fixup

spack · Sep 18, 2024 · 0c4528e · 0c4528e
1 parent 8cd2997
commit 0c4528e
Show file tree

Hide file tree

Showing 14 changed files with 106 additions and 87 deletions.
diff --git a/k8s/production/gitlab/sealed-secrets.yaml b/k8s/production/gitlab/sealed-secrets.yaml
diff --git a/k8s/staging/gitlab/kustomization.yaml b/k8s/staging/gitlab/kustomization.yaml
@@ -5,7 +5,6 @@ resources:
   - ../../production/gitlab/certificates.yaml
   - ../../production/gitlab/namespace.yaml
   - ../../production/gitlab/release.yaml
-  - ../../production/gitlab/sealed-secrets.yaml
   - ../../production/gitlab/pod-cleanup.yaml
 patches:
   - target:
@@ -39,18 +38,3 @@ patches:
       - op: replace
         path: /spec/values/gitlab/toolbox/replicas
         value: 1
-
-  - target:
-      kind: SealedSecret
-      name: gitlab-secrets
-      namespace: gitlab
-    patch: |-
-      - op: replace
-        path: /spec/encryptedData/postgres-password
-        value: AgBrhGn3MnFaDZIyzfLlb32sIczl33zXjQ1HS1LSJ1IXqGO7e4soTGrLjMgI37kr7/1ftPF1Zzmj5Ud3DdDzm2pBpBY9GcOKZgupPdFBnRU6T+wNJ5QbYI/ZihD8QLKHkUojc0oNac3rcK1u9Cqc9lyMU5n0QKXbLODXrggwyDfeccL2EWikOWVsz3gKDZFXB7XNab5WyigDFlf3C4toYypAkXIQhEwOfZ9rAo68KdjkAFcHgWt6Z8ceQU2Ik6c5pdMl88KDZwLA141kQP6Cda8MM9IUdwu8IReNrS/3G7rZoHwJR00CaM6fw3BiNtBDOlDndLMOtGRslU0Xr/PLeUu/EaysEnk2tjydPNImayz2Dm1a1FHcRKBCpZB5hslSs8Crrni04cNrKz6J/SDxNYQw9hQbrruZASjKj4YLamiQPEv1jOIpbzUfGsyDC8uxq0Wsp1l5fW5rtMfqB8rZbXwgCp7lO1Rm3fwEaqX9FuT/lP8RgyCT+cbb6JXrhe+lA9bJgjixpk64QwbSf32KrwopHgd071To3SajxYAnDeOYdaZICxoPj19emPlsu595P24tGKqHk5VgRz/RGcd2TtspO9BR24iTWviDjqxEo+BVk0iC0B9EDAHyuVNWCvE8MgORL/nwChqrHijX06U4/dECz5PBJxQ4TDRc+yOcbDjUEZIZajE2wvnVshezHMHRCJ+GkVbs/fZCpDDb6mLYYnyG0G9Bcw==
-      - op: replace
-        path: /spec/encryptedData/smtp-password
-        value: AgBxq/Exrot6AQ2Ix30FHcv3GLsYD3b2VGGBe2NDD6FuSnW4tNkKsYJkyw9zYVCQoKBM2/YgddQNSJFKKU2VqiIOUo6xQ74nV49A45ADKq9nErXf377TfwDgQCjaxST8HXGrUgUyGHjAoFlYmI5xuA9D8v4DE3HUCHZNBT1XAWyift9A1oE19JO76BpArzNsewn0RoYFIeB2oRIOd2+UZo1mcby6JfjM1sb+bNVHNbqf9SNHxyGsL1J9M3K8pUZUliDOZFlsFukWKUxigb5YV11QTzmPrPOtQCqCvoOGcKw5PqI5wj/EVU7MEqPNkVKZvduNb3YaKnyWkMRp/FkSANQLNoTlxc+bzqFTBeR6/jftVNJrwDbUB41aAPpLbFgzJA/dXMA9oGErlZHVxDSc6vVdha26ZFwpOI/cWh59nVFovV7gkZu5uUjGnUUSeoCVU7YhVE3THu2jeGXz/GXCU0PKdgb2HOEFMYIFdIn2KDzBsBgJzbzppVjuh28NF/38L+Xt++wIR6PznOX2sbVuwrgk6sAgCnrmSrKWDbvyAefm5EwHngfWf4YEE/YLwDZhuYS0o7psllVcQy4b5TTmhTDvdG/s1avGg4/FIpfGJmNqKCki8lunAeunVNvmmyCH18CnwQlbT9J0qLRGJj61OGul+PVpWJE+6wJZMJXqev1V4SFk7GJdZ+aNRQ4rS8lHrDo=
-      - op: replace
-        path: /spec/encryptedData/values.yaml
-        value: AgAqkxqZpt47BIajymrkjNbYzKjR6qiTipUZvufNUal/hId4RBPSBXPlpdLWJBxlwQ0vsL1ZfC7QQCr9ECC+D5UWsnY6VWkmbFK5K/H5CHErxZUnv4Y8A6kJLV2B0wWbf2YlemATySyxqUlF1SUjazcTyYjpBjWdj7xva16Y+tBrjPq/bQm0WoUBSSPwkYtmK2PWPUN05zM2748AUMcUEK7n+7WGOExl4o17PD+qPbHG72jWRG/x45RIyrmSRMcKQjft94IG5p4hDlV/fJLS7UAGbKff5U5Tfm4Ybq7dol1tmrTt6xsG1nFRV/Rio/t1M8hnusMFRXfIUY8ngDRtSLVC1FX5YdmVpv3AwweIkbBeKgzpvFR2rYYHWN3zAq9vQTE+sULKnDFPS9ZldIXn6CubORTg0lh8Cz9OXfU4g4YSduwXdwYD614N1IXxRtFxr72ec1Xxho/woQF+a7pnlPfdGqwo7b+0ANuNrTpm2wWmpJq5NJXLAFlNRoYhfZntqM7GaqlHDgRLJQQ7CzoXvYSvNeo7Br1t/s6D1jbw+LYfJuE2vz19cQG4K/zeH6kacGtuoErXo5mMhoR1RFadthbYEA8Tac778w2O88t9EJgGMKlHeDRFQVmsx2OhLBf/wqzl8cbVhaa971nHWFNVO3CnO7F9Gn3g0M9WCdyVOUqx7IjJP7O/LjWDMgWnBurv3yiBqOIYzP9ljyWLeqw40H3B9nwbZSVzdy0oPFNKN4MtGJkFVUXVxiMHwRD7SpPorVG58BH9iJ/tkedqDRoaCJNPsmIsGLcyQQ9HWjgEMcX00E8=
diff --git a/terraform/modules/iam_service_account/iam.tf b/terraform/modules/iam_service_account/iam.tf
@@ -7,7 +7,7 @@ data "aws_iam_openid_connect_provider" "this" {
 }
 
 resource "aws_iam_role" "this" {
-  name        = "${var.service_account_name}-role-${var.deployment_name}"
+  name        = "${var.service_account_name}-role-${var.deployment_name}-${var.deployment_stage}"
   description = "Managed by Terraform. ${var.service_account_iam_role_description}"
   assume_role_policy = jsonencode({
     "Version" : "2012-10-17",
@@ -30,7 +30,7 @@ resource "aws_iam_role" "this" {
 
 resource "aws_iam_policy" "this" {
   for_each = toset(var.service_account_iam_policies)
-  name     = "${var.service_account_name}-policy-${index(var.service_account_iam_policies, each.value)}"
+  name     = "${var.service_account_name}-policy-${var.deployment_name}-${var.deployment_stage}${index(var.service_account_iam_policies, each.value)}"
   policy   = each.value
 }
 

diff --git a/terraform/modules/iam_service_account/variables.tf b/terraform/modules/iam_service_account/variables.tf
@@ -2,6 +2,10 @@ variable "deployment_name" {
   type = string
 }
 
+variable "deployment_stage" {
+  type = string
+}
+
 variable "service_account_name" {
   description = "The name of the service account"
   type        = string

diff --git a/terraform/modules/spack_aws_k8s/analytics_db.tf b/terraform/modules/spack_aws_k8s/analytics_db.tf
@@ -15,8 +15,8 @@ module "analytics_db" {
   identifier = "spack-analytics${local.suffix}"
 
   engine               = "postgres"
-  family               = "postgres16"
-  major_engine_version = "16"
+  family               = "postgres15"
+  major_engine_version = "15"
   instance_class       = var.gitlab_db_instance_class
 
   # Credentials

diff --git a/terraform/modules/spack_aws_k8s/data.tf b/terraform/modules/spack_aws_k8s/data.tf
@@ -1,46 +1,3 @@
-data "aws_eks_cluster" "spack" {
-  name = "spack${local.suffix}"
-}
-
-data "aws_security_group" "spack_node_sg" {
-  name = "${data.aws_eks_cluster.spack.id}-node-sg"
-}
-
-data "aws_iam_openid_connect_provider" "spack" {
-  url = data.aws_eks_cluster.spack.identity[0].oidc[0].issuer
-}
-
-data "aws_vpc" "spack" {
-  id = data.aws_eks_cluster.spack.vpc_config[0].vpc_id
-}
-
-data "aws_subnets" "public" {
-  filter {
-    name   = "vpc-id"
-    values = [data.aws_vpc.spack.id]
-  }
-  filter {
-    name   = "tag:kubernetes.io/role/elb"
-    values = ["1"]
-  }
-}
-
-data "aws_subnets" "private" {
-  filter {
-    name   = "vpc-id"
-    values = [data.aws_vpc.spack.id]
-  }
-  filter {
-    name   = "tag:kubernetes.io/role/internal-elb"
-    values = ["1"]
-  }
-}
-
-data "aws_subnet" "spack" {
-  for_each = toset(concat(data.aws_subnets.public.ids, data.aws_subnets.private.ids))
-  id       = each.value
-}
-
 data "aws_route53_zone" "spack_io" {
   name         = "spack.io"
   private_zone = false

diff --git a/terraform/modules/spack_aws_k8s/eks.tf b/terraform/modules/spack_aws_k8s/eks.tf
@@ -10,6 +10,22 @@ module "eks" {
   enable_cluster_creator_admin_permissions = true
   cluster_endpoint_public_access           = true
 
+  access_entries = {
+    admin = {
+      kubernetes_groups = []
+      principal_arn     = aws_iam_role.eks_cluster_access.arn
+
+      policy_associations = {
+        cluster = {
+          policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
+          access_scope = {
+            type = "cluster"
+          }
+        }
+      }
+    }
+  }
+
   cluster_addons = {
     coredns = {
       addon_version = "v1.11.1-eksbuild.11"
@@ -254,3 +270,71 @@ resource "aws_iam_policy_attachment" "efs_csi_driver" {
   roles      = [aws_iam_role.efs_csi_driver.name]
   policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEFSCSIDriverPolicy" # AWS managed policy
 }
+
+resource "aws_iam_role" "eks_cluster_access" {
+  name = "SpackEKSClusterAccess-${var.deployment_name}-${var.deployment_stage}"
+  assume_role_policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Effect" : "Allow",
+        "Principal" : {
+          "AWS" : [
+            "arn:aws:iam::588562868276:user/scott",
+            "arn:aws:iam::588562868276:user/jacob",
+            "arn:aws:iam::588562868276:user/krattiger1",
+            "arn:aws:iam::588562868276:user/mike",
+            "arn:aws:iam::588562868276:user/zack",
+            "arn:aws:iam::588562868276:user/dan",
+            "arn:aws:iam::588562868276:user/william",
+          ]
+        },
+        "Action" : "sts:AssumeRole"
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy" "eks_cluster_access" {
+  name = "SpackEKSClusterAccess-${var.deployment_name}-${var.deployment_stage}"
+  role = aws_iam_role.eks_cluster_access.id
+  policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Effect" : "Allow",
+        "Action" : [
+          "eks:ListAccessEntries",
+          "eks:DescribeAccessEntry",
+          "eks:UpdateAccessEntry",
+          "eks:ListAccessPolicies",
+          "eks:AssociateAccessPolicy",
+          "eks:DisassociateAccessPolicy"
+        ],
+        "Resource" : "*"
+      },
+    ]
+  })
+}
+
+resource "aws_iam_role" "readonly_clusterrole" {
+  name = "SpackEKSReadOnlyClusterAccess-${var.deployment_name}-${var.deployment_stage}"
+  assume_role_policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Effect" : "Allow",
+        "Principal" : {
+          "AWS" : [
+            "arn:aws:iam::588562868276:user/joesnyder",
+            "arn:aws:iam::588562868276:user/alecscott",
+            "arn:aws:iam::588562868276:user/tgamblin",
+            "arn:aws:iam::588562868276:user/vsoch",
+            "arn:aws:iam::588562868276:user/caetanomelone",
+          ]
+        },
+        "Action" : "sts:AssumeRole"
+      }
+    ]
+  })
+}
diff --git a/terraform/modules/spack_aws_k8s/gitlab_db.tf b/terraform/modules/spack_aws_k8s/gitlab_db.tf
@@ -15,12 +15,12 @@ module "gitlab_db" {
   identifier = "spack-gitlab${local.suffix}"
 
   engine               = "postgres"
-  family               = "postgres16"
-  major_engine_version = "16"
+  family               = "postgres14"
+  major_engine_version = "14"
   instance_class       = var.gitlab_db_instance_class
 
   db_name                     = "gitlabhq_production"
-  username                    = "gitlab"
+  username                    = "postgres"
   port                        = "5432"
   manage_master_user_password = false
   password                    = random_password.gitlab_db_password.result

diff --git a/terraform/modules/spack_aws_k8s/gitlab_object_stores.tf b/terraform/modules/spack_aws_k8s/gitlab_object_stores.tf
@@ -47,7 +47,7 @@ resource "aws_s3_bucket_lifecycle_configuration" "delete_old_artifacts" {
 }
 
 resource "aws_iam_policy" "gitlab_object_stores" {
-  name        = "GitlabS3Role-${var.deployment_name}"
+  name        = "GitlabS3Role-${var.deployment_name}-${var.deployment_stage}"
   description = "Managed by Terraform. Grants required permissions for GitLab to read/write to relevant S3 buckets."
 
   # https://docs.gitlab.com/ee/install/aws/manual_install_aws.html#create-an-iam-policy
@@ -79,7 +79,7 @@ resource "aws_iam_policy" "gitlab_object_stores" {
 }
 
 resource "aws_iam_role" "gitlab_object_stores" {
-  name        = "GitlabS3Role-${var.deployment_name}"
+  name        = "GitlabS3Role-${var.deployment_name}-${var.deployment_stage}"
   description = "Managed by Terraform. Role for GitLab to assume so that it can access relevant S3 buckets."
   assume_role_policy = jsonencode({
     "Version" : "2012-10-17",

diff --git a/terraform/modules/spack_aws_k8s/iam_service_accounts.tf b/terraform/modules/spack_aws_k8s/iam_service_accounts.tf
@@ -2,6 +2,7 @@ module "build_cache_pruner" {
   source = "../iam_service_account"
 
   deployment_name = var.deployment_name
+  deployment_stage = var.deployment_stage
 
   service_account_iam_policies = [
     jsonencode({
@@ -33,6 +34,7 @@ module "cache_indexer" {
   source = "../iam_service_account"
 
   deployment_name = var.deployment_name
+  deployment_stage = var.deployment_stage
 
   service_account_iam_policies = [
     jsonencode({
@@ -59,6 +61,7 @@ module "protected_publish" {
   source = "../iam_service_account"
 
   deployment_name = var.deployment_name
+  deployment_stage = var.deployment_stage
 
   service_account_iam_policies = [
     jsonencode({
@@ -81,6 +84,7 @@ module "spackbot" {
   source = "../iam_service_account"
 
   deployment_name = var.deployment_name
+  deployment_stage = var.deployment_stage
 
   service_account_iam_policies = [
     jsonencode({

diff --git a/terraform/modules/spack_aws_k8s/karpenter.tf b/terraform/modules/spack_aws_k8s/karpenter.tf
@@ -10,7 +10,7 @@ module "karpenter" {
 
   # Name needs to match role name passed to the EC2NodeClass
   node_iam_role_use_name_prefix   = false
-  node_iam_role_name              = "KarpenterControllerNodeRole-${var.deployment_name}"
+  node_iam_role_name              = "KarpenterControllerNodeRole-${var.deployment_name}-${var.deployment_stage}"
   create_pod_identity_association = true
 }
 

diff --git a/terraform/modules/spack_aws_k8s/opensearch.tf b/terraform/modules/spack_aws_k8s/opensearch.tf
@@ -164,7 +164,7 @@ data "aws_iam_policy" "amazon_opensearch_service_cognito_access" {
 }
 
 resource "aws_iam_role" "opensearch_cognito_role" {
-  name        = "OpenSearchCognitoAccessRole-${var.deployment_name}"
+  name        = "OpenSearchCognitoAccessRole-${var.deployment_name}-${var.deployment_stage}"
   description = "IAM role that gives OpenSearch permissions to configure the Amazon Cognito user and identity pools and use them for authentication."
   assume_role_policy = jsonencode({
     "Version" : "2012-10-17",

diff --git a/terraform/modules/spack_aws_k8s/ses.tf b/terraform/modules/spack_aws_k8s/ses.tf
@@ -15,7 +15,7 @@ resource "aws_route53_record" "ses_verification" {
 }
 
 resource "aws_iam_user" "ses_user" {
-  name = "ses-smtp-user-${var.deployment_name}"
+  name = "ses-smtp-user-${var.deployment_name}-${var.deployment_stage}"
 }
 
 resource "aws_iam_access_key" "ses_user" {

diff --git a/terraform/modules/spack_aws_k8s/vpc.tf b/terraform/modules/spack_aws_k8s/vpc.tf
@@ -19,8 +19,8 @@ module "vpc" {
   cidr = local.vpc_cidr
 
   azs             = local.azs
-  private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 4, k)]
-  public_subnets  = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 48)]
+  private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 3, k)]
+  public_subnets  = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 3, k + 4)]
 
   enable_nat_gateway     = true
   single_nat_gateway     = false