Amazon EKS 0.72.3 (last updated in version 0.72.1)

ALB Ingress Controller IAM Policy Module


This Terraform Module defines an IAM policy containing the minimal set of permissions necessary for the AWS ALB Ingress Controller. The policy can then be attached to EC2 instances or IAM roles so that the deployed controller has enough permissions to manage an ALB.

See the eks-alb-ingress-controller module for a module that deploys the Ingress Controller on to your EKS cluster.

Attaching IAM policy to workers

To allow the ALB Ingress Controller to manage ALBs, it needs IAM permissions to call the AWS APIs that manage ALBs. Currently, the way to grant Pods IAM privileges is to use the worker IAM profiles provisioned by the eks-cluster-workers module. Note that permissions attached to the worker IAM role are available to every Pod scheduled on those workers, not only to the controller, so keep the attached policy as narrow as this module defines it.

The Terraform templates in this module create an IAM policy that has the required permissions. You then need to use an aws_iam_role_policy_attachment to attach that policy to the IAM role of your EC2 Instances, as in the following example:

module "eks_workers" {
  # (arguments omitted)
}

module "alb_ingress_controller_iam_policy" {
  # (arguments omitted)
}

# Attach the ALB Ingress Controller policy to the worker IAM role so that the
# controller Pods running on those workers can call the ALB management APIs.
resource "aws_iam_role_policy_attachment" "attach_alb_ingress_controller_iam_policy" {
  role       = module.eks_workers.eks_worker_iam_role_name
  policy_arn = module.alb_ingress_controller_iam_policy.alb_ingress_controller_policy_arn
}

Sample Usage

main.tf

# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S EKS-ALB-INGRESS-CONTROLLER-IAM-POLICY MODULE
# ------------------------------------------------------------------------------------------------------

module "eks_alb_ingress_controller_iam_policy" {

source = "git::git@github.com:gruntwork-io/terraform-aws-eks.git//modules/eks-alb-ingress-controller-iam-policy?ref=v0.72.3"

# ----------------------------------------------------------------------------------------------------
# REQUIRED VARIABLES
# ----------------------------------------------------------------------------------------------------

# A name that uniquely identifies the context in which this module is being
# invoked. This also helps to avoid creating two resources with the same name
# from different terraform applies.
name_prefix = <string>

# ----------------------------------------------------------------------------------------------------
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------

# The AWS partition used for default AWS Resources.
aws_partition = "aws"

# If you set this variable to false, this module will not create any
# resources. This is used as a workaround because Terraform does not allow you
# to use the 'count' parameter on modules. By using this parameter, you can
# optionally create or not create the resources within this module.
create_resources = true

# Tags to apply to all AWS resources managed by this module.
default_tags = {}

# A map of custom tags to apply to the IAM Policy if enabled. The key is the
# tag name and the value is the tag value.
iam_policy_tags = {}

}


Reference

Required

name_prefix (string, required)

A name that uniquely identifies the context in which this module is being invoked. This also helps to avoid creating two resources with the same name from different terraform applies.

Optional

aws_partition (string, optional)

The AWS partition used for default AWS Resources.

Default: "aws"

create_resources (bool, optional)

If you set this variable to false, this module will not create any resources. This is used as a workaround because Terraform does not allow you to use the 'count' parameter on modules. By using this parameter, you can optionally create or not create the resources within this module.

Default: true

default_tags (map(string), optional)

Tags to apply to all AWS resources managed by this module.

Default: {}

iam_policy_tags (map(string), optional)

A map of custom tags to apply to the IAM Policy if enabled. The key is the tag name and the value is the tag value.

Default: {}