
feat: added tf infra for AWS ami account #6517

Open. Wants to merge 1 commit into main.

Conversation

@richardcase (Contributor) commented Mar 4, 2024:

This adds AWS infra provisioning using terraform for the AWS account to be used to publish CAPA AMIs.

It adds the following:

  • IAM Group for the CAPA maintainers
    • With the group having admin access in the account
  • IAM user for each maintainer of CAPA
    • Users added to the maintainer IAM group
  • IAM user for image builder automation
    • Minimum permissions as set out by packer for publishing AMIs
    • Access key encrypted with pgp key

Fixes: #5010
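As an added illustration of the layout the description lists (this is not the PR's own Terraform), with constructed maintainer names, a placeholder PGP key reference and only an illustrative subset of the Packer permissions:

```hcl
# Added illustration, not the PR's code. Names, the maintainer list, the policy
# subset and the PGP key reference are placeholders.
locals {
  maintainers = ["maintainer-one", "maintainer-two"] # constructed sample names
}

# Maintainer group; permissions attach to the group, never to individual users
resource "aws_iam_group" "maintainers" {
  name = "capa-maintainers"
}
resource "aws_iam_group_policy_attachment" "maintainers_admin" {
  group      = aws_iam_group.maintainers.name
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}
resource "aws_iam_user" "maintainer" {
  for_each = toset(local.maintainers)
  name     = each.key
}
resource "aws_iam_user_group_membership" "maintainer" {
  for_each = aws_iam_user.maintainer
  user     = each.value.name
  groups   = [aws_iam_group.maintainers.name]
}

# Automation user for the image builder, scoped to what Packer needs
# (illustrative subset only; the full list is in Packer's amazon builder docs)
data "aws_iam_policy_document" "packer" {
  statement {
    actions = ["ec2:DescribeImages", "ec2:CreateImage", "ec2:RunInstances",
               "ec2:TerminateInstances", "ec2:CreateTags"]
    resources = ["*"]
  }
}
resource "aws_iam_user" "image_builder" {
  name = "capa-image-builder"
}
resource "aws_iam_user_policy" "image_builder" {
  name   = "packer-ami-publish"
  user   = aws_iam_user.image_builder.name
  policy = data.aws_iam_policy_document.packer.json
}

# The secret is encrypted with the recipient's PGP key, so only the ciphertext
# is written to state and exposed through outputs; plaintext never leaves AWS.
resource "aws_iam_access_key" "image_builder" {
  user    = aws_iam_user.image_builder.name
  pgp_key = "keybase:PLACEHOLDER_USER" # or a base64-encoded PGP public key
}
output "image_builder_encrypted_secret" {
  value = aws_iam_access_key.image_builder.encrypted_secret
}
```

The output is base64-encoded PGP ciphertext; the key holder recovers the secret with `terraform output -raw image_builder_encrypted_secret | base64 -d | gpg --decrypt`, and anyone else with read access to the state or outputs sees only the ciphertext.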

@k8s-ci-robot (Contributor) commented:

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. area/infra Infrastructure management, infrastructure design, code in infra/ area/infra/aws Issues or PRs related to Kubernetes AWS infrastructure size/L Denotes a PR that changes 100-499 lines, ignoring generated files. sig/k8s-infra Categorizes an issue or PR as relevant to SIG K8s Infra. labels Mar 4, 2024
@k8s-ci-robot (Contributor) commented:

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: richardcase
Once this PR has been reviewed and has the lgtm label, please assign spiffxp for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

See the License for the specific language governing permissions and
limitations under the License.
*/

A contributor commented:

Is there an automated way to keep this file in sync with the team membership?

@richardcase (Contributor, Author) replied:

We could look at doing something for that in the future

@richardcase richardcase changed the title [WIP] feat: added tf infra for AWS ami account feat: added tf infra for AWS ami account Apr 30, 2024
@richardcase richardcase marked this pull request as ready for review April 30, 2024 09:56
@k8s-ci-robot k8s-ci-robot added area/bash Bash scripts, testing them, writing less of them, code in infra/gcp/ and removed do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. labels Apr 30, 2024
@richardcase richardcase force-pushed the capa_ami_account_users branch 3 times, most recently from d3086f6 to eedff35 on April 30, 2024 10:34
@salasberryfin left a comment:

Only nitpicking on the README.

infra/aws/terraform/cncf-k8s-infra-aws-capa-ami/README.md (outdated, thread resolved)
This adds AWS infra provisioning using terraform for the AWS account to
be used to publish CAPA AMIs.

Signed-off-by: Richard Case <richard.case@suse.com>
@Danil-Grigorev (Member) commented:

Thanks for addressing it @richardcase
/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 3, 2024
*/


resource "aws_iam_user" "ankitasw" {
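Review bot: each per-maintainer `aws_iam_user` here is a long-lived credential that, through the admin group described in the PR, carries full account access; if SSO is not an option, the README should record the compensating controls (MFA required for these users, no per-user access keys, permissions only via the group) so that off-boarding is a single membership change rather than a credential hunt.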
A contributor commented:

seeing IAM users like this in 2024 is a bit sad - is this because we do not have SSO setup?

*/

terraform {
backend "s3" {}
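Review bot: `backend "s3" {}` is a partial backend configuration, so the bucket, key, region and lock table are not in the code and have to be supplied at `terraform init` via `-backend-config`; document that in the README (or commit a backend config file) because the state written there will contain the IAM users and the PGP-encrypted access key, and readers of this module cannot otherwise tell where that state lives or who can read it.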
A contributor commented:

where is state stored, or how is the bucket identified to store the state?


Successfully merging this pull request may close these issues.

REQUEST: Need for AWS account for hosting CAPA generated AMIs
6 participants