feat(eks-terraform): add initial Terraform configuration for AWS EKS …

.gitignore

@@ -35,6 +35,17 @@ build/
 ### VS Code ###
 .vscode/
 
+### Terraform ###
+.terraform/
+*.tfstate
+*.tfstate.backup
+*.tfvars
+*.tfvars.json
+*.tfplan
+crash.log
+.terraformrc
+terraform.rc
+
 ### Kiro ###
 .kiro/debug/
 

infra/eks-terraform/.gitignore

@@ -0,0 +1,31 @@
+# Local Terraform directories
+.terraform/
+
+# Terraform state files
+*.tfstate
+*.tfstate.backup
+*.terraform.lock.hcl
+
+# Crash log files
+crash.log
+
+# CLI configuration files
+.terraformrc
+terraform.rc
+
+# Sensitive override files
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Sensitive variable files
+*.tfvars
+*.tfvars.json
+
+# Ignore generated plan files
+*.tfplan
+
+# Ignore AWS credential files if accidentally placed
+*.pem
+*.key

infra/eks-terraform/NOTES.md

@@ -0,0 +1,7 @@
+Notes and cost warnings
+
+- AWS EKS control plane is NOT free: there is a per-cluster hourly fee (~$0.10/hr at time of writing). This will incur charges beyond the Free Tier.
+- EC2 Free Tier covers t2.micro for 750 hours/month for 12 months for new accounts; node groups with larger instance types will incur costs.
+- IAM, EBS, NAT gateway, data transfer, and other resources may also add charges.
+
+If you need a fully free local Kubernetes experience, consider `kind` or `minikube` instead of EKS.

infra/eks-terraform/README.md

@@ -0,0 +1,51 @@
+This folder contains Terraform to create an AWS EKS cluster in `us-east-1`.
+
+Important: EKS is not fully covered by AWS Free Tier. The control plane and some data transfer and resource usage will incur charges. Read the notes in `NOTES.md` before running.
+
+Commands:
+
+```bash
+export AWS_PROFILE=your-profile
+cd infra/eks-terraform
+terraform init
+terraform plan -var="aws_region=us-east-1"
+terraform apply -var="aws_region=us-east-1"
+```
+
+Set `AWS_PROFILE` or appropriate environment variables for credentials.
+
+Default worker node instance type: `t3.large` (change with the `node_instance_type` variable).
+
+Remote state (S3) bootstrap
+ - You can create an S3 bucket + DynamoDB table to store remote state and enable locking using the `backend-bootstrap` helper in this folder.
+
+Steps:
+1. Create backend resources from the `backend-bootstrap` folder:
+
+From repository root:
+
+```bash
+cd infra/eks-terraform/backend-bootstrap
+terraform init
+terraform apply -var="aws_region=us-east-1" -var="create_dynamodb=false"
+```
+
+If you are already inside `infra/eks-terraform`:
+
+```bash
+cd backend-bootstrap
+terraform init
+terraform apply -var="aws_region=us-east-1" -var="create_dynamodb=false"
+```
+
+2. Note the outputs `bucket` and `dynamodb_table`.
+
+3. Initialize the main EKS terraform with those backend values:
+
+```bash
+cd ..
+terraform init -backend-config="bucket=YOUR_BUCKET_NAME" -backend-config="key=eks/terraform.tfstate" -backend-config="region=us-east-1" -backend-config="dynamodb_table=YOUR_DYNAMODB_TABLE"
+terraform plan -var="aws_region=us-east-1"
+```
+
+I cannot take control of your terminal. Run the commands above in your shell. Paste any errors here and I'll help fix them.

infra/eks-terraform/backend-bootstrap/.gitignore

@@ -0,0 +1,30 @@
+# Local Terraform directories
+.terraform/
+
+# Terraform state files
+*.tfstate
+*.tfstate.backup
+
+# Crash log files
+crash.log
+
+# CLI configuration files
+.terraformrc
+terraform.rc
+
+# Sensitive override files
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Sensitive variable files
+*.tfvars
+*.tfvars.json
+
+# Ignore generated plan files
+*.tfplan
+
+# Ignore AWS credential files if accidentally placed
+*.pem
+*.key

infra/eks-terraform/backend-bootstrap/README.md

@@ -0,0 +1,23 @@
+Bootstrap for remote state backend resources.
+
+Usage:
+
+```bash
+cd infra/eks-terraform/backend-bootstrap
+terraform init
+terraform apply -var="aws_region=us-east-1"
+
+# After apply note outputs `bucket` and `dynamodb_table`.
+```
+
+Use the printed `bucket` and optionally `dynamodb_table` values when initializing the main EKS terraform backend (see main README).
+
+If you do not have DynamoDB or want a Free Tier friendly setup, run the bootstrap with DynamoDB disabled (default):
+
+```bash
+cd infra/eks-terraform/backend-bootstrap
+terraform init
+terraform apply -var="aws_region=us-east-1" -var="create_dynamodb=false"
+```
+
+This will create only the S3 bucket. Without DynamoDB you will not have state locking; avoid running concurrent `terraform apply` operations.

infra/eks-terraform/backend-bootstrap/main.tf

@@ -0,0 +1,44 @@
+terraform {
+  required_version = ">= 1.0.0"
+}
+
+provider "aws" {
+  region = var.aws_region
+}
+
+resource "random_id" "suffix" {
+  byte_length = 4
+}
+
+resource "aws_s3_bucket" "tfstate" {
+  bucket = "tfstate-${var.project_name}-${random_id.suffix.hex}"
+  force_destroy = true
+  tags = {
+    Name = "tfstate-${var.project_name}"
+  }
+}
+
+resource "aws_s3_bucket_acl" "tfstate_acl" {
+  bucket = aws_s3_bucket.tfstate.id
+  acl    = "private"
+}
+
+resource "aws_dynamodb_table" "tf_locks" {
+  count        = var.create_dynamodb ? 1 : 0
+  name         = "tf-locks-${var.project_name}-${random_id.suffix.hex}"
+  billing_mode = "PAY_PER_REQUEST"
+  hash_key     = "LockID"
+  attribute {
+    name = "LockID"
+    type = "S"
+  }
+  tags = { Name = "tf-locks-${var.project_name}" }
+}
+
+output "bucket" {
+  value = aws_s3_bucket.tfstate.bucket
+}
+
+output "dynamodb_table" {
+  value = try(aws_dynamodb_table.tf_locks[0].name, "")
+}

infra/eks-terraform/backend-bootstrap/variables.tf

@@ -0,0 +1,15 @@
+variable "aws_region" {
+  type    = string
+  default = "us-east-1"
+}
+
+variable "project_name" {
+  type    = string
+  default = "java-on-aws-eks"
+}
+
+variable "create_dynamodb" {
+  description = "Whether to create a DynamoDB table for state locking. Set to false for Free Tier / no DynamoDB support."
+  type        = bool
+  default     = false
+}

infra/eks-terraform/backend.tf

@@ -0,0 +1,3 @@
+terraform {
+  backend "s3" {}
+}