diff --git a/_envcommon/default-versions.hcl b/_envcommon/default-versions.hcl index f2f9e2a..20c68b2 100644 --- a/_envcommon/default-versions.hcl +++ b/_envcommon/default-versions.hcl @@ -40,8 +40,8 @@ locals { submodule_versions = { "tfmod-istio-service-ingress" = "0.1.6" - "tfmod-config-job" = "0.1.8" - + "tfmod-config-job" = "0.1.8" + } ##################### diff --git a/ansible/README.md b/ansible/README.md index b1a98fd..b765cdb 100644 --- a/ansible/README.md +++ b/ansible/README.md @@ -138,7 +138,7 @@ The tool generates the following directory structure: ``` / -├── environment.hcl +├── root.hcl └── / ├── region.hcl └── vpc/ @@ -204,4 +204,4 @@ Contributions are welcome! Please feel free to submit a Pull Request. ## License -See the LICENSE file for details. \ No newline at end of file +See the LICENSE file for details. diff --git a/ansible/templates/README.md.j2 b/ansible/templates/README.md.j2 index 906cdb1..f2a5483 100644 --- a/ansible/templates/README.md.j2 +++ b/ansible/templates/README.md.j2 @@ -12,12 +12,12 @@ This EKS cluster configuration was generated on {{ generated_date }} using the t ``` {{ environment }}/ -├── environment.hcl -└── {{ aws_region }}/ +└── root.hcl + {{ aws_region }}/ ├── region.hcl └── vpc/ ├── vpc.hcl - └── cluster/ + └── {{cluster_name }}/ ├── cluster.hcl ├── eks/ │ └── terragrunt.hcl diff --git a/ansible/templates/account.hcl.j2 b/ansible/templates/account.hcl.j2 index a5178d2..b99b3c9 100644 --- a/ansible/templates/account.hcl.j2 +++ b/ansible/templates/account.hcl.j2 @@ -5,7 +5,7 @@ locals { account_name = "{{ account_name }}" aws_account_id = "{{ aws_account_id }}" - aws_profile = "{{ aws_profile }}" + aws_profile = format("%v-%v", local.aws_account_id, replace(local.account_name, "-ew", "-gov")) environment = "{{ environment }}" environment_abbr = "{{ environment_abbr }}" -} \ No newline at end of file +} diff --git a/ansible/templates/cluster.hcl.j2 b/ansible/templates/cluster.hcl.j2 index 9e692f2..3bcdbf9 100644 
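Review bot: The new `aws_profile` derivation in account.hcl.j2 hard-codes an undocumented naming convention — `replace(local.account_name, "-ew", "-gov")` substitutes every occurrence of `-ew`, not just a suffix, and any account whose `account_name` does not follow the scheme silently yields a profile that does not exist. Because this value feeds the backend's `profile = "${local.aws_profile}"`, a mis-derived name fails at init, which is safe, but the next reader cannot tell what the `-ew`→`-gov` mapping means. Add a comment above the line, e.g. `# Profile convention: "<aws_account_id>-<account_name>"; the "-ew" site suffix maps to the "-gov" partition profile and must exist in the operator's AWS config`. If only a trailing `-ew` is meant, anchor it: `replace(local.account_name, "/-ew$/", "-gov")`.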
--- a/ansible/templates/cluster.hcl.j2 +++ b/ansible/templates/cluster.hcl.j2 @@ -1,29 +1,19 @@ locals { # Cluster specific configuration - cluster_endpoint_public_access = {{ cluster_endpoint_public_access | lower }} - cluster_name = "{{ cluster_name }}" - cluster_mailing_list = "{{ cluster_mailing_list }}" - eks_instance_disk_size = {{ eks_instance_disk_size }} - eks_ng_desired_size = {{ eks_ng_desired_size }} - eks_ng_max_size = {{ eks_ng_max_size }} - eks_ng_min_size = {{ eks_ng_min_size }} - enable_cluster_creator_admin_permissions = {{ enable_cluster_creator_admin_permissions | lower }} + cluster_name = {{ cluster_name }} + cluster_mailing_list = {{ cluster_mailing_list }} + eks_instance_disk_size = {{ eks_instance_disk_size }} + eks_ng_desired_size = {{ eks_ng_desired_size }} + eks_ng_max_size = {{ eks_ng_max_size }} + eks_ng_min_size = {{ eks_ng_min_size }} + organization = {{ organization }} + finops_project_name = {{ finops_project_name }} + finops_project_number = {{ finops_project_number }} + finops_project_role = {{ finops_project_role }} tags = { {% for key, value in tags.items() %} "{{ key }}" = "{{ value }}" {% endfor %} } - - # Common configuration - common_retry_args = { - commands = get_terraform_commands_that_need_locking() - arguments = ["-lock-timeout=20m"] - } - - common_dependencies = ["../eks", "../eks-config"] - - common_mock_eks = { - cluster_name = "mock-cluster" - oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock" - } -} \ No newline at end of file + module_enablement_overrides = {{ module_enablement_overrides }} +} diff --git a/ansible/templates/root.hcl.j2 b/ansible/templates/root.hcl.j2 index 45bb83e..9cd698f 100644 --- a/ansible/templates/root.hcl.j2 +++ b/ansible/templates/root.hcl.j2 
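Review bot: The rewritten locals drop the surrounding quotes — `cluster_name = {{ cluster_name }}` and `cluster_mailing_list = {{ cluster_mailing_list }}` render as bare identifiers unless the playbook now passes pre-quoted or JSON-encoded values, while the `tags` loop in the same hunk still quotes key and value. If the intent is to let the playbook pass either literals or expressions, use `| to_json` (valid HCL for strings, numbers, bools and maps, so it also covers `module_enablement_overrides = {{ module_enablement_overrides }}`, which otherwise renders a Python dict repr) or restore the quotes, and state the convention in a header comment. Separately, `cluster_endpoint_public_access` and `enable_cluster_creator_admin_permissions` are removed with no replacement in this hunk, so the EKS module presumably falls back to its own defaults for public endpoint exposure and creator admin access; confirm those defaults are the intended (private / non-admin) ones, or re-add the knobs, and record the decision with `# Endpoint exposure and creator-admin access are fixed by the tfmod defaults, not configurable per cluster`.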
@@ -1,13 +1,12 @@ -# root.hcl - +# {{environment}}/root.hcl # --------------------------------------------------------------------------------------------------------------------- # TERRAGRUNT CONFIGURATION # Terragrunt is a thin wrapper for Terraform that provides extra tools for working with multiple Terraform modules, # remote state, and locking: https://github.com/gruntwork-io/terragrunt # --------------------------------------------------------------------------------------------------------------------- locals { - # Automatically load account-level variables - account_vars = read_terragrunt_config(find_in_parent_folders("environment.hcl")) + # Automatically load account-level variables (NOTE: In our environment account = environment so there is not separate environment layer) + account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl")) # Automatically load cluster-level variables cluster_vars = read_terragrunt_config(find_in_parent_folders("cluster.hcl")) @@ -15,6 +14,9 @@ locals { # Automatically load _envcommon, cross account and environment common variables common_vars = read_terragrunt_config(find_in_parent_folders("./_envcommon/common-variables.hcl")) + # Automatically load naming prefixes + prefix_vars = read_terragrunt_config(find_in_parent_folders("./_envcommon/prefixes.hcl")) + # Automatically load region-level variables region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl")) 
@@ -24,21 +26,36 @@ locals { # Automatically load vpc-level variables vpc_vars = read_terragrunt_config(find_in_parent_folders("vpc.hcl")) + # Add any other locals you want to expose + # only expose things not already included via local.xxx_vars.locals.* + root_locals_for_inputs = { + is_module_enabled = local.is_module_enabled + module_name = local.module_name + } + # Extract the variables we need for easy access - account_id = local.account_vars.locals.aws_account_id - aws_profile = local.account_vars.locals.aws_profile - aws_region = local.region_vars.locals.aws_region - cluster_name = local.cluster_vars.locals.cluster_name - environment_abbr = local.account_vars.locals.environment_abbr - organization = local.common_vars.locals.organization - project_name = local.common_vars.locals.project_name - project_number = local.common_vars.locals.project_number - project_role = local.common_vars.locals.project_role + account_id = local.account_vars.locals.aws_account_id + account_name = local.account_vars.locals.account_name + aws_profile = local.account_vars.locals.aws_profile + aws_region = local.region_vars.locals.aws_region + cluster_name = local.cluster_vars.locals.cluster_name + eecr_info = local.common_vars.locals.eecr_info + environment_abbr = local.account_vars.locals.environment_abbr + finops_project_name = local.cluster_vars.locals.finops_project_name + finops_project_number = local.cluster_vars.locals.finops_project_number + finops_project_role = local.cluster_vars.locals.finops_project_role + is_eks_module = local.module_name == "eks" + prefixes = local.prefix_vars.locals.prefixes + is_module_enabled = merge( + { for module in local.versions.locals.core_modules : module => true }, + local.versions.locals.enabled_modules, + local.module_overrides + ) + module_name = basename(get_original_terragrunt_dir()) + module_overrides = local.cluster_vars.locals.module_enablement_overrides + organization = local.cluster_vars.locals.organization state_bucket_prefix = 
local.common_vars.locals.state_bucket_prefix state_table_name = local.common_vars.locals.state_table_name - # Check if current module is the EKS module - module_name = basename(get_original_terragrunt_dir()) - is_eks_module = local.module_name == "eks" } # Only generate providers for non-EKS modules @@ -82,7 +99,7 @@ generate "helm_provider" { if_exists = "overwrite_terragrunt" contents = local.is_eks_module ? "" : <<-EOF provider "helm" { - kubernetes { + kubernetes = { host = local.cluster_exists ? data.aws_eks_cluster.this[0].endpoint : "https://dummy" cluster_ca_certificate = local.cluster_exists ? base64decode(data.aws_eks_cluster.this[0].certificate_authority[0].data) : null token = local.cluster_exists ? data.aws_eks_cluster_auth.this[0].token : "dummy" @@ -93,24 +110,19 @@ generate "helm_provider" { # Configure Terragrunt to automatically store tfstate files in an S3 bucket remote_state { - backend = "s3" + disable_init = tobool(get_env("TG_DISABLE_INIT", "false")) + backend = "s3" generate = { path = "remote_state.backend.tf" if_exists = "overwrite_terragrunt" } config = { - bucket = "${local.state_bucket_prefix}-${local.account_id}" - dynamodb_table = "${local.state_table_name}" - key = "${trimprefix(replace(run_cmd("realpath", get_original_terragrunt_dir()), dirname(get_repo_root()), ""), "/")}/terraform.tfstate" - profile = "${local.aws_profile}" - region = "${local.aws_region}" - disable_bucket_update = true - skip_bucket_enforced_tls = true - skip_bucket_public_access_blocking = true - skip_bucket_root_access = true - skip_bucket_ssencryption = true - skip_bucket_versioning = false - enable_lock_table_ssencryption = false + bucket = "${local.state_bucket_prefix}-${local.account_id}" + use_lockfile = true + key = "${trimprefix(replace(run_cmd("realpath", get_original_terragrunt_dir()), dirname(get_repo_root()), ""), "/")}/terraform.tfstate" + profile = "${local.aws_profile}" + region = "${local.aws_region}" + disable_bucket_update = true } } 
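Review bot: In `is_module_enabled`, `local.module_overrides` is the last argument to `merge()`, so a per-cluster `module_enablement_overrides` entry can set a `core_modules` member to `false` and disable it, which contradicts the unconditional `module => true` seeding unless core modules are meant to be overridable. If they are mandatory, seed them last — `merge(local.versions.locals.enabled_modules, local.module_overrides, { for m in local.versions.locals.core_modules : m => true })` — or document the precedence above the expression. Also, the local named `is_module_enabled` is a map keyed by module name, not a bool; since it is exported verbatim through `root_locals_for_inputs`, either rename it or add `# map: module_name => bool; consumers must look up local.module_name` so downstream modules do not treat it as a flag. `local.versions` is referenced here but defined outside this hunk.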
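Review bot: Removing the `skip_bucket_*` flags does not make Terragrunt enforce TLS-only access, public-access blocking, SSE or root-access checks on the state bucket, because `disable_bucket_update = true` is kept — the bucket's security configuration is simply never touched and must be guaranteed by whatever provisions `${local.state_bucket_prefix}-${local.account_id}`. Make that ownership explicit: `# Bucket hardening (SSE, TLS-only policy, public access block, versioning) is owned out-of-band; Terragrunt never updates the bucket`. Replacing `dynamodb_table` with `use_lockfile = true` moves locking to S3 conditional writes, which needs Terraform/OpenTofu 1.10+ and a Terragrunt release that supports it; the version pins are not in this diff, so confirm them. `disable_init = tobool(get_env("TG_DISABLE_INIT", "false"))` only accepts `true`/`false` and is an operator-controlled bypass of backend initialisation, so it deserves a one-line comment stating when it is meant to be set.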
@@ -127,9 +139,9 @@ generate "aws-provider" { cluster_name = "${local.cluster_name}" "boc:module_name" = "${local.module_name}" environment = "${local.environment_abbr}" - finops_project_name = "${local.project_name}" - finops_project_number = "${local.project_number}" - finops_project_role = "${local.project_role}" + finops_project_name = "${local.finops_project_name}" + finops_project_number = "${local.finops_project_number}" + finops_project_role = "${local.finops_project_role}" organization = "${local.organization}" } } @@ -151,7 +163,9 @@ inputs = merge( local.account_vars.locals, local.cluster_vars.locals, local.common_vars.locals, + local.prefix_vars.locals, local.region_vars.locals, local.versions.locals, - local.vpc_vars.locals -) \ No newline at end of file + local.vpc_vars.locals, + local.root_locals_for_inputs +)
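Review bot: `inputs` flattens eight locals maps with `merge()`, so any key present in more than one file is resolved silently by position — `prefix_vars.locals` now sits between `common_vars` and `region_vars`, and `root_locals_for_inputs` wins over everything, including a `module_name` or `is_module_enabled` key a cluster.hcl might define. A one-line comment pinning the precedence would prevent accidental shadowing, e.g. `# later maps win: account < cluster < common < prefixes < region < versions < vpc < root_locals_for_inputs`. Note that merging whole `locals` maps also forwards every helper local (e.g. `aws_profile`) as a module input, which is fine as long as the modules declare no variable of the same name with different semantics.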