From f05b3332d1f7b5b023f4b2798da2ccf09323d04a Mon Sep 17 00:00:00 2001
From: George Scott
Date: Tue, 9 Jan 2024 12:04:08 -0600
Subject: [PATCH 1/4] get upgrade working

---
 modules/app_eks/add-ons.tf | 43 ++++++++++++++++++++++++++++
 modules/app_eks/iam-role-policies.tf | 16 +++++++++++
 modules/app_eks/main.tf | 18 ------------
 3 files changed, 59 insertions(+), 18 deletions(-)
 create mode 100644 modules/app_eks/add-ons.tf

diff --git a/modules/app_eks/add-ons.tf b/modules/app_eks/add-ons.tf
new file mode 100644
index 000000000..c97d1e66c
--- /dev/null
+++ b/modules/app_eks/add-ons.tf
@@ -0,0 +1,43 @@
+resource "aws_eks_addon" "ebs_csi" {
+ addon_name = "aws-ebs-csi-driver"
+ addon_version = "v1.25.0-eksbuild.1"
+ cluster_name = var.namespace
+ preserve = false
+ resolve_conflicts = "OVERWRITE"
+ depends_on = [
+ module.eks,
+ aws_eks_addon.vpc_cni
+ ]
+}
+
+resource "aws_eks_addon" "vpc_cni" {
+ addon_name = "vpc-cni"
+ addon_version = "v1.13.0-eksbuild.1"
+ cluster_name = var.namespace
+ preserve = false
+ resolve_conflicts = "OVERWRITE"
+ service_account_role_arn = aws_iam_role.node.arn
+ depends_on = [
+ module.eks,
+ aws_iam_openid_connect_provider.eks,
+ aws_iam_role_policy_attachment.vpc_cni
+ ]
+}
+
+#########################################
+# OIDC stuff for VPC CNI
+#########################################
+data "tls_certificate" "vpc_cni" {
+ url = module.eks.cluster_oidc_issuer_url
+}
+
+#resource "aws_iam_openid_connect_provider" "vpc_cni" {
+# client_id_list = ["sts.amazonaws.com"]
+# thumbprint_list = [data.tls_certificate.eks.certificates[0].sha1_fingerprint]
+# url = module.eks.cluster_oidc_issuer_url
+#}
+
+resource "aws_iam_role_policy_attachment" "vpc_cni" {
+ policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
+ role = aws_iam_role.node.name
+}
diff --git a/modules/app_eks/iam-role-policies.tf b/modules/app_eks/iam-role-policies.tf
index e9e26264e..7c7e94c82 100644
--- a/modules/app_eks/iam-role-policies.tf
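Review bot: `service_account_role_arn = aws_iam_role.node.arn` on `aws_eks_addon.vpc_cni` hands the kube-system/aws-node service account the entire node role instead of a role scoped to the CNI; later in this series iam-role-attachments.tf shows that same role also carrying S3, SQS, KMS and Secrets Manager attachments, so the pod's projected token is worth far more than AmazonEKS_CNI_Policy, and the federated trust statement added to `node_assume` in iam-role-policies.tf has the same root cause. A dedicated IRSA role trusted only by the OIDC provider for that service account, with the AmazonEKS_CNI_Policy attachment and the add-on's `depends_on` pointed at it, is the least-privilege shape; a sketch follows. `data "tls_certificate" "vpc_cni"` is never referenced (the commented-out provider reads `data.tls_certificate.eks`), so it is dead code. If the module runs on AWS provider 5.x, `resolve_conflicts` is deprecated in favour of `resolve_conflicts_on_create` / `resolve_conflicts_on_update`.
```hcl
# Dedicated IRSA role for the VPC CNI: trusted only by the cluster OIDC
# provider, only for kube-system/aws-node, only for the STS audience.
data "aws_iam_policy_document" "vpc_cni_assume" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    effect  = "Allow"

    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.eks.arn]
    }

    condition {
      test     = "StringEquals"
      variable = "${replace(aws_iam_openid_connect_provider.eks.url, "https://", "")}:sub"
      values   = ["system:serviceaccount:kube-system:aws-node"]
    }

    condition {
      test     = "StringEquals"
      variable = "${replace(aws_iam_openid_connect_provider.eks.url, "https://", "")}:aud"
      values   = ["sts.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "vpc_cni" {
  name               = "${var.namespace}-vpc-cni"
  assume_role_policy = data.aws_iam_policy_document.vpc_cni_assume.json
}

resource "aws_iam_role_policy_attachment" "vpc_cni" {
  policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
  role       = aws_iam_role.vpc_cni.name
}

resource "aws_eks_addon" "vpc_cni" {
  # … unchanged: addon_name, addon_version, cluster_name, preserve, resolve_conflicts …
  service_account_role_arn = aws_iam_role.vpc_cni.arn
  depends_on = [
    module.eks,
    aws_iam_openid_connect_provider.eks,
    aws_iam_role_policy_attachment.vpc_cni
  ]
}
```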
+++ b/modules/app_eks/iam-role-policies.tf
@@ -9,5 +9,21 @@ data "aws_iam_policy_document" "node_assume" {
 identifiers = ["ec2.amazonaws.com"]
 }
 }
+
+ statement {
+ actions = ["sts:AssumeRoleWithWebIdentity"]
+ effect = "Allow"
+
+ condition {
+ test = "StringEquals"
+ variable = "${replace(aws_iam_openid_connect_provider.eks.url, "https://", "")}:sub"
+ values = ["system:serviceaccount:kube-system:aws-node"]
+ }
+
+ principals {
+ identifiers = [aws_iam_openid_connect_provider.eks.arn]
+ type = "Federated"
+ }
+ }
 }
diff --git a/modules/app_eks/main.tf b/modules/app_eks/main.tf
index d58211b4e..677542a9b 100644
--- a/modules/app_eks/main.tf
+++ b/modules/app_eks/main.tf
@@ -7,24 +7,6 @@ locals {
 }
-resource "aws_eks_addon" "eks" {
- cluster_name = var.namespace
- addon_name = "aws-ebs-csi-driver"
- depends_on = [
- module.eks
- ]
-}
-
-# removed due to conflict with
-# AWS Load Balancer Controller
-# being installed with Helm.
-# See: https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.6/
-#resource "aws_eks_addon" "vpc_cni" {
-# cluster_name = var.namespace
-# addon_name = "vpc-cni"
-# depends_on = [module.eks]
-#}
-
 locals {
 managed_policy_arns = concat([
 "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
From bb5eaa6fa486bb95e15548ca164f97051890da0b Mon Sep 17 00:00:00 2001
From: George Scott
Date: Thu, 11 Jan 2024 12:53:06 -0600
Subject: [PATCH 2/4] install EKS VPC-CNI Add-on

---
 modules/app_eks/add-ons.tf | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

diff --git a/modules/app_eks/add-ons.tf b/modules/app_eks/add-ons.tf
index c97d1e66c..b669e482e 100644
--- a/modules/app_eks/add-ons.tf
+++ b/modules/app_eks/add-ons.tf
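Review bot: The new `sts:AssumeRoleWithWebIdentity` statement conditions only on the token's `:sub`; AWS's IRSA guidance also pins the audience, so add a second `condition` with `variable = "${replace(aws_iam_openid_connect_provider.eks.url, "https://", "")}:aud"` and `values = ["sts.amazonaws.com"]`, which stops a web-identity token issued by this cluster's OIDC provider for some other audience from being exchanged for the role. Because the statement is merged into `node_assume`, which iam-roles.tf feeds to `aws_iam_role.node`, it also makes the node role — and every managed policy attached to it — assumable by that one service account rather than by a CNI-only role. The `data` block this hunk extends starts before the hunk.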
@@ -1,27 +1,30 @@
 resource "aws_eks_addon" "ebs_csi" {
+ depends_on = [
+ module.eks,
+ aws_eks_addon.vpc_cni
+ ]
+ + addon_name = "aws-ebs-csi-driver"
 addon_version = "v1.25.0-eksbuild.1"
 cluster_name = var.namespace
 preserve = false
 resolve_conflicts = "OVERWRITE"
- depends_on = [
- module.eks,
- aws_eks_addon.vpc_cni
- ]
+
 }
 resource "aws_eks_addon" "vpc_cni" {
+ depends_on = [
+ module.eks,
+ aws_iam_openid_connect_provider.eks,
+ aws_iam_role_policy_attachment.vpc_cni
+ ]
+ + addon_name = "vpc-cni"
 addon_version = "v1.13.0-eksbuild.1"
 cluster_name = var.namespace
 preserve = false
 resolve_conflicts = "OVERWRITE"
 service_account_role_arn = aws_iam_role.node.arn
- depends_on = [
- module.eks,
- aws_iam_openid_connect_provider.eks,
- aws_iam_role_policy_attachment.vpc_cni
- ]
 }
 #########################################
From 803acbdd8c27e9ba1fa25f4a97d73b265ef1745b Mon Sep 17 00:00:00 2001
From: George Scott
Date: Thu, 11 Jan 2024 13:15:57 -0600
Subject: [PATCH 3/4] cleanup

---
 modules/app_eks/add-ons.tf | 33 +++++--------------------
 modules/app_eks/iam-role-attachments.tf | 26 ++++++++++---------
 modules/app_eks/iam-roles.tf | 1 -
 3 files changed, 21 insertions(+), 39 deletions(-)

diff --git a/modules/app_eks/add-ons.tf b/modules/app_eks/add-ons.tf
index b669e482e..22606675b 100644
--- a/modules/app_eks/add-ons.tf
+++ b/modules/app_eks/add-ons.tf
@@ -1,15 +1,8 @@
-resource "aws_eks_addon" "ebs_csi" {
- depends_on = [
- module.eks,
- aws_eks_addon.vpc_cni
- ]
-
- addon_name = "aws-ebs-csi-driver"
- addon_version = "v1.25.0-eksbuild.1"
- cluster_name = var.namespace
- preserve = false
- resolve_conflicts = "OVERWRITE"
-
+#########################################
+# OIDC stuff for VPC CNI
+#########################################
+data "tls_certificate" "vpc_cni" {
+ url = module.eks.cluster_oidc_issuer_url
 }
 resource "aws_eks_addon" "vpc_cni" {
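Review bot: Dropping `resource "aws_eks_addon" "ebs_csi"` is a destroy, not a hand-off: the block was created with `preserve = false`, so on the next apply Terraform deletes the add-on and EKS removes the EBS CSI driver from any cluster that already applied the earlier patches, which breaks EBS-backed PersistentVolumes unless the driver is installed some other way. If the intent is to stop managing it in Terraform, set `preserve = true` (or `terraform state rm aws_eks_addon.ebs_csi`) before removing the block. The AmazonEBSCSIDriverPolicy attachment on the node role is kept in iam-role-attachments.tf, so that permission now outlives the component that used it — drop it as well if the driver is really gone.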
@@ -27,20 +20,6 @@ resource "aws_eks_addon" "vpc_cni" {
 service_account_role_arn = aws_iam_role.node.arn
 }
-#########################################
-# OIDC stuff for VPC CNI
-#########################################
-data "tls_certificate" "vpc_cni" {
- url = module.eks.cluster_oidc_issuer_url
-}
-#resource "aws_iam_openid_connect_provider" "vpc_cni" {
-# client_id_list = ["sts.amazonaws.com"]
-# thumbprint_list = [data.tls_certificate.eks.certificates[0].sha1_fingerprint]
-# url = module.eks.cluster_oidc_issuer_url
-#}
-resource "aws_iam_role_policy_attachment" "vpc_cni" {
- policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
- role = aws_iam_role.node.name
-}
+
diff --git a/modules/app_eks/iam-role-attachments.tf b/modules/app_eks/iam-role-attachments.tf
index 938ad34b6..cab6cae98 100644
--- a/modules/app_eks/iam-role-attachments.tf
+++ b/modules/app_eks/iam-role-attachments.tf
@@ -13,6 +13,11 @@ resource "aws_iam_role_policy_attachment" "node_kms" {
 policy_arn = aws_iam_policy.node_kms.arn
 }
+resource "aws_iam_role_policy_attachment" "node_secrets_manager" {
+ role = aws_iam_role.node.name
+ policy_arn = aws_iam_policy.secrets_manager.arn
+}
+
 resource "aws_iam_role_policy_attachment" "node_sqs" {
 role = aws_iam_role.node.name
 policy_arn = aws_iam_policy.node_sqs.arn
@@ -23,14 +28,9 @@ resource "aws_iam_role_policy_attachment" "node_s3" {
 policy_arn = aws_iam_policy.node_s3.arn
 }
-resource "aws_iam_role_policy_attachment" "eks_cni" {
- role = aws_iam_role.node.name
- policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
-}
-
-resource "aws_iam_role_policy_attachment" "eks_worker_node" {
+resource "aws_iam_role_policy_attachment" "ebs_csi" {
 role = aws_iam_role.node.name
- policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
+ policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
 }
 resource "aws_iam_role_policy_attachment" "ec2_container_registry" {
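Review bot: Removing `aws_iam_role_policy_attachment.vpc_cni` here leaves the `depends_on` list of `aws_eks_addon.vpc_cni` — just above this hunk and untouched by the series (patch 4 still shows that block ending unchanged) — referring to a resource that no longer exists, so `terraform validate` should fail with an undeclared-resource error unless it is declared in a file outside this series. The surviving attachment with the same role and AmazonEKS_CNI_Policy ARN is `aws_iam_role_policy_attachment.eks_cni` in iam-role-attachments.tf, so the entry should read `aws_iam_role_policy_attachment.eks_cni`. The enclosing `aws_eks_addon.vpc_cni` block starts before this hunk.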
@@ -38,12 +38,16 @@ resource "aws_iam_role_policy_attachment" "ec2_container_registry" {
 policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
 }
-resource "aws_iam_role_policy_attachment" "ebs_csi" {
+resource "aws_iam_role_policy_attachment" "eks_cni" {
 role = aws_iam_role.node.name
- policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
+ policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
 }
-resource "aws_iam_role_policy_attachment" "node_secrets_manager" {
+resource "aws_iam_role_policy_attachment" "eks_worker_node" {
 role = aws_iam_role.node.name
- policy_arn = aws_iam_policy.secrets_manager.arn
+ policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
 }
+
+
+
+
diff --git a/modules/app_eks/iam-roles.tf b/modules/app_eks/iam-roles.tf
index 19e99e921..b44640b05 100644
--- a/modules/app_eks/iam-roles.tf
+++ b/modules/app_eks/iam-roles.tf
@@ -1,7 +1,6 @@
 resource "aws_iam_role" "node" {
 name = "${var.namespace}-node"
 assume_role_policy = data.aws_iam_policy_document.node_assume.json
-
 }
From 6898ebbc4933850218fc43b2d6b09f1ab585d87f Mon Sep 17 00:00:00 2001
From: George Scott
Date: Fri, 9 Feb 2024 14:55:52 -0600
Subject: [PATCH 4/4] remove extra spaces

---
 modules/app_eks/add-ons.tf | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/modules/app_eks/add-ons.tf b/modules/app_eks/add-ons.tf
index 22606675b..9cfd3d9d4 100644
--- a/modules/app_eks/add-ons.tf
+++ b/modules/app_eks/add-ons.tf
@@ -19,7 +19,3 @@ resource "aws_eks_addon" "vpc_cni" {
 resolve_conflicts = "OVERWRITE"
 service_account_role_arn = aws_iam_role.node.arn
 }
-
-
-
-
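Review bot: The trailing `+` lines of the iam-role-attachments.tf hunk append four empty lines at the end of that file, the same stray whitespace that patch 4 later strips from add-ons.tf but not from this file, so the series still leaves it behind here. Drop them in this commit so the cleanup is consistent across both files.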