Merge branch 'main' of github.com:aws-ia/terraform-aws-eks-blueprints…

… into feat/example-update
aws-ia · Oct 4, 2023 · 696203b · 696203b
2 parents edb8492 + 61ed1da
commit 696203b
Show file tree

Hide file tree

Showing 35 changed files with 1,018 additions and 607 deletions.
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -22,6 +22,6 @@ jobs:
           egress-policy: audit
 
       - name: 'Checkout Repository'
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.5.4
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.5.4
       - name: 'Dependency Review'
         uses: actions/dependency-review-action@6c5ccdad469c9f8a2996bfecaec55a631a347034 # v3.1.0
diff --git a/.github/workflows/e2e-parallel-destroy.yml b/.github/workflows/e2e-parallel-destroy.yml
@@ -41,14 +41,14 @@ jobs:
           egress-policy: audit
 
       - name: Checkout
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
 
       - name: Setup backend
         # Un-comment remote backend for use in workflow
         run: sed -i "s/# //g" ${{ matrix.example_path }}/versions.tf
 
       - name: Auth AWS
-        uses: aws-actions/[email protected].0
+        uses: aws-actions/[email protected].1
         with:
           role-to-assume: ${{ secrets.ROLE_TO_ASSUME }}
           aws-region: us-west-2

diff --git a/.github/workflows/e2e-parallel-full.yml b/.github/workflows/e2e-parallel-full.yml
@@ -32,10 +32,10 @@ jobs:
           egress-policy: audit
 
       - name: Checkout
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
 
       - name: Auth AWS
-        uses: aws-actions/[email protected].0
+        uses: aws-actions/[email protected].1
         with:
           role-to-assume: ${{ secrets.ROLE_TO_ASSUME }}
           aws-region: us-west-2
@@ -74,14 +74,14 @@ jobs:
           egress-policy: audit
 
       - name: Checkout
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
 
       - name: Setup backend
         # Un-comment remote backend for use in workflow
         run: sed -i "s/# //g" ${{ matrix.example_path }}/versions.tf
 
       - name: Auth AWS
-        uses: aws-actions/[email protected].0
+        uses: aws-actions/[email protected].1
         with:
           role-to-assume: ${{ secrets.ROLE_TO_ASSUME }}
           aws-region: us-west-2
@@ -164,10 +164,10 @@ jobs:
           egress-policy: audit
 
       - name: Checkout
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
 
       - name: Configure AWS credentials from Test account
-        uses: aws-actions/[email protected].0
+        uses: aws-actions/[email protected].1
         with:
           role-to-assume: ${{ secrets.ROLE_TO_ASSUME }}
           aws-region: us-west-2

diff --git a/.github/workflows/markdown-link-check.yml b/.github/workflows/markdown-link-check.yml
@@ -25,7 +25,7 @@ jobs:
         with:
           egress-policy: audit
 
-      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac
+      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
       - uses: actions/setup-node@v3
         with:
           node-version: '16.x'

diff --git a/.github/workflows/plan-examples.yml b/.github/workflows/plan-examples.yml
@@ -32,7 +32,7 @@ jobs:
           egress-policy: audit
 
       - name: Checkout
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
 
       - name: Get Terraform directories for evaluation
         id: dirs
@@ -67,13 +67,13 @@ jobs:
 
       - name: checkout-merge
         if: "contains(github.event_name, 'pull_request')"
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
         with:
           ref: refs/pull/${{github.event.pull_request.number}}/merge
 
       - name: checkout
         if: "!contains(github.event_name, 'pull_request')"
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
 
       - uses: dorny/paths-filter@v2
         id: changes
@@ -88,7 +88,7 @@ jobs:
               - '*.tf'
 
       - name: Configure AWS credentials from Test account
-        uses: aws-actions/[email protected].0
+        uses: aws-actions/[email protected].1
         if: steps.changes.outputs.src== 'true'
         with:
           role-to-assume: ${{ secrets.ROLE_TO_ASSUME }}

diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml
@@ -23,7 +23,7 @@ jobs:
         with:
           egress-policy: audit
 
-      - uses: amannn/action-semantic-pull-request@v5.2.0
+      - uses: amannn/action-semantic-pull-request@v5.3.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:

diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
@@ -32,7 +32,7 @@ jobs:
           egress-policy: audit
 
       - name: Checkout
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
 
       - name: Get root directories
         id: dirs
@@ -55,7 +55,7 @@ jobs:
         run: rm -rf $(which terraform)
 
       - name: Checkout
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
 
       - uses: dorny/paths-filter@v2
         id: changes

diff --git a/.github/workflows/publish-docs.yml b/.github/workflows/publish-docs.yml
@@ -23,7 +23,7 @@ jobs:
           egress-policy: audit
 
       - name: Checkout main
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
         with:
           fetch-depth: 0
 

diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
@@ -36,7 +36,7 @@ jobs:
           egress-policy: audit
 
       - name: "Checkout code"
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.5.4
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.5.4
         with:
           persist-credentials: false
 
@@ -71,6 +71,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@00e563ead9f72a8461b24876bee2d0c2e8bd2ee8 # v2.21.5
+        uses: github/codeql-action/upload-sarif@ddccb873888234080b77e9bc2d4764d5ccaaccf9 # v2.21.9
         with:
           sarif_file: results.sarif
diff --git a/patterns/blue-green-upgrade/README.md b/patterns/blue-green-upgrade/README.md
@@ -8,7 +8,7 @@ We are leveraging [the existing EKS Blueprints Workloads GitHub repository sampl
 
 ## Table of content
 
-- [Blue/Green or Canary Amazon EKS clusters migration for stateless ArgoCD workloads](#bluegreen-or-canary-amazon-eks-clusters-migration-for-stateless-argocd-workloads)
+- [Blue/Green Migration](#bluegreen-migration)
   - [Table of content](#table-of-content)
   - [Project structure](#project-structure)
   - [Prerequisites](#prerequisites)
@@ -25,8 +25,6 @@ We are leveraging [the existing EKS Blueprints Workloads GitHub repository sampl
   - [Delete the Stack](#delete-the-stack)
     - [Delete the EKS Cluster(s)](#delete-the-eks-clusters)
       - [TL;DR](#tldr)
-      - [Manual](#manual)
-    - [Delete the environment stack](#delete-the-environment-stack)
   - [Troubleshoot](#troubleshoot)
     - [External DNS Ownership](#external-dns-ownership)
     - [Check Route 53 Record status](#check-route-53-record-status)
@@ -53,7 +51,11 @@ In the GitOps workload repository, we have configured our applications deploymen
 
 We have configured ExternalDNS add-ons in our two clusters to share the same Route53 Hosted Zone. The workloads in both clusters also share the same Route 53 DNS records, we rely on AWS Route53 weighted records to allow us to configure canary workload migration between our two EKS clusters.
 
-Here we use the same GitOps workload configuration repository and adapt parameters with the `values.yaml`. We could also use different ArgoCD repository for each cluster, or use a new directory if we want to validate or test new deployment manifests with maybe additional features, configurations or to use with different Kubernetes add-ons (like changing ingress controller).
+We are leveraging the [gitops-bridge-argocd-bootstrap](https://github.com/gitops-bridge-dev/gitops-bridge-argocd-bootstrap-terraform) terraform module that allow us to dynamically provide metadatas from Terraform to ArgoCD deployed in the cluster. For doing this, the module will extract all metadatas from the [terraform-aws-eks-blueprints-addons](https://github.com/aws-ia/terraform-aws-eks-blueprints-addons) module, configured to create all resources except installing the addon's Helm chart. The addon Installation will be delegate to ArgoCD Itself using the [eks-blueprints-add-ons](https://github.com/aws-samples/eks-blueprints-add-ons/tree/main/argocd/bootstrap/control-plane/addons) git repository containing ArgoCD ApplicaitonSets for each supported Addons.
+
+The gitops-bridge will create a secret in the EKS cluster containing all metadatas that will be dynamically used by ArgoCD ApplicationSets at deployment time, so that we can adapt their configuration to our EKS cluster context.
+
+<img src="static/gitops-bridge.excalidraw.png" width=100%>
 
 Our objective here is to show you how Application teams and Platform teams can configure their infrastructure and workloads so that application teams are able to deploy autonomously their workloads to the EKS clusters thanks to ArgoCD, and platform team can keep the control of migrating production workloads from one cluster to another without having to synchronized operations with applications teams, or asking them to build a complicated CD pipeline.
 
@@ -82,12 +84,13 @@ git clone https://github.com/aws-ia/terraform-aws-eks-blueprints.git
 cd patterns/blue-green-upgrade/
 ```
 
-2. Copy the `terraform.tfvars.example` to `terraform.tfvars` on each `environment`, `eks-blue` and `eks-green` folders, and change region, hosted_zone_name, eks_admin_role_name according to your needs.
+2. Copy the `terraform.tfvars.example` to `terraform.tfvars` and symlink it on each `environment`, `eks-blue` and `eks-green` folders, and change region, hosted_zone_name, eks_admin_role_name according to your needs.
 
 ```shell
-cp terraform.tfvars.example environment/terraform.tfvars
-cp terraform.tfvars.example eks-blue/terraform.tfvars
-cp terraform.tfvars.example eks-green/terraform.tfvars
+cp terraform.tfvars.example terraform.tfvars
+ln -s ../terraform.tfvars environment/terraform.tfvars
+ln -s ../terraform.tfvars eks-blue/terraform.tfvars
+ln -s ../terraform.tfvars eks-green/terraform.tfvars
 ```
 
 - You will need to provide the `hosted_zone_name` for example `my-example.com`. Terraform will create a new hosted zone for the project with name: `${environment}.${hosted_zone_name}` so in our example `eks-blueprint.my-example.com`.
@@ -208,19 +211,19 @@ eks-blueprint-blue
 
 We have configured both our clusters to configure the same [Amazon Route 53](https://aws.amazon.com/fr/route53/) Hosted Zones. This is done by having the same configuration of [ExternalDNS](https://github.com/kubernetes-sigs/external-dns) add-on in `main.tf`:
 
-This is the Terraform configuration to configure the ExternalDNS Add-on which is deployed by the Blueprint using ArgoCD.
+This is the Terraform configuration to configure the ExternalDNS Add-on which is deployed by the Blueprint using ArgoCD. we specify the Route53 zone that external-dns needs to monitor.
 
 ```
   enable_external_dns = true
+  external_dns_route53_zone_arns      = [data.aws_route53_zone.sub.arn]
+```
+
+we also configure the addons_metadata to provide more configurations to external-dns:
 
-  external_dns_helm_config = {
-    txtOwnerId         = local.name
-    zoneIdFilter       = data.aws_route53_zone.sub.zone_id
-    policy             = "sync"
-    awszoneType        = "public"
-    zonesCacheDuration = "1h"
-    logLevel           = "debug"
-  }
+```
+addons_metadata = merge(
+  ...
+  external_dns_policy        = "sync"
 ```
 
 - We use ExternalDNS in `sync` mode so that the controller can create but also remove DNS records accordingly to service or ingress objects creation.
@@ -349,52 +352,6 @@ Why doing this? When we remove an ingress object, we want the associated Kuberne
 ../tear-down.sh
 ```
 
-#### Manual
-
-1. If also deployed, delete your Karpenter provisioners
-
-this is safe to delete if no addons are deployed on Karpenter, which is the case here.
-If not we should separate the team-platform deployments which installed Karpenter provisioners in a separate ArgoCD Application to avoid any conflicts.
-
-```bash
-kubectl delete provisioners.karpenter.sh --all
-```
-
-2. Delete Workloads App of App
-
-```bash
-kubectl delete application workloads -n argocd
-```
-
-3. If also deployed, delete ecsdemo App of App
-
-```bash
-kubectl delete application ecsdemo -n argocd
-```
-
-Once every workload applications as been freed on AWS side, (this can take some times), we can then destroy our add-ons and terraform resources
-
-> Note: it can take time to deregister all load balancers, verify that you don't have any more AWS resources created by EKS prior to start destroying EKS with terraform.
-
-4. Destroy terraform resources
-
-```bash
-terraform apply -destroy -target="module.eks_cluster.module.kubernetes_addons" -auto-approve
-terraform apply -destroy -target="module.eks_cluster.module.eks" -auto-approve
-terraform apply -destroy -auto-approve
-```
-
-### Delete the environment stack
-
-If you have finish playing with this solution, and once you have destroyed the 2 EKS clusters, you can now delete the environment stack.
-
-```bash
-cd environment
-terraform apply -destroy -auto-approve
-```
-
-This will destroy the Route53 hosted zone, the Certificate manager certificate, the VPC with all it's associated resources.
-
 ## Troubleshoot
 
 ### External DNS Ownership

diff --git a/patterns/blue-green-upgrade/bootstrap/addons.yaml b/patterns/blue-green-upgrade/bootstrap/addons.yaml
@@ -0,0 +1,32 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: bootstrap-addons
+  namespace: argocd
+spec:
+  syncPolicy:
+    preserveResourcesOnDeletion: true
+  generators:
+    - clusters:
+        selector:
+          matchExpressions:
+            - key: akuity.io/argo-cd-cluster-name
+              operator: NotIn
+              values: [in-cluster]
+  template:
+    metadata:
+      name: 'bootstrap-addons'
+    spec:
+      project: default
+      source:
+        repoURL: '{{metadata.annotations.addons_repo_url}}'
+        path: '{{metadata.annotations.addons_repo_path}}'
+        targetRevision: '{{metadata.annotations.addons_repo_revision}}'
+        directory:
+          recurse: true
+          exclude: exclude/*
+      destination:
+        namespace: 'argocd'
+        name: '{{name}}'
+      syncPolicy:
+        automated: {}
diff --git a/patterns/blue-green-upgrade/bootstrap/workloads.yaml b/patterns/blue-green-upgrade/bootstrap/workloads.yaml
@@ -0,0 +1,67 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: bootstrap-workloads
+  namespace: argocd
+spec:
+  goTemplate: true
+  syncPolicy:
+    preserveResourcesOnDeletion: true
+  generators:
+    - matrix:
+        generators:
+          - clusters:
+              selector:
+                matchExpressions:
+                  - key: akuity.io/argo-cd-cluster-name
+                    operator: NotIn
+                    values:
+                      - in-cluster
+          - git:
+              repoURL: '{{.metadata.annotations.gitops_workloads_url}}'
+              revision: '{{.metadata.annotations.gitops_workloads_revision}}'
+              directories:
+                - path: '{{.metadata.annotations.gitops_workloads_path}}/*'
+  template:
+    metadata:
+      name: 'bootstrap-workloads-{{.name}}'
+    spec:
+      project: default
+      sources:
+        - repoURL: '{{.metadata.annotations.gitops_workloads_url}}'
+          targetRevision: '{{.metadata.annotations.gitops_workloads_revision}}'
+          ref: values
+          path: '{{.metadata.annotations.gitops_workloads_path}}'
+          helm:
+            releaseName: 'bootstrap-workloads-{{.name}}'
+            ignoreMissingValueFiles: true
+            values: |
+              "account": "{{.metadata.annotations.aws_account_id}}"
+              "clusterName": "{{.metadata.annotations.cluster_name}}"
+              "labels":
+                "env": "{{.metadata.annotations.env}}"
+              "region": "{{.metadata.annotations.aws_region}}"
+              "repoUrl": "{{.metadata.annotations.gitops_workloads_url}}"
+              "spec":
+                "source":
+                  "repoURL": "{{.metadata.annotations.gitops_workloads_url}}"
+                  "targetRevision": "{{.metadata.annotations.gitops_workloads_revision}}"
+                "blueprint": "terraform"
+                "clusterName": "{{.metadata.annotations.cluster_name}}"
+                "env": "{{.metadata.annotations.env}}"
+                "ingress":
+                  "route53_weight": {{default "0" .metadata.annotations.route53_weight}}
+                  "argocd_route53_weight": {{default "0" .metadata.annotations.argocd_route53_weight}}
+                  "ecsfrontend_route53_weight": {{default "0" .metadata.annotations.ecsfrontend_route53_weight}}
+                  "host": {{ default "" .metadata.annotations.eks_cluster_domain }}
+                  "type": "{{.metadata.annotations.ingress_type}}"
+                "karpenterInstanceProfile": "{{.metadata.annotations.karpenter_node_instance_profile_name}}"
+                "target_group_arn": {{ default "" .metadata.annotations.target_group_arn }}
+                "external_lb_url": {{ if index .metadata.annotations "external_lb_dns" }} http://{{ .metadata.annotations.external_lb_dns }}{{ else }}{{ end }}
+      destination:
+        name: '{{.name}}'
+      syncPolicy:
+        automated: {}
+        syncOptions:
+          - CreateNamespace=true
+          - ServerSideApply=true # Big CRDs.