Sage-Bionetworks-Workflows · BryanFauble · May 20, 2024
@@ -0,0 +1 @@
+* @Sage-Bionetworks-Workflows/dpe
@@ -0,0 +1,19 @@
+name: tfsec-pr-commenter
+on:
+  pull_request:
+jobs:
+  tfsec:
+    name: tfsec PR commenter
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      pull-requests: write
+
+    steps:
+      - name: Clone repo
+        uses: actions/checkout@master
+      - name: tfsec
+        uses: aquasecurity/tfsec-pr-commenter-action@v1.2.0
+        with:
+          github_token: ${{ github.token }}
@@ -1,15 +1,27 @@
 # EKS-stack
 
-Leveraging spot.io, we spin up an EKS stack behind an existing private VPC that has scale-to-zero capabilities. To deploy this stack
+Leveraging spot.io, we spin up an EKS stack behind an existing private VPC that has scale-to-zero capabilities. To deploy this stack:
 
-1. log into dpe-prod via jumpcloud and export the credentials (you must have admin)
+TODO: Instructions need to be re-writen. Deployment is occuring through spacelift.io
+
+<!-- 1. log into dpe-prod via jumpcloud and export the credentials (you must have admin)
 2. run `terraform apply`
 3. This will deploy the terraform stack.  The terraform backend state is stored in an S3 bucket.  The terraform state is stored in the S3 bucket `s3://dpe-terraform-bucket`
 4. The spot.io account token is stored in AWS secrets manager: `spotinst_token`
-5. Add `AmazonEBSCSIDriverPolicy` and `SecretsManagerReadWrite` to the IAM policy
-
-```
-aws eks update-kubeconfig --name tyu-spot-ocean
+5. Add `AmazonEBSCSIDriverPolicy` and `SecretsManagerReadWrite` to the IAM policy -->
+
+To connect to the EKS stack running in AWS you'll need to make sure that you have
+SSO setup for the account you'll be using. Once setup run the commands below:
+```
+# Login with the profile you're using to authenticate. For example mine is called 
+# `dpe-prod-admin`
+aws sso login --profile dpe-prod-admin
+
+# Update your kubeconfig with the proper values. This is saying "Authenticate with 
+# AWS using my SSO session for the profile `dpe-prod-admin`. After authenticated 
+# assuming that we want to use the `role/eks_admin_role` to connect to the k8s 
+# cluster". This will update your kubeconfig with permissions to access the cluster.
+aws eks update-kubeconfig --region us-east-1 --name dpe-k8 --role-arn arn:aws:iam::766808016710:role/eks_admin_role --profile dpe-prod-admin
 ```
 
 ## Future work

@@ -19,7 +19,7 @@ resource "aws_iam_role" "admin_role" {
 
 resource "aws_iam_role_policy_attachment" "admin_policy" {
   role       = aws_iam_role.admin_role.name
-  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
+  policy_arn = "arn:aws:iam::aws:policy/PowerUserAccess"
 }
 
 
@@ -132,13 +132,19 @@ module "eks" {
 
       policy_associations = {
         eks_admin_role = {
-          policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSAdminPolicy"
+          policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
           access_scope = {
             type = "cluster"
           }
         }
       }
-    }
+    }
+    # https://docs.aws.amazon.com/eks/latest/userguide/access-policies.html#access-policy-permissions
+    # TODO: Additional roles that need to be created:
+    # AmazonEKSAdminViewPolicy?
+    # AmazonEKSEditPolicy
+    # AmazonEKSViewPolicy
+
   }
   tags = var.tags
 }

@@ -1,15 +1,3 @@
-module "kubernetes-controller" {
-  source  = "spotinst/kubernetes-controller/ocean"
-  version = "0.0.2"
-
-  # Credentials
-  spotinst_token   = data.aws_secretsmanager_secret_version.secret_credentials.secret_string
-  spotinst_account = var.spotinst_account
-
-  # Configuration
-  cluster_identifier = var.cluster_name
-}
-
 resource "kubernetes_namespace" "airflow" {
   metadata {
     name = "airflow"

@@ -1,28 +1,25 @@
-variable "cluster_name" {
-  description = "Name of K8 cluster"
-  type        = string
-  default     = "dpe-k8"
-}
-
-variable "region" {
-  description = "AWS region"
-  type        = string
-  default     = "us-east-1"
-}
-
-variable "spotinst_account" {
-  description = "Spot.io account"
-  type        = string
-  default     = "act-ac6522b4"
-}
-
-variable "tags" {
-  description = "AWS Resource Tags"
-  type        = map(string)
-  default = {
-    "CostCenter" = "No Program / 000000"
-    # "kubernetes.io/cluster/tyu-spot-ocean" = "owned",
-    # "key"   = "kubernetes.io/cluster/tyu-spot-ocean",
-    # "value" = "owned"
-  }
-}
+variable "cluster_name" {
+  description = "Name of K8 cluster"
+  type        = string
+  default     = "dpe-k8"
+}
+
+variable "region" {
+  description = "AWS region"
+  type        = string
+  default     = "us-east-1"
+}
+
+variable "spotinst_account" {
+  description = "Spot.io account"
+  type        = string
+  default     = "act-ac6522b4"
+}
+
+variable "tags" {
+  description = "AWS Resource Tags"
+  type        = map(string)
+  default = {
+    "CostCenter" = "No Program / 000000"
+  }
+}
@@ -1,8 +1,9 @@
-terraform {
-  required_providers {
-    spotinst = {
-      source  = "spotinst/spotinst"
-      version = "1.172.0" # Specify the version you wish to use
-    }
-  }
-}
+terraform {
+  required_version = "<= 1.5.7"
+  required_providers {
+    spotinst = {
+      source  = "spotinst/spotinst"
+      version = "1.172.0" # Specify the version you wish to use
+    }
+  }
+}
@@ -1,72 +1,69 @@
-variable "cluster_name" {
-  description = "Name of K8 cluster"
-  type        = string
-  default     = "dpe-k8"
-}
-
-variable "cluster_version" {
-  description = "Version of K8 cluster"
-  type        = string
-  default     = "1.29"
-}
-
-variable "cidr" {
-  description = "CIDR block for the VPC"
-  type        = string
-  default     = "10.51.0.0/16"
-}
-
-variable "public_subnet_cidrs" {
-  type        = list(string)
-  description = "Public Subnet CIDR values"
-  default     = ["10.51.1.0/24", "10.51.2.0/24", "10.51.3.0/24"]
-}
-
-variable "private_subnet_cidrs" {
-  type        = list(string)
-  description = "Private Subnet CIDR values"
-  default     = ["10.51.4.0/24", "10.51.5.0/24", "10.51.6.0/24"]
-}
-
-variable "create_igw" {
-  description = "Controls if an Internet Gateway is created for public subnets and the related routes that connect them"
-  type        = string
-  default     = "false"
-}
-
-variable "azs" {
-
-  type        = list(string)
-  description = "Availability Zones"
-  default     = ["us-east-1a", "us-east-1b", "us-east-1c"]
-
-}
-
-variable "region" {
-  description = "AWS region"
-  type        = string
-  default     = "us-east-1"
-}
-
-variable "spotinst_account" {
-  description = "Spot.io account"
-  type        = string
-  default     = "act-ac6522b4"
-}
-
-variable "eks_nodeGroup" {
-  description = "EKS node group name"
-  type        = string
-  default     = "airflow-node-group"
-}
-
-variable "tags" {
-  description = "AWS Resource Tags"
-  type        = map(string)
-  default = {
-    "CostCenter" = "No Program / 000000"
-    # "kubernetes.io/cluster/tyu-spot-ocean" = "owned",
-    # "key"   = "kubernetes.io/cluster/tyu-spot-ocean",
-    # "value" = "owned"
-  }
-}
+variable "cluster_name" {
+  description = "Name of K8 cluster"
+  type        = string
+  default     = "dpe-k8"
+}
+
+variable "cluster_version" {
+  description = "Version of K8 cluster"
+  type        = string
+  default     = "1.29"
+}
+
+variable "cidr" {
+  description = "CIDR block for the VPC"
+  type        = string
+  default     = "10.51.0.0/16"
+}
+
+variable "public_subnet_cidrs" {
+  type        = list(string)
+  description = "Public Subnet CIDR values"
+  default     = ["10.51.1.0/24", "10.51.2.0/24", "10.51.3.0/24"]
+}
+
+variable "private_subnet_cidrs" {
+  type        = list(string)
+  description = "Private Subnet CIDR values"
+  default     = ["10.51.4.0/24", "10.51.5.0/24", "10.51.6.0/24"]
+}
+
+variable "create_igw" {
+  description = "Controls if an Internet Gateway is created for public subnets and the related routes that connect them"
+  type        = string
+  default     = "false"
+}
+
+variable "azs" {
+
+  type        = list(string)
+  description = "Availability Zones"
+  default     = ["us-east-1a", "us-east-1b", "us-east-1c"]
+
+}
+
+variable "region" {
+  description = "AWS region"
+  type        = string
+  default     = "us-east-1"
+}
+
+variable "spotinst_account" {
+  description = "Spot.io account"
+  type        = string
+  default     = "act-ac6522b4"
+}
+
+variable "eks_nodeGroup" {
+  description = "EKS node group name"
+  type        = string
+  default     = "airflow-node-group"
+}
+
+variable "tags" {
+  description = "AWS Resource Tags"
+  type        = map(string)
+  default = {
+    "CostCenter" = "No Program / 000000"
+  }
+}
@@ -1,7 +1,8 @@
-terraform {
-  required_providers {
-    spotinst = {
-      source = "spotinst/spotinst"
-    }
-  }
-}
+terraform {
+  required_version = "<= 1.5.7"
+  required_providers {
+    spotinst = {
+      source = "spotinst/spotinst"
+    }
+  }
+}