Basic Function to ALB
lambda_function.py
import json
def lambda_handler(event, context):
    """Entry point invoked by Lambda (on this page, behind an ALB target group).

    Args:
        event: Invocation payload from the ALB; not used yet (see TODO).
        context: Lambda runtime context object; not used.

    Returns:
        A response dict with an HTTP status code and a JSON-encoded body.
    """
    # TODO implement
    body = json.dumps('Hello from Lambda!')
    response = {'statusCode': 200}
    response['body'] = body
    return response
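# Package the handler (and everything else in the working directory) as the deployment zip.
# The archive itself is excluded so re-running the step does not nest a stale copy inside.
zip -r lambda-function.zip . -x lambda-function.zip
# Create the bucket in the same region as the function: Lambda only loads a Zip package
# from a bucket in its own region. Bucket names are global, so change this one if it is taken.
aws s3 mb s3://crs-lambda-function-bucket --region ap-northeast-2
# Upload the zip; the Function manifest below references it as s3Key lambda-function.zip.
# (The original snippet only created the bucket and never uploaded the archive.)
aws s3 cp lambda-function.zip s3://crs-lambda-function-bucket/lambda-function.zip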
# VPC
# 10.0.0.0/16 is the demo address space; every subnet below is a /24 carved from it.
apiVersion: ec2.aws.crossplane.io/v1beta1
kind: VPC
metadata:
  name: demo-vpc
spec:
  forProvider:
    region: ap-northeast-2
    cidrBlock: 10.0.0.0/16
    instanceTenancy: default
    # DNS resolution and private hostnames are enabled for the VPC.
    enableDnsSupport: true
    enableDnsHostNames: true
    tags:
      - key: Name
        value: demo-vpc
  providerConfigRef:
    name: aws-provider
---
# Public Subnets
# One per AZ. The NAT gateways and the ALB are placed here, so launches get a public IP.
apiVersion: ec2.aws.crossplane.io/v1beta1
kind: Subnet
metadata:
  name: demo-public-subnet-a
spec:
  forProvider:
    region: ap-northeast-2
    availabilityZone: ap-northeast-2a
    cidrBlock: 10.0.0.0/24
    mapPublicIPOnLaunch: true
    vpcIdRef:
      name: demo-vpc
    tags:
      - key: Name
        value: demo-public-subnet-a
  providerConfigRef:
    name: aws-provider
---
apiVersion: ec2.aws.crossplane.io/v1beta1
kind: Subnet
metadata:
  name: demo-public-subnet-b
spec:
  forProvider:
    region: ap-northeast-2
    availabilityZone: ap-northeast-2b
    cidrBlock: 10.0.1.0/24
    mapPublicIPOnLaunch: true
    vpcIdRef:
      name: demo-vpc
    tags:
      - key: Name
        value: demo-public-subnet-b
  providerConfigRef:
    name: aws-provider
---
# Private Subnets
# The Lambda function's ENIs live here: no public IPs, outbound only via the NAT gateways.
apiVersion: ec2.aws.crossplane.io/v1beta1
kind: Subnet
metadata:
  name: demo-private-subnet-a
spec:
  forProvider:
    region: ap-northeast-2
    availabilityZone: ap-northeast-2a
    cidrBlock: 10.0.2.0/24
    mapPublicIPOnLaunch: false
    vpcIdRef:
      name: demo-vpc
    tags:
      - key: Name
        value: demo-private-subnet-a
  providerConfigRef:
    name: aws-provider
---
apiVersion: ec2.aws.crossplane.io/v1beta1
kind: Subnet
metadata:
  name: demo-private-subnet-b
spec:
  forProvider:
    region: ap-northeast-2
    availabilityZone: ap-northeast-2b
    cidrBlock: 10.0.3.0/24
    mapPublicIPOnLaunch: false
    vpcIdRef:
      name: demo-vpc
    tags:
      - key: Name
        value: demo-private-subnet-b
  providerConfigRef:
    name: aws-provider
---
# Internet Gateway
# Sole internet path for the public route table (its 0.0.0.0/0 route points here).
apiVersion: ec2.aws.crossplane.io/v1beta1
kind: InternetGateway
metadata:
  name: demo-igw
spec:
  forProvider:
    region: ap-northeast-2
    vpcIdRef:
      name: demo-vpc
    tags:
      - key: Name
        value: demo-igw
  providerConfigRef:
    name: aws-provider
---
# EIPs for NAT
# One static address per NAT gateway. Traffic leaving the private subnets is sourced from
# these IPs, which is what an external party would allow-list.
apiVersion: ec2.aws.crossplane.io/v1beta1
kind: Address
metadata:
  name: demo-eip-a
spec:
  forProvider:
    region: ap-northeast-2
    domain: vpc
    tags:
      - key: Name
        value: demo-eip-a
  providerConfigRef:
    name: aws-provider
---
apiVersion: ec2.aws.crossplane.io/v1beta1
kind: Address
metadata:
  name: demo-eip-b
spec:
  forProvider:
    region: ap-northeast-2
    domain: vpc
    tags:
      - key: Name
        value: demo-eip-b
  providerConfigRef:
    name: aws-provider
---
# NAT Gateways
# One per AZ in the matching public subnet, so losing one AZ does not cut the other AZ's egress.
apiVersion: ec2.aws.crossplane.io/v1beta1
kind: NATGateway
metadata:
  name: demo-natgw-a
spec:
  forProvider:
    region: ap-northeast-2
    subnetIdRef:
      name: demo-public-subnet-a
    allocationIdRef:
      name: demo-eip-a
    tags:
      - key: Name
        value: demo-natgw-a
  providerConfigRef:
    name: aws-provider
---
apiVersion: ec2.aws.crossplane.io/v1beta1
kind: NATGateway
metadata:
  name: demo-natgw-b
spec:
  forProvider:
    region: ap-northeast-2
    subnetIdRef:
      name: demo-public-subnet-b
    allocationIdRef:
      name: demo-eip-b
    tags:
      - key: Name
        value: demo-natgw-b
  providerConfigRef:
    name: aws-provider
---
# Route Tables
# Public: default route via the IGW, associated with both public subnets.
# Private (one per AZ): default route via that AZ's NAT gateway, so private egress never
# crosses AZs to reach NAT.
apiVersion: ec2.aws.crossplane.io/v1beta1
kind: RouteTable
metadata:
  name: demo-public-rt
spec:
  forProvider:
    region: ap-northeast-2
    vpcIdRef:
      name: demo-vpc
    routes:
      - destinationCidrBlock: 0.0.0.0/0
        gatewayIdRef:
          name: demo-igw
    associations:
      - subnetIdRef:
          name: demo-public-subnet-a
      - subnetIdRef:
          name: demo-public-subnet-b
    tags:
      - key: Name
        value: demo-public-rt
  providerConfigRef:
    name: aws-provider
---
apiVersion: ec2.aws.crossplane.io/v1beta1
kind: RouteTable
metadata:
  name: demo-private-rt-a
spec:
  forProvider:
    region: ap-northeast-2
    vpcIdRef:
      name: demo-vpc
    routes:
      - destinationCidrBlock: 0.0.0.0/0
        natGatewayIdRef:
          name: demo-natgw-a
    associations:
      - subnetIdRef:
          name: demo-private-subnet-a
    tags:
      - key: Name
        value: demo-private-rt-a
  providerConfigRef:
    name: aws-provider
---
apiVersion: ec2.aws.crossplane.io/v1beta1
kind: RouteTable
metadata:
  name: demo-private-rt-b
spec:
  forProvider:
    region: ap-northeast-2
    vpcIdRef:
      name: demo-vpc
    routes:
      - destinationCidrBlock: 0.0.0.0/0
        natGatewayIdRef:
          name: demo-natgw-b
    associations:
      - subnetIdRef:
          name: demo-private-subnet-b
    tags:
      - key: Name
        value: demo-private-rt-b
  providerConfigRef:
    name: aws-provider
---
# Endpoint
# Gateway endpoint for S3 on both private route tables: S3 traffic from the private
# subnets stays on the AWS network instead of leaving through the NAT gateways.
# Note this kind is v1alpha1 and its tags field is a map, unlike the key/value list
# used by the v1beta1 kinds above.
apiVersion: ec2.aws.crossplane.io/v1alpha1
kind: VPCEndpoint
metadata:
  name: demo-s3-vpc-endpoint
spec:
  forProvider:
    region: ap-northeast-2
    vpcEndpointType: Gateway
    serviceName: com.amazonaws.ap-northeast-2.s3
    vpcIdRef:
      name: demo-vpc
    routeTableIdRefs:
      - name: demo-private-rt-a
      - name: demo-private-rt-b
    tags:
      Name: demo-s3-vpc-endpoint
  providerConfigRef:
    name: aws-provider
---
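# Security Group for Lambda
# Lambda ENIs never accept inbound connections: the ALB invokes the function through the
# Lambda service, not over the VPC. Only egress rules have any effect here, so the former
# 0.0.0.0/0 TCP/80 ingress rule is dropped (least privilege, no functional change).
apiVersion: ec2.aws.crossplane.io/v1beta1
kind: SecurityGroup
metadata:
  name: lambda-sg
spec:
  forProvider:
    region: ap-northeast-2
    groupName: lambda-sg
    description: Security group for Lambda function
    vpcIdRef:
      name: demo-vpc
    egress:
      # AWS will treat it as all ports any protocol
      - ipProtocol: '-1'
        ipRanges:
          - cidrIp: 0.0.0.0/0
    tags:
      - key: Name
        value: lambda-sg
  providerConfigRef:
    name: aws-provider
---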
# Security Group for ALB
# Public entry point: TCP/80 from anywhere in, unrestricted out. No 443 rule is present
# because the listener below is HTTP only.
apiVersion: ec2.aws.crossplane.io/v1beta1
kind: SecurityGroup
metadata:
  name: alb-sg
spec:
  forProvider:
    region: ap-northeast-2
    groupName: alb-sg
    description: Security group for ALB
    vpcIdRef:
      name: demo-vpc
    ingress:
      - ipProtocol: tcp
        fromPort: 80
        toPort: 80
        ipRanges:
          - cidrIp: 0.0.0.0/0
    egress:
      # AWS will treat it as all ports any protocol
      - ipProtocol: '-1'
        ipRanges:
          - cidrIp: 0.0.0.0/0
    tags:
      - key: Name
        value: alb-sg
  providerConfigRef:
    name: aws-provider
---
# Application Load Balancer
# Spans both public subnets; no scheme is set, so the AWS default (internet-facing) applies.
# alb-sg is the only group attached, so TCP/80 is the only reachable port.
apiVersion: elbv2.aws.crossplane.io/v1alpha1
kind: LoadBalancer
metadata:
  name: demo-alb
spec:
  forProvider:
    region: ap-northeast-2
    name: demo-alb
    loadBalancerType: application
    securityGroupRefs:
      - name: alb-sg
    subnetRefs:
      - name: demo-public-subnet-a
      - name: demo-public-subnet-b
  providerConfigRef:
    name: aws-provider
---
# Target Group
# targetType lambda: no port, protocol or VPC is given because the ALB invokes the
# function directly rather than connecting to an address.
apiVersion: elbv2.aws.crossplane.io/v1alpha1
kind: TargetGroup
metadata:
  name: lambda-tg
  labels:
    type: alb-target-group
spec:
  forProvider:
    region: ap-northeast-2
    name: lambda-tg
    targetType: lambda
  providerConfigRef:
    name: aws-provider
---
# ALB Listener
# Plain HTTP on :80 forwarding every request to lambda-tg. A TLS listener on 443 with a
# certificate would be the production equivalent; it is not part of this demo.
apiVersion: elbv2.aws.crossplane.io/v1alpha1
kind: Listener
metadata:
  name: alb-listener
spec:
  forProvider:
    region: ap-northeast-2
    protocol: HTTP
    port: 80
    loadBalancerArnRef:
      name: demo-alb
    defaultActions:
      - actionType: forward
        forwardConfig:
          targetGroups:
            - targetGroupArnRef:
                name: lambda-tg
  providerConfigRef:
    name: aws-provider
---
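# Lambda Execution Role
# Trust policy: only the Lambda service may assume this role. Its permissions come solely
# from the managed policy attached below (CloudWatch Logs plus the ENI permissions a
# VPC-attached function needs).
apiVersion: iam.aws.crossplane.io/v1beta1
kind: Role
metadata:
  name: lambda-execution-role
spec:
  forProvider:
    assumeRolePolicyDocument: |
      {
        "Version": "2012-10-17",
        "Statement": [{
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Principal": {
            "Service": "lambda.amazonaws.com"
          }
        }]
      }
  providerConfigRef:
    name: aws-provider
---
apiVersion: iam.aws.crossplane.io/v1beta1
kind: RolePolicyAttachment
metadata:
  name: lambda-vpc-execution-policy
spec:
  forProvider:
    policyArn: arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
    # Reference the Role object instead of a literal role name so Crossplane resolves the
    # dependency and the attachment waits for the role to exist.
    roleNameRef:
      name: lambda-execution-role
  providerConfigRef:
    name: aws-provider
---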
# Lambda Function
# Zip package fetched from the bucket created earlier; the bucket has to be in the same
# region as the function (ap-northeast-2).
apiVersion: lambda.aws.crossplane.io/v1beta1
kind: Function
metadata:
  name: demo-function
spec:
  forProvider:
    region: ap-northeast-2
    packageType: Zip
    code:
      s3Bucket: crs-lambda-function-bucket
      s3Key: lambda-function.zip
    handler: lambda_function.lambda_handler
    runtime: python3.13
    timeout: 60
    memorySize: 128
    roleRef:
      name: lambda-execution-role
    # Attached to the private subnets; lambda-sg governs the function's outbound traffic only.
    vpcConfig:
      subnetIDRefs:
        - name: demo-private-subnet-a
        - name: demo-private-subnet-b
      securityGroupIDRefs:
        - name: lambda-sg
    tags:
      Name: demo-function
  providerConfigRef:
    name: aws-provider
---
# Registers the function as the target group's only target.
# NOTE(review): the ALB can invoke the function only if its resource policy lets
# elasticloadbalancing.amazonaws.com call lambda:InvokeFunction; confirm the provider's
# Target controller adds that permission, otherwise a lambda Permission resource is needed.
apiVersion: elbv2.aws.crossplane.io/v1alpha1
kind: Target
metadata:
  name: lambda-target
spec:
  forProvider:
    region: ap-northeast-2
    targetGroupArnRef:
      name: lambda-tg
    lambdaArnRef:
      name: demo-function
  providerConfigRef:
    name: aws-provider
Container Image Function to ALB
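# Repository for the function image. Tags stay MUTABLE because the build step below
# re-pushes "latest"; for production, IMMUTABLE tags plus digest pins prevent silent
# overwrites of a deployed image. Scan-on-push reports known CVEs in each pushed image.
aws ecr create-repository \
  --repository-name nginx \
  --region ap-northeast-2 \
  --image-tag-mutability MUTABLE \
  --image-scanning-configuration scanOnPush=true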
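# Pull the upstream nginx base image. The tag is unpinned; for a reproducible build pin a
# digest (nginx@sha256:<digest>) and use the same pin in the Dockerfile.
docker pull nginx
ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
# Abort if the identity lookup failed rather than logging in to a malformed registry host.
: "${ACCOUNT_ID:?could not resolve the AWS account id}"
# Persist the region in the CLI profile; later commands on this page omit --region and rely on it.
aws configure set region ap-northeast-2
REGION_CODE=$(aws configure get region)
ECR_REGISTRY="$ACCOUNT_ID.dkr.ecr.$REGION_CODE.amazonaws.com"
# The registry password is passed on stdin, so it never appears in argv or shell history.
aws ecr get-login-password --region "$REGION_CODE" | docker login --username AWS --password-stdin "$ECR_REGISTRY"
# Builds from the Dockerfile in the current directory (not shown on this page).
# NOTE(review): a Lambda container image must implement the Lambda Runtime API; presumably
# the Dockerfile adds that on top of nginx - confirm before deploying.
docker build -t nginx .
docker tag nginx:latest "$ECR_REGISTRY/nginx:latest"
docker push "$ECR_REGISTRY/nginx:latest"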
# VPC
# 10.0.0.0/16 is the demo address space; every subnet below is a /24 carved from it.
apiVersion: ec2.aws.crossplane.io/v1beta1
kind: VPC
metadata:
  name: demo-vpc
spec:
  forProvider:
    region: ap-northeast-2
    cidrBlock: 10.0.0.0/16
    instanceTenancy: default
    # DNS resolution and private hostnames are enabled for the VPC.
    enableDnsSupport: true
    enableDnsHostNames: true
    tags:
      - key: Name
        value: demo-vpc
  providerConfigRef:
    name: aws-provider
---
# Public Subnets
# One per AZ. The NAT gateways and the ALB are placed here, so launches get a public IP.
apiVersion: ec2.aws.crossplane.io/v1beta1
kind: Subnet
metadata:
  name: demo-public-subnet-a
spec:
  forProvider:
    region: ap-northeast-2
    availabilityZone: ap-northeast-2a
    cidrBlock: 10.0.0.0/24
    mapPublicIPOnLaunch: true
    vpcIdRef:
      name: demo-vpc
    tags:
      - key: Name
        value: demo-public-subnet-a
  providerConfigRef:
    name: aws-provider
---
apiVersion: ec2.aws.crossplane.io/v1beta1
kind: Subnet
metadata:
  name: demo-public-subnet-b
spec:
  forProvider:
    region: ap-northeast-2
    availabilityZone: ap-northeast-2b
    cidrBlock: 10.0.1.0/24
    mapPublicIPOnLaunch: true
    vpcIdRef:
      name: demo-vpc
    tags:
      - key: Name
        value: demo-public-subnet-b
  providerConfigRef:
    name: aws-provider
---
# Private Subnets
# The Lambda function's ENIs live here: no public IPs, outbound only via the NAT gateways.
apiVersion: ec2.aws.crossplane.io/v1beta1
kind: Subnet
metadata:
  name: demo-private-subnet-a
spec:
  forProvider:
    region: ap-northeast-2
    availabilityZone: ap-northeast-2a
    cidrBlock: 10.0.2.0/24
    mapPublicIPOnLaunch: false
    vpcIdRef:
      name: demo-vpc
    tags:
      - key: Name
        value: demo-private-subnet-a
  providerConfigRef:
    name: aws-provider
---
apiVersion: ec2.aws.crossplane.io/v1beta1
kind: Subnet
metadata:
  name: demo-private-subnet-b
spec:
  forProvider:
    region: ap-northeast-2
    availabilityZone: ap-northeast-2b
    cidrBlock: 10.0.3.0/24
    mapPublicIPOnLaunch: false
    vpcIdRef:
      name: demo-vpc
    tags:
      - key: Name
        value: demo-private-subnet-b
  providerConfigRef:
    name: aws-provider
---
# Internet Gateway
# Sole internet path for the public route table (its 0.0.0.0/0 route points here).
apiVersion: ec2.aws.crossplane.io/v1beta1
kind: InternetGateway
metadata:
  name: demo-igw
spec:
  forProvider:
    region: ap-northeast-2
    vpcIdRef:
      name: demo-vpc
    tags:
      - key: Name
        value: demo-igw
  providerConfigRef:
    name: aws-provider
---
# EIPs for NAT
# One static address per NAT gateway. Traffic leaving the private subnets is sourced from
# these IPs, which is what an external party would allow-list.
apiVersion: ec2.aws.crossplane.io/v1beta1
kind: Address
metadata:
  name: demo-eip-a
spec:
  forProvider:
    region: ap-northeast-2
    domain: vpc
    tags:
      - key: Name
        value: demo-eip-a
  providerConfigRef:
    name: aws-provider
---
apiVersion: ec2.aws.crossplane.io/v1beta1
kind: Address
metadata:
  name: demo-eip-b
spec:
  forProvider:
    region: ap-northeast-2
    domain: vpc
    tags:
      - key: Name
        value: demo-eip-b
  providerConfigRef:
    name: aws-provider
---
# NAT Gateways
# One per AZ in the matching public subnet, so losing one AZ does not cut the other AZ's egress.
apiVersion: ec2.aws.crossplane.io/v1beta1
kind: NATGateway
metadata:
  name: demo-natgw-a
spec:
  forProvider:
    region: ap-northeast-2
    subnetIdRef:
      name: demo-public-subnet-a
    allocationIdRef:
      name: demo-eip-a
    tags:
      - key: Name
        value: demo-natgw-a
  providerConfigRef:
    name: aws-provider
---
apiVersion: ec2.aws.crossplane.io/v1beta1
kind: NATGateway
metadata:
  name: demo-natgw-b
spec:
  forProvider:
    region: ap-northeast-2
    subnetIdRef:
      name: demo-public-subnet-b
    allocationIdRef:
      name: demo-eip-b
    tags:
      - key: Name
        value: demo-natgw-b
  providerConfigRef:
    name: aws-provider
---
# Route Tables
# Public: default route via the IGW, associated with both public subnets.
# Private (one per AZ): default route via that AZ's NAT gateway, so private egress never
# crosses AZs to reach NAT.
apiVersion: ec2.aws.crossplane.io/v1beta1
kind: RouteTable
metadata:
  name: demo-public-rt
spec:
  forProvider:
    region: ap-northeast-2
    vpcIdRef:
      name: demo-vpc
    routes:
      - destinationCidrBlock: 0.0.0.0/0
        gatewayIdRef:
          name: demo-igw
    associations:
      - subnetIdRef:
          name: demo-public-subnet-a
      - subnetIdRef:
          name: demo-public-subnet-b
    tags:
      - key: Name
        value: demo-public-rt
  providerConfigRef:
    name: aws-provider
---
apiVersion: ec2.aws.crossplane.io/v1beta1
kind: RouteTable
metadata:
  name: demo-private-rt-a
spec:
  forProvider:
    region: ap-northeast-2
    vpcIdRef:
      name: demo-vpc
    routes:
      - destinationCidrBlock: 0.0.0.0/0
        natGatewayIdRef:
          name: demo-natgw-a
    associations:
      - subnetIdRef:
          name: demo-private-subnet-a
    tags:
      - key: Name
        value: demo-private-rt-a
  providerConfigRef:
    name: aws-provider
---
apiVersion: ec2.aws.crossplane.io/v1beta1
kind: RouteTable
metadata:
  name: demo-private-rt-b
spec:
  forProvider:
    region: ap-northeast-2
    vpcIdRef:
      name: demo-vpc
    routes:
      - destinationCidrBlock: 0.0.0.0/0
        natGatewayIdRef:
          name: demo-natgw-b
    associations:
      - subnetIdRef:
          name: demo-private-subnet-b
    tags:
      - key: Name
        value: demo-private-rt-b
  providerConfigRef:
    name: aws-provider
---
# Endpoint
# Gateway endpoint for S3 on both private route tables: S3 traffic from the private
# subnets stays on the AWS network instead of leaving through the NAT gateways.
# Note this kind is v1alpha1 and its tags field is a map, unlike the key/value list
# used by the v1beta1 kinds above.
apiVersion: ec2.aws.crossplane.io/v1alpha1
kind: VPCEndpoint
metadata:
  name: demo-s3-vpc-endpoint
spec:
  forProvider:
    region: ap-northeast-2
    vpcEndpointType: Gateway
    serviceName: com.amazonaws.ap-northeast-2.s3
    vpcIdRef:
      name: demo-vpc
    routeTableIdRefs:
      - name: demo-private-rt-a
      - name: demo-private-rt-b
    tags:
      Name: demo-s3-vpc-endpoint
  providerConfigRef:
    name: aws-provider
---
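# Security Group for Lambda
# Lambda ENIs never accept inbound connections: the ALB invokes the function through the
# Lambda service, not over the VPC. Only egress rules have any effect here, so the former
# 0.0.0.0/0 TCP/80 ingress rule is dropped (least privilege, no functional change).
apiVersion: ec2.aws.crossplane.io/v1beta1
kind: SecurityGroup
metadata:
  name: lambda-sg
spec:
  forProvider:
    region: ap-northeast-2
    groupName: lambda-sg
    description: Security group for Lambda function
    vpcIdRef:
      name: demo-vpc
    egress:
      # AWS will treat it as all ports any protocol
      - ipProtocol: '-1'
        ipRanges:
          - cidrIp: 0.0.0.0/0
    tags:
      - key: Name
        value: lambda-sg
  providerConfigRef:
    name: aws-provider
---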
# Security Group for ALB
# Public entry point: TCP/80 from anywhere in, unrestricted out. No 443 rule is present
# because the listener below is HTTP only.
apiVersion: ec2.aws.crossplane.io/v1beta1
kind: SecurityGroup
metadata:
  name: alb-sg
spec:
  forProvider:
    region: ap-northeast-2
    groupName: alb-sg
    description: Security group for ALB
    vpcIdRef:
      name: demo-vpc
    ingress:
      - ipProtocol: tcp
        fromPort: 80
        toPort: 80
        ipRanges:
          - cidrIp: 0.0.0.0/0
    egress:
      # AWS will treat it as all ports any protocol
      - ipProtocol: '-1'
        ipRanges:
          - cidrIp: 0.0.0.0/0
    tags:
      - key: Name
        value: alb-sg
  providerConfigRef:
    name: aws-provider
---
# Application Load Balancer
# Spans both public subnets; no scheme is set, so the AWS default (internet-facing) applies.
# alb-sg is the only group attached, so TCP/80 is the only reachable port.
apiVersion: elbv2.aws.crossplane.io/v1alpha1
kind: LoadBalancer
metadata:
  name: demo-alb
spec:
  forProvider:
    region: ap-northeast-2
    name: demo-alb
    loadBalancerType: application
    securityGroupRefs:
      - name: alb-sg
    subnetRefs:
      - name: demo-public-subnet-a
      - name: demo-public-subnet-b
  providerConfigRef:
    name: aws-provider
---
# Target Group
# targetType lambda: no port, protocol or VPC is given because the ALB invokes the
# function directly rather than connecting to an address.
apiVersion: elbv2.aws.crossplane.io/v1alpha1
kind: TargetGroup
metadata:
  name: lambda-tg
  labels:
    type: alb-target-group
spec:
  forProvider:
    region: ap-northeast-2
    name: lambda-tg
    targetType: lambda
  providerConfigRef:
    name: aws-provider
---
# ALB Listener
# Plain HTTP on :80 forwarding every request to lambda-tg. A TLS listener on 443 with a
# certificate would be the production equivalent; it is not part of this demo.
apiVersion: elbv2.aws.crossplane.io/v1alpha1
kind: Listener
metadata:
  name: alb-listener
spec:
  forProvider:
    region: ap-northeast-2
    protocol: HTTP
    port: 80
    loadBalancerArnRef:
      name: demo-alb
    defaultActions:
      - actionType: forward
        forwardConfig:
          targetGroups:
            - targetGroupArnRef:
                name: lambda-tg
  providerConfigRef:
    name: aws-provider
---
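# Lambda Execution Role
# Trust policy: only the Lambda service may assume this role. Its permissions come solely
# from the managed policy attached below (CloudWatch Logs plus the ENI permissions a
# VPC-attached function needs).
apiVersion: iam.aws.crossplane.io/v1beta1
kind: Role
metadata:
  name: lambda-execution-role
spec:
  forProvider:
    assumeRolePolicyDocument: |
      {
        "Version": "2012-10-17",
        "Statement": [{
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Principal": {
            "Service": "lambda.amazonaws.com"
          }
        }]
      }
  providerConfigRef:
    name: aws-provider
---
apiVersion: iam.aws.crossplane.io/v1beta1
kind: RolePolicyAttachment
metadata:
  name: lambda-vpc-execution-policy
spec:
  forProvider:
    policyArn: arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
    # Reference the Role object instead of a literal role name so Crossplane resolves the
    # dependency and the attachment waits for the role to exist.
    roleNameRef:
      name: lambda-execution-role
  providerConfigRef:
    name: aws-provider
---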
# Lambda Function
# Container-image package. The imageURI value is a placeholder that the sed step later on
# this page rewrites with the ECR reference; a digest-pinned reference is preferable to a
# mutable tag so the deployed code cannot change underneath the function.
apiVersion: lambda.aws.crossplane.io/v1beta1
kind: Function
metadata:
  name: demo-function
spec:
  forProvider:
    region: ap-northeast-2
    packageType: Image
    code:
      imageURI: IMAGE
    timeout: 60
    memorySize: 128
    roleRef:
      name: lambda-execution-role
    # Attached to the private subnets; lambda-sg governs the function's outbound traffic only.
    vpcConfig:
      subnetIDRefs:
        - name: demo-private-subnet-a
        - name: demo-private-subnet-b
      securityGroupIDRefs:
        - name: lambda-sg
    tags:
      Name: demo-function
  providerConfigRef:
    name: aws-provider
---
# Registers the function as the target group's only target.
# NOTE(review): the ALB can invoke the function only if its resource policy lets
# elasticloadbalancing.amazonaws.com call lambda:InvokeFunction; confirm the provider's
# Target controller adds that permission, otherwise a lambda Permission resource is needed.
apiVersion: elbv2.aws.crossplane.io/v1alpha1
kind: Target
metadata:
  name: lambda-target
spec:
  forProvider:
    region: ap-northeast-2
    targetGroupArnRef:
      name: lambda-tg
    lambdaArnRef:
      name: demo-function
  providerConfigRef:
    name: aws-provider
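# Resolve the repository URI and pin the image by digest rather than by tag, so the
# deployed function cannot silently change when "latest" is re-pushed. The original
# tag query listed every tag of every image and broke the URI as soon as there was
# more than one.
IMAGE_URL=$(aws ecr describe-repositories --repository-name nginx --query "repositories[0].repositoryUri" --output text)
IMAGE_DIGEST=$(aws ecr describe-images --repository-name nginx --image-ids imageTag=latest --query "imageDetails[0].imageDigest" --output text)
# Fail fast if a lookup returned nothing instead of writing a broken URI into the manifest.
: "${IMAGE_URL:?repository nginx not found}"
: "${IMAGE_DIGEST:?no image tagged latest in repository nginx}"
IMAGE="$IMAGE_URL@$IMAGE_DIGEST"
# Replace only the imageURI placeholder, not every occurrence of that word in the file.
sed -i "s|imageURI: IMAGE|imageURI: $IMAGE|" alb.yaml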
# Apply the whole multi-document manifest; Crossplane resolves the *Ref links between resources.
kubectl apply --filename alb.yaml
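# Check the READY/SYNCED columns of the ALB managed resource. The group-qualified name
# avoids ambiguity if another CRD in the cluster also registers a "loadbalancer" kind.
kubectl get loadbalancer.elbv2.aws.crossplane.io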