SCT-Engineering · morga471 · Apr 20, 2026 · Apr 20, 2026 · Apr 20, 2026 · Apr 20, 2026
diff --git a/CODEOWNERS b/CODEOWNERS
@@ -0,0 +1,2 @@
+# These owners will be the default owners for everything in the repo. Unless a later match takes precedence
+*     @SCT-Engineering/terraform-reviewers
diff --git a/README.md b/README.md
@@ -1,2 +1,39 @@
-# csvd-mcm2-lab
-EKS Cluster Configuration for csvd-mcm2-lab
+# EKS Cluster Configuration - CSVD-MCM2-LAB - LAB
+
+This EKS cluster configuration was generated using Terraform and the terraform-eks-deployment module.
+
+## Environment Details
+
+- **Environment**: lab
+- **Region**: us-gov-east-1
+- **Cluster Name**: csvd-mcm2-lab
+
+## Directory Structure
+
+## Getting Started
+
+To apply this configuration:
+
+1. Change to the directory of the module you want to deploy:
+   ```
+   cd environment/region/vpc/cluster/eks
+   ```
+
+2. Initialize and apply the Terragrunt configuration:
+   ```
+   terragrunt init
+   terragrunt plan
+   terragrunt apply
+   ```
+
+3. Deploy additional modules as needed:
+   ```
+   cd ../eks-cconfig
+   terragrunt init
+   terragrunt plan
+   terragrunt apply
+   ```
+
+## Customization
+
+Each module can be deployed independently using Terragrunt.
diff --git a/_envcommon/common-variables.hcl b/_envcommon/common-variables.hcl
@@ -0,0 +1,82 @@
+# lab/_envcommon/common-variables.hcl
+
+# ---------------------------------------------------------------------------------------------------------------------
+# GLOBAL PARAMETERS
+# These are the variables we pass to use across modules regardless of environment, i.e. these are the parameters
+# that are common across all environments/accounts.
+# ---------------------------------------------------------------------------------------------------------------------
+locals {
+  state_bucket_prefix = "inf-tfstate"
+  state_table_name    = "tf_remote_state"
+  environment_abbr    = "lab"
+
+  route53_endpoints = {
+    route53_main = {
+      "account_id"    = local.route53_info[local.environment_abbr]["account_id"]
+      "alias"         = local.route53_info[local.environment_abbr]["alias"]
+      "us-gov-east-1" = local.route53_info[local.environment_abbr]["us-gov-east-1"]
+      "us-gov-west-1" = local.route53_info[local.environment_abbr]["us-gov-west-1"]
+    }
+    route53_main_legacy = {
+      "account_id"    = local.route53_info["legacy"]["account_id"]
+      "alias"         = local.route53_info["legacy"]["alias"]
+      "us-gov-east-1" = local.route53_info["legacy"]["us-gov-east-1"]
+      "us-gov-west-1" = local.route53_info["legacy"]["us-gov-west-1"]
+    }
+  }
+
+  route53_info = {
+    lab = {
+      "account_id"    = "269244441389"
+      "alias"         = "lab-gov-network-nonprod"
+      "us-gov-east-1" = "vpc-070595c5b133243dd"
+      "us-gov-west-1" = "vpc-08b7b4db6a5ddf9c1"
+    }
+    dev = {
+      "account_id"    = "057405694017"
+      "alias"         = "ent-ew-network-prod"
+      "us-gov-east-1" = "vpc-061325b37d748d17a"
+      "us-gov-west-1" = "vpc-0b22b68b90e47cb5f"
+    }
+    prod = {
+      "account_id"    = "057405694017"
+      "alias"         = "ent-ew-network-prod"
+      "us-gov-east-1" = "vpc-061325b37d748d17a"
+      "us-gov-west-1" = "vpc-0b22b68b90e47cb5f"
+    }
+    legacy = {
+      "account_id"    = "107742151971"
+      "alias"         = "do2-govcloud"
+      "us-gov-east-1" = "vpc-099a991da7c4eb8a5"
+      "us-gov-west-1" = "vpc-77877a12"
+    }
+  }
+
+  enterprise_ecr_account = {
+    lab = {
+      "account_id" = "269222635945"
+      "alias"      = "lab-gov-shared-nonprod"
+      "profile"    = "269222635945-lab-gov-shared-nonprod"
+      "region"     = "us-gov-east-1"
+    }
+    dev = {
+      "account_id" = "067074201825"
+      "alias"      = "ent-gov-shared-prod"
+      "profile"    = "067074201825-ent-gov-shared-prod"
+      "region"     = "us-gov-east-1"
+    }
+    prod = {
+      "account_id" = "067074201825"
+      "alias"      = "ent-gov-shared-prod"
+      "profile"    = "067074201825-ent-gov-shared-prod"
+      "region"     = "us-gov-east-1"
+    }
+  }
+
+  eecr_info = {
+    account_id = local.enterprise_ecr_account[local.environment_abbr]["account_id"]
+    alias      = local.enterprise_ecr_account[local.environment_abbr]["alias"]
+    profile    = local.enterprise_ecr_account[local.environment_abbr]["profile"]
+    region     = local.enterprise_ecr_account[local.environment_abbr]["region"]
+  }
+}
diff --git a/_envcommon/default-versions.hcl b/_envcommon/default-versions.hcl
@@ -0,0 +1,225 @@
+# lab/_envcommon/default-versions.hcl
+locals {
+  module_name     = basename(get_original_terragrunt_dir())
+  release_version = local.module_versions["2026.03.15"][local.module_name]
+
+  #####################
+  # Module Versions
+  #####################
+  cluster_version    = "1.34"
+  eks_module_version = "21.11.1"
+
+  module_versions = {
+    "2025.20.04" = {
+      "eks-arcgis"         = false
+      "eks-cert-manager"   = "0.1.9"
+      "eks-config"         = "1.0.5"
+      "eks-cribl"          = "0.0.1"
+      "eks-dns"            = "0.1.4"
+      "eks-gatekeeper"     = "0.0.3"
+      "eks-grafana"        = "0.1.5"
+      "eks-istio"          = "1.0.9"
+      "eks-k8s-dashboard"  = "0.1.4"
+      "eks-karpenter"      = "0.1.7"
+      "eks-keycloak"       = "0.0.8"
+      "eks-kiali"          = "0.1.4"
+      "eks-loki"           = "0.1.4"
+      "eks-metrics-server" = "0.1.4"
+      "eks-otel"           = "0.0.4"
+      "eks-pipeline"       = "initial"
+      "eks-postgresql"     = false
+      "eks-prometheus"     = "0.1.4"
+      "eks-tempo"          = "0.1.4"
+      "eks"                = "1.0.10"
+      "cluster"            = "2025.20.04"
+    }
+    "2026.03.15" = {
+      "eks-arcgis"         = false
+      "eks-config"         = "1.0.6"
+      "eks-cribl"          = "mcm_v2"
+      "eks-dns"            = "0.1.7"
+      "eks-gatekeeper"     = "0.0.4"
+      "eks-grafana"        = "0.1.5"
+      "eks-istio"          = "1.0.9"
+      "eks-karpenter"      = "0.1.9"
+      "eks-keycloak"       = "0.0.8"
+      "eks-kiali"          = "0.1.5"
+      "eks-loki"           = "0.1.6"
+      "eks-otel"           = "0.0.4"
+      "eks-pipeline"       = "initial"
+      "eks-postgresql"     = false
+      "eks-prometheus"     = "0.1.5"
+      "eks-tempo"          = "0.1.6"
+      "eks"                = "1.0.14"
+      "cluster"            = "2026.03.15"
+    }
+  }
+
+  submodule_versions = {
+    "tfmod-istio-service-ingress"                   = "0.1.7"
+    "tfmod-config-job"                              = "0.1.8"
+    "tfmod-custom-iam-role-for-service-account-eks" = "1.0.1"
+  }
+
+  #####################
+  # Module Enablement
+  #####################
+
+  # Core modules that should always be enabled (cannot be disabled)
+  core_modules = [
+    "eks",
+    "eks-karpenter",
+    "eks-config",
+    "eks-istio",
+    "eks-dns",
+  ]
+
+  # Optional modules with their default enablement state
+  enabled_modules = {
+    "eks-arcgis"        = false
+    "eks-cribl"         = false
+    "eks-gatekeeper"    = true
+    "eks-grafana"       = true
+    "eks-keycloak"      = true
+    "eks-kiali"         = true
+    "eks-loki"          = true
+    "eks-otel"          = true
+    "eks-pipeline"      = false
+    "eks-postgresql"    = false
+    "eks-prometheus"    = true
+    "eks-tempo"         = true
+  }
+
+  #####################
+  # TF Providers
+  #####################
+  aws_version        = "6.0"
+  helm_version       = "2.11.0"
+  kubernetes_version = "2.33.0"
+  null_version       = "3.2.1"
+  random_version     = "3.5.1"
+  template_version   = "2.2.0"
+  tf_version         = "1.5.5"
+
+  #####################
+  # Namespaces Config
+  #####################
+  operator_namespace  = "operator"
+  telemetry_namespace = "telemetry"
+  system_namespace    = "kube-system"
+  istio_namespace     = "istio-system"
+  namespaces = {
+    arcgis        = "arcgis"
+    cribl         = "cribl"
+    gatekeeper    = "keycloak"
+    grafana       = local.telemetry_namespace
+    istio         = local.istio_namespace
+    karpenter     = local.system_namespace
+    keycloak      = "keycloak"
+    kiali         = local.istio_namespace
+    loki          = local.telemetry_namespace
+    misp          = "misp"
+    otel          = local.telemetry_namespace
+    postgresql    = "keycloak"
+    prometheus    = local.telemetry_namespace
+    tempo         = local.telemetry_namespace
+  }
+
+  #####################
+  # EKS Config
+  #####################
+
+  ################
+  # Cert-Manager
+  ################
+  cluster_issuer_name = "cert-manager"
+
+  #####################
+  # Cribl
+  #####################
+  cribl_chart_version = "4.15.1"
+  cribl_app_version   = "4.15.1"
+
+  ################
+  # GoGatekeeper
+  ################
+  gatekeeper_tag           = "4.4.0"
+  gatekeeper_chart_version = "0.1.60"
+  gatekeeper_service_name  = "gatekeeper"
+
+  ################
+  # Grafana
+  ################
+  grafana_hostname               = "grafana"
+  grafana_operator_chart_version = "4.9.8"
+  grafana_operator_tag           = "5.16.0"
+  grafana_tag                    = "11.5.2"
+  os_shell_image_tag             = local.utilities_tag
+
+  ################
+  # Istio
+  ################
+  istio_version = "1.28.3"
+
+  ################
+  # Karpenter
+  ################
+  karpenter_helm_chart = "1.8.5"
+  karpenter_tag        = "1.8.5"
+
+  ################
+  # Keycloak
+  ################
+  keycloak_chart_version = "7.0.1"
+  keycloak_tag           = "26.0.7"
+  postgresql_tag         = "17.4.0-debian-12-r4"
+  postgres_exporter_tag  = "0.17.1-debian-12-r0"
+  utilities_tag          = "1.0.3"
+
+  ################
+  # Kiali
+  ################
+  kiali_operator_version    = "2.21.0"
+  kiali_application_version = "${local.kiali_operator_version}"
+
+  ################
+  # Loki
+  ################
+  loki_chart_version              = "6.49.0"
+  loki_tag                        = "3.6.3"
+  enterprise_logs_provisioner_tag = "3.6.2"
+  gateway_tag                     = "1.29.4"
+  memcached_tag                   = "1.6.40"
+  exporter_tag                    = "v0.15.3"
+  sidecar_tag                     = "2.4.0"
+
+  ################
+  # Open Telemetry
+  ################
+  auto_instrumentation_java_version = "2.9.0"
+  collector_contrib_version         = "0.113.0-amd64"
+  collector_version                 = "0.111.0-amd64"
+  otel_helm_version                 = "0.71.2"
+  otel_version                      = "0.110.0"
+  rbac_proxy_version                = "0.20.2"
+
+  ################
+  # PostgreSQL
+  ################
+  postgresql_chart_version = "16.5.0"
+
+  ################
+  # Prometheus
+  ################
+  prometheus_chart_version       = "28.6.0"
+  prometheus_server_tag          = "v3.9.1"
+  prometheus_config_reloader_tag = "v0.88.0"
+  alertmanager_tag               = "v0.30.1"
+  pushgateway_tag                = "v1.6.2"
+
+  ################
+  # Tempo
+  ################
+  tempo_chart_version = "1.24.3"
+  tempo_tag           = "2.9.1"
+}
diff --git a/_envcommon/prefixes.hcl b/_envcommon/prefixes.hcl
@@ -0,0 +1,37 @@
+locals {
+  prefixes = {
+    "ebs"            = "v-ebs-"
+    "efs"            = "v-efs-"
+    "group"          = "g-"
+    "kms"            = "k-kms-"
+    "policy"         = "p-"
+    "role"           = "r-"
+    "s3"             = "v-s3-"
+    "security-group" = "" # "sg-"
+    # VPC
+    "customer-gateway" = "cgw-"
+    "dhcp-options"     = ""
+    "elastic-ip"       = "eip-"
+    "internet-gateway" = "igw-"
+    "log-group"        = "lg-"
+    "log-stream"       = "lgs-"
+    "nat-gateway"      = "nat-"
+    "network-acl"      = "nacl-"
+    "route-table"      = "route-"
+    "subnet"           = ""
+    "vpc-endpoint"     = "vpce-"
+    "vpc-peer"         = "vpcp-"
+    "vpc"              = ""
+    "vpn-connection"   = "vpn_"
+    "vpn-gateway"      = "vpcg-"
+    # EKS
+    "eks-policy"         = "p-eks-"
+    "eks-queue"          = "eks-q-"
+    "eks-role"           = "r-eks-"
+    "eks-s3"             = "v-s3-eks-"
+    "eks-security-group" = "eks-sg-" # "sg-eks-"
+    "eks-user"           = "s-eks-"
+    "eks"                = "eks-"
+    "eks-event"          = "eks-ev-"
+  }
+}
diff --git a/config.json b/config.json
@@ -0,0 +1 @@
+{"account":{"account_name":"lab-dev-gov","aws_account_id":"224384469011","aws_profile":"lab-dev-gov-lab","environment_abbr":"lab"},"cluster":{"CostAllocation":"census:ocio:csvd","cluster_mailing_list":"matthew.c.morgan@census.gov","cluster_name":"csvd-mcm2-lab","eks_instance_disk_size":200,"eks_ng_desired_size":2,"eks_ng_max_size":10,"eks_ng_min_size":2,"finops_project_name":"csvd_platformbaseline","finops_project_number":"fs0000000078","finops_project_role":"csvd_platformbaseline_eks","organization":"census:ocio:csvd","tags":{"CostAllocation":"census:ocio:csvd","Owner":"matthew.c.morgan@census.gov","PowerSchedule":"Full_Week_Core_Hours_7-7"}},"cluster_dir":"csvd-mcm2-lab","enable_all_modules":true,"environment":"lab","modules":{"cribl":false,"gatekeeper":false,"grafana":false,"keycloak":false,"kiali":false,"loki":false,"otel":false,"prometheus":false,"tempo":false},"region":"us-gov-east-1","vpc":{"vpc_domain_name":"dev.lab.csp2.census.gov","vpc_name":"vpc3-lab-dev"}}