Merge pull request #3 from kabisa/update/controller-to-v2.4

Update/controller to v2.4

.github/workflows/documentation.yaml

@@ -0,0 +1,18 @@
+name: Generate terraform docs
+on:
+  - pull_request
+jobs:
+  docs:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+      with:
+        ref: ${{ github.event.pull_request.head.ref }}
+
+    - name: Render terraform docs inside the README.md and push changes back to PR branch
+      uses: terraform-docs/[email protected]
+      with:
+        working-dir: .
+        output-file: README.md
+        output-method: inject
+        git-push: "true"

Changelog.md

@@ -0,0 +1,20 @@
+# Version 3.0.0 - 19-05-2022
+## BREAKING CHANGES
+```This version no longer works with Kubernetes version 1.18 and below due to changes in the API for Ingress resources from 1.19 and onwards```
+
+### Upgraded
+- Helm chart for the loadbalancer controller upgraded to version: [2.4.1](https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/tag/v2.4.1)
+- Upgraded values yaml for the loadbalancer
+- Custom resource definitions updated to new version: [0.5.0](https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/ec3418567841c1d36caf493c76105baf5e337b98/helm/aws-load-balancer-controller/crds/crds.yaml) 
+
+### Added
+- Terraform-docs inside the Readme.
+- Added description for all the variables.
+- Added description for all the outputs.
+- Added variable `force_update` for the helm chart.
+- Added Changelog to repository.
+
+
+# Version 2.0.1 - 14-04-2022
+### Upgraded
+- removed usage of `template_file` in favor of `templatefile`

README.md

@@ -1,8 +1,18 @@
-# terraform-aws-eks-alb-ingress
+# Terraform-aws-eks-alb-ingress
 
 This module requires our [openid connect module](https://github.com/kabisa/terraform-aws-eks-openid-connect)
 
-Example usage:
+# Upgrading the module from version 2.1 and lower:
+Due to changes made in the helm chart you will need to recreate the entire stack.
+
+Snippet from the [controller repo](https://github.com/kubernetes-sigs/aws-load-balancer-controller/tree/main/helm/aws-load-balancer-controller#upgrade):
+```
+The new controller is backwards compatible with the existing ingress objects. However, it will NOT coexist with the older aws-alb-ingress-controller. 
+
+The old controller must be uninstalled completely before installing the new version.
+```
+
+# Example usage:
 
 ```hcl-terraform
 module "eks_openid_connect" {
@@ -68,5 +78,60 @@ resource "kubernetes_ingress" "my-ingress" {
     }
   }
 }
+```
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.5.0 |
+| <a name="requirement_helm"></a> [helm](#requirement\_helm) | >= 1.2.4 |
+| <a name="requirement_kubectl"></a> [kubectl](#requirement\_kubectl) | >= 1.7.0 |
+| <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | >= 1.13 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.5.0 |
+| <a name="provider_helm"></a> [helm](#provider\_helm) | >= 1.2.4 |
+| <a name="provider_kubectl"></a> [kubectl](#provider\_kubectl) | >= 1.7.0 |
+| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | >= 1.13 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_policy.alb-ingress-controller-iam-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role.alb-ingress-controller-iam-role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.alb-ingress-controller-iam-role-policy-attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [helm_release.aws-load-balancer-controller](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [kubectl_manifest.crds](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
+| [kubernetes_cluster_role.alb_ingress_controller](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role) | resource |
+| [kubernetes_cluster_role_binding.alb_ingress_controller](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role_binding) | resource |
+| [kubernetes_service_account.alb_ingress_controller](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service_account) | resource |
+| [aws_iam_policy_document.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_account_id"></a> [account\_id](#input\_account\_id) | The AWS account ID. | `string` | n/a | yes |
+| <a name="input_eks_cluster_name"></a> [eks\_cluster\_name](#input\_eks\_cluster\_name) | The name of the EKS cluster. | `string` | n/a | yes |
+| <a name="input_force_update"></a> [force\_update](#input\_force\_update) | Force Helm resource update through delete/recreate if needed. | `bool` | `false` | no |
+| <a name="input_oidc_host_path"></a> [oidc\_host\_path](#input\_oidc\_host\_path) | The host path of the OIDC provider. | `string` | n/a | yes |
+| <a name="input_region"></a> [region](#input\_region) | The AWS region. | `string` | n/a | yes |
+| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | The VPC ID. | `string` | n/a | yes |
+
+## Outputs
 
-```
+| Name | Description |
+|------|-------------|
+| <a name="output_aws_iam_policy_arn"></a> [aws\_iam\_policy\_arn](#output\_aws\_iam\_policy\_arn) | The IAM policy ARN for the ALB Ingress Controller. |
+<!-- END_TF_DOCS -->

main.tf

@@ -35,16 +35,18 @@ resource "kubectl_manifest" "crds" {
   yaml_body = file("${path.module}/yamls/crds.yaml")
 }
 
-# V 2.1
+# V 2.4.1
 # https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/deploy/installation/
 # helm install aws-load-balancer-controller eks/aws-load-balancer-controller -n kube-system --set clusterName=<cluster-name>
 resource "helm_release" "aws-load-balancer-controller" {
-  depends_on = [kubectl_manifest.crds]
-  name       = "aws-load-balancer-controller"
-  namespace  = "kube-system"
-  repository = "https://aws.github.io/eks-charts"
-  chart      = "aws-load-balancer-controller"
-  version    = "1.1.4" # appVersion: v2.1.2
+  depends_on   = [kubectl_manifest.crds]
+  name         = "aws-load-balancer-controller"
+  namespace    = "kube-system"
+  repository   = "https://aws.github.io/eks-charts"
+  chart        = "aws-load-balancer-controller"
+  version      = "1.4.1" # appVersion: v2.4.1
+  #This defaults to false, recreation is required when upgrading the module from version 2.1 and lower
+  force_update = var.force_update
 
   values = [
     templatefile(

outputs.tf

@@ -1,3 +1,4 @@
 output "aws_iam_policy_arn" {
   value = aws_iam_policy.alb-ingress-controller-iam-policy.arn
+  description = "The IAM policy ARN for the ALB Ingress Controller."
 }

policy.tf

@@ -1,19 +1,36 @@
-# Generated based on https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/v2.1.2/docs/install/iam_policy.json
-# Tool used: https://github.com/flosell/iam-policy-json-to-terraform
+# Generated based on: https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/main/docs/install/iam_policy.json
+# Commit version:     https://github.com/kubernetes-sigs/aws-load-balancer-controller/commit/cc59a8c6bd521f2e334b81cb0132652fbb3f5d9d
+# Tool used:          https://github.com/flosell/iam-policy-json-to-terraform
+# Matches chart:      version: 1.4.1
+#                     appVersion: v2.4.1
 
 
 data "aws_iam_policy_document" "policy" {
+  statement {
+    sid       = ""
+    effect    = "Allow"
+    resources = ["*"]
+    actions   = ["iam:CreateServiceLinkedRole"]
+
+    condition {
+      test     = "StringEquals"
+      variable = "iam:AWSServiceName"
+      values   = ["elasticloadbalancing.amazonaws.com"]
+    }
+  }
+
   statement {
     sid       = ""
     effect    = "Allow"
     resources = ["*"]
 
     actions = [
-      "iam:CreateServiceLinkedRole",
       "ec2:DescribeAccountAttributes",
       "ec2:DescribeAddresses",
+      "ec2:DescribeAvailabilityZones",
       "ec2:DescribeInternetGateways",
       "ec2:DescribeVpcs",
+      "ec2:DescribeVpcPeeringConnections",
       "ec2:DescribeSubnets",
       "ec2:DescribeSecurityGroups",
       "ec2:DescribeInstances",
@@ -84,17 +101,17 @@ data "aws_iam_policy_document" "policy" {
     resources = ["arn:aws:ec2:*:*:security-group/*"]
     actions   = ["ec2:CreateTags"]
 
-    condition {
-      test     = "StringEquals"
-      variable = "ec2:CreateAction"
-      values   = ["CreateSecurityGroup"]
-    }
-
     condition {
       test     = "Null"
       variable = "aws:RequestTag/elbv2.k8s.aws/cluster"
       values   = ["false"]
     }
+
+    condition {
+      test     = "StringEquals"
+      variable = "ec2:CreateAction"
+      values   = ["CreateSecurityGroup"]
+    }
   }
 
   statement {
@@ -196,6 +213,23 @@ data "aws_iam_policy_document" "policy" {
     }
   }
 
+  statement {
+    sid    = ""
+    effect = "Allow"
+
+    resources = [
+      "arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*",
+      "arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*",
+      "arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
+      "arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*",
+    ]
+
+    actions = [
+      "elasticloadbalancing:AddTags",
+      "elasticloadbalancing:RemoveTags",
+    ]
+  }
+
   statement {
     sid       = ""
     effect    = "Allow"
@@ -243,4 +277,4 @@ data "aws_iam_policy_document" "policy" {
       "elasticloadbalancing:ModifyRule",
     ]
   }
-}
+}

variables.tf

@@ -1,17 +1,30 @@
 variable "eks_cluster_name" {
   type = string
+  description = "The name of the EKS cluster."
 }
 
 variable "region" {
   type = string
+  description = "The AWS region."
 }
 
 variable "oidc_host_path" {
   type = string
+  description = "The host path of the OIDC provider."
 }
 
-variable "vpc_id" {}
+variable "vpc_id" {
+  type = string
+  description = "The VPC ID."
+}
 
 variable "account_id" {
   type = string
+  description = "The AWS account ID."
 }
+
+variable "force_update" {
+  type = bool
+  default = false
+  description = "Force Helm resource update through delete/recreate if needed."
+}