diff --git a/.github/workflows/terraform-release.yaml b/.github/workflows/terraform-release.yaml
index 04b96db..3f67574 100644
--- a/.github/workflows/terraform-release.yaml
+++ b/.github/workflows/terraform-release.yaml
@@ -1,4 +1,4 @@
-name: Terraform CI/CD
+name: Terraform Module Release
 on:
 workflow_dispatch:
 pull_request:
@@ -6,8 +6,8 @@ on:
 branches:
 - main
 jobs:
- terraform-ci-cd:
- runs-on: 229685449397
+ terraform-release:
+ runs-on: "229685449397"
 permissions:
 contents: write
diff --git a/.github/workflows/terraform-validate.yaml b/.github/workflows/terraform-validate.yaml
index 72829d8..ac349eb 100644
--- a/.github/workflows/terraform-validate.yaml
+++ b/.github/workflows/terraform-validate.yaml
@@ -16,7 +16,7 @@ jobs:
 - name: Setup Terraform
 uses: CSVD/gh-actions-setup-terraform@v2
 with:
- terraform_version: '1.7.3'
+ terraform_version: '1.10.5'
 - name: Validate Terraform Configuration
 id: validate
diff --git a/.github/workflows/terragrunt-cicd.yml b/.github/workflows/terragrunt-cicd.yml
deleted file mode 100644
index a78523e..0000000
--- a/.github/workflows/terragrunt-cicd.yml
+++ /dev/null
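Review bot: In the terraform-release.yaml hunk, the renamed `terraform-release` job keeps `permissions: contents: write` while the workflow (first hunk) still fires on `pull_request`, so PR-triggered runs receive a write-capable GITHUB_TOKEN on whatever runner answers the label `"229685449397"`, which looks like a self-hosted pool keyed by an account ID (an inference, not visible here). GitHub downgrades the token to read-only for fork PRs, but not for same-repo PRs, so any tagging or publishing step in this job can push from a PR build. Guard the publishing steps with `if: github.event_name != 'pull_request'`, or move `contents: write` to a job that runs only on `workflow_dispatch` or `push` to main, and confirm the self-hosted runner is not exposed to pull_request events from forks. Quoting the numeric label is correct, since a bare `229685449397` is read as an integer by YAML 1.1 loaders. The job body continues past the hunk.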
@@ -1,101 +0,0 @@ -name: 'Terraform Module CI' - -on: - push: - branches: - - main - paths: - - '**/*.hcl' - - '**/*.tf' - pull_request: - branches: - - main - paths: - - '**/*.hcl' - - '**/*.tf' - -permissions: - contents: read - pull-requests: write - -jobs: - validate: - name: 'Validate Module' - runs-on: self-hosted - - steps: - - name: Checkout - uses: actions/checkout@v3 - - - name: Setup Terraform - uses: hashicorp/setup-terraform@v2 - with: - terraform_version: 1.5.0 - - - name: Terraform Init - run: | - terraform init -backend=false - - - name: Terraform Format - run: | - terraform fmt -check - - - name: Terraform Validate - run: | - terraform validate - - - name: Run tflint - uses: terraform-linters/setup-tflint@v3 - if: github.event_name == 'pull_request' - - - name: Lint Terraform - if: github.event_name == 'pull_request' - run: | - tflint --format compact - - release: - name: 'Create Release' - needs: validate - if: github.ref == 'refs/heads/main' && github.event_name == 'push' - runs-on: self-hosted - permissions: - contents: write - - steps: - - name: Checkout - uses: actions/checkout@v3 - with: - fetch-depth: 0 - token: ${{ secrets.GITHUB_TOKEN }} - - - name: Setup Python - uses: actions/setup-python@v4 - with: - python-version: '3.9' - - - name: Install Commitizen - run: | - pip install commitizen - - - name: Configure Git - run: | - git config --local user.email "action@github.com" - git config --local user.name "GitHub Action" - - - name: Bump Version and Generate Changelog - id: cz - run: | - cz bump --yes - echo "new_version=$(cz version --project)" >> $GITHUB_OUTPUT - echo "changelog=$(cz changelog --dry-run)" >> $GITHUB_OUTPUT - - - name: Create Release - uses: actions/create-release@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - tag_name: v${{ steps.cz.outputs.new_version }} - release_name: Release v${{ steps.cz.outputs.new_version }} - draft: false - prerelease: false - body: ${{ steps.cz.outputs.changelog }} 
diff --git a/README.md b/README.md
index 2917130..42a27ff 100644
--- a/README.md
+++ b/README.md
@@ -82,14 +82,17 @@ have a istio proxy configured, prevent communication with that pod.)
 | [aws](#requirement\_aws) | >= 5.14.0 |
 | [helm](#requirement\_helm) | >= 2.11.0 |
 | [kubernetes](#requirement\_kubernetes) | >= 2.23.0 |
+| [null](#requirement\_null) | >= 3.2.1 |
 ## Providers
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | 5.89.0 |
+| [aws](#provider\_aws) | 5.94.1 |
+| [aws.eecr](#provider\_aws.eecr) | 5.94.1 |
 | [helm](#provider\_helm) | 2.17.0 |
 | [kubernetes](#provider\_kubernetes) | 2.36.0 |
+| [null](#provider\_null) | 3.2.3 |
 ## Modules
@@ -106,6 +109,9 @@ have a istio proxy configured, prevent communication with that pod.)
 | [helm_release.ingress](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.istiod](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [kubernetes_namespace.ns](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [null_resource.git_version](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [aws_ecr_authorization_token.ecr_token](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ecr_authorization_token) | data source |
+| [aws_ecr_authorization_token.token](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ecr_authorization_token) | data source |
 | [aws_lb.lb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/lb) | data source |
 | [kubernetes_service.istio_ingressgateway](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/data-sources/service) | data source |
@@ -113,7 +119,9 @@ have a istio proxy configured, prevent communication with that pod.)
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| [account\_id](#input\_account\_id) | aws account number | `string` | `""` | no |
 | [cluster\_name](#input\_cluster\_name) | The name of the cluster into which istio will be installed. | `string` | n/a | yes |
+| [eecr\_info](#input\_eecr\_info) | Enterprise ECR source information |
object({
account_id = string
alias = string
profile = string
region = string
}) | {
"account_id": "269222635945",
"alias": "lab-gov-shared-nonprod",
"profile": "269222635945-lab-gov-shared-nonprod",
"region": "us-gov-east-1"
} | no |
| [enable\_egress\_gateway](#input\_enable\_egress\_gateway) | Enable Istio to control outbound traffic from the cluster. | `bool` | `true` | no |
| [enable\_telemetry](#input\_enable\_telemetry) | Enable Istio's stracing, monitoring, and logging features. | `string` | `"true"` | no |
| [extra\_listener\_ports](#input\_extra\_listener\_ports) | A list of additional ports that the ingress load balancer should listen to, 9094 for kafka as an example. | list(object({
name = string
port = string
})) | `[]` | no |
diff --git a/copy_images.tf b/copy_images.tf
index ed05587..0b79f6c 100644
--- a/copy_images.tf
+++ b/copy_images.tf
@@ -1,14 +1,15 @@
locals {
- pilot_key = format("%v#%v", "istio/pilot", var.istio_version)
- proxy_key = format("%v#%v", "istio/proxyv2", var.istio_version)
+ pilot_key = format("%v#%v", "istio/pilot", var.istio_version)
+ proxy_key = format("%v#%v", "istio/proxyv2", var.istio_version)
+ ent_ecr_source = format("%v.%v.%v.%v", var.eecr_info.account_id, "dkr.ecr", var.region, "amazonaws.com/ent-images")
image_config = [
{
enabled = true
dest_path = null
name = "istio/pilot"
- source_image = "istio/pilot"
- source_registry = "docker.io"
+ source_image = "opensource/istio/pilot"
+ source_registry = format("%v/%v", local.ent_ecr_source, "ironbank")
source_tag = var.istio_version
tag = var.istio_version
},
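Review bot: The new `ent_ecr_source` local builds the source registry host from `var.region`, the cluster's region, while the `aws.eecr` provider that fetches the matching authorization token is configured with `var.eecr_info.region` (which defaults to `us-gov-east-1` in variables.tf). Whenever the cluster region differs from the enterprise ECR region, the copy targets `<eecr account>.dkr.ecr.<cluster region>.amazonaws.com`, a registry that presumably does not hold the Iron Bank images, and the pull fails or silently copies from the wrong place. If the intent is to always pull from the enterprise account's own region, use that region instead: `ent_ecr_source = format("%v.%v.%v.%v", var.eecr_info.account_id, "dkr.ecr", var.eecr_info.region, "amazonaws.com/ent-images")`. `var.eecr_info.alias` is not referenced in any visible hunk, so it may be a dead input. The `locals` block continues into the next hunk.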
@@ -16,8 +17,8 @@ locals {
enabled = true
dest_path = null
name = "istio/proxyv2"
- source_image = "istio/proxyv2"
- source_registry = "docker.io"
+ source_image = "opensource/istio/proxyv2"
+ source_registry = format("%v/%v", local.ent_ecr_source, "ironbank")
source_tag = var.istio_version
tag = var.istio_version
},
@@ -32,7 +33,29 @@ module "images" {
image_config = local.image_config
tags = {}
- enable_lifecycle_policy = true
- lifecycle_policy_all = true
- force_delete = true
+ enable_lifecycle_policy = true
+ lifecycle_policy_all = true
+ force_delete = true
+ lifecycle_policy_keep_count = 5
+
+ source_username = data.aws_ecr_authorization_token.ecr_token.user_name
+ source_password = data.aws_ecr_authorization_token.ecr_token.password
+
+ destination_username = data.aws_ecr_authorization_token.token.user_name
+ destination_password = data.aws_ecr_authorization_token.token.password
+}
+
+data "aws_ecr_authorization_token" "token" {
+ registry_id = var.account_id
+}
+
+data "aws_ecr_authorization_token" "ecr_token" {
+ provider = aws.eecr
+ registry_id = var.eecr_info.account_id
+}
+
+provider "aws" {
+ alias = "eecr"
+ profile = var.eecr_info.profile
+ region = var.eecr_info.region
}
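Review bot: Both `aws_ecr_authorization_token` data sources expose `password`, and the values are handed to the `images` module as `source_password`/`destination_password`; ECR tokens are short-lived (AWS documents 12 hours), but they are still written in plain text to the Terraform state and will show up in `plan` output unless the module declares those variables `sensitive = true`, which the visible lines cannot confirm. `data "aws_ecr_authorization_token" "token"` sets `registry_id = var.account_id`, whose default is `""` (variables.tf); an empty string is not the same as omitting the argument, so either drop that default or write `registry_id = var.account_id != "" ? var.account_id : null`. The `provider "aws" { alias = "eecr" ... }` block is declared inside this module and depends on a named CLI `profile`, which ties the module to the caller's local credentials file and makes the module incompatible with `count`, `for_each` and `depends_on`; the usual pattern is `configuration_aliases = [aws.eecr]` under `required_providers` in requirements.tf, with the root module passing `providers = { aws.eecr = aws.enterprise }`. That also keeps the default `profile`/`region` values out of the module entirely.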
diff --git a/requirements.tf b/requirements.tf
index ae62e15..32e5c6f 100644
--- a/requirements.tf
+++ b/requirements.tf
@@ -14,5 +14,9 @@ terraform {
source = "hashicorp/kubernetes"
version = ">= 2.23.0"
}
+ null = {
+ source = "hashicorp/null"
+ version = ">= 3.2.1"
+ }
}
}
diff --git a/variables.tf b/variables.tf
index bd11eb6..f7537cf 100644
--- a/variables.tf
+++ b/variables.tf
@@ -1,3 +1,9 @@
+variable "account_id" {
+ description = "aws account number"
+ type = string
+ default = ""
+}
+
variable "profile" {
description = "AWS_PROFILE to use to apply the terraform script."
type = string
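Review bot: `account_id` defaults to `""` and its description (`aws account number`) says neither what format is expected nor that the empty default is meant as "use the caller's own registry"; copy_images.tf passes it verbatim as `registry_id`. Add a validation block so a typo fails at plan time rather than at ECR login, e.g. `validation { condition = var.account_id == "" || can(regex("^[0-9]{12}$", var.account_id)) error_message = "account_id must be a 12-digit AWS account ID or empty." }`, and spell out in the description what the empty default means.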
@@ -9,6 +15,22 @@ variable "cluster_name" {
type = string
}
+variable "eecr_info" {
+ description = "Enterprise ECR source information"
+ type = object({
+ account_id = string
+ alias = string
+ profile = string
+ region = string
+ })
+ default = {
+ account_id = "269222635945"
+ alias = "lab-gov-shared-nonprod"
+ profile = "269222635945-lab-gov-shared-nonprod"
+ region = "us-gov-east-1"
+ }
+}
+
# tflint-ignore: terraform_unused_declarations
variable "region" {
description = "The region in which the cluster is running."
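Review bot: The `eecr_info` default bakes a specific account (`269222635945`), a `lab-gov-shared-nonprod` CLI profile and `us-gov-east-1` into the module, so a consumer that forgets to set it silently sources the Istio control-plane images from a non-production registry and relies on a profile name that only exists in the author's `~/.aws/config`; this is the module's image supply chain and should be an explicit input. Drop the default (or set `default = null` and fail fast in copy_images.tf when it is unset) and validate the account, e.g. `validation { condition = can(regex("^[0-9]{12}$", var.eecr_info.account_id)) error_message = "eecr_info.account_id must be a 12-digit AWS account ID." }`. The `alias` attribute is not used by any visible hunk; if it is only a label, say so in the description or remove it. The `region` variable that follows starts inside this hunk but its body continues past it.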
diff --git a/version.tf b/version.tf
index 87a51f5..dc66a5e 100644
--- a/version.tf
+++ b/version.tf
@@ -1,4 +1,16 @@
+resource "null_resource" "git_version" {
+ triggers = {
+ # Force this to run on every apply to get the latest tag value
+ always_run = timestamp()
+ }
+
+ provisioner "local-exec" {
+ command = "git describe --tags --abbrev=0 2>/dev/null || echo 'unknown' > ${path.module}/.git_tag"
+ on_failure = continue
+ }
+}
+
locals {
module_name = "tfmod-istio"
- module_version = "0.1.1"
+ module_version = fileexists("${path.module}/.git_tag") ? trimspace(file("${path.module}/.git_tag")) : "latest"
}
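Review bot: The `local-exec` command on the `command = "git describe ..."` line only redirects the `echo 'unknown'` fallback into `.git_tag`; when `git describe` succeeds its output goes to the provisioner's stdout and the file is never written, so `module_version` stays at `"latest"` or a stale value — wrap the whole pipeline: `command = "(git describe --tags --abbrev=0 2>/dev/null || echo 'unknown') > \"${path.module}/.git_tag\""`. Even with that fix, `file()`/`fileexists()` are evaluated at plan time and the provisioner runs at apply, so the value is always one apply behind; `git` runs in the caller's working directory rather than in `path.module` (no `working_dir` is set, and a module fetched into `.terraform/modules` normally has no `.git`), and `always_run = timestamp()` forces a replacement on every plan. A module version is better injected at release time or kept as the literal it was; if the null_resource stays, at least add `working_dir = path.module` and keep the path quoted so a directory with spaces does not break the shell. The `locals` block that follows is the tail of the file.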