From f0c7a851bcdd9b535ebdc9aaa87b204596705a45 Mon Sep 17 00:00:00 2001 From: Matthew Creal Morgan Date: Tue, 22 Apr 2025 09:37:18 -0700 Subject: [PATCH] [Major] Code Freeze PR (#16) * autoscaling * add module release process * update module source * update release action * Copy images (#15) * pointing ecr images to eecr account * fixed ecr images issues * add eecr_account_id * dynamic version * dynamic version * remove eecr data item as it is in the provider * update copy images for eecr pulling * update var and ent_ecr_source * fix action * ensure workflows are current * ensure workflows are current * ensure committed --------- Co-authored-by: Srinivasa R Nangunuri --- .github/workflows/terraform-release.yaml | 6 +- .github/workflows/terraform-validate.yaml | 2 +- .github/workflows/terragrunt-cicd.yml | 101 ---------------------- README.md | 10 ++- copy_images.tf | 41 +++++++-- requirements.tf | 4 + variables.tf | 22 +++++ version.tf | 14 ++- 8 files changed, 84 insertions(+), 116 deletions(-) delete mode 100644 .github/workflows/terragrunt-cicd.yml diff --git a/.github/workflows/terraform-release.yaml b/.github/workflows/terraform-release.yaml index 04b96db..3f67574 100644 --- a/.github/workflows/terraform-release.yaml +++ b/.github/workflows/terraform-release.yaml @@ -1,4 +1,4 @@ -name: Terraform CI/CD +name: Terraform Module Release on: workflow_dispatch: pull_request: @@ -6,8 +6,8 @@ on: branches: - main jobs: - terraform-ci-cd: - runs-on: 229685449397 + terraform-release: + runs-on: "229685449397" permissions: contents: write diff --git a/.github/workflows/terraform-validate.yaml b/.github/workflows/terraform-validate.yaml index 72829d8..ac349eb 100644 --- a/.github/workflows/terraform-validate.yaml +++ b/.github/workflows/terraform-validate.yaml @@ -16,7 +16,7 @@ jobs: - name: Setup Terraform uses: CSVD/gh-actions-setup-terraform@v2 with: - terraform_version: '1.7.3' + terraform_version: '1.10.5' - name: Validate Terraform Configuration id: validate 
diff --git a/.github/workflows/terragrunt-cicd.yml b/.github/workflows/terragrunt-cicd.yml deleted file mode 100644 index a78523e..0000000 --- a/.github/workflows/terragrunt-cicd.yml +++ /dev/null 
@@ -1,101 +0,0 @@ -name: 'Terraform Module CI' - -on: - push: - branches: - - main - paths: - - '**/*.hcl' - - '**/*.tf' - pull_request: - branches: - - main - paths: - - '**/*.hcl' - - '**/*.tf' - -permissions: - contents: read - pull-requests: write - -jobs: - validate: - name: 'Validate Module' - runs-on: self-hosted - - steps: - - name: Checkout - uses: actions/checkout@v3 - - - name: Setup Terraform - uses: hashicorp/setup-terraform@v2 - with: - terraform_version: 1.5.0 - - - name: Terraform Init - run: | - terraform init -backend=false - - - name: Terraform Format - run: | - terraform fmt -check - - - name: Terraform Validate - run: | - terraform validate - - - name: Run tflint - uses: terraform-linters/setup-tflint@v3 - if: github.event_name == 'pull_request' - - - name: Lint Terraform - if: github.event_name == 'pull_request' - run: | - tflint --format compact - - release: - name: 'Create Release' - needs: validate - if: github.ref == 'refs/heads/main' && github.event_name == 'push' - runs-on: self-hosted - permissions: - contents: write - - steps: - - name: Checkout - uses: actions/checkout@v3 - with: - fetch-depth: 0 - token: ${{ secrets.GITHUB_TOKEN }} - - - name: Setup Python - uses: actions/setup-python@v4 - with: - python-version: '3.9' - - - name: Install Commitizen - run: | - pip install commitizen - - - name: Configure Git - run: | - git config --local user.email "action@github.com" - git config --local user.name "GitHub Action" - - - name: Bump Version and Generate Changelog - id: cz - run: | - cz bump --yes - echo "new_version=$(cz version --project)" >> $GITHUB_OUTPUT - echo "changelog=$(cz changelog --dry-run)" >> $GITHUB_OUTPUT - - - name: Create Release - uses: actions/create-release@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - tag_name: v${{ steps.cz.outputs.new_version }} - release_name: Release v${{ steps.cz.outputs.new_version }} - draft: false - prerelease: false - body: ${{ steps.cz.outputs.changelog }} 
diff --git a/README.md b/README.md index 2917130..42a27ff 100644 --- a/README.md +++ b/README.md @@ -82,14 +82,17 @@ have a istio proxy configured, prevent communication with that pod.) | [aws](#requirement\_aws) | >= 5.14.0 | | [helm](#requirement\_helm) | >= 2.11.0 | | [kubernetes](#requirement\_kubernetes) | >= 2.23.0 | +| [null](#requirement\_null) | >= 3.2.1 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 5.89.0 | +| [aws](#provider\_aws) | 5.94.1 | +| [aws.eecr](#provider\_aws.eecr) | 5.94.1 | | [helm](#provider\_helm) | 2.17.0 | | [kubernetes](#provider\_kubernetes) | 2.36.0 | +| [null](#provider\_null) | 3.2.3 | ## Modules @@ -106,6 +109,9 @@ have a istio proxy configured, prevent communication with that pod.) | [helm_release.ingress](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | | [helm_release.istiod](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | | [kubernetes_namespace.ns](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | +| [null_resource.git_version](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [aws_ecr_authorization_token.ecr_token](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ecr_authorization_token) | data source | +| [aws_ecr_authorization_token.token](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ecr_authorization_token) | data source | | [aws_lb.lb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/lb) | data source | | [kubernetes_service.istio_ingressgateway](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/data-sources/service) | data source | 
@@ -113,7 +119,9 @@ have a istio proxy configured, prevent communication with that pod.) | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| [account\_id](#input\_account\_id) | aws account number | `string` | `""` | no | | [cluster\_name](#input\_cluster\_name) | The name of the cluster into which istio will be installed. | `string` | n/a | yes | +| [eecr\_info](#input\_eecr\_info) | Enterprise ECR source information |
object({
account_id = string
alias = string
profile = string
region = string
})
|
{
"account_id": "269222635945",
"alias": "lab-gov-shared-nonprod",
"profile": "269222635945-lab-gov-shared-nonprod",
"region": "us-gov-east-1"
}
| no | | [enable\_egress\_gateway](#input\_enable\_egress\_gateway) | Enable Istio to control outbound traffic from the cluster. | `bool` | `true` | no | | [enable\_telemetry](#input\_enable\_telemetry) | Enable Istio's stracing, monitoring, and logging features. | `string` | `"true"` | no | | [extra\_listener\_ports](#input\_extra\_listener\_ports) | A list of additional ports that the ingress load balancer should listen to, 9094 for kafka as an example. |
list(object({
name = string
port = string
}))
| `[]` | no | diff --git a/copy_images.tf b/copy_images.tf index ed05587..0b79f6c 100644 --- a/copy_images.tf +++ b/copy_images.tf @@ -1,14 +1,15 @@ locals { - pilot_key = format("%v#%v", "istio/pilot", var.istio_version) - proxy_key = format("%v#%v", "istio/proxyv2", var.istio_version) + pilot_key = format("%v#%v", "istio/pilot", var.istio_version) + proxy_key = format("%v#%v", "istio/proxyv2", var.istio_version) + ent_ecr_source = format("%v.%v.%v.%v", var.eecr_info.account_id, "dkr.ecr", var.region, "amazonaws.com/ent-images") image_config = [ { enabled = true dest_path = null name = "istio/pilot" - source_image = "istio/pilot" - source_registry = "docker.io" + source_image = "opensource/istio/pilot" + source_registry = format("%v/%v", local.ent_ecr_source, "ironbank") source_tag = var.istio_version tag = var.istio_version }, @@ -16,8 +17,8 @@ locals { enabled = true dest_path = null name = "istio/proxyv2" - source_image = "istio/proxyv2" - source_registry = "docker.io" + source_image = "opensource/istio/proxyv2" + source_registry = format("%v/%v", local.ent_ecr_source, "ironbank") source_tag = var.istio_version tag = var.istio_version }, 
@@ -32,7 +33,29 @@ module "images" { image_config = local.image_config tags = {} - enable_lifecycle_policy = true - lifecycle_policy_all = true - force_delete = true + enable_lifecycle_policy = true + lifecycle_policy_all = true + force_delete = true + lifecycle_policy_keep_count = 5 + + source_username = data.aws_ecr_authorization_token.ecr_token.user_name + source_password = data.aws_ecr_authorization_token.ecr_token.password + + destination_username = data.aws_ecr_authorization_token.token.user_name + destination_password = data.aws_ecr_authorization_token.token.password +} + +data "aws_ecr_authorization_token" "token" { + registry_id = var.account_id +} + +data "aws_ecr_authorization_token" "ecr_token" { + provider = aws.eecr + registry_id = var.eecr_info.account_id +} + +provider "aws" { + alias = "eecr" + profile = var.eecr_info.profile + region = var.eecr_info.region } diff --git a/requirements.tf b/requirements.tf index ae62e15..32e5c6f 100644 --- a/requirements.tf +++ b/requirements.tf @@ -14,5 +14,9 @@ terraform { source = "hashicorp/kubernetes" version = ">= 2.23.0" } + null = { + source = "hashicorp/null" + version = ">= 3.2.1" + } } } diff --git a/variables.tf b/variables.tf index bd11eb6..f7537cf 100644 --- a/variables.tf +++ b/variables.tf @@ -1,3 +1,9 @@ +variable "account_id" { + description = "aws account number" + type = string + default = "" +} + variable "profile" { description = "AWS_PROFILE to use to apply the terraform script." type = string 
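Review bot: The `provider "aws" { alias = "eecr" ... }` block is declared inside this module and configured from `var.eecr_info.profile`, whose default is a named workstation profile; a caller running on role or OIDC credentials (as the release workflow presumably does) has no such profile, so the `ecr_token` lookup fails, and a child module that owns a provider block cannot be used with `count`/`for_each` or destroyed cleanly. Declare the alias as a requirement instead — `configuration_aliases = [aws.eecr]` in the `aws` entry of `required_providers` — drop the block, and let the root module pass `providers = { aws.eecr = aws.eecr }`. Note also that both `aws_ecr_authorization_token` data sources persist their `password` in the state file, so the backend holding this module's state must be treated as holding registry credentials; the tokens are short-lived, which limits but does not remove the exposure. `data "aws_ecr_authorization_token" "token"` also passes `registry_id = var.account_id` whose default is `""`; if the intent is "the caller's own registry", say so explicitly with `registry_id = var.account_id != "" ? var.account_id : null` rather than relying on the provider treating an empty string as unset.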
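Review bot: `variable "account_id"` defaults to `""` with the description `aws account number`, which does not say what an empty value means downstream (it is fed to `registry_id` in `copy_images.tf`). Either make the description state it — `"AWS account ID that owns the destination ECR registry; leave empty to use the account of the default provider credentials."` — or drop the default so the caller must supply it, and in both cases add a guard: `validation { condition = var.account_id == "" || can(regex("^[0-9]{12}$", var.account_id)); error_message = "account_id must be a 12-digit AWS account ID or empty." }`. The `variable "profile"` block that follows is cut off by the end of the hunk.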
@@ -9,6 +15,22 @@ variable "cluster_name" {
 type = string
 }
 
+variable "eecr_info" {
+ description = "Enterprise ECR source information"
+ type = object({
+ account_id = string
+ alias = string
+ profile = string
+ region = string
+ })
+ default = {
+ account_id = "269222635945"
+ alias = "lab-gov-shared-nonprod"
+ profile = "269222635945-lab-gov-shared-nonprod"
+ region = "us-gov-east-1"
+ }
+}
+
 # tflint-ignore: terraform_unused_declarations
 variable "region" {
 description = "The region in which the cluster is running."
diff --git a/version.tf b/version.tf
index 87a51f5..dc66a5e 100644
--- a/version.tf
+++ b/version.tf
@@ -1,4 +1,16 @@
+resource "null_resource" "git_version" {
+ triggers = {
+ # Force this to run on every apply to get the latest tag value
+ always_run = timestamp()
+ }
+
+ provisioner "local-exec" {
+ command = "git describe --tags --abbrev=0 2>/dev/null || echo 'unknown' > ${path.module}/.git_tag"
+ on_failure = continue
+ }
+}
+
 locals {
 module_name = "tfmod-istio"
- module_version = "0.1.1"
+ module_version = fileexists("${path.module}/.git_tag") ? trimspace(file("${path.module}/.git_tag")) : "latest"
 }
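Review bot: `variable "eecr_info"` hard-codes a specific shared nonprod account, profile and region as its default, so any consumer that does not set it — including a production cluster — silently pulls its Istio control-plane and sidecar images from `lab-gov-shared-nonprod`, which is exactly the kind of unnoticed supply-chain drift the move off docker.io is meant to prevent. Remove the default so the caller has to state the source registry, or at minimum add `validation { condition = can(regex("^[0-9]{12}$", var.eecr_info.account_id)); error_message = "eecr_info.account_id must be a 12-digit AWS account ID." }` and say in the description that the default is a lab registry. The `alias` field does not appear to be read anywhere in this diff; if it is only informational, the description should say so. `variable "region"` at the bottom of the hunk continues outside it.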
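Review bot: The `command` in `null_resource.git_version` only redirects the fallback `echo 'unknown'` into `.git_tag`; when `git describe` succeeds its output goes to stdout and the file is never written, so `module_version` stays `latest` or whatever an earlier failure left behind. Group the pipeline and run it in the module directory, since `local-exec` executes in the caller's working directory and would otherwise describe whichever repository the root module lives in: `command = "cd ${path.module} && (git describe --tags --abbrev=0 2>/dev/null || echo 'unknown') > .git_tag"`. Even then, `file()` in `locals` is evaluated at plan time before any provisioner runs, so `module_version` will always reflect the previous apply, and the `timestamp()` trigger forces this resource to be replaced on every run; a version string written into this file by the release workflow (which already tags releases) would be simpler and would not execute a shell command on every apply.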