From 0a6a9d0700238282a7afad929f7119519fc70d9e Mon Sep 17 00:00:00 2001 
From: michaeljguarino Date: Tue, 17 Dec 2024 16:35:15 -0500 Subject: [PATCH 1/6] Add a core-infra stack to set up initial service contexts, and other stuff This is generally nice to have, but also will ensure the management console has a service context, alongside the ones we put on the other clusters --- setup/stacks/core-infra.yaml | 23 +++++++++++++++++++ templates/clusters/stack.yaml | 13 ++++------- terraform/core-infra/aws/README.md | 4 ++++ terraform/core-infra/aws/context.tf | 17 ++++++++++++++ terraform/core-infra/aws/variables.tf | 8 +++++++ terraform/core-infra/aws/versions.tf | 21 +++++++++++++++++ terraform/core-infra/azure/README.md | 4 ++++ terraform/core-infra/azure/context.tf | 0 terraform/core-infra/azure/variables.tf | 8 +++++++ terraform/core-infra/azure/versions.tf | 28 +++++++++++++++++++++++ terraform/core-infra/gcp/README.md | 4 ++++ terraform/core-infra/gcp/context.tf | 22 ++++++++++++++++++ terraform/core-infra/gcp/variables.tf | 8 +++++++ terraform/core-infra/gcp/versions.tf | 28 +++++++++++++++++++++++ terraform/modules/clusters/aws/context.tf | 11 +++++++++ terraform/modules/clusters/gcp/context.tf | 10 ++++++++ 16 files changed, 201 insertions(+), 8 deletions(-) create mode 100644 setup/stacks/core-infra.yaml create mode 100644 terraform/core-infra/aws/README.md create mode 100644 terraform/core-infra/aws/context.tf create mode 100644 terraform/core-infra/aws/variables.tf create mode 100644 terraform/core-infra/aws/versions.tf create mode 100644 terraform/core-infra/azure/README.md create mode 100644 terraform/core-infra/azure/context.tf create mode 100644 terraform/core-infra/azure/variables.tf create mode 100644 terraform/core-infra/azure/versions.tf create mode 100644 terraform/core-infra/gcp/README.md create mode 100644 terraform/core-infra/gcp/context.tf create mode 100644 terraform/core-infra/gcp/variables.tf create mode 100644 terraform/core-infra/gcp/versions.tf create mode 100644 terraform/modules/clusters/aws/context.tf 
create mode 100644 terraform/modules/clusters/gcp/context.tf diff --git a/setup/stacks/core-infra.yaml b/setup/stacks/core-infra.yaml new file mode 100644 index 0000000..84763c9 --- /dev/null +++ b/setup/stacks/core-infra.yaml @@ -0,0 +1,23 @@ +apiVersion: deployments.plural.sh/v1alpha1 +kind: InfrastructureStack +metadata: + name: core-infra +spec: + name: core-infra + detach: false + type: TERRAFORM + approval: true + manageState: true + actor: console@plural.sh + repositoryRef: + name: infra + namespace: infra + clusterRef: + name: mgmt + namespace: infra + variables: + region: [[ .Region ]] + cluster_name: [[ .Cluster ]] + git: + ref: main + folder: terraform/core-infra \ No newline at end of file diff --git a/templates/clusters/stack.yaml b/templates/clusters/stack.yaml index fa5a894..cadcd77 100644 --- a/templates/clusters/stack.yaml +++ b/templates/clusters/stack.yaml @@ -17,13 +17,10 @@ spec: clusterRef: name: mgmt namespace: infra + variables: + cluster: {{ context.name }} + fleet: {{ context.fleet }} + tier: {{ context.tier }} git: ref: main - folder: terraform/modules/clusters/{{ context.cloud }} - environment: - - name: TF_VAR_cluster - value: {{ context.name }} - - name: TF_VAR_fleet - value: {{ context.fleet }} - - name: TF_VAR_tier - value: {{ context.tier }} \ No newline at end of file + folder: terraform/modules/clusters/{{ context.cloud }} \ No newline at end of file diff --git a/terraform/core-infra/aws/README.md b/terraform/core-infra/aws/README.md new file mode 100644 index 0000000..c388335 --- /dev/null +++ b/terraform/core-infra/aws/README.md @@ -0,0 +1,4 @@ +# this can be used for provisioning any base infrastructure for your environment, a couple of common usecases: +# * setting up multi-cluster networks +# * setting up dns zones, subdomains, etc +# * configuring Cloud IAM throughout your environment \ No newline at end of file 
diff --git a/terraform/core-infra/aws/context.tf b/terraform/core-infra/aws/context.tf
new file mode 100644
index 0000000..61a653d
--- /dev/null
+++ b/terraform/core-infra/aws/context.tf
@@ -0,0 +1,17 @@
+data "aws_eks_cluster" "mgmt" {
+ name = var.cluster_name
+}
+
+data "aws_vpc" "mgmt" {
+ id = one(data.aws_eks_cluster.mgmt.vpc_config).vpc_id
+}
+
+resource "plural_service_context" "mgmt" {
+ name = "plrl/clusters/mgmt"
+ configuration = {
+ cluster_name = var.cluster_name
+ vpc_id = one(data.aws_eks_cluster.mgmt.vpc_config).vpc_id
+ subnet_ids = one(data.aws_eks_cluster.mgmt.vpc_config).subnet_ids
+ vpc_cidr = data.aws_vpc.mgmt.cidr_block
+ }
+}
\ No newline at end of file
diff --git a/terraform/core-infra/aws/variables.tf b/terraform/core-infra/aws/variables.tf
new file mode 100644
index 0000000..13ae710
--- /dev/null
+++ b/terraform/core-infra/aws/variables.tf
@@ -0,0 +1,8 @@
+variable "region" {
+ type = string
+ default = "us-east-2"
+}
+
+variable "cluster_name" {
+ type = string
+}
\ No newline at end of file
diff --git a/terraform/core-infra/aws/versions.tf b/terraform/core-infra/aws/versions.tf
new file mode 100644
index 0000000..327b76d
--- /dev/null
+++ b/terraform/core-infra/aws/versions.tf
@@ -0,0 +1,21 @@
+terraform {
+ required_version = ">= 1.0"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ }
+
+ plural = {
+ source = "pluralsh/plural"
+ version = ">= 0.2.9"
+ }
+ }
+}
+
+provider "aws" {
+ region = var.region
+}
+
+
+provider "plural" { }
\ No newline at end of file
diff --git a/terraform/core-infra/azure/README.md b/terraform/core-infra/azure/README.md
new file mode 100644
index 0000000..c388335
--- /dev/null
+++ b/terraform/core-infra/azure/README.md
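Review bot: In terraform/core-infra/aws/versions.tf the `aws` entry under `required_providers` has no `version` constraint, so each stack run resolves whichever hashicorp/aws release is current at that moment, and `plural` is only bounded below with `>= 0.2.9`. Because this stack runs with `manageState: true` under the console actor, an unannounced provider upgrade can change plan output with no change in this repository; pin both, e.g. `aws = { source = "hashicorp/aws", version = "<pinned constraint>" }`, and make sure the dependency lock file is committed (none is visible in this series). The same unconstrained `google` entry appears in terraform/core-infra/gcp/versions.tf in this patch; the azurerm block added in the second patch does carry a bounded constraint and is the pattern to follow.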
@@ -0,0 +1,4 @@ +# this can be used for provisioning any base infrastructure for your environment, a couple of common usecases: +# * setting up multi-cluster networks +# * setting up dns zones, subdomains, etc +# * configuring Cloud IAM throughout your environment \ No newline at end of file diff --git a/terraform/core-infra/azure/context.tf b/terraform/core-infra/azure/context.tf new file mode 100644 index 0000000..e69de29 diff --git a/terraform/core-infra/azure/variables.tf b/terraform/core-infra/azure/variables.tf new file mode 100644 index 0000000..f0bf816 --- /dev/null +++ b/terraform/core-infra/azure/variables.tf @@ -0,0 +1,8 @@ +variable "region" { + type = string + default = "us-east-2" +} + +variable "cluster_name" { + type = string +} \ No newline at end of file diff --git a/terraform/core-infra/azure/versions.tf b/terraform/core-infra/azure/versions.tf new file mode 100644 index 0000000..b519a70 --- /dev/null +++ b/terraform/core-infra/azure/versions.tf @@ -0,0 +1,28 @@ +terraform { + required_version = ">= 1.0" + + required_providers { + google = { + source = "hashicorp/google" + } + kubernetes = { + source = "hashicorp/kubernetes" + version = ">= 2.10" + } + plural = { + source = "pluralsh/plural" + version = ">= 0.2.9" + } + local = { + source = "hashicorp/local" + } + } +} + +provider "google" { + region = var.region +} + +data "google_client_config" "default" {} + +provider "plural" { } \ No newline at end of file diff --git a/terraform/core-infra/gcp/README.md b/terraform/core-infra/gcp/README.md new file mode 100644 index 0000000..c388335 --- /dev/null +++ b/terraform/core-infra/gcp/README.md @@ -0,0 +1,4 @@ +# this can be used for provisioning any base infrastructure for your environment, a couple of common usecases: +# * setting up multi-cluster networks +# * setting up dns zones, subdomains, etc +# * configuring Cloud IAM throughout your environment \ No newline at end of file 
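Review bot: terraform/core-infra/azure/variables.tf defaults `region` to `"us-east-2"`, which is an AWS region name; the file looks copied from the aws directory, and the same default is repeated in terraform/core-infra/gcp/variables.tf. A wrong default only surfaces at apply time inside a stack run, so either drop the default so the stack's `region: [[ .Region ]]` variable has to supply it, or default to a value the target cloud actually accepts. Both variables would also benefit from a `description`, e.g. `description = "Region of the management cluster this stack inspects"`.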
diff --git a/terraform/core-infra/gcp/context.tf b/terraform/core-infra/gcp/context.tf
new file mode 100644
index 0000000..cca69be
--- /dev/null
+++ b/terraform/core-infra/gcp/context.tf
@@ -0,0 +1,22 @@
+data "google_container_cluster" "mgmt" {
+ name = var.cluster_name
+ location = var.region
+}
+
+data "google_compute_network" "network" {
+ name = data.google_container_cluster.mgmt.network
+}
+
+data "google_compute_subnetwork" "subnetwork" {
+ name = data.google_container_cluster.mgmt.subnetwork
+}
+
+resource "plural_service_context" "mgmt" {
+ name = "plrl/clusters/mgmt"
+ configuration = {
+ cluster_name = var.cluster_name
+ network = data.google_container_cluster.mgmt.network
+ subnetwork = data.google_container_cluster.mgmt.subnetwork
+ cidr = data.google_compute_subnetwork.ip_cidr_range
+ }
+}
\ No newline at end of file
diff --git a/terraform/core-infra/gcp/variables.tf b/terraform/core-infra/gcp/variables.tf
new file mode 100644
index 0000000..13ae710
--- /dev/null
+++ b/terraform/core-infra/gcp/variables.tf
@@ -0,0 +1,8 @@
+variable "region" {
+ type = string
+ default = "us-east-2"
+}
+
+variable "cluster_name" {
+ type = string
+}
\ No newline at end of file
diff --git a/terraform/core-infra/gcp/versions.tf b/terraform/core-infra/gcp/versions.tf
new file mode 100644
index 0000000..b519a70
--- /dev/null
+++ b/terraform/core-infra/gcp/versions.tf
@@ -0,0 +1,28 @@
+terraform {
+ required_version = ">= 1.0"
+
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ }
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = ">= 2.10"
+ }
+ plural = {
+ source = "pluralsh/plural"
+ version = ">= 0.2.9"
+ }
+ local = {
+ source = "hashicorp/local"
+ }
+ }
+}
+
+provider "google" {
+ region = var.region
+}
+
+data "google_client_config" "default" {}
+
+provider "plural" { }
\ No newline at end of file
diff --git a/terraform/modules/clusters/aws/context.tf b/terraform/modules/clusters/aws/context.tf
new file mode 100644
index 0000000..80c0382
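Review bot: `cidr = data.google_compute_subnetwork.ip_cidr_range` in terraform/core-infra/gcp/context.tf omits the resource label, so the reference cannot resolve; it should read `cidr = data.google_compute_subnetwork.subnetwork.ip_cidr_range`. The second patch in this series rewraps the same block in `jsonencode` but carries the broken reference through unchanged. The `google_compute_subnetwork` lookup is by `name` only with no `region` — presumably it falls back to the provider region, worth confirming since `var.region` is passed explicitly to the cluster lookup — and `data "google_compute_network" "network"` is declared but never referenced, so either include it in the context or drop it.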
--- /dev/null
+++ b/terraform/modules/clusters/aws/context.tf
@@ -0,0 +1,11 @@
+resource "plural_service_context" "mgmt" {
+ name = "plrl/clusters/${var.cluster_name}"
+ configuration = {
+ cluster_name = var.cluster_name
+ vpc_id = module.vpc.vpc_id
+ subnet_ids = concat(module.vpc.public_subnets, module.vpc.private_subnets)
+ private_subnets = module.vpc.private_subnets
+ public_subnets = module.vpc.public_subnets
+ vpc_cidr = var.vpc_cidr
+ }
+}
\ No newline at end of file
diff --git a/terraform/modules/clusters/gcp/context.tf b/terraform/modules/clusters/gcp/context.tf
new file mode 100644
index 0000000..c11c0b2
--- /dev/null
+++ b/terraform/modules/clusters/gcp/context.tf
@@ -0,0 +1,10 @@
+resource "plural_service_context" "mgmt" {
+ name = "plrl/clusters/${var.cluster_name}"
+
+ configuration = {
+ cluster_name = var.cluster_name
+ network = module.gcp-network.network_name
+ subnetwork = module.gcp-network.subnets_names[0]
+ cidr = var.subnet_cidr
+ }
+}
\ No newline at end of file
From beb5cc295034bf75986c40b56946338f06ac3127 Mon Sep 17 00:00:00 2001
From: michaeljguarino
Date: Fri, 20 Dec 2024 17:14:51 -0500
Subject: [PATCH 2/6] fix some context definitions
---
 terraform/core-infra/aws/context.tf | 4 ++--
 terraform/core-infra/azure/versions.tf | 22 +++++++++-------------
 terraform/core-infra/gcp/context.tf | 4 ++--
 terraform/core-infra/gcp/versions.tf | 7 -------
 4 files changed, 13 insertions(+), 24 deletions(-)
diff --git a/terraform/core-infra/aws/context.tf b/terraform/core-infra/aws/context.tf
index 61a653d..edf3db9 100644
--- a/terraform/core-infra/aws/context.tf
+++ b/terraform/core-infra/aws/context.tf
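Review bot: Both new module files pass `configuration` as a plain object (`configuration = { ... }`), while the second patch in this series changes the equivalent core-infra contexts to `configuration = jsonencode({ ... })`; if that attribute does expect a JSON string, terraform/modules/clusters/aws/context.tf and terraform/modules/clusters/gcp/context.tf will fail in the same way and need the same wrapping. Keeping all four `plural_service_context` definitions identical in shape also keeps consumers of the `plrl/clusters/<name>` contexts simple. The resource is labelled `mgmt` in both module files even though `name` is derived from `var.cluster_name`; a neutral label such as `cluster` would read less confusingly next to the genuinely mgmt-specific contexts under terraform/core-infra.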
@@ -8,10 +8,10 @@ data "aws_vpc" "mgmt" { resource "plural_service_context" "mgmt" { name = "plrl/clusters/mgmt" - configuration = { + configuration = jsonencode({ cluster_name = var.cluster_name vpc_id = one(data.aws_eks_cluster.mgmt.vpc_config).vpc_id subnet_ids = one(data.aws_eks_cluster.mgmt.vpc_config).subnet_ids vpc_cidr = data.aws_vpc.mgmt.cidr_block - } + }) } \ No newline at end of file diff --git a/terraform/core-infra/azure/versions.tf b/terraform/core-infra/azure/versions.tf index b519a70..903cbe5 100644 --- a/terraform/core-infra/azure/versions.tf +++ b/terraform/core-infra/azure/versions.tf @@ -2,27 +2,23 @@ terraform { required_version = ">= 1.0" required_providers { - google = { - source = "hashicorp/google" - } - kubernetes = { - source = "hashicorp/kubernetes" - version = ">= 2.10" + azurerm = { + source = "hashicorp/azurerm" + version = ">=3.51.0, < 4.0" } plural = { source = "pluralsh/plural" version = ">= 0.2.9" } - local = { - source = "hashicorp/local" - } } } -provider "google" { - region = var.region +provider "azurerm" { + features { + resource_group { + prevent_deletion_if_contains_resources = false + } + } } -data "google_client_config" "default" {} - provider "plural" { } \ No newline at end of file diff --git a/terraform/core-infra/gcp/context.tf b/terraform/core-infra/gcp/context.tf index cca69be..dea95cc 100644 --- a/terraform/core-infra/gcp/context.tf +++ b/terraform/core-infra/gcp/context.tf @@ -13,10 +13,10 @@ data "google_compute_subnetwork" "subnetwork" { resource "plural_service_context" "mgmt" { name = "plrl/clusters/mgmt" - configuration = { + configuration = jsonencode({ cluster_name = var.cluster_name network = data.google_container_cluster.mgmt.network subnetwork = data.google_container_cluster.mgmt.subnetwork cidr = data.google_compute_subnetwork.ip_cidr_range - } + }) } \ No newline at end of file diff --git a/terraform/core-infra/gcp/versions.tf b/terraform/core-infra/gcp/versions.tf index b519a70..9ce1e08 100644 
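Review bot: `prevent_deletion_if_contains_resources = false` in terraform/core-infra/azure/versions.tf switches off the azurerm guard that refuses to destroy a resource group still containing resources, so a plan that removes a group — including one produced by a mistaken variable change — takes everything inside it along. Given this stack applies after approval with `manageState: true`, either leave the provider default in place or record why the guard is disabled next to the setting, e.g. `# guard disabled so the stack can tear down groups it created; read destroy plans carefully before approving`. After this change nothing in the azure directory references `var.region` any more, yet it remains declared in variables.tf with an AWS-style default; drop it or wire it to whatever azure resources the empty context.tf is meant to hold.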
--- a/terraform/core-infra/gcp/versions.tf +++ b/terraform/core-infra/gcp/versions.tf @@ -5,17 +5,10 @@ terraform { google = { source = "hashicorp/google" } - kubernetes = { - source = "hashicorp/kubernetes" - version = ">= 2.10" - } plural = { source = "pluralsh/plural" version = ">= 0.2.9" } - local = { - source = "hashicorp/local" - } } } From 47cdd5206928742f3e4a6189805719e14bd96478 Mon Sep 17 00:00:00 2001 From: michaeljguarino Date: Sun, 22 Dec 2024 12:30:10 -0500 Subject: [PATCH 3/6] add setting for management repo too --- setup/pr-automation/scm.yaml | 6 +++--- setup/settings.yaml | 2 ++ 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/setup/pr-automation/scm.yaml b/setup/pr-automation/scm.yaml index ed8d5ed..20da15b 100644 --- a/setup/pr-automation/scm.yaml +++ b/setup/pr-automation/scm.yaml @@ -1,8 +1,8 @@ -# You will need to manually create the github scm connection this refers to +# You will need to manually create the SCM connection this refers to in the Plural Console UI # apiVersion: deployments.plural.sh/v1alpha1 # kind: ScmConnection # metadata: -# name: github +# name: plural # spec: -# name: github +# name: plural # type: GITHUB \ No newline at end of file diff --git a/setup/settings.yaml b/setup/settings.yaml index 0427af7..e25bc29 100644 --- a/setup/settings.yaml +++ b/setup/settings.yaml @@ -4,6 +4,8 @@ metadata: name: global namespace: plrl-deploy-operator spec: + managementRepo: [[ .Identifier ]] + stacks: jobSpec: namespace: plrl-deploy-operator From 04b3e23a0cbc433963c996ffe35859ceb5687400 Mon Sep 17 00:00:00 2001 
From: michaeljguarino Date: Sun, 22 Dec 2024 18:44:22 -0500 Subject: [PATCH 4/6] clean up some of the up resources --- setup/catalogs.yaml | 18 ++++++++++ setup/pr-automation/cluster-creator.yaml | 2 +- setup/pr-automation/gatekeeper-setup.yaml | 28 --------------- .../prometheus/prom-agent-creator.yaml | 34 ------------------- .../prometheus/prom-creator.yaml | 28 --------------- setup/stacks/mgmt.yaml | 20 +++++++++++ terraform/clouds/aws/eks.tf | 15 ++++++++ terraform/clouds/aws/variables.tf | 5 +++ 8 files changed, 59 insertions(+), 91 deletions(-) create mode 100644 setup/catalogs.yaml delete mode 100644 setup/pr-automation/gatekeeper-setup.yaml delete mode 100644 setup/pr-automation/prometheus/prom-agent-creator.yaml delete mode 100644 setup/pr-automation/prometheus/prom-creator.yaml create mode 100644 setup/stacks/mgmt.yaml diff --git a/setup/catalogs.yaml b/setup/catalogs.yaml new file mode 100644 index 0000000..fe9fed3 --- /dev/null +++ b/setup/catalogs.yaml @@ -0,0 +1,18 @@ +apiVersion: deployments.plural.sh/v1alpha1 +kind: ServiceDeployment +metadata: + name: catalogs + namespace: infra +spec: + namespace: catalogs + git: + folder: setup + ref: main + repositoryRef: + kind: GitRepository + namespace: infra + name: scaffolds + clusterRef: + kind: Cluster + name: mgmt + namespace: infra \ No newline at end of file diff --git a/setup/pr-automation/cluster-creator.yaml b/setup/pr-automation/cluster-creator.yaml index 16420ff..c08078e 100644 --- a/setup/pr-automation/cluster-creator.yaml +++ b/setup/pr-automation/cluster-creator.yaml 
@@ -18,7 +18,7 @@ spec: destination: "bootstrap/clusters.yaml" external: false scmConnectionRef: - name: github # you'll need to add this ScmConnection manually before this is functional + name: plural # you'll need to add this ScmConnection manually before this is functional title: "Adding {{ context.cloud }} cluster: {{ context.name }}" message: "Adding {{ context.cloud }} cluster {{ context.name }} and registering it with Plural" identifier: [[ .Identifier ]] # REPLACEME with your own repo slug diff --git a/setup/pr-automation/gatekeeper-setup.yaml b/setup/pr-automation/gatekeeper-setup.yaml deleted file mode 100644 index a952611..0000000 --- a/setup/pr-automation/gatekeeper-setup.yaml +++ /dev/null @@ -1,28 +0,0 @@ -apiVersion: deployments.plural.sh/v1alpha1 -kind: PrAutomation -metadata: - name: gatekeeper-setup -spec: - name: gatekeeper-setup - documentation: | - Sets up OPA gatekeeper and installs a pre-baked policy bundle - creates: - templates: - - source: resources/policy/services - destination: "bootstrap/policy" - external: false - scmConnectionRef: - name: github # you'll need to add this ScmConnection manually before this is functional - title: "Setup OPA gatekeeper and install the {{ context.bundle }} policy bundle" - message: "Setup OPA gatekeeper and install the {{ context.bundle }} policy bundle" - identifier: [[ .Identifier ]] # REPLACEME with your own repo slug - configuration: - - name: bundle - type: ENUM - values: - - asm-policy-v0.0.1 - - cis-k8s-v1.5.1 - - policy-essentials-v2022 - - psp-v2022 - - pss-baseline-v2022 - documentation: A policy bundle you'd like to install \ No newline at end of file diff --git a/setup/pr-automation/prometheus/prom-agent-creator.yaml b/setup/pr-automation/prometheus/prom-agent-creator.yaml deleted file mode 100644 index eb452c8..0000000 --- a/setup/pr-automation/prometheus/prom-agent-creator.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -apiVersion: deployments.plural.sh/v1alpha1 -kind: PrAutomation -metadata: - name: metrics-agent-creator -spec: - name: metrics-agent-creator - documentation: | - Sets up a victoria metrics agent for shipping metrics, pairs with `prom-creator` - creates: - templates: - - source: resources/monitoring/helm - destination: "helm/monitoring" - external: false - - source: resources/monitoring/mgmt.yaml - destination: "bootstrap/monitoring/mgmt.yaml" - external: false - scmConnectionRef: - name: github # you'll need to add this ScmConnection manually before this is functional - title: "Setup prometheus agent for metrics shipping" - message: "Setup prometheus agent for metrics shipping" - identifier: [[ .Identifier ]] # REPLACEME with your own repo slug - configuration: - - name: cluster - type: STRING - documentation: CRD name for this cluster, use `mgmt` to place it in the management cluster - - name: host - type: STRING - documentation: the FQDN of your victoria metrics prometheus instance - - name: tagName - type: STRING - documentation: The cluster tag name you want to use to control the global service for installation of prometheus agent - - name: tagValue - type: STRING - documentation: The cluster tag value you want to use to control the global service for installation of prometheus agent diff --git a/setup/pr-automation/prometheus/prom-creator.yaml b/setup/pr-automation/prometheus/prom-creator.yaml deleted file mode 100644 index 1dc1533..0000000 --- a/setup/pr-automation/prometheus/prom-creator.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -apiVersion: deployments.plural.sh/v1alpha1 -kind: PrAutomation -metadata: - name: prom-creator -spec: - name: prom-creator - documentation: | - Sets up a victoria metrics prometheus instance for metrics storage, pairs with prom-agent-creator to ship metrics from workload clusters - creates: - templates: - - source: resources/monitoring/helm - destination: "helm/monitoring" - external: false - - source: resources/monitoring/mgmt.yaml - destination: "bootstrap/monitoring/mgmt.yaml" - external: false - scmConnectionRef: - name: github # you'll need to add this ScmConnection manually before this is functional - title: "Setup a prometheus cluster for fleetwide metrics" - message: "Setup a prometheus cluster for fleetwide metrics in {{ context.cluster }}" - identifier: [[ .Identifier ]] # REPLACEME with your own repo slug - configuration: - - name: cluster - type: STRING - documentation: CRD name for this cluster, use `mgmt` to place it in the management cluster - - name: host - type: STRING - documentation: the FQDN you want victoria metrics prometheus to be hosted on, you'll need external-dns and cert manager already configured diff --git a/setup/stacks/mgmt.yaml b/setup/stacks/mgmt.yaml new file mode 100644 index 0000000..906d0dd --- /dev/null +++ b/setup/stacks/mgmt.yaml @@ -0,0 +1,20 @@ +apiVersion: deployments.plural.sh/v1alpha1 +kind: InfrastructureStack +metadata: + name: mgmt +spec: + name: mgmt + detach: false + type: TERRAFORM + approval: true + manageState: false + actor: console@plural.sh + repositoryRef: + name: infra + namespace: infra + clusterRef: + name: mgmt + namespace: infra + git: + ref: main + folder: terraform/mgmt \ No newline at end of file diff --git a/terraform/clouds/aws/eks.tf b/terraform/clouds/aws/eks.tf index 005caf1..e9d1d17 100644 --- a/terraform/clouds/aws/eks.tf +++ b/terraform/clouds/aws/eks.tf 
@@ -1,3 +1,13 @@ +data "aws_caller_identity" "current" {} + +data "aws_iam_session_context" "current" { + # This data source provides information on the IAM source role of an STS assumed role + # For non-role ARNs, this data source simply passes the ARN through issuer ARN + # Ref https://github.com/terraform-aws-modules/terraform-aws-eks/issues/2327#issuecomment-1355581682 + # Ref https://github.com/hashicorp/terraform-provider-aws/issues/28381 + arn = try(data.aws_caller_identity.current[0].arn, "") +} + module "eks" { source = "terraform-aws-modules/eks/aws" version = "~> 19.0" @@ -13,6 +23,11 @@ module "eks" { create_kms_key = true + kms_key_administrators = concat([ + module.assumable_role_stacks.iam_role_arn, + try(data.aws_iam_session_context.current[0].issuer_arn, "") + ], var.additional_kms_administrators) + # EKS Managed Node Group(s) eks_managed_node_group_defaults = merge(var.node_group_defaults, {ami_release_version = data.aws_ssm_parameter.eks_ami_release_version.value}) diff --git a/terraform/clouds/aws/variables.tf b/terraform/clouds/aws/variables.tf index 4521891..237d223 100644 --- a/terraform/clouds/aws/variables.tf +++ b/terraform/clouds/aws/variables.tf @@ -106,4 +106,9 @@ variable "create_cloudwatch_log_group" { variable "monitoring_role" { type = string default = "" +} + +variable "additional_kms_administrators" { + type = list(string) + default = [ ] } \ No newline at end of file From bbd35035e97c23b2d2613c1c0782ea47eee4ac00 Mon Sep 17 00:00:00 2001 From: michaeljguarino Date: Sun, 22 Dec 2024 20:33:51 -0500 Subject: [PATCH 5/6] add default notification router --- setup/notifications.yaml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 setup/notifications.yaml diff --git a/setup/notifications.yaml b/setup/notifications.yaml new file mode 100644 index 0000000..4d6a5f4 --- /dev/null +++ b/setup/notifications.yaml 
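Review bot: `variable "additional_kms_administrators"` in terraform/clouds/aws/variables.tf has no `description`, yet every ARN placed in it is concatenated into `kms_key_administrators` and so becomes an administrator in the policy of the key the module creates for the cluster (`create_kms_key = true`); document that scope so callers do not treat it as a generic role list, e.g. `description = "Extra IAM principal ARNs granted administrator rights in the key policy of the EKS secrets-encryption KMS key; keep minimal."`. In terraform/clouds/aws/eks.tf, `try(data.aws_caller_identity.current[0].arn, "")` and `try(data.aws_iam_session_context.current[0].issuer_arn, "")` index data sources that are declared without `count`, so the `try` appears to fall through to `""` and an empty string is inserted into the administrator list instead of the plan failing loudly; the last patch in this series replaces these with direct references, which is the right shape.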
@@ -0,0 +1,22 @@ +apiVersion: deployments.plural.sh/v1alpha1 +kind: NotificationRouter +metadata: + name: deployments +spec: + events: + - stack.run + - pr.create + - pr.close + sinks: + - name: plural + namespace: infra +--- +apiVersion: deployments.plural.sh/v1alpha1 +kind: NotificationSink +metadata: + name: plural +spec: + type: PLURAL + name: plural + bindings: + - groupName: general From 69194090de6b64c7b5213c4a1427f7d64ca6a1cd Mon Sep 17 00:00:00 2001 From: michaeljguarino Date: Mon, 23 Dec 2024 12:14:20 -0500 Subject: [PATCH 6/6] fix mgmt setup --- setup/stacks/mgmt.yaml | 2 ++ templates/providers/bootstrap/aws.tf | 11 +++++++- templates/providers/bootstrap/azure.tf | 7 ++++- templates/providers/bootstrap/gcp.tf | 7 ++++- templates/providers/bootstrap/linode.tf | 7 ++++- terraform/clouds/aws/eks.tf | 34 ++++++++++++++++++++++--- 6 files changed, 60 insertions(+), 8 deletions(-) diff --git a/setup/stacks/mgmt.yaml b/setup/stacks/mgmt.yaml index 906d0dd..b0895e4 100644 --- a/setup/stacks/mgmt.yaml +++ b/setup/stacks/mgmt.yaml @@ -15,6 +15,8 @@ spec: clusterRef: name: mgmt namespace: infra + variables: + use_cli: false git: ref: main folder: terraform/mgmt \ No newline at end of file diff --git a/templates/providers/bootstrap/aws.tf b/templates/providers/bootstrap/aws.tf index 8e54639..9adebe4 100644 --- a/templates/providers/bootstrap/aws.tf +++ b/templates/providers/bootstrap/aws.tf @@ -42,13 +42,17 @@ provider "aws" { data "aws_eks_cluster" "cluster" { name = module.mgmt.cluster.cluster_name + # BEGIN REMOVE depends_on = [ module.mgmt.cluster ] + # END REMOVE } data "aws_eks_cluster_auth" "cluster" { name = module.mgmt.cluster.cluster_name + # BEGIN REMOVE depends_on = [ module.mgmt.cluster ] + # END REMOVE } provider "kubernetes" { 
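Review bot: The `# BEGIN REMOVE` / `# END REMOVE` markers around the two `depends_on = [ module.mgmt.cluster ]` lines in templates/providers/bootstrap/aws.tf say what to remove but not when or why, so whoever works from the generated template has no basis for the decision. If the dependency is only needed for the initial bootstrap apply, before the cluster exists, and must go once the mgmt stack takes over the file with `use_cli: false`, say so in the marker itself, e.g. `# BEGIN REMOVE -- needed only for the first bootstrap apply; delete once the cluster exists and the mgmt stack manages this file`. That reason is not stated anywhere on this page, so confirm it before wording the comment.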
@@ -66,7 +70,7 @@ provider "helm" { } provider "plural" { - use_cli = true # If you want to have a Plural stack manage your console, comment this out and use the `actor` field + use_cli = var.use_cli # If you want to have a Plural stack manage your console, comment this out and use the `actor` field } ## useful outputs dumped here, can be moved to a separate file post-generate @@ -76,4 +80,9 @@ output "cloudwatch_iam_arn" { output "vpc_id" { value = module.mgmt.vpc.vpc_id +} + +variable "use_cli" { + type = bool + default = true } \ No newline at end of file diff --git a/templates/providers/bootstrap/azure.tf b/templates/providers/bootstrap/azure.tf index 503f66d..99935a8 100644 --- a/templates/providers/bootstrap/azure.tf +++ b/templates/providers/bootstrap/azure.tf @@ -69,5 +69,10 @@ provider "helm" { } provider "plural" { - use_cli = true # If you want to have a Plural stack manage your console, comment this out and use the `actor` field + use_cli = var.use_cli # If you want to have a Plural stack manage your console, comment this out and use the `actor` field +} + +variable "use_cli" { + type = bool + default = true } \ No newline at end of file diff --git a/templates/providers/bootstrap/gcp.tf b/templates/providers/bootstrap/gcp.tf index fd04858..57b3864 100644 --- a/templates/providers/bootstrap/gcp.tf +++ b/templates/providers/bootstrap/gcp.tf @@ -43,5 +43,10 @@ provider "helm" { } provider "plural" { - use_cli = true # If you want to have a Plural stack manage your console, comment this out and use the `actor` field + use_cli = var.use_cli # If you want to have a Plural stack manage your console, comment this out and use the `actor` field +} + +variable "use_cli" { + type = bool + default = true } \ No newline at end of file diff --git a/templates/providers/bootstrap/linode.tf b/templates/providers/bootstrap/linode.tf index 3c39178..27c402e 100644 --- a/templates/providers/bootstrap/linode.tf +++ b/templates/providers/bootstrap/linode.tf 
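Review bot: The inline comment on `use_cli = var.use_cli` in templates/providers/bootstrap/aws.tf still tells the reader to "comment this out and use the `actor` field", which described the old literal `true`; now that the value comes from a variable the instruction is stale, and the same comment is carried into azure.tf and gcp.tf in this patch and linode.tf in the next hunk. Replace it with the new mechanism, e.g. `use_cli = var.use_cli # set use_cli = false when a Plural stack manages this console (setup/stacks/mgmt.yaml does so via its variables); the stack actor is then used instead of the CLI session`. `variable "use_cli"` is appended after the outputs in each file without a `description`; one such as `description = "Authenticate the plural provider with the local CLI session (true) or the stack actor (false)"` would make the same point where the variable is defined.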
@@ -52,5 +52,10 @@ provider "helm" { } provider "plural" { - use_cli = true # If you want to have a Plural stack manage your console, comment this out and use the `actor` field + use_cli = var.use_cli # If you want to have a Plural stack manage your console, comment this out and use the `actor` field +} + +variable "use_cli" { + type = bool + default = true } \ No newline at end of file diff --git a/terraform/clouds/aws/eks.tf b/terraform/clouds/aws/eks.tf index e9d1d17..8b69523 100644 --- a/terraform/clouds/aws/eks.tf +++ b/terraform/clouds/aws/eks.tf @@ -5,12 +5,19 @@ data "aws_iam_session_context" "current" { # For non-role ARNs, this data source simply passes the ARN through issuer ARN # Ref https://github.com/terraform-aws-modules/terraform-aws-eks/issues/2327#issuecomment-1355581682 # Ref https://github.com/hashicorp/terraform-provider-aws/issues/28381 - arn = try(data.aws_caller_identity.current[0].arn, "") + arn = data.aws_caller_identity.current.arn +} + +data "aws_partition" "current" {} + +locals { + cluster_admin_policy = "arn:${data.aws_partition.current.partition}:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy" + stacks_arn = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role/${var.cluster_name}-plrl-stacks" } module "eks" { source = "terraform-aws-modules/eks/aws" - version = "~> 19.0" + version = "~> 20.0" cluster_name = var.cluster_name cluster_version = var.kubernetes_version 
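Review bot: `stacks_arn` in terraform/clouds/aws/eks.tf is now assembled from a naming convention (`role/${var.cluster_name}-plrl-stacks`) instead of the `module.assumable_role_stacks.iam_role_arn` reference the previous patch used, so Terraform no longer sees any dependency between that role and the access entry and KMS administrator list that consume the ARN, and a role created under a different name would simply leave an access entry pointing at a principal that does not exist. If the role module still lives in this configuration, `stacks_arn = module.assumable_role_stacks.iam_role_arn` keeps both the ordering and the name in one place; if the convention is deliberate (to break a cycle, perhaps), a comment saying so belongs on the local. The `~> 19.0` to `~> 20.0` bump is a major-version change of the EKS module — the access-entry attributes added in the next hunk presumably require it — and deserves a line in the commit message, since existing deployments pinned to 19 will face a migration. The `module "eks"` block continues beyond this hunk.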
@@ -23,9 +30,28 @@ module "eks" { create_kms_key = true + # You'll need to set this to false to allow Plural stacks to manage this cluster + enable_cluster_creator_admin_permissions = true + + access_entries = { + stacks = { + principal_arn = local.stacks_arn + type = "STANDARD" + + policy_associations = { + admin = { + policy_arn = local.cluster_admin_policy + access_scope = { + type = "cluster" + } + } + } + } + } + kms_key_administrators = concat([ - module.assumable_role_stacks.iam_role_arn, - try(data.aws_iam_session_context.current[0].issuer_arn, "") + # UNCOMMENT local.stacks_arn, + data.aws_iam_session_context.current.issuer_arn ], var.additional_kms_administrators) # EKS Managed Node Group(s)
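Review bot: `enable_cluster_creator_admin_permissions = true` carries a comment instructing the reader to hand-edit it to `false`, and `# UNCOMMENT local.stacks_arn,` asks for a second hand edit inside `kms_key_administrators`; manual edits to generated Terraform are exactly what the rest of this series moves into stack variables (`use_cli`). Drive both from variables instead, e.g. `enable_cluster_creator_admin_permissions = var.enable_cluster_creator_admin_permissions` and `concat(var.grant_stacks_kms_admin ? [local.stacks_arn] : [], [data.aws_iam_session_context.current.issuer_arn], var.additional_kms_administrators)`, so the switch is auditable in configuration rather than in a comment. The `stacks` access entry associates `AmazonEKSClusterAdminPolicy` at `cluster` scope, i.e. full cluster-admin for the stacks role; that is presumably what stacks need to manage the cluster, but state it in a comment on the entry so a reader does not assume a narrower grant was available. The `module "eks"` block begins before and ends after this hunk.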