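terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "3.72.0"
    }
  }
}

provider "aws" {
  region = var.region
}

# Remote state. A backend block cannot reference variables, so the bucket, key,
# region and lock table are literals (the region here is independent of
# var.region). Replace DOC-EXAMPLE-BUCKET with the real state bucket before
# `terraform init`. The state file describes the IAM role/policy and network
# layout, so the bucket should stay private and versioned; `encrypt = true`
# requests server-side encryption of the state object.
terraform {
  backend "s3" {
    bucket         = "DOC-EXAMPLE-BUCKET"
    key            = "network.tfstate"
    region         = "eu-central-1"
    dynamodb_table = "private-windows-eks-tf-lock"
    encrypt        = true
  }
}

# Isolated VPC for the private EKS cluster: no internet gateway, no NAT and no
# VPN gateway, so its subnets are reachable only through the peering connection
# further down. DNS hostnames are enabled so the peered bastion can resolve
# names inside this VPC (see allow_remote_vpc_dns_resolution).
# NOTE(review): no `version` constraint on this module source; pin it as the
# ec2_instance module below does, so `init` cannot silently pull a new major.
module "private_vpc" {
  source = "terraform-aws-modules/vpc/aws"

  name = "sample-repo-vpc-private"
  cidr = var.vpc_private_cidr
  azs  = var.azs_private

  private_subnets      = var.private_subnets
  enable_dns_hostnames = true
  create_igw           = false
  enable_nat_gateway   = false
  enable_vpn_gateway   = false
}

# Public VPC hosting the bastion host: internet gateway created, public subnets
# only, no NAT/VPN. The egress-only (IPv6) internet gateway is disabled.
# NOTE(review): same as above, the module source is unpinned.
module "public_vpc" {
  source = "terraform-aws-modules/vpc/aws"

  name = "sample-repo-vpc-public"
  cidr = var.vpc_public_cidr
  azs  = var.azs_public

  public_subnets         = var.public_subnets
  create_igw             = true
  create_egress_only_igw = false
  enable_dns_hostnames   = true
  enable_nat_gateway     = false
  enable_vpn_gateway     = false
}

# Instance profile that attaches ec2_eks_role to the bastion host.
resource "aws_iam_instance_profile" "ec2_eks_terraform" {
  name = "ec2_eks_terraform"
  role = aws_iam_role.ec2_eks_role.name
}

# Loads the pre-defined policy document from bastion_host_policy.json next to
# this configuration. Review that document for least privilege: through the
# instance profile, every process on the bastion (not only the operator) can
# exercise these permissions.
resource "aws_iam_policy" "ec2_eks_terraform_policy" {
  name        = "ec2_eks_terraform_policy"
  path        = "/"
  description = "Policy to create EKS cluster with Windows and Linux Nodes"
  # file() already yields a string; the legacy "${...}" wrapper was redundant.
  policy = file("bastion_host_policy.json")
}

# Role assumed by EC2 (trust policy below) and carrying the policy above.
# managed_policy_arns is exclusive: Terraform detaches any managed policy that
# is attached to this role outside of this list.
resource "aws_iam_role" "ec2_eks_role" {
  name                = "ec2_eks_role_terraform"
  managed_policy_arns = [aws_iam_policy.ec2_eks_terraform_policy.arn]

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Sid    = ""
        Principal = {
          Service = "ec2.amazonaws.com"
        }
      },
    ]
  })
}

# Bastion host in the first public subnet. It carries the instance profile
# above, so its credentials grant whatever ec2_eks_terraform_policy allows.
module "ec2_instance" {
  source  = "terraform-aws-modules/ec2-instance/aws"
  version = "~> 3.0"

  name          = "bastion-host"
  ami           = data.aws_ami.amazon-linux-2.id
  instance_type = "t2.micro"
  key_name      = var.bastion_host_key_name
  # Detailed CloudWatch monitoring is disabled for this host.
  monitoring = false

  vpc_security_group_ids = [aws_security_group.allow_ssh.id]
  subnet_id              = module.public_vpc.public_subnets[0]
  iam_instance_profile   = aws_iam_instance_profile.ec2_eks_terraform.name

  # NOTE(review): consider requiring IMDSv2 for this instance
  # (`metadata_options = { http_tokens = "required" }`) so the instance-profile
  # credentials cannot be read with an unauthenticated IMDSv1 request.

  # NOTE(review): the body of this bootstrap script was lost when the page was
  # extracted; only its tail (a line appended to ~/.bashrc and the kubectl
  # version check) survived. Restore the script from the project repository
  # before applying and review every line it writes to ~/.bashrc.
  user_data = <<EOF
# <BOOTSTRAP SCRIPT BODY MISSING FROM SOURCE PAGE - restore before use>
# <missing command> >> ~/.bashrc
kubectl version --short --client
EOF
}

# Security group for the bastion. SSH is admitted only from the ranges in
# var.ssh_bastion_cidr; keep that variable to known administrator addresses
# (a 0.0.0.0/0 entry would expose SSH to the whole internet). The ingress
# description "SSH from VPC" predates the variable and is kept unchanged.
# Egress is unrestricted so the host can reach the EKS API, package
# repositories and AWS endpoints; tighten it if policy requires.
resource "aws_security_group" "allow_ssh" {
  name        = "allow_ssh"
  description = "Allow SSH inbound traffic"
  vpc_id      = module.public_vpc.vpc_id

  ingress {
    description = "SSH from VPC"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = var.ssh_bastion_cidr
  }

  egress {
    description = "Allow egress"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Most recent Amazon-owned Amazon Linux 2 x86_64 EBS-backed AMI. Because
# most_recent is true, the resolved id can change between plans and trigger
# a replacement of the bastion.
data "aws_ami" "amazon-linux-2" {
  owners      = ["amazon"]
  most_recent = true

  filter {
    name   = "name"
    values = ["amzn2-ami-hvm-*-x86_64-ebs"]
  }
}

# Peering between the public (bastion) VPC and the private (EKS) VPC. Both
# VPCs come from the same provider configuration, which is what auto_accept
# requires. Remote DNS resolution is enabled on both sides so each VPC can
# resolve private hostnames in the other.
resource "aws_vpc_peering_connection" "bastion-private-EKS" {
  peer_vpc_id = module.public_vpc.vpc_id
  vpc_id      = module.private_vpc.vpc_id
  auto_accept = true

  tags = {
    Name = "VPC Peering between Bastion Host and private EKS cluster"
  }

  accepter {
    allow_remote_vpc_dns_resolution = true
  }

  requester {
    allow_remote_vpc_dns_resolution = true
  }
}

# Routes from each private route table towards the public VPC over the peering
# connection. The three fixed indexes assume var.private_subnets yields exactly
# three private route tables (presumably one per private subnet with NAT
# disabled - confirm against the vpc module version in use): fewer entries make
# `plan` fail with an index error, more leave subnets without a return path.
resource "aws_route" "peeringConnection-private-a" {
  route_table_id            = module.private_vpc.private_route_table_ids[0]
  destination_cidr_block    = module.public_vpc.vpc_cidr_block
  vpc_peering_connection_id = aws_vpc_peering_connection.bastion-private-EKS.id
}

resource "aws_route" "peeringConnection-private-b" {
  route_table_id            = module.private_vpc.private_route_table_ids[1]
  destination_cidr_block    = module.public_vpc.vpc_cidr_block
  vpc_peering_connection_id = aws_vpc_peering_connection.bastion-private-EKS.id
}

resource "aws_route" "peeringConnection-private-c" {
  route_table_id            = module.private_vpc.private_route_table_ids[2]
  destination_cidr_block    = module.public_vpc.vpc_cidr_block
  vpc_peering_connection_id = aws_vpc_peering_connection.bastion-private-EKS.id
}

# Return route from the public VPC's route table to the private VPC.
resource "aws_route" "peeringConnection-public-a" {
  route_table_id            = module.public_vpc.public_route_table_ids[0]
  destination_cidr_block    = module.private_vpc.vpc_cidr_block
  vpc_peering_connection_id = aws_vpc_peering_connection.bastion-private-EKS.id
}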