udacity · carlosvalarezo · Aug 17, 2023 · Aug 17, 2023 · Aug 17, 2023 · Aug 17, 2023
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+ARCH=amd64
+PLATFORM=$(uname -s)_$ARCH
+
+curl -sLO "https://github.com/eksctl-io/eksctl/releases/latest/download/eksctl_$PLATFORM.tar.gz"
+
+# (Optional) Verify checksum
+curl -sL "https://github.com/eksctl-io/eksctl/releases/latest/download/eksctl_checksums.txt" | grep $PLATFORM | sha256sum --check
+
+tar -xzf eksctl_$PLATFORM.tar.gz -C /tmp && rm eksctl_$PLATFORM.tar.gz
+
+sudo mv /tmp/eksctl /usr/local/bin
@@ -0,0 +1,65 @@
+name: Create AWS infrastructure
+on:
+  push:
+    branches:
+      - infrastructure
+jobs:
+  setup_roles_and_policies:
+    runs-on: ubuntu-latest
+    environment:
+      name: develop
+    env:
+      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      CLUSTER_ROLE_NAME: cv-eks-cluster-role
+      CLUSTER_POLICY_NAME: cv-eks-cluster-policy
+      NODEGROUP_ROLE_NAME: cv-eks-nodegroup-role
+      NODEGROUP_POLICY_NAME: cv-eks-nodegroup-policy
+    steps:
+      - name: Checkout code
+        uses: actions/[email protected]
+
+      - name: Setup the runner
+        run: sh $GITHUB_WORKSPACE/.github/scripts/eksctl-install.sh
+
+      - name: Setup AWS credentials
+        run: |
+          aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID}
+          aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY}
+          aws configure set default.region us-west-1
+
+      - name: Creates the role that will assume the trust policy to deal with the cluster
+        run: |
+          aws iam create-role --role-name ${CLUSTER_ROLE_NAME} --assume-role-policy-document file://${GITHUB_WORKSPACE}/eksk8s/eks-cluster-trust-policy.json
+
+      - name: Attaches the policy to the new role
+        run: |
+          aws iam put-role-policy --role-name ${CLUSTER_ROLE_NAME} --policy-name ${CLUSTER_POLICY_NAME} --policy-document file://${GITHUB_WORKSPACE}/eksk8s/eks-cluster-policy.json
+
+      - name: Creates the role to manage the node-group
+        run: |
+          aws iam create-role --role-name ${NODEGROUP_ROLE_NAME} --assume-role-policy-document file://${GITHUB_WORKSPACE}/eksk8s/eks-nodegroup-trust-policy.json
+
+      - name: Attaches the policy for the node-group
+        run: |
+          aws iam put-role-policy --role-name ${NODEGROUP_ROLE_NAME} --policy-name ${NODEGROUP_POLICY_NAME} --policy-document file://${GITHUB_WORKSPACE}/eksk8s/eks-nodegroup-policy.json
+
+  create_the_cluster:
+    runs-on: ubuntu-latest
+    needs: setup_roles_and_policies
+    environment:
+      name: develop
+    env:
+      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
+      SSH_PUBLIC_KEY: ${{ secrets.SSH_PUBLIC_KEY }}
+    steps:
+      - name: Setup the keys used to create the k8s cluster
+        run: |
+          mkdir $HOME/.ssh/
+          echo $SSH_PRIVATE_KEY > $HOME/.ssh/k8s
+          echo $SSH_PUBLIC_KEY > $HOME/.ssh/k8s.pub
+      - name: Creates the k8s cluster using eksctl
+        run: |
+          eksctl create cluster -f ${GITHUB_WORKSPACE}/eksk8s/cluster-config.yaml
@@ -28,4 +28,3 @@ htmlcov/
 .envrc
 .direnv
 
-.github/**
@@ -0,0 +1,24 @@
+With regard to the file eks-cluster-policy.json:
+
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+              "eks:CreateCluster",
+              "eks:DescribeCluster",
+              "eks:UpdateClusterConfig",
+              "eks:UpdateClusterVersion",
+              "ssm:GetParameters"
+            ],
+            "Resource": "*" // * means that the already defined actions could be applied to any EKS cluster in the account
+        }
+    ]
+}
+
+In the file eksk8s/cluster-config.yaml the key nodeGroups.iam.instanceRoleARN has the value=arn:aws:iam::62132xxxx821:role/cv-eks-nodegroup-role. In a real project this file should be created using jinja/cookicutter in a previous step. This file should never have hard-coded values. However, for educational purposes/save time these values are hardcoded in the file.
+
+This key pair was created in aws console. It is possible to do it using the command to create it. This step involves pushing (uploading) the keys to aws via aws cli or somehow.
+
+The subnets were also created by hand in the aws console.
@@ -0,0 +1,31 @@
+apiVersion: eksctl.io/v1alpha5
+kind: ClusterConfig
+
+metadata:
+  name: cv-eks-cluster
+  region: us-west-1
+
+vpc:
+  id: vpc-04e8935eb17607398
+  subnets:
+    public:
+      us-west-1a:
+          id: subnet-08375f54b10ac81a2
+      us-west-1b:
+          id: subnet-0a8eea0bb2b8bd056
+  clusterEndpoints:
+    publicAccess: true
+  securityGroup: sg-074fc7db95c8a8141
+
+nodeGroups:
+  - name: cv-eks-nodegroup
+    iam:
+      instanceRoleARN: arn:aws:iam::621328949821:role/cv-eks-nodegroup-role
+    instanceType: t2.micro
+    desiredCapacity: 2
+    ssh:
+      allow: true
+      publicKeyPath: ~/.ssh/k8s.pub
+    subnets:
+      - subnet-08375f54b10ac81a2
+      - subnet-0a8eea0bb2b8bd056
@@ -0,0 +1,17 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+              "eks:CreateCluster",
+              "eks:DescribeCluster",
+              "eks:UpdateClusterConfig",
+              "eks:UpdateClusterVersion",
+              "ssm:GetParameters"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+
@@ -0,0 +1,13 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "eks.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+
@@ -0,0 +1,70 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ec2:UnassignPrivateIpAddresses",
+        "ec2:AssignPrivateIpAddresses",
+        "ecr:GetAuthorizationToken",
+        "ec2:AuthorizeSecurityGroupIngress",
+        "ec2:DescribeInstances",
+        "ec2:AssociateRouteTable",
+        "ec2:DeleteVolume",
+        "logs:CreateLogStream",
+        "eks:DescribeNodegroup",
+        "autoscaling:DescribeAutoScalingGroups",
+        "ec2:CreateRoute",
+        "ec2:DescribeVolumes",
+        "ec2:DescribeRouteTables",
+        "ecr:BatchCheckLayerAvailability",
+        "ec2:DetachVolume",
+        "ec2:ModifyVolume",
+        "eks:ListNodegroups",
+        "ec2:CreateTags",
+        "autoscaling:DescribeTags",
+        "ecr:GetDownloadUrlForLayer",
+        "ec2:CreateRouteTable",
+        "ec2:RunInstances",
+        "ec2:DisassociateRouteTable",
+        "logs:CreateLogGroup",
+        "ec2:CreateVolume",
+        "ecr:PutImage",
+        "eks:DeleteNodegroup",
+        "ecr:BatchGetImage",
+        "eks:UpdateNodegroupConfig",
+        "ec2:DescribeSubnets",
+        "ecr:InitiateLayerUpload",
+        "ec2:AttachVolume",
+        "ec2:DeleteTags",
+        "logs:DescribeLogStreams",
+        "autoscaling:DescribeLaunchConfigurations",
+        "ecr:UploadLayerPart",
+        "ecr:ListImages",
+        "iam:PassRole",
+        "ec2:CreateNetworkInterface",
+        "ec2:DescribeNetworkInterfaces",
+        "ec2:DeleteNetworkInterface",
+        "ec2:CreateSecurityGroup",
+        "ec2:DetachNetworkInterface",
+        "ec2:ModifyNetworkInterfaceAttribute",
+        "ec2:AttachNetworkInterface",
+        "ecr:CompleteLayerUpload",
+        "ecr:DescribeRepositories",
+        "ec2:ModifyInstanceAttribute",
+        "ec2:RebootInstances",
+        "ec2:TerminateInstances",
+        "logs:DescribeLogGroups",
+        "ec2:DeleteRoute",
+        "eks:CreateNodegroup",
+        "logs:PutLogEvents",
+        "ec2:DescribeSecurityGroups",
+        "ec2:DeleteSecurityGroup",
+        "ecr:GetRepositoryPolicy"
+
+      ],
+      "Resource": "*"
+    }
+  ]
+}
+
@@ -0,0 +1,20 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "ec2.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    },
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "eks.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+