mirror of
https://github.com/cdr/code-server.git
synced 2025-12-07 08:52:16 +01:00
b8094ac6a0
This commit adds complete Terraform infrastructure as code for deploying code-server on both EC2 and EKS platforms with enterprise-grade security and SAML/OIDC authentication. Features: - EC2 deployment with Auto Scaling Groups and Application Load Balancer - EKS deployment with managed node groups and AWS Load Balancer Controller - Private network setup with VPC, private subnets, and NAT gateways - SAML/OIDC authentication using OAuth2 Proxy - Security hardening: - KMS encryption for data at rest - TLS encryption in transit - IAM roles with least privilege - Security groups with minimal access - VPC Flow Logs - IMDSv2 enforcement - Auto-scaling capabilities for both EC2 and EKS - CloudWatch logging and monitoring - Automated deployment scripts Terraform Modules: - modules/vpc: VPC with public/private subnets, NAT, and VPC endpoints - modules/security: Security groups, IAM roles, and KMS keys - modules/ec2: EC2 Auto Scaling deployment with ALB - modules/eks: EKS cluster with managed node groups and addons Deployments: - deployments/ec2: EC2 deployment configuration - deployments/eks: EKS deployment configuration with Kubernetes manifests Documentation: - README.md: Comprehensive deployment and operations guide - QUICK-START.md: Quick reference for fast deployment - SAML-SETUP-GUIDE.md: Step-by-step IdP configuration guide Scripts: - scripts/deploy-ec2.sh: Automated EC2 deployment - scripts/deploy-eks.sh: Automated EKS deployment - scripts/destroy-ec2.sh: EC2 cleanup - scripts/destroy-eks.sh: EKS cleanup
139 lines
3.2 KiB
HCL
139 lines
3.2 KiB
HCL
# EKS Deployment Variables
|
|
|
|
variable "aws_region" {
|
|
description = "AWS region for deployment"
|
|
type = string
|
|
default = "us-east-1"
|
|
}
|
|
|
|
variable "project_name" {
|
|
description = "Project name"
|
|
type = string
|
|
default = "code-server"
|
|
}
|
|
|
|
variable "environment" {
|
|
description = "Environment name (dev, staging, prod)"
|
|
type = string
|
|
default = "dev"
|
|
}
|
|
|
|
# VPC Configuration
|
|
variable "vpc_cidr" {
|
|
description = "CIDR block for VPC"
|
|
type = string
|
|
default = "10.0.0.0/16"
|
|
}
|
|
|
|
variable "public_subnet_cidrs" {
|
|
description = "CIDR blocks for public subnets"
|
|
type = list(string)
|
|
default = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
|
|
}
|
|
|
|
variable "private_subnet_cidrs" {
|
|
description = "CIDR blocks for private subnets"
|
|
type = list(string)
|
|
default = ["10.0.11.0/24", "10.0.12.0/24", "10.0.13.0/24"]
|
|
}
|
|
|
|
variable "single_nat_gateway" {
|
|
description = "Use a single NAT gateway (cost optimization)"
|
|
type = bool
|
|
default = false
|
|
}
|
|
|
|
# Security Configuration
|
|
variable "allowed_cidr_blocks" {
|
|
description = "CIDR blocks allowed to access the ALB"
|
|
type = list(string)
|
|
default = ["10.0.0.0/8"] # Restrict to private network
|
|
}
|
|
|
|
variable "ssh_allowed_cidr_blocks" {
|
|
description = "CIDR blocks allowed to SSH into nodes"
|
|
type = list(string)
|
|
default = [] # No SSH access by default
|
|
}
|
|
|
|
# EKS Configuration
|
|
variable "kubernetes_version" {
|
|
description = "Kubernetes version for EKS cluster"
|
|
type = string
|
|
default = "1.28"
|
|
}
|
|
|
|
variable "endpoint_public_access" {
|
|
description = "Enable public access to EKS API endpoint"
|
|
type = bool
|
|
default = false
|
|
}
|
|
|
|
variable "public_access_cidrs" {
|
|
description = "CIDR blocks allowed to access EKS API endpoint"
|
|
type = list(string)
|
|
default = ["0.0.0.0/0"]
|
|
}
|
|
|
|
variable "node_instance_types" {
|
|
description = "Instance types for EKS nodes"
|
|
type = list(string)
|
|
default = ["t3.medium"]
|
|
}
|
|
|
|
variable "capacity_type" {
|
|
description = "Capacity type for EKS nodes (ON_DEMAND or SPOT)"
|
|
type = string
|
|
default = "ON_DEMAND"
|
|
}
|
|
|
|
variable "node_disk_size" {
|
|
description = "Disk size for EKS nodes in GB"
|
|
type = number
|
|
default = 50
|
|
}
|
|
|
|
variable "min_nodes" {
|
|
description = "Minimum number of EKS nodes"
|
|
type = number
|
|
default = 1
|
|
}
|
|
|
|
variable "max_nodes" {
|
|
description = "Maximum number of EKS nodes"
|
|
type = number
|
|
default = 3
|
|
}
|
|
|
|
variable "desired_nodes" {
|
|
description = "Desired number of EKS nodes"
|
|
type = number
|
|
default = 2
|
|
}
|
|
|
|
# OAuth2 / SAML Configuration
|
|
variable "deploy_oauth2_proxy" {
|
|
description = "Deploy OAuth2 Proxy for authentication"
|
|
type = bool
|
|
default = true
|
|
}
|
|
|
|
variable "oauth2_client_id" {
|
|
description = "OAuth2 client ID from your SAML/OIDC provider"
|
|
type = string
|
|
default = ""
|
|
}
|
|
|
|
variable "oauth2_client_secret" {
|
|
description = "OAuth2 client secret from your SAML/OIDC provider"
|
|
type = string
|
|
sensitive = true
|
|
default = ""
|
|
}
|
|
|
|
variable "oauth2_cookie_secret" {
|
|
description = "OAuth2 cookie secret (generate with: python -c 'import os,base64; print(base64.urlsafe_b64encode(os.urandom(32)).decode())')"
|
|
type = string
|
|
sensitive = true
|
|
default = ""
|
|
}
|