diff --git a/.github/workflows/terraform-validate.yaml b/.github/workflows/terraform-validate.yaml
index 72829d8..04b96db 100644
--- a/.github/workflows/terraform-validate.yaml
+++ b/.github/workflows/terraform-validate.yaml
@@ -1,42 +1,40 @@
-name: Terraform Validate
+name: Terraform CI/CD
on:
- pull_request:
workflow_dispatch:
-
+ pull_request:
+ types: [closed]
+ branches:
+ - main
jobs:
-
- terraform-validate:
- runs-on: "229685449397"
+ terraform-ci-cd:
+ runs-on: 229685449397
permissions:
contents: write
+
steps:
- name: Checkout code
uses: CSVD/gh-actions-checkout@v4
- - name: Setup Terraform
- uses: CSVD/gh-actions-setup-terraform@v2
+ - name: Setup GITHUB Credentials
+ id: github_credentials
+ uses: CSVD/gh-auth@main
with:
- terraform_version: '1.7.3'
-
- - name: Validate Terraform Configuration
- id: validate
- uses: CSVD/terraform-validate@main
+ github_app_pem_file: ${{ secrets.GH_APP_PEM_FILE }}
+ github_app_installation_id: ${{ vars.GH_APP_INSTALLATION_ID }}
+ github_app_id: ${{ vars.GH_APP_ID }}
- - name: Check Validation/Test Results
- if: always()
+ - name: Setup GitHub CLI
run: |
- # Set default values if outputs are empty
- IS_VALID="${{ steps.validate.outputs.is_valid }}"
- TESTS_PASSED="${{ steps.validate.outputs.tests_passed }}"
+ # Force manual authentication since setup-git might not work with GitHub Enterprise
+ echo "${{ steps.github_credentials.outputs.github_token }}" > /tmp/token.txt
+ gh auth login --with-token --hostname "github.e.it.census.gov" < /tmp/token.txt
+ rm /tmp/token.txt
- # If outputs are empty, set them to false
- [ -z "$IS_VALID" ] && IS_VALID="false"
- [ -z "$TESTS_PASSED" ] && TESTS_PASSED="false"
+ # Test GitHub CLI auth status
+ gh auth status || echo "GitHub CLI authentication failed"
- if [[ "$IS_VALID" != "true" || "$TESTS_PASSED" != "true" ]]; then
- echo "Validation or test errors found:"
- echo "${{ steps.validate.outputs.stderr }}"
- exit 1
- else
- echo "All validations and tests passed successfully!"
- fi
+ - name: Run Release Action
+ uses: CSVD/releaser@main
+ with:
+ github-token: ${{ steps.github_credentials.outputs.github_token }}
+ working-directory: '.'
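Review bot: The release action now runs for any pull request closed against main, including ones closed without merging, because the new `pull_request: types: [closed]` trigger has no merged guard; add `if: github.event_name == 'workflow_dispatch' || github.event.pull_request.merged == true` on the `terraform-ci-cd` job. `runs-on: 229685449397` dropped the quotes the old line had and now parses as an integer rather than a label string, so restore `runs-on: "229685449397"`. In the Setup GitHub CLI step the token is expanded by `${{ }}` straight into the script and written to `/tmp/token.txt`, which is left on the runner if `gh auth login` fails, and `gh auth status || echo ...` masks an authentication failure that the release step then hits with a less useful error; pass the token through `env:` and feed it on stdin as below. The removed Terraform validation steps have no replacement, so despite the new name the workflow no longer validates the configuration before releasing.
```yaml
      - name: Setup GitHub CLI
        env:
          GH_APP_TOKEN: ${{ steps.github_credentials.outputs.github_token }}
        run: |
          # Token is read from stdin; nothing is written to disk.
          printf '%s\n' "$GH_APP_TOKEN" | gh auth login --with-token --hostname "github.e.it.census.gov"
          gh auth status
      # … unchanged: Run Release Action step …
```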
diff --git a/README.md b/README.md
index 977b61c..2647d60 100644
--- a/README.md
+++ b/README.md
@@ -85,12 +85,15 @@ resource "kubernetes_manifest" "example_grafana_datasource" {
| [helm_release.loki](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [terraform_data.bucket_name_validator](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_ecr_authorization_token.ecr_token](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ecr_authorization_token) | data source |
+| [aws_ecr_authorization_token.token](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ecr_authorization_token) | data source |
| [aws_s3_bucket.s3_server_access_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_bucket) | data source |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
+| [account\_id](#input\_account\_id) | aws account number | `string` | `""` | no |
| [cluster\_name](#input\_cluster\_name) | EKS cluster name name component used through out the EKS cluster describing its purpose (ex: dice-dev) | `string` | n/a | yes |
| [enterprise\_logs\_provisioner\_tag](#input\_enterprise\_logs\_provisioner\_tag) | The version of the grafana/enterprise-logs-provisioner image to use. | `string` | `"v1.7.0"` | no |
| [exporter\_tag](#input\_exporter\_tag) | The version of prom/memcached-exporter to use for the gateway. | `string` | `"v0.14.4"` | no |
diff --git a/copy_images.tf b/copy_images.tf
index e8cb9ed..32cf25f 100644
--- a/copy_images.tf
+++ b/copy_images.tf
@@ -1,4 +1,5 @@
locals {
+ ent_ecr_source = format("%v.%v.%v.%v", var.account_id, "dkr.ecr", var.region, "amazonaws.com/ent-images")
exporter_key = format("%v#%v", "prom/memcached-exporter", var.exporter_tag)
gateway_key = format("%v#%v", "grafana/nginx-unprivileged", var.gateway_tag)
loki_key = format("%v#%v", "grafana/loki", var.loki_tag)
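Review bot: `local.ent_ecr_source` yields a host beginning with `.dkr.ecr` when `var.account_id` is left at the `""` default this diff gives it in variables.tf, so every `source_registry` in the following hunks becomes a malformed registry path instead of a clear plan-time error. The module already reads `aws_caller_identity.current` (it appears in the README section of this diff), so the caller's account can serve as the fallback: `ent_ecr_source = format("%v.dkr.ecr.%v.amazonaws.com/ent-images", coalesce(var.account_id, data.aws_caller_identity.current.account_id), var.region)`, which also reads as the hostname it builds rather than four `%v` placeholders joined by dots. The `locals` block continues past the hunk.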
@@ -12,7 +13,7 @@ locals {
dest_path = null
name = "grafana/loki"
source_image = "bitnami/grafana-loki"
- source_registry = "public.ecr.aws"
+ source_registry = format("%v/%v", local.ent_ecr_source, "public-ecr")
source_tag = var.loki_tag
tag = var.loki_tag
},
@@ -21,7 +22,7 @@ locals {
dest_path = null
name = "memcached"
source_image = "bitnami/memcached"
- source_registry = "public.ecr.aws"
+ source_registry = format("%v/%v", local.ent_ecr_source, "public-ecr")
source_tag = var.memcached_tag
tag = var.memcached_tag
},
@@ -30,7 +31,7 @@ locals {
dest_path = null
name = "prom/memcached-exporter"
source_image = "prom/memcached-exporter"
- source_registry = "docker.io"
+ source_registry = format("%v/%v", local.ent_ecr_source, "docker")
source_tag = var.exporter_tag
tag = var.exporter_tag
},
@@ -39,7 +40,7 @@ locals {
dest_path = null
name = "kiwigrid/k8s-sidecar"
source_image = "kiwigrid/k8s-sidecar"
- source_registry = "quay.io"
+ source_registry = format("%v/%v", local.ent_ecr_source, "quay")
source_tag = var.sidecar_tag
tag = var.sidecar_tag
},
@@ -48,7 +49,7 @@ locals {
dest_path = null
name = "grafana/enterprise-logs-provisioner"
source_image = "grafana/enterprise-logs-provisioner"
- source_registry = "docker.io"
+ source_registry = format("%v/%v", local.ent_ecr_source, "docker")
source_tag = var.enterprise_logs_provisioner_tag
tag = var.enterprise_logs_provisioner_tag
},
@@ -57,7 +58,7 @@ locals {
dest_path = null
name = "grafana/nginx-unprivileged"
source_image = "nginx/nginx-unprivileged"
- source_registry = "public.ecr.aws"
+ source_registry = format("%v/%v", local.ent_ecr_source, "public-ecr")
source_tag = var.gateway_tag
tag = var.gateway_tag
},
@@ -72,17 +73,22 @@ module "images" {
image_config = local.image_config
tags = {}
- ### optional
- ## account_alias = ""
- ## account_id = ""
- ## destination_password = ""
- ## destination_username = ""
- ## override_prefixes = {}
- ## region = ""
- ## source_password = ""
- ## source_username = ""
+ enable_lifecycle_policy = true
+ lifecycle_policy_all = true
+ force_delete = true
+ lifecycle_policy_keep_count = 5
- enable_lifecycle_policy = true
- lifecycle_policy_all = true
- force_delete = true
+ source_username = data.aws_ecr_authorization_token.ecr_token.user_name
+ source_password = data.aws_ecr_authorization_token.ecr_token.password
+
+ destination_username = data.aws_ecr_authorization_token.token.user_name
+ destination_password = data.aws_ecr_authorization_token.token.password
+}
+
+data "aws_ecr_authorization_token" "ecr_token" {
+ registry_id = var.account_id
+}
+
+data "aws_ecr_authorization_token" "token" {
+ registry_id = var.account_id
}
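Review bot: The two `aws_ecr_authorization_token` data sources `ecr_token` and `token` are identical (`registry_id = var.account_id` on both) and feed source and destination credentials for the same account, so one suffices; keep `ecr_token` and point `destination_username`/`destination_password` at it too. Both inherit `account_id`'s `""` default, and an empty `registry_id` is presumably rejected by the provider rather than treated as the caller's account — worth confirming with a plan. Note that the token password these data sources return is written to Terraform state, so the state backend now holds short-lived registry credentials and should be protected accordingly. The `module "images"` block starts outside the hunk.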
diff --git a/variables.tf b/variables.tf
index 35009fe..cc7aafd 100644
--- a/variables.tf
+++ b/variables.tf
@@ -1,13 +1,7 @@
-
-variable "tags" {
- description = "Additional tags to add to resources created in AWS (s3 bucket, ...)"
- type = map(string)
- default = {}
-}
-
-variable "region" {
- description = "The region holding these resources (for the s3 bucket.)"
+variable "account_id" {
+ description = "aws account number"
type = string
+ default = ""
}
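Review bot: `account_id` defaults to `""` yet copy_images.tf uses it as a hostname component and as an ECR `registry_id`, where an empty value produces a malformed registry rather than a plan-time error; either drop the default so the input is required, or keep it optional and reject anything that is neither empty nor a 12-digit account number with a `validation` block, as below. The description `aws account number` could say what the value is for, e.g. `description = "AWS account ID that owns the ent-images ECR registry (12 digits)"`. In the third hunk of this file the re-added `region` description still says it is for the s3 bucket, though `local.ent_ecr_source` now also uses it to build the ECR hostname.
```hcl
variable "account_id" {
  description = "AWS account ID that owns the ent-images ECR registry (12 digits)"
  type        = string
  default     = ""

  validation {
    condition     = var.account_id == "" || can(regex("^[0-9]{12}$", var.account_id))
    error_message = "account_id must be empty or a 12-digit AWS account ID."
  }
}
```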
variable "cluster_name" {
@@ -15,27 +9,22 @@ variable "cluster_name" {
type = string
}
-variable "profile" {
- description = "AWS config profile used to upload images into ECR"
- type = string
- default = ""
-}
-
-variable "namespace" {
- description = "The namespace into which grafana will be deployed"
+variable "enterprise_logs_provisioner_tag" {
+ description = "The version of the grafana/enterprise-logs-provisioner image to use."
type = string
- default = "loki"
+ default = "v1.7.0"
}
-variable "oidc_provider_arn" {
- description = "The ARN in the EKS cluster for the OpenID Connect identity provider."
+variable "exporter_tag" {
+ description = "The version of prom/memcached-exporter to use for the gateway."
type = string
+ default = "v0.14.4"
}
-variable "rwo_storage_class" {
- description = "Specify the storage class for read/write/once persistent volumes."
+variable "gateway_tag" {
+ description = "The version of nginxinc/nginx-unprivileged to use for the gateway."
type = string
- default = "gp3-encrypted"
+ default = "1.25.2-alpine"
}
# helm add repo grafana "https://grafana.github.io/helm-charts"
@@ -53,28 +42,38 @@ variable "loki_tag" {
default = "3.1.1"
}
-variable "enterprise_logs_provisioner_tag" {
- description = "The version of the grafana/enterprise-logs-provisioner image to use."
+variable "memcached_tag" {
+ description = "The version of memcached to use for the gateway."
type = string
- default = "v1.7.0"
+ default = "1.6.23-alpine"
}
-variable "gateway_tag" {
- description = "The version of nginxinc/nginx-unprivileged to use for the gateway."
+variable "namespace" {
+ description = "The namespace into which grafana will be deployed"
type = string
- default = "1.25.2-alpine"
+ default = "loki"
}
-variable "memcached_tag" {
- description = "The version of memcached to use for the gateway."
+variable "oidc_provider_arn" {
+ description = "The ARN in the EKS cluster for the OpenID Connect identity provider."
type = string
- default = "1.6.23-alpine"
}
-variable "exporter_tag" {
- description = "The version of prom/memcached-exporter to use for the gateway."
+variable "profile" {
+ description = "AWS config profile used to upload images into ECR"
type = string
- default = "v0.14.4"
+ default = ""
+}
+
+variable "region" {
+ description = "The region holding these resources (for the s3 bucket.)"
+ type = string
+}
+
+variable "rwo_storage_class" {
+ description = "Specify the storage class for read/write/once persistent volumes."
+ type = string
+ default = "gp3-encrypted"
}
variable "sidecar_tag" {
@@ -82,3 +81,9 @@ variable "sidecar_tag" {
type = string
default = "1.27.4"
}
+
+variable "tags" {
+ description = "Additional tags to add to resources created in AWS (s3 bucket, ...)"
+ type = map(string)
+ default = {}
+}