wip

Author: cirisked

examples/eks/eks_private_link/README.MD

@@ -17,18 +17,12 @@ Example configuration should be analysed in the following order:
 | cluster_name                = "" | Name of cluster |
 | cluster_region              = "" | Name of region of cluster |
 | castai_api_token            = "" | Cast api token |
+| rest_api_service_name   = "" | The name of the AWS PrivateLink service for the CAST AI endpoint. |
+| grpc_service_name       = "" | The name of the AWS PrivateLink service for the CAST AI endpoint |
+| api_grpc_service_name   = "" | The name of the AWS PrivateLink service for the CAST AI endpoint |
+| files_service_name      = "" | The name of the AWS PrivateLink service for the CAST AI endpoint |
+| kvisor_service_name     = "" | The name of the AWS PrivateLink service for the CAST AI endpoint |
+| telemetry_service_name  = "" | The name of the AWS PrivateLink service for the CAST AI endpoint |
 
-3. Initialize Terraform. Under example root folder run:
-```
-terraform init
-```
-4. Run Terraform apply:
-```
-terraform apply -var-file=tf.vars
-```
-5. To destroy resources created by this example:
-```
-terraform destroy -var-file=tf.vars
-```
+Actual PrivateLink endpoints you can find here: https://github.com/castai/privatelink-aws
 
-Please refer to this guide if you run into any issues https://docs.cast.ai/docs/terraform-troubleshooting

examples/eks/eks_private_link/eks.tf

@@ -10,26 +10,29 @@ module "eks" {
   cluster_endpoint_public_access = true
 
   cluster_addons = {
-    coredns = {
-      most_recent = true
-    }
-    kube-proxy = {
-      most_recent = true
+    coredns = {}
+    eks-pod-identity-agent = {
+      before_compute = true
     }
+    kube-proxy = {}
     vpc-cni = {
-      most_recent = true
+      before_compute = true
     }
   }
 
   vpc_id     = module.vpc.vpc_id
   subnet_ids = module.vpc.private_subnets
 
   eks_managed_node_groups = {
-    node_group_1 = {
+    default = {
       name           = "${var.cluster_name}-ng-1"
       instance_types = ["m5.large", "m5.xlarge", "t3.large"]
       desired_size   = 2
       subnets        = module.vpc.private_subnets
+
+      iam_role_additional_policies = {
+        ssm = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+      }
     }
   }
 
@@ -48,3 +51,4 @@ module "eks" {
   ]
 
 }
+

…amples/eks/eks_private_link/endpoints.tf examples/eks/eks_private_link/network.tfexamples/eks/eks_private_link/endpoints.tf renamed to examples/eks/eks_private_link/network.tf examples/eks/eks_private_link/endpoints.tf renamed to examples/eks/eks_private_link/network.tf

@@ -1,3 +1,34 @@
+#1. Create VPC.
+data "aws_availability_zones" "available" {}
+
+module "vpc" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "5.0.0"
+
+  name = var.cluster_name
+  cidr = "10.0.0.0/16"
+
+  azs                  = data.aws_availability_zones.available.names
+  private_subnets      = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+  public_subnets       = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
+  enable_dns_hostnames = true
+  enable_dns_support   = true
+  enable_nat_gateway   = true
+  single_nat_gateway   = true
+
+
+  tags = {
+    "kubernetes.io/cluster/${var.cluster_name}" = "shared"
+  }
+
+  private_subnet_tags = {
+    "kubernetes.io/cluster/${var.cluster_name}" = "shared"
+    "kubernetes.io/role/internal-elb"           = 1
+    "cast.ai/routable"                          = "true"
+  }
+}
+
+
 resource "aws_security_group" "cast_ai_vpc_service" {
   name   = "SG used by NGINX proxy VMs"
   vpc_id = module.vpc.vpc_id
@@ -16,35 +47,65 @@ resource "aws_security_group" "cast_ai_vpc_service" {
   ]
 }
 
+locals {
+  gateway_endpoints = [
+    "s3"
+  ]
+}
+
+resource "aws_vpc_endpoint" "gateway" {
+  for_each          = toset(local.gateway_endpoints)
+  vpc_id            = module.vpc.vpc_id
+  service_name      = "com.amazonaws.${var.cluster_region}.${each.value}"
+  vpc_endpoint_type = "Gateway"
+  route_table_ids   = module.vpc.private_route_table_ids
+  tags = {
+    Name = "${var.cluster_name}-${each.value}-vpce"
+  }
+
+  depends_on = [
+    module.vpc
+  ]
+}
+
 locals {
   interface_endpoints = [
+    "ec2",
+    "ec2messages",
+    "ssm",
+    "ssmmessages",
+    "monitoring",
+    "logs",
     "ecr.api",
     "ecr.dkr",
-    "logs",
-    "sts"
+    "secretsmanager",
+    "sts",
+    "ecs-agent",
+    "ecs-telemetry"
   ]
 }
 
-resource "aws_vpc_endpoint" "interface_endpoints" {
-  for_each = toset(local.interface_endpoints)
-
+resource "aws_vpc_endpoint" "interface" {
+  for_each            = toset(local.interface_endpoints)
   vpc_id              = module.vpc.vpc_id
-  service_name        = "com.amazonaws.${var.cluster_region}.${each.key}"
+  service_name        = "com.amazonaws.${var.cluster_region}.${each.value}"
   vpc_endpoint_type   = "Interface"
   subnet_ids          = module.vpc.private_subnets
+  security_group_ids  = [aws_security_group.vpc_endpoint_sg.id]
   private_dns_enabled = true
-  security_group_ids  = [aws_security_group.vpce_sg.id]
-}
+  tags = {
+    Name = "${var.cluster_name}-${each.value}-vpce"
+  }
 
-resource "aws_vpc_endpoint" "s3" {
-  vpc_id          = module.vpc.vpc_id
-  service_name    = "com.amazonaws.${var.cluster_region}.s3"
-  route_table_ids = module.vpc.private_route_table_ids
+  depends_on = [
+    module.vpc
+  ]
 }
 
-resource "aws_security_group" "vpce_sg" {
-  name        = "vpc-endpoints-sg"
-  description = "Allow access to VPC interface endpoints"
+
+resource "aws_security_group" "vpc_endpoint_sg" {
+  name        = "${var.cluster_name}-vpce-sg"
+  description = "SG for VPC interface endpoints"
   vpc_id      = module.vpc.vpc_id
 
   ingress {
@@ -60,15 +121,18 @@ resource "aws_security_group" "vpce_sg" {
     protocol    = "-1"
     cidr_blocks = ["0.0.0.0/0"]
   }
+
+  tags = {
+    Name = "${var.cluster_name}-vpce-sg"
+  }
 }
 
 resource "aws_vpc_endpoint" "cast_ai_rest_api" {
-  vpc_id              = module.vpc.vpc_id
-  service_name        = var.rest_api_service_name
-  vpc_endpoint_type   = "Interface"
-  subnet_ids          = module.vpc.private_subnets
-  security_group_ids  = [aws_security_group.cast_ai_vpc_service.id]
-  private_dns_enabled = true
+  vpc_id             = module.vpc.vpc_id
+  service_name       = var.rest_api_service_name
+  vpc_endpoint_type  = "Interface"
+  subnet_ids         = module.vpc.private_subnets
+  security_group_ids = [aws_security_group.cast_ai_vpc_service.id]
 
   depends_on = [
     module.vpc
@@ -140,4 +204,3 @@ resource "aws_vpc_endpoint" "cast_ai_telemetry" {
   ]
 }
 
-

examples/eks/eks_private_link/tf.vars.example

@@ -1,4 +1,10 @@
-cluster_name     = "<place-holder>"
-cluster_region   = "<place-holder>"
-castai_api_token = "<place-holder>"
-profile          = "<place-holder>"
+cluster_name     = ""
+cluster_region   = ""
+castai_api_token = ""
+profile          = ""
+rest_api_service_name   = ""
+grpc_service_name       = ""
+api_grpc_service_name   = ""
+files_service_name      = ""
+kvisor_service_name     = ""
+telemetry_service_name  = ""

examples/eks/eks_private_link/variables.tf

@@ -75,8 +75,3 @@ variable "telemetry_service_name" {
   description = "Service name used to access telemetry via gRPC"
 }
 
-variable "gcp_api_ip_ranges" {
-  description = "List of GCP IP ranges to allow outbound to (e.g. for Artifact Registry, Google APIs)"
-  type        = list(string)
-}
-