Add AWS registry infra terraform #3403
Conversation
Thanks @BobyMCbobs, I'm humbled to get a piece of infra after me!
However, the idea of this bucket is to use it for the container image promoter unit tests. WDYT if we rename everything kpromo-* to make it more related to the actual project that will use it?
@puerco, I'm all for naming things for their purpose!
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ameukam, BobyMCbobs The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
infra/aws/terraform/README.org
@@ -0,0 +1,21 @@ | |||
#+TITLE: Kubernetes AWS Infra Terrform |
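Review bot: typo in the title line, `#+TITLE: Kubernetes AWS Infra Terrform` should read `Terraform`; since this is a new `README.org`, consider adding it as `README.md` instead so the Terraform docs use the same Markdown format as the rest of the repository's documentation.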
@BobyMCbobs Is it possible to use the Markdown format for all the docs? Let's use a format well adopted by the community.
Swapped out the format in e02cb71
We should also make sure release admins have access to this account: k8s.io/groups/sig-release/groups.yaml, line 18 in 8a1b9d2
infra/aws/terraform/main.tf
"s3:DeleteObject" | ||
], | ||
"Effect" : "Allow", | ||
"Resource" : aws_s3_bucket.kpromo-test-1.arn |
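Review bot: `s3:DeleteObject` (and any other object-level action in the list above) is evaluated against object ARNs, so `"Resource" : aws_s3_bucket.kpromo-test-1.arn` on its own will not allow those calls; bucket-level actions such as `s3:ListBucket` need the bucket ARN, object-level ones need `bucket/*`. Use a list covering both, e.g. `"Resource" : [aws_s3_bucket.kpromo-test-1.arn, "${aws_s3_bucket.kpromo-test-1.arn}/*"]`.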
I think this needs both the bucket and its sub resources to work.
[arn:aws:s3:::test, arn:aws:s3:::test/*]
Updated in 2dcf793
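The review point above, that an S3 statement listing only the bucket ARN silently fails for object-level actions, is easy to lint for before `terraform apply`. The following is an added example written for this thread, not code from the kubernetes/k8s.io repository: a small checker over IAM policy documents, with a constructed policy in the shape of the hunk under review (bucket name `kpromo-test-1` taken from the diff) and the corrected form beside it. The action classification is a deliberately small, assumed subset of S3 actions.

```python
"""Lint an S3 IAM policy for object-level actions that are granted only on a bucket ARN.

Added example for this review thread; it is not code from the kubernetes/k8s.io
repository. The policies below are constructed samples in the shape of the
Terraform jsonencode() policy under review, and the action classification is
a small, assumed subset of S3 actions.
"""
import json

S3_ARN_PREFIX = "arn:aws:s3:::"

# Assumed classification. S3 evaluates object-level actions against object ARNs
# ("arn:aws:s3:::bucket/*") and bucket-level actions against the bucket ARN.
OBJECT_LEVEL_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                        "s3:GetObjectAcl", "s3:PutObjectAcl"}
BUCKET_LEVEL_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation", "s3:DeleteBucket",
                        "s3:GetBucketPolicy"}


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_object_arn(resource: str) -> bool:
    # "*" matches everything; an object ARN has a "/" after the bucket name.
    return resource == "*" or (resource.startswith(S3_ARN_PREFIX)
                               and "/" in resource[len(S3_ARN_PREFIX):])


def _is_bucket_arn(resource: str) -> bool:
    return resource == "*" or (resource.startswith(S3_ARN_PREFIX)
                               and "/" not in resource[len(S3_ARN_PREFIX):])


def find_resource_gaps(policy: dict) -> list:
    """Return (sid, action, reason) for each allowed action that no Resource entry can match."""
    gaps = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{index}]")
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            if action in OBJECT_LEVEL_ACTIONS and not any(map(_is_object_arn, resources)):
                gaps.append((sid, action, "object-level action but no object ARN (bucket/*)"))
            elif action in BUCKET_LEVEL_ACTIONS and not any(map(_is_bucket_arn, resources)):
                gaps.append((sid, action, "bucket-level action but no bucket ARN"))
    return gaps


def bucket_resources(bucket_arn: str) -> list:
    """The Resource list a mixed bucket/object statement needs: the bucket and its objects."""
    return [bucket_arn, bucket_arn + "/*"]


# Constructed sample mirroring the hunk under review: only the bucket ARN is listed.
POLICY_BUCKET_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "KpromoTestBucket",
        "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::kpromo-test-1",
    }],
}

# The same statement with both ARNs, as suggested in the review.
POLICY_FIXED = json.loads(json.dumps(POLICY_BUCKET_ONLY))  # deep copy via JSON round-trip
POLICY_FIXED["Statement"][0]["Resource"] = bucket_resources("arn:aws:s3:::kpromo-test-1")

if __name__ == "__main__":
    for name, policy in (("bucket-only", POLICY_BUCKET_ONLY), ("fixed", POLICY_FIXED)):
        print(name, find_resource_gaps(policy) or "OK")
```

In the Terraform under review the equivalent fix is `"Resource" : [aws_s3_bucket.kpromo-test-1.arn, "${aws_s3_bucket.kpromo-test-1.arn}/*"]`; the checker can be pointed at the rendered policy from `terraform plan` output to catch the same class of mistake in other statements.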
@BobyMCbobs -- Suggestions for this PR:
@ameukam, thank you for your suggestions.
That said, in order to make IAM accounts, some Terraform will need to run against the k8s-infra-aws-root-account@kubernetes.io to provision inside it.
I don't think this is necessary. The account created using this e-mail is independent and the AWS accounts should be in the same OU.
You can set up a new AWS account using
I'm concerned that we are creating completely isolated accounts that will be difficult to manage, audit, and replicate the way in which we work to other CNCF projects. Might be good to get some AWS experts in, maybe we can get some input from @sftim? I've asked @eddiezane and hoping to get an AWS Solutions Architect permanently assigned to the CNCF Cloud Credits / #sig-k8s-infra if possible. I am reluctant to make this kind of irrevocable call with regards to account structure without wider input. So far everything is a sandbox, this is a move to permanent production. @sftim Are you available for a sync with @ameukam or can you help weigh in here?
I'll follow this up on Slack to discuss availability.
@hh I would like us to time box this discussion. I am concerned about other CNCF projects for sure, but we can rework this stuff until we get this to production, so I am not worried as much. Note that other CNCF projects should not get in the way of us doing what we need to do right now to reduce our cost. Please take that into consideration when making decisions. Other projects are not in the same position as us.
Absolutely @dims! I'm meeting with @jaypipes first thing Monday to see if we can get an AWS Solutions Architect assigned to help with #sig-k8s-infra ongoing to help us with design decisions like this. To unblock and keep velocity, Caleb went ahead and created the account as requested. Note that the OU is The pattern we seem to be initiating is a new account per sig, within the Kubernetes OU, ala As it stands, when we create a new account, we lack a process and policy to set up some auditing and visibility for that account. Looking forward to seeing this evolve and move forward!
@BobyMCbobs @hh We should close this one. #3605 creates the production buckets and the needed IAM role and user.
Closing in favor of #3605. Will reopen or open a new PR for account infra related stuff as discussed in the last sig-k8s-infra meeting
/close
@BobyMCbobs: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Adds Terraform to provision a bucket in s3 for kpromo tests