enh: do not use terraform modules for deploying aws-load-balancer-controller (#160)

Author: mglotov

terraform/layer2-k8s/eks-aws-loadbalancer-controller.tf

@@ -1,12 +1,246 @@
+locals {
+  aws-load-balancer-controller = {
+    chart         = local.helm_charts[index(local.helm_charts.*.id, "aws-load-balancer-controller")].chart
+    repository    = lookup(local.helm_charts[index(local.helm_charts.*.id, "aws-load-balancer-controller")], "repository", null)
+    chart_version = lookup(local.helm_charts[index(local.helm_charts.*.id, "aws-load-balancer-controller")], "version", null)
+  }
+  alb_ingress_controller = templatefile("${path.module}/templates/alb-ingress-controller-values.yaml",
+    {
+      role_arn     = var.aws_loadbalancer_controller_enable ? module.aws_iam_aws_loadbalancer_controller[0].role_arn : "",
+      region       = local.region,
+      cluster_name = local.eks_cluster_id,
+      vpc_id       = local.vpc_id
+  })
+}
+
+resource "helm_release" "aws_loadbalancer_controller" {
+  count = var.aws_loadbalancer_controller_enable ? 1 : 0
+
+  name        = "aws-load-balancer-controller"
+  chart       = local.aws-load-balancer-controller.chart
+  repository  = local.aws-load-balancer-controller.repository
+  version     = local.aws-load-balancer-controller.chart_version
+  namespace   = module.ing_namespace.name
+  max_history = var.helm_release_history_size
+
+  values = [
+    local.alb_ingress_controller
+  ]
+}
+
 #tfsec:ignore:aws-iam-no-policy-wildcards
-module "eks_alb_ingress" {
-  source = "../modules/eks-aws-loadbalancer-controller"
-  count  = var.aws_loadbalancer_controller_enable ? 1 : 0
+module "aws_iam_aws_loadbalancer_controller" {
+  count = var.aws_loadbalancer_controller_enable ? 1 : 0
 
-  name              = local.name
+  source            = "../modules/aws-iam-eks-trusted"
+  name              = "${local.name}-alb-ingress"
   region            = local.region
   oidc_provider_arn = local.eks_oidc_provider_arn
-  eks_cluster_id    = local.eks_cluster_id
-  vpc_id            = local.vpc_id
-  namespace         = module.ing_namespace.name
+  policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Effect" : "Allow",
+        "Action" : [
+          "iam:CreateServiceLinkedRole",
+          "ec2:DescribeAccountAttributes",
+          "ec2:DescribeAddresses",
+          "ec2:DescribeAvailabilityZones",
+          "ec2:DescribeInternetGateways",
+          "ec2:DescribeVpcs",
+          "ec2:DescribeSubnets",
+          "ec2:DescribeSecurityGroups",
+          "ec2:DescribeInstances",
+          "ec2:DescribeNetworkInterfaces",
+          "ec2:DescribeTags",
+          "ec2:GetCoipPoolUsage",
+          "ec2:DescribeCoipPools",
+          "elasticloadbalancing:DescribeLoadBalancers",
+          "elasticloadbalancing:DescribeLoadBalancerAttributes",
+          "elasticloadbalancing:DescribeListeners",
+          "elasticloadbalancing:DescribeListenerCertificates",
+          "elasticloadbalancing:DescribeSSLPolicies",
+          "elasticloadbalancing:DescribeRules",
+          "elasticloadbalancing:DescribeTargetGroups",
+          "elasticloadbalancing:DescribeTargetGroupAttributes",
+          "elasticloadbalancing:DescribeTargetHealth",
+          "elasticloadbalancing:DescribeTags"
+        ],
+        "Resource" : "*"
+      },
+      {
+        "Effect" : "Allow",
+        "Action" : [
+          "cognito-idp:DescribeUserPoolClient",
+          "acm:ListCertificates",
+          "acm:DescribeCertificate",
+          "iam:ListServerCertificates",
+          "iam:GetServerCertificate",
+          "waf-regional:GetWebACL",
+          "waf-regional:GetWebACLForResource",
+          "waf-regional:AssociateWebACL",
+          "waf-regional:DisassociateWebACL",
+          "wafv2:GetWebACL",
+          "wafv2:GetWebACLForResource",
+          "wafv2:AssociateWebACL",
+          "wafv2:DisassociateWebACL",
+          "shield:GetSubscriptionState",
+          "shield:DescribeProtection",
+          "shield:CreateProtection",
+          "shield:DeleteProtection"
+        ],
+        "Resource" : "*"
+      },
+      {
+        "Effect" : "Allow",
+        "Action" : [
+          "ec2:AuthorizeSecurityGroupIngress",
+          "ec2:RevokeSecurityGroupIngress"
+        ],
+        "Resource" : "*"
+      },
+      {
+        "Effect" : "Allow",
+        "Action" : [
+          "ec2:CreateSecurityGroup"
+        ],
+        "Resource" : "*"
+      },
+      {
+        "Effect" : "Allow",
+        "Action" : [
+          "ec2:CreateTags"
+        ],
+        "Resource" : "arn:aws:ec2:*:*:security-group/*",
+        "Condition" : {
+          "StringEquals" : {
+            "ec2:CreateAction" : "CreateSecurityGroup"
+          },
+          "Null" : {
+            "aws:RequestTag/elbv2.k8s.aws/cluster" : "false"
+          }
+        }
+      },
+      {
+        "Effect" : "Allow",
+        "Action" : [
+          "ec2:CreateTags",
+          "ec2:DeleteTags"
+        ],
+        "Resource" : "arn:aws:ec2:*:*:security-group/*",
+        "Condition" : {
+          "Null" : {
+            "aws:RequestTag/elbv2.k8s.aws/cluster" : "true",
+            "aws:ResourceTag/elbv2.k8s.aws/cluster" : "false"
+          }
+        }
+      },
+      {
+        "Effect" : "Allow",
+        "Action" : [
+          "ec2:AuthorizeSecurityGroupIngress",
+          "ec2:RevokeSecurityGroupIngress",
+          "ec2:DeleteSecurityGroup"
+        ],
+        "Resource" : "*",
+        "Condition" : {
+          "Null" : {
+            "aws:ResourceTag/elbv2.k8s.aws/cluster" : "false"
+          }
+        }
+      },
+      {
+        "Effect" : "Allow",
+        "Action" : [
+          "elasticloadbalancing:CreateLoadBalancer",
+          "elasticloadbalancing:CreateTargetGroup"
+        ],
+        "Resource" : "*",
+        "Condition" : {
+          "Null" : {
+            "aws:RequestTag/elbv2.k8s.aws/cluster" : "false"
+          }
+        }
+      },
+      {
+        "Effect" : "Allow",
+        "Action" : [
+          "elasticloadbalancing:CreateListener",
+          "elasticloadbalancing:DeleteListener",
+          "elasticloadbalancing:CreateRule",
+          "elasticloadbalancing:DeleteRule"
+        ],
+        "Resource" : "*"
+      },
+      {
+        "Effect" : "Allow",
+        "Action" : [
+          "elasticloadbalancing:AddTags",
+          "elasticloadbalancing:RemoveTags"
+        ],
+        "Resource" : [
+          "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
+          "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
+          "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
+        ],
+        "Condition" : {
+          "Null" : {
+            "aws:RequestTag/elbv2.k8s.aws/cluster" : "true",
+            "aws:ResourceTag/elbv2.k8s.aws/cluster" : "false"
+          }
+        }
+      },
+      {
+        "Effect" : "Allow",
+        "Action" : [
+          "elasticloadbalancing:AddTags",
+          "elasticloadbalancing:RemoveTags"
+        ],
+        "Resource" : [
+          "arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*",
+          "arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*",
+          "arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
+          "arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
+        ]
+      },
+      {
+        "Effect" : "Allow",
+        "Action" : [
+          "elasticloadbalancing:ModifyLoadBalancerAttributes",
+          "elasticloadbalancing:SetIpAddressType",
+          "elasticloadbalancing:SetSecurityGroups",
+          "elasticloadbalancing:SetSubnets",
+          "elasticloadbalancing:DeleteLoadBalancer",
+          "elasticloadbalancing:ModifyTargetGroup",
+          "elasticloadbalancing:ModifyTargetGroupAttributes",
+          "elasticloadbalancing:DeleteTargetGroup"
+        ],
+        "Resource" : "*",
+        "Condition" : {
+          "Null" : {
+            "aws:ResourceTag/elbv2.k8s.aws/cluster" : "false"
+          }
+        }
+      },
+      {
+        "Effect" : "Allow",
+        "Action" : [
+          "elasticloadbalancing:RegisterTargets",
+          "elasticloadbalancing:DeregisterTargets"
+        ],
+        "Resource" : "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
+      },
+      {
+        "Effect" : "Allow",
+        "Action" : [
+          "elasticloadbalancing:SetWebAcl",
+          "elasticloadbalancing:ModifyListener",
+          "elasticloadbalancing:AddListenerCertificates",
+          "elasticloadbalancing:RemoveListenerCertificates",
+          "elasticloadbalancing:ModifyRule"
+        ],
+        "Resource" : "*"
+      }
+    ]
+  })
 }

terraform/layer2-k8s/helm-charts.yaml

@@ -1,6 +1,6 @@
 charts:
-  - id: aws-loadbalancer-controller
-    chart: aws-loadbalancer-controller
+  - id: aws-load-balancer-controller
+    chart: aws-load-balancer-controller
     repository: https://aws.github.io/eks-charts
     version: 1.2.6
   - id: aws-node-termination-handler

terraform/modules/eks-aws-loadbalancer-controller/templates/alb-ingress-controller-values.yaml renamed to terraform/layer2-k8s/templates/alb-ingress-controller-values.yaml

@@ -1,5 +1,3 @@
-replicaCount: ${replica_count}
-
 clusterName: ${cluster_name}
 
 region: ${region}
@@ -10,9 +8,6 @@ serviceAccount:
   annotations:
      "eks.amazonaws.com/role-arn": ${role_arn}
 
-image:
-  tag: ${image_tag}
-
 affinity:
   nodeAffinity:
     requiredDuringSchedulingIgnoredDuringExecution:

terraform/layer2-k8s/variables.tf

@@ -41,7 +41,7 @@ variable "nginx_ingress_ssl_terminator" {
 
 # ALB Ingress
 variable "aws_loadbalancer_controller_enable" {
-  description = "Disable or Enable aws-loadbalancer-controller"
+  description = "Disable or Enable aws-loadbalancer-controller. You need to enable it if you want to use Fargate"
   type        = bool
   default     = false
 }