Add support for Bind Module Reference #79
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Getting error 'Module module.brokerpak-eks-terraform-bind contains provider configuration' in ssb broker
Module on module dependency does not allow the child module to specify its own provider blocks; all provider blocks must be in the root module
nickumia-reisys
added a commit
to GSA/datagov-ssb
that referenced
this pull request
Feb 18, 2022
There's overlap between different credentials in our deployment, so use AWS_PROFILE to have finer control over which credentials are used when.. Reference: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
Since the module is being run directly from the same context as the ssb, we have to set different credentials for the space in which eks will live (which is different from the ssb backend)
This is a shift in how we are using EKS terraform from brokerpak-only to brokerpak AND terraform module
To fix 'To work with module.brokerpak-eks-terraform-provision.aws_kms_key.cluster its original provider configuration at │ module.brokerpak-eks-terraform-provision.provider[registry.terraform.io/hashicorp/aws].dnssec-key-provider is required, but it has been removed. This occurs when a │ provider configuration is removed while objects created by that provider still exist in the state. Re-add the provider configuration to destroy │ module.brokerpak-eks-terraform-provision.aws_kms_key.cluster, after which you can remove the provider configuration again.'
Fix for.. Error: error configuring Terraform AWS Provider: error validating provider credentials: error calling sts:GetCallerIdentity: InvalidClientTokenId: The security token included in the request is invalid.
│ status code: 403, request id: 38dd9ba8-75e8-4b9d-93c5-dac8c5a2d534
│
│ with module.brokerpak-eks-terraform-provision.provider[registry.terraform.io/hashicorp/aws].dnssec-key-provider,
│ on .terraform/modules/brokerpak-eks-terraform-provision/terraform/provision/providers.tf line 2, in provider aws:
│ 2: provider aws {
Child modules must specify required_providers and use their defined local name (if different from the providers preferred name); Reference: https://www.terraform.io/language/providers/requirements#handling-local-name-conflicts
Now that we're using the up-to-date version of the EKS module, the module is better at managing Fargate profiles than we are. So now we let it handle that.
We were previously restricted to using a version of the kubernetes provider that didn't support annotations, so we were forced to use a null_resource to set up logging. Now that we're no longer restricted, we can do this with explicit namespace and configmap resources.
Ensure this policy is applied to the roles created by the EKS module for all node_groups and fargate_profiles. This way all pod logs go to Cloudwatch. (The policy name were also changed, since it's not only for use with Fargate pods.)
The kubernetes provider needs AWS creds set in the environment so it can use aws-iam-authenticator to connect.
By making provision and bind into submodules of a single root module that encompasses them both (in ../terraform), we can hoist their provider configurations upward into the root module. Then the root module can handle accepting the provider configuration from callers (in this case datagov-ssb's static provision+bind deployment) and pass them to the submodules. We can have the bind module depend on the provision module, which skirts Terraform restrictions that would normally prevent the bind module from declaring its own kubernetes provider. The submodules remain usable as root-modules in other contexts. For example, the brokerpak can use provision once, then use bind multiple times for each binding.
We still can't yet uncomment/declare the bind module because of the depends_on relationship with provision. The next step is to try to hoist the kubernetes provider out of the bind module. Ideally we'll be able to specify a kubeconfig directly using the output of the provision module.
…e account The token is used in the kubernetes provider config for bind, removing the need for any AWS credentials or binaries.
|
Where we're at: As of the refactoring commits tonight in this branch and in the corresponding datagov-ssb repo branch, the modules no longer have any providers in them, the root module over them both creates appropriate providers for each module and injects them. Terraform validate approves! However, when I run terraform apply it's getting stuck because the deployment of csi-ebs driver and ingress-nginx helm-release are timing out. This is almost certainly because those pods have daemonsets and cannot run on Fargate, and the MNG group is not available to schedule. We'll need to review this series of commits tomorrow to see what I b0rked up: |
|
Where we're at:
|
mogul
force-pushed
the
fix-for-ssb-terraform-only
branch
from
f5d8caf to
f92497c
Compare
We figured this problem out. |
mogul
force-pushed
the
fix-for-ssb-terraform-only
branch
from
8d69c82 to
ae504eb
Compare
When brokering, these are top-level modules, so they need to do their own provider setup
mogul
force-pushed
the
fix-for-ssb-terraform-only
branch
from
ae504eb to
3fe1719
Compare
|
Lots of teensy bugs fixed along the way to this point: That's the next thing to look into. |
|
Oh hey, IT PASSED! Maybe there was just some cruft left in place from my last local invocation of test with an instance of the same name that prevented it from passing locally. |
nickumia-reisys
commented
Mar 1, 2022
There was a problem hiding this comment.
This is an awesome feature add! I won't hark on it right now, but we should probably update the README or add a file in the docs dir to record the dual functionality of brokerpak or terraform module.
AMAZING WORK THOUGH!! 🍹
P.S. Alas I can't merge this PR because technically it's mine 😕
FuhuXia
approved these changes
Mar 1, 2022
robert-bryson
pushed a commit
to GSA/datagov-ssb
that referenced
this pull request
Mar 3, 2022
* new: provision standalone eks cluster using terraform only Create custom 'brokerpak-eks-terraform-provision' module using eks-brokerpak as source; specify custom parameters to provision with * update: terraform and modules * new: add bind resource for eks-terraform cluster Create user-provided service based on binding to pass to solrcloud broker * fix/refactor: bind depends on provision * update/fix: child modules can't specify their own provider blocks Reference: GSA-TTS/datagov-brokerpak-eks#79 * cleanup: remove unreferenced variable * new: add eks_terraform params for staging/prod * fix: ensure bind actually waits for cluster_functional Explicit output from module to module * new: install aws/kubectl/helm tools for terraform apply * fix: don't mess up ubuntu's path * test: attempt to fix github action path Trying to determine where home is and where the real path actually is * test: ensure that the aws-iam-authenticator was installed Also tests whether the command is available later in the same job * test: the command actually wasn't added to the path yet.. Reference: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#adding-a-system-path * fix: high hopesgit add . aws-iam-authenticator needs AWS Credentials in the env * new: successfully configure providers for eks as a submodule * revert: no need to set AWS creds The S3 Backend is set up properly alongside terraform AWS credentials, so this broke that * update: supply the module's required_provider using the correct alias * fix: provide AWS creds for the module to use with kubernetes provider The module needs AWS creds so the kubernetes provider can use aws-iam-authenticator when it connects. * workaround: temporarily comment out the resources that aren't working We have yet to resolve the issue with the kubernetes_provider in the bind module not working, due to it having a dependency on another module. * refactor: move declaration of IaaS-only resources to the managed-boundary Technically this is where they belong, in terms of our SSP and diagram terminology. Note also that we are no longer invoking the submodules separately, but rather directly invoking the parent module at `datagov-brokerpak-eks/terraform` * lint: fix terraform fmt * fix: uncomment CF-side resources * fix: name "credentials" is implicit * update: eks-brokerpak no longer needs a branch Dual support for brokerpak mode or terraform module mode is enabled :) * fix: terraform string literals don't like newlines Reference: hashicorp/terraform-provider-vault#307 * fix: use data sources for space/org lookup * fix: set variables based on service name update VCAP_SERVICE selection to use the correct service based on service name, not service type * new: install tools as TERRAFORM_PRE_RUN Since dflook action is a separate container, the tools need to be pulled in properly. The terraform working directory becomes part of the path for that step, so installing the tools there works :) * lint: ran terraform fmt * new: add tools to known path After lots of tries, this seems to be the most reliable method * temp: work off of branch until it gets merged Too many changes to keep track off.. the branch is fully functional for terraform only stuff, but brokerpak stuff is a bit broken :/ Co-authored-by: Bret Mogilefsky <[email protected]>
11 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Getting error 'Module module.brokerpak-eks-terraform-bind contains provider configuration' in ssb broker
relates to GSA/data.gov#3696