Merge pull request #3 from youngjeong46/feature/trino-on-eks

feat: Trino on EKS part 2
awslabs · Feb 20, 2024 · b1ab88d · b1ab88d
2 parents ab5f75b + a4915f2
commit b1ab88d
Show file tree

Hide file tree

Showing 7 changed files with 324 additions and 321 deletions.
diff --git a/distributed-databases/trino/addons.tf b/distributed-databases/trino/addons.tf
@@ -1,3 +1,45 @@
+#---------------------------------------------------------------
+# IRSA for EBS CSI Driver
+#---------------------------------------------------------------
+module "ebs_csi_driver_irsa" {
+  source                = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+  version               = "~> 5.14"
+  role_name             = format("%s-%s", local.name, "ebs-csi-driver")
+  attach_ebs_csi_policy = true
+  oidc_providers = {
+    main = {
+      provider_arn               = module.eks.oidc_provider_arn
+      namespace_service_accounts = ["kube-system:ebs-csi-controller-sa"]
+    }
+  }
+  tags = local.tags
+}
+
+#---------------------------------------------------------------
+# Grafana Admin credentials resources
+#---------------------------------------------------------------
+data "aws_secretsmanager_secret_version" "admin_password_version" {
+  secret_id  = aws_secretsmanager_secret.grafana.id
+  depends_on = [aws_secretsmanager_secret_version.grafana]
+}
+
+resource "random_password" "grafana" {
+  length           = 16
+  special          = true
+  override_special = "@_"
+}
+
+#tfsec:ignore:aws-ssm-secret-use-customer-key
+resource "aws_secretsmanager_secret" "grafana" {
+  name_prefix             = "${local.name}-grafana-"
+  recovery_window_in_days = 0 # Set to zero for this example to force delete during Terraform destroy
+}
+
+resource "aws_secretsmanager_secret_version" "grafana" {
+  secret_id     = aws_secretsmanager_secret.grafana.id
+  secret_string = random_password.grafana.result
+}
+
 #---------------------------------------------------------------
 # EKS Blueprints Addons
 #---------------------------------------------------------------
@@ -138,47 +180,19 @@ module "eks_blueprints_addons" {
 }
 
 #---------------------------------------
-# Trino Helm Add-on
+# Karpenter Provisioners
 #---------------------------------------
-module "trino_addon" {
-  source  = "aws-ia/eks-blueprints-addon/aws"
-  version = "~> 1.1.1" #ensure to update this to the latest/desired version
-
-  chart            = "trino"
-  chart_version    = "0.13.0"
-  repository       = "https://trinodb.github.io/charts"
-  description      = "Trino Helm Chart deployment"
-  namespace        = local.trino_namespace
-  create_namespace = true
-
-  values = [
-    templatefile("${path.module}/helm-values/trino.yaml",
-      {
-        sa                 = local.trino_sa
-        region             = local.region
-        bucket_id          = module.trino_s3_bucket.s3_bucket_id
-        exchange_bucket_id = module.trino_exchange_bucket.s3_bucket_id
-        irsa_arn           = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role/${local.trino_sa}-role"
-    })
-  ]
-
-  set_irsa_names = ["serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"]
-
-  # IAM role for service account (IRSA)
-  allow_self_assume_role = true
-  create_role            = true
-  role_name              = "${local.trino_sa}-role"
-  role_name_use_prefix   = false
-  role_policies = {
-    data_bucket_policy     = aws_iam_policy.trino_s3_bucket_policy.arn
-    exchange_bucket_policy = aws_iam_policy.trino_exchange_bucket_policy.arn
-    glue_policy            = data.aws_iam_policy.glue_full_access.arn,
+data "kubectl_path_documents" "karpenter_resources" {
+  pattern = "${path.module}/karpenter-resources/node-*.yaml"
+  vars = {
+    azs            = local.region
+    eks_cluster_id = module.eks.cluster_name
   }
+}
 
-  oidc_providers = {
-    this = {
-      provider_arn    = module.eks.oidc_provider_arn
-      service_account = local.trino_sa
-    }
-  }
+resource "kubectl_manifest" "karpenter_resources" {
+  for_each  = toset(data.kubectl_path_documents.karpenter_resources.documents)
+  yaml_body = each.value
+
+  depends_on = [module.eks_blueprints_addons]
 }
diff --git a/distributed-databases/trino/data.tf b/distributed-databases/trino/data.tf
diff --git a/distributed-databases/trino/eks.tf b/distributed-databases/trino/eks.tf
@@ -0,0 +1,114 @@
+module "eks" {
+  source  = "terraform-aws-modules/eks/aws"
+  version = "~> 20.0"
+
+  cluster_name    = local.name
+  cluster_version = var.eks_cluster_version
+
+  cluster_endpoint_public_access = true # if true, Your cluster API server is accessible from the internet. You can, optionally, limit the CIDR blocks that can access the public endpoint.
+
+  vpc_id     = module.vpc.vpc_id
+  subnet_ids = module.vpc.private_subnets
+
+  enable_cluster_creator_admin_permissions = true
+
+  #---------------------------------------
+  # Note: This can further restricted to specific required for each Add-on and your application
+  #---------------------------------------
+  # Extend cluster security group rules
+  cluster_security_group_additional_rules = {
+    ingress_nodes_ephemeral_ports_tcp = {
+      description                = "Nodes on ephemeral ports"
+      protocol                   = "tcp"
+      from_port                  = 1025
+      to_port                    = 65535
+      type                       = "ingress"
+      source_node_security_group = true
+    }
+  }
+
+  # Extend node-to-node security group rules
+  node_security_group_additional_rules = {
+    ingress_self_all = {
+      description = "Node to node all ports/protocols"
+      protocol    = "-1"
+      from_port   = 0
+      to_port     = 0
+      type        = "ingress"
+      self        = true
+    }
+    egress_all = {
+      description      = "Node all egress"
+      protocol         = "-1"
+      from_port        = 0
+      to_port          = 0
+      type             = "egress"
+      cidr_blocks      = ["0.0.0.0/0"]
+      ipv6_cidr_blocks = ["::/0"]
+    }
+  }
+
+  eks_managed_node_group_defaults = {
+    iam_role_additional_policies = {
+      # Not required, but used in the example to access the nodes to inspect mounted volumes
+      AmazonSSMManagedInstanceCore = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+    }
+  }
+  eks_managed_node_groups = {
+    #  We recommend to have a MNG to place your critical workloads and add-ons
+    #  Then rely on Karpenter to scale your workloads
+    #  You can also make uses on nodeSelector and Taints/tolerations to spread workloads on MNG or Karpenter provisioners
+    core_node_group = {
+      name        = "core-node-group"
+      description = "EKS managed node group example launch template"
+
+      subnet_ids = module.vpc.private_subnets
+
+      min_size     = 1
+      max_size     = 9
+      desired_size = 2
+
+      force_update_version = true
+      instance_types       = ["m5.xlarge"]
+
+      ebs_optimized = true
+      block_device_mappings = {
+        xvda = {
+          device_name = "/dev/xvda"
+          ebs = {
+            volume_size = 100
+            volume_type = "gp3"
+          }
+        }
+      }
+
+      labels = {
+        WorkerType    = "ON_DEMAND"
+        NodeGroupType = "doeks"
+      }
+
+      tags = {
+        Name = "core-node-grp"
+      }
+    }
+  }
+}
+
+module "eks_aws_auth" {
+  source  = "terraform-aws-modules/eks/aws//modules/aws-auth"
+  version = "~> 20.0"
+
+  manage_aws_auth_configmap = true
+
+  aws_auth_roles = [
+    # We need to add in the Karpenter node IAM role for nodes launched by Karpenter
+    {
+      rolearn  = module.eks_blueprints_addons.karpenter.node_iam_role_arn
+      username = "system:node:{{EC2PrivateDNSName}}"
+      groups = [
+        "system:bootstrappers",
+        "system:nodes",
+      ]
+    }
+  ]
+}
diff --git a/distributed-databases/trino/locals.tf b/distributed-databases/trino/locals.tf