feat: eksctl_nodegroup (#34)

In contrast to nodegroups embedded in `eksctl_cluster` `spec`, `eksctl_nodegroup` resources allows you to add/remove additional nodegroups to/from eksctl_cluster without calling many EKS APIs, which helps large scale deployment.

Author: mumoshu

README.md

@@ -12,7 +12,8 @@ Benefits:
 Features:
 
 - Manage eksctl clusters using Terraform
-- [Support for AssumeRole and Cross-Account usage](#assume-role-and-cross-account)
+- [Add/remove nodegroups using Terraform](#add-and-remove-nodegroups)
+- [Support for AssumeRole and Cross-Account usage](#assumerole-and-cross-account)
 - [Install and upgrade eksctl version using Terraform](#declarative-binary-version-management)
 - [Cluster canary deployment using ALB](#cluster-canary-deployment-using-alb)
 - [Cluster canary deployment using Route 53 + NLB](#cluster-canary-deployment-using-route-53-and-nlb)
@@ -763,6 +764,48 @@ resource "eksctl_cluster" "mystack" {
   // snip
 ```
 
+### Add and remove Node Groups
+
+In addition to declaring nodegroups in `eksctl_cluster`'s `spec,` you can add
+one or more nodegroups by using `eksctl_nodegroup`:
+
+```hcl-terraform
+resource "eksctl_cluster" "red" {
+  name = "red1"
+  region = "us-east-2"
+  api_version = "eksctl.io/v1alpha5"
+  version = "1.16"
+  vpc_id = module.vpc.vpc_id
+  spec = <<-EOS
+  nodeGroups:
+  - name: ng1
+    instanceType: m5.large
+    desiredCapacity: 1
+    targetGroupARNs:
+    - ${aws_lb_target_group.green.arn}
+  EOS
+}
+
+resource "eksctl_nodegroup" "ng2" {
+  assume_role {
+    role_arn = var.role_arn
+  }
+  name = "ng1"
+  region = eksctl_cluster.red.region
+  cluster = eksctl_cluster.red.name
+  nodes_min = 1
+  nodes = 1
+  # And all the `eksctl-create-nodegroup` flags are available as their `snake_case` form.
+  # See `eksctl create nodegroup -h` and
+  # https://github.com/mumoshu/terraform-provider-eksctl/pull/34/files#diff-d490f9a73df8d38ad25b7d26bf1152d178c08df0980f55b3c86fc6991b2b9839R165-R202
+  # for the full list.
+  # For example, `--install-nvidia-plugin` can be spciefied as `install_nvidia_driver = true`.
+}
+```
+
+It's almost a matter of preference whether to use, but generally `eksctl_nodegroup` is faster to `apply` as it involves
+fewer AWS API calls. 
+
 ### AssumeRole and Cross Account
 
 Providing the `assume_role` block, you can let the provider to call `sts:AssumeRole` for assuming an AWS role

examples/existingvpc/main.tf

@@ -1,5 +1,6 @@
 provider "eksctl" {}
 provider "helmfile" {}
+provider "kubectl" {}
 
 terraform {
   required_providers {
@@ -10,7 +11,12 @@ terraform {
 
     helmfile = {
       source = "mumoshu/helmfile"
-      version = "0.12.0"
+      version = "0.0.1"
+    }
+
+    kubectl = {
+      source = "mumoshu/kubectl"
+      version = "0.0.1"
     }
   }
 }
@@ -21,6 +27,9 @@ variable "region" {
   description = "AWS region"
 }
 
+variable "role_arn" {
+}
+
 variable "myip" {
 
 }
@@ -193,12 +202,16 @@ resource "aws_lb_target_group" "tg2" {
 }
 
 resource "eksctl_cluster" "red" {
-  eksctl_bin = "eksctl-dev"
-  name = "red"
-  region = "us-east-2"
+  assume_role {
+    role_arn = var.role_arn
+  }
+  eksctl_bin = "eksctl"
+  name = "red2"
+  region = var.region
   api_version = "eksctl.io/v1alpha5"
   version = "1.16"
   vpc_id = module.vpc.vpc_id
+  kubeconfig_path = "mykubeconfig"
   spec = <<EOS
 
 nodeGroups:
@@ -268,35 +281,50 @@ EOS
     module.vpc]
 }
 
-resource "eksctl_courier_alb" "my_alb_courier" {
-  listener_arn = aws_alb_listener.podinfo.arn
-
-  priority = "11"
-
-  step_weight = 10
-  step_interval = "5s"
-
-  hosts = [
-    "exmaple.com"]
-
-  destination {
-    target_group_arn = aws_lb_target_group.tg1.arn
-
-    weight = 100
-  }
-
-  destination {
-    target_group_arn = aws_lb_target_group.tg2.arn
-    weight = 0
+resource "eksctl_nodegroup" "ng1" {
+  assume_role {
+    role_arn = var.role_arn
   }
-
-  depends_on = [
-    eksctl_cluster.red,
-    helmfile_release_set.mystack1
-  ]
+  name = "ng1"
+  region = eksctl_cluster.red.region
+  cluster = eksctl_cluster.red.name
+  nodes_min = 1
+  nodes = 1
 }
+//
+//resource "eksctl_courier_alb" "my_alb_courier" {
+//  listener_arn = aws_alb_listener.podinfo.arn
+//
+//  priority = "11"
+//
+//  step_weight = 10
+//  step_interval = "5s"
+//
+//  hosts = [
+//    "exmaple.com"]
+//
+//  destination {
+//    target_group_arn = aws_lb_target_group.tg1.arn
+//
+//    weight = 100
+//  }
+//
+//  destination {
+//    target_group_arn = aws_lb_target_group.tg2.arn
+//    weight = 0
+//  }
+//
+//  depends_on = [
+//    eksctl_cluster.red,
+////    helmfile_release_set.mystack1
+//  ]
+//}
 
 resource "helmfile_release_set" "mystack1" {
+  aws_region = var.region
+  aws_assume_role {
+    role_arn = var.role_arn
+  }
   content = file("./helmfile.yaml")
   environment = "default"
   kubeconfig = eksctl_cluster.red.kubeconfig_path
@@ -305,6 +333,29 @@ resource "helmfile_release_set" "mystack1" {
   ]
 }
 
+resource "kubectl_ensure" "meta" {
+  aws_region = var.region
+  aws_assume_role {
+    role_arn = var.role_arn
+  }
+
+  kubeconfig = eksctl_cluster.red.kubeconfig_path
+
+  namespace = "kube-system"
+  resource = "configmap"
+  name = "aws-auth"
+
+  labels = {
+    "key1" = "one"
+    "key2" = "two"
+  }
+
+  annotations = {
+    "key3" = "three"
+    "key4" = "four"
+  }
+}
+
 output "kubeconfig_path" {
   value = eksctl_cluster.red.kubeconfig_path
 }
@@ -344,20 +395,20 @@ output "vpc_cidr_block" {
 output "vpc_subnet_groups" {
   value = {
     "public" = [
-      for i in range(length(module.vpc.azs)):
-      {
-        cidr = module.vpc.public_subnets_cidr_blocks[i],
-        az = module.vpc.azs[i],
-        id = module.vpc.public_subnets[i],
-      }
+    for i in range(length(module.vpc.azs)):
+    {
+      cidr = module.vpc.public_subnets_cidr_blocks[i],
+      az = module.vpc.azs[i],
+      id = module.vpc.public_subnets[i],
+    }
     ],
     "private" = [
-        for i in range(length(module.vpc.azs)):
-        {
-          cidr = module.vpc.private_subnets_cidr_blocks[i],
-          az = module.vpc.azs[i],
-          id = module.vpc.private_subnets[i],
-        }
+    for i in range(length(module.vpc.azs)):
+    {
+      cidr = module.vpc.private_subnets_cidr_blocks[i],
+      az = module.vpc.azs[i],
+      id = module.vpc.private_subnets[i],
+    }
     ]
   }
 }

examples/lib/lib.mk

@@ -1,22 +1,37 @@
 WORKSPACE ?= $(shell pwd)
 HELMFILE_ROOT ?= ../../../terraform-provider-helmfile
+KUBECTL_ROOT ?= ../../../terraform-provider-kubectl
 TERRAFORM ?= terraform
 
 .PHONY: build
 build: VER=0.0.1
 build:
 	mkdir -p .terraform/plugins/darwin_amd64
 	cd ../..; make clean build
-	cp ../../dist/darwin_amd64/terraform-provider-eksctl $(WORKSPACE)/.terraform/plugins/darwin_amd64/
-	chmod +x $(WORKSPACE)/.terraform/plugins/darwin_amd64/terraform-provider-eksctl
 	cd $(HELMFILE_ROOT); make build
+	cd $(KUBECTL_ROOT); make build
 	# For terraform up to v0.12
+	#
+	# eksctl
+	cp ../../dist/darwin_amd64/terraform-provider-eksctl $(WORKSPACE)/.terraform/plugins/darwin_amd64/
+	chmod +x $(WORKSPACE)/.terraform/plugins/darwin_amd64/terraform-provider-eksctl
+	# helmfile
 	cp $(HELMFILE_ROOT)/dist/darwin_amd64/terraform-provider-helmfile $(WORKSPACE)/.terraform/plugins/darwin_amd64/
 	chmod +x $(WORKSPACE)/.terraform/plugins/darwin_amd64/terraform-provider-helmfile
+	# kubectl
+	cp $(KUBECTL_ROOT)/dist/darwin_amd64/terraform-provider-kubectl $(WORKSPACE)/.terraform/plugins/darwin_amd64/
+	chmod +x $(WORKSPACE)/.terraform/plugins/darwin_amd64/terraform-provider-kubectl
 	# For tereraform v0.13+
+	#
+	# eksctl
 	mkdir -p $(WORKSPACE)/.terraform/plugins/registry.terraform.io/mumoshu/eksctl/$(VER)/darwin_amd64/
 	cp ../../dist/darwin_amd64/terraform-provider-eksctl $(WORKSPACE)/.terraform/plugins/registry.terraform.io/mumoshu/eksctl/$(VER)/darwin_amd64/terraform-provider-eksctl_v$(VER)
 	chmod +x $(WORKSPACE)/.terraform/plugins/registry.terraform.io/mumoshu/eksctl/$(VER)/darwin_amd64/terraform-provider-eksctl_v$(VER)
+	# helmfile
 	mkdir -p $(WORKSPACE)/.terraform/plugins/registry.terraform.io/mumoshu/helmfile/$(VER)/darwin_amd64/
 	cp $(HELMFILE_ROOT)/dist/darwin_amd64/terraform-provider-helmfile $(WORKSPACE)/.terraform/plugins/registry.terraform.io/mumoshu/helmfile/$(VER)/darwin_amd64/terraform-provider-helmfile_v$(VER)
 	chmod +x $(WORKSPACE)/.terraform/plugins/registry.terraform.io/mumoshu/helmfile/$(VER)/darwin_amd64/terraform-provider-helmfile_v$(VER)
+	# kubectl
+	mkdir -p $(WORKSPACE)/.terraform/plugins/registry.terraform.io/mumoshu/kubectl/$(VER)/darwin_amd64/
+	cp $(KUBECTL_ROOT)/dist/darwin_amd64/terraform-provider-kubectl $(WORKSPACE)/.terraform/plugins/registry.terraform.io/mumoshu/kubectl/$(VER)/darwin_amd64/terraform-provider-kubectl_v$(VER)
+	chmod +x $(WORKSPACE)/.terraform/plugins/registry.terraform.io/mumoshu/kubectl/$(VER)/darwin_amd64/terraform-provider-kubectl_v$(VER)

pkg/provider/provider.go

@@ -6,6 +6,7 @@ import (
 	"github.com/mumoshu/terraform-provider-eksctl/pkg/resource/cluster"
 	"github.com/mumoshu/terraform-provider-eksctl/pkg/resource/courier"
 	"github.com/mumoshu/terraform-provider-eksctl/pkg/resource/iamserviceaccount"
+	"github.com/mumoshu/terraform-provider-eksctl/pkg/resource/nodegroup"
 	"github.com/mumoshu/terraform-provider-eksctl/pkg/sdk/tfsdk"
 )
 
@@ -19,6 +20,7 @@ func Provider() terraform.ResourceProvider {
 		},
 		ResourcesMap: map[string]*schema.Resource{
 			"eksctl_cluster":                cluster.ResourceCluster(),
+			"eksctl_nodegroup":              nodegroup.Resource(),
 			"eksctl_iamserviceaccount":      iamserviceaccount.Resource(),
 			"eksctl_courier_alb":            courier.ResourceALB(),
 			"eksctl_courier_route53_record": courier.ResourceRoute53Record(),

pkg/resource/nodegroup/context.go

@@ -0,0 +1,14 @@
+package nodegroup
+
+import (
+	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
+	"github.com/mumoshu/terraform-provider-eksctl/pkg/sdk"
+	"github.com/mumoshu/terraform-provider-eksctl/pkg/sdk/tfsdk"
+)
+
+func mustContext(a *schema.ResourceData) *sdk.Context {
+	config := tfsdk.ConfigFromResourceData(a)
+	sess, creds := sdk.AWSCredsFromConfig(config)
+
+	return &sdk.Context{Sess: sess, Creds: creds}
+}