feat: added tf infra for AWS ami account #6517
Conversation
|
Skipping CI for Draft Pull Request. |
k8s-ci-robot
added
do-not-merge/work-in-progress
| See the License for the specific language governing permissions and | ||
| limitations under the License. | ||
| */ | ||
|
|
There was a problem hiding this comment.
Is there an automated way to keep this file in sync with the team membership?
There was a problem hiding this comment.
We could look at doing something for that in the future
richardcase
force-pushed
the
capa_ami_account_users
branch
from
bba9e8a
to
a2789d4
Compare
richardcase
changed the title
k8s-ci-robot
added
area/bash
richardcase
force-pushed
the
capa_ami_account_users
branch
3 times, most recently
from
d3086f6
to
eedff35
Compare
richardcase
force-pushed
the
capa_ami_account_users
branch
from
eedff35
to
640607f
Compare
|
Thanks for addressing it @richardcase |
k8s-ci-robot
added
the
lgtm
| */ | ||
|
|
||
|
|
||
| resource "aws_iam_user" "ankitasw" { |
There was a problem hiding this comment.
seeing IAM users like this in 2024 is a bit sad - is this because we do not have SSO setup?
| */ | ||
|
|
||
| terraform { | ||
| backend "s3" {} |
There was a problem hiding this comment.
where is state stored, or how is the bucket identified to store the state?
|
@bryantbiggs - thats for the review comments. I've been AFK for the last ~5 weeks on a break. I'll pick this up again and will get back to you asap on the comments. |
|
We could potentially use IAM Identity centre for the AMI account(819546954734) instead of using IAM users/groups directly. We have identity centre enabled for the management account (see here. Off the top of my head this would mean roughly:
@bryantbiggs - do you think that using IAM Identity Centre would be better than whats is currently in this PR? It still requires us to create/list the users in TF but at least we are not relying on the password output and a human to send them to the respective maintainer. |
|
yes, SSO would be better. no matter what, we'll have to map users somewhere at the end of the day - but with SSO, we avoid the use of long lived credentials and it will give us the ability to map users to multiple accounts (as needed) cc @upodroid |
|
Done:
Todo:
|
| @@ -0,0 +1,42 @@ | |||
| resource "aws_iam_openid_connect_provider" "github" { | |||
There was a problem hiding this comment.
FYI - we do have this https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/modules/iam-github-oidc-provider
Also, this is set ONCE per account - not sure if this would be the right place or if there is somewher where account level settings are created cc @ameukam
There was a problem hiding this comment.
Great, i wasn't aware of these. Thanks @bryantbiggs . I will update to use the modules instead of the handcrafted versions.
This is account is purely for the CAPA amis, so seems reasonable to have it here.
There was a problem hiding this comment.
Updated to use this module.
There was a problem hiding this comment.
This looks technically fine but we need to double check with the Github admin team if we are allowed to do this.
(Kubernetes organizations are not the responsibilities of the Infra SIG)
There was a problem hiding this comment.
Shall i ask in #github-management?
There was a problem hiding this comment.
Feedback from #github-management is that we shouldn't use OIDC from GHA in this way. Prow with IRSA should be used.
I will update the PR accordingly.
richardcase
force-pushed
the
capa_ami_account_users
branch
2 times, most recently
from
a4c8147
to
dc3bd39
Compare
| for val in "${arr[@]}"; do | ||
| aws ec2 disable-image-block-public-access --region "$val" | ||
| done |
There was a problem hiding this comment.
we could do this with a HCL code ? cc @bryantbiggs
Don't have to be in this PR. Just want to be sure we can skip bash configuration
There was a problem hiding this comment.
I'm asking the other CAPA maintainer whether we need to continue publishing the AMIs to 15 regions. And whether we can just publish to 1 instead. If we change to just one then we can remove this completly.
But if there was a way that this could be done in HCL then that would give us options.
|
Thank you @ameukam and @bryantbiggs for the feedback, its very much appreciated. |
| source = "terraform-aws-modules/iam/aws//modules/iam-github-oidc-role" | ||
|
|
||
| name = "gh-image-builder" | ||
| subjects = ["kubernetes-sigs/cluster-api-provider-aws:*"] |
There was a problem hiding this comment.
Is there a particular reason why we are using github actions instead of prow? We can configure prow jobs to assume AWS roles very easily
There was a problem hiding this comment.
When we started this work in was advised to use TF. Do we use IRSA or pod identity with any Prow jobs at present?
There was a problem hiding this comment.
Having a quick look i only see assume roles in a few jobs and these are "trusted" jobs.
There was a problem hiding this comment.
Excellent, i will hunt them out. Thanks @upodroid
There was a problem hiding this comment.
@upodroid - any chance you could point me at one of the jobs? I'm not really seeing how this is done from Prow.
I can see this trusted job: https://github.com/kubernetes/test-infra/blob/master/config/jobs/kubernetes/sig-k8s-infra/trusted/sig-k8s-infra-registry.yaml#L32
There was a problem hiding this comment.
@upodroid - any chance you could point me at one of the existing jobs that use assume roles?
richardcase
force-pushed
the
capa_ami_account_users
branch
from
dc3bd39
to
2dd2e5c
Compare
|
After chatting with @upodroid the |
k8s-ci-robot
added
the
do-not-merge/hold
k8s-ci-robot
added
lgtm
This adds AWS infra provisioning using terraform for the AWS account to be used to publish CAPA AMIs. Signed-off-by: Richard Case <[email protected]>
richardcase
force-pushed
the
capa_ami_account_users
branch
from
2dd2e5c
to
9fc1d94
Compare
k8s-ci-robot
removed
the
lgtm
|
Thanks @upodroid . This has now been run against the AMI account. I had to make a slight change to the bucket name as i created it in the wrong region. Would you be able to LGTM again? |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: richardcase, upodroid The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/unhold |
k8s-ci-robot
removed
the
do-not-merge/hold
This adds AWS infra provisioning using terraform for the AWS account to be used to publish CAPA AMIs.
It adds the following:
Fixes: #5010