import { ComponentResource, ComponentResourceOptions, Input, CustomResourceOptions } from "@pulumi/pulumi"; | |
import * as eks from '@pulumi/eks'; | |
import * as k8s from '@pulumi/kubernetes'; | |
import * as aws from '@pulumi/aws'; | |
import * as fs from 'fs'; | |
import * as path from 'node:path' | |
import * as pulumi from '@pulumi/pulumi' | |
/** Inputs accepted by {@link AlbIngressController}. */
interface albIngressControllerArgs {
  /** VPC the controller will create load balancers in. */
  vpcId: Input<string>
  /** EKS cluster to install into; its OIDC provider is used for the IRSA trust policy. */
  cluster: eks.Cluster
  /** Turns the chart's `enableShield` flag on; treated as off when omitted. */
  enableShield?: Input<boolean>
}
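/**
 * Installs the AWS Load Balancer Controller into an EKS cluster using IAM
 * Roles for Service Accounts (IRSA), so the controller obtains AWS credentials
 * scoped to its own Kubernetes service account instead of node credentials.
 *
 * Child resources (all parented to this component):
 * - Namespace `aws-lb-controller`
 * - IAM role trusted only by the cluster's OIDC provider for that one service account
 * - IAM policy read from `files/iam_policy.json`, attached to the role
 * - ServiceAccount annotated with the role ARN
 * - Helm release `aws-load-balancer-controller` 1.4.4 from the eks-charts repo
 */
export class AlbIngressController extends ComponentResource {
  /**
   * @param name base name; every child resource name is derived from it
   * @param args target cluster, VPC id and optional Shield toggle
   * @param opts component options; `opts.provider` is passed to the AWS
   *   resources, while Kubernetes resources always use `cluster.provider`
   * @throws Error if the cluster has no OIDC provider, since the IRSA trust
   *   policy cannot be built without one
   */
  constructor(name: string, args: albIngressControllerArgs, opts?: ComponentResourceOptions) {
    super('custom:resource:AlbIngressController', name, args, opts)
    const { cluster } = args

    // One options object per target so every AWS resource uses the same
    // provider and every Kubernetes resource targets the cluster.
    const awsOpts = { provider: opts?.provider, parent: this }
    const k8sOpts = { provider: cluster.provider, parent: this }

    // Only an aws.Provider carries a region; with any other provider the chart
    // is left to detect the region itself.
    const awsProvider = opts?.provider instanceof aws.Provider ? opts.provider : undefined

    const oidcProvider = cluster.core.oidcProvider
    if (oidcProvider === undefined) {
      throw new Error(`${name}: cluster has no OIDC provider; IRSA needs one to build the role trust policy`)
    }

    const serviceAccountName = `${name}-serviceaccount`

    const namespace = new k8s.core.v1.Namespace(`${name}-alb-namespace`, {
      metadata: {
        name: 'aws-lb-controller',
        labels: {
          'app.kubernetes.io/name': 'aws-load-balancer-controller',
        },
      },
    }, k8sOpts)

    // Trust policy: only tokens issued by this cluster's OIDC provider for
    // exactly this service account, and minted for STS, may assume the role.
    const assumeRolePolicy = pulumi
      .all([namespace.metadata, oidcProvider.arn, oidcProvider.url])
      .apply(([namespaceMetadata, arn, url]): aws.iam.PolicyDocument => {
        // Condition keys use the issuer host without a scheme; the replace is a
        // no-op if the provider URL already comes without one.
        const issuer = url.replace(/^https?:\/\//, '')
        return {
          Version: '2012-10-17',
          Statement: [{
            Effect: 'Allow',
            Principal: { Federated: arn },
            Action: 'sts:AssumeRoleWithWebIdentity',
            Condition: {
              StringEquals: {
                [`${issuer}:sub`]: `system:serviceaccount:${namespaceMetadata.name}:${serviceAccountName}`,
                // Audience pin recommended for IRSA trust policies.
                [`${issuer}:aud`]: 'sts.amazonaws.com',
              },
            },
          }],
        }
      })

    const iamRole = new aws.iam.Role(`${name}-aws-loadbalancer-controller-role`, {
      assumeRolePolicy,
    }, awsOpts)

    // Permissions for the controller; the JSON document is expected to ship
    // next to this module under files/.
    const policy = new aws.iam.Policy(`${name}-ingress-controller-iam-policy`, {
      policy: fs.readFileSync(path.resolve(__dirname, 'files', 'iam_policy.json'), 'utf8'),
    }, awsOpts)

    new aws.iam.RolePolicyAttachment(`${name}-eks-nodeInstanceRole-policy-attach`, {
      role: iamRole,
      policyArn: policy.arn,
    }, awsOpts)

    const serviceAccount = new k8s.core.v1.ServiceAccount(serviceAccountName, {
      metadata: {
        name: serviceAccountName,
        namespace: namespace.metadata.apply(m => m.name),
        labels: {
          'app.kubernetes.io/name': 'aws-loadbalancer-controller',
          'app.kubernetes.io/instance': name,
        },
        // This annotation is what binds the pod identity to the IAM role.
        annotations: {
          'eks.amazonaws.com/role-arn': iamRole.arn,
        },
      },
    }, k8sOpts)

    new k8s.helm.v3.Release(`${name}-alb`, {
      chart: 'aws-load-balancer-controller',
      version: '1.4.4',
      namespace: namespace.metadata.apply(m => m.name),
      repositoryOpts: {
        repo: 'https://aws.github.io/eks-charts',
      },
      values: {
        region: awsProvider?.region,
        // enableShield may be an Output; an Output object is always truthy in
        // JS, so it must be resolved before being turned into the flag value.
        enableShield: pulumi.output(args.enableShield).apply(v => (v ? 'true' : 'false')),
        vpcId: args.vpcId,
        clusterName: cluster.eksCluster.name,
        // The chart reads camelCase `serviceAccount`, and `create` must be a
        // real boolean: in a Go template a non-empty string "false" is truthy,
        // which would make the chart create its own un-annotated account and
        // leave the controller without the IRSA role.
        serviceAccount: {
          name: serviceAccount.metadata.apply(m => m.name),
          create: false,
        },
      },
    }, k8sOpts)
  }
}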