# Derived from Data On EKS under Apache License 2.0.
# Source: https://github.com/awslabs/data-on-eks/tree/main/ai-ml/jupyterhub
# See LICENSE file in the root directory of this source code or at http://www.apache.org/licenses/LICENSE-2.0.html.
#-----------------------------------------------------------------------------------------
# JupyterHub single-user IRSA; this block could perhaps be incorporated into the add-on registry
#-----------------------------------------------------------------------------------------
# Namespace that hosts JupyterHub, its single-user service account and the
# EFS-backed storage objects declared further down in this file.
resource "kubernetes_namespace" "jupyterhub" {
  metadata {
    name = "jupyterhub"
  }
}
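# The single-user service-account name is defined once and used by both the
# IAM trust policy (namespace_service_accounts) and the Kubernetes service
# account that carries the role annotation. Previously the trust policy named
# "jupyterhub-single-user" while the service account was created as
# "<cluster>-jupyterhub-single-user"; with such a mismatch the OIDC `sub`
# condition never matches and AssumeRoleWithWebIdentity fails for every
# notebook pod. Any Helm values that set singleuser.serviceAccountName must use
# this same name.
locals {
  jupyterhub_single_user_sa_name = "${module.eks.cluster_name}-jupyterhub-single-user"
}

module "jupyterhub_single_user_irsa" {
  source    = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
  role_name = "${module.eks.cluster_name}-jupyterhub-single-user-sa"

  # Notebook pods execute arbitrary user code, so whatever this role can do is
  # reachable by every notebook user. AmazonS3ReadOnlyAccess grants read access
  # to every bucket in the account; replace it with a policy scoped to the
  # buckets the notebooks actually need.
  role_policy_arns = {
    policy = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess" # Policy needs to be defined based on what you need to give access to your notebook instances.
  }

  oidc_providers = {
    main = {
      provider_arn = module.eks.oidc_provider_arn
      # "<namespace>:<service-account>" pairs that the module places in the
      # role's trust policy as the web-identity `sub` condition; they must match
      # the service account below exactly.
      namespace_service_accounts = ["${kubernetes_namespace.jupyterhub.metadata[0].name}:${local.jupyterhub_single_user_sa_name}"]
    }
  }
}

# Service account used by the single-user notebook pods. The role-arn annotation
# is what the EKS pod identity webhook keys on to inject AWS credentials.
resource "kubernetes_service_account_v1" "jupyterhub_single_user_sa" {
  metadata {
    name        = local.jupyterhub_single_user_sa_name
    namespace   = kubernetes_namespace.jupyterhub.metadata[0].name
    annotations = { "eks.amazonaws.com/role-arn" : module.jupyterhub_single_user_irsa.iam_role_arn }
  }

  # IRSA does not depend on this: the pod identity webhook injects its own
  # projected web-identity token. Automounting the Kubernetes API token into
  # user-controlled notebook pods gives them a credential for kube-apiserver;
  # consider `false` unless something in the notebook image genuinely needs
  # the cluster API. Left as-is here because Helm values outside this file may
  # rely on it.
  automount_service_account_token = true
}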
# Static, non-expiring API token for the single-user service account, populated
# by the token controller because of the secret type below. IRSA does not use
# it, so it is only needed if something consumes the token explicitly; treat it
# as a long-lived credential with cluster-API reach and drop it if nothing does.
resource "kubernetes_secret_v1" "jupyterhub_single_user" {
  metadata {
    name      = "${module.eks.cluster_name}-jupyterhub-single-user-secret"
    namespace = kubernetes_namespace.jupyterhub.metadata[0].name
    annotations = {
      # The service-account.name annotation tells the token controller which
      # service account the token is minted for.
      "kubernetes.io/service-account.name"      = kubernetes_service_account_v1.jupyterhub_single_user_sa.metadata[0].name
      "kubernetes.io/service-account.namespace" = kubernetes_namespace.jupyterhub.metadata[0].name
    }
  }

  type = "kubernetes.io/service-account-token"
}
#---------------------------------------------------------------
# EFS Filesystem for private volumes per user
# This will be replaced with dynamic EFS provisioning using the EFS CSI Driver
#---------------------------------------------------------------
# Single EFS file system shared by the per-user and shared volumes below.
resource "aws_efs_file_system" "efs" {
  # Encryption at rest; without kms_key_id the AWS-managed EFS key is used.
  # Set kms_key_id to use a customer-managed key instead.
  encrypted = true
  # No file_system_policy is set in this block, so access control here rests on
  # network reachability of the mount targets (aws_security_group.efs).
  tags = local.tags
}
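# Private subnets that receive an EFS mount target: those whose CIDR block
# starts with "100." (presumably the VPC's secondary CIDR range, which the EFS
# security group also admits — confirm against the VPC definition). Computed
# once so that `count` and `subnet_id` cannot disagree; the original repeated
# the same filter expression in both places.
locals {
  efs_mount_target_subnet_ids = compact([
    for subnet_id, cidr_block in zipmap(module.vpc.private_subnets, module.vpc.private_subnets_cidr_blocks) :
    substr(cidr_block, 0, 4) == "100." ? subnet_id : null
  ])
}

# One mount target per selected subnet, all guarded by the EFS security group.
resource "aws_efs_mount_target" "efs_mt" {
  count = length(local.efs_mount_target_subnet_ids)

  file_system_id  = aws_efs_file_system.efs.id
  subnet_id       = local.efs_mount_target_subnet_ids[count.index]
  security_groups = [aws_security_group.efs.id]
}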
# Security group attached to the EFS mount targets. Because the rules are
# declared inline and no egress block is given, Terraform manages the rule set
# exhaustively: only the NFS ingress below is allowed and the default allow-all
# egress rule is removed. Security groups are stateful, so NFS replies still
# flow without an egress rule.
resource "aws_security_group" "efs" {
  name        = "${local.name}-efs"
  description = "Allow inbound NFS traffic from private subnets of the VPC"
  vpc_id      = module.vpc.vpc_id

  ingress {
    description = "Allow NFS 2049/tcp"
    # Admits every address in the VPC's secondary CIDR blocks, not only the
    # notebook nodes. Sourcing the rule from the node/pod security group
    # (security_groups = [...]) instead would limit which workloads can mount
    # the user volumes.
    cidr_blocks = module.vpc.vpc_secondary_cidr_blocks
    from_port   = 2049
    to_port     = 2049
    protocol    = "tcp"
  }

  tags = local.tags
}
#---------------------------------------
# EFS Configuration
#---------------------------------------
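# Installs two releases of the local helm/efs chart, each presumably creating a
# PV/PVC pair pointed at the EFS file system above: one for private per-user
# volumes and one for the shared volume. The release namespace now references
# the namespace resource instead of repeating the "jupyterhub" literal, so the
# two cannot drift apart; depends_on is kept so ordering is explicit.
module "efs_config" {
  source  = "aws-ia/eks-blueprints-addons/aws"
  version = "~> 1.2"

  cluster_name      = module.eks.cluster_name
  cluster_endpoint  = module.eks.cluster_endpoint
  cluster_version   = module.eks.cluster_version
  oidc_provider_arn = module.eks.oidc_provider_arn

  helm_releases = {
    # Private per-user storage.
    efs = {
      name             = "efs"
      description      = "A Helm chart for storage configurations"
      namespace        = kubernetes_namespace.jupyterhub.metadata[0].name
      create_namespace = false
      chart            = "${path.module}/helm/efs"
      chart_version    = "0.0.1"
      values = [
        # Chart values: PV/PVC names plus the EFS DNS name the volume mounts.
        <<-EOT
          pv:
            name: efs-persist
            dnsName: ${aws_efs_file_system.efs.dns_name}
          pvc:
            name: efs-persist
        EOT
      ]
    }
    # Storage shared between users.
    efs-shared = {
      name             = "efs-shared"
      description      = "A Helm chart for shared storage configurations"
      namespace        = kubernetes_namespace.jupyterhub.metadata[0].name
      create_namespace = false
      chart            = "${path.module}/helm/efs"
      chart_version    = "0.0.1"
      values = [
        <<-EOT
          pv:
            name: efs-persist-shared
            dnsName: ${aws_efs_file_system.efs.dns_name}
          pvc:
            name: efs-persist-shared
        EOT
      ]
    }
  }

  depends_on = [kubernetes_namespace.jupyterhub]
}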