first commit for aws-eks infra

Author: parisnakitakejser

.gitignore

@@ -3,3 +3,4 @@
 venv
 cdk.out
 .DS_Store
+aws/AWS-CDK/Neptune/create-neptune-cluster-with-bastion-host/.env

aws/AWS-CDK/EKS/setup-readonly-user-role-in-aws-eks/.gitignore

@@ -0,0 +1,2 @@
+cdk.out
+*.pyc

aws/AWS-CDK/EKS/setup-readonly-user-role-in-aws-eks/README.md

@@ -0,0 +1,14 @@
+# Cluster connection
+Kubernetes cluster init by AWS CDK
+
+Connection to Kubernetes cluster using AWS CLI as administrator
+
+```
+aws eks update-kubeconfig --name {cluster-name} --region {region} --role-arn arn:aws:iam::{account-id}:role/aws-eks-admin
+```
+
+Connection to Kubernetes cluster using AWS CLI as readonly member
+
+```
+aws eks update-kubeconfig --name {cluster-name} --region {region} --role-arn arn:aws:iam::{account-id}:role/aws-eks-readonly
+```

aws/AWS-CDK/EKS/setup-readonly-user-role-in-aws-eks/app.py

@@ -0,0 +1,10 @@
+from aws_cdk import App, Environment
+from infrastructure.kubernetesStack import KubernetesStack
+
+app = App()
+
+env = Environment()
+
+rds_stack = KubernetesStack(app, "KubernetesStack", env=env)
+
+app.synth()

aws/AWS-CDK/EKS/setup-readonly-user-role-in-aws-eks/cdk.json

@@ -0,0 +1,3 @@
+{
+    "app": "python3 app.py"
+}

aws/AWS-CDK/EKS/setup-readonly-user-role-in-aws-eks/infrastructure/kubernetesStack.py

@@ -0,0 +1,173 @@
+from aws_cdk import (
+    Stack,
+    aws_eks as eks,
+    aws_ec2 as ec2,
+    aws_iam as iam,
+)
+from constructs import Construct
+
+from infrastructure.networkStack import NetworkStack
+
+
+class KubernetesStack(Stack):
+    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
+        super().__init__(scope, construct_id, **kwargs)
+
+        self.network = NetworkStack(self, "NetworkStack")
+
+        masters_role = iam.Role(
+            self,
+            "eks-admin",
+            role_name="aws-eks-admin",
+            assumed_by=iam.CompositePrincipal(
+                iam.ServicePrincipal(service="eks.amazonaws.com"),
+                iam.AnyPrincipal(),  # importent, else a SSO user can't assume
+            ),
+        )
+        masters_role.add_managed_policy(
+            iam.ManagedPolicy.from_aws_managed_policy_name("AdministratorAccess")
+        )
+        readonly_role = iam.Role(
+            self,
+            "eks-readonly",
+            role_name="aws-eks-readonly",
+            assumed_by=iam.CompositePrincipal(
+                iam.ServicePrincipal(service="eks.amazonaws.com"),
+                iam.AnyPrincipal(),  # importent, else a SSO user can't assume
+            ),
+        )
+        readonly_role.add_managed_policy(
+            iam.ManagedPolicy.from_aws_managed_policy_name("AdministratorAccess")
+        )
+
+        cluster = eks.Cluster(
+            self,
+            "aws-eks",
+            version=eks.KubernetesVersion.V1_25,
+            masters_role=masters_role,
+            cluster_name="aws-eks-cluster",
+            default_capacity=0,
+            cluster_logging=[
+                eks.ClusterLoggingTypes.API,
+                eks.ClusterLoggingTypes.AUTHENTICATOR,
+                eks.ClusterLoggingTypes.SCHEDULER,
+                eks.ClusterLoggingTypes.AUDIT,
+                eks.ClusterLoggingTypes.CONTROLLER_MANAGER,
+            ],
+            vpc=self.network.vpc,
+        )
+
+        masters_role.grant_assume_role(cluster.admin_role)
+
+        cluster.aws_auth.add_role_mapping(
+            readonly_role, groups=["system:authenticated"]
+        )
+
+        self.__add_nodegroup(cluster=cluster)
+        self.__add_addon(cluster=cluster)
+        self.__add_readonly_member(
+            cluster=cluster, readonly_role_arn=readonly_role.role_arn
+        )
+
+    def __add_nodegroup(self, cluster: eks.Cluster):
+        instance_type_name = "m6i.large"
+
+        self.nodegroup = eks.Nodegroup(
+            self,
+            "all-ng",
+            cluster=cluster,
+            nodegroup_name="primary-node-group",
+            instance_types=[ec2.InstanceType(instance_type_name)],
+            min_size=3,
+            max_size=10,
+            disk_size=100,
+            labels={
+                "instance-type": instance_type_name,
+            },
+        )
+
+    def __add_addon(self, cluster: eks.Cluster):
+        eks.CfnAddon(
+            self,
+            "vpc-cni-addon",
+            addon_name="vpc-cni",
+            cluster_name=cluster.cluster_name,
+        )
+        eks.CfnAddon(
+            self,
+            "coredns-addon",
+            addon_name="coredns",
+            cluster_name=cluster.cluster_name,
+        )
+        eks.CfnAddon(
+            self,
+            "kube-proxy-addon",
+            addon_name="kube-proxy",
+            cluster_name=cluster.cluster_name,
+        )
+        eks.CfnAddon(
+            self,
+            "aws-ebs-csi-driver-addon",
+            addon_name="aws-ebs-csi-driver",
+            cluster_name=cluster.cluster_name,
+        )
+
+    def __add_readonly_member(self, cluster: eks.Cluster, readonly_role_arn: str):
+        cluster.add_manifest(
+            "cluster-role",
+            {
+                "apiVersion": "rbac.authorization.k8s.io/v1",
+                "kind": "ClusterRole",
+                "metadata": {
+                    "name": "eks-access-cluster-role",
+                    "namespace": "kube-system",
+                },
+                "rules": [
+                    {
+                        "apiGroups": [""],
+                        "resources": [
+                            "configmaps",
+                            "services",
+                            "pods",
+                            "persistentvolumes",
+                            "namespaces",
+                        ],
+                        "verbs": ["get", "list", "watch"],
+                    },
+                    {
+                        "apiGroups": [""],
+                        "resources": ["pods/log"],
+                        "verbs": ["get", "list"],
+                    },
+                    {
+                        "apiGroups": [""],
+                        "resources": ["pods/portforward", "services/portforward"],
+                        "verbs": ["create"],
+                    },
+                ],
+            },
+        )
+
+        cluster.add_manifest(
+            "cluster-role-binding",
+            {
+                "apiVersion": "rbac.authorization.k8s.io/v1",
+                "kind": "ClusterRoleBinding",
+                "metadata": {
+                    "name": "iam-cluster-role-binding",
+                    "namespace": "kube-system",
+                },
+                "roleRef": {
+                    "apiGroup": "rbac.authorization.k8s.io",
+                    "kind": "ClusterRole",
+                    "name": "eks-access-cluster-role",
+                },
+                "subjects": [
+                    {
+                        "kind": "User",
+                        "name": readonly_role_arn,
+                        "apiGroup": "rbac.authorization.k8s.io",
+                    }
+                ],
+            },
+        )

aws/AWS-CDK/EKS/setup-readonly-user-role-in-aws-eks/infrastructure/networkStack.py

@@ -0,0 +1,30 @@
+from aws_cdk import (
+    NestedStack,
+    aws_ec2 as ec2,
+)
+from constructs import Construct
+
+
+class NetworkStack(NestedStack):
+    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
+        super().__init__(scope, construct_id, **kwargs)
+
+        self.vpc = ec2.Vpc(
+            self,
+            "VPC",
+            ip_addresses=ec2.IpAddresses.cidr("10.10.0.0/16"),  # 65,536
+            subnet_configuration=[
+                ec2.SubnetConfiguration(
+                    subnet_type=ec2.SubnetType.PUBLIC,
+                    name="Public",
+                    cidr_mask=24,  # 256
+                ),
+                ec2.SubnetConfiguration(
+                    subnet_type=ec2.SubnetType.PRIVATE_WITH_EGRESS,
+                    name="Private",
+                    cidr_mask=18,  # 16,384
+                ),
+            ],
+            max_azs=3,
+            nat_gateways=3,
+        )

aws/AWS-CDK/EKS/setup-readonly-user-role-in-aws-eks/requirements.txt

@@ -0,0 +1,5 @@
+aws-cdk-lib==2.75.0
+flake8
+boto3
+black
+pyyaml

aws/AWS-CDK/EKS/setup-readonly-user-role-in-aws-eks/setup.cfg

@@ -0,0 +1,10 @@
+[flake8]
+ignore = E501,F401,W503,F841,W293,E902,E203
+count = True
+exclude =
+    **/ebawsconnect**,
+    **/node_modules**,
+    **/lib/**,
+    **/site-packages/**,
+    **/bin/**,
+    **/versions/**