diff --git a/.atlantis.yaml b/.atlantis.yaml
index 1327a60dbba..30b94d1f381 100644
--- a/.atlantis.yaml
+++ b/.atlantis.yaml
@@ -14,3 +14,7 @@ projects:
 branch: /main/
 dir: infra/aws/terraform/kops-infra-ci
 workflow: aws
+ - name: k8s-infra-macos
+ branch: /main/
+ dir: infra/aws/terraform/macos
+ workflow: aws
diff --git a/infra/aws/terraform/macos/README.md b/infra/aws/terraform/macos/README.md
new file mode 100644
index 00000000000..ad66b0d06d3
--- /dev/null
+++ b/infra/aws/terraform/macos/README.md
@@ -0,0 +1,3 @@
+# infra/aws/terraform/macos
+
+This AWS account holds our MacOS infrastructure used by
diff --git a/infra/aws/terraform/macos/atlantis.config b/infra/aws/terraform/macos/atlantis.config
new file mode 100644
index 00000000000..0cd934181f5
--- /dev/null
+++ b/infra/aws/terraform/macos/atlantis.config
@@ -0,0 +1,3 @@
+assume_role = {
+ role_arn = "arn:aws:iam::230049944443:role/OrganizationAccountAccessRole"
+}
diff --git a/infra/aws/terraform/macos/atlantis.tfvars b/infra/aws/terraform/macos/atlantis.tfvars
new file mode 100644
index 00000000000..5e437fb9a66
--- /dev/null
+++ b/infra/aws/terraform/macos/atlantis.tfvars
@@ -0,0 +1 @@
+atlantis_role_arn = "arn:aws:iam::230049944443:role/OrganizationAccountAccessRole"
diff --git a/infra/aws/terraform/macos/main.tf b/infra/aws/terraform/macos/main.tf
new file mode 100644
index 00000000000..7de1ac620f4
--- /dev/null
+++ b/infra/aws/terraform/macos/main.tf
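Review bot: The new `atlantis.config` has Atlantis assume `OrganizationAccountAccessRole`, the cross-account administrator role that AWS Organizations creates, so every plan and apply triggered from a pull request runs with full administrative rights in the new account. Unless that is the established pattern for the other projects in this repository (not visible here), a dedicated role scoped to what the macos project actually manages would limit the blast radius of a mis-scoped change; at minimum a comment such as `# Org-level admin role; replace with a scoped Atlantis role once the account is bootstrapped` would record the intent. The same ARN is repeated verbatim in `atlantis.tfvars`, so the two files must be kept in sync by hand.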
@@ -0,0 +1,24 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+resource "aws_ec2_host" "mac" {
+ count = 1
+ instance_type = "mac2.metal"
+ availability_zone = "us-east-2a"
+ host_recovery = "on"
+ auto_placement = "on"
+}
diff --git a/infra/aws/terraform/macos/provider.tf b/infra/aws/terraform/macos/provider.tf
new file mode 100644
index 00000000000..1c8b9524e4d
--- /dev/null
+++ b/infra/aws/terraform/macos/provider.tf
@@ -0,0 +1,39 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+terraform {
+ required_version = "~> 1.1"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 6.22.1"
+ }
+ }
+
+ backend "s3" {
+ bucket = "k8-infra-macos-tfstate"
+ key = "terraform.state"
+ region = "us-east-2"
+ }
+}
+
+provider "aws" {
+ region = "us-east-2"
+ assume_role {
+ role_arn = var.atlantis_role_arn
+ }
+}
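Review bot: The `aws_ec2_host.mac` resource carries no `tags`, while the VPC in `vpc.tf` and the org-account module in this same commit tag everything with `Environment`/`Team`, so the most expensive resource in this account is the one that cost reports and inventory tooling cannot attribute; adding `tags = { "Environment" = "production", "Team" = "sig-k8s-infra" }` keeps it consistent. `count = 1` is a literal rather than a variable, and the `prefix` variable declared in `variables.tf` is never referenced here, so it has no effect on naming. A short header comment stating what is expected to launch instances onto this host (nothing in this directory does) would help the next reader.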
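Review bot: The `backend "s3"` block sets only `bucket`, `key` and `region`, with no `encrypt = true` and no state locking, even though Atlantis can run plans from several pull requests against the same state at once. Add `encrypt = true` and either `dynamodb_table = "<lock-table-name>"` or, if the Terraform in use is 1.10 or newer (`~> 1.1` allows but does not require that), `use_lockfile = true`. The bucket name `k8-infra-macos-tfstate` also differs from the account name `k8s-infra-macos` used elsewhere in this commit, which may be intentional but is worth a second look before the state lands in the wrong bucket. The copyright year here reads 2023 while `main.tf` in the same commit says 2025, suggesting the file was copied from another directory.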
diff --git a/infra/aws/terraform/macos/variables.tf b/infra/aws/terraform/macos/variables.tf
new file mode 100644
index 00000000000..ef6a8513f54
--- /dev/null
+++ b/infra/aws/terraform/macos/variables.tf
@@ -0,0 +1,31 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+variable "prefix" {
+ description = "Prefix for every resource so that the resources can be created without using the same names. Useful for testing and staging"
+ type = string
+ default = "prod-"
+
+ validation {
+ condition = can(regex(".*-$|^$", var.prefix))
+ error_message = "The string must end with a hyphen or be empty."
+ }
+}
+
+variable "atlantis_role_arn" {
+ description = "The ARN of the Atlantis IAM role"
+ default = null
+}
diff --git a/infra/aws/terraform/macos/vpc.tf b/infra/aws/terraform/macos/vpc.tf
new file mode 100644
index 00000000000..f3e3c8e59fb
--- /dev/null
+++ b/infra/aws/terraform/macos/vpc.tf
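Review bot: `variable "atlantis_role_arn"` has no `type`, unlike `prefix` just above it, so any value shape is accepted; add `type = string` so a malformed tfvars entry fails at plan time rather than inside the provider's `assume_role` block. `prefix` is declared with a validation rule, but nothing in the new `macos` root module references `var.prefix`, so it is either dead code or the resources in `main.tf` and `vpc.tf` were meant to use it in their names. Either way, the `description` on `prefix` ("Prefix for every resource") is currently not true for this module.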
@@ -0,0 +1,37 @@
+module "vpc" {
+ source = "terraform-aws-modules/vpc/aws"
+ version = "~> 6.5"
+
+ name = "macos-vpc"
+
+ cidr = "10.1.0.0/16"
+
+ azs = ["us-east-2a", "us-east-2b", "us-east-2c"]
+ private_subnets = ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24"]
+ public_subnets = ["10.1.3.0/24", "10.1.4.0/24", "10.1.5.0/24"]
+
+ # Enable public IPv4 addresses
+ map_public_ip_on_launch = true
+
+ # Enable IPv6
+ enable_ipv6 = true
+ create_egress_only_igw = true
+
+ # Assign IPv6 address on creation to each instance
+ public_subnet_assign_ipv6_address_on_creation = true
+ private_subnet_assign_ipv6_address_on_creation = true
+
+ # Used for calculating IPv6 CIDR based on the following formula:
+ # cidrsubnet(aws_vpc.this[0].ipv6_cidr_block, 8, var.private_subnet_ipv6_prefixes[count.index])
+ private_subnet_ipv6_prefixes = [0, 1, 2]
+ public_subnet_ipv6_prefixes = [3, 4, 5]
+
+ # NAT Gateway allows connection to external services (e.g. Internet).
+ enable_nat_gateway = true
+ single_nat_gateway = true
+ enable_dns_hostnames = true
+ tags = {
+ "Environment" = "production"
+ "Team" = "sig-k8s-infra"
+ }
+}
diff --git a/infra/aws/terraform/management-account/organization-accounts-workloads-prod.tf b/infra/aws/terraform/management-account/organization-accounts-workloads-prod.tf
index bbe52b0e824..2ad28990bf8 100644
--- a/infra/aws/terraform/management-account/organization-accounts-workloads-prod.tf
+++ b/infra/aws/terraform/management-account/organization-accounts-workloads-prod.tf
@@ -83,3 +83,17 @@ module "capa-ami" {
 "eu-south-2",
 ]
 }
+
+// This AWS accounts holds macOS Instances for kubernetes CI/CD
+module "macos" {
+ source = "../modules/org-account"
+
+ account_name = "k8s-infra-macos"
+ email = "k8s-infra-aws-admins+macos@kubernetes.io"
+ parent_id = aws_organizations_organizational_unit.production.id
+ tags = {
+ "production" = "true",
+ "environment" = "prod",
+ "group" = "sig-k8s-infra",
+ }
+}
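Review bot: `map_public_ip_on_launch = true` together with `public_subnet_assign_ipv6_address_on_creation = true` means any instance launched into a public subnet gets an internet-routable address on both IPv4 and IPv6 by default, and no security group or instance is defined in this commit, so exposure is decided entirely by whatever launches onto the dedicated host later. If the macOS CI hosts only need outbound access, the NAT gateway already enabled here covers that and `map_public_ip_on_launch` can stay at its default of `false`, with public addresses assigned per instance where inbound access is genuinely required. For visibility into that traffic the module's `enable_flow_log = true` (with its CloudWatch role/log-group creation flags) is cheapest to turn on at creation time. A comment on the `map_public_ip_on_launch` line stating why public addresses are needed would make the choice reviewable.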
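Review bot: The comment `// This AWS accounts holds macOS Instances for kubernetes CI/CD` has a number-agreement slip; `// This AWS account holds the macOS instances used for Kubernetes CI/CD` reads cleanly. The account ID `230049944443` hard-coded in `infra/aws/terraform/macos/atlantis.config` and `atlantis.tfvars` is presumably the output of this `module "macos"`, so a note on one side tying the two together would let the next reviewer confirm the Atlantis role targets the account this module creates.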
diff --git a/infra/aws/terraform/management-account/provider.tf b/infra/aws/terraform/management-account/provider.tf
index 37c706770c4..fa2d791aa76 100644
--- a/infra/aws/terraform/management-account/provider.tf
+++ b/infra/aws/terraform/management-account/provider.tf
@@ -30,7 +30,11 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = "~> 6.17.0"
+ version = "~> 6.22.1"
 }
 }
 }
+
+provider "aws" {
+ region = "us-east-1"
+}
diff --git a/infra/aws/terraform/management-account/providers.tf b/infra/aws/terraform/management-account/providers.tf
deleted file mode 100644
index d3c31b887f6..00000000000
--- a/infra/aws/terraform/management-account/providers.tf
+++ /dev/null
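Review bot: Adding the default `provider "aws"` here while deleting `providers.tf` in the following hunk drops every aliased provider that file declared, including `aws.shared-services` (which assumed a role into `module.infra_shared_services`) and the per-region aliases such as `aws.us-east-2`; if any resource or module in this directory still passes `providers = { aws = aws.<alias> }`, `terraform init` will fail with an undeclared-provider error. The `capa-ami` module context earlier in this commit lists regions such as `eu-south-2` and may rely on per-region providers, though that cannot be confirmed from the visible lines. Unless the aliases were moved elsewhere in the same change (not visible here), this is more than a provider-version bump and deserves a sentence in the commit description saying where the shared-services and regional providers went.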
@@ -1,152 +0,0 @@
-/*
-Copyright 2023 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-provider "aws" {
- region = "us-east-1"
-}
-
-provider "aws" {
- region = "us-east-1"
- alias = "shared-services"
-
- assume_role {
- role_arn = "arn:aws:iam::${module.infra_shared_services.account_id}:role/OrganizationAccountAccessRole"
- }
-}
-
-# us-* providers
-
-provider "aws" {
- alias = "us-east-1"
- region = "us-east-1"
-}
-
-provider "aws" {
- alias = "us-east-2"
- region = "us-east-2"
-}
-
-provider "aws" {
- alias = "us-west-1"
- region = "us-west-1"
-}
-
-provider "aws" {
- alias = "us-west-2"
- region = "us-west-2"
-}
-
-# af-* providers
-
-provider "aws" {
- alias = "af-south-1"
- region = "af-south-1"
-}
-
-# ap-* providers
-
-provider "aws" {
- alias = "ap-east-1"
- region = "ap-east-1"
-}
-
-provider "aws" {
- alias = "ap-southeast-3"
- region = "ap-southeast-3"
-}
-
-provider "aws" {
- alias = "ap-south-1"
- region = "ap-south-1"
-}
-
-provider "aws" {
- alias = "ap-northeast-3"
- region = "ap-northeast-3"
-}
-
-provider "aws" {
- alias = "ap-northeast-2"
- region = "ap-northeast-2"
-}
-
-provider "aws" {
- alias = "ap-southeast-1"
- region = "ap-southeast-1"
-}
-
-provider "aws" {
- alias = "ap-southeast-2"
- region = "ap-southeast-2"
-}
-
-provider "aws" {
- alias = "ap-northeast-1"
- region = "ap-northeast-1"
-}
-
-# ca-* providers
-
-provider "aws" {
- alias = "ca-central-1"
- region = "ca-central-1"
-}
-
-# eu-* providers
-
-provider "aws" {
- alias = "eu-central-1"
- region = "eu-central-1"
-}
-
-provider "aws" {
- alias = "eu-west-1"
- region = "eu-west-1"
-}
-
-provider "aws" {
- alias = "eu-west-2"
- region = "eu-west-2"
-}
-
-provider "aws" {
- alias = "eu-south-1"
- region = "eu-south-1"
-}
-
-provider "aws" {
- alias = "eu-west-3"
- region = "eu-west-3"
-}
-
-provider "aws" {
- alias = "eu-north-1"
- region = "eu-north-1"
-}
-
-# me-* providers
-
-provider "aws" {
- alias = "me-south-1"
- region = "me-south-1"
-}
-
-# sa-* providers
-
-provider "aws" {
- alias = "sa-east-1"
- region = "sa-east-1"
-}