DEV Community

Cover image for Build AWS Resources Platform using Crossplane | S3| VPC| EC2
AWS Community Builders profile image Ravindra Singh
Ravindra Singh for AWS Community Builders

Posted on • Updated on

Build AWS Resources Platform using Crossplane | S3| VPC| EC2

#crossplane #platform #aws #helm

Crossplane is an open source Kubernetes extension that transforms your Kubernetes cluster into a universal control plane.

Crossplane is to manage resources ,services and it allows you to create resources/services/infrastructure as you would in something like Terraform, except instead, you’d use a Kubernetes Manifest.

  • CNCF Project
  • Build Platform with Kubernetes Resources
  • Multi Cloud Control plane
  • It’s an alternative IAC tooling to Terraform , AWS CDK /Bicep or Pulumi

Advantages of Crossplane:

  • Drift Detection
  • No External Code Management
  • Infrastructure as a code

For example, you can use the Crossplane Operator within Kubernetes to create an S3 bucket in AWS from Kubernetes. Literally, you can write a Kubernetes Manifest that creates an AWS S3 bucket.

There are many providers, list here: https://marketplace.upbound.io/providers

Prerequisites

  • An actively supported Kubernetes version
  • Helm version v3.2.0 or later

Configuration:
Add the Crossplane repository with the helm repo add command.

helm repo add crossplane-stable https://charts.crossplane.io/stable
Enter fullscreen mode Exit fullscreen mode

Update the local Helm chart cache with helm repo update.

helm repo update
Enter fullscreen mode Exit fullscreen mode 
helm search repo crossplane
Enter fullscreen mode Exit fullscreen mode

View the changes Crossplane makes to your cluster with the

helm install --dry-run --debug options

Install the Crossplane Helm chart

helm install crossplane \
--namespace crossplane-system \
--create-namespace \
--version 1.13.2
crossplane-stable/crossplane
Enter fullscreen mode Exit fullscreen mode 
kubectl get pods -n crossplane-system
Enter fullscreen mode Exit fullscreen mode

check providers has been installed in the cluster

kubectl get crds  | grep crossplane.io
Enter fullscreen mode Exit fullscreen mode

AWS

Once Crossplane is installed, you can start going through the actual configuration of using it.

To use Crossplane, regardless of which Provider you’re using (Azure, AWS, GCP, etc.), you’ll need two key components:

The Provider itself:

Credentials for authentication with AWS provider,We need to create a kubernetes secret containing the AWS Credentials.

$cat ~/.aws/credentials
aws_access_key_id = AKIAW
aws_secret_access_key = 1sPsc8HUWtY3xlg
Enter fullscreen mode Exit fullscreen mode 
$kubectl create secret \
generic aws-secret \
-n crossplane-system \
--from-file=creds=./aws-credentials.txt
Enter fullscreen mode Exit fullscreen mode

In order to install the ProviderConfig you need to first install the Provider.

apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: provider-aws-s3
spec:
  package: xpkg.upbound.io/upbound/provider-aws-s3:v0.47.1
Enter fullscreen mode Exit fullscreen mode

Once the secret and provider is created refer that secret in ProviderConfigs

apiVersion: aws.upbound.io/v1beta1
kind: ProviderConfig
metadata:
  name: creds
spec:
  credentials:
    source: Secret
    secretRef:
      namespace: crossplane-system
      name: aws-secret
      key: creds
Enter fullscreen mode Exit fullscreen mode

To ensure that the provider was installed properly, run the following command.

kubectl get providers
kubectl get pods -n crossplane-system
kubectl get crds  | grep aws.upbound.io
Enter fullscreen mode Exit fullscreen mode

You’re now ready to use Crossplane. Below is a configuration to create an S3 bucket.

apiVersion: s3.aws.upbound.io/v1beta1
kind: Bucket
metadata:
  name: ravindra-crossplane
spec:
  forProvider:
    region: us-east-1
  providerConfigRef:
    name: default
Enter fullscreen mode Exit fullscreen mode

Below is a configuration to create VPC.

apiVersion: ec2.aws.upbound.io/v1beta1
kind: VPC
metadata:
  name: dev-vpc
spec:
  forProvider:
    region: us-east-1
    cidrBlock: 10.100.0.0/16
    enableDnsSupport: true
    enableDnsHostnames: true
    tags:
      ManagedBy: Crossplane
      Name: dev-vpc

---
apiVersion: ec2.aws.upbound.io/v1beta1
kind: EIP
metadata:
  name: dev-nat
spec:
  forProvider:
    region: us-east-1
    vpc: true
    tags:
      Name: dev-nat
---
apiVersion: ec2.aws.upbound.io/v1beta1
kind: NATGateway
metadata:
  name: dev-nat
spec:
  forProvider:
    connectivityType: public
    region: us-east-1
    allocationIdRef:
      name: dev-nat
    subnetIdSelector:
      matchLabels:
        name: dev-public-us-east-1a
    tags:
      Name: dev-nat
---
apiVersion: ec2.aws.upbound.io/v1beta1
kind: InternetGateway
metadata:
  name: dev-igw
spec:
  forProvider:
    region: us-east-1
    tags:
      Name: dev-igw
      ManagedBy: Crossplane
    vpcIdRef:
      name: dev-vpc
---
apiVersion: ec2.aws.upbound.io/v1beta1
kind: Subnet
metadata:
  name: dev-private-us-east-1a
  labels:
    name: dev-private-us-east-1a
spec:
  forProvider:
    availabilityZone: us-east-1a
    cidrBlock: 10.100.1.0/24
    region: us-east-1
    tags:
      Name: dev-private-us-east-1a
      ManagedBy: Crossplane
    vpcIdRef:
      name: dev-vpc
---
apiVersion: ec2.aws.upbound.io/v1beta1
kind: Subnet
metadata:
  name: dev-private-us-east-1b
  labels:
    name: dev-private-us-east-1b
spec:
  forProvider:
    availabilityZone: us-east-1b
    cidrBlock: 10.100.2.0/24
    region: us-east-1
    tags:
      Name: dev-private-us-east-1b
      ManagedBy: Crossplane
    vpcIdRef:
      name: dev-vpc
---
apiVersion: ec2.aws.upbound.io/v1beta1
kind: Subnet
metadata:
  name: dev-public-us-east-1a
  labels:
    name: dev-public-us-east-1a
spec:
  forProvider:
    availabilityZone: us-east-1a
    cidrBlock: 10.100.3.0/24
    region: us-east-1
    tags:
      Name: dev-public-us-east-1a
      ManagedBy: Crossplane 
    vpcIdRef:
      name: dev-vpc
---
apiVersion: ec2.aws.upbound.io/v1beta1
kind: Subnet
metadata:
  name: dev-public-us-east-1b
  labels:
    name: dev-public-us-east-1b
spec:
  forProvider:
    availabilityZone: us-east-1b
    cidrBlock: 10.100.4.0/24
    region: us-east-1
    tags:
      Name: dev-public-us-east-1b
      ManagedBy: Crossplane 
    vpcIdRef:
      name: dev-vpc
---
apiVersion: ec2.aws.upbound.io/v1beta1
kind: RouteTable
metadata:
  name: dev-private
spec:
  forProvider:
    region: us-east-1
    tags:
      Name: dev-private
    vpcIdRef:
      name: dev-vpc
---
apiVersion: ec2.aws.upbound.io/v1beta1
kind: Route
metadata:
  name: dev-private
spec:
  forProvider:
    destinationCidrBlock: 0.0.0.0/0
    natGatewayIdRef:
      name: dev-nat
    region: us-east-1
    routeTableIdRef:
      name: dev-private
---
apiVersion: ec2.aws.upbound.io/v1beta1
kind: RouteTable
metadata:
  name: dev-public
spec:
  forProvider:
    region: us-east-1
    tags:
      Name: dev-public
    vpcIdRef:
      name: dev-vpc
---
apiVersion: ec2.aws.upbound.io/v1beta1
kind: Route
metadata:
  name: dev-public
spec:
  forProvider:
    destinationCidrBlock: 0.0.0.0/0
    gatewayIdRef:
      name: dev-igw
    region: us-east-1
    routeTableIdRef:
      name: dev-public
---
apiVersion: ec2.aws.upbound.io/v1beta1
kind: RouteTableAssociation
metadata:
  name: dev-private-us-east-1a
spec:
  forProvider:
    region: us-east-1
    routeTableIdRef:
      name: dev-private
    subnetIdRef:
      name: dev-private-us-east-1a
---
apiVersion: ec2.aws.upbound.io/v1beta1
kind: RouteTableAssociation
metadata:
  name: dev-private-us-east-1b
spec:
  forProvider:
    region: us-east-1
    routeTableIdRef:
      name: dev-private
    subnetIdRef:
      name: dev-private-us-east-1b
---
apiVersion: ec2.aws.upbound.io/v1beta1
kind: RouteTableAssociation
metadata:
  name: dev-public-us-east-1a
spec:
  forProvider:
    region: us-east-1
    routeTableIdRef:
      name: dev-public
    subnetIdRef:
      name: dev-public-us-east-1a
---
apiVersion: ec2.aws.upbound.io/v1beta1
kind: RouteTableAssociation
metadata:
  name: dev-public-us-east-1b
spec:
  forProvider:
    region: us-east-1
    routeTableIdRef:
      name: dev-public
    subnetIdRef:
      name: dev-public-us-east-1b
Enter fullscreen mode Exit fullscreen mode

Below is a configuration to create an EC2.

apiVersion: ec2.aws.upbound.io/v1beta1
kind: Instance
metadata:
  name: crossplane-instance
spec:
  forProvider:
    region: us-east-1
    ami: ami-0a3c3a20c09d6f377
    instanceType: t2.micro
    keyName: crossplane-key
    subnetId: subnet-08653b62be4f06e9d
    associatePublicIpAddress: true
    vpcSecurityGroupIdRefs:
      - name: crossplane-sg
    tags:
      ManagedBy: Crossplane
      Name: dev-instance
  providerConfigRef:
    name: default

---
apiVersion: ec2.aws.upbound.io/v1beta1
kind: SecurityGroup
metadata:
  name: crossplane-sg
spec:
  forProvider:
    description: Allow TLS inbound traffic
    name: allow_rules
    region: us-east-1
    tags:
      Name: allow_rules
      ManagedBy: Crossplane
    vpcIdRef:
      name: dev-vpc
---

apiVersion: ec2.aws.upbound.io/v1beta1
kind: SecurityGroupRule
metadata:
  name: crossplane-sg
spec:
  forProvider:
    cidrBlocks:
      - 0.0.0.0/0
    fromPort: 0
    protocol: tcp
    region: us-east-1
    securityGroupIdRef:
      name: crossplane-sg
    toPort: 65535
    type: ingress
Enter fullscreen mode Exit fullscreen mode

If you prefer a video tutorial to help guide you through the process of Build AWS Resources Platform using Crossplane

References:

Top comments (1)

Collapse
 
ravindras profile image
Ravindra Singh

Full Image
Image description

Read next

moraym profile image

Using AWS IAM roles with Node SDKv3

Moray Macdonald -

fady_nabil10 profile image

Unlocking the Power of AWS Console to Code: A Game-Changer for DevOps and Infrastructure as code (IaC)

Fady Nabil -

seifrajhi profile image

Simplify AWS resource access with EKS Pod Identity Agent and Python SDK

saifeddine Rajhi -

mkdotam profile image

EC2 instance deployment unification across AWS Organizations

mikayel ghazaryan -