🧱 项目完整文件结构
terraform-eks-demo/ ├── provider.tf # 配置 Terraform 和 AWS Provider(包含密钥) ├── vpc.tf # 手动创建 VPC、子网、路由表、网关等 ├── eks.tf # 创建 EKS 集群、节点组及相关 IAM 角色 ├── outputs.tf # 输出集群信息 └── variables.tf # 变量定义(可选,这里为了演示区域等)
1、provider.tf – 配置 Terraform 和 AWS 凭证
# 指定 Terraform 的最低版本和所需的插件 terraform {required_version = ">= 1.0" # Terraform 版本要求required_providers {aws = {source = "hashicorp/aws" # AWS Provider 的来源version = "~> 5.0" # 使用 5.x 版本}} }# 配置 AWS Provider,直接写入 Access Key 和 Secret Key(仅为演示) provider "aws" {region = "us-west-2" access_key = "" # ⚠️ 你的 Access Key(请替换为真实值)secret_key = "" # ⚠️ 你的 Secret Key(请替换为真实值)token = "" }
2、vpc.tf – 手动创建 VPC、子网、路由表、网关等
# 1. 创建 VPC resource "aws_vpc" "main" {cidr_block = "10.63.0.0/16" # VPC 的 IP 地址范围(65536 个地址)enable_dns_support = true # 启用 DNS 解析(EKS 需要)enable_dns_hostnames = true # 启用 DNS 主机名(EKS 需要)tags = {Name = "my-eks-vpc"} }# 2. 创建互联网网关(IGW),用于公共子网访问外网 resource "aws_internet_gateway" "igw" {vpc_id = aws_vpc.main.idtags = {Name = "my-eks-igw"} }# 3. 获取当前区域可用的可用区(用于分布子网) data "aws_availability_zones" "available" {state = "available" # 只获取可用的可用区 }# 4. 创建 3 个公共子网(分别位于前 3 个可用区) resource "aws_subnet" "public" {count = 3 # 创建 3 个子网vpc_id = aws_vpc.main.idcidr_block = cidrsubnet("10.63.0.0/16", 8, count.index) # 生成 10.0.0.0/24, 10.0.1.0/24, 10.0.2.0/24availability_zone = data.aws_availability_zones.available.names[count.index]map_public_ip_on_launch = true # 自动分配公网 IP(对公共子网内的实例)tags = {Name = "public-subnet-${count.index}"# EKS 要求:公网子网打上特定标签,用于发现负载均衡器"kubernetes.io/role/elb" = "1"} }# 5. 创建 3 个私有子网 resource "aws_subnet" "private" {count = 3vpc_id = aws_vpc.main.idcidr_block = cidrsubnet("10.63.0.0/16", 8, count.index + 10) # 生成 10.0.10.0/24, 10.0.11.0/24, 10.0.12.0/24availability_zone = data.aws_availability_zones.available.names[count.index]tags = {Name = "private-subnet-${count.index}"# EKS 要求:私有子网打上内部负载均衡器的标签"kubernetes.io/role/internal-elb" = "1"} }# 6. 创建弹性 IP(用于 NAT 网关) resource "aws_eip" "nat" {domain = "vpc" # 表示在 VPC 中使用tags = {Name = "my-eks-nat-eip"} }# 7. 创建 NAT 网关(放在一个公共子网中,为私有子网提供外网访问) resource "aws_nat_gateway" "nat" {allocation_id = aws_eip.nat.idsubnet_id = aws_subnet.public[0].id # 放在第一个公共子网tags = {Name = "my-eks-nat"} }# 8. 创建公共路由表(关联公共子网,路由指向 IGW) resource "aws_route_table" "public" {vpc_id = aws_vpc.main.idroute {cidr_block = "0.0.0.0/0" # 所有目的地址gateway_id = aws_internet_gateway.igw.id # 指向互联网网关}tags = {Name = "public-rt"} }# 9. 将公共路由表关联到每个公共子网 resource "aws_route_table_association" "public" {count = 3subnet_id = aws_subnet.public[count.index].idroute_table_id = aws_route_table.public.id }# 10. 创建私有路由表(关联私有子网,路由指向 NAT 网关) resource "aws_route_table" "private" {vpc_id = aws_vpc.main.idroute {cidr_block = "0.0.0.0/0"nat_gateway_id = aws_nat_gateway.nat.id # 指向 NAT 网关}tags = {Name = "private-rt"} }# 11. 将私有路由表关联到每个私有子网 resource "aws_route_table_association" "private" {count = 3subnet_id = aws_subnet.private[count.index].idroute_table_id = aws_route_table.private.id }
3、eks.tf – 创建 EKS 集群和节点组(含 IAM)
# 1. IAM 角色:供 EKS 集群控制平面使用 resource "aws_iam_role" "eks_cluster" {name = "my-eks-cluster-role"assume_role_policy = jsonencode({Version = "2012-10-17"Statement = [{Action = "sts:AssumeRole"Effect = "Allow"Principal = {Service = "eks.amazonaws.com" # 允许 EKS 服务扮演此角色}},]}) }# 2. 将 AmazonEKSClusterPolicy 托管策略附加到集群角色 resource "aws_iam_role_policy_attachment" "eks_cluster" {policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"role = aws_iam_role.eks_cluster.name }# 3. IAM 角色:供 EKS 工作节点(EC2)使用 resource "aws_iam_role" "eks_nodes" {name = "my-eks-node-role"assume_role_policy = jsonencode({Version = "2012-10-17"Statement = [{Action = "sts:AssumeRole"Effect = "Allow"Principal = {Service = "ec2.amazonaws.com" # 允许 EC2 服务扮演此角色}},]}) }# 4. 附加工作节点所需的核心策略 resource "aws_iam_role_policy_attachment" "eks_node_policy" {policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"role = aws_iam_role.eks_nodes.name }resource "aws_iam_role_policy_attachment" "eks_cni_policy" {policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"role = aws_iam_role.eks_nodes.name }resource "aws_iam_role_policy_attachment" "ec2_container_registry_read_only" {policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"role = aws_iam_role.eks_nodes.name }# 5. 创建 EKS 集群(控制平面) resource "aws_eks_cluster" "main" {name = "my-eks-cluster"role_arn = aws_iam_role.eks_cluster.arnversion = "1.35" # Kubernetes 版本vpc_config {subnet_ids = aws_subnet.private[*].id # 将集群控制平面部署在私有子网中(官方推荐)}# 确保 IAM 策略已经附加depends_on = [aws_iam_role_policy_attachment.eks_cluster] }# 6. 创建 EKS 托管节点组(工作节点) resource "aws_eks_node_group" "main" {cluster_name = aws_eks_cluster.main.namenode_group_name = "my-node-group"node_role_arn = aws_iam_role.eks_nodes.arnsubnet_ids = aws_subnet.private[*].id # 工作节点也放在私有子网instance_types = ["t3.medium"] # 实例规格scaling_config {desired_size = 2max_size = 3min_size = 1}# 集群必须先就绪depends_on = [aws_eks_cluster.main,]tags = {Name = "my-eks-worker"} }
4、outputs.tf – 输出集群信息
output "cluster_name" {description = "EKS 集群名称"value = aws_eks_cluster.main.name }output "cluster_endpoint" {description = "EKS API Server 地址"value = aws_eks_cluster.main.endpoint }output "cluster_certificate_authority" {description = "集群 CA 证书(base64 编码)"value = aws_eks_cluster.main.certificate_authority[0].data }
🚀 部署步骤
-
替换密钥:将
provider.tf中的access_key和secret_key换成你自己的真实密钥。 -
初始化:
terraform init -
预览:
terraform plan(会列出约 30 多个资源) -
应用:
terraform apply -auto-approve(等待 10-15 分钟) -
配置 kubeconfig:
aws eks update-kubeconfig --region us-west-2 --name my-eks-cluster -
测试:
kubectl get nodes
🧹 清理资源
terraform destroy -auto-approve
5、mac配置访问凭证和安装kubectl
配置访问凭证
export AWS_ACCESS_KEY_ID="" export AWS_SECRET_ACCESS_KEY="" export AWS_SESSION_TOKEN=""
aws eks update-kubeconfig --region us-west-2 --name my-eks-cluster
安装kubectl
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"brew install kubectl
验证
kubectl get nodes