Add Spotinst integration (#113)

Author: Nuru

Dockerfile

@@ -1,4 +1,4 @@
-ARG VERSION=0.146.4
+ARG VERSION=0.147.7
 ARG OS=alpine
 FROM cloudposse/geodesic:$VERSION-$OS
 
@@ -32,10 +32,29 @@ ENV TF_BUCKET_REGION="${AWS_REGION}"
 ENV TF_BUCKET="${NAMESPACE}-${STAGE}-terraform-state"
 ENV TF_DYNAMODB_TABLE="${NAMESPACE}-${STAGE}-terraform-state-lock"
 
+# Our older Geodesic configurations relied on `direnv`, which we no longer recommend,
+# preferring YAML configuration files instead.
+ENV DIRENV_ENABLED=true
+# Our older Geodesic configuration uses multiple Makefiles, like Makefile.tasks
+# and depends on this setting, however this setting is set by default by `direnv`
+# due to rootfs/conf/.envrc, but `direnv` is now disabled by default, too.
+# If you are using (and therefore enable) `direnv`, consider the advantage
+# of using `direnv` to set MAKE_INCLUDES, which is that it will only set
+# it for trusted directories under `/conf` and therefore it will not affect
+# `make` outside of this directory tree.
+ENV MAKE_INCLUDES="Makefile Makefile.*"
+
 # Default AWS Profile name
 ENV AWS_DEFAULT_PROFILE="${NAMESPACE}-${STAGE}-admin"
 ENV AWS_MFA_PROFILE="${NAMESPACE}-root-admin"
 
+# aws-vault setup
+ENV AWS_VAULT_ASSUME_ROLE_TTL=1h
+ENV AWS_VAULT_SERVER_ENABLED=false
+ENV AWS_VAULT_BACKEND=file
+ENV AWS_VAULT_ENABLED=true
+RUN apk add -u aws-vault@cloudposse~=4
+
 # Install go for running terratest
 RUN apk add -uU go
 

conf/backing-services/terraform.tfvars

@@ -1,2 +1,2 @@
 zone_name = "testing.cloudposse.co"
-region = "us-west-2"
+region    = "us-west-2"

conf/kops-aws-platform/terraform.tfvars

@@ -1,4 +1,4 @@
-region="us-west-2"
-zone_name="testing.cloudposse.co"
+region    = "us-west-2"
+zone_name = "testing.cloudposse.co"
 
 cluster_id = "us-west-2.testing.cloudposse.co"

conf/kops/terraform.tfvars

@@ -1,2 +1,2 @@
 zone_name = "testing.cloudposse.co"
-region = "us-west-2"
+region    = "us-west-2"

conf/spotinst-integration/.envrc

@@ -0,0 +1,5 @@
+# Import the remote module
+export TF_CLI_PLAN_PARALLELISM=2
+
+use terraform 1
+use tfenv

conf/spotinst-integration/Makefile

@@ -0,0 +1,15 @@
+## Initialize terraform remote state
+init:
+	[ -f .terraform/terraform.tfstate ] || terraform $@
+
+## Clean up the project
+clean:
+	rm -rf .terraform *.tfstate*
+
+## Pass arguments through to terraform which require remote state
+apply console destroy graph plan output providers show: init
+	terraform $@
+
+## Pass arguments through to terraform which do not require remote state
+get fmt validate version:
+	terraform $@

conf/spotinst-integration/Makefile.tasks

@@ -0,0 +1,7 @@
+## Fetch the remote terraform module
+deps:
+	terraform init
+
+## Reset this project
+reset:
+	rm -rf .terraform

conf/spotinst-integration/README.md

@@ -0,0 +1,39 @@
+# Component: `spotinst-integration`
+
+This component is responsible for provisioning the IAM policies, roles, and instance profile for integrating an account with [Spotinst](https://spot.io/).
+
+See the [documentation on configuring Spotinst here](./spotinst-configuration.md) for full details on obtaining a Spotinst API Key and providing that to the account.
+
+## Usage
+
+This component cannot be installed via Atlantis because it requires multiple manual interventions. 
+The procedure in [spotinst-configuration.md](./spotinst-configuration.md) 
+also does not work because it assumes a late 2021 (`atmos`, stacks, etc.)
+environment.
+
+The procedure in [spotinst-manual-configuration.md](./spotinst-manual-configuration.md) 
+to set up Spotinst is closer, but still not quite, because it too assumes
+there is a `namespace`-gbl-`stage`-helm role to use, which we 
+do not have, and it assumes we have a paid account, which we do not.
+
+So this set up is very manual, but you can leverage the tools 
+in [spotinst-manual-configuration.md](./spotinst-manual-configuration.md) to help.
+
+Basic steps:
+
+- Get an Admin API token for Spotinst (via the web UI) and save it in an environment variable.
+- Create a Spotinst account for this AWS account (via `curl`). Except on the free plan, we can only have 1 account, 
+and it has already been created.
+- Create (via `curl`) a programmatic user and associated API token and save the token in SSM.
+Actually, we do not need to save it in SSM, but it is handy there. 
+Where it really needs to go is in a GitHub Secret as `SPOTINST_TOKEN`.
+- Create an "external ID" for the Spotinst API role and save it in SSM.
+- Run `terraform apply` to provision:
+  - An IAM Role for Spotinst API to use to manage resources in the account
+  - An IAM Role to give the EKS installed Ocean Controller the access it needs
+  - An EC2 Instance Profile to assign the Ocean Controller IAM Role to an instance
+- Configure (via `curl`) the Spotinst API to use the API IAM Role
+
+When done, the Spot.io Dashboard should show that the account status is "connected".
+
+

conf/spotinst-integration/backend.tf.json

@@ -0,0 +1,15 @@
+{
+  "terraform": {
+    "backend": {
+      "s3": {
+        "acl": "bucket-owner-full-control",
+        "bucket": "cpco-testing-terraform-state",
+        "dynamodb_table": "cpco-testing-terraform-state-lock",
+        "encrypt": true,
+        "key": "terraform.tfstate",
+        "region": "us-west-2",
+        "workspace_key_prefix": "spotinst-integration"
+      }
+    }
+  }
+}