Skip to content

Commit

Permalink
Adding IRSA for load balancer controller
Browse files Browse the repository at this point in the history
  • Loading branch information
@caiocsgomes
caiocsgomes committed Jun 12, 2024
1 parent e6546dc commit 62801e5
Show file tree
Hide file tree
Showing 2 changed files with 269 additions and 2 deletions.
4 changes: 2 additions & 2 deletions terraform/environments/prod/eks.tf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -49,7 +49,7 @@ module "eks" {
single = {
policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
access_scope = {
type = "cluster"
type = "cluster"
}
}
}
Expand Down Expand Up @@ -110,7 +110,7 @@ module "vpc" {
cidr = local.vpc_cidr

azs = local.azs
private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 4, k)] ## 10.0.0.0/20, 10.0.16.0/20, 10.0.32.0/20
private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 4, k)] ## 10.0.0.0/20, 10.0.16.0/20, 10.0.32.0/20
public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 48)] ## 10.0.48.0/24, 10.0.49.0/24, 10.0.50.0/24
intra_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 52)] ## Subnet with no routing to the internet

Expand Down
267 changes: 267 additions & 0 deletions terraform/environments/prod/iam.tf
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,267 @@
resource "aws_iam_policy" "load_balancer_controller_iam_policy" {
name = "AWSLoadBalancerControllerIAMPolicy"
path = "/"
description = "IAM policy for the AWS Load Balancer Controller"

policy = jsonencode(
{
"Version" : "2012-10-17",
"Statement" : [
{
"Effect" : "Allow",
"Action" : [
"iam:CreateServiceLinkedRole"
],
"Resource" : "*",
"Condition" : {
"StringEquals" : {
"iam:AWSServiceName" : "elasticloadbalancing.amazonaws.com"
}
}
},
{
"Effect" : "Allow",
"Action" : [
"ec2:DescribeAccountAttributes",
"ec2:DescribeAddresses",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeInternetGateways",
"ec2:DescribeVpcs",
"ec2:DescribeVpcPeeringConnections",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"ec2:DescribeInstances",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeTags",
"ec2:GetCoipPoolUsage",
"ec2:DescribeCoipPools",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeListenerCertificates",
"elasticloadbalancing:DescribeSSLPolicies",
"elasticloadbalancing:DescribeRules",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetGroupAttributes",
"elasticloadbalancing:DescribeTargetHealth",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeTrustStores"
],
"Resource" : "*"
},
{
"Effect" : "Allow",
"Action" : [
"cognito-idp:DescribeUserPoolClient",
"acm:ListCertificates",
"acm:DescribeCertificate",
"iam:ListServerCertificates",
"iam:GetServerCertificate",
"waf-regional:GetWebACL",
"waf-regional:GetWebACLForResource",
"waf-regional:AssociateWebACL",
"waf-regional:DisassociateWebACL",
"wafv2:GetWebACL",
"wafv2:GetWebACLForResource",
"wafv2:AssociateWebACL",
"wafv2:DisassociateWebACL",
"shield:GetSubscriptionState",
"shield:DescribeProtection",
"shield:CreateProtection",
"shield:DeleteProtection"
],
"Resource" : "*"
},
{
"Effect" : "Allow",
"Action" : [
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupIngress"
],
"Resource" : "*"
},
{
"Effect" : "Allow",
"Action" : [
"ec2:CreateSecurityGroup"
],
"Resource" : "*"
},
{
"Effect" : "Allow",
"Action" : [
"ec2:CreateTags"
],
"Resource" : "arn:aws:ec2:*:*:security-group/*",
"Condition" : {
"StringEquals" : {
"ec2:CreateAction" : "CreateSecurityGroup"
},
"Null" : {
"aws:RequestTag/elbv2.k8s.aws/cluster" : "false"
}
}
},
{
"Effect" : "Allow",
"Action" : [
"ec2:CreateTags",
"ec2:DeleteTags"
],
"Resource" : "arn:aws:ec2:*:*:security-group/*",
"Condition" : {
"Null" : {
"aws:RequestTag/elbv2.k8s.aws/cluster" : "true",
"aws:ResourceTag/elbv2.k8s.aws/cluster" : "false"
}
}
},
{
"Effect" : "Allow",
"Action" : [
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupIngress",
"ec2:DeleteSecurityGroup"
],
"Resource" : "*",
"Condition" : {
"Null" : {
"aws:ResourceTag/elbv2.k8s.aws/cluster" : "false"
}
}
},
{
"Effect" : "Allow",
"Action" : [
"elasticloadbalancing:CreateLoadBalancer",
"elasticloadbalancing:CreateTargetGroup"
],
"Resource" : "*",
"Condition" : {
"Null" : {
"aws:RequestTag/elbv2.k8s.aws/cluster" : "false"
}
}
},
{
"Effect" : "Allow",
"Action" : [
"elasticloadbalancing:CreateListener",
"elasticloadbalancing:DeleteListener",
"elasticloadbalancing:CreateRule",
"elasticloadbalancing:DeleteRule"
],
"Resource" : "*"
},
{
"Effect" : "Allow",
"Action" : [
"elasticloadbalancing:AddTags",
"elasticloadbalancing:RemoveTags"
],
"Resource" : [
"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
"arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
"arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
],
"Condition" : {
"Null" : {
"aws:RequestTag/elbv2.k8s.aws/cluster" : "true",
"aws:ResourceTag/elbv2.k8s.aws/cluster" : "false"
}
}
},
{
"Effect" : "Allow",
"Action" : [
"elasticloadbalancing:AddTags",
"elasticloadbalancing:RemoveTags"
],
"Resource" : [
"arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*",
"arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*",
"arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
"arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
]
},
{
"Effect" : "Allow",
"Action" : [
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"elasticloadbalancing:SetIpAddressType",
"elasticloadbalancing:SetSecurityGroups",
"elasticloadbalancing:SetSubnets",
"elasticloadbalancing:DeleteLoadBalancer",
"elasticloadbalancing:ModifyTargetGroup",
"elasticloadbalancing:ModifyTargetGroupAttributes",
"elasticloadbalancing:DeleteTargetGroup"
],
"Resource" : "*",
"Condition" : {
"Null" : {
"aws:ResourceTag/elbv2.k8s.aws/cluster" : "false"
}
}
},
{
"Effect" : "Allow",
"Action" : [
"elasticloadbalancing:AddTags"
],
"Resource" : [
"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
"arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
"arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
],
"Condition" : {
"StringEquals" : {
"elasticloadbalancing:CreateAction" : [
"CreateTargetGroup",
"CreateLoadBalancer"
]
},
"Null" : {
"aws:RequestTag/elbv2.k8s.aws/cluster" : "false"
}
}
},
{
"Effect" : "Allow",
"Action" : [
"elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:DeregisterTargets"
],
"Resource" : "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
},
{
"Effect" : "Allow",
"Action" : [
"elasticloadbalancing:SetWebAcl",
"elasticloadbalancing:ModifyListener",
"elasticloadbalancing:AddListenerCertificates",
"elasticloadbalancing:RemoveListenerCertificates",
"elasticloadbalancing:ModifyRule"
],
"Resource" : "*"
}
]
}
)
}

module "iam_eks_role" {
source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
role_name = "aws-load-balancer-controller"

role_policy_arns = {
policy = aws_iam_policy.load_balancer_controller_iam_policy.arn
}

oidc_providers = {
one = {
provider_arn = module.eks.oidc_provider_arn
namespace_service_accounts = ["kube-system"]
}
}
}

0 comments on commit 62801e5

Please sign in to comment.