From fe1bed6f6fc379d5c678893f33c1d3cc0e3bfd5a Mon Sep 17 00:00:00 2001 From: maxim Date: Thu, 4 Nov 2021 17:30:35 +0600 Subject: [PATCH 1/2] enh: do not use terraform modules for deploying aws-load-balancer-controller --- .../eks-aws-loadbalancer-controller.tf | 248 +++++++++++++++++- terraform/layer2-k8s/helm-charts.yaml | 4 +- .../alb-ingress-controller-values.yaml | 5 - terraform/layer2-k8s/variables.tf | 2 +- .../eks-aws-loadbalancer-controller/README.md | 33 --- .../eks-aws-loadbalancer-controller/locals.tf | 11 - .../eks-aws-loadbalancer-controller/main.tf | 226 ---------------- .../variables.tf | 73 ------ 8 files changed, 244 insertions(+), 358 deletions(-) rename terraform/{modules/eks-aws-loadbalancer-controller => layer2-k8s}/templates/alb-ingress-controller-values.yaml (86%) delete mode 100644 terraform/modules/eks-aws-loadbalancer-controller/README.md delete mode 100644 terraform/modules/eks-aws-loadbalancer-controller/locals.tf delete mode 100644 terraform/modules/eks-aws-loadbalancer-controller/main.tf delete mode 100644 terraform/modules/eks-aws-loadbalancer-controller/variables.tf diff --git a/terraform/layer2-k8s/eks-aws-loadbalancer-controller.tf b/terraform/layer2-k8s/eks-aws-loadbalancer-controller.tf index a359551f..68d4c987 100644 --- a/terraform/layer2-k8s/eks-aws-loadbalancer-controller.tf +++ b/terraform/layer2-k8s/eks-aws-loadbalancer-controller.tf 
@@ -1,12 +1,246 @@ +locals { + aws-load-balancer-controller = { + chart = local.helm_charts[index(local.helm_charts.*.id, "aws-load-balancer-controller")].chart + repository = lookup(local.helm_charts[index(local.helm_charts.*.id, "aws-load-balancer-controller")], "repository", null) + chart_version = lookup(local.helm_charts[index(local.helm_charts.*.id, "aws-load-balancer-controller")], "version", null) + } + alb_ingress_controller = templatefile("${path.module}/templates/alb-ingress-controller-values.yaml", + { + role_arn = var.aws_loadbalancer_controller_enable ? module.aws_iam_aws_loadbalancer_controller[0].role_arn : "", + region = local.region, + cluster_name = local.eks_cluster_id, + vpc_id = local.vpc_id + }) +} + +resource "helm_release" "aws_loadbalancer_controller" { + count = var.aws_loadbalancer_controller_enable ? 1 : 0 + + name = "aws-load-balancer-controller" + chart = local.aws-load-balancer-controller.chart + repository = local.aws-load-balancer-controller.repository + version = local.aws-load-balancer-controller.chart_version + namespace = module.ing_namespace.name + max_history = var.helm_release_history_size + + values = [ + local.alb_ingress_controller + ] +} + #tfsec:ignore:aws-iam-no-policy-wildcards -module "eks_alb_ingress" { - source = "../modules/eks-aws-loadbalancer-controller" - count = var.aws_loadbalancer_controller_enable ? 1 : 0 +module "aws_iam_aws_loadbalancer_controller" { + count = var.aws_loadbalancer_controller_enable ? 
1 : 0 - name = local.name + source = "../modules/aws-iam-eks-trusted" + name = "${local.name}-alb-ingress" region = local.region oidc_provider_arn = local.eks_oidc_provider_arn - eks_cluster_id = local.eks_cluster_id - vpc_id = local.vpc_id - namespace = module.ing_namespace.name + policy = jsonencode({ + "Version" : "2012-10-17", + "Statement" : [ + { + "Effect" : "Allow", + "Action" : [ + "iam:CreateServiceLinkedRole", + "ec2:DescribeAccountAttributes", + "ec2:DescribeAddresses", + "ec2:DescribeAvailabilityZones", + "ec2:DescribeInternetGateways", + "ec2:DescribeVpcs", + "ec2:DescribeSubnets", + "ec2:DescribeSecurityGroups", + "ec2:DescribeInstances", + "ec2:DescribeNetworkInterfaces", + "ec2:DescribeTags", + "ec2:GetCoipPoolUsage", + "ec2:DescribeCoipPools", + "elasticloadbalancing:DescribeLoadBalancers", + "elasticloadbalancing:DescribeLoadBalancerAttributes", + "elasticloadbalancing:DescribeListeners", + "elasticloadbalancing:DescribeListenerCertificates", + "elasticloadbalancing:DescribeSSLPolicies", + "elasticloadbalancing:DescribeRules", + "elasticloadbalancing:DescribeTargetGroups", + "elasticloadbalancing:DescribeTargetGroupAttributes", + "elasticloadbalancing:DescribeTargetHealth", + "elasticloadbalancing:DescribeTags" + ], + "Resource" : "*" + }, + { + "Effect" : "Allow", + "Action" : [ + "cognito-idp:DescribeUserPoolClient", + "acm:ListCertificates", + "acm:DescribeCertificate", + "iam:ListServerCertificates", + "iam:GetServerCertificate", + "waf-regional:GetWebACL", + "waf-regional:GetWebACLForResource", + "waf-regional:AssociateWebACL", + "waf-regional:DisassociateWebACL", + "wafv2:GetWebACL", + "wafv2:GetWebACLForResource", + "wafv2:AssociateWebACL", + "wafv2:DisassociateWebACL", + "shield:GetSubscriptionState", + "shield:DescribeProtection", + "shield:CreateProtection", + "shield:DeleteProtection" + ], + "Resource" : "*" + }, + { + "Effect" : "Allow", + "Action" : [ + "ec2:AuthorizeSecurityGroupIngress", + "ec2:RevokeSecurityGroupIngress" + ], + 
"Resource" : "*" + }, + { + "Effect" : "Allow", + "Action" : [ + "ec2:CreateSecurityGroup" + ], + "Resource" : "*" + }, + { + "Effect" : "Allow", + "Action" : [ + "ec2:CreateTags" + ], + "Resource" : "arn:aws:ec2:*:*:security-group/*", + "Condition" : { + "StringEquals" : { + "ec2:CreateAction" : "CreateSecurityGroup" + }, + "Null" : { + "aws:RequestTag/elbv2.k8s.aws/cluster" : "false" + } + } + }, + { + "Effect" : "Allow", + "Action" : [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Resource" : "arn:aws:ec2:*:*:security-group/*", + "Condition" : { + "Null" : { + "aws:RequestTag/elbv2.k8s.aws/cluster" : "true", + "aws:ResourceTag/elbv2.k8s.aws/cluster" : "false" + } + } + }, + { + "Effect" : "Allow", + "Action" : [ + "ec2:AuthorizeSecurityGroupIngress", + "ec2:RevokeSecurityGroupIngress", + "ec2:DeleteSecurityGroup" + ], + "Resource" : "*", + "Condition" : { + "Null" : { + "aws:ResourceTag/elbv2.k8s.aws/cluster" : "false" + } + } + }, + { + "Effect" : "Allow", + "Action" : [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateTargetGroup" + ], + "Resource" : "*", + "Condition" : { + "Null" : { + "aws:RequestTag/elbv2.k8s.aws/cluster" : "false" + } + } + }, + { + "Effect" : "Allow", + "Action" : [ + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:DeleteListener", + "elasticloadbalancing:CreateRule", + "elasticloadbalancing:DeleteRule" + ], + "Resource" : "*" + }, + { + "Effect" : "Allow", + "Action" : [ + "elasticloadbalancing:AddTags", + "elasticloadbalancing:RemoveTags" + ], + "Resource" : [ + "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*", + "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*", + "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*" + ], + "Condition" : { + "Null" : { + "aws:RequestTag/elbv2.k8s.aws/cluster" : "true", + "aws:ResourceTag/elbv2.k8s.aws/cluster" : "false" + } + } + }, + { + "Effect" : "Allow", + "Action" : [ + "elasticloadbalancing:AddTags", + "elasticloadbalancing:RemoveTags" + ], + 
"Resource" : [ + "arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*", + "arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*", + "arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*", + "arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*" + ] + }, + { + "Effect" : "Allow", + "Action" : [ + "elasticloadbalancing:ModifyLoadBalancerAttributes", + "elasticloadbalancing:SetIpAddressType", + "elasticloadbalancing:SetSecurityGroups", + "elasticloadbalancing:SetSubnets", + "elasticloadbalancing:DeleteLoadBalancer", + "elasticloadbalancing:ModifyTargetGroup", + "elasticloadbalancing:ModifyTargetGroupAttributes", + "elasticloadbalancing:DeleteTargetGroup" + ], + "Resource" : "*", + "Condition" : { + "Null" : { + "aws:ResourceTag/elbv2.k8s.aws/cluster" : "false" + } + } + }, + { + "Effect" : "Allow", + "Action" : [ + "elasticloadbalancing:RegisterTargets", + "elasticloadbalancing:DeregisterTargets" + ], + "Resource" : "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*" + }, + { + "Effect" : "Allow", + "Action" : [ + "elasticloadbalancing:SetWebAcl", + "elasticloadbalancing:ModifyListener", + "elasticloadbalancing:AddListenerCertificates", + "elasticloadbalancing:RemoveListenerCertificates", + "elasticloadbalancing:ModifyRule" + ], + "Resource" : "*" + } + ] + }) } diff --git a/terraform/layer2-k8s/helm-charts.yaml b/terraform/layer2-k8s/helm-charts.yaml index ef9f935b..c4c80d9f 100644 --- a/terraform/layer2-k8s/helm-charts.yaml +++ b/terraform/layer2-k8s/helm-charts.yaml @@ -1,6 +1,6 @@ charts: - - id: aws-loadbalancer-controller - chart: aws-loadbalancer-controller + - id: aws-load-balancer-controller + chart: aws-load-balancer-controller repository: https://aws.github.io/eks-charts version: 1.2.6 - id: aws-node-termination-handler 
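Review bot: `iam:CreateServiceLinkedRole` sits in the first statement of `module "aws_iam_aws_loadbalancer_controller"` on `"Resource" : "*"` with no condition, so the controller's IRSA role can create a service-linked role for any AWS service instead of only the `elasticloadbalancing` one it needs; moving it into its own statement guarded by `"Condition" : { "StringEquals" : { "iam:AWSServiceName" : "elasticloadbalancing.amazonaws.com" } }` scopes it down (newer upstream controller policies use that shape — worth confirming against the policy version that matches chart 1.2.6). The unconditioned `ec2:AuthorizeSecurityGroupIngress`/`ec2:RevokeSecurityGroupIngress` statement likewise reaches every security group in the account rather than only the `elbv2.k8s.aws/cluster`-tagged ones, presumably because the controller must add rules to the node security group; that is the grant the `#tfsec:ignore:aws-iam-no-policy-wildcards` pragma is really silencing, and a comment such as `# unconditioned SG ingress grant is needed for the node SG; all other mutating actions are tag-scoped` would stop the next reader from widening the rest. Separately, `chart_version = lookup(..., "version", null)` degrades to an unpinned latest-chart install if the `version` key is ever dropped from helm-charts.yaml; consider treating that key as required.
```hcl
        # … unchanged: Describe* statement, with "iam:CreateServiceLinkedRole" removed from its Action list …
        {
          "Effect" : "Allow",
          "Action" : ["iam:CreateServiceLinkedRole"],
          "Resource" : "*",
          "Condition" : {
            "StringEquals" : {
              "iam:AWSServiceName" : "elasticloadbalancing.amazonaws.com"
            }
          }
        },
        # … unchanged: remaining statements …
```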
diff --git a/terraform/modules/eks-aws-loadbalancer-controller/templates/alb-ingress-controller-values.yaml b/terraform/layer2-k8s/templates/alb-ingress-controller-values.yaml similarity index 86% rename from terraform/modules/eks-aws-loadbalancer-controller/templates/alb-ingress-controller-values.yaml rename to terraform/layer2-k8s/templates/alb-ingress-controller-values.yaml index c0f75d02..555151fd 100644 --- a/terraform/modules/eks-aws-loadbalancer-controller/templates/alb-ingress-controller-values.yaml +++ b/terraform/layer2-k8s/templates/alb-ingress-controller-values.yaml @@ -1,5 +1,3 @@ -replicaCount: ${replica_count} - clusterName: ${cluster_name} region: ${region} @@ -10,9 +8,6 @@ serviceAccount: annotations: "eks.amazonaws.com/role-arn": ${role_arn} -image: - tag: ${image_tag} - affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: diff --git a/terraform/layer2-k8s/variables.tf b/terraform/layer2-k8s/variables.tf index 979c64ce..8be805e9 100644 --- a/terraform/layer2-k8s/variables.tf +++ b/terraform/layer2-k8s/variables.tf @@ -41,7 +41,7 @@ variable "nginx_ingress_ssl_terminator" { # ALB Ingress variable "aws_loadbalancer_controller_enable" { - description = "Disable or Enable aws-loadbalancer-controller" + description = "Disable or Enable aws-loadbalancer-controller. You have to enable it if you want to use Fargate" type = bool default = false } diff --git a/terraform/modules/eks-aws-loadbalancer-controller/README.md b/terraform/modules/eks-aws-loadbalancer-controller/README.md deleted file mode 100644 index 00674e70..00000000 --- a/terraform/modules/eks-aws-loadbalancer-controller/README.md +++ /dev/null 
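Review bot: With `replicaCount` and `image.tag` removed from alb-ingress-controller-values.yaml, the controller's replica count and container image now come from whatever chart 1.2.6 defaults to, so the only remaining pin is the `version` entry in helm-charts.yaml. Whether that default is a single replica cannot be confirmed from this hunk, but if it is, the controller becomes a single point of failure for every ALB/NLB reconcile, which is a change in posture the commit message does not mention. A header comment in the values file would make the intent explicit, e.g. `# replicaCount and image.tag intentionally follow the chart defaults; the chart version is pinned in helm-charts.yaml`. The rest of the values file (the `affinity` block and anything after it) continues outside the hunk.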
@@ -1,33 +0,0 @@ -## Requirements - -No requirements. - -## Providers - -| Name | Version | -|------|---------| -| helm | n/a | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| chart\_name | Helm Chart name | `string` | `"aws-load-balancer-controller"` | no | -| chart\_version | Chart version repository name | `string` | `"1.2.6"` | no | -| eks\_cluster\_id | EKC identity cluster | `string` | `""` | no | -| image\_tag | chart version alb ingress | `string` | `"v2.2.3"` | no | -| max\_history | How much helm releases to store | `number` | `"5"` | no | -| name | Project name, required to create unique resource names | `string` | `""` | no | -| namespace | Name of kubernetes namespace for alb\_ingres | `string` | `""` | no | -| oidc\_provider\_arn | ARN of EKS oidc provider | `string` | `""` | no | -| region | eks infrastructure region | `string` | `""` | no | -| release\_name | Helm Release name | `string` | `"aws-load-balancer-controller"` | no | -| replica\_count | Default number of replicas | `number` | `1` | no | -| repository | Repository name for eks | `string` | `"https://aws.github.io/eks-charts"` | no | -| values | helm chat template file | `map(any)` | `{}` | no | -| vpc\_id | EKS cluster vps identity | `string` | `""` | no | - -## Outputs - -No output. - diff --git a/terraform/modules/eks-aws-loadbalancer-controller/locals.tf b/terraform/modules/eks-aws-loadbalancer-controller/locals.tf deleted file mode 100644 index 51d33790..00000000 --- a/terraform/modules/eks-aws-loadbalancer-controller/locals.tf +++ /dev/null @@ -1,11 +0,0 @@ -locals { - alb_ingress_controller = templatefile("${path.module}/templates/alb-ingress-controller-values.yaml", - { - role_arn = module.aws_iam_aws_loadbalancer_controller.role_arn, - region = var.region, - cluster_name = var.eks_cluster_id, - vpc_id = var.vpc_id, - image_tag = var.image_tag, - replica_count = var.replica_count, - }) -} 
diff --git a/terraform/modules/eks-aws-loadbalancer-controller/main.tf b/terraform/modules/eks-aws-loadbalancer-controller/main.tf deleted file mode 100644 index f5485ea8..00000000 --- a/terraform/modules/eks-aws-loadbalancer-controller/main.tf +++ /dev/null 
@@ -1,226 +0,0 @@ -resource "helm_release" "aws_loadbalancer_controller" { - name = var.release_name - chart = var.chart_name - repository = var.repository - version = var.chart_version - namespace = var.namespace - create_namespace = true - max_history = var.max_history - values = [ - local.alb_ingress_controller - ] -} - -module "aws_iam_aws_loadbalancer_controller" { - source = "../aws-iam-eks-trusted" - name = "${var.name}-alb-ingress" - region = var.region - oidc_provider_arn = var.oidc_provider_arn - policy = jsonencode({ - "Version" : "2012-10-17", - "Statement" : [ - { - "Effect" : "Allow", - "Action" : [ - "iam:CreateServiceLinkedRole", - "ec2:DescribeAccountAttributes", - "ec2:DescribeAddresses", - "ec2:DescribeAvailabilityZones", - "ec2:DescribeInternetGateways", - "ec2:DescribeVpcs", - "ec2:DescribeSubnets", - "ec2:DescribeSecurityGroups", - "ec2:DescribeInstances", - "ec2:DescribeNetworkInterfaces", - "ec2:DescribeTags", - "ec2:GetCoipPoolUsage", - "ec2:DescribeCoipPools", - "elasticloadbalancing:DescribeLoadBalancers", - "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DescribeListeners", - "elasticloadbalancing:DescribeListenerCertificates", - "elasticloadbalancing:DescribeSSLPolicies", - "elasticloadbalancing:DescribeRules", - "elasticloadbalancing:DescribeTargetGroups", - "elasticloadbalancing:DescribeTargetGroupAttributes", - "elasticloadbalancing:DescribeTargetHealth", - "elasticloadbalancing:DescribeTags" - ], - "Resource" : "*" - }, - { - "Effect" : "Allow", - "Action" : [ - "cognito-idp:DescribeUserPoolClient", - "acm:ListCertificates", - "acm:DescribeCertificate", - "iam:ListServerCertificates", - "iam:GetServerCertificate", - "waf-regional:GetWebACL", - "waf-regional:GetWebACLForResource", - "waf-regional:AssociateWebACL", - "waf-regional:DisassociateWebACL", - "wafv2:GetWebACL", - "wafv2:GetWebACLForResource", - "wafv2:AssociateWebACL", - "wafv2:DisassociateWebACL", - "shield:GetSubscriptionState", - 
"shield:DescribeProtection", - "shield:CreateProtection", - "shield:DeleteProtection" - ], - "Resource" : "*" - }, - { - "Effect" : "Allow", - "Action" : [ - "ec2:AuthorizeSecurityGroupIngress", - "ec2:RevokeSecurityGroupIngress" - ], - "Resource" : "*" - }, - { - "Effect" : "Allow", - "Action" : [ - "ec2:CreateSecurityGroup" - ], - "Resource" : "*" - }, - { - "Effect" : "Allow", - "Action" : [ - "ec2:CreateTags" - ], - "Resource" : "arn:aws:ec2:*:*:security-group/*", - "Condition" : { - "StringEquals" : { - "ec2:CreateAction" : "CreateSecurityGroup" - }, - "Null" : { - "aws:RequestTag/elbv2.k8s.aws/cluster" : "false" - } - } - }, - { - "Effect" : "Allow", - "Action" : [ - "ec2:CreateTags", - "ec2:DeleteTags" - ], - "Resource" : "arn:aws:ec2:*:*:security-group/*", - "Condition" : { - "Null" : { - "aws:RequestTag/elbv2.k8s.aws/cluster" : "true", - "aws:ResourceTag/elbv2.k8s.aws/cluster" : "false" - } - } - }, - { - "Effect" : "Allow", - "Action" : [ - "ec2:AuthorizeSecurityGroupIngress", - "ec2:RevokeSecurityGroupIngress", - "ec2:DeleteSecurityGroup" - ], - "Resource" : "*", - "Condition" : { - "Null" : { - "aws:ResourceTag/elbv2.k8s.aws/cluster" : "false" - } - } - }, - { - "Effect" : "Allow", - "Action" : [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateTargetGroup" - ], - "Resource" : "*", - "Condition" : { - "Null" : { - "aws:RequestTag/elbv2.k8s.aws/cluster" : "false" - } - } - }, - { - "Effect" : "Allow", - "Action" : [ - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:CreateRule", - "elasticloadbalancing:DeleteRule" - ], - "Resource" : "*" - }, - { - "Effect" : "Allow", - "Action" : [ - "elasticloadbalancing:AddTags", - "elasticloadbalancing:RemoveTags" - ], - "Resource" : [ - "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*", - "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*", - "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*" - ], - "Condition" : { - "Null" : 
{ - "aws:RequestTag/elbv2.k8s.aws/cluster" : "true", - "aws:ResourceTag/elbv2.k8s.aws/cluster" : "false" - } - } - }, - { - "Effect" : "Allow", - "Action" : [ - "elasticloadbalancing:AddTags", - "elasticloadbalancing:RemoveTags" - ], - "Resource" : [ - "arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*", - "arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*", - "arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*", - "arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*" - ] - }, - { - "Effect" : "Allow", - "Action" : [ - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:SetIpAddressType", - "elasticloadbalancing:SetSecurityGroups", - "elasticloadbalancing:SetSubnets", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:ModifyTargetGroup", - "elasticloadbalancing:ModifyTargetGroupAttributes", - "elasticloadbalancing:DeleteTargetGroup" - ], - "Resource" : "*", - "Condition" : { - "Null" : { - "aws:ResourceTag/elbv2.k8s.aws/cluster" : "false" - } - } - }, - { - "Effect" : "Allow", - "Action" : [ - "elasticloadbalancing:RegisterTargets", - "elasticloadbalancing:DeregisterTargets" - ], - "Resource" : "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*" - }, - { - "Effect" : "Allow", - "Action" : [ - "elasticloadbalancing:SetWebAcl", - "elasticloadbalancing:ModifyListener", - "elasticloadbalancing:AddListenerCertificates", - "elasticloadbalancing:RemoveListenerCertificates", - "elasticloadbalancing:ModifyRule" - ], - "Resource" : "*" - } - ] - }) -} diff --git a/terraform/modules/eks-aws-loadbalancer-controller/variables.tf b/terraform/modules/eks-aws-loadbalancer-controller/variables.tf deleted file mode 100644 index de8f1e3f..00000000 --- a/terraform/modules/eks-aws-loadbalancer-controller/variables.tf +++ /dev/null 
@@ -1,73 +0,0 @@ -variable "name" { - description = "Project name, required to create unique resource names" - type = string - default = "" -} -variable "region" { - description = "eks infrastructure region" - type = string - default = "" -} -variable "oidc_provider_arn" { - description = "ARN of EKS oidc provider" - type = string - default = "" -} -variable "release_name" { - description = "Helm Release name" - type = string - default = "aws-load-balancer-controller" -} -variable "chart_name" { - description = "Helm Chart name" - type = string - default = "aws-load-balancer-controller" -} -variable "repository" { - description = "Repository name for eks" - type = string - default = "https://aws.github.io/eks-charts" -} -variable "chart_version" { - description = "Chart version repository name" - type = string - default = "1.2.6" -} -variable "namespace" { - description = "Name of kubernetes namespace for alb_ingres" - type = string - default = "" -} -variable "max_history" { - description = "How much helm releases to store" - type = number - default = "5" -} - -variable "values" { - description = "helm chat template file" - type = map(any) - default = {} -} -variable "eks_cluster_id" { - description = "EKC identity cluster" - type = string - default = "" -} - -variable "vpc_id" { - description = "EKS cluster vps identity" - type = string - default = "" -} -variable "image_tag" { - description = "chart version alb ingress" - type = string - default = "v2.2.3" -} - -variable "replica_count" { - description = "Default number of replicas" - type = number - default = 1 -} From c3a51dff8c2da7639ad762a6abc9787b75af21ce Mon Sep 17 00:00:00 2001 From: Andrew S Date: Thu, 4 Nov 2021 18:37:32 +0600 Subject: [PATCH 2/2] enh: edited variable description #139 --- terraform/layer2-k8s/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/layer2-k8s/variables.tf b/terraform/layer2-k8s/variables.tf index 8be805e9..5a880a44 100644 
--- a/terraform/layer2-k8s/variables.tf +++ b/terraform/layer2-k8s/variables.tf @@ -41,7 +41,7 @@ variable "nginx_ingress_ssl_terminator" { # ALB Ingress variable "aws_loadbalancer_controller_enable" { - description = "Disable or Enable aws-loadbalancer-controller. You have to enable it if you want to use Fargate" + description = "Disable or Enable aws-loadbalancer-controller. You need to enable it if you want to use Fargate" type = bool default = false }