fixup! terraform: add missing policies for AWS ALB

.github/actions/e2e_lb/action.yml

@@ -6,7 +6,7 @@ inputs:
     description: "The kubeconfig of the cluster to test."
     required: true
   cloudProvider:
-    description: TODO
+    description: "The CSP this test runs on. Some tests exercise functionality not supported everywhere."
     required: false
 
 runs:
@@ -21,7 +21,9 @@ runs:
       run: |
         kubectl apply -f ns.yml
         kubectl apply -f lb.yml
-    - name: Add AWS Ingress
+        bazel run //e2e/internal/lb:lb_test
+
+    - name: Test AWS Ingress
       if: inputs.cloudProvider == 'aws'
       shell: bash
       env:
@@ -38,12 +40,7 @@ runs:
         echo "::error::Ingress did not become ready in the alloted time."
         kubectl describe ing -n lb-test
         exit 1
-    - name: Run test
-      shell: bash
-      env:
-        KUBECONFIG: ${{ inputs.kubeconfig }}
-      run: |
-        bazel run //e2e/internal/lb:lb_test
+
     - name: Delete deployment
       if: always()
       shell: bash

docs/docs/workflows/lb.md

@@ -4,9 +4,9 @@ Constellation integrates the native load balancers of each CSP. Therefore, to ex
 
 ## Internet-facing LB service on AWS
 
-To expose your application service externally you might want to use a Kubernetes Service of type `LoadBalancer`. On AWS, load-balancing is achieved through the [AWS Load Balancing Controller](https://kubernetes-sigs.github.io/aws-load-balancer-controller) as in the managed EKS.
+To expose your application service externally you might want to use a Kubernetes Service of type `LoadBalancer`. On AWS, load-balancing is achieved through the [AWS Load Balancer Controller](https://kubernetes-sigs.github.io/aws-load-balancer-controller) as in the managed EKS.
 
-Since recent versions, the controller deploy an internal LB by default requiring to set an annotation `service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing` to have an internet-facing LB. For more details, see the [official docs](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/guide/service/nlb/).
+Since recent versions, the controller deploy an internal LB by default requiring to set an annotation `service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing` to have an internet-facing LB. For more details, see the [official docs](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/service/nlb/).
 
 For general information on LB with AWS see [Network load balancing on Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/network-load-balancing.html).
 
@@ -16,4 +16,13 @@ Before terminating the cluster, all LB backed services should be deleted, so tha
 
 ## Ingress on AWS
 
-TODO(burgerdev): document
+The AWS Load Balancer Controller also provisions `Ingress` resources of class `alb`.
+AWS Application Load Balancers (ALBs) can be configured with a [`target-type`](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/ingress/annotations/#target-type).
+The target type `ip` requires using the EKS container network solution, which makes it incompatible with Constellation.
+If a service can be exposed on a `NodePort`, the target type `instance` can be used.
+
+See [Application load balancing on Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html) for more information.
+
+:::caution
+Ingress handlers backed by AWS ALBs reside outside the Constellation cluster, so they should not be handling sensitive traffic.
+:::