From 0273d829cc45f01be475e1dda762422fbd93eba2 Mon Sep 17 00:00:00 2001 From: Luis Arcega Date: Thu, 17 Aug 2023 13:16:46 -0500 Subject: [PATCH 1/4] Enable IAM Principal AWS Access Console Automatically for C9 Instance user --- .../observability/base/.workshop/cleanup.sh | 23 ++++ .../base/.workshop/terraform/addon.tf | 118 ++++++++++++++++++ .../base/.workshop/terraform/env.sh | 12 ++ .../docs/observability/resource-view/index.md | 11 +- 4 files changed, 162 insertions(+), 2 deletions(-) create mode 100644 manifests/modules/observability/base/.workshop/cleanup.sh create mode 100644 manifests/modules/observability/base/.workshop/terraform/addon.tf create mode 100755 manifests/modules/observability/base/.workshop/terraform/env.sh diff --git a/manifests/modules/observability/base/.workshop/cleanup.sh b/manifests/modules/observability/base/.workshop/cleanup.sh new file mode 100644 index 000000000..8d478b951 --- /dev/null +++ b/manifests/modules/observability/base/.workshop/cleanup.sh 
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+if [[ -v C9_USER ]]; then
+
+
+ echo 'Deleting ClusterRole config'
+ kubectl delete ClusterRoleBinding/eks-console-dashboard-full-access-binding --ignore-not-found=true > /dev/null
+ kubectl wait --for=delete ClusterRoleBinding/eks-console-dashboard-full-access-binding --timeout=60s > /dev/null
+
+ kubectl delete ClusterRole/eks-console-dashboard-full-access-clusterrole --ignore-not-found=true > /dev/null
+ kubectl wait --for=delete ClusterRole/eks-console-dashboard-full-access-clusterrole --timeout=60s > /dev/null
+
+ echo "Deleting IAM user/role from RBAC auth-config2"
+ ACCOUNTID=$(aws sts get-caller-identity | jq -r .Account)
+
+ echo "Removing arn:aws:iam::**:role/${C9_USER} from RBAC"
+ eksctl delete iamidentitymapping --cluster ${EKS_CLUSTER_NAME} --region ${AWS_REGION} --arn arn:aws:iam::${ACCOUNTID}:role/${C9_USER} -d > /dev/null 2>&1
+
+ echo "Removing arn:aws:iam::**:user/${C9_USER} from RBAC"
+ eksctl delete iamidentitymapping --cluster ${EKS_CLUSTER_NAME} --region ${AWS_REGION} --arn arn:aws:iam::${ACCOUNTID}:user/${C9_USER} -d > /dev/null 2>&1
+else
+ echo "No env C9_USER.. Nothing to delete "
+fi
diff --git a/manifests/modules/observability/base/.workshop/terraform/addon.tf b/manifests/modules/observability/base/.workshop/terraform/addon.tf
new file mode 100644
index 000000000..0138f47a1
--- /dev/null
+++ b/manifests/modules/observability/base/.workshop/terraform/addon.tf
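Review bot: `[[ -v C9_USER ]]` is also true for a set-but-empty variable, so an empty C9_USER hands eksctl ARNs ending in `:role/` and `:user/`; `if [[ -n "${C9_USER:-}" ]]; then` guards both cases. Both `eksctl delete iamidentitymapping` calls discard stdout and stderr, so a mapping that is not actually removed from aws-auth leaves the Cloud9 principal's cluster access in place with no message — let stderr through or check the exit status, and quote `"${C9_USER}"`, `"${EKS_CLUSTER_NAME}"` and `"${AWS_REGION}"` in the ARN and flags. The script has no `set -e`, so a failing `aws sts get-caller-identity` yields an empty ACCOUNTID and the later deletes silently target a malformed ARN. The third patch in this series deletes this file again, so these points apply only if it is reinstated.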
@@ -0,0 +1,118 @@ +resource "kubernetes_cluster_role" "eks-console-dashboard-full-access-clusterrole" { + metadata { + name = "eks-console-dashboard-full-access-clusterrole" + } + + rule { + api_groups = [""] + resources = ["nodes", "namespaces", "pods", "configmaps", "endpoints", "events", "limitranges", "persistentvolumeclaims", "podtemplates", "replicationcontrollers", "resourcequotas", "secrets", "serviceaccounts", "services"] + verbs = ["get", "list", "watch"] + } + + rule { + api_groups = ["apps"] + resources = ["deployments", "daemonsets", "statefulsets", "replicasets"] + verbs = ["get", "list", "watch"] + } + + rule { + api_groups = ["batch"] + resources = ["jobs","cronjobs"] + verbs = ["get", "list", "watch"] + } + + rule { + api_groups = ["coordination.k8s.io"] + resources = ["leases"] + verbs = ["get", "list", "watch"] + } + + rule { + api_groups = ["discovery.k8s.io"] + resources = ["endpointslices"] + verbs = ["get", "list", "watch"] + } + + rule { + api_groups = ["events.k8s.io"] + resources = ["events"] + verbs = ["get", "list", "watch"] + } + + rule { + api_groups = ["extensions"] + resources = ["daemonsets", "deployments", "ingresses", "networkpolicies", "replicasets"] + verbs = ["get", "list", "watch"] + } + + rule { + api_groups = ["networking.k8s.io"] + resources = ["ingresses", "networkpolicies"] + verbs = ["get", "list", "watch"] + } + + rule { + api_groups = ["policy"] + resources = ["poddisruptionbudgets"] + verbs = ["get", "list", "watch"] + } + + rule { + api_groups = ["rbac.authorization.k8s.io"] + resources = ["rolebindings", "roles"] + verbs = ["get", "list", "watch"] + } + + rule { + api_groups = ["storage.k8s.io"] + resources = ["csistoragecapacities"] + verbs = ["get", "list", "watch"] + } +} + + +resource "kubernetes_cluster_role_binding" "eks-console-dashboard-full-access-binding" { + metadata { + name = "eks-console-dashboard-full-access-binding" + } + + role_ref { + api_group = "rbac.authorization.k8s.io" + kind = "ClusterRole" + 
name = "eks-console-dashboard-full-access-clusterrole" + } + + subject { + kind = "Group" + name = "eks-console-dashboard-full-access-group" + api_group = "rbac.authorization.k8s.io" + } + +} + +data "external" "env" { + program = ["${path.module}/env.sh"] +} + +resource "terraform_data" "console-iam-rbac-mapping" { +/* + triggers_replace = [ + # The provisioner is executed then the `id` of the EC2 instance changes + kubernetes_cluster_role_binding.eks-console-dashboard-full-access-binding + ] +*/ + provisioner "local-exec" { + command = <<-EOT + echo "Mapping RBAC Permissions" + + eksctl create iamidentitymapping --cluster ${local.addon_context.eks_cluster_id} --region ${data.aws_region.current.id} \ + --arn arn:aws:iam::${local.addon_context.aws_caller_identity_account_id}:user/${data.external.env.result["C9_USER"]} --username console-iam-user --group eks-console-dashboard-full-access-group \ + --no-duplicate-arns + + eksctl create iamidentitymapping --cluster ${local.addon_context.eks_cluster_id} --region ${data.aws_region.current.id} \ + --arn arn:aws:iam::${local.addon_context.aws_caller_identity_account_id}:role/${data.external.env.result["C9_USER"]} --username console-iam-role --group eks-console-dashboard-full-access-group \ + --no-duplicate-arns + + EOT + } +} diff --git a/manifests/modules/observability/base/.workshop/terraform/env.sh b/manifests/modules/observability/base/.workshop/terraform/env.sh new file mode 100755 index 000000000..ab09da874 --- /dev/null +++ b/manifests/modules/observability/base/.workshop/terraform/env.sh 
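Review bot: The `local-exec` command in `terraform_data.console-iam-rbac-mapping` interpolates `data.external.env.result["C9_USER"]` directly into the shell heredoc, so shell metacharacters in that environment value change what the command runs rather than just the ARN; pass it through the provisioner's `environment` map and reference it as a quoted `"$C9_USER"`, as below (the env.sh producing the value is not legible on this page, so a format check there may be possible too). The ClusterRole bound here grants `get`/`list`/`watch` on `secrets` in the core group; for a console resource view that deserves either a comment justifying it or removal of `secrets` from the list. With `triggers_replace` commented out and no `when = destroy` provisioner, the two aws-auth mappings are created once and are not removed by `terraform destroy` — the `cleanup.sh` added in the same patch is what removes them, which is worth a comment on the resource. The third patch in this series deletes this file, so this matters only if it is reinstated.
```hcl
  provisioner "local-exec" {
    environment = {
      C9_USER = data.external.env.result["C9_USER"]
    }
    command = <<-EOT
      echo "Mapping RBAC Permissions"

      eksctl create iamidentitymapping --cluster ${local.addon_context.eks_cluster_id} --region ${data.aws_region.current.id} \
        --arn "arn:aws:iam::${local.addon_context.aws_caller_identity_account_id}:user/$C9_USER" --username console-iam-user --group eks-console-dashboard-full-access-group \
        --no-duplicate-arns
      # … unchanged: second eksctl call, with :role/$C9_USER quoted the same way …
    EOT
  }
```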
@@ -0,0 +1,12 @@ +#!/bin/sh + +# env.sh + +# Change the contents of this output to get the environment variables +# of interest. The output must be valid JSON, with strings for both +# keys and values. +cat < Date: Tue, 12 Sep 2023 08:26:07 -0500 Subject: [PATCH 2/4] - Added support for varible C9_USER, injected by Cloud9 to the execution of the container - Added functionality to verify if C9_USER exist, it will grant access to the EKS via WS Console Access --- hack/run-tests.sh | 2 +- hack/shell.sh | 2 +- lab/bin/use-cluster | 8 +++++++- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/hack/run-tests.sh b/hack/run-tests.sh index 3d97b3e46..deba21509 100755 --- a/hack/run-tests.sh +++ b/hack/run-tests.sh @@ -54,5 +54,5 @@ echo "Running test suite..." $CONTAINER_CLI run $background_args \ -v $SCRIPT_DIR/../website/docs:/content \ -v $SCRIPT_DIR/../manifests:/manifests \ - -e 'EKS_CLUSTER_NAME' -e 'AWS_REGION' \ + -e 'EKS_CLUSTER_NAME' -e 'AWS_REGION' -e 'C9_USER' \ $aws_credential_args $container_image -g "{$module,$module/**}" --hook-timeout 1200 --timeout 1200 ${AWS_EKS_WORKSHOP_TEST_FLAGS} diff --git a/hack/shell.sh b/hack/shell.sh index e15a3a5a5..f677db7dd 100644 --- a/hack/shell.sh +++ b/hack/shell.sh @@ -44,5 +44,5 @@ echo "Starting shell in container..." $CONTAINER_CLI run --rm -it \ -v $SCRIPT_DIR/../manifests:/manifests \ - -e 'EKS_CLUSTER_NAME' -e 'AWS_REGION' \ + -e 'EKS_CLUSTER_NAME' -e 'AWS_REGION' -e 'C9_USER' \ $aws_credential_args $container_image $shell_command \ No newline at end of file diff --git a/lab/bin/use-cluster b/lab/bin/use-cluster index 2b2849e5d..e9d5a5893 100644 --- a/lab/bin/use-cluster +++ b/lab/bin/use-cluster 
@@ -35,4 +35,10 @@ EKS_IP_FAMILY=ipv4 set +a EOT -aws eks update-kubeconfig --name $cluster_name > /dev/null +aws eks update-kubeconfig --name $cluster_name > /dev/null 2>&1 + +if [[ -v C9_USER ]]; then + echo "Granting C9_USER access to the cluster via the AWS Console ${C9_USER}" + eksctl create iamidentitymapping --cluster $cluster_name --arn arn:aws:iam::${AWS_ACCOUNT_ID}:user/${C9_USER} --username console-iam-user --group system:masters --no-duplicate-arns -d > /dev/null 2>&1 + eksctl create iamidentitymapping --cluster $cluster_name --arn arn:aws:iam::${AWS_ACCOUNT_ID}:role/${C9_USER} --username console-iam-role --group system:masters --no-duplicate-arns -d > /dev/null 2>&1 +fi \ No newline at end of file From 9db604bafd7106ba7050a40c2571166b1cd57fea Mon Sep 17 00:00:00 2001 From: Luis Arcega Date: Thu, 21 Sep 2023 15:03:43 -0500 Subject: [PATCH 3/4] removing unnecessary resources --- hack/run-tests.sh | 2 +- hack/shell.sh | 2 +- .../observability/base/.workshop/cleanup.sh | 23 ---- .../base/.workshop/terraform/addon.tf | 118 ------------------ .../base/.workshop/terraform/env.sh | 12 -- 5 files changed, 2 insertions(+), 155 deletions(-) delete mode 100644 manifests/modules/observability/base/.workshop/cleanup.sh delete mode 100644 manifests/modules/observability/base/.workshop/terraform/addon.tf delete mode 100755 manifests/modules/observability/base/.workshop/terraform/env.sh diff --git a/hack/run-tests.sh b/hack/run-tests.sh index deba21509..3d97b3e46 100755 --- a/hack/run-tests.sh +++ b/hack/run-tests.sh @@ -54,5 +54,5 @@ echo "Running test suite..." $CONTAINER_CLI run $background_args \ -v $SCRIPT_DIR/../website/docs:/content \ -v $SCRIPT_DIR/../manifests:/manifests \ - -e 'EKS_CLUSTER_NAME' -e 'AWS_REGION' -e 'C9_USER' \ + -e 'EKS_CLUSTER_NAME' -e 'AWS_REGION' \ $aws_credential_args $container_image -g "{$module,$module/**}" --hook-timeout 1200 --timeout 1200 ${AWS_EKS_WORKSHOP_TEST_FLAGS} 
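Review bot: Both added `eksctl create iamidentitymapping` lines put the Cloud9 principal in `system:masters`, which is cluster-admin, whereas the first patch in this series bound the same user/role ARNs to a read-only ClusterRole via `eks-console-dashboard-full-access-group`; if the goal is console visibility, map to a group bound to a read-only ClusterRole (e.g. `--group eks-console-dashboard-full-access-group` on both lines, with that binding present) rather than granting `system:masters` from an automatically run script. `[[ -v C9_USER ]]` also passes when the variable is set but empty, producing ARNs that end in `:user/` and `:role/`; `if [[ -n "${C9_USER:-}" ]]; then` avoids that. Every command in the branch, and now `update-kubeconfig` as well, sends stderr to `/dev/null`, so a failed kubeconfig update or mapping is indistinguishable from success — let stderr through or check the exit status. `AWS_ACCOUNT_ID` is not set within the hunk; presumably it comes from the exported heredoc ending at `EOT` above, which starts outside the hunk.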
diff --git a/hack/shell.sh b/hack/shell.sh index f677db7dd..e15a3a5a5 100644 --- a/hack/shell.sh +++ b/hack/shell.sh @@ -44,5 +44,5 @@ echo "Starting shell in container..." $CONTAINER_CLI run --rm -it \ -v $SCRIPT_DIR/../manifests:/manifests \ - -e 'EKS_CLUSTER_NAME' -e 'AWS_REGION' -e 'C9_USER' \ + -e 'EKS_CLUSTER_NAME' -e 'AWS_REGION' \ $aws_credential_args $container_image $shell_command \ No newline at end of file diff --git a/manifests/modules/observability/base/.workshop/cleanup.sh b/manifests/modules/observability/base/.workshop/cleanup.sh deleted file mode 100644 index 8d478b951..000000000 --- a/manifests/modules/observability/base/.workshop/cleanup.sh +++ /dev/null @@ -1,23 +0,0 @@ -#!/bin/bash - -if [[ -v C9_USER ]]; then - - - echo 'Deleting ClusterRole config' - kubectl delete ClusterRoleBinding/eks-console-dashboard-full-access-binding --ignore-not-found=true > /dev/null - kubectl wait --for=delete ClusterRoleBinding/eks-console-dashboard-full-access-binding --timeout=60s > /dev/null - - kubectl delete ClusterRole/eks-console-dashboard-full-access-clusterrole --ignore-not-found=true > /dev/null - kubectl wait --for=delete ClusterRole/eks-console-dashboard-full-access-clusterrole --timeout=60s > /dev/null - - echo "Deleting IAM user/role from RBAC auth-config2" - ACCOUNTID=$(aws sts get-caller-identity | jq -r .Account) - - echo "Removing arn:aws:iam::**:role/${C9_USER} from RBAC" - eksctl delete iamidentitymapping --cluster ${EKS_CLUSTER_NAME} --region ${AWS_REGION} --arn arn:aws:iam::${ACCOUNTID}:role/${C9_USER} -d > /dev/null 2>&1 - - echo "Removing arn:aws:iam::**:user/${C9_USER} from RBAC" - eksctl delete iamidentitymapping --cluster ${EKS_CLUSTER_NAME} --region ${AWS_REGION} --arn arn:aws:iam::${ACCOUNTID}:user/${C9_USER} -d > /dev/null 2>&1 -else - echo "No env C9_USER.. Nothing to delete " -fi 
diff --git a/manifests/modules/observability/base/.workshop/terraform/addon.tf b/manifests/modules/observability/base/.workshop/terraform/addon.tf
deleted file mode 100644
index 0138f47a1..000000000
--- a/manifests/modules/observability/base/.workshop/terraform/addon.tf
+++ /dev/null
@@ -1,118 +0,0 @@ -resource "kubernetes_cluster_role" "eks-console-dashboard-full-access-clusterrole" { - metadata { - name = "eks-console-dashboard-full-access-clusterrole" - } - - rule { - api_groups = [""] - resources = ["nodes", "namespaces", "pods", "configmaps", "endpoints", "events", "limitranges", "persistentvolumeclaims", "podtemplates", "replicationcontrollers", "resourcequotas", "secrets", "serviceaccounts", "services"] - verbs = ["get", "list", "watch"] - } - - rule { - api_groups = ["apps"] - resources = ["deployments", "daemonsets", "statefulsets", "replicasets"] - verbs = ["get", "list", "watch"] - } - - rule { - api_groups = ["batch"] - resources = ["jobs","cronjobs"] - verbs = ["get", "list", "watch"] - } - - rule { - api_groups = ["coordination.k8s.io"] - resources = ["leases"] - verbs = ["get", "list", "watch"] - } - - rule { - api_groups = ["discovery.k8s.io"] - resources = ["endpointslices"] - verbs = ["get", "list", "watch"] - } - - rule { - api_groups = ["events.k8s.io"] - resources = ["events"] - verbs = ["get", "list", "watch"] - } - - rule { - api_groups = ["extensions"] - resources = ["daemonsets", "deployments", "ingresses", "networkpolicies", "replicasets"] - verbs = ["get", "list", "watch"] - } - - rule { - api_groups = ["networking.k8s.io"] - resources = ["ingresses", "networkpolicies"] - verbs = ["get", "list", "watch"] - } - - rule { - api_groups = ["policy"] - resources = ["poddisruptionbudgets"] - verbs = ["get", "list", "watch"] - } - - rule { - api_groups = ["rbac.authorization.k8s.io"] - resources = ["rolebindings", "roles"] - verbs = ["get", "list", "watch"] - } - - rule { - api_groups = ["storage.k8s.io"] - resources = ["csistoragecapacities"] - verbs = ["get", "list", "watch"] - } -} - - -resource "kubernetes_cluster_role_binding" "eks-console-dashboard-full-access-binding" { - metadata { - name = "eks-console-dashboard-full-access-binding" - } - - role_ref { - api_group = "rbac.authorization.k8s.io" - kind = "ClusterRole" - 
name = "eks-console-dashboard-full-access-clusterrole" - } - - subject { - kind = "Group" - name = "eks-console-dashboard-full-access-group" - api_group = "rbac.authorization.k8s.io" - } - -} - -data "external" "env" { - program = ["${path.module}/env.sh"] -} - -resource "terraform_data" "console-iam-rbac-mapping" { -/* - triggers_replace = [ - # The provisioner is executed then the `id` of the EC2 instance changes - kubernetes_cluster_role_binding.eks-console-dashboard-full-access-binding - ] -*/ - provisioner "local-exec" { - command = <<-EOT - echo "Mapping RBAC Permissions" - - eksctl create iamidentitymapping --cluster ${local.addon_context.eks_cluster_id} --region ${data.aws_region.current.id} \ - --arn arn:aws:iam::${local.addon_context.aws_caller_identity_account_id}:user/${data.external.env.result["C9_USER"]} --username console-iam-user --group eks-console-dashboard-full-access-group \ - --no-duplicate-arns - - eksctl create iamidentitymapping --cluster ${local.addon_context.eks_cluster_id} --region ${data.aws_region.current.id} \ - --arn arn:aws:iam::${local.addon_context.aws_caller_identity_account_id}:role/${data.external.env.result["C9_USER"]} --username console-iam-role --group eks-console-dashboard-full-access-group \ - --no-duplicate-arns - - EOT - } -} diff --git a/manifests/modules/observability/base/.workshop/terraform/env.sh b/manifests/modules/observability/base/.workshop/terraform/env.sh deleted file mode 100755 index ab09da874..000000000 --- a/manifests/modules/observability/base/.workshop/terraform/env.sh +++ /dev/null @@ -1,12 +0,0 @@ -#!/bin/sh - -# env.sh - -# Change the contents of this output to get the environment variables -# of interest. The output must be valid JSON, with strings for both -# keys and values. -cat < Date: Thu, 21 Sep 2023 15:03:43 -0500 Subject: [PATCH 4/4] removing unnecessary resources --- website/docs/observability/resource-view/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/website/docs/observability/resource-view/index.md b/website/docs/observability/resource-view/index.md index 514d0d70e..e3004c42b 100644 --- a/website/docs/observability/resource-view/index.md +++ b/website/docs/observability/resource-view/index.md @@ -8,7 +8,7 @@ sidebar_custom_props: {"module": true} Prepare your environment for this section: ```bash timeout=300 wait=30 -$ prepare-environment observability/base +$ prepare-environment ``` This will make the following changes to your lab environment: