From b0da983f687c1c81e07b67c5025f131adda78537 Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Tue, 12 Mar 2024 11:19:27 -0600 Subject: [PATCH 01/82] feat: add nightly testing
---
 .github/workflows/nightly-testing.yaml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 .github/workflows/nightly-testing.yaml
diff --git a/.github/workflows/nightly-testing.yaml b/.github/workflows/nightly-testing.yaml
new file mode 100644
index 000000000..6b32d70a1
--- /dev/null
+++ b/.github/workflows/nightly-testing.yaml
@@ -0,0 +1,21 @@
+name: Nightly Testing
+
+on:
+ schedule:
+ - cron: '0 0 * * *' # Runs at midnight every day
+
+jobs:
+ nightly-testing:
+ runs-on: ubuntu-latest
+
+# RKE2 and EKS Jobs
+
+# can we call infra code from other repos like uds-prod-infrastructure
+
+# deploy core
+
+# run tests
+ # any specific distrubution tests
+ # connection tests between core services
+ # kubectl commands?
+ # base cypress tests?
\ No newline at end of file
From 74e6e7939c30af530c15d78cb71a3550f41fc439 Mon Sep 17 00:00:00 2001
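Review bot: The `nightly-testing` job declares `runs-on: ubuntu-latest` but no `steps`, so GitHub will reject the workflow as invalid on its first scheduled run; the placeholder comments beneath it are not a job body. Even as a skeleton, the workflow should pin the token scope with a top-level `permissions:` block, e.g. `permissions:` followed by `  contents: read`, so later additions start from least privilege rather than the repository default. A minimal valid body while the real steps are designed is `steps:` followed by `  - run: echo "nightly testing placeholder"`.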
From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Wed, 13 Mar 2024 13:47:00 -0600 Subject: [PATCH 02/82] test-eks workflow for creating packages / bundle to deploy infra and then uds core --- .github/bundles/uds-bundleyaml | 48 ++++ .github/bundles/uds-config.yaml | 9 + .github/test-infra/ci-iac-aws/extract.sh | 40 ++++ .github/test-infra/ci-iac-aws/loki/.gitignore | 2 + .github/test-infra/ci-iac-aws/loki/README.md | 52 +++++ .github/test-infra/ci-iac-aws/loki/main.tf | 153 ++++++++++++ .github/test-infra/ci-iac-aws/loki/output.tf | 24 ++ .../ci-iac-aws/loki/terraform.tfvars | 10 + .../test-infra/ci-iac-aws/loki/variables.tf | 67 ++++++ .../.terraform/modules/modules.json | 1 + .../velero/.terraform/modules/modules.json | 1 + .github/test-infra/ci-iac-aws/velero/main.tf | 182 +++++++++++++++ .../test-infra/ci-iac-aws/velero/output.tf | 24 ++ .../ci-iac-aws/velero/terraform.tfvars | 10 + .../test-infra/ci-iac-aws/velero/variables.tf | 67 ++++++ .../test-infra/ci-iac-aws/zarf-config.yaml | 19 ++ .github/test-infra/ci-iac-aws/zarf.yaml | 218 ++++++++++++++++++ .github/test-infra/eks/.gitignore | 1 + .github/test-infra/eks/config.yaml | 38 +++ .github/test-infra/eks/zarf-config.yaml | 8 + .github/test-infra/eks/zarf.yaml | 49 ++++ .github/workflows/test-eks.yaml | 68 ++++++ 22 files changed, 1091 insertions(+) create mode 100644 .github/bundles/uds-bundleyaml create mode 100644 .github/bundles/uds-config.yaml create mode 100755 .github/test-infra/ci-iac-aws/extract.sh create mode 100644 .github/test-infra/ci-iac-aws/loki/.gitignore create mode 100644 .github/test-infra/ci-iac-aws/loki/README.md create mode 100644 .github/test-infra/ci-iac-aws/loki/main.tf create mode 100644 .github/test-infra/ci-iac-aws/loki/output.tf create mode 100644 .github/test-infra/ci-iac-aws/loki/terraform.tfvars create mode 100644 .github/test-infra/ci-iac-aws/loki/variables.tf create mode 100644 
.github/test-infra/ci-iac-aws/route53-policy/.terraform/modules/modules.json create mode 100644 .github/test-infra/ci-iac-aws/velero/.terraform/modules/modules.json create mode 100644 .github/test-infra/ci-iac-aws/velero/main.tf create mode 100644 .github/test-infra/ci-iac-aws/velero/output.tf create mode 100644 .github/test-infra/ci-iac-aws/velero/terraform.tfvars create mode 100644 .github/test-infra/ci-iac-aws/velero/variables.tf create mode 100644 .github/test-infra/ci-iac-aws/zarf-config.yaml create mode 100644 .github/test-infra/ci-iac-aws/zarf.yaml create mode 100644 .github/test-infra/eks/.gitignore create mode 100644 .github/test-infra/eks/config.yaml create mode 100644 .github/test-infra/eks/zarf-config.yaml create mode 100644 .github/test-infra/eks/zarf.yaml create mode 100644 .github/workflows/test-eks.yaml diff --git a/.github/bundles/uds-bundleyaml b/.github/bundles/uds-bundleyaml new file mode 100644 index 000000000..0e0f5d975 --- /dev/null +++ b/.github/bundles/uds-bundleyaml 
@@ -0,0 +1,48 @@
+kind: UDSBundle
+metadata:
+ name: uds-core-eks-nightly
+ description: A UDS bundle for deploying EKS and UDS Core
+ # x-release-please-start-version
+ version: "0.15.1"
+ # x-release-please-end
+
+packages:
+ - name: distro-eks
+ path: ../packages
+ ref: 0.15.1
+
+ - name: ci-iac-aws
+ path: ../packages/
+ # x-release-please-start-version
+ ref: 0.15.1
+ # x-release-please-end
+
+ - name: init
+ repository: ghcr.io/defenseunicorns/packages/init
+ # renovate: datasource=github-tags depName=defenseunicorns/zarf versioning=semver
+ ref: v0.32.4
+
+ - name: core
+ path: ../packages/
+ # x-release-please-start-version
+ ref: 0.15.1
+ # x-release-please-end
+ overrides:
+ istio-admin-gateway:
+ uds-istio-config:
+ variables:
+ - name: ADMIN_TLS_CERT
+ description: "The TLS cert for the admin gateway (must be base64 encoded)"
+ path: tls.cert
+ - name: ADMIN_TLS_KEY
+ description: "The TLS key for the admin gateway (must be base64 encoded)"
+ path: tls.key
+ istio-tenant-gateway:
+ uds-istio-config:
+ variables:
+ - name: TENANT_TLS_CERT
+ description: "The TLS cert for the tenant gateway (must be base64 encoded)"
+ path: tls.cert
+ - name: TENANT_TLS_KEY
+ description: "The TLS key for the tenant gateway (must be base64 encoded)"
+ path: tls.key
diff --git a/.github/bundles/uds-config.yaml b/.github/bundles/uds-config.yaml
new file mode 100644
index 000000000..dc1b6ab87
--- /dev/null
+++ b/.github/bundles/uds-config.yaml
@@ -0,0 +1,9 @@
+variables:
+ # distro-eks:
+ # cluster_name: $EKS_CLUSTER_NAME
+ # permissions_boundary_arn: $PERMISSIONS_BOUNDARY_ARN
+ # permissions_boundary_name: $PERMISSIONS_BOUNDARY_NAME
+ ci-iac-aws:
+ state_bucket_name: uds-aws-ci-commercial-us-east-2-5246-tfstate
+ state_key: tfstate/ci/install/${SHA:0:7}-dubbd-aws.tfstate
+ state_dynamodb_table_name: uds-aws-ci-commercial-org-us-east-2-5246-tfstate-lock
\ No newline at end of file
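Review bot: The new bundle file is created as `.github/bundles/uds-bundleyaml`, missing the dot before `yaml`, so the UDS CLI, which looks for `uds-bundle.yaml` by default, will not find it; both the diffstat and the `+++` header show the typo. Within the file, the `distro-eks` package's `ref: 0.15.1` is the only version not wrapped in `# x-release-please-start-version` / `# x-release-please-end` markers, so release automation will bump the other refs and leave this one behind. Wrap it like its siblings: `# x-release-please-start-version`, `ref: 0.15.1`, `# x-release-please-end`.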
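Review bot: `state_key: tfstate/ci/install/${SHA:0:7}-dubbd-aws.tfstate` uses bash substring syntax, which a YAML config loader will not expand; unless the UDS CLI documents `${VAR:offset:length}` expansion for config values, the literal string becomes the state key and every nightly run shares, and can clobber, a single Terraform state. Compute the short SHA in the workflow and pass a plain variable, e.g. `state_key: tfstate/ci/install/${SHORT_SHA}-dubbd-aws.tfstate`, or supply it with `--set`. The `ci-iac-aws` section also hard-codes the state bucket and lock-table names, while `.github/test-infra/ci-iac-aws/zarf-config.yaml` in the same commit sets different `uds-dev-*` values for the same keys; sourcing both from one place would avoid the two drifting.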
diff --git a/.github/test-infra/ci-iac-aws/extract.sh b/.github/test-infra/ci-iac-aws/extract.sh new file mode 100755 index 000000000..1a239cf07 --- /dev/null +++ b/.github/test-infra/ci-iac-aws/extract.sh @@ -0,0 +1,40 @@ +#!/bin/bash + +set +o xtrace + +# Check if the runtime environment is Darwin (Mac OS X) or Linux +if [[ "$OSTYPE" == "darwin"* ]]; then + ARCH_NAME=darwin +elif [[ "$OSTYPE" == "linux-gnu"* ]]; then + ARCH_NAME=linux +elif [[ "$OSTYPE" == "msys" ]]; then + ARCH_NAME=windows +elif [[ "$OSTYPE" == "cygwin" ]]; then + ARCH_NAME=windows +else + echo "The OS is not supported" + exit 1 +fi + +# Check the processor architecture +if [[ $(uname -m) == "x86_64" ]]; then + echo "The processor architecture is 64-bit" + ARCH_PROC=amd64 +elif [[ $(uname -m) == "i686" || $(uname -m) == "i386" ]]; then + echo "The processor architecture is 32-bit" + echo "The processor is not AMD or ARM" +elif [[ $(uname -m) == "arm64" ]]; then + ARCH_PROC=arm64 +else +# default... + ARCH_PROC=amd64 +fi + +echo "HI!" +echo "ARCH_NAME: ${ARCH_NAME}" +echo "ARCH_PROC: ${ARCH_PROC}" + +# todo: actually use the terraform binary we download +mkdir -p run/loki && chmod -R ugo+rwx run/loki +mkdir -p run/velero && chmod -R ugo+rwx run/velero +unzip -o -q tmp/terraform_${1}_${ARCH_NAME}_${ARCH_PROC}.zip -d run diff --git a/.github/test-infra/ci-iac-aws/loki/.gitignore b/.github/test-infra/ci-iac-aws/loki/.gitignore new file mode 100644 index 000000000..b8d1fe581 --- /dev/null +++ b/.github/test-infra/ci-iac-aws/loki/.gitignore @@ -0,0 +1,2 @@ +.terraform/* +.terraform.lock.hcl \ No newline at end of file diff --git a/.github/test-infra/ci-iac-aws/loki/README.md b/.github/test-infra/ci-iac-aws/loki/README.md new file mode 100644 index 000000000..239d7dde7 --- /dev/null +++ b/.github/test-infra/ci-iac-aws/loki/README.md 
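Review bot: `chmod -R ugo+rwx run/loki` and `chmod -R ugo+rwx run/velero` make the directories into which the Terraform binary is unpacked, and from which `../terraform` is later executed by `zarf.yaml`, world-writable; nothing in the script needs that, so drop both `chmod` calls and use `mkdir -p run/loki run/velero`. The script never fails on error: `set +o xtrace` only disables tracing, which is already off, so a missing zip or a failed `unzip` is silently ignored by the caller — replace it with `set -euo pipefail`. In the `i686`/`i386` branch `ARCH_PROC` is never assigned, so the final `unzip` path is built with an empty segment; either `exit 1` there or fall through to the default. The zip is trusted on download alone; verifying it against HashiCorp's published `SHA256SUMS` for the pinned version (or adding `shasum` to the `files` entries in `zarf.yaml`) would close that gap.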
@@ -0,0 +1,52 @@ +# Loki + +Terraform for deploying resources necessary for Loki + + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | 4.67.0 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [S3](#module\_S3) | github.com/defenseunicorns/delivery-aws-iac//modules/s3-irsa | v0.0.4-alpha | +| [generate\_kms](#module\_generate\_kms) | github.com/defenseunicorns/uds-iac-aws-kms | dubbd-test | + +## Resources + +| Name | Type | +|------|------| +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_eks_cluster.existing](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source | +| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [force\_destroy](#input\_force\_destroy) | Option to set force destroy | `bool` | `false` | no | +| [key\_alias](#input\_key\_alias) | alias for KMS Key | `string` | `"bigbang-loki"` | no | +| [key\_owner\_arns](#input\_key\_owner\_arns) | ARNS of KMS key owners, needed for use of key | `list(string)` | `[]` | no | +| [kms\_key\_arn](#input\_kms\_key\_arn) | KMS Key ARN if known, if not, will be generated | `string` | `null` | no | +| [name](#input\_name) | Name for cluster | `any` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [aws\_region](#output\_aws\_region) | n/a | +| [dynamodb\_name](#output\_dynamodb\_name) | n/a | +| [eks\_cluster\_oidc\_arn](#output\_eks\_cluster\_oidc\_arn) | The ARN of the OIDC Provider of the EKS Cluster | +| 
[irsa\_role](#output\_irsa\_role) | n/a | +| [s3](#output\_s3) | n/a | +| [s3\_bucket](#output\_s3\_bucket) | n/a | + diff --git a/.github/test-infra/ci-iac-aws/loki/main.tf b/.github/test-infra/ci-iac-aws/loki/main.tf new file mode 100644 index 000000000..c4eb7aa68 --- /dev/null +++ b/.github/test-infra/ci-iac-aws/loki/main.tf 
@@ -0,0 +1,153 @@ +# test tf +provider "aws" { + region = var.region + + default_tags { + tags = { + PermissionsBoundary = var.permissions_boundary_name + } + } +} + +terraform { + required_version = "1.5.7" + backend "s3" { + } + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 4.0, != 5.17.0" + } + + random = { + source = "hashicorp/random" + version = "3.5.1" + } + } +} + +# taken from zarf bb repo +resource "random_id" "default" { + byte_length = 2 +} + +data "aws_eks_cluster" "existing" { + name = var.name +} + +data "aws_caller_identity" "current" {} + +data "aws_partition" "current" {} + +data "aws_region" "current" {} + +locals { + oidc_url_without_protocol = substr(data.aws_eks_cluster.existing.identity[0].oidc[0].issuer, 8, -1) + oidc_arn = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${local.oidc_url_without_protocol}" + + generate_kms_key = var.create_kms_key ? 1 : 0 + kms_key_arn = var.kms_key_arn == null ? module.generate_kms[0].kms_key_arn : var.kms_key_arn + name = "${var.name}-loki" + iam_role_permissions_boundary = var.use_permissions_boundary ? "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/${var.permissions_boundary_name}" : null + + # The conditional may need to look like this depending on how we decide to handle the way varf wants to template things + # generate_kms_key = var.kms_key_arn == "" ? 1 : 0 + # kms_key_arn = var.kms_key_arn == "" ? 
module.generate_kms[0].kms_key_arn : var.kms_key_arn +} + +module "S3" { + source = "github.com/defenseunicorns/terraform-aws-uds-s3?ref=v0.0.6" + name_prefix = "${var.bucket_name}-" + kms_key_arn = local.kms_key_arn + force_destroy = var.force_destroy + create_bucket_lifecycle = true +} + +resource "aws_s3_bucket_policy" "bucket_policy" { + bucket = module.S3.bucket_name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "s3:ListBucket", + "s3:GetObject", + "s3:PutObject" + ] + Effect = "Allow" + Principal = { + AWS = module.irsa.role_arn + } + Resource = [ + module.S3.bucket_arn, + "${module.S3.bucket_arn}/*" + ] + } + ] + }) +} + +module "generate_kms" { + count = local.generate_kms_key + source = "github.com/defenseunicorns/terraform-aws-uds-kms?ref=v0.0.2" + + key_owners = var.key_owner_arns + # A list of IAM ARNs for those who will have full key permissions (`kms:*`) + kms_key_alias_name_prefix = "${local.name}-" # Prefix for KMS key alias. + kms_key_deletion_window = var.kms_key_deletion_window + # Waiting period for scheduled KMS Key deletion. Can be 7-30 days. + kms_key_description = "${var.name} DUBBD deployment Loki Key" # Description for the KMS key. + tags = { + Deployment = "UDS DUBBD ${local.name}" + } +} + + +module "irsa" { + source = "github.com/defenseunicorns/terraform-aws-uds-irsa?ref=v0.0.2" + name = local.name + kubernetes_service_account = var.kubernetes_service_account + kubernetes_namespace = var.kubernetes_namespace + oidc_provider_arn = local.oidc_arn + role_permissions_boundary_arn = local.iam_role_permissions_boundary + + role_policy_arns = tomap({ + "loki" = aws_iam_policy.loki_policy.arn + }) + +} + +resource "random_id" "unique_id" { + byte_length = 4 +} + + +resource "aws_iam_policy" "loki_policy" { + name = "${local.name}-irsa-${random_id.unique_id.hex}" + path = "/" + description = "IAM policy for Loki to have necessary permissions to use S3 for storing logs." 
+ policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Effect = "Allow" + Action = ["s3:ListBucket"] + Resource = ["arn:${data.aws_partition.current.partition}:s3:::${module.S3.bucket_name}"] + }, + { + Effect = "Allow" + Action = ["s3:*Object"] + Resource = ["arn:${data.aws_partition.current.partition}:s3:::${module.S3.bucket_name}/*"] + }, + { + Effect = "Allow" + Action = [ + "kms:GenerateDataKey", + "kms:Decrypt" + ] + Resource = [local.kms_key_arn] + } + ] + }) +} diff --git a/.github/test-infra/ci-iac-aws/loki/output.tf b/.github/test-infra/ci-iac-aws/loki/output.tf new file mode 100644 index 000000000..d14af52d7 --- /dev/null +++ b/.github/test-infra/ci-iac-aws/loki/output.tf @@ -0,0 +1,24 @@ +output "aws_region" { + value = data.aws_region.current.name +} + +output "irsa_role_arn" { + value = module.irsa.role_arn +} + +output "s3" { + value = module.S3 +} + +output "s3_bucket" { + value = module.S3.bucket_name +} + +output "kms_key_arn" { + description = "The ARN of the OIDC Provider of the EKS Cluster" + value = local.kms_key_arn +} + +output "force_destroy" { + value = var.force_destroy +} diff --git a/.github/test-infra/ci-iac-aws/loki/terraform.tfvars b/.github/test-infra/ci-iac-aws/loki/terraform.tfvars new file mode 100644 index 000000000..be09a31a4 --- /dev/null +++ b/.github/test-infra/ci-iac-aws/loki/terraform.tfvars @@ -0,0 +1,10 @@ +region = "###ZARF_VAR_REGION###" +name = "###ZARF_VAR_EKS_CLUSTER_NAME###" +bucket_name = "###ZARF_VAR_EKS_CLUSTER_NAME###-loki" +force_destroy = "###ZARF_VAR_LOKI_FORCE_DESTROY###" + +kubernetes_service_account = "logging-loki" +kubernetes_namespace = "logging" + +permissions_boundary_name = "###ZARF_VAR_PERMISSIONS_BOUNDARY_NAME###" +use_permissions_boundary = "###ZARF_VAR_USE_PERMISSIONS_BOUNDARY###" diff --git a/.github/test-infra/ci-iac-aws/loki/variables.tf b/.github/test-infra/ci-iac-aws/loki/variables.tf new file mode 100644 index 000000000..e3b4fdf11 --- /dev/null 
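Review bot: `kms_key_arn = var.kms_key_arn == null ? module.generate_kms[0].kms_key_arn : var.kms_key_arn` in `locals` selects the generated key by whether an ARN was passed, but `module.generate_kms` is created by `count = var.create_kms_key ? 1 : 0`; with `create_kms_key = false` and no `kms_key_arn` the `[0]` index fails at plan time, and with `create_kms_key = true` plus a supplied ARN an unused key is created and billed. Drive both from one input, e.g. `generate_kms_key = var.kms_key_arn == null ? 1 : 0`, which the commented-out lines already sketch, and drop `create_kms_key` or validate the pair. `resource "random_id" "default"` is never referenced and can be removed. Both issues are duplicated in `velero/main.tf`; there and here the `module` sources are pinned by git tag (`?ref=v0.0.6`, `?ref=v0.0.2`), which is mutable, so pinning to a commit SHA would harden the supply chain.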
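Review bot: The `kms_key_arn` output carries the description "The ARN of the OIDC Provider of the EKS Cluster", copied from an unrelated output; it should read `description = "ARN of the KMS key used to encrypt the Loki S3 bucket"`. `output "s3"` exposes the whole `module.S3` object, which writes every module output into state and `terraform output`; prefer exporting only the named attributes the zarf components read (`s3_bucket`, `irsa_role_arn`, `aws_region`). `velero/output.tf` is a byte-identical copy (same blob `d14af52d7`) and has the same description mix-up.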
+++ b/.github/test-infra/ci-iac-aws/loki/variables.tf @@ -0,0 +1,67 @@ +variable "region" { + description = "AWS region" + type = string +} + +variable "name" { + description = "Name for cluster" + type = string +} + +variable "kms_key_arn" { + type = string + description = "KMS Key ARN if known, if not, will be generated" + default = null +} + +variable "force_destroy" { + description = "Option to set force destroy" + type = bool + default = false +} + +variable "key_owner_arns" { + description = "ARNS of KMS key owners, needed for use of key" + type = list(string) + default = [] +} + +# taken from zarf bb repo +variable "kms_key_deletion_window" { + description = "Waiting period for scheduled KMS Key deletion. Can be 7-30 days." + type = number + default = 7 +} + +variable "create_kms_key" { + description = "Whether to create a new KMS key to be used with the S3 bucket. If not, you must pass in your own key ARN." + type = bool + default = true +} + +variable "bucket_name" { + description = "Name for S3 bucket" + type = string +} + +variable "kubernetes_service_account" { + description = "Name of the service account to bind to. Used to generate fully qualified subject for service account." + type = string +} + +variable "kubernetes_namespace" { + description = "Name of the namespace that the service account exists in. Used to generate fully qualified subject for the service account." + type = string +} + +variable "permissions_boundary_name" { + description = "The name of the permissions boundary for IAM resources. This will be used for tagging and to build out the ARN." + type = string + default = null +} + +variable "use_permissions_boundary" { + description = "Whether to use IAM permissions boundary for resources." + type = bool + default = true +} diff --git a/.github/test-infra/ci-iac-aws/route53-policy/.terraform/modules/modules.json b/.github/test-infra/ci-iac-aws/route53-policy/.terraform/modules/modules.json new file mode 100644 index 000000000..eb3ee9f3c 
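Review bot: `use_permissions_boundary` defaults to `true` while `permissions_boundary_name` defaults to `null`, so with defaults alone the `iam_role_permissions_boundary` expression in `main.tf` interpolates a null into a string template and the plan fails. Either default `use_permissions_boundary` to `false`, or add a `validation` block on `permissions_boundary_name` requiring a non-null value when the boundary is in use; the tfvars in this commit always set both, which is why the current test path does not hit it. `velero/variables.tf` (same blob `e3b4fdf11`) has the identical defaults.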
--- /dev/null +++ b/.github/test-infra/ci-iac-aws/route53-policy/.terraform/modules/modules.json @@ -0,0 +1 @@ +{"Modules":[{"Key":"","Source":"","Dir":"."},{"Key":"irsa","Source":"git::https://github.com/defenseunicorns/terraform-aws-uds-irsa.git?ref=v0.0.1","Dir":".terraform/modules/irsa"},{"Key":"irsa.irsa","Source":"registry.terraform.io/terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc","Version":"5.27.0","Dir":".terraform/modules/irsa.irsa/modules/iam-assumable-role-with-oidc"}]} \ No newline at end of file diff --git a/.github/test-infra/ci-iac-aws/velero/.terraform/modules/modules.json b/.github/test-infra/ci-iac-aws/velero/.terraform/modules/modules.json new file mode 100644 index 000000000..305f9f38c --- /dev/null +++ b/.github/test-infra/ci-iac-aws/velero/.terraform/modules/modules.json @@ -0,0 +1 @@ +{"Modules":[{"Key":"","Source":"","Dir":"."},{"Key":"S3","Source":"git::https://github.com/defenseunicorns/terraform-aws-uds-s3.git?ref=v0.0.6","Dir":".terraform/modules/S3"},{"Key":"S3.s3_bucket","Source":"registry.terraform.io/terraform-aws-modules/s3-bucket/aws","Version":"3.10.1","Dir":".terraform/modules/S3.s3_bucket"},{"Key":"generate_kms","Source":"git::https://github.com/defenseunicorns/terraform-aws-uds-kms.git?ref=v0.0.2","Dir":".terraform/modules/generate_kms"},{"Key":"generate_kms.kms","Source":"registry.terraform.io/terraform-aws-modules/kms/aws","Version":"1.5.0","Dir":".terraform/modules/generate_kms.kms"},{"Key":"irsa","Source":"git::https://github.com/defenseunicorns/terraform-aws-uds-irsa.git?ref=v0.0.2","Dir":".terraform/modules/irsa"},{"Key":"irsa.irsa","Source":"registry.terraform.io/terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks","Version":"5.27.0","Dir":".terraform/modules/irsa.irsa/modules/iam-role-for-service-accounts-eks"}]} \ No newline at end of file 
diff --git a/.github/test-infra/ci-iac-aws/velero/main.tf b/.github/test-infra/ci-iac-aws/velero/main.tf new file mode 100644 index 000000000..4b8472559 --- /dev/null +++ b/.github/test-infra/ci-iac-aws/velero/main.tf 
@@ -0,0 +1,182 @@ +provider "aws" { + region = var.region + + default_tags { + tags = { + PermissionsBoundary = var.permissions_boundary_name + } + } +} + +terraform { + required_version = "1.5.7" + backend "s3" { + } + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 4.0, != 5.17.0" + } + + random = { + source = "hashicorp/random" + version = "3.5.1" + } + } +} + +# taken from zarf bb repo +resource "random_id" "default" { + byte_length = 2 +} + +data "aws_eks_cluster" "existing" { + name = var.name +} + +data "aws_caller_identity" "current" {} + +data "aws_partition" "current" {} + +data "aws_region" "current" {} + +locals { + oidc_url_without_protocol = substr(data.aws_eks_cluster.existing.identity[0].oidc[0].issuer, 8, -1) + oidc_arn = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${local.oidc_url_without_protocol}" + + generate_kms_key = var.create_kms_key ? 1 : 0 + kms_key_arn = var.kms_key_arn == null ? module.generate_kms[0].kms_key_arn : var.kms_key_arn + name = "${var.name}-velero" + iam_role_permissions_boundary = var.use_permissions_boundary ? "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/${var.permissions_boundary_name}" : null + + # The conditional may need to look like this depending on how we decide to handle the way varf wants to template things + # generate_kms_key = var.kms_key_arn == "" ? 1 : 0 + # kms_key_arn = var.kms_key_arn == "" ? 
module.generate_kms[0].kms_key_arn : var.kms_key_arn +} + +module "S3" { + source = "github.com/defenseunicorns/terraform-aws-uds-s3?ref=v0.0.6" + name_prefix = "${var.bucket_name}-" + kms_key_arn = local.kms_key_arn + force_destroy = var.force_destroy + create_bucket_lifecycle = true +} + +resource "aws_s3_bucket_policy" "bucket_policy" { + bucket = module.S3.bucket_name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "s3:ListBucket", + "s3:GetObject", + "s3:PutObject" + ] + Effect = "Allow" + Principal = { + AWS = module.irsa.role_arn + } + Resource = [ + module.S3.bucket_arn, + "${module.S3.bucket_arn}/*" + ] + } + ] + }) +} + +module "generate_kms" { + count = local.generate_kms_key + source = "github.com/defenseunicorns/terraform-aws-uds-kms?ref=v0.0.2" + + key_owners = var.key_owner_arns + # A list of IAM ARNs for those who will have full key permissions (`kms:*`) + kms_key_alias_name_prefix = "${local.name}-" # Prefix for KMS key alias. + kms_key_deletion_window = var.kms_key_deletion_window + # Waiting period for scheduled KMS Key deletion. Can be 7-30 days. + kms_key_description = "${local.name} DUBBD deployment Velero Key" # Description for the KMS key. + tags = { + Deployment = "UDS DUBBD ${local.name}" + } +} + +module "irsa" { + source = "github.com/defenseunicorns/terraform-aws-uds-irsa?ref=v0.0.2" + name = local.name + kubernetes_service_account = var.kubernetes_service_account + kubernetes_namespace = var.kubernetes_namespace + oidc_provider_arn = local.oidc_arn + role_permissions_boundary_arn = local.iam_role_permissions_boundary + + role_policy_arns = tomap({ + "velero" = aws_iam_policy.velero_policy.arn + }) + +} + + +resource "random_id" "unique_id" { + byte_length = 4 +} + +resource "aws_iam_policy" "velero_policy" { + name = "${local.name}-irsa-${random_id.unique_id.hex}" + path = "/" + description = "Policy to give Velero necessary permissions for cluster backups." 
+ + # Terraform expression result to valid JSON syntax. + policy = jsonencode( + { + Version = "2012-10-17", + Statement = [ + { + Effect = "Allow", + Action = [ + "ec2:DescribeVolumes", + "ec2:DescribeSnapshots", + "ec2:CreateTags", + "ec2:CreateVolume", + "ec2:CreateSnapshot", + "ec2:DeleteSnapshot" + ] + Resource = [ + "*" + ] + }, + { + Effect = "Allow" + Action = [ + "s3:GetObject", + "s3:DeleteObject", + "s3:PutObject", + "s3:AbortMultipartUpload", + "s3:ListMultipartUploadParts" + ] + Resource = [ + "arn:${data.aws_partition.current.partition}:s3:::${module.S3.bucket_name}/*" + ] + }, + { + Effect = "Allow", + Action = [ + "s3:ListBucket" + ], + Resource = [ + "arn:${data.aws_partition.current.partition}:s3:::${module.S3.bucket_name}/*" + ] + }, + { + Effect = "Allow" + Action = [ + "kms:GenerateDataKey", + "kms:Decrypt" + ] + Resource = [local.kms_key_arn] + } + + ] + }) +} + diff --git a/.github/test-infra/ci-iac-aws/velero/output.tf b/.github/test-infra/ci-iac-aws/velero/output.tf new file mode 100644 index 000000000..d14af52d7 --- /dev/null +++ b/.github/test-infra/ci-iac-aws/velero/output.tf @@ -0,0 +1,24 @@ +output "aws_region" { + value = data.aws_region.current.name +} + +output "irsa_role_arn" { + value = module.irsa.role_arn +} + +output "s3" { + value = module.S3 +} + +output "s3_bucket" { + value = module.S3.bucket_name +} + +output "kms_key_arn" { + description = "The ARN of the OIDC Provider of the EKS Cluster" + value = local.kms_key_arn +} + +output "force_destroy" { + value = var.force_destroy +} diff --git a/.github/test-infra/ci-iac-aws/velero/terraform.tfvars b/.github/test-infra/ci-iac-aws/velero/terraform.tfvars new file mode 100644 index 000000000..d947867f3 --- /dev/null +++ b/.github/test-infra/ci-iac-aws/velero/terraform.tfvars 
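Review bot: The third statement of `velero_policy` grants `s3:ListBucket` on `arn:...:s3:::${module.S3.bucket_name}/*`, but ListBucket is a bucket-level action whose resource must be the bucket ARN itself, so that statement matches nothing; Velero's listing calls only succeed today because `aws_s3_bucket_policy.bucket_policy` separately allows ListBucket on `module.S3.bucket_arn`. Change the resource to `"arn:${data.aws_partition.current.partition}:s3:::${module.S3.bucket_name}"` so the identity policy stands on its own. The `ec2:*` statement on `Resource = ["*"]` is broad for a backup role; several of the snapshot actions do not support resource-level restriction, so a `Condition` on `ec2:ResourceTag`/`aws:RequestTag` is the usual way to scope it if the cluster tags its volumes. Separately, `velero/.terraform/modules/modules.json` and `route53-policy/.terraform/modules/modules.json` are committed in this change while `loki/.gitignore` excludes exactly that path; add matching `.gitignore` files for those two directories.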
@@ -0,0 +1,10 @@ +region = "###ZARF_VAR_REGION###" +name = "###ZARF_VAR_EKS_CLUSTER_NAME###" +bucket_name = "###ZARF_VAR_EKS_CLUSTER_NAME###-velero" +force_destroy = "###ZARF_VAR_VELERO_FORCE_DESTROY###" + +kubernetes_service_account = "velero-velero-server" +kubernetes_namespace = "velero" + +permissions_boundary_name = "###ZARF_VAR_PERMISSIONS_BOUNDARY_NAME###" +use_permissions_boundary = "###ZARF_VAR_USE_PERMISSIONS_BOUNDARY###" diff --git a/.github/test-infra/ci-iac-aws/velero/variables.tf b/.github/test-infra/ci-iac-aws/velero/variables.tf new file mode 100644 index 000000000..e3b4fdf11 --- /dev/null +++ b/.github/test-infra/ci-iac-aws/velero/variables.tf 
@@ -0,0 +1,67 @@ +variable "region" { + description = "AWS region" + type = string +} + +variable "name" { + description = "Name for cluster" + type = string +} + +variable "kms_key_arn" { + type = string + description = "KMS Key ARN if known, if not, will be generated" + default = null +} + +variable "force_destroy" { + description = "Option to set force destroy" + type = bool + default = false +} + +variable "key_owner_arns" { + description = "ARNS of KMS key owners, needed for use of key" + type = list(string) + default = [] +} + +# taken from zarf bb repo +variable "kms_key_deletion_window" { + description = "Waiting period for scheduled KMS Key deletion. Can be 7-30 days." + type = number + default = 7 +} + +variable "create_kms_key" { + description = "Whether to create a new KMS key to be used with the S3 bucket. If not, you must pass in your own key ARN." + type = bool + default = true +} + +variable "bucket_name" { + description = "Name for S3 bucket" + type = string +} + +variable "kubernetes_service_account" { + description = "Name of the service account to bind to. Used to generate fully qualified subject for service account." + type = string +} + +variable "kubernetes_namespace" { + description = "Name of the namespace that the service account exists in. Used to generate fully qualified subject for the service account." + type = string +} + +variable "permissions_boundary_name" { + description = "The name of the permissions boundary for IAM resources. This will be used for tagging and to build out the ARN." + type = string + default = null +} + +variable "use_permissions_boundary" { + description = "Whether to use IAM permissions boundary for resources." + type = bool + default = true +} diff --git a/.github/test-infra/ci-iac-aws/zarf-config.yaml b/.github/test-infra/ci-iac-aws/zarf-config.yaml new file mode 100644 index 000000000..b5f7bf677 --- /dev/null +++ b/.github/test-infra/ci-iac-aws/zarf-config.yaml 
@@ -0,0 +1,19 @@
+package:
+ create:
+ max_package_size: "1000000000"
+ set:
+ terraform_version: "1.5.7"
+ deploy:
+ set:
+ # -- Name of the EKS cluster
+ eks_cluster_name: "uds-core-aws"
+ # -- Name of existing Terraform state bucket
+ state_bucket_name: "uds-dev-state-bucket"
+ # -- Key path to Terraform state file within the bucket
+ state_key: "tfstate/dev/uds-dev-state-bucket.tfstate"
+ # -- Name of DynamoDB table used for Terraform state locking
+ state_dynamodb_table_name: "uds-dev-state-dynamodb"
+ # -- AWS region
+ region: "us-west-2"
+ # -- If set to true, force delete all resources on removal (i.e. loki S3 bucket, PVCs, etc)
+ ephemeral: "true"
diff --git a/.github/test-infra/ci-iac-aws/zarf.yaml b/.github/test-infra/ci-iac-aws/zarf.yaml
new file mode 100644
index 000000000..b341b684e
--- /dev/null
+++ b/.github/test-infra/ci-iac-aws/zarf.yaml
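Review bot: `eks_cluster_name: "uds-core-aws"` does not match `cluster_name: uds-core-aws-install` in `.github/test-infra/eks/zarf-config.yaml` from the same commit, and `region: "us-west-2"` differs from the `region: us-east-2` hard-coded in `eks/config.yaml`; the `aws_eks_cluster.existing` data source in both Terraform modules looks the cluster up by exactly this name and region, so with these two configs the lookup fails. Align the values, or template the eksctl region and name from the same variables the Terraform package uses, before the workflow depends on them. `ephemeral: "true"` is documented as forcing resource deletion, but the only consumer of `EPHEMERAL` in `zarf.yaml` (the `set-ephemeral` component) is commented out, so today the key has no effect; either restore that component or remove the key so the knob is not misleading.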
@@ -0,0 +1,218 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/zarf/main/zarf.schema.json +kind: ZarfPackageConfig +metadata: + name: ci-iac-aws + description: "CI - IAC AWS (not for Prod use)" + # x-release-please-start-version + version: "0.15.1" + # x-release-please-end + architecture: amd64 + source: https://github.com/defenseunicorns/uds-core + documentation: https://github.com/defenseunicorns/uds-core + vendor: Defense Unicorns + +variables: + - name: TERRAFORM_VERSION + + - name: STATE_BUCKET_NAME + description: "Name of the pre-existing Terraform state S3 bucket" + - name: STATE_KEY + description: "Path to the state file key in the state bucket" + - name: STATE_DYNAMODB_TABLE_NAME + description: "Name of the DynamoDB table used for Terraform state locking" + - name: REGION + description: "The AWS region to run the Terraform in" + default: "us-east-2" + - name: PERMISSIONS_BOUNDARY_NAME + default: "" + - name: USE_PERMISSIONS_BOUNDARY + default: "true" + + - name: EPHEMERAL + description: "Set whether the cluster should be considered ephemeral - if true all resources will be force destroyed on removal" + default: "true" + - name: LOKI_FORCE_DESTROY + description: "If set to true, delete the S3 bucket and corresponding KMS key associated with the Loki bucket. Overrides ephemeral setting." + default: "true" + - name: VELERO_FORCE_DESTROY + description: "If set to true, delete the S3 bucket and corresponding KMS key associated with the Velero bucket. Overrides ephemeral setting." 
+ default: "true" + +components: + # - name: set-ephemeral + # required: true + # actions: + # onDeploy: + # before: + # - cmd: | + # if [ -z "${ZARF_VAR_LOKI_FORCE_DESTROY}" ]; then + # echo "${ZARF_VAR_EPHEMERAL}" + # else + # echo "${ZARF_VAR_LOKI_FORCE_DESTROY}" + # fi + # mute: true + # setVariables: + # - name: LOKI_FORCE_DESTROY + # - cmd: | + # if [ -z "${ZARF_VAR_VELERO_FORCE_DESTROY}" ]; then + # echo "${ZARF_VAR_EPHEMERAL}" + # else + # echo "${ZARF_VAR_VELERO_FORCE_DESTROY}" + # fi + # mute: true + # setVariables: + # - name: VELERO_FORCE_DESTROY + - name: download-terraform + required: true + actions: + onDeploy: + after: + - cmd: | + rm -f run/loki/terraform || true + rm -f run/velero/terraform || true + description: Clean up previous install since archiver doesn't overwrite the output + - cmd: "./extract-terraform.sh ###ZARF_PKG_TMPL_TERRAFORM_VERSION###" + files: + - source: extract.sh + target: extract-terraform.sh + executable: true + # terraform binary into zarf package + - source: https://releases.hashicorp.com/terraform/###ZARF_PKG_TMPL_TERRAFORM_VERSION###/terraform_###ZARF_PKG_TMPL_TERRAFORM_VERSION###_darwin_arm64.zip + target: tmp/terraform_###ZARF_PKG_TMPL_TERRAFORM_VERSION###_darwin_arm64.zip + - source: https://releases.hashicorp.com/terraform/###ZARF_PKG_TMPL_TERRAFORM_VERSION###/terraform_###ZARF_PKG_TMPL_TERRAFORM_VERSION###_darwin_amd64.zip + target: tmp/terraform_###ZARF_PKG_TMPL_TERRAFORM_VERSION###_darwin_amd64.zip + - source: https://releases.hashicorp.com/terraform/###ZARF_PKG_TMPL_TERRAFORM_VERSION###/terraform_###ZARF_PKG_TMPL_TERRAFORM_VERSION###_linux_amd64.zip + target: tmp/terraform_###ZARF_PKG_TMPL_TERRAFORM_VERSION###_linux_amd64.zip + - name: loki-module + required: true + actions: + onCreate: + before: + - cmd: terraform get -update + dir: loki + files: + - source: loki + target: run/loki + - name: loki-execute-terraform + required: true + actions: + onDeploy: + before: + - cmd: echo ${ZARF_VAR_STATE_KEY} | sed 
's/\.tfstate/-loki.tfstate/g' + dir: run/loki + setVariables: + - name: STATE_KEY_LOKI + - cmd: | + ../terraform init -force-copy \ + -backend-config="bucket=${ZARF_VAR_STATE_BUCKET_NAME}" \ + -backend-config="key=${ZARF_VAR_STATE_KEY_LOKI}" \ + -backend-config="region=${ZARF_VAR_REGION}" \ + -backend-config="dynamodb_table=${ZARF_VAR_STATE_DYNAMODB_TABLE_NAME}" + dir: run/loki + - cmd: ../terraform apply -auto-approve + dir: run/loki + onRemove: + before: + - cmd: | + if [ -d "run/loki" ]; then + cd run/loki + ../terraform destroy -auto-approve + else + echo "Cannot remove: run/loki directory does not exist" + fi + - name: loki-outputs + required: true + actions: + onDeploy: + after: + - cmd: ../terraform output -raw s3_bucket + dir: run/loki + setVariables: + - name: LOKI_S3_BUCKET + - cmd: ../terraform output -raw aws_region + dir: run/loki + setVariables: + - name: LOKI_S3_AWS_REGION + - cmd: ../terraform output -raw irsa_role_arn + dir: run/loki + setVariables: + - name: LOKI_S3_ROLE_ARN + - name: velero-module + required: true + actions: + onCreate: + before: + - cmd: terraform get -update + dir: velero + files: + - source: velero + target: run/velero + - name: velero-execute-terraform + required: true + actions: + onDeploy: + before: + - cmd: echo ${ZARF_VAR_STATE_KEY} | sed 's/\.tfstate/-velero.tfstate/g' + dir: run/velero + setVariables: + - name: STATE_KEY_VELERO + - cmd: "echo ${ZARF_VAR_STATE_KEY_VELERO}" + - cmd: | + ../terraform init -force-copy \ + -backend-config="bucket=${ZARF_VAR_STATE_BUCKET_NAME}" \ + -backend-config="key=${ZARF_VAR_STATE_KEY_VELERO}" \ + -backend-config="region=${ZARF_VAR_REGION}" \ + -backend-config="dynamodb_table=${ZARF_VAR_STATE_DYNAMODB_TABLE_NAME}" + dir: run/velero + - cmd: ../terraform apply -auto-approve + dir: run/velero + onRemove: + before: + - cmd: | + if [ -d "run/velero" ]; then + cd run/velero + ../terraform destroy -auto-approve + else + echo "Cannot remove: run/velero directory does not exist" + fi + - name: 
velero-outputs + required: true + actions: + onDeploy: + after: + - cmd: ../terraform output -raw s3_bucket + dir: run/velero + setVariables: + - name: VELERO_S3_BUCKET + - cmd: ../terraform output -raw aws_region + dir: run/velero + setVariables: + - name: VELERO_S3_AWS_REGION + - cmd: ../terraform output -raw irsa_role_arn + dir: run/velero + setVariables: + - name: VELERO_S3_ROLE_ARN + - name: export-outputs + required: true + actions: + onDeploy: + after: + - cmd: | + cat < setenv-uds-package.sh + export ZARF_PACKAGE_DEPLOY_SET='{ \ + "STATE_BUCKET_NAME": "${ZARF_VAR_STATE_BUCKET_NAME}", \ + "STATE_KEY": "${ZARF_VAR_STATE_KEY}", \ + "STATE_DYNAMODB_TABLE_NAME": "${ZARF_VAR_STATE_DYNAMODB_TABLE_NAME}", \ + "NAME": "${ZARF_VAR_EKS_CLUSTER_NAME}", \ + "REGION": "${ZARF_VAR_REGION}", \ + "EPHEMERAL": "${ZARF_VAR_EPHEMERAL}", \ + "LOKI_FORCE_DESTROY": "${ZARF_VAR_LOKI_FORCE_DESTROY}", \ + "VELERO_FORCE_DESTROY": "${ZARF_VAR_VELERO_FORCE_DESTROY}", \ + "LOKI_S3_BUCKET": "${ZARF_VAR_LOKI_S3_BUCKET}", \ + "LOKI_S3_AWS_REGION": "${ZARF_VAR_LOKI_S3_AWS_REGION}", \ + "LOKI_S3_ROLE_ARN": "${ZARF_VAR_LOKI_S3_ROLE_ARN}", \ + "VELERO_S3_BUCKET": "${ZARF_VAR_VELERO_S3_BUCKET}", \ + "VELERO_S3_AWS_REGION": "${ZARF_VAR_VELERO_S3_AWS_REGION}", \ + "VELERO_S3_ROLE_ARN": "${ZARF_VAR_VELERO_S3_ROLE_ARN}" \ + }' + EOF diff --git a/.github/test-infra/eks/.gitignore b/.github/test-infra/eks/.gitignore new file mode 100644 index 000000000..fb242f9cc --- /dev/null +++ b/.github/test-infra/eks/.gitignore @@ -0,0 +1 @@ +eksctl \ No newline at end of file diff --git a/.github/test-infra/eks/config.yaml b/.github/test-infra/eks/config.yaml new file mode 100644 index 000000000..fedd3d7ac --- /dev/null +++ b/.github/test-infra/eks/config.yaml 
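Review bot: In the `export-outputs` component, `cat < setenv-uds-package.sh` is an input redirection rather than a here-doc, so `cat` fails on a file that does not exist yet, the JSON lines that follow are run as shell commands, and the closing `EOF` is an unknown command; it should read `cat <<EOF > setenv-uds-package.sh`. The three Terraform `files` entries in `download-terraform` fetch release zips with no `shasum`, so a substituted or tampered artifact would be packaged and then executed unchecked by `extract-terraform.sh`; add `shasum: <sha256 from HashiCorp's SHA256SUMS for the pinned version>` to each entry. `###ZARF_VAR_EKS_CLUSTER_NAME###` is consumed by `loki/terraform.tfvars`, `velero/terraform.tfvars` and the export step, but `EKS_CLUSTER_NAME` is not declared in this package's `variables:` list, so it is likely to be left untemplated or rejected at deploy time; add `- name: EKS_CLUSTER_NAME` alongside the other variables.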
@@ -0,0 +1,38 @@
+apiVersion: eksctl.io/v1alpha5
+kind: ClusterConfig
+
+metadata:
+ name: "###ZARF_VAR_CLUSTER_NAME###"
+ region: us-east-2
+ version: "1.27"
+ tags:
+ PermissionsBoundary: "###ZARF_VAR_PERMISSIONS_BOUNDARY_NAME###"
+
+iam:
+ withOIDC: true
+ serviceRolePermissionsBoundary: "###ZARF_VAR_PERMISSIONS_BOUNDARY_ARN###"
+
+addons:
+ - name: aws-ebs-csi-driver
+ version: v1.25.0-eksbuild.1
+
+ attachPolicyARNs:
+ - arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy
+ permissionsBoundary: "###ZARF_VAR_PERMISSIONS_BOUNDARY_ARN###"
+ tags:
+ PermissionsBoundary: "###ZARF_VAR_PERMISSIONS_BOUNDARY_NAME###"
+
+ - name: vpc-cni
+ permissionsBoundary: "###ZARF_VAR_PERMISSIONS_BOUNDARY_ARN###"
+ tags:
+ PermissionsBoundary: "###ZARF_VAR_PERMISSIONS_BOUNDARY_NAME###"
+
+managedNodeGroups:
+ - name: ng-1
+ instanceType: m5.2xlarge
+ desiredCapacity: 3
+ volumeSize: 150
+ tags:
+ PermissionsBoundary: "###ZARF_VAR_PERMISSIONS_BOUNDARY_NAME###"
+ iam:
+ instanceRolePermissionsBoundary: "###ZARF_VAR_PERMISSIONS_BOUNDARY_ARN###"
diff --git a/.github/test-infra/eks/zarf-config.yaml b/.github/test-infra/eks/zarf-config.yaml
new file mode 100644
index 000000000..bdff79046
--- /dev/null
+++ b/.github/test-infra/eks/zarf-config.yaml
@@ -0,0 +1,8 @@
+package:
+ create:
+ max_package_size: "1000000000"
+ set:
+ eksctl_version: v0.165.0
+ deploy:
+ set:
+ cluster_name: uds-core-aws-install
diff --git a/.github/test-infra/eks/zarf.yaml b/.github/test-infra/eks/zarf.yaml
new file mode 100644
index 000000000..0a24ccd89
--- /dev/null
+++ b/.github/test-infra/eks/zarf.yaml
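Review bot: `region: us-east-2` is hard-coded in the ClusterConfig, while the Terraform side of this series takes its region from `###ZARF_VAR_REGION###` (the loki/velero `terraform.tfvars`) with a separate default in `ci-iac-aws/zarf.yaml`, so the cluster and the IRSA/S3 resources can silently land in different regions — PATCH 05 indeed has to hand-edit this value to `us-west-2`. Since the file is already templated with `###ZARF_VAR_…###` placeholders, the consistent form is `region: "###ZARF_VAR_REGION###"` with a `REGION` variable declared in `eks/zarf.yaml` next to `CLUSTER_NAME`, so one value drives both packages. The blank line between `version:` and `attachPolicyARNs:` inside the first addon entry is also worth dropping so the item reads as a single mapping.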
@@ -0,0 +1,49 @@
+kind: ZarfPackageConfig
+metadata:
+ name: distro-eks
+ description: "Deploy an EKS K8s cluster"
+ architecture: multi
+ version: "0.15.1"
+
+variables:
+ - name: CLUSTER_NAME
+ prompt: true
+ - name: PERMISSIONS_BOUNDARY_ARN
+ - name: PERMISSIONS_BOUNDARY_NAME
+
+components:
+ - name: load-eksctl
+ required: true
+ actions:
+ onDeploy:
+ after:
+ # Remove existing eksctl
+ - cmd: rm -f eksctl
+ # Extract the correct linux or mac binary from the tarball
+ - cmd: ./zarf tools archiver decompress archives/eksctl_$(uname -s)_$(uname -m).tar.gz .
+ # Cleanup temp files
+ - cmd: rm -fr archives
+ files:
+ - source: config.yaml
+ target: config.yaml
+ - source: https://github.com/weaveworks/eksctl/releases/download/###ZARF_PKG_VAR_EKSCTL_VERSION###/eksctl_Darwin_amd64.tar.gz
+ target: archives/eksctl_Darwin_x86_64.tar.gz
+ - source: https://github.com/weaveworks/eksctl/releases/download/###ZARF_PKG_VAR_EKSCTL_VERSION###/eksctl_Darwin_arm64.tar.gz
+ target: archives/eksctl_Darwin_arm64.tar.gz
+ - source: https://github.com/weaveworks/eksctl/releases/download/###ZARF_PKG_VAR_EKSCTL_VERSION###/eksctl_Linux_amd64.tar.gz
+ target: archives/eksctl_Linux_x86_64.tar.gz
+
+ - name: deploy-eks-cluster
+ required: true
+ actions:
+ onDeploy:
+ before:
+ - cmd: ./eksctl create cluster --dry-run -f config.yaml
+ - cmd: sleep 15
+ - cmd: ./eksctl create cluster -f config.yaml
+ after:
+ - cmd: ./eksctl utils write-kubeconfig -c ${ZARF_VAR_CLUSTER_NAME}
+ onRemove:
+ before:
+ - cmd: ./eksctl delete cluster -f config.yaml --disable-nodegroup-eviction --wait
+
diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml
new file mode 100644
index 000000000..6f8b0d7e3
--- /dev/null
+++ b/.github/workflows/test-eks.yaml
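Review bot: The eksctl tarballs in `files:` are pulled from GitHub releases with no `shasum`, so the binary that creates and later deletes the cluster is pinned by release tag only, not by content; adding `shasum: <sha256 of the release asset>` to each entry makes `zarf package create` reject a substituted asset, and the point still applies after PATCH 04's hunk on this file reduces the list to one Linux asset with a hard-coded `v0.165.0`. The package-template placeholder `###ZARF_PKG_VAR_EKSCTL_VERSION###` differs from the `###ZARF_PKG_TMPL_…###` form the sibling `ci-iac-aws/zarf.yaml` uses for `TERRAFORM_VERSION`; I believe `ZARF_PKG_VAR_` is the older spelling, so confirm it still resolves or switch to `ZARF_PKG_TMPL_` for consistency. `- cmd: sleep 15` between the dry-run and the real create carries no explanation of what it waits for; if it is a workaround, say so on the line above, e.g. `# pause between dry-run and create — TODO confirm this is still needed`.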
@@ -0,0 +1,68 @@
+name: Test UDS Core On EKS
+
+on:
+ workflow_call:
+
+permissions:
+ id-token: write
+ contents: read
+
+jobs:
+ test-clean-install:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{ secrets.AWS_COMMERCIAL_ORG_ROLE_TO_ASSUME }}
+ role-session-name: ${{ github.job || github.event.client_payload.pull_request.head.sha || github.sha }}
+ aws-region: us-east-2
+ role-duration-seconds: 21600
+
+ - name: Set Terraform version
+ uses: hashicorp/setup-terraform@v3
+ with:
+ terraform_version: "1.5.7"
+
+ - name: Environment setup
+ uses: ./.github/actions/setup
+
+ - name: Login to registry1
+ run: uds run registry-login --set REGISTRY=registry1.dso.mil --set REGISTRY_USERNAME=${{ secrets.IRON_BANK_ROBOT_USERNAME }} --set REGISTRY_PASSWORD=${{ secrets.IRON_BANK_ROBOT_PASSWORD }} --set REGISTRY_RETRY_INTERVAL=90
+
+ - name: Set eks_cluster_name
+ id: get_cluster_name
+ env:
+ SHA: ${{ github.sha }}
+ run: |
+ echo "eks_cluster_name=uds-core-aws-${SHA:0:7}" >> $GITHUB_OUTPUT
+ echo "short_sha=${SHA:0:7}" >> $GITHUB_OUTPUT
+
+ - name: Create EKSCTL Package
+ run: uds zarf package create .github/test-infra/eks -o .github/packages --confirm
+
+ - name: Create CI-IAC-AWS Package
+ run: uds zarf package create .github/test-infra/ci-iac-aws -o .github/packages --confirm
+
+ - name: Create UDS Core Package
+ run: ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml standard-package --no-progress -o .github/packages
+
+ - name: Create Bundle
+ env:
+ UDS_EKS_CLUSTER_NAME: ${{ steps.get_cluster_name.outputs.eks_cluster_name }}
+ UDS_PERMISSIONS_BOUNDARY_ARN: ${{ secrets.PERMISSIONS_BOUNDARY_ARN }}
+ UDS_PERMISSIONS_BOUNDARY_NAME: ${{ secrets.PERMISSIONS_BOUNDARY_NAME }}
+ run: uds create .github/bundles --confirm
+
+ - name: Deploy Bundle
+ run: uds deploy 
.github/bundles/uds-bundle-uds-core-eks-nightly-*.tar.gz --confirm + + - name: Remove UDS Core And Teardown EKS + if: always() + run: uds remove .github/bundles/uds-bundle-uds-core-eks-*.tar.gz --confirm + timeout-minutes: 60 + continue-on-error: true \ No newline at end of file From 51b75c57c073c0340c083a19e235906bd0c6adf6 Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Wed, 13 Mar 2024 13:50:41 -0600 Subject: [PATCH 03/82] yamllint --- .github/bundles/uds-config.yaml | 2 +- .github/test-infra/eks/zarf.yaml | 1 - .github/workflows/nightly-testing.yaml | 2 +- .github/workflows/test-eks.yaml | 6 +++--- 4 files changed, 5 insertions(+), 6 deletions(-) diff --git a/.github/bundles/uds-config.yaml b/.github/bundles/uds-config.yaml index dc1b6ab87..f7137cc26 100644 --- a/.github/bundles/uds-config.yaml +++ b/.github/bundles/uds-config.yaml @@ -6,4 +6,4 @@ variables: ci-iac-aws: state_bucket_name: uds-aws-ci-commercial-us-east-2-5246-tfstate state_key: tfstate/ci/install/${SHA:0:7}-dubbd-aws.tfstate - state_dynamodb_table_name: uds-aws-ci-commercial-org-us-east-2-5246-tfstate-lock \ No newline at end of file + state_dynamodb_table_name: uds-aws-ci-commercial-org-us-east-2-5246-tfstate-lock diff --git a/.github/test-infra/eks/zarf.yaml b/.github/test-infra/eks/zarf.yaml index 0a24ccd89..a00861d05 100644 --- a/.github/test-infra/eks/zarf.yaml +++ b/.github/test-infra/eks/zarf.yaml @@ -46,4 +46,3 @@ components: onRemove: before: - cmd: ./eksctl delete cluster -f config.yaml --disable-nodegroup-eviction --wait - diff --git a/.github/workflows/nightly-testing.yaml b/.github/workflows/nightly-testing.yaml index 6b32d70a1..8cc5e743f 100644 --- a/.github/workflows/nightly-testing.yaml +++ b/.github/workflows/nightly-testing.yaml @@ -18,4 +18,4 @@ jobs: # any specific distrubution tests # connection tests between core services # kubectl commands? - # base cypress tests? \ No newline at end of file + # base cypress tests? 
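Review bot: The teardown step at the end of the hunk combines `if: always()` with `continue-on-error: true`, so a failed `uds remove` leaves the EKS cluster, S3 buckets and IAM roles running while the job still reports green; drop `continue-on-error: true` (keeping `if: always()` and `timeout-minutes: 60`) so an orphaned environment shows up in the run result. The `Login to registry1` step puts `REGISTRY_PASSWORD=${{ secrets.IRON_BANK_ROBOT_PASSWORD }}` into the command line, where it is readable from the process table by anything else on the runner even though the log is masked; if the task runner accepts the value from an environment variable, passing it through `env:` instead keeps it out of argv. The remove glob `uds-bundle-uds-core-eks-*.tar.gz` is also wider than the deploy glob `uds-bundle-uds-core-eks-nightly-*.tar.gz`, harmless today but worth aligning. These lines are re-touched by the PATCH 03 and PATCH 05 hunks for this file, and the points carry over.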
diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 6f8b0d7e3..8729f7feb 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml @@ -30,7 +30,7 @@ jobs: - name: Environment setup uses: ./.github/actions/setup - + - name: Login to registry1 run: uds run registry-login --set REGISTRY=registry1.dso.mil --set REGISTRY_USERNAME=${{ secrets.IRON_BANK_ROBOT_USERNAME }} --set REGISTRY_PASSWORD=${{ secrets.IRON_BANK_ROBOT_PASSWORD }} --set REGISTRY_RETRY_INTERVAL=90 @@ -54,7 +54,7 @@ jobs: - name: Create Bundle env: UDS_EKS_CLUSTER_NAME: ${{ steps.get_cluster_name.outputs.eks_cluster_name }} - UDS_PERMISSIONS_BOUNDARY_ARN: ${{ secrets.PERMISSIONS_BOUNDARY_ARN }} + UDS_PERMISSIONS_BOUNDARY_ARN: ${{ secrets.PERMISSIONS_BOUNDARY_ARN }} UDS_PERMISSIONS_BOUNDARY_NAME: ${{ secrets.PERMISSIONS_BOUNDARY_NAME }} run: uds create .github/bundles --confirm @@ -65,4 +65,4 @@ jobs: if: always() run: uds remove .github/bundles/uds-bundle-uds-core-eks-*.tar.gz --confirm timeout-minutes: 60 - continue-on-error: true \ No newline at end of file + continue-on-error: true From cd3348418c3fc0f790b8f53fc3253da45e36b9ee Mon Sep 17 00:00:00 2001 
From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Thu, 14 Mar 2024 09:32:38 -0600 Subject: [PATCH 04/82] removing zarf-configs from test-infra packages; setting package vars via workflow env --- .github/bundles/uds-config.yaml | 6 +-- .github/test-infra/ci-iac-aws/loki/README.md | 2 +- .github/test-infra/ci-iac-aws/loki/main.tf | 4 +- .github/test-infra/ci-iac-aws/velero/main.tf | 4 +- .../test-infra/ci-iac-aws/zarf-config.yaml | 19 ---------- .github/test-infra/ci-iac-aws/zarf.yaml | 37 ++----------------- .github/test-infra/eks/zarf-config.yaml | 8 ---- .github/test-infra/eks/zarf.yaml | 6 +-- .github/workflows/nightly-testing.yaml | 16 ++------ .github/workflows/test-eks.yaml | 5 ++- 10 files changed, 19 insertions(+), 88 deletions(-) delete mode 100644 .github/test-infra/ci-iac-aws/zarf-config.yaml delete mode 100644 .github/test-infra/eks/zarf-config.yaml diff --git a/.github/bundles/uds-config.yaml b/.github/bundles/uds-config.yaml index f7137cc26..fc7b8e3bc 100644 --- a/.github/bundles/uds-config.yaml +++ b/.github/bundles/uds-config.yaml @@ -4,6 +4,6 @@ variables: # permissions_boundary_arn: $PERMISSIONS_BOUNDARY_ARN # permissions_boundary_name: $PERMISSIONS_BOUNDARY_NAME ci-iac-aws: - state_bucket_name: uds-aws-ci-commercial-us-east-2-5246-tfstate - state_key: tfstate/ci/install/${SHA:0:7}-dubbd-aws.tfstate - state_dynamodb_table_name: uds-aws-ci-commercial-org-us-east-2-5246-tfstate-lock + state_bucket_name: uds-aws-ci-commercial-us-west-2-5246-tfstate + state_key: tfstate/ci/install/${SHORT_SHA}-core-aws.tfstate + state_dynamodb_table_name: uds-aws-ci-commercial-org-us-west-2-5246-tfstate-lock diff --git a/.github/test-infra/ci-iac-aws/loki/README.md b/.github/test-infra/ci-iac-aws/loki/README.md index 239d7dde7..d947b75d7 100644 --- a/.github/test-infra/ci-iac-aws/loki/README.md +++ b/.github/test-infra/ci-iac-aws/loki/README.md 
@@ -18,7 +18,7 @@ No requirements. | Name | Source | Version | |------|--------|---------| | [S3](#module\_S3) | github.com/defenseunicorns/delivery-aws-iac//modules/s3-irsa | v0.0.4-alpha | -| [generate\_kms](#module\_generate\_kms) | github.com/defenseunicorns/uds-iac-aws-kms | dubbd-test | +| [generate\_kms](#module\_generate\_kms) | github.com/defenseunicorns/uds-iac-aws-kms | uds-core-test | ## Resources diff --git a/.github/test-infra/ci-iac-aws/loki/main.tf b/.github/test-infra/ci-iac-aws/loki/main.tf index c4eb7aa68..6d0fe58e5 100644 --- a/.github/test-infra/ci-iac-aws/loki/main.tf +++ b/.github/test-infra/ci-iac-aws/loki/main.tf @@ -97,9 +97,9 @@ module "generate_kms" { kms_key_alias_name_prefix = "${local.name}-" # Prefix for KMS key alias. kms_key_deletion_window = var.kms_key_deletion_window # Waiting period for scheduled KMS Key deletion. Can be 7-30 days. - kms_key_description = "${var.name} DUBBD deployment Loki Key" # Description for the KMS key. + kms_key_description = "${var.name} UDS Core deployment Loki Key" # Description for the KMS key. tags = { - Deployment = "UDS DUBBD ${local.name}" + Deployment = "UDS Core ${local.name}" } } diff --git a/.github/test-infra/ci-iac-aws/velero/main.tf b/.github/test-infra/ci-iac-aws/velero/main.tf index 4b8472559..08de4279c 100644 --- a/.github/test-infra/ci-iac-aws/velero/main.tf +++ b/.github/test-infra/ci-iac-aws/velero/main.tf @@ -96,9 +96,9 @@ module "generate_kms" { kms_key_alias_name_prefix = "${local.name}-" # Prefix for KMS key alias. kms_key_deletion_window = var.kms_key_deletion_window # Waiting period for scheduled KMS Key deletion. Can be 7-30 days. - kms_key_description = "${local.name} DUBBD deployment Velero Key" # Description for the KMS key. + kms_key_description = "${local.name} UDS Core deployment Velero Key" # Description for the KMS key. tags = { - Deployment = "UDS DUBBD ${local.name}" + Deployment = "UDS Core ${local.name}" } } 
diff --git a/.github/test-infra/ci-iac-aws/zarf-config.yaml b/.github/test-infra/ci-iac-aws/zarf-config.yaml deleted file mode 100644 index b5f7bf677..000000000 --- a/.github/test-infra/ci-iac-aws/zarf-config.yaml +++ /dev/null @@ -1,19 +0,0 @@ -package: - create: - max_package_size: "1000000000" - set: - terraform_version: "1.5.7" - deploy: - set: - # -- Name of the EKS cluster - eks_cluster_name: "uds-core-aws" - # -- Name of existing Terraform state bucket - state_bucket_name: "uds-dev-state-bucket" - # -- Key path to Terraform state file within the bucket - state_key: "tfstate/dev/uds-dev-state-bucket.tfstate" - # -- Name of DynamoDB table used for Terraform state locking - state_dynamodb_table_name: "uds-dev-state-dynamodb" - # -- AWS region - region: "us-west-2" - # -- If set to true, force delete all resources on removal (i.e. loki S3 bucket, PVCs, etc) - ephemeral: "true" diff --git a/.github/test-infra/ci-iac-aws/zarf.yaml b/.github/test-infra/ci-iac-aws/zarf.yaml index b341b684e..d654ce57e 100644 --- a/.github/test-infra/ci-iac-aws/zarf.yaml +++ b/.github/test-infra/ci-iac-aws/zarf.yaml @@ -12,8 +12,6 @@ metadata: vendor: Defense Unicorns variables: - - name: TERRAFORM_VERSION - - name: STATE_BUCKET_NAME description: "Name of the pre-existing Terraform state S3 bucket" - name: STATE_KEY @@ -22,7 +20,7 @@ variables: description: "Name of the DynamoDB table used for Terraform state locking" - name: REGION description: "The AWS region to run the Terraform in" - default: "us-east-2" + default: "us-west-2" - name: PERMISSIONS_BOUNDARY_NAME default: "" - name: USE_PERMISSIONS_BOUNDARY 
@@ -39,29 +37,6 @@ variables: default: "true" components: - # - name: set-ephemeral - # required: true - # actions: - # onDeploy: - # before: - # - cmd: | - # if [ -z "${ZARF_VAR_LOKI_FORCE_DESTROY}" ]; then - # echo "${ZARF_VAR_EPHEMERAL}" - # else - # echo "${ZARF_VAR_LOKI_FORCE_DESTROY}" - # fi - # mute: true - # setVariables: - # - name: LOKI_FORCE_DESTROY - # - cmd: | - # if [ -z "${ZARF_VAR_VELERO_FORCE_DESTROY}" ]; then - # echo "${ZARF_VAR_EPHEMERAL}" - # else - # echo "${ZARF_VAR_VELERO_FORCE_DESTROY}" - # fi - # mute: true - # setVariables: - # - name: VELERO_FORCE_DESTROY - name: download-terraform required: true actions: @@ -71,18 +46,14 @@ components: rm -f run/loki/terraform || true rm -f run/velero/terraform || true description: Clean up previous install since archiver doesn't overwrite the output - - cmd: "./extract-terraform.sh ###ZARF_PKG_TMPL_TERRAFORM_VERSION###" + - cmd: "./extract-terraform.sh ###ZARF_VAR_TERRAFORM_VERSION###" files: - source: extract.sh target: extract-terraform.sh executable: true # terraform binary into zarf package - - source: https://releases.hashicorp.com/terraform/###ZARF_PKG_TMPL_TERRAFORM_VERSION###/terraform_###ZARF_PKG_TMPL_TERRAFORM_VERSION###_darwin_arm64.zip - target: tmp/terraform_###ZARF_PKG_TMPL_TERRAFORM_VERSION###_darwin_arm64.zip - - source: https://releases.hashicorp.com/terraform/###ZARF_PKG_TMPL_TERRAFORM_VERSION###/terraform_###ZARF_PKG_TMPL_TERRAFORM_VERSION###_darwin_amd64.zip - target: tmp/terraform_###ZARF_PKG_TMPL_TERRAFORM_VERSION###_darwin_amd64.zip - - source: https://releases.hashicorp.com/terraform/###ZARF_PKG_TMPL_TERRAFORM_VERSION###/terraform_###ZARF_PKG_TMPL_TERRAFORM_VERSION###_linux_amd64.zip - target: tmp/terraform_###ZARF_PKG_TMPL_TERRAFORM_VERSION###_linux_amd64.zip + - source: https://releases.hashicorp.com/terraform/1.5.7/terraform_1.5.7_linux_amd64.zip + target: tmp/terraform_1.5.7_linux_amd64.zip - name: loki-module required: true actions: 
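Review bot: The new `- cmd: "./extract-terraform.sh ###ZARF_VAR_TERRAFORM_VERSION###"` references a deploy-time variable that this same commit deletes from `variables:` (the `- name: TERRAFORM_VERSION` removal in the first hunk for this file), so unless it is declared somewhere outside these hunks the placeholder has nothing to resolve to, while the zip two lines below is now hard-coded to 1.5.7. Either hard-code the call to match, `- cmd: "./extract-terraform.sh 1.5.7"`, or keep the variable with `default: "1.5.7"` and use it in the download URL too, so the version lives in one place. The `releases.hashicorp.com` zip also carries no `shasum`, so the Terraform binary that runs `apply` against the account is pinned by URL only; `shasum: <sha256 of the zip>` on the `files:` entry closes that.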
diff --git a/.github/test-infra/eks/zarf-config.yaml b/.github/test-infra/eks/zarf-config.yaml deleted file mode 100644 index bdff79046..000000000 --- a/.github/test-infra/eks/zarf-config.yaml +++ /dev/null @@ -1,8 +0,0 @@ -package: - create: - max_package_size: "1000000000" - set: - eksctl_version: v0.165.0 - deploy: - set: - cluster_name: uds-core-aws-install diff --git a/.github/test-infra/eks/zarf.yaml b/.github/test-infra/eks/zarf.yaml index a00861d05..f4583dd9f 100644 --- a/.github/test-infra/eks/zarf.yaml +++ b/.github/test-infra/eks/zarf.yaml @@ -26,11 +26,7 @@ components: files: - source: config.yaml target: config.yaml - - source: https://github.com/weaveworks/eksctl/releases/download/###ZARF_PKG_VAR_EKSCTL_VERSION###/eksctl_Darwin_amd64.tar.gz - target: archives/eksctl_Darwin_x86_64.tar.gz - - source: https://github.com/weaveworks/eksctl/releases/download/###ZARF_PKG_VAR_EKSCTL_VERSION###/eksctl_Darwin_arm64.tar.gz - target: archives/eksctl_Darwin_arm64.tar.gz - - source: https://github.com/weaveworks/eksctl/releases/download/###ZARF_PKG_VAR_EKSCTL_VERSION###/eksctl_Linux_amd64.tar.gz + - source: https://github.com/weaveworks/eksctl/releases/download/v0.165.0/eksctl_Linux_amd64.tar.gz target: archives/eksctl_Linux_x86_64.tar.gz - name: deploy-eks-cluster diff --git a/.github/workflows/nightly-testing.yaml b/.github/workflows/nightly-testing.yaml index 8cc5e743f..c578e48e8 100644 --- a/.github/workflows/nightly-testing.yaml +++ b/.github/workflows/nightly-testing.yaml @@ -6,16 +6,6 @@ on: jobs: nightly-testing: - runs-on: ubuntu-latest - -# RKE2 and EKS Jobs - -# can we call infra code from other repos like uds-prod-infrastructure - -# deploy core - -# run tests - # any specific distrubution tests - # connection tests between core services - # kubectl commands? - # base cypress tests? + name: Test Core on EKS + uses: ./.github/workflows/test-eks.yaml + secrets: inherit \ No newline at end of file 
diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 8729f7feb..8d9b9937c 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml @@ -1,4 +1,4 @@ -name: Test UDS Core On EKS +name: Test Core On EKS on: workflow_call: @@ -20,7 +20,7 @@ jobs: with: role-to-assume: ${{ secrets.AWS_COMMERCIAL_ORG_ROLE_TO_ASSUME }} role-session-name: ${{ github.job || github.event.client_payload.pull_request.head.sha || github.sha }} - aws-region: us-east-2 + aws-region: us-west-2 role-duration-seconds: 21600 - name: Set Terraform version @@ -56,6 +56,7 @@ jobs: UDS_EKS_CLUSTER_NAME: ${{ steps.get_cluster_name.outputs.eks_cluster_name }} UDS_PERMISSIONS_BOUNDARY_ARN: ${{ secrets.PERMISSIONS_BOUNDARY_ARN }} UDS_PERMISSIONS_BOUNDARY_NAME: ${{ secrets.PERMISSIONS_BOUNDARY_NAME }} + SHORT_SHA: ${{ steps.get_cluster_name.outputs.short_sha }} run: uds create .github/bundles --confirm - name: Deploy Bundle From 17ea113bb7f266d7e2065fea563bd882262dc968 Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Thu, 14 Mar 2024 12:26:10 -0600 Subject: [PATCH 05/82] removing cluster and iac deployment from bundle --- .github/bundles/uds-bundleyaml | 48 ------------ .github/bundles/uds-config.yaml | 9 --- .github/test-infra/bundles/uds-bundleyaml | 73 +++++++++++++++++++ .github/test-infra/bundles/uds-config.yaml | 10 +++ .../ci-iac-aws/loki/terraform.tfvars | 4 +- .../ci-iac-aws/velero/terraform.tfvars | 4 +- .github/test-infra/ci-iac-aws/zarf.yaml | 31 ++++---- .github/test-infra/eks/config.yaml | 2 +- .github/workflows/test-eks.yaml | 27 ++++--- 9 files changed, 119 insertions(+), 89 deletions(-) delete mode 100644 .github/bundles/uds-bundleyaml delete mode 100644 .github/bundles/uds-config.yaml create mode 100644 .github/test-infra/bundles/uds-bundleyaml create mode 100644 .github/test-infra/bundles/uds-config.yaml 
diff --git a/.github/bundles/uds-bundleyaml b/.github/bundles/uds-bundleyaml deleted file mode 100644 index 0e0f5d975..000000000 --- a/.github/bundles/uds-bundleyaml +++ /dev/null @@ -1,48 +0,0 @@ -kind: UDSBundle -metadata: - name: uds-core-eks-nightly - description: A UDS bundle for deploying EKS and UDS Core - # x-release-please-start-version - version: "0.15.1" - # x-release-please-end - -packages: - - name: distro-eks - path: ../packages - ref: 0.15.1 - - - name: ci-iac-aws - path: ../packages/ - # x-release-please-start-version - ref: 0.15.1 - # x-release-please-end - - - name: init - repository: ghcr.io/defenseunicorns/packages/init - # renovate: datasource=github-tags depName=defenseunicorns/zarf versioning=semver - ref: v0.32.4 - - - name: core - path: ../packages/ - # x-release-please-start-version - ref: 0.15.1 - # x-release-please-end - overrides: - istio-admin-gateway: - uds-istio-config: - variables: - - name: ADMIN_TLS_CERT - description: "The TLS cert for the admin gateway (must be base64 encoded)" - path: tls.cert - - name: ADMIN_TLS_KEY - description: "The TLS key for the admin gateway (must be base64 encoded)" - path: tls.key - istio-tenant-gateway: - uds-istio-config: - variables: - - name: TENANT_TLS_CERT - description: "The TLS cert for the tenant gateway (must be base64 encoded)" - path: tls.cert - - name: TENANT_TLS_KEY - description: "The TLS key for the tenant gateway (must be base64 encoded)" - path: tls.key diff --git a/.github/bundles/uds-config.yaml b/.github/bundles/uds-config.yaml deleted file mode 100644 index fc7b8e3bc..000000000 --- a/.github/bundles/uds-config.yaml +++ /dev/null 
@@ -1,9 +0,0 @@ -variables: - # distro-eks: - # cluster_name: $EKS_CLUSTER_NAME - # permissions_boundary_arn: $PERMISSIONS_BOUNDARY_ARN - # permissions_boundary_name: $PERMISSIONS_BOUNDARY_NAME - ci-iac-aws: - state_bucket_name: uds-aws-ci-commercial-us-west-2-5246-tfstate - state_key: tfstate/ci/install/${SHORT_SHA}-core-aws.tfstate - state_dynamodb_table_name: uds-aws-ci-commercial-org-us-west-2-5246-tfstate-lock diff --git a/.github/test-infra/bundles/uds-bundleyaml b/.github/test-infra/bundles/uds-bundleyaml new file mode 100644 index 000000000..f6de89e09 --- /dev/null +++ b/.github/test-infra/bundles/uds-bundleyaml 
@@ -0,0 +1,73 @@
+kind: UDSBundle
+metadata:
+ name: uds-core-eks-nightly
+ description: A UDS bundle for deploying EKS and UDS Core
+ # x-release-please-start-version
+ version: "0.15.1"
+ # x-release-please-end
+
+packages:
+ - name: init
+ repository: ghcr.io/defenseunicorns/packages/init
+ # renovate: datasource=github-tags depName=defenseunicorns/zarf versioning=semver
+ ref: v0.32.4
+
+ - name: core
+ path: ../packages/
+ # x-release-please-start-version
+ ref: 0.15.1
+ # x-release-please-end
+ overrides:
+ loki:
+ variables:
+ - name: LOKI_CHUNKS_BUCKET
+ description: "The object storage bucket for Loki chunks"
+ path: loki.storage.bucketNames.chunks
+ - name: LOKI_RULER_BUCKET
+ description: "The object storage bucket for Loki ruler"
+ path: loki.storage.bucketNames.ruler
+ - name: LOKI_ADMIN_BUCKET
+ description: "The object storage bucket for Loki admin"
+ path: loki.storage.bucketNames.admin
+ - name: LOKI_S3_REGION
+ description: "The S3 region"
+ path: loki.storage.s3.region
+ # - name: LOKI_S3_ENDPOINT
+ # description: "The S3 endpoint"
+ # path: loki.storage.s3.endpoint
+ # - name: LOKI_S3_ACCESS_KEY_ID
+ # description: "The S3 Access Key ID"
+ # path: loki.storage.s3.accessKeyId
+ # - name: LOKI_S3_SECRET_ACCESS_KEY
+ # path: loki.storage.s3.secretAccessKey
+ # description: "The S3 Secret Access Key"
+ # - name: LOKI_WRITE_REPLICAS
+ # path: write.replicas
+ # description: "Loki write replicas"
+ # default: "1"
+ # - name: LOKI_READ_REPLICAS
+ # path: read.replicas
+ # description: "Loki read replicas"
+ # default: "1"
+ # - name: LOKI_BACKEND_REPLICAS
+ # path: backend.replicas
+ # description: "Loki backend replicas"
+ # default: "1"
+ # istio-admin-gateway:
+ # uds-istio-config:
+ # variables:
+ # - name: ADMIN_TLS_CERT
+ # description: "The TLS cert for the admin gateway (must be base64 encoded)"
+ # path: tls.cert
+ # - name: ADMIN_TLS_KEY
+ # description: "The TLS key for the admin gateway (must be base64 encoded)"
+ # path: tls.key
+ # 
istio-tenant-gateway: + # uds-istio-config: + # variables: + # - name: TENANT_TLS_CERT + # description: "The TLS cert for the tenant gateway (must be base64 encoded)" + # path: tls.cert + # - name: TENANT_TLS_KEY + # description: "The TLS key for the tenant gateway (must be base64 encoded)" + # path: tls.key diff --git a/.github/test-infra/bundles/uds-config.yaml b/.github/test-infra/bundles/uds-config.yaml new file mode 100644 index 000000000..44e2a4d91 --- /dev/null +++ b/.github/test-infra/bundles/uds-config.yaml @@ -0,0 +1,10 @@ +# Overwritten at deploy time by the ci-iac-aws package +options: + architecture: +variables: + core: + loki_bucket_chunks: ${ZARF_VAR_LOKI_S3_BUCKET} + loki_bucket_ruler: ${ZARF_VAR_LOKI_S3_BUCKET} + loki_bucket_admin: ${ZARF_VAR_LOKI_S3_BUCKET} + loki_region: ${ZARF_VAR_LOKI_S3_AWS_REGION} + loki_role_arn: ${ZARF_VAR_LOKI_S3_ROLE_ARN} diff --git a/.github/test-infra/ci-iac-aws/loki/terraform.tfvars b/.github/test-infra/ci-iac-aws/loki/terraform.tfvars index be09a31a4..a01a2b606 100644 --- a/.github/test-infra/ci-iac-aws/loki/terraform.tfvars +++ b/.github/test-infra/ci-iac-aws/loki/terraform.tfvars @@ -1,6 +1,6 @@ region = "###ZARF_VAR_REGION###" -name = "###ZARF_VAR_EKS_CLUSTER_NAME###" -bucket_name = "###ZARF_VAR_EKS_CLUSTER_NAME###-loki" +name = "###ZARF_VAR_CLUSTER_NAME###" +bucket_name = "###ZARF_VAR_CLUSTER_NAME###-loki" force_destroy = "###ZARF_VAR_LOKI_FORCE_DESTROY###" kubernetes_service_account = "logging-loki" diff --git a/.github/test-infra/ci-iac-aws/velero/terraform.tfvars b/.github/test-infra/ci-iac-aws/velero/terraform.tfvars index d947867f3..544eae572 100644 --- a/.github/test-infra/ci-iac-aws/velero/terraform.tfvars +++ b/.github/test-infra/ci-iac-aws/velero/terraform.tfvars 
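Review bot: Roughly forty of the 73 new lines in the bundle file are commented-out overrides, including `LOKI_S3_ACCESS_KEY_ID` / `LOKI_S3_SECRET_ACCESS_KEY` paths; since the deploy wires object storage through an IRSA role (`loki_role_arn` in the companion `uds-config.yaml`), static-key overrides should not be left as latent config to uncomment, and the TLS cert/key block was already dropped from the active bundle — delete both blocks rather than comment them out, leaving one line such as `# S3 access is via IRSA; no static credentials are wired through this bundle`. In the new `uds-config.yaml`, `architecture:` has no value and parses as null; the workflow runs `uds create .github/bundles` before the ci-iac-aws package rewrites this file, so either write `architecture: amd64` (the value the package later writes) or omit the key — which of the two `uds create` tolerates is not shown here and is worth confirming.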
@@ -1,6 +1,6 @@ region = "###ZARF_VAR_REGION###" -name = "###ZARF_VAR_EKS_CLUSTER_NAME###" -bucket_name = "###ZARF_VAR_EKS_CLUSTER_NAME###-velero" +name = "###ZARF_VAR_CLUSTER_NAME###" +bucket_name = "###ZARF_VAR_CLUSTER_NAME###-velero" force_destroy = "###ZARF_VAR_VELERO_FORCE_DESTROY###" kubernetes_service_account = "velero-velero-server" diff --git a/.github/test-infra/ci-iac-aws/zarf.yaml b/.github/test-infra/ci-iac-aws/zarf.yaml index d654ce57e..a2803a856 100644 --- a/.github/test-infra/ci-iac-aws/zarf.yaml +++ b/.github/test-infra/ci-iac-aws/zarf.yaml @@ -12,6 +12,9 @@ metadata: vendor: Defense Unicorns variables: + - name: CLUSTER_NAME + description: "Used in loki and velero terraform.tfvars" + prompt: true - name: STATE_BUCKET_NAME description: "Name of the pre-existing Terraform state S3 bucket" - name: STATE_KEY 
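Review bot: `CLUSTER_NAME` is added to `ci-iac-aws/zarf.yaml` with `prompt: true`, but every deploy of this package in the workflow runs with `--confirm` on a non-interactive runner where no prompt can be answered, and the `Deploy CI-IAC-AWS Package` step in this commit's `test-eks.yaml` hunk passes no value for it; the only place the name is set is `UDS_CLUSTER_NAME` on the `Create EKSCTL Package` step, which is a create-time step for a different package. Whether a `UDS_`-prefixed environment variable reaches `uds zarf package deploy` as a Zarf deploy variable is not shown here, so verify it; the explicit form is `--set CLUSTER_NAME=${{ steps.get_cluster_name.outputs.eks_cluster_name }}` on both deploy steps, with `prompt: true` dropped since nothing can answer it in CI. With the name empty, the tfvars line in this hunk, `bucket_name = "###ZARF_VAR_CLUSTER_NAME###-loki"`, would collapse to `-loki` and collide across runs.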
@@ -169,21 +172,15 @@ components: onDeploy: after: - cmd: | - cat < setenv-uds-package.sh - export ZARF_PACKAGE_DEPLOY_SET='{ \ - "STATE_BUCKET_NAME": "${ZARF_VAR_STATE_BUCKET_NAME}", \ - "STATE_KEY": "${ZARF_VAR_STATE_KEY}", \ - "STATE_DYNAMODB_TABLE_NAME": "${ZARF_VAR_STATE_DYNAMODB_TABLE_NAME}", \ - "NAME": "${ZARF_VAR_EKS_CLUSTER_NAME}", \ - "REGION": "${ZARF_VAR_REGION}", \ - "EPHEMERAL": "${ZARF_VAR_EPHEMERAL}", \ - "LOKI_FORCE_DESTROY": "${ZARF_VAR_LOKI_FORCE_DESTROY}", \ - "VELERO_FORCE_DESTROY": "${ZARF_VAR_VELERO_FORCE_DESTROY}", \ - "LOKI_S3_BUCKET": "${ZARF_VAR_LOKI_S3_BUCKET}", \ - "LOKI_S3_AWS_REGION": "${ZARF_VAR_LOKI_S3_AWS_REGION}", \ - "LOKI_S3_ROLE_ARN": "${ZARF_VAR_LOKI_S3_ROLE_ARN}", \ - "VELERO_S3_BUCKET": "${ZARF_VAR_VELERO_S3_BUCKET}", \ - "VELERO_S3_AWS_REGION": "${ZARF_VAR_VELERO_S3_AWS_REGION}", \ - "VELERO_S3_ROLE_ARN": "${ZARF_VAR_VELERO_S3_ROLE_ARN}" \ - }' + cat < ../bundles/uds-config.yaml + options: + architecture: amd64 + + variables: + core: + loki_bucket_chunks: ${ZARF_VAR_LOKI_S3_BUCKET} + loki_bucket_ruler: ${ZARF_VAR_LOKI_S3_BUCKET} + loki_bucket_admin: ${ZARF_VAR_LOKI_S3_BUCKET} + loki_region: ${ZARF_VAR_LOKI_S3_AWS_REGION} + loki_role_arn: "${ZARF_VAR_LOKI_S3_ROLE_ARN}" EOF diff --git a/.github/test-infra/eks/config.yaml b/.github/test-infra/eks/config.yaml index fedd3d7ac..fa5f9ced9 100644 --- a/.github/test-infra/eks/config.yaml +++ b/.github/test-infra/eks/config.yaml @@ -3,7 +3,7 @@ kind: ClusterConfig metadata: name: "###ZARF_VAR_CLUSTER_NAME###" - region: us-east-2 + region: us-west-2 version: "1.27" tags: PermissionsBoundary: "###ZARF_VAR_PERMISSIONS_BOUNDARY_NAME###" diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 8d9b9937c..9461d089e 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml 
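Review bot: The action now writes the bundle config to `../bundles/uds-config.yaml`, a path relative to the action's working directory; as far as I know that is the directory `uds zarf package deploy` is invoked from (the repository root in the workflow), not the package directory, so `../bundles/` resolves outside the checkout and `.github/bundles/uds-config.yaml` is never updated — anchor the step with `dir:` or write to the repo-relative `.github/bundles/uds-config.yaml` (PATCH 09 later moves the bundle directory again, so pick the path that survives that). As rendered here the command reads `cat < ../bundles/uds-config.yaml` followed by an `EOF` terminator; if that is a `<<EOF >` heredoc lost in rendering, ignore this, otherwise the line reads the file rather than writing it. Quoting in the generated YAML is also inconsistent — only `loki_role_arn` is double-quoted while the other four values are plain — so quote all five or none. The enclosing `export-outputs` component starts before this hunk.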
@@ -10,7 +10,13 @@ permissions: jobs: test-clean-install: runs-on: ubuntu-latest - + env: + SHA: ${{ github.sha }} + UDS_PERMISSIONS_BOUNDARY_ARN: ${{ secrets.PERMISSIONS_BOUNDARY_ARN }} + UDS_PERMISSIONS_BOUNDARY_NAME: ${{ secrets.PERMISSIONS_BOUNDARY_NAME }} + UDS_STATE_BUCKET_NAME: uds-aws-ci-commercial-us-west-2-5246-tfstate + UDS_STATE_KEY: tfstate/ci/install/${SHA:0:7}-core-aws.tfstate + UDS_STATE_DYNAMODB_TABLE_NAME: uds-aws-ci-commercial-org-us-west-2-5246-tfstate-lock steps: - name: Checkout repository uses: actions/checkout@v4 @@ -36,13 +42,13 @@ jobs: - name: Set eks_cluster_name id: get_cluster_name - env: - SHA: ${{ github.sha }} run: | echo "eks_cluster_name=uds-core-aws-${SHA:0:7}" >> $GITHUB_OUTPUT echo "short_sha=${SHA:0:7}" >> $GITHUB_OUTPUT - name: Create EKSCTL Package + env: + UDS_CLUSTER_NAME: ${{ steps.get_cluster_name.outputs.eks_cluster_name }} run: uds zarf package create .github/test-infra/eks -o .github/packages --confirm - name: Create CI-IAC-AWS Package 
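Review bot: `UDS_STATE_KEY: tfstate/ci/install/${SHA:0:7}-core-aws.tfstate` relies on shell substring expansion, but GitHub Actions does not evaluate shell syntax in `env:` values, so the literal string `${SHA:0:7}` is what the job exports and every run shares a single Terraform state key; the DynamoDB lock serialises them, but a second run would then operate on the first run's state rather than its own. Compute it in the existing `Set eks_cluster_name` step instead, `echo "UDS_STATE_KEY=tfstate/ci/install/${SHA:0:7}-core-aws.tfstate" >> $GITHUB_ENV`, and remove the job-level line; the ci-iac-aws deploy that consumes it runs in a later step, so `$GITHUB_ENV` is in time. The bucket and lock-table names on the neighbouring lines are plain, non-secret identifiers and are fine at job level.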
@@ -52,18 +58,19 @@ jobs: run: ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml standard-package --no-progress -o .github/packages - name: Create Bundle - env: - UDS_EKS_CLUSTER_NAME: ${{ steps.get_cluster_name.outputs.eks_cluster_name }} - UDS_PERMISSIONS_BOUNDARY_ARN: ${{ secrets.PERMISSIONS_BOUNDARY_ARN }} - UDS_PERMISSIONS_BOUNDARY_NAME: ${{ secrets.PERMISSIONS_BOUNDARY_NAME }} - SHORT_SHA: ${{ steps.get_cluster_name.outputs.short_sha }} run: uds create .github/bundles --confirm + - name: Deploy Cluster + run: uds zarf package deploy .github/packages/zarf-package-distro-eks-*.tar.zst --confirm + + - name: Deploy CI-IAC-AWS Package + run: uds zarf package deploy .github/packages/zarf-package-ci-iac-aws-*.tar.zst + - name: Deploy Bundle - run: uds deploy .github/bundles/uds-bundle-uds-core-eks-nightly-*.tar.gz --confirm + run: uds deploy .github/bundles/uds-bundle-uds-core-eks-nightly-*.tar.zst --confirm - name: Remove UDS Core And Teardown EKS if: always() - run: uds remove .github/bundles/uds-bundle-uds-core-eks-*.tar.gz --confirm + run: uds remove .github/bundles/uds-bundle-uds-core-eks-*.tar.zst --confirm timeout-minutes: 60 continue-on-error: true From 834582cc1bc3d34a534fa91c94c88d07e58b9c8d Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Thu, 14 Mar 2024 12:35:26 -0600 Subject: [PATCH 06/82] test workflow by switching to on pull_request for now --- .github/workflows/nightly-testing.yaml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/nightly-testing.yaml b/.github/workflows/nightly-testing.yaml index c578e48e8..f5fb3862c 100644 --- a/.github/workflows/nightly-testing.yaml +++ b/.github/workflows/nightly-testing.yaml @@ -1,8 +1,11 @@ name: Nightly Testing +# on: +# schedule: +# - cron: '0 0 * * *' # Runs at midnight every day + on: - schedule: - - cron: '0 0 * * *' # Runs at midnight every day + pull_request jobs: nightly-testing: 
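Review bot: `run: uds zarf package deploy .github/packages/zarf-package-ci-iac-aws-*.tar.zst` is the only deploy line in the hunk without `--confirm`; Zarf asks for confirmation before deploying unless the flag is given, so on a runner with no TTY this step either blocks until the job times out or aborts before the IRSA/S3 resources exist. Add `--confirm` as on the adjacent `Deploy Cluster` and `Deploy Bundle` lines; the same line, with the `build/` path, is carried unchanged into the PATCH 09 hunk for this file.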
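Review bot: `on: pull_request` with no `branches` or `paths` filter means every pull request now provisions an EKS cluster plus S3/IAM resources through the reusable workflow, and because `secrets: inherit` supplies nothing on pull requests from forks, the AWS role assumption will fail there rather than run. If this trigger outlives the "for now" in the commit message, restrict it (for example `paths: [".github/test-infra/**", ".github/workflows/test-eks.yaml"]`) and add a `concurrency:` group keyed on the PR so two pushes to one branch cannot run overlapping apply/destroy cycles in the same account. The commented-out `schedule:` block above it also reads better as a one-line `# TODO: restore the nightly cron trigger` than as three dead lines.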
From 0169b563873e52bb239456486b9b3b1fc3370e70 Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Thu, 14 Mar 2024 13:41:29 -0600 Subject: [PATCH 07/82] testing --- .github/workflows/test-eks.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 9461d089e..05c5449a9 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml @@ -21,6 +21,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 + # login to aws - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v4 with: From efaacf62f0d58a846a9a6e87240c1fb00c6b349d Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Thu, 14 Mar 2024 13:46:35 -0600 Subject: [PATCH 08/82] updated role to assume name --- .github/workflows/test-eks.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 05c5449a9..d87b5e5cb 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml @@ -8,7 +8,7 @@ permissions: contents: read jobs: - test-clean-install: + test-eks-install: runs-on: ubuntu-latest env: SHA: ${{ github.sha }} @@ -25,7 +25,7 @@ jobs: - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v4 with: - role-to-assume: ${{ secrets.AWS_COMMERCIAL_ORG_ROLE_TO_ASSUME }} + role-to-assume: ${{ secrets.AWS_COMMERCIAL_ROLE_TO_ASSUME }} role-session-name: ${{ github.job || github.event.client_payload.pull_request.head.sha || github.sha }} aws-region: us-west-2 role-duration-seconds: 21600 From ad026195c9aa7c05c796ce4c6b756e489321ca88 Mon Sep 17 00:00:00 2001 
From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Fri, 15 Mar 2024 08:19:14 -0600 Subject: [PATCH 09/82] just place built infra packages in build/ --- .github/{test-infra => }/bundles/uds-bundleyaml | 2 +- .github/{test-infra => }/bundles/uds-config.yaml | 0 .github/workflows/test-eks.yaml | 10 +++++----- 3 files changed, 6 insertions(+), 6 deletions(-) rename .github/{test-infra => }/bundles/uds-bundleyaml (99%) rename .github/{test-infra => }/bundles/uds-config.yaml (100%) diff --git a/.github/test-infra/bundles/uds-bundleyaml b/.github/bundles/uds-bundleyaml similarity index 99% rename from .github/test-infra/bundles/uds-bundleyaml rename to .github/bundles/uds-bundleyaml index f6de89e09..f2f16aecb 100644 --- a/.github/test-infra/bundles/uds-bundleyaml +++ b/.github/bundles/uds-bundleyaml @@ -13,7 +13,7 @@ packages: ref: v0.32.4 - name: core - path: ../packages/ + path: ../../build/ # x-release-please-start-version ref: 0.15.1 # x-release-please-end diff --git a/.github/test-infra/bundles/uds-config.yaml b/.github/bundles/uds-config.yaml similarity index 100% rename from .github/test-infra/bundles/uds-config.yaml rename to .github/bundles/uds-config.yaml diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index d87b5e5cb..d224fe967 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml 
@@ -50,22 +50,22 @@ jobs: - name: Create EKSCTL Package env: UDS_CLUSTER_NAME: ${{ steps.get_cluster_name.outputs.eks_cluster_name }} - run: uds zarf package create .github/test-infra/eks -o .github/packages --confirm + run: uds zarf package create .github/test-infra/eks --confirm - name: Create CI-IAC-AWS Package - run: uds zarf package create .github/test-infra/ci-iac-aws -o .github/packages --confirm + run: uds zarf package create .github/test-infra/ci-iac-aws --confirm - name: Create UDS Core Package - run: ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml standard-package --no-progress -o .github/packages + run: ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml standard-package --no-progress - name: Create Bundle run: uds create .github/bundles --confirm - name: Deploy Cluster - run: uds zarf package deploy .github/packages/zarf-package-distro-eks-*.tar.zst --confirm + run: uds zarf package deploy build/zarf-package-distro-eks-*.tar.zst --confirm - name: Deploy CI-IAC-AWS Package - run: uds zarf package deploy .github/packages/zarf-package-ci-iac-aws-*.tar.zst + run: uds zarf package deploy build/zarf-package-ci-iac-aws-*.tar.zst - name: Deploy Bundle run: uds deploy .github/bundles/uds-bundle-uds-core-eks-nightly-*.tar.zst --confirm From 89f135d70568841c96bdc86b8b912b2eca1ae33c Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Fri, 15 Mar 2024 08:52:56 -0600 Subject: [PATCH 10/82] yamllint --- .github/workflows/nightly-testing.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/nightly-testing.yaml b/.github/workflows/nightly-testing.yaml index f5fb3862c..64b291500 100644 --- a/.github/workflows/nightly-testing.yaml +++ b/.github/workflows/nightly-testing.yaml @@ -11,4 +11,4 @@ jobs: nightly-testing: name: Test Core on EKS uses: ./.github/workflows/test-eks.yaml - secrets: inherit \ No newline at end of file + secrets: inherit 
From 38e8b2ef2da4210ab2086905c9a16e03f8411471 Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Fri, 15 Mar 2024 08:58:32 -0600 Subject: [PATCH 11/82] fix typo in bundle name --- .github/bundles/{uds-bundleyaml => uds-bundle.yaml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename .github/bundles/{uds-bundleyaml => uds-bundle.yaml} (100%) diff --git a/.github/bundles/uds-bundleyaml b/.github/bundles/uds-bundle.yaml similarity index 100% rename from .github/bundles/uds-bundleyaml rename to .github/bundles/uds-bundle.yaml From ba6e11315e854baf755e1f5b98fcaf8087f1a6af Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Fri, 15 Mar 2024 09:03:00 -0600 Subject: [PATCH 12/82] add chart name to bundle overrides --- .github/bundles/uds-bundle.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/bundles/uds-bundle.yaml b/.github/bundles/uds-bundle.yaml index f2f16aecb..37066dcd9 100644 --- a/.github/bundles/uds-bundle.yaml +++ b/.github/bundles/uds-bundle.yaml @@ -19,6 +19,7 @@ packages: # x-release-please-end overrides: loki: + loki: variables: - name: LOKI_CHUNKS_BUCKET description: "The object storage bucket for Loki chunks" From 219fd60cbb3f68d83c753adef914bbd218acf828 Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Fri, 15 Mar 2024 09:39:20 -0600 Subject: [PATCH 13/82] add create-package-no-pepr and use in test-eks workflow --- .github/workflows/test-eks.yaml | 4 ++-- tasks.yaml | 7 +++++++ tasks/create.yaml | 11 +++++++++++ 3 files changed, 20 insertions(+), 2 deletions(-) diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index d224fe967..023700cd6 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml 
@@ -50,10 +50,10 @@ jobs: - name: Create EKSCTL Package env: UDS_CLUSTER_NAME: ${{ steps.get_cluster_name.outputs.eks_cluster_name }} - run: uds zarf package create .github/test-infra/eks --confirm + run: uds run create-package-no-pepr --set path=.github/test-infra/eks - name: Create CI-IAC-AWS Package - run: uds zarf package create .github/test-infra/ci-iac-aws --confirm + run: uds run create-package-no-pepr --set path=.github/test-infra/ci-iac-aws - name: Create UDS Core Package run: ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml standard-package --no-progress diff --git a/tasks.yaml b/tasks.yaml index d0047c29d..7c169fdb1 100644 --- a/tasks.yaml +++ b/tasks.yaml @@ -54,6 +54,13 @@ tasks: actions: - task: create:standard-package + - name: create-package-no-pepr + actions: + - task: create:no-pepr-package + with: + options: ${OPTIONS} + path: ${PATH} + - name: deploy-single-package actions: - task: deploy:single-package diff --git a/tasks/create.yaml b/tasks/create.yaml index 6acf004c2..582ef8970 100644 --- a/tasks/create.yaml +++ b/tasks/create.yaml @@ -55,3 +55,14 @@ tasks: rm -fr dist npm ci npx pepr build $CUSTOM_PEPR_IMAGE + + - name: no-pepr-package + inputs: + options: + description: For setting deploy time variables and flags + path: + description: file path for package + default: $(pwd) + actions: + - description: Deploy the UDS Zarf Package + cmd: uds zarf package create ${{ .inputs.path }} --confirm ${{ .inputs.options }} From e381196a7e21cef7a98946c1c3ef4c8087fd5593 Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Fri, 15 Mar 2024 10:12:10 -0600 Subject: [PATCH 14/82] remove set cluster name step and set as job level env --- .github/workflows/test-eks.yaml | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 023700cd6..f17a2597e 100644 --- a/.github/workflows/test-eks.yaml 
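Review bot: The new `create-package-no-pepr` task in the tasks.yaml hunk forwards its inputs as `${OPTIONS}` and `${PATH}`, and `PATH` is also the shell's executable search path, so it is not obvious from the hunk which value the runner substitutes when a caller omits `--set path=...`. A name that cannot collide with a well-known environment variable removes the ambiguity: `path: ${PKG_PATH}` here and `--set PKG_PATH=.github/test-infra/eks` in the workflow hunk above it. The tasks.yaml `tasks:` list that encloses this entry starts and ends outside the hunk.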
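Review bot: In the tasks/create.yaml hunk the action of the new `no-pepr-package` task is described as `description: Deploy the UDS Zarf Package` although the command it runs is `uds zarf package create`; the description should read `description: Create the UDS Zarf Package`. The `options` input is also appended unquoted after `--confirm`, which is presumably intended so a caller can pass extra flags, and a one-line input description saying that flags are injected verbatim would make that contract explicit. The enclosing `tasks:` list starts outside the hunk.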
+++ b/.github/workflows/test-eks.yaml @@ -17,6 +17,7 @@ jobs: UDS_STATE_BUCKET_NAME: uds-aws-ci-commercial-us-west-2-5246-tfstate UDS_STATE_KEY: tfstate/ci/install/${SHA:0:7}-core-aws.tfstate UDS_STATE_DYNAMODB_TABLE_NAME: uds-aws-ci-commercial-org-us-west-2-5246-tfstate-lock + UDS_CLUSTER_NAME: uds-core-aws-${SHA:0:7} steps: - name: Checkout repository uses: actions/checkout@v4 @@ -41,15 +42,13 @@ jobs: - name: Login to registry1 run: uds run registry-login --set REGISTRY=registry1.dso.mil --set REGISTRY_USERNAME=${{ secrets.IRON_BANK_ROBOT_USERNAME }} --set REGISTRY_PASSWORD=${{ secrets.IRON_BANK_ROBOT_PASSWORD }} --set REGISTRY_RETRY_INTERVAL=90 - - name: Set eks_cluster_name - id: get_cluster_name - run: | - echo "eks_cluster_name=uds-core-aws-${SHA:0:7}" >> $GITHUB_OUTPUT - echo "short_sha=${SHA:0:7}" >> $GITHUB_OUTPUT + # - name: Set eks_cluster_name + # id: get_cluster_name + # run: | + # echo "eks_cluster_name=uds-core-aws-${SHA:0:7}" >> $GITHUB_OUTPUT + # echo "short_sha=${SHA:0:7}" >> $GITHUB_OUTPUT - name: Create EKSCTL Package - env: - UDS_CLUSTER_NAME: ${{ steps.get_cluster_name.outputs.eks_cluster_name }} run: uds run create-package-no-pepr --set path=.github/test-infra/eks - name: Create CI-IAC-AWS Package @@ -62,7 +61,7 @@ jobs: run: uds create .github/bundles --confirm - name: Deploy Cluster - run: uds zarf package deploy build/zarf-package-distro-eks-*.tar.zst --confirm + run: uds zarf package deploy build/zarf-package-distro-eks-*.tar.zst --confirm --set cluster_name=$UDS_CLUSTER_NAME - name: Deploy CI-IAC-AWS Package run: uds zarf package deploy build/zarf-package-ci-iac-aws-*.tar.zst From 818cbb1c4639f0a59c205b450369c8da6103d1b5 Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Fri, 15 Mar 2024 10:21:37 -0600 Subject: [PATCH 15/82] fix env setting --- .github/workflows/test-eks.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
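Review bot: In the first hunk the job-level `env:` entry `UDS_CLUSTER_NAME: uds-core-aws-${SHA:0:7}` relies on bash substring expansion, but GitHub evaluates `env:` values as plain strings (only `${{ }}` expressions are interpolated), so the cluster will be named with the literal text `${SHA:0:7}`; the context line `UDS_STATE_KEY: tfstate/ci/install/${SHA:0:7}-core-aws.tfstate` has the same problem. Computing both inside a `run:` step and writing them to `$GITHUB_ENV`, as the commented-out `Set eks_cluster_name` step in the second hunk did, gives the intended seven-character prefix. Leaving that step commented out rather than deleted also leaves dead code in the workflow; git history already preserves it.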
diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index f17a2597e..338e44c30 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml @@ -12,12 +12,12 @@ jobs: runs-on: ubuntu-latest env: SHA: ${{ github.sha }} + UDS_CLUSTER_NAME: uds-core-aws-${{ github.sha[0:7] }} UDS_PERMISSIONS_BOUNDARY_ARN: ${{ secrets.PERMISSIONS_BOUNDARY_ARN }} UDS_PERMISSIONS_BOUNDARY_NAME: ${{ secrets.PERMISSIONS_BOUNDARY_NAME }} UDS_STATE_BUCKET_NAME: uds-aws-ci-commercial-us-west-2-5246-tfstate - UDS_STATE_KEY: tfstate/ci/install/${SHA:0:7}-core-aws.tfstate + UDS_STATE_KEY: tfstate/ci/install/${{ github.sha[0:7] }}-core-aws.tfstate UDS_STATE_DYNAMODB_TABLE_NAME: uds-aws-ci-commercial-org-us-west-2-5246-tfstate-lock - UDS_CLUSTER_NAME: uds-core-aws-${SHA:0:7} steps: - name: Checkout repository uses: actions/checkout@v4 From 9c241328a65d48d23254cee8f55349744f723cb3 Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Fri, 15 Mar 2024 10:28:18 -0600 Subject: [PATCH 16/82] setting dependant ENV in step --- .github/workflows/test-eks.yaml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 338e44c30..08c467519 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml 
@@ -12,13 +12,16 @@ jobs: runs-on: ubuntu-latest env: SHA: ${{ github.sha }} - UDS_CLUSTER_NAME: uds-core-aws-${{ github.sha[0:7] }} UDS_PERMISSIONS_BOUNDARY_ARN: ${{ secrets.PERMISSIONS_BOUNDARY_ARN }} UDS_PERMISSIONS_BOUNDARY_NAME: ${{ secrets.PERMISSIONS_BOUNDARY_NAME }} UDS_STATE_BUCKET_NAME: uds-aws-ci-commercial-us-west-2-5246-tfstate - UDS_STATE_KEY: tfstate/ci/install/${{ github.sha[0:7] }}-core-aws.tfstate UDS_STATE_DYNAMODB_TABLE_NAME: uds-aws-ci-commercial-org-us-west-2-5246-tfstate-lock steps: + - name: Set ENV + run: | + echo "UDS_CLUSTER_NAME=uds-core-aws-${SHA:0:7}" >> $GITHUB_ENV + echo "UDS_STATE_KEY="tfstate/ci/install/${SHA:0:7}-core-aws.tfstate >> $GITHUB_ENV + - name: Checkout repository uses: actions/checkout@v4 From 0da58e3c05b682a21fd88d8f19f99f9457149bc4 Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Fri, 15 Mar 2024 11:59:31 -0600 Subject: [PATCH 17/82] checking for empty arn --- .github/workflows/test-eks.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 08c467519..186dfe3e8 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml @@ -21,6 +21,9 @@ jobs: run: | echo "UDS_CLUSTER_NAME=uds-core-aws-${SHA:0:7}" >> $GITHUB_ENV echo "UDS_STATE_KEY="tfstate/ci/install/${SHA:0:7}-core-aws.tfstate >> $GITHUB_ENV + if [ -z "$UDS_PERMISSIONS_BOUNDARY_ARN" ]; then + echo "PERMISSIONS_BOUNDARY_ARN is empty" + fi - name: Checkout repository uses: actions/checkout@v4 From 81c7b1cf6f567d19d4c4c194001852c17834de98 Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Fri, 15 Mar 2024 12:18:22 -0600 Subject: [PATCH 18/82] changing deploy cluster to use uds task --- .github/workflows/test-eks.yaml | 11 +---------- tasks.yaml | 4 ++++ tasks/create.yaml | 2 +- tasks/deploy.yaml | 11 +++++++++++ 4 files changed, 17 insertions(+), 11 deletions(-) 
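Review bot: In the new `Set ENV` step the closing quote on the second echo is misplaced: `echo "UDS_STATE_KEY="tfstate/ci/install/${SHA:0:7}-core-aws.tfstate >> $GITHUB_ENV` quotes only `UDS_STATE_KEY=` and leaves the rest of the value and `$GITHUB_ENV` unquoted, so it works by accident of word concatenation rather than by design. The intended line is `echo "UDS_STATE_KEY=tfstate/ci/install/${SHA:0:7}-core-aws.tfstate" >> "$GITHUB_ENV"`, matching the form of the `UDS_CLUSTER_NAME` line above it. The same line is re-added unchanged in the later hunks of patches 20, 21 and 29 on this page, so fixing it once here avoids carrying it forward.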
diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 186dfe3e8..4389b3ad3 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml @@ -21,9 +21,6 @@ jobs: run: | echo "UDS_CLUSTER_NAME=uds-core-aws-${SHA:0:7}" >> $GITHUB_ENV echo "UDS_STATE_KEY="tfstate/ci/install/${SHA:0:7}-core-aws.tfstate >> $GITHUB_ENV - if [ -z "$UDS_PERMISSIONS_BOUNDARY_ARN" ]; then - echo "PERMISSIONS_BOUNDARY_ARN is empty" - fi - name: Checkout repository uses: actions/checkout@v4 @@ -48,12 +45,6 @@ jobs: - name: Login to registry1 run: uds run registry-login --set REGISTRY=registry1.dso.mil --set REGISTRY_USERNAME=${{ secrets.IRON_BANK_ROBOT_USERNAME }} --set REGISTRY_PASSWORD=${{ secrets.IRON_BANK_ROBOT_PASSWORD }} --set REGISTRY_RETRY_INTERVAL=90 - # - name: Set eks_cluster_name - # id: get_cluster_name - # run: | - # echo "eks_cluster_name=uds-core-aws-${SHA:0:7}" >> $GITHUB_OUTPUT - # echo "short_sha=${SHA:0:7}" >> $GITHUB_OUTPUT - - name: Create EKSCTL Package run: uds run create-package-no-pepr --set path=.github/test-infra/eks @@ -67,7 +58,7 @@ jobs: run: uds create .github/bundles --confirm - name: Deploy Cluster - run: uds zarf package deploy build/zarf-package-distro-eks-*.tar.zst --confirm --set cluster_name=$UDS_CLUSTER_NAME + run: uds run deploy-package-no-pepr --set path=build/zarf-package-distro-eks-*.tar.zst --confirm - name: Deploy CI-IAC-AWS Package run: uds zarf package deploy build/zarf-package-ci-iac-aws-*.tar.zst diff --git a/tasks.yaml b/tasks.yaml index 7c169fdb1..d678351c3 100644 --- a/tasks.yaml +++ b/tasks.yaml @@ -64,6 +64,10 @@ tasks: - name: deploy-single-package actions: - task: deploy:single-package + + - name: deploy-package-no-pepr + actions: + - task: deploy:no-pepr-package - name: test-single-package actions: diff --git a/tasks/create.yaml b/tasks/create.yaml index 582ef8970..ebd12e45e 100644 --- a/tasks/create.yaml +++ b/tasks/create.yaml 
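Review bot: In the tasks.yaml hunk the new `deploy-package-no-pepr` task calls `deploy:no-pepr-package` with no `with:` block, unlike the neighbouring `create-package-no-pepr` which forwards `options` and `path`, so the `--set path=build/zarf-package-distro-eks-*.tar.zst` the workflow hunk passes never reaches `${{ .inputs.path }}` and the task falls back to its default. Add the same pass-through: `with:` / `options: ${OPTIONS}` / `path: ${PATH}` under the `- task: deploy:no-pepr-package` line. The `--confirm` appended after the `uds run` call in the third workflow hunk also looks like a leftover from the direct `uds zarf package deploy` form it replaces; the task already passes `--confirm` itself.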
@@ -59,7 +59,7 @@ tasks: - name: no-pepr-package inputs: options: - description: For setting deploy time variables and flags + description: For setting create time variables and flags path: description: file path for package default: $(pwd) diff --git a/tasks/deploy.yaml b/tasks/deploy.yaml index 20b0b55de..9216b4205 100644 --- a/tasks/deploy.yaml +++ b/tasks/deploy.yaml @@ -40,3 +40,14 @@ tasks: actions: - description: "Deploy the standard UDS Core zarf package" cmd: uds zarf package deploy build/zarf-package-core-${UDS_ARCH}-${VERSION}.tar.zst --confirm + + - name: no-pepr-package + inputs: + options: + description: For setting deploy time variables and flags + path: + description: file path for package + default: $(pwd) + actions: + - description: Deploy the UDS Zarf Package + cmd: uds zarf package deploy ${{ .inputs.path }} --confirm ${{ .inputs.options }} From 12555cff6ebecd35dc377756d275b0f2c3ba19e1 Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Fri, 15 Mar 2024 12:28:06 -0600 Subject: [PATCH 19/82] remove --confirm from task call --- .github/workflows/test-eks.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 4389b3ad3..024f45bd4 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml 
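Review bot: In the tasks/deploy.yaml hunk the new `no-pepr-package` task gives `path` a default of `$(pwd)`, but the command it feeds, `uds zarf package deploy ${{ .inputs.path }}`, takes a package archive (the workflow passes `build/zarf-package-distro-eks-*.tar.zst`), so a directory default can only fail late with a confusing error. Either drop the default so an omitted `path` is rejected up front, or document in the input description that a package tarball path is required. Whether `$(pwd)` is even command-substituted depends on the runner executing `cmd` through a shell, which the hunk does not show.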
@@ -52,13 +52,13 @@ jobs: run: uds run create-package-no-pepr --set path=.github/test-infra/ci-iac-aws - name: Create UDS Core Package - run: ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml standard-package --no-progress + run: ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml standard-package - name: Create Bundle run: uds create .github/bundles --confirm - name: Deploy Cluster - run: uds run deploy-package-no-pepr --set path=build/zarf-package-distro-eks-*.tar.zst --confirm + run: uds run deploy-package-no-pepr --set path=build/zarf-package-distro-eks-*.tar.zst - name: Deploy CI-IAC-AWS Package run: uds zarf package deploy build/zarf-package-ci-iac-aws-*.tar.zst From ef40145f40410bb3fd19cd6a60dc3421b18916d6 Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Fri, 15 Mar 2024 13:02:24 -0600 Subject: [PATCH 20/82] testing with env set with ZARF_ and no uds task for deploy of infra packages --- .github/bundles/uds-config.yaml | 2 +- .github/workflows/test-eks.yaml | 16 ++++++++-------- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/bundles/uds-config.yaml b/.github/bundles/uds-config.yaml index 44e2a4d91..81ecfed8b 100644 --- a/.github/bundles/uds-config.yaml +++ b/.github/bundles/uds-config.yaml @@ -1,6 +1,6 @@ # Overwritten at deploy time by the ci-iac-aws package options: - architecture: + architecture: amd64 variables: core: loki_bucket_chunks: ${ZARF_VAR_LOKI_S3_BUCKET} diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 024f45bd4..73f5bd838 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml 
@@ -12,15 +12,15 @@ jobs: runs-on: ubuntu-latest env: SHA: ${{ github.sha }} - UDS_PERMISSIONS_BOUNDARY_ARN: ${{ secrets.PERMISSIONS_BOUNDARY_ARN }} - UDS_PERMISSIONS_BOUNDARY_NAME: ${{ secrets.PERMISSIONS_BOUNDARY_NAME }} - UDS_STATE_BUCKET_NAME: uds-aws-ci-commercial-us-west-2-5246-tfstate - UDS_STATE_DYNAMODB_TABLE_NAME: uds-aws-ci-commercial-org-us-west-2-5246-tfstate-lock + ZARF_PERMISSIONS_BOUNDARY_ARN: ${{ secrets.PERMISSIONS_BOUNDARY_ARN }} + ZARF_PERMISSIONS_BOUNDARY_NAME: ${{ secrets.PERMISSIONS_BOUNDARY_NAME }} + ZARF_STATE_BUCKET_NAME: uds-aws-ci-commercial-us-west-2-5246-tfstate + ZARF_STATE_DYNAMODB_TABLE_NAME: uds-aws-ci-commercial-org-us-west-2-5246-tfstate-lock steps: - name: Set ENV run: | - echo "UDS_CLUSTER_NAME=uds-core-aws-${SHA:0:7}" >> $GITHUB_ENV - echo "UDS_STATE_KEY="tfstate/ci/install/${SHA:0:7}-core-aws.tfstate >> $GITHUB_ENV + echo "ZARF_CLUSTER_NAME=uds-core-aws-${SHA:0:7}" >> $GITHUB_ENV + echo "ZARF_STATE_KEY="tfstate/ci/install/${SHA:0:7}-core-aws.tfstate >> $GITHUB_ENV - name: Checkout repository uses: actions/checkout@v4 @@ -58,10 +58,10 @@ jobs: run: uds create .github/bundles --confirm - name: Deploy Cluster - run: uds run deploy-package-no-pepr --set path=build/zarf-package-distro-eks-*.tar.zst + run: uds zarf package deploy build/zarf-package-distro-eks-*.tar.zst --confirm - name: Deploy CI-IAC-AWS Package - run: uds zarf package deploy build/zarf-package-ci-iac-aws-*.tar.zst + run: uds zarf package deploy build/zarf-package-ci-iac-aws-*.tar.zst --confirm - name: Deploy Bundle run: uds deploy .github/bundles/uds-bundle-uds-core-eks-nightly-*.tar.zst --confirm From 0acf114531d27bdbec89908482dc6c27f8799ed7 Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Fri, 15 Mar 2024 13:11:51 -0600 Subject: [PATCH 21/82] forget it, go back --- .github/workflows/test-eks.yaml | 26 ++++++++++++++++++-------- 1 file changed, 18 insertions(+), 8 deletions(-) 
diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 73f5bd838..912261b3d 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml @@ -12,15 +12,15 @@ jobs: runs-on: ubuntu-latest env: SHA: ${{ github.sha }} - ZARF_PERMISSIONS_BOUNDARY_ARN: ${{ secrets.PERMISSIONS_BOUNDARY_ARN }} - ZARF_PERMISSIONS_BOUNDARY_NAME: ${{ secrets.PERMISSIONS_BOUNDARY_NAME }} - ZARF_STATE_BUCKET_NAME: uds-aws-ci-commercial-us-west-2-5246-tfstate - ZARF_STATE_DYNAMODB_TABLE_NAME: uds-aws-ci-commercial-org-us-west-2-5246-tfstate-lock + UDS_PERMISSIONS_BOUNDARY_ARN: ${{ secrets.PERMISSIONS_BOUNDARY_ARN }} + UDS_PERMISSIONS_BOUNDARY_NAME: ${{ secrets.PERMISSIONS_BOUNDARY_NAME }} + UDS_STATE_BUCKET_NAME: uds-aws-ci-commercial-us-west-2-5246-tfstate + UDS_STATE_DYNAMODB_TABLE_NAME: uds-aws-ci-commercial-org-us-west-2-5246-tfstate-lock steps: - name: Set ENV run: | - echo "ZARF_CLUSTER_NAME=uds-core-aws-${SHA:0:7}" >> $GITHUB_ENV - echo "ZARF_STATE_KEY="tfstate/ci/install/${SHA:0:7}-core-aws.tfstate >> $GITHUB_ENV + echo "UDS_CLUSTER_NAME=uds-core-aws-${SHA:0:7}" >> $GITHUB_ENV + echo "UDS_STATE_KEY="tfstate/ci/install/${SHA:0:7}-core-aws.tfstate >> $GITHUB_ENV - name: Checkout repository uses: actions/checkout@v4 
@@ -58,10 +58,20 @@ jobs: run: uds create .github/bundles --confirm - name: Deploy Cluster - run: uds zarf package deploy build/zarf-package-distro-eks-*.tar.zst --confirm + run: | + uds zarf package deploy build/zarf-package-distro-eks-*.tar.zst --confirm \ + --set cluster_name=$UDS_CLUSTER_NAME \ + --set permissions_boundary_name=$UDS_PERMISSIONS_BOUNDARY_NAME \ + --set permissions_boundary_arn=$UDS_PERMISSIONS_BOUNDARY_ARN - name: Deploy CI-IAC-AWS Package - run: uds zarf package deploy build/zarf-package-ci-iac-aws-*.tar.zst --confirm + run: uds zarf package deploy build/zarf-package-ci-iac-aws-*.tar.zst --confirm \ + --set cluster_name=$UDS_CLUSTER_NAME \ + --set permissions_boundary_name=$UDS_PERMISSIONS_BOUNDARY_NAME \ + --set permissions_boundary_arn=$UDS_PERMISSIONS_BOUNDARY_ARN \ + --set state_bucket_name=$UDS_STATE_BUCKET_NAME \ + --set state_key=$UDS_STATE_KEY \ + --set state_dynamodb_table_name=$UDS_STATE_DYNAMODB_TABLE_NAME - name: Deploy Bundle run: uds deploy .github/bundles/uds-bundle-uds-core-eks-nightly-*.tar.zst --confirm From 48fc6d48b84aed9932589dde407fa1c091b27c61 Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Fri, 15 Mar 2024 13:37:24 -0600 Subject: [PATCH 22/82] fix zarf deploy of iac-aws --- .github/test-infra/ci-iac-aws/zarf.yaml | 7 +++++-- .github/workflows/test-eks.yaml | 5 +++-- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/.github/test-infra/ci-iac-aws/zarf.yaml b/.github/test-infra/ci-iac-aws/zarf.yaml index a2803a856..ff9ffd8ed 100644 --- a/.github/test-infra/ci-iac-aws/zarf.yaml +++ b/.github/test-infra/ci-iac-aws/zarf.yaml 
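Review bot: The `Deploy CI-IAC-AWS Package` step in this hunk keeps `run:` as a plain scalar while continuing the command on indented lines ending in `\`; YAML folds those lines into one string with the backslashes kept, so the shell sees `--confirm \ --set cluster_name=...`, where `\ ` is an escaped space and the flag words are no longer what was intended. The `Deploy Cluster` step in the same hunk already uses `run: |`, which is the form both steps need. Unless GitHub's loader treats plain multi-line scalars differently, this step will fail or mis-parse its `--set` arguments.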
@@ -49,7 +49,7 @@ components: rm -f run/loki/terraform || true rm -f run/velero/terraform || true description: Clean up previous install since archiver doesn't overwrite the output - - cmd: "./extract-terraform.sh ###ZARF_VAR_TERRAFORM_VERSION###" + - cmd: "./extract-terraform.sh 1.5.7" files: - source: extract.sh target: extract-terraform.sh @@ -182,5 +182,8 @@ components: loki_bucket_ruler: ${ZARF_VAR_LOKI_S3_BUCKET} loki_bucket_admin: ${ZARF_VAR_LOKI_S3_BUCKET} loki_region: ${ZARF_VAR_LOKI_S3_AWS_REGION} - loki_role_arn: "${ZARF_VAR_LOKI_S3_ROLE_ARN}" + loki_role_arn: ${ZARF_VAR_LOKI_S3_ROLE_ARN} + bucket_id: ${ZARF_VAR_VELERO_S3_BUCKET} + bucket_region: ${ZARF_VAR_VELERO_S3_AWS_REGION} + s3_role_arn: ${ZARF_VAR_S3_ROLE_ARN} EOF diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 912261b3d..95a421923 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml @@ -65,13 +65,14 @@ jobs: --set permissions_boundary_arn=$UDS_PERMISSIONS_BOUNDARY_ARN - name: Deploy CI-IAC-AWS Package - run: uds zarf package deploy build/zarf-package-ci-iac-aws-*.tar.zst --confirm \ + run: uds zarf package deploy build/zarf-package-ci-iac-aws-*.tar.zst \ --set cluster_name=$UDS_CLUSTER_NAME \ --set permissions_boundary_name=$UDS_PERMISSIONS_BOUNDARY_NAME \ --set permissions_boundary_arn=$UDS_PERMISSIONS_BOUNDARY_ARN \ --set state_bucket_name=$UDS_STATE_BUCKET_NAME \ --set state_key=$UDS_STATE_KEY \ - --set state_dynamodb_table_name=$UDS_STATE_DYNAMODB_TABLE_NAME + --set state_dynamodb_table_name=$UDS_STATE_DYNAMODB_TABLE_NAME \ + --confirm - name: Deploy Bundle run: uds deploy .github/bundles/uds-bundle-uds-core-eks-nightly-*.tar.zst --confirm From bc85e67096df4c9eba2129261e6c2df534dd700e Mon Sep 17 00:00:00 2001 
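Review bot: The second zarf.yaml hunk drops the quotes from `loki_role_arn` and adds the new `s3_role_arn` unquoted; these values are written into a YAML file and ARNs contain colons, so the quoted form `loki_role_arn: "${ZARF_VAR_LOKI_S3_ROLE_ARN}"` and `s3_role_arn: "${ZARF_VAR_S3_ROLE_ARN}"` is the safer one and costs nothing. The first hunk replaces `###ZARF_VAR_TERRAFORM_VERSION###` with a literal `1.5.7`, which presumably leaves that package variable declared but unused; if pinning is intended, a comment such as `# terraform version pinned; ZARF_VAR_TERRAFORM_VERSION no longer consulted` (or removing the variable) keeps the two in step. Both enclosing components start outside the hunks.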
From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Fri, 15 Mar 2024 14:06:53 -0600 Subject: [PATCH 23/82] readding explicit cluster teardown --- .github/workflows/test-eks.yaml | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 95a421923..b619d0710 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml @@ -77,8 +77,24 @@ jobs: - name: Deploy Bundle run: uds deploy .github/bundles/uds-bundle-uds-core-eks-nightly-*.tar.zst --confirm - - name: Remove UDS Core And Teardown EKS + - name: Remove UDS Core if: always() run: uds remove .github/bundles/uds-bundle-uds-core-eks-*.tar.zst --confirm timeout-minutes: 60 continue-on-error: true + + - name: Remove CI-DUBBD-IAC-AWS + if: always() + run: uds zarf package remove build/zarf-package-ci-iac-aws-*.tar.zst --confirm + working-directory: .github/test-infra/ci-dubbd-iac-aws + timeout-minutes: 60 + continue-on-error: true + + - name: Teardown EKS cluster + if: always() + # can't do a zarf package remove since there's no kubernetes cluster. + run: | + ./eksctl delete cluster -f config.yaml --disable-nodegroup-eviction --wait + working-directory: .github/test-infra/eks + timeout-minutes: 60 + continue-on-error: true From 0062e4209d1d948af48f87dcba51179a51b39603 Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Fri, 15 Mar 2024 14:18:12 -0600 Subject: [PATCH 24/82] bump infra test bundle to 0.16.0 --- .github/bundles/uds-bundle.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/bundles/uds-bundle.yaml b/.github/bundles/uds-bundle.yaml index 37066dcd9..f5ced0dc1 100644 --- a/.github/bundles/uds-bundle.yaml +++ b/.github/bundles/uds-bundle.yaml 
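Review bot: All three new teardown steps carry `continue-on-error: true`, so a failed `uds remove`, package remove or `eksctl delete cluster` still leaves the job green while an EKS cluster and its IAM resources stay live and billable. Keep `if: always()` so each step runs, but let the failure surface, for example by dropping `continue-on-error` on the final `Teardown EKS cluster` step or adding a last step with `if: always() && steps.<id>.outcome == 'failure'` that fails the job once the others have run. Separately, `Remove CI-DUBBD-IAC-AWS` sets `working-directory: .github/test-infra/ci-dubbd-iac-aws` while the package it removes is `build/zarf-package-ci-iac-aws-*.tar.zst`, a repo-relative path that will not resolve from inside that directory, and the directory name does not match the `ci-iac-aws` package used elsewhere in this series.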
@@ -3,7 +3,7 @@ metadata: name: uds-core-eks-nightly description: A UDS bundle for deploying EKS and UDS Core # x-release-please-start-version - version: "0.15.1" + version: "0.16.0" # x-release-please-end packages: @@ -15,7 +15,7 @@ packages: - name: core path: ../../build/ # x-release-please-start-version - ref: 0.15.1 + ref: 0.16.0 # x-release-please-end overrides: loki: From e6c0e3e93160a3fd8caa3be8cdb07119b94b659a Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Fri, 15 Mar 2024 14:45:05 -0600 Subject: [PATCH 25/82] bleh --- .github/test-infra/eks/config.yaml | 2 +- .github/workflows/test-eks.yaml | 26 ++++++++++++++------------ 2 files changed, 15 insertions(+), 13 deletions(-) diff --git a/.github/test-infra/eks/config.yaml b/.github/test-infra/eks/config.yaml index fa5f9ced9..7bb9c0045 100644 --- a/.github/test-infra/eks/config.yaml +++ b/.github/test-infra/eks/config.yaml @@ -2,7 +2,7 @@ apiVersion: eksctl.io/v1alpha5 kind: ClusterConfig metadata: - name: "###ZARF_VAR_CLUSTER_NAME###" + name: "uds-core-aws-3a9b6e6" region: us-west-2 version: "1.27" tags: diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index b619d0710..934fbf2c1 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml 
@@ -59,20 +59,22 @@ jobs: - name: Deploy Cluster run: | - uds zarf package deploy build/zarf-package-distro-eks-*.tar.zst --confirm \ - --set cluster_name=$UDS_CLUSTER_NAME \ - --set permissions_boundary_name=$UDS_PERMISSIONS_BOUNDARY_NAME \ - --set permissions_boundary_arn=$UDS_PERMISSIONS_BOUNDARY_ARN + uds zarf package deploy build/zarf-package-distro-eks-*.tar.zst \ + --set cluster_name=$UDS_CLUSTER_NAME \ + --set permissions_boundary_name=$UDS_PERMISSIONS_BOUNDARY_NAME \ + --set permissions_boundary_arn=$UDS_PERMISSIONS_BOUNDARY_ARN \ + --confirm - name: Deploy CI-IAC-AWS Package - run: uds zarf package deploy build/zarf-package-ci-iac-aws-*.tar.zst \ - --set cluster_name=$UDS_CLUSTER_NAME \ - --set permissions_boundary_name=$UDS_PERMISSIONS_BOUNDARY_NAME \ - --set permissions_boundary_arn=$UDS_PERMISSIONS_BOUNDARY_ARN \ - --set state_bucket_name=$UDS_STATE_BUCKET_NAME \ - --set state_key=$UDS_STATE_KEY \ - --set state_dynamodb_table_name=$UDS_STATE_DYNAMODB_TABLE_NAME \ - --confirm + run: | + uds zarf package deploy build/zarf-package-ci-iac-aws-*.tar.zst \ + --set cluster_name=$UDS_CLUSTER_NAME \ + --set permissions_boundary_name=$UDS_PERMISSIONS_BOUNDARY_NAME \ + --set permissions_boundary_arn=$UDS_PERMISSIONS_BOUNDARY_ARN \ + --set state_bucket_name=$UDS_STATE_BUCKET_NAME \ + --set state_key=$UDS_STATE_KEY \ + --set state_dynamodb_table_name=$UDS_STATE_DYNAMODB_TABLE_NAME \ + --confirm - name: Deploy Bundle run: uds deploy .github/bundles/uds-bundle-uds-core-eks-nightly-*.tar.zst --confirm From 4dba10f5ea8cd55ed9e80411ad3663bb2b067c85 Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Fri, 15 Mar 2024 14:49:54 -0600 Subject: [PATCH 26/82] testing ci package with already deployed cluster --- .github/workflows/test-eks.yaml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 934fbf2c1..8e41af0c6 100644 
--- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml @@ -57,18 +57,18 @@ jobs: - name: Create Bundle run: uds create .github/bundles --confirm - - name: Deploy Cluster - run: | - uds zarf package deploy build/zarf-package-distro-eks-*.tar.zst \ - --set cluster_name=$UDS_CLUSTER_NAME \ - --set permissions_boundary_name=$UDS_PERMISSIONS_BOUNDARY_NAME \ - --set permissions_boundary_arn=$UDS_PERMISSIONS_BOUNDARY_ARN \ - --confirm + # - name: Deploy Cluster + # run: | + # uds zarf package deploy build/zarf-package-distro-eks-*.tar.zst \ + # --set cluster_name=$UDS_CLUSTER_NAME \ + # --set permissions_boundary_name=$UDS_PERMISSIONS_BOUNDARY_NAME \ + # --set permissions_boundary_arn=$UDS_PERMISSIONS_BOUNDARY_ARN \ + # --confirm - name: Deploy CI-IAC-AWS Package run: | uds zarf package deploy build/zarf-package-ci-iac-aws-*.tar.zst \ - --set cluster_name=$UDS_CLUSTER_NAME \ + --set cluster_name=uds-core-aws-3a9b6e6" \ --set permissions_boundary_name=$UDS_PERMISSIONS_BOUNDARY_NAME \ --set permissions_boundary_arn=$UDS_PERMISSIONS_BOUNDARY_ARN \ --set state_bucket_name=$UDS_STATE_BUCKET_NAME \ From 9092c621f3aa4118f3e64addb88de18a6ef9092c Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Fri, 15 Mar 2024 14:53:51 -0600 Subject: [PATCH 27/82] fix --- .github/workflows/test-eks.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 8e41af0c6..9f1f61372 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml 
@@ -68,7 +68,7 @@ jobs: - name: Deploy CI-IAC-AWS Package run: | uds zarf package deploy build/zarf-package-ci-iac-aws-*.tar.zst \ - --set cluster_name=uds-core-aws-3a9b6e6" \ + --set cluster_name=uds-core-aws-3a9b6e6 \ --set permissions_boundary_name=$UDS_PERMISSIONS_BOUNDARY_NAME \ --set permissions_boundary_arn=$UDS_PERMISSIONS_BOUNDARY_ARN \ --set state_bucket_name=$UDS_STATE_BUCKET_NAME \ From f133b32e11bd424c6ed7c1b1bfacd11bb99b15b6 Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Fri, 15 Mar 2024 15:02:00 -0600 Subject: [PATCH 28/82] fix cat location; fix removal steps --- .github/test-infra/ci-iac-aws/zarf.yaml | 2 +- .github/workflows/test-eks.yaml | 5 +---- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/.github/test-infra/ci-iac-aws/zarf.yaml b/.github/test-infra/ci-iac-aws/zarf.yaml index ff9ffd8ed..8b3b351db 100644 --- a/.github/test-infra/ci-iac-aws/zarf.yaml +++ b/.github/test-infra/ci-iac-aws/zarf.yaml @@ -172,7 +172,7 @@ components: onDeploy: after: - cmd: | - cat < ../bundles/uds-config.yaml + cat < ../../bundles/uds-config.yaml options: architecture: amd64 diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 9f1f61372..593ec3a8c 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml @@ -88,15 +88,12 @@ jobs: - name: Remove CI-DUBBD-IAC-AWS if: always() run: uds zarf package remove build/zarf-package-ci-iac-aws-*.tar.zst --confirm - working-directory: .github/test-infra/ci-dubbd-iac-aws timeout-minutes: 60 continue-on-error: true - name: Teardown EKS cluster if: always() # can't do a zarf package remove since there's no kubernetes cluster. - run: | - ./eksctl delete cluster -f config.yaml --disable-nodegroup-eviction --wait - working-directory: .github/test-infra/eks + run: uds zarf package remove build/zarf-package-distro-eks-*.tar.zst --confirm timeout-minutes: 60 continue-on-error: true 
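Review bot: In the workflow hunk the comment `# can't do a zarf package remove since there's no kubernetes cluster.` now sits directly above `run: uds zarf package remove build/zarf-package-distro-eks-*.tar.zst --confirm`, which is exactly a zarf package remove, so the comment contradicts the code it annotates; either delete it or reword it to what is actually true of this step, e.g. `# removes the eks distro package, which tears the cluster down via its onRemove actions` if that is how the package behaves. The step name `Remove CI-DUBBD-IAC-AWS` also still refers to a package that the command names `ci-iac-aws`.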
From 9ee584b8bec585f34ec583c5c493294a7facf117 Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Fri, 15 Mar 2024 15:06:29 -0600 Subject: [PATCH 29/82] set state file to test --- .github/workflows/test-eks.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 593ec3a8c..696c248d4 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml @@ -20,7 +20,7 @@ jobs: - name: Set ENV run: | echo "UDS_CLUSTER_NAME=uds-core-aws-${SHA:0:7}" >> $GITHUB_ENV - echo "UDS_STATE_KEY="tfstate/ci/install/${SHA:0:7}-core-aws.tfstate >> $GITHUB_ENV + echo "UDS_STATE_KEY="tfstate/ci/install/3a9b6e6-core-aws.tfstate >> $GITHUB_ENV - name: Checkout repository uses: actions/checkout@v4 From b5024eaa80c77272fe9a98d047bc973bb69480ce Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Mon, 18 Mar 2024 09:15:38 -0600 Subject: [PATCH 30/82] set back for creating cluster for testing --- .github/test-infra/ci-iac-aws/zarf.yaml | 2 +- .github/test-infra/eks/config.yaml | 2 +- .github/workflows/test-eks.yaml | 16 ++++++++-------- 3 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/test-infra/ci-iac-aws/zarf.yaml b/.github/test-infra/ci-iac-aws/zarf.yaml index 8b3b351db..accdba343 100644 --- a/.github/test-infra/ci-iac-aws/zarf.yaml +++ b/.github/test-infra/ci-iac-aws/zarf.yaml @@ -172,7 +172,7 @@ components: onDeploy: after: - cmd: | - cat < ../../bundles/uds-config.yaml + cat < .github/bundles/uds-config.yaml options: architecture: amd64 diff --git a/.github/test-infra/eks/config.yaml b/.github/test-infra/eks/config.yaml index 7bb9c0045..fa5f9ced9 100644 --- a/.github/test-infra/eks/config.yaml +++ b/.github/test-infra/eks/config.yaml 
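Review bot: This hunk hard-codes the Terraform state key to `tfstate/ci/install/3a9b6e6-core-aws.tfstate` while `UDS_CLUSTER_NAME` on the line above is still derived from `${SHA:0:7}`, so every run now reads and writes the same remote state regardless of which cluster it creates, and two overlapping runs, or a nightly run after a teardown that did not complete, will operate on each other's state. The following "set back" patch on this page restores the cluster name and eksctl config but leaves this line untouched. If this is a temporary hook for testing against an existing cluster, restore `echo "UDS_STATE_KEY=tfstate/ci/install/${SHA:0:7}-core-aws.tfstate" >> "$GITHUB_ENV"` before the workflow is scheduled.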
@@ -2,7 +2,7 @@ apiVersion: eksctl.io/v1alpha5 kind: ClusterConfig metadata: - name: "uds-core-aws-3a9b6e6" + name: "###ZARF_VAR_CLUSTER_NAME###" region: us-west-2 version: "1.27" tags: diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 696c248d4..1262209bd 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml @@ -57,18 +57,18 @@ jobs: - name: Create Bundle run: uds create .github/bundles --confirm - # - name: Deploy Cluster - # run: | - # uds zarf package deploy build/zarf-package-distro-eks-*.tar.zst \ - # --set cluster_name=$UDS_CLUSTER_NAME \ - # --set permissions_boundary_name=$UDS_PERMISSIONS_BOUNDARY_NAME \ - # --set permissions_boundary_arn=$UDS_PERMISSIONS_BOUNDARY_ARN \ - # --confirm + - name: Deploy Cluster + run: | + uds zarf package deploy build/zarf-package-distro-eks-*.tar.zst \ + --set cluster_name=$UDS_CLUSTER_NAME \ + --set permissions_boundary_name=$UDS_PERMISSIONS_BOUNDARY_NAME \ + --set permissions_boundary_arn=$UDS_PERMISSIONS_BOUNDARY_ARN \ + --confirm - name: Deploy CI-IAC-AWS Package run: | uds zarf package deploy build/zarf-package-ci-iac-aws-*.tar.zst \ - --set cluster_name=uds-core-aws-3a9b6e6 \ + --set cluster_name=$UDS_CLUSTER_NAME \ --set permissions_boundary_name=$UDS_PERMISSIONS_BOUNDARY_NAME \ --set permissions_boundary_arn=$UDS_PERMISSIONS_BOUNDARY_ARN \ --set state_bucket_name=$UDS_STATE_BUCKET_NAME \ From dd652f55248938c40f0ae4ca070198b7b59d7544 Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Mon, 18 Mar 2024 09:24:00 -0600 Subject: [PATCH 31/82] update core package ref in testing bundle --- .github/bundles/uds-bundle.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/bundles/uds-bundle.yaml b/.github/bundles/uds-bundle.yaml index f5ced0dc1..49d26502f 100644 --- a/.github/bundles/uds-bundle.yaml +++ b/.github/bundles/uds-bundle.yaml 
@@ -15,7 +15,7 @@ packages: - name: core path: ../../build/ # x-release-please-start-version - ref: 0.16.0 + ref: 0.16.1 # x-release-please-end overrides: loki: From 34220ad7250832205ce4fa81f659237a5ab979f3 Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Mon, 18 Mar 2024 10:55:03 -0600 Subject: [PATCH 32/82] adding iam identity mapping to eks config for dev testing access --- .github/test-infra/eks/config.yaml | 10 ++++++++ .github/workflows/test-eks.yaml | 38 ++++++++++++++++-------------- 2 files changed, 30 insertions(+), 18 deletions(-) diff --git a/.github/test-infra/eks/config.yaml b/.github/test-infra/eks/config.yaml index fa5f9ced9..26bc8f683 100644 --- a/.github/test-infra/eks/config.yaml +++ b/.github/test-infra/eks/config.yaml @@ -12,6 +12,16 @@ iam: withOIDC: true serviceRolePermissionsBoundary: "###ZARF_VAR_PERMISSIONS_BOUNDARY_ARN###" +# For dev access during testing +iamIdentityMappings: + - arn: "###ZARF_VAR_AWS_CI_DEV_ARN###" + groups: + - system:masters + username: UdsCiDevs + noDuplicateARNs: true # prevents shadowing of ARNs + + - account: "###ZARF_VAR_AWS_CI_ACCOUNT###" # account must be configured with no other options + addons: - name: aws-ebs-csi-driver version: v1.25.0-eksbuild.1 diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 1262209bd..1de02973b 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml @@ -63,6 +63,8 @@ jobs: --set cluster_name=$UDS_CLUSTER_NAME \ --set permissions_boundary_name=$UDS_PERMISSIONS_BOUNDARY_NAME \ --set permissions_boundary_arn=$UDS_PERMISSIONS_BOUNDARY_ARN \ + --set aws_ci_dev_arn=${{ secrets.AWS_CI_DEV_ARN }} \ + --set aws_ci_account=${{ secrets.AWS_CI_ACCOUNT }} \ --confirm - name: Deploy CI-IAC-AWS Package 
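Review bot: The new `iamIdentityMappings` entry puts `###ZARF_VAR_AWS_CI_DEV_ARN###` into `system:masters`, which is unrestricted cluster-admin that no RBAC policy can narrow and that all holders of the role share under the single username `UdsCiDevs`; the second entry maps a whole AWS account (`account:`), which — if I read eksctl's `mapAccounts` semantics right — lets any principal in that account authenticate to the API server. For a throwaway nightly cluster that may be acceptable, but the comment `# For dev access during testing` says nothing about who can assume the ARN or that this block must not be copied into a longer-lived environment. Consider binding the dev identity to a dedicated group with its own ClusterRoleBinding instead of `system:masters`, and at minimum expand the comment to `# Dev-only: grants cluster-admin to the CI dev role and trusts the whole CI account for authn; do not carry into non-ephemeral clusters`. In the workflow hunk, quoting the interpolated secrets (`--set aws_ci_dev_arn="${{ secrets.AWS_CI_DEV_ARN }}"`) is cheap insurance against a value containing shell metacharacters.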
@@ -79,21 +81,21 @@ jobs: - name: Deploy Bundle run: uds deploy .github/bundles/uds-bundle-uds-core-eks-nightly-*.tar.zst --confirm - - name: Remove UDS Core - if: always() - run: uds remove .github/bundles/uds-bundle-uds-core-eks-*.tar.zst --confirm - timeout-minutes: 60 - continue-on-error: true - - - name: Remove CI-DUBBD-IAC-AWS - if: always() - run: uds zarf package remove build/zarf-package-ci-iac-aws-*.tar.zst --confirm - timeout-minutes: 60 - continue-on-error: true - - - name: Teardown EKS cluster - if: always() - # can't do a zarf package remove since there's no kubernetes cluster. - run: uds zarf package remove build/zarf-package-distro-eks-*.tar.zst --confirm - timeout-minutes: 60 - continue-on-error: true + # - name: Remove UDS Core + # if: always() + # run: uds remove .github/bundles/uds-bundle-uds-core-eks-*.tar.zst --confirm + # timeout-minutes: 60 + # continue-on-error: true + + # - name: Remove CI-DUBBD-IAC-AWS + # if: always() + # run: uds zarf package remove build/zarf-package-ci-iac-aws-*.tar.zst --confirm + # timeout-minutes: 60 + # continue-on-error: true + + # - name: Teardown EKS cluster + # if: always() + # # can't do a zarf package remove since there's no kubernetes cluster. + # run: uds zarf package remove build/zarf-package-distro-eks-*.tar.zst --confirm + # timeout-minutes: 60 + # continue-on-error: true From 672e62dc850adbb1e2ac97560ab35cc869bcdfa0 Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Tue, 19 Mar 2024 11:00:25 -0600 Subject: [PATCH 33/82] update eks config and testin bundle / config --- .github/bundles/uds-bundle.yaml | 76 +++++++++--------------------- .github/bundles/uds-config.yaml | 19 +++++--- .github/test-infra/eks/config.yaml | 5 ++ .github/test-infra/eks/zarf.yaml | 2 + .github/workflows/test-eks.yaml | 2 +- 5 files changed, 44 insertions(+), 60 deletions(-) 
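Review bot: Commenting out all three cleanup steps means every run now leaves an EKS cluster running indefinitely — one carrying the `system:masters` dev identity mapping added in this same patch — and if this workflow ends up on the nightly schedule the series is building toward, that is one orphaned cluster per commit SHA. If the cluster needs to persist for debugging, keep the steps and gate them instead of deleting the cleanup path, e.g. `if: always() && inputs.keep_cluster != 'true'` driven by a `workflow_dispatch` input, so the default behaviour remains "tear everything down". A comment on the gate (`# keep_cluster is for interactive debugging only; nightly runs must clean up`) would make the intent explicit.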
diff --git a/.github/bundles/uds-bundle.yaml b/.github/bundles/uds-bundle.yaml index 49d26502f..877541a69 100644 --- a/.github/bundles/uds-bundle.yaml +++ b/.github/bundles/uds-bundle.yaml 
@@ -18,57 +18,27 @@ packages: ref: 0.16.1 # x-release-please-end overrides: - loki: - loki: - variables: - - name: LOKI_CHUNKS_BUCKET - description: "The object storage bucket for Loki chunks" - path: loki.storage.bucketNames.chunks - - name: LOKI_RULER_BUCKET - description: "The object storage bucket for Loki ruler" - path: loki.storage.bucketNames.ruler - - name: LOKI_ADMIN_BUCKET - description: "The object storage bucket for Loki admin" - path: loki.storage.bucketNames.admin - - name: LOKI_S3_REGION - description: "The S3 region" - path: loki.storage.s3.region - # - name: LOKI_S3_ENDPOINT - # description: "The S3 endpoint" - # path: loki.storage.s3.endpoint - # - name: LOKI_S3_ACCESS_KEY_ID - # description: "The S3 Access Key ID" - # path: loki.storage.s3.accessKeyId - # - name: LOKI_S3_SECRET_ACCESS_KEY - # path: loki.storage.s3.secretAccessKey - # description: "The S3 Secret Access Key" - # - name: LOKI_WRITE_REPLICAS - # path: write.replicas - # description: "Loki write replicas" - # default: "1" - # - name: LOKI_READ_REPLICAS - # path: read.replicas - # description: "Loki read replicas" - # default: "1" - # - name: LOKI_BACKEND_REPLICAS - # path: backend.replicas - # description: "Loki backend replicas" - # default: "1" - # istio-admin-gateway: - # uds-istio-config: - # variables: - # - name: ADMIN_TLS_CERT - # description: "The TLS cert for the admin gateway (must be base64 encoded)" - # path: tls.cert - # - name: ADMIN_TLS_KEY - # description: "The TLS key for the admin gateway (must be base64 encoded)" - # path: tls.key - # istio-tenant-gateway: - # uds-istio-config: + # loki: + # loki: # variables: - # - name: TENANT_TLS_CERT - # description: "The TLS cert for the tenant gateway (must be base64 encoded)" - # path: tls.cert - # - name: TENANT_TLS_KEY - # description: "The TLS key for the tenant gateway (must be base64 encoded)" - # path: tls.key + # - name: LOKI_CHUNKS_BUCKET + # description: "The object storage bucket for Loki chunks" + # path: 
loki.storage.bucketNames.chunks + # - name: LOKI_RULER_BUCKET + # description: "The object storage bucket for Loki ruler" + # path: loki.storage.bucketNames.ruler + # - name: LOKI_ADMIN_BUCKET + # description: "The object storage bucket for Loki admin" + # path: loki.storage.bucketNames.admin + # - name: LOKI_S3_REGION + # description: "The S3 region" + # path: loki.storage.s3.region + velero: + velero: + variables: + - name: VELERO_USE_SECRET + description: "Toggle use secret off to use IRSA." + path: credentials.useSecret + - name: VELERO_IRSA_ANNOTATION + description: "IRSA ARN annotation to use for Velero" + path: serviceAccount.server.annotations \ No newline at end of file diff --git a/.github/bundles/uds-config.yaml b/.github/bundles/uds-config.yaml index 81ecfed8b..77d92f3bb 100644 --- a/.github/bundles/uds-config.yaml +++ b/.github/bundles/uds-config.yaml @@ -1,10 +1,17 @@ -# Overwritten at deploy time by the ci-iac-aws package options: architecture: amd64 + variables: core: - loki_bucket_chunks: ${ZARF_VAR_LOKI_S3_BUCKET} - loki_bucket_ruler: ${ZARF_VAR_LOKI_S3_BUCKET} - loki_bucket_admin: ${ZARF_VAR_LOKI_S3_BUCKET} - loki_region: ${ZARF_VAR_LOKI_S3_AWS_REGION} - loki_role_arn: ${ZARF_VAR_LOKI_S3_ROLE_ARN} + loki_bucket_chunks: uds-core-aws-tristan-test-loki-20240319154604610600000001 + loki_bucket_ruler: uds-core-aws-tristan-test-loki-20240319154604610600000001 + loki_bucket_admin: uds-core-aws-tristan-test-loki-20240319154604610600000001 + loki_region: us-west-2 + loki_role_arn: arn:aws:iam::x:role/uds-core-aws-tristan-test-loki-logging-loki-irsa + VELERO_USE_SECRET: "false" + # VELERO_S3_URL: "" + VELERO_IRSA_ANNOTATION: | + eks.amazonaws.com/role-arn: arn:aws:iam::x:role/uds-core-aws-tristan-test-velero-velero-velero-server-irsa + VELERO_BUCKET: uds-core-aws-tristan-test-velero-20240319154717125400000001 + VELERO_BUCKET_REGION: us-west-2 + VELERO_BUCKET_PROVIDER_URL: "" 
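Review bot: This hunk replaces the `${ZARF_VAR_*}` placeholders with concrete, environment-specific values — `uds-core-aws-tristan-test-loki-20240319154604610600000001` bucket names, `us-west-2`, and two IRSA role ARNs whose account field appears as `x` — and also drops the `# Overwritten at deploy time by the ci-iac-aws package` header that told readers the file is generated. Bucket names and role ARNs are not secrets, but committing them ties the bundle to one developer's infrastructure, publishes the resource naming scheme, and makes it likely the real account ID lands in history on a future edit. Keep the templated placeholders in the tracked file (or move the generated output to an ignored path) and restore the header, e.g. `# Generated at deploy time by the ci-iac-aws package; do not commit resolved values`.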
diff --git a/.github/test-infra/eks/config.yaml b/.github/test-infra/eks/config.yaml index 26bc8f683..e281f6652 100644 --- a/.github/test-infra/eks/config.yaml +++ b/.github/test-infra/eks/config.yaml @@ -46,3 +46,8 @@ managedNodeGroups: PermissionsBoundary: "###ZARF_VAR_PERMISSIONS_BOUNDARY_NAME###" iam: instanceRolePermissionsBoundary: "###ZARF_VAR_PERMISSIONS_BOUNDARY_ARN###" + ami: "###ZARF_VAR_AMI_ID###" + amiFamily: AmazonLinux2 + overrideBootstrapCommand: | + #!/bin/bash + /etc/eks/bootstrap.sh ###ZARF_VAR_CLUSTER_NAME### --container-runtime containerd diff --git a/.github/test-infra/eks/zarf.yaml b/.github/test-infra/eks/zarf.yaml index f4583dd9f..32fa66f50 100644 --- a/.github/test-infra/eks/zarf.yaml +++ b/.github/test-infra/eks/zarf.yaml @@ -10,6 +10,8 @@ variables: prompt: true - name: PERMISSIONS_BOUNDARY_ARN - name: PERMISSIONS_BOUNDARY_NAME + - name: AMI_ID + default: ami-068ab6ac1cec494e0 components: - name: load-eksctl diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 1de02973b..167ac1947 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml @@ -20,7 +20,7 @@ jobs: - name: Set ENV run: | echo "UDS_CLUSTER_NAME=uds-core-aws-${SHA:0:7}" >> $GITHUB_ENV - echo "UDS_STATE_KEY="tfstate/ci/install/3a9b6e6-core-aws.tfstate >> $GITHUB_ENV + echo "UDS_STATE_KEY="tfstate/ci/install/${SHA:0:7}-core-aws.tfstate >> $GITHUB_ENV - name: Checkout repository uses: actions/checkout@v4 From f7da6d41d53b920d26f7685c861af7dbde4c0358 Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Tue, 19 Mar 2024 11:05:17 -0600 Subject: [PATCH 34/82] fix --- .github/bundles/uds-config.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/bundles/uds-config.yaml b/.github/bundles/uds-config.yaml index 77d92f3bb..bdd7c729d 100644 --- a/.github/bundles/uds-config.yaml +++ b/.github/bundles/uds-config.yaml 
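Review bot: `ami: "###ZARF_VAR_AMI_ID###"` is fed from the bare default `ami-068ab6ac1cec494e0` in `eks/zarf.yaml`, which has no `description:`, so nothing in the repo records which image this is, which Kubernetes version it targets, or that AMI IDs are region-scoped (the cluster config pins `us-west-2`). A hard-coded ID also freezes the node OS at one patch level and silently drifts from the EKS-optimized AMI stream, which for a nightly test cluster trades away exactly the updates the job should be exercising. Suggest at least `description: "EKS-optimized AL2 AMI for 1.27 in us-west-2; update alongside EKS AMI releases"` on the variable, and preferably resolving the ID at deploy time from the public SSM parameter `/aws/service/eks/optimized-ami/1.27/amazon-linux-2/recommended/image_id` rather than pinning it in source.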
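Review bot: In `echo "UDS_STATE_KEY="tfstate/ci/install/${SHA:0:7}-core-aws.tfstate >> $GITHUB_ENV` the double quotes close right after `UDS_STATE_KEY=`, leaving the path unquoted; it works only because the expansion happens to contain no whitespace or glob characters. Write it as `echo "UDS_STATE_KEY=tfstate/ci/install/${SHA:0:7}-core-aws.tfstate" >> "$GITHUB_ENV"`. The `SHA` variable this line reads is defined outside the hunk.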
@@ -7,11 +7,11 @@ variables: loki_bucket_ruler: uds-core-aws-tristan-test-loki-20240319154604610600000001 loki_bucket_admin: uds-core-aws-tristan-test-loki-20240319154604610600000001 loki_region: us-west-2 - loki_role_arn: arn:aws:iam::x:role/uds-core-aws-tristan-test-loki-logging-loki-irsa + loki_role_arn: VELERO_USE_SECRET: "false" # VELERO_S3_URL: "" VELERO_IRSA_ANNOTATION: | - eks.amazonaws.com/role-arn: arn:aws:iam::x:role/uds-core-aws-tristan-test-velero-velero-velero-server-irsa + eks.amazonaws.com/role-arn: VELERO_BUCKET: uds-core-aws-tristan-test-velero-20240319154717125400000001 VELERO_BUCKET_REGION: us-west-2 VELERO_BUCKET_PROVIDER_URL: "" From 966a942225ae918815b6e5ae7bb5b0dadae898c1 Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Tue, 19 Mar 2024 15:54:17 -0600 Subject: [PATCH 35/82] nightly bundle config and velero package changes --- .github/bundles/uds-bundle.yaml | 15 -------- .github/bundles/uds-config.yaml | 23 +++++------ .../ci-iac-aws/velero/terraform.tfvars | 2 +- .github/test-infra/ci-iac-aws/zarf.yaml | 23 ++++++----- .github/workflows/test-eks.yaml | 38 ++++++++++--------- .gitignore | 2 + src/velero/common/zarf.yaml | 4 ++ src/velero/values/values.yaml | 4 +- 8 files changed, 55 insertions(+), 56 deletions(-) diff --git a/.github/bundles/uds-bundle.yaml b/.github/bundles/uds-bundle.yaml index 877541a69..0ded703a9 100644 --- a/.github/bundles/uds-bundle.yaml +++ b/.github/bundles/uds-bundle.yaml 
@@ -18,21 +18,6 @@ packages: ref: 0.16.1 # x-release-please-end overrides: - # loki: - # loki: - # variables: - # - name: LOKI_CHUNKS_BUCKET - # description: "The object storage bucket for Loki chunks" - # path: loki.storage.bucketNames.chunks - # - name: LOKI_RULER_BUCKET - # description: "The object storage bucket for Loki ruler" - # path: loki.storage.bucketNames.ruler - # - name: LOKI_ADMIN_BUCKET - # description: "The object storage bucket for Loki admin" - # path: loki.storage.bucketNames.admin - # - name: LOKI_S3_REGION - # description: "The S3 region" - # path: loki.storage.s3.region velero: velero: variables: diff --git a/.github/bundles/uds-config.yaml b/.github/bundles/uds-config.yaml index bdd7c729d..a60c69ecb 100644 --- a/.github/bundles/uds-config.yaml +++ b/.github/bundles/uds-config.yaml @@ -3,15 +3,16 @@ options: variables: core: - loki_bucket_chunks: uds-core-aws-tristan-test-loki-20240319154604610600000001 - loki_bucket_ruler: uds-core-aws-tristan-test-loki-20240319154604610600000001 - loki_bucket_admin: uds-core-aws-tristan-test-loki-20240319154604610600000001 - loki_region: us-west-2 - loki_role_arn: - VELERO_USE_SECRET: "false" - # VELERO_S3_URL: "" - VELERO_IRSA_ANNOTATION: | - eks.amazonaws.com/role-arn: - VELERO_BUCKET: uds-core-aws-tristan-test-velero-20240319154717125400000001 - VELERO_BUCKET_REGION: us-west-2 + # loki_bucket_chunks: ${ZARF_VAR_LOKI_S3_BUCKET} + # loki_bucket_ruler: ${ZARF_VAR_LOKI_S3_BUCKET} + # loki_bucket_admin: ${ZARF_VAR_LOKI_S3_BUCKET} + # loki_region: ${ZARF_VAR_LOKI_S3_AWS_REGION} + # loki_role_arn: ${ZARF_VAR_LOKI_S3_ROLE_ARN} + VELERO_USE_SECRET: false + VELERO_IRSA_ANNOTATION: + eks.amazonaws.com/role-arn: "${ZARF_VAR_VELERO_S3_ROLE_ARN}" + VELERO_BUCKET: ${ZARF_VAR_VELERO_S3_BUCKET} + VELERO_BUCKET_REGION: ${ZARF_VAR_VELERO_S3_AWS_REGION} VELERO_BUCKET_PROVIDER_URL: "" + velero_bucket_credential_name: "" + velero_bucket_credential_key: "" \ No newline at end of file 
diff --git a/.github/test-infra/ci-iac-aws/velero/terraform.tfvars b/.github/test-infra/ci-iac-aws/velero/terraform.tfvars index 544eae572..c1624b111 100644 --- a/.github/test-infra/ci-iac-aws/velero/terraform.tfvars +++ b/.github/test-infra/ci-iac-aws/velero/terraform.tfvars @@ -3,7 +3,7 @@ name = "###ZARF_VAR_CLUSTER_NAME###" bucket_name = "###ZARF_VAR_CLUSTER_NAME###-velero" force_destroy = "###ZARF_VAR_VELERO_FORCE_DESTROY###" -kubernetes_service_account = "velero-velero-server" +kubernetes_service_account = "velero-server" kubernetes_namespace = "velero" permissions_boundary_name = "###ZARF_VAR_PERMISSIONS_BOUNDARY_NAME###" diff --git a/.github/test-infra/ci-iac-aws/zarf.yaml b/.github/test-infra/ci-iac-aws/zarf.yaml index accdba343..7a8230bbb 100644 --- a/.github/test-infra/ci-iac-aws/zarf.yaml +++ b/.github/test-infra/ci-iac-aws/zarf.yaml @@ -174,16 +174,21 @@ components: - cmd: | cat < .github/bundles/uds-config.yaml options: - architecture: amd64 + architecture: amd64 variables: core: - loki_bucket_chunks: ${ZARF_VAR_LOKI_S3_BUCKET} - loki_bucket_ruler: ${ZARF_VAR_LOKI_S3_BUCKET} - loki_bucket_admin: ${ZARF_VAR_LOKI_S3_BUCKET} - loki_region: ${ZARF_VAR_LOKI_S3_AWS_REGION} - loki_role_arn: ${ZARF_VAR_LOKI_S3_ROLE_ARN} - bucket_id: ${ZARF_VAR_VELERO_S3_BUCKET} - bucket_region: ${ZARF_VAR_VELERO_S3_AWS_REGION} - s3_role_arn: ${ZARF_VAR_S3_ROLE_ARN} + # loki_bucket_chunks: ${ZARF_VAR_LOKI_S3_BUCKET} + # loki_bucket_ruler: ${ZARF_VAR_LOKI_S3_BUCKET} + # loki_bucket_admin: ${ZARF_VAR_LOKI_S3_BUCKET} + # loki_region: ${ZARF_VAR_LOKI_S3_AWS_REGION} + # loki_role_arn: ${ZARF_VAR_LOKI_S3_ROLE_ARN} + VELERO_USE_SECRET: false + VELERO_IRSA_ANNOTATION: + eks.amazonaws.com/role-arn: "${ZARF_VAR_VELERO_S3_ROLE_ARN}" + VELERO_BUCKET: ${ZARF_VAR_VELERO_S3_BUCKET} + VELERO_BUCKET_REGION: ${ZARF_VAR_VELERO_S3_AWS_REGION} + VELERO_BUCKET_PROVIDER_URL: "" + velero_bucket_credential_name: "" + velero_bucket_credential_key: "" EOF 
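Review bot: The `onDeploy.after` action writes resolved infrastructure values — Velero bucket, region and IRSA role ARN — into `.github/bundles/uds-config.yaml`, a git-tracked file (an earlier patch in this series committed that same file with a developer's real bucket names), so every local deploy dirties the tree with live identifiers one `git add` away from history. Write the generated config to an ignored location instead — this patch's `.gitignore` hunk adds `run/`, so `run/uds-config.yaml` is a natural target — and point the workflow's `UDS_CONFIG` at it, leaving the tracked file as the placeholder template. The redirection renders here as `cat < .github/...`; given the trailing `EOF` it is presumably a `<<EOF >` heredoc mangled in rendering, but the committed form should be checked to ensure it overwrites rather than reads the file. Quoting the expansions (`VELERO_BUCKET: "${ZARF_VAR_VELERO_S3_BUCKET}"`) would also keep a missing variable visible as an empty string instead of emitting a bare `VELERO_BUCKET:` that YAML reads as null.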
diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 167ac1947..50a66f5cb 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml @@ -79,23 +79,25 @@ jobs: --confirm - name: Deploy Bundle + env: + UDS_CONFIG: .github/bundles/uds-config.yaml run: uds deploy .github/bundles/uds-bundle-uds-core-eks-nightly-*.tar.zst --confirm - # - name: Remove UDS Core - # if: always() - # run: uds remove .github/bundles/uds-bundle-uds-core-eks-*.tar.zst --confirm - # timeout-minutes: 60 - # continue-on-error: true - - # - name: Remove CI-DUBBD-IAC-AWS - # if: always() - # run: uds zarf package remove build/zarf-package-ci-iac-aws-*.tar.zst --confirm - # timeout-minutes: 60 - # continue-on-error: true - - # - name: Teardown EKS cluster - # if: always() - # # can't do a zarf package remove since there's no kubernetes cluster. - # run: uds zarf package remove build/zarf-package-distro-eks-*.tar.zst --confirm - # timeout-minutes: 60 - # continue-on-error: true + - name: Remove UDS Core + if: always() + run: uds remove .github/bundles/uds-bundle-uds-core-eks-*.tar.zst --confirm + timeout-minutes: 30 + continue-on-error: true + + - name: Remove CI-DUBBD-IAC-AWS + if: always() + run: uds zarf package remove build/zarf-package-ci-iac-aws-*.tar.zst --confirm + timeout-minutes: 30 + continue-on-error: true + + - name: Teardown EKS cluster + if: always() + # can't do a zarf package remove since there's no kubernetes cluster. + run: uds zarf package remove build/zarf-package-distro-eks-*.tar.zst --confirm + timeout-minutes: 30 + continue-on-error: true diff --git a/.gitignore b/.gitignore index 80f001078..9c78aa279 100644 --- a/.gitignore +++ b/.gitignore @@ -13,3 +13,5 @@ insecure* zarf tmp-tasks.yaml cacert.b64 +run/ +extract-terraform.sh \ No newline at end of file diff --git a/src/velero/common/zarf.yaml b/src/velero/common/zarf.yaml index a68ad3040..4b762f433 100644 --- a/src/velero/common/zarf.yaml 
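Review bot: All three restored cleanup steps carry `continue-on-error: true`, so a teardown that times out or fails still yields a green job and leaves the cluster — with the dev `system:masters` mapping from the EKS config — running unattended; `if: always()` already guarantees the steps execute, so the error suppression only hides failures. Keep `continue-on-error` on the first two steps (so a failed `uds remove` does not skip cluster deletion) but let `Teardown EKS cluster` fail the job, or add a final `if: always()` step that runs `aws eks describe-cluster --name "$UDS_CLUSTER_NAME"` and exits non-zero if the cluster still exists (the runner already needs AWS credentials for the Terraform deploy). A comment on the `Deploy Bundle` step, `# uds-config.yaml is regenerated by the ci-iac-aws package's onDeploy action`, would explain why `UDS_CONFIG` points at a file the previous step just rewrote.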
+++ b/src/velero/common/zarf.yaml @@ -21,6 +21,10 @@ variables: sensitive: true description: "Key secret to use when connecting to the Velero bucket" default: "uds-secret" + - name: VELERO_BUCKET_CREDENTIAL_NAME + default: "velero-bucket-credentials" + - name: VELERO_BUCKET_CREDENTIAL_KEY + default: "cloud" components: - name: velero diff --git a/src/velero/values/values.yaml b/src/velero/values/values.yaml index d55bfce80..53f80976a 100644 --- a/src/velero/values/values.yaml +++ b/src/velero/values/values.yaml @@ -16,8 +16,8 @@ configuration: s3ForcePathStyle: true s3Url: "###ZARF_VAR_VELERO_BUCKET_PROVIDER_URL###" credential: - name: "velero-bucket-credentials" - key: "cloud" + name: "###ZARF_VAR_VELERO_BUCKET_CREDENTIAL_NAME###" + key: "###ZARF_VAR_VELERO_BUCKET_CREDENTIAL_KEY###" # volumeSnapshotLocation: # - name: default # provider: aws From 91abbffa7b23c975f6d04834a6c42fa346bced8d Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Tue, 19 Mar 2024 15:58:15 -0600 Subject: [PATCH 36/82] removing .terraform files and route53 --- .../ci-iac-aws/route53-policy/.terraform/modules/modules.json | 1 - .../test-infra/ci-iac-aws/velero/.terraform/modules/modules.json | 1 - 2 files changed, 2 deletions(-) delete mode 100644 .github/test-infra/ci-iac-aws/route53-policy/.terraform/modules/modules.json delete mode 100644 .github/test-infra/ci-iac-aws/velero/.terraform/modules/modules.json diff --git a/.github/test-infra/ci-iac-aws/route53-policy/.terraform/modules/modules.json b/.github/test-infra/ci-iac-aws/route53-policy/.terraform/modules/modules.json deleted file mode 100644 index eb3ee9f3c..000000000 --- a/.github/test-infra/ci-iac-aws/route53-policy/.terraform/modules/modules.json +++ /dev/null 
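Review bot: The two new variables `VELERO_BUCKET_CREDENTIAL_NAME` and `VELERO_BUCKET_CREDENTIAL_KEY` have no `description:`, unlike their siblings (the adjacent `VELERO_BUCKET_KEY` carries one and is marked `sensitive: true`), so a deployer sees only the defaults `velero-bucket-credentials` / `cloud` with no hint that they name the Secret and key Velero reads when `credentials.useSecret` is on, nor that the CI bundle in this same patch blanks them to `""` when switching to IRSA. Add `description: "Kubernetes Secret holding the Velero bucket credentials; set empty when using IRSA"` and `description: "Key within that Secret containing the cloud credentials file"`. In `values.yaml`, a one-line comment above `credential:` noting that an empty `###ZARF_VAR_VELERO_BUCKET_CREDENTIAL_NAME###` renders `name: ""` and is only valid once `useSecret` is false would save the next reader a chart dive.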
@@ -1 +0,0 @@ -{"Modules":[{"Key":"","Source":"","Dir":"."},{"Key":"irsa","Source":"git::https://github.com/defenseunicorns/terraform-aws-uds-irsa.git?ref=v0.0.1","Dir":".terraform/modules/irsa"},{"Key":"irsa.irsa","Source":"registry.terraform.io/terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc","Version":"5.27.0","Dir":".terraform/modules/irsa.irsa/modules/iam-assumable-role-with-oidc"}]} \ No newline at end of file diff --git a/.github/test-infra/ci-iac-aws/velero/.terraform/modules/modules.json b/.github/test-infra/ci-iac-aws/velero/.terraform/modules/modules.json deleted file mode 100644 index 305f9f38c..000000000 --- a/.github/test-infra/ci-iac-aws/velero/.terraform/modules/modules.json +++ /dev/null @@ -1 +0,0 @@ -{"Modules":[{"Key":"","Source":"","Dir":"."},{"Key":"S3","Source":"git::https://github.com/defenseunicorns/terraform-aws-uds-s3.git?ref=v0.0.6","Dir":".terraform/modules/S3"},{"Key":"S3.s3_bucket","Source":"registry.terraform.io/terraform-aws-modules/s3-bucket/aws","Version":"3.10.1","Dir":".terraform/modules/S3.s3_bucket"},{"Key":"generate_kms","Source":"git::https://github.com/defenseunicorns/terraform-aws-uds-kms.git?ref=v0.0.2","Dir":".terraform/modules/generate_kms"},{"Key":"generate_kms.kms","Source":"registry.terraform.io/terraform-aws-modules/kms/aws","Version":"1.5.0","Dir":".terraform/modules/generate_kms.kms"},{"Key":"irsa","Source":"git::https://github.com/defenseunicorns/terraform-aws-uds-irsa.git?ref=v0.0.2","Dir":".terraform/modules/irsa"},{"Key":"irsa.irsa","Source":"registry.terraform.io/terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks","Version":"5.27.0","Dir":".terraform/modules/irsa.irsa/modules/iam-role-for-service-accounts-eks"}]} \ No newline at end of file From 7d29827af48989376fea152cf908c06e0d2cc40e Mon Sep 17 00:00:00 2001 
From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Wed, 20 Mar 2024 08:21:20 -0600 Subject: [PATCH 37/82] converting create and deploy no pepr package tasks to common tasks. --- .github/bundles/uds-bundle.yaml | 2 +- .github/bundles/uds-config.yaml | 3 ++- .github/workflows/test-eks.yaml | 29 ++++++----------------------- tasks.yaml | 13 +------------ tasks/create.yaml | 15 +++++++-------- tasks/deploy.yaml | 15 +++++++-------- 6 files changed, 24 insertions(+), 53 deletions(-) diff --git a/.github/bundles/uds-bundle.yaml b/.github/bundles/uds-bundle.yaml index 0ded703a9..991e252e8 100644 --- a/.github/bundles/uds-bundle.yaml +++ b/.github/bundles/uds-bundle.yaml @@ -26,4 +26,4 @@ packages: path: credentials.useSecret - name: VELERO_IRSA_ANNOTATION description: "IRSA ARN annotation to use for Velero" - path: serviceAccount.server.annotations \ No newline at end of file + path: serviceAccount.server.annotations diff --git a/.github/bundles/uds-config.yaml b/.github/bundles/uds-config.yaml index a60c69ecb..c1c09d699 100644 --- a/.github/bundles/uds-config.yaml +++ b/.github/bundles/uds-config.yaml @@ -1,3 +1,4 @@ +# Overwritten by ci-iac-aws package options: architecture: amd64 @@ -15,4 +16,4 @@ variables: VELERO_BUCKET_REGION: ${ZARF_VAR_VELERO_S3_AWS_REGION} VELERO_BUCKET_PROVIDER_URL: "" velero_bucket_credential_name: "" - velero_bucket_credential_key: "" \ No newline at end of file + velero_bucket_credential_key: "" diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 50a66f5cb..b18e327e0 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml 
@@ -16,6 +16,8 @@ jobs: UDS_PERMISSIONS_BOUNDARY_NAME: ${{ secrets.PERMISSIONS_BOUNDARY_NAME }} UDS_STATE_BUCKET_NAME: uds-aws-ci-commercial-us-west-2-5246-tfstate UDS_STATE_DYNAMODB_TABLE_NAME: uds-aws-ci-commercial-org-us-west-2-5246-tfstate-lock + UDS_AWS_CI_DEV_ARN: ${{ secrets.AWS_CI_DEV_ARN }} + UDS_AWS_CI_ACCOUNT: ${{ secrets.AWS_CI_ACCOUNT }} steps: - name: Set ENV run: | @@ -42,14 +44,11 @@ jobs: - name: Environment setup uses: ./.github/actions/setup - - name: Login to registry1 - run: uds run registry-login --set REGISTRY=registry1.dso.mil --set REGISTRY_USERNAME=${{ secrets.IRON_BANK_ROBOT_USERNAME }} --set REGISTRY_PASSWORD=${{ secrets.IRON_BANK_ROBOT_PASSWORD }} --set REGISTRY_RETRY_INTERVAL=90 - - name: Create EKSCTL Package - run: uds run create-package-no-pepr --set path=.github/test-infra/eks + run: uds run -f tasks/create.yaml no-pepr-package --set path=.github/test-infra/eks - name: Create CI-IAC-AWS Package - run: uds run create-package-no-pepr --set path=.github/test-infra/ci-iac-aws + run: uds run -f tastks/create.yaml no-pepr-package --set path=.github/test-infra/ci-iac-aws - name: Create UDS Core Package run: ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml standard-package 
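Review bot: Lifting `AWS_CI_DEV_ARN` and `AWS_CI_ACCOUNT` into the job-level `env:` exposes them to every step in the job — the composite `./.github/actions/setup` and all the package-create steps included — even though the only consumer is the cluster deploy step (the `--set` flags that used to pass them explicitly are removed in the following hunk). Scope them with a step-level `env:` on `Deploy Cluster`, or pass them there with `--set`, so the identity-mapping inputs live only in the process that needs them. These are not high-value secrets, but the `UDS_`-prefixed names suggest the CLI is expected to pick them up implicitly; if that mapping does not exist, the cluster will be created without the dev identity mapping at all, so the resulting `aws-auth` should be checked on the first run.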
@@ -58,25 +57,10 @@ jobs: run: uds create .github/bundles --confirm - name: Deploy Cluster - run: | - uds zarf package deploy build/zarf-package-distro-eks-*.tar.zst \ - --set cluster_name=$UDS_CLUSTER_NAME \ - --set permissions_boundary_name=$UDS_PERMISSIONS_BOUNDARY_NAME \ - --set permissions_boundary_arn=$UDS_PERMISSIONS_BOUNDARY_ARN \ - --set aws_ci_dev_arn=${{ secrets.AWS_CI_DEV_ARN }} \ - --set aws_ci_account=${{ secrets.AWS_CI_ACCOUNT }} \ - --confirm + run: uds run -f tasks/deploy.yaml no-pepr-package --set path=build/zarf-package-distro-eks-*.tar.zst - name: Deploy CI-IAC-AWS Package - run: | - uds zarf package deploy build/zarf-package-ci-iac-aws-*.tar.zst \ - --set cluster_name=$UDS_CLUSTER_NAME \ - --set permissions_boundary_name=$UDS_PERMISSIONS_BOUNDARY_NAME \ - --set permissions_boundary_arn=$UDS_PERMISSIONS_BOUNDARY_ARN \ - --set state_bucket_name=$UDS_STATE_BUCKET_NAME \ - --set state_key=$UDS_STATE_KEY \ - --set state_dynamodb_table_name=$UDS_STATE_DYNAMODB_TABLE_NAME \ - --confirm + run: uds run -f tasks/deploy.yaml no-pepr-package --set path=build/zarf-package-ci-iac-aws-*.tar.zst - name: Deploy Bundle env: @@ -97,7 +81,6 @@ jobs: - name: Teardown EKS cluster if: always() - # can't do a zarf package remove since there's no kubernetes cluster. run: uds zarf package remove build/zarf-package-distro-eks-*.tar.zst --confirm timeout-minutes: 30 continue-on-error: true diff --git a/tasks.yaml b/tasks.yaml index d678351c3..595dc5989 100644 --- a/tasks.yaml +++ b/tasks.yaml @@ -10,7 +10,7 @@ includes: - deploy: ./tasks/deploy.yaml - test: ./tasks/test.yaml - lint: ./tasks/lint.yaml - - common-setup: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.2.2/tasks/setup.yaml + - common-setup: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.3.2/tasks/setup.yaml tasks: - name: dev-setup 
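Review bot: `Deploy Cluster` and `Deploy CI-IAC-AWS Package` now call `uds run -f tasks/deploy.yaml no-pepr-package --set path=...` with no `options`, dropping the `--set cluster_name=...`, `permissions_boundary_*`, `state_bucket_name`, `state_key` and `state_dynamodb_table_name` arguments that previously reached `uds zarf package deploy`. Unless the UDS CLI translates the job's `UDS_*` environment variables into Zarf package variables (Zarf itself reads `ZARF_VAR_*`), these packages will deploy with defaults or prompts — at least one variable in the eks package is declared `prompt: true` earlier in this series — and the Terraform state key in particular would silently fall back to something other than the per-SHA path. Either thread the values through `--set options="--set cluster_name=$UDS_CLUSTER_NAME ..."` or rename the env vars to `ZARF_VAR_CLUSTER_NAME` etc., and say which mechanism is relied on in a comment beside the `env:` block.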
@@ -54,20 +54,9 @@ tasks: actions: - task: create:standard-package - - name: create-package-no-pepr - actions: - - task: create:no-pepr-package - with: - options: ${OPTIONS} - path: ${PATH} - - name: deploy-single-package actions: - task: deploy:single-package - - - name: deploy-package-no-pepr - actions: - - task: deploy:no-pepr-package - name: test-single-package actions: diff --git a/tasks/create.yaml b/tasks/create.yaml index 03da937a9..ee049028c 100644 --- a/tasks/create.yaml +++ b/tasks/create.yaml @@ -1,3 +1,6 @@ +includes: + - common: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.3.2/tasks/create.yaml + variables: - name: FLAVOR default: upstream @@ -57,12 +60,8 @@ tasks: npx pepr build $CUSTOM_PEPR_IMAGE - name: no-pepr-package - inputs: - options: - description: For setting create time variables and flags - path: - description: file path for package - default: $(pwd) actions: - - description: Deploy the UDS Zarf Package - cmd: uds zarf package create ${{ .inputs.path }} --confirm ${{ .inputs.options }} + - task: common:package + with: + options: ${OPTIONS} + path: ${PATH} diff --git a/tasks/deploy.yaml b/tasks/deploy.yaml index 92020b3f9..7649aa478 100644 --- a/tasks/deploy.yaml +++ b/tasks/deploy.yaml @@ -1,3 +1,6 @@ +includes: + - common: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.3.2/tasks/deploy.yaml + variables: - name: VERSION description: "The version of the packages to deploy" @@ -42,12 +45,8 @@ tasks: cmd: uds zarf package deploy build/zarf-package-core-${UDS_ARCH}-${VERSION}.tar.zst --confirm - name: no-pepr-package - inputs: - options: - description: For setting deploy time variables and flags - path: - description: file path for package - default: $(pwd) actions: - - description: Deploy the UDS Zarf Package - cmd: uds zarf package deploy ${{ .inputs.path }} --confirm ${{ .inputs.options }} + - task: common:package + with: + options: ${OPTIONS} + path: ${PATH} 
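Review bot: `includes: - common: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.3.2/tasks/create.yaml` (and the matching `deploy.yaml` include) pulls task definitions that execute in CI from a remote URL pinned only by a git tag; tags are mutable and raw fetches carry no integrity check, so whoever can move that tag or compromise that repo can run arbitrary commands with this workflow's AWS credentials. Pin the includes to a commit SHA (`.../<40-hex-sha>/tasks/create.yaml  # v0.3.2`) or vendor the task files, and apply the same to the `common-setup` include bumped in `tasks.yaml` in this patch.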
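Review bot: Both `no-pepr-package` tasks now forward `path: ${PATH}` to `common:package`, so the package location is carried in a task variable named `PATH`; if the runner exports task variables into the environment of the commands it executes — which is how `${OPTIONS}`-style references are typically resolved — that clobbers the shell's `PATH` for every command the task runs and breaks lookups of `uds`, `zarf` and friends. Rename the variable to something that cannot collide with a well-known environment name, e.g. `package: ${PACKAGE}` with `--set package=...` at the call sites, and add `description:` entries so the input contract is visible.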
From 32254d744f76a3b7675264e2acbfc52677f77aff Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Wed, 20 Mar 2024 08:43:20 -0600 Subject: [PATCH 38/82] typo fix --- .github/workflows/test-eks.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index b18e327e0..42150ac51 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml @@ -48,7 +48,7 @@ jobs: run: uds run -f tasks/create.yaml no-pepr-package --set path=.github/test-infra/eks - name: Create CI-IAC-AWS Package - run: uds run -f tastks/create.yaml no-pepr-package --set path=.github/test-infra/ci-iac-aws + run: uds run -f tasks/create.yaml no-pepr-package --set path=.github/test-infra/ci-iac-aws - name: Create UDS Core Package run: ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml standard-package From fc435117fab6c0d98c2ba3c9343ea1efe8258471 Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Wed, 20 Mar 2024 09:33:42 -0600 Subject: [PATCH 39/82] fixin deploy for no pepr package task --- .github/bundles/uds-config.yaml | 2 +- .github/workflows/test-eks.yaml | 4 ++-- tasks.yaml | 6 ++++++ tasks/deploy.yaml | 15 ++++++++------- 4 files changed, 17 insertions(+), 10 deletions(-) diff --git a/.github/bundles/uds-config.yaml b/.github/bundles/uds-config.yaml index c1c09d699..279a8afb7 100644 --- a/.github/bundles/uds-config.yaml +++ b/.github/bundles/uds-config.yaml @@ -1,4 +1,4 @@ -# Overwritten by ci-iac-aws package +# Overwritten by ci-iac-aws package options: architecture: amd64 diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 42150ac51..7cab530dc 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml 
@@ -57,10 +57,10 @@ jobs: run: uds create .github/bundles --confirm - name: Deploy Cluster - run: uds run -f tasks/deploy.yaml no-pepr-package --set path=build/zarf-package-distro-eks-*.tar.zst + run: uds run deploy-no-pepr-package --set package=build/zarf-package-distro-eks-*.tar.zst - name: Deploy CI-IAC-AWS Package - run: uds run -f tasks/deploy.yaml no-pepr-package --set path=build/zarf-package-ci-iac-aws-*.tar.zst + run: uds run deploy-no-pepr-package --set package=build/zarf-package-ci-iac-aws-*.tar.zst - name: Deploy Bundle env: diff --git a/tasks.yaml b/tasks.yaml index 595dc5989..93b3b948e 100644 --- a/tasks.yaml +++ b/tasks.yaml @@ -58,6 +58,12 @@ tasks: actions: - task: deploy:single-package + - name: deploy-no-pepr-package + actions: + - task: deploy:no-pepr-package + with: + package: ${PACKAGE} + - name: test-single-package actions: - task: test:single-package diff --git a/tasks/deploy.yaml b/tasks/deploy.yaml index 9a806ff30..056aa60ea 100644 --- a/tasks/deploy.yaml +++ b/tasks/deploy.yaml @@ -1,6 +1,3 @@ -includes: - - common: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.3.2/tasks/deploy.yaml - variables: - name: VERSION description: "The version of the packages to deploy" @@ -45,8 +42,12 @@ tasks: cmd: uds zarf package deploy build/zarf-package-core-${UDS_ARCH}-${VERSION}.tar.zst --confirm - name: no-pepr-package + inputs: + options: + description: For setting deploy time variables and flags + package: + description: Path and name of package to deploy + default: build/zarf-package-*.tar.zst actions: - - task: common:package - with: - options: ${OPTIONS} - path: ${PATH} + - description: Deploy the UDS Zarf Package + cmd: uds zarf package deploy ${{ .inputs.package }} --confirm --no-progress ${{ .inputs.options }} From f937c6111f699f14bf5db2bc87839958a58ab757 Mon Sep 17 00:00:00 2001 
From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Wed, 20 Mar 2024 09:37:19 -0600 Subject: [PATCH 40/82] yamllint --- tasks/deploy.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/deploy.yaml b/tasks/deploy.yaml index 056aa60ea..6998b55ad 100644 --- a/tasks/deploy.yaml +++ b/tasks/deploy.yaml @@ -45,7 +45,7 @@ tasks: inputs: options: description: For setting deploy time variables and flags - package: + package: description: Path and name of package to deploy default: build/zarf-package-*.tar.zst actions: From ce40c09c91c619dbb329d423409ea64f67844017 Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Wed, 20 Mar 2024 09:45:33 -0600 Subject: [PATCH 41/82] testing env var for task issue --- .github/workflows/test-eks.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 7cab530dc..c2e04d50d 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml @@ -57,6 +57,8 @@ jobs: run: uds create .github/bundles --confirm - name: Deploy Cluster + env: + UDS_CLUSTER_NAME: $UDS_CLUSTER_NAME run: uds run deploy-no-pepr-package --set package=build/zarf-package-distro-eks-*.tar.zst - name: Deploy CI-IAC-AWS Package From ead74e1cce654d8ef2263263b15d215958b5d035 Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Wed, 20 Mar 2024 10:11:41 -0600 Subject: [PATCH 42/82] testing with ZARF_ prefix --- .github/workflows/test-eks.yaml | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index c2e04d50d..3e8ab8d98 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml 
@@ -12,17 +12,17 @@ jobs: runs-on: ubuntu-latest env: SHA: ${{ github.sha }} - UDS_PERMISSIONS_BOUNDARY_ARN: ${{ secrets.PERMISSIONS_BOUNDARY_ARN }} - UDS_PERMISSIONS_BOUNDARY_NAME: ${{ secrets.PERMISSIONS_BOUNDARY_NAME }} - UDS_STATE_BUCKET_NAME: uds-aws-ci-commercial-us-west-2-5246-tfstate - UDS_STATE_DYNAMODB_TABLE_NAME: uds-aws-ci-commercial-org-us-west-2-5246-tfstate-lock - UDS_AWS_CI_DEV_ARN: ${{ secrets.AWS_CI_DEV_ARN }} - UDS_AWS_CI_ACCOUNT: ${{ secrets.AWS_CI_ACCOUNT }} + ZARF_PERMISSIONS_BOUNDARY_ARN: ${{ secrets.PERMISSIONS_BOUNDARY_ARN }} + ZARF_PERMISSIONS_BOUNDARY_NAME: ${{ secrets.PERMISSIONS_BOUNDARY_NAME }} + ZARF_STATE_BUCKET_NAME: uds-aws-ci-commercial-us-west-2-5246-tfstate + ZARF_STATE_DYNAMODB_TABLE_NAME: uds-aws-ci-commercial-org-us-west-2-5246-tfstate-lock + ZARF_AWS_CI_DEV_ARN: ${{ secrets.AWS_CI_DEV_ARN }} + ZARF_AWS_CI_ACCOUNT: ${{ secrets.AWS_CI_ACCOUNT }} steps: - name: Set ENV run: | - echo "UDS_CLUSTER_NAME=uds-core-aws-${SHA:0:7}" >> $GITHUB_ENV - echo "UDS_STATE_KEY="tfstate/ci/install/${SHA:0:7}-core-aws.tfstate >> $GITHUB_ENV + echo "ZARF_CLUSTER_NAME=uds-core-aws-${SHA:0:7}" >> $GITHUB_ENV + echo "ZARF_STATE_KEY="tfstate/ci/install/${SHA:0:7}-core-aws.tfstate >> $GITHUB_ENV - name: Checkout repository uses: actions/checkout@v4 @@ -57,8 +57,6 @@ jobs: run: uds create .github/bundles --confirm - name: Deploy Cluster - env: - UDS_CLUSTER_NAME: $UDS_CLUSTER_NAME run: uds run deploy-no-pepr-package --set package=build/zarf-package-distro-eks-*.tar.zst - name: Deploy CI-IAC-AWS Package From dd3f35b824f05e3cb77627887a82174f08c73453 Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Wed, 20 Mar 2024 12:23:40 -0600 Subject: [PATCH 43/82] explicit --set in tasks --- .github/test-infra/eks/zarf.yaml | 1 - .github/workflows/test-eks.yaml | 34 ++++++++++++++++++++++---------- tasks.yaml | 6 ------ tasks/deploy.yaml | 10 ---------- 4 files changed, 24 insertions(+), 27 deletions(-) 
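Review bot: The line `echo "ZARF_STATE_KEY="tfstate/ci/install/${SHA:0:7}-core-aws.tfstate >> $GITHUB_ENV` in the Set ENV step closes its double quotes right after the `=`, leaving the path an unquoted word and the redirection target `$GITHUB_ENV` unquoted as well; it works only because neither contains whitespace. Writing it as `echo "ZARF_STATE_KEY=tfstate/ci/install/${SHA:0:7}-core-aws.tfstate" >> "$GITHUB_ENV"` states the intent and matches the `ZARF_CLUSTER_NAME` line directly above it. The same quoting carries into patch 43, where this line reappears as `STATE_KEY`.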
diff --git a/.github/test-infra/eks/zarf.yaml b/.github/test-infra/eks/zarf.yaml index 32fa66f50..f9eac4a5d 100644 --- a/.github/test-infra/eks/zarf.yaml +++ b/.github/test-infra/eks/zarf.yaml @@ -7,7 +7,6 @@ metadata: variables: - name: CLUSTER_NAME - prompt: true - name: PERMISSIONS_BOUNDARY_ARN - name: PERMISSIONS_BOUNDARY_NAME - name: AMI_ID diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 3e8ab8d98..450ea7d88 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml @@ -12,17 +12,17 @@ jobs: runs-on: ubuntu-latest env: SHA: ${{ github.sha }} - ZARF_PERMISSIONS_BOUNDARY_ARN: ${{ secrets.PERMISSIONS_BOUNDARY_ARN }} - ZARF_PERMISSIONS_BOUNDARY_NAME: ${{ secrets.PERMISSIONS_BOUNDARY_NAME }} - ZARF_STATE_BUCKET_NAME: uds-aws-ci-commercial-us-west-2-5246-tfstate - ZARF_STATE_DYNAMODB_TABLE_NAME: uds-aws-ci-commercial-org-us-west-2-5246-tfstate-lock - ZARF_AWS_CI_DEV_ARN: ${{ secrets.AWS_CI_DEV_ARN }} - ZARF_AWS_CI_ACCOUNT: ${{ secrets.AWS_CI_ACCOUNT }} + PERMISSIONS_BOUNDARY_ARN: ${{ secrets.PERMISSIONS_BOUNDARY_ARN }} + PERMISSIONS_BOUNDARY_NAME: ${{ secrets.PERMISSIONS_BOUNDARY_NAME }} + STATE_BUCKET_NAME: uds-aws-ci-commercial-us-west-2-5246-tfstate + STATE_DYNAMODB_TABLE_NAME: uds-aws-ci-commercial-org-us-west-2-5246-tfstate-lock + AWS_CI_DEV_ARN: ${{ secrets.AWS_CI_DEV_ARN }} + AWS_CI_ACCOUNT: ${{ secrets.AWS_CI_ACCOUNT }} steps: - name: Set ENV run: | - echo "ZARF_CLUSTER_NAME=uds-core-aws-${SHA:0:7}" >> $GITHUB_ENV - echo "ZARF_STATE_KEY="tfstate/ci/install/${SHA:0:7}-core-aws.tfstate >> $GITHUB_ENV + echo "CLUSTER_NAME=uds-core-aws-${SHA:0:7}" >> $GITHUB_ENV + echo "STATE_KEY="tfstate/ci/install/${SHA:0:7}-core-aws.tfstate >> $GITHUB_ENV - name: Checkout repository uses: actions/checkout@v4 
@@ -57,10 +57,24 @@ jobs: run: uds create .github/bundles --confirm - name: Deploy Cluster - run: uds run deploy-no-pepr-package --set package=build/zarf-package-distro-eks-*.tar.zst + run: | + uds zarf package deploy build/zarf-package-distro-eks-*.tar.zst \ + --set cluster_name=$CLUSTER_NAME \ + --set permissions_boundary_arn=$PERMISSIONS_BOUNDARY_ARN \ + --set permission_boundary_name=$PERMISSIONS_BOUNDARY_NAME \ + --confirm - name: Deploy CI-IAC-AWS Package - run: uds run deploy-no-pepr-package --set package=build/zarf-package-ci-iac-aws-*.tar.zst + run: | + uds zarf package deploy build/zarf-package-ci-iac-aws-*.tar.zst \ + --set cluster_name=$CLUSTER_NAME \ + --set permission_boundary_name=$PERMISSIONS_BOUNDARY_NAME \ + --set state_bucket_name=$STATE_BUCKET_NAME \ + --set state_dynamodb_table_name=$STATE_DYNAMODB_TABLE_NAME \ + --set state_key=$STATE_KEY \ + --set aws_ci_dev_arn=$AWS_CI_DEV_ARN \ + --set aws_ci_account=$AWS_CI_ACCOUNT \ + --confirm - name: Deploy Bundle env: diff --git a/tasks.yaml b/tasks.yaml index 93b3b948e..595dc5989 100644 --- a/tasks.yaml +++ b/tasks.yaml @@ -58,12 +58,6 @@ tasks: actions: - task: deploy:single-package - - name: deploy-no-pepr-package - actions: - - task: deploy:no-pepr-package - with: - package: ${PACKAGE} - - name: test-single-package actions: - task: test:single-package diff --git a/tasks/deploy.yaml b/tasks/deploy.yaml index 6998b55ad..a075b29df 100644 --- a/tasks/deploy.yaml +++ b/tasks/deploy.yaml 
@@ -41,13 +41,3 @@ tasks: - description: "Deploy the standard UDS Core zarf package" cmd: uds zarf package deploy build/zarf-package-core-${UDS_ARCH}-${VERSION}.tar.zst --confirm - - name: no-pepr-package - inputs: - options: - description: For setting deploy time variables and flags - package: - description: Path and name of package to deploy - default: build/zarf-package-*.tar.zst - actions: - - description: Deploy the UDS Zarf Package - cmd: uds zarf package deploy ${{ .inputs.package }} --confirm --no-progress ${{ .inputs.options }} From 5bb9bdfccb9e0b78a3227ac771ddb8469a791f08 Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Wed, 20 Mar 2024 12:38:40 -0600 Subject: [PATCH 44/82] yamllint and typo --- .github/workflows/test-eks.yaml | 4 ++-- tasks/deploy.yaml | 1 - 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 450ea7d88..fe5889bf3 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml @@ -57,11 +57,11 @@ jobs: run: uds create .github/bundles --confirm - name: Deploy Cluster - run: | + run: | uds zarf package deploy build/zarf-package-distro-eks-*.tar.zst \ --set cluster_name=$CLUSTER_NAME \ --set permissions_boundary_arn=$PERMISSIONS_BOUNDARY_ARN \ - --set permission_boundary_name=$PERMISSIONS_BOUNDARY_NAME \ + --set permissions_boundary_name=$PERMISSIONS_BOUNDARY_NAME \ --confirm - name: Deploy CI-IAC-AWS Package diff --git a/tasks/deploy.yaml b/tasks/deploy.yaml index a075b29df..03321fb9b 100644 --- a/tasks/deploy.yaml +++ b/tasks/deploy.yaml @@ -40,4 +40,3 @@ tasks: actions: - description: "Deploy the standard UDS Core zarf package" cmd: uds zarf package deploy build/zarf-package-core-${UDS_ARCH}-${VERSION}.tar.zst --confirm - From 968aba036b7ffc76347126c25ee39b6f601fe1ef Mon Sep 17 00:00:00 2001 
From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Wed, 20 Mar 2024 13:26:52 -0600 Subject: [PATCH 45/82] removing iamidentitymapping from eks config along with zarf vars --- .github/test-infra/eks/config.yaml | 11 +---------- .github/workflows/test-eks.yaml | 4 ---- 2 files changed, 1 insertion(+), 14 deletions(-) diff --git a/.github/test-infra/eks/config.yaml b/.github/test-infra/eks/config.yaml index e281f6652..e6957b946 100644 --- a/.github/test-infra/eks/config.yaml +++ b/.github/test-infra/eks/config.yaml @@ -12,16 +12,6 @@ iam: withOIDC: true serviceRolePermissionsBoundary: "###ZARF_VAR_PERMISSIONS_BOUNDARY_ARN###" -# For dev access during testing -iamIdentityMappings: - - arn: "###ZARF_VAR_AWS_CI_DEV_ARN###" - groups: - - system:masters - username: UdsCiDevs - noDuplicateARNs: true # prevents shadowing of ARNs - - - account: "###ZARF_VAR_AWS_CI_ACCOUNT###" # account must be configured with no other options - addons: - name: aws-ebs-csi-driver version: v1.25.0-eksbuild.1 @@ -51,3 +41,4 @@ managedNodeGroups: overrideBootstrapCommand: | #!/bin/bash /etc/eks/bootstrap.sh ###ZARF_VAR_CLUSTER_NAME### --container-runtime containerd + diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index fe5889bf3..b8c5462d3 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml @@ -16,8 +16,6 @@ jobs: PERMISSIONS_BOUNDARY_NAME: ${{ secrets.PERMISSIONS_BOUNDARY_NAME }} STATE_BUCKET_NAME: uds-aws-ci-commercial-us-west-2-5246-tfstate STATE_DYNAMODB_TABLE_NAME: uds-aws-ci-commercial-org-us-west-2-5246-tfstate-lock - AWS_CI_DEV_ARN: ${{ secrets.AWS_CI_DEV_ARN }} - AWS_CI_ACCOUNT: ${{ secrets.AWS_CI_ACCOUNT }} steps: - name: Set ENV run: | 
@@ -72,8 +70,6 @@ jobs: --set state_bucket_name=$STATE_BUCKET_NAME \ --set state_dynamodb_table_name=$STATE_DYNAMODB_TABLE_NAME \ --set state_key=$STATE_KEY \ - --set aws_ci_dev_arn=$AWS_CI_DEV_ARN \ - --set aws_ci_account=$AWS_CI_ACCOUNT \ --confirm - name: Deploy Bundle From 7ed02ee81a1fcb38439d49110ae6e684ccb18801 Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Wed, 20 Mar 2024 13:28:12 -0600 Subject: [PATCH 46/82] yamllint --- .github/test-infra/eks/config.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/test-infra/eks/config.yaml b/.github/test-infra/eks/config.yaml index e6957b946..42579faa9 100644 --- a/.github/test-infra/eks/config.yaml +++ b/.github/test-infra/eks/config.yaml @@ -41,4 +41,3 @@ managedNodeGroups: overrideBootstrapCommand: | #!/bin/bash /etc/eks/bootstrap.sh ###ZARF_VAR_CLUSTER_NAME### --container-runtime containerd - From 440576c4134bed5417966a5d9a0a3ae8bd07bd02 Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Wed, 20 Mar 2024 13:56:21 -0600 Subject: [PATCH 47/82] typo for ci iac var --- .github/workflows/test-eks.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index b8c5462d3..c7b6d7151 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml @@ -66,7 +66,7 @@ jobs: run: | uds zarf package deploy build/zarf-package-ci-iac-aws-*.tar.zst \ --set cluster_name=$CLUSTER_NAME \ - --set permission_boundary_name=$PERMISSIONS_BOUNDARY_NAME \ + --set permissions_boundary_name=$PERMISSIONS_BOUNDARY_NAME \ --set state_bucket_name=$STATE_BUCKET_NAME \ --set state_dynamodb_table_name=$STATE_DYNAMODB_TABLE_NAME \ --set state_key=$STATE_KEY \ From ace8a4f285cd84157d634096765bfd0e3e378810 Mon Sep 17 00:00:00 2001 
From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Fri, 22 Mar 2024 08:13:12 -0600 Subject: [PATCH 48/82] remove toggles for force destroy and set to always true; set nightly testing back to schedule trigger --- .github/test-infra/ci-iac-aws/loki/terraform.tfvars | 2 +- .github/test-infra/ci-iac-aws/velero/terraform.tfvars | 2 +- .github/test-infra/ci-iac-aws/zarf.yaml | 10 ---------- .github/workflows/nightly-testing.yaml | 7 ++----- 4 files changed, 4 insertions(+), 17 deletions(-) diff --git a/.github/test-infra/ci-iac-aws/loki/terraform.tfvars b/.github/test-infra/ci-iac-aws/loki/terraform.tfvars index a01a2b606..78c1d8201 100644 --- a/.github/test-infra/ci-iac-aws/loki/terraform.tfvars +++ b/.github/test-infra/ci-iac-aws/loki/terraform.tfvars @@ -1,7 +1,7 @@ region = "###ZARF_VAR_REGION###" name = "###ZARF_VAR_CLUSTER_NAME###" bucket_name = "###ZARF_VAR_CLUSTER_NAME###-loki" -force_destroy = "###ZARF_VAR_LOKI_FORCE_DESTROY###" +force_destroy = "true" kubernetes_service_account = "logging-loki" kubernetes_namespace = "logging" diff --git a/.github/test-infra/ci-iac-aws/velero/terraform.tfvars b/.github/test-infra/ci-iac-aws/velero/terraform.tfvars index c1624b111..36dcd4968 100644 --- a/.github/test-infra/ci-iac-aws/velero/terraform.tfvars +++ b/.github/test-infra/ci-iac-aws/velero/terraform.tfvars @@ -1,7 +1,7 @@ region = "###ZARF_VAR_REGION###" name = "###ZARF_VAR_CLUSTER_NAME###" bucket_name = "###ZARF_VAR_CLUSTER_NAME###-velero" -force_destroy = "###ZARF_VAR_VELERO_FORCE_DESTROY###" +force_destroy = "true" kubernetes_service_account = "velero-server" kubernetes_namespace = "velero" diff --git a/.github/test-infra/ci-iac-aws/zarf.yaml b/.github/test-infra/ci-iac-aws/zarf.yaml index 7a8230bbb..4963aa042 100644 --- a/.github/test-infra/ci-iac-aws/zarf.yaml +++ b/.github/test-infra/ci-iac-aws/zarf.yaml 
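Review bot: `force_destroy = "true"` in both the loki and velero terraform.tfvars hunks is a string literal where a boolean is meant; Terraform coerces it if the variable is declared as `bool`, but `force_destroy = true` states the type directly and does not depend on that conversion. Because this commit also removes the `EPHEMERAL` and `*_FORCE_DESTROY` toggles from ci-iac-aws/zarf.yaml, these two files are now the only place deciding that the Loki and Velero buckets and their KMS keys are deleted together with their contents on teardown, so a comment beside the value would help, e.g. `# CI-only: bucket, its KMS key and all contents are removed on destroy; not for persistent environments`. The modules' variables.tf is outside this diff, so I could not confirm the declared type.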
@@ -29,16 +29,6 @@ variables: - name: USE_PERMISSIONS_BOUNDARY default: "true" - - name: EPHEMERAL - description: "Set whether the cluster should be considered ephemeral - if true all resources will be force destroyed on removal" - default: "true" - - name: LOKI_FORCE_DESTROY - description: "If set to true, delete the S3 bucket and corresponding KMS key associated with the Loki bucket. Overrides ephemeral setting." - default: "true" - - name: VELERO_FORCE_DESTROY - description: "If set to true, delete the S3 bucket and corresponding KMS key associated with the Velero bucket. Overrides ephemeral setting." - default: "true" - components: - name: download-terraform required: true diff --git a/.github/workflows/nightly-testing.yaml b/.github/workflows/nightly-testing.yaml index 64b291500..9770beecd 100644 --- a/.github/workflows/nightly-testing.yaml +++ b/.github/workflows/nightly-testing.yaml @@ -1,11 +1,8 @@ name: Nightly Testing -# on: -# schedule: -# - cron: '0 0 * * *' # Runs at midnight every day - on: - pull_request + schedule: + - cron: '0 0 * * *' # Runs at midnight every day jobs: nightly-testing: From 7cc2cd3be12cedcc4d2441c9b9d747ab7fa0b5e7 Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Thu, 28 Mar 2024 11:35:24 -0600 Subject: [PATCH 49/82] add loki s3 overrides to nightly testing bundle. --- .github/bundles/uds-bundle.yaml | 21 +++++++++++++++++++++ .github/bundles/uds-config.yaml | 22 ++++++++++++---------- .github/test-infra/ci-iac-aws/zarf.yaml | 22 ++++++++++++---------- .github/workflows/nightly-testing.yaml | 1 + 4 files changed, 46 insertions(+), 20 deletions(-) diff --git a/.github/bundles/uds-bundle.yaml b/.github/bundles/uds-bundle.yaml index 991e252e8..e138d3a71 100644 --- a/.github/bundles/uds-bundle.yaml +++ b/.github/bundles/uds-bundle.yaml 
@@ -27,3 +27,24 @@ packages: - name: VELERO_IRSA_ANNOTATION description: "IRSA ARN annotation to use for Velero" path: serviceAccount.server.annotations + loki: + loki: + variables: + - name: LOKI_CHUNKS_BUCKET + description: "The object storage bucket for Loki chunks" + path: loki.storage.bucketNames.chunks + - name: LOKI_RULER_BUCKET + description: "The object storage bucket for Loki ruler" + path: loki.storage.bucketNames.ruler + - name: LOKI_ADMIN_BUCKET + description: "The object storage bucket for Loki admin" + path: loki.storage.bucketNames.admin + - name: LOKI_S3_ENDPOINT + description: "The S3 endpoint" + path: loki.storage.s3.endpoint + - name: LOKI_S3_REGION + description: "The S3 region" + path: loki.storage.s3.region + - name: LOKI_IRSA_ANNOTATION + description: "The irsa role annotation" + path: loki.serviceAccount.annotations diff --git a/.github/bundles/uds-config.yaml b/.github/bundles/uds-config.yaml index 279a8afb7..3c49d4edf 100644 --- a/.github/bundles/uds-config.yaml +++ b/.github/bundles/uds-config.yaml 
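Review bot: The description of the new `LOKI_IRSA_ANNOTATION` override, `The irsa role annotation`, is vaguer than its Velero counterpart earlier in the same list (`IRSA ARN annotation to use for Velero`) and does not say which service account it targets, which matters because the value is a map written to `loki.serviceAccount.annotations`. Suggest `description: "IRSA role ARN annotation to use for the Loki service account"` so the two entries read the same way.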
@@ -4,16 +4,18 @@ options: variables: core: - # loki_bucket_chunks: ${ZARF_VAR_LOKI_S3_BUCKET} - # loki_bucket_ruler: ${ZARF_VAR_LOKI_S3_BUCKET} - # loki_bucket_admin: ${ZARF_VAR_LOKI_S3_BUCKET} - # loki_region: ${ZARF_VAR_LOKI_S3_AWS_REGION} - # loki_role_arn: ${ZARF_VAR_LOKI_S3_ROLE_ARN} - VELERO_USE_SECRET: false - VELERO_IRSA_ANNOTATION: + loki_chunks_bucket: ${ZARF_VAR_LOKI_S3_BUCKET} + loki_ruler_bucket: ${ZARF_VAR_LOKI_S3_BUCKET} + loki_admin_bucket: ${ZARF_VAR_LOKI_S3_BUCKET} + loki_s3_region: ${ZARF_VAR_LOKI_S3_AWS_REGION} + loki_s3-endpoint: "" + loki_irsa_annotation: + eks.amazonaws.com/role-arn: ${ZARF_VAR_LOKI_S3_ROLE_ARN} + velero_use_secret: false + velero_irsa_annotation: eks.amazonaws.com/role-arn: "${ZARF_VAR_VELERO_S3_ROLE_ARN}" - VELERO_BUCKET: ${ZARF_VAR_VELERO_S3_BUCKET} - VELERO_BUCKET_REGION: ${ZARF_VAR_VELERO_S3_AWS_REGION} - VELERO_BUCKET_PROVIDER_URL: "" + velero_bucket: ${ZARF_VAR_VELERO_S3_BUCKET} + velero_bucket_region: ${ZARF_VAR_VELERO_S3_AWS_REGION} + velero_bucket_provider_url: "" velero_bucket_credential_name: "" velero_bucket_credential_key: "" diff --git a/.github/test-infra/ci-iac-aws/zarf.yaml b/.github/test-infra/ci-iac-aws/zarf.yaml index 4963aa042..a26b1131c 100644 --- a/.github/test-infra/ci-iac-aws/zarf.yaml +++ b/.github/test-infra/ci-iac-aws/zarf.yaml 
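Review bot: The key `loki_s3-endpoint: ""` uses a hyphen where every other key in this block uses underscores, and the bundle variable it is meant to feed is declared as `LOKI_S3_ENDPOINT` in the uds-bundle.yaml hunk of this commit; as far as I know uds-cli matches config keys to bundle variables by name, so the hyphenated key would not match and the endpoint override would silently never be applied. Change it to `loki_s3_endpoint: ""`. The same key appears in the heredoc in the `.github/test-infra/ci-iac-aws/zarf.yaml` hunk of this commit. Separately, the new `eks.amazonaws.com/role-arn: ${ZARF_VAR_LOKI_S3_ROLE_ARN}` line is unquoted while the Velero equivalent just below quotes its ARN; quoting it, `eks.amazonaws.com/role-arn: "${ZARF_VAR_LOKI_S3_ROLE_ARN}"`, keeps the two consistent and keeps an empty substitution from parsing as null.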
@@ -168,17 +168,19 @@ components: variables: core: - # loki_bucket_chunks: ${ZARF_VAR_LOKI_S3_BUCKET} - # loki_bucket_ruler: ${ZARF_VAR_LOKI_S3_BUCKET} - # loki_bucket_admin: ${ZARF_VAR_LOKI_S3_BUCKET} - # loki_region: ${ZARF_VAR_LOKI_S3_AWS_REGION} - # loki_role_arn: ${ZARF_VAR_LOKI_S3_ROLE_ARN} - VELERO_USE_SECRET: false - VELERO_IRSA_ANNOTATION: + loki_chunks_bucket: ${ZARF_VAR_LOKI_S3_BUCKET} + loki_ruler_bucket: ${ZARF_VAR_LOKI_S3_BUCKET} + loki_admin_bucket: ${ZARF_VAR_LOKI_S3_BUCKET} + loki_s3_region: ${ZARF_VAR_LOKI_S3_AWS_REGION} + loki_s3-endpoint: "" + loki_irsa_annotation: + eks.amazonaws.com/role-arn: ${ZARF_VAR_LOKI_S3_ROLE_ARN} + velero_use_secret: false + velero_irsa_annotation: eks.amazonaws.com/role-arn: "${ZARF_VAR_VELERO_S3_ROLE_ARN}" - VELERO_BUCKET: ${ZARF_VAR_VELERO_S3_BUCKET} - VELERO_BUCKET_REGION: ${ZARF_VAR_VELERO_S3_AWS_REGION} - VELERO_BUCKET_PROVIDER_URL: "" + velero_bucket: ${ZARF_VAR_VELERO_S3_BUCKET} + velero_bucket_region: ${ZARF_VAR_VELERO_S3_AWS_REGION} + velero_bucket_provider_url: "" velero_bucket_credential_name: "" velero_bucket_credential_key: "" EOF diff --git a/.github/workflows/nightly-testing.yaml b/.github/workflows/nightly-testing.yaml index 9770beecd..867942345 100644 --- a/.github/workflows/nightly-testing.yaml +++ b/.github/workflows/nightly-testing.yaml @@ -3,6 +3,7 @@ name: Nightly Testing on: schedule: - cron: '0 0 * * *' # Runs at midnight every day + pull_request: jobs: nightly-testing: From 9e2d57b3566233766229f58b23b23658e4f01426 Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Thu, 28 Mar 2024 11:41:41 -0600 Subject: [PATCH 50/82] update core bundle version to 0.17.0 --- .github/bundles/uds-bundle.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/bundles/uds-bundle.yaml b/.github/bundles/uds-bundle.yaml index e138d3a71..e854060a2 100644 --- a/.github/bundles/uds-bundle.yaml +++ b/.github/bundles/uds-bundle.yaml 
@@ -3,7 +3,7 @@ metadata: name: uds-core-eks-nightly description: A UDS bundle for deploying EKS and UDS Core # x-release-please-start-version - version: "0.16.0" + version: "0.17.0" # x-release-please-end packages: @@ -15,7 +15,7 @@ packages: - name: core path: ../../build/ # x-release-please-start-version - ref: 0.16.1 + ref: 0.17.0 # x-release-please-end overrides: velero: From 4ac4a250da26151c7bb03a1064997e562ee7181c Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Thu, 28 Mar 2024 12:33:14 -0600 Subject: [PATCH 51/82] setting nightly testing back to schedule only; yamllint fix --- .github/bundles/uds-config.yaml | 2 +- .github/test-infra/ci-iac-aws/zarf.yaml | 2 +- .github/workflows/nightly-testing.yaml | 1 - 3 files changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/bundles/uds-config.yaml b/.github/bundles/uds-config.yaml index 3c49d4edf..eb2db3a58 100644 --- a/.github/bundles/uds-config.yaml +++ b/.github/bundles/uds-config.yaml @@ -9,7 +9,7 @@ variables: loki_admin_bucket: ${ZARF_VAR_LOKI_S3_BUCKET} loki_s3_region: ${ZARF_VAR_LOKI_S3_AWS_REGION} loki_s3-endpoint: "" - loki_irsa_annotation: + loki_irsa_annotation: eks.amazonaws.com/role-arn: ${ZARF_VAR_LOKI_S3_ROLE_ARN} velero_use_secret: false velero_irsa_annotation: diff --git a/.github/test-infra/ci-iac-aws/zarf.yaml b/.github/test-infra/ci-iac-aws/zarf.yaml index a26b1131c..64fe2ab2f 100644 --- a/.github/test-infra/ci-iac-aws/zarf.yaml +++ b/.github/test-infra/ci-iac-aws/zarf.yaml @@ -173,7 +173,7 @@ components: loki_admin_bucket: ${ZARF_VAR_LOKI_S3_BUCKET} loki_s3_region: ${ZARF_VAR_LOKI_S3_AWS_REGION} loki_s3-endpoint: "" - loki_irsa_annotation: + loki_irsa_annotation: eks.amazonaws.com/role-arn: ${ZARF_VAR_LOKI_S3_ROLE_ARN} velero_use_secret: false velero_irsa_annotation: diff --git a/.github/workflows/nightly-testing.yaml b/.github/workflows/nightly-testing.yaml index 867942345..9770beecd 100644 
--- a/.github/workflows/nightly-testing.yaml +++ b/.github/workflows/nightly-testing.yaml @@ -3,7 +3,6 @@ name: Nightly Testing on: schedule: - cron: '0 0 * * *' # Runs at midnight every day - pull_request: jobs: nightly-testing: From 87a3f9ad228ca319214930e7245bc62436e698e5 Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Fri, 29 Mar 2024 10:05:10 -0600 Subject: [PATCH 52/82] converting iac packages into iac tasks --- .github/test-infra/ci-iac-aws/extract.sh | 40 ----- .github/test-infra/ci-iac-aws/loki/main.tf | 1 - .github/test-infra/ci-iac-aws/zarf.yaml | 186 -------------------- .github/test-infra/eks/.gitignore | 1 - .github/test-infra/eks/config.yaml | 22 +-- .github/test-infra/eks/zarf.yaml | 45 ----- .github/workflows/test-eks.yaml | 48 ++---- tasks/iac.yaml | 187 +++++++++++++++++++++ 8 files changed, 214 insertions(+), 316 deletions(-) delete mode 100755 .github/test-infra/ci-iac-aws/extract.sh delete mode 100644 .github/test-infra/ci-iac-aws/zarf.yaml delete mode 100644 .github/test-infra/eks/.gitignore delete mode 100644 .github/test-infra/eks/zarf.yaml create mode 100644 tasks/iac.yaml diff --git a/.github/test-infra/ci-iac-aws/extract.sh b/.github/test-infra/ci-iac-aws/extract.sh deleted file mode 100755 index 1a239cf07..000000000 --- a/.github/test-infra/ci-iac-aws/extract.sh +++ /dev/null 
@@ -1,40 +0,0 @@ -#!/bin/bash - -set +o xtrace - -# Check if the runtime environment is Darwin (Mac OS X) or Linux -if [[ "$OSTYPE" == "darwin"* ]]; then - ARCH_NAME=darwin -elif [[ "$OSTYPE" == "linux-gnu"* ]]; then - ARCH_NAME=linux -elif [[ "$OSTYPE" == "msys" ]]; then - ARCH_NAME=windows -elif [[ "$OSTYPE" == "cygwin" ]]; then - ARCH_NAME=windows -else - echo "The OS is not supported" - exit 1 -fi - -# Check the processor architecture -if [[ $(uname -m) == "x86_64" ]]; then - echo "The processor architecture is 64-bit" - ARCH_PROC=amd64 -elif [[ $(uname -m) == "i686" || $(uname -m) == "i386" ]]; then - echo "The processor architecture is 32-bit" - echo "The processor is not AMD or ARM" -elif [[ $(uname -m) == "arm64" ]]; then - ARCH_PROC=arm64 -else -# default... - ARCH_PROC=amd64 -fi - -echo "HI!" -echo "ARCH_NAME: ${ARCH_NAME}" -echo "ARCH_PROC: ${ARCH_PROC}" - -# todo: actually use the terraform binary we download -mkdir -p run/loki && chmod -R ugo+rwx run/loki -mkdir -p run/velero && chmod -R ugo+rwx run/velero -unzip -o -q tmp/terraform_${1}_${ARCH_NAME}_${ARCH_PROC}.zip -d run diff --git a/.github/test-infra/ci-iac-aws/loki/main.tf b/.github/test-infra/ci-iac-aws/loki/main.tf index 6d0fe58e5..2945e79d4 100644 --- a/.github/test-infra/ci-iac-aws/loki/main.tf +++ b/.github/test-infra/ci-iac-aws/loki/main.tf @@ -26,7 +26,6 @@ terraform { } } -# taken from zarf bb repo resource "random_id" "default" { byte_length = 2 } diff --git a/.github/test-infra/ci-iac-aws/zarf.yaml b/.github/test-infra/ci-iac-aws/zarf.yaml deleted file mode 100644 index 64fe2ab2f..000000000 --- a/.github/test-infra/ci-iac-aws/zarf.yaml +++ /dev/null 
@@ -1,186 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/zarf/main/zarf.schema.json -kind: ZarfPackageConfig -metadata: - name: ci-iac-aws - description: "CI - IAC AWS (not for Prod use)" - # x-release-please-start-version - version: "0.15.1" - # x-release-please-end - architecture: amd64 - source: https://github.com/defenseunicorns/uds-core - documentation: https://github.com/defenseunicorns/uds-core - vendor: Defense Unicorns - -variables: - - name: CLUSTER_NAME - description: "Used in loki and velero terraform.tfvars" - prompt: true - - name: STATE_BUCKET_NAME - description: "Name of the pre-existing Terraform state S3 bucket" - - name: STATE_KEY - description: "Path to the state file key in the state bucket" - - name: STATE_DYNAMODB_TABLE_NAME - description: "Name of the DynamoDB table used for Terraform state locking" - - name: REGION - description: "The AWS region to run the Terraform in" - default: "us-west-2" - - name: PERMISSIONS_BOUNDARY_NAME - default: "" - - name: USE_PERMISSIONS_BOUNDARY - default: "true" - -components: - - name: download-terraform - required: true - actions: - onDeploy: - after: - - cmd: | - rm -f run/loki/terraform || true - rm -f run/velero/terraform || true - description: Clean up previous install since archiver doesn't overwrite the output - - cmd: "./extract-terraform.sh 1.5.7" - files: - - source: extract.sh - target: extract-terraform.sh - executable: true - # terraform binary into zarf package - - source: https://releases.hashicorp.com/terraform/1.5.7/terraform_1.5.7_linux_amd64.zip - target: tmp/terraform_1.5.7_linux_amd64.zip - - name: loki-module - required: true - actions: - onCreate: - before: - - cmd: terraform get -update - dir: loki - files: - - source: loki - target: run/loki - - name: loki-execute-terraform - required: true - actions: - onDeploy: - before: - - cmd: echo ${ZARF_VAR_STATE_KEY} | sed 's/\.tfstate/-loki.tfstate/g' - dir: run/loki - setVariables: - - name: 
STATE_KEY_LOKI - - cmd: | - ../terraform init -force-copy \ - -backend-config="bucket=${ZARF_VAR_STATE_BUCKET_NAME}" \ - -backend-config="key=${ZARF_VAR_STATE_KEY_LOKI}" \ - -backend-config="region=${ZARF_VAR_REGION}" \ - -backend-config="dynamodb_table=${ZARF_VAR_STATE_DYNAMODB_TABLE_NAME}" - dir: run/loki - - cmd: ../terraform apply -auto-approve - dir: run/loki - onRemove: - before: - - cmd: | - if [ -d "run/loki" ]; then - cd run/loki - ../terraform destroy -auto-approve - else - echo "Cannot remove: run/loki directory does not exist" - fi - - name: loki-outputs - required: true - actions: - onDeploy: - after: - - cmd: ../terraform output -raw s3_bucket - dir: run/loki - setVariables: - - name: LOKI_S3_BUCKET - - cmd: ../terraform output -raw aws_region - dir: run/loki - setVariables: - - name: LOKI_S3_AWS_REGION - - cmd: ../terraform output -raw irsa_role_arn - dir: run/loki - setVariables: - - name: LOKI_S3_ROLE_ARN - - name: velero-module - required: true - actions: - onCreate: - before: - - cmd: terraform get -update - dir: velero - files: - - source: velero - target: run/velero - - name: velero-execute-terraform - required: true - actions: - onDeploy: - before: - - cmd: echo ${ZARF_VAR_STATE_KEY} | sed 's/\.tfstate/-velero.tfstate/g' - dir: run/velero - setVariables: - - name: STATE_KEY_VELERO - - cmd: "echo ${ZARF_VAR_STATE_KEY_VELERO}" - - cmd: | - ../terraform init -force-copy \ - -backend-config="bucket=${ZARF_VAR_STATE_BUCKET_NAME}" \ - -backend-config="key=${ZARF_VAR_STATE_KEY_VELERO}" \ - -backend-config="region=${ZARF_VAR_REGION}" \ - -backend-config="dynamodb_table=${ZARF_VAR_STATE_DYNAMODB_TABLE_NAME}" - dir: run/velero - - cmd: ../terraform apply -auto-approve - dir: run/velero - onRemove: - before: - - cmd: | - if [ -d "run/velero" ]; then - cd run/velero - ../terraform destroy -auto-approve - else - echo "Cannot remove: run/velero directory does not exist" - fi - - name: velero-outputs - required: true - actions: - onDeploy: - after: - - cmd: 
../terraform output -raw s3_bucket - dir: run/velero - setVariables: - - name: VELERO_S3_BUCKET - - cmd: ../terraform output -raw aws_region - dir: run/velero - setVariables: - - name: VELERO_S3_AWS_REGION - - cmd: ../terraform output -raw irsa_role_arn - dir: run/velero - setVariables: - - name: VELERO_S3_ROLE_ARN - - name: export-outputs - required: true - actions: - onDeploy: - after: - - cmd: | - cat < .github/bundles/uds-config.yaml - options: - architecture: amd64 - - variables: - core: - loki_chunks_bucket: ${ZARF_VAR_LOKI_S3_BUCKET} - loki_ruler_bucket: ${ZARF_VAR_LOKI_S3_BUCKET} - loki_admin_bucket: ${ZARF_VAR_LOKI_S3_BUCKET} - loki_s3_region: ${ZARF_VAR_LOKI_S3_AWS_REGION} - loki_s3-endpoint: "" - loki_irsa_annotation: - eks.amazonaws.com/role-arn: ${ZARF_VAR_LOKI_S3_ROLE_ARN} - velero_use_secret: false - velero_irsa_annotation: - eks.amazonaws.com/role-arn: "${ZARF_VAR_VELERO_S3_ROLE_ARN}" - velero_bucket: ${ZARF_VAR_VELERO_S3_BUCKET} - velero_bucket_region: ${ZARF_VAR_VELERO_S3_AWS_REGION} - velero_bucket_provider_url: "" - velero_bucket_credential_name: "" - velero_bucket_credential_key: "" - EOF diff --git a/.github/test-infra/eks/.gitignore b/.github/test-infra/eks/.gitignore deleted file mode 100644 index fb242f9cc..000000000 --- a/.github/test-infra/eks/.gitignore +++ /dev/null @@ -1 +0,0 @@ -eksctl \ No newline at end of file diff --git a/.github/test-infra/eks/config.yaml b/.github/test-infra/eks/config.yaml index 42579faa9..73cd289ea 100644 --- a/.github/test-infra/eks/config.yaml +++ b/.github/test-infra/eks/config.yaml 
@@ -2,15 +2,15 @@ apiVersion: eksctl.io/v1alpha5 kind: ClusterConfig metadata: - name: "###ZARF_VAR_CLUSTER_NAME###" + name: ${CLUSTER_NAME} region: us-west-2 version: "1.27" tags: - PermissionsBoundary: "###ZARF_VAR_PERMISSIONS_BOUNDARY_NAME###" + PermissionsBoundary: ${PERMISSIONS_BOUNDARY_NAME} iam: withOIDC: true - serviceRolePermissionsBoundary: "###ZARF_VAR_PERMISSIONS_BOUNDARY_ARN###" + serviceRolePermissionsBoundary: ${PERMISSIONS_BOUNDARY_ARN} addons: - name: aws-ebs-csi-driver @@ -18,14 +18,14 @@ addons: attachPolicyARNs: - arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy - permissionsBoundary: "###ZARF_VAR_PERMISSIONS_BOUNDARY_ARN###" + permissionsBoundary: ${PERMISSIONS_BOUNDARY_ARN} tags: - PermissionsBoundary: "###ZARF_VAR_PERMISSIONS_BOUNDARY_NAME###" + PermissionsBoundary: ${PERMISSIONS_BOUNDARY_NAME} - name: vpc-cni - permissionsBoundary: "###ZARF_VAR_PERMISSIONS_BOUNDARY_ARN###" + permissionsBoundary: ${PERMISSIONS_BOUNDARY_ARN} tags: - PermissionsBoundary: "###ZARF_VAR_PERMISSIONS_BOUNDARY_NAME###" + PermissionsBoundary: ${PERMISSIONS_BOUNDARY_NAME} managedNodeGroups: - name: ng-1 @@ -33,11 +33,11 @@ managedNodeGroups: desiredCapacity: 3 volumeSize: 150 tags: - PermissionsBoundary: "###ZARF_VAR_PERMISSIONS_BOUNDARY_NAME###" + PermissionsBoundary: ${PERMISSIONS_BOUNDARY_NAME} iam: - instanceRolePermissionsBoundary: "###ZARF_VAR_PERMISSIONS_BOUNDARY_ARN###" - ami: "###ZARF_VAR_AMI_ID###" + instanceRolePermissionsBoundary: ${PERMISSIONS_BOUNDARY_ARN} + ami: ${AMI_ID} amiFamily: AmazonLinux2 overrideBootstrapCommand: | #!/bin/bash - /etc/eks/bootstrap.sh ###ZARF_VAR_CLUSTER_NAME### --container-runtime containerd + /etc/eks/bootstrap.sh CLUSTER_NAME --container-runtime containerd diff --git a/.github/test-infra/eks/zarf.yaml b/.github/test-infra/eks/zarf.yaml deleted file mode 100644 index f9eac4a5d..000000000 --- a/.github/test-infra/eks/zarf.yaml +++ /dev/null 
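Review bot: The replacement bootstrap line in the `managedNodeGroups` hunk passes the literal word `CLUSTER_NAME` to `/etc/eks/bootstrap.sh`, while every other substitution in this file became `${...}`; the nodes would try to join a cluster called `CLUSTER_NAME`. It should read `/etc/eks/bootstrap.sh ${CLUSTER_NAME} --container-runtime containerd`. The same literal is copied into the `cluster-config.yaml` heredoc of the new `create-cluster` task in `tasks/iac.yaml` later in this patch, where the shell would expand `${CLUSTER_NAME}` together with the other variables in that heredoc.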
@@ -1,45 +0,0 @@ -kind: ZarfPackageConfig -metadata: - name: distro-eks - description: "Deploy an EKS K8s cluster" - architecture: multi - version: "0.15.1" - -variables: - - name: CLUSTER_NAME - - name: PERMISSIONS_BOUNDARY_ARN - - name: PERMISSIONS_BOUNDARY_NAME - - name: AMI_ID - default: ami-068ab6ac1cec494e0 - -components: - - name: load-eksctl - required: true - actions: - onDeploy: - after: - # Remove existing eksctl - - cmd: rm -f eksctl - # Extract the correct linux or mac binary from the tarball - - cmd: ./zarf tools archiver decompress archives/eksctl_$(uname -s)_$(uname -m).tar.gz . - # Cleanup temp files - - cmd: rm -fr archives - files: - - source: config.yaml - target: config.yaml - - source: https://github.com/weaveworks/eksctl/releases/download/v0.165.0/eksctl_Linux_amd64.tar.gz - target: archives/eksctl_Linux_x86_64.tar.gz - - - name: deploy-eks-cluster - required: true - actions: - onDeploy: - before: - - cmd: ./eksctl create cluster --dry-run -f config.yaml - - cmd: sleep 15 - - cmd: ./eksctl create cluster -f config.yaml - after: - - cmd: ./eksctl utils write-kubeconfig -c ${ZARF_VAR_CLUSTER_NAME} - onRemove: - before: - - cmd: ./eksctl delete cluster -f config.yaml --disable-nodegroup-eviction --wait diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index c7b6d7151..6d72b4fec 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml 
@@ -12,20 +12,19 @@ jobs: runs-on: ubuntu-latest env: SHA: ${{ github.sha }} - PERMISSIONS_BOUNDARY_ARN: ${{ secrets.PERMISSIONS_BOUNDARY_ARN }} - PERMISSIONS_BOUNDARY_NAME: ${{ secrets.PERMISSIONS_BOUNDARY_NAME }} - STATE_BUCKET_NAME: uds-aws-ci-commercial-us-west-2-5246-tfstate - STATE_DYNAMODB_TABLE_NAME: uds-aws-ci-commercial-org-us-west-2-5246-tfstate-lock + UDS_PERMISSIONS_BOUNDARY_ARN: ${{ secrets.PERMISSIONS_BOUNDARY_ARN }} + UDS_PERMISSIONS_BOUNDARY_NAME: ${{ secrets.PERMISSIONS_BOUNDARY_NAME }} + UDS_STATE_BUCKET_NAME: uds-aws-ci-commercial-us-west-2-5246-tfstate + UDS_STATE_DYNAMODB_TABLE_NAME: uds-aws-ci-commercial-org-us-west-2-5246-tfstate-lock steps: - name: Set ENV run: | - echo "CLUSTER_NAME=uds-core-aws-${SHA:0:7}" >> $GITHUB_ENV - echo "STATE_KEY="tfstate/ci/install/${SHA:0:7}-core-aws.tfstate >> $GITHUB_ENV + echo "UDS_CLUSTER_NAME=uds-core-aws-${SHA:0:7}" >> $GITHUB_ENV + echo "UDS_STATE_KEY="tfstate/ci/install/${SHA:0:7}-core-aws.tfstate >> $GITHUB_ENV - name: Checkout repository uses: actions/checkout@v4 - # login to aws - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v4 with: @@ -34,6 +33,9 @@ jobs: aws-region: us-west-2 role-duration-seconds: 21600 + - name: Install eksctl + run: uds run -f tasks/iac.yaml install-eksctl + - name: Set Terraform version uses: hashicorp/setup-terraform@v3 with: 
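Review bot: The renamed export `echo "UDS_STATE_KEY="tfstate/ci/install/${SHA:0:7}-core-aws.tfstate >> $GITHUB_ENV` keeps the misplaced quotes of the old line: the closing quote sits right after the `=`, so the value is unquoted concatenation that only works because the SHA contains no whitespace. Prefer `echo "UDS_STATE_KEY=tfstate/ci/install/${SHA:0:7}-core-aws.tfstate" >> "$GITHUB_ENV"`, which matches the `UDS_CLUSTER_NAME` line above it and also quotes the `$GITHUB_ENV` path.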
@@ -42,35 +44,17 @@ jobs: - name: Environment setup uses: ./.github/actions/setup - - name: Create EKSCTL Package - run: uds run -f tasks/create.yaml no-pepr-package --set path=.github/test-infra/eks - - - name: Create CI-IAC-AWS Package - run: uds run -f tasks/create.yaml no-pepr-package --set path=.github/test-infra/ci-iac-aws - - name: Create UDS Core Package run: ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml standard-package - name: Create Bundle run: uds create .github/bundles --confirm - - name: Deploy Cluster - run: | - uds zarf package deploy build/zarf-package-distro-eks-*.tar.zst \ - --set cluster_name=$CLUSTER_NAME \ - --set permissions_boundary_arn=$PERMISSIONS_BOUNDARY_ARN \ - --set permissions_boundary_name=$PERMISSIONS_BOUNDARY_NAME \ - --confirm + - name: Create Cluster + run: uds run -f tasks/iac.yaml create-cluster - - name: Deploy CI-IAC-AWS Package - run: | - uds zarf package deploy build/zarf-package-ci-iac-aws-*.tar.zst \ - --set cluster_name=$CLUSTER_NAME \ - --set permissions_boundary_name=$PERMISSIONS_BOUNDARY_NAME \ - --set state_bucket_name=$STATE_BUCKET_NAME \ - --set state_dynamodb_table_name=$STATE_DYNAMODB_TABLE_NAME \ - --set state_key=$STATE_KEY \ - --confirm + - name: Create IAC + run: uds run -f tasks/iac.yaml create-iac - name: Deploy Bundle env: @@ -83,14 +67,14 @@ jobs: timeout-minutes: 30 continue-on-error: true - - name: Remove CI-DUBBD-IAC-AWS + - name: Remove IAC if: always() - run: uds zarf package remove build/zarf-package-ci-iac-aws-*.tar.zst --confirm + run: uds run -f tasks/iac.yaml destroy-iac timeout-minutes: 30 continue-on-error: true - name: Teardown EKS cluster if: always() - run: uds zarf package remove build/zarf-package-distro-eks-*.tar.zst --confirm + run: uds run -f tasks/iac.yaml destroy-cluster timeout-minutes: 30 continue-on-error: true diff --git a/tasks/iac.yaml b/tasks/iac.yaml new file mode 100644 index 000000000..d840d67d8 --- /dev/null +++ b/tasks/iac.yaml 
@@ -0,0 +1,187 @@ +variables: + - name: CLUSTER_NAME + - name: STATE_BUCKET_NAME + - name: STATE_KEY + - name: STATE_DYNAMODB_TABLE_NAME + - name: REGION + - name: PERMISSIONS_BOUNDARY_NAME + - name: PERMISSIONS_BOUNDARY_ARN + - name: USE_PERMISSIONS_BOUNDARY + default: "true" + - name: AMI_ID + default: ami-068ab6ac1cec494e0 + +tasks: + - name: install-eksctl + actions: + - cmd: | + curl --silent --location "https://github.com/weaveworks/eksctl/releases/download/v0.165.0/eksctl_Linux_amd64.tar.gz" | tar xz -C /tmp + sudo mv /tmp/eksctl /usr/local/bin + + - name: create-cluster + actions: + - cmd: | + cat < cluster-config.yaml + apiVersion: eksctl.io/v1alpha5 + kind: ClusterConfig + + metadata: + name: ${CLUSTER_NAME} + region: us-west-2 + version: "1.27" + tags: + PermissionsBoundary: ${PERMISSIONS_BOUNDARY_NAME} + + iam: + withOIDC: true + serviceRolePermissionsBoundary: ${PERMISSIONS_BOUNDARY_ARN} + + addons: + - name: aws-ebs-csi-driver + version: v1.25.0-eksbuild.1 + + attachPolicyARNs: + - arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy + permissionsBoundary: ${PERMISSIONS_BOUNDARY_ARN} + tags: + PermissionsBoundary: ${PERMISSIONS_BOUNDARY_NAME} + + - name: vpc-cni + permissionsBoundary: ${PERMISSIONS_BOUNDARY_ARN} + tags: + PermissionsBoundary: ${PERMISSIONS_BOUNDARY_NAME} + + managedNodeGroups: + - name: ng-1 + instanceType: m5.2xlarge + desiredCapacity: 3 + volumeSize: 150 + tags: + PermissionsBoundary: ${PERMISSIONS_BOUNDARY_NAME} + iam: + instanceRolePermissionsBoundary: ${PERMISSIONS_BOUNDARY_ARN} + ami: ${AMI_ID} + amiFamily: AmazonLinux2 + overrideBootstrapCommand: | + #!/bin/bash + /etc/eks/bootstrap.sh CLUSTER_NAME --container-runtime containerd + EOF + + - cmd: eksctl create cluster --dry-run -f cluster-config.yaml + - cmd: sleep 5 + - cmd: eksctl create cluster -f .github/test-infra/eks/config.yaml + - cmd: eksctl utils write-kubeconfig -c ${CLUSTER_NAME} + + - name: destroy-cluster + actions: + - cmd: eksctl delete cluster -f 
.github/test-infra/eks/config.yaml --disable-nodegroup-eviction --wait + + - name: create-iac + actions: + - task: loki-execute-terraform + - task: loki-outputs + - task: velero-execute-terraform + - task: velero-outputs + - task: export-outputs + + - name: destroy-iac + actions: + - task: destory-loki + - task: destroy-velero + + - name: loki-execute-terraform + actions: + - cmd: echo ${STATE_KEY} | sed 's/\.tfstate/-loki.tfstate/g' + setVariables: + - name: STATE_KEY_LOKI + - cmd: | + terraform init -force-copy \ + -backend-config="bucket=${STATE_BUCKET_NAME}" \ + -backend-config="key=${STATE_KEY_LOKI}" \ + -backend-config="region=${REGION}" \ + -backend-config="dynamodb_table=${STATE_DYNAMODB_TABLE_NAME}" + dir: .github/test-infra/ci-iac-aws/loki + - cmd: terraform apply -auto-approve + dir: .github/test-infra/ci-iac-aws/loki + + - name: destory-loki + actions: + - cmd: | + terraform destroy -auto-approve + dir: .github/test-infra/ci-iac-aws/loki + + - name: loki-outputs + actions: + - cmd: terraform output -raw s3_bucket + dir: .github/test-infra/ci-iac-aws/loki + setVariables: + - name: LOKI_S3_BUCKET + - cmd: terraform output -raw aws_region + dir: .github/test-infra/ci-iac-aws/loki + setVariables: + - name: LOKI_S3_AWS_REGION + - cmd: terraform output -raw irsa_role_arn + dir: .github/test-infra/ci-iac-aws/loki + setVariables: + - name: LOKI_S3_ROLE_ARN + + - name: velero-execute-terraform + actions: + - cmd: echo ${STATE_KEY} | sed 's/\.tfstate/-velero.tfstate/g' + dir: .github/test-infra/ci-iac-aws/velero + setVariables: + - name: STATE_KEY_VELERO + - cmd: | + terraform init -force-copy \ + -backend-config="bucket=${STATE_BUCKET_NAME}" \ + -backend-config="key=${STATE_KEY_VELERO}" \ + -backend-config="region=${REGION}" \ + -backend-config="dynamodb_table=${STATE_DYNAMODB_TABLE_NAME}" + dir: .github/test-infra/ci-iac-aws/velero + - cmd: terraform apply -auto-approve + dir: .github/test-infra/ci-iac-aws/velero + + - name: destroy-velero + actions: + - cmd: 
terraform destroy -auto-approve + dir: .github/test-infra/ci-iac-aws/velero + + - name: velero-outputs + actions: + - cmd: terraform output -raw s3_bucket + dir: .github/test-infra/ci-iac-aws/velero + setVariables: + - name: VELERO_S3_BUCKET + - cmd: terraform output -raw aws_region + dir: .github/test-infra/ci-iac-aws/velero + setVariables: + - name: VELERO_S3_AWS_REGION + - cmd: terraform output -raw irsa_role_arn + dir: .github/test-infra/ci-iac-aws/velero + setVariables: + - name: VELERO_S3_ROLE_ARN + + - name: export-outputs + actions: + - cmd: | + cat < .github/bundles/uds-config.yaml + options: + architecture: amd6 + variables: + core: + loki_chunks_bucket: ${LOKI_S3_BUCKET} + loki_ruler_bucket: ${LOKI_S3_BUCKET} + loki_admin_bucket: ${LOKI_S3_BUCKET} + loki_s3_region: ${LOKI_S3_AWS_REGION} + loki_s3-endpoint: "" + loki_irsa_annotation: + eks.amazonaws.com/role-arn: ${LOKI_S3_ROLE_ARN} + velero_use_secret: false + velero_irsa_annotation: + eks.amazonaws.com/role-arn: "${VELERO_S3_ROLE_ARN}" + velero_bucket: ${VELERO_S3_BUCKET} + velero_bucket_region: ${VELERO_S3_AWS_REGION} + velero_bucket_provider_url: "" + velero_bucket_credential_name: "" + velero_bucket_credential_key: "" + EOF \ No newline at end of file From 820ce90d86e8a6be591f4dd936f29046d63bf3c4 Mon Sep 17 00:00:00 2001 
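Review bot: `architecture: amd6` in the `uds-config.yaml` written by `export-outputs` is a typo for `amd64` (the removed `ci-iac-aws/zarf.yaml` wrote `amd64`), so the generated bundle config will not match the `ZARF_ARCHITECTURE=amd64` package build. Separately, `install-eksctl` pipes a release tarball straight from `curl` into `tar` and then `sudo mv`s the binary into `/usr/local/bin` with no integrity check; the version is pinned but nothing verifies the bytes that actually arrive, and a checksum comparison before extracting is the usual fix, sketched below with a placeholder for the expected digest. The task is also spelled `destory-loki` in both its definition and its `destroy-iac` caller, so it runs, but the misspelling will get copied forward.
```yaml
  - name: install-eksctl
    actions:
      - cmd: |
          curl --silent --location --fail -o /tmp/eksctl.tar.gz "https://github.com/weaveworks/eksctl/releases/download/v0.165.0/eksctl_Linux_amd64.tar.gz"
          # EXPECTED_SHA256_PLACEHOLDER: fill in from the v0.165.0 release's published checksums for this asset
          echo "EXPECTED_SHA256_PLACEHOLDER  /tmp/eksctl.tar.gz" | sha256sum --check
          tar xz -C /tmp -f /tmp/eksctl.tar.gz
          sudo mv /tmp/eksctl /usr/local/bin
```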
From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Fri, 29 Mar 2024 10:59:36 -0600 Subject: [PATCH 53/82] refactoring tf to not use zarf_vars --- .github/test-infra/ci-iac-aws/loki/main.tf | 2 +- .../ci-iac-aws/loki/terraform.tfvars | 7 --- .../test-infra/ci-iac-aws/loki/variables.tf | 2 +- .github/test-infra/ci-iac-aws/velero/main.tf | 2 +- .../ci-iac-aws/velero/terraform.tfvars | 7 --- .../test-infra/ci-iac-aws/velero/variables.tf | 2 +- .github/test-infra/eks/config.yaml | 43 ------------------- .github/workflows/nightly-testing.yaml | 1 + .github/workflows/test-eks.yaml | 9 +++- tasks/iac.yaml | 6 --- 10 files changed, 13 insertions(+), 68 deletions(-) delete mode 100644 .github/test-infra/eks/config.yaml diff --git a/.github/test-infra/ci-iac-aws/loki/main.tf b/.github/test-infra/ci-iac-aws/loki/main.tf index 2945e79d4..cda91d598 100644 --- a/.github/test-infra/ci-iac-aws/loki/main.tf +++ b/.github/test-infra/ci-iac-aws/loki/main.tf @@ -56,7 +56,7 @@ locals { module "S3" { source = "github.com/defenseunicorns/terraform-aws-uds-s3?ref=v0.0.6" - name_prefix = "${var.bucket_name}-" + name_prefix = "${var.loki_bucket_name}-" kms_key_arn = local.kms_key_arn force_destroy = var.force_destroy create_bucket_lifecycle = true diff --git a/.github/test-infra/ci-iac-aws/loki/terraform.tfvars b/.github/test-infra/ci-iac-aws/loki/terraform.tfvars index 78c1d8201..68702dd82 100644 --- a/.github/test-infra/ci-iac-aws/loki/terraform.tfvars +++ b/.github/test-infra/ci-iac-aws/loki/terraform.tfvars @@ -1,10 +1,3 @@ -region = "###ZARF_VAR_REGION###" -name = "###ZARF_VAR_CLUSTER_NAME###" -bucket_name = "###ZARF_VAR_CLUSTER_NAME###-loki" force_destroy = "true" - kubernetes_service_account = "logging-loki" kubernetes_namespace = "logging" - -permissions_boundary_name = "###ZARF_VAR_PERMISSIONS_BOUNDARY_NAME###" -use_permissions_boundary = "###ZARF_VAR_USE_PERMISSIONS_BOUNDARY###" 
diff --git a/.github/test-infra/ci-iac-aws/loki/variables.tf b/.github/test-infra/ci-iac-aws/loki/variables.tf index e3b4fdf11..fc442e6a8 100644 --- a/.github/test-infra/ci-iac-aws/loki/variables.tf +++ b/.github/test-infra/ci-iac-aws/loki/variables.tf @@ -39,7 +39,7 @@ variable "create_kms_key" { default = true } -variable "bucket_name" { +variable "loki_bucket_name" { description = "Name for S3 bucket" type = string } diff --git a/.github/test-infra/ci-iac-aws/velero/main.tf b/.github/test-infra/ci-iac-aws/velero/main.tf index 08de4279c..fa8908efd 100644 --- a/.github/test-infra/ci-iac-aws/velero/main.tf +++ b/.github/test-infra/ci-iac-aws/velero/main.tf @@ -56,7 +56,7 @@ locals { module "S3" { source = "github.com/defenseunicorns/terraform-aws-uds-s3?ref=v0.0.6" - name_prefix = "${var.bucket_name}-" + name_prefix = "${var.velero_bucket_name}-" kms_key_arn = local.kms_key_arn force_destroy = var.force_destroy create_bucket_lifecycle = true diff --git a/.github/test-infra/ci-iac-aws/velero/terraform.tfvars b/.github/test-infra/ci-iac-aws/velero/terraform.tfvars index 36dcd4968..aab5d282e 100644 --- a/.github/test-infra/ci-iac-aws/velero/terraform.tfvars +++ b/.github/test-infra/ci-iac-aws/velero/terraform.tfvars @@ -1,10 +1,3 @@ -region = "###ZARF_VAR_REGION###" -name = "###ZARF_VAR_CLUSTER_NAME###" -bucket_name = "###ZARF_VAR_CLUSTER_NAME###-velero" force_destroy = "true" - kubernetes_service_account = "velero-server" kubernetes_namespace = "velero" - -permissions_boundary_name = "###ZARF_VAR_PERMISSIONS_BOUNDARY_NAME###" -use_permissions_boundary = "###ZARF_VAR_USE_PERMISSIONS_BOUNDARY###" diff --git a/.github/test-infra/ci-iac-aws/velero/variables.tf b/.github/test-infra/ci-iac-aws/velero/variables.tf index e3b4fdf11..3a6feec86 100644 --- a/.github/test-infra/ci-iac-aws/velero/variables.tf +++ b/.github/test-infra/ci-iac-aws/velero/variables.tf 
@@ -39,7 +39,7 @@ variable "create_kms_key" { default = true } -variable "bucket_name" { +variable "velero_bucket_name" { description = "Name for S3 bucket" type = string } diff --git a/.github/test-infra/eks/config.yaml b/.github/test-infra/eks/config.yaml deleted file mode 100644 index 73cd289ea..000000000 --- a/.github/test-infra/eks/config.yaml +++ /dev/null @@ -1,43 +0,0 @@ -apiVersion: eksctl.io/v1alpha5 -kind: ClusterConfig - -metadata: - name: ${CLUSTER_NAME} - region: us-west-2 - version: "1.27" - tags: - PermissionsBoundary: ${PERMISSIONS_BOUNDARY_NAME} - -iam: - withOIDC: true - serviceRolePermissionsBoundary: ${PERMISSIONS_BOUNDARY_ARN} - -addons: - - name: aws-ebs-csi-driver - version: v1.25.0-eksbuild.1 - - attachPolicyARNs: - - arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy - permissionsBoundary: ${PERMISSIONS_BOUNDARY_ARN} - tags: - PermissionsBoundary: ${PERMISSIONS_BOUNDARY_NAME} - - - name: vpc-cni - permissionsBoundary: ${PERMISSIONS_BOUNDARY_ARN} - tags: - PermissionsBoundary: ${PERMISSIONS_BOUNDARY_NAME} - -managedNodeGroups: - - name: ng-1 - instanceType: m5.2xlarge - desiredCapacity: 3 - volumeSize: 150 - tags: - PermissionsBoundary: ${PERMISSIONS_BOUNDARY_NAME} - iam: - instanceRolePermissionsBoundary: ${PERMISSIONS_BOUNDARY_ARN} - ami: ${AMI_ID} - amiFamily: AmazonLinux2 - overrideBootstrapCommand: | - #!/bin/bash - /etc/eks/bootstrap.sh CLUSTER_NAME --container-runtime containerd diff --git a/.github/workflows/nightly-testing.yaml b/.github/workflows/nightly-testing.yaml index 9770beecd..867942345 100644 --- a/.github/workflows/nightly-testing.yaml +++ b/.github/workflows/nightly-testing.yaml @@ -3,6 +3,7 @@ name: Nightly Testing on: schedule: - cron: '0 0 * * *' # Runs at midnight every day + pull_request: jobs: nightly-testing: diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 6d72b4fec..17897044e 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml 
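Review bot: `pull_request:` added under `on:` turns the nightly workflow into a per-pull-request one, presumably to exercise it while developing, but nothing in the diff marks it as temporary. If the intent is to trigger it by hand, `workflow_dispatch:` gives that without running on every PR; otherwise a comment such as `# TODO: remove before merge; PR trigger is for development only` keeps it from surviving by accident. This matters once the workflow starts assuming an AWS role the way the sibling `test-eks.yaml` does.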
@@ -36,7 +36,7 @@ jobs: - name: Install eksctl run: uds run -f tasks/iac.yaml install-eksctl - - name: Set Terraform version + - name: Setup Terraform uses: hashicorp/setup-terraform@v3 with: terraform_version: "1.5.7" @@ -54,6 +54,13 @@ jobs: run: uds run -f tasks/iac.yaml create-cluster - name: Create IAC + env: + TF_VAR_REGION: us-west-2 + TF_VAR_NAME: $UDS_CLUSTER_NAME + TF_VAR_LOKI_BUCKET_NAME: "${UDS_CLUSTER_NAME}-loki" + TF_VAR_VELERO_BUCKET_NAME: "${UDS_CLUSTER_NAME}-velero" + TF_VAR_USE_PERMISSIONS_BOUNDARY: true + TF_VAR_PERMISSIONS_BOUNDARY_NAME: $UDS_PERMISSIONS_BOUNDARY_NAME run: uds run -f tasks/iac.yaml create-iac - name: Deploy Bundle diff --git a/tasks/iac.yaml b/tasks/iac.yaml index d840d67d8..69eff44dd 100644 --- a/tasks/iac.yaml +++ b/tasks/iac.yaml @@ -1,13 +1,7 @@ variables: - name: CLUSTER_NAME - - name: STATE_BUCKET_NAME - - name: STATE_KEY - - name: STATE_DYNAMODB_TABLE_NAME - - name: REGION - name: PERMISSIONS_BOUNDARY_NAME - name: PERMISSIONS_BOUNDARY_ARN - - name: USE_PERMISSIONS_BOUNDARY - default: "true" - name: AMI_ID default: ami-068ab6ac1cec494e0 From 1f3a686be674235190cd8643d3e2f618532870a9 Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Fri, 29 Mar 2024 11:07:32 -0600 Subject: [PATCH 54/82] install uds first --- .github/workflows/test-eks.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 17897044e..88795b34b 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml @@ -32,6 +32,9 @@ jobs: role-session-name: ${{ github.job || github.event.client_payload.pull_request.head.sha || github.sha }} aws-region: us-west-2 role-duration-seconds: 21600 + + - name: Environment setup + uses: ./.github/actions/setup - name: Install eksctl run: uds run -f tasks/iac.yaml install-eksctl 
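Review bot: The new `env:` block on `Create IAC` will not deliver these values to Terraform. Values under `env:` are not shell-expanded by the runner, so `TF_VAR_NAME: $UDS_CLUSTER_NAME` and `"${UDS_CLUSTER_NAME}-loki"` arrive as literal text; the `${{ env.UDS_CLUSTER_NAME }}` expression form is needed. Terraform also matches `TF_VAR_` names case-sensitively against the declared variable, so `TF_VAR_REGION` and `TF_VAR_LOKI_BUCKET_NAME` do not populate `variable "region"` or `variable "loki_bucket_name"` (renamed in this same patch); the `TF_VAR_REGION: $UDS_REGION` edit in the following commit's `test-eks.yaml` hunk has the same two problems. Since this patch also removes these values from `terraform.tfvars`, `terraform apply` will stop on the now-required variables.
```yaml
      - name: Create IAC
        env:
          TF_VAR_region: us-west-2
          TF_VAR_name: ${{ env.UDS_CLUSTER_NAME }}
          TF_VAR_loki_bucket_name: ${{ env.UDS_CLUSTER_NAME }}-loki
          TF_VAR_velero_bucket_name: ${{ env.UDS_CLUSTER_NAME }}-velero
          TF_VAR_use_permissions_boundary: "true"
          TF_VAR_permissions_boundary_name: ${{ env.UDS_PERMISSIONS_BOUNDARY_NAME }}
        run: uds run -f tasks/iac.yaml create-iac
```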
@@ -41,9 +44,6 @@ jobs: with: terraform_version: "1.5.7" - - name: Environment setup - uses: ./.github/actions/setup - - name: Create UDS Core Package run: ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml standard-package From 8d886861b752d310bace0de21cb8f6bb80e03dfb Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Fri, 29 Mar 2024 11:49:07 -0600 Subject: [PATCH 55/82] DRY out iac tasks; fix eksctl config reference --- .github/workflows/test-eks.yaml | 3 +- tasks/create.yaml | 6 -- tasks/iac.yaml | 123 ++++++++++++++------------------ 3 files changed, 54 insertions(+), 78 deletions(-) diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 88795b34b..de0ef9100 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml @@ -12,6 +12,7 @@ jobs: runs-on: ubuntu-latest env: SHA: ${{ github.sha }} + UDS_REGION: us-west-2 UDS_PERMISSIONS_BOUNDARY_ARN: ${{ secrets.PERMISSIONS_BOUNDARY_ARN }} UDS_PERMISSIONS_BOUNDARY_NAME: ${{ secrets.PERMISSIONS_BOUNDARY_NAME }} UDS_STATE_BUCKET_NAME: uds-aws-ci-commercial-us-west-2-5246-tfstate @@ -55,7 +56,7 @@ jobs: - name: Create IAC env: - TF_VAR_REGION: us-west-2 + TF_VAR_REGION: $UDS_REGION TF_VAR_NAME: $UDS_CLUSTER_NAME TF_VAR_LOKI_BUCKET_NAME: "${UDS_CLUSTER_NAME}-loki" TF_VAR_VELERO_BUCKET_NAME: "${UDS_CLUSTER_NAME}-velero" diff --git a/tasks/create.yaml b/tasks/create.yaml index 42e82af27..1b40271e8 100644 --- a/tasks/create.yaml +++ b/tasks/create.yaml @@ -59,9 +59,3 @@ tasks: npm ci npx pepr build $CUSTOM_PEPR_IMAGE - - name: no-pepr-package - actions: - - task: common:package - with: - options: ${OPTIONS} - path: ${PATH} diff --git a/tasks/iac.yaml b/tasks/iac.yaml index 69eff44dd..6be8fbbca 100644 --- a/tasks/iac.yaml +++ b/tasks/iac.yaml 
@@ -1,7 +1,10 @@ variables: - name: CLUSTER_NAME + - name: REGION - name: PERMISSIONS_BOUNDARY_NAME - name: PERMISSIONS_BOUNDARY_ARN + - name: STATE_BUCKET_NAME + - name: STATE_DYNAMODB_TABLE_NAME - name: AMI_ID default: ami-068ab6ac1cec494e0 
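Review bot: `STATE_KEY` is still consumed by `apply-terraform` (`echo ${STATE_KEY} | sed ...` in the next hunk) but is not re-declared here, although this hunk restores the other state variables the previous commit dropped. If UDS only templates declared variables, the backend `key` becomes `-loki.tfstate`/`-velero.tfstate` or empty, and the two modules collide on state. Add `  - name: STATE_KEY` next to `STATE_BUCKET_NAME`.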
@@ -63,99 +66,77 @@ tasks: - cmd: eksctl create cluster --dry-run -f cluster-config.yaml - cmd: sleep 5 - - cmd: eksctl create cluster -f .github/test-infra/eks/config.yaml + - cmd: eksctl create cluster -f cluster-config.yaml - cmd: eksctl utils write-kubeconfig -c ${CLUSTER_NAME} - name: destroy-cluster actions: - - cmd: eksctl delete cluster -f .github/test-infra/eks/config.yaml --disable-nodegroup-eviction --wait + - cmd: eksctl delete cluster -f cluster-config.yaml --disable-nodegroup-eviction --wait - name: create-iac actions: - - task: loki-execute-terraform - - task: loki-outputs - - task: velero-execute-terraform - - task: velero-outputs - - task: export-outputs + - task: apply-terraform + with: + module: loki + - task: terraform-outputs + with: + module: loki + - task: apply-terraform + with: + module: velero + - task: terraform-outputs + with: + module: velero + - task: create-uds-config - name: destroy-iac actions: - - task: destory-loki - - task: destroy-velero - - - name: loki-execute-terraform + - task: destory-terraform + with: + module: loki + - task: destory-terraform + with: + module: velero + + - name: apply-terraform + inputs: + module: + description: "name of iac module to apply" actions: - - cmd: echo ${STATE_KEY} | sed 's/\.tfstate/-loki.tfstate/g' + - cmd: echo ${STATE_KEY} | sed 's/\.tfstate/-$INPUT_MODULE.tfstate/g' setVariables: - - name: STATE_KEY_LOKI + - name: MODULE_STATE_KEY - cmd: | terraform init -force-copy \ -backend-config="bucket=${STATE_BUCKET_NAME}" \ - -backend-config="key=${STATE_KEY_LOKI}" \ + -backend-config="key=${MODULE_STATE_KEY}" \ -backend-config="region=${REGION}" \ -backend-config="dynamodb_table=${STATE_DYNAMODB_TABLE_NAME}" - dir: .github/test-infra/ci-iac-aws/loki - - cmd: terraform apply -auto-approve - dir: .github/test-infra/ci-iac-aws/loki - - - name: destory-loki - actions: - - cmd: | - terraform destroy -auto-approve - dir: .github/test-infra/ci-iac-aws/loki + + terraform apply -auto-approve + dir: 
.github/test-infra/ci-iac-aws/$INPUT_MODULE - - name: loki-outputs - actions: - - cmd: terraform output -raw s3_bucket - dir: .github/test-infra/ci-iac-aws/loki - setVariables: - - name: LOKI_S3_BUCKET - - cmd: terraform output -raw aws_region - dir: .github/test-infra/ci-iac-aws/loki - setVariables: - - name: LOKI_S3_AWS_REGION - - cmd: terraform output -raw irsa_role_arn - dir: .github/test-infra/ci-iac-aws/loki - setVariables: - - name: LOKI_S3_ROLE_ARN - - - name: velero-execute-terraform + - name: terraform-outputs + inputs: + module: + description: "name of module to grab outputs for" actions: - - cmd: echo ${STATE_KEY} | sed 's/\.tfstate/-velero.tfstate/g' - dir: .github/test-infra/ci-iac-aws/velero - setVariables: - - name: STATE_KEY_VELERO - cmd: | - terraform init -force-copy \ - -backend-config="bucket=${STATE_BUCKET_NAME}" \ - -backend-config="key=${STATE_KEY_VELERO}" \ - -backend-config="region=${REGION}" \ - -backend-config="dynamodb_table=${STATE_DYNAMODB_TABLE_NAME}" - dir: .github/test-infra/ci-iac-aws/velero - - cmd: terraform apply -auto-approve - dir: .github/test-infra/ci-iac-aws/velero - - - name: destroy-velero - actions: - - cmd: terraform destroy -auto-approve - dir: .github/test-infra/ci-iac-aws/velero - - - name: velero-outputs + "${INPUT_MODULE}_S3_BUCKET=$(terraform output -raw s3_bucket)" + "${INPUT_MODULE}_S3_AWS_REGION=$(terraform output -raw aws_region)" + "${INPUT_MODULE}_S3_ROLE_ARN=$(terraform output -raw irsa_role_arn)" + dir: .github/test-infra/ci-iac-aws/$INPUT_MODULE + + - name: destory-terraform + inputs: + module: + description: "name of iac to destroy" actions: - - cmd: terraform output -raw s3_bucket - dir: .github/test-infra/ci-iac-aws/velero - setVariables: - - name: VELERO_S3_BUCKET - - cmd: terraform output -raw aws_region - dir: .github/test-infra/ci-iac-aws/velero - setVariables: - - name: VELERO_S3_AWS_REGION - - cmd: terraform output -raw irsa_role_arn - dir: .github/test-infra/ci-iac-aws/velero - setVariables: - 
- name: VELERO_S3_ROLE_ARN + - cmd: | + terraform destroy -auto-approve + dir: .github/test-infra/ci-iac-aws/$INPUT_MODULE - - name: export-outputs + - name: create-uds-config actions: - cmd: | cat < .github/bundles/uds-config.yaml From 0b9ddb3d1402b34e5e5fb6c22654566f861654db Mon Sep 17 00:00:00 2001 
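Review bot: The new `terraform-outputs` task no longer publishes anything: each line of its `cmd` is a quoted word (`"${INPUT_MODULE}_S3_BUCKET=$(terraform output -raw s3_bucket)"`), which the shell runs as a command name rather than an assignment, and the `setVariables` entries that used to export `LOKI_S3_BUCKET`, `LOKI_S3_AWS_REGION`, `LOKI_S3_ROLE_ARN` and the velero counterparts are gone. `create-uds-config` (its body runs past this hunk) still templates `${LOKI_S3_BUCKET}` and friends, so the generated `uds-config.yaml` will carry empty bucket names and role ARNs. Keep one `cmd: terraform output -raw ...` per value with a `setVariables` entry — a fixed per-module variable name if input-templated names are not supported — or have `create-uds-config` run `terraform output` itself. `destory-terraform` is also misspelled consistently in its definition and callers, so it runs, but it is worth fixing while the task is new.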
From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Fri, 29 Mar 2024 14:03:03 -0600 Subject: [PATCH 56/82] collapsing loki and velero iac into a single module. --- .github/test-infra/buckets-iac/loki.tf | 95 +++++++++++ .github/test-infra/buckets-iac/main.tf | 53 ++++++ .github/test-infra/buckets-iac/output.tf | 36 +++++ .../test-infra/buckets-iac/terraform.tfvars | 5 + .../velero => buckets-iac}/variables.tf | 41 +++-- .../velero/main.tf => buckets-iac/velero.tf} | 89 ++-------- .github/test-infra/ci-iac-aws/loki/.gitignore | 2 - .github/test-infra/ci-iac-aws/loki/README.md | 52 ------ .github/test-infra/ci-iac-aws/loki/main.tf | 152 ------------------ .github/test-infra/ci-iac-aws/loki/output.tf | 24 --- .../ci-iac-aws/loki/terraform.tfvars | 3 - .../test-infra/ci-iac-aws/loki/variables.tf | 67 -------- .../test-infra/ci-iac-aws/velero/output.tf | 24 --- .../ci-iac-aws/velero/terraform.tfvars | 3 - tasks/iac.yaml | 47 ++---- 15 files changed, 246 insertions(+), 447 deletions(-) create mode 100644 .github/test-infra/buckets-iac/loki.tf create mode 100644 .github/test-infra/buckets-iac/main.tf create mode 100644 .github/test-infra/buckets-iac/output.tf create mode 100644 .github/test-infra/buckets-iac/terraform.tfvars rename .github/test-infra/{ci-iac-aws/velero => buckets-iac}/variables.tf (74%) rename .github/test-infra/{ci-iac-aws/velero/main.tf => buckets-iac/velero.tf} (53%) delete mode 100644 .github/test-infra/ci-iac-aws/loki/.gitignore delete mode 100644 .github/test-infra/ci-iac-aws/loki/README.md delete mode 100644 .github/test-infra/ci-iac-aws/loki/main.tf delete mode 100644 .github/test-infra/ci-iac-aws/loki/output.tf delete mode 100644 .github/test-infra/ci-iac-aws/loki/terraform.tfvars delete mode 100644 .github/test-infra/ci-iac-aws/loki/variables.tf delete mode 100644 .github/test-infra/ci-iac-aws/velero/output.tf delete mode 100644 .github/test-infra/ci-iac-aws/velero/terraform.tfvars 
diff --git a/.github/test-infra/buckets-iac/loki.tf b/.github/test-infra/buckets-iac/loki.tf
new file mode 100644
index 000000000..aa911ad1e
--- /dev/null
+++ b/.github/test-infra/buckets-iac/loki.tf
@@ -0,0 +1,95 @@
+locals {
+ loki_name = "${var.name}-loki"
+}
+
+module "loki_S3" {
+ source = "github.com/defenseunicorns/terraform-aws-uds-s3?ref=v0.0.6"
+ name_prefix = "${var.loki_bucket_name}-"
+ kms_key_arn = local.kms_key_arn
+ force_destroy = var.force_destroy
+ create_bucket_lifecycle = true
+}
+
+resource "aws_s3_bucket_policy" "loki_bucket_policy" {
+ bucket = module.loki_S3.bucket_name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "s3:ListBucket",
+ "s3:GetObject",
+ "s3:PutObject"
+ ]
+ Effect = "Allow"
+ Principal = {
+ AWS = module.loki_irsa.role_arn
+ }
+ Resource = [
+ module.loki_s3.bucket_arn,
+ "${module.loki_s3.bucket_arn}/*"
+ ]
+ }
+ ]
+ })
+}
+
+module "loki_generate_kms" {
+ count = local.generate_kms_key
+ source = "github.com/defenseunicorns/terraform-aws-uds-kms?ref=v0.0.2"
+
+ key_owners = var.key_owner_arns
+ # A list of IAM ARNs for those who will have full key permissions (`kms:*`)
+ kms_key_alias_name_prefix = "${local.loki_name}-" # Prefix for KMS key alias.
+ kms_key_deletion_window = var.kms_key_deletion_window
+ # Waiting period for scheduled KMS Key deletion. Can be 7-30 days.
+ kms_key_description = "${var.name} UDS Core deployment Loki Key" # Description for the KMS key.
+ tags = {
+ Deployment = "UDS Core ${local.loki_name}"
+ }
+}
+
+
+module "loki_irsa" {
+ source = "github.com/defenseunicorns/terraform-aws-uds-irsa?ref=v0.0.2"
+ name = local.loki_name
+ kubernetes_service_account = var.kubernetes_service_account
+ kubernetes_namespace = var.kubernetes_namespace
+ oidc_provider_arn = local.oidc_arn
+ role_permissions_boundary_arn = local.iam_role_permissions_boundary
+
+ role_policy_arns = tomap({
+ "loki" = aws_iam_policy.loki_policy.arn
+ })
+
+}
+
+resource "aws_iam_policy" "loki_policy" {
+ name = "${local.loki_name}-irsa-${random_id.unique_id.hex}"
+ path = "/"
+ description = "IAM policy for Loki to have necessary permissions to use S3 for storing logs."
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Effect = "Allow"
+ Action = ["s3:ListBucket"]
+ Resource = ["arn:${data.aws_partition.current.partition}:s3:::${module.loki_s3.bucket_name}"]
+ },
+ {
+ Effect = "Allow"
+ Action = ["s3:*Object"]
+ Resource = ["arn:${data.aws_partition.current.partition}:s3:::${module.loki_s3.bucket_name}/*"]
+ },
+ {
+ Effect = "Allow"
+ Action = [
+ "kms:GenerateDataKey",
+ "kms:Decrypt"
+ ]
+ Resource = [local.kms_key_arn]
+ }
+ ]
+ })
+}
diff --git a/.github/test-infra/buckets-iac/main.tf b/.github/test-infra/buckets-iac/main.tf
new file mode 100644
index 000000000..d29c3c5f8
--- /dev/null
+++ b/.github/test-infra/buckets-iac/main.tf
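Review bot: `module.loki_s3.bucket_arn` in `loki_bucket_policy` and `module.loki_s3.bucket_name` in `loki_policy` reference a module that is not declared: the module is `module "loki_S3"` (Terraform identifiers are case-sensitive, and `output.tf` in this same patch uses `loki_S3`), so `terraform validate` fails on those four references. `loki_irsa` also takes `var.kubernetes_service_account`/`var.kubernetes_namespace`, while the new `terraform.tfvars` sets `loki_service_account`/`loki_namespace`; unless `variables.tf` still declares the generic names (only partly visible here), the IRSA trust will not bind to the `logging-loki` service account. Nothing in this patch reads the output of `loki_generate_kms`, and `local.kms_key_arn` in `main.tf` reads `module.generate_kms[0]` instead, so it looks like the Loki-specific key is created but never used.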
@@ -0,0 +1,53 @@
+provider "aws" {
+ region = var.region
+
+ default_tags {
+ tags = {
+ PermissionsBoundary = var.permissions_boundary_name
+ }
+ }
+}
+
+terraform {
+ required_version = "1.5.7"
+ backend "s3" {
+ }
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 4.0, != 5.17.0"
+ }
+
+ random = {
+ source = "hashicorp/random"
+ version = "3.5.1"
+ }
+ }
+}
+
+resource "random_id" "default" {
+ byte_length = 2
+}
+
+data "aws_eks_cluster" "existing" {
+ name = var.name
+}
+
+data "aws_caller_identity" "current" {}
+
+data "aws_partition" "current" {}
+
+data "aws_region" "current" {}
+
+locals {
+ oidc_url_without_protocol = substr(data.aws_eks_cluster.existing.identity[0].oidc[0].issuer, 8, -1)
+ oidc_arn = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${local.oidc_url_without_protocol}"
+
+ generate_kms_key = var.create_kms_key ? 1 : 0
+ kms_key_arn = var.kms_key_arn == null ? module.generate_kms[0].kms_key_arn : var.kms_key_arn
+ iam_role_permissions_boundary = var.use_permissions_boundary ? "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/${var.permissions_boundary_name}" : null
+}
+
+resource "random_id" "unique_id" {
+ byte_length = 4
+}
diff --git a/.github/test-infra/buckets-iac/output.tf b/.github/test-infra/buckets-iac/output.tf
new file mode 100644
index 000000000..d23d01dca
--- /dev/null
+++ b/.github/test-infra/buckets-iac/output.tf
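Review bot: `local.kms_key_arn` reads `module.generate_kms[0].kms_key_arn`, but no `module "generate_kms"` is declared in `main.tf` or `loki.tf` (the latter declares `loki_generate_kms`); unless the renamed `velero.tf` still carries a `generate_kms` module, `terraform init` stops on the undeclared reference. The `aws` provider constraint `>= 4.0, != 5.17.0` is open-ended and no `.terraform.lock.hcl` appears in this commit's file list, so each CI `init` resolves whatever the newest provider is that day; committing the lock file (or pinning as `random` is) keeps runs reproducible and makes provider upgrades visible in review. `random_id.default` is not referenced by any file in this patch — `loki_policy` uses `random_id.unique_id` — so it looks like a leftover.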
@@ -0,0 +1,36 @@ +output "aws_region" { + value = data.aws_region.current.name +} + +output "loki_irsa_role_arn" { + value = module.loki_irsa.role_arn +} + +output "loki_s3" { + value = module.loki_S3 +} + +output "loki_s3_bucket" { + value = module.loki_S3.bucket_name +} + +output "velero_irsa_role_arn" { + value = module.velero_irsa.role_arn +} + +output "velero_s3" { + value = module.velero_S3 +} + +output "velero_s3_bucket" { + value = module.velero_S3.bucket_name +} + +output "kms_key_arn" { + description = "The ARN of the OIDC Provider of the EKS Cluster" + value = local.kms_key_arn +} + +output "force_destroy" { + value = var.force_destroy +} diff --git a/.github/test-infra/buckets-iac/terraform.tfvars b/.github/test-infra/buckets-iac/terraform.tfvars new file mode 100644 index 000000000..0e8f97984 --- /dev/null +++ b/.github/test-infra/buckets-iac/terraform.tfvars @@ -0,0 +1,5 @@ +force_destroy = "true" +loki_service_account = "logging-loki" +loki_namespace = "logging" +velero_service_account = "velero-server" +velero_namespace = "velero" diff --git a/.github/test-infra/ci-iac-aws/velero/variables.tf b/.github/test-infra/buckets-iac/variables.tf similarity index 74% rename from .github/test-infra/ci-iac-aws/velero/variables.tf rename to .github/test-infra/buckets-iac/variables.tf index 3a6feec86..b16c93997 100644 --- a/.github/test-infra/ci-iac-aws/velero/variables.tf +++ b/.github/test-infra/buckets-iac/variables.tf 
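Review bot: The `description` on `output "kms_key_arn"` reads "The ARN of the OIDC Provider of the EKS Cluster", which is copied from a different output and does not describe this value; replace it with `description = "ARN of the KMS key used to encrypt the Loki and Velero buckets"`. The remaining outputs have no description, and `loki_s3`/`velero_s3` export the whole module object, so a one-line description on each (bucket name, IRSA role ARN, region) would make the values that `terraform-outputs` in tasks/iac.yaml consumes self-explanatory. Note that `module.loki_S3`/`module.velero_S3` here use the mixed-case module names; Terraform references are case-sensitive, so every other reference in the configuration must match this spelling exactly.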
@@ -8,18 +8,30 @@ variable "name" { type = string } -variable "kms_key_arn" { +variable "permissions_boundary_name" { + description = "The name of the permissions boundary for IAM resources. This will be used for tagging and to build out the ARN." type = string - description = "KMS Key ARN if known, if not, will be generated" default = null } +variable "use_permissions_boundary" { + description = "Whether to use IAM permissions boundary for resources." + type = bool + default = true +} + variable "force_destroy" { description = "Option to set force destroy" type = bool default = false } +variable "kms_key_arn" { + type = string + description = "KMS Key ARN if known, if not, will be generated" + default = null +} + variable "key_owner_arns" { description = "ARNS of KMS key owners, needed for use of key" type = list(string) 
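Review bot: `use_permissions_boundary` defaults to `true` while `permissions_boundary_name` defaults to `null`, so with no inputs the `iam_role_permissions_boundary` local in main.tf interpolates an ARN that ends in `:policy/`, and role creation fails with an opaque AWS error instead of a clear plan-time message. Since the boundary is the least-privilege guardrail on the IRSA roles, prefer failing closed: drop `default = null` from `permissions_boundary_name` so Terraform requires it whenever the configuration is applied (the workflow appears to pass it through a `TF_VAR_` value already). Silently omitting the boundary when the name is absent would be the wrong direction for this check.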
@@ -39,29 +51,32 @@ variable "create_kms_key" { default = true } -variable "velero_bucket_name" { - description = "Name for S3 bucket" +variable "loki_bucket_name" { + description = "Name for loki S3 bucket" type = string } -variable "kubernetes_service_account" { +variable "loki_service_account" { description = "Name of the service account to bind to. Used to generate fully qualified subject for service account." type = string } -variable "kubernetes_namespace" { +variable "loki_namespace" { description = "Name of the namespace that the service account exists in. Used to generate fully qualified subject for the service account." type = string } -variable "permissions_boundary_name" { - description = "The name of the permissions boundary for IAM resources. This will be used for tagging and to build out the ARN." +variable "velero_bucket_name" { + description = "Name for velero S3 bucket" type = string - default = null } -variable "use_permissions_boundary" { - description = "Whether to use IAM permissions boundary for resources." - type = bool - default = true +variable "velero_service_account" { + description = "Name of the service account to bind to. Used to generate fully qualified subject for service account." + type = string +} + +variable "velero_namespace" { + description = "Name of the namespace that the service account exists in. Used to generate fully qualified subject for the service account." + type = string } diff --git a/.github/test-infra/ci-iac-aws/velero/main.tf b/.github/test-infra/buckets-iac/velero.tf similarity index 53% rename from .github/test-infra/ci-iac-aws/velero/main.tf rename to .github/test-infra/buckets-iac/velero.tf index fa8908efd..6942eb09c 100644 --- a/.github/test-infra/ci-iac-aws/velero/main.tf +++ b/.github/test-infra/buckets-iac/velero.tf 
@@ -1,60 +1,8 @@ -provider "aws" { - region = var.region - - default_tags { - tags = { - PermissionsBoundary = var.permissions_boundary_name - } - } -} - -terraform { - required_version = "1.5.7" - backend "s3" { - } - required_providers { - aws = { - source = "hashicorp/aws" - version = ">= 4.0, != 5.17.0" - } - - random = { - source = "hashicorp/random" - version = "3.5.1" - } - } -} - -# taken from zarf bb repo -resource "random_id" "default" { - byte_length = 2 -} - -data "aws_eks_cluster" "existing" { - name = var.name -} - -data "aws_caller_identity" "current" {} - -data "aws_partition" "current" {} - -data "aws_region" "current" {} - locals { - oidc_url_without_protocol = substr(data.aws_eks_cluster.existing.identity[0].oidc[0].issuer, 8, -1) - oidc_arn = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${local.oidc_url_without_protocol}" - - generate_kms_key = var.create_kms_key ? 1 : 0 - kms_key_arn = var.kms_key_arn == null ? module.generate_kms[0].kms_key_arn : var.kms_key_arn - name = "${var.name}-velero" - iam_role_permissions_boundary = var.use_permissions_boundary ? "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/${var.permissions_boundary_name}" : null - - # The conditional may need to look like this depending on how we decide to handle the way varf wants to template things - # generate_kms_key = var.kms_key_arn == "" ? 1 : 0 - # kms_key_arn = var.kms_key_arn == "" ? module.generate_kms[0].kms_key_arn : var.kms_key_arn + velero_name = "${var.name}-velero" } -module "S3" { +module "velero_S3" { source = "github.com/defenseunicorns/terraform-aws-uds-s3?ref=v0.0.6" name_prefix = "${var.velero_bucket_name}-" kms_key_arn = local.kms_key_arn 
@@ -62,8 +10,8 @@ module "S3" { create_bucket_lifecycle = true } -resource "aws_s3_bucket_policy" "bucket_policy" { - bucket = module.S3.bucket_name +resource "aws_s3_bucket_policy" "velero_bucket_policy" { + bucket = module.velero_S3.bucket_name policy = jsonencode({ Version = "2012-10-17" @@ -76,35 +24,35 @@ resource "aws_s3_bucket_policy" "bucket_policy" { ] Effect = "Allow" Principal = { - AWS = module.irsa.role_arn + AWS = module.velero_irsa.role_arn } Resource = [ - module.S3.bucket_arn, - "${module.S3.bucket_arn}/*" + module.velero_s3.bucket_arn, + "${module.velero_s3.bucket_arn}/*" ] } ] }) } -module "generate_kms" { +module "velero_generate_kms" { count = local.generate_kms_key source = "github.com/defenseunicorns/terraform-aws-uds-kms?ref=v0.0.2" key_owners = var.key_owner_arns # A list of IAM ARNs for those who will have full key permissions (`kms:*`) - kms_key_alias_name_prefix = "${local.name}-" # Prefix for KMS key alias. + kms_key_alias_name_prefix = "${local.velero_name}-" # Prefix for KMS key alias. kms_key_deletion_window = var.kms_key_deletion_window # Waiting period for scheduled KMS Key deletion. Can be 7-30 days. - kms_key_description = "${local.name} UDS Core deployment Velero Key" # Description for the KMS key. + kms_key_description = "${local.velero_name} UDS Core deployment Velero Key" # Description for the KMS key. tags = { - Deployment = "UDS Core ${local.name}" + Deployment = "UDS Core ${local.velero_name}" } } -module "irsa" { +module "velero_irsa" { source = "github.com/defenseunicorns/terraform-aws-uds-irsa?ref=v0.0.2" - name = local.name + name = local.velero_name kubernetes_service_account = var.kubernetes_service_account kubernetes_namespace = var.kubernetes_namespace oidc_provider_arn = local.oidc_arn 
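Review bot: The bucket policy `velero_bucket_policy` references `module.velero_s3.bucket_arn` while the module is declared as `module "velero_S3"`; Terraform identifiers are case-sensitive, so this reference (and the two in the `velero_policy` hunks further down) does not resolve. Pick one spelling — lowercase `velero_s3` is the conventional form — and use it for the declaration, the `bucket = module.velero_S3.bucket_name` argument, and output.tf. In the same hunk `module "velero_irsa"` still passes `var.kubernetes_service_account` and `var.kubernetes_namespace`, which this commit removes from variables.tf in favour of the velero-specific names; it should read `kubernetes_service_account = var.velero_service_account` and `kubernetes_namespace = var.velero_namespace`. The `velero_irsa` module block continues past the end of the hunk.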
@@ -116,13 +64,8 @@ module "irsa" { } - -resource "random_id" "unique_id" { - byte_length = 4 -} - resource "aws_iam_policy" "velero_policy" { - name = "${local.name}-irsa-${random_id.unique_id.hex}" + name = "${local.velero_name}-irsa-${random_id.unique_id.hex}" path = "/" description = "Policy to give Velero necessary permissions for cluster backups." @@ -155,7 +98,7 @@ resource "aws_iam_policy" "velero_policy" { "s3:ListMultipartUploadParts" ] Resource = [ - "arn:${data.aws_partition.current.partition}:s3:::${module.S3.bucket_name}/*" + "arn:${data.aws_partition.current.partition}:s3:::${module.velero_s3.bucket_name}/*" ] }, { @@ -164,7 +107,7 @@ resource "aws_iam_policy" "velero_policy" { "s3:ListBucket" ], Resource = [ - "arn:${data.aws_partition.current.partition}:s3:::${module.S3.bucket_name}/*" + "arn:${data.aws_partition.current.partition}:s3:::${module.velero_s3.bucket_name}/*" ] }, { diff --git a/.github/test-infra/ci-iac-aws/loki/.gitignore b/.github/test-infra/ci-iac-aws/loki/.gitignore deleted file mode 100644 index b8d1fe581..000000000 --- a/.github/test-infra/ci-iac-aws/loki/.gitignore +++ /dev/null @@ -1,2 +0,0 @@ -.terraform/* -.terraform.lock.hcl \ No newline at end of file diff --git a/.github/test-infra/ci-iac-aws/loki/README.md b/.github/test-infra/ci-iac-aws/loki/README.md deleted file mode 100644 index d947b75d7..000000000 --- a/.github/test-infra/ci-iac-aws/loki/README.md +++ /dev/null 
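Review bot: In the last hunk the `s3:ListBucket` statement is scoped to `arn:…:s3:::${module.velero_s3.bucket_name}/*`, but ListBucket is a bucket-level action whose resource is the bucket ARN itself, so this statement never matches and any listing Velero performs succeeds only because the bucket policy grants it separately. Change the resource to `"arn:${data.aws_partition.current.partition}:s3:::${module.velero_s3.bucket_name}"` (no `/*`); the object-level actions in the preceding hunk are the ones that correctly use `/*`. That keeps the IRSA role's policy self-sufficient and least-privilege rather than relying on the bucket policy to cover the gap. The `velero_policy` resource begins before the first of these hunks and ends after the last.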
@@ -1,52 +0,0 @@ -# Loki - -Terraform for deploying resources necessary for Loki - - -## Requirements - -No requirements. - -## Providers - -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | 4.67.0 | - -## Modules - -| Name | Source | Version | -|------|--------|---------| -| [S3](#module\_S3) | github.com/defenseunicorns/delivery-aws-iac//modules/s3-irsa | v0.0.4-alpha | -| [generate\_kms](#module\_generate\_kms) | github.com/defenseunicorns/uds-iac-aws-kms | uds-core-test | - -## Resources - -| Name | Type | -|------|------| -| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | -| [aws_eks_cluster.existing](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source | -| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | -| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [force\_destroy](#input\_force\_destroy) | Option to set force destroy | `bool` | `false` | no | -| [key\_alias](#input\_key\_alias) | alias for KMS Key | `string` | `"bigbang-loki"` | no | -| [key\_owner\_arns](#input\_key\_owner\_arns) | ARNS of KMS key owners, needed for use of key | `list(string)` | `[]` | no | -| [kms\_key\_arn](#input\_kms\_key\_arn) | KMS Key ARN if known, if not, will be generated | `string` | `null` | no | -| [name](#input\_name) | Name for cluster | `any` | n/a | yes | - -## Outputs - -| Name | Description | -|------|-------------| -| [aws\_region](#output\_aws\_region) | n/a | -| [dynamodb\_name](#output\_dynamodb\_name) | n/a | -| [eks\_cluster\_oidc\_arn](#output\_eks\_cluster\_oidc\_arn) | The ARN of the OIDC Provider of the EKS Cluster | -| 
[irsa\_role](#output\_irsa\_role) | n/a | -| [s3](#output\_s3) | n/a | -| [s3\_bucket](#output\_s3\_bucket) | n/a | - diff --git a/.github/test-infra/ci-iac-aws/loki/main.tf b/.github/test-infra/ci-iac-aws/loki/main.tf deleted file mode 100644 index cda91d598..000000000 --- a/.github/test-infra/ci-iac-aws/loki/main.tf +++ /dev/null 
@@ -1,152 +0,0 @@ -# test tf -provider "aws" { - region = var.region - - default_tags { - tags = { - PermissionsBoundary = var.permissions_boundary_name - } - } -} - -terraform { - required_version = "1.5.7" - backend "s3" { - } - required_providers { - aws = { - source = "hashicorp/aws" - version = ">= 4.0, != 5.17.0" - } - - random = { - source = "hashicorp/random" - version = "3.5.1" - } - } -} - -resource "random_id" "default" { - byte_length = 2 -} - -data "aws_eks_cluster" "existing" { - name = var.name -} - -data "aws_caller_identity" "current" {} - -data "aws_partition" "current" {} - -data "aws_region" "current" {} - -locals { - oidc_url_without_protocol = substr(data.aws_eks_cluster.existing.identity[0].oidc[0].issuer, 8, -1) - oidc_arn = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${local.oidc_url_without_protocol}" - - generate_kms_key = var.create_kms_key ? 1 : 0 - kms_key_arn = var.kms_key_arn == null ? module.generate_kms[0].kms_key_arn : var.kms_key_arn - name = "${var.name}-loki" - iam_role_permissions_boundary = var.use_permissions_boundary ? "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/${var.permissions_boundary_name}" : null - - # The conditional may need to look like this depending on how we decide to handle the way varf wants to template things - # generate_kms_key = var.kms_key_arn == "" ? 1 : 0 - # kms_key_arn = var.kms_key_arn == "" ? 
module.generate_kms[0].kms_key_arn : var.kms_key_arn -} - -module "S3" { - source = "github.com/defenseunicorns/terraform-aws-uds-s3?ref=v0.0.6" - name_prefix = "${var.loki_bucket_name}-" - kms_key_arn = local.kms_key_arn - force_destroy = var.force_destroy - create_bucket_lifecycle = true -} - -resource "aws_s3_bucket_policy" "bucket_policy" { - bucket = module.S3.bucket_name - - policy = jsonencode({ - Version = "2012-10-17" - Statement = [ - { - Action = [ - "s3:ListBucket", - "s3:GetObject", - "s3:PutObject" - ] - Effect = "Allow" - Principal = { - AWS = module.irsa.role_arn - } - Resource = [ - module.S3.bucket_arn, - "${module.S3.bucket_arn}/*" - ] - } - ] - }) -} - -module "generate_kms" { - count = local.generate_kms_key - source = "github.com/defenseunicorns/terraform-aws-uds-kms?ref=v0.0.2" - - key_owners = var.key_owner_arns - # A list of IAM ARNs for those who will have full key permissions (`kms:*`) - kms_key_alias_name_prefix = "${local.name}-" # Prefix for KMS key alias. - kms_key_deletion_window = var.kms_key_deletion_window - # Waiting period for scheduled KMS Key deletion. Can be 7-30 days. - kms_key_description = "${var.name} UDS Core deployment Loki Key" # Description for the KMS key. - tags = { - Deployment = "UDS Core ${local.name}" - } -} - - -module "irsa" { - source = "github.com/defenseunicorns/terraform-aws-uds-irsa?ref=v0.0.2" - name = local.name - kubernetes_service_account = var.kubernetes_service_account - kubernetes_namespace = var.kubernetes_namespace - oidc_provider_arn = local.oidc_arn - role_permissions_boundary_arn = local.iam_role_permissions_boundary - - role_policy_arns = tomap({ - "loki" = aws_iam_policy.loki_policy.arn - }) - -} - -resource "random_id" "unique_id" { - byte_length = 4 -} - - -resource "aws_iam_policy" "loki_policy" { - name = "${local.name}-irsa-${random_id.unique_id.hex}" - path = "/" - description = "IAM policy for Loki to have necessary permissions to use S3 for storing logs." 
- policy = jsonencode({ - Version = "2012-10-17" - Statement = [ - { - Effect = "Allow" - Action = ["s3:ListBucket"] - Resource = ["arn:${data.aws_partition.current.partition}:s3:::${module.S3.bucket_name}"] - }, - { - Effect = "Allow" - Action = ["s3:*Object"] - Resource = ["arn:${data.aws_partition.current.partition}:s3:::${module.S3.bucket_name}/*"] - }, - { - Effect = "Allow" - Action = [ - "kms:GenerateDataKey", - "kms:Decrypt" - ] - Resource = [local.kms_key_arn] - } - ] - }) -} diff --git a/.github/test-infra/ci-iac-aws/loki/output.tf b/.github/test-infra/ci-iac-aws/loki/output.tf deleted file mode 100644 index d14af52d7..000000000 --- a/.github/test-infra/ci-iac-aws/loki/output.tf +++ /dev/null @@ -1,24 +0,0 @@ -output "aws_region" { - value = data.aws_region.current.name -} - -output "irsa_role_arn" { - value = module.irsa.role_arn -} - -output "s3" { - value = module.S3 -} - -output "s3_bucket" { - value = module.S3.bucket_name -} - -output "kms_key_arn" { - description = "The ARN of the OIDC Provider of the EKS Cluster" - value = local.kms_key_arn -} - -output "force_destroy" { - value = var.force_destroy -} diff --git a/.github/test-infra/ci-iac-aws/loki/terraform.tfvars b/.github/test-infra/ci-iac-aws/loki/terraform.tfvars deleted file mode 100644 index 68702dd82..000000000 --- a/.github/test-infra/ci-iac-aws/loki/terraform.tfvars +++ /dev/null @@ -1,3 +0,0 @@ -force_destroy = "true" -kubernetes_service_account = "logging-loki" -kubernetes_namespace = "logging" diff --git a/.github/test-infra/ci-iac-aws/loki/variables.tf b/.github/test-infra/ci-iac-aws/loki/variables.tf deleted file mode 100644 index fc442e6a8..000000000 --- a/.github/test-infra/ci-iac-aws/loki/variables.tf +++ /dev/null 
@@ -1,67 +0,0 @@ -variable "region" { - description = "AWS region" - type = string -} - -variable "name" { - description = "Name for cluster" - type = string -} - -variable "kms_key_arn" { - type = string - description = "KMS Key ARN if known, if not, will be generated" - default = null -} - -variable "force_destroy" { - description = "Option to set force destroy" - type = bool - default = false -} - -variable "key_owner_arns" { - description = "ARNS of KMS key owners, needed for use of key" - type = list(string) - default = [] -} - -# taken from zarf bb repo -variable "kms_key_deletion_window" { - description = "Waiting period for scheduled KMS Key deletion. Can be 7-30 days." - type = number - default = 7 -} - -variable "create_kms_key" { - description = "Whether to create a new KMS key to be used with the S3 bucket. If not, you must pass in your own key ARN." - type = bool - default = true -} - -variable "loki_bucket_name" { - description = "Name for S3 bucket" - type = string -} - -variable "kubernetes_service_account" { - description = "Name of the service account to bind to. Used to generate fully qualified subject for service account." - type = string -} - -variable "kubernetes_namespace" { - description = "Name of the namespace that the service account exists in. Used to generate fully qualified subject for the service account." - type = string -} - -variable "permissions_boundary_name" { - description = "The name of the permissions boundary for IAM resources. This will be used for tagging and to build out the ARN." - type = string - default = null -} - -variable "use_permissions_boundary" { - description = "Whether to use IAM permissions boundary for resources." - type = bool - default = true -} diff --git a/.github/test-infra/ci-iac-aws/velero/output.tf b/.github/test-infra/ci-iac-aws/velero/output.tf deleted file mode 100644 index d14af52d7..000000000 --- a/.github/test-infra/ci-iac-aws/velero/output.tf +++ /dev/null 
@@ -1,24 +0,0 @@ -output "aws_region" { - value = data.aws_region.current.name -} - -output "irsa_role_arn" { - value = module.irsa.role_arn -} - -output "s3" { - value = module.S3 -} - -output "s3_bucket" { - value = module.S3.bucket_name -} - -output "kms_key_arn" { - description = "The ARN of the OIDC Provider of the EKS Cluster" - value = local.kms_key_arn -} - -output "force_destroy" { - value = var.force_destroy -} diff --git a/.github/test-infra/ci-iac-aws/velero/terraform.tfvars b/.github/test-infra/ci-iac-aws/velero/terraform.tfvars deleted file mode 100644 index aab5d282e..000000000 --- a/.github/test-infra/ci-iac-aws/velero/terraform.tfvars +++ /dev/null @@ -1,3 +0,0 @@ -force_destroy = "true" -kubernetes_service_account = "velero-server" -kubernetes_namespace = "velero" diff --git a/tasks/iac.yaml b/tasks/iac.yaml index 6be8fbbca..6073cfcaf 100644 --- a/tasks/iac.yaml +++ b/tasks/iac.yaml @@ -61,7 +61,7 @@ tasks: amiFamily: AmazonLinux2 overrideBootstrapCommand: | #!/bin/bash - /etc/eks/bootstrap.sh CLUSTER_NAME --container-runtime containerd + /etc/eks/bootstrap.sh ${CLUSTER_NAME} --container-runtime containerd EOF - cmd: eksctl create cluster --dry-run -f cluster-config.yaml 
@@ -76,65 +76,44 @@ tasks: - name: create-iac actions: - task: apply-terraform - with: - module: loki - task: terraform-outputs - with: - module: loki - - task: apply-terraform - with: - module: velero - - task: terraform-outputs - with: - module: velero - task: create-uds-config - name: destroy-iac actions: - task: destory-terraform - with: - module: loki - - task: destory-terraform - with: - module: velero - name: apply-terraform - inputs: - module: - description: "name of iac module to apply" actions: - - cmd: echo ${STATE_KEY} | sed 's/\.tfstate/-$INPUT_MODULE.tfstate/g' + - cmd: echo ${STATE_KEY} | sed 's/\.tfstate/-buckets.tfstate/g' setVariables: - - name: MODULE_STATE_KEY + - name: BUCKETS_STATE_KEY - cmd: | terraform init -force-copy \ -backend-config="bucket=${STATE_BUCKET_NAME}" \ - -backend-config="key=${MODULE_STATE_KEY}" \ + -backend-config="key=${BUCKETS_STATE_KEY}" \ -backend-config="region=${REGION}" \ -backend-config="dynamodb_table=${STATE_DYNAMODB_TABLE_NAME}" terraform apply -auto-approve - dir: .github/test-infra/ci-iac-aws/$INPUT_MODULE + dir: .github/test-infra/buckets-iac - name: terraform-outputs - inputs: - module: - description: "name of module to grab outputs for" actions: - cmd: | - "${INPUT_MODULE}_S3_BUCKET=$(terraform output -raw s3_bucket)" - "${INPUT_MODULE}_S3_AWS_REGION=$(terraform output -raw aws_region)" - "${INPUT_MODULE}_S3_ROLE_ARN=$(terraform output -raw irsa_role_arn)" - dir: .github/test-infra/ci-iac-aws/$INPUT_MODULE + "LOKI_S3_BUCKET=$(terraform output -raw loki_s3_bucket)" + "LOKI_S3_AWS_REGION=$(terraform output -raw aws_region)" + "LOKI_S3_ROLE_ARN=$(terraform output -raw loki_irsa_role_arn)" + "VELERO_S3_BUCKET=$(terraform output -raw velero_s3_bucket)" + "VELERO_S3_AWS_REGION=$(terraform output -raw aws_region)" + "VELERO_S3_ROLE_ARN=$(terraform output -raw velero_irsa_role_arn)" + dir: .github/test-infra/buckets-iac - name: destory-terraform - inputs: - module: - description: "name of iac to destroy" actions: - 
cmd: | terraform destroy -auto-approve - dir: .github/test-infra/ci-iac-aws/$INPUT_MODULE + dir: .github/test-infra/buckets-iac - name: create-uds-config actions: From f9f5f2d3e8fd46ea64fe66af0a7d7ca8bd0895fb Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Fri, 29 Mar 2024 14:08:39 -0600 Subject: [PATCH 57/82] update core pkg ref to 0.18.0 --- .github/bundles/uds-bundle.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/bundles/uds-bundle.yaml b/.github/bundles/uds-bundle.yaml index e854060a2..e284335b8 100644 --- a/.github/bundles/uds-bundle.yaml +++ b/.github/bundles/uds-bundle.yaml @@ -3,7 +3,7 @@ metadata: name: uds-core-eks-nightly description: A UDS bundle for deploying EKS and UDS Core # x-release-please-start-version - version: "0.17.0" + version: "0.18.0" # x-release-please-end packages: @@ -15,7 +15,7 @@ packages: - name: core path: ../../build/ # x-release-please-start-version - ref: 0.17.0 + ref: 0.18.0 # x-release-please-end overrides: velero: From 8540288975acfa57d19be8a22ae072a85a597944 Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Fri, 29 Mar 2024 14:44:50 -0600 Subject: [PATCH 58/82] testing new iac setup issues --- .github/workflows/test-eks.yaml | 50 ++++++++++++++++----------------- tasks/iac.yaml | 7 +++-- 2 files changed, 29 insertions(+), 28 deletions(-) diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index de0ef9100..88bfd9a0d 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml 
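Review bot: The `terraform-outputs` task's `cmd` block is six quoted strings such as `"LOKI_S3_BUCKET=$(terraform output -raw loki_s3_bucket)"`; inside a shell a quoted `NAME=value` word is a command name rather than an assignment, so each line fails with "command not found" and no value reaches `create-uds-config`. The removed lines had the same shape, so this rewrite is the moment to fix it: run one `terraform output -raw …` per value and capture it with `setVariables`, the pattern `apply-terraform` already uses for `BUCKETS_STATE_KEY`. The task name `destory-terraform` (typo) also survives the rewrite; renaming it `destroy-terraform` would match `destroy-iac`.
```yaml
- name: terraform-outputs
  actions:
    - cmd: terraform output -raw loki_s3_bucket
      dir: .github/test-infra/buckets-iac
      setVariables:
        - name: LOKI_S3_BUCKET
    - cmd: terraform output -raw aws_region
      dir: .github/test-infra/buckets-iac
      setVariables:
        - name: LOKI_S3_AWS_REGION
    - cmd: terraform output -raw loki_irsa_role_arn
      dir: .github/test-infra/buckets-iac
      setVariables:
        - name: LOKI_S3_ROLE_ARN
    # … same three actions for VELERO_S3_BUCKET, VELERO_S3_AWS_REGION, VELERO_S3_ROLE_ARN …
```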
@@ -45,14 +45,14 @@ jobs: with: terraform_version: "1.5.7" - - name: Create UDS Core Package - run: ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml standard-package + # - name: Create UDS Core Package + # run: ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml standard-package - - name: Create Bundle - run: uds create .github/bundles --confirm + # - name: Create Bundle + # run: uds create .github/bundles --confirm - - name: Create Cluster - run: uds run -f tasks/iac.yaml create-cluster + # - name: Create Cluster + # run: uds run -f tasks/iac.yaml create-cluster - name: Create IAC env: @@ -64,25 +64,25 @@ jobs: TF_VAR_PERMISSIONS_BOUNDARY_NAME: $UDS_PERMISSIONS_BOUNDARY_NAME run: uds run -f tasks/iac.yaml create-iac - - name: Deploy Bundle - env: - UDS_CONFIG: .github/bundles/uds-config.yaml - run: uds deploy .github/bundles/uds-bundle-uds-core-eks-nightly-*.tar.zst --confirm + # - name: Deploy Bundle + # env: + # UDS_CONFIG: .github/bundles/uds-config.yaml + # run: uds deploy .github/bundles/uds-bundle-uds-core-eks-nightly-*.tar.zst --confirm - - name: Remove UDS Core - if: always() - run: uds remove .github/bundles/uds-bundle-uds-core-eks-*.tar.zst --confirm - timeout-minutes: 30 - continue-on-error: true + # - name: Remove UDS Core + # if: always() + # run: uds remove .github/bundles/uds-bundle-uds-core-eks-*.tar.zst --confirm + # timeout-minutes: 30 + # continue-on-error: true - - name: Remove IAC - if: always() - run: uds run -f tasks/iac.yaml destroy-iac - timeout-minutes: 30 - continue-on-error: true + # - name: Remove IAC + # if: always() + # run: uds run -f tasks/iac.yaml destroy-iac + # timeout-minutes: 30 + # continue-on-error: true - - name: Teardown EKS cluster - if: always() - run: uds run -f tasks/iac.yaml destroy-cluster - timeout-minutes: 30 - continue-on-error: true + # - name: Teardown EKS cluster + # if: always() + # run: uds run -f tasks/iac.yaml destroy-cluster + # timeout-minutes: 30 + # continue-on-error: true 
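Review bot: Commenting out the three `if: always()` teardown steps in the second hunk while `Create IAC` still runs means every run of this workflow leaves the S3 buckets, KMS keys and IAM roles it created in the account until someone destroys them by hand. If this is a temporary debugging commit, as the subject suggests, the cleanup steps need to return before merge; if the goal is to inspect the resources, keeping `Remove IAC` active and disabling only the deploy steps is the cheaper way to do it. A workflow input or an `if:` condition is a more durable switch than commented-out steps, which drift from the live lines unnoticed.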
diff --git a/tasks/iac.yaml b/tasks/iac.yaml index 6073cfcaf..856854485 100644 --- a/tasks/iac.yaml +++ b/tasks/iac.yaml @@ -76,8 +76,8 @@ tasks: - name: create-iac actions: - task: apply-terraform - - task: terraform-outputs - - task: create-uds-config + # - task: terraform-outputs + # - task: create-uds-config - name: destroy-iac actions: @@ -88,6 +88,7 @@ tasks: - cmd: echo ${STATE_KEY} | sed 's/\.tfstate/-buckets.tfstate/g' setVariables: - name: BUCKETS_STATE_KEY + - cmd: echo ${BUCKETS_STATE_KEY} - cmd: | terraform init -force-copy \ -backend-config="bucket=${STATE_BUCKET_NAME}" \ @@ -95,7 +96,7 @@ tasks: -backend-config="region=${REGION}" \ -backend-config="dynamodb_table=${STATE_DYNAMODB_TABLE_NAME}" - terraform apply -auto-approve + # terraform apply -auto-approve dir: .github/test-infra/buckets-iac - name: terraform-outputs From b97f39b364ab18074fa8baca1bceed7b54376ac0 Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Fri, 29 Mar 2024 14:59:50 -0600 Subject: [PATCH 59/82] added STATE_KEY to iac tasks vars so UDS_ prefix in workflow works --- tasks/iac.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/tasks/iac.yaml b/tasks/iac.yaml index 856854485..2936e5925 100644 --- a/tasks/iac.yaml +++ b/tasks/iac.yaml @@ -5,6 +5,7 @@ variables: - name: PERMISSIONS_BOUNDARY_ARN - name: STATE_BUCKET_NAME - name: STATE_DYNAMODB_TABLE_NAME + - name: STATE_KEY - name: AMI_ID default: ami-068ab6ac1cec494e0 @@ -76,8 +77,8 @@ tasks: - name: create-iac actions: - task: apply-terraform - # - task: terraform-outputs - # - task: create-uds-config + - task: terraform-outputs + - task: create-uds-config - name: destroy-iac actions: @@ -88,6 +89,7 @@ tasks: - cmd: echo ${STATE_KEY} | sed 's/\.tfstate/-buckets.tfstate/g' setVariables: - name: BUCKETS_STATE_KEY + dir: .github/test-infra/buckets-iac - cmd: echo ${BUCKETS_STATE_KEY} - cmd: | terraform init -force-copy \ 
From c69c8f7830e021fb240b46424b6fca83c2b7eecc Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Fri, 29 Mar 2024 15:02:55 -0600 Subject: [PATCH 60/82] running full test after fixing state_key error --- .github/workflows/test-eks.yaml | 50 ++++++++++++++++----------------- tasks/iac.yaml | 2 +- 2 files changed, 26 insertions(+), 26 deletions(-) diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 88bfd9a0d..de0ef9100 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml @@ -45,14 +45,14 @@ jobs: with: terraform_version: "1.5.7" - # - name: Create UDS Core Package - # run: ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml standard-package + - name: Create UDS Core Package + run: ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml standard-package - # - name: Create Bundle - # run: uds create .github/bundles --confirm + - name: Create Bundle + run: uds create .github/bundles --confirm - # - name: Create Cluster - # run: uds run -f tasks/iac.yaml create-cluster + - name: Create Cluster + run: uds run -f tasks/iac.yaml create-cluster - name: Create IAC env: 
@@ -64,25 +64,25 @@ jobs: TF_VAR_PERMISSIONS_BOUNDARY_NAME: $UDS_PERMISSIONS_BOUNDARY_NAME run: uds run -f tasks/iac.yaml create-iac - # - name: Deploy Bundle - # env: - # UDS_CONFIG: .github/bundles/uds-config.yaml - # run: uds deploy .github/bundles/uds-bundle-uds-core-eks-nightly-*.tar.zst --confirm + - name: Deploy Bundle + env: + UDS_CONFIG: .github/bundles/uds-config.yaml + run: uds deploy .github/bundles/uds-bundle-uds-core-eks-nightly-*.tar.zst --confirm - # - name: Remove UDS Core - # if: always() - # run: uds remove .github/bundles/uds-bundle-uds-core-eks-*.tar.zst --confirm - # timeout-minutes: 30 - # continue-on-error: true + - name: Remove UDS Core + if: always() + run: uds remove .github/bundles/uds-bundle-uds-core-eks-*.tar.zst --confirm + timeout-minutes: 30 + continue-on-error: true - # - name: Remove IAC - # if: always() - # run: uds run -f tasks/iac.yaml destroy-iac - # timeout-minutes: 30 - # continue-on-error: true + - name: Remove IAC + if: always() + run: uds run -f tasks/iac.yaml destroy-iac + timeout-minutes: 30 + continue-on-error: true - # - name: Teardown EKS cluster - # if: always() - # run: uds run -f tasks/iac.yaml destroy-cluster - # timeout-minutes: 30 - # continue-on-error: true + - name: Teardown EKS cluster + if: always() + run: uds run -f tasks/iac.yaml destroy-cluster + timeout-minutes: 30 + continue-on-error: true diff --git a/tasks/iac.yaml b/tasks/iac.yaml index 2936e5925..1de454c3e 100644 --- a/tasks/iac.yaml +++ b/tasks/iac.yaml @@ -98,7 +98,7 @@ tasks: -backend-config="region=${REGION}" \ -backend-config="dynamodb_table=${STATE_DYNAMODB_TABLE_NAME}" - # terraform apply -auto-approve + terraform apply -auto-approve dir: .github/test-infra/buckets-iac - name: terraform-outputs From cec68e2b01ccf99c8ee5f5074229882f885689ab Mon Sep 17 00:00:00 2001 
From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Fri, 29 Mar 2024 16:42:33 -0600 Subject: [PATCH 61/82] test standalone tf apply cmd --- tasks/iac.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/iac.yaml b/tasks/iac.yaml index 1de454c3e..992f6fc38 100644 --- a/tasks/iac.yaml +++ b/tasks/iac.yaml @@ -97,8 +97,8 @@ tasks: -backend-config="key=${BUCKETS_STATE_KEY}" \ -backend-config="region=${REGION}" \ -backend-config="dynamodb_table=${STATE_DYNAMODB_TABLE_NAME}" - - terraform apply -auto-approve + dir: .github/test-infra/buckets-iac + - cmd: terraform apply -auto-approve dir: .github/test-infra/buckets-iac - name: terraform-outputs From 0146ad922270e19f5f86321282aa240c0d60db86 Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Mon, 1 Apr 2024 08:44:59 -0600 Subject: [PATCH 62/82] make schedule midnight mountain time; change TF_VARs to lowercase for testing --- .github/workflows/nightly-testing.yaml | 2 +- .github/workflows/test-eks.yaml | 42 +++++++++++++------------- 2 files changed, 22 insertions(+), 22 deletions(-) diff --git a/.github/workflows/nightly-testing.yaml b/.github/workflows/nightly-testing.yaml index 867942345..ced256239 100644 --- a/.github/workflows/nightly-testing.yaml +++ b/.github/workflows/nightly-testing.yaml @@ -2,7 +2,7 @@ name: Nightly Testing on: schedule: - - cron: '0 0 * * *' # Runs at midnight every day + - cron: '0 6 * * *' # Runs at midnight Mountain every day pull_request: jobs: diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index de0ef9100..3082aae4a 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml @@ -48,7 +48,7 @@ jobs: - name: Create UDS Core Package run: ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml standard-package - - name: Create Bundle + - name: Create Core Bundle run: uds create .github/bundles --confirm - name: Create Cluster 
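Review bot: The comment on the cron line says `0 6 * * *` runs at midnight Mountain, but GitHub's scheduler is UTC-only, so 06:00 UTC is midnight MDT and 23:00 MST during the months when Mountain time is UTC−7. Document the UTC time rather than the local one, e.g. `- cron: '0 6 * * *' # 06:00 UTC (midnight MDT / 23:00 MST); GitHub schedules run in UTC`, so the next reader does not adjust the hour a second time.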
@@ -56,24 +56,24 @@ jobs: - name: Create IAC env: - TF_VAR_REGION: $UDS_REGION - TF_VAR_NAME: $UDS_CLUSTER_NAME - TF_VAR_LOKI_BUCKET_NAME: "${UDS_CLUSTER_NAME}-loki" - TF_VAR_VELERO_BUCKET_NAME: "${UDS_CLUSTER_NAME}-velero" - TF_VAR_USE_PERMISSIONS_BOUNDARY: true - TF_VAR_PERMISSIONS_BOUNDARY_NAME: $UDS_PERMISSIONS_BOUNDARY_NAME + TF_VAR_region: $UDS_REGION + TF_VAR_name: $UDS_CLUSTER_NAME + TF_VAR_loki_bucket_name: "${UDS_CLUSTER_NAME}-loki" + TF_VAR_velero_bucket_name: "${UDS_CLUSTER_NAME}-velero" + TF_VAR_use_permissions_boundary: true + TF_VAR_permissions_boundary_arn: $UDS_PERMISSIONS_BOUNDARY_NAME run: uds run -f tasks/iac.yaml create-iac - - name: Deploy Bundle - env: - UDS_CONFIG: .github/bundles/uds-config.yaml - run: uds deploy .github/bundles/uds-bundle-uds-core-eks-nightly-*.tar.zst --confirm + # - name: Deploy Core Bundle + # env: + # UDS_CONFIG: .github/bundles/uds-config.yaml + # run: uds deploy .github/bundles/uds-bundle-uds-core-eks-nightly-*.tar.zst --confirm - - name: Remove UDS Core - if: always() - run: uds remove .github/bundles/uds-bundle-uds-core-eks-*.tar.zst --confirm - timeout-minutes: 30 - continue-on-error: true + # - name: Remove UDS Core + # if: always() + # run: uds remove .github/bundles/uds-bundle-uds-core-eks-*.tar.zst --confirm + # timeout-minutes: 30 + # continue-on-error: true - name: Remove IAC if: always() @@ -81,8 +81,8 @@ jobs: timeout-minutes: 30 continue-on-error: true - - name: Teardown EKS cluster - if: always() - run: uds run -f tasks/iac.yaml destroy-cluster - timeout-minutes: 30 - continue-on-error: true + # - name: Teardown EKS cluster + # if: always() + # run: uds run -f tasks/iac.yaml destroy-cluster + # timeout-minutes: 30 + # continue-on-error: true From 09bbcb5e4cd4ce4cdf0ca5341f6392a723627996 Mon Sep 17 00:00:00 2001 
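Review bot: The renamed `TF_VAR_permissions_boundary_arn` is still fed `$UDS_PERMISSIONS_BOUNDARY_NAME`, and the Terraform side in this series builds the boundary ARN from `var.permissions_boundary_name` (see the main.tf hunk in patch 63), so under this name the value is silently ignored by Terraform and, depending on whether that variable has a default, the run either fails on a missing input or creates the IRSA roles with a malformed boundary ARN; `TF_VAR_permissions_boundary_name:` is the key the module expects. Separately, values in a step's `env:` mapping are not shell-expanded by the runner, so `TF_VAR_region: $UDS_REGION` hands Terraform the literal string `$UDS_REGION` and the two bucket names become `${UDS_CLUSTER_NAME}-loki` verbatim; use `${{ env.UDS_REGION }}` and `${{ env.UDS_CLUSTER_NAME }}` here.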
From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Mon, 1 Apr 2024 09:51:06 -0600 Subject: [PATCH 63/82] fix variables and kms key generation for buckets; run just IAC for testing --- .github/test-infra/buckets-iac/loki.tf | 11 ++++++----- .github/test-infra/buckets-iac/main.tf | 3 --- .github/test-infra/buckets-iac/output.tf | 8 -------- .github/test-infra/buckets-iac/velero.tf | 11 ++++++----- .github/workflows/test-eks.yaml | 19 ++++++++++--------- 5 files changed, 22 insertions(+), 30 deletions(-) diff --git a/.github/test-infra/buckets-iac/loki.tf b/.github/test-infra/buckets-iac/loki.tf index aa911ad1e..a94e9a86f 100644 --- a/.github/test-infra/buckets-iac/loki.tf +++ b/.github/test-infra/buckets-iac/loki.tf @@ -1,11 +1,12 @@ locals { loki_name = "${var.name}-loki" + loki_kms_key_arn = module.loki_generate_kms[0].kms_key_arn } module "loki_S3" { source = "github.com/defenseunicorns/terraform-aws-uds-s3?ref=v0.0.6" name_prefix = "${var.loki_bucket_name}-" - kms_key_arn = local.kms_key_arn + kms_key_arn = local.loki_kms_key_arn force_destroy = var.force_destroy create_bucket_lifecycle = true } @@ -36,7 +37,7 @@ resource "aws_s3_bucket_policy" "loki_bucket_policy" { } module "loki_generate_kms" { - count = local.generate_kms_key + count = 1 source = "github.com/defenseunicorns/terraform-aws-uds-kms?ref=v0.0.2" key_owners = var.key_owner_arns @@ -54,8 +55,8 @@ module "loki_generate_kms" { module "loki_irsa" { source = "github.com/defenseunicorns/terraform-aws-uds-irsa?ref=v0.0.2" name = local.loki_name - kubernetes_service_account = var.kubernetes_service_account - kubernetes_namespace = var.kubernetes_namespace + kubernetes_service_account = var.loki_service_account + kubernetes_namespace = var.loki_namespace oidc_provider_arn = local.oidc_arn role_permissions_boundary_arn = local.iam_role_permissions_boundary 
@@ -88,7 +89,7 @@ resource "aws_iam_policy" "loki_policy" { "kms:GenerateDataKey", "kms:Decrypt" ] - Resource = [local.kms_key_arn] + Resource = [local.loki_kms_key_arn] } ] }) diff --git a/.github/test-infra/buckets-iac/main.tf b/.github/test-infra/buckets-iac/main.tf index d29c3c5f8..b19de7216 100644 --- a/.github/test-infra/buckets-iac/main.tf +++ b/.github/test-infra/buckets-iac/main.tf @@ -42,9 +42,6 @@ data "aws_region" "current" {} locals { oidc_url_without_protocol = substr(data.aws_eks_cluster.existing.identity[0].oidc[0].issuer, 8, -1) oidc_arn = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${local.oidc_url_without_protocol}" - - generate_kms_key = var.create_kms_key ? 1 : 0 - kms_key_arn = var.kms_key_arn == null ? module.generate_kms[0].kms_key_arn : var.kms_key_arn iam_role_permissions_boundary = var.use_permissions_boundary ? "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/${var.permissions_boundary_name}" : null } diff --git a/.github/test-infra/buckets-iac/output.tf b/.github/test-infra/buckets-iac/output.tf index d23d01dca..e6460d39c 100644 --- a/.github/test-infra/buckets-iac/output.tf +++ b/.github/test-infra/buckets-iac/output.tf @@ -26,11 +26,3 @@ output "velero_s3_bucket" { value = module.velero_S3.bucket_name } -output "kms_key_arn" { - description = "The ARN of the OIDC Provider of the EKS Cluster" - value = local.kms_key_arn -} - -output "force_destroy" { - value = var.force_destroy -} diff --git a/.github/test-infra/buckets-iac/velero.tf b/.github/test-infra/buckets-iac/velero.tf index 6942eb09c..56ca2d06c 100644 --- a/.github/test-infra/buckets-iac/velero.tf +++ b/.github/test-infra/buckets-iac/velero.tf 
@@ -1,11 +1,12 @@ locals { velero_name = "${var.name}-velero" + velero_kms_key_arn = module.velero_generate_kms[0].kms_key_arn } module "velero_S3" { source = "github.com/defenseunicorns/terraform-aws-uds-s3?ref=v0.0.6" name_prefix = "${var.velero_bucket_name}-" - kms_key_arn = local.kms_key_arn + kms_key_arn = local.velero_kms_key_arn force_destroy = var.force_destroy create_bucket_lifecycle = true } @@ -36,7 +37,7 @@ resource "aws_s3_bucket_policy" "velero_bucket_policy" { } module "velero_generate_kms" { - count = local.generate_kms_key + count = 1 source = "github.com/defenseunicorns/terraform-aws-uds-kms?ref=v0.0.2" key_owners = var.key_owner_arns @@ -53,8 +54,8 @@ module "velero_generate_kms" { module "velero_irsa" { source = "github.com/defenseunicorns/terraform-aws-uds-irsa?ref=v0.0.2" name = local.velero_name - kubernetes_service_account = var.kubernetes_service_account - kubernetes_namespace = var.kubernetes_namespace + kubernetes_service_account = var.velero_service_account + kubernetes_namespace = var.velero_namespace oidc_provider_arn = local.oidc_arn role_permissions_boundary_arn = local.iam_role_permissions_boundary @@ -116,7 +117,7 @@ resource "aws_iam_policy" "velero_policy" { "kms:GenerateDataKey", "kms:Decrypt" ] - Resource = [local.kms_key_arn] + Resource = [local.velero_kms_key_arn] } ] diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 3082aae4a..e33303c64 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml 
@@ -37,27 +37,28 @@ jobs: - name: Environment setup uses: ./.github/actions/setup - - name: Install eksctl - run: uds run -f tasks/iac.yaml install-eksctl + # - name: Install eksctl + # run: uds run -f tasks/iac.yaml install-eksctl - name: Setup Terraform uses: hashicorp/setup-terraform@v3 with: terraform_version: "1.5.7" - - name: Create UDS Core Package - run: ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml standard-package + # - name: Create UDS Core Package + # run: ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml standard-package - - name: Create Core Bundle - run: uds create .github/bundles --confirm + # - name: Create Core Bundle + # run: uds create .github/bundles --confirm - - name: Create Cluster - run: uds run -f tasks/iac.yaml create-cluster + # - name: Create Cluster + # run: uds run -f tasks/iac.yaml create-cluster - name: Create IAC env: TF_VAR_region: $UDS_REGION - TF_VAR_name: $UDS_CLUSTER_NAME + # TF_VAR_name: $UDS_CLUSTER_NAME + F_VAR_name: uds-core-aws-3f0cc44 TF_VAR_loki_bucket_name: "${UDS_CLUSTER_NAME}-loki" TF_VAR_velero_bucket_name: "${UDS_CLUSTER_NAME}-velero" TF_VAR_use_permissions_boundary: true From 61b2454bf1a488a9cc74c0a066ef77bb1e5d1d1f Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Mon, 1 Apr 2024 10:06:03 -0600 Subject: [PATCH 64/82] removing no longer needed configurable variables --- .github/test-infra/buckets-iac/loki.tf | 2 +- .github/test-infra/buckets-iac/output.tf | 1 - .../test-infra/buckets-iac/terraform.tfvars | 1 - .github/test-infra/buckets-iac/variables.tf | 18 ------------------ .github/test-infra/buckets-iac/velero.tf | 2 +- 5 files changed, 2 insertions(+), 22 deletions(-) diff --git a/.github/test-infra/buckets-iac/loki.tf b/.github/test-infra/buckets-iac/loki.tf index a94e9a86f..87d3f9acf 100644 --- a/.github/test-infra/buckets-iac/loki.tf +++ b/.github/test-infra/buckets-iac/loki.tf 
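Review bot: `F_VAR_name: uds-core-aws-3f0cc44` drops the leading `T`, so Terraform never receives a value for `name` and the non-interactive apply will fail on the missing input; it should read `TF_VAR_name: uds-core-aws-3f0cc44`. Hard-coding a commit-derived cluster id also means any concurrent run of this workflow targets the same cluster and bucket names, so if the hard-coded value is meant to be temporary for testing, a `# TODO: restore ${{ env.UDS_CLUSTER_NAME }}` comment next to it would keep it from landing by accident.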
@@ -7,7 +7,7 @@ module "loki_S3" { source = "github.com/defenseunicorns/terraform-aws-uds-s3?ref=v0.0.6" name_prefix = "${var.loki_bucket_name}-" kms_key_arn = local.loki_kms_key_arn - force_destroy = var.force_destroy + force_destroy = "true" create_bucket_lifecycle = true } diff --git a/.github/test-infra/buckets-iac/output.tf b/.github/test-infra/buckets-iac/output.tf index e6460d39c..0837b67b0 100644 --- a/.github/test-infra/buckets-iac/output.tf +++ b/.github/test-infra/buckets-iac/output.tf @@ -25,4 +25,3 @@ output "velero_s3" { output "velero_s3_bucket" { value = module.velero_S3.bucket_name } - diff --git a/.github/test-infra/buckets-iac/terraform.tfvars b/.github/test-infra/buckets-iac/terraform.tfvars index 0e8f97984..c275e8c06 100644 --- a/.github/test-infra/buckets-iac/terraform.tfvars +++ b/.github/test-infra/buckets-iac/terraform.tfvars @@ -1,4 +1,3 @@ -force_destroy = "true" loki_service_account = "logging-loki" loki_namespace = "logging" velero_service_account = "velero-server" diff --git a/.github/test-infra/buckets-iac/variables.tf b/.github/test-infra/buckets-iac/variables.tf index b16c93997..d90e99490 100644 --- a/.github/test-infra/buckets-iac/variables.tf +++ b/.github/test-infra/buckets-iac/variables.tf @@ -20,18 +20,6 @@ variable "use_permissions_boundary" { default = true } -variable "force_destroy" { - description = "Option to set force destroy" - type = bool - default = false -} - -variable "kms_key_arn" { - type = string - description = "KMS Key ARN if known, if not, will be generated" - default = null -} - variable "key_owner_arns" { description = "ARNS of KMS key owners, needed for use of key" type = list(string) 
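Review bot: `force_destroy = "true"` passes a string where the removed `force_destroy` variable in the variables.tf hunk of this same patch was typed `bool`; Terraform will coerce it, but `force_destroy = true` is the correct form, and the same string literal is introduced in the velero.tf hunk. Hard-wiring force-destroy also means a `terraform destroy` now deletes every log object in the Loki bucket without a prompt, which is fine for a CI account but is no longer stated anywhere in the file; suggest `force_destroy = true # CI-only: bucket and all objects are deleted on destroy` so the intent survives the next copy into non-test infrastructure.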
@@ -45,12 +33,6 @@ variable "kms_key_deletion_window" { default = 7 } -variable "create_kms_key" { - description = "Whether to create a new KMS key to be used with the S3 bucket. If not, you must pass in your own key ARN." - type = bool - default = true -} - variable "loki_bucket_name" { description = "Name for loki S3 bucket" type = string diff --git a/.github/test-infra/buckets-iac/velero.tf b/.github/test-infra/buckets-iac/velero.tf index 56ca2d06c..4308c9b36 100644 --- a/.github/test-infra/buckets-iac/velero.tf +++ b/.github/test-infra/buckets-iac/velero.tf @@ -7,7 +7,7 @@ module "velero_S3" { source = "github.com/defenseunicorns/terraform-aws-uds-s3?ref=v0.0.6" name_prefix = "${var.velero_bucket_name}-" kms_key_arn = local.velero_kms_key_arn - force_destroy = var.force_destroy + force_destroy = "true" create_bucket_lifecycle = true } From 9d6328da119af3973bc862a4fab93170553be3ff Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Mon, 1 Apr 2024 10:12:41 -0600 Subject: [PATCH 65/82] fix test vars --- .github/workflows/test-eks.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index e33303c64..5341940f5 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml @@ -58,9 +58,9 @@ jobs: env: TF_VAR_region: $UDS_REGION # TF_VAR_name: $UDS_CLUSTER_NAME - F_VAR_name: uds-core-aws-3f0cc44 - TF_VAR_loki_bucket_name: "${UDS_CLUSTER_NAME}-loki" - TF_VAR_velero_bucket_name: "${UDS_CLUSTER_NAME}-velero" + TF_VAR_name: uds-core-aws-3f0cc44 + TF_VAR_loki_bucket_name: "uds-core-aws-3f0cc44-loki" + TF_VAR_velero_bucket_name: "uds-core-aws-3f0cc44-velero" TF_VAR_use_permissions_boundary: true TF_VAR_permissions_boundary_arn: $UDS_PERMISSIONS_BOUNDARY_NAME run: uds run -f tasks/iac.yaml create-iac From e5f95d8526b3079a65c2c4a77855d912025f77b0 Mon Sep 17 00:00:00 2001 
From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Mon, 1 Apr 2024 10:16:07 -0600 Subject: [PATCH 66/82] fix S3 module calls in loki and velero --- .github/test-infra/buckets-iac/loki.tf | 8 ++++---- .github/test-infra/buckets-iac/velero.tf | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/test-infra/buckets-iac/loki.tf b/.github/test-infra/buckets-iac/loki.tf index 87d3f9acf..19e42aec2 100644 --- a/.github/test-infra/buckets-iac/loki.tf +++ b/.github/test-infra/buckets-iac/loki.tf @@ -28,8 +28,8 @@ resource "aws_s3_bucket_policy" "loki_bucket_policy" { AWS = module.loki_irsa.role_arn } Resource = [ - module.loki_s3.bucket_arn, - "${module.loki_s3.bucket_arn}/*" + module.loki_S3.bucket_arn, + "${module.loki_S3.bucket_arn}/*" ] } ] @@ -76,12 +76,12 @@ resource "aws_iam_policy" "loki_policy" { { Effect = "Allow" Action = ["s3:ListBucket"] - Resource = ["arn:${data.aws_partition.current.partition}:s3:::${module.loki_s3.bucket_name}"] + Resource = ["arn:${data.aws_partition.current.partition}:s3:::${module.loki_S3.bucket_name}"] }, { Effect = "Allow" Action = ["s3:*Object"] - Resource = ["arn:${data.aws_partition.current.partition}:s3:::${module.loki_s3.bucket_name}/*"] + Resource = ["arn:${data.aws_partition.current.partition}:s3:::${module.loki_S3.bucket_name}/*"] }, { Effect = "Allow" diff --git a/.github/test-infra/buckets-iac/velero.tf b/.github/test-infra/buckets-iac/velero.tf index 4308c9b36..8ffbb3aba 100644 --- a/.github/test-infra/buckets-iac/velero.tf +++ b/.github/test-infra/buckets-iac/velero.tf @@ -28,8 +28,8 @@ resource "aws_s3_bucket_policy" "velero_bucket_policy" { AWS = module.velero_irsa.role_arn } Resource = [ - module.velero_s3.bucket_arn, - "${module.velero_s3.bucket_arn}/*" + module.velero_S3.bucket_arn, + "${module.velero_S3.bucket_arn}/*" ] } ] 
@@ -99,7 +99,7 @@ resource "aws_iam_policy" "velero_policy" { "s3:ListMultipartUploadParts" ] Resource = [ - "arn:${data.aws_partition.current.partition}:s3:::${module.velero_s3.bucket_name}/*" + "arn:${data.aws_partition.current.partition}:s3:::${module.velero_S3.bucket_name}/*" ] }, { @@ -108,7 +108,7 @@ resource "aws_iam_policy" "velero_policy" { "s3:ListBucket" ], Resource = [ - "arn:${data.aws_partition.current.partition}:s3:::${module.velero_s3.bucket_name}/*" + "arn:${data.aws_partition.current.partition}:s3:::${module.velero_S3.bucket_name}/*" ] }, { From b53917748ae2eb8e0b181444a1e1125fd0b944ea Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Mon, 1 Apr 2024 10:20:37 -0600 Subject: [PATCH 67/82] testing github env UDS_REGION issue --- .github/workflows/test-eks.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 5341940f5..7a39c5b95 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml @@ -31,7 +31,7 @@ jobs: with: role-to-assume: ${{ secrets.AWS_COMMERCIAL_ROLE_TO_ASSUME }} role-session-name: ${{ github.job || github.event.client_payload.pull_request.head.sha || github.sha }} - aws-region: us-west-2 + aws-region: $UDS_REGION role-duration-seconds: 21600 - name: Environment setup From 8e053bd7abe5e70e49fdec82659726f7d9018a0e Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Mon, 1 Apr 2024 10:23:05 -0600 Subject: [PATCH 68/82] testing github env UDS_REGION issue --- .github/workflows/test-eks.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 7a39c5b95..5988905f9 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml 
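Review bot: The `s3:ListBucket` statement in the second velero.tf hunk is granted on `…:s3:::${module.velero_S3.bucket_name}/*`, but ListBucket is a bucket-level action that only matches the bucket ARN without the `/*` suffix, so as written this statement grants nothing and Velero's bucket listing must be satisfied elsewhere or fail. Change that Resource to `"arn:${data.aws_partition.current.partition}:s3:::${module.velero_S3.bucket_name}"` and keep the `/*` form only for the object-level actions in the statement above it; the loki.tf hunks earlier in this patch already use the bare bucket ARN for ListBucket. The policy statements themselves begin outside the hunk.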
@@ -31,7 +31,7 @@ jobs: with: role-to-assume: ${{ secrets.AWS_COMMERCIAL_ROLE_TO_ASSUME }} role-session-name: ${{ github.job || github.event.client_payload.pull_request.head.sha || github.sha }} - aws-region: $UDS_REGION + aws-region: ${{ env.UDS_REGION }} role-duration-seconds: 21600 - name: Environment setup @@ -56,7 +56,7 @@ jobs: - name: Create IAC env: - TF_VAR_region: $UDS_REGION + TF_VAR_region: ${{ env.UDS_REGION }} # TF_VAR_name: $UDS_CLUSTER_NAME TF_VAR_name: uds-core-aws-3f0cc44 TF_VAR_loki_bucket_name: "uds-core-aws-3f0cc44-loki" From 85762592adb05a0d5e36040b8bc54dffcd8ff6e4 Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Mon, 1 Apr 2024 10:25:09 -0600 Subject: [PATCH 69/82] typo tf var permissions boundary --- .github/workflows/test-eks.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 5988905f9..2f42d2897 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml @@ -62,7 +62,7 @@ jobs: TF_VAR_loki_bucket_name: "uds-core-aws-3f0cc44-loki" TF_VAR_velero_bucket_name: "uds-core-aws-3f0cc44-velero" TF_VAR_use_permissions_boundary: true - TF_VAR_permissions_boundary_arn: $UDS_PERMISSIONS_BOUNDARY_NAME + TF_VAR_permissions_boundary_name: $UDS_PERMISSIONS_BOUNDARY_NAME run: uds run -f tasks/iac.yaml create-iac # - name: Deploy Core Bundle From 3849b8cb6847886e808d66e6ec855f0a6b99cb37 Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Mon, 1 Apr 2024 10:27:40 -0600 Subject: [PATCH 70/82] changing env var reference --- .github/workflows/test-eks.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 2f42d2897..d3a6fb226 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml 
@@ -62,7 +62,7 @@ jobs: TF_VAR_loki_bucket_name: "uds-core-aws-3f0cc44-loki" TF_VAR_velero_bucket_name: "uds-core-aws-3f0cc44-velero" TF_VAR_use_permissions_boundary: true - TF_VAR_permissions_boundary_name: $UDS_PERMISSIONS_BOUNDARY_NAME + TF_VAR_permissions_boundary_name: ${{ env.UDS_PERMISSIONS_BOUNDARY_NAME }} run: uds run -f tasks/iac.yaml create-iac # - name: Deploy Core Bundle From 4f61e9ce8787f3abef8d9b05943b284e12383747 Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Mon, 1 Apr 2024 14:38:02 -0600 Subject: [PATCH 71/82] full test with fixed buckets iac --- .github/workflows/test-eks.yaml | 53 ++++++++++++++++----------------- tasks/iac.yaml | 41 +++++++++++++++---------- 2 files changed, 52 insertions(+), 42 deletions(-) diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index d3a6fb226..0251441ac 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml 
@@ -37,44 +37,43 @@ jobs: - name: Environment setup uses: ./.github/actions/setup - # - name: Install eksctl - # run: uds run -f tasks/iac.yaml install-eksctl + - name: Install eksctl + run: uds run -f tasks/iac.yaml install-eksctl - name: Setup Terraform uses: hashicorp/setup-terraform@v3 with: terraform_version: "1.5.7" - # - name: Create UDS Core Package - # run: ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml standard-package + - name: Create UDS Core Package + run: ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml standard-package - # - name: Create Core Bundle - # run: uds create .github/bundles --confirm + - name: Create Core Bundle + run: uds create .github/bundles --confirm - # - name: Create Cluster - # run: uds run -f tasks/iac.yaml create-cluster + - name: Create Cluster + run: uds run -f tasks/iac.yaml create-cluster - name: Create IAC env: TF_VAR_region: ${{ env.UDS_REGION }} - # TF_VAR_name: $UDS_CLUSTER_NAME - TF_VAR_name: uds-core-aws-3f0cc44 - TF_VAR_loki_bucket_name: "uds-core-aws-3f0cc44-loki" - TF_VAR_velero_bucket_name: "uds-core-aws-3f0cc44-velero" + TF_VAR_name: ${{ env.UDS_CLUSTER_NAME }} + TF_VAR_loki_bucket_name: "${{ env.UDS_CLUSTER_NAME }}-loki" + TF_VAR_velero_bucket_name: "${{ env.UDS_CLUSTER_NAME }}-velero" TF_VAR_use_permissions_boundary: true - TF_VAR_permissions_boundary_name: ${{ env.UDS_PERMISSIONS_BOUNDARY_NAME }} + TF_VAR_permissions_boundary_arn: ${{ env.UDS_PERMISSIONS_BOUNDARY_NAME }} run: uds run -f tasks/iac.yaml create-iac - # - name: Deploy Core Bundle - # env: - # UDS_CONFIG: .github/bundles/uds-config.yaml - # run: uds deploy .github/bundles/uds-bundle-uds-core-eks-nightly-*.tar.zst --confirm + - name: Deploy Core Bundle + env: + UDS_CONFIG: .github/bundles/uds-config.yaml + run: uds deploy .github/bundles/uds-bundle-uds-core-eks-nightly-*.tar.zst --confirm - # - name: Remove UDS Core - # if: always() - # run: uds remove .github/bundles/uds-bundle-uds-core-eks-*.tar.zst --confirm - # timeout-minutes: 30 - # 
continue-on-error: true + - name: Remove UDS Core + if: always() + run: uds remove .github/bundles/uds-bundle-uds-core-eks-*.tar.zst --confirm + timeout-minutes: 30 + continue-on-error: true - name: Remove IAC if: always() @@ -82,8 +81,8 @@ jobs: timeout-minutes: 30 continue-on-error: true - # - name: Teardown EKS cluster - # if: always() - # run: uds run -f tasks/iac.yaml destroy-cluster - # timeout-minutes: 30 - # continue-on-error: true + - name: Teardown EKS cluster + if: always() + run: uds run -f tasks/iac.yaml destroy-cluster + timeout-minutes: 30 + continue-on-error: true diff --git a/tasks/iac.yaml b/tasks/iac.yaml index 992f6fc38..fe25c2dc9 100644 --- a/tasks/iac.yaml +++ b/tasks/iac.yaml @@ -82,11 +82,12 @@ tasks: - name: destroy-iac actions: - - task: destory-terraform + - cmd: terraform destroy -auto-approve + dir: .github/test-infra/buckets-iac - name: apply-terraform actions: - - cmd: echo ${STATE_KEY} | sed 's/\.tfstate/-buckets.tfstate/g' + - cmd: echo ${STATE_KEY} | sed 's/\.tfstate/-buckets1.tfstate/g' setVariables: - name: BUCKETS_STATE_KEY dir: .github/test-infra/buckets-iac 
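Review bot: `TF_VAR_permissions_boundary_arn: ${{ env.UDS_PERMISSIONS_BOUNDARY_NAME }}` reintroduces the variable name that patch 69 corrected to `TF_VAR_permissions_boundary_name`; Terraform silently ignores `TF_VAR_*` values for undeclared variables, so the boundary name is dropped and, depending on whether `permissions_boundary_name` has a default, the apply fails on a missing input or creates roles with a malformed boundary ARN. Restoring `TF_VAR_permissions_boundary_name:` is the one-line fix. The step list begins outside the hunk.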
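Review bot: `destroy-iac` now runs `terraform destroy -auto-approve` directly with no `terraform init -backend-config=…` of its own, so it depends on the `.terraform` directory and backend settings that `apply-terraform` left in `.github/test-infra/buckets-iac` earlier in the same job; in a fresh job, or after `create-iac` failed before its init, the destroy errors out and — combined with `continue-on-error: true` on the `Remove IAC` step — the buckets, KMS keys and IRSA roles survive silently. Factoring the init into a task that both `apply-terraform` and `destroy-iac` call would make teardown self-sufficient. The state key suffix also changes from `-buckets.tfstate` to `-buckets1.tfstate` with no explanation; if that is a testing artifact rather than intentional, a state object under the old key may now be orphaned, so a comment or a revert would help.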
@@ -103,19 +104,29 @@ tasks: - name: terraform-outputs actions: - - cmd: | - "LOKI_S3_BUCKET=$(terraform output -raw loki_s3_bucket)" - "LOKI_S3_AWS_REGION=$(terraform output -raw aws_region)" - "LOKI_S3_ROLE_ARN=$(terraform output -raw loki_irsa_role_arn)" - "VELERO_S3_BUCKET=$(terraform output -raw velero_s3_bucket)" - "VELERO_S3_AWS_REGION=$(terraform output -raw aws_region)" - "VELERO_S3_ROLE_ARN=$(terraform output -raw velero_irsa_role_arn)" + - cmd: terraform output -raw loki_s3_bucket + setVariables: + - name: "LOKI_S3_BUCKET" dir: .github/test-infra/buckets-iac - - - name: destory-terraform - actions: - - cmd: | - terraform destroy -auto-approve + - cmd: terraform output -raw aws_region + setVariables: + - name: LOKI_S3_AWS_REGION + dir: .github/test-infra/buckets-iac + - cmd: terraform output -raw loki_irsa_role_arn + setVariables: + - name: LOKI_S3_ROLE_ARN + dir: .github/test-infra/buckets-iac + - cmd: terraform output -raw velero_s3_bucket + setVariables: + - name: VELERO_S3_BUCKET + dir: .github/test-infra/buckets-iac + - cmd: terraform output -raw aws_region + setVariables: + - name: VELERO_S3_AWS_REGION + dir: .github/test-infra/buckets-iac + - cmd: terraform output -raw velero_irsa_role_arn + setVariables: + - name: VELERO_S3_ROLE_ARN dir: .github/test-infra/buckets-iac - name: create-uds-config @@ -132,7 +143,7 @@ tasks: loki_s3_region: ${LOKI_S3_AWS_REGION} loki_s3-endpoint: "" loki_irsa_annotation: - eks.amazonaws.com/role-arn: ${LOKI_S3_ROLE_ARN} + eks.amazonaws.com/role-arn: "${LOKI_S3_ROLE_ARN}" velero_use_secret: false velero_irsa_annotation: eks.amazonaws.com/role-arn: "${VELERO_S3_ROLE_ARN}" From c90da7b88f6ec341fdce579c23e403acd1fdf830 Mon Sep 17 00:00:00 2001 
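Review bot: Of the six new `setVariables` entries only the first quotes its name (`- name: "LOKI_S3_BUCKET"`); the other five are plain scalars, and none of these names need quoting, so `- name: LOKI_S3_BUCKET` keeps the task consistent. The `dir: .github/test-infra/buckets-iac` line is also repeated on every action; if the task runner supports a task-level working directory that would remove five copies of the path, otherwise a short comment above the first action noting that every `terraform output` must run from the buckets-iac directory would explain the repetition.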
From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Mon, 1 Apr 2024 15:09:34 -0600 Subject: [PATCH 72/82] fixing permissions boundary tf var and setting timeouts lower --- .github/workflows/test-eks.yaml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 0251441ac..cfe432e1b 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml @@ -53,6 +53,7 @@ jobs: - name: Create Cluster run: uds run -f tasks/iac.yaml create-cluster + timeout-minutes: 60 - name: Create IAC env: @@ -61,24 +62,26 @@ jobs: TF_VAR_loki_bucket_name: "${{ env.UDS_CLUSTER_NAME }}-loki" TF_VAR_velero_bucket_name: "${{ env.UDS_CLUSTER_NAME }}-velero" TF_VAR_use_permissions_boundary: true - TF_VAR_permissions_boundary_arn: ${{ env.UDS_PERMISSIONS_BOUNDARY_NAME }} + TF_VAR_permissions_boundary_name: ${{ env.UDS_PERMISSIONS_BOUNDARY_NAME }} run: uds run -f tasks/iac.yaml create-iac + timeout-minutes: 20 - name: Deploy Core Bundle env: UDS_CONFIG: .github/bundles/uds-config.yaml run: uds deploy .github/bundles/uds-bundle-uds-core-eks-nightly-*.tar.zst --confirm + timeout-minutes: 20 - name: Remove UDS Core if: always() run: uds remove .github/bundles/uds-bundle-uds-core-eks-*.tar.zst --confirm - timeout-minutes: 30 + timeout-minutes: 10 continue-on-error: true - name: Remove IAC if: always() run: uds run -f tasks/iac.yaml destroy-iac - timeout-minutes: 30 + timeout-minutes: 10 continue-on-error: true - name: Teardown EKS cluster From cdff9b296c09752d2a52327420bef26d832276d6 Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Tue, 2 Apr 2024 07:54:03 -0600 Subject: [PATCH 73/82] test moving tf_vars to job level --- .github/workflows/test-eks.yaml | 59 ++++++++++++++++----------------- 1 file changed, 29 insertions(+), 30 deletions(-) 
diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index cfe432e1b..5cd809e9b 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml @@ -22,6 +22,12 @@ jobs: run: | echo "UDS_CLUSTER_NAME=uds-core-aws-${SHA:0:7}" >> $GITHUB_ENV echo "UDS_STATE_KEY="tfstate/ci/install/${SHA:0:7}-core-aws.tfstate >> $GITHUB_ENV + echo "TF_VAR_region: ${UDS_REGION}" >> $GITHUB_ENV + echo "TF_VAR_name: ${UDS_CLUSTER_NAME}" >> $GITHUB_ENV + echo "TF_VAR_loki_bucket_name: ${UDS_CLUSTER_NAME}-loki" >> $GITHUB_ENV + echo "TF_VAR_velero_bucket_name: ${UDS_CLUSTER_NAME}-velero" >> $GITHUB_ENV + echo "TF_VAR_use_permissions_boundary: true" >> $GITHUB_ENV + echo "TF_VAR_permissions_boundary_name: ${UDS_PERMISSIONS_BOUNDARY_NAME}" >> $GITHUB_ENV - name: Checkout repository uses: actions/checkout@v4 
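Review bot: The six new `echo … >> $GITHUB_ENV` lines use `name: value` rather than `name=value`, which is not the format `GITHUB_ENV` accepts, so none of these `TF_VAR_*` values will be exported to later steps. In addition, `${UDS_CLUSTER_NAME}` is expanded by the shell in the same step that is appending `UDS_CLUSTER_NAME` to `GITHUB_ENV`, and variables written there are only visible to subsequent steps, so the cluster and bucket names would expand to empty strings even with the `=` fix; derive them from `${SHA:0:7}` in this step, or move the `TF_VAR_*` exports to a later step. The step's `run:` block begins outside the hunk.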
@@ -45,38 +51,31 @@ jobs: with: terraform_version: "1.5.7" - - name: Create UDS Core Package - run: ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml standard-package + # - name: Create UDS Core Package + # run: ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml standard-package - - name: Create Core Bundle - run: uds create .github/bundles --confirm + # - name: Create Core Bundle + # run: uds create .github/bundles --confirm - - name: Create Cluster - run: uds run -f tasks/iac.yaml create-cluster - timeout-minutes: 60 + # - name: Create Cluster + # run: uds run -f tasks/iac.yaml create-cluster + # timeout-minutes: 60 - - name: Create IAC - env: - TF_VAR_region: ${{ env.UDS_REGION }} - TF_VAR_name: ${{ env.UDS_CLUSTER_NAME }} - TF_VAR_loki_bucket_name: "${{ env.UDS_CLUSTER_NAME }}-loki" - TF_VAR_velero_bucket_name: "${{ env.UDS_CLUSTER_NAME }}-velero" - TF_VAR_use_permissions_boundary: true - TF_VAR_permissions_boundary_name: ${{ env.UDS_PERMISSIONS_BOUNDARY_NAME }} + - name: Create IAC run: uds run -f tasks/iac.yaml create-iac timeout-minutes: 20 - - name: Deploy Core Bundle - env: - UDS_CONFIG: .github/bundles/uds-config.yaml - run: uds deploy .github/bundles/uds-bundle-uds-core-eks-nightly-*.tar.zst --confirm - timeout-minutes: 20 + # - name: Deploy Core Bundle + # env: + # UDS_CONFIG: .github/bundles/uds-config.yaml + # run: uds deploy .github/bundles/uds-bundle-uds-core-eks-nightly-*.tar.zst --confirm + # timeout-minutes: 20 - - name: Remove UDS Core - if: always() - run: uds remove .github/bundles/uds-bundle-uds-core-eks-*.tar.zst --confirm - timeout-minutes: 10 - continue-on-error: true + # - name: Remove UDS Core + # if: always() + # run: uds remove .github/bundles/uds-bundle-uds-core-eks-*.tar.zst --confirm + # timeout-minutes: 10 + # continue-on-error: true - name: Remove IAC if: always() 
@@ -84,8 +83,8 @@ jobs: timeout-minutes: 10 continue-on-error: true - - name: Teardown EKS cluster - if: always() - run: uds run -f tasks/iac.yaml destroy-cluster - timeout-minutes: 30 - continue-on-error: true + # - name: Teardown EKS cluster + # if: always() + # run: uds run -f tasks/iac.yaml destroy-cluster + # timeout-minutes: 30 + # continue-on-error: true From 98b2418570fabd52c1eaf2d5c7399b60fff18a67 Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Tue, 2 Apr 2024 08:14:33 -0600 Subject: [PATCH 74/82] test moving tf_vars to job level --- .github/workflows/test-eks.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 5cd809e9b..5abda2360 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml @@ -22,12 +22,12 @@ jobs: run: | echo "UDS_CLUSTER_NAME=uds-core-aws-${SHA:0:7}" >> $GITHUB_ENV echo "UDS_STATE_KEY="tfstate/ci/install/${SHA:0:7}-core-aws.tfstate >> $GITHUB_ENV - echo "TF_VAR_region: ${UDS_REGION}" >> $GITHUB_ENV - echo "TF_VAR_name: ${UDS_CLUSTER_NAME}" >> $GITHUB_ENV - echo "TF_VAR_loki_bucket_name: ${UDS_CLUSTER_NAME}-loki" >> $GITHUB_ENV - echo "TF_VAR_velero_bucket_name: ${UDS_CLUSTER_NAME}-velero" >> $GITHUB_ENV - echo "TF_VAR_use_permissions_boundary: true" >> $GITHUB_ENV - echo "TF_VAR_permissions_boundary_name: ${UDS_PERMISSIONS_BOUNDARY_NAME}" >> $GITHUB_ENV + echo "TF_VAR_region=${UDS_REGION}" >> $GITHUB_ENV + echo "TF_VAR_name=${UDS_CLUSTER_NAME}" >> $GITHUB_ENV + echo "TF_VAR_loki_bucket_name=${UDS_CLUSTER_NAME}-loki" >> $GITHUB_ENV + echo "TF_VAR_velero_bucket_name=${UDS_CLUSTER_NAME}-velero" >> $GITHUB_ENV + echo "TF_VAR_use_permissions_boundary=true" >> $GITHUB_ENV + echo "TF_VAR_permissions_boundary_name=${UDS_PERMISSIONS_BOUNDARY_NAME}" >> $GITHUB_ENV - name: Checkout repository uses: actions/checkout@v4 
From 150df0bcae1e6924e3bcb72ad3a52ce043bda456 Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Tue, 2 Apr 2024 08:23:02 -0600 Subject: [PATCH 75/82] fix cluster name ref in tf vars --- .github/workflows/test-eks.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 5abda2360..81ee5453b 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml @@ -23,9 +23,9 @@ jobs: echo "UDS_CLUSTER_NAME=uds-core-aws-${SHA:0:7}" >> $GITHUB_ENV echo "UDS_STATE_KEY="tfstate/ci/install/${SHA:0:7}-core-aws.tfstate >> $GITHUB_ENV echo "TF_VAR_region=${UDS_REGION}" >> $GITHUB_ENV - echo "TF_VAR_name=${UDS_CLUSTER_NAME}" >> $GITHUB_ENV - echo "TF_VAR_loki_bucket_name=${UDS_CLUSTER_NAME}-loki" >> $GITHUB_ENV - echo "TF_VAR_velero_bucket_name=${UDS_CLUSTER_NAME}-velero" >> $GITHUB_ENV + echo "TF_VAR_name=uds-core-aws-${SHA:0:7}" >> $GITHUB_ENV + echo "TF_VAR_loki_bucket_name=uds-core-aws-${SHA:0:7}-loki" >> $GITHUB_ENV + echo "TF_VAR_velero_bucket_name=$uds-core-aws-${SHA:0:7}-velero" >> $GITHUB_ENV echo "TF_VAR_use_permissions_boundary=true" >> $GITHUB_ENV echo "TF_VAR_permissions_boundary_name=${UDS_PERMISSIONS_BOUNDARY_NAME}" >> $GITHUB_ENV From 7f8c379c11d5f8c98e727974d37a88f84e613056 Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Tue, 2 Apr 2024 08:26:41 -0600 Subject: [PATCH 76/82] run full eks test --- .github/workflows/test-eks.yaml | 44 ++++++++++++++++----------------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 81ee5453b..7cebc5712 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml 
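Review bot: `$uds-core-aws-${SHA:0:7}-velero` has a stray `$`, so the shell expands the (empty) variable `uds` and the bucket name becomes `-core-aws-<sha>-velero`, which is also not a valid S3 bucket name; it should read `uds-core-aws-${SHA:0:7}-velero`. Repeating the `uds-core-aws-${SHA:0:7}` expression on four lines invites exactly this kind of slip; computing it once into a shell variable (e.g. `CLUSTER=uds-core-aws-${SHA:0:7}`) and reusing `${CLUSTER}` in each `echo` would keep the cluster name, bucket names and `UDS_CLUSTER_NAME` from drifting apart. The `run:` block begins outside the hunk.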
@@ -51,31 +51,31 @@ jobs: with: terraform_version: "1.5.7" - # - name: Create UDS Core Package - # run: ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml standard-package + - name: Create UDS Core Package + run: ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml standard-package - # - name: Create Core Bundle - # run: uds create .github/bundles --confirm + - name: Create Core Bundle + run: uds create .github/bundles --confirm - # - name: Create Cluster - # run: uds run -f tasks/iac.yaml create-cluster - # timeout-minutes: 60 + - name: Create Cluster + run: uds run -f tasks/iac.yaml create-cluster + timeout-minutes: 60 - name: Create IAC run: uds run -f tasks/iac.yaml create-iac timeout-minutes: 20 - # - name: Deploy Core Bundle - # env: - # UDS_CONFIG: .github/bundles/uds-config.yaml - # run: uds deploy .github/bundles/uds-bundle-uds-core-eks-nightly-*.tar.zst --confirm - # timeout-minutes: 20 + - name: Deploy Core Bundle + env: + UDS_CONFIG: .github/bundles/uds-config.yaml + run: uds deploy .github/bundles/uds-bundle-uds-core-eks-nightly-*.tar.zst --confirm + timeout-minutes: 20 - # - name: Remove UDS Core - # if: always() - # run: uds remove .github/bundles/uds-bundle-uds-core-eks-*.tar.zst --confirm - # timeout-minutes: 10 - # continue-on-error: true + - name: Remove UDS Core + if: always() + run: uds remove .github/bundles/uds-bundle-uds-core-eks-*.tar.zst --confirm + timeout-minutes: 10 + continue-on-error: true - name: Remove IAC if: always() @@ -83,8 +83,8 @@ jobs: timeout-minutes: 10 continue-on-error: true - # - name: Teardown EKS cluster - # if: always() - # run: uds run -f tasks/iac.yaml destroy-cluster - # timeout-minutes: 30 - # continue-on-error: true + - name: Teardown EKS cluster + if: always() + run: uds run -f tasks/iac.yaml destroy-cluster + timeout-minutes: 30 + continue-on-error: true From 65706fabbf3b386d3003e7617b751b8386229c36 Mon Sep 17 00:00:00 2001 
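Review bot: Both re-enabled cleanup steps — Remove UDS Core here and Teardown EKS cluster in the `@@ -83,8 +83,8` hunk of this patch — keep `continue-on-error: true`, so a failed `uds remove` or `destroy-cluster` still leaves the job green and an orphaned cluster with its IRSA roles and buckets goes unnoticed until a bill or an audit. `if: always()` already guarantees these steps run after an earlier failure, so `continue-on-error: true` can be dropped from the teardown steps, or the job can end with a step that fails when any cleanup step's outcome is failure. The deploy step's glob `uds-bundle-uds-core-eks-nightly-*.tar.zst` and the remove step's `uds-bundle-uds-core-eks-*.tar.zst` also differ; using the same pattern in both avoids removing a bundle other than the one deployed. The Remove IAC step is split across the two hunks.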
From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Tue, 2 Apr 2024 08:28:12 -0600 Subject: [PATCH 77/82] typo --- .github/workflows/test-eks.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 7cebc5712..6ce3a1122 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml @@ -25,7 +25,7 @@ jobs: echo "TF_VAR_region=${UDS_REGION}" >> $GITHUB_ENV echo "TF_VAR_name=uds-core-aws-${SHA:0:7}" >> $GITHUB_ENV echo "TF_VAR_loki_bucket_name=uds-core-aws-${SHA:0:7}-loki" >> $GITHUB_ENV - echo "TF_VAR_velero_bucket_name=$uds-core-aws-${SHA:0:7}-velero" >> $GITHUB_ENV + echo "TF_VAR_velero_bucket_name=uds-core-aws-${SHA:0:7}-velero" >> $GITHUB_ENV echo "TF_VAR_use_permissions_boundary=true" >> $GITHUB_ENV echo "TF_VAR_permissions_boundary_name=${UDS_PERMISSIONS_BOUNDARY_NAME}" >> $GITHUB_ENV From 2bbe21fd460c25567ea88909058acccae8ec34df Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Tue, 2 Apr 2024 15:01:16 -0600 Subject: [PATCH 78/82] refactoring buckets tf with loops --- .github/test-infra/buckets-iac/loki.tf | 76 ++------------------ .github/test-infra/buckets-iac/main.tf | 80 +++++++++++++++++++++ .github/test-infra/buckets-iac/output.tf | 12 ++-- .github/test-infra/buckets-iac/variables.tf | 45 +++++------- .github/test-infra/buckets-iac/velero.tf | 75 ++----------------- .github/workflows/test-eks.yaml | 2 - 6 files changed, 112 insertions(+), 178 deletions(-) diff --git a/.github/test-infra/buckets-iac/loki.tf b/.github/test-infra/buckets-iac/loki.tf index 19e42aec2..3defd0ca9 100644 --- a/.github/test-infra/buckets-iac/loki.tf +++ b/.github/test-infra/buckets-iac/loki.tf 
@@ -1,73 +1,5 @@ -locals { - loki_name = "${var.name}-loki" - loki_kms_key_arn = module.loki_generate_kms[0].kms_key_arn -} - -module "loki_S3" { - source = "github.com/defenseunicorns/terraform-aws-uds-s3?ref=v0.0.6" - name_prefix = "${var.loki_bucket_name}-" - kms_key_arn = local.loki_kms_key_arn - force_destroy = "true" - create_bucket_lifecycle = true -} - -resource "aws_s3_bucket_policy" "loki_bucket_policy" { - bucket = module.loki_S3.bucket_name - - policy = jsonencode({ - Version = "2012-10-17" - Statement = [ - { - Action = [ - "s3:ListBucket", - "s3:GetObject", - "s3:PutObject" - ] - Effect = "Allow" - Principal = { - AWS = module.loki_irsa.role_arn - } - Resource = [ - module.loki_S3.bucket_arn, - "${module.loki_S3.bucket_arn}/*" - ] - } - ] - }) -} - -module "loki_generate_kms" { - count = 1 - source = "github.com/defenseunicorns/terraform-aws-uds-kms?ref=v0.0.2" - - key_owners = var.key_owner_arns - # A list of IAM ARNs for those who will have full key permissions (`kms:*`) - kms_key_alias_name_prefix = "${local.loki_name}-" # Prefix for KMS key alias. - kms_key_deletion_window = var.kms_key_deletion_window - # Waiting period for scheduled KMS Key deletion. Can be 7-30 days. - kms_key_description = "${var.name} UDS Core deployment Loki Key" # Description for the KMS key. 
- tags = { - Deployment = "UDS Core ${local.loki_name}" - } -} - - -module "loki_irsa" { - source = "github.com/defenseunicorns/terraform-aws-uds-irsa?ref=v0.0.2" - name = local.loki_name - kubernetes_service_account = var.loki_service_account - kubernetes_namespace = var.loki_namespace - oidc_provider_arn = local.oidc_arn - role_permissions_boundary_arn = local.iam_role_permissions_boundary - - role_policy_arns = tomap({ - "loki" = aws_iam_policy.loki_policy.arn - }) - -} - resource "aws_iam_policy" "loki_policy" { - name = "${local.loki_name}-irsa-${random_id.unique_id.hex}" + name = "${local.bucket_configurations.loki.name}-irsa-${random_id.unique_id.hex}" path = "/" description = "IAM policy for Loki to have necessary permissions to use S3 for storing logs." policy = jsonencode({ @@ -76,12 +8,12 @@ resource "aws_iam_policy" "loki_policy" { { Effect = "Allow" Action = ["s3:ListBucket"] - Resource = ["arn:${data.aws_partition.current.partition}:s3:::${module.loki_S3.bucket_name}"] + Resource = ["arn:${data.aws_partition.current.partition}:s3:::${module.S3["loki"].bucket_name}"] }, { Effect = "Allow" Action = ["s3:*Object"] - Resource = ["arn:${data.aws_partition.current.partition}:s3:::${module.loki_S3.bucket_name}/*"] + Resource = ["arn:${data.aws_partition.current.partition}:s3:::${module.S3["loki"].bucket_name}/*"] }, { Effect = "Allow" @@ -89,7 +21,7 @@ resource "aws_iam_policy" "loki_policy" { "kms:GenerateDataKey", "kms:Decrypt" ] - Resource = [local.loki_kms_key_arn] + Resource = [local.kms_key_arns["loki"].kms_key_arn] } ] }) diff --git a/.github/test-infra/buckets-iac/main.tf b/.github/test-infra/buckets-iac/main.tf index b19de7216..539fde1fc 100644 --- a/.github/test-infra/buckets-iac/main.tf +++ b/.github/test-infra/buckets-iac/main.tf 
@@ -43,8 +43,88 @@ locals { oidc_url_without_protocol = substr(data.aws_eks_cluster.existing.identity[0].oidc[0].issuer, 8, -1) oidc_arn = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${local.oidc_url_without_protocol}" iam_role_permissions_boundary = var.use_permissions_boundary ? "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:policy/${var.permissions_boundary_name}" : null + + bucket_configurations = { + for instance in var.bucket_configurations : + instance.name => { + name = "${var.name}-${instance.name}" + service_account = instance.service_account + namespace = instance.namespace + } + } + + kms_key_arns = module.generate_kms + + iam_policies = { + "loki" = resource.aws_iam_policy.loki_policy.arn + "velero" = resource.aws_iam_policy.velero_policy.arn + } } resource "random_id" "unique_id" { byte_length = 4 } + +module "generate_kms" { + for_each = local.bucket_configurations + source = "github.com/defenseunicorns/terraform-aws-uds-kms?ref=v0.0.2" + + key_owners = var.key_owner_arns + # A list of IAM ARNs for those who will have full key permissions (`kms:*`) + kms_key_alias_name_prefix = "${each.value.name}-" # Prefix for KMS key alias. + kms_key_deletion_window = var.kms_key_deletion_window + # Waiting period for scheduled KMS Key deletion. Can be 7-30 days. + kms_key_description = "${var.name} UDS Core deployment Loki Key" # Description for the KMS key. 
+ tags = { + Deployment = "UDS Core ${each.value.name}" + } +} + +module "S3" { + for_each = local.bucket_configurations + source = "github.com/defenseunicorns/terraform-aws-uds-s3?ref=v0.0.6" + name_prefix = "${each.value.name}-" + kms_key_arn = local.kms_key_arns[each.key].kms_key_arn + force_destroy = "true" + create_bucket_lifecycle = true +} + +module "irsa" { + for_each = local.bucket_configurations + source = "github.com/defenseunicorns/terraform-aws-uds-irsa?ref=v0.0.2" + name = each.value.name + kubernetes_service_account = each.value.service_account + kubernetes_namespace = each.value.namespace + oidc_provider_arn = local.oidc_arn + role_permissions_boundary_arn = local.iam_role_permissions_boundary + + role_policy_arns = tomap({ + "${each.key}" = local.iam_policies[each.key] + }) +} + +resource "aws_s3_bucket_policy" "bucket_policy" { + for_each = local.bucket_configurations + bucket = module.S3[each.key].bucket_name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "s3:ListBucket", + "s3:GetObject", + "s3:PutObject" + ] + Effect = "Allow" + Principal = { + AWS = module.irsa[each.key].role_arn + } + Resource = [ + module.S3[each.key].bucket_arn, + "${module.S3[each.key].bucket_arn}/*" + ] + } + ] + }) +} diff --git a/.github/test-infra/buckets-iac/output.tf b/.github/test-infra/buckets-iac/output.tf index 0837b67b0..1228df95a 100644 --- a/.github/test-infra/buckets-iac/output.tf +++ b/.github/test-infra/buckets-iac/output.tf 
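Review bot: `kms_key_description = "${var.name} UDS Core deployment Loki Key"` sits inside the new `for_each` generate_kms module, so the velero key is described as a Loki key too; use the per-instance name, `kms_key_description = "${each.value.name} UDS Core deployment key"`. `force_destroy = "true"` in the S3 module should be the boolean `true` rather than a string. `local.iam_policies` is keyed only by the literals "loki" and "velero" while `local.bucket_configurations` is keyed by `instance.name`, so any additional entry in `var.bucket_configurations` appears to fail at plan time with an invalid-index error on `local.iam_policies[each.key]` in the irsa module; a comment next to `iam_policies` saying its keys must match the configured bucket names would save the next person that diagnosis. The `locals` block starts outside the hunk.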
@@ -3,25 +3,25 @@ output "aws_region" { } output "loki_irsa_role_arn" { - value = module.loki_irsa.role_arn + value = module.irsa["loki"].role_arn } output "loki_s3" { - value = module.loki_S3 + value = module.S3["loki"] } output "loki_s3_bucket" { - value = module.loki_S3.bucket_name + value = module.S3["loki"].bucket_name } output "velero_irsa_role_arn" { - value = module.velero_irsa.role_arn + value = module.irsa["velero"].role_arn } output "velero_s3" { - value = module.velero_S3 + value = module.S3["velero"] } output "velero_s3_bucket" { - value = module.velero_S3.bucket_name + value = module.S3["velero"].bucket_name } diff --git a/.github/test-infra/buckets-iac/variables.tf b/.github/test-infra/buckets-iac/variables.tf index d90e99490..22bb12dad 100644 --- a/.github/test-infra/buckets-iac/variables.tf +++ b/.github/test-infra/buckets-iac/variables.tf 
@@ -33,32 +33,23 @@ variable "kms_key_deletion_window" { default = 7 } -variable "loki_bucket_name" { - description = "Name for loki S3 bucket" - type = string -} - -variable "loki_service_account" { - description = "Name of the service account to bind to. Used to generate fully qualified subject for service account." - type = string +variable "bucket_configurations" { + type = map(object({ + name = string + service_account = string + namespace = string + })) + default = { + loki = { + name = "loki" + service_account = "logging-loki" + namespace = "logging" + } + velero = { + name = "velero" + service_account = "velero-server" + namespace = "velero" + } + } } -variable "loki_namespace" { - description = "Name of the namespace that the service account exists in. Used to generate fully qualified subject for the service account." - type = string -} - -variable "velero_bucket_name" { - description = "Name for velero S3 bucket" - type = string -} - -variable "velero_service_account" { - description = "Name of the service account to bind to. Used to generate fully qualified subject for service account." - type = string -} - -variable "velero_namespace" { - description = "Name of the namespace that the service account exists in. Used to generate fully qualified subject for the service account." - type = string -} diff --git a/.github/test-infra/buckets-iac/velero.tf b/.github/test-infra/buckets-iac/velero.tf index 8ffbb3aba..96e6ed627 100644 --- a/.github/test-infra/buckets-iac/velero.tf +++ b/.github/test-infra/buckets-iac/velero.tf 
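Review bot: The new `bucket_configurations` variable has no `description`, unlike the six variables it replaces, and its `name` attribute duplicates the map key; the locals in main.tf appear to re-key on `instance.name` rather than the map key, so a key that differs from `name` silently renames the resources. A description plus a validation that ties the two together makes the contract explicit and fails fast at plan time.
```hcl
variable "bucket_configurations" {
  description = "Per-service S3 bucket settings keyed by service name (loki, velero); the key must equal .name because the locals in main.tf re-key on it."
  # … unchanged: type and default …
  validation {
    condition     = alltrue([for k, v in var.bucket_configurations : k == v.name])
    error_message = "Each bucket_configurations key must equal its name attribute."
  }
}
```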
@@ -1,72 +1,5 @@ -locals { - velero_name = "${var.name}-velero" - velero_kms_key_arn = module.velero_generate_kms[0].kms_key_arn -} - -module "velero_S3" { - source = "github.com/defenseunicorns/terraform-aws-uds-s3?ref=v0.0.6" - name_prefix = "${var.velero_bucket_name}-" - kms_key_arn = local.velero_kms_key_arn - force_destroy = "true" - create_bucket_lifecycle = true -} - -resource "aws_s3_bucket_policy" "velero_bucket_policy" { - bucket = module.velero_S3.bucket_name - - policy = jsonencode({ - Version = "2012-10-17" - Statement = [ - { - Action = [ - "s3:ListBucket", - "s3:GetObject", - "s3:PutObject" - ] - Effect = "Allow" - Principal = { - AWS = module.velero_irsa.role_arn - } - Resource = [ - module.velero_S3.bucket_arn, - "${module.velero_S3.bucket_arn}/*" - ] - } - ] - }) -} - -module "velero_generate_kms" { - count = 1 - source = "github.com/defenseunicorns/terraform-aws-uds-kms?ref=v0.0.2" - - key_owners = var.key_owner_arns - # A list of IAM ARNs for those who will have full key permissions (`kms:*`) - kms_key_alias_name_prefix = "${local.velero_name}-" # Prefix for KMS key alias. - kms_key_deletion_window = var.kms_key_deletion_window - # Waiting period for scheduled KMS Key deletion. Can be 7-30 days. - kms_key_description = "${local.velero_name} UDS Core deployment Velero Key" # Description for the KMS key. 
- tags = { - Deployment = "UDS Core ${local.velero_name}" - } -} - -module "velero_irsa" { - source = "github.com/defenseunicorns/terraform-aws-uds-irsa?ref=v0.0.2" - name = local.velero_name - kubernetes_service_account = var.velero_service_account - kubernetes_namespace = var.velero_namespace - oidc_provider_arn = local.oidc_arn - role_permissions_boundary_arn = local.iam_role_permissions_boundary - - role_policy_arns = tomap({ - "velero" = aws_iam_policy.velero_policy.arn - }) - -} - resource "aws_iam_policy" "velero_policy" { - name = "${local.velero_name}-irsa-${random_id.unique_id.hex}" + name = "${local.bucket_configurations.velero.name}-irsa-${random_id.unique_id.hex}" path = "/" description = "Policy to give Velero necessary permissions for cluster backups." @@ -99,7 +32,7 @@ resource "aws_iam_policy" "velero_policy" { "s3:ListMultipartUploadParts" ] Resource = [ - "arn:${data.aws_partition.current.partition}:s3:::${module.velero_S3.bucket_name}/*" + "arn:${data.aws_partition.current.partition}:s3:::${module.S3["velero"].bucket_name}/*" ] }, { @@ -108,7 +41,7 @@ resource "aws_iam_policy" "velero_policy" { "s3:ListBucket" ], Resource = [ - "arn:${data.aws_partition.current.partition}:s3:::${module.velero_S3.bucket_name}/*" + "arn:${data.aws_partition.current.partition}:s3:::${module.S3["velero"].bucket_name}/*" ] }, { @@ -117,7 +50,7 @@ resource "aws_iam_policy" "velero_policy" { "kms:GenerateDataKey", "kms:Decrypt" ] - Resource = [local.velero_kms_key_arn] + Resource = [local.kms_key_arns["velero"].kms_key_arn] } ] diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 6ce3a1122..1c76d4f73 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml 
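Review bot: In the `@@ -108,7 +41,7 @@` hunk the statement whose action is `s3:ListBucket` is given the object ARN `...:s3:::${module.S3["velero"].bucket_name}/*`; ListBucket is evaluated against the bucket ARN, so this statement grants nothing, and the wildcard is carried over from the removed line rather than introduced here. The loki policy in this same patch uses the bare bucket ARN for ListBucket, and the velero line should match: `"arn:${data.aws_partition.current.partition}:s3:::${module.S3["velero"].bucket_name}"`. Listing may still work today through the shared bucket policy in main.tf, which is presumably why the gap went unnoticed. The aws_iam_policy block these hunks edit starts outside them.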
@@ -24,8 +24,6 @@ jobs: echo "UDS_STATE_KEY="tfstate/ci/install/${SHA:0:7}-core-aws.tfstate >> $GITHUB_ENV echo "TF_VAR_region=${UDS_REGION}" >> $GITHUB_ENV echo "TF_VAR_name=uds-core-aws-${SHA:0:7}" >> $GITHUB_ENV - echo "TF_VAR_loki_bucket_name=uds-core-aws-${SHA:0:7}-loki" >> $GITHUB_ENV - echo "TF_VAR_velero_bucket_name=uds-core-aws-${SHA:0:7}-velero" >> $GITHUB_ENV echo "TF_VAR_use_permissions_boundary=true" >> $GITHUB_ENV echo "TF_VAR_permissions_boundary_name=${UDS_PERMISSIONS_BOUNDARY_NAME}" >> $GITHUB_ENV From d64da94e7059dfe4f6dee567d9e17e8ee7d2259f Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Tue, 2 Apr 2024 15:09:56 -0600 Subject: [PATCH 79/82] remove .tfvars from bucket iac --- .github/test-infra/buckets-iac/terraform.tfvars | 4 ---- 1 file changed, 4 deletions(-) delete mode 100644 .github/test-infra/buckets-iac/terraform.tfvars diff --git a/.github/test-infra/buckets-iac/terraform.tfvars b/.github/test-infra/buckets-iac/terraform.tfvars deleted file mode 100644 index c275e8c06..000000000 --- a/.github/test-infra/buckets-iac/terraform.tfvars +++ /dev/null @@ -1,4 +0,0 @@ -loki_service_account = "logging-loki" -loki_namespace = "logging" -velero_service_account = "velero-server" -velero_namespace = "velero" From dee4c1b920b4be88947eab6e2949d43484a1f690 Mon Sep 17 00:00:00 2001 From: Tristan Holaday <40547442+TristanHoladay@users.noreply.github.com> Date: Tue, 2 Apr 2024 19:53:47 -0600 Subject: [PATCH 80/82] Update .github/workflows/test-eks.yaml Co-authored-by: zamaz <71521611+zachariahmiller@users.noreply.github.com> --- .github/workflows/test-eks.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 1c76d4f73..41b7e0486 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml 
@@ -37,7 +37,6 @@ jobs: role-session-name: ${{ github.job || github.event.client_payload.pull_request.head.sha || github.sha }} aws-region: ${{ env.UDS_REGION }} role-duration-seconds: 21600 - - name: Environment setup uses: ./.github/actions/setup From 014e6b66d813213848edabf343d6cc7f9a33933f Mon Sep 17 00:00:00 2001 From: TristanHoladay <40547442+TristanHoladay@users.noreply.github.com> Date: Tue, 2 Apr 2024 19:56:26 -0600 Subject: [PATCH 81/82] nightly test set to run only nightly; yamllint --- .github/workflows/nightly-testing.yaml | 1 - .github/workflows/test-eks.yaml | 2 +- tasks/create.yaml | 1 - tasks/iac.yaml | 18 +++++++++--------- 4 files changed, 10 insertions(+), 12 deletions(-) diff --git a/.github/workflows/nightly-testing.yaml b/.github/workflows/nightly-testing.yaml index ced256239..4b994e128 100644 --- a/.github/workflows/nightly-testing.yaml +++ b/.github/workflows/nightly-testing.yaml @@ -3,7 +3,6 @@ name: Nightly Testing on: schedule: - cron: '0 6 * * *' # Runs at midnight Mountain every day - pull_request: jobs: nightly-testing: diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index 41b7e0486..a7bba6669 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml @@ -58,7 +58,7 @@ jobs: run: uds run -f tasks/iac.yaml create-cluster timeout-minutes: 60 - - name: Create IAC + - name: Create IAC run: uds run -f tasks/iac.yaml create-iac timeout-minutes: 20 diff --git a/tasks/create.yaml b/tasks/create.yaml index 26b925ac9..29e2764b9 100644 --- a/tasks/create.yaml +++ b/tasks/create.yaml @@ -58,4 +58,3 @@ tasks: rm -fr dist npm ci npx pepr build $CUSTOM_PEPR_IMAGE - diff --git a/tasks/iac.yaml b/tasks/iac.yaml index fe25c2dc9..031c0d7b4 100644 --- a/tasks/iac.yaml +++ b/tasks/iac.yaml 
@@ -69,7 +69,7 @@ tasks: - cmd: sleep 5 - cmd: eksctl create cluster -f cluster-config.yaml - cmd: eksctl utils write-kubeconfig -c ${CLUSTER_NAME} - + - name: destroy-cluster actions: - cmd: eksctl delete cluster -f cluster-config.yaml --disable-nodegroup-eviction --wait @@ -101,31 +101,31 @@ tasks: dir: .github/test-infra/buckets-iac - cmd: terraform apply -auto-approve dir: .github/test-infra/buckets-iac - + - name: terraform-outputs actions: - cmd: terraform output -raw loki_s3_bucket - setVariables: + setVariables: - name: "LOKI_S3_BUCKET" dir: .github/test-infra/buckets-iac - cmd: terraform output -raw aws_region - setVariables: + setVariables: - name: LOKI_S3_AWS_REGION dir: .github/test-infra/buckets-iac - cmd: terraform output -raw loki_irsa_role_arn - setVariables: + setVariables: - name: LOKI_S3_ROLE_ARN dir: .github/test-infra/buckets-iac - cmd: terraform output -raw velero_s3_bucket - setVariables: + setVariables: - name: VELERO_S3_BUCKET dir: .github/test-infra/buckets-iac - cmd: terraform output -raw aws_region - setVariables: + setVariables: - name: VELERO_S3_AWS_REGION dir: .github/test-infra/buckets-iac - cmd: terraform output -raw velero_irsa_role_arn - setVariables: + setVariables: - name: VELERO_S3_ROLE_ARN dir: .github/test-infra/buckets-iac @@ -152,4 +152,4 @@ tasks: velero_bucket_provider_url: "" velero_bucket_credential_name: "" velero_bucket_credential_key: "" - EOF \ No newline at end of file + EOF From a0773e7607f5589ee5bf60a97ab0325c1ffdde71 Mon Sep 17 00:00:00 2001 From: Tristan Holaday <40547442+TristanHoladay@users.noreply.github.com> Date: Tue, 2 Apr 2024 19:59:34 -0600 Subject: [PATCH 82/82] Update .gitignore Co-authored-by: zamaz <71521611+zachariahmiller@users.noreply.github.com> --- .gitignore | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index 9c78aa279..218f55004 100644 --- a/.gitignore +++ b/.gitignore 
@@ -14,4 +14,4 @@ zarf
 tmp-tasks.yaml
 cacert.b64
 run/
-extract-terraform.sh
\ No newline at end of file
+extract-terraform.sh