# Create AWS VPC
resource "aws_vpc" "uptime_cluster_vpc" {
cidr_block = "172.240.0.0/16"
}
# Create a new VPC for the ALB
resource "aws_vpc" "alb_vpc" {
cidr_block = "10.0.0.0/16" # Adjust CIDR block as needed
tags = {
Name = "ALB VPC"
}
}
# Create Internet Gateway
resource "aws_internet_gateway" "uptime_igw" {
vpc_id = aws_vpc.uptime_cluster_vpc.id
}
# Create Route Table
resource "aws_route_table" "uptime_route_table" {
vpc_id = aws_vpc.uptime_cluster_vpc.id
route {
cidr_block = "0.0.0.0/0"
gateway_id = aws_internet_gateway.uptime_igw.id
}
}
# Create AWS Security Group for Kubernetes cluster nodes
resource "aws_security_group" "uptime_cluster_sg" {
name = var.cluster_sg_name
vpc_id = aws_vpc.uptime_cluster_vpc.id
ingress {
from_port = 80
to_port = 80
protocol = "tcp"
cidr_blocks = [aws_vpc.alb_vpc.cidr_block]
}
ingress {
from_port = 0
to_port = 0
protocol = "-1"
self = true
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}
# Create AWS Subnets for Kubernetes cluster
resource "aws_subnet" "subnet_abc123" {
vpc_id = aws_vpc.uptime_cluster_vpc.id
cidr_block = "172.240.0.0/17"
availability_zone = "ap-south-1a"
map_public_ip_on_launch = true
tags = {
"kubernetes.io/role/elb" = "1"
"kubernetes.io/cluster/uptime_cluster" = "shared"
"Name" = "eks-subnet-abc123"
}
}
resource "aws_subnet" "subnet_def456" {
vpc_id = aws_vpc.uptime_cluster_vpc.id
cidr_block = "172.240.128.0/26"
availability_zone = "ap-south-1b"
map_public_ip_on_launch = true
tags = {
"kubernetes.io/role/elb" = "1"
"kubernetes.io/cluster/uptime_cluster" = "shared"
"Name" = "eks-subnet-def456"
}
}
# Create subnets for the ALB VPC
resource "aws_subnet" "alb_subnet_a" {
vpc_id = aws_vpc.alb_vpc.id
cidr_block = "10.0.1.0/24" # Adjust CIDR block as needed
availability_zone = "ap-south-1a" # Adjust availability zone as needed
tags = {
Name = "ALB Subnet A"
}
}
resource "aws_subnet" "alb_subnet_b" {
vpc_id = aws_vpc.alb_vpc.id
cidr_block = "10.0.2.0/24" # Adjust CIDR block as needed
availability_zone = "ap-south-1b" # Adjust availability zone as needed
tags = {
Name = "ALB Subnet B"
}
}
# Create VPC peering connection from VPC1 to VPC2
resource "aws_vpc_peering_connection" "cluster_to_alb_peering" {
peer_vpc_id = aws_vpc.alb_vpc.id
vpc_id = aws_vpc.uptime_cluster_vpc.id
# auto_accept = true # Automatically accept peering connection
peer_region = "ap-south-1" # Adjust region as needed
tags = {
Name = "Cluster to ALB Peering"
}
}
# Create route table for ALB VPC
resource "aws_route_table" "alb_route_table" {
vpc_id = aws_vpc.alb_vpc.id
}
# Create route from ALB VPC to Cluster VPC via peering connection
resource "aws_route" "alb_to_cluster_route" {
route_table_id = aws_route_table.alb_route_table.id
destination_cidr_block = aws_vpc.uptime_cluster_vpc.cidr_block
vpc_peering_connection_id = aws_vpc_peering_connection.cluster_to_alb_peering.id
}
# Associate Subnets with Route Table
resource "aws_route_table_association" "subnet_abc123_association" {
subnet_id = aws_subnet.subnet_abc123.id
route_table_id = aws_route_table.uptime_route_table.id
}
resource "aws_route_table_association" "subnet_def456_association" {
subnet_id = aws_subnet.subnet_def456.id
route_table_id = aws_route_table.uptime_route_table.id
}
resource "aws_eks_cluster" "uptime_cluster" {
name = "uptime_cluster"
role_arn = aws_iam_role.my_eks_cluster_role.arn
vpc_config {
subnet_ids = [aws_subnet.subnet_abc123.id, aws_subnet.subnet_def456.id] # Specify your subnet IDs
security_group_ids = [aws_security_group.uptime_cluster_sg.id] # Specify your security group ID
endpoint_public_access = true
endpoint_private_access = true
}
tags = {
Environment = "Test"
}
}
resource "aws_iam_role" "my_eks_cluster_role" {
name = "my-eks-cluster-role"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "eks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
}
resource "aws_iam_role_policy_attachment" "eks_cluster_policy" {
role = aws_iam_role.my_eks_cluster_role.name
policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
}
resource "aws_eks_node_group" "webapp_server" {
cluster_name = aws_eks_cluster.uptime_cluster.name
node_group_name = "webapp-server"
node_role_arn = aws_iam_role.my_node_group_role.arn
subnet_ids = [aws_subnet.subnet_abc123.id]
scaling_config {
desired_size = 1
min_size = 1
max_size = 2
}
instance_types = ["t2.small"]
labels = { "app-stack" = "webapp-server" }
tags = {
Environment = "Production"
}
}
resource "aws_eks_node_group" "connector" {
cluster_name = aws_eks_cluster.uptime_cluster.name
node_group_name = "connector"
node_role_arn = aws_iam_role.my_node_group_role.arn
subnet_ids = [aws_subnet.subnet_abc123.id]
scaling_config {
desired_size = 1
min_size = 1
max_size = 1
}
instance_types = ["t2.small"]
labels = { "app-stack" = "connector" }
tags = {
Environment = "Production"
}
}
resource "aws_eks_node_group" "db" {
cluster_name = aws_eks_cluster.uptime_cluster.name
node_group_name = "database"
node_role_arn = aws_iam_role.my_node_group_role.arn
subnet_ids = [aws_subnet.subnet_abc123.id]
scaling_config {
desired_size = 2
min_size = 2
max_size = 2
}
instance_types = ["t2.medium"]
labels = { "app-stack" = "db" }
tags = {
Environment = "Production"
}
}
resource "aws_eks_node_group" "ml_mw_v" {
cluster_name = aws_eks_cluster.uptime_cluster.name
node_group_name = "mlmwv"
node_role_arn = aws_iam_role.my_node_group_role.arn
subnet_ids = [aws_subnet.subnet_abc123.id]
scaling_config {
desired_size = 1
min_size = 1
max_size = 1
}
instance_types = ["t2.medium"]
labels = { "app-stack" = "ml-mw-v" }
tags = {
Environment = "Production"
}
}
resource "aws_eks_node_group" "ml_prediction_engine_kafka" {
cluster_name = aws_eks_cluster.uptime_cluster.name
node_group_name = "ml-prediction-engine-kafka"
node_role_arn = aws_iam_role.my_node_group_role.arn
subnet_ids = [aws_subnet.subnet_abc123.id]
scaling_config {
desired_size = 1
min_size = 1
max_size = 1
}
instance_types = ["t2.medium"]
labels = { "app-stack" = "ml-prediction-engine-kafka" }
tags = {
Environment = "Production"
}
}
resource "aws_iam_role" "my_node_group_role" {
name = "my-node-group-role"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
}
resource "aws_iam_role_policy_attachment" "eks_worker_node_policy" {
role = aws_iam_role.my_node_group_role.name
policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
}
resource "aws_iam_role_policy_attachment" "eks_cni_policy" {
role = aws_iam_role.my_node_group_role.name
policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
}
resource "aws_iam_role_policy_attachment" "ec2_container_registry_read_only" {
role = aws_iam_role.my_node_group_role.name
policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
}
resource "aws_iam_role_policy_attachment" "AmazonEBSCSIDriverPolicy" {
role = aws_iam_role.my_node_group_role.name
policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
}
resource "aws_iam_role_policy_attachment" "ElasticLoadBalancingFullAccess" {
role = aws_iam_role.my_node_group_role.name
policy_arn = "arn:aws:iam::aws:policy/ElasticLoadBalancingFullAccess"
}
data "aws_caller_identity" "current" {}
resource "aws_iam_policy" "create_security_group_policy" {
name = "CreateSecurityGroupPolicy"
description = "Allows creating security groups in a specific VPC"
policy = jsonencode({
"Version": "2012-10-17",
"Statement": [
{
Effect = "Allow",
Action = [
"ec2:CreateSecurityGroup",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSecurityGroupRules",
"ec2:DescribeTags",
"ec2:CreateTags",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:RevokeSecurityGroupEgress",
"ec2:ModifySecurityGroupRules",
"ec2:UpdateSecurityGroupRuleDescriptionsIngress",
"ec2:UpdateSecurityGroupRuleDescriptionsEgress"
],
Resource = "*"
},
{
Effect = "Allow",
Action = [
"wafv2:GetWebACL",
"wafv2:GetWebACLForResource",
"wafv2:AssociateWebACL",
"wafv2:DisassociateWebACL",
"waf-regional:GetWebACLForResource",
"waf-regional:GetWebACL",
"waf-regional:AssociateWebACL",
"waf-regional:DisassociateWebACL"
],
Resource = "*"
}
]
})
}
resource "aws_iam_policy_attachment" "attach_create_security_group_policy" {
name = "AttachCreateSecurityGroupPolicy"
roles = [aws_iam_role.my_node_group_role.name] # Replace with your IAM role name
policy_arn = aws_iam_policy.create_security_group_policy.arn
}
# Create security group for ALB
resource "aws_security_group" "alb_security_group" {
name = "alb-security-group"
description = "Security group for ALB"
vpc_id = aws_vpc.alb_vpc.id
# Define ingress and egress rules as needed
# Example:
# ingress {
# from_port = 80
# to_port = 80
# protocol = "tcp"
# cidr_blocks = ["0.0.0.0/0"]
# }
ingress {
from_port = 80
to_port = 80
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
# ingress {
# from_port = 0
# to_port = 0
# protocol = "-1"
# self = true
# }
egress {
from_port = 0
to_port = 0
protocol = "tcp"
security_groups = ["0.0.0.0/0"] # Assuming uptime_cluster_sg is your EKS cluster nodes security group
}
}
# alb controller
resource "helm_release" "alb_controller" {
name = "alb-controller"
chart = "aws-load-balancer-controller"
repository = "https://aws.github.io/eks-charts"
version = "1.4.6"
# Set values for the ALB controller
set {
name = "autoDiscoverAwsRegion"
value = "true"
}
set {
name = "autoDiscoverAwsVpcID"
value = aws_vpc.alb_vpc.id
}
set {
name = "clusterName"
value = aws_eks_cluster.uptime_cluster.name
}
# Define namespace for the ALB controller
namespace = "kube-system"
}
# Update security group for EKS cluster nodes to allow traffic from ALB
resource "aws_security_group_rule" "allow_alb_ingress" {
type = "ingress"
from_port = 80 # Adjust port as needed
to_port = 80 # Adjust port as needed
protocol = "tcp"
security_group_id = aws_security_group.uptime_cluster_sg.id
source_security_group_id = aws_security_group.alb_security_group.id
}
# Update Network ACL for VPC1 (Cluster VPC)
resource "aws_network_acl_rule" "allow_alb_traffic_inbound" {
network_acl_id = aws_vpc.uptime_cluster_vpc.default_network_acl_id
rule_number = 200
protocol = "tcp"
rule_action = "allow"
cidr_block = aws_vpc.alb_vpc.cidr_block
from_port = 80 # Adjust port as needed
to_port = 80 # Adjust port as needed
egress = false
}
resource "aws_network_acl_rule" "allow_alb_traffic_outbound" {
network_acl_id = aws_vpc.uptime_cluster_vpc.default_network_acl_id
rule_number = 200
protocol = "tcp"
rule_action = "allow"
cidr_block = aws_vpc.alb_vpc.cidr_block
from_port = 80 # Adjust port as needed
to_port = 80 # Adjust port as needed
egress = true
}
# Update Network ACL for VPC2 (ALB VPC)
resource "aws_network_acl_rule" "allow_cluster_traffic_inbound" {
network_acl_id = aws_vpc.alb_vpc.default_network_acl_id
rule_number = 200
protocol = "tcp"
rule_action = "allow"
cidr_block = aws_vpc.uptime_cluster_vpc.cidr_block
from_port = 80 # Adjust port as needed
to_port = 80 # Adjust port as needed
egress = false
}
resource "aws_network_acl_rule" "allow_cluster_traffic_outbound" {
network_acl_id = aws_vpc.alb_vpc.default_network_acl_id
rule_number = 200
protocol = "tcp"
rule_action = "allow"
cidr_block = aws_vpc.uptime_cluster_vpc.cidr_block
from_port = 80 # Adjust port as needed
to_port = 80 # Adjust port as needed
egress = true
}
I am very new to terraform and I want to know what am I doing wrong here. I am getting either this error:
Error: updating Security Group (sg-01dcb42f28f9db43c) egress rules: authorizing Security Group (egress) rules: InvalidGroupId.Malformed: Invalid id: "0" (expecting "sg-...")
│ status code: 400, request id: 7105f8cd-2d35-4542-9974-8a7af704672c
│
│ with aws_security_group.alb_security_group,
│ on main.tf line 327, in resource "aws_security_group" "alb_security_group":
│ 327: resource "aws_security_group" "alb_security_group" {
or I am unable to properly apply my ingress file.
Also when I do kubectl get deployment -n kube-system I am unable to see the load balancer. (It is not visible in aws ec2 load balancer section as well)
What am I doing wrong here? Or am I completely wrong with my approach?