[Major] Code Freeze PR

.github/workflows/terraform-release.yaml

@@ -1,13 +1,13 @@
-name: Terraform CI/CD
+name: Terraform Module Release
 on:
   workflow_dispatch:
   pull_request:
     types: [closed]
     branches:
       - main
 jobs:
-  terraform-ci-cd:
-    runs-on: 229685449397
+  terraform-release:
+    runs-on: "229685449397"
     permissions:
       contents: write
 

.github/workflows/terraform-validate.yaml

@@ -16,7 +16,7 @@ jobs:
       - name: Setup Terraform
         uses: CSVD/gh-actions-setup-terraform@v2
         with:
-          terraform_version: '1.7.3'
+          terraform_version: '1.10.5'
 
       - name: Validate Terraform Configuration
         id: validate

README.md

@@ -82,14 +82,17 @@ have a istio proxy configured, prevent communication with that pod.)
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.14.0 |
 | <a name="requirement_helm"></a> [helm](#requirement\_helm) | >= 2.11.0 |
 | <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | >= 2.23.0 |
+| <a name="requirement_null"></a> [null](#requirement\_null) | >= 3.2.1 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.89.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.94.1 |
+| <a name="provider_aws.eecr"></a> [aws.eecr](#provider\_aws.eecr) | 5.94.1 |
 | <a name="provider_helm"></a> [helm](#provider\_helm) | 2.17.0 |
 | <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | 2.36.0 |
+| <a name="provider_null"></a> [null](#provider\_null) | 3.2.3 |
 
 ## Modules
 
@@ -106,14 +109,19 @@ have a istio proxy configured, prevent communication with that pod.)
 | [helm_release.ingress](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.istiod](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [kubernetes_namespace.ns](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [null_resource.git_version](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [aws_ecr_authorization_token.ecr_token](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ecr_authorization_token) | data source |
+| [aws_ecr_authorization_token.token](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ecr_authorization_token) | data source |
 | [aws_lb.lb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/lb) | data source |
 | [kubernetes_service.istio_ingressgateway](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/data-sources/service) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_account_id"></a> [account\_id](#input\_account\_id) | aws account number | `string` | `""` | no |
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | The name of the cluster into which istio will be installed. | `string` | n/a | yes |
+| <a name="input_eecr_info"></a> [eecr\_info](#input\_eecr\_info) | Enterprise ECR source information | <pre>object({<br/>    account_id = string<br/>    alias      = string<br/>    profile    = string<br/>    region     = string<br/>  })</pre> | <pre>{<br/>  "account_id": "269222635945",<br/>  "alias": "lab-gov-shared-nonprod",<br/>  "profile": "269222635945-lab-gov-shared-nonprod",<br/>  "region": "us-gov-east-1"<br/>}</pre> | no |
 | <a name="input_enable_egress_gateway"></a> [enable\_egress\_gateway](#input\_enable\_egress\_gateway) | Enable Istio to control outbound traffic from the cluster. | `bool` | `true` | no |
 | <a name="input_enable_telemetry"></a> [enable\_telemetry](#input\_enable\_telemetry) | Enable Istio's stracing, monitoring, and logging features. | `string` | `"true"` | no |
 | <a name="input_extra_listener_ports"></a> [extra\_listener\_ports](#input\_extra\_listener\_ports) | A list of additional ports that the ingress load balancer should listen to, 9094 for kafka as an example. | <pre>list(object({<br/>    name = string<br/>    port = string<br/>  }))</pre> | `[]` | no |

copy_images.tf

@@ -1,23 +1,24 @@
 locals {
-  pilot_key = format("%v#%v", "istio/pilot", var.istio_version)
-  proxy_key = format("%v#%v", "istio/proxyv2", var.istio_version)
+  pilot_key      = format("%v#%v", "istio/pilot", var.istio_version)
+  proxy_key      = format("%v#%v", "istio/proxyv2", var.istio_version)
+  ent_ecr_source = format("%v.%v.%v.%v", var.eecr_info.account_id, "dkr.ecr", var.region, "amazonaws.com/ent-images")
 
   image_config = [
     {
       enabled         = true
       dest_path       = null
       name            = "istio/pilot"
-      source_image    = "istio/pilot"
-      source_registry = "docker.io"
+      source_image    = "opensource/istio/pilot"
+      source_registry = format("%v/%v", local.ent_ecr_source, "ironbank")
       source_tag      = var.istio_version
       tag             = var.istio_version
     },
     {
       enabled         = true
       dest_path       = null
       name            = "istio/proxyv2"
-      source_image    = "istio/proxyv2"
-      source_registry = "docker.io"
+      source_image    = "opensource/istio/proxyv2"
+      source_registry = format("%v/%v", local.ent_ecr_source, "ironbank")
       source_tag      = var.istio_version
       tag             = var.istio_version
     },
@@ -32,7 +33,29 @@ module "images" {
   image_config     = local.image_config
   tags             = {}
 
-  enable_lifecycle_policy = true
-  lifecycle_policy_all    = true
-  force_delete            = true
+  enable_lifecycle_policy     = true
+  lifecycle_policy_all        = true
+  force_delete                = true
+  lifecycle_policy_keep_count = 5
+
+  source_username = data.aws_ecr_authorization_token.ecr_token.user_name
+  source_password = data.aws_ecr_authorization_token.ecr_token.password
+
+  destination_username = data.aws_ecr_authorization_token.token.user_name
+  destination_password = data.aws_ecr_authorization_token.token.password
+}
+
+data "aws_ecr_authorization_token" "token" {
+  registry_id = var.account_id
+}
+
+data "aws_ecr_authorization_token" "ecr_token" {
+  provider    = aws.eecr
+  registry_id = var.eecr_info.account_id
+}
+
+provider "aws" {
+  alias   = "eecr"
+  profile = var.eecr_info.profile
+  region  = var.eecr_info.region
 }

requirements.tf

@@ -14,5 +14,9 @@ terraform {
       source  = "hashicorp/kubernetes"
       version = ">= 2.23.0"
     }
+    null = {
+      source  = "hashicorp/null"
+      version = ">= 3.2.1"
+    }
   }
 }

variables.tf

@@ -1,3 +1,9 @@
+variable "account_id" {
+  description = "aws account number"
+  type        = string
+  default     = ""
+}
+
 variable "profile" {
   description = "AWS_PROFILE to use to apply the terraform script."
   type        = string
@@ -9,6 +15,22 @@ variable "cluster_name" {
   type        = string
 }
 
+variable "eecr_info" {
+  description = "Enterprise ECR source information"
+  type = object({
+    account_id = string
+    alias      = string
+    profile    = string
+    region     = string
+  })
+  default = {
+    account_id = "269222635945"
+    alias      = "lab-gov-shared-nonprod"
+    profile    = "269222635945-lab-gov-shared-nonprod"
+    region     = "us-gov-east-1"
+  }
+}
+
 # tflint-ignore: terraform_unused_declarations
 variable "region" {
   description = "The region in which the cluster is running."

version.tf

@@ -1,4 +1,16 @@
+resource "null_resource" "git_version" {
+  triggers = {
+    # Force this to run on every apply to get the latest tag value
+    always_run = timestamp()
+  }
+
+  provisioner "local-exec" {
+    command    = "git describe --tags --abbrev=0 2>/dev/null || echo 'unknown' > ${path.module}/.git_tag"
+    on_failure = continue
+  }
+}
+
 locals {
   module_name    = "tfmod-istio"
-  module_version = "0.1.1"
+  module_version = fileexists("${path.module}/.git_tag") ? trimspace(file("${path.module}/.git_tag")) : "latest"
 }