Reduce setup options to only CloudFormation stacks

.github/workflows/tofu-checks.yaml

@@ -0,0 +1,33 @@
+name: OpenTofu checks
+on:
+  push:
+
+jobs:
+  tofu_checks:
+    name: OpenTofu checks
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: opentofu/setup-opentofu@592200bd4b9bbf4772ace78f887668b1aee8f716 # v1.0.5
+        with:
+          tofu_version: 1.8.7
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Checks
+        run: |
+          set -eu
+
+          for d in admin-role capa-controller-role; do (
+              cd "${d}"
+
+              echo "Initializing Tofu for ${d}"
+              tofu init
+
+              echo "Validating Tofu code for ${d}"
+              tofu validate -no-color
+
+              echo "Formatting Tofu code for ${d}"
+              tofu fmt
+              echo "Checking differences in Tofu code formatting for ${d}"
+              git diff --exit-code || { >&2 echo "Tofu code isn't formatted, please run 'tofu fmt'"; exit 1; }
+          ); done

CHANGELOG.md

@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Changed
+
+- Reduce setup options to only CloudFormation stacks
+
 ## [4.3.1] - 2024-12-18
 
 ### Changed

README.md

@@ -1,129 +1,34 @@
 # giantswarm-aws-account-prerequisites
 
-This repo contains Cloud Formation templates and Terraform modules to prepare AWS accounts to run Giant Swarm clusters.
-
-# Cluster API
+This repo contains Cloud Formation templates to prepare AWS accounts for running Giant Swarm clusters based on Cluster API Provider for AWS (CAPA).
 
 ## Before starting
 
-Make sure to adjust AWS account limits according to [these docs](https://docs.giantswarm.io/getting-started/cloud-provider-accounts/cluster-api/aws/#limits).
-
-For Cluster API take a look at these two modules in this repository:
-
-1. [admin-role](./admin-role) which creates a role and a policy for our staff to be able to operate the infrastructure created by our automation in case of failures.
-2. [capa-controller-role](./capa-controller-role) which creates the role and policies that the controllers assume to create and manage the kubernetes clusters.
+Make sure to adjust AWS account limits according to [these docs](https://docs.giantswarm.io/getting-started/prepare-your-provider-infrastructure/aws/#quotas). Then please create the admin role for Giant Swarm staff access, as shown below.
 
 ## 1. admin-role
 
-For all AWS accounts part of the platform  Giant Swarm staff need to have access in order to debug and
-manage and operate the infrastructure. To do so, please use one of the following methods to create the necessary role and policy in your AWS account.
-
-### AWS CloudFormation template
+In all AWS accounts where you plan to run a management cluster and workload clusters, Giant Swarm staff need to have access in order to manage, operate and troubleshoot the infrastructure.
 
-You can execute the CloudFormation template directly by clicking [the admin role stack template](https://eu-central-1.console.aws.amazon.com/cloudformation/home?region=eu-central-1#/stacks/quickcreate?templateURL=https://cf-templates-giantswarm.s3.eu-central-1.amazonaws.com/admin-role/cloud-formation-template.yaml&stackName=GiantSwarmAdminRoleBootstrap&&param_AdminRoleName=GiantSwarmAdmin) or uploading the [template file](./admin-role/cloud-formation-template.yaml) when creating a new stack in the AWS console.
-
-You will be asked for the following parameters:
-
-- `AdminRoleName`: The name of the role that will be created. Default is `GiantSwarmAdmin`. You dont need to change this unless you have a specific requirement.
+Therefore, please create the admin CloudFormation stack in each of those accounts. That can be done either from our [admin role stack template (direct link to AWS Console dialog)](https://eu-central-1.console.aws.amazon.com/cloudformation/home?region=eu-central-1#/stacks/quickcreate?templateURL=https://cf-templates-giantswarm.s3.eu-central-1.amazonaws.com/admin-role/cloud-formation-template.yaml&stackName=GiantSwarmAdminRoleBootstrap&&param_AdminRoleName=GiantSwarmAdmin), or by uploading the [admin role stack definition file](./admin-role/cloud-formation-template.yaml) when creating a new stack in the AWS console.
 
 Review the changes and click `Create stack`. In case of any error, please check the `Events` tab in the CloudFormation console and report the error to the Giant Swarm staff.
 
-### Terraform
-
-#### Requirements
-
-- `terraform` installed
-- working AWS credentials set to the desired target account
-- AWS region has to be set  either via aws profile or via env `AWS_REGION`
-
-### Adjust variables
-
-- `admin_role_name` - can be adjusted to be more strict and specify role name. You dent need to change this unless you have a specific requirement.
-
-### Execution
-
-```
-terraform init
-terraform apply -var="admin_role_name=GiantSwarmAdmin
-```
-
-The created role ARN needs to be supplied to Giant Swarm.
-
 ## 2. capa-controller-role
 
-In the AWS account where you plan to run the management cluster, you need to create a role that the Cluster API controllers will assume to create and manage workload clusters and all infrastructure resources.
-
-### AWS CloudFormation template
-
-You can execute directly the CloudFormation template by clicking the [capa controller role stack template](https://eu-central-1.console.aws.amazon.com/cloudformation/home?region=eu-central-1#/stacks/quickcreate?templateURL=https://cf-templates-giantswarm.s3.eu-central-1.amazonaws.com/capa-controller-role/cloud-formation-template.yaml&stackName=CAPAControllerRoleBootstrap&param_InstallationName=CHANGE_THIS_FOR_THE_INSTALLATION_NAME&param_ManagementClusterOidcProviderDomain=MANAGEMENT_CLUSTER_OIDC_PROVIDER_DOMAIN) or uploading the [template file](./capa-controller-role/cloud-formation-template.yaml) when creating a new stack in the AWS console.
-
-You will be asked for the following parameters:
-
-- `InstallationName`: the name of the installation which you have agreed with Giant Swarm upfront.
-- `ManagementClusterOidcProviderDomain`: the domain name used by the MC OIDC provider. Normally `irsa.<cluster-base-domain>`.
-- `ByoVpc` (optional - defaults to `false`): if `true`, the CAPA role will be created without the permissions needed to manage VPCs
-
-Review the changes and click `Create stack`. In case of any error, please check the `Events` tab in the CloudFormation console and report the error to the Giant Swarm staff.
-
-### Terraform
-
-#### Requirements
-
-- `terraform` installed
-- working AWS credentials set to the desired target account
-- AWS region has to be set  either via aws profile or via env `AWS_REGION`
-
-### Adjust variables
-
-- `installation_name`: the name of the installation which you have agreed with Giant Swarm upfront.
-- `management_cluster_oidc_provider_domain`: the domain name used by the MC OIDC provider. Normally `irsa.<cluster-base-domain>`.
-- `byovpc` (optional - defaults to `false`): if `true`, the CAPA role will be created without the permissions needed to manage VPCs
-
-### Execution
-
-```
-terraform init
-terraform apply -var="installation_name=test" -var="management_cluster_oidc_provider_domain=irsa.test.gaws.gigantic.io"
-```
-
-### Import existing resources
-
-To update the policies of an existing role, you can run Terraform with the extra variable `import_existing=true` to import the resources into the state:
-
-```
-terraform init
-terraform apply -var="installation_name=test" -var="management_cluster_oidc_provider_domain=irsa.test.gaws.gigantic.io" -var="import_existing=true"
-```
-
-## AWS cli
-
-### Requirements
+In the AWS account where you plan to run the management cluster, you need to create a role that the Cluster API Provider AWS (CAPA) controller will assume to create and manage workload clusters and all infrastructure resources.
 
-- `awscli` installed
-- `jq` installed
-- working AWS credentials set to the desired target account
-- located on the `capa-controller-role` directory of this git repo
-- user `${INSTALLATION}-capa-controller` created in GiantSwarm root account `084190472784`
+The same applies to all accounts where CAPA should be able to create workload clusters, since they don't necessarily need to run in the same account as your management cluster. The `AWSClusterRoleIdentity` objects on the management cluster define in which accounts you want to create workload clusters.
 
-### Setup
+**Once the admin role is created (see above), Giant Swarm staff takes over creating and maintaining the CloudFormation stack for each of your desired accounts and there is no further action needed by customers. Only if for some reason, you want to manage them yourself**, you can use these instructions:
 
-```
-export INSTALLATION_NAME=test
-export MANAGEMENT_CLUSTER_OIDC_PROVIDER_DOMAIN=irsa.test.gaws.gigantic.io
-# Optional: only set to true if this installation is going to be used exclusively to create WCs on existing VPCs and subnets
-# export BYOVPC=true
-# Optional: only set this to aws-cn if the installation is in China
-# export AWS_PARTITION=aws-cn
-chmod +x setup.sh
-./setup.sh
-```
+- Creation: Log into the right account in AWS Console, choose your desired region and create the CloudFormation stack from our [capa-controller-role stack template (direct link to AWS Console dialog)](https://eu-central-1.console.aws.amazon.com/cloudformation/home?region=eu-central-1#/stacks/quickcreate?templateURL=https://cf-templates-giantswarm.s3.eu-central-1.amazonaws.com/capa-controller-role/cloud-formation-template.yaml&stackName=CAPAControllerRoleBootstrap&param_InstallationName=CHANGE_THIS_FOR_THE_INSTALLATION_NAME&param_ManagementClusterOidcProviderDomain=MANAGEMENT_CLUSTER_OIDC_PROVIDER_DOMAIN). Alternatively, you can upload the [capa-controller-role stack definition file](./capa-controller-role/cloud-formation-template.yaml) in this repository.
 
-__warning__: You may need to modify the `trusted-entities.json` to use `aws-cn` in the `Principal` field when using the China region.
+  You will be asked for the following parameters:
 
-### Cleanup
+  - `InstallationName`: the name of the installation which you have agreed with Giant Swarm upfront.
+  - `ByoVpc` (optional - defaults to `false`): if `true`, the CAPA role will be created without the permissions needed to manage VPCs. Turn this on if you only want to create clusters in VPCs that you have already created, without requiring CAPA to create or manage VPCs and its networking resources (like NAT/internet gateways, subnets, etc.).
+  - `ManagementClusterOidcProviderDomain`: the domain name used by the MC OIDC provider. Normally `irsa.<cluster-base-domain>`.
 
-```
-export INSTALLATION_NAME=test
-chmod +x cleanup.sh
-./cleanup.sh
-```
+  Review the changes and click `Create stack`. In case of any error, please check the `Events` tab in the CloudFormation console and report the error to the Giant Swarm staff.
+- Update: Select the CloudFormation stack in AWS Console, then `Update > Replace existing template` and use the latest released definition `https://cf-templates-giantswarm.s3.eu-central-1.amazonaws.com/capa-controller-role/cloud-formation-template.yaml` as source (or the [stack definition file](./capa-controller-role/cloud-formation-template.yaml) in this repository).

admin-role/admin-role.tf

@@ -0,0 +1,19 @@
+variable "gs_user_account" {
+  type        = string
+  description = "Account of Giant Swarm IAM users (`084190472784`, except for China)"
+  default     = "084190472784"
+
+  validation {
+    condition     = can(regex("^[0-9]{12}$", var.gs_user_account))
+    error_message = "AWS account ID must consist of exactly 12 digits"
+  }
+}
+
+resource "aws_cloudformation_stack" "giantswarm_admin" {
+  name          = "GiantSwarmAdminRoleBootstrap"
+  template_body = file("${path.module}/cloud-formation-template.yaml")
+
+  parameters = {
+    GiantSwarmUserAccount = var.gs_user_account
+  }
+}

admin-role/cloud-formation-template.yaml

@@ -2,21 +2,24 @@ AWSTemplateFormatVersion: '2010-09-09'
 Description: CloudFormation template for bootstrapping the admin role in your AWS account.
 
 Parameters:
-  AdminRoleName:
+  GiantSwarmUserAccount:
     Type: String
-    Default: "GiantSwarmAdmin"
+    Description: "Account of Giant Swarm IAM users (`084190472784`, except for China). Assumed to be in the same partition as the CloudFormation stack account (`aws`, or `aws-cn` for China)."
+    Default: "084190472784"
+    # No `AllowedValues` here, since we don't publish the identifiers of other accounts
+    AllowedPattern: "^[0-9]{12}$"
 
 Resources:
   GiantSwarmAdminRole:
     Type: "AWS::IAM::Role"
     Properties:
-      RoleName: !Ref AdminRoleName
+      RoleName: GiantSwarmAdmin
       AssumeRolePolicyDocument:
         Version: '2012-10-17'
         Statement:
           - Effect: "Allow"
             Principal:
-              AWS: "arn:aws:iam::084190472784:root"
+              AWS: !Sub "arn:${AWS::Partition}:iam::${GiantSwarmUserAccount}:root"
             Action: "sts:AssumeRole"
 
   GiantSwarmAdminPolicy: