public MyStack()
{
var gw = new Aws.Ec2.InternetGateway("gw", new Aws.Ec2.InternetGatewayArgs
{
Tags =
{
{ "Name", "main" },
},
VpcId = aws_vpc.Main.Id,
});
}
private static void ConfigureNetworking()
{
var vpc = new Ec2.Vpc($"{baseName}-vpc", new Ec2.VpcArgs()
{
EnableDnsSupport = true,
EnableDnsHostnames = true,
CidrBlock = "10.0.0.0/16",
});
var subnetOne = new Ec2.Subnet($"{baseName}-subnet-one", new Ec2.SubnetArgs()
{
VpcId = vpc.Id,
CidrBlock = "10.0.0.0/24",
MapPublicIpOnLaunch = true,
AvailabilityZone = "eu-west-1a",
});
var subnetTwo = new Ec2.Subnet($"{baseName}-subnet-two", new Ec2.SubnetArgs()
{
VpcId = vpc.Id,
CidrBlock = "10.0.1.0/24",
MapPublicIpOnLaunch = true,
AvailabilityZone = "eu-west-1b",
});
var gateway = new Ec2.InternetGateway($"{baseName}-gateway", new Ec2.InternetGatewayArgs()
{
VpcId = vpc.Id,
});
var routeTable = new Ec2.RouteTable($"{baseName}-routetable", new Ec2.RouteTableArgs()
{
VpcId = vpc.Id,
});
var publicRoute = new Ec2.Route($"{baseName}-publicroute", new Ec2.RouteArgs()
{
RouteTableId = routeTable.Id,
DestinationCidrBlock = "0.0.0.0/0",
GatewayId = gateway.Id,
});
var subnetOneRouteAssociation = new Ec2.RouteTableAssociation($"{baseName}-subnetoneroutes", new Ec2.RouteTableAssociationArgs()
{
SubnetId = subnetOne.Id,
RouteTableId = routeTable.Id,
});
vpcId = vpc.Id;
subnetId = subnetOne.Id;
subnetTwoId = subnetTwo.Id;
}
static Task <int> Main()
{
return(Deployment.RunAsync(async() => {
var region = Aws.Config.Region;
var fullProjectStack = $"{Deployment.Instance.ProjectName}-{Deployment.Instance.StackName}";
// Create the VPC.
var vpc = new Ec2.Vpc("VPC", new Ec2.VpcArgs {
CidrBlock = Config.VpcCidr,
InstanceTenancy = Config.VpcTenancy,
EnableDnsSupport = true,
EnableDnsHostnames = true,
Tags = new Dictionary <string, object> {
{ "Name", fullProjectStack }
},
});
// Associate DHCP options with our VPC.
var dhcpOptions = new Ec2.VpcDhcpOptions("DHCPOptions", new Ec2.VpcDhcpOptionsArgs {
DomainName = (region == "us-east-1" ? "ec2.internal" : $"{region}.compute.internal"),
DomainNameServers = { "AmazonProvidedDNS" },
});
var vpcDhcpOptionsAssociation = new Ec2.VpcDhcpOptionsAssociation("VPCDHCPOptionsAssociation", new Ec2.VpcDhcpOptionsAssociationArgs {
VpcId = vpc.Id,
DhcpOptionsId = dhcpOptions.Id,
});
// Create an Internet Gateway for our public subnet to connect to the Internet.
var internetGateway = new Ec2.InternetGateway("InternetGateway", new Ec2.InternetGatewayArgs {
VpcId = vpc.Id,
Tags = new Dictionary <string, object> {
{ "Name", fullProjectStack }
},
});
// Creat a Route Table for public subnets to use the Internet Gateway for 0.0.0.0/0 traffic.
var publicSubnetRouteTable = new Ec2.RouteTable("PublicSubnetRouteTable", new Ec2.RouteTableArgs {
VpcId = vpc.Id,
Tags = new Dictionary <string, object> {
{ "Name", "Public Subnets" },
{ "Network", "Public" },
},
});
var publicSubnetRoute = new Ec2.Route("PublicSubnetRoute", new Ec2.RouteArgs {
RouteTableId = publicSubnetRouteTable.Id,
DestinationCidrBlock = "0.0.0.0/0",
GatewayId = internetGateway.Id,
});
// For each AZ, create the NAT Gateways and public and private subnets. Keep track of various properties
// so that they can be exported as top-level stack exports later on.
var natEips = ImmutableArray.CreateBuilder <Output <string> >();
var publicSubnetIds = ImmutableArray.CreateBuilder <Output <string> >();
var privateSubnetIds = ImmutableArray.CreateBuilder <Output <string> >();
var protectedSubnetIds = ImmutableArray.CreateBuilder <Output <string> >();
var privateSubnetRouteTableIds = ImmutableArray.CreateBuilder <Output <string> >();
var publicSubnetCidrs = await Config.GetPublicSubnetCidrs();
var publicSubnetTags = await Config.GetPublicSubnetTags();
var privateSubnetCidrs = await Config.GetPrivateSubnetCidrs();
var privateSubnetTags = await Config.GetPrivateSubnetTags();
var protectedSubnetCidrs = await Config.GetProtectedSubnetCidrs();
var protectedSubnetTags = await Config.GetProtectedSubnetTags();
var azs = await Config.GetAvailabilityZones();
for (var i = 0; i < azs.Length; i++)
{
var az = azs[i];
// Each AZ gets a public subnet.
var publicSubnet = new Ec2.Subnet($"PublicSubnet{i}", new Ec2.SubnetArgs {
VpcId = vpc.Id,
AvailabilityZone = az,
CidrBlock = publicSubnetCidrs[i],
MapPublicIpOnLaunch = true,
Tags = publicSubnetTags[i].Add("Name", $"Public subnet {i}"),
});
publicSubnetIds.Add(publicSubnet.Id);
var publicSubnetRouteTableAssociation = new Ec2.RouteTableAssociation($"PublicSubnet{i}RouteTableAssociation", new Ec2.RouteTableAssociationArgs {
SubnetId = publicSubnet.Id,
RouteTableId = publicSubnetRouteTable.Id,
});
// If desired, create a NAT Gateway and private subnet for each AZ.
if (Config.CreatePrivateSubnets)
{
var natEip = new Ec2.Eip($"NAT{i}EIP", new Ec2.EipArgs {
Vpc = true
}, new CustomResourceOptions {
DependsOn = { internetGateway }
});
var natGateway = new Ec2.NatGateway($"NATGateway{i}", new Ec2.NatGatewayArgs {
SubnetId = publicSubnet.Id,
AllocationId = natEip.Id,
});
natEips.Add(natEip.PublicIp);
var privateSubnet = new Ec2.Subnet($"PrivateSubnet{i}A", new Ec2.SubnetArgs {
VpcId = vpc.Id,
AvailabilityZone = az,
CidrBlock = privateSubnetCidrs[i],
Tags = privateSubnetTags[i].Add("Name", $"Private subnet {i}A"),
});
privateSubnetIds.Add(privateSubnet.Id);
var privateSubnetRouteTable = new Ec2.RouteTable($"PrivateSubnet{i}ARouteTable", new Ec2.RouteTableArgs {
VpcId = vpc.Id,
Tags = new Dictionary <string, object> {
{ "Name", $"Private subnet {i}A" },
{ "Network", "Private" },
},
});
var privateSubnetRoute = new Ec2.Route($"PrivateSubnet{i}ARoute", new Ec2.RouteArgs {
RouteTableId = privateSubnetRouteTable.Id,
DestinationCidrBlock = "0.0.0.0/0",
NatGatewayId = natGateway.Id,
});
var privateSubnetRouteTableAssociation = new Ec2.RouteTableAssociation($"PrivateSubnet{i}ARouteTableAssociation", new Ec2.RouteTableAssociationArgs {
SubnetId = privateSubnet.Id,
RouteTableId = privateSubnetRouteTable.Id,
});
// Remember the route table ID for the VPC endpoint later.
privateSubnetRouteTableIds.Add(privateSubnetRouteTable.Id);
// If desired, create additional private subnets with dedicated network ACLs for extra protection.
if (Config.CreateProtectedSubnets)
{
var protectedSubnet = new Ec2.Subnet($"PrivateSubnet{i}B", new Ec2.SubnetArgs {
VpcId = vpc.Id,
AvailabilityZone = az,
CidrBlock = protectedSubnetCidrs[i],
Tags = protectedSubnetTags[i].Add("Name", $"Private subnet ${i}B"),
});
protectedSubnetIds.Add(protectedSubnet.Id);
var protectedSubnetRouteTable = new Ec2.RouteTable($"PrivateSubnet{i}BRouteTable", new Ec2.RouteTableArgs {
VpcId = vpc.Id,
Tags = new Dictionary <string, object> {
{ "Name", $"Private subnet {i}B" },
{ "Network", "Private" },
},
});
var protectedSubnetRoute = new Ec2.Route($"PrivateSubnet{i}BRoute", new Ec2.RouteArgs {
RouteTableId = protectedSubnetRouteTable.Id,
DestinationCidrBlock = "0.0.0.0/0",
NatGatewayId = natGateway.Id,
});
var protectedSubnetRouteTableAssociation = new Ec2.RouteTableAssociation($"PrivateSubnet{i}BRouteTableAssociation", new Ec2.RouteTableAssociationArgs {
SubnetId = protectedSubnet.Id,
RouteTableId = protectedSubnetRouteTable.Id,
});
var protectedSubnetNetworkAcl = new Ec2.NetworkAcl($"PrivateSubnet{i}BNetworkAcl", new Ec2.NetworkAclArgs {
VpcId = vpc.Id,
SubnetIds = { protectedSubnet.Id },
Tags = new Dictionary <string, object> {
{ "Name", $"NACL protected subnet {i}" },
{ "Network", "NACL Protected" },
},
});
var protectedSubnetNetworkAclEntryInbound = new Ec2.NetworkAclRule($"PrivateSubnet{i}BNetworkAclEntryInbound", new Ec2.NetworkAclRuleArgs {
NetworkAclId = protectedSubnetNetworkAcl.Id,
CidrBlock = "0.0.0.0/0",
Egress = false,
Protocol = "-1",
RuleAction = "allow",
RuleNumber = 100,
});
var protectedSubnetNetworkAclEntryOutbound = new Ec2.NetworkAclRule($"PrivateSubnet{i}BNetworkAclEntryOutbound", new Ec2.NetworkAclRuleArgs {
NetworkAclId = protectedSubnetNetworkAcl.Id,
CidrBlock = "0.0.0.0/0",
Egress = true,
Protocol = "-1",
RuleAction = "allow",
RuleNumber = 100,
});
// Remember the route table ID for the VPC endpoint later.
privateSubnetRouteTableIds.Add(protectedSubnetRouteTable.Id);
}
}
}
// If we created private subnets, allocate an S3 VPC Endpoint to simplify access to S3.
Output <string>?s3VpcEndpointId = null;
if (Config.CreatePrivateSubnets)
{
s3VpcEndpointId = new Ec2.VpcEndpoint("S3VPCEndpoint", new Ec2.VpcEndpointArgs {
VpcId = vpc.Id,
Policy = @"{
""Version"": ""2012-10-17"",
""Statement"": [{
""Action"": ""*"",
""Effect"": ""Allow"",
""Resource"": ""*"",
""Principal"": ""*""
}]
}
",
RouteTableIds = privateSubnetRouteTableIds.ToImmutable(),
ServiceName = $"com.amazonaws.{region}.s3",
}).Id;
}
// Export all of the resulting properties that upstream stacks may want to consume.
return new Dictionary <string, object?>
{
{ "vpcId", vpc.Id },
{ "vpcCidr", vpc.CidrBlock },
{ "natEips", natEips.ToImmutableArray() },
{ "publicSubnetIds", publicSubnetIds.ToImmutableArray() },
{ "publicSubnetCidrs", publicSubnetCidrs },
{ "publicSubnetRouteTableId", publicSubnetRouteTable.Id },
{ "privateSubnetIds", privateSubnetIds.ToImmutableArray() },
{ "privateSubnetCidrs", privateSubnetCidrs },
{ "protectedSubnetIds", protectedSubnetIds.ToImmutableArray() },
{ "protectedSubnetCidrs", protectedSubnetCidrs },
{ "privateSubnetRouteTableIds", privateSubnetRouteTableIds.ToImmutableArray() },
{ "s3VpcEndpointId", s3VpcEndpointId },
};
}));
}
private async Task <IDictionary <string, Output <string> > > Initialize()
{
// VPC
var eksVpc = new Aws.Ec2.Vpc("eksVpc", new Aws.Ec2.VpcArgs
{
CidrBlock = "10.100.0.0/16",
InstanceTenancy = "default",
EnableDnsHostnames = true,
EnableDnsSupport = true,
Tags =
{
{ "Name", "pulumi-eks-vpc" },
},
});
var eksIgw = new Aws.Ec2.InternetGateway("eksIgw", new Aws.Ec2.InternetGatewayArgs
{
VpcId = eksVpc.Id,
Tags =
{
{ "Name", "pulumi-vpc-ig" },
},
});
var eksRouteTable = new Aws.Ec2.RouteTable("eksRouteTable", new Aws.Ec2.RouteTableArgs
{
VpcId = eksVpc.Id,
Routes =
{
new Aws.Ec2.Inputs.RouteTableRouteArgs
{
CidrBlock = "0.0.0.0/0",
GatewayId = eksIgw.Id,
},
},
Tags =
{
{ "Name", "pulumi-vpc-rt" },
},
});
// Subnets, one for each AZ in a region
var zones = await Aws.GetAvailabilityZones.InvokeAsync();
var vpcSubnet = new List <Aws.Ec2.Subnet>();
foreach (var range in zones.Names.Select((v, k) => new { Key = k, Value = v }))
{
vpcSubnet.Add(new Aws.Ec2.Subnet($"vpcSubnet-{range.Key}", new Aws.Ec2.SubnetArgs
{
AssignIpv6AddressOnCreation = false,
VpcId = eksVpc.Id,
MapPublicIpOnLaunch = true,
CidrBlock = $"10.100.{range.Key}.0/24",
AvailabilityZone = range.Value,
Tags =
{
{ "Name", $"pulumi-sn-{range.Value}" },
},
}));
}
var rta = new List <Aws.Ec2.RouteTableAssociation>();
foreach (var range in zones.Names.Select((v, k) => new { Key = k, Value = v }))
{
rta.Add(new Aws.Ec2.RouteTableAssociation($"rta-{range.Key}", new Aws.Ec2.RouteTableAssociationArgs
{
RouteTableId = eksRouteTable.Id,
SubnetId = vpcSubnet[range.Key].Id,
}));
}
var subnetIds = vpcSubnet.Select(__item => __item.Id).ToList();
var eksSecurityGroup = new Aws.Ec2.SecurityGroup("eksSecurityGroup", new Aws.Ec2.SecurityGroupArgs
{
VpcId = eksVpc.Id,
Description = "Allow all HTTP(s) traffic to EKS Cluster",
Tags =
{
{ "Name", "pulumi-cluster-sg" },
},
Ingress =
{
new Aws.Ec2.Inputs.SecurityGroupIngressArgs
{
CidrBlocks =
{
"0.0.0.0/0",
},
FromPort = 443,
ToPort = 443,
Protocol = "tcp",
Description = "Allow pods to communicate with the cluster API Server.",
},
new Aws.Ec2.Inputs.SecurityGroupIngressArgs
{
CidrBlocks =
{
"0.0.0.0/0",
},
FromPort = 80,
ToPort = 80,
Protocol = "tcp",
Description = "Allow internet access to pods",
},
},
});
// EKS Cluster Role
var eksRole = new Aws.Iam.Role("eksRole", new Aws.Iam.RoleArgs
{
AssumeRolePolicy = JsonSerializer.Serialize(new Dictionary <string, object?>
{
{ "Version", "2012-10-17" },
{ "Statement", new[]
{
new Dictionary <string, object?>
{
{ "Action", "sts:AssumeRole" },
{ "Principal", new Dictionary <string, object?>
{
{ "Service", "eks.amazonaws.com" },
} },
{ "Effect", "Allow" },
{ "Sid", "" },
},
} },
}),
});
var servicePolicyAttachment = new Aws.Iam.RolePolicyAttachment("servicePolicyAttachment", new Aws.Iam.RolePolicyAttachmentArgs
{
Role = eksRole.Id,
PolicyArn = "arn:aws:iam::aws:policy/AmazonEKSServicePolicy",
});
var clusterPolicyAttachment = new Aws.Iam.RolePolicyAttachment("clusterPolicyAttachment", new Aws.Iam.RolePolicyAttachmentArgs
{
Role = eksRole.Id,
PolicyArn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy",
});
// EC2 NodeGroup Role
var ec2Role = new Aws.Iam.Role("ec2Role", new Aws.Iam.RoleArgs
{
AssumeRolePolicy = JsonSerializer.Serialize(new Dictionary <string, object?>
{
{ "Version", "2012-10-17" },
{ "Statement", new[]
{
new Dictionary <string, object?>
{
{ "Action", "sts:AssumeRole" },
{ "Principal", new Dictionary <string, object?>
{
{ "Service", "ec2.amazonaws.com" },
} },
{ "Effect", "Allow" },
{ "Sid", "" },
},
} },
}),
});
var workerNodePolicyAttachment = new Aws.Iam.RolePolicyAttachment("workerNodePolicyAttachment", new Aws.Iam.RolePolicyAttachmentArgs
{
Role = ec2Role.Id,
PolicyArn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
});
var cniPolicyAttachment = new Aws.Iam.RolePolicyAttachment("cniPolicyAttachment", new Aws.Iam.RolePolicyAttachmentArgs
{
Role = ec2Role.Id,
PolicyArn = "arn:aws:iam::aws:policy/AmazonEKSCNIPolicy",
});
var registryPolicyAttachment = new Aws.Iam.RolePolicyAttachment("registryPolicyAttachment", new Aws.Iam.RolePolicyAttachmentArgs
{
Role = ec2Role.Id,
PolicyArn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
});
// EKS Cluster
var eksCluster = new Aws.Eks.Cluster("eksCluster", new Aws.Eks.ClusterArgs
{
RoleArn = eksRole.Arn,
Tags =
{
{ "Name", "pulumi-eks-cluster" },
},
VpcConfig = new Aws.Eks.Inputs.ClusterVpcConfigArgs
{
PublicAccessCidrs =
{
"0.0.0.0/0",
},
SecurityGroupIds =
{
eksSecurityGroup.Id,
},
SubnetIds = subnetIds,
},
});
var nodeGroup = new Aws.Eks.NodeGroup("nodeGroup", new Aws.Eks.NodeGroupArgs
{
ClusterName = eksCluster.Name,
NodeGroupName = "pulumi-eks-nodegroup",
NodeRoleArn = ec2Role.Arn,
SubnetIds = subnetIds,
Tags =
{
{ "Name", "pulumi-cluster-nodeGroup" },
},
ScalingConfig = new Aws.Eks.Inputs.NodeGroupScalingConfigArgs
{
DesiredSize = 2,
MaxSize = 2,
MinSize = 1,
},
});
var clusterName = eksCluster.Name;
var kubeconfig = Output.Tuple(eksCluster.Endpoint, eksCluster.CertificateAuthority, eksCluster.Name).Apply(values =>
{
var endpoint = values.Item1;
var certificateAuthority = values.Item2;
var name = values.Item3;
return(JsonSerializer.Serialize(new Dictionary <string, object?>
{
{ "apiVersion", "v1" },
{ "clusters", new[]
{
new Dictionary <string, object?>
{
{ "cluster", new Dictionary <string, object?>
{
{ "server", endpoint },
{ "certificate-authority-data", certificateAuthority.Data },
} },
{ "name", "kubernetes" },
},
} },
{ "contexts", new[]
{
new Dictionary <string, object?>
{
{ "contest", new Dictionary <string, object?>
{
{ "cluster", "kubernetes" },
{ "user", "aws" },
} },
},
} },
{ "current-context", "aws" },
{ "kind", "Config" },
{ "users", new[]
{
new Dictionary <string, object?>
{
{ "name", "aws" },
{ "user", new Dictionary <string, object?>
{
{ "exec", new Dictionary <string, object?>
{
{ "apiVersion", "client.authentication.k8s.io/v1alpha1" },
{ "command", "aws-iam-authenticator" },
} },
{ "args", new[]
{
"token",
"-i",
name,
} },
} },
},
} },
}));
});
return(new Dictionary <string, Output <string> >
{
{ "clusterName", clusterName },
{ "kubeconfig", kubeconfig },
});
}
