From b971c40b03ae99f393b4fbb2e29ad9d6d08084e2 Mon Sep 17 00:00:00 2001
From: Andre Wlodkovski
Date: Fri, 5 Apr 2024 18:23:05 -0300
Subject: [PATCH] Add ALB Ingress Controller resources
---
 kubernetes/aws/eks-service-account.yml | 5 +
 .../alb_ingress_controller_role.json | 140 ++++++++++++++++++
 terraform/main.tf | 10 ++
 3 files changed, 155 insertions(+)
 create mode 100644 kubernetes/aws/eks-service-account.yml
 create mode 100644 terraform/iam_roles/alb_ingress_controller_role.json
diff --git a/kubernetes/aws/eks-service-account.yml b/kubernetes/aws/eks-service-account.yml
new file mode 100644
index 0000000..6c12a62
--- /dev/null
+++ b/kubernetes/aws/eks-service-account.yml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: my-service-account
+ namespace: default
\ No newline at end of file
diff --git a/terraform/iam_roles/alb_ingress_controller_role.json b/terraform/iam_roles/alb_ingress_controller_role.json
new file mode 100644
index 0000000..b1d2d2b
--- /dev/null
+++ b/terraform/iam_roles/alb_ingress_controller_role.json
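Review bot: The ServiceAccount carries no `eks.amazonaws.com/role-arn` annotation, so nothing binds it to the IAM policy this commit creates, and the name `my-service-account` in namespace `default` does not identify it as the ingress controller's identity. If the controller is meant to obtain AWS credentials through IRSA, the annotation is what makes the pod assume the role: add `annotations:` / `eks.amazonaws.com/role-arn: arn:aws:iam::<ACCOUNT_ID>:role/<ALB_CONTROLLER_ROLE>` (placeholders) under `metadata`, and the role's trust policy must name this exact namespace/name pair. A descriptive name such as `alb-ingress-controller`, in the namespace the controller is actually deployed to, would make that pairing auditable. The file is also committed without a trailing newline.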
@@ -0,0 +1,140 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "acm:DescribeCertificate",
+ "acm:ListCertificates",
+ "acm:GetCertificate"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:CreateSecurityGroup",
+ "ec2:CreateTags",
+ "ec2:DeleteTags",
+ "ec2:DeleteSecurityGroup",
+ "ec2:DescribeAccountAttributes",
+ "ec2:DescribeAddresses",
+ "ec2:DescribeInstances",
+ "ec2:DescribeInstanceStatus",
+ "ec2:DescribeInternetGateways",
+ "ec2:DescribeNetworkInterfaces",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeSubnets",
+ "ec2:DescribeTags",
+ "ec2:DescribeVpcs",
+ "ec2:ModifyInstanceAttribute",
+ "ec2:ModifyNetworkInterfaceAttribute",
+ "ec2:RevokeSecurityGroupIngress"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "elasticloadbalancing:AddListenerCertificates",
+ "elasticloadbalancing:AddTags",
+ "elasticloadbalancing:CreateListener",
+ "elasticloadbalancing:CreateLoadBalancer",
+ "elasticloadbalancing:CreateRule",
+ "elasticloadbalancing:CreateTargetGroup",
+ "elasticloadbalancing:DeleteListener",
+ "elasticloadbalancing:DeleteLoadBalancer",
+ "elasticloadbalancing:DeleteRule",
+ "elasticloadbalancing:DeleteTargetGroup",
+ "elasticloadbalancing:DeregisterTargets",
+ "elasticloadbalancing:DescribeListenerCertificates",
+ "elasticloadbalancing:DescribeListeners",
+ "elasticloadbalancing:DescribeLoadBalancers",
+ "elasticloadbalancing:DescribeLoadBalancerAttributes",
+ "elasticloadbalancing:DescribeRules",
+ "elasticloadbalancing:DescribeSSLPolicies",
+ "elasticloadbalancing:DescribeTags",
+ "elasticloadbalancing:DescribeTargetGroups",
+ "elasticloadbalancing:DescribeTargetGroupAttributes",
+ "elasticloadbalancing:DescribeTargetHealth",
+ "elasticloadbalancing:ModifyListener",
+ "elasticloadbalancing:ModifyLoadBalancerAttributes",
+ "elasticloadbalancing:ModifyRule",
+ "elasticloadbalancing:ModifyTargetGroup",
+ "elasticloadbalancing:ModifyTargetGroupAttributes",
+ "elasticloadbalancing:RegisterTargets",
+ "elasticloadbalancing:RemoveListenerCertificates",
+ "elasticloadbalancing:RemoveTags",
+ "elasticloadbalancing:SetIpAddressType",
+ "elasticloadbalancing:SetSecurityGroups",
+ "elasticloadbalancing:SetSubnets",
+ "elasticloadbalancing:SetWebAcl"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "iam:CreateServiceLinkedRole",
+ "iam:GetServerCertificate",
+ "iam:ListServerCertificates"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "cognito-idp:DescribeUserPoolClient"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "waf-regional:GetWebACLForResource",
+ "waf-regional:GetWebACL",
+ "waf-regional:AssociateWebACL",
+ "waf-regional:DisassociateWebACL"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "tag:GetResources",
+ "tag:TagResources"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "waf:GetWebACL"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "wafv2:GetWebACL",
+ "wafv2:GetWebACLForResource",
+ "wafv2:AssociateWebACL",
+ "wafv2:DisassociateWebACL"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "shield:DescribeProtection",
+ "shield:GetSubscriptionState",
+ "shield:DeleteProtection",
+ "shield:CreateProtection",
+ "shield:DescribeSubscription",
+ "shield:ListProtections"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/terraform/main.tf b/terraform/main.tf
index 030a186..77ae024 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
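Review bot: Every statement grants `"Resource": "*"`, which is unavoidable for the Describe/Get/List actions but here also covers the mutating ones — `ec2:CreateSecurityGroup`, `ec2:DeleteSecurityGroup`, `ec2:AuthorizeSecurityGroupIngress`, `ec2:RevokeSecurityGroupIngress`, `ec2:ModifyInstanceAttribute`, `ec2:ModifyNetworkInterfaceAttribute`, the elasticloadbalancing Create/Delete/Modify/Set actions and `shield:DeleteProtection` — so whichever principal holds this policy can alter or delete any security group, load balancer or Shield protection in the account, not only the ones the controller created. The upstream policy for the current AWS Load Balancer Controller (the successor of the ALB ingress controller this action list corresponds to) scopes those statements with conditions on the tag the controller writes itself, `aws:ResourceTag/elbv2.k8s.aws/cluster` under the `Null` operator for mutate/delete and `aws:RequestTag/...` for create; the same split fits here, with the tag key matched to what the deployed controller version actually applies. Adding a `Sid` to each statement (`"Sid": "EC2SecurityGroups"`) would also make CloudTrail entries and policy diffs easier to read. The shape for the security-group statement is below; the elasticloadbalancing statement splits the same way into a create group and a mutate/delete group.
```json
{
  "Sid": "EC2SecurityGroupMutation",
  "Effect": "Allow",
  "Action": [
    "ec2:AuthorizeSecurityGroupIngress",
    "ec2:RevokeSecurityGroupIngress",
    "ec2:DeleteSecurityGroup"
  ],
  "Resource": "*",
  "Condition": {
    "Null": {
      "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
    }
  }
}
```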
@@ -315,6 +315,16 @@ resource "aws_iam_role_policy_attachment" "eks_fargate_execution_attachment" {
 role = aws_iam_role.eks_fargate_execution_role.name
 }
 
+resource "aws_iam_policy" "eks_alb_ingress_controller_policy" {
+ name = "eks-alb-ingress-controller-policy"
+ policy = file("iam_roles/alb_ingress_controller_role.json")
+}
+
+resource "aws_iam_role_policy_attachment" "eks_alb_ingress_controller_policy_attachment" {
+ policy_arn = aws_iam_policy.eks_alb_ingress_controller_policy.arn
+ role = aws_iam_role.eks_fargate_execution_role.name
+}
+
 resource "aws_iam_role" "eks_cluster_role" {
 name = "eks-cluster-role"
 assume_role_policy = jsonencode({
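Review bot: The new attachment binds the ALB policy to `aws_iam_role.eks_fargate_execution_role`, the Fargate pod execution role, which as I read the Fargate model is assumed by the Fargate infrastructure on the pod's behalf (image pull, log shipping) rather than by the controller container, so the controller does not actually receive these permissions while every Fargate pod in the cluster gets an execution role that can create and delete load balancers and security groups. The controller should receive the policy through a dedicated IRSA role whose trust policy federates the cluster's OIDC provider and restricts `sub` to the ServiceAccount added in kubernetes/aws/eks-service-account.yml, with the attachment's `role` pointing at that role; the sketch below uses placeholders for the provider ARN and issuer URL, which would come from the `aws_iam_openid_connect_provider` and cluster resources elsewhere in main.tf. Separately, `file("iam_roles/alb_ingress_controller_role.json")` resolves relative to the working directory rather than the module, so `file("${path.module}/iam_roles/alb_ingress_controller_role.json")` is the robust form.
```hcl
# … unchanged: aws_iam_policy.eks_alb_ingress_controller_policy …

# IRSA role for the controller; the ServiceAccount's role-arn annotation points here.
resource "aws_iam_role" "eks_alb_ingress_controller_role" {
  name = "eks-alb-ingress-controller-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRoleWithWebIdentity"
      Principal = { Federated = "<OIDC_PROVIDER_ARN>" } # placeholder: the cluster's IAM OIDC provider ARN
      Condition = {
        StringEquals = {
          "<OIDC_PROVIDER_URL>:sub" = "system:serviceaccount:default:my-service-account" # placeholder: issuer URL without https://
          "<OIDC_PROVIDER_URL>:aud" = "sts.amazonaws.com"
        }
      }
    }]
  })
}

resource "aws_iam_role_policy_attachment" "eks_alb_ingress_controller_policy_attachment" {
  policy_arn = aws_iam_policy.eks_alb_ingress_controller_policy.arn
  role       = aws_iam_role.eks_alb_ingress_controller_role.name
}
```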