diff --git a/.github/workflows/conductor-workflow.yml b/.github/workflows/conductor-workflow.yml
new file mode 100644
index 0000000..ca3d4a1
--- /dev/null
+++ b/.github/workflows/conductor-workflow.yml
@@ -0,0 +1,35 @@
+name: Infrastructure CI/CD Conductor
+
+on:
+ push:
+ branches:
+ - '*feature*'
+ - 'dev'
+ pull_request:
+ branches:
+ - 'dev'
+
+jobs:
+ trigger-terragrunt-plan:
+ if: github.event_name == 'push' && contains(github.ref, 'feature')
+ uses: ./.github/workflows/terragrunt-plan-workflow.yml
+ with:
+ environment: dev
+
+ trigger-security-scan:
+ if: github.event_name == 'push' && contains(github.ref, 'feature')
+ needs: trigger-terragrunt-plan
+ uses: ./.github/workflows/security-scan-workflow.yml
+
+ trigger-pr-terragrunt-plan:
+ if: github.event_name == 'pull_request' && github.base_ref == 'dev'
+ uses: ./.github/workflows/pr-terragrunt-plan-workflow.yml
+
+ trigger-pr-security-scan:
+ if: github.event_name == 'pull_request' && github.base_ref == 'dev'
+ needs: trigger-pr-terragrunt-plan
+ uses: ./.github/workflows/pr-security-scan-workflow.yml
+
+ trigger-infrastructure-provision:
+ if: github.event_name == 'push' && github.ref == 'refs/heads/dev'
+ uses: ./.github/workflows/infrastructure-provision-workflow.yml
diff --git a/.github/workflows/infrastructure-provision-workflow.yml b/.github/workflows/infrastructure-provision-workflow.yml
new file mode 100644
index 0000000..ffeed4d
--- /dev/null
+++ b/.github/workflows/infrastructure-provision-workflow.yml
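Review bot: `trigger-infrastructure-provision` runs `terragrunt run-all apply` on every push to `dev` with no `concurrency` group and no environment protection, so two pushes in quick succession start overlapping applies against the same state and nothing requires an approval before infrastructure changes. Add `concurrency: { group: infra-provision-dev, cancel-in-progress: false }` to that job and consider a protected `dev` environment declared in the called workflow so a reviewer gates the apply. The `contains(github.ref, 'feature')` conditions on the first two jobs duplicate the `'*feature*'` branch filter and match any ref containing that word; `startsWith(github.ref, 'refs/heads/')` alongside the branch filter would be more precise, but that is a style point.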
@@ -0,0 +1,51 @@ +name: Infrastructure Provision + +on: + workflow_call: + +env: + NODE_TLS_REJECT_UNAUTHORIZED: '0' + tg_root_dir: 'terragrunt' + ACCOUNT_PROFILE_NAME: "lab-dev-gov" + +permissions: + actions: read + contents: read + security-events: write + issues: read + checks: write + pull-requests: write + +jobs: + provision-infrastructure: + runs-on: [self-hosted, Linux, X64, buildkitsandbox] + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Configure AWS credentials + uses: etools/configure-aws-credentials@main + with: + aws-region: ${{ vars.AWS_REGION }} + role-to-assume: "arn:aws-us-gov:iam::${{ vars.AWS_ACCOUNT_ID }}:role/r-inf-terraform-eks" + role-skip-session-tagging: true + + - name: Add profile credentials to ~/.aws/credentials + run: | + aws configure set aws_region ${{ vars.AWS_REGION }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}" + aws configure set aws_access_key_id ${{ env.AWS_ACCESS_KEY_ID }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}" + aws configure set aws_secret_access_key ${{ env.AWS_SECRET_ACCESS_KEY }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}" + aws configure set aws_session_token ${{ env.AWS_SESSION_TOKEN }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}" + aws sts get-caller-identity --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}" + + - name: Provision Infrastructure + run: | + pwd + cd lab/development/us-gov-east-1/vpc/platform-test-cicd + https_proxy=http://proxy.tco.census.gov:3128 \ + http_proxy=http://proxy.tco.census.gov:3128 \ + NO_PROXY=.census.gov,169.254.169.254,148.129.0.0/16,10.0.0.0/8,172.16.0/12,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com,.gcr.io,.pkg.dev \ + TERRAGRUNT_PROVIDER_CACHE=1 \ + terragrunt run-all apply --terragrunt-non-interactive + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
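Review bot: `etools/configure-aws-credentials@main` is pinned to a mutable branch, so anyone who can push to that repository's `main` can run code in a job that assumes `r-inf-terraform-eks` and applies infrastructure; pin it to a release tag or, better, a full commit SHA, and the same applies to the Configure AWS credentials step in pr-terragrunt-plan-workflow.yml and terragrunt-plan-workflow.yml (and `actions/checkout@v2`, which has been superseded). The "Add profile credentials" step then copies the role's access key, secret and session token into `~/.aws/credentials` on a self-hosted runner; unless the runner is ephemeral that profile outlives the job, so add a final `if: always()` cleanup step that removes it. Separately, `NO_PROXY` lists `172.16.0/12`, which is not a valid CIDR — pr-checks-workflow.yml spells it `172.16.0.0/12` — and the same typo appears in pr-terragrunt-plan-workflow.yml and terragrunt-plan-workflow.yml.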
diff --git a/.github/workflows/pr-checks-workflow.yml b/.github/workflows/pr-checks-workflow.yml
new file mode 100644
index 0000000..3055085
--- /dev/null
+++ b/.github/workflows/pr-checks-workflow.yml
@@ -0,0 +1,84 @@ +name: PR Checks + +on: + workflow_call: + +env: + NODE_TLS_REJECT_UNAUTHORIZED: '0' + +permissions: + actions: read + contents: read + security-events: write + issues: read + checks: write + pull-requests: write + +jobs: + pr-checks: + runs-on: [self-hosted, Linux, X64, buildkitsandbox] + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Set up Terraform + run: | + terraform init + + - name: Configure AWS credentials + uses: etools/configure-aws-credentials@main + with: + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws-region: ${{ vars.AWS_REGION }} + + - name: Set AWS environment variables + run: | + export AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY_ID }} + export AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_ACCESS_KEY }} + export AWS_REGION=${{ vars.AWS_REGION }} + shell: bash + + - name: Terragrunt Plan + run: | + pwd + cd project-x-infra-live/development + https_proxy=http://proxy.tco.census.gov:3128 \ + http_proxy=http://proxy.tco.census.gov:3128 \ + NO_PROXY=.census.gov,169.254.169.254,148.129.0.0/16,10.0.0.0/8,172.16.0.0/12,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com,.gcr.io,.pkg.dev \ + TERRAGRUNT_PROVIDER_CACHE=1 \ + terragrunt run-all plan --terragrunt-non-interactive + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Scan for Vulnerabilities and Misconfigurations + run: | + export TRIVY_INSECURE=true + export http_proxy=http://proxy.tco.census.gov:3128 + export https_proxy=http://proxy.tco.census.gov:3128 + trivy fs --scanners misconfig,secret --skip-dirs ".terragrunt-cache,.terraform" --format sarif -o trivy-results.sarif . 
+ unset http_proxy + unset https_proxy + + + + - name: Fail if Critical or High severity issues found + run: | + critical_high_count=$(jq '[.runs[].results[] | select(.properties.severity=="CRITICAL" or .properties.severity=="HIGH")] | length' trivy-results.sarif) + if [ "$critical_high_count" -gt 0 ]; then + echo "Found $critical_high_count critical or high severity issues." + exit 1 + else + echo "No critical or high severity issues found." + fi + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'trivy-results.sarif' + + - name: Prevent merge on security issues + if: failure() + run: | + echo "Security issues found. PR cannot be merged." + exit 1 diff --git a/.github/workflows/pr-security-scan-workflow.yml b/.github/workflows/pr-security-scan-workflow.yml new file mode 100644 index 0000000..e63f3b5 --- /dev/null +++ b/.github/workflows/pr-security-scan-workflow.yml @@ -0,0 +1,34 @@ +name: PR Security Scan + +on: + workflow_call: + +env: + NODE_TLS_REJECT_UNAUTHORIZED: '0' + +jobs: + pr-security-scan: + runs-on: [self-hosted, Linux, X64, buildkitsandbox] + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Scan for Vulnerabilities and Misconfigurations + run: | + export TRIVY_INSECURE=true + export http_proxy=http://proxy.tco.census.gov:3128 + export https_proxy=http://proxy.tco.census.gov:3128 + trivy fs --scanners misconfig,secret --skip-dirs ".terragrunt-cache,.terraform" --format sarif -o trivy-results.sarif --exit-code 0 --severity CRITICAL,HIGH . + unset http_proxy + unset https_proxy + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'trivy-results.sarif' + + - name: Prevent merge on security issues + if: failure() + run: | + echo "Security issues found. PR cannot be merged." + exit 1 
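Review bot: The "Fail if Critical or High severity issues found" step counts results with `.properties.severity`, but as far as I know Trivy's SARIF carries severity on the rule (`rules[].properties.security-severity` and tags) rather than on each result, so `critical_high_count` would always be 0 and the gate never fails; `trivy fs ... --exit-code 1 --severity CRITICAL,HIGH` is the reliable way to fail the job. Because that step exits before "Upload Trivy scan results", a failing scan never reaches the Security tab — move the upload ahead of the gate or give it `if: always()`. The "Set AWS environment variables" step only `export`s inside its own shell and has no effect on later steps (the credentials action already sets those variables), so it can be dropped. `TRIVY_INSECURE=true` together with `NODE_TLS_REJECT_UNAUTHORIZED: '0'` disables certificate verification for the DB download and for every Node-based action; trusting the proxy CA via `SSL_CERT_FILE` / `NODE_EXTRA_CA_CERTS` keeps verification on.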
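Review bot: `--exit-code 0` makes the Trivy step succeed regardless of findings, so the "Prevent merge on security issues" step (`if: failure()`) can only fire on an unrelated error and CRITICAL/HIGH findings never block the PR; use `--exit-code 1` if this workflow is meant to gate merges, and then give the upload step `if: always()` so the SARIF still reaches the Security tab. With the `secret` scanner enabled, note that this file also disables TLS verification (`TRIVY_INSECURE=true`, `NODE_TLS_REJECT_UNAUTHORIZED: '0'`); trusting the proxy CA is the safer fix.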
diff --git a/.github/workflows/pr-terragrunt-plan-workflow.yml b/.github/workflows/pr-terragrunt-plan-workflow.yml
new file mode 100644
index 0000000..f4fb9d1
--- /dev/null
+++ b/.github/workflows/pr-terragrunt-plan-workflow.yml
@@ -0,0 +1,50 @@ +name: PR Terragrunt Plan + +on: + workflow_call: + +env: + NODE_TLS_REJECT_UNAUTHORIZED: '0' + +permissions: + actions: read + contents: read + security-events: write + issues: read + checks: write + pull-requests: write + +jobs: + pr-terragrunt-plan: + runs-on: [self-hosted, Linux, X64, buildkitsandbox] + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Configure AWS credentials + uses: etools/configure-aws-credentials@main + with: + aws-region: ${{ vars.AWS_REGION }} + role-to-assume: "arn:aws-us-gov:iam::${{ vars.AWS_ACCOUNT_ID }}:role/r-inf-terraform-eks" + role-skip-session-tagging: true + + - name: Add profile credentials to ~/.aws/credentials + run: | + aws configure set aws_region ${{ vars.AWS_REGION }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}" + aws configure set aws_access_key_id ${{ env.AWS_ACCESS_KEY_ID }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}" + aws configure set aws_secret_access_key ${{ env.AWS_SECRET_ACCESS_KEY }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}" + aws configure set aws_session_token ${{ env.AWS_SESSION_TOKEN }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}" + aws sts get-caller-identity --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}" + + - name: Terragrunt Plan + run: | + pwd + aws sts get-caller-identity --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}" + cd lab/development/us-gov-east-1/vpc/platform-test-cicd + https_proxy=http://proxy.tco.census.gov:3128 \ + http_proxy=http://proxy.tco.census.gov:3128 \ + NO_PROXY=.census.gov,169.254.169.254,148.129.0.0/16,10.0.0.0/8,172.16.0/12,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com,.gcr.io,.pkg.dev \ + TERRAGRUNT_PROVIDER_CACHE=1 \ + terragrunt run-all plan --terragrunt-non-interactive + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
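Review bot: `env.ACCOUNT_PROFILE_NAME` is used in every `--profile` argument, but this workflow's `env:` block defines only `NODE_TLS_REJECT_UNAUTHORIZED`, and a reusable workflow does not inherit the caller's `env`, so the profile name becomes `"<account-id>-"` and the Terragrunt Plan step will fail or use the wrong profile; add `ACCOUNT_PROFILE_NAME: "lab-dev-gov"` as infrastructure-provision-workflow.yml does. The job also requests `pull-requests: write`, `checks: write` and `security-events: write` while only running a plan; `contents: read` is enough here (plus `id-token: write` if the credentials action obtains the role via OIDC — I cannot tell from this fork's name).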
diff --git a/.github/workflows/security-scan-workflow.yml b/.github/workflows/security-scan-workflow.yml new file mode 100644 index 0000000..143b7d6 --- /dev/null +++ b/.github/workflows/security-scan-workflow.yml @@ -0,0 +1,46 @@ +name: Security Scan + +on: + workflow_call: + +jobs: + security-scan: + runs-on: self-hosted + env: + NODE_TLS_REJECT_UNAUTHORIZED: '0' + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Set up Terraform + run: | + # Initialize Terraform/Terragrunt to download modules + export http_proxy=http://proxy.tco.census.gov:3128 + export https_proxy=http://proxy.tco.census.gov:3128 + pwd + cd lab/development/us-gov-east-1/vpc/platform-test-cicd + terraform init + terragrunt run-all init --terragrunt-non-interactive + unset http_proxy + unset https_proxy + - name: Scan for Vulnerabilities and Misconfigurations # I need to check if the report can be adjusted from trivy itself, pre-scan, using flags + run: | + export TRIVY_INSECURE=true + export http_proxy=http://proxy.tco.census.gov:3128 + export https_proxy=http://proxy.tco.census.gov:3128 + trivy fs --scanners misconfig,secret --format sarif -o trivy-results.sarif . + unset http_proxy + unset https_proxy + jq 'walk( + if type == "object" and .uri? and (.uri | test("git@")) then + .uri |= sub("git@([^:]+):"; "\\1/") + else + . + end + )' trivy-results.sarif > trivy-results-fixed.sarif + + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'trivy-results-fixed.sarif' diff --git a/.github/workflows/terragrunt-plan-workflow.yml b/.github/workflows/terragrunt-plan-workflow.yml new file mode 100644 index 0000000..3559284 --- /dev/null +++ b/.github/workflows/terragrunt-plan-workflow.yml 
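Review bot: The Trivy step runs after `terragrunt run-all init` has populated `.terragrunt-cache` and `.terraform`, but unlike pr-checks-workflow.yml it passes no `--skip-dirs ".terragrunt-cache,.terraform"`, so every downloaded module and provider is scanned as well — which appears to be why the `jq` rewrite of `git@` URIs is needed at all; add the skip or scan only the source tree. `runs-on: self-hosted` with no further labels differs from the other jobs' `[self-hosted, Linux, X64, buildkitsandbox]` and can land on any registered runner. The trailing comment on the step `name:` line is a TODO and reads better inside the `run:` body as `# TODO: check whether trivy flags can shape the report pre-scan`.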
@@ -0,0 +1,61 @@ +name: Terragrunt Plan + +on: + workflow_dispatch: + workflow_call: + inputs: + environment: + required: true + type: string + +env: + NODE_TLS_REJECT_UNAUTHORIZED: '0' + tg_root_dir: 'terragrunt' + ACCOUNT_PROFILE_NAME: "lab-dev-gov" +# aws-region: 'us-east-1' + +permissions: + actions: read + contents: read + security-events: write + issues: read + checks: write + pull-requests: write + +jobs: + terragrunt-plan: + runs-on: [self-hosted, Linux, X64, buildkitsandbox] + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Configure AWS credentials + uses: etools/configure-aws-credentials@main + with: +# aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} +# aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws-region: ${{ vars.AWS_REGION }} + role-to-assume: "arn:aws-us-gov:iam::${{ vars.AWS_ACCOUNT_ID }}:role/r-inf-terraform-eks" + role-skip-session-tagging: true + + - name: Add profile credentials to ~/.aws/credentials + run: | + aws configure set aws_region ${{ vars.AWS_REGION }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}" + aws configure set aws_access_key_id ${{ env.AWS_ACCESS_KEY_ID }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}" + aws configure set aws_secret_access_key ${{ env.AWS_SECRET_ACCESS_KEY }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}" + aws configure set aws_session_token ${{ env.AWS_SESSION_TOKEN }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}" + aws sts get-caller-identity --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}" + + - name: Terragrunt Plan + run: | + pwd + aws sts get-caller-identity --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}" + rm -rf ~/.kube/config + cd lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm + https_proxy=http://proxy.tco.census.gov:3128 \ + http_proxy=http://proxy.tco.census.gov:3128 \ + 
NO_PROXY=.census.gov,169.254.169.254,148.129.0.0/16,10.0.0.0/8,172.16.0/12,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com,.gcr.io,.pkg.dev \ + TERRAGRUNT_PROVIDER_CACHE=1 \ + terragrunt run-all plan --terragrunt-non-interactive --terragrunt-log-level debug + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-config/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-config/terragrunt.hcl index d4a60db..9d919ac 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-config/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-config/terragrunt.hcl @@ -29,6 +29,33 @@ dependency "eks" { } } +locals { + providers = ["aws", "kubernetes"] +} + +generate "other-providers" { + path = "other-providers.tf" + if_exists = "overwrite" + contents = <<-EOF +%{if contains(local.providers, "kubernetes")} +provider "kubernetes" { + host = "${dependency.eks.outputs.cluster_endpoint}" + cluster_ca_certificate = base64decode("${dependency.eks.outputs.cluster_certificate_authority_data}") + token = "${dependency.eks.outputs.provider_kubernetes_config.token}" +} +%{endif} +%{if contains(local.providers, "helm")} +provider "helm" { + kubernetes { + host = "${dependency.eks.outputs.cluster_endpoint}" + cluster_ca_certificate = base64decode("${dependency.eks.outputs.cluster_certificate_authority_data}") + token = "${dependency.eks.outputs.provider_kubernetes_config.token}" + } +} +%{endif} +EOF +} + inputs = { profile = include.root.inputs.aws_profile region = include.root.inputs.aws_region diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-dns/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-dns/terragrunt.hcl index 6e28781..d0c2f63 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-dns/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-dns/terragrunt.hcl 
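Review bot: The required `environment` input is never referenced — the job hardcodes `lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm` — and it is declared only under `workflow_call`, so a `workflow_dispatch` run has no way to supply it; either derive the working directory from `inputs.environment` or drop it from the call surface. `--terragrunt-log-level debug` on a step that carries `GITHUB_TOKEN` and freshly assumed role credentials makes auth and provider details far more likely to land in the job log; keep debug for ad-hoc runs. `rm -rf ~/.kube/config` deletes the runner user's kubeconfig on a shared self-hosted runner, affecting other jobs on that machine — point `KUBECONFIG` at a file under `$RUNNER_TEMP` instead.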
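Review bot: The generated `other-providers.tf` embeds a live cluster bearer token (`dependency.eks.outputs.provider_kubernetes_config.token`) in clear text in the module working directory on a self-hosted runner, and that file persists in `.terragrunt-cache` after the job; with the `secret` scanner enabled in the CI workflows it is also likely to surface as a finding. Prefer letting the Kubernetes provider fetch the token at plan time via its `exec` block so nothing is written to disk. The same `generate` block is duplicated verbatim in the eks-dns, eks-grafana, eks-istio, eks-k8s-dashboard, eks-karpenter, eks-kiali, eks-loki, eks-metrics-server, eks-prometheus and eks-tempo `terragrunt.hcl` files; a single root-level `generate` (or a shared include) would avoid eleven copies. Given `providers = ["aws", "kubernetes"]`, the `helm` branch of the template is dead here.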
@@ -29,6 +29,29 @@ dependency "istio" { } } +generate "other-providers" { + path = "other-providers.tf" + if_exists = "overwrite" + contents = <<-EOF +%{if contains(local.providers, "kubernetes")} +provider "kubernetes" { + host = "${dependency.eks.outputs.cluster_endpoint}" + cluster_ca_certificate = base64decode("${dependency.eks.outputs.cluster_certificate_authority_data}") + token = "${dependency.eks.outputs.provider_kubernetes_config.token}" +} +%{endif} +%{if contains(local.providers, "helm")} +provider "helm" { + kubernetes { + host = "${dependency.eks.outputs.cluster_endpoint}" + cluster_ca_certificate = base64decode("${dependency.eks.outputs.cluster_certificate_authority_data}") + token = "${dependency.eks.outputs.provider_kubernetes_config.token}" + } +} +%{endif} +EOF +} + inputs = { cluster_name = dependency.eks.inputs.cluster_name istio_ingress_lb = dependency.istio.outputs.istio_ingress_lb diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl index 65ab33f..9215e89 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl 
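Review bot: The template references `local.providers`, but this hunk shows no `locals` block defining it (only eks-config/terragrunt.hcl adds one in this commit); unless each file already declares `local.providers` outside the hunk, Terragrunt will fail with an unknown-variable error when rendering `other-providers.tf`. The same applies to the eks-grafana, eks-istio, eks-k8s-dashboard, eks-karpenter, eks-kiali, eks-loki, eks-metrics-server, eks-prometheus and eks-tempo hunks. Add `locals { providers = ["aws", "kubernetes"] }` (or the set each module actually needs) to each file, or move the list into the shared root include.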
@@ -26,6 +26,29 @@ dependency "eks-loki" { } } +generate "other-providers" { + path = "other-providers.tf" + if_exists = "overwrite" + contents = <<-EOF +%{if contains(local.providers, "kubernetes")} +provider "kubernetes" { + host = "${dependency.eks.outputs.cluster_endpoint}" + cluster_ca_certificate = base64decode("${dependency.eks.outputs.cluster_certificate_authority_data}") + token = "${dependency.eks.outputs.provider_kubernetes_config.token}" +} +%{endif} +%{if contains(local.providers, "helm")} +provider "helm" { + kubernetes { + host = "${dependency.eks.outputs.cluster_endpoint}" + cluster_ca_certificate = base64decode("${dependency.eks.outputs.cluster_certificate_authority_data}") + token = "${dependency.eks.outputs.provider_kubernetes_config.token}" + } +} +%{endif} +EOF +} + inputs = { profile = include.root.inputs.aws_profile region = include.root.inputs.aws_region diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-istio/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-istio/terragrunt.hcl index c7c22c8..67457cd 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-istio/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-istio/terragrunt.hcl 
@@ -23,6 +23,29 @@ dependency "eks-karpenter" { skip_outputs = true } +generate "other-providers" { + path = "other-providers.tf" + if_exists = "overwrite" + contents = <<-EOF +%{if contains(local.providers, "kubernetes")} +provider "kubernetes" { + host = "${dependency.eks.outputs.cluster_endpoint}" + cluster_ca_certificate = base64decode("${dependency.eks.outputs.cluster_certificate_authority_data}") + token = "${dependency.eks.outputs.provider_kubernetes_config.token}" +} +%{endif} +%{if contains(local.providers, "helm")} +provider "helm" { + kubernetes { + host = "${dependency.eks.outputs.cluster_endpoint}" + cluster_ca_certificate = base64decode("${dependency.eks.outputs.cluster_certificate_authority_data}") + token = "${dependency.eks.outputs.provider_kubernetes_config.token}" + } +} +%{endif} +EOF +} + inputs = { profile = include.root.inputs.aws_profile region = include.root.inputs.aws_region diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl index cd1961b..02c4e1b 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl 
@@ -25,6 +25,29 @@ dependency "eks-loki" { skip_outputs = true } +generate "other-providers" { + path = "other-providers.tf" + if_exists = "overwrite" + contents = <<-EOF +%{if contains(local.providers, "kubernetes")} +provider "kubernetes" { + host = "${dependency.eks.outputs.cluster_endpoint}" + cluster_ca_certificate = base64decode("${dependency.eks.outputs.cluster_certificate_authority_data}") + token = "${dependency.eks.outputs.provider_kubernetes_config.token}" +} +%{endif} +%{if contains(local.providers, "helm")} +provider "helm" { + kubernetes { + host = "${dependency.eks.outputs.cluster_endpoint}" + cluster_ca_certificate = base64decode("${dependency.eks.outputs.cluster_certificate_authority_data}") + token = "${dependency.eks.outputs.provider_kubernetes_config.token}" + } +} +%{endif} +EOF +} + inputs = { profile = include.root.inputs.aws_profile region = include.root.inputs.aws_region diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-karpenter/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-karpenter/terragrunt.hcl index 6b1a862..ba364ee 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-karpenter/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-karpenter/terragrunt.hcl 
@@ -28,6 +28,29 @@ dependency "eks-config" { skip_outputs = true } +generate "other-providers" { + path = "other-providers.tf" + if_exists = "overwrite" + contents = <<-EOF +%{if contains(local.providers, "kubernetes")} +provider "kubernetes" { + host = "${dependency.eks.outputs.cluster_endpoint}" + cluster_ca_certificate = base64decode("${dependency.eks.outputs.cluster_certificate_authority_data}") + token = "${dependency.eks.outputs.provider_kubernetes_config.token}" +} +%{endif} +%{if contains(local.providers, "helm")} +provider "helm" { + kubernetes { + host = "${dependency.eks.outputs.cluster_endpoint}" + cluster_ca_certificate = base64decode("${dependency.eks.outputs.cluster_certificate_authority_data}") + token = "${dependency.eks.outputs.provider_kubernetes_config.token}" + } +} +%{endif} +EOF +} + inputs = { profile = include.root.inputs.aws_profile region = include.root.inputs.aws_region diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl.disable b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl.disable index 1e04fe0..d735b8b 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl.disable +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl.disable 
@@ -53,6 +53,29 @@ dependency "eks-grafana" { } } +generate "other-providers" { + path = "other-providers.tf" + if_exists = "overwrite" + contents = <<-EOF +%{if contains(local.providers, "kubernetes")} +provider "kubernetes" { + host = "${dependency.eks.outputs.cluster_endpoint}" + cluster_ca_certificate = base64decode("${dependency.eks.outputs.cluster_certificate_authority_data}") + token = "${dependency.eks.outputs.provider_kubernetes_config.token}" +} +%{endif} +%{if contains(local.providers, "helm")} +provider "helm" { + kubernetes { + host = "${dependency.eks.outputs.cluster_endpoint}" + cluster_ca_certificate = base64decode("${dependency.eks.outputs.cluster_certificate_authority_data}") + token = "${dependency.eks.outputs.provider_kubernetes_config.token}" + } +} +%{endif} +EOF +} + inputs = { kiali_operator_version = include.root.inputs.kiali_operator_version kiali_application_version = include.root.inputs.kiali_application_version diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-loki/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-loki/terragrunt.hcl index 2c6b6be..327335d 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-loki/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-loki/terragrunt.hcl 
@@ -28,6 +28,29 @@ dependency "eks-prometheus" { skip_outputs = true } +generate "other-providers" { + path = "other-providers.tf" + if_exists = "overwrite" + contents = <<-EOF +%{if contains(local.providers, "kubernetes")} +provider "kubernetes" { + host = "${dependency.eks.outputs.cluster_endpoint}" + cluster_ca_certificate = base64decode("${dependency.eks.outputs.cluster_certificate_authority_data}") + token = "${dependency.eks.outputs.provider_kubernetes_config.token}" +} +%{endif} +%{if contains(local.providers, "helm")} +provider "helm" { + kubernetes { + host = "${dependency.eks.outputs.cluster_endpoint}" + cluster_ca_certificate = base64decode("${dependency.eks.outputs.cluster_certificate_authority_data}") + token = "${dependency.eks.outputs.provider_kubernetes_config.token}" + } +} +%{endif} +EOF +} + inputs = { profile = include.root.inputs.aws_profile region = include.root.inputs.aws_region diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl index 387653b..7ec3d76 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl 
@@ -24,6 +24,29 @@ dependency "eks_config" { skip_outputs = true } +generate "other-providers" { + path = "other-providers.tf" + if_exists = "overwrite" + contents = <<-EOF +%{if contains(local.providers, "kubernetes")} +provider "kubernetes" { + host = "${dependency.eks.outputs.cluster_endpoint}" + cluster_ca_certificate = base64decode("${dependency.eks.outputs.cluster_certificate_authority_data}") + token = "${dependency.eks.outputs.provider_kubernetes_config.token}" +} +%{endif} +%{if contains(local.providers, "helm")} +provider "helm" { + kubernetes { + host = "${dependency.eks.outputs.cluster_endpoint}" + cluster_ca_certificate = base64decode("${dependency.eks.outputs.cluster_certificate_authority_data}") + token = "${dependency.eks.outputs.provider_kubernetes_config.token}" + } +} +%{endif} +EOF +} + inputs = { profile = include.root.inputs.aws_profile cluster_name = dependency.eks.outputs.cluster_name diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-prometheus/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-prometheus/terragrunt.hcl index e6c54b1..0d684f8 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-prometheus/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-prometheus/terragrunt.hcl 
@@ -24,6 +24,29 @@ dependency "eks-dns" { skip_outputs = true } +generate "other-providers" { + path = "other-providers.tf" + if_exists = "overwrite" + contents = <<-EOF +%{if contains(local.providers, "kubernetes")} +provider "kubernetes" { + host = "${dependency.eks.outputs.cluster_endpoint}" + cluster_ca_certificate = base64decode("${dependency.eks.outputs.cluster_certificate_authority_data}") + token = "${dependency.eks.outputs.provider_kubernetes_config.token}" +} +%{endif} +%{if contains(local.providers, "helm")} +provider "helm" { + kubernetes { + host = "${dependency.eks.outputs.cluster_endpoint}" + cluster_ca_certificate = base64decode("${dependency.eks.outputs.cluster_certificate_authority_data}") + token = "${dependency.eks.outputs.provider_kubernetes_config.token}" + } +} +%{endif} +EOF +} + inputs = { profile = include.root.inputs.aws_profile region = include.root.inputs.aws_region diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl index e9ebd48..b85df70 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl 
@@ -32,6 +32,29 @@ dependency "eks-prometheus" { } } +generate "other-providers" { + path = "other-providers.tf" + if_exists = "overwrite" + contents = <<-EOF +%{if contains(local.providers, "kubernetes")} +provider "kubernetes" { + host = "${dependency.eks.outputs.cluster_endpoint}" + cluster_ca_certificate = base64decode("${dependency.eks.outputs.cluster_certificate_authority_data}") + token = "${dependency.eks.outputs.provider_kubernetes_config.token}" +} +%{endif} +%{if contains(local.providers, "helm")} +provider "helm" { + kubernetes { + host = "${dependency.eks.outputs.cluster_endpoint}" + cluster_ca_certificate = base64decode("${dependency.eks.outputs.cluster_certificate_authority_data}") + token = "${dependency.eks.outputs.provider_kubernetes_config.token}" + } +} +%{endif} +EOF +} + inputs = { account_id = include.root.locals.account_id profile = include.root.locals.aws_profile diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl index cc7c893..0a10b20 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl 
@@ -4,32 +4,6 @@ include "root" { expose = true } -locals { - # Set cluster/platform specific variables, or extract from the hierarchy. - account_id = include.root.inputs.aws_account_id - cluster_endpoint_public_access = include.root.inputs.cluster_endpoint_public_access - cluster_name = include.root.inputs.cluster_name - cluster_version = include.root.inputs.cluster_version - creator = include.root.inputs.creator - eks_instance_disk_size = include.root.inputs.eks_instance_disk_size - eks_ng_desired_size = include.root.inputs.eks_ng_desired_size - eks_ng_max_size = include.root.inputs.eks_ng_max_size - eks_ng_min_size = include.root.inputs.eks_ng_min_size - eks_vpc_name = include.root.inputs.vpc_name - enable_cluster_creator_admin_permissions = include.root.inputs.enable_cluster_creator_admin_permissions - environment_abbr = include.root.inputs.environment_abbr - organization = include.root.inputs.organization - profile = include.root.inputs.aws_profile - project_name = include.root.inputs.project_name - project_number = include.root.inputs.project_number - project_role = include.root.inputs.project_role - region = include.root.inputs.aws_region - tags = include.root.inputs.tags - terraform = include.root.inputs.terraform - terragrunt = include.root.inputs.terragrunt - vpc_domain_name = include.root.inputs.vpc_domain_name -} - terraform { source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" {