e2c39cd663eb9c7157.id}" + 
iam_instance_profile = "${aws_iam_instance_profile.nodes-privateweave-example-com.id}" + security_groups = ["${aws_security_group.nodes-privateweave-example-com.id}"] + associate_public_ip_address = false + user_data = "${file("${path.module}/data/aws_launch_configuration_nodes.privateweave.example.com_user_data")}" + root_block_device = { + volume_type = "gp2" + volume_size = 20 + delete_on_termination = true + } + lifecycle = { + create_before_destroy = true + } +} + +resource "aws_nat_gateway" "us-test-1a-privateweave-example-com" { + allocation_id = "${aws_eip.us-test-1a-privateweave-example-com.id}" + subnet_id = "${aws_subnet.utility-us-test-1a-privateweave-example-com.id}" +} + +resource "aws_route" "private-us-test-1a-privateweave-example-com" { + route_table_id = "${aws_route_table.private-us-test-1a-privateweave-example-com.id}" + destination_cidr_block = "0.0.0.0/0" + nat_gateway_id = "${aws_nat_gateway.us-test-1a-privateweave-example-com.id}" +} + +resource "aws_route" "wan" { + route_table_id = "${aws_route_table.main-privateweave-example-com.id}" + destination_cidr_block = "0.0.0.0/0" + gateway_id = "${aws_internet_gateway.privateweave-example-com.id}" +} + +resource "aws_route53_record" "api-privateweave-example-com" { + name = "api.privateweave.example.com" + type = "A" + alias = { + name = "${aws_elb.api-privateweave-example-com.dns_name}" + zone_id = "${aws_elb.api-privateweave-example-com.zone_id}" + evaluate_target_health = false + } + zone_id = "/hostedzone/Z1AFAKE1ZON3YO" +} + +resource "aws_route_table" "main-privateweave-example-com" { + vpc_id = "${aws_vpc.privateweave-example-com.id}" + tags = { + KubernetesCluster = "privateweave.example.com" + Name = "main-privateweave.example.com" + } +} + +resource "aws_route_table" "private-us-test-1a-privateweave-example-com" { + vpc_id = "${aws_vpc.privateweave-example-com.id}" + tags = { + KubernetesCluster = "privateweave.example.com" + Name = "private-us-test-1a.privateweave.example.com" + } +} + 
+resource "aws_route_table_association" "main-us-test-1a-privateweave-example-com" { + subnet_id = "${aws_subnet.utility-us-test-1a-privateweave-example-com.id}" + route_table_id = "${aws_route_table.main-privateweave-example-com.id}" +} + +resource "aws_route_table_association" "private-us-test-1a-privateweave-example-com" { + subnet_id = "${aws_subnet.private-us-test-1a-privateweave-example-com.id}" + route_table_id = "${aws_route_table.private-us-test-1a-privateweave-example-com.id}" +} + +resource "aws_security_group" "api-elb-privateweave-example-com" { + name = "api-elb.privateweave.example.com" + vpc_id = "${aws_vpc.privateweave-example-com.id}" + description = "Security group for api ELB" + tags = { + KubernetesCluster = "privateweave.example.com" + Name = "api-elb.privateweave.example.com" + } +} + +resource "aws_security_group" "bastion-elb-privateweave-example-com" { + name = "bastion-elb.privateweave.example.com" + vpc_id = "${aws_vpc.privateweave-example-com.id}" + description = "Security group for bastion ELB" + tags = { + KubernetesCluster = "privateweave.example.com" + Name = "bastion-elb.privateweave.example.com" + } +} + +resource "aws_security_group" "bastion-privateweave-example-com" { + name = "bastion.privateweave.example.com" + vpc_id = "${aws_vpc.privateweave-example-com.id}" + description = "Security group for bastion" + tags = { + KubernetesCluster = "privateweave.example.com" + Name = "bastion.privateweave.example.com" + } +} + +resource "aws_security_group" "masters-privateweave-example-com" { + name = "masters.privateweave.example.com" + vpc_id = "${aws_vpc.privateweave-example-com.id}" + description = "Security group for masters" + tags = { + KubernetesCluster = "privateweave.example.com" + Name = "masters.privateweave.example.com" + } +} + +resource "aws_security_group" "nodes-privateweave-example-com" { + name = "nodes.privateweave.example.com" + vpc_id = "${aws_vpc.privateweave-example-com.id}" + description = "Security group for 
nodes" + tags = { + KubernetesCluster = "privateweave.example.com" + Name = "nodes.privateweave.example.com" + } +} + +resource "aws_security_group_rule" "all-bastion-to-master" { + type = "ingress" + security_group_id = "${aws_security_group.nodes-privateweave-example-com.id}" + source_security_group_id = "${aws_security_group.bastion-privateweave-example-com.id}" + from_port = 0 + to_port = 0 + protocol = "-1" +} + +resource "aws_security_group_rule" "all-master-to-master" { + type = "ingress" + security_group_id = "${aws_security_group.masters-privateweave-example-com.id}" + source_security_group_id = "${aws_security_group.masters-privateweave-example-com.id}" + from_port = 0 + to_port = 0 + protocol = "-1" +} + +resource "aws_security_group_rule" "all-master-to-node" { + type = "ingress" + security_group_id = "${aws_security_group.nodes-privateweave-example-com.id}" + source_security_group_id = "${aws_security_group.masters-privateweave-example-com.id}" + from_port = 0 + to_port = 0 + protocol = "-1" +} + +resource "aws_security_group_rule" "all-node-to-master" { + type = "ingress" + security_group_id = "${aws_security_group.masters-privateweave-example-com.id}" + source_security_group_id = "${aws_security_group.nodes-privateweave-example-com.id}" + from_port = 0 + to_port = 0 + protocol = "-1" +} + +resource "aws_security_group_rule" "all-node-to-node" { + type = "ingress" + security_group_id = "${aws_security_group.nodes-privateweave-example-com.id}" + source_security_group_id = "${aws_security_group.nodes-privateweave-example-com.id}" + from_port = 0 + to_port = 0 + protocol = "-1" +} + +resource "aws_security_group_rule" "api-elb-egress" { + type = "egress" + security_group_id = "${aws_security_group.api-elb-privateweave-example-com.id}" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] +} + +resource "aws_security_group_rule" "bastion-egress" { + type = "egress" + security_group_id = 
"${aws_security_group.nodes-privateweave-example-com.id}" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] +} + +resource "aws_security_group_rule" "bastion-elb-egress" { + type = "egress" + security_group_id = "${aws_security_group.bastion-elb-privateweave-example-com.id}" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] +} + +resource "aws_security_group_rule" "bastion-to-master" { + type = "ingress" + security_group_id = "${aws_security_group.masters-privateweave-example-com.id}" + source_security_group_id = "${aws_security_group.bastion-privateweave-example-com.id}" + from_port = 0 + to_port = 0 + protocol = "-1" +} + +resource "aws_security_group_rule" "https-api-elb" { + type = "ingress" + security_group_id = "${aws_security_group.api-elb-privateweave-example-com.id}" + from_port = 443 + to_port = 443 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] +} + +resource "aws_security_group_rule" "kube-proxy-api-elb" { + type = "ingress" + security_group_id = "${aws_security_group.masters-privateweave-example-com.id}" + source_security_group_id = "${aws_security_group.api-elb-privateweave-example-com.id}" + from_port = 443 + to_port = 443 + protocol = "tcp" +} + +resource "aws_security_group_rule" "master-egress" { + type = "egress" + security_group_id = "${aws_security_group.masters-privateweave-example-com.id}" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] +} + +resource "aws_security_group_rule" "node-egress" { + type = "egress" + security_group_id = "${aws_security_group.nodes-privateweave-example-com.id}" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] +} + +resource "aws_security_group_rule" "ssh-external-to-bastion" { + type = "ingress" + security_group_id = "${aws_security_group.bastion-privateweave-example-com.id}" + source_security_group_id = "${aws_security_group.bastion-elb-privateweave-example-com.id}" + from_port = 22 + to_port = 22 + 
protocol = "tcp" +} + +resource "aws_security_group_rule" "ssh-external-to-bastion-elb" { + type = "ingress" + security_group_id = "${aws_security_group.bastion-elb-privateweave-example-com.id}" + from_port = 22 + to_port = 22 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] +} + +resource "aws_subnet" "private-us-test-1a-privateweave-example-com" { + vpc_id = "${aws_vpc.privateweave-example-com.id}" + cidr_block = "172.20.4.0/22" + availability_zone = "us-test-1a" + tags = { + KubernetesCluster = "privateweave.example.com" + Name = "private-us-test-1a.privateweave.example.com" + } +} + +resource "aws_subnet" "utility-us-test-1a-privateweave-example-com" { + vpc_id = "${aws_vpc.privateweave-example-com.id}" + cidr_block = "172.20.32.0/19" + availability_zone = "us-test-1a" + tags = { + KubernetesCluster = "privateweave.example.com" + Name = "utility-us-test-1a.privateweave.example.com" + } +} + +resource "aws_vpc" "privateweave-example-com" { + cidr_block = "172.20.0.0/16" + enable_dns_hostnames = true + enable_dns_support = true + tags = { + KubernetesCluster = "privateweave.example.com" + Name = "privateweave.example.com" + } +} + +resource "aws_vpc_dhcp_options" "privateweave-example-com" { + domain_name = "us-test-1.compute.internal" + domain_name_servers = ["AmazonProvidedDNS"] + tags = { + KubernetesCluster = "privateweave.example.com" + Name = "privateweave.example.com" + } +} + +resource "aws_vpc_dhcp_options_association" "privateweave-example-com" { + vpc_id = "${aws_vpc.privateweave-example-com.id}" + dhcp_options_id = "${aws_vpc_dhcp_options.privateweave-example-com.id}" +} \ No newline at end of file
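Review bot: The golden output recorded for the private topology asserts several privilege assignments that look wrong for a bastion: `aws_launch_configuration.bastion-privateweave-example-com` is given `iam_instance_profile = "${aws_iam_instance_profile.masters-privateweave-example-com.id}"`, the `all-bastion-to-master` and `bastion-egress` rules are attached to the nodes security group rather than the bastion's, and `bastion-to-master` opens every port (`protocol = "-1"`) from the bastion to the masters. Because this file is what TestPrivateWeave compares against, those become the expected behaviour; if they are template bugs they should be fixed in the models before the fixture is recorded, and if intentional a comment in the topology template explaining why a bastion needs the masters role would help the next reader. Separately, the `bastion-privateweave-example-com` ELB's `health_check` block is emitted with empty values (`target = `, `healthy_threshold = `), which is not valid HCL, so the generator appears to write the block even when no health check is configured.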