ci: tag CI-deployed resources (#9043)

* ci: tag CI-deployed resources Add the owner and gh_team tags the new tagging policy requires Also add the long_running tag to the long-running instances * ci: update doc deploy terraform with labels Update the Makefile to work with current terraform Update the CircleCI image to use one which still gets updates Update the docs AWS resources with new label standard * To use aws default_labels, we need the 5.x AWS provider * To use the 5.x provider without a bunch of warnings, there were also a bunch of deprecated things to be updated
determined-ai · Mar 23, 2024 · f08b406 · f08b406
1 parent 1868723
commit f08b406
Show file tree

Hide file tree

Showing 5 changed files with 108 additions and 37 deletions.
diff --git a/.circleci/real_config.yml b/.circleci/real_config.yml
@@ -686,6 +686,8 @@ commands:
             echo "-----END ARGS-----"
             MAX_RETRIES=6 DET_DEBUG=1 tools/scripts/retry.sh det deploy aws up \
               $(< /tmp/det-deploy-extra-args) \
+              --add-tag owner=determined_ci \
+              --add-tag gh_team=machine-users \
               --cluster-id <<parameters.cluster-id>> \
               --det-version <<parameters.det-version>> \
               --aux-agent-instance-type <<parameters.aux-agent-instance-type>> \
@@ -839,7 +841,7 @@ commands:
       - set-cluster-id:
           cluster-id: <<parameters.cluster-id>>
       - set-cluster-labels:
-          labels: <<parameters.labels>>
+          labels: owner=determined_ci,gh_team=machine-users,<<parameters.labels>>
       - gcloud/install:
           version: "412.0.0"
       - kubernetes/install-kubectl
@@ -1184,7 +1186,7 @@ jobs:
 
   publish-docs:
     docker:
-      - image: hashicorp/terraform:light
+      - image: hashicorp/terraform:latest
     steps:
       - checkout
       - attach_workspace:
@@ -2324,6 +2326,9 @@ jobs:
       reattach-enabled:
         type: boolean
         default: false
+      extra-tags:
+        type: string
+        default: ""
     docker:
       - image: <<pipeline.parameters.docker-image>>
     steps:
@@ -2347,6 +2352,7 @@ jobs:
           enable-cors: <<parameters.enable-cors>>
           reattach-enabled: <<parameters.reattach-enabled>>
           deployment-type: simple
+          extra-tags: <<parameters.extra-tags>>
       - slack/status:
           fail_only: true
           failure_message: ':thisisfine: A \`${CIRCLE_JOB}\` job on branch \`${CIRCLE_BRANCH}\` has failed! Author Email: \`${AUTHOR_EMAIL}\`'
@@ -2968,9 +2974,10 @@ workflows:
                 - main
 
       - deploy:
-          name: deploy-latest-master-cluster
+          name: deploy-latest-main-cluster
           enable-cors: true
           reattach-enabled: true
+          extra-tags: "long_running=determined_preview_cluster"
           context:
             - aws
             - aws-ci-cluster-default-user-credentials

diff --git a/docs/deploy/Makefile b/docs/deploy/Makefile
@@ -11,7 +11,7 @@ verify:
 
 .PHONY: init
 init:
-	terraform init
+	terraform init -upgrade
 
 .PHONY: plan
 plan: init
@@ -24,4 +24,4 @@ publish: init
 .PHONY: check
 check: init
 	terraform fmt -check=true -diff=true
-	terraform validate -check-variables=false
+	terraform validate
diff --git a/docs/deploy/cdn.tf b/docs/deploy/cdn.tf
@@ -7,22 +7,24 @@ resource "aws_cloudfront_distribution" "distribution" {
       origin_ssl_protocols   = ["TLSv1", "TLSv1.1", "TLSv1.2"]
     }
 
-    domain_name = "${aws_s3_bucket.docs.website_endpoint}"
+    domain_name = aws_s3_bucket_website_configuration.docs.website_endpoint
 
-    origin_id = "${local.domain}"
+    origin_id = local.domain
   }
 
   enabled             = true
   default_root_object = "index.html"
-  aliases             = ["${local.domain}"]
+  aliases = [
+    local.domain,
+  ]
 
   default_cache_behavior {
     viewer_protocol_policy = "redirect-to-https"
     compress               = true
     allowed_methods        = ["GET", "HEAD"]
     cached_methods         = ["GET", "HEAD"]
 
-    target_origin_id = "${local.domain}"
+    target_origin_id = local.domain
     min_ttl          = 0
     default_ttl      = 3600
     max_ttl          = 31536000

diff --git a/docs/deploy/main.tf b/docs/deploy/main.tf
@@ -6,13 +6,27 @@ terraform {
     key    = "terraform.tfstate"
     region = "us-west-2"
   }
+
+  required_providers {
+    aws = {
+      version = "~> 5.0"
+    }
+    null = {
+      version = "~> 3.2"
+    }
+  }
 }
 
 provider "aws" {
-  version = "~> 2.19.0"
-  region  = "us-west-2"
+  region = "us-west-2"
+  default_tags {
+    tags = {
+      owner        = "determined_ci"
+      gh_team         = "docs-team"
+      long_running = "docs_site"
+    }
+  }
 }
 
 provider "null" {
-  version = "~> 2.1.2"
 }
diff --git a/docs/deploy/s3.tf b/docs/deploy/s3.tf
@@ -1,45 +1,93 @@
 resource "aws_s3_bucket" "docs" {
   bucket = "determined-ai-docs"
-  acl    = "public-read"
+}
 
-  website {
-    index_document = "index.html"
-    error_document = "/latest/404.html"
+# Set bucket object ownership if possible
+resource "aws_s3_bucket_ownership_controls" "docs" {
+  bucket = aws_s3_bucket.docs.id
+  rule {
+    object_ownership = "BucketOwnerPreferred"
   }
 }
 
+# disable the public access prevention controls AWS uses
+resource "aws_s3_bucket_public_access_block" "docs" {
+  bucket = aws_s3_bucket.docs.id
+
+  block_public_acls       = false
+  block_public_policy     = false
+  ignore_public_acls      = false
+  restrict_public_buckets = false
+}
+
+resource "aws_s3_bucket_acl" "docs" {
+  depends_on = [
+    aws_s3_bucket_ownership_controls.docs,
+    aws_s3_bucket_public_access_block.docs,
+  ]
+
+  bucket = aws_s3_bucket.docs.id
+  acl    = "public-read"
+}
+
+
 resource "aws_s3_bucket_policy" "docs_policy" {
-  bucket = "${aws_s3_bucket.docs.id}"
-
-  policy = <<POLICY
-{
-  "Version":"2012-10-17",
-  "Statement":[
-    {
-      "Sid":"AddPerm",
-      "Effect":"Allow",
-      "Principal": "*",
-      "Action":["s3:GetObject"],
-      "Resource":["${aws_s3_bucket.docs.arn}/*"]
+  bucket = aws_s3_bucket.docs.id
+  policy = data.aws_iam_policy_document.docs.json
+}
+
+data "aws_iam_policy_document" "docs" {
+  statement {
+    sid    = "AddPerm"
+    effect = "Allow"
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
     }
-  ]
+    actions = [
+      "s3:GetObject",
+    ]
+    resources = [
+      "${aws_s3_bucket.docs.arn}/*",
+    ]
+  }
 }
-POLICY
+
+resource "aws_s3_bucket_website_configuration" "docs" {
+  bucket = aws_s3_bucket.docs.id
+
+  index_document {
+    suffix = "index.html"
+  }
+
+  error_document {
+    key = "/latest/404.html"
+  }
+
+  # example internal redirect
+  #routing_rule {
+  #  condition {
+  #    key_prefix_equals = "docs/"
+  #  }
+  #  redirect {
+  #    replace_key_prefix_with = "documents/"
+  #  }
+  #}
 }
 
-resource "aws_s3_bucket_object" "index" {
-  bucket           = "${aws_s3_bucket.docs.id}"
+resource "aws_s3_object" "index" {
+  bucket           = aws_s3_bucket.docs.id
   key              = "index.html"
   content          = "redirect to latest"
   content_type     = "text/html"
   website_redirect = "/latest/"
 }
 
-resource "aws_s3_bucket_object" "robots" {
-  bucket           = "${aws_s3_bucket.docs.id}"
-  key              = "robots.txt"
-  content          = "User-agent: *\nSitemap: https://docs.determined.ai/latest/sitemap.xml"
-  content_type     = "text"
+resource "aws_s3_object" "robots" {
+  bucket       = aws_s3_bucket.docs.id
+  key          = "robots.txt"
+  content      = "User-agent: *\nSitemap: https://docs.determined.ai/latest/sitemap.xml"
+  content_type = "text"
 }
 
 resource "null_resource" "upload" {