feat: add initial code for cloudformation and aws (#11)

Author: ruzickap

README.md

@@ -19,6 +19,99 @@ mise task run "delete:k3d:*"
 
 > Same for eksctl, az, terraform-aws, terraform-az, ... clusters
 
+## Architecture diagrams
+
+### DNS diagram
+
+```mermaid
+flowchart TB
+  subgraph "Cloudflare"
+    mylabs.dev@{ icon: "logos:cloudflare-icon", form: "square", label: "mylabs.dev", pos: "b", h: 60 }
+  end
+
+  subgraph "AWS"
+    subgraph "AWS Primary Account"
+      aws.mylabs.dev@{ icon: "logos:aws-route53", form: "circle", label: "aws.mylabs.dev", pos: "b", h: 60 }
+      k8s.aws.mylabs.dev@{ icon: "logos:aws-route53", form: "square", label: "k8s.aws.mylabs.dev", pos: "b", h: 60 }
+    end
+    subgraph "AWS Account 03"
+      k05.k8s.aws.mylabs.dev@{ icon: "logos:aws-route53", form: "square", label: "k05.k8s.aws.mylabs.dev", pos: "b", h: 60 }
+      k06.k8s.aws.mylabs.dev@{ icon: "logos:aws-route53", form: "square", label: "k06.k8s.aws.mylabs.dev", pos: "b", h: 60 }
+    end
+    subgraph "AWS Account 02"
+      k03.k8s.aws.mylabs.dev@{ icon: "logos:aws-route53", form: "square", label: "k03.k8s.aws.mylabs.dev", pos: "b", h: 60 }
+      k04.k8s.aws.mylabs.dev@{ icon: "logos:aws-route53", form: "square", label: "k04.k8s.aws.mylabs.dev", pos: "b", h: 60 }
+    end
+    subgraph "AWS Account 01"
+      k01.k8s.aws.mylabs.dev@{ icon: "logos:aws-route53", form: "square", label: "k01.k8s.aws.mylabs.dev", pos: "b", h: 60 }
+      k02.k8s.aws.mylabs.dev@{ icon: "logos:aws-route53", form: "square", label: "k02.k8s.aws.mylabs.dev", pos: "b", h: 60 }
+    end
+  end
+
+  subgraph "Azure"
+    subgraph "Azure Primary Account"
+      az.mylabs.dev@{ icon: "logos:azure-icon", form: "circle", label: "az.mylabs.dev", pos: "b", h: 60 }
+      k8s.az.mylabs.dev@{ icon: "logos:azure-icon", form: "square", label: "k8s.az.mylabs.dev", pos: "b", h: 60 }
+    end
+    subgraph "Azure Account 03"
+      k05.k8s.az.mylabs.dev@{ icon: "logos:azure-icon", form: "square", label: "k05.k8s.az.mylabs.dev", pos: "b", h: 60 }
+      k06.k8s.az.mylabs.dev@{ icon: "logos:azure-icon", form: "square", label: "k06.k8s.az.mylabs.dev", pos: "b", h: 60 }
+    end
+    subgraph "Azure Account 02"
+      k03.k8s.az.mylabs.dev@{ icon: "logos:azure-icon", form: "square", label: "k03.k8s.az.mylabs.dev", pos: "b", h: 60 }
+      k04.k8s.az.mylabs.dev@{ icon: "logos:azure-icon", form: "square", label: "k04.k8s.az.mylabs.dev", pos: "b", h: 60 }
+    end
+    subgraph "Azure Account 01"
+      k01.k8s.az.mylabs.dev@{ icon: "logos:azure-icon", form: "square", label: "k01.k8s.az.mylabs.dev", pos: "b", h: 60 }
+      k02.k8s.az.mylabs.dev@{ icon: "logos:azure-icon", form: "square", label: "k02.k8s.az.mylabs.dev", pos: "b", h: 60 }
+    end
+  end
+
+  subgraph "GCP"
+    subgraph "GCP Primary Account"
+      gcp.mylabs.dev@{ icon: "logos:google-cloud", form: "circle", label: "gcp.mylabs.dev", pos: "b", h: 60 }
+      k8s.gcp.mylabs.dev@{ icon: "logos:google-cloud", form: "square", label: "k8s.gcp.mylabs.dev", pos: "b", h: 60 }
+    end
+    subgraph "GCP Account 03"
+      k05.k8s.gcp.mylabs.dev@{ icon: "logos:google-cloud", form: "square", label: "k05.k8s.gcp.mylabs.dev", pos: "b", h: 60 }
+      k06.k8s.gcp.mylabs.dev@{ icon: "logos:google-cloud", form: "square", label: "k06.k8s.gcp.mylabs.dev", pos: "b", h: 60 }
+    end
+    subgraph "GCP Account 02"
+      k03.k8s.gcp.mylabs.dev@{ icon: "logos:google-cloud", form: "square", label: "k03.k8s.gcp.mylabs.dev", pos: "b", h: 60 }
+      k04.k8s.gcp.mylabs.dev@{ icon: "logos:google-cloud", form: "square", label: "k04.k8s.gcp.mylabs.dev", pos: "b", h: 60 }
+    end
+    subgraph "GCP Account 01"
+      k01.k8s.gcp.mylabs.dev@{ icon: "logos:google-cloud", form: "square", label: "k01.k8s.gcp.mylabs.dev", pos: "b", h: 60 }
+      k02.k8s.gcp.mylabs.dev@{ icon: "logos:google-cloud", form: "square", label: "k02.k8s.gcp.mylabs.dev", pos: "b", h: 60 }
+    end
+  end
+
+  mylabs.dev --> aws.mylabs.dev
+  aws.mylabs.dev --> k8s.aws.mylabs.dev
+  k8s.aws.mylabs.dev --> k01.k8s.aws.mylabs.dev
+  k8s.aws.mylabs.dev --> k02.k8s.aws.mylabs.dev
+  k8s.aws.mylabs.dev --> k03.k8s.aws.mylabs.dev
+  k8s.aws.mylabs.dev --> k04.k8s.aws.mylabs.dev
+  k8s.aws.mylabs.dev --> k05.k8s.aws.mylabs.dev
+  k8s.aws.mylabs.dev --> k06.k8s.aws.mylabs.dev
+  mylabs.dev --> az.mylabs.dev
+  az.mylabs.dev --> k8s.az.mylabs.dev
+  k8s.az.mylabs.dev --> k01.k8s.az.mylabs.dev
+  k8s.az.mylabs.dev --> k02.k8s.az.mylabs.dev
+  k8s.az.mylabs.dev --> k03.k8s.az.mylabs.dev
+  k8s.az.mylabs.dev --> k04.k8s.az.mylabs.dev
+  k8s.az.mylabs.dev --> k05.k8s.az.mylabs.dev
+  k8s.az.mylabs.dev --> k06.k8s.az.mylabs.dev
+  mylabs.dev --> gcp.mylabs.dev
+  gcp.mylabs.dev --> k8s.gcp.mylabs.dev
+  k8s.gcp.mylabs.dev --> k01.k8s.gcp.mylabs.dev
+  k8s.gcp.mylabs.dev --> k02.k8s.gcp.mylabs.dev
+  k8s.gcp.mylabs.dev --> k03.k8s.gcp.mylabs.dev
+  k8s.gcp.mylabs.dev --> k04.k8s.gcp.mylabs.dev
+  k8s.gcp.mylabs.dev --> k05.k8s.gcp.mylabs.dev
+  k8s.gcp.mylabs.dev --> k06.k8s.gcp.mylabs.dev
+```
+
 ---
 
 ## Tests

cloudformation/aws-cf-route53-gh-action-iam-role-oidc.yml

@@ -0,0 +1,93 @@
+AWSTemplateFormatVersion: 2010-09-09
+
+Description: Route53 entry and IAM role for GitHub Actions OIDC federated role
+
+Parameters:
+  PrimaryDomain:
+    Description: "Primary domain for AWS services (e.g. aws.mylabs.dev)"
+    Type: String
+  K8sDomain:
+    Description: "K8s domain hosting cluster subdomains (e.g. k8s.aws.mylabs.dev)"
+    Type: String
+  # GithubActionsThumbprint:
+  #   Type: CommaDelimitedList
+  #   Default: 6938fd4d98bab03faadb97b34396831e3780aea1
+  #   Description: >
+  #     Comma seperated list of thumbprints for GitHub Actions tokens.
+  #     Default comes from https://github.blog/changelog/2022-01-13-github-actions-update-on-oidc-based-deployments-to-aws/
+  # AudienceList:
+  #   Type: CommaDelimitedList
+  #   Default: sts.amazonaws.com
+  #   Description: >
+  #     Comma separated list of allowed audience for the tokens.
+  #     Default is audience for the official AWS configure action from https://github.com/aws-actions/configure-aws-credentials
+  # SubjectClaimFilters:
+  #   Type: CommaDelimitedList
+  #   Default: "repo:ruzickap/k8s-multicluster-gitops:*"
+  #   Description: >
+  #     Subject claim filter for valid tokens.
+  #     Default allows any branch or tag of the McK-Internal/VM-wiz-automation to assume the role.
+  #     See https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#example-subject-claims
+  #     for examples of filtering by branch or deployment environment.
+  # ManagedPolicyARNs:
+  #   Type: CommaDelimitedList
+  #   Default: arn:aws:iam::aws:policy/AdministratorAccess
+  #   Description: Comma separated list for arns for managed policies to attach to the role
+
+Resources:
+  PrimaryHostedZone:
+    Type: AWS::Route53::HostedZone
+    Properties:
+      Name: !Ref PrimaryDomain
+      HostedZoneConfig:
+        Comment: Primary domain for AWS services
+  K8sHostedZone:
+    Type: AWS::Route53::HostedZone
+    Properties:
+      Name: !Ref K8sDomain
+      HostedZoneConfig:
+        Comment: K8s domain hosting cluster subdomains
+  nsRootPrimaryHostedZoneRecordSet:
+    Type: "AWS::Route53::RecordSet"
+    Properties:
+      HostedZoneId: !Ref PrimaryHostedZone
+      Name: !Sub "${K8sDomain}."
+      Type: NS
+      TTL: 86400
+      ResourceRecords: !GetAtt K8sHostedZone.NameServers
+#   GitHubIdentityProvider:
+#     Type: AWS::IAM::OIDCProvider
+#     Properties:
+#       ClientIdList: !Ref AudienceList
+#       ThumbprintList: !Ref GithubActionsThumbprint
+#       Url: https://token.actions.githubusercontent.com
+#   GitHubActionsServiceRole:
+#     Type: AWS::IAM::Role
+#     Properties:
+#       AssumeRolePolicyDocument:
+#         Version: "2012-10-17"
+#         Statement:
+#           - Sid: RoleForGitHubActions
+#             Effect: Allow
+#             Principal:
+#               Federated: !Ref GitHubIdentityProvider
+#             Action:
+#               - "sts:AssumeRoleWithWebIdentity"
+#             Condition:
+#               StringLike:
+#                 token.actions.githubusercontent.com:sub: !Ref SubjectClaimFilters
+#           - Sid: AllowUsersToAssumeRole
+#             Effect: Allow
+#             Principal:
+#               AWS: !GetAtt User.Arn
+#             Action:
+#               - "sts:AssumeRole"
+#       Description: Service Role for use in GitHub Actions
+#       RoleName: GitHubOidcFederatedRole
+#       MaxSessionDuration: 36000
+#       ManagedPolicyArns: !Ref ManagedPolicyARNs
+
+# Outputs:
+#   ServiceRoleARN:
+#     Description: Arn of service role for use in GitHub actions
+#     Value: !GetAtt GitHubActionsServiceRole.Arn

lychee.toml

@@ -36,6 +36,7 @@ exclude = [
   'stackexchange\.com',
   # returns 403 when accessed from GitHub Action
   'stackoverflow\.com',
+  'token\.actions\.githubusercontent\.com',
   # keep-sorted end
 ]
 

mise.toml

@@ -1,6 +1,8 @@
 [tools]
 # Tools need to be downloaded each time because if they were downloaded within 'tasks' (which run in parallel), the PATH propagation would not work properly.
 # keep-sorted start
+aws = "2.24.24"
+eksctl = "0.205.0"
 k3d = "5.8.3"
 kind = "0.27.0"
 # keep-sorted end
@@ -11,16 +13,20 @@ trusted_config_paths = ["/"]
 task_output = "prefix"
 
 [env]
+AWS_PRIMARY_DOMAIN = "aws.mylabs.dev"
+AWS_K8S_DOMAIN = "k8s.{{ env.AWS_PRIMARY_DOMAIN }}"
 # keep-sorted start
+# Default AWS region if not overridden
+AWS_REGION = "us-east-1"
+CLICOLOR_FORCE = "1"
 # Directory which contains the clusters mise configurations
 CLUSTERS_DIRECTORY = "{{ config_root }}/clusters"
 # Directory which contains the kubeconfig files for the created clusters (will be create if not exists)
 CLUSTERS_KUBECONFIG_DIRECTORY = "{{ config_root }}/clusters/.kubeconfig"
 # Directory which contains the scripts to create and delete the clusters
 CLUSTERS_RUN_SCRIPT_DIRECTORY = "{{ config_root }}/scripts"
-CLICOLOR_FORCE = "1"
 MISE_TASK_OUTPUT = "prefix"
-# keep-sorted stop
+# keep-sorted end
 
 [tasks."create-all"]
 description = 'Create all K8s clusters'
@@ -32,9 +38,47 @@ confirm = 'Are you sure you want to delete all K8s clusters created by mise?'
 # Do not use 'depends = ["delete:*:*"]' because it will run before question above
 run = 'mise run "delete:*:*"'
 
-#######################################
+##############################################################################
+# Primary AWS Account - CloudFormation - Route53 + GitHub Actions Access + IAM role
+##############################################################################
+
+[tasks."create:aws-primary:cf-route53-gh-action-iam-role-oidc"]
+description = 'Configure Primary AWS Account - Create CloudFormation - Route53 + GitHub Actions Access + IAM role'
+confirm = '''
+Make sure you have the following AWS environment variables set for your "Primary AWS account":
+- AWS_ACCESS_KEY_ID
+- AWS_SECRET_ACCESS_KEY
+- AWS_SESSION_TOKEN - in case you are using temporary credentials
+'''
+env.GIT_REPOSITORY = "{{ exec(command='git config --get remote.origin.url') }}"
+env.AWS_CLOUDFORMATION_TEMPLATE_FILE = "cloudformation/aws-cf-route53-gh-action-iam-role-oidc.yml"
+run = '''
+  eval aws cloudformation deploy --capabilities CAPABILITY_NAMED_IAM \
+    --stack-name route53-gh-action-iam-role-oidc \
+    --parameter-overrides "PrimaryDomain=${AWS_PRIMARY_DOMAIN} K8sDomain=${AWS_K8S_DOMAIN}" \
+    --template-file "${AWS_CLOUDFORMATION_TEMPLATE_FILE}" \
+    --tags "git_repository=${GIT_REPOSITORY}//${AWS_CLOUDFORMATION_TEMPLATE_FILE}"
+'''
+
+[tasks."delete:aws-primary:cf-route53-gh-action-iam-role-oidc"]
+description = 'Primary AWS Account - Delete CloudFormation - Route53 + GitHub Actions Access + IAM role'
+confirm = '''
+Are you sure you want to delete the CloudFormation (Route53 + GitHub Actions Access + IAM role) from Primary AWS Account?
+
+Make sure you have the following AWS environment variables set for your "Primary AWS account":
+- AWS_ACCESS_KEY_ID
+- AWS_SECRET_ACCESS_KEY
+- AWS_SESSION_TOKEN - in case you are using temporary credentials
+'''
+
+run = '''
+  aws cloudformation delete-stack --stack-name route53-gh-action-iam-role-oidc
+  aws cloudformation wait stack-delete-complete --stack-name route53-gh-action-iam-role-oidc
+'''
+
+##############################################################################
 # Kind
-#######################################
+##############################################################################
 
 [tasks."create:kind:kind01-internal"]
 description = 'Create kind01.internal K8s cluster'
@@ -61,9 +105,9 @@ run = 'mise run "create:kind:*"'
 description = 'Delete kind K8s clusters'
 run = 'mise run "delete:kind:*"'
 
-#######################################
+##############################################################################
 # K3d
-#######################################
+##############################################################################
 
 [tasks."create:k3d:k3d01-internal"]
 description = 'Create k3d01.internal K8s cluster'
@@ -89,3 +133,23 @@ run = 'mise run "create:k3d:*"'
 [tasks."delete-k3d-all"]
 description = 'Delete k3d K8s clusters'
 run = 'mise run "delete:k3d:*"'
+
+##############################################################################
+# eksctl
+##############################################################################
+
+[tasks."create:eksctl:k01-k8s-aws-mylabs-dev"]
+description = 'Create k01.k8s.aws.mylabs.dev K8s cluster'
+run = 'mise run --env ${MISE_TASK_NAME##*:} create:${MISE_TASK_NAME##*:}'
+
+[tasks."delete:eksctl:k01-k8s-aws-mylabs-dev"]
+description = 'Delete k01.k8s.aws.mylabs.dev K8s cluster'
+run = 'mise run --env ${MISE_TASK_NAME##*:} delete:${MISE_TASK_NAME##*:}'
+
+[tasks."create-eksctl-all"]
+description = 'Create eksctl K8s clusters'
+run = 'mise run "create:eksctl:*"'
+
+[tasks."delete-eksctl-all"]
+description = 'Delete eksctl K8s clusters'
+run = 'mise run "delete:eksctl:*"'

mise/config.k01-k8s-aws-mylabs-dev.toml

@@ -0,0 +1,12 @@
+[env]
+CLUSTER_FQDN = "k01.k8s.aws.mylabs.dev"
+BASE_DOMAIN = '{{ env.CLUSTER_FQDN | split(pat=".") | slice(start=1) | join(sep=".") }}'
+CLUSTER_NAME = '{{ env.CLUSTER_FQDN | split(pat=".") | first }}'
+
+[tasks."create:k01-k8s-aws-mylabs-dev"]
+description = 'Create K8s cluster'
+run = '${CLUSTERS_RUN_SCRIPT_DIRECTORY}/run-eksctl.sh create'
+
+[tasks."delete:k01-k8s-aws-mylabs-dev"]
+description = 'Delete K8s cluster'
+run = '${CLUSTERS_RUN_SCRIPT_DIRECTORY}/run-eksctl.sh delete'