
[wip] access boskos accounts via IAM roles#9087

Open
upodroid wants to merge 1 commit into kubernetes:main from upodroid:boskos-iam

Conversation

@upodroid
Member

@upodroid upodroid commented Feb 9, 2026

No description provided.

@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. area/infra Infrastructure management, infrastructure design, code in infra/ labels Feb 9, 2026
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: upodroid

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added area/infra/aws Issues or PRs related to Kubernetes AWS infrastructure cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. approved Indicates a PR has been approved by an approver from all required OWNERS files. sig/k8s-infra Categorizes an issue or PR as relevant to SIG K8s Infra. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Feb 9, 2026
@k8s-ci-robot
Contributor

@upodroid: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name          Commit   Details  Required  Rerun command
pull-k8sio-verify  38f41e2  link     true      /test pull-k8sio-verify

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@k8s-infra-ci-robot
Contributor

Ran Plan for 3 projects:

  1. dir: infra/aws/terraform/boskos/boskos workspace: default
  2. dir: infra/aws/terraform/boskos workspace: default
  3. dir: infra/aws/terraform/management-account workspace: default

1. dir: infra/aws/terraform/boskos/boskos workspace: default

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
+ create

Terraform will perform the following actions:

  # aws_iam_openid_connect_provider.eks_build_cluster will be created
+ resource "aws_iam_openid_connect_provider" "eks_build_cluster" {
      + arn             = (known after apply)
      + client_id_list  = [
          + "sts.amazonaws.com",
        ]
      + id              = (known after apply)
      + tags_all        = (known after apply)
      + thumbprint_list = [
          + "06b25927c42a721631c1efd9431e648fa62e1e39",
        ]
      + url             = "https://oidc.eks.us-east-2.amazonaws.com/id/F8B73554FE6FBAF9B19569183FB39762"
    }

  # aws_iam_openid_connect_provider.gke_build_cluster will be created
+ resource "aws_iam_openid_connect_provider" "gke_build_cluster" {
      + arn             = (known after apply)
      + client_id_list  = [
          + "sts.amazonaws.com",
        ]
      + id              = (known after apply)
      + tags_all        = (known after apply)
      + thumbprint_list = [
          + "08745487e891c19e3078c1f2a07e452950ef36f6",
        ]
      + url             = "https://container.googleapis.com/v1/projects/k8s-infra-prow-buildlocations/us-central1/clusters/prow-build"
    }

  # aws_iam_role.boskos will be created
+ resource "aws_iam_role" "boskos" {
      + arn                   = (known after apply)
      + assume_role_policy    = (known after apply)
      + create_date           = (known after apply)
      + force_detach_policies = false
      + id                    = (known after apply)
      + managed_policy_arns   = (known after apply)
      + max_session_duration  = 43200
      + name                  = "boskos"
      + name_prefix           = (known after apply)
      + path                  = "/"
      + tags_all              = (known after apply)
      + unique_id             = (known after apply)

      + inline_policy (known after apply)
    }

  # aws_iam_role_policy_attachment.boskos will be created
+ resource "aws_iam_role_policy_attachment" "boskos" {
      + id         = (known after apply)
      + policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
      + role       = "boskos"
    }

Plan: 4 to add, 0 to change, 0 to destroy.

Changes to Outputs:
+ boskos_arn = (known after apply)
  • ▶️ To apply this plan, comment:
    atlantis apply -d infra/aws/terraform/boskos/boskos
  • 🚮 To delete this plan and lock, click here
  • 🔁 To plan this project again, comment:
    atlantis plan -d infra/aws/terraform/boskos/boskos

Plan: 4 to add, 0 to change, 0 to destroy.


2. dir: infra/aws/terraform/boskos workspace: default

Plan Error

running 'sh -c' '/atlantis/bin/terraform1.14.4 plan -input=false -refresh -out "/atlantis/repos/kubernetes/k8s.io/9087/default/infra/aws/terraform/boskos/default.tfplan"' in '/atlantis/repos/kubernetes/k8s.io/9087/default/infra/aws/terraform/boskos': exit status 1
╷
│ Warning: Reference to undefined provider
│ 
│   on main.tf line 21, in module "scale_001":
│   21:     aws = aws.boskos-scale-001
│ 
│ There is no explicit declaration for local provider name "aws" in
│ module.scale_001, so Terraform is assuming you mean to pass a configuration
│ for "hashicorp/aws".
│ 
│ If you also control the child module, add a required_providers entry named
│ "aws" with the source address "hashicorp/aws".
╵
╷
│ Error: Provider configuration not present
│ 
│ To work with
│ module.boskos_001.aws_iam_openid_connect_provider.gke_build_cluster
│ (orphan) its original provider configuration at
│ provider["registry.terraform.io/hashicorp/aws"].boskos-001 is required, but
│ it has been removed. This occurs when a provider configuration is removed
│ while objects created by that provider still exist in the state. Re-add the
│ provider configuration to destroy
│ module.boskos_001.aws_iam_openid_connect_provider.gke_build_cluster
│ (orphan), after which you can remove the provider configuration again.
╵
╷
│ Error: Provider configuration not present
│ 
│ To work with module.boskos_001.aws_iam_role_policy_attachment.boskos
│ (orphan) its original provider configuration at
│ provider["registry.terraform.io/hashicorp/aws"].boskos-001 is required, but
│ it has been removed. This occurs when a provider configuration is removed
│ while objects created by that provider still exist in the state. Re-add the
│ provider configuration to destroy
│ module.boskos_001.aws_iam_role_policy_attachment.boskos (orphan), after
│ which you can remove the provider configuration again.
╵
╷
│ Error: Provider configuration not present
│ 
│ To work with module.boskos_001.aws_iam_role.boskos (orphan) its original
│ provider configuration at
│ provider["registry.terraform.io/hashicorp/aws"].boskos-001 is required, but
│ it has been removed. This occurs when a provider configuration is removed
│ while objects created by that provider still exist in the state. Re-add the
│ provider configuration to destroy module.boskos_001.aws_iam_role.boskos
│ (orphan), after which you can remove the provider configuration again.
╵
╷
│ Error: Provider configuration not present
│ 
│ To work with
│ module.boskos_001.aws_iam_openid_connect_provider.eks_build_cluster
│ (orphan) its original provider configuration at
│ provider["registry.terraform.io/hashicorp/aws"].boskos-001 is required, but
│ it has been removed. This occurs when a provider configuration is removed
│ while objects created by that provider still exist in the state. Re-add the
│ provider configuration to destroy
│ module.boskos_001.aws_iam_openid_connect_provider.eks_build_cluster
│ (orphan), after which you can remove the provider configuration again.
╵


3. dir: infra/aws/terraform/management-account workspace: default

Plan Error

running 'sh -c' '/atlantis/bin/terraform1.14.4 init -input=false -upgrade' in '/atlantis/repos/kubernetes/k8s.io/9087/default/infra/aws/terraform/management-account': exit status 1
Initializing the backend...

Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.
Upgrading modules...
- artifacts-k8s-io in ../modules/org-account
- aws-playground-01 in ../modules/org-account
- capa-ami in ../modules/org-account
Downloading registry.terraform.io/terraform-aws-modules/s3-bucket/aws 5.10.0 for cur_reports_integration_athena_s3_bucket...
- cur_reports_integration_athena_s3_bucket in .terraform/modules/cur_reports_integration_athena_s3_bucket
Downloading registry.terraform.io/terraform-aws-modules/s3-bucket/aws 5.10.0 for cur_reports_s3_bucket...
- cur_reports_s3_bucket in .terraform/modules/cur_reports_s3_bucket
- infra_network in ../modules/org-account
- infra_shared_services in ../modules/org-account
- k8s-infra-sandbox-capa in ../modules/org-account
- k8s_infra_e2e_boskos_scale_001 in ../modules/org-account
- k8s_infra_e2e_boskos_scale_002 in ../modules/org-account
- k8s_infra_eks_e2e_boskos_001 in ../modules/org-account
- k8s_infra_eks_e2e_boskos_002 in ../modules/org-account
- k8s_infra_eks_e2e_boskos_003 in ../modules/org-account
- k8s_infra_eks_e2e_boskos_004 in ../modules/org-account
- k8s_infra_eks_e2e_boskos_005 in ../modules/org-account
- k8s_infra_eks_e2e_boskos_006 in ../modules/org-account
- k8s_infra_eks_e2e_boskos_007 in ../modules/org-account
- k8s_infra_eks_e2e_boskos_008 in ../modules/org-account
- k8s_infra_eks_e2e_boskos_009 in ../modules/org-account
- k8s_infra_eks_e2e_boskos_010 in ../modules/org-account
- k8s_infra_eks_e2e_shared_001 in ../modules/org-account
- kops_infra_ci in ../modules/org-account
- kops_infra_services in ../modules/org-account
- macos in ../modules/org-account
- obs-k8s-io in ../modules/org-account
- organization_tag_policy_environment in ../modules/tag-policy
- organization_tag_policy_group in ../modules/tag-policy
- policy_staging_account_1 in ../modules/org-account
- prow_canary in ../modules/org-account
- prow_prod in ../modules/org-account
- registry-k8s-io in ../modules/org-account
- security_audit in ../modules/org-account
- security_engineering in ../modules/org-account
- security_incident_response in ../modules/org-account
- security_logs in ../modules/org-account
╷
│ Error: Duplicate module call
│ 
│   on organization-accounts-boskos.tf line 45:
│   45: module "k8s_infra_eks_e2e_boskos_001" {
│ 
│ A module call named "k8s_infra_eks_e2e_boskos_001" was already defined at
│ organization-accounts-boskos.tf:23,1-38. Module calls must have unique
│ names within a module.
╵


Plan Summary

3 projects, 1 with changes, 0 with no changes, 2 failed

  • ⏩ To apply all unapplied plans from this Pull Request, comment:
    atlantis apply
  • 🚮 To delete all plans and locks from this Pull Request, comment:
    atlantis unlock
