sgibson91 · pull · Sep 22, 2024 · Sep 20, 2024 · Sep 20, 2024 · Sep 20, 2024
diff --git a/config/clusters/openscapes/support.values.yaml b/config/clusters/openscapes/support.values.yaml
@@ -31,12 +31,17 @@ grafana:
       - secretName: grafana-tls
         hosts:
           - grafana.openscapes.2i2c.cloud
-  serviceAccount:
-    annotations:
-      eks.amazonaws.com/role-arn: arn:aws:iam::783616723547:role/openscapeshub-grafana-athena-iam-role
   grafana.ini:
     server:
       root_url: https://grafana.openscapes.2i2c.cloud/
     auth.github:
       enabled: true
       allowed_organizations: 2i2c-org NASA-Openscapes
+
+aws-ce-grafana-backend:
+  enabled: true
+  envBasedConfig:
+    clusterName: openscapeshub
+  serviceAccount:
+    annotations:
+      eks.amazonaws.com/role-arn: arn:aws:iam::783616723547:role/aws_ce_grafana_backend_iam_role
diff --git a/helm-charts/aws-ce-grafana-backend/ce-test-config.yaml b/helm-charts/aws-ce-grafana-backend/ce-test-config.yaml
diff --git a/helm-charts/aws-ce-grafana-backend/mounted-files/README.md b/helm-charts/aws-ce-grafana-backend/mounted-files/README.md
@@ -1,17 +1,12 @@
 # About code files
 
-The code is meant to help serve grafana with JSON with cost related data,
-initially only from AWS.
+The code is meant to help serve grafana with JSON with cost related data from
+AWS Cost Explorer API. It doesn't doesn't rely to other k8s services, so it can
+deploy and be tested by itself.
 
-## De-coupled from other k8s services
-
-This software doesn't rely to other k8s services, so it can deploy and be tested
-by itself.
-
-## Bundling into Dockerfile vs. mounting in Helm chart
-
-By mounting the code files, development iterations running the code in k8s
-becomes faster.
+The code files in this folders are mounted instead of built into the image in
+order to quicken up development iterations running the code in k8s becomes
+faster.
 
 ## Development
 
@@ -29,31 +24,52 @@ python -m flask --app=webserver run --port=8080
 
 ### Testing Python changes in k8s
 
-This is currently being developed in the openscapes cluster. It depends on a k8s
+This was initially developed in the openscapes cluster. It depends on a k8s
 ServiceAccount coupled to an IAM Role there as well.
 
 The image shouldn't need to be rebuilt unless additional dependencies needs to
 be installed etc, so if you've only made code changes, you can do the following
 to re-deploy.
 
+During development, a procedure like below can be used to iterate faster than by
+using the deployer.
+
 ```bash
 deployer use-cluster-credentials openscapes
 
 cd helm-charts/aws-ce-grafana-backend
-helm upgrade --install --create-namespace -n ce-test --values ce-test-config.yaml ce-test .
+helm upgrade --install --create-namespace -n support --values my-test-config.yaml aws-ce-grafana-backend .
 
 # note that port-forward to a service is just a way to port-forward to a pod
 # behind the service, so you need to do the port-forwarding again if the pod
 # restarts.
-kubectl port-forward -n ce-test service/ce-test 8080:http
+kubectl port-forward -n support service/aws-ce-grafana-backend 8080:http
 
-# visit http://localhost:8080/aws
+# visit http://localhost:8080/total-costs and other urls
+```
+
+It assumes that you have a `my-test-config.yaml` file looking like this:
+
+```yaml
+serviceAccount:
+  annotations:
+    # can be setup via terraform by setting the variable
+    # enable_aws_ce_grafana_backend_iam = true
+    #
+    # note that the terraform managed IAM Role's assume policy is
+    # only granting a k8s ServiceAccount in "support" namespace
+    # named "aws-ce-grafana-backend" rights to assume it
+    #
+    eks.amazonaws.com/role-arn: arn:aws:iam::783616723547:role/aws_ce_grafana_backend_iam_role
+envBasedConfig:
+  # note that this must be the AWS EKS cluster resource name,
+  # not what we call the cluster
+  clusterName: openscapeshub
 ```
 
 ### Testing image changes in k8s
 
 ```bash
-
 cd helm-charts
 
 # before doing this: commit the image change, and stash other changes

diff --git a/helm-charts/aws-ce-grafana-backend/mounted-files/query.py b/helm-charts/aws-ce-grafana-backend/mounted-files/query.py
@@ -76,6 +76,8 @@ def query_hub_names(from_date, to_date):
     #     },
     # }
     #
+    # The empty string is replaced with "shared"
+    #
     hub_names = [t or "shared" for t in response["Tags"]]
     return hub_names
 

diff --git a/terraform/aws/aws-ce-grafana-backend-iam.tf b/terraform/aws/aws-ce-grafana-backend-iam.tf
@@ -13,11 +13,9 @@ resource "aws_iam_role" "aws_ce_grafana_backend_iam_role" {
         Federated = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${replace(data.aws_eks_cluster.cluster.identity[0].oidc[0].issuer, "https://", "")}"
       },
 
-      # FIXME: Below we have a string including ce-test:ce-test, it should be support:<k8s secret name>
-
       Condition = {
         StringEquals = {
-          "${replace(data.aws_eks_cluster.cluster.identity[0].oidc[0].issuer, "https://", "")}:sub" = "system:serviceaccount:ce-test:ce-test"
+          "${replace(data.aws_eks_cluster.cluster.identity[0].oidc[0].issuer, "https://", "")}:sub" = "system:serviceaccount:support:aws-ce-grafana-backend"
         }
       },
     }]

diff --git a/terraform/aws/grafana-athena-iam.tf b/terraform/aws/grafana-athena-iam.tf
diff --git a/terraform/aws/projects/openscapes.tfvars b/terraform/aws/projects/openscapes.tfvars
@@ -6,10 +6,7 @@ default_budget_alert = {
   "enabled" : false,
 }
 
-enable_grafana_athena_iam         = true
 enable_aws_ce_grafana_backend_iam = true
-athena_write_storage_bucket       = "openscapes-cost-usage-report"
-athena_read_storage_bucket        = "openscapes-2i2c-cur"
 
 # The initial EFS is now used by the prod hub only
 # So we tag it appropriately for costs purposes

diff --git a/terraform/aws/variables.tf b/terraform/aws/variables.tf
@@ -46,18 +46,6 @@ variable "user_buckets" {
 }
 
 
-variable "athena_write_storage_bucket" {
-  type        = string
-  description = "The name of the S3 bucket where Grafana query results from Athena will be stored"
-  default     = ""
-}
-
-variable "athena_read_storage_bucket" {
-  type        = string
-  description = "The name of the S3 bucket where Athena tables and data is stored"
-  default     = ""
-}
-
 variable "hub_cloud_permissions" {
   type = map(
     map(
@@ -297,15 +285,6 @@ variable "active_cost_allocation_tags" {
   EOT
 }
 
-variable "enable_grafana_athena_iam" {
-  type        = bool
-  default     = false
-  description = <<-EOT
-  Create an IAM role with attached policy to permit a connection between a
-  Grafana instance and AWS Athena service.
-  EOT
-}
-
 variable "enable_aws_ce_grafana_backend_iam" {
   type        = bool
   default     = false
-Original file line number
+Diff line change
@@ Expand Up / @@ -76,6 +76,8 @@ def query_hub_names(from_date, to_date): @@
         #     },
         # }
         #
+        # The empty string is replaced with "shared"
+        #
         hub_names = [t or "shared" for t in response["Tags"]]
         return hub_names
@@ Expand Down @@