fix: eks iac issues, document storage class pre-reqs (#812)

## Description

EBS impose a 1Gi size limitation on restored PVCs. This adds a short
note to pre-reqs about checking CSI limitations.

While testing with our EKS IAC I also discovered a few other issues:
- IRSA annotations were not correct
- Config did not properly variablize region
- Config had an unmatched `"` around one of the values
- Gitignore did not exclude terraform/tfstate files that shouldn't be
committed

## Related Issue

Fixes #718

## Type of change

- [x] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)

## Checklist before merging

- [x] Test, docs, adr added or updated as needed
- [x] [Contributor
Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md)
followed

Author: mjnagel

.github/bundles/uds-bundle.yaml

@@ -27,7 +27,7 @@ packages:
               path: credentials.useSecret
             - name: VELERO_IRSA_ANNOTATION
               description: "IRSA ARN annotation to use for Velero"
-              path: serviceAccount.server.annotations.irsa/role-arn
+              path: serviceAccount.server.annotations.eks\.amazonaws\.com/role-arn
       loki:
         loki:
           values:
@@ -52,4 +52,4 @@ packages:
               path: loki.storage.s3.region
             - name: LOKI_IRSA_ANNOTATION
               description: "The irsa role annotation"
-              path: serviceAccount.annotations.irsa/role-arn
+              path: serviceAccount.annotations.eks\.amazonaws\.com/role-arn

.gitignore

@@ -15,3 +15,6 @@ tmp-tasks.yaml
 cacert.b64
 run/
 extract-terraform.sh
+**/.terraform*
+cluster-config.yaml
+**.tfstate

docs/deployment/prerequisites.md

@@ -45,9 +45,11 @@ Several UDS Core components require persistent volumes that will be provisioned
 ```console
 ❯ kubectl get storageclass
 NAME                   PROVISIONER             RECLAIMPOLICY   VOLUMEBINDINGMODE      ALLOWVOLUMEEXPANSION   AGE
-local-path (default)   rancher.io/local-path   Delete          WaitForFirstConsumer   false                  55s
+local-path (default)   rancher.io/local-path   Delete          WaitForFirstConsumer   true                   55s
 ```
 
+It’s generally beneficial if your storage class supports volume expansion (set `allowVolumeExpansion: true`, provided your provisioner allows it). This enables you to resize volumes when needed. Additionally, be mindful of any size restrictions imposed by your provisioner. For instance, EBS volumes have a minimum size of 1Gi, which could lead to unexpected behavior, especially during Velero’s CSI backup and restore process. These constraints may also necessitate adjustments to default PVC sizes, such as Keycloak’s PVCs, which default to 512Mi in `devMode`.
+
 #### Network Policy Support
 
 The UDS Operator will dynamically provision network policies to secure traffic between components in UDS Core. To ensure these are effective, validate that your CNI supports enforcing network policies. In addition, UDS Core makes use of some CIDR based policies for communication with the KubeAPI server. If you are using Cilium, support for node addressability with CIDR based policies must be enabled with a [feature flag](https://docs.cilium.io/en/stable/security/policy/language/#selecting-nodes-with-cidr-ipblock).

tasks/iac.yaml

@@ -25,7 +25,7 @@ tasks:
 
           metadata:
             name: ${CLUSTER_NAME}
-            region: us-west-2
+            region: ${REGION}
             version: "1.30"
             tags:
               PermissionsBoundary: ${PERMISSIONS_BOUNDARY_NAME}
@@ -148,7 +148,7 @@ tasks:
               loki_s3_region: ${LOKI_S3_AWS_REGION}
               loki_irsa_annotation: "${LOKI_S3_ROLE_ARN}"
               velero_use_secret: false
-              velero_irsa_annotation: ${VELERO_S3_ROLE_ARN}"
+              velero_irsa_annotation: "${VELERO_S3_ROLE_ARN}"
               velero_bucket: ${VELERO_S3_BUCKET}
               velero_bucket_region: ${VELERO_S3_AWS_REGION}
               velero_bucket_provider_url: ""