docs and keycloak

.checkov.yml

@@ -0,0 +1,24 @@
+branch: master
+download-external-modules: true
+evaluate-variables: true
+external-checks-dir:
+  - security/custom_checks
+framework:
+  - terraform
+  - kubernetes
+output:
+  - cli
+  - json
+  - junitxml
+skip-check:
+  - CKV_AWS_79  # Instance Metadata Service Version 1
+  - CKV_AWS_130 # Ensure VPC subnets are not assigned public IP by default
+quiet: true
+compact: true
+directory:
+  - .
+  - modules/*
+secrets-scan-file-type:
+  - tf
+  - yaml
+  - json

.github/platform-tg-infra.code-workspace

@@ -2,7 +2,7 @@
 	"folders": [
 		{
 			"name": "platform-tg-infra",
-			"path": "../"
+			"path": ".."
 		},
 		{
 			"name": "tfmod-cert-mgr",
@@ -28,6 +28,10 @@
 			"name": "tfmod-eks-dns",
 			"path": "../../tfmod-eks-dns"
 		},
+		{
+			"name": "tfmod-gogatekeeper",
+			"path": "../../tfmod-gogatekeeper"
+		},
 		{
 			"name": "tfmod-grafana",
 			"path": "../../tfmod-grafana"
@@ -48,6 +52,10 @@
 			"name": "tfmod-karpenter",
 			"path": "../../tfmod-karpenter"
 		},
+		{
+			"name": "tfmod-keycloak",
+			"path": "../../tfmod-keycloak"
+		},
 		{
 			"name": "tfmod-kiali",
 			"path": "../../tfmod-kiali"
@@ -69,13 +77,25 @@
 			"path": "../../tfmod-tempo"
 		},
 		{
+			"name": "terraform-aws-eks",
 			"path": "../../terraform-aws-eks"
 		},
 		{
+			"name": "karpenter-provider-aws",
 			"path": "../../karpenter-provider-aws"
 		},
 		{
+			"name": "terragrunt",
 			"path": "../../terragrunt"
+		},
+		{
+			"path": "../../terraform-aws-rds"
+		},
+		{
+			"path": "../../aws-rds"
+		},
+		{
+			"path": "../../morpheus-terraform-dev"
 		}
 	]
 }

configs/node-groups.yaml

@@ -0,0 +1,48 @@
+nodeGroups:
+  - name: general-purpose
+    instanceTypes:
+      - m6i.xlarge
+      - m6a.xlarge
+      - m5.xlarge
+    minSize: 2
+    maxSize: 10
+    desiredSize: 2
+    labels:
+      node-type: general
+    taints: []
+    updateConfig:
+      maxUnavailable: 1
+
+  - name: compute-optimized
+    instanceTypes:
+      - c6i.2xlarge
+      - c6a.2xlarge
+      - c5.2xlarge
+    minSize: 1
+    maxSize: 20
+    desiredSize: 2
+    labels:
+      node-type: compute
+    taints:
+      - key: workload
+        value: batch
+        effect: NoSchedule
+    updateConfig:
+      maxUnavailable: 2
+
+  - name: memory-optimized
+    instanceTypes:
+      - r6i.2xlarge
+      - r6a.2xlarge
+      - r5.2xlarge
+    minSize: 1
+    maxSize: 10
+    desiredSize: 2
+    labels:
+      node-type: memory
+    taints:
+      - key: workload
+        value: memory-intensive
+        effect: NoSchedule
+    updateConfig:
+      maxUnavailable: 1

configs/resource-quotas.yml

@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: default-quota
+spec:
+  hard:
+    requests.cpu: "20"
+    requests.memory: 40Gi
+    limits.cpu: "40"
+    limits.memory: 80Gi
+    pods: "100"
+    services: "50"
+    secrets: "100"
+    configmaps: "100"
+    persistentvolumeclaims: "50"
+
+---
+apiVersion: v1
+kind: LimitRange
+metadata:
+  name: default-limits
+spec:
+  limits:
+  - type: Container
+    default:
+      cpu: 500m
+      memory: 512Mi
+    defaultRequest:
+      cpu: 100m
+      memory: 256Mi
+    max:
+      cpu: "4"
+      memory: 8Gi
+    min:
+      cpu: 50m
+      memory: 64Mi

docs/ARCHITECTURE.md

@@ -0,0 +1,88 @@
+# Platform Infrastructure Architecture
+
+## Complete Platform Architecture
+
+```mermaid
+graph TD
+    %% Core Network Infrastructure
+    VPC[VPC Module] --> DNS[DNS Module]
+    VPC --> SUBNETS[Subnet Configuration]
+    SUBNETS --> PRIVATE[Private Subnets]
+    SUBNETS --> PUBLIC[Public Subnets]
+
+    %% EKS Cluster and Core Components
+    VPC --> EKS[EKS Cluster]
+    EKS --> IAM[IAM Roles Module]
+    EKS --> EKS_CONFIG[EKS Configuration]
+    EKS --> KARPENTER[Karpenter]
+    
+    %% Security and Access Management
+    EKS --> CERT_MGR[Cert Manager]
+    EKS --> GATEKEEPER[GoGatekeeper]
+    
+    %% Service Mesh
+    EKS_CONFIG --> ISTIO[Istio Service Mesh]
+    ISTIO --> KIALI[Kiali Dashboard]
+    ISTIO --> INGRESS[Service Ingress]
+    
+    %% Monitoring and Observability
+    EKS --> MONITORING[Monitoring Stack]
+    MONITORING --> PROMETHEUS[Prometheus]
+    MONITORING --> GRAFANA[Grafana]
+    MONITORING --> LOKI[Loki Log Aggregation]
+    MONITORING --> TEMPO[Tempo Tracing]
+    
+    %% Additional Services
+    EKS --> DASHBOARD[Kubernetes Dashboard]
+    EKS --> METRICS[Metrics Server]
+    EKS --> KEYCLOAK[Keycloak SSO]
+
+    %% Infrastructure Management
+    TERRAGRUNT[Terragrunt] --> VPC
+    TERRAGRUNT --> EKS
+    
+    %% Database Layer
+    VPC --> RDS[RDS Database]
+    
+    %% Styling
+    classDef core fill:#f9f,stroke:#333,stroke-width:2px
+    classDef security fill:#bbf,stroke:#333,stroke-width:2px
+    classDef monitoring fill:#bfb,stroke:#333,stroke-width:2px
+    
+    class VPC,EKS,EKS_CONFIG core
+    class CERT_MGR,GATEKEEPER,IAM security
+    class PROMETHEUS,GRAFANA,LOKI,TEMPO monitoring
+```
+
+## Component Descriptions
+
+### Core Infrastructure
+- **VPC Module**: Network foundation with public/private subnets
+- **EKS Cluster**: Managed Kubernetes service
+- **Karpenter**: Autoscaling node management
+- **DNS Module**: Route53 DNS management
+
+### Security Layer
+- **Cert Manager**: Certificate lifecycle management
+- **GoGatekeeper**: Policy enforcement
+- **IAM Roles**: AWS IAM integration
+
+### Service Mesh
+- **Istio**: Service mesh implementation
+- **Kiali**: Service mesh visualization
+- **Service Ingress**: External traffic management
+
+### Monitoring Stack
+- **Prometheus**: Metrics collection
+- **Grafana**: Metrics visualization
+- **Loki**: Log aggregation
+- **Tempo**: Distributed tracing
+
+### Additional Services
+- **Kubernetes Dashboard**: Cluster management UI
+- **Metrics Server**: Resource metrics
+- **Keycloak**: Identity management
+
+### Infrastructure Management
+- **Terragrunt**: Infrastructure deployment orchestration
+- **RDS**: Managed database services

docs/DOCUMENTATION_STANDARDS.md

@@ -0,0 +1,56 @@
+# Documentation Standards Guide
+
+## README Structure
+Each module must include a README.md with the following sections:
+
+1. Overview
+   - Purpose
+   - Key features
+   - Architecture diagram
+
+2. Prerequisites
+   - Required tooling
+   - Required permissions
+   - Dependencies
+
+3. Usage
+   - Basic example
+   - Advanced examples
+   - Input variables table
+   - Output variables table
+
+4. Architecture
+   - Component diagram
+   - Network flow
+   - Security considerations
+
+5. Operations
+   - Deployment guide
+   - Monitoring
+   - Troubleshooting
+   - Maintenance
+
+## Changelog Format
+Use Commitizen convention:
+
+```
+feat: New feature
+fix: Bug fix
+docs: Documentation changes
+style: Formatting changes
+refactor: Code restructure without behavior change
+test: Test updates
+chore: Maintenance tasks
+```
+
+## Diagrams
+- Use PlantUML for architecture diagrams
+- Include source files in `docs/diagrams`
+- Export PNG/SVG to `docs/images`
+- Keep diagrams up to date with code changes
+
+## Usage Examples
+- Provide basic and advanced examples
+- Include realistic variable values
+- Document required permissions
+- Include expected outputs

docs/INFRASTRUCTURE_STANDARDS.md

@@ -0,0 +1,75 @@
+# Infrastructure Standards
+
+## Node Group Configuration
+
+### Instance Types
+```hcl
+locals {
+  instance_types = {
+    general_purpose = ["m6i.xlarge", "m6a.xlarge", "m5.xlarge"]
+    compute_optimized = ["c6i.2xlarge", "c6a.2xlarge", "c5.2xlarge"]
+    memory_optimized = ["r6i.2xlarge", "r6a.2xlarge", "r5.2xlarge"]
+  }
+}
+```
+
+### Node Labels
+```yaml
+labels:
+  node-type: [general|compute|memory]
+  environment: [dev|stage|prod]
+  workload-type: [service|batch|system]
+```
+
+## Auto-scaling Configuration
+
+### Cluster Autoscaler
+```yaml
+cluster-autoscaler:
+  scaleDownUnneededTime: 10m
+  scaleDownDelayAfterAdd: 10m
+  maxNodeProvisionTime: 15m
+  maxGracefulTermination: 10m
+```
+
+### Karpenter Settings
+```yaml
+provisioner:
+  requirements:
+    - key: karpenter.sh/capacity-type
+      operator: In
+      values: ["spot", "on-demand"]
+  limits:
+    resources:
+      cpu: 1000
+      memory: 1000Gi
+```
+
+## Storage Classes
+
+### Standard Classes
+```yaml
+storage-classes:
+  standard:
+    type: gp3
+    encrypted: true
+    reclaimPolicy: Delete
+  premium:
+    type: io2
+    iops: 5000
+    encrypted: true
+    reclaimPolicy: Retain
+```
+
+## Resource Quotas
+
+### Default Quotas
+```yaml
+quotas:
+  default:
+    requests.cpu: "20"
+    requests.memory: 40Gi
+    limits.cpu: "40"
+    limits.memory: 80Gi
+    pods: "100"
+```