c8be9d7414
- Add Prometheus metrics for marketplace API throughput and error rates with new dashboard panels - Implement confidential transaction models with encryption support and access control - Add key management system with registration, rotation, and audit logging - Create services and registry routers for service discovery and management - Integrate ZK proof generation for privacy-preserving receipts - Add metrics instru
200 lines
5.0 KiB
HCL
200 lines
5.0 KiB
HCL
# Kubernetes cluster module for AITBC infrastructure
|
|
|
|
terraform {
|
|
required_version = ">= 1.0"
|
|
required_providers {
|
|
aws = {
|
|
source = "hashicorp/aws"
|
|
version = "~> 5.0"
|
|
}
|
|
kubernetes = {
|
|
source = "hashicorp/kubernetes"
|
|
version = "~> 2.20"
|
|
}
|
|
helm = {
|
|
source = "hashicorp/helm"
|
|
version = "~> 2.10"
|
|
}
|
|
}
|
|
}
|
|
|
|
provider "aws" {
|
|
region = var.aws_region
|
|
}
|
|
|
|
# VPC for the cluster
|
|
resource "aws_vpc" "main" {
|
|
cidr_block = var.vpc_cidr
|
|
enable_dns_hostnames = true
|
|
enable_dns_support = true
|
|
|
|
tags = {
|
|
Name = "${var.cluster_name}-vpc"
|
|
Environment = var.environment
|
|
Project = "aitbc"
|
|
}
|
|
}
|
|
|
|
# Subnets
|
|
resource "aws_subnet" "private" {
|
|
count = length(var.private_subnet_cidrs)
|
|
|
|
vpc_id = aws_vpc.main.id
|
|
cidr_block = var.private_subnet_cidrs[count.index]
|
|
availability_zone = var.availability_zones[count.index]
|
|
|
|
tags = {
|
|
Name = "${var.cluster_name}-private-${count.index}"
|
|
Environment = var.environment
|
|
"kubernetes.io/cluster/${var.cluster_name}" = "shared"
|
|
"kubernetes.io/role/internal-elb" = "1"
|
|
}
|
|
}
|
|
|
|
resource "aws_subnet" "public" {
|
|
count = length(var.public_subnet_cidrs)
|
|
|
|
vpc_id = aws_vpc.main.id
|
|
cidr_block = var.public_subnet_cidrs[count.index]
|
|
availability_zone = var.availability_zones[count.index]
|
|
map_public_ip_on_launch = true
|
|
|
|
tags = {
|
|
Name = "${var.cluster_name}-public-${count.index}"
|
|
Environment = var.environment
|
|
"kubernetes.io/cluster/${var.cluster_name}" = "shared"
|
|
"kubernetes.io/role/elb" = "1"
|
|
}
|
|
}
|
|
|
|
# EKS Cluster
|
|
resource "aws_eks_cluster" "main" {
|
|
name = var.cluster_name
|
|
role_arn = aws_iam_role.cluster.arn
|
|
version = var.kubernetes_version
|
|
|
|
vpc_config {
|
|
subnet_ids = concat(
|
|
aws_subnet.private[*].id,
|
|
aws_subnet.public[*].id
|
|
)
|
|
endpoint_private_access = true
|
|
endpoint_public_access = var.enable_public_endpoint
|
|
}
|
|
|
|
depends_on = [
|
|
aws_iam_role_policy_attachment.cluster_AmazonEKSClusterPolicy
|
|
]
|
|
|
|
tags = {
|
|
Name = var.cluster_name
|
|
Environment = var.environment
|
|
Project = "aitbc"
|
|
}
|
|
}
|
|
|
|
# Node groups
|
|
resource "aws_eks_node_group" "main" {
|
|
cluster_name = aws_eks_cluster.main.name
|
|
node_group_name = "${var.cluster_name}-main"
|
|
node_role_arn = aws_iam_role.node.arn
|
|
subnet_ids = aws_subnet.private[*].id
|
|
|
|
scaling_config {
|
|
desired_size = var.desired_node_count
|
|
max_size = var.max_node_count
|
|
min_size = var.min_node_count
|
|
}
|
|
|
|
instance_types = var.instance_types
|
|
|
|
depends_on = [
|
|
aws_iam_role_policy_attachment.node_AmazonEKSWorkerNodePolicy,
|
|
aws_iam_role_policy_attachment.node_AmazonEKS_CNI_Policy,
|
|
aws_iam_role_policy_attachment.node_AmazonEC2ContainerRegistryReadOnly
|
|
]
|
|
|
|
tags = {
|
|
Name = "${var.cluster_name}-main"
|
|
Environment = var.environment
|
|
Project = "aitbc"
|
|
}
|
|
}
|
|
|
|
# IAM roles
|
|
resource "aws_iam_role" "cluster" {
|
|
name = "${var.cluster_name}-cluster"
|
|
|
|
assume_role_policy = jsonencode({
|
|
Version = "2012-10-17"
|
|
Statement = [
|
|
{
|
|
Action = "sts:AssumeRole"
|
|
Effect = "Allow"
|
|
Principal = {
|
|
Service = "eks.amazonaws.com"
|
|
}
|
|
}
|
|
]
|
|
})
|
|
}
|
|
|
|
resource "aws_iam_role" "node" {
|
|
name = "${var.cluster_name}-node"
|
|
|
|
assume_role_policy = jsonencode({
|
|
Version = "2012-10-17"
|
|
Statement = [
|
|
{
|
|
Action = "sts:AssumeRole"
|
|
Effect = "Allow"
|
|
Principal = {
|
|
Service = "ec2.amazonaws.com"
|
|
}
|
|
}
|
|
]
|
|
})
|
|
}
|
|
|
|
# IAM policy attachments
|
|
resource "aws_iam_role_policy_attachment" "cluster_AmazonEKSClusterPolicy" {
|
|
policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
|
|
role = aws_iam_role.cluster.name
|
|
}
|
|
|
|
resource "aws_iam_role_policy_attachment" "node_AmazonEKSWorkerNodePolicy" {
|
|
policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
|
|
role = aws_iam_role.node.name
|
|
}
|
|
|
|
resource "aws_iam_role_policy_attachment" "node_AmazonEKS_CNI_Policy" {
|
|
policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
|
|
role = aws_iam_role.node.name
|
|
}
|
|
|
|
resource "aws_iam_role_policy_attachment" "node_AmazonEC2ContainerRegistryReadOnly" {
|
|
policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
|
|
role = aws_iam_role.node.name
|
|
}
|
|
|
|
# Outputs
|
|
output "cluster_name" {
|
|
description = "The name of the EKS cluster"
|
|
value = aws_eks_cluster.main.name
|
|
}
|
|
|
|
output "cluster_endpoint" {
|
|
description = "The endpoint for the EKS cluster"
|
|
value = aws_eks_cluster.main.endpoint
|
|
}
|
|
|
|
output "cluster_certificate_authority_data" {
|
|
description = "The certificate authority data for the EKS cluster"
|
|
value = aws_eks_cluster.main.certificate_authority[0].data
|
|
}
|
|
|
|
output "cluster_security_group_id" {
|
|
description = "The security group ID of the EKS cluster"
|
|
value = aws_eks_cluster.main.vpc_config[0].cluster_security_group_id
|
|
}
|