init

Author: archae0pteryx

.gitignore

@@ -0,0 +1,67 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+
+# local development
+.DS_Store
+tmp
+.vscode
+
+# Terragrunt
+.*.sw?
+.idea
+terragrunt.iml
+vendor
+.terraform
+*.out
+.terragrunt-cache
+.bundle
+.ruby-version
+.terraform.lock.hcl
+terragrunt
+secrets.hcl
+.*.sw?
+.idea
+terragrunt.iml
+vendor
+.terraform
+.vscode
+*.tfstate
+*.tfstate.backup
+*.out
+.terragrunt-cache
+.bundle
+.ruby-version
+.terraform.lock.hcl
+terragrunt

LICENSE

@@ -0,0 +1,24 @@
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to <https://unlicense.org>

README.md

@@ -0,0 +1,40 @@
+## EKS Mixed cluster for AI pipelines and applications
+
+Bare bones mixed GPU eks cluster.
+- Managed node groups
+- Default no schedule taints for GPU nodes
+- Karpenter annotations
+
+#### Inputs
+```hcl
+cluster_name
+cluster_version
+auth_users
+ssh_key_name
+region
+vpc_id
+vpc_subnet_ids
+vpc_default_security_group_ids
+vpc_controlplane_subnet_ids
+node_instance_types
+node_min_size
+node_max_size
+node_desired_size
+enable_gpu_nodes
+gpu_node_instance_types
+gpu_min_nodes
+gpu_max_nodes
+gpu_desired_nodes
+karpenter_enable
+karpenter_role_arn
+enable_monitoring
+default_tags
+```
+
+#### Outputs
+```hcl
+cluster_name
+cluster_endpoint
+cluster_certificate_authority_data
+cluster_oidc_provider_arn
+```

main.tf

@@ -0,0 +1,93 @@
+data "aws_caller_identity" "current" {}
+
+locals {
+  remote_access = {
+    ec2_ssh_key               = var.ssh_key_name
+    source_security_group_ids = [aws_security_group.remote_access.id]
+  }
+  default_node_group = {
+    default = {
+      capacity_type  = "ON_DEMAND"
+      instance_types = var.node_instance_types
+      min_size       = var.node_min_size
+      max_size       = var.node_max_size
+      desired_size   = var.node_desired_size
+    }
+  }
+  gpu_node_group = var.enable_gpu_nodes ? {
+    gpu = {
+      instance_types = var.gpu_node_instance_types
+      capacity_type  = "SPOT"
+      min_size       = var.gpu_min_nodes
+      max_size       = var.gpu_max_nodes
+      desired_size   = var.gpu_desired_nodes
+      taints = {
+        dedicated = {
+          key    = "dedicated"
+          value  = "gpuGroup"
+          effect = "NO_SCHEDULE"
+        }
+      }
+      remote_access = local.remote_access
+    }
+  } : {}
+  merged_node_groups = merge(local.default_node_group, local.gpu_node_group)
+}
+
+module "eks" {
+  source  = "terraform-aws-modules/eks/aws"
+  version = "~> 19.17.2"
+
+  cluster_name                   = var.cluster_name
+  cluster_endpoint_public_access = true
+
+  vpc_id                   = var.vpc_id
+  subnet_ids               = var.vpc_subnet_ids
+  control_plane_subnet_ids = var.vpc_controlplane_subnet_ids
+
+  create_aws_auth_configmap = true
+  manage_aws_auth_configmap = true
+
+  aws_auth_users = var.auth_users
+  aws_auth_roles = [
+    # We need to add in the Karpenter node IAM role for nodes launched by Karpenter
+    {
+      rolearn  = var.karpenter_role_arn
+      username = "system:node:{{EC2PrivateDNSName}}"
+      groups = [
+        "system:bootstrappers",
+        "system:nodes",
+      ]
+    },
+  ]
+
+  eks_managed_node_groups = local.merged_node_groups
+  tags = merge(var.default_tags, {
+    "karpenter.sh/discovery" = var.cluster_name
+  })
+}
+
+
+resource "aws_security_group" "remote_access" {
+  name_prefix = "${var.cluster_name}-remote-access"
+  description = "Allow remote SSH access"
+  vpc_id      = var.vpc_id
+
+  ingress {
+    description = "SSH access"
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = ["10.0.0.0/8"]
+  }
+
+  egress {
+    from_port        = 0
+    to_port          = 0
+    protocol         = "-1"
+    cidr_blocks      = ["0.0.0.0/0"]
+    ipv6_cidr_blocks = ["::/0"]
+  }
+
+  tags = var.default_tags
+}

outputs.tf

@@ -0,0 +1,20 @@
+output "cluster_name" {
+  description = "The name of the EKS cluster."
+  value       = module.eks.cluster_name
+}
+
+output "cluster_endpoint" {
+  description = "The endpoint for the EKS cluster."
+  value       = module.eks.cluster_endpoint
+}
+
+output "cluster_certificate_authority_data" {
+  description = "The certificate-authority-data for the EKS cluster."
+  value       = module.eks.cluster_certificate_authority_data
+  sensitive   = true
+}
+
+output "cluster_oidc_provider_arn" {
+  description = "The OIDC Issuer ARN for the EKS cluster."
+  value       = module.eks.oidc_provider_arn
+}

providers.tf

@@ -0,0 +1,3 @@
+provider "aws" {
+  region = "us-east-1"
+}

variables.tf

@@ -0,0 +1,134 @@
+variable "cluster_name" {
+  description = "The name of the EKS cluster."
+  type        = string
+}
+
+variable "cluster_version" {
+  description = "The Kubernetes server version for the EKS cluster."
+  type        = string
+  default     = "1.28"
+}
+
+variable "auth_users" {
+  description = "The list of users to add to the aws-auth configmap."
+  type = list(object({
+    userarn  = string
+    username = string
+    groups   = list(string)
+  }))
+  default = []
+}
+
+variable "ssh_key_name" {
+  description = "The name of the SSH keypair to use for the bastion host."
+  type        = string
+  default     = "sandbox_key"
+}
+
+variable "region" {
+  description = "The region in which to create the EKS cluster."
+  type        = string
+  default     = "us-east-1"
+}
+
+variable "vpc_id" {
+  description = "The VPC ID in which to create the EKS cluster."
+  type        = string
+}
+
+variable "vpc_subnet_ids" {
+  description = "The subnet IDs in which to create the EKS cluster."
+  type        = list(string)
+}
+
+variable "vpc_default_security_group_ids" {
+  description = "The ID of the default security group for the VPC."
+  type        = list(string)
+  default     = []
+}
+
+variable "vpc_controlplane_subnet_ids" {
+  description = "The intra subnet IDs in which to create the EKS cluster."
+  type        = list(string)
+}
+
+variable "default_tags" {
+  description = "The tags to apply to all resources in the module."
+  type        = map(string)
+  default = {
+    Terraform   = "true"
+    Environment = "sandbox"
+  }
+}
+
+variable "node_instance_types" {
+  description = "The instance types for the default node group."
+  type        = list(string)
+  default     = ["t3.medium"]
+}
+
+variable "node_min_size" {
+  description = "The minimum number of nodes."
+  type        = number
+  default     = 1
+}
+
+variable "node_max_size" {
+  description = "The maximum number of nodes."
+  type        = number
+  default     = 3
+}
+
+variable "node_desired_size" {
+  description = "The desired number of nodes."
+  type        = number
+  default     = 1
+}
+
+variable "enable_gpu_nodes" {
+  description = "Whether to enable GPU nodes."
+  type        = bool
+  default     = false
+}
+
+variable "gpu_node_instance_types" {
+  description = "The instance types for the default GPU node group."
+  type        = list(string)
+  default     = ["g4dn.xlarge"]
+}
+
+variable "gpu_min_nodes" {
+  description = "The minimum number of GPU nodes."
+  type        = number
+  default     = 0
+}
+
+variable "gpu_max_nodes" {
+  description = "The maximum number of GPU nodes."
+  type        = number
+  default     = 3
+}
+
+variable "gpu_desired_nodes" {
+  description = "The desired number of GPU nodes."
+  type        = number
+  default     = 0
+}
+
+variable "karpenter_enable" {
+  description = "Whether to enable Karpenter."
+  type        = bool
+  default     = false
+}
+
+variable "karpenter_role_arn" {
+  description = "The ARN of the IAM role for Karpenter."
+  type        = string
+  default     = ""
+}
+
+variable "enable_monitoring" {
+  description = "Whether to enable monitoring."
+  type        = bool
+  default     = false
+}

versions.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.5"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 4.57"
+    }
+  }
+}