
Commit 1258b21

committed
helm updated
1 parent f336d81 commit 1258b21


3 files changed

+293
-43
lines changed


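--- a/iam_policy.json
+++ b/iam_policy.json
@@ -0,0 +1,241 @@
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Action": [
+"iam:CreateServiceLinkedRole"
+],
+"Resource": "*",
+"Condition": {
+"StringEquals": {
+"iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
+}
+}
+},
+{
+"Effect": "Allow",
+"Action": [
+"ec2:DescribeAccountAttributes",
+"ec2:DescribeAddresses",
+"ec2:DescribeAvailabilityZones",
+"ec2:DescribeInternetGateways",
+"ec2:DescribeVpcs",
+"ec2:DescribeVpcPeeringConnections",
+"ec2:DescribeSubnets",
+"ec2:DescribeSecurityGroups",
+"ec2:DescribeInstances",
+"ec2:DescribeNetworkInterfaces",
+"ec2:DescribeTags",
+"ec2:GetCoipPoolUsage",
+"ec2:DescribeCoipPools",
+"elasticloadbalancing:DescribeLoadBalancers",
+"elasticloadbalancing:DescribeLoadBalancerAttributes",
+"elasticloadbalancing:DescribeListeners",
+"elasticloadbalancing:DescribeListenerCertificates",
+"elasticloadbalancing:DescribeSSLPolicies",
+"elasticloadbalancing:DescribeRules",
+"elasticloadbalancing:DescribeTargetGroups",
+"elasticloadbalancing:DescribeTargetGroupAttributes",
+"elasticloadbalancing:DescribeTargetHealth",
+"elasticloadbalancing:DescribeTags"
+],
+"Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"cognito-idp:DescribeUserPoolClient",
+"acm:ListCertificates",
+"acm:DescribeCertificate",
+"iam:ListServerCertificates",
+"iam:GetServerCertificate",
+"waf-regional:GetWebACL",
+"waf-regional:GetWebACLForResource",
+"waf-regional:AssociateWebACL",
+"waf-regional:DisassociateWebACL",
+"wafv2:GetWebACL",
+"wafv2:GetWebACLForResource",
+"wafv2:AssociateWebACL",
+"wafv2:DisassociateWebACL",
+"shield:GetSubscriptionState",
+"shield:DescribeProtection",
+"shield:CreateProtection",
+"shield:DeleteProtection"
+],
+"Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"ec2:AuthorizeSecurityGroupIngress",
+"ec2:RevokeSecurityGroupIngress"
+],
+"Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"ec2:CreateSecurityGroup"
+],
+"Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"ec2:CreateTags"
+],
+"Resource": "arn:aws:ec2:*:*:security-group/*",
+"Condition": {
+"StringEquals": {
+"ec2:CreateAction": "CreateSecurityGroup"
+},
+"Null": {
+"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
+}
+}
+},
+{
+"Effect": "Allow",
+"Action": [
+"ec2:CreateTags",
+"ec2:DeleteTags"
+],
+"Resource": "arn:aws:ec2:*:*:security-group/*",
+"Condition": {
+"Null": {
+"aws:RequestTag/elbv2.k8s.aws/cluster": "true",
+"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
+}
+}
+},
+{
+"Effect": "Allow",
+"Action": [
+"ec2:AuthorizeSecurityGroupIngress",
+"ec2:RevokeSecurityGroupIngress",
+"ec2:DeleteSecurityGroup"
+],
+"Resource": "*",
+"Condition": {
+"Null": {
+"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
+}
+}
+},
+{
+"Effect": "Allow",
+"Action": [
+"elasticloadbalancing:CreateLoadBalancer",
+"elasticloadbalancing:CreateTargetGroup"
+],
+"Resource": "*",
+"Condition": {
+"Null": {
+"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
+}
+}
+},
+{
+"Effect": "Allow",
+"Action": [
+"elasticloadbalancing:CreateListener",
+"elasticloadbalancing:DeleteListener",
+"elasticloadbalancing:CreateRule",
+"elasticloadbalancing:DeleteRule"
+],
+"Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"elasticloadbalancing:AddTags",
+"elasticloadbalancing:RemoveTags"
+],
+"Resource": [
+"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
+"arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
+"arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
+],
+"Condition": {
+"Null": {
+"aws:RequestTag/elbv2.k8s.aws/cluster": "true",
+"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
+}
+}
+},
+{
+"Effect": "Allow",
+"Action": [
+"elasticloadbalancing:AddTags",
+"elasticloadbalancing:RemoveTags"
+],
+"Resource": [
+"arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*",
+"arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*",
+"arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
+"arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
+]
+},
+{
+"Effect": "Allow",
+"Action": [
+"elasticloadbalancing:ModifyLoadBalancerAttributes",
+"elasticloadbalancing:SetIpAddressType",
+"elasticloadbalancing:SetSecurityGroups",
+"elasticloadbalancing:SetSubnets",
+"elasticloadbalancing:DeleteLoadBalancer",
+"elasticloadbalancing:ModifyTargetGroup",
+"elasticloadbalancing:ModifyTargetGroupAttributes",
+"elasticloadbalancing:DeleteTargetGroup"
+],
+"Resource": "*",
+"Condition": {
+"Null": {
+"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
+}
+}
+},
+{
+"Effect": "Allow",
+"Action": [
+"elasticloadbalancing:AddTags"
+],
+"Resource": [
+"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
+"arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
+"arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
+],
+"Condition": {
+"StringEquals": {
+"elasticloadbalancing:CreateAction": [
+"CreateTargetGroup",
+"CreateLoadBalancer"
+]
+},
+"Null": {
+"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
+}
+}
+},
+{
+"Effect": "Allow",
+"Action": [
+"elasticloadbalancing:RegisterTargets",
+"elasticloadbalancing:DeregisterTargets"
+],
+"Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"elasticloadbalancing:SetWebAcl",
+"elasticloadbalancing:ModifyListener",
+"elasticloadbalancing:AddListenerCertificates",
+"elasticloadbalancing:RemoveListenerCertificates",
+"elasticloadbalancing:ModifyRule"
+],
+"Resource": "*"
+}
+]
+}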
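Review bot: Neither the file nor the commit records where this policy document comes from or which controller release it matches, which matters because its statements depend on the `elbv2.k8s.aws/cluster` tag conventions of a specific version of the controller that will use it. If it is a copy of the AWS Load Balancer Controller's published IAM policy, note the source and version in the commit message or a neighbouring README so that drift between the deployed controller and this file can be noticed later. Nothing in this diff reads the file either: terraform/main.tf in the same commit inlines its own, broader policy rather than loading this one, so as committed the scoped document has no effect.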

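--- a/node-app/values.yaml
+++ b/node-app/values.yaml
@@ -53,7 +53,7 @@ ingress:
 alb.ingress.kubernetes.io/scheme: internet-facing
 alb.ingress.kubernetes.io/target-type: ip
 alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
-alb.ingress.kubernetes.io/certificate-arn: "arn:aws:acm:us-east-1:637423391401:certificate/4905a594-0c39-4280-b669-abbf5d4b22ef"
+alb.ingress.kubernetes.io/certificate-arn: "arn:aws:acm:us-east-1:637423391401:certificate/e09d47ca-58f8-4235-8759-1e88650e6934"
 hosts:
 - host: toyocars.online
 paths: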
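Review bot: The replacement certificate ARN on line 56 hard-codes the AWS account id and a specific ACM certificate into the chart's default values, so every install of this chart inherits that certificate and the next rotation again requires a chart commit. Leaving the annotation's value to a per-environment values file or a `--set` override keeps the chart reusable and keeps account-specific identifiers out of the defaults. Separately, the listen-ports annotation two lines above exposes HTTP 80 next to HTTPS 443 and no `alb.ingress.kubernetes.io/ssl-redirect: '443'` annotation is visible in this hunk; if it is not set elsewhere in the ingress block, plain-HTTP requests are served rather than redirected to HTTPS.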

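--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -18,46 +18,55 @@ module "vpc" {
 }
 }
 
-# ECR policy
-resource "aws_iam_policy" "ecr_policy" {
-name = "eks-ecr-policy"
-policy = jsonencode({
-Version = "2012-10-17"
-Statement = [
-{
-Effect = "Allow"
-Action = [
-"ecr:GetAuthorizationToken",
-"ecr:BatchCheckLayerAvailability",
-"ecr:GetDownloadUrlForLayer",
-"ecr:GetRepositoryPolicy",
-"ecr:DescribeRepositories",
-"ecr:ListImages",
-"ecr:BatchGetImage"
-]
-Resource = "*"
-}
-]
-})
-}
+resource "aws_iam_policy" "eks_policies" {
+for_each = {
+ecr_policy = jsonencode({
+Version = "2012-10-17"
+Statement = [
+{
+Effect = "Allow"
+Action = [
+"ecr:GetAuthorizationToken",
+"ecr:BatchCheckLayerAvailability",
+"ecr:GetDownloadUrlForLayer",
+"ecr:GetRepositoryPolicy",
+"ecr:DescribeRepositories",
+"ecr:ListImages",
+"ecr:BatchGetImage"
+]
+Resource = "*"
+}
+]
+})
 
-# ALB policy
-resource "aws_iam_policy" "alb_policy" {
-name = "eks-alb-policy"
-policy = jsonencode({
-Version = "2012-10-17"
-Statement = [
-{
-Effect = "Allow"
-Action = [
-"elasticloadbalancing:*",
-"ec2:CreateSecurityGroup",
-"ec2:Describe*"
-]
-Resource = "*"
-}
-]
-})
+alb_policy = jsonencode({
+Version = "2012-10-17"
+Statement = [
+{
+Effect = "Allow"
+Action = [
+"iam:CreateServiceLinkedRole",
+"iam:ListServerCertificates",
+"iam:GetServerCertificate",
+"ec2:Describe*",
+"ec2:AuthorizeSecurityGroupIngress",
+"ec2:RevokeSecurityGroupIngress",
+"ec2:CreateSecurityGroup",
+"elasticloadbalancing:*",
+"acm:ListCertificates",
+"acm:DescribeCertificate",
+"waf-regional:*",
+"wafv2:*",
+"shield:*"
+]
+Resource = "*"
+}
+]
+})
+}
+
+name = "eks-${each.key}"
+policy = each.value
 }
 
 module "eks" {
@@ -75,12 +84,12 @@ module "eks" {
 min_size = 0
 max_size = 5
 desired_size = 1
-instance_types = ["t3.small"]
+instance_types = ["t3.medium"]
 capacity_type = "SPOT"
 
 iam_role_additional_policies = {
-AmazonECR_Policy = aws_iam_policy.ecr_policy.arn
-ALBIngress_Policy = aws_iam_policy.alb_policy.arn
+AmazonECR_Policy = aws_iam_policy.eks_policies["ecr_policy"].arn
+ALBIngress_Policy = aws_iam_policy.eks_policies["alb_policy"].arn
 }
 }
 }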
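Review bot: The rewritten `alb_policy` at new lines 42–65 widens the earlier wildcard grant to `elasticloadbalancing:*`, `waf-regional:*`, `wafv2:*` and `shield:*` plus an `iam:CreateServiceLinkedRole` that carries no `iam:AWSServiceName` condition, all on `Resource = "*"`, and the second hunk attaches the result to the node group role through `iam_role_additional_policies`, so every pod scheduled on those nodes inherits the whole set. The commit adds a tag-scoped `iam_policy.json` that confines each action to resources carrying the `elbv2.k8s.aws/cluster` tag, but nothing in this file loads it. Replacing the inline document with `alb_policy = file("${path.module}/../iam_policy.json")` (relative path assuming the JSON sits at the repository root, as the diff suggests) would make the scoped policy the one actually attached. Binding that policy to the controller's own service account rather than the node role would be the natural follow-up, but that is outside this diff.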
