ManagedKube · sekka1 · Feb 11, 2022 · Feb 11, 2022 · Feb 11, 2022 · Feb 11, 2022
diff --git a/terraform-environments/aws/dev/helm/istio/istio_ingress_values.yaml b/terraform-environments/aws/dev/helm/istio/istio_ingress_values.yaml
@@ -4,3 +4,12 @@
 #       # Setting to an internal load balancer
 #       # https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
 #       service.beta.kubernetes.io/aws-load-balancer-internal: "true"
+
+        external-dns.alpha.kubernetes.io/hostname: app1.example.com,app2.example.com
+        service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-1:11114410111:certificate/cab4cc86-e94a-4dec-afc2-579114208350
+        service.beta.kubernetes.io/aws-load-balancer-access-log-enabled: true
+        service.beta.kubernetes.io/aws-load-balancer-access-log-emit-interval: 5
+        service.beta.kubernetes.io/aws-load-balancer-access-log-s3-bucket-name: "elb-logs-dev"
+        # https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html
+        # service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: "ELBSecurityPolicy-TLS-1-2-2017-01"
+        # Setting this with Terraform since we need a custom TLS policy: https://github.q-internal.tech/qadium/shared-infra-automation/tree/master/aws-ent/qadium-dev/load-balancer/tls-policy
diff --git a/terraform-modules/aws/istio/main.tf b/terraform-modules/aws/istio/main.tf
@@ -43,6 +43,15 @@ resource "helm_release" "helm_chart_istio_discovery" {
   ]
 }
 
+data "template_file" "helm_chart_istio_ingress" {
+  template = var.helm_values_istio_ingress
+  #file("${path.module}/values/istio_ingress_values.tpl.yaml")
+
+  vars = {
+    acmARN      = module.acm_request_certificate[0].arn
+  }
+}
+
 resource "helm_release" "helm_chart_istio_ingress" {
   count            = var.install_helm_chart_istio_ingress
   chart            = "${path.module}/istio-${var.istio_version}/manifests/charts/gateways/istio-ingress"
@@ -52,7 +61,8 @@ resource "helm_release" "helm_chart_istio_ingress" {
   verify           = var.verify
 
   values = [
-    var.helm_values_istio_ingress,
+    data.template_file.helm_chart_istio_ingress.rendered,
+    # var.helm_values_istio_ingress,
   ]
 
   depends_on = [
@@ -76,3 +86,16 @@ resource "helm_release" "helm_chart_istio_egress" {
     helm_release.helm_chart_istio_base
   ]
 }
+
+module "acm_request_certificate" {
+  source = "cloudposse/acm-request-certificate/aws"
+  version = "0.16.0"
+
+  count = var.create_acm_cert ? 1 : 0
+
+  domain_name                       = var.acm_domain_name
+  process_domain_validation_options = true
+  ttl                               = var.acm_ttl
+  subject_alternative_names         = var.acm_subject_alternative_names
+  zone_id                           = var.acm_route53_zone_id
+}
diff --git a/terraform-modules/aws/istio/values/istio_ingress_values.tpl.yaml b/terraform-modules/aws/istio/values/istio_ingress_values.tpl.yaml
@@ -0,0 +1,14 @@
+# gateways:
+#   istio-ingressgateway:
+#     serviceAnnotations:
+#       # Setting to an internal load balancer
+#       # https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
+#       service.beta.kubernetes.io/aws-load-balancer-internal: "true"
+
+        # external-dns.alpha.kubernetes.io/hostname: app1.example.com,app2.example.com
+        service.beta.kubernetes.io/aws-load-balancer-ssl-cert: ${acmARN}
+        # service.beta.kubernetes.io/aws-load-balancer-access-log-enabled: true
+        # service.beta.kubernetes.io/aws-load-balancer-access-log-emit-interval: 5
+        # service.beta.kubernetes.io/aws-load-balancer-access-log-s3-bucket-name: "elb-logs-dev"
+        # https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html
+        # service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: "ELBSecurityPolicy-TLS-1-2-2017-01"
diff --git a/terraform-modules/aws/istio/variables.tf b/terraform-modules/aws/istio/variables.tf
@@ -113,3 +113,33 @@ variable "helm_values_istio_egress" {
   default     = ""
   description = "Additional helm values to pass in.  These values would override the default in this module."
 }
+
+variable "create_acm_cert" {
+  type        = bool
+  default     = false
+  description = "Creates an ACM cert and applied to the istio ingress"
+}
+
+variable "acm_domain_name" {
+  type        = string
+  default     = "example.com"
+  description = "The domain name to create a certificate for"
+}
+
+variable "acm_ttl" {
+  type        = string
+  default     = "300"
+  description = "The certifcate TTL"
+}
+
+variable "acm_subject_alternative_names" {
+  type        = list(string)
+  default     = ["*.example.com"]
+  description = "Subject alternative names for the cert (SAN)"
+}
+
+variable "acm_route53_zone_id" {
+  type        = string
+  default     = ""
+  description = "The route53 zone ID to perform DNS validation on the ACM cert"
+}