From 0c74622f893b754b6e79a47e47d3c603091e2bd9 Mon Sep 17 00:00:00 2001 From: Cong-Xin Qiu Date: Fri, 28 Jun 2019 18:16:39 -0400 Subject: [PATCH 1/4] kubernetes deployment of Redis --- k8s/README.md | 41 ++++++++++++++++++++++++++++++++ k8s/redis-master-deployment.yaml | 29 ++++++++++++++++++++++ k8s/redis-master-service.yaml | 16 +++++++++++++ k8s/redis-slave-deployment.yaml | 40 +++++++++++++++++++++++++++++++ k8s/redis-slave-service.yaml | 15 ++++++++++++ 5 files changed, 141 insertions(+) create mode 100644 k8s/README.md create mode 100644 k8s/redis-master-deployment.yaml create mode 100644 k8s/redis-master-service.yaml create mode 100644 k8s/redis-slave-deployment.yaml create mode 100644 k8s/redis-slave-service.yaml diff --git a/k8s/README.md b/k8s/README.md new file mode 100644 index 00000000..f225c065 --- /dev/null +++ b/k8s/README.md @@ -0,0 +1,41 @@ +# Kubernetes Notes + +## Pre + +``` +minikube start +minikube dashboard +``` + +Cleanup (optional for both): + +``` +minikube stop +minikube delete +``` + +## Non-persistent storage + +``` +kubectl apply -f k8s/redis-master-deployment.yaml +kubectl apply -f k8s/redis-master-service.yaml +kubectl apply -f k8s/redis-slave-deployment.yaml +kubectl apply -f k8s/redis-slave-service.yaml +``` + +To check (separate windows): + +``` +kubectl port-forward deployment/redis-master 7000:6379 +redis-cli -p 7000 +``` + +Clean up: + +``` +kubectl delete deployment -l app=gitenter +kubectl delete service -l app=gitenter +``` + +https://kubernetes.io/docs/tutorials/stateless-application/guestbook/ +https://kubernetes.io/docs/tasks/access-application-cluster/port-forward-access-application-cluster/#creating-redis-deployment-and-service diff --git a/k8s/redis-master-deployment.yaml b/k8s/redis-master-deployment.yaml new file mode 100644 index 00000000..510fe774 --- /dev/null +++ b/k8s/redis-master-deployment.yaml 
@@ -0,0 +1,29 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: redis-master + labels: + app: gitenter +spec: + selector: + matchLabels: + app: gitenter + role: master + tier: backend + replicas: 1 + template: + metadata: + labels: + app: gitenter + role: master + tier: backend + spec: + containers: + - name: master + image: redis:5.0.5 + resources: + requests: + cpu: 100m + memory: 100Mi + ports: + - containerPort: 6379 diff --git a/k8s/redis-master-service.yaml b/k8s/redis-master-service.yaml new file mode 100644 index 00000000..0e935f7b --- /dev/null +++ b/k8s/redis-master-service.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Service +metadata: + name: redis-master + labels: + app: gitenter + role: master + tier: backend +spec: + ports: + - port: 6379 + targetPort: 6379 + selector: + app: gitenter + role: master + tier: backend diff --git a/k8s/redis-slave-deployment.yaml b/k8s/redis-slave-deployment.yaml new file mode 100644 index 00000000..f325dcc8 --- /dev/null +++ b/k8s/redis-slave-deployment.yaml @@ -0,0 +1,40 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: redis-slave + labels: + app: gitenter +spec: + selector: + matchLabels: + app: gitenter + role: slave + tier: backend + replicas: 2 + template: + metadata: + labels: + app: gitenter + role: slave + tier: backend + spec: + containers: + - name: slave + image: redis:5.0.5 + resources: + requests: + cpu: 100m + memory: 100Mi + env: + - name: GET_HOSTS_FROM + value: dns + # Using `GET_HOSTS_FROM=dns` requires your cluster to + # provide a dns service. As of Kubernetes 1.3, DNS is a built-in + # service launched automatically. However, if the cluster you are using + # does not have a built-in DNS service, you can instead + # access an environment variable to find the master + # service's host. To do so, comment out the 'value: dns' line above, and + # uncomment the line below: + # value: env + ports: + - containerPort: 6379 
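Review bot: The `master` container in `redis-master-deployment.yaml` declares `resources.requests` but no `limits`, so a single pod can consume unbounded CPU and memory on its node; add a `limits:` block next to the requests. Nothing in the container spec enables authentication, and the `redis-master` Service in the next hunk exposes port 6379 to every pod in the cluster, so any workload that can resolve `redis-master` can read and write the store; either pass `--requirepass` from a Secret (`args: ["--requirepass", "$(REDIS_PASSWORD)"]` with `env` sourced via `secretKeyRef`) or add a NetworkPolicy that restricts ingress to the application pods. Pinning `image: redis:5.0.5` rather than a floating tag is the right call and should be kept in the other manifests.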
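Review bot: The `slave` container sets `GET_HOSTS_FROM=dns` but runs the stock `redis:5.0.5` image, which does not read that variable; the env entry and its long comment come from the guestbook tutorial's `gb-redisslave` image, so these two replicas start as independent, empty Redis instances rather than replicas of `redis-master`. With the official image, replication has to be configured on the command line, e.g. `args: ["--slaveof", "redis-master", "6379"]` (resolved through the `redis-master` Service), and the unused `env` block can be dropped. As with the master, the pods accept unauthenticated connections on 6379 from the whole cluster once `redis-slave-service.yaml` is applied.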
diff --git a/k8s/redis-slave-service.yaml b/k8s/redis-slave-service.yaml new file mode 100644 index 00000000..76fe73de --- /dev/null +++ b/k8s/redis-slave-service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: redis-slave + labels: + app: gitenter + role: slave + tier: backend +spec: + ports: + - port: 6379 + selector: + app: gitenter + role: slave + tier: backend From 8cd8129bdef99518f72adc0fcd7801104f216616 Mon Sep 17 00:00:00 2001 From: Cong-Xin Qiu Date: Thu, 3 Oct 2019 18:00:28 -0400 Subject: [PATCH 2/4] k8s infrastructure in Terraform, first draft --- tf-config/live/eks/asg.tf | 52 +++++++++++ tf-config/live/eks/eks.tf | 9 ++ tf-config/live/eks/iam.tf | 14 +++ tf-config/live/eks/main.tf | 10 ++ tf-config/live/eks/network.tf | 91 +++++++++++++++++++ tf-config/live/eks/output.tf | 34 +++++++ tf-config/live/eks/security.tf | 80 ++++++++++++++++ tf-config/live/eks/variables.tf | 23 +++++ .../iam-terraform-config-group/stateless.tf | 27 ++++++ .../modules/iam-terraform-roles-setup/main.tf | 64 +++++++++++++ 10 files changed, 404 insertions(+) create mode 100644 tf-config/live/eks/asg.tf create mode 100644 tf-config/live/eks/eks.tf create mode 100644 tf-config/live/eks/iam.tf create mode 100644 tf-config/live/eks/main.tf create mode 100644 tf-config/live/eks/network.tf create mode 100644 tf-config/live/eks/output.tf create mode 100644 tf-config/live/eks/security.tf create mode 100644 tf-config/live/eks/variables.tf diff --git a/tf-config/live/eks/asg.tf b/tf-config/live/eks/asg.tf new file mode 100644 index 00000000..3c498549 --- /dev/null +++ b/tf-config/live/eks/asg.tf 
@@ -0,0 +1,52 @@ +data "aws_ami" "eks_optimized_amis" { + owners = ["602401143452"] # Amazon EKS AMI Account ID + most_recent = true + + filter { + name = "name" + values = ["amazon-eks-node-${aws_eks_cluster.main.version}-v*"] + } +} + +resource "aws_launch_configuration" "main" { + name_prefix = "${local.aws_launch_configuration_name}" + iam_instance_profile = "${aws_iam_instance_profile.eks_node.name}" + security_groups = ["${aws_security_group.eks_node.id}"] + + image_id = "${data.aws_ami.eks_optimized_amis.id}" + instance_type = "t2.small" + + user_data = < Date: Mon, 7 Oct 2019 18:42:31 -0400 Subject: [PATCH 3/4] Minor changes. Still cannot SSH in/cannot mount the EC2 instances to EKS cluster. --- k8s/nginx.yml | 21 +++++++++++++++++++++ tf-config/live/eks/asg.tf | 5 +++++ tf-config/live/eks/network.tf | 18 +++++++++++++++--- tf-config/live/eks/output.tf | 2 +- tf-config/live/eks/ssh.tf | 11 +++++++++++ tf-config/live/eks/variables.tf | 1 + 6 files changed, 54 insertions(+), 4 deletions(-) create mode 100644 k8s/nginx.yml create mode 100644 tf-config/live/eks/ssh.tf diff --git a/k8s/nginx.yml b/k8s/nginx.yml new file mode 100644 index 00000000..d84f7de1 --- /dev/null +++ b/k8s/nginx.yml @@ -0,0 +1,21 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nginx + labels: + app: gitenter +spec: + selector: + matchLabels: + app: gitenter + replicas: 2 # tells deployment to run 2 pods matching the template + template: + metadata: + labels: + app: gitenter + spec: + containers: + - name: nginx + image: nginx:latest + ports: + - containerPort: 80 diff --git a/tf-config/live/eks/asg.tf b/tf-config/live/eks/asg.tf index 3c498549..2b0027a3 100644 --- a/tf-config/live/eks/asg.tf +++ b/tf-config/live/eks/asg.tf @@ -27,6 +27,11 @@ EOF } associate_public_ip_address = true + key_name = "${aws_key_pair.terraform-seashore.key_name}" + + depends_on = [ + "aws_eks_cluster.main" + ] } resource "aws_autoscaling_group" "main" { 
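Review bot: `image: nginx:latest` in `k8s/nginx.yml` is a mutable tag, so every rollout may pull a different build and the deployment is neither reproducible nor auditable; the Redis manifests in this series pin `redis:5.0.5`, and this one should follow suit with `image: nginx:<pinned-version>` or, better, an `nginx@sha256:<digest>` reference. Like the Redis deployments, the container declares no `resources` and no `securityContext`.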
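Review bot: The new `key_name = "${aws_key_pair.terraform-seashore.key_name}"` installs one shared operator key on every worker node, and together with `associate_public_ip_address = true` on the line above it makes the nodes candidates for direct internet SSH; whether that is reachable depends on the node security group, and the `security.tf` in patch 4 defines no port-22 ingress, which matches the "cannot SSH in" in the commit message. If shell access on workers is really needed, prefer SSM Session Manager (no inbound port) or an ingress rule scoped to an admin CIDR rather than opening 22 to `0.0.0.0/0`. The `aws_launch_configuration.main` resource begins outside this hunk.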
diff --git a/tf-config/live/eks/network.tf b/tf-config/live/eks/network.tf index 6e1d3a55..ab27228f 100644 --- a/tf-config/live/eks/network.tf +++ b/tf-config/live/eks/network.tf @@ -40,9 +40,13 @@ resource "aws_vpc" "main" { # https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/dedicated-instance.html instance_tenancy = "default" - tags = { - Name = "${local.aws_vpc_name}" - } + # https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html#vpc-tagging + tags = "${ + map( + "Name", "${local.aws_vpc_name}", + "kubernetes.io/cluster/${local.aws_eks_cluster_name}", "shared", + ) + }" } resource "aws_subnet" "public" { @@ -57,6 +61,14 @@ resource "aws_subnet" "public" { cidr_block = "${cidrsubnet(aws_vpc.main.cidr_block, 8, count.index)}" # Therefore, subnets will be each in a separate availability zone. availability_zone = "${data.aws_availability_zones.available.names[count.index]}" + + # https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html#vpc-subnet-tagging + tags = "${ + map( + "Name", "${local.aws_subnet_name}", + "kubernetes.io/cluster/${local.aws_eks_cluster_name}", "shared", + ) + }" } # IGW for the public subnet diff --git a/tf-config/live/eks/output.tf b/tf-config/live/eks/output.tf index 082a8b1a..1d50c995 100644 --- a/tf-config/live/eks/output.tf +++ b/tf-config/live/eks/output.tf @@ -20,7 +20,7 @@ users: - name: aws user: exec: - apiVersion: client.authentication.k8s.io/v1beta1 + apiVersion: client.authentication.k8s.io/v1alpha1 command: aws-iam-authenticator args: - "token" diff --git a/tf-config/live/eks/ssh.tf b/tf-config/live/eks/ssh.tf new file mode 100644 index 00000000..de1d1ee2 --- /dev/null +++ b/tf-config/live/eks/ssh.tf 
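Review bot: Changing the kubeconfig `exec` block from `client.authentication.k8s.io/v1beta1` to `v1alpha1` in `output.tf` pins the generated kubeconfig to the oldest ExecCredential API; `v1alpha1` was later removed from kubectl (Kubernetes 1.24), so this output will stop working with current clients, while newer `aws-iam-authenticator` releases accept `v1beta1`. If the locally installed authenticator only accepts `v1alpha1`, a comment recording that would keep the next person from reverting it, e.g. `# aws-iam-authenticator <version> only accepts v1alpha1; return to v1beta1 once upgraded`. The heredoc that holds this kubeconfig starts outside the hunk.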
@@ -0,0 +1,11 @@ +# For Amazon Linux 2, ssh using `ssh ec2-user@` +# +# TODO: +# Should setup another jobs to add key pairs from different machines. May +# associate with login username. Also, should gather key pairs and all of them +# under a group can SSH into a particular set of machines created by +# `aws_launch_configuration`. +resource "aws_key_pair" "terraform-seashore" { + key_name = "terraform-key_pair-seashore" + public_key = "${file("~/.ssh/id_rsa.pub")}" +} diff --git a/tf-config/live/eks/variables.tf b/tf-config/live/eks/variables.tf index 2f5b1e07..a12c05cb 100644 --- a/tf-config/live/eks/variables.tf +++ b/tf-config/live/eks/variables.tf @@ -12,6 +12,7 @@ variable "az_count" { locals { aws_resource_prefix = "eks" aws_vpc_name = "${local.aws_resource_prefix}-vpc" + aws_subnet_name = "${local.aws_resource_prefix}-subnet" aws_eks_cluster_security_group = "${local.aws_resource_prefix}-eks-sg" aws_eks_node_security_group = "${local.aws_resource_prefix}-eks-node-sg" From 4bd5fabe309b82cecfff8b9286725c21095a25b3 Mon Sep 17 00:00:00 2001 
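Review bot: `public_key = "${file("~/.ssh/id_rsa.pub")}"` in `ssh.tf` reads whichever key happens to exist on the machine running `terraform apply`, so the key baked into every worker node depends on the operator rather than on the code, and an apply from another machine silently replaces it (and forces the launch configuration to be recreated). Pass the key in explicitly (`variable "ssh_public_key" {}` supplied through `TF_VAR_ssh_public_key`) so the plan is reproducible and reviewable; the TODO already acknowledges that one shared key pair is a stopgap. The comment `ssh ec2-user@` appears to have lost its host placeholder, possibly in rendering.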
From: Cong-Xin Qiu Date: Wed, 9 Oct 2019 18:15:27 -0400 Subject: [PATCH 4/4] Terraform fine tune based on EKS document. Still cannot join node. Try to use cloud-formation ASG file but that can't do it either. Probably we should just move to GKE if we want to use Kubernetes. --- k8s/configmaps/aws-auth-cm.yaml | 15 +++ tf-config/live/eks-staging/README.md | 14 +++ tf-config/live/{eks => eks-staging}/main.tf | 6 + tf-config/live/eks-staging/output.tf | 3 + tf-config/live/eks-staging/variables.tf | 6 + tf-config/live/eks/asg.tf | 57 --------- tf-config/live/eks/eks.tf | 9 -- tf-config/live/eks/iam.tf | 14 --- tf-config/live/eks/security.tf | 80 ------------ tf-config/live/eks/variables.tf | 24 ---- tf-config/modules/eks/asg.tf | 85 +++++++++++++ tf-config/modules/eks/eks.tf | 9 ++ tf-config/modules/eks/iam.tf | 14 +++ tf-config/{live => modules}/eks/network.tf | 14 ++- tf-config/{live => modules}/eks/output.tf | 2 +- tf-config/modules/eks/security.tf | 114 ++++++++++++++++++ tf-config/{live => modules}/eks/ssh.tf | 0 tf-config/modules/eks/variables.tf | 19 +++ .../modules/iam-terraform-roles-setup/main.tf | 21 ++-- 19 files changed, 306 insertions(+), 200 deletions(-) create mode 100644 k8s/configmaps/aws-auth-cm.yaml create mode 100644 tf-config/live/eks-staging/README.md rename tf-config/live/{eks => eks-staging}/main.tf (63%) create mode 100644 tf-config/live/eks-staging/output.tf create mode 100644 tf-config/live/eks-staging/variables.tf delete mode 100644 tf-config/live/eks/asg.tf delete mode 100644 tf-config/live/eks/eks.tf delete mode 100644 tf-config/live/eks/iam.tf delete mode 100644 tf-config/live/eks/security.tf delete mode 100644 tf-config/live/eks/variables.tf create mode 100644 tf-config/modules/eks/asg.tf create mode 100644 tf-config/modules/eks/eks.tf create mode 100644 tf-config/modules/eks/iam.tf rename tf-config/{live => modules}/eks/network.tf (89%) rename tf-config/{live => modules}/eks/output.tf (93%) create mode 100644 
tf-config/modules/eks/security.tf rename tf-config/{live => modules}/eks/ssh.tf (100%) create mode 100644 tf-config/modules/eks/variables.tf diff --git a/k8s/configmaps/aws-auth-cm.yaml b/k8s/configmaps/aws-auth-cm.yaml new file mode 100644 index 00000000..6054454b --- /dev/null +++ b/k8s/configmaps/aws-auth-cm.yaml @@ -0,0 +1,15 @@ +# https://docs.aws.amazon.com/eks/latest/userguide/getting-started-console.html#eks-launch-workers +# https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html +# https://docs.aws.amazon.com/eks/latest/userguide/launch-workers.html +apiVersion: v1 +kind: ConfigMap +metadata: + name: aws-auth + namespace: kube-system +data: + mapRoles: | + - rolearn: arn:aws:iam::662490392829:role/serviceRoleForEKSNodeInstanceForEC2 + username: system:node:{{EC2PrivateDNSName}} + groups: + - system:bootstrappers + - system:nodes diff --git a/tf-config/live/eks-staging/README.md b/tf-config/live/eks-staging/README.md new file mode 100644 index 00000000..f0e4151f --- /dev/null +++ b/tf-config/live/eks-staging/README.md @@ -0,0 +1,14 @@ +``` +cd ~/Workspace/gitenter/ +cd k8s/configmaps +kubectl apply -f aws-auth-cm.yaml +kubectl describe configmap -n kube-system aws-auth +``` + +``` +kubectl get pods --all-namespaces +kubectl -n kube-system describe pods coredns-8455f84f99-4cvct +# will error out the same as deploying a normal pod: no nodes available to schedule pods +``` + +TODO: Still "worker nodes fail to join cluster" diff --git a/tf-config/live/eks/main.tf b/tf-config/live/eks-staging/main.tf similarity index 63% rename from tf-config/live/eks/main.tf rename to tf-config/live/eks-staging/main.tf index 37240115..18c8bb69 100644 --- a/tf-config/live/eks/main.tf +++ b/tf-config/live/eks-staging/main.tf @@ -8,3 +8,9 @@ provider "aws" { region = "${var.aws_region}" version = "~> 1.35" } + +module "eks" { + source = "../../modules/eks" + environment = "staging" + aws_region = "${var.aws_region}" +} 
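Review bot: `rolearn: arn:aws:iam::662490392829:role/serviceRoleForEKSNodeInstanceForEC2` in `aws-auth-cm.yaml` hard-codes an account ID and role name into a committed manifest, while Terraform resolves the same role independently (`data.aws_iam_role.eks_node_instance` in `modules/eks/iam.tf`); the two can drift, and a mismatch between this ARN and the instance role actually attached to the workers is one of the documented causes of nodes failing to join, which is the open TODO in the staging README. Emit the ARN from Terraform (`output "node_role_arn" { value = "${data.aws_iam_role.eks_node_instance.arn}" }`) and template this ConfigMap from it, or manage it with a `kubernetes_config_map` resource, instead of hand-copying the value. `username: system:node:{{EC2PrivateDNSName}}` is literal text consumed by aws-iam-authenticator, not a placeholder to fill in.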
diff --git a/tf-config/live/eks-staging/output.tf b/tf-config/live/eks-staging/output.tf new file mode 100644 index 00000000..91a1ca55 --- /dev/null +++ b/tf-config/live/eks-staging/output.tf @@ -0,0 +1,3 @@ +output "kubeconfig" { + value = "${module.eks.kubeconfig}" +} diff --git a/tf-config/live/eks-staging/variables.tf b/tf-config/live/eks-staging/variables.tf new file mode 100644 index 00000000..8ec972bc --- /dev/null +++ b/tf-config/live/eks-staging/variables.tf @@ -0,0 +1,6 @@ +variable "access_key" {} +variable "secret_key" {} +variable "aws_region" { + default = "us-east-1" + description = "AWS region e.g. us-east-1 (Please specify a region supported by the Fargate launch type)" +} diff --git a/tf-config/live/eks/asg.tf b/tf-config/live/eks/asg.tf deleted file mode 100644 index 2b0027a3..00000000 --- a/tf-config/live/eks/asg.tf +++ /dev/null 
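Review bot: `variable "access_key" {}` and `variable "secret_key" {}` in `eks-staging/variables.tf` route long-lived AWS credentials through Terraform variables (presumably consumed by the `provider "aws"` block whose start lies outside the `main.tf` hunk); values given in a `.tfvars` file or on the command line tend to end up in shell history or the repository, and the provider's default credential chain (environment variables, a shared profile, or an assumed role) makes both variables unnecessary. The `description` on `aws_region` still refers to the Fargate launch type, which looks copied from another module and does not apply to this EKS stack; `description = "AWS region, e.g. us-east-1"` would do.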
@@ -1,57 +0,0 @@ -data "aws_ami" "eks_optimized_amis" { - owners = ["602401143452"] # Amazon EKS AMI Account ID - most_recent = true - - filter { - name = "name" - values = ["amazon-eks-node-${aws_eks_cluster.main.version}-v*"] - } -} - -resource "aws_launch_configuration" "main" { - name_prefix = "${local.aws_launch_configuration_name}" - iam_instance_profile = "${aws_iam_instance_profile.eks_node.name}" - security_groups = ["${aws_security_group.eks_node.id}"] - - image_id = "${data.aws_ami.eks_optimized_amis.id}" - instance_type = "t2.small" - - user_data = < BlockDeviceMappings: + # > - DeviceName: /dev/xvda + # > Ebs: + # > DeleteOnTermination: true + # > VolumeSize: !Ref NodeVolumeSize + # > VolumeType: gp2 + + depends_on = [ + "aws_eks_cluster.main" + ] +} + +resource "aws_autoscaling_group" "main" { + name = "${local.autoscaling_group_name}" + launch_configuration = "${aws_launch_configuration.main.id}" + vpc_zone_identifier = ["${aws_subnet.public.*.id}"] + + min_size = 1 + max_size = 2 + desired_capacity = 2 + + tag { + key = "Name" + value = "${local.autoscaling_group_name}" + propagate_at_launch = true + } + + tag { + key = "kubernetes.io/cluster/${local.eks_cluster_name}" + value = "owned" + propagate_at_launch = true + } + + # TODO: + # > UpdatePolicy: + # > AutoScalingRollingUpdate: + # > MaxBatchSize: "1" + # > MinInstancesInService: !Ref NodeAutoScalingGroupDesiredCapacity + # > PauseTime: PT5M +} diff --git a/tf-config/modules/eks/eks.tf b/tf-config/modules/eks/eks.tf new file mode 100644 index 00000000..ee8e2d1a --- /dev/null +++ b/tf-config/modules/eks/eks.tf @@ -0,0 +1,9 @@ +resource "aws_eks_cluster" "main" { + name = "${local.eks_cluster_name}" + role_arn = "${data.aws_iam_role.eks_service.arn}" + + vpc_config { + security_group_ids = ["${aws_security_group.eks_cluster_control_panel.id}"] + subnet_ids = ["${aws_subnet.public.*.id}"] + } +} 
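Review bot: `aws_eks_cluster.main` in `modules/eks/eks.tf` enables no control-plane logging and leaves the API endpoint at its default (public) setting, so there is no audit trail of API calls while the node-join problem described in this commit is being debugged. `enabled_cluster_log_types = ["api", "audit", "authenticator"]` provides that; I believe the argument requires a 2.x AWS provider, so it may mean lifting the `~> 1.35` constraint in `eks-staging/main.tf`. The cluster is also attached only to `aws_subnet.public.*.id`, which is workable for a first draft but worth a comment noting that workers therefore get public IPs.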
diff --git a/tf-config/modules/eks/iam.tf b/tf-config/modules/eks/iam.tf new file mode 100644 index 00000000..735538a4 --- /dev/null +++ b/tf-config/modules/eks/iam.tf @@ -0,0 +1,14 @@ +# This role is defined in live/iam-terraform-config +data "aws_iam_role" "eks_service" { + name = "serviceRoleForEKS" +} + +# This role is defined in live/iam-terraform-config +data "aws_iam_role" "eks_node_instance" { + name = "serviceRoleForEKSNodeInstanceForEC2" +} + +resource "aws_iam_instance_profile" "main" { + name = "${local.main_resource_name}" + role = "${data.aws_iam_role.eks_node_instance.name}" +} diff --git a/tf-config/live/eks/network.tf b/tf-config/modules/eks/network.tf similarity index 89% rename from tf-config/live/eks/network.tf rename to tf-config/modules/eks/network.tf index ab27228f..fe2426f6 100644 --- a/tf-config/live/eks/network.tf +++ b/tf-config/modules/eks/network.tf @@ -43,8 +43,9 @@ resource "aws_vpc" "main" { # https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html#vpc-tagging tags = "${ map( - "Name", "${local.aws_vpc_name}", - "kubernetes.io/cluster/${local.aws_eks_cluster_name}", "shared", + "Name", "${local.main_resource_name}", + "Environment", "${var.environment}", + "kubernetes.io/cluster/${local.eks_cluster_name}", "shared", ) }" } @@ -65,8 +66,9 @@ resource "aws_subnet" "public" { # https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html#vpc-subnet-tagging tags = "${ map( - "Name", "${local.aws_subnet_name}", - "kubernetes.io/cluster/${local.aws_eks_cluster_name}", "shared", + "Name", "${local.main_resource_name}-public", + "Environment", "${var.environment}", + "kubernetes.io/cluster/${local.eks_cluster_name}", "shared", ) }" } 
@@ -76,7 +78,7 @@ resource "aws_subnet" "public" { # Setup networking resources for the public subnets. Containers # in the public subnets have public IP addresses and the routing table # sends network traffic via the internet gateway. -resource "aws_internet_gateway" "gw" { +resource "aws_internet_gateway" "main" { vpc_id = "${aws_vpc.main.id}" } @@ -91,7 +93,7 @@ resource "aws_route" "internet_access" { # `aws_main_route_table_association`. # https://www.terraform.io/docs/providers/aws/r/vpc.html#main_route_table_id route_table_id = "${aws_route_table.public.id}" - gateway_id = "${aws_internet_gateway.gw.id}" + gateway_id = "${aws_internet_gateway.main.id}" destination_cidr_block = "0.0.0.0/0" } diff --git a/tf-config/live/eks/output.tf b/tf-config/modules/eks/output.tf similarity index 93% rename from tf-config/live/eks/output.tf rename to tf-config/modules/eks/output.tf index 1d50c995..0bbc1b4e 100644 --- a/tf-config/live/eks/output.tf +++ b/tf-config/modules/eks/output.tf @@ -25,7 +25,7 @@ users: args: - "token" - "-i" - - "${local.aws_eks_cluster_name}" + - "${local.eks_cluster_name}" KUBECONFIG } diff --git a/tf-config/modules/eks/security.tf b/tf-config/modules/eks/security.tf new file mode 100644 index 00000000..d0e013ca --- /dev/null +++ b/tf-config/modules/eks/security.tf 
@@ -0,0 +1,114 @@ +locals { + eks_cluster_control_panel_security_group_name = "${local.main_resource_name}-eks-cluster-control-panel" + eks_node_security_group_name = "${local.main_resource_name}-eks-node" +} + +resource "aws_security_group" "eks_cluster_control_panel" { + name = "${local.eks_cluster_control_panel_security_group_name}" + vpc_id = "${aws_vpc.main.id}" + + tags = { + Name = "${local.eks_cluster_control_panel_security_group_name}" + } +} + +# TODO: +# This should be used for enable `kubectl` locally? +resource "aws_security_group_rule" "eks_cluster_control_panel" { + type = "ingress" + + protocol = "tcp" + from_port = 443 + to_port = 443 + + # TODO: `Custom IP` rather than `Anywhere` + cidr_blocks = ["0.0.0.0/0"] + + security_group_id = "${aws_security_group.eks_cluster_control_panel.id}" +} + +# Allow pods to communicate with the cluster API Server +resource "aws_security_group_rule" "eks_cluster_control_panel_node_ingress" { + type = "ingress" + + protocol = "tcp" + from_port = 443 + to_port = 443 + + security_group_id = "${aws_security_group.eks_cluster_control_panel.id}" + source_security_group_id = "${aws_security_group.eks_node.id}" +} + +# Allow the cluster control plane to communicate with worker Kubelet and pods +resource "aws_security_group_rule" "eks_cluster_control_panel_to_node_egress" { + type = "egress" + + protocol = "tcp" + from_port = 1025 + to_port = 65535 + + security_group_id = "${aws_security_group.eks_cluster_control_panel.id}" + source_security_group_id = "${aws_security_group.eks_node.id}" +} + +# Allow the cluster control plane to communicate with pods running extension API servers on port 443 +resource "aws_security_group_rule" "eks_cluster_control_panel_to_node_egress_on_443" { + type = "egress" + + protocol = "tcp" + from_port = 443 + to_port = 443 + + security_group_id = "${aws_security_group.eks_cluster_control_panel.id}" + source_security_group_id = "${aws_security_group.eks_node.id}" +} + +# 
https://docs.aws.amazon.com/eks/latest/userguide/getting-started-console.html#eks-launch-workers +# https://amazon-eks.s3-us-west-2.amazonaws.com/cloudformation/2019-10-08/amazon-eks-nodegroup.yaml +resource "aws_security_group" "eks_node" { + name = "${local.eks_node_security_group_name}" + vpc_id = "${aws_vpc.main.id}" + + tags = "${ + map( + "Name", "${local.eks_node_security_group_name}", + "kubernetes.io/cluster/${local.eks_cluster_name}", "owned", + ) + }" +} + +# Allow node to communicate with each other +resource "aws_security_group_rule" "eks_node_self_ingress" { + type = "ingress" + + protocol = "-1" + from_port = 0 + to_port = 65535 + + security_group_id = "${aws_security_group.eks_node.id}" + self = true +} + +# Allow worker Kubelets and pods to receive communication from the cluster control plane +resource "aws_security_group_rule" "eks_node_from_cluster_control_panel_ingress" { + type = "ingress" + + protocol = "tcp" + from_port = 1025 + to_port = 65535 + + security_group_id = "${aws_security_group.eks_node.id}" + source_security_group_id = "${aws_security_group.eks_cluster_control_panel.id}" +} + +# Allow pods running extension API servers on port 443 to receive communication from cluster control plane +resource "aws_security_group_rule" "eks_node_from_cluster_control_panel_ingress_on_443" { + type = "ingress" + + protocol = "tcp" + from_port = 443 + to_port = 443 + + security_group_id = "${aws_security_group.eks_node.id}" + source_security_group_id = "${aws_security_group.eks_cluster_control_panel.id}" +} diff --git a/tf-config/live/eks/ssh.tf b/tf-config/modules/eks/ssh.tf similarity index 100% rename from tf-config/live/eks/ssh.tf rename to tf-config/modules/eks/ssh.tf diff --git a/tf-config/modules/eks/variables.tf b/tf-config/modules/eks/variables.tf new file mode 100644 index 00000000..df7a001c --- /dev/null +++ b/tf-config/modules/eks/variables.tf 
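Review bot: `aws_security_group.eks_node` in `security.tf` gets ingress rules only and no egress rule anywhere in the file; because the Terraform `aws_security_group` resource removes AWS's default allow-all egress when it creates a group, workers in this group cannot reach the EKS API endpoint, ECR or the internet at all, which on its own explains the "cannot join node" in the commit message. The CloudFormation nodegroup template linked in the comment carries an explicit egress rule, and the equivalent `aws_security_group_rule` is sketched below (tightening it later to the VPC CIDR plus 443 is the follow-up). Separately, `eks_node_self_ingress` combines `protocol = "-1"` with `to_port = 65535`; the provider expects `from_port` and `to_port` to both be 0 for the all-protocols rule and, I believe, rejects this combination, so `from_port = 0` / `to_port = 0` is the intended form. The `0.0.0.0/0` on the control-plane 443 ingress is already flagged by its own TODO.
```hcl
# … unchanged: eks_node security group and ingress rules …

# Terraform drops AWS's default allow-all egress on new groups; without an
# explicit egress rule the workers cannot reach the EKS API endpoint or ECR.
resource "aws_security_group_rule" "eks_node_egress" {
  type = "egress"

  protocol  = "-1"
  from_port = 0
  to_port   = 0

  cidr_blocks = ["0.0.0.0/0"]

  security_group_id = "${aws_security_group.eks_node.id}"
}
```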
@@ -0,0 +1,19 @@ +variable "environment" { + description = "Prefix to distinguish different environments. E.g., `dev`, `test`, `staging`, `prod`." +} + +variable "aws_region" { + default = "us-east-1" +} + +variable "az_count" { + default = 2 +} + +locals { + name_prefix = "${var.environment}-eks" + main_resource_name = "${local.name_prefix}" + + # Below variables are cross-used in different Terraform file. + eks_cluster_name = "${local.main_resource_name}" +} diff --git a/tf-config/modules/iam-terraform-roles-setup/main.tf b/tf-config/modules/iam-terraform-roles-setup/main.tf index 61f07d84..e11be81e 100644 --- a/tf-config/modules/iam-terraform-roles-setup/main.tf +++ b/tf-config/modules/iam-terraform-roles-setup/main.tf @@ -60,8 +60,9 @@ resource "aws_iam_role_policy_attachment" "ecs_task_execution_attach" { } # https://learn.hashicorp.com/terraform/aws/eks-intro -resource "aws_iam_role" "eks" { - name = "AmazonEksRole" +# https://docs.aws.amazon.com/eks/latest/userguide/getting-started-console.html#role-create +resource "aws_iam_role" "eks_service" { + name = "serviceRoleForEKS" assume_role_policy = <