dungpham91 · dungpham91 · Jan 16, 2025 · Jan 16, 2025 · Jan 16, 2025 · Jan 16, 2025
diff --git a/.github/workflows/create-backend.yml b/.github/workflows/create-backend.yml
@@ -0,0 +1,55 @@
+name: Create Backend S3 Bucket
+
+on:
+  workflow_dispatch:
+
+permissions: read-all
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  AWS_REGION: us-east-1
+  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+
+jobs:
+  create-backend:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Comment backend block
+        run: sed -i '/backend "s3"/,/}/s/^/# /' backend/main.tf
+
+      - name: Set up Terraform
+        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
+        with:
+          terraform_version: '1.10.4'
+
+      - name: Terraform apply
+        run: |
+          cd backend
+          terraform init
+          terraform apply -auto-approve
+
+      - name: Uncomment backend block
+        run: sed -i '/backend "s3"/,/}/s/^# //' backend/main.tf
+
+      - name: Migrate state to S3 bucket
+        run: terraform init -migrate-state
+
+  slack-notify:
+    needs:
+      - create-backend
+    if: always()
+    runs-on: ubuntu-latest
+    steps:
+       - name: Slack notification
+         uses: come25136/workflow-notification-for-slack@main
+         with:
+           repo_token: ${{ secrets.GITHUB_TOKEN }}
+           slack_webhook_url: ${{ secrets.SLACK_WEBHOOK_URL }}
diff --git a/env/dev/backend.tf b/env/dev/backend.tf
@@ -0,0 +1,21 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "5.83.1"
+    }
+
+    tls = {
+      source  = "hashicorp/tls"
+      version = "4.0.6"
+    }
+  }
+
+  backend "s3" {
+    bucket         = "devopslite-tf-state"
+    key            = "dev/terraform.tfstate"
+    region         = "us-east-1"
+    encrypt        = true
+    dynamodb_table = "devopslite-tf-state"
+  }
+}
diff --git a/env/dev/main.tf b/env/dev/main.tf
@@ -0,0 +1,120 @@
+provider "aws" {
+  region = var.aws_region
+}
+
+module "vpc" {
+  source               = "../../modules/vpc"
+  aws_region           = var.aws_region
+  default_tags         = var.default_tags
+  project              = var.project
+  environment          = var.environment
+  private_subnets_cidr = var.private_subnets_cidr
+  public_subnets_cidr  = var.public_subnets_cidr
+  vpc_cidr             = var.vpc_cidr
+}
+
+module "vpc_endpoint" {
+  source          = "../../modules/vpc-endpoint"
+  aws_region      = var.aws_region
+  default_tags    = var.default_tags
+  project         = var.project
+  environment     = var.environment
+  private_subnets = module.vpc.aws_subnets_private
+  route_table_ids = [module.vpc.private_route_table]
+  vpc_cidr        = [module.vpc.cidr_block]
+  vpc_id          = module.vpc.vpc_id
+
+  depends_on = [module.vpc]
+}
+
+module "kms" {
+  source       = "../../modules/kms"
+  default_tags = var.default_tags
+  project      = var.project
+  environment  = var.environment
+}
+
+module "ssm" {
+  source      = "../../modules/ssm"
+  project     = var.project
+  environment = var.environment
+}
+
+module "bastion" {
+  source                        = "../../modules/bastion"
+  default_tags                  = var.default_tags
+  project                       = var.project
+  environment                   = var.environment
+  ami_id                        = var.bastion_ami_id
+  bastion_instance_profile_name = module.ssm.ssm_instance_profile_name
+  instance_type                 = var.bation_instance_type
+  private_subnet_id             = module.vpc.aws_subnets_private[0]
+  vpc_cidr                      = [module.vpc.cidr_block]
+  vpc_id                        = module.vpc.vpc_id
+
+  depends_on = [
+    module.vpc,
+    module.ssm
+  ]
+}
+
+module "ecr_fe" {
+  source          = "../../modules/ecr"
+  default_tags    = var.default_tags
+  project         = var.project
+  environment     = var.environment
+  kms_key_arn     = module.kms.kms_arn
+  repository_name = "devopslite-fe"
+
+  depends_on = [module.kms]
+}
+
+module "ecr_be" {
+  source          = "../../modules/ecr"
+  default_tags    = var.default_tags
+  project         = var.project
+  environment     = var.environment
+  kms_key_arn     = module.kms.kms_arn
+  repository_name = "devopslite-be"
+
+  depends_on = [module.kms]
+}
+
+module "eks" {
+  source                      = "../../modules/eks"
+  default_tags                = var.default_tags
+  project                     = var.project
+  environment                 = var.environment
+  bastion_sg_id               = module.bastion.bastion_sg_id
+  vpc_id                      = module.vpc.vpc_id
+  vpc_cidr                    = [module.vpc.cidr_block]
+  private_subnets             = module.vpc.aws_subnets_private
+  eks_cluster_version         = var.eks_cluster_version
+  kms_key_arn                 = module.kms.kms_arn
+  custom_ami_id               = var.custom_ami_id
+  node_group_name             = var.node_group_name
+  node_capacity_type          = var.node_capacity_type
+  node_instance_type          = var.node_instance_type
+  node_group_desired_capacity = var.node_group_desired_capacity
+  node_group_min_size         = var.node_group_min_size
+  node_group_max_size         = var.node_group_max_size
+
+  depends_on = [
+    module.vpc,
+    module.kms,
+    module.bastion
+  ]
+}
+
+module "eks_access" {
+  source            = "../../modules/eks-access"
+  project           = var.project
+  environment       = var.environment
+  access_entry_type = var.access_entry_type
+  access_scope_type = var.access_scope_type
+  kubernetes_groups = var.kubernetes_groups
+  policy_arn        = var.policy_arn
+  principal_arn     = var.principal_arn
+
+  depends_on = [module.eks]
+}
diff --git a/env/dev/outputs.tf b/env/dev/outputs.tf
@@ -0,0 +1,34 @@
+output "eks_cluster_endpoint" {
+  description = "The endpoint for the EKS cluster."
+  value       = module.eks.eks_cluster_endpoint
+}
+
+output "eks_cluster_id" {
+  description = "The ID of the EKS cluster."
+  value       = module.eks.eks_cluster_id
+}
+
+output "eks_cluster_oidc_issuer_url" {
+  description = "The OIDC issuer URL for the EKS cluster."
+  value       = module.eks.eks_cluster_oidc_issuer_url
+}
+
+output "eks_cluster_security_group_id" {
+  description = "The security group ID for the EKS cluster."
+  value       = module.eks.eks_cluster_security_group_id
+}
+
+output "eks_cluster_serviceaccount_role_arn" {
+  description = "The ARN of the IAM role used by service accounts in the EKS cluster."
+  value       = module.eks.eks_cluster_serviceaccount_role_arn
+}
+
+output "eks_node_group_arn" {
+  description = "The ARN of the EKS node group."
+  value       = module.eks.eks_node_group_arn
+}
+
+output "eks_node_group_role_arn" {
+  description = "The ARN of the IAM role used by the EKS node group."
+  value       = module.eks.eks_node_group_role_arn
+}
diff --git a/env/dev/variables.tf b/env/dev/variables.tf
@@ -0,0 +1,131 @@
+variable "access_entry_type" {
+  description = "Type of access entry (STANDARD, EC2, EC2_LINUX, EC2_WINDOWS, FARGATE_LINUX)"
+  type        = string
+  default     = "STANDARD"
+}
+
+variable "access_scope_type" {
+  description = "Type of access scope (namespace or cluster)"
+  type        = string
+  default     = "cluster"
+}
+
+variable "aws_region" {
+  type    = string
+  default = "us-east-1"
+}
+
+variable "bastion_ami_id" {
+  description = "AMI ID for Bastion Host"
+  type        = string
+  default     = "ami-05576a079321f21f8" # Amazon Linux 2023 AMI
+}
+
+variable "bation_instance_type" {
+  description = "Instance type for bastion host"
+  type        = string
+  default     = "t3.micro"
+}
+
+variable "custom_ami_id" {
+  description = "Custom AMI ID for EKS nodes"
+  type        = string
+  default     = "ami-0e28a3d4672edb444" # Get ID after Packer builds AMI
+}
+
+variable "default_tags" {
+  type = map(string)
+  default = {
+    Environment = "dev"
+    Provisioner = "terraform"
+    Project     = "devopslite"
+  }
+}
+
+variable "eks_cluster_version" {
+  description = "Kubernetes version for the EKS cluster"
+  type        = string
+  default     = "1.31"
+}
+
+variable "environment" {
+  type    = string
+  default = "dev"
+}
+
+variable "kubernetes_groups" {
+  description = "List of Kubernetes groups to grant access to the EKS cluster"
+  type        = list(string)
+  default     = ["admin"]
+}
+
+variable "node_capacity_type" {
+  description = "Capacity type for the EKS node group (ON_DEMAND or SPOT)"
+  type        = string
+  default     = "ON_DEMAND"
+}
+
+variable "node_group_desired_capacity" {
+  description = "Desired number of nodes in the EKS node group"
+  type        = number
+  default     = 2
+}
+
+variable "node_group_max_size" {
+  description = "Maximum number of nodes in the EKS node group"
+  type        = number
+  default     = 3
+}
+
+variable "node_group_min_size" {
+  description = "Minimum number of nodes in the EKS node group"
+  type        = number
+  default     = 1
+}
+
+variable "node_group_name" {
+  description = "Name of the EKS node group"
+  type        = string
+  default     = "ng"
+}
+
+variable "node_instance_type" {
+  description = "Instance type for the EKS nodes"
+  type        = string
+  default     = "t3.small"
+}
+
+variable "policy_arn" {
+  description = "ARN of the IAM policy to associate with the principal"
+  type        = string
+  default     = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
+}
+
+variable "principal_arn" {
+  description = "ARN of the principal to grant access to the EKS cluster"
+  type        = string
+  default     = null
+}
+
+variable "private_subnets_cidr" {
+  description = "CIDR blocks for the private subnets"
+  type        = list(string)
+  default     = ["172.16.10.0/24", "172.16.20.0/24", "172.16.30.0/24"]
+}
+
+variable "project" {
+  type    = string
+  default = "devopslite"
+}
+
+variable "public_subnets_cidr" {
+  description = "CIDR blocks for the public subnets"
+  type        = list(string)
+  default     = ["172.16.1.0/24", "172.16.2.0/24", "172.16.3.0/24"]
+}
+
+variable "vpc_cidr" {
+  description = "CIDR block for the VPC"
+  type        = string
+  default     = "172.16.0.0/16"
+}