code-server/terraform/QUICK-START.md
Claude b8094ac6a0
Add comprehensive Terraform infrastructure for code-server deployment on AWS
This commit adds complete Terraform infrastructure as code for deploying
code-server on both EC2 and EKS platforms with enterprise-grade security
and SAML/OIDC authentication.

Features:
- EC2 deployment with Auto Scaling Groups and Application Load Balancer
- EKS deployment with managed node groups and AWS Load Balancer Controller
- Private network setup with VPC, private subnets, and NAT gateways
- SAML/OIDC authentication using OAuth2 Proxy
- Security hardening:
  - KMS encryption for data at rest
  - TLS encryption in transit
  - IAM roles with least privilege
  - Security groups with minimal access
  - VPC Flow Logs
  - IMDSv2 enforcement
- Auto-scaling capabilities for both EC2 and EKS
- CloudWatch logging and monitoring
- Automated deployment scripts

Terraform Modules:
- modules/vpc: VPC with public/private subnets, NAT, and VPC endpoints
- modules/security: Security groups, IAM roles, and KMS keys
- modules/ec2: EC2 Auto Scaling deployment with ALB
- modules/eks: EKS cluster with managed node groups and addons

Deployments:
- deployments/ec2: EC2 deployment configuration
- deployments/eks: EKS deployment configuration with Kubernetes manifests

Documentation:
- README.md: Comprehensive deployment and operations guide
- QUICK-START.md: Quick reference for fast deployment
- SAML-SETUP-GUIDE.md: Step-by-step IdP configuration guide

Scripts:
- scripts/deploy-ec2.sh: Automated EC2 deployment
- scripts/deploy-eks.sh: Automated EKS deployment
- scripts/destroy-ec2.sh: EC2 cleanup
- scripts/destroy-eks.sh: EKS cleanup
2025-11-15 17:29:42 +00:00


Code-Server AWS Deployment - Quick Start

This is a condensed guide to get code-server running on AWS quickly. For detailed documentation, see README.md.

Prerequisites

  • AWS Account with credentials configured
  • Terraform >= 1.0
  • AWS CLI
  • kubectl and Helm (for EKS deployment)
  • SAML/OIDC Provider configured (Okta, Azure AD, Google, etc.)

5-Minute EC2 Setup

1. Configure Variables

cd deployments/ec2
cp terraform.tfvars.example terraform.tfvars

Edit terraform.tfvars with minimum required values:

aws_region = "us-east-1"

# OAuth2/SAML Configuration
oauth2_client_id     = "your-client-id"
oauth2_client_secret = "your-client-secret"
oauth2_issuer_url    = "https://your-idp.com/.well-known/openid-configuration"
oauth2_redirect_url  = "https://code-server.example.com/oauth2/callback"
oauth2_cookie_secret = "run: python -c 'import os,base64; print(base64.urlsafe_b64encode(os.urandom(32)).decode())'"

2. Deploy

../../scripts/deploy-ec2.sh

3. Get Access URL

terraform output alb_url

4. Get Password

aws secretsmanager get-secret-value \
  --secret-id $(terraform output -raw code_server_password_secret_arn) \
  --query SecretString --output text

10-Minute EKS Setup

1. Configure Variables

cd deployments/eks
cp terraform.tfvars.example terraform.tfvars

Edit terraform.tfvars:

aws_region = "us-east-1"

# OAuth2/SAML Configuration
oauth2_client_id     = "your-client-id"
oauth2_client_secret = "your-client-secret"
oauth2_cookie_secret = "generate-random-secret"

Edit k8s/code-server-values.yaml:

ingress:
  hosts:
    - host: code-server.example.com

Edit k8s/oauth2-proxy.yaml:

data:
  oauth2_proxy.cfg: |
    redirect_url = "https://code-server.example.com/oauth2/callback"
    oidc_issuer_url = "https://your-idp.com"

2. Deploy

../../scripts/deploy-eks.sh

3. Get Load Balancer URL

kubectl get ingress -n code-server

Common Commands

EC2

# View logs
aws logs tail /aws/ec2/code-server-dev-code-server --follow

# Scale instances
terraform apply -var="desired_instances=3"

# Destroy
../../scripts/destroy-ec2.sh

EKS

# View pods
kubectl get pods -n code-server

# View logs
kubectl logs -n code-server -l app.kubernetes.io/name=code-server -f

# Scale pods
kubectl scale deployment code-server -n code-server --replicas=3

# Destroy
../../scripts/destroy-eks.sh

Generate Cookie Secret

python -c 'import os,base64; print(base64.urlsafe_b64encode(os.urandom(32)).decode())'

Or (OAuth2 Proxy expects URL-safe base64, so translate + and / to - and _):

openssl rand -base64 32 | tr -- '+/' '-_'
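Before running the deploy script, a preflight check over terraform.tfvars catches the failure modes the troubleshooting section lists: example placeholders left in place, a cookie secret of the wrong length or alphabet (OAuth2 Proxy needs 16, 24 or 32 bytes, URL-safe base64), and a non-https redirect URL. This is an added example, not part of the project; the sample tfvars text is constructed, and the parser handles only the flat key = "value" lines shown in this guide.

```python
import base64, binascii, re

# Flat `key = "value"` lines as in the tfvars examples; nested HCL blocks are out of scope.
_ASSIGN = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"([^"]*)"\s*$')
_URLSAFE_B64 = re.compile(r'^[A-Za-z0-9_-]+=*$')
# Placeholder values from the example files that must never reach a deployment.
PLACEHOLDERS = {"your-client-id", "your-client-secret", "generate-random-secret"}

def parse_tfvars(text):
    """Return the string-valued variables of a tfvars file as a dict."""
    return {m[1]: m[2] for m in map(_ASSIGN.match, text.splitlines()) if m}

def cookie_secret_ok(secret):
    """Like oauth2-proxy: decode as URL-safe base64 if that parses, else use the
    raw string; either way the result must be 16, 24 or 32 bytes (an AES key)."""
    if _URLSAFE_B64.match(secret):
        try:
            raw = base64.urlsafe_b64decode(secret + "=" * (-len(secret) % 4))
            return len(raw) in (16, 24, 32)
        except binascii.Error:
            pass
    return len(secret.encode()) in (16, 24, 32)

def preflight(text):
    """Return the problems found in tfvars text; an empty list means it passes."""
    v, problems = parse_tfvars(text), []
    for key in ("oauth2_client_id", "oauth2_client_secret", "oauth2_cookie_secret"):
        if key not in v:
            problems.append(f"{key}: missing")
        elif v[key] in PLACEHOLDERS or v[key].startswith("run:"):
            problems.append(f"{key}: example placeholder left in place")
    # A placeholder can still have a valid length, so the length check is separate.
    if "oauth2_cookie_secret" in v and not cookie_secret_ok(v["oauth2_cookie_secret"]):
        problems.append("oauth2_cookie_secret: must decode to 16, 24 or 32 bytes")
    for key in ("oauth2_issuer_url", "oauth2_redirect_url"):  # absent in the EKS tfvars
        if key in v and not v[key].startswith("https://"):
            problems.append(f"{key}: must be an absolute https:// URL")
    if not v.get("oauth2_redirect_url", "/oauth2/callback").endswith("/oauth2/callback"):
        problems.append("oauth2_redirect_url: must end in /oauth2/callback")
    return problems

# Constructed sample: the EC2 example with its placeholders left in and an http:// redirect.
BAD_TFVARS = '''oauth2_client_id     = "your-client-id"
oauth2_client_secret = "your-client-secret"
oauth2_issuer_url    = "https://your-idp.com/.well-known/openid-configuration"
oauth2_redirect_url  = "http://code-server.example.com/oauth2/callback"
oauth2_cookie_secret = "generate-random-secret"
'''
```

Run preflight(open("terraform.tfvars").read()) from the deployment directory; anything it returns is a problem OAuth2 Proxy or the IdP would otherwise report only after deployment.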

IdP Issuer URLs

Okta

oauth2_issuer_url = "https://<tenant>.okta.com/.well-known/openid-configuration"

Azure AD

oauth2_issuer_url = "https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration"

Google

oauth2_issuer_url = "https://accounts.google.com/.well-known/openid-configuration"

Troubleshooting

Can't access code-server

  1. Check security group allows your IP
  2. Verify ALB is healthy: aws elbv2 describe-target-health --target-group-arn <arn>
  3. Check logs for errors

Authentication fails

  1. Verify redirect URL matches IdP configuration exactly
  2. Check client ID and secret are correct
  3. View OAuth2 Proxy logs for detailed error messages

Pods not starting (EKS)

  1. Check events: kubectl get events -n code-server --sort-by='.lastTimestamp'
  2. Check pod status: kubectl describe pod <pod> -n code-server
  3. Verify nodes have capacity: kubectl top nodes

Cost Estimate

EC2 (t3.medium, 1 instance)

  • EC2: ~$30/month
  • ALB: ~$20/month
  • NAT Gateway: ~$32/month
  • EBS: ~$5/month
  • Total: ~$87/month

EKS (t3.medium, 2 nodes)

  • EKS Control Plane: ~$73/month
  • EC2 Nodes: ~$60/month
  • ALB: ~$20/month
  • NAT Gateway: ~$32/month
  • EBS: ~$10/month
  • Total: ~$195/month

Cost Optimization

  • Use single NAT gateway: Save ~$32-64/month
  • Use SPOT instances (EKS): Save up to 90% on compute
  • Scale to zero during off-hours: Save on compute costs
  • Use GP3 instead of GP2: Save ~20% on storage

Next Steps

  1. Configure DNS (CNAME to ALB DNS)
  2. Set up ACM certificate for HTTPS
  3. Configure auto-scaling policies
  4. Set up CloudWatch alarms
  5. Review and adjust security groups
  6. Configure backup/snapshot policies

Full Documentation

Support

For issues:

  1. Check Troubleshooting in README
  2. Review CloudWatch logs
  3. Check AWS service health dashboard