kathanjit · kathanjit · Sep 6, 2024 · Aug 26, 2024 · Aug 29, 2024 · Aug 29, 2024
diff --git a/.github/workflows/module-test.yaml b/.github/workflows/module-test.yaml
@@ -78,7 +78,6 @@ jobs:
           MODULE: ${{ inputs.module }}
           GLOB: ${{ inputs.glob }}
           AWS_REGION: "${{ secrets.AWS_REGION }}"
-          ASSUME_ROLE: "${{ secrets.AWS_ROLE_ARN }}"
           DOCKER_DNS_OVERRIDE: "8.8.8.8"
         run: |
           export AWS_DEFAULT_REGION="$AWS_REGION"
@@ -102,7 +101,6 @@ jobs:
           DOCKER_BUILDKIT: 1
           DEV_MODE: 1
           AWS_REGION: "${{ secrets.AWS_REGION }}"
-          ASSUME_ROLE: "${{ secrets.AWS_ROLE_ARN }}"
         run: |
           export AWS_DEFAULT_REGION="$AWS_REGION"
           make test environment="$CLUSTER_ID" module="cleanup"
@@ -119,13 +117,4 @@ jobs:
         env:
           AWS_REGION: "${{ secrets.AWS_REGION }}"
         run: |
-          export CLEANUP_ENVIRONMENT_NAME="eks-workshop-$CLUSTER_ID"
-          export AWS_DEFAULT_REGION="$AWS_REGION"
-
-          envsubst < hack/lib/filter.yml > filter.yml
-
-          cat filter.yml
-
-          awsweeper --force filter.yml
-
           make destroy-infrastructure environment="$CLUSTER_ID"
diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
@@ -42,6 +42,8 @@ jobs:
       - name: Check out code
         uses: actions/checkout@v4
       - name: Make shell
+        env:
+          SKIP_CREDENTIALS: 1
         run: |
           bash hack/exec.sh '' 'ls -la'
 
@@ -70,3 +72,14 @@ jobs:
           node-version: 18
       - run: |
           npx cspell lint "website/docs/**/*.md"
+
+  terraform-validate:
+    name: "Validate Terraform"
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: "~1.9.0"
+      - run: |
+          bash hack/validate-terraform.sh
diff --git a/.github/workflows/test-cleanup.yaml b/.github/workflows/test-cleanup.yaml
@@ -24,19 +24,6 @@ jobs:
       - name: Install utilities
         run: |
           sudo apt install -y gettext
-
-          mkdir -p ${HOME}/.local/bin
-          wget https://github.com/jckuester/awsweeper/releases/download/v0.12.0/awsweeper_0.12.0_linux_amd64.tar.gz
-          tar zxf awsweeper_0.12.0_linux_amd64.tar.gz
-          mv awsweeper_0.12.0_linux_amd64/awsweeper ${HOME}/.local/bin
-
-          wget https://github.com/eksctl-io/eksctl/releases/download/v0.169.0/eksctl_Linux_amd64.tar.gz
-          tar zxf eksctl_Linux_amd64.tar.gz
-          mv eksctl ${HOME}/.local/bin
-
-          chmod +x ${HOME}/.local/bin/*
-
-          echo "${HOME}/.local/bin" >> $GITHUB_PATH
       - name: Get AWS credentials
         uses: aws-actions/configure-aws-credentials@v4.0.2
         with:
@@ -50,13 +37,4 @@ jobs:
           CLUSTER_ID: ${{ github.event.inputs.clusterId }}
           AWS_REGION: "${{ secrets.AWS_REGION }}"
         run: |
-          export CLEANUP_ENVIRONMENT_NAME="$CLUSTER_ID"
-          export AWS_DEFAULT_REGION="$AWS_REGION"
-
-          envsubst < hack/lib/filter.yml > filter.yml
-
-          cat filter.yml
-
-          awsweeper --force filter.yml
-
           make destroy-infrastructure environment="$CLUSTER_ID"
diff --git a/.mergify.yml b/.mergify.yml
@@ -0,0 +1,7 @@
+pull_request_rules:
+  - name: Automatically approve Renovate PRs
+    conditions:
+      - author = renovate[bot]
+    actions:
+      review:
+        type: APPROVE
diff --git a/.spelling b/.spelling
@@ -126,3 +126,4 @@ mehta
 sheetal
 joshi
 keda
+AIML
diff --git a/CODEOWNERS b/CODEOWNERS
diff --git a/Makefile b/Makefile
@@ -35,8 +35,8 @@ delete-environment:
 
 .PHONY: create-infrastructure
 create-infrastructure:
-	bash hack/exec.sh $(environment) 'cat /cluster/eksctl/cluster.yaml | envsubst | eksctl create cluster -f -'
+	bash hack/create-infrastructure.sh $(environment)
 
 .PHONY: destroy-infrastructure
 destroy-infrastructure:
-	bash hack/exec.sh $(environment) 'cat /cluster/eksctl/cluster.yaml | envsubst | eksctl delete cluster --wait --force --disable-nodegroup-eviction --timeout 45m -f -'
+	bash hack/destroy-infrastructure.sh $(environment)
diff --git a/cluster/terraform/eks.tf b/cluster/terraform/eks.tf
@@ -2,9 +2,10 @@ module "eks" {
   source  = "terraform-aws-modules/eks/aws"
   version = "~> 20.0"
 
-  cluster_name                   = var.cluster_name
-  cluster_version                = var.cluster_version
-  cluster_endpoint_public_access = true
+  cluster_name                             = var.cluster_name
+  cluster_version                          = var.cluster_version
+  cluster_endpoint_public_access           = true
+  enable_cluster_creator_admin_permissions = true
 
   cluster_addons = {
     vpc-cni = {
@@ -32,9 +33,12 @@ module "eks" {
 
   eks_managed_node_groups = {
     default = {
-      instance_types       = ["m5.large"]
-      force_update_version = true
-      release_version      = var.ami_release_version
+      instance_types           = ["m5.large"]
+      force_update_version     = true
+      release_version          = var.ami_release_version
+      use_name_prefix          = false
+      iam_role_name            = "${var.cluster_name}-ng-default"
+      iam_role_use_name_prefix = false
 
       min_size     = 3
       max_size     = 6
@@ -53,4 +57,4 @@ module "eks" {
   tags = merge(local.tags, {
     "karpenter.sh/discovery" = var.cluster_name
   })
-}
+}
diff --git a/cluster/terraform/vpc.tf b/cluster/terraform/vpc.tf
@@ -38,7 +38,8 @@ module "vpc" {
     "kubernetes.io/role/elb" = "1"
   })
   private_subnet_tags = merge(local.tags, {
-    "karpenter.sh/discovery" = var.cluster_name
+    "karpenter.sh/discovery"          = var.cluster_name
+    "kubernetes.io/role/internal-elb" = "1"
   })
 
   tags = local.tags

diff --git a/docs/reviewer_checklist.md b/docs/reviewer_checklist.md
@@ -22,6 +22,10 @@ See style guide for expanded explanations.
 - [ ] `$EKS_CLUSTER_NAME` is used instead of hard-coded cluster names, including referencing other infrastructure that may use the cluster name
 - [ ] Avoided use of interactive `kubectl exec` or multiple terminal windows (or tests skipped)
 
+## AWS infrastructure
+
+- [ ] All Terraform resources created have names that prefixed with the EKS cluster name (`var.addon_context.eks_cluster_id`)
+
 ## Tests
 
 - [ ] `bash` blocks that run commands that are intended to error use `expectError=true`
@@ -34,5 +38,5 @@ See style guide for expanded explanations.
 ## Misc
 
 - [ ] Generated lab timing has been created (new lab) or updated (updated lab) if needed
-- [ ] All Terraform resources created have dynamic names
+- [ ] Relevant updates have been made to the [lab IAM policy](../lab/iam-policy-labs.json)
 - [ ] Images should be in `webp` format
diff --git a/hack/build-ide-cfn.sh b/hack/build-ide-cfn.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+set -e
+
+output_path=$1
+
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+source $SCRIPT_DIR/lib/common-env.sh
+
+if [ -z "$output_path" ]; then
+  outfile=$(mktemp)
+else
+  outfile=$output_path
+fi
+
+cd lab
+
+export Env="${EKS_CLUSTER_NAME}"
+
+cat cfn/eks-workshop-vscode-cfn.yaml | yq '(.. | select(has("file"))) |= (load(.file))' | envsubst '$Env' > $outfile
+
+echo "Output file: $outfile"
diff --git a/hack/create-infrastructure.sh b/hack/create-infrastructure.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+environment=$1
+
+set -Eeuo pipefail
+set -u
+
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+source $SCRIPT_DIR/lib/common-env.sh
+
+bash $SCRIPT_DIR/update-iam-role.sh $environment
+
+sleep 5
+
+cluster_exists=0
+aws eks describe-cluster --name "${EKS_CLUSTER_NAME}" &> /dev/null || cluster_exists=$?
+
+if [ $cluster_exists -eq 0 ]; then
+  echo "Cluster ${EKS_CLUSTER_NAME} already exists"
+else
+  echo "Creating cluster ${EKS_CLUSTER_NAME}"
+  bash $SCRIPT_DIR/exec.sh "${environment}" 'cat /cluster/eksctl/cluster.yaml | envsubst | eksctl create cluster -f -'
+fi
diff --git a/hack/deploy-ide-cfn.sh b/hack/deploy-ide-cfn.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -e
+
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+source $SCRIPT_DIR/lib/common-env.sh
+
+outfile=$(mktemp)
+
+bash $SCRIPT_DIR/build-ide-cfn.sh $outfile
+
+aws cloudformation deploy --stack-name eks-workshop-ide1 \
+  --capabilities CAPABILITY_NAMED_IAM --disable-rollback --template-file $outfile
diff --git a/hack/destroy-infrastructure.sh b/hack/destroy-infrastructure.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+environment=$1
+
+set -Eeuo pipefail
+set -u
+
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+source $SCRIPT_DIR/lib/common-env.sh
+
+cluster_exists=0
+aws eks describe-cluster --name "${EKS_CLUSTER_NAME}" &> /dev/null || cluster_exists=$?
+
+if [ $cluster_exists -eq 0 ]; then
+  echo "Deleting cluster ${EKS_CLUSTER_NAME}"
+  bash $SCRIPT_DIR/shell.sh "${environment}" 'delete-environment || true'
+
+  bash $SCRIPT_DIR/exec.sh "${environment}" 'eksctl delete cluster --name ${EKS_CLUSTER_NAME} --region ${AWS_REGION} --wait --force --disable-nodegroup-eviction --timeout 45m'
+else
+  echo "Cluster ${EKS_CLUSTER_NAME} does not exist"
+fi
+
+aws cloudformation delete-stack --stack-name ${EKS_CLUSTER_NAME}-ide-role || true
diff --git a/hack/exec.sh b/hack/exec.sh
@@ -19,7 +19,11 @@ container_image='eks-workshop-environment'
 
 (cd $SCRIPT_DIR/../lab && $CONTAINER_CLI build -q -t $container_image .)
 
-source $SCRIPT_DIR/lib/generate-aws-creds.sh
+if [ -z "$SKIP_CREDENTIALS" ]; then
+  source $SCRIPT_DIR/lib/generate-aws-creds.sh
+else
+  aws_credential_args=""
+fi
 
 echo "Executing command in container..."
 

diff --git a/hack/find-dangling-resources.sh b/hack/find-dangling-resources.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+environment=$1
+
+set -Eeuo pipefail
+set -u
+
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+source $SCRIPT_DIR/lib/common-env.sh
+
+aws resourcegroupstaggingapi get-resources --tag-filters Key=env,Values=$EKS_CLUSTER_NAME --query 'ResourceTagMappingList[].ResourceARN'
diff --git a/hack/lib/common-env.sh b/hack/lib/common-env.sh
@@ -13,3 +13,12 @@ if [ -z "$AWS_REGION" ]; then
 
   export AWS_REGION="us-west-2"
 fi
+
+SKIP_CREDENTIALS=${SKIP_CREDENTIALS:-""}
+
+if [ -z "$SKIP_CREDENTIALS" ]; then
+  ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
+
+  IDE_ROLE_NAME="${EKS_CLUSTER_NAME}-ide-role"
+  IDE_ROLE_ARN="arn:aws:iam::${ACCOUNT_ID}:role/${IDE_ROLE_NAME}"
+fi
diff --git a/hack/lib/generate-aws-creds.sh b/hack/lib/generate-aws-creds.sh
@@ -1,21 +1,19 @@
-aws_credential_args=""
+echo "Generating temporary AWS credentials..."
 
-ASSUME_ROLE=${ASSUME_ROLE:-""}
-AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID:-""}
+session_suffix=$(openssl rand -hex 4)
+
+target_role=${IDE_ROLE_ARN}
 
-if [ ! -z "$AWS_ACCESS_KEY_ID" ]; then
-  echo "Using environment AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY"
+ASSUME_ROLE=${ASSUME_ROLE:-""}
 
-  aws_credential_args="-e AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY -e AWS_SESSION_TOKEN=$AWS_SESSION_TOKEN"
-elif [ ! -z "$ASSUME_ROLE" ]; then
-  echo "Generating temporary AWS credentials..."
+if [ ! -z "$ASSUME_ROLE" ]; then
+  echo "Assuming role $ASSUME_ROLE"
+  target_role=$ASSUME_ROLE
+fi
 
-  ACCESS_VARS=$(aws sts assume-role --role-arn $ASSUME_ROLE --role-session-name ${EKS_CLUSTER_NAME}-shell --output json | jq -r '.Credentials | "export AWS_ACCESS_KEY_ID=\(.AccessKeyId) AWS_SECRET_ACCESS_KEY=\(.SecretAccessKey) AWS_SESSION_TOKEN=\(.SessionToken)"')
+ACCESS_VARS=$(aws sts assume-role --role-arn ${target_role} --role-session-name ${EKS_CLUSTER_NAME}-shell-${session_suffix} --output json | jq -r '.Credentials | "export AWS_ACCESS_KEY_ID=\(.AccessKeyId) AWS_SECRET_ACCESS_KEY=\(.SecretAccessKey) AWS_SESSION_TOKEN=\(.SessionToken)"')
 
-  # TODO: This should probably not use eval
-  eval "$ACCESS_VARS"
+# TODO: This should probably not use eval
+eval "$ACCESS_VARS"
 
-  aws_credential_args="-e AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY -e AWS_SESSION_TOKEN=$AWS_SESSION_TOKEN"
-else
-  echo "Inheriting credentials from instance profile"
-fi
+aws_credential_args="-e AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY -e AWS_SESSION_TOKEN=$AWS_SESSION_TOKEN"
diff --git a/hack/run-tests.sh b/hack/run-tests.sh
@@ -76,19 +76,27 @@ RESOURCES_PRECREATED=${RESOURCES_PRECREATED:-""}
 
 echo "Running test suite..."
 
+exit_code=0
+
 $CONTAINER_CLI run $background_args $dns_args \
   --name $container_name \
   -v $SCRIPT_DIR/../website/docs:/content \
   -v $SCRIPT_DIR/../manifests:/manifests \
   -e 'EKS_CLUSTER_NAME' -e 'AWS_REGION' -e 'RESOURCES_PRECREATED' \
-  $aws_credential_args $container_image -g "${actual_glob}" --hook-timeout 3600 --timeout 3600 $output_args ${AWS_EKS_WORKSHOP_TEST_FLAGS}
+  $aws_credential_args $container_image -g "${actual_glob}" --hook-timeout 3600 --timeout 3600 $output_args ${AWS_EKS_WORKSHOP_TEST_FLAGS} || exit_code=$?
 
-if [ ! -z "$TEST_REPORT" ]; then
-  docker cp $container_name:/tmp/test-report.json $TEST_REPORT > /dev/null
+if [ $exit_code -eq 0 ]; then
+  if [ ! -z "$TEST_REPORT" ]; then
+    docker cp $container_name:/tmp/test-report.json $TEST_REPORT > /dev/null
+  fi
 fi
 
 docker rm $container_name > /dev/null
 
+if [ $exit_code -ne 0 ]; then
+    exit $exit_code
+fi
+
 if [ ! -z "$GENERATE_TIMINGS" ]; then
   tmpfile=$(mktemp)
-Original file line number
+Diff line change
@@ Expand Up / @@ -126,3 +126,4 @@ mehta @@
     sheetal
     joshi
     keda
+    AIML