deploy macos instances (#8794)

Author: upodroid

.atlantis.yaml

@@ -14,3 +14,7 @@ projects:
     branch: /main/
     dir: infra/aws/terraform/kops-infra-ci
     workflow: aws
+  - name: k8s-infra-macos
+    branch: /main/
+    dir: infra/aws/terraform/macos
+    workflow: aws

infra/README.md

@@ -13,6 +13,7 @@ AWS:
 
 - 10.128.0.0/16 k8s-infra-kops-prow-build
 - 10.0.0.0/16 eks-prow-build-cluster
+- 10.1.0.0/16 macos VPC
 
 GCP:
 

infra/aws/terraform/macos/README.md

@@ -0,0 +1,3 @@
+# infra/aws/terraform/macos
+
+This AWS account holds our MacOS infrastructure used by various Kubernetes projects.

infra/aws/terraform/macos/atlantis.config

@@ -0,0 +1,3 @@
+assume_role = {
+  role_arn = "arn:aws:iam::230049944443:role/OrganizationAccountAccessRole"
+}

infra/aws/terraform/macos/atlantis.tfvars

@@ -0,0 +1 @@
+atlantis_role_arn = "arn:aws:iam::230049944443:role/OrganizationAccountAccessRole"

infra/aws/terraform/macos/main.tf

@@ -0,0 +1,107 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+resource "aws_ec2_host" "mac" {
+  count             = 1
+  instance_type     = "mac2-m2.metal"
+  availability_zone = "us-east-2c"
+  host_recovery     = "on"
+  auto_placement    = "on"
+  tags = {
+    Name = "mac-dedicated-host-${count.index + 1}"
+  }
+}
+
+# Data source to get the latest macOS AMI
+data "aws_ami" "macos" {
+  most_recent = true
+  owners      = ["amazon"]
+
+  filter {
+    name   = "name"
+    values = ["amzn-ec2-macos-15.7*-arm64"] # macOS Sequoia
+  }
+
+  filter {
+    name   = "architecture"
+    values = ["arm64_mac"]
+  }
+}
+
+
+// IAM
+resource "aws_iam_role" "macos" {
+  name = "macos-role"
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Action = "sts:AssumeRole",
+        Effect = "Allow",
+        Principal = {
+          Service = "ec2.amazonaws.com"
+        }
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachments_exclusive" "macos" {
+  role_name = aws_iam_role.macos.name
+  policy_arns = [
+    "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
+    "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy",
+  ]
+}
+
+
+resource "aws_iam_instance_profile" "macos" {
+  name = "macos"
+  role = aws_iam_role.macos.name
+}
+
+resource "aws_key_pair" "macos" {
+  key_name   = "macos" # this is the same key as the aws-ssh key in prow
+  public_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCnUSQbmHOztLhE7to3RhMElJeKWkEeK3va4sluwelJH8oHA8bQhGfleXYrIIvXFsZagpoggZ9b9Ed6JMcBOtI382o7yW8G9ZC7pxQVe+V2xYQAlDl5grdtgBVA3Cgy6ZtwLVATZhVnd7WIQh2FuvbR0I03PXO/dSWo2j8f/PInRdRTfubKTEWJV78OItYu6TCn+Fc5RABGlKRdWfhvkixmClOEATO+5o7q+p40VefQE84WLXApY8pCjCFL90SCCDqkgG9UFAdC/hSrvzs+Jk4N1Vhmj2c5jsZm0a9iWKTNKbohUlCnnatWvRY1WgbDiijJydXZzIliTInxZQeidZR7 zml"
+}
+
+resource "aws_instance" "mac_node" {
+  count                = 1
+  instance_type        = "mac2-m2.metal"
+  key_name             = aws_key_pair.macos.key_name
+  availability_zone    = "us-east-2c"
+  iam_instance_profile = aws_iam_instance_profile.macos.name
+  ami                  = data.aws_ami.macos.id
+  tenancy              = "host"
+
+  subnet_id                   = module.vpc.public_subnets[2]
+  associate_public_ip_address = true
+  user_data                   = <<-EOF
+#!/bin/bash
+brew install git make golang
+EOF
+
+  root_block_device {
+    volume_size = 200
+    volume_type = "gp3"
+  }
+
+  tags = {
+    Name = "mac-1"
+  }
+}
+

infra/aws/terraform/macos/provider.tf

@@ -0,0 +1,45 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+terraform {
+  required_version = "~> 1.1"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 6.22.1"
+    }
+  }
+
+  backend "s3" {
+    bucket = "k8-infra-macos-tfstate"
+    key    = "terraform.state"
+    region = "us-east-2"
+  }
+}
+
+provider "aws" {
+  region = "us-east-2"
+  assume_role {
+    role_arn = var.atlantis_role_arn
+  }
+  default_tags {
+    tags = {
+      Environment = "prod"
+      group       = "sig-k8s-infra"
+    }
+  }
+}

infra/aws/terraform/macos/variables.tf

@@ -0,0 +1,31 @@
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+variable "prefix" {
+  description = "Prefix for every resource so that the resources can be created without using the same names. Useful for testing and staging"
+  type        = string
+  default     = "prod-"
+
+  validation {
+    condition     = can(regex(".*-$|^$", var.prefix))
+    error_message = "The string must end with a hyphen or be empty."
+  }
+}
+
+variable "atlantis_role_arn" {
+  description = "The ARN of the Atlantis IAM role"
+  default     = null
+}

infra/aws/terraform/macos/vpc.tf

@@ -0,0 +1,70 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+module "vpc" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "~> 6.5"
+
+  name = "macos-vpc"
+
+  cidr = "10.1.0.0/16"
+
+  azs             = ["us-east-2a", "us-east-2b", "us-east-2c"]
+  private_subnets = ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24"]
+  public_subnets  = ["10.1.3.0/24", "10.1.4.0/24", "10.1.5.0/24"]
+
+  # Enable public IPv4 addresses
+  map_public_ip_on_launch = true
+
+  # Enable IPv6
+  enable_ipv6            = true
+  create_egress_only_igw = true
+
+  # Assign IPv6 address on creation to each instance
+  public_subnet_assign_ipv6_address_on_creation  = true
+  private_subnet_assign_ipv6_address_on_creation = true
+
+  # Used for calculating IPv6 CIDR based on the following formula:
+  # cidrsubnet(aws_vpc.this[0].ipv6_cidr_block, 8, var.private_subnet_ipv6_prefixes[count.index])
+  private_subnet_ipv6_prefixes = [0, 1, 2]
+  public_subnet_ipv6_prefixes  = [3, 4, 5]
+
+  # NAT Gateway allows connection to external services (e.g. Internet).
+  enable_nat_gateway   = true
+  single_nat_gateway   = true
+  enable_dns_hostnames = true
+  default_security_group_ingress = [
+    {
+      from_port        = 22
+      to_port          = 22
+      protocol         = "tcp"
+      cidr_blocks      = "0.0.0.0/0"
+      ipv6_cidr_blocks = "::/0"
+      description      = "Allow SSH from anywhere"
+    }
+  ]
+
+  default_security_group_egress = [
+    {
+      from_port        = 0
+      to_port          = 65535
+      protocol         = "tcp"
+      cidr_blocks      = "0.0.0.0/0"
+      ipv6_cidr_blocks = "::/0"
+      description      = "Allow all outbound traffic"
+    }
+  ]
+}

infra/aws/terraform/management-account/organization-accounts-workloads-prod.tf

@@ -83,3 +83,22 @@ module "capa-ami" {
     "eu-south-2",
   ]
 }
+
+// This AWS accounts holds macOS Instances for kubernetes CI/CD
+module "macos" {
+  source = "../modules/org-account"
+
+  account_name = "k8s-infra-macos"
+  email        = "k8s-infra-aws-admins+macos@kubernetes.io"
+  parent_id    = aws_organizations_organizational_unit.production.id
+  tags = {
+    "production"  = "true",
+    "environment" = "prod",
+    "group"       = "sig-k8s-infra",
+  }
+  permissions_map = {
+    "aws-macos-maintainers" = [
+      "AdministratorAccess",
+    ]
+  }
+}