kabisa/terraform-aws-eks-alb-ingress

Terraform-aws-eks-alb-ingress

This module requires our OpenID Connect module.

Upgrading the module from version 2.1 and lower to >= 3.0.3:

Due to changes made in the helm chart you will need to recreate the entire stack. You should expect a downtime of 5 minutes.

Snippet from the controller repo:

The new controller is backwards compatible with the existing ingress objects. However, it will NOT coexist with the older aws-alb-ingress-controller. 

The old controller must be uninstalled completely before installing the new version.

Upgrade steps

You should be logged in to the AWS console and watching the target group(s) of your cluster. You should also be prepared to restart the AWS LoadBalancer Controller deployment in your cluster. Upgrading this module requires planning and applying changes two times. This is included in the steps below.

  1. Comment out the current module and apply the changes. This will cleanly remove the currently installed module.
  2. Uncomment the module. Set the module version reference to at least 3.0.3; the previous versions of the 3.0.x series are broken.
  3. Run terraform init to download the new module.
  4. Set the variable var.force_update to true just to be sure.
  5. Apply the changes and watch the target group(s) until they get into a draining state.
  6. Run terraform plan again and apply the lingering changes.
  7. In some undetermined cases the AWS LoadBalancer Controller can get stuck. To be sure, restart the deployment of the AWS LoadBalancer Controller.

The nodes should re-register to the Target Group(s) and your application should become available again.
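The scriptable part of the procedure above (steps 3 and 5 to 7), as an added example that is not part of this module or of the controller project. It assumes the controller runs as deployment aws-load-balancer-controller in namespace kube-system, that you pass in the target group ARN, and that steps 1, 2 and 4 were done by hand; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the module. Covers upgrade steps 3 and 5-7;
# steps 1, 2 and 4 are manual edits to the Terraform configuration.
set -eu

# Assumptions: namespace and deployment name of the controller in the cluster.
NAMESPACE="${NAMESPACE:-kube-system}"
DEPLOYMENT="${DEPLOYMENT:-aws-load-balancer-controller}"

# all_targets_in_state <state> <observed>...
# Succeeds only if at least one state was observed and all of them match.
all_targets_in_state() {
  want="$1"; shift
  [ "$#" -gt 0 ] || return 1
  for s in "$@"; do
    [ "$s" = "$want" ] || return 1
  done
  return 0
}

# Print the health state of every target in the group on one line.
target_states() {
  aws elbv2 describe-target-health --target-group-arn "$1" \
    --query 'TargetHealthDescriptions[].TargetHealth.State' --output text
}

# wait_for_state <target-group-arn> <state> [tries], polling every 10 seconds.
wait_for_state() {
  tries="${3:-60}"
  while [ "$tries" -gt 0 ]; do
    # Unquoted on purpose: one word per target state.
    if all_targets_in_state "$2" $(target_states "$1"); then return 0; fi
    tries=$((tries - 1))
    sleep 10
  done
  echo "timed out waiting for targets to become $2" >&2
  return 1
}

# upgrade <target-group-arn>
upgrade() {
  terraform init                      # step 3
  terraform apply                     # step 5 (force_update already true)
  wait_for_state "$1" draining
  terraform plan                      # step 6
  terraform apply
  kubectl -n "$NAMESPACE" rollout restart "deployment/$DEPLOYMENT"   # step 7
  kubectl -n "$NAMESPACE" rollout status "deployment/$DEPLOYMENT"
  wait_for_state "$1" healthy         # nodes re-registered
}
```

Source the file and call `upgrade <target-group-arn>`; both `terraform apply` runs still prompt for confirmation, so the plan can be reviewed before anything is destroyed or recreated.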

Example usage:

module "eks_openid_connect" {
  source = "git@github.com:kabisa/terraform-aws-eks-openid-connect.git?ref=1.0"
  # tf 0.13
  # depends_on              = [module.eks]
  cluster_oidc_issuer_url = module.eks.cluster_oidc_issuer_url
  region                  = var.region
}

module "alb" {
  source           = "git@github.com:kabisa/terraform-aws-eks-alb-ingress.git?ref=1.0"
  account_id       = var.account_id
  eks_cluster_name = var.eks_cluster_name
  oidc_host_path   = module.eks_openid_connect.oidc_host_path
  region           = var.region
  vpc_id           = module.vpc.vpc_id
}

resource "kubernetes_service" "my-service" {
  metadata {
    name = "my-service"
    labels = {
      "app" = "envoy-proxy"
    }
  }
  spec {
    type = "NodePort"
    port {
      port = 80
      name = "http"
      target_port = "http"
    }

    selector = {
      "app" = "my-app"
    }
  }
}

resource "kubernetes_ingress" "my-ingress" {
  metadata {
    name      = "my-ingress"
    annotations = {
      "kubernetes.io/ingress.class"          = "alb"
      "alb.ingress.kubernetes.io/scheme"     = "internet-facing"
      "alb.ingress.kubernetes.io/tags"       = "Environment=testing"
      "alb.ingress.kubernetes.io/listen-ports" = "[{\"HTTP\": 80}, {\"HTTPS\": 443}]"
    }
  }
  spec {
    rule {
      host = "example.com"
      http {
        path {
          path = "/"
          backend {
            service_name = "my-service"
            service_port = "http"
          }
        }
      }
    }
  }
}

Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.13.1 |
| aws | >= 3.5.0 |
| helm | >= 1.2.4 |
| kubectl | >= 1.7.0 |
| kubernetes | >= 1.13 |

Providers

| Name | Version |
|------|---------|
| aws | >= 3.5.0 |
| helm | >= 1.2.4 |
| kubectl | >= 1.7.0 |
| kubernetes | >= 1.13 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_iam_policy.alb-ingress-controller-iam-policy | resource |
| aws_iam_role.alb-ingress-controller-iam-role | resource |
| aws_iam_role_policy_attachment.alb-ingress-controller-iam-role-policy-attachment | resource |
| helm_release.aws-load-balancer-controller | resource |
| kubectl_manifest.ingessclassparams | resource |
| kubectl_manifest.targetgroupbindings | resource |
| kubernetes_cluster_role.alb_ingress_controller | resource |
| kubernetes_cluster_role_binding.alb_ingress_controller | resource |
| kubernetes_service_account.alb_ingress_controller | resource |
| aws_iam_policy_document.policy | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| account_id | The AWS account ID. | string | n/a | yes |
| eks_cluster_name | The name of the EKS cluster. | string | n/a | yes |
| force_update | Force Helm resource update through delete/recreate if needed. | bool | false | no |
| oidc_host_path | The host path of the OIDC provider. | string | n/a | yes |
| region | The AWS region. | string | n/a | yes |
| vpc_id | The VPC ID. | string | n/a | yes |

Outputs

| Name | Description |
|------|-------------|
| aws_iam_policy_arn | The IAM policy ARN for the ALB Ingress Controller. |