Closed RothAndrew closed 1 year ago
https://github.com/defenseunicorns/delivery-aws-iac/issues/228#issuecomment-1542688138
Problem 1 - In AWS GovCloud, enable_efs=true does not provision a file system as intended due to permissions in the IAM policy attached to the EFS service account role.
Problem 2 - In AWS GovCloud, when a PVC is invoked by a pod the EFS file system policy does not allow an EFS access point to be created (could also be related to #1 but is a separate issue).
Feature Request: Add FIPS VPC endpoint for EFS and configure EFS to use it
After looking into this further:
Problem 1: The EFS service account isn't the entity that provisions the EFS file system; that is accomplished via the IAM role applying the Terraform (this occurs before the efs-csi-driver is provisioned). I suspect the bastion does not have sufficient IAM permissions to create an EFS file system (this was the role being used, when the errors occurred, to apply the EKS module where EFS is instantiated).
Problem 2: I suspect this is directly related to #1.
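As an added illustration of the feature request above (an interface VPC endpoint for the EFS FIPS service in GovCloud), here is a minimal Terraform fragment. It is not code from the delivery-aws-iac repository or from either commenter. The region, the variable names, and the `elasticfilesystem-fips` service name are assumptions; confirm the exact service name in your partition with `aws ec2 describe-vpc-endpoint-services --filters Name=service-name,Values='*elasticfilesystem*'` before applying.

```hcl
# Added example, not project code. Assumes an existing VPC with private
# subnets and a security group that allows TCP/443 from the EKS worker nodes.

variable "region" {
  description = "Assumption: GovCloud West"
  type        = string
  default     = "us-gov-west-1"
}

variable "vpc_id" {
  description = "Assumption: VPC that hosts the EKS cluster"
  type        = string
}

variable "private_subnet_ids" {
  description = "Assumption: private subnets where the endpoint ENIs are placed"
  type        = list(string)
}

variable "endpoint_sg_id" {
  description = "Assumption: security group permitting 443 from the nodes"
  type        = string
}

resource "aws_vpc_endpoint" "efs_fips" {
  vpc_id = var.vpc_id

  # Assumption: the FIPS-validated EFS API service name in the GovCloud partition.
  service_name      = "com.amazonaws.${var.region}.elasticfilesystem-fips"
  vpc_endpoint_type = "Interface"

  subnet_ids         = var.private_subnet_ids
  security_group_ids = [var.endpoint_sg_id]

  # With private DNS on, the FIPS hostname for EFS resolves to the endpoint ENIs,
  # so API traffic stays inside the VPC instead of traversing the public internet.
  private_dns_enabled = true

  tags = {
    Name = "efs-fips-endpoint"
  }
}
```

Creating the endpoint is only half of "configure EFS to use it": the efs-csi-driver's AWS SDK calls reach this endpoint only when they target the FIPS hostname. One way to do that, under the assumption that the driver's SDK honors the standard setting, is to set `AWS_USE_FIPS_ENDPOINT=true` in the controller's environment; verify with the driver's own documentation for your version.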
Persona
A user of this terraform code that uses AWS GovCloud
Description
Stuff that works fine in AWS Commercial doesn't work in GovCloud. See #228
Use Case
GovCloud is where most of our real customers will be using this work
Impact
The pipeline will continue to be non-definitive for any user that is using GovCloud instead of Commercial
Completion
The same test suite that is currently being run in AWS Commercial is also run in AWS GovCloud
Additional Context