AWSTemplateFormatVersion: 2010-09-09 Description: >- Deploys the aws load balancer controller to an existing kubernetes cluster (qs-1qnl6p00n). # https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html # https://docs.aws.amazon.com/eks/latest/userguide/network-load-balancing.html Metadata: cfn-lint: { config: { ignore_checks: [W9002, W9003, W9004, W9006] } } Parameters: OIDCProviderArn: Type: String OIDCProviderEndpoint: Type: String EksClusterName: Type: String VpcId: Type: String ControllerCPULimit: Type: String Default: 100m ControllerMemoryLimit: Type: String Default: 80Mi ControllerReplicaCount: Type: Number Default: 1 ControllerHostNetwork: Type: String AllowedValues: [Enabled, Disabled] Default: Disabled Conditions: Commercial: !Equals [!Ref AWS::Partition, aws] HostNetworkEnabled: !Equals [!Ref ControllerHostNetwork, Enabled] Resources: LoadBalancerControllerIAMRole: Type: AWS::IAM::Role Metadata: cfn-lint: config: ignore_checks: [EIAMPolicyWildcardResource] ignore_reasons: EIAMPolicyWildcardResource: >- Action elasticloadbalancing:DescribeTags requires a wildcard resource. As of 2023-02-05, cfn-lint falsely reports this as an issue. Properties: AssumeRolePolicyDocument: !Sub | { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Federated": "${OIDCProviderArn}" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { "${OIDCProviderEndpoint}:aud": [ "sts.amazonaws.com", "sts.${AWS::Region}.amazonaws.com" ], "${OIDCProviderEndpoint}:sub": "system:serviceaccount:kube-system:aws-load-balancer-controller" } } } ] } ManagedPolicyArns: - !Sub arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly - !If [Commercial, !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonElasticContainerRegistryPublicReadOnly', !Ref AWS::NoValue] Policies: - PolicyName: load-balancer-controller-policy # https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/main/docs/install/iam_policy.json PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: iam:CreateServiceLinkedRole Resource: '*' Condition: StringEquals: iam:AWSServiceName: elasticloadbalancing.amazonaws.com - Effect: Allow Action: - ec2:DescribeAccountAttributes - ec2:DescribeAddresses - ec2:DescribeAvailabilityZones - ec2:DescribeCoipPools - ec2:DescribeInstances - ec2:DescribeInternetGateways - ec2:DescribeNetworkInterfaces - ec2:DescribeSecurityGroups - ec2:DescribeSubnets - ec2:DescribeTags - ec2:DescribeVpcPeeringConnections - ec2:DescribeVpcs - ec2:GetCoipPoolUsage - elasticloadbalancing:DescribeListenerCertificates - elasticloadbalancing:DescribeListeners - elasticloadbalancing:DescribeLoadBalancerAttributes - elasticloadbalancing:DescribeLoadBalancers - elasticloadbalancing:DescribeRules - elasticloadbalancing:DescribeSSLPolicies - elasticloadbalancing:DescribeTags - elasticloadbalancing:DescribeTargetGroupAttributes - elasticloadbalancing:DescribeTargetGroups - elasticloadbalancing:DescribeTargetHealth Resource: '*' - Effect: Allow Action: cognito-idp:DescribeUserPoolClient Resource: !Sub arn:${AWS::Partition}:cognito-idp:${AWS::Region}:${AWS::AccountId}:userpool/* - Effect: Allow Action: acm:ListCertificates Resource: '*' - Effect: Allow Action: acm:DescribeCertificate Resource: !Sub arn:${AWS::Partition}:acm:${AWS::Region}:${AWS::AccountId}:certificate/* - Effect: Allow Action: iam:ListServerCertificates Resource: '*' - Effect: Allow Action: - iam:GetServerCertificate Resource: !Sub arn:${AWS::Partition}:acm:${AWS::Region}:${AWS::AccountId}:server-certificate/* - Effect: Allow Action: - waf-regional:GetWebACL - waf-regional:GetWebACLForResource - waf-regional:AssociateWebACL - waf-regional:DisassociateWebACL Resource: - !Sub arn:${AWS::Partition}:elasticloadbalancing:${AWS::Region}:${AWS::AccountId}:loadbalancer/app/*/* - !Sub arn:${AWS::Partition}:waf-regional:${AWS::Region}:${AWS::AccountId}:webacl/* - Effect: Allow Action: - wafv2:GetWebACL - wafv2:GetWebACLForResource - wafv2:AssociateWebACL - wafv2:DisassociateWebACL Resource: - !Sub arn:${AWS::Partition}:elasticloadbalancing:${AWS::Region}:${AWS::AccountId}:loadbalancer/app/*/* - !Sub arn:${AWS::Partition}:cognito-idp:${AWS::Region}:${AWS::AccountId}:userpool/* - !Sub arn:${AWS::Partition}:wafv2:${AWS::Region}:${AWS::AccountId}:*/webacl/*/* - Effect: Allow Action: - shield:CreateProtection - shield:GetSubscriptionState Resource: '*' - Effect: Allow Action: - shield:DeleteProtection - shield:DescribeProtection Resource: !Sub arn:${AWS::Partition}:shield::${AWS::AccountId}:protection/* - Effect: Allow Action: - ec2:AuthorizeSecurityGroupIngress - ec2:RevokeSecurityGroupIngress Resource: - !Sub arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:security-group/* - !Sub arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:security-group-rule/* - Effect: Allow Action: ec2:CreateSecurityGroup Resource: - !Sub arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:security-group/* - !Sub arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:vpc/${VpcId} - Effect: Allow Action: ec2:CreateTags Resource: !Sub arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:security-group/* Condition: StringEquals: ec2:CreateAction: CreateSecurityGroup 'Null': aws:RequestTag/elbv2.k8s.aws/cluster: 'false' - Effect: Allow Action: - ec2:CreateTags - ec2:DeleteTags Resource: !Sub arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:security-group/* Condition: 'Null': aws:RequestTag/elbv2.k8s.aws/cluster: 'true' aws:ResourceTag/elbv2.k8s.aws/cluster: 'false' - Effect: Allow Action: - ec2:AuthorizeSecurityGroupIngress - ec2:RevokeSecurityGroupIngress - ec2:DeleteSecurityGroup Resource: '*' Condition: 'Null': aws:ResourceTag/elbv2.k8s.aws/cluster: 'false' - Effect: Allow Action: - elasticloadbalancing:CreateLoadBalancer - elasticloadbalancing:CreateTargetGroup Resource: '*' Condition: 'Null': aws:RequestTag/elbv2.k8s.aws/cluster: 'false' - Effect: Allow Action: - elasticloadbalancing:CreateListener - elasticloadbalancing:DeleteListener - elasticloadbalancing:CreateRule - elasticloadbalancing:DeleteRule Resource: - !Sub arn:${AWS::Partition}:elasticloadbalancing:${AWS::Region}:${AWS::AccountId}:listener-rule/app/*/*/*/* - !Sub arn:${AWS::Partition}:elasticloadbalancing:${AWS::Region}:${AWS::AccountId}:listener-rule/net/*/*/*/* - !Sub arn:${AWS::Partition}:elasticloadbalancing:${AWS::Region}:${AWS::AccountId}:listener/app/*/*/* - !Sub arn:${AWS::Partition}:elasticloadbalancing:${AWS::Region}:${AWS::AccountId}:listener/net/*/*/* - !Sub arn:${AWS::Partition}:elasticloadbalancing:${AWS::Region}:${AWS::AccountId}:loadbalancer/app/*/* - !Sub arn:${AWS::Partition}:elasticloadbalancing:${AWS::Region}:${AWS::AccountId}:loadbalancer/net/*/* - Effect: Allow Action: - elasticloadbalancing:AddTags - elasticloadbalancing:RemoveTags Resource: - !Sub arn:${AWS::Partition}:elasticloadbalancing:${AWS::Region}:${AWS::AccountId}:targetgroup/*/* - !Sub arn:${AWS::Partition}:elasticloadbalancing:${AWS::Region}:${AWS::AccountId}:loadbalancer/net/*/* - !Sub arn:${AWS::Partition}:elasticloadbalancing:${AWS::Region}:${AWS::AccountId}:loadbalancer/app/*/* Condition: 'Null': aws:RequestTag/elbv2.k8s.aws/cluster: 'true' aws:ResourceTag/elbv2.k8s.aws/cluster: 'false' - Effect: Allow Action: - elasticloadbalancing:AddTags - elasticloadbalancing:RemoveTags Resource: - !Sub arn:${AWS::Partition}:elasticloadbalancing:${AWS::Region}:${AWS::AccountId}:listener/net/*/*/* - !Sub arn:${AWS::Partition}:elasticloadbalancing:${AWS::Region}:${AWS::AccountId}:listener/app/*/*/* - !Sub arn:${AWS::Partition}:elasticloadbalancing:${AWS::Region}:${AWS::AccountId}:listener-rule/net/*/*/* - !Sub arn:${AWS::Partition}:elasticloadbalancing:${AWS::Region}:${AWS::AccountId}:listener-rule/app/*/*/* - Effect: Allow Action: - elasticloadbalancing:ModifyLoadBalancerAttributes - elasticloadbalancing:SetIpAddressType - elasticloadbalancing:SetSecurityGroups - elasticloadbalancing:SetSubnets - elasticloadbalancing:DeleteLoadBalancer - elasticloadbalancing:ModifyTargetGroup - elasticloadbalancing:ModifyTargetGroupAttributes - elasticloadbalancing:DeleteTargetGroup Resource: '*' Condition: 'Null': aws:ResourceTag/elbv2.k8s.aws/cluster: 'false' - Effect: Allow Action: - elasticloadbalancing:RegisterTargets - elasticloadbalancing:DeregisterTargets Resource: !Sub arn:${AWS::Partition}:elasticloadbalancing:${AWS::Region}:${AWS::AccountId}:targetgroup/*/* - Effect: Allow Action: - elasticloadbalancing:SetWebAcl Resource: '*' - Effect: Allow Action: - elasticloadbalancing:AddListenerCertificates - elasticloadbalancing:ModifyListener - elasticloadbalancing:ModifyRule - elasticloadbalancing:RemoveListenerCertificates Resource: - !Sub arn:${AWS::Partition}:elasticloadbalancing:${AWS::Region}:${AWS::AccountId}:listener/net/*/*/* - !Sub arn:${AWS::Partition}:elasticloadbalancing:${AWS::Region}:${AWS::AccountId}:listener/app/*/*/* - !Sub arn:${AWS::Partition}:elasticloadbalancing:${AWS::Region}:${AWS::AccountId}:listener-rule/net/*/*/* - !Sub arn:${AWS::Partition}:elasticloadbalancing:${AWS::Region}:${AWS::AccountId}:listener-rule/app/*/*/* LoadBalancerControllerHelmChart: # https://artifacthub.io/packages/helm/aws/aws-load-balancer-controller # https://github.com/aws/eks-charts/tree/master/stable/aws-load-balancer-controller # https://github.com/kubernetes-sigs/aws-load-balancer-controller Type: AWSQS::Kubernetes::Helm Properties: ClusterID: !Ref EksClusterName Namespace: kube-system Name: aws-load-balancer-controller Repository: https://aws.github.io/eks-charts Chart: aws/aws-load-balancer-controller Values: clusterName: !Ref EksClusterName hostNetwork: !If [HostNetworkEnabled, 'true', 'false'] image.repository: public.ecr.aws/eks/aws-load-balancer-controller nodeSelector.kubernetes\.io/os: linux region: !Ref AWS::Region replicaCount: !Ref ControllerReplicaCount resources.limits.cpu: !Ref ControllerCPULimit resources.limits.memory: !Ref ControllerMemoryLimit serviceAccount.annotations.eks\.amazonaws\.com/role-arn: !GetAtt LoadBalancerControllerIAMRole.Arn serviceAccount.create: 'true' serviceAccount.name: aws-load-balancer-controller vpcId: !Ref VpcId