This commit adds complete Terraform infrastructure as code for deploying code-server on both EC2 and EKS platforms with enterprise-grade security and SAML/OIDC authentication. Features: - EC2 deployment with Auto Scaling Groups and Application Load Balancer - EKS deployment with managed node groups and AWS Load Balancer Controller - Private network setup with VPC, private subnets, and NAT gateways - SAML/OIDC authentication using OAuth2 Proxy - Security hardening: - KMS encryption for data at rest - TLS encryption in transit - IAM roles with least privilege - Security groups with minimal access - VPC Flow Logs - IMDSv2 enforcement - Auto-scaling capabilities for both EC2 and EKS - CloudWatch logging and monitoring - Automated deployment scripts Terraform Modules: - modules/vpc: VPC with public/private subnets, NAT, and VPC endpoints - modules/security: Security groups, IAM roles, and KMS keys - modules/ec2: EC2 Auto Scaling deployment with ALB - modules/eks: EKS cluster with managed node groups and addons Deployments: - deployments/ec2: EC2 deployment configuration - deployments/eks: EKS deployment configuration with Kubernetes manifests Documentation: - README.md: Comprehensive deployment and operations guide - QUICK-START.md: Quick reference for fast deployment - SAML-SETUP-GUIDE.md: Step-by-step IdP configuration guide Scripts: - scripts/deploy-ec2.sh: Automated EC2 deployment - scripts/deploy-eks.sh: Automated EKS deployment - scripts/destroy-ec2.sh: EC2 cleanup - scripts/destroy-eks.sh: EKS cleanup
# VPC Module for Code-Server Deployment
# Creates a secure VPC with public and private subnets, NAT gateway, and VPC endpoints
locals {
  # First three availability zones of the target region. The subnet resources
  # index this list by subnet position, so the module supports at most three
  # subnets per tier, and slice() fails at plan time if the region reports
  # fewer than three AZs.
  azs = slice(data.aws_availability_zones.available.names, 0, 3)
}

# Availability zones the account can currently launch into in this region.
# Only zones in the "available" state are returned, so opted-out or impaired
# zones never end up in local.azs.
data "aws_availability_zones" "available" {
  state = "available"
}

# VPC
# The network boundary for everything this module creates. DNS support and
# DNS hostnames are both enabled; private DNS on VPC endpoints and EKS
# worker nodes rely on them.
resource "aws_vpc" "main" {
  cidr_block           = var.vpc_cidr
  enable_dns_support   = true
  enable_dns_hostnames = true

  tags = merge(var.tags, { Name = "${var.name_prefix}-vpc" })
}

# Internet Gateway
# Single IGW for the VPC; it is the default route target of the public
# route table and the egress path for the NAT gateways.
resource "aws_internet_gateway" "main" {
  vpc_id = aws_vpc.main.id

  tags = merge(var.tags, { Name = "${var.name_prefix}-igw" })
}

# Public Subnets
# One subnet per CIDR in var.public_subnet_cidrs, each placed in the
# corresponding entry of local.azs. These subnets host the internet-facing
# load balancer and the NAT gateways. The kubernetes.io/* tags are the
# discovery tags the AWS Load Balancer Controller uses for external ELBs.
resource "aws_subnet" "public" {
  count = length(var.public_subnet_cidrs)

  vpc_id            = aws_vpc.main.id
  availability_zone = local.azs[count.index]
  cidr_block        = var.public_subnet_cidrs[count.index]

  # Instances launched in these subnets receive a public IP automatically.
  # This module itself launches nothing here, and neither the ALB nor the
  # NAT gateways depend on it, so it is a hardening candidate — confirm no
  # other module relies on it before turning it off.
  map_public_ip_on_launch = true

  # NOTE(review): the cluster tag is emitted unconditionally; for a non-EKS
  # deployment this assumes var.cluster_name is still set to something
  # meaningful — verify against the EC2 deployment's inputs.
  tags = merge(var.tags, {
    Name                                        = "${var.name_prefix}-public-subnet-${count.index + 1}"
    "kubernetes.io/role/elb"                    = "1"
    "kubernetes.io/cluster/${var.cluster_name}" = "shared"
  })
}

# Private Subnets
# One subnet per CIDR in var.private_subnet_cidrs, AZ-aligned with the
# public subnets by index. Workloads (EC2 instances / EKS nodes) live here;
# there is no auto-assigned public IP, so they are only reachable through
# the load balancer. The internal-elb tag lets the AWS Load Balancer
# Controller place internal load balancers in these subnets.
resource "aws_subnet" "private" {
  count = length(var.private_subnet_cidrs)

  vpc_id            = aws_vpc.main.id
  availability_zone = local.azs[count.index]
  cidr_block        = var.private_subnet_cidrs[count.index]

  tags = merge(var.tags, {
    Name                                        = "${var.name_prefix}-private-subnet-${count.index + 1}"
    "kubernetes.io/role/internal-elb"           = "1"
    "kubernetes.io/cluster/${var.cluster_name}" = "shared"
  })
}

# Elastic IPs for NAT Gateways
# One EIP per NAT gateway: none when NAT is disabled, exactly one when a
# single shared gateway is requested, otherwise one per public subnet.
# The IGW must exist before an EIP can be associated in the VPC, hence the
# explicit depends_on.
resource "aws_eip" "nat" {
  count = var.enable_nat_gateway ? (var.single_nat_gateway ? 1 : length(var.public_subnet_cidrs)) : 0

  domain = "vpc"

  depends_on = [aws_internet_gateway.main]

  tags = merge(var.tags, { Name = "${var.name_prefix}-nat-eip-${count.index + 1}" })
}

# NAT Gateways
# Egress path for the private subnets. The count mirrors aws_eip.nat so
# gateway i always pairs with EIP i and sits in public subnet i.
resource "aws_nat_gateway" "main" {
  count = var.enable_nat_gateway ? (var.single_nat_gateway ? 1 : length(var.public_subnet_cidrs)) : 0

  subnet_id     = aws_subnet.public[count.index].id
  allocation_id = aws_eip.nat[count.index].id

  depends_on = [aws_internet_gateway.main]

  tags = merge(var.tags, { Name = "${var.name_prefix}-nat-${count.index + 1}" })
}

# Public Route Table
# Shared by all public subnets; its only non-local route is the default
# route to the internet gateway defined below.
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.main.id

  tags = merge(var.tags, { Name = "${var.name_prefix}-public-rt" })
}

# Public Route
# Default route for the public tier: all non-VPC traffic leaves via the IGW.
resource "aws_route" "public" {
  route_table_id         = aws_route_table.public.id
  gateway_id             = aws_internet_gateway.main.id
  destination_cidr_block = "0.0.0.0/0"
}

# Public Route Table Association
# Attach every public subnet to the single public route table.
resource "aws_route_table_association" "public" {
  count = length(var.public_subnet_cidrs)

  route_table_id = aws_route_table.public.id
  subnet_id      = aws_subnet.public[count.index].id
}

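# Private Route Tables
# One table per private subnet, or a single shared table when
# var.single_nat_gateway is set. The tables are created whether or not NAT
# is enabled: aws_route_table_association.private attaches every private
# subnet to one of them, and the S3 gateway endpoint is associated with
# them, so gating their count on var.enable_nat_gateway left the
# association indexing an empty list (a plan-time "invalid index" error)
# and left the private subnets on the VPC main route table. Only the
# default route (aws_route.private) depends on NAT.
resource "aws_route_table" "private" {
  count = var.single_nat_gateway ? 1 : length(var.private_subnet_cidrs)

  vpc_id = aws_vpc.main.id

  tags = merge(var.tags, { Name = "${var.name_prefix}-private-rt-${count.index + 1}" })
}
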
# Private Routes
# Default route for each private route table, pointing at its NAT gateway.
# With a single NAT gateway every table uses gateway 0; otherwise table i
# uses gateway i.
# NOTE(review): in the per-AZ case the count follows
# var.private_subnet_cidrs while the NAT gateways follow
# var.public_subnet_cidrs, so more private than public subnets would index
# past the gateway list — confirm the two lists are kept the same length.
resource "aws_route" "private" {
  count = var.enable_nat_gateway ? (var.single_nat_gateway ? 1 : length(var.private_subnet_cidrs)) : 0

  destination_cidr_block = "0.0.0.0/0"
  route_table_id         = aws_route_table.private[count.index].id
  nat_gateway_id         = aws_nat_gateway.main[var.single_nat_gateway ? 0 : count.index].id
}

# Private Route Table Associations
# Attach each private subnet to its route table: the shared table 0 when a
# single NAT gateway is used, otherwise the table with the same index.
resource "aws_route_table_association" "private" {
  count = length(var.private_subnet_cidrs)

  route_table_id = aws_route_table.private[var.single_nat_gateway ? 0 : count.index].id
  subnet_id      = aws_subnet.private[count.index].id
}

# VPC Endpoints for enhanced security
# Gateway endpoint for S3 so that S3 traffic from the private subnets stays
# on the AWS network instead of traversing the NAT gateways. Only the S3
# endpoint is defined in this module; ECR (or other interface) endpoints
# are not created here.
# NOTE(review): no endpoint policy is attached, so the endpoint's default
# full-access policy applies; restrict it via the policy attribute if the
# deployment only needs specific buckets — confirm requirements first.
resource "aws_vpc_endpoint" "s3" {
  count = var.enable_vpc_endpoints ? 1 : 0

  service_name = "com.amazonaws.${var.aws_region}.s3"
  vpc_id       = aws_vpc.main.id

  tags = merge(var.tags, { Name = "${var.name_prefix}-s3-endpoint" })
}

# Route the S3 prefix list through the gateway endpoint from every private
# route table. The count is derived from the route-table resource itself so
# it stays correct whichever way that resource is sized.
resource "aws_vpc_endpoint_route_table_association" "s3_private" {
  count = var.enable_vpc_endpoints ? length(aws_route_table.private) : 0

  vpc_endpoint_id = aws_vpc_endpoint.s3[0].id
  route_table_id  = aws_route_table.private[count.index].id
}

# VPC Flow Logs for security monitoring
# Destination log group for the flow log; retention is caller-controlled so
# the cost/forensics trade-off is made by the deployment.
# NOTE(review): the group is not customer-key encrypted (no kms_key_id); if
# the "KMS encryption for data at rest" goal covers flow logs, pass the
# module a key ARN and set it here — confirm with the security module.
resource "aws_cloudwatch_log_group" "vpc_flow_logs" {
  count = var.enable_flow_logs ? 1 : 0

  retention_in_days = var.flow_logs_retention_days
  name              = "/aws/vpc/${var.name_prefix}-flow-logs"

  tags = var.tags
}

# Role assumed by the VPC Flow Logs service to deliver records to
# CloudWatch Logs. Only the flow-logs service principal may assume it.
# NOTE(review): the trust policy has no aws:SourceAccount / aws:SourceArn
# condition, so any flow log in any account could in principle assume this
# role if the ARN were known; adding those conditions would need the
# account id, which this module does not currently look up — confirm.
resource "aws_iam_role" "vpc_flow_logs" {
  count = var.enable_flow_logs ? 1 : 0

  name = "${var.name_prefix}-vpc-flow-logs-role"
  tags = var.tags

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "vpc-flow-logs.amazonaws.com" }
    }]
  })
}

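# Permissions the flow-logs role needs to write into the dedicated log group.
# Least privilege: the previous policy granted all five logs:* actions on
# Resource "*", i.e. write access to every log group in the account. Write
# access is now scoped to the flow-log log group and its streams. The log
# group is created by Terraform above, so logs:CreateLogGroup is not
# required. DescribeLogGroups is a read-only list call and is kept on "*"
# in its own statement.
resource "aws_iam_role_policy" "vpc_flow_logs" {
  count = var.enable_flow_logs ? 1 : 0

  name = "${var.name_prefix}-vpc-flow-logs-policy"
  role = aws_iam_role.vpc_flow_logs[0].id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "WriteFlowLogRecords"
        Effect = "Allow"
        Action = [
          "logs:CreateLogStream",
          "logs:PutLogEvents",
          "logs:DescribeLogStreams"
        ]
        # The provider strips the API's trailing ":*" from the group ARN, so
        # both the group itself and its streams are listed explicitly.
        Resource = [
          aws_cloudwatch_log_group.vpc_flow_logs[0].arn,
          "${aws_cloudwatch_log_group.vpc_flow_logs[0].arn}:*"
        ]
      },
      {
        Sid      = "ListLogGroups"
        Effect   = "Allow"
        Action   = "logs:DescribeLogGroups"
        Resource = "*"
      }
    ]
  })
}
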
# The flow log itself: captures accepted and rejected traffic for the whole
# VPC and delivers it to the CloudWatch log group above using the dedicated
# role. This is the data source for network-level detection and forensics.
resource "aws_flow_log" "main" {
  count = var.enable_flow_logs ? 1 : 0

  vpc_id          = aws_vpc.main.id
  traffic_type    = "ALL"
  log_destination = aws_cloudwatch_log_group.vpc_flow_logs[0].arn
  iam_role_arn    = aws_iam_role.vpc_flow_logs[0].arn

  tags = var.tags
}
