
DT-436 old eks module #27


Open
wants to merge 12 commits into
base: main

christopher-comet
Contributor

Created a PR with tagging working but still on the old EKS module version.

Will test applying this on a deployment done with the main branch and Comet installed.

@christopher-comet
Contributor Author

christopher-comet commented May 15, 2025

I deployed an EKS cluster using the main branch, then I installed Comet using the latest release of our Helm charts and specified the latest verified release versions for all Comet components.

Then I ran a terraform plan using this PR branch.
plan.json
Below is the summary of the plan output:
Here’s a breakdown of every change Terraform will make, grouped by component:

  1. ElastiCache Module

    Replication Group Tags
    Update module.comet_elasticache[0].aws_elasticache_replication_group.comet-ml-ec-redis: initialize the tags map (was null, now {}).

    Subnet Group Tags
    Update module.comet_elasticache[0].aws_elasticache_subnet_group.cometml-ec-sng-prod: initialize the tags map (was null, now {}).

    Redis Ingress Rule
    Update module.comet_elasticache[0].aws_security_group.redis_inbound_sg: add a new ingress rule allowing TCP 6379 from the EKS cluster security group (sg-0aed390acd04f18c3).

  2. MySQL Security Group

    MySQL Port Ingress Tags
    Update aws_security_group_rule.mysql_port_inbound_ec2: apply your common tags (Customer:Model-Ops, DeployedBy:Devops, Environment:test, Owner:firstName-lastName, TTL:2025-01-01 12:00:00) to the rule.

  3. EKS Managed Node Groups

    A. comet Node Group (existing)

    IAM Role Tag Update
    Update module.comet_eks[0].module.eks.module.eks_managed_node_group["comet"].aws_iam_role.this: replace the old tags (Environment:prod, Terraform:true) with the full common-tags set.

    Launch Template Update
    Update module.comet_eks[0].module.eks.module.eks_managed_node_group["comet"].aws_launch_template.this[0] to:

     Set update_default_version = true

     Specify vpc_security_group_ids = ["sg-04ebcfee9c91b97e1"]

     Add tag specifications on instances, network-interfaces, and volumes with your common tags.

    Node Group Resource Tags
    Update module.comet_eks[0].module.eks.module.eks_managed_node_group["comet"].aws_eks_node_group.this[0]: add the common tags under tags/tags_all.

    B. airflow Node Group (new)

    IAM Role
    Create module.comet_eks[0].module.eks.module.eks_managed_node_group["airflow"].aws_iam_role.this for the EC2 nodes.

    IAM Role Policy Attachments

     Grant S3 access via your comet-s3-access-policy

     Attach AmazonEC2ContainerRegistryReadOnly

     Attach AmazonEKSWorkerNodePolicy

     Attach AmazonEKS_CNI_Policy

    All four are created under aws_iam_role_policy_attachment for airflow.

    Launch Template
    Create aws_launch_template.this[0] with:

     500 GB gp3 root volume

     Required metadata options

     Detailed tag specifications (instance, network-interface, volume) with common tags

     update_default_version = true

     vpc_security_group_ids = ["sg-04ebcfee9c91b97e1"]

    C. druid Node Group (new)

    IAM Role
    Create ...eks_managed_node_group["druid"].aws_iam_role.this for the EC2 nodes.

    IAM Role Policy Attachments

     Grant S3 access (comet-s3-access-policy)

     Attach AmazonEC2ContainerRegistryReadOnly

     Attach AmazonEKSWorkerNodePolicy

     Attach AmazonEKS_CNI_Policy

    All created under aws_iam_role_policy_attachment for druid.

    Launch Template
    Create ...eks_managed_node_group["druid"].aws_launch_template.this[0] with the same block-device mappings, metadata options, monitoring, and tag specifications as airflow (but prefixed for druid).

No resources are slated for destruction, and existing policy attachments on the comet node group remain intact (no-ops).
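
A summary like the one in the comment above can be checked against the plan file itself. The following is an added example, not part of this PR or the repository: it reads the `resource_changes` array of Terraform's JSON plan output (`terraform show -json`) and separates tag-only updates from changes to security groups and IAM, and lists every resource with a delete action. The `SENSITIVE_TYPES` list and the sample plan are assumptions constructed for illustration.

```python
import json

# Types whose changes alter network reachability or IAM permissions (assumed list).
SENSITIVE_TYPES = {"aws_security_group", "aws_security_group_rule",
                   "aws_iam_role", "aws_iam_role_policy_attachment"}

def review_plan(plan):
    """Bucket `resource_changes` from `terraform show -json` output for review."""
    report = {"destroyed": [], "sensitive": [], "tag_only": []}
    for rc in plan.get("resource_changes", []):
        actions = rc["change"]["actions"]
        if actions in (["no-op"], ["read"]):
            continue
        before = rc["change"].get("before") or {}
        after = rc["change"].get("after") or {}
        if "delete" in actions:  # plain destroy, or the delete half of a replace
            report["destroyed"].append(rc["address"])
        # Top-level attributes that differ once the tag maps are ignored.
        changed = sorted(k for k in (set(before) | set(after)) - {"tags", "tags_all"}
                         if before.get(k) != after.get(k))
        if actions == ["update"] and not changed:
            report["tag_only"].append(rc["address"])
        elif rc["type"] in SENSITIVE_TYPES:
            report["sensitive"].append((rc["address"], actions, changed))
    return report

# Constructed sample plan; addresses, IDs and ARNs are placeholders.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
 {"address": "aws_security_group.redis_inbound_sg", "type": "aws_security_group",
  "change": {"actions": ["update"], "before": {"ingress": [], "tags": null},
   "after": {"ingress": [{"from_port": 6379, "to_port": 6379, "protocol": "tcp",
                          "security_groups": ["sg-EXAMPLE"]}], "tags": {}}}},
 {"address": "aws_iam_role.comet_nodes", "type": "aws_iam_role",
  "change": {"actions": ["update"],
   "before": {"name": "comet", "tags": {"Environment": "prod", "Terraform": "true"}},
   "after": {"name": "comet", "tags": {"Environment": "test"}}}},
 {"address": "aws_iam_role_policy_attachment.airflow_s3",
  "type": "aws_iam_role_policy_attachment",
  "change": {"actions": ["create"], "before": null,
   "after": {"role": "airflow", "policy_arn": "arn:aws:iam::000000000000:policy/EXAMPLE"}}},
 {"address": "aws_elasticache_subnet_group.example", "type": "aws_elasticache_subnet_group",
  "change": {"actions": ["delete", "create"],
   "before": {"name": "old"}, "after": {"name": "new"}}}
]}""")

if __name__ == "__main__":
    print(json.dumps(review_plan(SAMPLE_PLAN), indent=2))
```

Values that are only known after apply are absent from `after` in the plan JSON, so a newly created resource lists only the attributes Terraform could already resolve.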

@christopher-comet
Contributor Author

christopher-comet commented May 15, 2025

Apply completed successfully. The two things destroyed were just existing tags that were replaced.

Apply complete! Resources: 16 added, 46 changed, 2 destroyed.

Outputs:

comet_eks_cert = <sensitive>
comet_eks_endpoint = <sensitive>
comet_eks_token = <sensitive>
configure_kubectl = "aws eks update-kubeconfig --region us-east-2 --name comet-eks"
mysql_host = "cometml-rds-cluster-prod.cluster-crhy02zrnsyu.us-east-2.rds.amazonaws.com"
region = "us-east-2"

@christopher-comet christopher-comet marked this pull request as ready for review May 15, 2025 18:49
@christopher-comet christopher-comet requested review from liyaka and CRThaze and removed request for liyaka May 15, 2025 21:46