Remove hosted zone from state, in favor or IRSA (#220)

* PLAT-7972 Remove route53 nodes policy in favor of IRSA.

* PLAT-7967 Adds addons to single_node mod

.circleci/config.yml

@@ -61,6 +61,13 @@ commands:
           name: Set root infra module imports
           working_directory: tests/deploy
           command: bash ci-deploy.sh set_infra_imports
+  pre_upgrade_updates:
+    description: "Updates necessary for upgrade."
+    steps:
+      - run:
+          name: Manual updates
+          working_directory: tests/deploy
+          command: bash ci-deploy.sh pre_upgrade_updates
   set_cluster_imports:
     description: "Set up root cluster module imports."
     steps:
@@ -249,6 +256,7 @@ jobs:
       - set_mod_source_latest_rel
       - tf_deploy
       - set_mod_source_current
+      - pre_upgrade_updates
       - set_infra_imports
       - set_cluster_imports
       - set_nodes_imports

examples/deploy/terraform/infra.tfvars

@@ -42,10 +42,8 @@ network = {
     }
   }
 }
-region                      = null
-route53_hosted_zone_name    = null
-route53_hosted_zone_private = false
-ssh_pvt_key_path            = null
+region           = null
+ssh_pvt_key_path = null
 storage = {
   ecr = {
     force_destroy_on_deletion = true

examples/deploy/terraform/infra/README.md

@@ -36,8 +36,6 @@ No resources.
 | <a name="input_kms"></a> [kms](#input\_kms) | enabled = Toggle,if set use either the specified KMS key\_id or a Domino-generated one.<br>    key\_id  = optional(string, null) | <pre>object({<br>    enabled = optional(bool)<br>    key_id  = optional(string)<br>  })</pre> | n/a | yes |
 | <a name="input_network"></a> [network](#input\_network) | vpc = {<br>      id = Existing vpc id, it will bypass creation by this module.<br>      subnets = {<br>        private = Existing private subnets.<br>        public  = Existing public subnets.<br>        pod     = Existing pod subnets.<br>      }), {})<br>    }), {})<br>    network\_bits = {<br>      public  = Number of network bits to allocate to the public subnet. i.e /27 -> 32 IPs.<br>      private = Number of network bits to allocate to the private subnet. i.e /19 -> 8,192 IPs.<br>      pod     = Number of network bits to allocate to the private subnet. i.e /19 -> 8,192 IPs.<br>    }<br>    cidrs = {<br>      vpc     = The IPv4 CIDR block for the VPC.<br>      pod     = The IPv4 CIDR block for the Pod subnets.<br>    }<br>    use\_pod\_cidr = Use additional pod CIDR range (ie 100.64.0.0/16) for pod networking. | <pre>object({<br>    vpc = optional(object({<br>      id = optional(string, null)<br>      subnets = optional(object({<br>        private = optional(list(string), [])<br>        public  = optional(list(string), [])<br>        pod     = optional(list(string), [])<br>      }), {})<br>    }), {})<br>    network_bits = optional(object({<br>      public  = optional(number, 27)<br>      private = optional(number, 19)<br>      pod     = optional(number, 19)<br>      }<br>    ), {})<br>    cidrs = optional(object({<br>      vpc = optional(string, "10.0.0.0/16")<br>      pod = optional(string, "100.64.0.0/16")<br>    }), {})<br>    use_pod_cidr = optional(bool, true)<br>  })</pre> | `{}` | no |
 | <a name="input_region"></a> [region](#input\_region) | AWS region for the deployment | `string` | n/a | yes |
-| <a name="input_route53_hosted_zone_name"></a> [route53\_hosted\_zone\_name](#input\_route53\_hosted\_zone\_name) | Optional hosted zone for External DNS zone. | `string` | `null` | no |
-| <a name="input_route53_hosted_zone_private"></a> [route53\_hosted\_zone\_private](#input\_route53\_hosted\_zone\_private) | Is the hosted zone private | `bool` | `false` | no |
 | <a name="input_ssh_pvt_key_path"></a> [ssh\_pvt\_key\_path](#input\_ssh\_pvt\_key\_path) | SSH private key filepath. | `string` | n/a | yes |
 | <a name="input_storage"></a> [storage](#input\_storage) | storage = {<br>      efs = {<br>        access\_point\_path = Filesystem path for efs.<br>        backup\_vault = {<br>          create        = Create backup vault for EFS toggle.<br>          force\_destroy = Toggle to allow automatic destruction of all backups when destroying.<br>          backup = {<br>            schedule           = Cron-style schedule for EFS backup vault (default: once a day at 12pm).<br>            cold\_storage\_after = Move backup data to cold storage after this many days.<br>            delete\_after       = Delete backup data after this many days.<br>          }<br>        }<br>      }<br>      s3 = {<br>        force\_destroy\_on\_deletion = Toogle to allow recursive deletion of all objects in the s3 buckets. if 'false' terraform will NOT be able to delete non-empty buckets.<br>      }<br>      ecr = {<br>        force\_destroy\_on\_deletion = Toogle to allow recursive deletion of all objects in the ECR repositories. if 'false' terraform will NOT be able to delete non-empty repositories.<br>      }<br>    }<br>  } | <pre>object({<br>    efs = optional(object({<br>      access_point_path = optional(string, "/domino")<br>      backup_vault = optional(object({<br>        create        = optional(bool, true)<br>        force_destroy = optional(bool, true)<br>        backup = optional(object({<br>          schedule           = optional(string, "0 12 * * ? *")<br>          cold_storage_after = optional(number, 35)<br>          delete_after       = optional(number, 125)<br>        }), {})<br>      }), {})<br>    }), {})<br>    s3 = optional(object({<br>      force_destroy_on_deletion = optional(bool, true)<br>    }), {})<br>    ecr = optional(object({<br>      force_destroy_on_deletion = optional(bool, true)<br>    }), {})<br>  })</pre> | `{}` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Deployment tags. | `map(string)` | n/a | yes |

examples/deploy/terraform/infra/main.tf

@@ -6,17 +6,15 @@ module "infra" {
   bastion                = var.bastion
   default_node_groups    = var.default_node_groups
 
-  network                     = var.network
-  eks                         = var.eks
-  kms                         = var.kms
-  storage                     = var.storage
-  region                      = var.region
-  route53_hosted_zone_name    = var.route53_hosted_zone_name
-  route53_hosted_zone_private = var.route53_hosted_zone_private
-  ssh_pvt_key_path            = var.ssh_pvt_key_path
-  tags                        = var.tags
-  ignore_tags                 = var.ignore_tags
-  domino_cur                  = var.domino_cur
+  network          = var.network
+  eks              = var.eks
+  kms              = var.kms
+  storage          = var.storage
+  region           = var.region
+  ssh_pvt_key_path = var.ssh_pvt_key_path
+  tags             = var.tags
+  ignore_tags      = var.ignore_tags
+  domino_cur       = var.domino_cur
 }
 
 

examples/deploy/terraform/infra/variables.tf

@@ -332,18 +332,6 @@ variable "ssh_pvt_key_path" {
   type        = string
 }
 
-variable "route53_hosted_zone_name" {
-  description = "Optional hosted zone for External DNS zone."
-  type        = string
-  default     = null
-}
-
-variable "route53_hosted_zone_private" {
-  type        = bool
-  description = "Is the hosted zone private"
-  default     = false
-}
-
 variable "bastion" {
   description = <<EOF
     enabled                  = Create bastion host.

examples/tfvars/minimal-wo-bastion.tfvars

@@ -14,8 +14,6 @@ default_node_groups = {
   }
 }
 
-route53_hosted_zone_name = "deploys-delta.domino.tech"
-
 bastion = {
   enabled = false
 }

examples/tfvars/private-link.tfvars

@@ -19,5 +19,4 @@ default_node_groups = {
   }
 }
 
-enable_private_link      = true
-route53_hosted_zone_name = "domino"
+enable_private_link = true

examples/tfvars/single-node.tfvars

@@ -40,7 +40,6 @@ storage = {
   costs_enabled = false
 }
 
-route53_hosted_zone_name = "deploys-delta.domino.tech"
 eks = {
   k8s_version = "1.27"
 }

modules/iam-bootstrap/bootstrap-0.json

@@ -76,6 +76,7 @@
         "iam:Tag*",
         "iam:Untag*",
         "iam:UpdateAssumeRolePolicy",
+        "iam:ListEntitiesForPolicy",
         "sts:AssumeRole"
       ],
       "Resource": [

modules/infra/README.md

@@ -5,7 +5,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.6.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.7.0 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5 |
 | <a name="requirement_local"></a> [local](#requirement\_local) | >= 2.2.0 |
 | <a name="requirement_time"></a> [time](#requirement\_time) | >= 0.9.1 |
@@ -33,7 +33,6 @@
 | Name | Type |
 |------|------|
 | [aws_iam_policy.create_eks_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_policy.route53](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.create_eks_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.create_eks_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_key_pair.domino](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/key_pair) | resource |
@@ -45,10 +44,8 @@
 | [aws_ec2_instance_type.all](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_instance_type) | data source |
 | [aws_iam_policy_document.create_eks_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.kms_key_global](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.route53](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_kms_key.key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source |
 | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
-| [aws_route53_zone.hosted](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source |
 | [tls_public_key.domino](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/data-sources/public_key) | data source |
 
 ## Inputs
@@ -66,8 +63,6 @@
 | <a name="input_kms"></a> [kms](#input\_kms) | enabled             = "Toggle, if set use either the specified KMS key\_id or a Domino-generated one"<br>    key\_id              = optional(string, null)<br>    additional\_policies = "Allows setting additional KMS key policies when using a Domino-generated key" | <pre>object({<br>    enabled             = optional(bool, true)<br>    key_id              = optional(string, null)<br>    additional_policies = optional(list(string), [])<br>  })</pre> | `{}` | no |
 | <a name="input_network"></a> [network](#input\_network) | vpc = {<br>      id = Existing vpc id, it will bypass creation by this module.<br>      subnets = {<br>        private = Existing private subnets.<br>        public  = Existing public subnets.<br>        pod     = Existing pod subnets.<br>      }), {})<br>    }), {})<br>    network\_bits = {<br>      public  = Number of network bits to allocate to the public subnet. i.e /27 -> 32 IPs.<br>      private = Number of network bits to allocate to the private subnet. i.e /19 -> 8,192 IPs.<br>      pod     = Number of network bits to allocate to the private subnet. i.e /19 -> 8,192 IPs.<br>    }<br>    cidrs = {<br>      vpc     = The IPv4 CIDR block for the VPC.<br>      pod     = The IPv4 CIDR block for the Pod subnets.<br>    }<br>    use\_pod\_cidr = Use additional pod CIDR range (ie 100.64.0.0/16) for pod networking. | <pre>object({<br>    vpc = optional(object({<br>      id = optional(string, null)<br>      subnets = optional(object({<br>        private = optional(list(string), [])<br>        public  = optional(list(string), [])<br>        pod     = optional(list(string), [])<br>      }), {})<br>    }), {})<br>    network_bits = optional(object({<br>      public  = optional(number, 27)<br>      private = optional(number, 19)<br>      pod     = optional(number, 19)<br>      }<br>    ), {})<br>    cidrs = optional(object({<br>      vpc = optional(string, "10.0.0.0/16")<br>      pod = optional(string, "100.64.0.0/16")<br>    }), {})<br>    use_pod_cidr = optional(bool, true)<br>  })</pre> | `{}` | no |
 | <a name="input_region"></a> [region](#input\_region) | AWS region for the deployment | `string` | n/a | yes |
-| <a name="input_route53_hosted_zone_name"></a> [route53\_hosted\_zone\_name](#input\_route53\_hosted\_zone\_name) | Optional hosted zone for External DNS zone. | `string` | `null` | no |
-| <a name="input_route53_hosted_zone_private"></a> [route53\_hosted\_zone\_private](#input\_route53\_hosted\_zone\_private) | Is the hosted zone private | `bool` | `false` | no |
 | <a name="input_ssh_pvt_key_path"></a> [ssh\_pvt\_key\_path](#input\_ssh\_pvt\_key\_path) | SSH private key filepath. | `string` | n/a | yes |
 | <a name="input_storage"></a> [storage](#input\_storage) | storage = {<br>      efs = {<br>        access\_point\_path = Filesystem path for efs.<br>        backup\_vault = {<br>          create        = Create backup vault for EFS toggle.<br>          force\_destroy = Toggle to allow automatic destruction of all backups when destroying.<br>          backup = {<br>            schedule           = Cron-style schedule for EFS backup vault (default: once a day at 12pm).<br>            cold\_storage\_after = Move backup data to cold storage after this many days.<br>            delete\_after       = Delete backup data after this many days.<br>          }<br>        }<br>      }<br>      s3 = {<br>        force\_destroy\_on\_deletion = Toogle to allow recursive deletion of all objects in the s3 buckets. if 'false' terraform will NOT be able to delete non-empty buckets.<br>      }<br>      ecr = {<br>        force\_destroy\_on\_deletion = Toogle to allow recursive deletion of all objects in the ECR repositories. if 'false' terraform will NOT be able to delete non-empty repositories.<br>      }<br>      enable\_remote\_backup = Enable tagging required for cross-account backups<br>      costs\_enabled = Determines whether to provision domino cost related infrastructures, ie, long term storage<br>    }<br>  } | <pre>object({<br>    efs = optional(object({<br>      access_point_path = optional(string, "/domino")<br>      backup_vault = optional(object({<br>        create        = optional(bool, true)<br>        force_destroy = optional(bool, true)<br>        backup = optional(object({<br>          schedule           = optional(string, "0 12 * * ? *")<br>          cold_storage_after = optional(number, 35)<br>          delete_after       = optional(number, 125)<br>        }), {})<br>      }), {})<br>    }), {})<br>    s3 = optional(object({<br>      force_destroy_on_deletion = optional(bool, true)<br>    }), {})<br>    ecr = optional(object({<br>      force_destroy_on_deletion = optional(bool, true)<br>    }), {}),<br>    enable_remote_backup = optional(bool, false)<br>    costs_enabled        = optional(bool, true)<br>  })</pre> | `{}` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Deployment tags. | `map(string)` | `{}` | no |
@@ -85,7 +80,6 @@
 | <a name="output_domino_key_pair"></a> [domino\_key\_pair](#output\_domino\_key\_pair) | Domino key pair |
 | <a name="output_efs_security_group"></a> [efs\_security\_group](#output\_efs\_security\_group) | Security Group ID for EFS |
 | <a name="output_eks"></a> [eks](#output\_eks) | EKS variables. |
-| <a name="output_hostname"></a> [hostname](#output\_hostname) | Domino instance URL. |
 | <a name="output_ignore_tags"></a> [ignore\_tags](#output\_ignore\_tags) | Tags to be ignored by the aws provider |
 | <a name="output_kms"></a> [kms](#output\_kms) | KMS key details, if enabled. |
 | <a name="output_monitoring_bucket"></a> [monitoring\_bucket](#output\_monitoring\_bucket) | Monitoring Bucket |

modules/infra/iam.tf

@@ -1,39 +1,10 @@
-data "aws_route53_zone" "hosted" {
-  count        = var.route53_hosted_zone_name != null ? 1 : 0
-  name         = var.route53_hosted_zone_name
-  private_zone = var.route53_hosted_zone_private
-}
-
-data "aws_iam_policy_document" "route53" {
-  count = var.route53_hosted_zone_name != null ? 1 : 0
-  statement {
-
-    effect    = "Allow"
-    resources = ["*"]
-    actions   = ["route53:ListHostedZones"]
-  }
-
-  statement {
-
-    effect    = "Allow"
-    resources = data.aws_route53_zone.hosted[*].arn
-
-    actions = [
-      "route53:ChangeResourceRecordSets",
-      "route53:ListResourceRecordSets",
-    ]
+removed {
+  from = aws_iam_policy.route53
+  lifecycle {
+    destroy = false
   }
 }
 
-resource "aws_iam_policy" "route53" {
-  count  = var.route53_hosted_zone_name != null ? 1 : 0
-  name   = "${var.deploy_id}-route53"
-  path   = "/"
-  policy = data.aws_iam_policy_document.route53[0].json
-}
-
-
-
 locals {
   create_eks_role_name = coalesce(var.eks.creation_role_name, "${var.deploy_id}-create-eks")
 }

modules/infra/main.tf

@@ -95,11 +95,10 @@ module "bastion" {
 }
 
 locals {
-  cost_usage_report_info       = var.domino_cur.provision_cost_usage_report && length(module.cost_usage_report) > 0 ? module.cost_usage_report[0].info : null
-  bastion_info                 = var.bastion.enabled && length(module.bastion) > 0 ? module.bastion[0].info : null
-  node_iam_policies_storage    = [module.storage.info.s3.iam_policy_arn, module.storage.info.ecr.iam_policy_arn]
-  node_iam_policies_pre_concat = var.route53_hosted_zone_name != null ? concat(local.node_iam_policies_storage, [aws_iam_policy.route53[0].arn]) : local.node_iam_policies_storage
-  node_iam_policies            = local.cost_usage_report_info != null ? concat(local.node_iam_policies_pre_concat, [local.cost_usage_report_info.cur_iam_policy_arn]) : local.node_iam_policies_pre_concat
+  cost_usage_report_info    = var.domino_cur.provision_cost_usage_report && length(module.cost_usage_report) > 0 ? module.cost_usage_report[0].info : null
+  bastion_info              = var.bastion.enabled && length(module.bastion) > 0 ? module.bastion[0].info : null
+  node_iam_policies_storage = [module.storage.info.s3.iam_policy_arn, module.storage.info.ecr.iam_policy_arn]
+  node_iam_policies         = local.cost_usage_report_info != null ? concat(local.node_iam_policies_storage, [local.cost_usage_report_info.cur_iam_policy_arn]) : local.node_iam_policies_storage
 }
 
 provider "aws" {

modules/infra/outputs.tf

@@ -1,7 +1,3 @@
-output "hostname" {
-  description = "Domino instance URL."
-  value       = try("${var.deploy_id}.${var.route53_hosted_zone_name}", null)
-}
 output "domino_key_pair" {
   description = "Domino key pair"
   value       = { name = aws_key_pair.domino.key_name }

modules/infra/variables.tf

@@ -26,22 +26,6 @@ variable "deploy_id" {
   }
 }
 
-variable "route53_hosted_zone_name" {
-  type        = string
-  description = "Optional hosted zone for External DNS zone."
-  default     = null
-  validation {
-    condition     = var.route53_hosted_zone_name != null ? trimspace(var.route53_hosted_zone_name) != "" : true
-    error_message = "route53_hosted_zone_name must be null or a non empty string."
-  }
-}
-
-variable "route53_hosted_zone_private" {
-  type        = bool
-  description = "Is the hosted zone private"
-  default     = false
-}
-
 variable "tags" {
   type        = map(string)
   description = "Deployment tags."

modules/infra/versions.tf

@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.6.0"
+  required_version = ">= 1.7.0"
   required_providers {
     aws = {
       source  = "hashicorp/aws"