Merge pull request #1 from aws-samples/1.1.0

1.1.0

cloudformation/eks-loadbalancer-controller-iam-policy.template.yaml

@@ -0,0 +1,150 @@
+#############################################################
+## NOT FOR PRODUCTION USE.                                 ##
+## THE CONTENT OF THIS FILE IS FOR LEARNING PURPOSES ONLY  ##
+## created by David Surey, Amazon Web Services, 2021      ##
+#############################################################
+
+AWSTemplateFormatVersion: "2010-09-09"
+Resources:   
+
+  EKSloadbalancerControllerPolicy:
+    Type: 'AWS::IAM::ManagedPolicy'
+    Properties:
+      ManagedPolicyName: EKSloadbalancerControllerPolicy
+      PolicyDocument:
+        Version: 2012-10-17
+        Statement:
+        - Effect: Allow
+          Action:
+          - iam:CreateServiceLinkedRole
+          - ec2:DescribeAccountAttributes
+          - ec2:DescribeAddresses
+          - ec2:DescribeInternetGateways
+          - ec2:DescribeVpcs
+          - ec2:DescribeSubnets
+          - ec2:DescribeSecurityGroups
+          - ec2:DescribeInstances
+          - ec2:DescribeNetworkInterfaces
+          - ec2:DescribeTags
+          - elasticloadbalancing:DescribeLoadBalancers
+          - elasticloadbalancing:DescribeLoadBalancerAttributes
+          - elasticloadbalancing:DescribeListeners
+          - elasticloadbalancing:DescribeListenerCertificates
+          - elasticloadbalancing:DescribeSSLPolicies
+          - elasticloadbalancing:DescribeRules
+          - elasticloadbalancing:DescribeTargetGroups
+          - elasticloadbalancing:DescribeTargetGroupAttributes
+          - elasticloadbalancing:DescribeTargetHealth
+          - elasticloadbalancing:DescribeTags
+          Resource: "*"
+        - Effect: Allow
+          Action:
+          - cognito-idp:DescribeUserPoolClient
+          - acm:ListCertificates
+          - acm:DescribeCertificate
+          - iam:ListServerCertificates
+          - iam:GetServerCertificate
+          - waf-regional:GetWebACL
+          - waf-regional:GetWebACLForResource
+          - waf-regional:AssociateWebACL
+          - waf-regional:DisassociateWebACL
+          - wafv2:GetWebACL
+          - wafv2:GetWebACLForResource
+          - wafv2:AssociateWebACL
+          - wafv2:DisassociateWebACL
+          - shield:GetSubscriptionState
+          - shield:DescribeProtection
+          - shield:CreateProtection
+          - shield:DeleteProtection
+          Resource: "*"
+        - Effect: Allow
+          Action:
+          - ec2:AuthorizeSecurityGroupIngress
+          - ec2:RevokeSecurityGroupIngress
+          Resource: "*"
+        - Effect: Allow
+          Action:
+          - ec2:CreateSecurityGroup
+          Resource: "*"
+        - Effect: Allow
+          Action:
+          - ec2:CreateTags
+          Resource: arn:aws:ec2:*:*:security-group/*
+          Condition:
+            StringEquals:
+              ec2:CreateAction: CreateSecurityGroup
+            'Null':
+              aws:RequestTag/elbv2.k8s.aws/cluster: 'false'
+        - Effect: Allow
+          Action:
+          - ec2:CreateTags
+          - ec2:DeleteTags
+          Resource: arn:aws:ec2:*:*:security-group/*
+          Condition:
+            'Null':
+              aws:RequestTag/elbv2.k8s.aws/cluster: 'true'
+              aws:ResourceTag/elbv2.k8s.aws/cluster: 'false'
+        - Effect: Allow
+          Action:
+          - ec2:AuthorizeSecurityGroupIngress
+          - ec2:RevokeSecurityGroupIngress
+          - ec2:DeleteSecurityGroup
+          Resource: "*"
+          Condition:
+            'Null':
+              aws:ResourceTag/elbv2.k8s.aws/cluster: 'false'
+        - Effect: Allow
+          Action:
+          - elasticloadbalancing:CreateLoadBalancer
+          - elasticloadbalancing:CreateTargetGroup
+          Resource: "*"
+          Condition:
+            'Null':
+              aws:RequestTag/elbv2.k8s.aws/cluster: 'false'
+        - Effect: Allow
+          Action:
+          - elasticloadbalancing:CreateListener
+          - elasticloadbalancing:DeleteListener
+          - elasticloadbalancing:CreateRule
+          - elasticloadbalancing:DeleteRule
+          Resource: "*"
+        - Effect: Allow
+          Action:
+          - elasticloadbalancing:AddTags
+          - elasticloadbalancing:RemoveTags
+          Resource:
+          - arn:aws:elasticloadbalancing:*:*:targetgroup/*/*
+          - arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*
+          - arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*
+          Condition:
+            'Null':
+              aws:RequestTag/elbv2.k8s.aws/cluster: 'true'
+              aws:ResourceTag/elbv2.k8s.aws/cluster: 'false'
+        - Effect: Allow
+          Action:
+          - elasticloadbalancing:ModifyLoadBalancerAttributes
+          - elasticloadbalancing:SetIpAddressType
+          - elasticloadbalancing:SetSecurityGroups
+          - elasticloadbalancing:SetSubnets
+          - elasticloadbalancing:DeleteLoadBalancer
+          - elasticloadbalancing:ModifyTargetGroup
+          - elasticloadbalancing:ModifyTargetGroupAttributes
+          - elasticloadbalancing:DeleteTargetGroup
+          Resource: "*"
+          Condition:
+            'Null':
+              aws:ResourceTag/elbv2.k8s.aws/cluster: 'false'
+        - Effect: Allow
+          Action:
+          - elasticloadbalancing:RegisterTargets
+          - elasticloadbalancing:DeregisterTargets
+          Resource: arn:aws:elasticloadbalancing:*:*:targetgroup/*/*
+        - Effect: Allow
+          Action:
+          - elasticloadbalancing:SetWebAcl
+          - elasticloadbalancing:ModifyListener
+          - elasticloadbalancing:AddListenerCertificates
+          - elasticloadbalancing:RemoveListenerCertificates
+          - elasticloadbalancing:ModifyRule
+          Resource: "*"
+

docs/examples/k8s/microservice-example/microservice-example-frontend-deployment.manifest.yaml

@@ -3,14 +3,12 @@ kind: Deployment
 metadata:
   name: eksdemo-frontend
   labels:
-    app: eksdemo-frontend
-    onfargate: "true"
+    app: eksdemo-fronten
   namespace: eksdemo
 spec:
   selector:
     matchLabels:
       app: eksdemo-frontend
-      onfargate: "true"
   replicas: 2
   strategy:
     rollingUpdate:
@@ -21,7 +19,6 @@ spec:
     metadata:
       labels:
         app: eksdemo-frontend
-        onfargate: "true"
     spec:
       containers:
       - image: brentley/ecsdemo-frontend:latest

docs/examples/tasks/microservice-example.task.yaml

@@ -14,25 +14,25 @@
       metadata:
         name: eksdemo
 
-- name: check for fargate profile at the eks cluster
-  delegate_to: "{{ EKSBastionInstancePublicIP }}"
-  shell: >
-    eksctl get fargateprofile --cluster "{{ eksexample_clustername }}" \
-    --region {{ eksexample_region }} \
-    --name eksdemo
-  register: eks_check_fargateprofile
-  ignore_errors: yes
-
-- name: setup fargate profile for our eksdemo
-  delegate_to: "{{ EKSBastionInstancePublicIP }}"
-  shell: >
-    eksctl create fargateprofile \
-    --name eksdemo \
-    --namespace eksdemo \
-    --cluster "{{ eksexample_clustername }}" \
-    --labels onfargate=true \
-    --region {{ eksexample_region }} 
-  when: eks_check_fargateprofile.rc == 1
+#- name: check for fargate profile at the eks cluster
+#  delegate_to: "{{ EKSBastionInstancePublicIP }}"
+#  shell: >
+#    eksctl get fargateprofile --cluster "{{ eksexample_clustername }}" \
+#    --region {{ eksexample_region }} \
+#    --name eksdemo
+#  register: eks_check_fargateprofile
+#  ignore_errors: yes
+#
+#- name: setup fargate profile for our eksdemo
+#  delegate_to: "{{ EKSBastionInstancePublicIP }}"
+#  shell: >
+#    eksctl create fargateprofile \
+#    --name eksdemo \
+#    --namespace eksdemo \
+#    --cluster "{{ eksexample_clustername }}" \
+#    --labels onfargate=true \
+#    --region {{ eksexample_region }} 
+#  when: eks_check_fargateprofile.rc == 1
 
 - name: create eksdemo deployment
   delegate_to: "{{ EKSBastionInstancePublicIP }}"

eks-deploy-cluster.playbook.yaml

@@ -27,7 +27,7 @@
           - yaml
 
     - name: setup bastion host
-      include_tasks: ./tasks/bastion.tasks.yaml
+      include_tasks: ./tasks/bastion.task.yaml
 
     - name: import dynamic var data
       include_vars:
@@ -64,7 +64,7 @@
         - ./tasks/eks-storage-provider-efscsi.task.yaml
         - ./tasks/eks-container-insights.task.yaml
         - ./tasks/eks-cluster-autoscaler.task.yaml
-        - ./tasks/eks-ingress-controller.task.yaml
+        - ./tasks/eks-loadbalancer-controller.task.yaml
         - ./tasks/eks-external-dns.task.yaml
         - ./tasks/eks-metrics-server.task.yaml
         - ./tasks/eks-xray.task.yaml

eks-destroy-cluster.playbook.yaml

@@ -60,7 +60,7 @@
       loop: 
         - { name: cluster-autoscaler, namespace: kube-system }
         - { name: external-dns, namespace: kube-system }
-        - { name: alb-ingress-controller, namespace: kube-system }
+        - { name: alb-loadbalancer-controller, namespace: kube-system }
         - { name: ebs-csi-controller-sa, namespace: kube-system }
         - { name: ebs-snapshot-controller, namespace: kube-system }
         - { name: xray-daemon, namespace: kube-system }
@@ -76,7 +76,7 @@
         - "{{ eksexample_clustername }}-cluster-autoscaler-policy"
         - "{{ eksexample_clustername }}-container-insights-policy"
         - "{{ eksexample_clustername }}-external-dns-policy"
-        - "{{ eksexample_clustername }}-cluster-ingresscontroller-policy"
+        - "{{ eksexample_clustername }}-cluster-loadbalancercontroller-policy"
         - "{{ eksexample_clustername }}-storage-provider-ebscsi-policy"
         - "{{ eksexample_clustername }}-storage-provider-efscsi-storage"