cloudposse-terraform-components
diff --git a/‎.github/settings.yml‎
Lines changed: 2 additions & 6 deletions b/‎.github/settings.yml‎
Lines changed: 2 additions & 6 deletions
diff --git a/‎CHANGELOG.md‎
Lines changed: 35 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 35 additions & 0 deletions
diff --git a/‎README.yaml‎
Lines changed: 177 additions & 49 deletions b/‎README.yaml‎
Lines changed: 177 additions & 49 deletions
diff --git a/‎src/distributed-iam-policy.tf‎
Lines changed: 264 additions & 0 deletions b/‎src/distributed-iam-policy.tf‎
Lines changed: 264 additions & 0 deletions
diff --git a/‎src/main.tf‎
Lines changed: 64 additions & 3 deletions b/‎src/main.tf‎
Lines changed: 64 additions & 3 deletions
diff --git a/‎src/outputs.tf‎
Lines changed: 3 additions & 3 deletions b/‎src/outputs.tf‎
Lines changed: 3 additions & 3 deletions
@@ -1,11 +1,7 @@
 # Upstream changes from _extends are only recognized when modifications are made to this file in the default branch.
 _extends: .github
 repository:
-  name: template
-  description: Template for Terraform Components
+  name: aws-eks-alb-controller-controller
+  description: This component creates a Helm release for [alb-controller](https://github
   homepage: https://cloudposse.com/accelerate
   topics: terraform, terraform-component
-
-
-
-
@@ -0,0 +1,35 @@
+## Release 1.466.0
+
+PR [#1070](https://github.com/cloudposse/terraform-aws-components/pull/1070)
+
+Change default for `default_ingress_ip_address_type` from `dualstack` to `ipv4`. When `dualstack` is configured, the
+Ingress will fail if the VPC does not have an IPv6 CIDR block, which is still a common case. When `ipv4` is configured,
+the Ingress will work with only an IPv4 CIDR block, and simply will not use IPv6 if it exists. This makes `ipv4` the
+more conservative default.
+
+## Release 1.432.0
+
+Better support for Kubeconfig authentication
+
+## Release 1.289.1
+
+PR [#821](https://github.com/cloudposse/terraform-aws-components/pull/821)
+
+### Update IAM Policy and Change How it is Managed
+
+The ALB controller needs a lot of permissions and has a complex IAM policy. For this reason, the project releases a
+complete JSON policy document that is updated as needed.
+
+In this release:
+
+1. We have updated the policy to the one distributed with version 2.6.0 of the ALB controller. This fixes an issue where
+   the controller was not able to create the service-linked role for the Elastic Load Balancing service.
+2. To ease maintenance, we have moved the policy document to a separate file, `distributed-iam-policy.tf` and made it
+   easy to update or override.
+
+#### Gov Cloud and China Regions
+
+Actually, the project releases 3 policy documents, one for each of the three AWS partitions: `aws`, `aws-cn`, and
+`aws-us-gov`. For simplicity, this module only uses the `aws` partition policy. If you are in another partition, you can
+create a `distributed-iam-policy_override.tf` file in your directory and override the
+`overridable_distributed_iam_policy` local variable with the policy document for your partition.
@@ -0,0 +1,264 @@
+
+# The kubernetes-sigs/aws-load-balancer-controller/ project distributes the
+# AWS IAM policy that is required for the AWS Load Balancer Controller as a JSON
+# download at https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v<VERSION>/docs/install/iam_policy.json
+# See https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.6/deploy/installation/#option-a-recommended-iam-roles-for-service-accounts-irsa for details.
+
+# We could directly use the URL to download and install the policy at runtime,
+# via the cloudposse/helm-release/aws module's ` iam_source_json_url` input,
+# but that lacks transparency and auditability. It also does not give us a chance
+# to make changes in response to bugs, such as
+# https://github.com/kubernetes-sigs/aws-load-balancer-controller/issues/2692#issuecomment-1426242236
+#
+# So we download the policy and insert it here as a local variable.
+
+locals {
+  # To update, just replace everything between the two "EOT"s with the contents of the downloaded JSON file.
+  # Below is the policy as of version 2.6.0, downloaded from
+  # https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.6.0/docs/install/iam_policy.json
+  # This policy is for the `aws` partition. Override overridable_distributed_iam_policy for other partitions.
+  overridable_distributed_iam_policy = <<EOT
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "iam:CreateServiceLinkedRole"
+            ],
+            "Resource": "*",
+            "Condition": {
+                "StringEquals": {
+                    "iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
+                }
+            }
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "ec2:DescribeAccountAttributes",
+                "ec2:DescribeAddresses",
+                "ec2:DescribeAvailabilityZones",
+                "ec2:DescribeInternetGateways",
+                "ec2:DescribeVpcs",
+                "ec2:DescribeVpcPeeringConnections",
+                "ec2:DescribeSubnets",
+                "ec2:DescribeSecurityGroups",
+                "ec2:DescribeInstances",
+                "ec2:DescribeNetworkInterfaces",
+                "ec2:DescribeTags",
+                "ec2:GetCoipPoolUsage",
+                "ec2:DescribeCoipPools",
+                "elasticloadbalancing:DescribeLoadBalancers",
+                "elasticloadbalancing:DescribeLoadBalancerAttributes",
+                "elasticloadbalancing:DescribeListeners",
+                "elasticloadbalancing:DescribeListenerCertificates",
+                "elasticloadbalancing:DescribeSSLPolicies",
+                "elasticloadbalancing:DescribeRules",
+                "elasticloadbalancing:DescribeTargetGroups",
+                "elasticloadbalancing:DescribeTargetGroupAttributes",
+                "elasticloadbalancing:DescribeTargetHealth",
+                "elasticloadbalancing:DescribeTags",
+                "elasticloadbalancing:DescribeTrustStores"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "cognito-idp:DescribeUserPoolClient",
+                "acm:ListCertificates",
+                "acm:DescribeCertificate",
+                "iam:ListServerCertificates",
+                "iam:GetServerCertificate",
+                "waf-regional:GetWebACL",
+                "waf-regional:GetWebACLForResource",
+                "waf-regional:AssociateWebACL",
+                "waf-regional:DisassociateWebACL",
+                "wafv2:GetWebACL",
+                "wafv2:GetWebACLForResource",
+                "wafv2:AssociateWebACL",
+                "wafv2:DisassociateWebACL",
+                "shield:GetSubscriptionState",
+                "shield:DescribeProtection",
+                "shield:CreateProtection",
+                "shield:DeleteProtection"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "ec2:AuthorizeSecurityGroupIngress",
+                "ec2:RevokeSecurityGroupIngress"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "ec2:CreateSecurityGroup"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "ec2:CreateTags"
+            ],
+            "Resource": "arn:aws:ec2:*:*:security-group/*",
+            "Condition": {
+                "StringEquals": {
+                    "ec2:CreateAction": "CreateSecurityGroup"
+                },
+                "Null": {
+                    "aws:RequestTag/elbv2.k8s.aws/cluster": "false"
+                }
+            }
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "ec2:CreateTags",
+                "ec2:DeleteTags"
+            ],
+            "Resource": "arn:aws:ec2:*:*:security-group/*",
+            "Condition": {
+                "Null": {
+                    "aws:RequestTag/elbv2.k8s.aws/cluster": "true",
+                    "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
+                }
+            }
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "ec2:AuthorizeSecurityGroupIngress",
+                "ec2:RevokeSecurityGroupIngress",
+                "ec2:DeleteSecurityGroup"
+            ],
+            "Resource": "*",
+            "Condition": {
+                "Null": {
+                    "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
+                }
+            }
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "elasticloadbalancing:CreateLoadBalancer",
+                "elasticloadbalancing:CreateTargetGroup"
+            ],
+            "Resource": "*",
+            "Condition": {
+                "Null": {
+                    "aws:RequestTag/elbv2.k8s.aws/cluster": "false"
+                }
+            }
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "elasticloadbalancing:CreateListener",
+                "elasticloadbalancing:DeleteListener",
+                "elasticloadbalancing:CreateRule",
+                "elasticloadbalancing:DeleteRule"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "elasticloadbalancing:AddTags",
+                "elasticloadbalancing:RemoveTags"
+            ],
+            "Resource": [
+                "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
+                "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
+                "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
+            ],
+            "Condition": {
+                "Null": {
+                    "aws:RequestTag/elbv2.k8s.aws/cluster": "true",
+                    "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
+                }
+            }
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "elasticloadbalancing:AddTags",
+                "elasticloadbalancing:RemoveTags"
+            ],
+            "Resource": [
+                "arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*",
+                "arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*",
+                "arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
+                "arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
+            ]
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "elasticloadbalancing:ModifyLoadBalancerAttributes",
+                "elasticloadbalancing:SetIpAddressType",
+                "elasticloadbalancing:SetSecurityGroups",
+                "elasticloadbalancing:SetSubnets",
+                "elasticloadbalancing:DeleteLoadBalancer",
+                "elasticloadbalancing:ModifyTargetGroup",
+                "elasticloadbalancing:ModifyTargetGroupAttributes",
+                "elasticloadbalancing:DeleteTargetGroup"
+            ],
+            "Resource": "*",
+            "Condition": {
+                "Null": {
+                    "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
+                }
+            }
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "elasticloadbalancing:AddTags"
+            ],
+            "Resource": [
+                "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
+                "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
+                "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
+            ],
+            "Condition": {
+                "StringEquals": {
+                    "elasticloadbalancing:CreateAction": [
+                        "CreateTargetGroup",
+                        "CreateLoadBalancer"
+                    ]
+                },
+                "Null": {
+                    "aws:RequestTag/elbv2.k8s.aws/cluster": "false"
+                }
+            }
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "elasticloadbalancing:RegisterTargets",
+                "elasticloadbalancing:DeregisterTargets"
+            ],
+            "Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "elasticloadbalancing:SetWebAcl",
+                "elasticloadbalancing:ModifyListener",
+                "elasticloadbalancing:AddListenerCertificates",
+                "elasticloadbalancing:RemoveListenerCertificates",
+                "elasticloadbalancing:ModifyRule"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+EOT
+}
@@ -1,8 +1,69 @@
-locals {
-  enabled = module.this.enabled
-}
+module "alb_controller" {
+  source  = "cloudposse/helm-release/aws"
+  version = "0.10.0"
+
+  chart           = var.chart
+  repository      = var.chart_repository
+  description     = var.chart_description
+  chart_version   = var.chart_version
+  wait            = true # required for installing IngressClassParams
+  atomic          = var.atomic
+  cleanup_on_fail = var.cleanup_on_fail
+  timeout         = var.timeout
 
+  create_namespace_with_kubernetes = var.create_namespace
+  kubernetes_namespace             = var.kubernetes_namespace
+  kubernetes_namespace_labels      = merge(module.this.tags, { name = var.kubernetes_namespace })
 
+  eks_cluster_oidc_issuer_url = replace(module.eks.outputs.eks_cluster_identity_oidc_issuer, "https://", "")
 
+  service_account_name      = module.this.name
+  service_account_namespace = var.kubernetes_namespace
 
+  iam_role_enabled = true
+  # See distributed-iam-policy.tf
+  iam_source_policy_documents = [local.overridable_distributed_iam_policy]
 
+  values = compact([
+    # standard k8s object settings
+    yamlencode({
+      fullnameOverride = module.this.name,
+      serviceAccount = {
+        name = module.this.name
+      },
+      resources = var.resources
+      rbac = {
+        create = var.rbac_enabled
+      }
+    }),
+    # alb-controller-specific values
+    yamlencode({
+      region                     = var.region
+      vpcId                      = module.vpc.outputs.vpc_id
+      clusterName                = module.eks.outputs.eks_cluster_id
+      createIngressClassResource = var.default_ingress_enabled
+      ingressClass               = var.default_ingress_class_name
+      ingressClassParams = {
+        name   = var.default_ingress_class_name
+        create = var.default_ingress_enabled
+        spec = {
+          group = {
+            name = var.default_ingress_group
+          }
+          scheme                 = var.default_ingress_scheme
+          ipAddressType          = var.default_ingress_ip_address_type
+          tags                   = [for k, v in merge(module.this.tags, var.default_ingress_additional_tags) : { key = k, value = v }]
+          loadBalancerAttributes = var.default_ingress_load_balancer_attributes
+        }
+      }
+      ingressClassConfig = {
+        default = var.default_ingress_enabled
+      }
+      defaultTags = module.this.tags
+    }),
+    # additional values
+    yamlencode(var.chart_values)
+  ])
+
+  context = module.this.context
+}
@@ -1,4 +1,4 @@
-output "mock" {
-  description = "Mock output example for the Cloud Posse Terraform component template"
-  value       = local.enabled ? "hello ${basename(abspath(path.module))}" : ""
+output "metadata" {
+  value       = module.alb_controller.metadata
+  description = "Block status of the deployed release"
 }
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-output "mock" {`
`2`		`- description = "Mock output example for the Cloud Posse Terraform component template"`
`3`		`- value = local.enabled ? "hello ${basename(abspath(path.module))}" : ""`
	`1`	`+output "metadata" {`
	`2`	`+ value = module.alb_controller.metadata`
	`3`	`+ description = "Block status of the deployed release"`
`4`	`4`	`}`