added a service account and refactored container args for cluster autoscaler

e04ba683 · Danny · 8d77d420 · e04ba683 · e04ba683 · e04ba683
Commit e04ba683 authored Mar 05, 2019 by Danny
Hide whitespace changes
Inline Side-by-side

Showing with 53 additions and 1 deletion

eks-cluster-autoscaler.tf eks-cluster-autoscaler.tf +1 -1

iam.tf iam.tf +50 -0

variables.tf variables.tf +2 -0

No files found.
--- a/eks-cluster-autoscaler.tf
+++ b/eks-cluster-autoscaler.tf
@@ -43,7 +43,7 @@ resource "kubernetes_deployment" "aws_cluster_autoscaler_deployment" {
          image             = "k8s.gcr.io/cluster-autoscaler:v1.13.1"
          name              = "cluster-autoscaler-container"
          image_pull_policy = "IfNotPresent"
-          args              = ["./cluster-autoscaler", "--cloud-provider=aws", "--namespace=default", "--nodes=1:10:${var.autoscaler_group}", "--logtostderr=true", "--stderrthreshold=info", "--v=4"]
+          args              = ["./cluster-autoscaler", "--cloud-provider=aws", "--node-group-auto-discovery=asg:tag=k8s.io/cluster-autoscaler/enabled", "--skip-nodes-with-local-storage=false", "--stderrthreshold=info", "--expander=least-waste", "--v=4"]

          volume_mount {
            mount_path = "/var/run/secrets/kubernetes.io/serviceaccount"

--- a/iam.tf
+++ b/iam.tf
+data "aws_iam_policy_document" "ec2_assume" {
+  statement {
+    actions = [
+      "sts:AssumeRole",
+    ]
+
+    principals {
+      type        = "Service"
+      identifiers = ["ec2.amazonaws.com"]
+    }
+  }
+
+  statement {
+    actions = [
+      "sts:AssumeRole",
+    ]
+
+    principals {
+      type        = "AWS"
+      identifiers = ["${var.worker_iam_role_arn}"]
+    }
+  }
+}
+
+data "aws_iam_policy_document" "autoscaler" {
+  statement {
+    actions = ["autoscaling:DescribeAutoScalingGroups",
+      "autoscaling:DescribeAutoScalingInstances",
+      "autoscaling:SetDesiredCapacity",
+      "autoscaling:TerminateInstanceInAutoScalingGroup",
+      "autoscaling:DescribeTags",
+    ]
+
+    resources = ["*"]
+  }
+}
+
+resource "aws_iam_policy" "this" {
+  policy = "${data.aws_iam_policy_document.autoscaler.json}"
+}
+
+resource "aws_iam_role" "this" {
+  name               = "eks-alb-ingress-controller"
+  assume_role_policy = "${data.aws_iam_policy_document.ec2_assume.json}"
+}
+
+resource "aws_iam_role_policy_attachment" "this" {
+  role       = "${aws_iam_role.this.name}"
+  policy_arn = "${aws_iam_policy.this.arn}"
+}
--- a/variables.tf
+++ b/variables.tf
@@ -5,3 +5,5 @@ variable "customer" {
 variable "envname" {
  default = "staging"
 }
+
+variable "worker_iam_role_arn" {}