diff --git a/_envcommon/common-variables.hcl b/_envcommon/common-variables.hcl
index 38cb4c9..89c502a 100644
--- a/_envcommon/common-variables.hcl
+++ b/_envcommon/common-variables.hcl
@@ -6,10 +6,6 @@
 # that are common across all environments/accounts.
 # ---------------------------------------------------------------------------------------------------------------------
 locals {
- organization = "census:ocio:csvd"
- project_name = "csvd_platformbaseline"
- project_number = "fs0000000078"
- project_role = "csvd_platformbaseline_app"
 state_bucket_prefix = "inf-tfstate"
 state_table_name = "tf_remote_state"
 route53_endpoints = {
@@ -20,4 +16,24 @@ locals {
 "us-gov-west-1" = "vpc-08b7b4db6a5ddf9c1"
 }
 }
+ enterprise_ecr_account = {
+ lab = {
+ "account_id" = "269222635945"
+ "alias" = "lab-gov-shared-nonprod"
+ "profile" = "269222635945-lab-gov-shared-nonprod"
+ "region" = "us-gov-east-1"
+ }
+ prod = {
+ "account_id" = "067074201825"
+ "alias" = "ent-gov-shared-prod"
+ "profile" = "067074201825-ent-gov-shared-prod"
+ "region" = "us-gov-east-1"
+ }
+ }
+ eecr_info = {
+ account_id = local.enterprise_ecr_account.lab["account_id"]
+ alias = local.enterprise_ecr_account.lab["alias"]
+ profile = local.enterprise_ecr_account.lab["profile"]
+ region = local.enterprise_ecr_account.lab["region"]
+ }
 }
diff --git a/_envcommon/default-versions.hcl b/_envcommon/default-versions.hcl
index 478dc67..f2f9e2a 100644
--- a/_envcommon/default-versions.hcl
+++ b/_envcommon/default-versions.hcl
@@ -1,14 +1,80 @@
 # lab/_envcommon/default-versions.hcl
 locals {
+ module_name = basename(get_original_terragrunt_dir())
+ release_version = local.module_versions["2025.20.04"][local.module_name]
+
 #####################
 # Module Versions
 #####################
- cluster_version = "1.31"
- custom_service_eks_account = "${local.release_version}"
- eks_module_version = "20.33.1"
- istio_ingress_version = "${local.release_version}"
- release_version = "main" # "main" # change to main when testing updated modules
+ cluster_version = "1.32"
+ custom_service_eks_account = "1.0.0"
+ eks_module_version = "20.36.0"
+ istio_ingress_version = "0.1.3"
+
+ module_versions = {
+ "2025.20.04" = {
+ "eks-arcgis" = false
+ "eks-cert-manager" = "0.1.9"
+ "eks-config" = "1.0.5"
+ "eks-cribl" = "initial"
+ "eks-dns" = "0.1.3"
+ "eks-gatekeeper" = "0.0.3"
+ "eks-grafana" = "0.1.5"
+ "eks-istio" = "1.0.9"
+ "tfmod-istio-service-ingress" = "0.1.6"
+ "eks-k8s-dashboard" = "0.1.4"
+ "eks-karpenter" = "0.1.6"
+ "eks-keycloak" = "0.0.8"
+ "eks-kiali" = "0.1.4"
+ "eks-loki" = "0.1.4"
+ "eks-metrics-server" = "0.1.4"
+ "eks-otel" = "0.0.4"
+ "eks-pipeline" = "initial"
+ "eks-postgresql" = false
+ "eks-prometheus" = "0.1.4"
+ "eks-tempo" = "0.1.4"
+ "eks" = "1.0.9"
+ }
+ }
+
+ submodule_versions = {
+ "tfmod-istio-service-ingress" = "0.1.6"
+ "tfmod-config-job" = "0.1.8"
+
+ }
+
+ #####################
+ # Module Enablement
+ #####################
+
+ # Core modules that should always be enabled (cannot be disabled)
+ core_modules = [
+ "eks",
+ "eks-metrics-server",
+ "eks-karpenter",
+ "eks-config",
+ "eks-cert-manager",
+ "eks-istio",
+ "eks-dns",
+ ]
+
+ # Optional modules with their default enablement state
+ enabled_modules = {
+ "eks-arcgis" = false
+ "eks-cribl" = false
+ "eks-gatekeeper" = true
+ "eks-grafana" = true
+ "eks-k8s-dashboard" = true
+ "eks-keycloak" = true
+ "eks-kiali" = true
+ "eks-loki" = true
+ "eks-otel" = true
+ "eks-pipeline" = false
+ "eks-postgresql" = true
+ "eks-prometheus" = true
+ "eks-tempo" = true
+ }
 #####################
 # TF Providers
@@ -24,21 +90,23 @@ locals {
 #####################
 # Namespaces Config
 #####################
- operator_namespace = "aoperator"
- telemetry_namespace = "atelemetry"
+ operator_namespace = "operator"
+ telemetry_namespace = "telemetry"
 namespaces = {
+ arcgis = "arcgis"
 cert-manager = "kube-system"
+ cribl = "cribl"
+ gatekeeper = "keycloak"
+ grafana = local.telemetry_namespace
+ istio = "istio-system"
+ k8s-dashboard = local.telemetry_namespace
 karpenter = "karpenter"
- metrics-server = "kube-system"
- postgresql = "kube-system"
 keycloak = "keycloak"
- gogatekeeper = "kube-system"
- istio = "istio-system"
 kiali = "istio-system"
- grafana = local.telemetry_namespace
- k8s-dashboard = local.telemetry_namespace
 loki = local.telemetry_namespace
+ metrics-server = "kube-system"
 otel = local.telemetry_namespace
+ postgresql = "keycloak"
 prometheus = local.telemetry_namespace
 tempo = local.telemetry_namespace
 }
@@ -58,11 +126,19 @@ locals {
 cert_manager_version = "1.17.1"
 cert_manager_webhook_tag = "v${local.cert_manager_version}"
+ #####################
+ # Cribl
+ #####################
+ cribl_chart_version = "4.11.1"
+ cribl_app_version = "4.11.1"
+
+
 ################
 # GoGatekeeper
 ################
- gogatekeeper_tag = "3.2.1"
- gogatekeeper_chart_version = "0.1.53"
+ gatekeeper_tag = "3.3.0"
+ gatekeeper_chart_version = "0.1.54"
+ gatekeeper_service_name = "gatekeeper"
 ################
 # Grafana
@@ -71,7 +147,7 @@ locals {
 grafana_operator_chart_version = "4.9.8"
 grafana_operator_tag = "5.16.0"
 grafana_tag = "11.5.2"
- os_shell_image_tag = "12"
+ os_shell_image_tag = local.utilities_tag
 ################
 # Istio
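Review bot: `release_version = local.module_versions["2025.20.04"][local.module_name]` evaluates to the boolean `false` for `eks-arcgis` and `eks-postgresql`, whose entries hold `false` instead of a version string, and it errors for any Terragrunt directory whose basename is not a key of that map. Giving every entry a string (disablement already lives in `enabled_modules`) and guarding the lookup, `release_version = lookup(local.module_versions["2025.20.04"], local.module_name, null)`, avoids both. The literal key `"2025.20.04"` appears twice and reads like a date with month 20; a single `release_train` local with a comment on the naming scheme would remove the duplication and make the typo, if it is one, visible. `istio_ingress_version = "0.1.3"` also disagrees with `"tfmod-istio-service-ingress" = "0.1.6"` in both `module_versions` and `submodule_versions`; if they describe the same module, derive one from the other. The enclosing `locals` block continues past the end of the hunk.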
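Review bot: The `namespaces` key `gogatekeeper` becomes `gatekeeper` here, and `gogatekeeper_tag`/`gogatekeeper_chart_version` become `gatekeeper_tag`/`gatekeeper_chart_version` in the GoGatekeeper hunk below; since `root.hcl` merges `local.versions.locals` straight into `inputs`, a module variable still named `gogatekeeper_*` either falls back to its default or fails as unset, depending on how the module declares it. Worth confirming that `eks-gatekeeper` at the pinned `0.0.3` declares the new names. `gatekeeper = "keycloak"` and `postgresql = "keycloak"` move both workloads out of `kube-system` into the Keycloak namespace, which is a sensible isolation step but deserves a comment next to the entries so it is not read as a copy-paste slip, e.g. `# gatekeeper and postgresql are co-located with keycloak, which they serve`, if that is the intent.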
@@ -83,25 +159,28 @@ locals {
 # k8s-dashboard
 ################
 dashboard_hostname = "dashboard"
- k8s_dashboard_metrics_scraper = "1.0.8"
- k8s_dashboard_version = "6.0.6"
+ k8s_dashboard_version = "v2.7.0"
+ k8s_dashboard_metrics_scraper = "v1.0.9"
+ # dashboard_api_tag = "1.11.1"
+ # dashboard_auth_tag = "1.2.4"
+ # dashboard_metrics_tag = "1.2.2"
+ # dashboard_web_tag = "1.6.2"
+ # dashboard_kong_tag = "3.8"
 ################
 # Karpenter
 ################
- karpenter_helm_chart = "1.3.1"
- karpenter_tag = "1.3.1"
+ karpenter_helm_chart = "1.4.0"
+ karpenter_tag = "1.4.0"
 ################
 # Keycloak
 ################
- keycloak_chart_version = "24.4.11"
- keycloak_tag = "26.1.3"
- keycloak_hostname = "keycloak"
- keycloak_database = "keycloak"
- keycloak_username = "keycloak"
- keycloak_password = "this is my very secure and totally random password horse battery staple now"
- postgresql_tag = "17.4.0-debian-12-r2"
+ keycloak_chart_version = "7.0.1"
+ keycloak_tag = "26.0.7"
+ postgresql_tag = "17.4.0-debian-12-r4"
+ postgres_exporter_tag = "0.17.1-debian-12-r0"
+ utilities_tag = "1.0.3"
 ################
 # Kiali
@@ -114,8 +193,8 @@ locals {
 ################
 loki_chart_version = "6.27.0"
 loki_tag = "3.4.2"
- enterprise_logs_provisioner_tag = "v1.7.0"
- gateway_tag = "1.27-alpine"
+ enterprise_logs_provisioner_tag = "3.4.2"
+ gateway_tag = "1.26.3"
 memcached_tag = "1.6.37"
 exporter_tag = "v0.15.0"
 sidecar_tag = "1.27.4"
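Review bot: `keycloak_tag` moves from `26.1.3` to `26.0.7` and `k8s_dashboard_version` from `6.0.6` to `v2.7.0` with no comment, while `keycloak_chart_version` jumps from `24.4.11` to `7.0.1`; the chart change suggests a switch to a different chart source and the dashboard values look like a switch from chart version to image tag, but neither is recorded. A one-line comment per pin naming the chart repository and, for a downgrade, the reason would make this reviewable, e.g. `# keycloak chart from <repo - fill in>; 26.0.7 pinned until <reason - fill in>`. The five commented-out `dashboard_*_tag` lines are dead configuration and should be removed, and the same unexplained downgrade applies to `tempo_tag` (`2.7.1` to `2.7.0`) in the Tempo hunk. Separately, the `keycloak_password` literal removed here has been in repository history, so it should be treated as exposed and rotated wherever it was actually configured, even if this placeholder value was never deployed.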
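Review bot: `enterprise_logs_provisioner_tag` changes from `v1.7.0` to `3.4.2`, the same value as `loki_tag` on the line above; if the provisioner image is meant to track the Loki release, `enterprise_logs_provisioner_tag = local.loki_tag` keeps them from drifting, and if it is not, the jump from a `v1.x` to a `3.x` tag scheme looks like a different image and needs a comment. `gateway_tag` also drops from `1.27-alpine` to `1.26.3`, a non-alpine tag one minor version older; presumably deliberate, but a short note on why would help the next bump.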
@@ -124,7 +203,27 @@ locals {
 # Metrics Server
 ################
 metrics_server_helm_chart = "3.12.2"
- metrics_server_tag = "0.7.2"
+ metrics_server_tag = "v0.7.2"
+
+ ################
+ # Open Telemetry
+ ################
+ auto_instrumentation_java_version = "2.9.0"
+ collector_contrib_version = "0.113.0-amd64"
+ collector_version = "0.111.0-amd64"
+ otel_helm_version = "0.71.2"
+ otel_version = "0.110.0"
+ rbac_proxy_version = "v0.19.0"
+
+ ################
+ # PostgreSQL
+ ################
+
+ # os_shell_tag = local.utilities_tag
+ # # postgres_exporter_tag = local.postgres_exporter_tag
+ # postgresql_repmgr_tag = "17.4.0-alpine"
+ # pgpool_tag = "4.5.5"
+ postgresql_chart_version = "16.5.0"
 ################
 # Prometheus
@@ -141,5 +240,5 @@ locals {
 # Tempo
 ################
 tempo_chart_version = "1.18.2"
- tempo_tag = "2.7.1"
+ tempo_tag = "2.7.0"
 }
diff --git a/_envcommon/prefixes.hcl b/_envcommon/prefixes.hcl
new file mode 100644
index 0000000..d46f6bb
--- /dev/null
+++ b/_envcommon/prefixes.hcl
@@ -0,0 +1,37 @@
+locals {
+ prefixes = {
+ "ebs" = "v-ebs-"
+ "efs" = "v-efs-"
+ "group" = "g-"
+ "kms" = "k-kms-"
+ "policy" = "p-"
+ "role" = "r-"
+ "s3" = "v-s3-"
+ "security-group" = "" # "sg-"
+ # VPC
+ "customer-gateway" = "cgw-"
+ "dhcp-options" = ""
+ "elastic-ip" = "eip-"
+ "internet-gateway" = "igw-"
+ "log-group" = "lg-"
+ "log-stream" = "lgs-"
+ "nat-gateway" = "nat-"
+ "network-acl" = "nacl-"
+ "route-table" = "route-"
+ "subnet" = ""
+ "vpc-endpoint" = "vpce-"
+ "vpc-peer" = "vpcp-"
+ "vpc" = ""
+ "vpn-connection" = "vpn_"
+ "vpn-gateway" = "vpcg-"
+ # EKS
+ "eks-policy" = "p-eks-"
+ "eks-queue" = "eks-q-"
+ "eks-role" = "r-eks-"
+ "eks-s3" = "v-s3-eks-"
+ "eks-security-group" = "eks-sg-" # "sg-eks-"
+ "eks-user" = "s-eks-"
+ "eks" = "eks-"
+ "eks-event" = "eks-ev-"
+ }
+}
diff --git a/root.hcl b/root.hcl
index 10706ff..b066637 100644
--- a/root.hcl
+++ b/root.hcl
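Review bot: The Open Telemetry pins use three different upstream versions (`collector_contrib_version = "0.113.0-amd64"`, `collector_version = "0.111.0-amd64"`, `otel_version = "0.110.0"`) and two of them bake an `-amd64` architecture suffix into the image tag. If Karpenter is ever allowed to provision arm64 capacity, a pod pinned to an `-amd64` tag will not run there; where the registry publishes a multi-arch manifest, the unsuffixed tag avoids that, so it is worth confirming which registry these resolve against. The skew between the three components also deserves a comment naming the compatibility reason, or a single `otel_version` that the others derive from. The commented-out lines under `# PostgreSQL` (`os_shell_tag`, `postgres_exporter_tag`, `postgresql_repmgr_tag`, `pgpool_tag`) are dead configuration; delete them or point them at the live `utilities_tag`/`postgres_exporter_tag` locals defined under Keycloak.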
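Review bot: `"vpn-connection" = "vpn_"` is the only non-empty prefix in the new map that ends in an underscore; every other value ends in `-`, so names built from this table will be inconsistent, and some AWS resource-name rules reject underscores outright. Unless an existing resource already carries the underscore, `"vpn-connection" = "vpn-"` matches the rest; `"vpn-gateway" = "vpcg-"` likewise reads as if `vgw-` may have been intended, which only the author can confirm. The empty-string entries (`security-group`, `dhcp-options`, `subnet`, `vpc`) silently produce unprefixed names, and the `# "sg-"` hint suggests a deliberate choice, so a comment saying why those are blank would stop a later reader from "fixing" them. The file has no header comment; a line such as `# Naming prefixes, read by root.hcl and exposed to modules as the "prefixes" input` would make its consumer obvious.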
@@ -15,6 +15,9 @@ locals {
 # Automatically load _envcommon, cross account and environment common variables
 common_vars = read_terragrunt_config(find_in_parent_folders("./_envcommon/common-variables.hcl"))
+ # Automatically load naming prefixes
+ prefix_vars = read_terragrunt_config(find_in_parent_folders("./_envcommon/prefixes.hcl"))
+
 # Automatically load region-level variables
 region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
@@ -24,21 +27,36 @@ locals {
 # Automatically load vpc-level variables
 vpc_vars = read_terragrunt_config(find_in_parent_folders("vpc.hcl"))
+ # Add any other locals you want to expose
+ # only expose things not already included via local.xxx_vars.locals.*
+ root_locals_for_inputs = {
+ is_module_enabled = local.is_module_enabled
+ module_name = local.module_name
+ }
+
 # Extract the variables we need for easy access
- account_id = local.account_vars.locals.aws_account_id
- aws_profile = local.account_vars.locals.aws_profile
- aws_region = local.region_vars.locals.aws_region
- cluster_name = local.cluster_vars.locals.cluster_name
- environment_abbr = local.account_vars.locals.environment_abbr
- organization = local.common_vars.locals.organization
- project_name = local.common_vars.locals.project_name
- project_number = local.common_vars.locals.project_number
- project_role = local.common_vars.locals.project_role
+ account_id = local.account_vars.locals.aws_account_id
+ account_name = local.account_vars.locals.account_name
+ aws_profile = local.account_vars.locals.aws_profile
+ aws_region = local.region_vars.locals.aws_region
+ cluster_name = local.cluster_vars.locals.cluster_name
+ eecr_info = local.common_vars.locals.eecr_info
+ environment_abbr = local.account_vars.locals.environment_abbr
+ finops_project_name = local.cluster_vars.locals.finops_project_name
+ finops_project_number = local.cluster_vars.locals.finops_project_number
+ finops_project_role = local.cluster_vars.locals.finops_project_role
+ is_eks_module = local.module_name == "eks"
+ prefixes = local.prefix_vars.locals.prefixes
+ is_module_enabled = merge(
+ { for module in local.versions.locals.core_modules : module => true },
+ local.versions.locals.enabled_modules,
+ local.module_overrides
+ )
+ module_name = basename(get_original_terragrunt_dir())
+ module_overrides = local.cluster_vars.locals.module_enablement_overrides
+ organization = local.cluster_vars.locals.organization
 state_bucket_prefix = local.common_vars.locals.state_bucket_prefix
 state_table_name = local.common_vars.locals.state_table_name
- # Check if current module is the EKS module
- module_name = basename(get_original_terragrunt_dir())
- is_eks_module = local.module_name == "eks"
 }
 # Only generate providers for non-EKS modules
@@ -82,7 +100,7 @@ generate "helm_provider" {
 if_exists = "overwrite_terragrunt"
 contents = local.is_eks_module ? "" : <<-EOF
 provider "helm" {
- kubernetes {
+ kubernetes = {
 host = local.cluster_exists ? data.aws_eks_cluster.this[0].endpoint : "https://dummy"
 cluster_ca_certificate = local.cluster_exists ? base64decode(data.aws_eks_cluster.this[0].certificate_authority[0].data) : null
 token = local.cluster_exists ? data.aws_eks_cluster_auth.this[0].token : "dummy"
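Review bot: `is_module_enabled` gives `local.module_overrides` the last position in `merge(...)`, and `merge` keeps the value from the right-most map, so a cluster's `module_enablement_overrides` can set `eks`, `eks-istio` or any other core module to `false` even though `core_modules` is documented in `default-versions.hcl` as "cannot be disabled". Putting the core map last enforces the documented contract: `is_module_enabled = merge(local.versions.locals.enabled_modules, local.module_overrides, { for m in local.versions.locals.core_modules : m => true })`. `module_name = basename(get_original_terragrunt_dir())` is now computed both here and in `default-versions.hcl`, and both copies reach `inputs` (the `root_locals_for_inputs` copy wins); assuming `local.versions` is the read of that file, this block could use `local.versions.locals.module_name` instead of recomputing it. The `locals` block edited here starts before the hunk.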
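Review bot: `kubernetes = {` is the attribute form introduced with helm provider 3.x; under a 2.x constraint the generated provider block fails to parse, and the provider constraints live in the `# TF Providers` section of `default-versions.hcl`, which is not part of this diff. Worth confirming the constraint was raised alongside this change and recording the dependency on the line itself, e.g. `kubernetes = { # attribute form: requires hashicorp/helm >= 3.0`.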
@@ -94,24 +112,19 @@ generate "helm_provider" {
 # Configure Terragrunt to automatically store tfstate files in an S3 bucket
 remote_state {
- backend = "s3"
+ disable_init = tobool(get_env("TG_DISABLE_INIT", "false"))
+ backend = "s3"
 generate = {
 path = "remote_state.backend.tf"
 if_exists = "overwrite_terragrunt"
 }
 config = {
- bucket = "${local.state_bucket_prefix}-${local.account_id}"
- dynamodb_table = "${local.state_table_name}"
- key = "${trimprefix(replace(run_cmd("realpath", get_original_terragrunt_dir()), dirname(get_repo_root()), ""), "/")}/terraform.tfstate"
- profile = "${local.aws_profile}"
- region = "${local.aws_region}"
- disable_bucket_update = true
- skip_bucket_enforced_tls = true # use only if you need to access the S3 bucket without TLS being enforced
- skip_bucket_public_access_blocking = true
- skip_bucket_root_access = true # use only if the AWS account root user should not have access to the remote state bucket for some reason
- skip_bucket_ssencryption = true # use only if non-encrypted OpenTofu/Terraform State is required and/or the object store does not support server-side encryption
- skip_bucket_versioning = false # use only if the object store does not support versioning
- enable_lock_table_ssencryption = false # use only if non-encrypted DynamoDB Lock Table for the OpenTofu/Terraform State is required and/or the NoSQL database service does not support server-side encryption
+ bucket = "${local.state_bucket_prefix}-${local.account_id}"
+ use_lockfile = true
+ key = "${trimprefix(replace(run_cmd("realpath", get_original_terragrunt_dir()), dirname(get_repo_root()), ""), "/")}/terraform.tfstate"
+ profile = "${local.aws_profile}"
+ region = "${local.aws_region}"
+ disable_bucket_update = true
 }
 }
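Review bot: `disable_init = tobool(get_env("TG_DISABLE_INIT", "false"))` is undocumented and `tobool` accepts only `"true"`/`"false"`, so a value such as `1` or `yes` aborts every Terragrunt run with a conversion error instead of acting as a flag; a comment stating the purpose and accepted values, e.g. `# Set TG_DISABLE_INIT=true to skip remote-state init (accepts only "true"/"false")`, would help, or `contains(["true", "1"], lower(get_env("TG_DISABLE_INIT", "false")))` if a looser parse is wanted. `use_lockfile = true` replaces the DynamoDB lock table with S3-native locking, which needs a Terraform/OpenTofu release that supports it; the `required_version` is not in this diff, so a comment naming the minimum would save the next person a failed init. Dropping the `skip_bucket_*` flags means Terragrunt now applies its default bucket hardening (TLS-only policy, public-access block, SSE) when it creates the bucket, which is the right direction, but as I read `disable_bucket_update = true` an already-existing bucket is not updated retroactively, so existing state buckets should be checked for those settings out of band. `local.state_table_name` is still populated in the `locals` block but no longer referenced now that `dynamodb_table` is gone.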
@@ -128,9 +141,9 @@ generate "aws-provider" {
 cluster_name = "${local.cluster_name}"
 "boc:module_name" = "${local.module_name}"
 environment = "${local.environment_abbr}"
- finops_project_name = "${local.project_name}"
- finops_project_number = "${local.project_number}"
- finops_project_role = "${local.project_role}"
+ finops_project_name = "${local.finops_project_name}"
+ finops_project_number = "${local.finops_project_number}"
+ finops_project_role = "${local.finops_project_role}"
 organization = "${local.organization}"
 }
 }
@@ -152,7 +165,9 @@ inputs = merge(
 local.account_vars.locals,
 local.cluster_vars.locals,
 local.common_vars.locals,
+ local.prefix_vars.locals,
 local.region_vars.locals,
 local.versions.locals,
- local.vpc_vars.locals
+ local.vpc_vars.locals,
+ local.root_locals_for_inputs
 )
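Review bot: `local.root_locals_for_inputs` is merged last, so its `module_name` overrides the `module_name` that `local.versions.locals` now also carries from `default-versions.hcl`; the values are identical today, but the comment on `root_locals_for_inputs` ("only expose things not already included via local.xxx_vars.locals.*") is already violated by that key. Dropping `module_name` from one of the two places, or adding `# module_name intentionally duplicated; this copy wins` here, keeps the merge order from becoming load-bearing by accident. Note that `merge` resolves any other key collision between these seven maps silently in favour of the later map, so a collision check would need to be done by eye when new locals are added.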