# The AWS Load Balancer Controller (ingress) is added to this module through its Helm chart.
# Create an IAM policy for the ingress controller (remember: ingress has three parts; refer to the notes) so that it can create and manage AWS ALBs.
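# IAM policy granting the AWS Load Balancer Controller the permissions it needs
# to create and manage ALBs/NLBs. The policy document itself lives in
# awsLoadBalancerControllerIam.json next to this file.
resource "aws_iam_policy" "aws_lb_ingress_controller" {
  name        = "AWSLoadBalancerControllerIAMPolicy"
  description = "IAM policy for the AWS Load Balancer Controller"

  # Resolve the JSON document relative to this module directory. A bare
  # relative path in file() is resolved against the working directory that
  # terraform is run from, so it breaks as soon as this file is consumed
  # from a parent module or a different directory.
  policy = file("${path.module}/awsLoadBalancerControllerIam.json")
}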
# Who can assume this role: the service account named aws-load-balancer-controller in the kube-system namespace.
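# Trust policy for the controller's IAM role (IRSA): only the cluster's OIDC
# provider may assume it, and only on behalf of one specific service account.
data "aws_iam_policy_document" "aws_lb_ingress_controller_assume_role_policy" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    # The OIDC provider ARN and the condition keys below expect the bare issuer
    # host/path (oidc.eks.<region>.amazonaws.com/id/<ID>), whereas the EKS
    # module's cluster_oidc_issuer_url output carries its https:// scheme.
    # Strip the scheme; replace() is a no-op if it is already absent.
    principals {
      type        = "Federated"
      identifiers = ["arn:aws:iam::${var.AWS_ACCOUNT}:oidc-provider/${replace(module.eks.cluster_oidc_issuer_url, "https://", "")}"]
    }

    # Audience must be STS, otherwise any token issued by this provider for a
    # different consumer could be presented here.
    condition {
      test     = "StringEquals"
      variable = "${replace(module.eks.cluster_oidc_issuer_url, "https://", "")}:aud"
      values   = ["sts.amazonaws.com"]
    }

    # Pin the subject to exactly one service account (namespace + name).
    # Loosening this to StringLike with a wildcard name would let every
    # service account in kube-system assume the controller's role, so keep
    # the exact match unless there is a concrete reason not to.
    condition {
      test     = "StringEquals"
      variable = "${replace(module.eks.cluster_oidc_issuer_url, "https://", "")}:sub"
      values   = ["system:serviceaccount:kube-system:aws-load-balancer-controller"]
    }
  }
}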
# IAM role for the ingress controller to assume through its service account.
# The role the controller pods obtain via IRSA. Its trust relationship is the
# policy document defined above; permissions are attached separately.
resource "aws_iam_role" "aws_lb_ingress_controller_role" {
  path = "/"
  name = "AWSLoadBalancerControllerRole"

  # Who may assume this role (OIDC provider + pinned service account).
  assume_role_policy = data.aws_iam_policy_document.aws_lb_ingress_controller_assume_role_policy.json
}
# Attach the controller policy to the role.
# Bind the managed policy to the controller role so the assumed credentials
# actually carry the load-balancer permissions.
resource "aws_iam_role_policy_attachment" "aws_lb_ingress_controller_role_attachment" {
  policy_arn = aws_iam_policy.aws_lb_ingress_controller.arn
  role       = aws_iam_role.aws_lb_ingress_controller_role.name
}
# The role and policy above can also be created with this Terraform module:
#module "aws_load_balancer_controller_irsa_role" {
# source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
# version = "5.3.1"
#
# role_name = "aws-load-balancer-controller"
#
# attach_load_balancer_controller_policy = true
#
# oidc_providers = {
# ex = {
# provider_arn = module.eks.oidc_provider_arn
# namespace_service_accounts = ["kube-system:aws-load-balancer-controller"]
# }
# }
#}
# Service account the controller pods run as. It is created here (not by the
# Helm chart) so the IRSA role annotation is managed by Terraform alongside
# the IAM role it points at.
resource "kubernetes_service_account" "aws_load_balancer_service_account" {
  metadata {
    namespace = "kube-system"
    name      = "aws-load-balancer-controller"

    # The role-arn annotation is what the EKS pod identity webhook reads to
    # inject web-identity credentials for the role defined above.
    annotations = {
      "eks.amazonaws.com/role-arn" = aws_iam_role.aws_lb_ingress_controller_role.arn
    }

    labels = {
      "app.kubernetes.io/component" = "controller"
      "app.kubernetes.io/name"      = "aws-load-balancer-controller"
    }
  }
}
# Create a helm release
# Install the AWS Load Balancer Controller from the official eks-charts repo,
# wired to the pre-created service account so it picks up the IRSA role.
resource "helm_release" "aws_load_balancer_controller" {
  name        = "aws-load-balancer-controller"
  description = "Helm release for AWS load balancer controller"
  namespace   = "kube-system"

  repository = "https://aws.github.io/eks-charts"
  chart      = "aws-load-balancer-controller"
  # Chart version is pinned so upgrades are an explicit change in this file.
  version = "2.8.0"

  cleanup_on_fail = true

  # Cluster and network identity the controller needs to find its target VPC.
  set {
    name  = "clusterName"
    value = local.cluster_name
  }

  set {
    name  = "vpcId"
    value = aws_vpc.eks_vpc.id
  }

  # Reuse the Terraform-managed service account instead of letting the chart
  # create one, otherwise the role-arn annotation would be lost.
  set {
    name  = "serviceAccount.create"
    value = "false"
  }

  set {
    name  = "serviceAccount.name"
    value = "aws-load-balancer-controller"
  }

  # Only ingress resources with this class name are managed by this
  # controller; "alb" is also the chart default.
  set {
    name  = "ingressClass"
    value = "alb"
  }

  set {
    name  = "podDisruptionBudget.maxUnavailable"
    value = 1
  }

  # NOTE(review): per the chart's values documentation this grants the
  # controller get/list/watch on every Secret in the cluster (chart default is
  # false); it is only needed when ingress auth annotations reference Secrets.
  # Confirm that is required here, otherwise drop it to keep least privilege.
  set {
    name  = "clusterSecretsPermissions.allowAllSecrets"
    value = "true"
  }

  # The IAM permissions and the annotated service account must exist before
  # the controller pods start, or they come up without AWS credentials.
  depends_on = [
    aws_iam_role_policy_attachment.aws_lb_ingress_controller_role_attachment,
    kubernetes_service_account.aws_load_balancer_service_account
  ]
}
# TODO: create an Ingress resource in the services folder that holds all the rules for this load balancer.