From 6d683c98a3204bcc43e2707a1123d866081ed07d Mon Sep 17 00:00:00 2001
From: SOPHAL HONG <dev.sophal@gmail.com>
Date: Fri, 25 Feb 2022 16:53:54 +0900
Subject: [PATCH] [Terraform-AWS] Replace CLB with NLB (#8578)

---
 .../terraform/aws/create-infrastructure.tf    | 16 +++---
 contrib/terraform/aws/modules/elb/main.tf     | 57 -------------------
 contrib/terraform/aws/modules/elb/outputs.tf  |  7 ---
 contrib/terraform/aws/modules/nlb/main.tf     | 41 +++++++++++++
 contrib/terraform/aws/modules/nlb/outputs.tf  | 11 ++++
 .../aws/modules/{elb => nlb}/variables.tf     |  4 +-
 contrib/terraform/aws/output.tf               |  4 +-
 .../aws/sample-inventory/cluster.tfvars       |  4 +-
 contrib/terraform/aws/templates/inventory.tpl |  2 +-
 contrib/terraform/aws/terraform.tfvars        |  2 +-
 .../terraform/aws/terraform.tfvars.example    |  2 +-
 contrib/terraform/aws/variables.tf            |  6 +-
 12 files changed, 72 insertions(+), 84 deletions(-)
 delete mode 100644 contrib/terraform/aws/modules/elb/main.tf
 delete mode 100644 contrib/terraform/aws/modules/elb/outputs.tf
 create mode 100644 contrib/terraform/aws/modules/nlb/main.tf
 create mode 100644 contrib/terraform/aws/modules/nlb/outputs.tf
 rename contrib/terraform/aws/modules/{elb => nlb}/variables.tf (88%)

diff --git a/contrib/terraform/aws/create-infrastructure.tf b/contrib/terraform/aws/create-infrastructure.tf
index 930168ffd..0a388447c 100644
--- a/contrib/terraform/aws/create-infrastructure.tf
+++ b/contrib/terraform/aws/create-infrastructure.tf
@@ -26,14 +26,14 @@ module "aws-vpc" {
   default_tags             = var.default_tags
 }
 
-module "aws-elb" {
-  source = "./modules/elb"
+module "aws-nlb" {
+  source = "./modules/nlb"
 
   aws_cluster_name      = var.aws_cluster_name
   aws_vpc_id            = module.aws-vpc.aws_vpc_id
   aws_avail_zones       = data.aws_availability_zones.available.names
   aws_subnet_ids_public = module.aws-vpc.aws_subnet_ids_public
-  aws_elb_api_port      = var.aws_elb_api_port
+  aws_nlb_api_port      = var.aws_nlb_api_port
   k8s_secure_api_port   = var.k8s_secure_api_port
   default_tags          = var.default_tags
 }
@@ -96,10 +96,10 @@ resource "aws_instance" "k8s-master" {
   }))
 }
 
-resource "aws_elb_attachment" "attach_master_nodes" {
-  count    = var.aws_kube_master_num
-  elb      = module.aws-elb.aws_elb_api_id
-  instance = element(aws_instance.k8s-master.*.id, count.index)
+resource "aws_lb_target_group_attachment" "tg-attach_master_nodes" {
+  count            = var.aws_kube_master_num
+  target_group_arn = module.aws-nlb.aws_nlb_api_tg_arn
+  target_id        = element(aws_instance.k8s-master.*.private_ip, count.index)
 }
 
 resource "aws_instance" "k8s-etcd" {
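Review bot: Registering the masters by `private_ip` as IP targets means NLB traffic now lands directly on the master instances' own security group, and nothing in this patch adjusts that group — the ingress rule on the API port that lived on the deleted `aws-elb` security group has no counterpart in the new `modules/nlb/main.tf` (a network load balancer in this provider generation carries no security group of its own), so the node group is the only enforcement point left. Before merging, confirm that the master nodes' security group admits `k8s_secure_api_port` from the NLB's health-check source (typically the VPC CIDR) and, if client IP preservation is in effect on the target group, from every client range that is meant to reach the API; otherwise targets register as unhealthy or external API access stops working, depending on which side the group is missing. Worth recording on this resource, e.g. `# IP targets: the node security group, not the NLB, filters var.k8s_secure_api_port`. The `aws_instance "k8s-master"` resource this hunk follows starts before the hunk.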
@@ -164,7 +164,7 @@ data "template_file" "inventory" {
     list_node                 = join("\n", aws_instance.k8s-worker.*.private_dns)
     connection_strings_etcd   = join("\n", formatlist("%s ansible_host=%s", aws_instance.k8s-etcd.*.private_dns, aws_instance.k8s-etcd.*.private_ip))
     list_etcd                 = join("\n", ((var.aws_etcd_num > 0) ? (aws_instance.k8s-etcd.*.private_dns) : (aws_instance.k8s-master.*.private_dns)))
-    elb_api_fqdn              = "apiserver_loadbalancer_domain_name=\"${module.aws-elb.aws_elb_api_fqdn}\""
+    nlb_api_fqdn              = "apiserver_loadbalancer_domain_name=\"${module.aws-nlb.aws_nlb_api_fqdn}\""
   }
 }
 
diff --git a/contrib/terraform/aws/modules/elb/main.tf b/contrib/terraform/aws/modules/elb/main.tf
deleted file mode 100644
index 0bc589db9..000000000
--- a/contrib/terraform/aws/modules/elb/main.tf
+++ /dev/null
@@ -1,57 +0,0 @@
-resource "aws_security_group" "aws-elb" {
-  name   = "kubernetes-${var.aws_cluster_name}-securitygroup-elb"
-  vpc_id = var.aws_vpc_id
-
-  tags = merge(var.default_tags, tomap({
-    Name = "kubernetes-${var.aws_cluster_name}-securitygroup-elb"
-  }))
-}
-
-resource "aws_security_group_rule" "aws-allow-api-access" {
-  type              = "ingress"
-  from_port         = var.aws_elb_api_port
-  to_port           = var.k8s_secure_api_port
-  protocol          = "TCP"
-  cidr_blocks       = ["0.0.0.0/0"]
-  security_group_id = aws_security_group.aws-elb.id
-}
-
-resource "aws_security_group_rule" "aws-allow-api-egress" {
-  type              = "egress"
-  from_port         = 0
-  to_port           = 65535
-  protocol          = "TCP"
-  cidr_blocks       = ["0.0.0.0/0"]
-  security_group_id = aws_security_group.aws-elb.id
-}
-
-# Create a new AWS ELB for K8S API
-resource "aws_elb" "aws-elb-api" {
-  name            = "kubernetes-elb-${var.aws_cluster_name}"
-  subnets         = length(var.aws_subnet_ids_public) <= length(var.aws_avail_zones) ? var.aws_subnet_ids_public : slice(var.aws_subnet_ids_public, 0, length(var.aws_avail_zones))
-  security_groups = [aws_security_group.aws-elb.id]
-
-  listener {
-    instance_port     = var.k8s_secure_api_port
-    instance_protocol = "tcp"
-    lb_port           = var.aws_elb_api_port
-    lb_protocol       = "tcp"
-  }
-
-  health_check {
-    healthy_threshold   = 2
-    unhealthy_threshold = 2
-    timeout             = 3
-    target              = "HTTPS:${var.k8s_secure_api_port}/healthz"
-    interval            = 30
-  }
-
-  cross_zone_load_balancing   = true
-  idle_timeout                = 400
-  connection_draining         = true
-  connection_draining_timeout = 400
-
-  tags = merge(var.default_tags, tomap({
-    Name = "kubernetes-${var.aws_cluster_name}-elb-api"
-  }))
-}
diff --git a/contrib/terraform/aws/modules/elb/outputs.tf b/contrib/terraform/aws/modules/elb/outputs.tf
deleted file mode 100644
index 185b10525..000000000
--- a/contrib/terraform/aws/modules/elb/outputs.tf
+++ /dev/null
@@ -1,7 +0,0 @@
-output "aws_elb_api_id" {
-  value = aws_elb.aws-elb-api.id
-}
-
-output "aws_elb_api_fqdn" {
-  value = aws_elb.aws-elb-api.dns_name
-}
diff --git a/contrib/terraform/aws/modules/nlb/main.tf b/contrib/terraform/aws/modules/nlb/main.tf
new file mode 100644
index 000000000..2093b49dd
--- /dev/null
+++ b/contrib/terraform/aws/modules/nlb/main.tf
@@ -0,0 +1,41 @@
+# Create a new AWS NLB for K8S API
+resource "aws_lb" "aws-nlb-api" {
+  name                             = "kubernetes-nlb-${var.aws_cluster_name}"
+  load_balancer_type               = "network"
+  subnets                          = length(var.aws_subnet_ids_public) <= length(var.aws_avail_zones) ? var.aws_subnet_ids_public : slice(var.aws_subnet_ids_public, 0, length(var.aws_avail_zones))
+  idle_timeout                     = 400
+  enable_cross_zone_load_balancing = true
+
+  tags = merge(var.default_tags, tomap({
+    Name = "kubernetes-${var.aws_cluster_name}-nlb-api"
+  }))
+}
+
+# Create a new AWS NLB Instance Target Group
+resource "aws_lb_target_group" "aws-nlb-api-tg" {
+  name        = "kubernetes-nlb-tg-${var.aws_cluster_name}"
+  port        = var.k8s_secure_api_port
+  protocol    = "TCP"
+  target_type = "ip"
+  vpc_id      = var.aws_vpc_id
+
+  health_check {
+    healthy_threshold   = 2
+    unhealthy_threshold = 2
+    interval            = 30
+    protocol            = "HTTPS"
+    path                = "/healthz"
+  }
+}
+
+# Create a new AWS NLB Listener listen to target group
+resource "aws_lb_listener" "aws-nlb-api-listener" {
+  load_balancer_arn = aws_lb.aws-nlb-api.arn
+  port              = var.aws_nlb_api_port
+  protocol          = "TCP"
+
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.aws-nlb-api-tg.arn
+  }
+}
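Review bot: `idle_timeout = 400` on `aws_lb` has no effect for `load_balancer_type = "network"`; the AWS provider applies that argument to application load balancers only, so the line silently carries the old ELB value over without reproducing it and should be dropped, or replaced by a comment noting that NLB idle timeout is not configurable here. The ELB's `connection_draining_timeout = 400` likewise has no counterpart: the target group falls back to the provider default `deregistration_delay` of 300 seconds, so add `deregistration_delay = 400` to `aws_lb_target_group` if the old drain window is intended. The target-group `name` `kubernetes-nlb-tg-${var.aws_cluster_name}` is three characters longer than the old `kubernetes-elb-` prefix and AWS caps both names at 32 characters, so cluster names over 14 characters now fail at apply; a `validation` block on `aws_cluster_name`, or a comment stating the limit, would surface this before a plan is applied.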
diff --git a/contrib/terraform/aws/modules/nlb/outputs.tf b/contrib/terraform/aws/modules/nlb/outputs.tf
new file mode 100644
index 000000000..2a97c4b19
--- /dev/null
+++ b/contrib/terraform/aws/modules/nlb/outputs.tf
@@ -0,0 +1,11 @@
+output "aws_nlb_api_id" {
+  value = aws_lb.aws-nlb-api.id
+}
+
+output "aws_nlb_api_fqdn" {
+  value = aws_lb.aws-nlb-api.dns_name
+}
+
+output "aws_nlb_api_tg_arn" {
+  value = aws_lb_target_group.aws-nlb-api-tg.arn
+}
diff --git a/contrib/terraform/aws/modules/elb/variables.tf b/contrib/terraform/aws/modules/nlb/variables.tf
similarity index 88%
rename from contrib/terraform/aws/modules/elb/variables.tf
rename to contrib/terraform/aws/modules/nlb/variables.tf
index ca56b1a92..db280f67b 100644
--- a/contrib/terraform/aws/modules/elb/variables.tf
+++ b/contrib/terraform/aws/modules/nlb/variables.tf
@@ -6,8 +6,8 @@ variable "aws_vpc_id" {
   description = "AWS VPC ID"
 }
 
-variable "aws_elb_api_port" {
-  description = "Port for AWS ELB"
+variable "aws_nlb_api_port" {
+  description = "Port for AWS NLB"
 }
 
 variable "k8s_secure_api_port" {
diff --git a/contrib/terraform/aws/output.tf b/contrib/terraform/aws/output.tf
index 8cac230af..952841037 100644
--- a/contrib/terraform/aws/output.tf
+++ b/contrib/terraform/aws/output.tf
@@ -14,8 +14,8 @@ output "etcd" {
   value = join("\n", ((var.aws_etcd_num > 0) ? (aws_instance.k8s-etcd.*.private_ip) : (aws_instance.k8s-master.*.private_ip)))
 }
 
-output "aws_elb_api_fqdn" {
-  value = "${module.aws-elb.aws_elb_api_fqdn}:${var.aws_elb_api_port}"
+output "aws_nlb_api_fqdn" {
+  value = "${module.aws-nlb.aws_nlb_api_fqdn}:${var.aws_nlb_api_port}"
 }
 
 output "inventory" {
diff --git a/contrib/terraform/aws/sample-inventory/cluster.tfvars b/contrib/terraform/aws/sample-inventory/cluster.tfvars
index d731a0416..8aca21909 100644
--- a/contrib/terraform/aws/sample-inventory/cluster.tfvars
+++ b/contrib/terraform/aws/sample-inventory/cluster.tfvars
@@ -33,9 +33,9 @@ aws_kube_worker_size = "t2.medium"
 
 aws_kube_worker_disk_size = 50
 
-#Settings AWS ELB
+#Settings AWS NLB
 
-aws_elb_api_port = 6443
+aws_nlb_api_port = 6443
 
 k8s_secure_api_port = 6443
 
diff --git a/contrib/terraform/aws/templates/inventory.tpl b/contrib/terraform/aws/templates/inventory.tpl
index c0d0d1024..10a3995e1 100644
--- a/contrib/terraform/aws/templates/inventory.tpl
+++ b/contrib/terraform/aws/templates/inventory.tpl
@@ -24,4 +24,4 @@ kube_control_plane
 calico_rr
 
 [k8s_cluster:vars]
-${elb_api_fqdn}
+${nlb_api_fqdn}
diff --git a/contrib/terraform/aws/terraform.tfvars b/contrib/terraform/aws/terraform.tfvars
index 21089ebdd..693fa9bfb 100644
--- a/contrib/terraform/aws/terraform.tfvars
+++ b/contrib/terraform/aws/terraform.tfvars
@@ -32,7 +32,7 @@ aws_kube_worker_size      = "t3.medium"
 aws_kube_worker_disk_size = 50
 
 #Settings AWS ELB
-aws_elb_api_port    = 6443
+aws_nlb_api_port    = 6443
 k8s_secure_api_port = 6443
 
 default_tags = {
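Review bot: The `#Settings AWS ELB` comment above the renamed `aws_nlb_api_port` is now stale; the same hunk in `sample-inventory/cluster.tfvars` updated it to `#Settings AWS NLB`, and this file and `terraform.tfvars.example` should match. Change the line to `#Settings AWS NLB` in both.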
diff --git a/contrib/terraform/aws/terraform.tfvars.example b/contrib/terraform/aws/terraform.tfvars.example
index 76684d831..584b6a236 100644
--- a/contrib/terraform/aws/terraform.tfvars.example
+++ b/contrib/terraform/aws/terraform.tfvars.example
@@ -25,7 +25,7 @@ aws_kube_worker_size = "t3.medium"
 aws_kube_worker_disk_size = 50
 
 #Settings AWS ELB
-aws_elb_api_port = 6443
+aws_nlb_api_port = 6443
 k8s_secure_api_port = 6443
 
 default_tags = { }
diff --git a/contrib/terraform/aws/variables.tf b/contrib/terraform/aws/variables.tf
index 92a5512c8..479629e2f 100644
--- a/contrib/terraform/aws/variables.tf
+++ b/contrib/terraform/aws/variables.tf
@@ -104,11 +104,11 @@ variable "aws_kube_worker_size" {
 }
 
 /*
-* AWS ELB Settings
+* AWS NLB Settings
 *
 */
-variable "aws_elb_api_port" {
-  description = "Port for AWS ELB"
+variable "aws_nlb_api_port" {
+  description = "Port for AWS NLB"
 }
 
 variable "k8s_secure_api_port" {
-- 
GitLab