
chore: setup AWS e2e/managed

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Moritz Johner před 8 měsíci
rodič
revize
3c2bebe6ac

+ 12 - 11
.github/actions/e2e-managed/action.yml

@@ -116,6 +116,7 @@ runs:
 
     - id: 'get-credentials'
       uses: 'google-github-actions/get-gke-credentials@v3'
+      if: env.CLOUD_PROVIDER == 'gcp'
       with:
         cluster_name: '${{ env.GCP_GKE_CLUSTER }}'
         location: 'europe-west1'
@@ -131,7 +132,7 @@ runs:
       if: env.CLOUD_PROVIDER == 'azure'
       shell: bash
       run: |-
-        az aks get-credentials --admin --name eso-cluster --resource-group external-secrets-operator
+        az aks get-credentials --admin --name eso-cluster --resource-group external-secrets-e2e
 
     - name: Login to Docker
       uses: docker/login-action@v2
@@ -150,14 +151,14 @@ runs:
         PROVIDER=${{env.CLOUD_PROVIDER}}
         make test.e2e.managed GINKGO_LABELS="${PROVIDER} && managed" TEST_SUITES="provider"
 
-    - name: Destroy TF
-      shell: bash
-      if: always()
-      env:
-        ARM_CLIENT_ID: "${{ env.TFC_AZURE_CLIENT_ID }}"
-        ARM_SUBSCRIPTION_ID: "${{ env.TFC_AZURE_SUBSCRIPTION_ID }}"
-        ARM_TENANT_ID: "${{ env.TFC_AZURE_TENANT_ID }}"
-      run: |-
-        PROVIDER=${{env.CLOUD_PROVIDER}}
-        make tf.destroy.${PROVIDER}
+    # - name: Destroy TF
+    #   shell: bash
+    #   if: always()
+    #   env:
+    #     ARM_CLIENT_ID: "${{ env.TFC_AZURE_CLIENT_ID }}"
+    #     ARM_SUBSCRIPTION_ID: "${{ env.TFC_AZURE_SUBSCRIPTION_ID }}"
+    #     ARM_TENANT_ID: "${{ env.TFC_AZURE_TENANT_ID }}"
+    #   run: |-
+    #     PROVIDER=${{env.CLOUD_PROVIDER}}
+    #     make tf.destroy.${PROVIDER}
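Review bot: Commenting out the `Destroy TF` step in the third hunk leaves the provisioned cluster (and the admin-scoped CI access the other files in this commit grant to it) running after every e2e run, since nothing else in the action tears it down, and the step was `if: always()` precisely so cleanup happened on failed runs too. If teardown is being disabled deliberately while the AWS/Azure paths are brought up, a comment stating why and when it returns would help, e.g. `# TODO: teardown disabled while e2e/managed is being set up; infra persists between runs`. Keeping the step live behind a flag rather than under comments avoids the commented copy drifting from the real step, e.g. a constructed `if: always() && env.KEEP_INFRA != 'true'`. The `runs:` block these steps belong to starts outside the hunk.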
 

+ 1 - 1
.github/workflows/e2e-managed.yml

@@ -49,7 +49,7 @@ env:
 
   # TODO: temporarily replace vars for testing in PR
   GITHUB_PR_NUMBER: "5409"
-  CLOUD_PROVIDER: "gcp"
+  CLOUD_PROVIDER: "azure"
   #GITHUB_PR_NUMBER: ${{ github.event.client_payload.pull_request.number }}
   #CLOUD_PROVIDER: ${{ github.event.client_payload.slash_command.args.named.provider }}
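Review bot: Pinning `CLOUD_PROVIDER: "azure"` together with the fixed `GITHUB_PR_NUMBER` means every run of this workflow ignores the slash-command payload on the two commented lines below it, so the AWS path this commit sets up cannot be exercised from CI without another edit. If the override is only for iterating on the PR, expressing it as a fallback keeps the payload authoritative when present: `CLOUD_PROVIDER: ${{ github.event.client_payload.slash_command.args.named.provider || 'azure' }}`. The existing TODO should then say which value is the temporary one.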
 

+ 11 - 0
terraform/aws/infrastructure/modules/cluster/main.tf

@@ -55,6 +55,17 @@ module "eks" {
         }
       }
     }
+    github-actions = {
+      principal_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/github-actions-external-secrets"
+      policy_associations = {
+        github-actions = {
+          policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
+          access_scope = {
+            type = "cluster"
+          }
+        }
+      }
+    }
   }
 }
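Review bot: The new `github-actions` access entry grants `AmazonEKSClusterAdminPolicy` at `type = "cluster"` scope, which is full cluster-admin for a role assumed by GitHub Actions workflows. If the e2e suite only needs to install the operator and its fixtures, a namespace-scoped association (`type = "namespace"` with a `namespaces` list) or a narrower policy such as `AmazonEKSEditPolicy` would bound what a mis-scoped or compromised workflow run can do on the cluster; if cluster-admin is genuinely required (CRD installation, cluster-scoped RBAC), a one-line comment saying so would save the next reviewer the question. The entry also relies on `data.aws_caller_identity.current`, which is not in this hunk and presumably declared elsewhere in the module — confirm. The enclosing `module "eks"` block starts outside the hunk.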
 

+ 2 - 2
terraform/aws/kubernetes/main.tf

@@ -6,9 +6,9 @@ data "aws_iam_role" "eso-e2e-irsa" {
 resource "kubernetes_service_account" "this" {
   metadata {
     name      = var.AWS_SA_NAME
-    namespace = AWS_SA_NAMESPACE
+    namespace = var.AWS_SA_NAMESPACE
     annotations = {
-      "eks.amazonaws.com/role-arn" = aws_iam_role.eso-e2e-irsa.arn
+      "eks.amazonaws.com/role-arn" = data.aws_iam_role.eso-e2e-irsa.arn
     }
   }
 }
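Review bot: `var.AWS_SA_NAMESPACE` on the new line (like `var.AWS_SA_NAME` on the context line above it) uses an upper-case variable name, whereas Terraform convention is lower snake_case such as `var.aws_sa_namespace`; this is a style point only, and renaming would touch the `variable` blocks and whatever supplies them (`-var`/tfvars/`TF_VAR_*`), so it can reasonably be deferred. The two substantive fixes in the hunk (`var.` and `data.` prefixes) read as correct.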

+ 7 - 1
terraform/aws/kubernetes/provider.tf

@@ -1,6 +1,12 @@
 terraform {
   required_version = ">= 0.13"
 
+  backend "s3" {
+    bucket = "eso-tfstate-e2e-managed"
+    key    = "aws-tfstate-kubernetes"
+    region = "eu-central-1"
+  }
+
   required_providers {
     aws = {
       source  = "hashicorp/aws"
@@ -19,7 +25,7 @@ provider "aws" {
 
 provider "kubernetes" {
   host                   = data.aws_eks_cluster.this.endpoint
-  cluster_ca_certificate = base64decode(data.aws_eks_cluster.this.certificate_authority_data)
+  cluster_ca_certificate = base64decode(data.aws_eks_cluster.this.certificate_authority[0].data)
   token                  = data.aws_eks_cluster_auth.this.token
 }
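Review bot: The new `backend "s3"` block in the first hunk configures neither server-side encryption nor state locking, and this state will contain the EKS auth token read by `data.aws_eks_cluster_auth.this.token` below, since data-source results are persisted in state. Adding `encrypt = true` and a lock table, `dynamodb_table = "<TF_LOCK_TABLE — placeholder>"`, guards the state object at rest and prevents two concurrent e2e runs from corrupting it. The `certificate_authority[0].data` fix in the second hunk is the correct attribute path.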
 

+ 6 - 0
terraform/azure/infrastructure/providers.tf

@@ -1,4 +1,10 @@
 terraform {
+  backend "azurerm" {
+    resource_group_name  = "external-secrets-tfstate-rg"
+    storage_account_name = "esoe2emanagedtfstate"
+    container_name       = "tfstate"
+    key                  = "infrastructure/terraform.tfstate"
+  }
   required_providers {
     azuread = {
       source  = "hashicorp/azuread"
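Review bot: The new `backend "azurerm"` block does not set `use_azuread_auth = true`, so Terraform will fall back to the storage account's shared access key for state access; with `use_azuread_auth = true` the CI identity only needs a blob data role on the `tfstate` container and no account-wide key has to be available to the workflow. The same applies to the identical backend block added in terraform/azure/kubernetes/provider.tf, which differs only in `key`. The `terraform {` block continues past the hunk.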

+ 0 - 2
terraform/azure/kubernetes/main.tf

@@ -22,7 +22,6 @@ resource "kubernetes_service_account" "e2e" {
     namespace = "default"
     annotations = {
       "azure.workload.identity/client-id" = data.azuread_application.e2e.client_id
-      "azure.workload.identity/tenant-id" = data.azurerm_client_config.current.tenant_id
     }
     labels = {
       "azure.workload.identity/use" = "true"
@@ -37,7 +36,6 @@ resource "kubernetes_service_account" "current" {
     namespace = "external-secrets-operator"
     annotations = {
       "azure.workload.identity/client-id" = data.azuread_application.eso.client_id
-      "azure.workload.identity/tenant-id" = data.azurerm_client_config.current.tenant_id
     }
     labels = {
       "azure.workload.identity/use" = "true"

+ 7 - 0
terraform/azure/kubernetes/provider.tf

@@ -1,6 +1,13 @@
 terraform {
   required_version = ">= 0.13"
 
+  backend "azurerm" {
+    resource_group_name  = "external-secrets-tfstate-rg"
+    storage_account_name = "esoe2emanagedtfstate"
+    container_name       = "tfstate"
+    key                  = "kubernetes/terraform.tfstate"
+  }
+
   required_providers {
     aws = {
       source  = "hashicorp/aws"