SCT-Engineering · arnol377 · Jun 26, 2025 · Jun 26, 2025 · Jun 26, 2025
diff --git a/_envcommon/default-versions.hcl b/_envcommon/default-versions.hcl
@@ -40,8 +40,8 @@ locals {
 
   submodule_versions = {
     "tfmod-istio-service-ingress" = "0.1.6"
-    "tfmod-config-job" = "0.1.8"
-    
+    "tfmod-config-job"            = "0.1.8"
+
   }
 
   #####################

diff --git a/ansible/README.md b/ansible/README.md
@@ -138,7 +138,7 @@ The tool generates the following directory structure:
 
 ```
 <environment>/
-├── environment.hcl
+├── root.hcl
 └── <region>/
     ├── region.hcl
     └── vpc/
@@ -204,4 +204,4 @@ Contributions are welcome! Please feel free to submit a Pull Request.
 
 ## License
 
-See the LICENSE file for details.
+See the LICENSE file for details.
diff --git a/ansible/templates/account.hcl.j2 b/ansible/templates/account.hcl.j2
@@ -5,7 +5,7 @@
 locals {
   account_name     = "{{ account_name }}"
   aws_account_id   = "{{ aws_account_id }}"
-  aws_profile      = "{{ aws_profile }}"
+  aws_profile      = format("%v-%v", local.aws_account_id, replace(local.account_name, "-ew", "-gov"))
   environment      = "{{ environment }}"
   environment_abbr = "{{ environment_abbr }}"
-}
+}
diff --git a/ansible/templates/cluster.hcl.j2 b/ansible/templates/cluster.hcl.j2
@@ -1,29 +1,19 @@
 locals {
   # Cluster specific configuration
-  cluster_endpoint_public_access           = {{ cluster_endpoint_public_access | lower }}
-  cluster_name                             = "{{ cluster_name }}"
-  cluster_mailing_list                     = "{{ cluster_mailing_list }}"
-  eks_instance_disk_size                   = {{ eks_instance_disk_size }}
-  eks_ng_desired_size                      = {{ eks_ng_desired_size }}
-  eks_ng_max_size                          = {{ eks_ng_max_size }}
-  eks_ng_min_size                          = {{ eks_ng_min_size }}
-  enable_cluster_creator_admin_permissions = {{ enable_cluster_creator_admin_permissions | lower }}
+  cluster_name              = {{ cluster_name }}
+  cluster_mailing_list      = {{ cluster_mailing_list }}
+  eks_instance_disk_size    = {{ eks_instance_disk_size }}
+  eks_ng_desired_size       = {{ eks_ng_desired_size }}
+  eks_ng_max_size           = {{ eks_ng_max_size }}
+  eks_ng_min_size           = {{ eks_ng_min_size }}
+  organization              = {{ organization }}
+  finops_project_name       = {{ finops_project_name }}
+  finops_project_number     = {{ finops_project_number }}
+  finops_project_role       = {{ finops_project_role }}
   tags = {
 {% for key, value in tags.items() %}
     "{{ key }}" = "{{ value }}"
 {% endfor %}
   }
-
-  # Common configuration
-  common_retry_args = {
-    commands  = get_terraform_commands_that_need_locking()
-    arguments = ["-lock-timeout=20m"]
-  }
-
-  common_dependencies = ["../eks", "../eks-config"]
-
-  common_mock_eks = {
-    cluster_name      = "mock-cluster"
-    oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
-  }
-}
+  module_enablement_overrides = {{ module_enablement_overrides }}
+}
diff --git a/ansible/templates/root.hcl.j2 b/ansible/templates/root.hcl.j2
@@ -1,20 +1,22 @@
-# root.hcl
-
+# {{environment}}/root.hcl
 # ---------------------------------------------------------------------------------------------------------------------
 # TERRAGRUNT CONFIGURATION
 # Terragrunt is a thin wrapper for Terraform that provides extra tools for working with multiple Terraform modules,
 # remote state, and locking: https://github.com/gruntwork-io/terragrunt
 # ---------------------------------------------------------------------------------------------------------------------
 locals {
-  # Automatically load account-level variables
-  account_vars = read_terragrunt_config(find_in_parent_folders("environment.hcl"))
+  # Automatically load account-level variables (NOTE: In our environment account = environment so there is not separate environment layer)
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
 
   # Automatically load cluster-level variables
   cluster_vars = read_terragrunt_config(find_in_parent_folders("cluster.hcl"))
 
   # Automatically load _envcommon, cross account and environment common variables
   common_vars = read_terragrunt_config(find_in_parent_folders("./_envcommon/common-variables.hcl"))
 
+  # Automatically load naming prefixes
+  prefix_vars = read_terragrunt_config(find_in_parent_folders("./_envcommon/prefixes.hcl"))
+
   # Automatically load region-level variables
   region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
 
@@ -24,21 +26,36 @@ locals {
   # Automatically load vpc-level variables
   vpc_vars = read_terragrunt_config(find_in_parent_folders("vpc.hcl"))
 
+  # Add any other locals you want to expose
+  # only expose things not already included via local.xxx_vars.locals.*
+  root_locals_for_inputs = {
+    is_module_enabled = local.is_module_enabled
+    module_name       = local.module_name
+  }
+
   # Extract the variables we need for easy access
-  account_id          = local.account_vars.locals.aws_account_id
-  aws_profile         = local.account_vars.locals.aws_profile
-  aws_region          = local.region_vars.locals.aws_region
-  cluster_name        = local.cluster_vars.locals.cluster_name
-  environment_abbr    = local.account_vars.locals.environment_abbr
-  organization        = local.common_vars.locals.organization
-  project_name        = local.common_vars.locals.project_name
-  project_number      = local.common_vars.locals.project_number
-  project_role        = local.common_vars.locals.project_role
+  account_id            = local.account_vars.locals.aws_account_id
+  account_name          = local.account_vars.locals.account_name
+  aws_profile           = local.account_vars.locals.aws_profile
+  aws_region            = local.region_vars.locals.aws_region
+  cluster_name          = local.cluster_vars.locals.cluster_name
+  eecr_info             = local.common_vars.locals.eecr_info
+  environment_abbr      = local.account_vars.locals.environment_abbr
+  finops_project_name   = local.cluster_vars.locals.finops_project_name
+  finops_project_number = local.cluster_vars.locals.finops_project_number
+  finops_project_role   = local.cluster_vars.locals.finops_project_role
+  is_eks_module         = local.module_name == "eks"
+  prefixes              = local.prefix_vars.locals.prefixes
+  is_module_enabled = merge(
+    { for module in local.versions.locals.core_modules : module => true },
+    local.versions.locals.enabled_modules,
+    local.module_overrides
+  )
+  module_name         = basename(get_original_terragrunt_dir())
+  module_overrides    = local.cluster_vars.locals.module_enablement_overrides
+  organization        = local.cluster_vars.locals.organization
   state_bucket_prefix = local.common_vars.locals.state_bucket_prefix
   state_table_name    = local.common_vars.locals.state_table_name
-  # Check if current module is the EKS module
-  module_name   = basename(get_original_terragrunt_dir())
-  is_eks_module = local.module_name == "eks"
 }
 
 # Only generate providers for non-EKS modules
@@ -82,7 +99,7 @@ generate "helm_provider" {
   if_exists = "overwrite_terragrunt"
   contents  = local.is_eks_module ? "" : <<-EOF
     provider "helm" {
-      kubernetes {
+      kubernetes = {
         host                   = local.cluster_exists ? data.aws_eks_cluster.this[0].endpoint : "https://dummy"
         cluster_ca_certificate = local.cluster_exists ? base64decode(data.aws_eks_cluster.this[0].certificate_authority[0].data) : null
         token                  = local.cluster_exists ? data.aws_eks_cluster_auth.this[0].token : "dummy"
@@ -93,24 +110,19 @@ generate "helm_provider" {
 
 # Configure Terragrunt to automatically store tfstate files in an S3 bucket
 remote_state {
-  backend = "s3"
+  disable_init = tobool(get_env("TG_DISABLE_INIT", "false"))
+  backend      = "s3"
   generate = {
     path      = "remote_state.backend.tf"
     if_exists = "overwrite_terragrunt"
   }
   config = {
-    bucket                             = "${local.state_bucket_prefix}-${local.account_id}"
-    dynamodb_table                     = "${local.state_table_name}"
-    key                                = "${trimprefix(replace(run_cmd("realpath", get_original_terragrunt_dir()), dirname(get_repo_root()), ""), "/")}/terraform.tfstate"
-    profile                            = "${local.aws_profile}"
-    region                             = "${local.aws_region}"
-    disable_bucket_update              = true
-    skip_bucket_enforced_tls           = true
-    skip_bucket_public_access_blocking = true
-    skip_bucket_root_access            = true
-    skip_bucket_ssencryption           = true
-    skip_bucket_versioning             = false
-    enable_lock_table_ssencryption     = false
+    bucket                = "${local.state_bucket_prefix}-${local.account_id}"
+    use_lockfile          = true
+    key                   = "${trimprefix(replace(run_cmd("realpath", get_original_terragrunt_dir()), dirname(get_repo_root()), ""), "/")}/terraform.tfstate"
+    profile               = "${local.aws_profile}"
+    region                = "${local.aws_region}"
+    disable_bucket_update = true
   }
 }
 
@@ -127,9 +139,9 @@ generate "aws-provider" {
         cluster_name = "${local.cluster_name}"
         "boc:module_name" = "${local.module_name}"
         environment = "${local.environment_abbr}"
-        finops_project_name = "${local.project_name}"
-        finops_project_number = "${local.project_number}"
-        finops_project_role = "${local.project_role}"
+        finops_project_name = "${local.finops_project_name}"
+        finops_project_number = "${local.finops_project_number}"
+        finops_project_role = "${local.finops_project_role}"
         organization = "${local.organization}"
       }
     }
@@ -151,7 +163,9 @@ inputs = merge(
   local.account_vars.locals,
   local.cluster_vars.locals,
   local.common_vars.locals,
+  local.prefix_vars.locals,
   local.region_vars.locals,
   local.versions.locals,
-  local.vpc_vars.locals
-)
+  local.vpc_vars.locals,
+  local.root_locals_for_inputs
+)