From df514bd437e5af0bedb11a3da8860c8aeaccc78c Mon Sep 17 00:00:00 2001
From: Micah Nagel
Date: Tue, 24 Sep 2024 15:52:14 -0600
Subject: [PATCH] fix: eks iac issues, document storage class pre-reqs (#812)

## Description

EBS impose a 1Gi size limitation on restored PVCs. This adds a short note to pre-reqs about checking CSI limitations. While testing with our EKS IAC I also discovered a few other issues:
- IRSA annotations were not correct
- Config did not properly variablize region
- Config had an unmatched `"` around one of the values
- Gitignore did not exclude terraform/tfstate files that shouldn't be committed

## Related Issue

Fixes https://github.com/defenseunicorns/uds-core/issues/718

## Type of change

- [x] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)

## Checklist before merging

- [x] Test, docs, adr added or updated as needed
- [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed
---
 .github/bundles/uds-bundle.yaml | 4 ++--
 .gitignore | 3 +++
 docs/deployment/prerequisites.md | 4 +++-
 tasks/iac.yaml | 4 ++--
 4 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/.github/bundles/uds-bundle.yaml b/.github/bundles/uds-bundle.yaml
index 0d9c226a5..ece96b5ec 100644
--- a/.github/bundles/uds-bundle.yaml
+++ b/.github/bundles/uds-bundle.yaml
@@ -27,7 +27,7 @@ packages:
               path: credentials.useSecret
             - name: VELERO_IRSA_ANNOTATION
               description: "IRSA ARN annotation to use for Velero"
-              path: serviceAccount.server.annotations.irsa/role-arn
+              path: serviceAccount.server.annotations.eks\.amazonaws\.com/role-arn
       loki:
         loki:
           values:
@@ -52,4 +52,4 @@ packages:
               path: loki.storage.s3.region
             - name: LOKI_IRSA_ANNOTATION
               description: "The irsa role annotation"
-              path: serviceAccount.annotations.irsa/role-arn
+              path: serviceAccount.annotations.eks\.amazonaws\.com/role-arn
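Review bot: The description next to the corrected Loki path, `"The irsa role annotation"`, is vaguer than the Velero one and does not say that the value must be a full IAM role ARN, which is what the `eks.amazonaws.com/role-arn` key the path now targets expects; I'd change it to `description: "IRSA role ARN annotation to use for Loki"` so both variables read the same way. The backslash-escaped dots in `serviceAccount.annotations.eks\.amazonaws\.com/role-arn` appear intended to keep the override path from being split on the dots inside the annotation key, and nothing in the file says so; a one-line comment above each of the two path lines, `# dots inside the annotation key are escaped so the path is not split into nested keys`, would stop the next reader from "simplifying" it back to a form the commit is removing. The enclosing `packages` entry starts before the hunk.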
diff --git a/.gitignore b/.gitignore
index 218f55004..ad3474a0f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -15,3 +15,6 @@ tmp-tasks.yaml
 cacert.b64
 run/
 extract-terraform.sh
+**/.terraform*
+cluster-config.yaml
+**.tfstate
diff --git a/docs/deployment/prerequisites.md b/docs/deployment/prerequisites.md
index fdbc2fb3e..ddc8e038e 100644
--- a/docs/deployment/prerequisites.md
+++ b/docs/deployment/prerequisites.md
@@ -45,9 +45,11 @@ Several UDS Core components require persistent volumes that will be provisioned
 ```console
 ❯ kubectl get storageclass
 NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE
-local-path (default) rancher.io/local-path Delete WaitForFirstConsumer false 55s
+local-path (default) rancher.io/local-path Delete WaitForFirstConsumer true 55s
 ```
 
+It’s generally beneficial if your storage class supports volume expansion (set `allowVolumeExpansion: true`, provided your provisioner allows it). This enables you to resize volumes when needed. Additionally, be mindful of any size restrictions imposed by your provisioner. For instance, EBS volumes have a minimum size of 1Gi, which could lead to unexpected behavior, especially during Velero’s CSI backup and restore process. These constraints may also necessitate adjustments to default PVC sizes, such as Keycloak’s PVCs, which default to 512Mi in `devMode`.
+
 #### Network Policy Support
 
 The UDS Operator will dynamically provision network policies to secure traffic between components in UDS Core. To ensure these are effective, validate that your CNI supports enforcing network policies. In addition, UDS Core makes use of some CIDR based policies for communication with the KubeAPI server. If you are using Cilium, support for node addressability with CIDR based policies must be enabled with a [feature flag](https://docs.cilium.io/en/stable/security/policy/language/#selecting-nodes-with-cidr-ipblock).
diff --git a/tasks/iac.yaml b/tasks/iac.yaml
index a5d4b8f74..f13e2d4e4 100644
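Review bot: `**/.terraform*` also matches `.terraform.lock.hcl`, the provider lock file that is normally committed so provider versions and hashes stay pinned, while `**.tfstate` still lets `terraform.tfstate.backup` through even though the backup carries the same credentials and resource details as the state file it shadows. I'd narrow the first pattern to `**/.terraform/` and widen the second to `*.tfstate*`, which excludes the working directory and every state and backup file but leaves the lock file trackable. If the lock file is deliberately not committed in this repo, keep the broad pattern but add a comment above it saying so, e.g. `# .terraform.lock.hcl is intentionally not committed`, so the exclusion is not read as an accident.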
--- a/tasks/iac.yaml
+++ b/tasks/iac.yaml
@@ -25,7 +25,7 @@ tasks:
           metadata:
             name: ${CLUSTER_NAME}
-            region: us-west-2
+            region: ${REGION}
             version: "1.30"
             tags:
               PermissionsBoundary: ${PERMISSIONS_BOUNDARY_NAME}
@@ -148,7 +148,7 @@ tasks:
             loki_s3_region: ${LOKI_S3_AWS_REGION}
             loki_irsa_annotation: "${LOKI_S3_ROLE_ARN}"
             velero_use_secret: false
-            velero_irsa_annotation: ${VELERO_S3_ROLE_ARN}"
+            velero_irsa_annotation: "${VELERO_S3_ROLE_ARN}"
             velero_bucket: ${VELERO_S3_BUCKET}
             velero_bucket_region: ${VELERO_S3_AWS_REGION}
             velero_bucket_provider_url: ""
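Review bot: `region: ${REGION}` is left unquoted while the neighbouring `version: "1.30"` and the ARN values in the second hunk are quoted; if `REGION` is unset or empty the rendered line becomes a null `region:` rather than an empty string, and how eksctl handles that is not visible from the hunk. I'd write `region: "${REGION}"` to match the surrounding style, and if this substitution is done by a shell heredoc rather than the task runner (cannot tell from the hunk) `region: "${REGION:?REGION must be set}"` so the task fails before a cluster is created in whatever region the tooling falls back to. The enclosing command block starts before the hunk.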
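Review bot: The quoting fix on `velero_irsa_annotation` is not carried to its siblings `velero_bucket: ${VELERO_S3_BUCKET}` and `velero_bucket_region: ${VELERO_S3_AWS_REGION}`, which remain unquoted and render as null when the variable is empty; quoting them the same way, `velero_bucket: "${VELERO_S3_BUCKET}"`, keeps the values block consistent. A caveat worth a comment above the two IRSA lines: if `VELERO_S3_ROLE_ARN` or `LOKI_S3_ROLE_ARN` expands to an empty string the service account still gets an `eks.amazonaws.com/role-arn: ""` annotation, and depending on how the pod identity webhook treats an empty value the pod may fall back to the node instance role's credentials rather than fail, which is a silent change of privilege that only a non-empty check on the variables would catch. Something like `# role ARNs must be non-empty; an empty annotation does not fail closed` is enough. The values block continues past the hunk.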