update: Install ACK with helm chart (#1180)

Co-authored-by: Yunjian <yunjianl@amazon.com>

manifests/modules/automation/controlplanes/ack/.workshop/cleanup.sh

@@ -2,4 +2,6 @@
 
 logmessage "Deleting resources created by ACK..."
 
-delete-all-if-crd-exists tables.dynamodb.services.k8s.aws
+delete-all-if-crd-exists tables.dynamodb.services.k8s.aws
+
+uninstall-helm-chart ack-dynamodb ack-dynamodb-chart

manifests/modules/automation/controlplanes/ack/.workshop/terraform/main.tf

@@ -19,29 +19,6 @@ data "aws_ecrpublic_authorization_token" "token" {
   provider = aws.virginia
 }
 
-#This module installs the ACK controller for DynamoDB through the AWS EKS Addons for ACK
-module "dynamodb_ack_addon" {
-
-  source  = "aws-ia/eks-ack-addons/aws"
-  version = "2.2.0"
-
-  # Cluster Info
-  cluster_name      = var.addon_context.eks_cluster_id
-  cluster_endpoint  = var.addon_context.aws_eks_cluster_endpoint
-  oidc_provider_arn = var.addon_context.eks_oidc_provider_arn
-
-  ecrpublic_username = data.aws_ecrpublic_authorization_token.token.user_name
-  ecrpublic_token    = data.aws_ecrpublic_authorization_token.token.password
-
-  # Controllers to enable
-  enable_dynamodb = true
-  dynamodb = {
-    role_name            = "${var.addon_context.eks_cluster_id}-ack-ddb"
-    role_name_use_prefix = false
-  }
-
-  tags = var.tags
-}
 
 module "iam_assumable_role_carts" {
   source                        = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
@@ -79,6 +56,42 @@ EOF
   tags   = var.tags
 }
 
+resource "aws_iam_policy" "ack_dynamo" {
+  name        = "${var.addon_context.eks_cluster_id}-ack-dynamo"
+  path        = "/"
+  description = "Dynamo policy for carts application"
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "AllAPIActionsOnCart",
+      "Effect": "Allow",
+      "Action": "dynamodb:*",
+      "Resource": [
+        "arn:aws:dynamodb:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/${var.addon_context.eks_cluster_id}-carts-ack",
+        "arn:aws:dynamodb:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/${var.addon_context.eks_cluster_id}-carts-ack/index/*"
+      ]
+    }
+  ]
+}
+EOF
+  tags   = var.tags
+}
+
+module "iam_assumable_role_ack" {
+  source                        = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
+  version                       = "5.44.0"
+  create_role                   = true
+  role_name                     = "${var.addon_context.eks_cluster_id}-ack-controller"
+  provider_url                  = var.addon_context.eks_oidc_issuer_url
+  role_policy_arns              = [aws_iam_policy.ack_dynamo.arn]
+  oidc_fully_qualified_subjects = ["system:serviceaccount:ack-dynamodb:ack-ddb-sa"]
+
+  tags = var.tags
+}
+
 module "eks_blueprints_addons" {
   source  = "aws-ia/eks-blueprints-addons/aws"
   version = "1.19.0"

manifests/modules/automation/controlplanes/ack/.workshop/terraform/outputs.tf

@@ -1,6 +1,8 @@
 output "environment_variables" {
   description = "Environment variables to be added to the IDE shell"
   value = {
-    CARTS_IAM_ROLE = module.iam_assumable_role_carts.iam_role_arn
+    CARTS_IAM_ROLE = module.iam_assumable_role_carts.iam_role_arn,
+    DYNAMODB_POLICY_ARN = aws_iam_policy.ack_dynamo.arn
+    ACK_IAM_ROLE=module.iam_assumable_role_ack.iam_role_arn,
   }
 }

website/docs/automation/controlplanes/ack/how-it-works.md

@@ -3,14 +3,6 @@ title: "How does ACK work?"
 sidebar_position: 5
 ---
 
-Each AWS Controller for Kubernetes (ACK) is packaged as a separate container image, published in a public repository corresponding to an individual ACK service controller. To provision resources for a specific AWS service, the corresponding controller must be installed in the Amazon EKS cluster. We've already completed this step in the `prepare-environment` phase. Official container images and Helm charts for ACK are available [here](https://gallery.ecr.aws/aws-controllers-k8s).
-
-In this workshop section, we'll be working with Amazon DynamoDB. The ACK controller for DynamoDB has been pre-installed in the cluster, running as a deployment in its own Kubernetes namespace. To examine the deployment details, run the following command:
-
-```bash
-$ kubectl describe deployment ack-dynamodb -n ack-dynamodb
-```
-
 :::info
 kubectl also provides useful `-oyaml` and `-ojson` flags which extract the full YAML or JSON manifests of the deployment definition, respectively, instead of the formatted output.
 :::

website/docs/automation/controlplanes/ack/index.md

@@ -17,7 +17,6 @@ $ prepare-environment automation/controlplanes/ack
 This will make the following changes to your lab environment:
 
 - Install the AWS Controllers for DynamoDB in the Amazon EKS cluster
-- Install the AWS Load Balancer controller in the Amazon EKS cluster
 
 You can view the Terraform that applies these changes [here](https://github.com/VAR::MANIFESTS_OWNER/VAR::MANIFESTS_REPOSITORY/tree/VAR::MANIFESTS_REF/manifests/modules/automation/controlplanes/ack/.workshop/terraform).
 
@@ -31,6 +30,6 @@ While the sample application can run entirely within your cluster, including sta
 
 In this lab, we'll use ACK to provision these services and create secrets and configmaps containing the binding information to connect the application to these AWS managed services.
 
-It's worth noting that during the provisioning process, we're using the new ACK Terraform module, which allows for rapid deployment of AWS Service Controllers to your cluster. For more information, see the [ACK Terraform module documentation](https://registry.terraform.io/modules/aws-ia/eks-ack-addons/aws/latest#module_dynamodb).
+For learning purposes, we're using helm to install the ACK controller. Another option is to use Terraform that allows for rapid deployment of AWS Service Controllers to your cluster. For more information, see the [ACK Terraform module documentation](https://registry.terraform.io/modules/aws-ia/eks-ack-addons/aws/latest#module_dynamodb).
 
 ![EKS with DynamoDB](./assets/eks-workshop-ddb.webp)

website/docs/automation/controlplanes/ack/introduction.md

@@ -0,0 +1,33 @@
+---
+title: "Introduction"
+sidebar_position: 3
+---
+
+Each ACK service controller is packaged into a separate container image that is published in a public repository corresponding to an individual ACK service controller. For each AWS service that we wish to provision, resources for the corresponding controller must be installed in the Amazon EKS cluster. Helm charts and official container images for ACK are available [here](https://gallery.ecr.aws/aws-controllers-k8s).
+
+In this section, since we will be working with Amazon DynamoDB ACK, we first need to install the ACK controller by using the Helm chart. As we ran the prepare-environment earlier, a role with proper permision is created for the ACK controller. Now let's create a service account and associate it with that role.
+```bash
+$ kubectl create ns ack-dynamodb
+$ kubectl create sa ack-ddb-sa --namespace ack-dynamodb
+$ kubectl annotate serviceaccount -n  ack-dynamodb ack-ddb-sa \
+  eks.amazonaws.com/role-arn=$ACK_IAM_ROLE --overwrite
+```
+
+Next, let us install the DynamoDB ACK controller by using the following commends: 
+```bash
+$ aws ecr-public get-login-password --region us-east-1 | \
+helm registry login --username AWS --password-stdin public.ecr.aws
+$ helm install -n ack-dynamodb ack  \
+  oci://public.ecr.aws/aws-controllers-k8s/dynamodb-chart \
+  --version=1.1.1  \
+  --set=aws.region=$AWS_REGION \
+  --set serviceAccount.create=false \
+  --set serviceAccount.name=ack-ddb-sa
+```
+
+Once the controller is installed, it is running as a deployment in ack-dynamodb namespace. To see what's under the hood, lets run the below.
+
+```bash
+$ kubectl get deployment  -n ack-dynamodb
+```
+