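# Trust policy for the load balancer controller's IAM role (IRSA): only the
# cluster's OIDC provider may assume it, and only on behalf of the named
# Kubernetes service account.
data "aws_iam_policy_document" "loadbalancer_role_policy" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    # Pin the token audience to the STS client id registered on the OIDC
    # provider below. Matching on `sub` alone accepts any token this issuer
    # signed for that service account regardless of its intended audience;
    # `aud` + `sub` is the documented IRSA trust condition pair.
    condition {
      test     = "StringEquals"
      variable = "${replace(aws_iam_openid_connect_provider.loadbalancer.url, "https://", "")}:aud"
      values   = ["sts.amazonaws.com"]
    }

    # Restrict assumption to the controller's service account (namespace:name).
    condition {
      test     = "StringEquals"
      variable = "${replace(aws_iam_openid_connect_provider.loadbalancer.url, "https://", "")}:sub"
      values   = ["system:serviceaccount:kube-system:aws-load-balancer-controller"]
    }

    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.loadbalancer.arn]
    }
  }
}

# Obtains the OIDC issuer's CA thumbprint by running a local script at plan
# time. Its stdout is accepted as-is and becomes the trust anchor of the
# provider below, so the script and the path it is loaded from are part of the
# trusted computing base (review it like you would a credential-handling tool).
data "external" "thumbprint" {
  program = [
    "/bin/sh",
    "${path.module}/external/thumbprint",
    data.aws_region.current.name,
  ]
}

# Registers the EKS cluster's OIDC issuer with IAM so that pod service-account
# tokens can be exchanged for role credentials via STS.
resource "aws_iam_openid_connect_provider" "loadbalancer" {
  url = aws_eks_cluster.company.identity[0].oidc[0].issuer

  # Must match the `aud` condition in the trust policy above.
  client_id_list = [
    "sts.amazonaws.com",
  ]

  thumbprint_list = [
    data.external.thumbprint.result.thumbprint
  ]
}

# Role the controller pod assumes; its permissions come from the attachment
# below, its trust boundary from the policy document above.
resource "aws_iam_role" "loadbalancer" {
  name               = "${var.cluster-name}-loadbalancer-openid-role"
  assume_role_policy = data.aws_iam_policy_document.loadbalancer_role_policy.json
}

# Resource address spelling is kept as-is: renaming it would force Terraform to
# destroy and recreate the attachment.
resource "aws_iam_role_policy_attachment" "loadbalancer_role_attachement" {
  policy_arn = aws_iam_policy.loadbalancer.arn
  role       = aws_iam_role.loadbalancer.name
}

# Security group for the ALB fronting the TRA (Diameter / MDC) endpoints.
# `name`, `description` and `vpc_id` are left unchanged: editing them forces
# replacement of the group.
resource "aws_security_group" "alb-tra-security-group" {
  name        = "${var.cluster-name}-tra-security-group"
  description = "ALB communication with outside world"
  vpc_id      = aws_vpc.company.id

  # Outbound is unrestricted (all protocols, all destinations). An ALB only
  # needs to reach its targets; consider narrowing this to the target
  # subnets/CIDRs once their placement is settled.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # Inbound is limited to the operator workstation CIDR, not the internet.
  ingress {
    description = "Diameter from User"
    from_port   = 3868
    to_port     = 3868
    protocol    = "tcp"
    cidr_blocks = [local.workstation-external-cidr]
  }

  ingress {
    description = "MDC from User"
    from_port   = 4060
    to_port     = 4060
    protocol    = "tcp"
    cidr_blocks = [local.workstation-external-cidr]
  }

  tags = {
    Name = "${var.cluster-name}-tra-security-group"
  }
}

# Security group for the HTTP/HTTPS ALB. Same replacement caveat as above for
# `name`, `description` and `vpc_id`.
resource "aws_security_group" "alb-http-security-group" {
  name        = "${var.cluster-name}-alb-http-security-group"
  description = "ALB communication with outside world"
  vpc_id      = aws_vpc.company.id

  # Unrestricted outbound; see the note on the TRA group.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    description = "TLS from User"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [local.workstation-external-cidr]
  }

  # Plain HTTP is also admitted from the workstation CIDR; whether the listener
  # redirects it to 443 is decided outside this file.
  ingress {
    description = "HTTP from User"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = [local.workstation-external-cidr]
  }

  tags = {
    Name = "${var.cluster-name}-alb-http-security-group"
  }
}

resource "aws_iam_policy" "loadbalancer" {
  # (resource arguments)
  name   = "${var.cluster-name}-load-balancer-policy"
  policy = <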