How to Expose Kubernetes Services on EKS with DNS and TLS
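# ./k8s/cert-manager/issuers.yaml
#
# Two ACME ClusterIssuers for cert-manager (API group cert-manager.io/v1).
# Point Ingresses at `letsencrypt-staging` first: its rate limits are far
# more generous than production's, so a broken solver setup does not burn
# the production issuance limit for the domain. Staging certificates chain
# to an untrusted root, which is expected.
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # Let's Encrypt sends expiry and policy notices to this address; replace
    # the placeholder with a mailbox somebody actually reads.
    email: user@example.com
    server: https://acme-v02.api.letsencrypt.org/directory
    # Secret holding the ACME account private key. For a ClusterIssuer it is
    # created in cert-manager's own namespace; anyone who can read it can act
    # as this ACME account, so keep RBAC on that namespace tight.
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
      # HTTP-01 challenges are served through a temporary Ingress that
      # cert-manager creates. With an empty config it relies on the cluster's
      # default ingress class; if more than one ingress controller is
      # installed, set `ingress.class` so the challenge reaches the controller
      # that fronts the public hostname.
      - http01:
          ingress: {}
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    email: user@example.com
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # Separate account key from production: the two ACME directories are
    # independent and do not share accounts.
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
      - http01:
          ingress: {}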
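# ./k8s/external-dns/deployment.yaml
#
# external-dns watches Ingress resources and publishes their hostnames to
# Route 53. Only the container args are given here; selector, image and
# service account are not in this file and presumably come from the base
# manifest this is layered on — confirm. For IRSA to work the pod must run as
# the `external-dns` ServiceAccount in the `external-dns` namespace (the
# subject pinned in the IAM trust policy), annotated with
# `eks.amazonaws.com/role-arn` pointing at the Route 53 role.
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: external-dns
spec:
  template:
    spec:
      containers:
        - name: external-dns
          args:
            # Only Ingress hostnames become DNS records.
            - --source=ingress
            - --provider=aws
            # TXT registry: every managed record gets a companion TXT record
            # carrying the owner id, so this instance only touches records it
            # created. Keep the id unique per cluster that shares a zone.
            - --registry=txt
            - --txt-owner-id=external-dns
            - --aws-zone-type=public
            # NOTE(review): no --domain-filter is set, so every public zone
            # the pod's IAM role can write to is in scope. Restrict it with
            # `--domain-filter=<zone>` and consider `--policy=upsert-only`,
            # since the default `sync` policy also deletes records whose
            # Ingress disappears.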
// ./iam_roles.tf
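# Trust policy for IRSA: lets the Kubernetes service account
# external-dns/external-dns assume the role through the cluster's OIDC provider.
data "aws_iam_policy_document" "externaldns_assume" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    effect  = "Allow"

    # Pin the subject so no other service account in the cluster can use this role.
    condition {
      test     = "StringEquals"
      variable = "${replace(module.eks.cluster_oidc_issuer_url, "https://", "")}:sub"
      values   = ["system:serviceaccount:external-dns:external-dns"]
    }

    # Also pin the audience, as AWS recommends for IRSA trust policies: the
    # projected token EKS mounts is issued with aud=sts.amazonaws.com, and
    # checking it rejects tokens from the same issuer minted for other audiences.
    condition {
      test     = "StringEquals"
      variable = "${replace(module.eks.cluster_oidc_issuer_url, "https://", "")}:aud"
      values   = ["sts.amazonaws.com"]
    }

    principals {
      identifiers = [module.eks.oidc_provider_arn]
      type        = "Federated"
    }
  }
}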
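# Route 53 permissions granted to external-dns.
data "aws_iam_policy_document" "externaldns_role" {
  statement {
    effect  = "Allow"
    actions = ["route53:ChangeResourceRecordSets"]
    # NOTE(review): hostedzone/* lets this role rewrite records in every
    # hosted zone in the account. Narrow it to the zone(s) external-dns should
    # manage, e.g. "arn:aws:route53:::hostedzone/<ZONE_ID>", and pair that
    # with --domain-filter on the external-dns side.
    resources = ["arn:aws:route53:::hostedzone/*"]
  }

  statement {
    effect = "Allow"
    # ListHostedZones has no resource-level scoping, so "*" is needed for it;
    # ListResourceRecordSets can be limited to the same zone ARN as above if
    # the first statement is narrowed.
    actions   = ["route53:ListHostedZones", "route53:ListResourceRecordSets"]
    resources = ["*"]
  }
}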
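# IAM role assumed by the external-dns pod via IRSA. The Kubernetes
# ServiceAccount still has to be annotated with
# eks.amazonaws.com/role-arn = aws_iam_role.externaldns_route53.arn,
# which is not done in this file.
resource "aws_iam_role" "externaldns_route53" {
  name               = "externaldns_route53"
  assume_role_policy = data.aws_iam_policy_document.externaldns_assume.json

  # Inline policy keeps the permissions' lifecycle tied to the role; there is
  # no separate managed policy or attachment to drift out of sync.
  inline_policy {
    name   = "externaldns_role"
    policy = data.aws_iam_policy_document.externaldns_role.json
  }
}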
// ./main.tf
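# Region and credentials come from the environment (AWS_REGION / AWS_PROFILE
# or the default credential chain); nothing is hard-coded here.
provider "aws" {}

# NOTE(review): the cluster is built in the account's default VPC and all of
# its subnets. Default-VPC subnets are public and auto-assign public IPv4
# addresses, so every worker node gets a public address. Acceptable for a
# throwaway demo; anything else should use a purpose-built VPC with private
# node subnets.
data "aws_vpc" "default" {
  default = true
}

# aws_subnet_ids is deprecated in newer AWS providers in favour of
# aws_subnets; kept as written to match the provider version this targets.
data "aws_subnet_ids" "default" {
  vpc_id = data.aws_vpc.default.id
}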
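module "eks" {
  # NOTE(review): the module source is unpinned, so a new major release of
  # terraform-aws-modules/eks can change inputs and resources under you on
  # the next init. Add a `version = "..."` constraint.
  source          = "terraform-aws-modules/eks/aws"
  cluster_name    = "appvia-dns-tls-demo"
  cluster_version = "1.19"
  vpc_id          = data.aws_vpc.default.id
  subnets         = data.aws_subnet_ids.default.ids

  # Writes a kubeconfig for the new cluster into the working directory;
  # keep it out of version control.
  write_kubeconfig = true

  # Creates the IAM OIDC provider for the cluster so pods can assume roles
  # through their service accounts (IRSA); the external-dns role's trust
  # policy depends on module.eks.oidc_provider_arn from this.
  enable_irsa = true

  workers_group_defaults = {
    root_volume_type = "gp2"
  }

  worker_groups = [
    {
      name                 = "worker-group"
      instance_type        = "t3a.small"
      asg_desired_capacity = 3
    }
  ]
}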
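# Read back the endpoint/CA of the cluster created above and mint an auth
# token so the kubernetes provider can talk to it in the same apply.
data "aws_eks_cluster" "cluster" {
  name = module.eks.cluster_id
}

data "aws_eks_cluster_auth" "cluster" {
  name = module.eks.cluster_id
}

provider "kubernetes" {
  host = data.aws_eks_cluster.cluster.endpoint
  # Verify the API server against the cluster CA instead of disabling TLS checks.
  cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
  # Short-lived token derived from the AWS identity running Terraform; it is
  # not stored in state as a long-term credential but will expire during a
  # long apply, which then needs to be re-run.
  token = data.aws_eks_cluster_auth.cluster.token
}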
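---
# Demo backend: three nginx "hello" pods fronted by the Service/Ingress below.
kind: Deployment
apiVersion: apps/v1
metadata:
  name: helloworld
  labels:
    name: helloworld
spec:
  replicas: 3
  selector:
    matchLabels:
      name: helloworld
  template:
    metadata:
      labels:
        name: helloworld
    spec:
      containers:
        - name: helloworld
          # NOTE(review): untagged image resolves to :latest, so each pull may
          # fetch a different build. Pin a tag or, better, a digest
          # (nginxdemos/hello@sha256:...) for reproducible, reviewable deploys.
          image: nginxdemos/hello
          ports:
            - name: http
              containerPort: 80
          resources:
            # Only limits are set (no requests), so the pod is scheduled as
            # Burstable with requests implicitly equal to these limits.
            # 32Mi is a small cap for nginx — watch for OOMKilled restarts.
            limits:
              memory: 32Mi
              cpu: 1000m
          livenessProbe:
            httpGet:
              path: /
              port: http
          # Without a readiness probe the pod is Ready the moment the
          # container starts, so the Service can route to it before nginx is
          # listening; gate traffic on the same endpoint instead.
          readinessProbe:
            httpGet:
              path: /
              port: http
          # NOTE(review): no securityContext. The image binds port 80 and runs
          # nginx as root, so runAsNonRoot would break it as-is; at least
          # consider allowPrivilegeEscalation: false and a read-only root
          # filesystem once verified against this image.
      restartPolicy: Always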
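---
apiVersion: v1
kind: Service
metadata:
  name: helloworld
spec:
  # ClusterIP (the default): reachable only inside the cluster. Public
  # exposure goes through the Ingress, which terminates TLS.
  ports:
    - name: http
      port: 8080
      # Resolves to the container port named `http` (80) in the Deployment.
      targetPort: http
  selector:
    name: helloworld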
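---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: helloworld
  annotations:
    # cert-manager's ingress-shim watches this annotation and creates a
    # Certificate for spec.tls from the named ClusterIssuer. The previous key,
    # `certmanager.k8s.io/cluster-issuer`, belongs to the pre-0.11 API group
    # and is not acted on by cert-manager.io/v1 (the API the issuers use), so
    # no certificate would have been issued.
    cert-manager.io/cluster-issuer: letsencrypt-prod
    # Legacy ingress-shim trigger; harmless next to the annotation above, and
    # on its own it only works if cert-manager runs with a default issuer
    # configured.
    kubernetes.io/tls-acme: 'true'
spec:
  # NOTE(review): no ingressClassName, so this relies on the cluster's default
  # ingress class. Set it explicitly if more than one controller is installed.
  tls:
    - hosts:
        - dns-tls-demo.sa-team.teams.kore.appvia.io
      # cert-manager writes the issued key pair into this Secret and the
      # ingress controller reads it; it must be in the Ingress's namespace.
      secretName: helloworld
  rules:
    - host: dns-tls-demo.sa-team.teams.kore.appvia.io
      http:
        paths:
          - pathType: Prefix
            path: '/'
            backend:
              service:
                name: helloworld
                port:
                  name: http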
// ./output.tf
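# Account id of the credentials Terraform is running with, exported for use
# outside Terraform (for example when composing the role ARN for the
# external-dns service account annotation).
data "aws_caller_identity" "current" {}

output "aws_account_id" {
  value = data.aws_caller_identity.current.account_id
}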