diff --git a/defaults.tf b/defaults.tf
index 5842ce5..64f0117 100644
--- a/defaults.tf
+++ b/defaults.tf
@@ -5,10 +5,11 @@ locals {
# Dynamic AWS profile generation
aws_profile = "${var.cluster_config.account_name}-${var.cluster_config.environment_abbr}"
- # Static template values (hidden from users)
+ # template_repo is null — all generated-repo content is managed via managed_extra_files.
+ # template-eks-cluster is a human reference only; it has no automation role.
repository_defaults = {
- template = "template-eks-cluster"
- template_owner = "SCT-Engineering"
+ template = null
+ template_owner = null
}
# Static EKS configuration for Karpenter bootstrap node group
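Review bot: With both fields set to `null` and main.tf now hard-coding `template_repo_org = null` / `template_repo = null` instead of reading `local.repository_defaults`, this local becomes dead code that a reader will still assume drives the `github_repo` module. Either delete the `repository_defaults` block (the two new comment lines already record the decision) or keep the main.tf lines as `template_repo_org = local.repository_defaults.template_owner` and `template_repo = local.repository_defaults.template` so a single place decides it. The same point applies to the second main.tf hunk in this commit. The enclosing `locals` block starts before this hunk.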
diff --git a/docs/adr/0001-generated-file-source-of-truth.md b/docs/adr/0001-generated-file-source-of-truth.md
new file mode 100644
index 0000000..5e35209
--- /dev/null
+++ b/docs/adr/0001-generated-file-source-of-truth.md
@@ -0,0 +1,134 @@
+# ADR 0001: All Generated Cluster Repository Files Must Be Versioned in terraform-eks-deployment
+
+**Date:** 2026-04-20
+**Status:** Proposed
+**Deciders:** arnol377, morga471
+
+---
+
+## Context
+
+The EKS Cluster Automation (ECA) system generates new EKS cluster repositories by running
+`terraform apply` inside a CodeBuild project (`eks-terragrunt-repo-creator`). The build
+checks out a pinned commit of `terraform-eks-deployment` (via `REPO_BRANCH` in `buildspec.yml`)
+and applies it, which calls `CSVD/terraform-github-repo` to create the GitHub repo and
+commit all generated files via `managed_extra_files`.
+
+The files written into a generated cluster repo fall into two categories:
+
+1. **Rendered config files** — `_envcommon/default-versions.hcl`, `_envcommon/common-variables.hcl`,
+ `account.hcl`, `region.hcl`, `vpc.hcl`, `cluster.hcl` — rendered from Go templates
+ (`*.tf.tpl`) committed inside `terraform-eks-deployment/templates/`.
+
+2. **Terragrunt module entrypoints** — `eks/terragrunt.hcl`, `eks-config/terragrunt.hcl`,
+ `eks-dns/terragrunt.hcl`, and all other `eks-*/terragrunt.hcl` files — one per
+ Terragrunt module in the cluster's run-all graph.
+
+Historically, the second category was provided by cloning `template-eks-cluster` as a
+GitHub repo template. The template contained placeholder directory paths
+(`environment/region/vpc/cluster/eks-*/`) that were supposed to be renamed to real computed
+paths after clone. That renaming was never implemented, producing broken repos with literal
+`environment/region/vpc/cluster` in all paths.
+
+PR #16 (`test_cluster` → `main`) correctly eliminates the GitHub template feature
+(`template_repo = null`) but proposes reading the `eks-*/terragrunt.hcl` files live from
+`template-eks-cluster:main` at Terraform plan time via `data.github_repository_file`.
+
+This ADR records the decision about where those files should live and why.
+
+---
+
+## Decision
+
+We will commit all `eks-*/terragrunt.hcl` template files directly into
+`terraform-eks-deployment/templates/eks-modules/` and write them into generated repos
+via `managed_extra_files`, alongside the existing rendered config files.
+
+The `template-eks-cluster` GitHub repo will no longer be used as a source of file content
+in the automation path. The GitHub template feature (`template_repo`) will remain `null`.
+
+---
+
+## Alternatives Considered
+
+### Option A: Read eks-module files live from `template-eks-cluster` at plan time (PR #16 approach)
+
+`data.github_repository_file` datasources fetch each `eks-*/terragrunt.hcl` from
+`template-eks-cluster:main` during `terraform plan`. They are passed into
+`managed_extra_files` alongside the rendered config files.
+
+**Rejected because:**
+
+- **Internal consistency cannot be guaranteed.** The rendered config files
+ (`_envcommon/default-versions.hcl`, `_envcommon/common-variables.hcl`) are generated
+ from templates in `terraform-eks-deployment`. The eks-module files are fetched live from
+ a separate repo at a different, independently-advancing ref. A change to
+ `eks-karpenter/terragrunt.hcl` in `template-eks-cluster` that references a new variable
+ not yet present in `default-versions.hcl` will flow into new repos silently, producing
+ files that are internally inconsistent and will fail when terragrunt is run.
+
+- **Partial updates are possible.** PR #16's drift-detection update mode only re-commits
+ files whose content changed. A template update that touches `eks-karpenter/terragrunt.hcl`
+ but not `default-versions.hcl` could produce a cluster repo where those two files are
+ at different effective versions.
+
+- **Plan-time API coupling increases fragility.** Every `terraform plan` makes one GitHub
+ API call per eks-module file (currently 14 calls). If the GHE endpoint is slow or the
+ token lacks access, the plan fails regardless of whether the user intends to touch those
+ files.
+
+- **`REPO_BRANCH` pinning is undermined.** CodeBuild pins `terraform-eks-deployment` to a
+ tested commit via `REPO_BRANCH`. This guarantees a known, reproducible set of Terraform
+ logic and defaults. Pulling supporting files from a separately-versioned repo at runtime
+ breaks that reproducibility guarantee — the effective artifact being applied is no longer
+ fully described by a single commit.
+
+### Option B: Keep `template-eks-cluster` as a GitHub repo template (previous approach)
+
+Use the GitHub template feature to seed new repos with `eks-*/terragrunt.hcl` files and
+then rename the placeholder paths via a post-apply script.
+
+**Rejected because:**
+
+- Placeholder paths (`environment/region/vpc/cluster/`) land in the generated repo and
+ cannot be easily renamed after the fact via standard Terraform resources.
+- Requires an out-of-band post-apply step (script or `null_resource`) that runs outside
+ Terraform's state model.
+- The template repo still diverges from `terraform-eks-deployment` over time (same
+ consistency problem as Option A).
+
+---
+
+## Consequences
+
+**Positive:**
+
+- A single commit of `terraform-eks-deployment` fully describes all files that will be
+ written into a generated cluster repo. Pinning `REPO_BRANCH` in `buildspec.yml` is
+ sufficient to produce a fully reproducible, internally consistent artifact.
+- When a new eks-module version or a new variable is added, a single PR to
+ `terraform-eks-deployment` updates both the `eks-*/terragrunt.hcl` template and the
+ corresponding `default-versions.hcl` template atomically. They cannot diverge.
+- No live API calls at plan time for file content. Plan performance and reliability are
+ not affected by the availability of `template-eks-cluster`.
+- The GitHub template feature (`template_repo`) is not used, removing a dependency on a
+ separately-maintained repo and on GitHub's template clone behavior.
+
+**Negative:**
+
+- `template-eks-cluster` and `terraform-eks-deployment/templates/eks-modules/` must be
+ kept manually in sync if humans use the template repo as a reference. Mitigation: add a
+ README to `template-eks-cluster` noting that it is no longer the automation source of
+ truth and pointing to `terraform-eks-deployment`.
+- Adding a new eks-module requires a PR to `terraform-eks-deployment` rather than just
+ adding a directory to `template-eks-cluster`. This is the desired behavior — changes
+ go through review — but is a minor workflow difference.
+
+**Neutral:**
+
+- `template-eks-cluster` can be archived or retained as a human-readable reference. It
+ is not deleted because it may still be useful for onboarding documentation.
+- The `data.github_repository_file` approach in PR #16 remains valid for a future
+ *update* workflow (deliberately syncing template changes into existing cluster repos),
+ as long as that workflow operates on the `templates/eks-modules/` copy in
+ `terraform-eks-deployment` rather than `template-eks-cluster:main`.
diff --git a/examples/adsd-tools-dev/main.tf b/examples/adsd-tools-dev/main.tf
index 1f072fc..be56914 100644
--- a/examples/adsd-tools-dev/main.tf
+++ b/examples/adsd-tools-dev/main.tf
@@ -19,15 +19,15 @@ module "eks_deployment" {
# Cluster configuration - simplified interface
cluster_config = {
- account_name = "adsd-tools-nonprod-gov"
- aws_account_id = "533109815932"
- cluster_mailing_list = "adsd.enterprise.tools.support.branch.list@census.gov"
- environment_abbr = "prod"
+ account_name = "adsd-tools-nonprod-gov"
+ aws_account_id = "533109815932"
+ cluster_mailing_list = "adsd.enterprise.tools.support.branch.list@census.gov"
+ environment_abbr = "prod"
finops_project_name = "adsd_etdsb_tools_migration"
- finops_project_number = "fs0000000069"
- finops_project_role = "adsd_tools_mgrn_eks"
- vpc_domain_name = "dev.adsd.csp1.census.gov"
- vpc_name = "vpc3-inf-dev"
+ finops_project_number = "fs0000000069"
+ finops_project_role = "adsd_tools_mgrn_eks"
+ vpc_domain_name = "dev.adsd.csp1.census.gov"
+ vpc_name = "vpc3-inf-dev"
tags = {
Owner = "adsd.enterprise.tools.support.branch.list@census.gov"
Environment = "development"
diff --git a/examples/basic/main.tf b/examples/basic/main.tf
index 4bef0dd..c6af14a 100644
--- a/examples/basic/main.tf
+++ b/examples/basic/main.tf
@@ -16,15 +16,15 @@ module "eks_deployment" {
# Cluster configuration - simplified interface
cluster_config = {
- account_name = "ma6-gov"
- aws_account_id = "252960665057"
- cluster_mailing_list = "adep.mojo.development.list@census.gov"
- environment_abbr = "dev"
+ account_name = "ma6-gov"
+ aws_account_id = "252960665057"
+ cluster_mailing_list = "adep.mojo.development.list@census.gov"
+ environment_abbr = "dev"
finops_project_name = "PPSI_DICE"
- finops_project_number = "fs0000000015"
- finops_project_role = "dice:dev:mojo"
- vpc_domain_name = "dev.dice.census.gov"
- vpc_name = "vpc2-dice-dev"
+ finops_project_number = "fs0000000015"
+ finops_project_role = "dice:dev:mojo"
+ vpc_domain_name = "dev.dice.census.gov"
+ vpc_name = "vpc2-dice-dev"
tags = {
Owner = "PETeam"
Environment = "Development"
diff --git a/locals.tf b/locals.tf
index fc17610..0798851 100644
--- a/locals.tf
+++ b/locals.tf
@@ -123,11 +123,11 @@ locals {
managed_extra_files = concat([
{
path = "_envcommon/default-versions.hcl"
- content = templatefile("${path.module}/templates/default-versions.hcl", local.default_versions)
+ content = templatefile("${path.module}/templates/default-versions.hcl.tf.tpl", local.default_versions)
},
{
path = "_envcommon/common-variables.hcl"
- content = templatefile("${path.module}/templates/common-variables.hcl", local.common_vars)
+ content = templatefile("${path.module}/templates/common-variables.hcl.tf.tpl", local.common_vars)
}
],
var.github_actions_workflows)
diff --git a/main.tf b/main.tf
index 2400cf3..0e4175d 100644
--- a/main.tf
+++ b/main.tf
@@ -73,6 +73,21 @@ locals {
}
}
+locals {
+ # Base path prefix for all eks-module files in the generated repo
+ eks_module_cluster_prefix = "${var.environment}/${var.region}/${var.cluster_config.vpc_name}/${var.name}"
+
+ # Auto-discover all files in templates/eks-modules/ and map them to their
+ # target paths in the generated repo. The naming convention converts
+ # "eks-karpenter.terragrunt.hcl" → "eks-karpenter/terragrunt.hcl" by
+ # splitting on the first dot.
+ eks_module_files = {
+ for fname in fileset("${path.module}/templates/eks-modules", "*") :
+ "${local.eks_module_cluster_prefix}/${join("/", regex("^([^.]+)\\.(.+)$", fname))}" =>
+ file("${path.module}/templates/eks-modules/${fname}")
+ }
+}
+
module "github_repo" {
source = "git::git@github.e.it.census.gov:CSVD/terraform-github-repo.git"
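Review bot: The `for` expression calls `regex("^([^.]+)\\.(.+)$", fname)` on every entry returned by `fileset(..., "*")`, and `regex` raises a plan-time error when the pattern does not match, so any dotless file dropped into `templates/eks-modules/` (a `README`, an editor backup) breaks every plan, while a file such as `README.md` would silently be written to `<prefix>/README/md` in the generated repo. Tighten the glob to the documented convention, `for fname in fileset("${path.module}/templates/eks-modules", "*.terragrunt.hcl") :`, so only intended module entrypoints are discovered, and extend the comment: `# Only *.terragrunt.hcl is picked up; anything else in this directory is ignored.` Note also that `file()` copies these verbatim — the comment calls them templates, but unlike the `.tf.tpl` files they get no `templatefile` interpolation, which is worth stating in the comment so nobody adds `${...}` placeholders to them.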
@@ -82,8 +97,8 @@ module "github_repo" {
github_repo_topics = ["eks", "kubernetes", "terraform", "infrastructure"]
force_name = var.force_name
- template_repo_org = local.repository_defaults.template_owner
- template_repo = local.repository_defaults.template
+ template_repo_org = null
+ template_repo = null
github_is_private = false
github_has_issues = true
@@ -91,7 +106,7 @@ module "github_repo" {
github_has_projects = true
managed_extra_files = [
- for path, content in local.rendered_files : {
+ for path, content in merge(local.rendered_files, local.eks_module_files) : {
path = path
content = content
}
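Review bot: `merge(local.rendered_files, local.eks_module_files)` lets a key in `eks_module_files` silently replace a same-path entry in `rendered_files`, so a misnamed template or a future rendered file placed under the cluster prefix would overwrite rendered content with no diagnostic. Both maps are known at plan time, so guarding the intersection is cheap — a `check` block (Terraform 1.5+) asserting `length(setintersection(keys(local.rendered_files), keys(local.eks_module_files))) == 0` — or at minimum a comment on this line: `# eks_module_files wins on key collision; the two path sets are expected to be disjoint.` `local.rendered_files` is defined outside this hunk, so I cannot confirm its key shape from here.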
diff --git a/templates/common-variables.hcl b/templates/common-variables.hcl.tf.tpl
similarity index 100%
rename from templates/common-variables.hcl
rename to templates/common-variables.hcl.tf.tpl
diff --git a/templates/default-versions.hcl b/templates/default-versions.hcl.tf.tpl
similarity index 100%
rename from templates/default-versions.hcl
rename to templates/default-versions.hcl.tf.tpl
diff --git a/templates/eks-modules/eks-arcgis.terragrunt.hcl b/templates/eks-modules/eks-arcgis.terragrunt.hcl
new file mode 100644
index 0000000..38cf455
--- /dev/null
+++ b/templates/eks-modules/eks-arcgis.terragrunt.hcl
@@ -0,0 +1,86 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-ersi-arcgis.git?ref=${include.root.inputs.release_version}"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = "mock-cluster"
+ }
+}
+
+dependency "eks_config" {
+ config_path = "../eks-config"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ rwo_storage_class = "gp3-mock"
+ }
+}
+
+dependency "eks_dns" {
+ config_path = "../eks-dns"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_domain = "mock.domain.example.com"
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-config",
+ "../eks-dns",
+ "../eks-kiali",
+ ]
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+ eecr_info = include.root.inputs.eecr_info
+
+ # Cluster Configuration
+ cluster_domain = dependency.eks_dns.outputs.cluster_domain
+ cluster_name = dependency.eks.outputs.cluster_name
+ namespace = "arcgis"
+ rwo_storage_class = dependency.eks_config.outputs.rwo_storage_class
+
+ # Dockerhub Creds
+ dockerhub_username = ""
+ dockerhub_password = ""
+
+ # ArcGIS Config
+ ersi_image_tag = "11.4.0.6285"
+ arcgis_license_json = ""
+ arcgis_admin_username = "admin"
+ arcgis_admin_password = "password"
+ arcgis_admin_email = include.root.inputs.cluster_mailing_list
+ arcgis_admin_firstname = "admin"
+ arcgis_admin_lastname = "admin"
+ arcgis_security_question_index = 1
+ arcgis_security_question_answer = "Las Vegas"
+}
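Review bot: The `inputs` block commits literal administrator credentials into every generated cluster repo — `arcgis_admin_password = "password"`, `arcgis_security_question_answer = "Las Vegas"`, plus empty `dockerhub_username`/`dockerhub_password`/`arcgis_license_json` — and because main.tf copies this file with `file()` rather than `templatefile()`, nothing substitutes them per cluster before the repo is created, so any cluster that later enables this module comes up with a guessable admin login unless someone remembers to edit the file. Source these from root inputs the way the other values in this block are, e.g. `arcgis_admin_password = include.root.inputs.arcgis_admin_password` (input name constructed), with the root value fed from a secrets backend rather than committed, and add above the block: `# Credentials are deliberately not set here; supply them via root inputs from a secrets backend.` At minimum drop the `arcgis_admin_password` and security-question literals so a misconfigured deployment fails instead of starting with a default password.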
diff --git a/templates/eks-modules/eks-cert-manager.terragrunt.hcl b/templates/eks-modules/eks-cert-manager.terragrunt.hcl
new file mode 100644
index 0000000..569a355
--- /dev/null
+++ b/templates/eks-modules/eks-cert-manager.terragrunt.hcl
@@ -0,0 +1,70 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-cert-mgr.git?ref=${include.root.inputs.release_version}"
+
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-config",
+ "../eks-karpenter",
+ "../eks-metrics-server",
+ ]
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+
+ mock_outputs = {
+ cluster_name = include.root.inputs.cluster_name
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ cluster_endpoint = "https://mock-endpoint.eks.amazonaws.com"
+ cluster_version = include.root.inputs.cluster_version
+ }
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+ eecr_info = include.root.inputs.eecr_info
+
+ # Cluster Configuration
+ cluster_name = dependency.eks.outputs.cluster_name
+ cluster_mailing_list = include.root.inputs.cluster_mailing_list
+ oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
+
+ # Cert Manager Configuration
+ cert_manager_helm_chart = include.root.inputs.cert_manager_helm_chart
+ cluster_issuer_name = include.root.inputs.cluster_issuer_name
+ namespace = include.root.inputs.namespaces["cert-manager"]
+
+ # Version Tags
+ cert_manager_cainjector_tag = include.root.inputs.cert_manager_cainjector_tag
+ cert_manager_controller_tag = include.root.inputs.cert_manager_controller_tag
+ cert_manager_startupapicheck_tag = include.root.inputs.cert_manager_startupapicheck_tag
+ cert_manager_webhook_tag = include.root.inputs.cert_manager_webhook_tag
+}
diff --git a/templates/eks-modules/eks-config.terragrunt.hcl b/templates/eks-modules/eks-config.terragrunt.hcl
new file mode 100644
index 0000000..5297ebb
--- /dev/null
+++ b/templates/eks-modules/eks-config.terragrunt.hcl
@@ -0,0 +1,65 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks-configuration.git?ref=${include.root.inputs.release_version}"
+
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+
+ mock_outputs = {
+ cluster_name = "mock-cluster"
+ cluster_endpoint = "https://mock-endpoint.eks.amazonaws.com"
+ cluster_certificate_authority_data = [{ data = "mock-cert-data" }]
+ eks_managed_node_groups_autoscaling_group_names = ["mock-asg-name"]
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ security_group_all_worker_mgmt_id = "sg-mock"
+ subnets = ["subnet-mock1", "subnet-mock2"]
+ vpc_id = "vpc-mock"
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-karpenter",
+ ]
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Core Cluster Configuration
+ cluster_name = dependency.eks.outputs.cluster_name
+ eks_managed_node_groups_autoscaling_group_names = dependency.eks.outputs.eks_managed_node_groups_autoscaling_group_names
+ oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
+ security_group_all_worker_mgmt_id = dependency.eks.outputs.security_group_all_worker_mgmt_id
+ subnets = dependency.eks.outputs.subnets
+ vpc_id = dependency.eks.outputs.vpc_id
+ operators_ns = include.root.inputs.operator_namespace
+ telemetry_ns = include.root.inputs.telemetry_namespace
+}
diff --git a/templates/eks-modules/eks-cribl.terragrunt.hcl b/templates/eks-modules/eks-cribl.terragrunt.hcl
new file mode 100644
index 0000000..d18b180
--- /dev/null
+++ b/templates/eks-modules/eks-cribl.terragrunt.hcl
@@ -0,0 +1,90 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-cribl.git?ref=${include.root.inputs.release_version}"
+
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+
+ mock_outputs = {
+ cluster_name = "mock-cluster"
+ cluster_endpoint = "https://mock-endpoint.eks.amazonaws.com"
+ cluster_certificate_authority_data = [{ data = "mock-cert-data" }]
+ eks_managed_node_groups_autoscaling_group_names = ["mock-asg-name"]
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ security_group_all_worker_mgmt_id = "sg-mock"
+ subnets = ["subnet-mock1", "subnet-mock2"]
+ vpc_id = "vpc-mock"
+ }
+}
+
+dependency "eks_config" {
+ config_path = "../eks-config"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ rwo_storage_class = "gp3-mock"
+ }
+}
+
+dependency "eks_dns" {
+ config_path = "../eks-dns"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_domain = "mock.example.com"
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-config",
+ "../eks-dns",
+ "../eks-gatekeeper",
+ ]
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Core Cluster Configuration
+ cluster_domain = dependency.eks_dns.outputs.cluster_domain
+ cluster_name = dependency.eks.outputs.cluster_name
+ eks_managed_node_groups_autoscaling_group_names = dependency.eks.outputs.eks_managed_node_groups_autoscaling_group_names
+ oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
+ operators_ns = include.root.inputs.operator_namespace
+ rwo_storage_class = dependency.eks_config.outputs.rwo_storage_class
+ security_group_all_worker_mgmt_id = dependency.eks.outputs.security_group_all_worker_mgmt_id
+ subnets = dependency.eks.outputs.subnets
+ telemetry_ns = include.root.inputs.telemetry_namespace
+ vpc_id = dependency.eks.outputs.vpc_id
+
+ # Cribl configs
+ cribl_tag = include.root.inputs.cribl_app_version
+ namespace = include.root.inputs.namespaces["cribl"]
+ service_name = "cribl-leader"
+}
diff --git a/templates/eks-modules/eks-dns.terragrunt.hcl b/templates/eks-modules/eks-dns.terragrunt.hcl
new file mode 100644
index 0000000..983ab4f
--- /dev/null
+++ b/templates/eks-modules/eks-dns.terragrunt.hcl
@@ -0,0 +1,71 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks-dns.git?ref=${include.root.inputs.release_version}"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = include.root.inputs.cluster_name
+ subnets = ["subnet-mock1", "subnet-mock2", "subnet-mock3"]
+ }
+}
+
+dependency "eks-istio" {
+ config_path = "../eks-istio"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ istio_ingress_lb = {
+ dns_name = "mock-${include.root.inputs.cluster_name}.elb.amazonaws.com"
+ zone_id = "MOCKZONEID"
+ }
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-istio",
+ ]
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_name = include.root.inputs.cluster_name
+ environment_abbr = include.root.inputs.environment_abbr
+
+ # Network Configuration
+ istio_ingress_lb = dependency.eks-istio.outputs.istio_ingress_lb
+ route53_endpoints = include.root.inputs.route53_endpoints
+ vpc_domain_name = include.root.inputs.vpc_domain_name
+ vpc_name = include.root.inputs.vpc_name
+
+ # Additional Configuration
+ tags = include.root.inputs.tags
+}
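Review bot: The dependency label `eks-istio` uses a hyphen while the other dependency labels in this commit (`eks_config`, `eks_dns`, `eks_keycloak`) use underscores; HCL accepts `-` in identifiers, but `dependency.eks-istio.outputs` reads like a subtraction at a glance and the mix recurs in eks-gatekeeper (`eks-grafana`, `eks-kiali`). Rename to `dependency "eks_istio"` and `istio_ingress_lb = dependency.eks_istio.outputs.istio_ingress_lb` for consistency across the set. Separately, the `eks` mock here sets `cluster_name = include.root.inputs.cluster_name` whereas eks-config and eks-cribl use a literal `"mock-cluster"`; settling on one convention makes mock drift easier to spot in review.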
diff --git a/templates/eks-modules/eks-gatekeeper.terragrunt.hcl b/templates/eks-modules/eks-gatekeeper.terragrunt.hcl
new file mode 100644
index 0000000..360a4c3
--- /dev/null
+++ b/templates/eks-modules/eks-gatekeeper.terragrunt.hcl
@@ -0,0 +1,119 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-gatekeeper.git?ref=${include.root.inputs.release_version}"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = "mock-cluster"
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ }
+}
+
+dependency "eks_dns" {
+ config_path = "../eks-dns"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_domain = "mock.example.com"
+ }
+}
+
+dependency "eks_keycloak" {
+ config_path = "../eks-keycloak"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ user_auth_realm = "mock.keycloak.example.com/auth"
+ client_id = "mock-client-id"
+ client_secret = "mock-client-secret"
+ namespace = "keycloak"
+ user_secret = "user-sso"
+ }
+}
+
+dependency "eks-grafana" {
+ config_path = "../eks-grafana"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ namespace = "telemetry"
+ internal_endpoint = {
+ hostname = "kubernetes-dashboard.telemetry.svc.cluster.local"
+ port_number = 80
+ url = "http://kubernetes-dashboard.telemetry.svc.cluster.local:80/"
+ }
+ }
+}
+
+dependency "eks-kiali" {
+ config_path = "../eks-kiali"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ namespace = "istio-system"
+ internal_endpoint = {
+ hostname = "kiali.telemetry.svc.cluster.local"
+ port_number = 80
+ url = "http://kiali.telemetry.svc.cluster.local:80/"
+ }
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-dns",
+ "../eks-keycloak",
+ "../eks-grafana",
+ "../eks-kiali",
+ ]
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ eecr_info = include.root.inputs.eecr_info
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_domain = dependency.eks_dns.outputs.cluster_domain
+ cluster_name = dependency.eks.outputs.cluster_name
+
+ # Gatekeeper Standard Config
+ gatekeeper_chart_version = include.root.inputs.gatekeeper_chart_version
+ gatekeeper_tag = include.root.inputs.gatekeeper_tag
+ keycloak_client_id = dependency.eks_keycloak.outputs.client_id
+ keycloak_client_secret = dependency.eks_keycloak.outputs.client_secret
+ keycloak_fqdn = dependency.eks_keycloak.outputs.user_auth_realm
+ user_secret = dependency.eks_keycloak.outputs.user_secret
+
+ # Grafana Gatekeeper Config
+ grafana_ns = dependency.eks-grafana.outputs.namespace
+ grafana_service_name = "grafana"
+ grafana_url = dependency.eks-grafana.outputs.internal_endpoint.url
+
+ # Kaili Gatekeeper Config
+ kiali_ns = dependency.eks-kiali.outputs.namespace
+ kiali_service_name = "kiali"
+ kiali_url = dependency.eks-kiali.outputs.internal_endpoint.url
+}
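Review bot: `keycloak_client_secret = dependency.eks_keycloak.outputs.client_secret` pulls a secret through a Terragrunt dependency output, which means the value is read from the keycloak module's state and then recorded as an input to this module; the pattern presumably predates this commit, but since the file now ships into every generated repo it deserves a comment, e.g. `# client_secret is read from eks-keycloak state; treat both state backends as sensitive and keep plan output out of logs.` Also, the section header `# Kaili Gatekeeper Config` should read `# Kiali Gatekeeper Config`.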
diff --git a/templates/eks-modules/eks-grafana.terragrunt.hcl b/templates/eks-modules/eks-grafana.terragrunt.hcl
new file mode 100644
index 0000000..07cc34d
--- /dev/null
+++ b/templates/eks-modules/eks-grafana.terragrunt.hcl
@@ -0,0 +1,110 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-grafana.git?ref=${include.root.inputs.release_version}"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = include.root.inputs.cluster_name
+ }
+}
+
+dependency "eks_dns" {
+ config_path = "../eks-dns"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_domain = "mock.domain.example.com"
+ }
+}
+
+dependency "eks_loki" {
+ config_path = "../eks-loki"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ rwo_storage_class = "gp3-mocked"
+ gateway_internal_endpoint = {
+ url = "mock.loki.enpoint.example.com"
+ }
+ }
+}
+
+dependency "eks_prometheus" {
+ config_path = "../eks-prometheus"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ prometheus_server_internal_endpoint = {
+ hostname = "prometheus.mock.svc.cluster.local"
+ port_number = "80"
+ url = "https://prometheus.mock.svc.cluster.local:80/"
+ }
+ }
+}
+
+dependency "eks_tempo" {
+ config_path = "../eks-tempo"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ rwo_storage_class = "gp3-mocked"
+ tempo_internal_endpoint = {
+ url = "mock.tempo.enpoint.example.com"
+ }
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-dns",
+ "../eks-loki",
+ "../eks-prometheus",
+ "../eks-tempo"
+ ]
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ eecr_info = include.root.inputs.eecr_info
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_name = dependency.eks.outputs.cluster_name
+ cluster_domain = dependency.eks_dns.outputs.cluster_domain
+
+ # Storage Configuration
+ rwo_storage_class = dependency.eks_loki.outputs.rwo_storage_class
+
+ # Grafana Configuration
+ grafana_operator_chart_version = include.root.inputs.grafana_operator_chart_version
+ grafana_operator_tag = include.root.inputs.grafana_operator_tag
+ grafana_tag = include.root.inputs.grafana_tag
+ namespace = include.root.inputs.namespaces["grafana"]
+ os_shell_image_tag = include.root.inputs.os_shell_image_tag
+ service_name = "grafana"
+ loki_endpoint = dependency.eks_loki.outputs.gateway_internal_endpoint.url
+ prometheus_endpoint = dependency.eks_prometheus.outputs.prometheus_server_internal_endpoint.url
+ tempo_endpoint = dependency.eks_tempo.outputs.tempo_internal_endpoint.url
+}
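Review bot: `rwo_storage_class = dependency.eks_loki.outputs.rwo_storage_class` takes the storage class from the loki module, whereas eks-arcgis and eks-cribl in this same commit take it from `dependency.eks_config`; if that is deliberate (grafana sharing whatever class loki selected), say so with `# Storage class is taken from eks-loki so grafana and loki use the same class`, and if not, it should read from `eks-config` like the others. Two smaller things in the mocks: `port_number = "80"` is a string here while the eks-gatekeeper mocks use the number `80`, and the hostnames `mock.loki.enpoint.example.com` / `mock.tempo.enpoint.example.com` misspell "endpoint"; neither is consumed by this module's inputs as far as the hunk shows, but they are cheap to fix while the file is new.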
diff --git a/templates/eks-modules/eks-istio.terragrunt.hcl b/templates/eks-modules/eks-istio.terragrunt.hcl
new file mode 100644
index 0000000..fadb1ae
--- /dev/null
+++ b/templates/eks-modules/eks-istio.terragrunt.hcl
@@ -0,0 +1,54 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-istio.git?ref=${include.root.inputs.release_version}"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks"
+ ]
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = include.root.inputs.cluster_name
+ }
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ eecr_info = include.root.inputs.eecr_info
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_name = dependency.eks.outputs.cluster_name
+
+ # Istio Configuration
+ namespace = include.root.inputs.namespaces["istio"]
+ istio_version = include.root.inputs.istio_version
+ istio_chart_version = include.root.inputs.istio_version
+}
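Review bot: `istio_chart_version = include.root.inputs.istio_version` reuses the application version as the chart version, while every other module in this change wires a separate `*_chart_version` root input; if the Istio charts are expected to track the Istio release that deserves a comment, e.g. `# istio charts are versioned with the istio release; no separate chart version input`, and if they are not, a dedicated `istio_chart_version` root input is needed. The mock `cluster_name = include.root.inputs.cluster_name` also differs from the literal `"mock-cluster"` used by the karpenter, keycloak and loki hunks; either convention works, but mixing them makes the mocks harder to audit.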
diff --git a/templates/eks-modules/eks-k8s-dashboard.terragrunt.hcl b/templates/eks-modules/eks-k8s-dashboard.terragrunt.hcl
new file mode 100644
index 0000000..9527e5f
--- /dev/null
+++ b/templates/eks-modules/eks-k8s-dashboard.terragrunt.hcl
@@ -0,0 +1,66 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-k8s-dashboard.git?ref=${include.root.inputs.release_version}"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-dns",
+ ]
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = include.root.inputs.cluster_name
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ }
+}
+
+dependency "eks_dns" {
+ config_path = "../eks-dns"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_domain = "mock.example.com"
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ }
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+ eecr_info = include.root.inputs.eecr_info
+
+ # Cluster Configuration
+ cluster_domain = dependency.eks_dns.outputs.cluster_domain
+ cluster_name = dependency.eks.outputs.cluster_name
+
+ # Dashboard Configuration
+ service_name = include.root.inputs.dashboard_hostname
+ k8s_dashboard_version = include.root.inputs.k8s_dashboard_version
+ namespace = include.root.inputs.namespaces["k8s-dashboard"]
+}
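Review bot: The `dependency "eks_dns"` mock carries `oidc_provider_arn`, which is an output of `eks` rather than `eks-dns` (the `eks_dns` mocks in the keycloak and kiali hunks hold only `cluster_domain`), and nothing in `inputs` reads it from either dependency; the stray key looks like a copy-paste and should be dropped so the mock mirrors the real output schema. If the dashboard module does need it, wire it from the `eks` dependency as the karpenter hunk does, `oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn`, rather than leaving an unused mock value that never exercises a real output.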
diff --git a/templates/eks-modules/eks-karpenter.terragrunt.hcl b/templates/eks-modules/eks-karpenter.terragrunt.hcl
new file mode 100644
index 0000000..fc8d924
--- /dev/null
+++ b/templates/eks-modules/eks-karpenter.terragrunt.hcl
@@ -0,0 +1,66 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-karpenter.git?ref=${include.root.inputs.release_version}"
+
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ ]
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = "mock-cluster"
+ cluster_endpoint = "https://mock-endpoint.eks.amazonaws.com"
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ node_group_name = "mock-node-group"
+ vpc_id = "vpc-mock"
+ subnets = ["subnet-mock1", "subnet-mock2"]
+ }
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+ eecr_info = include.root.inputs.eecr_info
+
+ # Cluster Configuration
+ cluster_endpoint = dependency.eks.outputs.cluster_endpoint
+ cluster_name = dependency.eks.outputs.cluster_name
+ oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
+ vpc_id = dependency.eks.outputs.vpc_id
+ subnets = dependency.eks.outputs.subnets
+
+ # Karpenter Configuration
+ karpenter_tag = include.root.inputs.karpenter_tag
+ karpenter_helm_chart = include.root.inputs.karpenter_helm_chart
+ karpenter_node_group_name = dependency.eks.outputs.node_group_name
+ namespace = include.root.inputs.namespaces["karpenter"]
+ create_spot_service_linked_role = false
+}
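Review bot: `create_spot_service_linked_role = false` is the one hard-coded, non-derived value in `inputs` and carries no explanation; since the Spot service-linked role is account-scoped, a comment such as `# false: the Spot service-linked role is account-wide and presumably already exists — confirm per target account` would tell the next reader why the module is told not to create it. The literal `"mock-cluster"` here versus `include.root.inputs.cluster_name` in the istio, dashboard and prometheus hunks is a minor consistency nit worth settling one way.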
diff --git a/templates/eks-modules/eks-keycloak.terragrunt.hcl b/templates/eks-modules/eks-keycloak.terragrunt.hcl
new file mode 100644
index 0000000..f17489e
--- /dev/null
+++ b/templates/eks-modules/eks-keycloak.terragrunt.hcl
@@ -0,0 +1,78 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-keycloak.git?ref=${include.root.inputs.release_version}"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = "mock-cluster"
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ }
+}
+
+dependency "eks_config" {
+ config_path = "../eks-config"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ rwo_storage_class = "gp3-mock"
+ }
+}
+
+dependency "eks_dns" {
+ config_path = "../eks-dns"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_domain = "mock.example.com"
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-config",
+ "../eks-dns",
+ "../eks-prometheus",
+ ]
+}
+
+inputs = {
+ cluster_domain = dependency.eks_dns.outputs.cluster_domain
+ cluster_name = dependency.eks.outputs.cluster_name
+ eecr_info = include.root.inputs.eecr_info
+ namespace = include.root.inputs.namespaces["keycloak"]
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # keycloak config
+ default_storage_class = dependency.eks_config.outputs.rwo_storage_class
+ keycloak_chart_version = include.root.inputs.keycloak_chart_version
+ keycloak_tag = include.root.inputs.keycloak_tag
+ realm_email = include.root.inputs.cluster_mailing_list
+ realm_name = "master"
+ service_name = "keycloak"
+ telemetry_namespace = include.root.inputs.telemetry_namespace
+ admin_email = include.root.inputs.cluster_mailing_list
+
+}
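Review bot: `realm_name = "master"` hands the module Keycloak's built-in administration realm; if tfmod-keycloak creates or configures the realm it is given, application clients and users end up alongside the admin accounts, which Keycloak's own guidance keeps in a separate realm. If that is deliberate, a comment such as `# master realm is admin-only by Keycloak convention; application realms are created separately` would document the choice, otherwise a dedicated realm name is the safer default. Separately, `dependencies.paths` lists `../eks-prometheus` with no matching `dependency` block and no comment on why the ordering is needed, and `account_id` is absent from `inputs` while every sibling module passes it — worth confirming the module does not need it.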
diff --git a/templates/eks-modules/eks-kiali.terragrunt.hcl b/templates/eks-modules/eks-kiali.terragrunt.hcl
new file mode 100644
index 0000000..9d6d3bf
--- /dev/null
+++ b/templates/eks-modules/eks-kiali.terragrunt.hcl
@@ -0,0 +1,131 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-kiali.git?ref=${include.root.inputs.release_version}"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = "mock-cluster"
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ }
+}
+
+dependency "eks_config" {
+ config_path = "../eks-config"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ rwo_storage_class = "gp3-mock"
+ }
+}
+
+dependency "eks_dns" {
+ config_path = "../eks-dns"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_domain = "mock.example.com"
+ }
+}
+
+dependency "eks_grafana" {
+ config_path = "../eks-grafana"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ internal_endpoint = {
+ hostname = "grafana.mock.svc.cluster.local"
+ port_number = "80"
+ url = "https://grafana.mock.svc.cluster.local:80/"
+ }
+ namespace = "grafana"
+ secret_name = "grafana"
+ tempo_datasource_id = "mock-tempo-datasource-id"
+ }
+}
+
+dependency "eks_prometheus" {
+ config_path = "../eks-prometheus"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ prometheus_server_internal_endpoint = {
+ hostname = "prometheus.mock.svc.cluster.local"
+ port_number = "80"
+ url = "https://prometheus.mock.svc.cluster.local:80/"
+ }
+ }
+}
+
+dependency "eks_tempo" {
+ config_path = "../eks-tempo"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ tempo_internal_endpoint = {
+ hostname = "tempo.mock.svc.cluster.local"
+ port_number = "80"
+ url = "https://tempo.mock.svc.cluster.local:80/"
+ }
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-config",
+ "../eks-grafana",
+ "../eks-istio",
+ "../eks-prometheus",
+ "../eks-tempo",
+ ]
+}
+
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ eecr_info = include.root.inputs.eecr_info
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_domain = dependency.eks_dns.outputs.cluster_domain
+ cluster_name = dependency.eks.outputs.cluster_name
+ certificate_issuer = include.root.inputs.cluster_issuer_name
+
+ # Kiali Configuration
+ service_name = "kiali"
+ namespace = include.root.inputs.namespaces["kiali"]
+ istio_namespace = include.root.inputs.namespaces["istio"]
+ grafana_internal_url = dependency.eks_grafana.outputs.internal_endpoint.url
+ grafana_namespace = dependency.eks_grafana.outputs.namespace
+ grafana_secret_name = dependency.eks_grafana.outputs.secret_name
+
+ kiali_application_version = include.root.inputs.kiali_application_version
+ kiali_operator_version = include.root.inputs.kiali_operator_version
+
+ prometheus_internal_url = dependency.eks_prometheus.outputs.prometheus_server_internal_endpoint.url
+ grafana_namespace = dependency.eks_grafana.outputs.namespace
+ grafana_secret_name = dependency.eks_grafana.outputs.secret_name
+ grafana_internal_url = dependency.eks_grafana.outputs.internal_endpoint.url
+ tempo_datasource_id = dependency.eks_grafana.outputs.tempo_datasource_id
+ tempo_internal_url = dependency.eks_tempo.outputs.tempo_internal_endpoint.url
+}
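Review bot: `inputs` assigns `grafana_namespace`, `grafana_secret_name` and `grafana_internal_url` twice (once under `# Kiali Configuration`, again after `prometheus_internal_url`); HCL object constructors may reject duplicate keys, and at best the repeat is dead text, so the second trio should be removed. `dependency "eks_config"` is declared with a `rwo_storage_class` mock that no input consumes, and `../eks-istio` sits in `dependencies.paths` without a `dependency` block, so the declared mocks and ordering do not match what `inputs` actually wires.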
diff --git a/templates/eks-modules/eks-loki.terragrunt.hcl b/templates/eks-modules/eks-loki.terragrunt.hcl
new file mode 100644
index 0000000..724d853
--- /dev/null
+++ b/templates/eks-modules/eks-loki.terragrunt.hcl
@@ -0,0 +1,66 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-loki.git?ref=${include.root.inputs.release_version}"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = "mock-cluster"
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ }
+}
+
+dependency "eks_config" {
+ config_path = "../eks-config"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ rwo_storage_class = "gp3-mock"
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-config",
+ ]
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ eecr_info = include.root.inputs.eecr_info
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_name = dependency.eks.outputs.cluster_name
+ oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
+
+ # Loki Configuration
+ loki_chart_version = include.root.inputs.loki_chart_version
+ loki_tag = include.root.inputs.loki_tag
+ namespace = include.root.inputs.namespaces["loki"]
+ rwo_storage_class = dependency.eks_config.outputs.rwo_storage_class
+}
diff --git a/templates/eks-modules/eks-metrics-server.terragrunt.hcl b/templates/eks-modules/eks-metrics-server.terragrunt.hcl
new file mode 100644
index 0000000..241bbc5
--- /dev/null
+++ b/templates/eks-modules/eks-metrics-server.terragrunt.hcl
@@ -0,0 +1,54 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-metrics-server.git?ref=${include.root.inputs.release_version}"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = "mock-cluster"
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ ]
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ eecr_info = include.root.inputs.eecr_info
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_name = dependency.eks.outputs.cluster_name
+
+ # Metrics Server Configuration
+ metrics_server_helm_chart = include.root.inputs.metrics_server_helm_chart
+ metrics_server_tag = include.root.inputs.metrics_server_tag
+ namespace = include.root.inputs.namespaces["metrics-server"]
+}
diff --git a/templates/eks-modules/eks-otel.terragrunt.hcl b/templates/eks-modules/eks-otel.terragrunt.hcl
new file mode 100644
index 0000000..a8a7d7c
--- /dev/null
+++ b/templates/eks-modules/eks-otel.terragrunt.hcl
@@ -0,0 +1,85 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-open-telemetry.git?ref=${include.root.inputs.release_version}"
+ # source = "../../../../../../../tfmod-open-telemetry"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs = {
+ cluster_name = "a-cluster-name"
+ }
+}
+
+dependency "eks-loki" {
+ config_path = "../eks-loki"
+ mock_outputs = {
+ gateway_internal_endpoint = {
+ hostname = "loki-gateway.mock.svc.cluster.local"
+ portNumber = 3210
+ url = "http://loki-gateway.mock.svc.cluster.local:3210/"
+ }
+ }
+}
+
+dependency "eks-tempo" {
+ config_path = "../eks-tempo"
+ mock_outputs = {
+ tempo_otlp_endpoint = {
+ hostname = "tempo.mock.svc.cluster.local"
+ portNumber = 1234
+ url = "http://tempo.mock.svc.cluster.local:1234/"
+ }
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-loki",
+ "../eks-prometheus",
+ "../eks-tempo"
+ ]
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ eecr_info = include.root.inputs.eecr_info
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Clouster Config
+ cluster_name = dependency.eks.outputs.cluster_name
+
+ # OTEL Configuration
+ namespace = include.root.inputs.namespaces["otel"]
+ loki_endpoint = dependency.eks-loki.outputs.gateway_internal_endpoint.url
+ tempo_endpoint = dependency.eks-tempo.outputs.tempo_otlp_endpoint.url
+ # Image Version
+ auto_instrumentation_java_version = include.root.inputs.auto_instrumentation_java_version
+ collector_contrib_version = include.root.inputs.collector_contrib_version
+ collector_version = include.root.inputs.collector_version
+ otel_helm_version = include.root.inputs.otel_helm_version
+ rbac_proxy_version = include.root.inputs.rbac_proxy_version
+}
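Review bot: The `dependency "eks"`, `"eks-loki"` and `"eks-tempo"` blocks omit `mock_outputs_allowed_terraform_commands`, unlike every other module in this change, so mock values such as `http://loki-gateway.mock.svc.cluster.local:3210/` can be substituted during `apply` when the upstream outputs are unavailable instead of failing fast; add `mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]` to each. The hyphenated dependency names (`eks-loki`, `eks-tempo`) break the `eks_loki`/`eks_tempo` convention used elsewhere, the `portNumber` mock key differs from the `port_number` the grafana and kiali mocks use, and the commented-out local `source` inside `terraform` plus the `# Clouster Config` typo look like leftovers. `../eks-prometheus` is also listed in `dependencies.paths` with no `dependency` block or comment explaining the ordering.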
diff --git a/templates/eks-modules/eks-pipeline.terragrunt.hcl b/templates/eks-modules/eks-pipeline.terragrunt.hcl
new file mode 100644
index 0000000..8d705a7
--- /dev/null
+++ b/templates/eks-modules/eks-pipeline.terragrunt.hcl
@@ -0,0 +1,100 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled OR if running in CodeBuild (to avoid circular dependency)
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true) || get_env("CODEBUILD_BUILD_ID", "") != ""
+
+ artifact_bucket = format("%v%v-%v-%v-%v",
+ include.root.inputs.prefixes["eks-s3"],
+ include.root.inputs.cluster_name,
+ "artifacts",
+ include.root.inputs.aws_account_id,
+ join("", [for c in split("-", include.root.inputs.aws_region) : substr(c, 0, 1)]))
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-pipeline.git?ref=${include.root.inputs.release_version}"
+
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+inputs = {
+ account_id = include.root.inputs.aws_account_id
+ cluster_name = include.root.inputs.cluster_name
+ environment = include.root.inputs.environment_abbr
+ region = include.root.inputs.aws_region
+ state_bucket_prefix = include.root.inputs.state_bucket_prefix
+
+ # VPC Configuration
+ vpc_name = include.root.inputs.vpc_name
+ subnet_filter = "*-container-*" # or any specific pattern you want to use
+
+ is_infrastructure_pipeline = true
+
+ # Updated to use buildspecs from the platform-tg-infra repository
+ # made deploy-to-pipeline will update them from tfmod-pipeline module
+ buildspec_template_path = "buildspecs"
+
+ build_configuration = {
+ compute_type = "BUILD_GENERAL1_LARGE"
+ image = "aws/codebuild/amazonlinux-x86_64-standard:5.0"
+ buildspec_path = "build.yml"
+ privileged_mode = true
+ environment_variables = {
+ ARTIFACT_BUCKET = local.artifact_bucket
+ TERRAGRUNT_PATH = "lab/${include.root.inputs.environment}/${include.root.inputs.aws_region}/vpc/${include.root.inputs.cluster_name}"
+ REGION = include.root.inputs.aws_region
+ ENVIRONMENT = include.root.inputs.environment_abbr
+ AWS_ACCOUNT_ID = include.root.inputs.aws_account_id
+ PROXY_CONFIG = "http://vlab-proxy.tco.census.gov:3128"
+ }
+ }
+
+ security_scan_configuration = {
+ compute_type = "BUILD_GENERAL1_MEDIUM"
+ image = "aws/codebuild/amazonlinux-x86_64-standard:5.0"
+ buildspec_path = "security.yml"
+ environment_variables = {
+ ARTIFACT_BUCKET = local.artifact_bucket
+ TERRAGRUNT_PATH = "lab/${include.root.inputs.environment}/${include.root.inputs.aws_region}/vpc/${include.root.inputs.cluster_name}"
+ REGION = include.root.inputs.aws_region
+ ENVIRONMENT = include.root.inputs.environment_abbr
+ AWS_ACCOUNT_ID = include.root.inputs.aws_account_id
+ PROXY_CONFIG = "http://vlab-proxy.tco.census.gov:3128"
+ }
+ }
+
+ approval_configuration = {
+ enabled = true
+ notify_emails = [include.root.inputs.cluster_mailing_list]
+ custom_message = "Please review and approve infrastructure changes to the CSVD platform"
+ }
+
+ deployment_configuration = {
+ target_type = "Build"
+ compute_type = "BUILD_GENERAL1_MEDIUM"
+ image = "aws/codebuild/amazonlinux-x86_64-standard:5.0"
+ buildspec_path = "deploy.yml"
+ environment_variables = {
+ ARTIFACT_BUCKET = local.artifact_bucket
+ TERRAGRUNT_PATH = "lab/${include.root.inputs.environment}/${include.root.inputs.aws_region}/vpc/${include.root.inputs.cluster_name}"
+ REGION = include.root.inputs.aws_region
+ ENVIRONMENT = include.root.inputs.environment_abbr
+ AWS_ACCOUNT_ID = include.root.inputs.aws_account_id
+ PROXY_CONFIG = "http://vlab-proxy.tco.census.gov:3128"
+ }
+ }
+}
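Review bot: `build_configuration` sets `privileged_mode = true` with no comment saying what the build stage needs a privileged container for; privileged CodeBuild containers can reach the host Docker daemon, so if `build.yml` does not build container images the flag should go, and if it does, a comment such as `# privileged: build.yml builds container images` should justify it. The three `environment_variables` maps under `build_configuration`, `security_scan_configuration` and `deployment_configuration` are byte-identical, including the hard-coded `lab/` prefix in `TERRAGRUNT_PATH` and the literal proxy URL, so an edit to one is likely to miss the others; hoisting them into a local keeps them in sync (sketch below). The `lab/` prefix and the proxy host also look environment-specific for a template rendered for every cluster — worth confirming they should not come from `include.root.inputs`.
```hcl
locals {
  # … unchanged: skip, artifact_bucket …

  # Shared by all three CodeBuild stages so they cannot drift apart.
  pipeline_env = {
    ARTIFACT_BUCKET = local.artifact_bucket
    TERRAGRUNT_PATH = "lab/${include.root.inputs.environment}/${include.root.inputs.aws_region}/vpc/${include.root.inputs.cluster_name}"
    REGION          = include.root.inputs.aws_region
    ENVIRONMENT     = include.root.inputs.environment_abbr
    AWS_ACCOUNT_ID  = include.root.inputs.aws_account_id
    PROXY_CONFIG    = "http://vlab-proxy.tco.census.gov:3128"
  }
}

# … unchanged: exclude, terraform …

inputs = {
  # … unchanged: account_id … buildspec_template_path …
  build_configuration = {
    # … unchanged: compute_type, image, buildspec_path, privileged_mode …
    environment_variables = local.pipeline_env
  }
  # … unchanged: security_scan_configuration and deployment_configuration use local.pipeline_env the same way …
}
```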
diff --git a/templates/eks-modules/eks-prometheus.README.md b/templates/eks-modules/eks-prometheus.README.md
new file mode 100644
index 0000000..bbbffb2
--- /dev/null
+++ b/templates/eks-modules/eks-prometheus.README.md
@@ -0,0 +1,198 @@
+## eks-prometheus
+This module deploys EKS kubeenetes prometheus inside existing EKS cluster. Prometheus is an open-source systems monitoring and alerting tool.
+This module consisits of 4 components. It creates prometheus namespace and copies image repositories for the following components from quay.io into local account ECR repository. It deploys these components using helm charts using the configured ECR repositories.
+ 1. prometheus-alert-manager
+ 2. prometheus-node-exporter
+ 3. prometheus-pushgateway
+ 4. prometheus-server
+
+### Dependencies
+This module is dependent on EKS module (eks). The cluster should exist already for this module to work.
+
+### Inputs
+ cluster_name
+ profile
+ prometheus_chart_version
+ prometheus_server_tag
+ prometheus_config_reloader_tag
+ alertmanager_tag
+ kube_state_metrics_tag
+ node_exporter_tag
+ pushgateway_tag
+ rwo_storage_class
+
+### Outputs
+ alertmanager_internal_endpoint
+ alertmanager_headless_internal_endpoint
+ pushgateway_internal_endpoint
+ prometheus_server_internal_endpoint
+
+### Issues observed/fixed
+1. The rwo_storage_class value had to be updated from "gp3" to "gp3-encrypted"
+2. The node_exporter_tag value had to be updated from "1.6.1" to "v1.8.1"
+3. The kube_state_metrics_tag value had to be updated from "2.10.0" to "v2.6.0"
+4. The alertmanager_tag value had to be updated from
+5. The helm chart set config for the ecr image had to be split into 2 components, one for registry and other for repository as an example mentioned below:
+
+ ```
+ set {
+ name = "kube-state-metrics.image.registry"
+ value = module.images.images[local.ksm_key].dest_registry
+ }
+ set {
+ name = "kube-state-metrics.image.repository"
+ value = module.images.images[local.ksm_key].dest_repository
+ }
+ ```
+
+6. In some other cases the image ecr repository had to be split by the colon separatory (:)
+
+ ```
+ set {
+ name = "alertmanager.configmapReload.image.repository"
+ value = split(":", module.images.images[local.prom_config_reload_key].dest_full_path)[0]
+ }
+ ```
+
+### Chart Notes
+ 1. Get the application URL by running these commands:
+
+ ```bash
+ export POD_NAME=$(kubectl get pods --namespace prometheus -l "app.kubernetes.io/name=prometheus-pushgateway,app.kubernetes.io/instance=prometheus" -o jsonpath="{.items[0].metadata.name}")
+ kubectl port-forward $POD_NAME 9091
+ echo "Visit http://127.0.0.1:9091 to use your application"
+ ```
+
+ The Prometheus server can be accessed via port 80 on the following DNS name from within your cluster:
+ prometheus-server.prometheus.svc.cluster.local
+
+
+ Get the Prometheus server URL by running these commands in the same shell:
+
+ ```bash
+ export POD_NAME=$(kubectl get pods --namespace prometheus -l "app.kubernetes.io/name=prometheus,app.kubernetes.io/instance=prometheus" -o jsonpath="{.items[0].metadata.name}")
+ kubectl --namespace prometheus port-forward $POD_NAME 9090
+ ```
+
+ The Prometheus alertmanager can be accessed via port 9093 on the following DNS name from within your cluster:
+ `prometheus-alertmanager.prometheus.svc.cluster.local`
+
+
+ Get the Alertmanager URL by running these commands in the same shell:
+
+ ```bash
+ export POD_NAME=$(kubectl get pods --namespace prometheus -l "app.kubernetes.io/name=alertmanager,app.kubernetes.io/instance=prometheus" -o jsonpath="{.items[0].metadata.name}")
+ kubectl --namespace prometheus port-forward $POD_NAME 9093
+ ```
+
+ #################################################################################
+ ###### WARNING: Pod Security Policy has been disabled by default since #####
+ ###### it deprecated after k8s 1.25+. use #####
+ ###### (index .Values "prometheus-node-exporter" "rbac" #####
+ ###### "pspEnabled") with (index .Values #####
+ ###### "prometheus-node-exporter" "rbac" "pspAnnotations") #####
+ ###### in case you still need it. #####
+ #################################################################################
+
+
+ The Prometheus PushGateway can be accessed via port 9091 on the following DNS name from within your cluster:
+ `prometheus-prometheus-pushgateway.prometheus.svc.cluster.local`
+
+
+ Get the PushGateway URL by running these commands in the same shell:
+
+ ```bash
+ export POD_NAME=$(kubectl get pods --namespace prometheus -l "app=prometheus-pushgateway,component=pushgateway" -o jsonpath="{.items[0].metadata.name}")
+ kubectl --namespace prometheus port-forward $POD_NAME 9091
+ ```
+
+ For more information on running Prometheus, visit:
+ https://prometheus.io/
+
+ kube-state-metrics is a simple service that listens to the Kubernetes API server and generates metrics about the state of the objects.
+ The exposed metrics can be found here:
+ https://github.com/kubernetes/kube-state-metrics/blob/master/docs/README.md#exposed-metrics
+
+ The metrics are exported on the HTTP endpoint /metrics on the listening port.
+ In your case, `prometheus-kube-state-metrics.prometheus.svc.cluster.local:8080/metrics`
+
+ They are served either as plaintext or protobuf depending on the Accept header.
+ They are designed to be consumed either by Prometheus itself or by a scraper that is compatible with scraping a Prometheus client endpoint.
+
+ 1. Get the application URL by running these commands:
+
+ ```bash
+ export POD_NAME=$(kubectl get pods --namespace prometheus -l "app.kubernetes.io/name=alertmanager,app.kubernetes.io/instance=prometheus" -o jsonpath="{.items[0].metadata.name}")
+ echo "Visit http://127.0.0.1:9093 to use your application"
+ kubectl --namespace prometheus port-forward $POD_NAME 9093:80
+ ```
+
+ 1. Get the application URL by running these commands:
+
+ ```bash
+ export POD_NAME=$(kubectl get pods --namespace prometheus -l "app.kubernetes.io/name=prometheus-node-exporter,app.kubernetes.io/instance=prometheus" -o jsonpath="{.items[0].metadata.name}")
+ echo "Visit http://127.0.0.1:9100 to use your application"
+ kubectl port-forward --namespace prometheus $POD_NAME 9100
+ ```
+
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 0.13 |
+| [aws](#requirement\_aws) | >= 5.14.0 |
+| [helm](#requirement\_helm) | >= 2.11.0 |
+| [kubernetes](#requirement\_kubernetes) | >= 2.23.0 |
+| [null](#requirement\_null) | >= 3.2.1 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [helm](#provider\_helm) | >= 2.11.0 |
+| [kubernetes](#provider\_kubernetes) | >= 2.23.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [images](#module\_images) | git@github.e.it.census.gov:terraform-modules/aws-ecr-copy-images.git/ | tf-upgrade |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [helm_release.prometheus](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [kubernetes_namespace.ns](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [kubernetes_namespace.existing-ns](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/data-sources/namespace) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [alertmanager\_tag](#input\_alertmanager\_tag) | The image tag of the alertmanager image. | `string` | `"v0.27.0"` | no |
+| [cluster\_name](#input\_cluster\_name) | The name of the cluster into which prometheus will be installed. | `string` | n/a | yes |
+| [create\_namespace](#input\_create\_namespace) | Indicates whether the `namespace` needs to be created ('true') or already exists (not `true`) | `bool` | `true` | no |
+| [kube\_state\_metrics\_tag](#input\_kube\_state\_metrics\_tag) | The image tag of the kube-state-metrics image. | `string` | `"v2.13.0"` | no |
+| [namespace](#input\_namespace) | The namespace to install the prometheus components. Defaults to 'prometheus' | `string` | `"prometheus"` | no |
+| [node\_exporter\_tag](#input\_node\_exporter\_tag) | The image tag of the node-exporter image. | `string` | `"v1.8.2"` | no |
+| [profile](#input\_profile) | AWS\_PROFILE to use to apply the terraform script. | `string` | `""` | no |
+| [prometheus\_chart\_version](#input\_prometheus\_chart\_version) | The version of prometheus to install into the cluster. | `string` | `"25.24.1"` | no |
+| [prometheus\_config\_reloader\_tag](#input\_prometheus\_config\_reloader\_tag) | The image tag of the prometheus-config-reloader image. | `string` | `"v0.75.1"` | no |
+| [prometheus\_server\_tag](#input\_prometheus\_server\_tag) | The image tag of prometheus server to install into the cluster. | `string` | `"v2.53.1"` | no |
+| [pushgateway\_tag](#input\_pushgateway\_tag) | The image tag of the pushgateway image. | `string` | `"v1.9.0"` | no |
+| [rwo\_storage\_class](#input\_rwo\_storage\_class) | Specify the storage class for read/write/once persistent volumes. | `string` | `"gp3-encrypted"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [alertmanager\_headless\_internal\_endpoint](#output\_alertmanager\_headless\_internal\_endpoint) | n/a |
+| [alertmanager\_internal\_endpoint](#output\_alertmanager\_internal\_endpoint) | n/a |
+| [module\_name](#output\_module\_name) | The name of this module. |
+| [module\_version](#output\_module\_version) | The version of this module. |
+| [prometheus\_namespace](#output\_prometheus\_namespace) | n/a |
+| [prometheus\_server\_internal\_endpoint](#output\_prometheus\_server\_internal\_endpoint) | n/a |
+| [pushgateway\_internal\_endpoint](#output\_pushgateway\_internal\_endpoint) | n/a |
+
diff --git a/templates/eks-modules/eks-prometheus.terragrunt.hcl b/templates/eks-modules/eks-prometheus.terragrunt.hcl
new file mode 100644
index 0000000..f968797
--- /dev/null
+++ b/templates/eks-modules/eks-prometheus.terragrunt.hcl
@@ -0,0 +1,70 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-prometheus.git?ref=${include.root.inputs.release_version}"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-config",
+ "../eks-karpenter",
+ ]
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = include.root.inputs.cluster_name
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ }
+}
+
+dependency "eks_config" {
+ config_path = "../eks-config"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ rwo_storage_class = "gp3-encyrpted"
+ }
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ eecr_info = include.root.inputs.eecr_info
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_name = dependency.eks.outputs.cluster_name
+ oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
+
+ # Prometheus Configuration
+ alertmanager_tag = include.root.inputs.alertmanager_tag
+ namespace = include.root.inputs.namespaces["prometheus"]
+ prometheus_chart_version = include.root.inputs.prometheus_chart_version
+ prometheus_config_reloader_tag = include.root.inputs.prometheus_config_reloader_tag
+ prometheus_server_tag = include.root.inputs.prometheus_server_tag
+ pushgateway_tag = include.root.inputs.pushgateway_tag
+ rwo_storage_class = dependency.eks_config.outputs.rwo_storage_class
+}
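Review bot: The mock value for the eks_config dependency is misspelled — `rwo_storage_class = "gp3-encyrpted"` — while the module's documented default in the README table above is `gp3-encrypted`; any `plan`/`validate` run that falls back to the mock (allowed here for init, plan, validate and destroy) will render a storage class that does not exist, so the plan diff is misleading rather than representative. Change it to `rwo_storage_class = "gp3-encrypted"`. Separately, `terraform.source` pins `tfmod-prometheus` to `?ref=${include.root.inputs.release_version}`; if `release_version` resolves to a tag or branch rather than a commit SHA, the module content is mutable between applies of a generated repo — worth a comment on the `source` line stating what kind of ref is expected, e.g. `# release_version must be an immutable tag/commit; generated repos re-resolve it on every init`.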
diff --git a/templates/eks-modules/eks-tempo.terragrunt.hcl b/templates/eks-modules/eks-tempo.terragrunt.hcl
new file mode 100644
index 0000000..71dd0a1
--- /dev/null
+++ b/templates/eks-modules/eks-tempo.terragrunt.hcl
@@ -0,0 +1,75 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-tempo.git?ref=${include.root.inputs.release_version}"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = include.root.inputs.cluster_name
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ }
+}
+
+dependency "eks-prometheus" {
+ config_path = "../eks-prometheus"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ prometheus_namespace = "prometheus"
+ prometheus_server_internal_endpoint = {
+ hostname = "prometheus-server.mock.svc.cluster.local"
+ port_number = 9090
+ url = "http://prometheus-server.mock.svc.cluster.local:9090/"
+ }
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-prometheus"
+ ]
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ eecr_info = include.root.inputs.eecr_info
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_name = dependency.eks.outputs.cluster_name
+ oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
+
+ # Prometheus Configuration
+ prometheus_namespace = dependency.eks-prometheus.outputs.prometheus_namespace
+ prometheus_port = dependency.eks-prometheus.outputs.prometheus_server_internal_endpoint.port_number
+
+ # Tempo Configuration
+ tempo_chart_version = include.root.inputs.tempo_chart_version
+ tempo_tag = include.root.inputs.tempo_tag
+ namespace = include.root.inputs.namespaces["tempo"]
+
+}
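Review bot: The dependency label `dependency "eks-prometheus"` uses a hyphen, whereas the sibling template names its dependency on `../eks-config` as `eks_config` and references it as `dependency.eks_config.outputs...`; HCL does accept hyphens inside identifiers, but `dependency.eks-prometheus.outputs.prometheus_namespace` reads as a subtraction at a glance and breaks the underscore convention the other templates establish. Rename it to `dependency "eks_prometheus"` and update the two references in `inputs` to `dependency.eks_prometheus.outputs.prometheus_namespace` and `dependency.eks_prometheus.outputs.prometheus_server_internal_endpoint.port_number`. The mock endpoint is `http://…:9090/` — presumably an in-cluster plaintext Prometheus URL; a one-line comment on the `mock_outputs` block noting that the mock is only consumed for init/plan/validate/destroy and must mirror the real module's output shape would help whoever next changes `tfmod-prometheus` outputs.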
diff --git a/templates/eks-modules/eks.terragrunt.hcl b/templates/eks-modules/eks.terragrunt.hcl
new file mode 100644
index 0000000..fd3787a
--- /dev/null
+++ b/templates/eks-modules/eks.terragrunt.hcl
@@ -0,0 +1,43 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git?ref=${include.root.inputs.release_version}"
+
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Core Cluster Configuration
+ cluster_name = include.root.inputs.cluster_name
+ cluster_version = include.root.inputs.cluster_version
+ eks_ng_desired_size = include.root.inputs.eks_ng_desired_size
+ eks_ng_max_size = include.root.inputs.eks_ng_max_size
+ eks_ng_min_size = include.root.inputs.eks_ng_min_size
+ eks_instance_types = ["t3a.large"]
+
+ # Additional Configuration
+ tags = include.root.inputs.tags
+}
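Review bot: `eks_instance_types = ["t3a.large"]` is the only value in this `inputs` block hard-coded in the template itself; every other setting, including the node-group sizes on the preceding three lines, is sourced from `include.root.inputs`, so this instance type gets baked into every generated cluster repo with no per-cluster override path. Either source it the same way, `eks_instance_types = include.root.inputs.eks_instance_types`, with the default declared alongside the other node-group inputs in root, or add a comment explaining why the bootstrap node group is intentionally fixed, e.g. `# Bootstrap node group is intentionally fixed; Karpenter provisions all other capacity`. I cannot see whether root.hcl already exposes such an input, so confirm before wiring it through.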