Major: Naming changes (#38)

- moved data items from main.tf to aws_data.tf
- updated irsa_role names to use prefix
- updated cluster module version to latest from upstream (20.34.0)
- added cluster support_type = standard (cost savings)
- updated nodegroup iam role name
- added additional cluster sg to match upstream modules
- updated cluster sg names to match standards
- updated default values for some vars so we don't have to pass them in
- added 10.0.0.0/16 to census private cidr

.github/workflows/terraform-release.yaml

@@ -0,0 +1,73 @@
+name: Terraform CI/CD
+on:
+  workflow_dispatch:
+  pull_request:
+    types: [closed]
+    branches:
+      - main
+jobs:
+  terraform-ci-cd:
+    runs-on: 229685449397
+    permissions:
+      contents: write
+
+    steps:
+      - name: Checkout code
+        uses: CSVD/gh-actions-checkout@v4
+
+      - name: Setup Terraform
+        uses: CSVD/gh-actions-setup-terraform@v3
+        with:
+          terraform_version: "1.9.1"
+
+      - name: Setup GITHUB Credentials
+        id: github_credentials
+        uses: CSVD/gh-auth@main
+        with:
+          github_app_pem_file: ${{ secrets.GH_APP_PEM_FILE }}
+          github_app_installation_id: ${{ vars.GH_APP_INSTALLATION_ID }}
+          github_app_id: ${{ vars.GH_APP_ID }}
+
+
+      - name: Debug Authentication
+        run: |
+          # Print the GitHub server URL
+          echo "GitHub Server URL: ${{ github.server_url }}"
+
+          # Extract the host from the URL
+          HOST="${{ github.server_url }}"
+          HOST="${HOST#*//}"
+          HOST="${HOST%%/*}"
+          echo "GitHub Host: $HOST"
+
+          # Check if token exists
+          if [[ -n "${{ steps.github_credentials.outputs.github_token }}" ]]; then
+            echo "Token generated successfully"
+            # Test the token with a simple GitHub API call (without exposing the token)
+            STATUS=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer ${{ steps.github_credentials.outputs.github_token }}" "${{ github.server_url }}/api/v3/user")
+            echo "API Test Status Code: $STATUS"
+          else
+            echo "No token was generated!"
+          fi
+
+      - name: Setup GitHub CLI
+        run: |
+          # Force manual authentication since setup-git might not work with GitHub Enterprise
+          echo "${{ steps.github_credentials.outputs.github_token }}" > /tmp/token.txt
+          gh auth login --with-token --hostname "github.e.it.census.gov" < /tmp/token.txt
+          rm /tmp/token.txt
+
+          # Test GitHub CLI auth status
+          gh auth status || echo "GitHub CLI authentication failed"
+
+      - name: AWS Auth
+        id: aws_auth
+        uses: CSVD/aws-auth@main
+        with:
+          ecs: true
+
+      - name: Run Terraform Module Release Action
+        uses: CSVD/terraform-module-release@main
+        with:
+          github-token: ${{ steps.github_credentials.outputs.github_token }}
+          working-directory: '.'

.github/workflows/terraform-validate.yaml

@@ -0,0 +1,42 @@
+name: Terraform Validate
+on:
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+
+  terraform-validate:
+    runs-on: "229685449397"
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout code
+        uses: CSVD/gh-actions-checkout@v4
+
+      - name: Setup Terraform
+        uses: CSVD/gh-actions-setup-terraform@v2
+        with:
+          terraform_version: '1.10.5'
+
+      - name: Validate Terraform Configuration
+        id: validate
+        uses: CSVD/terraform-validate@main
+
+      - name: Check Validation/Test Results
+        if: always()
+        run: |
+          # Set default values if outputs are empty
+          IS_VALID="${{ steps.validate.outputs.is_valid }}"
+          TESTS_PASSED="${{ steps.validate.outputs.tests_passed }}"
+
+          # If outputs are empty, set them to false
+          [ -z "$IS_VALID" ] && IS_VALID="false"
+          [ -z "$TESTS_PASSED" ] && TESTS_PASSED="false"
+
+          if [[ "$IS_VALID" != "true" || "$TESTS_PASSED" != "true" ]]; then
+            echo "Validation or test errors found:"
+            echo "${{ steps.validate.outputs.stderr }}"
+            exit 1
+          else
+            echo "All validations and tests passed successfully!"
+          fi

README.md

@@ -28,7 +28,7 @@ The following addons are automatically installed and configured:
 
 ```hcl
 module "eks" {
-  source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git"
+  source = "https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks.git?ref=v20.35.0"
 
   cluster_name    = "my-cluster"
   cluster_version = "1.28"
@@ -111,7 +111,7 @@ efs-csi-controller    0         5m
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_cloudwatch_observability_irsa_role"></a> [cloudwatch\_observability\_irsa\_role](#module\_cloudwatch\_observability\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a |
-| <a name="module_cluster"></a> [cluster](#module\_cluster) | git@github.e.it.census.gov:SCT-Engineering/terraform-aws-eks.git | v20.33.1 |
+| <a name="module_cluster"></a> [cluster](#module\_cluster) | git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks/ | v20.35.0 |
 | <a name="module_ebs_csi_irsa_role"></a> [ebs\_csi\_irsa\_role](#module\_ebs\_csi\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a |
 | <a name="module_efs_csi_irsa_role"></a> [efs\_csi\_irsa\_role](#module\_efs\_csi\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a |
 | <a name="module_vpc_cni_irsa_role"></a> [vpc\_cni\_irsa\_role](#module\_vpc\_cni\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | n/a |
@@ -123,6 +123,7 @@ efs-csi-controller    0         5m
 | [aws_ec2_tag.container_subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource |
 | [aws_security_group.additional_eks_cluster_sg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [aws_security_group.all_worker_mgmt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_security_group.extra_cluster_sg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [aws_security_group_rule.allow_sidecar_injection](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [terraform_data.subnet_validation](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource |
 | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
@@ -142,16 +143,18 @@ efs-csi-controller    0         5m
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_access_entries"></a> [access\_entries](#input\_access\_entries) | Map of access entries to add to the cluster | `any` | `{}` | no |
-| <a name="input_census_private_cidr"></a> [census\_private\_cidr](#input\_census\_private\_cidr) | Census Private CIR Blocks | `list(string)` | <pre>[<br/>  "148.129.0.0/16",<br/>  "172.16.0.0/12",<br/>  "192.168.0.0/16"<br/>]</pre> | no |
-| <a name="input_cluster_endpoint_public_access"></a> [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | Whether the EKS cluster API server endpoint is publicly accessible | `bool` | `false` | no |
+| <a name="input_census_private_cidr"></a> [census\_private\_cidr](#input\_census\_private\_cidr) | Census Private CIR Blocks | `list(string)` | <pre>[<br/>  "148.129.0.0/16",<br/>  "172.16.0.0/12",<br/>  "192.168.0.0/16",<br/>  "10.0.0.0/16"<br/>]</pre> | no |
+| <a name="input_cloudwatch_retention_days"></a> [cloudwatch\_retention\_days](#input\_cloudwatch\_retention\_days) | number of days to retain logs in cloudwatch | `string` | `"14"` | no |
+| <a name="input_cluster_endpoint_private_access"></a> [cluster\_endpoint\_private\_access](#input\_cluster\_endpoint\_private\_access) | Whether the EKS cluster API server endpoint is privately accessible | `bool` | `true` | no |
+| <a name="input_cluster_endpoint_public_access"></a> [cluster\_endpoint\_public\_access](#input\_cluster\_endpoint\_public\_access) | Whether the EKS cluster API server endpoint is publicly accessible | `bool` | `true` | no |
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | EKS cluster name name component used through out the EKS cluster describing its purpose (ex: dice-dev) | `string` | n/a | yes |
 | <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | Kubernetes version to use for the EKS cluster | `string` | n/a | yes |
 | <a name="input_eks_instance_disk_size"></a> [eks\_instance\_disk\_size](#input\_eks\_instance\_disk\_size) | Size of the EKS node disk in GB | `number` | `80` | no |
-| <a name="input_eks_instance_types"></a> [eks\_instance\_types](#input\_eks\_instance\_types) | List of EC2 instance types for the EKS node group | `list(string)` | <pre>[<br/>  "t3a.large"<br/>]</pre> | no |
+| <a name="input_eks_instance_types"></a> [eks\_instance\_types](#input\_eks\_instance\_types) | List of EC2 instance types for the EKS node group | `list(string)` | <pre>[<br/>  "t3a.medium"<br/>]</pre> | no |
 | <a name="input_eks_ng_desired_size"></a> [eks\_ng\_desired\_size](#input\_eks\_ng\_desired\_size) | Desired size of the EKS node group | `number` | `4` | no |
 | <a name="input_eks_ng_max_size"></a> [eks\_ng\_max\_size](#input\_eks\_ng\_max\_size) | Maximum size of the EKS node group | `number` | `15` | no |
 | <a name="input_eks_ng_min_size"></a> [eks\_ng\_min\_size](#input\_eks\_ng\_min\_size) | Minimum size of the EKS node group | `number` | `4` | no |
-| <a name="input_enable_cluster_creator_admin_permissions"></a> [enable\_cluster\_creator\_admin\_permissions](#input\_enable\_cluster\_creator\_admin\_permissions) | Grant admin permissions to the cluster creator | `bool` | `false` | no |
+| <a name="input_enable_cluster_creator_admin_permissions"></a> [enable\_cluster\_creator\_admin\_permissions](#input\_enable\_cluster\_creator\_admin\_permissions) | Grant admin permissions to the cluster creator | `bool` | `true` | no |
 | <a name="input_subnets_name"></a> [subnets\_name](#input\_subnets\_name) | Name pattern for subnets to be used by EKS cluster | `string` | `"*-container-*"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Additional tags to apply to all resources | `map(string)` | `{}` | no |
 | <a name="input_vpc_name"></a> [vpc\_name](#input\_vpc\_name) | Name of the VPC where EKS cluster will be created | `string` | n/a | yes |

aws_data.tf

@@ -3,3 +3,31 @@ data "aws_caller_identity" "current" {}
 data "aws_arn" "current" {
   arn = data.aws_caller_identity.current.arn
 }
+data "aws_vpc" "eks_vpc" {
+  filter {
+    name   = "tag:Name"
+    values = [var.vpc_name]
+  }
+}
+
+data "aws_subnets" "subnets" {
+  filter {
+    name   = "tag:Name"
+    values = [var.subnets_name]
+  }
+  filter {
+    name   = "vpc-id"
+    values = [data.aws_vpc.eks_vpc.id]
+  }
+}
+
+data "aws_subnet" "subnets" {
+  for_each = toset(data.aws_subnets.subnets.ids)
+  id       = each.key
+}
+
+data "aws_ebs_default_kms_key" "current" {}
+
+data "aws_kms_key" "ebs_key" {
+  key_id = data.aws_ebs_default_kms_key.current.key_arn
+}

irsa_roles.tf

@@ -2,7 +2,7 @@
 module "vpc_cni_irsa_role" {
   source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
 
-  role_name = "${var.cluster_name}-vpc-cni"
+  role_name = format("%v%v-%v", local.prefixes["eks-role"], var.cluster_name, "vpc-cni")
 
   attach_vpc_cni_policy = true
   vpc_cni_enable_ipv4   = true
@@ -20,7 +20,7 @@ module "vpc_cni_irsa_role" {
 module "ebs_csi_irsa_role" {
   source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
 
-  role_name             = "${var.cluster_name}-ebs-csi-driver"
+  role_name             = format("%v%v-%v", local.prefixes["eks-role"], var.cluster_name, "ebs-csi-driver")
   attach_ebs_csi_policy = true
 
   oidc_providers = {
@@ -36,7 +36,7 @@ module "ebs_csi_irsa_role" {
 module "efs_csi_irsa_role" {
   source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
 
-  role_name             = "${var.cluster_name}-efs-csi-driver"
+  role_name             = format("%v%v-%v", local.prefixes["eks-role"], var.cluster_name, "efs-csi-driver")
   attach_efs_csi_policy = true
 
   oidc_providers = {
@@ -52,7 +52,7 @@ module "efs_csi_irsa_role" {
 module "cloudwatch_observability_irsa_role" {
   source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
 
-  role_name                              = "${var.cluster_name}-cloudwatch-observability"
+  role_name                              = format("%v%v-%v", local.prefixes["eks-role"], var.cluster_name, "cloudwatch-observability")
   attach_cloudwatch_observability_policy = true
 
   oidc_providers = {

main.tf

@@ -1,32 +1,3 @@
-data "aws_vpc" "eks_vpc" {
-  filter {
-    name   = "tag:Name"
-    values = [var.vpc_name]
-  }
-}
-
-data "aws_subnets" "subnets" {
-  filter {
-    name   = "tag:Name"
-    values = [var.subnets_name]
-  }
-  filter {
-    name   = "vpc-id"
-    values = [data.aws_vpc.eks_vpc.id]
-  }
-}
-
-data "aws_subnet" "subnets" {
-  for_each = toset(data.aws_subnets.subnets.ids)
-  id       = each.key
-}
-
-data "aws_ebs_default_kms_key" "current" {}
-
-data "aws_kms_key" "ebs_key" {
-  key_id = data.aws_ebs_default_kms_key.current.key_arn
-}
-
 locals {
   additional_policies = {}
   base_tags = {
@@ -55,13 +26,16 @@ resource "terraform_data" "subnet_validation" {
 }
 
 module "cluster" {
-  source = "git@github.e.it.census.gov:SCT-Engineering/terraform-aws-eks.git?ref=v20.33.1"
+  source = "git::https://github.e.it.census.gov/SCT-Engineering/terraform-aws-eks/?ref=v20.35.0"
 
+  access_entries                           = local.access_entries
+  cloudwatch_log_group_retention_in_days   = var.cloudwatch_retention_days
+  cluster_endpoint_private_access          = var.cluster_endpoint_private_access
+  cluster_endpoint_public_access           = var.cluster_endpoint_public_access
   cluster_name                             = var.cluster_name
+  cluster_upgrade_policy                   = { support_type = "STANDARD" }
   cluster_version                          = var.cluster_version
-  cluster_endpoint_public_access           = var.cluster_endpoint_public_access
   enable_cluster_creator_admin_permissions = var.enable_cluster_creator_admin_permissions
-  access_entries                           = local.access_entries
 
   cluster_enabled_log_types = [
     "api",
@@ -124,7 +98,7 @@ module "cluster" {
       max_size     = var.eks_ng_max_size
       desired_size = var.eks_ng_desired_size
 
-      iam_role_name                = local.ng_name
+      iam_role_name                = format("%v%v-nodegroup", local.prefixes["eks-role"], var.cluster_name)
       iam_role_additional_policies = local.additional_policies
 
       block_device_mappings = {