provectus · SerhiiSokolov · Aug 26, 2020 · Aug 25, 2020
diff --git a/example/locals.tf b/example/locals.tf
@@ -0,0 +1,6 @@
+locals {
+  tags = {
+    environment = var.environment
+    project     = var.project
+  }
+}
diff --git a/example/main.tf b/example/main.tf
@@ -8,6 +8,17 @@ module "network" {
   network            = var.network
 }
 
+module "acm" {
+  source  = "terraform-aws-modules/acm/aws"
+  version = "~> v2.0"
+
+  domain_name               = var.domains[0]
+  subject_alternative_names = ["*.${var.domains[0]}"]
+  zone_id                   = module.system.route53_zone[0].zone_id
+  validate_certificate      = var.aws_private == "false" ? true : false
+  tags                      = local.tags
+}
+
 module "kubernetes" {
   source = "../modules/kubernetes"
 
@@ -104,15 +115,17 @@ module "nginx" {
   google-cookie-secret = var.google-cookie-secret
 }
 
-#module "alb-ingress" {
-#  module_depends_on = [module.system.cert-manager]
-#  source            = "../modules/ingress/alb-ingress"
-#  cluster_name      = module.kubernetes.cluster_name
-#  domains           = var.domains
-#  vpc_id            = module.network.vpc_id
-#  aws_region        = var.aws_region
-#  config_path = "${path.module}/kubeconfig_${var.cluster_name}"
-#}
+module "alb-ingress" {
+  module_depends_on = [module.system.cert-manager]
+  source            = "../modules/ingress/alb-ingress"
+  cluster_name      = module.kubernetes.cluster_name
+  domains           = var.domains
+  vpc_id            = module.network.vpc_id
+  aws_region        = var.aws_region
+  config_path       = "${path.module}/kubeconfig_${var.cluster_name}"
+  certificates_arns = [module.acm.this_acm_certificate_arn]
+  cluster_oidc_url  = module.kubernetes.cluster_oidc_url
+}
 
 # Argoproj: all-in-one
 module "argo" {

diff --git a/example/output.tf b/example/output.tf
@@ -3,7 +3,11 @@ output "route53_zone" {
   value = module.system.route53_zone
 }
 
-# Kubernetes
+output "wildcard_certificate" {
+  value = module.acm.this_acm_certificate_arn
+}
+
+// Kubernetes
 output "cluster_name" {
   value = module.kubernetes.cluster_name
 }

diff --git a/modules/airflow/main.tf b/modules/airflow/main.tf
@@ -31,13 +31,13 @@ resource "helm_release" "airflow" {
       postgresql_host     = var.airflow_postgresql_host
       postgresql_port     = var.airflow_postgresql_port
       postgresql_username = var.airflow_postgresql_username
-      postgresql_password = var.airflow_postgresql_local == "true" ? random_password.airflow_postgresql_password.result : var.airflow_postgresql_password
+      postgresql_password = var.airflow_postgresql_local ? random_password.airflow_postgresql_password.result : var.airflow_postgresql_password
       postgresql_database = var.airflow_postgresql_database
       redis_local         = var.airflow_redis_local
       redis_host          = var.airflow_redis_host
       redis_port          = var.airflow_redis_port
       redis_username      = var.airflow_redis_username
-      redis_password      = var.airflow_redis_local == "true" ? random_password.airflow_redis_password.result : var.airflow_redis_password
+      redis_password      = var.airflow_redis_local ? random_password.airflow_redis_password.result : var.airflow_redis_password
     })
   ]
 }

diff --git a/modules/ingress/alb-ingress/main.tf b/modules/ingress/alb-ingress/main.tf
@@ -8,12 +8,8 @@ resource "kubernetes_namespace" "alb-ingress-system" {
   }
 }
 
-data "aws_eks_cluster" "this" {
-  depends_on = [
-    var.module_depends_on
-  ]
-  name = var.cluster_name
-}
+data "aws_caller_identity" "current" {}
+
 
 # Create role for alb-ingress
 resource "aws_iam_policy" "alb-ingress" {
@@ -181,11 +177,11 @@ resource "aws_iam_role" "alb-ingress" {
       "Action": "sts:AssumeRoleWithWebIdentity",
       "Condition": {
         "StringEquals": {
-          "${replace(data.aws_eks_cluster.this.identity.0.oidc.0.issuer, "https://", "")}:sub": "system:serviceaccount:${kubernetes_namespace.alb-ingress-system.metadata[0].name}:*"
+          "${replace(var.cluster_oidc_url, "https://", "")}:sub": "system:serviceaccount:${kubernetes_namespace.alb-ingress-system.metadata[0].name}:alb-aws-alb-ingress-controller"
         }
       },
       "Principal": {
-        "Federated": "arn:aws:iam::481193184231:oidc-provider/${replace(data.aws_eks_cluster.this.identity.0.oidc.0.issuer, "https://", "")}"
+        "Federated": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${replace(var.cluster_oidc_url, "https://", "")}"
       },
       "Effect": "Allow",
       "Sid": ""
@@ -225,3 +221,40 @@ resource "helm_release" "alb-ingress" {
     })
   ]
 }
+
+resource "kubernetes_ingress" "alb-nginx-ingress" {
+  metadata {
+    name      = "alb-nginx-ingress"
+    namespace = kubernetes_namespace.alb-ingress-system.metadata[0].name
+    annotations = {
+      "alb.ingress.kubernetes.io/certificate-arn"      = join(", ", var.certificates_arns)
+      "alb.ingress.kubernetes.io/healthcheck-path"     = "/healthz"
+      "alb.ingress.kubernetes.io/scheme"               = "internet-facing"
+      "alb.ingress.kubernetes.io/listen-ports"         = "[{\"HTTP\":80}, {\"HTTPS\":443}]"
+      "alb.ingress.kubernetes.io/actions.ssl-redirect" = "{\"Type\": \"redirect\", \"RedirectConfig\": { \"Protocol\": \"HTTPS\", \"Port\": \"443\", \"StatusCode\": \"HTTP_301\"}}"
+      "kubernetes.io/ingress.class"                    = "alb"
+    }
+  }
+
+  spec {
+    rule {
+      host = var.domains[0]
+      http {
+        path {
+          path = "/*"
+          backend {
+            service_name = "ssl-redirect"
+            service_port = "use-annotation"
+          }
+        }
+        //            path {
+        //              path = "/*"
+        //              backend {
+        //                service_name = "test"
+        //                service_port = "8080"
+        //              }
+        //            }
+      }
+    }
+  }
+}
diff --git a/modules/ingress/alb-ingress/values/values.yaml b/modules/ingress/alb-ingress/values/values.yaml
@@ -14,5 +14,7 @@ awsRegion: ${region}
 ## Required if autoDiscoverAwsVpcID != true
 awsVpcID: ${vpc_id}
 
-podAnnotations:
-  iam.amazonaws.com/role: ${role-arn}
+rbac:
+  serviceAccount:
+    annotations:
+      "eks.amazonaws.com/role-arn": ${role-arn}
diff --git a/modules/ingress/alb-ingress/variables.tf b/modules/ingress/alb-ingress/variables.tf
@@ -23,3 +23,13 @@ variable "config_path" {
   description = "location of the kubeconfig file"
   default     = "~/.kube/config"
 }
+
+variable "certificates_arns" {
+  type        = list(string)
+  description = "List of certificates to attach to ingress"
+  default     = []
+}
+
+variable "cluster_oidc_url" {
+  type = string
+}
diff --git a/modules/system/main.tf b/modules/system/main.tf
@@ -15,7 +15,7 @@ resource "null_resource" "wait-eks" {
   }
 }
 
-# Install NVIDIA gpu support 
+# Install NVIDIA gpu support
 #      resources:
 #        limits:
 #          nvidia.com/gpu: 2 # requesting 2 GPUs