From 8dabfe75e684819c34676ad4fe7c9ab48f8ecf5a Mon Sep 17 00:00:00 2001
From: Yunjian Lu <43796475+yunjianlu@users.noreply.github.com>
Date: Wed, 11 Dec 2024 16:44:21 -0800
Subject: [PATCH] update: Install ACK with helm chart (#1180)

Co-authored-by: Yunjian <yunjianl@amazon.com>
---
 .../controlplanes/ack/.workshop/cleanup.sh    |  4 +-
 .../ack/.workshop/terraform/main.tf           | 59 +++++++++++--------
 .../ack/.workshop/terraform/outputs.tf        |  4 +-
 .../controlplanes/ack/how-it-works.md         |  8 ---
 .../automation/controlplanes/ack/index.md     |  3 +-
 .../controlplanes/ack/introduction.md         | 33 +++++++++++
 6 files changed, 76 insertions(+), 35 deletions(-)
 create mode 100644 website/docs/automation/controlplanes/ack/introduction.md

diff --git a/manifests/modules/automation/controlplanes/ack/.workshop/cleanup.sh b/manifests/modules/automation/controlplanes/ack/.workshop/cleanup.sh
index 3fbeea43e..80a5d5576 100755
--- a/manifests/modules/automation/controlplanes/ack/.workshop/cleanup.sh
+++ b/manifests/modules/automation/controlplanes/ack/.workshop/cleanup.sh
@@ -2,4 +2,6 @@
 
 logmessage "Deleting resources created by ACK..."
 
-delete-all-if-crd-exists tables.dynamodb.services.k8s.aws
\ No newline at end of file
+delete-all-if-crd-exists tables.dynamodb.services.k8s.aws
+
+uninstall-helm-chart ack-dynamodb ack-dynamodb-chart
\ No newline at end of file
diff --git a/manifests/modules/automation/controlplanes/ack/.workshop/terraform/main.tf b/manifests/modules/automation/controlplanes/ack/.workshop/terraform/main.tf
index 5330c0ba2..6426f29fe 100644
--- a/manifests/modules/automation/controlplanes/ack/.workshop/terraform/main.tf
+++ b/manifests/modules/automation/controlplanes/ack/.workshop/terraform/main.tf
@@ -19,29 +19,6 @@ data "aws_ecrpublic_authorization_token" "token" {
   provider = aws.virginia
 }
 
-#This module installs the ACK controller for DynamoDB through the AWS EKS Addons for ACK
-module "dynamodb_ack_addon" {
-
-  source  = "aws-ia/eks-ack-addons/aws"
-  version = "2.2.0"
-
-  # Cluster Info
-  cluster_name      = var.addon_context.eks_cluster_id
-  cluster_endpoint  = var.addon_context.aws_eks_cluster_endpoint
-  oidc_provider_arn = var.addon_context.eks_oidc_provider_arn
-
-  ecrpublic_username = data.aws_ecrpublic_authorization_token.token.user_name
-  ecrpublic_token    = data.aws_ecrpublic_authorization_token.token.password
-
-  # Controllers to enable
-  enable_dynamodb = true
-  dynamodb = {
-    role_name            = "${var.addon_context.eks_cluster_id}-ack-ddb"
-    role_name_use_prefix = false
-  }
-
-  tags = var.tags
-}
 
 module "iam_assumable_role_carts" {
   source                        = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
@@ -79,6 +56,42 @@ EOF
   tags   = var.tags
 }
 
+resource "aws_iam_policy" "ack_dynamo" {
+  name        = "${var.addon_context.eks_cluster_id}-ack-dynamo"
+  path        = "/"
+  description = "Dynamo policy for carts application"
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "AllAPIActionsOnCart",
+      "Effect": "Allow",
+      "Action": "dynamodb:*",
+      "Resource": [
+        "arn:aws:dynamodb:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/${var.addon_context.eks_cluster_id}-carts-ack",
+        "arn:aws:dynamodb:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/${var.addon_context.eks_cluster_id}-carts-ack/index/*"
+      ]
+    }
+  ]
+}
+EOF
+  tags   = var.tags
+}
+
+module "iam_assumable_role_ack" {
+  source                        = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
+  version                       = "5.44.0"
+  create_role                   = true
+  role_name                     = "${var.addon_context.eks_cluster_id}-ack-controller"
+  provider_url                  = var.addon_context.eks_oidc_issuer_url
+  role_policy_arns              = [aws_iam_policy.ack_dynamo.arn]
+  oidc_fully_qualified_subjects = ["system:serviceaccount:ack-dynamodb:ack-ddb-sa"]
+
+  tags = var.tags
+}
+
 module "eks_blueprints_addons" {
   source  = "aws-ia/eks-blueprints-addons/aws"
   version = "1.19.0"
diff --git a/manifests/modules/automation/controlplanes/ack/.workshop/terraform/outputs.tf b/manifests/modules/automation/controlplanes/ack/.workshop/terraform/outputs.tf
index 30b26b09d..2a12cd037 100644
--- a/manifests/modules/automation/controlplanes/ack/.workshop/terraform/outputs.tf
+++ b/manifests/modules/automation/controlplanes/ack/.workshop/terraform/outputs.tf
@@ -1,6 +1,8 @@
 output "environment_variables" {
   description = "Environment variables to be added to the IDE shell"
   value = {
-    CARTS_IAM_ROLE = module.iam_assumable_role_carts.iam_role_arn
+    CARTS_IAM_ROLE = module.iam_assumable_role_carts.iam_role_arn,
+    DYNAMODB_POLICY_ARN = aws_iam_policy.ack_dynamo.arn
+    ACK_IAM_ROLE=module.iam_assumable_role_ack.iam_role_arn,
   }
 }
\ No newline at end of file
diff --git a/website/docs/automation/controlplanes/ack/how-it-works.md b/website/docs/automation/controlplanes/ack/how-it-works.md
index f7eb58640..3fbfd56c5 100644
--- a/website/docs/automation/controlplanes/ack/how-it-works.md
+++ b/website/docs/automation/controlplanes/ack/how-it-works.md
@@ -3,14 +3,6 @@ title: "How does ACK work?"
 sidebar_position: 5
 ---
 
-Each AWS Controller for Kubernetes (ACK) is packaged as a separate container image, published in a public repository corresponding to an individual ACK service controller. To provision resources for a specific AWS service, the corresponding controller must be installed in the Amazon EKS cluster. We've already completed this step in the `prepare-environment` phase. Official container images and Helm charts for ACK are available [here](https://gallery.ecr.aws/aws-controllers-k8s).
-
-In this workshop section, we'll be working with Amazon DynamoDB. The ACK controller for DynamoDB has been pre-installed in the cluster, running as a deployment in its own Kubernetes namespace. To examine the deployment details, run the following command:
-
-```bash
-$ kubectl describe deployment ack-dynamodb -n ack-dynamodb
-```
-
 :::info
 kubectl also provides useful `-oyaml` and `-ojson` flags which extract the full YAML or JSON manifests of the deployment definition, respectively, instead of the formatted output.
 :::
diff --git a/website/docs/automation/controlplanes/ack/index.md b/website/docs/automation/controlplanes/ack/index.md
index 625c89e05..adebed8e8 100644
--- a/website/docs/automation/controlplanes/ack/index.md
+++ b/website/docs/automation/controlplanes/ack/index.md
@@ -17,7 +17,6 @@ $ prepare-environment automation/controlplanes/ack
 This will make the following changes to your lab environment:
 
 - Install the AWS Controllers for DynamoDB in the Amazon EKS cluster
-- Install the AWS Load Balancer controller in the Amazon EKS cluster
 
 You can view the Terraform that applies these changes [here](https://github.com/VAR::MANIFESTS_OWNER/VAR::MANIFESTS_REPOSITORY/tree/VAR::MANIFESTS_REF/manifests/modules/automation/controlplanes/ack/.workshop/terraform).
 
@@ -31,6 +30,6 @@ While the sample application can run entirely within your cluster, including sta
 
 In this lab, we'll use ACK to provision these services and create secrets and configmaps containing the binding information to connect the application to these AWS managed services.
 
-It's worth noting that during the provisioning process, we're using the new ACK Terraform module, which allows for rapid deployment of AWS Service Controllers to your cluster. For more information, see the [ACK Terraform module documentation](https://registry.terraform.io/modules/aws-ia/eks-ack-addons/aws/latest#module_dynamodb).
+For learning purposes, we're using helm to install the ACK controller. Another option is to use Terraform that allows for rapid deployment of AWS Service Controllers to your cluster. For more information, see the [ACK Terraform module documentation](https://registry.terraform.io/modules/aws-ia/eks-ack-addons/aws/latest#module_dynamodb).
 
 ![EKS with DynamoDB](./assets/eks-workshop-ddb.webp)
diff --git a/website/docs/automation/controlplanes/ack/introduction.md b/website/docs/automation/controlplanes/ack/introduction.md
new file mode 100644
index 000000000..89ce62ca6
--- /dev/null
+++ b/website/docs/automation/controlplanes/ack/introduction.md
@@ -0,0 +1,33 @@
+---
+title: "Introduction"
+sidebar_position: 3
+---
+
+Each ACK service controller is packaged into a separate container image that is published in a public repository corresponding to an individual ACK service controller. For each AWS service that we wish to provision, resources for the corresponding controller must be installed in the Amazon EKS cluster. Helm charts and official container images for ACK are available [here](https://gallery.ecr.aws/aws-controllers-k8s).
+
+In this section, since we will be working with Amazon DynamoDB ACK, we first need to install the ACK controller by using the Helm chart. As we ran the prepare-environment earlier, a role with proper permision is created for the ACK controller. Now let's create a service account and associate it with that role.
+```bash
+$ kubectl create ns ack-dynamodb
+$ kubectl create sa ack-ddb-sa --namespace ack-dynamodb
+$ kubectl annotate serviceaccount -n  ack-dynamodb ack-ddb-sa \
+  eks.amazonaws.com/role-arn=$ACK_IAM_ROLE --overwrite
+```
+
+Next, let us install the DynamoDB ACK controller by using the following commends: 
+```bash
+$ aws ecr-public get-login-password --region us-east-1 | \
+helm registry login --username AWS --password-stdin public.ecr.aws
+$ helm install -n ack-dynamodb ack  \
+  oci://public.ecr.aws/aws-controllers-k8s/dynamodb-chart \
+  --version=1.1.1  \
+  --set=aws.region=$AWS_REGION \
+  --set serviceAccount.create=false \
+  --set serviceAccount.name=ack-ddb-sa
+```
+
+Once the controller is installed, it is running as a deployment in ack-dynamodb namespace. To see what's under the hood, lets run the below.
+
+```bash
+$ kubectl get deployment  -n ack-dynamodb
+```
+