Enable the possibility to target EKS clusters.

This enables the use of IAM roles for service accounts.

Closes #3

Author: Benjamin P. Jung

.gitignore

@@ -1,2 +1,3 @@
 /.terraform/
 *.tfstate*
+*.auto.tfvars

CHANGELOG.md

@@ -7,6 +7,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 [3.0.0] - 2020-01-22
 
+## Added
+
+- The type of the Kubernetes cluster can no be specified.
+  Set this to `eks` if targeting a managed [EKS](https://aws.amazon.com/eks/) Cluster.
+- If targeting EKS clusters, pods will use IAM roles for service accounts](https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html)
+  as intended by AWS.
+
 ## Updated
 
 - The default version of the controller has been set to [v1.1.5](https://github.com/kubernetes-sigs/aws-alb-ingress-controller/releases/tag/v1.1.5)

README.md

@@ -2,3 +2,13 @@
 
 This Terraform module can be used to install the [AWS ALB Ingress Controller](https://github.com/kubernetes-sigs/aws-alb-ingress-controller)
 into a Kubernetes cluster.
+
+## Improved integration with Amazon Elastic Kubernetes Service (EKS)
+
+This module can be used to install the ALB Ingress controller into a "vanilla" Kubernetes cluster (which is the default)
+or it can be used to integrate tightly with AWS-managed [EKS](https://aws.amazon.com/eks/) clusters which allows the deployed pods to
+[use IAM roles for service accounts](https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html).
+
+It is required, that an OpenID connect provider [has already been created](https://www.terraform.io/docs/providers/aws/r/eks_cluster.html#example-iam-role-for-eks-cluster) for your EKS cluster for this feature to work.
+
+Just make sure that you set the variable `k8s_cluster_type` type if running on EKS.

main.tf

@@ -1,9 +1,29 @@
 locals {
   aws_alb_ingress_controller_docker_image = "docker.io/amazon/aws-alb-ingress-controller:v${var.aws_alb_ingress_controller_version}"
+  aws_alb_ingress_controller_version      = var.aws_alb_ingress_controller_version
   aws_alb_ingress_class                   = "alb"
+  aws_vpc_id                              = data.aws_vpc.selected.id
+  aws_region_name                         = data.aws_region.current.name
+}
+
+data "aws_vpc" "selected" {
+  id = var.k8s_cluster_type == "eks" ? data.aws_eks_cluster.selected[0].vpc_config[0].vpc_id : var.aws_vpc_id
+}
+
+data "aws_region" "current" {
+  name = var.aws_region_name
+}
+
+data "aws_caller_identity" "current" {}
+
+# The EKS cluster (if any) that represents the installation target.
+data "aws_eks_cluster" "selected" {
+  count = var.k8s_cluster_type == "eks" ? 1 : 0
+  name  = var.k8s_cluster_name
 }
 
 data "aws_iam_policy_document" "ec2_assume_role" {
+  count = var.k8s_cluster_type == "vanilla" ? 1 : 0
   statement {
     actions = ["sts:AssumeRole"]
 
@@ -14,6 +34,27 @@ data "aws_iam_policy_document" "ec2_assume_role" {
   }
 }
 
+data "aws_iam_policy_document" "eks_oidc_assume_role" {
+  count = var.k8s_cluster_type == "eks" ? 1 : 0
+  statement {
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+    effect  = "Allow"
+    condition {
+      test     = "StringEquals"
+      variable = "${replace(data.aws_eks_cluster.selected[0].identity[0].oidc[0].issuer, "https://", "")}:sub"
+      values = [
+        "system:serviceaccount:${var.k8s_namespace}:aws-alb-ingress-controller"
+      ]
+    }
+    principals {
+      identifiers = [
+        "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${replace(data.aws_eks_cluster.selected[0].identity[0].oidc[0].issuer, "https://", "")}"
+      ]
+      type = "Federated"
+    }
+  }
+}
+
 resource "aws_iam_role" "this" {
   name        = "${var.aws_resource_name_prefix}${var.k8s_cluster_name}-alb-ingress-controller"
   description = "Permissions required by the Kubernetes AWS ALB Ingress controller to do it's job."
@@ -23,7 +64,7 @@ resource "aws_iam_role" "this" {
 
   force_detach_policies = true
 
-  assume_role_policy = data.aws_iam_policy_document.ec2_assume_role.json
+  assume_role_policy = var.k8s_cluster_type == "vanilla" ? data.aws_iam_policy_document.ec2_assume_role[0].json : data.aws_iam_policy_document.eks_oidc_assume_role[0].json
 }
 
 data "aws_iam_policy_document" "alb_management" {
@@ -144,7 +185,7 @@ data "aws_iam_policy_document" "alb_management" {
 
 resource "aws_iam_policy" "this" {
   name        = "${var.aws_resource_name_prefix}${var.k8s_cluster_name}-alb-management"
-  description = "Permissions that are required to manage the AWS Application Load Balancer."
+  description = "Permissions that are required to manage AWS Application Load Balancers."
   path        = var.aws_iam_path_prefix
   policy      = data.aws_iam_policy_document.alb_management.json
 }
@@ -159,7 +200,11 @@ resource "kubernetes_service_account" "this" {
   metadata {
     name      = "aws-alb-ingress-controller"
     namespace = var.k8s_namespace
-
+    annotations = {
+      # This annotation is only used when running on EKS which can
+      # use IAM roles for service accounts.
+      "eks.amazonaws.com/role-arn" = aws_iam_role.this.arn
+    }
     labels = {
       "app.kubernetes.io/name"       = "aws-alb-ingress-controller"
       "app.kubernetes.io/managed-by" = "terraform"
@@ -257,7 +302,7 @@ resource "kubernetes_deployment" "this" {
 
     labels = {
       "app.kubernetes.io/name"       = "aws-alb-ingress-controller"
-      "app.kubernetes.io/version"    = local.aws_alb_ingress_controller_version
+      "app.kubernetes.io/version"    = "v${local.aws_alb_ingress_controller_version}"
       "app.kubernetes.io/managed-by" = "terraform"
     }
 
@@ -281,9 +326,10 @@ resource "kubernetes_deployment" "this" {
           "app.kubernetes.io/name"    = "aws-alb-ingress-controller"
           "app.kubernetes.io/version" = local.aws_alb_ingress_controller_version
         }
-
         annotations = {
-          # Annotation to be used by KIAM
+          # Annotation which is only used by KIAM and kube2iam.
+          # Should be ignored by your cluster if using IAM roles for service accounts, e.g.
+          # when running on EKS.
           "iam.amazonaws.com/role" = aws_iam_role.this.arn
         }
       }
@@ -301,8 +347,8 @@ resource "kubernetes_deployment" "this" {
           args = [
             "--ingress-class=${local.aws_alb_ingress_class}",
             "--cluster-name=${var.k8s_cluster_name}",
-            "--aws-vpc-id=${var.aws_vpc_id}",
-            "--aws-region=${var.aws_region_name}",
+            "--aws-vpc-id=${local.aws_vpc_id}",
+            "--aws-region=${local.aws_region_name}",
             "--aws-max-retries=10",
           ]
 

variables.tf

@@ -1,3 +1,9 @@
+variable "k8s_cluster_type" {
+  description = "Can be set to `vanilla` or `eks`. If set to `eks`, the Kubernetes cluster will be assumed to be run on EKS which will make sure that the AWS IAM Service integration works as supposed to."
+  type        = string
+  default     = "vanilla"
+}
+
 variable "k8s_cluster_name" {
   description = "Name of the Kubernetes cluster. This string is used to contruct the AWS IAM permissions and roles."
   type        = string
@@ -11,14 +17,17 @@ variable "k8s_namespace" {
 variable "aws_iam_path_prefix" {
   description = "Prefix to be used for all AWS IAM objects."
   type        = string
+  default     = ""
 }
 
 variable "aws_vpc_id" {
-  type = string
+  type    = string
+  default = null
 }
 
 variable "aws_region_name" {
-  type = string
+  type    = string
+  default = null
 }
 
 variable "aws_resource_name_prefix" {