🐳 📦 🚀 - Terraform template for a production-ready EKS Cluster and Istio Service Mesh

msfidelis/eks-with-istio

# Welcome to EKS with Istio Setup with Terraform 👋

License: MIT. Twitter: fidelissauro

## Terraform Versions Compatibility

Compatible with Terraform 0.13, 0.14, 0.15, 1.0.0 and 1.1.0.

(Figure: cluster topology diagram)

## Requirements

| Name | Version |
|---|---|
| aws | >= 5.0 |
| helm | ~> 2.0 |
| kubectl | ~> 1.14 |
| kubernetes | ~> 2.0 |
| tls | ~> 3.1.0 |

## Providers

| Name | Version |
|---|---|
| aws | 5.61.0 |
| helm | 2.14.0 |
| kubectl | 1.14.0 |
| kubernetes | 2.31.0 |
| tls | 3.1.0 |

## Modules

No modules.

## Resources

| Name | Type |
|---|---|
| aws_api_gateway_vpc_link.nlb | resource |
| aws_cloudwatch_event_rule.karpenter_termination_handler_instance_terminate | resource |
| aws_cloudwatch_event_rule.karpenter_termination_handler_rebalance | resource |
| aws_cloudwatch_event_rule.karpenter_termination_handler_scheduled_change | resource |
| aws_cloudwatch_event_rule.karpenter_termination_handler_spot_termination | resource |
| aws_cloudwatch_event_rule.karpenter_termination_handler_state_change | resource |
| aws_cloudwatch_event_rule.node_termination_handler_instance_terminate | resource |
| aws_cloudwatch_event_rule.node_termination_handler_rebalance | resource |
| aws_cloudwatch_event_rule.node_termination_handler_scheduled_change | resource |
| aws_cloudwatch_event_rule.node_termination_handler_spot_termination | resource |
| aws_cloudwatch_event_rule.node_termination_handler_state_change | resource |
| aws_cloudwatch_event_target.karpenter_termination_handler_instance_terminate | resource |
| aws_cloudwatch_event_target.karpenter_termination_handler_rebalance | resource |
| aws_cloudwatch_event_target.karpenter_termination_handler_scheduled_change | resource |
| aws_cloudwatch_event_target.karpenter_termination_handler_spot_termination | resource |
| aws_cloudwatch_event_target.karpenter_termination_handler_state_change | resource |
| aws_cloudwatch_event_target.node_termination_handler_instance_terminate | resource |
| aws_cloudwatch_event_target.node_termination_handler_rebalance | resource |
| aws_cloudwatch_event_target.node_termination_handler_scheduled_change | resource |
| aws_cloudwatch_event_target.node_termination_handler_spot_termination | resource |
| aws_cloudwatch_event_target.node_termination_handler_state_change | resource |
| aws_cloudwatch_log_group.prometheus | resource |
| aws_eip.vpc_iep | resource |
| aws_eks_addon.cni | resource |
| aws_eks_addon.coredns | resource |
| aws_eks_addon.csi_driver | resource |
| aws_eks_addon.kubeproxy | resource |
| aws_eks_cluster.main | resource |
| aws_eks_node_group.main | resource |
| aws_grafana_workspace.grafana | resource |
| aws_iam_instance_profile.nodes | resource |
| aws_iam_openid_connect_provider.eks | resource |
| aws_iam_policy.aws_load_balancer_controller_policy | resource |
| aws_iam_policy.aws_node_termination_handler_policy | resource |
| aws_iam_policy.cluster_autoscaler_policy | resource |
| aws_iam_policy.csi_driver | resource |
| aws_iam_policy.karpenter_policy | resource |
| aws_iam_policy.keda_policy | resource |
| aws_iam_policy.managed_prometheus_policy | resource |
| aws_iam_policy_attachment.aws_load_balancer_controller_policy | resource |
| aws_iam_policy_attachment.aws_node_termination_handler_policy | resource |
| aws_iam_policy_attachment.cluster_autoscaler | resource |
| aws_iam_policy_attachment.csi_driver | resource |
| aws_iam_policy_attachment.karpenter_policy | resource |
| aws_iam_policy_attachment.keda | resource |
| aws_iam_policy_attachment.managed_prometheus_policy | resource |
| aws_iam_role.alb_controller | resource |
| aws_iam_role.aws_node_termination_handler_role | resource |
| aws_iam_role.cluster_autoscaler_role | resource |
| aws_iam_role.eks_cluster_role | resource |
| aws_iam_role.eks_nodes_roles | resource |
| aws_iam_role.grafana | resource |
| aws_iam_role.karpenter_role | resource |
| aws_iam_role.keda_role | resource |
| aws_iam_role.managed_prometheus_role | resource |
| aws_iam_role_policy_attachment.cloudwatch | resource |
| aws_iam_role_policy_attachment.cni | resource |
| aws_iam_role_policy_attachment.ecr | resource |
| aws_iam_role_policy_attachment.eks-cluster-cluster | resource |
| aws_iam_role_policy_attachment.eks-cluster-service | resource |
| aws_iam_role_policy_attachment.node | resource |
| aws_iam_role_policy_attachment.ssm | resource |
| aws_internet_gateway.gw | resource |
| aws_kms_alias.eks | resource |
| aws_kms_key.eks | resource |
| aws_launch_template.karpenter | resource |
| aws_lb.ingress | resource |
| aws_lb_listener.ingress_443 | resource |
| aws_lb_listener.ingress_80 | resource |
| aws_lb_target_group.http | resource |
| aws_lb_target_group.https | resource |
| aws_nat_gateway.nat | resource |
| aws_prometheus_workspace.main | resource |
| aws_route.nat_access | resource |
| aws_route.public_internet_access | resource |
| aws_route53_record.nlb | resource |
| aws_route53_zone.private | resource |
| aws_route_table.igw_route_table | resource |
| aws_route_table.nat | resource |
| aws_route_table_association.pods_1a | resource |
| aws_route_table_association.pods_1b | resource |
| aws_route_table_association.pods_1c | resource |
| aws_route_table_association.private1a | resource |
| aws_route_table_association.private1b | resource |
| aws_route_table_association.private1c | resource |
| aws_route_table_association.public_1a | resource |
| aws_route_table_association.public_1b | resource |
| aws_route_table_association.public_1c | resource |
| aws_security_group.cluster_nodes_sg | resource |
| aws_security_group.cluster_sg | resource |
| aws_security_group_rule.cluster_ingress_https | resource |
| aws_security_group_rule.nodeport | resource |
| aws_security_group_rule.nodeport_cluster | resource |
| aws_security_group_rule.nodeport_cluster_udp | resource |
| aws_sqs_queue.karpenter_termination_handler | resource |
| aws_sqs_queue.node_termination_handler | resource |
| aws_sqs_queue_policy.karpenter_termination_handler | resource |
| aws_sqs_queue_policy.node_termination_handler | resource |
| aws_subnet.pods_subnet_1a | resource |
| aws_subnet.pods_subnet_1b | resource |
| aws_subnet.pods_subnet_1c | resource |
| aws_subnet.private_subnet_1a | resource |
| aws_subnet.private_subnet_1b | resource |
| aws_subnet.private_subnet_1c | resource |
| aws_subnet.public_subnet_1a | resource |
| aws_subnet.public_subnet_1b | resource |
| aws_subnet.public_subnet_1c | resource |
| aws_vpc.cluster_vpc | resource |
| aws_vpc_ipv4_cidr_block_association.pods | resource |
| helm_release.alb_ingress_controller | resource |
| helm_release.argo_rollouts | resource |
| helm_release.chaos_mesh | resource |
| helm_release.cluster_autoscaler | resource |
| helm_release.descheduler | resource |
| helm_release.istio_base | resource |
| helm_release.istio_ingress | resource |
| helm_release.istiod | resource |
| helm_release.jaeger | resource |
| helm_release.karpenter | resource |
| helm_release.keda | resource |
| helm_release.kiali-server | resource |
| helm_release.kube_state_metrics | resource |
| helm_release.managed_prometheus | resource |
| helm_release.metrics_server | resource |
| helm_release.node_termination_handler | resource |
| helm_release.prometheus | resource |
| kubectl_manifest.grafana_gateway | resource |
| kubectl_manifest.grafana_service | resource |
| kubectl_manifest.istio_target_group_binding_http | resource |
| kubectl_manifest.istio_target_group_binding_https | resource |
| kubectl_manifest.jaeger_gateway | resource |
| kubectl_manifest.jaeger_virtual_service | resource |
| kubectl_manifest.karpenter_node_class | resource |
| kubectl_manifest.karpenter_node_pool | resource |
| kubectl_manifest.kiali_gateway | resource |
| kubectl_manifest.kiali_virtual_service | resource |
| kubectl_manifest.rollouts_gateway | resource |
| kubectl_manifest.rollouts_virtual_service | resource |
| kubernetes_config_map.aws-auth | resource |
| aws_caller_identity.current | data source |
| aws_eks_cluster_auth.default | data source |
| aws_iam_policy_document.aws_load_balancer_controller_assume_role | data source |
| aws_iam_policy_document.aws_load_balancer_controller_policy | data source |
| aws_iam_policy_document.aws_node_termination_handler_policy | data source |
| aws_iam_policy_document.aws_node_termination_handler_role | data source |
| aws_iam_policy_document.cluster_autoscaler_policy | data source |
| aws_iam_policy_document.cluster_autoscaler_role | data source |
| aws_iam_policy_document.csi_driver | data source |
| aws_iam_policy_document.eks_cluster_role | data source |
| aws_iam_policy_document.eks_nodes_role | data source |
| aws_iam_policy_document.karpenter_policy | data source |
| aws_iam_policy_document.karpenter_role | data source |
| aws_iam_policy_document.keda_policy | data source |
| aws_iam_policy_document.keda_role | data source |
| aws_iam_policy_document.managed_prometheus_policy | data source |
| aws_iam_policy_document.managed_prometheus_role | data source |
| aws_ssm_parameter.eks | data source |
| tls_certificate.eks | data source |

## Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| addon_cni_version | Specifies the version of the AWS VPC CNI (Container Network Interface) plugin to use, which manages the network interfaces for pod networking. | string | `"v1.18.3-eksbuild.2"` | no |
| addon_coredns_version | Defines the version of CoreDNS to use, a DNS server/forwarder that is integral to internal Kubernetes DNS resolution. | string | `"v1.11.3-eksbuild.1"` | no |
| addon_csi_version | Indicates the version of the Container Storage Interface (CSI) driver to use for managing storage volumes in Kubernetes. | string | `"v1.35.0-eksbuild.1"` | no |
| addon_kubeproxy_version | Sets the version of kube-proxy to be used, which handles Kubernetes network services such as forwarding requests to the correct containers. | string | `"v1.31.0-eksbuild.5"` | no |
| argo_rollouts_toggle | Enables the installation of Argo Rollouts, providing advanced deployment strategies like Canary and Blue-Green deployments in Kubernetes. | bool | `true` | no |
| argo_rollouts_virtual_service_host | The hostname for the Argo Rollouts virtual service, used for advanced deployment capabilities like canary and blue-green deployments in Kubernetes. | string | `"argo-rollouts.k8s.raj.ninja"` | no |
| auto_scale_options | Configuration for the EKS cluster auto-scaling. It includes the minimum (min), maximum (max), and desired (desired) number of worker nodes. | map | `{"desired": 4, "max": 10, "min": 4}` | no |
| aws_region | AWS region where the EKS cluster will be deployed. This should be set to the region where you want your Kubernetes resources to reside. | string | `"us-east-1"` | no |
| chaos_mesh_toggle | Determines whether to install Chaos Mesh, a cloud-native Chaos Engineering platform that orchestrates chaos experiments on Kubernetes environments. | bool | `false` | no |
| cluster_autoscaler_toggle | Enable or disable the Cluster Autoscaler installation. When true, Cluster Autoscaler is installed to automatically adjust the number of nodes in the cluster. | bool | `false` | no |
| cluster_name | The name of the Amazon EKS cluster. This is a unique identifier for your EKS cluster within the AWS region. | string | `"eks-cluster"` | no |
| cluster_private_zone | The private DNS zone name for the EKS cluster in AWS Route53. This zone is used for internal DNS resolution within the cluster. | string | `"k8s.cluster"` | no |
| default_tags | A map of default tags to apply to all resources. These tags can help with identifying and organizing resources within the AWS environment. | map(string) | `{"Environment": "prod", "Foo": "Bar", "Ping": "Pong"}` | no |
| descheduler_toggle | Controls the installation of the Descheduler, a tool to balance and optimize the distribution of Pods across the cluster for improved efficiency. | bool | `false` | no |
| enable_cross_zone_load_balancing | Controls whether cross-zone load balancing is enabled for the Network Load Balancer, allowing even traffic distribution across all zones. | bool | `false` | no |
| enable_jaeger | Flag to create the standalone Jaeger stack. | bool | `false` | no |
| enable_managed_prometheus | Determines if the managed Prometheus service should be enabled. Managed Prometheus provides a fully managed monitoring service compatible with Prometheus. | bool | `false` | no |
| enable_prometheus_stack | n/a | bool | `true` | no |
| enable_vpc_link | Create an API Gateway VPC Link associated with the Network Load Balancer. | bool | `false` | no |
| grafana_virtual_service_host | The hostname for the Grafana virtual service, used in Istio routing. This host is used to access Grafana dashboards for monitoring metrics. | string | `"grafana.k8s.raj.ninja"` | no |
| istio_ingress_max_pods | The maximum number of pods to scale up for the Istio ingress gateway. This limits the resources used and manages the scaling behavior. | number | `9` | no |
| istio_ingress_min_pods | The minimum number of pods to maintain for the Istio ingress gateway. This ensures basic availability and load handling. | number | `3` | no |
| jaeger_virtual_service_host | The hostname for the Jaeger virtual service, used for tracing and monitoring microservices within the Istio service mesh. | string | `"jaeger.k8s.raj.ninja"` | no |
| k8s_version | The version of Kubernetes to use for the EKS cluster. This version should be compatible with the AWS EKS service and other infrastructure components. | string | `"1.31"` | no |
| karpenter_availability_zones | A list of AWS availability zones where Karpenter should launch nodes. These zones should be in the same region as the EKS cluster. | list(any) | `["us-east-1a", "us-east-1b", "us-east-1c"]` | no |
| karpenter_capacity_type | Defines the capacity types for provisioning instances in the cluster, such as 'spot' or 'on_demand', offering cost-saving options or consistent availability respectively. | list(any) | `["spot"]` | no |
| karpenter_ec2_node_family | n/a | string | `"Bottlerocket"` | no |
| karpenter_instance_family | Defines a list of EC2 instance families to be considered by Karpenter for node provisioning. Instance families like 'c6' and 'c5' offer different compute capabilities. | list(any) | `["c6", "c6a", "c5"]` | no |
| karpenter_instance_sizes | Specifies a list of instance sizes within the chosen instance families to allow diversity in the nodes provisioned by Karpenter. | list(any) | `["large", "2xlarge"]` | no |
| karpenter_toggle | Determines whether Karpenter is enabled for the EKS cluster. Karpenter is an open-source auto-scaler for Kubernetes clusters. | bool | `true` | no |
| keda_toggle | Activates the installation of KEDA (Kubernetes Event-Driven Autoscaling), which adds event-driven scaling capabilities to Kubernetes workloads. | bool | `true` | no |
| kiali_virtual_service_host | The hostname for the Kiali virtual service, a part of Istio's service mesh visualization. It provides insights into the mesh topology and performance. | string | `"kiali.k8s.raj.ninja"` | no |
| managed_grafana_authentication_providers | A list of authentication providers for managed Grafana. For example, 'SAML' can be used for integrating with identity providers, ensuring secure and centralized user management. | list(string) | `["SAML"]` | no |
| managed_grafana_datasources | Specifies the data sources that managed Grafana can access. Includes options like 'CLOUDWATCH', 'PROMETHEUS', and 'XRAY', providing a wide range of data for comprehensive monitoring solutions. | list(string) | `["CLOUDWATCH", "PROMETHEUS", "XRAY"]` | no |
| managed_grafana_notification_destinations | Lists the notification channels supported by managed Grafana. For instance, 'SNS' allows Grafana to send alerts and notifications through AWS Simple Notification Service. | list(string) | `["SNS"]` | no |
| managed_grafana_permission_type | Defines the permission model for managed Grafana. 'SERVICE_MANAGED' allows AWS to manage permissions, simplifying the setup and management of Grafana. | string | `"SERVICE_MANAGED"` | no |
| managed_prometheus_access_type | Specifies the access type for managed Prometheus. 'CURRENT_ACCOUNT' limits access to the current AWS account, ensuring isolated and secure access to the monitoring data. | string | `"CURRENT_ACCOUNT"` | no |
| nlb_ingress_enable_termination_protection | Determines if termination protection is enabled for the Network Load Balancer, preventing accidental deletion. | bool | `false` | no |
| nlb_ingress_internal | Indicates whether the Network Load Balancer (NLB) for the EKS cluster should be internal, restricting access to within the AWS network. | bool | `false` | no |
| nlb_ingress_type | Specifies the type of ingress to be used, such as 'network', determining how the NLB handles incoming traffic to the EKS cluster. | string | `"network"` | no |
| node_termination_handler_toggle | Enables the AWS Node Termination Handler, which ensures that Kubernetes workloads are gracefully handled during EC2 instance terminations or disruptions. | bool | `false` | no |
| nodes_instances_sizes | A list of EC2 instance types to use for the EKS worker nodes. These instance types should balance cost, performance, and the resource requirements of your workload. | list | `["t3.large"]` | no |
| proxy_protocol_v2 | Enables or disables Proxy Protocol v2 on the Network Load Balancer, used for preserving client IP addresses and other connection information. | bool | `false` | no |

## Outputs

| Name | Description |
|---|---|
| cluster_name | n/a |
| istio_ingress_vpclink | n/a |

## ✨ Demo

### Install

```sh
terraform apply
```

### Usage

```sh
terraform apply
```

### Run tests

```sh
terraform plan
```

## Author

👤 Matheus Fidelis

## 🤝 Contributing

Contributions, issues and feature requests are welcome!
Feel free to check the issues page.

## Show your support

Give a ⭐️ if this project helped you!

πŸ“ License

Copyright Β© 2021 Matheus Fidelis.
This project is MIT licensed.


_This README was generated with ❤️ by readme-md-generator_