[tf][aws] update to latest

matt-am · Aug 16, 2022 · 18e030b · 18e030b
1 parent b79ca74
commit 18e030b
Show file tree

Hide file tree

Showing 25 changed files with 182 additions and 1,880 deletions.
diff --git a/.gitignore b/.gitignore
@@ -50,6 +50,7 @@ terraform/validator/*/*-kube.config
 terraform/validator/vault-init/backend.tf
 terraform/testnet/*-kubernetes.json
 terraform/testnet/*-vault.ca
+.terraform.lock.hcl
 
 # Move Build Output
 build/

diff --git a/terraform/aptos-node-testnet/addons.tf b/terraform/aptos-node-testnet/addons.tf
@@ -157,6 +157,63 @@ resource "helm_release" "chaos-mesh" {
   }
 }
 
+// service account used for all external AWS-facing services, such as ALB ingress controller and External-DNS
+resource "kubernetes_service_account" "k8s-aws-integrations" {
+  metadata {
+    name      = "k8s-aws-integrations"
+    namespace = "kube-system"
+    annotations = {
+      "eks.amazonaws.com/role-arn" = aws_iam_role.k8s-aws-integrations.arn
+    }
+  }
+}
+
+# when upgrading the AWS ALB ingress controller, update the CRDs as well using:
+# kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller/crds?ref=master"
+resource "helm_release" "aws-load-balancer-controller" {
+  name        = "aws-load-balancer-controller"
+  repository  = "https://aws.github.io/eks-charts"
+  chart       = "aws-load-balancer-controller"
+  version     = "1.4.3"
+  namespace   = "kube-system"
+  max_history = 5
+  wait        = false
+
+  values = [
+    jsonencode({
+      serviceAccount = {
+        create = false
+        name   = kubernetes_service_account.k8s-aws-integrations.metadata[0].name
+      }
+      clusterName = module.validator.aws_eks_cluster.name
+      region      = var.region
+      vpcId       = module.validator.vpc_id
+    })
+  ]
+}
+
+resource "helm_release" "external-dns" {
+  count       = var.zone_id != "" ? 1 : 0
+  name        = "external-dns"
+  repository  = "https://kubernetes-sigs.github.io/external-dns"
+  chart       = "external-dns"
+  version     = "1.11.0"
+  namespace   = "kube-system"
+  max_history = 5
+  wait        = false
+
+  values = [
+    jsonencode({
+      serviceAccount = {
+        create = false
+        name   = kubernetes_service_account.k8s-aws-integrations.metadata[0].name
+      }
+      domainFilters = var.zone_id != "" ? [data.aws_route53_zone.aptos[0].name] : []
+      txtOwnerId    = var.zone_id
+    })
+  ]
+}
+
 resource "helm_release" "testnet-addons" {
   name        = "testnet-addons"
   chart       = local.testnet_addons_helm_chart_path
@@ -165,13 +222,6 @@ resource "helm_release" "testnet-addons" {
 
   values = [
     jsonencode({
-      aws = {
-        region       = var.region
-        cluster_name = module.validator.aws_eks_cluster.name
-        vpc_id       = module.validator.vpc_id
-        role_arn     = aws_iam_role.k8s-aws-integrations.arn
-        zone_name    = var.zone_id != "" ? data.aws_route53_zone.aptos[0].name : null
-      }
       genesis = {
         era             = var.era
         username_prefix = local.aptos_node_helm_prefix

diff --git a/terraform/aptos-node-testnet/auth.tf b/terraform/aptos-node-testnet/auth.tf
@@ -37,7 +37,9 @@ data "aws_iam_policy_document" "alb-ingress" {
       "ec2:DeleteTags",
       "ec2:DeleteSecurityGroup",
       "ec2:DescribeAccountAttributes",
+      # https://github.com/kubernetes-sigs/aws-load-balancer-controller/issues/2525
       "ec2:DescribeAddresses",
+      "ec2:DescribeAvailabilityZones",
       "ec2:DescribeInstances",
       "ec2:DescribeInstanceStatus",
       "ec2:DescribeInternetGateways",

diff --git a/terraform/aptos-node/aws/aws-calico/.helmignore b/terraform/aptos-node/aws/aws-calico/.helmignore
diff --git a/terraform/aptos-node/aws/aws-calico/Chart.yaml b/terraform/aptos-node/aws/aws-calico/Chart.yaml
diff --git a/terraform/aptos-node/aws/aws-calico/crds/calico.yaml b/terraform/aptos-node/aws/aws-calico/crds/calico.yaml