From 85bf592dbc77575d2fca57956f8a099dc2505599 Mon Sep 17 00:00:00 2001 From: Mike Baum Date: Mon, 12 Dec 2022 13:14:38 -0500 Subject: [PATCH] Add Enos CI account service quotas limit increase requests to bootstrapping (#18309) --- enos/README.md | 22 ++++++++------- enos/ci/service-user-iam/main.tf | 16 +++++------ enos/ci/service-user-iam/providers.tf | 19 +++++++++++++ enos/ci/service-user-iam/service-quotas.tf | 33 ++++++++++++++++++++++ 4 files changed, 72 insertions(+), 18 deletions(-) create mode 100644 enos/ci/service-user-iam/providers.tf create mode 100644 enos/ci/service-user-iam/service-quotas.tf diff --git a/enos/README.md b/enos/README.md index 2a501719b6..2aef9b9e07 100644 --- a/enos/README.md +++ b/enos/README.md @@ -143,9 +143,9 @@ unzipped Vault binary at the `vault_local_binary_path`. # CI Bootstrap In order to execute any of the scenarios in this repository, it is first necessary to bootstrap the -CI AWS account with the required permissions and supporting AWS resources. There are two Terraform -modules which are used for this purpose, [service-user-iam](./ci/service-user-iam) for the account -permissions and [bootstrap](./ci/bootstrap) for the supporting resources. +CI AWS account with the required permissions, service quotas and supporting AWS resources. There are +two Terraform modules which are used for this purpose, [service-user-iam](./ci/service-user-iam) for +the account permissions, and service quotas and [bootstrap](./ci/bootstrap) for the supporting resources. **Supported Regions** - enos scenarios are supported in the following regions: `"us-east-1", "us-east-2", "us-west-1", "us-west-2"` 
@@ -153,13 +153,16 @@ permissions and [bootstrap](./ci/bootstrap) for the supporting resources. ## Bootstrap Process These steps should be followed to bootstrap this repo for enos scenario execution: -### Set up CI service user IAM role +### Set up CI service user IAM role and Service Quotas The service user that is used when executing enos scenarios from any GitHub Action workflow must have -a properly configured IAM role granting the access required to create resources in AWS. The -[service-user-iam](./ci/service-user-iam) module contains the IAM Policy and Role for that grants -this access. This module should be updated whenever a new AWS resource type is required for a scenario. -Since this is persistent and cannot be created and destroyed each time a scenario is run, the Terraform -state will be managed by Terraform Cloud. Here are the steps to configure the GitHub Actions service user: +a properly configured IAM role granting the access required to create resources in AWS. Additionally, +service quotas need to be adjusted to ensure that normal use of the ci account does not cause any +service quotas to be exceeded. The [service-user-iam](./ci/service-user-iam) module contains the IAM +Policy and Role for that grants this access as well as the service quota increase requests to adjust +the service quotas. This module should be updated whenever a new AWS resource type is required for a +scenario or a service quota limit needs to be increased. Since this is persistent and cannot be created +and destroyed each time a scenario is run, the Terraform state will be managed by Terraform Cloud. +Here are the steps to configure the GitHub Actions service user: #### Pre-requisites - Access to the `hashicorp-qti` organization in Terraform Cloud. 
@@ -185,7 +188,6 @@ state will be managed by Terraform Cloud. Here are the steps to configure the Gi > cd ./enos/ci/service-user-iam > export TF_WORKSPACE=-ci-service-user-iam > export TF_TOKEN_app_terraform_io= -> export TF_VAR_aws_ssh_public_key= > export TF_VAR_repository= > terraform init > terraform plan diff --git a/enos/ci/service-user-iam/main.tf b/enos/ci/service-user-iam/main.tf index e4095e6ee5..1c930962e8 100644 --- a/enos/ci/service-user-iam/main.tf +++ b/enos/ci/service-user-iam/main.tf @@ -12,24 +12,22 @@ terraform { } } -provider "aws" { - region = "us-east-1" -} - locals { enterprise_repositories = ["vault-enterprise"] is_ent = contains(local.enterprise_repositories, var.repository) - ci_account_prefix = local.is_ent ? "vault-enterprise" : "vault" + ci_account_prefix = local.is_ent ? "vault_enterprise" : "vault" service_user = "github_actions-${local.ci_account_prefix}_ci" aws_account_id = local.is_ent ? "505811019928" : "040730498200" } resource "aws_iam_role" "role" { + provider = aws.us_east_1 name = local.service_user assume_role_policy = data.aws_iam_policy_document.assume_role_policy_document.json } data "aws_iam_policy_document" "assume_role_policy_document" { + provider = aws.us_east_1 statement { effect = "Allow" actions = ["sts:AssumeRole"] @@ -42,12 +40,14 @@ data "aws_iam_policy_document" "assume_role_policy_document" { } resource "aws_iam_role_policy" "role_policy" { - role = aws_iam_role.role.name - name = "${local.service_user}_policy" - policy = data.aws_iam_policy_document.iam_policy_document.json + provider = aws.us_east_1 + role = aws_iam_role.role.name + name = "${local.service_user}_policy" + policy = data.aws_iam_policy_document.iam_policy_document.json } data "aws_iam_policy_document" "iam_policy_document" { + provider = aws.us_east_1 statement { effect = "Allow" actions = [ diff --git a/enos/ci/service-user-iam/providers.tf b/enos/ci/service-user-iam/providers.tf new file mode 100644 index 0000000000..09c86d7bae 
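Review bot: Changing `ci_account_prefix` from `vault-enterprise` to `vault_enterprise` changes `local.service_user` and therefore the `name` of `aws_iam_role.role` for the enterprise account; `name` forces replacement on an IAM role, so if the role already exists under the hyphenated name it will be destroyed and recreated, and any workflow or trust relationship that refers to the old name or ARN breaks until it is updated. If the rename is intentional, the README bootstrap steps in this same patch should say so, since that is the cutover an operator has to coordinate; if it is not, the line should stay `ci_account_prefix = local.is_ent ? "vault-enterprise" : "vault"`. Separately, with the default `provider "aws"` block removed, every `aws_*` resource and data block in the module now needs an explicit `provider = aws.<alias>` or it falls back to an implicit, unconfigured default provider; the blocks visible in these two hunks have it, but `data "aws_iam_policy_document" "iam_policy_document"` continues past the hunk and the rest of the module is not visible here, so worth a pass over the whole directory.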
--- /dev/null
+++ b/enos/ci/service-user-iam/providers.tf
@@ -0,0 +1,19 @@
+provider "aws" {
+ region = "us-east-1"
+ alias = "us_east_1"
+}
+
+provider "aws" {
+ region = "us-east-2"
+ alias = "us_east_2"
+}
+
+provider "aws" {
+ region = "us-west-1"
+ alias = "us_west_1"
+}
+
+provider "aws" {
+ region = "us-west-2"
+ alias = "us_west_2"
+}
diff --git a/enos/ci/service-user-iam/service-quotas.tf b/enos/ci/service-user-iam/service-quotas.tf
new file mode 100644
index 0000000000..73a68363d8
--- /dev/null
+++ b/enos/ci/service-user-iam/service-quotas.tf
@@ -0,0 +1,33 @@
+locals {
+ // This is the code of the service quota to request a change for. Each adjustable limit has a
+ // unique code. See, https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/servicequotas_service_quota#quota_code
+ subnets_per_vps_quota = "L-F678F1CE"
+}
+
+resource "aws_servicequotas_service_quota" "vpcs_per_region_us_east_1" {
+ provider = aws.us_east_2
+ quota_code = local.subnets_per_vps_quota
+ service_code = "vpc"
+ value = 50
+}
+
+resource "aws_servicequotas_service_quota" "vpcs_per_region_us_east_2" {
+ provider = aws.us_east_2
+ quota_code = local.subnets_per_vps_quota
+ service_code = "vpc"
+ value = 50
+}
+
+resource "aws_servicequotas_service_quota" "vpcs_per_region_us_west_1" {
+ provider = aws.us_west_1
+ quota_code = local.subnets_per_vps_quota
+ service_code = "vpc"
+ value = 50
+}
+
+resource "aws_servicequotas_service_quota" "vpcs_per_region_us_west_2" {
+ provider = aws.us_west_2
+ quota_code = local.subnets_per_vps_quota
+ service_code = "vpc"
+ value = 50
+}
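Review bot: None of the four provider blocks pins the AWS account it is allowed to operate on, even though `main.tf` derives the intended target (`local.aws_account_id`) from `var.repository`; if the credentials in the environment belong to the other CI account, `terraform apply` will create the service-user role and the quota increase requests there and the state will be written against the wrong account. Adding `allowed_account_ids = [local.aws_account_id]` to each of the four blocks makes a credentials/`var.repository` mismatch fail at plan time instead. A one-line comment at the top of the file explaining why one alias per supported region exists (the quota resources are regional, IAM is applied through `us_east_1` only) would also help the next person who adds a region.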
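Review bot: `aws_servicequotas_service_quota.vpcs_per_region_us_east_1` is wired to `provider = aws.us_east_2`, so us-east-1 never receives its quota increase while us-east-2 gets two identical requests for `L-F678F1CE`; the line should read `provider = aws.us_east_1`. The local is called `subnets_per_vps_quota` while the four resource names and the README describe VPCs per region — one of the two labels is wrong for this quota code, so rename the local to match whatever the code actually governs (for example `vpcs_per_region_quota` if it is the per-region VPC count) and fix the `vps` typo either way. The comment on the local could also say that applying these resources submits a quota increase request against the account, which presumably requires Service Quotas permissions on the applying principal that are not visible in the IAM policy changed by this patch — worth confirming before the bootstrap step is run.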