Update Workflow for existing clusters (#16)

* create new cluster to test

* update defaults to min/desired 2

* make csvd-dev-mcm cluster for testing

* add cluster for adsd-etdsb-tools-nonprod (#13)

* rename cluster in convo with customer (#14)

* Rename adsd tools (#15)

* rename cluster in convo with customer

* create cluster in csvd-common for testing

* update cluster workflow

* update environment_abbr based on account_name

* add .gitignore for new clusters

* update default-versions and common-variables gen

* rename to match

* fmt

* self ref doesn't work

* env fixed, add clusters folder

* update to track files in template-eks-cluster/

* fix(finops_codes) ensure passed in finops codes are used

* complete update workflow

* update version for otel-collector-k8s

* bump version of eks-dns and tempo

* complete update workflow, fix create workflow, open PRs on both

* remove cruft

* more tags

* update tags

* update tag handling and gen

* fix: replace local module path with CSVD GHE HTTPS source ref

* fix: point module source to CSVD/terraform-github-repo main (feat/files-branch-source-branch merged)

* refactor: replace template-eks-cluster remote sync with local templates/eks-modules

Remove the data.github_repository_file / data.github_tree approach that read
cluster-level terragrunt files from the template-eks-cluster repo at runtime.
All HCL templates are now managed locally in templates/eks-modules/ inside this
module repo, consistent with the ADR merged in #18.

Changes:
- Remove effective_template_enabled_modules and template_cluster_sync_files locals
- Remove data.github_repository_file.template_cluster_files data source
- Remove template_repo_name, template_repo_ref, template_cluster_file_paths variables
- Move effective_template_enabled_modules into the eks_module_files locals block
  and apply enablement filter directly to the fileset loop
- Update desired_managed_files_by_path to use local.eks_module_files
- Update template_enabled_modules variable description to reflect local template usage

---------

Co-authored-by: Dave Arnold <user@example.com>

.gitignore

@@ -32,3 +32,6 @@ terraform.rc
 # Ignore test temporary files
 *.tftest.hcl.tmp
 terraform_data_dirs
+
+# Ignore terragrunt cache and configuration files
+.terragrunt-cache/

README.md

@@ -1,129 +1,170 @@
 # terraform-eks-deployment
 
-Terraform module for EKS cluster repository bootstrapping and configuration
+Terraform module for bootstrapping and updating EKS cluster configuration repositories.
 
 ## Overview
 
-This module creates and configures a new GitHub repository for your EKS cluster based on the template-eks-cluster repository. It automatically generates all necessary Terragrunt HCL files (`root.hcl`, `account.hcl`, `region.hcl`, etc.) directly from your input variables, eliminating the need for manual configuration or separate Ansible playbooks.
+This module manages the GitHub repository that holds your cluster Terragrunt configuration. It renders core files such as `root.hcl`, `account.hcl`, `region.hcl`, `vpc.hcl`, `cluster.hcl`, and selected module `terragrunt.hcl` files from `template-eks-cluster`.
+
+It supports two workflows:
+
+- `create`: create a repository, commit generated files to `new/<cluster_name>`, and open a pull request into `main`
+- `update`: manage an existing repository, commit generated files to `update/<cluster_name>`, and open a pull request into `main`
 
 ## Features
 
-- **Fully Terraform-Native**: No Lambda functions, Ansible playbooks, or manual steps required
-- **Complete HCL Generation**: Automatically creates all necessary Terragrunt HCL files
-- **Team Management**: Configures repository permissions for your teams
-- **Customizable**: Extensive configuration options for cluster, account, and VPC settings
+- Fully Terraform-native workflow
+- New-repo and update-repo support
+- Automatic working branch creation
+- Automatic pull request creation into `main`
+- Rendered Terragrunt configuration from module inputs
+- Optional syncing of module-specific `terragrunt.hcl` files from `template-eks-cluster`
+- Team access management through the underlying GitHub repo module
 
 ## Prerequisites
 
-- GitHub token with repository and workflow permissions
-- Terraform 1.0.0 or newer
-- Access to GitHub Enterprise (if using enterprise version)
+- Terraform 1.x
+- GitHub token with repository and pull request permissions
+- Access to your GitHub Enterprise instance, if applicable
 
 ## Usage
 
-### Basic Example
+### Create a New Repository
 
 ```hcl
 module "eks_deployment" {
-  source = "github.com/HappyPathway/terraform-eks-deployment"
-
-  # Repository configuration
-  repository_name          = "eks-prod-cluster"
-  repository_template_owner = "HappyPathway"
-  repository_template      = "template-eks-cluster"
-  repository_teams         = {
-    "platform-team" = "admin",
-    "devops-team"   = "maintain",
-    "developers"    = "push"
-  }
-  
-  # Basic settings
-  organization       = "my-org"
-  environment        = "production"
-  region             = "us-gov-west-1"
-  github_server_url  = "https://github.e.it.census.gov"  # For GitHub Enterprise
-
-  # Account configuration
-  account_config = {
-    account_name     = "prod-account"
-    aws_account_id   = "123456789012"
-    environment_abbr = "prod"
-  }
+  source = "../../"
+
+  name            = "csvd-lab-mcm"
+  organization    = "SCT-Engineering"
+  repository_mode = "create"
+  environment     = "dev"
+  region          = "us-gov-east-1"
 
-  # VPC configuration
-  vpc_config = {
-    vpc_name        = "prod-vpc"
-    vpc_domain_name = "prod.example.com"
+  repository_teams = {
+    "platform-team" = "admin"
+    "developers"    = "push"
   }
 
-  # Cluster configuration
   cluster_config = {
-    cluster_name              = "prod-eks-01"
-    cluster_mailing_list      = "team@example.com"
-    eks_instance_disk_size    = 200
-    eks_ng_desired_size       = 5
-    eks_ng_max_size           = 10
-    eks_ng_min_size           = 3
-    organization              = "census:ocio:csvd"
-    finops_project_name       = "csvd_platformbaseline"
-    finops_project_number     = "fs0000000078"
-    finops_project_role       = "csvd_platformbaseline_app"
+    account_name          = "lab-dev-gov"
+    aws_account_id        = "224384469011"
+    environment_abbr      = "lab"
+    vpc_name              = "vpc3-lab-dev"
+    vpc_domain_name       = "dev.lab.csp2.census.gov"
+    cluster_mailing_list  = "matthew.c.morgan@census.gov"
+    finops_project_name   = "csvd_platformbaseline"
+    finops_project_number = "fs0000000078"
+    finops_project_role   = "csvd_platformbaseline_eks"
+    organization          = "census:ocio:csvd"
     tags = {
-      Owner       = "Platform Team",
-      Environment = "Production",
-      CostCenter  = "123-456"
-    }
-    module_enablement_overrides = {
-      cert_manager = true,
-      prometheus   = true,
-      grafana      = true,
-      istio        = true
+      Owner       = "matthew.c.morgan@census.gov"
+      Environment = "development"
+      CostCenter  = "fs0000000078"
     }
   }
+
+  template_enabled_modules = {
+    eks-gatekeeper = true
+    eks-grafana    = true
+    eks-kiali      = true
+    eks-loki       = true
+    eks-otel       = true
+    eks-prometheus = true
+    eks-tempo      = true
+  }
 }
+```
+
+### Update an Existing Repository
+
+```hcl
+module "eks_deployment" {
+  source = "../../"
 
-output "repository_url" {
-  value = module.eks_deployment.repository_url
+  name            = "csvd-lab-mcm"
+  organization    = "SCT-Engineering"
+  repository_mode = "update"
+  environment     = "dev"
+  region          = "us-gov-east-1"
+
+  cluster_config = {
+    account_name          = "lab-dev-gov"
+    aws_account_id        = "224384469011"
+    environment_abbr      = "lab"
+    vpc_name              = "vpc3-lab-dev"
+    vpc_domain_name       = "dev.lab.csp2.census.gov"
+    cluster_mailing_list  = "matthew.c.morgan@census.gov"
+    finops_project_name   = "csvd_platformbaseline"
+    finops_project_number = "fs0000000078"
+    finops_project_role   = "csvd_platformbaseline_eks"
+    organization          = "census:ocio:csvd"
+  }
+
+  template_enabled_modules = {
+    eks-gatekeeper = true
+    eks-grafana    = true
+    eks-kiali      = true
+    eks-loki       = true
+  }
 }
 ```
 
+### Template Module Selection
+
+`template_enabled_modules` controls which module-specific `terragrunt.hcl` files are synced from `template-eks-cluster`.
+
+These core cluster modules are always enabled and cannot be turned off:
+
+- `eks`
+- `eks-config`
+- `eks-karpenter`
+- `eks-istio`
+- `eks-dns`
+
+Any omitted key is treated as `false` for optional modules.
+
 ## Generated Files
 
-The module automatically generates the following files in your new repository:
+The module manages files such as:
 
-- `root.hcl`: Global Terragrunt configuration
-- `[environment]/account.hcl`: Account-specific variables
-- `[environment]/[region]/region.hcl`: Region-specific variables
-- `[environment]/[region]/vpc/vpc.hcl`: VPC-specific variables
-- `[environment]/[region]/vpc/[cluster_name]/cluster.hcl`: Cluster-specific variables
-- `README.md`: Usage instructions and documentation
+- `root.hcl`
+- `config.json`
+- `README.md`
+- `<environment>/account.hcl`
+- `<environment>/<region>/region.hcl`
+- `<environment>/<region>/vpc/vpc.hcl`
+- `<environment>/<region>/vpc/cluster/cluster.hcl`
+- `<environment>/<region>/vpc/cluster/<module>/terragrunt.hcl` for enabled template modules
+- `_envcommon/default-versions.hcl`
+- `_envcommon/common-variables.hcl`
+- `_envcommon/prefixes.hcl`
 
-These files are committed directly to your new repository and are ready for use with Terragrunt to deploy your EKS cluster.
+## Working Branch and PR Behavior
 
-## Module Configuration
+- `repository_mode = "create"` creates branch `new/<name>` and opens a PR to `main`
+- `repository_mode = "update"` creates branch `update/<name>` and opens a PR to `main`
+- For update mode, the working branch is created from the repository default branch unless `files_branch_source_branch` is provided
 
-### Required Variables
+## Key Inputs
 
-| Name | Description |
-|------|-------------|
-| `repository_name` | Name of the GitHub repository to create |
-| `organization` | GitHub organization name |
-| `environment` | Deployment environment (e.g., production, development) |
-| `region` | AWS region for the EKS cluster |
-| `account_config` | Map of account configuration values |
-| `vpc_config` | Map of VPC configuration values |
-| `cluster_config` | Map of cluster configuration values |
+### Required
 
-### Optional Variables
+- `name`
+- `environment`
+- `region`
+- `cluster_config`
 
-| Name | Description | Default |
-|------|-------------|---------|
-| `repository_template_owner` | Owner of the template repository | `"HappyPathway"` |
-| `repository_template` | Template repository name | `"template-eks-cluster"` |
-| `repository_teams` | Map of team names and permission levels | `{}` |
-| `github_server_url` | GitHub Enterprise server URL | `"https://api.github.com"` |
+### Common Optional Inputs
 
-For complete configuration options, see the variables.tf file.
+- `organization`
+- `repository_mode`
+- `repository_teams`
+- `template_enabled_modules`
+- `files_branch_source_branch`
+- `force_name`
+
+See [variables.tf](/apps/terraform/workspaces/morga471/terraform/terraform-eks-deployment/variables.tf) for the full input surface.
 
 ## Outputs
 
@@ -134,11 +175,9 @@ For complete configuration options, see the variables.tf file.
 
 ## How It Works
 
-1. The module calls the `terraform-github-repo` module to create a new repository based on your template.
-2. It uses Terraform's `templatefile()` function to render Terragrunt HCL files from templates.
-3. These rendered files are committed directly to the repository using the `github_repository_file` resource.
-4. Team permissions are configured using the `github_team_repository` resource.
-
-## Migrating from Previous Workflow
-
-This module replaces the previous Lambda/Ansible-based workflow with a purely Terraform-native approach. If you were previously using the template-automation-lambda to create repositories and then running an Ansible playbook to generate HCL files, you can now accomplish the entire process with just this module.
+1. The module computes whether it is in create or update mode.
+2. It renders repository files from Terraform templates and input variables.
+3. It creates or updates the target repository through `terraform-github-repo`.
+4. It creates a working branch (`new/<name>` or `update/<name>`).
+5. It commits the generated files to that branch.
+6. It opens a pull request from that branch into `main`.

clusters/adsd-tools-dev/main.tf

@@ -0,0 +1,48 @@
+provider "aws" {
+}
+
+data "aws_secretsmanager_secret_version" "github_token" {
+  secret_id = "/eks-cluster-deployment/github_token"
+}
+
+provider "github" {
+  token = data.aws_secretsmanager_secret_version.github_token.secret_string
+}
+
+module "eks_deployment" {
+  source = "../../"
+
+  # Repository and cluster configuration - single name for both
+  name        = "adsd-tools-dev"
+  environment = "prod"
+  region      = "us-gov-east-1"
+
+  # Cluster configuration - simplified interface
+  cluster_config = {
+    account_name          = "adsd-tools-nonprod-gov"
+    aws_account_id        = "533109815932"
+    cluster_mailing_list  = "adsd.enterprise.tools.support.branch.list@census.gov"
+    environment_abbr      = "prod"
+    finops_project_name   = "adsd_etdsb_tools_migration"
+    finops_project_number = "fs0000000069"
+    finops_project_role   = "adsd_tools_mgrn_eks"
+    vpc_domain_name       = "dev.adsd.csp1.census.gov"
+    vpc_name              = "vpc3-inf-dev"
+    tags = {
+      Owner       = "adsd.enterprise.tools.support.branch.list@census.gov"
+      Environment = "development"
+      CostCenter  = "census:ocio:adsd"
+    }
+    organization = "census:ocio:adsd"
+  }
+}
+
+output "repository_url" {
+  description = "URL of the created GitHub repository"
+  value       = module.eks_deployment.repository_url
+}
+
+output "ssh_clone_url" {
+  description = "SSH clone URL of the repository"
+  value       = module.eks_deployment.ssh_clone_url
+}