sync: stage to production (#1650)

sync-branches: New code has just landed in stage, so let's bring
production up to speed!

.gitattributes

@@ -0,0 +1 @@
+internal/dinosaur/pkg/api/admin/private/api/openapi.yaml linguist-generated

.github/workflows/deploy-data-plane.yaml

@@ -18,10 +18,6 @@ on:
         description: 'Name of the environment defined in GitHub.'
         required: true
         type: string
-      deploy_clusters:
-        description: 'Names of clusters to deploy to, space separated.'
-        required: true
-        type: string
       probe_clusters:
         description: 'Name of clusters to deploy probe to, space separated.'
         required: true
@@ -34,45 +30,8 @@ on:
 
 env:
   HELM_DRY_RUN: ${{ inputs.dry_run }}
-  # Credentials are populated by explicit `configure-aws-credentials` jobs in
-  # the workflow, so loading additional credentials in the terraform_cluster.sh
-  # script is not necessary.
-  AWS_AUTH_HELPER: none
 
 jobs:
-  terraform:
-    name: Re-terraform ${{ inputs.acs_environment }} clusters
-    runs-on: ubuntu-latest
-    permissions:
-      id-token: write
-      contents: read
-    environment: ${{ inputs.github_environment }}
-    steps:
-      - name: Set up Go 1.20
-        uses: actions/setup-go@v3
-        with:
-          go-version: "1.20"
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0  # Critical for correct image detection in deploy script
-      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v1-node16
-        with:
-          aws-region: ${{ secrets.AWS_REGION }}
-          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/github
-      - name: Run terraforming on ${{ inputs.deploy_clusters }}
-        working-directory: ./dp-terraform/helm/rhacs-terraform
-        run: |
-          set -euo pipefail
-          # shellcheck disable=SC2043
-          for cluster in ${{ inputs.deploy_clusters }}
-          do
-            echo "Running script terraform_cluster.sh on ${cluster}"
-            ./terraform_cluster.sh ${{ inputs.acs_environment }} "${cluster}"
-            echo "Script terraform_cluster.sh on ${cluster} succeeded"
-          done
-
   deploy-probe:
     name: Deploy blackbox monitoring probe service to ${{ inputs.acs_environment }}
     runs-on: ubuntu-latest

.github/workflows/deploy-dev.yaml

@@ -17,6 +17,5 @@ jobs:
     with:
       acs_environment: dev
       github_environment: development
-      deploy_clusters: ""
       probe_clusters: "acs-dev-dp-01"
       dry_run: true

.github/workflows/deploy-integration.yaml

@@ -12,5 +12,4 @@ jobs:
     with:
       acs_environment: integration
       github_environment: integration
-      deploy_clusters: ""
       probe_clusters: "acs-int-us-01"

.github/workflows/deploy-production.yaml

@@ -12,5 +12,4 @@ jobs:
     with:
       acs_environment: prod
       github_environment: production
-      deploy_clusters: "acs-prod-dp-01 acs-prod-eu-01"
       probe_clusters: "acs-prod-dp-01 acs-prod-eu-01"

.github/workflows/deploy-stage.yaml

@@ -12,5 +12,4 @@ jobs:
     with:
       acs_environment: stage
       github_environment: stage
-      deploy_clusters: "acs-stage-dp-02 acs-stage-eu-02"
       probe_clusters: "acs-stage-dp-02 acs-stage-eu-02"

.secrets.baseline

@@ -351,7 +351,7 @@
         "filename": "internal/dinosaur/pkg/api/public/api/openapi.yaml",
         "hashed_secret": "5b455797b93de5b6a19633ba22127c8a610f5c1b",
         "is_verified": false,
-        "line_number": 1531
+        "line_number": 1535
       }
     ],
     "internal/dinosaur/pkg/services/dinosaurservice_moq.go": [

config/admin-authz-roles-dev.yaml

@@ -19,3 +19,8 @@
   roles:
     - "acs-general-engineering"
     - "acs-fleet-manager-admin-full"
+- method: PUT
+  roles:
+    - "acs-general-engineering"           # Will include all of ACS engineering. Available also within staging environment.
+    - "acs-fleet-manager-admin-full"      # Prod rover group, will only include selected members + SREs.
+    - "acs-fleet-manager-admin-write"     # Prod rover group, will only include selected members + SREs.

config/admin-authz-roles-prod.yaml

@@ -15,3 +15,7 @@
 - method: POST
   roles:
     - "acs-fleet-manager-admin-full"
+- method: PUT
+  roles:
+    - "acs-fleet-manager-admin-full"      # Prod rover group, will only include selected members + SREs.
+    - "acs-fleet-manager-admin-write"     # Prod rover group, will only include selected members + SREs.

dev/env/manifests/shared/03-configmap-config.yaml

@@ -223,6 +223,11 @@ data:
         - "acs-general-engineering"           # Will include all of ACS engineering. Available also within staging environment.
         - "acs-fleet-manager-admin-full"      # Prod rover group, will only include selected members + SREs.
         - "acs-fleet-manager-admin-write"     # Prod rover group, will only include selected members + SREs.
+    - method: PUT
+      roles:
+        - "acs-general-engineering"           # Will include all of ACS engineering. Available also within staging environment.
+        - "acs-fleet-manager-admin-full"      # Prod rover group, will only include selected members + SREs.
+        - "acs-fleet-manager-admin-write"     # Prod rover group, will only include selected members + SREs.
   admin-authz-roles-prod.yaml: |-
     ---
     - method: GET
@@ -241,6 +246,10 @@ data:
       roles:
         - "acs-fleet-manager-admin-full"      # Prod rover group, will only include selected members + SREs.
         - "acs-fleet-manager-admin-write"     # Prod rover group, will only include selected members + SREs.
+    - method: PUT
+      roles:
+        - "acs-fleet-manager-admin-full"      # Prod rover group, will only include selected members + SREs.
+        - "acs-fleet-manager-admin-write"     # Prod rover group, will only include selected members + SREs.
 kind: ConfigMap
 metadata:
   name: config

dp-terraform/helm/rhacs-terraform/README.md

@@ -4,14 +4,6 @@ Chart to terraform data plane OSD clusters.
 
 ## Usage
 
-**Preferred method for terraforming Stage and Prod data plane clusters**
-
-Run the script for your environment and cluster name:
-
-```bash
-./terraform_cluster.sh stage acs-stage-dp-01
-```
-
 **Prepare environment variables**
 
 The env var `FM_ENDPOINT` should point to an endpoint for the fleet manager. An option to use a fleet manager instance running in your laptop is to [setup ngrok](https://ngrok.com/docs/getting-started), launch the fleet manager, and run `ngrok http 8000` to expose it to the internet. That commands outputs an endpoint that you can use for `FM_ENDPOINT`.  

dp-terraform/helm/rhacs-terraform/charts/cloudwatch/templates/01-operator-03-config-map.yaml

@@ -40,3 +40,14 @@ data:
             - name: TransactionLogsDiskUsage
             - name: Deadlocks
             - name: BufferCacheHitRatio
+        - type: AWS/SES
+          regions:
+            - us-east-1
+          statistics:
+            - Sum
+          metrics:
+            - name: Delivery
+            - name: Send
+            - name: Bounce
+            - name: Reputation.BounceRate
+            - name: Reputation.ComplaintRate