Migrate AWS CI to new AWS account #1287

Open
mjnagel opened this issue Feb 14, 2025 · 3 comments
mjnagel commented Feb 14, 2025

The current AWS account used for the nightly RKE2 and EKS CI should not be used anymore. Instead we should move to a new account provisioned through the new account management (Spacelift).

Note that there are a few resources in the current account that we will need to create in a new account (primarily state-related items like a state bucket and DynamoDB table, as well as any OIDC connections to enable AWS access from uds-core CI).

Definition of done:

  • New account created using the new provisioning process (named/scoped specifically to uds-core-ci)
  • Account access provided for UDS Core developers to debug/look into CI issues
  • Any AWS resources necessary for IAC CI created in the new account (bucket, dynamodb, iam, etc)
  • Secrets/variables updated in uds-core to use the new account
  • All IAC CI passing (EKS/RKE2 are the two that run in AWS)

AWS "nuke"/cleanup would be nice to have but can be completed as follow-ons unless easy to set up throughout the process. The old account SHOULD NOT be deleted yet as other repositories/teams may be leveraging this account still.

mjnagel commented Feb 14, 2025

https://www.notion.so/Spacelift-Cloud-IAC-Knowledge-Base-13ee512f24fc80b19f6dfdffc2034838 should be helpful here from our internal knowledge base as well as the Infra engineers.

@joelmccoy
Contributor

Happy to help with this. Here are some broken-down, high-level steps I would recommend:

  1. Create a directory in the uds-core repo that will hold the static infra for the CI AWS account. You could probably steal code from here
  2. Create an AWS Account by adding a config here that links the directory created in 1 to this AWS account
  3. Update secrets in uds-core to point to the new OIDC roles, state buckets, and lock table created in 1

We don't have a nuke workflow set up, but I am thinking we could create a workflow in Spacelift to run nuke for specific accounts. Created an issue for that here. Should be a relatively easy lift to implement.

mjnagel commented Feb 14, 2025

@noahpb called out that the RKE2 AMIs we use would need to be shared and/or that CI moved to this account as well.
