diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
deleted file mode 100644
index c8ead3b..0000000
--- a/.github/workflows/release.yml
+++ /dev/null
@@ -1,70 +0,0 @@
-# SCT-Engineering/release action
-name: Do Release of Module
-
-# Controls when the workflow will run
-on:
- pull_request:
- types: [opened, reopened, synchronize, labeled, unlabeled]
- push:
- branches:
- - main
- # Allows you to run this workflow manually from the Actions tab
- workflow_dispatch:
-
-permissions:
- id-token: write
- contents: write
- pull-requests: write
-
-# A workflow run is made up of one or more jobs that can run sequentially or in parallel
-jobs:
- # This workflow contains a single job called "Release"
- Release:
- # The type of runner that the job will run on
- runs-on: ["229685449397"]
- if: "!startsWith(github.event.head_commit.message, 'bump:')"
-
- steps:
- - uses: CSVD/gh-actions-checkout@v4
- id: checkout
- with:
- token: "${{ secrets.PERSONAL_ACCESS_TOKEN }}"
- fetch-depth: 0
-
- - name: Setup GITHUB Credentials
- id: github_credentials
- uses: CSVD/gh-auth@main
- with:
- github_app_pem_file: ${{ secrets.GH_APP_PEM_FILE }}
- github_app_installation_id: ${{ vars.GH_APP_INSTALLATION_ID }}
- github_base_url: "${{ github.server_url }}/"
-
- - name: Create bump and changelog
- uses: CSVD/commitizen-action@main
- with:
- github_token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
- changelog_increment_filename: body.md
-
- - uses: CSVD/gh-actions-checkout@v4
- - run: |
- date > generated.txt
- # Note: the following account information will not work on GHES
- git config user.name "github-actions[bot]"
- git config user.email "{user.id}+{user.login}@users.noreply.github.e.it.census.gov"
- git add .
- git commit -m "generated"
- git push
- # - name: Push doc to Github Page
- # uses: peaceiris/actions-gh-pages@v4
- # with:
- # personal_token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
- # publish_branch: gh-pages
- # publish_dir: ./site
- # user_name: "github-actions[bot]"
- # user_email: "github-actions[bot]@users.noreply.github.com"
- # - name: Release
- # uses: ncipollo/release-action@v1
- # with:
- # tag: v${{ env.REVISION }}
- # bodyFile: "body.md"
- # skipIfReleaseExists: true
diff --git a/.github/workflows/terraform-release.yaml b/.github/workflows/terraform-release.yaml
new file mode 100644
index 0000000..04b96db
--- /dev/null
+++ b/.github/workflows/terraform-release.yaml
@@ -0,0 +1,40 @@
+name: Terraform CI/CD
+on:
+ workflow_dispatch:
+ pull_request:
+ types: [closed]
+ branches:
+ - main
+jobs:
+ terraform-ci-cd:
+ runs-on: 229685449397
+ permissions:
+ contents: write
+
+ steps:
+ - name: Checkout code
+ uses: CSVD/gh-actions-checkout@v4
+
+ - name: Setup GITHUB Credentials
+ id: github_credentials
+ uses: CSVD/gh-auth@main
+ with:
+ github_app_pem_file: ${{ secrets.GH_APP_PEM_FILE }}
+ github_app_installation_id: ${{ vars.GH_APP_INSTALLATION_ID }}
+ github_app_id: ${{ vars.GH_APP_ID }}
+
+ - name: Setup GitHub CLI
+ run: |
+ # Force manual authentication since setup-git might not work with GitHub Enterprise
+ echo "${{ steps.github_credentials.outputs.github_token }}" > /tmp/token.txt
+ gh auth login --with-token --hostname "github.e.it.census.gov" < /tmp/token.txt
+ rm /tmp/token.txt
+
+ # Test GitHub CLI auth status
+ gh auth status || echo "GitHub CLI authentication failed"
+
+ - name: Run Release Action
+ uses: CSVD/releaser@main
+ with:
+ github-token: ${{ steps.github_credentials.outputs.github_token }}
+ working-directory: '.'
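Review bot: In the "Setup GitHub CLI" step the app token is written to /tmp/token.txt before `gh auth login` reads it; the default `run:` shell exits on the first failing command, so a failed login skips the `rm` and leaves the token on disk on the runner, and the inline `${{ }}` expansion also bakes it into the rendered script. Pass the step output through `env:` and feed it to gh on stdin so no file is created (the variable is deliberately not named `GH_TOKEN`/`GH_ENTERPRISE_TOKEN`, which gh reads directly). `gh auth status || echo ...` then turns an authentication failure into a log line and the job only fails later in "Run Release Action"; let the status check fail the step. Separately, `pull_request: types: [closed]` also fires for PRs closed without merging, so the job wants `if: github.event_name == 'workflow_dispatch' || github.event.pull_request.merged == true`, and `runs-on: 229685449397` should be quoted as terraform-validate.yaml does, since an unquoted all-digit scalar is parsed as an integer.
```yaml
      - name: Setup GitHub CLI
        env:
          APP_TOKEN: ${{ steps.github_credentials.outputs.github_token }}
        run: |
          # Force manual authentication since setup-git might not work with GitHub Enterprise;
          # the token goes to gh over stdin so it never touches the filesystem.
          printf '%s\n' "$APP_TOKEN" | gh auth login --with-token --hostname "github.e.it.census.gov"
          gh auth status
```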
diff --git a/.github/workflows/terraform-validate.yaml b/.github/workflows/terraform-validate.yaml
new file mode 100644
index 0000000..72829d8
--- /dev/null
+++ b/.github/workflows/terraform-validate.yaml
@@ -0,0 +1,42 @@
+name: Terraform Validate
+on:
+ pull_request:
+ workflow_dispatch:
+
+jobs:
+
+ terraform-validate:
+ runs-on: "229685449397"
+ permissions:
+ contents: write
+ steps:
+ - name: Checkout code
+ uses: CSVD/gh-actions-checkout@v4
+
+ - name: Setup Terraform
+ uses: CSVD/gh-actions-setup-terraform@v2
+ with:
+ terraform_version: '1.7.3'
+
+ - name: Validate Terraform Configuration
+ id: validate
+ uses: CSVD/terraform-validate@main
+
+ - name: Check Validation/Test Results
+ if: always()
+ run: |
+ # Set default values if outputs are empty
+ IS_VALID="${{ steps.validate.outputs.is_valid }}"
+ TESTS_PASSED="${{ steps.validate.outputs.tests_passed }}"
+
+ # If outputs are empty, set them to false
+ [ -z "$IS_VALID" ] && IS_VALID="false"
+ [ -z "$TESTS_PASSED" ] && TESTS_PASSED="false"
+
+ if [[ "$IS_VALID" != "true" || "$TESTS_PASSED" != "true" ]]; then
+ echo "Validation or test errors found:"
+ echo "${{ steps.validate.outputs.stderr }}"
+ exit 1
+ else
+ echo "All validations and tests passed successfully!"
+ fi
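Review bot: The "Check Validation/Test Results" step splices `${{ steps.validate.outputs.stderr }}` (and the two status outputs) directly into the `run:` script, so the text terraform wrote to stderr — which echoes names and snippets from the .tf files under validation, i.e. content controlled by the PR being checked — is parsed by bash as script before it is echoed. Route the outputs through `env:` and reference them as shell variables, which keeps them as data; the `${VAR:-false}` default also replaces the two `[ -z ... ]` lines. The job requests `contents: write` although it only checks out and validates; `contents: read` is sufficient here. `if: always()` runs the step even when the job was cancelled; `if: ${{ !cancelled() }}` keeps the "report when validate failed" behaviour without that.
```yaml
      - name: Check Validation/Test Results
        if: ${{ !cancelled() }}
        env:
          IS_VALID: ${{ steps.validate.outputs.is_valid }}
          TESTS_PASSED: ${{ steps.validate.outputs.tests_passed }}
          VALIDATE_STDERR: ${{ steps.validate.outputs.stderr }}
        run: |
          # Step outputs arrive via the environment, so their contents are never parsed as script text.
          IS_VALID="${IS_VALID:-false}"
          TESTS_PASSED="${TESTS_PASSED:-false}"
          if [[ "$IS_VALID" != "true" || "$TESTS_PASSED" != "true" ]]; then
            echo "Validation or test errors found:"
            echo "$VALIDATE_STDERR"
            exit 1
          fi
          # … unchanged: success message …
```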
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index fbcb79b..2fbb916 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -38,7 +38,7 @@ repos:
# Terraform Hooks
- repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.96.1 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
+ rev: v1.98.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
hooks:
- id: terraform_fmt
args:
@@ -94,6 +94,6 @@ repos:
# - --hook-config=--parallelism-ci-cpu-cores=2
- repo: https://github.com/ljnsn/cz-conventional-gitmoji
- rev: v0.6.1
+ rev: v0.7.0
hooks:
- id: conventional-gitmoji
diff --git a/.tflint.hcl b/.tflint.hcl
index 30b0d2c..4ac5035 100644
--- a/.tflint.hcl
+++ b/.tflint.hcl
@@ -12,18 +12,18 @@ config {
# variables = ["foo=bar", "bar=[\"baz\"]"]
}
-rule "aws_instance_invalid_type" {
- enabled = true
-}
+# rule "aws_instance_invalid_type" {
+# enabled = true
+# }
-plugin "aws" {
- enabled = true
- version = "0.32.0"
- source = "github.com/terraform-linters/tflint-ruleset-aws"
-}
+# plugin "aws" {
+# enabled = true
+# version = "0.32.0"
+# source = "github.com/terraform-linters/tflint-ruleset-aws"
+# }
-plugin "terraform" {
- enabled = true
- version = "0.9.0"
- source = "github.com/terraform-linters/tflint-ruleset-terraform"
-}
+# plugin "terraform" {
+# enabled = true
+# version = "0.9.0"
+# source = "github.com/terraform-linters/tflint-ruleset-terraform"
+# }
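Review bot: The rule and both plugin blocks are commented out rather than removed, with no note on why, so a later reader cannot tell whether the aws and terraform rulesets are off intentionally or temporarily; main.tf still carries `# tflint-ignore: terraform_module_version` and `# tflint-ignore: terraform_module_pinned_source` pragmas that only make sense while the terraform ruleset runs. If the motivation is that the runner cannot fetch rulesets from github.com, the terraform ruleset is bundled with tflint (as of the v0.40 line, as I recall) and can be kept enabled without `version`/`source`; the aws ruleset has no bundled fallback, so its removal should be recorded above the commented block, e.g. `# aws ruleset disabled: <reason placeholder>`. At minimum, a one-line comment above each disabled block stating the decision is needed.
```hcl
plugin "terraform" {
  enabled = true
  preset  = "recommended"
}
```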
diff --git a/README.md b/README.md
index 33fa384..496ad4c 100644
--- a/README.md
+++ b/README.md
@@ -40,15 +40,15 @@ sys 0m2.015s
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | 5.84.0 |
+| [aws](#provider\_aws) | 5.88.0 |
| [helm](#provider\_helm) | 2.17.0 |
-| [kubernetes](#provider\_kubernetes) | 2.35.1 |
+| [kubernetes](#provider\_kubernetes) | 2.36.0 |
## Modules
| Name | Source | Version |
|------|--------|---------|
-| [efs](#module\_efs) | git@github.e.it.census.gov:terraform-modules/aws-efs.git | master |
+| [efs](#module\_efs) | git::https://github.e.it.census.gov/terraform-modules/aws-efs.git/ | master |
## Resources
@@ -56,6 +56,7 @@ sys 0m2.015s
|------|------|
| [helm_release.console_access](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [kubernetes_namespace.operators](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [kubernetes_namespace.telemetry](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_storage_class.ebs_encrypted](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class) | resource |
| [kubernetes_storage_class.efs_sc](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class) | resource |
| [kubernetes_storage_class.gp3_encrypted](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class) | resource |
@@ -74,6 +75,7 @@ sys 0m2.015s
| [subnets](#input\_subnets) | Specify the subnets used by this cluster | `list(string)` | n/a | yes |
| [tag\_costallocation](#input\_tag\_costallocation) | Tag CostAllocation (default) | `string` | `"csvd:infrastructure"` | no |
| [tags](#input\_tags) | AWS Tags to apply to appropriate resources | `map(string)` | `{}` | no |
+| [telemetry\_ns](#input\_telemetry\_ns) | Namespace to create where telemetry will be installed. | `string` | `"telemetry"` | no |
| [vpc\_id](#input\_vpc\_id) | Specify the VPC id that is used by this cluster | `string` | n/a | yes |
## Outputs
diff --git a/cluster_autoscaler.tf.off b/cluster_autoscaler.tf.off
deleted file mode 100644
index ef30dc9..0000000
--- a/cluster_autoscaler.tf.off
+++ /dev/null
@@ -1,102 +0,0 @@
-locals {
- # https://docs.aws.amazon.com/eks/latest/userguide/cluster-autoscaler.html
- autoscale_tags = {
- format("k8s.io/cluster-autoscaler/%v", var.cluster_name) = "owned"
- "k8s.io/cluster-autoscaler/enabled" = "TRUE"
- }
-
- ng_asg_name = var.eks_managed_node_groups_autoscaling_group_names[0]
-}
-
-# module "cluster_autoscaler_irsa_role" {
-# source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
-
-# role_name = "${var.cluster_name}-cluster-autoscaler"
-
-# attach_cluster_autoscaler_policy = true
-
-# cluster_autoscaler_cluster_names = [var.cluster_name]
-
-# oidc_providers = {
-# main = {
-# provider_arn = var.oidc_provider_arn
-# namespace_service_accounts = ["kube-system:cluster-autoscaler"]
-# }
-# }
-# tags = local.tags
-# }
-
-# ALTERNATELY WE PASS THIS VIA OUTPUT DEPENDENCY W/ TERRAGRUNT
-data "aws_iam_role" "cluster_autoscaler_irsa_role" {
- name = "${var.cluster_name}-cluster-autoscaler"
-}
-
-#### NEED TO MOVE THIS TO A PROPER PLACE
-resource "kubernetes_namespace" "operators" {
- metadata {
- name = var.operators_ns
- }
-}
-
-resource "aws_autoscaling_group_tag" "on-demand" {
- autoscaling_group_name = local.ng_asg_name
- tag {
- key = "k8s.io/cluster-autoscaler/node-template/label/eks.amazonaws.com/capacityType"
- value = "ON_DEMAND"
- propagate_at_launch = true
- }
-}
-
-data "kubernetes_namespace" "kube-system" {
- metadata {
- name = "kube-system"
- }
-}
-
-resource "helm_release" "cluster-autoscaler" {
- depends_on = [
- module.images,
- ]
-
- chart = "cluster-autoscaler"
- name = "cluster-autoscaler"
- version = var.cluster_autoscaler_chart_version
- namespace = data.kubernetes_namespace.kube-system.metadata[0].name
- repository = "https://kubernetes.github.io/autoscaler"
-
- set {
- name = "image.repository"
- value = format("%v/%v",
- module.images.images[local.autoscaler_key].dest_registry,
- module.images.images[local.autoscaler_key].dest_repository
- )
- }
- set {
- name = "image.tag"
- value = module.images.images[local.autoscaler_key].tag
- }
- set {
- name = "autoDiscovery.clusterName"
- value = var.cluster_name
- }
- set {
- name = "awsRegion"
- value = var.region
- }
-
- set {
- name = "rbac.serviceAccount.name"
- value = "cluster-autoscaler"
- }
-
- set {
- name = "rbac.serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"
- value = data.aws_iam_role.cluster_autoscaler_irsa_role.arn
- # value = module.cluster_autoscaler_irsa_role.iam_role_arn
- }
-
- set {
- name = "rbac.serviceAccount.create"
- value = "true"
- }
-}
diff --git a/copy_images.tf.off b/copy_images.tf.off
deleted file mode 100644
index dccba9e..0000000
--- a/copy_images.tf.off
+++ /dev/null
@@ -1,29 +0,0 @@
-locals {
- kubectl_key = format("%v#%v", "kubectl", var.kubectl_image_tag)
-
- image_config = [
- {
- enabled = true
- dest_path = null
- name = "kubectl"
- source_image = "bitnami/kubectl"
- source_registry = "docker.io"
- source_tag = var.kubectl_image_tag
- tag = var.kubectl_image_tag
- }
- ]
-}
-
-module "images" {
- source = "git@github.e.it.census.gov:terraform-modules/aws-ecr-copy-images.git/?ref=tf-upgrade"
-
- profile = var.profile
- application_name = var.cluster_name
- image_config = local.image_config
- tags = {}
-
- enable_lifecycle_policy = true
- lifecycle_policy_all = true
- force_delete = true
- lifecycle_policy_keep_count = 3
-}
diff --git a/efs-filesystem.tf.off b/efs-filesystem.tf.off
deleted file mode 100644
index 667f8cd..0000000
--- a/efs-filesystem.tf.off
+++ /dev/null
@@ -1,149 +0,0 @@
-# -------------------------------------------------------------------------------------
-# EKS-EFS - Creates an EFS volume and Kubernetes resources to use it
-# -------------------------------------------------------------------------------------
-locals {
- efs_access_points = [
- {
- label = "data-logs"
- name = "data-logs"
- path = "/data_logs"
- owner_uid = 51000
- owner_gid = 51000
- permissions = "755"
- claim_name = "logs"
- claim_namespace = "logs"
- },
- {
- label = "data-apps"
- name = "data-apps"
- path = "/data_apps"
- owner_uid = 51000
- owner_gid = 51000
- permissions = "755"
- claim_name = "apps"
- claim_namespace = "apps"
- },
- ]
-}
-
-# -------------------------------------------------------------------------------------
-# EFS Namespace
-# -------------------------------------------------------------------------------------
-resource "kubernetes_namespace" "efs_namespace" {
- for_each = { for ap in local.efs_access_points : ap.label => ap }
- metadata {
- name = format("%v-%v", var.cluster_name, each.value.claim_namespace)
- }
-}
-
-# -------------------------------------------------------------------------------------
-# EFS Access Point
-# -------------------------------------------------------------------------------------
-resource "aws_efs_access_point" "efs_ap" {
- for_each = { for ap in local.efs_access_points : ap.name => ap }
- file_system_id = module.efs.id
- root_directory {
- path = each.value.path
- creation_info {
- owner_uid = each.value.owner_uid
- owner_gid = each.value.owner_gid
- permissions = each.value.permissions
- }
- }
-
- tags = merge(
- local.base_tags,
- # local.common_tags,
- # var.application_tags,
- tomap({ "Name" = format("%v-efs-access-point_%v", var.cluster_name, each.key) }),
- )
-}
-
-# -------------------------------------------------------------------------------------
-# EFS Persistent Volume
-# -------------------------------------------------------------------------------------
-resource "kubernetes_persistent_volume" "efs_ap" {
- for_each = { for ap in local.efs_access_points : ap.name => ap }
- metadata {
- name = format("efs-%v-pv", each.key)
- }
- spec {
- capacity = {
- storage = "1Gi"
- }
- claim_ref {
- name = format("%v-%v-%v-claim", var.cluster_name, each.value.claim_namespace, each.key)
- namespace = format("%v-%v", var.cluster_name, each.value.claim_namespace)
- }
- access_modes = ["ReadWriteMany"]
- persistent_volume_reclaim_policy = "Retain"
- volume_mode = "Filesystem"
- storage_class_name = "efs"
- persistent_volume_source {
- csi {
- driver = "efs.csi.aws.com"
- volume_handle = format("%v:%v:%v", module.efs.id, "", aws_efs_access_point.efs_ap[each.key].id)
- }
- }
- }
-}
-# -------------------------------------------------------------------------------------
-# EFS Persistent Volume Claim Per AP
-# -------------------------------------------------------------------------------------
-resource "kubernetes_persistent_volume_claim" "efs_ap" {
- for_each = { for ap in local.efs_access_points : ap.name => ap }
- metadata {
- name = format("%v-%v-%v-claim", var.cluster_name, each.value.claim_namespace, each.key)
- namespace = format("%v-%v", var.cluster_name, each.value.claim_namespace)
- }
- wait_until_bound = false
- spec {
- access_modes = ["ReadWriteMany"]
- storage_class_name = "efs"
- resources {
- requests = {
- storage = "1Gi"
- }
- }
- }
- depends_on = [kubernetes_persistent_volume.efs_ap]
-}
-
-# -------------------------------------------------------------------------------------
-# EFS Persistent Volume Base Claim
-# -------------------------------------------------------------------------------------
-resource "kubernetes_persistent_volume_claim" "pvc_efs-cluster-base" {
- depends_on = [kubernetes_storage_class.efs-sc]
- metadata {
- name = format("%v%v-%v", "eks-", var.cluster_name, "base-claim")
- }
- wait_until_bound = false
- spec {
- access_modes = ["ReadWriteMany"]
- resources {
- requests = {
- storage = "25Gi"
- }
- }
- storage_class_name = "efs"
- }
-}
-
-output "efs_ap_ids" {
- description = "EFS AccessPoint IDs"
- value = { for k, v in aws_efs_access_point.efs_ap : k => v.id }
-}
-
-## # apiVersion: v1
-## # kind: PersistentVolumeClaim
-## # metadata:
-## # name: ditd-gups-dev1-data1-geoserver-claim
-## # spec:
-## # accessModes:
-## # - ReadWriteMany
-## # storageClassName: efs-sc
-## # resources:
-## # requests:
-## # storage: 5Gi
-## #
-##
diff --git a/main.tf b/main.tf
index 00e1daa..2dc98d4 100644
--- a/main.tf
+++ b/main.tf
@@ -50,7 +50,7 @@ resource "kubernetes_storage_class" "ebs_encrypted" {
module "efs" {
# tflint-ignore: terraform_module_version
# tflint-ignore: terraform_module_pinned_source
- source = "git@github.e.it.census.gov:terraform-modules/aws-efs.git?ref=master"
+ source = "git::https://github.e.it.census.gov/terraform-modules/aws-efs.git/?ref=master"
name = var.cluster_name
vpc_id = var.vpc_id
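Review bot: The new `git::https://` source still ends in `?ref=master`, so the module remains pinned to a moving branch and the `tflint-ignore: terraform_module_pinned_source` line just above keeps the linter quiet about it; every `terraform init` may pull different module code than the previous plan or apply saw. Pin to a release tag or commit and drop both ignore pragmas, e.g. `source = "git::https://github.e.it.census.gov/terraform-modules/aws-efs.git/?ref=<TAG_OR_COMMIT>"`. Moving from `git@` SSH to HTTPS also shifts module fetching onto whatever HTTPS git credential the runner has configured; worth confirming the new workflows provide one, since neither visibly configures git credentials for that host. The `module "efs"` block continues past the hunk.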