feat: prepare aws-eks to EUSC AWS partition, migrate Terragrunt cli usage

Author: matihost

.pre-commit-config.yaml

@@ -103,7 +103,7 @@ repos:
     additional_dependencies:
     - .[community,yamllint]
 - repo: https://github.com/astral-sh/ruff-pre-commit
-  rev: v0.14.11
+  rev: v0.15.0
   hooks:
   - id: ruff # python linter
     args: [ --fix ]

ansible/system/inventory/inventory.yml

@@ -60,7 +60,6 @@ all:
           foxundermoon.shell-format
           garytyler.darcula-pycharm
           george-alisson.html-preview-vscode
-          github.copilot
           github.copilot-chat
           github.vscode-github-actions
           github.vscode-pull-request-github

k8s/apps/echoserver/stage/eks/Makefile

@@ -1,9 +1,9 @@
 NS := learning
 APP := echoserver
-CN := $(APP).$(NS).us-east-1.dev.aws.testing
+CN := $(APP).$(NS).$(shell kubectl config current-context | cut -d: -f4).dev.aws.testing
 
 k8s:
-	@kubectl config current-context | grep -q "aws:eks" || { echo "Not logged to AKS cluster"; exit 1; }
+	@kubectl config current-context | grep -q ":eks:" || { echo "Not logged to EKS cluster"; exit 1; }
 	@kubectl config set-context --current --namespace $(NS)
 
 

k8s/apps/echoserver/stage/eks/deploy.sh

@@ -1,14 +1,15 @@
 #!/usr/bin/env bash
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" >/dev/null && pwd)"
 
-CN="echoserver.learning.us-east-1.dev.aws.testing"
+[[ "$(kubectl config current-context)" == *":eks:"* ]] || echo "Not logged to EKS cluster" && {
+  REGION="$(kubectl config current-context | cut -d: -f4)"
+  CN="echoserver.learning.${REGION}.dev.aws.testing"
 
-[[ "$(kubectl config current-context)" == *"aws:eks"* ]] || echo "Not logged to EKS cluster" && {
   kubectl config set-context --current --namespace learning
   [ -e "/tmp/${CN}.key" ] || {
     openssl req -x509 -sha256 -nodes -days 365 -subj "/CN=${CN}" -newkey rsa:2048 -keyout "/tmp/${CN}.key" -out "/tmp/${CN}.crt"
   }
-  helm upgrade --install echoserver "$(dirname "${SCRIPT_DIR}")" -n learning --set ingress.tls.crt="$(base64 -w 0 /tmp/${CN}.crt)" --set ingress.tls.key="$(base64 -w 0 /tmp/${CN}.key)" \
+  helm upgrade --install echoserver "$(dirname "${SCRIPT_DIR}")" -n learning --set ingress.tls.crt="$(base64 -w 0 "/tmp/${CN}.crt")" --set ingress.tls.key="$(base64 -w 0 "/tmp/${CN}.key")" \
     --set ingress.host="${CN}" \
     --set networkPolicy.enabled=false \
     --set ingress.class=nginx

terraform/aws/aws-eks/Makefile

@@ -4,34 +4,40 @@ SHELL := /usr/bin/env bash
 DEBUG := false
 ifeq ($(strip $(DEBUG)),true)
 	TF_LOG := DEBUG
-	TG_FLAGS := --terragrunt-debug
+	TG_FLAGS := --inputs-debug
 endif
 
 MODE := apply
 ifeq ($(strip $(MODE)),apply)
-	MODE_STR := apply -auto-approve
+	MODE_STR := --non-interactive -- apply -auto-approve
 	K8S_MODE_STR := apply
 else ifeq ($(strip $(MODE)),destroy)
-	MODE_STR := destroy -auto-approve
+	MODE_STR := --non-interactive -- destroy -auto-approve
 	K8S_MODE_STR := delete
 else
-	MODE_STR := plan
+	MODE_STR := --non-interactive -- plan
 	K8S_MODE_STR := get
 endif
 
+PARTITION := aws
 
 ENV := dev
 
-init:
-	cd stage/$(ENV) && terragrunt init -upgrade=true --backend-bootstrap --non-interactive
+ifeq ($(strip $(PARTITION)),eusc)
+	DEPLOY_PATH := stage/eusc/$(ENV)
+else
+	DEPLOY_PATH := stage/$(ENV)
+endif
 
+init:
+	cd $(DEPLOY_PATH) && terragrunt run -- init -upgrade=true
 
-run: init ## setup VPC: make run [ENV=dev] [MODE=apply]
-	@cd stage/$(ENV) && terragrunt validate && terragrunt $(MODE_STR) --non-interactive $(TG_FLAGS)
+run: init ## setup EKS: make run [ENV=dev] [MODE=apply]
+	@cd $(DEPLOY_PATH) && terragrunt run validate && terragrunt run $(MODE_STR) $(TG_FLAGS)
 
 
 kubeconfig: ## generate kubeconfig entry for EKS cluster
-	aws eks --region $(shell cd stage/$(ENV) && terragrunt output -raw region) update-kubeconfig --name $(shell cd stage/$(ENV) && terragrunt output -raw cluster_name)
+	aws eks --region $(shell cd $(DEPLOY_PATH)&& terragrunt output -raw region) update-kubeconfig --name $(shell cd $(DEPLOY_PATH)&& terragrunt output -raw cluster_name)
 
 oidc-test: ## test OIDC setup and provide instructions to update ~/.kube/config to use it
 ifndef ISSUER_URL
@@ -76,19 +82,18 @@ test: ## install test application,  make test [MODE=apply] [FARGATE=true] [APP=a
 
 
 list-pod-identity-associations: ## list Pod Identity Associations
-	aws eks list-pod-identity-associations --cluster-name $(shell cd stage/$(ENV) && terragrunt output -raw cluster_name) --region $(shell cd stage/$(ENV) && terragrunt output -raw region)
+	aws eks list-pod-identity-associations --cluster-name $(shell cd $(DEPLOY_PATH)&& terragrunt output -raw cluster_name) --region $(shell cd $(DEPLOY_PATH)&& terragrunt output -raw region)
 
 show-state: ## show state
-	cd stage/$(ENV) && terragrunt state list && terragrunt show
+	cd $(DEPLOY_PATH)&& terragrunt state list && terragrunt show
 
 clean: ## clean cached plugins and data
 	find . -name ".terra*" -exec rm -rf {} +
 	find . -name "target" -exec rm -rf {} +
 
 upgrade-providers-version: init
 
-
 help: ## show usage and tasks (default)
 	@eval $$(sed -E -n 's/^([\*\.a-zA-Z0-9_-]+):.*?## (.*)$$/printf "\\033[36m%-30s\\033[0m %s\\n" "\1" "\2" ;/; ta; b; :a p' $(MAKEFILE_LIST))
 .DEFAULT_GOAL := help
-.PHONY: help run clean test
+.PHONY: help run clean

terraform/aws/aws-eks/module/backup.tf

@@ -84,7 +84,7 @@ resource "aws_iam_policy" "velero-policy" {
                 "s3:ListMultipartUploadParts"
             ],
             "Resource": [
-                "arn:aws:s3:::${aws_s3_bucket.backup.bucket}/*"
+                "arn:${var.partition}:s3:::${aws_s3_bucket.backup.bucket}/*"
             ]
         },
         {
@@ -93,7 +93,7 @@ resource "aws_iam_policy" "velero-policy" {
                 "s3:ListBucket"
             ],
             "Resource": [
-                "arn:aws:s3:::${aws_s3_bucket.backup.bucket}"
+                "arn:${var.partition}:s3:::${aws_s3_bucket.backup.bucket}"
             ]
         }
     ]

terraform/aws/aws-eks/module/configure-cluster.sh

@@ -1,12 +1,12 @@
 #!/usr/bin/env bash
-
-ACCOUNT_ID="${1:?ACCOUNT_ID is required}"
-CLUSTER_NAME="${2:?CLUSTER_NAME is required}"
-REGION="${3:?REGION is required}"
-NAMESPACES="${4:?NAMESPACES is required}"
-INSTALL_NGINX="${5:-false}"
-DATADOG_API_KEY="${6:-}"
-DATADOG_APP_KEY="${7:-}"
+AWS_PARTITION="${1:?AWS_PARTITION is required}"
+ACCOUNT_ID="${2:?ACCOUNT_ID is required}"
+CLUSTER_NAME="${3:?CLUSTER_NAME is required}"
+REGION="${4:?REGION is required}"
+NAMESPACES="${5:?NAMESPACES is required}"
+INSTALL_NGINX="${6:-false}"
+DATADOG_API_KEY="${7:-}"
+DATADOG_APP_KEY="${8:-}"
 
 set -e
 set -x
@@ -42,6 +42,7 @@ function configure-namespaces() {
     helm upgrade --install "ns-${NS}-config" -n cluster-config --create-namespace "${DIRNAME}/namespace-config-chart" \
       --set namespace="${NS}" \
       --set aws.accountId="${ACCOUNT_ID}" \
+      --set aws.partition="${AWS_PARTITION}" \
       --set irsaRole="${IRSA_ROLE}" \
       --set-json quota="$(echo "${QUOTA}" | jq -r)"
   done
@@ -181,7 +182,7 @@ function ensure-backup() {
     --set configuration.volumeSnapshotLocation[0].name="default" \
     --set configuration.volumeSnapshotLocation[0].provider="aws" \
     --set configuration.volumeSnapshotLocation[0].config.region="${REGION}" \
-    --set serviceAccount.server.annotations."eks\\.amazonaws\\.com/role-arn"="arn:aws:iam::${ACCOUNT_ID}:role/${CLUSTER_NAME}-velero-irsa"
+    --set serviceAccount.server.annotations."eks\\.amazonaws\\.com/role-arn"="arn:${AWS_PARTITION}:iam::${ACCOUNT_ID}:role/${CLUSTER_NAME}-velero-irsa"
 
   for NAMESPACE in $(echo "${NAMESPACES}" | jq -cr '.[]'); do
 

terraform/aws/aws-eks/module/eks-addons.tf

@@ -28,9 +28,11 @@ resource "aws_eks_addon" "snapshot-controller" {
 
 # https://docs.aws.amazon.com/eks/latest/userguide/workloads-add-ons-available-eks.html#add-ons-aws-efs-csi-driver
 resource "aws_eks_addon" "efs" {
+  count = var.install_efs ? "1" : "0"
+
   cluster_name = aws_eks_cluster.cluster.name
   addon_name   = "aws-efs-csi-driver"
-  # addon_version               = "v2.1.9-eksbuild.1"
+  # addon_version               = "v2.3.0-eksbuild.1"
   resolve_conflicts_on_create = "OVERWRITE"
 
   pod_identity_association {
@@ -83,7 +85,7 @@ resource "aws_iam_role" "efs-addon" {
 
 
 resource "aws_iam_role_policy_attachment" "efs-addon_AmazonEFSCSIDriverPolicy" {
-  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEFSCSIDriverPolicy"
+  policy_arn = "arn:${var.partition}:iam::aws:policy/service-role/AmazonEFSCSIDriverPolicy"
   role       = aws_iam_role.efs-addon.name
 }
 

terraform/aws/aws-eks/module/eks.tf

@@ -159,19 +159,19 @@ EOF
 }
 
 resource "aws_iam_role_policy_attachment" "node_AmazonEKSWorkerNodeMinimalPolicy" {
-  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodeMinimalPolicy"
+  policy_arn = "arn:${var.partition}:iam::aws:policy/AmazonEKSWorkerNodeMinimalPolicy"
   role       = aws_iam_role.node.name
 }
 
 # to download images from this account ECR
 resource "aws_iam_role_policy_attachment" "node_AmazonEC2ContainerRegistryPullOnly" {
-  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly"
+  policy_arn = "arn:${var.partition}:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly"
   role       = aws_iam_role.node.name
 }
 
 # To be able to install Cloud Watch EKS Addons with access to all metrics
 resource "aws_iam_role_policy_attachment" "node_CloudWatchAgentServerPolicy" {
-  policy_arn = "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
+  policy_arn = "arn:${var.partition}:iam::aws:policy/CloudWatchAgentServerPolicy"
   role       = aws_iam_role.node.name
 }
 
@@ -196,27 +196,27 @@ resource "aws_iam_role" "cluster" {
 }
 
 resource "aws_iam_role_policy_attachment" "cluster_AmazonEKSClusterPolicy" {
-  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
+  policy_arn = "arn:${var.partition}:iam::aws:policy/AmazonEKSClusterPolicy"
   role       = aws_iam_role.cluster.name
 }
 
 resource "aws_iam_role_policy_attachment" "cluster_AmazonEKSComputePolicy" {
-  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSComputePolicy"
+  policy_arn = "arn:${var.partition}:iam::aws:policy/AmazonEKSComputePolicy"
   role       = aws_iam_role.cluster.name
 }
 
 resource "aws_iam_role_policy_attachment" "cluster_AmazonEKSBlockStoragePolicy" {
-  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSBlockStoragePolicy"
+  policy_arn = "arn:${var.partition}:iam::aws:policy/AmazonEKSBlockStoragePolicy"
   role       = aws_iam_role.cluster.name
 }
 
 resource "aws_iam_role_policy_attachment" "cluster_AmazonEKSLoadBalancingPolicy" {
-  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSLoadBalancingPolicy"
+  policy_arn = "arn:${var.partition}:iam::aws:policy/AmazonEKSLoadBalancingPolicy"
   role       = aws_iam_role.cluster.name
 }
 
 resource "aws_iam_role_policy_attachment" "cluster_AmazonEKSNetworkingPolicy" {
-  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSNetworkingPolicy"
+  policy_arn = "arn:${var.partition}:iam::aws:policy/AmazonEKSNetworkingPolicy"
   role       = aws_iam_role.cluster.name
 }
 
@@ -226,7 +226,7 @@ resource "null_resource" "cluster-config" {
     always_run = timestamp()
   }
   provisioner "local-exec" {
-    command = "${path.module}/configure-cluster.sh '${local.account_id}' '${aws_eks_cluster.cluster.name}' '${var.region}' '${jsonencode(var.namespaces)}' '${var.install_nginx}' '${nonsensitive(var.dd_api_key)}' '${nonsensitive(var.dd_app_key)}'"
+    command = "${path.module}/configure-cluster.sh '${var.partition}' '${local.account_id}' '${aws_eks_cluster.cluster.name}' '${var.region}' '${jsonencode(var.namespaces)}' '${var.install_nginx}' '${nonsensitive(var.dd_api_key)}' '${nonsensitive(var.dd_app_key)}'"
   }
 
   depends_on = [

terraform/aws/aws-eks/module/external-dns.tf

@@ -14,7 +14,7 @@ resource "aws_iam_policy" "externaldns" {
         "route53:ChangeResourceRecordSets"
       ],
       "Resource": [
-        "arn:aws:route53:::hostedzone/*"
+        "arn:${var.partition}:route53:::hostedzone/*"
       ]
     },
     {