search

vmware-tanzu / velero

Backup and migrate Kubernetes applications and their persistent volumes
https://velero.io
Apache License 2.0
8.55k stars 1.38k forks source link

issue with aws terraform and velero module help me please #8036

Open torimono opened 1 month ago

torimono commented 1 month ago

i create velero for my eks on aws with terraform : here is my terra file for velero

Obtenir l'ID du cluster EKS

data "aws_eks_cluster" "cluster" {
  name = module.eks.cluster_name
  depends_on = [ module.eks ]
}

Obtenir l'ID du fournisseur OIDC pour EKS

data "aws_eks_cluster_auth" "cluster_auth" {
  name = module.eks.cluster_name
  depends_on = [ module.eks ]

}

Obtenir l'ID du compte AWS actuel

data "aws_caller_identity" "current" {}

Obtenir la région AWS actuelle

data "aws_region" "current" {}

Définir le rôle IAM avec la politique d'assumption pour OIDC

resource "aws_iam_role" "velero_role" {
  name = "velero"

  assume_role_policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Effect = "Allow",
        Principal = {
          Federated = module.eks.oidc_provider_arn
        },
        Action = "sts:AssumeRoleWithWebIdentity",
        Condition = {
          StringEquals = {
            "${module.eks.oidc_provider_arn}:sub" = "system:serviceaccount:velero"
          }
        }
      }
    ]
  })
}

Politique IAM pour accéder à S3 et EBS

resource "aws_iam_policy" "velero_policy" {
  name        = "velero_policy"
  description = "Velero IAM policy for S3 and EBS access"

  policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Effect = "Allow",
        Action = [
          "s3:*"
        ],
        Resource = [
          "arn:aws:s3:::${var.bucket_name_velero}",
          "arn:aws:s3:::${var.bucket_name_velero}/*"
        ]
      },
      {
        Effect = "Allow",
        Action = [
          "ec2:*"
        ],
        Resource = "*"
      }
    ]
  })
}

Attacher la politique au rôle

resource "aws_iam_role_policy_attachment" "velero_policy_attachment" {
  role       = aws_iam_role.velero_role.name
  policy_arn  = aws_iam_policy.velero_policy.arn
}

resource "kubernetes_service_account" "velero" {
  metadata {
    name      = "velero"
    namespace = "default"  # Assurez-vous que ce namespace existe
    annotations = {
      "eks.amazonaws.com/role-arn" = aws_iam_role.velero_role.arn
    }
  }
}

#

création du bucket S3

#

Définir la politique du bucket S3

resource "aws_s3_bucket_policy" "velero_bucket_policy" {
  bucket = var.bucket_name_velero

  policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Effect = "Allow",
        Principal = {
          AWS = aws_iam_role.velero_role.arn
        },
        Action = [
          "s3:ListBucket"
        ],
        Resource = [
          "arn:aws:s3:::${var.bucket_name_velero}"
        ]
      },
      {
        Effect = "Allow",
        Principal = {
          AWS = aws_iam_role.velero_role.arn
        },
        Action = [
          "s3:GetObject",
          "s3:PutObject",
          "s3:DeleteObject",
          "s3:AbortMultipartUpload",
          "s3:ListMultipartUploadParts"
        ],
        Resource = [
          "arn:aws:s3:::${var.bucket_name_velero}/*"
        ]
      }
    ]
  })
}

module "velero_bucket" {
  source  = "terraform-aws-modules/s3-bucket/aws"
  version = "4.1.1"
  bucket  = var.bucket_name_velero
  acl     = "private"
  # permet de supprimer le contenu du S3 avec le terraform destroy
  force_destroy = true

  control_object_ownership = true
  object_ownership         = "ObjectWriter"

  attach_policy = false

  attach_deny_insecure_transport_policy = false

  versioning = {
    enabled = true
  }
}

module "velero" {
  source  = "terraform-module/velero/kubernetes"
  version = "1.2.1"  # Assurez-vous d'utiliser la dernière version disponible

  cluster_name    = module.eks.cluster_name  # Remplacez par le nom de votre cluster
  bucket          = "tijus-sockshop-velero-bucket"  # Remplacez par le nom de votre bucket S3
  openid_connect_provider_uri = module.eks.oidc_provider_arn
  iam_deploy = false
  iam_role_name = "velero"
  namespace_deploy = false
  namespace_name = "default"
  repository = "https://vmware-tanzu.github.io/helm-charts"
values = [
    <<EOF

serviceAccount:
  name: velero
  create: false

image:
  repository: velero/velero
  tag: v1.4.2
  pullPolicy: IfNotPresent

initContainers:
  - name: velero-plugin-for-aws
    image: velero/velero-plugin-for-aws:v1.1.0
    volumeMounts:
      - mountPath: /target
        name: plugins

securityContext:
  fsGroup: 1337

configuration:
  provider: aws
  backupStorageLocation:
    name: default
    provider: aws
    bucket: tijus-sockshop-velero-bucket
    config:
      region: eu-west-3
  volumeSnapshotLocation:
    name: default
    provider: aws
    config:
      region: eu-west-3

credentials:
  useSecret: false

backupsEnabled: true
snapshotsEnabled: true

deployNodeAgent: true

podAnnotations:

  "ttlSecondsAfterFinished": "3600"

EOF
  ]
}

but i have an issue (i tried lot of way to use velero it never worked with helm release ressources too) terraform logs : 

Error: failed post-install: 1 error occurred:
│       * job failed: BackoffLimitExceeded
│ 
│ 
│ 
│   with module.velero.helm_release.this[0],
│   on .terraform/modules/velero/main.tf line 26, in resource "helm_release" "this":
│   26: resource "helm_release" "this" {

kubectl logs : 

time="2024-07-22T17:53:02Z" level=info msg="Checking that all backup storage locations are valid" logSource="pkg/cmd/server/server.go:437"
An error occurred: some backup storage locations are invalid: backup store for location "default" is invalid: rpc error: code = Unknown desc = AccessDenied: Access Denied
        status code: 403, request id: 3VFJFHN1C32GVD8S, host id: fNsL10qw3NioIAMPBT0zKPZ/OGjBJuX7dFaRa7r9MyDOn4xFSiXly+etZMU38sjViudRfJedY3iNnkBs2rQ+xg==

please i realy need help i try hard since days i tried every possible option to me i never succed to make velero work with aws

blackpiglet commented 1 month ago

We haven't tried installing Velero by TerraForm, so I suggest you use the Helm Chart or install it by Velero CLI if there is no definite need for TerraForm.

Could you share the error information when you met?

torimono commented 1 month ago

Error: failed post-install: 1 error occurred: │ * job failed: BackoffLimitExceeded │ │ │ │ with module.velero.helm_release.this[0], │ on .terraform/modules/velero/main.tf line 26, in resource "helm_release" "this": │ 26: resource "helm_release" "this" {

i need to use terraform im forced too .. i tried to use helm release ressource with terraform but it didnt worked , i all time have failed job and acces denied backuplocation , i activated the service account option , i did try module , i tried everything i could ..

torimono commented 1 month ago

We haven't tried installing Velero by TerraForm, so I suggest you use the Helm Chart or install it by Velero CLI if there is no definite need for TerraForm.

Could you share the error information when you met?

i already shared the logs and error