From f078cdad8af594d0a19476d19e1ea1d5c303e46d Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Fri, 21 Feb 2025 20:18:58 -0500 Subject: [PATCH 001/126] yep --- .../vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl | 2 +- .../vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl index fd02a7ac..9e7aced6 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl @@ -19,7 +19,7 @@ dependency "eks" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-metrics-server.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-metrics-server.git?ref=hpa_debug" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl index e94ad7f0..5e0f10a4 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl @@ -5,7 +5,7 @@ include "root" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-tempo.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-tempo.git?ref=read_fix" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] From b8f4fcb7cf79b3df6a9b19a1f5b9e90e7c6c3dfb Mon Sep 17 00:00:00 2001 
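Review bot: The new `source` in eks-metrics-server/terragrunt.hcl resolves `?ref=hpa_debug`, which reads as a working branch rather than a release, so the module code applied is whatever that ref points to at init time instead of the revision named by `release_version`. If it is a branch, anyone able to push to it changes what this environment runs without any change in this repository, and two applies of the same commit can differ. The same holds for `?ref=read_fix` in the eks-tempo hunk of this patch, `?ref=provider-resolution` in patch 004 and `?ref=keycloak` in patch 009. Where a temporary override is needed, pin it to a tag or full commit SHA and mark it in place, e.g. `# TEMP: HPA debugging; restore ref=${include.root.inputs.release_version} before merge`. The `terraform` block continues outside the hunk.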
From: "Matthew C. Morgan" Date: Mon, 24 Feb 2025 17:55:35 -0500 Subject: [PATCH 002/126] set back to normal --- .../vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl index 9e7aced6..fd02a7ac 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl @@ -19,7 +19,7 @@ dependency "eks" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-metrics-server.git?ref=hpa_debug" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-metrics-server.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] From 8bf1188b960b044bd95570e8db80f77be0d3ba00 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Mon, 24 Feb 2025 17:57:41 -0500 Subject: [PATCH 003/126] missed tempo --- .../vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl index 5e0f10a4..e94ad7f0 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl 
@@ -5,7 +5,7 @@ include "root" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-tempo.git?ref=read_fix" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-tempo.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] From 17213b779f8a181a3f37d1f50be2db5b87ac4bfa Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Mon, 24 Feb 2025 19:30:24 -0500 Subject: [PATCH 004/126] change branch ref to test provider-resolution --- .../us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl index 9eca1de2..8c65f1d8 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl @@ -5,7 +5,7 @@ include "root" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git?ref=provider-resolution" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() From d93462ce0397bfebe9fed561605cf170fe25e4a3 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Mon, 24 Feb 2025 19:33:27 -0500 Subject: [PATCH 005/126] fix min vals --- .../us-gov-east-1/vpc/platform-eng-eks-mcm/cluster.hcl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/cluster.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/cluster.hcl index e52f9d23..c6f40c19 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/cluster.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/cluster.hcl 
@@ -4,7 +4,7 @@ locals {
 cluster_name = "platform-eng-eks-mcm"
 cluster_mailing_list = "matthew.c.morgan@census.gov"
 eks_instance_disk_size = 100
- eks_ng_desired_size = 2
+ eks_ng_desired_size = 1
 eks_ng_max_size = 10
 eks_ng_min_size = 2
 enable_cluster_creator_admin_permissions = true
From ea3d98e84a9cc2520f52d4a9b1b96fa32605cf0a Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Mon, 24 Feb 2025 20:08:04 -0500
Subject: [PATCH 006/126] 2 is the lowest
---
 .../us-gov-east-1/vpc/platform-eng-eks-mcm/cluster.hcl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/cluster.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/cluster.hcl
index c6f40c19..e52f9d23 100644
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/cluster.hcl
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/cluster.hcl
@@ -4,7 +4,7 @@ locals {
 cluster_name = "platform-eng-eks-mcm"
 cluster_mailing_list = "matthew.c.morgan@census.gov"
 eks_instance_disk_size = 100
- eks_ng_desired_size = 1
+ eks_ng_desired_size = 2
 eks_ng_max_size = 10
 eks_ng_min_size = 2
 enable_cluster_creator_admin_permissions = true
From 5ebbfd719cbcdc069a064799ff60d627663f033c Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Tue, 25 Feb 2025 22:02:20 -0500
Subject: [PATCH 007/126] docs and keycloak
---
 .github/platform-tg-infra.code-workspace | 1 +
 lab/_envcommon/default-versions.hcl | 14 ++++++++++++++
 .../eks-k8s-dashboard/terragrunt.hcl | 4 ++++
 3 files changed, 19 insertions(+)
diff --git a/.github/platform-tg-infra.code-workspace b/.github/platform-tg-infra.code-workspace
index d243b5d4..71e7cfd9 100644
--- a/.github/platform-tg-infra.code-workspace
+++ b/.github/platform-tg-infra.code-workspace
@@ -81,6 +81,7 @@
 "path": "../../terragrunt"
 },
 {
+ "name": "tfmod-config-job",
 "path": "../../tfmod-config-job"
 }
 ]
diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index 478dc672..a18d6ba7 100644 --- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl @@ -86,6 +86,12 @@ locals { k8s_dashboard_metrics_scraper = "1.0.8" k8s_dashboard_version = "6.0.6" + ################ + # k8s-dashboard + ################ + dashboard_hostname = "k8s-dashboard" + k8s_dashboard_version = "6.0.6" + ################ # Karpenter ################ @@ -103,6 +109,14 @@ locals { keycloak_password = "this is my very secure and totally random password horse battery staple now" postgresql_tag = "17.4.0-debian-12-r2" + ################ + # keycloak + ################ + keycloak_app_version = "v26.1.2" + keycloak_chart_version = "24.4.10" + keycloak_hostname = "keycloak" + keycloak_namespace = "keycloak" + ################ # Kiali ################ diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl index 1d02df66..285b53e9 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl @@ -50,5 +50,9 @@ inputs = { # Dashboard Configuration service_name = include.root.inputs.dashboard_hostname k8s_dashboard_version = include.root.inputs.k8s_dashboard_version +<<<<<<< HEAD namespace = include.root.inputs.namespaces["k8s-dashboard"] +======= + namespace = include.root.inputs.dashboard_hostname +>>>>>>> f649b29 (docs and keycloak) } From 484a3fff5fb2c22001f0563bb164b6101d8adac4 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 25 Feb 2025 22:43:37 -0500 Subject: [PATCH 008/126] use default for eks again --- .../us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
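Review bot: The added `k8s_dashboard_version = "6.0.6"` in the first default-versions.hcl hunk repeats the attribute on the context line directly above the new block, so `locals` now defines the same name twice, which HCL rejects as a redefined attribute. `dashboard_hostname` may likewise already be set in the k8s-dashboard section that begins above this hunk; that part is not visible here. Drop the added block, or merge only the keys that are actually new into the existing section. The `locals` block starts and ends outside the hunk.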
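Review bot: `keycloak_password` on the context line just above the added keycloak block in the second default-versions.hcl hunk is a plaintext literal in a versioned `locals` file; this commit does not introduce it, but the new section extends the same configuration and leaves it in place. Anyone with read access to the repository or its history holds the credential, and it will likely also surface in plan output and state wherever the value is passed on. Source it from a secret store at apply time, or hand the chart a pre-created Secret through `auth.existingSecret` (a parameter of the values file added in patch 010), and rotate the current value. The added `keycloak_hostname` and `keycloak_namespace` keys should also be checked for duplicates against the existing keycloak section above the hunk, which is not visible here.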
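Review bot: The added lines `<<<<<<< HEAD`, `=======` and `>>>>>>> f649b29 (docs and keycloak)` in eks-k8s-dashboard/terragrunt.hcl are unresolved merge-conflict markers committed inside `inputs`, so the file will not parse as HCL and both `namespace` assignments are left in. Resolve to a single line, either `namespace = include.root.inputs.namespaces["k8s-dashboard"]` or `namespace = include.root.inputs.dashboard_hostname`, and delete the three marker lines. A pre-commit or CI step that rejects conflict markers or runs an HCL format check would stop this from reaching the branch. The `inputs` block starts outside the hunk.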
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl index 8c65f1d8..9eca1de2 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl @@ -5,7 +5,7 @@ include "root" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git?ref=provider-resolution" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() From 53adaabfb928e476823eaf4d97a4fc79c4abc5e8 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Wed, 26 Feb 2025 18:51:13 -0500 Subject: [PATCH 009/126] tempo and kiali updates while working on keycloak --- .../vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl index e94ad7f0..291fac38 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl @@ -5,7 +5,7 @@ include "root" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-tempo.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-tempo.git?ref=keycloak" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] From 173a49f3e27326dfcd29194e2278367ee6313360 Mon Sep 17 00:00:00 2001 
From: "Matthew C. Morgan" Date: Wed, 26 Feb 2025 21:19:26 -0500 Subject: [PATCH 010/126] almost --- .../eks-keycloak/values.yml | 1391 +++++++++++++++++ 1 file changed, 1391 insertions(+) create mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/values.yml diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/values.yml b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/values.yml new file mode 100644 index 00000000..e8b28b70 --- /dev/null +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/values.yml 
@@ -0,0 +1,1391 @@ +# Copyright Broadcom, Inc. All Rights Reserved. +# SPDX-License-Identifier: APACHE-2.0 + +## @section Global parameters +## Global Docker image parameters +## Please, note that this will override the image parameters, including dependencies, configured to use the global value +## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass +## + +## @param global.imageRegistry Global Docker image registry +## @param global.imagePullSecrets Global Docker registry secret names as an array +## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s) +## @param global.storageClass DEPRECATED: use global.defaultStorageClass instead +## +global: + imageRegistry: "" + ## E.g. + ## imagePullSecrets: + ## - myRegistryKeySecretName + ## + imagePullSecrets: [] + defaultStorageClass: "" + storageClass: "" + ## Security parameters + ## + security: + ## @param global.security.allowInsecureImages Allows skipping image verification + allowInsecureImages: false + ## Compatibility adaptations for Kubernetes platforms + ## + compatibility: + ## Compatibility adaptations for Openshift + ## + openshift: + ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. 
Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) + ## + adaptSecurityContext: auto +## @section Common parameters +## + +## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set) +## +kubeVersion: "" +## @param nameOverride String to partially override common.names.fullname +## +nameOverride: "" +## @param fullnameOverride String to fully override common.names.fullname +## +fullnameOverride: "" +## @param namespaceOverride String to fully override common.names.namespace +## +namespaceOverride: "" +## @param commonLabels Labels to add to all deployed objects +## +commonLabels: {} +## @param enableServiceLinks If set to false, disable Kubernetes service links in the pod spec +## Ref: https://kubernetes.io/docs/tutorials/services/connect-applications-service/#accessing-the-service +## +enableServiceLinks: true +## @param commonAnnotations Annotations to add to all deployed objects +## +commonAnnotations: {} +## @param dnsPolicy DNS Policy for pod +## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ +## E.g. +## dnsPolicy: ClusterFirst +dnsPolicy: "" +## @param dnsConfig DNS Configuration pod +## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ +## E.g. 
+## dnsConfig: +## options: +## - name: ndots +## value: "4" +dnsConfig: {} +## @param clusterDomain Default Kubernetes cluster domain +## +clusterDomain: cluster.local +## @param extraDeploy Array of extra objects to deploy with the release +## +extraDeploy: [] +## Enable diagnostic mode in the statefulset +## +diagnosticMode: + ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) + ## + enabled: false + ## @param diagnosticMode.command Command to override all containers in the the statefulset + ## + command: + - sleep + ## @param diagnosticMode.args Args to override all containers in the the statefulset + ## + args: + - infinity +## @section Keycloak parameters + +## Bitnami Keycloak image version +## ref: https://hub.docker.com/r/bitnami/keycloak/tags/ +## @param image.registry [default: REGISTRY_NAME] Keycloak image registry +## @param image.repository [default: REPOSITORY_NAME/keycloak] Keycloak image repository +## @skip image.tag Keycloak image tag (immutable tags are recommended) +## @param image.digest Keycloak image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag +## @param image.pullPolicy Keycloak image pull policy +## @param image.pullSecrets Specify docker-registry secret names as an array +## @param image.debug Specify if debug logs should be enabled +## +image: + registry: docker.io + repository: bitnami/keycloak + tag: 26.1.2-debian-12-r0 + digest: "" + ## Specify a imagePullPolicy + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Set to true if you would like to see extra information on logs + ## + debug: false +## Keycloak authentication parameters +## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#admin-credentials +## +auth: + ## @param auth.adminUser Keycloak administrator user + ## + adminUser: user + ## @param auth.adminPassword Keycloak administrator password for the new user + ## + adminPassword: "" + ## @param auth.existingSecret Existing secret containing Keycloak admin password + ## + existingSecret: "" + ## @param auth.passwordSecretKey Key where the Keycloak admin password is being stored inside the existing secret. + ## + passwordSecretKey: "" + ## @param auth.annotations Additional custom annotations for Keycloak auth secret object + ## + annotations: {} +## Custom Certificates +## @param customCaExistingSecret Name of the secret containing the Keycloak custom CA certificates. The secret will be mounted as a directory and configured using KC_TRUSTSTORE_PATHS. +## https://www.keycloak.org/server/keycloak-truststore +## Could be created like this: kubectl create secret generic secretName --from-file=./certificateToMerge.pem +customCaExistingSecret: "" +## HTTPS settings +## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#tls-encryption +## +tls: + ## @param tls.enabled Enable TLS encryption. Required for HTTPs traffic. + ## + enabled: false + ## @param tls.autoGenerated Generate automatically self-signed TLS certificates. 
Currently only supports PEM certificates + ## + autoGenerated: false + ## @param tls.existingSecret Existing secret containing the TLS certificates per Keycloak replica + ## Create this secret following the steps below: + ## 1) Generate your truststore and keystore files (more info at https://www.keycloak.org/docs/latest/server_installation/#_setting_up_ssl) + ## 2) Rename your truststore to `keycloak.truststore.jks` or use a different name overwriting the value 'tls.truststoreFilename'. + ## 3) Rename your keystores to `keycloak.keystore.jks` or use a different name overwriting the value 'tls.keystoreFilename'. + ## 4) Run the command below where SECRET_NAME is the name of the secret you want to create: + ## kubectl create secret generic SECRET_NAME --from-file=./keycloak.truststore.jks --from-file=./keycloak.keystore.jks + ## NOTE: If usePem enabled, make sure the PEM key and cert are named 'tls.key' and 'tls.crt' respectively. + ## + existingSecret: "" + ## @param tls.usePem Use PEM certificates as input instead of PKS12/JKS stores + ## If "true", the Keycloak chart will look for the files tls.key and tls.crt inside the secret provided with 'existingSecret'. + ## + usePem: false + ## @param tls.truststoreFilename Truststore filename inside the existing secret + ## + truststoreFilename: "keycloak.truststore.jks" + ## @param tls.keystoreFilename Keystore filename inside the existing secret + ## + keystoreFilename: "keycloak.keystore.jks" + ## @param tls.keystorePassword Password to access the keystore when it's password-protected + ## + keystorePassword: "" + ## @param tls.truststorePassword Password to access the truststore when it's password-protected + ## + truststorePassword: "" + ## @param tls.passwordsSecret Secret containing the Keystore and Truststore passwords. + ## The secret must have "tls-keystore-password" and "tls-truststore-password" keys for the keystore and truststore respectively. 
+ ## + passwordsSecret: "" +## SPI TLS settings +## ref: https://www.keycloak.org/server/keycloak-truststore +## +spi: + ## @param spi.existingSecret Existing secret containing the Keycloak truststore for SPI connection over HTTPS/TLS + ## Create this secret following the steps below: + ## 1) Rename your truststore to `keycloak-spi.truststore.jks` or use a different name overwriting the value 'spi.truststoreFilename'. + ## 2) Run the command below where SECRET_NAME is the name of the secret you want to create: + ## kubectl create secret generic SECRET_NAME --from-file=./keycloak-spi.truststore.jks --from-file=./keycloak.keystore.jks + ## + existingSecret: "" + ## @param spi.truststorePassword Password to access the truststore when it's password-protected + ## + truststorePassword: "" + ## @param spi.truststoreFilename Truststore filename inside the existing secret + ## + truststoreFilename: "keycloak-spi.truststore.jks" + ## @param spi.passwordsSecret Secret containing the SPI Truststore passwords. + ## The secret must have "spi-truststore-password" key. + ## + passwordsSecret: "" + ## @param spi.hostnameVerificationPolicy Verify the hostname of the server's certificate. Allowed values: "ANY", "WILDCARD", "STRICT". + ## + hostnameVerificationPolicy: "" +## @param adminRealm Name of the admin realm +## +adminRealm: "master" +## @param production Run Keycloak in production mode. TLS configuration is required except when using proxy=edge. +## +production: false +## @param proxyHeaders Set Keycloak proxy headers +## +proxyHeaders: "" +## @param proxy reverse Proxy mode edge, reencrypt, passthrough or none +## DEPRECATED: use proxyHeaders instead +## ref: https://www.keycloak.org/server/reverseproxy +## +proxy: "" +## @param httpRelativePath Set the path relative to '/' for serving resources. 
Useful if you are migrating from older version which were using '/auth/' +## ref: https://www.keycloak.org/migration/migrating-to-quarkus#_default_context_path_changed +## +httpRelativePath: "/" +## Keycloak Service Discovery settings +## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#cluster-configuration +## +## @param configuration Keycloak Configuration. Auto-generated based on other parameters when not specified +## Specify content for keycloak.conf +## NOTE: This will override configuring Keycloak based on environment variables (including those set by the chart) +## The keycloak.conf is auto-generated based on other parameters when this parameter is not specified +## +## Example: +## configuration: |- +## foo: bar +## baz: +## +configuration: "" +## @param existingConfigmap Name of existing ConfigMap with Keycloak configuration +## NOTE: When it's set the configuration parameter is ignored +## +existingConfigmap: "" +## @param extraStartupArgs Extra default startup args +## +extraStartupArgs: "" +## @param enableDefaultInitContainers Deploy default init containers +## Disable this parameter could be helpful for 3rd party images e.g native Keycloak image. +## +enableDefaultInitContainers: true +## @param initdbScripts Dictionary of initdb scripts +## Specify dictionary of scripts to be run at first boot +## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#initializing-a-new-instance +## Example: +## initdbScripts: +## my_init_script.sh: | +## #!/bin/bash +## echo "Do something." 
+## +initdbScripts: {} +## @param initdbScriptsConfigMap ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`) +## +initdbScriptsConfigMap: "" +## @param command Override default container command (useful when using custom images) +## +command: [] +## @param args Override default container args (useful when using custom images) +## +args: [] +## @param extraEnvVars Extra environment variables to be set on Keycloak container +## Example: +## extraEnvVars: +## - name: FOO +## value: "bar" +## +extraEnvVars: [] +## @param extraEnvVarsCM Name of existing ConfigMap containing extra env vars +## +extraEnvVarsCM: "" +## @param extraEnvVarsSecret Name of existing Secret containing extra env vars +## +extraEnvVarsSecret: "" +## @section Keycloak statefulset parameters + +## @param replicaCount Number of Keycloak replicas to deploy +## +replicaCount: 1 +## @param revisionHistoryLimitCount Number of controller revisions to keep +## +revisionHistoryLimitCount: 10 +## @param containerPorts.http Keycloak HTTP container port +## @param containerPorts.https Keycloak HTTPS container port +## @param containerPorts.metrics Keycloak metrics container port +## +containerPorts: + http: 8080 + https: 8443 + metrics: 9000 +## @param extraContainerPorts Optionally specify extra list of additional port-mappings for Keycloak container +## +extraContainerPorts: [] +## @param statefulsetAnnotations Optionally add extra annotations on the statefulset resource +statefulsetAnnotations: {} +## +## Keycloak pods' SecurityContext +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod +## @param podSecurityContext.enabled Enabled Keycloak pods' Security Context +## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy +## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface +## @param podSecurityContext.supplementalGroups Set filesystem extra groups +## @param 
podSecurityContext.fsGroup Set Keycloak pod's Security Context fsGroup +## +podSecurityContext: + enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] + fsGroup: 1001 +## Keycloak containers' Security Context +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container +## @param containerSecurityContext.enabled Enabled containers' Security Context +## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container +## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser +## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup +## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot +## @param containerSecurityContext.privileged Set container's Security Context privileged +## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem +## @param containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation +## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped +## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile +## +containerSecurityContext: + enabled: true + seLinuxOptions: {} + runAsUser: 1001 + runAsGroup: 1001 + runAsNonRoot: true + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" +## Keycloak resource requests and limits +## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ +## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). 
This is ignored if resources is set (resources is recommended for production). +## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 +## +resourcesPreset: "small" +## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) +## Example: +## resources: +## requests: +## cpu: 2 +## memory: 512Mi +## limits: +## cpu: 3 +## memory: 1024Mi +## +resources: {} +## Configure extra options for Keycloak containers' liveness, readiness and startup probes +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes +## @param livenessProbe.enabled Enable livenessProbe on Keycloak containers +## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe +## @param livenessProbe.periodSeconds Period seconds for livenessProbe +## @param livenessProbe.timeoutSeconds Timeout seconds for livenessProbe +## @param livenessProbe.failureThreshold Failure threshold for livenessProbe +## @param livenessProbe.successThreshold Success threshold for livenessProbe +## +livenessProbe: + enabled: true + initialDelaySeconds: 300 + periodSeconds: 1 + timeoutSeconds: 5 + failureThreshold: 3 + successThreshold: 1 +## @param readinessProbe.enabled Enable readinessProbe on Keycloak containers +## @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe +## @param readinessProbe.periodSeconds Period seconds for readinessProbe +## @param readinessProbe.timeoutSeconds Timeout seconds for readinessProbe +## @param readinessProbe.failureThreshold Failure threshold for readinessProbe +## @param readinessProbe.successThreshold Success threshold for readinessProbe +## +readinessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 +## When enabling this, make sure to set initialDelaySeconds 
to 0 for livenessProbe and readinessProbe +## @param startupProbe.enabled Enable startupProbe on Keycloak containers +## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe +## @param startupProbe.periodSeconds Period seconds for startupProbe +## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe +## @param startupProbe.failureThreshold Failure threshold for startupProbe +## @param startupProbe.successThreshold Success threshold for startupProbe +## +startupProbe: + enabled: false + initialDelaySeconds: 30 + periodSeconds: 5 + timeoutSeconds: 1 + failureThreshold: 60 + successThreshold: 1 +## @param customLivenessProbe Custom Liveness probes for Keycloak +## +customLivenessProbe: {} +## @param customReadinessProbe Custom Rediness probes Keycloak +## +customReadinessProbe: {} +## @param customStartupProbe Custom Startup probes for Keycloak +## +customStartupProbe: {} +## @param lifecycleHooks LifecycleHooks to set additional configuration at startup +## +lifecycleHooks: {} +## @param automountServiceAccountToken Mount Service Account token in pod +## +automountServiceAccountToken: true +## @param hostAliases Deployment pod host aliases +## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ +## +hostAliases: [] +## @param podLabels Extra labels for Keycloak pods +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ +## +podLabels: {} +## @param podAnnotations Annotations for Keycloak pods +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ +## +podAnnotations: {} +## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity +## +podAffinityPreset: "" +## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. 
Allowed values: `soft` or `hard` +## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity +## +podAntiAffinityPreset: soft +## Node affinity preset +## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity +## +nodeAffinityPreset: + ## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set. + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set. + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] +## @param affinity Affinity for pod assignment +## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity +## +affinity: {} +## @param nodeSelector Node labels for pod assignment +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ +## +nodeSelector: {} +## @param tolerations Tolerations for pod assignment +## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +## +tolerations: [] +## @param topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template +## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods +## +topologySpreadConstraints: [] +## @param podManagementPolicy Pod management policy for the Keycloak statefulset +## +podManagementPolicy: Parallel +## @param priorityClassName Keycloak pods' Priority Class Name +## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ +## +priorityClassName: "" +## @param schedulerName Use an alternate scheduler, e.g. "stork". 
+## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
+##
+schedulerName: ""
+## @param terminationGracePeriodSeconds Seconds Keycloak pod needs to terminate gracefully
+## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
+##
+terminationGracePeriodSeconds: ""
+## @param updateStrategy.type Keycloak statefulset strategy type
+## @param updateStrategy.rollingUpdate Keycloak statefulset rolling update configuration parameters
+## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
+##
+updateStrategy:
+ type: RollingUpdate
+ rollingUpdate: {}
+## @param minReadySeconds How many seconds a pod needs to be ready before killing the next, during update
+##
+minReadySeconds: 0
+## @param extraVolumes Optionally specify extra list of additional volumes for Keycloak pods
+##
+extraVolumes: []
+## @param extraVolumeMounts Optionally specify extra list of additional volumeMounts for Keycloak container(s)
+##
+extraVolumeMounts: []
+## @param initContainers Add additional init containers to the Keycloak pods
+## Example:
+## initContainers:
+## - name: your-image-name
+## image: your-image
+## imagePullPolicy: Always
+## ports:
+## - name: portname
+## containerPort: 1234
+##
+initContainers: []
+## @param sidecars Add additional sidecar containers to the Keycloak pods
+## Example:
+## sidecars:
+## - name: your-image-name
+## image: your-image
+## imagePullPolicy: Always
+## ports:
+## - name: portname
+## containerPort: 1234
+##
+sidecars: []
+## @section Exposure parameters
+##
+
+## Service configuration
+##
+service:
+ ## @param service.type Kubernetes service type
+ ##
+ type: ClusterIP
+ ## @param service.http.enabled Enable http port on service
+ ##
+ http:
+ enabled: true
+ ## @param service.ports.http Keycloak service HTTP port
+ ## @param service.ports.https Keycloak service HTTPS port
+ ##
+ ports:
+ http: 80
+ https: 443
+ ## @param service.nodePorts [object] Specify the nodePort values for the LoadBalancer and NodePort service types.
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
+ ##
+ nodePorts:
+ http: ""
+ https: ""
+ ## @param service.sessionAffinity Control where client requests go, to the same pod or round-robin
+ ## Values: ClientIP or None
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/
+ ##
+ sessionAffinity: None
+ ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity
+ ## sessionAffinityConfig:
+ ## clientIP:
+ ## timeoutSeconds: 300
+ ##
+ sessionAffinityConfig: {}
+ ## @param service.clusterIP Keycloak service clusterIP IP
+ ## e.g:
+ ## clusterIP: None
+ ##
+ clusterIP: ""
+ ## @param service.loadBalancerIP loadBalancerIP for the SuiteCRM Service (optional, cloud specific)
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
+ ##
+ loadBalancerIP: ""
+ ## @param service.loadBalancerSourceRanges Address that are allowed when service is LoadBalancer
+ ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
+ ## Example:
+ ## loadBalancerSourceRanges:
+ ## - 10.10.10.0/24
+ ##
+ loadBalancerSourceRanges: []
+ ## @param service.externalTrafficPolicy Enable client source IP preservation
+ ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
+ ##
+ externalTrafficPolicy: Cluster
+ ## @param service.annotations Additional custom annotations for Keycloak service
+ ##
+ annotations: {}
+ ## @param service.extraPorts Extra port to expose on Keycloak service
+ ##
+ extraPorts: []
+ # DEPRECATED service.extraHeadlessPorts will be removed in a future release, please use service.headless.extraPorts instead
+ ## @param service.extraHeadlessPorts Extra ports to expose on Keycloak headless service
+ ##
+ extraHeadlessPorts: []
+ ## Headless service properties
+ ##
+ headless:
+ ## @param service.headless.annotations Annotations for the headless service.
+ ##
+ annotations: {}
+ ## @param service.headless.extraPorts Extra ports to expose on Keycloak headless service
+ ##
+ extraPorts: []
+## Keycloak ingress parameters
+## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
+##
+ingress:
+ ## @param ingress.enabled Enable ingress record generation for Keycloak
+ ##
+ enabled: false
+ ## @param ingress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+)
+ ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster .
+ ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
+ ##
+ ingressClassName: ""
+ ## @param ingress.pathType Ingress path type
+ ##
+ pathType: ImplementationSpecific
+ ## @param ingress.apiVersion Force Ingress API version (automatically detected if not set)
+ ##
+ apiVersion: ""
+ ## @param ingress.controller The ingress controller type. Currently supports `default` and `gce`
+ ## leave as `default` for most ingress controllers.
+ ## set to `gce` if using the GCE ingress controller
+ ##
+ controller: default
+ ## @param ingress.hostname Default host for the ingress record (evaluated as template)
+ ##
+ hostname: keycloak.local
+ ## @param ingress.hostnameStrict Disables dynamically resolving the hostname from request headers.
+ ## Should always be set to true in production, unless your reverse proxy overwrites the Host header.
+ ## If enabled, the hostname option needs to be specified.
+ ##
+ hostnameStrict: false
+ ## @param ingress.path [string] Default path for the ingress record (evaluated as template)
+ ##
+ path: "{{ .Values.httpRelativePath }}"
+ ## @param ingress.servicePort Backend service port to use
+ ## Default is http. Alternative is https.
+ ##
+ servicePort: http
+ ## @param ingress.annotations [object] Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
+ ## Use this parameter to set the required annotations for cert-manager, see
+ ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
+ ## e.g:
+ ## annotations:
+ ## kubernetes.io/ingress.class: nginx
+ ## cert-manager.io/cluster-issuer: cluster-issuer-name
+ ##
+ annotations: {}
+ ## @param ingress.labels Additional labels for the Ingress resource.
+ ## e.g:
+ ## labels:
+ ## app: keycloak
+ ##
+ labels: {}
+ ## @param ingress.tls Enable TLS configuration for the host defined at `ingress.hostname` parameter
+ ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" (tpl .Values.ingress.hostname .) }}`
+ ## You can:
+ ## - Use the `ingress.secrets` parameter to create this TLS secret
+ ## - Rely on cert-manager to create it by setting the corresponding annotations
+ ## - Rely on Helm to create self-signed certificates by setting `ingress.selfSigned=true`
+ ##
+ tls: false
+ ## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
+ ##
+ selfSigned: false
+ ## @param ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record
+ ## e.g:
+ ## extraHosts:
+ ## - name: keycloak.local
+ ## path: /
+ ##
+ extraHosts: []
+ ## @param ingress.extraPaths Any additional arbitrary paths that may need to be added to the ingress under the main host.
+ ## For example: The ALB ingress controller requires a special rule for handling SSL redirection.
+ ## extraPaths:
+ ## - path: /*
+ ## backend:
+ ## serviceName: ssl-redirect
+ ## servicePort: use-annotation
+ ##
+ extraPaths: []
+ ## @param ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record.
+ ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
+ ## extraTls:
+ ## - hosts:
+ ## - keycloak.local
+ ## secretName: keycloak.local-tls
+ ##
+ extraTls: []
+ ## @param ingress.secrets If you're providing your own certificates, please use this to add the certificates as secrets
+ ## key and certificate should start with -----BEGIN CERTIFICATE----- or
+ ## -----BEGIN RSA PRIVATE KEY-----
+ ##
+ ## name should line up with a tlsSecret set further up
+ ## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set
+ ##
+ ## It is also possible to create and manage the certificates outside of this helm chart
+ ## Please see README.md for more information
+ ## e.g:
+ ## - name: keycloak.local-tls
+ ## key:
+ ## certificate:
+ ##
+ secrets: []
+ ## @param ingress.extraRules Additional rules to be covered with this ingress record
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
+ ## e.g:
+ ## extraRules:
+ ## - host: keycloak.local
+ ## http:
+ ## path: /
+ ## backend:
+ ## service:
+ ## name: keycloak
+ ## port:
+ ## name: http
+ ##
+ extraRules: []
+## Keycloak admin ingress parameters
+## ref: https://kubernetes.io/docs/user-guide/ingress/
+##
+adminIngress:
+ ## @param adminIngress.enabled Enable admin ingress record generation for Keycloak
+ ##
+ enabled: false
+ ## @param adminIngress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+)
+ ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster .
+ ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
+ ##
+ ingressClassName: ""
+ ## @param adminIngress.pathType Ingress path type
+ ##
+ pathType: ImplementationSpecific
+ ## @param adminIngress.apiVersion Force Ingress API version (automatically detected if not set)
+ ##
+ apiVersion: ""
+ ## @param adminIngress.controller The ingress controller type. Currently supports `default` and `gce`
+ ## leave as `default` for most ingress controllers.
+ ## set to `gce` if using the GCE ingress controller
+ ##
+ controller: default
+ ## @param adminIngress.hostname Default host for the admin ingress record (evaluated as template)
+ ##
+ hostname: keycloak.local
+ ## @param adminIngress.path [string] Default path for the admin ingress record (evaluated as template)
+ ##
+ path: "{{ .Values.httpRelativePath }}"
+ ## @param adminIngress.servicePort Backend service port to use
+ ## Default is http. Alternative is https.
+ ##
+ servicePort: http
+ ## @param adminIngress.annotations [object] Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
+ ## Use this parameter to set the required annotations for cert-manager, see
+ ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
+ ## e.g:
+ ## annotations:
+ ## kubernetes.io/ingress.class: nginx
+ ## cert-manager.io/cluster-issuer: cluster-issuer-name
+ ##
+ annotations: {}
+ ## @param adminIngress.labels Additional labels for the Ingress resource.
+ ## e.g:
+ ## labels:
+ ## app: keycloak
+ ##
+ labels: {}
+ ## @param adminIngress.tls Enable TLS configuration for the host defined at `adminIngress.hostname` parameter
+ ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" (tpl .Values.adminIngress.hostname .) }}`
+ ## You can:
+ ## - Use the `adminIngress.secrets` parameter to create this TLS secret
+ ## - Rely on cert-manager to create it by setting the corresponding annotations
+ ## - Rely on Helm to create self-signed certificates by setting `adminIngress.selfSigned=true`
+ ##
+ tls: false
+ ## @param adminIngress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
+ ##
+ selfSigned: false
+ ## @param adminIngress.extraHosts An array with additional hostname(s) to be covered with the admin ingress record
+ ## e.g:
+ ## extraHosts:
+ ## - name: keycloak.local
+ ## path: /
+ ##
+ extraHosts: []
+ ## @param adminIngress.extraPaths Any additional arbitrary paths that may need to be added to the admin ingress under the main host.
+ ## For example: The ALB ingress controller requires a special rule for handling SSL redirection.
+ ## extraPaths:
+ ## - path: /*
+ ## backend:
+ ## serviceName: ssl-redirect
+ ## servicePort: use-annotation
+ ##
+ extraPaths: []
+ ## @param adminIngress.extraTls The tls configuration for additional hostnames to be covered with this ingress record.
+ ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
+ ## extraTls:
+ ## - hosts:
+ ## - keycloak.local
+ ## secretName: keycloak.local-tls
+ ##
+ extraTls: []
+ ## @param adminIngress.secrets If you're providing your own certificates, please use this to add the certificates as secrets
+ ## key and certificate should start with -----BEGIN CERTIFICATE----- or
+ ## -----BEGIN RSA PRIVATE KEY-----
+ ##
+ ## name should line up with a tlsSecret set further up
+ ## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set
+ ##
+ ## It is also possible to create and manage the certificates outside of this helm chart
+ ## Please see README.md for more information
+ ## e.g:
+ ## - name: keycloak.local-tls
+ ## key:
+ ## certificate:
+ ##
+ secrets: []
+ ## @param adminIngress.extraRules Additional rules to be covered with this ingress record
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
+ ## e.g:
+ ## extraRules:
+ ## - host: keycloak.local
+ ## http:
+ ## path: /
+ ## backend:
+ ## service:
+ ## name: keycloak
+ ## port:
+ ## name: http
+ ##
+ extraRules: []
+## Network Policy configuration
+## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
+##
+networkPolicy:
+ ## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created
+ ##
+ enabled: true
+ ## @param networkPolicy.allowExternal Don't require server label for connections
+ ## The Policy model to apply. When set to false, only pods with the correct
+ ## server label will have network access to the ports server is listening
+ ## on. When true, server will accept connections from any source
+ ## (with the correct destination port).
+ ##
+ allowExternal: true
+ ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
+ ##
+ allowExternalEgress: true
+ ## @param networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security)
+ ##
+ kubeAPIServerPorts: [443, 6443, 8443]
+ ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
+ ## e.g:
+ ## extraIngress:
+ ## - ports:
+ ## - port: 1234
+ ## from:
+ ## - podSelector:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - podSelector:
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ extraIngress: []
+ ## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy
+ ## e.g:
+ ## extraEgress:
+ ## - ports:
+ ## - port: 1234
+ ## to:
+ ## - podSelector:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - podSelector:
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ ##
+ extraEgress: []
+ ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
+ ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
+ ##
+ ingressNSMatchLabels: {}
+ ingressNSPodMatchLabels: {}
+## @section RBAC parameter
+## Specifies whether a ServiceAccount should be created
+##
+serviceAccount:
+ ## @param serviceAccount.create Enable the creation of a ServiceAccount for Keycloak pods
+ ##
+ create: true
+ ## @param serviceAccount.name Name of the created ServiceAccount
+ ## If not set and create is true, a name is generated using the fullname template
+ ##
+ name: ""
+ ## @param serviceAccount.automountServiceAccountToken Auto-mount the service account token in the pod
+ ##
+ automountServiceAccountToken: false
+ ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount
+ ##
+ annotations: {}
+ ## @param serviceAccount.extraLabels Additional labels for the ServiceAccount
+ ##
+ extraLabels: {}
+## Specifies whether RBAC resources should be created
+##
+rbac:
+ ## @param rbac.create Whether to create and use RBAC resources or not
+ ##
+ create: false
+ ## @param rbac.rules Custom RBAC rules
+ ## Example:
+ ## rules:
+ ## - apiGroups:
+ ## - ""
+ ## resources:
+ ## - pods
+ ## verbs:
+ ## - get
+ ## - list
+ ##
+ rules: []
+## @section Other parameters
+##
+
+## Keycloak Pod Disruption Budget configuration
+## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
+##
+pdb:
+ ## @param pdb.create Enable/disable a Pod Disruption Budget creation
+ ##
+ create: true
+ ## @param pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
+ ##
+ minAvailable: ""
+ ## @param pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable
+ ##
+ maxUnavailable: ""
+## Keycloak Autoscaling configuration
+## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
+## @param autoscaling.enabled Enable autoscaling for Keycloak
+## @param autoscaling.minReplicas Minimum number of Keycloak replicas
+## @param autoscaling.maxReplicas Maximum number of Keycloak replicas
+## @param autoscaling.targetCPU Target CPU utilization percentage
+## @param autoscaling.targetMemory Target Memory utilization percentage
+##
+autoscaling:
+ enabled: false
+ minReplicas: 1
+ maxReplicas: 11
+ targetCPU: ""
+ targetMemory: ""
+ ## HPA Scaling Behavior
+ ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior
+ ##
+ behavior:
+ ## HPA behavior when scaling up
+ ## @param autoscaling.behavior.scaleUp.stabilizationWindowSeconds The number of seconds for which past recommendations should be considered while scaling up
+ ## @param autoscaling.behavior.scaleUp.selectPolicy The priority of policies that the autoscaler will apply when scaling up
+ ## @param autoscaling.behavior.scaleUp.policies [array] HPA scaling policies when scaling up
+ ## e.g:
+ ## Policy to scale 20% of the pod in 60s
+ ## - type: Percent
+ ## value: 20
+ ## periodSeconds: 60
+ ##
+ scaleUp:
+ stabilizationWindowSeconds: 120
+ selectPolicy: Max
+ policies: []
+ ## HPA behavior when scaling down
+ ## @param autoscaling.behavior.scaleDown.stabilizationWindowSeconds The number of seconds for which past recommendations should be considered while scaling down
+ ## @param autoscaling.behavior.scaleDown.selectPolicy The priority of policies that the autoscaler will apply when scaling down
+ ## @param autoscaling.behavior.scaleDown.policies [array] HPA scaling policies when scaling down
+ ## e.g:
+ ## Policy to scale one pod in 300s
+ ## - type: Pods
+ ## value: 1
+ ## periodSeconds: 300
+ ##
+ scaleDown:
+ stabilizationWindowSeconds: 300
+ selectPolicy: Max
+ policies:
+ - type: Pods
+ value: 1
+ periodSeconds: 300
+## @section Metrics parameters
+##
+
+## Metrics configuration
+##
+metrics:
+ ## @param metrics.enabled Enable exposing Keycloak statistics
+ ## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#enabling-statistics
+ ##
+ enabled: false
+ ## Keycloak metrics service parameters
+ ##
+ service:
+ ports:
+ ## @param metrics.service.ports.http Metrics service HTTP port
+ ##
+ http: 8080
+ ## @param metrics.service.ports.https Metrics service HTTPS port
+ ##
+ https: 8443
+ ## @param metrics.service.ports.metrics Metrics service Metrics port
+ ##
+ metrics: 9000
+ ## @param metrics.service.annotations [object] Annotations for enabling prometheus to access the metrics endpoints
+ ##
+ annotations:
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "{{ .Values.metrics.service.ports.metrics }}"
+ ## @param metrics.service.extraPorts [array] Add additional ports to the keycloak metrics service (i.e. admin port 9000)
+ ##
+ extraPorts: []
+ ## Prometheus Operator ServiceMonitor configuration
+ ##
+ serviceMonitor:
+ ## @param metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using PrometheusOperator
+ ##
+ enabled: false
+ ## @param metrics.serviceMonitor.port Metrics service HTTP port
+ ##
+ port: metrics
+ ## @param metrics.serviceMonitor.scheme Metrics service scheme
+ ##
+ scheme: http
+ ## @param metrics.serviceMonitor.tlsConfig Metrics service TLS configuration
+ ##
+ tlsConfig: {}
+ ## @param metrics.serviceMonitor.endpoints [array] The endpoint configuration of the ServiceMonitor. Path is mandatory. Port, scheme, tlsConfig, interval, timeout and labellings can be overwritten.
+ ##
+ endpoints:
+ - path: '{{ include "keycloak.httpPath" . }}metrics'
+ - path: '{{ include "keycloak.httpPath" . }}realms/{{ .Values.adminRealm }}/metrics'
+ port: http
+ ## @param metrics.serviceMonitor.path Metrics service HTTP path. Deprecated: Use @param metrics.serviceMonitor.endpoints instead
+ ##
+ path: ""
+ ## @param metrics.serviceMonitor.namespace Namespace which Prometheus is running in
+ ##
+ namespace: ""
+ ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped
+ ##
+ interval: 30s
+ ## @param metrics.serviceMonitor.scrapeTimeout Specify the timeout after which the scrape is ended
+ ## e.g:
+ ## scrapeTimeout: 30s
+ ##
+ scrapeTimeout: ""
+ ## @param metrics.serviceMonitor.labels Additional labels that can be used so ServiceMonitor will be discovered by Prometheus
+ ##
+ labels: {}
+ ## @param metrics.serviceMonitor.selector Prometheus instance selector labels
+ ## ref: https://github.com/bitnami/charts/tree/main/bitnami/prometheus-operator#prometheus-configuration
+ ##
+ selector: {}
+ ## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping
+ ##
+ relabelings: []
+ ## @param metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion
+ ##
+ metricRelabelings: []
+ ## @param metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels
+ ##
+ honorLabels: false
+ ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus.
+ ##
+ jobLabel: ""
+ ## Prometheus Operator alert rules configuration
+ ##
+ prometheusRule:
+ ## @param metrics.prometheusRule.enabled Create PrometheusRule Resource for scraping metrics using PrometheusOperator
+ ##
+ enabled: false
+ ## @param metrics.prometheusRule.namespace Namespace which Prometheus is running in
+ ##
+ namespace: ""
+ ## @param metrics.prometheusRule.labels Additional labels that can be used so PrometheusRule will be discovered by Prometheus
+ ##
+ labels: {}
+ ## @param metrics.prometheusRule.groups Groups, containing the alert rules.
+ ## Example:
+ ## groups:
+ ## - name: Keycloak
+ ## rules:
+ ## - alert: KeycloakInstanceNotAvailable
+ ## annotations:
+ ## message: "Keycloak instance in namespace {{ `{{` }} $labels.namespace {{ `}}` }} has not been available for the last 5 minutes."
+ ## expr: |
+ ## absent(kube_pod_status_ready{namespace="{{ include "common.names.namespace" . }}", condition="true"} * on (pod) kube_pod_labels{pod=~"{{ include "common.names.fullname" . }}-\\d+", namespace="{{ include "common.names.namespace" . }}"}) != 0
+ ## for: 5m
+ ## labels:
+ ## severity: critical
+ groups: []
+## @section keycloak-config-cli parameters
+
+## Configuration for keycloak-config-cli
+## ref: https://github.com/adorsys/keycloak-config-cli
+##
+keycloakConfigCli:
+ ## @param keycloakConfigCli.enabled Whether to enable keycloak-config-cli job
+ ##
+ enabled: false
+ ## Bitnami keycloak-config-cli image
+ ## ref: https://hub.docker.com/r/bitnami/keycloak-config-cli/tags/
+ ## @param keycloakConfigCli.image.registry [default: REGISTRY_NAME] keycloak-config-cli container image registry
+ ## @param keycloakConfigCli.image.repository [default: REPOSITORY_NAME/keycloak-config-cli] keycloak-config-cli container image repository
+ ## @skip keycloakConfigCli.image.tag keycloak-config-cli container image tag
+ ## @param keycloakConfigCli.image.digest keycloak-config-cli container image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
+ ## @param keycloakConfigCli.image.pullPolicy keycloak-config-cli container image pull policy
+ ## @param keycloakConfigCli.image.pullSecrets keycloak-config-cli container image pull secrets
+ ##
+ image:
+ registry: docker.io
+ repository: bitnami/keycloak-config-cli
+ tag: 6.3.0-debian-12-r1
+ digest: ""
+ ## Specify a imagePullPolicy
+ ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
+ ##
+ pullPolicy: IfNotPresent
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ## e.g:
+ ## pullSecrets:
+ ## - myRegistryKeySecretName
+ ##
+ pullSecrets: []
+ ## @param keycloakConfigCli.annotations [object] Annotations for keycloak-config-cli job
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+ ##
+ annotations:
+ helm.sh/hook: "post-install,post-upgrade,post-rollback"
+ helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
+ helm.sh/hook-weight: "5"
+ ## @param keycloakConfigCli.command Command for running the container (set to default if not set). Use array form
+ ##
+ command: []
+ ## @param keycloakConfigCli.args Args for running the container (set to default if not set). Use array form
+ ##
+ args: []
+ ## @param keycloakConfigCli.automountServiceAccountToken Mount Service Account token in pod
+ ##
+ automountServiceAccountToken: true
+ ## @param keycloakConfigCli.hostAliases Job pod host aliases
+ ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
+ ##
+ hostAliases: []
+ ## Keycloak config CLI resource requests and limits
+ ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
+ ## @param keycloakConfigCli.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if keycloakConfigCli.resources is set (keycloakConfigCli.resources is recommended for production).
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
+ ##
+ resourcesPreset: "small"
+ ## @param keycloakConfigCli.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
+ ## Example:
+ ## resources:
+ ## requests:
+ ## cpu: 2
+ ## memory: 512Mi
+ ## limits:
+ ## cpu: 3
+ ## memory: 1024Mi
+ ##
+ resources: {}
+ ## keycloak-config-cli containers' Security Context
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+ ## @param keycloakConfigCli.containerSecurityContext.enabled Enabled keycloak-config-cli Security Context
+ ## @param keycloakConfigCli.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
+ ## @param keycloakConfigCli.containerSecurityContext.runAsUser Set keycloak-config-cli Security Context runAsUser
+ ## @param keycloakConfigCli.containerSecurityContext.runAsGroup Set keycloak-config-cli Security Context runAsGroup
+ ## @param keycloakConfigCli.containerSecurityContext.runAsNonRoot Set keycloak-config-cli Security Context runAsNonRoot
+ ## @param keycloakConfigCli.containerSecurityContext.privileged Set keycloak-config-cli Security Context privileged
+ ## @param keycloakConfigCli.containerSecurityContext.readOnlyRootFilesystem Set keycloak-config-cli Security Context readOnlyRootFilesystem
+ ## @param keycloakConfigCli.containerSecurityContext.allowPrivilegeEscalation Set keycloak-config-cli Security Context allowPrivilegeEscalation
+ ## @param keycloakConfigCli.containerSecurityContext.capabilities.drop List of capabilities to be dropped
+ ## @param keycloakConfigCli.containerSecurityContext.seccompProfile.type Set keycloak-config-cli Security Context seccomp profile
+ ##
+ containerSecurityContext:
+ enabled: true
+ seLinuxOptions: {}
+ runAsUser: 1001
+ runAsGroup: 1001
+ runAsNonRoot: true
+ privileged: false
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ seccompProfile:
+ type: "RuntimeDefault"
+ ## keycloak-config-cli pods' Security Context
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+ ## @param keycloakConfigCli.podSecurityContext.enabled Enabled keycloak-config-cli pods' Security Context
+ ## @param keycloakConfigCli.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
+ ## @param keycloakConfigCli.podSecurityContext.sysctls Set kernel settings using the sysctl interface
+ ## @param keycloakConfigCli.podSecurityContext.supplementalGroups Set filesystem extra groups
+ ## @param keycloakConfigCli.podSecurityContext.fsGroup Set keycloak-config-cli pod's Security Context fsGroup
+ ##
+ podSecurityContext:
+ enabled: true
+ fsGroupChangePolicy: Always
+ sysctls: []
+ supplementalGroups: []
+ fsGroup: 1001
+ ## @param keycloakConfigCli.backoffLimit Number of retries before considering a Job as failed
+ ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy
+ ##
+ backoffLimit: 1
+ ## @param keycloakConfigCli.podLabels Pod extra labels
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+ ##
+ podLabels: {}
+ ## @param keycloakConfigCli.podAnnotations Annotations for job pod
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+ ##
+ podAnnotations: {}
+ ## @param keycloakConfigCli.nodeSelector Node labels for pod assignment
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
+ ##
+ nodeSelector: {}
+ ##
+ ## @param keycloakConfigCli.podTolerations Tolerations for job pod assignment
+ ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+ ##
+ podTolerations: []
+ ## @param keycloakConfigCli.extraEnvVars Additional environment variables to set
+ ## Example:
+ ## extraEnvVars:
+ ## - name: FOO
+ ## value: "bar"
+ ##
+ extraEnvVars: []
+ ## @param keycloakConfigCli.extraEnvVarsCM ConfigMap with extra environment variables
+ ##
+ extraEnvVarsCM: ""
+ ## @param keycloakConfigCli.extraEnvVarsSecret Secret with extra environment variables
+ ##
+ extraEnvVarsSecret: ""
+ ## @param keycloakConfigCli.extraVolumes Extra volumes to add to the job
+ ##
+ extraVolumes: []
+ ## @param keycloakConfigCli.extraVolumeMounts Extra volume mounts to add to the container
+ ##
+ extraVolumeMounts: []
+ ## @param keycloakConfigCli.initContainers Add additional init containers to the Keycloak config cli pod
+ ## Example:
+ ## initContainers:
+ ## - name: your-image-name
+ ## image: your-image
+ ## imagePullPolicy: Always
+ ## ports:
+ ## - name: portname
+ ## containerPort: 1234
+ ##
+ initContainers: []
+ ## @param keycloakConfigCli.sidecars Add additional sidecar containers to the Keycloak config cli pod
+ ## Example:
+ ## sidecars:
+ ## - name: your-image-name
+ ## image: your-image
+ ## imagePullPolicy: Always
+ ## ports:
+ ## - name: portname
+ ## containerPort: 1234
+ ##
+ sidecars: []
+ ## @param keycloakConfigCli.configuration keycloak-config-cli realms configuration
+ ## NOTE: nil keys will be considered files to import locally
+ ## Example:
+ ## configuration:
+ ## realm1.json: |
+ ## {
+ ## "realm": "realm1",
+ ## "clients": []
+ ## }
+ ## realm2.yaml: |
+ ## realm: realm2
+ ## clients: []
+ ##
+ configuration: {}
+ ## @param keycloakConfigCli.existingConfigmap ConfigMap with keycloak-config-cli configuration
+ ## NOTE: This will override keycloakConfigCli.configuration
+ ##
+ existingConfigmap: ""
+ ## Automatic Cleanup for Finished Jobs
+ ## @param keycloakConfigCli.cleanupAfterFinished.enabled Enables Cleanup for Finished Jobs
+ ## @param keycloakConfigCli.cleanupAfterFinished.seconds Sets the value of ttlSecondsAfterFinished
+ ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/
+ ##
+ cleanupAfterFinished:
+ enabled: false
+ seconds: 600
+## @section Database parameters
+
+## PostgreSQL chart configuration
+## ref: https://github.com/bitnami/charts/blob/main/bitnami/postgresql/values.yaml
+## @param postgresql.enabled Switch to enable or disable the PostgreSQL helm chart
+## @param postgresql.auth.postgresPassword Password for the "postgres" admin user. Ignored if `auth.existingSecret` with key `postgres-password` is provided
+## @param postgresql.auth.username Name for a custom user to create
+## @param postgresql.auth.password Password for the custom user to create
+## @param postgresql.auth.database Name for a custom database to create
+## @param postgresql.auth.existingSecret Name of existing secret to use for PostgreSQL credentials
+## @param postgresql.auth.secretKeys.userPasswordKey Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set.
+## @param postgresql.architecture PostgreSQL architecture (`standalone` or `replication`)
+##
+postgresql:
+ enabled: true
+ auth:
+ postgresPassword: ""
+ username: bn_keycloak
+ password: ""
+ database: bitnami_keycloak
+ existingSecret: ""
+ secretKeys:
+ userPasswordKey: password
+ architecture: standalone
+## External PostgreSQL configuration
+## All of these values are only used when postgresql.enabled is set to false
+## @param externalDatabase.host Database host
+## @param externalDatabase.port Database port number
+## @param externalDatabase.user Non-root username for Keycloak
+## @param externalDatabase.password Password for the non-root username for Keycloak
+## @param externalDatabase.database Keycloak database name
+## @param externalDatabase.existingSecret Name of an existing secret resource containing the database credentials
+## @param externalDatabase.existingSecretHostKey Name of an existing secret key containing the database host name
+## @param externalDatabase.existingSecretPortKey Name of an existing secret key containing the database port
+## @param externalDatabase.existingSecretUserKey Name of an existing secret key containing the database user
+## @param externalDatabase.existingSecretDatabaseKey Name of an existing secret key containing the database name
+## @param externalDatabase.existingSecretPasswordKey Name of an existing secret key containing the database credentials
+## @param externalDatabase.annotations Additional custom annotations for external database secret object
+##
+externalDatabase:
+ host: ""
+ port: 5432
+ user: bn_keycloak
+ database: bitnami_keycloak
+ password: ""
+ existingSecret: ""
+ existingSecretHostKey: ""
+ existingSecretPortKey: ""
+ existingSecretUserKey: ""
+ existingSecretDatabaseKey: ""
+ existingSecretPasswordKey: ""
+ annotations: {}
+## @section Keycloak Cache parameters
+
+## Keycloak cache configuration
+## ref: https://www.keycloak.org/server/caching
+## @param cache.enabled Switch to enable or disable the keycloak distributed cache for kubernetes.
+## NOTE: Set to false to use 'local' cache (only supported when replicaCount=1).
+## @param cache.stackName Set infinispan cache stack to use
+## @param cache.stackFile Set infinispan cache stack filename to use
+## @param cache.useHeadlessServiceWithAppVersion Set to true to create the headless service used for ispn containing the app version
+##
+cache:
+ enabled: true
+ stackName: kubernetes
+ stackFile: ""
+ useHeadlessServiceWithAppVersion: false
+## @section Keycloak Logging parameters
+
+## Keycloak logging configuration
+## ref: https://www.keycloak.org/server/logging
+## @param logging.output Alternates between the default log output format or json format
+## @param logging.level Allowed values as documented: FATAL, ERROR, WARN, INFO, DEBUG, TRACE, ALL, OFF
+##
+logging:
+ output: default
+ level: INFO
+
From 7259ae0c9162aa55bb2f8e3d5747cd94ea710449 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Wed, 26 Feb 2025 22:19:41 -0500
Subject: [PATCH 011/126] no v
---
 lab/_envcommon/default-versions.hcl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl
index a18d6ba7..4cbf0ba0 100644
--- a/lab/_envcommon/default-versions.hcl
+++ b/lab/_envcommon/default-versions.hcl
@@ -112,7 +112,7 @@ locals {
 ################
 # keycloak
 ################
- keycloak_app_version = "v26.1.2"
+ keycloak_app_version = "26.1.2"
 keycloak_chart_version = "24.4.10"
 keycloak_hostname = "keycloak"
 keycloak_namespace = "keycloak"
From 94b86f849962607104da6015e4afafacf6f0fcd9 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Thu, 27 Feb 2025 13:15:43 -0500
Subject: [PATCH 012/126] cleanup
---
 lab/_envcommon/default-versions.hcl | 5 +-
 .../eks-keycloak/values.yml | 1391 -----------------
 2 files changed, 4 insertions(+), 1392 deletions(-)
 delete mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/values.yml
diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl
index 4cbf0ba0..a8ed9ce9 100644
--- a/lab/_envcommon/default-versions.hcl
+++ b/lab/_envcommon/default-versions.hcl
@@ -112,10 +112,13 @@ locals {
 ################
 # keycloak
 ################
- keycloak_app_version = "26.1.2"
+ keycloak_tag = "26.1.2"
 keycloak_chart_version = "24.4.10"
 keycloak_hostname = "keycloak"
 keycloak_namespace = "keycloak"
+ postgresql_tag = "17.4.0"
+ postgres_exporter_tag = "0.17.1"
+ os_shell_tag = "12"
 ################
 # Kiali
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/values.yml b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/values.yml
deleted file mode 100644
index e8b28b70..00000000
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/values.yml
+++ /dev/null
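Review bot: In the PATCH 012 hunk on `lab/_envcommon/default-versions.hcl`, `os_shell_tag = "12"` names only a major version and `keycloak_tag = "26.1.2"` omits the revision suffix that the deleted values.yml carried (`tag: 26.1.2-debian-12-r0`), so if these locals end up as image tags the images behind them can change without any commit in this repository. That same values file notes that immutable tags are recommended; for the identity provider and its database I would pin the full revision, e.g. `keycloak_tag = "26.1.2-debian-12-r0"`, or pass a digest through the chart's `image.digest`, and add a comment such as `# image tags: pin an immutable revision or digest, not a rolling tag`. The rename from `keycloak_app_version` also leaves any remaining reader of the old name unresolved; the consumers are not visible here, so that needs a repository-wide check. The `locals` block starts and ends outside this hunk.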
@@ -1,1391 +0,0 @@ -# Copyright Broadcom, Inc. All Rights Reserved. -# SPDX-License-Identifier: APACHE-2.0 - -## @section Global parameters -## Global Docker image parameters -## Please, note that this will override the image parameters, including dependencies, configured to use the global value -## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass -## - -## @param global.imageRegistry Global Docker image registry -## @param global.imagePullSecrets Global Docker registry secret names as an array -## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s) -## @param global.storageClass DEPRECATED: use global.defaultStorageClass instead -## -global: - imageRegistry: "" - ## E.g. - ## imagePullSecrets: - ## - myRegistryKeySecretName - ## - imagePullSecrets: [] - defaultStorageClass: "" - storageClass: "" - ## Security parameters - ## - security: - ## @param global.security.allowInsecureImages Allows skipping image verification - allowInsecureImages: false - ## Compatibility adaptations for Kubernetes platforms - ## - compatibility: - ## Compatibility adaptations for Openshift - ## - openshift: - ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. 
Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) - ## - adaptSecurityContext: auto -## @section Common parameters -## - -## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set) -## -kubeVersion: "" -## @param nameOverride String to partially override common.names.fullname -## -nameOverride: "" -## @param fullnameOverride String to fully override common.names.fullname -## -fullnameOverride: "" -## @param namespaceOverride String to fully override common.names.namespace -## -namespaceOverride: "" -## @param commonLabels Labels to add to all deployed objects -## -commonLabels: {} -## @param enableServiceLinks If set to false, disable Kubernetes service links in the pod spec -## Ref: https://kubernetes.io/docs/tutorials/services/connect-applications-service/#accessing-the-service -## -enableServiceLinks: true -## @param commonAnnotations Annotations to add to all deployed objects -## -commonAnnotations: {} -## @param dnsPolicy DNS Policy for pod -## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ -## E.g. -## dnsPolicy: ClusterFirst -dnsPolicy: "" -## @param dnsConfig DNS Configuration pod -## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ -## E.g. 
-## dnsConfig: -## options: -## - name: ndots -## value: "4" -dnsConfig: {} -## @param clusterDomain Default Kubernetes cluster domain -## -clusterDomain: cluster.local -## @param extraDeploy Array of extra objects to deploy with the release -## -extraDeploy: [] -## Enable diagnostic mode in the statefulset -## -diagnosticMode: - ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) - ## - enabled: false - ## @param diagnosticMode.command Command to override all containers in the the statefulset - ## - command: - - sleep - ## @param diagnosticMode.args Args to override all containers in the the statefulset - ## - args: - - infinity -## @section Keycloak parameters - -## Bitnami Keycloak image version -## ref: https://hub.docker.com/r/bitnami/keycloak/tags/ -## @param image.registry [default: REGISTRY_NAME] Keycloak image registry -## @param image.repository [default: REPOSITORY_NAME/keycloak] Keycloak image repository -## @skip image.tag Keycloak image tag (immutable tags are recommended) -## @param image.digest Keycloak image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag -## @param image.pullPolicy Keycloak image pull policy -## @param image.pullSecrets Specify docker-registry secret names as an array -## @param image.debug Specify if debug logs should be enabled -## -image: - registry: docker.io - repository: bitnami/keycloak - tag: 26.1.2-debian-12-r0 - digest: "" - ## Specify a imagePullPolicy - ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images - ## - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. 
- ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## Example: - ## pullSecrets: - ## - myRegistryKeySecretName - ## - pullSecrets: [] - ## Set to true if you would like to see extra information on logs - ## - debug: false -## Keycloak authentication parameters -## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#admin-credentials -## -auth: - ## @param auth.adminUser Keycloak administrator user - ## - adminUser: user - ## @param auth.adminPassword Keycloak administrator password for the new user - ## - adminPassword: "" - ## @param auth.existingSecret Existing secret containing Keycloak admin password - ## - existingSecret: "" - ## @param auth.passwordSecretKey Key where the Keycloak admin password is being stored inside the existing secret. - ## - passwordSecretKey: "" - ## @param auth.annotations Additional custom annotations for Keycloak auth secret object - ## - annotations: {} -## Custom Certificates -## @param customCaExistingSecret Name of the secret containing the Keycloak custom CA certificates. The secret will be mounted as a directory and configured using KC_TRUSTSTORE_PATHS. -## https://www.keycloak.org/server/keycloak-truststore -## Could be created like this: kubectl create secret generic secretName --from-file=./certificateToMerge.pem -customCaExistingSecret: "" -## HTTPS settings -## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#tls-encryption -## -tls: - ## @param tls.enabled Enable TLS encryption. Required for HTTPs traffic. - ## - enabled: false - ## @param tls.autoGenerated Generate automatically self-signed TLS certificates. 
Currently only supports PEM certificates - ## - autoGenerated: false - ## @param tls.existingSecret Existing secret containing the TLS certificates per Keycloak replica - ## Create this secret following the steps below: - ## 1) Generate your truststore and keystore files (more info at https://www.keycloak.org/docs/latest/server_installation/#_setting_up_ssl) - ## 2) Rename your truststore to `keycloak.truststore.jks` or use a different name overwriting the value 'tls.truststoreFilename'. - ## 3) Rename your keystores to `keycloak.keystore.jks` or use a different name overwriting the value 'tls.keystoreFilename'. - ## 4) Run the command below where SECRET_NAME is the name of the secret you want to create: - ## kubectl create secret generic SECRET_NAME --from-file=./keycloak.truststore.jks --from-file=./keycloak.keystore.jks - ## NOTE: If usePem enabled, make sure the PEM key and cert are named 'tls.key' and 'tls.crt' respectively. - ## - existingSecret: "" - ## @param tls.usePem Use PEM certificates as input instead of PKS12/JKS stores - ## If "true", the Keycloak chart will look for the files tls.key and tls.crt inside the secret provided with 'existingSecret'. - ## - usePem: false - ## @param tls.truststoreFilename Truststore filename inside the existing secret - ## - truststoreFilename: "keycloak.truststore.jks" - ## @param tls.keystoreFilename Keystore filename inside the existing secret - ## - keystoreFilename: "keycloak.keystore.jks" - ## @param tls.keystorePassword Password to access the keystore when it's password-protected - ## - keystorePassword: "" - ## @param tls.truststorePassword Password to access the truststore when it's password-protected - ## - truststorePassword: "" - ## @param tls.passwordsSecret Secret containing the Keystore and Truststore passwords. - ## The secret must have "tls-keystore-password" and "tls-truststore-password" keys for the keystore and truststore respectively. 
- ## - passwordsSecret: "" -## SPI TLS settings -## ref: https://www.keycloak.org/server/keycloak-truststore -## -spi: - ## @param spi.existingSecret Existing secret containing the Keycloak truststore for SPI connection over HTTPS/TLS - ## Create this secret following the steps below: - ## 1) Rename your truststore to `keycloak-spi.truststore.jks` or use a different name overwriting the value 'spi.truststoreFilename'. - ## 2) Run the command below where SECRET_NAME is the name of the secret you want to create: - ## kubectl create secret generic SECRET_NAME --from-file=./keycloak-spi.truststore.jks --from-file=./keycloak.keystore.jks - ## - existingSecret: "" - ## @param spi.truststorePassword Password to access the truststore when it's password-protected - ## - truststorePassword: "" - ## @param spi.truststoreFilename Truststore filename inside the existing secret - ## - truststoreFilename: "keycloak-spi.truststore.jks" - ## @param spi.passwordsSecret Secret containing the SPI Truststore passwords. - ## The secret must have "spi-truststore-password" key. - ## - passwordsSecret: "" - ## @param spi.hostnameVerificationPolicy Verify the hostname of the server's certificate. Allowed values: "ANY", "WILDCARD", "STRICT". - ## - hostnameVerificationPolicy: "" -## @param adminRealm Name of the admin realm -## -adminRealm: "master" -## @param production Run Keycloak in production mode. TLS configuration is required except when using proxy=edge. -## -production: false -## @param proxyHeaders Set Keycloak proxy headers -## -proxyHeaders: "" -## @param proxy reverse Proxy mode edge, reencrypt, passthrough or none -## DEPRECATED: use proxyHeaders instead -## ref: https://www.keycloak.org/server/reverseproxy -## -proxy: "" -## @param httpRelativePath Set the path relative to '/' for serving resources. 
Useful if you are migrating from older version which were using '/auth/' -## ref: https://www.keycloak.org/migration/migrating-to-quarkus#_default_context_path_changed -## -httpRelativePath: "/" -## Keycloak Service Discovery settings -## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#cluster-configuration -## -## @param configuration Keycloak Configuration. Auto-generated based on other parameters when not specified -## Specify content for keycloak.conf -## NOTE: This will override configuring Keycloak based on environment variables (including those set by the chart) -## The keycloak.conf is auto-generated based on other parameters when this parameter is not specified -## -## Example: -## configuration: |- -## foo: bar -## baz: -## -configuration: "" -## @param existingConfigmap Name of existing ConfigMap with Keycloak configuration -## NOTE: When it's set the configuration parameter is ignored -## -existingConfigmap: "" -## @param extraStartupArgs Extra default startup args -## -extraStartupArgs: "" -## @param enableDefaultInitContainers Deploy default init containers -## Disable this parameter could be helpful for 3rd party images e.g native Keycloak image. -## -enableDefaultInitContainers: true -## @param initdbScripts Dictionary of initdb scripts -## Specify dictionary of scripts to be run at first boot -## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#initializing-a-new-instance -## Example: -## initdbScripts: -## my_init_script.sh: | -## #!/bin/bash -## echo "Do something." 
-## -initdbScripts: {} -## @param initdbScriptsConfigMap ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`) -## -initdbScriptsConfigMap: "" -## @param command Override default container command (useful when using custom images) -## -command: [] -## @param args Override default container args (useful when using custom images) -## -args: [] -## @param extraEnvVars Extra environment variables to be set on Keycloak container -## Example: -## extraEnvVars: -## - name: FOO -## value: "bar" -## -extraEnvVars: [] -## @param extraEnvVarsCM Name of existing ConfigMap containing extra env vars -## -extraEnvVarsCM: "" -## @param extraEnvVarsSecret Name of existing Secret containing extra env vars -## -extraEnvVarsSecret: "" -## @section Keycloak statefulset parameters - -## @param replicaCount Number of Keycloak replicas to deploy -## -replicaCount: 1 -## @param revisionHistoryLimitCount Number of controller revisions to keep -## -revisionHistoryLimitCount: 10 -## @param containerPorts.http Keycloak HTTP container port -## @param containerPorts.https Keycloak HTTPS container port -## @param containerPorts.metrics Keycloak metrics container port -## -containerPorts: - http: 8080 - https: 8443 - metrics: 9000 -## @param extraContainerPorts Optionally specify extra list of additional port-mappings for Keycloak container -## -extraContainerPorts: [] -## @param statefulsetAnnotations Optionally add extra annotations on the statefulset resource -statefulsetAnnotations: {} -## -## Keycloak pods' SecurityContext -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod -## @param podSecurityContext.enabled Enabled Keycloak pods' Security Context -## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy -## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface -## @param podSecurityContext.supplementalGroups Set filesystem extra groups -## @param 
podSecurityContext.fsGroup Set Keycloak pod's Security Context fsGroup -## -podSecurityContext: - enabled: true - fsGroupChangePolicy: Always - sysctls: [] - supplementalGroups: [] - fsGroup: 1001 -## Keycloak containers' Security Context -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container -## @param containerSecurityContext.enabled Enabled containers' Security Context -## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container -## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser -## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup -## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot -## @param containerSecurityContext.privileged Set container's Security Context privileged -## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem -## @param containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation -## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped -## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile -## -containerSecurityContext: - enabled: true - seLinuxOptions: {} - runAsUser: 1001 - runAsGroup: 1001 - runAsNonRoot: true - privileged: false - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - capabilities: - drop: ["ALL"] - seccompProfile: - type: "RuntimeDefault" -## Keycloak resource requests and limits -## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ -## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). 
This is ignored if resources is set (resources is recommended for production). -## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 -## -resourcesPreset: "small" -## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) -## Example: -## resources: -## requests: -## cpu: 2 -## memory: 512Mi -## limits: -## cpu: 3 -## memory: 1024Mi -## -resources: {} -## Configure extra options for Keycloak containers' liveness, readiness and startup probes -## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes -## @param livenessProbe.enabled Enable livenessProbe on Keycloak containers -## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe -## @param livenessProbe.periodSeconds Period seconds for livenessProbe -## @param livenessProbe.timeoutSeconds Timeout seconds for livenessProbe -## @param livenessProbe.failureThreshold Failure threshold for livenessProbe -## @param livenessProbe.successThreshold Success threshold for livenessProbe -## -livenessProbe: - enabled: true - initialDelaySeconds: 300 - periodSeconds: 1 - timeoutSeconds: 5 - failureThreshold: 3 - successThreshold: 1 -## @param readinessProbe.enabled Enable readinessProbe on Keycloak containers -## @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe -## @param readinessProbe.periodSeconds Period seconds for readinessProbe -## @param readinessProbe.timeoutSeconds Timeout seconds for readinessProbe -## @param readinessProbe.failureThreshold Failure threshold for readinessProbe -## @param readinessProbe.successThreshold Success threshold for readinessProbe -## -readinessProbe: - enabled: true - initialDelaySeconds: 30 - periodSeconds: 10 - timeoutSeconds: 1 - failureThreshold: 3 - successThreshold: 1 -## When enabling this, make sure to set initialDelaySeconds 
to 0 for livenessProbe and readinessProbe -## @param startupProbe.enabled Enable startupProbe on Keycloak containers -## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe -## @param startupProbe.periodSeconds Period seconds for startupProbe -## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe -## @param startupProbe.failureThreshold Failure threshold for startupProbe -## @param startupProbe.successThreshold Success threshold for startupProbe -## -startupProbe: - enabled: false - initialDelaySeconds: 30 - periodSeconds: 5 - timeoutSeconds: 1 - failureThreshold: 60 - successThreshold: 1 -## @param customLivenessProbe Custom Liveness probes for Keycloak -## -customLivenessProbe: {} -## @param customReadinessProbe Custom Rediness probes Keycloak -## -customReadinessProbe: {} -## @param customStartupProbe Custom Startup probes for Keycloak -## -customStartupProbe: {} -## @param lifecycleHooks LifecycleHooks to set additional configuration at startup -## -lifecycleHooks: {} -## @param automountServiceAccountToken Mount Service Account token in pod -## -automountServiceAccountToken: true -## @param hostAliases Deployment pod host aliases -## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ -## -hostAliases: [] -## @param podLabels Extra labels for Keycloak pods -## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ -## -podLabels: {} -## @param podAnnotations Annotations for Keycloak pods -## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ -## -podAnnotations: {} -## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` -## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity -## -podAffinityPreset: "" -## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. 
Allowed values: `soft` or `hard` -## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity -## -podAntiAffinityPreset: soft -## Node affinity preset -## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity -## -nodeAffinityPreset: - ## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` - ## - type: "" - ## @param nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set. - ## E.g. - ## key: "kubernetes.io/e2e-az-name" - ## - key: "" - ## @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set. - ## E.g. - ## values: - ## - e2e-az1 - ## - e2e-az2 - ## - values: [] -## @param affinity Affinity for pod assignment -## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity -## -affinity: {} -## @param nodeSelector Node labels for pod assignment -## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ -## -nodeSelector: {} -## @param tolerations Tolerations for pod assignment -## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ -## -tolerations: [] -## @param topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template -## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods -## -topologySpreadConstraints: [] -## @param podManagementPolicy Pod management policy for the Keycloak statefulset -## -podManagementPolicy: Parallel -## @param priorityClassName Keycloak pods' Priority Class Name -## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ -## -priorityClassName: "" -## @param schedulerName Use an alternate scheduler, e.g. "stork". 
-## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ -## -schedulerName: "" -## @param terminationGracePeriodSeconds Seconds Keycloak pod needs to terminate gracefully -## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods -## -terminationGracePeriodSeconds: "" -## @param updateStrategy.type Keycloak statefulset strategy type -## @param updateStrategy.rollingUpdate Keycloak statefulset rolling update configuration parameters -## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies -## -updateStrategy: - type: RollingUpdate - rollingUpdate: {} -## @param minReadySeconds How many seconds a pod needs to be ready before killing the next, during update -## -minReadySeconds: 0 -## @param extraVolumes Optionally specify extra list of additional volumes for Keycloak pods -## -extraVolumes: [] -## @param extraVolumeMounts Optionally specify extra list of additional volumeMounts for Keycloak container(s) -## -extraVolumeMounts: [] -## @param initContainers Add additional init containers to the Keycloak pods -## Example: -## initContainers: -## - name: your-image-name -## image: your-image -## imagePullPolicy: Always -## ports: -## - name: portname -## containerPort: 1234 -## -initContainers: [] -## @param sidecars Add additional sidecar containers to the Keycloak pods -## Example: -## sidecars: -## - name: your-image-name -## image: your-image -## imagePullPolicy: Always -## ports: -## - name: portname -## containerPort: 1234 -## -sidecars: [] -## @section Exposure parameters -## - -## Service configuration -## -service: - ## @param service.type Kubernetes service type - ## - type: ClusterIP - ## @param service.http.enabled Enable http port on service - ## - http: - enabled: true - ## @param service.ports.http Keycloak service HTTP port - ## @param service.ports.https Keycloak service HTTPS port - ## - ports: - http: 80 - https: 443 - ## @param service.nodePorts 
[object] Specify the nodePort values for the LoadBalancer and NodePort service types. - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - ## - nodePorts: - http: "" - https: "" - ## @param service.sessionAffinity Control where client requests go, to the same pod or round-robin - ## Values: ClientIP or None - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ - ## - sessionAffinity: None - ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity - ## sessionAffinityConfig: - ## clientIP: - ## timeoutSeconds: 300 - ## - sessionAffinityConfig: {} - ## @param service.clusterIP Keycloak service clusterIP IP - ## e.g: - ## clusterIP: None - ## - clusterIP: "" - ## @param service.loadBalancerIP loadBalancerIP for the SuiteCRM Service (optional, cloud specific) - ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer - ## - loadBalancerIP: "" - ## @param service.loadBalancerSourceRanges Address that are allowed when service is LoadBalancer - ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service - ## Example: - ## loadBalancerSourceRanges: - ## - 10.10.10.0/24 - ## - loadBalancerSourceRanges: [] - ## @param service.externalTrafficPolicy Enable client source IP preservation - ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip - ## - externalTrafficPolicy: Cluster - ## @param service.annotations Additional custom annotations for Keycloak service - ## - annotations: {} - ## @param service.extraPorts Extra port to expose on Keycloak service - ## - extraPorts: [] - # DEPRECATED service.extraHeadlessPorts will be removed in a future release, please use service.headless.extraPorts instead - ## @param service.extraHeadlessPorts Extra ports to expose on Keycloak headless service - ## - 
extraHeadlessPorts: [] - ## Headless service properties - ## - headless: - ## @param service.headless.annotations Annotations for the headless service. - ## - annotations: {} - ## @param service.headless.extraPorts Extra ports to expose on Keycloak headless service - ## - extraPorts: [] -## Keycloak ingress parameters -## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ -## -ingress: - ## @param ingress.enabled Enable ingress record generation for Keycloak - ## - enabled: false - ## @param ingress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) - ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster . - ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ - ## - ingressClassName: "" - ## @param ingress.pathType Ingress path type - ## - pathType: ImplementationSpecific - ## @param ingress.apiVersion Force Ingress API version (automatically detected if not set) - ## - apiVersion: "" - ## @param ingress.controller The ingress controller type. Currently supports `default` and `gce` - ## leave as `default` for most ingress controllers. - ## set to `gce` if using the GCE ingress controller - ## - controller: default - ## @param ingress.hostname Default host for the ingress record (evaluated as template) - ## - hostname: keycloak.local - ## @param ingress.hostnameStrict Disables dynamically resolving the hostname from request headers. - ## Should always be set to true in production, unless your reverse proxy overwrites the Host header. - ## If enabled, the hostname option needs to be specified. - ## - hostnameStrict: false - ## @param ingress.path [string] Default path for the ingress record (evaluated as template) - ## - path: "{{ .Values.httpRelativePath }}" - ## @param ingress.servicePort Backend service port to use - ## Default is http. Alternative is https. 
- ## - servicePort: http - ## @param ingress.annotations [object] Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. - ## Use this parameter to set the required annotations for cert-manager, see - ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations - ## e.g: - ## annotations: - ## kubernetes.io/ingress.class: nginx - ## cert-manager.io/cluster-issuer: cluster-issuer-name - ## - annotations: {} - ## @param ingress.labels Additional labels for the Ingress resource. - ## e.g: - ## labels: - ## app: keycloak - ## - labels: {} - ## @param ingress.tls Enable TLS configuration for the host defined at `ingress.hostname` parameter - ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" (tpl .Values.ingress.hostname .) }}` - ## You can: - ## - Use the `ingress.secrets` parameter to create this TLS secret - ## - Rely on cert-manager to create it by setting the corresponding annotations - ## - Rely on Helm to create self-signed certificates by setting `ingress.selfSigned=true` - ## - tls: false - ## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm - ## - selfSigned: false - ## @param ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record - ## e.g: - ## extraHosts: - ## - name: keycloak.local - ## path: / - ## - extraHosts: [] - ## @param ingress.extraPaths Any additional arbitrary paths that may need to be added to the ingress under the main host. - ## For example: The ALB ingress controller requires a special rule for handling SSL redirection. - ## extraPaths: - ## - path: /* - ## backend: - ## serviceName: ssl-redirect - ## servicePort: use-annotation - ## - extraPaths: [] - ## @param ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record. 
- ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls - ## extraTls: - ## - hosts: - ## - keycloak.local - ## secretName: keycloak.local-tls - ## - extraTls: [] - ## @param ingress.secrets If you're providing your own certificates, please use this to add the certificates as secrets - ## key and certificate should start with -----BEGIN CERTIFICATE----- or - ## -----BEGIN RSA PRIVATE KEY----- - ## - ## name should line up with a tlsSecret set further up - ## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set - ## - ## It is also possible to create and manage the certificates outside of this helm chart - ## Please see README.md for more information - ## e.g: - ## - name: keycloak.local-tls - ## key: - ## certificate: - ## - secrets: [] - ## @param ingress.extraRules Additional rules to be covered with this ingress record - ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules - ## e.g: - ## extraRules: - ## - host: keycloak.local - ## http: - ## path: / - ## backend: - ## service: - ## name: keycloak - ## port: - ## name: http - ## - extraRules: [] -## Keycloak admin ingress parameters -## ref: https://kubernetes.io/docs/user-guide/ingress/ -## -adminIngress: - ## @param adminIngress.enabled Enable admin ingress record generation for Keycloak - ## - enabled: false - ## @param adminIngress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) - ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster . 
- ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ - ## - ingressClassName: "" - ## @param adminIngress.pathType Ingress path type - ## - pathType: ImplementationSpecific - ## @param adminIngress.apiVersion Force Ingress API version (automatically detected if not set) - ## - apiVersion: "" - ## @param adminIngress.controller The ingress controller type. Currently supports `default` and `gce` - ## leave as `default` for most ingress controllers. - ## set to `gce` if using the GCE ingress controller - ## - controller: default - ## @param adminIngress.hostname Default host for the admin ingress record (evaluated as template) - ## - hostname: keycloak.local - ## @param adminIngress.path [string] Default path for the admin ingress record (evaluated as template) - ## - path: "{{ .Values.httpRelativePath }}" - ## @param adminIngress.servicePort Backend service port to use - ## Default is http. Alternative is https. - ## - servicePort: http - ## @param adminIngress.annotations [object] Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. - ## Use this parameter to set the required annotations for cert-manager, see - ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations - ## e.g: - ## annotations: - ## kubernetes.io/ingress.class: nginx - ## cert-manager.io/cluster-issuer: cluster-issuer-name - ## - annotations: {} - ## @param adminIngress.labels Additional labels for the Ingress resource. - ## e.g: - ## labels: - ## app: keycloak - ## - labels: {} - ## @param adminIngress.tls Enable TLS configuration for the host defined at `adminIngress.hostname` parameter - ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" (tpl .Values.adminIngress.hostname .) 
}}` - ## You can: - ## - Use the `adminIngress.secrets` parameter to create this TLS secret - ## - Rely on cert-manager to create it by setting the corresponding annotations - ## - Rely on Helm to create self-signed certificates by setting `adminIngress.selfSigned=true` - ## - tls: false - ## @param adminIngress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm - ## - selfSigned: false - ## @param adminIngress.extraHosts An array with additional hostname(s) to be covered with the admin ingress record - ## e.g: - ## extraHosts: - ## - name: keycloak.local - ## path: / - ## - extraHosts: [] - ## @param adminIngress.extraPaths Any additional arbitrary paths that may need to be added to the admin ingress under the main host. - ## For example: The ALB ingress controller requires a special rule for handling SSL redirection. - ## extraPaths: - ## - path: /* - ## backend: - ## serviceName: ssl-redirect - ## servicePort: use-annotation - ## - extraPaths: [] - ## @param adminIngress.extraTls The tls configuration for additional hostnames to be covered with this ingress record. 
- ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls - ## extraTls: - ## - hosts: - ## - keycloak.local - ## secretName: keycloak.local-tls - ## - extraTls: [] - ## @param adminIngress.secrets If you're providing your own certificates, please use this to add the certificates as secrets - ## key and certificate should start with -----BEGIN CERTIFICATE----- or - ## -----BEGIN RSA PRIVATE KEY----- - ## - ## name should line up with a tlsSecret set further up - ## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set - ## - ## It is also possible to create and manage the certificates outside of this helm chart - ## Please see README.md for more information - ## e.g: - ## - name: keycloak.local-tls - ## key: - ## certificate: - ## - secrets: [] - ## @param adminIngress.extraRules Additional rules to be covered with this ingress record - ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules - ## e.g: - ## extraRules: - ## - host: keycloak.local - ## http: - ## path: / - ## backend: - ## service: - ## name: keycloak - ## port: - ## name: http - ## - extraRules: [] -## Network Policy configuration -## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ -## -networkPolicy: - ## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created - ## - enabled: true - ## @param networkPolicy.allowExternal Don't require server label for connections - ## The Policy model to apply. When set to false, only pods with the correct - ## server label will have network access to the ports server is listening - ## on. When true, server will accept connections from any source - ## (with the correct destination port). - ## - allowExternal: true - ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. 
- ## - allowExternalEgress: true - ## @param networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) - ## - kubeAPIServerPorts: [443, 6443, 8443] - ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy - ## e.g: - ## extraIngress: - ## - ports: - ## - port: 1234 - ## from: - ## - podSelector: - ## - matchLabels: - ## - role: frontend - ## - podSelector: - ## - matchExpressions: - ## - key: role - ## operator: In - ## values: - ## - frontend - extraIngress: [] - ## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy - ## e.g: - ## extraEgress: - ## - ports: - ## - port: 1234 - ## to: - ## - podSelector: - ## - matchLabels: - ## - role: frontend - ## - podSelector: - ## - matchExpressions: - ## - key: role - ## operator: In - ## values: - ## - frontend - ## - extraEgress: [] - ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces - ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces - ## - ingressNSMatchLabels: {} - ingressNSPodMatchLabels: {} -## @section RBAC parameter -## Specifies whether a ServiceAccount should be created -## -serviceAccount: - ## @param serviceAccount.create Enable the creation of a ServiceAccount for Keycloak pods - ## - create: true - ## @param serviceAccount.name Name of the created ServiceAccount - ## If not set and create is true, a name is generated using the fullname template - ## - name: "" - ## @param serviceAccount.automountServiceAccountToken Auto-mount the service account token in the pod - ## - automountServiceAccountToken: false - ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount - ## - annotations: {} - ## @param serviceAccount.extraLabels Additional labels for the ServiceAccount - ## - extraLabels: {} -## Specifies 
whether RBAC resources should be created -## -rbac: - ## @param rbac.create Whether to create and use RBAC resources or not - ## - create: false - ## @param rbac.rules Custom RBAC rules - ## Example: - ## rules: - ## - apiGroups: - ## - "" - ## resources: - ## - pods - ## verbs: - ## - get - ## - list - ## - rules: [] -## @section Other parameters -## - -## Keycloak Pod Disruption Budget configuration -## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ -## -pdb: - ## @param pdb.create Enable/disable a Pod Disruption Budget creation - ## - create: true - ## @param pdb.minAvailable Minimum number/percentage of pods that should remain scheduled - ## - minAvailable: "" - ## @param pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable - ## - maxUnavailable: "" -## Keycloak Autoscaling configuration -## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ -## @param autoscaling.enabled Enable autoscaling for Keycloak -## @param autoscaling.minReplicas Minimum number of Keycloak replicas -## @param autoscaling.maxReplicas Maximum number of Keycloak replicas -## @param autoscaling.targetCPU Target CPU utilization percentage -## @param autoscaling.targetMemory Target Memory utilization percentage -## -autoscaling: - enabled: false - minReplicas: 1 - maxReplicas: 11 - targetCPU: "" - targetMemory: "" - ## HPA Scaling Behavior - ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior - ## - behavior: - ## HPA behavior when scaling up - ## @param autoscaling.behavior.scaleUp.stabilizationWindowSeconds The number of seconds for which past recommendations should be considered while scaling up - ## @param autoscaling.behavior.scaleUp.selectPolicy The priority of policies that the autoscaler will apply when scaling up - ## @param autoscaling.behavior.scaleUp.policies [array] HPA scaling policies when scaling up - ## e.g: - ## Policy to scale 20% of 
the pod in 60s - ## - type: Percent - ## value: 20 - ## periodSeconds: 60 - ## - scaleUp: - stabilizationWindowSeconds: 120 - selectPolicy: Max - policies: [] - ## HPA behavior when scaling down - ## @param autoscaling.behavior.scaleDown.stabilizationWindowSeconds The number of seconds for which past recommendations should be considered while scaling down - ## @param autoscaling.behavior.scaleDown.selectPolicy The priority of policies that the autoscaler will apply when scaling down - ## @param autoscaling.behavior.scaleDown.policies [array] HPA scaling policies when scaling down - ## e.g: - ## Policy to scale one pod in 300s - ## - type: Pods - ## value: 1 - ## periodSeconds: 300 - ## - scaleDown: - stabilizationWindowSeconds: 300 - selectPolicy: Max - policies: - - type: Pods - value: 1 - periodSeconds: 300 -## @section Metrics parameters -## - -## Metrics configuration -## -metrics: - ## @param metrics.enabled Enable exposing Keycloak statistics - ## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#enabling-statistics - ## - enabled: false - ## Keycloak metrics service parameters - ## - service: - ports: - ## @param metrics.service.ports.http Metrics service HTTP port - ## - http: 8080 - ## @param metrics.service.ports.https Metrics service HTTPS port - ## - https: 8443 - ## @param metrics.service.ports.metrics Metrics service Metrics port - ## - metrics: 9000 - ## @param metrics.service.annotations [object] Annotations for enabling prometheus to access the metrics endpoints - ## - annotations: - prometheus.io/scrape: "true" - prometheus.io/port: "{{ .Values.metrics.service.ports.metrics }}" - ## @param metrics.service.extraPorts [array] Add additional ports to the keycloak metrics service (i.e. 
admin port 9000) - ## - extraPorts: [] - ## Prometheus Operator ServiceMonitor configuration - ## - serviceMonitor: - ## @param metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using PrometheusOperator - ## - enabled: false - ## @param metrics.serviceMonitor.port Metrics service HTTP port - ## - port: metrics - ## @param metrics.serviceMonitor.scheme Metrics service scheme - ## - scheme: http - ## @param metrics.serviceMonitor.tlsConfig Metrics service TLS configuration - ## - tlsConfig: {} - ## @param metrics.serviceMonitor.endpoints [array] The endpoint configuration of the ServiceMonitor. Path is mandatory. Port, scheme, tlsConfig, interval, timeout and labellings can be overwritten. - ## - endpoints: - - path: '{{ include "keycloak.httpPath" . }}metrics' - - path: '{{ include "keycloak.httpPath" . }}realms/{{ .Values.adminRealm }}/metrics' - port: http - ## @param metrics.serviceMonitor.path Metrics service HTTP path. Deprecated: Use @param metrics.serviceMonitor.endpoints instead - ## - path: "" - ## @param metrics.serviceMonitor.namespace Namespace which Prometheus is running in - ## - namespace: "" - ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped - ## - interval: 30s - ## @param metrics.serviceMonitor.scrapeTimeout Specify the timeout after which the scrape is ended - ## e.g: - ## scrapeTimeout: 30s - ## - scrapeTimeout: "" - ## @param metrics.serviceMonitor.labels Additional labels that can be used so ServiceMonitor will be discovered by Prometheus - ## - labels: {} - ## @param metrics.serviceMonitor.selector Prometheus instance selector labels - ## ref: https://github.com/bitnami/charts/tree/main/bitnami/prometheus-operator#prometheus-configuration - ## - selector: {} - ## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping - ## - relabelings: [] - ## @param metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples 
before ingestion - ## - metricRelabelings: [] - ## @param metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels - ## - honorLabels: false - ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus. - ## - jobLabel: "" - ## Prometheus Operator alert rules configuration - ## - prometheusRule: - ## @param metrics.prometheusRule.enabled Create PrometheusRule Resource for scraping metrics using PrometheusOperator - ## - enabled: false - ## @param metrics.prometheusRule.namespace Namespace which Prometheus is running in - ## - namespace: "" - ## @param metrics.prometheusRule.labels Additional labels that can be used so PrometheusRule will be discovered by Prometheus - ## - labels: {} - ## @param metrics.prometheusRule.groups Groups, containing the alert rules. - ## Example: - ## groups: - ## - name: Keycloak - ## rules: - ## - alert: KeycloakInstanceNotAvailable - ## annotations: - ## message: "Keycloak instance in namespace {{ `{{` }} $labels.namespace {{ `}}` }} has not been available for the last 5 minutes." - ## expr: | - ## absent(kube_pod_status_ready{namespace="{{ include "common.names.namespace" . }}", condition="true"} * on (pod) kube_pod_labels{pod=~"{{ include "common.names.fullname" . }}-\\d+", namespace="{{ include "common.names.namespace" . 
}}"}) != 0 - ## for: 5m - ## labels: - ## severity: critical - groups: [] -## @section keycloak-config-cli parameters - -## Configuration for keycloak-config-cli -## ref: https://github.com/adorsys/keycloak-config-cli -## -keycloakConfigCli: - ## @param keycloakConfigCli.enabled Whether to enable keycloak-config-cli job - ## - enabled: false - ## Bitnami keycloak-config-cli image - ## ref: https://hub.docker.com/r/bitnami/keycloak-config-cli/tags/ - ## @param keycloakConfigCli.image.registry [default: REGISTRY_NAME] keycloak-config-cli container image registry - ## @param keycloakConfigCli.image.repository [default: REPOSITORY_NAME/keycloak-config-cli] keycloak-config-cli container image repository - ## @skip keycloakConfigCli.image.tag keycloak-config-cli container image tag - ## @param keycloakConfigCli.image.digest keycloak-config-cli container image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag - ## @param keycloakConfigCli.image.pullPolicy keycloak-config-cli container image pull policy - ## @param keycloakConfigCli.image.pullSecrets keycloak-config-cli container image pull secrets - ## - image: - registry: docker.io - repository: bitnami/keycloak-config-cli - tag: 6.3.0-debian-12-r1 - digest: "" - ## Specify a imagePullPolicy - ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images - ## - pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. 
- ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## e.g: - ## pullSecrets: - ## - myRegistryKeySecretName - ## - pullSecrets: [] - ## @param keycloakConfigCli.annotations [object] Annotations for keycloak-config-cli job - ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - ## - annotations: - helm.sh/hook: "post-install,post-upgrade,post-rollback" - helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation" - helm.sh/hook-weight: "5" - ## @param keycloakConfigCli.command Command for running the container (set to default if not set). Use array form - ## - command: [] - ## @param keycloakConfigCli.args Args for running the container (set to default if not set). Use array form - ## - args: [] - ## @param keycloakConfigCli.automountServiceAccountToken Mount Service Account token in pod - ## - automountServiceAccountToken: true - ## @param keycloakConfigCli.hostAliases Job pod host aliases - ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ - ## - hostAliases: [] - ## Keycloak config CLI resource requests and limits - ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - ## @param keycloakConfigCli.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if keycloakConfigCli.resources is set (keycloakConfigCli.resources is recommended for production). 
- ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 - ## - resourcesPreset: "small" - ## @param keycloakConfigCli.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) - ## Example: - ## resources: - ## requests: - ## cpu: 2 - ## memory: 512Mi - ## limits: - ## cpu: 3 - ## memory: 1024Mi - ## - resources: {} - ## keycloak-config-cli containers' Security Context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container - ## @param keycloakConfigCli.containerSecurityContext.enabled Enabled keycloak-config-cli Security Context - ## @param keycloakConfigCli.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container - ## @param keycloakConfigCli.containerSecurityContext.runAsUser Set keycloak-config-cli Security Context runAsUser - ## @param keycloakConfigCli.containerSecurityContext.runAsGroup Set keycloak-config-cli Security Context runAsGroup - ## @param keycloakConfigCli.containerSecurityContext.runAsNonRoot Set keycloak-config-cli Security Context runAsNonRoot - ## @param keycloakConfigCli.containerSecurityContext.privileged Set keycloak-config-cli Security Context privileged - ## @param keycloakConfigCli.containerSecurityContext.readOnlyRootFilesystem Set keycloak-config-cli Security Context readOnlyRootFilesystem - ## @param keycloakConfigCli.containerSecurityContext.allowPrivilegeEscalation Set keycloak-config-cli Security Context allowPrivilegeEscalation - ## @param keycloakConfigCli.containerSecurityContext.capabilities.drop List of capabilities to be dropped - ## @param keycloakConfigCli.containerSecurityContext.seccompProfile.type Set keycloak-config-cli Security Context seccomp profile - ## - containerSecurityContext: - enabled: true - seLinuxOptions: {} - runAsUser: 1001 - runAsGroup: 1001 - runAsNonRoot: true - privileged: false - 
readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - capabilities: - drop: ["ALL"] - seccompProfile: - type: "RuntimeDefault" - ## keycloak-config-cli pods' Security Context - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod - ## @param keycloakConfigCli.podSecurityContext.enabled Enabled keycloak-config-cli pods' Security Context - ## @param keycloakConfigCli.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy - ## @param keycloakConfigCli.podSecurityContext.sysctls Set kernel settings using the sysctl interface - ## @param keycloakConfigCli.podSecurityContext.supplementalGroups Set filesystem extra groups - ## @param keycloakConfigCli.podSecurityContext.fsGroup Set keycloak-config-cli pod's Security Context fsGroup - ## - podSecurityContext: - enabled: true - fsGroupChangePolicy: Always - sysctls: [] - supplementalGroups: [] - fsGroup: 1001 - ## @param keycloakConfigCli.backoffLimit Number of retries before considering a Job as failed - ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy - ## - backoffLimit: 1 - ## @param keycloakConfigCli.podLabels Pod extra labels - ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ - ## - podLabels: {} - ## @param keycloakConfigCli.podAnnotations Annotations for job pod - ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - ## - podAnnotations: {} - ## @param keycloakConfigCli.nodeSelector Node labels for pod assignment - ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ - ## - nodeSelector: {} - ## - ## @param keycloakConfigCli.podTolerations Tolerations for job pod assignment - ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ - ## - podTolerations: [] - ## @param keycloakConfigCli.extraEnvVars Additional environment variables to set - ## Example: - ## 
extraEnvVars: - ## - name: FOO - ## value: "bar" - ## - extraEnvVars: [] - ## @param keycloakConfigCli.extraEnvVarsCM ConfigMap with extra environment variables - ## - extraEnvVarsCM: "" - ## @param keycloakConfigCli.extraEnvVarsSecret Secret with extra environment variables - ## - extraEnvVarsSecret: "" - ## @param keycloakConfigCli.extraVolumes Extra volumes to add to the job - ## - extraVolumes: [] - ## @param keycloakConfigCli.extraVolumeMounts Extra volume mounts to add to the container - ## - extraVolumeMounts: [] - ## @param keycloakConfigCli.initContainers Add additional init containers to the Keycloak config cli pod - ## Example: - ## initContainers: - ## - name: your-image-name - ## image: your-image - ## imagePullPolicy: Always - ## ports: - ## - name: portname - ## containerPort: 1234 - ## - initContainers: [] - ## @param keycloakConfigCli.sidecars Add additional sidecar containers to the Keycloak config cli pod - ## Example: - ## sidecars: - ## - name: your-image-name - ## image: your-image - ## imagePullPolicy: Always - ## ports: - ## - name: portname - ## containerPort: 1234 - ## - sidecars: [] - ## @param keycloakConfigCli.configuration keycloak-config-cli realms configuration - ## NOTE: nil keys will be considered files to import locally - ## Example: - ## configuration: - ## realm1.json: | - ## { - ## "realm": "realm1", - ## "clients": [] - ## } - ## realm2.yaml: | - ## realm: realm2 - ## clients: [] - ## - configuration: {} - ## @param keycloakConfigCli.existingConfigmap ConfigMap with keycloak-config-cli configuration - ## NOTE: This will override keycloakConfigCli.configuration - ## - existingConfigmap: "" - ## Automatic Cleanup for Finished Jobs - ## @param keycloakConfigCli.cleanupAfterFinished.enabled Enables Cleanup for Finished Jobs - ## @param keycloakConfigCli.cleanupAfterFinished.seconds Sets the value of ttlSecondsAfterFinished - ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ - ## - 
cleanupAfterFinished: - enabled: false - seconds: 600 -## @section Database parameters - -## PostgreSQL chart configuration -## ref: https://github.com/bitnami/charts/blob/main/bitnami/postgresql/values.yaml -## @param postgresql.enabled Switch to enable or disable the PostgreSQL helm chart -## @param postgresql.auth.postgresPassword Password for the "postgres" admin user. Ignored if `auth.existingSecret` with key `postgres-password` is provided -## @param postgresql.auth.username Name for a custom user to create -## @param postgresql.auth.password Password for the custom user to create -## @param postgresql.auth.database Name for a custom database to create -## @param postgresql.auth.existingSecret Name of existing secret to use for PostgreSQL credentials -## @param postgresql.auth.secretKeys.userPasswordKey Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. -## @param postgresql.architecture PostgreSQL architecture (`standalone` or `replication`) -## -postgresql: - enabled: true - auth: - postgresPassword: "" - username: bn_keycloak - password: "" - database: bitnami_keycloak - existingSecret: "" - secretKeys: - userPasswordKey: password - architecture: standalone -## External PostgreSQL configuration -## All of these values are only used when postgresql.enabled is set to false -## @param externalDatabase.host Database host -## @param externalDatabase.port Database port number -## @param externalDatabase.user Non-root username for Keycloak -## @param externalDatabase.password Password for the non-root username for Keycloak -## @param externalDatabase.database Keycloak database name -## @param externalDatabase.existingSecret Name of an existing secret resource containing the database credentials -## @param externalDatabase.existingSecretHostKey Name of an existing secret key containing the database host name -## @param externalDatabase.existingSecretPortKey Name of an existing secret key containing the 
database port -## @param externalDatabase.existingSecretUserKey Name of an existing secret key containing the database user -## @param externalDatabase.existingSecretDatabaseKey Name of an existing secret key containing the database name -## @param externalDatabase.existingSecretPasswordKey Name of an existing secret key containing the database credentials -## @param externalDatabase.annotations Additional custom annotations for external database secret object -## -externalDatabase: - host: "" - port: 5432 - user: bn_keycloak - database: bitnami_keycloak - password: "" - existingSecret: "" - existingSecretHostKey: "" - existingSecretPortKey: "" - existingSecretUserKey: "" - existingSecretDatabaseKey: "" - existingSecretPasswordKey: "" - annotations: {} -## @section Keycloak Cache parameters - -## Keycloak cache configuration -## ref: https://www.keycloak.org/server/caching -## @param cache.enabled Switch to enable or disable the keycloak distributed cache for kubernetes. -## NOTE: Set to false to use 'local' cache (only supported when replicaCount=1). -## @param cache.stackName Set infinispan cache stack to use -## @param cache.stackFile Set infinispan cache stack filename to use -## @param cache.useHeadlessServiceWithAppVersion Set to true to create the headless service used for ispn containing the app version -## -cache: - enabled: true - stackName: kubernetes - stackFile: "" - useHeadlessServiceWithAppVersion: false -## @section Keycloak Logging parameters - -## Keycloak logging configuration -## ref: https://www.keycloak.org/server/logging -## @param logging.output Alternates between the default log output format or json format -## @param logging.level Allowed values as documented: FATAL, ERROR, WARN, INFO, DEBUG, TRACE, ALL, OFF -## -logging: - output: default - level: INFO - From 918871eaf59d29f44b7d37f8c7f7a0d91775dc91 Mon Sep 17 00:00:00 2001 
From: "Matthew C. Morgan" Date: Thu, 27 Feb 2025 13:53:47 -0500 Subject: [PATCH 013/126] namespaces --- .../vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl | 4 ---- 1 file changed, 4 deletions(-) diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl index 285b53e9..1d02df66 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl @@ -50,9 +50,5 @@ inputs = { # Dashboard Configuration service_name = include.root.inputs.dashboard_hostname k8s_dashboard_version = include.root.inputs.k8s_dashboard_version -<<<<<<< HEAD namespace = include.root.inputs.namespaces["k8s-dashboard"] -======= - namespace = include.root.inputs.dashboard_hostname ->>>>>>> f649b29 (docs and keycloak) } From f821a2a276e332f8ec14484ab7a6640cc79fc52d Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 27 Feb 2025 13:55:44 -0500 Subject: [PATCH 014/126] use main --- lab/_envcommon/default-versions.hcl | 24 +++++++----------------- 1 file changed, 7 insertions(+), 17 deletions(-) diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index a8ed9ce9..31455779 100644 --- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl @@ -47,6 +47,13 @@ locals { # EKS Config ##################### + ################ + # k8s-dashboard + ################ + dashboard_hostname = "dashboard" + k8s_dashboard_metrics_scraper = "1.0.8" + k8s_dashboard_version = "6.0.6" + ################ # Cert-Manager ################ 
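Review bot: The k8s-dashboard block added under `# EKS Config` defines `k8s_dashboard_metrics_scraper` and `k8s_dashboard_version`, but the next hunk of this file (`@@ -86,12 +93,6 @@`) keeps both names as context lines, so they appear twice on the new side. If both occurrences are in the same `locals` block, as the two hunk headers suggest, the redefinition is rejected when the file is parsed; remove one of the pairs. The hostname value also changes from `"k8s-dashboard"` (the block removed further down) to `"dashboard"`, so a one-line comment such as `# service hostname only; the namespace comes from namespaces["k8s-dashboard"]` would make the intent clear. The `locals` block starts and ends outside the hunk.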
@@ -86,12 +93,6 @@ locals { k8s_dashboard_metrics_scraper = "1.0.8" k8s_dashboard_version = "6.0.6" - ################ - # k8s-dashboard - ################ - dashboard_hostname = "k8s-dashboard" - k8s_dashboard_version = "6.0.6" - ################ # Karpenter ################ @@ -109,17 +110,6 @@ locals { keycloak_password = "this is my very secure and totally random password horse battery staple now" postgresql_tag = "17.4.0-debian-12-r2" - ################ - # keycloak - ################ - keycloak_tag = "26.1.2" - keycloak_chart_version = "24.4.10" - keycloak_hostname = "keycloak" - keycloak_namespace = "keycloak" - postgresql_tag = "17.4.0" - postgres_exporter_tag = "0.17.1" - os_shell_tag = "12" - ################ # Kiali ################ From a9980915a746295f6981ee3e619a31d110f0503c Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 27 Feb 2025 15:57:46 -0500 Subject: [PATCH 015/126] fmt --- .../vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl index f1c9bdcb..1844c44b 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl @@ -5,7 +5,11 @@ include "root" { } terraform { +<<<<<<< HEAD source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-kiali.git?ref=${include.root.inputs.release_version}" +======= + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-kiali.git?ref=mcmCluster" +>>>>>>> 77e8f9d (fmt) extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] From 6cae9ad01ca748901da6baf0d95399181bdfd247 Mon Sep 17 00:00:00 2001 
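Review bot: The kiali hunk (`@@ -5,7 +5,11 @@`) commits unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 77e8f9d (fmt)`) around two competing `source` lines, so this `terragrunt.hcl` cannot be parsed as committed. Patch 016 removes them from this file, but patch 020 adds the same markers to the `namespaces` map in `default-versions.hcl`, and patch 024 adds them throughout `platform-eng-eks-srn/eks-keycloak` and `eks-tempo`, where the conflict also leaves open whether `prometheus_svc` is passed at all. Resolve every conflict to one side before committing. A pre-commit `check-merge-conflict` hook or a `terragrunt hclfmt` step in CI would stop these from reaching the branch.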
From: "Matthew C. Morgan" Date: Thu, 27 Feb 2025 17:20:03 -0500 Subject: [PATCH 016/126] namespace changes --- .../platform-eng-eks-mcm/eks-kiali/terragrunt.hcl | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl index 1844c44b..a45fe07a 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl @@ -5,17 +5,24 @@ include "root" { } terraform { -<<<<<<< HEAD source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-kiali.git?ref=${include.root.inputs.release_version}" -======= - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-kiali.git?ref=mcmCluster" ->>>>>>> 77e8f9d (fmt) extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] } } +dependencies { + paths = [ + "../eks", + "../eks-config", + "../eks-dns", + "../eks-grafana", + "../eks-istio", + "../eks-prometheus" + ] +} + dependency "eks" { config_path = "../eks" mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] From 28e97d935ddc2ba5623080665e0428fd6a43ebd0 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 27 Feb 2025 18:02:17 -0500 Subject: [PATCH 017/126] update internal url ref --- .../vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl index a45fe07a..24548da7 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl 
@@ -5,7 +5,7 @@ include "root" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-kiali.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-kiali.git?ref=mcmCluster" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] From b0ae98466c0a71eda9f8d4bbdc0783769bd2e5b0 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 27 Feb 2025 20:03:32 -0500 Subject: [PATCH 018/126] fmt --- .../eks-k8s-dashboard/terragrunt.hcl | 2 +- .../eks-postgresql/terragrunt.hcl | 56 +++++++++++++++++++ 2 files changed, 57 insertions(+), 1 deletion(-) create mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-postgresql/terragrunt.hcl diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl index 1d02df66..794593fc 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl @@ -5,7 +5,7 @@ include "root" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-k8s-dashboard.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-k8s-dashboard.git?ref=mcmCluster" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-postgresql/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-postgresql/terragrunt.hcl new file mode 100644 index 00000000..1ccfd902 --- /dev/null +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-postgresql/terragrunt.hcl 
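Review bot: The new `source` line pins `tfmod-kiali` to the mutable branch `mcmCluster` instead of `${include.root.inputs.release_version}`, so each `terragrunt init` fetches whatever that branch points to at the time and the applied module code is no longer tied to a reviewed release. The same substitution is made for `tfmod-k8s-dashboard` and the new `tfmod-postgresql` (`ref=main`) in patch 018, `tfmod-prometheus` in patch 023, `tfmod-istio`, `tfmod-karpenter` and `tfmod-metrics-server` in patch 025, `tfmod-cert-mgr` (`ref=cicd`) and `tfmod-grafana` (`ref=namespaces`) in patch 027, and `tfmod-eks` in patch 028. If a work-in-progress module is needed in the lab, pin it to a tag or a full commit SHA (`?ref=<commit-sha>`) and add a comment such as `# TEMP: restore release_version before merge` so the override is easy to find and is not copied into other environments.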
@@ -0,0 +1,56 @@ +include "root" { + path = find_in_parent_folders("root.hcl") + merge_strategy = "deep" + expose = true +} + +terraform { + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-postgresql.git?ref=main" + extra_arguments "retry_lock" { + commands = get_terraform_commands_that_need_locking() + arguments = ["-lock-timeout=20s"] + } +} + +dependencies { + paths = [ + "../eks", + "../eks-config", + "../eks-dns" + ] +} + +dependency "eks" { + config_path = "../eks" + mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] + mock_outputs = { + cluster_name = include.root.inputs.cluster_name + oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock" + } +} + +dependency "eks_dns" { + config_path = "../eks-dns" + mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] + mock_outputs = { + cluster_domain = "mock.example.com" + oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock" + } +} + +inputs = { + # AWS Configuration + account_id = include.root.inputs.aws_account_id + profile = include.root.inputs.aws_profile + region = include.root.inputs.aws_region + + # Cluster Configuration + cluster_domain = dependency.eks_dns.outputs.cluster_domain + cluster_name = dependency.eks.outputs.cluster_name + + # PostgreSQL Configuration + service_name = include.root.inputs.postgresql_name + postgresql_version = include.root.inputs.postgresql_version + + namespace = include.root.inputs.namespaces["postgresql"] +} From 20f19405bf021d9c7d5aab43b39aec5d8f24314f Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 27 Feb 2025 20:42:06 -0500 Subject: [PATCH 019/126] versions --- lab/_envcommon/default-versions.hcl | 10 ++++++++++ .../eks-postgresql/terragrunt.hcl | 18 +++++++++++++++--- 2 files changed, 25 insertions(+), 3 deletions(-) diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index 31455779..7d186cb4 100644 
--- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl @@ -133,6 +133,16 @@ locals { metrics_server_helm_chart = "3.12.2" metrics_server_tag = "0.7.2" + ################ + # PostgreSQL + ################ + os_shell_tag = "12" + postgres_exporter_tag = "0.16.0" + postgresql_repmgr_tag = "17.4.0" + pgpool_tag = "4.5.5" + postgresql_chart_version = "15.3.0" + postgresql_tag = "17.4.0" + ################ # Prometheus ################ diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-postgresql/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-postgresql/terragrunt.hcl index 1ccfd902..8c61965f 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-postgresql/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-postgresql/terragrunt.hcl @@ -29,6 +29,14 @@ dependency "eks" { } } +dependency "eks_config" { + config_path = "../eks-config" + mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] + mock_outputs = { + rwo_storage_class = "gp3-mock" + } +} + dependency "eks_dns" { config_path = "../eks-dns" mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] @@ -47,10 +55,14 @@ inputs = { # Cluster Configuration cluster_domain = dependency.eks_dns.outputs.cluster_domain cluster_name = dependency.eks.outputs.cluster_name + rwo_storage_class = dependency.eks_config.outputs.rwo_storage_class # PostgreSQL Configuration - service_name = include.root.inputs.postgresql_name - postgresql_version = include.root.inputs.postgresql_version - + service_name = "postgresql" + os_shell_tag = include.root.inputs.os_shell_tag + postgres_exporter_tag = include.root.inputs.postgres_exporter_tag + postgresql_tag = include.root.inputs.postgresql_tag + postgresql_repmgr_tag = include.root.inputs.postgresql_repmgr_tag + pgpool_tag = include.root.inputs.pgpool_tag namespace = include.root.inputs.namespaces["postgresql"] } 
From 5d2d47e401f529e8625f31339f7ae8779470ec2c Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 27 Feb 2025 23:26:15 -0500 Subject: [PATCH 020/126] more wip: --- lab/_envcommon/default-versions.hcl | 21 ++++++++++++++----- .../eks-postgresql/terragrunt.hcl | 14 ++++++------- 2 files changed, 23 insertions(+), 12 deletions(-) diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index 7d186cb4..5ce17d59 100644 --- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl @@ -31,8 +31,12 @@ locals { karpenter = "karpenter" metrics-server = "kube-system" postgresql = "kube-system" +<<<<<<< HEAD keycloak = "keycloak" gogatekeeper = "kube-system" +======= + keycloak = "kube-system" +>>>>>>> 2829581 (more wip:) istio = "istio-system" kiali = "istio-system" grafana = local.telemetry_namespace @@ -110,6 +114,13 @@ locals { keycloak_password = "this is my very secure and totally random password horse battery staple now" postgresql_tag = "17.4.0-debian-12-r2" + ################ + # Keycloak + ################ + keycloak_chart_version = "24.4.10" + keycloak_tag = "26.1.2" + keycloak_hostname = "keycloak" + ################ # Kiali ################ @@ -136,12 +147,12 @@ locals { ################ # PostgreSQL ################ - os_shell_tag = "12" - postgres_exporter_tag = "0.16.0" - postgresql_repmgr_tag = "17.4.0" - pgpool_tag = "4.5.5" + os_shell_tag = "12" + postgres_exporter_tag = "0.16.0" + postgresql_repmgr_tag = "17.4.0" + pgpool_tag = "4.5.5" postgresql_chart_version = "15.3.0" - postgresql_tag = "17.4.0" + postgresql_tag = "17.4.0" ################ # Prometheus diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-postgresql/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-postgresql/terragrunt.hcl index 8c61965f..eabc5032 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-postgresql/terragrunt.hcl 
+++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-postgresql/terragrunt.hcl @@ -53,16 +53,16 @@ inputs = { region = include.root.inputs.aws_region # Cluster Configuration - cluster_domain = dependency.eks_dns.outputs.cluster_domain - cluster_name = dependency.eks.outputs.cluster_name + cluster_domain = dependency.eks_dns.outputs.cluster_domain + cluster_name = dependency.eks.outputs.cluster_name rwo_storage_class = dependency.eks_config.outputs.rwo_storage_class # PostgreSQL Configuration - service_name = "postgresql" - os_shell_tag = include.root.inputs.os_shell_tag + service_name = "postgresql" + os_shell_tag = include.root.inputs.os_shell_tag postgres_exporter_tag = include.root.inputs.postgres_exporter_tag - postgresql_tag = include.root.inputs.postgresql_tag + postgresql_tag = include.root.inputs.postgresql_tag postgresql_repmgr_tag = include.root.inputs.postgresql_repmgr_tag - pgpool_tag = include.root.inputs.pgpool_tag - namespace = include.root.inputs.namespaces["postgresql"] + pgpool_tag = include.root.inputs.pgpool_tag + namespace = include.root.inputs.namespaces["postgresql"] } From 29bdf771bbf793e9184411fd2cb8c91e91321b18 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 27 Feb 2025 23:51:21 -0500 Subject: [PATCH 021/126] keycloak wip --- lab/_envcommon/default-versions.hcl | 3 +++ .../platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl | 10 ++++++++++ .../platform-eng-eks-mcm/eks-postgresql/terragrunt.hcl | 5 +++++ 3 files changed, 18 insertions(+) diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index 5ce17d59..7aca861d 100644 --- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl @@ -120,6 +120,9 @@ locals { keycloak_chart_version = "24.4.10" keycloak_tag = "26.1.2" keycloak_hostname = "keycloak" + postgresql_database = "keycloak_db" + postgresql_username = "keycloak_user" + postgresql_password = "secure_password" ################ # Kiali 
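Review bot: `postgresql_password = "secure_password"`, added to the Keycloak locals in the `@@ -120,6 +120,9 @@` hunk, commits a database credential in plain text to `default-versions.hcl`, a few lines below the literal `keycloak_password` that patch 020 shows as context. The eks-postgresql hunk of this same patch forwards the value as an ordinary module input, and patch 024 does the same with `db_password`, so it will presumably also land in plan output and Terraform state. Take the value out of the repository, for example with `postgresql_password = get_env("TF_VAR_postgresql_password")` and no default, or have the module read an existing Kubernetes secret, and mark the receiving variable `sensitive = true`. Both literals are now in Git history, so treat them as exposed and rotate them if they were ever applied to a cluster.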
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl index 74132d72..202031e0 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl @@ -37,6 +37,16 @@ dependency "eks_dns" { } } +dependency "eks_postgresql" { + config_path = "../eks-postgresql" + mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] + mock_outputs = { + internal_endpoint { + url = "mock-internal-endpoint-url" + } + } +} + dependencies { paths = [ "../eks", diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-postgresql/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-postgresql/terragrunt.hcl index eabc5032..209b827f 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-postgresql/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-postgresql/terragrunt.hcl @@ -65,4 +65,9 @@ inputs = { postgresql_repmgr_tag = include.root.inputs.postgresql_repmgr_tag pgpool_tag = include.root.inputs.pgpool_tag namespace = include.root.inputs.namespaces["postgresql"] + + # Database Consumer Configuration + postgresql_database = include.root.inputs.postgresql_database + postgresql_username = include.root.inputs.postgresql_username + postgresql_password = include.root.inputs.postgresql_password } From 6e98a2202cf4595f5c5075bc346acfd0d3347b67 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Fri, 28 Feb 2025 12:47:07 -0500 Subject: [PATCH 022/126] update prom internal url input value --- .../eks-keycloak/terragrunt.hcl | 2 +- .../eks-postgresql/terragrunt.hcl | 13 ++++++++----- 2 files changed, 9 insertions(+), 6 deletions(-) 
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl index 202031e0..3d11fdf1 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl @@ -41,7 +41,7 @@ dependency "eks_postgresql" { config_path = "../eks-postgresql" mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] mock_outputs = { - internal_endpoint { + internal_endpoint = { url = "mock-internal-endpoint-url" } } diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-postgresql/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-postgresql/terragrunt.hcl index 209b827f..4429d04a 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-postgresql/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-postgresql/terragrunt.hcl @@ -16,7 +16,8 @@ dependencies { paths = [ "../eks", "../eks-config", - "../eks-dns" + "../eks-dns", + "../eks-prometheus", ] } 
@@ -58,16 +59,18 @@ inputs = { rwo_storage_class = dependency.eks_config.outputs.rwo_storage_class # PostgreSQL Configuration - service_name = "postgresql" + namespace = include.root.inputs.namespaces["postgresql"] os_shell_tag = include.root.inputs.os_shell_tag + pgpool_tag = include.root.inputs.pgpool_tag postgres_exporter_tag = include.root.inputs.postgres_exporter_tag - postgresql_tag = include.root.inputs.postgresql_tag postgresql_repmgr_tag = include.root.inputs.postgresql_repmgr_tag - pgpool_tag = include.root.inputs.pgpool_tag - namespace = include.root.inputs.namespaces["postgresql"] + postgresql_tag = include.root.inputs.postgresql_tag + service_name = "postgresql" + telemetry_namespace = include.root.inputs.telemetry_namespace # Database Consumer Configuration postgresql_database = include.root.inputs.postgresql_database postgresql_username = include.root.inputs.postgresql_username postgresql_password = include.root.inputs.postgresql_password + } From 1e784cdb2c99ac54fa9079fe61eeb8e1c2282acc Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Fri, 28 Feb 2025 12:54:47 -0500 Subject: [PATCH 023/126] test changes on prom --- .../vpc/platform-eng-eks-mcm/eks-prometheus/terragrunt.hcl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-prometheus/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-prometheus/terragrunt.hcl index 80e24e8f..3341d076 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-prometheus/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-prometheus/terragrunt.hcl 
@@ -5,7 +5,7 @@ include "root" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-prometheus.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-prometheus.git?ref=mcmCluster" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] From d5b28eb996e0e59c96802fa7e301d39766bfc864 Mon Sep 17 00:00:00 2001 From: Srini Nangunuri Date: Fri, 28 Feb 2025 17:32:25 -0500 Subject: [PATCH 024/126] deleted old cluster platform-eng-eks-test and created new cluster platform-eng-eks-srn --- .../eks-keycloak/terragrunt.hcl | 11 +++++++++++ .../eks-tempo/terragrunt.hcl | 17 +++++++++++++++++ 2 files changed, 28 insertions(+) diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-keycloak/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-keycloak/terragrunt.hcl index 248432dd..48028f6f 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-keycloak/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-keycloak/terragrunt.hcl @@ -42,7 +42,11 @@ dependency "eks_postgresql" { config_path = "../eks-postgresql" mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] mock_outputs = { +<<<<<<< HEAD internal_endpoint = { +======= + internal_endpoint = { +>>>>>>> 4d9a294 (deleted old cluster platform-eng-eks-test and created new cluster platform-eng-eks-srn) url = "mock-internal-endpoint-url" } } 
@@ -76,10 +80,17 @@ inputs = { telemetry_namespace = include.root.inputs.telemetry_namespace # Database configuration +<<<<<<< HEAD db_host = dependency.eks_postgresql.outputs.internal_endpoint.url db_name = include.root.inputs.postgresql_database db_password = include.root.inputs.postgresql_password db_user = include.root.inputs.postgresql_username +======= + db_host = dependency.eks_postgresql.outputs.internal_endpoint.url + db_name = include.root.inputs.postgresql_database + db_password = include.root.inputs.postgresql_password + db_user = include.root.inputs.postgresql_username +>>>>>>> 4d9a294 (deleted old cluster platform-eng-eks-test and created new cluster platform-eng-eks-srn) # Project information project_name = include.root.inputs.project_name diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-tempo/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-tempo/terragrunt.hcl index e1b17d6a..bca349f8 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-tempo/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-tempo/terragrunt.hcl @@ -25,9 +25,13 @@ dependency "eks-prometheus" { config_path = "../eks-prometheus" mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] mock_outputs = { +<<<<<<< HEAD prometheus_svc = "prometheus-server" prometheus_namespace = "prometheus" prometheus_port = 80 +======= + prometheus_namespace = "prometheus" +>>>>>>> 4d9a294 (deleted old cluster platform-eng-eks-test and created new cluster platform-eng-eks-srn) prometheus_server_internal_endpoint = { hostname = "prometheus-server.prometheus.svc.cluster.local" port_number = 9090 
@@ -39,7 +43,13 @@ dependency "eks-prometheus" { dependencies { paths = [ "../eks", +<<<<<<< HEAD + "../eks-dns", +======= + "../eks-config", "../eks-dns", + "../eks-karpenter", +>>>>>>> 4d9a294 (deleted old cluster platform-eng-eks-test and created new cluster platform-eng-eks-srn) "../eks-prometheus" ] } @@ -55,7 +65,10 @@ inputs = { oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn # Prometheus Configuration +<<<<<<< HEAD prometheus_svc = dependency.eks-prometheus.outputs.prometheus_server_internal_endpoint.hostname +======= +>>>>>>> 4d9a294 (deleted old cluster platform-eng-eks-test and created new cluster platform-eng-eks-srn) prometheus_namespace = dependency.eks-prometheus.outputs.prometheus_namespace prometheus_port = dependency.eks-prometheus.outputs.prometheus_server_internal_endpoint.port_number @@ -63,4 +76,8 @@ inputs = { tempo_chart_version = include.root.inputs.tempo_chart_version tempo_tag = include.root.inputs.tempo_tag namespace = include.root.inputs.namespaces["tempo"] +<<<<<<< HEAD +======= + +>>>>>>> 4d9a294 (deleted old cluster platform-eng-eks-test and created new cluster platform-eng-eks-srn) } From 5a1bc49b13aed78cf4b228ebfc44c262c0123ea9 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Fri, 28 Feb 2025 18:28:43 -0500 Subject: [PATCH 025/126] testing more autoscaling stuffs --- .../vpc/platform-eng-eks-mcm/eks-istio/terragrunt.hcl | 2 +- .../vpc/platform-eng-eks-mcm/eks-karpenter/terragrunt.hcl | 2 +- .../vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-istio/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-istio/terragrunt.hcl index 0cd1e1f9..3f6e3e08 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-istio/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-istio/terragrunt.hcl 
@@ -5,7 +5,7 @@ include "root" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-istio.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-istio.git?ref=mcmCluster" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-karpenter/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-karpenter/terragrunt.hcl index 25c22d7c..55f12fbd 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-karpenter/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-karpenter/terragrunt.hcl @@ -5,7 +5,7 @@ include "root" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-karpenter.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-karpenter.git?ref=mcmCluster" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl index fd02a7ac..18983eee 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl @@ -19,7 +19,7 @@ dependency "eks" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-metrics-server.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-metrics-server.git?ref=mcmCluster" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] From 66d964aa75c47dc86be97bc0223776858c49e542 Mon Sep 17 00:00:00 2001 
From: "Matthew C. Morgan" Date: Mon, 3 Mar 2025 17:40:25 -0500 Subject: [PATCH 026/126] wip --- lab/_envcommon/default-versions.hcl | 12 +-- .../eks-keycloak/terragrunt.hcl | 10 --- .../eks-kiali/terragrunt.hcl | 1 - .../eks-postgresql/terragrunt.hcl | 76 ------------------- 4 files changed, 6 insertions(+), 93 deletions(-) delete mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-postgresql/terragrunt.hcl diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index 7aca861d..13931fbd 100644 --- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl @@ -117,12 +117,13 @@ locals { ################ # Keycloak ################ - keycloak_chart_version = "24.4.10" - keycloak_tag = "26.1.2" + keycloak_chart_version = "24.4.11" + keycloak_tag = "26.1.3" keycloak_hostname = "keycloak" - postgresql_database = "keycloak_db" - postgresql_username = "keycloak_user" - postgresql_password = "secure_password" + keycloak_database = "keycloak_db" + keycloak_username = "keycloak_user" + # keycloak_password = "secure_password" + postgresql_tag = "17.4.0-debian-12-r2" ################ # Kiali @@ -155,7 +156,6 @@ locals { postgresql_repmgr_tag = "17.4.0" pgpool_tag = "4.5.5" postgresql_chart_version = "15.3.0" - postgresql_tag = "17.4.0" ################ # Prometheus diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl index 3d11fdf1..74132d72 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl 
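Review bot: The `@@ -117,12 +117,13 @@` hunk in `default-versions.hcl` renames `postgresql_database` and `postgresql_username` to `keycloak_*` and drops `postgresql_password`, but the `platform-eng-eks-srn/eks-keycloak` config from patch 024 still reads `include.root.inputs.postgresql_database`, `postgresql_username` and `postgresql_password`. If the root config builds its inputs from these locals (not visible in this patch), that cluster will fail to evaluate after this change; migrate it in the same commit or keep the old names until it is updated. The commented-out `# keycloak_password = "secure_password"` keeps the credential text in the file and is better deleted than commented. The added `postgresql_tag = "17.4.0-debian-12-r2"` also appears to repeat a local that earlier hunks in this series show as existing context.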
@@ -37,16 +37,6 @@ dependency "eks_dns" { } } -dependency "eks_postgresql" { - config_path = "../eks-postgresql" - mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] - mock_outputs = { - internal_endpoint = { - url = "mock-internal-endpoint-url" - } - } -} - dependencies { paths = [ "../eks", diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl index 24548da7..6c73c423 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl @@ -17,7 +17,6 @@ dependencies { "../eks", "../eks-config", "../eks-dns", - "../eks-grafana", "../eks-istio", "../eks-prometheus" ] diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-postgresql/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-postgresql/terragrunt.hcl deleted file mode 100644 index 4429d04a..00000000 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-postgresql/terragrunt.hcl +++ /dev/null 
@@ -1,76 +0,0 @@ -include "root" { - path = find_in_parent_folders("root.hcl") - merge_strategy = "deep" - expose = true -} - -terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-postgresql.git?ref=main" - extra_arguments "retry_lock" { - commands = get_terraform_commands_that_need_locking() - arguments = ["-lock-timeout=20s"] - } -} - -dependencies { - paths = [ - "../eks", - "../eks-config", - "../eks-dns", - "../eks-prometheus", - ] -} - -dependency "eks" { - config_path = "../eks" - mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] - mock_outputs = { - cluster_name = include.root.inputs.cluster_name - oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock" - } -} - -dependency "eks_config" { - config_path = "../eks-config" - mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] - mock_outputs = { - rwo_storage_class = "gp3-mock" - } -} - -dependency "eks_dns" { - config_path = "../eks-dns" - mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] - mock_outputs = { - cluster_domain = "mock.example.com" - oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock" - } -} - -inputs = { - # AWS Configuration - account_id = include.root.inputs.aws_account_id - profile = include.root.inputs.aws_profile - region = include.root.inputs.aws_region - - # Cluster Configuration - cluster_domain = dependency.eks_dns.outputs.cluster_domain - cluster_name = dependency.eks.outputs.cluster_name - rwo_storage_class = dependency.eks_config.outputs.rwo_storage_class - - # PostgreSQL Configuration - namespace = include.root.inputs.namespaces["postgresql"] - os_shell_tag = include.root.inputs.os_shell_tag - pgpool_tag = include.root.inputs.pgpool_tag - postgres_exporter_tag = include.root.inputs.postgres_exporter_tag - postgresql_repmgr_tag = include.root.inputs.postgresql_repmgr_tag - postgresql_tag = include.root.inputs.postgresql_tag - 
service_name = "postgresql" - telemetry_namespace = include.root.inputs.telemetry_namespace - - # Database Consumer Configuration - postgresql_database = include.root.inputs.postgresql_database - postgresql_username = include.root.inputs.postgresql_username - postgresql_password = include.root.inputs.postgresql_password - -} From 95a3fe568890d195fb3a538012f98e960a62b23c Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 4 Mar 2025 16:46:57 -0500 Subject: [PATCH 027/126] wip --- lab/_envcommon/default-versions.hcl | 15 --------------- .../eks-cert-manager/terragrunt.hcl | 2 +- .../eks-grafana/terragrunt.hcl | 2 +- 3 files changed, 2 insertions(+), 17 deletions(-) diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index 13931fbd..69a91e87 100644 --- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl @@ -31,12 +31,8 @@ locals { karpenter = "karpenter" metrics-server = "kube-system" postgresql = "kube-system" -<<<<<<< HEAD keycloak = "keycloak" gogatekeeper = "kube-system" -======= - keycloak = "kube-system" ->>>>>>> 2829581 (more wip:) istio = "istio-system" kiali = "istio-system" grafana = local.telemetry_namespace @@ -114,17 +110,6 @@ locals { keycloak_password = "this is my very secure and totally random password horse battery staple now" postgresql_tag = "17.4.0-debian-12-r2" - ################ - # Keycloak - ################ - keycloak_chart_version = "24.4.11" - keycloak_tag = "26.1.3" - keycloak_hostname = "keycloak" - keycloak_database = "keycloak_db" - keycloak_username = "keycloak_user" - # keycloak_password = "secure_password" - postgresql_tag = "17.4.0-debian-12-r2" - ################ # Kiali ################ diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-cert-manager/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-cert-manager/terragrunt.hcl index 5e03cd4a..7ea7f9cc 100644 
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-cert-manager/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-cert-manager/terragrunt.hcl @@ -5,7 +5,7 @@ include "root" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-cert-mgr.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-cert-mgr.git?ref=cicd" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl index 7830797b..08c73470 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl @@ -5,7 +5,7 @@ include "root" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-grafana.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-grafana.git?ref=namespaces" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] From b8637a1592037e1cbd8cee84cce227789ccbf930 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 4 Mar 2025 22:18:03 -0500 Subject: [PATCH 028/126] use my eks --- .../us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl index 9eca1de2..3b248bab 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl 
@@ -5,7 +5,7 @@ include "root" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git?ref=mcmCluster" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() From 04ebf446311d9200045630972d9c13939b076f97 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 6 Mar 2025 23:02:10 -0500 Subject: [PATCH 029/126] otel added --- .../eks-gogatekeeper/terragrunt.hcl | 77 +++++++++++++++++++ .../eks-tempo/terragrunt.hcl | 17 ++++ 2 files changed, 94 insertions(+) create mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl new file mode 100644 index 00000000..8ab5bcee --- /dev/null +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl 
@@ -0,0 +1,77 @@ +include "root" { + path = find_in_parent_folders("root.hcl") + merge_strategy = "deep" + expose = true +} + +terraform { + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-gogatekeeper.git?ref=keycloak" + extra_arguments "retry_lock" { + commands = get_terraform_commands_that_need_locking() + arguments = ["-lock-timeout=20s"] + } +} + +dependency "eks" { + config_path = "../eks" + mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] + mock_outputs = { + cluster_name = "mock-cluster" + oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock" + } +} + +dependency "eks_dns" { + config_path = "../eks-dns" + mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] + mock_outputs = { + cluster_domain = "mock.example.com" + } +} + +dependency "eks_grafana" { + config_path = "../eks-grafana" + mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] + mock_outputs = { + public_endpoint = "mock.grafaba.example.com" + } +} + +dependency "eks_keycloak" { + config_path = "../eks-keycloak" + mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] + mock_outputs = { + public_endpoint = "mock.keycloak.example.com" + } +} + +dependencies { + paths = [ + "../eks", + "../eks-dns", + "../eks-grafana", + "../eks-keycloak", + "../eks-prometheus", + ] +} + +inputs = { + # Base Cluster Config + cluster_domain = dependency.eks_dns.outputs.cluster_domain + namespace = include.root.inputs.namespaces["gogatekeeper"] + profile = include.root.inputs.aws_profile + region = include.root.inputs.aws_region + + # Gatekeeper Config + gogatekeeper_tag = include.root.inputs.gogatekeeper_tag + gogatekeeper_chart_version = include.root.inputs.gogatekeeper_chart_version + keycloak_public_url = dependency.eks_keycloak.outputs.public_endpoint + + # Service Behind Gatekeeper Config + service_name = "grafana" + redirection_url = 
dependency.eks_grafana.outputs.public_endpoint + # client_id = dependency.eks_keycloak.outputs.client_id + # client_secret = dependency.eks_keycloak.outputs.client_secret + client_id = "client_id" + client_secret = "client_secret" +} diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-tempo/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-tempo/terragrunt.hcl index bca349f8..68cd5a15 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-tempo/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-tempo/terragrunt.hcl @@ -25,6 +25,7 @@ dependency "eks-prometheus" { config_path = "../eks-prometheus" mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] mock_outputs = { +<<<<<<< HEAD <<<<<<< HEAD prometheus_svc = "prometheus-server" prometheus_namespace = "prometheus" @@ -32,6 +33,11 @@ dependency "eks-prometheus" { ======= prometheus_namespace = "prometheus" >>>>>>> 4d9a294 (deleted old cluster platform-eng-eks-test and created new cluster platform-eng-eks-srn) +======= + prometheus_svc = "prometheus-server" + prometheus_namespace = "prometheus" + prometheus_port = 80 +>>>>>>> 44e1884 (otel added) prometheus_server_internal_endpoint = { hostname = "prometheus-server.prometheus.svc.cluster.local" port_number = 9090 @@ -43,6 +49,7 @@ dependency "eks-prometheus" { dependencies { paths = [ "../eks", +<<<<<<< HEAD <<<<<<< HEAD "../eks-dns", ======= @@ -50,6 +57,9 @@ dependencies { "../eks-dns", "../eks-karpenter", >>>>>>> 4d9a294 (deleted old cluster platform-eng-eks-test and created new cluster platform-eng-eks-srn) +======= + "../eks-dns", +>>>>>>> 44e1884 (otel added) "../eks-prometheus" ] } 
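Review bot: The last two lines of `inputs` in the new eks-gogatekeeper file set `client_id = "client_id"` and `client_secret = "client_secret"`, so an apply of this unit configures the auth proxy with a fixed, guessable OIDC client secret. The real wiring is already there but commented out. Prefer enabling `client_secret = dependency.eks_keycloak.outputs.client_secret` (and the matching `client_id`) and putting the placeholder values under `mock_outputs` of `dependency "eks_keycloak"`, where they are only used for `init`/`plan`/`validate`/`destroy`.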
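Review bot: Every added line in the platform-eng-eks-srn/eks-tempo hunks is a merge-conflict marker or a conflicted copy (`<<<<<<< HEAD`, `=======`, `>>>>>>> 44e1884 (otel added)`), nested inside the `4d9a294` markers the file already carried. HCL cannot parse these, so the unit will fail before any plan. This applies to all five hunks of this file, and PATCH 035 adds a further layer (`>>>>>>> 0a7b279 (fmt)`) to the srn eks-keycloak and eks-tempo files. Resolve the conflict instead of committing it: delete the marker lines and keep one copy of each setting, e.g. a single `prometheus_svc = dependency.eks-prometheus.outputs.prometheus_server_internal_endpoint.hostname`.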
@@ -65,10 +75,14 @@ inputs = { oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn # Prometheus Configuration +<<<<<<< HEAD <<<<<<< HEAD prometheus_svc = dependency.eks-prometheus.outputs.prometheus_server_internal_endpoint.hostname ======= >>>>>>> 4d9a294 (deleted old cluster platform-eng-eks-test and created new cluster platform-eng-eks-srn) +======= + prometheus_svc = dependency.eks-prometheus.outputs.prometheus_server_internal_endpoint.hostname +>>>>>>> 44e1884 (otel added) prometheus_namespace = dependency.eks-prometheus.outputs.prometheus_namespace prometheus_port = dependency.eks-prometheus.outputs.prometheus_server_internal_endpoint.port_number @@ -77,7 +91,10 @@ inputs = { tempo_tag = include.root.inputs.tempo_tag namespace = include.root.inputs.namespaces["tempo"] <<<<<<< HEAD +<<<<<<< HEAD ======= >>>>>>> 4d9a294 (deleted old cluster platform-eng-eks-test and created new cluster platform-eng-eks-srn) +======= +>>>>>>> 44e1884 (otel added) } From 903cbd1643285adb8432f76fb2d48d5931aada53 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Fri, 7 Mar 2025 18:03:15 -0500 Subject: [PATCH 030/126] ordering --- .../vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl | 1 + 1 file changed, 1 insertion(+) diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl index 6c73c423..24548da7 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl @@ -17,6 +17,7 @@ dependencies { "../eks", "../eks-config", "../eks-dns", + "../eks-grafana", "../eks-istio", "../eks-prometheus" ] From c4d201897e03020b016490901ea68f400bbe2e58 Mon Sep 17 00:00:00 2001 
From: "Matthew C. Morgan" Date: Fri, 7 Mar 2025 18:06:05 -0500 Subject: [PATCH 031/126] test branch --- .../vpc/platform-eng-eks-mcm/eks-loki/terragrunt.hcl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-loki/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-loki/terragrunt.hcl index e126331b..e0d014dc 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-loki/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-loki/terragrunt.hcl @@ -30,7 +30,7 @@ dependency "eks_config" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-loki.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-loki.git?ref=mcmCluster" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] From cdcdb38bdec4a11d5968b315698becade1817ac0 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 11 Mar 2025 16:14:47 -0400 Subject: [PATCH 032/126] removed a few folders from workspace --- .../platform-eng-eks-mcm/eks-grafana/terragrunt.hcl | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl index 08c73470..45d6bfb9 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl 
@@ -32,6 +32,17 @@ dependency "eks_dns" { dependency "eks_loki" { config_path = "../eks-loki" mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] + mock_outputs = { + rwo_storage_class = "gp3-mocked" + loki_internal_endpoint = { + url = "mock.loki.enpoint.example.com" + } + } +} + +dependency "eks_prometheus" { + config_path = "../eks-prometheus" + mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] mock_outputs = { rwo_storage_class = "gp3-mocked" gateway_internal_endpoint = { From cb0fbff4fd16db739da9445479dd252f3135d79d Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 11 Mar 2025 17:51:29 -0400 Subject: [PATCH 033/126] reset branches to default --- .../vpc/platform-eng-eks-mcm/eks-cert-manager/terragrunt.hcl | 2 +- .../vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl | 2 +- .../vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl | 2 +- .../vpc/platform-eng-eks-mcm/eks-istio/terragrunt.hcl | 2 +- .../vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl | 2 +- .../vpc/platform-eng-eks-mcm/eks-karpenter/terragrunt.hcl | 2 +- .../vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl | 2 +- .../vpc/platform-eng-eks-mcm/eks-loki/terragrunt.hcl | 2 +- .../vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl | 2 +- .../vpc/platform-eng-eks-mcm/eks-prometheus/terragrunt.hcl | 2 +- .../vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl | 2 +- 11 files changed, 11 insertions(+), 11 deletions(-) diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-cert-manager/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-cert-manager/terragrunt.hcl index 7ea7f9cc..5e03cd4a 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-cert-manager/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-cert-manager/terragrunt.hcl 
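Review bot: The new `dependency "eks_prometheus"` block appears to inherit the mock outputs that previously belonged to `eks_loki` (`rwo_storage_class`, `gateway_internal_endpoint`), because the added lines are spliced in above the existing `mock_outputs` body. Elsewhere in this series the prometheus unit is mocked with `prometheus_server_internal_endpoint` and `prometheus_namespace`, so these keys probably do not match what the grafana inputs read; confirm against the module outputs. The mock key `loki_internal_endpoint` added for `eks_loki` should be checked the same way, and its value has a typo (`mock.loki.enpoint.example.com`). The `eks_prometheus` block continues outside the hunk.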
@@ -5,7 +5,7 @@ include "root" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-cert-mgr.git?ref=cicd" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-cert-mgr.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl index 8ab5bcee..39106588 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl @@ -5,7 +5,7 @@ include "root" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-gogatekeeper.git?ref=keycloak" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-gogatekeeper.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl index 45d6bfb9..05fefbbf 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl @@ -5,7 +5,7 @@ include "root" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-grafana.git?ref=namespaces" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-grafana.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] 
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-istio/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-istio/terragrunt.hcl index 3f6e3e08..0cd1e1f9 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-istio/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-istio/terragrunt.hcl @@ -5,7 +5,7 @@ include "root" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-istio.git?ref=mcmCluster" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-istio.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl index 794593fc..1d02df66 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl @@ -5,7 +5,7 @@ include "root" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-k8s-dashboard.git?ref=mcmCluster" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-k8s-dashboard.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-karpenter/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-karpenter/terragrunt.hcl index 55f12fbd..25c22d7c 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-karpenter/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-karpenter/terragrunt.hcl 
@@ -5,7 +5,7 @@ include "root" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-karpenter.git?ref=mcmCluster" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-karpenter.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl index 24548da7..a45fe07a 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl @@ -5,7 +5,7 @@ include "root" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-kiali.git?ref=mcmCluster" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-kiali.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-loki/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-loki/terragrunt.hcl index e0d014dc..e126331b 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-loki/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-loki/terragrunt.hcl @@ -30,7 +30,7 @@ dependency "eks_config" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-loki.git?ref=mcmCluster" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-loki.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] 
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl index 18983eee..fd02a7ac 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl @@ -19,7 +19,7 @@ dependency "eks" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-metrics-server.git?ref=mcmCluster" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-metrics-server.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-prometheus/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-prometheus/terragrunt.hcl index 3341d076..80e24e8f 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-prometheus/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-prometheus/terragrunt.hcl @@ -5,7 +5,7 @@ include "root" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-prometheus.git?ref=mcmCluster" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-prometheus.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl index 291fac38..e94ad7f0 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl 
@@ -5,7 +5,7 @@ include "root" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-tempo.git?ref=keycloak" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-tempo.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] From 6b71724a0fbe2fe852306028528c6d11cde4409c Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 11 Mar 2025 17:56:25 -0400 Subject: [PATCH 034/126] missed one --- .../us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl index 3b248bab..9eca1de2 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl @@ -5,7 +5,7 @@ include "root" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git?ref=mcmCluster" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() From 36cd88c7c416ae4892bf62bdbe72c48bad47afd4 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 11 Mar 2025 20:09:08 -0400 Subject: [PATCH 035/126] fmt --- lab/_envcommon/default-versions.hcl | 2 +- .../eks-gogatekeeper/terragrunt.hcl | 14 +++++++------- .../eks-grafana/terragrunt.hcl | 4 ++-- .../platform-eng-eks-mcm/eks-kiali/terragrunt.hcl | 1 - .../eks-keycloak/terragrunt.hcl | 11 +++++++++++ .../platform-eng-eks-srn/eks-tempo/terragrunt.hcl | 10 ++++++++++ 6 files changed, 31 insertions(+), 11 deletions(-) diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index 69a91e87..fb1b4d61 100644 
--- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl @@ -8,7 +8,7 @@ locals { custom_service_eks_account = "${local.release_version}" eks_module_version = "20.33.1" istio_ingress_version = "${local.release_version}" - release_version = "main" # "main" # change to main when testing updated modules + release_version = "mcmCluster" # "main" # change to main when testing updated modules ##################### # TF Providers diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl index 39106588..86c95d46 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl @@ -25,7 +25,7 @@ dependency "eks_dns" { config_path = "../eks-dns" mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] mock_outputs = { - cluster_domain = "mock.example.com" + cluster_domain = "mock.example.com" } } @@ -33,7 +33,7 @@ dependency "eks_grafana" { config_path = "../eks-grafana" mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] mock_outputs = { - public_endpoint = "mock.grafaba.example.com" + public_endpoint = "mock.grafaba.example.com" } } @@ -41,7 +41,7 @@ dependency "eks_keycloak" { config_path = "../eks-keycloak" mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] mock_outputs = { - public_endpoint = "mock.keycloak.example.com" + public_endpoint = "mock.keycloak.example.com" } } 
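Review bot: A commit titled "fmt" changes `release_version` from `"main"` to `"mcmCluster"` in `lab/_envcommon/default-versions.hcl`. Every unit whose source uses `?ref=${include.root.inputs.release_version}` follows this value, as do `custom_service_eks_account` and `istio_ingress_version`, which interpolate it. If this file is shared by the other lab clusters, which the path suggests, they all move to a personal feature branch as well. Keep the shared default as `release_version = "main"` and override it in the mcm cluster's own config, or make the change in a commit whose message says so. The trailing comment `# change to main when testing updated modules` is now stale either way.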
@@ -63,15 +63,15 @@ inputs = { region = include.root.inputs.aws_region # Gatekeeper Config - gogatekeeper_tag = include.root.inputs.gogatekeeper_tag + gogatekeeper_tag = include.root.inputs.gogatekeeper_tag gogatekeeper_chart_version = include.root.inputs.gogatekeeper_chart_version - keycloak_public_url = dependency.eks_keycloak.outputs.public_endpoint + keycloak_public_url = dependency.eks_keycloak.outputs.public_endpoint # Service Behind Gatekeeper Config - service_name = "grafana" + service_name = "grafana" redirection_url = dependency.eks_grafana.outputs.public_endpoint # client_id = dependency.eks_keycloak.outputs.client_id # client_secret = dependency.eks_keycloak.outputs.client_secret - client_id = "client_id" + client_id = "client_id" client_secret = "client_secret" } diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl index 05fefbbf..811bc8b8 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl @@ -33,8 +33,8 @@ dependency "eks_loki" { config_path = "../eks-loki" mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] mock_outputs = { - rwo_storage_class = "gp3-mocked" - loki_internal_endpoint = { + rwo_storage_class = "gp3-mocked" + gateway_internal_endpoint = { url = "mock.loki.enpoint.example.com" } } diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl index a45fe07a..ce02acb3 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl 
@@ -16,7 +16,6 @@ dependencies { paths = [ "../eks", "../eks-config", - "../eks-dns", "../eks-grafana", "../eks-istio", "../eks-prometheus" diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-keycloak/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-keycloak/terragrunt.hcl index 48028f6f..4a6e1346 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-keycloak/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-keycloak/terragrunt.hcl @@ -42,11 +42,15 @@ dependency "eks_postgresql" { config_path = "../eks-postgresql" mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] mock_outputs = { +<<<<<<< HEAD <<<<<<< HEAD internal_endpoint = { ======= internal_endpoint = { >>>>>>> 4d9a294 (deleted old cluster platform-eng-eks-test and created new cluster platform-eng-eks-srn) +======= + internal_endpoint = { +>>>>>>> 0a7b279 (fmt) url = "mock-internal-endpoint-url" } } @@ -80,6 +84,7 @@ inputs = { telemetry_namespace = include.root.inputs.telemetry_namespace # Database configuration +<<<<<<< HEAD <<<<<<< HEAD db_host = dependency.eks_postgresql.outputs.internal_endpoint.url db_name = include.root.inputs.postgresql_database @@ -91,6 +96,12 @@ inputs = { db_password = include.root.inputs.postgresql_password db_user = include.root.inputs.postgresql_username >>>>>>> 4d9a294 (deleted old cluster platform-eng-eks-test and created new cluster platform-eng-eks-srn) +======= + db_host = dependency.eks_postgresql.outputs.internal_endpoint.url + db_name = include.root.inputs.postgresql_database + db_password = include.root.inputs.postgresql_password + db_user = include.root.inputs.postgresql_username +>>>>>>> 0a7b279 (fmt) # Project information project_name = include.root.inputs.project_name 
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-tempo/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-tempo/terragrunt.hcl index 68cd5a15..41ac0a73 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-tempo/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-tempo/terragrunt.hcl @@ -26,6 +26,7 @@ dependency "eks-prometheus" { mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] mock_outputs = { <<<<<<< HEAD +<<<<<<< HEAD <<<<<<< HEAD prometheus_svc = "prometheus-server" prometheus_namespace = "prometheus" @@ -38,6 +39,11 @@ dependency "eks-prometheus" { prometheus_namespace = "prometheus" prometheus_port = 80 >>>>>>> 44e1884 (otel added) +======= + prometheus_svc = "prometheus-server" + prometheus_namespace = "prometheus" + prometheus_port = 80 +>>>>>>> 0a7b279 (fmt) prometheus_server_internal_endpoint = { hostname = "prometheus-server.prometheus.svc.cluster.local" port_number = 9090 @@ -76,6 +82,7 @@ inputs = { # Prometheus Configuration <<<<<<< HEAD +<<<<<<< HEAD <<<<<<< HEAD prometheus_svc = dependency.eks-prometheus.outputs.prometheus_server_internal_endpoint.hostname ======= @@ -83,6 +90,9 @@ inputs = { ======= prometheus_svc = dependency.eks-prometheus.outputs.prometheus_server_internal_endpoint.hostname >>>>>>> 44e1884 (otel added) +======= + prometheus_svc = dependency.eks-prometheus.outputs.prometheus_server_internal_endpoint.hostname +>>>>>>> 0a7b279 (fmt) prometheus_namespace = dependency.eks-prometheus.outputs.prometheus_namespace prometheus_port = dependency.eks-prometheus.outputs.prometheus_server_internal_endpoint.port_number From 227bbab1d912cf1bdc7b6cb8eb9f66c172d2a1c1 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 11 Mar 2025 22:07:43 -0400 Subject: [PATCH 036/126] use client id and secret --- .../eks-gogatekeeper/terragrunt.hcl | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl index 86c95d46..9d5ac6b3 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl @@ -68,10 +68,10 @@ inputs = { keycloak_public_url = dependency.eks_keycloak.outputs.public_endpoint # Service Behind Gatekeeper Config - service_name = "grafana" + service_name = "test_gc" redirection_url = dependency.eks_grafana.outputs.public_endpoint - # client_id = dependency.eks_keycloak.outputs.client_id - # client_secret = dependency.eks_keycloak.outputs.client_secret - client_id = "client_id" - client_secret = "client_secret" + client_id = dependency.eks_keycloak.outputs.client_id + client_secret = dependency.eks_keycloak.outputs.client_secret + # client_id = "client_id" + # client_secret = "client_secret" } From 046931392d7ca18ba7a07a7818dd90328274971d Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 11 Mar 2025 22:55:14 -0400 Subject: [PATCH 037/126] fix service name regex violation --- .../vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl index 9d5ac6b3..37f8e0b9 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl 
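Review bot: `client_secret = dependency.eks_keycloak.outputs.client_secret` now passes a real OIDC client secret through Terragrunt `inputs`, and nothing visible here shows it being treated as sensitive. Confirm that the keycloak module declares the `client_secret` output with `sensitive = true` and that the matching variable in tfmod-gogatekeeper does the same, so the value is redacted in plan and apply output. It will still be written to state for both units, so the state backend needs encryption and restricted read access. The `inputs` block starts outside the hunk.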
@@ -68,10 +68,8 @@ inputs = { keycloak_public_url = dependency.eks_keycloak.outputs.public_endpoint # Service Behind Gatekeeper Config - service_name = "test_gc" + service_name = "test-gc" redirection_url = dependency.eks_grafana.outputs.public_endpoint client_id = dependency.eks_keycloak.outputs.client_id client_secret = dependency.eks_keycloak.outputs.client_secret - # client_id = "client_id" - # client_secret = "client_secret" } From 79131e0c302bddcf34f91c05b0df54bc44269462 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 13 Mar 2025 12:30:34 -0400 Subject: [PATCH 038/126] updates --- .../eks-gogatekeeper/terragrunt.hcl | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl index 37f8e0b9..119537e6 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl @@ -42,6 +42,9 @@ dependency "eks_keycloak" { mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] mock_outputs = { public_endpoint = "mock.keycloak.example.com" + discovery_url = "mock.keycloak.example.com/auth" + client_id = "mock-client-id" + client_secret = "mock-client-secret" } } 
@@ -65,11 +68,13 @@ inputs = { # Gatekeeper Config gogatekeeper_tag = include.root.inputs.gogatekeeper_tag gogatekeeper_chart_version = include.root.inputs.gogatekeeper_chart_version - keycloak_public_url = dependency.eks_keycloak.outputs.public_endpoint + keycloak_discovery_url = dependency.eks_keycloak.outputs.discovery_url # Service Behind Gatekeeper Config - service_name = "test-gc" - redirection_url = dependency.eks_grafana.outputs.public_endpoint - client_id = dependency.eks_keycloak.outputs.client_id - client_secret = dependency.eks_keycloak.outputs.client_secret + service_name = "test-gc" + upstream_url = dependency.eks_grafana.outputs.public_endpoint + redirection_url = dependency.eks_grafana.outputs.public_endpoint + client_id = dependency.eks_keycloak.outputs.client_id + client_secret = dependency.eks_keycloak.outputs.client_secret + keycloak_public_url = dependency.eks_keycloak.outputs.public_endpoint } From f4c9769bbabcc8d0833d300a0d1f0f46529c9c02 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 13 Mar 2025 14:13:34 -0400 Subject: [PATCH 039/126] update from lukes pr --- .../vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl index ce02acb3..f1c9bdcb 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl @@ -12,16 +12,6 @@ terraform { } } -dependencies { - paths = [ - "../eks", - "../eks-config", - "../eks-grafana", - "../eks-istio", - "../eks-prometheus" - ] -} - dependency "eks" { config_path = "../eks" mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] From d36cee3206c9e58c2639ef572db587ed46e922ad Mon Sep 17 00:00:00 2001 
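Review bot: `upstream_url` and `redirection_url` are both set to `dependency.eks_grafana.outputs.public_endpoint`, which looks wrong for an authenticating proxy: the upstream is normally the in-cluster address of the protected service, and the redirection URL is the proxy's own external address. If the module passes these through to gogatekeeper unchanged (not visible here), Grafana's public endpoint stays reachable without going through the proxy, and the proxy forwards to a public hostname instead of the service. The eks-kiali config in this repository reads `dependency.eks_grafana.outputs.internal_endpoint.url`, so the same output could be used here: `upstream_url = dependency.eks_grafana.outputs.internal_endpoint.url`, with a matching `internal_endpoint` entry added to the `eks_grafana` mock_outputs. The `inputs` block starts outside the hunk.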
From: "Matthew C. Morgan" Date: Thu, 13 Mar 2025 15:48:53 -0400 Subject: [PATCH 040/126] disable gatekeeper --- .../eks-gogatekeeper/terragrunt.hcl | 80 ------------------- 1 file changed, 80 deletions(-) delete mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl deleted file mode 100644 index 119537e6..00000000 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl +++ /dev/null 
@@ -1,80 +0,0 @@ -include "root" { - path = find_in_parent_folders("root.hcl") - merge_strategy = "deep" - expose = true -} - -terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-gogatekeeper.git?ref=${include.root.inputs.release_version}" - extra_arguments "retry_lock" { - commands = get_terraform_commands_that_need_locking() - arguments = ["-lock-timeout=20s"] - } -} - -dependency "eks" { - config_path = "../eks" - mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] - mock_outputs = { - cluster_name = "mock-cluster" - oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock" - } -} - -dependency "eks_dns" { - config_path = "../eks-dns" - mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] - mock_outputs = { - cluster_domain = "mock.example.com" - } -} - -dependency "eks_grafana" { - config_path = "../eks-grafana" - mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] - mock_outputs = { - public_endpoint = "mock.grafaba.example.com" - } -} - -dependency "eks_keycloak" { - config_path = "../eks-keycloak" - mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] - mock_outputs = { - public_endpoint = "mock.keycloak.example.com" - discovery_url = "mock.keycloak.example.com/auth" - client_id = "mock-client-id" - client_secret = "mock-client-secret" - } -} - -dependencies { - paths = [ - "../eks", - "../eks-dns", - "../eks-grafana", - "../eks-keycloak", - "../eks-prometheus", - ] -} - -inputs = { - # Base Cluster Config - cluster_domain = dependency.eks_dns.outputs.cluster_domain - namespace = include.root.inputs.namespaces["gogatekeeper"] - profile = include.root.inputs.aws_profile - region = include.root.inputs.aws_region - - # Gatekeeper Config - gogatekeeper_tag = include.root.inputs.gogatekeeper_tag - gogatekeeper_chart_version = include.root.inputs.gogatekeeper_chart_version - keycloak_discovery_url = 
dependency.eks_keycloak.outputs.discovery_url - - # Service Behind Gatekeeper Config - service_name = "test-gc" - upstream_url = dependency.eks_grafana.outputs.public_endpoint - redirection_url = dependency.eks_grafana.outputs.public_endpoint - client_id = dependency.eks_keycloak.outputs.client_id - client_secret = dependency.eks_keycloak.outputs.client_secret - keycloak_public_url = dependency.eks_keycloak.outputs.public_endpoint -} From 0d709f38f0382544308eb0e483998820f33deb90 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Mon, 17 Mar 2025 17:06:44 -0400 Subject: [PATCH 041/126] updated --- lab/_envcommon/default-versions.hcl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index fb1b4d61..69a91e87 100644 --- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl @@ -8,7 +8,7 @@ locals { custom_service_eks_account = "${local.release_version}" eks_module_version = "20.33.1" istio_ingress_version = "${local.release_version}" - release_version = "mcmCluster" # "main" # change to main when testing updated modules + release_version = "main" # "main" # change to main when testing updated modules ##################### # TF Providers From a938d5d454f397d19d9575d65a374c1738881dc8 Mon Sep 17 00:00:00 2001 
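Review bot: `release_version = "main"` makes every module source that interpolates it (`?ref=${include.root.inputs.release_version}` in the terragrunt.hcl files) follow a branch head, so a later push to any module repository changes what the next apply deploys without any change in this repository. Pinning to an immutable ref, `release_version = "<release-tag-or-commit-sha>"` (placeholder), keeps plans reproducible and makes module updates reviewable here. The trailing comment `# "main" # change to main when testing updated modules` is now stale, and the value `"mcmCluster"` that PATCH 042 sets appears to be a branch as well. The `locals` block starts and ends outside the hunk.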
From: "Matthew C. Morgan" Date: Thu, 20 Mar 2025 19:26:11 -0400 Subject: [PATCH 042/126] update eks module renaming --- .github/platform-tg-infra.code-workspace | 12 +- input_vars.hcl | 25 +++ lab/_envcommon/common-variables.hcl | 12 +- lab/_envcommon/default-versions.hcl | 30 ++- .../vpc/csvd-platform-lab-mcm/cluster.hcl | 13 ++ .../eks-cert-manager/terragrunt.hcl | 0 .../eks-config/terragrunt.hcl | 0 .../eks-dns/terragrunt.hcl | 0 .../eks-gogatekeeper/terragrunt.hcl.off | 0 .../eks-grafana/terragrunt.hcl | 0 .../eks-istio/terragrunt.hcl | 0 .../eks-k8s-dashboard/terragrunt.hcl | 0 .../eks-karpenter/terragrunt.hcl | 0 .../eks-keycloak/terragrunt.hcl | 4 - .../eks-kiali/terragrunt.hcl | 18 +- .../eks-loki/terragrunt.hcl | 0 .../eks-metrics-server/terragrunt.hcl | 0 .../eks-otel/terragrunt.hcl | 0 .../eks-prometheus/README.md | 0 .../eks-prometheus/terragrunt.hcl | 0 .../eks-tempo/terragrunt.hcl | 0 .../eks/terragrunt.hcl | 0 .../vpc/platform-eng-eks-mcm/cluster.hcl | 28 --- .../vpc/platform-eng-eks-srn/cluster.hcl | 28 --- .../eks-cert-manager/terragrunt.hcl | 57 ----- .../eks-config/terragrunt.hcl | 54 ----- .../eks-dns/terragrunt.hcl | 60 ------ .../eks-grafana/terragrunt.hcl | 63 ------ .../eks-istio/terragrunt.hcl | 44 ---- .../eks-k8s-dashboard/terragrunt.hcl | 55 ----- .../eks-karpenter/terragrunt.hcl | 50 ----- .../eks-keycloak/terragrunt.hcl | 109 ---------- .../eks-kiali/terragrunt.hcl | 113 ---------- .../eks-kiali/terragrunt.hcl.disabled | 108 ---------- .../eks-loki/terragrunt.hcl | 56 ----- .../eks-metrics-server/terragrunt.hcl | 43 ---- .../eks-postgresql/terragrunt.hcl | 76 ------- .../eks-prometheus/README.md | 198 ------------------ .../eks-prometheus/terragrunt.hcl | 61 ------ .../eks-tempo/terragrunt.hcl | 110 ---------- .../platform-eng-eks-srn/eks/terragrunt.hcl | 28 --- .../vpc/platform-test-cicd/cluster.hcl | 20 -- .../eks-cert-manager/terragrunt.hcl | 40 ---- .../eks-config/terragrunt.hcl | 42 ---- 
.../platform-test-cicd/eks-dns/terragrunt.hcl | 42 ---- .../eks-grafana/terragrunt.hcl | 40 ---- .../eks-istio/terragrunt.hcl | 32 --- .../eks-k8s-dashboard/terragrunt.hcl | 36 ---- .../eks-karpenter/terragrunt.hcl | 43 ---- .../eks-kiali/terragrunt.hcl.disable | 81 ------- .../eks-loki/terragrunt.hcl | 44 ---- .../eks-metrics-server/terragrunt.hcl | 33 --- .../eks-prometheus/README.md | 198 ------------------ .../eks-prometheus/terragrunt.hcl | 38 ---- .../eks-tempo/terragrunt.hcl | 46 ---- .../vpc/platform-test-cicd/eks/terragrunt.hcl | 56 ----- .../vpc/platform-test-x/cluster.hcl | 20 -- .../vpc/platform-test-z/cluster.hcl | 21 -- .../eks-alloy-disable/terragrunt.hcl.disable | 27 --- .../eks-cert-manager/terragrunt.hcl | 57 ----- .../platform-test-z/eks-config/terragrunt.hcl | 54 ----- .../platform-test-z/eks-dns/terragrunt.hcl | 61 ------ .../eks-grafana/terragrunt.hcl | 81 ------- .../platform-test-z/eks-istio/terragrunt.hcl | 45 ---- .../eks-k8s-dashboard/terragrunt.hcl | 46 ---- .../eks-karpenter/terragrunt.hcl | 49 ----- .../platform-test-z/eks-kiali/terragrunt.hcl | 91 -------- .../platform-test-z/eks-loki/terragrunt.hcl | 48 ----- .../eks-metrics-server/terragrunt.hcl | 44 ---- .../eks-open-telemetry/terragrunt.hcl | 61 ------ .../platform-test-z/eks-prometheus/README.md | 198 ------------------ .../eks-prometheus/terragrunt.hcl | 40 ---- .../platform-test-z/eks-tempo/terragrunt.hcl | 47 ----- .../vpc/platform-test-z/eks/terragrunt.hcl | 28 --- lab/root.hcl | 33 ++- notes.md | 22 -- 76 files changed, 90 insertions(+), 3229 deletions(-) create mode 100644 input_vars.hcl create mode 100644 lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/cluster.hcl rename lab/development/us-gov-east-1/vpc/{platform-eng-eks-mcm => csvd-platform-lab-mcm}/eks-cert-manager/terragrunt.hcl (100%) rename lab/development/us-gov-east-1/vpc/{platform-eng-eks-mcm => csvd-platform-lab-mcm}/eks-config/terragrunt.hcl (100%) rename 
lab/development/us-gov-east-1/vpc/{platform-eng-eks-mcm => csvd-platform-lab-mcm}/eks-dns/terragrunt.hcl (100%) rename lab/development/us-gov-east-1/vpc/{platform-eng-eks-mcm => csvd-platform-lab-mcm}/eks-gogatekeeper/terragrunt.hcl.off (100%) rename lab/development/us-gov-east-1/vpc/{platform-eng-eks-mcm => csvd-platform-lab-mcm}/eks-grafana/terragrunt.hcl (100%) rename lab/development/us-gov-east-1/vpc/{platform-eng-eks-mcm => csvd-platform-lab-mcm}/eks-istio/terragrunt.hcl (100%) rename lab/development/us-gov-east-1/vpc/{platform-eng-eks-mcm => csvd-platform-lab-mcm}/eks-k8s-dashboard/terragrunt.hcl (100%) rename lab/development/us-gov-east-1/vpc/{platform-eng-eks-mcm => csvd-platform-lab-mcm}/eks-karpenter/terragrunt.hcl (100%) rename lab/development/us-gov-east-1/vpc/{platform-eng-eks-mcm => csvd-platform-lab-mcm}/eks-keycloak/terragrunt.hcl (95%) rename lab/development/us-gov-east-1/vpc/{platform-eng-eks-mcm => csvd-platform-lab-mcm}/eks-kiali/terragrunt.hcl (87%) rename lab/development/us-gov-east-1/vpc/{platform-eng-eks-mcm => csvd-platform-lab-mcm}/eks-loki/terragrunt.hcl (100%) rename lab/development/us-gov-east-1/vpc/{platform-eng-eks-mcm => csvd-platform-lab-mcm}/eks-metrics-server/terragrunt.hcl (100%) rename lab/development/us-gov-east-1/vpc/{platform-eng-eks-mcm => csvd-platform-lab-mcm}/eks-otel/terragrunt.hcl (100%) rename lab/development/us-gov-east-1/vpc/{platform-eng-eks-mcm => csvd-platform-lab-mcm}/eks-prometheus/README.md (100%) rename lab/development/us-gov-east-1/vpc/{platform-eng-eks-mcm => csvd-platform-lab-mcm}/eks-prometheus/terragrunt.hcl (100%) rename lab/development/us-gov-east-1/vpc/{platform-eng-eks-mcm => csvd-platform-lab-mcm}/eks-tempo/terragrunt.hcl (100%) rename lab/development/us-gov-east-1/vpc/{platform-eng-eks-mcm => csvd-platform-lab-mcm}/eks/terragrunt.hcl (100%) delete mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/cluster.hcl delete mode 100644 
lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/cluster.hcl delete mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-cert-manager/terragrunt.hcl delete mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-config/terragrunt.hcl delete mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-dns/terragrunt.hcl delete mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-grafana/terragrunt.hcl delete mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-istio/terragrunt.hcl delete mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-k8s-dashboard/terragrunt.hcl delete mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-karpenter/terragrunt.hcl delete mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-keycloak/terragrunt.hcl delete mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-kiali/terragrunt.hcl delete mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-kiali/terragrunt.hcl.disabled delete mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-loki/terragrunt.hcl delete mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-metrics-server/terragrunt.hcl delete mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-postgresql/terragrunt.hcl delete mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-prometheus/README.md delete mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-prometheus/terragrunt.hcl delete mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-tempo/terragrunt.hcl delete mode 100644 lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks/terragrunt.hcl delete mode 100644 lab/development/us-gov-east-1/vpc/platform-test-cicd/cluster.hcl delete mode 100644 lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-cert-manager/terragrunt.hcl delete mode 
100644 lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-config/terragrunt.hcl delete mode 100644 lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-dns/terragrunt.hcl delete mode 100644 lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-grafana/terragrunt.hcl delete mode 100644 lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-istio/terragrunt.hcl delete mode 100644 lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-k8s-dashboard/terragrunt.hcl delete mode 100644 lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-karpenter/terragrunt.hcl delete mode 100644 lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-kiali/terragrunt.hcl.disable delete mode 100644 lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-loki/terragrunt.hcl delete mode 100644 lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-metrics-server/terragrunt.hcl delete mode 100644 lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-prometheus/README.md delete mode 100644 lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-prometheus/terragrunt.hcl delete mode 100644 lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-tempo/terragrunt.hcl delete mode 100644 lab/development/us-gov-east-1/vpc/platform-test-cicd/eks/terragrunt.hcl delete mode 100644 lab/development/us-gov-east-1/vpc/platform-test-x/cluster.hcl delete mode 100644 lab/development/us-gov-east-1/vpc/platform-test-z/cluster.hcl delete mode 100644 lab/development/us-gov-east-1/vpc/platform-test-z/eks-alloy-disable/terragrunt.hcl.disable delete mode 100644 lab/development/us-gov-east-1/vpc/platform-test-z/eks-cert-manager/terragrunt.hcl delete mode 100644 lab/development/us-gov-east-1/vpc/platform-test-z/eks-config/terragrunt.hcl delete mode 100644 lab/development/us-gov-east-1/vpc/platform-test-z/eks-dns/terragrunt.hcl delete mode 100644 lab/development/us-gov-east-1/vpc/platform-test-z/eks-grafana/terragrunt.hcl delete mode 100644 
lab/development/us-gov-east-1/vpc/platform-test-z/eks-istio/terragrunt.hcl delete mode 100644 lab/development/us-gov-east-1/vpc/platform-test-z/eks-k8s-dashboard/terragrunt.hcl delete mode 100644 lab/development/us-gov-east-1/vpc/platform-test-z/eks-karpenter/terragrunt.hcl delete mode 100644 lab/development/us-gov-east-1/vpc/platform-test-z/eks-kiali/terragrunt.hcl delete mode 100644 lab/development/us-gov-east-1/vpc/platform-test-z/eks-loki/terragrunt.hcl delete mode 100644 lab/development/us-gov-east-1/vpc/platform-test-z/eks-metrics-server/terragrunt.hcl delete mode 100644 lab/development/us-gov-east-1/vpc/platform-test-z/eks-open-telemetry/terragrunt.hcl delete mode 100644 lab/development/us-gov-east-1/vpc/platform-test-z/eks-prometheus/README.md delete mode 100644 lab/development/us-gov-east-1/vpc/platform-test-z/eks-prometheus/terragrunt.hcl delete mode 100644 lab/development/us-gov-east-1/vpc/platform-test-z/eks-tempo/terragrunt.hcl delete mode 100644 lab/development/us-gov-east-1/vpc/platform-test-z/eks/terragrunt.hcl diff --git a/.github/platform-tg-infra.code-workspace b/.github/platform-tg-infra.code-workspace index 71e7cfd9..a4c0bf1d 100644 --- a/.github/platform-tg-infra.code-workspace +++ b/.github/platform-tg-infra.code-workspace @@ -8,6 +8,10 @@ "name": "tfmod-cert-mgr", "path": "../../tfmod-cert-mgr" }, + { + "name": "tfmod-config-job", + "path": "../../tfmod-config-job" + }, { "name": "tfmod-eks", "path": "../../tfmod-eks" @@ -64,6 +68,10 @@ "name": "tfmod-open-telemetry", "path": "../../tfmod-open-telemetry" }, + { + "name": "tfmod-postgresql", + "path": "../../tfmod-postgresql" + }, { "name": "tfmod-prometheus", "path": "../../tfmod-prometheus" @@ -79,10 +87,6 @@ { "name": "terragrunt", "path": "../../terragrunt" - }, - { - "name": "tfmod-config-job", - "path": "../../tfmod-config-job" } ] } diff --git a/input_vars.hcl b/input_vars.hcl new file mode 100644 index 00000000..c61b0ebd --- /dev/null +++ b/input_vars.hcl 
@@ -0,0 +1,25 @@ +locals { + account_name = "lab-dev-ew" + aws_account_id = "224384469011" + aws_profile = "224384469011-lab-dev-gov" + aws_region = "us-gov-east-1" + cluster_endpoint_public_access = true + cluster_mailing_list = "matthew.c.morgan@census.gov" + cluster_name = "platform-eng-eks-mcm" + eks_instance_disk_size = 100 + eks_ng_desired_size = 2 + eks_ng_max_size = 10 + eks_ng_min_size = 2 + enable_cluster_creator_admin_permissions = true + environment = "development" + environment_abbr = "dev" + organization = "census:ocio:csvd" + finops_project_name = "csvd_platformbaseline" + finops_project_number = "fs0000000078" + finops_project_role = "csvd_platformbaseline_app" + vpc_domain_name = "dev.lab.csp2.census.gov" + vpc_name = "vpc3-lab-dev" + tags = { + "slim:schedule" = "8:00-17:00" + } +} diff --git a/lab/_envcommon/common-variables.hcl b/lab/_envcommon/common-variables.hcl index 38cb4c92..a6369273 100644 --- a/lab/_envcommon/common-variables.hcl +++ b/lab/_envcommon/common-variables.hcl @@ -6,12 +6,12 @@ # that are common across all environments/accounts. # --------------------------------------------------------------------------------------------------------------------- locals { - organization = "census:ocio:csvd" - project_name = "csvd_platformbaseline" - project_number = "fs0000000078" - project_role = "csvd_platformbaseline_app" - state_bucket_prefix = "inf-tfstate" - state_table_name = "tf_remote_state" + organization = "census:ocio:csvd" + finops_project_name = "csvd_platformbaseline" + finops_project_number = "fs0000000078" + finops_project_role = "csvd_platformbaseline_app" + state_bucket_prefix = "inf-tfstate" + state_table_name = "tf_remote_state" route53_endpoints = { route53_main = { "account_id" = "269244441389" diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index 69a91e87..1f110855 100644 --- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl 
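Review bot: The new `input_vars.hcl` sets `cluster_endpoint_public_access = true` together with `enable_cluster_creator_admin_permissions = true`, so the Kubernetes API endpoint is reachable from the internet and whichever identity runs the apply becomes cluster admin. For a lab cluster that may be intended, but I would either set `cluster_endpoint_public_access = false` or, if the EKS module in use exposes it, restrict access with `cluster_endpoint_public_access_cidrs`, and add a comment saying why public access is needed. `cluster_name = "platform-eng-eks-mcm"` also disagrees with the `csvd-platform-lab-mcm` name this commit introduces in `cluster.hcl`; whether `root.hcl` reads this file is not visible here.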
@@ -6,9 +6,9 @@ locals { ##################### cluster_version = "1.31" custom_service_eks_account = "${local.release_version}" - eks_module_version = "20.33.1" + eks_module_version = "20.34.0" istio_ingress_version = "${local.release_version}" - release_version = "main" # "main" # change to main when testing updated modules + release_version = "mcmCluster" # "main" # change to main when testing updated modules ##################### # TF Providers @@ -47,13 +47,6 @@ locals { # EKS Config ##################### - ################ - # k8s-dashboard - ################ - dashboard_hostname = "dashboard" - k8s_dashboard_metrics_scraper = "1.0.8" - k8s_dashboard_version = "6.0.6" - ################ # Cert-Manager ################ @@ -68,7 +61,7 @@ locals { ################ # GoGatekeeper ################ - gogatekeeper_tag = "3.2.1" + gogatekeeper_tag = "3.18.2" gogatekeeper_chart_version = "0.1.53" ################ @@ -89,15 +82,18 @@ locals { ################ # k8s-dashboard ################ - dashboard_hostname = "dashboard" - k8s_dashboard_metrics_scraper = "1.0.8" - k8s_dashboard_version = "6.0.6" + dashboard_hostname = "dashboard" + k8s_dashboard_version = "7.11.1" + dashboard_api_tag = "1.11.1" + dashboard_auth_tag = "1.2.4" + dashboard_metrics_tag = "1.2.2" + dashboard_web_tag = "1.6.2" ################ # Karpenter ################ - karpenter_helm_chart = "1.3.1" - karpenter_tag = "1.3.1" + karpenter_helm_chart = "1.3.3" + karpenter_tag = "1.3.3" ################ # Keycloak @@ -121,7 +117,7 @@ locals { ################ loki_chart_version = "6.27.0" loki_tag = "3.4.2" - enterprise_logs_provisioner_tag = "v1.7.0" + enterprise_logs_provisioner_tag = "3.4" gateway_tag = "1.27-alpine" memcached_tag = "1.6.37" exporter_tag = "v0.15.0" @@ -138,7 +134,7 @@ locals { ################ os_shell_tag = "12" postgres_exporter_tag = "0.16.0" - postgresql_repmgr_tag = "17.4.0" + postgresql_repmgr_tag = "17.4.0-alpine" pgpool_tag = "4.5.5" postgresql_chart_version = "15.3.0" 
diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/cluster.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/cluster.hcl new file mode 100644 index 00000000..3a223ea2 --- /dev/null +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/cluster.hcl @@ -0,0 +1,13 @@ +locals { + # Cluster specific configuration + cluster_name = "csvd-platform-lab-mcm" + cluster_mailing_list = "matthew.c.morgan@census.gov" + eks_instance_disk_size = 100 + eks_ng_desired_size = 2 + eks_ng_max_size = 10 + eks_ng_min_size = 2 + tags = { + "slim:schedule" = "8:00-17:00" + "cluster:size" = "min:${local.eks_ng_min_size}-max:${local.eks_ng_max_size}-desired:${local.eks_ng_desired_size}" + } +} diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-cert-manager/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl similarity index 100% rename from lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-cert-manager/terragrunt.hcl rename to lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-config/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl similarity index 100% rename from lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-config/terragrunt.hcl rename to lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-dns/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl similarity index 100% rename from lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-dns/terragrunt.hcl rename to lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl 
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl.off b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gogatekeeper/terragrunt.hcl.off similarity index 100% rename from lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-gogatekeeper/terragrunt.hcl.off rename to lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gogatekeeper/terragrunt.hcl.off diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl similarity index 100% rename from lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-grafana/terragrunt.hcl rename to lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-istio/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl similarity index 100% rename from lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-istio/terragrunt.hcl rename to lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl similarity index 100% rename from lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-k8s-dashboard/terragrunt.hcl rename to lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl 
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-karpenter/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl similarity index 100% rename from lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-karpenter/terragrunt.hcl rename to lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl similarity index 95% rename from lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl rename to lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl index 74132d72..47ade7e4 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-keycloak/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl @@ -69,8 +69,4 @@ inputs = { keycloak_database = include.root.inputs.keycloak_database keycloak_user = include.root.inputs.keycloak_username keycloak_password = include.root.inputs.keycloak_password - - # Project information - project_name = include.root.inputs.project_name - tags = include.root.inputs.tags } diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl similarity index 87% rename from lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl rename to lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl index f1c9bdcb..260e3156 100644 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-kiali/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl 
@@ -33,7 +33,7 @@ dependency "eks_dns" { config_path = "../eks-dns" mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] mock_outputs = { - cluster_domain = "mock.example.com" + cluster_domain = "mock.example.com" } } @@ -52,8 +52,8 @@ dependency "eks_grafana" { port_number = "80" url = "https://grafana.mock.lab.csp2.census.gov:80/" } - secret_name = "grafana" - tempo_datasource_id = "mock-tempo-datasource-id" + secret_name = "grafana" + tempo_datasource_id = "mock-tempo-datasource-id" } } @@ -100,21 +100,21 @@ inputs = { region = include.root.inputs.aws_region # Cluster Configuration - cluster_domain = dependency.eks_dns.outputs.cluster_domain - cluster_name = dependency.eks.outputs.cluster_name - certificate_issuer = dependency.eks_cert_manager.outputs.cluster_issuer_name + cluster_domain = dependency.eks_dns.outputs.cluster_domain + cluster_name = dependency.eks.outputs.cluster_name + certificate_issuer = dependency.eks_cert_manager.outputs.cluster_issuer_name # Kiali Configuration service_name = "kiali" - namespace = include.root.inputs.namespaces["kiali"] - istio_namespace = include.root.inputs.namespaces["istio"] + namespace = include.root.inputs.namespaces["kiali"] + istio_namespace = include.root.inputs.namespaces["istio"] grafana_internal_url = dependency.eks_grafana.outputs.internal_endpoint.url grafana_namespace = dependency.eks_grafana.outputs.namespace grafana_secret_name = dependency.eks_grafana.outputs.secret_name grafana_public_url = dependency.eks_grafana.outputs.public_endpoint kiali_application_version = include.root.inputs.kiali_application_version - kiali_operator_version = include.root.inputs.kiali_operator_version + kiali_operator_version = include.root.inputs.kiali_operator_version prometheus_internal_url = dependency.eks_prometheus.outputs.prometheus_server_internal_endpoint.url grafana_namespace = dependency.eks_grafana.outputs.namespace 
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-loki/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl similarity index 100% rename from lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-loki/terragrunt.hcl rename to lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl similarity index 100% rename from lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-metrics-server/terragrunt.hcl rename to lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-otel/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl similarity index 100% rename from lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-otel/terragrunt.hcl rename to lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-prometheus/README.md b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/README.md similarity index 100% rename from lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-prometheus/README.md rename to lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/README.md diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-prometheus/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl similarity index 100% rename from lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-prometheus/terragrunt.hcl rename to lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl 
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl similarity index 100% rename from lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-tempo/terragrunt.hcl rename to lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks/terragrunt.hcl similarity index 100% rename from lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks/terragrunt.hcl rename to lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks/terragrunt.hcl diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/cluster.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/cluster.hcl deleted file mode 100644 index e52f9d23..00000000 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/cluster.hcl +++ /dev/null @@ -1,28 +0,0 @@ -locals { - # Cluster specific configuration - cluster_endpoint_public_access = true - cluster_name = "platform-eng-eks-mcm" - cluster_mailing_list = "matthew.c.morgan@census.gov" - eks_instance_disk_size = 100 - eks_ng_desired_size = 2 - eks_ng_max_size = 10 - eks_ng_min_size = 2 - enable_cluster_creator_admin_permissions = true - tags = { - "slim:schedule" = "8:00-17:00" - "cluster:size" = "min:${local.eks_ng_min_size}-max:${local.eks_ng_max_size}-desired:${local.eks_ng_desired_size}" - } - - # Common configuration - common_retry_args = { - commands = get_terraform_commands_that_need_locking() - arguments = ["-lock-timeout=20m"] - } - - common_dependencies = ["../eks", "../eks-config"] - - common_mock_eks = { - cluster_name = "mock-cluster" - oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock" - } -} 
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/cluster.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/cluster.hcl deleted file mode 100644 index 656de00e..00000000 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/cluster.hcl +++ /dev/null @@ -1,28 +0,0 @@ -locals { - # Cluster specific configuration - cluster_endpoint_public_access = true - cluster_name = "platform-eng-eks-srn" - cluster_mailing_list = "srinivasa.nangunuri@census.gov" - eks_instance_disk_size = 100 - eks_ng_desired_size = 2 - eks_ng_max_size = 10 - eks_ng_min_size = 2 - enable_cluster_creator_admin_permissions = true - tags = { - "slim:schedule" = "8:00-17:00" - "cluster:size" = "min:${local.eks_ng_min_size}-max:${local.eks_ng_max_size}-desired:${local.eks_ng_desired_size}" - } - - # Common configuration - common_retry_args = { - commands = get_terraform_commands_that_need_locking() - arguments = ["-lock-timeout=20m"] - } - - common_dependencies = ["../eks", "../eks-config"] - - common_mock_eks = { - cluster_name = "mock-cluster" - oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock" - } -} diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-cert-manager/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-cert-manager/terragrunt.hcl deleted file mode 100644 index d1e69d00..00000000 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-cert-manager/terragrunt.hcl +++ /dev/null 
@@ -1,57 +0,0 @@
-include "root" {
- path = find_in_parent_folders("root.hcl")
- merge_strategy = "deep"
- expose = true
-}
-
-terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-cert-mgr.git?ref=${include.root.inputs.release_version}"
-
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20s"]
- }
-}
-
-dependencies {
- paths = [
- "../eks",
- "../eks-config",
- "../eks-karpenter"
- ]
-}
-
-dependency "eks" {
- config_path = "../eks"
- mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
-
- mock_outputs = {
- cluster_name = include.root.inputs.cluster_name
- oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
- cluster_endpoint = "https://mock-endpoint.eks.amazonaws.com"
- cluster_version = include.root.inputs.cluster_version
- }
-}
-
-inputs = {
- # AWS Configuration
- account_id = include.root.inputs.aws_account_id
- profile = include.root.inputs.aws_profile
- region = include.root.inputs.aws_region
-
- # Cluster Configuration
- cluster_name = dependency.eks.outputs.cluster_name
- cluster_mailing_list = include.root.inputs.cluster_mailing_list
- oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
-
- # Cert Manager Configuration
- cert_manager_helm_chart = include.root.inputs.cert_manager_helm_chart
- cluster_issuer_name = include.root.inputs.cluster_issuer_name
- namespace = include.root.inputs.namespaces["cert-manager"]
-
- # Version Tags
- cert_manager_cainjector_tag = include.root.inputs.cert_manager_cainjector_tag
- cert_manager_controller_tag = include.root.inputs.cert_manager_controller_tag
- cert_manager_startupapicheck_tag = include.root.inputs.cert_manager_startupapicheck_tag
- cert_manager_webhook_tag = include.root.inputs.cert_manager_webhook_tag
-}
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-config/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-config/terragrunt.hcl
deleted file mode 100644
index c1328ee7..00000000
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-config/terragrunt.hcl
+++ /dev/null
@@ -1,54 +0,0 @@
-include "root" {
- path = find_in_parent_folders("root.hcl")
- merge_strategy = "deep"
- expose = true
-}
-
-dependencies {
- paths = [
- "../eks",
- "../eks-karpenter"
- ]
-}
-
-terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks-configuration.git?ref=${include.root.inputs.release_version}"
-
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20s"]
- }
-}
-
-dependency "eks" {
- config_path = "../eks"
- mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
-
- mock_outputs = {
- cluster_name = "mock-cluster"
- cluster_endpoint = "https://mock-endpoint.eks.amazonaws.com"
- cluster_certificate_authority_data = [{ data = "mock-cert-data" }]
- eks_managed_node_groups_autoscaling_group_names = ["mock-asg-name"]
- oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
- security_group_all_worker_mgmt_id = "sg-mock"
- subnets = ["subnet-mock1", "subnet-mock2"]
- vpc_id = "vpc-mock"
- }
-}
-
-inputs = {
- # AWS Configuration
- account_id = include.root.inputs.aws_account_id
- profile = include.root.inputs.aws_profile
- region = include.root.inputs.aws_region
-
- # Core Cluster Configuration
- cluster_name = dependency.eks.outputs.cluster_name
- eks_managed_node_groups_autoscaling_group_names = dependency.eks.outputs.eks_managed_node_groups_autoscaling_group_names
- oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
- security_group_all_worker_mgmt_id = dependency.eks.outputs.security_group_all_worker_mgmt_id
- subnets = dependency.eks.outputs.subnets
- vpc_id = dependency.eks.outputs.vpc_id
- operators_ns = include.root.inputs.operator_namespace
- telemetry_ns = include.root.inputs.telemetry_namespace
-}
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-dns/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-dns/terragrunt.hcl
deleted file mode 100644
index 2bf9b72f..00000000
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-dns/terragrunt.hcl
+++ /dev/null
@@ -1,60 +0,0 @@
-include "root" {
- path = find_in_parent_folders("root.hcl")
- merge_strategy = "deep"
- expose = true
-}
-
-terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks-dns.git?ref=${include.root.inputs.release_version}"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20s"]
- }
-}
-
-dependency "eks" {
- config_path = "../eks"
- mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
- mock_outputs = {
- cluster_name = include.root.inputs.cluster_name
- subnets = ["subnet-mock1", "subnet-mock2", "subnet-mock3"]
- }
-}
-
-dependency "eks-istio" {
- config_path = "../eks-istio"
- mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
- mock_outputs = {
- istio_ingress_lb = {
- dns_name = "mock-${include.root.inputs.cluster_name}.elb.amazonaws.com"
- zone_id = "MOCKZONEID"
- }
- }
-}
-
-dependencies {
- paths = [
- "../eks-config",
- "../eks-istio",
- "../eks-karpenter"
- ]
-}
-
-inputs = {
- # AWS Configuration
- account_id = include.root.inputs.aws_account_id
- profile = include.root.inputs.aws_profile
- region = include.root.inputs.aws_region
-
- # Cluster Configuration
- cluster_name = include.root.inputs.cluster_name
-
- # Network Configuration
- istio_ingress_lb = dependency.eks-istio.outputs.istio_ingress_lb
- route53_endpoints = include.root.inputs.route53_endpoints
- vpc_domain_name = include.root.inputs.vpc_domain_name
- vpc_name = include.root.inputs.vpc_name
-
- # Additional Configuration
- tags = include.root.inputs.tags
-}
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-grafana/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-grafana/terragrunt.hcl
deleted file mode 100644
index 2bc7484b..00000000
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-grafana/terragrunt.hcl
+++ /dev/null
@@ -1,63 +0,0 @@
-include "root" {
- path = find_in_parent_folders("root.hcl")
- merge_strategy = "deep"
- expose = true
-}
-
-terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-grafana.git?ref=${include.root.inputs.release_version}"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20s"]
- }
-}
-
-dependency "eks" {
- config_path = "../eks"
- mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
- mock_outputs = {
- cluster_name = include.root.inputs.cluster_name
- oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
- }
-}
-
-dependency "eks_loki" {
- config_path = "../eks-loki"
- mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
- mock_outputs = {
- rwo_storage_class = "gp3-mocked"
- }
-}
-
-dependencies {
- paths = [
- "../eks",
- "../eks-config",
- "../eks-dns",
- "../eks-karpenter",
- "../eks-loki"
- ]
-}
-
-inputs = {
- # AWS Configuration
- account_id = include.root.inputs.aws_account_id
- profile = include.root.inputs.aws_profile
- region = include.root.inputs.aws_region
-
- # Cluster Configuration
- cluster_name = dependency.eks.outputs.cluster_name
- cluster_domain = include.root.inputs.vpc_domain_name
- oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
-
- # Storage Configuration
- rwo_storage_class = dependency.eks_loki.outputs.rwo_storage_class
-
- # Grafana Configuration
- grafana_chart_version = include.root.inputs.grafana_chart_version
- grafana_tag = include.root.inputs.grafana_tag
- download_dashboards_image_tag = include.root.inputs.download_dashboards_image_tag
- init_chown_data_image_tag = include.root.inputs.init_chown_data_image_tag
- namespace = include.root.inputs.namespaces["grafana"]
- service_name = "grafana"
-}
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-istio/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-istio/terragrunt.hcl
deleted file mode 100644
index 1c312166..00000000
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-istio/terragrunt.hcl
+++ /dev/null
@@ -1,44 +0,0 @@
-include "root" {
- path = find_in_parent_folders("root.hcl")
- merge_strategy = "deep"
- expose = true
-}
-
-terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-istio.git?ref=${include.root.inputs.release_version}"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20s"]
- }
-}
-
-dependencies {
- paths = [
- "../eks",
- "../eks-config"
- ]
-}
-
-dependency "eks" {
- config_path = "../eks"
- mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
- mock_outputs = {
- cluster_name = include.root.inputs.cluster_name
- oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
- }
-}
-
-inputs = {
- # AWS Configuration
- account_id = include.root.inputs.aws_account_id
- profile = include.root.inputs.aws_profile
- region = include.root.inputs.aws_region
-
- # Cluster Configuration
- cluster_name = dependency.eks.outputs.cluster_name
- oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
-
- # Istio Configuration
- namespace = include.root.inputs.namespaces["istio"]
- istio_version = include.root.inputs.istio_version
-}
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-k8s-dashboard/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-k8s-dashboard/terragrunt.hcl
deleted file mode 100644
index c32546cd..00000000
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-k8s-dashboard/terragrunt.hcl
+++ /dev/null
@@ -1,55 +0,0 @@
-include "root" {
- path = find_in_parent_folders("root.hcl")
- merge_strategy = "deep"
- expose = true
-}
-
-terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-k8s-dashboard.git?ref=mcmCluster"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20s"]
- }
-}
-
-dependencies {
- paths = [
- "../eks",
- "../eks-config",
- "../eks-dns"
- ]
-}
-
-dependency "eks" {
- config_path = "../eks"
- mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
- mock_outputs = {
- cluster_name = include.root.inputs.cluster_name
- oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
- }
-}
-
-dependency "eks_dns" {
- config_path = "../eks-dns"
- mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
- mock_outputs = {
- cluster_domain = "mock.example.com"
- oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
- }
-}
-
-inputs = {
- # AWS Configuration
- account_id = include.root.inputs.aws_account_id
- profile = include.root.inputs.aws_profile
- region = include.root.inputs.aws_region
-
- # Cluster Configuration
- cluster_domain = dependency.eks_dns.outputs.cluster_domain
- cluster_name = dependency.eks.outputs.cluster_name
-
- # Dashboard Configuration
- service_name = include.root.inputs.dashboard_hostname
- k8s_dashboard_version = include.root.inputs.k8s_dashboard_version
- namespace = include.root.inputs.namespaces["k8s-dashboard"]
-}
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-karpenter/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-karpenter/terragrunt.hcl
deleted file mode 100644
index 7c2ff2db..00000000
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-karpenter/terragrunt.hcl
+++ /dev/null
@@ -1,50 +0,0 @@
-include "root" {
- path = find_in_parent_folders("root.hcl")
- merge_strategy = "deep"
- expose = true
-}
-
-terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-karpenter.git?ref=${include.root.inputs.release_version}"
-
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20s"]
- }
-}
-
-dependencies {
- paths = ["../eks"]
-}
-
-dependency "eks" {
- config_path = "../eks"
- mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
-
- mock_outputs = {
- cluster_name = "mock-cluster"
- cluster_endpoint = "https://mock-endpoint.eks.amazonaws.com"
- oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
- node_group_name = "mock-node-group"
- vpc_id = "vpc-mock"
- subnets = ["subnet-mock1", "subnet-mock2"]
- }
-}
-
-inputs = {
- # AWS Configuration
- account_id = include.root.inputs.aws_account_id
- profile = include.root.inputs.aws_profile
- region = include.root.inputs.aws_region
-
- # Cluster Configuration
- cluster_endpoint = dependency.eks.outputs.cluster_endpoint
- cluster_name = dependency.eks.outputs.cluster_name
- oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
-
- # Karpenter Configuration
- karpenter_tag = include.root.inputs.karpenter_tag
- karpenter_helm_chart = include.root.inputs.karpenter_helm_chart
- karpenter_node_group_name = dependency.eks.outputs.node_group_name
- namespace = include.root.inputs.namespaces["karpenter"]
-}
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-keycloak/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-keycloak/terragrunt.hcl
deleted file mode 100644
index 4a6e1346..00000000
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-keycloak/terragrunt.hcl
+++ /dev/null
@@ -1,109 +0,0 @@
-include "root" {
- path = find_in_parent_folders("root.hcl")
- merge_strategy = "deep"
- expose = true
-}
-
-terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-keycloak.git?ref=standards"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20s"]
- }
-}
-
-dependency "eks" {
- config_path = "../eks"
- mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
- mock_outputs = {
- cluster_name = "mock-cluster"
- oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
- }
-}
-
-dependency "eks_config" {
- config_path = "../eks-config"
- mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
- mock_outputs = {
- rwo_storage_class = "gp3-mock"
- }
-}
-
-dependency "eks_dns" {
- config_path = "../eks-dns"
- mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
- mock_outputs = {
- cluster_domain = "mock.example.com"
- oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
- }
-}
-
-dependency "eks_postgresql" {
- config_path = "../eks-postgresql"
- mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
- mock_outputs = {
-<<<<<<< HEAD
-<<<<<<< HEAD
- internal_endpoint = {
-=======
- internal_endpoint = {
->>>>>>> 4d9a294 (deleted old cluster platform-eng-eks-test and created new cluster platform-eng-eks-srn)
-=======
- internal_endpoint = {
->>>>>>> 0a7b279 (fmt)
- url = "mock-internal-endpoint-url"
- }
- }
-}
-
-dependencies {
- paths = [
- "../eks",
- "../eks-config",
- "../eks-dns",
- "../eks-karpenter",
- "../eks-postgresql",
- "../eks-prometheus",
- ]
-}
-
-inputs = {
- admin_email = include.root.inputs.cluster_mailing_list
- cluster_domain = dependency.eks_dns.outputs.cluster_domain
- cluster_name = dependency.eks.outputs.cluster_name
- namespace = include.root.inputs.namespaces["keycloak"]
- profile =
include.root.inputs.aws_profile
- region = include.root.inputs.aws_region
-
- # keycloak config
- default_storage_class = dependency.eks_config.outputs.rwo_storage_class
- keycloak_chart_version = include.root.inputs.keycloak_chart_version
- keycloak_hostname = include.root.inputs.keycloak_hostname
- keycloak_tag = include.root.inputs.keycloak_tag
- service_name = "keycloak"
- telemetry_namespace = include.root.inputs.telemetry_namespace
-
- # Database configuration
-<<<<<<< HEAD
-<<<<<<< HEAD
- db_host = dependency.eks_postgresql.outputs.internal_endpoint.url
- db_name = include.root.inputs.postgresql_database
- db_password = include.root.inputs.postgresql_password
- db_user = include.root.inputs.postgresql_username
-=======
- db_host = dependency.eks_postgresql.outputs.internal_endpoint.url
- db_name = include.root.inputs.postgresql_database
- db_password = include.root.inputs.postgresql_password
- db_user = include.root.inputs.postgresql_username
->>>>>>> 4d9a294 (deleted old cluster platform-eng-eks-test and created new cluster platform-eng-eks-srn)
-=======
- db_host = dependency.eks_postgresql.outputs.internal_endpoint.url
- db_name = include.root.inputs.postgresql_database
- db_password = include.root.inputs.postgresql_password
- db_user = include.root.inputs.postgresql_username
->>>>>>> 0a7b279 (fmt)
-
- # Project information
- project_name = include.root.inputs.project_name
- tags = include.root.inputs.tags
-}
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-kiali/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-kiali/terragrunt.hcl
deleted file mode 100644
index c36c773c..00000000
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-kiali/terragrunt.hcl
+++ /dev/null
@@ -1,113 +0,0 @@
-include "root" {
- path = find_in_parent_folders("root.hcl")
- merge_strategy = "deep"
- expose = true
-}
-
-terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-kiali.git?ref=mcmCluster"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20s"]
- }
-}
-
-dependencies {
- paths = [
- "../eks",
- "../eks-config",
- "../eks-dns",
- "../eks-grafana",
- "../eks-istio",
- "../eks-prometheus"
- ]
-}
-
-dependency "eks" {
- config_path = "../eks"
- mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
- mock_outputs = {
- cluster_name = "mock-cluster"
- oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
- }
-}
-
-dependency "eks_config" {
- config_path = "../eks-config"
- mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
- mock_outputs = {
- operators_namespace = "mock-namespace"
- }
-}
-
-dependency "eks_dns" {
- config_path = "../eks-dns"
- mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
- mock_outputs = {
- cluster_domain = "mock.example.com"
- oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
- }
-}
-
-dependency "eks_grafana" {
- config_path = "../eks-grafana"
- mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
- mock_outputs = {
- internal_endpoint = {
- hostname = "grafana.mock.svc.cluster.local"
- port_number = "80"
- url = "https://grafana.mock.svc.cluster.local:80/"
- }
- namespace = "grafana"
- public_endpoint = {
- hostname = "grafana.mock.lab.csp2.census.gov"
- port_number = "80"
- url = "https://grafana.mock.lab.csp2.census.gov:80/"
- }
- secret_name = "grafana"
- }
-}
-
-dependency "eks_istio" {
- config_path = "../eks-istio"
- mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
- mock_outputs = {
- namespace = "mock-namespace-istio"
- }
-}
-
-dependency
"eks_prometheus" {
- config_path = "../eks-prometheus"
- mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
- mock_outputs = {
- prometheus_server_internal_endpoint = {
- hostname = "prometheus.mock.svc.cluster.local"
- port_number = "80"
- url = "https://prometheus.mock.svc.cluster.local:80/"
- }
- }
-}
-
-inputs = {
- # AWS Configuration
- account_id = include.root.inputs.aws_account_id
- profile = include.root.inputs.aws_profile
- region = include.root.inputs.aws_region
-
- # Cluster Configuration
- cluster_domain = dependency.eks_dns.outputs.cluster_domain
- cluster_name = dependency.eks.outputs.cluster_name
-
- # Kiali Configuration
- service_name = "kiali"
- namespace = include.root.inputs.namespaces["kiali"]
- grafana_internal_url = dependency.eks_grafana.outputs.internal_endpoint.url
- grafana_namespace = dependency.eks_grafana.outputs.namespace
- grafana_secret_name = dependency.eks_grafana.outputs.secret_name
- grafana_public_url = dependency.eks_grafana.outputs.public_endpoint
-
- kiali_operator_version = include.root.inputs.kiali_operator_version
-
- prometheus_internal_url = dependency.eks_prometheus.outputs.prometheus_server_internal_endpoint.url
- # jager_internal_url = dependency.eks_prometheus.outputs.jager_internal_url
-}
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-kiali/terragrunt.hcl.disabled b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-kiali/terragrunt.hcl.disabled
deleted file mode 100644
index a06c6e68..00000000
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-kiali/terragrunt.hcl.disabled
+++ /dev/null
@@ -1,108 +0,0 @@
-include "root" {
- path = find_in_parent_folders("root.hcl")
- merge_strategy = "deep"
- expose = true
-}
-
-terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-kiali.git?ref=${include.root.inputs.release_version}"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20s"]
- }
-}
-
-dependencies {
- paths = [
- "../eks",
- "../eks-config",
- "../eks-dns",
- "../eks-grafana",
- "../eks-istio",
- "../eks-prometheus"
- ]
-}
-
-dependency "eks" {
- config_path = "../eks"
- mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
- mock_outputs = {
- cluster_name = "mock-cluster"
- oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
- }
-}
-
-dependency "eks-config" {
- config_path = "../eks-config"
- mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
- mock_outputs = {
- operators_namespace = "mock-namespace"
- }
-}
-
-dependency "eks_dns" {
- config_path = "../eks-dns"
- mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
- mock_outputs = {
- cluster_domain = "mock.example.com"
- oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
- }
-}
-
-dependency "eks_grafana" {
- config_path = "../eks-grafana"
- mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
- mock_outputs = {
- internal_endpoint = {
- hostname = "grafana.mock.svc.cluster.local"
- port_number = "80"
- url = "https://grafana.mock.svc.cluster.local:80/"
- }
- namespace = "grafana"
- public_endpoint = {
- hostname = "grafana.mock.lab.csp2.census.gov"
- port_number = "80"
- url = "https://grafana.mock.lab.csp2.census.gov:80/"
- }
- secret_name = "grafana"
- }
-}
-
-dependency "eks_istio" {
- config_path = "../eks-istio"
- mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
- mock_outputs = {
- namespace =
"mock-namespace-istio"
- }
-}
-
-dependency "eks_prometheus" {
- config_path = "../eks-prometheus"
- mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
- mock_outputs = {
- prometheus_internal_url = "mock-internal-url"
- }
-}
-
-inputs = {
- # AWS Configuration
- account_id = include.root.inputs.aws_account_id
- profile = include.root.inputs.aws_profile
- region = include.root.inputs.aws_region
-
- # Cluster Configuration
- cluster_domain = dependency.eks_dns.outputs.cluster_domain
- cluster_name = dependency.eks.outputs.cluster_name
-
- # Kiali Configuration
- grafana_internal_url = dependency.eks_grafana.outputs.internal_endpoint.url
- grafana_namespace = dependency.eks_grafana.outputs.namespace
- grafana_secret_name = dependency.eks_grafana.outputs.secret_name
- grafana_public_url = dependency.eks_grafana.outputs.public_endpoint.url
-
- kiali_operator_version = include.root.inputs.kiali_operator_version
- operators_namespace = dependency.eks-config.outputs.operators_namespace
-
- prometheus_internal_url = dependency.eks_prometheus.outputs.internal_endpoint
- jager_internal_url = dependency.eks_prometheus.outputs.jager_internal_url
-}
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-loki/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-loki/terragrunt.hcl
deleted file mode 100644
index 55d3830e..00000000
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-loki/terragrunt.hcl
+++ /dev/null
@@ -1,56 +0,0 @@
-include "root" {
- path = find_in_parent_folders("root.hcl")
- merge_strategy = "deep"
- expose = true
-}
-
-dependencies {
- paths = [
- "../eks",
- "../eks-config",
- "../eks-metrics-server",
- "../eks-dns"
- ]
-}
-
-dependency "eks" {
- config_path = "../eks"
- mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
- mock_outputs = {
- cluster_name = "mock-cluster"
- oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
- }
-}
-
-dependency "eks_config" {
- config_path = "../eks-config"
- mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
- mock_outputs = {
- rwo_storage_class = "gp3-mock"
- }
-}
-
-terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-loki.git?ref=${include.root.inputs.release_version}"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20s"]
- }
-}
-
-inputs = {
- # AWS Configuration
- account_id = include.root.inputs.aws_account_id
- profile = include.root.inputs.aws_profile
- region = include.root.inputs.aws_region
-
- # Cluster Configuration
- cluster_name = dependency.eks.outputs.cluster_name
- oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
-
- # Loki Configuration
- loki_chart_version = include.root.inputs.loki_chart_version
- loki_tag = include.root.inputs.loki_tag
- namespace = include.root.inputs.namespaces["loki"]
- rwo_storage_class = dependency.eks_config.outputs.rwo_storage_class
-}
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-metrics-server/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-metrics-server/terragrunt.hcl
deleted file mode 100644
index 5e520aad..00000000
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-metrics-server/terragrunt.hcl
+++ /dev/null
@@ -1,43 +0,0 @@
-include "root" {
- path = find_in_parent_folders("root.hcl")
- merge_strategy = "deep"
- expose = true
-}
-
-dependencies {
- paths = [
- "../eks",
- "../eks-config"
- ]
-}
-
-dependency "eks" {
- config_path = "../eks"
- mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
- mock_outputs = {
- cluster_name = "mock-cluster"
- }
-}
-
-terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-metrics-server.git?ref=${include.root.inputs.release_version}"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20s"]
- }
-}
-
-inputs = {
- # AWS Configuration
- account_id = include.root.inputs.aws_account_id
- profile = include.root.inputs.aws_profile
- region = include.root.inputs.aws_region
-
- # Cluster Configuration
- cluster_name = dependency.eks.outputs.cluster_name
-
- # Metrics Server Configuration
- metrics_server_helm_chart = include.root.inputs.metrics_server_helm_chart
- metrics_server_tag = include.root.inputs.metrics_server_tag
- namespace = include.root.inputs.namespaces["metrics-server"]
-}
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-postgresql/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-postgresql/terragrunt.hcl
deleted file mode 100644
index 4429d04a..00000000
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-postgresql/terragrunt.hcl
+++ /dev/null
@@ -1,76 +0,0 @@
-include "root" {
- path = find_in_parent_folders("root.hcl")
- merge_strategy = "deep"
- expose = true
-}
-
-terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-postgresql.git?ref=main"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20s"]
- }
-}
-
-dependencies {
- paths = [
- "../eks",
- "../eks-config",
- "../eks-dns",
- "../eks-prometheus",
- ]
-}
-
-dependency "eks" {
- config_path = "../eks"
- mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
- mock_outputs = {
- cluster_name = include.root.inputs.cluster_name
- oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
- }
-}
-
-dependency "eks_config" {
- config_path = "../eks-config"
- mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
- mock_outputs = {
- rwo_storage_class = "gp3-mock"
- }
-}
-
-dependency "eks_dns" {
- config_path = "../eks-dns"
- mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
- mock_outputs = {
- cluster_domain = "mock.example.com"
- oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
- }
-}
-
-inputs = {
- # AWS Configuration
- account_id = include.root.inputs.aws_account_id
- profile = include.root.inputs.aws_profile
- region = include.root.inputs.aws_region
-
- # Cluster Configuration
- cluster_domain = dependency.eks_dns.outputs.cluster_domain
- cluster_name = dependency.eks.outputs.cluster_name
- rwo_storage_class = dependency.eks_config.outputs.rwo_storage_class
-
- # PostgreSQL Configuration
- namespace = include.root.inputs.namespaces["postgresql"]
- os_shell_tag = include.root.inputs.os_shell_tag
- pgpool_tag = include.root.inputs.pgpool_tag
- postgres_exporter_tag = include.root.inputs.postgres_exporter_tag
- postgresql_repmgr_tag = include.root.inputs.postgresql_repmgr_tag
- postgresql_tag = include.root.inputs.postgresql_tag
-
service_name = "postgresql"
- telemetry_namespace = include.root.inputs.telemetry_namespace
-
- # Database Consumer Configuration
- postgresql_database = include.root.inputs.postgresql_database
- postgresql_username = include.root.inputs.postgresql_username
- postgresql_password = include.root.inputs.postgresql_password
-
-}
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-prometheus/README.md b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-prometheus/README.md
deleted file mode 100644
index bbbffb2a..00000000
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-prometheus/README.md
+++ /dev/null
@@ -1,198 +0,0 @@ -## eks-prometheus -This module deploys EKS kubeenetes prometheus inside existing EKS cluster. Prometheus is an open-source systems monitoring and alerting tool. -This module consisits of 4 components. It creates prometheus namespace and copies image repositories for the following components from quay.io into local account ECR repository. It deploys these components using helm charts using the configured ECR repositories. - 1. prometheus-alert-manager - 2. prometheus-node-exporter - 3. prometheus-pushgateway - 4. prometheus-server - -### Dependencies -This module is dependent on EKS module (eks). The cluster should exist already for this module to work. - -### Inputs - cluster_name - profile - prometheus_chart_version - prometheus_server_tag - prometheus_config_reloader_tag - alertmanager_tag - kube_state_metrics_tag - node_exporter_tag - pushgateway_tag - rwo_storage_class - -### Outputs - alertmanager_internal_endpoint - alertmanager_headless_internal_endpoint - pushgateway_internal_endpoint - prometheus_server_internal_endpoint - -### Issues observed/fixed -1. The rwo_storage_class value had to be updated from "gp3" to "gp3-encrypted" -2. The node_exporter_tag value had to be updated from "1.6.1" to "v1.8.1" -3. The kube_state_metrics_tag value had to be updated from "2.10.0" to "v2.6.0" -4. The alertmanager_tag value had to be updated from -5. The helm chart set config for the ecr image had to be split into 2 components, one for registry and other for repository as an example mentioned below: - - ``` - set { - name = "kube-state-metrics.image.registry" - value = module.images.images[local.ksm_key].dest_registry - } - set { - name = "kube-state-metrics.image.repository" - value = module.images.images[local.ksm_key].dest_repository - } - ``` - -6. 
In some other cases the image ecr repository had to be split by the colon separatory (:) - - ``` - set { - name = "alertmanager.configmapReload.image.repository" - value = split(":", module.images.images[local.prom_config_reload_key].dest_full_path)[0] - } - ``` - -### Chart Notes - 1. Get the application URL by running these commands: - - ```bash - export POD_NAME=$(kubectl get pods --namespace prometheus -l "app.kubernetes.io/name=prometheus-pushgateway,app.kubernetes.io/instance=prometheus" -o jsonpath="{.items[0].metadata.name}") - kubectl port-forward $POD_NAME 9091 - echo "Visit http://127.0.0.1:9091 to use your application" - ``` - - The Prometheus server can be accessed via port 80 on the following DNS name from within your cluster: - prometheus-server.prometheus.svc.cluster.local - - - Get the Prometheus server URL by running these commands in the same shell: - - ```bash - export POD_NAME=$(kubectl get pods --namespace prometheus -l "app.kubernetes.io/name=prometheus,app.kubernetes.io/instance=prometheus" -o jsonpath="{.items[0].metadata.name}") - kubectl --namespace prometheus port-forward $POD_NAME 9090 - ``` - - The Prometheus alertmanager can be accessed via port 9093 on the following DNS name from within your cluster: - `prometheus-alertmanager.prometheus.svc.cluster.local` - - - Get the Alertmanager URL by running these commands in the same shell: - - ```bash - export POD_NAME=$(kubectl get pods --namespace prometheus -l "app.kubernetes.io/name=alertmanager,app.kubernetes.io/instance=prometheus" -o jsonpath="{.items[0].metadata.name}") - kubectl --namespace prometheus port-forward $POD_NAME 9093 - ``` - - ################################################################################# - ###### WARNING: Pod Security Policy has been disabled by default since ##### - ###### it deprecated after k8s 1.25+. 
use ##### - ###### (index .Values "prometheus-node-exporter" "rbac" ##### - ###### "pspEnabled") with (index .Values ##### - ###### "prometheus-node-exporter" "rbac" "pspAnnotations") ##### - ###### in case you still need it. ##### - ################################################################################# - - - The Prometheus PushGateway can be accessed via port 9091 on the following DNS name from within your cluster: - `prometheus-prometheus-pushgateway.prometheus.svc.cluster.local` - - - Get the PushGateway URL by running these commands in the same shell: - - ```bash - export POD_NAME=$(kubectl get pods --namespace prometheus -l "app=prometheus-pushgateway,component=pushgateway" -o jsonpath="{.items[0].metadata.name}") - kubectl --namespace prometheus port-forward $POD_NAME 9091 - ``` - - For more information on running Prometheus, visit: - https://prometheus.io/ - - kube-state-metrics is a simple service that listens to the Kubernetes API server and generates metrics about the state of the objects. - The exposed metrics can be found here: - https://github.com/kubernetes/kube-state-metrics/blob/master/docs/README.md#exposed-metrics - - The metrics are exported on the HTTP endpoint /metrics on the listening port. - In your case, `prometheus-kube-state-metrics.prometheus.svc.cluster.local:8080/metrics` - - They are served either as plaintext or protobuf depending on the Accept header. - They are designed to be consumed either by Prometheus itself or by a scraper that is compatible with scraping a Prometheus client endpoint. - - 1. Get the application URL by running these commands: - - ```bash - export POD_NAME=$(kubectl get pods --namespace prometheus -l "app.kubernetes.io/name=alertmanager,app.kubernetes.io/instance=prometheus" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:9093 to use your application" - kubectl --namespace prometheus port-forward $POD_NAME 9093:80 - ``` - - 1. 
Get the application URL by running these commands: - - ```bash - export POD_NAME=$(kubectl get pods --namespace prometheus -l "app.kubernetes.io/name=prometheus-node-exporter,app.kubernetes.io/instance=prometheus" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:9100 to use your application" - kubectl port-forward --namespace prometheus $POD_NAME 9100 - ``` - - -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 0.13 | -| [aws](#requirement\_aws) | >= 5.14.0 | -| [helm](#requirement\_helm) | >= 2.11.0 | -| [kubernetes](#requirement\_kubernetes) | >= 2.23.0 | -| [null](#requirement\_null) | >= 3.2.1 | - -## Providers - -| Name | Version | -|------|---------| -| [helm](#provider\_helm) | >= 2.11.0 | -| [kubernetes](#provider\_kubernetes) | >= 2.23.0 | - -## Modules - -| Name | Source | Version | -|------|--------|---------| -| [images](#module\_images) | git@github.e.it.census.gov:terraform-modules/aws-ecr-copy-images.git/ | tf-upgrade | - -## Resources - -| Name | Type | -|------|------| -| [helm_release.prometheus](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | -| [kubernetes_namespace.ns](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | -| [kubernetes_namespace.existing-ns](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/data-sources/namespace) | data source | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [alertmanager\_tag](#input\_alertmanager\_tag) | The image tag of the alertmanager image. | `string` | `"v0.27.0"` | no | -| [cluster\_name](#input\_cluster\_name) | The name of the cluster into which prometheus will be installed. 
| `string` | n/a | yes | -| [create\_namespace](#input\_create\_namespace) | Indicates whether the `namespace` needs to be created ('true') or already exists (not `true`) | `bool` | `true` | no | -| [kube\_state\_metrics\_tag](#input\_kube\_state\_metrics\_tag) | The image tag of the kube-state-metrics image. | `string` | `"v2.13.0"` | no | -| [namespace](#input\_namespace) | The namespace to install the prometheus components. Defaults to 'prometheus' | `string` | `"prometheus"` | no | -| [node\_exporter\_tag](#input\_node\_exporter\_tag) | The image tag of the node-exporter image. | `string` | `"v1.8.2"` | no | -| [profile](#input\_profile) | AWS\_PROFILE to use to apply the terraform script. | `string` | `""` | no | -| [prometheus\_chart\_version](#input\_prometheus\_chart\_version) | The version of prometheus to install into the cluster. | `string` | `"25.24.1"` | no | -| [prometheus\_config\_reloader\_tag](#input\_prometheus\_config\_reloader\_tag) | The image tag of the prometheus-config-reloader image. | `string` | `"v0.75.1"` | no | -| [prometheus\_server\_tag](#input\_prometheus\_server\_tag) | The image tag of prometheus server to install into the cluster. | `string` | `"v2.53.1"` | no | -| [pushgateway\_tag](#input\_pushgateway\_tag) | The image tag of the pushgateway image. | `string` | `"v1.9.0"` | no | -| [rwo\_storage\_class](#input\_rwo\_storage\_class) | Specify the storage class for read/write/once persistent volumes. | `string` | `"gp3-encrypted"` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| [alertmanager\_headless\_internal\_endpoint](#output\_alertmanager\_headless\_internal\_endpoint) | n/a | -| [alertmanager\_internal\_endpoint](#output\_alertmanager\_internal\_endpoint) | n/a | -| [module\_name](#output\_module\_name) | The name of this module. | -| [module\_version](#output\_module\_version) | The version of this module. 
| -| [prometheus\_namespace](#output\_prometheus\_namespace) | n/a | -| [prometheus\_server\_internal\_endpoint](#output\_prometheus\_server\_internal\_endpoint) | n/a | -| [pushgateway\_internal\_endpoint](#output\_pushgateway\_internal\_endpoint) | n/a | - diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-prometheus/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-prometheus/terragrunt.hcl deleted file mode 100644 index 76650e5e..00000000 --- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-prometheus/terragrunt.hcl +++ /dev/null 
@@ -1,61 +0,0 @@
-include "root" {
- path = find_in_parent_folders("root.hcl")
- merge_strategy = "deep"
- expose = true
-}
-
-terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-prometheus.git?ref=mcmCluster"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20s"]
- }
-}
-
-dependencies {
- paths = [
- "../eks",
- "../eks-config",
- "../eks-metrics-server",
- "../eks-dns"
- ]
-}
-
-dependency "eks" {
- config_path = "../eks"
- mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
- mock_outputs = {
- cluster_name = include.root.inputs.cluster_name
- oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
- }
-}
-
-dependency "eks-config" {
- config_path = "../eks-config"
- mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
- mock_outputs = {
- rwo_storage_class = "gp3-encyrpted"
- }
-}
-
-inputs = {
- # AWS Configuration
- account_id = include.root.inputs.aws_account_id
- profile = include.root.inputs.aws_profile
- region = include.root.inputs.aws_region
-
- # Cluster Configuration
- cluster_name = dependency.eks.outputs.cluster_name
- oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
-
- # Prometheus Configuration
- prometheus_chart_version = include.root.inputs.prometheus_chart_version
- prometheus_server_tag = include.root.inputs.prometheus_server_tag
- prometheus_config_reloader_tag = include.root.inputs.prometheus_config_reloader_tag
- alertmanager_tag = include.root.inputs.alertmanager_tag
- kube_state_metrics_tag = include.root.inputs.kube_state_metrics_tag
- namespace = include.root.inputs.namespaces["prometheus"]
- node_exporter_tag = include.root.inputs.node_exporter_tag
- pushgateway_tag = include.root.inputs.pushgateway_tag
- rwo_storage_class = dependency.eks-config.outputs.rwo_storage_class
-}
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-tempo/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-tempo/terragrunt.hcl
deleted file mode 100644
index 41ac0a73..00000000
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks-tempo/terragrunt.hcl
+++ /dev/null
@@ -1,110 +0,0 @@
-include "root" {
- path = find_in_parent_folders("root.hcl")
- merge_strategy = "deep"
- expose = true
-}
-
-terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-tempo.git?ref=keycloak"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20s"]
- }
-}
-
-dependency "eks" {
- config_path = "../eks"
- mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
- mock_outputs = {
- cluster_name = include.root.inputs.cluster_name
- oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
- }
-}
-
-dependency "eks-prometheus" {
- config_path = "../eks-prometheus"
- mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
- mock_outputs = {
-<<<<<<< HEAD
-<<<<<<< HEAD
-<<<<<<< HEAD
- prometheus_svc = "prometheus-server"
- prometheus_namespace = "prometheus"
- prometheus_port = 80
-=======
- prometheus_namespace = "prometheus"
->>>>>>> 4d9a294 (deleted old cluster platform-eng-eks-test and created new cluster platform-eng-eks-srn)
-=======
- prometheus_svc = "prometheus-server"
- prometheus_namespace = "prometheus"
- prometheus_port = 80
->>>>>>> 44e1884 (otel added)
-=======
- prometheus_svc = "prometheus-server"
- prometheus_namespace = "prometheus"
- prometheus_port = 80
->>>>>>> 0a7b279 (fmt)
- prometheus_server_internal_endpoint = {
- hostname = "prometheus-server.prometheus.svc.cluster.local"
- port_number = 9090
- url = "http://prometheus-server.prometheus.svc.cluster.local:9090/"
- }
- }
-}
-
-dependencies {
- paths = [
- "../eks",
-<<<<<<< HEAD
-<<<<<<< HEAD
- "../eks-dns",
-=======
- "../eks-config",
- "../eks-dns",
- "../eks-karpenter",
->>>>>>> 4d9a294 (deleted old cluster platform-eng-eks-test and created new cluster platform-eng-eks-srn)
-=======
- "../eks-dns",
->>>>>>> 44e1884 (otel added)
- "../eks-prometheus"
- ]
-}
-
-inputs = {
- # AWS Configuration
- account_id = include.root.inputs.aws_account_id
- profile = include.root.inputs.aws_profile
- region = include.root.inputs.aws_region
-
- # Cluster Configuration
- cluster_name = dependency.eks.outputs.cluster_name
- oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
-
- # Prometheus Configuration
-<<<<<<< HEAD
-<<<<<<< HEAD
-<<<<<<< HEAD
- prometheus_svc = dependency.eks-prometheus.outputs.prometheus_server_internal_endpoint.hostname
-=======
->>>>>>> 4d9a294 (deleted old cluster platform-eng-eks-test and created new cluster platform-eng-eks-srn)
-=======
- prometheus_svc = dependency.eks-prometheus.outputs.prometheus_server_internal_endpoint.hostname
->>>>>>> 44e1884 (otel added)
-=======
- prometheus_svc = dependency.eks-prometheus.outputs.prometheus_server_internal_endpoint.hostname
->>>>>>> 0a7b279 (fmt)
- prometheus_namespace = dependency.eks-prometheus.outputs.prometheus_namespace
- prometheus_port = dependency.eks-prometheus.outputs.prometheus_server_internal_endpoint.port_number
-
- # Tempo Configuration
- tempo_chart_version = include.root.inputs.tempo_chart_version
- tempo_tag = include.root.inputs.tempo_tag
- namespace = include.root.inputs.namespaces["tempo"]
-<<<<<<< HEAD
-<<<<<<< HEAD
-=======
-
->>>>>>> 4d9a294 (deleted old cluster platform-eng-eks-test and created new cluster platform-eng-eks-srn)
-=======
->>>>>>> 44e1884 (otel added)
-}
diff --git a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks/terragrunt.hcl
deleted file mode 100644
index 9eca1de2..00000000
--- a/lab/development/us-gov-east-1/vpc/platform-eng-eks-srn/eks/terragrunt.hcl
+++ /dev/null
@@ -1,28 +0,0 @@
-include "root" {
- path = find_in_parent_folders("root.hcl")
- merge_strategy = "deep"
- expose = true
-}
-
-terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git?ref=${include.root.inputs.release_version}"
-
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20s"]
- }
-}
-
-inputs = {
- # AWS Configuration
- account_id = include.root.inputs.aws_account_id
- profile = include.root.inputs.aws_profile
- region = include.root.inputs.aws_region
-
- # Core Cluster Configuration
- cluster_name = include.root.inputs.cluster_name
- cluster_version = include.root.inputs.cluster_version
-
- # Additional Configuration
- tags = include.root.inputs.tags
-}
diff --git a/lab/development/us-gov-east-1/vpc/platform-test-cicd/cluster.hcl b/lab/development/us-gov-east-1/vpc/platform-test-cicd/cluster.hcl
deleted file mode 100644
index 8d2831cf..00000000
--- a/lab/development/us-gov-east-1/vpc/platform-test-cicd/cluster.hcl
+++ /dev/null
@@ -1,20 +0,0 @@
-# lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/cluster.hcl
-
-# Set cluster specific variables. These are automatically pulled in to configure the remote state bucket in the root
-# terragrunt.hcl configuration.
-locals {
- cluster_endpoint_public_access = true
- cluster_name = "platform-eng-eks-mcm"
- creator = "matthew.c.morgan@census.gov"
- eks_instance_disk_size = 100
- eks_ng_desired_size = 2
- eks_ng_max_size = 10
- eks_ng_min_size = 0
- enable_cluster_creator_admin_permissions = true
- terraform = true
- terragrunt = true
- tags = {
- "slim:schedule" = "8:00-17:00"
- "cluster:size" = "min:${local.eks_ng_min_size}-max:${local.eks_ng_max_size}-desired:${local.eks_ng_desired_size}"
- }
-}
diff --git a/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-cert-manager/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-cert-manager/terragrunt.hcl
deleted file mode 100644
index 35e355aa..00000000
--- a/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-cert-manager/terragrunt.hcl
+++ /dev/null
@@ -1,40 +0,0 @@
-include "root" {
- path = find_in_parent_folders("root.hcl")
- merge_strategy = "deep"
- expose = true
-}
-
-terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-cert-mgr.git?ref=${include.root.inputs.release_version}"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20m"]
- }
-}
-
-dependency "eks" {
- config_path = "../eks"
- mock_outputs = {
- cluster_name = "a-cluster-name"
- oidc_provider_arn = "arn:aws-us-gov:iam::111111111111:oidc-provider/oidc.eks.us-gov-east-1.amazonaws.com/id/0000000000000000AAAAAAAAAAAAAAAA"
- }
-}
-
-dependency "eks_config" {
- config_path = "../eks-config"
- skip_outputs = true
-}
-
-inputs = {
- cluster_name = dependency.eks.outputs.cluster_name
- cluster_mailing_list = dependency.eks.inputs.creator
- oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
- profile = include.root.inputs.aws_profile
- region = include.root.inputs.aws_region
- cert_manager_helm_chart = include.root.inputs.cert_manager_helm_chart
- cert_manager_cainjector_tag = include.root.inputs.cert_manager_cainjector_tag
- cert_manager_controller_tag = include.root.inputs.cert_manager_controller_tag
- cert_manager_startupapicheck_tag = include.root.inputs.cert_manager_startupapicheck_tag
- cert_manager_webhook_tag = include.root.inputs.cert_manager_webhook_tag
- cluster_issuer_name = include.root.inputs.cluster_issuer_name
-}
diff --git a/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-config/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-config/terragrunt.hcl
deleted file mode 100644
index d4a60dbc..00000000
--- a/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-config/terragrunt.hcl
+++ /dev/null
@@ -1,42 +0,0 @@
-# lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/eks-config/terragrunt.hcl
-
-include "root" {
- path = find_in_parent_folders("root.hcl")
- merge_strategy = "deep"
- expose = true
-}
-
-terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks-configuration.git?ref=${include.root.inputs.release_version}"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20m"]
- }
-}
-
-dependency "eks" {
- config_path = "../eks"
- mock_outputs = {
- cluster_certificate_authority_data = [{ data = "THISISAVERYLONGCERTSTRINGTHATGOESHEREFORSURENODYEP" }]
- cluster_endpoint = "https://12345ABCDEE42BF9C24D4C362D1DC.sk1.us-gov-east-1.eks.amazonaws.com"
- cluster_name = "a-cluster-name"
- eks_managed_node_groups_autoscaling_group_names = ["eks-eks-a-cluster-name-node_group-0000000000000000000000000-5ac8a5e3-14dd-c043-2cc9-f4b6ffb36d32"]
- oidc_provider_arn = "arn:aws-us-gov:iam::111111111111:oidc-provider/oidc.eks.us-gov-east-1.amazonaws.com/id/0000000000000000AAAAAAAAAAAAAAAA"
- security_group_all_worker_mgmt_id = "sg-00b0000000000000"
- subnets = ["subnet-00000000000000001", "subnet-00000000000000002", "subnet-00000000000000003"]
- token = [{ token = "THISISTHETOKENTHATDOESNTEXISTTHEREAREMANYLIKEITBUTHISONEISFORACLUSTER" }]
- vpc_id = "a-vpc-id"
- }
-}
-
-inputs = {
- profile = include.root.inputs.aws_profile
- region = include.root.inputs.aws_region
- vpc_id = dependency.eks.outputs.vpc_id
- cluster_name = dependency.eks.outputs.cluster_name
- subnets = dependency.eks.outputs.subnets
- security_group_all_worker_mgmt_id = dependency.eks.outputs.security_group_all_worker_mgmt_id
- eks_managed_node_groups_autoscaling_group_names = dependency.eks.outputs.eks_managed_node_groups_autoscaling_group_names
- oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
- kubectl_image_tag = include.root.inputs.kubectl_image_tag
-}
diff --git a/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-dns/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-dns/terragrunt.hcl
deleted file mode 100644
index 6e28781b..00000000
--- a/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-dns/terragrunt.hcl
+++ /dev/null
@@ -1,42 +0,0 @@
-include "root" {
- path = find_in_parent_folders("root.hcl")
- merge_strategy = "deep"
- expose = true
-}
-
-terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks-dns.git?ref=${include.root.inputs.release_version}"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20m"]
- }
-}
-
-dependency "eks" {
- config_path = "../eks"
- mock_outputs = {
- subnets = ["subnet-abcdefgh", "subnet-12345678", "subnet-ab12cd34"]
- }
-}
-
-dependency "istio" {
- config_path = "../eks-istio"
- mock_outputs = {
- istio_ingress_lb = {
- dns_name = "a1111111111111111111111111111111-2bbbbbbbbbbbbbbb.elb.us-gov-east-1.amazonaws.com"
- zone_id = "ZABC123456DEF"
- }
- }
-}
-
-inputs = {
- cluster_name = dependency.eks.inputs.cluster_name
- istio_ingress_lb = dependency.istio.outputs.istio_ingress_lb
- profile = include.root.inputs.aws_profile
- region = include.root.inputs.aws_region
- subnets = dependency.eks.outputs.subnets
- tags = dependency.eks.inputs.tags
- vpc_domain_name = dependency.eks.inputs.vpc_domain_name
- vpc_name = dependency.eks.inputs.vpc_name
- route53_endpoints = include.root.inputs.route53_endpoints
-}
diff --git a/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-grafana/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-grafana/terragrunt.hcl
deleted file mode 100644
index 65ab33fe..00000000
--- a/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-grafana/terragrunt.hcl
+++ /dev/null
@@ -1,40 +0,0 @@
-include "root" {
- path = find_in_parent_folders("root.hcl")
- merge_strategy = "deep"
- expose = true
-}
-
-terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-grafana.git?ref=${include.root.inputs.release_version}"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20m"]
- }
-}
-
-dependency "eks" {
- config_path = "../eks"
- mock_outputs = {
- cluster_name = "a-cluster-name"
- }
-}
-
-dependency "eks-loki" {
- config_path = "../eks-loki"
- mock_outputs = {
- rwo_storage_class = "gp3-encrypted"
- }
-}
-
-inputs = {
- profile = include.root.inputs.aws_profile
- region = include.root.inputs.aws_region
- cluster_name = dependency.eks.outputs.cluster_name
- cluster_domain = dependency.eks.inputs.vpc_domain_name
- public_hostname = include.root.inputs.grafana_hostname
- rwo_storage_class = dependency.eks-loki.outputs.rwo_storage_class
- grafana_chart_version = include.root.inputs.grafana_chart_version
- grafana_tag = include.root.inputs.grafana_tag
- download_dashboards_image_tag = include.root.inputs.download_dashboards_image_tag
- init_chown_data_image_tag = include.root.inputs.init_chown_data_image_tag
-}
diff --git a/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-istio/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-istio/terragrunt.hcl
deleted file mode 100644
index c7c22c81..00000000
--- a/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-istio/terragrunt.hcl
+++ /dev/null
@@ -1,32 +0,0 @@
-include "root" {
- path = find_in_parent_folders("root.hcl")
- merge_strategy = "deep"
- expose = true
-}
-
-terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-istio.git?ref=${include.root.inputs.release_version}"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20m"]
- }
-}
-
-dependency "eks" {
- config_path = "../eks"
- mock_outputs = {
- cluster_name = "a-cluster-name"
- }
-}
-dependency "eks-karpenter" {
- config_path = "../eks-karpenter"
- skip_outputs = true
-}
-
-inputs = {
- profile = include.root.inputs.aws_profile
- region = include.root.inputs.aws_region
- cluster_name = dependency.eks.outputs.cluster_name
- istio_chart_version = include.root.inputs.istio_version
- istio_version = include.root.inputs.istio_version
-}
diff --git a/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-k8s-dashboard/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-k8s-dashboard/terragrunt.hcl
deleted file mode 100644
index cd1961b6..00000000
--- a/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-k8s-dashboard/terragrunt.hcl
+++ /dev/null
@@ -1,36 +0,0 @@
-include "root" {
- path = find_in_parent_folders("root.hcl")
- merge_strategy = "deep"
- expose = true
-}
-
-terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-k8s-dashboard.git?ref=${include.root.inputs.release_version}"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20m"]
- }
-}
-
-dependency "eks" {
- config_path = "../eks"
- mock_outputs = {
- cluster_name = "a-cluster-name"
- vpc_domain_name = "example.com"
- }
-}
-
-dependency "eks-loki" {
- config_path = "../eks-loki"
- skip_outputs = true
-}
-
-inputs = {
- profile = include.root.inputs.aws_profile
- region = include.root.inputs.aws_region
- cluster_name = dependency.eks.outputs.cluster_name
- cluster_domain = dependency.eks.inputs.vpc_domain_name
- public_hostname = include.root.inputs.dashboard_hostname
- k8s_dashboard_version = include.root.inputs.k8s_dashboard_version
- # datasources = dependency.eks-loki.outputs.gateway_internal_endpoint
-}
diff --git a/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-karpenter/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-karpenter/terragrunt.hcl
deleted file mode 100644
index 6b1a862f..00000000
--- a/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-karpenter/terragrunt.hcl
+++ /dev/null
@@ -1,43 +0,0 @@
-include "root" {
- path = find_in_parent_folders("root.hcl")
- merge_strategy = "deep"
- expose = true
-}
-
-terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-karpenter.git?ref=${include.root.inputs.release_version}"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20m"]
- }
-}
-
-dependency "eks" {
- config_path = "../eks"
- mock_outputs = {
- cluster_endpoint = "https://0000000000000000AAAAAAAAAAAAAAAA.sk1.us-gov-east-1.eks.amazonaws.com"
- cluster_name = "a-cluster-name"
- node_group_name = "node_group_a-cluster-name"
- oidc_provider_arn = "arn:aws-us-gov:iam::111111111111:oidc-provider/oidc.eks.us-gov-east-1.amazonaws.com/id/0000000000000000AAAAAAAAAAAAAAAA"
- vpc_id = "a-vpc-name"
- }
-}
-
-dependency "eks-config" {
- config_path = "../eks-config"
- skip_outputs = true
-}
-
-inputs = {
- profile = include.root.inputs.aws_profile
- region = include.root.inputs.aws_region
- cluster_endpoint = dependency.eks.outputs.cluster_endpoint
- cluster_name = dependency.eks.outputs.cluster_name
- karpenter_node_group_name = dependency.eks.outputs.node_group_name
- oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
- vpc_id = dependency.eks.outputs.vpc_id
- karpenter_helm_chart = include.root.inputs.karpenter_helm_chart
- karpenter_tag = include.root.inputs.karpenter_tag
- kubectl_tag = include.root.inputs.kubectl_image_tag
-
-}
diff --git a/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-kiali/terragrunt.hcl.disable b/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-kiali/terragrunt.hcl.disable
deleted file mode 100644
index 1e04fe0d..00000000
--- a/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-kiali/terragrunt.hcl.disable
+++ /dev/null
@@ -1,81 +0,0 @@
-include "root" {
- path = find_in_parent_folders("root.hcl")
- merge_strategy = "deep"
- expose = true
-}
-
-terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-kiali.git?ref=${include.root.inputs.release_version}"
- # source = "../../../../../../../tfmod-kiali"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20m"]
- }
-}
-
-dependency "eks" {
- config_path = "../eks"
- mock_outputs = {
- cluster_name = "a-cluster-name"
- }
-}
-dependency "eks-cert-manager" {
- config_path = "../eks-cert-manager"
- mock_outputs = {
- cluster_issuer_name = "acmpca-clusterissuer"
- }
-}
-dependency "eks-prometheus" {
- config_path = "../eks-prometheus"
- mock_outputs = {
- prometheus_server_internal_endpoint = {
- hostname = "prometheus-server.prometheus.svc.cluster.local"
- port_number = 9090
- url = "http://prometheus-server.prometheus.svc.cluster.local:9090/"
- }
- }
-}
-dependency "eks-grafana" {
- config_path = "../eks-grafana"
- mock_outputs = {
- internal_endpoint = {
- hostname = "grafana.grafana.svc.cluster.local"
- port_number = "80"
- url = "https://grafana.grafana.svc.cluster.local:80/"
- }
- namespace = "grafana"
- public_endpoint = {
- hostname = "grafana.dev.lab.csp2.census.gov"
- port_number = "80"
- url = "https://grafana.dev.lab.csp2.census.gov:80/"
- }
- secret_name = "grafana"
- }
-}
-
-inputs = {
- kiali_operator_version = include.root.inputs.kiali_operator_version
- kiali_application_version = include.root.inputs.kiali_application_version
-
- profile = include.root.inputs.aws_profile
- cluster_domain = dependency.eks.inputs.vpc_domain_name
- operators_namespace = "operators"
- cluster_name = dependency.eks.outputs.cluster_name
- certificate_issuer = dependency.eks-cert-manager.outputs.cluster_issuer_name
- prometheus_internal_url = dependency.eks-prometheus.outputs.prometheus_server_internal_endpoint.url
- grafana_internal_url = dependency.eks-grafana.outputs.internal_endpoint.url
- grafana_namespace = dependency.eks-grafana.outputs.namespace
- grafana_public_url = dependency.eks-grafana.outputs.public_endpoint.url
- grafana_secret_name = "grafana"
- # grafana_secret_name = dependency.eks-grafana.outputs.secret_name
- jaeger_internal_url = ""
-
-
- # client_id = var.sso_client_id
- # client_secret = var.sso_client_secret
- # keycloak_public_url = var.keycloak_public_url
- # gogatekeeper_chart_version = var.gogatekeeper_chart_version
- # gogatekeeper_registry = var.gogatekeeper_registry
- # gogatekeeper_repository = var.gogatekeeper_repository
- # gogatekeeper_tag = var.gogatekeeper_tag
-}
diff --git a/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-loki/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-loki/terragrunt.hcl
deleted file mode 100644
index 2c6b6be5..00000000
--- a/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-loki/terragrunt.hcl
+++ /dev/null
@@ -1,44 +0,0 @@
-include "root" {
- path = find_in_parent_folders("root.hcl")
- merge_strategy = "deep"
- expose = true
-}
-
-terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-loki.git?ref=${include.root.inputs.release_version}"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20m"]
- }
-}
-
-dependency "eks" {
- config_path = "../eks"
- mock_outputs = {
- cluster_name = "a-cluster-name"
- oidc_provider_arn = "arn:aws-us-gov:iam::111111111111:oidc-provider/oidc.eks.us-gov-east-1.amazonaws.com/id/0000000000000000AAAAAAAAAAAAAAAA"
- }
-}
-dependency "eks-istio" {
- config_path = "../eks-istio"
- skip_outputs = true
-}
-dependency "eks-prometheus" {
- config_path = "../eks-prometheus"
- skip_outputs = true
-}
-
-inputs = {
- profile = include.root.inputs.aws_profile
- region = include.root.inputs.aws_region
- cluster_name = dependency.eks.outputs.cluster_name
- oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
- loki_chart_version = include.root.inputs.loki_chart_version
- loki_tag = include.root.inputs.loki_tag
- canary_tag = include.root.inputs.canary_tag
- enterprise_logs_provisioner_tag = include.root.inputs.enterprise_logs_provisioner_tag
- gateway_tag = include.root.inputs.gateway_tag
- memcached_tag = include.root.inputs.memcached_tag
- exporter_tag = include.root.inputs.exporter_tag
- sidecar_tag = include.root.inputs.sidecar_tag
-}
diff --git a/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-metrics-server/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-metrics-server/terragrunt.hcl
deleted file mode 100644
index 387653b9..00000000
--- a/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-metrics-server/terragrunt.hcl
+++ /dev/null
@@ -1,33 +0,0 @@
-include "root" {
- path = find_in_parent_folders("root.hcl")
- merge_strategy = "deep"
- expose = true
-}
-
-terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-metrics-server.git?ref=${include.root.inputs.release_version}"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20m"]
- }
-}
-
-dependency "eks" {
- config_path = "../eks"
- mock_outputs = {
- cluster_name = "a-cluster-name"
- }
-}
-
-dependency "eks_config" {
- config_path = "../eks-config"
- skip_outputs = true
-}
-
-inputs = {
- profile = include.root.inputs.aws_profile
- cluster_name = dependency.eks.outputs.cluster_name
- region = include.root.inputs.aws_region
- metrics_server_helm_chart = include.root.inputs.metrics_server_helm_chart
- metrics_server_tag = include.root.inputs.metrics_server_tag
-}
diff --git a/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-prometheus/README.md b/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-prometheus/README.md
deleted file mode 100644
index bbbffb2a..00000000
--- a/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-prometheus/README.md
+++ /dev/null
@@ -1,198 +0,0 @@ -## eks-prometheus -This module deploys EKS kubeenetes prometheus inside existing EKS cluster. Prometheus is an open-source systems monitoring and alerting tool. -This module consisits of 4 components. It creates prometheus namespace and copies image repositories for the following components from quay.io into local account ECR repository. It deploys these components using helm charts using the configured ECR repositories. - 1. prometheus-alert-manager - 2. prometheus-node-exporter - 3. prometheus-pushgateway - 4. prometheus-server - -### Dependencies -This module is dependent on EKS module (eks). The cluster should exist already for this module to work. - -### Inputs - cluster_name - profile - prometheus_chart_version - prometheus_server_tag - prometheus_config_reloader_tag - alertmanager_tag - kube_state_metrics_tag - node_exporter_tag - pushgateway_tag - rwo_storage_class - -### Outputs - alertmanager_internal_endpoint - alertmanager_headless_internal_endpoint - pushgateway_internal_endpoint - prometheus_server_internal_endpoint - -### Issues observed/fixed -1. The rwo_storage_class value had to be updated from "gp3" to "gp3-encrypted" -2. The node_exporter_tag value had to be updated from "1.6.1" to "v1.8.1" -3. The kube_state_metrics_tag value had to be updated from "2.10.0" to "v2.6.0" -4. The alertmanager_tag value had to be updated from -5. The helm chart set config for the ecr image had to be split into 2 components, one for registry and other for repository as an example mentioned below: - - ``` - set { - name = "kube-state-metrics.image.registry" - value = module.images.images[local.ksm_key].dest_registry - } - set { - name = "kube-state-metrics.image.repository" - value = module.images.images[local.ksm_key].dest_repository - } - ``` - -6. 
In some other cases the image ecr repository had to be split by the colon separatory (:) - - ``` - set { - name = "alertmanager.configmapReload.image.repository" - value = split(":", module.images.images[local.prom_config_reload_key].dest_full_path)[0] - } - ``` - -### Chart Notes - 1. Get the application URL by running these commands: - - ```bash - export POD_NAME=$(kubectl get pods --namespace prometheus -l "app.kubernetes.io/name=prometheus-pushgateway,app.kubernetes.io/instance=prometheus" -o jsonpath="{.items[0].metadata.name}") - kubectl port-forward $POD_NAME 9091 - echo "Visit http://127.0.0.1:9091 to use your application" - ``` - - The Prometheus server can be accessed via port 80 on the following DNS name from within your cluster: - prometheus-server.prometheus.svc.cluster.local - - - Get the Prometheus server URL by running these commands in the same shell: - - ```bash - export POD_NAME=$(kubectl get pods --namespace prometheus -l "app.kubernetes.io/name=prometheus,app.kubernetes.io/instance=prometheus" -o jsonpath="{.items[0].metadata.name}") - kubectl --namespace prometheus port-forward $POD_NAME 9090 - ``` - - The Prometheus alertmanager can be accessed via port 9093 on the following DNS name from within your cluster: - `prometheus-alertmanager.prometheus.svc.cluster.local` - - - Get the Alertmanager URL by running these commands in the same shell: - - ```bash - export POD_NAME=$(kubectl get pods --namespace prometheus -l "app.kubernetes.io/name=alertmanager,app.kubernetes.io/instance=prometheus" -o jsonpath="{.items[0].metadata.name}") - kubectl --namespace prometheus port-forward $POD_NAME 9093 - ``` - - ################################################################################# - ###### WARNING: Pod Security Policy has been disabled by default since ##### - ###### it deprecated after k8s 1.25+. 
use ##### - ###### (index .Values "prometheus-node-exporter" "rbac" ##### - ###### "pspEnabled") with (index .Values ##### - ###### "prometheus-node-exporter" "rbac" "pspAnnotations") ##### - ###### in case you still need it. ##### - ################################################################################# - - - The Prometheus PushGateway can be accessed via port 9091 on the following DNS name from within your cluster: - `prometheus-prometheus-pushgateway.prometheus.svc.cluster.local` - - - Get the PushGateway URL by running these commands in the same shell: - - ```bash - export POD_NAME=$(kubectl get pods --namespace prometheus -l "app=prometheus-pushgateway,component=pushgateway" -o jsonpath="{.items[0].metadata.name}") - kubectl --namespace prometheus port-forward $POD_NAME 9091 - ``` - - For more information on running Prometheus, visit: - https://prometheus.io/ - - kube-state-metrics is a simple service that listens to the Kubernetes API server and generates metrics about the state of the objects. - The exposed metrics can be found here: - https://github.com/kubernetes/kube-state-metrics/blob/master/docs/README.md#exposed-metrics - - The metrics are exported on the HTTP endpoint /metrics on the listening port. - In your case, `prometheus-kube-state-metrics.prometheus.svc.cluster.local:8080/metrics` - - They are served either as plaintext or protobuf depending on the Accept header. - They are designed to be consumed either by Prometheus itself or by a scraper that is compatible with scraping a Prometheus client endpoint. - - 1. Get the application URL by running these commands: - - ```bash - export POD_NAME=$(kubectl get pods --namespace prometheus -l "app.kubernetes.io/name=alertmanager,app.kubernetes.io/instance=prometheus" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:9093 to use your application" - kubectl --namespace prometheus port-forward $POD_NAME 9093:80 - ``` - - 1. 
Get the application URL by running these commands: - - ```bash - export POD_NAME=$(kubectl get pods --namespace prometheus -l "app.kubernetes.io/name=prometheus-node-exporter,app.kubernetes.io/instance=prometheus" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:9100 to use your application" - kubectl port-forward --namespace prometheus $POD_NAME 9100 - ``` - - -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 0.13 | -| [aws](#requirement\_aws) | >= 5.14.0 | -| [helm](#requirement\_helm) | >= 2.11.0 | -| [kubernetes](#requirement\_kubernetes) | >= 2.23.0 | -| [null](#requirement\_null) | >= 3.2.1 | - -## Providers - -| Name | Version | -|------|---------| -| [helm](#provider\_helm) | >= 2.11.0 | -| [kubernetes](#provider\_kubernetes) | >= 2.23.0 | - -## Modules - -| Name | Source | Version | -|------|--------|---------| -| [images](#module\_images) | git@github.e.it.census.gov:terraform-modules/aws-ecr-copy-images.git/ | tf-upgrade | - -## Resources - -| Name | Type | -|------|------| -| [helm_release.prometheus](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | -| [kubernetes_namespace.ns](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | -| [kubernetes_namespace.existing-ns](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/data-sources/namespace) | data source | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [alertmanager\_tag](#input\_alertmanager\_tag) | The image tag of the alertmanager image. | `string` | `"v0.27.0"` | no | -| [cluster\_name](#input\_cluster\_name) | The name of the cluster into which prometheus will be installed. 
| `string` | n/a | yes | -| [create\_namespace](#input\_create\_namespace) | Indicates whether the `namespace` needs to be created ('true') or already exists (not `true`) | `bool` | `true` | no | -| [kube\_state\_metrics\_tag](#input\_kube\_state\_metrics\_tag) | The image tag of the kube-state-metrics image. | `string` | `"v2.13.0"` | no | -| [namespace](#input\_namespace) | The namespace to install the prometheus components. Defaults to 'prometheus' | `string` | `"prometheus"` | no | -| [node\_exporter\_tag](#input\_node\_exporter\_tag) | The image tag of the node-exporter image. | `string` | `"v1.8.2"` | no | -| [profile](#input\_profile) | AWS\_PROFILE to use to apply the terraform script. | `string` | `""` | no | -| [prometheus\_chart\_version](#input\_prometheus\_chart\_version) | The version of prometheus to install into the cluster. | `string` | `"25.24.1"` | no | -| [prometheus\_config\_reloader\_tag](#input\_prometheus\_config\_reloader\_tag) | The image tag of the prometheus-config-reloader image. | `string` | `"v0.75.1"` | no | -| [prometheus\_server\_tag](#input\_prometheus\_server\_tag) | The image tag of prometheus server to install into the cluster. | `string` | `"v2.53.1"` | no | -| [pushgateway\_tag](#input\_pushgateway\_tag) | The image tag of the pushgateway image. | `string` | `"v1.9.0"` | no | -| [rwo\_storage\_class](#input\_rwo\_storage\_class) | Specify the storage class for read/write/once persistent volumes. | `string` | `"gp3-encrypted"` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| [alertmanager\_headless\_internal\_endpoint](#output\_alertmanager\_headless\_internal\_endpoint) | n/a | -| [alertmanager\_internal\_endpoint](#output\_alertmanager\_internal\_endpoint) | n/a | -| [module\_name](#output\_module\_name) | The name of this module. | -| [module\_version](#output\_module\_version) | The version of this module. 
|
-| [prometheus\_namespace](#output\_prometheus\_namespace) | n/a |
-| [prometheus\_server\_internal\_endpoint](#output\_prometheus\_server\_internal\_endpoint) | n/a |
-| [pushgateway\_internal\_endpoint](#output\_pushgateway\_internal\_endpoint) | n/a |
-
diff --git a/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-prometheus/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-prometheus/terragrunt.hcl
deleted file mode 100644
index e6c54b16..00000000
--- a/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-prometheus/terragrunt.hcl
+++ /dev/null
@@ -1,38 +0,0 @@
-include "root" {
- path = find_in_parent_folders("root.hcl")
- merge_strategy = "deep"
- expose = true
-}
-
-terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-prometheus.git?ref=${include.root.inputs.release_version}"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20m"]
- }
-}
-
-dependency "eks" {
- config_path = "../eks"
- mock_outputs = {
- cluster_name = "a-cluster-name"
- }
-}
-
-dependency "eks-dns" {
- config_path = "../eks-dns"
- skip_outputs = true
-}
-
-inputs = {
- profile = include.root.inputs.aws_profile
- region = include.root.inputs.aws_region
- cluster_name = dependency.eks.outputs.cluster_name
- prometheus_chart_version = include.root.inputs.prometheus_chart_version
- prometheus_server_tag = include.root.inputs.prometheus_server_tag
- prometheus_config_reloader_tag = include.root.inputs.prometheus_config_reloader_tag
- alertmanager_tag = include.root.inputs.alertmanager_tag
- kube_state_metrics_tag = include.root.inputs.kube_state_metrics_tag
- node_exporter_tag = include.root.inputs.node_exporter_tag
- pushgateway_tag = include.root.inputs.pushgateway_tag
-}
diff --git a/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-tempo/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-tempo/terragrunt.hcl
deleted file mode 100644
index e9ebd485..00000000
--- a/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks-tempo/terragrunt.hcl
+++ /dev/null
@@ -1,46 +0,0 @@
-include "root" {
- path = find_in_parent_folders("root.hcl")
- merge_strategy = "deep"
- expose = true
-}
-
-terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-tempo.git?ref=${include.root.inputs.release_version}"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20m"]
- }
-}
-
-dependency "eks" {
- config_path = "../eks"
- mock_outputs = {
- cluster_name = "a-cluster-name"
- oidc_provider_arn = "arn:aws-us-gov:iam::111111111111:oidc-provider/oidc.eks.us-gov-east-1.amazonaws.com/id/0000000000000000AAAAAAAAAAAAAAAA"
- }
-}
-
-dependency "eks-prometheus" {
- config_path = "../eks-prometheus"
- mock_outputs = {
- prometheus_server_internal_endpoint = {
- hostname = "prometheus-server.prometheus.svc.cluster.local"
- port_number = 9090
- url = "http://prometheus-server.prometheus.svc.cluster.local:9090/"
- }
- prometheus_namespace = "prometheus"
- }
-}
-
-inputs = {
- account_id = include.root.locals.account_id
- profile = include.root.locals.aws_profile
- region = include.root.locals.aws_region
- cluster_name = dependency.eks.outputs.cluster_name
- oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
- prometheus_port = dependency.eks-prometheus.outputs.prometheus_server_internal_endpoint.port_number
- prometheus_namespace = dependency.eks-prometheus.outputs.prometheus_namespace
- tempo_chart_version = include.root.inputs.tempo_chart_version
- tempo_tag = include.root.inputs.tempo_tag
-
-}
diff --git a/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks/terragrunt.hcl
deleted file mode 100644
index cc7c8935..00000000
--- a/lab/development/us-gov-east-1/vpc/platform-test-cicd/eks/terragrunt.hcl
+++ /dev/null
@@ -1,56 +0,0 @@
-include "root" {
- path = find_in_parent_folders("root.hcl")
- merge_strategy = "deep"
- expose = true
-}
-
-locals {
- # Set cluster/platform specific variables, or extract from the hierarchy.
- account_id = include.root.inputs.aws_account_id
- cluster_endpoint_public_access = include.root.inputs.cluster_endpoint_public_access
- cluster_name = include.root.inputs.cluster_name
- cluster_version = include.root.inputs.cluster_version
- creator = include.root.inputs.creator
- eks_instance_disk_size = include.root.inputs.eks_instance_disk_size
- eks_ng_desired_size = include.root.inputs.eks_ng_desired_size
- eks_ng_max_size = include.root.inputs.eks_ng_max_size
- eks_ng_min_size = include.root.inputs.eks_ng_min_size
- eks_vpc_name = include.root.inputs.vpc_name
- enable_cluster_creator_admin_permissions = include.root.inputs.enable_cluster_creator_admin_permissions
- environment_abbr = include.root.inputs.environment_abbr
- organization = include.root.inputs.organization
- profile = include.root.inputs.aws_profile
- project_name = include.root.inputs.project_name
- project_number = include.root.inputs.project_number
- project_role = include.root.inputs.project_role
- region = include.root.inputs.aws_region
- tags = include.root.inputs.tags
- terraform = include.root.inputs.terraform
- terragrunt = include.root.inputs.terragrunt
- vpc_domain_name = include.root.inputs.vpc_domain_name
-}
-
-terraform {
- source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git?ref=${include.root.inputs.release_version}"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20m"]
- }
-}
-
-inputs = {
- aws_account_id = local.account_id
- cluster_endpoint_public_access = local.cluster_endpoint_public_access
- cluster_name = local.cluster_name
- cluster_version = local.cluster_version
- creator = local.creator
- eks_instance_disk_size = local.eks_instance_disk_size
- eks_ng_desired_size = 
local.eks_ng_desired_size
- eks_ng_max_size = local.eks_ng_max_size
- eks_ng_min_size = local.eks_ng_min_size
- eks_vpc_name = local.eks_vpc_name
- enable_cluster_creator_admin_permissions = local.enable_cluster_creator_admin_permissions
- os_username = local.creator
- shared_vpc_label = local.environment_abbr
- tags = local.tags
-}
diff --git a/lab/development/us-gov-east-1/vpc/platform-test-x/cluster.hcl b/lab/development/us-gov-east-1/vpc/platform-test-x/cluster.hcl
deleted file mode 100644
index 8d2831cf..00000000
--- a/lab/development/us-gov-east-1/vpc/platform-test-x/cluster.hcl
+++ /dev/null
@@ -1,20 +0,0 @@
-# lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/cluster.hcl
-
-# Set cluster specific variables. These are automatically pulled in to configure the remote state bucket in the root
-# terragrunt.hcl configuration.
-locals {
- cluster_endpoint_public_access = true
- cluster_name = "platform-eng-eks-mcm"
- creator = "matthew.c.morgan@census.gov"
- eks_instance_disk_size = 100
- eks_ng_desired_size = 2
- eks_ng_max_size = 10
- eks_ng_min_size = 0
- enable_cluster_creator_admin_permissions = true
- terraform = true
- terragrunt = true
- tags = {
- "slim:schedule" = "8:00-17:00"
- "cluster:size" = "min:${local.eks_ng_min_size}-max:${local.eks_ng_max_size}-desired:${local.eks_ng_desired_size}"
- }
-}
diff --git a/lab/development/us-gov-east-1/vpc/platform-test-z/cluster.hcl b/lab/development/us-gov-east-1/vpc/platform-test-z/cluster.hcl
deleted file mode 100644
index 740c1ad9..00000000
--- a/lab/development/us-gov-east-1/vpc/platform-test-z/cluster.hcl
+++ /dev/null
@@ -1,21 +0,0 @@
-# lab/development/us-gov-east-1/vpc/platform-eng-eks-mcm/cluster.hcl
-
-# Set cluster specific variables. These are automatically pulled in to configure the remote state bucket in the root
-# terragrunt.hcl configuration.
-locals {
- cluster_endpoint_public_access = true
- cluster_name = "platform-test-z"
- created_reason = "Terragrunt Development for CICD Delivered EKS Platform"
- creator = "luther.coleman.mcginty@census.gov"
- eks_instance_disk_size = 100
- eks_ng_desired_size = 3
- eks_ng_max_size = 10
- eks_ng_min_size = 1
- enable_cluster_creator_admin_permissions = true
- terraform = true
- terragrunt = true
- tags = {
- "slim:schedule" = "8:00-17:00"
- "cluster:size" = "min:${local.eks_ng_min_size}-max:${local.eks_ng_max_size}-desired:${local.eks_ng_desired_size}"
- }
-}
diff --git a/lab/development/us-gov-east-1/vpc/platform-test-z/eks-alloy-disable/terragrunt.hcl.disable b/lab/development/us-gov-east-1/vpc/platform-test-z/eks-alloy-disable/terragrunt.hcl.disable
deleted file mode 100644
index 97aa66fd..00000000
--- a/lab/development/us-gov-east-1/vpc/platform-test-z/eks-alloy-disable/terragrunt.hcl.disable
+++ /dev/null
@@ -1,27 +0,0 @@
-include "root" {
- path = find_in_parent_folders()
- expose = true
-}
-
-terraform {
- # source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-alloy.git?ref=main"
- source = "../../../../../../../tfmod-alloy"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20m"]
- }
-}
-
-dependency "eks" {
- config_path = "../eks"
- mock_outputs = {
- cluster_name = "a-cluster-name"
- }
-}
-
-inputs = {
- profile = include.root.inputs.aws_profile
- cluster_name = dependency.eks.outputs.cluster_name
- region = include.root.inputs.aws_region
- cluster_domain = dependency.eks.inputs.vpc_domain_name
-}
diff --git a/lab/development/us-gov-east-1/vpc/platform-test-z/eks-cert-manager/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-z/eks-cert-manager/terragrunt.hcl
deleted file mode 100644
index 2522e07a..00000000
--- a/lab/development/us-gov-east-1/vpc/platform-test-z/eks-cert-manager/terragrunt.hcl
+++ /dev/null
@@ -1,57 +0,0 @@
-include "root" {
- path = find_in_parent_folders("root.hcl")
- merge_strategy = "deep"
- expose = true
-}
-
-terraform {
- # source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-cert-mgr.git?ref=${include.root.inputs.release_version}"
- source = "../../../../../../../tfmod-cert-mgr"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20m"]
- }
-}
-
-dependencies {
- paths = [
- "../eks",
- "../eks-config",
- "../eks-karpenter"
- ]
-}
-
-dependency "eks" {
- config_path = "../eks"
- mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
-
- mock_outputs = {
- cluster_name = include.root.inputs.cluster_name
- oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
- cluster_endpoint = "https://mock-endpoint.eks.amazonaws.com"
- cluster_version = include.root.inputs.cluster_version
- }
-}
-
-inputs = {
- # AWS Configuration
- account_id = include.root.inputs.aws_account_id
- profile = include.root.inputs.aws_profile
- region = include.root.inputs.aws_region
-
- # Cluster Configuration
- cluster_name = dependency.eks.outputs.cluster_name
- cluster_mailing_list = include.root.inputs.cluster_mailing_list
- oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
-
- # Cert Manager Configuration
- cert_manager_helm_chart = include.root.inputs.cert_manager_helm_chart
- cluster_issuer_name = include.root.inputs.cluster_issuer_name
-
- # Version Tags
- cert_manager_cainjector_tag = include.root.inputs.cert_manager_cainjector_tag
- cert_manager_controller_tag = include.root.inputs.cert_manager_controller_tag
- cert_manager_startupapicheck_tag = include.root.inputs.cert_manager_startupapicheck_tag
- cert_manager_webhook_tag = include.root.inputs.cert_manager_webhook_tag
- namespace = include.root.inputs.namespaces["cert-manager"]
-}
diff --git a/lab/development/us-gov-east-1/vpc/platform-test-z/eks-config/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-z/eks-config/terragrunt.hcl
deleted file mode 100644
index eefbf272..00000000
--- a/lab/development/us-gov-east-1/vpc/platform-test-z/eks-config/terragrunt.hcl
+++ /dev/null
@@ -1,54 +0,0 @@
-include "root" {
- path = find_in_parent_folders("root.hcl")
- merge_strategy = "deep"
- expose = true
-}
-
-dependencies {
- paths = [
- "../eks",
- # "../eks-karpenter"
- ]
-}
-
-terraform {
- # source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks-configuration.git?ref=${include.root.inputs.release_version}"
- source = "../../../../../../../tfmod-eks-configuration"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20m"]
- }
-}
-
-dependency "eks" {
- config_path = "../eks"
- mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
-
- mock_outputs = {
- cluster_name = "mock-cluster"
- cluster_endpoint = "https://mock-endpoint.eks.amazonaws.com"
- cluster_certificate_authority_data = [{ data = "mock-cert-data" }]
- eks_managed_node_groups_autoscaling_group_names = ["mock-asg-name"]
- oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
- security_group_all_worker_mgmt_id = "sg-mock"
- subnets = ["subnet-mock1", "subnet-mock2"]
- vpc_id = "vpc-mock"
- }
-}
-
-inputs = {
- # AWS Configuration
- account_id = include.root.inputs.aws_account_id
- profile = include.root.inputs.aws_profile
- region = include.root.inputs.aws_region
-
- # Core Cluster Configuration
- cluster_name = dependency.eks.outputs.cluster_name
- eks_managed_node_groups_autoscaling_group_names = dependency.eks.outputs.eks_managed_node_groups_autoscaling_group_names
- oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
- security_group_all_worker_mgmt_id = dependency.eks.outputs.security_group_all_worker_mgmt_id
- subnets = dependency.eks.outputs.subnets
- vpc_id = dependency.eks.outputs.vpc_id
- operators_ns = include.root.inputs.operator_namespace
- telemetry_ns = include.root.inputs.telemetry_namespace
-}
diff --git a/lab/development/us-gov-east-1/vpc/platform-test-z/eks-dns/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-z/eks-dns/terragrunt.hcl
deleted file mode 100644
index 83eb25fb..00000000
--- a/lab/development/us-gov-east-1/vpc/platform-test-z/eks-dns/terragrunt.hcl
+++ /dev/null
@@ -1,61 +0,0 @@
-include "root" {
- path = find_in_parent_folders("root.hcl")
- merge_strategy = "deep"
- expose = true
-}
-
-terraform {
- # source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks-dns.git?ref=${include.root.inputs.release_version}"
- source = "../../../../../../../tfmod-eks-dns"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20m"]
- }
-}
-
-dependency "eks" {
- config_path = "../eks"
- mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
- mock_outputs = {
- cluster_name = include.root.inputs.cluster_name
- subnets = ["subnet-mock1", "subnet-mock2", "subnet-mock3"]
- }
-}
-
-dependency "eks-istio" {
- config_path = "../eks-istio"
- mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
- mock_outputs = {
- istio_ingress_lb = {
- dns_name = "mock-${include.root.inputs.cluster_name}.elb.amazonaws.com"
- zone_id = "MOCKZONEID"
- }
- }
-}
-
-dependencies {
- paths = [
- "../eks-config",
- "../eks-istio",
- "../eks-karpenter"
- ]
-}
-
-inputs = {
- # AWS Configuration
- account_id = include.root.inputs.aws_account_id
- profile = include.root.inputs.aws_profile
- region = include.root.inputs.aws_region
-
- # Cluster Configuration
- cluster_name = include.root.inputs.cluster_name
-
- # Network Configuration
- istio_ingress_lb = dependency.eks-istio.outputs.istio_ingress_lb
- route53_endpoints = include.root.inputs.route53_endpoints
- vpc_domain_name = include.root.inputs.vpc_domain_name
- vpc_name = include.root.inputs.vpc_name
-
- # Additional Configuration
- tags = include.root.inputs.tags
-}
diff --git a/lab/development/us-gov-east-1/vpc/platform-test-z/eks-grafana/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-z/eks-grafana/terragrunt.hcl
deleted file mode 100644
index dda8453f..00000000
--- a/lab/development/us-gov-east-1/vpc/platform-test-z/eks-grafana/terragrunt.hcl
+++ /dev/null
@@ -1,81 +0,0 @@
-include "root" {
- path = find_in_parent_folders("root.hcl")
- merge_strategy = "deep"
- expose = true
-}
-
-terraform {
- # source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-grafana.git?ref=${include.root.inputs.release_version}"
- source = "../../../../../../../tfmod-grafana"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20m"]
- }
-}
-
-dependencies {
- paths = [
- "../eks",
- "../eks-loki",
- "../eks-prometheus",
- "../eks-tempo"
- ]
-}
-
-dependency "eks" {
- config_path = "../eks"
- mock_outputs = {
- cluster_name = "a-cluster-name"
- }
-}
-
-dependency "eks-loki" {
- config_path = "../eks-loki"
- mock_outputs = {
- rwo_storage_class = "gp3-encrypted"
- gateway_internal_endpoint = {
- hostname = "loki-gateway.telemetry.svc.cluster.local"
- portNumber = "80"
- url = "http://loki-gateway.telemetry.svc.cluster.local:80/"
- }
- }
-}
-
-dependency "eks-prometheus" {
- config_path = "../eks-prometheus"
- mock_outputs = {
- prometheus_server_internal_endpoint = {
- hostname = "prometheus-server.prometheus.svc.cluster.local"
- port_number = 9090
- url = "http://prometheus-server.prometheus.svc.cluster.local:9090/"
- }
- }
-}
-
-dependency "eks-tempo" {
- config_path = "../eks-tempo"
- mock_outputs = {
- tempo_internal_endpoint = {
- hostname = "tempo.telemetry.svc.cluster.local"
- port_number = 4317
- url = "http://tempo.telemetry.svc.cluster.local:4317/"
- }
- }
-}
-
-inputs = {
- cluster_domain = dependency.eks.inputs.vpc_domain_name
- cluster_name = dependency.eks.outputs.cluster_name
- download_dashboards_image_tag = include.root.inputs.download_dashboards_image_tag
- grafana_chart_version = include.root.inputs.grafana_chart_version
- grafana_tag = include.root.inputs.grafana_tag
- init_chown_data_image_tag = include.root.inputs.init_chown_data_image_tag
- profile = include.root.inputs.aws_profile
- public_hostname = include.root.inputs.grafana_hostname
- region = 
include.root.inputs.aws_region
- rwo_storage_class = dependency.eks-loki.outputs.rwo_storage_class
- loki_endpoint = dependency.eks-loki.outputs.gateway_internal_endpoint.url
- prometheus_endpoint = dependency.eks-prometheus.outputs.prometheus_server_internal_endpoint.url
- tempo_endpoint = dependency.eks-tempo.outputs.tempo_internal_endpoint.url
- namespace = include.root.inputs.namespaces["grafana"]
-}
diff --git a/lab/development/us-gov-east-1/vpc/platform-test-z/eks-istio/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-z/eks-istio/terragrunt.hcl
deleted file mode 100644
index dff8a76c..00000000
--- a/lab/development/us-gov-east-1/vpc/platform-test-z/eks-istio/terragrunt.hcl
+++ /dev/null
@@ -1,45 +0,0 @@
-include "root" {
- path = find_in_parent_folders("root.hcl")
- merge_strategy = "deep"
- expose = true
-}
-
-terraform {
- # source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-istio.git?ref=${include.root.inputs.release_version}"
- source = "../../../../../../../tfmod-istio"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20m"]
- }
-}
-
-dependencies {
- paths = [
- "../eks",
- "../eks-config"
- ]
-}
-
-dependency "eks" {
- config_path = "../eks"
- mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
- mock_outputs = {
- cluster_name = include.root.inputs.cluster_name
- oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
- }
-}
-
-inputs = {
- # AWS Configuration
- account_id = include.root.inputs.aws_account_id
- profile = include.root.inputs.aws_profile
- region = include.root.inputs.aws_region
-
- # Cluster Configuration
- cluster_name = dependency.eks.outputs.cluster_name
- oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
-
- # Istio Configuration
- namespace = include.root.inputs.namespaces["istio"]
- istio_version = include.root.inputs.istio_version
-}
diff --git a/lab/development/us-gov-east-1/vpc/platform-test-z/eks-k8s-dashboard/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-z/eks-k8s-dashboard/terragrunt.hcl
deleted file mode 100644
index 7bccdc3f..00000000
--- a/lab/development/us-gov-east-1/vpc/platform-test-z/eks-k8s-dashboard/terragrunt.hcl
+++ /dev/null
@@ -1,46 +0,0 @@
-include "root" {
- path = find_in_parent_folders("root.hcl")
- merge_strategy = "deep"
- expose = true
-}
-
-terraform {
- # source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-k8s-dashboard.git?ref=${include.root.inputs.release_version}"
- source = "../../../../../../../tfmod-k8s-dashboard"
- extra_arguments "retry_lock" {
- commands = get_terraform_commands_that_need_locking()
- arguments = ["-lock-timeout=20m"]
- }
-}
-
-dependencies {
- paths = [
- "../eks",
- "../eks-config",
- "../eks-dns"
- ]
-}
-
-dependency "eks" {
- config_path = "../eks"
- mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
- mock_outputs = {
- cluster_name = include.root.inputs.cluster_name
- oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
- }
-}
-
-inputs = {
- # AWS Configuration
- account_id = include.root.inputs.aws_account_id
- profile = include.root.inputs.aws_profile
- region = include.root.inputs.aws_region
-
- # Cluster Configuration
- cluster_domain = include.root.inputs.vpc_domain_name
- cluster_name = dependency.eks.outputs.cluster_name
-
- # Dashboard Configuration
- k8s_dashboard_version = include.root.inputs.k8s_dashboard_version
- namespace = include.root.inputs.namespaces["k8s-dashboard"]
-}
\ No newline at end of file
diff --git a/lab/development/us-gov-east-1/vpc/platform-test-z/eks-karpenter/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-z/eks-karpenter/terragrunt.hcl
deleted file mode 100644
index a713f4d9..00000000
--- a/lab/development/us-gov-east-1/vpc/platform-test-z/eks-karpenter/terragrunt.hcl
+++ /dev/null
@@ -1,49 +0,0 @@ -include "root" { - path = find_in_parent_folders("root.hcl") - merge_strategy = "deep" - expose = true -} - -terraform { - # source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-karpenter.git?ref=${include.root.inputs.release_version}" - source = "../../../../../../../tfmod-karpenter" - extra_arguments "retry_lock" { - commands = get_terraform_commands_that_need_locking() - arguments = ["-lock-timeout=20m"] - } -} -dependencies { - paths = ["../eks"] -} - -dependency "eks" { - config_path = "../eks" - mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] - - mock_outputs = { - cluster_name = "mock-cluster" - cluster_endpoint = "https://mock-endpoint.eks.amazonaws.com" - oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock" - node_group_name = "mock-node-group" - vpc_id = "vpc-mock" - subnets = ["subnet-mock1", "subnet-mock2"] - } -} - -inputs = { - # AWS Configuration - account_id = include.root.inputs.aws_account_id - profile = include.root.inputs.aws_profile - region = include.root.inputs.aws_region - - # Cluster Configuration - cluster_endpoint = dependency.eks.outputs.cluster_endpoint - cluster_name = dependency.eks.outputs.cluster_name - oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn - - # Karpenter Configuration - karpenter_tag = include.root.inputs.karpenter_tag - karpenter_helm_chart = include.root.inputs.karpenter_helm_chart - karpenter_node_group_name = dependency.eks.outputs.node_group_name - namespace = include.root.inputs.namespaces["karpenter"] -} diff --git a/lab/development/us-gov-east-1/vpc/platform-test-z/eks-kiali/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-z/eks-kiali/terragrunt.hcl deleted file mode 100644 index d0494ec1..00000000 --- a/lab/development/us-gov-east-1/vpc/platform-test-z/eks-kiali/terragrunt.hcl +++ /dev/null 
@@ -1,91 +0,0 @@ -include "root" { - path = find_in_parent_folders("root.hcl") - merge_strategy = "deep" - expose = true -} - -terraform { - # source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-kiali.git?ref=mcmCluster" - source = "../../../../../../../tfmod-kiali" - extra_arguments "retry_lock" { - commands = get_terraform_commands_that_need_locking() - arguments = ["-lock-timeout=20m"] - } -} - -dependency "eks" { - config_path = "../eks" - mock_outputs = { - cluster_name = "a-cluster-name" - } -} -dependency "eks-cert-manager" { - config_path = "../eks-cert-manager" - mock_outputs = { - cluster_issuer_name = "acmpca-clusterissuer" - } -} -dependency "eks-prometheus" { - config_path = "../eks-prometheus" - mock_outputs = { - prometheus_server_internal_endpoint = { - hostname = "prometheus-server.prometheus.svc.cluster.local" - port_number = 9090 - url = "http://prometheus-server.prometheus.svc.cluster.local:9090/" - } - } -} -dependency "eks-tempo" { - config_path = "../eks-tempo" - mock_outputs = { - tempo_internal_endpoint = { - hostname = "tempo.tempo.svc.cluster.local" - port_number = 3100 - url = "http://tempo.tempo.svc.cluster.local:3100/" - } - } -} -dependency "eks-grafana" { - config_path = "../eks-grafana" - mock_outputs = { - internal_endpoint = { - hostname = "grafana.grafana.svc.cluster.local" - port_number = "80" - url = "https://grafana.grafana.svc.cluster.local:80/" - } - namespace = "grafana" - public_endpoint = "https://grafana.dev.lab.csp2.census.gov:80/" - secret_name = "grafana" - tempo_datasource_id = "tempo" - } -} - -inputs = { - profile = include.root.inputs.aws_profile - cluster_domain = dependency.eks.inputs.vpc_domain_name - cluster_name = dependency.eks.outputs.cluster_name - certificate_issuer = dependency.eks-cert-manager.outputs.cluster_issuer_name - - kiali_application_version = include.root.inputs.kiali_application_version - - namespace = include.root.inputs.namespaces["kiali"] - istio_namespace = 
include.root.inputs.namespaces["istio"] - - prometheus_internal_url = dependency.eks-prometheus.outputs.prometheus_server_internal_endpoint.url - grafana_namespace = dependency.eks-grafana.outputs.namespace - grafana_secret_name = dependency.eks-grafana.outputs.secret_name - grafana_internal_url = dependency.eks-grafana.outputs.internal_endpoint.url - grafana_public_url = dependency.eks-grafana.outputs.public_endpoint - tempo_datasource_id = dependency.eks-grafana.outputs.tempo_datasource_id - tempo_internal_url = dependency.eks-tempo.outputs.tempo_internal_endpoint.url - - - - # client_id = var.sso_client_id - # client_secret = var.sso_client_secret - # keycloak_public_url = var.keycloak_public_url - # gogatekeeper_chart_version = var.gogatekeeper_chart_version - # gogatekeeper_registry = var.gogatekeeper_registry - # gogatekeeper_repository = var.gogatekeeper_repository - # gogatekeeper_tag = var.gogatekeeper_tag -} diff --git a/lab/development/us-gov-east-1/vpc/platform-test-z/eks-loki/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-z/eks-loki/terragrunt.hcl deleted file mode 100644 index 4c4de2fd..00000000 --- a/lab/development/us-gov-east-1/vpc/platform-test-z/eks-loki/terragrunt.hcl +++ /dev/null 
@@ -1,48 +0,0 @@ -include "root" { - path = find_in_parent_folders("root.hcl") - merge_strategy = "deep" - expose = true -} - -terraform { - # source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-loki.git?ref=${include.root.inputs.release_version}" - source = "../../../../../../../tfmod-loki-x" - extra_arguments "retry_lock" { - commands = get_terraform_commands_that_need_locking() - arguments = ["-lock-timeout=20m"] - } -} - -dependency "eks" { - config_path = "../eks" - mock_outputs = { - cluster_name = "a-cluster-name" - oidc_provider_arn = "arn:aws-us-gov:iam::111111111111:oidc-provider/oidc.eks.us-gov-east-1.amazonaws.com/id/0000000000000000AAAAAAAAAAAAAAAA" - } -} - -dependency "eks-istio" { - config_path = "../eks-istio" - skip_outputs = true -} - -# dependency "eks-prometheus" { -# config_path = "../eks-prometheus" -# skip_outputs = true -# } - -inputs = { - profile = include.root.inputs.aws_profile - region = include.root.inputs.aws_region - cluster_name = dependency.eks.outputs.cluster_name - oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn - loki_chart_version = include.root.inputs.loki_chart_version - loki_tag = include.root.inputs.loki_tag - canary_tag = include.root.inputs.canary_tag - enterprise_logs_provisioner_tag = include.root.inputs.enterprise_logs_provisioner_tag - gateway_tag = include.root.inputs.gateway_tag - memcached_tag = include.root.inputs.memcached_tag - exporter_tag = include.root.inputs.exporter_tag - sidecar_tag = include.root.inputs.sidecar_tag - namespace = include.root.inputs.namespaces["loki"] -} diff --git a/lab/development/us-gov-east-1/vpc/platform-test-z/eks-metrics-server/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-z/eks-metrics-server/terragrunt.hcl deleted file mode 100644 index 06817cc0..00000000 --- a/lab/development/us-gov-east-1/vpc/platform-test-z/eks-metrics-server/terragrunt.hcl +++ /dev/null 
@@ -1,44 +0,0 @@ -include "root" { - path = find_in_parent_folders("root.hcl") - merge_strategy = "deep" - expose = true -} - -dependencies { - paths = [ - "../eks", - "../eks-config" - ] -} - -terraform { - # source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-metrics-server.git?ref=${include.root.inputs.release_version}" - source = "../../../../../../../tfmod-metrics-server" - extra_arguments "retry_lock" { - commands = get_terraform_commands_that_need_locking() - arguments = ["-lock-timeout=20m"] - } -} - -dependency "eks" { - config_path = "../eks" - mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] - mock_outputs = { - cluster_name = "mock-cluster" - } -} - -inputs = { - # AWS Configuration - account_id = include.root.inputs.aws_account_id - profile = include.root.inputs.aws_profile - region = include.root.inputs.aws_region - - # Cluster Configuration - cluster_name = dependency.eks.outputs.cluster_name - - # Metrics Server Configuration - metrics_server_helm_chart = include.root.inputs.metrics_server_helm_chart - metrics_server_tag = include.root.inputs.metrics_server_tag - namespace = include.root.inputs.namespaces["metrics-server"] -} diff --git a/lab/development/us-gov-east-1/vpc/platform-test-z/eks-open-telemetry/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-z/eks-open-telemetry/terragrunt.hcl deleted file mode 100644 index 2b4ce337..00000000 --- a/lab/development/us-gov-east-1/vpc/platform-test-z/eks-open-telemetry/terragrunt.hcl +++ /dev/null 
@@ -1,61 +0,0 @@ -include "root" { - path = find_in_parent_folders("root.hcl") - merge_strategy = "deep" - expose = true -} - -terraform { - # source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-open-telemetry.git?ref=main" - source = "../../../../../../../tfmod-open-telemetry" - extra_arguments "retry_lock" { - commands = get_terraform_commands_that_need_locking() - arguments = ["-lock-timeout=20m"] - } -} - -dependencies { - paths = [ - "../eks", - "../eks-loki", - "../eks-prometheus", - "../eks-tempo" - ] -} - -dependency "eks" { - config_path = "../eks" - mock_outputs = { - cluster_name = "a-cluster-name" - } -} - -dependency "eks-loki" { - config_path = "../eks-loki" - mock_outputs = { - gateway_internal_endpoint = { - hostname = "loki-gateway.telemetry.svc.cluster.local" - portNumber = "80" - url = "http://loki-gateway.telemetry.svc.cluster.local:80/" - } - } -} - -dependency "eks-tempo" { - config_path = "../eks-tempo" - mock_outputs = { - tempo_otlp_endpoint = { - hostname = "tempo.telemetry.svc.cluster.local" - portNumber = 4317 - url = "http://tempo.telemetry.svc.cluster.local:4317/" - } - } -} - -inputs = { - profile = include.root.inputs.aws_profile - cluster_name = dependency.eks.outputs.cluster_name - region = include.root.inputs.aws_region - namespace = include.root.inputs.namespaces["otel"] - loki_endpoint = dependency.eks-loki.outputs.gateway_internal_endpoint.url - tempo_endpoint = dependency.eks-tempo.outputs.tempo_otlp_endpoint.url -} diff --git a/lab/development/us-gov-east-1/vpc/platform-test-z/eks-prometheus/README.md b/lab/development/us-gov-east-1/vpc/platform-test-z/eks-prometheus/README.md deleted file mode 100644 index bbbffb2a..00000000 --- a/lab/development/us-gov-east-1/vpc/platform-test-z/eks-prometheus/README.md +++ /dev/null 
@@ -1,198 +0,0 @@ -## eks-prometheus -This module deploys EKS kubeenetes prometheus inside existing EKS cluster. Prometheus is an open-source systems monitoring and alerting tool. -This module consisits of 4 components. It creates prometheus namespace and copies image repositories for the following components from quay.io into local account ECR repository. It deploys these components using helm charts using the configured ECR repositories. - 1. prometheus-alert-manager - 2. prometheus-node-exporter - 3. prometheus-pushgateway - 4. prometheus-server - -### Dependencies -This module is dependent on EKS module (eks). The cluster should exist already for this module to work. - -### Inputs - cluster_name - profile - prometheus_chart_version - prometheus_server_tag - prometheus_config_reloader_tag - alertmanager_tag - kube_state_metrics_tag - node_exporter_tag - pushgateway_tag - rwo_storage_class - -### Outputs - alertmanager_internal_endpoint - alertmanager_headless_internal_endpoint - pushgateway_internal_endpoint - prometheus_server_internal_endpoint - -### Issues observed/fixed -1. The rwo_storage_class value had to be updated from "gp3" to "gp3-encrypted" -2. The node_exporter_tag value had to be updated from "1.6.1" to "v1.8.1" -3. The kube_state_metrics_tag value had to be updated from "2.10.0" to "v2.6.0" -4. The alertmanager_tag value had to be updated from -5. The helm chart set config for the ecr image had to be split into 2 components, one for registry and other for repository as an example mentioned below: - - ``` - set { - name = "kube-state-metrics.image.registry" - value = module.images.images[local.ksm_key].dest_registry - } - set { - name = "kube-state-metrics.image.repository" - value = module.images.images[local.ksm_key].dest_repository - } - ``` - -6. 
In some other cases the image ecr repository had to be split by the colon separatory (:) - - ``` - set { - name = "alertmanager.configmapReload.image.repository" - value = split(":", module.images.images[local.prom_config_reload_key].dest_full_path)[0] - } - ``` - -### Chart Notes - 1. Get the application URL by running these commands: - - ```bash - export POD_NAME=$(kubectl get pods --namespace prometheus -l "app.kubernetes.io/name=prometheus-pushgateway,app.kubernetes.io/instance=prometheus" -o jsonpath="{.items[0].metadata.name}") - kubectl port-forward $POD_NAME 9091 - echo "Visit http://127.0.0.1:9091 to use your application" - ``` - - The Prometheus server can be accessed via port 80 on the following DNS name from within your cluster: - prometheus-server.prometheus.svc.cluster.local - - - Get the Prometheus server URL by running these commands in the same shell: - - ```bash - export POD_NAME=$(kubectl get pods --namespace prometheus -l "app.kubernetes.io/name=prometheus,app.kubernetes.io/instance=prometheus" -o jsonpath="{.items[0].metadata.name}") - kubectl --namespace prometheus port-forward $POD_NAME 9090 - ``` - - The Prometheus alertmanager can be accessed via port 9093 on the following DNS name from within your cluster: - `prometheus-alertmanager.prometheus.svc.cluster.local` - - - Get the Alertmanager URL by running these commands in the same shell: - - ```bash - export POD_NAME=$(kubectl get pods --namespace prometheus -l "app.kubernetes.io/name=alertmanager,app.kubernetes.io/instance=prometheus" -o jsonpath="{.items[0].metadata.name}") - kubectl --namespace prometheus port-forward $POD_NAME 9093 - ``` - - ################################################################################# - ###### WARNING: Pod Security Policy has been disabled by default since ##### - ###### it deprecated after k8s 1.25+. 
use ##### - ###### (index .Values "prometheus-node-exporter" "rbac" ##### - ###### "pspEnabled") with (index .Values ##### - ###### "prometheus-node-exporter" "rbac" "pspAnnotations") ##### - ###### in case you still need it. ##### - ################################################################################# - - - The Prometheus PushGateway can be accessed via port 9091 on the following DNS name from within your cluster: - `prometheus-prometheus-pushgateway.prometheus.svc.cluster.local` - - - Get the PushGateway URL by running these commands in the same shell: - - ```bash - export POD_NAME=$(kubectl get pods --namespace prometheus -l "app=prometheus-pushgateway,component=pushgateway" -o jsonpath="{.items[0].metadata.name}") - kubectl --namespace prometheus port-forward $POD_NAME 9091 - ``` - - For more information on running Prometheus, visit: - https://prometheus.io/ - - kube-state-metrics is a simple service that listens to the Kubernetes API server and generates metrics about the state of the objects. - The exposed metrics can be found here: - https://github.com/kubernetes/kube-state-metrics/blob/master/docs/README.md#exposed-metrics - - The metrics are exported on the HTTP endpoint /metrics on the listening port. - In your case, `prometheus-kube-state-metrics.prometheus.svc.cluster.local:8080/metrics` - - They are served either as plaintext or protobuf depending on the Accept header. - They are designed to be consumed either by Prometheus itself or by a scraper that is compatible with scraping a Prometheus client endpoint. - - 1. Get the application URL by running these commands: - - ```bash - export POD_NAME=$(kubectl get pods --namespace prometheus -l "app.kubernetes.io/name=alertmanager,app.kubernetes.io/instance=prometheus" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:9093 to use your application" - kubectl --namespace prometheus port-forward $POD_NAME 9093:80 - ``` - - 1. 
Get the application URL by running these commands: - - ```bash - export POD_NAME=$(kubectl get pods --namespace prometheus -l "app.kubernetes.io/name=prometheus-node-exporter,app.kubernetes.io/instance=prometheus" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:9100 to use your application" - kubectl port-forward --namespace prometheus $POD_NAME 9100 - ``` - - -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 0.13 | -| [aws](#requirement\_aws) | >= 5.14.0 | -| [helm](#requirement\_helm) | >= 2.11.0 | -| [kubernetes](#requirement\_kubernetes) | >= 2.23.0 | -| [null](#requirement\_null) | >= 3.2.1 | - -## Providers - -| Name | Version | -|------|---------| -| [helm](#provider\_helm) | >= 2.11.0 | -| [kubernetes](#provider\_kubernetes) | >= 2.23.0 | - -## Modules - -| Name | Source | Version | -|------|--------|---------| -| [images](#module\_images) | git@github.e.it.census.gov:terraform-modules/aws-ecr-copy-images.git/ | tf-upgrade | - -## Resources - -| Name | Type | -|------|------| -| [helm_release.prometheus](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | -| [kubernetes_namespace.ns](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | -| [kubernetes_namespace.existing-ns](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/data-sources/namespace) | data source | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [alertmanager\_tag](#input\_alertmanager\_tag) | The image tag of the alertmanager image. | `string` | `"v0.27.0"` | no | -| [cluster\_name](#input\_cluster\_name) | The name of the cluster into which prometheus will be installed. 
| `string` | n/a | yes | -| [create\_namespace](#input\_create\_namespace) | Indicates whether the `namespace` needs to be created ('true') or already exists (not `true`) | `bool` | `true` | no | -| [kube\_state\_metrics\_tag](#input\_kube\_state\_metrics\_tag) | The image tag of the kube-state-metrics image. | `string` | `"v2.13.0"` | no | -| [namespace](#input\_namespace) | The namespace to install the prometheus components. Defaults to 'prometheus' | `string` | `"prometheus"` | no | -| [node\_exporter\_tag](#input\_node\_exporter\_tag) | The image tag of the node-exporter image. | `string` | `"v1.8.2"` | no | -| [profile](#input\_profile) | AWS\_PROFILE to use to apply the terraform script. | `string` | `""` | no | -| [prometheus\_chart\_version](#input\_prometheus\_chart\_version) | The version of prometheus to install into the cluster. | `string` | `"25.24.1"` | no | -| [prometheus\_config\_reloader\_tag](#input\_prometheus\_config\_reloader\_tag) | The image tag of the prometheus-config-reloader image. | `string` | `"v0.75.1"` | no | -| [prometheus\_server\_tag](#input\_prometheus\_server\_tag) | The image tag of prometheus server to install into the cluster. | `string` | `"v2.53.1"` | no | -| [pushgateway\_tag](#input\_pushgateway\_tag) | The image tag of the pushgateway image. | `string` | `"v1.9.0"` | no | -| [rwo\_storage\_class](#input\_rwo\_storage\_class) | Specify the storage class for read/write/once persistent volumes. | `string` | `"gp3-encrypted"` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| [alertmanager\_headless\_internal\_endpoint](#output\_alertmanager\_headless\_internal\_endpoint) | n/a | -| [alertmanager\_internal\_endpoint](#output\_alertmanager\_internal\_endpoint) | n/a | -| [module\_name](#output\_module\_name) | The name of this module. | -| [module\_version](#output\_module\_version) | The version of this module. 
| -| [prometheus\_namespace](#output\_prometheus\_namespace) | n/a | -| [prometheus\_server\_internal\_endpoint](#output\_prometheus\_server\_internal\_endpoint) | n/a | -| [pushgateway\_internal\_endpoint](#output\_pushgateway\_internal\_endpoint) | n/a | - diff --git a/lab/development/us-gov-east-1/vpc/platform-test-z/eks-prometheus/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-z/eks-prometheus/terragrunt.hcl deleted file mode 100644 index 030dd33c..00000000 --- a/lab/development/us-gov-east-1/vpc/platform-test-z/eks-prometheus/terragrunt.hcl +++ /dev/null @@ -1,40 +0,0 @@ -include "root" { - path = find_in_parent_folders("root.hcl") - merge_strategy = "deep" - expose = true -} - -terraform { - # source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-prometheus.git?ref=${include.root.inputs.release_version}" - source = "../../../../../../../tfmod-prometheus" - extra_arguments "retry_lock" { - commands = get_terraform_commands_that_need_locking() - arguments = ["-lock-timeout=20m"] - } -} - -dependency "eks" { - config_path = "../eks" - mock_outputs = { - cluster_name = "a-cluster-name" - } -} - -dependency "eks-dns" { - config_path = "../eks-dns" - skip_outputs = true -} - -inputs = { - profile = include.root.inputs.aws_profile - region = include.root.inputs.aws_region - cluster_name = dependency.eks.outputs.cluster_name - prometheus_chart_version = include.root.inputs.prometheus_chart_version - prometheus_server_tag = include.root.inputs.prometheus_server_tag - prometheus_config_reloader_tag = include.root.inputs.prometheus_config_reloader_tag - alertmanager_tag = include.root.inputs.alertmanager_tag - kube_state_metrics_tag = include.root.inputs.kube_state_metrics_tag - node_exporter_tag = include.root.inputs.node_exporter_tag - pushgateway_tag = include.root.inputs.pushgateway_tag - namespace = include.root.inputs.namespaces["prometheus"] -} 
diff --git a/lab/development/us-gov-east-1/vpc/platform-test-z/eks-tempo/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-z/eks-tempo/terragrunt.hcl deleted file mode 100644 index d14c8a1e..00000000 --- a/lab/development/us-gov-east-1/vpc/platform-test-z/eks-tempo/terragrunt.hcl +++ /dev/null @@ -1,47 +0,0 @@ -include "root" { - path = find_in_parent_folders("root.hcl") - merge_strategy = "deep" - expose = true -} - -terraform { - # source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-tempo.git?ref=${include.root.inputs.release_version}" - source = "../../../../../../../tfmod-tempo" - extra_arguments "retry_lock" { - commands = get_terraform_commands_that_need_locking() - arguments = ["-lock-timeout=20m"] - } -} - -dependency "eks" { - config_path = "../eks" - mock_outputs = { - cluster_name = "a-cluster-name" - oidc_provider_arn = "arn:aws-us-gov:iam::111111111111:oidc-provider/oidc.eks.us-gov-east-1.amazonaws.com/id/0000000000000000AAAAAAAAAAAAAAAA" - } -} - -dependency "eks-prometheus" { - config_path = "../eks-prometheus" - mock_outputs = { - prometheus_server_internal_endpoint = { - hostname = "prometheus-server.prometheus.svc.cluster.local" - port_number = 9090 - url = "http://prometheus-server.prometheus.svc.cluster.local:9090/" - } - prometheus_namespace = "prometheus" - } -} - -inputs = { - account_id = include.root.locals.account_id - profile = include.root.locals.aws_profile - region = include.root.locals.aws_region - cluster_name = dependency.eks.outputs.cluster_name - oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn - prometheus_port = dependency.eks-prometheus.outputs.prometheus_server_internal_endpoint.port_number - prometheus_namespace = dependency.eks-prometheus.outputs.prometheus_namespace - tempo_chart_version = include.root.inputs.tempo_chart_version - tempo_tag = include.root.inputs.tempo_tag - namespace = include.root.inputs.namespaces["tempo"] -} 
diff --git a/lab/development/us-gov-east-1/vpc/platform-test-z/eks/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/platform-test-z/eks/terragrunt.hcl deleted file mode 100644 index c77be43b..00000000 --- a/lab/development/us-gov-east-1/vpc/platform-test-z/eks/terragrunt.hcl +++ /dev/null @@ -1,28 +0,0 @@ -include "root" { - path = find_in_parent_folders("root.hcl") - merge_strategy = "deep" - expose = true -} - -terraform { - # source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git?ref=${include.root.inputs.release_version}" - source = "../../../../../../../tfmod-eks" - extra_arguments "retry_lock" { - commands = get_terraform_commands_that_need_locking() - arguments = ["-lock-timeout=20m"] - } -} - -inputs = { - # AWS Configuration - account_id = include.root.inputs.aws_account_id - profile = include.root.inputs.aws_profile - region = include.root.inputs.aws_region - - # Core Cluster Configuration - cluster_name = include.root.inputs.cluster_name - cluster_version = include.root.inputs.cluster_version - - # Additional Configuration - tags = include.root.inputs.tags -} diff --git a/lab/root.hcl b/lab/root.hcl index 10706ffd..c2be3dc7 100644 --- a/lab/root.hcl +++ b/lab/root.hcl 
@@ -25,20 +25,19 @@ locals {
 vpc_vars = read_terragrunt_config(find_in_parent_folders("vpc.hcl"))
 # Extract the variables we need for easy access
- account_id = local.account_vars.locals.aws_account_id
- aws_profile = local.account_vars.locals.aws_profile
- aws_region = local.region_vars.locals.aws_region
- cluster_name = local.cluster_vars.locals.cluster_name
- environment_abbr = local.account_vars.locals.environment_abbr
- organization = local.common_vars.locals.organization
- project_name = local.common_vars.locals.project_name
- project_number = local.common_vars.locals.project_number
- project_role = local.common_vars.locals.project_role
- state_bucket_prefix = local.common_vars.locals.state_bucket_prefix
- state_table_name = local.common_vars.locals.state_table_name
- # Check if current module is the EKS module
- module_name = basename(get_original_terragrunt_dir())
- is_eks_module = local.module_name == "eks"
+ account_id = local.account_vars.locals.aws_account_id
+ aws_profile = local.account_vars.locals.aws_profile
+ aws_region = local.region_vars.locals.aws_region
+ cluster_name = local.cluster_vars.locals.cluster_name
+ environment_abbr = local.account_vars.locals.environment_abbr
+ finops_project_name = local.common_vars.locals.finops_project_name
+ finops_project_number = local.common_vars.locals.finops_project_number
+ finops_project_role = local.common_vars.locals.finops_project_role
+ is_eks_module = local.module_name == "eks"
+ module_name = basename(get_original_terragrunt_dir())
+ organization = local.common_vars.locals.organization
+ state_bucket_prefix = local.common_vars.locals.state_bucket_prefix
+ state_table_name = local.common_vars.locals.state_table_name
 }
 # Only generate providers for non-EKS modules
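Review bot: The comment that explained `is_eks_module` is dropped in this locals hunk of lab/root.hcl, while the flag still appears to gate provider generation (the trailing context reads `# Only generate providers for non-EKS modules`). Because the value is derived from the unit's directory basename, a reader needs to know that naming a directory `eks` changes which providers are generated; I would keep a line such as `# is_eks_module: true only when the unit directory is named "eks"; used below to skip provider generation`. The renamed `finops_project_*` locals read keys of the same name from `common_vars`, so the common file has to define them in this same change; that file is not visible in this hunk. The `locals` block starts above the hunk.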
@@ -128,9 +127,9 @@ generate "aws-provider" {
 cluster_name = "${local.cluster_name}"
 "boc:module_name" = "${local.module_name}"
 environment = "${local.environment_abbr}"
- finops_project_name = "${local.project_name}"
- finops_project_number = "${local.project_number}"
- finops_project_role = "${local.project_role}"
+ finops_project_name = "${local.finops_project_name}"
+ finops_project_number = "${local.finops_project_number}"
+ finops_project_role = "${local.finops_project_role}"
 organization = "${local.organization}"
 }
 }
diff --git a/notes.md b/notes.md
index 55a5ffc3..984bfc42 100644
--- a/notes.md
+++ b/notes.md
@@ -54,25 +54,3 @@ resource "aws_eks_cluster" "main" { resources = ["secrets"] } } - -24m Warning FailedGetResourceMetric horizontalpodautoscaler/loki-write failed to get cpu utilization: unable to get metrics for resource cpu: no metrics returned from resource metrics API -24m Warning FailedComputeMetricsReplicas horizontalpodautoscaler/loki-write invalid metrics (1 invalid out of 1), first error is: failed to get cpu resource metric value: failed to get cpu utilization: unable to get metrics for resource cpu: no metrics returned from resource metrics API -22m Warning FailedGetResourceMetric horizontalpodautoscaler/loki-write failed to get cpu utilization: did not receive metrics for targeted pods (pods might be unready) -2 -29m Warning FailedGetResourceMetric horizontalpodautoscaler/istiod failed to get cpu utilization: unable to get metrics for resource cpu: unable to fetch metrics from resource metrics API: the server could not find the requested resource (get pods.metrics.k8s.io) -29m Warning FailedComputeMetricsReplicas horizontalpodautoscaler/istiod invalid metrics (1 invalid out of 1), first error is: failed to get cpu resource metric value: failed to get cpu utilization: unable to get metrics for resource cpu: unable to fetch metrics from resource metrics API: the server could not find the requested resource (get pods.metrics.k8s.io) -29m Warning FailedGetResourceMetric horizontalpodautoscaler/istiod failed to get cpu utilization: unable to get metrics for resource cpu: unable to fetch metrics from resource metrics API: the server is currently unable to handle the request (get pods.metrics.k8s.io) -29m Warning FailedComputeMetricsReplicas horizontalpodautoscaler/istiod invalid metrics (1 invalid out of 1), first error is: failed to get cpu resource metric value: failed to get cpu utilization: unable to get metrics for resource cpu: unable to fetch metrics from resource metrics API: the server is currently unable to handle the request (get 
pods.metrics.k8s.io) -2 -* Failed to execute "terraform_current apply -lock-timeout=20m -auto-approve -input=false -auto-approve" in ./.terragrunt-cache/jrM5TqaHxjlphT8vQ1DicmFp6eM/1NbRS_ankC8AcxKegXNWAnjyQEg - ╷ - │ Error: Unable to continue with install: Certificate "platform-eng-eks-mcm" in namespace "istio-system" exists and cannot be imported into the current release: invalid ownership metadata; annotation validation error: key "meta.helm.sh/release-name" must equal "grafana-grafana-ingress": current value is "k8s-dashboard-k8s-dashboard-ingress"; annotation validation error: key "meta.helm.sh/release-namespace" must equal "grafana": current value is "k8s-dashboard" - │ - │ with module.ingress_resources.helm_release.ingress, - │ on .terraform/modules/ingress_resources/main.tf line 6, in resource "helm_release" "ingress": - │ 6: resource "helm_release" "ingress" { - │ - ╵ - - exit status 1 - \ No newline at end of file From 66ae5d831a7adcd7c9dd082cffe56fc00ca43314 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Fri, 21 Mar 2025 18:20:09 -0400 Subject: [PATCH 043/126] updated vars --- lab/_envcommon/default-versions.hcl | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index 1f110855..e83066c0 100644 --- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl @@ -4,7 +4,7 @@ locals { ##################### # Module Versions ##################### - cluster_version = "1.31" + cluster_version = "1.32" custom_service_eks_account = "${local.release_version}" eks_module_version = "20.34.0" istio_ingress_version = "${local.release_version}" @@ -88,6 +88,7 @@ locals { dashboard_auth_tag = "1.2.4" dashboard_metrics_tag = "1.2.2" dashboard_web_tag = "1.6.2" + dashboard_kong_tag = "3.8" ################ # Karpenter From 564dfcc04cdb072362559f1a1e036a8870c34006 Mon Sep 17 00:00:00 2001 
From: "Matthew C. Morgan"
Date: Fri, 21 Mar 2025 20:29:48 -0400
Subject: [PATCH 044/126] revert dashboard stuff
---
 lab/_envcommon/default-versions.hcl | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl
index e83066c0..14286050 100644
--- a/lab/_envcommon/default-versions.hcl
+++ b/lab/_envcommon/default-versions.hcl
@@ -83,12 +83,13 @@ locals {
 # k8s-dashboard
 ################
 dashboard_hostname = "dashboard"
- k8s_dashboard_version = "7.11.1"
- dashboard_api_tag = "1.11.1"
- dashboard_auth_tag = "1.2.4"
- dashboard_metrics_tag = "1.2.2"
- dashboard_web_tag = "1.6.2"
- dashboard_kong_tag = "3.8"
+ k8s_dashboard_version = "6.0.6"
+ k8s_dashboard_metrics_scraper = "1.0.8"
+ # dashboard_api_tag = "1.11.1"
+ # dashboard_auth_tag = "1.2.4"
+ # dashboard_metrics_tag = "1.2.2"
+ # dashboard_web_tag = "1.6.2"
+ # dashboard_kong_tag = "3.8"
 ################
 # Karpenter
From ba67c9efafbaec745d415f253a74792a1a61219f Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Fri, 21 Mar 2025 22:09:53 -0400
Subject: [PATCH 045/126] update inputs
---
 input_vars.hcl | 5 +----
 lab/development/account.hcl | 2 +-
 2 files changed, 2 insertions(+), 5 deletions(-)
diff --git a/input_vars.hcl b/input_vars.hcl
index c61b0ebd..dba39650 100644
--- a/input_vars.hcl
+++ b/input_vars.hcl
@@ -1,16 +1,13 @@
 locals {
 account_name = "lab-dev-ew"
 aws_account_id = "224384469011"
- aws_profile = "224384469011-lab-dev-gov"
 aws_region = "us-gov-east-1"
- cluster_endpoint_public_access = true
 cluster_mailing_list = "matthew.c.morgan@census.gov"
- cluster_name = "platform-eng-eks-mcm"
+ cluster_name = "csvd-platform-lab-mcm"
 eks_instance_disk_size = 100
 eks_ng_desired_size = 2
 eks_ng_max_size = 10
 eks_ng_min_size = 2
- enable_cluster_creator_admin_permissions = true
 environment = "development"
 environment_abbr = "dev"
 organization = "census:ocio:csvd"
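Review bot: In the k8s-dashboard hunk of lab/_envcommon/default-versions.hcl (PATCH 044), five tag assignments are left behind as commented-out code and the chart pin moves from `7.11.1` back to `6.0.6` with no reason recorded in the file or the commit subject. Git history already preserves the removed values, so I would delete the commented lines and put the rationale next to the pin, for example `# held at chart 6.x until <reason / ticket>; re-evaluate before the next release`. The new key `k8s_dashboard_metrics_scraper` appears to hold an image tag but lacks the `_tag` suffix the neighbouring keys use. The `locals` block starts and ends outside the hunk.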
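Review bot: Dropping `cluster_endpoint_public_access = true` and `enable_cluster_creator_admin_permissions = true` from input_vars.hcl (PATCH 045) changes two access-control settings implicitly: the effective values now come from whatever default the EKS module or another locals file supplies, which this hunk does not show. I would state the intended posture explicitly rather than rely on a default, e.g. `cluster_endpoint_public_access = false` and `enable_cluster_creator_admin_permissions = false`, or keep the keys with a comment naming where they are set. If the cluster creator's admin grant does go away, confirm before applying that another access entry or role mapping still provides administration, so operators are not locked out. The commit subject ("update inputs") mentions neither change.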
diff --git a/lab/development/account.hcl b/lab/development/account.hcl
index 80a8b3a0..acf562ba 100644
--- a/lab/development/account.hcl
+++ b/lab/development/account.hcl
@@ -7,7 +7,7 @@ locals { account_name = "lab-dev-ew"
 aws_account_id = "224384469011"
- aws_profile = "224384469011-lab-dev-gov"
+ aws_profile = "${local.aws_account_id}-${local.account_name}"
 environment = "development"
 environment_abbr = "dev"
 }
From 3fd535c2382021f53405d9bb3e11e248d6476ba7 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Mon, 24 Mar 2025 14:53:11 -0400
Subject: [PATCH 046/126] fix profile
---
 lab/development/account.hcl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lab/development/account.hcl b/lab/development/account.hcl
index acf562ba..a78efbf6 100644
--- a/lab/development/account.hcl
+++ b/lab/development/account.hcl
@@ -7,7 +7,7 @@ locals { account_name = "lab-dev-ew"
 aws_account_id = "224384469011"
- aws_profile = "${local.aws_account_id}-${local.account_name}"
+ aws_profile = format("%v-%v", local.aws_account_id, replace(local.account_name, "-ew", "-gov"))
 environment = "development"
 environment_abbr = "dev"
 }
From 17b6935954434469ccec1ee8d0a006dfc185906c Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Tue, 1 Apr 2025 15:56:57 -0400
Subject: [PATCH 047/126] latest
---
 docs/terragrunt.stack.hcl | 380 ++++++++++++++++++++++++++++
 input_vars.hcl | 34 +--
 lab/_envcommon/default-versions.hcl | 4 +-
 3 files changed, 399 insertions(+), 19 deletions(-)
 create mode 100644 docs/terragrunt.stack.hcl
diff --git a/docs/terragrunt.stack.hcl b/docs/terragrunt.stack.hcl
new file mode 100644
index 00000000..69d52333
--- /dev/null
+++ b/docs/terragrunt.stack.hcl
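Review bot: `replace(local.account_name, "-ew", "-gov")` in the second lab/development/account.hcl hunk (PATCH 046) rewrites every occurrence of `-ew` in the account name, not only the suffix, and returns the name unchanged when nothing matches, so an account named differently silently yields a profile name nobody intended. Anchoring the substitution makes the mapping explicit: `aws_profile = format("%v-%v", local.aws_account_id, replace(local.account_name, "/-ew$/", "-gov"))`. A one-line comment stating the profile naming convention (account id, then the account name with its `-ew` suffix swapped for `-gov`) would explain why the profile and account names differ, which is the detail the PATCH 045 hunk above got wrong. The `locals` block continues outside both hunks.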
@@ -0,0 +1,380 @@
+locals {
+ environment = "development"
+ region = "us-gov-east-1"
+ project_name = "csvd-platform-lab-mcm"
+ base_source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-"
+
+}
+
+# Define the EKS cluster unit
+unit "eks" {
+ source = format("%v%v", local.base_source, "eks")
+ path = "eks"
+
+ values = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Core Cluster Configuration
+ cluster_name = include.root.inputs.cluster_name
+ cluster_version = include.root.inputs.cluster_version
+
+ # Additional Configuration
+ tags = include.root.inputs.tags
+ }
+}
+
+unit "metrics" {
+ source = format("%v%v", local.base_source, "metrics-server")
+ path = "metrics-server"
+
+ values = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_name = dependency.eks.outputs.cluster_name
+
+ # Metrics Server Configuration
+ metrics_server_helm_chart = include.root.inputs.metrics_server_helm_chart
+ metrics_server_tag = include.root.inputs.metrics_server_tag
+ namespace = include.root.inputs.namespaces["metrics-server"]
+ }
+}
+
+unit "karpenter" {
+ source = format("%v%v", local.base_source, "karpenter")
+ path = "karpenter"
+
+ values = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_endpoint = dependency.eks.outputs.cluster_endpoint
+ cluster_name = dependency.eks.outputs.cluster_name
+ oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
+ vpc_id = dependency.eks.outputs.vpc_id
+
+ # Karpenter Configuration
+ karpenter_tag = include.root.inputs.karpenter_tag
+ karpenter_helm_chart = include.root.inputs.karpenter_helm_chart
+ karpenter_node_group_name = dependency.eks.outputs.node_group_name
+ namespace = include.root.inputs.namespaces["karpenter"]
+ }
+}
+
+# Add other components as needed (node groups, addons, etc.)
+unit "config" {
+ source = format("%v%v", local.base_source, "eks-config")
+ path = "eks-config"
+
+ values = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Core Cluster Configuration
+ cluster_name = dependency.eks.outputs.cluster_name
+ eks_managed_node_groups_autoscaling_group_names = dependency.eks.outputs.eks_managed_node_groups_autoscaling_group_names
+ oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
+ security_group_all_worker_mgmt_id = dependency.eks.outputs.security_group_all_worker_mgmt_id
+ subnets = dependency.eks.outputs.subnets
+ vpc_id = dependency.eks.outputs.vpc_id
+ operators_ns = include.root.inputs.operator_namespace
+ telemetry_ns = include.root.inputs.telemetry_namespace
+ }
+}
+
+# Add other components as needed (node groups, addons, etc.)
+unit "cert_manager" {
+ source = format("%v%v", local.base_source, "cert-manager")
+ path = "cert-manager"
+
+ values = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_name = dependency.eks.outputs.cluster_name
+ cluster_mailing_list = include.root.inputs.cluster_mailing_list
+ oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
+
+ # Cert Manager Configuration
+ cert_manager_helm_chart = include.root.inputs.cert_manager_helm_chart
+ cluster_issuer_name = include.root.inputs.cluster_issuer_name
+ namespace = include.root.inputs.namespaces["cert-manager"]
+
+ # Version Tags
+ cert_manager_cainjector_tag = include.root.inputs.cert_manager_cainjector_tag
+ cert_manager_controller_tag = include.root.inputs.cert_manager_controller_tag
+ cert_manager_startupapicheck_tag = include.root.inputs.cert_manager_startupapicheck_tag
+ cert_manager_webhook_tag = include.root.inputs.cert_manager_webhook_tag
+ }
+}
+
+# Add other components as needed (node groups, addons, etc.)
+unit "loki" {
+ source = format("%v%v", local.base_source, "loki")
+ path = "loki"
+
+ values = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_name = dependency.eks.outputs.cluster_name
+ oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
+
+ # Loki Configuration
+ loki_chart_version = include.root.inputs.loki_chart_version
+ loki_tag = include.root.inputs.loki_tag
+ namespace = include.root.inputs.namespaces["loki"]
+ rwo_storage_class = dependency.eks_config.outputs.rwo_storage_class
+ }
+}
+
+# Add modules for monitoring, logging, etc.
+unit "prometheus" {
+ source = format("%v%v", local.base_source, "prometheus")
+ path = "prometheus"
+
+ values = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_name = dependency.eks.outputs.cluster_name
+ oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
+
+ # Prometheus Configuration
+ prometheus_chart_version = include.root.inputs.prometheus_chart_version
+ prometheus_server_tag = include.root.inputs.prometheus_server_tag
+ prometheus_config_reloader_tag = include.root.inputs.prometheus_config_reloader_tag
+ alertmanager_tag = include.root.inputs.alertmanager_tag
+ kube_state_metrics_tag = include.root.inputs.kube_state_metrics_tag
+ namespace = include.root.inputs.namespaces["prometheus"]
+ node_exporter_tag = include.root.inputs.node_exporter_tag
+ pushgateway_tag = include.root.inputs.pushgateway_tag
+ rwo_storage_class = dependency.eks_config.outputs.rwo_storage_class
+ }
+}
+
+# Add other components as needed (node groups, addons, etc.)
+unit "istio" {
+ source = format("%v%v", local.base_source, "istio")
+ path = "istio"
+
+ values = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_name = dependency.eks.outputs.cluster_name
+ oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
+
+ # Istio Configuration
+ namespace = include.root.inputs.namespaces["istio"]
+ istio_version = include.root.inputs.istio_version
+ }
+}
+
+# Add other components as needed (node groups, addons, etc.)
+unit "tempo" {
+ source = format("%v%v", local.base_source, "tempo")
+ path = "tempo"
+
+ values = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_name = dependency.eks.outputs.cluster_name
+ oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
+
+ # Prometheus Configuration
+ prometheus_namespace = dependency.eks-prometheus.outputs.prometheus_namespace
+ prometheus_port = dependency.eks-prometheus.outputs.prometheus_server_internal_endpoint.port_number
+
+ # Tempo Configuration
+ tempo_chart_version = include.root.inputs.tempo_chart_version
+ tempo_tag = include.root.inputs.tempo_tag
+ namespace = include.root.inputs.namespaces["tempo"]
+ }
+}
+
+# Add other components as needed (node groups, addons, etc.)
+unit "dns" {
+ source = format("%v%v", local.base_source, "dns")
+ path = "dns"
+
+ values = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_name = include.root.inputs.cluster_name
+
+ # Network Configuration
+ istio_ingress_lb = dependency.eks-istio.outputs.istio_ingress_lb
+ route53_endpoints = include.root.inputs.route53_endpoints
+ vpc_domain_name = include.root.inputs.vpc_domain_name
+ vpc_name = include.root.inputs.vpc_name
+
+ # Additional Configuration
+ tags = include.root.inputs.tags
+ }
+}
+
+# Add other components as needed (node groups, addons, etc.)
+unit "open_telemetry" {
+ source = format("%v%v", local.base_source, "open-telemetry")
+ path = "otel"
+
+ values = {
+ profile = include.root.inputs.aws_profile
+ cluster_name = dependency.eks.outputs.cluster_name
+ region = include.root.inputs.aws_region
+ namespace = include.root.inputs.namespaces["otel"]
+ loki_endpoint = dependency.eks-loki.outputs.gateway_internal_endpoint.url
+ tempo_endpoint = dependency.eks-tempo.outputs.tempo_otlp_endpoint.url
+ }
+}
+
+unit "grafana" {
+ source = format("%v%v", local.base_source, "grafana")
+ path = "grafana"
+
+ values = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_name = dependency.eks.outputs.cluster_name
+ cluster_domain = dependency.eks_dns.outputs.cluster_domain
+ oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
+
+ # Storage Configuration
+ rwo_storage_class = dependency.eks_loki.outputs.rwo_storage_class
+
+ # Grafana Configuration
+ grafana_operator_chart_version = include.root.inputs.grafana_operator_chart_version
+ grafana_operator_tag = include.root.inputs.grafana_operator_tag
+ grafana_tag = include.root.inputs.grafana_tag
+ namespace = include.root.inputs.namespaces["grafana"]
+ os_shell_image_tag = include.root.inputs.os_shell_image_tag
+ service_name = "grafana"
+ loki_endpoint = dependency.eks_loki.outputs.gateway_internal_endpoint.url
+ prometheus_endpoint = dependency.eks_prometheus.outputs.prometheus_server_internal_endpoint.url
+ tempo_endpoint = dependency.eks_tempo.outputs.tempo_internal_endpoint.url
+ }
+}
+
+unit "dashboard" {
+ source = format("%v%v", local.base_source, "k8s-dashboard")
+ path = "k8s-dashboard"
+
+ values = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_domain = dependency.eks_dns.outputs.cluster_domain
+ cluster_name = dependency.eks.outputs.cluster_name
+
+ # Dashboard Configuration
+ service_name = include.root.inputs.dashboard_hostname
+ k8s_dashboard_version = include.root.inputs.k8s_dashboard_version
+ namespace = include.root.inputs.namespaces["k8s-dashboard"]
+ }
+}
+
+unit "keycloak" {
+ source = format("%v%v", local.base_source, "keycloak")
+ path = "keycloak"
+
+ values = {
+ cluster_domain = dependency.eks_dns.outputs.cluster_domain
+ cluster_name = dependency.eks.outputs.cluster_name
+ namespace = include.root.inputs.namespaces["keycloak"]
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # keycloak config
+ default_storage_class = dependency.eks_config.outputs.rwo_storage_class
+ keycloak_chart_version = include.root.inputs.keycloak_chart_version
+ keycloak_hostname = include.root.inputs.keycloak_hostname
+ keycloak_tag = include.root.inputs.keycloak_tag
+ realm_email = include.root.inputs.cluster_mailing_list
+ realm_name = "master"
+ realm_password = include.root.inputs.keycloak_password
+ realm_username = include.root.inputs.keycloak_username
+ service_name = "keycloak"
+ telemetry_namespace = include.root.inputs.telemetry_namespace
+
+ # # Database configuration
+ keycloak_database = include.root.inputs.keycloak_database
+ keycloak_user = include.root.inputs.keycloak_username
+ keycloak_password = include.root.inputs.keycloak_password
+ }
+}
+
+unit "kiali" {
+ source = format("%v%v", local.base_source, "kiali")
+ path = "kiali"
+
+ values = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_domain = dependency.eks_dns.outputs.cluster_domain
+ cluster_name = dependency.eks.outputs.cluster_name
+ certificate_issuer = dependency.eks_cert_manager.outputs.cluster_issuer_name
+
+ # Kiali Configuration
+ service_name = "kiali"
+ namespace = include.root.inputs.namespaces["kiali"]
+ istio_namespace = include.root.inputs.namespaces["istio"]
+ grafana_internal_url = dependency.eks_grafana.outputs.internal_endpoint.url
+ grafana_namespace = dependency.eks_grafana.outputs.namespace
+ grafana_secret_name = dependency.eks_grafana.outputs.secret_name
+ grafana_public_url = dependency.eks_grafana.outputs.public_endpoint
+
+ kiali_application_version = include.root.inputs.kiali_application_version
+ kiali_operator_version = include.root.inputs.kiali_operator_version
+
+ prometheus_internal_url = dependency.eks_prometheus.outputs.prometheus_server_internal_endpoint.url
+ grafana_namespace = dependency.eks_grafana.outputs.namespace
+ grafana_secret_name = dependency.eks_grafana.outputs.secret_name
+ grafana_internal_url = dependency.eks_grafana.outputs.internal_endpoint.url
+ grafana_public_url = dependency.eks_grafana.outputs.public_endpoint
+ tempo_datasource_id = dependency.eks_grafana.outputs.tempo_datasource_id
+ tempo_internal_url = dependency.eks_tempo.outputs.tempo_internal_endpoint.url
+ }
+}
diff --git a/input_vars.hcl b/input_vars.hcl
index dba39650..8a89aec2 100644
--- a/input_vars.hcl
+++ b/input_vars.hcl
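Review bot: Every `unit` in docs/terragrunt.stack.hcl builds its `source` with `format("%v%v", local.base_source, ...)`, which yields a Git URL with no `?ref=`, so each module would be fetched from the repository's default branch rather than a reviewed revision. The terragrunt.hcl files elsewhere in this series pin with `?ref=${include.root.inputs.release_version}`. Carrying the ref in the format call keeps the stack pinned, e.g. `source = format("%v%v.git?ref=%v", local.base_source, "eks", local.module_ref)` with `module_ref` added to `locals` (the name is a suggestion). The `values` maps also read `dependency.*` and `include.root.*` although the file declares neither, and they mix `dependency.eks-prometheus` with `dependency.eks_prometheus`. The kiali unit lists `grafana_namespace`, `grafana_secret_name`, `grafana_internal_url` and `grafana_public_url` twice. If the file is only a sketch, a header comment saying so would keep it from being copied into a live stack as is.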
@@ -1,21 +1,21 @@ locals { - account_name = "lab-dev-ew" - aws_account_id = "224384469011" - aws_region = "us-gov-east-1" - cluster_mailing_list = "matthew.c.morgan@census.gov" - cluster_name = "csvd-platform-lab-mcm" - eks_instance_disk_size = 100 - eks_ng_desired_size = 2 - eks_ng_max_size = 10 - eks_ng_min_size = 2 - environment = "development" - environment_abbr = "dev" - organization = "census:ocio:csvd" - finops_project_name = "csvd_platformbaseline" - finops_project_number = "fs0000000078" - finops_project_role = "csvd_platformbaseline_app" - vpc_domain_name = "dev.lab.csp2.census.gov" - vpc_name = "vpc3-lab-dev" + account_name = "lab-dev-ew" + aws_account_id = "224384469011" + aws_region = "us-gov-east-1" + cluster_mailing_list = "matthew.c.morgan@census.gov" + cluster_name = "csvd-platform-lab-mcm" + eks_instance_disk_size = 100 + eks_ng_desired_size = 2 + eks_ng_max_size = 10 + eks_ng_min_size = 2 + environment = "development" + environment_abbr = "dev" + organization = "census:ocio:csvd" + finops_project_name = "csvd_platformbaseline" + finops_project_number = "fs0000000078" + finops_project_role = "csvd_platformbaseline_app" + vpc_domain_name = "dev.lab.csp2.census.gov" + vpc_name = "vpc3-lab-dev" tags = { "slim:schedule" = "8:00-17:00" } diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index 14286050..fbc87c6c 100644 --- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl @@ -82,8 +82,8 @@ locals { ################ # k8s-dashboard ################ - dashboard_hostname = "dashboard" - k8s_dashboard_version = "6.0.6" + dashboard_hostname = "dashboard" + k8s_dashboard_version = "6.0.6" k8s_dashboard_metrics_scraper = "1.0.8" # dashboard_api_tag = "1.11.1" # dashboard_auth_tag = "1.2.4" From 15c3214a68f060cca16e4e26da0584514e282388 Mon Sep 17 00:00:00 2001 
From: "Matthew C. Morgan" Date: Tue, 1 Apr 2025 20:38:06 -0400 Subject: [PATCH 048/126] updated eks module version and sorted namespaces --- lab/_envcommon/default-versions.hcl | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index fbc87c6c..c0983153 100644 --- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl @@ -6,9 +6,9 @@ locals { ##################### cluster_version = "1.32" custom_service_eks_account = "${local.release_version}" - eks_module_version = "20.34.0" + eks_module_version = "20.35.0" istio_ingress_version = "${local.release_version}" - release_version = "mcmCluster" # "main" # change to main when testing updated modules + release_version = "mcmCluster" # "main" ##################### # TF Providers @@ -24,21 +24,21 @@ locals { ##################### # Namespaces Config ##################### - operator_namespace = "aoperator" - telemetry_namespace = "atelemetry" + operator_namespace = "operator" + telemetry_namespace = "telemetry" namespaces = { cert-manager = "kube-system" - karpenter = "karpenter" - metrics-server = "kube-system" - postgresql = "kube-system" - keycloak = "keycloak" gogatekeeper = "kube-system" - istio = "istio-system" - kiali = "istio-system" grafana = local.telemetry_namespace + istio = "istio-system" k8s-dashboard = local.telemetry_namespace + karpenter = "karpenter" + keycloak = "keycloak" + kiali = "istio-system" loki = local.telemetry_namespace + metrics-server = "kube-system" otel = local.telemetry_namespace + postgresql = "kube-system" prometheus = local.telemetry_namespace tempo = local.telemetry_namespace } From bd6d0248122216670ded7f80149b03d6e84a9a6c Mon Sep 17 00:00:00 2001 
From: "Matthew C. Morgan" Date: Mon, 14 Apr 2025 20:58:58 -0400 Subject: [PATCH 049/126] update to pass account and regino --- .../vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl | 2 ++ .../vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl | 7 +++++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl index 47ade7e4..3b6ccdd3 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl @@ -49,7 +49,9 @@ dependencies { inputs = { cluster_domain = dependency.eks_dns.outputs.cluster_domain cluster_name = dependency.eks.outputs.cluster_name + namespace = include.root.inputs.namespaces["keycloak"] + account_id = include.root.inputs.account_id profile = include.root.inputs.aws_profile region = include.root.inputs.aws_region diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl index 2c93211d..45d467c2 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl @@ -52,9 +52,12 @@ dependency "eks-tempo" { } inputs = { - profile = include.root.inputs.aws_profile + # AWS Configuration + account_id = include.root.inputs.aws_account_id + profile = include.root.inputs.aws_profile + region = include.root.inputs.aws_region + cluster_name = dependency.eks.outputs.cluster_name - region = include.root.inputs.aws_region namespace = include.root.inputs.namespaces["otel"] loki_endpoint = dependency.eks-loki.outputs.gateway_internal_endpoint.url tempo_endpoint = dependency.eks-tempo.outputs.tempo_otlp_endpoint.url 
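Review bot: The keycloak hunk reads `include.root.inputs.account_id`, while the otel hunk in the same commit reads `include.root.inputs.aws_account_id`. Unless root.hcl exposes both keys, the keycloak unit will fail to evaluate or pass an unset value. The added line should probably be `account_id = include.root.inputs.aws_account_id`, grouped under an `# AWS Configuration` comment as in the otel file. Both `inputs` blocks continue outside the hunks shown.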
From 0356b682600a9777f444a20198bc747bb9538e12 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 15 Apr 2025 21:41:22 -0400 Subject: [PATCH 050/126] back to functional --- .github/platform-tg-infra.code-workspace | 12 ++++-------- lab/_envcommon/default-versions.hcl | 2 +- .../csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl | 11 ----------- .../eks-keycloak/terragrunt.hcl | 9 +++++---- 4 files changed, 10 insertions(+), 24 deletions(-) diff --git a/.github/platform-tg-infra.code-workspace b/.github/platform-tg-infra.code-workspace index a4c0bf1d..cefac38d 100644 --- a/.github/platform-tg-infra.code-workspace +++ b/.github/platform-tg-infra.code-workspace @@ -24,6 +24,10 @@ "name": "tfmod-eks-dns", "path": "../../tfmod-eks-dns" }, + { + "name": "tfmod-ersi-arcgis", + "path": "../../tfmod-ersi-arcgis" + }, { "name": "tfmod-gogatekeeper", "path": "../../tfmod-gogatekeeper" @@ -79,14 +83,6 @@ { "name": "tfmod-tempo", "path": "../../tfmod-tempo" - }, - { - "name": "terraform-aws-eks", - "path": "../../terraform-aws-eks" - }, - { - "name": "terragrunt", - "path": "../../terragrunt" } ] } diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index c0983153..1116c315 100644 --- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl @@ -129,7 +129,7 @@ locals { # Metrics Server ################ metrics_server_helm_chart = "3.12.2" - metrics_server_tag = "0.7.2" + metrics_server_tag = "v0.7.2" ################ # PostgreSQL diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl index 811bc8b8..5d458d0b 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl 
@@ -51,17 +51,6 @@ dependency "eks_prometheus" { } } -dependency "eks_prometheus" { - config_path = "../eks-prometheus" - mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] - mock_outputs = { - rwo_storage_class = "gp3-mocked" - prometheus_server_internal_endpoint = { - url = "mock.prometheus.enpoint.example.com" - } - } -} - dependency "eks_tempo" { config_path = "../eks-tempo" mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl index 3b6ccdd3..cf52252f 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl @@ -50,10 +50,11 @@ inputs = { cluster_domain = dependency.eks_dns.outputs.cluster_domain cluster_name = dependency.eks.outputs.cluster_name - namespace = include.root.inputs.namespaces["keycloak"] - account_id = include.root.inputs.account_id - profile = include.root.inputs.aws_profile - region = include.root.inputs.aws_region + namespace = include.root.inputs.namespaces["keycloak"] + # AWS Configuration + account_id = include.root.inputs.aws_account_id + profile = include.root.inputs.aws_profile + region = include.root.inputs.aws_region # keycloak config default_storage_class = dependency.eks_config.outputs.rwo_storage_class From 609d0d0b5a046efc772fe63f5a5fca9e88f3ccd7 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 15 Apr 2025 21:41:42 -0400 Subject: [PATCH 051/126] initial arcgis module --- .../eks-arcgis/terragrunt.hcl | 65 +++++++++++++++++++ 1 file changed, 65 insertions(+) create mode 100644 lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-arcgis/terragrunt.hcl 
diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-arcgis/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-arcgis/terragrunt.hcl
new file mode 100644
index 00000000..936b2615
--- /dev/null
+++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-arcgis/terragrunt.hcl
@@ -0,0 +1,65 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-ersi-arcgis.git?ref=${include.root.inputs.release_version}"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = "mock-cluster"
+ }
+}
+
+dependency "eks_dns" {
+ config_path = "../eks-dns"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_domain = "mock.example.com"
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks_dns",
+ "../eks_grafana",
+ ]
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_domain = dependency.eks_dns.outputs.cluster_domain
+ cluster_name = dependency.eks.outputs.cluster_name
+ namespace = "arcgis"
+ rwo_storage_class = dependency.eks_config.outputs.rwo_storage_class
+
+ # Dockerhub Creds
+ dockerhub_username = ""
+ dockerhub_password = ""
+
+ # ArcGIS Config
+ ersi_image_tag = "11.4.0.6285"
+ arcgis_license_json = ""
+ arcgis_admin_username = "admin"
+ arcgis_admin_password = "password"
+ arcgis_admin_email = dependency.eks.outputs.cluster_mailing_list
+ arcgis_admin_firstname = "admin"
+ arcgis_admin_lastname = "admin"
+ arcgis_security_question_index = 1
+ arcgis_security_question_answer = "Las Vegas"
+}
From 74dc3045255d4ec18c7860eb446d3ae554c0d716 Mon Sep 17 00:00:00 2001
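Review bot: `arcgis_admin_password = "password"` and `arcgis_security_question_answer = "Las Vegas"` are committed as literals in `inputs`. The ArcGIS administrator credential and its recovery answer are therefore readable by anyone with access to the repository, and they remain in Git history after they are changed. These values, and the Docker Hub pair that is currently blank, should come from outside the repository, for example `arcgis_admin_password = get_env("ARCGIS_ADMIN_PASSWORD")` (the variable name is a suggestion) or a lookup against the team's secret store. The default `admin` username is worth replacing at the same time. Separately, `inputs` reads `dependency.eks_config.outputs.rwo_storage_class` although the file declares no `eks_config` dependency, and the `dependencies` paths use `../eks_dns` and `../eks_grafana` where the `config_path` values use hyphens.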
From: "Matthew C. Morgan" Date: Tue, 15 Apr 2025 21:51:29 -0400 Subject: [PATCH 052/126] fix ordering --- .../eks-arcgis/terragrunt.hcl | 17 +++++++++++++---- .../eks-dns/terragrunt.hcl | 4 ++-- 2 files changed, 15 insertions(+), 6 deletions(-) diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-arcgis/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-arcgis/terragrunt.hcl index 936b2615..8e667f7a 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-arcgis/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-arcgis/terragrunt.hcl @@ -20,19 +20,28 @@ dependency "eks" { } } +dependency "eks_config" { + config_path = "../eks-config" + mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] + mock_outputs = { + rwo_storage_class = "gp3-mock" + } +} + dependency "eks_dns" { config_path = "../eks-dns" mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] mock_outputs = { - cluster_domain = "mock.example.com" + cluster_domain = "mock.domain.example.com" } } dependencies { paths = [ "../eks", - "../eks_dns", - "../eks_grafana", + "../eks-config", + "../eks-dns", + "../eks-kiali", ] } @@ -57,7 +66,7 @@ inputs = { arcgis_license_json = "" arcgis_admin_username = "admin" arcgis_admin_password = "password" - arcgis_admin_email = dependency.eks.outputs.cluster_mailing_list + arcgis_admin_email = include.root.inputs.cluster_mailing_list arcgis_admin_firstname = "admin" arcgis_admin_lastname = "admin" arcgis_security_question_index = 1 diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl index 6ab98584..e6211d06 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl 
@@ -21,7 +21,7 @@ dependency "eks" { } } -dependency "eks-istio" { +dependency "eks_istio" { config_path = "../eks-istio" mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] mock_outputs = { @@ -50,7 +50,7 @@ inputs = { cluster_name = include.root.inputs.cluster_name # Network Configuration - istio_ingress_lb = dependency.eks-istio.outputs.istio_ingress_lb + istio_ingress_lb = dependency.eks_istio.outputs.istio_ingress_lb route53_endpoints = include.root.inputs.route53_endpoints vpc_domain_name = include.root.inputs.vpc_domain_name vpc_name = include.root.inputs.vpc_name From a604bba5d39af2ac43e7fdb2cf67aff82e7b53a5 Mon Sep 17 00:00:00 2001 
From: "Matthew C. Morgan" Date: Wed, 16 Apr 2025 17:00:05 -0400 Subject: [PATCH 053/126] add skip modules ability --- docs/enterprise_ecr_v1.drawio 1.png | Bin 0 -> 86062 bytes lab/_envcommon/default-versions.hcl | 32 ++++++++++++++++ .../vpc/csvd-platform-lab-mcm/cluster.hcl | 3 ++ .../eks-arcgis/terragrunt.hcl | 11 ++++++ .../eks-cert-manager/terragrunt.hcl | 11 ++++++ .../eks-config/terragrunt.hcl | 23 +++++++++--- .../eks-dns/terragrunt.hcl | 11 ++++++ .../{terragrunt.hcl.off => terragrunt.hcl} | 11 ++++++ .../eks-grafana/terragrunt.hcl | 18 +++++++-- .../eks-istio/terragrunt.hcl | 11 ++++++ .../eks-k8s-dashboard/terragrunt.hcl | 11 ++++++ .../eks-karpenter/terragrunt.hcl | 11 ++++++ .../eks-keycloak/terragrunt.hcl | 11 ++++++ .../eks-kiali/terragrunt.hcl | 11 ++++++ .../eks-loki/terragrunt.hcl | 35 ++++++++++++------ .../eks-metrics-server/terragrunt.hcl | 31 +++++++++++----- .../eks-otel/terragrunt.hcl | 29 ++++++++++----- .../eks-prometheus/terragrunt.hcl | 11 ++++++ .../eks-tempo/terragrunt.hcl | 11 ++++++ .../csvd-platform-lab-mcm/eks/terragrunt.hcl | 11 ++++++ lab/root.hcl | 7 ++++ 21 files changed, 270 insertions(+), 40 deletions(-) create mode 100644 docs/enterprise_ecr_v1.drawio 1.png rename lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gogatekeeper/{terragrunt.hcl.off => terragrunt.hcl} (90%) 
diff --git a/docs/enterprise_ecr_v1.drawio 1.png b/docs/enterprise_ecr_v1.drawio 1.png new file mode 100644 index 0000000000000000000000000000000000000000..460d3dfcfb34e47f6b31ea7381538dca6d354dd9 GIT binary patch literal 86062 zcmeFZ2V9fcwl}Pf6-1m-zySpr#{x=`j+6)psPqz$8Y6^I0-=*of(;l&K}P`*X%T`%q3B>S@N2Dyp{DAZ%(~q}Yu2d5d#a!DbjH{@ zpb%^JOR9bPv|mEp9_`_|U-HC$2?@BXtEjC59O({s_7HVJc!DO-4@V+gSTE?HeH~CJ z_|b;#7g#TM=30Y2&)gC9r5L9?VP_yjs+q&|Jb$Vdr+78O@l6v7m7PRjv| zt065ZD=H}inh$B6G}h7HFQEoLqa2(N;Fl)C#tF^*ikiJU+8MNH9F+v~G5>-_Be)&h z-C@NL%r$x=+&vu7E}ym`AtQQJ^ysI>d)UBHh)>O|mUC!#TZB8S2@EK)Us8R)xC$7A z`A<@fMF8;N0tb^X5k?=-K!o*u2is3=t}ZHYHwV>oI>w$_4ksm5T+H3T9=;rHc}!=F zraRo#UI%T9K!Jg6F|6q&BxFA=(-!-wMOt3+Qv=d{c^=lZ%myO|-{rk5EnGqz>E&RH z@L-Mh>6@NtG|JP#^~**Zw2KSEhINXp5#jFc%%fY{Agjp^jbiPN)!+&?{>2;22BU9i z%4{`tu=TWOy(=ruS|79HB*Fn{zdZHPQy!k!<*Vb4_HwaBFj?a$nBT|V!4qNR3b$b{(+4m%XtVcp zMzOkqfI+FDQRq*1Ow!H{A!B0$Uh(jBM>`=_^w`SEp9Ac`lozZ!?1@;u8K0V5;h*Wf zbOe8V=%0^X69EK=r#lvGgEgXzBmal#$#3RuzD-T^3LCTFa;xd>YzuUQuv?e1xhMxtHdDD}^+s-N#R^D2IR zM;i@B{dD0S5uTn{mhypnd7{6(??58DW6!W&U3xGB58|TI;I*a46U-~f9Q@N0^9Yzv zwr~&o-(?EI#a4x>k3gRb+64#}ATHqUo*F=wfF`EYS$bZ6#|8!W@Ni&Cl}|fnZWFu* z9#)amtR@e%m-~{)0&lH)uUM)V%!>rJ&(dhCzPEJ${`e}dDv8_?D7dGC_m>O(pCeX| zve^Hh!956!gC~>eSbPSambeaZ1heNe%P}98IqsjtWO7W#{(q3kSeJ2y_|kVr*dg5A zfhdp=*JoOVtI05J_&H!Ye_?09Q4UC^#cu<|3e%uh1x|pc1F%h1SRKv|wzfS6yj{KR~KT9foCRM;0EHB{8xkZk$W?vRqXgfQPWf$?^ zTS3dyEZIW8TW5c~KuO?F{k4`8YYQuw&jtldCxrX5iuh|xUR!B|oUIgKt8YwRIf-+U zGBThC_}I1%fN@ut!}78x#ARjwh#6Nh-O`Hxn10JN2j1uJHtX`~9z80{;$#+YNlE`> z?O^~T{O7Hn|8drf)F&$Z|J8Z{PVj%836>06rWL|8P?sK-jF5k8`mS!gEDiEM+Iac1 zJhp^t{TGDOpVn+l(f03QoWELqu(toL`e3Qb6_)d7uj>CCF+m&!3WTW$zEL0YGP08J zf1y59rDY}M|In8CJJpA@>_1k0EE_f}j#b}l2{}B)1ls;v<;n^#nkiX+7c-yz8>aL9 zKgz*jA=>{|5B*;nFu*=$T}PGyBeLwj{%IldX9Uz|8*14+{wLeNtg~6c=_`;!7|Rw0 z!t5K!d6lLwvE;u6h5p;I=|3T9KVAP-Jj1_GntqK=%B&_#{~74y(Qj4Ze-eWHN?v{j z9hpw;=O?DfU_Si|Oz~^z@mt*J6Ic8tsN)jQBO(5`$;&@24*z>>DyG#A{)w-UNpK$z z7{bOKW`lOc!j{C0$Er&BpN9!8?e)*79cC!#Tc;i9yk!h%S?RH;_ool}&rJTU&SODB 
z%V)JbIg54w$r_Qhg%#Ylibe#c$~PMEKcN1Y*Wxd7DgFc^_1~fBBxP3d8vY@Qj)gj{ z;G9*3)ZZL@`!wfYqKJJ#T4Qv z5h!m2GiCyYV0N%#yugS9&tIl-*uoKVcAo>Tf3HFOH8?H(&rQ}i`mN8U@8z+2kn0~L zD_C;-|F>2vOIEHB75{YU|7TD1lLh+!p7fVs5n#oU{#zLEALoHcEb;As;qX`<00>IU zO0j~aEHB_ceT-%0wSu!wBV3#uT!35qtwjNx-v6u(A;bLhH`x%trdSc-mR$Pt zt!-f^&HM}6{}Vol)N%$gi+}&gwgoHbxq`92)k5DS)~!g@{T!uYqG5m5m-sJ;j}=L_ z(yY9Ll{vP{ZGYN9_%loRmoSE$9E)zt9I%`kyewosWeTzYf2J4y?}Lq>Ci|CD%FFzl zDL)xf|Ai@8Nix5KMSo10zdoggxn(Aa{+9;o zQ1;(U`OoD+*2eyq2mb{F0>)gG2U&M_Sq?5I$^V@^_;05C=knmUxrO>(=TIO=oe2%O zqF1x^PPwC9RN*d8%Vr=@Gb@U9mRnae*`fgsE6tGQl*ncNNB*8R`R9y)zd^gMhBALT zM|&XjR)hy++`O1YajMRsdcna(#FJUP!7L9GcLf>;n0Cwk;L}nO*)j)txWZjl9q1g~ z#tFG(Ad1+0s^(%2=jjf20blu4mIa0tU(pBBuI)WVY~k)shuo3p4uPA_Eb3hT1qwQu zkIWtkX09poVdV!Qp;gzZ&P?uhb$9S!R)#LsH;Er&*2OK=hXVHk?%)EFza_*qP@s5( z)$VYpQ*_ zm2X@A#?3)pL1izfLw0p_M*|iAiFJPWpv4gwgpHRcsDfoOJrK&-=3$q--bqT5cGyf4sTk#x&^!6eSVCc&qzi63%7dx9crI10oDB*f1#e}KE^4!1+QGYRF4w)Fxf z6yPAfjn6Z09?E!Km2_ijtQEmy zP}joL4l8{B)v9>WKr!1f1*zl-dr&-s0Od7b)d&735E{8JZN#I?s(J;8@O#G8O7$(V zoB{ZE>hC2T|1S#AmwoZiwf-x;@ulA7|6Sly2kQ&Ki~^#cSPPBF@^W;qy{>v_ta~n_ zvO(}vjOv*O+w0Gt6S~2DSYP!SZ$V`2{YOF;7Y*01eLyU@%ji|22ac1cl%gdiePE?o zG|a5{J93F6G7f1s9y>$7C%I3?xh+qKa(vC&_1nMsaiMm-#`d_!rhCt?S-1J?A2-B~ zV}6Ufuu9MQ$jRO^F-+!}#wd;d#uIX+SA4bV=tukwZ^4hZ8c>+fI+ufaiCjP@-MLvz#+N7UW z*?q&o;~0~8o-B=3=(bB^-DPBXN^Yz1Y9yTpI~ktpX=21O50l z-DUyS1m0CPa&{LW0mp+nJEPTTFuY^0Vj3ybbl)l)*}4yq0N&7w5?+M{#{Z{NoMejW24-S);jpR}^lq8Ow{7`hKPHEmYwQWNt9x@hWr>qk0 z13Gtijz8%Qt8#9`(ZmSJah0l{GtHn4?t-PR^kM)}6XxvoHsI<***IpI) zQAb<#D!-o!Ty@(5Z2q7h14+G3*Pj@-$8$m*v73^UdAuU5nn{-HQ;$ z6a-#-R~kOr@_3KBQ)N}K7AA?JN%!fwa&Y4Yd-d>rVRAoN`VKvUr)3o2OVS-Nc4+-w z52xv`;ulU?b$CxVnuh2F3>$TGpfPG^N_@Rqz|jo*5(C}R%5n$d1C?v;9NlLbNS_XJ zHhAw zR6lB6%yL4A_&#p)r;QaNX`{FFlv{s28$%fl3_K~Q=v1#;b#A2)OUPIkz!Nt|vHkG! 
z=4GUFhtgtKnS}v1Y5Tc}o{H{|Z}qa?4e!vE6SVZKS2sgM@J|OLeMt&kb9Jr*u|C0j zeBM2N;~O~tHr@{Eg#U&1Iz)NrVzmo1&RPO%_PTeQ04X3GWa8j*}?7=ufh)=IMDa&_}Mix0>c zWC*u+4maoRYdN5}Ptj=_S2g*?E&|r+gdo+`rrPR9RX9j(@Wv`cLC-nJwo+rkN8-*^ zw}s5)z=fd;FVMRf0kaDOka+0qVB%Q~QozRt0=0|9ry0cAp3v@Vl69K_yPI8q|Ereh zmV>dLhWmejI_tz9llF5y9Q<~Ul76#SohuTbXIbix&7kwj1k}k7*s2*qt&&}Jy6+Uc z+TEt#uD*To5^O&UCzrj&Cc+ZS7G!V%=TjxKtKYqOOPLd|}fLQ^S8v^_je zG~84$t3I}wWd80&rfBAm@i_rGX?(v`eIceUFklIXyQ4XGNReuNN~dB`cUteOhvsZQ z4u96^M~JaOxlDYhq#C<(Y9TCe};=DMBGDtl#-+O?15izoY^P4c*ct5=P84wLV{ zLn&hyv-NO|4P2aqGw3r}wWpHSoG5>?I8I&^WjAfgg2m^Xtqr&4BRz(aC-Va)?jehg zm%P8oE^#nJj}vN>DluFmN!rSGdQ$kjl+>gaY~Jw6WYytI!uXFZ&V?O0-GT9oACsM) zpKkrW9)(F-bFzGIBTi{j_(3`cgNkNEZg9N&-8i5}ZE#;dG>!|(uS^@wZKcKgjXy;_ zhN_9zIz5svH_neR$Cc1bbGxInsBa2hG-CRbyd6$HqG|;>w{>+bQVW}l3LNz(WCN#U z^WmA;jX3$c-)T>!M<|&$G792g3q3sDBQS<9H@CTTCwZZcY&*8t!$aKFIi2al;b2H$ z49~VXB**3?n0QpuX95{ME#B?UxlgIeGfzp4{ny@N&sJRJdK#1L5!65WR;~OMk=8*D z-oVbiHFaCV4O5YQagfYGjN^xeLB2EOMYFzzhw>D|aPJW0NK;02T>v;@tFhflrAB?d z6O{rmg%AgUw@)qT2_bciV>7MHHj=U_j+z^f&>NaU)ZLTMCm#N}32R-QD!WUxoiV4d zQqz1aJl-=mM}7N5<+NiTNNvWCCbhG!H=9Z;PN_ur?@T{*`?2P}r2{Oh7Ym%LHrtU$roZ0= z*?c!Vy;HN1G8)shU?(>}_#n4pAPA{!n{w=xU)ns(+4ud0O*tNAk|f1jS_w9ktA{gR zmYKH`d+4UJv9G;bt_v?*+;(g*Az_Wdj%L#>q&&Sr|NDGrAM$V7?RuPhxMd*#TAqs^ zsI;S!ga-}=8K!C$mq`Yl=grBuaU?6gA+C!-?;_1t3Gbtq@{wZ}(Y{$1O=8oWPv-di z!Z0B}{%vICy*rz|zKB0A!VNcSBTy}R49cPJS*XdbnOQ<@L$ySU5)3&v*mu!7XD*8V zI(_Ia`{@WPwj5)#9&)f*!+2rIm~-pTQ+SG_=Nxz3+|@lB*5W_XWdZaiJW*r zWn1Ibd>Z@KuSvcp&fntW`VSE+u`ZI_gU-l{M?5g6UhM<|mwE@C=0R-o%+k}N{Z*_M&+zGwus z9in7)8pPiaI<+^~VB&LxuO6Hln*;cI$&wJYiIi$n2|6H`7b z&8A%km|`4yuZQhCX5I8yLAz*iO8w7cMfQvr2bI6)_oqBZ)lcj;Q18C7ZXXAXKpQW1 z>aKkANUI!Br70m1QnbB5{FUBiewgAoFiFfPJ%@98*iTs9b9#9vn9Fg}Gh-k@ENmWrQ8s7~cTq*7F1r%C-MJ66x%UL9bQfgh)i{}^&3BDcQ@sXvH4xCej;WME0mg(t z`NyHRPFxO)cAQum8L2!Ko$cCPmhg1O_&VP4Bzs3d7f+CyFWs$jPt+bG-`Vp=#ubP) zzGX~y*O&q9o_s$*gev6g?63W3T?fX3aN%NR!<-D)#gdP2v|8u%paiOZMRahN)1l<7 zYuD5YeZwWK!&e$Smkz$3rX0xBjX=&6#_CI6p@u4k(eg 
zFh1%rZbKVp*`F9k82VpGNzk6+GlTvrdY{YM;m%EdF9}7XY$;#|xA}W)+(i=MBEzt+fpH+W=1RCqhH3YcF!l{? zr5BHM2KL4Xy{HCU$~9(eo-}>~pZLsI>W8>S4;;!9@G5TD6Vo5EF%54L5jt;B9$zjM z_^8ZCNs9CVSTx@oPmdI8LR|dEoM7yX1rlSol(7%6c-3So=1&Z?t8pqx(JTn)+i`N3 zwJXK+Rss;yxdhl;Xz)`mXk6nC!`U^JFjQZVOB=iYFWq8QbpD<+C;vfHpi{NkNjp7b zfoWuh(C$<#7lEpH0IMCTR`D@Kb`bx=%Z6fYBFDT>tD-qHJP+R;?Gh}G?j)dGvhh>+ z2o8voCj&na;7)n&w0qciDD5^PqDpcD7n_mvM>DRN)DVHXGmmsK1_PlFgpV7%97+rJ z=d%%G5ALNmn>zIGk-UBxiT5=;o8@?bgWWXZmVkT9NsI|;?r|JFy>kjyKhYXiB?<9A zh8|bRuiS*f&1OS1&!i*`pQOJ}2yuzLUuD@L_bj*sKddiHeEnc};TI^$jIeE`$2AX2 z7@{1>+?u9pD6`2}wmi3i`l9?`bGq5Bjty@hhGW!3^@zU8=eL5zV?E!TYW3Gh4Ivt+ zl&F|SP#(0(lUz#Y`bSk8`7`cKY0IK9ldlfuhW56*6pL7>cU~8)qSopHkBeWdDD9!} zIaIN^(m=FJQzD*!>^pBYHjbM{m^8M^h6kOLbS^qfrYpAXZkt{;wd+1HYK(^sZk(7L zvva2s?-tS|HL3xd#MNz9LQ5_vtVw?PvotCfg;N%h%!kYh#<^7GrGV`<|)mhb23s;*7SAIgR(+9enhugYff*m$nf}O z{Kph?F1u>6m?_;`BeXR-w+cp{3Ww(?Q@T$m(M-+GST@N77V6Z(k`u20f6TA7U54gY zkHZ1W+P1uLR5Tag^7iLZHl9hQy$%=w@}qxl1k%mR-~nKzoP;ZV#HmI|kcg=d4}Bk3RoM7n*cAc+W@M>q%FRC7 zE9z7my(d)6&ZEG=TDaEhVF*-bur8!X@M5s=P$HkWeak)kTiyUEzPJimS^doq+1r5k z>ydjvX}ZCv)r#6VQ#yl?wY?(_SCtVY@FN;E-8Mg*PMQ3`$)Ip*$(9^hZ|}))lu>+p z&rIUAqP6cm*Rn0G?|j_?9R-XJCAdOe;uk&~%%xPXtGZ9uCo3@)rgGVY{dRWPKMz6P zeMn3n#&gjHNQ~y1d&mqn(t^IB{D|D!$H{>_dnBRgUHW=`W)En{h$*Awa>+oSCf@-? zBa4!tupMK8ZI#Zj>FVZi4m_nn%|lK2Wbc>A59UJYHj;6`{bIdg7Y892+IELH##9>#Al4$8{kNJih zN<3ZS3B$V$0NZuU8BM{5>T5b=Vz!WW>f(lt;;V!saKPniJaE5RM+ir`B(Q#r$5#;? zZ)>buqpWXU@nm{EJr_khM0;U9u&v_}d$EAJ|FnF!i1FYA0B^x&GR$Y~|^siiS1~ z8uax%jyv^O+Kt$M!jJ6N)lQkrnAE;d*Bv4d$C3C}EitO>yN>i8P~JHy6XtK1G!llN1tvEd3EbxvrJ(XZc&UeDb|X!DVOaHFk=rT zpEmbeEHe2>+?}VlFk1-`eHYYYLpZV^GEdXPP2Qq(a|X)U52gmDgnO!8yu_(2$38Iq zde2@i!|Ic3GlSjR%T1;8A53bGH~`x$2euPlxKHuz{KxW;GRwfXK?Lv7f_4`(uOaYL z;R9*@@e7xA36NO4_=~Lo$ZdsdwSM? 
zIPBV!Y4~0WS$FSrdFyD&#D<g%@;cr!Y^lI!^-h;w^$aUTQ7%#g!dS zJDyi=D;jM0(3*a&omLG>-qplLEDm)FXS1Z?P3@;kY*NmV5Z$fP^^g9R9 zJRjhF1&w^<@?#T*ruGaVoNO76>X;-A2)Mjv8{%q*BHOk@KRV1Nl*x2ag=vYAsmEV# zy2rcDw-pi97<^?OAN!;YKbqHqVmQrlDpHPfvpH^iMhFR0aV84$I@17m_6Q~y=msH& zEp(L8jjnEf#(UCcMiR3%e6S53V{9beR!G`7Pim>NDJCgEJt8%pK8n1x_HG><;8uYa zw8XMP1IUfR1N+Ux_}%vI=?W;Q$L^}8V!wow=wh#Zx}#r88=t;)e5B`OcZBdZrniYG zr&|Mr3CW|y`%}`X2V_9PBM%MsS6TawMd=FK8wO6>oKtXEYP9&o~948ec zdzx$OB4FUW(RIdZ!%~*0)*OTyK3ob#ez8NZCb&sR>WV-XVe+(z%A@TsT_pC3ZTM;O zm7iXxO9!4(6PW=w;~mC3Pc|CgMbQCD_^N;Ujg?d{ADb};X|kX4>rG*Uoz@Te!xbk_ z76hhD3QHScfiIp`CYe9iOkDIT&=a#NlH#*=@Q@Y~|268}&SU-4P7!qd5&h$Px-id8 zAJ5G_+^L(Q`m+CFn(t{;9>aOA&1Fo1&D5DukIQ&A$_|@V#WWXpN!T{QORO z?lA7=aC?r2X}z)mqJ!yr3!}1%$BPoKnk((RTMMAHVl6vIId4T2^|q1jt1v#lS^61L zhif^9ny_@*c=eZN%SKp2A_YY;lj$n66Wt#2z?A5ct9rWjU{cJFEgZXk3)|D474tUI zJFV)pNBB^pxO-E&nX?%u``6fR0uO+%g{kYh&D2xYVxohanD|lq4^SDVvGZLvG^2Gr z#MHQxA`54av&VwsH8it$9f@y#W5% zdRIZ1EP78zHx z;97_!1sAiof8jxF-Yeb$zJ95Lh}yH#AYesCj_&}SI`1b;R=Rzx)n9nd4WbF7i-?hx z(B86vb$9z-MW=P)g{wsxwibW@#@QJ$i;%CV$$Wf$8N>v3UB@Cqu1ydnE=(qUmlxwwB%~du__ScugQO%|6RS|ztqTxvo3hN}@wNsD zUTZ8T(XBj~1K#uE3Vd#|j~UmAFvpjg<=GpY$#;bAl6EwHG~?N;UYj?S-)zl(>wr!b zDz8hrnDG+3FgwxB6r~}%-A`WcWk#xiS$yWnFg}g#3a=S4GGMA!R<=QJrYkV;j&gu6 zb+P_|=E3&I|4ngl#a6%J=w%dP945jP~SCmLM z%RRvE*|Yb-&AukT`p%cf<|mXc@0crTx*AX?hLyXFgi;y4;c5W%#1l5IbjG(IPdEw2 zZ2jf?eZM-l=Q$XuDMhh~`0uX?nCXyxI4P8gdwey2tguTt-Ktn7{mkQ^YGP!?oWh~m zb5#Y*&{$esy;`G&AGyTmOpfiTmM3mDRNoC3%!5VrBIKItfIG6!uj{&O=N;(I)YyW?;g((0O-`67{XuGnafzDAxEx7J(!`%#9{lR&G?{OjPvNJ-VRtc(Y!sr z+A%UB%m7oqSNLvu3HHOySuj}I>{R=R!du~MOsv)Q#rK-VlR4*an%6Gp0#F8rlH)To zy6_nb-gqlLrD@{~bK$Ib|NIzdGQjms(gt(RYjkHqUz&B@&7H>L-9@2TZ-6YjG!ch6 zVf!6u7iH6U;~o_>7n~X~Rc`?yh+ELdW<;~bgc2A@!1J|AcV84N(`QDs+&@P9W)(H?05uz9(3v*oR6t9PX!-04yfXp#|z8vIZmvqH); zRoq5Ha13S&!lWbqMT_$zx5_v7cEbTWyPcx8eVV{Ok*yF|@6z44O<`1@{nkhR4bZ|a zoFDg9`={Q5bBot!nj7?A33o@sOb8{)z=z;6b`Y2x zxfPW!Qedp_s3u1r$*aZEg5nC{F>KEa)#8lGWxPgP++hLJjcv*WoM4qb=Kg=tZ{>lPSe?8dIstVcTBt3}FVeLBrzkYZVF 
z4Q&Twd+XCHmSBA~F=PMCyx5{*YoeR#uJJJoGwxyM%JxmUAQR1i{T zefAN>T)|%okV1s3haDHJc{q=1ZxA*Q6L3$_e-H zs!>gQy4I8h^L6@;WT+j;4=S~wJs-jpT0Sv1)hSFvM= z)*b8{*m>i%a0Ie6uxBiPI19s=Y>&&yqtpbax8(%b^N@K81a|wpbL$4a@V3LInKdPD z$E`7uJWZ{~GAMLTh{$~6)l#L!veLM!+#KfX zTr);yeP;C?GNI#yp%CZ!DoFtu8XRBhUR!nqB4*j?#%HQ;eli6+X-I#4vM(BnZYxEr z8BeuUa(rhV5RAZnVP8F??AY~$qHT4js6DCHr;p*{VW)FPT(BlisaQtu*1BYk0mZ}Y zB-A$P{6^DahaQjogPGbn9TL({13KMzIy!9bzxJb~qesDHlEmS z0$DE;m)+GrJlP$+!Nu`b84-g?hsEW$hv>OAKI*cDpo}6SknsWD1+ZD+)3qXYBZuxz z)mSG7XoVB#Wn}hwAK?!=K}g)o40IG;!Ff@N(McH7r|l|`Ur=snIroJPoY1)LyC37s z&i9kg+N;%UeH~oouq)mgIVCZdh*m!Ncp&YabMBF?ReX+i)fvf?+U-AZnoaqrd{jHc zsr2zRg&E6e-LAReQtFtVNY>~aP#?1Fxl$iV!IVeiC(Y1(W{S4PKHEx0GK(F{ZRmS` z0s_2Y6wR$X*BzHy99UH!tZv?7PrJdOfm1; zA7yDcaq|dPNXsfc#y&YYj*o5=>!Hg*4Ui+% z#qD;T9ZCTk>~|mF$tO|u#tT}9!?#C%={amIefBIEd8x~5+8G|fC)7~*qSN2YakC4$ zpkOM4SCpnQfH2$lrH%e9feo1FjwFqC>6FAPS($GSB;z}RPsv8P^e2pOdc;@9{*}nv zZm$n4Zxy-D;AOXAMfMm#uYeQPRf!V(a+al6k6!|v9Ay(SUmVyc+y26H9^gbRDBH1r zC4rV^=iLdMsO@2et2r%OOMw&he&(pfFRQHQbpmjrF1ZpozP#g0bDpIzohV{>tLkd& z*$6s$FZVisaj94{TmtEFGP40S+^actQip&OwRbmqHK%2lKhudK+Z1eHWjzThpmSq4 zhHn+pJ$uh|qHqGaL94BY1013B=F0Z3Pijef!+;Y-q1_QVv6>V0$43d|VCIvatJ#=| z9?EQQc!-sE>;9T($%DHC7bY%=kyhRQN5XMa5cEeL1n{-p$tV~OTfVj}n1injK%V76 zJl4Cm$$z-fmO}#in*wqvf&h4eA5eI7i$jrR-SYO=#acMzyA$U6W6JT+w6YX~2f`(l z#KA=xne%P39x3vu@5jNmctcWi$whvQ8WCNsBipf)Tg1GX_*$v`uc%EUp6WSrurYr!5RI_iKLQhA2NQd76kc&jZ)^wlLegsuF64w7mpxk%FBYUXCYwy(FNW*90|xc$EEAK>kFRjn4dU%Y^w&hg!OS&b-#OnB4%z9OcDjsK zS$VyS#~(IGA4aEHYL7v1w6u@6G9ct#lhu=z7qH3m9Ynn>EHJ~%0HANIAT!m;BL;)4 zo1GaVX1tLkTQWTbw28_lV`9vFiyRvoh^AE? 
z$%nPdR1P!}=x4YpH2JX~Zg@N-C*P;L#`ZeXdPq+Ri`Pk#)TdVcT!H<`brl7i4}sl16EV9xeR_^^O~9Ua-uLD2 z=KqDH^+mjKUTKpxr4(8ylIHFR4-*{+2S^=N)#3TUcTj7t6&W8JWWMNyn?1LHXl1CT z_YGBJ37w&$MTd&dHmP3@vY|TVXUyDn%6t{<))F=Lqof_GX`4u8aMG~Xj)S^2qV8OG zYwk*?QL76W`-`I~+C0Kdb-*r_Zx7z%-6BZ)HLEYvy2STnOR_UXEq>>-GdJFgZQL36 z>J{va)6;(2wTbf+AbqnPwd)S~(i1BxzlhfJi}R{HS*7u#>$JzNmv1e8AE)H!?Se_7 z{}$po41rv0APBzIWy{?d}HQiKp#JJ1Ml_ zc_B2tKYsGDj6E$}d48}hd>i*D4IZN&zsH=Ip;kSqmXLN2ncuN^=Vd#&MsV?3zB0Aa z(g1=Fz(Oo7{l@aUf7ut7!qGt;(+%LSsC?RW@G4;eiL-um$84VTk{}rAXw!)sB?TJC zNl)*I`i!-T>|i=P8Sq7!32FqRt z8iX~cO}D(W@xHkyOLnoMb(6aC&r>`;6Yp#%)NLMk#0kBmOvOLKiICDdTY&jjb~uY* z$X?n*sZlWV>!lp=+WA7wd{Q{dn8UNdKoikf8b7s=R#VSy3Tg4{30?3V*oQx+Y3T^b zW|Iy)Dk95%p6hZ2&y7^vN5NmLjttc98>Cr`OjcfjdDk!Y&a^&J!Ug8DYqiTxh9zQ@ ziE_`XEUXn}?-S39w83f`BY%X=wiQ8Jd(;|RYN&yMyJd&_)O6Sz(x~xedJKLd=b;Z; zdl+s{&Q@nrYUYKug_LA$?R^aqL(O;`0~fv~O4 zrH9+eh699_gJj7=USUG>qi2dd9SVNL(GdezFvV&27`+1f49hb{4 z#$Q*rR^EJg*c7&Zyxk_kc>-zFS^6Q3eT+PD&q0Ky@$%wlMgQwMD-Kcv-lWSpHx3>n z<5^SsGYs1o(fwMDbC1O37a?b`MDGEedjf&2`GP1A6|T?~&by^m?@QnChvui-eu z55lNpSId8<`zRi%irl|1NDCXW7NHj653*Azj;#}}KgDcq)BC~M`6Tqf3sPl7FqRfA z`o`;MvS1F#6~=kzh7qtShH$6>CQ|ljL4jtsx$s$`wm|>AKfrd=&Zi$bqche{CE#t0 z;kOD21WNiK=JXyTH@+TY5A8CN5$lkm>{1Fmy-1R&1Ga@`5duYBn&V&~>o%2WVn|8CWmJ1)Tor0PZw4{lq*0 z8Fcx%-d)iD#vn3=|{+v6~D*M(JwQx&WE zWbEO;2zc+Bc|d%oRm=AwWG9q^wBTzb1(K8lK%j^W{F7x>0$@Ho{u6(JAhl^gK^1wqyA!li? 
zuoOd9;6@+E!0A1ewU|d`x%U?jrzxhriMvlpPoJz2P?)}q#16b6i0cNNE3X;rYSNnz zgpIYG>@$lXZ6zwRJNI6#A~@Q^49v*#O}G=;XAf>8P1fDQ4s2nRs}9ReJ3Hk~9?4uc zlbQNzDlISBzQwK;>1=&wk119bIFdn8KP;KIhjfEH3U-dH#YXyU&3CMm47~S{8byG|Ok}?%2*##* z+=hgOh7}5zTc!mAUaV}mhg7GV0{CNK1XGu*0W!7d$DvW)%7xh41?=no;HgR!7-R#3 zy6a!bS zMW0=eu^qc!QffqBF1Y@{=(FSrS#$|oTqn(6#?$5ecKmoG-glDROi{F2uyTL3|EbT- zylH%iOe;?DvRKySOU|321Iky*r9~9@hi8Mt`~{0C`UyxLdG!cT9K3%_)na7AIn@xG zG`z{<8o3~vw;t(f3-jR_-rwKz2{~5$#269}QqsBsG+w1WcFvr9 zog6kCg7P&jk>Rp?G_Nr2U%wdZV-SxtC1*p(A__{Q=iV)HD+p0i-^5Qm?x(#9#IXEBW_1XRR)C9g}LrU1I z8Fx%lC>Omgeg?6u&3rT?{?KzZBNq-AeBzmwJhay?m8h%Cvd{xe#2}YKz(c}B91wViC1@3P8 z4DFXyeN)dnqY2&opWCpmsz#{W+FSqyCczai`&h0Kay zJYSXM+h+rrcF)dxu^>k-X1WrDJUTtkd%x9@4PvGxMFxyN9SDBvF(C79rgFE3b_;;1 zW6U+m52L&JWKk{K59r?86)6Ve2kyCo?W?R3s`(u$2Sd5Bytie7A-ms{JPias(2(#{+$dUOS%5MVd8prB87?3oN}!Y-IbL0S{0O^D9$GJ2 z;!*drJR_L)CV9n?6PVX{x)fR-LAz6e)USImmbW{zx(RFBT^7_moR;NM9WHzssWx*Y ztfFUM#!d3++B-5irPgw$gHPT(s3$kYwgl@2Xb!z7$lk_;`!0;Lc}gqt9X)r#ePjs( z(H1^5B@j0Q0G=CF2Vu~j!%gWunvHu+hHSV{i(V!|_cx}wJCRFfwt))3SHi!1T#6-T z?VW7Y^^J#aG&}$6{+N9lwt`ohGG<0@n*NBW2DNliOtj#(h!dz)BDLLj6t*Z0)Fu9a z0~veOxS_(C09t$3HXbWagN(@WOlo~_&$Pg z>qwkH~vBGs+jBItVU!DW|gn6UZ5DHlgbX zMqacSp%KJxV>9O~@{TBmUXoBa?w|5-F*NP))zaIQJn6&L@r;E5W|GXSg6F0xefbv7 z`j})~Jr(BNifE0p&sS-`Jt=0cXDRJisbP&tvZ*$`oK*VKDS%nS=#5Ir@ZMd)qktuc z&xk<}a631D$EkQ@Pl)#@jbT!84zLrS2)7@P4Fx)^MO76EoJL-xoALUBLs}>NomW)1fgaYuhweJ+`hXa#pf} zx(~MBa{qeSK)=8U68^qNmUAeI6BOcPH=0;9;w6n}I-SUL=(UFhg5$SlC4B&MzNBBv z^D?7Zo%uWfC?f*g`N2U|+`qU?f8Z-K;OVJWtNsq+%RuPR|o$FGP$_}4UGMctbhDkpLTzY6T8jPr!!lJfeXB6 zFQAj5NgqlhFHm2$m)>d5)`?XcecCVqU;BC~IH`(@ukXSWx;BmC7@;#BUGZ$!rxx48 z{D@+A!h-}$%U&y(@3I}(RGeME;aY4mN`XGHi>!xTETTLveJqpIcC!%Dup_Q@!*!_k zZ@S*4zXWcbplU^lWlAW?_#&T+0^F!1zmf7%$oBcIql zlRk?LAieRqKp>?UL;9WL#~_QvhVOh3bp4%iL%Zr|HCLKVrvZarQ#(fUFQk5m)m#`z zq}$tcxh=>GD-X2F%#trnaALi2r=hrt2PdkOE$9PpE^c7YA$cf`(n3_b2_E<3b<5&m zX}C(!W64vpOY*mS|LaCd`X1o036Vg(%beBo!1`-lXthWe;1!Rat6i7#M5N%_Y*~Gv zPQ6Ky+O%rG~79lg~wx_<*M=*p_@p9@vW&=Eqm 
zZ-n%nFQGpBjx&9Xd`t$v@lpA`B3NNf20zn~gFQ z0sxbmO;p^EP&J{EN&=~;f$H09%&1gBN6?c2o)wUsTExijQP8P(+ZD(?5D=VH+RGJS zl05&|o*~3Ws+v!9#PrXo5y#vTpda_t`z6)QVfRV+&%!=hiFwr>W+SEFEkZ56n|&8O zk7~@nSmqp)22l1{N=@->KsjSgA{k?D5Kkq z1+gsG*#6P`q&P}VTZC!G`@@PrpRq^dc`P62H>EKigDb27{oIA7_(hXz0rHKl`$ zlidvp1l9Vh8gMswJ0s@p#g6$5D`9uknQqCS?rgZd4oj+3F;-N3yG}gq1Qm)=hgtMg zF=d2#GJh(_d(buW8`V7DfK0cJVk6;q%N`4<=(Zlt6$INq3f-@m+wCE955li83<<3+ z%awb1`x3;ihcricYGE`mW~@N>xqE-Qa;;}t>D$==sp(dJh8%)?DqtITfC)(Kz|tew zNLTw`>+FGH2U;+~Hvkql>~n$~?c+a0o~TXm$3!0EsqD(~7uXquoVU&rj5RU4ckEyv z{YLCeD}HE;RKuJ8OCs}i{Y1#@kp5K{N8>()XYXO#az2GIq0AyxsDrIi)~SHU6GYL9 zi0@O+3zF}XF79SHSz2OEyj2W8j`$h$S>ja>;!0C`UNAC_0FY{5QVmG1DW(9Mvtj&3 zN#D4Z`^>BQ>j-r{-_Qxsv~h-N-<~zNFf7)Bf9EFKInX;5CAu)v=9GnsQ>IfALT%{^Xh_Nr z?p(17)xr*G?s1TSC~|V*PT?o zPoNy>>?c&^5-1N+grBBN*2ISd4E}nIF+cW8dD4A)s#OFM+V-PBJ6P}7ysnX_e|7$z z2qZ3c0xP>MyXqooHstPo*JI?6$Hoz74H_*X>ba=$@%W9?mAB*P_ew*Y{av&;NZJ8~ zX$KXnX{hVr5AKsu1)0JSO6y!smCt$KOf`(irwhxr)e@7G`DPQm6I8Ich%tO1rdt00 zAA4^d7WLNs4FiId5+b1}Aqvt;BSRPUJ*J)hm>7U z?OZvPTlt1TcK#a;7zm@|*l&1FUs7wf>?p%ULwE9iX*lsw$cU@l^SvlzU9Z}+sukF_AVbwZ^ z7Z~c*=TG11Y`t?)b5@(f%MV&&Xb8~@Ez2aalKl`jfsWIqR(Pkg;rN|C!92k#j*AAp zS87W4kXAJZbuBJ8b20OAIbgBF$(hSMp&!8>MI1u{*)u253cB>QV;b#t;cDfdMsu6u zp#nCED@;oYt`6GMp7PBVmLFY4#E-P&?zD{yqZIc;w-(&`FQFzho#KnuMS=wz_8~3% zmfOznLNa4pYTyb$f$^!CiAF%FA~jV$iHCHP!qoFUXEsJO4z&G_M0DEYp{jC`+dzQV zjfgDn1kQ}3(V2Dk9|To|tAAcWxq>{We0eXr)_rS=V}_?&edf(*xLcbTh38b!@plLu z%|T+E>4AS!q-g!5=-FqC@m3hf<2hS#QM5uPCBn%9<#}lpyMM^msfz&YB zqXk+&29;{w;%MZs*K`cjACyE`G&~rczhAJ{rKHe$WP*IJYNpVa8$HapVjWkQBlN6w zzgv4rp?LbdT*rc;yG;^uUu0{_589J^
?xF&*5CE$2+Xjis5YsNaxbxgzKq52X_ zl(zjN0qr(5K1x4j*EDOZDC9t@V9@=Xvh4xbIOfhP}fRE1GJ2de6*J|`rA&dt;*KwSK(=Yh`Mfzg0^P_bJ( z!n(ePoIf&5sJ}d|mhz$hh;0G2FCP|5n>+6u>k=2ZmD>fiDMzJw1hSzP>m@za)}84K zw`Mlg<_}UGy1;vDjEYdbbNic6M=ia1M<7*P>!X&Uj&eR8K@>N1au?%)X0iORrjzV> zJfnh6tw8LGZNN3*OW}J(LmEoQg;x37)1D94fEAvF4iSa_$}@QOteUsP$%Uw<8ttEU z&r^#NQAXUe7uiv+My->mYNmo%$;~6teJR0&V?3tb=l7gx!E#bm5-p*kqibG)$XK!2 za4a_fxm2$7IL0`}GjH>@xBEvjTaGmq;&w@%gi_^VsucW-K=RM(@^Qt;-ZxG59HZI& z^NW>dcgD^eJ1{#Y3Oi<3?Tz?rcW;`g;r*Q5U(lh?U8(TSrFpG2k$L;FnHglaSWim( zP}_J{lDZtW^HIgT!0k}d>P>HV!&cwAlF|j`+vZ#RzR*^p^&?&C*=_JzV$PAFoKwUd zdr0zhWzR(vBPJ!hKyuEe^KrY|e@Y}00LeK8pqH;FY5*HJU zJ;#e2f;bBs+DPq>K{Y2G+;gk1sotT_E#v4g+AxF=BcY>3oUPY6RdkgcJ^x*pMn+?V zDQzhErt~XRi1R^;4nQkq_^PHClEe8sERJb)b)APCbqHN9TiC52W$LTC(v_;4BG}pS zzApXzICcTWC+YtrI1m6F0BK{=#k=^^9!?gblAOxM?3?)Tj0xDTJMj(Piz^roI6*DH713~NGQFug!#%4by{le^yc=+1K%fK=Wob$~0ft|)?uKEh#pbBs%D zM6?I)g(I;2tZYmklS)P{r31{fBADr6$Vq^6SOg%OF)paRGDd;w16YAouiq93dy&z( z%_iAm;?CfIzNoUAGzYOC=5t&E#l=DTpuVCZ(h&e#*%TgRpwfwMSqHFLY{YNo_NUIY z*ezriwXu0`tWsJHSKC0%_Yd1<*-`l?A+|!x&6F)BzbXJFMm$`r=3}Oj?l^yl$&+do z?S_{fZ5+Y$o{De*oDAE#OHiY@q=~kztC?Gf!$;r0S|u!Eg1CuD9hWh`F<>jVu$^fY z5|eN@JKmsF`&wQgZX+^fFy=Z8OR?hWZv)8}JXgRT`YN6+Q)}Da&0gmy7>P+af&t7f zm3fwO>H2R=7Wh}6Kly2%nVpB#k8cR0&x7@>ecYa7Bt2Buuis`(i+}flK5MT)ud32t z?3N3~zXaElyO{7(DLaY-68;iTkO=F!zK}^vG)GzNZ9^%l!dU}e5)@z7bAWkOz?euS z#rg!H9|vMe>^kyS;C=i2WnC}mbZ+SZgfWe%De!C?5U8nTf`aRS(7~2@bb9W3;28mn z08+XogTZ@O3))Gw&98ztmjIm zV=eNIx{<&fU(`JA-`55C|BUzDIZdB1L~GhSburlwu9D7H+J6%>=edUD^mxi(ydQd0 zj;RdEDMY4T3Eb-}>cnq!8@9|RRi`~TvJs;)VI#{I$kr;#q2d@=HPK7zli7zty6%u< zXJ1y(N4zi~?#!oG_e$AfM}HZGtO#}SSk8VEhaaNv(5)7WW_R2OJHo9K(*k zp!)zuoWC!W$nfx%Q-K<($V}f4dE{V5y|W*RTKC^&nCE;kd3{bOR}<`DKV`e<(fe$A zYsQq?y}IsJLgTNP@`4mpXf&Qpawj^rYZk@>594DP6DEm0d8$B!vS+HbeflLHJfrsFlO)FDhhn}5o`67TbQL3UO-6q8p4vhian(iT9jmp4^}8}p_YW2nxz@tQ zx;*TM6|A<m`lIFCc^jMV=l0I zpB-EyroXRmm{>m1NfJy2NP^+D`I+i>?#RYYBCMoA%{z%$S#Qjk;)O-ATQZk*kpI)Y zBxOzi^J|?*G*_FFL%Iqfi}LP!!7f?Ghk(hRa1A(HMn}Q7DZh4wxU`IY^C`&DKDz7;d55| 
zAMPi7-H6Go7Fek9oDfGhwiFxb1IM)Y=_ZRNo3bMK4_ zoON;C^Mf-iq`GkjGKQiAfyP!UeZl<(;JV~>`_I(f|LQpvBVN%R;zvyFk4A}$m!``I z&a`H(3fIZ}nZduFEZ?*#x%J>i4Z0Pz+sWzVT6z++GyO42tV z60^Li`cyK0S2=y>b#=+N*qTU6H9?Kd$L${kgP5rmhCF#-6{frC0#kkrPH**;v7@N( zsWT`myQ)sLeF8WgYqy4g=Q?i{nj4m>X_o%%hZ=-cJx36-Fm=dFd9x0?1kbx@$Y~%< z`2691rX`dOlBwxR6%d~;Qd(E9#0EhxDU>sdRTPBMd2Y1pg9jK=6a;-vaNTqhpYm_Y zD(09gF3=Q?X+V;BZQ6KMSm%<)Vl(c24Wy)p{Unp89jD}Gfg8#>T&Nw3;WDM>P!DUZ zr3!E>6x?;q~qRA55jek&r5^Nw?V5SGR2%y&xT z6{rfQdex6?in*$lfwd{vKbxr_csb~g&coP@`O?pR z`a=a)!p}oHo@52k!-Qzz?*#`txYSirDAXXkjIJl#$sYl~%!s-f_G&Z+ z3cs`rk|h_HKiJ&>!A~R{fOSx1bFYNB3&cNN$}0^^)umQTP1cOfScXg)Bb}r5Eh0fa`wF{n-60c%uOnsOu)L^=LlBsfd!<3o(v zlY;wS3u6kqY)-7YfTvg;tc6V7;%>+B^a_7z(yPhWQqpIPhW*PrPfP$$`g`d`rVEvX zHG&r!GNmqm3toPEejXV46*1l_I)yKKNyWDXn@wx;G|v7@ll`y(bqt3+hWXT|ruskX z*b@!GAFqBgk^IN=_@4}kLuODLU?VE!{-5#)?qL3S+g#Q6U&sCHxBs0|;=hE&`7it6 z{`ZpnR}}nL6kz>V6kz}VKoqphlgn*ALc~ALbjXa8Lld$P_d7z-x_vLQPgb9PQRCzmikztU!VulCfIY3hZJyWvX-*{xLHuvyZQKE&N8i7m>t1Z-nt!coMliEYSHg1z ziMllSAd$t*R|@=`64Y_BJ^nYE1reUAxZVAoxlB~RP|*M_D=rZpo$GYYmnEtd0tzRw zi>zRKiQE{I^kbaq^?#U~<(!GdZNq|Y+CNQ#oVT3ro9Xo8>AGwduYNkeeS2G@*Zsv= zFr^BZGDGp-(YJRvGeeL##<)fL2wcnA>A}}B?B#H3Oe)Y204!Q?BK`7Di}v$2fu zs)WVc?pTGsaH;_A zKM$N3KGsJp?#dYdysJ@v?46%}k@(MoPi~=N8|u+cv-zu;dPn9BZV! 
zJmVI3r>MC|gHRfZ?yZvST<0iA;9-Z`mk=ldL67}9#ucy5xRHyhgI_+5EomGcc8@g$ z<(_NK(WR2AFgDU*&R*@>65IX6QXLfqEAA*EM6umoyM{|POAe?+H%Acr4|qcfapH4n ztCm||5!D^+QOqy7@E)-vVRD?ZN<#dbh7bJ^74{}niL8*$YJ532)Q6&>z9%~=#*VxY zMB?fX1$k!3!pzI)LMCqsMbH-G!@t^M#8Q0*!Kn;(6~m?7x1!Z=K0$pA#T_iEIBHd% z9BmRo+xD6?`W99W$2`Ah6gUme4HeAfGpbIduzlT4Ya=xj=M(T)uo!95Mb35*R|)Iw zDE?d>^dGIJ(|bCd*>LeOXS}n#%Wg_k_3>`y^4NPg~de;c#q!^!FsLpn%ux&FL ziz(Rbu+dS>)Rl1zv{|5Y4{pXOa);R}sJc3RH>URORDhIQ!HGyVX+R<*6$#gF$Ga~_ zF`HvA>Gz(wzz)&i!08`xfOi(Rr{IjK-TegqQGxvfiUXjQ#q&{BACYASkA&RY`ik{Y z#HizZfs0SCI6&KoSx~~lmit>){^tgiD^s!R?ZxdSL)!)mS)2Qtg zAKWyc@UAI+VgPQ~2g@pFI?KnEj0UDA|akVv^rTH)>Nffy4I@)D4|Mbh&aY2TDF!HBRa#c$tx%f&oBmLHn zYuSNC)_eP6u3QBmPE9*rIzMkFBPpv9KDUUh)pqC5H?lXeGK}@H~`L}tDNp_=M^8oo_%WR;D zF1@%NxZ0a8=IWVV4PsjxUMvvy1z}7Y?jZ+o7E$F72mX4JCCs*%1Zc@1DnCpMi>IHY z9J8;M=Z)vBW|>cEu*I*hj4U0Nc7xIrfJkv3rRbdThP@onMp^pvwocy8JKJH&8GrDU zo@vrdOLA%320UJGy4Bq`INS@GHfDk>L@<3V>Q6#XPBw-I@R@^D=gft&U6AkK_b8m% z57db<#RDLG{pG=8tGBQtQ_XkLbF=SQ+xUCi&|X{P25(KUk0?e z_GG0Mpzz%<7tVR9a{mjaYlv)unCPGfy0wp| zfAc00YJTW!!S0u865?JxFHsQ8zLQnmd;_v@ODOYCZMB<*gKih6T|DlBz9H1dX$i19KTEpgb-tNtRcxeiR$3R-MU2zq zXU{^C1p01u?pVi_m{paq95a;gDikW5lPrbeI8yC)}#U~`BmXBLmJ^^ zs^yY^cZged#n;sZ5LNN_l4D^y4_ImP z^f>|lcyT6o;`LzSd)QhTnH)x)WKAG@UzAqfEGbe&=%>Yj-y71|jlFRBJFKNxowsOd z?LRq9i-I!8-1a?3{i0{zUvN}vAz_}`^Pof?-muxd;P@75B@Su=5!)EloIbqN{@I}e zbUEMi{KqbJN&eo19^1ny`bWt!*q3a5J~r`s=KS1k^P;Pnfspr+(gMEJv-(yBFQR|G zvErh!)t7|aMHhQ6&kkm84?ulilmfh@TzKcq$2JuG!6?3kxbG}Jv!{Pe1e6HHVW||i zVMBMw1O$(`r=-lO;PELW-q9O7%so)OVGG8GTK$l$BV>suQ_azi!870EFCWg}9iZ{E z%ji&KpeAizOHywyGjLTguzLc%@0C-w-ekM@wZ12#^dO8Ob6qi_s>+YJ8f43Uh(~dd zpcZjj@HL5AJovR1Y4JTOT2E4MKg2}blhV7}&aMJArytX>AVGBvK?*sj}6UX$WF9WHpP{-DqOrI>cfy#Q9Gt=b0Oc+{YPWor8Qwy`DNQ zH>LMLNIm|%=+m8ikWuajg}bJ1HM@2beo%7gO@^;LcS(JG+iC$*mRSfA{HugrL45f6 zck2B}pcGneUKYrB{q2w}*?Kw57dq6nf^?*SZ|WuRcZ`=Yh8D)}*rX?|uaRC+eY-F~ z!41H6)~99B=yyO3ibbOr3g{oSfp@D!Hmgiu&|b#KW^QR4n9EMbKmGtig0R_9RV}HW zE9l^Z(C5^$DR)#gOMSKkItmbBu$KkiJIr^b_n~7OiY?){;y}tNcTj-he3UC~A$V%k 
zzkeCji;nBZmHhbX3RSEYm=O4>!>b@X_1^O5WN*b*LDpr)P1EZT#I2TnDjF|1jLm>_LZjOf z)`Z26);@v~J0S?7aIT(O<(rN}E59=Q{OB?e)ZQPOnEx0b!2~;F{D9CV0{BtqKW$J` zW;{R?YcKW!;XC(q^~gaowCrk+iwJv)2vvHmD1$H?!SY*m>d&lH3x z&6>&&t5I5KsD5coX||>r%{<5-D(86~4!Y%hvfil(ShaN7@C0JsgRUqpxkmiLO(R57 z+>t*vh~SHtC0i?Z&YnM$wLMN-G3#IqiinzE>K!vJKp?1>>SF<$#65upvaoXWY4dL+ z*pWy*(S(|3ZJ;@0W?oxIhnu_PN0!B19T&TzD#VU;w9e0sezxvNjFnV+=JRrw8R?J? z+TUhGDB0|2Id1PIP;1o=w0XV!Jjj?HMCZN}Q72RmWxVQ)CAtwFeq!!gX!}BSK0#}N z@8b=up);mscz>)R2F_8h#!$U(*$CxfqYh12gt_2I2*3oR#03zvnL|Seoq_RziOicD z9=uXZgWQhzofHa?+i}EPEA82Bq;K4h!?0wMBI&49=Tfl{ zp&zbB>K5}6_i+ft?aeV+tSJ3(oUwBDH&){&RHh zeep#z7eQKri`&j>3A z)fz9rzHmtt39Q@#tmb3RoO4PHPL1O-RrwU+lodS3gSK-;T#Y>`;60GlRLRA05gKwH zI3Hx|FL;h)hlY__LUW(PtE+Ah2Po&8^=*~h9tdvii2xjY$4DPrw}^cUcyP0$X`q)K z83F1i;Xfbc5|u|WP}wi1%{wOqk-Kt2hZ~&%zNY0D;OU+jJtZ^v+eVDhIQi)baLvs8 z_2ZsZDLuTxrGX+sC2=QZp#^rRzo>W~bc;@F80gARs+=YfT0~hKZxn@60wUADERH_H zhkjQFH9C%M;*Kz?FXhHvTAHeOs(hBb+z^o&V!aH!z!VXQAUzaGm_| zDh}$R1up((+dY+Mpb(<(1C1-g4`Q5L z_o0QnCSLb4(1?rxJbt37^nhW+@kqEsj;Jg zS>2crtxX%7-joX-M-SrlE4asPWxddMRfk6oZ#8wbVvmm{7$53^20PpJ)k4jYL-R;p zOGNia4pN_Kyq$`-0zm7)jtvM;g@=R|-VV=zsxFo8)5>XxQrJR(MSt)aH)DV`P|fQn zjj@b@S^ohod!Lt5dCmlfn2MXAUM>dS8gAkc|GEp`V8&xCUbb)gAtEVOpoY(}s5L?l znVO>?VO%X>MKI5;yI&iI^>v)3c*}Xh|^rC_&`*0ea|IyA+*rey;0Do1uJcvj#=KBqdy`^a2v+SKaa9%(4`u=3RWqH zY!L!U$~G1O*2xS()}o*c_Xf(1{3gMx&(9UcpSae&eR=v^w($+fj!@?xx6Fn?i?J$T zFwtana11Y6tH2Aw#cjSBi}VV{M*>w6?-pmZL=84~5jQ9bmE2|Q8H_>aO?x~W+z-H2BFfy@S?@RwEk|R8e{4G1 zxP>7q6VZ8^mUUkj6G?b*JVenge}yrstMoyt zxcL1LI$<_8GEd}~JH@6-&OKq*%^|g9lJc`?LZVbb|KeemI9P@R9h!Vx|c3~NRB~q$a;GONgm_s<43!*@0 z+I{zI@TH3v+o`Mxr7jF*9W^DW4D&Iqzd3&no51(NsOy=vH#*qAmg|j$>mlPEpfOUy zm2%FReVs!Y*hv&n`S->_QJ2VN@$vyhs*?rGA4DD=U(PlT#bMV;egEi#$8%|~^nt`2 zGsDfI-FBhuiCudZ<6)g4Buyxxe|SLT*E%s)&&3ek|Y!!(!!^>l)6$bethWtg=)D4LC9N2 zYsbk)#K}#3uii6brPGI?RN9jf#Fluh7{kg=&Q4~yyS3%?=%n3nAT7-0LE#23bjeX! 
z$_fxq8YYkL0`q`jVY&I%M0p$2AaU!4@IHZP#;CnvP!%v-W>)w zXC9Kich}12ok`Y!#~E!BroprP>#I zCI-7I5R)ZS%L+ncG$Mqu^IN({vPj(9qEmy-*=9b^Jd8!7^2gH-^VD{_dO5LMGq5ge zUgc9PXtkY5*NBi%$tPxcNA4PVQ7hz;M5P@L#D)PbT=99942KM}SFn=nfmo!7*VkHw zTp33r0q|>_gE_6-R8#!k=;12v@Qy+JIn#BB3;2?h9K-l6_nXO;P7mB$VwnK!LPU3P ziNwc<43%Yidtuaz{e{e@wr}w_yj`X_6x?2VQ=D*$gTdAIzqj1h56qhL4EjU+g7n!n zjwq$+EeIJ91!o|!_ZZ|)eh}2z@lor~sgQYrQ>jb1%{2L;@(bRFsS@Jl$WDdksO`2{ z#&p7iqx##fD+5u<&J%WzL=~9vv5~)4Yhyv>&iGrhcuRPLNjc7nlevtAf48?TzN467 zizgl(6wGyDXLnSf?~7sapqH^Yb@nq;a6s=*7;lm2&k{zpz!LU)99fNb9xlu@Ex!~= z>CsS2?kbD1TqexgTT^1y`Ig0((F55IHUrY3Cir9kJ1y7IPA4`R@6T`T znJcR;+unSu7QrQ<8{*FOy#2HTP5D-nk}GX5)meKY_C{<*vH1Y>o!z4MAZ+fwqLA0^ zUQ7LFfS9yCH#y~aczN$$^q0_NHd3cKWj~3^PFyk+WQp!gkc5Pi5c0_Gt1_1({5`9x zMj++Q*I|+OG9~d4hYzcpczNkE74K{RoBL2#HsmJ@BgAO zL)aZ$muOIc$1)&W@T#)ON@l8bDARZ(>BIWKnqi}W$xN|Px*HP~HpYTS7MivdxAM)M<5}`Tv_qCK@82)t&wl9D3 zI^`Y)GC|BOIL~?YbhEZEP6o0(`{$EWE~O#)HSp^B6E5&TsNcT$=h6curXR_Fs=_47 zPQ)P93cu9xpL1cb20IU?)x2}ceWSQ11N}Vr=ab4J@X2QO!mTU61|Fq7q0X+!SA&~> zwoY)PvYNvJ=l9e;E)*Ck!ZB>|=IE4M-V%d=t!V}G|J;*G!jpl%Uiu?wylnt+7PNZx zg?14=z zdc;`RBY-$PMLE^BzXtZUAvjSIakYU-f3^;!11Tbl@N{Z$t-)nQxa8j6`+dS-I6EeA zT?T)2+&*0pxV=Ez)R~+fF&0h*AWoKzPQcjjfk((rWUOEi<^8|Z!5Bmu6sJ?y{8ET( zx`rEnZ}qqo5G&u3QVdTQB!4o{o7Pj&_s2>hss2511>*^~+fcFl|K;{4fW7jVPpNJj zTM4jaC%@Lyg@1pE-we7FT>?~ zVBxUd!&>8zywb||dp^SJwyUFeS)YFNy~w64-6k|~uCKr%>OGf^ChYjoS@`*E*y2#B z8WA;DyhKo$$i?v(XU~_$r<<0j1j@mX@$`(yNO3MVndS?e<^t#o*iTCDg7T6#Pf}lC zy8SYXx^09p-uJIDl-ApN?J_M>q|bMH3h58P!XnCAwSO<{HB+L2M!I6khP52eh0`CBy?Tu`t|9x=6!-U)mAHt@w{bdT4uv1<_5ZLcZ) zW)GKWZ^x}m&<~7oSC<%r%YRoPi?#Nq`_J8l5SniEfxdZ6pr~Ua3vny)H6&{Pyh{=O;%Btb@$nGQn$ogQZRh zA;Dk=RKkV&*tfqKG3k%GA(~|8m{Iwha3fk{oJJ4vfG5;p=Wyq?M!D7NE5c4stdSdx ztnolW<-ns+l{$srgWCtGOHJA*7j-%la>Szh?1viFBEML-30ip5Vl0?4rkX z?C++qGd)z-_~7` z+SoX{$n%ZFObRg*0$=SD4Y6nf8f=Vz3hs_8e&c29ighUuZq$s_jthXs}7sE<`O za(_;&QWWPEbondP=ww)F9h_>a=aEtcnno(UlaJYOVoP@0GlV-z*S>w8_H&`4WVU|s z$D~;%mw-5giZY#uXo>j?G(_x7;~zCFZRYZ2Xg^UKCcmyxJN)KM47>0mt)L*wbmJ%q^E)ANd+ZddUY;9Mf% 
zxbzd5=M5$J?6S2Iw4B#>UsTSktMg61?~B9jk=)~#F4HkX{)~S%$Pfxxa-AS-`q#hs z&=45ChGru)V<8W;t{G^?F1ZhHGbJ3u_$k&n{5|hdoX*EE`Up@4{+w9qF6QJV-cdYR zThya2xT7IL+}*SzrY?de4BbY;@YXmQw{La+@eV+}KRhK25yN(JDlYyKkuFXFt?(cD zauuZV6C2c_$J?8kVBkJ08k|1{#JV()Y@t|Yzcv3WAMZeDueM7Z>AaL%c}|Mp(*A0k z#w+OUMdH}M;z{9x1O%O|b?X;Hy^9Ak^{m%$bY55Dk#jTXsojRntc?lg0%5gFXX18B zkYqBzhZpSyl>AN(5=92KHBYQb=E^+$=1MrEzhHGh`2V^*%%;$Wv>wr5IO7K3NhysR2!p|;F-MfO!yBtc+ZuGex#A_UmL#USDvXx9) z08qPe`swtU6QaNv!fwF%QHJ)90vE zHE`JAI<7FKu1uG7HLmUb#-<{2RQwRn#@RoF9%KT(4V}Bxi8%1-x`CO6@D(&B=9-z= zwIsdlAAG~x)CmfzZGiiRmRkSM%S#;Bc&XV-;W};at6sKlLY?bIz1BiXOHO;bA#Vvj zz<3{%YD9li9*UuWYj&L!1aYlx^1)lV3RGYvnm4pIlL~ltrN*=8|EHVL+_qnoi{()? z?|!Mz{o}cqt%D?6m^o?1xloCmj!>&jx>OpUFH9a-m`pi9O-o zUq=n@D>`207Qx9p@4PW4LNc%i6u;SyeL*x{K;;Ch^*qzw8~SG6Nw}7UjMvzcWxvHS zpUdP1VW-T5-zakacDr}WO1#acZ`(cL;c0q{EVQcD?*vmTIM1YQyv3Q@o!Xq4X^LEdy@NA}G`%BL zYnWIHxFnNRNMBYgol4@>SJso$`@w$UOzX?#(nMXk&M4i`Awgx5BR6${+<|Kf^2=7b zvH)qTL0-;JsIgFmwd!u5PYj}vos-jcPQ9cHsR5F zSCFT|D=6A{^!+gQn(Rt(ks7<}#xP@tqba^{nkr?dDmP`b)K)YDC2BWr_t-g8ps|vK zY3l1E(McPXrnt4H_uQ;k@e7F$ko65AcRlih`73&B5ylo`4w*#3us zQCw8FDvwHtG;CyJxE18*jB5~mC{#EnZBb*n=t>y&lKZ7S94Fl;2HWedK6FPkiUT4NPErsF%7!~t+O9{pf zEe4GfQl>vhCd&s)S(osS|70_g^BBKzi5L1T%%!mXm3g@FXxA{a{o-+I8IywSoa;S^ zyH=s~!K0E;mnRz)aOZRH4IhRy?mAlFE???K3#Y4Z+H|b@r1I?V78&=yQhRB6Q>7yL z+^&L`YwC(o@ooie@~}7;q1%X9g-#dxTFsP&_&o^vqv4moO05QCJX4wH`+zGKrir_w zLmr0&IC`w^+spjH)spb;oZ(wP>{5*$#|k%zE!d;?Io{6WUD`3=X4Pe5Uzc6lg>{qq z^dhy29}UNsNYHsDm6D^RHe-#lRs_oKhaEaFXMQe}D(^0=VlTAt%5~?bS!nv5*=Rw?Wayb0u|ATaXl&`?5rgl*Mo`Gd+f)h- zFGGtWN{+utPs_p{MtU6t=g;-ugS*@NLv{@m`o7tRpIhL$>tDVO#FRs7@$rEhf3ilL z#Z(MTX|ge0G}$GcSF)D(gIds*V8g6#c#1*yddIj=YM$MciR*k4bh7<*sB|})y?GXn zYF@T-Pe$=xHJ)Xnn4ESBPRV%<*$+b1sfai5dZtCM1x5YZ6xmR7kUGhLkS7L>5u5wq*jct!)1TRwv8cx}h&P_c%0rs%xrA72&Q z8N+#3m)~FlD3uD}j*OKRDMLh#2W1c>H7Mqe!0p3E=#)P<87h86VB@!)4putISc!kl z`5W(vX(djc*q@3XR$R;KDR#se*O=sOz4pPcZoy|h`7X4^^<{I$`DUQ~|Ca%P94B#> zIx&5Gx|o3yZ*|Dac(ljO+P?BAVy(z)(^-!Zp0Y&+-8!|Gu2TR(YP8PmfVt6F*hsR5 z3n;GjpyHn~GB_3$`uqq 
z&f6L3+pt|R^L4A#=6_n=C=1R(j_t4(8(c+v#v|kox{lm9WM6;Cnf-tN)xW4R>g3q6yU>o}S!7h5}#>s;(_Q?rXT8 z*ouX$bPN(zSFo@m@J^)yT-T{yc6mj+(D9K)vcoIN zV;61gC=X9XqWP?jM4UFFrR(N8lEx;Ua$c!He7QfOneImhbK32sUA^M2*5Cs{vK>o-9_NkOa8XrB#uz!|)p3w3%4h z!?`}_!wy))JxLV_v|e(=$hGQmvy~)0-ed`r_Rpw0#L}NGo|8`HY}Gzh=+aUc2WnPj z8pODgulYP#lf495h2HBguwWsk;s^uSqtUr;JI5d|?E2-1)O)=>*;;a4(Sg>WzFy$P z0HvBXBfy${`{vEL7y#t_SZz%z-Fa>rP^uN3z||D zHGFfi4N*&ot=ioL%G&EY?_~Z#T9a8?g1Ijrm(7J804y*SIuhDU|1h+87eFYufunSWu-7;>VUT|vcr-!}O*(YiKIug2HIp4*1dt@%{am+YgN?jkcDW$tv zI%fQGPjkc@T&LwhR*<f7F-Pew8Tp zVz|QBM^^@rx+EUrN<6TGT=3uWM+XznI>>0m6_S-!$%QN61FUJ3ksh@fGJ6`wk=MLz zICle8(3>8&#CUuFhITUm&X&Z(K3w%2t;DuXA@I2-8A!7>1%Qsz@~ww7GgJ%{G8aCP zqm&txo-U4le|Z-gra^A*Fx~PNAbBg4IImcLY_-3W$&r>XCvyc61RW@{5riVh9i7(w zyRYG}7jZ@ulvcbu4A^dT(uKp1(i{BzJ5-#Atf4m%Ww zj!9|cxdn7(Xv(+cJkfqk#eQ?QO{jH3H7&=r9=3mfYf+p-+;V^=Q(!r4Zzdv~N=;2p zhvCs3G)OVmq2kuHyf+Jar9sl4B)zzJ^9jQv=)$qtRbl%Fg;oR1AT?RQtJdmAqR${m z20lul;U&2CWgp#^=XJ=(s=8*vs=Pf4UsUG04FcD{i36U zihr;@31am*m)Opw)tTGu7%B70;hUyOQv>W6*Yt(6h(5f5}Q zxev1foMU^?A@t2vksi-#?LvnBe7T}pUUo?(zXCDOy#^IE9b*rT&rcYm2zemDJi%BO z+gBbQZvMC(1FBaLcaDb!!=-oq@=+Ci97wu`u&vg%@Q;4$t|)1aCQ58i zf_Of&ckfx1>JDy@eCJTxf!HC4%-on8a&$_Q?+1{0yh8h`t((-)Um7qT*cWWNG)I~8 zJXoH<#I<_vu?1y^Q|?u6q_JfLQE$bKw3I04T9UJlA>LA1gP`@P{n74B^XgdjuExR@ z&5^BS)Dz%&zXJ`{nrLmx^xJwKceAIxz*aR+B~o!qU%kR=)yc*~CLe}C2j5ti?G(_; zH`Tv3kbey105FT@KN^Eph~qI2sjFV8RlHv}ZhK!+z~*HLk&&VH&m z<;RWCFIzG}IJ13*Zhf`9!RvW!hW_j{tIgcV27p*((O;{0>ltVQEp>%BsxTcVP35z9 zm)r;k_qkvuVATm#1s7Pzbq_l4kQVQCI2bIwaH3=SvKq9K?DD-+dTb+F&)zU3)tpYu zL&#Rh!n)r+SCDX4zZA3pz3$f;xBR+^O|BaPvn_oug0xZIb_m}lTvQi+AkV1{zbL;_ z%J$JOHY2@zmrpK~7-x*Y^m1?rnvdTR>`c3>tSJRICCCuH$^GHZ-;K1}`HG0Om?6BemLcXi;8C2%qH2 zO%TILdF34!^2*MVljO@(_MP=@i(zIJUMYWF%T(6*5wD-hY(wATui@xEe?lT)X6FqG zEt(=ZwWPZ@l8!GJ=cU@3myChb{hQawn4W{E!T0uaIIbY%5sB}zW_srs(V90?X=i3@ zH|6qNA%W|H`a!n|tHz|VnZ0m@WBd8r=S6`&MXPO0x5m|X!KH?8Bvy1IVG~*_dpF-1 zi|5iX#2~FBI{5GGqg*)JA}f~*Ca!0jO0ufBlO=mdJ*)J_PTku8t*<>ygr}KfB~Wlt 
z$xMCH%Qa#OeC~C?u(kgxnsP>&o!ZCTj?(tf%*~gl(s;_d(ax8O_Yh-o?aR3eB0Lz+qJY z9;Km7V*QSSbl*m_LOf6Xo!`(()$9*`QQSc{=scwf`SuB}Ty ztCo?RTOn6}H; za+HD8jQRZb0TWYT894xw{E_SPVd%f9*B^!$#dmGJ)m3PiNjOkg_WTleFwxJfzu&V}d{sPBpct;s zbs4M(Co;eq1c1YM$Da|6Yg|cWPHZ*`glMfTX_~oo9=@}iG$ktzq-<(>x6A#gnCC|8 zLN&8&l$e4z?Khyx+dDS&&bMw`(YtD!w7^(Cd%F1?irLlW#0%g!fOfIrc7QzxkMP+s=*mtvW+iM z5LjDGb$4%w;|_Uq^Le_hz*B98pDN;}8!>F=k3kcS-HtfWps_^$HLl6{%07 zXxROTQtKNj*5;_zIK;FkhAi@4Gg=2hC+b6^fG+fRj3a_#+L=qpihvhgKC_Momj$gY zaY2OEx@3;o6?E-5V-R$IlTU#VdlVqgG}3T2SK+Q5D_C; zVJ!O)j(x8__8C3p`d80*)8yX2RoLWxKzva;DryFHy?~2A506tB(k$d5-Ctx)^$N1@ z+Dl^Q>UpNG!YcE9?vvY=lUliL+YMXvMbTdcJ&}xL-6li1PQF`X$yhYa9d{u?ezE&j zAcV1f7s4q431S)A*<5ju5EU#y1O${6kXBL}rKOY} zQmJ7;LOP^Wx|<;eK^R)VA*4}6ks4qKX+=W1L1N%t8@;}9KhOQXf57|8^|?L>d#}CX zTxT4|aZ+IK2l9t6j2=70Mx+YjLd;2}6Z0 zba9!5NG?3!^6So&Hl^YKU01${>+SoG>CuI;CSFZDB|iFiaJ{N?2dHqVEeJVGNU%h~?k6{*FV1ym zaCN1LBr7rNp*6z0Kg(FO#WqnDmYFK=0PD5(gQ+G=cGjjxdB?JBJQ^-FdCx z0c37ayYU`_+X1=+0iCFc0>Z@ehF+H#M0mJ=EPcZ4U!pxjg78}Xe91Pq%ZKz_pRl6D zxJDt$P=q)z3&w*s^q<3V5N5n?NlyNx5EU`sh(vP=GEvPYL(@iIRf5qCQ`L10N-cJOM z#}|n?_VrG&3p_@G$*dl&%&0_OL#d@0IIT$5m(IwL@wnlpLvw=kK^^+5z zC>;vtlM)egv_dAj)hunw6J(1_c!W zC0D+H zw+eWB<@=}}z$|-1;IZ8jTD{AFmJ|aT>Ip3&;bNIQhE?e|xoay&>dQ>VQoZXx=Z;v_ zxApN6$pMp9b-tbvH5|xScMBc7Vfe^sI20aCdPDHs_K=;U4p_B0Q~lA3>h9Z^r@#8( zuP-hQ!L%iCMaD&R7HcUSnrPLU_!U3Pk(@I5vtw=|h%|d|#;SGvP1OA9&Awa}%eC(x z;!voA1uvkjnH^A$f_AFECbE35*`LzoJXO$WF?| zU4_EnC9&x!3Oxlg20DlJ|NOwg)SOB!(`*x zL(s0?jJa=XVW>0{f;RysvE(Km^j3kJT!_4lJ8)l};5i8g8Kftk`|E>HrXDmULT5~v zf=uT2YVI_Jh;wG+W^v)qpdVU zU5rUOyGEtj9I}svh#NXth8G~uDWqi<)PpYy-W%W3kvLfY!XRH{ji7vo=@#Q+OmUs> zYdtjOqx{mizreMrbLMtKaYYw!@k}`N-ahTtC=a*cL=`ZKShSJV05#Urcuscw1)peo z$%q&P%Q1m`TUe$xBN#Qu7j)L>*nncxTnIe2j@cIZy#%XdmRENkzM{J6T%cV zrMlm(&!@a<#zq{F1CTMZcifp#o}EmW(?I(9b`O#39DIGLW)5{BJEtIlMIqvLuO&F# z31=_Srr$)lE)J@_1#n0jcMIey0=L`K<m*U6t!r@b1Dbw4Q41~;0!4ZINMGaM5mmq7Sa}<@WM;qGafFo7Q3Tha!{tn5Lp$* zJ_R!=sKZTkOd+rI65n2Y%I|&e6lHy}0Cwvl|Kge-mz{v-G}3hzxnq~{1btj>G9-Zg 
zD32NkS%Ls>L4!yE>=>-HfWHtoHT>6c()#N))`dN?t7(vxhHcGW$R4;`qQYgQpSAnZR4GZwJB#}1Yg}S6uPa%IQQS@aQ zGK^K$&H~_p#nItjwhsSzeSZ?*i5r8S_BTP!?8x@G%8tum9_I@i5H1<|>w8ldwWAw0 z;1$j`qg5sS#V{?e-IW_vp$+fy8^quhcyZ56!^PIGq8=rDDPCPH-{Mt?LL@d*M4VYr z1&)y0w6QT3oilhQS?Ti+*}g_s0fa}F>z!~@lPlPMp_VUd7d)&te*bv)t7X?>qti3a zq-Xpbi_m$n_0!l%XMde`KiFAT8)$P(9s&u5>x=yb@lQvq)b4W`1r_(AD=5hjcMTx&~zKOr+x)T?{0`dsV-r-4IJ>DiObQ8*idJ_kxi?MV_aDyWFO=+IHrz(=W)J z#+oka;@%-6PFYKJ=jEJEdyhaMFcBe}={n?l9vpe0?MMT1MxHw{-2{?`rX9zGQt&##_=-Lu<|V}8u2}y`M#seHM<||KL=&H zFUPo**vEV@M_*gNqv@CB+*32rzrp)A0$Efxhgau-E%Yr&{7F<8B$%BHTC*elvY1oB z9&pgyj@I!7t`)v4H$hf9MqXuNaSEn>(1%#>43kI`LWGPBW|bN}+GVB@*rWV<*GXGj z$pG^tK6JlOKdYD*gyYpu0j=p8%=g|e*a53QQ=y3YvZu4iOeF8m_6M{YM#?P{9a zWEol(%ZzooX!(T1V?FGftVFmQyZ540^(Qi}ji-O}=U@M3`|tQ!KV(95r3xu%zdJ5x z5^V3F56s02*$#4pV~Aieta?g9tiQ8+pQU9BUO_e8TR6C{5y-blN|z;Fq;oQw-Icxy zgcb>V!tiQ=R$df&Em}Q;_G+)y&T42Qr%qu)r5}qN=&aTL@ygm*)Hi3_1`pez$CrR7 zNqyo;YFA7lS*6rG<}a}vzN*vyeV!e)y(E2CNl-IOnNMxELJr0t4jRipt&4=Pc zSmJaj6E^jDG1qJ)u9X4V|A;ctU~==}!>u%9B8*}?!jQ7D!h!PL{ZdEZE^aKXWxZ6W z_j=lP7iY2xC}mXUSoEsMwI}Ms+It5z1co3^1RC7b9rnrq$@{b=<2HQhTX|oTpWo&d z^<&K%W=4TXi=gD^IM3-=-JRpzm2bLBj~>r-B*g8jtt73#^!_@KJaosd_-N3tiIt4U zO5VQUv1RBZPWAa*pF;h??5{!!*Kk}$)37@Gml4gn?;qBhKYBczYX^cev28kfva1;e z6d`c+Sko8h24lg ze*PJ;Zbb@ZP40_CR)u-20mcv1s{FoL_htv~c|P57NNK}>*`f(hJGP$FzN+trNCVED z2usYk0bl4iWduOp-Mj#q1y6nva7aF?ffc_I01m5N=_KjWD9ozU({$g}mO+X1QY0~E zzbqTW9ncZ>y|1mb&$8nj(ObtU)Au06=(SAZ(fyPvJpi2#V z&kqJmM!NKtV&(h-j8N|PE1vCVp9 z?MV=y;X&m^pEhyO3+DokH=#u6NG)s7t1!4OXLgubl1wi7h_b3lD`fG zyVa|n7m>`RjC*S5V33+=qdWxvhAPtKW%{U-sgTF&ZNcBnVghH`VtQ- zzWT?j8hazH65b04bwaCO8+~n<_3^hm-wIo$;k(Ug}q&nl6JT-uZNGi9_VbGk5M|1%3W;(!QFkaosI`* zbb5K}1UOi7?Fy}_X-Sf)OJ}riH}g&fqH|^~$Mi=Qyn0pMWF}^q07ar&&gF*%ex3u+j974xQ> z!-lJ0*ZX_{8WE(>I(%@M63-k8-|5$jl)&V@S1_R3aqinf>3_n&>x4I;sbzim&O*8O z<>odsXjw4$YLW%Z?EstGeWfzm?_Jz>79W${Ywg7rmH5`28e4pog|GO<(vD?43)blh zcBJAxQ%q_>tZ7ZC1SXTlYVJB`)V#MF6W7?mj$pe|E5Uu7wDX3Y`V_Lk$C?%nI>;VK 
zO~ER1>RmI_riNQcrJr`Q{S1rr*PZhP3O#1F*Uh=A2UQ|w_p@nY;f;P!bD;;?++Aix-6|2k4j4bLof?E4PnY_E-s= zXg$AOoN`@1rmc9hzZf&pf0oM*H}%GjEyAl^t|$;hx2q1HaQK{s8lg_4W4h;T`K6yR zqJzT^KoUb^sN(!N$62K8YsnF{cOmekyH?R=Js1z|TXmpUmK;~s2rj9f7c~QHuFovY zzEyxS_H2~z2e1;}vq-d6;ltckB6I{T<50!(p7eODjAv-W&%7b7OUbUNI9I9E#6m=F zib7$PC`h!{JSghquygLuLC#9Ne;LgGf=G_N`tB4mUXWra+0abMo&_s7#VM%i{=GSX zZG(G604pe@_2#{H*#$}GK4yD9!q>f)R>!FPD#S6e1fC-go(fu{80G5B0?#oqVjDd4 z9BD1;?dqVH@>ta4n*d;igmzPBS`9gto1hD2@A0$5{fth2Mc<|E`ZB*mL#+1Q#}n0s zk8BurD%2LYtqbiGSWtmQpm?AS2Gg%j`L;qyrpR0D8dC?#%O>}!0Y~vpg}S8~AKPP{ zUr&7;6k&~9@ns;!$HRUa%;)KjptoyBs0?@n``%?g_WvS0M&c~kr&?sU&{C9KXjk}c zeasnq=Jh2SemPn}YcjnMTAw@)4zKPsRCMBbJuvwS)-=MMzcp~tN86=-p=gI+=PDfs zeiXkT060jJ>$-NiVxAvXMVD1TB~`M=G?0hu4Ca_+w>__;@v?Sfg{GKLBF6SWcUF=z z{XFHr$+I()Z(|+Lt=f*{qn#Rs5oMyss$9M!eBOZ?KI2zcepxA11cjrE*f#5Gd`?&<(=4-Wp)x_V(S}pjlo&PZF zb!MJ!I~v^|Ebd{7QxLkb4sw|SbD4-%>}&ieT1`e(;K2RMWfp6@@l@AoWoy?Sr2*lW zI}W2&_XdPzTLryG&_~bYVeegQDnYi1?Y3r2)wt1W+hBIAblqn2Qs(t ztGwg30D)UOAT z6Dda1^T0D)lWLkQJCX?2)ed@3PcNIL8%tnDAknssK|=@R)#!5!&mV3{MD9*_YjA4k zJI1{Sz!qV1ER;FtzC^c%2DCd%%v?;haV0X|nNMGc092Dq*U+$=0DsuL#GtnPyE#n}nJmYF!EnrBZ2 zBeFvUOgJH6dkVn%OU#l5cQI{rK6y>Dz}pKL;16h@S;=PvrlG?$l8AvUlqpTGvOIqS zsDD}!-JvWMd|@}=mph9G{nKfGsF>=-KJ9sZkN~6uQN3*%rmKsdf()|=a-K05coPX-J~x$cB*4&d4e1}wj=ZO=jI1V zVf%uSu$HOD>p+C2j^1-Ur7#agXAyyrv%eRnF{O##{8J z@hL%h(=wZZZW_!a$w!Hb$smbxR$}=FxThHM<)8&Zs45x1|Yc zvQ3cj;s?mD?|5;S{H>MogHn8*d2oNJscDt{cxokSX)R}==nXL!rBp$LS(JH5RfaBk z3Bc9${0==k2d=0s2?|mA0bvT|v~tZq>D8$JTB!`WDWtlZ{4H;TH}w4u8GKgqY2eC( zl|8D&p98=BxTht`-xR){ewiStI)|7E41t}ur&y2+{n1zJt?|?oE2U_bw=Yf3 z!@Sjsye9sYAhG*G@?$A0nErePK*FVf0v@9xf!eCTLAAR>`Kt;5KU2K=xu1%1W9!=4 zI*;UU1NTR)Bs}u==_Af*?Z5JeQo!c6A3)amcp{SzRErG4uJW)k)Qf1e>*e2yzC^=r z%wWw5vL8wy`*)7HpA8g;Suz*kzo>7;@bY2tN;bxhp@;Rh!4>t50Z%8ZbQVkoA6~xx zjql|b)jO*t`#UN%7*7^l@{Z)ec&lcis%W(5ZEt5X&}ikYf4O}qyu9bUWHNU}boxZJ zW#?GMqh8h0p8IEN=3C~y!9~HAnsSs*g)MHwz~Y12>~8G0Q@ZlS-HA7ijbKrfKa(v) zCydN5{f{#HX|qJinE_BiBY2{6U^`fq7LZlyu!m5TX@1v4P5UGF#kbdYv~oJ|B{?1D 
zZ!A7^{Or{C3JilMwGA}L+9LK#gRZFG!c1z-y-4l*-QCUay5;{mq{@*#{AMi-ud{DB zxN6Fby@Hv*^M`@VVF?%(#_FqG^*EcJ(X&8MhgH}jRp2B8`|)##{NM7dQjOCL;h#~d zr9qN1h@9%-CcBX~0C@R#ie*bbkk`02#gFs(yuQ_O5ZHfUMBeU*k&1#>6zxm9pgEhO zHd&gOtIb0>!*6)HdoGxLaJgy@9g3h>wrFd_>n4Nw#(e3U5WRt5dLGVUhM6 z8V6*Jzk;V1oC3i@1H=ydV{ z?TCXfm1>A};Zbz_N-DV?vKR`Ey$GEnq9m4F)AMSrSU+1Sh zs@fi@RN0l|!WF+k49)i4kNhpGAaxW2%T95nPgRKAUi8XT^_j_t&u-PeIr{!d$<~sz z{zzpl6Bz>i$a-+M&fT6g#9_qU4e!~Rdk@rCJcq?&?Ka~*W;H&p7({x^@*e9eMpr|M zJB7EbNVI7QsFZK_B`9+h+JYkS%We%!W}fhm+~E_=orFO2)62iSGD9!oc4s?}Z!;DL zif=vzAQJ_n3z7H36N{>F&%{C6C8R98pBg0PZ?VG-OTkUv{;zPqd++bFcb5O?`J~-` za{nQ1E?yGjXIL%V>LGYZYcfp$t}dgG(PUjlWr{eU$cOH~>DhQE<}wBm{&|c zVd@{Fc|iI3#Yy?ur70YqT7{5*IUG*%t@Z7T!1HPO6(DbVzNcw@ur8;|XI~F*Xz@|S zfk^Z2@)S~`a+uG%Ht);WwO&x*Y4YIwrVa{X`#c5!*OSdUQ*toHgMt;rfcyfuzjNbF zASIyVml{d(P^7%LxrMoRyF~jTW2|Gj7nf%F3r9S_t~?O+ z9IatRfs#;rIz>ArT>w-%hq}{!qn*o2G+bmQWy1k&3#BJenqrz}tm_{vfU_@W2;8Cj zD4KhJt--&I%5EBIoU)lRnk{^8o!dqmRZG6!skP!b25$2&v1~cA)vXv|9(&>(E1PLO zdr*ft6y#FFUFQ0~s0qcrtiXRtwwk;4%&HQQ727m-2N z&>+PP7L@15OEtnDZ6W2N(~3=x|4X?@OW{(Ct$~zvw=$;tuGTHLd&TBW#bI7aYg7i5 z0zfp#nyB1bOGvg=>ipShuX#4t)1X+#X>{rO-G@+Vr57l*79csFBJKomXrbGLhK$Tl z9wcxu5to4)aN{q-uD7BI@1qdG;qocKdh0jSWs!`6cRHP&Wfr|9LwQ zu(+g;P9f>rOFt$hz8F4^^`605nuaH?AaY%7IN?J(C7s>|{;wZ?aB)Vb=!D`PbQm2i zrCOnkj!q=a;(Ci0Is(*iCp`a>_s z+U{-PG+M*-F`PE&yu9$EsGi-5Q}?p&2X?}&bXnDlyyiA$I$BTy=vaqKbixUslVDf6 zADUA7 z*SUYLWxc*n=o`uVPsUmvad`@s@cOwIaKfZ-%vpkKgbH){sG9k`;6enK7&vsj&o)Mk zzcL2t_nOhr(3~x${E+(yZq$86DQJ6&o7@Y)FYEt2Um5(d`P-0iu$<36(C(^(O&j%X zfPf5Z)XK2=9TY{)P**RV26pJM<{Fvo;k-z7u~ox+dDJteQvv!Qf6;oMC(6z%;#dv< zT=h0Go*7(M%(4|BzJ9Pw>WNt4rvV5`ksx@d1Q~>&JP|G-Jac|Ji#pXSwi$pYI+=Pw zue=EAt`_uD;-?-3A&2->Pp1V$;Ex0gqNw9%4;zomAV6in%{17CMjl8{&z`~qst4<_ z1@Z}scxkf96x1VbLfA^we%70kx+;jK6?F~f;MuH3>2 zzIoQ)$keA%-QNy!59`;@6uA6+XOU*mhn)kEW(s^pK|$1iKumoBK-=Fb=2Y+V%O7*N zh+hHr)8@Chl;dHmVdwAf1>e7a_l3J9z5c&Iw_RKva@CpQ?r(n$vjaq###T=RHJot4 zumm0C@bjYBYA@fjPyO)i4%xNakNvMp zdT9e)PjXq?)SN2;C`s=JpeSqE!?;ru@2e=`9LMH!k1^%s)PH*GL&HCnNSR~r)yd~6 
z^yR_u(r{r_0!Md1ujdT%*N(XRN&?tSH2g!&262s*FF8%Mh59zoporm99 zYL?I*j42Ok+2NE^x6XjOA6ptAdO@VUvBj@#AQ|=3)9}u1F~SQ?ztzL2CDaUz)J9BQ zKGnMqfpy{yCS^z(wXf^){`};TDv?!JDl0&4CjeP!A@q)*Q)crDR=i{V1N5GCR1G<6OxXG&%b(lw#`^x|&Cd`qoL z5C!akf15z`+tZQ<#m|ufx%MSt^p#|oY}T@;1G>YFi`3m>;Z!NXt2k$)LcLO6U{gwh zOFmUt6GJ_W-`S6gfqy@n^kuadgFR1G%EF38%so@N!^ckO-I&H1yvs9Jj7gW-`|cxo zuoOgRAEU_N(|>Nz%#4{tV!K~!qg#B{aS+CwB|rr#YLH{3cw21pYiV%Q*J;n9T9GIV1Nc8z`@W4CF*OqjfLnt1>Pcsb8KcRVH1Wh=Wp9_DHgTR@qd-w%4O zcC!|_E0q+^OfQ{p&9x|hL5!f^L7unr-eE{$s9KKKp>tQlZ??x4&Oh;MwMj)g@|x7^ z1K1AVT!uReB=QKDcyv=ptn*$B1M-N)_QJqBi?3G@J+BE0Qc1p}elZCKIv?*NG>fOY zH1oG8<4S*t5+g$0?(=@u`mpq^bn>B4rY)~P1( zY--aVFYw7JZH8}NFVi}MacJCA0E8rmK9AL!IeJZ@8{bonsjprP5qMmy0fC{V9Gj@f zf18c-!VX&a-q}t*5#2d>#-N{($~G&G*XGcwf8BrgK((gAize*!&2|1BX2QP=qIOW4 zQ+2%qh)O*+CNu4c@c{Rw1d>p`n&I?I*&0GEldr0lsDR`OJJ8B;0+s?D9d*5G@T7c@W6Ce+1jD$Ywrnse<69VBY zj`pyA4}efM$K~%5Q}JFv^z)Pj`Eb*L|I^I=+%hJ z(Jx@uEcX%>-HpQl5k%&il@=S|;0TD(LPSm_bwUXb);v>WViQRjAAVW77!uoxAtnUS z0qGfyNdu8+_=U=&OX+{E9XK>~eDDdj+^uTZ_!)FV z6W_<_)EZf7Zg2}|qC9y+4v2{X)2z+GThrS-0-JmUJGp*7!80cev+sU{!KBw?&+zfa z5uVvpu2d;(n}?^*9xLa5yXbqoObR=mVH0)wog&y+opqI4lTi;`VNQYJX%HFhrZj<6 z4trBHGV7QajCxMskDgz^G!v)<`^|L5$>+51!O2Z$H-Fcvarq^f?p%+dGCs;EIuquR z#AP%F3EMF4k*qOE?)h|H#4Gyy%u8oJfkedulckZwUz2f zSd{F;*ZP3ETjxB0^L!lt1}rLF4x~9O;>zhEKAw**pMHMKzB4!3&uz4q5+mr3uf3 zD7MMLOhu;$7C2Wk&(RV14U zsB4K(H|<7_?Yea2ivh^@c?uDT)~a-a@VS!44O0QFW3tDl`(O0*|EThPmHl2rU)nD1 zP>?1;Va9fkNXo+;DRFlrDnFkQB_9}?2GJ&SE`yinMU^58{Gj#y$;Ay3!@pBOq+^YV z5V(lx!t*a%zeorf4kxLBCe9j>0+>FsH701xJ&2U_EojUTVhvhoEFiMS!e6nwzMdKu z5*fT)kK%y2o-Phw#drN|sn!Ka&L+EG`)prw8T|BKL!ZR_;wR#YT4R(f@-$EyRct&~RweN|{QC6vq%*~BkiFLQB zz=Qp{i1Ibt^N_!B2h~NC5<$NCD)Wg+4zh z6Peotef|tz@gH9NG~?q>7&huqxht(6lJ)wt6ucMa{31P)t{W!8pzjBYT;N!sL|N`L zvJ)%e0~Y4s(XPy z%5lF#0dc-#;J^fQ3Ve(gyFE4RN`2^xM!Htfn1UE*Q#3ewLKZN#hfX-_0auy8`M&y0 z5Vu7Mc5UfcVEM_eWrB8Xd6CE9+K557yJ|FwvFsOKM-IeN6xSfBgyvu(kF|{~+-=c$ zV0q#vT2&!2G#M1oEMUeGYb-Q}z>meSf2ieD_@;sXT4wtC=l|P)%ch1Chx&gnx-K#v 
zD#@<<>JkuSuI){?R03R~1KkOqJ%*O(cMOWw*D49%3LCeQo64X?Iz<%s(q92(ycbOi zNJSijt7eU8)=SYEN5No*#sAE(V*r>dWB=|LvbKOz2XU-_g`&X3gQd0B1{*`ZukTf< z^5-A8=s|!}|83VA^5@Cm@8VmcJDF?1ipFRVbD>4v<7{kqrm09D6x|6RwlwZC}r&w`o#ws5Q@Dq1a4f zeh`rmxY1vL}P)CFBAIo!~RD_%st4+fi2a_PG2 zA4!eLD@qy~$$*KYQfkuB+4K+qS1?|#Tp1~uI`*4#Km29()NJ=d{Y>SHs-h?O#CMnC z-m!MHZRMH7Wcm%WoMyk21V4z16`CwfM6T9zntMmbY#q*T^ourqjRQ~A{B z*Ir(=jKJE6%g^$8>7jgPL^nrTO6cS2(#C0AOqWxs(;5YDmUOJ4oWA$m+p}L(puyR` z7cBN^4Ry+4_VyjNU0U$ba7XCp1;F=sjCW2?AsyWLf}oqo5eaQqw^J>$j28)ZSUdix zB{(t5RCc8kXB-~=RZE(U{I^;X&H7T`1DFmg1ybW$s|U@OD5c~llDV$&;yFK9FHPrG z!)c!^?JOF!H_z!v(DB$dnkKWNwy!hIpE=*A;tX$}wUcgZahJG7O1jJzE!m@Cqg`NS zGPE~7UQsD=G^V9l^Ksb8eRJ@g8_sK9sxUfYK}wr5vDErAmtJ8pd24ONFOHc9NkaFH zZZUX^FHeRax-_aZLCOmUcCshJ4rC9(wF18()9ei_{KO^+6?E6E(SjZQX*Tw+kdo?8 z5TPmo^-LMLw7u!)1%?OQKqCh}O%b3&zgN2wyv@J1m$mUUGgdR(I@I51XDHHRXT_Eu z{l$?Ze`>fsInrZre&_N=+Zz4GFT78VRie$kO>eV491I9!i+ABOeK0qBe0#%M(M=yn zr8)2@A0ytTvc?*0_gqMr7mJtj%kTx2G&XmysI>9u4&B2L5313sEXos0y!O47*57{@ z*noyP3T{ZT@4L`{sw%-<5I0k)$a`#o@?<^gQm~e~Xsa9wHbetYXA+rwju9;GQRQv; z?O@_uSw0ufN8PbDZ*DmfAD?4UeuaQ;$liqSrO7q6pI(t+O%xUGyel|eU^ zObt_cX3I+V9*mHB=|>&8Y4a95d-NT}&UPuOosv^|6z!gR@CEB7Wqo9+k`Nn;|J<&n z6{NiQx%z8jvOWUIOrsdBH1wz;*C_Oz)kRQ+dcI9Dg&fLw)|+$oj5;~ApOVfs}ra@e$buEgqk zSB(9egZ7L_heR$u-F0rQoux_kU8%j-74K&i5V+~ft1~r0U+avIx`cs}tUd2Oq%IfJ z30eQn2}^rlR$%>$=E~?!tbe^~vlytw3oXy5>i#$-xmnzOW=2vpQ1W26z2P)N9Limi zSkp8hAZ zfMPMaFfbdW3wBT7gV|%wPutIDAJMG0X=&n@oV&cmcUKbf7`%-3HJ)p()UOB&R4Jsp z(%}?&n_i<3bIG=Q)uTXe2=w-XE@iM;o-6I9DwdriOqXw?g$yJxUZ23Vm5QkBnrQG= zEUtpp=?*vd#CES&+beAy*!q2Ayb&b9tmr4s2G%u+BU(MC0eq1bUsO!_c+i7TGggc5 z30WH}Q@dRUdL}M4*QHXKqQ{36k2Y6|_@C@t_`Ic3XngBU-Q}diz4JsStKT+!YZmv# zr*Wmy$@EwYN}V1lw3OJrz6&`jyLa$81FqHWiPXkca#iQlzdhN-wJD;6SL<58Y$)ce z>lKfLdQe42%4b4bMl%2a?m0b>qWh7j4*DGETTD)5W7bXw08YCyfOfZr30|m#v0!;c zOCvl*)%tGY5+XZme@`4s=oTvg!9l6k6LAmJ&E{YiNX}3*{nP<}EA=VdAGu&XphM~Q zEV6Hc6Ek1=E>o&%uBfsuRKnR3eg{%g4!8+jIFL51k{IOnICD_^5zu5HyFCS~)PyCW zGxDh)4|nYvuzxS@2$pCx*cAXu);mlmO4dL`Q7Xr~kLOzA6fi^_ji*xnxLWV;1F_8T 
zZjJztq@1ZALv%aLsG4_}YmiK|%oVclvR+s2#&X=e0bR#62_z@_FaD&&;3BpmaUMjv zeug|OF_p8IO&x%4+y~)LC*rCT&?h?VpDEHz1D{xl$1a^n)imFLWECIIbW-f4>Y6Z{ zVm5^E*dL>6O=O<4-GgS@(0m@TgFih!h@rX30N%N=mq7F9ox3F9olbXF>B0i?`$rrpU!?ZwYLqkv={@$qru=KBPOX5xr6ddeI ztiXLSfB&CgGNM>=WlxsUUnYtu!b7)QsV{v!ksF>UDioavKrc>XL}QRs3Jf>c28TeF zt&}y<&YPk#U#!dLUs33h{Qy@U}JJ!GrQ}MCIRMpSXKANjx#X18D9r z5e+U$fE$Xe?;_+4Hp_!Am>2Q^=zSsD9~ag;<%91C5^czUq66ug^P?uSUAJ;wEz}C@iF5J0_r-7P~HcU z3A5`HG;A_9}z4Z@rPv_Q32B5Z*x!@i1uwiY)qad0k!w zj_MB}@?6dj891FC$ zRtDPloy#84zJ)8d9W17~YuZKcGl*8BLjY*BzMW8E=asKw?km?r#4tVNKC@HIX4aEX zayPQ*_8&F(xDX)nIuMrWW~P9M)3L$jnsEmOZ=S;4CPsm9Y>fDWzq$efzU2VQC8boqSQUfo~4@y zO$XZ=;Mk50sRDf{r8|V6f++5`bQ>OJH(on%eX9uwXQqHE)lC$PP(M@3N0mGP2%WS8 zFs)5?4`5$gpC@^Eo3WLO4HpTJHB(RG@s&LHLt72 zmV8lp z3mdx-&;-gF<+T6WIb}-?4wjpFwmH8!{MdXQ6(YC-eEd+%iKY1*uBCO1h0nkm{l6+N zAGkBb48NgP3e@sT#`V33?mVA+#p@>R>N$$FD-3GGV{V5oh~bj*t6au63(rLTON<$G zO#qIDSfdsChzU3v(WPa7_g8o`yTfxPX`dS9unvc>LgiOcT~ea5M{dfLH5*APZ_pqm zB*bZd5{3V7k!pBzG5M;}EDEo=lpy`wZ!mch%h^$cKRA|9>pSxEh7+>Ny9zH+ziH!t zIcgNl)b?e$SM@D7=?l7@q&(a#ap2)aBgO0n-w$_|S!b)MC#4eTd+`7-I-Ppso z(axm;;_AT0P$(e;OH^w(7`>zc9jfHMx1noHuzYfpweOdb~x@iK~eqw47$fYEfBJfov zJ-UXIJtqI&ur-;|Yj&~+iRlT{evBQ?3V$uyf3WZzpP2q|k!~;QaBfL?oT8+VHt*9e z&D>^X$n_F2^{D4_9tFj&^%bJ*<=Sd<7Zp%vR(;TlCr$}-Gv7SNkDpJ7-{1G&?V~Kd z`qyGBrTEh`ms#SzZ1j$1wgq4>x9chD^g4RRHm|ckSEPMj-I(q+Sm5M!u=>U4u1rNE zBewqT#|lV&RE7$g3927jLPTa{-y1A!{$6~H-`N7f!p_eFN^2)jH`v(R94~H9wq(IR z7kw%SX-oQh6a8i#m#j*-7+^uNX2PZtHTQQ*lZ6B~gYLdOq*A|Mk9p2zI3446zicY0 zkH3`YDENWKKwo0R2EIf{VCpilMe3ddnj(FE5wLgmqfD@%m&8SD-PFu>1sy;_6^FT|a66y+GTP3A^(JF8Ke#nCB73 z!bSJIdJxbumV>Dh!<;6ZU}^TAZ@7~s|Hp0yFp^yZl^t+}x5#D8%*-fTTIPmI(TO_c zs3Q4UiH%iN7-Hav4@xK6;xA1=$XLS>1l{l2?)*+OsJp%%l^;c=h*52esvP7f~9$( z;J>Y~L@tjyV^@V^fPR(Z%J*Qauv4Db33q?=MYKHW4Ce-zMPKjWDx z?n3NCQsVzV8(yEnEMta9cb@`!&W0nc>V-8#6*!N&+3^K#GeQu>k`sF(KRySHuc#~B)8=3kCHy} z;Nawp1EfK8CGUB#oLAVJ&4iy>NkBPUXj96V5$QWHVy~p#8H08i;}_z5Zri?`(B}Yc zorTH-5F$+z6ZL*rRM(l>MKwZhs|HctiodND$Zno&lzXYzEl4#Jq{TtAk6ozQ2Zj3G 
z4@;og2a+qF<0>Hu#p63^xB2Oz6L7M@?w$M{i8_t_NqNefD7_aBOu@u&oVf$|-Nohg zEZ2Y8ij!UYQ36d0{ltj<@vfA4sld=9Edrt|%-~y?{?va?zU9ivx5T9gOF+Im<1VrF z77S=TLN4}_Ym#@1Mzo}=e`|5@xnT53+;obF@V@`{*$r++Eu=k|4ijd_itPJtB`_Xu z5xa!2WrnZG=PoM^h)jAEgo=(Q8GO0HUP&hybC{H;{BtMJ$tn4*(|uoGb%CtSBi3fK z!6tLXj+0OhpsAUlBRQK~^FSQ@B$Mp-5w;_PAJHq| zyeO@`g&mSM!~E#{Cwc;n7{TIEDp1@0E3qb6aG=L_K%0o5{(1Y9VsA(=QqFf1YDI<+V%)4w8?6w%{KRk`Z*If-G)hM!g_t z6xAjbpmTa(`GC&5CiPv-e8cYa)Y0kbo>-PAH&7B=ZX64v>};>vWrL>+pR`zdl+xvT z550Y|i$K0)Q;nmx!p23eHge^LC%0h)R9Hctn>OpS4fay9YqBQ=d;jlxQ~RF&E;SV@ zmFk*Je4oV#@(r+0v%i{gc7F}RS#a~npe!A0AAuw%nIIvbv0tRi4WZ9DYBjC}#kKZw zu@c6b+{>d?LIX<^b$YxE{Mxf);=Efh3;cRJW;T+Jy?;x8dA_f%G$E>S@!F&0hd=0R zYYGb==xStgCQEEb1RKa}F*`2qs#~Hem~J`__bW$a&b>DhqFFoZh~j|kde!g0l1;w`_#|pJI%h6<_$60}<|U^4S!N}tsg5$n zY@Tc`rz6%=z-XTl=bmXTsBF!0PV)ZEvZ7Oyq zO-s8KAS;>G_;?gs^-6oqBX8nVv>uk${?3~fr}W_(DiMf#+Oe}dTi1$1x1G5mc5Qtq z`?bspgO|5{LWa~EJy(vRuhG`O0>Ga^7za?)=kO;4uLq?w0 z64f!D9?s1W50;CMyj=HdEb2=eh82fyk9_k*Zk(lyqzocoYFe zDN+@wqJ$z4Iz(FNih!ah5JHzGp(82+qJ(OQ1QiH|B1!^E6OW391PEON0+!HwKm>yV87BZwDpPzjEAw21tVqpA;jQX zm1p-2u_%85;(Evd5cu{dXJYq2haasBnrkjJGN{I(-QSHkXV-s4Ym%;u$vx5))y@@- z+P3Jw@`o2e-83*Y?(i@UiK9dkm{gbu2Qk)4jjd=mg3i;X(JWVsdIcs=C78~izqE=j z%p@mxfnxoKW&#!V+4U%ol{BzA^er>n=X~w&Ib!sJi!Ofo3Aaix;#0~}ktCv>=vYzLA!B)S%$IQR58M;30teu^c7w4}Lz-hcba&YhWw1NJTE${UJ( z1k`&XQe%0Ffa;JM|K$RU(GjH`Dkp6;A0Skc(=jnLVHM|9Pp<@+~EcU zIas72kzkBr?z%Mm_OAq6>wd~wVUw1hJ-st^Roc2aF%rm$tP9B& zz|cm`Rxrf-)C}0QylRri5Nz@WQK-;wbz133gFl2V)ZJ*-yEz6X%YNaMifj$uha5aB z#3A#d!ne^k8l@eXzbpLScrJv#^$9D%Bc0v=+6r)~NHX9Z9ja9hma1F69Dv6&}BXt@zSb zpK$zRN}c2ZUhwOAn;!&Uf$%~vQb^^(WJ;221i*q|USU7P+v$h|o$fFd!_HZd~k30AW@ntHpUI3zOIQ(bJG&b4e2)?a4FgGL^}>c-c#x1wAk7T?(I z7uOV3KY8LXXnUo6NfL=yh2`t11XNop)aZpU>JtTNO#>%S$BLZ}dj?-vuY55&*-KKO z3+m*A#JalvN^iMz>MS8V{AG8AquvwE3?6ILWho(t&)h60L!%F^2dLcJc6ZNGRUQD> zn`S#Of-Tpp8Vm`$BBK&IwFSurLd{o}q;puzw@)@$FP#>yC7(QmO36OS-K?5r@3=U1 zGGhjJl`EI$M1wi8g$KzK?b(y-n4W&w*;Ji{>s|R_K{wjC+govgEQS%BYUBl5v;JdA 
z>tz^WvjYk_yh8H9Ge=K=c!u07Jy1OLPpo~yma=ZPq)0VRMc;v2gt*t}iGVoinV=Oa zV=m!}8M)`s=~cF%6_$$h?hBB+It#N4&djVrZZyvolPSM84` zPFLHy3Lg&}ea+YTa_*wjvYz$BH5B8a^iP=wS(iMtP3UA!x{&S2y~lP2s{WlvR(!Wm zLBDa+?yTto_b-@TvqE!wy2>Sf_$ZtBN4TE^yu=!C- z0Ha>FY%63JlHvnDCz@M&zWjx$w!&OyIgFDRlRbw2uyKGYwmt7tt-9WT>yNUQaAYw< zrIT6X=|9raCiOO5VPOk0R;J#6Vo_#pKP9=10j|wX`o5cUo(fBSzItU+P`a#4G1p$p z5s@k`bnf?*+|W^T6Nf+EpWTOjk}#9ziNxOq`}wc**GyiPOj31cNn~)6a)=l9i@**2 zr}aJV_-!i;H)7!Zd|5O+)ztnH1f26{{gLd^3C`sT;kin$lp-6p$Cwn%1#9kHUW&f>I7jU6=F|OUSQp3#Tp3 zr0I}jP_#0~;`{aRfahOUT@D_kLKtDz|8-d%pFfsu>GAb`Wu*-UE&4Pw8MFpC9tD3S z3E~cnE7#jj$|eJ@9X@vD!Yy36B0IQPG>9fPs_WVo>D!GX`ao{K zPkJ&oV=pGVbMoW+1K@OE09J7d0x5>z@xMxZ+l?WzX^6X;$9sH4)J>syKh|ks5Bs!V zRKg^B?e4-GrT$kI6e_v8+!+^nu5e%e@3=B2iheHWJxb{D85y%hbdMLMD^}YfwAOMZ#Jz+KZ5%=Yv;#;yX&z7`e zLWDWg7gz`oIqMUSjXVR5K)GErQBulcqVluey)%?KcZa+C7~^UY?EDFaYA3yBeshfP z2A*4`csV&!r|(jhy>LnOn}=^A<7qbe#s068NmxD9elY)8$}_gpwwrRA^_i-5Ys)Bounf0ry}soHOEGt8wi zSWi7qK%SwsRhTDwCj8X+qV=m$L3WGZyUhIkV5F83c$W`Qvy2SQ-&JNgX?dPor9U$x zG>KpYEvz*2^(H@|5lHn20FED!mL+Qk`# zqJmi!wxx0^f7dhRER;IGWx*$@VJ8X&DdI;&D6;~;2c8qK_Bs*-N0%B%yqMC@u;zWWM$*v{5gvT?ad z*?q7cQ|a^h`Dp8}t zsX< zov631W_RGh5He2DPdiKoo~&V=O-F-9WlauuLdV(-v_dD24b+BaB#K2)O|=dMfyz>P z3o*tjUw7cHHd4F?!~ud5)Ea+#>;Fiw0^6aUx#qWcvG(IY!0-oYhVSA-LMAC^!NGFi z%hnwBednl#Mze^>mJF|zJeF#&>eok98ZE!E>2}NoS?t%FS&io9eBt*(4!??_P+^hz z!S^09F2t*svo_n6s;9C19fMb-d&{nr`ma|Z)mv5B6r>I&xc{t6tHGY}ALxEDA`WLxX{R_`Tc47rLH?BJr~@fLNL1T0h1JIaLC@6(45g>!{^$P8LdjOtrS$ zC-I#yxaH`+lOovOH-0YGtwJnZ@tuT^A0#0E5gJJ#WtyL5F~QNZmhKl~Vq#=VkS4g^ zjRNrvSxRFrY_$xuHw>Dt`kWknzJOMCOhhZhOLn4VzfcEC3WOlnAnpsCRM-e7SN+-T zB|}Ry?2c0x0FU);&oYw093x*S_M7-)v!hd8dI?TG;axISIsQ0*YETKv({2oOTN7Ms z?6NKK@*4NW1p2Ni0Z`j9(WPoraghqExW_g9>^`)NSkT61KQ0~hY9I`c^^QO%KSLCu zSx&$yfub5>YB-{V7+jx*8efT2>_rotYg1K%3GiHkGwd=CTXCU<#K)<|$IXr?Ainv$ zsKYLkF^mH5EDO$2(M*0Mo~F7}pHL(u+f-vHK}}&!uyBZ*Olk#qlc*K38$RT-PER8V zJqIzK!?+o;AdVoU;AgKV4iA5kipiHK;N#&yP$?6HuQM$p8~(r9ars@;FOH<}FkaIjkDaFs1?M1q}|C 
z)7NKF7-@D(&im}(RL|4+Jjok~H|V{ptH^?mAWb!LEtZ-MPl4})X_JThovW0L5c^e5 z#7&sx{TBWg_9SXr4|OX~q49OJu-vtD=8)y&3IGwqy_-f)uLctCV_FaC6uQ&O%Dx*C zJof1vGLn$lhR3eF|7Um%=h$X=1Hb79d!s1|F6nvi@Q z{%TPhS|dyJ3dSpJhY{ZR58L4MxUNq)r0IJb%MH!xp|ro(?tYW64We^sqdj`)4cJ#z zGx@x(MGwob1a1jIXgwL@aOdEF)F@?E_JMMgB|zL0<2?# zrk=^(lmI_NI;Qv(Nv~eY3t}%>UV16TpzQZ>+vQp<{W}e{ zxw#hCyL+2Ub2^1mZvafSis9Qywr|r!k4jYE&PvY?PW0gG>xPyf45ydg*_ZRZ!9R26 zQk~4AF9lzv^xv4POgi0|gG#ovA>MZY`~xyef>E5Hk4BTeg67J^XV89-Rcpjl$^($) zPnsGIQ2*RU(k(5j-XMeFgfbYa+rCg9kZ#QHGoQWC@`uN~vt&M;#ENF&e z4)BQSQzhJsi?u@`ZXdOU0I^`tmv<91KD(N99OV19mm+C5=wEjQzmsa6%0H}>C!UQM zzxTD%%7-@6ZUAsZ~^2io*_or=*sybwyr|{aHaJJH#z0 za&dyP6kxWm*yqlG6cBgpn+c}+zj28{?>z=Qe%(oZ0&x9iEnu_~o>{o9y^wve`Exew zL{7!2AwY~t9S#{gAc!F{ehcfIcO_^zS_LpWqh5LbB(`q|=Mh6MYdob!5%sR*@ddO| zVH>)A3pmlb@CidglTlJ+CGxS$D}Q#MPlZRFP&Y4!(YMz>@58XD-zAsosv((3=dVn< zjwHhu0(&jE7}CZwm*VG4R_yd@&*@z_8X0|jDY2Ck&r>_vrPEoklm%LkxwffxTtMUH zSEZ!C+u=Objvo1z8IF}Bk-G6MWMPbY_{V^BOeP8t3OU?kf1LptP!K63_Anid-xSkx zhN$7VxX&!+OhaUm#q66PdZ<2Be@*s=b#O}eaSeg`aadcx)?5^?pHe{s{muqRP7Tn zw0j=iUoCW`YPnRO(8NfFiU8cI{$DQuhPh=)QTxET3F za|r=>wGYMw9YE(|rCMnJqTg=)wj(nx_tlX3Vq9y}P_DxJ`an4)92YkL=_&KZbANx^ zQ32?kXK?!@)rIf;0vN$r0xCC`^wgYJ;GypIJB#(CM6hFW<~s4`*ukqH$31Q2vvihB z%2jVt?M3537H=wBUP+`N@i!ypu6R7uZ~0hnMDPH)H6S>e`2kt6T^x^pB>7DZBZ$$D zvnMDyy)iuh+~u%&4`oP4cV0JxhW2=P6s}OU$k?~AP&Aw6c*F@T;)%K&iKz>$C$H!x zqhYGHKIbW#0Wa9TZOhl$3oicqO0A`tebwH#;dGov;(aif0dyQ^L?6^B7arZ`iDX-9 zEIPjQus;>h=<%?=W<0gMIY+(7-d;0c2G$-`y!!y4Glr%-Jgt9F(71rD1*N3w`8UK= zZ~4(Fq2QKHRK$c&y41J0Mu{EL4giT3{az-jW7D_)$!6yHl!vM;t6 z2qYzhIH_d!XY+poV%MGvFcM$y!n-KQR9Ui})Ek!_WIkCsWGwa^cc!#bQ@J zEvP!f9S_bPp}vjZ*@Vb73Db4~Y~zmy+5Y36(KQb0Y{eV|{*B?=EiT}U#f>6><-N9i z>%&%5*`+e5!*~?=kcr$nY=u)?(pfi^ZRiv_Du`(u7;TZ;cbkORv18wWnX!QbQ`Jv3 z7v2@!_GO`EILT}ts=dJx65Jrp0W7=rI(kTyg_})G+pjNC41!jW_v>-6 zvmotHfOKHf2@8}~mkMy$*3x@kkNIvnPhJX`4CnC?xDE`!PUL3_9|~LS=S?HdI0BA! 
zkfYFx{oKZT&E{FlT5E{xzk?A%#p@Ek`@ID!>O4it6kvz*MA!;e6v)!tzyz0@_mX75P&)oZbS^fYXOJM-x% zt3^Ej(A9$CFkOf@W2!`a7zpy&l6=C@RT`3pA{B&U7(aB%z5%om)b-7^a>h%dw&9#$^gInAdV*pdu1P>@U`eTf@yWAQBfT}5JgBpFhY;yL=<8H9k|kX9c(6Dp z`HVv6Hb^-_mQuC@;%Z`)ivU}(>jQ}wXw7Z|8uL&D95O{N0N@tg?!!a7FgZG*!Oav> z(9f~cD)paJI~#l)t=kT>a3>OPLub3|9!pcgcuF%o59`SrCHrH8`)*`@I;<;`_&`+f zkg>S$z}2U3tWKUWAzZFC%vDDVrk_)%O#(XY)`x#!3)lY(Y-urn{(k{2N`0zH#|L~d z#gEo?7QlHMx>3!bNFkA?1{SjHNih%~y;TM_&`c+zP}%0788JZ&bRI8GO#BEvfYi4` z7$Oy7HR}P}CjFPg<6kpOMxna5arQ!^nls>YddtwT3@y!Zf?Sa6r?wFxm%-`>)pwpY z0o>OYRV+nAWN1pib;#aer_=8pNs(bt+O$8Vp1N5cvr%u;{|No4d4F`_vy}7u(fH=h zVNGC>j=;?ag|f!~#>&bdShGN|zH5Wems7&N6W=iXr~GEs_sUNJqOfS8lg78RTpjm` z_)EQ6tYi@S>TCWXdPI9;MdW%<>0RD@J)!n;iL_if?8W*5Vxdu}HwP5p+Vs#T9>9N5 zx=ZcPf@uGla{N4KyFOHO(mCg|0h>#L;V8;^`!|94ese5$DJyYdW z%!V4di1btyN8R|ciEi8I7W^B&tXu8AY_FcUzxKWHo$(vWZz%9%y-%kx>a$O7Bc7We zo)oEIDT5HclA5}jbsLzo3S`bTraLg%DFs&fAeFhr?e0QAN3i}ODz6=5zCd>kPo%^G z(rxzPX59L0qB!jb$=-4+B2`EMHlvu1|1@-1=F4K;(>FuJf-iJhO|wye#?UYE*oqZz zz;*S|$SG^QX{9GONiFy@l9q!F)ouxyCtao5D6M<7Lbw$yJcc6st8pkYMv_r!mR}2Q zLV|BD8BQjp^)$m!t3~$>2DCz3Wwv}iSKODQIuMY675An3%8wDOmrNfFI_5gqMrw8$ zUn}xMq};Lyv-+S_CgF?$&R%Xo6xdrSFtQpg_9ED-a2Ky%J?!LesrCrV=b7&{1x~eq=FOt`~AIaEd`7!(v$LT7#ktp&tLGd72ngXS@LtOh^v+cRCVDu>*J zCBw$3d@mU$Ge#o^gH|uq15WR~cRH$1w)pV^ZOQ=XwT^l11{&ZSoH2k$2VjiB-C)LJ1^r!7P=&(QZP>$GQhd3Xx^5DY+zdG43t_G;1|;=BJ? 
z-bgLj08Us2yg@2v_*#IOF7s2X;VJicf|F0~Dk0(XfHYsXqAW9|ZCaLBX`?adai!hI zKVLHoF=QylVi$9lc>pSP3fW@`3`C9N%0DybHN<&X;+x zr9VJOCcrU7E zy_P?ol;1|jyep3J-<7Mwq53yiK=fO;61Yk_Pv#y2Z(0$l?LByk{QwmWe|y~J0er$~ zPS@!E=qG}SEB!U<~?EV^y%R2C|tsc*rOSE_xZOKJ)3 zV{3Du@3SxMT5#)MJ0j4={a@mDT4LIE?gg(RakuE08wZ36L(j}IMv@)@A^30IK;Uyg zPZ6%l>VooQ5Asj>Ek_2nI7!(I5bE8iT0w_^(0*P_@(Ma;@DI9@p}| z*Ijasp2y=YTg7gdBzJ6rYI;jjcGuajlEJZCmR_?jsLxIxy6opt#j{5x%VDWyHILMU zs~)enrazpU6AfncyHwvA7`0rh|Ft^lJ}|W9wqK&1jsd4oA7gBTspL>LN=DKVh-N0n z?T6Eg3C-?R-Ozq!i8QX85)5C;!-3@?L?F6b$T0$}ekVPn6RiFX2r&;^jDy+S!CfZY zZrwNZ#RAA=>~=&5H0;Gj5_VM=@Eu+I@piNl-F$Ui{YK355L^s!MW7t3e}IMa36xzv z0wIQ7z(7xcFM6qhe&9W*G`#YYmDIVuyS!*#$gk2aRz|+{9Hx3{qqTDFeYssYW7+Zw zaa)8KFEh71Kxe%Z8*ScG^?)}-Z~Wo}*Zr84toqui(3+J^G16hg9tdfvKyMib)!}ay z&F{mG)X~@>Sx5@gsBJj;KoXL|unO}Jnp=F#WV;}y4PIZ&Dh%qZmjF(f$FjeNC?sk(?{ zUfh~93i|$YFYDHNRE2s*7^E+n+ZV5~xn4cBMKSCP@tVe~cePI)_)_mys`_^c_k5VJ zemQjG`~YxS960g{0HPYRZwW=#wC{c{NxFO6=X|=I2F{lcC+Y-n+fZG@l5_V z^$PwkHP;iSnDtI=3Y+DQc+)!Qy5;n@eWU8M(MW~imMz`)In%`*GXmkG6|;0RkQb~g z>>a28?T5jIg-Kv4{tjc@y79EwXsLhXPKJ+H!e5_zG`-v(F&;Q;+`KkO(w*6ZgoJ9} zkeszk%vd!)Sv{}Mo%nr)=bWVHzUx)f8}$Ylt|%uF4tany(~pBW$QEUQiPJRG-_@sG zblh&MZYXOO^eBydyy7J|CWaEPxTLUKZ_TnzRG0JmNWsej5_o?axkcfD7d96^c$4ss zpQd6zj^j6l^)#GINx8KQ=69MjI|W~BzVS!sz_U9lP(t|{0WhktGY=T_rltOp{@PfL zp6LR)EgMnpVi98y-`y4<0a}9b1igyxc~w#(zf$=l&LK0a`AxZt$5MYlGuqL$RSfk; z*hCm0xn*1&G0;CI7*9F#(;XdTE{$%N<;9MSav)z!%eU;GD$Qi)t+{_%0}akJ%T0SM z(uEm3Gmwe9C2azI0SJ%$6hvRqJ{c6?Foiqu=yG*|RSs0e^ zNBR(375(*%jnzzNmc3en_SZ$QH)c+jL&x|Eo%q1x(})W5a*Y1{nE9-;F6QJ;Muu|VYLiPW+ true }, + local.versions.locals.enabled_modules, + local.module_overrides + ) module_name = basename(get_original_terragrunt_dir()) + module_overrides = local.cluster_vars.locals.module_enablement_overrides organization = local.common_vars.locals.organization state_bucket_prefix = local.common_vars.locals.state_bucket_prefix state_table_name = local.common_vars.locals.state_table_name 
From 1e8d5ad06912a984fc4839e4f9ac752ac08dd367 Mon Sep 17 00:00:00 2001
From: "Matthew C. Morgan"
Date: Wed, 16 Apr 2025 20:39:50 -0400
Subject: [PATCH 054/126] add enterprise ecr stuff
---
 lab/_envcommon/common-variables.hcl | 8 ++++++++
 lab/_envcommon/default-versions.hcl | 20 +++++++++----------
 .../vpc/csvd-platform-lab-mcm/cluster.hcl | 2 +-
 .../eks-cert-manager/terragrunt.hcl | 1 +
 .../eks-config/terragrunt.hcl | 1 +
 .../eks-dns/terragrunt.hcl | 1 +
 .../eks-gogatekeeper/terragrunt.hcl | 1 +
 .../eks-grafana/terragrunt.hcl | 1 +
 .../eks-istio/terragrunt.hcl | 1 +
 .../eks-k8s-dashboard/terragrunt.hcl | 1 +
 .../eks-karpenter/terragrunt.hcl | 1 +
 .../eks-keycloak/terragrunt.hcl | 1 +
 .../eks-kiali/terragrunt.hcl | 1 +
 .../eks-loki/terragrunt.hcl | 1 +
 .../eks-metrics-server/terragrunt.hcl | 1 +
 .../eks-otel/terragrunt.hcl | 1 +
 .../eks-prometheus/terragrunt.hcl | 1 +
 .../eks-tempo/terragrunt.hcl | 1 +
 lab/root.hcl | 1 +
 19 files changed, 35 insertions(+), 11 deletions(-)
diff --git a/lab/_envcommon/common-variables.hcl b/lab/_envcommon/common-variables.hcl
index a6369273..3979206c 100644
--- a/lab/_envcommon/common-variables.hcl
+++ b/lab/_envcommon/common-variables.hcl
@@ -20,4 +20,12 @@ locals {
 "us-gov-west-1" = "vpc-08b7b4db6a5ddf9c1"
 }
 }
+ enterprise_ecr_account = {
+ lab = {
+ account_id = "269222635945"
+ }
+ prod = {
+ account_id = "067074201825"
+ }
+ }
 }
diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl
index 37f1b7c7..62c84e90 100644
--- a/lab/_envcommon/default-versions.hcl
+++ b/lab/_envcommon/default-versions.hcl
@@ -10,6 +10,7 @@ locals {
 istio_ingress_version = "${local.release_version}"
 release_version = "mcmCluster" # "main"
+ #####################
 # Module Enablement
 #####################
@@ -21,6 +22,7 @@ locals {
 "eks-config",
 "eks-metrics-server",
 "eks-cert-manager",
+ "eks-istio",
 "eks-dns",
 ]
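Review bot: The new `enterprise_ecr_account` map in common-variables.hcl carries no comment saying what the two account IDs are for, although root.hcl later in this commit feeds the `lab` one to fifteen modules as `eecr_account_id`. Judging by the name these are the accounts that own the enterprise ECR registries, so a mistyped ID would presumably point every module at another account; a comment such as `# Enterprise ECR registry owner accounts, keyed by environment` above the map would let the values be checked against an authoritative list. The `prod` entry sits under `lab/_envcommon` but nothing in this commit reads it, because root.hcl selects `.lab.account_id` by literal key. The enclosing `locals` block starts outside the hunk.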
@@ -28,17 +30,15 @@ locals {
 enabled_modules = {
 "eks-arcgis" = false
 "eks-gogatekeeper" = false
- "eks-grafana" = true
- "eks-istio" = true
- "eks-k8s-dashboard" = true
- "eks-karpenter" = true
- "eks-keycloak" = true
- "eks-kiali" = true
- "eks-loki" = true
- "eks-otel" = true
+ "eks-grafana" = false
+ "eks-k8s-dashboard" = false
+ "eks-keycloak" = false
+ "eks-kiali" = false
+ "eks-loki" = false
+ "eks-otel" = false
 "eks-postgresql" = false
- "eks-prometheus" = true
- "eks-tempo" = true
+ "eks-prometheus" = false
+ "eks-tempo" = false
 }
 #####################
diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/cluster.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/cluster.hcl
index 3b78febd..6ae2809c 100644
--- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/cluster.hcl
+++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/cluster.hcl
@@ -11,6 +11,6 @@ locals {
 "cluster:size" = "min:${local.eks_ng_min_size}-max:${local.eks_ng_max_size}-desired:${local.eks_ng_desired_size}"
 }
 module_enablement_overrides = {
- "eks-arcgis" = true
+ "eks-arcgis" = false
 }
 }
diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl
index bee2ddb9..cfb86823 100644
--- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl
@@ -50,6 +50,7 @@ inputs = {
 account_id = include.root.inputs.aws_account_id
 profile = include.root.inputs.aws_profile
 region = include.root.inputs.aws_region
+ eecr_account_id = include.root.inputs.eecr_account_id
 # Cluster Configuration
 cluster_name = dependency.eks.outputs.cluster_name
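Review bot: `"eks-karpenter"` is dropped from `enabled_modules` in the third default-versions.hcl hunk, while the second hunk adds only `"eks-istio"` to the list at line 22, so unless `eks-karpenter` is already in that list above the hunk it is left with no enablement entry at all. If it is meant to be off, keep that explicit with `"eks-karpenter" = false`; otherwise add it next to `"eks-istio"`. The same hunk switches `eks-loki`, `eks-prometheus`, `eks-otel` and `eks-tempo` to `false`, which by their names are the logging and telemetry modules, so a cluster appears to get none of them unless its `module_enablement_overrides` turns them back on; a comment above `enabled_modules` stating that these defaults are opt-in would make that visible. The `locals` block continues outside the hunk.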
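Review bot: `eecr_account_id` is added without a comment and at a different position from file to file: after `region` in this eks-cert-manager hunk and in eks-config, eks-dns and eks-karpenter, after `account_id` in eks-grafana, eks-istio, eks-kiali, eks-loki, eks-metrics-server, eks-otel, eks-prometheus and eks-tempo, and next to `cluster_domain` or `cluster_name` in eks-gogatekeeper, eks-k8s-dashboard and eks-keycloak. Placing it directly after `account_id` everywhere, with a trailing comment such as `# enterprise ECR account`, would make it easier to confirm that no module was missed. The `inputs` block starts before and ends after each of these hunks.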
diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl
index 49e0ea2f..3d02850c 100644
--- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl
@@ -53,6 +53,7 @@ inputs = {
 account_id = include.root.inputs.aws_account_id
 profile = include.root.inputs.aws_profile
 region = include.root.inputs.aws_region
+ eecr_account_id = include.root.inputs.eecr_account_id
 # Core Cluster Configuration
 cluster_name = dependency.eks.outputs.cluster_name
diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl
index 62d93aff..5ffff3ea 100644
--- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl
@@ -56,6 +56,7 @@ inputs = {
 account_id = include.root.inputs.aws_account_id
 profile = include.root.inputs.aws_profile
 region = include.root.inputs.aws_region
+ eecr_account_id = include.root.inputs.eecr_account_id
 # Cluster Configuration
 cluster_name = include.root.inputs.cluster_name
diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gogatekeeper/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gogatekeeper/terragrunt.hcl
index 184876db..830e6645 100644
--- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gogatekeeper/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gogatekeeper/terragrunt.hcl
@@ -72,6 +72,7 @@ dependencies {
 inputs = {
 # Base Cluster Config
 cluster_domain = dependency.eks_dns.outputs.cluster_domain
+ eecr_account_id = include.root.inputs.eecr_account_id
 namespace = include.root.inputs.namespaces["gogatekeeper"]
 profile = include.root.inputs.aws_profile
 region = include.root.inputs.aws_region
diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl
index 850d726e..79877700 100644
--- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl
@@ -87,6 +87,7 @@ dependencies {
 inputs = {
 # AWS Configuration
 account_id = include.root.inputs.aws_account_id
+ eecr_account_id = include.root.inputs.eecr_account_id
 profile = include.root.inputs.aws_profile
 region = include.root.inputs.aws_region
diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl
index 7b4817b1..5aa93f0f 100644
--- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl
@@ -42,6 +42,7 @@ dependency "eks" {
 inputs = {
 # AWS Configuration
 account_id = include.root.inputs.aws_account_id
+ eecr_account_id = include.root.inputs.eecr_account_id
 profile = include.root.inputs.aws_profile
 region = include.root.inputs.aws_region
diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl
index 65b3bd37..9d234110 100644
--- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl
@@ -57,6 +57,7 @@ inputs = {
 # Cluster Configuration
 cluster_domain = dependency.eks_dns.outputs.cluster_domain
 cluster_name = dependency.eks.outputs.cluster_name
+ eecr_account_id = include.root.inputs.eecr_account_id
 # Dashboard Configuration
 service_name = include.root.inputs.dashboard_hostname
diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl
index e53c67fb..83f3c5c8 100644
--- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl
@@ -49,6 +49,7 @@ inputs = {
 account_id = include.root.inputs.aws_account_id
 profile = include.root.inputs.aws_profile
 region = include.root.inputs.aws_region
+ eecr_account_id = include.root.inputs.eecr_account_id
 # Cluster Configuration
 cluster_endpoint = dependency.eks.outputs.cluster_endpoint
diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl
index 6a2248f5..c2d06b7e 100644
--- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl
@@ -60,6 +60,7 @@ dependencies {
 inputs = {
 cluster_domain = dependency.eks_dns.outputs.cluster_domain
 cluster_name = dependency.eks.outputs.cluster_name
+ eecr_account_id = include.root.inputs.eecr_account_id
 namespace = include.root.inputs.namespaces["keycloak"]
 # AWS Configuration
diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl
index 88980859..d6699081 100644
--- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl
@@ -107,6 +107,7 @@ dependencies {
 inputs = {
 # AWS Configuration
 account_id = include.root.inputs.aws_account_id
+ eecr_account_id = include.root.inputs.eecr_account_id
 profile = include.root.inputs.aws_profile
 region = include.root.inputs.aws_region
diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl
index a0226b36..74630eac 100644
--- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl
@@ -51,6 +51,7 @@ dependencies {
 inputs = {
 # AWS Configuration
 account_id = include.root.inputs.aws_account_id
+ eecr_account_id = include.root.inputs.eecr_account_id
 profile = include.root.inputs.aws_profile
 region = include.root.inputs.aws_region
diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl
index 1d784c62..4a4f34ec 100644
--- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl
@@ -40,6 +40,7 @@ dependencies {
 inputs = {
 # AWS Configuration
 account_id = include.root.inputs.aws_account_id
+ eecr_account_id = include.root.inputs.eecr_account_id
 profile = include.root.inputs.aws_profile
 region = include.root.inputs.aws_region
diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl
index ee0497bf..d1bcdb8e 100644
--- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl
@@ -65,6 +65,7 @@ dependencies {
 inputs = {
 # AWS Configuration
 account_id = include.root.inputs.aws_account_id
+ eecr_account_id = include.root.inputs.eecr_account_id
 profile = include.root.inputs.aws_profile
 region = include.root.inputs.aws_region
diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl
index 11c72624..551e2abb 100644
--- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl
@@ -51,6 +51,7 @@ dependency "eks_config" {
 inputs = {
 # AWS Configuration
 account_id = include.root.inputs.aws_account_id
+ eecr_account_id = include.root.inputs.eecr_account_id
 profile = include.root.inputs.aws_profile
 region = include.root.inputs.aws_region
diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl
index 6b7fcb41..d2bdc318 100644
--- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl
@@ -55,6 +55,7 @@ dependencies {
 inputs = {
 # AWS Configuration
 account_id = include.root.inputs.aws_account_id
+ eecr_account_id = include.root.inputs.eecr_account_id
 profile = include.root.inputs.aws_profile
 region = include.root.inputs.aws_region
diff --git a/lab/root.hcl b/lab/root.hcl
index 43ee0ef8..4ea23326 100644
--- a/lab/root.hcl
+++ b/lab/root.hcl
@@ -31,6 +31,7 @@ locals { aws_region = local.region_vars.locals.aws_region cluster_name = local.cluster_vars.locals.cluster_name environment_abbr = local.account_vars.locals.environment_abbr + eecr_account_id = local.common_vars.locals.enterprise_ecr_account.lab.account_id finops_project_name = local.common_vars.locals.finops_project_name finops_project_number = local.common_vars.locals.finops_project_number finops_project_role = local.common_vars.locals.finops_project_role From 8f00b5c7c027c819815904592a8cdc1688530d8b Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Wed, 16 Apr 2025 20:40:11 -0400 Subject: [PATCH 055/126] fmt --- .../us-gov-east-1/vpc/csvd-platform-lab-mcm/cluster.hcl | 2 +- .../csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl | 6 +++--- .../vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl | 6 +++--- .../vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl | 6 +++--- .../csvd-platform-lab-mcm/eks-gogatekeeper/terragrunt.hcl | 8 ++++---- .../vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl | 6 +++--- .../vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl | 6 +++--- .../eks-k8s-dashboard/terragrunt.hcl | 4 ++-- .../csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl | 6 +++--- .../vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl | 4 ++-- .../vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl | 6 +++--- .../vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl | 6 +++--- .../eks-metrics-server/terragrunt.hcl | 6 +++--- .../vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl | 6 +++--- .../csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl | 6 +++--- .../vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl | 6 +++--- 16 files changed, 45 insertions(+), 45 deletions(-) diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/cluster.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/cluster.hcl index 6ae2809c..c64bdb5b 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/cluster.hcl 
+++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/cluster.hcl @@ -11,6 +11,6 @@ locals { "cluster:size" = "min:${local.eks_ng_min_size}-max:${local.eks_ng_max_size}-desired:${local.eks_ng_desired_size}" } module_enablement_overrides = { - "eks-arcgis" = false + "eks-arcgis" = false } } diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl index cfb86823..3b434957 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl @@ -47,9 +47,9 @@ dependency "eks" { inputs = { # AWS Configuration - account_id = include.root.inputs.aws_account_id - profile = include.root.inputs.aws_profile - region = include.root.inputs.aws_region + account_id = include.root.inputs.aws_account_id + profile = include.root.inputs.aws_profile + region = include.root.inputs.aws_region eecr_account_id = include.root.inputs.eecr_account_id # Cluster Configuration diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl index 3d02850c..fa63483f 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl @@ -50,9 +50,9 @@ dependencies { inputs = { # AWS Configuration - account_id = include.root.inputs.aws_account_id - profile = include.root.inputs.aws_profile - region = include.root.inputs.aws_region + account_id = include.root.inputs.aws_account_id + profile = include.root.inputs.aws_profile + region = include.root.inputs.aws_region eecr_account_id = include.root.inputs.eecr_account_id # Core Cluster Configuration 
diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl index 5ffff3ea..f9ca879b 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl @@ -53,9 +53,9 @@ dependencies { inputs = { # AWS Configuration - account_id = include.root.inputs.aws_account_id - profile = include.root.inputs.aws_profile - region = include.root.inputs.aws_region + account_id = include.root.inputs.aws_account_id + profile = include.root.inputs.aws_profile + region = include.root.inputs.aws_region eecr_account_id = include.root.inputs.eecr_account_id # Cluster Configuration diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gogatekeeper/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gogatekeeper/terragrunt.hcl index 830e6645..7584cb59 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gogatekeeper/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gogatekeeper/terragrunt.hcl @@ -71,11 +71,11 @@ dependencies { inputs = { # Base Cluster Config - cluster_domain = dependency.eks_dns.outputs.cluster_domain + cluster_domain = dependency.eks_dns.outputs.cluster_domain eecr_account_id = include.root.inputs.eecr_account_id - namespace = include.root.inputs.namespaces["gogatekeeper"] - profile = include.root.inputs.aws_profile - region = include.root.inputs.aws_region + namespace = include.root.inputs.namespaces["gogatekeeper"] + profile = include.root.inputs.aws_profile + region = include.root.inputs.aws_region # Gatekeeper Config gogatekeeper_tag = include.root.inputs.gogatekeeper_tag 
diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl index 79877700..a897c120 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl @@ -86,10 +86,10 @@ dependencies { inputs = { # AWS Configuration - account_id = include.root.inputs.aws_account_id + account_id = include.root.inputs.aws_account_id eecr_account_id = include.root.inputs.eecr_account_id - profile = include.root.inputs.aws_profile - region = include.root.inputs.aws_region + profile = include.root.inputs.aws_profile + region = include.root.inputs.aws_region # Cluster Configuration cluster_name = dependency.eks.outputs.cluster_name diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl index 5aa93f0f..fc885a32 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl @@ -41,10 +41,10 @@ dependency "eks" { inputs = { # AWS Configuration - account_id = include.root.inputs.aws_account_id + account_id = include.root.inputs.aws_account_id eecr_account_id = include.root.inputs.eecr_account_id - profile = include.root.inputs.aws_profile - region = include.root.inputs.aws_region + profile = include.root.inputs.aws_profile + region = include.root.inputs.aws_region # Cluster Configuration cluster_name = dependency.eks.outputs.cluster_name diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl index 9d234110..84dab133 100644 
--- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl @@ -55,8 +55,8 @@ inputs = { region = include.root.inputs.aws_region # Cluster Configuration - cluster_domain = dependency.eks_dns.outputs.cluster_domain - cluster_name = dependency.eks.outputs.cluster_name + cluster_domain = dependency.eks_dns.outputs.cluster_domain + cluster_name = dependency.eks.outputs.cluster_name eecr_account_id = include.root.inputs.eecr_account_id # Dashboard Configuration diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl index 83f3c5c8..8ca10b60 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl @@ -46,9 +46,9 @@ dependency "eks" { inputs = { # AWS Configuration - account_id = include.root.inputs.aws_account_id - profile = include.root.inputs.aws_profile - region = include.root.inputs.aws_region + account_id = include.root.inputs.aws_account_id + profile = include.root.inputs.aws_profile + region = include.root.inputs.aws_region eecr_account_id = include.root.inputs.eecr_account_id # Cluster Configuration diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl index c2d06b7e..51def6d8 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl 
@@ -58,8 +58,8 @@ dependencies { } inputs = { - cluster_domain = dependency.eks_dns.outputs.cluster_domain - cluster_name = dependency.eks.outputs.cluster_name + cluster_domain = dependency.eks_dns.outputs.cluster_domain + cluster_name = dependency.eks.outputs.cluster_name eecr_account_id = include.root.inputs.eecr_account_id namespace = include.root.inputs.namespaces["keycloak"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl index d6699081..05e4ff72 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl @@ -106,10 +106,10 @@ dependencies { inputs = { # AWS Configuration - account_id = include.root.inputs.aws_account_id + account_id = include.root.inputs.aws_account_id eecr_account_id = include.root.inputs.eecr_account_id - profile = include.root.inputs.aws_profile - region = include.root.inputs.aws_region + profile = include.root.inputs.aws_profile + region = include.root.inputs.aws_region # Cluster Configuration cluster_domain = dependency.eks_dns.outputs.cluster_domain diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl index 74630eac..36d44b24 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl 
@@ -50,10 +50,10 @@ dependencies { inputs = { # AWS Configuration - account_id = include.root.inputs.aws_account_id + account_id = include.root.inputs.aws_account_id eecr_account_id = include.root.inputs.eecr_account_id - profile = include.root.inputs.aws_profile - region = include.root.inputs.aws_region + profile = include.root.inputs.aws_profile + region = include.root.inputs.aws_region # Cluster Configuration cluster_name = dependency.eks.outputs.cluster_name diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl index 4a4f34ec..ede644a1 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl @@ -39,10 +39,10 @@ dependencies { inputs = { # AWS Configuration - account_id = include.root.inputs.aws_account_id + account_id = include.root.inputs.aws_account_id eecr_account_id = include.root.inputs.eecr_account_id - profile = include.root.inputs.aws_profile - region = include.root.inputs.aws_region + profile = include.root.inputs.aws_profile + region = include.root.inputs.aws_region # Cluster Configuration cluster_name = dependency.eks.outputs.cluster_name diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl index d1bcdb8e..e52ef7aa 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl 
@@ -64,10 +64,10 @@ dependencies { inputs = { # AWS Configuration - account_id = include.root.inputs.aws_account_id + account_id = include.root.inputs.aws_account_id eecr_account_id = include.root.inputs.eecr_account_id - profile = include.root.inputs.aws_profile - region = include.root.inputs.aws_region + profile = include.root.inputs.aws_profile + region = include.root.inputs.aws_region cluster_name = dependency.eks.outputs.cluster_name namespace = include.root.inputs.namespaces["otel"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl index 551e2abb..355fd035 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl @@ -50,10 +50,10 @@ dependency "eks_config" { inputs = { # AWS Configuration - account_id = include.root.inputs.aws_account_id + account_id = include.root.inputs.aws_account_id eecr_account_id = include.root.inputs.eecr_account_id - profile = include.root.inputs.aws_profile - region = include.root.inputs.aws_region + profile = include.root.inputs.aws_profile + region = include.root.inputs.aws_region # Cluster Configuration cluster_name = dependency.eks.outputs.cluster_name diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl index d2bdc318..f3cafec0 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl 
@@ -54,10 +54,10 @@ dependencies { inputs = { # AWS Configuration - account_id = include.root.inputs.aws_account_id + account_id = include.root.inputs.aws_account_id eecr_account_id = include.root.inputs.eecr_account_id - profile = include.root.inputs.aws_profile - region = include.root.inputs.aws_region + profile = include.root.inputs.aws_profile + region = include.root.inputs.aws_region # Cluster Configuration cluster_name = dependency.eks.outputs.cluster_name From ad5313174d3315500b4090937221f1afad5bc9b3 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 17 Apr 2025 01:18:32 -0400 Subject: [PATCH 056/126] wip --- .github/platform-tg-infra.code-workspace | 3 ++ lab/_envcommon/common-variables.hcl | 10 ++--- .../vpc/csvd-platform-lab-mcm/cluster.hcl | 5 +++ .../eks-dns/terragrunt.hcl | 2 +- .../eks-metrics-server/terragrunt.hcl | 1 + lab/root.hcl | 37 ++++++++++++++++--- 6 files changed, 45 insertions(+), 13 deletions(-) diff --git a/.github/platform-tg-infra.code-workspace b/.github/platform-tg-infra.code-workspace index cefac38d..fbc4a1fa 100644 --- a/.github/platform-tg-infra.code-workspace +++ b/.github/platform-tg-infra.code-workspace @@ -83,6 +83,9 @@ { "name": "tfmod-tempo", "path": "../../tfmod-tempo" + }, + { + "path": "../../../terraform-modules/aws-ecr-copy-images" } ] } diff --git a/lab/_envcommon/common-variables.hcl b/lab/_envcommon/common-variables.hcl index 3979206c..bfdaeace 100644 --- a/lab/_envcommon/common-variables.hcl +++ b/lab/_envcommon/common-variables.hcl @@ -6,10 +6,6 @@ # that are common across all environments/accounts. # --------------------------------------------------------------------------------------------------------------------- locals { - organization = "census:ocio:csvd" - finops_project_name = "csvd_platformbaseline" - finops_project_number = "fs0000000078" - finops_project_role = "csvd_platformbaseline_app" state_bucket_prefix = "inf-tfstate" state_table_name = "tf_remote_state" route53_endpoints = { 
@@ -20,12 +16,14 @@ locals { "us-gov-west-1" = "vpc-08b7b4db6a5ddf9c1" } } + eecr_account_id = local.enterprise_ecr_account.lab["account_id"] + enterprise_ecr_account = { lab = { - account_id = "269222635945" + "account_id" = "269222635945" } prod = { - account_id = "067074201825" + "account_id" = "067074201825" } } } diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/cluster.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/cluster.hcl index c64bdb5b..a724fcf3 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/cluster.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/cluster.hcl @@ -6,6 +6,11 @@ locals { eks_ng_desired_size = 2 eks_ng_max_size = 10 eks_ng_min_size = 2 + organization = "census:ocio:csvd" + finops_project_name = "csvd_platformbaseline" + finops_project_number = "fs0000000078" + finops_project_role = "csvd_platformbaseline_app" + tags = { "slim:schedule" = "8:00-17:00" "cluster:size" = "min:${local.eks_ng_min_size}-max:${local.eks_ng_max_size}-desired:${local.eks_ng_desired_size}" diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl index f9ca879b..f9fda099 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl @@ -56,7 +56,7 @@ inputs = { account_id = include.root.inputs.aws_account_id profile = include.root.inputs.aws_profile region = include.root.inputs.aws_region - eecr_account_id = include.root.inputs.eecr_account_id + eecr_account_id = include.root.inputs.enterprise_ecr_account # Cluster Configuration cluster_name = include.root.inputs.cluster_name 
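Review bot: In the eks-dns hunk the `eecr_account_id` input is now fed from `include.root.inputs.enterprise_ecr_account`, which common-variables.hcl defines as the whole `lab`/`prod` map rather than a single account id. Every other module in this series passes `include.root.inputs.eecr_account_id`, and root.hcl still exports that key, so this looks like an accidental edit. Depending on how the module types the variable, it will either fail validation or render a wrong registry address. Restore `eecr_account_id = include.root.inputs.eecr_account_id`. The `inputs` block continues past the end of the hunk.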
diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl index ede644a1..8862a26f 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl @@ -41,6 +41,7 @@ inputs = { # AWS Configuration account_id = include.root.inputs.aws_account_id eecr_account_id = include.root.inputs.eecr_account_id + eecr_profile = include.root.inputs.eecr_profile profile = include.root.inputs.aws_profile region = include.root.inputs.aws_region diff --git a/lab/root.hcl b/lab/root.hcl index 4ea23326..0035dbfc 100644 --- a/lab/root.hcl +++ b/lab/root.hcl 
@@ -24,17 +24,26 @@ locals { # Automatically load vpc-level variables vpc_vars = read_terragrunt_config(find_in_parent_folders("vpc.hcl")) + root_locals_for_inputs = { + is_module_enabled = local.is_module_enabled + module_name = local.module_name + eecr_profile = local.eecr_profile + # Add any other locals you want to expose + # only expose things not already included via local.xxx_vars.locals.* + } # Extract the variables we need for easy access account_id = local.account_vars.locals.aws_account_id + account_name = local.account_vars.locals.account_name aws_profile = local.account_vars.locals.aws_profile aws_region = local.region_vars.locals.aws_region cluster_name = local.cluster_vars.locals.cluster_name + eecr_account_id = local.common_vars.locals.eecr_account_id + eecr_profile = replace(local.aws_profile, local.account_id, local.eecr_account_id) environment_abbr = local.account_vars.locals.environment_abbr - eecr_account_id = local.common_vars.locals.enterprise_ecr_account.lab.account_id - finops_project_name = local.common_vars.locals.finops_project_name - finops_project_number = local.common_vars.locals.finops_project_number - finops_project_role = local.common_vars.locals.finops_project_role + finops_project_name = local.cluster_vars.locals.finops_project_name + finops_project_number = local.cluster_vars.locals.finops_project_number + finops_project_role = local.cluster_vars.locals.finops_project_role is_eks_module = local.module_name == "eks" is_module_enabled = merge( { for module in local.versions.locals.core_modules : module => true }, @@ -43,7 +52,7 @@ locals { ) module_name = basename(get_original_terragrunt_dir()) module_overrides = local.cluster_vars.locals.module_enablement_overrides - organization = local.common_vars.locals.organization + organization = local.cluster_vars.locals.organization state_bucket_prefix = local.common_vars.locals.state_bucket_prefix state_table_name = local.common_vars.locals.state_table_name } 
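Review bot: `eecr_profile = replace(local.aws_profile, local.account_id, local.eecr_account_id)` returns `aws_profile` unchanged whenever the account id is not a substring of the profile name, so the registry profile can silently end up being the workload account's own profile. Even when the substitution happens, the rest of the name is carried over from the workload account and may not match any profile configured for the registry account. Prefer an explicit value defined next to `enterprise_ecr_account` in common-variables.hcl, or fail the run when the result equals `local.aws_profile`. The `locals` block starts and ends outside this hunk.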
@@ -147,6 +156,21 @@ generate "aws-provider" { EOF } +generate "eecr-provider" { + path = "eecr-provider.tf" + if_exists = "overwrite" + contents = <<-EOF + provider "aws" { + alias = "eecr" + profile = var.profile + assume_role { + role_arn = format("arn:%v:iam::%v:role/r-ent-ecr", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id) + session_name = var.os_username + } + } +EOF +} + # --------------------------------------------------------------------------------------------------------------------- # GLOBAL PARAMETERS # These variables apply to all configurations in this subfolder. These are automatically merged into the child @@ -161,5 +185,6 @@ inputs = merge( local.common_vars.locals, local.region_vars.locals, local.versions.locals, - local.vpc_vars.locals + local.vpc_vars.locals, + local.root_locals_for_inputs ) From 4462ccc54915499aa665c196d2ed7efef3c2c946 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 17 Apr 2025 15:26:57 -0400 Subject: [PATCH 057/126] cross account pulls --- lab/_envcommon/common-variables.hcl | 10 +++++++++- lab/root.hcl | 9 +++------ 2 files changed, 12 insertions(+), 7 deletions(-) diff --git a/lab/_envcommon/common-variables.hcl b/lab/_envcommon/common-variables.hcl index bfdaeace..94ced2c3 100644 --- a/lab/_envcommon/common-variables.hcl +++ b/lab/_envcommon/common-variables.hcl @@ -17,13 +17,21 @@ locals { } } eecr_account_id = local.enterprise_ecr_account.lab["account_id"] - + eecr_alias = local.enterprise_ecr_account.lab["alias"] + eecr_role = local.enterprise_ecr_account.lab["role"] + eecr_profile = format("%v-%v.%v", local.eecr_account_id, local.eecr_alias, local.eecr_role) enterprise_ecr_account = { lab = { "account_id" = "269222635945" + "alias" = "lab-gov-shared-nonprod" + "region" = "us-gov-east-1" + "role" = "inf-admin-t1" } prod = { "account_id" = "067074201825" + "alias" = "ent-gov-shared-prod" + "region" = "us-gov-east-1" + "role" = "inf-admin-t1" } } } 
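Review bot: The `role_arn` in the generated `eecr` provider is built from `data.aws_caller_identity.current.account_id`, so the role it assumes is in the caller's own account, not in the account `eecr_account_id` points at. As written the alias does not appear to cross accounts. The generated file also references `data.aws_arn.current`, `data.aws_caller_identity.current`, `var.profile` and `var.os_username` without declaring them, so every module that receives `eecr-provider.tf` must define all four; whether they do is not visible from this hunk. If the role is meant to live in the registry account, `role_arn = format("arn:%v:iam::%v:role/r-ent-ecr", data.aws_arn.current.partition, var.eecr_account_id)` would express that, assuming the modules declare that variable.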
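Review bot: In the common-variables.hcl hunk, `eecr_profile` is assembled from `"role" = "inf-admin-t1"`, so the provider used for image pulls from the shared registry account would run under what the name suggests is an infrastructure admin role. Pulling images needs only read access to ECR. A dedicated pull-only role behind this profile would limit what a misconfigured or compromised module could change in the shared account. The new `"region"` key is not read anywhere in this commit. The `locals` block starts outside the hunk.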
diff --git a/lab/root.hcl b/lab/root.hcl index 0035dbfc..879fa66a 100644 --- a/lab/root.hcl +++ b/lab/root.hcl @@ -39,7 +39,7 @@ locals { aws_region = local.region_vars.locals.aws_region cluster_name = local.cluster_vars.locals.cluster_name eecr_account_id = local.common_vars.locals.eecr_account_id - eecr_profile = replace(local.aws_profile, local.account_id, local.eecr_account_id) + eecr_profile = local.common_vars.locals.eecr_profile environment_abbr = local.account_vars.locals.environment_abbr finops_project_name = local.cluster_vars.locals.finops_project_name finops_project_number = local.cluster_vars.locals.finops_project_number @@ -162,11 +162,8 @@ generate "eecr-provider" { contents = <<-EOF provider "aws" { alias = "eecr" - profile = var.profile - assume_role { - role_arn = format("arn:%v:iam::%v:role/r-ent-ecr", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id) - session_name = var.os_username - } + profile = "${local.eecr_profile}" + region = "${local.aws_region}" } EOF } From 5bb08918dc17c96b19b301d3baf3958b6f6ca0e9 Mon Sep 17 00:00:00 2001 From: David John Arnold Jr Date: Thu, 17 Apr 2025 13:37:34 -0700 Subject: [PATCH 058/126] updating readme (#22) * updating readme * Add initial README.md with project overview, structure, and usage instructions * Revise README.md for clarity and organization, enhancing descriptions of repository contents and usage instructions. --- README.md | 168 ++++++++++++++++++++++++++++++++++++------------------ 1 file changed, 114 insertions(+), 54 deletions(-) diff --git a/README.md b/README.md index 454f6c3a..248d122a 100644 --- a/README.md +++ b/README.md 
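Review bot: The `eecr` provider takes `region = "${local.aws_region}"`, the deploying cluster's region, while the same commit adds a `"region"` key to each `enterprise_ecr_account` entry that nothing reads. The two agree today (`us-gov-east-1`), but a stack under another region folder would point the alias at a region where the registry may not exist. Use the registry's own value, e.g. `region = "${local.common_vars.locals.enterprise_ecr_account.lab.region}"`. Dropping `assume_role` also means every operator and pipeline must have a profile of that exact name in their AWS config; a comment on the block such as `# requires a local AWS profile named like local.eecr_profile` would make that prerequisite visible.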
@@ -1,55 +1,115 @@ -## How to setup and run terragrunt scripts for EKS related modules in a LAB account - -### Lab Account request and setup: - - Open a REMEDY ticket for creating an account in LAB environment, preferably with t3-admin role. - - LAB account url:https://pssvlab.tco.census.gov/PSS/ - - Make a note that the LAB account password is different from laptop password - - Once you have successful log proceed to next steps below - -### Access LAB jumphost (bromine): - Refer this page for additional help on sso credentials: https://github.e.it.census.gov/terraform/support/tree/master/docs/how-to/aws-sso - - 1. Goto LAB workspace:https://clients.amazonworkspaces.com/ - 2. Hit the web access login on the top right corner - 3. Enter the following registration code: FRosu+FMEXNZ and click Register - 4. Use your jbid and password (use lab password) - 5. Open reflection client and ssh connect to bromine.cto.census.gov - 6. On bromine, sso login to lab-gov as: - $ aws-sso-login.sh lab-gov - 7. On a browser goto auth-dev.census.gov - 8. Use PIV card option to login - 9. Copy the link from step 6 and paste it on the portal and authenticate - 10. 
Go back to bromine and doubleclick at an empty space, you should get successful login lab env - -### Environment Setup: - - Set your profile as a default profile by exporting AWS_PROFILE variable - $ export AWS_PROFILE="224384469011-lab-dev-gov.inf-admin-t3" - $ aws sts get-caller-identity - - Run any aws commands to make sure you are getting responses from the account your profile is set to: - $ aws s3 ls - -### Terraform/Terragrunt binaries and versions: - The following binaries used: - - Terraform version: v1.7.5 - - Terragrunt version: v0.55.21 - These versions can be found on bromine.cto.census.gov host at: - /app/terraform/bin/terr* folder - -### Run the Terragrunt script: - - Cd to specifc folder (example: cd eks) and Run terragrunt plan - $ terragrunt plan - - Verify the plan output and make sure there are no errors - - Run terragrunt apply - $ terragrunt apply - - Verify apply completes successfully and verify the resources on AWS Console. - -### Accessing the cluster: - $ aws eks --region us-gov-east-1 update-kubeconfig --name platform-eng-eks-test - $ kubectl config use-context arn:aws-us-gov:eks:us-gov-east-1:224384469011:cluster/platform-eng-eks-test - $ kubectl config get-contexts - -### Run few kubectl commands to verify you are accessing the cluster - $ kubectl cluster-info - $ kubectl get pods -A - $ kubectl get ns +# Platform Infrastructure with Terragrunt +This repository helps manage cloud infrastructure using Terragrunt. It is designed to make managing infrastructure easier and more organized. Terragrunt is used to handle infrastructure as code for different environments. 
+ +## What's in This Repository + +- `/configs` - Files for setting up things like node groups and resource limits +- `/docs` - Guides and rules for how to set up and manage the infrastructure +- `/lab` - Settings for testing and development environments +- `/monitoring` - Tools for keeping an eye on the system +- `/tests` - Tests to make sure everything works as expected + +## Documentation + +You can find detailed guides in the `/docs` folder: + +- [Architecture](docs/ARCHITECTURE.md) - How the system is built +- [Documentation Standards](docs/DOCUMENTATION_STANDARDS.md) - How to write good documentation +- [Infrastructure Standards](docs/INFRASTRUCTURE_STANDARDS.md) - Rules for setting up infrastructure +- [Module Dependencies](docs/MODULE_DEPENDENCIES.md) - How different parts depend on each other +- [Module Standards](docs/MODULE_STANDARDS.md) - Rules for creating modules +- [Observability Standards](docs/OBSERVABILITY_STANDARDS.md) - How to monitor the system +- [Security Audit Checklist](docs/SECURITY_AUDIT_CHECKLIST.md) - Steps to check for security issues +- [Security Baseline](docs/SECURITY_BASELINE.md) - Basic security requirements +- [Testing Standards](docs/TESTING_STANDARDS.md) - Rules for testing +- [Version Control](docs/VERSION_CONTROL.md) - How to manage code versions + +## What You Need + +- Terraform v1.0.0 or newer +- Terragrunt v0.36.0 or newer +- AWS CLI set up with the right permissions +- Access to AWS resources + +## How to Get Started + +### Using the Makefile + +This repository has a Makefile with helpful commands: + +```bash +make help # See available commands +make init # Set up Terragrunt +make validate # Check if everything is set up correctly +make plan # Preview changes +make fmt # Format files +make check # Run all checks +make clean # Clean up temporary files +``` + +### Manual Terragrunt Commands + +Go to the folder with the Terragrunt configuration you want to use: + +```bash +cd lab/environment/component + +# Set up Terragrunt 
+terragrunt init + +# Preview changes +terragrunt plan + +# Apply changes +terragrunt apply + +# Remove resources +terragrunt destroy +``` + +### Running All Configurations + +Run commands for all Terragrunt configurations: + +```bash +# Set up everything +terragrunt run-all init + +# Preview all changes +terragrunt run-all plan + +# Apply all changes +terragrunt run-all apply +``` + +## Configuration + +Terragrunt configurations are organized like this: + +1. Main settings for each environment +2. Specific settings for different parts of the system +3. Overrides for special cases + +Check the environment folders for more details. + +## Testing + +The `/tests` folder has tools to check if everything works. To run tests: + +```bash +cd tests +./run_tests.sh +``` + +## How to Contribute + +1. Make a copy of this repository +2. Create a new branch for your changes +3. Make your updates +4. Run `make check` to ensure everything is correct +5. Submit a pull request + +## License + +Copyright © 2025 Your Organization. All rights reserved. From 360fa5dec48fdc5c59882ad8b21af66735bf926f Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 17 Apr 2025 17:48:46 -0400 Subject: [PATCH 059/126] full cluster --- lab/_envcommon/default-versions.hcl | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index 62c84e90..8b28224a 100644 --- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl 
@@ -29,16 +29,16 @@ locals { # Optional modules with their default enablement state enabled_modules = { "eks-arcgis" = false - "eks-gogatekeeper" = false - "eks-grafana" = false - "eks-k8s-dashboard" = false - "eks-keycloak" = false - "eks-kiali" = false - "eks-loki" = false - "eks-otel" = false + "eks-gogatekeeper" = true + "eks-grafana" = true + "eks-k8s-dashboard" = true + "eks-keycloak" = true + "eks-kiali" = true + "eks-loki" = true + "eks-otel" = true "eks-postgresql" = false - "eks-prometheus" = false - "eks-tempo" = false + "eks-prometheus" = true + "eks-tempo" = true } ##################### From 7eb461e957787946087ce57a0318827e3245d552 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 17 Apr 2025 18:34:29 -0400 Subject: [PATCH 060/126] clean up ws --- .github/platform-tg-infra.code-workspace | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/.github/platform-tg-infra.code-workspace b/.github/platform-tg-infra.code-workspace index fbc4a1fa..642d972f 100644 --- a/.github/platform-tg-infra.code-workspace +++ b/.github/platform-tg-infra.code-workspace @@ -72,20 +72,17 @@ "name": "tfmod-open-telemetry", "path": "../../tfmod-open-telemetry" }, - { - "name": "tfmod-postgresql", - "path": "../../tfmod-postgresql" - }, { "name": "tfmod-prometheus", "path": "../../tfmod-prometheus" }, { - "name": "tfmod-tempo", - "path": "../../tfmod-tempo" + "name": "tfmod-postgresql", + "path": "../../tfmod-postgresql" }, { - "path": "../../../terraform-modules/aws-ecr-copy-images" + "name": "tfmod-tempo", + "path": "../../tfmod-tempo" } ] } From 25df5e14eb5e22022ced26134323d1452318757a Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 17 Apr 2025 19:51:32 -0400 Subject: [PATCH 061/126] fix profile and update versions --- lab/_envcommon/common-variables.hcl | 5 +---- lab/_envcommon/default-versions.hcl | 4 ++-- 2 files changed, 3 insertions(+), 6 deletions(-) 
diff --git a/lab/_envcommon/common-variables.hcl b/lab/_envcommon/common-variables.hcl index 94ced2c3..88d99ac9 100644 --- a/lab/_envcommon/common-variables.hcl +++ b/lab/_envcommon/common-variables.hcl @@ -18,20 +18,17 @@ locals { } eecr_account_id = local.enterprise_ecr_account.lab["account_id"] eecr_alias = local.enterprise_ecr_account.lab["alias"] - eecr_role = local.enterprise_ecr_account.lab["role"] - eecr_profile = format("%v-%v.%v", local.eecr_account_id, local.eecr_alias, local.eecr_role) + eecr_profile = format("%v-%v", local.eecr_account_id, local.eecr_alias) enterprise_ecr_account = { lab = { "account_id" = "269222635945" "alias" = "lab-gov-shared-nonprod" "region" = "us-gov-east-1" - "role" = "inf-admin-t1" } prod = { "account_id" = "067074201825" "alias" = "ent-gov-shared-prod" "region" = "us-gov-east-1" - "role" = "inf-admin-t1" } } } diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index 8b28224a..c63dd16e 100644 --- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl @@ -151,8 +151,8 @@ locals { ################ loki_chart_version = "6.27.0" loki_tag = "3.4.2" - enterprise_logs_provisioner_tag = "3.4" - gateway_tag = "1.27-alpine" + enterprise_logs_provisioner_tag = "3.4.2" + gateway_tag = "1.26.3" memcached_tag = "1.6.37" exporter_tag = "v0.15.0" sidecar_tag = "1.27.4" From 3d81059a1ab5835fae1de9adff5bb11abdf17111 Mon Sep 17 00:00:00 2001 
From: "Matthew C. Morgan" Date: Fri, 18 Apr 2025 01:28:26 -0400 Subject: [PATCH 062/126] update ordering is istio is after otel --- .github/platform-tg-infra.code-workspace | 4 - lab/_envcommon/default-versions.hcl | 5 +- .../vpc/csvd-platform-lab-mcm/cluster.hcl | 11 ++- .../eks-gogatekeeper/terragrunt.hcl | 92 ------------------- .../eks-istio/terragrunt.hcl | 1 + .../eks-keycloak/terragrunt.hcl | 10 +- .../eks-metrics-server/terragrunt.hcl | 1 - .../eks-prometheus/terragrunt.hcl | 1 + 8 files changed, 15 insertions(+), 110 deletions(-) delete mode 100644 lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gogatekeeper/terragrunt.hcl diff --git a/.github/platform-tg-infra.code-workspace b/.github/platform-tg-infra.code-workspace index 642d972f..8e81bf96 100644 --- a/.github/platform-tg-infra.code-workspace +++ b/.github/platform-tg-infra.code-workspace @@ -28,10 +28,6 @@ "name": "tfmod-ersi-arcgis", "path": "../../tfmod-ersi-arcgis" }, - { - "name": "tfmod-gogatekeeper", - "path": "../../tfmod-gogatekeeper" - }, { "name": "tfmod-grafana", "path": "../../tfmod-grafana" diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index c63dd16e..d42a68b8 100644 --- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl @@ -103,7 +103,7 @@ locals { grafana_operator_chart_version = "4.9.8" grafana_operator_tag = "5.16.0" grafana_tag = "11.5.2" - os_shell_image_tag = "12" + os_shell_image_tag = local.utilities_tag ################ # Istio @@ -139,6 +139,7 @@ locals { keycloak_username = "keycloak" keycloak_password = "this is my very secure and totally random password horse battery staple now" postgresql_tag = "17.4.0-debian-12-r2" + utilities_tag = "1.0.3" ################ # Kiali @@ -166,7 +167,7 @@ locals { ################ # PostgreSQL ################ - os_shell_tag = "12" + os_shell_tag = local.utilities_tag postgres_exporter_tag = "0.16.0" postgresql_repmgr_tag = "17.4.0-alpine" pgpool_tag = "4.5.5" 
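Review bot: The `keycloak_password` literal visible as context in the `@@ -139,6 +139,7 @@` hunk of `lab/_envcommon/default-versions.hcl` is a credential stored in version control, and this commit adds `utilities_tag` next to it without moving it out. Everyone with read access to the repository or its history has the value, and it is shared by every cluster that takes these defaults. I would read it at run time instead, for example `keycloak_password = get_env("KEYCLOAK_PASSWORD")`, or let the module fetch it from a secrets store, and rotate the current value because it stays in history. The same line recurs as context in the later `default-versions.hcl` hunks of patches 064 and 067; the `locals` block starts and ends outside the hunk.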
diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/cluster.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/cluster.hcl index a724fcf3..0f1f989c 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/cluster.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/cluster.hcl @@ -6,16 +6,17 @@ locals { eks_ng_desired_size = 2 eks_ng_max_size = 10 eks_ng_min_size = 2 - organization = "census:ocio:csvd" - finops_project_name = "csvd_platformbaseline" - finops_project_number = "fs0000000078" - finops_project_role = "csvd_platformbaseline_app" + organization = "census:ocio:csvd" + finops_project_name = "csvd_platformbaseline" + finops_project_number = "fs0000000078" + finops_project_role = "csvd_platformbaseline_app" tags = { "slim:schedule" = "8:00-17:00" "cluster:size" = "min:${local.eks_ng_min_size}-max:${local.eks_ng_max_size}-desired:${local.eks_ng_desired_size}" } module_enablement_overrides = { - "eks-arcgis" = false + "eks-arcgis" = false + "eks-postgresql" = false } } diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gogatekeeper/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gogatekeeper/terragrunt.hcl deleted file mode 100644 index 7584cb59..00000000 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gogatekeeper/terragrunt.hcl +++ /dev/null 
@@ -1,92 +0,0 @@ -include "root" { - path = find_in_parent_folders("root.hcl") - merge_strategy = "deep" - expose = true -} - -locals { - # Skip this module if disabled - skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true) -} - -exclude { - if = local.skip - actions = ["all_except_output"] - exclude_dependencies = false -} - -terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-gogatekeeper.git?ref=${include.root.inputs.release_version}" - extra_arguments "retry_lock" { - commands = get_terraform_commands_that_need_locking() - arguments = ["-lock-timeout=20s"] - } -} - -dependency "eks" { - config_path = "../eks" - mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] - mock_outputs = { - cluster_name = "mock-cluster" - oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock" - } -} - -dependency "eks_dns" { - config_path = "../eks-dns" - mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] - mock_outputs = { - cluster_domain = "mock.example.com" - } -} - -dependency "eks_grafana" { - config_path = "../eks-grafana" - mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] - mock_outputs = { - public_endpoint = "mock.grafaba.example.com" - } -} - -dependency "eks_keycloak" { - config_path = "../eks-keycloak" - mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] - mock_outputs = { - public_endpoint = "mock.keycloak.example.com" - discovery_url = "mock.keycloak.example.com/auth" - client_id = "mock-client-id" - client_secret = "mock-client-secret" - } -} - -dependencies { - paths = [ - "../eks", - "../eks-dns", - "../eks-grafana", - "../eks-keycloak", - "../eks-prometheus", - ] -} - -inputs = { - # Base Cluster Config - cluster_domain = dependency.eks_dns.outputs.cluster_domain - eecr_account_id = include.root.inputs.eecr_account_id - namespace = 
include.root.inputs.namespaces["gogatekeeper"] - profile = include.root.inputs.aws_profile - region = include.root.inputs.aws_region - - # Gatekeeper Config - gogatekeeper_tag = include.root.inputs.gogatekeeper_tag - gogatekeeper_chart_version = include.root.inputs.gogatekeeper_chart_version - keycloak_discovery_url = dependency.eks_keycloak.outputs.discovery_url - - # Service Behind Gatekeeper Config - service_name = "test-gc" - upstream_url = dependency.eks_grafana.outputs.public_endpoint - redirection_url = dependency.eks_grafana.outputs.public_endpoint - client_id = dependency.eks_keycloak.outputs.client_id - client_secret = dependency.eks_keycloak.outputs.client_secret - keycloak_public_url = dependency.eks_keycloak.outputs.public_endpoint -} diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl index fc885a32..cc0c03ba 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl @@ -27,6 +27,7 @@ dependencies { paths = [ "../eks", "../eks-cert-manager", + "../eks-otel" ] } diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl index 51def6d8..fc97d703 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl 
@@ -61,12 +61,9 @@ inputs = { cluster_domain = dependency.eks_dns.outputs.cluster_domain cluster_name = dependency.eks.outputs.cluster_name eecr_account_id = include.root.inputs.eecr_account_id - - namespace = include.root.inputs.namespaces["keycloak"] - # AWS Configuration - account_id = include.root.inputs.aws_account_id - profile = include.root.inputs.aws_profile - region = include.root.inputs.aws_region + namespace = include.root.inputs.namespaces["keycloak"] + profile = include.root.inputs.aws_profile + region = include.root.inputs.aws_region # keycloak config default_storage_class = dependency.eks_config.outputs.rwo_storage_class @@ -79,6 +76,7 @@ inputs = { realm_username = include.root.inputs.keycloak_username service_name = "keycloak" telemetry_namespace = include.root.inputs.telemetry_namespace + admin_email = include.root.inputs.cluster_mailing_list # # Database configuration keycloak_database = include.root.inputs.keycloak_database diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl index 8862a26f..ede644a1 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl @@ -41,7 +41,6 @@ inputs = { # AWS Configuration account_id = include.root.inputs.aws_account_id eecr_account_id = include.root.inputs.eecr_account_id - eecr_profile = include.root.inputs.eecr_profile profile = include.root.inputs.aws_profile region = include.root.inputs.aws_region diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl index 355fd035..fd7a50cf 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl 
+++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl @@ -27,6 +27,7 @@ dependencies { paths = [ "../eks", "../eks-config", + "../eks-karpenter", "../eks-metrics-server", ] } From 1726a12b4ecf1f5874669fc8f9fec769928e5c58 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Fri, 18 Apr 2025 01:41:44 -0400 Subject: [PATCH 063/126] match the version in eecr --- lab/_envcommon/default-versions.hcl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index d42a68b8..207313c8 100644 --- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl @@ -188,5 +188,5 @@ locals { # Tempo ################ tempo_chart_version = "1.18.2" - tempo_tag = "2.7.1" + tempo_tag = "2.7.0" } From 6fd3843456bd69ed834628dc892a6e195efbbbee Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Fri, 18 Apr 2025 02:10:24 -0400 Subject: [PATCH 064/126] add otel --- lab/_envcommon/common-variables.hcl | 8 ++++---- lab/_envcommon/default-versions.hcl | 17 +++++++++++++---- lab/root.hcl | 18 +++++++++--------- 3 files changed, 26 insertions(+), 17 deletions(-) diff --git a/lab/_envcommon/common-variables.hcl b/lab/_envcommon/common-variables.hcl index 88d99ac9..f3b53872 100644 --- a/lab/_envcommon/common-variables.hcl +++ b/lab/_envcommon/common-variables.hcl @@ -6,8 +6,8 @@ # that are common across all environments/accounts. # --------------------------------------------------------------------------------------------------------------------- locals { - state_bucket_prefix = "inf-tfstate" - state_table_name = "tf_remote_state" + state_bucket_prefix = "inf-tfstate" + state_table_name = "tf_remote_state" route53_endpoints = { route53_main = { "account_id" = "269244441389" 
@@ -17,8 +17,8 @@ locals { } } eecr_account_id = local.enterprise_ecr_account.lab["account_id"] - eecr_alias = local.enterprise_ecr_account.lab["alias"] - eecr_profile = format("%v-%v", local.eecr_account_id, local.eecr_alias) + eecr_alias = local.enterprise_ecr_account.lab["alias"] + eecr_profile = format("%v-%v", local.eecr_account_id, local.eecr_alias) enterprise_ecr_account = { lab = { "account_id" = "269222635945" diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index 207313c8..3c09157a 100644 --- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl @@ -14,18 +14,18 @@ locals { ##################### # Module Enablement ##################### - + # Core modules that should always be enabled (cannot be disabled) core_modules = [ "eks", "eks-karpenter", "eks-config", - "eks-metrics-server", + "eks-metrics-server", "eks-cert-manager", "eks-istio", "eks-dns", ] - + # Optional modules with their default enablement state enabled_modules = { "eks-arcgis" = false @@ -139,7 +139,7 @@ locals { keycloak_username = "keycloak" keycloak_password = "this is my very secure and totally random password horse battery staple now" postgresql_tag = "17.4.0-debian-12-r2" - utilities_tag = "1.0.3" + utilities_tag = "1.0.3" ################ # Kiali @@ -164,6 +164,15 @@ locals { metrics_server_helm_chart = "3.12.2" metrics_server_tag = "v0.7.2" + ################ + # Open Telemetry + ################ + auto_instrumentation_java_version = "2.9.0" + collector_version = "0.111.0-amd64" + collector_contrib_version = "0.113.0-amd64" + otel_version = "0.110.0" + rbac_proxy_version = "v0.18.1" + ################ # PostgreSQL ################ diff --git a/lab/root.hcl b/lab/root.hcl index 879fa66a..aaf6746d 100644 --- a/lab/root.hcl +++ b/lab/root.hcl 
@@ -24,10 +24,10 @@ locals { # Automatically load vpc-level variables vpc_vars = read_terragrunt_config(find_in_parent_folders("vpc.hcl")) - root_locals_for_inputs = { - is_module_enabled = local.is_module_enabled - module_name = local.module_name - eecr_profile = local.eecr_profile + root_locals_for_inputs = { + is_module_enabled = local.is_module_enabled + module_name = local.module_name + eecr_profile = local.eecr_profile # Add any other locals you want to expose # only expose things not already included via local.xxx_vars.locals.* } @@ -50,11 +50,11 @@ locals { local.versions.locals.enabled_modules, local.module_overrides ) - module_name = basename(get_original_terragrunt_dir()) - module_overrides = local.cluster_vars.locals.module_enablement_overrides - organization = local.cluster_vars.locals.organization - state_bucket_prefix = local.common_vars.locals.state_bucket_prefix - state_table_name = local.common_vars.locals.state_table_name + module_name = basename(get_original_terragrunt_dir()) + module_overrides = local.cluster_vars.locals.module_enablement_overrides + organization = local.cluster_vars.locals.organization + state_bucket_prefix = local.common_vars.locals.state_bucket_prefix + state_table_name = local.common_vars.locals.state_table_name } # Only generate providers for non-EKS modules From 3d3847ebe3a24aeebad7abc8c36d9caff57f44fe Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Fri, 18 Apr 2025 02:17:33 -0400 Subject: [PATCH 065/126] add image versions passthrough --- lab/_envcommon/default-versions.hcl | 3 ++- .../vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl | 10 +++++++++- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index 3c09157a..7f596402 100644 --- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl 
@@ -168,8 +168,9 @@ locals { # Open Telemetry ################ auto_instrumentation_java_version = "2.9.0" - collector_version = "0.111.0-amd64" collector_contrib_version = "0.113.0-amd64" + collector_version = "0.111.0-amd64" + otel_helm_version = "0.71.2" otel_version = "0.110.0" rbac_proxy_version = "v0.18.1" diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl index e52ef7aa..1d6ff7fb 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl @@ -68,9 +68,17 @@ inputs = { eecr_account_id = include.root.inputs.eecr_account_id profile = include.root.inputs.aws_profile region = include.root.inputs.aws_region + # Clouster Config + cluster_name = dependency.eks.outputs.cluster_name - cluster_name = dependency.eks.outputs.cluster_name + # OTEL Configuration namespace = include.root.inputs.namespaces["otel"] loki_endpoint = dependency.eks-loki.outputs.gateway_internal_endpoint.url tempo_endpoint = dependency.eks-tempo.outputs.tempo_otlp_endpoint.url + # Image Version + auto_instrumentation_java_version = include.root.inputs.auto_instrumentation_java_version + collector_contrib_version = include.root.inputs.collector_contrib_version + collector_version = include.root.inputs.collector_version + otel_helm_version = include.root.inputs.otel_helm_version + rbac_proxy_version = include.root.inputs.rbac_proxy_version } From df5df84a93f61bee15296109efdf918371cb74e6 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Fri, 18 Apr 2025 02:18:21 -0400 Subject: [PATCH 066/126] fmt --- lab/_envcommon/default-versions.hcl | 1 + 1 file changed, 1 insertion(+) diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index 7f596402..3c478980 100644 --- a/lab/_envcommon/default-versions.hcl 
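Review bot: `otel_version` is defined in `default-versions.hcl` but is not among the values the `@@ -68,9 +68,17 @@` hunk of `eks-otel/terragrunt.hcl` passes through, so unless it is consumed elsewhere it is either unused or the module falls back to its own default for that image. If the module declares the variable, add `otel_version = include.root.inputs.otel_version`; otherwise drop the local. The `# Image Version` heading also covers `otel_helm_version`, which by its name is a chart version, and the new comment `# Clouster Config` should read `# Cluster Config`. The `inputs` block starts outside the hunk.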
+++ b/lab/_envcommon/default-versions.hcl @@ -177,6 +177,7 @@ locals { ################ # PostgreSQL ################ + os_shell_tag = local.utilities_tag postgres_exporter_tag = "0.16.0" postgresql_repmgr_tag = "17.4.0-alpine" From cd4d2fcfb570b3221e55d9e17aae92075ada9231 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Fri, 18 Apr 2025 14:38:05 -0400 Subject: [PATCH 067/126] move eecr data item to provider --- lab/_envcommon/default-versions.hcl | 10 +++++----- lab/root.hcl | 5 +++++ 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index 3c478980..cf0e8afb 100644 --- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl @@ -115,8 +115,8 @@ locals { # k8s-dashboard ################ dashboard_hostname = "dashboard" - k8s_dashboard_version = "6.0.6" - k8s_dashboard_metrics_scraper = "1.0.8" + k8s_dashboard_version = "v2.7.0" + k8s_dashboard_metrics_scraper = "v1.0.9" # dashboard_api_tag = "1.11.1" # dashboard_auth_tag = "1.2.4" # dashboard_metrics_tag = "1.2.2" @@ -133,12 +133,12 @@ locals { # Keycloak ################ keycloak_chart_version = "24.4.11" - keycloak_tag = "26.1.3" + keycloak_tag = "26.0.7" keycloak_hostname = "keycloak" keycloak_database = "keycloak" keycloak_username = "keycloak" keycloak_password = "this is my very secure and totally random password horse battery staple now" - postgresql_tag = "17.4.0-debian-12-r2" + postgresql_tag = "17" utilities_tag = "1.0.3" ################ @@ -172,7 +172,7 @@ locals { collector_version = "0.111.0-amd64" otel_helm_version = "0.71.2" otel_version = "0.110.0" - rbac_proxy_version = "v0.18.1" + rbac_proxy_version = "v0.19.0" ################ # PostgreSQL diff --git a/lab/root.hcl b/lab/root.hcl index aaf6746d..86b55734 100644 --- a/lab/root.hcl +++ b/lab/root.hcl 
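Review bot: `postgresql_tag = "17"` in the `@@ -133,12 +133,12 @@` hunk replaces a fully qualified tag with a floating major tag, so the image that is pulled can change without any change to this file. Keep the exact tag that is mirrored in the registry, e.g. `postgresql_tag = "<exact-tag-in-registry>"` (placeholder), or a digest if the module accepts one. The same hunk moves `keycloak_tag` from `26.1.3` back to `26.0.7`; if that is only to match what is mirrored, a comment such as `# pinned to the version available in the registry` would record why, and the release notes of the versions being stepped back over are worth checking, which I have not done here. The `locals` block continues outside the hunk.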
@@ -165,6 +165,11 @@ generate "eecr-provider" { profile = "${local.eecr_profile}" region = "${local.aws_region}" } + data "aws_ecr_authorization_token" "ecr_token" { + provider = aws.eecr + registry_id = var.eecr_account_id + } + EOF } From 943c453bebb439787fc82d82e88b5c3e4dc385ac Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Fri, 18 Apr 2025 21:22:37 -0400 Subject: [PATCH 068/126] pass ecr_info --- .github/platform-tg-infra.code-workspace | 4 +-- lab/_envcommon/common-variables.hcl | 11 +++++-- .../eks-arcgis/terragrunt.hcl | 1 + .../eks-cert-manager/terragrunt.hcl | 2 +- .../eks-config/terragrunt.hcl | 1 - .../eks-dns/terragrunt.hcl | 1 - .../eks-grafana/terragrunt.hcl | 2 +- .../eks-istio/terragrunt.hcl | 2 +- .../eks-k8s-dashboard/terragrunt.hcl | 2 +- .../eks-karpenter/terragrunt.hcl | 2 +- .../eks-keycloak/terragrunt.hcl | 2 +- .../eks-kiali/terragrunt.hcl | 9 +----- .../eks-loki/terragrunt.hcl | 2 +- .../eks-metrics-server/terragrunt.hcl | 2 +- .../eks-otel/terragrunt.hcl | 3 +- .../eks-prometheus/terragrunt.hcl | 2 +- .../eks-tempo/terragrunt.hcl | 2 +- lab/root.hcl | 29 +++++-------------- 18 files changed, 31 insertions(+), 48 deletions(-) diff --git a/.github/platform-tg-infra.code-workspace b/.github/platform-tg-infra.code-workspace index 8e81bf96..e0d92024 100644 --- a/.github/platform-tg-infra.code-workspace +++ b/.github/platform-tg-infra.code-workspace @@ -25,8 +25,8 @@ "path": "../../tfmod-eks-dns" }, { - "name": "tfmod-ersi-arcgis", - "path": "../../tfmod-ersi-arcgis" + "name": "tfmod-esri-arcgis", + "path": "../../tfmod-esri-arcgis" }, { "name": "tfmod-grafana", diff --git a/lab/_envcommon/common-variables.hcl b/lab/_envcommon/common-variables.hcl index f3b53872..89c502a7 100644 --- a/lab/_envcommon/common-variables.hcl +++ b/lab/_envcommon/common-variables.hcl 
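Review bot: The `aws_ecr_authorization_token` data source added in the `@@ -165,6 +165,11 @@` hunk is written into the generated `eecr-provider` file, so every module that receives that file reads a registry credential, and Terraform keeps data source results, including the token's password attribute, in that module's state. The token expires, but until then read access to any of those state objects carries the registry permissions of the provider profile; I would generate the data block only for modules that pull images and add a comment such as `# token is persisted in state; keep state access restricted`. The block also depends on `var.eecr_account_id`, which each receiving module has to declare; the hunk does not show that. The `generate` block begins outside the hunk.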
@@ -16,19 +16,24 @@ locals { "us-gov-west-1" = "vpc-08b7b4db6a5ddf9c1" } } - eecr_account_id = local.enterprise_ecr_account.lab["account_id"] - eecr_alias = local.enterprise_ecr_account.lab["alias"] - eecr_profile = format("%v-%v", local.eecr_account_id, local.eecr_alias) enterprise_ecr_account = { lab = { "account_id" = "269222635945" "alias" = "lab-gov-shared-nonprod" + "profile" = "269222635945-lab-gov-shared-nonprod" "region" = "us-gov-east-1" } prod = { "account_id" = "067074201825" "alias" = "ent-gov-shared-prod" + "profile" = "067074201825-ent-gov-shared-prod" "region" = "us-gov-east-1" } } + eecr_info = { + account_id = local.enterprise_ecr_account.lab["account_id"] + alias = local.enterprise_ecr_account.lab["alias"] + profile = local.enterprise_ecr_account.lab["profile"] + region = local.enterprise_ecr_account.lab["region"] + } } diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-arcgis/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-arcgis/terragrunt.hcl index 51e9dbff..38cf455e 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-arcgis/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-arcgis/terragrunt.hcl @@ -61,6 +61,7 @@ inputs = { account_id = include.root.inputs.aws_account_id profile = include.root.inputs.aws_profile region = include.root.inputs.aws_region + eecr_info = include.root.inputs.eecr_info # Cluster Configuration cluster_domain = dependency.eks_dns.outputs.cluster_domain diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl index 3b434957..d369a437 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl 
@@ -50,7 +50,7 @@ inputs = { account_id = include.root.inputs.aws_account_id profile = include.root.inputs.aws_profile region = include.root.inputs.aws_region - eecr_account_id = include.root.inputs.eecr_account_id + eecr_info = include.root.inputs.eecr_info # Cluster Configuration cluster_name = dependency.eks.outputs.cluster_name diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl index fa63483f..49fa79cb 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl @@ -53,7 +53,6 @@ inputs = { account_id = include.root.inputs.aws_account_id profile = include.root.inputs.aws_profile region = include.root.inputs.aws_region - eecr_account_id = include.root.inputs.eecr_account_id # Core Cluster Configuration cluster_name = dependency.eks.outputs.cluster_name diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl index f9fda099..3d3672c1 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl @@ -56,7 +56,6 @@ inputs = { account_id = include.root.inputs.aws_account_id profile = include.root.inputs.aws_profile region = include.root.inputs.aws_region - eecr_account_id = include.root.inputs.enterprise_ecr_account # Cluster Configuration cluster_name = include.root.inputs.cluster_name diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl index a897c120..25d1b2b0 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl 
+++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl @@ -87,7 +87,7 @@ dependencies { inputs = { # AWS Configuration account_id = include.root.inputs.aws_account_id - eecr_account_id = include.root.inputs.eecr_account_id + eecr_info = include.root.inputs.eecr_info profile = include.root.inputs.aws_profile region = include.root.inputs.aws_region diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl index cc0c03ba..77bfa9c2 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl @@ -43,7 +43,7 @@ dependency "eks" { inputs = { # AWS Configuration account_id = include.root.inputs.aws_account_id - eecr_account_id = include.root.inputs.eecr_account_id + eecr_info = include.root.inputs.eecr_info profile = include.root.inputs.aws_profile region = include.root.inputs.aws_region diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl index 84dab133..bd61ec03 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl @@ -53,11 +53,11 @@ inputs = { account_id = include.root.inputs.aws_account_id profile = include.root.inputs.aws_profile region = include.root.inputs.aws_region + eecr_info = include.root.inputs.eecr_info # Cluster Configuration cluster_domain = dependency.eks_dns.outputs.cluster_domain cluster_name = dependency.eks.outputs.cluster_name - eecr_account_id = include.root.inputs.eecr_account_id # Dashboard Configuration service_name = include.root.inputs.dashboard_hostname 
diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl index 8ca10b60..f8e3f41c 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl @@ -49,7 +49,7 @@ inputs = { account_id = include.root.inputs.aws_account_id profile = include.root.inputs.aws_profile region = include.root.inputs.aws_region - eecr_account_id = include.root.inputs.eecr_account_id + eecr_info = include.root.inputs.eecr_info # Cluster Configuration cluster_endpoint = dependency.eks.outputs.cluster_endpoint diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl index fc97d703..7c84d1fc 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl @@ -60,7 +60,7 @@ dependencies { inputs = { cluster_domain = dependency.eks_dns.outputs.cluster_domain cluster_name = dependency.eks.outputs.cluster_name - eecr_account_id = include.root.inputs.eecr_account_id + eecr_info = include.root.inputs.eecr_info namespace = include.root.inputs.namespaces["keycloak"] profile = include.root.inputs.aws_profile region = include.root.inputs.aws_region diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl index 05e4ff72..8913def2 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl 
@@ -58,11 +58,6 @@ dependency "eks_grafana" { url = "https://grafana.mock.svc.cluster.local:80/" } namespace = "grafana" - public_endpoint = { - hostname = "grafana.mock.lab.csp2.census.gov" - port_number = "80" - url = "https://grafana.mock.lab.csp2.census.gov:80/" - } secret_name = "grafana" tempo_datasource_id = "mock-tempo-datasource-id" } @@ -107,7 +102,7 @@ dependencies { inputs = { # AWS Configuration account_id = include.root.inputs.aws_account_id - eecr_account_id = include.root.inputs.eecr_account_id + eecr_info = include.root.inputs.eecr_info profile = include.root.inputs.aws_profile region = include.root.inputs.aws_region @@ -123,7 +118,6 @@ inputs = { grafana_internal_url = dependency.eks_grafana.outputs.internal_endpoint.url grafana_namespace = dependency.eks_grafana.outputs.namespace grafana_secret_name = dependency.eks_grafana.outputs.secret_name - grafana_public_url = dependency.eks_grafana.outputs.public_endpoint kiali_application_version = include.root.inputs.kiali_application_version kiali_operator_version = include.root.inputs.kiali_operator_version @@ -132,7 +126,6 @@ inputs = { grafana_namespace = dependency.eks_grafana.outputs.namespace grafana_secret_name = dependency.eks_grafana.outputs.secret_name grafana_internal_url = dependency.eks_grafana.outputs.internal_endpoint.url - grafana_public_url = dependency.eks_grafana.outputs.public_endpoint tempo_datasource_id = dependency.eks_grafana.outputs.tempo_datasource_id tempo_internal_url = dependency.eks_tempo.outputs.tempo_internal_endpoint.url } diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl index 36d44b24..401ad3ad 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl 
@@ -51,7 +51,7 @@ dependencies { inputs = { # AWS Configuration account_id = include.root.inputs.aws_account_id - eecr_account_id = include.root.inputs.eecr_account_id + eecr_info = include.root.inputs.eecr_info profile = include.root.inputs.aws_profile region = include.root.inputs.aws_region diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl index ede644a1..0fa527f5 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl @@ -40,7 +40,7 @@ dependencies { inputs = { # AWS Configuration account_id = include.root.inputs.aws_account_id - eecr_account_id = include.root.inputs.eecr_account_id + eecr_info = include.root.inputs.eecr_info profile = include.root.inputs.aws_profile region = include.root.inputs.aws_region diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl index 1d6ff7fb..693ba171 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl @@ -65,9 +65,10 @@ dependencies { inputs = { # AWS Configuration account_id = include.root.inputs.aws_account_id - eecr_account_id = include.root.inputs.eecr_account_id + eecr_info = include.root.inputs.eecr_info profile = include.root.inputs.aws_profile region = include.root.inputs.aws_region + # Clouster Config cluster_name = dependency.eks.outputs.cluster_name diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl index fd7a50cf..2752527b 100644 
--- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl @@ -52,7 +52,7 @@ dependency "eks_config" { inputs = { # AWS Configuration account_id = include.root.inputs.aws_account_id - eecr_account_id = include.root.inputs.eecr_account_id + eecr_info = include.root.inputs.eecr_info profile = include.root.inputs.aws_profile region = include.root.inputs.aws_region diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl index f3cafec0..6a05943f 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl @@ -55,7 +55,7 @@ dependencies { inputs = { # AWS Configuration account_id = include.root.inputs.aws_account_id - eecr_account_id = include.root.inputs.eecr_account_id + eecr_info = include.root.inputs.eecr_info profile = include.root.inputs.aws_profile region = include.root.inputs.aws_region diff --git a/lab/root.hcl b/lab/root.hcl index 86b55734..be5a3fd5 100644 --- a/lab/root.hcl +++ b/lab/root.hcl 
@@ -24,12 +24,15 @@ locals { # Automatically load vpc-level variables vpc_vars = read_terragrunt_config(find_in_parent_folders("vpc.hcl")) + # Check if copy_images.tf exists in the module directory + has_copy_images = fileexists("${get_original_terragrunt_dir()}/copy_images.tf") + + # Add any other locals you want to expose + # only expose things not already included via local.xxx_vars.locals.* root_locals_for_inputs = { is_module_enabled = local.is_module_enabled module_name = local.module_name - eecr_profile = local.eecr_profile - # Add any other locals you want to expose - # only expose things not already included via local.xxx_vars.locals.* + has_copy_images = local.has_copy_images } # Extract the variables we need for easy access @@ -38,8 +41,7 @@ locals { aws_profile = local.account_vars.locals.aws_profile aws_region = local.region_vars.locals.aws_region cluster_name = local.cluster_vars.locals.cluster_name - eecr_account_id = local.common_vars.locals.eecr_account_id - eecr_profile = local.common_vars.locals.eecr_profile + eecr_info = local.common_vars.locals.eecr_info environment_abbr = local.account_vars.locals.environment_abbr finops_project_name = local.cluster_vars.locals.finops_project_name finops_project_number = local.cluster_vars.locals.finops_project_number @@ -156,23 +158,6 @@ generate "aws-provider" { EOF } -generate "eecr-provider" { - path = "eecr-provider.tf" - if_exists = "overwrite" - contents = <<-EOF - provider "aws" { - alias = "eecr" - profile = "${local.eecr_profile}" - region = "${local.aws_region}" - } - data "aws_ecr_authorization_token" "ecr_token" { - provider = aws.eecr - registry_id = var.eecr_account_id - } - -EOF -} - # --------------------------------------------------------------------------------------------------------------------- # GLOBAL PARAMETERS # These variables apply to all configurations in this subfolder. These are automatically merged into the child 
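Review bot: In the first root.hcl hunk, the comment on `has_copy_images` says the file is looked up in the module directory, but the path is built from `get_original_terragrunt_dir()`, which resolves to the directory of the Terragrunt configuration being run rather than the fetched module source. If the unit directory is what is meant, reword the comment to `# True when copy_images.tf sits next to the unit's terragrunt.hcl`; if the module checkout is meant, the lookup needs a different path. The `locals` block starts and ends outside the hunk, so how `has_copy_images` is consumed is not visible here.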
From 219c63fc19c926a6067b2426ca07b4927d5ebbfb Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Mon, 21 Apr 2025 13:19:07 -0400 Subject: [PATCH 069/126] dupe --- .github/platform-tg-infra.code-workspace | 3 +++ lab/_envcommon/default-versions.hcl | 5 +++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/platform-tg-infra.code-workspace b/.github/platform-tg-infra.code-workspace index e0d92024..48f8296b 100644 --- a/.github/platform-tg-infra.code-workspace +++ b/.github/platform-tg-infra.code-workspace @@ -79,6 +79,9 @@ { "name": "tfmod-tempo", "path": "../../tfmod-tempo" + }, + { + "path": "../../tfmod-custom-iam-role-for-service-account-eks" } ] } diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index cf0e8afb..159c2d8d 100644 --- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl @@ -138,7 +138,8 @@ locals { keycloak_database = "keycloak" keycloak_username = "keycloak" keycloak_password = "this is my very secure and totally random password horse battery staple now" - postgresql_tag = "17" + postgresql_tag = "17.4.0-debian-12-r4" + postgres_exporter_tag = "0.17.1-debian-12-r0" utilities_tag = "1.0.3" ################ @@ -179,7 +180,7 @@ locals { ################ os_shell_tag = local.utilities_tag - postgres_exporter_tag = "0.16.0" + # postgres_exporter_tag = "0.16.0" postgresql_repmgr_tag = "17.4.0-alpine" pgpool_tag = "4.5.5" postgresql_chart_version = "15.3.0" From 01bf24c448933e3307d1deac8116b3ec64efc9c0 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Mon, 21 Apr 2025 16:03:30 -0400 Subject: [PATCH 070/126] add gatekeeper --- lab/_envcommon/default-versions.hcl | 10 +- .../eks-gatekeeper/terragrunt.hcl | 125 ++++++++++++++++++ 2 files changed, 130 insertions(+), 5 deletions(-) create mode 100644 lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl 
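Review bot: The first default-versions.hcl hunk pins `postgresql_tag` directly below `keycloak_password`, a literal database password committed in a shared defaults file. The line is unchanged context, but this commit edits the same Keycloak block and leaves it in place. Anyone with read access to the repository or its history obtains the credential, and it is likely to surface in plan output and state as well. Consider replacing the literal with a value resolved from a secret store or generated at apply time, and rotating the current one. The enclosing `locals` block extends beyond the hunk.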
diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index 159c2d8d..21ac1dda 100644 --- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl @@ -179,11 +179,11 @@ locals { # PostgreSQL ################ - os_shell_tag = local.utilities_tag - # postgres_exporter_tag = "0.16.0" - postgresql_repmgr_tag = "17.4.0-alpine" - pgpool_tag = "4.5.5" - postgresql_chart_version = "15.3.0" + # os_shell_tag = local.utilities_tag + # # postgres_exporter_tag = local.postgres_exporter_tag + # postgresql_repmgr_tag = "17.4.0-alpine" + # pgpool_tag = "4.5.5" + # postgresql_chart_version = "15.3.0" ################ # Prometheus diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl new file mode 100644 index 00000000..76c4a63f --- /dev/null +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl 
@@ -0,0 +1,125 @@ +include "root" { + path = find_in_parent_folders("root.hcl") + merge_strategy = "deep" + expose = true +} + +terraform { + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-gatekeeper.git?ref=${include.root.inputs.release_version}" + extra_arguments "retry_lock" { + commands = get_terraform_commands_that_need_locking() + arguments = ["-lock-timeout=20s"] + } +} + +dependency "eks" { + config_path = "../eks" + mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] + mock_outputs = { + cluster_name = "mock-cluster" + oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock" + } +} + +dependency "eks_dns" { + config_path = "../eks-dns" + mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] + mock_outputs = { + cluster_domain = "mock.example.com" + } +} + +dependency "eks-grafana" { + config_path = "../eks-grafana" + mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] + mock_outputs = { + namespace = "telemetry" + internal_endpoint = { + hostname = "kubernetes-dashboard.telemetry.svc.cluster.local" + port_number = 80 + url = "http://kubernetes-dashboard.telemetry.svc.cluster.local:80/" + } + } +} + +dependency "eks-k8s-dashboard" { + config_path = "../eks-k8s-dashboard" + mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] + mock_outputs = { + namespace = "telemetry" + internal_endpoint = { + hostname = "kubernetes-dashboard.telemetry.svc.cluster.local" + port_number = 80 + url = "http://kubernetes-dashboard.telemetry.svc.cluster.local:80/" + } + dashboard-user-token = "Iamanextremelylongstring" + } +} + +dependency "eks_keycloak" { + config_path = "../eks-keycloak" + mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] + mock_outputs = { + user_auth_realm = "mock.keycloak.example.com/auth" + client_id = "mock-client-id" + client_secret = "mock-client-secret" + namespace = "keycloak" 
+ user_secret = "user-sso" + } +} + +dependency "eks-kiali" { + config_path = "../eks-kiali" + mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] + mock_outputs = { + namespace = "istio-system" + internal_endpoint = { + hostname = "kiali.telemetry.svc.cluster.local" + port_number = 80 + url = "http://kiali.telemetry.svc.cluster.local:80/" + } + } +} + +dependencies { + paths = [ + "../eks", + "../eks-dns", + "../eks-grafana", + "../eks-k8s-dashboard", + "../eks-keycloak", + "../eks-kiali", + ] +} + +inputs = { + # Base Cluster Config + cluster_domain = dependency.eks_dns.outputs.cluster_domain + cluster_name = dependency.eks.outputs.cluster_name + profile = include.root.inputs.aws_profile + + # Gatekeeper Standard Config + gatekeeper_tag = include.root.inputs.gatekeeper_tag + gatekeeper_version = include.root.inputs.gatekeeper_chart_version + keycloak_ns = dependency.eks_keycloak.outputs.namespace + user_secret = dependency.eks_keycloak.outputs.user_secret + client_id = dependency.eks_keycloak.outputs.client_id + client_secret = dependency.eks_keycloak.outputs.client_secret + keycloak_fqdn = dependency.eks_keycloak.outputs.user_auth_realm + + # Dashboard Gatekeeper Config + dashboard_service_name = "dashboard" + dashboard_ns = dependency.eks-k8s-dashboard.outputs.namespace + dashboard_url = dependency.eks-k8s-dashboard.outputs.internal_endpoint.url + dashboard_user_token = dependency.eks-k8s-dashboard.outputs.dashboard-user-token + + # Grafana Gatekeeper Config + grafana_service_name = "grafana" + grafana_ns = dependency.eks-grafana.outputs.namespace + grafana_url = dependency.eks-grafana.outputs.internal_endpoint.url + + # Kaili Gatekeeper Config + kiali_service_name = "kiali" + kiali_ns = dependency.eks-kiali.outputs.namespace + kiali_url = dependency.eks-kiali.outputs.internal_endpoint.url +} From 7057fc24a088bb4b092dcd9f5a8c0586fbca520c Mon Sep 17 00:00:00 2001 
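Review bot: The `inputs` block of the new eks-gatekeeper/terragrunt.hcl forwards two credentials, `client_secret` from `eks_keycloak` and `dashboard_user_token` from `eks-k8s-dashboard`, as ordinary inputs. Terragrunt hands inputs to Terraform as `TF_VAR_*` environment variables, so unless the module declares both variables `sensitive = true` (the module source is not visible here) the values can appear in plan output and logs. It is also worth confirming which role the dashboard token is bound to: if the proxy presents that single token for every authenticated user, each of them gets that role's access to the dashboard. A comment such as `# secret: must be declared sensitive in the module; token should be bound to a least-privilege role` above those two lines would record the expectation. Separately, the `eks-grafana` mock reuses the `kubernetes-dashboard` hostnames, which looks like a copy-paste slip.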
From: "Matthew C. Morgan" Date: Mon, 21 Apr 2025 16:14:16 -0400 Subject: [PATCH 071/126] add gatekeeper --- .../vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl | 1 + 1 file changed, 1 insertion(+) diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl index 76c4a63f..ff7990b8 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl @@ -123,3 +123,4 @@ inputs = { kiali_ns = dependency.eks-kiali.outputs.namespace kiali_url = dependency.eks-kiali.outputs.internal_endpoint.url } + From 59b2752a4dc399fcd809164cf75b7b9c26756992 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Mon, 21 Apr 2025 16:28:40 -0400 Subject: [PATCH 072/126] add gatekeeper to workspace --- .github/platform-tg-infra.code-workspace | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/.github/platform-tg-infra.code-workspace b/.github/platform-tg-infra.code-workspace index 48f8296b..8409f194 100644 --- a/.github/platform-tg-infra.code-workspace +++ b/.github/platform-tg-infra.code-workspace @@ -12,6 +12,10 @@ "name": "tfmod-config-job", "path": "../../tfmod-config-job" }, + { + "name": "tfmod-custom-iam-role-for-service-account-eks", + "path": "../../tfmod-custom-iam-role-for-service-account-eks" + }, { "name": "tfmod-eks", "path": "../../tfmod-eks" @@ -28,6 +32,10 @@ "name": "tfmod-esri-arcgis", "path": "../../tfmod-esri-arcgis" }, + { + "name": "tfmod-gogatekeeper", + "path": "../../tfmod-gogatekeeper" + }, { "name": "tfmod-grafana", "path": "../../tfmod-grafana" @@ -79,9 +87,6 @@ { "name": "tfmod-tempo", "path": "../../tfmod-tempo" - }, - { - "path": "../../tfmod-custom-iam-role-for-service-account-eks" } ] } From 3a73f8918d1b1003064373f9176c9a5fb9cece02 Mon Sep 17 00:00:00 2001 
From: "Matthew C. Morgan" Date: Mon, 21 Apr 2025 16:52:11 -0400 Subject: [PATCH 073/126] update gatekeeper stuff --- lab/_envcommon/default-versions.hcl | 6 +++--- .../vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl | 3 +-- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index 21ac1dda..d4d74d95 100644 --- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl @@ -60,7 +60,7 @@ locals { namespaces = { arcgis = "arcgis" cert-manager = "kube-system" - gogatekeeper = "kube-system" + gogatekeeper = "keycloak" grafana = local.telemetry_namespace istio = "istio-system" k8s-dashboard = local.telemetry_namespace @@ -93,8 +93,8 @@ locals { ################ # GoGatekeeper ################ - gogatekeeper_tag = "3.18.2" - gogatekeeper_chart_version = "0.1.53" + gatekeeper_tag = "3.18.2" + gatekeeper_chart_version = "0.1.53" ################ # Grafana diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl index ff7990b8..98c4d79a 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl @@ -5,7 +5,7 @@ include "root" { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-gatekeeper.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-gogatekeeper.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] @@ -123,4 +123,3 @@ inputs = { kiali_ns = dependency.eks-kiali.outputs.namespace kiali_url = dependency.eks-kiali.outputs.internal_endpoint.url } - 
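Review bot: In the `namespaces` map, `gogatekeeper = "keycloak"` moves the auth proxy into the same namespace as the identity provider it fronts. Namespace-scoped Secrets, RBAC bindings and network policies would then be shared by both workloads, so a compromise of either presumably reaches the other's credentials; whether the co-location is required is not visible from this hunk. If it is deliberate, record that next to the entry, e.g. `# co-located with keycloak on purpose: <reason>`. The second hunk renames the version locals to `gatekeeper_*` while this map key stays `gogatekeeper`, which is worth aligning.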
From 2b6adcf7c4ff4a59a282c51099752723d67dd77e Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Mon, 21 Apr 2025 17:06:33 -0400 Subject: [PATCH 074/126] fmt --- lab/_envcommon/default-versions.hcl | 1 + .../eks-cert-manager/terragrunt.hcl | 8 +-- .../eks-config/terragrunt.hcl | 6 +- .../eks-dns/terragrunt.hcl | 6 +- .../eks-gatekeeper/terragrunt.hcl | 67 ++++++++++++------- .../eks-grafana/terragrunt.hcl | 8 +-- .../eks-istio/terragrunt.hcl | 8 +-- .../eks-k8s-dashboard/terragrunt.hcl | 6 +- .../eks-karpenter/terragrunt.hcl | 8 +-- .../eks-keycloak/terragrunt.hcl | 12 ++-- .../eks-kiali/terragrunt.hcl | 10 +-- .../eks-loki/terragrunt.hcl | 8 +-- .../eks-metrics-server/terragrunt.hcl | 8 +-- .../eks-otel/terragrunt.hcl | 8 +-- .../eks-prometheus/terragrunt.hcl | 8 +-- .../eks-tempo/terragrunt.hcl | 8 +-- 16 files changed, 99 insertions(+), 81 deletions(-) diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index d4d74d95..79c19ad7 100644 --- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl @@ -95,6 +95,7 @@ locals { ################ gatekeeper_tag = "3.18.2" gatekeeper_chart_version = "0.1.53" + gatekeeper_service_name = "gatekeeper" ################ # Grafana diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl index d369a437..569a3554 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl 
@@ -47,10 +47,10 @@ dependency "eks" { inputs = { # AWS Configuration - account_id = include.root.inputs.aws_account_id - profile = include.root.inputs.aws_profile - region = include.root.inputs.aws_region - eecr_info = include.root.inputs.eecr_info + account_id = include.root.inputs.aws_account_id + profile = include.root.inputs.aws_profile + region = include.root.inputs.aws_region + eecr_info = include.root.inputs.eecr_info # Cluster Configuration cluster_name = dependency.eks.outputs.cluster_name diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl index 49fa79cb..49e0ea2f 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl @@ -50,9 +50,9 @@ dependencies { inputs = { # AWS Configuration - account_id = include.root.inputs.aws_account_id - profile = include.root.inputs.aws_profile - region = include.root.inputs.aws_region + account_id = include.root.inputs.aws_account_id + profile = include.root.inputs.aws_profile + region = include.root.inputs.aws_region # Core Cluster Configuration cluster_name = dependency.eks.outputs.cluster_name diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl index 3d3672c1..62d93aff 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl 
@@ -53,9 +53,9 @@ dependencies { inputs = { # AWS Configuration - account_id = include.root.inputs.aws_account_id - profile = include.root.inputs.aws_profile - region = include.root.inputs.aws_region + account_id = include.root.inputs.aws_account_id + profile = include.root.inputs.aws_profile + region = include.root.inputs.aws_region # Cluster Configuration cluster_name = include.root.inputs.cluster_name diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl index 98c4d79a..ffddffa4 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl @@ -4,6 +4,17 @@ include "root" { expose = true } +locals { + # Skip this module if disabled + skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true) +} + +exclude { + if = local.skip + actions = ["all_except_output"] + exclude_dependencies = false +} + terraform { source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-gogatekeeper.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { @@ -33,11 +44,11 @@ dependency "eks-grafana" { config_path = "../eks-grafana" mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] mock_outputs = { - namespace = "telemetry" + namespace = "telemetry" internal_endpoint = { - hostname = "kubernetes-dashboard.telemetry.svc.cluster.local" + hostname = "kubernetes-dashboard.telemetry.svc.cluster.local" port_number = 80 - url = "http://kubernetes-dashboard.telemetry.svc.cluster.local:80/" + url = "http://kubernetes-dashboard.telemetry.svc.cluster.local:80/" } } } 
@@ -46,11 +57,11 @@ dependency "eks-k8s-dashboard" { config_path = "../eks-k8s-dashboard" mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] mock_outputs = { - namespace = "telemetry" + namespace = "telemetry" internal_endpoint = { - hostname = "kubernetes-dashboard.telemetry.svc.cluster.local" + hostname = "kubernetes-dashboard.telemetry.svc.cluster.local" port_number = 80 - url = "http://kubernetes-dashboard.telemetry.svc.cluster.local:80/" + url = "http://kubernetes-dashboard.telemetry.svc.cluster.local:80/" } dashboard-user-token = "Iamanextremelylongstring" } @@ -72,11 +83,11 @@ dependency "eks-kiali" { config_path = "../eks-kiali" mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] mock_outputs = { - namespace = "istio-system" + namespace = "istio-system" internal_endpoint = { - hostname = "kiali.telemetry.svc.cluster.local" + hostname = "kiali.telemetry.svc.cluster.local" port_number = 80 - url = "http://kiali.telemetry.svc.cluster.local:80/" + url = "http://kiali.telemetry.svc.cluster.local:80/" } } } 
@@ -93,33 +104,39 @@ dependencies { } inputs = { - # Base Cluster Config + # AWS Configuration + account_id = include.root.inputs.aws_account_id + eecr_info = include.root.inputs.eecr_info + profile = include.root.inputs.aws_profile + region = include.root.inputs.aws_region + + # Cluster Configuration cluster_domain = dependency.eks_dns.outputs.cluster_domain cluster_name = dependency.eks.outputs.cluster_name - profile = include.root.inputs.aws_profile # Gatekeeper Standard Config - gatekeeper_tag = include.root.inputs.gatekeeper_tag - gatekeeper_version = include.root.inputs.gatekeeper_chart_version - keycloak_ns = dependency.eks_keycloak.outputs.namespace - user_secret = dependency.eks_keycloak.outputs.user_secret client_id = dependency.eks_keycloak.outputs.client_id client_secret = dependency.eks_keycloak.outputs.client_secret + gogatekeeper_tag = include.root.inputs.gatekeeper_tag + gogatekeeper_chart_version = include.root.inputs.gatekeeper_chart_version keycloak_fqdn = dependency.eks_keycloak.outputs.user_auth_realm + keycloak_ns = dependency.eks_keycloak.outputs.namespace + service_name = include.root.inputs.gatekeeper_service_name + user_secret = dependency.eks_keycloak.outputs.user_secret # Dashboard Gatekeeper Config - dashboard_service_name = "dashboard" - dashboard_ns = dependency.eks-k8s-dashboard.outputs.namespace - dashboard_url = dependency.eks-k8s-dashboard.outputs.internal_endpoint.url - dashboard_user_token = dependency.eks-k8s-dashboard.outputs.dashboard-user-token + dashboard_ns = dependency.eks-k8s-dashboard.outputs.namespace + dashboard_service_name = "dashboard" + dashboard_url = dependency.eks-k8s-dashboard.outputs.internal_endpoint.url + dashboard_user_token = dependency.eks-k8s-dashboard.outputs.dashboard-user-token # Grafana Gatekeeper Config - grafana_service_name = "grafana" - grafana_ns = dependency.eks-grafana.outputs.namespace - grafana_url = dependency.eks-grafana.outputs.internal_endpoint.url + grafana_ns = 
dependency.eks-grafana.outputs.namespace + grafana_service_name = "grafana" + grafana_url = dependency.eks-grafana.outputs.internal_endpoint.url # Kaili Gatekeeper Config - kiali_service_name = "kiali" - kiali_ns = dependency.eks-kiali.outputs.namespace - kiali_url = dependency.eks-kiali.outputs.internal_endpoint.url + kiali_ns = dependency.eks-kiali.outputs.namespace + kiali_service_name = "kiali" + kiali_url = dependency.eks-kiali.outputs.internal_endpoint.url } diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl index 25d1b2b0..f6a9a496 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl @@ -86,10 +86,10 @@ dependencies { inputs = { # AWS Configuration - account_id = include.root.inputs.aws_account_id - eecr_info = include.root.inputs.eecr_info - profile = include.root.inputs.aws_profile - region = include.root.inputs.aws_region + account_id = include.root.inputs.aws_account_id + eecr_info = include.root.inputs.eecr_info + profile = include.root.inputs.aws_profile + region = include.root.inputs.aws_region # Cluster Configuration cluster_name = dependency.eks.outputs.cluster_name diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl index 77bfa9c2..fd0ab3ef 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl 
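Review bot: The last eks-gatekeeper hunk renames inputs (`gatekeeper_tag` to `gogatekeeper_tag`, `gatekeeper_version` to `gogatekeeper_chart_version`) and adds `account_id`, `eecr_info`, `region` and `service_name` in a commit titled "fmt", next to the new `locals`/`exclude` blocks in the first hunk. Terragrunt passes inputs as `TF_VAR_*` environment variables and Terraform ignores those that match no declared variable, so a key that does not match the module silently falls back to the module default instead of failing. Confirm each renamed key against the variables of tfmod-gogatekeeper, and consider splitting the functional change from the whitespace-only edits so it can be reviewed on its own.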
@@ -42,10 +42,10 @@ dependency "eks" { inputs = { # AWS Configuration - account_id = include.root.inputs.aws_account_id - eecr_info = include.root.inputs.eecr_info - profile = include.root.inputs.aws_profile - region = include.root.inputs.aws_region + account_id = include.root.inputs.aws_account_id + eecr_info = include.root.inputs.eecr_info + profile = include.root.inputs.aws_profile + region = include.root.inputs.aws_region # Cluster Configuration cluster_name = dependency.eks.outputs.cluster_name diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl index bd61ec03..9527e5f7 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl @@ -53,11 +53,11 @@ inputs = { account_id = include.root.inputs.aws_account_id profile = include.root.inputs.aws_profile region = include.root.inputs.aws_region - eecr_info = include.root.inputs.eecr_info + eecr_info = include.root.inputs.eecr_info # Cluster Configuration - cluster_domain = dependency.eks_dns.outputs.cluster_domain - cluster_name = dependency.eks.outputs.cluster_name + cluster_domain = dependency.eks_dns.outputs.cluster_domain + cluster_name = dependency.eks.outputs.cluster_name # Dashboard Configuration service_name = include.root.inputs.dashboard_hostname diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl index f8e3f41c..92332552 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl 
@@ -46,10 +46,10 @@ dependency "eks" { inputs = { # AWS Configuration - account_id = include.root.inputs.aws_account_id - profile = include.root.inputs.aws_profile - region = include.root.inputs.aws_region - eecr_info = include.root.inputs.eecr_info + account_id = include.root.inputs.aws_account_id + profile = include.root.inputs.aws_profile + region = include.root.inputs.aws_region + eecr_info = include.root.inputs.eecr_info # Cluster Configuration cluster_endpoint = dependency.eks.outputs.cluster_endpoint diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl index 7c84d1fc..c4980003 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl @@ -58,12 +58,12 @@ dependencies { } inputs = { - cluster_domain = dependency.eks_dns.outputs.cluster_domain - cluster_name = dependency.eks.outputs.cluster_name - eecr_info = include.root.inputs.eecr_info - namespace = include.root.inputs.namespaces["keycloak"] - profile = include.root.inputs.aws_profile - region = include.root.inputs.aws_region + cluster_domain = dependency.eks_dns.outputs.cluster_domain + cluster_name = dependency.eks.outputs.cluster_name + eecr_info = include.root.inputs.eecr_info + namespace = include.root.inputs.namespaces["keycloak"] + profile = include.root.inputs.aws_profile + region = include.root.inputs.aws_region # keycloak config default_storage_class = dependency.eks_config.outputs.rwo_storage_class diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl index 8913def2..8f19b76d 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl 
+++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl @@ -57,7 +57,7 @@ dependency "eks_grafana" { port_number = "80" url = "https://grafana.mock.svc.cluster.local:80/" } - namespace = "grafana" + namespace = "grafana" secret_name = "grafana" tempo_datasource_id = "mock-tempo-datasource-id" } @@ -101,10 +101,10 @@ dependencies { inputs = { # AWS Configuration - account_id = include.root.inputs.aws_account_id - eecr_info = include.root.inputs.eecr_info - profile = include.root.inputs.aws_profile - region = include.root.inputs.aws_region + account_id = include.root.inputs.aws_account_id + eecr_info = include.root.inputs.eecr_info + profile = include.root.inputs.aws_profile + region = include.root.inputs.aws_region # Cluster Configuration cluster_domain = dependency.eks_dns.outputs.cluster_domain diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl index 401ad3ad..54586f19 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl @@ -50,10 +50,10 @@ dependencies { inputs = { # AWS Configuration - account_id = include.root.inputs.aws_account_id - eecr_info = include.root.inputs.eecr_info - profile = include.root.inputs.aws_profile - region = include.root.inputs.aws_region + account_id = include.root.inputs.aws_account_id + eecr_info = include.root.inputs.eecr_info + profile = include.root.inputs.aws_profile + region = include.root.inputs.aws_region # Cluster Configuration cluster_name = dependency.eks.outputs.cluster_name diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl index 0fa527f5..241bbc5d 100644 
--- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl @@ -39,10 +39,10 @@ dependencies { inputs = { # AWS Configuration - account_id = include.root.inputs.aws_account_id - eecr_info = include.root.inputs.eecr_info - profile = include.root.inputs.aws_profile - region = include.root.inputs.aws_region + account_id = include.root.inputs.aws_account_id + eecr_info = include.root.inputs.eecr_info + profile = include.root.inputs.aws_profile + region = include.root.inputs.aws_region # Cluster Configuration cluster_name = dependency.eks.outputs.cluster_name diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl index 693ba171..a8a7d7c4 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl @@ -64,10 +64,10 @@ dependencies { inputs = { # AWS Configuration - account_id = include.root.inputs.aws_account_id - eecr_info = include.root.inputs.eecr_info - profile = include.root.inputs.aws_profile - region = include.root.inputs.aws_region + account_id = include.root.inputs.aws_account_id + eecr_info = include.root.inputs.eecr_info + profile = include.root.inputs.aws_profile + region = include.root.inputs.aws_region # Clouster Config cluster_name = dependency.eks.outputs.cluster_name diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl index 2752527b..1cb7f81d 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl 
@@ -51,10 +51,10 @@ dependency "eks_config" { inputs = { # AWS Configuration - account_id = include.root.inputs.aws_account_id - eecr_info = include.root.inputs.eecr_info - profile = include.root.inputs.aws_profile - region = include.root.inputs.aws_region + account_id = include.root.inputs.aws_account_id + eecr_info = include.root.inputs.eecr_info + profile = include.root.inputs.aws_profile + region = include.root.inputs.aws_region # Cluster Configuration cluster_name = dependency.eks.outputs.cluster_name diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl index 6a05943f..71dd0a10 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl @@ -54,10 +54,10 @@ dependencies { inputs = { # AWS Configuration - account_id = include.root.inputs.aws_account_id - eecr_info = include.root.inputs.eecr_info - profile = include.root.inputs.aws_profile - region = include.root.inputs.aws_region + account_id = include.root.inputs.aws_account_id + eecr_info = include.root.inputs.eecr_info + profile = include.root.inputs.aws_profile + region = include.root.inputs.aws_region # Cluster Configuration cluster_name = dependency.eks.outputs.cluster_name From 19a4c2961674bb9882457bd1f7b04f2a54aa1ccb Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Mon, 21 Apr 2025 17:17:58 -0400 Subject: [PATCH 075/126] add keycloak_public_url --- .../vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl | 1 + 1 file changed, 1 insertion(+) diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl index ffddffa4..ff3d61e4 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl 
+++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl @@ -120,6 +120,7 @@ inputs = { gogatekeeper_tag = include.root.inputs.gatekeeper_tag gogatekeeper_chart_version = include.root.inputs.gatekeeper_chart_version keycloak_fqdn = dependency.eks_keycloak.outputs.user_auth_realm + keycloak_public_url = dependency.eks_keycloak.outputs.public_endpoint keycloak_ns = dependency.eks_keycloak.outputs.namespace service_name = include.root.inputs.gatekeeper_service_name user_secret = dependency.eks_keycloak.outputs.user_secret From d6b1691ebb904aa67db66ccce71fae83bb31d1e0 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Mon, 21 Apr 2025 18:07:43 -0400 Subject: [PATCH 076/126] add discovery_url --- lab/_envcommon/default-versions.hcl | 8 ++++---- .../csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl | 2 ++ 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index 79c19ad7..c0d347e6 100644 --- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl @@ -60,7 +60,7 @@ locals { namespaces = { arcgis = "arcgis" cert-manager = "kube-system" - gogatekeeper = "keycloak" + gatekeeper = "keycloak" grafana = local.telemetry_namespace istio = "istio-system" k8s-dashboard = local.telemetry_namespace @@ -93,9 +93,9 @@ locals { ################ # GoGatekeeper ################ - gatekeeper_tag = "3.18.2" - gatekeeper_chart_version = "0.1.53" - gatekeeper_service_name = "gatekeeper" + gatekeeper_tag = "3.3.0" + gatekeeper_chart_version = "0.1.54" + gatekeeper_service_name = "gatekeeper" ################ # Grafana diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl index ff3d61e4..d49f0267 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl 
+++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl @@ -119,6 +119,8 @@ inputs = { client_secret = dependency.eks_keycloak.outputs.client_secret gogatekeeper_tag = include.root.inputs.gatekeeper_tag gogatekeeper_chart_version = include.root.inputs.gatekeeper_chart_version + namespace = include.root.inputs.namespaces["gatekeeper"] + discovery_url = dependency.eks_keycloak.outputs.discovery_url keycloak_fqdn = dependency.eks_keycloak.outputs.user_auth_realm keycloak_public_url = dependency.eks_keycloak.outputs.public_endpoint keycloak_ns = dependency.eks_keycloak.outputs.namespace From 73e833a8f9dcf8cac86967946ccb8478598b783d Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Mon, 21 Apr 2025 19:15:05 -0400 Subject: [PATCH 077/126] fix enabled_modules ref --- lab/_envcommon/default-versions.hcl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index c0d347e6..5a5ad934 100644 --- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl @@ -29,7 +29,7 @@ locals { # Optional modules with their default enablement state enabled_modules = { "eks-arcgis" = false - "eks-gogatekeeper" = true + "eks-gatekeeper" = true "eks-grafana" = true "eks-k8s-dashboard" = true "eks-keycloak" = true From 2e085645f6078c5a2a9b5348857bfbf7c844da2b Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Mon, 21 Apr 2025 19:52:41 -0400 Subject: [PATCH 078/126] fix discovery_url source --- .../vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl index d49f0267..94e674fa 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl 
+++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl @@ -120,8 +120,7 @@ inputs = { gogatekeeper_tag = include.root.inputs.gatekeeper_tag gogatekeeper_chart_version = include.root.inputs.gatekeeper_chart_version namespace = include.root.inputs.namespaces["gatekeeper"] - discovery_url = dependency.eks_keycloak.outputs.discovery_url - keycloak_fqdn = dependency.eks_keycloak.outputs.user_auth_realm + discovery_url = dependency.eks_keycloak.outputs.user_auth_realm keycloak_public_url = dependency.eks_keycloak.outputs.public_endpoint keycloak_ns = dependency.eks_keycloak.outputs.namespace service_name = include.root.inputs.gatekeeper_service_name From a18b3166188c9b7520f3c358e47a4fb06b46036a Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Mon, 21 Apr 2025 20:40:54 -0400 Subject: [PATCH 079/126] add mock value to support run-all destroy after keycloak has been destroyed --- .../vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl index 94e674fa..a0038426 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl @@ -71,10 +71,11 @@ dependency "eks_keycloak" { config_path = "../eks-keycloak" mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] mock_outputs = { - user_auth_realm = "mock.keycloak.example.com/auth" client_id = "mock-client-id" client_secret = "mock-client-secret" namespace = "keycloak" + public_endpoint = "https://mock.mock.svc.cluster.local:80/" + user_auth_realm = "mock.keycloak.example.com/auth" user_secret = "user-sso" } } From c9b08a049c59391e1b23f27f2b6eb9112e509bc9 Mon Sep 17 00:00:00 2001 
From: "Matthew C. Morgan" Date: Mon, 21 Apr 2025 21:30:52 -0400 Subject: [PATCH 080/126] update input_vars.hcl contents --- input_vars.hcl | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/input_vars.hcl b/input_vars.hcl index 8a89aec2..dfeec7ad 100644 --- a/input_vars.hcl +++ b/input_vars.hcl @@ -19,4 +19,8 @@ locals { tags = { "slim:schedule" = "8:00-17:00" } + module_enablement_overrides = { + "eks-arcgis" = false + "eks-postgresql" = false + } } From 4dc4f3401b01c17ba5c1ce39482180d7eed77a3d Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Mon, 21 Apr 2025 23:43:13 -0400 Subject: [PATCH 081/126] use the right gatekeeper --- .github/platform-tg-infra.code-workspace | 4 +- .../eks-gatekeeper/terragrunt.hcl | 58 +++++++++---------- .../eks-keycloak/terragrunt.hcl | 1 + 3 files changed, 30 insertions(+), 33 deletions(-) diff --git a/.github/platform-tg-infra.code-workspace b/.github/platform-tg-infra.code-workspace index 8409f194..8864dc16 100644 --- a/.github/platform-tg-infra.code-workspace +++ b/.github/platform-tg-infra.code-workspace @@ -33,8 +33,8 @@ "path": "../../tfmod-esri-arcgis" }, { - "name": "tfmod-gogatekeeper", - "path": "../../tfmod-gogatekeeper" + "name": "tfmod-gatekeeper", + "path": "../../tfmod-gatekeeper" }, { "name": "tfmod-grafana", diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl index a0038426..791df0e9 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl 
@@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-gogatekeeper.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-gatekeeper.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] @@ -40,16 +40,15 @@ dependency "eks_dns" { } } -dependency "eks-grafana" { - config_path = "../eks-grafana" +dependency "eks_keycloak" { + config_path = "../eks-keycloak" mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] mock_outputs = { - namespace = "telemetry" - internal_endpoint = { - hostname = "kubernetes-dashboard.telemetry.svc.cluster.local" - port_number = 80 - url = "http://kubernetes-dashboard.telemetry.svc.cluster.local:80/" - } + user_auth_realm = "mock.keycloak.example.com/auth" + client_id = "mock-client-id" + client_secret = "mock-client-secret" + namespace = "keycloak" + user_secret = "user-sso" } } 
@@ -57,26 +56,26 @@ dependency "eks-k8s-dashboard" { config_path = "../eks-k8s-dashboard" mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] mock_outputs = { - namespace = "telemetry" + namespace = "telemetry" internal_endpoint = { - hostname = "kubernetes-dashboard.telemetry.svc.cluster.local" + hostname = "kubernetes-dashboard.telemetry.svc.cluster.local" port_number = 80 - url = "http://kubernetes-dashboard.telemetry.svc.cluster.local:80/" + url = "http://kubernetes-dashboard.telemetry.svc.cluster.local:80/" } dashboard-user-token = "Iamanextremelylongstring" } } -dependency "eks_keycloak" { - config_path = "../eks-keycloak" +dependency "eks-grafana" { + config_path = "../eks-grafana" mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] mock_outputs = { - client_id = "mock-client-id" - client_secret = "mock-client-secret" - namespace = "keycloak" - public_endpoint = "https://mock.mock.svc.cluster.local:80/" - user_auth_realm = "mock.keycloak.example.com/auth" - user_secret = "user-sso" + namespace = "telemetry" + internal_endpoint = { + hostname = "kubernetes-dashboard.telemetry.svc.cluster.local" + port_number = 80 + url = "http://kubernetes-dashboard.telemetry.svc.cluster.local:80/" + } } } @@ -84,11 +83,11 @@ dependency "eks-kiali" { config_path = "../eks-kiali" mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] mock_outputs = { - namespace = "istio-system" + namespace = "istio-system" internal_endpoint = { - hostname = "kiali.telemetry.svc.cluster.local" + hostname = "kiali.telemetry.svc.cluster.local" port_number = 80 - url = "http://kiali.telemetry.svc.cluster.local:80/" + url = "http://kiali.telemetry.svc.cluster.local:80/" } } } @@ -97,9 +96,9 @@ dependencies { paths = [ "../eks", "../eks-dns", - "../eks-grafana", - "../eks-k8s-dashboard", "../eks-keycloak", + "../eks-k8s-dashboard", + "../eks-grafana", "../eks-kiali", ] } 
@@ -118,13 +117,10 @@ inputs = { # Gatekeeper Standard Config client_id = dependency.eks_keycloak.outputs.client_id client_secret = dependency.eks_keycloak.outputs.client_secret - gogatekeeper_tag = include.root.inputs.gatekeeper_tag - gogatekeeper_chart_version = include.root.inputs.gatekeeper_chart_version - namespace = include.root.inputs.namespaces["gatekeeper"] - discovery_url = dependency.eks_keycloak.outputs.user_auth_realm - keycloak_public_url = dependency.eks_keycloak.outputs.public_endpoint + gatekeeper_tag = include.root.inputs.gatekeeper_tag + gatekeeper_chart_version = include.root.inputs.gatekeeper_chart_version + keycloak_fqdn = dependency.eks_keycloak.outputs.user_auth_realm keycloak_ns = dependency.eks_keycloak.outputs.namespace - service_name = include.root.inputs.gatekeeper_service_name user_secret = dependency.eks_keycloak.outputs.user_secret # Dashboard Gatekeeper Config diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl index c4980003..5bd23c85 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl @@ -82,4 +82,5 @@ inputs = { keycloak_database = include.root.inputs.keycloak_database keycloak_user = include.root.inputs.keycloak_username keycloak_password = include.root.inputs.keycloak_password + } From 054780adaa4aa93c3841bdebd731adbdf29ab1d1 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 22 Apr 2025 21:37:57 -0400 Subject: [PATCH 082/126] fmt --- .../eks-gatekeeper/terragrunt.hcl | 32 +++++++++---------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl index 791df0e9..d0bf00b0 100644 
--- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl @@ -56,11 +56,11 @@ dependency "eks-k8s-dashboard" { config_path = "../eks-k8s-dashboard" mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] mock_outputs = { - namespace = "telemetry" + namespace = "telemetry" internal_endpoint = { - hostname = "kubernetes-dashboard.telemetry.svc.cluster.local" + hostname = "kubernetes-dashboard.telemetry.svc.cluster.local" port_number = 80 - url = "http://kubernetes-dashboard.telemetry.svc.cluster.local:80/" + url = "http://kubernetes-dashboard.telemetry.svc.cluster.local:80/" } dashboard-user-token = "Iamanextremelylongstring" } @@ -70,11 +70,11 @@ dependency "eks-grafana" { config_path = "../eks-grafana" mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] mock_outputs = { - namespace = "telemetry" + namespace = "telemetry" internal_endpoint = { - hostname = "kubernetes-dashboard.telemetry.svc.cluster.local" + hostname = "kubernetes-dashboard.telemetry.svc.cluster.local" port_number = 80 - url = "http://kubernetes-dashboard.telemetry.svc.cluster.local:80/" + url = "http://kubernetes-dashboard.telemetry.svc.cluster.local:80/" } } } @@ -83,11 +83,11 @@ dependency "eks-kiali" { config_path = "../eks-kiali" mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] mock_outputs = { - namespace = "istio-system" + namespace = "istio-system" internal_endpoint = { - hostname = "kiali.telemetry.svc.cluster.local" + hostname = "kiali.telemetry.svc.cluster.local" port_number = 80 - url = "http://kiali.telemetry.svc.cluster.local:80/" + url = "http://kiali.telemetry.svc.cluster.local:80/" } } } 
@@ -115,13 +115,13 @@ inputs = { cluster_name = dependency.eks.outputs.cluster_name # Gatekeeper Standard Config - client_id = dependency.eks_keycloak.outputs.client_id - client_secret = dependency.eks_keycloak.outputs.client_secret - gatekeeper_tag = include.root.inputs.gatekeeper_tag - gatekeeper_chart_version = include.root.inputs.gatekeeper_chart_version - keycloak_fqdn = dependency.eks_keycloak.outputs.user_auth_realm - keycloak_ns = dependency.eks_keycloak.outputs.namespace - user_secret = dependency.eks_keycloak.outputs.user_secret + client_id = dependency.eks_keycloak.outputs.client_id + client_secret = dependency.eks_keycloak.outputs.client_secret + gatekeeper_tag = include.root.inputs.gatekeeper_tag + gatekeeper_chart_version = include.root.inputs.gatekeeper_chart_version + keycloak_fqdn = dependency.eks_keycloak.outputs.user_auth_realm + keycloak_ns = dependency.eks_keycloak.outputs.namespace + user_secret = dependency.eks_keycloak.outputs.user_secret # Dashboard Gatekeeper Config dashboard_ns = dependency.eks-k8s-dashboard.outputs.namespace From 0fc99eb58d3840b8783e8ab4ae64f5fc83d5ed40 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 22 Apr 2025 21:51:43 -0400 Subject: [PATCH 083/126] add release versions map --- lab/_envcommon/default-versions.hcl | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index 5a5ad934..20a615fd 100644 --- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl 
@@ -6,10 +6,32 @@ locals { ##################### cluster_version = "1.32" custom_service_eks_account = "${local.release_version}" - eks_module_version = "20.35.0" + eks_module_version = "20.36.0" istio_ingress_version = "${local.release_version}" release_version = "mcmCluster" # "main" + module_versions = { + "2025.22.04" = { + "eks-arcgis" = false + "eks-cert-manager" = "1.0.6" + "eks-config" = "1.0.4" + "eks-dns" = "1.0.3" + "eks-gatekeeper" = "0.0.1" + "eks-grafana" = "0.1.4" + "eks-istio" = "1.0.6" + "eks-k8s-dashboard" = "0.1.3" + "eks-karpenter" = "0.1.4" + "eks-keycloak" = "0.0.6" + "eks-kiali" = "0.1.2" + "eks-loki" = "0.1.3" + "eks-metrics-server" = "0.1.3" + "eks-otel" = "0.0.2" + "eks-postgresql" = false + "eks-prometheus" = "0.1.3" + "eks-tempo" = "0.1.3" + "eks" = "1.0.8" + } +} ##################### # Module Enablement From f09ffde803c55b707d60a09f7d6451d995d24345 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 22 Apr 2025 22:36:22 -0400 Subject: [PATCH 084/126] add module_versions and dynamic lookup for release_version --- lab/_envcommon/default-versions.hcl | 48 +++++++++++++++-------------- 1 file changed, 25 insertions(+), 23 deletions(-) diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index 20a615fd..6f29f2fb 100644 --- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl 
@@ -1,37 +1,39 @@ # lab/_envcommon/default-versions.hcl locals { + module_name = basename(get_original_terragrunt_dir()) + release_version = local.module_versions["2025.22.04"][local.module_name] + ##################### # Module Versions ##################### cluster_version = "1.32" - custom_service_eks_account = "${local.release_version}" + custom_service_eks_account = "1.0.0" eks_module_version = "20.36.0" - istio_ingress_version = "${local.release_version}" - release_version = "mcmCluster" # "main" + istio_ingress_version = "0.1.3" module_versions = { - "2025.22.04" = { - "eks-arcgis" = false - "eks-cert-manager" = "1.0.6" - "eks-config" = "1.0.4" - "eks-dns" = "1.0.3" - "eks-gatekeeper" = "0.0.1" - "eks-grafana" = "0.1.4" - "eks-istio" = "1.0.6" - "eks-k8s-dashboard" = "0.1.3" - "eks-karpenter" = "0.1.4" - "eks-keycloak" = "0.0.6" - "eks-kiali" = "0.1.2" - "eks-loki" = "0.1.3" - "eks-metrics-server" = "0.1.3" - "eks-otel" = "0.0.2" - "eks-postgresql" = false - "eks-prometheus" = "0.1.3" - "eks-tempo" = "0.1.3" - "eks" = "1.0.8" + "2025.22.04" = { + "eks-arcgis" = false + "eks-cert-manager" = "0.1.6" + "eks-config" = "1.0.4" + "eks-dns" = "0.1.3" + "eks-gatekeeper" = "0.0.1" + "eks-grafana" = "0.1.4" + "eks-istio" = "1.0.6" + "eks-k8s-dashboard" = "0.1.3" + "eks-karpenter" = "mcmCluster" + "eks-keycloak" = "0.0.6" + "eks-kiali" = "0.1.2" + "eks-loki" = "0.1.3" + "eks-metrics-server" = "0.1.3" + "eks-otel" = "0.0.2" + "eks-postgresql" = false + "eks-prometheus" = "0.1.3" + "eks-tempo" = "0.1.3" + "eks" = "1.0.8" + } } -} ##################### # Module Enablement From ed70cb1ea4e17f327fa5335059b3a319b4146776 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Wed, 23 Apr 2025 12:40:10 -0400 Subject: [PATCH 085/126] rename release date --- lab/_envcommon/default-versions.hcl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index 6f29f2fb..4e7643c8 100644 
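Review bot: The new `release_version = local.module_versions["2025.22.04"][local.module_name]` feeds whatever the map holds into each unit's `?ref=`, and the map mixes version-like strings with `"eks-karpenter" = "mcmCluster"`, which looks like a branch name, and with `false` for `eks-arcgis` and `eks-postgresql`. A branch ref is mutable, so the module code that gets applied can change without any change in this repository; a `false` entry would presumably render as `ref=false` if such a unit is ever evaluated, and a directory name missing from the map fails the index lookup. I would keep only immutable tags or commit SHAs in the map and say so in a comment above it, e.g. `# values are git refs for ?ref=; immutable tags or commit SHAs only, no branch names`. The same applies to `"eks-gatekeeper" = "mcmCluster"` and `"eks-cribl" = "initial"` in the later "wip" patch (088/126). The `locals` block continues past the end of this hunk.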
--- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl @@ -2,7 +2,7 @@ locals { module_name = basename(get_original_terragrunt_dir()) - release_version = local.module_versions["2025.22.04"][local.module_name] + release_version = local.module_versions["2025.20.04"][local.module_name] ##################### # Module Versions @@ -13,7 +13,7 @@ locals { istio_ingress_version = "0.1.3" module_versions = { - "2025.22.04" = { + "2025.20.04" = { "eks-arcgis" = false "eks-cert-manager" = "0.1.6" "eks-config" = "1.0.4" From f32479fcba6e64f308ddc3c31cdee0c8513ab63f Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 24 Apr 2025 18:22:37 -0400 Subject: [PATCH 086/126] update karpenter version, fmt --- lab/_envcommon/default-versions.hcl | 10 +++++----- .../csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl | 8 +++----- .../vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl | 6 ++---- 3 files changed, 10 insertions(+), 14 deletions(-) diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index 4e7643c8..a70be281 100644 --- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl @@ -1,8 +1,8 @@ # lab/_envcommon/default-versions.hcl locals { - module_name = basename(get_original_terragrunt_dir()) - release_version = local.module_versions["2025.20.04"][local.module_name] + module_name = basename(get_original_terragrunt_dir()) + release_version = local.module_versions["2025.20.04"][local.module_name] ##################### # Module Versions @@ -22,7 +22,7 @@ locals { "eks-grafana" = "0.1.4" "eks-istio" = "1.0.6" "eks-k8s-dashboard" = "0.1.3" - "eks-karpenter" = "mcmCluster" + "eks-karpenter" = "0.1.4" "eks-keycloak" = "0.0.6" "eks-kiali" = "0.1.2" "eks-loki" = "0.1.3" @@ -151,8 +151,8 @@ locals { ################ # Karpenter ################ - karpenter_helm_chart = "1.3.3" - karpenter_tag = "1.3.3" + karpenter_helm_chart = "1.4.0" + karpenter_tag = "1.4.0" ################ # Keycloak 
diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl index f6a9a496..07cc34d2 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl @@ -27,8 +27,7 @@ dependency "eks" { config_path = "../eks" mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] mock_outputs = { - cluster_name = include.root.inputs.cluster_name - oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock" + cluster_name = include.root.inputs.cluster_name } } @@ -92,9 +91,8 @@ inputs = { region = include.root.inputs.aws_region # Cluster Configuration - cluster_name = dependency.eks.outputs.cluster_name - cluster_domain = dependency.eks_dns.outputs.cluster_domain - oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn + cluster_name = dependency.eks.outputs.cluster_name + cluster_domain = dependency.eks_dns.outputs.cluster_domain # Storage Configuration rwo_storage_class = dependency.eks_loki.outputs.rwo_storage_class diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl index fd0ab3ef..9f10168c 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl @@ -35,8 +35,7 @@ dependency "eks" { config_path = "../eks" mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] mock_outputs = { - cluster_name = include.root.inputs.cluster_name - oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock" + cluster_name = include.root.inputs.cluster_name } } 
@@ -48,8 +47,7 @@ inputs = { region = include.root.inputs.aws_region # Cluster Configuration - cluster_name = dependency.eks.outputs.cluster_name - oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn + cluster_name = dependency.eks.outputs.cluster_name # Istio Configuration namespace = include.root.inputs.namespaces["istio"] From 838c40a95c0882965d626333e56bb844f43a9f40 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 24 Apr 2025 18:57:25 -0400 Subject: [PATCH 087/126] fix(eks-gatekeeper): update inputs after module change --- .../eks-gatekeeper/terragrunt.hcl | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl index d0bf00b0..971dd2e9 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl 
@@ -115,26 +115,25 @@ inputs = { cluster_name = dependency.eks.outputs.cluster_name # Gatekeeper Standard Config - client_id = dependency.eks_keycloak.outputs.client_id - client_secret = dependency.eks_keycloak.outputs.client_secret - gatekeeper_tag = include.root.inputs.gatekeeper_tag gatekeeper_chart_version = include.root.inputs.gatekeeper_chart_version + gatekeeper_tag = include.root.inputs.gatekeeper_tag + keycloak_client_id = dependency.eks_keycloak.outputs.client_id + keycloak_client_secret = dependency.eks_keycloak.outputs.client_secret keycloak_fqdn = dependency.eks_keycloak.outputs.user_auth_realm - keycloak_ns = dependency.eks_keycloak.outputs.namespace user_secret = dependency.eks_keycloak.outputs.user_secret - # Dashboard Gatekeeper Config + # Dashboard Gatekeeper Config dashboard_ns = dependency.eks-k8s-dashboard.outputs.namespace dashboard_service_name = "dashboard" dashboard_url = dependency.eks-k8s-dashboard.outputs.internal_endpoint.url dashboard_user_token = dependency.eks-k8s-dashboard.outputs.dashboard-user-token - # Grafana Gatekeeper Config + # Grafana Gatekeeper Config grafana_ns = dependency.eks-grafana.outputs.namespace grafana_service_name = "grafana" grafana_url = dependency.eks-grafana.outputs.internal_endpoint.url - # Kaili Gatekeeper Config + # Kaili Gatekeeper Config kiali_ns = dependency.eks-kiali.outputs.namespace kiali_service_name = "kiali" kiali_url = dependency.eks-kiali.outputs.internal_endpoint.url From 14d21ae3ccde5151a2d31466a848a3bcfa4dd575 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 29 Apr 2025 12:40:00 -0400 Subject: [PATCH 088/126] wip --- .github/platform-tg-infra.code-workspace | 4 ++ lab/_envcommon/default-versions.hcl | 20 ++++-- .../eks-cribl/terragrunt.hcl | 72 +++++++++++++++++++ .../eks-keycloak/terragrunt.hcl | 8 --- 4 files changed, 89 insertions(+), 15 deletions(-) create mode 100644 lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cribl/terragrunt.hcl 
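Review bot: `keycloak_client_secret` and `dashboard_user_token` in this `inputs` block are credentials read from other units' outputs, and nothing here marks them as such. Terragrunt hands inputs to Terraform as `TF_VAR_` environment variables and the values are stored in this unit's state, so I would add a comment such as `# secret: must be declared sensitive = true in tfmod-gatekeeper; do not log or echo` above both lines. Whether the module already declares the variables sensitive is not visible from this patch and should be confirmed. The `inputs` block starts before this hunk and continues past it.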
diff --git a/.github/platform-tg-infra.code-workspace b/.github/platform-tg-infra.code-workspace index 8864dc16..23f62eb0 100644 --- a/.github/platform-tg-infra.code-workspace +++ b/.github/platform-tg-infra.code-workspace @@ -12,6 +12,10 @@ "name": "tfmod-config-job", "path": "../../tfmod-config-job" }, + { + "name": "tfmod-cribl", + "path": "../../tfmod-cribl" + }, { "name": "tfmod-custom-iam-role-for-service-account-eks", "path": "../../tfmod-custom-iam-role-for-service-account-eks" diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index a70be281..e2ae2bd7 100644 --- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl @@ -17,13 +17,14 @@ locals { "eks-arcgis" = false "eks-cert-manager" = "0.1.6" "eks-config" = "1.0.4" + "eks-cribl" = "initial" "eks-dns" = "0.1.3" - "eks-gatekeeper" = "0.0.1" + "eks-gatekeeper" = "mcmCluster" "eks-grafana" = "0.1.4" "eks-istio" = "1.0.6" "eks-k8s-dashboard" = "0.1.3" "eks-karpenter" = "0.1.4" - "eks-keycloak" = "0.0.6" + "eks-keycloak" = "0.0.7" "eks-kiali" = "0.1.2" "eks-loki" = "0.1.3" "eks-metrics-server" = "0.1.3" @@ -31,7 +32,7 @@ locals { "eks-postgresql" = false "eks-prometheus" = "0.1.3" "eks-tempo" = "0.1.3" - "eks" = "1.0.8" + "eks" = "1.0.9" } } @@ -53,6 +54,7 @@ locals { # Optional modules with their default enablement state enabled_modules = { "eks-arcgis" = false + "eks-cribl" = false "eks-gatekeeper" = true "eks-grafana" = true "eks-k8s-dashboard" = true @@ -84,6 +86,7 @@ locals { namespaces = { arcgis = "arcgis" cert-manager = "kube-system" + cribl = "cribl" gatekeeper = "keycloak" grafana = local.telemetry_namespace istio = "istio-system" @@ -114,6 +117,13 @@ locals { cert_manager_version = "1.17.1" cert_manager_webhook_tag = "v${local.cert_manager_version}" + ##################### + # Cribl + ##################### + cribl_chart_version = "4.11.1" + cribl_app_version = "4.11.1" + + ################ # GoGatekeeper ################ 
@@ -159,10 +169,6 @@ locals { ################ keycloak_chart_version = "24.4.11" keycloak_tag = "26.0.7" - keycloak_hostname = "keycloak" - keycloak_database = "keycloak" - keycloak_username = "keycloak" - keycloak_password = "this is my very secure and totally random password horse battery staple now" postgresql_tag = "17.4.0-debian-12-r4" postgres_exporter_tag = "0.17.1-debian-12-r0" utilities_tag = "1.0.3" diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cribl/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cribl/terragrunt.hcl new file mode 100644 index 00000000..88b27845 --- /dev/null +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cribl/terragrunt.hcl 
@@ -0,0 +1,72 @@ +include "root" { + path = find_in_parent_folders("root.hcl") + merge_strategy = "deep" + expose = true +} + +locals { + # Skip this module if disabled + skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true) +} + +exclude { + if = local.skip + actions = ["all_except_output"] + exclude_dependencies = false +} + +terraform { + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-cribl.git?ref=${include.root.inputs.release_version}" + + extra_arguments "retry_lock" { + commands = get_terraform_commands_that_need_locking() + arguments = ["-lock-timeout=20s"] + } +} + +dependency "eks" { + config_path = "../eks" + mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] + + mock_outputs = { + cluster_name = "mock-cluster" + cluster_endpoint = "https://mock-endpoint.eks.amazonaws.com" + cluster_certificate_authority_data = [{ data = "mock-cert-data" }] + eks_managed_node_groups_autoscaling_group_names = ["mock-asg-name"] + oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock" + security_group_all_worker_mgmt_id = "sg-mock" + subnets = ["subnet-mock1", "subnet-mock2"] + vpc_id = "vpc-mock" + } +} + +dependencies { + paths = [ + "../eks", + "../eks-gatekeeper" + ] +} + +inputs = { + # AWS Configuration + account_id = include.root.inputs.aws_account_id + profile = include.root.inputs.aws_profile + region = include.root.inputs.aws_region + + # Core Cluster Configuration + cluster_name = dependency.eks.outputs.cluster_name + eks_managed_node_groups_autoscaling_group_names = dependency.eks.outputs.eks_managed_node_groups_autoscaling_group_names + oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn + security_group_all_worker_mgmt_id = dependency.eks.outputs.security_group_all_worker_mgmt_id + subnets = dependency.eks.outputs.subnets + vpc_id = dependency.eks.outputs.vpc_id + operators_ns = include.root.inputs.operator_namespace + telemetry_ns = 
include.root.inputs.telemetry_namespace + + # Cribl configs + cribl_tag = include.root.inputs.cribl_app_version + namespace = include.root.inputs.namespaces["cribl"] + + + +} diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl index 5bd23c85..f17489ea 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl @@ -68,19 +68,11 @@ inputs = { # keycloak config default_storage_class = dependency.eks_config.outputs.rwo_storage_class keycloak_chart_version = include.root.inputs.keycloak_chart_version - keycloak_hostname = include.root.inputs.keycloak_hostname keycloak_tag = include.root.inputs.keycloak_tag realm_email = include.root.inputs.cluster_mailing_list realm_name = "master" - realm_password = include.root.inputs.keycloak_password - realm_username = include.root.inputs.keycloak_username service_name = "keycloak" telemetry_namespace = include.root.inputs.telemetry_namespace admin_email = include.root.inputs.cluster_mailing_list - # # Database configuration - keycloak_database = include.root.inputs.keycloak_database - keycloak_user = include.root.inputs.keycloak_username - keycloak_password = include.root.inputs.keycloak_password - } From 6601f930a2e18c7f13303290baa6a66d317ccb23 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 29 Apr 2025 17:54:07 -0400 Subject: [PATCH 089/126] update versions after merges --- lab/_envcommon/default-versions.hcl | 4 +-- .../eks-cribl/terragrunt.hcl | 34 ++++++++++++++----- 2 files changed, 28 insertions(+), 10 deletions(-) diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index e2ae2bd7..484f890f 100644 --- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl 
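Review bot: `lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)` in the new `eks-cribl/terragrunt.hcl` falls back to `true`, so a module directory that is missing from the enablement map, or whose directory name does not match its key, is deployed rather than skipped. For an optional component a fail-closed default is safer: `skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), false)`; if the fallback exists so that core modules without an entry stay enabled, a comment saying so would help. The same expression appears in the new `eks-pipeline/terragrunt.hcl` later in this series. Separately, `mock_outputs_allowed_terraform_commands` includes `"destroy"`, which presumably lets a destroy proceed with placeholder values such as `mock-cluster` when the real `eks` outputs are unavailable; confirm that is intended.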
@@ -19,7 +19,7 @@ locals { "eks-config" = "1.0.4" "eks-cribl" = "initial" "eks-dns" = "0.1.3" - "eks-gatekeeper" = "mcmCluster" + "eks-gatekeeper" = "0.0.2" "eks-grafana" = "0.1.4" "eks-istio" = "1.0.6" "eks-k8s-dashboard" = "0.1.3" @@ -54,7 +54,7 @@ locals { # Optional modules with their default enablement state enabled_modules = { "eks-arcgis" = false - "eks-cribl" = false + "eks-cribl" = true "eks-gatekeeper" = true "eks-grafana" = true "eks-k8s-dashboard" = true diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cribl/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cribl/terragrunt.hcl index 88b27845..d18b1808 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cribl/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cribl/terragrunt.hcl @@ -40,10 +40,28 @@ dependency "eks" { } } +dependency "eks_config" { + config_path = "../eks-config" + mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] + mock_outputs = { + rwo_storage_class = "gp3-mock" + } +} + +dependency "eks_dns" { + config_path = "../eks-dns" + mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] + mock_outputs = { + cluster_domain = "mock.example.com" + } +} + dependencies { paths = [ "../eks", - "../eks-gatekeeper" + "../eks-config", + "../eks-dns", + "../eks-gatekeeper", ] } 
@@ -54,19 +72,19 @@ inputs = { region = include.root.inputs.aws_region # Core Cluster Configuration + cluster_domain = dependency.eks_dns.outputs.cluster_domain cluster_name = dependency.eks.outputs.cluster_name eks_managed_node_groups_autoscaling_group_names = dependency.eks.outputs.eks_managed_node_groups_autoscaling_group_names oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn + operators_ns = include.root.inputs.operator_namespace + rwo_storage_class = dependency.eks_config.outputs.rwo_storage_class security_group_all_worker_mgmt_id = dependency.eks.outputs.security_group_all_worker_mgmt_id subnets = dependency.eks.outputs.subnets - vpc_id = dependency.eks.outputs.vpc_id - operators_ns = include.root.inputs.operator_namespace telemetry_ns = include.root.inputs.telemetry_namespace + vpc_id = dependency.eks.outputs.vpc_id # Cribl configs - cribl_tag = include.root.inputs.cribl_app_version - namespace = include.root.inputs.namespaces["cribl"] - - - + cribl_tag = include.root.inputs.cribl_app_version + namespace = include.root.inputs.namespaces["cribl"] + service_name = "cribl-leader" } From 8fe8025446b58c23a70fd5ffd46b59a536ab16c8 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Fri, 2 May 2025 17:30:04 -0400 Subject: [PATCH 090/126] updated gatekeeper for plan --- lab/_envcommon/default-versions.hcl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index 484f890f..274aea2f 100644 --- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl @@ -19,7 +19,7 @@ locals { "eks-config" = "1.0.4" "eks-cribl" = "initial" "eks-dns" = "0.1.3" - "eks-gatekeeper" = "0.0.2" + "eks-gatekeeper" = "0.0.3" "eks-grafana" = "0.1.4" "eks-istio" = "1.0.6" "eks-k8s-dashboard" = "0.1.3" From a1fe4a4157a733528a750ea4089559a18e98e863 Mon Sep 17 00:00:00 2001 
From: "Matthew C. Morgan" Date: Tue, 6 May 2025 21:59:57 -0400 Subject: [PATCH 091/126] move buildspecs to buildspecs dir --- .github/platform-tg-infra.code-workspace | 10 ++ .github/workflows/package-and-upload.yml | 120 ++++++++++++++++++ Makefile | 57 ++++++++- buildspecs/deploy.terragrunt.yml | 72 +++++++++++ buildspecs/security.yml | 40 ++++++ buildspecs/terragrunt.yml | 72 +++++++++++ lab/_envcommon/default-versions.hcl | 2 + .../eks-pipeline/terragrunt.hcl | 95 ++++++++++++++ .../csvd-platform-lab-mcm/eks/terragrunt.hcl | 6 + scripts/import-s3-bucket.sh | 25 ++++ 10 files changed, 498 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/package-and-upload.yml create mode 100644 buildspecs/deploy.terragrunt.yml create mode 100644 buildspecs/security.yml create mode 100644 buildspecs/terragrunt.yml create mode 100644 lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl create mode 100644 scripts/import-s3-bucket.sh diff --git a/.github/platform-tg-infra.code-workspace b/.github/platform-tg-infra.code-workspace index 23f62eb0..d06d1f14 100644 --- a/.github/platform-tg-infra.code-workspace +++ b/.github/platform-tg-infra.code-workspace @@ -80,6 +80,10 @@ "name": "tfmod-open-telemetry", "path": "../../tfmod-open-telemetry" }, + { + "name": "tfmod-pipeline", + "path": "../../tfmod-pipeline" + }, { "name": "tfmod-prometheus", "path": "../../tfmod-prometheus" @@ -91,6 +95,12 @@ { "name": "tfmod-tempo", "path": "../../tfmod-tempo" + }, + { + "path": "../../243219719746-lab-gov-management-nonprod" + }, + { + "path": "../../../terraform-modules/aws-s3" } ] } diff --git a/.github/workflows/package-and-upload.yml b/.github/workflows/package-and-upload.yml new file mode 100644 index 00000000..99603664 --- /dev/null +++ b/.github/workflows/package-and-upload.yml 
@@ -0,0 +1,120 @@ +name: Package and Upload Terragrunt Configs + +on: + push: + branches: [main] + workflow_dispatch: + inputs: + bootstrap: + description: 'Run bootstrap apply' + required: false + default: 'false' + type: choice + options: + - 'true' + - 'false' + +env: + NODE_TLS_REJECT_UNAUTHORIZED: '0' + ACCOUNT_PROFILE_NAME: "lab-dev-gov" + CLUSTER_NAME: "csvd-platform-lab-mcm" + SOURCE_KEY: "platform-tg-infra.zip" + PIPELINE_PATH: "lab/development/us-gov-east-1/vpc/${CLUSTER_NAME}/eks-pipeline" + +permissions: + actions: read + contents: read + id-token: write + +jobs: + package-and-upload: + runs-on: [self-hosted, Linux, X64, buildkitsandbox] + steps: + - name: Checkout code + uses: actions/checkout@v2 + with: + fetch-depth: 0 + + - name: Configure AWS credentials + uses: etools/configure-aws-credentials@main + with: + aws-region: ${{ vars.AWS_REGION }} + role-to-assume: "arn:aws-us-gov:iam::${{ vars.AWS_ACCOUNT_ID }}:role/r-inf-terraform-eks" + role-skip-session-tagging: true + + - name: Add profile credentials to ~/.aws/credentials + run: | + aws configure set aws_region ${{ vars.AWS_REGION }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}" + aws configure set aws_access_key_id ${{ env.AWS_ACCESS_KEY_ID }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}" + aws configure set aws_secret_access_key ${{ env.AWS_SECRET_ACCESS_KEY }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}" + aws configure set aws_session_token ${{ env.AWS_SESSION_TOKEN }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}" + aws sts get-caller-identity --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}" + + - name: Package Terragrunt configs + run: | + # Create a zip file of the repository contents + zip -r platform-tg-infra.zip . 
-x "*.git*" "*.github*" "*.terragrunt-cache*" "*.terraform*" + + # Calculate bucket name using the same format as in tfmod-pipeline/s3.tf + REGION_SHORT=$(echo ${{ vars.AWS_REGION }} | sed 's/\([a-z]\)[a-z]*-/\1/g') + SOURCE_BUCKET="inf-s3-${CLUSTER_NAME}-artifacts-${{ vars.AWS_ACCOUNT_ID }}-${REGION_SHORT}" + echo "SOURCE_BUCKET=${SOURCE_BUCKET}" >> $GITHUB_ENV + + # Calculate the object key with the cluster-specific path + OBJECT_KEY="clusters/${CLUSTER_NAME}/platform-tg-infra.zip" + echo "OBJECT_KEY=${OBJECT_KEY}" >> $GITHUB_ENV + + # Check if the source bucket exists, create it if it doesn't + if ! aws s3api head-bucket --bucket ${SOURCE_BUCKET} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}" 2>/dev/null; then + echo "Creating source bucket ${SOURCE_BUCKET}" + aws s3 mb s3://${SOURCE_BUCKET} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}" --region ${{ vars.AWS_REGION }} + + # Configure bucket for versioning + aws s3api put-bucket-versioning --bucket ${SOURCE_BUCKET} \ + --versioning-configuration Status=Enabled \ + --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}" + + # Block public access + aws s3api put-public-access-block --bucket ${SOURCE_BUCKET} \ + --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true \ + --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}" + + # Create a flag file to indicate the bucket needs to be imported + echo "BUCKET_NEEDS_IMPORT=true" >> $GITHUB_ENV + else + echo "Bucket ${SOURCE_BUCKET} already exists" + fi + + # Upload the zip file to S3 + aws s3 cp platform-tg-infra.zip s3://${SOURCE_BUCKET}/${OBJECT_KEY} \ + --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}" + + echo "Uploaded platform-tg-infra.zip to s3://${SOURCE_BUCKET}/${OBJECT_KEY}" + + - name: Make Import Script Executable + if: ${{ github.event.inputs.bootstrap == 'true' && 
env.BUCKET_NEEDS_IMPORT == 'true' }} + run: | + chmod +x scripts/import-s3-bucket.sh + + - name: Bootstrap Pipeline (if requested) + if: ${{ github.event.inputs.bootstrap == 'true' }} + run: | + # If the bucket was just created, import it first + if [ "$BUCKET_NEEDS_IMPORT" = "true" ]; then + echo "Running import for newly created bucket $SOURCE_BUCKET" + ./scripts/import-s3-bucket.sh \ + "$SOURCE_BUCKET" \ + "${{ vars.AWS_REGION }}" \ + "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}" \ + "$PIPELINE_PATH" + fi + + # Now proceed with terragrunt apply + cd $PIPELINE_PATH + https_proxy=http://proxy.tco.census.gov:3128 \ + http_proxy=http://proxy.tco.census.gov:3128 \ + NO_PROXY=.census.gov,169.254.169.254,148.129.0.0/16,10.0.0.0/8,172.16.0/12,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com,.gcr.io,.pkg.dev \ + TERRAGRUNT_PROVIDER_CACHE=1 \ + terragrunt apply --terragrunt-non-interactive -auto-approve + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/Makefile b/Makefile index fc196a2c..c55b7d5f 100644 --- a/Makefile +++ b/Makefile @@ -1,4 +1,4 @@ -.PHONY: help init validate plan fmt check clean +.PHONY: help init validate plan fmt check clean deploy-to-pipeline help: @echo "Available targets:" @@ -8,6 +8,7 @@ help: @echo " fmt - Format HCL files" @echo " check - Run all checks (format, validate, plan)" @echo " clean - Clean up Terragrunt cache and temporary files" + @echo " deploy-to-pipeline - Zip and upload to S3 to trigger CodePipeline" init: @echo "Initializing Terragrunt configurations..." 
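Review bot: `NODE_TLS_REJECT_UNAUTHORIZED: '0'` in the workflow-level `env` turns off TLS certificate verification for every Node-based step, which includes the checkout and the step that exchanges the OIDC token for the `r-inf-terraform-eks` role credentials. If the runners sit behind an inspecting proxy with an internal CA, trust that CA instead, e.g. `NODE_EXTRA_CA_CERTS: <path-to-internal-ca-bundle>`, and drop the override. `uses: etools/configure-aws-credentials@main` tracks a moving branch for the action that handles those credentials; pin it as `uses: etools/configure-aws-credentials@<full-commit-sha>`. The "Add profile credentials" step also writes the session keys into `~/.aws/credentials` on a self-hosted runner, where they outlive the job unless a cleanup step with `if: always()` removes the profile. Finally, `PIPELINE_PATH` embeds `${CLUSTER_NAME}`, which Actions does not expand inside `env:` values, so `cd $PIPELINE_PATH` probably receives the literal text.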
@@ -33,3 +34,57 @@ clean: find . -type d -name ".terragrunt-cache" -exec rm -rf {} + find . -type f -name ".terraform.lock.hcl" -delete find . -type f -name "terragrunt-debug.tfvars.json" -delete + +deploy-to-pipeline: + @echo "Preparing to deploy to pipeline..." + @echo "Detecting environment configuration..." + + # Set defaults or use provided values + $(eval ENV ?= development) + $(eval REGION_DIR ?= us-gov-east-1) + $(eval CLUSTER_DIR ?= csvd-platform-lab-mcm) + + # Detect account variables + $(eval ACCOUNT_HCL=lab/$(ENV)/account.hcl) + $(eval REGION_HCL=lab/$(ENV)/$(REGION_DIR)/region.hcl) + $(eval CLUSTER_HCL=lab/$(ENV)/$(REGION_DIR)/vpc/$(CLUSTER_DIR)/cluster.hcl) + + @if [ ! -f "$(ACCOUNT_HCL)" ]; then echo "Error: $(ACCOUNT_HCL) not found"; exit 1; fi + @if [ ! -f "$(REGION_HCL)" ]; then echo "Error: $(REGION_HCL) not found"; exit 1; fi + @if [ ! -f "$(CLUSTER_HCL)" ]; then echo "Error: $(CLUSTER_HCL) not found"; exit 1; fi + + @echo "Extracting configuration values..." + # Extract values from HCL files + $(eval AWS_ACCOUNT_ID=$(shell grep -oP 'aws_account_id\s*=\s*"\K[^"]+' $(ACCOUNT_HCL))) + $(eval ACCOUNT_NAME=$(shell grep -oP 'account_name\s*=\s*"\K[^"]+' $(ACCOUNT_HCL))) + $(eval AWS_PROFILE=$(shell echo $(AWS_ACCOUNT_ID)-$(shell echo $(ACCOUNT_NAME) | sed 's/-ew/-gov/'))) + $(eval AWS_REGION=$(shell grep -oP 'aws_region\s*=\s*"\K[^"]+' $(REGION_HCL))) + $(eval CLUSTER_NAME=$(shell grep -oP 'cluster_name\s*=\s*"\K[^"]+' $(CLUSTER_HCL))) + + @echo "Using configuration:" + @echo " AWS_ACCOUNT_ID: $(AWS_ACCOUNT_ID)" + @echo " ACCOUNT_NAME: $(ACCOUNT_NAME)" + @echo " AWS_PROFILE: $(AWS_PROFILE)" + @echo " AWS_REGION: $(AWS_REGION)" + @echo " CLUSTER_NAME: $(CLUSTER_NAME)" + + @if [ -z "$(AWS_ACCOUNT_ID)" ] || [ -z "$(AWS_PROFILE)" ] || [ -z "$(AWS_REGION)" ] || [ -z "$(CLUSTER_NAME)" ]; then \ + echo "Error: Failed to extract all required variables from HCL files"; \ + exit 1; \ + fi + + @echo "Creating zip file..." + zip -r platform-tg-infra.zip . 
-x "*.git*" "*.github*" "*.terragrunt-cache*" "*.terraform*" + + @echo "Calculating S3 bucket name..." + $(eval REGION_SHORT=$(shell echo $(AWS_REGION) | sed 's/\([a-z]\)[a-z]*-/\1/g')) + $(eval S3_BUCKET=v-s3-eks-$(CLUSTER_NAME)-artifacts-$(AWS_ACCOUNT_ID)-$(REGION_SHORT)) + $(eval OBJECT_KEY=clusters/$(CLUSTER_NAME)/platform-tg-infra.zip) + + @echo "Uploading to S3 bucket $(S3_BUCKET)..." + aws s3 cp platform-tg-infra.zip s3://$(S3_BUCKET)/$(OBJECT_KEY) --profile $(AWS_PROFILE) + @echo "Upload complete. Pipeline should trigger automatically." + @echo "Check the AWS CodePipeline console for status." + + @echo "Cleaning up local zip file..." + rm -f platform-tg-infra.zip diff --git a/buildspecs/deploy.terragrunt.yml b/buildspecs/deploy.terragrunt.yml new file mode 100644 index 00000000..3225894b --- /dev/null +++ b/buildspecs/deploy.terragrunt.yml 
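Review bot: `zip -r platform-tg-infra.zip . -x ...` in `deploy-to-pipeline` packages the working directory rather than the committed tree, so untracked or ignored local files (a stray `*.tfvars`, a kubeconfig, editor backups) can be uploaded to the artifacts bucket and then consumed by the pipeline. Building the archive from git keeps the upload to reviewed content: `git archive --format=zip -o platform-tg-infra.zip HEAD`. The same `zip -r` line is used in `.github/workflows/package-and-upload.yml`, where the checkout is fresh and the exposure is smaller. As far as I can tell the `$(eval ...)` lines are expanded by make before any recipe command runs, so the `grep` extraction happens before the `[ ! -f ... ]` checks meant to guard it; worth confirming with a missing `account.hcl`.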
@@ -0,0 +1,72 @@ +version: 0.2 + +env: + variables: + BASE_DIR: "lab" + TF_VERSION: "1.5.5" + TG_VERSION: "0.72.0" + TOOLS_DIR: "/tmp/build-tools" + exported-variables: + - TERRAGRUNT_PATH + +cache: + paths: + - '/tmp/build-tools/**/*' + +phases: + install: + runtime-versions: + python: 3.11 + commands: + - echo "Setting up environment and tools" + - export http_proxy=$PROXY_CONFIG + - export https_proxy=$PROXY_CONFIG + - export NO_PROXY=.census.gov,169.254.169.254,148.129.0.0/16,10.0.0.0/8,172.16.0/12,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com,.gcr.io,.pkg.dev + + # Create tools directory if it doesn't exist + - mkdir -p $TOOLS_DIR/bin + + # Check if cached Terraform exists and matches required version + - | + if [ -f "$TOOLS_DIR/bin/terraform" ] && [ "$($TOOLS_DIR/bin/terraform version | head -n1 | grep -o "v$TF_VERSION")" = "v$TF_VERSION" ]; then + echo "Using cached Terraform v$TF_VERSION" + else + echo "Downloading Terraform v$TF_VERSION" + curl -Lo /tmp/terraform.zip "https://releases.hashicorp.com/terraform/${TF_VERSION}/terraform_${TF_VERSION}_linux_amd64.zip" + unzip -o /tmp/terraform.zip -d $TOOLS_DIR/bin/ + chmod +x $TOOLS_DIR/bin/terraform + fi + + # Check if cached Terragrunt exists and matches required version + - | + if [ -f "$TOOLS_DIR/bin/terragrunt" ] && [ "$($TOOLS_DIR/bin/terragrunt --version | grep -o "v$TG_VERSION")" = "v$TG_VERSION" ]; then + echo "Using cached Terragrunt v$TG_VERSION" + else + echo "Downloading Terragrunt v$TG_VERSION" + curl -Lo $TOOLS_DIR/bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${TG_VERSION}/terragrunt_linux_amd64" + chmod +x $TOOLS_DIR/bin/terragrunt + fi + + # Add tools to PATH + - export PATH=$TOOLS_DIR/bin:$PATH + - terraform --version + - terragrunt --version + - aws sts get-caller-identity + + build: + commands: + - echo "Running Terragrunt apply" + - cd $TERRAGRUNT_PATH + - export http_proxy=$PROXY_CONFIG + - export https_proxy=$PROXY_CONFIG + - export 
NO_PROXY=.census.gov,169.254.169.254,148.129.0.0/16,10.0.0.0/8,172.16.0/12,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com,.gcr.io,.pkg.dev + - terragrunt run-all apply --terragrunt-non-interactive -auto-approve + + post_build: + commands: + - echo "Terragrunt apply completed on `date`" + +artifacts: + files: + - '**/*' + base-directory: '.' diff --git a/buildspecs/security.yml b/buildspecs/security.yml new file mode 100644 index 00000000..37a42cf1 --- /dev/null +++ b/buildspecs/security.yml @@ -0,0 +1,40 @@ +version: 0.2 + +env: + variables: + TOOLS_DIR: "/tmp/build-tools" + +cache: + paths: + - '/tmp/build-tools/**/*' + +phases: + install: + runtime-versions: + python: 3.9 + commands: + - echo "Setting up security scanning tools" + - export http_proxy=$PROXY_CONFIG + - export https_proxy=$PROXY_CONFIG + - export NO_PROXY=.census.gov,169.254.169.254,148.129.0.0/16,10.0.0.0/8,172.16.0/12,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com,.gcr.io,.pkg.dev + + # Install security scanning tools + - mkdir -p $TOOLS_DIR/bin + - pip install checkov -q + - pip install tfsec -q + + build: + commands: + - echo "Running security scans" + - checkov --directory . --framework terraform --quiet --compact + - checkov --directory . --framework terragrunt --quiet --compact + - tfsec . --no-color + + post_build: + commands: + - echo "Security scan completed on `date`" + +artifacts: + files: + - '**/*' + base-directory: '.' diff --git a/buildspecs/terragrunt.yml b/buildspecs/terragrunt.yml new file mode 100644 index 00000000..7f269e75 --- /dev/null +++ b/buildspecs/terragrunt.yml 
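Review bot: The install phase of `buildspecs/deploy.terragrunt.yml` downloads `terraform` and `terragrunt` with `curl -Lo` and marks them executable without verifying a digest, and the same build then runs `terragrunt run-all apply ... -auto-approve` with the deployment role. Pin the expected SHA-256 of each artifact next to `TF_VERSION`/`TG_VERSION` and fail the build on a mismatch, as sketched below; `curl -f` additionally stops an HTTP error page from being saved as the binary. The cached copy under `/tmp/build-tools` is accepted on its version string alone, so the digest check is worth running on the cached file as well. `buildspecs/terragrunt.yml` in the following file section has the identical download steps.

```yaml
    TF_VERSION: "1.5.5"
    TF_SHA256: "<expected-sha256-of-terraform-zip>"
    TG_SHA256: "<expected-sha256-of-terragrunt-binary>"
# … unchanged: proxy exports, mkdir, cached-version test …
        curl -fLo /tmp/terraform.zip "https://releases.hashicorp.com/terraform/${TF_VERSION}/terraform_${TF_VERSION}_linux_amd64.zip"
        echo "${TF_SHA256}  /tmp/terraform.zip" | sha256sum -c - || exit 1
# … unchanged: unzip and chmod of terraform …
        curl -fLo $TOOLS_DIR/bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${TG_VERSION}/terragrunt_linux_amd64"
        echo "${TG_SHA256}  $TOOLS_DIR/bin/terragrunt" | sha256sum -c - || exit 1
```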
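Review bot: `pip install checkov -q` and `pip install tfsec -q` in `buildspecs/security.yml` install whatever version is current at build time, so the scanner that gates the pipeline can change between runs; pin both, e.g. `pip install "checkov==<pinned-version>" -q`, ideally from a requirements file with hashes. tfsec is published by its maintainers as a Go binary, so confirm that the PyPI project named `tfsec` is the tool you intend and not an unrelated package that happens to own the name. The `mkdir -p $TOOLS_DIR/bin` line and the cache path appear unused in this buildspec, since neither `pip install` targets that directory.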
@@ -0,0 +1,72 @@ +version: 0.2 + +env: + variables: + BASE_DIR: "lab" + TF_VERSION: "1.5.5" + TG_VERSION: "0.72.0" + TOOLS_DIR: "/tmp/build-tools" + exported-variables: + - TERRAGRUNT_PATH + +cache: + paths: + - '/tmp/build-tools/**/*' + +phases: + install: + runtime-versions: + python: 3.11 + commands: + - echo "Setting up environment and tools" + - export http_proxy=$PROXY_CONFIG + - export https_proxy=$PROXY_CONFIG + - export NO_PROXY=.census.gov,169.254.169.254,148.129.0.0/16,10.0.0.0/8,172.16.0/12,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com,.gcr.io,.pkg.dev + + # Create tools directory if it doesn't exist + - mkdir -p $TOOLS_DIR/bin + + # Check if cached Terraform exists and matches required version + - | + if [ -f "$TOOLS_DIR/bin/terraform" ] && [ "$($TOOLS_DIR/bin/terraform version | head -n1 | grep -o "v$TF_VERSION")" = "v$TF_VERSION" ]; then + echo "Using cached Terraform v$TF_VERSION" + else + echo "Downloading Terraform v$TF_VERSION" + curl -Lo /tmp/terraform.zip "https://releases.hashicorp.com/terraform/${TF_VERSION}/terraform_${TF_VERSION}_linux_amd64.zip" + unzip -o /tmp/terraform.zip -d $TOOLS_DIR/bin/ + chmod +x $TOOLS_DIR/bin/terraform + fi + + # Check if cached Terragrunt exists and matches required version + - | + if [ -f "$TOOLS_DIR/bin/terragrunt" ] && [ "$($TOOLS_DIR/bin/terragrunt --version | grep -o "v$TG_VERSION")" = "v$TG_VERSION" ]; then + echo "Using cached Terragrunt v$TG_VERSION" + else + echo "Downloading Terragrunt v$TG_VERSION" + curl -Lo $TOOLS_DIR/bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${TG_VERSION}/terragrunt_linux_amd64" + chmod +x $TOOLS_DIR/bin/terragrunt + fi + + # Add tools to PATH + - export PATH=$TOOLS_DIR/bin:$PATH + - terraform --version + - terragrunt --version + - aws sts get-caller-identity + + build: + commands: + - echo "Running Terragrunt plan" + - cd $TERRAGRUNT_PATH + - export http_proxy=$PROXY_CONFIG + - export https_proxy=$PROXY_CONFIG + - export 
NO_PROXY=.census.gov,169.254.169.254,148.129.0.0/16,10.0.0.0/8,172.16.0/12,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com,.gcr.io,.pkg.dev + - terragrunt run-all plan --terragrunt-non-interactive + + post_build: + commands: + - echo "Terragrunt plan completed on `date`" + +artifacts: + files: + - '**/*' + base-directory: '.' diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index 274aea2f..7f6fcc67 100644 --- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl @@ -29,6 +29,7 @@ locals { "eks-loki" = "0.1.3" "eks-metrics-server" = "0.1.3" "eks-otel" = "0.0.2" + "eks-pipeline" = "initial" "eks-postgresql" = false "eks-prometheus" = "0.1.3" "eks-tempo" = "0.1.3" @@ -62,6 +63,7 @@ locals { "eks-kiali" = true "eks-loki" = true "eks-otel" = true + "eks-pipeline" = true "eks-postgresql" = false "eks-prometheus" = true "eks-tempo" = true diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl new file mode 100644 index 00000000..85a2765d --- /dev/null +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl 
@@ -0,0 +1,95 @@ +include "root" { + path = find_in_parent_folders("root.hcl") + merge_strategy = "deep" + expose = true +} + +locals { + # Skip this module if disabled + skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true) +} + +exclude { + if = local.skip + actions = ["all_except_output"] + exclude_dependencies = false +} + +terraform { + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-pipeline.git?ref=${include.root.inputs.release_version}" + extra_arguments "retry_lock" { + commands = get_terraform_commands_that_need_locking() + arguments = ["-lock-timeout=20s"] + } +} + +inputs = { + account_id = include.root.inputs.aws_account_id + cluster_name = include.root.inputs.cluster_name + environment = include.root.inputs.environment_abbr + region = include.root.inputs.aws_region + + # VPC Configuration + vpc_name = include.root.inputs.vpc_name + subnet_filter = "*-container-*" # or any specific pattern you want to use + + # Pipeline specific configurations + name = format("%v-pipeline", include.root.inputs.cluster_name) + + # The bucket name must match exactly what's created in the GitHub Action + source_configuration = { + provider = "S3" + s3_config = { + bucket = format("v-s3-eks-%v-artifacts-%v-%v", + include.root.inputs.cluster_name, + include.root.inputs.aws_account_id, + join("", [for c in split("-", include.root.inputs.aws_region) : substr(c, 0, 1)])) + object_key = format("clusters/%v/platform-tg-infra.zip", include.root.inputs.cluster_name) + } + } + + is_infrastructure_pipeline = true + + # Updated to use buildspecs from the platform-tg-infra repository + buildspec_template_path = "buildspecs" + + build_configuration = { + compute_type = "BUILD_GENERAL1_MEDIUM" + image = "aws/codebuild/amazonlinux2-x86_64-standard:3.0" + buildspec_path = "terragrunt.yml" + privileged_mode = true + environment_variables = { + TERRAGRUNT_PATH = 
"lab/development/${include.root.inputs.aws_region}/vpc/${include.root.inputs.cluster_name}" + REGION = include.root.inputs.aws_region + ENVIRONMENT = include.root.inputs.environment_abbr + AWS_ACCOUNT_ID = include.root.inputs.aws_account_id + PROXY_CONFIG = "http://proxy.tco.census.gov:3128" + } + } + + security_scan_configuration = { + compute_type = "BUILD_GENERAL1_MEDIUM" + image = "aws/codebuild/amazonlinux2-x86_64-standard:3.0" + buildspec_path = "security.yml" + } + + approval_configuration = { + enabled = true + notify_emails = [include.root.inputs.cluster_mailing_list] + custom_message = "Please review and approve infrastructure changes to the CSVD platform" + } + + deployment_configuration = { + target_type = "Build" + compute_type = "BUILD_GENERAL1_MEDIUM" + image = "aws/codebuild/amazonlinux2-x86_64-standard:3.0" + buildspec_path = "deploy.terragrunt.yml" + environment_variables = { + TERRAGRUNT_PATH = "lab/${include.root.inputs.environment}/${include.root.inputs.aws_region}/vpc/${include.root.inputs.cluster_name}" + REGION = include.root.inputs.aws_region + ENVIRONMENT = include.root.inputs.environment_abbr + AWS_ACCOUNT_ID = include.root.inputs.aws_account_id + PROXY_CONFIG = "http://proxy.tco.census.gov:3128" + } + } +} diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks/terragrunt.hcl index e98f4cb8..13ed5d01 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks/terragrunt.hcl @@ -24,6 +24,12 @@ terraform { } } +dependencies { + paths = [ + "../eks-pipeline", + ] +} + inputs = { # AWS Configuration account_id = include.root.inputs.aws_account_id diff --git a/scripts/import-s3-bucket.sh b/scripts/import-s3-bucket.sh new file mode 100644 index 00000000..7d55d1c3 --- /dev/null +++ b/scripts/import-s3-bucket.sh 
@@ -0,0 +1,25 @@ +#!/bin/bash +set -e + +# Parameters +BUCKET_NAME=$1 +AWS_REGION=$2 +AWS_PROFILE=$3 +MODULE_PATH=$4 + +if [ -z "$BUCKET_NAME" ] || [ -z "$AWS_REGION" ] || [ -z "$AWS_PROFILE" ] || [ -z "$MODULE_PATH" ]; then + echo "Usage: $0 " + echo "Example: $0 inf-s3-my-cluster-artifacts-123456789012-usge us-gov-east-1 123456789012-lab-dev-gov lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/pipeline" + exit 1 +fi + +echo "Importing S3 bucket ${BUCKET_NAME} into Terraform state..." + +cd "${MODULE_PATH}" + +# Initialize Terraform +terragrunt init + +# Import the S3 bucket to Terraform state using module references +terragrunt import module.codepipeline_s3.aws_s3_bucket.this "${BUCKET_NAME}" +echo "✅ Successfully imported S3 bucket ${BUCKET_NAME}" From 1bb45bb1d12d91adf48cba0dd81e428e7cba5a39 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 6 May 2025 22:13:43 -0400 Subject: [PATCH 092/126] python3.9 on this image --- buildspecs/deploy.terragrunt.yml | 2 +- buildspecs/terragrunt.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/buildspecs/deploy.terragrunt.yml b/buildspecs/deploy.terragrunt.yml index 3225894b..3dfeda71 100644 --- a/buildspecs/deploy.terragrunt.yml +++ b/buildspecs/deploy.terragrunt.yml @@ -16,7 +16,7 @@ cache: phases: install: runtime-versions: - python: 3.11 + python: 3.9 commands: - echo "Setting up environment and tools" - export http_proxy=$PROXY_CONFIG diff --git a/buildspecs/terragrunt.yml b/buildspecs/terragrunt.yml index 7f269e75..d73d3835 100644 --- a/buildspecs/terragrunt.yml +++ b/buildspecs/terragrunt.yml @@ -16,7 +16,7 @@ cache: phases: install: runtime-versions: - python: 3.11 + python: 3.9 commands: - echo "Setting up environment and tools" - export http_proxy=$PROXY_CONFIG From d982195c3c74a913db1240c536b4697bf7ed293d Mon Sep 17 00:00:00 2001 
From: "Matthew C. Morgan" Date: Fri, 9 May 2025 22:53:35 -0400 Subject: [PATCH 093/126] refactor pipeline stuff --- Makefile | 27 +++++---- buildspecs/terragrunt.yml | 56 ++++++++++++------- .../eks-pipeline/terragrunt.hcl | 27 ++++----- 3 files changed, 62 insertions(+), 48 deletions(-) diff --git a/Makefile b/Makefile index c55b7d5f..52d1e72a 100644 --- a/Makefile +++ b/Makefile @@ -38,21 +38,21 @@ clean: deploy-to-pipeline: @echo "Preparing to deploy to pipeline..." @echo "Detecting environment configuration..." - + # Set defaults or use provided values $(eval ENV ?= development) $(eval REGION_DIR ?= us-gov-east-1) $(eval CLUSTER_DIR ?= csvd-platform-lab-mcm) - + # Detect account variables $(eval ACCOUNT_HCL=lab/$(ENV)/account.hcl) $(eval REGION_HCL=lab/$(ENV)/$(REGION_DIR)/region.hcl) $(eval CLUSTER_HCL=lab/$(ENV)/$(REGION_DIR)/vpc/$(CLUSTER_DIR)/cluster.hcl) - + @if [ ! -f "$(ACCOUNT_HCL)" ]; then echo "Error: $(ACCOUNT_HCL) not found"; exit 1; fi @if [ ! -f "$(REGION_HCL)" ]; then echo "Error: $(REGION_HCL) not found"; exit 1; fi @if [ ! -f "$(CLUSTER_HCL)" ]; then echo "Error: $(CLUSTER_HCL) not found"; exit 1; fi - + @echo "Extracting configuration values..." # Extract values from HCL files $(eval AWS_ACCOUNT_ID=$(shell grep -oP 'aws_account_id\s*=\s*"\K[^"]+' $(ACCOUNT_HCL))) 
@@ -60,31 +60,36 @@ deploy-to-pipeline: $(eval AWS_PROFILE=$(shell echo $(AWS_ACCOUNT_ID)-$(shell echo $(ACCOUNT_NAME) | sed 's/-ew/-gov/'))) $(eval AWS_REGION=$(shell grep -oP 'aws_region\s*=\s*"\K[^"]+' $(REGION_HCL))) $(eval CLUSTER_NAME=$(shell grep -oP 'cluster_name\s*=\s*"\K[^"]+' $(CLUSTER_HCL))) - + @echo "Using configuration:" @echo " AWS_ACCOUNT_ID: $(AWS_ACCOUNT_ID)" @echo " ACCOUNT_NAME: $(ACCOUNT_NAME)" @echo " AWS_PROFILE: $(AWS_PROFILE)" @echo " AWS_REGION: $(AWS_REGION)" @echo " CLUSTER_NAME: $(CLUSTER_NAME)" - + @if [ -z "$(AWS_ACCOUNT_ID)" ] || [ -z "$(AWS_PROFILE)" ] || [ -z "$(AWS_REGION)" ] || [ -z "$(CLUSTER_NAME)" ]; then \ echo "Error: Failed to extract all required variables from HCL files"; \ exit 1; \ fi - + @echo "Creating zip file..." zip -r platform-tg-infra.zip . -x "*.git*" "*.github*" "*.terragrunt-cache*" "*.terraform*" - + @echo "Calculating S3 bucket name..." $(eval REGION_SHORT=$(shell echo $(AWS_REGION) | sed 's/\([a-z]\)[a-z]*-/\1/g')) $(eval S3_BUCKET=v-s3-eks-$(CLUSTER_NAME)-artifacts-$(AWS_ACCOUNT_ID)-$(REGION_SHORT)) $(eval OBJECT_KEY=clusters/$(CLUSTER_NAME)/platform-tg-infra.zip) - + @echo "Uploading to S3 bucket $(S3_BUCKET)..." aws s3 cp platform-tg-infra.zip s3://$(S3_BUCKET)/$(OBJECT_KEY) --profile $(AWS_PROFILE) @echo "Upload complete. Pipeline should trigger automatically." - @echo "Check the AWS CodePipeline console for status." - + + @echo "Calculating pipeline URL..." + $(eval PIPELINE_NAME=eks-$(CLUSTER_NAME)-pipeline) + $(eval PIPELINE_URL=https://console.amazonaws-us-gov.com/codesuite/codepipeline/pipelines/$(PIPELINE_NAME)/view?region=$(AWS_REGION)) + @echo "Pipeline URL: $(PIPELINE_URL)" + @echo "You can access the pipeline directly at the URL above." + @echo "Cleaning up local zip file..." rm -f platform-tg-infra.zip diff --git a/buildspecs/terragrunt.yml b/buildspecs/terragrunt.yml index d73d3835..57dae773 100644 --- a/buildspecs/terragrunt.yml +++ b/buildspecs/terragrunt.yml 
@@ -3,9 +3,14 @@ version: 0.2 env: variables: BASE_DIR: "lab" - TF_VERSION: "1.5.5" - TG_VERSION: "0.72.0" - TOOLS_DIR: "/tmp/build-tools" + TOOLS_DIR: "/tmp/build-tools/" + TERRAGRUNT_PATH: "${TERRAGRUNT_PATH}" + ARTIFACTS_BUCKET: "${ARTIFACTS_BUCKET}" + PROXY_CONFIG: "${PROXY_CONFIG}" + + secrets-manager: + GITHUB_TOKEN: ${GITHUB_TOKEN_ARN} + exported-variables: - TERRAGRUNT_PATH 
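Review bot: The buildspec now reads `ARTIFACTS_BUCKET` (declared in this hunk and used by the `aws s3 cp s3://${ARTIFACTS_BUCKET}/tools/...` lines in the next one), but both `environment_variables` blocks added to `eks-pipeline/terragrunt.hcl` in this commit set `ARTIFACT_BUCKET`, without the S. Unless the pipeline module supplies `ARTIFACTS_BUCKET` some other way, the variable is empty at build time and the tool copy fails. Pick one spelling, for example `ARTIFACTS_BUCKET = local.artifact_bucket` in both HCL blocks. The self-referencing values such as `TERRAGRUNT_PATH: "${TERRAGRUNT_PATH}"` presumably rely on the file being rendered as a template before CodeBuild reads it; a comment saying so above `variables:` would help, e.g. `# ${...} placeholders are filled in by the pipeline module's template step`.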
@@ -23,44 +28,53 @@ phases: - export https_proxy=$PROXY_CONFIG - export NO_PROXY=.census.gov,169.254.169.254,148.129.0.0/16,10.0.0.0/8,172.16.0/12,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com,.gcr.io,.pkg.dev - # Create tools directory if it doesn't exist + # Configure Git to use the token from Secrets Manager + - echo "Configuring git with GitHub authentication" + - git config --global url."https://x-access-token:${GITHUB_TOKEN}@github.e.it.census.gov/".insteadOf "https://github.e.it.census.gov/" + - echo "Successfully configured git with GitHub token from Secrets Manager" + + # Create tools directory if it doesn't exist - mkdir -p $TOOLS_DIR/bin - # Check if cached Terraform exists and matches required version + # Get tools from S3 artifacts bucket instead of downloading from internet - | - if [ -f "$TOOLS_DIR/bin/terraform" ] && [ "$($TOOLS_DIR/bin/terraform version | head -n1 | grep -o "v$TF_VERSION")" = "v$TF_VERSION" ]; then - echo "Using cached Terraform v$TF_VERSION" - else - echo "Downloading Terraform v$TF_VERSION" - curl -Lo /tmp/terraform.zip "https://releases.hashicorp.com/terraform/${TF_VERSION}/terraform_${TF_VERSION}_linux_amd64.zip" - unzip -o /tmp/terraform.zip -d $TOOLS_DIR/bin/ + # Terraform + if [ ! -f "$TOOLS_DIR/bin/terraform" ]; then + echo "Copying Terraform from S3 artifacts bucket" + if ! 
aws s3 cp s3://${ARTIFACTS_BUCKET}/tools/terraform.zip $TOOLS_DIR; then + echo "Failed to download Terraform" + exit 1 + fi + unzip -o $TOOLS_DIR/terraform.zip -d $TOOLS_DIR/bin/ chmod +x $TOOLS_DIR/bin/terraform fi - # Check if cached Terragrunt exists and matches required version - - | - if [ -f "$TOOLS_DIR/bin/terragrunt" ] && [ "$($TOOLS_DIR/bin/terragrunt --version | grep -o "v$TG_VERSION")" = "v$TG_VERSION" ]; then - echo "Using cached Terragrunt v$TG_VERSION" - else - echo "Downloading Terragrunt v$TG_VERSION" - curl -Lo $TOOLS_DIR/bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${TG_VERSION}/terragrunt_linux_amd64" + # Terragrunt + if [ ! -f "$TOOLS_DIR/bin/terragrunt" ]; then + echo "Copying Terragrunt from S3 artifacts bucket" + if ! aws s3 cp s3://${ARTIFACTS_BUCKET}/tools/terragrunt $TOOLS_DIR; then + echo "Failed to download Terragrunt" + exit 1 + fi + mv $TOOLS_DIR/terragrunt $TOOLS_DIR/bin/ chmod +x $TOOLS_DIR/bin/terragrunt fi # Add tools to PATH - export PATH=$TOOLS_DIR/bin:$PATH + - aws sts get-caller-identity - terraform --version - terragrunt --version - - aws sts get-caller-identity build: commands: - - echo "Running Terragrunt plan" + - echo "Running Terragrunt plan with assumed role profile" - cd $TERRAGRUNT_PATH - export http_proxy=$PROXY_CONFIG - export https_proxy=$PROXY_CONFIG - export NO_PROXY=.census.gov,169.254.169.254,148.129.0.0/16,10.0.0.0/8,172.16.0/12,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com,.gcr.io,.pkg.dev - - terragrunt run-all plan --terragrunt-non-interactive + + - terragrunt run-all plan --terragrunt-non-interactive --terragrunt-debug --terragrunt-log-level debug post_build: commands: diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl index 85a2765d..4aef6e1b 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl 
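Review bot: In the second hunk of `buildspecs/terragrunt.yml`, the added `git config --global url."https://x-access-token:${GITHUB_TOKEN}@github.e.it.census.gov/".insteadOf ...` line writes the expanded token in cleartext into the build user's global git config. The build phase in the same hunk now always runs the plan with `--terragrunt-debug --terragrunt-log-level debug`, which may increase the chance that a credential-bearing URL ends up in the CodeBuild log. A credential helper that reads the variable at use time keeps the secret out of the config file, e.g. `git config --global credential.helper '!f() { echo username=x-access-token; echo "password=${GITHUB_TOKEN}"; }; f'`, and the debug flags are better gated behind an opt-in variable. Separately, the install step no longer checks any version and runs whatever `tools/terraform.zip` or `tools/terragrunt` object is in the bucket (or already in `$TOOLS_DIR/bin`) without a checksum; comparing `sha256sum` output against a pinned value before `chmod +x` would close that gap.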
+++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl @@ -7,6 +7,10 @@ include "root" { locals { # Skip this module if disabled skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true) + artifact_bucket = format("v-s3-eks-%v-artifacts-%v-%v", + include.root.inputs.cluster_name, + include.root.inputs.aws_account_id, + join("", [for c in split("-", include.root.inputs.aws_region) : substr(c, 0, 1)])) } exclude { @@ -34,23 +38,12 @@ inputs = { subnet_filter = "*-container-*" # or any specific pattern you want to use # Pipeline specific configurations - name = format("%v-pipeline", include.root.inputs.cluster_name) - - # The bucket name must match exactly what's created in the GitHub Action - source_configuration = { - provider = "S3" - s3_config = { - bucket = format("v-s3-eks-%v-artifacts-%v-%v", - include.root.inputs.cluster_name, - include.root.inputs.aws_account_id, - join("", [for c in split("-", include.root.inputs.aws_region) : substr(c, 0, 1)])) - object_key = format("clusters/%v/platform-tg-infra.zip", include.root.inputs.cluster_name) - } - } + s3_trigger_object_prefix = format("clusters/%v/", include.root.inputs.cluster_name) is_infrastructure_pipeline = true # Updated to use buildspecs from the platform-tg-infra repository + # made deploy-to-pipeline will update them from tfmod-pipeline module buildspec_template_path = "buildspecs" build_configuration = { 
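Review bot: The comment added in the `@@ -34,23 +38,12 @@` hunk, `# made deploy-to-pipeline will update them from tfmod-pipeline module`, appears to have `made` as a typo for `make`. It also describes a copy step that the `deploy-to-pipeline` target in this commit's Makefile hunks does not perform, since that target only zips and uploads. Suggested wording once the copy step exists: `# "make deploy-to-pipeline" refreshes buildspecs/ from the tfmod-pipeline module before upload`. The `inputs` block starts and ends outside the hunk.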
@@ -59,11 +52,12 @@ inputs = { buildspec_path = "terragrunt.yml" privileged_mode = true environment_variables = { - TERRAGRUNT_PATH = "lab/development/${include.root.inputs.aws_region}/vpc/${include.root.inputs.cluster_name}" + ARTIFACT_BUCKET = local.artifact_bucket + TERRAGRUNT_PATH = "lab/${include.root.inputs.environment}/${include.root.inputs.aws_region}/vpc/${include.root.inputs.cluster_name}" REGION = include.root.inputs.aws_region ENVIRONMENT = include.root.inputs.environment_abbr AWS_ACCOUNT_ID = include.root.inputs.aws_account_id - PROXY_CONFIG = "http://proxy.tco.census.gov:3128" + PROXY_CONFIG = "http://vlab-proxy.tco.census.gov:3128" } } @@ -85,11 +79,12 @@ inputs = { image = "aws/codebuild/amazonlinux2-x86_64-standard:3.0" buildspec_path = "deploy.terragrunt.yml" environment_variables = { + ARTIFACT_BUCKET = local.artifact_bucket TERRAGRUNT_PATH = "lab/${include.root.inputs.environment}/${include.root.inputs.aws_region}/vpc/${include.root.inputs.cluster_name}" REGION = include.root.inputs.aws_region ENVIRONMENT = include.root.inputs.environment_abbr AWS_ACCOUNT_ID = include.root.inputs.aws_account_id - PROXY_CONFIG = "http://proxy.tco.census.gov:3128" + PROXY_CONFIG = "http://vlab-proxy.tco.census.gov:3128" } } } From 92a8055184248cfd72af85de3065d2d6a50d44a1 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Mon, 12 May 2025 15:57:52 -0400 Subject: [PATCH 094/126] min --- .github/platform-tg-infra.code-workspace | 3 +++ lab/_envcommon/default-versions.hcl | 24 +++++++++---------- .../eks-pipeline/terragrunt.hcl | 3 --- 3 files changed, 15 insertions(+), 15 deletions(-) diff --git a/.github/platform-tg-infra.code-workspace b/.github/platform-tg-infra.code-workspace index d06d1f14..303b8f7e 100644 --- a/.github/platform-tg-infra.code-workspace +++ b/.github/platform-tg-infra.code-workspace @@ -101,6 +101,9 @@ }, { "path": "../../../terraform-modules/aws-s3" + }, + { + "path": "../../karpenter-provider-aws" } ] } 
diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index 7f6fcc67..20ba70dd 100644 --- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl @@ -29,7 +29,7 @@ locals { "eks-loki" = "0.1.3" "eks-metrics-server" = "0.1.3" "eks-otel" = "0.0.2" - "eks-pipeline" = "initial" + "eks-pipeline" = false "eks-postgresql" = false "eks-prometheus" = "0.1.3" "eks-tempo" = "0.1.3" @@ -55,18 +55,18 @@ locals { # Optional modules with their default enablement state enabled_modules = { "eks-arcgis" = false - "eks-cribl" = true - "eks-gatekeeper" = true - "eks-grafana" = true - "eks-k8s-dashboard" = true - "eks-keycloak" = true - "eks-kiali" = true - "eks-loki" = true - "eks-otel" = true - "eks-pipeline" = true + "eks-cribl" = false + "eks-gatekeeper" = false + "eks-grafana" = false + "eks-k8s-dashboard" = false + "eks-keycloak" = false + "eks-kiali" = false + "eks-loki" = false + "eks-otel" = false + "eks-pipeline" = false "eks-postgresql" = false - "eks-prometheus" = true - "eks-tempo" = true + "eks-prometheus" = false + "eks-tempo" = false } ##################### diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl index 4aef6e1b..db6488dc 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl @@ -37,9 +37,6 @@ inputs = { vpc_name = include.root.inputs.vpc_name subnet_filter = "*-container-*" # or any specific pattern you want to use - # Pipeline specific configurations - s3_trigger_object_prefix = format("clusters/%v/", include.root.inputs.cluster_name) - is_infrastructure_pipeline = true # Updated to use buildspecs from the platform-tg-infra repository From 692671c94a965eacee254a7f878b626f5c0f96cb Mon Sep 17 00:00:00 2001 
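Review bot: The `@@ -55,18 +55,18 @@` hunk of `lab/_envcommon/default-versions.hcl` flips the shared `enabled_modules` defaults to `false` for every optional module, including `eks-gatekeeper`. As far as the hunk shows, any cluster that inherits these defaults without its own override would then plan with Gatekeeper and the logging and metrics modules (`eks-loki`, `eks-prometheus`, `eks-otel`, `eks-cribl`) turned off. If the goal is one minimal lab cluster, a per-cluster override keeps the change local; if the defaults really are changing, say so above the map, e.g. `# Optional modules default to off; enable per cluster`. The first hunk also stores the boolean `false` in a map whose other values are version strings (`"eks-pipeline" = false`), matching the existing `"eks-postgresql" = false` entry, and that convention deserves a one-line comment. The `locals` block starts and ends outside both hunks.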
From: "Matthew C. Morgan" Date: Mon, 12 May 2025 22:16:44 -0400 Subject: [PATCH 095/126] turn pipeline back on --- lab/_envcommon/default-versions.hcl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index 20ba70dd..dea122ae 100644 --- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl @@ -29,7 +29,7 @@ locals { "eks-loki" = "0.1.3" "eks-metrics-server" = "0.1.3" "eks-otel" = "0.0.2" - "eks-pipeline" = false + "eks-pipeline" = "initial" "eks-postgresql" = false "eks-prometheus" = "0.1.3" "eks-tempo" = "0.1.3" @@ -63,7 +63,7 @@ locals { "eks-kiali" = false "eks-loki" = false "eks-otel" = false - "eks-pipeline" = false + "eks-pipeline" = true "eks-postgresql" = false "eks-prometheus" = false "eks-tempo" = false From e992d719959e6aa6adbd3c17b57127a10a00142b Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 13 May 2025 14:27:44 -0400 Subject: [PATCH 096/126] more wip --- .github/platform-tg-infra.code-workspace | 6 - Makefile | 5 +- buildspecs/scripts/manage_tools.sh | 220 +++++++++++++++ buildspecs/scripts/pip-cert.pem | 323 +++++++++++++++++++++++ buildspecs/scripts/pip.conf | 10 + buildspecs/scripts/sechub_parser.py | 101 +++++++ buildspecs/terragrunt.yml | 54 ++-- 7 files changed, 679 insertions(+), 40 deletions(-) create mode 100644 buildspecs/scripts/manage_tools.sh create mode 100644 buildspecs/scripts/pip-cert.pem create mode 100644 buildspecs/scripts/pip.conf create mode 100644 buildspecs/scripts/sechub_parser.py diff --git a/.github/platform-tg-infra.code-workspace b/.github/platform-tg-infra.code-workspace index 303b8f7e..d51c3319 100644 --- a/.github/platform-tg-infra.code-workspace +++ b/.github/platform-tg-infra.code-workspace @@ -98,12 +98,6 @@ }, { "path": "../../243219719746-lab-gov-management-nonprod" - }, - { - "path": "../../../terraform-modules/aws-s3" - }, - { - "path": "../../karpenter-provider-aws" } ] } 
diff --git a/Makefile b/Makefile index 52d1e72a..1be2527f 100644 --- a/Makefile +++ b/Makefile @@ -73,6 +73,9 @@ deploy-to-pipeline: exit 1; \ fi + @echo "Copy buildspecs from tfmod-pipeline" + cp -r ../tfmod-pipeline/buildspecs/* ./buildspecs + @echo "Creating zip file..." zip -r platform-tg-infra.zip . -x "*.git*" "*.github*" "*.terragrunt-cache*" "*.terraform*" @@ -82,7 +85,7 @@ deploy-to-pipeline: $(eval OBJECT_KEY=clusters/$(CLUSTER_NAME)/platform-tg-infra.zip) @echo "Uploading to S3 bucket $(S3_BUCKET)..." - aws s3 cp platform-tg-infra.zip s3://$(S3_BUCKET)/$(OBJECT_KEY) --profile $(AWS_PROFILE) + aws s3 cp platform-tg-infra.zip s3://$(S3_BUCKET)/$(OBJECT_KEY) --profile $(AWS_PROFILE) --sse aws:kms @echo "Upload complete. Pipeline should trigger automatically." @echo "Calculating pipeline URL..." diff --git a/buildspecs/scripts/manage_tools.sh b/buildspecs/scripts/manage_tools.sh new file mode 100644 index 00000000..19d2c4a8 --- /dev/null +++ b/buildspecs/scripts/manage_tools.sh 
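Review bot: In the Makefile hunk `@@ -73,6 +73,9 @@`, the new `cp -r ../tfmod-pipeline/buildspecs/* ./buildspecs` step packages whatever a sibling working tree contains at that moment, with no check that the directory exists or which ref it is on, and those files are what the pipeline then executes. A guard in the style of the existing HCL-file checks would fail early: `@if [ ! -d ../tfmod-pipeline/buildspecs ]; then echo "Error: ../tfmod-pipeline/buildspecs not found"; exit 1; fi`. Printing `git -C ../tfmod-pipeline rev-parse HEAD` before the copy would record what was shipped. The copy also overwrites the tracked files under `buildspecs/` that this commit adds, so local edits there are lost without notice. The `deploy-to-pipeline` recipe starts and ends outside the hunk.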
@@ -0,0 +1,220 @@
+#!/bin/bash
+set -e # Exit immediately if a command exits with a non-zero status.
+
+echo "--- Starting Tool Management Script (manage_tools.sh) ---"
+
+# --- Configuration & Environment Variables ---
+# Required environment variables:
+# - TOOL_DEFINITIONS: JSON string defining tools (name, s3_key, checksum, archive_format, executable_path_in_archive)
+# - ARTIFACTS_BUCKET: S3 bucket name for downloading tool archives
+# - REQUIRED_TOOLS: Space-separated list of tool names to install (e.g., "terraform terragrunt")
+# - CODEBUILD_SRC_DIR: Base directory for caching (CodeBuild specific, but adaptable)
+
+TOOL_CACHE_DIR="${CODEBUILD_SRC_DIR}/.tool_cache"
+INSTALL_DIR="/usr/local/bin" # Standard installation directory for executables
+
+# --- Sanity Checks ---
+if [ -z "$TOOL_DEFINITIONS" ]; then
+ echo "ERROR: TOOL_DEFINITIONS environment variable is not set or is empty." >&2
+ exit 1
+fi
+
+if ! echo "$TOOL_DEFINITIONS" | jq empty > /dev/null 2>&1; then
+ echo "ERROR: TOOL_DEFINITIONS does not contain valid JSON." >&2
+ echo "TOOL_DEFINITIONS content: $TOOL_DEFINITIONS" >&2
+ exit 1
+fi
+
+if [ -z "$ARTIFACTS_BUCKET" ]; then
+ echo "ERROR: ARTIFACTS_BUCKET environment variable is not set or is empty." >&2
+ exit 1
+fi
+
+if [ -z "$REQUIRED_TOOLS" ]; then
+ echo "WARNING: REQUIRED_TOOLS environment variable is not set or is empty. No tools will be installed by this script." >&2
+ # exit 0 # or exit 1 depending on desired strictness
+fi
+
+if [ -z "$CODEBUILD_SRC_DIR" ]; then
+ echo "ERROR: CODEBUILD_SRC_DIR environment variable is not set or is empty." >&2
+ exit 1
+fi
+
+# --- Ensure jq is available ---
+if ! command -v jq &> /dev/null; then
+ echo "jq not found, attempting to install..."
+ if apt-get update -y && apt-get install -y jq; then
+ echo "jq installed successfully via apt-get."
+ elif yum install -y jq; then
+ echo "jq installed successfully via yum."
+ else
+ echo "ERROR: Failed to install jq. Please ensure jq is available in the CodeBuild image or install it manually." >&2
+ exit 1
+ fi
+fi
+echo "jq is available."
+
+# --- Create necessary directories ---
+mkdir -p "$TOOL_CACHE_DIR"
+mkdir -p "$INSTALL_DIR"
+export PATH="$INSTALL_DIR:$PATH" # Add install dir to PATH for this script's session
+
+echo "Tool Cache Directory: $TOOL_CACHE_DIR"
+echo "Installation Directory: $INSTALL_DIR"
+echo "Updated PATH: $PATH"
+echo "Required tools to process: $REQUIRED_TOOLS"
+echo "TOOL_DEFINITIONS (first 200 chars): $(echo "$TOOL_DEFINITIONS" | cut -c 1-200)..."
+
+# --- Tool Installation Loop ---
+for tool_name_var in $REQUIRED_TOOLS; do
+ # Use a subshell for per-tool variables to avoid conflicts and ensure clean state
+ (
+ tool_name="$tool_name_var"
+ echo "--------------------------------------------------"
+ echo "Processing tool: $tool_name"
+
+ tool_info=$(echo "$TOOL_DEFINITIONS" | jq -r --arg tn "$tool_name" '.[$tn]')
+
+ if [ -z "$tool_info" ] || [ "$tool_info" == "null" ] || [ "$tool_info" == "{}" ] ; then
+ echo "ERROR: Tool '$tool_name' not found or has null/empty definition in TOOL_DEFINITIONS." >&2
+ exit 1 # Exit subshell, which will cause the main script to exit due to \`set -e\` if subshell fails
+ fi
+
+ # Extract tool details
+ # version=$(echo "$tool_info" | jq -r '.version // empty') # Version not strictly needed by script but good for logging
+ s3_key=$(echo "$tool_info" | jq -r '.s3_key // empty')
+ expected_checksum=$(echo "$tool_info" | jq -r '.checksum // empty') # SHA256
+ archive_format=$(echo "$tool_info" | jq -r '.archive_format // empty')
+ # executable_path_in_archive is the path *inside* the archive to the executable file itself.
+ # If archive_format is 'binary', this is ignored.
+ # If archive_format is 'zip' or 'tar.gz' and this is empty/null, script defaults to tool_name.
+ executable_path_in_archive=$(echo "$tool_info" | jq -r '.executable_path_in_archive // empty')
+
+ # Validate extracted details
+ if [ -z "$s3_key" ] || [ -z "$expected_checksum" ] || [ -z "$archive_format" ]; then
+ echo "ERROR: Missing one or more critical fields (s3_key, checksum, archive_format) for tool '$tool_name'." >&2
+ echo "Tool Info Found: $tool_info" >&2
+ exit 1
+ fi
+
+ # Determine the actual executable name within the archive if not specified
+ effective_executable_path_in_archive="$executable_path_in_archive"
+ if [[ "$archive_format" == "zip" || "$archive_format" == "tar.gz" ]] && \
+ [[ -z "$executable_path_in_archive" || "$executable_path_in_archive" == "null" ]]; then
+ effective_executable_path_in_archive="$tool_name"
+ fi
+
+ archive_filename=$(basename "$s3_key")
+ cached_archive_path="$TOOL_CACHE_DIR/$archive_filename"
+ s3_source_path="s3://${ARTIFACTS_BUCKET}/${s3_key}"
+ target_executable_path="$INSTALL_DIR/$tool_name" # Final destination of the executable
+
+ echo "Details for $tool_name:"
+ # echo " Version: $version"
+ echo " S3 Key: $s3_key"
+ echo " Expected SHA256: $expected_checksum"
+ echo " Archive Format: $archive_format"
+ echo " Executable path in archive (effective): $effective_executable_path_in_archive"
+ echo " Archive filename: $archive_filename"
+ echo " Cached archive path: $cached_archive_path"
+ echo " Target executable path: $target_executable_path"
+
+ # --- Cache Check & Download ---
+ needs_download=true
+ if [ -f "$cached_archive_path" ]; then
+ echo "Cached archive $cached_archive_path found. Verifying checksum..."
+ actual_checksum=$(sha256sum "$cached_archive_path" | awk '{print $1}')
+ if [ "$actual_checksum" == "$expected_checksum" ]; then
+ echo "Checksum for cached $archive_filename is VALID."
+ needs_download=false
+ else
+ echo "Checksum MISMATCH for cached $archive_filename. Expected: $expected_checksum, Got: $actual_checksum. Re-downloading."
+ rm -f "$cached_archive_path"
+ fi
+ else
+ echo "Archive $archive_filename not found in cache: $cached_archive_path. Downloading."
+ fi
+
+ if [ "$needs_download" == true ]; then
+ echo "Downloading $tool_name from $s3_source_path to $cached_archive_path..."
+ if ! aws s3 cp "$s3_source_path" "$cached_archive_path"; then
+ echo "ERROR: Failed to download $tool_name from S3." >&2
+ exit 1
+ fi
+ echo "Download complete. Verifying checksum of downloaded file..."
+ actual_checksum=$(sha256sum "$cached_archive_path" | awk '{print $1}')
+ if [ "$actual_checksum" != "$expected_checksum" ]; then
+ echo "ERROR: Checksum MISMATCH for downloaded $archive_filename. Expected: $expected_checksum, Got: $actual_checksum." >&2
+ rm -f "$cached_archive_path"
+ exit 1
+ fi
+ echo "Checksum for downloaded $archive_filename is VALID."
+ fi
+
+ # --- Extraction & Installation ---
+ echo "Installing $tool_name from $cached_archive_path to $target_executable_path..."
+ # Ensure target is clean for binary moves/copies
+ rm -f "$target_executable_path"
+ # Create a temporary directory for extraction to keep $TOOL_CACHE_DIR clean from extracted files
+ temp_extract_dir=$(mktemp -d -p "$TOOL_CACHE_DIR" "tmp_extract_${tool_name}_XXXXXX")
+
+ extracted_executable_source_path="" # Path to the executable *after* extraction
+
+ if [ "$archive_format" == "zip" ]; then
+ unzip -o "$cached_archive_path" -d "$temp_extract_dir" > /dev/null
+ extracted_executable_source_path="$temp_extract_dir/$effective_executable_path_in_archive"
+ elif [ "$archive_format" == "tar.gz" ]; then
+ # tar -xzf "$cached_archive_path" -C "$temp_extract_dir" "$effective_executable_path_in_archive" # This only extracts the specific file
+ tar -xzf "$cached_archive_path" -C "$temp_extract_dir" > /dev/null # Extract all
+ extracted_executable_source_path="$temp_extract_dir/$effective_executable_path_in_archive"
+ elif [ "$archive_format" == "binary" ]; then
+ # For binary, the "archive" is the executable itself. Copy it to the temp dir first for consistency.
+ cp "$cached_archive_path" "$temp_extract_dir/$tool_name"
+ extracted_executable_source_path="$temp_extract_dir/$tool_name"
+ else
+ echo "ERROR: Unknown archive format '$archive_format' for $tool_name." >&2
+ rm -rf "$temp_extract_dir"
+ exit 1
+ fi
+
+ if [ ! -f "$extracted_executable_source_path" ]; then
+ echo "ERROR: Executable for $tool_name not found at '$extracted_executable_source_path' after extraction." >&2
+ echo "Contents of $temp_extract_dir:" >&2
+ ls -lR "$temp_extract_dir" >&2
+ rm -rf "$temp_extract_dir"
+ exit 1
+ fi
+
+ echo "Moving '$extracted_executable_source_path' to '$target_executable_path'"
+ mv "$extracted_executable_source_path" "$target_executable_path"
+ chmod +x "$target_executable_path"
+
+ # Clean up temporary extraction directory
+ rm -rf "$temp_extract_dir"
+
+ echo "$tool_name installed successfully to $target_executable_path."
+
+ # --- Verification (Optional but Recommended) ---
+ echo "Verifying $tool_name installation..."
+ if command -v $tool_name &> /dev/null; then
+ echo "Attempting to get version for $tool_name..."
+ # Try common version flags, redirect stderr to stdout for capture, take first line
+ if $tool_name --version &> /dev/null; then
+ echo "$($tool_name --version 2>&1 | head -n 1)"
+ elif $tool_name version &> /dev/null; then
+ echo "$($tool_name version 2>&1 | head -n 1)"
+ elif $tool_name -version &> /dev/null; then # e.g. Java
+ echo "$($tool_name -version 2>&1 | head -n 1)"
+ elif $tool_name -v &> /dev/null; then # e.g. Go
+ echo "$($tool_name -v 2>&1 | head -n 1)"
+ else
+ echo "$tool_name is callable, but version command is unknown or failed. Assuming successful installation."
+ fi
+ else
+ echo "ERROR: $tool_name command not found in PATH after installation attempt to $target_executable_path." >&2
+ exit 1
+ fi
+ ) || exit 1 # If subshell fails, exit the main script
+done
+
+echo "--- Tool Management Script (manage_tools.sh) Finished Successfully ---"
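Review bot: The `jq empty` validation of `TOOL_DEFINITIONS` under "Sanity Checks" runs before the "Ensure jq is available" block, so on an image without jq the script stops with the misleading "does not contain valid JSON" error and the install fallback is never reached; moving the availability block above the sanity checks fixes the order. The per-tool subshell is closed with `) || exit 1`, and bash ignores `set -e` inside a list that is the left operand of `||`, so a failing `unzip`, `tar`, `cp`, `mv` or `chmod` does not stop the install. Only the explicit `exit 1` paths, which include both checksum comparisons, still abort. Ending the subshell with a plain `)` lets the top-level `set -e` apply inside it and still terminates the script when the subshell fails. `$tool_name` is also expanded unquoted in `command -v $tool_name` and the version probes; `command -v "$tool_name"` avoids word splitting if a definition ever carries an unexpected name.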
diff --git a/buildspecs/scripts/pip-cert.pem b/buildspecs/scripts/pip-cert.pem
new file mode 100644
index 00000000..319b7643
--- /dev/null
+++ b/buildspecs/scripts/pip-cert.pem
@@ -0,0 +1,323 @@ +-----BEGIN CERTIFICATE----- +MIIFszCCA5ugAwIBAgIQGVCQdFyalIVHZ1OchWiMYDANBgkqhkiG9w0BAQwFADBs +MRMwEQYKCZImiZPyLGQBGRYDR292MRYwFAYKCZImiZPyLGQBGRYGQ2Vuc3VzMQww +CgYDVQQLEwNUQ08xDDAKBgNVBAsTA1BLSTEhMB8GA1UEAxMYVVMgQ2Vuc3VzIEJ1 +cmVhdSBSb290IENBMB4XDTE5MDcyNTE4MTAyOVoXDTI5MDcyNTE4MjAyN1owbDET +MBEGCgmSJomT8ixkARkWA0dvdjEWMBQGCgmSJomT8ixkARkWBkNlbnN1czEMMAoG +A1UECxMDVENPMQwwCgYDVQQLEwNQS0kxITAfBgNVBAMTGFVTIENlbnN1cyBCdXJl +YXUgUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMWX8I9p +slFaUueuPpEFExgqKcGgoyTOBxFUCXNBnucL3cKRx9MC47kWOwQ94WYvI3LMcehC +6pOwIf5AuhrIdVrJaHSz317ENuDaiur9/qN3fBRidijHphynR/rwJSxiI3VQtj8G +SO4JmCA8dMsKayIl1RiKlQHPoNnSWyDEspAfenr0qq7PzbjKOEPXoO4eXO0plfB3 +aYd+qMRwHKQre4gRGpMfWu1w5JZqFItbXE/RSC38SoZWjkcMcjyTCDTSGY+j/aJw +SHx98riQ8SLQszL5Be0AmF0KHwMZNOsoaa5u/bF++g207W9guLVgO2Ak5D4Unyo3 +D7kcFSuBOVYdeT0XRi3iD0AwEkoCsVzeEOIqjAasj6hYD43O8GjfHpwGpAeASqTT +nbDajtuTsJrrBlLwpz49J5dihJ3Ah7jTirzQciEUZTXv3L7XpdBlt3/sv73Gn0F6 +jZPDANmHIfNHz0xWa9iES9sLPKln9cjnkJs/QlpooTJSrVuovGyzsbu1mb7PfBji +IMF8lVptjQYaWvvMXqXNx2+L6+uBVkEfmuZIs7Xen4ZNz4NP5MixTs3Tq2h81Hym +TbIlJUtSdwZ98jsX6YLerBYYMPawtSIH4Yfdq/Wpt7IHED47dTWdFfC0peqYfHIN +PoRG+eFYq5nHxadkGaifElPnNdvGblRLDj27AgMBAAGjUTBPMAsGA1UdDwQEAwIB +hjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTHXiB3QZv2GiBSkErqGoOT8cOr +HjAQBgkrBgEEAYI3FQEEAwIBADANBgkqhkiG9w0BAQwFAAOCAgEAdXsv6igAKGnq +VS79nePbjGj2Z+SFdM2jRVibv06mWR3uVqFNCz2zqlIXzX7PJmK7HycWDK82UWMh +8J0cn1O+PYWFalzhPWk7t1c6EK8wV63/iKj+voqNwZWL7L1/EQiQ8B4OPIyf7v5Y +j3/jqrvufLgGCyz+0JhBY8CBEGZ1knijrHxTv0DOV0ykKI0OpUIes+8SOTdszTDb +XujzE4ekSRTDqWJOCbsQb3KbBUr/k8APVq/Ir/xmS1WmauyP3zBIxMlPMmu9XTw/ +5nRUKKQe8FrVHELLO32iS+6bqdTNmkD7z/VyzWmBA0FVt8upD6Bs8U/bHjoiL/Jk +W3BQ6owq7u+B5w/Cl+WsgQcgVlDLlBZWMKnEng1n2MhqUnzf0dDGA99vrzLPVcPT +yoexQe1E1Y2EoORgaGbsnjkRTwppUnpnxkWrzObBieYB1ir0rRTbKS5hgwXu55Uc +6ypmCLUnQaDVWIZyKKwtmr4n/rX5KJPxj/zT0F+jH1WDyMDVg6jYyu1HIPcABkAU +OlsSr7Tfct75/JGf18oPSFMkV1kzeLUK21vflcMp+ZK0m2TRZyCLvMB/lEsRjsSM 
+wrgYk7cR14RqJ+RTA7IJqFQfNAXqV1ra+stZYYoLI83oK4shOhHLiO9lR6hSi43f +0w7ALm+8qd1Ih+E5BjmKBJAEFB5Zyzs= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIF1jCCA76gAwIBAgITLgAAAAmcP+bslIv04AAAAAAACTANBgkqhkiG9w0BAQwF +ADBsMRMwEQYKCZImiZPyLGQBGRYDR292MRYwFAYKCZImiZPyLGQBGRYGQ2Vuc3Vz +MQwwCgYDVQQLEwNUQ08xDDAKBgNVBAsTA1BLSTEhMB8GA1UEAxMYVVMgQ2Vuc3Vz +IEJ1cmVhdSBSb290IENBMB4XDTE5MDgwNjE1MDc0NVoXDTI0MDgwNjE1MTc0NVow +YTETMBEGCgmSJomT8ixkARkWA2dvdjEWMBQGCgmSJomT8ixkARkWBmNlbnN1czES +MBAGCgmSJomT8ixkARkWAmFkMR4wHAYDVQQDExVVUyBDZW5zdXMgQnVyZWF1IENB +IDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCiUqJa4e90dNdAFC0W +ju9arRst3FchtNxT0ZPdg/2UpDFN35PFBQ4G1RJxGVGuhpkRmqLdtI9t9BQHZ/tk +QZ6ELJRJVxQMPONBuoXlUbnS3CHwDT5+YIvVZr3jHjv96tq6C2SYJ1BNeqDYjhdK +gF3WXUJpb6lbAwZtv7aHZUSVXcnW/hCkfI2aRZoGXCcgi6hbcJRC74HCGW0eLtCZ +M0Y5+lEGdKLAOiIsl4kea+34Uh5eHjIp9LHCicIfx+5RT5xor4hOJldu2pOmjzrg +FBCz59/5wZHIyQCHOu92p/VGO9eeCxCDlT8DWa78c2HjCnf0FvymlxoHPdH89Rhv +idPFAgMBAAGjggF6MIIBdjAQBgkrBgEEAYI3FQEEAwIBATAjBgkrBgEEAYI3FQIE +FgQUNDptGIuzWncMER7QFKnL+JZPMwswHQYDVR0OBBYEFMSLwaPcjo2CqYcxhzj8 +U1q1Px/KMBkGCSsGAQQBgjcUAgQMHgoAUwB1AGIAQwBBMAsGA1UdDwQEAwIBhjAS +BgNVHRMBAf8ECDAGAQH/AgEBMB8GA1UdIwQYMBaAFMdeIHdBm/YaIFKQSuoag5Px +w6seMFoGA1UdHwRTMFEwT6BNoEuGSWh0dHA6Ly9wa2kudGNvLmNlbnN1cy5nb3Yv +Q2VydEVucm9sbC9VUyUyMENlbnN1cyUyMEJ1cmVhdSUyMFJvb3QlMjBDQS5jcmww +ZQYIKwYBBQUHAQEEWTBXMFUGCCsGAQUFBzAChklodHRwOi8vcGtpLnRjby5jZW5z +dXMuZ292L0NlcnRFbnJvbGwvVVMlMjBDZW5zdXMlMjBCdXJlYXUlMjBSb290JTIw +Q0EuY3J0MA0GCSqGSIb3DQEBDAUAA4ICAQAvLJiXBncvqEq2WjU4CtvB+g9GKgna +MIeu8D41/BdkhTpLR/Cus6Oq+N18cCyyBHNCPS4pz/cDzyzQvNMIDTP7tpcTwEfc +QW/WgPvfJtEmzOaRtNeSBBci1bySX4OMKnzB9ZQbGphaqYaVAG6n+NLCkg1MSvqK +cexAf8wkAJyjx2YOUh+xqwhXRE6UKlc9TVK0b2anVtg4FLNiUznZ6KerEKXx/wxv +XvOZRAY902P2FIRY9qbkEdAshNSA5HlY27pbdH4eZCTyk5uSTlIZQRtngL6w1Gy8 +Xh70AIv+kj38iKp8N4VgksHWS0Viw3Cg4h+3/hY08E/uLCzUKjdZt9I46bM1YKMv +K2LUA8xrWp0IN+wcdp2UUrAlVSHEp6LW+NR+VHtl0QiMYjXA+AvkoRvcoEotgeZP 
+mqfK9auR+3WiDUrkVLzPoPMQHWE9QXt+eErzBh+YXqqvPgPBGqA25CGwzyrs8iBT +jlhbJArFNO6KzQUwyf/Vw3dwX5oOebGuoh+KX9yRaN+q1ZqqWL1Jn40NXF8KQyLk +Ro4c9m+fpkTWhuxW6zW8YIbnmtNDk2X3YfAY1dIKAUIW24Si0SMka8pC2d9qaL2m +fyD0JoF+49cPDtTNHsUP5QR3a+JjqAT8haladoSyiNmO24ysueI7sg9A+zY8oJrM +Gi2tB39Jg7J6/w== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIF1jCCA76gAwIBAgITLgAAAApfi2u0+zjcuQAAAAAACjANBgkqhkiG9w0BAQwF +ADBsMRMwEQYKCZImiZPyLGQBGRYDR292MRYwFAYKCZImiZPyLGQBGRYGQ2Vuc3Vz +MQwwCgYDVQQLEwNUQ08xDDAKBgNVBAsTA1BLSTEhMB8GA1UEAxMYVVMgQ2Vuc3Vz +IEJ1cmVhdSBSb290IENBMB4XDTE5MDgwNjE1MDc0M1oXDTI0MDgwNjE1MTc0M1ow +YTETMBEGCgmSJomT8ixkARkWA2dvdjEWMBQGCgmSJomT8ixkARkWBmNlbnN1czES +MBAGCgmSJomT8ixkARkWAmFkMR4wHAYDVQQDExVVUyBDZW5zdXMgQnVyZWF1IENB +IDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDFLt4b/8hnKu0yk7IC +C0qY8gAF20DZrbE6rILe2quYeSQcztIw3H6K2+uAsvpCRjRc4+ra+bKQWLpTv5gP +6l6iDMlun3po1+Qqlga4S4/kJMoYP52AbcdHog33vdvpmtRhL2WLBdHfXLfahVx3 +OB1WkrZMFP4T3L4mTo8SW4abdIf5Q7SmClrHzy+znv4jhKEU9tiY7NXJBCINETx3 +5B8PE8F0r1s0Mv+yhoDHWk2Poa/rC+CrXZ+NdzWfI2ajUc1Nb2b+6f4Wrpc9qC+a +kxYywDcrUoGnwqJYDoIFZY2ErqTQUw7JGQkG/i+7gYs+VaHPcD3DNQq3iFzab26I +0vG5AgMBAAGjggF6MIIBdjAQBgkrBgEEAYI3FQEEAwIBATAjBgkrBgEEAYI3FQIE +FgQU6ZLQoy5LJaVqTI5Em9TBptKdLmAwHQYDVR0OBBYEFOpnUT2Oc868n6qxmUrj +FdfUn3tOMBkGCSsGAQQBgjcUAgQMHgoAUwB1AGIAQwBBMAsGA1UdDwQEAwIBhjAS +BgNVHRMBAf8ECDAGAQH/AgEBMB8GA1UdIwQYMBaAFMdeIHdBm/YaIFKQSuoag5Px +w6seMFoGA1UdHwRTMFEwT6BNoEuGSWh0dHA6Ly9wa2kudGNvLmNlbnN1cy5nb3Yv +Q2VydEVucm9sbC9VUyUyMENlbnN1cyUyMEJ1cmVhdSUyMFJvb3QlMjBDQS5jcmww +ZQYIKwYBBQUHAQEEWTBXMFUGCCsGAQUFBzAChklodHRwOi8vcGtpLnRjby5jZW5z +dXMuZ292L0NlcnRFbnJvbGwvVVMlMjBDZW5zdXMlMjBCdXJlYXUlMjBSb290JTIw +Q0EuY3J0MA0GCSqGSIb3DQEBDAUAA4ICAQCYQm6VusLYzHy9PM0P4dSkHSUVGug+ +8Q/Gn1qQ+pejTpx0fR+pxq8DP8Ua3qgWsIz3scrONairxWVUW5AA4E0VXU0fO6n+ +4DLdJnwwIEIkV410p5w79l9Dl2NiI31Ijv0Y8PwEzXmcSvcz1Qc05TyRV+1yv6Uh +nHfnu4kHXj26NOOsPjrEJ60l0tcOT4p3edkwYRf3XzQ19k4ITEBeYF76y1FX8H+W +RTIjQNr8BXUVt+afJZXgUgSB0xHfSRBhTUXiFvKbs1BpICNQmhbFIaz7GJZkvx9r 
+b+7Um2EQNIQKxoe4rG4mar62Ux3k0i9o8O9nccQSl9VCuSvTyCmtpKpsKRRitMf2 +vBQ9D14p5pzDdFZQC75B8lkibXpuk8fQ3/CIMqK4547wIO8tgz4wqN8ID4tEBgqZ +Fot9XSJpDAZHYKx5GWVwKmhqwefACqqASjHR8NVakAd3EkcQ06SEzGYTTq2duWhi +fOxpJKtMtw9JTfbOG9Az28rRWGCk1vVHmtkVHApD3XdAV3RG6w/AqjNu/IY70fmd +wULhegJxbVdQucgwR4WyNbx7hCJYvoEyL5L7ZQwBpFXHnOI7wJFGw2eo5xIUehUS +4jPpb2OolWHEOjMkEkRfgfrJsnt/blpKXRmYRFUd1+c5VBOtsaYv3iYArxZziQxf +pR508zEDCd9cRQ== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIFsjCCA5qgAwIBAgITLgAAAAvaREPe3QGJiAAAAAAACzANBgkqhkiG9w0BAQwF +ADBsMRMwEQYKCZImiZPyLGQBGRYDR292MRYwFAYKCZImiZPyLGQBGRYGQ2Vuc3Vz +MQwwCgYDVQQLEwNUQ08xDDAKBgNVBAsTA1BLSTEhMB8GA1UEAxMYVVMgQ2Vuc3Vz +IEJ1cmVhdSBSb290IENBMB4XDTE5MDgwNjE1MDc0MVoXDTI0MDgwNjE1MTc0MVow +YjETMBEGCgmSJomT8ixkARkWA2dvdjEWMBQGCgmSJomT8ixkARkWBmNlbnN1czET +MBEGCgmSJomT8ixkARkWA2VhZDEeMBwGA1UEAxMVVVMgQ2Vuc3VzIEJ1cmVhdSBD +QSAzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxA+7bWM9ZExFO/ZN +uFodd+ktg0TWojeV8QJTYAdtwzMquqDl/zMLgkHPD8xC730qMdKB6Df74i3moN5c +6h9S087T0tdf02U0J95AfO06oZiaGNzq/zacINhfbxWf2ZAyZCiwpcQL3w3uAjS1 +MK++iC8ZWDBnd5z64ewCDFS8d9FD5RrJ0GxGCcC4IJ8DyhOq7i3a/Td29wLTP1wz +QuFLVD/5JFWirqnJwgqVVEUdzf8ZK3MSk9DAZcIjY/mIZgnnZ+ukcD0TtYkOnPU7 +j7EGeqo6Jby3T75p4x3uRlNaEKAqXBqiu7bVx+T0cTtuJEjtw4l/8WEGEFGI6Jfs +0Du9+QIDAQABo4IBVTCCAVEwEAYJKwYBBAGCNxUBBAMCAQAwHQYDVR0OBBYEFCB4 +OetP7QLwgNqbXIDospFC1inEMBkGCSsGAQQBgjcUAgQMHgoAUwB1AGIAQwBBMAsG +A1UdDwQEAwIBhjASBgNVHRMBAf8ECDAGAQH/AgEBMB8GA1UdIwQYMBaAFMdeIHdB +m/YaIFKQSuoag5Pxw6seMFoGA1UdHwRTMFEwT6BNoEuGSWh0dHA6Ly9wa2kudGNv +LmNlbnN1cy5nb3YvQ2VydEVucm9sbC9VUyUyMENlbnN1cyUyMEJ1cmVhdSUyMFJv +b3QlMjBDQS5jcmwwZQYIKwYBBQUHAQEEWTBXMFUGCCsGAQUFBzAChklodHRwOi8v +cGtpLnRjby5jZW5zdXMuZ292L0NlcnRFbnJvbGwvVVMlMjBDZW5zdXMlMjBCdXJl +YXUlMjBSb290JTIwQ0EuY3J0MA0GCSqGSIb3DQEBDAUAA4ICAQCGmm3uxuTvZcWm +ihlWtSa/0H88MM3ubcOAqYmNHWCzynemR9CxUZfuR/qi8HvRKHm5HwDVT1LtL3Wf +K+9Lc7mcBHStZUdNgINVsqZzNi1L54v/UD3lAu79M/yh16DREvEnWLlc1CUhti+Q +P6aooRfF1VIAzoNZz3iUBj43uRJLewYhlFYRy8GFzRhoKJ/HNZI9nqlV7notKtvV 
+P2Ae++stlTGzrUEYi91tgJdoSOKweDg4EDjEr4y51yY2l8eJJTXtRRIMDdtv1wbF +XVpxcbWDvAFmYKFjpspaEiD3gAEdSDGcCv23KGFxZCMw5Chblg2drWCSCbJQ2VE/ +XiHcHGxrTQVru+ocZgEqH600BDAC+/nrVP1lJyfKsY2KUh9X/vzbAbx7r45l7LJh +Q173miuG1Hjm60OEtUsNobtVOG/TCxqHflRuMgVK5mGb00Hu5SxMel/ma5bhvWCS +ZQIYEIwo2b6GBicTuhHhBo0e4BdA3vvz8WroUTiezmMo8BveyYViqyWFCB26Wvhy +NB4pfg+GFfTl0wiHSpc1RfBFuoohkGgUMt0ci0jJp1ofb6MeK+p3DqBfKyhQiz+7 +EsgudLUeALpj38b5mWjvN17YBby5suRJnH8lv7+Z1nooo+MqapZZyrRu56PtEBJM +3m7NDAL9JACMk8yF5WDToKtcPuTgpg== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIF0zCCA7ugAwIBAgITLgAAAA+ydH8TcbjZAgAAAAAADzANBgkqhkiG9w0BAQwF +ADBsMRMwEQYKCZImiZPyLGQBGRYDR292MRYwFAYKCZImiZPyLGQBGRYGQ2Vuc3Vz +MQwwCgYDVQQLEwNUQ08xDDAKBgNVBAsTA1BLSTEhMB8GA1UEAxMYVVMgQ2Vuc3Vz +IEJ1cmVhdSBSb290IENBMB4XDTIyMDkyMjE0NDQwOFoXDTI3MDkyMjE0NTQwOFow +YTETMBEGCgmSJomT8ixkARkWA2dvdjEWMBQGCgmSJomT8ixkARkWBmNlbnN1czES +MBAGCgmSJomT8ixkARkWAmFkMR4wHAYDVQQDExVVUyBDZW5zdXMgQnVyZWF1IENB +IDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCiUqJa4e90dNdAFC0W +ju9arRst3FchtNxT0ZPdg/2UpDFN35PFBQ4G1RJxGVGuhpkRmqLdtI9t9BQHZ/tk +QZ6ELJRJVxQMPONBuoXlUbnS3CHwDT5+YIvVZr3jHjv96tq6C2SYJ1BNeqDYjhdK +gF3WXUJpb6lbAwZtv7aHZUSVXcnW/hCkfI2aRZoGXCcgi6hbcJRC74HCGW0eLtCZ +M0Y5+lEGdKLAOiIsl4kea+34Uh5eHjIp9LHCicIfx+5RT5xor4hOJldu2pOmjzrg +FBCz59/5wZHIyQCHOu92p/VGO9eeCxCDlT8DWa78c2HjCnf0FvymlxoHPdH89Rhv +idPFAgMBAAGjggF3MIIBczAQBgkrBgEEAYI3FQEEAwIBAjAjBgkrBgEEAYI3FQIE +FgQUFE9/OhOsohsjHyLcCd1NqTNkdQYwHQYDVR0OBBYEFMSLwaPcjo2CqYcxhzj8 +U1q1Px/KMBkGCSsGAQQBgjcUAgQMHgoAUwB1AGIAQwBBMAsGA1UdDwQEAwIBhjAP +BgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFMdeIHdBm/YaIFKQSuoag5Pxw6se +MFoGA1UdHwRTMFEwT6BNoEuGSWh0dHA6Ly9wa2kudGNvLmNlbnN1cy5nb3YvQ2Vy +dEVucm9sbC9VUyUyMENlbnN1cyUyMEJ1cmVhdSUyMFJvb3QlMjBDQS5jcmwwZQYI +KwYBBQUHAQEEWTBXMFUGCCsGAQUFBzAChklodHRwOi8vcGtpLnRjby5jZW5zdXMu +Z292L0NlcnRFbnJvbGwvVVMlMjBDZW5zdXMlMjBCdXJlYXUlMjBSb290JTIwQ0Eu +Y3J0MA0GCSqGSIb3DQEBDAUAA4ICAQCdYsU2TVWTAzVjqPqlO+PtxTcoDxBjlvo+ 
+L519/iTxzlcz0Kiao83fGhsSitzNf0LsSTOWrAuCprX0sn5If4pasZKqVp+ZJnjF +H9Wpi/4gsaCtvY3V4Hm5ZS1BffUHrre/kR//pn9f2Axu3tTVfHNAEVr0kRvq9wPD +yMe5BzLtm9amOwFvAYP/69zXk4ig88mbOmXjK+EC5AUzwBhg9oI/Kv2AeLbKx+nr +DuguMe6RCp4NXBS1X3/cjRN37+ayJEHynFdWKiVNcvxABVFLGVHBA4fMD9kTjT2a +cf413mhywUcVTfpoj/94Kcqvl3oxgHWGIig9RWExMkvmrkYT5hGqfws+NIGrCGaZ +GA0cUYAY5cbkAg8If3Htt4aSCdTu6g/RbatMFND2GURO2fHPajBILBiDxCJM6OmT +SUQPghQC3QvE48CM5J6KAjPosGh8Ay454FhKv0ShvhKTaHzN6anBih8AbwU5G8iP +XeoNY+jZbkv1gBJ4J+8nffm1n5aFbssbxazppqTLpFDXimduWUxSXZbjwGGwHc7G +FmLj14c8og+ItE+meToVXt6oFSF9hkri5Lmanen9SqU9IPgxiTv91olwmXW6d/3Y +D202odbWVpAIIjiVJngfyOulCeEQsz5WjmPyIjFkXNz8NiwAJSJu1XtBtAMdaCDe +6z6OUG7UaQ== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIF0zCCA7ugAwIBAgITLgAAABDGRuhzKgVoqQAAAAAAEDANBgkqhkiG9w0BAQwF +ADBsMRMwEQYKCZImiZPyLGQBGRYDR292MRYwFAYKCZImiZPyLGQBGRYGQ2Vuc3Vz +MQwwCgYDVQQLEwNUQ08xDDAKBgNVBAsTA1BLSTEhMB8GA1UEAxMYVVMgQ2Vuc3Vz +IEJ1cmVhdSBSb290IENBMB4XDTIyMDkyMjE0NDUxN1oXDTI3MDkyMjE0NTUxN1ow +YTETMBEGCgmSJomT8ixkARkWA2dvdjEWMBQGCgmSJomT8ixkARkWBmNlbnN1czES +MBAGCgmSJomT8ixkARkWAmFkMR4wHAYDVQQDExVVUyBDZW5zdXMgQnVyZWF1IENB +IDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDFLt4b/8hnKu0yk7IC +C0qY8gAF20DZrbE6rILe2quYeSQcztIw3H6K2+uAsvpCRjRc4+ra+bKQWLpTv5gP +6l6iDMlun3po1+Qqlga4S4/kJMoYP52AbcdHog33vdvpmtRhL2WLBdHfXLfahVx3 +OB1WkrZMFP4T3L4mTo8SW4abdIf5Q7SmClrHzy+znv4jhKEU9tiY7NXJBCINETx3 +5B8PE8F0r1s0Mv+yhoDHWk2Poa/rC+CrXZ+NdzWfI2ajUc1Nb2b+6f4Wrpc9qC+a +kxYywDcrUoGnwqJYDoIFZY2ErqTQUw7JGQkG/i+7gYs+VaHPcD3DNQq3iFzab26I +0vG5AgMBAAGjggF3MIIBczAQBgkrBgEEAYI3FQEEAwIBAjAjBgkrBgEEAYI3FQIE +FgQUxgMHEbdrxtDC64yaqubXVeW060owHQYDVR0OBBYEFOpnUT2Oc868n6qxmUrj +FdfUn3tOMBkGCSsGAQQBgjcUAgQMHgoAUwB1AGIAQwBBMAsGA1UdDwQEAwIBhjAP +BgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFMdeIHdBm/YaIFKQSuoag5Pxw6se +MFoGA1UdHwRTMFEwT6BNoEuGSWh0dHA6Ly9wa2kudGNvLmNlbnN1cy5nb3YvQ2Vy +dEVucm9sbC9VUyUyMENlbnN1cyUyMEJ1cmVhdSUyMFJvb3QlMjBDQS5jcmwwZQYI +KwYBBQUHAQEEWTBXMFUGCCsGAQUFBzAChklodHRwOi8vcGtpLnRjby5jZW5zdXMu 
+Z292L0NlcnRFbnJvbGwvVVMlMjBDZW5zdXMlMjBCdXJlYXUlMjBSb290JTIwQ0Eu +Y3J0MA0GCSqGSIb3DQEBDAUAA4ICAQB/Kn2/ohaTr4XDgu5msLiKzjA3Rqb4Wf4r +FmzpJXcaB9N4Tyg19qgZ9l57AVDO6DWlXBENY+FXERe/qrvhFawZqActT7dPqJJv +Z30hwBcXc8ELjNxVp54MDJfd2oHUkXwJ46i1GphHfie0Q/csoraRpf/DjXuaruxM +Vgt4Roo6zBGf2nSCfqVLR2NZ93orfSybg5g2eutYuftkd5tzbcxdhHlTlhhbNpIV +quVaT46hN1h/q1bMmS4bGBdLUQggY5BtY9RM4gDhcyh1K8k5auM+uPyWqnnd10wI +vuRSu2zNueWlqVstSTbnZdf138nssj+MzN8xcmn+mXH7z8COXwhJLBKRr7Xg7l7G +UMmc86eYbmpphs3LhzZNMooAGUedm15Ln1u9wgywtP6CbpvBVIcSxmjJeiN6bXy6 +dtbZCCziijO1UehOqc81jZy/jdG158D0WfOumNkx1biGwZ/YR+oGslaSkMr58e/7 +abPBMlQmDwvlTWeiUqMZJAzNHk13c8jSeMtaGXtE9D9Sv2oPVGwjeB2krn1Lb8uU +YeEl0YmQ2W1GpoYC4zU7gnnNjSbLr13L8Gjsmk9FYy4HWDRgJvAvF2O3DldldxP2 +MurPmXriFtEUNo4e1UKJciPJlYChWz1/0Hwncab8AWaw3MPkyYpELKis+vTELriO +iHAYOPwOJg== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIF1DCCA7ygAwIBAgITLgAAAA4zbBR3VlxWyAAAAAAADjANBgkqhkiG9w0BAQwF +ADBsMRMwEQYKCZImiZPyLGQBGRYDR292MRYwFAYKCZImiZPyLGQBGRYGQ2Vuc3Vz +MQwwCgYDVQQLEwNUQ08xDDAKBgNVBAsTA1BLSTEhMB8GA1UEAxMYVVMgQ2Vuc3Vz +IEJ1cmVhdSBSb290IENBMB4XDTIyMDIyODE3NTUxOFoXDTI3MDIyODE4MDUxOFow +YjETMBEGCgmSJomT8ixkARkWA2dvdjEWMBQGCgmSJomT8ixkARkWBmNlbnN1czET +MBEGCgmSJomT8ixkARkWA2VhZDEeMBwGA1UEAxMVVVMgQ2Vuc3VzIEJ1cmVhdSBD +QSAzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxA+7bWM9ZExFO/ZN +uFodd+ktg0TWojeV8QJTYAdtwzMquqDl/zMLgkHPD8xC730qMdKB6Df74i3moN5c +6h9S087T0tdf02U0J95AfO06oZiaGNzq/zacINhfbxWf2ZAyZCiwpcQL3w3uAjS1 +MK++iC8ZWDBnd5z64ewCDFS8d9FD5RrJ0GxGCcC4IJ8DyhOq7i3a/Td29wLTP1wz +QuFLVD/5JFWirqnJwgqVVEUdzf8ZK3MSk9DAZcIjY/mIZgnnZ+ukcD0TtYkOnPU7 +j7EGeqo6Jby3T75p4x3uRlNaEKAqXBqiu7bVx+T0cTtuJEjtw4l/8WEGEFGI6Jfs +0Du9+QIDAQABo4IBdzCCAXMwEAYJKwYBBAGCNxUBBAMCAQEwIwYJKwYBBAGCNxUC +BBYEFE2wPwIWNvlAbZy05X4kklJu09q8MB0GA1UdDgQWBBQgeDnrT+0C8IDam1yA +6LKRQtYpxDAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYw +DwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBTHXiB3QZv2GiBSkErqGoOT8cOr +HjBaBgNVHR8EUzBRME+gTaBLhklodHRwOi8vcGtpLnRjby5jZW5zdXMuZ292L0Nl 
+cnRFbnJvbGwvVVMlMjBDZW5zdXMlMjBCdXJlYXUlMjBSb290JTIwQ0EuY3JsMGUG +CCsGAQUFBwEBBFkwVzBVBggrBgEFBQcwAoZJaHR0cDovL3BraS50Y28uY2Vuc3Vz +Lmdvdi9DZXJ0RW5yb2xsL1VTJTIwQ2Vuc3VzJTIwQnVyZWF1JTIwUm9vdCUyMENB +LmNydDANBgkqhkiG9w0BAQwFAAOCAgEAjDWz6k+6ModUkHRJgTjv8nHfPJv1qI9d +WUejF3YSwU6ExE44C5C2oEXPtEAWR+LiEsW+U4ZZ8Zgi/F5qI3AblQbNXDplAbo/ +6UoKeieBftV5cf7WgbdFoVFuX2HppSVrDQPf4t6DpCM6qVs8/EIrBQOeKhVckhB1 +XgiuFTb3sRoOmWvRramBf3xp7WJ1P4T76gBUg2I6GMFV3EO/mv8XWM9QzFZ1nFOQ +z8/zRa1x53WuAc36d8ESGqL0ZxjNjSNU/HtpJnwtYj3hzJIsYgm938nU5p1diF00 +C89+a0CKkVnL7JW6tC8MQqnyE7TBBWjSmssxa4FHT753W/NaU6JVIJqOwuGTTenv +bQlHi+NxfqL0alNXX3ukUNDPB5XfGWCEBMGZ9xUNDXdxTS7lJzZGAddjqu94e5gd +KgDiEq52RQgkbZ8d+DYwpo/4XY7rj/bC4jvVXUhVd8E/NAbzTSo3VppK0pi/wDri +lm4p8WlzrCoGTVPeiZdCApa/bOoaq+X7/vN4HDUakJZFEPfxIwznfJbDEu7hrVE3 +fck3YuSBrQx6yYtmpLEnybaB5so0w+djeswxBVQSlBODYhrMFW+l3VIRa9PqHQWw +8TvAglbHxFUWWtlHBbwXgVdOqAVlh1LHU8mfbtkY8D4h+iXk+4nvBY1aKdDaZFTB +kDgqyXZwIww= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIFSDCCBDCgAwIBAgIJAMn9gqHMdnl3MA0GCSqGSIb3DQEBBQUAMIGfMQswCQYD +VQQGEwJVUzERMA8GA1UECBMITWFyeWxhbmQxGzAZBgNVBAoTElUuUy4gQ2Vuc3Vz +IEJ1cmVhdTEiMCAGA1UECxMZVGVsZWNvbW11bmljYXRpb25zIE9mZmljZTEaMBgG +A1UEAxMRY2EudGNvLmNlbnN1cy5nb3YxIDAeBgkqhkiG9w0BCQEWEWNhQHRjby5j +ZW5zdXMuZ292MB4XDTEyMDgxNTE2MTM0OFoXDTMyMDgxMDE2MTM0OFowgZ8xCzAJ +BgNVBAYTAlVTMREwDwYDVQQIEwhNYXJ5bGFuZDEbMBkGA1UEChMSVS5TLiBDZW5z +dXMgQnVyZWF1MSIwIAYDVQQLExlUZWxlY29tbXVuaWNhdGlvbnMgT2ZmaWNlMRow +GAYDVQQDExFjYS50Y28uY2Vuc3VzLmdvdjEgMB4GCSqGSIb3DQEJARYRY2FAdGNv +LmNlbnN1cy5nb3YwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDSqB5S +s674S6Hnpnl+/cT3OLrUCmuM1KZs+Uo5EsFcZzm4Me/XiF8izGSydFtAKFRbyyk5 +j/K5WLGxo7Ix6eCA1PZXWu6aJOfMmPRb1LaeIst1IlSCpjUoZ8pl60fjYLtbEK79 +STM/nrdV0E2EqcJu7dfzMB1oK96NG6tu8C7m7UgIbSv15NDapgDhyril6J4wVQJU +DOUGRbWjv0Qo6Re0NPBkRFf3owToopNQlQSGZU2UnUehheqXPzk4VQisPrhcVsbg +iu4c98gjtGHK1k2DyJOwsFq2hWmAByLZLJXR7pTqv7Ue8gogFl/ggbvuWrKlVmCh +wKln1pPSLYZ/txTZAgMBAAGjggGDMIIBfzA4BgNVHR8EMTAvMC2gK6AphidodHRw 
+Oi8vY2EuYXBwcy50Y28uY2Vuc3VzLmdvdi9jZXJ0cy9jcmwwHQYDVR0OBBYEFA8x +pgy5aVvXWgTVO8E7yyO3kp9yMIHUBgNVHSMEgcwwgcmAFA8xpgy5aVvXWgTVO8E7 +yyO3kp9yoYGlpIGiMIGfMQswCQYDVQQGEwJVUzERMA8GA1UECBMITWFyeWxhbmQx +GzAZBgNVBAoTElUuUy4gQ2Vuc3VzIEJ1cmVhdTEiMCAGA1UECxMZVGVsZWNvbW11 +bmljYXRpb25zIE9mZmljZTEaMBgGA1UEAxMRY2EudGNvLmNlbnN1cy5nb3YxIDAe +BgkqhkiG9w0BCQEWEWNhQHRjby5jZW5zdXMuZ292ggkAyf2Cocx2eXcwDwYDVR0T +AQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwLwYDVR0RBCgwJoERY2FAdGNvLmNlbnN1 +cy5nb3aCEWNhLnRjby5jZW5zdXMuZ292MA0GCSqGSIb3DQEBBQUAA4IBAQCLNU9/ +OxA2adbFXwiAh8XztL3MN7OUeXasSKtSDo00Ays/Sph1DXkUozSwx3B2JHtfrMj+ +A64qzjRm/Y7sDaM4SFa+Y3rdt7U9UY2UxQLo92zHQMqIbQhrdKBTiCVMrBvBzwWg +SI7KPi2lel499yb0vH/I6czuyQNTuYzHAsufYKeMMq4CeiBbboAegClpYJi5jJLl +dFQZpDUwSs+Pfb95CjPlfc0V3AH6GazbS3BNMMghECpL4rF0m7F7L3nDCklx1PsC +z2chyETY1X74Cg3D1mFV3iUjIvr6+eIZDQ3BStGwFjzxmdH2U2yh1nJnJzNXka9g +lUpluNENkgVZmOys +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIE1zCCA7+gAwIBAgITZQAANNYDIG4D4LElTwABAAA01jANBgkqhkiG9w0BAQsF +ADBiMRMwEQYKCZImiZPyLGQBGRYDZ292MRYwFAYKCZImiZPyLGQBGRYGY2Vuc3Vz +MRMwEQYKCZImiZPyLGQBGRYDZWFkMR4wHAYDVQQDExVVUyBDZW5zdXMgQnVyZWF1 +IENBIDMwHhcNMjIxMjI3MjExNTIxWhcNMjYxMjI3MjEyNTIxWjBoMRMwEQYKCZIm +iZPyLGQBGRYDZ292MRYwFAYKCZImiZPyLGQBGRYGY2Vuc3VzMRMwEQYKCZImiZPy +LGQBGRYDZWFkMSQwIgYDVQQDExtVUyBDZW5zdXMgQnVyZWF1IENBIDMgU3ViIDEw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDPzIqL5D96G48OMzx7WZdi +01e6K5Tllvz5REVKMOlFIS22y/iAnr3hbA1FXH1ML+t0n7e7jKic+E4pXc90n5DP +0bBS5+srnkw3OvjTY//uBU6rMl5vTtbGY3BhL0jsoeT+/JdTTrif6gyNCSkpNvw0 +Hao3Yc5kfcU5Vo90nm1+gonOqa6bQFN/i4hwI2quu4M3IkLJZaWQQ0z1pIbbJyk0 +qANrUKy4yTABo4KkNdqKmRvvvRWuDpFmNJwDDpdT010HDX5Pdc48fFVPO0Faoox9 +A7BtBZL273u7O9dpE0ajTHk1De5ZxbgO8yFmGWVj6BYgI86HJCq74RP4K6IJuOGZ +AgMBAAGjggF+MIIBejAQBgkrBgEEAYI3FQEEAwIBADAdBgNVHQ4EFgQUGFK9+ZBI +M/dcDY4ObcigYRSrASQwGQYJKwYBBAGCNxQCBAweCgBTAHUAYgBDAEEwDgYDVR0P +AQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAUIHg560/tAvCA +2ptcgOiykULWKcQwVwYDVR0fBFAwTjBMoEqgSIZGaHR0cDovL3BraS5lYWQuY2Vu 
+c3VzLmdvdi9DZXJ0RW5yb2xsL1VTJTIwQ2Vuc3VzJTIwQnVyZWF1JTIwQ0ElMjAz +LmNybDCBkAYIKwYBBQUHAQEEgYMwgYAwUgYIKwYBBQUHMAKGRmh0dHA6Ly9wa2ku +ZWFkLmNlbnN1cy5nb3YvQ2VydEVucm9sbC9VUyUyMENlbnN1cyUyMEJ1cmVhdSUy +MENBJTIwMy5jcnQwKgYIKwYBBQUHMAGGHmh0dHA6Ly9wa2kuZWFkLmNlbnN1cy5n +b3Yvb2NzcDANBgkqhkiG9w0BAQsFAAOCAQEAm1wFAR44iAl7dNHMjzIaaQe7dBbQ +gyS1t2mygO843JtcS2J/m3yGmEfo8wEwK5IxwX2UTmnc7Dh/iWlMO6cl8JKN12Fp +FM/yfpb+jaKECrsGW3uY5yKhrqmVGO9YnbiiGN07w0t+dbWAYGCtULoocYhFaLVQ +68Iv9KpOKVB3XKbP4bI2uhtx9H+uPHanhWVTJRHjg5pqI+xV7BoPfmods74oQfgm +PrsZqbwEvItVBMTGFQvhi60iEklk42s7ln/X7EqpKjtXwR4WAGuWPjTJ3OWkvVa4 +cNFBQRSALyDpqJFCqFoZBym9coyibi39QkWD2eizR4wm69jC66GOEmEb/A== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIE1zCCA7+gAwIBAgITZQAANNSyNhQfwZNfDwABAAA01DANBgkqhkiG9w0BAQsF +ADBiMRMwEQYKCZImiZPyLGQBGRYDZ292MRYwFAYKCZImiZPyLGQBGRYGY2Vuc3Vz +MRMwEQYKCZImiZPyLGQBGRYDZWFkMR4wHAYDVQQDExVVUyBDZW5zdXMgQnVyZWF1 +IENBIDMwHhcNMjIxMjI3MTcyOTQ3WhcNMjYxMjI3MTczOTQ3WjBoMRMwEQYKCZIm +iZPyLGQBGRYDZ292MRYwFAYKCZImiZPyLGQBGRYGY2Vuc3VzMRMwEQYKCZImiZPy +LGQBGRYDZWFkMSQwIgYDVQQDExtVUyBDZW5zdXMgQnVyZWF1IENBIDMgU3ViIDIw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+k0X7b2zULKIK7n3QEo6I +tY03iLD1+h4SLS+TcD1boOS5SR5A7nmtcSkn03xieHzQvb2YdQ8+ltlBBXFeQR4g +vTieZ77DN1pqDLkwThHscavRr8HHyuW20Bf9YYH11DzpuXe4WsMhkLeJWzZJ5GPI +TwWZFeCluJ9fb9/8wPhVERSDYtqS3DwdJ/6qkueJZ75AOMcmObx5pQWszypYQupm +L+oiofej7mu0gb7ioXwwM7XL8f28a2BEDFqM5M0sitBrC1yxN7a3cRnegT+PlCe/ +yiiihAZVYQt/HDEs4R4A85Wx/YUhiB3BKkyTUIV+abjeWMIrRi17SrxNDT9ZQkld +AgMBAAGjggF+MIIBejAQBgkrBgEEAYI3FQEEAwIBADAdBgNVHQ4EFgQU4wpH6ieo +Hr13KKDb4stKDQFKE/MwGQYJKwYBBAGCNxQCBAweCgBTAHUAYgBDAEEwDgYDVR0P +AQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAUIHg560/tAvCA +2ptcgOiykULWKcQwVwYDVR0fBFAwTjBMoEqgSIZGaHR0cDovL3BraS5lYWQuY2Vu +c3VzLmdvdi9DZXJ0RW5yb2xsL1VTJTIwQ2Vuc3VzJTIwQnVyZWF1JTIwQ0ElMjAz +LmNybDCBkAYIKwYBBQUHAQEEgYMwgYAwUgYIKwYBBQUHMAKGRmh0dHA6Ly9wa2ku +ZWFkLmNlbnN1cy5nb3YvQ2VydEVucm9sbC9VUyUyMENlbnN1cyUyMEJ1cmVhdSUy 
+MENBJTIwMy5jcnQwKgYIKwYBBQUHMAGGHmh0dHA6Ly9wa2kuZWFkLmNlbnN1cy5n +b3Yvb2NzcDANBgkqhkiG9w0BAQsFAAOCAQEAs3Kf6bImA8lfZweCuCtcaSDRCr0X +pyr8A1TI95PgzpAEptGay/Ve2Bbs9JAzMIPqznEy7hC9kNY6Wn8jRxwSFhHJ1MVV +bMITRguhJ5asApmDInCx1/iha3WnsnmeonmPFOgpF/lgiyY7kMwXPzBNYPrs3qdf +AFTaF0rMRxJ3nz0R6C2K16hCDNOFW1E8X3eBFRK9poGsdOzpkrugrFDXGBWGIxIr +IUIE1xbQQzVv/qZ9Q1s7g6nt3zci//CgBXXRHn30G9SWbHASJhbN/XZOYMKtS15T +COzOm7B5Ujjw2h8YspiZKgINsWLbhU9E5OQkJuHeDpBpp/EFMbwsRQH//A== +-----END CERTIFICATE----- diff --git a/buildspecs/scripts/pip.conf b/buildspecs/scripts/pip.conf new file mode 100644 index 00000000..8f18e297 --- /dev/null +++ b/buildspecs/scripts/pip.conf @@ -0,0 +1,10 @@ +[global] +cert = ~/.pip/pip-cert.pem +# proxy = http://proxy.tco.census.gov:3128 +index = https://nexus.it.census.gov:8443/repository/DataScience-Group/pypi +index-url = https://nexus.it.census.gov:8443/repository/DataScience-Group/simple +trusted-host = nexus.it.census.gov + pypi.python.org + pypi.org + files.pythonhosted.org + proxy.tco.census.gov diff --git a/buildspecs/scripts/sechub_parser.py b/buildspecs/scripts/sechub_parser.py new file mode 100644 index 00000000..34c43a39 --- /dev/null +++ b/buildspecs/scripts/sechub_parser.py 
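Review bot: In buildspecs/scripts/pip.conf the `trusted-host` list undoes what `cert = ~/.pip/pip-cert.pem` is there to provide. pip treats every host named there as trusted even without valid HTTPS, and the list covers the Nexus index itself as well as pypi.org, files.pythonhosted.org and the proxy. The CA bundle added in this commit presumably lets pip validate `nexus.it.census.gov` already, so the `trusted-host` block can be dropped, or kept only for a host that cannot present a valid chain, with a comment saying why. I would also add a comment above `cert`, for example `# internal CA bundle; TLS to the index is verified against this file`. If packages are only meant to come from Nexus, the public PyPI hosts do not need to be listed at all.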
@@ -0,0 +1,101 @@ +import json +import boto3 +import datetime +import os + +# import sechub + sts boto3 client +securityhub = boto3.client('securityhub') +sts = boto3.client('sts') + +# retrieve account id from STS GetCallerID +getAccount = sts.get_caller_identity() +awsAccount = str(getAccount['Account']) +# retrieve env vars from codebuild +awsRegion = os.environ['AWS_REGION'] +codebuildBuildArn = os.environ['CODEBUILD_BUILD_ARN'] +containerName = os.environ['docker_img_name'] +containerTag = os.environ['docker_tag'] + +# open Trivy vuln report & parse out vuln info +with open('results.json') as json_file: + data = json.load(json_file) + if data[0]['Vulnerabilities'] is None: + print('No vulnerabilities') + else: + for p in data[0]['Vulnerabilities']: + cveId = str(p['VulnerabilityID']) + cveTitle = str(p['Title']) + cveDescription = str(p['Description']) + cveDescription = (cveDescription[:1021] + '..') if len(cveDescription) > 1021 else cveDescription + packageName = str(p['PkgName']) + installedVersion = str(p['InstalledVersion']) + fixedVersion = str(p['FixedVersion']) + trivySeverity = str(p['Severity']) + cveReference = str(p['References'][0]) + # create ISO 8601 timestamp + iso8601Time = datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc).isoformat() + # map Trivy severity to ASFF severity + if trivySeverity == 'LOW': + trivyProductSev = int(1) + trivyNormalizedSev = trivyProductSev * 10 + elif trivySeverity == 'MEDIUM': + trivyProductSev = int(4) + trivyNormalizedSev = trivyProductSev * 10 + elif trivySeverity == 'HIGH': + trivyProductSev = int(7) + trivyNormalizedSev = trivyProductSev * 10 + elif trivySeverity == 'CRITICAL': + trivyProductSev = int(9) + trivyNormalizedSev = trivyProductSev * 10 + else: + print('No vulnerability information found') + try: + response = securityhub.batch_import_findings( + Findings=[ + { + 'SchemaVersion': '2018-10-08', + 'Id': containerName + ':' + containerTag + '/' + cveId, + 'ProductArn': 
'arn:aws:securityhub:' + awsRegion + ':' + ':product/aquasecurity/aquasecurity', + 'GeneratorId': codebuildBuildArn, + 'AwsAccountId': awsAccount, + 'Types': [ 'Software and Configuration Checks/Vulnerabilities/CVE' ], + 'CreatedAt': iso8601Time, + 'UpdatedAt': iso8601Time, + 'Severity': { + 'Product': trivyProductSev, + 'Normalized': trivyNormalizedSev + }, + 'Title': 'Trivy found a vulnerability to ' + cveId + ' in container ' + containerName, + 'Description': cveDescription, + 'Remediation': { + 'Recommendation': { + 'Text': 'More information on this vulnerability is provided in the hyperlink', + 'Url': cveReference + } + }, + 'ProductFields': { 'Product Name': 'Trivy' }, + 'Resources': [ + { + 'Type': 'Container', + 'Id': containerName + ':' + containerTag, + 'Partition': 'aws', + 'Region': awsRegion, + 'Details': { + 'Container': { 'ImageName': containerName + ':' + containerTag }, + 'Other': { + 'CVE ID': cveId, + 'CVE Title': cveTitle, + 'Installed Package': packageName + ' ' + installedVersion, + 'Patched Package': packageName + ' ' + fixedVersion + } + } + }, + ], + 'RecordState': 'ACTIVE' + } + ] + ) + print(response) + except Exception as e: + print(e) + raise diff --git a/buildspecs/terragrunt.yml b/buildspecs/terragrunt.yml index 57dae773..4e3b74ce 100644 --- a/buildspecs/terragrunt.yml +++ b/buildspecs/terragrunt.yml @@ -2,21 +2,18 @@ version: 0.2 env: variables: + ARTIFACT_BUCKET: "${ARTIFACT_BUCKET}" BASE_DIR: "lab" - TOOLS_DIR: "/tmp/build-tools/" - TERRAGRUNT_PATH: "${TERRAGRUNT_PATH}" - ARTIFACTS_BUCKET: "${ARTIFACTS_BUCKET}" - PROXY_CONFIG: "${PROXY_CONFIG}" - - secrets-manager: - GITHUB_TOKEN: ${GITHUB_TOKEN_ARN} - + PROXY_CONFIG: ${PROXY_CONFIG} + REQUIRED_TOOLS: "terraform terragrunt" + TOOL_DEFINITIONS: ${TOOL_DEFINITIONS} + TOOLS_DIR: "/tmp/build-tools" exported-variables: - TERRAGRUNT_PATH cache: paths: - - '/tmp/build-tools/**/*' + - $CODEBUILD_SRC_DIR/.tool_cache/**/* phases: install: 
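Review bot: In buildspecs/scripts/sechub_parser.py, the final `else` of the severity mapping inside `for p in data[0]['Vulnerabilities']` only prints a message and then falls through to `batch_import_findings`. A Trivy severity outside LOW/MEDIUM/HIGH/CRITICAL (for example `UNKNOWN`) therefore raises NameError on the first entry, or is imported with the previous finding's `trivyProductSev` and `trivyNormalizedSev`, so Security Hub records the wrong severity. Set explicit values in that branch, e.g. `trivyProductSev = 0` and `trivyNormalizedSev = 0`, or `continue` after logging. Separately, `'arn:aws:securityhub:'` and `'Partition': 'aws'` are hard-coded; if this runs in the us-gov-east-1 account that the repository paths suggest, the partition would have to be `aws-us-gov`, which is worth confirming. The direct lookups `p['Title']`, `p['FixedVersion']` and `p['References'][0]` also abort the whole import on an entry that lacks one of those fields; `p.get('FixedVersion', '')` and similar would keep the remaining findings flowing.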
@@ -36,31 +33,23 @@ phases: # Create tools directory if it doesn't exist - mkdir -p $TOOLS_DIR/bin - # Get tools from S3 artifacts bucket instead of downloading from internet + # Download and execute the centralized tool management script - | - # Terraform - if [ ! -f "$TOOLS_DIR/bin/terraform" ]; then - echo "Copying Terraform from S3 artifacts bucket" - if ! aws s3 cp s3://${ARTIFACTS_BUCKET}/tools/terraform.zip $TOOLS_DIR; then - echo "Failed to download Terraform" - exit 1 - fi - unzip -o $TOOLS_DIR/terraform.zip -d $TOOLS_DIR/bin/ - chmod +x $TOOLS_DIR/bin/terraform - fi + echo "--- Downloading and Executing Tool Management Script ---" + MANAGE_TOOLS_SCRIPT_S3_KEY="tools/scripts/manage_tools.sh" + LOCAL_SCRIPT_PATH="${TOOLS_DIR}/manage_tools.sh" - # Terragrunt - if [ ! -f "$TOOLS_DIR/bin/terragrunt" ]; then - echo "Copying Terragrunt from S3 artifacts bucket" - if ! aws s3 cp s3://${ARTIFACTS_BUCKET}/tools/terragrunt $TOOLS_DIR; then - echo "Failed to download Terragrunt" - exit 1 - fi - mv $TOOLS_DIR/terragrunt $TOOLS_DIR/bin/ - chmod +x $TOOLS_DIR/bin/terragrunt + - | + if [ ! -f "$LOCAL_SCRIPT_PATH" ]; then + echo "Downloading Tools Script from S3 ${ARTIFACT_BUCKET}...." + aws s3 cp s3://${ARTIFACT_BUCKET}/$MANAGE_TOOLS_SCRIPT_S3_KEY $LOCAL_SCRIPT_PATH fi - # Add tools to PATH + chmod +x "$LOCAL_SCRIPT_PATH" + echo "Executing $LOCAL_SCRIPT_PATH..." + "$LOCAL_SCRIPT_PATH" # Script will use ARTIFACT_BUCKET, TOOL_DEFINITIONS, REQUIRED_TOOLS, CODEBUILD_SRC_DIR + echo "--- Tool Management Script Execution Finished ---" + - export PATH=$TOOLS_DIR/bin:$PATH - aws sts get-caller-identity - terraform --version 
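Review bot: `manage_tools.sh` is downloaded from S3 and executed in the install phase with no integrity check. It is the trust root for every tool it installs, so the build role runs whatever sits at that bucket key, or at `$LOCAL_SCRIPT_PATH` when the `-f` test skips the download. Pin the script's digest in the project configuration and verify it before `chmod +x`, e.g. `echo "${MANAGE_TOOLS_SHA256}  ${LOCAL_SCRIPT_PATH}" | sha256sum -c - || exit 1`, where `MANAGE_TOOLS_SHA256` is a placeholder for a variable this buildspec does not define yet. The removed code failed the build explicitly when `aws s3 cp` failed, but the new block has no such check and ends in an `echo`, so a failed download may only surface later at `terraform --version`. Adding `|| exit 1` to the `aws s3 cp` line and to the script invocation restores that behaviour.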
@@ -68,13 +57,12 @@ phases: build: commands: - - echo "Running Terragrunt plan with assumed role profile" + - echo "Running Terragrunt plan" - cd $TERRAGRUNT_PATH - export http_proxy=$PROXY_CONFIG - export https_proxy=$PROXY_CONFIG - export NO_PROXY=.census.gov,169.254.169.254,148.129.0.0/16,10.0.0.0/8,172.16.0/12,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com,.gcr.io,.pkg.dev - - - terragrunt run-all plan --terragrunt-non-interactive --terragrunt-debug --terragrunt-log-level debug + - terragrunt run-all plan --terragrunt-non-interactive post_build: commands: From 3285c2b96a34444c254bec32214d26d59bab9c09 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 13 May 2025 15:39:17 -0400 Subject: [PATCH 097/126] update --- buildspecs/terragrunt.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/buildspecs/terragrunt.yml b/buildspecs/terragrunt.yml index 4e3b74ce..313f7f13 100644 --- a/buildspecs/terragrunt.yml +++ b/buildspecs/terragrunt.yml @@ -7,7 +7,7 @@ env: PROXY_CONFIG: ${PROXY_CONFIG} REQUIRED_TOOLS: "terraform terragrunt" TOOL_DEFINITIONS: ${TOOL_DEFINITIONS} - TOOLS_DIR: "/tmp/build-tools" + TOOLS_DIR: "$CODEBUILD_SRC_DIR/.tool_cache" exported-variables: - TERRAGRUNT_PATH @@ -39,7 +39,6 @@ phases: MANAGE_TOOLS_SCRIPT_S3_KEY="tools/scripts/manage_tools.sh" LOCAL_SCRIPT_PATH="${TOOLS_DIR}/manage_tools.sh" - - | if [ ! -f "$LOCAL_SCRIPT_PATH" ]; then echo "Downloading Tools Script from S3 ${ARTIFACT_BUCKET}...." aws s3 cp s3://${ARTIFACT_BUCKET}/$MANAGE_TOOLS_SCRIPT_S3_KEY $LOCAL_SCRIPT_PATH @@ -52,8 +51,8 @@ phases: - export PATH=$TOOLS_DIR/bin:$PATH - aws sts get-caller-identity - - terraform --version - terragrunt --version + - terraform --version build: commands: From cabcbfce56f6f10988acf2d014f57721c0607402 Mon Sep 17 00:00:00 2001 
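Review bot: In the `build` phase of buildspecs/terragrunt.yml (hunk `@@ -68,13 +57,12 @@`), the `NO_PROXY` line that this change leaves in place contains `172.16.0/12`, which is not a valid CIDR; it should read `172.16.0.0/12`. How a malformed entry is handled depends on the client, so requests to that private range may be sent through the proxy rather than directly, which is worth checking against the tools used here. The enclosing `phases` block starts outside this hunk.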
From: "Matthew C. Morgan" Date: Tue, 13 May 2025 15:46:44 -0400 Subject: [PATCH 098/126] updated from tfmod-pipeline --- buildspecs/scripts/manage_tools.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/buildspecs/scripts/manage_tools.sh b/buildspecs/scripts/manage_tools.sh index 19d2c4a8..35d25f8a 100644 --- a/buildspecs/scripts/manage_tools.sh +++ b/buildspecs/scripts/manage_tools.sh @@ -6,7 +6,7 @@ echo "--- Starting Tool Management Script (manage_tools.sh) ---" # --- Configuration & Environment Variables --- # Required environment variables: # - TOOL_DEFINITIONS: JSON string defining tools (name, s3_key, checksum, archive_format, executable_path_in_archive) -# - ARTIFACTS_BUCKET: S3 bucket name for downloading tool archives +# - ARTIFACT_BUCKET: S3 bucket name for downloading tool archives # - REQUIRED_TOOLS: Space-separated list of tool names to install (e.g., "terraform terragrunt") # - CODEBUILD_SRC_DIR: Base directory for caching (CodeBuild specific, but adaptable) @@ -25,8 +25,8 @@ if ! echo "$TOOL_DEFINITIONS" | jq empty > /dev/null 2>&1; then exit 1 fi -if [ -z "$ARTIFACTS_BUCKET" ]; then - echo "ERROR: ARTIFACTS_BUCKET environment variable is not set or is empty." >&2 +if [ -z "$ARTIFACT_BUCKET" ]; then + echo "ERROR: ARTIFACT_BUCKET environment variable is not set or is empty." >&2 exit 1 fi @@ -106,7 +106,7 @@ for tool_name_var in $REQUIRED_TOOLS; do archive_filename=$(basename "$s3_key") cached_archive_path="$TOOL_CACHE_DIR/$archive_filename" - s3_source_path="s3://${ARTIFACTS_BUCKET}/${s3_key}" + s3_source_path="s3://${ARTIFACT_BUCKET}/${s3_key}" target_executable_path="$INSTALL_DIR/$tool_name" # Final destination of the executable echo "Details for $tool_name:" From fdf1e44033923639993283ca01d95e6bea6e5386 Mon Sep 17 00:00:00 2001 
From: "Matthew C. Morgan" Date: Tue, 13 May 2025 16:00:23 -0400 Subject: [PATCH 099/126] add and delete for less git churn --- Makefile | 2 + buildspecs/deploy.terragrunt.yml | 72 ------- buildspecs/scripts/manage_tools.sh | 220 ------------------- buildspecs/scripts/pip-cert.pem | 323 ---------------------------- buildspecs/scripts/pip.conf | 10 - buildspecs/scripts/sechub_parser.py | 101 --------- buildspecs/security.yml | 40 ---- buildspecs/terragrunt.yml | 73 ------- 8 files changed, 2 insertions(+), 839 deletions(-) delete mode 100644 buildspecs/deploy.terragrunt.yml delete mode 100644 buildspecs/scripts/manage_tools.sh delete mode 100644 buildspecs/scripts/pip-cert.pem delete mode 100644 buildspecs/scripts/pip.conf delete mode 100644 buildspecs/scripts/sechub_parser.py delete mode 100644 buildspecs/security.yml delete mode 100644 buildspecs/terragrunt.yml diff --git a/Makefile b/Makefile index 1be2527f..8ff0b6b0 100644 --- a/Makefile +++ b/Makefile @@ -79,6 +79,8 @@ deploy-to-pipeline: @echo "Creating zip file..." zip -r platform-tg-infra.zip . -x "*.git*" "*.github*" "*.terragrunt-cache*" "*.terraform*" + rm -rf ./buildspecs + @echo "Calculating S3 bucket name..." $(eval REGION_SHORT=$(shell echo $(AWS_REGION) | sed 's/\([a-z]\)[a-z]*-/\1/g')) $(eval S3_BUCKET=v-s3-eks-$(CLUSTER_NAME)-artifacts-$(AWS_ACCOUNT_ID)-$(REGION_SHORT)) diff --git a/buildspecs/deploy.terragrunt.yml b/buildspecs/deploy.terragrunt.yml deleted file mode 100644 index 3dfeda71..00000000 --- a/buildspecs/deploy.terragrunt.yml +++ /dev/null 
@@ -1,72 +0,0 @@ -version: 0.2 - -env: - variables: - BASE_DIR: "lab" - TF_VERSION: "1.5.5" - TG_VERSION: "0.72.0" - TOOLS_DIR: "/tmp/build-tools" - exported-variables: - - TERRAGRUNT_PATH - -cache: - paths: - - '/tmp/build-tools/**/*' - -phases: - install: - runtime-versions: - python: 3.9 - commands: - - echo "Setting up environment and tools" - - export http_proxy=$PROXY_CONFIG - - export https_proxy=$PROXY_CONFIG - - export NO_PROXY=.census.gov,169.254.169.254,148.129.0.0/16,10.0.0.0/8,172.16.0/12,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com,.gcr.io,.pkg.dev - - # Create tools directory if it doesn't exist - - mkdir -p $TOOLS_DIR/bin - - # Check if cached Terraform exists and matches required version - - | - if [ -f "$TOOLS_DIR/bin/terraform" ] && [ "$($TOOLS_DIR/bin/terraform version | head -n1 | grep -o "v$TF_VERSION")" = "v$TF_VERSION" ]; then - echo "Using cached Terraform v$TF_VERSION" - else - echo "Downloading Terraform v$TF_VERSION" - curl -Lo /tmp/terraform.zip "https://releases.hashicorp.com/terraform/${TF_VERSION}/terraform_${TF_VERSION}_linux_amd64.zip" - unzip -o /tmp/terraform.zip -d $TOOLS_DIR/bin/ - chmod +x $TOOLS_DIR/bin/terraform - fi - - # Check if cached Terragrunt exists and matches required version - - | - if [ -f "$TOOLS_DIR/bin/terragrunt" ] && [ "$($TOOLS_DIR/bin/terragrunt --version | grep -o "v$TG_VERSION")" = "v$TG_VERSION" ]; then - echo "Using cached Terragrunt v$TG_VERSION" - else - echo "Downloading Terragrunt v$TG_VERSION" - curl -Lo $TOOLS_DIR/bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${TG_VERSION}/terragrunt_linux_amd64" - chmod +x $TOOLS_DIR/bin/terragrunt - fi - - # Add tools to PATH - - export PATH=$TOOLS_DIR/bin:$PATH - - terraform --version - - terragrunt --version - - aws sts get-caller-identity - - build: - commands: - - echo "Running Terragrunt apply" - - cd $TERRAGRUNT_PATH - - export http_proxy=$PROXY_CONFIG - - export https_proxy=$PROXY_CONFIG - - export 
NO_PROXY=.census.gov,169.254.169.254,148.129.0.0/16,10.0.0.0/8,172.16.0/12,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com,.gcr.io,.pkg.dev - - terragrunt run-all apply --terragrunt-non-interactive -auto-approve - - post_build: - commands: - - echo "Terragrunt apply completed on `date`" - -artifacts: - files: - - '**/*' - base-directory: '.' diff --git a/buildspecs/scripts/manage_tools.sh b/buildspecs/scripts/manage_tools.sh deleted file mode 100644 index 35d25f8a..00000000 --- a/buildspecs/scripts/manage_tools.sh +++ /dev/null 
@@ -1,220 +0,0 @@ -#!/bin/bash -set -e # Exit immediately if a command exits with a non-zero status. - -echo "--- Starting Tool Management Script (manage_tools.sh) ---" - -# --- Configuration & Environment Variables --- -# Required environment variables: -# - TOOL_DEFINITIONS: JSON string defining tools (name, s3_key, checksum, archive_format, executable_path_in_archive) -# - ARTIFACT_BUCKET: S3 bucket name for downloading tool archives -# - REQUIRED_TOOLS: Space-separated list of tool names to install (e.g., "terraform terragrunt") -# - CODEBUILD_SRC_DIR: Base directory for caching (CodeBuild specific, but adaptable) - -TOOL_CACHE_DIR="${CODEBUILD_SRC_DIR}/.tool_cache" -INSTALL_DIR="/usr/local/bin" # Standard installation directory for executables - -# --- Sanity Checks --- -if [ -z "$TOOL_DEFINITIONS" ]; then - echo "ERROR: TOOL_DEFINITIONS environment variable is not set or is empty." >&2 - exit 1 -fi - -if ! echo "$TOOL_DEFINITIONS" | jq empty > /dev/null 2>&1; then - echo "ERROR: TOOL_DEFINITIONS does not contain valid JSON." >&2 - echo "TOOL_DEFINITIONS content: $TOOL_DEFINITIONS" >&2 - exit 1 -fi - -if [ -z "$ARTIFACT_BUCKET" ]; then - echo "ERROR: ARTIFACT_BUCKET environment variable is not set or is empty." >&2 - exit 1 -fi - -if [ -z "$REQUIRED_TOOLS" ]; then - echo "WARNING: REQUIRED_TOOLS environment variable is not set or is empty. No tools will be installed by this script." >&2 - # exit 0 # or exit 1 depending on desired strictness -fi - -if [ -z "$CODEBUILD_SRC_DIR" ]; then - echo "ERROR: CODEBUILD_SRC_DIR environment variable is not set or is empty." >&2 - exit 1 -fi - -# --- Ensure jq is available --- -if ! command -v jq &> /dev/null; then - echo "jq not found, attempting to install..." - if apt-get update -y && apt-get install -y jq; then - echo "jq installed successfully via apt-get." - elif yum install -y jq; then - echo "jq installed successfully via yum." - else - echo "ERROR: Failed to install jq. 
Please ensure jq is available in the CodeBuild image or install it manually." >&2 - exit 1 - fi -fi -echo "jq is available." - -# --- Create necessary directories --- -mkdir -p "$TOOL_CACHE_DIR" -mkdir -p "$INSTALL_DIR" -export PATH="$INSTALL_DIR:$PATH" # Add install dir to PATH for this script's session - -echo "Tool Cache Directory: $TOOL_CACHE_DIR" -echo "Installation Directory: $INSTALL_DIR" -echo "Updated PATH: $PATH" -echo "Required tools to process: $REQUIRED_TOOLS" -echo "TOOL_DEFINITIONS (first 200 chars): $(echo "$TOOL_DEFINITIONS" | cut -c 1-200)..." - -# --- Tool Installation Loop --- -for tool_name_var in $REQUIRED_TOOLS; do - # Use a subshell for per-tool variables to avoid conflicts and ensure clean state - ( - tool_name="$tool_name_var" - echo "--------------------------------------------------" - echo "Processing tool: $tool_name" - - tool_info=$(echo "$TOOL_DEFINITIONS" | jq -r --arg tn "$tool_name" '.[$tn]') - - if [ -z "$tool_info" ] || [ "$tool_info" == "null" ] || [ "$tool_info" == "{}" ] ; then - echo "ERROR: Tool '$tool_name' not found or has null/empty definition in TOOL_DEFINITIONS." >&2 - exit 1 # Exit subshell, which will cause the main script to exit due to \`set -e\` if subshell fails - fi - - # Extract tool details - # version=$(echo "$tool_info" | jq -r '.version // empty') # Version not strictly needed by script but good for logging - s3_key=$(echo "$tool_info" | jq -r '.s3_key // empty') - expected_checksum=$(echo "$tool_info" | jq -r '.checksum // empty') # SHA256 - archive_format=$(echo "$tool_info" | jq -r '.archive_format // empty') - # executable_path_in_archive is the path *inside* the archive to the executable file itself. - # If archive_format is 'binary', this is ignored. - # If archive_format is 'zip' or 'tar.gz' and this is empty/null, script defaults to tool_name. 
- executable_path_in_archive=$(echo "$tool_info" | jq -r '.executable_path_in_archive // empty') - - # Validate extracted details - if [ -z "$s3_key" ] || [ -z "$expected_checksum" ] || [ -z "$archive_format" ]; then - echo "ERROR: Missing one or more critical fields (s3_key, checksum, archive_format) for tool '$tool_name'." >&2 - echo "Tool Info Found: $tool_info" >&2 - exit 1 - fi - - # Determine the actual executable name within the archive if not specified - effective_executable_path_in_archive="$executable_path_in_archive" - if [[ "$archive_format" == "zip" || "$archive_format" == "tar.gz" ]] && \ - [[ -z "$executable_path_in_archive" || "$executable_path_in_archive" == "null" ]]; then - effective_executable_path_in_archive="$tool_name" - fi - - archive_filename=$(basename "$s3_key") - cached_archive_path="$TOOL_CACHE_DIR/$archive_filename" - s3_source_path="s3://${ARTIFACT_BUCKET}/${s3_key}" - target_executable_path="$INSTALL_DIR/$tool_name" # Final destination of the executable - - echo "Details for $tool_name:" - # echo " Version: $version" - echo " S3 Key: $s3_key" - echo " Expected SHA256: $expected_checksum" - echo " Archive Format: $archive_format" - echo " Executable path in archive (effective): $effective_executable_path_in_archive" - echo " Archive filename: $archive_filename" - echo " Cached archive path: $cached_archive_path" - echo " Target executable path: $target_executable_path" - - # --- Cache Check & Download --- - needs_download=true - if [ -f "$cached_archive_path" ]; then - echo "Cached archive $cached_archive_path found. Verifying checksum..." - actual_checksum=$(sha256sum "$cached_archive_path" | awk '{print $1}') - if [ "$actual_checksum" == "$expected_checksum" ]; then - echo "Checksum for cached $archive_filename is VALID." - needs_download=false - else - echo "Checksum MISMATCH for cached $archive_filename. Expected: $expected_checksum, Got: $actual_checksum. Re-downloading." 
- rm -f "$cached_archive_path" - fi - else - echo "Archive $archive_filename not found in cache: $cached_archive_path. Downloading." - fi - - if [ "$needs_download" == true ]; then - echo "Downloading $tool_name from $s3_source_path to $cached_archive_path..." - if ! aws s3 cp "$s3_source_path" "$cached_archive_path"; then - echo "ERROR: Failed to download $tool_name from S3." >&2 - exit 1 - fi - echo "Download complete. Verifying checksum of downloaded file..." - actual_checksum=$(sha256sum "$cached_archive_path" | awk '{print $1}') - if [ "$actual_checksum" != "$expected_checksum" ]; then - echo "ERROR: Checksum MISMATCH for downloaded $archive_filename. Expected: $expected_checksum, Got: $actual_checksum." >&2 - rm -f "$cached_archive_path" - exit 1 - fi - echo "Checksum for downloaded $archive_filename is VALID." - fi - - # --- Extraction & Installation --- - echo "Installing $tool_name from $cached_archive_path to $target_executable_path..." - # Ensure target is clean for binary moves/copies - rm -f "$target_executable_path" - # Create a temporary directory for extraction to keep $TOOL_CACHE_DIR clean from extracted files - temp_extract_dir=$(mktemp -d -p "$TOOL_CACHE_DIR" "tmp_extract_${tool_name}_XXXXXX") - - extracted_executable_source_path="" # Path to the executable *after* extraction - - if [ "$archive_format" == "zip" ]; then - unzip -o "$cached_archive_path" -d "$temp_extract_dir" > /dev/null - extracted_executable_source_path="$temp_extract_dir/$effective_executable_path_in_archive" - elif [ "$archive_format" == "tar.gz" ]; then - # tar -xzf "$cached_archive_path" -C "$temp_extract_dir" "$effective_executable_path_in_archive" # This only extracts the specific file - tar -xzf "$cached_archive_path" -C "$temp_extract_dir" > /dev/null # Extract all - extracted_executable_source_path="$temp_extract_dir/$effective_executable_path_in_archive" - elif [ "$archive_format" == "binary" ]; then - # For binary, the "archive" is the executable itself. 
Copy it to the temp dir first for consistency. - cp "$cached_archive_path" "$temp_extract_dir/$tool_name" - extracted_executable_source_path="$temp_extract_dir/$tool_name" - else - echo "ERROR: Unknown archive format '$archive_format' for $tool_name." >&2 - rm -rf "$temp_extract_dir" - exit 1 - fi - - if [ ! -f "$extracted_executable_source_path" ]; then - echo "ERROR: Executable for $tool_name not found at '$extracted_executable_source_path' after extraction." >&2 - echo "Contents of $temp_extract_dir:" >&2 - ls -lR "$temp_extract_dir" >&2 - rm -rf "$temp_extract_dir" - exit 1 - fi - - echo "Moving '$extracted_executable_source_path' to '$target_executable_path'" - mv "$extracted_executable_source_path" "$target_executable_path" - chmod +x "$target_executable_path" - - # Clean up temporary extraction directory - rm -rf "$temp_extract_dir" - - echo "$tool_name installed successfully to $target_executable_path." - - # --- Verification (Optional but Recommended) --- - echo "Verifying $tool_name installation..." - if command -v $tool_name &> /dev/null; then - echo "Attempting to get version for $tool_name..." - # Try common version flags, redirect stderr to stdout for capture, take first line - if $tool_name --version &> /dev/null; then - echo "$($tool_name --version 2>&1 | head -n 1)" - elif $tool_name version &> /dev/null; then - echo "$($tool_name version 2>&1 | head -n 1)" - elif $tool_name -version &> /dev/null; then # e.g. Java - echo "$($tool_name -version 2>&1 | head -n 1)" - elif $tool_name -v &> /dev/null; then # e.g. Go - echo "$($tool_name -v 2>&1 | head -n 1)" - else - echo "$tool_name is callable, but version command is unknown or failed. Assuming successful installation." - fi - else - echo "ERROR: $tool_name command not found in PATH after installation attempt to $target_executable_path." >&2 - exit 1 - fi - ) || exit 1 # If subshell fails, exit the main script -done - -echo "--- Tool Management Script (manage_tools.sh) Finished Successfully ---" 
diff --git a/buildspecs/scripts/pip-cert.pem b/buildspecs/scripts/pip-cert.pem deleted file mode 100644 index 319b7643..00000000 --- a/buildspecs/scripts/pip-cert.pem +++ /dev/null 
@@ -1,323 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFszCCA5ugAwIBAgIQGVCQdFyalIVHZ1OchWiMYDANBgkqhkiG9w0BAQwFADBs -MRMwEQYKCZImiZPyLGQBGRYDR292MRYwFAYKCZImiZPyLGQBGRYGQ2Vuc3VzMQww -CgYDVQQLEwNUQ08xDDAKBgNVBAsTA1BLSTEhMB8GA1UEAxMYVVMgQ2Vuc3VzIEJ1 -cmVhdSBSb290IENBMB4XDTE5MDcyNTE4MTAyOVoXDTI5MDcyNTE4MjAyN1owbDET -MBEGCgmSJomT8ixkARkWA0dvdjEWMBQGCgmSJomT8ixkARkWBkNlbnN1czEMMAoG -A1UECxMDVENPMQwwCgYDVQQLEwNQS0kxITAfBgNVBAMTGFVTIENlbnN1cyBCdXJl -YXUgUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMWX8I9p -slFaUueuPpEFExgqKcGgoyTOBxFUCXNBnucL3cKRx9MC47kWOwQ94WYvI3LMcehC -6pOwIf5AuhrIdVrJaHSz317ENuDaiur9/qN3fBRidijHphynR/rwJSxiI3VQtj8G -SO4JmCA8dMsKayIl1RiKlQHPoNnSWyDEspAfenr0qq7PzbjKOEPXoO4eXO0plfB3 -aYd+qMRwHKQre4gRGpMfWu1w5JZqFItbXE/RSC38SoZWjkcMcjyTCDTSGY+j/aJw -SHx98riQ8SLQszL5Be0AmF0KHwMZNOsoaa5u/bF++g207W9guLVgO2Ak5D4Unyo3 -D7kcFSuBOVYdeT0XRi3iD0AwEkoCsVzeEOIqjAasj6hYD43O8GjfHpwGpAeASqTT -nbDajtuTsJrrBlLwpz49J5dihJ3Ah7jTirzQciEUZTXv3L7XpdBlt3/sv73Gn0F6 -jZPDANmHIfNHz0xWa9iES9sLPKln9cjnkJs/QlpooTJSrVuovGyzsbu1mb7PfBji -IMF8lVptjQYaWvvMXqXNx2+L6+uBVkEfmuZIs7Xen4ZNz4NP5MixTs3Tq2h81Hym -TbIlJUtSdwZ98jsX6YLerBYYMPawtSIH4Yfdq/Wpt7IHED47dTWdFfC0peqYfHIN -PoRG+eFYq5nHxadkGaifElPnNdvGblRLDj27AgMBAAGjUTBPMAsGA1UdDwQEAwIB -hjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTHXiB3QZv2GiBSkErqGoOT8cOr -HjAQBgkrBgEEAYI3FQEEAwIBADANBgkqhkiG9w0BAQwFAAOCAgEAdXsv6igAKGnq -VS79nePbjGj2Z+SFdM2jRVibv06mWR3uVqFNCz2zqlIXzX7PJmK7HycWDK82UWMh -8J0cn1O+PYWFalzhPWk7t1c6EK8wV63/iKj+voqNwZWL7L1/EQiQ8B4OPIyf7v5Y -j3/jqrvufLgGCyz+0JhBY8CBEGZ1knijrHxTv0DOV0ykKI0OpUIes+8SOTdszTDb -XujzE4ekSRTDqWJOCbsQb3KbBUr/k8APVq/Ir/xmS1WmauyP3zBIxMlPMmu9XTw/ -5nRUKKQe8FrVHELLO32iS+6bqdTNmkD7z/VyzWmBA0FVt8upD6Bs8U/bHjoiL/Jk -W3BQ6owq7u+B5w/Cl+WsgQcgVlDLlBZWMKnEng1n2MhqUnzf0dDGA99vrzLPVcPT -yoexQe1E1Y2EoORgaGbsnjkRTwppUnpnxkWrzObBieYB1ir0rRTbKS5hgwXu55Uc -6ypmCLUnQaDVWIZyKKwtmr4n/rX5KJPxj/zT0F+jH1WDyMDVg6jYyu1HIPcABkAU -OlsSr7Tfct75/JGf18oPSFMkV1kzeLUK21vflcMp+ZK0m2TRZyCLvMB/lEsRjsSM 
-wrgYk7cR14RqJ+RTA7IJqFQfNAXqV1ra+stZYYoLI83oK4shOhHLiO9lR6hSi43f -0w7ALm+8qd1Ih+E5BjmKBJAEFB5Zyzs= ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIF1jCCA76gAwIBAgITLgAAAAmcP+bslIv04AAAAAAACTANBgkqhkiG9w0BAQwF -ADBsMRMwEQYKCZImiZPyLGQBGRYDR292MRYwFAYKCZImiZPyLGQBGRYGQ2Vuc3Vz -MQwwCgYDVQQLEwNUQ08xDDAKBgNVBAsTA1BLSTEhMB8GA1UEAxMYVVMgQ2Vuc3Vz -IEJ1cmVhdSBSb290IENBMB4XDTE5MDgwNjE1MDc0NVoXDTI0MDgwNjE1MTc0NVow -YTETMBEGCgmSJomT8ixkARkWA2dvdjEWMBQGCgmSJomT8ixkARkWBmNlbnN1czES -MBAGCgmSJomT8ixkARkWAmFkMR4wHAYDVQQDExVVUyBDZW5zdXMgQnVyZWF1IENB -IDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCiUqJa4e90dNdAFC0W -ju9arRst3FchtNxT0ZPdg/2UpDFN35PFBQ4G1RJxGVGuhpkRmqLdtI9t9BQHZ/tk -QZ6ELJRJVxQMPONBuoXlUbnS3CHwDT5+YIvVZr3jHjv96tq6C2SYJ1BNeqDYjhdK -gF3WXUJpb6lbAwZtv7aHZUSVXcnW/hCkfI2aRZoGXCcgi6hbcJRC74HCGW0eLtCZ -M0Y5+lEGdKLAOiIsl4kea+34Uh5eHjIp9LHCicIfx+5RT5xor4hOJldu2pOmjzrg -FBCz59/5wZHIyQCHOu92p/VGO9eeCxCDlT8DWa78c2HjCnf0FvymlxoHPdH89Rhv -idPFAgMBAAGjggF6MIIBdjAQBgkrBgEEAYI3FQEEAwIBATAjBgkrBgEEAYI3FQIE -FgQUNDptGIuzWncMER7QFKnL+JZPMwswHQYDVR0OBBYEFMSLwaPcjo2CqYcxhzj8 -U1q1Px/KMBkGCSsGAQQBgjcUAgQMHgoAUwB1AGIAQwBBMAsGA1UdDwQEAwIBhjAS -BgNVHRMBAf8ECDAGAQH/AgEBMB8GA1UdIwQYMBaAFMdeIHdBm/YaIFKQSuoag5Px -w6seMFoGA1UdHwRTMFEwT6BNoEuGSWh0dHA6Ly9wa2kudGNvLmNlbnN1cy5nb3Yv -Q2VydEVucm9sbC9VUyUyMENlbnN1cyUyMEJ1cmVhdSUyMFJvb3QlMjBDQS5jcmww -ZQYIKwYBBQUHAQEEWTBXMFUGCCsGAQUFBzAChklodHRwOi8vcGtpLnRjby5jZW5z -dXMuZ292L0NlcnRFbnJvbGwvVVMlMjBDZW5zdXMlMjBCdXJlYXUlMjBSb290JTIw -Q0EuY3J0MA0GCSqGSIb3DQEBDAUAA4ICAQAvLJiXBncvqEq2WjU4CtvB+g9GKgna -MIeu8D41/BdkhTpLR/Cus6Oq+N18cCyyBHNCPS4pz/cDzyzQvNMIDTP7tpcTwEfc -QW/WgPvfJtEmzOaRtNeSBBci1bySX4OMKnzB9ZQbGphaqYaVAG6n+NLCkg1MSvqK -cexAf8wkAJyjx2YOUh+xqwhXRE6UKlc9TVK0b2anVtg4FLNiUznZ6KerEKXx/wxv -XvOZRAY902P2FIRY9qbkEdAshNSA5HlY27pbdH4eZCTyk5uSTlIZQRtngL6w1Gy8 -Xh70AIv+kj38iKp8N4VgksHWS0Viw3Cg4h+3/hY08E/uLCzUKjdZt9I46bM1YKMv -K2LUA8xrWp0IN+wcdp2UUrAlVSHEp6LW+NR+VHtl0QiMYjXA+AvkoRvcoEotgeZP 
-mqfK9auR+3WiDUrkVLzPoPMQHWE9QXt+eErzBh+YXqqvPgPBGqA25CGwzyrs8iBT -jlhbJArFNO6KzQUwyf/Vw3dwX5oOebGuoh+KX9yRaN+q1ZqqWL1Jn40NXF8KQyLk -Ro4c9m+fpkTWhuxW6zW8YIbnmtNDk2X3YfAY1dIKAUIW24Si0SMka8pC2d9qaL2m -fyD0JoF+49cPDtTNHsUP5QR3a+JjqAT8haladoSyiNmO24ysueI7sg9A+zY8oJrM -Gi2tB39Jg7J6/w== ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIF1jCCA76gAwIBAgITLgAAAApfi2u0+zjcuQAAAAAACjANBgkqhkiG9w0BAQwF -ADBsMRMwEQYKCZImiZPyLGQBGRYDR292MRYwFAYKCZImiZPyLGQBGRYGQ2Vuc3Vz -MQwwCgYDVQQLEwNUQ08xDDAKBgNVBAsTA1BLSTEhMB8GA1UEAxMYVVMgQ2Vuc3Vz -IEJ1cmVhdSBSb290IENBMB4XDTE5MDgwNjE1MDc0M1oXDTI0MDgwNjE1MTc0M1ow -YTETMBEGCgmSJomT8ixkARkWA2dvdjEWMBQGCgmSJomT8ixkARkWBmNlbnN1czES -MBAGCgmSJomT8ixkARkWAmFkMR4wHAYDVQQDExVVUyBDZW5zdXMgQnVyZWF1IENB -IDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDFLt4b/8hnKu0yk7IC -C0qY8gAF20DZrbE6rILe2quYeSQcztIw3H6K2+uAsvpCRjRc4+ra+bKQWLpTv5gP -6l6iDMlun3po1+Qqlga4S4/kJMoYP52AbcdHog33vdvpmtRhL2WLBdHfXLfahVx3 -OB1WkrZMFP4T3L4mTo8SW4abdIf5Q7SmClrHzy+znv4jhKEU9tiY7NXJBCINETx3 -5B8PE8F0r1s0Mv+yhoDHWk2Poa/rC+CrXZ+NdzWfI2ajUc1Nb2b+6f4Wrpc9qC+a -kxYywDcrUoGnwqJYDoIFZY2ErqTQUw7JGQkG/i+7gYs+VaHPcD3DNQq3iFzab26I -0vG5AgMBAAGjggF6MIIBdjAQBgkrBgEEAYI3FQEEAwIBATAjBgkrBgEEAYI3FQIE -FgQU6ZLQoy5LJaVqTI5Em9TBptKdLmAwHQYDVR0OBBYEFOpnUT2Oc868n6qxmUrj -FdfUn3tOMBkGCSsGAQQBgjcUAgQMHgoAUwB1AGIAQwBBMAsGA1UdDwQEAwIBhjAS -BgNVHRMBAf8ECDAGAQH/AgEBMB8GA1UdIwQYMBaAFMdeIHdBm/YaIFKQSuoag5Px -w6seMFoGA1UdHwRTMFEwT6BNoEuGSWh0dHA6Ly9wa2kudGNvLmNlbnN1cy5nb3Yv -Q2VydEVucm9sbC9VUyUyMENlbnN1cyUyMEJ1cmVhdSUyMFJvb3QlMjBDQS5jcmww -ZQYIKwYBBQUHAQEEWTBXMFUGCCsGAQUFBzAChklodHRwOi8vcGtpLnRjby5jZW5z -dXMuZ292L0NlcnRFbnJvbGwvVVMlMjBDZW5zdXMlMjBCdXJlYXUlMjBSb290JTIw -Q0EuY3J0MA0GCSqGSIb3DQEBDAUAA4ICAQCYQm6VusLYzHy9PM0P4dSkHSUVGug+ -8Q/Gn1qQ+pejTpx0fR+pxq8DP8Ua3qgWsIz3scrONairxWVUW5AA4E0VXU0fO6n+ -4DLdJnwwIEIkV410p5w79l9Dl2NiI31Ijv0Y8PwEzXmcSvcz1Qc05TyRV+1yv6Uh -nHfnu4kHXj26NOOsPjrEJ60l0tcOT4p3edkwYRf3XzQ19k4ITEBeYF76y1FX8H+W -RTIjQNr8BXUVt+afJZXgUgSB0xHfSRBhTUXiFvKbs1BpICNQmhbFIaz7GJZkvx9r 
-b+7Um2EQNIQKxoe4rG4mar62Ux3k0i9o8O9nccQSl9VCuSvTyCmtpKpsKRRitMf2 -vBQ9D14p5pzDdFZQC75B8lkibXpuk8fQ3/CIMqK4547wIO8tgz4wqN8ID4tEBgqZ -Fot9XSJpDAZHYKx5GWVwKmhqwefACqqASjHR8NVakAd3EkcQ06SEzGYTTq2duWhi -fOxpJKtMtw9JTfbOG9Az28rRWGCk1vVHmtkVHApD3XdAV3RG6w/AqjNu/IY70fmd -wULhegJxbVdQucgwR4WyNbx7hCJYvoEyL5L7ZQwBpFXHnOI7wJFGw2eo5xIUehUS -4jPpb2OolWHEOjMkEkRfgfrJsnt/blpKXRmYRFUd1+c5VBOtsaYv3iYArxZziQxf -pR508zEDCd9cRQ== ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIFsjCCA5qgAwIBAgITLgAAAAvaREPe3QGJiAAAAAAACzANBgkqhkiG9w0BAQwF -ADBsMRMwEQYKCZImiZPyLGQBGRYDR292MRYwFAYKCZImiZPyLGQBGRYGQ2Vuc3Vz -MQwwCgYDVQQLEwNUQ08xDDAKBgNVBAsTA1BLSTEhMB8GA1UEAxMYVVMgQ2Vuc3Vz -IEJ1cmVhdSBSb290IENBMB4XDTE5MDgwNjE1MDc0MVoXDTI0MDgwNjE1MTc0MVow -YjETMBEGCgmSJomT8ixkARkWA2dvdjEWMBQGCgmSJomT8ixkARkWBmNlbnN1czET -MBEGCgmSJomT8ixkARkWA2VhZDEeMBwGA1UEAxMVVVMgQ2Vuc3VzIEJ1cmVhdSBD -QSAzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxA+7bWM9ZExFO/ZN -uFodd+ktg0TWojeV8QJTYAdtwzMquqDl/zMLgkHPD8xC730qMdKB6Df74i3moN5c -6h9S087T0tdf02U0J95AfO06oZiaGNzq/zacINhfbxWf2ZAyZCiwpcQL3w3uAjS1 -MK++iC8ZWDBnd5z64ewCDFS8d9FD5RrJ0GxGCcC4IJ8DyhOq7i3a/Td29wLTP1wz -QuFLVD/5JFWirqnJwgqVVEUdzf8ZK3MSk9DAZcIjY/mIZgnnZ+ukcD0TtYkOnPU7 -j7EGeqo6Jby3T75p4x3uRlNaEKAqXBqiu7bVx+T0cTtuJEjtw4l/8WEGEFGI6Jfs -0Du9+QIDAQABo4IBVTCCAVEwEAYJKwYBBAGCNxUBBAMCAQAwHQYDVR0OBBYEFCB4 -OetP7QLwgNqbXIDospFC1inEMBkGCSsGAQQBgjcUAgQMHgoAUwB1AGIAQwBBMAsG -A1UdDwQEAwIBhjASBgNVHRMBAf8ECDAGAQH/AgEBMB8GA1UdIwQYMBaAFMdeIHdB -m/YaIFKQSuoag5Pxw6seMFoGA1UdHwRTMFEwT6BNoEuGSWh0dHA6Ly9wa2kudGNv -LmNlbnN1cy5nb3YvQ2VydEVucm9sbC9VUyUyMENlbnN1cyUyMEJ1cmVhdSUyMFJv -b3QlMjBDQS5jcmwwZQYIKwYBBQUHAQEEWTBXMFUGCCsGAQUFBzAChklodHRwOi8v -cGtpLnRjby5jZW5zdXMuZ292L0NlcnRFbnJvbGwvVVMlMjBDZW5zdXMlMjBCdXJl -YXUlMjBSb290JTIwQ0EuY3J0MA0GCSqGSIb3DQEBDAUAA4ICAQCGmm3uxuTvZcWm -ihlWtSa/0H88MM3ubcOAqYmNHWCzynemR9CxUZfuR/qi8HvRKHm5HwDVT1LtL3Wf -K+9Lc7mcBHStZUdNgINVsqZzNi1L54v/UD3lAu79M/yh16DREvEnWLlc1CUhti+Q -P6aooRfF1VIAzoNZz3iUBj43uRJLewYhlFYRy8GFzRhoKJ/HNZI9nqlV7notKtvV 
-P2Ae++stlTGzrUEYi91tgJdoSOKweDg4EDjEr4y51yY2l8eJJTXtRRIMDdtv1wbF -XVpxcbWDvAFmYKFjpspaEiD3gAEdSDGcCv23KGFxZCMw5Chblg2drWCSCbJQ2VE/ -XiHcHGxrTQVru+ocZgEqH600BDAC+/nrVP1lJyfKsY2KUh9X/vzbAbx7r45l7LJh -Q173miuG1Hjm60OEtUsNobtVOG/TCxqHflRuMgVK5mGb00Hu5SxMel/ma5bhvWCS -ZQIYEIwo2b6GBicTuhHhBo0e4BdA3vvz8WroUTiezmMo8BveyYViqyWFCB26Wvhy -NB4pfg+GFfTl0wiHSpc1RfBFuoohkGgUMt0ci0jJp1ofb6MeK+p3DqBfKyhQiz+7 -EsgudLUeALpj38b5mWjvN17YBby5suRJnH8lv7+Z1nooo+MqapZZyrRu56PtEBJM -3m7NDAL9JACMk8yF5WDToKtcPuTgpg== ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIF0zCCA7ugAwIBAgITLgAAAA+ydH8TcbjZAgAAAAAADzANBgkqhkiG9w0BAQwF -ADBsMRMwEQYKCZImiZPyLGQBGRYDR292MRYwFAYKCZImiZPyLGQBGRYGQ2Vuc3Vz -MQwwCgYDVQQLEwNUQ08xDDAKBgNVBAsTA1BLSTEhMB8GA1UEAxMYVVMgQ2Vuc3Vz -IEJ1cmVhdSBSb290IENBMB4XDTIyMDkyMjE0NDQwOFoXDTI3MDkyMjE0NTQwOFow -YTETMBEGCgmSJomT8ixkARkWA2dvdjEWMBQGCgmSJomT8ixkARkWBmNlbnN1czES -MBAGCgmSJomT8ixkARkWAmFkMR4wHAYDVQQDExVVUyBDZW5zdXMgQnVyZWF1IENB -IDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCiUqJa4e90dNdAFC0W -ju9arRst3FchtNxT0ZPdg/2UpDFN35PFBQ4G1RJxGVGuhpkRmqLdtI9t9BQHZ/tk -QZ6ELJRJVxQMPONBuoXlUbnS3CHwDT5+YIvVZr3jHjv96tq6C2SYJ1BNeqDYjhdK -gF3WXUJpb6lbAwZtv7aHZUSVXcnW/hCkfI2aRZoGXCcgi6hbcJRC74HCGW0eLtCZ -M0Y5+lEGdKLAOiIsl4kea+34Uh5eHjIp9LHCicIfx+5RT5xor4hOJldu2pOmjzrg -FBCz59/5wZHIyQCHOu92p/VGO9eeCxCDlT8DWa78c2HjCnf0FvymlxoHPdH89Rhv -idPFAgMBAAGjggF3MIIBczAQBgkrBgEEAYI3FQEEAwIBAjAjBgkrBgEEAYI3FQIE -FgQUFE9/OhOsohsjHyLcCd1NqTNkdQYwHQYDVR0OBBYEFMSLwaPcjo2CqYcxhzj8 -U1q1Px/KMBkGCSsGAQQBgjcUAgQMHgoAUwB1AGIAQwBBMAsGA1UdDwQEAwIBhjAP -BgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFMdeIHdBm/YaIFKQSuoag5Pxw6se -MFoGA1UdHwRTMFEwT6BNoEuGSWh0dHA6Ly9wa2kudGNvLmNlbnN1cy5nb3YvQ2Vy -dEVucm9sbC9VUyUyMENlbnN1cyUyMEJ1cmVhdSUyMFJvb3QlMjBDQS5jcmwwZQYI -KwYBBQUHAQEEWTBXMFUGCCsGAQUFBzAChklodHRwOi8vcGtpLnRjby5jZW5zdXMu -Z292L0NlcnRFbnJvbGwvVVMlMjBDZW5zdXMlMjBCdXJlYXUlMjBSb290JTIwQ0Eu -Y3J0MA0GCSqGSIb3DQEBDAUAA4ICAQCdYsU2TVWTAzVjqPqlO+PtxTcoDxBjlvo+ 
-L519/iTxzlcz0Kiao83fGhsSitzNf0LsSTOWrAuCprX0sn5If4pasZKqVp+ZJnjF -H9Wpi/4gsaCtvY3V4Hm5ZS1BffUHrre/kR//pn9f2Axu3tTVfHNAEVr0kRvq9wPD -yMe5BzLtm9amOwFvAYP/69zXk4ig88mbOmXjK+EC5AUzwBhg9oI/Kv2AeLbKx+nr -DuguMe6RCp4NXBS1X3/cjRN37+ayJEHynFdWKiVNcvxABVFLGVHBA4fMD9kTjT2a -cf413mhywUcVTfpoj/94Kcqvl3oxgHWGIig9RWExMkvmrkYT5hGqfws+NIGrCGaZ -GA0cUYAY5cbkAg8If3Htt4aSCdTu6g/RbatMFND2GURO2fHPajBILBiDxCJM6OmT -SUQPghQC3QvE48CM5J6KAjPosGh8Ay454FhKv0ShvhKTaHzN6anBih8AbwU5G8iP -XeoNY+jZbkv1gBJ4J+8nffm1n5aFbssbxazppqTLpFDXimduWUxSXZbjwGGwHc7G -FmLj14c8og+ItE+meToVXt6oFSF9hkri5Lmanen9SqU9IPgxiTv91olwmXW6d/3Y -D202odbWVpAIIjiVJngfyOulCeEQsz5WjmPyIjFkXNz8NiwAJSJu1XtBtAMdaCDe -6z6OUG7UaQ== ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIF0zCCA7ugAwIBAgITLgAAABDGRuhzKgVoqQAAAAAAEDANBgkqhkiG9w0BAQwF -ADBsMRMwEQYKCZImiZPyLGQBGRYDR292MRYwFAYKCZImiZPyLGQBGRYGQ2Vuc3Vz -MQwwCgYDVQQLEwNUQ08xDDAKBgNVBAsTA1BLSTEhMB8GA1UEAxMYVVMgQ2Vuc3Vz -IEJ1cmVhdSBSb290IENBMB4XDTIyMDkyMjE0NDUxN1oXDTI3MDkyMjE0NTUxN1ow -YTETMBEGCgmSJomT8ixkARkWA2dvdjEWMBQGCgmSJomT8ixkARkWBmNlbnN1czES -MBAGCgmSJomT8ixkARkWAmFkMR4wHAYDVQQDExVVUyBDZW5zdXMgQnVyZWF1IENB -IDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDFLt4b/8hnKu0yk7IC -C0qY8gAF20DZrbE6rILe2quYeSQcztIw3H6K2+uAsvpCRjRc4+ra+bKQWLpTv5gP -6l6iDMlun3po1+Qqlga4S4/kJMoYP52AbcdHog33vdvpmtRhL2WLBdHfXLfahVx3 -OB1WkrZMFP4T3L4mTo8SW4abdIf5Q7SmClrHzy+znv4jhKEU9tiY7NXJBCINETx3 -5B8PE8F0r1s0Mv+yhoDHWk2Poa/rC+CrXZ+NdzWfI2ajUc1Nb2b+6f4Wrpc9qC+a -kxYywDcrUoGnwqJYDoIFZY2ErqTQUw7JGQkG/i+7gYs+VaHPcD3DNQq3iFzab26I -0vG5AgMBAAGjggF3MIIBczAQBgkrBgEEAYI3FQEEAwIBAjAjBgkrBgEEAYI3FQIE -FgQUxgMHEbdrxtDC64yaqubXVeW060owHQYDVR0OBBYEFOpnUT2Oc868n6qxmUrj -FdfUn3tOMBkGCSsGAQQBgjcUAgQMHgoAUwB1AGIAQwBBMAsGA1UdDwQEAwIBhjAP -BgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFMdeIHdBm/YaIFKQSuoag5Pxw6se -MFoGA1UdHwRTMFEwT6BNoEuGSWh0dHA6Ly9wa2kudGNvLmNlbnN1cy5nb3YvQ2Vy -dEVucm9sbC9VUyUyMENlbnN1cyUyMEJ1cmVhdSUyMFJvb3QlMjBDQS5jcmwwZQYI -KwYBBQUHAQEEWTBXMFUGCCsGAQUFBzAChklodHRwOi8vcGtpLnRjby5jZW5zdXMu 
-Z292L0NlcnRFbnJvbGwvVVMlMjBDZW5zdXMlMjBCdXJlYXUlMjBSb290JTIwQ0Eu -Y3J0MA0GCSqGSIb3DQEBDAUAA4ICAQB/Kn2/ohaTr4XDgu5msLiKzjA3Rqb4Wf4r -FmzpJXcaB9N4Tyg19qgZ9l57AVDO6DWlXBENY+FXERe/qrvhFawZqActT7dPqJJv -Z30hwBcXc8ELjNxVp54MDJfd2oHUkXwJ46i1GphHfie0Q/csoraRpf/DjXuaruxM -Vgt4Roo6zBGf2nSCfqVLR2NZ93orfSybg5g2eutYuftkd5tzbcxdhHlTlhhbNpIV -quVaT46hN1h/q1bMmS4bGBdLUQggY5BtY9RM4gDhcyh1K8k5auM+uPyWqnnd10wI -vuRSu2zNueWlqVstSTbnZdf138nssj+MzN8xcmn+mXH7z8COXwhJLBKRr7Xg7l7G -UMmc86eYbmpphs3LhzZNMooAGUedm15Ln1u9wgywtP6CbpvBVIcSxmjJeiN6bXy6 -dtbZCCziijO1UehOqc81jZy/jdG158D0WfOumNkx1biGwZ/YR+oGslaSkMr58e/7 -abPBMlQmDwvlTWeiUqMZJAzNHk13c8jSeMtaGXtE9D9Sv2oPVGwjeB2krn1Lb8uU -YeEl0YmQ2W1GpoYC4zU7gnnNjSbLr13L8Gjsmk9FYy4HWDRgJvAvF2O3DldldxP2 -MurPmXriFtEUNo4e1UKJciPJlYChWz1/0Hwncab8AWaw3MPkyYpELKis+vTELriO -iHAYOPwOJg== ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIF1DCCA7ygAwIBAgITLgAAAA4zbBR3VlxWyAAAAAAADjANBgkqhkiG9w0BAQwF -ADBsMRMwEQYKCZImiZPyLGQBGRYDR292MRYwFAYKCZImiZPyLGQBGRYGQ2Vuc3Vz -MQwwCgYDVQQLEwNUQ08xDDAKBgNVBAsTA1BLSTEhMB8GA1UEAxMYVVMgQ2Vuc3Vz -IEJ1cmVhdSBSb290IENBMB4XDTIyMDIyODE3NTUxOFoXDTI3MDIyODE4MDUxOFow -YjETMBEGCgmSJomT8ixkARkWA2dvdjEWMBQGCgmSJomT8ixkARkWBmNlbnN1czET -MBEGCgmSJomT8ixkARkWA2VhZDEeMBwGA1UEAxMVVVMgQ2Vuc3VzIEJ1cmVhdSBD -QSAzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxA+7bWM9ZExFO/ZN -uFodd+ktg0TWojeV8QJTYAdtwzMquqDl/zMLgkHPD8xC730qMdKB6Df74i3moN5c -6h9S087T0tdf02U0J95AfO06oZiaGNzq/zacINhfbxWf2ZAyZCiwpcQL3w3uAjS1 -MK++iC8ZWDBnd5z64ewCDFS8d9FD5RrJ0GxGCcC4IJ8DyhOq7i3a/Td29wLTP1wz -QuFLVD/5JFWirqnJwgqVVEUdzf8ZK3MSk9DAZcIjY/mIZgnnZ+ukcD0TtYkOnPU7 -j7EGeqo6Jby3T75p4x3uRlNaEKAqXBqiu7bVx+T0cTtuJEjtw4l/8WEGEFGI6Jfs -0Du9+QIDAQABo4IBdzCCAXMwEAYJKwYBBAGCNxUBBAMCAQEwIwYJKwYBBAGCNxUC -BBYEFE2wPwIWNvlAbZy05X4kklJu09q8MB0GA1UdDgQWBBQgeDnrT+0C8IDam1yA -6LKRQtYpxDAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYw -DwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBTHXiB3QZv2GiBSkErqGoOT8cOr -HjBaBgNVHR8EUzBRME+gTaBLhklodHRwOi8vcGtpLnRjby5jZW5zdXMuZ292L0Nl 
-cnRFbnJvbGwvVVMlMjBDZW5zdXMlMjBCdXJlYXUlMjBSb290JTIwQ0EuY3JsMGUG -CCsGAQUFBwEBBFkwVzBVBggrBgEFBQcwAoZJaHR0cDovL3BraS50Y28uY2Vuc3Vz -Lmdvdi9DZXJ0RW5yb2xsL1VTJTIwQ2Vuc3VzJTIwQnVyZWF1JTIwUm9vdCUyMENB -LmNydDANBgkqhkiG9w0BAQwFAAOCAgEAjDWz6k+6ModUkHRJgTjv8nHfPJv1qI9d -WUejF3YSwU6ExE44C5C2oEXPtEAWR+LiEsW+U4ZZ8Zgi/F5qI3AblQbNXDplAbo/ -6UoKeieBftV5cf7WgbdFoVFuX2HppSVrDQPf4t6DpCM6qVs8/EIrBQOeKhVckhB1 -XgiuFTb3sRoOmWvRramBf3xp7WJ1P4T76gBUg2I6GMFV3EO/mv8XWM9QzFZ1nFOQ -z8/zRa1x53WuAc36d8ESGqL0ZxjNjSNU/HtpJnwtYj3hzJIsYgm938nU5p1diF00 -C89+a0CKkVnL7JW6tC8MQqnyE7TBBWjSmssxa4FHT753W/NaU6JVIJqOwuGTTenv -bQlHi+NxfqL0alNXX3ukUNDPB5XfGWCEBMGZ9xUNDXdxTS7lJzZGAddjqu94e5gd -KgDiEq52RQgkbZ8d+DYwpo/4XY7rj/bC4jvVXUhVd8E/NAbzTSo3VppK0pi/wDri -lm4p8WlzrCoGTVPeiZdCApa/bOoaq+X7/vN4HDUakJZFEPfxIwznfJbDEu7hrVE3 -fck3YuSBrQx6yYtmpLEnybaB5so0w+djeswxBVQSlBODYhrMFW+l3VIRa9PqHQWw -8TvAglbHxFUWWtlHBbwXgVdOqAVlh1LHU8mfbtkY8D4h+iXk+4nvBY1aKdDaZFTB -kDgqyXZwIww= ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIFSDCCBDCgAwIBAgIJAMn9gqHMdnl3MA0GCSqGSIb3DQEBBQUAMIGfMQswCQYD -VQQGEwJVUzERMA8GA1UECBMITWFyeWxhbmQxGzAZBgNVBAoTElUuUy4gQ2Vuc3Vz -IEJ1cmVhdTEiMCAGA1UECxMZVGVsZWNvbW11bmljYXRpb25zIE9mZmljZTEaMBgG -A1UEAxMRY2EudGNvLmNlbnN1cy5nb3YxIDAeBgkqhkiG9w0BCQEWEWNhQHRjby5j -ZW5zdXMuZ292MB4XDTEyMDgxNTE2MTM0OFoXDTMyMDgxMDE2MTM0OFowgZ8xCzAJ -BgNVBAYTAlVTMREwDwYDVQQIEwhNYXJ5bGFuZDEbMBkGA1UEChMSVS5TLiBDZW5z -dXMgQnVyZWF1MSIwIAYDVQQLExlUZWxlY29tbXVuaWNhdGlvbnMgT2ZmaWNlMRow -GAYDVQQDExFjYS50Y28uY2Vuc3VzLmdvdjEgMB4GCSqGSIb3DQEJARYRY2FAdGNv -LmNlbnN1cy5nb3YwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDSqB5S -s674S6Hnpnl+/cT3OLrUCmuM1KZs+Uo5EsFcZzm4Me/XiF8izGSydFtAKFRbyyk5 -j/K5WLGxo7Ix6eCA1PZXWu6aJOfMmPRb1LaeIst1IlSCpjUoZ8pl60fjYLtbEK79 -STM/nrdV0E2EqcJu7dfzMB1oK96NG6tu8C7m7UgIbSv15NDapgDhyril6J4wVQJU -DOUGRbWjv0Qo6Re0NPBkRFf3owToopNQlQSGZU2UnUehheqXPzk4VQisPrhcVsbg -iu4c98gjtGHK1k2DyJOwsFq2hWmAByLZLJXR7pTqv7Ue8gogFl/ggbvuWrKlVmCh -wKln1pPSLYZ/txTZAgMBAAGjggGDMIIBfzA4BgNVHR8EMTAvMC2gK6AphidodHRw 
-Oi8vY2EuYXBwcy50Y28uY2Vuc3VzLmdvdi9jZXJ0cy9jcmwwHQYDVR0OBBYEFA8x -pgy5aVvXWgTVO8E7yyO3kp9yMIHUBgNVHSMEgcwwgcmAFA8xpgy5aVvXWgTVO8E7 -yyO3kp9yoYGlpIGiMIGfMQswCQYDVQQGEwJVUzERMA8GA1UECBMITWFyeWxhbmQx -GzAZBgNVBAoTElUuUy4gQ2Vuc3VzIEJ1cmVhdTEiMCAGA1UECxMZVGVsZWNvbW11 -bmljYXRpb25zIE9mZmljZTEaMBgGA1UEAxMRY2EudGNvLmNlbnN1cy5nb3YxIDAe -BgkqhkiG9w0BCQEWEWNhQHRjby5jZW5zdXMuZ292ggkAyf2Cocx2eXcwDwYDVR0T -AQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwLwYDVR0RBCgwJoERY2FAdGNvLmNlbnN1 -cy5nb3aCEWNhLnRjby5jZW5zdXMuZ292MA0GCSqGSIb3DQEBBQUAA4IBAQCLNU9/ -OxA2adbFXwiAh8XztL3MN7OUeXasSKtSDo00Ays/Sph1DXkUozSwx3B2JHtfrMj+ -A64qzjRm/Y7sDaM4SFa+Y3rdt7U9UY2UxQLo92zHQMqIbQhrdKBTiCVMrBvBzwWg -SI7KPi2lel499yb0vH/I6czuyQNTuYzHAsufYKeMMq4CeiBbboAegClpYJi5jJLl -dFQZpDUwSs+Pfb95CjPlfc0V3AH6GazbS3BNMMghECpL4rF0m7F7L3nDCklx1PsC -z2chyETY1X74Cg3D1mFV3iUjIvr6+eIZDQ3BStGwFjzxmdH2U2yh1nJnJzNXka9g -lUpluNENkgVZmOys ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIE1zCCA7+gAwIBAgITZQAANNYDIG4D4LElTwABAAA01jANBgkqhkiG9w0BAQsF -ADBiMRMwEQYKCZImiZPyLGQBGRYDZ292MRYwFAYKCZImiZPyLGQBGRYGY2Vuc3Vz -MRMwEQYKCZImiZPyLGQBGRYDZWFkMR4wHAYDVQQDExVVUyBDZW5zdXMgQnVyZWF1 -IENBIDMwHhcNMjIxMjI3MjExNTIxWhcNMjYxMjI3MjEyNTIxWjBoMRMwEQYKCZIm -iZPyLGQBGRYDZ292MRYwFAYKCZImiZPyLGQBGRYGY2Vuc3VzMRMwEQYKCZImiZPy -LGQBGRYDZWFkMSQwIgYDVQQDExtVUyBDZW5zdXMgQnVyZWF1IENBIDMgU3ViIDEw -ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDPzIqL5D96G48OMzx7WZdi -01e6K5Tllvz5REVKMOlFIS22y/iAnr3hbA1FXH1ML+t0n7e7jKic+E4pXc90n5DP -0bBS5+srnkw3OvjTY//uBU6rMl5vTtbGY3BhL0jsoeT+/JdTTrif6gyNCSkpNvw0 -Hao3Yc5kfcU5Vo90nm1+gonOqa6bQFN/i4hwI2quu4M3IkLJZaWQQ0z1pIbbJyk0 -qANrUKy4yTABo4KkNdqKmRvvvRWuDpFmNJwDDpdT010HDX5Pdc48fFVPO0Faoox9 -A7BtBZL273u7O9dpE0ajTHk1De5ZxbgO8yFmGWVj6BYgI86HJCq74RP4K6IJuOGZ -AgMBAAGjggF+MIIBejAQBgkrBgEEAYI3FQEEAwIBADAdBgNVHQ4EFgQUGFK9+ZBI -M/dcDY4ObcigYRSrASQwGQYJKwYBBAGCNxQCBAweCgBTAHUAYgBDAEEwDgYDVR0P -AQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAUIHg560/tAvCA -2ptcgOiykULWKcQwVwYDVR0fBFAwTjBMoEqgSIZGaHR0cDovL3BraS5lYWQuY2Vu 
-c3VzLmdvdi9DZXJ0RW5yb2xsL1VTJTIwQ2Vuc3VzJTIwQnVyZWF1JTIwQ0ElMjAz -LmNybDCBkAYIKwYBBQUHAQEEgYMwgYAwUgYIKwYBBQUHMAKGRmh0dHA6Ly9wa2ku -ZWFkLmNlbnN1cy5nb3YvQ2VydEVucm9sbC9VUyUyMENlbnN1cyUyMEJ1cmVhdSUy -MENBJTIwMy5jcnQwKgYIKwYBBQUHMAGGHmh0dHA6Ly9wa2kuZWFkLmNlbnN1cy5n -b3Yvb2NzcDANBgkqhkiG9w0BAQsFAAOCAQEAm1wFAR44iAl7dNHMjzIaaQe7dBbQ -gyS1t2mygO843JtcS2J/m3yGmEfo8wEwK5IxwX2UTmnc7Dh/iWlMO6cl8JKN12Fp -FM/yfpb+jaKECrsGW3uY5yKhrqmVGO9YnbiiGN07w0t+dbWAYGCtULoocYhFaLVQ -68Iv9KpOKVB3XKbP4bI2uhtx9H+uPHanhWVTJRHjg5pqI+xV7BoPfmods74oQfgm -PrsZqbwEvItVBMTGFQvhi60iEklk42s7ln/X7EqpKjtXwR4WAGuWPjTJ3OWkvVa4 -cNFBQRSALyDpqJFCqFoZBym9coyibi39QkWD2eizR4wm69jC66GOEmEb/A== ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIE1zCCA7+gAwIBAgITZQAANNSyNhQfwZNfDwABAAA01DANBgkqhkiG9w0BAQsF -ADBiMRMwEQYKCZImiZPyLGQBGRYDZ292MRYwFAYKCZImiZPyLGQBGRYGY2Vuc3Vz -MRMwEQYKCZImiZPyLGQBGRYDZWFkMR4wHAYDVQQDExVVUyBDZW5zdXMgQnVyZWF1 -IENBIDMwHhcNMjIxMjI3MTcyOTQ3WhcNMjYxMjI3MTczOTQ3WjBoMRMwEQYKCZIm -iZPyLGQBGRYDZ292MRYwFAYKCZImiZPyLGQBGRYGY2Vuc3VzMRMwEQYKCZImiZPy -LGQBGRYDZWFkMSQwIgYDVQQDExtVUyBDZW5zdXMgQnVyZWF1IENBIDMgU3ViIDIw -ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+k0X7b2zULKIK7n3QEo6I -tY03iLD1+h4SLS+TcD1boOS5SR5A7nmtcSkn03xieHzQvb2YdQ8+ltlBBXFeQR4g -vTieZ77DN1pqDLkwThHscavRr8HHyuW20Bf9YYH11DzpuXe4WsMhkLeJWzZJ5GPI -TwWZFeCluJ9fb9/8wPhVERSDYtqS3DwdJ/6qkueJZ75AOMcmObx5pQWszypYQupm -L+oiofej7mu0gb7ioXwwM7XL8f28a2BEDFqM5M0sitBrC1yxN7a3cRnegT+PlCe/ -yiiihAZVYQt/HDEs4R4A85Wx/YUhiB3BKkyTUIV+abjeWMIrRi17SrxNDT9ZQkld -AgMBAAGjggF+MIIBejAQBgkrBgEEAYI3FQEEAwIBADAdBgNVHQ4EFgQU4wpH6ieo -Hr13KKDb4stKDQFKE/MwGQYJKwYBBAGCNxQCBAweCgBTAHUAYgBDAEEwDgYDVR0P -AQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAUIHg560/tAvCA -2ptcgOiykULWKcQwVwYDVR0fBFAwTjBMoEqgSIZGaHR0cDovL3BraS5lYWQuY2Vu -c3VzLmdvdi9DZXJ0RW5yb2xsL1VTJTIwQ2Vuc3VzJTIwQnVyZWF1JTIwQ0ElMjAz -LmNybDCBkAYIKwYBBQUHAQEEgYMwgYAwUgYIKwYBBQUHMAKGRmh0dHA6Ly9wa2ku -ZWFkLmNlbnN1cy5nb3YvQ2VydEVucm9sbC9VUyUyMENlbnN1cyUyMEJ1cmVhdSUy 
-MENBJTIwMy5jcnQwKgYIKwYBBQUHMAGGHmh0dHA6Ly9wa2kuZWFkLmNlbnN1cy5n -b3Yvb2NzcDANBgkqhkiG9w0BAQsFAAOCAQEAs3Kf6bImA8lfZweCuCtcaSDRCr0X -pyr8A1TI95PgzpAEptGay/Ve2Bbs9JAzMIPqznEy7hC9kNY6Wn8jRxwSFhHJ1MVV -bMITRguhJ5asApmDInCx1/iha3WnsnmeonmPFOgpF/lgiyY7kMwXPzBNYPrs3qdf -AFTaF0rMRxJ3nz0R6C2K16hCDNOFW1E8X3eBFRK9poGsdOzpkrugrFDXGBWGIxIr -IUIE1xbQQzVv/qZ9Q1s7g6nt3zci//CgBXXRHn30G9SWbHASJhbN/XZOYMKtS15T -COzOm7B5Ujjw2h8YspiZKgINsWLbhU9E5OQkJuHeDpBpp/EFMbwsRQH//A== ------END CERTIFICATE----- diff --git a/buildspecs/scripts/pip.conf b/buildspecs/scripts/pip.conf deleted file mode 100644 index 8f18e297..00000000 --- a/buildspecs/scripts/pip.conf +++ /dev/null @@ -1,10 +0,0 @@ -[global] -cert = ~/.pip/pip-cert.pem -# proxy = http://proxy.tco.census.gov:3128 -index = https://nexus.it.census.gov:8443/repository/DataScience-Group/pypi -index-url = https://nexus.it.census.gov:8443/repository/DataScience-Group/simple -trusted-host = nexus.it.census.gov - pypi.python.org - pypi.org - files.pythonhosted.org - proxy.tco.census.gov diff --git a/buildspecs/scripts/sechub_parser.py b/buildspecs/scripts/sechub_parser.py deleted file mode 100644 index 34c43a39..00000000 --- a/buildspecs/scripts/sechub_parser.py +++ /dev/null 
@@ -1,101 +0,0 @@ -import json -import boto3 -import datetime -import os - -# import sechub + sts boto3 client -securityhub = boto3.client('securityhub') -sts = boto3.client('sts') - -# retrieve account id from STS GetCallerID -getAccount = sts.get_caller_identity() -awsAccount = str(getAccount['Account']) -# retrieve env vars from codebuild -awsRegion = os.environ['AWS_REGION'] -codebuildBuildArn = os.environ['CODEBUILD_BUILD_ARN'] -containerName = os.environ['docker_img_name'] -containerTag = os.environ['docker_tag'] - -# open Trivy vuln report & parse out vuln info -with open('results.json') as json_file: - data = json.load(json_file) - if data[0]['Vulnerabilities'] is None: - print('No vulnerabilities') - else: - for p in data[0]['Vulnerabilities']: - cveId = str(p['VulnerabilityID']) - cveTitle = str(p['Title']) - cveDescription = str(p['Description']) - cveDescription = (cveDescription[:1021] + '..') if len(cveDescription) > 1021 else cveDescription - packageName = str(p['PkgName']) - installedVersion = str(p['InstalledVersion']) - fixedVersion = str(p['FixedVersion']) - trivySeverity = str(p['Severity']) - cveReference = str(p['References'][0]) - # create ISO 8601 timestamp - iso8601Time = datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc).isoformat() - # map Trivy severity to ASFF severity - if trivySeverity == 'LOW': - trivyProductSev = int(1) - trivyNormalizedSev = trivyProductSev * 10 - elif trivySeverity == 'MEDIUM': - trivyProductSev = int(4) - trivyNormalizedSev = trivyProductSev * 10 - elif trivySeverity == 'HIGH': - trivyProductSev = int(7) - trivyNormalizedSev = trivyProductSev * 10 - elif trivySeverity == 'CRITICAL': - trivyProductSev = int(9) - trivyNormalizedSev = trivyProductSev * 10 - else: - print('No vulnerability information found') - try: - response = securityhub.batch_import_findings( - Findings=[ - { - 'SchemaVersion': '2018-10-08', - 'Id': containerName + ':' + containerTag + '/' + cveId, - 'ProductArn': 
'arn:aws:securityhub:' + awsRegion + ':' + ':product/aquasecurity/aquasecurity', - 'GeneratorId': codebuildBuildArn, - 'AwsAccountId': awsAccount, - 'Types': [ 'Software and Configuration Checks/Vulnerabilities/CVE' ], - 'CreatedAt': iso8601Time, - 'UpdatedAt': iso8601Time, - 'Severity': { - 'Product': trivyProductSev, - 'Normalized': trivyNormalizedSev - }, - 'Title': 'Trivy found a vulnerability to ' + cveId + ' in container ' + containerName, - 'Description': cveDescription, - 'Remediation': { - 'Recommendation': { - 'Text': 'More information on this vulnerability is provided in the hyperlink', - 'Url': cveReference - } - }, - 'ProductFields': { 'Product Name': 'Trivy' }, - 'Resources': [ - { - 'Type': 'Container', - 'Id': containerName + ':' + containerTag, - 'Partition': 'aws', - 'Region': awsRegion, - 'Details': { - 'Container': { 'ImageName': containerName + ':' + containerTag }, - 'Other': { - 'CVE ID': cveId, - 'CVE Title': cveTitle, - 'Installed Package': packageName + ' ' + installedVersion, - 'Patched Package': packageName + ' ' + fixedVersion - } - } - }, - ], - 'RecordState': 'ACTIVE' - } - ] - ) - print(response) - except Exception as e: - print(e) - raise diff --git a/buildspecs/security.yml b/buildspecs/security.yml deleted file mode 100644 index 37a42cf1..00000000 --- a/buildspecs/security.yml +++ /dev/null 
@@ -1,40 +0,0 @@ -version: 0.2 - -env: - variables: - TOOLS_DIR: "/tmp/build-tools" - -cache: - paths: - - '/tmp/build-tools/**/*' - -phases: - install: - runtime-versions: - python: 3.9 - commands: - - echo "Setting up security scanning tools" - - export http_proxy=$PROXY_CONFIG - - export https_proxy=$PROXY_CONFIG - - export NO_PROXY=.census.gov,169.254.169.254,148.129.0.0/16,10.0.0.0/8,172.16.0/12,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com,.gcr.io,.pkg.dev - - # Install security scanning tools - - mkdir -p $TOOLS_DIR/bin - - pip install checkov -q - - pip install tfsec -q - - build: - commands: - - echo "Running security scans" - - checkov --directory . --framework terraform --quiet --compact - - checkov --directory . --framework terragrunt --quiet --compact - - tfsec . --no-color - - post_build: - commands: - - echo "Security scan completed on `date`" - -artifacts: - files: - - '**/*' - base-directory: '.' diff --git a/buildspecs/terragrunt.yml b/buildspecs/terragrunt.yml deleted file mode 100644 index 313f7f13..00000000 --- a/buildspecs/terragrunt.yml +++ /dev/null 
@@ -1,73 +0,0 @@ -version: 0.2 - -env: - variables: - ARTIFACT_BUCKET: "${ARTIFACT_BUCKET}" - BASE_DIR: "lab" - PROXY_CONFIG: ${PROXY_CONFIG} - REQUIRED_TOOLS: "terraform terragrunt" - TOOL_DEFINITIONS: ${TOOL_DEFINITIONS} - TOOLS_DIR: "$CODEBUILD_SRC_DIR/.tool_cache" - exported-variables: - - TERRAGRUNT_PATH - -cache: - paths: - - $CODEBUILD_SRC_DIR/.tool_cache/**/* - -phases: - install: - runtime-versions: - python: 3.9 - commands: - - echo "Setting up environment and tools" - - export http_proxy=$PROXY_CONFIG - - export https_proxy=$PROXY_CONFIG - - export NO_PROXY=.census.gov,169.254.169.254,148.129.0.0/16,10.0.0.0/8,172.16.0/12,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com,.gcr.io,.pkg.dev - - # Configure Git to use the token from Secrets Manager - - echo "Configuring git with GitHub authentication" - - git config --global url."https://x-access-token:${GITHUB_TOKEN}@github.e.it.census.gov/".insteadOf "https://github.e.it.census.gov/" - - echo "Successfully configured git with GitHub token from Secrets Manager" - - # Create tools directory if it doesn't exist - - mkdir -p $TOOLS_DIR/bin - - # Download and execute the centralized tool management script - - | - echo "--- Downloading and Executing Tool Management Script ---" - MANAGE_TOOLS_SCRIPT_S3_KEY="tools/scripts/manage_tools.sh" - LOCAL_SCRIPT_PATH="${TOOLS_DIR}/manage_tools.sh" - - if [ ! -f "$LOCAL_SCRIPT_PATH" ]; then - echo "Downloading Tools Script from S3 ${ARTIFACT_BUCKET}...." - aws s3 cp s3://${ARTIFACT_BUCKET}/$MANAGE_TOOLS_SCRIPT_S3_KEY $LOCAL_SCRIPT_PATH - fi - - chmod +x "$LOCAL_SCRIPT_PATH" - echo "Executing $LOCAL_SCRIPT_PATH..." 
- "$LOCAL_SCRIPT_PATH" # Script will use ARTIFACT_BUCKET, TOOL_DEFINITIONS, REQUIRED_TOOLS, CODEBUILD_SRC_DIR - echo "--- Tool Management Script Execution Finished ---" - - - export PATH=$TOOLS_DIR/bin:$PATH - - aws sts get-caller-identity - - terragrunt --version - - terraform --version - - build: - commands: - - echo "Running Terragrunt plan" - - cd $TERRAGRUNT_PATH - - export http_proxy=$PROXY_CONFIG - - export https_proxy=$PROXY_CONFIG - - export NO_PROXY=.census.gov,169.254.169.254,148.129.0.0/16,10.0.0.0/8,172.16.0/12,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com,.gcr.io,.pkg.dev - - terragrunt run-all plan --terragrunt-non-interactive - - post_build: - commands: - - echo "Terragrunt plan completed on `date`" - -artifacts: - files: - - '**/*' - base-directory: '.' From 234b8635bb8f4054fc1a796bb34c9d1b37129b06 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 13 May 2025 16:00:57 -0400 Subject: [PATCH 100/126] add and delete for less git churn --- Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/Makefile b/Makefile index 8ff0b6b0..d16fa8b8 100644 --- a/Makefile +++ b/Makefile @@ -74,6 +74,7 @@ deploy-to-pipeline: fi @echo "Copy buildspecs from tfmod-pipeline" + mkdir -p ./buildspecs cp -r ../tfmod-pipeline/buildspecs/* ./buildspecs @echo "Creating zip file..." From b02a74ceae92634bbc709579255a3d88d9c1b466 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 13 May 2025 17:52:20 -0400 Subject: [PATCH 101/126] add prefixes --- lab/_envcommon/prefixes.hcl | 37 +++++++++++++++++++ .../eks-pipeline/terragrunt.hcl | 18 +++++---- 2 files changed, 47 insertions(+), 8 deletions(-) create mode 100644 lab/_envcommon/prefixes.hcl diff --git a/lab/_envcommon/prefixes.hcl b/lab/_envcommon/prefixes.hcl new file mode 100644 index 00000000..d46f6bb6 --- /dev/null +++ b/lab/_envcommon/prefixes.hcl 
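Review bot: In the Makefile hunk for `deploy-to-pipeline`, the added `mkdir -p ./buildspecs` keeps whatever is already in that directory, so a buildspec removed or renamed in tfmod-pipeline can still be copied into the archive from an earlier run. Since these files are presumably what the build executes (the zip and upload steps are outside the hunk), start from an empty directory: `rm -rf ./buildspecs && mkdir -p ./buildspecs` before the `cp -r`. The copy also takes the sibling working tree as it is, uncommitted edits included, so a comment naming the expected tfmod-pipeline ref, or a check that the checkout is clean, would make the deployed content traceable. The recipe starts and ends outside the hunk.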
@@ -0,0 +1,37 @@
+locals {
+ prefixes = {
+ "ebs" = "v-ebs-"
+ "efs" = "v-efs-"
+ "group" = "g-"
+ "kms" = "k-kms-"
+ "policy" = "p-"
+ "role" = "r-"
+ "s3" = "v-s3-"
+ "security-group" = "" # "sg-"
+ # VPC
+ "customer-gateway" = "cgw-"
+ "dhcp-options" = ""
+ "elastic-ip" = "eip-"
+ "internet-gateway" = "igw-"
+ "log-group" = "lg-"
+ "log-stream" = "lgs-"
+ "nat-gateway" = "nat-"
+ "network-acl" = "nacl-"
+ "route-table" = "route-"
+ "subnet" = ""
+ "vpc-endpoint" = "vpce-"
+ "vpc-peer" = "vpcp-"
+ "vpc" = ""
+ "vpn-connection" = "vpn_"
+ "vpn-gateway" = "vpcg-"
+ # EKS
+ "eks-policy" = "p-eks-"
+ "eks-queue" = "eks-q-"
+ "eks-role" = "r-eks-"
+ "eks-s3" = "v-s3-eks-"
+ "eks-security-group" = "eks-sg-" # "sg-eks-"
+ "eks-user" = "s-eks-"
+ "eks" = "eks-"
+ "eks-event" = "eks-ev-"
+ }
+}
diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl
index db6488dc..189e7f75 100644
--- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl
+++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl
@@ -7,10 +7,12 @@ include "root" {
 locals {
 # Skip this module if disabled
 skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
- artifact_bucket = format("v-s3-eks-%v-artifacts-%v-%v",
- include.root.inputs.cluster_name,
- include.root.inputs.aws_account_id,
- join("", [for c in split("-", include.root.inputs.aws_region) : substr(c, 0, 1)]))
+ artifact_bucket = format("%v%v-%v-%v-%v",
+ local.prefixes["eks-s3"],
+ include.root.inputs.cluster_name,
+ "artifacts",
+ include.root.inputs.aws_account_id,
+ join("", [for c in split("-", include.root.inputs.aws_region) : substr(c, 0, 1)]))
 }
 exclude {
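Review bot: In the new lab/_envcommon/prefixes.hcl, the entry `"security-group" = "" # "sg-"` reads like an unfinished edit. EC2 does not accept security group names that begin with `sg-`, which is presumably why the prefix was blanked and why the EKS one is `eks-sg-` rather than `sg-eks-`; say so in the file, e.g. `# EC2 rejects group names starting with "sg-", so no prefix here`. `"vpn-connection" = "vpn_"` is the only value ending in an underscore, and `"vpn-gateway" = "vpcg-"` looks like a slip beside `"vpc-peer" = "vpcp-"`; both should be confirmed against the naming standard before resources are created under them. The empty `dhcp-options`, `subnet` and `vpc` values would also benefit from a one-line comment stating that no prefix is intended.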
@@ -35,7 +37,7 @@ inputs = { # VPC Configuration vpc_name = include.root.inputs.vpc_name - subnet_filter = "*-container-*" # or any specific pattern you want to use + subnet_filter = "*-container-*" # or any specific pattern you want to use is_infrastructure_pipeline = true @@ -59,9 +61,9 @@ inputs = { } security_scan_configuration = { - compute_type = "BUILD_GENERAL1_MEDIUM" - image = "aws/codebuild/amazonlinux2-x86_64-standard:3.0" - buildspec_path = "security.yml" + compute_type = "BUILD_GENERAL1_MEDIUM" + image = "aws/codebuild/amazonlinux2-x86_64-standard:3.0" + buildspec_path = "security.yml" } approval_configuration = { From ef394abd215b77a193542fb25df65c9ddbac3c6d Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 13 May 2025 17:56:43 -0400 Subject: [PATCH 102/126] add prefixes into locals context --- lab/root.hcl | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/lab/root.hcl b/lab/root.hcl index be5a3fd5..32daece8 100644 --- a/lab/root.hcl +++ b/lab/root.hcl @@ -15,6 +15,9 @@ locals { # Automatically load _envcommon, cross account and environment common variables common_vars = read_terragrunt_config(find_in_parent_folders("./_envcommon/common-variables.hcl")) + # Automatically load naming prefixes + prefixes = read_terragrunt_config(find_in_parent_folders("./_envcommon/prefixes.hcl")) + # Automatically load region-level variables region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl")) 
@@ -24,15 +27,11 @@ locals { # Automatically load vpc-level variables vpc_vars = read_terragrunt_config(find_in_parent_folders("vpc.hcl")) - # Check if copy_images.tf exists in the module directory - has_copy_images = fileexists("${get_original_terragrunt_dir()}/copy_images.tf") - # Add any other locals you want to expose # only expose things not already included via local.xxx_vars.locals.* root_locals_for_inputs = { is_module_enabled = local.is_module_enabled module_name = local.module_name - has_copy_images = local.has_copy_images } # Extract the variables we need for easy access From dd0f4f2076e952c4508583b5f510a6c7966b6c91 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 13 May 2025 18:12:28 -0400 Subject: [PATCH 103/126] add prefixes into root --- .../vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl | 2 +- lab/root.hcl | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl index 189e7f75..778dd4ed 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl @@ -8,7 +8,7 @@ locals { # Skip this module if disabled skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true) artifact_bucket = format("%v%v-%v-%v-%v", - local.prefixes["eks-s3"], + include.root.inputs.prefixes["eks-s3"], include.root.inputs.cluster_name, "artifacts", include.root.inputs.aws_account_id, diff --git a/lab/root.hcl b/lab/root.hcl index 32daece8..a13ec766 100644 --- a/lab/root.hcl +++ b/lab/root.hcl @@ -169,6 +169,7 @@ inputs = merge( local.account_vars.locals, local.cluster_vars.locals, local.common_vars.locals, + local.prefixes.locals, local.region_vars.locals, local.versions.locals, local.vpc_vars.locals, 
From 182b34f37bb20847745531eecb099de2a745ef44 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 13 May 2025 18:40:42 -0400 Subject: [PATCH 104/126] add aws-logs output --- Makefile | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index d16fa8b8..d116427c 100644 --- a/Makefile +++ b/Makefile @@ -92,10 +92,13 @@ deploy-to-pipeline: @echo "Upload complete. Pipeline should trigger automatically." @echo "Calculating pipeline URL..." - $(eval PIPELINE_NAME=eks-$(CLUSTER_NAME)-pipeline) + $(eval PIPELINE_NAME=eks-$(CLUSTER_NAME)-codepipeline) $(eval PIPELINE_URL=https://console.amazonaws-us-gov.com/codesuite/codepipeline/pipelines/$(PIPELINE_NAME)/view?region=$(AWS_REGION)) @echo "Pipeline URL: $(PIPELINE_URL)" @echo "You can access the pipeline directly at the URL above." @echo "Cleaning up local zip file..." rm -f platform-tg-infra.zip + + @echo "Tailing Pipeline Logs:" + aws logs tail /aws/codebuild/$(PIPELINE_NAME) --profile $(AWS_PROFILE) From 06b531403cfa282c50ca3ec32c0226c68ffb2a3b Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 13 May 2025 20:17:43 -0400 Subject: [PATCH 105/126] add log tailing --- Makefile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index d116427c..5ec37c03 100644 --- a/Makefile +++ b/Makefile @@ -101,4 +101,5 @@ deploy-to-pipeline: rm -f platform-tg-infra.zip @echo "Tailing Pipeline Logs:" - aws logs tail /aws/codebuild/$(PIPELINE_NAME) --profile $(AWS_PROFILE) + @echo "Logs will start once Codebuild runs... this can take a few mins..." + aws logs tail /aws/codebuild/$(CLUSTER_NAME) --follow From 278dc9280573abcd1cc25a7621ed43987dbe3a74 Mon Sep 17 00:00:00 2001 
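Review bot: The `aws logs tail` line at the end of `deploy-to-pipeline` loses `--profile $(AWS_PROFILE)` in PATCH 105, so the tail runs with whatever ambient credentials and region the shell has, which may not be the account the zip was uploaded to. Keep the profile and make the region explicit: `aws logs tail /aws/codebuild/$(CLUSTER_NAME) --follow --profile $(AWS_PROFILE) --region $(AWS_REGION)`. With `--follow` the target never returns on its own, which deserves a comment such as `# blocks until Ctrl-C; CodeBuild output may include plan details`. The recipe starts outside the hunk, so how the upload step authenticates is not visible here.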
From: "Matthew C. Morgan" Date: Tue, 13 May 2025 21:14:30 -0400 Subject: [PATCH 106/126] update source strings to use https --- .../vpc/csvd-platform-lab-mcm/eks-arcgis/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-cribl/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl | 2 +- .../us-gov-east-1/vpc/csvd-platform-lab-mcm/eks/terragrunt.hcl | 2 +- 19 files changed, 19 insertions(+), 19 deletions(-) diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-arcgis/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-arcgis/terragrunt.hcl index 38cf455e..87e7bc9a 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-arcgis/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-arcgis/terragrunt.hcl 
@@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-ersi-arcgis.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-ersi-arcgis.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl index 569a3554..b0feb06b 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-cert-mgr.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-cert-mgr.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl index 49e0ea2f..df13a338 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks-configuration.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-eks-configuration.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() 
diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cribl/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cribl/terragrunt.hcl index d18b1808..ad7ea45e 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cribl/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cribl/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-cribl.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-cribl.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl index 62d93aff..2089ec12 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks-dns.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-eks-dns.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl index 971dd2e9..9d68d543 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl 
@@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-gatekeeper.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-gatekeeper.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl index 07cc34d2..d8ae3fe5 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-grafana.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-grafana.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl index 9f10168c..89df12ed 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-istio.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-istio.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] 
diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl index 9527e5f7..7abe1892 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-k8s-dashboard.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-k8s-dashboard.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl index 92332552..6869fc06 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-karpenter.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-karpenter.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl index f17489ea..cd9b53e6 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl 
@@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-keycloak.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-keycloak.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl index 8f19b76d..60b05c84 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-kiali.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-kiali.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl index 54586f19..03581032 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-loki.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-loki.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] 
diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl index 241bbc5d..b415bbf4 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-metrics-server.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-metrics-server.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl index a8a7d7c4..9962414f 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-open-telemetry.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-open-telemetry.git?ref=${include.root.inputs.release_version}" # source = "../../../../../../../tfmod-open-telemetry" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl index 778dd4ed..f0f7cfcb 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl 
+++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl @@ -22,7 +22,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-pipeline.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-pipeline.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl index 1cb7f81d..08773fd2 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-prometheus.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-prometheus.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl index 71dd0a10..583b4db7 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl 
@@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-tempo.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-tempo.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks/terragrunt.hcl index 13ed5d01..818d6eec 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-eks.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() From dbbbb3914e1416848ad5671287f86b094dc5bf20 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 13 May 2025 21:28:33 -0400 Subject: [PATCH 107/126] central settings for codebuild --- terragrunt.hcl | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 terragrunt.hcl diff --git a/terragrunt.hcl b/terragrunt.hcl new file mode 100644 index 00000000..528ca6a4 --- /dev/null +++ b/terragrunt.hcl 
@@ -0,0 +1,58 @@ +# Global terragrunt configuration + +# Configure remote state and providers +remote_state { + backend = "s3" + generate = { + path = "backend.tf" + if_exists = "overwrite_terragrunt" + } + + # Disable to improve reliability in environments with connectivity issues + disable_dependency_optimization = true +} + +terraform { + # Configure how terraform commands are executed + before_hook "handle_proxy" { + commands = ["init", "apply", "plan", "destroy", "validate"] + execute = ["/bin/bash", "-c", <<-EOT + # Set proxy environment variables before each command + if [ -n "$PROXY_CONFIG" ]; then + export http_proxy=$PROXY_CONFIG + export https_proxy=$PROXY_CONFIG + export HTTP_PROXY=$PROXY_CONFIG + export HTTPS_PROXY=$PROXY_CONFIG + fi + EOT + ] + } + + # Improve local module handling + extra_arguments "terragrunt_source" { + commands = ["init", "plan", "apply", "destroy", "validate"] + env_vars = { + TF_CLI_ARGS_init = "-get=false -get-plugins=false" + } + } +} + +# Generate consistent provider configurations +generate "provider" { + path = "generated_provider.tf" + if_exists = "overwrite_terragrunt" + contents = <<-EOF + provider "aws" { + region = var.region + } + + terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.0" + } + } + } + EOF +} From 5a609101b8f0da1fe8c6041b7baea769530e777c Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 13 May 2025 22:30:44 -0400 Subject: [PATCH 108/126] ssh stuff --- .../eks-pipeline/terragrunt.hcl | 27 +++++- terragrunt.hcl | 90 +++++++++---------- 2 files changed, 68 insertions(+), 49 deletions(-) diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl index f0f7cfcb..20980995 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl 
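Review bot: The `before_hook "handle_proxy"` cannot set the proxy for terraform, because its `export` lines run in a separate `/bin/bash -c` process that exits before the command starts, so the hook is effectively a no-op. Pass the values through `env_vars` in an `extra_arguments` block instead, for example `https_proxy = get_env("PROXY_CONFIG", "")`, or export them in the CodeBuild buildspec. `TF_CLI_ARGS_init = "-get=false -get-plugins=false"` stops `init` from downloading modules, and `-get-plugins` is, as far as I know, rejected by recent Terraform releases, so check it against the version the pipeline pins. The `remote_state` block has no `config`, which I believe Terragrunt requires, so the generated S3 backend carries no bucket, key or `encrypt` setting in this commit.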
+++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl @@ -22,11 +22,36 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-pipeline.git?ref=${include.root.inputs.release_version}" + # Use SSH URL instead of HTTPS + source = "git::git@github.e.it.census.gov:SCT-Engineering/tfmod-pipeline.git?ref=${include.root.inputs.release_version}" + + # Add hook to ensure SSH is properly set up + before_hook "ssh_git_setup" { + commands = ["init"] + execute = [ + "bash", + "-c", + "export GIT_SSH_COMMAND='ssh -o StrictHostKeyChecking=no -i ~/.ssh/id_rsa'" + ] + } + extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] } + + extra_arguments "mod_download" { + commands = ["init"] + arguments = [ + "-get=true", + "-get-plugins=true", + "-upgrade=true", + ] + env_vars = { + TF_PLUGIN_CACHE_DIR = "${get_terragrunt_dir()}/.terraform.d/plugin-cache" + GIT_SSH_COMMAND = "ssh -o StrictHostKeyChecking=no -i ~/.ssh/id_rsa" + } + } } inputs = { diff --git a/terragrunt.hcl b/terragrunt.hcl index 528ca6a4..21810e82 100644 --- a/terragrunt.hcl +++ b/terragrunt.hcl 
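Review bot: `StrictHostKeyChecking=no` in the `GIT_SSH_COMMAND` value under `extra_arguments "mod_download"` turns off SSH host-key verification for every module fetch, so `terraform init` would accept any host answering as github.e.it.census.gov and run the module code it serves with the pipeline's credentials. The same string is added in the `git_ssh_env` block of the root `terragrunt.hcl` hunk that follows. Pin the host key instead by provisioning a `known_hosts` file in the build image and using `GIT_SSH_COMMAND = "ssh -o StrictHostKeyChecking=yes -o UserKnownHostsFile=<path-to-known_hosts> -i ~/.ssh/id_rsa"`. Separately, `before_hook "ssh_git_setup"` runs `export` inside its own `bash -c` process, so the variable presumably never reaches terraform and the hook can be dropped.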
@@ -1,58 +1,52 @@ -# Global terragrunt configuration +# Global terragrunt configuration for all modules -# Configure remote state and providers +# Configuration for how Terraform commands are executed +terraform { + # Force terraform to keep trying to acquire a lock for 20min + extra_arguments "retry_lock" { + commands = get_terraform_commands_that_need_locking() + arguments = ["-lock-timeout=1200s"] + } + + # Set git environment variables for all Terraform commands to use SSH + extra_arguments "git_ssh_env" { + commands = get_terraform_commands_that_need_input_vars() + env_vars = { + GIT_TERMINAL_PROMPT = "0" + GIT_SSH_COMMAND = "ssh -o StrictHostKeyChecking=no -i ~/.ssh/id_rsa" + } + } + + # Hook to ensure SSH keys are set properly before each command + before_hook "ssh_setup" { + commands = ["init", "plan", "apply"] + execute = [ + "bash", + "-c", + "[ -f ~/.ssh/id_rsa ] && chmod 600 ~/.ssh/id_rsa || echo 'SSH key not found'" + ] + } +} + +# Configure the remote state for all modules remote_state { backend = "s3" + + config = { + encrypt = true + bucket = get_env("TF_STATE_BUCKET", "") + key = "${path_relative_to_include()}/terraform.tfstate" + region = get_env("REGION", "us-gov-east-1") + dynamodb_table = get_env("TF_LOCK_TABLE", "") + } + generate = { path = "backend.tf" if_exists = "overwrite_terragrunt" } - - # Disable to improve reliability in environments with connectivity issues - disable_dependency_optimization = true -} - -terraform { - # Configure how terraform commands are executed - before_hook "handle_proxy" { - commands = ["init", "apply", "plan", "destroy", "validate"] - execute = ["/bin/bash", "-c", <<-EOT - # Set proxy environment variables before each command - if [ -n "$PROXY_CONFIG" ]; then - export http_proxy=$PROXY_CONFIG - export https_proxy=$PROXY_CONFIG - export HTTP_PROXY=$PROXY_CONFIG - export HTTPS_PROXY=$PROXY_CONFIG - fi - EOT - ] - } - - # Improve local module handling - extra_arguments "terragrunt_source" { - commands = ["init", 
"plan", "apply", "destroy", "validate"] - env_vars = { - TF_CLI_ARGS_init = "-get=false -get-plugins=false" - } - } } -# Generate consistent provider configurations -generate "provider" { - path = "generated_provider.tf" - if_exists = "overwrite_terragrunt" - contents = <<-EOF - provider "aws" { - region = var.region - } - - terraform { - required_providers { - aws = { - source = "hashicorp/aws" - version = "~> 5.0" - } - } - } - EOF +# Global inputs that are accessible to all modules +inputs = { + # Add any globally shared variables here if needed } From 1f89b5d228bcfcf251773cd9c846ae4b8d526bf1 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 13 May 2025 23:22:47 -0400 Subject: [PATCH 109/126] wip --- Makefile | 2 +- .../eks-pipeline/terragrunt.hcl | 11 ---- terragrunt.hcl | 52 ------------------- 3 files changed, 1 insertion(+), 64 deletions(-) delete mode 100644 terragrunt.hcl diff --git a/Makefile b/Makefile index 5ec37c03..3a4520ef 100644 --- a/Makefile +++ b/Makefile @@ -102,4 +102,4 @@ deploy-to-pipeline: @echo "Tailing Pipeline Logs:" @echo "Logs will start once Codebuild runs... this can take a few mins..." - aws logs tail /aws/codebuild/$(CLUSTER_NAME) --follow + aws logs tail /aws/codebuild/$(CLUSTER_NAME) --follow --format short diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl index 20980995..87a3f876 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl 
@@ -25,16 +25,6 @@ terraform { # Use SSH URL instead of HTTPS source = "git::git@github.e.it.census.gov:SCT-Engineering/tfmod-pipeline.git?ref=${include.root.inputs.release_version}" - # Add hook to ensure SSH is properly set up - before_hook "ssh_git_setup" { - commands = ["init"] - execute = [ - "bash", - "-c", - "export GIT_SSH_COMMAND='ssh -o StrictHostKeyChecking=no -i ~/.ssh/id_rsa'" - ] - } - extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] @@ -49,7 +39,6 @@ terraform { ] env_vars = { TF_PLUGIN_CACHE_DIR = "${get_terragrunt_dir()}/.terraform.d/plugin-cache" - GIT_SSH_COMMAND = "ssh -o StrictHostKeyChecking=no -i ~/.ssh/id_rsa" } } } diff --git a/terragrunt.hcl b/terragrunt.hcl deleted file mode 100644 index 21810e82..00000000 --- a/terragrunt.hcl +++ /dev/null 
@@ -1,52 +0,0 @@ -# Global terragrunt configuration for all modules - -# Configuration for how Terraform commands are executed -terraform { - # Force terraform to keep trying to acquire a lock for 20min - extra_arguments "retry_lock" { - commands = get_terraform_commands_that_need_locking() - arguments = ["-lock-timeout=1200s"] - } - - # Set git environment variables for all Terraform commands to use SSH - extra_arguments "git_ssh_env" { - commands = get_terraform_commands_that_need_input_vars() - env_vars = { - GIT_TERMINAL_PROMPT = "0" - GIT_SSH_COMMAND = "ssh -o StrictHostKeyChecking=no -i ~/.ssh/id_rsa" - } - } - - # Hook to ensure SSH keys are set properly before each command - before_hook "ssh_setup" { - commands = ["init", "plan", "apply"] - execute = [ - "bash", - "-c", - "[ -f ~/.ssh/id_rsa ] && chmod 600 ~/.ssh/id_rsa || echo 'SSH key not found'" - ] - } -} - -# Configure the remote state for all modules -remote_state { - backend = "s3" - - config = { - encrypt = true - bucket = get_env("TF_STATE_BUCKET", "") - key = "${path_relative_to_include()}/terraform.tfstate" - region = get_env("REGION", "us-gov-east-1") - dynamodb_table = get_env("TF_LOCK_TABLE", "") - } - - generate = { - path = "backend.tf" - if_exists = "overwrite_terragrunt" - } -} - -# Global inputs that are accessible to all modules -inputs = { - # Add any globally shared variables here if needed -} From 17e223830753568c74bff4074a354b2db3174e39 Mon Sep 17 00:00:00 2001 
From: "Matthew C. Morgan" Date: Wed, 14 May 2025 16:01:42 -0400 Subject: [PATCH 110/126] back to ssh --- .../csvd-platform-lab-mcm/eks-arcgis/terragrunt.hcl | 2 +- .../eks-cert-manager/terragrunt.hcl | 2 +- .../csvd-platform-lab-mcm/eks-config/terragrunt.hcl | 2 +- .../csvd-platform-lab-mcm/eks-cribl/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl | 2 +- .../eks-gatekeeper/terragrunt.hcl | 2 +- .../csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl | 2 +- .../csvd-platform-lab-mcm/eks-istio/terragrunt.hcl | 2 +- .../eks-k8s-dashboard/terragrunt.hcl | 2 +- .../eks-karpenter/terragrunt.hcl | 2 +- .../eks-keycloak/terragrunt.hcl | 2 +- .../csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl | 2 +- .../csvd-platform-lab-mcm/eks-loki/terragrunt.hcl | 2 +- .../eks-metrics-server/terragrunt.hcl | 2 +- .../csvd-platform-lab-mcm/eks-otel/terragrunt.hcl | 2 +- .../eks-pipeline/terragrunt.hcl | 12 ------------ .../eks-prometheus/terragrunt.hcl | 2 +- .../csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks/terragrunt.hcl | 2 +- 19 files changed, 18 insertions(+), 30 deletions(-) diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-arcgis/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-arcgis/terragrunt.hcl index 87e7bc9a..38cf455e 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-arcgis/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-arcgis/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-ersi-arcgis.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-ersi-arcgis.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] 
diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl index b0feb06b..569a3554 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-cert-mgr.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-cert-mgr.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl index df13a338..49e0ea2f 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-eks-configuration.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks-configuration.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cribl/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cribl/terragrunt.hcl index ad7ea45e..d18b1808 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cribl/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cribl/terragrunt.hcl 
@@ -16,7 +16,7 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-cribl.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-cribl.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl index 2089ec12..62d93aff 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-eks-dns.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks-dns.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl index 9d68d543..971dd2e9 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-gatekeeper.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-gatekeeper.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] 
diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl index d8ae3fe5..07cc34d2 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-grafana.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-grafana.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl index 89df12ed..9f10168c 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-istio.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-istio.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl index 7abe1892..9527e5f7 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl 
@@ -16,7 +16,7 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-k8s-dashboard.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-k8s-dashboard.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl index 6869fc06..92332552 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-karpenter.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-karpenter.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl index cd9b53e6..f17489ea 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-keycloak.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-keycloak.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] 
diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl index 60b05c84..8f19b76d 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-kiali.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-kiali.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl index 03581032..54586f19 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-loki.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-loki.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl index b415bbf4..241bbc5d 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl 
@@ -16,7 +16,7 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-metrics-server.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-metrics-server.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl index 9962414f..a8a7d7c4 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-open-telemetry.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-open-telemetry.git?ref=${include.root.inputs.release_version}" # source = "../../../../../../../tfmod-open-telemetry" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl index 87a3f876..8c187b03 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl @@ -29,18 +29,6 @@ terraform { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] } - - extra_arguments "mod_download" { - commands = ["init"] - arguments = [ - "-get=true", - "-get-plugins=true", - "-upgrade=true", - ] - env_vars = { - TF_PLUGIN_CACHE_DIR = "${get_terragrunt_dir()}/.terraform.d/plugin-cache" - } - } } inputs = { 
diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl index 08773fd2..1cb7f81d 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-prometheus.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-prometheus.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl index 583b4db7..71dd0a10 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-tempo.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-tempo.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks/terragrunt.hcl index 818d6eec..13ed5d01 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks/terragrunt.hcl 
@@ -16,7 +16,7 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-eks.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() From 279ffdb2bc223fdb0ec110c6ebb938c450378057 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Wed, 14 May 2025 17:27:21 -0400 Subject: [PATCH 111/126] back to https now that network works --- .../vpc/csvd-platform-lab-mcm/eks-arcgis/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-cribl/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl | 2 +- .../csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl | 3 +-- .../vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl | 2 +- .../us-gov-east-1/vpc/csvd-platform-lab-mcm/eks/terragrunt.hcl | 2 +- 19 files changed, 19 insertions(+), 20 deletions(-) 
diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-arcgis/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-arcgis/terragrunt.hcl index 38cf455e..1de845d5 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-arcgis/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-arcgis/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-ersi-arcgis.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-ersi-arcgis.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl index 569a3554..b4c26286 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-cert-mgr.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-cert-mgr.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl index 49e0ea2f..52d53284 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl 
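Review bot: Nothing on the new `source` line of eks-arcgis records how the HTTPS fetch from github.e.it.census.gov is authenticated, and that matters more here than for the SSH form it replaces, because the usual shortcut with HTTPS is to place a token in the URL. The source string typically ends up in Terragrunt's download logging and in the remote URL of the cached clone, so a credential embedded in it would leak; the same applies to the other 18 hunks of this patch. I would add a comment above the line such as `# HTTPS fetch: credentials come from the git credential helper or CI secret store, never from this URL`. If the enterprise host is signed by an internal CA, the runner presumably needs that CA in its trust store rather than `http.sslVerify=false`; the runner configuration is not visible from this hunk.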
@@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks-configuration.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-eks-configuration.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cribl/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cribl/terragrunt.hcl index d18b1808..e77af3cc 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cribl/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cribl/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-cribl.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-cribl.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl index 62d93aff..6d9ecf77 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks-dns.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-eks-dns.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] 
diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl index 971dd2e9..cff09e4f 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-gatekeeper.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-gatekeeper.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl index 07cc34d2..eb034b32 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-grafana.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-grafana.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl index 9f10168c..10b58436 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl 
@@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-istio.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-istio.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl index 9527e5f7..9f8f0850 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-k8s-dashboard.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-k8s-dashboard.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl index 92332552..86c1a338 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl 
@@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-karpenter.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-karpenter.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl index f17489ea..37b455cb 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-keycloak.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-keycloak.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl index 8f19b76d..6b98bb94 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-kiali.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-kiali.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] 
diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl index 54586f19..fda0a90a 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-loki.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-loki.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl index 241bbc5d..894f17ce 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-metrics-server.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-metrics-server.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl index a8a7d7c4..b4d2d67f 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl 
@@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-open-telemetry.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-open-telemetry.git?ref=${include.root.inputs.release_version}" # source = "../../../../../../../tfmod-open-telemetry" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl index 8c187b03..701de709 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl @@ -22,8 +22,7 @@ exclude { } terraform { - # Use SSH URL instead of HTTPS - source = "git::git@github.e.it.census.gov:SCT-Engineering/tfmod-pipeline.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-pipeline.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl index 1cb7f81d..a2ccd14f 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl 
@@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-prometheus.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-prometheus.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl index 71dd0a10..79810066 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-tempo.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-tempo.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks/terragrunt.hcl index 13ed5d01..2d4b4778 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-eks.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() From 5e3899b30970b96f2c629158d5d9bf463bef89b2 Mon Sep 17 00:00:00 2001 
From: "Matthew C. Morgan" Date: Wed, 14 May 2025 19:34:27 -0400 Subject: [PATCH 112/126] ssh again --- .../vpc/csvd-platform-lab-mcm/eks-arcgis/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-cribl/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl | 2 +- .../us-gov-east-1/vpc/csvd-platform-lab-mcm/eks/terragrunt.hcl | 2 +- 19 files changed, 19 insertions(+), 19 deletions(-) diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-arcgis/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-arcgis/terragrunt.hcl index 1de845d5..9f8e4599 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-arcgis/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-arcgis/terragrunt.hcl 
@@ -16,7 +16,7 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-ersi-arcgis.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-ersi-arcgis.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl index b4c26286..12a39552 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-cert-mgr.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-cert-mgr.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl index 52d53284..c5e156f7 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-eks-configuration.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks-configuration.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() 
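Review bot: The module repository on the `+ source` line of eks-arcgis/terragrunt.hcl is spelled `tfmod-ersi-arcgis`, while docs/Process.md, added in the next patch of this series, names the ArcGIS module `tfmod-esri-arcgis`. Only one of the two spellings can match the repository, and nothing in the hunk shows which. Confirm the name against the Git server and correct whichever side is wrong, for example `tfmod-esri-arcgis.git?ref=...` here if the documentation is right. The `terraform` block continues past the end of the hunk.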
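Review bot: The transport prefix `git@github.e.it.census.gov:SCT-Engineering/` is written out literally on the `+ source` line of eks-cert-manager/terragrunt.hcl, and the same literal is repeated in the other 18 files this patch touches, so changing how modules are fetched means hand-editing every unit. The version is already read from the root include (`include.root.inputs.release_version`), and the prefix could come from the same place, for example `source = "${include.root.inputs.module_source_base}tfmod-cert-mgr.git?ref=${include.root.inputs.release_version}"`, where `module_source_base` is a constructed name for an input that would have to be added to the root configuration. A single definition also gives one reviewable place for deciding which authentication path module fetches use.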
diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cribl/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cribl/terragrunt.hcl index e77af3cc..58a632c8 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cribl/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cribl/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-cribl.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-cribl.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl index 6d9ecf77..9c622f91 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-eks-dns.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks-dns.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl index cff09e4f..14bfc55b 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl 
@@ -16,7 +16,7 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-gatekeeper.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-gatekeeper.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl index eb034b32..0a556403 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-grafana.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-grafana.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl index 10b58436..abf5d616 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-istio.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-istio.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] 
diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl index 9f8f0850..7a99c7d7 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-k8s-dashboard.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-k8s-dashboard.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl index 86c1a338..27f5e8db 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-karpenter.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-karpenter.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl index 37b455cb..7e51f58c 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl 
@@ -16,7 +16,7 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-keycloak.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-keycloak.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl index 6b98bb94..4d8e6682 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-kiali.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-kiali.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl index fda0a90a..99982764 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-loki.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-loki.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] 
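Review bot: The `?ref=${include.root.inputs.release_version}` suffix on the `+ source` line of eks-loki/terragrunt.hcl, and on every other source line in this patch, decides which module code is applied, and its value is defined outside the hunk. If it can hold a branch name, the code fetched for an unchanged configuration can differ between two runs, and a push to that branch reaches the cluster without any change being reviewed in this repository. Consider requiring a protected release tag or a full commit SHA for `release_version`, and state that next to the source with a comment such as `# ref must be a protected tag or commit SHA, never a branch`.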
diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl index 894f17ce..7b111bc7 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-metrics-server.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-metrics-server.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl index b4d2d67f..7e952c27 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-open-telemetry.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-open-telemetry.git?ref=${include.root.inputs.release_version}" # source = "../../../../../../../tfmod-open-telemetry" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl index 701de709..9ecfac60 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl 
+++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl @@ -22,7 +22,7 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-pipeline.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-pipeline.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl index a2ccd14f..77553bef 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-prometheus.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-prometheus.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl index 79810066..a1d16f27 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl 
@@ -16,7 +16,7 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-tempo.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-tempo.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks/terragrunt.hcl index 2d4b4778..97b13fd8 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-eks.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() From a41554227a068f7ac2aaaff130d1f1cff0b9cdd8 Mon Sep 17 00:00:00 2001 
From: "Matthew C. Morgan"
Date: Thu, 15 May 2025 19:59:39 -0400
Subject: [PATCH 113/126] https again
---
docs/Process.md | 334 ++++++++++++++++++
docs/terragrunt.stack.hcl | 2 +-
.../eks-arcgis/terragrunt.hcl | 2 +-
.../eks-cert-manager/terragrunt.hcl | 2 +-
.../eks-config/terragrunt.hcl | 2 +-
.../eks-cribl/terragrunt.hcl | 2 +-
.../eks-dns/terragrunt.hcl | 2 +-
.../eks-gatekeeper/terragrunt.hcl | 2 +-
.../eks-grafana/terragrunt.hcl | 2 +-
.../eks-istio/terragrunt.hcl | 2 +-
.../eks-k8s-dashboard/terragrunt.hcl | 2 +-
.../eks-karpenter/terragrunt.hcl | 2 +-
.../eks-keycloak/terragrunt.hcl | 2 +-
.../eks-kiali/terragrunt.hcl | 2 +-
.../eks-loki/terragrunt.hcl | 2 +-
.../eks-metrics-server/terragrunt.hcl | 2 +-
.../eks-otel/terragrunt.hcl | 2 +-
.../eks-pipeline/terragrunt.hcl | 2 +-
.../eks-prometheus/terragrunt.hcl | 2 +-
.../eks-tempo/terragrunt.hcl | 2 +-
.../csvd-platform-lab-mcm/eks/terragrunt.hcl | 2 +-
21 files changed, 354 insertions(+), 20 deletions(-)
create mode 100644 docs/Process.md
diff --git a/docs/Process.md b/docs/Process.md
new file mode 100644
index 00000000..ebfdd154
--- /dev/null
+++ b/docs/Process.md
@@ -0,0 +1,334 @@ +# Terraform Module Execution Process + +This document outlines the step-by-step process flow of our Terraform modules, explaining what each module does and the resources it creates. + +## 1. Pipeline Setup (tfmod-pipeline) + +**Purpose**: Creates the CI/CD infrastructure to build, plan, and apply the rest of the Terraform modules. + +**Resources Created**: +- AWS CodePipeline +- AWS CodeBuild projects +- IAM roles and policies for pipeline execution +- S3 buckets for artifacts +- CloudWatch event rules for pipeline triggers + +## 2. Core Infrastructure + +### 2.1 EKS Cluster (tfmod-eks) + +**Purpose**: Creates a managed Kubernetes cluster in AWS. + +**Resources Created**: +- EKS cluster +- EKS node groups +- VPC (if not using existing) +- Security groups +- IAM roles for EKS service and node groups + +### 2.2 EKS Configuration (tfmod-eks-configuration) + +**Purpose**: Configures the EKS cluster with essential settings. + +**Resources Created**: +- Kubernetes namespaces +- Service accounts +- RBAC configurations +- Add-on prerequisites + +### 2.3 Custom IAM Roles for Service Accounts (tfmod-custom-iam-role-for-service-account-eks) + +**Purpose**: Sets up IAM roles that can be assumed by Kubernetes service accounts via IRSA. + +**Resources Created**: +- IAM roles +- IAM policies +- Trust relationships + +### 2.4 EKS DNS Configuration (tfmod-eks-dns) + +**Purpose**: Configures DNS settings for the cluster. + +**Resources Created**: +- Route53 records +- DNS-related Kubernetes resources + +## 3. Cluster Monitoring & Observability + +### 3.1 Metrics Server (tfmod-metrics-server) + +**Purpose**: Deploys the Kubernetes Metrics Server for resource metrics. + +**Resources Created**: +- Metrics Server deployment +- Related service accounts and RBAC + +### 3.2 Prometheus (tfmod-prometheus) + +**Purpose**: Sets up Prometheus for metrics collection and alerting. 
+ +**Resources Created**: +- Prometheus server +- Alert manager +- Service monitors +- Related Kubernetes resources + +### 3.3 Grafana (tfmod-grafana) + +**Purpose**: Deploys Grafana for metrics visualization. + +**Resources Created**: +- Grafana deployment +- Dashboards +- Data sources configuration + +### 3.4 Loki (tfmod-loki) + +**Purpose**: Implements log aggregation for the cluster. + +**Resources Created**: +- Loki deployment +- Log aggregation components +- Storage configuration + +### 3.5 Tempo (tfmod-tempo) + +**Purpose**: Provides distributed tracing capabilities. + +**Resources Created**: +- Tempo deployment +- Tracing components +- Storage configuration + +### 3.6 Open Telemetry (tfmod-open-telemetry) + +**Purpose**: Implements the OpenTelemetry collector for observability data. + +**Resources Created**: +- OpenTelemetry collector +- Configuration for metrics, logs, and traces + +### 3.7 Cribl (tfmod-cribl) + +**Purpose**: Deploys Cribl for log processing and forwarding. + +**Resources Created**: +- Cribl deployment +- Processing rules +- Output destinations + +## 4. Service Mesh & API Management + +### 4.1 Istio (tfmod-istio) + +**Purpose**: Implements a service mesh for the cluster. + +**Resources Created**: +- Istio control plane +- Istio gateways +- CRDs and operators + +### 4.2 Istio Service Ingress (tfmod-istio-service-ingress) + +**Purpose**: Configures ingress resources using Istio. + +**Resources Created**: +- Virtual services +- Gateways +- Service entries + +### 4.3 Kiali (tfmod-kiali) + +**Purpose**: Deploys Kiali for visualizing the service mesh. + +**Resources Created**: +- Kiali deployment +- Service +- Dashboard configuration + +## 5. Security & Compliance + +### 5.1 Cert Manager (tfmod-cert-mgr) + +**Purpose**: Manages certificates within the Kubernetes cluster. 
+ +**Resources Created**: +- Cert-manager deployment +- CRDs for certificate resources +- Issuers/ClusterIssuers + +### 5.2 Gatekeeper (tfmod-gatekeeper) + +**Purpose**: Implements policy enforcement and governance. + +**Resources Created**: +- OPA Gatekeeper deployment +- Constraint templates +- Constraints + +## 6. Database & Persistent Storage + +### 6.1 PostgreSQL (tfmod-postgresql) + +**Purpose**: Deploys PostgreSQL database instances. + +**Resources Created**: +- PostgreSQL deployment or AWS RDS instances +- Storage configuration +- Network policies + +## 7. Application-Specific Modules + +### 7.1 Config Jobs (tfmod-config-job) + +**Purpose**: Creates Kubernetes jobs for configuration tasks. + +**Resources Created**: +- Kubernetes jobs +- ConfigMaps +- Secrets + +### 7.2 Keycloak (tfmod-keycloak) + +**Purpose**: Deploys Keycloak for identity and access management. + +**Resources Created**: +- Keycloak deployment +- Persistent storage +- Ingress configuration + +### 7.3 Kubernetes Dashboard (tfmod-k8s-dashboard) + +**Purpose**: Provides a web UI for the Kubernetes cluster. + +**Resources Created**: +- Dashboard deployment +- Service account +- RBAC configuration + +### 7.4 ArcGIS (tfmod-esri-arcgis) + +**Purpose**: Deploys ArcGIS services on the cluster. + +**Resources Created**: +- ArcGIS deployments +- Services +- Storage configuration + +### 7.5 Karpenter (tfmod-karpenter) + +**Purpose**: Implements Karpenter for Kubernetes node provisioning. + +**Resources Created**: +- Karpenter controller +- Provisioner CRDs +- Node templates + +## Execution Flow + +The modules are typically executed in the order outlined above, with the pipeline module orchestrating the process: + +1. 
The pipeline is created first (manually or by another automation) + - **Consolidated Image Security Processing**: A single security stage processes all container images used across modules: + - Image inventory collection from all module configurations + - Batch processing of vulnerability scanning + - Central SBOM (Software Bill of Materials) repository + - Single signing authority for all images + - Creation of a security compliance registry +2. Core infrastructure is established +3. Monitoring and observability tools are deployed +4. Service mesh and security components are added +5. Database and application-specific modules are deployed + +Each module depends on resources created by previous modules, forming a dependency chain that ensures proper infrastructure creation. + +## Image Security Implementation + +Container image security is implemented as a consolidated phase within the tfmod-pipeline module: + +- **Image Inventory**: Extracts container image references from all module configurations before deployment begins +- **Centralized Processing**: Processes all unique images in parallel rather than per-module +- **Security Registry**: Creates a compliance database that tracks security status of each image +- **Verification API**: Provides a lightweight API for modules to verify image compliance at deployment time +- **Policy Enforcement**: Blocks deployment of any module referencing non-compliant images + +### Image Inventory Collection Implementation + +The image inventory collection is implemented as part of the existing security stage in the pipeline: + +1. **Security Stage Enhancement**: + - The current security stage is expanded to include image security processing + - This maintains the existing pipeline structure (source → build → security → approve → deploy) + - No additional pipeline stages are required + +2. 
**Security Stage Sub-steps**: + - **Infrastructure Security**: Original security checks for IAC (continues as is) + - **Image Inventory**: Runs `terragrunt plan -json` for all modules to extract image references + - **Image Security Processing**: Scans, generates SBOMs, and signs images + - All vulnerabilities are automatically reported to AWS Security Hub + - Findings include image details, CVE IDs, severity levels, and remediation guidance + - **Security Registry Update**: Records compliance status of all images + - Security Hub findings are linked to the compliance database + - Security Hub integration enables centralized vulnerability management + +3. **Implementation Process**: + - CodeBuild job in the security stage collects Terraform plans + - Parsing script extracts image references from plan outputs + - Each unique image undergoes security checks in parallel + - Results are stored in a central compliance database + - Security Hub receives all vulnerability findings with proper resource tagging + - Final step generates a compliance report showing pass/fail status for all images + +4. **Pre-approval Check**: + - Before the approval stage, a validation step confirms all images are compliant + - Non-compliant images trigger pipeline warnings or failures based on policy settings + - Compliance summary is included in the approval notification + - Links to Security Hub findings are provided in notifications + +## Image Security Tooling + +The following tools are recommended for each phase of the image security process: + +### 1. Image Inventory Collection +- **Terragrunt/Terraform**: Using `terragrunt plan -json` output +- **jq/Python**: For parsing plan outputs to extract image references +- **AWS CodeBuild**: Custom build step with extraction script + +### 2. 
Vulnerability Scanning +- **AWS ECR Enhanced Scanning**: Primary scanning engine for ECR images +- **Trivy**: Open-source scanner for comprehensive vulnerability detection +- **Amazon Inspector**: For deeper AWS-integrated scanning and compliance reporting + +### 3. SBOM Generation +- **AWS SBOM Generator**: Native AWS tool for ECR images +- **CycloneDX/SPDX**: Standard formats for storing SBOM data + +### 4. Image Signing +- **Cosign**: For signing container images with simple keys or KMS +- **AWS Signer**: For AWS-managed signing workflows + +### 5. Security Data Management +- **AWS Security Hub**: Primary repository for all vulnerability findings + - Serves as the source of truth for security findings + - Provides organization-wide visibility and reporting + - Enables centralized policy management and alerting + +- **Pipeline-specific Database** (DynamoDB): + - Lightweight lookup table for CI/CD processes only + - Maps images to modules for deployment decisions + - Stores pipeline-specific metadata not relevant to Security Hub + - Contains links to Security Hub findings rather than duplicating data + - Enables fast deployment-time checks without querying Security Hub APIs + +This separation ensures Security Hub remains the authoritative source for security data while the pipeline database only stores what's needed for efficient CI/CD operations. + +### 6. Security Hub Integration +- **AWS Security Hub Custom Findings**: For publishing vulnerability data +- **AWS EventBridge**: For automating notifications and remediation +- **AWS Lambda**: For findings enrichment and customized reporting + +The security stage configures these tools as needed and orchestrates their execution in the proper sequence to provide a comprehensive security posture for all container images. + +This approach leverages the existing pipeline structure while ensuring all container images are properly secured before deployment. 
+ +This approach is more reliable than static code parsing since it works with the exact resolved values that Terraform will use during deployment, including all variable substitutions and dynamic values. diff --git a/docs/terragrunt.stack.hcl b/docs/terragrunt.stack.hcl index 69d52333..432fa286 100644 --- a/docs/terragrunt.stack.hcl +++ b/docs/terragrunt.stack.hcl @@ -2,7 +2,7 @@ locals { environment = "development" region = "us-gov-east-1" project_name = "csvd-platform-lab-mcm" - base_source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-" + base_source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-" } diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-arcgis/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-arcgis/terragrunt.hcl index 9f8e4599..1de845d5 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-arcgis/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-arcgis/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-ersi-arcgis.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-ersi-arcgis.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl index 12a39552..b4c26286 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl 
@@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-cert-mgr.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-cert-mgr.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl index c5e156f7..52d53284 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks-configuration.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-eks-configuration.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cribl/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cribl/terragrunt.hcl index 58a632c8..e77af3cc 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cribl/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cribl/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-cribl.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-cribl.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() 
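Review bot: Switching the `+ source` line of eks-cribl/terragrunt.hcl to `git::https://` moves the module fetch from SSH-key authentication to whatever HTTPS credential git finds on the runner, and nothing in the hunk records where that credential is expected to come from; the same applies to the other terragrunt.hcl hunks in this patch. The usual failure mode is a token pasted into the URL to get a build working, after which it sits in version control and can appear in init output and in the fetched module's git configuration. I would add a comment above the source, `# Credentials come from the runner's git credential helper; never embed a token in this URL`, and keep the secret itself in the build environment. The `terraform` block continues outside the hunk.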
diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl index 9c622f91..6d9ecf77 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks-dns.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-eks-dns.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl index 14bfc55b..cff09e4f 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-gatekeeper.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-gatekeeper.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl index 0a556403..eb034b32 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl 
@@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-grafana.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-grafana.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl index abf5d616..10b58436 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-istio.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-istio.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl index 7a99c7d7..9f8f0850 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl 
@@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-k8s-dashboard.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-k8s-dashboard.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl index 27f5e8db..86c1a338 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-karpenter.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-karpenter.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl index 7e51f58c..37b455cb 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-keycloak.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-keycloak.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] 
diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl index 4d8e6682..6b98bb94 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-kiali.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-kiali.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl index 99982764..fda0a90a 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-loki.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-loki.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl index 7b111bc7..894f17ce 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl 
@@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-metrics-server.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-metrics-server.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl index 7e952c27..b4d2d67f 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-open-telemetry.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-open-telemetry.git?ref=${include.root.inputs.release_version}" # source = "../../../../../../../tfmod-open-telemetry" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl index 9ecfac60..701de709 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl 
@@ -22,7 +22,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-pipeline.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-pipeline.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl index 77553bef..a2ccd14f 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-prometheus.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-prometheus.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl index a1d16f27..79810066 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-tempo.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-tempo.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] 
diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks/terragrunt.hcl index 97b13fd8..2d4b4778 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git?ref=${include.root.inputs.release_version}" + source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-eks.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() From 0a363472d64870c889f0e10dc6bb4ed3d4080638 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 15 May 2025 21:12:46 -0400 Subject: [PATCH 114/126] use a more recent image --- .../vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl index 701de709..313e49d6 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl @@ -48,7 +48,7 @@ inputs = { build_configuration = { compute_type = "BUILD_GENERAL1_MEDIUM" - image = "aws/codebuild/amazonlinux2-x86_64-standard:3.0" + image = "aws/codebuild/amazonlinux-x86_64-standard:5.0" buildspec_path = "terragrunt.yml" privileged_mode = true environment_variables = { @@ -63,7 +63,7 @@ inputs = { security_scan_configuration = { compute_type = "BUILD_GENERAL1_MEDIUM" - image = "aws/codebuild/amazonlinux2-x86_64-standard:3.0" + image = "aws/codebuild/amazonlinux-x86_64-standard:5.0" buildspec_path = "security.yml" } 
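Review bot: The image identifier `aws/codebuild/amazonlinux-x86_64-standard:5.0` is repeated as a literal in `build_configuration`, `security_scan_configuration` and (in the next hunk) `deployment_configuration`, so the three stages can drift apart on the next upgrade. The file already reads `local.artifact_bucket` (visible in the third hunk), so a single `codebuild_image = "aws/codebuild/amazonlinux-x86_64-standard:5.0"` in the `locals` block, with `image = local.codebuild_image` in each stage, would keep them aligned; the `locals` block and the rest of `inputs` lie outside these hunks. Separately, `privileged_mode = true` stays set on the build stage: if `terragrunt.yml` does not need Docker, dropping it removes elevated container privileges from a job that presumably runs with the pipeline's deployment role.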
@@ -76,7 +76,7 @@ inputs = { deployment_configuration = { target_type = "Build" compute_type = "BUILD_GENERAL1_MEDIUM" - image = "aws/codebuild/amazonlinux2-x86_64-standard:3.0" + image = "aws/codebuild/amazonlinux-x86_64-standard:5.0" buildspec_path = "deploy.terragrunt.yml" environment_variables = { ARTIFACT_BUCKET = local.artifact_bucket From f6f8f3f75560be79024d08835cb7fc2dc917a08f Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 15 May 2025 22:25:01 -0400 Subject: [PATCH 115/126] add downloader --- .github/platform-tg-infra.code-workspace | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/platform-tg-infra.code-workspace b/.github/platform-tg-infra.code-workspace index d51c3319..5f558987 100644 --- a/.github/platform-tg-infra.code-workspace +++ b/.github/platform-tg-infra.code-workspace @@ -98,6 +98,9 @@ }, { "path": "../../243219719746-lab-gov-management-nonprod" + }, + { + "path": "../../tfmod-downloader" } ] } From caf0f0b82eeb3d9369033d5df2d333d389b50c0a Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Thu, 15 May 2025 23:33:00 -0400 Subject: [PATCH 116/126] updates to state mgmt --- .github/platform-tg-infra.code-workspace | 8 +++++--- lab/root.hcl | 2 +- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/.github/platform-tg-infra.code-workspace b/.github/platform-tg-infra.code-workspace index 5f558987..532be343 100644 --- a/.github/platform-tg-infra.code-workspace +++ b/.github/platform-tg-infra.code-workspace @@ -20,6 +20,10 @@ "name": "tfmod-custom-iam-role-for-service-account-eks", "path": "../../tfmod-custom-iam-role-for-service-account-eks" }, + { + "name": "tfmod-downloader", + "path": "../../tfmod-downloader" + }, { "name": "tfmod-eks", "path": "../../tfmod-eks" @@ -97,10 +101,8 @@ "path": "../../tfmod-tempo" }, { + "name": "243219719746-lab-gov-management-nonprod", "path": "../../243219719746-lab-gov-management-nonprod" - }, - { - "path": "../../tfmod-downloader" } ] } 
diff --git a/lab/root.hcl b/lab/root.hcl index a13ec766..45e079c3 100644 --- a/lab/root.hcl +++ b/lab/root.hcl @@ -118,7 +118,7 @@ remote_state { } config = { bucket = "${local.state_bucket_prefix}-${local.account_id}" - dynamodb_table = "${local.state_table_name}" + use_lockfile = true key = "${trimprefix(replace(run_cmd("realpath", get_original_terragrunt_dir()), dirname(get_repo_root()), ""), "/")}/terraform.tfstate" profile = "${local.aws_profile}" region = "${local.aws_region}" From 4b31d81f0734748b13c6c259e928f2167775bbf6 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Fri, 16 May 2025 13:13:13 -0400 Subject: [PATCH 117/126] testing --- Makefile | 16 +++++++++++++++- docs/terragrunt.stack.hcl | 2 +- .../eks-arcgis/terragrunt.hcl | 2 +- .../eks-cert-manager/terragrunt.hcl | 2 +- .../eks-config/terragrunt.hcl | 2 +- .../eks-cribl/terragrunt.hcl | 2 +- .../csvd-platform-lab-mcm/eks-dns/terragrunt.hcl | 2 +- .../eks-gatekeeper/terragrunt.hcl | 2 +- .../eks-grafana/terragrunt.hcl | 2 +- .../eks-istio/terragrunt.hcl | 2 +- .../eks-k8s-dashboard/terragrunt.hcl | 2 +- .../eks-karpenter/terragrunt.hcl | 2 +- .../eks-keycloak/terragrunt.hcl | 2 +- .../eks-kiali/terragrunt.hcl | 2 +- .../eks-loki/terragrunt.hcl | 2 +- .../eks-metrics-server/terragrunt.hcl | 2 +- .../eks-otel/terragrunt.hcl | 2 +- .../eks-pipeline/terragrunt.hcl | 2 +- .../eks-prometheus/terragrunt.hcl | 2 +- .../eks-tempo/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks/terragrunt.hcl | 2 +- 21 files changed, 35 insertions(+), 21 deletions(-) diff --git a/Makefile b/Makefile index 3a4520ef..afaa94c9 100644 --- a/Makefile +++ b/Makefile 
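Review bot: Replacing `dynamodb_table` with `use_lockfile = true` in `remote_state.config` switches the locking mechanism for every unit at once, and a client that still locks through DynamoDB will not see the S3 lock objects. Terraform's S3 backend accepts `use_lockfile` only from 1.10 on, so the CodeBuild image and developer workstations need a pinned minimum version; no such pin is visible in this hunk. For a transition, keeping both lines (`dynamodb_table = "${local.state_table_name}"` next to `use_lockfile = true`) lets old and new clients exclude each other until everyone has upgraded. The state bucket policy also has to let the writer role create and delete the `.tflock` object beside each state key, otherwise lock acquisition fails; the rest of the `remote_state` block lies outside the hunk.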
@@ -86,13 +86,27 @@ deploy-to-pipeline: $(eval REGION_SHORT=$(shell echo $(AWS_REGION) | sed 's/\([a-z]\)[a-z]*-/\1/g')) $(eval S3_BUCKET=v-s3-eks-$(CLUSTER_NAME)-artifacts-$(AWS_ACCOUNT_ID)-$(REGION_SHORT)) $(eval OBJECT_KEY=clusters/$(CLUSTER_NAME)/platform-tg-infra.zip) + $(eval PIPELINE_NAME=eks-$(CLUSTER_NAME)-codepipeline) + + @echo "Stopping any active pipeline executions for $(PIPELINE_NAME)..." + $(eval PIPELINE_EXECUTIONS=$(shell aws codepipeline list-pipeline-executions --pipeline-name $(PIPELINE_NAME) --region $(AWS_REGION) --profile $(AWS_PROFILE) --query "pipelineExecutionSummaries[?status=='InProgress'].pipelineExecutionId" --output text)) + @if [ -n "$(PIPELINE_EXECUTIONS)" ]; then \ + echo "Found active pipeline executions: $(PIPELINE_EXECUTIONS)"; \ + for EXECUTION_ID in $(PIPELINE_EXECUTIONS); do \ + echo "Stopping execution $$EXECUTION_ID..."; \ + aws codepipeline stop-pipeline-execution --pipeline-name $(PIPELINE_NAME) --pipeline-execution-id $$EXECUTION_ID --region $(AWS_REGION) --profile $(AWS_PROFILE) --no-abandon || echo "Warning: Failed to stop execution $$EXECUTION_ID"; \ + done; \ + echo "Waiting for pipeline executions to stop (10 seconds)..."; \ + sleep 10; \ + else \ + echo "No active pipeline executions found."; \ + fi @echo "Uploading to S3 bucket $(S3_BUCKET)..." aws s3 cp platform-tg-infra.zip s3://$(S3_BUCKET)/$(OBJECT_KEY) --profile $(AWS_PROFILE) --sse aws:kms @echo "Upload complete. Pipeline should trigger automatically." @echo "Calculating pipeline URL..." - $(eval PIPELINE_NAME=eks-$(CLUSTER_NAME)-codepipeline) $(eval PIPELINE_URL=https://console.amazonaws-us-gov.com/codesuite/codepipeline/pipelines/$(PIPELINE_NAME)/view?region=$(AWS_REGION)) @echo "Pipeline URL: $(PIPELINE_URL)" @echo "You can access the pipeline directly at the URL above." diff --git a/docs/terragrunt.stack.hcl b/docs/terragrunt.stack.hcl index 432fa286..69d52333 100644 --- a/docs/terragrunt.stack.hcl +++ b/docs/terragrunt.stack.hcl 
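Review bot: In the added stop-executions block of `deploy-to-pipeline`, a failed `stop-pipeline-execution` only prints a warning and a fixed `sleep 10` is the only wait before the upload, so the new artifact can be uploaded while an earlier run is still applying changes. With `--no-abandon` the in-progress actions are allowed to finish, which for an infrastructure apply can take far longer than ten seconds, and the query matches only `InProgress`, not executions already in `Stopping`. Consider failing the target on error (`... --no-abandon || exit 1; \`) and polling `aws codepipeline get-pipeline-execution` until each listed id has left `InProgress`/`Stopping` before `aws s3 cp` runs. The recipe continues outside the hunk.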
@@ -2,7 +2,7 @@ locals { environment = "development" region = "us-gov-east-1" project_name = "csvd-platform-lab-mcm" - base_source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-" + base_source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-" } diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-arcgis/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-arcgis/terragrunt.hcl index 1de845d5..9f8e4599 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-arcgis/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-arcgis/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-ersi-arcgis.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-ersi-arcgis.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl index b4c26286..12a39552 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-cert-mgr.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-cert-mgr.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() 
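Review bot: The transport prefix is hard-coded in every unit's `source`, so flipping `git::https://…/` back to `git@…:` has to touch `docs/terragrunt.stack.hcl` and each `terragrunt.hcl` from eks-arcgis through `eks/terragrunt.hcl`. `docs/terragrunt.stack.hcl` already keeps the prefix in one `base_source` local; exposing the same value once from the root include (for example a `module_source_base` local, a name proposed here) and writing `source = "${include.root.locals.module_source_base}cert-mgr.git?ref=${include.root.inputs.release_version}"` would make the switch a one-line change. If these units are also applied from the CodeBuild pipeline, the SSH form additionally needs the build environment to carry a deploy key and a pre-populated `known_hosts` entry for the Git host rather than disabled host-key checking; none of that setup is visible in this diff.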
diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl index 52d53284..c5e156f7 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-eks-configuration.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks-configuration.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cribl/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cribl/terragrunt.hcl index e77af3cc..58a632c8 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cribl/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cribl/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-cribl.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-cribl.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl index 6d9ecf77..9c622f91 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl 
@@ -16,7 +16,7 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-eks-dns.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks-dns.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl index cff09e4f..14bfc55b 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-gatekeeper.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-gatekeeper.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl index eb034b32..0a556403 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl 
@@ -16,7 +16,7 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-grafana.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-grafana.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl index 10b58436..abf5d616 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-istio.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-istio.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl index 9f8f0850..7a99c7d7 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl 
@@ -16,7 +16,7 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-k8s-dashboard.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-k8s-dashboard.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl index 86c1a338..27f5e8db 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-karpenter.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-karpenter.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl index 37b455cb..7e51f58c 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-keycloak.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-keycloak.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] 
diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl index 6b98bb94..4d8e6682 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-kiali.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-kiali.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl index fda0a90a..99982764 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-loki.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-loki.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl index 894f17ce..7b111bc7 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl 
@@ -16,7 +16,7 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-metrics-server.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-metrics-server.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl index b4d2d67f..7e952c27 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-open-telemetry.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-open-telemetry.git?ref=${include.root.inputs.release_version}" # source = "../../../../../../../tfmod-open-telemetry" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl index 313e49d6..29b4b3a7 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl 
@@ -22,7 +22,7 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-pipeline.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-pipeline.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl index a2ccd14f..77553bef 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-prometheus.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-prometheus.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl index 79810066..a1d16f27 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-tempo.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-tempo.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] 
diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks/terragrunt.hcl index 2d4b4778..97b13fd8 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git::https://github.e.it.census.gov/SCT-Engineering/tfmod-eks.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() From a0e3a4cde3cb8f49800eb20c9efbe8b2a85fe8cd Mon Sep 17 00:00:00 2001 
From: "Matthew C. Morgan" Date: Fri, 16 May 2025 14:33:19 -0400 Subject: [PATCH 118/126] fmt --- .../vpc/csvd-platform-lab-mcm/eks-arcgis/terragrunt.hcl | 2 +- .../csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-cribl/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl | 2 +- .../csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl | 2 +- .../eks-k8s-dashboard/terragrunt.hcl | 2 +- .../csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl | 2 +- .../eks-metrics-server/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl | 2 +- .../csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks/terragrunt.hcl | 2 +- lab/root.hcl | 8 ++++++-- 20 files changed, 25 insertions(+), 21 deletions(-) diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-arcgis/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-arcgis/terragrunt.hcl index 9f8e4599..38cf455e 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-arcgis/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-arcgis/terragrunt.hcl 
@@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-ersi-arcgis.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-ersi-arcgis.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl index 12a39552..569a3554 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-cert-mgr.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-cert-mgr.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl index c5e156f7..49e0ea2f 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks-configuration.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks-configuration.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() 
diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cribl/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cribl/terragrunt.hcl index 58a632c8..d18b1808 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cribl/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cribl/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-cribl.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-cribl.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl index 9c622f91..62d93aff 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks-dns.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks-dns.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl index 14bfc55b..971dd2e9 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl 
@@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-gatekeeper.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-gatekeeper.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl index 0a556403..07cc34d2 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-grafana.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-grafana.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl index abf5d616..9f10168c 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-istio.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-istio.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] 
diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl index 7a99c7d7..9527e5f7 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-k8s-dashboard.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-k8s-dashboard.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl index 27f5e8db..92332552 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-karpenter.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-karpenter.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl index 7e51f58c..f17489ea 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl 
@@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-keycloak.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-keycloak.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl index 4d8e6682..8f19b76d 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-kiali.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-kiali.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl index 99982764..54586f19 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-loki.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-loki.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] 
diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl index 7b111bc7..241bbc5d 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-metrics-server.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-metrics-server.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl index 7e952c27..a8a7d7c4 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-open-telemetry.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-open-telemetry.git?ref=${include.root.inputs.release_version}" # source = "../../../../../../../tfmod-open-telemetry" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl index 29b4b3a7..8de8becd 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl 
+++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl @@ -22,7 +22,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-pipeline.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-pipeline.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl index 77553bef..1cb7f81d 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-prometheus.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-prometheus.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl index a1d16f27..71dd0a10 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl 
@@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-tempo.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-tempo.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks/terragrunt.hcl index 97b13fd8..13ed5d01 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() diff --git a/lab/root.hcl b/lab/root.hcl index 45e079c3..87e23f15 100644 --- a/lab/root.hcl +++ b/lab/root.hcl 
@@ -117,11 +117,15 @@ remote_state { if_exists = "overwrite_terragrunt" } config = { - bucket = "${local.state_bucket_prefix}-${local.account_id}" - use_lockfile = true + bucket = "${local.state_bucket_prefix}-${local.account_id}" + # use_lockfile = true key = "${trimprefix(replace(run_cmd("realpath", get_original_terragrunt_dir()), dirname(get_repo_root()), ""), "/")}/terraform.tfstate" profile = "${local.aws_profile}" region = "${local.aws_region}" + accesslogging_bucket_name = "${local.accesslogging_bucket_name}" + dynamoddb_table = "${local.state_table_name}" + encrypt = false + session_name = "AWSCodeBuild" disable_bucket_update = true skip_bucket_enforced_tls = true # use only if you need to access the S3 bucket without TLS being enforced skip_bucket_public_access_blocking = true From 7ffcbad4b00d2e1509252093a7b0c4bf2a43d220 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Mon, 19 May 2025 15:19:36 -0400 Subject: [PATCH 119/126] state issues --- .github/platform-tg-infra.code-workspace | 3 +++ .../eks-pipeline/terragrunt.hcl | 9 +++++---- lab/root.hcl | 20 ++++--------------- 3 files changed, 12 insertions(+), 20 deletions(-) diff --git a/.github/platform-tg-infra.code-workspace b/.github/platform-tg-infra.code-workspace index 532be343..4b417a35 100644 --- a/.github/platform-tg-infra.code-workspace +++ b/.github/platform-tg-infra.code-workspace @@ -103,6 +103,9 @@ { "name": "243219719746-lab-gov-management-nonprod", "path": "../../243219719746-lab-gov-management-nonprod" + }, + { + "path": "../../../terraform-modules/aws-s3" } ] } diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl index 8de8becd..d459f8d5 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl 
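Review bot: `encrypt = false`, added to the `remote_state` `config` block in `lab/root.hcl`, asks the S3 backend not to encrypt the state object, and the context lines below it already set `skip_bucket_enforced_tls = true` and `skip_bucket_public_access_blocking = true`, so Terragrunt is not enforcing those bucket protections either. State files commonly hold credentials and other sensitive outputs, so prefer `encrypt = true`. The added key `dynamoddb_table` looks like a misspelling of `dynamodb_table`, and the same hunk comments out `use_lockfile`, so as written no lock backend is configured; presumably init either rejects the unknown key or runs without locking. The commit subject is `fmt`, but these added keys change backend behaviour and would be easier to review in a commit of their own.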
@@ -31,10 +31,11 @@ terraform { } inputs = { - account_id = include.root.inputs.aws_account_id - cluster_name = include.root.inputs.cluster_name - environment = include.root.inputs.environment_abbr - region = include.root.inputs.aws_region + account_id = include.root.inputs.aws_account_id + cluster_name = include.root.inputs.cluster_name + environment = include.root.inputs.environment_abbr + region = include.root.inputs.aws_region + state_bucket_prefix = include.root.inputs.state_bucket_prefix # VPC Configuration vpc_name = include.root.inputs.vpc_name diff --git a/lab/root.hcl b/lab/root.hcl index 87e23f15..4dc8e574 100644 --- a/lab/root.hcl +++ b/lab/root.hcl 
@@ -117,22 +117,10 @@ remote_state { if_exists = "overwrite_terragrunt" } config = { - bucket = "${local.state_bucket_prefix}-${local.account_id}" - # use_lockfile = true - key = "${trimprefix(replace(run_cmd("realpath", get_original_terragrunt_dir()), dirname(get_repo_root()), ""), "/")}/terraform.tfstate" - profile = "${local.aws_profile}" - region = "${local.aws_region}" - accesslogging_bucket_name = "${local.accesslogging_bucket_name}" - dynamoddb_table = "${local.state_table_name}" - encrypt = false - session_name = "AWSCodeBuild" - disable_bucket_update = true - skip_bucket_enforced_tls = true # use only if you need to access the S3 bucket without TLS being enforced - skip_bucket_public_access_blocking = true - skip_bucket_root_access = true # use only if the AWS account root user should not have access to the remote state bucket for some reason - skip_bucket_ssencryption = true # use only if non-encrypted OpenTofu/Terraform State is required and/or the object store does not support server-side encryption - skip_bucket_versioning = false # use only if the object store does not support versioning - enable_lock_table_ssencryption = false # use only if non-encrypted DynamoDB Lock Table for the OpenTofu/Terraform State is required and/or the NoSQL database service does not support server-side encryption + bucket = "v-s3-eks-tg-${local.state_bucket_prefix}-${local.account_id}" + key = "${trimprefix(replace(run_cmd("realpath", get_original_terragrunt_dir()), dirname(get_repo_root()), ""), "/")}/terraform.tfstate" + profile = "${local.aws_profile}" + region = "${local.aws_region}" } } From 83282dcee39cf06126bf57d1c9e838da6c749eb6 Mon Sep 17 00:00:00 2001 
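Review bot: After this hunk the `config` block in `lab/root.hcl` sets only `bucket`, `key`, `profile` and `region`, so neither `use_lockfile` nor `dynamodb_table` is present and state locking is not configured, even though the unit files pass `-lock-timeout=20s`. Add `use_lockfile = true` (the setting this file carried earlier in the series) and `encrypt = true`, so locking and encryption are requested explicitly rather than left to bucket defaults. The bucket name also gains the `v-s3-eks-tg-` prefix, which points every unit at a different bucket; existing state presumably has to be migrated first or the next plan starts from empty state. The `remote_state` block begins above the hunk.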
From: "Matthew C. Morgan" Date: Wed, 21 May 2025 15:38:29 -0400 Subject: [PATCH 120/126] update to gitlab --- .github/platform-tg-infra.code-workspace | 7 - Makefile | 128 ++++++++++-------- docs/terragrunt.stack.hcl | 2 +- .../eks-arcgis/terragrunt.hcl | 2 +- .../eks-cert-manager/terragrunt.hcl | 2 +- .../eks-config/terragrunt.hcl | 2 +- .../eks-cribl/terragrunt.hcl | 2 +- .../eks-dns/terragrunt.hcl | 2 +- .../eks-gatekeeper/terragrunt.hcl | 2 +- .../eks-grafana/terragrunt.hcl | 2 +- .../eks-istio/terragrunt.hcl | 2 +- .../eks-k8s-dashboard/terragrunt.hcl | 2 +- .../eks-karpenter/terragrunt.hcl | 2 +- .../eks-keycloak/terragrunt.hcl | 2 +- .../eks-kiali/terragrunt.hcl | 2 +- .../eks-loki/terragrunt.hcl | 2 +- .../eks-metrics-server/terragrunt.hcl | 2 +- .../eks-otel/terragrunt.hcl | 2 +- .../eks-pipeline/terragrunt.hcl | 2 +- .../eks-prometheus/terragrunt.hcl | 2 +- .../eks-tempo/terragrunt.hcl | 2 +- .../csvd-platform-lab-mcm/eks/terragrunt.hcl | 2 +- lab/root.hcl | 23 +++- 23 files changed, 112 insertions(+), 86 deletions(-) diff --git a/.github/platform-tg-infra.code-workspace b/.github/platform-tg-infra.code-workspace index 4b417a35..c41f9134 100644 --- a/.github/platform-tg-infra.code-workspace +++ b/.github/platform-tg-infra.code-workspace @@ -99,13 +99,6 @@ { "name": "tfmod-tempo", "path": "../../tfmod-tempo" - }, - { - "name": "243219719746-lab-gov-management-nonprod", - "path": "../../243219719746-lab-gov-management-nonprod" - }, - { - "path": "../../../terraform-modules/aws-s3" } ] } diff --git a/Makefile b/Makefile index afaa94c9..e4b9e6ea 100644 --- a/Makefile +++ b/Makefile @@ -1,4 +1,8 @@ -.PHONY: help init validate plan fmt check clean deploy-to-pipeline +.PHONY: help config init validate plan fmt check clean deploy-to-pipeline tail +# Default values +ENV ?= development +REGION_DIR ?= us-gov-east-1 +CLUSTER_DIR ?= csvd-platform-lab-mcm help: @echo "Available targets:" 
@@ -9,7 +13,61 @@ help: @echo " check - Run all checks (format, validate, plan)" @echo " clean - Clean up Terragrunt cache and temporary files" @echo " deploy-to-pipeline - Zip and upload to S3 to trigger CodePipeline" + @echo " tail - Tail the logs of the CodeBuild project" +# Shared configuration target that exports all variables +config: + @echo "Loading configuration..." + +# Detect configuration files + $(eval ACCOUNT_HCL=lab/$(ENV)/account.hcl) + $(eval REGION_HCL=lab/$(ENV)/$(REGION_DIR)/region.hcl) + $(eval CLUSTER_HCL=lab/$(ENV)/$(REGION_DIR)/vpc/$(CLUSTER_DIR)/cluster.hcl) + + @if [ ! -f "$(ACCOUNT_HCL)" ]; then echo "Error: $(ACCOUNT_HCL) not found"; exit 1; fi + @if [ ! -f "$(REGION_HCL)" ]; then echo "Error: $(REGION_HCL) not found"; exit 1; fi + @if [ ! -f "$(CLUSTER_HCL)" ]; then echo "Error: $(CLUSTER_HCL) not found"; exit 1; fi + +# Extract values from HCL files + $(eval AWS_ACCOUNT_ID=$(shell grep -oP 'aws_account_id\s*=\s*"\K[^"]+' $(ACCOUNT_HCL))) + $(eval ACCOUNT_NAME=$(shell grep -oP 'account_name\s*=\s*"\K[^"]+' $(ACCOUNT_HCL))) + $(eval AWS_PROFILE=$(shell echo $(AWS_ACCOUNT_ID)-$(shell echo $(ACCOUNT_NAME) | sed 's/-ew/-gov/'))) + $(eval AWS_REGION=$(shell grep -oP 'aws_region\s*=\s*"\K[^"]+' $(REGION_HCL))) + $(eval CLUSTER_NAME=$(shell grep -oP 'cluster_name\s*=\s*"\K[^"]+' $(CLUSTER_HCL))) + +# Calculate derived values + $(eval REGION_SHORT=$(shell echo $(AWS_REGION) | sed 's/\([a-z]\)[a-z]*-/\1/g')) + $(eval S3_BUCKET=v-s3-eks-$(CLUSTER_NAME)-artifacts-$(AWS_ACCOUNT_ID)-$(REGION_SHORT)) + $(eval OBJECT_KEY=clusters/$(CLUSTER_NAME)/platform-tg-infra.zip) + $(eval PIPELINE_NAME=eks-$(CLUSTER_NAME)-codepipeline) + $(eval PIPELINE_URL=https://console.amazonaws-us-gov.com/codesuite/codepipeline/pipelines/$(PIPELINE_NAME)/view?region=$(AWS_REGION)) + +# @echo "Using configuration:" +# @echo " AWS_ACCOUNT_ID: $(AWS_ACCOUNT_ID)" +# @echo " ACCOUNT_NAME: $(ACCOUNT_NAME)" +# @echo " AWS_PROFILE: $(AWS_PROFILE)" +# @echo " AWS_REGION: 
$(AWS_REGION)" +# @echo " CLUSTER_NAME: $(CLUSTER_NAME)" +# @echo " S3_BUCKET: $(S3_BUCKET)" + + @if [ -z "$(AWS_ACCOUNT_ID)" ] || [ -z "$(AWS_PROFILE)" ] || [ -z "$(AWS_REGION)" ] || [ -z "$(CLUSTER_NAME)" ]; then \ + echo "Error: Failed to extract all required variables from HCL files"; \ + exit 1; \ + fi + +# Export variables for child processes + export AWS_ACCOUNT_ID + export ACCOUNT_NAME + export AWS_PROFILE + export AWS_REGION + export CLUSTER_NAME + export REGION_SHORT + export S3_BUCKET + export OBJECT_KEY + export PIPELINE_NAME + export PIPELINE_URL + +# Basic terragrunt operations init: @echo "Initializing Terragrunt configurations..." terragrunt run-all init 
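Review bot: The values that the new `config` target extracts with `grep -oP` are only checked for being non-empty before later targets expand them, unquoted, into the bucket name, the profile and the `aws` command lines, so a stray match or an override of `ENV`, `REGION_DIR` or `CLUSTER_DIR` can send the repository zip to an unintended bucket. A format check beside the existing empty check would catch that, for example `echo "$(AWS_ACCOUNT_ID)" | grep -Eq '^[0-9]{12}$$' || { echo "Error: bad aws_account_id"; exit 1; }`. Make also expands every `$(eval ...)` and `$(shell ...)` in a recipe before its first line runs, so the three `[ ! -f ... ]` guards execute after the greps rather than before them. If the `export` lines are recipe lines (the indentation is not recoverable here), each runs in its own shell and exports nothing; the variables reach other targets through `$(eval)` alone, and a comment should say so.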
@@ -35,43 +93,9 @@ clean: find . -type f -name ".terraform.lock.hcl" -delete find . -type f -name "terragrunt-debug.tfvars.json" -delete -deploy-to-pipeline: +# Pipeline operations that depend on shared config +deploy-to-pipeline: config @echo "Preparing to deploy to pipeline..." - @echo "Detecting environment configuration..." - - # Set defaults or use provided values - $(eval ENV ?= development) - $(eval REGION_DIR ?= us-gov-east-1) - $(eval CLUSTER_DIR ?= csvd-platform-lab-mcm) - - # Detect account variables - $(eval ACCOUNT_HCL=lab/$(ENV)/account.hcl) - $(eval REGION_HCL=lab/$(ENV)/$(REGION_DIR)/region.hcl) - $(eval CLUSTER_HCL=lab/$(ENV)/$(REGION_DIR)/vpc/$(CLUSTER_DIR)/cluster.hcl) - - @if [ ! -f "$(ACCOUNT_HCL)" ]; then echo "Error: $(ACCOUNT_HCL) not found"; exit 1; fi - @if [ ! -f "$(REGION_HCL)" ]; then echo "Error: $(REGION_HCL) not found"; exit 1; fi - @if [ ! -f "$(CLUSTER_HCL)" ]; then echo "Error: $(CLUSTER_HCL) not found"; exit 1; fi - - @echo "Extracting configuration values..." 
- # Extract values from HCL files - $(eval AWS_ACCOUNT_ID=$(shell grep -oP 'aws_account_id\s*=\s*"\K[^"]+' $(ACCOUNT_HCL))) - $(eval ACCOUNT_NAME=$(shell grep -oP 'account_name\s*=\s*"\K[^"]+' $(ACCOUNT_HCL))) - $(eval AWS_PROFILE=$(shell echo $(AWS_ACCOUNT_ID)-$(shell echo $(ACCOUNT_NAME) | sed 's/-ew/-gov/'))) - $(eval AWS_REGION=$(shell grep -oP 'aws_region\s*=\s*"\K[^"]+' $(REGION_HCL))) - $(eval CLUSTER_NAME=$(shell grep -oP 'cluster_name\s*=\s*"\K[^"]+' $(CLUSTER_HCL))) - - @echo "Using configuration:" - @echo " AWS_ACCOUNT_ID: $(AWS_ACCOUNT_ID)" - @echo " ACCOUNT_NAME: $(ACCOUNT_NAME)" - @echo " AWS_PROFILE: $(AWS_PROFILE)" - @echo " AWS_REGION: $(AWS_REGION)" - @echo " CLUSTER_NAME: $(CLUSTER_NAME)" - - @if [ -z "$(AWS_ACCOUNT_ID)" ] || [ -z "$(AWS_PROFILE)" ] || [ -z "$(AWS_REGION)" ] || [ -z "$(CLUSTER_NAME)" ]; then \ - echo "Error: Failed to extract all required variables from HCL files"; \ - exit 1; \ - fi @echo "Copy buildspecs from tfmod-pipeline" mkdir -p ./buildspecs @@ -81,12 +105,6 @@ deploy-to-pipeline: zip -r platform-tg-infra.zip . -x "*.git*" "*.github*" "*.terragrunt-cache*" "*.terraform*" rm -rf ./buildspecs - - @echo "Calculating S3 bucket name..." - $(eval REGION_SHORT=$(shell echo $(AWS_REGION) | sed 's/\([a-z]\)[a-z]*-/\1/g')) - $(eval S3_BUCKET=v-s3-eks-$(CLUSTER_NAME)-artifacts-$(AWS_ACCOUNT_ID)-$(REGION_SHORT)) - $(eval OBJECT_KEY=clusters/$(CLUSTER_NAME)/platform-tg-infra.zip) - $(eval PIPELINE_NAME=eks-$(CLUSTER_NAME)-codepipeline) @echo "Stopping any active pipeline executions for $(PIPELINE_NAME)..." $(eval PIPELINE_EXECUTIONS=$(shell aws codepipeline list-pipeline-executions --pipeline-name $(PIPELINE_NAME) --region $(AWS_REGION) --profile $(AWS_PROFILE) --query "pipelineExecutionSummaries[?status=='InProgress'].pipelineExecutionId" --output text)) 
@@ -94,7 +112,7 @@ deploy-to-pipeline: echo "Found active pipeline executions: $(PIPELINE_EXECUTIONS)"; \ for EXECUTION_ID in $(PIPELINE_EXECUTIONS); do \ echo "Stopping execution $$EXECUTION_ID..."; \ - aws codepipeline stop-pipeline-execution --pipeline-name $(PIPELINE_NAME) --pipeline-execution-id $$EXECUTION_ID --region $(AWS_REGION) --profile $(AWS_PROFILE) --no-abandon || echo "Warning: Failed to stop execution $$EXECUTION_ID"; \ + aws codepipeline stop-pipeline-execution --pipeline-name $(PIPELINE_NAME) --pipeline-execution-id $$EXECUTION_ID --region $(AWS_REGION) --profile $(AWS_PROFILE) --abandon || echo "Warning: Failed to stop execution $$EXECUTION_ID"; \ done; \ echo "Waiting for pipeline executions to stop (10 seconds)..."; \ sleep 10; \ @@ -105,15 +123,19 @@ deploy-to-pipeline: @echo "Uploading to S3 bucket $(S3_BUCKET)..." aws s3 cp platform-tg-infra.zip s3://$(S3_BUCKET)/$(OBJECT_KEY) --profile $(AWS_PROFILE) --sse aws:kms @echo "Upload complete. Pipeline should trigger automatically." + rm -f platform-tg-infra.zip - @echo "Calculating pipeline URL..." - $(eval PIPELINE_URL=https://console.amazonaws-us-gov.com/codesuite/codepipeline/pipelines/$(PIPELINE_NAME)/view?region=$(AWS_REGION)) @echo "Pipeline URL: $(PIPELINE_URL)" @echo "You can access the pipeline directly at the URL above." - - @echo "Cleaning up local zip file..." - rm -f platform-tg-infra.zip - - @echo "Tailing Pipeline Logs:" - @echo "Logs will start once Codebuild runs... this can take a few mins..." - aws logs tail /aws/codebuild/$(CLUSTER_NAME) --follow --format short + @echo "Logs will start once CodeBuild runs... this can take a few minutes..." + $(MAKE) tail + +# Improved tail action using shared config +tail: config + @echo "Tailing Pipeline Logs for cluster $(CLUSTER_NAME):" + aws logs tail /aws/codebuild/$(CLUSTER_NAME) \ + --format short \ + --follow \ + --since 1m \ + --region $(AWS_REGION) \ + --profile $(AWS_PROFILE) 
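Review bot: Changing `stop-pipeline-execution` from `--no-abandon` to `--abandon` in the loop makes the stop abandon in-progress actions instead of letting them finish, so a CodeBuild stage that is presumably partway through a Terragrunt run can be cut off mid-apply. The recipe then sleeps 10 seconds and uploads the new zip, which starts another run against the same state. Keeping `--no-abandon` and polling until no execution is `InProgress` would be safer. If abandoning is intended, record why next to the command, for example `# --abandon: do not wait for the running stage; requires state locking`. The `deploy-to-pipeline` recipe begins and ends outside this hunk.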
diff --git a/docs/terragrunt.stack.hcl b/docs/terragrunt.stack.hcl index 69d52333..9b577ee6 100644 --- a/docs/terragrunt.stack.hcl +++ b/docs/terragrunt.stack.hcl @@ -2,7 +2,7 @@ locals { environment = "development" region = "us-gov-east-1" project_name = "csvd-platform-lab-mcm" - base_source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-" + base_source = "git@gitlab.e.it.census.gov:SCT-Engineering/tfmod-" } diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-arcgis/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-arcgis/terragrunt.hcl index 38cf455e..a695bb41 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-arcgis/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-arcgis/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-ersi-arcgis.git?ref=${include.root.inputs.release_version}" + source = "git@gitlab.e.it.census.gov:SCT-Engineering/tfmod-ersi-arcgis.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl index 569a3554..e614268a 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-cert-mgr.git?ref=${include.root.inputs.release_version}" + source = "git@gitlab.e.it.census.gov:SCT-Engineering/tfmod-cert-mgr.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() 
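Review bot: The module host is a literal inside the `source` string of the `eks-arcgis` hunk and of the same line in every other unit `terragrunt.hcl` this commit touches, so a host move means editing each file, and one missed file would keep pulling module code from the old server. Build the URL from a single root value instead, the way `docs/terragrunt.stack.hcl` already does with `base_source`. Because these lines decide where the applied module code comes from, also confirm that `release_version` resolves to an immutable tag or commit on the new host; its value is not shown in these hunks.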
diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl index 49e0ea2f..d73428fb 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks-configuration.git?ref=${include.root.inputs.release_version}" + source = "git@gitlab.e.it.census.gov:SCT-Engineering/tfmod-eks-configuration.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cribl/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cribl/terragrunt.hcl index d18b1808..d1846e3b 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cribl/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cribl/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-cribl.git?ref=${include.root.inputs.release_version}" + source = "git@gitlab.e.it.census.gov:SCT-Engineering/tfmod-cribl.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl index 62d93aff..2d65caf1 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl 
@@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks-dns.git?ref=${include.root.inputs.release_version}" + source = "git@gitlab.e.it.census.gov:SCT-Engineering/tfmod-eks-dns.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl index 971dd2e9..41836ff8 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-gatekeeper.git?ref=${include.root.inputs.release_version}" + source = "git@gitlab.e.it.census.gov:SCT-Engineering/tfmod-gatekeeper.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl index 07cc34d2..419d74db 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-grafana.git?ref=${include.root.inputs.release_version}" + source = "git@gitlab.e.it.census.gov:SCT-Engineering/tfmod-grafana.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] 
diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl index 9f10168c..6a2a1012 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-istio.git?ref=${include.root.inputs.release_version}" + source = "git@gitlab.e.it.census.gov:SCT-Engineering/tfmod-istio.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl index 9527e5f7..93a01a30 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-k8s-dashboard.git?ref=${include.root.inputs.release_version}" + source = "git@gitlab.e.it.census.gov:SCT-Engineering/tfmod-k8s-dashboard.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl index 92332552..0b0dd165 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl 
@@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-karpenter.git?ref=${include.root.inputs.release_version}" + source = "git@gitlab.e.it.census.gov:SCT-Engineering/tfmod-karpenter.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl index f17489ea..404afbf8 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-keycloak.git?ref=${include.root.inputs.release_version}" + source = "git@gitlab.e.it.census.gov:SCT-Engineering/tfmod-keycloak.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl index 8f19b76d..61cbaead 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-kiali.git?ref=${include.root.inputs.release_version}" + source = "git@gitlab.e.it.census.gov:SCT-Engineering/tfmod-kiali.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] 
diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl index 54586f19..744c0bfa 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-loki.git?ref=${include.root.inputs.release_version}" + source = "git@gitlab.e.it.census.gov:SCT-Engineering/tfmod-loki.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl index 241bbc5d..e4bc0046 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-metrics-server.git?ref=${include.root.inputs.release_version}" + source = "git@gitlab.e.it.census.gov:SCT-Engineering/tfmod-metrics-server.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl index a8a7d7c4..f71fcd76 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl 
@@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-open-telemetry.git?ref=${include.root.inputs.release_version}" + source = "git@gitlab.e.it.census.gov:SCT-Engineering/tfmod-open-telemetry.git?ref=${include.root.inputs.release_version}" # source = "../../../../../../../tfmod-open-telemetry" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl index d459f8d5..d8f50da6 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl @@ -22,7 +22,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-pipeline.git?ref=${include.root.inputs.release_version}" + source = "git@gitlab.e.it.census.gov:SCT-Engineering/tfmod-pipeline.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl index 1cb7f81d..72faad4e 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-prometheus.git?ref=${include.root.inputs.release_version}" + source = "git@gitlab.e.it.census.gov:SCT-Engineering/tfmod-prometheus.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] 
diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl index 71dd0a10..a61d4858 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-tempo.git?ref=${include.root.inputs.release_version}" + source = "git@gitlab.e.it.census.gov:SCT-Engineering/tfmod-tempo.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks/terragrunt.hcl index 13ed5d01..5b82f1bf 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git?ref=${include.root.inputs.release_version}" + source = "git@gitlab.e.it.census.gov:SCT-Engineering/tfmod-eks.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() diff --git a/lab/root.hcl b/lab/root.hcl index 4dc8e574..bb2348fa 100644 --- a/lab/root.hcl +++ b/lab/root.hcl 
@@ -16,7 +16,7 @@ locals { common_vars = read_terragrunt_config(find_in_parent_folders("./_envcommon/common-variables.hcl")) # Automatically load naming prefixes - prefixes = read_terragrunt_config(find_in_parent_folders("./_envcommon/prefixes.hcl")) + prefix_vars = read_terragrunt_config(find_in_parent_folders("./_envcommon/prefixes.hcl")) # Automatically load region-level variables region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl")) @@ -46,6 +46,7 @@ locals { finops_project_number = local.cluster_vars.locals.finops_project_number finops_project_role = local.cluster_vars.locals.finops_project_role is_eks_module = local.module_name == "eks" + prefixes = local.prefix_vars.locals.prefixes is_module_enabled = merge( { for module in local.versions.locals.core_modules : module => true }, local.versions.locals.enabled_modules, 
@@ -111,16 +112,26 @@ generate "helm_provider" { # Configure Terragrunt to automatically store tfstate files in an S3 bucket remote_state { + disable_init = tobool(get_env("TG_DISABLE_INIT", "false")) backend = "s3" generate = { path = "remote_state.backend.tf" if_exists = "overwrite_terragrunt" } config = { - bucket = "v-s3-eks-tg-${local.state_bucket_prefix}-${local.account_id}" - key = "${trimprefix(replace(run_cmd("realpath", get_original_terragrunt_dir()), dirname(get_repo_root()), ""), "/")}/terraform.tfstate" - profile = "${local.aws_profile}" - region = "${local.aws_region}" + bucket = "${local.state_bucket_prefix}-${local.account_id}" + dynamodb_table = "" + key = "${trimprefix(replace(run_cmd("realpath", get_original_terragrunt_dir()), dirname(get_repo_root()), ""), "/")}/terraform.tfstate" + profile = "${local.aws_profile}" + region = "${local.aws_region}" + disable_bucket_update = true + skip_bucket_enforced_tls = true # use only if you need to access the S3 bucket without TLS being enforced + skip_bucket_public_access_blocking = true + skip_bucket_root_access = true # use only if the AWS account root user should not have access to the remote state bucket for some reason + skip_bucket_ssencryption = true # use only if non-encrypted OpenTofu/Terraform State is required and/or the object store does not support server-side encryption + skip_bucket_versioning = true # use only if the object store does not support versioning + enable_lock_table_ssencryption = false # use only if non-encrypted DynamoDB Lock Table for the OpenTofu/Terraform State is required and/or the NoSQL database service does not support server-side encryption + skip_metadata_api_check = true } } @@ -161,7 +172,7 @@ inputs = merge( local.account_vars.locals, local.cluster_vars.locals, local.common_vars.locals, - local.prefixes.locals, + local.prefix_vars.locals, local.region_vars.locals, local.versions.locals, local.vpc_vars.locals, 
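Review bot: The new `config` block in `remote_state` switches off the state-bucket protections Terragrunt would otherwise apply: `skip_bucket_enforced_tls`, `skip_bucket_public_access_blocking`, `skip_bucket_ssencryption`, `skip_bucket_versioning` and `skip_bucket_root_access` are all `true`, and the inline "use only if …" comments do not say which of those conditions actually holds for this bucket. State files can contain secrets and full resource inventories, so unless the bucket is hardened by something outside this repository (not visible in the hunk), leave these at their defaults or give each one a comment naming the external control that replaces it. `dynamodb_table = ""` together with `enable_lock_table_ssencryption = false` also appears to leave the backend without state locking, so two concurrent applies could overwrite each other's state. The `bucket` value drops the `v-s3-eks-tg-` prefix as well, which points existing units at a different bucket; the commit should say how existing state is migrated.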
From 0fbf5379909c472cecf8bac3b4f809a994567436 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 27 May 2025 21:53:37 -0400 Subject: [PATCH 121/126] wip --- .github/platform-tg-infra.code-workspace | 3 +++ .../csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl | 8 ++++++++ lab/root.hcl | 9 +-------- 3 files changed, 12 insertions(+), 8 deletions(-) diff --git a/.github/platform-tg-infra.code-workspace b/.github/platform-tg-infra.code-workspace index c41f9134..1364a854 100644 --- a/.github/platform-tg-infra.code-workspace +++ b/.github/platform-tg-infra.code-workspace @@ -99,6 +99,9 @@ { "name": "tfmod-tempo", "path": "../../tfmod-tempo" + }, + { + "path": "../../243219719746-lab-gov-management-nonprod" } ] } diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl index d8f50da6..11301636 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl @@ -66,6 +66,14 @@ inputs = { compute_type = "BUILD_GENERAL1_MEDIUM" image = "aws/codebuild/amazonlinux-x86_64-standard:5.0" buildspec_path = "security.yml" + environment_variables = { + ARTIFACT_BUCKET = local.artifact_bucket + TERRAGRUNT_PATH = "lab/${include.root.inputs.environment}/${include.root.inputs.aws_region}/vpc/${include.root.inputs.cluster_name}" + REGION = include.root.inputs.aws_region + ENVIRONMENT = include.root.inputs.environment_abbr + AWS_ACCOUNT_ID = include.root.inputs.aws_account_id + PROXY_CONFIG = "http://vlab-proxy.tco.census.gov:3128" + } } approval_configuration = { diff --git a/lab/root.hcl b/lab/root.hcl index bb2348fa..a7fb14ac 100644 --- a/lab/root.hcl +++ b/lab/root.hcl 
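Review bot: In the eks-pipeline hunk, `PROXY_CONFIG = "http://vlab-proxy.tco.census.gov:3128"` hard-codes a lab proxy endpoint in the new `environment_variables` map, while every other entry is derived from `include.root.inputs` or a local. Taking it from a shared input, for example `PROXY_CONFIG = include.root.inputs.<proxy_url>` (placeholder name), keeps the build stage from silently pointing at the lab proxy if this unit is copied to another environment. `ARTIFACT_BUCKET = local.artifact_bucket` depends on a `locals` block that is outside this hunk, so confirm `artifact_bucket` is declared in this file. The enclosing `inputs` block starts and ends outside the hunk.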
@@ -120,18 +120,11 @@ remote_state { } config = { bucket = "${local.state_bucket_prefix}-${local.account_id}" - dynamodb_table = "" + use_lockfile = true key = "${trimprefix(replace(run_cmd("realpath", get_original_terragrunt_dir()), dirname(get_repo_root()), ""), "/")}/terraform.tfstate" profile = "${local.aws_profile}" region = "${local.aws_region}" disable_bucket_update = true - skip_bucket_enforced_tls = true # use only if you need to access the S3 bucket without TLS being enforced - skip_bucket_public_access_blocking = true - skip_bucket_root_access = true # use only if the AWS account root user should not have access to the remote state bucket for some reason - skip_bucket_ssencryption = true # use only if non-encrypted OpenTofu/Terraform State is required and/or the object store does not support server-side encryption - skip_bucket_versioning = true # use only if the object store does not support versioning - enable_lock_table_ssencryption = false # use only if non-encrypted DynamoDB Lock Table for the OpenTofu/Terraform State is required and/or the NoSQL database service does not support server-side encryption - skip_metadata_api_check = true } } From 51f796f9f21ad16c4c82c8f8f50344c4fafa4720 Mon Sep 17 00:00:00 2001 
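Review bot: `use_lockfile = true` moves state locking to the S3 backend's native lock object, which only recent Terraform/OpenTofu releases support, and nothing in the hunk records the minimum version or the extra permissions this needs. A comment above the setting such as `# S3-native locking: needs a Terraform/OpenTofu release that supports use_lockfile, plus put/delete rights on the .tflock object` would document the requirement for whoever runs this with an older binary or a narrower role. `disable_bucket_update = true` is kept, so removing the `skip_bucket_*` lines may not by itself make Terragrunt re-apply encryption, versioning or the TLS-only policy to a bucket that already exists; check the bucket's actual settings rather than relying on this change.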
From: "Matthew C. Morgan" Date: Wed, 28 May 2025 13:02:07 -0400 Subject: [PATCH 122/126] back to github --- docs/terragrunt.stack.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-arcgis/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-cribl/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl | 2 +- .../vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl | 2 +- .../us-gov-east-1/vpc/csvd-platform-lab-mcm/eks/terragrunt.hcl | 2 +- 20 files changed, 20 insertions(+), 20 deletions(-) diff --git a/docs/terragrunt.stack.hcl b/docs/terragrunt.stack.hcl index 9b577ee6..69d52333 100644 --- a/docs/terragrunt.stack.hcl +++ b/docs/terragrunt.stack.hcl @@ -2,7 +2,7 @@ locals { environment = "development" region = "us-gov-east-1" project_name = "csvd-platform-lab-mcm" - base_source = "git@gitlab.e.it.census.gov:SCT-Engineering/tfmod-" + base_source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-" } 
diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-arcgis/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-arcgis/terragrunt.hcl index a695bb41..38cf455e 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-arcgis/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-arcgis/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@gitlab.e.it.census.gov:SCT-Engineering/tfmod-ersi-arcgis.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-ersi-arcgis.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl index e614268a..569a3554 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cert-manager/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@gitlab.e.it.census.gov:SCT-Engineering/tfmod-cert-mgr.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-cert-mgr.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl index d73428fb..49e0ea2f 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-config/terragrunt.hcl 
@@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@gitlab.e.it.census.gov:SCT-Engineering/tfmod-eks-configuration.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks-configuration.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cribl/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cribl/terragrunt.hcl index d1846e3b..d18b1808 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cribl/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-cribl/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@gitlab.e.it.census.gov:SCT-Engineering/tfmod-cribl.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-cribl.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl index 2d65caf1..62d93aff 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@gitlab.e.it.census.gov:SCT-Engineering/tfmod-eks-dns.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks-dns.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] 
diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl index 41836ff8..971dd2e9 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-gatekeeper/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@gitlab.e.it.census.gov:SCT-Engineering/tfmod-gatekeeper.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-gatekeeper.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl index 419d74db..07cc34d2 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-grafana/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@gitlab.e.it.census.gov:SCT-Engineering/tfmod-grafana.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-grafana.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl index 6a2a1012..9f10168c 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-istio/terragrunt.hcl 
@@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@gitlab.e.it.census.gov:SCT-Engineering/tfmod-istio.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-istio.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl index 93a01a30..9527e5f7 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-k8s-dashboard/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@gitlab.e.it.census.gov:SCT-Engineering/tfmod-k8s-dashboard.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-k8s-dashboard.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl index 0b0dd165..92332552 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-karpenter/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@gitlab.e.it.census.gov:SCT-Engineering/tfmod-karpenter.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-karpenter.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() 
diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl index 404afbf8..f17489ea 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-keycloak/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@gitlab.e.it.census.gov:SCT-Engineering/tfmod-keycloak.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-keycloak.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl index 61cbaead..8f19b76d 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-kiali/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@gitlab.e.it.census.gov:SCT-Engineering/tfmod-kiali.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-kiali.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl index 744c0bfa..54586f19 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-loki/terragrunt.hcl 
@@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@gitlab.e.it.census.gov:SCT-Engineering/tfmod-loki.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-loki.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl index e4bc0046..241bbc5d 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-metrics-server/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@gitlab.e.it.census.gov:SCT-Engineering/tfmod-metrics-server.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-metrics-server.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl index f71fcd76..a8a7d7c4 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-otel/terragrunt.hcl 
@@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@gitlab.e.it.census.gov:SCT-Engineering/tfmod-open-telemetry.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-open-telemetry.git?ref=${include.root.inputs.release_version}" # source = "../../../../../../../tfmod-open-telemetry" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl index 11301636..7eabddb5 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl @@ -22,7 +22,7 @@ exclude { } terraform { - source = "git@gitlab.e.it.census.gov:SCT-Engineering/tfmod-pipeline.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-pipeline.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl index 72faad4e..1cb7f81d 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-prometheus/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@gitlab.e.it.census.gov:SCT-Engineering/tfmod-prometheus.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-prometheus.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] 
diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl index a61d4858..71dd0a10 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-tempo/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@gitlab.e.it.census.gov:SCT-Engineering/tfmod-tempo.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-tempo.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() arguments = ["-lock-timeout=20s"] diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks/terragrunt.hcl index 5b82f1bf..13ed5d01 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks/terragrunt.hcl @@ -16,7 +16,7 @@ exclude { } terraform { - source = "git@gitlab.e.it.census.gov:SCT-Engineering/tfmod-eks.git?ref=${include.root.inputs.release_version}" + source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git?ref=${include.root.inputs.release_version}" extra_arguments "retry_lock" { commands = get_terraform_commands_that_need_locking() From b44121e3b74ed059a6f2b4c4507d2e0376673c96 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Mon, 2 Jun 2025 20:49:02 -0400 Subject: [PATCH 123/126] getting sboms --- Makefile | 16 ++++++++-------- ...agrunt.stack.hcl => terragrunt.stack.hcl.off} | 0 lab/_envcommon/default-versions.hcl | 12 ++++++------ 3 files changed, 14 insertions(+), 14 deletions(-) rename docs/{terragrunt.stack.hcl => terragrunt.stack.hcl.off} (100%) diff --git a/Makefile b/Makefile index e4b9e6ea..a3809c46 100644 
--- a/Makefile +++ b/Makefile @@ -1,4 +1,4 @@ -.PHONY: help config init validate plan fmt check clean deploy-to-pipeline tail +.PHONY: help config init validate plan fmt check clean deploy-to-pipeline tail parse # Default values ENV ?= development REGION_DIR ?= us-gov-east-1 @@ -18,30 +18,30 @@ help: # Shared configuration target that exports all variables config: @echo "Loading configuration..." - + # Detect configuration files $(eval ACCOUNT_HCL=lab/$(ENV)/account.hcl) $(eval REGION_HCL=lab/$(ENV)/$(REGION_DIR)/region.hcl) $(eval CLUSTER_HCL=lab/$(ENV)/$(REGION_DIR)/vpc/$(CLUSTER_DIR)/cluster.hcl) - + @if [ ! -f "$(ACCOUNT_HCL)" ]; then echo "Error: $(ACCOUNT_HCL) not found"; exit 1; fi @if [ ! -f "$(REGION_HCL)" ]; then echo "Error: $(REGION_HCL) not found"; exit 1; fi @if [ ! -f "$(CLUSTER_HCL)" ]; then echo "Error: $(CLUSTER_HCL) not found"; exit 1; fi - + # Extract values from HCL files $(eval AWS_ACCOUNT_ID=$(shell grep -oP 'aws_account_id\s*=\s*"\K[^"]+' $(ACCOUNT_HCL))) $(eval ACCOUNT_NAME=$(shell grep -oP 'account_name\s*=\s*"\K[^"]+' $(ACCOUNT_HCL))) $(eval AWS_PROFILE=$(shell echo $(AWS_ACCOUNT_ID)-$(shell echo $(ACCOUNT_NAME) | sed 's/-ew/-gov/'))) $(eval AWS_REGION=$(shell grep -oP 'aws_region\s*=\s*"\K[^"]+' $(REGION_HCL))) $(eval CLUSTER_NAME=$(shell grep -oP 'cluster_name\s*=\s*"\K[^"]+' $(CLUSTER_HCL))) - + # Calculate derived values $(eval REGION_SHORT=$(shell echo $(AWS_REGION) | sed 's/\([a-z]\)[a-z]*-/\1/g')) $(eval S3_BUCKET=v-s3-eks-$(CLUSTER_NAME)-artifacts-$(AWS_ACCOUNT_ID)-$(REGION_SHORT)) $(eval OBJECT_KEY=clusters/$(CLUSTER_NAME)/platform-tg-infra.zip) $(eval PIPELINE_NAME=eks-$(CLUSTER_NAME)-codepipeline) $(eval PIPELINE_URL=https://console.amazonaws-us-gov.com/codesuite/codepipeline/pipelines/$(PIPELINE_NAME)/view?region=$(AWS_REGION)) - + # @echo "Using configuration:" # @echo " AWS_ACCOUNT_ID: $(AWS_ACCOUNT_ID)" # @echo " ACCOUNT_NAME: $(ACCOUNT_NAME)" 
@@ -49,12 +49,12 @@ config: # @echo " AWS_REGION: $(AWS_REGION)" # @echo " CLUSTER_NAME: $(CLUSTER_NAME)" # @echo " S3_BUCKET: $(S3_BUCKET)" - + @if [ -z "$(AWS_ACCOUNT_ID)" ] || [ -z "$(AWS_PROFILE)" ] || [ -z "$(AWS_REGION)" ] || [ -z "$(CLUSTER_NAME)" ]; then \ echo "Error: Failed to extract all required variables from HCL files"; \ exit 1; \ fi - + # Export variables for child processes export AWS_ACCOUNT_ID export ACCOUNT_NAME diff --git a/docs/terragrunt.stack.hcl b/docs/terragrunt.stack.hcl.off similarity index 100% rename from docs/terragrunt.stack.hcl rename to docs/terragrunt.stack.hcl.off diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index dea122ae..8f837daa 100644 --- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl @@ -44,14 +44,14 @@ locals { # Core modules that should always be enabled (cannot be disabled) core_modules = [ "eks", - "eks-karpenter", - "eks-config", "eks-metrics-server", - "eks-cert-manager", - "eks-istio", - "eks-dns", ] + # "eks-karpenter", + # "eks-config", + # "eks-cert-manager", + # "eks-istio", + # "eks-dns", # Optional modules with their default enablement state enabled_modules = { "eks-arcgis" = false @@ -63,7 +63,7 @@ locals { "eks-kiali" = false "eks-loki" = false "eks-otel" = false - "eks-pipeline" = true + "eks-pipeline" = false "eks-postgresql" = false "eks-prometheus" = false "eks-tempo" = false From 9b8706938b6d2080746e3f058f57667d2adeb466 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 3 Jun 2025 15:03:56 -0400 Subject: [PATCH 124/126] skip if in codebuild --- .../vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl index 7eabddb5..f6e930ca 100644 
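Review bot: In `lab/_envcommon/default-versions.hcl`, the first hunk keeps the comment `# Core modules that should always be enabled (cannot be disabled)` above a `core_modules` list that now contains only `eks` and `eks-metrics-server`. The karpenter, config, cert-manager, istio and dns entries are parked as comments after the closing bracket, so the comment and the list now contradict each other. The file sits under `_envcommon`, so the shortened list presumably reaches every cluster that reads it; if this is a temporary state, mark it next to the list, e.g. `# TEMP: core list reduced for debugging, restore before merge`. The second hunk's `"eks-pipeline" = false` needs the same kind of marker. The `locals` block starts and ends outside both hunks.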
--- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl @@ -5,8 +5,9 @@ include "root" { } locals { - # Skip this module if disabled - skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true) + # Skip this module if disabled OR if running in CodeBuild (to avoid circular dependency) + skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true) || get_env("CODEBUILD_BUILD_ID", "") != "" + artifact_bucket = format("%v%v-%v-%v-%v", include.root.inputs.prefixes["eks-s3"], include.root.inputs.cluster_name, From 38b25db1953998e12aac3165a2f2ccf289e57dc3 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Tue, 17 Jun 2025 20:34:06 -0400 Subject: [PATCH 125/126] cleanup/cruft removal --- .checkov.yml | 24 -- .github/platform-tg-infra.code-workspace | 3 - Makefile | 34 +-- configs/node-groups.yaml | 48 ---- configs/resource-quotas.yml | 36 --- lab/_envcommon/default-versions.hcl | 16 +- .../eks-pipeline/terragrunt.hcl | 8 +- lab/root.hcl | 16 +- notes.md | 56 ---- plan.md | 271 ------------------ scripts/import-s3-bucket.sh | 25 -- 11 files changed, 37 insertions(+), 500 deletions(-) delete mode 100644 .checkov.yml delete mode 100644 configs/node-groups.yaml delete mode 100644 configs/resource-quotas.yml delete mode 100644 notes.md delete mode 100644 plan.md delete mode 100644 scripts/import-s3-bucket.sh diff --git a/.checkov.yml b/.checkov.yml deleted file mode 100644 index cc000299..00000000 --- a/.checkov.yml +++ /dev/null 
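Review bot: The new `skip` expression in `eks-pipeline/terragrunt.hcl` treats any non-empty `CODEBUILD_BUILD_ID` as a reason to skip, so the module is silently left out of every CodeBuild run and of any shell where that variable happens to be set. Splitting it into named locals makes the two reasons readable and gives the circular-dependency explanation a place to live: `in_codebuild = get_env("CODEBUILD_BUILD_ID", "") != ""` and `skip = !local.module_enabled || local.in_codebuild`, with `module_enabled` holding the existing `lookup(...)`. That `lookup(..., true)` default also means a module missing from `is_module_enabled` counts as enabled, which is worth a comment. The `locals` block continues past the hunk.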
@@ -1,24 +0,0 @@ -branch: master -download-external-modules: true -evaluate-variables: true -external-checks-dir: - - security/custom_checks -framework: - - terraform - - kubernetes -output: - - cli - - json - - junitxml -skip-check: - - CKV_AWS_79 # Instance Metadata Service Version 1 - - CKV_AWS_130 # Ensure VPC subnets are not assigned public IP by default -quiet: true -compact: true -directory: - - . - - modules/* -secrets-scan-file-type: - - tf - - yaml - - json diff --git a/.github/platform-tg-infra.code-workspace b/.github/platform-tg-infra.code-workspace index 1364a854..c41f9134 100644 --- a/.github/platform-tg-infra.code-workspace +++ b/.github/platform-tg-infra.code-workspace @@ -99,9 +99,6 @@ { "name": "tfmod-tempo", "path": "../../tfmod-tempo" - }, - { - "path": "../../243219719746-lab-gov-management-nonprod" } ] } diff --git a/Makefile b/Makefile index a3809c46..83b9dcca 100644 --- a/Makefile +++ b/Makefile @@ -42,13 +42,13 @@ config: $(eval PIPELINE_NAME=eks-$(CLUSTER_NAME)-codepipeline) $(eval PIPELINE_URL=https://console.amazonaws-us-gov.com/codesuite/codepipeline/pipelines/$(PIPELINE_NAME)/view?region=$(AWS_REGION)) -# @echo "Using configuration:" -# @echo " AWS_ACCOUNT_ID: $(AWS_ACCOUNT_ID)" -# @echo " ACCOUNT_NAME: $(ACCOUNT_NAME)" -# @echo " AWS_PROFILE: $(AWS_PROFILE)" -# @echo " AWS_REGION: $(AWS_REGION)" -# @echo " CLUSTER_NAME: $(CLUSTER_NAME)" -# @echo " S3_BUCKET: $(S3_BUCKET)" + @echo "Using configuration:" + @echo " AWS_ACCOUNT_ID: $(AWS_ACCOUNT_ID)" + @echo " ACCOUNT_NAME: $(ACCOUNT_NAME)" + @echo " AWS_PROFILE: $(AWS_PROFILE)" + @echo " AWS_REGION: $(AWS_REGION)" + @echo " CLUSTER_NAME: $(CLUSTER_NAME)" + @echo " S3_BUCKET: $(S3_BUCKET)" @if [ -z "$(AWS_ACCOUNT_ID)" ] || [ -z "$(AWS_PROFILE)" ] || [ -z "$(AWS_REGION)" ] || [ -z "$(CLUSTER_NAME)" ]; then \ echo "Error: Failed to extract all required variables from HCL files"; \ 
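Review bot: The Makefile hunk at `@@ -42,13 +42,13 @@` turns on seven `@echo` lines that print the account ID, profile name and artifact bucket name on every run of `config`. If the pipeline invokes these targets, those values will also land in its build logs. If the output is only wanted for debugging, gate it on a variable by wrapping the block in `ifdef VERBOSE` / `endif`, or add a comment stating that these identifiers are considered safe to log. The `config` recipe starts and ends outside the hunk.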
@@ -56,16 +56,16 @@ config: fi # Export variables for child processes - export AWS_ACCOUNT_ID - export ACCOUNT_NAME - export AWS_PROFILE - export AWS_REGION - export CLUSTER_NAME - export REGION_SHORT - export S3_BUCKET - export OBJECT_KEY - export PIPELINE_NAME - export PIPELINE_URL + $(eval export AWS_ACCOUNT_ID) + $(eval export ACCOUNT_NAME) + $(eval export AWS_PROFILE) + $(eval export AWS_REGION) + $(eval export CLUSTER_NAME) + $(eval export REGION_SHORT) + $(eval export S3_BUCKET) + $(eval export OBJECT_KEY) + $(eval export PIPELINE_NAME) + $(eval export PIPELINE_URL) # Basic terragrunt operations init: diff --git a/configs/node-groups.yaml b/configs/node-groups.yaml deleted file mode 100644 index 11e09cad..00000000 --- a/configs/node-groups.yaml +++ /dev/null @@ -1,48 +0,0 @@ -nodeGroups: - - name: general-purpose - instanceTypes: - - m6i.xlarge - - m6a.xlarge - - m5.xlarge - minSize: 2 - maxSize: 10 - desiredSize: 2 - labels: - node-type: general - taints: [] - updateConfig: - maxUnavailable: 1 - - - name: compute-optimized - instanceTypes: - - c6i.2xlarge - - c6a.2xlarge - - c5.2xlarge - minSize: 1 - maxSize: 20 - desiredSize: 2 - labels: - node-type: compute - taints: - - key: workload - value: batch - effect: NoSchedule - updateConfig: - maxUnavailable: 2 - - - name: memory-optimized - instanceTypes: - - r6i.2xlarge - - r6a.2xlarge - - r5.2xlarge - minSize: 1 - maxSize: 10 - desiredSize: 2 - labels: - node-type: memory - taints: - - key: workload - value: memory-intensive - effect: NoSchedule - updateConfig: - maxUnavailable: 1 diff --git a/configs/resource-quotas.yml b/configs/resource-quotas.yml deleted file mode 100644 index 655595d0..00000000 --- a/configs/resource-quotas.yml +++ /dev/null 
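Review bot: The `$(eval export …)` lines in the Makefile hunk at `@@ -56,16 +56,16 @@` take effect only when make expands the `config` recipe, so a target that does not list `config` as a prerequisite will run without `AWS_PROFILE` and the other values in its environment. The existing comment `# Export variables for child processes` should say so, for example `# Exported via $(eval ...) when this recipe is expanded; targets must depend on config`. Whether every target already depends on `config` cannot be checked here, since the recipe starts outside the hunk and the other targets are not shown.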
@@ -1,36 +0,0 @@ -apiVersion: v1 -kind: ResourceQuota -metadata: - name: default-quota -spec: - hard: - requests.cpu: "20" - requests.memory: 40Gi - limits.cpu: "40" - limits.memory: 80Gi - pods: "100" - services: "50" - secrets: "100" - configmaps: "100" - persistentvolumeclaims: "50" - ---- -apiVersion: v1 -kind: LimitRange -metadata: - name: default-limits -spec: - limits: - - type: Container - default: - cpu: 500m - memory: 512Mi - defaultRequest: - cpu: 100m - memory: 256Mi - max: - cpu: "4" - memory: 8Gi - min: - cpu: 50m - memory: 64Mi diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index 8f837daa..ef1849c2 100644 --- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl @@ -45,17 +45,17 @@ locals { core_modules = [ "eks", "eks-metrics-server", + "eks-karpenter", + "eks-config", + "eks-cert-manager", + "eks-istio", + "eks-dns", ] - # "eks-karpenter", - # "eks-config", - # "eks-cert-manager", - # "eks-istio", - # "eks-dns", # Optional modules with their default enablement state enabled_modules = { "eks-arcgis" = false - "eks-cribl" = false + "eks-cribl" = true "eks-gatekeeper" = false "eks-grafana" = false "eks-k8s-dashboard" = false @@ -87,7 +87,7 @@ locals { telemetry_namespace = "telemetry" namespaces = { arcgis = "arcgis" - cert-manager = "kube-system" + cert-manager = "istio-system" cribl = "cribl" gatekeeper = "keycloak" grafana = local.telemetry_namespace @@ -99,7 +99,7 @@ locals { loki = local.telemetry_namespace metrics-server = "kube-system" otel = local.telemetry_namespace - postgresql = "kube-system" + postgresql = "keycloak" prometheus = local.telemetry_namespace tempo = local.telemetry_namespace } diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl index f6e930ca..84f303a7 100644 
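Review bot: Three defaults in `lab/_envcommon/default-versions.hcl` change behaviour inside a commit titled "cleanup/cruft removal": `"eks-cribl" = true`, `cert-manager = "istio-system"` and `postgresql = "keycloak"`. None of them carries a reason. Enabling a module by default presumably affects every cluster that inherits this file, and changing a module's namespace typically means its resources are recreated on clusters where it is already deployed. I would either move these three lines into their own commit or annotate each one, e.g. `# default-on since <ticket/reason>` beside `eks-cribl`. The `locals` block extends beyond all three hunks.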
--- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl @@ -49,9 +49,9 @@ inputs = { buildspec_template_path = "buildspecs" build_configuration = { - compute_type = "BUILD_GENERAL1_MEDIUM" - image = "aws/codebuild/amazonlinux-x86_64-standard:5.0" - buildspec_path = "terragrunt.yml" + compute_type = "BUILD_GENERAL1_LARGE" + image = "aws/codebuild/amazonlinux-x86_64-standard:5.0" + buildspec_path = "build.yml" privileged_mode = true environment_variables = { ARTIFACT_BUCKET = local.artifact_bucket @@ -87,7 +87,7 @@ inputs = { target_type = "Build" compute_type = "BUILD_GENERAL1_MEDIUM" image = "aws/codebuild/amazonlinux-x86_64-standard:5.0" - buildspec_path = "deploy.terragrunt.yml" + buildspec_path = "deploy.yml" environment_variables = { ARTIFACT_BUCKET = local.artifact_bucket TERRAGRUNT_PATH = "lab/${include.root.inputs.environment}/${include.root.inputs.aws_region}/vpc/${include.root.inputs.cluster_name}" diff --git a/lab/root.hcl b/lab/root.hcl index a7fb14ac..847f1487 100644 --- a/lab/root.hcl +++ b/lab/root.hcl @@ -46,7 +46,7 @@ locals { finops_project_number = local.cluster_vars.locals.finops_project_number finops_project_role = local.cluster_vars.locals.finops_project_role is_eks_module = local.module_name == "eks" - prefixes = local.prefix_vars.locals.prefixes + prefixes = local.prefix_vars.locals.prefixes is_module_enabled = merge( { for module in local.versions.locals.core_modules : module => true }, local.versions.locals.enabled_modules, 
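Review bot: Nothing in the build stage of `eks-pipeline/terragrunt.hcl` explains why it still needs `privileged_mode = true` now that the first hunk raises it to `BUILD_GENERAL1_LARGE` and points it at `build.yml`. CodeBuild's privileged mode exists for running Docker inside the build; if `build.yml` does not build or run images, set it to `false`, otherwise record the reason, e.g. `# privileged: build.yml runs docker to produce <artifact>`. The renamed `buildspec_path` values (`build.yml`, `deploy.yml`) appear to be resolved against `buildspec_template_path = "buildspecs"` by a module that is not shown, so confirm both files exist there. The `inputs` block starts and ends outside the hunks.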
@@ -113,18 +113,18 @@ generate "helm_provider" { # Configure Terragrunt to automatically store tfstate files in an S3 bucket remote_state { disable_init = tobool(get_env("TG_DISABLE_INIT", "false")) - backend = "s3" + backend = "s3" generate = { path = "remote_state.backend.tf" if_exists = "overwrite_terragrunt" } config = { - bucket = "${local.state_bucket_prefix}-${local.account_id}" - use_lockfile = true - key = "${trimprefix(replace(run_cmd("realpath", get_original_terragrunt_dir()), dirname(get_repo_root()), ""), "/")}/terraform.tfstate" - profile = "${local.aws_profile}" - region = "${local.aws_region}" - disable_bucket_update = true + bucket = "${local.state_bucket_prefix}-${local.account_id}" + use_lockfile = true + key = "${trimprefix(replace(run_cmd("realpath", get_original_terragrunt_dir()), dirname(get_repo_root()), ""), "/")}/terraform.tfstate" + profile = "${local.aws_profile}" + region = "${local.aws_region}" + disable_bucket_update = true } } diff --git a/notes.md b/notes.md deleted file mode 100644 index 984bfc42..00000000 --- a/notes.md +++ /dev/null 
@@ -1,56 +0,0 @@ -I really like these suggestions, but I want to help shape your suggestions with some prime directives for these tasks: -1. security is paramount. we operate in govcloud and handle titled data. security is the most important consideration. -2. cost control - this is a base cluster for a customer to build on top of for their apps. It is anticipated there will be significant time between initial provisioning and first use. The cheapest possible configuration for secure operations in govcloud. -3. simplicity. ideally, I want to be able to add a single file to an exising git repository (which represents an aws account), and have it spawn this entire cluster definition. -4. maintainability. As in, a minimum amount of effort to maintain,, prioritizing future-proofing in decisions. -5. extensibility. try to keep things modular and able to be glued together as easy as possible. -6. best practices. should probably be higher in this list, but at all times, we should endevour to follow/encourage best practices. -7. testability. we are dealing with eks clusters in aws here. by nature, these are expensive resources. anything we can do to test without creation of resources, or rapid creation and destruction, is encouraged. -8. documentation - including the 5 W's (who, what, when, where, why, and how) - -Given those guidelines, does that change your suggestions? Should we start the code review over with those in mind? 
- -Improvement: Consider adding validation blocks for required variables -Improvement: Add more detailed comments explaining configuration choices -Improvement: Consider tagging strategy for cost allocation -Improvement: Add lifecycle policies for node groups -Warning: Public endpoint access enabled - consider restricting CIDR ranges -Improvement: Add explicit IAM role configurations -Improvement: Implement network policies -# Add to cluster configuration -cluster_security_group_additional_rules = { - ingress_nodes_ephemeral_ports = { - description = "Node to node ephemeral ports" - protocol = "tcp" - from_port = 1025 - to_port = 65535 - type = "ingress" - source_node_security_group = true - } -} -Add CloudWatch logging configuration -Implement proper metrics collection -Set up alerts for cluster health -Improvement: Add more detailed documentation -Improvement: Consider adding test environments -Add README files in each major directory -Document deployment procedures -Add troubleshooting guides -Document network architecture - -resource "aws_eks_cluster" "main" { - # ...existing code... - vpc_config { - endpoint_private_access = true - endpoint_public_access = false # Force private endpoint only - security_group_ids = [aws_security_group.cluster.id] - subnet_ids = var.private_subnet_ids - } - - encryption_config { - provider { - key_arn = aws_kms_key.eks.arn - } - resources = ["secrets"] - } -} diff --git a/plan.md b/plan.md deleted file mode 100644 index bd058fd3..00000000 --- a/plan.md +++ /dev/null 
@@ -1,271 +0,0 @@ -Project Plan: EKS Infrastructure Codebase Improvements -1. Documentation Standardization - - Create centralized documentation standards guide - - Implement standardized README structure across all modules: - * Overview and purpose - * Prerequisites and dependencies - * Usage examples with variables - * Architecture diagrams - * Operations guide - - Establish changelog format using Commitizen convention - - Create architecture diagrams: - * High-level system architecture - * Module relationships - * Network flow diagrams - * Security group configurations - - Develop consistent module examples: - * Basic usage patterns - * Advanced configurations - * Migration guides - * Troubleshooting guides - - Implementation timeline: - * Week 1: Standards guide creation - * Week 2-3: README updates - * Week 4: Diagram creation - * Week 5: Example development - * Week 6: Review and refinement - -2. Security Enhancements - - EKS Security Group Configurations: - * Implement least-privilege access rules - * Restrict node group communication - * Define approved ingress/egress patterns - * Document security group dependencies - - - AWS GovCloud Security Implementation: - * Enable FIPS 140-2 compliant endpoints - * Implement NIST 800-53 controls - * Configure AWS KMS for all sensitive data - * Enable AWS Organizations SCPs - - - Encryption Configurations: - * Enable envelope encryption for secrets - * Implement at-rest encryption for EBS volumes - * Configure TLS for all service communications - * Rotate encryption keys automatically - - - Network Security Policies: - * Define default deny policies - * Create application-specific network policies - * Implement pod security policies - * Configure service mesh security - - - Implementation Timeline: - * Week 1: Security audit and gap analysis - * Week 2: Security group updates - * Week 3: Encryption improvements - * Week 4: Network policy implementation - * Week 5: Testing and validation - * Week 6: Documentation and 
training - -3. Observability Improvements - - Prometheus Configuration Standardization: - * Define standard metric collection rules - * Implement consistent recording rules - * Set up unified alerting rules - * Configure HA architecture - - - Metrics Collection Strategy: - * Define golden signals metrics - * Implement custom metric collectors - * Set up SLO/SLI tracking - * Configure cost metrics collection - - - Logging Framework: - * Implement structured logging - * Configure log aggregation - * Set up log retention policies - * Enable audit logging - - - Grafana Dashboards: - * Create cluster health dashboards - * Implement cost monitoring views - * Set up performance dashboards - * Configure security monitoring panels - - - Implementation Timeline: - * Week 1: Metrics standardization - * Week 2: Logging implementation - * Week 3: Dashboard creation - * Week 4: Alert configuration - * Week 5: Testing and validation - * Week 6: Documentation and training - -4. Infrastructure Optimization - - Node Group Configuration: - * Implement right-sized instance types - * Configure optimal scaling thresholds - * Set up mixed-instance policies - * Define node taints and labels - - - Auto-scaling Strategy: - * Configure Cluster Autoscaler settings - * Implement Karpenter provisioners - * Set up pod disruption budgets - * Define scaling policies - - - Storage Optimization: - * Define storage class specifications - * Implement volume encryption - * Configure backup policies - * Set up snapshot schedules - - - Resource Management: - * Implement namespace quotas - * Define limit ranges - * Configure resource requests/limits - * Set up cost allocation tags - - - Implementation Timeline: - * Week 1: Node group optimization - * Week 2: Auto-scaling implementation - * Week 3: Storage configuration - * Week 4: Resource quotas setup - * Week 5: Testing and validation - * Week 6: Documentation and training - -5. 
Module Organization - - Module Standardization: - * Create consistent module structure - * Implement standard naming conventions - * Define input/output patterns - * Establish version constraints - - - Variable Management: - * Create shared variable definitions - * Implement variable validation rules - * Define default value standards - * Document variable dependencies - - - Version Control: - * Implement semantic versioning - * Create version compatibility matrix - * Define upgrade paths - * Document breaking changes - - - Dependencies: - * Map module relationships - * Document cross-module dependencies - * Define initialization order - * Create dependency graphs - - - Implementation Timeline: - * Week 1: Module structure standardization - * Week 2: Variable management - * Week 3: Version control implementation - * Week 4: Dependency documentation - * Week 5: Testing and validation - * Week 6: Documentation and training - -6. Testing Framework - - Terraform Validation: - * Implement pre-commit hooks - * Configure format checking - * Add variable validation - * Set up static analysis - - - Integration Testing: - * Create test environments - * Implement end-to-end tests - * Configure smoke tests - * Set up regression testing - - - Security Testing: - * Implement security scanners - * Configure compliance checks - * Add vulnerability scanning - * Set up secret detection - - - Test Automation: - * Configure CI/CD pipelines - * Implement test reporting - * Set up coverage tracking - * Create automated rollbacks - - - Implementation Timeline: - * Week 1: Validation framework setup - * Week 2: Integration test development - * Week 3: Security scanning implementation - * Week 4: Automation configuration - * Week 5: Testing and validation - * Week 6: Documentation and training - -Implementation Priority: - - Security Enhancements (Critical) - - Observability Improvements (High) - - Infrastructure Optimization (High) - - Documentation Standardization (Medium) - - Module 
Organization (Medium) - - Testing Framework (Medium) - -Key Metrics: - - Security compliance score - - Resource utilization efficiency - - Documentation coverage - - Test coverage - - Code duplication reduction - - Deployment success rate - -Next Steps: - -1. Security Audit (Week 1-2) - - Perform comprehensive security assessment - * Review IAM roles and permissions - * Audit security group configurations - * Analyze network policies - * Review encryption settings - - Generate security findings report - - Prioritize security improvements - - Create remediation timeline - -2. Implementation Planning (Week 2-3) - - Create detailed project timeline - * Break down tasks by module - * Identify dependencies - * Assign ownership - * Set milestones - - Establish success criteria - - Define rollback procedures - - Create risk mitigation strategies - -3. Testing Pipeline Setup (Week 3-4) - - Configure CI/CD infrastructure - * Set up test environments - * Implement automated testing - * Configure quality gates - * Enable security scanning - - Create test data sets - - Develop test scenarios - - Implement monitoring for test environments - -4. Documentation Enhancement (Week 4-5) - - Audit existing documentation - - Create documentation templates - - Update README files - - Generate architecture diagrams - - Create operational runbooks - - Document emergency procedures - -5. Module Consolidation (Week 5-6) - - Analyze current module structure - - Identify consolidation opportunities - - Create module dependency map - - Plan refactoring phases - - Document migration steps - - Create validation checklist - -6. Validation and Review (Week 6-7) - - Conduct peer reviews - - Perform security validation - - Test documentation accuracy - - Validate monitoring setup - - Review automation effectiveness - - Gather stakeholder feedback - -7. 
Training and Handover (Week 7-8) - - Prepare training materials - - Schedule training sessions - - Document operational procedures - - Create troubleshooting guides - - Set up support channels - - Plan knowledge transfer sessions diff --git a/scripts/import-s3-bucket.sh b/scripts/import-s3-bucket.sh deleted file mode 100644 index 7d55d1c3..00000000 --- a/scripts/import-s3-bucket.sh +++ /dev/null @@ -1,25 +0,0 @@ -#!/bin/bash -set -e - -# Parameters -BUCKET_NAME=$1 -AWS_REGION=$2 -AWS_PROFILE=$3 -MODULE_PATH=$4 - -if [ -z "$BUCKET_NAME" ] || [ -z "$AWS_REGION" ] || [ -z "$AWS_PROFILE" ] || [ -z "$MODULE_PATH" ]; then - echo "Usage: $0 " - echo "Example: $0 inf-s3-my-cluster-artifacts-123456789012-usge us-gov-east-1 123456789012-lab-dev-gov lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/pipeline" - exit 1 -fi - -echo "Importing S3 bucket ${BUCKET_NAME} into Terraform state..." - -cd "${MODULE_PATH}" - -# Initialize Terraform -terragrunt init - -# Import the S3 bucket to Terraform state using module references -terragrunt import module.codepipeline_s3.aws_s3_bucket.this "${BUCKET_NAME}" -echo "✅ Successfully imported S3 bucket ${BUCKET_NAME}" From b8ce9102686678c0a6abfd10d2f80ab1d45d40f8 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Wed, 25 Jun 2025 17:05:18 -0400 Subject: [PATCH 126/126] new cluster updates --- .github/platform-tg-infra.code-workspace | 3 + .github/workflows/package-and-upload.yml | 120 ------------------ lab/_envcommon/default-versions.hcl | 75 ++++++----- .../eks-dns/terragrunt.hcl | 4 +- .../eks-pipeline/terragrunt.hcl | 2 +- lab/root.hcl | 2 +- 6 files changed, 48 insertions(+), 158 deletions(-) delete mode 100644 .github/workflows/package-and-upload.yml diff --git a/.github/platform-tg-infra.code-workspace b/.github/platform-tg-infra.code-workspace index c41f9134..05b26aa5 100644 --- a/.github/platform-tg-infra.code-workspace +++ b/.github/platform-tg-infra.code-workspace 
@@ -99,6 +99,9 @@ { "name": "tfmod-tempo", "path": "../../tfmod-tempo" + }, + { + "path": "../../repo-setup" } ] } diff --git a/.github/workflows/package-and-upload.yml b/.github/workflows/package-and-upload.yml deleted file mode 100644 index 99603664..00000000 --- a/.github/workflows/package-and-upload.yml +++ /dev/null 
@@ -1,120 +0,0 @@ -name: Package and Upload Terragrunt Configs - -on: - push: - branches: [main] - workflow_dispatch: - inputs: - bootstrap: - description: 'Run bootstrap apply' - required: false - default: 'false' - type: choice - options: - - 'true' - - 'false' - -env: - NODE_TLS_REJECT_UNAUTHORIZED: '0' - ACCOUNT_PROFILE_NAME: "lab-dev-gov" - CLUSTER_NAME: "csvd-platform-lab-mcm" - SOURCE_KEY: "platform-tg-infra.zip" - PIPELINE_PATH: "lab/development/us-gov-east-1/vpc/${CLUSTER_NAME}/eks-pipeline" - -permissions: - actions: read - contents: read - id-token: write - -jobs: - package-and-upload: - runs-on: [self-hosted, Linux, X64, buildkitsandbox] - steps: - - name: Checkout code - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - - name: Configure AWS credentials - uses: etools/configure-aws-credentials@main - with: - aws-region: ${{ vars.AWS_REGION }} - role-to-assume: "arn:aws-us-gov:iam::${{ vars.AWS_ACCOUNT_ID }}:role/r-inf-terraform-eks" - role-skip-session-tagging: true - - - name: Add profile credentials to ~/.aws/credentials - run: | - aws configure set aws_region ${{ vars.AWS_REGION }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}" - aws configure set aws_access_key_id ${{ env.AWS_ACCESS_KEY_ID }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}" - aws configure set aws_secret_access_key ${{ env.AWS_SECRET_ACCESS_KEY }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}" - aws configure set aws_session_token ${{ env.AWS_SESSION_TOKEN }} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}" - aws sts get-caller-identity --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}" - - - name: Package Terragrunt configs - run: | - # Create a zip file of the repository contents - zip -r platform-tg-infra.zip . 
-x "*.git*" "*.github*" "*.terragrunt-cache*" "*.terraform*" - - # Calculate bucket name using the same format as in tfmod-pipeline/s3.tf - REGION_SHORT=$(echo ${{ vars.AWS_REGION }} | sed 's/\([a-z]\)[a-z]*-/\1/g') - SOURCE_BUCKET="inf-s3-${CLUSTER_NAME}-artifacts-${{ vars.AWS_ACCOUNT_ID }}-${REGION_SHORT}" - echo "SOURCE_BUCKET=${SOURCE_BUCKET}" >> $GITHUB_ENV - - # Calculate the object key with the cluster-specific path - OBJECT_KEY="clusters/${CLUSTER_NAME}/platform-tg-infra.zip" - echo "OBJECT_KEY=${OBJECT_KEY}" >> $GITHUB_ENV - - # Check if the source bucket exists, create it if it doesn't - if ! aws s3api head-bucket --bucket ${SOURCE_BUCKET} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}" 2>/dev/null; then - echo "Creating source bucket ${SOURCE_BUCKET}" - aws s3 mb s3://${SOURCE_BUCKET} --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}" --region ${{ vars.AWS_REGION }} - - # Configure bucket for versioning - aws s3api put-bucket-versioning --bucket ${SOURCE_BUCKET} \ - --versioning-configuration Status=Enabled \ - --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}" - - # Block public access - aws s3api put-public-access-block --bucket ${SOURCE_BUCKET} \ - --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true \ - --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}" - - # Create a flag file to indicate the bucket needs to be imported - echo "BUCKET_NEEDS_IMPORT=true" >> $GITHUB_ENV - else - echo "Bucket ${SOURCE_BUCKET} already exists" - fi - - # Upload the zip file to S3 - aws s3 cp platform-tg-infra.zip s3://${SOURCE_BUCKET}/${OBJECT_KEY} \ - --profile "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}" - - echo "Uploaded platform-tg-infra.zip to s3://${SOURCE_BUCKET}/${OBJECT_KEY}" - - - name: Make Import Script Executable - if: ${{ github.event.inputs.bootstrap == 'true' && 
env.BUCKET_NEEDS_IMPORT == 'true' }} - run: | - chmod +x scripts/import-s3-bucket.sh - - - name: Bootstrap Pipeline (if requested) - if: ${{ github.event.inputs.bootstrap == 'true' }} - run: | - # If the bucket was just created, import it first - if [ "$BUCKET_NEEDS_IMPORT" = "true" ]; then - echo "Running import for newly created bucket $SOURCE_BUCKET" - ./scripts/import-s3-bucket.sh \ - "$SOURCE_BUCKET" \ - "${{ vars.AWS_REGION }}" \ - "${{ vars.AWS_ACCOUNT_ID }}-${{ env.ACCOUNT_PROFILE_NAME }}" \ - "$PIPELINE_PATH" - fi - - # Now proceed with terragrunt apply - cd $PIPELINE_PATH - https_proxy=http://proxy.tco.census.gov:3128 \ - http_proxy=http://proxy.tco.census.gov:3128 \ - NO_PROXY=.census.gov,169.254.169.254,148.129.0.0/16,10.0.0.0/8,172.16.0/12,.eks.amazonaws.com,.s3.amazonaws.com,.amazonaws.com,.gcr.io,.pkg.dev \ - TERRAGRUNT_PROVIDER_CACHE=1 \ - terragrunt apply --terragrunt-non-interactive -auto-approve - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/lab/_envcommon/default-versions.hcl b/lab/_envcommon/default-versions.hcl index ef1849c2..f2f9e2ae 100644 --- a/lab/_envcommon/default-versions.hcl +++ b/lab/_envcommon/default-versions.hcl 
@@ -14,29 +14,36 @@ locals { module_versions = { "2025.20.04" = { - "eks-arcgis" = false - "eks-cert-manager" = "0.1.6" - "eks-config" = "1.0.4" - "eks-cribl" = "initial" - "eks-dns" = "0.1.3" - "eks-gatekeeper" = "0.0.3" - "eks-grafana" = "0.1.4" - "eks-istio" = "1.0.6" - "eks-k8s-dashboard" = "0.1.3" - "eks-karpenter" = "0.1.4" - "eks-keycloak" = "0.0.7" - "eks-kiali" = "0.1.2" - "eks-loki" = "0.1.3" - "eks-metrics-server" = "0.1.3" - "eks-otel" = "0.0.2" - "eks-pipeline" = "initial" - "eks-postgresql" = false - "eks-prometheus" = "0.1.3" - "eks-tempo" = "0.1.3" - "eks" = "1.0.9" + "eks-arcgis" = false + "eks-cert-manager" = "0.1.9" + "eks-config" = "1.0.5" + "eks-cribl" = "initial" + "eks-dns" = "0.1.3" + "eks-gatekeeper" = "0.0.3" + "eks-grafana" = "0.1.5" + "eks-istio" = "1.0.9" + "tfmod-istio-service-ingress" = "0.1.6" + "eks-k8s-dashboard" = "0.1.4" + "eks-karpenter" = "0.1.6" + "eks-keycloak" = "0.0.8" + "eks-kiali" = "0.1.4" + "eks-loki" = "0.1.4" + "eks-metrics-server" = "0.1.4" + "eks-otel" = "0.0.4" + "eks-pipeline" = "initial" + "eks-postgresql" = false + "eks-prometheus" = "0.1.4" + "eks-tempo" = "0.1.4" + "eks" = "1.0.9" } } + submodule_versions = { + "tfmod-istio-service-ingress" = "0.1.6" + "tfmod-config-job" = "0.1.8" + + } + ##################### # Module Enablement ##################### 
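Review bot: The version of `tfmod-istio-service-ingress` is now declared twice, once inside `module_versions["2025.20.04"]` and once in the new `submodule_versions` map, both as "0.1.6", so a later bump of one leaves the other stale. It is also the only key in the release map that does not follow the `eks-*` naming of its neighbours, which suggests it belongs only in `submodule_versions`; I would drop the `"tfmod-istio-service-ingress" = "0.1.6"` line from the release map. If these values end up as git refs for module sources, `"initial"` for `eks-cribl` and `eks-pipeline` reads like a branch name rather than a fixed tag, so those two would not be pinned to reviewed code. A short comment above the new map, such as `# versions of modules that other modules consume, not deployed as their own unit`, would explain why it is separate (wording for the author to confirm). The `locals` block starts and ends outside the hunk.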
@@ -55,18 +62,18 @@ locals { # Optional modules with their default enablement state enabled_modules = { "eks-arcgis" = false - "eks-cribl" = true - "eks-gatekeeper" = false - "eks-grafana" = false - "eks-k8s-dashboard" = false - "eks-keycloak" = false - "eks-kiali" = false - "eks-loki" = false - "eks-otel" = false + "eks-cribl" = false + "eks-gatekeeper" = true + "eks-grafana" = true + "eks-k8s-dashboard" = true + "eks-keycloak" = true + "eks-kiali" = true + "eks-loki" = true + "eks-otel" = true "eks-pipeline" = false - "eks-postgresql" = false - "eks-prometheus" = false - "eks-tempo" = false + "eks-postgresql" = true + "eks-prometheus" = true + "eks-tempo" = true } ##################### @@ -87,7 +94,7 @@ locals { telemetry_namespace = "telemetry" namespaces = { arcgis = "arcgis" - cert-manager = "istio-system" + cert-manager = "kube-system" cribl = "cribl" gatekeeper = "keycloak" grafana = local.telemetry_namespace @@ -169,7 +176,7 @@ locals { ################ # Keycloak ################ - keycloak_chart_version = "24.4.11" + keycloak_chart_version = "7.0.1" keycloak_tag = "26.0.7" postgresql_tag = "17.4.0-debian-12-r4" postgres_exporter_tag = "0.17.1-debian-12-r0" @@ -216,7 +223,7 @@ locals { # # postgres_exporter_tag = local.postgres_exporter_tag # postgresql_repmgr_tag = "17.4.0-alpine" # pgpool_tag = "4.5.5" - # postgresql_chart_version = "15.3.0" + postgresql_chart_version = "16.5.0" ################ # Prometheus diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl index 62d93aff..feecb987 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-dns/terragrunt.hcl 
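Review bot: `"eks-postgresql" = true` turns the module on by default, but the release map earlier in this file still has `"eks-postgresql" = false` under "2025.20.04", so the module is enabled without a version to resolve. How the two maps are combined is not visible here; if the version is used to build the module ref, either give it a version in the release map or keep `"eks-postgresql" = false` until one exists. The last hunk of this file has a related oddity: it activates `postgresql_chart_version = "16.5.0"` while the neighbouring `postgresql_repmgr_tag` and `pgpool_tag` lines stay commented out. Because this is `_envcommon`, the ten modules switched on here presumably become the default for every environment that includes the file, which deserves a line in the commit message.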
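Review bot: Moving cert-manager to `cert-manager = "kube-system"` places a controller that handles certificate private keys next to the cluster's own system components, where namespace-scoped RBAC and network policy can no longer separate them. kube-system is also commonly excluded from admission policy, and this commit switches Gatekeeper on by default, so the workload may end up outside the constraints being introduced (that exemption is not visible here and should be checked). A dedicated namespace, `cert-manager = "cert-manager"`, keeps the blast radius narrow. The unchanged neighbour `gatekeeper = "keycloak"` looks like a copy-paste slip and now matters because Gatekeeper is enabled; `gatekeeper = "gatekeeper-system"` is the conventional value. The `namespaces` map continues outside the hunk.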
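Review bot: `keycloak_chart_version = "7.0.1"` needs a comment saying which chart it refers to. Dropping from 24.4.11 to 7.0.1 while `keycloak_tag` stays at "26.0.7" reads as a switch to a different chart rather than a downgrade, and nothing in this file records that. The `-debian-12-` suffixes on `postgresql_tag` and `postgres_exporter_tag` just below may belong to the previous chart's image family and should be checked against the new one. Suggested comment: `# chart: <chart repository/name>; keycloak_tag must be an image this chart supports`.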
@@ -32,7 +32,7 @@ dependency "eks" { } } -dependency "eks_istio" { +dependency "eks-istio" { config_path = "../eks-istio" mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"] mock_outputs = { @@ -61,7 +61,7 @@ inputs = { cluster_name = include.root.inputs.cluster_name # Network Configuration - istio_ingress_lb = dependency.eks_istio.outputs.istio_ingress_lb + istio_ingress_lb = dependency.eks-istio.outputs.istio_ingress_lb route53_endpoints = include.root.inputs.route53_endpoints vpc_domain_name = include.root.inputs.vpc_domain_name vpc_name = include.root.inputs.vpc_name diff --git a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl index 84f303a7..8d705a73 100644 --- a/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl +++ b/lab/development/us-gov-east-1/vpc/csvd-platform-lab-mcm/eks-pipeline/terragrunt.hcl @@ -50,7 +50,7 @@ inputs = { build_configuration = { compute_type = "BUILD_GENERAL1_LARGE" - image = "aws/codebuild/amazonlinux-x86_64-standard:5.0" + image = "aws/codebuild/amazonlinux-x86_64-standard:5.0" buildspec_path = "build.yml" privileged_mode = true environment_variables = { diff --git a/lab/root.hcl b/lab/root.hcl index 847f1487..b0666374 100644 --- a/lab/root.hcl +++ b/lab/root.hcl @@ -100,7 +100,7 @@ generate "helm_provider" { if_exists = "overwrite_terragrunt" contents = local.is_eks_module ? "" : <<-EOF provider "helm" { - kubernetes { + kubernetes = { host = local.cluster_exists ? data.aws_eks_cluster.this[0].endpoint : "https://dummy" cluster_ca_certificate = local.cluster_exists ? base64decode(data.aws_eks_cluster.this[0].certificate_authority[0].data) : null token = local.cluster_exists ? data.aws_eks_cluster_auth.this[0].token : "dummy"
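Review bot: `kubernetes = {` in the generated `provider "helm"` block is the attribute form accepted by the Helm provider from its 3.x series on, while 2.x expects the `kubernetes {` block being removed here, and this hunk shows no matching version constraint. Since the template is generated into every module where `local.is_eks_module` is false, a module that still resolves a 2.x provider will likely fail at plan time with an unsupported-argument error. Pin the provider alongside this change, for example `helm = { source = "hashicorp/helm", version = "~> 3.0" }` in the generated `required_providers`, if it is not already pinned outside this hunk. The heredoc and the `provider "helm"` block continue past the end of the hunk.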