Merge branch 'main' into george-test

wandb · Jan 22, 2024 · 82127cd · 82127cd
2 parents 803acbd + 3a7767f
commit 82127cd
Show file tree

Hide file tree

Showing 17 changed files with 261 additions and 83 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,52 @@
 
 All notable changes to this project will be documented in this file.
 
+### [4.1.2](https://github.com/wandb/terraform-aws-wandb/compare/v4.1.1...v4.1.2) (2024-01-16)
+
+
+### Bug Fixes
+
+* Max LB name length ([#166](https://github.com/wandb/terraform-aws-wandb/issues/166)) ([85bd266](https://github.com/wandb/terraform-aws-wandb/commit/85bd266f5f0ce003f2d4e69f796a41df0ff9fb9c))
+
+### [4.1.1](https://github.com/wandb/terraform-aws-wandb/compare/v4.1.0...v4.1.1) (2024-01-11)
+
+
+### Bug Fixes
+
+* Update redis connection ttl ([#165](https://github.com/wandb/terraform-aws-wandb/issues/165)) ([f236b3b](https://github.com/wandb/terraform-aws-wandb/commit/f236b3b8c5f7d3fcece1a1d302276bde6bdd75d5))
+
+## [4.1.0](https://github.com/wandb/terraform-aws-wandb/compare/v4.0.2...v4.1.0) (2024-01-10)
+
+
+### Features
+
+* Adding flags to switch between LB ([#159](https://github.com/wandb/terraform-aws-wandb/issues/159)) ([ffa3778](https://github.com/wandb/terraform-aws-wandb/commit/ffa3778fe05da8681a828ce84f3f8291bb8fe5bd))
+
+### [4.0.2](https://github.com/wandb/terraform-aws-wandb/compare/v4.0.1...v4.0.2) (2024-01-09)
+
+
+### Bug Fixes
+
+* EFS index vs subnet for_each ([#163](https://github.com/wandb/terraform-aws-wandb/issues/163)) ([1e47177](https://github.com/wandb/terraform-aws-wandb/commit/1e47177a0017ef694e7667781111d9ce2d375f2b))
+
+### [4.0.1](https://github.com/wandb/terraform-aws-wandb/compare/v4.0.0...v4.0.1) (2024-01-09)
+
+
+### Bug Fixes
+
+* Disable gorilla glue tasks ([#161](https://github.com/wandb/terraform-aws-wandb/issues/161)) ([5d24bda](https://github.com/wandb/terraform-aws-wandb/commit/5d24bda4fead8d79b3e06d488ecb824980a3d15b))
+
+## [4.0.0](https://github.com/wandb/terraform-aws-wandb/compare/v3.4.2...v4.0.0) (2024-01-08)
+
+
+### ⚠ BREAKING CHANGES
+
+* Init operator (#154)
+
+### Features
+
+* Init operator ([#154](https://github.com/wandb/terraform-aws-wandb/issues/154)) ([95def33](https://github.com/wandb/terraform-aws-wandb/commit/95def33db96c55a640fba4df5bdfbcc3a179d8ac))
+
 ### [3.4.2](https://github.com/wandb/terraform-aws-wandb/compare/v3.4.1...v3.4.2) (2023-12-07)
 
 

diff --git a/README.md b/README.md
@@ -217,3 +217,28 @@ Upgrades must be executed in step-wise fashion from one version to the next. You
 | <a name="output_url"></a> [url](#output\_url) | The URL to the W&B application |
 
 <!-- END_TF_DOCS -->
+
+## Migrations
+
+#### Upgrading from 3.x -> 4.x
+
+- If egress access for retrieving the wandb/controller image is not available, Terraform apply may experience failures.
+- It's necessary to supply a license variable within the module, as shown:
+
+```hcl
+module "wandb" {
+  version = "4.x"
+
+  # ...
+  license = "<your license key>"
+  # ...
+}
+```
+
+### Upgrading from 2.x -> 3.x
+
+- No changes required by you
+
+### Upgrading from 1.x -> 2.x
+
+- ~>4.0 version required for AWS Provider
diff --git a/examples/public-dns-external/main.tf b/examples/public-dns-external/main.tf
@@ -1,5 +1,5 @@
 provider "aws" {
-  region  = "us-west-2"
+  region = "us-west-2"
 
   default_tags {
     tags = {
@@ -36,7 +36,7 @@ module "wandb_infra" {
   zone_id     = var.zone_id
   subdomain   = var.subdomain
 
-  # license = var.wandb_license
+  license = var.wandb_license
 
   bucket_name        = var.bucket_name
   bucket_kms_key_arn = var.bucket_kms_key_arn

diff --git a/main.tf b/main.tf
@@ -108,14 +108,15 @@ module "acm" {
 locals {
   acm_certificate_arn = local.create_certificate ? module.acm.acm_certificate_arn : var.acm_certificate_arn
   url                 = local.acm_certificate_arn == null ? "http://${local.fqdn}" : "https://${local.fqdn}"
+  domain_filter       = var.custom_domain_filter == null || var.custom_domain_filter == "" ? local.fqdn : var.custom_domain_filter
 
   internal_app_port = 32543
 }
 
 module "app_eks" {
   source = "./modules/app_eks"
 
-  fqdn = local.fqdn
+  fqdn = local.domain_filter
 
   namespace   = var.namespace
   kms_key_arn = local.kms_key_arn
@@ -153,7 +154,7 @@ module "app_lb" {
   acm_certificate_arn   = local.acm_certificate_arn
   zone_id               = var.zone_id
 
-  fqdn                      = local.fqdn
+  fqdn                      = var.enable_dummy_dns ? "old.${local.fqdn}" : local.fqdn
   extra_fqdn                = var.extra_fqdn
   allowed_inbound_cidr      = var.allowed_inbound_cidr
   allowed_inbound_ipv6_cidr = var.allowed_inbound_ipv6_cidr
@@ -183,62 +184,86 @@ module "redis" {
   kms_key_arn = local.kms_key_arn
 }
 
-# Comming soon!
-# module "wandb" {
-#   source  = "wandb/wandb/helm"
-#   version = "1.2.0"
-
-#   depends_on = [
-#     module.database,
-#     module.app_eks,
-#     module.redis,
-#   ]
-
-#   operator_chart_version = "1.1.0"
-#   controller_image_tag   = "1.10.1"
-
-#   spec = {
-#     values = {
-#       global = {
-#         host    = local.url
-#         license = var.license
-
-#         bucket = {
-#           provider = "s3"
-#           name     = local.bucket_name
-#           region   = data.aws_s3_bucket.file_storage.region
-#           kmsKey   = local.kms_key_arn
-#         }
-
-#         mysql = {
-#           host     = module.database.endpoint
-#           password = module.database.password
-#           username = module.database.username
-#           database = module.database.database_name
-#           port     = module.database.port
-#         }
-
-#         redis = {
-#           host = module.redis.0.host
-#           port = "${module.redis.0.port}?tls=true"
-#         }
-#       }
-
-#       ingress = {
-#         class = "alb"
-
-#         annotations = {
-#           "alb.ingress.kubernetes.io/load-balancer-name" = "${var.namespace}-alb-k8s"
-#           "alb.ingress.kubernetes.io/inbound-cidrs"      = "0.0.0.0/0"
-#           "alb.ingress.kubernetes.io/scheme"             = "internet-facing"
-#           "alb.ingress.kubernetes.io/target-type"        = "ip"
-#           "alb.ingress.kubernetes.io/listen-ports"       = "[{\\\"HTTPS\\\": 443}]"
-#           "alb.ingress.kubernetes.io/certificate-arn"    = local.acm_certificate_arn
-#         }
-#       }
-
-#       mysql = { install = false }
-#       redis = { install = false }
-#     }
-#   }
-# }
+locals {
+  max_lb_name_length = 32 - length("-alb-k8s")
+  lb_name_truncated  = "${substr(var.namespace, 0, local.max_lb_name_length)}-alb-k8s"
+}
+
+module "wandb" {
+  source  = "wandb/wandb/helm"
+  version = "1.2.0"
+
+  depends_on = [
+    module.database,
+    module.app_eks,
+    module.redis,
+  ]
+  operator_chart_version = "1.1.0"
+  controller_image_tag   = "1.10.1"
+
+  spec = {
+    values = {
+      global = {
+        host    = local.url
+        license = var.license
+
+        extraEnv = var.other_wandb_env
+
+        bucket = {
+          provider = "s3"
+          name     = local.bucket_name
+          region   = data.aws_s3_bucket.file_storage.region
+          kmsKey   = local.use_external_bucket ? var.bucket_kms_key_arn : local.kms_key_arn
+        }
+
+        mysql = {
+          host     = module.database.endpoint
+          password = module.database.password
+          user     = module.database.username
+          database = module.database.database_name
+          port     = module.database.port
+        }
+
+        redis = {
+          host = module.redis.0.host
+          port = "${module.redis.0.port}?tls=true&ttlInSeconds=604800"
+        }
+      }
+
+      ingress = {
+        class = "alb"
+
+        annotations = {
+          "alb.ingress.kubernetes.io/load-balancer-name"             = local.lb_name_truncated
+          "alb.ingress.kubernetes.io/inbound-cidrs"                  = <<-EOF
+            ${join("\\,", var.allowed_inbound_cidr)}
+          EOF
+          "external-dns.alpha.kubernetes.io/hostname"                = var.enable_operator_alb ? local.fqdn : ""
+          "external-dns.alpha.kubernetes.io/ingress-hostname-source" = "annotation-only"
+          "alb.ingress.kubernetes.io/scheme"                         = "internet-facing"
+          "alb.ingress.kubernetes.io/target-type"                    = "ip"
+          "alb.ingress.kubernetes.io/listen-ports"                   = "[{\\\"HTTPS\\\": 443}]"
+          "alb.ingress.kubernetes.io/certificate-arn"                = local.acm_certificate_arn
+        }
+      }
+
+      app = var.enable_operator_alb ? {} : {
+        extraEnv = {
+          "GORILLA_GLUE_LIST" = "true"
+        }
+      }
+
+      mysql = { install = false }
+      redis = { install = false }
+
+      weave = {
+        persistence = {
+          provider = "efs"
+          efs = {
+            fileSystemId = module.app_eks.efs_id
+          }
+        }
+      }
+    }
+  }
+}
diff --git a/modules/app_eks/efs.tf b/modules/app_eks/efs.tf
@@ -0,0 +1,42 @@
+resource "random_pet" "efs" {
+  length = 2
+}
+
+resource "aws_efs_file_system" "storage_class" {
+  creation_token   = "${var.namespace}-${random_pet.efs.id}"
+  encrypted        = true
+  performance_mode = "generalPurpose"
+  throughput_mode  = "elastic"
+}
+
+resource "aws_efs_backup_policy" "storage_class" {
+  file_system_id = aws_efs_file_system.storage_class.id
+
+  backup_policy {
+    status = "DISABLED"
+  }
+}
+
+resource "aws_security_group" "storage_class_nfs" {
+  name        = "${var.namespace}-${random_pet.efs.id}"
+  description = "Security group for NFS traffic"
+  vpc_id      = var.network_id
+}
+
+resource "aws_security_group_rule" "nfs_ingress" {
+  description              = "NFS inbound"
+  type                     = "ingress"
+  from_port                = 2049
+  to_port                  = 2049
+  protocol                 = "tcp"
+  security_group_id        = aws_security_group.storage_class_nfs.id
+  source_security_group_id = aws_security_group.primary_workers.id
+}
+
+resource "aws_efs_mount_target" "storage_class" {
+  for_each = { for index, subnet in var.network_private_subnets : index => subnet }
+
+  file_system_id  = aws_efs_file_system.storage_class.id
+  subnet_id       = each.value
+  security_groups = [aws_security_group.storage_class_nfs.id]
+}
diff --git a/modules/app_eks/external_dns/external_dns.tf b/modules/app_eks/external_dns/external_dns.tf
@@ -21,12 +21,19 @@ resource "helm_release" "external_dns" {
   }
 
   set {
-    name = "domainFilters[0]"
+    name  = "domainFilters[0]"
     value = var.fqdn
   }
 
+  set {
+    name  = "policy"
+    value = "sync"
+  }
+
   set {
     name  = "serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"
     value = aws_iam_role.default.arn
   }
-}
+
+
+}
diff --git a/modules/app_eks/external_dns/variables.tf b/modules/app_eks/external_dns/variables.tf
@@ -1,5 +1,5 @@
 variable "namespace" {
-   type = string
+  type = string
 }
 
 variable "oidc_provider" {

diff --git a/modules/app_eks/iam-policy-docs.tf b/modules/app_eks/iam-policy-docs.tf
@@ -68,7 +68,7 @@ data "aws_iam_policy_document" "secrets_manager" {
       "secretsmanager:GetSecretValue",
       "secretsmanager:DeleteSecretVersion"
     ]
-    effect  = "Allow"
+    effect    = "Allow"
     resources = ["arn:aws:secretsmanager:*:${data.aws_caller_identity.current.account_id}:secret:${var.namespace}*"]
   }
 }
diff --git a/modules/app_eks/iam-role-attachments.tf b/modules/app_eks/iam-role-attachments.tf
@@ -43,6 +43,11 @@ resource "aws_iam_role_policy_attachment" "eks_cni" {
   policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
 }
 
+resource "aws_iam_role_policy_attachment" "eks_efs" {
+  role       = aws_iam_role.node.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEFSCSIDriverPolicy"
+}
+
 resource "aws_iam_role_policy_attachment" "eks_worker_node" {
   role       = aws_iam_role.node.name
   policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"

diff --git a/modules/app_eks/lb_controller/controller.tf b/modules/app_eks/lb_controller/controller.tf
@@ -3,7 +3,7 @@ resource "helm_release" "aws_load_balancer_controller" {
   repository = "https://aws.github.io/eks-charts"
   chart      = "aws-load-balancer-controller"
   namespace  = "kube-system"
-  version    = "1.6.1"
+  version    = "1.6.2"
 
   set {
     name  = "clusterName"

diff --git a/modules/app_eks/lb_controller/variables.tf b/modules/app_eks/lb_controller/variables.tf
@@ -1,5 +1,5 @@
 variable "namespace" {
-   type = string
+  type = string
 }
 
 variable "oidc_provider" {

diff --git a/modules/app_eks/main.tf b/modules/app_eks/main.tf
@@ -4,17 +4,15 @@ locals {
   mysql_port         = 3306
   redis_port         = 6379
   encrypt_ebs_volume = true
-}
-
 
-locals {
   managed_policy_arns = concat([
     "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
     "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
     "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
   ], var.eks_policy_arns)
 }
 
+
 module "eks" {
   source  = "terraform-aws-modules/eks/aws"
   version = "~> 17.23"