This Terraform Module installs and configures the AWS ALB Ingress
Controller on an EKS cluster, so that you can configure
an ALB using Ingress resources.
This module solves the problem of integrating Kubernetes Service endpoints with an
ALB. Out of the box, Kubernetes
supports tying a Service to an ELB or NLB using the LoadBalancer
type. However, the
LoadBalancer Service type does not support ALBs, and thus you cannot implement complex routing rules based on
domain or paths.
Kubernetes uses Ingress resources to configure and implement "Layer 7" load balancers (where ALBs fit in the OSI
model). Kubernetes Ingress works by providing a
configuration framework to configure routing rules from a load balancer to Services within Kubernetes. For example,
suppose you wanted to provision a Service for your backend, fronted by a load balancer that routes any request made to
the path /service to the backend. To do so, in addition to creating your Service, you would create an Ingress
resource in Kubernetes that configures the routing rule:
In the above configuration, we create a Cluster IP based Service (so that it is only available internally to the
Kubernetes cluster) that routes requests to port 80 to any Pod that matches the label app=backend on port 80. Then,
we configure an Ingress rule that routes any requests prefixed with /service to that Service endpoint on port 80.
The actual load balancer that is configured by the Ingress resource is defined by the particular Ingress
Controller that you deploy onto your
Kubernetes cluster. Ingress Controllers are separate processes that run on your Kubernetes cluster that will watch for
Ingress resources and reflect them by provisioning or configuring load balancers. Depending on which controller you
use, the particular load balancer that is provisioned will be different. For example, if you use the official nginx
controller, each Ingress resource translates into
an nginx Pod that implements the routing rules.
Note that each Ingress resource defines a separate load balancer. This means that each time you create a new Ingress
resource in Kubernetes, Kubernetes will provision a new load balancer configured with the rules defined by the Ingress
resource.
This module deploys the AWS ALB Ingress Controller, which will reflect each Ingress resource into an ALB resource
deployed into your AWS account.
How do you use this module?
See the root README for instructions on using Terraform modules.
This module uses helm v3 to deploy the controller to the Kubernetes cluster.
ALB Target Type
The ALB Ingress Controller can configure ALBs to send traffic either to Node IPs (instance) or Pod IPs (ip) as backend targets. This can be specified on the Ingress object using the alb.ingress.kubernetes.io/target-type annotation. The default is instance.
When using the default instance target type, the Services intended to be consumed by the Ingress resource must be
provisioned using the NodePort type. This is not required when using the ip target type.
Note that the controller will take care of setting up the target groups on the provisioned ALB so that everything routes
correctly.
Subnets
You can use the alb.ingress.kubernetes.io/subnets annotation on Ingress resources to specify which subnets the controller should configure the ALB for.
You can also omit the alb.ingress.kubernetes.io/subnets annotation, and the controller will automatically discover subnets based on their tags. This method should work "out of the box", so long as you are using the eks-vpc-tags module to tag your VPC subnets.
Security Groups
As mentioned above under the ALB Target Type section, the default ALB target type uses node ports to connect to the
Services. As such, if you have restricted security groups that prevent access to the provisioned ports on the worker
nodes, the ALBs will not be able to reach the Services.
To ensure the provisioned ALBs can access the node ports, we recommend using dedicated subnets for load balancing and
configuring your security groups so that resources provisioned in those subnets can access the node ports of the worker
nodes.
In order for the Ingress resources to properly map into an ALB, the Ingress resources created need to be annotated
to use the alb Ingress class. You can do this by adding the following annotation to your Ingress resources:

    annotations:
      kubernetes.io/ingress.class: alb

The ALB Ingress Controller supports a wide range of configuration options via annotations on the Ingress object, including setting up Cognito for
authentication. For example, you can add the annotation alb.ingress.kubernetes.io/scheme: internet-facing to provision
a public ALB. You can refer to the official
documentation for the full
reference of configuration options supported by the controller.
Getting the ALB endpoint
The ALB endpoint is recorded on the Ingress resource. You can use kubectl or the Kubernetes API to retrieve the
Ingress resource and view the endpoint for the ALB under the Address attribute.
For example, suppose you provisioned the following Ingress resource in the default namespace:
Note how the ALB endpoint is recorded under the Address column. You can hit that endpoint to access the service
externally.
DNS records for the ALB
In order for the host based routing rules to work with the ALB, you need to configure your DNS records to point to the
ALB endpoint. This can be tricky if you are managing your DNS records externally, especially given the asynchronous
nature of the controller in provisioning the ALBs.
The AWS ALB Ingress Controller has first class support for
external-dns, a third party tool that configures external DNS
providers with domains to route to Services and Ingresses in Kubernetes. See our eks-k8s-external-dns
module for more information on how to set up the tool.
How do I deploy the Pods to Fargate?
To deploy the Pods to Fargate, you can set the create_fargate_profile variable to true and specify the subnet IDs
for Fargate using vpc_worker_subnet_ids. Note that if you are using Fargate, you must rely on the IAM Roles for
Service Accounts (IRSA) feature to grant the necessary AWS IAM permissions to the Pod. This is configured using the
use_iam_role_for_service_accounts, eks_openid_connect_provider_arn, and eks_openid_connect_provider_url input
variables.
How does the ALB route to Fargate?
For Pods deployed to Fargate, you must specify the annotation
alb.ingress.kubernetes.io/target-type: ip
to the Ingress resource in order for the ALB to route properly. This is because Fargate does not have actual EC2
instances under the hood, and thus the ALB cannot be configured to route by instance (the default configuration).
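
The rules this page gives for the alb class annotation, the instance and ip target types, and Fargate can be checked against manifests before they are applied. The following is an added example, not part of the module: the function names, finding codes, the `on_fargate` flag and the sample manifests (built from the /service example described earlier, with assumed resource names) are constructed for illustration.

```python
import copy

CLASS_KEY = "kubernetes.io/ingress.class"
TARGET_KEY = "alb.ingress.kubernetes.io/target-type"
SCHEME_KEY = "alb.ingress.kubernetes.io/scheme"

# Constructed manifests mirroring the /service example described on this page
# (resource names are assumptions).
BACKEND_SERVICE = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {"name": "backend"},
    "spec": {
        "type": "ClusterIP",
        "selector": {"app": "backend"},
        "ports": [{"port": 80, "targetPort": 80}],
    },
}
SERVICE_INGRESS = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "Ingress",
    "metadata": {"name": "service-ingress", "annotations": {CLASS_KEY: "alb"}},
    "spec": {"rules": [{"http": {"paths": [{
        "path": "/service",
        "pathType": "Prefix",
        "backend": {"service": {"name": "backend", "port": {"number": 80}}},
    }]}}]},
}


def annotate(ingress, extra):
    """Return a copy of the Ingress with extra annotations merged in."""
    out = copy.deepcopy(ingress)
    out["metadata"].setdefault("annotations", {}).update(extra)
    return out


def backend_services(ingress):
    """Return the set of Service names referenced by the Ingress path rules."""
    names = set()
    for rule in ingress.get("spec", {}).get("rules", []):
        for path in (rule.get("http") or {}).get("paths", []):
            backend = path.get("backend") or {}
            # networking.k8s.io/v1 nests the name; older v1beta1 uses serviceName.
            name = (backend.get("service") or {}).get("name") or backend.get("serviceName")
            if name:
                names.add(name)
    return names


def lint_ingress(ingress, services, on_fargate=False):
    """Return (code, detail) findings for one Ingress.

    services:   dict of Service name -> Service manifest in the same namespace.
    on_fargate: caller-supplied flag, True when the backing Pods run on Fargate.
    """
    meta = ingress.get("metadata", {})
    ann = meta.get("annotations") or {}
    name = meta.get("name", "<unnamed>")
    findings = []

    # Without the alb class the Ingress is not mapped to an ALB at all.
    if ann.get(CLASS_KEY) != "alb":
        return [("NO_ALB_CLASS", f"{name}: add '{CLASS_KEY}: alb'")]

    target = ann.get(TARGET_KEY, "instance")  # instance is the default
    if target not in ("instance", "ip"):
        findings.append(("BAD_TARGET_TYPE", f"{name}: {target!r} is not instance or ip"))

    # Fargate has no EC2 instances to register, so routing must be by Pod IP.
    if on_fargate and target != "ip":
        findings.append(("FARGATE_NEEDS_IP", f"{name}: set '{TARGET_KEY}: ip'"))

    # The instance target type reaches Services through node ports.
    if target == "instance":
        for svc_name in sorted(backend_services(ingress)):
            svc = services.get(svc_name)
            if svc is None:
                findings.append(("SERVICE_MISSING", f"{name}: no Service {svc_name!r}"))
                continue
            svc_type = svc.get("spec", {}).get("type", "ClusterIP")
            if svc_type != "NodePort":
                findings.append(("SERVICE_NOT_NODEPORT",
                                 f"{name}: Service {svc_name!r} is {svc_type}"))

    # A public ALB is an exposure decision worth surfacing in review.
    if ann.get(SCHEME_KEY) == "internet-facing":
        findings.append(("PUBLIC_ALB", f"{name}: ALB will be internet-facing"))
    return findings


if __name__ == "__main__":
    services = {"backend": BACKEND_SERVICE}
    for label, ing, fargate in [
        ("default target type", SERVICE_INGRESS, False),
        ("ip target type", annotate(SERVICE_INGRESS, {TARGET_KEY: "ip"}), False),
        ("default on Fargate", SERVICE_INGRESS, True),
    ]:
        print(label, lint_ingress(ing, services, on_fargate=fargate))
```

With the default instance target type, the ClusterIP Service from the /service example is reported as SERVICE_NOT_NODEPORT; switching the Ingress to the ip target type clears the finding.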
4dbbd2610f81685e7"},{"name":"test_debug_helpers.go","path":"test/test_debug_helpers.go","sha":"c71a7a9d5b68f0f59d2518496d9f5893206b5e22"},{"name":"test_helpers.go","path":"test/test_helpers.go","sha":"9c7eb9d7c3f2d1acc6d305bfc95371fca8ee0221"}]}]},"detailsContent":"<h1 class=\"preview__body--title\" id=\"alb-ingress-controller-module\">ALB Ingress Controller Module</h1><div class=\"preview__body--border\"></div><p>This Terraform Module installs and configures the <a href=\"https://github.com/kubernetes-sigs/aws-alb-ingress-controller\" class=\"preview__body--description--blue\" target=\"_blank\">AWS ALB Ingress\nController</a> on an EKS cluster, so that you can configure\nan ALB using <a href=\"https://kubernetes.io/docs/concepts/services-networking/ingress/\" class=\"preview__body--description--blue\" target=\"_blank\">Ingress</a> resources.</p>\n<p>This module uses the <a href=\"https://github.com/helm/charts/tree/8faca09ce7d71defd7e571c9e17b9c0498d204a6/incubator/aws-alb-ingress-controller\" class=\"preview__body--description--blue\" target=\"_blank\">community helm chart</a>, with a set of best practices input.</p>\n<h2 class=\"preview__body--subtitle\" id=\"how-does-this-work\">How does this work?</h2>\n<p>This module solves the problem of integrating Kubernetes <code>Service</code> endpoints with an\n<a href=\"https://docs.aws.amazon.com/elasticloadbalancing/latest/application/introduction.html\" class=\"preview__body--description--blue\" target=\"_blank\">ALB</a>. Out of the box Kubernetes\nsupports tying <a href=\"https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/\" class=\"preview__body--description--blue\" target=\"_blank\">a <code>Service</code> to an ELB or NLB using the <code>LoadBalancer</code>\ntype</a>. 
However, the\n<code>LoadBalancer</code> <code>Service</code> type does not support ALBs, and thus you can not implement complex routing rules based on\ndomain or paths.</p>\n<p>Kubernetes uses <code>Ingress</code> resources to configure and implement "Layer 7" load balancers (where ALBs fit in the <a href=\"https://en.wikipedia.org/wiki/OSI_model#Layer_7:_Application_Layer\" class=\"preview__body--description--blue\" target=\"_blank\">OSI\nmodel</a>). Kubernetes <code>Ingress</code> works by providing a\nconfiguration framework to configure routing rules from a load balancer to <code>Services</code> within Kubernetes. For example,\nsuppose you wanted to provision a <code>Service</code> for your backend, fronted by a load balancer that routes any request made to\nthe path <code>/service</code> to the backend. To do so, in addition to creating your <code>Service</code>, you would create an <code>Ingress</code>\nresource in Kubernetes that configures the routing rule:</p>\n<pre><span class=\"hljs-meta\">---</span>\n<span class=\"hljs-attr\">kind:</span> <span class=\"hljs-string\">Service</span>\n<span class=\"hljs-attr\">apiVersion:</span> <span class=\"hljs-string\">v1</span>\n<span class=\"hljs-attr\">metadata:</span>\n <span class=\"hljs-attr\">name:</span> <span class=\"hljs-string\">backend</span>\n<span class=\"hljs-attr\">spec:</span>\n <span class=\"hljs-attr\">selector:</span>\n <span class=\"hljs-attr\">app:</span> <span class=\"hljs-string\">backend</span>\n <span class=\"hljs-attr\">ports:</span>\n <span class=\"hljs-bullet\">-</span> <span class=\"hljs-attr\">protocol:</span> <span class=\"hljs-string\">TCP</span>\n <span class=\"hljs-attr\">port:</span> <span class=\"hljs-number\">80</span>\n <span class=\"hljs-attr\">targetPort:</span> <span class=\"hljs-number\">80</span>\n<span class=\"hljs-meta\">---</span>\n<span class=\"hljs-attr\">apiVersion:</span> <span class=\"hljs-string\">extensions/v1beta1</span>\n<span class=\"hljs-attr\">kind:</span> 
<span class=\"hljs-string\">Ingress</span>\n<span class=\"hljs-attr\">metadata:</span>\n <span class=\"hljs-attr\">name:</span> <span class=\"hljs-string\">service-ingress</span>\n<span class=\"hljs-attr\">spec:</span>\n <span class=\"hljs-attr\">rules:</span>\n <span class=\"hljs-bullet\">-</span> <span class=\"hljs-attr\">http:</span>\n <span class=\"hljs-attr\">paths:</span>\n <span class=\"hljs-bullet\">-</span> <span class=\"hljs-attr\">path:</span> <span class=\"hljs-string\">/service</span>\n <span class=\"hljs-attr\">backend:</span>\n <span class=\"hljs-attr\">serviceName:</span> <span class=\"hljs-string\">backend</span>\n <span class=\"hljs-attr\">servicePort:</span> <span class=\"hljs-number\">80</span>\n</pre>\n<p>In the above configuration, we create a Cluster IP based <code>Service</code> (so that it is only available internally to the\nKubernetes cluster) that routes requests to port 80 to any <code>Pod</code> that maches the label <code>app=backend</code> on port 80. Then,\nwe configure an <code>Ingress</code> rule that routes any requests prefixed with <code>/service</code> to that <code>Service</code> endpoint on port 80.</p>\n<p>The actual load balancer that is configured by the <code>Ingress</code> resource is defined by the particular <a href=\"https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/\" class=\"preview__body--description--blue\" target=\"_blank\">Ingress\nController</a> that you deploy onto your\nKubernetes cluster. Ingress Controllers are separate processes that run on your Kubernetes cluster that will watch for\n<code>Ingress</code> resources and reflect them by provisioning or configuring load balancers. Depending on which controller you\nuse, the particular load balancer that is provisioned will be different. 
For example, if you use the <a href=\"https://github.com/kubernetes/ingress-nginx/blob/master/README.md\" class=\"preview__body--description--blue\" target=\"_blank\">official nginx\ncontroller</a>, each <code>Ingress</code> resource translates into\nan nginx <code>Pod</code> that implements the routing rules.</p>\n<p>Note that each <code>Ingress</code> resource defines a separate load balancer. This means that each time you create a new <code>Ingress</code>\nresource in Kubernetes, Kubernetes will provision a new load balancer configured with the rules defined by the <code>Ingress</code>\nresource.</p>\n<p>This module deploys the AWS ALB Ingress Controller, which will reflect each <code>Ingress</code> resource into an ALB resource\ndeployed into your AWS account.</p>\n<h2 class=\"preview__body--subtitle\" id=\"how-do-you-use-this-module\">How do you use this module?</h2>\n<ul>\n<li>See the <a href=\"/repos/v0.32.4/terraform-aws-eks/README.adoc\" class=\"preview__body--description--blue\">root README</a> for instructions on using Terraform modules.</li>\n<li>See the <a href=\"/repos/v0.32.4/terraform-aws-eks/examples/eks-cluster-with-supporting-services\" class=\"preview__body--description--blue\">eks-cluster-with-supporting-services example</a> for example\nusage.</li>\n<li>See <a href=\"/repos/v0.32.4/terraform-aws-eks/modules/eks-alb-ingress-controller/variables.tf\" class=\"preview__body--description--blue\">variables.tf</a> for all the variables you can set on this module.</li>\n<li>This module uses <a href=\"https://www.terraform.io/docs/providers/kubernetes/index.html\" class=\"preview__body--description--blue\" target=\"_blank\">the <code>kubernetes</code> provider</a>.</li>\n<li>This module uses <a href=\"https://www.terraform.io/docs/providers/helm/index.html\" class=\"preview__body--description--blue\" target=\"_blank\">the <code>helm</code> provider</a>.</li>\n</ul>\n<h2 class=\"preview__body--subtitle\" id=\"prerequisites\">Prerequisites</h2>\n<h3 
class=\"preview__body--subtitle\" id=\"helm-setup\">Helm setup</h3>\n<p>This module uses <a href=\"https://helm.sh/docs/\" class=\"preview__body--description--blue\" target=\"_blank\"><code>helm</code> v3</a> to deploy the controller to the Kubernetes cluster.</p>\n<h3 class=\"preview__body--subtitle\" id=\"alb-target-type\">ALB Target Type</h3>\n<p>The ALB Ingress Controller application can configure ALBs to send work either to Node IPs (<code>instance</code>) or Pod IPs (<code>ip</code>) as backend targets. This can be specified in the Ingress object using the <a href=\"https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/ingress/annotation/#target-type\" class=\"preview__body--description--blue\" target=\"_blank\"><code>alb.ingress.kubernetes.io/target-type</code></a>. The default is <code>instance</code>.</p>\n<p>When using the default <code>instance</code> target type, the <code>Services</code> intended to be consumed by the <code>Ingress</code> resource must be\nprovisioned using the <code>NodePort</code> type. This is not required when using the <code>ip</code> target type.</p>\n<p>Note that the controller will take care of setting up the target groups on the provisioned ALB so that everything routes\ncorrectly.</p>\n<h3 class=\"preview__body--subtitle\" id=\"subnets\">Subnets</h3>\n<p>You can use the <code>alb.ingress.kubernetes.io/subnets</code> annotation on <code>Ingress</code> resources to specify which subnets the controller should configure the ALB for.</p>\n<p>You can also omit the <code>alb.ingress.kubernetes.io/subnets</code> annotation, and the controller will <a href=\"https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/controller/config/#subnet-auto-discovery\" class=\"preview__body--description--blue\" target=\"_blank\">automatically discover subnets</a> based on their tags. 
This method should work "out of the box", so long as you are using the <a href=\"/repos/v0.32.4/terraform-aws-eks/modules/eks-vpc-tags\" class=\"preview__body--description--blue\"><code>eks-vpc-tags</code></a> module to tag your VPC subnets.</p>\n<h3 class=\"preview__body--subtitle\" id=\"security-groups\">Security Groups</h3>\n<p>As mentioned above under the <a href=\"#alb-target-type\" class=\"preview__body--description--blue\">ALB Target Type</a> section, the default ALB target type uses node ports to connect to the\n<code>Services</code>. As such if you have restricted security groups that prevent access to the provisioned ports on the worker\nnodes, the ALBs will not be able to reach the <code>Services</code>.</p>\n<p>To ensure the provisioned ALBs can access the node ports, we recommend using dedicated subnets for load balancing and\nconfiguring your security groups so that resources provisioned in those subnets can access the node ports of the worker\nnodes.</p>\n<h3 class=\"preview__body--subtitle\" id=\"iam-permissions\">IAM permissions</h3>\n<p>The container deployed in this module requires IAM permissions to manage ALB resources. See <a href=\"/repos/v0.32.4/terraform-aws-eks/modules/eks-alb-ingress-controller-iam-policy\" class=\"preview__body--description--blue\">the\neks-alb-ingress-controller-iam-policy module</a> for more information.</p>\n<h2 class=\"preview__body--subtitle\" id=\"using-the-ingress-controller\">Using the Ingress Controller</h2>\n<p>In order for the <code>Ingress</code> resources to properly map into an ALB, the <code>Ingress</code> resources created need to be annotated\nto use the <code>alb</code> <code>Ingress</code> class. 
You can do this by adding the following annotation to your <code>Ingress</code> resources:</p>\n<pre>annotations:\n kubernetes.io/ingress<span class=\"hljs-class\">.<span class=\"hljs-keyword\">class</span>: <span class=\"hljs-type\">alb</span></span>\n</pre>\n<p>The ALB Ingress Controller supports a wide range of configuration options via annotations on the <code>Ingress</code> object, including setting up Cognito for\nauthentication. For example, you can add the annotation <code>alb.ingress.kubernetes.io/scheme: internet-facing</code> to provision\na public ALB. You can refer to the <a href=\"https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/ingress/annotation/\" class=\"preview__body--description--blue\" target=\"_blank\">official\ndocumentation</a> for the full\nreference of configuration options supported by the controller.</p>\n<h2 class=\"preview__body--subtitle\" id=\"getting-the-alb-endpoint\">Getting the ALB endpoint</h2>\n<p>The ALB endpoint is recorded on the <code>Ingress</code> resource. 
You can use <code>kubectl</code> or the Kubernetes API to retrieve the\n<code>Ingress</code> resource and view the endpoint for the ALB under the <code>Address</code> attribute.</p>\n<p>For example, suppose you provisioned the following <code>Ingress</code> resource in the default namespace:</p>\n<pre><span class=\"hljs-meta\">---</span>\n<span class=\"hljs-attr\">apiVersion:</span> <span class=\"hljs-string\">extensions/v1beta1</span>\n<span class=\"hljs-attr\">kind:</span> <span class=\"hljs-string\">Ingress</span>\n<span class=\"hljs-attr\">metadata:</span>\n <span class=\"hljs-attr\">name:</span> <span class=\"hljs-string\">service-ingress</span>\n <span class=\"hljs-attr\">annotations:</span>\n <span class=\"hljs-attr\">kubernetes.io/ingress.class:</span> <span class=\"hljs-string\">alb</span>\n<span class=\"hljs-attr\">spec:</span>\n <span class=\"hljs-attr\">rules:</span>\n <span class=\"hljs-bullet\">-</span> <span class=\"hljs-attr\">http:</span>\n <span class=\"hljs-attr\">paths:</span>\n <span class=\"hljs-bullet\">-</span> <span class=\"hljs-attr\">path:</span> <span class=\"hljs-string\">/service</span>\n <span class=\"hljs-attr\">backend:</span>\n <span class=\"hljs-attr\">serviceName:</span> <span class=\"hljs-string\">backend</span>\n <span class=\"hljs-attr\">servicePort:</span> <span class=\"hljs-number\">80</span>\n</pre>\n<p>To get the ALB endpoint, call <code>kubectl</code> to describe the <code>Ingress</code> resource:</p>\n<pre>$ kubectl describe ing service-ingress\nName: service-ingress\nNamespace: <span class=\"hljs-built_in\"> default\n</span>Address: QZVpvauzhSuRBRMfjAGnbgaCaLeANaoe.us-east-2.elb.amazonaws.com<span class=\"hljs-built_in\">\nDefault </span>backend: default-http-backend:80 (10.2.1.28:8080)\nRules:\n Host Path Backends\n ---- ---- --------\n <span class=\"hljs-built_in\">/service </span> backend:80 (<none>)\nAnnotations:\nEvents:\n FirstSeen LastSeen Count <span class=\"hljs-keyword\">From</span> SubObjectPath <span 
class=\"hljs-built_in\"> Type </span> Reason Message\n --------- -------- ----- ---- ------------- -------- ------ -------\n 3m 3m 1 ingress-controller Normal CREATE Ingress service-ingress/backend\n 3m 32s 3 ingress-controller Normal UPDATE Ingress service-ingress/backend\n</pre>\n<p>Note how the ALB endpoint is recorded under the <code>Address</code> column. You can hit that endpoint to access the service\nexternally.</p>\n<h2 class=\"preview__body--subtitle\" id=\"dns-records-for-the-alb\">DNS records for the ALB</h2>\n<p>In order for the host based routing rules to work with the ALB, you need to configure your DNS records to point to the\nALB endpoint. This can be tricky if you are managing your DNS records externally, especially given the asynchronous\nnature of the controller in provisioning the ALBs.</p>\n<p>The AWS ALB Ingress Controller has first class support for\n<a href=\"https://github.com/kubernetes-incubator/external-dns\" class=\"preview__body--description--blue\" target=\"_blank\">external-dns</a>, a third party tool that configures external DNS\nproviders with domains to route to <code>Services</code> and <code>Ingresses</code> in Kubernetes. See our <a href=\"/repos/v0.32.4/terraform-aws-eks/modules/eks-k8s-external-dns\" class=\"preview__body--description--blue\">eks-k8s-external-dns\nmodule</a> for more information on how to setup the tool.</p>\n<h2 class=\"preview__body--subtitle\" id=\"how-do-i-deploy-the-pods-to-fargate\">How do I deploy the Pods to Fargate?</h2>\n<p>To deploy the Pods to Fargate, you can use the <code>create_fargate_profile</code> variable to <code>true</code> and specify the subnet IDs\nfor Fargate using <code>vpc_worker_subnet_ids</code>. Note that if you are using Fargate, you must rely on the IAM Roles for\nService Accounts (IRSA) feature to grant the necessary AWS IAM permissions to the Pod. 
This is configured using the\n<code>use_iam_role_for_service_accounts</code>, <code>eks_openid_connect_provider_arn</code>, and <code>eks_openid_connect_provider_url</code> input\nvariables.</p>\n<h2 class=\"preview__body--subtitle\" id=\"how-does-the-alb-route-to-fargate\">How does the ALB route to Fargate?</h2>\n<p>For Pods deployed to Fargate, you must specify the annotation</p>\n<pre>alb.ingress.kubernetes.io/target-type:<span class=\"hljs-built_in\"> ip\n</span></pre>\n<p>to the Ingress resource in order for the ALB to route properly. This is because Fargate does not have actual EC2\ninstances under the hood, and thus the ALB can not be configured to route by instance (the default configuration).</p>\n","repoName":"terraform-aws-eks","repoRef":"v0.22.0","serviceDescriptor":{"serviceName":"EC2 Kubernetes Service (EKS) Cluster","serviceRepoName":"terraform-aws-eks","serviceRepoOrg":"gruntwork-io","cloudProviders":["aws"],"description":"Deploy a Kubernetes cluster on top of Amazon EC2 Kubernetes Service (EKS).","imageUrl":"eks.png","licenseType":"subscriber","technologies":["Terraform","Python","Bash"],"compliance":[],"tags":[""]},"serviceCategoryName":"Docker orchestration","fileName":"README.md","filePath":"/modules/eks-alb-ingress-controller","title":"Repo Browser: EC2 Kubernetes Service (EKS) Cluster","description":"Browse the repos in the Gruntwork Infrastructure as Code Library."}