Retire Airflow Dev EKS Cluster #6539

Merged
merged 10 commits into from
Jan 21, 2025
Expand Up @@ -23,6 +23,3 @@ data "tls_certificate" "analytical_platform_development_eks_oidc_issuer" {
url = data.aws_eks_cluster.analytical_platform_development.identity[0].oidc[0].issuer
}

data "tls_certificate" "airflow_dev_eks_cluster" {
url = aws_eks_cluster.airflow_dev_eks_cluster.identity[0].oidc[0].issuer
}
185 changes: 0 additions & 185 deletions terraform/aws/analytical-platform-data-production/airflow/eks.tf
@@ -1,167 +1,3 @@
resource "aws_eks_cluster" "airflow_dev_eks_cluster" {
name = var.dev_eks_cluster_name
role_arn = aws_iam_role.airflow_dev_eks_role.arn
enabled_cluster_log_types = ["api",
"audit",
"authenticator",
"controllerManager",
"scheduler",
]
version = "1.28"

vpc_config {
subnet_ids = aws_subnet.dev_private_subnet[*].id
public_access_cidrs = ["0.0.0.0/0"]
security_group_ids = [var.dev_cluster_additional_sg_id]
}
}

resource "aws_security_group" "airflow_dev_cluster_additional_security_group" {
name = var.dev_cluster_additional_sg_name
description = "Managed by Pulumi"
vpc_id = aws_vpc.airflow_dev.id
ingress {
description = "Allow pods to communicate with the cluster API Server"
protocol = "tcp"
from_port = 443
to_port = 443
security_groups = [var.dev_cluster_node_sg_id]
}
egress {
description = "Allow internet access."
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
from_port = 0
to_port = 0
}
}

resource "aws_security_group" "airflow_dev_cluster_node_security_group" {
name = var.dev_cluster_node_sg_name
description = "Managed by Pulumi"
vpc_id = aws_vpc.airflow_dev.id

ingress {
description = "Allow nodes to communicate with each other"
protocol = "-1"
from_port = 0
to_port = 0
security_groups = []
self = true
}
ingress {
description = "Allow worker Kubelets and pods to receive communication from the cluster control plane"
protocol = "tcp"
from_port = 1025
to_port = 65535
security_groups = [var.dev_cluster_additional_sg_id]
}
ingress {
description = "Allow pods running extension API servers on port 443 to receive communication from cluster control plane"
protocol = "tcp"
from_port = 443
to_port = 443
security_groups = [var.dev_cluster_additional_sg_id]
}

egress {
description = "Allow internet access."
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
from_port = 0
to_port = 0
}
}

output "endpoint" {
value = aws_eks_cluster.airflow_dev_eks_cluster.endpoint
}

output "kubeconfig_certificate_authority_data" {
value = aws_eks_cluster.airflow_dev_eks_cluster.certificate_authority[0].data
}

resource "aws_eks_node_group" "dev_node_group_standard" {
cluster_name = aws_eks_cluster.airflow_dev_eks_cluster.name
node_group_name = "standard"
node_role_arn = aws_iam_role.airflow_dev_node_instance_role.arn
subnet_ids = aws_subnet.dev_private_subnet[*].id

launch_template {
id = aws_launch_template.dev_standard.id
version = aws_launch_template.dev_standard.latest_version
}

scaling_config {
desired_size = 1
max_size = 10
min_size = 1
}

update_config {
max_unavailable = 1
}

# Allow external changes without Terraform plan difference
lifecycle {
ignore_changes = [scaling_config[0].desired_size]
}
}

resource "aws_eks_node_group" "dev_node_group_high_memory" {
cluster_name = aws_eks_cluster.airflow_dev_eks_cluster.name
node_group_name = "high-memory"
node_role_arn = aws_iam_role.airflow_dev_node_instance_role.arn
subnet_ids = aws_subnet.dev_private_subnet[*].id

launch_template {
id = aws_launch_template.dev_high_memory.id
version = aws_launch_template.dev_high_memory.latest_version
}

scaling_config {
desired_size = 0
max_size = 1
min_size = 0
}

update_config {
max_unavailable = 1
}

# Allow external changes without Terraform plan difference
lifecycle {
ignore_changes = [scaling_config[0].desired_size]
}

taint {
key = "high-memory"
value = "true"
effect = "NO_SCHEDULE"
}

labels = {
high-memory = "true"
}
}


resource "kubernetes_config_map" "dev_aws_auth_configmap" {
provider = kubernetes.dev-airflow-cluster
metadata {
name = "aws-auth"
namespace = "kube-system"
labels = {
"app.kubernetes.io/managed-by" = "terraform"
}
}

data = {
"mapRoles" = file("./files/dev/aws-auth-configmap.yaml")
}

}

######################################
########### EKS PRODUCTION ###########
######################################
Expand Down Expand Up @@ -286,27 +122,6 @@ resource "kubernetes_namespace" "kyverno_prod" {
timeouts {}
}

resource "aws_eks_addon" "kube_proxy_dev" {
cluster_name = var.dev_eks_cluster_name
addon_name = "kube-proxy"
addon_version = "v1.28.8-eksbuild.5"
resolve_conflicts_on_create = "OVERWRITE"
}

resource "aws_eks_addon" "vpc_cni_dev" {
cluster_name = var.dev_eks_cluster_name
addon_name = "vpc-cni"
addon_version = "v1.18.1-eksbuild.3"
resolve_conflicts_on_create = "OVERWRITE"
}

resource "aws_eks_addon" "coredns_dev" {
cluster_name = var.dev_eks_cluster_name
addon_name = "coredns"
addon_version = "v1.10.1-eksbuild.11"
resolve_conflicts_on_create = "OVERWRITE"
}

resource "aws_eks_addon" "kube_proxy_prod" {
cluster_name = var.prod_eks_cluster_name
addon_name = "kube-proxy"
@@ -1,18 +1,5 @@
### Dev Resources

resource "helm_release" "kyverno_dev" {
name = "kyverno"
repository = "https://kyverno.github.io/kyverno/"
chart = "kyverno"
version = "2.6.0"
namespace = kubernetes_namespace.kyverno_dev.metadata[0].name
provider = helm.dev-airflow-cluster
values = [
templatefile(
"${path.module}/src/helm/kyverno/values.yml.tftpl", {}
)
]
}
/*
resource "helm_release" "kube2iam_dev" {
name = "kube2iam"
Expand Down Expand Up @@ -85,26 +72,6 @@ resource "kubernetes_manifest" "kyverno_policy_run_as_non_root_user" {
}
*/

resource "kubectl_manifest" "kyverno_policy_disallow_escalation_dev" {
provider = kubectl.dev-airflow-cluster
yaml_body = file("${path.module}/files/kyverno_policies/kyv.privilege_escalation.yaml")

depends_on = [helm_release.kyverno_dev]
}

resource "kubectl_manifest" "kyverno_policy_run_as_non_root_dev" {
provider = kubectl.dev-airflow-cluster
yaml_body = file("${path.module}/files/kyverno_policies/kyv.run_as_non_root.yaml")

depends_on = [helm_release.kyverno_dev]
}

resource "kubectl_manifest" "kyverno_policy_run_as_non_root_user_dev" {
provider = kubectl.dev-airflow-cluster
yaml_body = file("${path.module}/files/kyverno_policies/kyv.run_as_non_root_user.yaml")

depends_on = [helm_release.kyverno_dev]
}

resource "kubectl_manifest" "kyverno_policy_disallow_escalation_prod" {
provider = kubectl.prod-airflow-cluster
Expand Up @@ -4,13 +4,3 @@ resource "aws_iam_openid_connect_provider" "analytical_platform_development" {
thumbprint_list = [data.tls_certificate.analytical_platform_development_eks_oidc_issuer.certificates[0].sha1_fingerprint]
}

resource "aws_iam_openid_connect_provider" "airflow_dev" {
url = aws_eks_cluster.airflow_dev_eks_cluster.identity[0].oidc[0].issuer
client_id_list = ["sts.amazonaws.com"]
thumbprint_list = [data.tls_certificate.airflow_dev_eks_cluster.certificates[0].sha1_fingerprint]
}

import {
to = aws_iam_openid_connect_provider.airflow_dev
id = "arn:aws:iam::593291632749:oidc-provider/oidc.eks.eu-west-1.amazonaws.com/id/59429428EBABBB9F911A173D7B8E8179"
}
Expand Up @@ -118,43 +118,6 @@ data "aws_iam_policy_document" "airflow_dev_execution_assume_role_policy" {
}
}

data "aws_iam_policy_document" "airflow_dev_cluster_autoscaler_policy" {
statement {
sid = ""
effect = "Allow"
actions = [
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeAutoScalingInstances",
"autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeScalingActivities",
"autoscaling:DescribeTags",
"autoscaling:SetDesiredCapacity",
"ec2:DescribeLaunchTemplateVersions",
"ec2:DescribeInstanceTypes",
"ec2:DescribeImages",
"ec2:GetInstanceTypesFromInstanceRequirements",
"eks:DescribeNodegroup"
]
resources = ["*"]
}

}

data "aws_iam_policy_document" "airflow_dev_cluster_autoscaler_assume_role_policy" {
statement {
sid = ""
effect = "Allow"
principals {
type = "Service"
identifiers = ["ec2.amazonaws.com"]
}
principals {
type = "AWS"
identifiers = ["arn:aws:iam::${var.account_ids["analytical-platform-data-production"]}:role/airflow-dev-node-instance-role"]
}
actions = ["sts:AssumeRole"]
}
}

data "aws_iam_policy_document" "airflow_dev_flow_log_role_policy" {
statement {
Expand Up @@ -31,16 +31,6 @@ resource "aws_iam_role" "airflow_dev_execution_role" {
}
}

resource "aws_iam_role" "airflow_dev_cluster_autoscaler_role" {
name = "airflow-dev-cluster-autoscaler-role"
description = "Cluster Autoscaler role for Airflow dev"
assume_role_policy = data.aws_iam_policy_document.airflow_dev_cluster_autoscaler_assume_role_policy.json

inline_policy {
name = "cluster-autoscaler"
policy = data.aws_iam_policy_document.airflow_dev_cluster_autoscaler_policy.json
}
}

resource "aws_iam_role" "airflow_dev_flow_log_role" {
name = "airflow-dev-flow-log-role"
Expand Down Expand Up @@ -86,28 +76,6 @@ resource "aws_iam_role" "airflow_dev_eks_role" {
]
}

#### Airflow Dev IRSA
module "airflow_dev_monitoring_iam_role" {
#checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions

source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
version = "5.52.2"

create_role = true

role_name = "airflow-monitoring-dev"

role_policy_arns = {
policy = module.airflow_dev_monitoring_iam_policy.arn
}

oidc_providers = {
one = {
provider_arn = resource.aws_iam_openid_connect_provider.airflow_dev.arn
namespace_service_accounts = ["airflow:airflow"]
}
}
}

####################################################################################
######################### AIRFLOW PRODUCTION INFRASTRUCTURE ########################