Trying to add route53 certmanager

73ed011a · Jose Ernesto Suarez · 1b703fda · 73ed011a · 73ed011a · 73ed011a
Commit 73ed011a authored Apr 18, 2023 by Jose Ernesto Suarez
Showing with 80 additions and 2 deletions

cert_manager_policy.json.tpl files/cert_manager_policy.json.tpl +18 -0

locals.tf locals.tf +14 -1

nodes.tf nodes.tf +32 -0

outputs.tf outputs.tf +5 -0

variables.tf variables.tf +11 -1

No files found.
--- a/files/cert_manager_policy.json.tpl
+++ b/files/cert_manager_policy.json.tpl
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": "route53:GetChange",
+            "Resource": "arn:aws:route53:::change/*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "route53:ChangeResourceRecordSets",
+                "route53:ListResourceRecordSets"
+            ],
+            "Resource": "arn:aws:route53:::hostedzone/${hostedzone}"
+        }
+    ]
+}
--- a/locals.tf
+++ b/locals.tf
@@ -86,7 +86,7 @@ locals {
      namespace   = "ingress-nginx"
      chart       = "ingress-nginx"
      repository  = "https://kubernetes.github.io/ingress-nginx"
-      version     = "4.5.2"
+      version     = "4.6.0"
      max_history = 3,
      values = {
        file = [
@@ -165,6 +165,19 @@ locals {
        }
      }
    }
+     gitlab = {
+      namespace   = "gitlab"
+      chart       = "gitlab"
+      repository  = "https://charts.gitlab.io/"
+      version     = "13.6.0"
+      max_history = 3,
+      force       = true,
+      values = {
+        file = [],
+        set  = {}
+    }
+    }
  }
  # extend the default settings with provided values

--- a/nodes.tf
+++ b/nodes.tf
@@ -36,11 +36,43 @@ resource "aws_iam_role_policy_attachment" "autoscaler" {
  policy_arn = aws_iam_policy.cluster_autoscaler.arn
 }
 resource "aws_iam_policy" "cluster_autoscaler" {
  name_prefix = "cluster-autoscaler"
  description = "EKS cluster-autoscaler policy for cluster ${var.cluster_name}"
  policy      = data.aws_iam_policy_document.cluster_autoscaler.json
 }
+resource "aws_iam_role" "cert_manager" {
+  name = "${var.cluster_name}-cert-manager"
+  assume_role_policy = jsonencode({
+    Statement = [{
+      Action = "sts:AssumeRole"
+      Effect = "Allow"
+      Principal = {
+        "AWS" = aws_iam_role.node.arn
+      }
+    }]
+    Version = "2012-10-17"
+  })
+}
+resource "aws_iam_role_policy_attachment" "cert_manager" {
+  role       = aws_iam_role.node.name
+  policy_arn = aws_iam_policy.cert_manager.arn
+}
+resource "aws_iam_policy" "cert_manager" {
+  name_prefix = "cert_manager"
+  description = "EKS Cert-Manager policy for cluster ${var.cluster_name} with route53 ${var.route53_hostedzone}"
+  policy      = data.template_file.cert_manager_policy.rendered
+}
+data "template_file" "cert_manager_policy" {
+  template = "${file("${path.module}/files/cert_manager_policy.json.tpl")}"
+  vars = {
+    hostedzone = var.route53_hostedzone, 
+    }
+}
 data "aws_iam_policy_document" "cluster_autoscaler" {
  statement {

--- a/outputs.tf
+++ b/outputs.tf
@@ -8,6 +8,11 @@ output "cluster_iam_role_arn" {
  value       = aws_iam_role.cluster.arn
 }
+output "cluster_cert_manager_iam_role_arn" {
+  description = "IAM role arn of the Cert Manager"
+  value       = aws_iam_role.cert_manager.arn
+}
 output "cluster_sg_id" {
  description = "Security group used within the cluster"
  value       = aws_security_group.cluster.id

--- a/variables.tf
+++ b/variables.tf
@@ -120,6 +120,7 @@ variable "ingresses" {
  default     = []
 }
 ##########
 # K8S APPS
 ##########
@@ -133,6 +134,15 @@ variable "istio" {
  type        = any
  default     = { enabled = false, version = "", set = {} }
 }
+## ROLE FOR CERTMANAGER
+# TODO: NEEDS TO ADD CONDITIONAL CREATION!!
+variable "route53_hostedzone" {
+  description = "Route53 Hosted Zone managed by the certmanager of this cluster"
+  type        = string
+}
 #variable "istio_enable" {
 #  description = "Flag to enable Istio"
 #  type        = bool