feat: added tf infra for AWS ami account #6517
Conversation
|
Skipping CI for Draft Pull Request. |
k8s-ci-robot
added
do-not-merge/work-in-progress
| See the License for the specific language governing permissions and | ||
| limitations under the License. | ||
| */ | ||
|
|
There was a problem hiding this comment.
Is there an automated way to keep this file in sync with the team membership?
There was a problem hiding this comment.
We could look at doing something for that in the future
richardcase
force-pushed
the
capa_ami_account_users
branch
from
bba9e8a
to
a2789d4
Compare
richardcase
changed the title
k8s-ci-robot
added
area/bash
richardcase
force-pushed
the
capa_ami_account_users
branch
3 times, most recently
from
d3086f6
to
eedff35
Compare
richardcase
force-pushed
the
capa_ami_account_users
branch
from
eedff35
to
640607f
Compare
|
Thanks for addressing it @richardcase |
k8s-ci-robot
added
the
lgtm
| */ | ||
|
|
||
|
|
||
| resource "aws_iam_user" "ankitasw" { |
There was a problem hiding this comment.
seeing IAM users like this in 2024 is a bit sad - is this because we do not have SSO setup?
| */ | ||
|
|
||
| terraform { | ||
| backend "s3" {} |
There was a problem hiding this comment.
where is state stored, or how is the bucket identified to store the state?
|
@bryantbiggs - thats for the review comments. I've been AFK for the last ~5 weeks on a break. I'll pick this up again and will get back to you asap on the comments. |
|
We could potentially use IAM Identity centre for the AMI account(819546954734) instead of using IAM users/groups directly. We have identity centre enabled for the management account (see here. Off the top of my head this would mean roughly:
@bryantbiggs - do you think that using IAM Identity Centre would be better than whats is currently in this PR? It still requires us to create/list the users in TF but at least we are not relying on the password output and a human to send them to the respective maintainer. |
|
yes, SSO would be better. no matter what, we'll have to map users somewhere at the end of the day - but with SSO, we avoid the use of long lived credentials and it will give us the ability to map users to multiple accounts (as needed) cc @upodroid |
|
Thanks @bryantbiggs 🙇 I will refactor this to use IAM Identity Centre instead |
|
|
||
| resource "aws_iam_group_policy_attachment" "maintainer-admin" { | ||
| group = aws_iam_group.maintainers.name | ||
| policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess" |
There was a problem hiding this comment.
Is there a least-privilege alternative to this access that we can grant?
There was a problem hiding this comment.
Yes for sure. How about initially we scope the "admin" down to only the services that are used for AMI publishing. The original thinking was that more elevated permissions would be needed initially whilst we work out all the automation / diagnose issues.
Ultimately, we could make it so it's just the build agent (prow or GHA) that has access.
There was a problem hiding this comment.
TBH, I don't even agree with giving AdministratorAccess to Prow.
There was a problem hiding this comment.
The more i think about it (based on your feedback), the maintainers don't need access to the account. Just whatever CI we use. I'll also re-think this based on that.
| resource "aws_iam_user_login_profile" "imagebuilder_login" { | ||
| user = aws_iam_user.imagebuilder.name | ||
| password_reset_required = true | ||
| } |
There was a problem hiding this comment.
Why is there a login profile here? What would break if it were missing?
|
|
||
| resource "aws_iam_access_key" "imagebuilder" { | ||
| user = aws_iam_user.imagebuilder.name | ||
| pgp_key = "mQINBGKe9M0BEACqiPeuyj4wm7uIfLqeYxDwj6QFf9D/vxnusBEy3Y7AoIUsRE7hAIAIkKxFseqPsz1BjhZFUHyz7W81He4LH5NafzjR//Rb0h6acmJARHSyrBJsDC837CPxJJaVkhX2Y2rim+MJyqsPUxvCoEY+9mf1z6IOQLFS1eglGxyo7SI4JvZtNUS/SXfa1LhaQ11DtuVB0MPd86xCaXLMr5gUOreh63IySuXIZibeUNpZeqAVsm0OKhHb8qDSo2tCKUqUB4lCF4VkOnqetO4lQQlMHrW6S6O/HQ8X/PPXVVvR8L8IjDLVEp5UcIgQwNmy3uCOR6AYj6OpMxGLg9iTyidB2JPV+bynkanjWYXQAnHwfhL2F67ihPvV0FqX52n+WUdYjxqLV/sZcIDj9FNIvw+6043q7hx2N80p/aaX6yFHZmcw4ygpTblgWw/7JTu1gGtASY6Jik95UiyDmEOrLdo7PNQyajkKsTvEVHwHEI8SEMpJr1fLrJms5QDebG9vtfEAFa3a2/nv0tfv+eTBMSKLvjvAmh88m5rQjRaIi971N2BlYTkdsCgQQPV+kwT2vtuI12RAn/ykH76WuEjXVtEliQPVwrAJQxTAWND481Q7SohQI9VcdhARV66gCctTaooWQdTYDd2FU61XA4FEo7QV8czrcc1pnzSLOLU+Acr3NQMkrwARAQABtCdSaWNoYXJkIENhc2UgPHJpY2hhcmQuY2FzZUBvdXRsb29rLmNvbT6JAlcEEwEKAEECGwMFCQPCZwAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AWIQQhvJMGF6FmKNZ2lAsxfINc3qmMzQUCY900uQIZAQAKCRAxfINc3qmMzYOyD/4otNj6bBJdiSbuFRR4kUkJX/LlaqHZwLoYwHOg1Xky4mJWDZYG+ygpbqk/Tfir9yBmbADOyyCYabn9uqtE75VzLzKlOZNrC0gUguEqWnwa7nyAaN7rk1uoeIgQ7gvtdJJhGz177WpefTo4sevB3nB/Xg12UWlXqjjQgcAF6o1CalULMJjBvJ0vMiwunNd9eI9Jk9sEvQ/hnXODmubCqBOd53m/K03bBY7Gnl+wF/y6POBCCNHpYsWQ6z/DMl/vUJA/wsuu/6S8rpS9kkJ7xoX6dvfzsSLV6RUHA6eHbuuaLRJPVTYjIZVgFCuw8U2iB8e4h9PNOorNNprOPz8DcAkAayaZRk9YJji+tW8H6rH84BW7K2DCQ3fmrugwG3MW29wb2GiLGgMKtEGJjJGGbVMEDl1GH7ndP8WyfNY1qRIvHQN6gBLrA5N++PM9fvm0bi5D1vOr+0gtBwshgmNb3OoK+SKhxynei2demXYgA+N8NXgPZYren6SPurD8bHW+T0hoIA+HW00Yq6SS/WX2IONCUkjnkD9sZ5Wef+TjscdTvdLhwCFYoF9jETG1i2dzbQ2G8e9D7abhJxusR4XtKZehb0CMipKSNs73YquTWkCaMijaDRdIeeQlBi2TwqQ6hZZTj+9aG+dLGj6itiVcQMw8QoxOaexspPAL6bLSgz7dCokCVAQTAQoAPhYhBCG8kwYXoWYo1naUCzF8g1zeqYzNBQJinvTNAhsDBQkDwmcABQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEDF8g1zeqYzNx2oP/jEDh8oMOZw36PcDRiXyzb5yoCoYYtEB2YIIlzjTx59qVSvXAG6zZPdLZi6qOrnmylFIRzFMgxlb651KzV0tp4Qh10tv21GCgbi4s5p9RL6ZccSiRb48TTyvMNZCLpBIss+nM6cVpazpYhmVRwdC5pPicpT6BGpPCv0pQlka16jY9Xv3m9ywPO6XvLcdCYTD34ekKmnaySLSC6JBOuwLfRfCHOBotb0TDxTi7GXY7BP/U3rzJlXUJ+DzpKNAwUxfH/eE++0lUCtbAsnvr6uyV1pdN3PCU6RkED3pEEPKl7eyXxiLHlVibqNTx9d9qAz1Zg2zfXzXPAhT971MkOeuzWyMESuhImnRAogqzFMtf0rOzj8ksZ/29SV28wif5fCJVPzhQBbZFpFe3wmj3NtR7CxlHd9Zdyp2tzzycPTywLgNX26BN9EmrmKMfVMYLnJq/60lPLVe5XSl2jx19T1oYHXJuP3wUwDbkmWMaVVvkyo8R5bcGWCOpfMcaw/7P8l12G9ti5VGWCC/O7slGkRGW/9Ey3o75F0LmKOGZmqOr44YRlK9Vl1zbNoej5tZVxYnYvIErauYG1HqPNnWM0HAIVS+r7kNRj6j+9iAXiwOycLkdmHzkeNRdsfaUVf5drpwgoTZW4/+ZtJLrK8lhpeviIWWq3iQm9/qxbfKyqww1AxTtCJSaWNoYXJkIENhc2UgPHJpY2htY2FzZUBnbWFpbC5jb20+iQJSBBMBCgA8FiEEIbyTBhehZijWdpQLMXyDXN6pjM0FAmPdNIcCGwMFCQPCZwAECwkIBwQVCgkIBRYCAwEAAh4FAheAAAoJEDF8g1zeqYzNx7YP/0DDDHD57kvVqa9B0yrNBSBZRLIGLMSQaibYt3C0SLCrM1kj3TJMVnp7PjdII6BI1Io7mbroDELNFvvmFKLCGKyIonhK3qPWoZ8DgXjTyrHMqDVUKiwu8Z3xCWsLhO6nabcJbXmrw79fRCojaxUrNRZMFa3xxeT4RXQ8w58pSRRke/AfVfWXcl3eoCK2dakR7WtM5CzESb+XSeE6aFCylLL3rgc/94oC1bOdHenbr4NJ0Qx07sKZY1DW3S2TcnWt748a6XD0RIjL8wLolEfc/Rsxxg89TKEaU4IhlUCo3kV0h2gtzW2Bx5RFBvpRHP4TksZhBUX3j8RDb1U14ksWt+mMVBctwQpbhoVBEALGT03qXXHwwiKV1OUqi+KTo+xVdDsLljhdBgGGv8UsllyWRDB1oOCIRO44HM60z7A5q9kqFkLcSL7puD5PWrpb/fDhh8oUHfVjqanzaXP0Q7LJcm/NLxtiJfPfK/aDamtIrQNKnGnqshmUqc29Y0nB87EXOMD9FzkxQHG6mBb5CJx1YTEcdUji+JhM1BDIr5gfwn94whsJYeTdSJny1MjQaUZUs28p8V+p6eawH3gY2M6QiTRsGz8vNtIzp7RLsX4xxuGznm67Id0xKkE2L1aOtTCJQ5AoVq+Jz9BreQsiNdBQEdcBlxbwyR6BLw7UnDwE0IfKuQINBGKe9RoBEADa9lXpjdRraUoPI4wrZ/mr/Ck1tGZ+7t4kcSS5j9GOkLe5qgv6f5IrDouh0cGF4+ksR7lqAdv3i5OGBCDhlu6G2KMqH8wGx6gMfHNnSPqdozYTalkhn0j16V6RRUUzugZ/XSQOAs/5haJuM82ZYGppZkjaujiEX3uHZ0pAXzUjnpGK9S6PaI0j1rEGQJjaCItiJoH4XpSIRUz7nxTJTVRjlRvW3yIeXzytlJN/QbE25aPWECe/cQgu00eRb6ILM27kcBGNkFpCAuTa5GTzOljjsCgox8Vts2MX82XIigG+3L1Yx+dh9OwlWbJBNPkI7iZpciOdejJkqMo/d8n8jtWmJuOlD30nj/lAeoUdYJ6Dv80QpM6idsWFEThjERb9qI0ym9r5GBHoTYWMpAtuDXN+PeUNe8YJ98v4lpYZRKbyp399uHB72q6eXq/J3C9uo8t8kTevVR5wwc6JOPi9bdjMQBW1YzsOAGkaL1eG6AQL4GLnPGy26jPsdVQFk87hbyFCMBP+vS14do0v++eLHVQE9vzI8p/hvLtEV+SF2p5+vU4bthDyctU9c+JHISPHWON7iLuxO8GYweI+ZZ0zgixcEIhILX32P6rX7g8OxD/zvfLDq/L/Rg0V/EmPij8j0JDHdmnAObpG8+fVUQfv5UFo2/547LWuOskT/xM+JII4IwARAQABiQI8BBgBCgAmFiEEIbyTBhehZijWdpQLMXyDXN6pjM0FAmKe9RoCGyAFCQPCZwAACgkQMXyDXN6pjM0WShAApqfsvpVR9m1dA5I/7dO7kzaedE1s6dAlRVTqQXE2TTVdnriQin+gYQjJyMsZRNe0w3oTWYgS1QYToZ+hJoY5hGogqjHpTl0u0LsynLCAo9jbnoLfswwO2LXijdyT0C1IQfz6FuMX7HKoNz/PfHK6SfKqBzKs/rO/jZSpkR1sw2ZSqdjOR9WwJ81CPMY/aFSiq2Q3Fkf7HovbUAMz1gRW5FHgmxfyDELVEQbVeLjzn2lC1eQraVH3Fw7ix4tGrwPj7+C87lKnktUaF1hUyiMlCjYkcHkKyaxEFwf68E3bIpPEUwIkibHqTGuD5M1dQYPRB6wXg1wwxPuTTJkDHhAYPu7xGKRx/mRg8mQ/HkTkccKugq6iGZgt9vxSqUob9/My7lCUqPYYxDR9jnN1HGfSA4n50FRXtHUIN279SOTjhiofmYq+uF4a/MaCDrc+owyWP2Vphl2mGJxFalLVwVRI/vIZz088qZ04w/O/FS2UeAGqqPxgSQjKmT42LyMp9lAGi+zbgVAdfGgoMULscbR6Otr5GiH9weq0toMqVjRRc6DyIFal0LSEqQavCnaQhstTDyfObCrORa62Kb8eNytrhf5Y58pZJ92cv0PlXTef7tqBV3y5HgPu06TiE2flydFokqJWGloZAuPB5IOxkMumveL8whTbKXP+Kf3qHue6bje5Ag0EYp70zQEQAKUCctDmoP7NNj8g+fmCBjB2Vb+msEFuM3kWaBP4J3Byz7MmGTkaBNqp8ZtJ7cOyTTVAXf2OX13qv/jXxd1k0c2krKjhFe9mZkdcK+unfYRvH74qswmOkpmLbWjbYsQ2rCmlUYPfMTE5inlFu0/gMxY0saoni2u5jB8eEqcdBq/skFwOggO1mngPZnh+A6nVKSI+7+Z8cmbzVANyg5JxDlsO5j7kbZP3Qc+Hg1IzoAkjeHtdhpvU4/gbzA61pubRn/mcPjK5YUSoXIhnUcQEk+/D1wxrwlD2unBsuFMFw87SDuhMzEyblIFc4he3ukgBfrNpW6LBp2NbVI3+YQFVd+i0uoo475/uYexRVZLicFOWIXdP6ak0K5ox9vV2PCbfJwyuDe6pFumshtdFcua0h7UP1qOpqb5tAFQKvdKWHsA/DbXW0cwssni6mhj8GxcUNJoATu2IvdGwCFGgzr4iDOS5AvAEwgQJWCUHCOW/pAso/IDArUxqX32q0r/qJ5KIqcnDpPFtDoiV30MaZrTFz9Qj9Z4qLusJpULO4GWYwwVmB2q7J6/1CfxZiuEYxd3OcAahdbp998pCmQIvbdGBOvzMP1grX1dxBeIdDDBgn/emKa++a6HPb19PHawclpQV0EuHxQ9a3m9ymlr1E/8lpOfqImN6N0Kd4/pUvHILhxJ7ABEBAAGJAjwEGAEKACYWIQQhvJMGF6FmKNZ2lAsxfINc3qmMzQUCYp70zQIbDAUJA8JnAAAKCRAxfINc3qmMzR6PEACbSFg5y+wp8e4vdCJKpxMOLxzlZ1hOikfJQ5XnllagNTktvP8CGVcgdbutDOOZ3j+0lDXS7+QF19LzoIrpMiY5R1eQOfaiqbWMoe+f2cM4h60yScjHP/+DT7SZ9WHgG2a2BqZ/6/ixcwMT570nObDTCK3RR8pyY+KpFJY/9XFhc7l4tSz1Jx851noQvVFLEPqSEILAIg46V/tb9eiZ+LkpapDEksqnoyU5eS0uO770zeCFRWh9DesH14qLNmFwgYO2Rh5sYNtNp12G1Mzy1I6VSpaBZBh/CaKP6oaNG/0xJiY5m74kN9aTLRwBScbLIMT07KBM919oLRHjzDaMj657xTYLSqlew2q5XHqjTosopXHpRier/67MBU5LmleJ0ipTDDu+5cKlXteU9pIBj4YgyBVC/PtSHO3SbvDR7xdgFJs7JitkazONMrKf1ejXO/QF62MnRlGttAn96yJz4quowMIUFD1Fl8Vjj2/mCDQiPtYvjy/5s5Qoz+F3CJxejEEaaxSivdvg3bECkzEA2Ii/SZ9Nr8o9yDByOUHo16a1qEoxfSfpsvU0c30oUL+jYk2FlT80JnTf8VQczE+Q/M0E6/q/xI5C5nW9bYT8A1Dln47VGBmtGxkNZETilda5IjNyU4rmsAO6GxFalk3woAGBQ9XmDj1pyrieUbcj1k22QA==" |
There was a problem hiding this comment.
Could we make this an input?
Or, better, switch to something else (eg OIDC) as a way to get session credentials.
There was a problem hiding this comment.
Yes OIDC is a good way to go, thanks for the suggestion.
| value = aws_iam_access_key.imagebuilder.id | ||
| } | ||
|
|
||
| resource "aws_iam_user_policy_attachment" "test-attach" { |
| "ec2:StopInstances", | ||
| "ec2:TerminateInstances" | ||
| ], | ||
| "Resource": "*" |
There was a problem hiding this comment.
Is it feasible to scope this down, eg by resource tag?
| resource "aws_iam_policy" "imagebuilder" { | ||
| name = "capa-image-builder-policy" | ||
| path = "/" | ||
| description = "Minimum required policy for image builder" |
There was a problem hiding this comment.
The actual policy seems broader than the description suggests.
There was a problem hiding this comment.
These are the permissions required for Packer when creating AMIs: https://developer.hashicorp.com/packer/integrations/hashicorp/amazon#iam-task-or-instance-role
There was a problem hiding this comment.
Sure, but I actually don't agree with Hashicorp here.
Check out https://blog.stefan-koch.name/2021/05/16/restricted-packer-aws-permissions
There was a problem hiding this comment.
I haven't seen that before, makes sense. Thats great, thanks for sharing that @sftim.
It's now also possible for an account to have its own IAM identity center. |
Yes and agreed that would be a better approach. I was planning on refactoring this to use identity centre based on feedback from @bryantbiggs (#6517 (comment)). So even better now that 2 people have suggested it. Appreciate the review @sftim 🙇 |
|
Looking at some job failures on the CAPA suite (https://prow.k8s.io/job-history/gs/kubernetes-jenkins/pr-logs/directory/pull-cluster-api-provider-aws-e2e), I think we need this to make our CI healthy again. Specifically, the job seems to be failing because of this error, taken from https://storage.googleapis.com/kubernetes-jenkins/pr-logs/pull/kubernetes-sigs_cluster-api-provider-aws/5039/pull-cluster-api-provider-aws-e2e/1829396767259496448/artifacts/clusters/bootstrap/resources/clusterctl-upgrade-1ab59h/AWSMachine/clusterctl-upgrade-3ymerb-control-plane-26mxd.yaml To my knowledge, the AMIs that CAPA was using were kept in an AWS account that VMware owned but stopped maintaining. I'm wondering if it has since been deleted. |
|
In the process of using OIDC and a restricted role. |
k8s-ci-robot
removed
the
lgtm
|
New changes are detected. LGTM label has been removed. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: richardcase The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Done:
Todo:
|
| @@ -0,0 +1,42 @@ | |||
| resource "aws_iam_openid_connect_provider" "github" { | |||
There was a problem hiding this comment.
FYI - we do have this https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/modules/iam-github-oidc-provider
Also, this is set ONCE per account - not sure if this would be the right place or if there is somewher where account level settings are created cc @ameukam
There was a problem hiding this comment.
Great, i wasn't aware of these. Thanks @bryantbiggs . I will update to use the modules instead of the handcrafted versions.
This is account is purely for the CAPA amis, so seems reasonable to have it here.
There was a problem hiding this comment.
Updated to use this module.
There was a problem hiding this comment.
This looks technically fine but we need to double check with the Github admin team if we are allowed to do this.
(Kubernetes organizations are not the responsibilities of the Infra SIG)
There was a problem hiding this comment.
Shall i ask in #github-management?
There was a problem hiding this comment.
Feedback from #github-management is that we shouldn't use OIDC from GHA in this way. Prow with IRSA should be used.
I will update the PR accordingly.
richardcase
force-pushed
the
capa_ami_account_users
branch
from
1f526a9
to
a4c8147
Compare
This adds AWS infra provisioning using terraform for the AWS account to be used to publish CAPA AMIs. Signed-off-by: Richard Case <[email protected]>
richardcase
force-pushed
the
capa_ami_account_users
branch
from
a4c8147
to
dc3bd39
Compare
|
|
||
| terraform { | ||
| backend "s3" { | ||
| bucket = "cncf-k8s-infra-aws-capa-ami-tfstate" |
There was a problem hiding this comment.
In which account this bucket is created ? I assume we want to manually create this ?
There was a problem hiding this comment.
I don't know to be honest. Which account are the TF buckets usually created in?
There was a problem hiding this comment.
We usually keep the remote backend in the same AWS account. There is a pending effort to centralize the remote backends in a dedicated account. I'll manually create this bucket for this.
There was a problem hiding this comment.
Great, thank you @ameukam
| for val in "${arr[@]}"; do | ||
| aws ec2 disable-image-block-public-access --region "$val" | ||
| done |
There was a problem hiding this comment.
we could do this with a HCL code ? cc @bryantbiggs
Don't have to be in this PR. Just want to be sure we can skip bash configuration
There was a problem hiding this comment.
I'm asking the other CAPA maintainer whether we need to continue publishing the AMIs to 15 regions. And whether we can just publish to 1 instead. If we change to just one then we can remove this completly.
But if there was a way that this could be done in HCL then that would give us options.
|
Thank you @ameukam and @bryantbiggs for the feedback, its very much appreciated. |
| source = "terraform-aws-modules/iam/aws//modules/iam-github-oidc-role" | ||
|
|
||
| name = "gh-image-builder" | ||
| subjects = ["kubernetes-sigs/cluster-api-provider-aws:*"] |
There was a problem hiding this comment.
Is there a particular reason why we are using github actions instead of prow? We can configure prow jobs to assume AWS roles very easily
There was a problem hiding this comment.
When we started this work in was advised to use TF. Do we use IRSA or pod identity with any Prow jobs at present?
There was a problem hiding this comment.
Having a quick look i only see assume roles in a few jobs and these are "trusted" jobs.
There was a problem hiding this comment.
Excellent, i will hunt them out. Thanks @upodroid
There was a problem hiding this comment.
@upodroid - any chance you could point me at one of the jobs? I'm not really seeing how this is done from Prow.
I can see this trusted job: https://github.com/kubernetes/test-infra/blob/master/config/jobs/kubernetes/sig-k8s-infra/trusted/sig-k8s-infra-registry.yaml#L32
This adds AWS infra provisioning using terraform for the AWS account to be used to publish CAPA AMIs.
It adds the following:
Fixes: #5010