feat: move all generated-repo file management into terraform-eks-depl…

…oyment

- Add all 20 eks-module terragrunt.hcl files to templates/eks-modules/;
  these are written verbatim (file()) into the generated repo under
  $env/$region/$vpc/$cluster/<module>/terragrunt.hcl
- Wire templates/eks-modules/ into managed_extra_files via a fileset-based
  local (eks_module_files) merged with the existing rendered_files local
- Set template_repo = null in both defaults.tf and main.tf; all generated
  repo content now flows exclusively through managed_extra_files with no
  GitHub template seeding
- Rename templates/common-variables.hcl and templates/default-versions.hcl
  to *.hcl.tf.tpl to match the existing convention: .tf.tpl = parsed by
  templatefile(), eks-modules/*.hcl = written verbatim
- Update locals.tf references for the renamed template files
- Fix alignment formatting in examples/basic and examples/adsd-tools-dev

defaults.tf

@@ -5,10 +5,11 @@ locals {
   # Dynamic AWS profile generation
   aws_profile = "${var.cluster_config.account_name}-${var.cluster_config.environment_abbr}"
 
-  # Static template values (hidden from users)
+  # template_repo is null — all generated-repo content is managed via managed_extra_files.
+  # template-eks-cluster is a human reference only; it has no automation role.
   repository_defaults = {
-    template       = "template-eks-cluster"
-    template_owner = "SCT-Engineering"
+    template       = null
+    template_owner = null
   }
 
   # Static EKS configuration for Karpenter bootstrap node group

examples/adsd-tools-dev/main.tf

@@ -19,15 +19,15 @@ module "eks_deployment" {
 
   # Cluster configuration - simplified interface
   cluster_config = {
-    account_name         = "adsd-tools-nonprod-gov"
-    aws_account_id       = "533109815932"
-    cluster_mailing_list = "adsd.enterprise.tools.support.branch.list@census.gov"
-    environment_abbr     = "prod"
+    account_name          = "adsd-tools-nonprod-gov"
+    aws_account_id        = "533109815932"
+    cluster_mailing_list  = "adsd.enterprise.tools.support.branch.list@census.gov"
+    environment_abbr      = "prod"
     finops_project_name   = "adsd_etdsb_tools_migration"
-    finops_project_number  = "fs0000000069"
-    finops_project_role    = "adsd_tools_mgrn_eks"
-    vpc_domain_name      = "dev.adsd.csp1.census.gov"
-    vpc_name             = "vpc3-inf-dev"
+    finops_project_number = "fs0000000069"
+    finops_project_role   = "adsd_tools_mgrn_eks"
+    vpc_domain_name       = "dev.adsd.csp1.census.gov"
+    vpc_name              = "vpc3-inf-dev"
     tags = {
       Owner       = "adsd.enterprise.tools.support.branch.list@census.gov"
       Environment = "development"

examples/basic/main.tf

@@ -16,15 +16,15 @@ module "eks_deployment" {
 
   # Cluster configuration - simplified interface
   cluster_config = {
-    account_name         = "ma6-gov"
-    aws_account_id       = "252960665057"
-    cluster_mailing_list = "adep.mojo.development.list@census.gov"
-    environment_abbr     = "dev"
+    account_name          = "ma6-gov"
+    aws_account_id        = "252960665057"
+    cluster_mailing_list  = "adep.mojo.development.list@census.gov"
+    environment_abbr      = "dev"
     finops_project_name   = "PPSI_DICE"
-    finops_project_number  = "fs0000000015"
-    finops_project_role    = "dice:dev:mojo"
-    vpc_domain_name      = "dev.dice.census.gov"
-    vpc_name             = "vpc2-dice-dev"
+    finops_project_number = "fs0000000015"
+    finops_project_role   = "dice:dev:mojo"
+    vpc_domain_name       = "dev.dice.census.gov"
+    vpc_name              = "vpc2-dice-dev"
     tags = {
       Owner       = "PETeam"
       Environment = "Development"

locals.tf

@@ -123,11 +123,11 @@ locals {
   managed_extra_files = concat([
     {
       path    = "_envcommon/default-versions.hcl"
-      content = templatefile("${path.module}/templates/default-versions.hcl", local.default_versions)
+      content = templatefile("${path.module}/templates/default-versions.hcl.tf.tpl", local.default_versions)
     },
     {
       path    = "_envcommon/common-variables.hcl"
-      content = templatefile("${path.module}/templates/common-variables.hcl", local.common_vars)
+      content = templatefile("${path.module}/templates/common-variables.hcl.tf.tpl", local.common_vars)
     }
     ],
   var.github_actions_workflows)

main.tf

@@ -73,6 +73,21 @@ locals {
   }
 }
 
+locals {
+  # Base path prefix for all eks-module files in the generated repo
+  eks_module_cluster_prefix = "${var.environment}/${var.region}/${var.cluster_config.vpc_name}/${var.name}"
+
+  # Auto-discover all files in templates/eks-modules/ and map them to their
+  # target paths in the generated repo. The naming convention converts
+  # "eks-karpenter.terragrunt.hcl" → "eks-karpenter/terragrunt.hcl" by
+  # splitting on the first dot.
+  eks_module_files = {
+    for fname in fileset("${path.module}/templates/eks-modules", "*") :
+    "${local.eks_module_cluster_prefix}/${join("/", regex("^([^.]+)\\.(.+)$", fname))}" =>
+    file("${path.module}/templates/eks-modules/${fname}")
+  }
+}
+
 module "github_repo" {
   source = "git::git@github.e.it.census.gov:CSVD/terraform-github-repo.git"
 
@@ -82,16 +97,16 @@ module "github_repo" {
   github_repo_topics      = ["eks", "kubernetes", "terraform", "infrastructure"]
   force_name              = var.force_name
 
-  template_repo_org = local.repository_defaults.template_owner
-  template_repo     = local.repository_defaults.template
+  template_repo_org = null
+  template_repo     = null
 
   github_is_private   = false
   github_has_issues   = true
   github_has_wiki     = true
   github_has_projects = true
 
   managed_extra_files = [
-    for path, content in local.rendered_files : {
+    for path, content in merge(local.rendered_files, local.eks_module_files) : {
       path    = path
       content = content
     }

templates/eks-modules/eks-arcgis.terragrunt.hcl

@@ -0,0 +1,86 @@
+include "root" {
+  path           = find_in_parent_folders("root.hcl")
+  merge_strategy = "deep"
+  expose         = true
+}
+
+locals {
+  # Skip this module if disabled
+  skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+  if                   = local.skip
+  actions              = ["all_except_output"]
+  exclude_dependencies = false
+}
+
+terraform {
+  source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-ersi-arcgis.git?ref=${include.root.inputs.release_version}"
+  extra_arguments "retry_lock" {
+    commands  = get_terraform_commands_that_need_locking()
+    arguments = ["-lock-timeout=20s"]
+  }
+}
+
+dependency "eks" {
+  config_path                             = "../eks"
+  mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+  mock_outputs = {
+    cluster_name = "mock-cluster"
+  }
+}
+
+dependency "eks_config" {
+  config_path                             = "../eks-config"
+  mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+  mock_outputs = {
+    rwo_storage_class = "gp3-mock"
+  }
+}
+
+dependency "eks_dns" {
+  config_path                             = "../eks-dns"
+  mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+  mock_outputs = {
+    cluster_domain = "mock.domain.example.com"
+  }
+}
+
+dependencies {
+  paths = [
+    "../eks",
+    "../eks-config",
+    "../eks-dns",
+    "../eks-kiali",
+  ]
+}
+
+inputs = {
+  # AWS Configuration
+  account_id = include.root.inputs.aws_account_id
+  profile    = include.root.inputs.aws_profile
+  region     = include.root.inputs.aws_region
+  eecr_info  = include.root.inputs.eecr_info
+
+  # Cluster Configuration
+  cluster_domain    = dependency.eks_dns.outputs.cluster_domain
+  cluster_name      = dependency.eks.outputs.cluster_name
+  namespace         = "arcgis"
+  rwo_storage_class = dependency.eks_config.outputs.rwo_storage_class
+
+  # Dockerhub Creds
+  dockerhub_username = ""
+  dockerhub_password = ""
+
+  # ArcGIS Config
+  ersi_image_tag                  = "11.4.0.6285"
+  arcgis_license_json             = ""
+  arcgis_admin_username           = "admin"
+  arcgis_admin_password           = "password"
+  arcgis_admin_email              = include.root.inputs.cluster_mailing_list
+  arcgis_admin_firstname          = "admin"
+  arcgis_admin_lastname           = "admin"
+  arcgis_security_question_index  = 1
+  arcgis_security_question_answer = "Las Vegas"
+}

templates/eks-modules/eks-cert-manager.terragrunt.hcl

@@ -0,0 +1,70 @@
+include "root" {
+  path           = find_in_parent_folders("root.hcl")
+  merge_strategy = "deep"
+  expose         = true
+}
+
+locals {
+  # Skip this module if disabled
+  skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+  if                   = local.skip
+  actions              = ["all_except_output"]
+  exclude_dependencies = false
+}
+
+terraform {
+  source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-cert-mgr.git?ref=${include.root.inputs.release_version}"
+
+  extra_arguments "retry_lock" {
+    commands  = get_terraform_commands_that_need_locking()
+    arguments = ["-lock-timeout=20s"]
+  }
+}
+
+dependencies {
+  paths = [
+    "../eks",
+    "../eks-config",
+    "../eks-karpenter",
+    "../eks-metrics-server",
+  ]
+}
+
+dependency "eks" {
+  config_path                             = "../eks"
+  mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+
+  mock_outputs = {
+    cluster_name      = include.root.inputs.cluster_name
+    oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+    cluster_endpoint  = "https://mock-endpoint.eks.amazonaws.com"
+    cluster_version   = include.root.inputs.cluster_version
+  }
+}
+
+inputs = {
+  # AWS Configuration
+  account_id = include.root.inputs.aws_account_id
+  profile    = include.root.inputs.aws_profile
+  region     = include.root.inputs.aws_region
+  eecr_info  = include.root.inputs.eecr_info
+
+  # Cluster Configuration
+  cluster_name         = dependency.eks.outputs.cluster_name
+  cluster_mailing_list = include.root.inputs.cluster_mailing_list
+  oidc_provider_arn    = dependency.eks.outputs.oidc_provider_arn
+
+  # Cert Manager Configuration
+  cert_manager_helm_chart = include.root.inputs.cert_manager_helm_chart
+  cluster_issuer_name     = include.root.inputs.cluster_issuer_name
+  namespace               = include.root.inputs.namespaces["cert-manager"]
+
+  # Version Tags
+  cert_manager_cainjector_tag      = include.root.inputs.cert_manager_cainjector_tag
+  cert_manager_controller_tag      = include.root.inputs.cert_manager_controller_tag
+  cert_manager_startupapicheck_tag = include.root.inputs.cert_manager_startupapicheck_tag
+  cert_manager_webhook_tag         = include.root.inputs.cert_manager_webhook_tag
+}

templates/eks-modules/eks-config.terragrunt.hcl

@@ -0,0 +1,65 @@
+include "root" {
+  path           = find_in_parent_folders("root.hcl")
+  merge_strategy = "deep"
+  expose         = true
+}
+
+locals {
+  # Skip this module if disabled
+  skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+  if                   = local.skip
+  actions              = ["all_except_output"]
+  exclude_dependencies = false
+}
+
+terraform {
+  source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks-configuration.git?ref=${include.root.inputs.release_version}"
+
+  extra_arguments "retry_lock" {
+    commands  = get_terraform_commands_that_need_locking()
+    arguments = ["-lock-timeout=20s"]
+  }
+}
+
+dependency "eks" {
+  config_path                             = "../eks"
+  mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+
+  mock_outputs = {
+    cluster_name                                    = "mock-cluster"
+    cluster_endpoint                                = "https://mock-endpoint.eks.amazonaws.com"
+    cluster_certificate_authority_data              = [{ data = "mock-cert-data" }]
+    eks_managed_node_groups_autoscaling_group_names = ["mock-asg-name"]
+    oidc_provider_arn                               = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+    security_group_all_worker_mgmt_id               = "sg-mock"
+    subnets                                         = ["subnet-mock1", "subnet-mock2"]
+    vpc_id                                          = "vpc-mock"
+  }
+}
+
+dependencies {
+  paths = [
+    "../eks",
+    "../eks-karpenter",
+  ]
+}
+
+inputs = {
+  # AWS Configuration
+  account_id = include.root.inputs.aws_account_id
+  profile    = include.root.inputs.aws_profile
+  region     = include.root.inputs.aws_region
+
+  # Core Cluster Configuration
+  cluster_name                                    = dependency.eks.outputs.cluster_name
+  eks_managed_node_groups_autoscaling_group_names = dependency.eks.outputs.eks_managed_node_groups_autoscaling_group_names
+  oidc_provider_arn                               = dependency.eks.outputs.oidc_provider_arn
+  security_group_all_worker_mgmt_id               = dependency.eks.outputs.security_group_all_worker_mgmt_id
+  subnets                                         = dependency.eks.outputs.subnets
+  vpc_id                                          = dependency.eks.outputs.vpc_id
+  operators_ns                                    = include.root.inputs.operator_namespace
+  telemetry_ns                                    = include.root.inputs.telemetry_namespace
+}