# The EKS cluster the controller is installed into. The cluster name follows
# the "<project>-<env>" convention used elsewhere in this stack (see the helm
# release's clusterName value).
data "aws_eks_cluster" "cluster" {
  name = format("%s-%s", var.project, var.env)
}
# The IAM OIDC identity provider registered for this cluster's issuer URL.
# It is looked up (not created) here, so the provider must already exist
# in the account for the IRSA trust policy below to resolve.
data "aws_iam_openid_connect_provider" "cluster" {
  url = element(data.aws_eks_cluster.cluster.identity, 0).oidc[0].issuer
}
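resource "aws_iam_policy" "aws_load_balancer_policy" {
  # IAM policy names are unique per AWS account. The cluster name is built from
  # project/env, so a fixed literal here would collide (EntityAlreadyExists)
  # the moment a second env of the same project is deployed into the account.
  name        = "${var.project}-${var.env}-aws-load-balancer-policy"
  path        = "/"
  description = "AWS Load Balancer Controller policy for EKS cluster ${var.project}-${var.env}"

  # Permissions for the AWS Load Balancer Controller.
  #
  # Ownership model: most mutating statements are fenced by the
  # `elbv2.k8s.aws/cluster` tag. `"Null" = "false"` on aws:RequestTag means
  # "the request MUST carry the tag" (used at create time); `"Null" = "false"`
  # on aws:ResourceTag means "the target MUST already carry the tag" (used for
  # modify/delete). So the controller can only change load balancers, target
  # groups and security groups it created, and cannot re-home them by
  # rewriting that tag.
  #
  # Statements with Resource = "*" and no tag condition (Describe*, ACM/WAF/
  # Shield, listener/rule create/delete/modify, unscoped SG ingress changes)
  # are NOT fenced and apply to any matching resource in the account.
  #
  # NOTE(review): this document has to track the controller release it is
  # attached to. The helm_release below has its chart `version` commented
  # out, so a chart upgrade can start requiring actions this policy does not
  # grant (or keep granting ones no longer needed) — pin the chart version and
  # review this policy together with it.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      # Let ELB create its service-linked role on first use; the condition
      # restricts this to the ELB service only.
      {
        Effect   = "Allow"
        Action   = ["iam:CreateServiceLinkedRole"]
        Resource = "*"
        Condition = {
          StringEquals = {
            "iam:AWSServiceName" = "elasticloadbalancing.amazonaws.com"
          }
        }
      },
      # Read-only discovery of VPC/EC2 and ELBv2 state (account-wide).
      {
        Effect = "Allow"
        Action = [
          "ec2:DescribeAccountAttributes",
          "ec2:DescribeAddresses",
          "ec2:DescribeAvailabilityZones",
          "ec2:DescribeInternetGateways",
          "ec2:DescribeVpcs",
          "ec2:DescribeVpcPeeringConnections",
          "ec2:DescribeSubnets",
          "ec2:DescribeSecurityGroups",
          "ec2:DescribeInstances",
          "ec2:DescribeNetworkInterfaces",
          "ec2:DescribeTags",
          "ec2:GetCoipPoolUsage",
          "ec2:DescribeCoipPools",
          "elasticloadbalancing:DescribeLoadBalancers",
          "elasticloadbalancing:DescribeLoadBalancerAttributes",
          "elasticloadbalancing:DescribeListeners",
          "elasticloadbalancing:DescribeListenerCertificates",
          "elasticloadbalancing:DescribeSSLPolicies",
          "elasticloadbalancing:DescribeRules",
          "elasticloadbalancing:DescribeTargetGroups",
          "elasticloadbalancing:DescribeTargetGroupAttributes",
          "elasticloadbalancing:DescribeTargetHealth",
          "elasticloadbalancing:DescribeTags"
        ]
        Resource = "*"
      },
      # Certificate lookup plus WAF / Shield association. Associate/Disassociate
      # and Create/DeleteProtection are mutating and not tag-scoped: the
      # controller can attach or detach a web ACL / Shield protection on any
      # resource in the account.
      {
        Effect = "Allow"
        Action = [
          "cognito-idp:DescribeUserPoolClient",
          "acm:ListCertificates",
          "acm:DescribeCertificate",
          "iam:ListServerCertificates",
          "iam:GetServerCertificate",
          "waf-regional:GetWebACL",
          "waf-regional:GetWebACLForResource",
          "waf-regional:AssociateWebACL",
          "waf-regional:DisassociateWebACL",
          "wafv2:GetWebACL",
          "wafv2:GetWebACLForResource",
          "wafv2:AssociateWebACL",
          "wafv2:DisassociateWebACL",
          "shield:GetSubscriptionState",
          "shield:DescribeProtection",
          "shield:CreateProtection",
          "shield:DeleteProtection"
        ]
        Resource = "*"
      },
      # Unscoped security-group ingress changes (any SG in the account).
      # Presumably kept so the controller can open the load balancer's SG as a
      # source on the worker-node security groups, which do not carry the
      # cluster tag — confirm this is still required by the controller version
      # in use; the tag-scoped statement further down covers the SGs it owns.
      {
        Effect = "Allow"
        Action = [
          "ec2:AuthorizeSecurityGroupIngress",
          "ec2:RevokeSecurityGroupIngress"
        ]
        Resource = "*"
      },
      # Creating a security group cannot be tag-conditioned itself; the
      # create-time CreateTags statement below is what forces the tag on.
      {
        Effect   = "Allow"
        Action   = ["ec2:CreateSecurityGroup"]
        Resource = "*"
      },
      # Tagging during CreateSecurityGroup only, and only if the request
      # includes the cluster ownership tag.
      {
        Effect   = "Allow"
        Action   = ["ec2:CreateTags"]
        Resource = "arn:aws:ec2:*:*:security-group/*"
        Condition = {
          StringEquals = {
            "ec2:CreateAction" = "CreateSecurityGroup"
          }
          Null = {
            "aws:RequestTag/elbv2.k8s.aws/cluster" = "false"
          }
        }
      },
      # Later tag edits on SGs the controller already owns, as long as the
      # request does not touch the ownership tag itself.
      {
        Effect = "Allow"
        Action = [
          "ec2:CreateTags",
          "ec2:DeleteTags"
        ]
        Resource = "arn:aws:ec2:*:*:security-group/*"
        Condition = {
          Null = {
            "aws:RequestTag/elbv2.k8s.aws/cluster"  = "true"
            "aws:ResourceTag/elbv2.k8s.aws/cluster" = "false"
          }
        }
      },
      # Rule changes and deletion for owned (cluster-tagged) security groups.
      {
        Effect = "Allow"
        Action = [
          "ec2:AuthorizeSecurityGroupIngress",
          "ec2:RevokeSecurityGroupIngress",
          "ec2:DeleteSecurityGroup"
        ]
        Resource = "*"
        Condition = {
          Null = {
            "aws:ResourceTag/elbv2.k8s.aws/cluster" = "false"
          }
        }
      },
      # New load balancers / target groups must be created with the
      # ownership tag in the request.
      {
        Effect = "Allow"
        Action = [
          "elasticloadbalancing:CreateLoadBalancer",
          "elasticloadbalancing:CreateTargetGroup"
        ]
        Resource = "*"
        Condition = {
          Null = {
            "aws:RequestTag/elbv2.k8s.aws/cluster" = "false"
          }
        }
      },
      # Listener and rule lifecycle. Not tag-scoped: this allows creating or
      # deleting listeners/rules on any ALB/NLB in the account, not only the
      # ones this cluster owns.
      {
        Effect = "Allow"
        Action = [
          "elasticloadbalancing:CreateListener",
          "elasticloadbalancing:DeleteListener",
          "elasticloadbalancing:CreateRule",
          "elasticloadbalancing:DeleteRule"
        ]
        Resource = "*"
      },
      # Tag edits on owned LBs / target groups, excluding the ownership tag.
      {
        Effect = "Allow"
        Action = [
          "elasticloadbalancing:AddTags",
          "elasticloadbalancing:RemoveTags"
        ]
        Resource = [
          "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
          "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
          "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
        ]
        Condition = {
          Null = {
            "aws:RequestTag/elbv2.k8s.aws/cluster"  = "true"
            "aws:ResourceTag/elbv2.k8s.aws/cluster" = "false"
          }
        }
      },
      # Tag edits on listeners and listener rules — no ownership condition.
      {
        Effect = "Allow"
        Action = [
          "elasticloadbalancing:AddTags",
          "elasticloadbalancing:RemoveTags"
        ]
        Resource = [
          "arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*",
          "arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*",
          "arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
          "arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
        ]
      },
      # Tagging as part of CreateLoadBalancer / CreateTargetGroup, only when
      # the request carries the ownership tag.
      {
        Effect   = "Allow"
        Action   = ["elasticloadbalancing:AddTags"]
        Resource = [
          "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
          "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
          "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
        ]
        Condition = {
          StringEquals = {
            "elasticloadbalancing:CreateAction" = [
              "CreateTargetGroup",
              "CreateLoadBalancer"
            ]
          }
          Null = {
            "aws:RequestTag/elbv2.k8s.aws/cluster" = "false"
          }
        }
      },
      # Modify / delete of owned (cluster-tagged) LBs and target groups.
      {
        Effect = "Allow"
        Action = [
          "elasticloadbalancing:ModifyLoadBalancerAttributes",
          "elasticloadbalancing:SetIpAddressType",
          "elasticloadbalancing:SetSecurityGroups",
          "elasticloadbalancing:SetSubnets",
          "elasticloadbalancing:DeleteLoadBalancer",
          "elasticloadbalancing:ModifyTargetGroup",
          "elasticloadbalancing:ModifyTargetGroupAttributes",
          "elasticloadbalancing:DeleteTargetGroup"
        ]
        Resource = "*"
        Condition = {
          Null = {
            "aws:ResourceTag/elbv2.k8s.aws/cluster" = "false"
          }
        }
      },
      # Target registration on any target group (ARN-scoped, not tag-scoped).
      {
        Effect = "Allow"
        Action = [
          "elasticloadbalancing:RegisterTargets",
          "elasticloadbalancing:DeregisterTargets"
        ]
        Resource = "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
      },
      # Listener / rule / certificate / web ACL changes — not tag-scoped, so
      # these apply to every listener in the account.
      {
        Effect = "Allow"
        Action = [
          "elasticloadbalancing:SetWebAcl",
          "elasticloadbalancing:ModifyListener",
          "elasticloadbalancing:AddListenerCertificates",
          "elasticloadbalancing:RemoveListenerCertificates",
          "elasticloadbalancing:ModifyRule"
        ]
        Resource = "*"
      }
    ]
  })
}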
# IAM role assumed (via IRSA / AssumeRoleWithWebIdentity) by the controller's
# Kubernetes service account; the policy above is attached to it below.
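resource "aws_iam_role" "aws_load_balancer_role" {
  # IAM role names are unique per account, so the fixed
  # "AmazonEKSLoadBalancerControllerRole" name from the AWS walkthrough
  # collides as soon as a second cluster (another env of this project) is
  # created in the same account. Keep the combined name under IAM's
  # 64-character role-name limit.
  name = "${var.project}-${var.env}-aws-load-balancer-controller"

  # Trust policy: only the cluster's own OIDC provider may assume this role,
  # and only for the single service account the controller runs as. Both
  # conditions matter — without `:sub` any pod in the cluster with a
  # projected token could assume the role; without `:aud` a token minted for
  # another audience would be accepted. The namespace/name pair must stay in
  # sync with the helm_release's `namespace` and `serviceAccount.name`.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          Federated = data.aws_iam_openid_connect_provider.cluster.arn
        }
        Action = "sts:AssumeRoleWithWebIdentity"
        Condition = {
          StringEquals = {
            # Condition keys are "<issuer host/path>:aud|sub", i.e. the issuer
            # URL with the scheme stripped.
            "${replace(data.aws_eks_cluster.cluster.identity[0].oidc[0].issuer, "https://", "")}:aud" = "sts.amazonaws.com"
            "${replace(data.aws_eks_cluster.cluster.identity[0].oidc[0].issuer, "https://", "")}:sub" = "system:serviceaccount:kube-system:aws-load-balancer-controller"
          }
        }
      }
    ]
  })
}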
# Bind the controller's permissions policy to the IRSA role above.
resource "aws_iam_role_policy_attachment" "aws_load_balancer_controller" {
  policy_arn = aws_iam_policy.aws_load_balancer_policy.arn
  role       = aws_iam_role.aws_load_balancer_role.name
}
resource "helm_release" "aws_load_balancer_controller" { | |
repository = "https://aws.github.io/eks-charts" | |
name = "aws-load-balancer-controller" | |
chart = "aws-load-balancer-controller" | |
namespace = "kube-system" | |
set { | |
name = "clusterName" | |
value = "${var.project}-${var.env}" | |
} | |
set { | |
name = "serviceAccount.name" | |
value = "aws-load-balancer-controller" | |
} | |
set { | |
name = "serviceAccount.create" | |
value = "true" | |
} | |
set { | |
name = "serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn" | |
value = aws_iam_role.aws_load_balancer_role.arn | |
} | |
# version = var.aws_load_balancer_controller_version | |
timeout = 600 |
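# Kong Gateway Helm values, rendered through Terraform's templatefile()
# (the ${...} placeholders are substituted before Helm sees the file).

#enterprise:
#  enabled: true
#  # Kong Enterprise license secret name
#  # This secret must contain a single 'license' key, containing your base64-encoded license data
#  license_secret: bobbins

image:
  # Kong Enterprise
  repository: kong/kong-gateway
  # Quoted on purpose: an unquoted version such as 3.10 is read by YAML as the
  # float 3.1 and the wrong image tag is pulled.
  tag: "${kong_version}"

env:
  # Suppress Kong's Server/Via response headers (reduces version fingerprinting).
  headers: "off"
  # NOTE(review): trusting every address means any peer that can reach the
  # proxy ports directly (bypassing the NLB, e.g. from inside the cluster) can
  # send a forged PROXY-protocol line and forward its own X-Forwarded-*
  # headers, so IP-based plugins and upstream services see an attacker-chosen
  # client address. Narrow this to the NLB / VPC subnet CIDRs once known.
  trusted_ips: "0.0.0.0/0,::/0"
  # Client IP is taken from the PROXY protocol header sent by the NLB (see the
  # aws-load-balancer-proxy-protocol annotation below), not from HTTP headers.
  real_ip_header: "proxy_protocol"
  # Both listeners expect PROXY protocol; plain connections to them will fail.
  proxy_listen: "0.0.0.0:8000 proxy_protocol, 0.0.0.0:8443 ssl proxy_protocol"
  real_ip_recursive: "on"

# explicitly naming the service account to stop issues with upgrades.
deployment:
  serviceAccount:
    create: true
    name: ${kong_service_account}

podAnnotations:
  prometheus.io/scrape: "true" # Ask Prometheus to scrape the
  prometheus.io/port: "8100"   # Kong pods for metrics

autoscaling:
  enabled: true
  minReplicas: ${kong_min_replicas}
  maxReplicas: ${kong_max_replicas}
  # targetCPUUtilizationPercentage only used if the cluster doesn't support autoscaling/v2beta
  targetCPUUtilizationPercentage:
  # Otherwise for clusters that do support autoscaling/v2beta, use metrics
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 80

proxy:
  enabled: true
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
    service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
    service.beta.kubernetes.io/aws-load-balancer-type: "external"
    # Quoted: ARNs contain colons, keep them out of YAML's plain-scalar parsing.
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "${cert_arn}"
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
    service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: "ELBSecurityPolicy-TLS13-1-2-Ext1-2021-06"
    service.beta.kubernetes.io/aws-load-balancer-subnets: "${public_subnets}"
  tls:
    enabled: true
    servicePort: 443
    # TLS is terminated on the NLB (ssl-cert / ssl-ports above) and the
    # service forwards 443 to the plaintext proxy_protocol listener on 8000,
    # so the NLB -> pod hop inside the VPC is unencrypted.
    overrideServiceTargetPort: 8000
    containerPort: 8443
    parameters:
      - proxy_protocol

ingressController: # enable Kong as an Ingress controller
  ingressClass: kong-public
  # enabled: true
  # installCRDs: true
  resources:
    limits:
      cpu: 100m
    requests:
      cpu: 50m

# Resources for the Kong proxy container itself.
resources:
  limits:
    cpu: 500m
    memory: 512Mi
  requests:
    cpu: 250m
    memory: 256Mi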