feat: introduce aws-ecs byovpc sandbox #20
Conversation
| - s3:PutObject | ||
| Resource: '*' | ||
|
|
||
| # function that sends the ARN of the SandboxBootstrapRole to the source AWS account, |
There was a problem hiding this comment.
All this stuff is still in here? I should have cleaned this up ages ago.
| - route53:TagResource | ||
| - s3:GetObject | ||
| - s3:ListBucket | ||
| - s3:PutObject |
There was a problem hiding this comment.
It doesn't require any ECS permissions?
| echo "ensuring AWS is setup" | ||
| aws sts get-caller-identity > /dev/null | ||
|
|
||
| echo "looking for ENIs which were orphaned by vpc-cni plugin" |
There was a problem hiding this comment.
I thought this was just for EKS?
There was a problem hiding this comment.
@jordan-acosta leaving this cleanup in here, for now so I can monitor from a known good, and then if we see on deprovision that no ENIs are leaking, we can go ahead and remove this.
| region = "us-east-2" | ||
| # assume_role_arn = "arn:aws:iam::949309607565:role/nuon-demo-install-access" | ||
| assume_role_arn = "" # This needs to be set for use from our services but should not be when running locally. | ||
| install_role_arn = "arn:aws:iam::618886478608:role/install-k8s-admin-stage" |
There was a problem hiding this comment.
It looks like some EKS stuff got left here.
There was a problem hiding this comment.
Yep, cleaning up. Thanks!
aws-ecs-byovpc/variables.tf
Outdated
| type = string | ||
| description = "The Kubernetes version to use for the EKS cluster." | ||
| default = "" | ||
| } |
There was a problem hiding this comment.
I assume there are other config values that would be relevant to ECS?
There was a problem hiding this comment.
There's not a lot re: ECS, you can parameterize some things in Fargate, such as the capacity providers but we probably can wait on that.
jonmorehouse
force-pushed
the
jm/aws-ecs-byo-vpc
branch
from
2459522 to
8800176
Compare
jonmorehouse
force-pushed
the
jm/aws-ecs-byo-vpc
branch
from
0113f74 to
93e24ee
Compare
This PR introduces a built-in sandbox for
aws-ecs-byovpc. This sandbox uses inputs to wire in existing vpcs, and creates a fargate cluster and the necessary IAM roles for our a.) runner installer b.) the static runner and c.) the odr.Notably, the runner installer is in Nuon's infrastructure and is the role that we will assume when doing the installation. The static runner only creates/deletes the ODRs, and hte ODR is the thing that needs the most permissions, as it manages the components.