Skip to content

Commit

Permalink
server-1658 | Added AWS IRSA example (#140)
Browse files Browse the repository at this point in the history
* server-1658 | Added AWS IRSA exmaple

* server-1658 | update AWS IRSA exmaple in ReadMe

Co-authored-by: Atul Singh <[email protected]>
  • Loading branch information
atulsingh0 and atulsingh0 authored Mar 29, 2022
1 parent 020f9cf commit dc6342c
Show file tree
Hide file tree
Showing 3 changed files with 88 additions and 11 deletions.
23 changes: 12 additions & 11 deletions nomad-aws/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ provider "aws" {
module "nomad_clients" {
# We strongly recommend pinning the version using ref=<<release tag>> as is done here
source = "git::https://github.com/CircleCI-Public/server-terraform.git//nomad-aws?ref=3.2.0"
source = "git::https://github.com/CircleCI-Public/server-terraform.git//nomad-aws?ref=3.4.0"
# Number of nomad clients to run
nodes = 4
Expand All @@ -44,22 +44,22 @@ module "nomad_clients" {
"vendor" = "circleci"
"team" = "sre"
}
}
output "nomad_server_cert" {
value = module.nomad_clients.nomad_server_cert
}
nomad_auto_scaler = false # If true, terraform will generate an IAM user to be used by nomad-autoscaler in CircleCI Server.
output "nomad_server_key" {
value = module.nomad_clients.nomad_server_key
# enable_irsa input will allow K8s service account to use IAM roles, you have to replace REGION, ACCOUNT_ID, OIDC_ID and K8S_NAMESPACE with appropriate value
# for more info, visit - https://docs.aws.amazon.com/eks/latest/userguide/create-service-account-iam-policy-and-role.html
enable_irsa = {}
}
output "nomad_ca" {
value = module.nomad_clients.nomad_tls_ca
output "nomad" {
value = module.nomad_clients
}
```

There are more examples in the `examples` directory.
There are more examples in the [examples](./examples/) directory.
- [Basic example](./examples/basic/main.tf)
- [IRSA example](./examples/irsa/main.tf)


## Inputs

Expand All @@ -82,6 +82,7 @@ There are more examples in the `examples` directory.
| subnet | Subnet ID | `string` | `""` | yes* |
| subnets | Subnet IDs | `list(string)` | `[""]` | yes* |
| vpc\_id | VPC ID of VPC used for Nomad resources | `string` | n/a | yes |
| enable_irsa | Enable IAM Roles for K8s service account | `map` | `{}` | no |

* Note: `subnet` or `subnets` is required, but not both. The use of `subnet` will supersede `subnets`.

Expand Down
4 changes: 4 additions & 0 deletions nomad-aws/examples/basic/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -54,3 +54,7 @@ module "nomad-aws" {
nomad_auto_scaler = false # If true, terraform will generate an IAM user to be used by nomad-autoscaler in CircleCI Server. The keys will be available in terraform's output
max_nodes = 5 # the max number of clients to scale to. Must be greater than our equal to the nodes set above.
}

output "nomad_module" {
value = module.nomad-aws
}
72 changes: 72 additions & 0 deletions nomad-aws/examples/irsa/main.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,72 @@
terraform {
required_version = ">=0.15.2"
required_providers {
aws = {
source = "hashicorp/aws"
version = "~>3.0"
}
}
}

provider "aws" {
region = "us-east-1"
}

# An example VPC for demonstration. This might already exist if you deployed
# server in a preexisting VPC and want your nomad clients to run there,
# In that case, you should make the appropriate changes in this file.
module "vpc" {
source = "terraform-aws-modules/vpc/aws"

name = "nomad-vpc"
cidr = "10.0.0.0/16"
azs = ["us-east-1a"]
public_subnets = ["10.0.0.0/24"]
private_subnets = ["10.0.1.0/24"]
enable_nat_gateway = true
single_nat_gateway = true
enable_dns_hostnames = true
}

module "nomad-aws" {
source = "../.."

# prefix to add in AWS resources name
basename = "cci"

# Number of nomad clients to run
nodes = 4

subnet = module.vpc.public_subnets[0]
vpc_id = module.vpc.vpc_id

# Location of your Nomad server endpoint. This should be exposed from your
# server installation via a load balancer service.
server_endpoint = "example.com:4647"

# AWS DNS Server runs on the third IP address of the VPC block. We define it
# here to allow access to if from the Nomad clients.
dns_server = "10.0.0.2"

blocked_cidrs = [
# Block access to private subnet. You may which to do this if you
# Kubernetes cluster is some other resource you don't want your CI jobs to
# access is running there.
module.vpc.private_subnets[0]
]

nomad_auto_scaler = true # If true, terraform will generate an IAM user to be used by nomad-autoscaler in CircleCI Server.
max_nodes = 5 # the max number of clients to scale to. Must be greater than our equal to the nodes set above.

# enable_irsa input will allow K8s service account to use IAM roles, you have to replace REGION, ACCOUNT_ID, OIDC_ID and K8S_NAMESPACE with appropriate value
# for more info, visit - https://docs.aws.amazon.com/eks/latest/userguide/create-service-account-iam-policy-and-role.html
enable_irsa = {
oidc_principal_id = "arn:aws:iam::<ACCOUNT_ID>:oidc-provider/oidc.eks.<REGION>.amazonaws.com/id/<OIDC_ID>"
oidc_eks_variable = "oidc.eks.<REGION>.amazonaws.com/id/<OIDC_ID>:sub"
k8s_service_account = "system:serviceaccount:<K8S_NAMESPACE>:nomad-autoscaler"
}
}

output "nomad_module" {
value = module.nomad-aws
}

0 comments on commit dc6342c

Please sign in to comment.