From 8816708f0da88589c09867c456d9399cde43e06e Mon Sep 17 00:00:00 2001
From: David John Arnold Jr
Date: Thu, 23 Apr 2026 14:42:30 -0700
Subject: [PATCH 01/28] Update dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-k8s-dashboard/terragrunt.hcl
---
 .../eks-k8s-dashboard/terragrunt.hcl | 66 +++++++++++++++++++
 1 file changed, 66 insertions(+)
 create mode 100644 dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-k8s-dashboard/terragrunt.hcl
diff --git a/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-k8s-dashboard/terragrunt.hcl b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-k8s-dashboard/terragrunt.hcl
new file mode 100644
index 0000000..9527e5f
--- /dev/null
+++ b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-k8s-dashboard/terragrunt.hcl
@@ -0,0 +1,66 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-k8s-dashboard.git?ref=${include.root.inputs.release_version}"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-dns",
+ ]
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = include.root.inputs.cluster_name
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ }
+}
+
+dependency "eks_dns" {
+ config_path = "../eks-dns"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_domain = "mock.example.com"
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ }
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+ eecr_info = include.root.inputs.eecr_info
+
+ # Cluster Configuration
+ cluster_domain = dependency.eks_dns.outputs.cluster_domain
+ cluster_name = dependency.eks.outputs.cluster_name
+
+ # Dashboard Configuration
+ service_name = include.root.inputs.dashboard_hostname
+ k8s_dashboard_version = include.root.inputs.k8s_dashboard_version
+ namespace = include.root.inputs.namespaces["k8s-dashboard"]
+}
From 080c8cc00e7994350c0e4080727abf9685fdd69a Mon Sep 17 00:00:00 2001
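Review bot: Both `dependency` blocks allow mock outputs for `plan` and `destroy`, so a plan run before `../eks` and `../eks-dns` are applied silently substitutes `cluster_domain = "mock.example.com"` and a placeholder OIDC ARN and still renders as a clean, approvable plan. Terragrunt's documented safe setting is `mock_outputs_allowed_terraform_commands = ["init", "validate"]`, which makes such a plan fail loudly; if `plan` must stay, a comment saying why mocked values are acceptable here would help the next reviewer. The `eks_dns` mock also declares `oidc_provider_arn`, which nothing in `inputs` reads and which looks copied from the `eks` block. Note too that `terraform.source` is fetched at `ref=${include.root.inputs.release_version}` — unless `release_version` is a commit SHA or an immutable, protected tag, the module code this cluster runs is not actually pinned.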
From: David John Arnold Jr
Date: Thu, 23 Apr 2026 14:42:32 -0700
Subject: [PATCH 02/28] Update dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-metrics-server/terragrunt.hcl
---
 .../eks-metrics-server/terragrunt.hcl | 54 +++++++++++++++++++
 1 file changed, 54 insertions(+)
 create mode 100644 dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-metrics-server/terragrunt.hcl
diff --git a/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-metrics-server/terragrunt.hcl b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-metrics-server/terragrunt.hcl
new file mode 100644
index 0000000..241bbc5
--- /dev/null
+++ b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-metrics-server/terragrunt.hcl
@@ -0,0 +1,54 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-metrics-server.git?ref=${include.root.inputs.release_version}"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = "mock-cluster"
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ ]
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ eecr_info = include.root.inputs.eecr_info
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_name = dependency.eks.outputs.cluster_name
+
+ # Metrics Server Configuration
+ metrics_server_helm_chart = include.root.inputs.metrics_server_helm_chart
+ metrics_server_tag = include.root.inputs.metrics_server_tag
+ namespace = include.root.inputs.namespaces["metrics-server"]
+}
From 18e8c1b71ba077812c36e87ce4f0d568cdfa74f3 Mon Sep 17 00:00:00 2001
From: David John Arnold Jr
Date: Thu, 23 Apr 2026 14:42:33 -0700
Subject: [PATCH 03/28] Update dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-dns/terragrunt.hcl
---
 .../eks-dns/terragrunt.hcl | 71 +++++++++++++++++++
 1 file changed, 71 insertions(+)
 create mode 100644 dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-dns/terragrunt.hcl
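Review bot: The `eks` mock here returns the literal `cluster_name = "mock-cluster"`, whereas the k8s-dashboard and eks-dns modules in this same series mock it with the real `include.root.inputs.cluster_name`; the obviously fake value is the better choice, because a mocked plan that carries the real cluster name is much harder to recognise as mocked. Pick one convention (the literal) and apply it across the series. The `dependency "eks"` block is also placed before `dependencies`, the reverse of the sibling files — ordering is cosmetic, but a consistent layout keeps these near-identical files diffable.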
diff --git a/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-dns/terragrunt.hcl b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-dns/terragrunt.hcl
new file mode 100644
index 0000000..983ab4f
--- /dev/null
+++ b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-dns/terragrunt.hcl
@@ -0,0 +1,71 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks-dns.git?ref=${include.root.inputs.release_version}"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = include.root.inputs.cluster_name
+ subnets = ["subnet-mock1", "subnet-mock2", "subnet-mock3"]
+ }
+}
+
+dependency "eks-istio" {
+ config_path = "../eks-istio"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ istio_ingress_lb = {
+ dns_name = "mock-${include.root.inputs.cluster_name}.elb.amazonaws.com"
+ zone_id = "MOCKZONEID"
+ }
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-istio",
+ ]
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_name = include.root.inputs.cluster_name
+ environment_abbr = include.root.inputs.environment_abbr
+
+ # Network Configuration
+ istio_ingress_lb = dependency.eks-istio.outputs.istio_ingress_lb
+ route53_endpoints = include.root.inputs.route53_endpoints
+ vpc_domain_name = include.root.inputs.vpc_domain_name
+ vpc_name = include.root.inputs.vpc_name
+
+ # Additional Configuration
+ tags = include.root.inputs.tags
+}
From b3d404be96560581b1bbb7e68ba88159a10896e1 Mon Sep 17 00:00:00 2001
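Review bot: `dependency "eks"` declares `cluster_name` and `subnets` mocks, but `inputs` never reads `dependency.eks.outputs` — `cluster_name` is taken from `include.root.inputs.cluster_name` — so the block only adds ordering that `dependencies.paths` already provides. Either read `cluster_name = dependency.eks.outputs.cluster_name` (as the dashboard and loki modules do, so the DNS records are only planned once the cluster output exists) or drop the block. The mocked load balancer `dns_name` is built from the real cluster name, which makes a mocked plan look legitimate; a clearly fake hostname is safer. The label `eks-istio` also mixes hyphen style with the `eks_dns`/`eks_config` underscore style used elsewhere in the series.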
From: David John Arnold Jr
Date: Thu, 23 Apr 2026 14:42:34 -0700
Subject: [PATCH 04/28] Update dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-pipeline/terragrunt.hcl
---
 .../eks-pipeline/terragrunt.hcl | 100 ++++++++++++++++++++
 1 file changed, 100 insertions(+)
 create mode 100644 dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-pipeline/terragrunt.hcl
diff --git a/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-pipeline/terragrunt.hcl b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-pipeline/terragrunt.hcl
new file mode 100644
index 0000000..8d705a7
--- /dev/null
+++ b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-pipeline/terragrunt.hcl
@@ -0,0 +1,100 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled OR if running in CodeBuild (to avoid circular dependency)
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true) || get_env("CODEBUILD_BUILD_ID", "") != ""
+
+ artifact_bucket = format("%v%v-%v-%v-%v",
+ include.root.inputs.prefixes["eks-s3"],
+ include.root.inputs.cluster_name,
+ "artifacts",
+ include.root.inputs.aws_account_id,
+ join("", [for c in split("-", include.root.inputs.aws_region) : substr(c, 0, 1)]))
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-pipeline.git?ref=${include.root.inputs.release_version}"
+
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+inputs = {
+ account_id = include.root.inputs.aws_account_id
+ cluster_name = include.root.inputs.cluster_name
+ environment = include.root.inputs.environment_abbr
+ region = include.root.inputs.aws_region
+ state_bucket_prefix = include.root.inputs.state_bucket_prefix
+
+ # VPC Configuration
+ vpc_name = include.root.inputs.vpc_name
+ subnet_filter = "*-container-*" # or any specific pattern you want to use
+
+ is_infrastructure_pipeline = true
+
+ # Updated to use buildspecs from the platform-tg-infra repository
+ # made deploy-to-pipeline will update them from tfmod-pipeline module
+ buildspec_template_path = "buildspecs"
+
+ build_configuration = {
+ compute_type = "BUILD_GENERAL1_LARGE"
+ image = "aws/codebuild/amazonlinux-x86_64-standard:5.0"
+ buildspec_path = "build.yml"
+ privileged_mode = true
+ environment_variables = {
+ ARTIFACT_BUCKET = local.artifact_bucket
+ TERRAGRUNT_PATH = 
"lab/${include.root.inputs.environment}/${include.root.inputs.aws_region}/vpc/${include.root.inputs.cluster_name}"
+ REGION = include.root.inputs.aws_region
+ ENVIRONMENT = include.root.inputs.environment_abbr
+ AWS_ACCOUNT_ID = include.root.inputs.aws_account_id
+ PROXY_CONFIG = "http://vlab-proxy.tco.census.gov:3128"
+ }
+ }
+
+ security_scan_configuration = {
+ compute_type = "BUILD_GENERAL1_MEDIUM"
+ image = "aws/codebuild/amazonlinux-x86_64-standard:5.0"
+ buildspec_path = "security.yml"
+ environment_variables = {
+ ARTIFACT_BUCKET = local.artifact_bucket
+ TERRAGRUNT_PATH = "lab/${include.root.inputs.environment}/${include.root.inputs.aws_region}/vpc/${include.root.inputs.cluster_name}"
+ REGION = include.root.inputs.aws_region
+ ENVIRONMENT = include.root.inputs.environment_abbr
+ AWS_ACCOUNT_ID = include.root.inputs.aws_account_id
+ PROXY_CONFIG = "http://vlab-proxy.tco.census.gov:3128"
+ }
+ }
+
+ approval_configuration = {
+ enabled = true
+ notify_emails = [include.root.inputs.cluster_mailing_list]
+ custom_message = "Please review and approve infrastructure changes to the CSVD platform"
+ }
+
+ deployment_configuration = {
+ target_type = "Build"
+ compute_type = "BUILD_GENERAL1_MEDIUM"
+ image = "aws/codebuild/amazonlinux-x86_64-standard:5.0"
+ buildspec_path = "deploy.yml"
+ environment_variables = {
+ ARTIFACT_BUCKET = local.artifact_bucket
+ TERRAGRUNT_PATH = "lab/${include.root.inputs.environment}/${include.root.inputs.aws_region}/vpc/${include.root.inputs.cluster_name}"
+ REGION = include.root.inputs.aws_region
+ ENVIRONMENT = include.root.inputs.environment_abbr
+ AWS_ACCOUNT_ID = include.root.inputs.aws_account_id
+ PROXY_CONFIG = "http://vlab-proxy.tco.census.gov:3128"
+ }
+ }
+}
From 560a78451389fd3d60b91f2a84c2b16c0258c197 Mon Sep 17 00:00:00 2001
From: David John Arnold Jr
Date: Thu, 23 Apr 2026 14:42:36 -0700
Subject: [PATCH 05/28] Update dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks/terragrunt.hcl
---
 .../eks/terragrunt.hcl | 43 +++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100644 dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks/terragrunt.hcl
diff --git a/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks/terragrunt.hcl b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks/terragrunt.hcl
new file mode 100644
index 0000000..fd3787a
--- /dev/null
+++ b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks/terragrunt.hcl
@@ -0,0 +1,43 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git?ref=${include.root.inputs.release_version}"
+
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Core Cluster Configuration
+ cluster_name = include.root.inputs.cluster_name
+ cluster_version = include.root.inputs.cluster_version
+ eks_ng_desired_size = include.root.inputs.eks_ng_desired_size
+ eks_ng_max_size = include.root.inputs.eks_ng_max_size
+ eks_ng_min_size = include.root.inputs.eks_ng_min_size
+ eks_instance_types = ["t3a.large"]
+
+ # Additional Configuration
+ tags = include.root.inputs.tags
+}
From 502ac868c5f92dc170689f22a2f1927deeca8f15 Mon Sep 17 00:00:00 2001
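Review bot: `eks_instance_types = ["t3a.large"]` is the only cluster-level setting hard-coded in this file while every neighbouring value (`cluster_version`, the node-group sizes) comes from `include.root.inputs`; a per-cluster override belongs in the root/cluster inputs like the rest, or deserves a comment such as `# lab-only sizing; production clusters take this from root inputs`. This file is also where control-plane audit logging, private-endpoint access and secrets encryption would be configured if `tfmod-eks` exposes them — none is set here and `tags` is the only hardening-adjacent input, so it is worth confirming that the module's defaults are the intended settings for a GovCloud cluster rather than relying on them silently.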
From: David John Arnold Jr
Date: Thu, 23 Apr 2026 14:42:37 -0700
Subject: [PATCH 06/28] Update dev/us-gov-west-1/vpc2-lab-common/vpc.hcl
---
 dev/us-gov-west-1/vpc2-lab-common/vpc.hcl | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 dev/us-gov-west-1/vpc2-lab-common/vpc.hcl
diff --git a/dev/us-gov-west-1/vpc2-lab-common/vpc.hcl b/dev/us-gov-west-1/vpc2-lab-common/vpc.hcl
new file mode 100644
index 0000000..2ea76f2
--- /dev/null
+++ b/dev/us-gov-west-1/vpc2-lab-common/vpc.hcl
@@ -0,0 +1,8 @@
+# dev/us-gov-west-1/vpc/vpc.hcl
+
+# Set VPC specific variables. These are automatically pulled in to configure the remote state bucket in the root
+# terragrunt.hcl configuration.
+locals {
+ vpc_name = "vpc2-lab-common"
+ vpc_domain_name = "dev.inf.csp1.census.gov"
+}
From 6f4a995cc5d63ea3d310740678be298c0f04670b Mon Sep 17 00:00:00 2001
From: David John Arnold Jr
Date: Thu, 23 Apr 2026 14:42:39 -0700
Subject: [PATCH 07/28] Update dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-loki/terragrunt.hcl
---
 .../eks-loki/terragrunt.hcl | 66 +++++++++++++++++++
 1 file changed, 66 insertions(+)
 create mode 100644 dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-loki/terragrunt.hcl
diff --git a/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-loki/terragrunt.hcl b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-loki/terragrunt.hcl
new file mode 100644
index 0000000..724d853
--- /dev/null
+++ b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-loki/terragrunt.hcl
@@ -0,0 +1,66 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-loki.git?ref=${include.root.inputs.release_version}"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = "mock-cluster"
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ }
+}
+
+dependency "eks_config" {
+ config_path = "../eks-config"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ rwo_storage_class = "gp3-mock"
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-config",
+ ]
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ eecr_info = include.root.inputs.eecr_info
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_name = dependency.eks.outputs.cluster_name
+ oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
+
+ # Loki Configuration
+ loki_chart_version = include.root.inputs.loki_chart_version
+ loki_tag = include.root.inputs.loki_tag
+ namespace = include.root.inputs.namespaces["loki"]
+ rwo_storage_class = dependency.eks_config.outputs.rwo_storage_class
+}
From a19930bd02c4a3f282e70a9ef7486ba641c691b2 Mon Sep 17 00:00:00 2001
From: David John Arnold Jr
Date: Thu, 23 Apr 2026 14:42:40 -0700
Subject: [PATCH 08/28] Update README.md
---
 README.md | 41 +++++++++++++++++++++++++++++++++++++++--
 1 file changed, 39 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 43cde32..2e85956 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,39 @@
-# arnol377-cross-account-test
-EKS Cluster Configuration for arnol377-cross-account-test
+# EKS Cluster Configuration - ARNOL377-CROSS-ACCOUNT-TEST - DEV
+
+This EKS cluster configuration was generated using Terraform and the terraform-eks-deployment module.
+
+## Environment Details
+
+- **Environment**: dev
+- **Region**: us-gov-west-1
+- **Cluster Name**: arnol377-cross-account-test
+
+## Directory Structure
+
+## Getting Started
+
+To apply this configuration:
+
+1. Change to the directory of the module you want to deploy:
+ ```
+ cd environment/region/vpc/cluster/eks
+ ```
+
+2. Initialize and apply the Terragrunt configuration:
+ ```
+ terragrunt init
+ terragrunt plan
+ terragrunt apply
+ ```
+
+3. Deploy additional modules as needed:
+ ```
+ cd ../eks-cconfig
+ terragrunt init
+ terragrunt plan
+ terragrunt apply
+ ```
+
+## Customization
+
+Each module can be deployed independently using Terragrunt.
\ No newline at end of file
From 93f4195b1c832384e81dcbd28cfd251ee441c868 Mon Sep 17 00:00:00 2001
From: David John Arnold Jr
Date: Thu, 23 Apr 2026 14:42:41 -0700
Subject: [PATCH 09/28] Update dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-gatekeeper/terragrunt.hcl
---
 .../eks-gatekeeper/terragrunt.hcl | 119 ++++++++++++++++++
 1 file changed, 119 insertions(+)
 create mode 100644 dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-gatekeeper/terragrunt.hcl
diff --git a/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-gatekeeper/terragrunt.hcl b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-gatekeeper/terragrunt.hcl
new file mode 100644
index 0000000..360a4c3
--- /dev/null
+++ b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-gatekeeper/terragrunt.hcl
@@ -0,0 +1,119 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-gatekeeper.git?ref=${include.root.inputs.release_version}"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = "mock-cluster"
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ }
+}
+
+dependency "eks_dns" {
+ config_path = "../eks-dns"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_domain = "mock.example.com"
+ }
+}
+
+dependency "eks_keycloak" {
+ config_path = "../eks-keycloak"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ user_auth_realm = "mock.keycloak.example.com/auth"
+ client_id = "mock-client-id"
+ client_secret = "mock-client-secret"
+ namespace = "keycloak"
+ user_secret = "user-sso"
+ }
+}
+
+dependency "eks-grafana" {
+ config_path = "../eks-grafana"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ namespace = "telemetry"
+ internal_endpoint = {
+ hostname = "kubernetes-dashboard.telemetry.svc.cluster.local"
+ port_number = 80
+ url = "http://kubernetes-dashboard.telemetry.svc.cluster.local:80/"
+ }
+ }
+}
+
+dependency "eks-kiali" {
+ config_path = "../eks-kiali"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ 
namespace = "istio-system"
+ internal_endpoint = {
+ hostname = "kiali.telemetry.svc.cluster.local"
+ port_number = 80
+ url = "http://kiali.telemetry.svc.cluster.local:80/"
+ }
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-dns",
+ "../eks-keycloak",
+ "../eks-grafana",
+ "../eks-kiali",
+ ]
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ eecr_info = include.root.inputs.eecr_info
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_domain = dependency.eks_dns.outputs.cluster_domain
+ cluster_name = dependency.eks.outputs.cluster_name
+
+ # Gatekeeper Standard Config
+ gatekeeper_chart_version = include.root.inputs.gatekeeper_chart_version
+ gatekeeper_tag = include.root.inputs.gatekeeper_tag
+ keycloak_client_id = dependency.eks_keycloak.outputs.client_id
+ keycloak_client_secret = dependency.eks_keycloak.outputs.client_secret
+ keycloak_fqdn = dependency.eks_keycloak.outputs.user_auth_realm
+ user_secret = dependency.eks_keycloak.outputs.user_secret
+
+ # Grafana Gatekeeper Config
+ grafana_ns = dependency.eks-grafana.outputs.namespace
+ grafana_service_name = "grafana"
+ grafana_url = dependency.eks-grafana.outputs.internal_endpoint.url
+
+ # Kaili Gatekeeper Config
+ kiali_ns = dependency.eks-kiali.outputs.namespace
+ kiali_service_name = "kiali"
+ kiali_url = dependency.eks-kiali.outputs.internal_endpoint.url
+}
From 901b6cd7c87c10c9bf1fbfcc8d1bd57e36d7b463 Mon Sep 17 00:00:00 2001
From: David John Arnold Jr
Date: Thu, 23 Apr 2026 14:42:51 -0700
Subject: [PATCH 10/28] Update _envcommon/prefixes.hcl
---
 _envcommon/prefixes.hcl | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 _envcommon/prefixes.hcl
diff --git a/_envcommon/prefixes.hcl b/_envcommon/prefixes.hcl
new file mode 100644
index 0000000..d46f6bb
--- /dev/null
+++ b/_envcommon/prefixes.hcl
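Review bot: `keycloak_client_secret = dependency.eks_keycloak.outputs.client_secret` routes the Keycloak client secret through Terraform outputs and inputs, so it sits in plaintext in the remote state of both `eks-keycloak` and this module and shows up in `terragrunt output` and plan diffs unless both module variables are declared `sensitive = true` (not visible here). The same dependency already exposes the Kubernetes Secret name (`user_secret`) and its `namespace`, so the gatekeeper chart could read the secret in-cluster and the `client_secret` output could be dropped; at minimum confirm the `sensitive` flags and add `# client secret transits Terraform state — see tfmod-keycloak` above that line. Separately, the `eks-grafana` mock's `internal_endpoint` points at `kubernetes-dashboard.telemetry.svc.cluster.local`, which looks copied from the dashboard module; `grafana.telemetry.svc.cluster.local` would avoid a confusing mocked plan. `eks-grafana`/`eks-kiali` also use hyphenated labels while `eks_dns`/`eks_keycloak` in the same file use underscores.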
@@ -0,0 +1,37 @@
+locals {
+ prefixes = {
+ "ebs" = "v-ebs-"
+ "efs" = "v-efs-"
+ "group" = "g-"
+ "kms" = "k-kms-"
+ "policy" = "p-"
+ "role" = "r-"
+ "s3" = "v-s3-"
+ "security-group" = "" # "sg-"
+ # VPC
+ "customer-gateway" = "cgw-"
+ "dhcp-options" = ""
+ "elastic-ip" = "eip-"
+ "internet-gateway" = "igw-"
+ "log-group" = "lg-"
+ "log-stream" = "lgs-"
+ "nat-gateway" = "nat-"
+ "network-acl"  = "nacl-"
+ "route-table" = "route-"
+ "subnet" = ""
+ "vpc-endpoint" = "vpce-"
+ "vpc-peer" = "vpcp-"
+ "vpc" = ""
+ "vpn-connection" = "vpn_"
+ "vpn-gateway" = "vpcg-"
+ # EKS
+ "eks-policy" = "p-eks-"
+ "eks-queue" = "eks-q-"
+ "eks-role" = "r-eks-"
+ "eks-s3" = "v-s3-eks-"
+ "eks-security-group" = "eks-sg-" # "sg-eks-"
+ "eks-user" = "s-eks-"
+ "eks" = "eks-"
+ "eks-event" = "eks-ev-"
+ }
+}
From b23d7a5904da23a4a09d15a6c1c4f4c55a24c605 Mon Sep 17 00:00:00 2001
From: David John Arnold Jr
Date: Thu, 23 Apr 2026 14:42:53 -0700
Subject: [PATCH 11/28] Update dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-kiali/terragrunt.hcl
---
 .../eks-kiali/terragrunt.hcl | 131 ++++++++++++++++++
 1 file changed, 131 insertions(+)
 create mode 100644 dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-kiali/terragrunt.hcl
diff --git a/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-kiali/terragrunt.hcl b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-kiali/terragrunt.hcl
new file mode 100644
index 0000000..9d6d3bf
--- /dev/null
+++ b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-kiali/terragrunt.hcl
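Review bot: `"vpn-connection" = "vpn_"` is the only prefix that ends in an underscore; every other entry ends in `-`, so names built from it (`vpn_foo` beside `vpcg-foo`) break the naming convention the rest of the map enforces — make it `"vpn-connection" = "vpn-"` unless an existing resource already depends on the underscore, in which case a comment saying so would help. The two commented alternatives (`# "sg-"`, `# "sg-eks-"`) should either be adopted or carry a note on why the empty and `eks-sg-` values were kept.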
@@ -0,0 +1,131 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-kiali.git?ref=${include.root.inputs.release_version}"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = "mock-cluster"
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ }
+}
+
+dependency "eks_config" {
+ config_path = "../eks-config"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ rwo_storage_class = "gp3-mock"
+ }
+}
+
+dependency "eks_dns" {
+ config_path = "../eks-dns"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_domain = "mock.example.com"
+ }
+}
+
+dependency "eks_grafana" {
+ config_path = "../eks-grafana"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ internal_endpoint = {
+ hostname = "grafana.mock.svc.cluster.local"
+ port_number = "80"
+ url = "https://grafana.mock.svc.cluster.local:80/"
+ }
+ namespace = "grafana"
+ secret_name = "grafana"
+ tempo_datasource_id = "mock-tempo-datasource-id"
+ }
+}
+
+dependency "eks_prometheus" {
+ config_path = "../eks-prometheus"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ prometheus_server_internal_endpoint = {
+ hostname = "prometheus.mock.svc.cluster.local"
+ port_number 
= "80"
+ url = "https://prometheus.mock.svc.cluster.local:80/"
+ }
+ }
+}
+
+dependency "eks_tempo" {
+ config_path = "../eks-tempo"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ tempo_internal_endpoint = {
+ hostname = "tempo.mock.svc.cluster.local"
+ port_number = "80"
+ url = "https://tempo.mock.svc.cluster.local:80/"
+ }
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-config",
+ "../eks-grafana",
+ "../eks-istio",
+ "../eks-prometheus",
+ "../eks-tempo",
+ ]
+}
+
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ eecr_info = include.root.inputs.eecr_info
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_domain = dependency.eks_dns.outputs.cluster_domain
+ cluster_name = dependency.eks.outputs.cluster_name
+ certificate_issuer = include.root.inputs.cluster_issuer_name
+
+ # Kiali Configuration
+ service_name = "kiali"
+ namespace = include.root.inputs.namespaces["kiali"]
+ istio_namespace = include.root.inputs.namespaces["istio"]
+ grafana_internal_url = dependency.eks_grafana.outputs.internal_endpoint.url
+ grafana_namespace = dependency.eks_grafana.outputs.namespace
+ grafana_secret_name = dependency.eks_grafana.outputs.secret_name
+
+ kiali_application_version = include.root.inputs.kiali_application_version
+ kiali_operator_version = include.root.inputs.kiali_operator_version
+
+ prometheus_internal_url = dependency.eks_prometheus.outputs.prometheus_server_internal_endpoint.url
+ grafana_namespace = dependency.eks_grafana.outputs.namespace
+ grafana_secret_name = dependency.eks_grafana.outputs.secret_name
+ grafana_internal_url = dependency.eks_grafana.outputs.internal_endpoint.url
+ tempo_datasource_id = dependency.eks_grafana.outputs.tempo_datasource_id
+ tempo_internal_url = dependency.eks_tempo.outputs.tempo_internal_endpoint.url
+}
From c860395a6463fca8c1c784ad1706eccc662ed5b9 Mon Sep 17 00:00:00 2001
From: David John Arnold Jr
Date: Thu, 23 Apr 2026 14:42:54 -0700
Subject: [PATCH 12/28] Update dev/us-gov-west-1/region.hcl
---
 dev/us-gov-west-1/region.hcl | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 dev/us-gov-west-1/region.hcl
diff --git a/dev/us-gov-west-1/region.hcl b/dev/us-gov-west-1/region.hcl
new file mode 100644
index 0000000..9abc63f
--- /dev/null
+++ b/dev/us-gov-west-1/region.hcl
@@ -0,0 +1,7 @@
+# dev/us-gov-west-1/region.hcl
+
+# Set common variables for the region. This is automatically pulled in in the root terragrunt.hcl configuration to
+# configure the remote state bucket and pass forward to the child modules as inputs.
+locals {
+ aws_region = "us-gov-west-1"
+}
From 97cf67b8baa53e40a98669453dcbc361f51a321c Mon Sep 17 00:00:00 2001
From: David John Arnold Jr
Date: Thu, 23 Apr 2026 14:42:55 -0700
Subject: [PATCH 13/28] Update dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-otel/terragrunt.hcl
---
 .../eks-otel/terragrunt.hcl | 85 +++++++++++++++++++
 1 file changed, 85 insertions(+)
 create mode 100644 dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-otel/terragrunt.hcl
diff --git a/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-otel/terragrunt.hcl b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-otel/terragrunt.hcl
new file mode 100644
index 0000000..a8a7d7c
--- /dev/null
+++ b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-otel/terragrunt.hcl
@@ -0,0 +1,85 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-open-telemetry.git?ref=${include.root.inputs.release_version}"
+ # source = "../../../../../../../tfmod-open-telemetry"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs = {
+ cluster_name = "a-cluster-name"
+ }
+}
+
+dependency "eks-loki" {
+ config_path = "../eks-loki"
+ mock_outputs = {
+ gateway_internal_endpoint = {
+ hostname = "loki-gateway.mock.svc.cluster.local"
+ portNumber = 3210
+ url = "http://loki-gateway.mock.svc.cluster.local:3210/"
+ }
+ }
+}
+
+dependency "eks-tempo" {
+ config_path = "../eks-tempo"
+ mock_outputs = {
+ tempo_otlp_endpoint = {
+ hostname = "tempo.mock.svc.cluster.local"
+ portNumber = 1234
+ url = "http://tempo.mock.svc.cluster.local:1234/"
+ }
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-loki",
+ "../eks-prometheus",
+ "../eks-tempo"
+ ]
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ eecr_info = include.root.inputs.eecr_info
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Clouster Config
+ cluster_name = dependency.eks.outputs.cluster_name
+
+ # OTEL Configuration
+ namespace = include.root.inputs.namespaces["otel"]
+ loki_endpoint = dependency.eks-loki.outputs.gateway_internal_endpoint.url
+ tempo_endpoint = dependency.eks-tempo.outputs.tempo_otlp_endpoint.url
+ # Image Version
+ auto_instrumentation_java_version = include.root.inputs.auto_instrumentation_java_version
+ collector_contrib_version = include.root.inputs.collector_contrib_version
+ collector_version = include.root.inputs.collector_version
+ otel_helm_version = include.root.inputs.otel_helm_version
+ rbac_proxy_version = include.root.inputs.rbac_proxy_version
+}
From 352817d27551da8074d881612f81cc7109184cd3 Mon Sep 17 00:00:00 2001 From: David John Arnold Jr Date: Thu, 23 Apr 2026 14:42:57 -0700 Subject: [PATCH 14/28] Update dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-prometheus/README.md --- .../eks-prometheus/README.md | 198 ++++++++++++++++++ 1 file changed, 198 insertions(+) create mode 100644 dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-prometheus/README.md
diff --git a/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-prometheus/README.md b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-prometheus/README.md new file mode 100644
index 0000000..bbbffb2
--- /dev/null
+++ b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-prometheus/README.md
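Review bot: The `eks-loki` and `eks-tempo` dependency blocks carry `mock_outputs` but no `mock_outputs_allowed_terraform_commands`, so unlike the `dependency "eks_loki"` block in the eks-grafana hunk the placeholder endpoints `http://loki-gateway.mock.svc.cluster.local:3210/` and `http://tempo.mock.svc.cluster.local:1234/` are also eligible during `apply` whenever those states have no outputs yet, which would wire the collector to exporters that do not exist instead of failing early. Add `mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]` to both blocks, and to `dependency "eks"`, whose mocked `cluster_name = "a-cluster-name"` has the same exposure. `dependencies.paths` also lists `../eks-prometheus` although no `dependency` block or input reads it; if that is only for ordering, a one-line comment saying so would help, and `# Clouster Config` is presumably `# Cluster Config`.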
@@ -0,0 +1,198 @@ +## eks-prometheus +This module deploys EKS kubeenetes prometheus inside existing EKS cluster. Prometheus is an open-source systems monitoring and alerting tool. +This module consisits of 4 components. It creates prometheus namespace and copies image repositories for the following components from quay.io into local account ECR repository. It deploys these components using helm charts using the configured ECR repositories. + 1. prometheus-alert-manager + 2. prometheus-node-exporter + 3. prometheus-pushgateway + 4. prometheus-server + +### Dependencies +This module is dependent on EKS module (eks). The cluster should exist already for this module to work. + +### Inputs + cluster_name + profile + prometheus_chart_version + prometheus_server_tag + prometheus_config_reloader_tag + alertmanager_tag + kube_state_metrics_tag + node_exporter_tag + pushgateway_tag + rwo_storage_class + +### Outputs + alertmanager_internal_endpoint + alertmanager_headless_internal_endpoint + pushgateway_internal_endpoint + prometheus_server_internal_endpoint + +### Issues observed/fixed +1. The rwo_storage_class value had to be updated from "gp3" to "gp3-encrypted" +2. The node_exporter_tag value had to be updated from "1.6.1" to "v1.8.1" +3. The kube_state_metrics_tag value had to be updated from "2.10.0" to "v2.6.0" +4. The alertmanager_tag value had to be updated from +5. The helm chart set config for the ecr image had to be split into 2 components, one for registry and other for repository as an example mentioned below: + + ``` + set { + name = "kube-state-metrics.image.registry" + value = module.images.images[local.ksm_key].dest_registry + } + set { + name = "kube-state-metrics.image.repository" + value = module.images.images[local.ksm_key].dest_repository + } + ``` + +6. 
In some other cases the image ecr repository had to be split by the colon separatory (:) + + ``` + set { + name = "alertmanager.configmapReload.image.repository" + value = split(":", module.images.images[local.prom_config_reload_key].dest_full_path)[0] + } + ``` + +### Chart Notes + 1. Get the application URL by running these commands: + + ```bash + export POD_NAME=$(kubectl get pods --namespace prometheus -l "app.kubernetes.io/name=prometheus-pushgateway,app.kubernetes.io/instance=prometheus" -o jsonpath="{.items[0].metadata.name}") + kubectl port-forward $POD_NAME 9091 + echo "Visit http://127.0.0.1:9091 to use your application" + ``` + + The Prometheus server can be accessed via port 80 on the following DNS name from within your cluster: + prometheus-server.prometheus.svc.cluster.local + + + Get the Prometheus server URL by running these commands in the same shell: + + ```bash + export POD_NAME=$(kubectl get pods --namespace prometheus -l "app.kubernetes.io/name=prometheus,app.kubernetes.io/instance=prometheus" -o jsonpath="{.items[0].metadata.name}") + kubectl --namespace prometheus port-forward $POD_NAME 9090 + ``` + + The Prometheus alertmanager can be accessed via port 9093 on the following DNS name from within your cluster: + `prometheus-alertmanager.prometheus.svc.cluster.local` + + + Get the Alertmanager URL by running these commands in the same shell: + + ```bash + export POD_NAME=$(kubectl get pods --namespace prometheus -l "app.kubernetes.io/name=alertmanager,app.kubernetes.io/instance=prometheus" -o jsonpath="{.items[0].metadata.name}") + kubectl --namespace prometheus port-forward $POD_NAME 9093 + ``` + + ################################################################################# + ###### WARNING: Pod Security Policy has been disabled by default since ##### + ###### it deprecated after k8s 1.25+. 
use ##### + ###### (index .Values "prometheus-node-exporter" "rbac" ##### + ###### "pspEnabled") with (index .Values ##### + ###### "prometheus-node-exporter" "rbac" "pspAnnotations") ##### + ###### in case you still need it. ##### + ################################################################################# + + + The Prometheus PushGateway can be accessed via port 9091 on the following DNS name from within your cluster: + `prometheus-prometheus-pushgateway.prometheus.svc.cluster.local` + + + Get the PushGateway URL by running these commands in the same shell: + + ```bash + export POD_NAME=$(kubectl get pods --namespace prometheus -l "app=prometheus-pushgateway,component=pushgateway" -o jsonpath="{.items[0].metadata.name}") + kubectl --namespace prometheus port-forward $POD_NAME 9091 + ``` + + For more information on running Prometheus, visit: + https://prometheus.io/ + + kube-state-metrics is a simple service that listens to the Kubernetes API server and generates metrics about the state of the objects. + The exposed metrics can be found here: + https://github.com/kubernetes/kube-state-metrics/blob/master/docs/README.md#exposed-metrics + + The metrics are exported on the HTTP endpoint /metrics on the listening port. + In your case, `prometheus-kube-state-metrics.prometheus.svc.cluster.local:8080/metrics` + + They are served either as plaintext or protobuf depending on the Accept header. + They are designed to be consumed either by Prometheus itself or by a scraper that is compatible with scraping a Prometheus client endpoint. + + 1. Get the application URL by running these commands: + + ```bash + export POD_NAME=$(kubectl get pods --namespace prometheus -l "app.kubernetes.io/name=alertmanager,app.kubernetes.io/instance=prometheus" -o jsonpath="{.items[0].metadata.name}") + echo "Visit http://127.0.0.1:9093 to use your application" + kubectl --namespace prometheus port-forward $POD_NAME 9093:80 + ``` + + 1. 
Get the application URL by running these commands: + + ```bash + export POD_NAME=$(kubectl get pods --namespace prometheus -l "app.kubernetes.io/name=prometheus-node-exporter,app.kubernetes.io/instance=prometheus" -o jsonpath="{.items[0].metadata.name}") + echo "Visit http://127.0.0.1:9100 to use your application" + kubectl port-forward --namespace prometheus $POD_NAME 9100 + ``` + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 0.13 | +| [aws](#requirement\_aws) | >= 5.14.0 | +| [helm](#requirement\_helm) | >= 2.11.0 | +| [kubernetes](#requirement\_kubernetes) | >= 2.23.0 | +| [null](#requirement\_null) | >= 3.2.1 | + +## Providers + +| Name | Version | +|------|---------| +| [helm](#provider\_helm) | >= 2.11.0 | +| [kubernetes](#provider\_kubernetes) | >= 2.23.0 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [images](#module\_images) | git@github.e.it.census.gov:terraform-modules/aws-ecr-copy-images.git/ | tf-upgrade | + +## Resources + +| Name | Type | +|------|------| +| [helm_release.prometheus](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [kubernetes_namespace.ns](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | +| [kubernetes_namespace.existing-ns](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/data-sources/namespace) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [alertmanager\_tag](#input\_alertmanager\_tag) | The image tag of the alertmanager image. | `string` | `"v0.27.0"` | no | +| [cluster\_name](#input\_cluster\_name) | The name of the cluster into which prometheus will be installed. 
| `string` | n/a | yes | +| [create\_namespace](#input\_create\_namespace) | Indicates whether the `namespace` needs to be created ('true') or already exists (not `true`) | `bool` | `true` | no | +| [kube\_state\_metrics\_tag](#input\_kube\_state\_metrics\_tag) | The image tag of the kube-state-metrics image. | `string` | `"v2.13.0"` | no | +| [namespace](#input\_namespace) | The namespace to install the prometheus components. Defaults to 'prometheus' | `string` | `"prometheus"` | no | +| [node\_exporter\_tag](#input\_node\_exporter\_tag) | The image tag of the node-exporter image. | `string` | `"v1.8.2"` | no | +| [profile](#input\_profile) | AWS\_PROFILE to use to apply the terraform script. | `string` | `""` | no | +| [prometheus\_chart\_version](#input\_prometheus\_chart\_version) | The version of prometheus to install into the cluster. | `string` | `"25.24.1"` | no | +| [prometheus\_config\_reloader\_tag](#input\_prometheus\_config\_reloader\_tag) | The image tag of the prometheus-config-reloader image. | `string` | `"v0.75.1"` | no | +| [prometheus\_server\_tag](#input\_prometheus\_server\_tag) | The image tag of prometheus server to install into the cluster. | `string` | `"v2.53.1"` | no | +| [pushgateway\_tag](#input\_pushgateway\_tag) | The image tag of the pushgateway image. | `string` | `"v1.9.0"` | no | +| [rwo\_storage\_class](#input\_rwo\_storage\_class) | Specify the storage class for read/write/once persistent volumes. | `string` | `"gp3-encrypted"` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [alertmanager\_headless\_internal\_endpoint](#output\_alertmanager\_headless\_internal\_endpoint) | n/a | +| [alertmanager\_internal\_endpoint](#output\_alertmanager\_internal\_endpoint) | n/a | +| [module\_name](#output\_module\_name) | The name of this module. | +| [module\_version](#output\_module\_version) | The version of this module. 
| +| [prometheus\_namespace](#output\_prometheus\_namespace) | n/a | +| [prometheus\_server\_internal\_endpoint](#output\_prometheus\_server\_internal\_endpoint) | n/a | +| [pushgateway\_internal\_endpoint](#output\_pushgateway\_internal\_endpoint) | n/a | + From f4495b39b05b4824e176cab4a87516db59911947 Mon Sep 17 00:00:00 2001 From: David John Arnold Jr Date: Thu, 23 Apr 2026 14:42:58 -0700 Subject: [PATCH 15/28] Update dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-grafana/terragrunt.hcl --- .../eks-grafana/terragrunt.hcl | 110 ++++++++++++++++++ 1 file changed, 110 insertions(+) create mode 100644 dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-grafana/terragrunt.hcl diff --git a/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-grafana/terragrunt.hcl b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-grafana/terragrunt.hcl new file mode 100644 index 0000000..07cc34d --- /dev/null +++ b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-grafana/terragrunt.hcl 
@@ -0,0 +1,110 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-grafana.git?ref=${include.root.inputs.release_version}"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = include.root.inputs.cluster_name
+ }
+}
+
+dependency "eks_dns" {
+ config_path = "../eks-dns"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_domain = "mock.domain.example.com"
+ }
+}
+
+dependency "eks_loki" {
+ config_path = "../eks-loki"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ rwo_storage_class = "gp3-mocked"
+ gateway_internal_endpoint = {
+ url = "mock.loki.enpoint.example.com"
+ }
+ }
+}
+
+dependency "eks_prometheus" {
+ config_path = "../eks-prometheus"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ prometheus_server_internal_endpoint = {
+ hostname = "prometheus.mock.svc.cluster.local"
+ port_number = "80"
+ url = "https://prometheus.mock.svc.cluster.local:80/"
+ }
+ }
+}
+
+dependency "eks_tempo" {
+ config_path = "../eks-tempo"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ rwo_storage_class = "gp3-mocked"
+ tempo_internal_endpoint = {
+ url = "mock.tempo.enpoint.example.com"
+ }
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-dns",
+ "../eks-loki",
+ "../eks-prometheus",
+ "../eks-tempo"
+ ]
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ eecr_info = include.root.inputs.eecr_info
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_name = dependency.eks.outputs.cluster_name
+ cluster_domain = dependency.eks_dns.outputs.cluster_domain
+
+ # Storage Configuration
+ rwo_storage_class = dependency.eks_loki.outputs.rwo_storage_class
+
+ # Grafana Configuration
+ grafana_operator_chart_version = include.root.inputs.grafana_operator_chart_version
+ grafana_operator_tag = include.root.inputs.grafana_operator_tag
+ grafana_tag = include.root.inputs.grafana_tag
+ namespace = include.root.inputs.namespaces["grafana"]
+ os_shell_image_tag = include.root.inputs.os_shell_image_tag
+ service_name = "grafana"
+ loki_endpoint = dependency.eks_loki.outputs.gateway_internal_endpoint.url
+ prometheus_endpoint = dependency.eks_prometheus.outputs.prometheus_server_internal_endpoint.url
+ tempo_endpoint = dependency.eks_tempo.outputs.tempo_internal_endpoint.url
+}
From 0efc6750a50bbaa49a1e4d57aec535ae2c7844a2 Mon Sep 17 00:00:00 2001 From: David John Arnold Jr Date: Thu, 23 Apr 2026 14:42:59 -0700 Subject: [PATCH 16/28] Update dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-keycloak/terragrunt.hcl --- .../eks-keycloak/terragrunt.hcl | 78 +++++++++++++++++++ 1 file changed, 78 insertions(+) create mode 100644 dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-keycloak/terragrunt.hcl
diff --git a/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-keycloak/terragrunt.hcl b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-keycloak/terragrunt.hcl new file mode 100644
index 0000000..f17489e
--- /dev/null
+++ b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-keycloak/terragrunt.hcl
@@ -0,0 +1,78 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-keycloak.git?ref=${include.root.inputs.release_version}"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = "mock-cluster"
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ }
+}
+
+dependency "eks_config" {
+ config_path = "../eks-config"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ rwo_storage_class = "gp3-mock"
+ }
+}
+
+dependency "eks_dns" {
+ config_path = "../eks-dns"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_domain = "mock.example.com"
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-config",
+ "../eks-dns",
+ "../eks-prometheus",
+ ]
+}
+
+inputs = {
+ cluster_domain = dependency.eks_dns.outputs.cluster_domain
+ cluster_name = dependency.eks.outputs.cluster_name
+ eecr_info = include.root.inputs.eecr_info
+ namespace = include.root.inputs.namespaces["keycloak"]
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # keycloak config
+ default_storage_class = dependency.eks_config.outputs.rwo_storage_class
+ keycloak_chart_version = include.root.inputs.keycloak_chart_version
+ keycloak_tag = include.root.inputs.keycloak_tag
+ realm_email = include.root.inputs.cluster_mailing_list
+ realm_name = "master"
+ service_name = "keycloak"
+ telemetry_namespace = include.root.inputs.telemetry_namespace
+ admin_email = include.root.inputs.cluster_mailing_list
+
+}
From dc293b8958ac0ef1d9e46fc3edb21ea0a0baa900 Mon Sep 17 00:00:00 2001 From: David John Arnold Jr Date: Thu, 23 Apr 2026 14:43:01 -0700 Subject: [PATCH 17/28] Update _envcommon/default-versions.hcl --- _envcommon/default-versions.hcl | 225 ++++++++++++++++++++++++++++++++ 1 file changed, 225 insertions(+) create mode 100644 _envcommon/default-versions.hcl
diff --git a/_envcommon/default-versions.hcl b/_envcommon/default-versions.hcl new file mode 100644
index 0000000..ab2ae07
--- /dev/null
+++ b/_envcommon/default-versions.hcl
@@ -0,0 +1,225 @@
+# dev/_envcommon/default-versions.hcl
+locals {
+ module_name = basename(get_original_terragrunt_dir())
+ release_version = local.module_versions["2026.03.15"][local.module_name]
+
+ #####################
+ # Module Versions
+ #####################
+ cluster_version = "1.34"
+ eks_module_version = "21.11.1"
+
+ module_versions = {
+ "2025.20.04" = {
+ "eks-arcgis" = false
+ "eks-cert-manager" = "0.1.9"
+ "eks-config" = "1.0.5"
+ "eks-cribl" = "0.0.1"
+ "eks-dns" = "0.1.4"
+ "eks-gatekeeper" = "0.0.3"
+ "eks-grafana" = "0.1.5"
+ "eks-istio" = "1.0.9"
+ "eks-k8s-dashboard" = "0.1.4"
+ "eks-karpenter" = "0.1.7"
+ "eks-keycloak" = "0.0.8"
+ "eks-kiali" = "0.1.4"
+ "eks-loki" = "0.1.4"
+ "eks-metrics-server" = "0.1.4"
+ "eks-otel" = "0.0.4"
+ "eks-pipeline" = "initial"
+ "eks-postgresql" = false
+ "eks-prometheus" = "0.1.4"
+ "eks-tempo" = "0.1.4"
+ "eks" = "1.0.10"
+ "cluster" = "2025.20.04"
+ }
+ "2026.03.15" = {
+ "eks-arcgis" = false
+ "eks-config" = "1.0.6"
+ "eks-cribl" = "mcm_v2"
+ "eks-dns" = "0.1.7"
+ "eks-gatekeeper" = "0.0.4"
+ "eks-grafana" = "0.1.5"
+ "eks-istio" = "1.0.9"
+ "eks-karpenter" = "0.1.9"
+ "eks-keycloak" = "0.0.8"
+ "eks-kiali" = "0.1.5"
+ "eks-loki" = "0.1.6"
+ "eks-otel" = "0.0.4"
+ "eks-pipeline" = "initial"
+ "eks-postgresql" = false
+ "eks-prometheus" = "0.1.5"
+ "eks-tempo" = "0.1.6"
+ "eks" = "1.0.14"
+ "cluster" = "2026.03.15"
+ }
+ }
+
+ submodule_versions = {
+ "tfmod-istio-service-ingress" = "0.1.7"
+ "tfmod-config-job" = "0.1.8"
+ "tfmod-custom-iam-role-for-service-account-eks" = "1.0.1"
+ }
+
+ #####################
+ # Module Enablement
+ #####################
+
+ # Core modules that should always be enabled (cannot be disabled)
+ core_modules = [
+ "eks",
+ "eks-karpenter",
+ "eks-config",
+ "eks-istio",
+ "eks-dns",
+ ]
+
+ # Optional modules with their default enablement state
+ enabled_modules = {
+ "eks-arcgis" = false
+ "eks-cribl" = false
+ "eks-gatekeeper" = true
+ "eks-grafana" = true
+ "eks-keycloak" = true
+ "eks-kiali" = true
+ "eks-loki" = true
+ "eks-otel" = true
+ "eks-pipeline" = false
+ "eks-postgresql" = false
+ "eks-prometheus" = true
+ "eks-tempo" = true
+ }
+
+ #####################
+ # TF Providers
+ #####################
+ aws_version = "6.0"
+ helm_version = "2.11.0"
+ kubernetes_version = "2.33.0"
+ null_version = "3.2.1"
+ random_version = "3.5.1"
+ template_version = "2.2.0"
+ tf_version = "1.5.5"
+
+ #####################
+ # Namespaces Config
+ #####################
+ operator_namespace = "operator"
+ telemetry_namespace = "telemetry"
+ system_namespace = "kube-system"
+ istio_namespace = "istio-system"
+ namespaces = {
+ arcgis = "arcgis"
+ cribl = "cribl"
+ gatekeeper = "keycloak"
+ grafana = local.telemetry_namespace
+ istio = local.istio_namespace
+ karpenter = local.system_namespace
+ keycloak = "keycloak"
+ kiali = local.istio_namespace
+ loki = local.telemetry_namespace
+ misp = "misp"
+ otel = local.telemetry_namespace
+ postgresql = "keycloak"
+ prometheus = local.telemetry_namespace
+ tempo = local.telemetry_namespace
+ }
+
+ #####################
+ # EKS Config
+ #####################
+
+ ################
+ # Cert-Manager
+ ################
+ cluster_issuer_name = "cert-manager"
+
+ #####################
+ # Cribl
+ #####################
+ cribl_chart_version = "4.15.1"
+ cribl_app_version = "4.15.1"
+
+ ################
+ # GoGatekeeper
+ ################
+ gatekeeper_tag = "4.4.0"
+ gatekeeper_chart_version = "0.1.60"
+ gatekeeper_service_name = "gatekeeper"
+
+ ################
+ # Grafana
+ ################
+ grafana_hostname = "grafana"
+ grafana_operator_chart_version = "4.9.8"
+ grafana_operator_tag = "5.16.0"
+ grafana_tag = "11.5.2"
+ os_shell_image_tag = local.utilities_tag
+
+ ################
+ # Istio
+ ################
+ istio_version = "1.28.3"
+
+ ################
+ # Karpenter
+ ################
+ karpenter_helm_chart = "1.8.5"
+ karpenter_tag = "1.8.5"
+
+ ################
+ # Keycloak
+ ################
+ keycloak_chart_version = "7.0.1"
+ keycloak_tag = "26.0.7"
+ postgresql_tag = "17.4.0-debian-12-r4"
+ postgres_exporter_tag = "0.17.1-debian-12-r0"
+ utilities_tag = "1.0.3"
+
+ ################
+ # Kiali
+ ################
+ kiali_operator_version = "2.21.0"
+ kiali_application_version = "${local.kiali_operator_version}"
+
+ ################
+ # Loki
+ ################
+ loki_chart_version = "6.49.0"
+ loki_tag = "3.6.3"
+ enterprise_logs_provisioner_tag = "3.6.2"
+ gateway_tag = "1.29.4"
+ memcached_tag = "1.6.40"
+ exporter_tag = "v0.15.3"
+ sidecar_tag = "2.4.0"
+
+ ################
+ # Open Telemetry
+ ################
+ auto_instrumentation_java_version = "2.9.0"
+ collector_contrib_version = "0.113.0-amd64"
+ collector_version = "0.111.0-amd64"
+ otel_helm_version = "0.71.2"
+ otel_version = "0.110.0"
+ rbac_proxy_version = "0.20.2"
+
+ ################
+ # PostgreSQL
+ ################
+ postgresql_chart_version = "16.5.0"
+
+ ################
+ # Prometheus
+ ################
+ prometheus_chart_version = "28.6.0"
+ prometheus_server_tag = "v3.9.1"
+ prometheus_config_reloader_tag = "v0.88.0"
+ alertmanager_tag = "v0.30.1"
+ pushgateway_tag = "v1.6.2"
+
+ ################
+ # Tempo
+ ################
+ tempo_chart_version = "1.24.3"
+ tempo_tag = "2.9.1"
+}
\ No newline at end of file
From 45ab3b7a9ac15e6f69a795a7ffa6e1ebd162d215 Mon Sep 17 00:00:00 2001 From: David John Arnold Jr Date: Thu, 23 Apr 2026 14:43:02 -0700 Subject: [PATCH 18/28] Update _envcommon/common-variables.hcl --- _envcommon/common-variables.hcl | 82 +++++++++++++++++++++++++++++++ 1 file changed, 82 insertions(+) create mode 100644 _envcommon/common-variables.hcl
diff --git a/_envcommon/common-variables.hcl b/_envcommon/common-variables.hcl new file mode 100644
index 0000000..1ccaf51
--- /dev/null
+++ b/_envcommon/common-variables.hcl
@@ -0,0 +1,82 @@
+# dev/_envcommon/common-variables.hcl
+
+# ---------------------------------------------------------------------------------------------------------------------
+# GLOBAL PARAMETERS
+# These are the variables we pass to use across modules regardless of environment, i.e. these are the parameters
+# that are common across all environments/accounts.
+# ---------------------------------------------------------------------------------------------------------------------
+locals {
+ state_bucket_prefix = "inf-tfstate"
+ state_table_name = "tf_remote_state"
+ environment_abbr = "dev"
+
+ route53_endpoints = {
+ route53_main = {
+ "account_id" = local.route53_info[local.environment_abbr]["account_id"]
+ "alias" = local.route53_info[local.environment_abbr]["alias"]
+ "us-gov-east-1" = local.route53_info[local.environment_abbr]["us-gov-east-1"]
+ "us-gov-west-1" = local.route53_info[local.environment_abbr]["us-gov-west-1"]
+ }
+ route53_main_legacy = {
+ "account_id" = local.route53_info["legacy"]["account_id"]
+ "alias" = local.route53_info["legacy"]["alias"]
+ "us-gov-east-1" = local.route53_info["legacy"]["us-gov-east-1"]
+ "us-gov-west-1" = local.route53_info["legacy"]["us-gov-west-1"]
+ }
+ }
+
+ route53_info = {
+ lab = {
+ "account_id" = "269244441389"
+ "alias" = "lab-gov-network-nonprod"
+ "us-gov-east-1" = "vpc-070595c5b133243dd"
+ "us-gov-west-1" = "vpc-08b7b4db6a5ddf9c1"
+ }
+ dev = {
+ "account_id" = "057405694017"
+ "alias" = "ent-ew-network-prod"
+ "us-gov-east-1" = "vpc-061325b37d748d17a"
+ "us-gov-west-1" = "vpc-0b22b68b90e47cb5f"
+ }
+ prod = {
+ "account_id" = "057405694017"
+ "alias" = "ent-ew-network-prod"
+ "us-gov-east-1" = "vpc-061325b37d748d17a"
+ "us-gov-west-1" = "vpc-0b22b68b90e47cb5f"
+ }
+ legacy = {
+ "account_id" = "107742151971"
+ "alias" = "do2-govcloud"
+ "us-gov-east-1" = "vpc-099a991da7c4eb8a5"
+ "us-gov-west-1" = "vpc-77877a12"
+ }
+ }
+
+ enterprise_ecr_account = {
+ lab = {
+ "account_id" = "269222635945"
+ "alias" = "lab-gov-shared-nonprod"
+ "profile" = "269222635945-lab-gov-shared-nonprod"
+ "region" = "us-gov-east-1"
+ }
+ dev = {
+ "account_id" = "067074201825"
+ "alias" = "ent-gov-shared-prod"
+ "profile" = "067074201825-ent-gov-shared-prod"
+ "region" = "us-gov-east-1"
+ }
+ prod = {
+ "account_id" = "067074201825"
+ "alias" = "ent-gov-shared-prod"
+ "profile" = "067074201825-ent-gov-shared-prod"
+ "region" = "us-gov-east-1"
+ }
+ }
+
+ eecr_info = {
+ account_id = local.enterprise_ecr_account[local.environment_abbr]["account_id"]
+ alias = local.enterprise_ecr_account[local.environment_abbr]["alias"]
+ profile = local.enterprise_ecr_account[local.environment_abbr]["profile"]
+ region = local.enterprise_ecr_account[local.environment_abbr]["region"]
+ }
+}
\ No newline at end of file
From c35fe4634ebcbaa9115c1c8c92649b2521349ee3 Mon Sep 17 00:00:00 2001 From: David John Arnold Jr Date: Thu, 23 Apr 2026 14:43:04 -0700 Subject: [PATCH 19/28] Update dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/cluster.hcl --- .../arnol377-cross-account-test/cluster.hcl | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/cluster.hcl
diff --git a/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/cluster.hcl b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/cluster.hcl new file mode 100644
index 0000000..95d1b65
--- /dev/null
+++ b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/cluster.hcl
@@ -0,0 +1,16 @@
+locals {
+ # Cluster specific configuration
+ cluster_name = "arnol377-cross-account-test"
+ cluster_mailing_list = ""
+ eks_instance_disk_size = 200
+ eks_ng_desired_size = 2
+ eks_ng_max_size = 10
+ eks_ng_min_size = 2
+ organization = "census:ocio:csvd"
+ CostAllocation = "census:ocio:csvd"
+ finops_project_name = ""
+ finops_project_number = ""
+ finops_project_role = ""
+ tags = {}
+ module_enablement_overrides = {"cribl":false,"gatekeeper":false,"grafana":false,"keycloak":false,"kiali":false,"loki":false,"otel":false,"prometheus":false,"tempo":false}
+}
From 8dbab6069732d2878ff36e3cec2b3ce0ffb071c0 Mon Sep 17 00:00:00 2001 From: David John Arnold Jr Date: Thu, 23 Apr 2026 14:43:14 -0700 Subject: [PATCH 20/28] Update dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-karpenter/terragrunt.hcl --- .../eks-karpenter/terragrunt.hcl | 66 +++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100644 dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-karpenter/terragrunt.hcl
diff --git a/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-karpenter/terragrunt.hcl b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-karpenter/terragrunt.hcl new file mode 100644
index 0000000..fc8d924
--- /dev/null
+++ b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-karpenter/terragrunt.hcl
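Review bot: `module_enablement_overrides` is keyed by short names (`"grafana"`, `"loki"`, …) while `enabled_modules` in the default-versions hunk and every module's skip guard, `lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)`, use the directory names `eks-grafana`, `eks-loki`, …; unless root.hcl, which is not among the visible hunks, re-prefixes these keys, the overrides never match and every module stays enabled through the `true` default. Writing the directory names here, e.g. `"eks-grafana" = false`, removes the dependency on that translation, and one key per line would make future changes diffable. `cluster_mailing_list = ""` is consumed as `realm_email` and `admin_email` by the eks-keycloak hunk, so it needs a real address before that module is switched on.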
@@ -0,0 +1,66 @@ +include "root" { + path = find_in_parent_folders("root.hcl") + merge_strategy = "deep" + expose = true +} + +locals { + # Skip this module if disabled + skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true) +} + +exclude { + if = local.skip + actions = ["all_except_output"] + exclude_dependencies = false +} + +terraform { + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-karpenter.git?ref=${include.root.inputs.release_version}" + + extra_arguments "retry_lock" { + commands = get_terraform_commands_that_need_locking() + arguments = ["-lock-timeout=20s"] + } +} + +dependencies { + paths = [ + "../eks", + ] +} + +dependency "eks" { + config_path = "../eks" + mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] + mock_outputs = { + cluster_name = "mock-cluster" + cluster_endpoint = "https://mock-endpoint.eks.amazonaws.com" + oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock" + node_group_name = "mock-node-group" + vpc_id = "vpc-mock" + subnets = ["subnet-mock1", "subnet-mock2"] + } +} + +inputs = { + # AWS Configuration + account_id = include.root.inputs.aws_account_id + profile = include.root.inputs.aws_profile + region = include.root.inputs.aws_region + eecr_info = include.root.inputs.eecr_info + + # Cluster Configuration + cluster_endpoint = dependency.eks.outputs.cluster_endpoint + cluster_name = dependency.eks.outputs.cluster_name + oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn + vpc_id = dependency.eks.outputs.vpc_id + subnets = dependency.eks.outputs.subnets + + # Karpenter Configuration + karpenter_tag = include.root.inputs.karpenter_tag + karpenter_helm_chart = include.root.inputs.karpenter_helm_chart + karpenter_node_group_name = dependency.eks.outputs.node_group_name + namespace = include.root.inputs.namespaces["karpenter"] + create_spot_service_linked_role = false +} 
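Review bot: The mock `cluster_name = "mock-cluster"` diverges from most sibling modules in this series, which mock it as `include.root.inputs.cluster_name`; since the module's inputs (and presumably its IAM trust policy and tags, not visible here) are derived from this value, mocking the real name keeps plan output meaningful and avoids a spurious rename on first apply. `create_spot_service_linked_role = false` carries no explanation — a line such as `# spot SLR is created once per account elsewhere` (or whatever the reason is) would save the next reviewer a lookup. Note that `"destroy"` in `mock_outputs_allowed_terraform_commands` means a teardown is accepted with a fabricated OIDC provider ARN and VPC when the eks outputs are unavailable; convenient for ordering, but worth a comment so the guard is not widened to `apply` later.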
From 90c1ed1ce39fdc1dcdbeac110046bd3e2a3e7cc4 Mon Sep 17 00:00:00 2001 From: David John Arnold Jr Date: Thu, 23 Apr 2026 14:43:15 -0700 Subject: [PATCH 21/28] Update dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-cert-manager/terragrunt.hcl
--- .../eks-cert-manager/terragrunt.hcl | 70 +++++++++++++++++++ 1 file changed, 70 insertions(+) create mode 100644 dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-cert-manager/terragrunt.hcl
diff --git a/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-cert-manager/terragrunt.hcl b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-cert-manager/terragrunt.hcl new file mode 100644
index 0000000..569a355
--- /dev/null
+++ b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-cert-manager/terragrunt.hcl
@@ -0,0 +1,70 @@ +include "root" { + path = find_in_parent_folders("root.hcl") + merge_strategy = "deep" + expose = true +} + +locals { + # Skip this module if disabled + skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true) +} + +exclude { + if = local.skip + actions = ["all_except_output"] + exclude_dependencies = false +} + +terraform { + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-cert-mgr.git?ref=${include.root.inputs.release_version}" + + extra_arguments "retry_lock" { + commands = get_terraform_commands_that_need_locking() + arguments = ["-lock-timeout=20s"] + } +} + +dependencies { + paths = [ + "../eks", + "../eks-config", + "../eks-karpenter", + "../eks-metrics-server", + ] +} + +dependency "eks" { + config_path = "../eks" + mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] + + mock_outputs = { + cluster_name = include.root.inputs.cluster_name + oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock" + cluster_endpoint = "https://mock-endpoint.eks.amazonaws.com" + cluster_version = include.root.inputs.cluster_version + } +} + +inputs = { + # AWS Configuration + account_id = include.root.inputs.aws_account_id + profile = include.root.inputs.aws_profile + region = include.root.inputs.aws_region + eecr_info = include.root.inputs.eecr_info + + # Cluster Configuration + cluster_name = dependency.eks.outputs.cluster_name + cluster_mailing_list = include.root.inputs.cluster_mailing_list + oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn + + # Cert Manager Configuration + cert_manager_helm_chart = include.root.inputs.cert_manager_helm_chart + cluster_issuer_name = include.root.inputs.cluster_issuer_name + namespace = include.root.inputs.namespaces["cert-manager"] + + # Version Tags + cert_manager_cainjector_tag = include.root.inputs.cert_manager_cainjector_tag + cert_manager_controller_tag = include.root.inputs.cert_manager_controller_tag + 
cert_manager_startupapicheck_tag = include.root.inputs.cert_manager_startupapicheck_tag + cert_manager_webhook_tag = include.root.inputs.cert_manager_webhook_tag +} From 48ac2caf00c9c8fa7504d01741f29578f7102281 Mon Sep 17 00:00:00 2001 From: David John Arnold Jr Date: Thu, 23 Apr 2026 14:43:16 -0700 Subject: [PATCH 22/28] Update dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-config/terragrunt.hcl --- .../eks-config/terragrunt.hcl | 65 +++++++++++++++++++ 1 file changed, 65 insertions(+) create mode 100644 dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-config/terragrunt.hcl diff --git a/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-config/terragrunt.hcl b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-config/terragrunt.hcl new file mode 100644 index 0000000..5297ebb --- /dev/null +++ b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-config/terragrunt.hcl 
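Review bot: `cluster_mailing_list = include.root.inputs.cluster_mailing_list` is fed from a cluster.hcl in this same series that sets the value to `""`; if tfmod-cert-mgr uses it as the ACME account contact (not visible here), the ClusterIssuer is registered with an empty email and expiry warnings have nowhere to go. Either validate it in cluster.hcl or make the fallback explicit here, e.g. `cluster_mailing_list = coalesce(include.root.inputs.cluster_mailing_list, "<platform-team alias>")`. The four version-tag inputs pin cert-manager component images, so a short comment saying they must move together with `cert_manager_helm_chart` would help whoever bumps them next.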
@@ -0,0 +1,65 @@ +include "root" { + path = find_in_parent_folders("root.hcl") + merge_strategy = "deep" + expose = true +} + +locals { + # Skip this module if disabled + skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true) +} + +exclude { + if = local.skip + actions = ["all_except_output"] + exclude_dependencies = false +} + +terraform { + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks-configuration.git?ref=${include.root.inputs.release_version}" + + extra_arguments "retry_lock" { + commands = get_terraform_commands_that_need_locking() + arguments = ["-lock-timeout=20s"] + } +} + +dependency "eks" { + config_path = "../eks" + mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] + + mock_outputs = { + cluster_name = "mock-cluster" + cluster_endpoint = "https://mock-endpoint.eks.amazonaws.com" + cluster_certificate_authority_data = [{ data = "mock-cert-data" }] + eks_managed_node_groups_autoscaling_group_names = ["mock-asg-name"] + oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock" + security_group_all_worker_mgmt_id = "sg-mock" + subnets = ["subnet-mock1", "subnet-mock2"] + vpc_id = "vpc-mock" + } +} + +dependencies { + paths = [ + "../eks", + "../eks-karpenter", + ] +} + +inputs = { + # AWS Configuration + account_id = include.root.inputs.aws_account_id + profile = include.root.inputs.aws_profile + region = include.root.inputs.aws_region + + # Core Cluster Configuration + cluster_name = dependency.eks.outputs.cluster_name + eks_managed_node_groups_autoscaling_group_names = dependency.eks.outputs.eks_managed_node_groups_autoscaling_group_names + oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn + security_group_all_worker_mgmt_id = dependency.eks.outputs.security_group_all_worker_mgmt_id + subnets = dependency.eks.outputs.subnets + vpc_id = dependency.eks.outputs.vpc_id + operators_ns = include.root.inputs.operator_namespace + telemetry_ns = 
include.root.inputs.telemetry_namespace +} From cd5142bc12859ea8ae7bd493d79986560494e4ef Mon Sep 17 00:00:00 2001 From: David John Arnold Jr Date: Thu, 23 Apr 2026 14:43:18 -0700 Subject: [PATCH 23/28] Update dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-istio/terragrunt.hcl --- .../eks-istio/terragrunt.hcl | 54 +++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-istio/terragrunt.hcl diff --git a/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-istio/terragrunt.hcl b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-istio/terragrunt.hcl new file mode 100644 index 0000000..fadb1ae --- /dev/null +++ b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-istio/terragrunt.hcl 
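Review bot: The `inputs` block omits `eecr_info`, which every sibling module in this series passes; if tfmod-eks-configuration pulls no images from the enterprise ECR that is fine, but a one-line comment such as `# no eecr_info: this module deploys no container images` would settle it rather than leaving a reader to wonder whether it was forgotten. The mock outputs `cluster_endpoint` and `cluster_certificate_authority_data` are not consumed by `inputs` and could be dropped so the mock documents only what the module actually reads. The `dependency`/`dependencies` ordering is reversed relative to the other modules, which is cosmetic but worth aligning.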
@@ -0,0 +1,54 @@ +include "root" { + path = find_in_parent_folders("root.hcl") + merge_strategy = "deep" + expose = true +} + +locals { + # Skip this module if disabled + skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true) +} + +exclude { + if = local.skip + actions = ["all_except_output"] + exclude_dependencies = false +} + +terraform { + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-istio.git?ref=${include.root.inputs.release_version}" + extra_arguments "retry_lock" { + commands = get_terraform_commands_that_need_locking() + arguments = ["-lock-timeout=20s"] + } +} + +dependencies { + paths = [ + "../eks" + ] +} + +dependency "eks" { + config_path = "../eks" + mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] + mock_outputs = { + cluster_name = include.root.inputs.cluster_name + } +} + +inputs = { + # AWS Configuration + account_id = include.root.inputs.aws_account_id + eecr_info = include.root.inputs.eecr_info + profile = include.root.inputs.aws_profile + region = include.root.inputs.aws_region + + # Cluster Configuration + cluster_name = dependency.eks.outputs.cluster_name + + # Istio Configuration + namespace = include.root.inputs.namespaces["istio"] + istio_version = include.root.inputs.istio_version + istio_chart_version = include.root.inputs.istio_version +} From 6f4bd628cd88d3a474fd12ec4552e775d4e381a2 Mon Sep 17 00:00:00 2001 From: David John Arnold Jr Date: Thu, 23 Apr 2026 14:43:19 -0700 Subject: [PATCH 24/28] Update dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-prometheus/terragrunt.hcl --- .../eks-prometheus/terragrunt.hcl | 70 +++++++++++++++++++ 1 file changed, 70 insertions(+) create mode 100644 dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-prometheus/terragrunt.hcl 
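Review bot: `istio_chart_version = include.root.inputs.istio_version` reuses the application version for the chart, so a separately maintained `istio_chart_version` in the root versions file — if one exists — is silently ignored, and if none exists the duplicate input should say so: `istio_chart_version = include.root.inputs.istio_version # chart tracks app version`. Pinning the mesh version by a single variable is reasonable, but the intent should be explicit since the mesh is the cluster's mTLS boundary.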
diff --git a/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-prometheus/terragrunt.hcl b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-prometheus/terragrunt.hcl new file mode 100644
index 0000000..f968797
--- /dev/null
+++ b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-prometheus/terragrunt.hcl
@@ -0,0 +1,70 @@ +include "root" { + path = find_in_parent_folders("root.hcl") + merge_strategy = "deep" + expose = true +} + +locals { + # Skip this module if disabled + skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true) +} + +exclude { + if = local.skip + actions = ["all_except_output"] + exclude_dependencies = false +} + +terraform { + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-prometheus.git?ref=${include.root.inputs.release_version}" + extra_arguments "retry_lock" { + commands = get_terraform_commands_that_need_locking() + arguments = ["-lock-timeout=20s"] + } +} + +dependencies { + paths = [ + "../eks", + "../eks-config", + "../eks-karpenter", + ] +} + +dependency "eks" { + config_path = "../eks" + mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] + mock_outputs = { + cluster_name = include.root.inputs.cluster_name + oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock" + } +} + +dependency "eks_config" { + config_path = "../eks-config" + mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] + mock_outputs = { + rwo_storage_class = "gp3-encyrpted" + } +} + +inputs = { + # AWS Configuration + account_id = include.root.inputs.aws_account_id + eecr_info = include.root.inputs.eecr_info + profile = include.root.inputs.aws_profile + region = include.root.inputs.aws_region + + # Cluster Configuration + cluster_name = dependency.eks.outputs.cluster_name + oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn + + # Prometheus Configuration + alertmanager_tag = include.root.inputs.alertmanager_tag + namespace = include.root.inputs.namespaces["prometheus"] + prometheus_chart_version = include.root.inputs.prometheus_chart_version + prometheus_config_reloader_tag = include.root.inputs.prometheus_config_reloader_tag + prometheus_server_tag = include.root.inputs.prometheus_server_tag + pushgateway_tag = 
include.root.inputs.pushgateway_tag + rwo_storage_class = dependency.eks_config.outputs.rwo_storage_class +} From 784b82863b5d266bb9f7f9d337c80e2e49341a91 Mon Sep 17 00:00:00 2001 From: David John Arnold Jr Date: Thu, 23 Apr 2026 14:43:20 -0700 Subject: [PATCH 25/28] Update config.json --- config.json | 1 + 1 file changed, 1 insertion(+) create mode 100644 config.json diff --git a/config.json b/config.json new file mode 100644 index 0000000..1b78ba3 --- /dev/null +++ b/config.json @@ -0,0 +1 @@ +{"account":{"account_name":"lab-gov-operations-nonprod","aws_account_id":"036728032133","aws_profile":"lab-gov-operations-nonprod-dev","environment_abbr":"dev"},"cluster":{"CostAllocation":"census:ocio:csvd","cluster_mailing_list":"","cluster_name":"arnol377-cross-account-test","eks_instance_disk_size":200,"eks_ng_desired_size":2,"eks_ng_max_size":10,"eks_ng_min_size":2,"finops_project_name":"","finops_project_number":"","finops_project_role":"","organization":"census:ocio:csvd","tags":{}},"cluster_dir":"arnol377-cross-account-test","enable_all_modules":true,"environment":"dev","modules":{"cribl":false,"gatekeeper":false,"grafana":false,"keycloak":false,"kiali":false,"loki":false,"otel":false,"prometheus":false,"tempo":false},"region":"us-gov-west-1","vpc":{"vpc_domain_name":"dev.inf.csp1.census.gov","vpc_name":"vpc2-lab-common"}} \ No newline at end of file From bb34ff293f46215f1a2259e4b13b9fccd550572e Mon Sep 17 00:00:00 2001 From: David John Arnold Jr Date: Thu, 23 Apr 2026 14:43:22 -0700 Subject: [PATCH 26/28] Update dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-tempo/terragrunt.hcl --- .../eks-tempo/terragrunt.hcl | 75 +++++++++++++++++++ 1 file changed, 75 insertions(+) create mode 100644 dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-tempo/terragrunt.hcl 
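Review bot: The mock `rwo_storage_class = "gp3-encyrpted"` is misspelled; if eks-config actually exports `gp3-encrypted`, every plan that falls back to mocks will show PVCs bound to a StorageClass that does not exist, which is exactly the kind of drift that makes an encrypted-volume review unreliable. Change it to `rwo_storage_class = "gp3-encrypted"` (or whatever the eks-config output really is). `"destroy"` in `mock_outputs_allowed_terraform_commands` matches the rest of the series, but a comment noting that teardown may run with fabricated inputs would be prudent.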
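Review bot: `aws_profile` here is `lab-gov-operations-nonprod-dev`, whereas dev/account.hcl in this series computes `036728032133-lab-gov-operations-nonprod`; two sources of truth for which credential profile drives Terraform is how a cross-account test ends up applying as the wrong principal. Presumably account.hcl is what terragrunt reads, so either generate this file from it or drop the field. `"enable_all_modules":true` next to a `modules` map that sets every entry to false also reads as contradictory, and a note on which one wins would help.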
diff --git a/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-tempo/terragrunt.hcl b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-tempo/terragrunt.hcl new file mode 100644
index 0000000..71dd0a1
--- /dev/null
+++ b/dev/us-gov-west-1/vpc2-lab-common/arnol377-cross-account-test/eks-tempo/terragrunt.hcl
@@ -0,0 +1,75 @@ +include "root" { + path = find_in_parent_folders("root.hcl") + merge_strategy = "deep" + expose = true +} + +locals { + # Skip this module if disabled + skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true) +} + +exclude { + if = local.skip + actions = ["all_except_output"] + exclude_dependencies = false +} + +terraform { + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-tempo.git?ref=${include.root.inputs.release_version}" + extra_arguments "retry_lock" { + commands = get_terraform_commands_that_need_locking() + arguments = ["-lock-timeout=20s"] + } +} + +dependency "eks" { + config_path = "../eks" + mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] + mock_outputs = { + cluster_name = include.root.inputs.cluster_name + oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock" + } +} + +dependency "eks-prometheus" { + config_path = "../eks-prometheus" + mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] + mock_outputs = { + prometheus_namespace = "prometheus" + prometheus_server_internal_endpoint = { + hostname = "prometheus-server.mock.svc.cluster.local" + port_number = 9090 + url = "http://prometheus-server.mock.svc.cluster.local:9090/" + } + } +} + +dependencies { + paths = [ + "../eks", + "../eks-prometheus" + ] +} + +inputs = { + # AWS Configuration + account_id = include.root.inputs.aws_account_id + eecr_info = include.root.inputs.eecr_info + profile = include.root.inputs.aws_profile + region = include.root.inputs.aws_region + + # Cluster Configuration + cluster_name = dependency.eks.outputs.cluster_name + oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn + + # Prometheus Configuration + prometheus_namespace = dependency.eks-prometheus.outputs.prometheus_namespace + prometheus_port = dependency.eks-prometheus.outputs.prometheus_server_internal_endpoint.port_number + + # Tempo Configuration + 
tempo_chart_version = include.root.inputs.tempo_chart_version + tempo_tag = include.root.inputs.tempo_tag + namespace = include.root.inputs.namespaces["tempo"] + +} From ec669497848e64b80aacef7192f14fb792de3109 Mon Sep 17 00:00:00 2001 From: David John Arnold Jr Date: Thu, 23 Apr 2026 14:43:23 -0700 Subject: [PATCH 27/28] Update dev/account.hcl --- dev/account.hcl | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 dev/account.hcl diff --git a/dev/account.hcl b/dev/account.hcl new file mode 100644 index 0000000..02be842 --- /dev/null +++ b/dev/account.hcl @@ -0,0 +1,10 @@ +# dev/environment.hcl + +# Set account-wide variables. These are automatically pulled in to configure the remote state bucket in the root +# terragrunt.hcl configuration. +locals { + account_name = "lab-gov-operations-nonprod" + aws_account_id = "036728032133" + aws_profile = format("%v-%v", local.aws_account_id, replace(local.account_name, "-ew", "-gov")) + environment = "dev" +} From 2c0c6e2cf5ff082a16ca2bbd5b365655f1c48d0e Mon Sep 17 00:00:00 2001 From: David John Arnold Jr Date: Thu, 23 Apr 2026 14:43:25 -0700 Subject: [PATCH 28/28] Update root.hcl --- root.hcl | 186 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 186 insertions(+) create mode 100644 root.hcl diff --git a/root.hcl b/root.hcl new file mode 100644 index 0000000..72db579 --- /dev/null +++ b/root.hcl 
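Review bot: Tempo reads `prometheus_namespace` and `prometheus_port` from the `eks-prometheus` dependency, but the cluster.hcl in this series disables both prometheus and tempo via `module_enablement_overrides`; if tempo is later re-enabled on its own, the prometheus outputs will be missing, plan will pass on mocks and apply will fail. A comment stating that the two toggles must agree, or a check in cluster.hcl, would prevent a half-enabled stack. The mocked `hostname` and `url` are never consumed here and could be trimmed to `port_number`.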
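Review bot: The header comment `# dev/environment.hcl` does not match the file name `dev/account.hcl`, and `replace(local.account_name, "-ew", "-gov")` is a no-op for `lab-gov-operations-nonprod`, which suggests the expression was copied from another partition's layout. Replace the header with `# dev/account.hcl` and either drop the `replace` or comment why the `-ew` → `-gov` rewrite is retained, since this string decides the AWS credential profile every module in the account runs under.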
@@ -0,0 +1,186 @@ +# ${environment}/root.hcl +# --------------------------------------------------------------------------------------------------------------------- +# TERRAGRUNT CONFIGURATION +# Terragrunt is a thin wrapper for Terraform that provides extra tools for working with multiple Terraform modules, +# remote state, and locking: https://github.com/gruntwork-io/terragrunt +# --------------------------------------------------------------------------------------------------------------------- +locals { + # Automatically load account-level variables (NOTE: In our environment account = environment so there is not separate environment layer) + account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl")) + + # Automatically load cluster-level variables + cluster_vars = read_terragrunt_config(find_in_parent_folders("cluster.hcl")) + + # Automatically load _envcommon, cross account and environment common variables + common_vars = read_terragrunt_config(find_in_parent_folders("./_envcommon/common-variables.hcl")) + + # Automatically load naming prefixes + prefix_vars = read_terragrunt_config(find_in_parent_folders("./_envcommon/prefixes.hcl")) + + # Automatically load region-level variables + region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl")) + + # Automatically load versions + versions = read_terragrunt_config(find_in_parent_folders("./_envcommon/default-versions.hcl")) + + # Automatically load vpc-level variables + vpc_vars = read_terragrunt_config(find_in_parent_folders("vpc.hcl")) + + # Add any other locals you want to expose + # only expose things not already included via local.xxx_vars.locals.* + root_locals_for_inputs = { + is_module_enabled = local.is_module_enabled + module_name = local.module_name + } + + # Extract the variables we need for easy access + account_id = local.account_vars.locals.aws_account_id + account_name = local.account_vars.locals.account_name + aws_profile = local.account_vars.locals.aws_profile 
+ aws_region = local.region_vars.locals.aws_region + cluster_name = local.cluster_vars.locals.cluster_name + eecr_info = local.common_vars.locals.eecr_info + environment_abbr = local.common_vars.locals.environment_abbr + finops_project_name = local.cluster_vars.locals.finops_project_name + finops_project_number = local.cluster_vars.locals.finops_project_number + finops_project_role = local.cluster_vars.locals.finops_project_role + is_eks_module = local.module_name == "eks" ? true : false + prefixes = local.prefix_vars.locals.prefixes + is_module_enabled = merge( + { for module in local.versions.locals.core_modules : module => true }, + local.versions.locals.enabled_modules, + local.module_overrides + ) + module_name = basename(get_original_terragrunt_dir()) + module_overrides = local.cluster_vars.locals.module_enablement_overrides + organization = local.cluster_vars.locals.organization + state_bucket_prefix = local.common_vars.locals.state_bucket_prefix + state_table_name = local.common_vars.locals.state_table_name +} + +# Only generate providers for non-EKS modules +generate "cluster_data" { + path = "cluster-data.tf" + if_exists = "overwrite_terragrunt" + contents = local.is_eks_module ? "" : <<-EOF + data "aws_eks_clusters" "available" {} + + locals { + cluster_exists = contains(data.aws_eks_clusters.available.names, "${local.cluster_name}") + } + + data "aws_eks_cluster" "this" { + count = local.cluster_exists ? 1 : 0 + name = "${local.cluster_name}" + } + + data "aws_eks_cluster_auth" "this" { + count = local.cluster_exists ? 1 : 0 + name = "${local.cluster_name}" + } + EOF +} + +# Generate provider blocks only for non-EKS modules +generate "kube_provider" { + path = "kube-provider.tf" + if_exists = "overwrite_terragrunt" + contents = local.is_eks_module ? "" : <<-EOF + provider "kubernetes" { + host = local.cluster_exists ? data.aws_eks_cluster.this[0].endpoint : "https://dummy" + cluster_ca_certificate = local.cluster_exists ? 
base64decode(data.aws_eks_cluster.this[0].certificate_authority[0].data) : null + token = local.cluster_exists ? data.aws_eks_cluster_auth.this[0].token : "dummy" + } + EOF +} + +generate "helm_provider" { + path = "helm-provider.tf" + if_exists = "overwrite_terragrunt" + contents = local.is_eks_module ? "" : <<-EOF + provider "helm" { + kubernetes = { + host = local.cluster_exists ? data.aws_eks_cluster.this[0].endpoint : "https://dummy" + cluster_ca_certificate = local.cluster_exists ? base64decode(data.aws_eks_cluster.this[0].certificate_authority[0].data) : null + token = local.cluster_exists ? data.aws_eks_cluster_auth.this[0].token : "dummy" + } + } + EOF +} + +# Configure Terragrunt to automatically store tfstate files in an S3 bucket +remote_state { + disable_init = tobool(get_env("TG_DISABLE_INIT", "false")) + backend = "s3" + generate = { + path = "remote_state.backend.tf" + if_exists = "overwrite_terragrunt" + } + config = { + bucket = "${local.state_bucket_prefix}-${local.account_id}" + use_lockfile = true + key = "${trimprefix(replace(run_cmd("realpath", get_original_terragrunt_dir()), dirname(get_repo_root()), ""), "/")}/terraform.tfstate" + profile = "${local.aws_profile}" + region = "${local.aws_region}" + disable_bucket_update = true + } +} + +# Generate an AWS provider block +generate "aws-provider" { + path = "aws-provider.tf" + if_exists = "overwrite" + contents = <<-EOF + provider "aws" { + region = "${local.aws_region}" + profile = "${local.aws_profile}" + default_tags { + tags = { + cluster_name = "${local.cluster_name}" + "boc:module_name" = "${local.module_name}" + environment = "${local.environment_abbr}" + finops_project_name = "${local.finops_project_name}" + finops_project_number = "${local.finops_project_number}" + finops_project_role = "${local.finops_project_role}" + CostAllocation = "${local.organization}" + organization = "${local.organization}" + "boc:created-by" = "terragrunt" + } + } + # Only these AWS Account IDs may be 
operated on by this template + allowed_account_ids = ["${local.account_id}"] + } +EOF +} + +generate "tags-yml" { + path = "tags.yml" + if_exists = "overwrite" + contents = !local.is_eks_module ? "" : <<-EOF + finops: + number: "${tonumber(regex("[0-9]+$", local.finops_project_number))}" + name: "${local.finops_project_name}" + roles: + - eks + - "${local.finops_project_role}" + EOF +} + +# --------------------------------------------------------------------------------------------------------------------- +# GLOBAL PARAMETERS +# These variables apply to all configurations in this subfolder. These are automatically merged into the child +# `terragrunt.hcl` config via the include block. +# --------------------------------------------------------------------------------------------------------------------- + +# Configure root level variables that all resources can inherit. This is especially helpful with multi-account configs +# where terraform_remote_state data sources are placed directly into the modules. +inputs = merge( + local.account_vars.locals, + local.cluster_vars.locals, + local.common_vars.locals, + local.prefix_vars.locals, + local.region_vars.locals, + local.versions.locals, + local.vpc_vars.locals, + local.root_locals_for_inputs +)
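Review bot: The `remote_state` config does not set `encrypt = true`, so the S3 backend relies on bucket-default SSE rather than requesting server-side encryption on each state write, and Terragrunt will warn about it; the state here persists data-source results including the `aws_eks_cluster_auth` token and provider configuration, so add `encrypt = true` next to `use_lockfile = true`. The `state_table_name` local is defined but never used now that lockfile locking is on. `tags-yml` evaluates `tonumber(regex("[0-9]+$", local.finops_project_number))`, which errors on the empty string this series' cluster.hcl supplies, so guard it or require the value. `allowed_account_ids = ["${local.account_id}"]` is a good guardrail for a cross-account test and deserves to stay.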