diff --git a/README.md b/README.md
index 43cde32..2e85956 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,39 @@
-# arnol377-cross-account-test
-EKS Cluster Configuration for arnol377-cross-account-test
+# EKS Cluster Configuration - ARNOL377-CROSS-ACCOUNT-TEST - DEV
+
+This EKS cluster configuration was generated using Terraform and the terraform-eks-deployment module.
+
+## Environment Details
+
+- **Environment**: dev
+- **Region**: us-gov-west-1
+- **Cluster Name**: arnol377-cross-account-test
+
+## Directory Structure
+
+## Getting Started
+
+To apply this configuration:
+
+1. Change to the directory of the module you want to deploy:
+ ```
+ cd environment/region/vpc/cluster/eks
+ ```
+
+2. Initialize and apply the Terragrunt configuration:
+ ```
+ terragrunt init
+ terragrunt plan
+ terragrunt apply
+ ```
+
+3. Deploy additional modules as needed:
+ ```
+ cd ../eks-cconfig
+ terragrunt init
+ terragrunt plan
+ terragrunt apply
+ ```
+
+## Customization
+
+Each module can be deployed independently using Terragrunt.
\ No newline at end of file
diff --git a/_envcommon/common-variables.hcl b/_envcommon/common-variables.hcl
new file mode 100644
index 0000000..1ccaf51
--- /dev/null
+++ b/_envcommon/common-variables.hcl
@@ -0,0 +1,82 @@
+# dev/_envcommon/common-variables.hcl
+
+# ---------------------------------------------------------------------------------------------------------------------
+# GLOBAL PARAMETERS
+# These are the variables we pass to use across modules regardless of environment, i.e. these are the parameters
+# that are common across all environments/accounts.
+# ---------------------------------------------------------------------------------------------------------------------
+locals {
+ state_bucket_prefix = "inf-tfstate"
+ state_table_name = "tf_remote_state"
+ environment_abbr = "dev"
+
+ route53_endpoints = {
+ route53_main = {
+ "account_id" = local.route53_info[local.environment_abbr]["account_id"]
+ "alias" = local.route53_info[local.environment_abbr]["alias"]
+ "us-gov-east-1" = local.route53_info[local.environment_abbr]["us-gov-east-1"]
+ "us-gov-west-1" = local.route53_info[local.environment_abbr]["us-gov-west-1"]
+ }
+ route53_main_legacy = {
+ "account_id" = local.route53_info["legacy"]["account_id"]
+ "alias" = local.route53_info["legacy"]["alias"]
+ "us-gov-east-1" = local.route53_info["legacy"]["us-gov-east-1"]
+ "us-gov-west-1" = local.route53_info["legacy"]["us-gov-west-1"]
+ }
+ }
+
+ route53_info = {
+ lab = {
+ "account_id" = "269244441389"
+ "alias" = "lab-gov-network-nonprod"
+ "us-gov-east-1" = "vpc-070595c5b133243dd"
+ "us-gov-west-1" = "vpc-08b7b4db6a5ddf9c1"
+ }
+ dev = {
+ "account_id" = "057405694017"
+ "alias" = "ent-ew-network-prod"
+ "us-gov-east-1" = "vpc-061325b37d748d17a"
+ "us-gov-west-1" = "vpc-0b22b68b90e47cb5f"
+ }
+ prod = {
+ "account_id" = "057405694017"
+ "alias" = "ent-ew-network-prod"
+ "us-gov-east-1" = "vpc-061325b37d748d17a"
+ "us-gov-west-1" = "vpc-0b22b68b90e47cb5f"
+ }
+ legacy = {
+ "account_id" = "107742151971"
+ "alias" = "do2-govcloud"
+ "us-gov-east-1" = "vpc-099a991da7c4eb8a5"
+ "us-gov-west-1" = "vpc-77877a12"
+ }
+ }
+
+ enterprise_ecr_account = {
+ lab = {
+ "account_id" = "269222635945"
+ "alias" = "lab-gov-shared-nonprod"
+ "profile" = "269222635945-lab-gov-shared-nonprod"
+ "region" = "us-gov-east-1"
+ }
+ dev = {
+ "account_id" = "067074201825"
+ "alias" = "ent-gov-shared-prod"
+ "profile" = "067074201825-ent-gov-shared-prod"
+ "region" = "us-gov-east-1"
+ }
+ prod = {
+ "account_id" = "067074201825"
+ "alias" = "ent-gov-shared-prod"
+ "profile" = "067074201825-ent-gov-shared-prod"
+ "region" = "us-gov-east-1"
+ }
+ }
+
+ eecr_info = {
+ account_id = local.enterprise_ecr_account[local.environment_abbr]["account_id"]
+ alias = local.enterprise_ecr_account[local.environment_abbr]["alias"]
+ profile = local.enterprise_ecr_account[local.environment_abbr]["profile"]
+ region = local.enterprise_ecr_account[local.environment_abbr]["region"]
+ }
+}
\ No newline at end of file
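Review bot: In both `route53_info` and `enterprise_ecr_account` the `dev` entry is identical to `prod` (`ent-ew-network-prod` / `ent-gov-shared-prod`), and `environment_abbr = "dev"` selects it, although config.json in this commit places the cluster in `lab-gov-operations-nonprod`. As written, a nonprod lab cluster resolves its cross-account Route 53 and ECR targets to accounts named prod, while a separate `lab` entry exists and is never selected. If sharing the prod accounts is intended, say so next to the `dev` maps with a comment such as `# dev intentionally uses the prod shared-services accounts`; if not, the selector or the `dev` values need to point at the nonprod accounts.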
diff --git a/_envcommon/default-versions.hcl b/_envcommon/default-versions.hcl
new file mode 100644
index 0000000..ab2ae07
--- /dev/null
+++ b/_envcommon/default-versions.hcl
@@ -0,0 +1,225 @@
+# dev/_envcommon/default-versions.hcl
+locals {
+ module_name = basename(get_original_terragrunt_dir())
+ release_version = local.module_versions["2026.03.15"][local.module_name]
+
+ #####################
+ # Module Versions
+ #####################
+ cluster_version = "1.34"
+ eks_module_version = "21.11.1"
+
+ module_versions = {
+ "2025.20.04" = {
+ "eks-arcgis" = false
+ "eks-cert-manager" = "0.1.9"
+ "eks-config" = "1.0.5"
+ "eks-cribl" = "0.0.1"
+ "eks-dns" = "0.1.4"
+ "eks-gatekeeper" = "0.0.3"
+ "eks-grafana" = "0.1.5"
+ "eks-istio" = "1.0.9"
+ "eks-k8s-dashboard" = "0.1.4"
+ "eks-karpenter" = "0.1.7"
+ "eks-keycloak" = "0.0.8"
+ "eks-kiali" = "0.1.4"
+ "eks-loki" = "0.1.4"
+ "eks-metrics-server" = "0.1.4"
+ "eks-otel" = "0.0.4"
+ "eks-pipeline" = "initial"
+ "eks-postgresql" = false
+ "eks-prometheus" = "0.1.4"
+ "eks-tempo" = "0.1.4"
+ "eks" = "1.0.10"
+ "cluster" = "2025.20.04"
+ }
+ "2026.03.15" = {
+ "eks-arcgis" = false
+ "eks-config" = "1.0.6"
+ "eks-cribl" = "mcm_v2"
+ "eks-dns" = "0.1.7"
+ "eks-gatekeeper" = "0.0.4"
+ "eks-grafana" = "0.1.5"
+ "eks-istio" = "1.0.9"
+ "eks-karpenter" = "0.1.9"
+ "eks-keycloak" = "0.0.8"
+ "eks-kiali" = "0.1.5"
+ "eks-loki" = "0.1.6"
+ "eks-otel" = "0.0.4"
+ "eks-pipeline" = "initial"
+ "eks-postgresql" = false
+ "eks-prometheus" = "0.1.5"
+ "eks-tempo" = "0.1.6"
+ "eks" = "1.0.14"
+ "cluster" = "2026.03.15"
+ }
+ }
+
+ submodule_versions = {
+ "tfmod-istio-service-ingress" = "0.1.7"
+ "tfmod-config-job" = "0.1.8"
+ "tfmod-custom-iam-role-for-service-account-eks" = "1.0.1"
+ }
+
+ #####################
+ # Module Enablement
+ #####################
+
+ # Core modules that should always be enabled (cannot be disabled)
+ core_modules = [
+ "eks",
+ "eks-karpenter",
+ "eks-config",
+ "eks-istio",
+ "eks-dns",
+ ]
+
+ # Optional modules with their default enablement state
+ enabled_modules = {
+ "eks-arcgis" = false
+ "eks-cribl" = false
+ "eks-gatekeeper" = true
+ "eks-grafana" = true
+ "eks-keycloak" = true
+ "eks-kiali" = true
+ "eks-loki" = true
+ "eks-otel" = true
+ "eks-pipeline" = false
+ "eks-postgresql" = false
+ "eks-prometheus" = true
+ "eks-tempo" = true
+ }
+
+ #####################
+ # TF Providers
+ #####################
+ aws_version = "6.0"
+ helm_version = "2.11.0"
+ kubernetes_version = "2.33.0"
+ null_version = "3.2.1"
+ random_version = "3.5.1"
+ template_version = "2.2.0"
+ tf_version = "1.5.5"
+
+ #####################
+ # Namespaces Config
+ #####################
+ operator_namespace = "operator"
+ telemetry_namespace = "telemetry"
+ system_namespace = "kube-system"
+ istio_namespace = "istio-system"
+ namespaces = {
+ arcgis = "arcgis"
+ cribl = "cribl"
+ gatekeeper = "keycloak"
+ grafana = local.telemetry_namespace
+ istio = local.istio_namespace
+ karpenter = local.system_namespace
+ keycloak = "keycloak"
+ kiali = local.istio_namespace
+ loki = local.telemetry_namespace
+ misp = "misp"
+ otel = local.telemetry_namespace
+ postgresql = "keycloak"
+ prometheus = local.telemetry_namespace
+ tempo = local.telemetry_namespace
+ }
+
+ #####################
+ # EKS Config
+ #####################
+
+ ################
+ # Cert-Manager
+ ################
+ cluster_issuer_name = "cert-manager"
+
+ #####################
+ # Cribl
+ #####################
+ cribl_chart_version = "4.15.1"
+ cribl_app_version = "4.15.1"
+
+ ################
+ # GoGatekeeper
+ ################
+ gatekeeper_tag = "4.4.0"
+ gatekeeper_chart_version = "0.1.60"
+ gatekeeper_service_name = "gatekeeper"
+
+ ################
+ # Grafana
+ ################
+ grafana_hostname = "grafana"
+ grafana_operator_chart_version = "4.9.8"
+ grafana_operator_tag = "5.16.0"
+ grafana_tag = "11.5.2"
+ os_shell_image_tag = local.utilities_tag
+
+ ################
+ # Istio
+ ################
+ istio_version = "1.28.3"
+
+ ################
+ # Karpenter
+ ################
+ karpenter_helm_chart = "1.8.5"
+ karpenter_tag = "1.8.5"
+
+ ################
+ # Keycloak
+ ################
+ keycloak_chart_version = "7.0.1"
+ keycloak_tag = "26.0.7"
+ postgresql_tag = "17.4.0-debian-12-r4"
+ postgres_exporter_tag = "0.17.1-debian-12-r0"
+ utilities_tag = "1.0.3"
+
+ ################
+ # Kiali
+ ################
+ kiali_operator_version = "2.21.0"
+ kiali_application_version = "${local.kiali_operator_version}"
+
+ ################
+ # Loki
+ ################
+ loki_chart_version = "6.49.0"
+ loki_tag = "3.6.3"
+ enterprise_logs_provisioner_tag = "3.6.2"
+ gateway_tag = "1.29.4"
+ memcached_tag = "1.6.40"
+ exporter_tag = "v0.15.3"
+ sidecar_tag = "2.4.0"
+
+ ################
+ # Open Telemetry
+ ################
+ auto_instrumentation_java_version = "2.9.0"
+ collector_contrib_version = "0.113.0-amd64"
+ collector_version = "0.111.0-amd64"
+ otel_helm_version = "0.71.2"
+ otel_version = "0.110.0"
+ rbac_proxy_version = "0.20.2"
+
+ ################
+ # PostgreSQL
+ ################
+ postgresql_chart_version = "16.5.0"
+
+ ################
+ # Prometheus
+ ################
+ prometheus_chart_version = "28.6.0"
+ prometheus_server_tag = "v3.9.1"
+ prometheus_config_reloader_tag = "v0.88.0"
+ alertmanager_tag = "v0.30.1"
+ pushgateway_tag = "v1.6.2"
+
+ ################
+ # Tempo
+ ################
+ tempo_chart_version = "1.24.3"
+ tempo_tag = "2.9.1"
+}
\ No newline at end of file
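Review bot: The release selected by `release_version` (`module_versions["2026.03.15"]`) has no `eks-cert-manager`, `eks-k8s-dashboard` or `eks-metrics-server` key, and `namespaces` has no `cert-manager` or `k8s-dashboard` key, yet the eks-cert-manager and eks-k8s-dashboard hunks in this commit resolve their source ref and namespace through those names. Unless root.hcl (not shown) supplies them, those lookups fail at evaluation; either restore the entries or drop the module directories. Separately, `"eks-pipeline" = "initial"` and `"eks-cribl" = "mcm_v2"` read like branch names rather than release tags, and the `false` entries would render as `?ref=false`. Because these values become the git `ref` of each module source, pinning every entry to an immutable tag or commit SHA keeps the deployed module code reproducible and reviewable.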
diff --git a/_envcommon/prefixes.hcl b/_envcommon/prefixes.hcl
new file mode 100644
index 0000000..d46f6bb
--- /dev/null
+++ b/_envcommon/prefixes.hcl
@@ -0,0 +1,37 @@
+locals {
+ prefixes = {
+ "ebs" = "v-ebs-"
+ "efs" = "v-efs-"
+ "group" = "g-"
+ "kms" = "k-kms-"
+ "policy" = "p-"
+ "role" = "r-"
+ "s3" = "v-s3-"
+ "security-group" = "" # "sg-"
+ # VPC
+ "customer-gateway" = "cgw-"
+ "dhcp-options" = ""
+ "elastic-ip" = "eip-"
+ "internet-gateway" = "igw-"
+ "log-group" = "lg-"
+ "log-stream" = "lgs-"
+ "nat-gateway" = "nat-"
+ "network-acl" = "nacl-"
+ "route-table" = "route-"
+ "subnet" = ""
+ "vpc-endpoint" = "vpce-"
+ "vpc-peer" = "vpcp-"
+ "vpc" = ""
+ "vpn-connection" = "vpn_"
+ "vpn-gateway" = "vpcg-"
+ # EKS
+ "eks-policy" = "p-eks-"
+ "eks-queue" = "eks-q-"
+ "eks-role" = "r-eks-"
+ "eks-s3" = "v-s3-eks-"
+ "eks-security-group" = "eks-sg-" # "sg-eks-"
+ "eks-user" = "s-eks-"
+ "eks" = "eks-"
+ "eks-event" = "eks-ev-"
+ }
+}
diff --git a/config.json b/config.json
new file mode 100644
index 0000000..1b78ba3
--- /dev/null
+++ b/config.json
@@ -0,0 +1 @@
+{"account":{"account_name":"lab-gov-operations-nonprod","aws_account_id":"036728032133","aws_profile":"lab-gov-operations-nonprod-dev","environment_abbr":"dev"},"cluster":{"CostAllocation":"census:ocio:csvd","cluster_mailing_list":"","cluster_name":"arnol377-cross-account-test","eks_instance_disk_size":200,"eks_ng_desired_size":2,"eks_ng_max_size":10,"eks_ng_min_size":2,"finops_project_name":"","finops_project_number":"","finops_project_role":"","organization":"census:ocio:csvd","tags":{}},"cluster_dir":"arnol377-cross-account-test","enable_all_modules":true,"environment":"dev","modules":{"cribl":false,"gatekeeper":false,"grafana":false,"keycloak":false,"kiali":false,"loki":false,"otel":false,"prometheus":false,"tempo":false},"region":"us-gov-west-1","vpc":{"vpc_domain_name":"dev.inf.csp1.census.gov","vpc_name":"vpc2-lab-common"}}
\ No newline at end of file
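Review bot: `aws_profile` is `lab-gov-operations-nonprod-dev` here, but dev/account.hcl in this commit builds the profile as account id plus account name, which evaluates to `036728032133-lab-gov-operations-nonprod`. Any tool that reads config.json would therefore select a different credential profile than Terragrunt does, which matters in a cross-account setup. `enable_all_modules` is also `true` while every entry under `modules` is `false`, so the intended module set cannot be read from this file alone. Both values should be aligned with the HCL that is generated from them.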
diff --git a/dev/account.hcl b/dev/account.hcl
new file mode 100644
index 0000000..02be842
--- /dev/null
+++ b/dev/account.hcl
@@ -0,0 +1,10 @@
+# dev/environment.hcl
+
+# Set account-wide variables. These are automatically pulled in to configure the remote state bucket in the root
+# terragrunt.hcl configuration.
+locals {
+ account_name = "lab-gov-operations-nonprod"
+ aws_account_id = "036728032133"
+ aws_profile = format("%v-%v", local.aws_account_id, replace(local.account_name, "-ew", "-gov"))
+ environment = "dev"
+}
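Review bot: The header comment names the wrong file; `# dev/environment.hcl` should read `# dev/account.hcl`. In `aws_profile`, `replace(local.account_name, "-ew", "-gov")` is a no-op for `lab-gov-operations-nonprod`, so a one-line comment stating which account names the substitution exists for would help the next reader. The resulting profile name also differs from the `aws_profile` value in config.json in this commit.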
diff --git a/dev/us-gov-west-1/region.hcl b/dev/us-gov-west-1/region.hcl
new file mode 100644
index 0000000..9abc63f
--- /dev/null
+++ b/dev/us-gov-west-1/region.hcl
@@ -0,0 +1,7 @@
+# dev/us-gov-west-1/region.hcl
+
+# Set common variables for the region. This is automatically pulled in in the root terragrunt.hcl configuration to
+# configure the remote state bucket and pass forward to the child modules as inputs.
+locals {
+ aws_region = "us-gov-west-1"
+}
diff --git a/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/cluster.hcl b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/cluster.hcl
new file mode 100644
index 0000000..95d1b65
--- /dev/null
+++ b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/cluster.hcl
@@ -0,0 +1,16 @@
+locals {
+ # Cluster specific configuration
+ cluster_name = "arnol377-cross-account-test"
+ cluster_mailing_list = ""
+ eks_instance_disk_size = 200
+ eks_ng_desired_size = 2
+ eks_ng_max_size = 10
+ eks_ng_min_size = 2
+ organization = "census:ocio:csvd"
+ CostAllocation = "census:ocio:csvd"
+ finops_project_name = ""
+ finops_project_number = ""
+ finops_project_role = ""
+ tags = {}
+ module_enablement_overrides = {"cribl":false,"gatekeeper":false,"grafana":false,"keycloak":false,"kiali":false,"loki":false,"otel":false,"prometheus":false,"tempo":false}
+}
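Review bot: The keys in `module_enablement_overrides` are short names (`gatekeeper`, `keycloak`, …), while `enabled_modules` in _envcommon/default-versions.hcl and the `skip` lookup in each terragrunt.hcl use the directory name (`eks-gatekeeper`, `eks-keycloak`, …). root.hcl is not visible here and may add the prefix when merging; if it does not, none of these overrides match and the modules that default to `true` would still be deployed. Using the same key form in both places, e.g. `"eks-gatekeeper" = false`, removes the ambiguity.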
diff --git a/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-cert-manager/terragrunt.hcl b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-cert-manager/terragrunt.hcl
new file mode 100644
index 0000000..569a355
--- /dev/null
+++ b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-cert-manager/terragrunt.hcl
@@ -0,0 +1,70 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-cert-mgr.git?ref=${include.root.inputs.release_version}"
+
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-config",
+ "../eks-karpenter",
+ "../eks-metrics-server",
+ ]
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+
+ mock_outputs = {
+ cluster_name = include.root.inputs.cluster_name
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ cluster_endpoint = "https://mock-endpoint.eks.amazonaws.com"
+ cluster_version = include.root.inputs.cluster_version
+ }
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+ eecr_info = include.root.inputs.eecr_info
+
+ # Cluster Configuration
+ cluster_name = dependency.eks.outputs.cluster_name
+ cluster_mailing_list = include.root.inputs.cluster_mailing_list
+ oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
+
+ # Cert Manager Configuration
+ cert_manager_helm_chart = include.root.inputs.cert_manager_helm_chart
+ cluster_issuer_name = include.root.inputs.cluster_issuer_name
+ namespace = include.root.inputs.namespaces["cert-manager"]
+
+ # Version Tags
+ cert_manager_cainjector_tag = include.root.inputs.cert_manager_cainjector_tag
+ cert_manager_controller_tag = include.root.inputs.cert_manager_controller_tag
+ cert_manager_startupapicheck_tag = include.root.inputs.cert_manager_startupapicheck_tag
+ cert_manager_webhook_tag = include.root.inputs.cert_manager_webhook_tag
+}
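Review bot: `mock_outputs_allowed_terraform_commands` on the `eks` dependency includes `"destroy"`, so when ../eks has no outputs (never applied, or already destroyed) a destroy of this module runs with the mock `oidc_provider_arn` and `cluster_endpoint` instead of stopping. That may fail in confusing ways against `mock-endpoint` or leave resources behind without a clear error. Restricting the list to `["init", "plan", "validate"]` keeps mocks to commands that do not change infrastructure. The same list appears in every dependency block of the eks-config, eks-dns, eks-gatekeeper, eks-grafana, eks-istio, eks-k8s-dashboard and eks-karpenter hunks.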
diff --git a/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-config/terragrunt.hcl b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-config/terragrunt.hcl
new file mode 100644
index 0000000..5297ebb
--- /dev/null
+++ b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-config/terragrunt.hcl
@@ -0,0 +1,65 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks-configuration.git?ref=${include.root.inputs.release_version}"
+
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+
+ mock_outputs = {
+ cluster_name = "mock-cluster"
+ cluster_endpoint = "https://mock-endpoint.eks.amazonaws.com"
+ cluster_certificate_authority_data = [{ data = "mock-cert-data" }]
+ eks_managed_node_groups_autoscaling_group_names = ["mock-asg-name"]
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ security_group_all_worker_mgmt_id = "sg-mock"
+ subnets = ["subnet-mock1", "subnet-mock2"]
+ vpc_id = "vpc-mock"
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-karpenter",
+ ]
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Core Cluster Configuration
+ cluster_name = dependency.eks.outputs.cluster_name
+ eks_managed_node_groups_autoscaling_group_names = dependency.eks.outputs.eks_managed_node_groups_autoscaling_group_names
+ oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
+ security_group_all_worker_mgmt_id = dependency.eks.outputs.security_group_all_worker_mgmt_id
+ subnets = dependency.eks.outputs.subnets
+ vpc_id = dependency.eks.outputs.vpc_id
+ operators_ns = include.root.inputs.operator_namespace
+ telemetry_ns = include.root.inputs.telemetry_namespace
+}
diff --git a/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-dns/terragrunt.hcl b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-dns/terragrunt.hcl
new file mode 100644
index 0000000..983ab4f
--- /dev/null
+++ b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-dns/terragrunt.hcl
@@ -0,0 +1,71 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks-dns.git?ref=${include.root.inputs.release_version}"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = include.root.inputs.cluster_name
+ subnets = ["subnet-mock1", "subnet-mock2", "subnet-mock3"]
+ }
+}
+
+dependency "eks-istio" {
+ config_path = "../eks-istio"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ istio_ingress_lb = {
+ dns_name = "mock-${include.root.inputs.cluster_name}.elb.amazonaws.com"
+ zone_id = "MOCKZONEID"
+ }
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-istio",
+ ]
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_name = include.root.inputs.cluster_name
+ environment_abbr = include.root.inputs.environment_abbr
+
+ # Network Configuration
+ istio_ingress_lb = dependency.eks-istio.outputs.istio_ingress_lb
+ route53_endpoints = include.root.inputs.route53_endpoints
+ vpc_domain_name = include.root.inputs.vpc_domain_name
+ vpc_name = include.root.inputs.vpc_name
+
+ # Additional Configuration
+ tags = include.root.inputs.tags
+}
diff --git a/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-gatekeeper/terragrunt.hcl b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-gatekeeper/terragrunt.hcl
new file mode 100644
index 0000000..360a4c3
--- /dev/null
+++ b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-gatekeeper/terragrunt.hcl
@@ -0,0 +1,119 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-gatekeeper.git?ref=${include.root.inputs.release_version}"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = "mock-cluster"
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ }
+}
+
+dependency "eks_dns" {
+ config_path = "../eks-dns"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_domain = "mock.example.com"
+ }
+}
+
+dependency "eks_keycloak" {
+ config_path = "../eks-keycloak"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ user_auth_realm = "mock.keycloak.example.com/auth"
+ client_id = "mock-client-id"
+ client_secret = "mock-client-secret"
+ namespace = "keycloak"
+ user_secret = "user-sso"
+ }
+}
+
+dependency "eks-grafana" {
+ config_path = "../eks-grafana"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ namespace = "telemetry"
+ internal_endpoint = {
+ hostname = "kubernetes-dashboard.telemetry.svc.cluster.local"
+ port_number = 80
+ url = "http://kubernetes-dashboard.telemetry.svc.cluster.local:80/"
+ }
+ }
+}
+
+dependency "eks-kiali" {
+ config_path = "../eks-kiali"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ namespace = "istio-system"
+ internal_endpoint = {
+ hostname = "kiali.telemetry.svc.cluster.local"
+ port_number = 80
+ url = "http://kiali.telemetry.svc.cluster.local:80/"
+ }
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-dns",
+ "../eks-keycloak",
+ "../eks-grafana",
+ "../eks-kiali",
+ ]
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ eecr_info = include.root.inputs.eecr_info
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_domain = dependency.eks_dns.outputs.cluster_domain
+ cluster_name = dependency.eks.outputs.cluster_name
+
+ # Gatekeeper Standard Config
+ gatekeeper_chart_version = include.root.inputs.gatekeeper_chart_version
+ gatekeeper_tag = include.root.inputs.gatekeeper_tag
+ keycloak_client_id = dependency.eks_keycloak.outputs.client_id
+ keycloak_client_secret = dependency.eks_keycloak.outputs.client_secret
+ keycloak_fqdn = dependency.eks_keycloak.outputs.user_auth_realm
+ user_secret = dependency.eks_keycloak.outputs.user_secret
+
+ # Grafana Gatekeeper Config
+ grafana_ns = dependency.eks-grafana.outputs.namespace
+ grafana_service_name = "grafana"
+ grafana_url = dependency.eks-grafana.outputs.internal_endpoint.url
+
+ # Kaili Gatekeeper Config
+ kiali_ns = dependency.eks-kiali.outputs.namespace
+ kiali_service_name = "kiali"
+ kiali_url = dependency.eks-kiali.outputs.internal_endpoint.url
+}
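Review bot: `keycloak_client_secret = dependency.eks_keycloak.outputs.client_secret` moves the OIDC client secret between modules as an ordinary dependency output, so it is read out of the eks-keycloak state and is likely to be stored again in this module's state and shown in plan output unless both sides mark it `sensitive`. The inputs already pass `user_secret`, which looks like a secret name; passing a similar reference for the client secret and letting the module read it in-cluster would avoid copying the value, and at minimum the output and the receiving variable should be confirmed as `sensitive = true`. The `eks-grafana` mock endpoint is named `kubernetes-dashboard.telemetry…`, and the `eks-kiali` mock puts the namespace in `istio-system` but the hostname in `telemetry`, which look like copy-paste leftovers. The section comment `# Kaili Gatekeeper Config` should read `# Kiali Gatekeeper Config`.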
diff --git a/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-grafana/terragrunt.hcl b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-grafana/terragrunt.hcl
new file mode 100644
index 0000000..07cc34d
--- /dev/null
+++ b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-grafana/terragrunt.hcl
@@ -0,0 +1,110 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-grafana.git?ref=${include.root.inputs.release_version}"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = include.root.inputs.cluster_name
+ }
+}
+
+dependency "eks_dns" {
+ config_path = "../eks-dns"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_domain = "mock.domain.example.com"
+ }
+}
+
+dependency "eks_loki" {
+ config_path = "../eks-loki"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ rwo_storage_class = "gp3-mocked"
+ gateway_internal_endpoint = {
+ url = "mock.loki.enpoint.example.com"
+ }
+ }
+}
+
+dependency "eks_prometheus" {
+ config_path = "../eks-prometheus"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ prometheus_server_internal_endpoint = {
+ hostname = "prometheus.mock.svc.cluster.local"
+ port_number = "80"
+ url = "https://prometheus.mock.svc.cluster.local:80/"
+ }
+ }
+}
+
+dependency "eks_tempo" {
+ config_path = "../eks-tempo"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ rwo_storage_class = "gp3-mocked"
+ tempo_internal_endpoint = {
+ url = "mock.tempo.enpoint.example.com"
+ }
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-dns",
+ "../eks-loki",
+ "../eks-prometheus",
+ "../eks-tempo"
+ ]
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ eecr_info = include.root.inputs.eecr_info
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_name = dependency.eks.outputs.cluster_name
+ cluster_domain = dependency.eks_dns.outputs.cluster_domain
+
+ # Storage Configuration
+ rwo_storage_class = dependency.eks_loki.outputs.rwo_storage_class
+
+ # Grafana Configuration
+ grafana_operator_chart_version = include.root.inputs.grafana_operator_chart_version
+ grafana_operator_tag = include.root.inputs.grafana_operator_tag
+ grafana_tag = include.root.inputs.grafana_tag
+ namespace = include.root.inputs.namespaces["grafana"]
+ os_shell_image_tag = include.root.inputs.os_shell_image_tag
+ service_name = "grafana"
+ loki_endpoint = dependency.eks_loki.outputs.gateway_internal_endpoint.url
+ prometheus_endpoint = dependency.eks_prometheus.outputs.prometheus_server_internal_endpoint.url
+ tempo_endpoint = dependency.eks_tempo.outputs.tempo_internal_endpoint.url
+}
diff --git a/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-istio/terragrunt.hcl b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-istio/terragrunt.hcl
new file mode 100644
index 0000000..fadb1ae
--- /dev/null
+++ b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-istio/terragrunt.hcl
@@ -0,0 +1,54 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-istio.git?ref=${include.root.inputs.release_version}"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks"
+ ]
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = include.root.inputs.cluster_name
+ }
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ eecr_info = include.root.inputs.eecr_info
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_name = dependency.eks.outputs.cluster_name
+
+ # Istio Configuration
+ namespace = include.root.inputs.namespaces["istio"]
+ istio_version = include.root.inputs.istio_version
+ istio_chart_version = include.root.inputs.istio_version
+}
diff --git a/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-k8s-dashboard/terragrunt.hcl b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-k8s-dashboard/terragrunt.hcl
new file mode 100644
index 0000000..9527e5f
--- /dev/null
+++ b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-k8s-dashboard/terragrunt.hcl
@@ -0,0 +1,66 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-k8s-dashboard.git?ref=${include.root.inputs.release_version}"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-dns",
+ ]
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = include.root.inputs.cluster_name
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ }
+}
+
+dependency "eks_dns" {
+ config_path = "../eks-dns"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_domain = "mock.example.com"
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ }
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+ eecr_info = include.root.inputs.eecr_info
+
+ # Cluster Configuration
+ cluster_domain = dependency.eks_dns.outputs.cluster_domain
+ cluster_name = dependency.eks.outputs.cluster_name
+
+ # Dashboard Configuration
+ service_name = include.root.inputs.dashboard_hostname
+ k8s_dashboard_version = include.root.inputs.k8s_dashboard_version
+ namespace = include.root.inputs.namespaces["k8s-dashboard"]
+}
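Review bot: `skip` falls back to `true` (enabled) when the directory name is missing from `is_module_enabled`, and `eks-k8s-dashboard` appears in neither `core_modules` nor `enabled_modules` in _envcommon/default-versions.hcl. Unless root.hcl (not shown) adds it, this module is deployed by default, which is a weak default for a cluster dashboard; `lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), false)` would make unlisted modules opt-in. The same `true` default is used in the other terragrunt.hcl files in this commit, and eks-cert-manager is in the same unlisted position. The `eks_dns` mock also carries an `oidc_provider_arn` that `inputs` never reads.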
diff --git a/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-karpenter/terragrunt.hcl b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-karpenter/terragrunt.hcl
new file mode 100644
index 0000000..fc8d924
--- /dev/null
+++ b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-karpenter/terragrunt.hcl
@@ -0,0 +1,66 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-karpenter.git?ref=${include.root.inputs.release_version}"
+
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ ]
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = "mock-cluster"
+ cluster_endpoint = "https://mock-endpoint.eks.amazonaws.com"
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ node_group_name = "mock-node-group"
+ vpc_id = "vpc-mock"
+ subnets = ["subnet-mock1", "subnet-mock2"]
+ }
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+ eecr_info = include.root.inputs.eecr_info
+
+ # Cluster Configuration
+ cluster_endpoint = dependency.eks.outputs.cluster_endpoint
+ cluster_name = dependency.eks.outputs.cluster_name
+ oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
+ vpc_id = dependency.eks.outputs.vpc_id
+ subnets = dependency.eks.outputs.subnets
+
+ # Karpenter Configuration
+ karpenter_tag = include.root.inputs.karpenter_tag
+ karpenter_helm_chart = include.root.inputs.karpenter_helm_chart
+ karpenter_node_group_name = dependency.eks.outputs.node_group_name
+ namespace = include.root.inputs.namespaces["karpenter"]
+ create_spot_service_linked_role = false
+}
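Review bot: `mock_outputs_allowed_terraform_commands` on the `eks` dependency includes `"destroy"`, so a destroy run while `../eks` has no outputs would, as far as Terragrunt's documented behaviour goes, proceed with the placeholder values (`mock-cluster`, `vpc-mock`, the `123456789012` ARN) instead of stopping. Limiting the list to `["init", "plan", "validate"]` makes Terragrunt fail in that situation, which is the safer outcome for a teardown. The same list appears in the dependency blocks of the eks-keycloak, eks-kiali, eks-loki, eks-metrics-server and eks-prometheus hunks, and in the partially visible k8s-dashboard and eks-tempo hunks.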
diff --git a/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-keycloak/terragrunt.hcl b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-keycloak/terragrunt.hcl
new file mode 100644
index 0000000..f17489e
--- /dev/null
+++ b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-keycloak/terragrunt.hcl
@@ -0,0 +1,78 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-keycloak.git?ref=${include.root.inputs.release_version}"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = "mock-cluster"
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ }
+}
+
+dependency "eks_config" {
+ config_path = "../eks-config"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ rwo_storage_class = "gp3-mock"
+ }
+}
+
+dependency "eks_dns" {
+ config_path = "../eks-dns"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_domain = "mock.example.com"
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-config",
+ "../eks-dns",
+ "../eks-prometheus",
+ ]
+}
+
+inputs = {
+ cluster_domain = dependency.eks_dns.outputs.cluster_domain
+ cluster_name = dependency.eks.outputs.cluster_name
+ eecr_info = include.root.inputs.eecr_info
+ namespace = include.root.inputs.namespaces["keycloak"]
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # keycloak config
+ default_storage_class = dependency.eks_config.outputs.rwo_storage_class
+ keycloak_chart_version = include.root.inputs.keycloak_chart_version
+ keycloak_tag = include.root.inputs.keycloak_tag
+ realm_email = include.root.inputs.cluster_mailing_list
+ realm_name = "master"
+ service_name = "keycloak"
+ telemetry_namespace = include.root.inputs.telemetry_namespace
+ admin_email = include.root.inputs.cluster_mailing_list
+
+}
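Review bot: `realm_name = "master"` in `inputs` points the module at Keycloak's built-in administrative realm, which Keycloak's own guidance reserves for managing the server rather than for hosting application users and clients. What tfmod-keycloak does with `realm_name` is not visible in this diff, so this may be intentional. If the module creates clients or users in that realm, they would share it with the server-admin roles. Consider supplying a dedicated realm name from the root inputs, or, if `master` must stay, record the reason next to the line, e.g. `# master realm: bootstrap admin only, no application clients`.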
diff --git a/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-kiali/terragrunt.hcl b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-kiali/terragrunt.hcl
new file mode 100644
index 0000000..9d6d3bf
--- /dev/null
+++ b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-kiali/terragrunt.hcl
@@ -0,0 +1,131 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-kiali.git?ref=${include.root.inputs.release_version}"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = "mock-cluster"
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ }
+}
+
+dependency "eks_config" {
+ config_path = "../eks-config"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ rwo_storage_class = "gp3-mock"
+ }
+}
+
+dependency "eks_dns" {
+ config_path = "../eks-dns"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_domain = "mock.example.com"
+ }
+}
+
+dependency "eks_grafana" {
+ config_path = "../eks-grafana"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ internal_endpoint = {
+ hostname = "grafana.mock.svc.cluster.local"
+ port_number = "80"
+ url = "https://grafana.mock.svc.cluster.local:80/"
+ }
+ namespace = "grafana"
+ secret_name = "grafana"
+ tempo_datasource_id = "mock-tempo-datasource-id"
+ }
+}
+
+dependency "eks_prometheus" {
+ config_path = "../eks-prometheus"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ prometheus_server_internal_endpoint = {
+ hostname = "prometheus.mock.svc.cluster.local"
+ port_number = "80"
+ url = "https://prometheus.mock.svc.cluster.local:80/"
+ }
+ }
+}
+
+dependency "eks_tempo" {
+ config_path = "../eks-tempo"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ tempo_internal_endpoint = {
+ hostname = "tempo.mock.svc.cluster.local"
+ port_number = "80"
+ url = "https://tempo.mock.svc.cluster.local:80/"
+ }
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-config",
+ "../eks-grafana",
+ "../eks-istio",
+ "../eks-prometheus",
+ "../eks-tempo",
+ ]
+}
+
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ eecr_info = include.root.inputs.eecr_info
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_domain = dependency.eks_dns.outputs.cluster_domain
+ cluster_name = dependency.eks.outputs.cluster_name
+ certificate_issuer = include.root.inputs.cluster_issuer_name
+
+ # Kiali Configuration
+ service_name = "kiali"
+ namespace = include.root.inputs.namespaces["kiali"]
+ istio_namespace = include.root.inputs.namespaces["istio"]
+ grafana_internal_url = dependency.eks_grafana.outputs.internal_endpoint.url
+ grafana_namespace = dependency.eks_grafana.outputs.namespace
+ grafana_secret_name = dependency.eks_grafana.outputs.secret_name
+
+ kiali_application_version = include.root.inputs.kiali_application_version
+ kiali_operator_version = include.root.inputs.kiali_operator_version
+
+ prometheus_internal_url = dependency.eks_prometheus.outputs.prometheus_server_internal_endpoint.url
+ grafana_namespace = dependency.eks_grafana.outputs.namespace
+ grafana_secret_name = dependency.eks_grafana.outputs.secret_name
+ grafana_internal_url = dependency.eks_grafana.outputs.internal_endpoint.url
+ tempo_datasource_id = dependency.eks_grafana.outputs.tempo_datasource_id
+ tempo_internal_url = dependency.eks_tempo.outputs.tempo_internal_endpoint.url
+}
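Review bot: `grafana_internal_url`, `grafana_namespace` and `grafana_secret_name` are each assigned twice in `inputs`, once under "Kiali Configuration" and again after `prometheus_internal_url`. Both copies currently carry the same expression, so the result is unchanged today. A later edit to only one copy would be silently overridden or rejected, depending on how the parser treats duplicate keys. Drop the second set, i.e. the three `grafana_*` lines between `prometheus_internal_url` and `tempo_datasource_id`.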
diff --git a/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-loki/terragrunt.hcl b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-loki/terragrunt.hcl
new file mode 100644
index 0000000..724d853
--- /dev/null
+++ b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-loki/terragrunt.hcl
@@ -0,0 +1,66 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-loki.git?ref=${include.root.inputs.release_version}"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = "mock-cluster"
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ }
+}
+
+dependency "eks_config" {
+ config_path = "../eks-config"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ rwo_storage_class = "gp3-mock"
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-config",
+ ]
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ eecr_info = include.root.inputs.eecr_info
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_name = dependency.eks.outputs.cluster_name
+ oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
+
+ # Loki Configuration
+ loki_chart_version = include.root.inputs.loki_chart_version
+ loki_tag = include.root.inputs.loki_tag
+ namespace = include.root.inputs.namespaces["loki"]
+ rwo_storage_class = dependency.eks_config.outputs.rwo_storage_class
+}
diff --git a/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-metrics-server/terragrunt.hcl b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-metrics-server/terragrunt.hcl
new file mode 100644
index 0000000..241bbc5
--- /dev/null
+++ b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-metrics-server/terragrunt.hcl
@@ -0,0 +1,54 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-metrics-server.git?ref=${include.root.inputs.release_version}"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = "mock-cluster"
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ ]
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ eecr_info = include.root.inputs.eecr_info
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_name = dependency.eks.outputs.cluster_name
+
+ # Metrics Server Configuration
+ metrics_server_helm_chart = include.root.inputs.metrics_server_helm_chart
+ metrics_server_tag = include.root.inputs.metrics_server_tag
+ namespace = include.root.inputs.namespaces["metrics-server"]
+}
diff --git a/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-otel/terragrunt.hcl b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-otel/terragrunt.hcl
new file mode 100644
index 0000000..a8a7d7c
--- /dev/null
+++ b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-otel/terragrunt.hcl
@@ -0,0 +1,85 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-open-telemetry.git?ref=${include.root.inputs.release_version}"
+ # source = "../../../../../../../tfmod-open-telemetry"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs = {
+ cluster_name = "a-cluster-name"
+ }
+}
+
+dependency "eks-loki" {
+ config_path = "../eks-loki"
+ mock_outputs = {
+ gateway_internal_endpoint = {
+ hostname = "loki-gateway.mock.svc.cluster.local"
+ portNumber = 3210
+ url = "http://loki-gateway.mock.svc.cluster.local:3210/"
+ }
+ }
+}
+
+dependency "eks-tempo" {
+ config_path = "../eks-tempo"
+ mock_outputs = {
+ tempo_otlp_endpoint = {
+ hostname = "tempo.mock.svc.cluster.local"
+ portNumber = 1234
+ url = "http://tempo.mock.svc.cluster.local:1234/"
+ }
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-loki",
+ "../eks-prometheus",
+ "../eks-tempo"
+ ]
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ eecr_info = include.root.inputs.eecr_info
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Clouster Config
+ cluster_name = dependency.eks.outputs.cluster_name
+
+ # OTEL Configuration
+ namespace = include.root.inputs.namespaces["otel"]
+ loki_endpoint = dependency.eks-loki.outputs.gateway_internal_endpoint.url
+ tempo_endpoint = dependency.eks-tempo.outputs.tempo_otlp_endpoint.url
+ # Image Version
+ auto_instrumentation_java_version = include.root.inputs.auto_instrumentation_java_version
+ collector_contrib_version = include.root.inputs.collector_contrib_version
+ collector_version = include.root.inputs.collector_version
+ otel_helm_version = include.root.inputs.otel_helm_version
+ rbac_proxy_version = include.root.inputs.rbac_proxy_version
+}
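Review bot: The three `dependency` blocks (`eks`, `eks-loki`, `eks-tempo`) define `mock_outputs` without `mock_outputs_allowed_terraform_commands`, unlike the other modules in this commit, so the mocks are not restricted to planning commands. If `../eks-loki` or `../eks-tempo` has no outputs at apply time, the collector could be configured with `http://loki-gateway.mock.svc.cluster.local:3210/` or the Tempo mock URL, and telemetry would be dropped without any error. Add `mock_outputs_allowed_terraform_commands = ["init", "plan", "validate"]` to each block. Separately, the comment `# Clouster Config` should read `# Cluster Configuration`.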
diff --git a/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-pipeline/terragrunt.hcl b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-pipeline/terragrunt.hcl
new file mode 100644
index 0000000..8d705a7
--- /dev/null
+++ b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-pipeline/terragrunt.hcl
@@ -0,0 +1,100 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled OR if running in CodeBuild (to avoid circular dependency)
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true) || get_env("CODEBUILD_BUILD_ID", "") != ""
+
+ artifact_bucket = format("%v%v-%v-%v-%v",
+ include.root.inputs.prefixes["eks-s3"],
+ include.root.inputs.cluster_name,
+ "artifacts",
+ include.root.inputs.aws_account_id,
+ join("", [for c in split("-", include.root.inputs.aws_region) : substr(c, 0, 1)]))
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-pipeline.git?ref=${include.root.inputs.release_version}"
+
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+inputs = {
+ account_id = include.root.inputs.aws_account_id
+ cluster_name = include.root.inputs.cluster_name
+ environment = include.root.inputs.environment_abbr
+ region = include.root.inputs.aws_region
+ state_bucket_prefix = include.root.inputs.state_bucket_prefix
+
+ # VPC Configuration
+ vpc_name = include.root.inputs.vpc_name
+ subnet_filter = "*-container-*" # or any specific pattern you want to use
+
+ is_infrastructure_pipeline = true
+
+ # Updated to use buildspecs from the platform-tg-infra repository
+ # made deploy-to-pipeline will update them from tfmod-pipeline module
+ buildspec_template_path = "buildspecs"
+
+ build_configuration = {
+ compute_type = "BUILD_GENERAL1_LARGE"
+ image = "aws/codebuild/amazonlinux-x86_64-standard:5.0"
+ buildspec_path = "build.yml"
+ privileged_mode = true
+ environment_variables = {
+ ARTIFACT_BUCKET = local.artifact_bucket
+ TERRAGRUNT_PATH = "lab/${include.root.inputs.environment}/${include.root.inputs.aws_region}/vpc/${include.root.inputs.cluster_name}"
+ REGION = include.root.inputs.aws_region
+ ENVIRONMENT = include.root.inputs.environment_abbr
+ AWS_ACCOUNT_ID = include.root.inputs.aws_account_id
+ PROXY_CONFIG = "http://vlab-proxy.tco.census.gov:3128"
+ }
+ }
+
+ security_scan_configuration = {
+ compute_type = "BUILD_GENERAL1_MEDIUM"
+ image = "aws/codebuild/amazonlinux-x86_64-standard:5.0"
+ buildspec_path = "security.yml"
+ environment_variables = {
+ ARTIFACT_BUCKET = local.artifact_bucket
+ TERRAGRUNT_PATH = "lab/${include.root.inputs.environment}/${include.root.inputs.aws_region}/vpc/${include.root.inputs.cluster_name}"
+ REGION = include.root.inputs.aws_region
+ ENVIRONMENT = include.root.inputs.environment_abbr
+ AWS_ACCOUNT_ID = include.root.inputs.aws_account_id
+ PROXY_CONFIG = "http://vlab-proxy.tco.census.gov:3128"
+ }
+ }
+
+ approval_configuration = {
+ enabled = true
+ notify_emails = [include.root.inputs.cluster_mailing_list]
+ custom_message = "Please review and approve infrastructure changes to the CSVD platform"
+ }
+
+ deployment_configuration = {
+ target_type = "Build"
+ compute_type = "BUILD_GENERAL1_MEDIUM"
+ image = "aws/codebuild/amazonlinux-x86_64-standard:5.0"
+ buildspec_path = "deploy.yml"
+ environment_variables = {
+ ARTIFACT_BUCKET = local.artifact_bucket
+ TERRAGRUNT_PATH = "lab/${include.root.inputs.environment}/${include.root.inputs.aws_region}/vpc/${include.root.inputs.cluster_name}"
+ REGION = include.root.inputs.aws_region
+ ENVIRONMENT = include.root.inputs.environment_abbr
+ AWS_ACCOUNT_ID = include.root.inputs.aws_account_id
+ PROXY_CONFIG = "http://vlab-proxy.tco.census.gov:3128"
+ }
+ }
+}
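Review bot: `privileged_mode = true` in `build_configuration` runs the CodeBuild build container with elevated privileges, which is normally needed only when the buildspec starts a Docker daemon to build images. `build.yml` is not part of this diff, so whether it does that cannot be confirmed here; the stage presumably runs Terragrunt with the pipeline's role, which makes the extra privilege worth justifying. If no image build takes place, set `privileged_mode = false`; otherwise add a comment such as `# privileged: build.yml runs docker build` so the exception is documented.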
diff --git a/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-prometheus/README.md b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-prometheus/README.md
new file mode 100644
index 0000000..bbbffb2
--- /dev/null
+++ b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-prometheus/README.md
@@ -0,0 +1,198 @@
+## eks-prometheus
+This module deploys EKS kubeenetes prometheus inside existing EKS cluster. Prometheus is an open-source systems monitoring and alerting tool.
+This module consisits of 4 components. It creates prometheus namespace and copies image repositories for the following components from quay.io into local account ECR repository. It deploys these components using helm charts using the configured ECR repositories.
+ 1. prometheus-alert-manager
+ 2. prometheus-node-exporter
+ 3. prometheus-pushgateway
+ 4. prometheus-server
+
+### Dependencies
+This module is dependent on EKS module (eks). The cluster should exist already for this module to work.
+
+### Inputs
+ cluster_name
+ profile
+ prometheus_chart_version
+ prometheus_server_tag
+ prometheus_config_reloader_tag
+ alertmanager_tag
+ kube_state_metrics_tag
+ node_exporter_tag
+ pushgateway_tag
+ rwo_storage_class
+
+### Outputs
+ alertmanager_internal_endpoint
+ alertmanager_headless_internal_endpoint
+ pushgateway_internal_endpoint
+ prometheus_server_internal_endpoint
+
+### Issues observed/fixed
+1. The rwo_storage_class value had to be updated from "gp3" to "gp3-encrypted"
+2. The node_exporter_tag value had to be updated from "1.6.1" to "v1.8.1"
+3. The kube_state_metrics_tag value had to be updated from "2.10.0" to "v2.6.0"
+4. The alertmanager_tag value had to be updated from
+5. The helm chart set config for the ecr image had to be split into 2 components, one for registry and other for repository as an example mentioned below:
+
+ ```
+ set {
+ name = "kube-state-metrics.image.registry"
+ value = module.images.images[local.ksm_key].dest_registry
+ }
+ set {
+ name = "kube-state-metrics.image.repository"
+ value = module.images.images[local.ksm_key].dest_repository
+ }
+ ```
+
+6. In some other cases the image ecr repository had to be split by the colon separatory (:)
+
+ ```
+ set {
+ name = "alertmanager.configmapReload.image.repository"
+ value = split(":", module.images.images[local.prom_config_reload_key].dest_full_path)[0]
+ }
+ ```
+
+### Chart Notes
+ 1. Get the application URL by running these commands:
+
+ ```bash
+ export POD_NAME=$(kubectl get pods --namespace prometheus -l "app.kubernetes.io/name=prometheus-pushgateway,app.kubernetes.io/instance=prometheus" -o jsonpath="{.items[0].metadata.name}")
+ kubectl port-forward $POD_NAME 9091
+ echo "Visit http://127.0.0.1:9091 to use your application"
+ ```
+
+ The Prometheus server can be accessed via port 80 on the following DNS name from within your cluster:
+ prometheus-server.prometheus.svc.cluster.local
+
+
+ Get the Prometheus server URL by running these commands in the same shell:
+
+ ```bash
+ export POD_NAME=$(kubectl get pods --namespace prometheus -l "app.kubernetes.io/name=prometheus,app.kubernetes.io/instance=prometheus" -o jsonpath="{.items[0].metadata.name}")
+ kubectl --namespace prometheus port-forward $POD_NAME 9090
+ ```
+
+ The Prometheus alertmanager can be accessed via port 9093 on the following DNS name from within your cluster:
+ `prometheus-alertmanager.prometheus.svc.cluster.local`
+
+
+ Get the Alertmanager URL by running these commands in the same shell:
+
+ ```bash
+ export POD_NAME=$(kubectl get pods --namespace prometheus -l "app.kubernetes.io/name=alertmanager,app.kubernetes.io/instance=prometheus" -o jsonpath="{.items[0].metadata.name}")
+ kubectl --namespace prometheus port-forward $POD_NAME 9093
+ ```
+
+ #################################################################################
+ ###### WARNING: Pod Security Policy has been disabled by default since #####
+ ###### it deprecated after k8s 1.25+. use #####
+ ###### (index .Values "prometheus-node-exporter" "rbac" #####
+ ###### "pspEnabled") with (index .Values #####
+ ###### "prometheus-node-exporter" "rbac" "pspAnnotations") #####
+ ###### in case you still need it. #####
+ #################################################################################
+
+
+ The Prometheus PushGateway can be accessed via port 9091 on the following DNS name from within your cluster:
+ `prometheus-prometheus-pushgateway.prometheus.svc.cluster.local`
+
+
+ Get the PushGateway URL by running these commands in the same shell:
+
+ ```bash
+ export POD_NAME=$(kubectl get pods --namespace prometheus -l "app=prometheus-pushgateway,component=pushgateway" -o jsonpath="{.items[0].metadata.name}")
+ kubectl --namespace prometheus port-forward $POD_NAME 9091
+ ```
+
+ For more information on running Prometheus, visit:
+ https://prometheus.io/
+
+ kube-state-metrics is a simple service that listens to the Kubernetes API server and generates metrics about the state of the objects.
+ The exposed metrics can be found here:
+ https://github.com/kubernetes/kube-state-metrics/blob/master/docs/README.md#exposed-metrics
+
+ The metrics are exported on the HTTP endpoint /metrics on the listening port.
+ In your case, `prometheus-kube-state-metrics.prometheus.svc.cluster.local:8080/metrics`
+
+ They are served either as plaintext or protobuf depending on the Accept header.
+ They are designed to be consumed either by Prometheus itself or by a scraper that is compatible with scraping a Prometheus client endpoint.
+
+ 1. Get the application URL by running these commands:
+
+ ```bash
+ export POD_NAME=$(kubectl get pods --namespace prometheus -l "app.kubernetes.io/name=alertmanager,app.kubernetes.io/instance=prometheus" -o jsonpath="{.items[0].metadata.name}")
+ echo "Visit http://127.0.0.1:9093 to use your application"
+ kubectl --namespace prometheus port-forward $POD_NAME 9093:80
+ ```
+
+ 1. Get the application URL by running these commands:
+
+ ```bash
+ export POD_NAME=$(kubectl get pods --namespace prometheus -l "app.kubernetes.io/name=prometheus-node-exporter,app.kubernetes.io/instance=prometheus" -o jsonpath="{.items[0].metadata.name}")
+ echo "Visit http://127.0.0.1:9100 to use your application"
+ kubectl port-forward --namespace prometheus $POD_NAME 9100
+ ```
+
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 0.13 |
+| [aws](#requirement\_aws) | >= 5.14.0 |
+| [helm](#requirement\_helm) | >= 2.11.0 |
+| [kubernetes](#requirement\_kubernetes) | >= 2.23.0 |
+| [null](#requirement\_null) | >= 3.2.1 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [helm](#provider\_helm) | >= 2.11.0 |
+| [kubernetes](#provider\_kubernetes) | >= 2.23.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [images](#module\_images) | git@github.e.it.census.gov:terraform-modules/aws-ecr-copy-images.git/ | tf-upgrade |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [helm_release.prometheus](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [kubernetes_namespace.ns](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [kubernetes_namespace.existing-ns](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/data-sources/namespace) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [alertmanager\_tag](#input\_alertmanager\_tag) | The image tag of the alertmanager image. | `string` | `"v0.27.0"` | no |
+| [cluster\_name](#input\_cluster\_name) | The name of the cluster into which prometheus will be installed. | `string` | n/a | yes |
+| [create\_namespace](#input\_create\_namespace) | Indicates whether the `namespace` needs to be created ('true') or already exists (not `true`) | `bool` | `true` | no |
+| [kube\_state\_metrics\_tag](#input\_kube\_state\_metrics\_tag) | The image tag of the kube-state-metrics image. | `string` | `"v2.13.0"` | no |
+| [namespace](#input\_namespace) | The namespace to install the prometheus components. Defaults to 'prometheus' | `string` | `"prometheus"` | no |
+| [node\_exporter\_tag](#input\_node\_exporter\_tag) | The image tag of the node-exporter image. | `string` | `"v1.8.2"` | no |
+| [profile](#input\_profile) | AWS\_PROFILE to use to apply the terraform script. | `string` | `""` | no |
+| [prometheus\_chart\_version](#input\_prometheus\_chart\_version) | The version of prometheus to install into the cluster. | `string` | `"25.24.1"` | no |
+| [prometheus\_config\_reloader\_tag](#input\_prometheus\_config\_reloader\_tag) | The image tag of the prometheus-config-reloader image. | `string` | `"v0.75.1"` | no |
+| [prometheus\_server\_tag](#input\_prometheus\_server\_tag) | The image tag of prometheus server to install into the cluster. | `string` | `"v2.53.1"` | no |
+| [pushgateway\_tag](#input\_pushgateway\_tag) | The image tag of the pushgateway image. | `string` | `"v1.9.0"` | no |
+| [rwo\_storage\_class](#input\_rwo\_storage\_class) | Specify the storage class for read/write/once persistent volumes. | `string` | `"gp3-encrypted"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [alertmanager\_headless\_internal\_endpoint](#output\_alertmanager\_headless\_internal\_endpoint) | n/a |
+| [alertmanager\_internal\_endpoint](#output\_alertmanager\_internal\_endpoint) | n/a |
+| [module\_name](#output\_module\_name) | The name of this module. |
+| [module\_version](#output\_module\_version) | The version of this module. |
+| [prometheus\_namespace](#output\_prometheus\_namespace) | n/a |
+| [prometheus\_server\_internal\_endpoint](#output\_prometheus\_server\_internal\_endpoint) | n/a |
+| [pushgateway\_internal\_endpoint](#output\_pushgateway\_internal\_endpoint) | n/a |
+
diff --git a/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-prometheus/terragrunt.hcl b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-prometheus/terragrunt.hcl
new file mode 100644
index 0000000..f968797
--- /dev/null
+++ b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-prometheus/terragrunt.hcl
@@ -0,0 +1,70 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-prometheus.git?ref=${include.root.inputs.release_version}"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-config",
+ "../eks-karpenter",
+ ]
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = include.root.inputs.cluster_name
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ }
+}
+
+dependency "eks_config" {
+ config_path = "../eks-config"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ rwo_storage_class = "gp3-encyrpted"
+ }
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ eecr_info = include.root.inputs.eecr_info
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_name = dependency.eks.outputs.cluster_name
+ oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
+
+ # Prometheus Configuration
+ alertmanager_tag = include.root.inputs.alertmanager_tag
+ namespace = include.root.inputs.namespaces["prometheus"]
+ prometheus_chart_version = include.root.inputs.prometheus_chart_version
+ prometheus_config_reloader_tag = include.root.inputs.prometheus_config_reloader_tag
+ prometheus_server_tag = include.root.inputs.prometheus_server_tag
+ pushgateway_tag = include.root.inputs.pushgateway_tag
+ rwo_storage_class = dependency.eks_config.outputs.rwo_storage_class
+}
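Review bot: The `eks_config` mock sets `rwo_storage_class = "gp3-encyrpted"`, a misspelling of the `gp3-encrypted` class named in this module's README. Because mocks are allowed for `plan` and `destroy`, a plan against an unapplied `../eks-config` would show a storage class name that does not exist, which hides the real value from whoever reviews the plan. Change the line to `rwo_storage_class = "gp3-encrypted"`.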
diff --git a/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-tempo/terragrunt.hcl b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-tempo/terragrunt.hcl
new file mode 100644
index 0000000..71dd0a1
--- /dev/null
+++ b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-tempo/terragrunt.hcl
@@ -0,0 +1,75 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-tempo.git?ref=${include.root.inputs.release_version}"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = include.root.inputs.cluster_name
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ }
+}
+
+dependency "eks-prometheus" {
+ config_path = "../eks-prometheus"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ prometheus_namespace = "prometheus"
+ prometheus_server_internal_endpoint = {
+ hostname = "prometheus-server.mock.svc.cluster.local"
+ port_number = 9090
+ url = "http://prometheus-server.mock.svc.cluster.local:9090/"
+ }
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-prometheus"
+ ]
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ eecr_info = include.root.inputs.eecr_info
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_name = dependency.eks.outputs.cluster_name
+ oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
+
+ # Prometheus Configuration
+ prometheus_namespace = dependency.eks-prometheus.outputs.prometheus_namespace
+ prometheus_port = dependency.eks-prometheus.outputs.prometheus_server_internal_endpoint.port_number
+
+ # Tempo Configuration
+ tempo_chart_version = include.root.inputs.tempo_chart_version
+ tempo_tag = include.root.inputs.tempo_tag
+ namespace = include.root.inputs.namespaces["tempo"]
+
+}
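Review bot: The `terraform.source` line pins tfmod-tempo with `?ref=${include.root.inputs.release_version}`, so the pin is only as strong as that value, which is set outside this hunk. If it names a branch or a movable tag, the module code applied to the cluster can change without any change in this repository. The same pattern is used by the `terraform` blocks in the eks-prometheus and eks configurations. I would require a full commit SHA or a protected release tag and record that next to the source line, e.g. `# release_version must be an immutable tag or a full commit SHA`.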
diff --git a/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks/terragrunt.hcl b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks/terragrunt.hcl
new file mode 100644
index 0000000..fd3787a
--- /dev/null
+++ b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks/terragrunt.hcl
@@ -0,0 +1,43 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git?ref=${include.root.inputs.release_version}"
+
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Core Cluster Configuration
+ cluster_name = include.root.inputs.cluster_name
+ cluster_version = include.root.inputs.cluster_version
+ eks_ng_desired_size = include.root.inputs.eks_ng_desired_size
+ eks_ng_max_size = include.root.inputs.eks_ng_max_size
+ eks_ng_min_size = include.root.inputs.eks_ng_min_size
+ eks_instance_types = ["t3a.large"]
+
+ # Additional Configuration
+ tags = include.root.inputs.tags
+}
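Review bot: `eks_instance_types = ["t3a.large"]` is the only sizing input in this `inputs` block written as a literal. The node-group sizes and cluster version around it are all read from `include.root.inputs`. Defining the instance types alongside those values and reading `eks_instance_types = include.root.inputs.eks_instance_types` here would keep per-cluster choices in one reviewed place.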
diff --git a/dev/us-gov-west-1/vpc2-lab-common/vpc.hcl b/dev/us-gov-west-1/vpc2-lab-common/vpc.hcl
new file mode 100644
index 0000000..2ea76f2
--- /dev/null
+++ b/dev/us-gov-west-1/vpc2-lab-common/vpc.hcl
@@ -0,0 +1,8 @@
+# dev/us-gov-west-1/vpc/vpc.hcl
+
+# Set VPC specific variables. These are automatically pulled in to configure the remote state bucket in the root
+# terragrunt.hcl configuration.
+locals {
+ vpc_name = "vpc2-lab-common"
+ vpc_domain_name = "dev.inf.csp1.census.gov"
+}
diff --git a/root.hcl b/root.hcl
new file mode 100644
index 0000000..72db579
--- /dev/null
+++ b/root.hcl
@@ -0,0 +1,186 @@
+# ${environment}/root.hcl
+# ---------------------------------------------------------------------------------------------------------------------
+# TERRAGRUNT CONFIGURATION
+# Terragrunt is a thin wrapper for Terraform that provides extra tools for working with multiple Terraform modules,
+# remote state, and locking: https://github.com/gruntwork-io/terragrunt
+# ---------------------------------------------------------------------------------------------------------------------
+locals {
+ # Automatically load account-level variables (NOTE: In our environment account = environment so there is not separate environment layer)
+ account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+
+ # Automatically load cluster-level variables
+ cluster_vars = read_terragrunt_config(find_in_parent_folders("cluster.hcl"))
+
+ # Automatically load _envcommon, cross account and environment common variables
+ common_vars = read_terragrunt_config(find_in_parent_folders("./_envcommon/common-variables.hcl"))
+
+ # Automatically load naming prefixes
+ prefix_vars = read_terragrunt_config(find_in_parent_folders("./_envcommon/prefixes.hcl"))
+
+ # Automatically load region-level variables
+ region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+
+ # Automatically load versions
+ versions = read_terragrunt_config(find_in_parent_folders("./_envcommon/default-versions.hcl"))
+
+ # Automatically load vpc-level variables
+ vpc_vars = read_terragrunt_config(find_in_parent_folders("vpc.hcl"))
+
+ # Add any other locals you want to expose
+ # only expose things not already included via local.xxx_vars.locals.*
+ root_locals_for_inputs = {
+ is_module_enabled = local.is_module_enabled
+ module_name = local.module_name
+ }
+
+ # Extract the variables we need for easy access
+ account_id = local.account_vars.locals.aws_account_id
+ account_name = local.account_vars.locals.account_name
+ aws_profile = local.account_vars.locals.aws_profile
+ aws_region = local.region_vars.locals.aws_region
+ cluster_name = local.cluster_vars.locals.cluster_name
+ eecr_info = local.common_vars.locals.eecr_info
+ environment_abbr = local.common_vars.locals.environment_abbr
+ finops_project_name = local.cluster_vars.locals.finops_project_name
+ finops_project_number = local.cluster_vars.locals.finops_project_number
+ finops_project_role = local.cluster_vars.locals.finops_project_role
+ is_eks_module = local.module_name == "eks" ? true : false
+ prefixes = local.prefix_vars.locals.prefixes
+ is_module_enabled = merge(
+ { for module in local.versions.locals.core_modules : module => true },
+ local.versions.locals.enabled_modules,
+ local.module_overrides
+ )
+ module_name = basename(get_original_terragrunt_dir())
+ module_overrides = local.cluster_vars.locals.module_enablement_overrides
+ organization = local.cluster_vars.locals.organization
+ state_bucket_prefix = local.common_vars.locals.state_bucket_prefix
+ state_table_name = local.common_vars.locals.state_table_name
+}
+
+# Only generate providers for non-EKS modules
+generate "cluster_data" {
+ path = "cluster-data.tf"
+ if_exists = "overwrite_terragrunt"
+ contents = local.is_eks_module ? "" : <<-EOF
+ data "aws_eks_clusters" "available" {}
+
+ locals {
+ cluster_exists = contains(data.aws_eks_clusters.available.names, "${local.cluster_name}")
+ }
+
+ data "aws_eks_cluster" "this" {
+ count = local.cluster_exists ? 1 : 0
+ name = "${local.cluster_name}"
+ }
+
+ data "aws_eks_cluster_auth" "this" {
+ count = local.cluster_exists ? 1 : 0
+ name = "${local.cluster_name}"
+ }
+ EOF
+}
+
+# Generate provider blocks only for non-EKS modules
+generate "kube_provider" {
+ path = "kube-provider.tf"
+ if_exists = "overwrite_terragrunt"
+ contents = local.is_eks_module ? "" : <<-EOF
+ provider "kubernetes" {
+ host = local.cluster_exists ? data.aws_eks_cluster.this[0].endpoint : "https://dummy"
+ cluster_ca_certificate = local.cluster_exists ? base64decode(data.aws_eks_cluster.this[0].certificate_authority[0].data) : null
+ token = local.cluster_exists ? data.aws_eks_cluster_auth.this[0].token : "dummy"
+ }
+ EOF
+}
+
+generate "helm_provider" {
+ path = "helm-provider.tf"
+ if_exists = "overwrite_terragrunt"
+ contents = local.is_eks_module ? "" : <<-EOF
+ provider "helm" {
+ kubernetes = {
+ host = local.cluster_exists ? data.aws_eks_cluster.this[0].endpoint : "https://dummy"
+ cluster_ca_certificate = local.cluster_exists ? base64decode(data.aws_eks_cluster.this[0].certificate_authority[0].data) : null
+ token = local.cluster_exists ? data.aws_eks_cluster_auth.this[0].token : "dummy"
+ }
+ }
+ EOF
+}
+
+# Configure Terragrunt to automatically store tfstate files in an S3 bucket
+remote_state {
+ disable_init = tobool(get_env("TG_DISABLE_INIT", "false"))
+ backend = "s3"
+ generate = {
+ path = "remote_state.backend.tf"
+ if_exists = "overwrite_terragrunt"
+ }
+ config = {
+ bucket = "${local.state_bucket_prefix}-${local.account_id}"
+ use_lockfile = true
+ key = "${trimprefix(replace(run_cmd("realpath", get_original_terragrunt_dir()), dirname(get_repo_root()), ""), "/")}/terraform.tfstate"
+ profile = "${local.aws_profile}"
+ region = "${local.aws_region}"
+ disable_bucket_update = true
+ }
+}
+
+# Generate an AWS provider block
+generate "aws-provider" {
+ path = "aws-provider.tf"
+ if_exists = "overwrite"
+ contents = <<-EOF
+ provider "aws" {
+ region = "${local.aws_region}"
+ profile = "${local.aws_profile}"
+ default_tags {
+ tags = {
+ cluster_name = "${local.cluster_name}"
+ "boc:module_name" = "${local.module_name}"
+ environment = "${local.environment_abbr}"
+ finops_project_name = "${local.finops_project_name}"
+ finops_project_number = "${local.finops_project_number}"
+ finops_project_role = "${local.finops_project_role}"
+ CostAllocation = "${local.organization}"
+ organization = "${local.organization}"
+ "boc:created-by" = "terragrunt"
+ }
+ }
+ # Only these AWS Account IDs may be operated on by this template
+ allowed_account_ids = ["${local.account_id}"]
+ }
+EOF
+}
+
+generate "tags-yml" {
+ path = "tags.yml"
+ if_exists = "overwrite"
+ contents = !local.is_eks_module ? "" : <<-EOF
+ finops:
+ number: "${tonumber(regex("[0-9]+$", local.finops_project_number))}"
+ name: "${local.finops_project_name}"
+ roles:
+ - eks
+ - "${local.finops_project_role}"
+ EOF
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# GLOBAL PARAMETERS
+# These variables apply to all configurations in this subfolder. These are automatically merged into the child
+# `terragrunt.hcl` config via the include block.
+# ---------------------------------------------------------------------------------------------------------------------
+
+# Configure root level variables that all resources can inherit. This is especially helpful with multi-account configs
+# where terraform_remote_state data sources are placed directly into the modules.
+inputs = merge(
+ local.account_vars.locals,
+ local.cluster_vars.locals,
+ local.common_vars.locals,
+ local.prefix_vars.locals,
+ local.region_vars.locals,
+ local.versions.locals,
+ local.vpc_vars.locals,
+ local.root_locals_for_inputs
+)
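Review bot: The `remote_state` `config` does not set `encrypt`, and `disable_bucket_update = true` stops Terragrunt from reconciling the bucket's settings. Protection of the state objects therefore depends entirely on how the `${local.state_bucket_prefix}-${local.account_id}` bucket was configured out of band. State written by the Helm- and Kubernetes-based modules may hold chart values and other sensitive attributes, so this is worth making explicit. I would add `encrypt = true` to `config`, plus a comment above the block naming where the bucket's encryption, versioning and public-access settings are managed.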