import * as pulumi from '@pulumi/pulumi';
import * as eks from '@pulumi/eks';
import * as aws from '@pulumi/aws';
import * as awsx from '@pulumi/awsx';
import { vpc, sg } from './vpc';

const config = new pulumi.Config();

// Worker-node size is read from stack configuration (`k8sinstancetype`) so the
// same program can be deployed with different capacity per stack; `require`
// fails the preview if the key is missing.
const instanceType: aws.ec2.InstanceType = config.require('k8sinstancetype');

// Control plane plus default node group, placed into the VPC from ./vpc and
// reusing its security group. `createOidcProvider` is what lets ./roles build
// IAM roles trusted by Kubernetes service accounts (IRSA).
// NOTE(review): Kubernetes 1.16 has reached end of support on EKS and no
// longer receives security patches; plan the version bump.
const clusterOptions: eks.ClusterOptions = {
  version: '1.16',
  vpcId: vpc.id,
  privateSubnetIds: vpc.privateSubnetIds,
  publicSubnetIds: vpc.publicSubnetIds,
  clusterSecurityGroup: sg.securityGroup,
  instanceType,
  desiredCapacity: 3,
  minSize: 1,
  maxSize: 4,
  createOidcProvider: true,
};

// EKS control-plane operations are slow; allow 20 minutes per lifecycle step
// before Pulumi reports a timeout.
const clusterResourceOptions: pulumi.ComponentResourceOptions = {
  dependsOn: vpc,
  customTimeouts: {
    create: '20m',
    update: '20m',
    delete: '20m',
  },
};

/** The EKS cluster; its `provider` is the target for the Helm charts in this stack. */
export const cluster = new eks.Cluster('k8s-pulumi', clusterOptions, clusterResourceOptions);
import * as k8s from '@pulumi/kubernetes';
import { cluster } from './cluster';
import { updateRoute53Role } from './roles';

// Values for the bitnami/external-dns chart. The controller runs under a
// Kubernetes service account named after the IAM role from ./roles and is
// annotated for IRSA, so pods obtain Route 53 credentials for that role.
// NOTE(review): `aws.assumeRoleArn` names the same role the IRSA annotation
// already grants; one of the two is likely redundant — confirm which path the
// chart version in use expects.
const externalDnsValues = {
  txtOwnerId: 'safira-external-dns-pulumi',
  domainFilters: ['aws2.safiraqa.com'],
  aws: {
    zoneType: 'public',
    assumeRoleArn: updateRoute53Role.arn,
  },
  // presumably needed so the non-root container can read the projected
  // service-account token — confirm against the chart docs.
  podSecurityContext: {
    fsGroup: 65534,
  },
  serviceAccount: {
    name: updateRoute53Role.name,
    // create: false,
    annotations: {
      'eks.amazonaws.com/role-arn': updateRoute53Role.arn,
    },
  },
};

// Chart is pinned to an exact version and fetched from the Bitnami repository.
const externalDnsChartOpts: k8s.helm.v2.ChartOpts = {
  chart: 'external-dns',
  version: '3.1.0',
  values: externalDnsValues,
  fetchOpts: {
    repo: 'https://charts.bitnami.com/bitnami',
  },
};

/** external-dns release deployed into the cluster from ./cluster. */
export const externalDnsChart = new k8s.helm.v2.Chart('external-dns', externalDnsChartOpts, {
  // The role must exist before the chart renders its service-account annotation.
  dependsOn: [cluster, updateRoute53Role],
  provider: cluster.provider,
});
import * as pulumi from '@pulumi/pulumi';
import * as aws from '@pulumi/aws';
import { cluster } from './cluster';

/** Shared name for the IAM role and the Kubernetes service account it trusts. */
const name = 'update-route53-test';

// Account the stack is deploying into, resolved at deployment time.
const callerIdentity = pulumi.output(aws.getCallerIdentity({ async: true }));
export const accountId = callerIdentity.accountId;

/**
 * The cluster's IAM OIDC provider (created by `createOidcProvider` in ./cluster).
 * Typed as possibly undefined, which is why uses below assert with `!`.
 */
export const oidcProvider = cluster.core.oidcProvider;
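// Trust policy for IRSA. IAM condition keys for an OIDC provider are written
// as `<issuer host and path>:sub`, i.e. the provider URL WITHOUT its `https://`
// scheme; `oidcProvider.url` carries the scheme, so it is stripped here —
// otherwise the StringEquals condition can never match and the service
// account is denied AssumeRoleWithWebIdentity.
// The `:aud` condition pins the token audience to STS, as AWS recommends for
// IRSA trust policies.
const assumeRolePolicy = pulumi
  .all([oidcProvider!.arn, oidcProvider!.url])
  .apply(([providerArn, issuerUrl]) => {
    const issuer = issuerUrl.replace(/^https:\/\//, '');
    return JSON.stringify({
      Version: '2012-10-17',
      Statement: [
        {
          Effect: 'Allow',
          Principal: { Federated: providerArn },
          Action: 'sts:AssumeRoleWithWebIdentity',
          Condition: {
            StringEquals: {
              // Only the external-dns service account in the default namespace
              // (see the chart's serviceAccount.name) may assume this role.
              [`${issuer}:sub`]: `system:serviceaccount:default:${name}`,
              [`${issuer}:aud`]: 'sts.amazonaws.com',
            },
          },
        },
      ],
    });
  });

/**
 * IAM role assumed by the external-dns service account via the cluster's OIDC
 * provider. The Route 53 permissions themselves are attached separately.
 */
export const updateRoute53Role = new aws.iam.Role(
  name,
  {
    name,
    assumeRolePolicy,
    tags: {
      clusterAccess: `${name}-usr`,
    },
  },
  {
    // The OIDC provider referenced in the trust policy is owned by the cluster.
    dependsOn: cluster,
  },
);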
// Permissions external-dns needs: write records, and list zones/records to
// discover what to manage.
// NOTE(review): `hostedzone/*` allows record changes in every zone of the
// account; if only the zone(s) behind `domainFilters` should be writable,
// narrow this to their specific hosted-zone ARN(s).
const externalDnsPolicyDocument = {
  Version: '2012-10-17',
  Statement: [
    {
      Effect: 'Allow',
      Action: ['route53:ChangeResourceRecordSets'],
      Resource: ['arn:aws:route53:::hostedzone/*'],
    },
    {
      Effect: 'Allow',
      // Route 53 List* actions do not support resource-level restrictions,
      // so `*` is the only valid resource here.
      Action: ['route53:ListHostedZones', 'route53:ListResourceRecordSets'],
      Resource: ['*'],
    },
  ],
};

/** Customer-managed policy granting external-dns its Route 53 access. */
export const policy = new aws.iam.Policy('AllowExternalDNSUpdates', {
  description: 'This policy allows external-dns to update route53',
  path: '/',
  policy: JSON.stringify(externalDnsPolicyDocument),
});
// Bind the managed policy to the role.
// NOTE(review): both resources below attach the same policy to the same role.
// `PolicyAttachment` is exclusive (it manages every principal the policy is
// attached to), so keeping it alongside `RolePolicyAttachment` is redundant
// and the two can fight on refresh; pick one and retire the other in a
// separate, deliberate update.
const policyAttachment = new aws.iam.PolicyAttachment('update-route53', {
  roles: [updateRoute53Role],
  policyArn: policy.arn,
});

const rolePolicyAttachment = new aws.iam.RolePolicyAttachment('update-route53', {
  role: updateRoute53Role,
  policyArn: policy.arn,
});