Merged in dev/fabien/MPC-4606-EKS-support-for-ems-router (pull request …

…elastic#461) MPC-4606: EKS support for ems-router * configmap/secrets references, fully path based routing for ingresses * remove useless comment * split namespaces creation from helm_releases * commenting and TODOs * update sample * make sure terraform.sh deals with inits * add EMS_REDIS_URL, tf fmt * s/devops/awsadmins/g * s/id/arn/g * update variable description Approved-by: Gideon Avida
mindw · Mar 4, 2022 · 5a5297c · 5a5297c
1 parent a6d614c
commit 5a5297c
Show file tree

Hide file tree

Showing 12 changed files with 904 additions and 806 deletions.
diff --git a/aws/ams-cluster-v1-tf/eks.tf b/aws/ams-cluster-v1-tf/eks.tf
diff --git a/aws/ams-cluster-v1-tf/main.tf b/aws/ams-cluster-v1-tf/main.tf
@@ -617,14 +617,13 @@ resource "aws_instance" "engageli" {
 
     ConcurrentMergerjobsPerInstance = var.concurrent_merger_jobs_per_instance
 
-    MergerASGGroupName      = "tf-${var.stack_name}-merger-asg"
-    MergerMetricName        = "tf-${var.stack_name}-${local.merger_metric_name}${var.region}"
-    MergerMetricNamespace   = "tf-${var.stack_name}-${local.merger_metric_namespace}${var.region}"
-    StudentsPerGallery      = local.students_per_gallery
-    GalleriesPerInstance    = local.galleries_per_instance
-    CloudWatchAgentEnabled  = var.cloudwatch_agent_enabled
-    TelegrafEnabled         = var.telegraf_enabled
-    EKSServiceExposureToken = random_password.eks_service_exposure_token.result
+    MergerASGGroupName     = "tf-${var.stack_name}-merger-asg"
+    MergerMetricName       = "tf-${var.stack_name}-${local.merger_metric_name}${var.region}"
+    MergerMetricNamespace  = "tf-${var.stack_name}-${local.merger_metric_namespace}${var.region}"
+    StudentsPerGallery     = local.students_per_gallery
+    GalleriesPerInstance   = local.galleries_per_instance
+    CloudWatchAgentEnabled = var.cloudwatch_agent_enabled
+    TelegrafEnabled        = var.telegraf_enabled
   })
 }
 
@@ -820,7 +819,7 @@ resource "aws_lb_listener" "internal_ams_rest" {
 resource "aws_lb_listener_rule" "engageli_routes" {
   # Forward API routes to Engageli services
   listener_arn = aws_lb_listener.https.arn
-  priority     = 1
+  priority     = var.alb_k8s_rules_offset + 1
   action {
     type = "forward"
     # cluster v1 has just one engageli node
@@ -833,75 +832,78 @@ resource "aws_lb_listener_rule" "engageli_routes" {
   }
 }
 
-# TODO: proper route for EMS static content (app-bundle)
-resource "aws_lb_listener_rule" "ems_static" {
-  # Forward EMS static content routes to 1st cluster
+
+resource "aws_lb_listener_rule" "blocked_ams_webapps" {
+  count = var.ams_create ? 1 : 0
+  # Block access to the default Ant-Media webapps
   listener_arn = aws_lb_listener.https.arn
-  priority     = 4
+  priority     = var.alb_k8s_rules_offset + 2
   action {
-    type             = "forward"
-    target_group_arn = aws_lb_target_group.ems[0].arn
+    type = "redirect"
+    redirect {
+      path        = "/class/current"
+      status_code = "HTTP_302"
+    }
   }
   condition {
     path_pattern {
       values = [
-        "/ems-static*",
-        "/ems/*" # for backwards compatibility (just in case...)
+        "/LiveApp/*",
+        "/WebRTCAppEE/*"
       ]
     }
   }
 }
 
-resource "aws_lb_listener_rule" "ems_routes" {
-  count = var.ems_num_clusters
-  # Forward API routes to EMS
+resource "aws_lb_listener_rule" "ams_routes" {
+  count = var.ams_create ? 1 : 0
+  # Access to the ant-media websocket
   listener_arn = aws_lb_listener.https.arn
-  priority     = 5 + count.index
+  priority     = var.alb_k8s_rules_offset + 3
   action {
     type             = "forward"
-    target_group_arn = aws_lb_target_group.ems[count.index].arn
+    target_group_arn = aws_lb_target_group.ams[0].arn
   }
   condition {
     path_pattern {
-      values = ["/ems${format("%02d", count.index)}*"]
+      values = var.ams_paths
     }
   }
 }
 
-resource "aws_lb_listener_rule" "blocked_ams_webapps" {
-  count = var.ams_create ? 1 : 0
-  # Block access to the default Ant-Media webapps
+# TODO: proper route for EMS static content (app-bundle)
+resource "aws_lb_listener_rule" "ems_static" {
+  # Forward EMS static content routes to 1st cluster
   listener_arn = aws_lb_listener.https.arn
-  priority     = 2
+  priority     = var.alb_k8s_rules_offset + 4
   action {
-    type = "redirect"
-    redirect {
-      path        = "/class/current"
-      status_code = "HTTP_302"
-    }
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.ems[0].arn
   }
   condition {
     path_pattern {
       values = [
-        "/LiveApp/*",
-        "/WebRTCAppEE/*"
+        "/ems-static*",
+        "/ems/*" # for backwards compatibility (just in case...)
       ]
     }
   }
 }
 
-resource "aws_lb_listener_rule" "ams_routes" {
-  count = var.ams_create ? 1 : 0
-  # Access to the ant-media websocket
+# TODO: remove this route once we're using ems-router fully
+# it's only left here as a fallback in case we don't use ems-router for a stack
+resource "aws_lb_listener_rule" "ems_routes" {
+  count = var.ems_num_clusters
+  # Forward API routes to EMS
   listener_arn = aws_lb_listener.https.arn
-  priority     = 3
+  priority     = var.alb_k8s_rules_offset + 5 + count.index
   action {
     type             = "forward"
-    target_group_arn = aws_lb_target_group.ams[0].arn
+    target_group_arn = aws_lb_target_group.ems[count.index].arn
   }
   condition {
     path_pattern {
-      values = var.ams_paths
+      values = ["/ems${format("%02d", count.index)}*"]
     }
   }
 }

diff --git a/aws/ams-cluster-v1-tf/terraform.sh b/aws/ams-cluster-v1-tf/terraform.sh
@@ -111,6 +111,9 @@ set -x
 
 terraform workspace select "${VAR_FILE/eng-/}"
 
+# make sure that we deal with module changes and provider upgrades
+terraform init -upgrade
+
 #
 # try to keep things within minimal applies
 # one for the different targets and one for the resources we want to ensure are replaced
@@ -121,12 +124,14 @@ terraform workspace select "${VAR_FILE/eng-/}"
 # ingress-nginx is targetted & replaced because this could be a clean install
 terraform apply \
   -var-file=${VAR_FILE_PATH} \
+  -target=helm_release.cert_manager \
   -target=helm_release.cluster_autoscaler \
+  -target=helm_release.external_dns \
+  -target=helm_release.external_secrets \
+  -target=helm_release.grafana_agent_operator \
   -target=helm_release.ingress_nginx \
-  -target=helm_release.cert_manager \
+  -target=helm_release.kube_state_metrics \
   -target=helm_release.rabbitmq_operator \
-  -target=helm_release.grafana_agent_operator \
-  -target=helm_release.external_secrets \
   -parallelism=50 \
   -auto-approve
 

diff --git a/aws/ams-cluster-v1-tf/tfmodules/eks_app/main.tf b/aws/ams-cluster-v1-tf/tfmodules/eks_app/main.tf
diff --git a/aws/ams-cluster-v1-tf/tfmodules/eks_app/variables.tf b/aws/ams-cluster-v1-tf/tfmodules/eks_app/variables.tf