new: Add EKS Capabilities fastpath lab (ACK, Argo CD, kro)

.github/labeler.yml

@@ -1,27 +1,31 @@
 content/introduction:
-  - environment/modules/introduction/**/*
+  - manifests/modules/introduction/**/*
   - website/docs/introduction/**/*
 
 content/fundamentals:
-  - environment/modules/fundamentals/**/*
+  - manifests/modules/fundamentals/**/*
   - website/docs/fundamentals/**/*
 
 content/autoscaling:
-  - environment/modules/autoscaling/**/*
+  - manifests/modules/autoscaling/**/*
   - website/docs/autoscaling/**/*
 
 content/security:
-  - environment/modules/security/**/*
+  - manifests/modules/security/**/*
   - website/docs/security/**/*
 
 content/networking:
-  - environment/modules/networking/**/*
+  - manifests/modules/networking/**/*
   - website/docs/networking/**/*
 
 content/observability:
-  - environment/modules/observability/**/*
+  - manifests/modules/observability/**/*
   - website/docs/observability/**/*
 
 content/cost-optimization:
-  - environment/modules/costoptimization/**/*
+  - manifests/modules/costoptimization/**/*
   - website/docs/costoptimization/**/*
+
+content/fastpaths:
+  - manifests/modules/fastpaths/**/*
+  - website/docs/fastpaths/**/*

.github/workflows/test-fastpaths.yaml

@@ -66,7 +66,7 @@ jobs:
           DOCKER_DNS_OVERRIDE: "8.8.8.8"
         run: |
           export AWS_DEFAULT_REGION="$AWS_REGION"
-          bash hack/run-tests.sh "$CLUSTER_ID" "-" "{fastpaths/getting-started,fastpaths/getting-started/**,fastpaths/operator,fastpaths/operator/**,fastpaths/developer,fastpaths/developer/**}"
+          bash hack/run-tests.sh "$CLUSTER_ID" "-" "{fastpaths/getting-started,fastpaths/getting-started/**,fastpaths/operator,fastpaths/operator/**,fastpaths/developer,fastpaths/developer/**,fastpaths/eks-capabilities,fastpaths/eks-capabilities/**}"
       - name: Refresh AWS credentials
         if: always()
         uses: aws-actions/configure-aws-credentials@v4.3.1

.gitignore

@@ -53,4 +53,16 @@ devenv.local.nix
 
 # direnv
 .direnv
+
+# Kiro
 .kiro/
+.claude/
+
+# Terraform
+*.tfstate
+*.tfstate.*
+*.tfplan
+*.tfvars
+!*.tfvars.example
+.terraform/
+.terraform.lock.hcl

.spelling

@@ -58,6 +58,9 @@ apis
 versioned
 crds
 argocd
+Argoadmin
+preprovision
+repoint
 dev
 webhooks
 gitops
@@ -142,4 +145,7 @@ cni-tshoot
 resolv
 untolerated
 Workernodes
-Gitea
+Gitea
+kro
+fastpath
+fastpaths

hack/run-tests.sh

@@ -94,6 +94,7 @@ $CONTAINER_CLI run $background_args $dns_args \
   -v $SCRIPT_DIR/../website/docs:/content \
   -v $SCRIPT_DIR/../manifests:/eks-workshop/manifests \
   -e 'EKS_CLUSTER_NAME' -e 'EKS_CLUSTER_AUTO_NAME' -e 'AWS_REGION' -e 'RESOURCES_PRECREATED' -e 'BASE_INBOUND_CIDRS' \
+  -e 'ARGOCD_ADMIN_EMAIL' \
   $aws_credential_args $container_image -g "${actual_glob}" --hook-timeout 3600 --timeout 3600 $output_args ${AWS_EKS_WORKSHOP_TEST_FLAGS} || exit_code=$?
 
 if [ $exit_code -eq 0 ]; then

hack/shell.sh

@@ -44,5 +44,6 @@ $CONTAINER_CLI run --rm $interactive_args $dns_args \
   -v $SCRIPT_DIR/../cluster:/cluster \
   -e "RESET_NO_DELETE=true" \
   -e 'EKS_CLUSTER_NAME' -e 'EKS_CLUSTER_AUTO_NAME' -e 'AWS_REGION' -e 'BASE_INBOUND_CIDRS' \
+  -e 'ARGOCD_ADMIN_EMAIL' \
   -p 8889:8889 \
   $aws_credential_args $container_image $shell_command

lab/bin/reset-environment

@@ -144,35 +144,45 @@ if [ ! -z "$module" ]; then
     logmessage "\n📦 Deploying base application..."
     kubectl apply -k $base_path
 
+    # Stage the lab Terraform on disk every run so we can read outputs
+    # (or apply, if first run) against the kubernetes-secret backend.
+    rm -rf /eks-workshop/terraform
+    mkdir -p /eks-workshop/terraform
+    cp -R $manifests_path/.workshop/terraform/* /eks-workshop/terraform
+    rm -f /eks-workshop/terraform/lab-fastpaths.tf
+
+    mkdir -p /eks-workshop/terraform/lab
+    cp -R $manifests_path/modules/fastpaths/developers/.workshop/terraform/* /eks-workshop/terraform/lab
+    cp $manifests_path/.workshop/terraform/lab-fastpaths.tf /eks-workshop/terraform/lab.tf
+
+    mkdir -p /eks-workshop/terraform-data
+    export TF_DATA_DIR="/eks-workshop/terraform-data"
+    export TF_VAR_eks_cluster_id="$EKS_CLUSTER_NAME"
+    export TF_VAR_eks_cluster_auto_id="$EKS_CLUSTER_AUTO_NAME"
+    export TF_VAR_resources_precreated="false"
+    # eks-capabilities fast path (Lab 2) creates an IAM Identity Center user +
+    # group + membership in terraform; AWS sends an activation email to this
+    # address. Empty default is fine for other fastpaths; the precondition in
+    # argocd-capability.tf guards against an empty value when the
+    # eks-capabilities terraform actually runs.
+    export TF_VAR_argocd_admin_email="${ARGOCD_ADMIN_EMAIL:-}"
+
+    tf_dir=$(realpath --relative-to="$PWD" '/eks-workshop/terraform')
+
     # One-time preprovision: install KEDA, fluent-bit, external-secrets etc.
     TF_PID=""
     if [ "$RESOURCES_PRECREATED" != "true" ]; then
       logmessage "\n🔧 First time setup: provisioning fastpaths infrastructure (this only runs once)..."
 
-      rm -rf /eks-workshop/terraform
-      mkdir -p /eks-workshop/terraform
-      cp -R $manifests_path/.workshop/terraform/* /eks-workshop/terraform
-      rm -f /eks-workshop/terraform/lab-fastpaths.tf
-
-      # Copy lab files BEFORE destroy so it can clean up partial state
-      # from a previously interrupted apply
-      mkdir -p /eks-workshop/terraform/lab
-      cp -R $manifests_path/modules/fastpaths/developers/.workshop/terraform/* /eks-workshop/terraform/lab
-      cp $manifests_path/.workshop/terraform/lab-fastpaths.tf /eks-workshop/terraform/lab.tf
-
-      mkdir -p /eks-workshop/terraform-data
-      export TF_DATA_DIR="/eks-workshop/terraform-data"
-      export TF_VAR_eks_cluster_id="$EKS_CLUSTER_NAME"
-      export TF_VAR_eks_cluster_auto_id="$EKS_CLUSTER_AUTO_NAME"
-      export TF_VAR_resources_precreated="false"
-
-      tf_dir=$(realpath --relative-to="$PWD" '/eks-workshop/terraform')
-
       terraform -chdir="$tf_dir" init -upgrade
       terraform -chdir="$tf_dir" destroy --auto-approve
 
       terraform -chdir="$tf_dir" apply --auto-approve &
       TF_PID=$!
+    else
+      # Already provisioned — just init so we can read outputs from the
+      # kubernetes-backed Terraform state.
+      terraform -chdir="$tf_dir" init -upgrade >/dev/null
     fi
 
     logmessage "\n⏳ Waiting for application to become ready..."
@@ -199,6 +209,16 @@ if [ ! -z "$module" ]; then
       logmessage "\n✅ Fastpaths infrastructure provisioned!"
     fi
 
+    # Export the lab Terraform's `environment_variables` output into the IDE
+    # shell so labs and test hooks can reference values like
+    # EKS_CAP_ACK_CAPABILITY and EKS_CAP_DDB_TABLE. Mirrors the same write
+    # done at the bottom of this script for non-fastpaths labs. Runs whether
+    # or not preprovision just executed, so re-entries pick up the values.
+    terraform -chdir="$tf_dir" output -json \
+      | jq -r '.environment.value | select(. != null)' \
+      > ~/.bashrc.d/workshop-env.bash
+    echo "export INBOUND_CIDRS='${INBOUND_CIDRS}'" >> ~/.bashrc.d/workshop-env.bash
+
     # Save cleanup hook for this module's path (developer or operator)
     rm -rf /eks-workshop/hooks
     # Map content path to manifests path (developer->developers, operator->operators)

lab/iam/iam-role-cfn.yaml

@@ -93,6 +93,17 @@ Resources:
       PolicyDocument:
         file: ./iam/policies/labs4.yaml
 
+  EksWorkshopEksCapabilitiesPolicy:
+    Type: AWS::IAM::ManagedPolicy
+    DependsOn:
+      - EksWorkshopIdeRole
+    Properties:
+      Roles:
+        - !Ref EksWorkshopIdeRole
+      ManagedPolicyName: ${Env}-ide-eks-capabilities
+      PolicyDocument:
+        file: ./iam/policies/eks-capabilities.yaml
+
   EksWorkshopTroubleshootPolicy:
     Type: AWS::IAM::ManagedPolicy
     DependsOn:

lab/iam/policies/eks-capabilities.yaml

@@ -0,0 +1,102 @@
+Version: "2012-10-17"
+Statement:
+  # IAM Identity Center lookup (preprovision data source) and
+  # workshop-scoped user/group lifecycle management for the Argo CD capability
+  # admin group + user the path provisions. The capability itself, when
+  # created, registers an SSO application against the IDC instance, so the
+  # IDE role (the principal calling CreateCapability) needs the application
+  # lifecycle actions too.
+  - Effect: Allow
+    Action:
+      - sso:ListInstances
+      - sso:DescribeInstance
+      - sso:GetApplication
+      - sso:ListApplications
+      - sso:CreateApplication
+      - sso:UpdateApplication
+      - sso:DeleteApplication
+      - sso:PutApplicationGrant
+      - sso:GetApplicationGrant
+      - sso:ListApplicationGrants
+      - sso:DeleteApplicationGrant
+      - sso:PutApplicationAuthenticationMethod
+      - sso:GetApplicationAuthenticationMethod
+      - sso:ListApplicationAuthenticationMethods
+      - sso:DeleteApplicationAuthenticationMethod
+      - sso:PutApplicationAccessScope
+      - sso:GetApplicationAccessScope
+      - sso:ListApplicationAccessScopes
+      - sso:DeleteApplicationAccessScope
+      - sso:PutApplicationAssignmentConfiguration
+      - sso:GetApplicationAssignmentConfiguration
+      - sso:CreateApplicationAssignment
+      - sso:DeleteApplicationAssignment
+      - sso:ListApplicationAssignments
+      - sso:TagResource
+      - sso:UntagResource
+      - sso:ListTagsForResource
+    Resource: ["*"]
+  - Effect: Allow
+    Action:
+      - identitystore:ListUsers
+      - identitystore:ListGroups
+      - identitystore:ListGroupMemberships
+      - identitystore:DescribeUser
+      - identitystore:DescribeGroup
+      - identitystore:DescribeGroupMembership
+    Resource: ["*"]
+  - Effect: Allow
+    Action:
+      - identitystore:CreateUser
+      - identitystore:CreateGroup
+      - identitystore:CreateGroupMembership
+      - identitystore:UpdateUser
+      - identitystore:UpdateGroup
+      - identitystore:DeleteUser
+      - identitystore:DeleteGroup
+      - identitystore:DeleteGroupMembership
+    Resource: ["*"]
+
+  # CodeCommit Git data plane: the lab pages clone, push, and pull against
+  # the seeded repository using git-remote-codecommit. Creation/deletion
+  # is in labs2.yaml; this scope adds the per-commit data ops.
+  - Effect: Allow
+    Action:
+      - codecommit:GitPull
+      - codecommit:GitPush
+      - codecommit:GetBranch
+      - codecommit:GetCommit
+      - codecommit:GetRepository
+      - codecommit:GetFile
+      - codecommit:GetFolder
+      - codecommit:GetReferences
+      - codecommit:ListBranches
+      - codecommit:BatchGetCommits
+      - codecommit:BatchGetRepositories
+      - codecommit:CreateBranch
+      - codecommit:CreateCommit
+      - codecommit:UpdateDefaultBranch
+    Resource:
+      - !Sub arn:aws:codecommit:${AWS::Region}:${AWS::AccountId}:${Env}*
+
+  # EKS Capabilities lifecycle. eks:* in base.yaml is tag-scoped to the
+  # cluster; capability operations work against capability ARNs that don't
+  # carry the same tag at create-time. Granting them explicitly here.
+  - Effect: Allow
+    Action:
+      - eks:CreateCapability
+      - eks:DeleteCapability
+      - eks:DescribeCapability
+      - eks:UpdateCapability
+      - eks:ListCapabilities
+    Resource: ["*"]
+
+  # iam:PassRole for the IAM Capability Roles passed to CreateCapability.
+  - Effect: Allow
+    Action:
+      - iam:PassRole
+    Resource:
+      - !Sub arn:aws:iam::${AWS::AccountId}:role/${Env}*-cap-role
+    Condition:
+      StringEquals:
+        iam:PassedToService: capabilities.eks.amazonaws.com

lab/scripts/installer.sh

@@ -120,6 +120,10 @@ rm -rf flux.tar.gz
 # git-remote
 pip install git-remote-s3
 
+# git-remote-codecommit (used by the EKS capabilities Argo CD fast path to clone
+# CodeCommit repos with ambient AWS credentials via the codecommit:: helper)
+pip install git-remote-codecommit==1.17
+
 # terraform
 download "https://releases.hashicorp.com/terraform/${terraform_version}/terraform_${terraform_version}_linux_${arch_name}.zip" "terraform.zip"
 unzip -o -q terraform.zip -d /tmp

manifests/.workshop/terraform/base.tf

@@ -59,6 +59,13 @@ variable "inbound_cidrs" {
   default     = "0.0.0.0/0"
 }
 
+# tflint-ignore: terraform_unused_declarations
+variable "argocd_admin_email" {
+  description = "Optional email for the Argo CD workshop admin user (fastpaths/eks-capabilities Lab 2). The OTP-based activation flow ignores it; only set this if using email-link activation. Ignored elsewhere."
+  type        = string
+  default     = ""
+}
+
 data "aws_partition" "current" {}
 data "aws_caller_identity" "current" {}
 data "aws_region" "current" {}

manifests/.workshop/terraform/lab-fastpaths.tf

@@ -14,6 +14,7 @@ module "lab" {
   tags                      = local.tags
   resources_precreated      = var.resources_precreated
   inbound_cidrs             = var.inbound_cidrs
+  argocd_admin_email        = var.argocd_admin_email
 }
 
 locals {

manifests/modules/fastpaths/developers/.workshop/terraform/main.tf

@@ -11,4 +11,10 @@ module "preprovision" {
   eks_cluster_auto_id = var.eks_cluster_auto_id
   tags                = var.tags
   inbound_cidrs       = var.inbound_cidrs
+
+  # Empty string means "use the preprovision module's default placeholder".
+  # The preprovision module's default is a non-deliverable placeholder that's
+  # fine for the OTP activation flow; learners only need to override this if
+  # they prefer the email-link activation flow.
+  argocd_admin_email = var.argocd_admin_email != "" ? var.argocd_admin_email : "argocd-admin@example.com"
 }

manifests/modules/fastpaths/developers/.workshop/terraform/outputs.tf

@@ -0,0 +1,4 @@
+output "environment_variables" {
+  description = "Environment variables to be added to the IDE shell"
+  value       = try(module.preprovision[0].environment_variables, {})
+}