Terraform EKS Observability Accelerator Workflows

elamaran11 · elamaran11 · commit 4422e2f6cff6 · 2024-04-15T16:38:48.000-04:00
Signed-off-by: Elamaran Shanmugam &lt;elamaran.shan@gmail.com&gt;
diff --git a/packages/argo-workflows-templates/base/cluster-workflow-tf-eks-observability-cleanup.yaml b/packages/argo-workflows-templates/base/cluster-workflow-tf-eks-observability-cleanup.yaml
@@ -0,0 +1,119 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ClusterWorkflowTemplate
+metadata:
+  annotations:
+    workflows.argoproj.io/description: Runs Cleanup of Terraform EKS Observability Accelerator.
+  name: terraform-tf-eks-observability
+spec:
+  activeDeadlineSeconds: 3600
+  ttlStrategy:
+    secondsAfterCompletion: 86400
+    secondsAfterSuccess: 43200
+    secondsAfterFailure: 86400
+  serviceAccountName: tf-eks-observability
+  entrypoint: main
+  arguments:
+    parameters:
+    - name: backstage-entity-name
+    - name: script-location
+    - name: admin-role
+  volumes:
+    - name: tf-state
+      secret:
+        secretName: "{{workflow.parameters.backstage-entity-name}}-tf-state"
+  templates:
+    - name: main
+      steps:
+        - - name: remove-resources
+            template: remove-resources
+        - - name: cleanup-tf
+            template: cleanup-tf
+    - name: remove-resources
+      inputs:
+          artifacts:
+            - name: go-template
+              path: /tmp/go-template
+              raw:
+                data: |
+                  {{- range .items -}}
+                      {{- if not .metadata.ownerReferences -}}
+                          {{- if eq .spec.type "LoadBalancer" -}}
+                              {{.metadata.name}} {{.metadata.namespace}}{{"\n"}}
+                          {{- end }}
+                      {{- end -}}
+                  {{- end -}}
+      script:
+        image: public.ecr.aws/m8u6z8z4/manabu-test:tf-manager-v0.0.15
+        volumeMounts:
+          - name: tf-state
+            mountPath: /var/run/tf
+        command:
+          - bash
+        source: |
+          set -e -o pipefail
+          set +x
+          echo 'restoring tfstate from secret'
+          gunzip -c /var/run/tf/tfstate > /tmp/tfstate
+          cluster_arn=$(jq -r '.resources[] | select(.module == "module.eks" and .type == "aws_eks_cluster")| .instances[0].attributes.arn' /tmp/tfstate)
+          if [[ -z "${cluster_arn// }" ]]; then
+            exit 0
+          fi
+          cluster_name=$(echo $cluster_arn | cut -d '/' -f 2)
+          region=$(echo $cluster_arn | cut -d ':' -f 4)
+          mkdir ~/.kube/
+          aws eks update-kubeconfig --name $cluster_name --region $region
+          echo 'removing kubernetes services with loadbalancers'
+          lbs=$(kubectl get svc -A -o go-template-file=/tmp/go-template)
+          echo $lbs | while IFS= read -r line; do
+            if [[ -z "${line// }" ]]; then
+              continue
+            fi
+            name=$(echo ${line} | cut -f1 -d" "); 
+            namespace=$(echo ${line} | cut -f2 -d" "); 
+            echo "delete $name in $namespace";
+            kubectl delete svc $name -n $namespace;
+          done
+          
+          echo 'removing cluster information from backstage'
+          rm ~/.kube/config
+          
+          kubectl -n backstage get secrets k8s-config -o yaml | yq  '.data."k8s-config.yaml"' | base64 -d > /tmp/config
+          data=$(yq eval "del(.clusters[] | select(.name == \"$cluster_name\"))" /tmp/config | base64)
+          kubectl -n backstage get secrets k8s-config -o yaml | yq ".data.\"k8s-config.yaml\" = \"$data\"" | kubectl apply -f -
+          kubectl -n backstage rollout restart deployment backstage
+
+    - name: cleanup-tf
+      retryStrategy:
+        limit: "2"
+        retryPolicy: "Always"
+      inputs:
+        artifacts:
+        - name: tf-eks-observability
+          path: /src/tf-eks-observability
+          git:
+            repo: https://github.com/aws-observability/terraform-aws-observability-accelerator.git
+            revision: main
+      script:
+        image: public.ecr.aws/m8u6z8z4/manabu-test:tf-manager-v0.0.15
+        volumeMounts:
+          - mountPath: /var/run/tf
+            name: tf-state
+        command:
+          - bash
+        source: |
+          set -e -o pipefail
+          cd /src/tf-eks-observability/{{workflow.parameters.script-location}}
+          echo 'getting tf state from secrets'
+          gunzip -c /var/run/tf/tfstate > terraform.tfstate
+          cluster_arn=$(jq -r '.resources[] | select(.module == "module.eks" and .type == "aws_eks_cluster")| .instances[0].attributes.arn' terraform.tfstate)
+          region=$(echo $cluster_arn | cut -d '/' -f 4)
+          echo 'running cleanup script'
+          terraform init
+          set +e +o pipefail
+          printf "$region\n" | ./cleanup.sh
+          status=$?
+          gzip -k -c terraform.tfstate | base64 -w 0 > tfstate
+          kubectl get secret -n {{workflow.namespace}} {{workflow.parameters.backstage-entity-name}}-tf-state -o yaml > secret.yaml
+          data=$(cat tfstate) yq -i ".data.tfstate = env(data)" secret.yaml
+          kubectl apply -f secret.yaml
+          exit $status
diff --git a/packages/argo-workflows-templates/base/cluster-workflow-tf-eks-observability.yaml b/packages/argo-workflows-templates/base/cluster-workflow-tf-eks-observability.yaml
@@ -0,0 +1,72 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ClusterWorkflowTemplate
+metadata:
+  annotations:
+    workflows.argoproj.io/description: Runs Terraform EKS Observability Accelerator.
+  name: terraform-eks-observability
+spec:
+  activeDeadlineSeconds: 3600
+  ttlStrategy:
+    secondsAfterCompletion: 86400
+    secondsAfterSuccess: 43200
+    secondsAfterFailure: 86400
+  serviceAccountName: tf-eks-observability
+  entrypoint: main
+  arguments:
+    parameters:
+    - name: backstage-entity-name
+    - name: script-location
+    - name: admin-role
+  templates:
+    - name: main
+      steps:
+        - - name: run
+            template: run
+        - - name: restart-backstage
+            template: restart-backstage
+        - - name: cleanup
+            template: cleanup
+    - name: run
+      inputs:
+        artifacts:
+        - name: tf-eks-observability
+          path: /src/tf-eks-observability
+          git:
+            repo: https://github.com/aws-observability/terraform-aws-observability-accelerator.git
+            revision: main
+      volumes:
+        - name: tf-cm
+          configMap:
+            name: "{{workflow.parameters.backstage-entity-name}}-tf-cm"
+      container:
+        image: public.ecr.aws/cnoe-io/misc:tf-manager-v0.0.1
+        tty: true
+        stdin: true
+        volumeMounts:
+          - mountPath: /var/run/tf
+            name: tf-cm
+        env:
+          - name: BACKSTAGE_ENT_NAME
+            value: "{{workflow.parameters.backstage-entity-name}}"
+          - name: SCRIPT_LOCATION
+            value: "/src/tf-eks-observability/{{workflow.parameters.script-location}}"
+          - name: ADMIN_ROLE
+            value: "{{workflow.parameters.admin-role}}"
+          - name: TFVAR_LOCATION
+            value: /var/run/tf/terraform.tfvars.json
+    - name: restart-backstage
+      script:
+        image: public.ecr.aws/cnoe-io/misc:tf-manager-v0.0.1
+        command:
+          - bash
+        source: |
+          kubectl -n backstage rollout restart deployment backstage
+    - name: cleanup
+      resource:
+        action: delete
+        manifest: |
+          apiVersion: v1
+          kind: ConfigMap
+          metadata:
+            name: "{{workflow.parameters.backstage-entity-name}}-tf-cm"
+            namespace: "{{workflow.namespace}}"
diff --git a/packages/argo-workflows-templates/base/sa-tf-eks-observability.yaml b/packages/argo-workflows-templates/base/sa-tf-eks-observability.yaml
@@ -0,0 +1,66 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: data-on-eks
+  labels:
+    app: data-on-eks
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: data-on-eks
+  namespace: data-on-eks
+  labels:
+    app: data-on-eks
+rules:
+  - apiGroups: [""]
+    resources: ["secrets", "configmaps"]
+    verbs: ["get", "list", "watch", "patch", "create", "update", "delete"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: data-on-eks
+  namespace: data-on-eks
+  labels:
+    app: data-on-eks
+subjects:
+- kind: ServiceAccount
+  name: data-on-eks
+roleRef:
+  kind: Role
+  name: data-on-eks
+  apiGroup: rbac.authorization.k8s.io
+
+# allow for updating backstage config
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: data-on-eks
+  namespace: backstage
+  labels:
+    app: data-on-eks
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "watch", "patch", "update"]
+  - apiGroups: [ "apps" ]
+    resources: [ "deployments", "replicasets", "pods" ]
+    verbs: [ "get", "patch" ]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: data-on-eks
+  namespace: backstage
+  labels:
+    app: data-on-eks
+subjects:
+  - kind: ServiceAccount
+    name: data-on-eks
+    namespace: data-on-eks
+roleRef:
+  kind: Role
+  name: data-on-eks
+  apiGroup: rbac.authorization.k8s.io
