init commit

eks-alb-clusterrolebinding.tf

+resource "kubernetes_cluster_role" "aws_alb_cluster_role" {
+  metadata {
+    name = "aws-alb-svc-acc"
+  }
+
+  rule {
+    api_groups     = ["rbac.authorization.k8s.io/v1beta1", "rbac.authorization.k8s.io", "extensions"]
+    resources      = ["configmaps", "namespaces", "pods", "services", "nodes", "ingresses", "secrets"]
+    resource_names = [""]
+    verbs          = ["get", "list", "watch", "create", "patch", "delete"]
+  }
+}
+
+resource "kubernetes_cluster_role_binding" "aws_alb_cluster_role_bind" {
+  metadata {
+    name = "aws-alb-svc-acc"
+  }
+
+  role_ref {
+    api_group = "rbac.authorization.k8s.io"
+    kind      = "ClusterRole"
+    name      = "cluster-admin"
+  }
+
+  subject {
+    kind      = "ServiceAccount"
+    name      = "aws-alb-svc-acc"
+    namespace = "kube-system"
+    api_group = ""
+  }
+
+  subject {
+    kind      = "Group"
+    name      = "system:serviceaccount"
+    api_group = "rbac.authorization.k8s.io"
+  }
+}

eks-alb-ingress.tf

-resource "kubernetes_service" "alb_ingress_service" {
+resource "kubernetes_deployment" "aws_alb_ingress_deployment" {
   metadata {
-    name = "alb-ingress-service"
+    name      = "alb-ingress-controller"
+    namespace = "kube-system"
   }
 
   spec {
-    selector {
-      app = "${kubernetes_pod.alb-ingress-pod.metadata.0.labels.app}"
-    }   
+    replicas = 1
 
-    port {
-      port        = 80
-      target_port = 8080
+    selector {
+      match_labels {
+        name = "aws-alb-ingress-controller"
       }
-
-    type = "ExternalName"
     }
-}
 
-resource "kubernetes_pod" "alb-ingress-pod" {
+    template {
       metadata {
-    name = "alb-ingress-pod"
+        name = "aws-alb-ingress-controller"
+
+        annotations {
+          "iam.amazonaws.com/role" = "eks-alb-ingress-controller"
+        }
 
         labels {
-      app = "${var.customer}-alb-ingress"
+          name = "aws-alb-ingress-controller"
         }
       }
 
       spec {
+        service_account_name             = "aws-alb-svc-acc"
+        termination_grace_period_seconds = 60
+
+        volume {
+          name = "${kubernetes_service_account.aws_alb_service_account.default_secret_name}"
+
+          secret {
+            secret_name = "${kubernetes_service_account.aws_alb_service_account.default_secret_name}"
+          }
+        }
+
         container {
-      image = "amazon/aws-alb-ingress-controller"
+          image             = "amazon/aws-alb-ingress-controller:v1.1.1"
           name              = "aws-alb-ingress-container"
+          image_pull_policy = "IfNotPresent"
+          args              = ["--cluster-name=${var.cluster_name}"]
+
+          volume_mount {
+            mount_path = "/var/run/secrets/kubernetes.io/serviceaccount"
+            name       = "${kubernetes_service_account.aws_alb_service_account.default_secret_name}"
+            read_only  = true
+          }
 
+          port {
+            name           = "health"
+            container_port = 10254
+            protocol       = "TCP"
+          }
+        }
+      }
     }
   }
 }
-

eks-alb-serviceaccount.tf

+resource "kubernetes_service_account" "aws_alb_service_account" {
+  metadata {
+    name      = "aws-alb-svc-acc"
+    namespace = "kube-system"
+  }
+}

iam.tf

+data "aws_iam_policy_document" "ec2_assume" {
+  statement {
+    actions = [
+      "sts:AssumeRole",
+    ]
+
+    principals {
+      type        = "Service"
+      identifiers = ["ec2.amazonaws.com"]
+    }
+  }
+
+  statement {
+    actions = [
+      "sts:AssumeRole",
+    ]
+
+    principals {
+      type        = "AWS"
+      identifiers = ["${var.worker_iam_role_arn}"]
+    }
+  }
+}
+
+# TODO: Convert JSON into datasource
+data "aws_iam_policy_document" "ingress" {
+  statement {
+    actions = [
+      "acm:DescribeCertificate",
+      "acm:ListCertificates",
+      "acm:GetCertificate",
+    ]
+
+    resources = ["*"]
+
+    actions = [
+      "ec2:AuthorizeSecurityGroupIngress",
+      "ec2:CreateSecurityGroup",
+      "ec2:CreateTags",
+      "ec2:DeleteSecurityGroup",
+      "ec2:DescribeInstances",
+      "ec2:DescribeInstanceStatus",
+      "ec2:DescribeSecurityGroups",
+      "ec2:DescribeSubnets",
+      "ec2:DescribeTags",
+      "ec2:DescribeVpcs",
+      "ec2:ModifyInstanceAttribute",
+      "ec2:RevokeSecurityGroupIngress",
+    ]
+
+    resources = ["*"]
+
+    actions = [
+      "iam:GetServerCertificate",
+      "iam:ListServerCertificates",
+    ]
+
+    actions = [
+      "waf-regional:GetWebACLForResource",
+      "waf-regional:GetWebACL",
+      "waf-regional:AssociateWebACL",
+      "waf-regional:DisassociateWebACL",
+    ]
+
+    actions = [
+      "waf:GetWebACL",
+    ]
+
+    resources = ["*"]
+  }
+}
+
+resource "aws_iam_policy" "this" {
+  policy = "${data.aws_iam_policy_document.ingress.json}"
+}
+
+resource "aws_iam_role" "this" {
+  name               = "eks-alb-ingress-controller"
+  assume_role_policy = "${data.aws_iam_policy_document.ec2_assume.json}"
+}
+
+resource "aws_iam_role_policy_attachment" "this" {
+  role       = "${aws_iam_role.this.name}"
+  policy_arn = "${aws_iam_policy.this.arn}"
+}

variables.tf

-variable "customer" {
-  default = "Cronofy"
-}
+variable "worker_iam_role_arn" {}
+variable "cluster_name" {}
\ No newline at end of file