[WIP] deploy macos instances

.atlantis.yaml

@@ -14,3 +14,7 @@ projects:
     branch: /main/
     dir: infra/aws/terraform/kops-infra-ci
     workflow: aws
+  - name: k8s-infra-macos
+    branch: /main/
+    dir: infra/aws/terraform/macos
+    workflow: aws

infra/aws/terraform/macos/README.md

@@ -0,0 +1,3 @@
+# infra/aws/terraform/macos
+
+This AWS account holds our MacOS infrastructure used by

infra/aws/terraform/macos/atlantis.config

@@ -0,0 +1,3 @@
+assume_role = {
+  role_arn = "arn:aws:iam::230049944443:role/OrganizationAccountAccessRole"
+}

infra/aws/terraform/macos/atlantis.tfvars

@@ -0,0 +1 @@
+atlantis_role_arn = "arn:aws:iam::230049944443:role/OrganizationAccountAccessRole"

infra/aws/terraform/macos/main.tf

@@ -0,0 +1,24 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+resource "aws_ec2_host" "mac" {
+  count             = 1
+  instance_type     = "mac2.metal"
+  availability_zone = "us-east-2a"
+  host_recovery     = "on"
+  auto_placement    = "on"
+}

infra/aws/terraform/macos/provider.tf

@@ -0,0 +1,39 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+terraform {
+  required_version = "~> 1.1"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 6.22.1"
+    }
+  }
+
+  backend "s3" {
+    bucket = "k8-infra-macos-tfstate"
+    key    = "terraform.state"
+    region = "us-east-2"
+  }
+}
+
+provider "aws" {
+  region = "us-east-2"
+  assume_role {
+    role_arn = var.atlantis_role_arn
+  }
+}

infra/aws/terraform/macos/variables.tf

@@ -0,0 +1,31 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+variable "prefix" {
+  description = "Prefix for every resource so that the resources can be created without using the same names. Useful for testing and staging"
+  type        = string
+  default     = "prod-"
+
+  validation {
+    condition     = can(regex(".*-$|^$", var.prefix))
+    error_message = "The string must end with a hyphen or be empty."
+  }
+}
+
+variable "atlantis_role_arn" {
+  description = "The ARN of the Atlantis IAM role"
+  default     = null
+}

infra/aws/terraform/macos/vpc.tf

@@ -0,0 +1,37 @@
+module "vpc" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "~> 6.5"
+
+  name = "macos-vpc"
+
+  cidr = "10.1.0.0/16"
+
+  azs             = ["us-east-2a", "us-east-2b", "us-east-2c"]
+  private_subnets = ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24"]
+  public_subnets  = ["10.1.3.0/24", "10.1.4.0/24", "10.1.5.0/24"]
+
+  # Enable public IPv4 addresses
+  map_public_ip_on_launch = true
+
+  # Enable IPv6
+  enable_ipv6            = true
+  create_egress_only_igw = true
+
+  # Assign IPv6 address on creation to each instance
+  public_subnet_assign_ipv6_address_on_creation  = true
+  private_subnet_assign_ipv6_address_on_creation = true
+
+  # Used for calculating IPv6 CIDR based on the following formula:
+  # cidrsubnet(aws_vpc.this[0].ipv6_cidr_block, 8, var.private_subnet_ipv6_prefixes[count.index])
+  private_subnet_ipv6_prefixes = [0, 1, 2]
+  public_subnet_ipv6_prefixes  = [3, 4, 5]
+
+  # NAT Gateway allows connection to external services (e.g. Internet).
+  enable_nat_gateway   = true
+  single_nat_gateway   = true
+  enable_dns_hostnames = true
+  tags = {
+    "Environment" = "production"
+    "Team"        = "sig-k8s-infra"
+  }
+}

infra/aws/terraform/management-account/organization-accounts-workloads-prod.tf

@@ -83,3 +83,17 @@ module "capa-ami" {
     "eu-south-2",
   ]
 }
+
+// This AWS accounts holds macOS Instances for kubernetes CI/CD
+module "macos" {
+  source = "../modules/org-account"
+
+  account_name = "k8s-infra-macos"
+  email        = "k8s-infra-aws-admins+macos@kubernetes.io"
+  parent_id    = aws_organizations_organizational_unit.production.id
+  tags = {
+    "production"  = "true",
+    "environment" = "prod",
+    "group"       = "sig-k8s-infra",
+  }
+}

infra/aws/terraform/management-account/provider.tf

@@ -30,7 +30,11 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 6.17.0"
+      version = "~> 6.22.1"
     }
   }
 }
+
+provider "aws" {
+  region = "us-east-1"
+}