# EKS Deployment Configuration for Code-Server # This file creates all necessary infrastructure to deploy code-server on EKS terraform { required_version = ">= 1.0" required_providers { aws = { source = "hashicorp/aws" version = "~> 5.0" } kubernetes = { source = "hashicorp/kubernetes" version = "~> 2.23" } helm = { source = "hashicorp/helm" version = "~> 2.11" } } # Uncomment and configure for remote state storage # backend "s3" { # bucket = "your-terraform-state-bucket" # key = "code-server/eks/terraform.tfstate" # region = "us-east-1" # encrypt = true # dynamodb_table = "terraform-state-lock" # } } provider "aws" { region = var.aws_region default_tags { tags = { Project = "code-server" Environment = var.environment ManagedBy = "Terraform" Deployment = "EKS" } } } locals { name_prefix = "${var.project_name}-${var.environment}" cluster_name = "${local.name_prefix}-eks" common_tags = { Project = var.project_name Environment = var.environment ManagedBy = "Terraform" Deployment = "EKS" } } # VPC Module module "vpc" { source = "../../modules/vpc" name_prefix = local.name_prefix vpc_cidr = var.vpc_cidr public_subnet_cidrs = var.public_subnet_cidrs private_subnet_cidrs = var.private_subnet_cidrs aws_region = var.aws_region cluster_name = local.cluster_name enable_nat_gateway = true single_nat_gateway = var.single_nat_gateway enable_vpc_endpoints = true enable_flow_logs = true flow_logs_retention_days = 30 tags = local.common_tags } # Security Module module "security" { source = "../../modules/security" name_prefix = local.name_prefix vpc_id = module.vpc.vpc_id allowed_cidr_blocks = var.allowed_cidr_blocks ssh_allowed_cidr_blocks = var.ssh_allowed_cidr_blocks tags = local.common_tags } # EKS Module module "eks" { source = "../../modules/eks" cluster_name = local.cluster_name cluster_role_arn = module.security.eks_cluster_iam_role_arn node_role_arn = module.security.eks_nodes_iam_role_arn private_subnet_ids = module.vpc.private_subnet_ids public_subnet_ids = module.vpc.public_subnet_ids cluster_security_group_id = module.security.eks_cluster_security_group_id kms_key_arn = module.security.kms_key_arn kubernetes_version = var.kubernetes_version endpoint_public_access = var.endpoint_public_access public_access_cidrs = var.public_access_cidrs node_instance_types = var.node_instance_types capacity_type = var.capacity_type node_disk_size = var.node_disk_size min_nodes = var.min_nodes max_nodes = var.max_nodes desired_nodes = var.desired_nodes enable_ebs_csi_driver = true enable_irsa = true enable_aws_load_balancer_controller = true tags = local.common_tags } # Configure Kubernetes provider provider "kubernetes" { host = module.eks.cluster_endpoint cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data) exec { api_version = "client.authentication.k8s.io/v1beta1" command = "aws" args = [ "eks", "get-token", "--cluster-name", module.eks.cluster_id, "--region", var.aws_region ] } } # Configure Helm provider provider "helm" { kubernetes { host = module.eks.cluster_endpoint cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data) exec { api_version = "client.authentication.k8s.io/v1beta1" command = "aws" args = [ "eks", "get-token", "--cluster-name", module.eks.cluster_id, "--region", var.aws_region ] } } } # Install AWS Load Balancer Controller resource "helm_release" "aws_load_balancer_controller" { name = "aws-load-balancer-controller" repository = "https://aws.github.io/eks-charts" chart = "aws-load-balancer-controller" namespace = "kube-system" version = "1.6.2" set { name = "clusterName" value = module.eks.cluster_id } set { name = "serviceAccount.create" value = "true" } set { name = "serviceAccount.name" value = "aws-load-balancer-controller" } set { name = "serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn" value = module.eks.aws_load_balancer_controller_role_arn } set { name = "region" value = var.aws_region } set { name = "vpcId" value = module.vpc.vpc_id } depends_on = [module.eks] } # Create namespace for code-server resource "kubernetes_namespace" "code_server" { metadata { name = "code-server" labels = { name = "code-server" } } depends_on = [module.eks] } # Create secret for OAuth2 Proxy resource "kubernetes_secret" "oauth2_proxy" { count = var.deploy_oauth2_proxy ? 1 : 0 metadata { name = "oauth2-proxy-secrets" namespace = kubernetes_namespace.code_server.metadata[0].name } data = { client-id = var.oauth2_client_id client-secret = var.oauth2_client_secret cookie-secret = var.oauth2_cookie_secret } type = "Opaque" } # Storage Class for EBS GP3 resource "kubernetes_storage_class" "gp3" { metadata { name = "gp3" } storage_provisioner = "ebs.csi.aws.com" volume_binding_mode = "WaitForFirstConsumer" parameters = { type = "gp3" encrypted = "true" kmsKeyId = module.security.kms_key_arn } depends_on = [module.eks] } # VPN Module (Optional) module "vpn" { count = var.enable_vpn ? 1 : 0 source = "../../modules/vpn" name_prefix = local.name_prefix vpc_id = module.vpc.vpc_id vpc_cidr = module.vpc.vpc_cidr subnet_ids = module.vpc.private_subnet_ids server_certificate_arn = var.vpn_server_certificate_arn client_certificate_arn = var.vpn_client_certificate_arn client_cidr_block = var.vpn_client_cidr_block split_tunnel = var.vpn_split_tunnel authentication_type = var.vpn_authentication_type dns_servers = var.vpn_dns_servers transport_protocol = var.vpn_transport_protocol vpn_port = var.vpn_port session_timeout_hours = var.vpn_session_timeout_hours client_login_banner = var.vpn_client_login_banner tags = local.common_tags }