UCS-489: updates to run current ADS deployment

common/versions.tf

@@ -2,10 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      # Limit version to get around this bug:
-      # https://github.com/terraform-aws-modules/terraform-aws-eks/issues/2635
-      # Can upgrade whenterraform-aws-eks > 20.0.0 is release
-      version = "< 5.0.0"
+      version = ">= 5.0.0"
     }
   }
   required_version = ">= 0.14"

dev_env/jupyterhub/csi_driver.tf

@@ -20,15 +20,17 @@ module "ebs_csi_irsa_role" {
   role_permissions_boundary_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/mcp-tenantOperator-AMI-APIG"
 
   tags = {
-    "eks_addon" = "efs-csi"
+    "eks_addon" = "ebs-csi"
     "terraform" = "true"
   }
 }
 
 resource "aws_eks_addon" "ebs-csi" {
-  cluster_name             = module.eks.cluster_name
-  addon_name               = "aws-ebs-csi-driver"
-  service_account_role_arn = module.ebs_csi_irsa_role.iam_role_arn
+  cluster_name                = module.eks.cluster_name
+  addon_name                  = "aws-ebs-csi-driver"
+  service_account_role_arn    = module.ebs_csi_irsa_role.iam_role_arn
+  # TODO: uncomment this if you get conflicts
+  resolve_conflicts_on_create = "OVERWRITE"
   tags = {
     "eks_addon" = "ebs-csi"
     "terraform" = "true"

dev_env/jupyterhub/efs.tf

@@ -77,7 +77,8 @@ resource "kubernetes_persistent_volume" "dev_support_shared_volume" {
   depends_on = [ 
     kubernetes_storage_class.efs_storage_class,
     aws_efs_mount_target.dev_support_efs_mt_1,
-    aws_efs_mount_target.dev_support_efs_mt_2
+    aws_efs_mount_target.dev_support_efs_mt_2,
+    aws_eks_addon.efs-csi
   ]
 }
 
@@ -103,6 +104,7 @@ resource "kubernetes_persistent_volume_claim" "dev_support_shared_volume_claim"
 
   # Prevents a cycle with eks_cluster.jupyter_hub
   depends_on = [ 
-    kubernetes_persistent_volume.dev_support_shared_volume
+    kubernetes_persistent_volume.dev_support_shared_volume,
+    aws_eks_addon.efs-csi
   ]
 }

dev_env/jupyterhub/eks_cluster.tf

@@ -1,13 +1,48 @@
+data "aws_region" "current" {
+}
+
 data "aws_caller_identity" "current" {
 }
 
 data "aws_ssm_parameter" "ami_id" {
   name = "/mcp/amis/aml2-eks-1-30"
 }
 
+data "external" "current_ip" {
+  program = ["./get_ip.sh"]
+}
+
+resource "aws_security_group" "mc_instance_k8s_api_access" {
+  name        = "${var.resource_prefix}-${var.venue_prefix}${var.venue}-mc-sg"
+  description = "Security group to allow access to K8s API from MC instance"
+
+  vpc_id = data.aws_ssm_parameter.vpc_id.value
+
+  tags = {
+    Name = "${var.resource_prefix}-${var.venue_prefix}${var.venue}-mc-sg"
+  }
+
+  # Allow all outbound traffic.
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  # Allow from variable defined input port
+  ingress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["${data.external.current_ip.result.ip}/32"]
+  }
+
+}
+
 module "eks" {
   source  = "terraform-aws-modules/eks/aws"
-  version = "~> 19.0"
+  version = "~> 20.0"
 
   cluster_name    = "${var.resource_prefix}-${var.venue_prefix}${var.venue}-jupyter"
   cluster_version = "1.30"
@@ -35,6 +70,11 @@ module "eks" {
   iam_role_permissions_boundary = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/mcp-tenantOperator-AMI-APIG"
 
   cluster_endpoint_public_access = true
+  cluster_endpoint_private_access = true
+  enable_cluster_creator_admin_permissions = true
+
+  # add MC instance access to K8s API
+  cluster_additional_security_group_ids = [aws_security_group.mc_instance_k8s_api_access.id]
 
   eks_managed_node_group_defaults = {
     create_iam_role = true
@@ -65,6 +105,13 @@ module "eks" {
 
 }
 
+resource "null_resource" "eks_post_deployment_actions" {
+  depends_on = [module.eks]
+  provisioner "local-exec" {
+    command = "./eks_post_deployment_actions.sh ${data.aws_region.current.name} ${module.eks.cluster_name}"
+  }
+}
+
 output "eks_cluster_name" {
   value = module.eks.cluster_name
 }

dev_env/jupyterhub/eks_post_deployment_actions.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+set -e
+
+# update kube config
+aws eks --region $1 update-kubeconfig --name $2
+
+# uncomment if pods are running in a private subnet and need to communicate outbound to the internet
+#kubectl set env daemonset -n kube-system aws-node AWS_VPC_K8S_CNI_EXTERNALSNAT=true
+
+# uncomment to deploy EBS CSI driver via kustomize
+#kubectl apply -k "github.com/kubernetes-sigs/aws-ebs-csi-driver/deploy/kubernetes/overlays/stable/?ref=release-1.36"

dev_env/jupyterhub/frontend.tf

@@ -55,7 +55,7 @@ module "frontend" {
 # Initialize connection to HTTP proxy
 resource "aws_ssm_parameter" "serviceproxy_config" {
   depends_on = [module.frontend]
-  name       = "/unity/${var.project}/${var.venue}/cs/management/proxy/configurations/042-jupyterlab"
+  name       = "/unity/${var.project}/${var.venue}/cs/management/proxy/configurations/042-${local.url_terminus_path}"
   type       = "String"
   value       = <<-EOT
     <Location /${var.project}/${var.venue}/${local.url_terminus_path}/>

dev_env/jupyterhub/get_ip.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+set -e
+IP=$(curl -s 'http://169.254.169.254/latest/meta-data/local-ipv4')
+jq -n --arg ip "$IP" '{"ip":$ip}'

dev_env/jupyterhub/jupyter_helm.tf

@@ -4,6 +4,7 @@ resource "helm_release" "jupyter_helm" {
   chart      = "jupyterhub"
   namespace  = "jhub-${var.venue_prefix}${var.venue}"
   version    = "3.1.0"
+  timeout    = 3600
 
   cleanup_on_fail  = true
   create_namespace = true
@@ -28,6 +29,7 @@ resource "helm_release" "jupyter_helm" {
   depends_on = [
     module.frontend,
     module.eks,
+    null_resource.eks_post_deployment_actions,
   ]
 }
 

dev_env/shared_storage/efs.tf

@@ -14,7 +14,7 @@ resource "aws_kms_alias" "efs_key_alias" {
 }
 
 resource "aws_efs_file_system" "dev_support_efs" {
-   creation_token   = "efs"
+   creation_token   = "${var.resource_prefix}-${var.venue_prefix}${var.venue}-efs-token"
    performance_mode = "generalPurpose"
    encrypted        = true
    kms_key_id       = aws_kms_key.efs_key.arn