diff --git a/terraform/.terraform.lock.hcl b/terraform/.terraform.lock.hcl index 7c78e50..1cb4561 100644 --- a/terraform/.terraform.lock.hcl +++ b/terraform/.terraform.lock.hcl 
@@ -2,169 +2,71 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/aws" { - version = "4.34.0" - constraints = ">= 2.68.0, >= 3.22.0, ~> 4.0" + version = "5.66.0" + constraints = "~> 5.66.0" hashes = [ - "h1:SDqaa/BVMQMzQ1bWQfrcsC4jfaywFeUq03jsojDNnyY=", - "zh:2bdc9b908008c1e874d8ba7e2cfabd856cafb63c52fef51a1fdeef2f5584bffd", - "zh:43c5364e3161be3856e56494cbb8b21d513fc05875f1b40e66e583602154dd0a", - "zh:44e763adae92489f223f65866c1f8b5342e7e85b95daa8d1f483a2afb47f7db3", - "zh:62bfabb3a1a31814cb3fadc356539d8253b95abacfffd90984affb54c9a53a86", - "zh:6495ce67897d2d5648d466c09e8588e837c2878322988738a95c06926044b05d", + "h1:yGcVdhj9IKbS/b7BSHtgGjCiFnKK+81ImkK/x7UCgEI=", + "zh:071c908eb18627f4becdaf0a9fe95d7a61f69be365080aba2ef5e24f6314392b", + "zh:3dea2a474c6ad4be5b508de4e90064ec485e3fbcebb264cb6c4dec660e3ea8b5", + "zh:56c0b81e3bbf4e9ccb2efb984f8758e2bc563ce179ff3aecc1145df268b046d1", + "zh:5f34b75a9ef69cad8c79115ecc0697427d7f673143b81a28c3cf8d5decfd7f93", + "zh:65632bc2c408775ee44cb32a72e7c48376001a9a7b3adbc2c9b4d088a7d58650", + "zh:6d0550459941dfb39582fadd20bfad8816255a827bfaafb932d51d66030fcdd5", + "zh:7f1811ef179e507fdcc9776eb8dc3d650339f8b84dd084642cf7314c5ca26745", + "zh:8a793d816d7ef57e71758fe95bf830cfca70d121df70778b65cc11065ad004fd", + "zh:8c7cda08adba01b5ae8cc4e5fbf16761451f0fab01327e5f44fc47b7248ba653", + "zh:96d855f1771342771855c0fb2d47ff6a731e8f2fa5d242b18037c751fd63e6c3", "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:b1546b2ac61d7cc27a8eba160ae1b6ac581d2c4af824a400d6511e4998da398a", - "zh:c8c362c5527f0533bde581e41cdb2bdf42aea557762f326dbfa122fdf001fb10", - "zh:c8cc28fb41f73ca09f590bace2204ea325f6116be0bbce6abfebd393d028f12c", - "zh:db0601c9bd12ca028d60ac87e85320285ebc64857715f7908dd6a283e5f44d45", - "zh:e64d2193236d05348ba2e8b99650d9274e5af80be39b3ee28bbe442b0684d8a3", - "zh:ff6228f3751e1f0ee7dc086d09e32d39ca6556f0b5267f36aae67881d29ace94", + 
"zh:b2a62669b72c2471820410b58d764102b11c24e326831ddcfae85c7d20795acf", + "zh:b4a6b251ac24c8f5522581f8d55238d249d0008d36f64475beefc3791f229e1d", + "zh:ca519fa7ee1cac30439c7e2d311a0ecea6a5dae2d175fe8440f30133688b6272", + "zh:fbcd54e7d65806b0038fc8a0fbdc717e1284298ff66e22aac39dcc5a22cc99e5", ] } provider "registry.terraform.io/hashicorp/github" { - version = "4.31.0" - constraints = "~> 4.1" + version = "6.2.3" hashes = [ - "h1:FkBft5JlVtlcYcEM0CiphlFWgjBFQVziJMwrowuBIoc=", - "zh:07208ecc74804fbdd554830de79627f3e58633fc417b12dc29aafaceae01e427", - "zh:0dca3802a7ea1ba4812c866bf202e62aef6c8995db8856fdb5b4d1d81b505518", - "zh:24e6a56b34b3e0dca6ca0d6f22d0a31dda6a3256713492902c39ce9edd14acbd", - "zh:42e41fa4e61218973615b7e5d564119bb5c728ee40b881539964cd704632d8c0", - "zh:6aa6bb04fdc00c3c762122e96ee7c19abfb8e42dc5d3a720b5767dbb4cfa274d", - "zh:74ea4bbad825eee831d37940760459786460fe492e1b30acb5c91c9edd14a5ea", - "zh:8e170f6d5e46c08fbc3b5ff251075382f75b53a66a83b7b005099fb99ad94f24", - "zh:9164b611e7318e3d08cc84513d3d8c27bd12336a7721a894cb3d346b60286233", - "zh:91d3397f021c5a9fedff36f84635ffc3169224494629bb4a578356a05091e182", - "zh:b061e1529499bf40f8f14c9c8116787dd50f6fd3d64ad38d77cd39db77e98ae9", - "zh:c9daff626f7a55c01db79b6ccc462948bf854d976c73def306ae9ae09e5afe1b", - "zh:ec7e223ae7d6292b8425b7190e801f1098a647d2aee3132761d37fd75cfcfe07", - "zh:f2001b2a2f7049fc74ffe54d7bc48c9dfec80956f468a2c8a550c5071d077dbd", - "zh:f75ec1e71924c50b346bced15883c626f697ffd3ee6c4bb2835e4170fe65215a", + "h1:igRdbZ2jqI6oKAr78+8smF3xw/97xKrbhdITKubKQQM=", + "h1:qBH3fN/NItflQkBoIVdQa7n8WvBOuu7Ao20oeoAubKM=", + "zh:05874671652a260b12d784cc46b0eea156f493a5f12e00368d1f6cb319156257", + "zh:0c7a3cae5a66e5c5efc3b25ba646a0d46bfe1fd3edba1f5a75f51aede85a9d1b", + "zh:174310010d08f13e36e53ff18e44a21dd040c89884ef190a192c6ce27926a912", + "zh:23d1d8731e518354ce6a83419f49101aece63882b0ca7c489f3c598cc6ea5d5e", + "zh:4e88953816daf11ab1681c32c7988d4e29476fc44f0959fe03173532cf5044de", + 
"zh:6fab07734ccf27f5afee4442abae2d33245eabf35519032ce1e2aad6961a640a", + "zh:7b2f324b918e161c892c29ee80d36c48ca8b891b8047e132fc701ca741e5ae72", + "zh:8ef4f0d691ade98082ef1f6b36e556468e5ab26e60021f0de0fb22e3acdfd990", + "zh:8f0f3e139faa8f2b9075bb9978dd683f4bab5ac91171bbb969addd04d7f0b90f", + "zh:97cb6d7fdf640237cc2f0ab830db8f878770968c59fd28298e9dddb8b9e6294d", + "zh:a17038d8747c6bb660e4c5981e8ffbbc33c66ba164868fd35d442e7f828a1e01", + "zh:aa9f4b7d947f7b11277b4e9ba7147f5594cf60a6589b7aac4344f73d1400d1c0", + "zh:c780b951e14d583ef6ffef9a934831b56ee157c50ed8e969c676a636810f7db1", + "zh:d8497bb2986fd76107b7208b33cc39281797164fdea09453e987b969a461befb", + "zh:fbd1fee2c9df3aa19cf8851ce134dea6e45ea01cb85695c1726670c285797e25", ] } -provider "registry.terraform.io/hashicorp/helm" { - version = "2.7.1" - constraints = "~> 2.0" +provider "registry.terraform.io/integrations/github" { + version = "6.2.3" + constraints = "~> 6.2.3" hashes = [ - "h1:L5qLTfZH7PnZt9+YnS7iYmPBEDQOpEjZiF0v50BRNi8=", - "zh:13e2467092deeff01c4cfa2b54ba4510aa7a9b06c58f22c4215b0f4333858364", - "zh:4549843db4fdf5d8150e8c0734e67b54b5c3bcfc914e3221e6952f428fb984d2", - "zh:55b5f83ed52f93dd00a73c33c948326052efd700350c19e63bb1679b12bfcda6", - "zh:749397e41393289eb0ef6efd0a75911d29b8aa7f48e5d6813b4b350dad91acbd", - "zh:7a4a2c95b055f6c8e70d1fc7a4cc4fd6e4f04845be36e40d42d31dfc13db37b8", - "zh:8143e5b8218857052505c805b570889b862c618ce6cbfbddb98938ff7a5901d3", - "zh:856d94b3b34d6204d66c6de4feab4737c74dba037ad64e4c613e8eec61d17f1a", - "zh:b9b037f1edda209022df1c7fc906786970524873e27b061f3355cb9bbed2cf08", - "zh:c433b27f52a0600490af07f8b217ab0b1048ba347d68e6fe478aba18634e78d9", - "zh:da133748368c6e27b433cd7faeb7b800536c8651e7af0415452901dfc7577dbf", - "zh:eecc63c2dec8aafa2ffd7426800c3e1a5e31e848be01ea9511ad0184dce15945", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - ] -} - -provider "registry.terraform.io/hashicorp/kubernetes" { - version = "1.13.4" - constraints = ">= 1.11.1, ~> 1.13" - 
hashes = [ - "h1:05eflFJUOeaW4Ksk+/peF6U/SlCIuR6q0ZFQcMUb1b4=", - "zh:0658034b1b0e241f6d6fc8dac2073755dcbab8f82645c0a46cec052469c518b2", - "zh:11a08ffa9b86670711cb8f2754ac8034b0cdf3d9bad4f3c22695f749a892c630", - "zh:3e90e15a58f699f22bcbe27d3cf45064f9e1a2f1fb50992afc6ea55a59100d4c", - "zh:5e5a335655e40ceb4576af3790aead62646942972c206f49a3dc52275d925f11", - "zh:6bbf068c35380e75fbd7f5186c37175c6058bd6160d59957a023af3e4c9f43c5", - "zh:6bd839cce4ce786201b3d0d43b6ad80e3bf9642f74b1490b9cf72ca8d8c90575", - "zh:804ba2f1d03f315b071434fd7201eeb1e705fcb82f9a1dc4bec760e4231becfa", - "zh:957963a9f287589836a56be24bb9a172919f5a3f18098adb9f185f2a6699680b", - "zh:b099aea7f5213450f3b0d4e439aeb83aba965920b89474aa94f2bc0d6f698fe7", - "zh:b8d610a387f0df4b4c5c27b9319749d1bf60b01c69ea65d2d129c2a61afa0c7b", - "zh:cbf56221840b360befc00fe2336a9236d1ff0f32456453030ed6f58b49deb8df", - ] -} - -provider "registry.terraform.io/hashicorp/local" { - version = "2.2.3" - constraints = ">= 1.4.0" - hashes = [ - "h1:FvRIEgCmAezgZUqb2F+PZ9WnSSnR5zbEM2ZI+GLmbMk=", - "zh:04f0978bb3e052707b8e82e46780c371ac1c66b689b4a23bbc2f58865ab7d5c0", - "zh:6484f1b3e9e3771eb7cc8e8bab8b35f939a55d550b3f4fb2ab141a24269ee6aa", - "zh:78a56d59a013cb0f7eb1c92815d6eb5cf07f8b5f0ae20b96d049e73db915b238", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:8aa9950f4c4db37239bcb62e19910c49e47043f6c8587e5b0396619923657797", - "zh:996beea85f9084a725ff0e6473a4594deb5266727c5f56e9c1c7c62ded6addbb", - "zh:9a7ef7a21f48fabfd145b2e2a4240ca57517ad155017e86a30860d7c0c109de3", - "zh:a63e70ac052aa25120113bcddd50c1f3cfe61f681a93a50cea5595a4b2cc3e1c", - "zh:a6e8d46f94108e049ad85dbed60354236dc0b9b5ec8eabe01c4580280a43d3b8", - "zh:bb112ce7efbfcfa0e65ed97fa245ef348e0fd5bfa5a7e4ab2091a9bd469f0a9e", - "zh:d7bec0da5c094c6955efed100f3fe22fca8866859f87c025be1760feb174d6d9", - "zh:fb9f271b72094d07cef8154cd3d50e9aa818a0ea39130bc193132ad7b23076fd", - ] -} - -provider "registry.terraform.io/hashicorp/null" { - version = "3.1.1" - 
constraints = ">= 2.1.0" - hashes = [ - "h1:YvH6gTaQzGdNv+SKTZujU1O0bO+Pw6vJHOPhqgN8XNs=", - "zh:063466f41f1d9fd0dd93722840c1314f046d8760b1812fa67c34de0afcba5597", - "zh:08c058e367de6debdad35fc24d97131c7cf75103baec8279aba3506a08b53faf", - "zh:73ce6dff935150d6ddc6ac4a10071e02647d10175c173cfe5dca81f3d13d8afe", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:8fdd792a626413502e68c195f2097352bdc6a0df694f7df350ed784741eb587e", - "zh:976bbaf268cb497400fd5b3c774d218f3933271864345f18deebe4dcbfcd6afa", - "zh:b21b78ca581f98f4cdb7a366b03ae9db23a73dfa7df12c533d7c19b68e9e72e5", - "zh:b7fc0c1615dbdb1d6fd4abb9c7dc7da286631f7ca2299fb9cd4664258ccfbff4", - "zh:d1efc942b2c44345e0c29bc976594cb7278c38cfb8897b344669eafbc3cddf46", - "zh:e356c245b3cd9d4789bab010893566acace682d7db877e52d40fc4ca34a50924", - "zh:ea98802ba92fcfa8cf12cbce2e9e7ebe999afbf8ed47fa45fc847a098d89468b", - "zh:eff8872458806499889f6927b5d954560f3d74bf20b6043409edf94d26cd906f", - ] -} - -provider "registry.terraform.io/hashicorp/random" { - version = "3.4.3" - constraints = ">= 2.1.0" - hashes = [ - "h1:saZR+mhthL0OZl4SyHXZraxyaBNVMxiZzks78nWcZ2o=", - "zh:41c53ba47085d8261590990f8633c8906696fa0a3c4b384ff6a7ecbf84339752", - "zh:59d98081c4475f2ad77d881c4412c5129c56214892f490adf11c7e7a5a47de9b", - "zh:686ad1ee40b812b9e016317e7f34c0d63ef837e084dea4a1f578f64a6314ad53", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:84103eae7251384c0d995f5a257c72b0096605048f757b749b7b62107a5dccb3", - "zh:8ee974b110adb78c7cd18aae82b2729e5124d8f115d484215fd5199451053de5", - "zh:9dd4561e3c847e45de603f17fa0c01ae14cae8c4b7b4e6423c9ef3904b308dda", - "zh:bb07bb3c2c0296beba0beec629ebc6474c70732387477a65966483b5efabdbc6", - "zh:e891339e96c9e5a888727b45b2e1bb3fcbdfe0fd7c5b4396e4695459b38c8cb1", - "zh:ea4739860c24dfeaac6c100b2a2e357106a89d18751f7693f3c31ecf6a996f8d", - "zh:f0c76ac303fd0ab59146c39bc121c5d7d86f878e9a69294e29444d4c653786f8", - 
"zh:f143a9a5af42b38fed328a161279906759ff39ac428ebcfe55606e05e1518b93", - ] -} - -provider "registry.terraform.io/hashicorp/template" { - version = "2.2.0" - constraints = ">= 2.1.0" - hashes = [ - "h1:R/73Y+8BMyRzudaNBB+qlMtHoFB92YrYcUkFdh18bmE=", - ] -} - -provider "registry.terraform.io/hashicorp/time" { - version = "0.9.0" - hashes = [ - "h1:ahCGE0FoHJfYQcs1DAKNX9x/PQYzkelYZtSsWXRW7kg=", - "zh:063ee7b02dc6dec1fb8e597f1212548fc82fc3e5ef8e70c9d1ca6fa309b7527f", - "zh:0f5490a9699575ba31ee232a20ef1e0713fbd135018dcfd4c39ab592af9ebfcc", - "zh:1b9945d8f589276f63ff7cfe79a53c7829d8ed8ebc35492d0e126409637d9e4d", - "zh:39bf57aced393ac56c2b353e22884f3716f77a4fa435319df5bd8428ed50686d", - "zh:538b41733cea242e4dfe1711ffe1f6ae37855eaabf724622e1e05d7f5cf35987", - "zh:678cc0c14e3800c38c1f34e9811dbd61fe337359e512b6aa0c76469bc65a3115", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:79a58ea9f85aaf8617ff33d82fe3b162ab5a9aa6dcc914245e37bab8f08f4177", - "zh:855767ffd3b21f7b5ebd0c22c257060beff1e3acf3a8bdc48ac7b063fbf27a5d", - "zh:ceb9aba18c7c15b337582a8db0eedadfdd81d2de95526ab449d95acec5101987", - "zh:e48ac4a746dfb9ab1f0949265902b2220401feee6722e266a736118f1485f70a", - "zh:f49485c04198bab9fc743077530ac22fb232644b15c45253b8dd1bd4ef9132c1", + "h1:igRdbZ2jqI6oKAr78+8smF3xw/97xKrbhdITKubKQQM=", + "h1:qBH3fN/NItflQkBoIVdQa7n8WvBOuu7Ao20oeoAubKM=", + "zh:05874671652a260b12d784cc46b0eea156f493a5f12e00368d1f6cb319156257", + "zh:0c7a3cae5a66e5c5efc3b25ba646a0d46bfe1fd3edba1f5a75f51aede85a9d1b", + "zh:174310010d08f13e36e53ff18e44a21dd040c89884ef190a192c6ce27926a912", + "zh:23d1d8731e518354ce6a83419f49101aece63882b0ca7c489f3c598cc6ea5d5e", + "zh:4e88953816daf11ab1681c32c7988d4e29476fc44f0959fe03173532cf5044de", + "zh:6fab07734ccf27f5afee4442abae2d33245eabf35519032ce1e2aad6961a640a", + "zh:7b2f324b918e161c892c29ee80d36c48ca8b891b8047e132fc701ca741e5ae72", + "zh:8ef4f0d691ade98082ef1f6b36e556468e5ab26e60021f0de0fb22e3acdfd990", + 
"zh:8f0f3e139faa8f2b9075bb9978dd683f4bab5ac91171bbb969addd04d7f0b90f",
+ "zh:97cb6d7fdf640237cc2f0ab830db8f878770968c59fd28298e9dddb8b9e6294d",
+ "zh:a17038d8747c6bb660e4c5981e8ffbbc33c66ba164868fd35d442e7f828a1e01",
+ "zh:aa9f4b7d947f7b11277b4e9ba7147f5594cf60a6589b7aac4344f73d1400d1c0",
+ "zh:c780b951e14d583ef6ffef9a934831b56ee157c50ed8e969c676a636810f7db1",
+ "zh:d8497bb2986fd76107b7208b33cc39281797164fdea09453e987b969a461befb",
+ "zh:fbd1fee2c9df3aa19cf8851ce134dea6e45ea01cb85695c1726670c285797e25",
 ]
 }
diff --git a/terraform/aws.tf b/terraform/aws.tf
index a30df6f..e2cc3e7 100644
--- a/terraform/aws.tf
+++ b/terraform/aws.tf
@@ -1,8 +1,18 @@
-// Configure all aws accounts
-module "aws_accounts" {
- for_each = local.users
- source = "./modules/aws_account"
- pennkey = each.key
- emails = local.emails
- view_cluster = data.aws_iam_policy_document.view-k8s.json
+# module "s3_bucket" {
+# source = "terraform-aws-modules/s3-bucket/aws"
+
+# bucket = "cis1912-test"
+# acl = "private"
+
+# control_object_ownership = true
+# object_ownership = "ObjectWriter"
+# }
+
+resource "aws_s3_bucket" "example" {
+ bucket = "cis1912-test-bucket"
+
+ tags = {
+ Name = "CIS 1912 Test Bucket"
+ Environment = "Dev"
+ }
 }
diff --git a/terraform/eks.tf b/terraform/eks.tf
index 436bd18..b945e46 100644
--- a/terraform/eks.tf
+++ b/terraform/eks.tf
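Review bot: The new `aws_s3_bucket.example` declares only a name and tags, so the `acl = "private"` and object-ownership settings that the commented-out `module "s3_bucket"` above it carried do not survive on the live resource. With the 5.x provider those belong in companion resources, so I'd add an `aws_s3_bucket_public_access_block` and an `aws_s3_bucket_ownership_controls` next to it as below; AWS does block public access on new buckets by default, but declaring it keeps the guarantee visible and reviewable. Deleting `module "aws_accounts"` also leaves `./modules/aws_account` and the `emails = var.emails` local added in main.tf without a caller, so either the module directory goes too or the call comes back. The commented-out module block should be removed rather than kept; git history already has it.
```hcl
resource "aws_s3_bucket" "example" {
  # … unchanged: bucket name and tags …
}

# Keep the bucket private regardless of account-level defaults.
resource "aws_s3_bucket_public_access_block" "example" {
  bucket                  = aws_s3_bucket.example.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Disable ACLs so access is governed by bucket/IAM policies only.
resource "aws_s3_bucket_ownership_controls" "example" {
  bucket = aws_s3_bucket.example.id
  rule {
    object_ownership = "BucketOwnerEnforced"
  }
}
```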
@@ -1,130 +1,136 @@ -module "eks" { - source = "terraform-aws-modules/eks/aws" - version = "15.0.0" - cluster_name = local.k8s_cluster_name - cluster_version = "1.23" - subnets = module.vpc.private_subnets - vpc_id = module.vpc.vpc_id - write_kubeconfig = false - enable_irsa = true - map_roles = concat([ - for student, _ in var.students : { - rolearn = module.aws_accounts[student].role-arn, username = student, groups = [] - } - ], - [ - for user, _ in merge(var.instructors, var.tas) : { - rolearn = module.aws_accounts[user].role-arn, username = user, groups = ["system:masters"] - } - ] - ) - worker_groups_launch_template = [ - { - name = "spot-1" - override_instance_types = ["t3.medium"] - spot_instance_pools = 1 - // TODO: change to whatever size is needed - asg_max_size = 2 - asg_desired_capacity = 2 - kubelet_extra_args = "--node-labels=node.kubernetes.io/lifecycle=spot" - bootstrap_extra_args = "--use-max-pods false" - public_ip = true - }, - ] - tags = { - created-by = "terraform" - } -} -// TODO: see if we can local-exec and kill the default CNI - -data "aws_eks_cluster" "eks" { - name = module.eks.cluster_id -} - -data "aws_eks_cluster_auth" "eks" { - name = module.eks.cluster_id -} - -// Spot Node Termination Handler -resource "helm_release" "aws-node-termination-handler" { - name = "aws-node-termination-handler" - repository = "https://aws.github.io/eks-charts" - chart = "aws-node-termination-handler" - version = "0.13.0" - namespace = "kube-system" - - values = [file("helm/aws-node-termination-handler.yaml")] -} - -// Weave to replace the default ENI -// https://medium.com/@swazza85/dealing-with-pod-density-limitations-on-eks-worker-nodes-137a12c8b218 -resource "helm_release" "weave" { - name = "weave" - repository = "https://helm.pennlabs.org" - chart = "helm-wrapper" - version = "0.1.0" - namespace = "kube-system" - - values = [file("helm/weave.yaml")] -} - -resource "helm_release" "traefik" { - name = "traefik" - repository = 
"https://charts.helm.sh/stable" - chart = "traefik" - version = "1.87.2" - namespace = "kube-system" - - values = [file("helm/traefik.yaml")] -} - -data "aws_iam_policy_document" "view-k8s" { - statement { - actions = ["eks:DescribeCluster"] - resources = [module.eks.cluster_arn] - } -} - -resource "helm_release" "registry-creds" { - name = "registry-creds" - repository = "https://helm.pennlabs.org" - chart = "helm-wrapper" - version = "0.1.0" - - values = [file("helm/registry-creds.yaml")] -} - -resource "kubernetes_secret" "cluster-pull-secret" { - metadata { - name = "registry-creds-secret" - namespace = "kube-system" - } - - data = { - ".dockerconfigjson" = < hw } - source = "./modules/hw_repo" - hw = each.value.hw - pennkey = each.value.student - team-id = github_team.teams[each.value.student].id - bot-team-id = github_team.bot.id - published = each.value.published + for_each = { + for hw in local.hws : "${hw.hw}-${hw.student}" => hw + if hw != "hw0" && hw != "hw1" && hw != "hw2" + } + source = "./modules/hw_repo" + hw = each.value.hw + pennkey = each.value.student + github-username = local.users[each.value.student] + team-id = github_team.teams[each.value.student].id + bot-team-id = github_team.bot.id + published = each.value.published } diff --git a/terraform/github_bot.tf b/terraform/github_bot.tf index 187aa1c..e612af0 100644 --- a/terraform/github_bot.tf +++ b/terraform/github_bot.tf @@ -3,6 +3,7 @@ resource "github_membership" "bot" { username = local.bot_user role = "admin" + # TODO: may not be possible lifecycle { prevent_destroy = true } @@ -19,11 +20,16 @@ resource "github_repository" "hw" { lifecycle { prevent_destroy = true } + + template { + repository = each.key + owner = "cis1912" + } } // Grant bot user push access to hw repos resource "github_team" "bot" { - name = "bot" + name = "cis1912-bot" description = "Bot team" privacy = "closed" 
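Review bot: The added filter `if hw != "hw0" && hw != "hw1" && hw != "hw2"` compares the whole `hw` object from `local.hws` with a string, which in HCL is never equal, so the condition is always true and repos for hw0–hw2 are still created; it should read `if hw.hw != "hw0" && hw.hw != "hw1" && hw.hw != "hw2"` or, more compactly, `if !contains(["hw0", "hw1", "hw2"], hw.hw)`. `github-username = local.users[each.value.student]` relies on the values of `local.users` (which main.tf builds as `merge(var.students, var.instructors, var.tas)`) being GitHub usernames, which is not stated anywhere visible; a comment on those variables saying so would prevent the map being repurposed. The head of this hunk, together with the `kubernetes_secret` heredoc of the preceding eks.tf hunk, is mangled in this view, so the module's header line is not visible to me.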
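Review bot: `# TODO: may not be possible` placed above the `lifecycle` block of `github_membership.bot` does not say what may not be possible, so the next reader cannot tell whether it refers to `prevent_destroy` on a membership or to the `admin` role. Spell it out, e.g. `# TODO: confirm prevent_destroy actually protects this membership; check with terraform plan before relying on it`. The resource header is outside the hunk.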
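Review bot: The `template { repository = each.key ... }` block added to `github_repository.hw` is, as far as I recall the integrations/github provider, honoured only at creation time and forces replacement when added to an existing repository, which the `prevent_destroy = true` two lines above will then refuse at plan time; confirm with `terraform plan`, and if these repositories already exist the block should be omitted or the state imported. If `each.key` is also the `name` of the repository being created here (the `name` argument is outside the hunk), the resource would declare itself as its own template. `owner = "cis1912"` repeats the organisation that `provider "github"` no longer states; one `github_org` local next to `bot_user` in main.tf would keep it in a single place. The resource header is outside the hunk.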
@@ -42,11 +48,21 @@ resource "github_team_membership" "bot" {
 }
 }
-resource "github_team_repository" "bot" {
- for_each = local.published
- team_id = github_team.bot.id
+resource "github_repository_collaborators" "bot" {
+ for_each = local.published
+ repository = each.key
- permission = "push"
+
+ user {
+ permission = "admin"
+ username = local.bot_user
+ }
+
+ team {
+ permission = "push"
+ team_id = github_team.bot.id
+ }
+
 lifecycle {
 prevent_destroy = true
diff --git a/terraform/k8s.tf b/terraform/k8s.tf
deleted file mode 100644
index ba8c6ee..0000000
--- a/terraform/k8s.tf
+++ /dev/null
@@ -1,6 +0,0 @@
-// Configure all student k8s resources
-module "k8s_config" {
- for_each = local.users
- source = "./modules/k8s_config"
- pennkey = each.key
-}
diff --git a/terraform/k8s_cert_manager.tf b/terraform/k8s_cert_manager.tf
deleted file mode 100644
index 2397f7e..0000000
--- a/terraform/k8s_cert_manager.tf
+++ /dev/null
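Review bot: `github_repository_collaborators.bot` raises the bot account from the team's `push` to a direct `admin` grant on every repository in `local.published`; admin lets the account change settings and collaborators or delete the repository, which an automation user that only needs to push should not hold, so I'd keep `permission = "push"` (or `maintain` if it must manage branches and issues) in the `user` block. The bot is already a member of `github_team.bot` via `github_team_membership.bot`, so the direct `user` entry duplicates the `team` grant; if the direct entry is deliberate, say why in a comment. Worth a header comment too, since `github_repository_collaborators` is authoritative as far as I recall the provider docs — collaborators and teams not declared in it are removed on apply — e.g. `# authoritative: collaborators/teams not listed here are removed on apply`; the same applies to `github_repository_collaborators.hw` in modules/hw_repo/main.tf. The `lifecycle` block continues past the end of the hunk.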
@@ -1,75 +0,0 @@ -resource "kubernetes_namespace" "cert-manager" { - metadata { - name = "cert-manager" - } -} - -resource "helm_release" "cert-manager" { - name = "cert-manager" - repository = "https://charts.jetstack.io" - chart = "cert-manager" - version = "v1.5.4" - namespace = kubernetes_namespace.cert-manager.metadata[0].name - // This is set to ensure that cert-manager is working before the CRs are applied - atomic = true - set { - name = "installCRDs" - value = true - } - - // Run the webhook in hostNetwork mode so that the API Server can access it - // https://github.com/jetstack/cert-manager/blob/95f8d53e19b5dcec1db2d28a2af894ed22ed94db/deploy/charts/cert-manager/values.yaml#L291 - set { - name = "webhook.hostNetwork" - value = true - } - - set { - name = "webhook.securePort" - value = 10251 - } -} - -resource "time_sleep" "cert-manager-cr" { - // Used to allow cert-manager time to initialize - depends_on = [helm_release.cert-manager] - create_duration = "1m" -} - -resource "helm_release" "clusterissuer" { - name = "clusterissuer" - repository = "https://helm.pennlabs.org" - chart = "helm-wrapper" - version = "0.1.0" - values = [file("cert-manager-files/clusterissuer.yaml")] - - depends_on = [ - time_sleep.cert-manager-cr - ] -} - -resource "helm_release" "certs" { - for_each = local.users - name = "cert-${each.key}" - repository = "https://helm.pennlabs.org" - chart = "helm-wrapper" - version = "0.1.0" - namespace = each.key - values = [templatefile("cert-manager-files/cert.yaml", { NAME = each.key })] - - depends_on = [ - time_sleep.cert-manager-cr - ] -} - -resource "helm_release" "cert-grafana" { - name = "cert-grafana" - repository = "https://helm.pennlabs.org" - chart = "helm-wrapper" - version = "0.1.0" - values = [templatefile("cert-manager-files/cert.yaml", { NAME = "grafana" })] - - depends_on = [ - time_sleep.cert-manager-cr - ] -} 
diff --git a/terraform/k8s_monitoring.tf b/terraform/k8s_monitoring.tf
deleted file mode 100644
index a606cd7..0000000
--- a/terraform/k8s_monitoring.tf
+++ /dev/null
@@ -1,43 +0,0 @@
-resource "kubernetes_namespace" "monitoring" {
- metadata {
- name = "monitoring"
- }
-}
-
-resource "helm_release" "prometheus" {
- name = "prometheus"
- repository = "https://charts.helm.sh/stable"
- chart = "prometheus"
- version = "11.2.3"
- namespace = kubernetes_namespace.monitoring.metadata[0].name
-
- values = [file("helm/prometheus.yaml")]
-}
-
-resource "helm_release" "grafana" {
- name = "grafana"
- repository = "https://charts.helm.sh/stable"
- chart = "grafana"
- version = "5.1.4"
-
- values = [file("helm/grafana.yaml")]
-}
-
-resource "random_password" "grafana-password" {
- length = 64
- special = false
-}
-
-resource "kubernetes_secret" "grafana" {
- metadata {
- name = "grafana"
- }
-
- data = {
- ADMIN_USER = "admin"
- ADMIN_PASSWORD = random_password.grafana-password.result
- GF_AUTH_GITHUB_CLIENT_ID = var.GF_GH_CLIENT_ID
- GF_AUTH_GITHUB_CLIENT_SECRET = var.GF_GH_CLIENT_SECRET
-
- }
-}
diff --git a/terraform/main.tf b/terraform/main.tf
index 4ca846a..d1f2eba 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -19,4 +19,5 @@ locals {
 bot_user = "cis1912bot"
 k8s_cluster_name = "cis1912"
 users = merge(var.students, var.instructors, var.tas)
+ emails = var.emails
 }
diff --git a/terraform/modules/aws_account/README.md b/terraform/modules/aws_account/README.md
index d2eb654..e69de29 100644
--- a/terraform/modules/aws_account/README.md
+++ b/terraform/modules/aws_account/README.md
@@ -1,3 +0,0 @@
-# aws_account
-
-Create an IAM User and Role for a student such that the user has the ability to assume the role.
diff --git a/terraform/modules/aws_account/main.tf b/terraform/modules/aws_account/main.tf
index fc3ac0b..01766c9 100644
--- a/terraform/modules/aws_account/main.tf
+++ b/terraform/modules/aws_account/main.tf
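Review bot: `emails = var.emails` is added to `locals`, but the only consumer visible in this diff, `module "aws_accounts"` in aws.tf, is removed by the same commit, so unless another file reads `local.emails` the local is dead from the moment it lands. Either drop it or restore the module call that used it; if it is being kept for a later change, a comment such as `# pennkey -> email map, reserved for per-student modules` would stop it being cleaned up by mistake. The `locals` block's opening line is outside the hunk.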
@@ -1,83 +1,6 @@
-data "aws_caller_identity" "current" {}
-
-// User
 resource "aws_iam_user" "user" {
 name = var.pennkey
- tags = {
 created-by = "terraform"
 }
 }
-
-// Policy to allow user to assume any role
-data "aws_iam_policy_document" "assume-role-policy" {
- statement {
- actions = ["sts:AssumeRole"]
- resources = [aws_iam_role.role.arn]
- }
-}
-
-// Allow user to assume roles
-resource "aws_iam_user_policy" "policy" {
- name = "assume-role"
- user = aws_iam_user.user.name
- policy = data.aws_iam_policy_document.assume-role-policy.json
-}
-
-resource "aws_iam_user_policy" "describe-cluster" {
- name = "eks"
- user = aws_iam_user.user.name
- policy = var.view_cluster
-}
-
-// Policy to allow iam user of same pennkey to assume role
-data "aws_iam_policy_document" "allow-user-assume-role" {
- statement {
- actions = ["sts:AssumeRole"]
-
- principals {
- type = "AWS"
- identifiers = [aws_iam_user.user.arn]
- }
- }
- statement {
- actions = ["sts:AssumeRoleWithSAML"]
-
- principals {
- type = "Federated"
- identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.id}:saml-provider/PennWebLogin"]
- }
- }
-}
-
-// Role
-resource "aws_iam_role" "role" {
- name = var.pennkey
-
- assume_role_policy = data.aws_iam_policy_document.allow-user-assume-role.json
-
- tags = {
- created-by = "terraform"
- }
-}
-
-// Allow role to create an access key for the user
-data "aws_iam_policy_document" "manage-user" {
- statement {
- actions = [
- "iam:CreateAccessKey",
- "iam:DeleteAccessKey",
- "iam:GetAccessKeyLastUsed",
- "iam:GetUser",
- "iam:ListAccessKeys",
- "iam:UpdateAccessKey"
- ]
- resources = [aws_iam_user.user.arn]
- }
-}
-
-resource "aws_iam_role_policy" "manage-user" {
- name = "manage-user"
- role = aws_iam_role.role.name
- policy = data.aws_iam_policy_document.manage-user.json
-}
diff --git a/terraform/modules/aws_account/output.tf b/terraform/modules/aws_account/output.tf
new file mode 100644
index 0000000..e69de29
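Review bot: After this hunk the module creates only a bare `aws_iam_user` with no policy, role or output, yet it still declares `var.emails` (variables.tf in this commit) that nothing in the body reads, its README is emptied, and `outputs.tf` is deleted while an empty `output.tf` is created — that last pair looks like an accidental rename rather than an intentional change. If the trimmed module is intended, say so at the top of the file, e.g. `// Creates a bare IAM user per pennkey; no permissions are attached here`, and remove the unused variable and the empty file; otherwise the module call removed from aws.tf should be restored. Applying this destroys every per-student role together with its SAML and user trust policy, which is presumably intended given the cluster removal but deserves a line in the commit message.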
diff --git a/terraform/modules/aws_account/outputs.tf b/terraform/modules/aws_account/outputs.tf
deleted file mode 100644
index a80bba1..0000000
--- a/terraform/modules/aws_account/outputs.tf
+++ /dev/null
@@ -1,3 +0,0 @@
-output "role-arn" {
- value = aws_iam_role.role.arn
-}
diff --git a/terraform/modules/aws_account/variables.tf b/terraform/modules/aws_account/variables.tf
index e522c47..094d696 100644
--- a/terraform/modules/aws_account/variables.tf
+++ b/terraform/modules/aws_account/variables.tf
@@ -3,12 +3,7 @@ variable "pennkey" {
 description = "Pennkey of student"
 }
-variable "view_cluster" {
- type = string
- description = "Policy to allow IAM users to describe the cluster"
-}
-
 variable "emails" {
- type = map(any)
+ type = map(any)
 description = "Pennkey to email map"
-}
\ No newline at end of file
+}
diff --git a/terraform/modules/hw_repo/main.tf b/terraform/modules/hw_repo/main.tf
index dca183e..25470c7 100644
--- a/terraform/modules/hw_repo/main.tf
+++ b/terraform/modules/hw_repo/main.tf
@@ -9,16 +9,22 @@ resource "github_repository" "hw" {
 }
 }
-resource "github_team_repository" "hw" {
+resource "github_repository_collaborators" "hw" {
 count = var.published ? 1 : 0
- team_id = var.team-id
 repository = github_repository.hw[0].name
- permission = var.hw != "hw4" ? "push" : "admin"
-}
-resource "github_team_repository" "bot" {
- count = var.published ? 1 : 0
- team_id = var.bot-team-id
- repository = github_repository.hw[0].name
- permission = "admin"
+ user {
+ permission = "admin"
+ username = "cis1912bot"
+ }
+
+ team {
+ permission = var.hw != "hw4" ? "push" : "admin"
+ team_id = var.team-id
+ }
+
+ user {
+ permission = "push"
+ username = var.github-username
+ }
 }
diff --git a/terraform/modules/hw_repo/variables.tf b/terraform/modules/hw_repo/variables.tf
index f066b5d..c1edf68 100644
--- a/terraform/modules/hw_repo/variables.tf
+++ b/terraform/modules/hw_repo/variables.tf
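Review bot: `username = "cis1912bot"` hard-codes the bot account inside the module, duplicating `local.bot_user` in the root main.tf, and `var.bot-team-id`, which github.tf still passes in, is no longer referenced here now that the old `github_team_repository.bot` is gone — so renaming the bot means finding it in two places and the module carries a dead input. Pass the name in instead: `username = var.bot-user` here, a `variable "bot-user"` in the module's variables.tf, and `bot-user = local.bot_user` at the call site in github.tf, then drop `bot-team-id` once no caller needs it. The resource now grants the student both directly (`user { username = var.github-username }`) and through `var.team-id`, which presumably contains the same student; if both are intended, a one-line comment on why (for instance `# direct grant keeps access if the student is removed from the team`) would explain it, otherwise one of them is redundant.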
@@ -3,6 +3,11 @@ variable "pennkey" {
 description = "Pennkey of student"
 }
+variable "github-username" {
+ type = string
+ description = "GitHub username of student"
+}
+
 variable "hw" {
 type = string
 description = "Homework to create repo of (Ex. hw0)."
diff --git a/terraform/modules/k8s_config/README.md b/terraform/modules/k8s_config/README.md
deleted file mode 100644
index 3a9dc37..0000000
--- a/terraform/modules/k8s_config/README.md
+++ /dev/null
@@ -1,3 +0,0 @@
-# k8s_config
-
-For a given pennkey, create a namespace, and add a RoleBinding for a user with access to that namespace.
diff --git a/terraform/modules/k8s_config/main.tf b/terraform/modules/k8s_config/main.tf
deleted file mode 100644
index fa62b8b..0000000
--- a/terraform/modules/k8s_config/main.tf
+++ /dev/null
@@ -1,36 +0,0 @@
-// Create namespace
-resource "kubernetes_namespace" "ns" {
- metadata {
- name = var.pennkey
- }
-}
-
-resource "kubernetes_role_binding" "rb" {
- metadata {
- name = var.pennkey
- namespace = kubernetes_namespace.ns.metadata[0].name
- }
- role_ref {
- api_group = "rbac.authorization.k8s.io"
- kind = "ClusterRole"
- name = "admin"
- }
- subject {
- kind = "User"
- name = var.pennkey
- api_group = "rbac.authorization.k8s.io"
- }
-}
-
-// Restrict number of pods
-resource "kubernetes_resource_quota" "pod-limit" {
- metadata {
- name = "pod-limit"
- namespace = kubernetes_namespace.ns.metadata[0].name
- }
- spec {
- hard = {
- pods = 10
- }
- }
-}
diff --git a/terraform/modules/k8s_config/variables.tf b/terraform/modules/k8s_config/variables.tf
deleted file mode 100644
index f2bcbdc..0000000
--- a/terraform/modules/k8s_config/variables.tf
+++ /dev/null
@@ -1,4 +0,0 @@
-variable "pennkey" {
- type = string
- description = "Pennkey of student"
-}
diff --git a/terraform/provider.tf b/terraform/provider.tf
index 467b71e..12dc8ff 100644
--- a/terraform/provider.tf
+++ b/terraform/provider.tf
@@ -2,42 +2,43 @@ provider "aws" {
 region = "us-east-1"
 }
-provider "helm" {
- kubernetes {
- host = data.aws_eks_cluster.eks.endpoint
- cluster_ca_certificate = base64decode(data.aws_eks_cluster.eks.certificate_authority.0.data)
- token = data.aws_eks_cluster_auth.eks.token
- }
-}
+# provider "helm" {
+# kubernetes {
+# host = data.aws_eks_cluster.eks.endpoint
-provider "kubernetes" {
- load_config_file = false
- host = data.aws_eks_cluster.eks.endpoint
- cluster_ca_certificate = base64decode(data.aws_eks_cluster.eks.certificate_authority.0.data)
- token = data.aws_eks_cluster_auth.eks.token
-}
+# # client_certificate = base64decode(data.aws_eks_cluster_auth.eks.client_certificate)
+# # client_key = base64decode(data.aws_eks_cluster_auth.eks.client_key)
+# cluster_ca_certificate = base64decode(data.aws_eks_cluster.eks.certificate_authority.0.data)
+# token = data.aws_eks_cluster_auth.eks.token
+# }
+# }
+
+# provider "kubernetes" {
+# host = data.aws_eks_cluster.eks.endpoint
+# cluster_ca_certificate = base64decode(data.aws_eks_cluster.eks.certificate_authority.0.data)
+# token = data.aws_eks_cluster_auth.eks.token
+# }
 provider "github" {
- organization = "cis1912"
 }
 terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = "~> 4.0"
- }
- helm = {
- source = "hashicorp/helm"
- version = "~> 2.0"
- }
- kubernetes = {
- source = "hashicorp/kubernetes"
- version = "~> 1.13"
+ version = "~> 5.66.0"
 }
+ # helm = {
+ # source = "hashicorp/helm"
+ # version = "~> 2.0"
+ # }
+ # kubernetes = {
+ # source = "hashicorp/kubernetes"
+ # version = "2.18.1"
+ # }
 github = {
- source = "hashicorp/github"
- version = "~> 4.1"
+ source = "integrations/github"
+ version = "~> 6.2.3"
 }
 }
 }
diff --git a/terraform/variables.tf b/terraform/variables.tf
index d2ea441..a9e2f6f 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
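Review bot: `provider "github" {}` drops `organization = "cis1912"` without adding its 6.x replacement `owner`, and the new `var.GH_TOKEN` from variables.tf is never referenced, so the provider falls back to `GITHUB_OWNER`/`GITHUB_TOKEN` from the environment and, with no owner set, org-level resources such as `github_team` and `github_membership` are resolved against the token's own account; I'd write `owner = "cis1912"` and `token = var.GH_TOKEN` inside the block. Removing the helm and kubernetes providers in the same commit that deletes their resources will fail at plan time if those resources are still in state, because Terraform needs the provider to destroy them — either `terraform state rm` them first or keep the providers until the destroy has applied (whether that bites depends on the state this was applied against). The commented-out provider blocks and `required_providers` entries should be deleted rather than kept, since git history preserves them; the lock file in this commit still lists `registry.terraform.io/hashicorp/github` alongside `integrations/github`, which suggests it was regenerated against a stale configuration, and a fresh `terraform init` after the cleanup should prune it. The `provider "aws"` header is outside the hunk.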
@@ -18,6 +18,11 @@ variable "image_pull_pat" {
 description = "PAT of GH User to pull gcr images"
 }
+variable "GH_TOKEN" {
+ type = string
+ description = "GitHub Token for the cis1912 GitHub Application"
+}
+
 variable "GF_GH_CLIENT_ID" {
 type = string
 description = "GitHub Client ID for the CIS1912 Grafana OAuth2 Application"
diff --git a/terraform/vpc.tf b/terraform/vpc.tf
index 6c09e56..64efe7e 100644
--- a/terraform/vpc.tf
+++ b/terraform/vpc.tf
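Review bot: `variable "GH_TOKEN"` carries a credential but is not marked sensitive, so once it is referenced its value is printed in plan output and diffs; add `sensitive = true` under `type = string` so Terraform redacts it. The description says "GitHub Token for the cis1912 GitHub Application", but a GitHub App authenticates through the provider's `app_auth` block rather than a token, so if this is a personal access token or an installation token the description should say which, and which scopes it needs. The neighbouring `image_pull_pat` and `GF_GH_CLIENT_ID` variables lose their consumers with the k8s files deleted in this commit; unless something outside this diff still reads them, they can go too.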
@@ -1,30 +1,30 @@
-data "aws_availability_zones" "available" {}
+# data "aws_availability_zones" "available" {}
-module "vpc" {
- source = "terraform-aws-modules/vpc/aws"
- version = "2.64.0"
+# module "vpc" {
+# source = "terraform-aws-modules/vpc/aws"
+# version = "2.64.0"
- name = "vpc"
- cidr = "10.0.0.0/16"
- azs = data.aws_availability_zones.available.names
- private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
- public_subnets = ["10.0.4.0/24", "10.0.5.0/24", "10.0.6.0/24"]
- enable_nat_gateway = true
- single_nat_gateway = true
- enable_dns_hostnames = true
+# name = "vpc"
+# cidr = "10.0.0.0/16"
+# azs = data.aws_availability_zones.available.names
+# private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+# public_subnets = ["10.0.4.0/24", "10.0.5.0/24", "10.0.6.0/24"]
+# enable_nat_gateway = true
+# single_nat_gateway = true
+# enable_dns_hostnames = true
- tags = {
- created-by = "terraform"
- "kubernetes.io/cluster/${local.k8s_cluster_name}" = "shared"
- }
+# tags = {
+# created-by = "terraform"
+# "kubernetes.io/cluster/${local.k8s_cluster_name}" = "shared"
+# }
- public_subnet_tags = {
- "kubernetes.io/cluster/${local.k8s_cluster_name}" = "shared"
- "kubernetes.io/role/elb" = "1"
- }
+# public_subnet_tags = {
+# "kubernetes.io/cluster/${local.k8s_cluster_name}" = "shared"
+# "kubernetes.io/role/elb" = "1"
+# }
- private_subnet_tags = {
- "kubernetes.io/cluster/${local.k8s_cluster_name}" = "shared"
- "kubernetes.io/role/internal-elb" = "1"
- }
-}
+# private_subnet_tags = {
+# "kubernetes.io/cluster/${local.k8s_cluster_name}" = "shared"
+# "kubernetes.io/role/internal-elb" = "1"
+# }
+# }
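Review bot: Commenting out the whole VPC module instead of deleting vpc.tf leaves thirty lines of dead configuration that `terraform validate` no longer checks and that still mention `local.k8s_cluster_name`, which main.tf keeps for no other purpose visible in this diff. Delete the file (git keeps the history) and, if the VPC is expected to return, record that in the commit message or an issue; the same applies to the commented blocks in aws.tf and provider.tf.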