Merge pull request #26 from andrewlod/terraform

Functional AWS EKS Terraform architecture

kubernetes/aws/alb-ingress-controller-yml → kubernetes/aws/alb-ingress-controller.yml

@@ -21,5 +21,5 @@ spec:
         - --cluster-name=$CLUSTER_NAME
         - --aws-vpc-id=$VPC_ID
         - --aws-region=$AWS_REGION
-        image: docker.io/amazon/aws-alb-ingress-controller:v1.1.6
+        image: public.ecr.aws/eks/aws-alb-ingress-controller:v2.4.7
       serviceAccountName: alb-ingress-controller

kubernetes/aws/eks-service-account.yml

@@ -1,5 +1,7 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: my-service-account
-  namespace: default
+  name: alb-ingress-controller
+  namespace: kube-system
+  annotations:
+    eks.amazonaws.com/role-arn: $ALB_ROLE_ARN

kubernetes/aws/ingress.yml

@@ -1,17 +1,22 @@
-apiVersion: extensions/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   annotations:
     alb.ingress.kubernetes.io/scheme: internet-facing
+    alb.ingress.kubernetes.io/target-type: ip
     kubernetes.io/ingress.class: alb
   name: authentication-api-ingress
   labels:
     app: authentication-api-ingress
 spec:
+  ingressClassName: alb
   rules:
   - http:
       paths:
-      - backend:
-          serviceName: authentication-api-service
-          servicePort: 80
-        path: /*
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: authentication-api-service
+            port:
+              number: 80

kubernetes/aws/service.yml

@@ -4,7 +4,7 @@ metadata:
   name: authentication-api-service
   namespace: default
 spec:
-  type: LoadBalancer
+  type: ClusterIP
   selector:
     app: authentication-api
   ports:

package.json

@@ -1,6 +1,6 @@
 {
   "name": "authentication-api",
-  "version": "1.1.1",
+  "version": "1.2.0",
   "description": "Authentication REST API created with TypeScript",
   "main": "src/server.ts",
   "scripts": {

terraform/README.md

@@ -0,0 +1,14 @@
+# Terraform deployment for Authentication API
+
+Script order:
+
+```sh
+export AWS_REGION=<AWS_REGION>
+aws eks update-kubeconfig --region $AWS_REGION --name authentication-cluster-test
+
+# After fargate profile has been created
+kubectl rollout restart deployment coredns -n kube-system
+
+kubectl apply -f kubernetes/aws/ingress.yml
+```
+

terraform/iam_roles/alb_ingress_controller_role.json → terraform/iam_policies/alb_ingress_controller_policy.json

@@ -17,6 +17,7 @@
         "ec2:CreateSecurityGroup",
         "ec2:CreateTags",
         "ec2:DeleteTags",
+        "ec2:DescribeAvailabilityZones",
         "ec2:DeleteSecurityGroup",
         "ec2:DescribeAccountAttributes",
         "ec2:DescribeAddresses",

terraform/main.tf

@@ -45,6 +45,8 @@ resource "aws_subnet" "public_subnets" {
     "Project"       = "authentication-app"
     "ManagedBy"     = "terraform"
     "Organization"  = "andrewlod"
+    "kubernetes.io/role/elb": 1
+    "kubernetes.io/cluster/authentication-cluster-${var.infra_env}" = "shared"
   }
 }
 
@@ -171,7 +173,7 @@ resource "aws_subnet" "private_subnets" {
     "ManagedBy"     = "terraform"
     "Organization"  = "andrewlod"
     "kubernetes.io/role/internal-elb"                               = "1"
-    "kubernetes.io/cluster/authentication-cluster-${var.infra_env}" = "owned"
+    "kubernetes.io/cluster/authentication-cluster-${var.infra_env}" = "shared"
   }
 }
 
@@ -315,16 +317,6 @@ resource "aws_iam_role_policy_attachment" "eks_fargate_execution_attachment" {
   role       = aws_iam_role.eks_fargate_execution_role.name
 }
 
-resource "aws_iam_policy" "eks_alb_ingress_controller_policy" {
-  name = "eks-alb-ingress-controller-policy"
-  policy = file("iam_roles/alb_ingress_controller_role.json")
-}
-
-resource "aws_iam_role_policy_attachment" "eks_alb_ingress_controller_policy_attachment" {
-  policy_arn = aws_iam_policy.eks_alb_ingress_controller_policy.arn
-  role       = aws_iam_role.eks_fargate_execution_role.name
-}
-
 resource "aws_iam_role" "eks_cluster_role" {
   name               = "eks-cluster-role"
   assume_role_policy = jsonencode({
@@ -401,4 +393,124 @@ resource "aws_eks_fargate_profile" "auth_cluster_fargate_profile" {
   selector {
     namespace = "kube-node-lease"
   }
+}
+
+## Helm
+provider "helm" {
+  kubernetes {
+    host                   = aws_eks_cluster.authentication_cluster.endpoint
+    cluster_ca_certificate = base64decode(aws_eks_cluster.authentication_cluster.certificate_authority[0].data)
+    exec {
+      api_version = "client.authentication.k8s.io/v1beta1"
+      args        = ["eks", "get-token", "--cluster-name", aws_eks_cluster.authentication_cluster.id]
+      command     = "aws"
+    }
+  }
+}
+
+resource "helm_release" "metrics-server" {
+  name = "metrics-server"
+
+  repository = "https://kubernetes-sigs.github.io/metrics-server/"
+  chart      = "metrics-server"
+  namespace  = "kube-system"
+  version    = "3.8.2"
+
+  set {
+    name  = "metrics.enabled"
+    value = false
+  }
+
+  depends_on = [aws_eks_fargate_profile.auth_cluster_fargate_profile]
+}
+
+## EKS IAM
+data "tls_certificate" "eks_certificate" {
+  url = aws_eks_cluster.authentication_cluster.identity[0].oidc[0].issuer
+}
+
+resource "aws_iam_openid_connect_provider" "eks_oidc_connector" {
+  client_id_list  = ["sts.amazonaws.com"]
+  thumbprint_list = [data.tls_certificate.eks_certificate.certificates[0].sha1_fingerprint]
+  url             = aws_eks_cluster.authentication_cluster.identity[0].oidc[0].issuer
+}
+
+data "aws_iam_policy_document" "aws_load_balancer_controller_assume_role_policy" {
+  statement {
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+    effect  = "Allow"
+
+    condition {
+      test     = "StringEquals"
+      variable = "${replace(aws_iam_openid_connect_provider.eks_oidc_connector.url, "https://", "")}:sub"
+      values   = ["system:serviceaccount:kube-system:alb-ingress-controller"]
+    }
+
+    principals {
+      identifiers = [aws_iam_openid_connect_provider.eks_oidc_connector.arn]
+      type        = "Federated"
+    }
+  }
+}
+
+resource "aws_iam_role" "eks_alb_ingress_controller_role" {
+  name = "eks-alb-ingress-controller-role"
+  assume_role_policy = data.aws_iam_policy_document.aws_load_balancer_controller_assume_role_policy.json
+}
+
+resource "aws_iam_policy" "eks_alb_ingress_controller_policy" {
+  name = "eks-alb-ingress-controller-policy"
+  policy = file("iam_policies/alb_ingress_controller_policy.json")
+}
+
+resource "aws_iam_role_policy_attachment" "eks_alb_ingress_controller_policy_attachment" {
+  policy_arn = aws_iam_policy.eks_alb_ingress_controller_policy.arn
+  role       = aws_iam_role.eks_alb_ingress_controller_role.name
+}
+
+resource "helm_release" "aws_load_balancer_ingress_controller" {
+  name = "aws-load-balancer-ingress-controller"
+
+  repository = "https://aws.github.io/eks-charts"
+  chart      = "aws-load-balancer-controller"
+  namespace  = "kube-system"
+  version    = "1.4.1"
+
+  set {
+    name  = "clusterName"
+    value = aws_eks_cluster.authentication_cluster.id
+  }
+
+  set {
+    name  = "image.tag"
+    value = "v2.4.2"
+  }
+
+  set {
+    name  = "replicaCount"
+    value = 1
+  }
+
+  set {
+    name  = "serviceAccount.name"
+    value = "alb-ingress-controller"
+  }
+
+  set {
+    name  = "serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"
+    value = aws_iam_role.eks_alb_ingress_controller_role.arn
+  }
+
+  # EKS Fargate specific
+  set {
+    name  = "region"
+    value = var.aws_region
+  }
+
+  set {
+    name  = "vpcId"
+    value = aws_vpc.main_vpc.id
+  }
+
+  depends_on = [aws_eks_fargate_profile.auth_cluster_fargate_profile]
 }