diff --git a/.github/workflows/terraform-release.yaml b/.github/workflows/terraform-release.yaml index 90910bc..3f67574 100644 --- a/.github/workflows/terraform-release.yaml +++ b/.github/workflows/terraform-release.yaml @@ -1,4 +1,4 @@ -name: Terraform CI/CD +name: Terraform Module Release on: workflow_dispatch: pull_request: @@ -6,8 +6,8 @@ on: branches: - main jobs: - terraform-ci-cd: - runs-on: 229685449397 + terraform-release: + runs-on: "229685449397" permissions: contents: write @@ -15,11 +15,6 @@ jobs: - name: Checkout code uses: CSVD/gh-actions-checkout@v4 - - name: Setup Terraform - uses: CSVD/gh-actions-setup-terraform@v3 - with: - terraform_version: "1.9.1" - - name: Setup GITHUB Credentials id: github_credentials uses: CSVD/gh-auth@main @@ -28,28 +23,6 @@ jobs: github_app_installation_id: ${{ vars.GH_APP_INSTALLATION_ID }} github_app_id: ${{ vars.GH_APP_ID }} - - - name: Debug Authentication - run: | - # Print the GitHub server URL - echo "GitHub Server URL: ${{ github.server_url }}" - - # Extract the host from the URL - HOST="${{ github.server_url }}" - HOST="${HOST#*//}" - HOST="${HOST%%/*}" - echo "GitHub Host: $HOST" - - # Check if token exists - if [[ -n "${{ steps.github_credentials.outputs.github_token }}" ]]; then - echo "Token generated successfully" - # Test the token with a simple GitHub API call (without exposing the token) - STATUS=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer ${{ steps.github_credentials.outputs.github_token }}" "${{ github.server_url }}/api/v3/user") - echo "API Test Status Code: $STATUS" - else - echo "No token was generated!" - fi - - name: Setup GitHub CLI run: | # Force manual authentication since setup-git might not work with GitHub Enterprise 
@@ -60,14 +33,8 @@ jobs: # Test GitHub CLI auth status gh auth status || echo "GitHub CLI authentication failed" - - name: AWS Auth - id: aws_auth - uses: CSVD/aws-auth@main - with: - ecs: true - - - name: Run Terraform Module Release Action - uses: CSVD/terraform-module-release@main + - name: Run Release Action + uses: CSVD/releaser@main with: github-token: ${{ steps.github_credentials.outputs.github_token }} working-directory: '.' diff --git a/.github/workflows/terraform-validate.yaml b/.github/workflows/terraform-validate.yaml index 72829d8..ac349eb 100644 --- a/.github/workflows/terraform-validate.yaml +++ b/.github/workflows/terraform-validate.yaml @@ -16,7 +16,7 @@ jobs: - name: Setup Terraform uses: CSVD/gh-actions-setup-terraform@v2 with: - terraform_version: '1.7.3' + terraform_version: '1.10.5' - name: Validate Terraform Configuration id: validate diff --git a/README.md b/README.md index 977b61c..abaf214 100644 --- a/README.md +++ b/README.md @@ -61,13 +61,16 @@ resource "kubernetes_manifest" "example_grafana_datasource" { | [aws](#requirement\_aws) | >= 5.14.0 | | [helm](#requirement\_helm) | >= 2.11.0 | | [kubernetes](#requirement\_kubernetes) | >= 2.23.0 | +| [null](#requirement\_null) | >= 3.2.1 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 5.89.0 | +| [aws](#provider\_aws) | 5.94.1 | +| [aws.eecr](#provider\_aws.eecr) | 5.94.1 | | [helm](#provider\_helm) | 2.17.0 | +| [null](#provider\_null) | 3.2.3 | | [terraform](#provider\_terraform) | n/a | ## Modules 
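Review bot: `uses: CSVD/releaser@main` pins a third-party action to a mutable branch while the job holds `contents: write` and hands the action a GitHub App installation token via `github-token: ${{ steps.github_credentials.outputs.github_token }}`; whatever lands on that branch next runs with those privileges on the next release. Pin to a release tag or, better, a full commit SHA, e.g. `uses: CSVD/releaser@<commit-sha>  # vX.Y.Z` (placeholder), and take bumps through a reviewed dependency-update PR. The `gh auth status || echo "GitHub CLI authentication failed"` context line above still masks a bad token, so an auth failure only surfaces inside the releaser action; dropping the `|| echo` fallback would fail the job at the auth step instead.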
@@ -83,15 +86,20 @@ resource "kubernetes_manifest" "example_grafana_datasource" { | Name | Type | |------|------| | [helm_release.loki](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [null_resource.git_version](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | | [terraform_data.bucket_name_validator](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_ecr_authorization_token.ecr_token](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ecr_authorization_token) | data source | +| [aws_ecr_authorization_token.token](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ecr_authorization_token) | data source | | [aws_s3_bucket.s3_server_access_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_bucket) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| [account\_id](#input\_account\_id) | aws account number | `string` | `""` | no | | [cluster\_name](#input\_cluster\_name) | EKS cluster name name component used through out the EKS cluster describing its purpose (ex: dice-dev) | `string` | n/a | yes | +| [eecr\_info](#input\_eecr\_info) | Enterprise ECR source information |
object({
account_id = string
alias = string
profile = string
region = string
})
|
{
"account_id": "269222635945",
"alias": "lab-gov-shared-nonprod",
"profile": "269222635945-lab-gov-shared-nonprod",
"region": "us-gov-east-1"
}
| no | | [enterprise\_logs\_provisioner\_tag](#input\_enterprise\_logs\_provisioner\_tag) | The version of the grafana/enterprise-logs-provisioner image to use. | `string` | `"v1.7.0"` | no | | [exporter\_tag](#input\_exporter\_tag) | The version of prom/memcached-exporter to use for the gateway. | `string` | `"v0.14.4"` | no | | [gateway\_tag](#input\_gateway\_tag) | The version of nginxinc/nginx-unprivileged to use for the gateway. | `string` | `"1.25.2-alpine"` | no |
diff --git a/copy_images.tf b/copy_images.tf
index e8cb9ed..7237fdf 100644
--- a/copy_images.tf
+++ b/copy_images.tf
@@ -1,4 +1,5 @@
 locals {
+ ent_ecr_source = format("%v.%v.%v.%v", var.eecr_info.account_id, "dkr.ecr", var.region, "amazonaws.com/ent-images")
 exporter_key = format("%v#%v", "prom/memcached-exporter", var.exporter_tag)
 gateway_key = format("%v#%v", "grafana/nginx-unprivileged", var.gateway_tag)
 loki_key = format("%v#%v", "grafana/loki", var.loki_tag)
@@ -11,8 +12,8 @@ locals {
 enabled = true
 dest_path = null
 name = "grafana/loki"
- source_image = "bitnami/grafana-loki"
- source_registry = "public.ecr.aws"
+ source_image = "opensource/grafana/loki"
+ source_registry = format("%v/%v", local.ent_ecr_source, "ironbank")
 source_tag = var.loki_tag
 tag = var.loki_tag
 },
@@ -20,8 +21,8 @@ locals {
 enabled = true
 dest_path = null
 name = "memcached"
- source_image = "bitnami/memcached"
- source_registry = "public.ecr.aws"
+ source_image = "opensource/memcached/memcached"
+ source_registry = format("%v/%v", local.ent_ecr_source, "ironbank")
 source_tag = var.memcached_tag
 tag = var.memcached_tag
 },
@@ -29,8 +30,8 @@ locals {
 enabled = true
 dest_path = null
 name = "prom/memcached-exporter"
- source_image = "prom/memcached-exporter"
- source_registry = "docker.io"
+ source_image = "opensource/prometheus/memcached-exporter"
+ source_registry = format("%v/%v", local.ent_ecr_source, "ironbank")
 source_tag = var.exporter_tag
 tag = var.exporter_tag
 },
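Review bot: `ent_ecr_source` builds the enterprise registry hostname from `var.region`, but the `aws.eecr` provider that fetches the matching authorization token (declared later in this same file, outside this hunk) is configured with `var.eecr_info.region`. When the deployment region differs from the enterprise registry's region, the host the copies pull from and the registry the token was issued for disagree, and every `source_registry` derived from this local fails at apply time. Unless the enterprise registry is deliberately expected to live in the deploy region, use the same field here: `ent_ecr_source = format("%v.%v.%v.%v", var.eecr_info.account_id, "dkr.ecr", var.eecr_info.region, "amazonaws.com/ent-images")`. The `source_registry` lines in the following hunks all reference this local, so the fix is in one place.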
@@ -39,7 +40,7 @@ locals {
 dest_path = null
 name = "kiwigrid/k8s-sidecar"
 source_image = "kiwigrid/k8s-sidecar"
- source_registry = "quay.io"
+ source_registry = format("%v/%v", local.ent_ecr_source, "ironbank")
 source_tag = var.sidecar_tag
 tag = var.sidecar_tag
 },
@@ -47,8 +48,8 @@ locals {
 enabled = true
 dest_path = null
 name = "grafana/enterprise-logs-provisioner"
- source_image = "grafana/enterprise-logs-provisioner"
- source_registry = "docker.io"
+ source_image = "ironbank/opensource/grafana/enterprise-logs-provisioner"
+ source_registry = format("%v/%v", local.ent_ecr_source, "ironbank")
 source_tag = var.enterprise_logs_provisioner_tag
 tag = var.enterprise_logs_provisioner_tag
 },
@@ -56,8 +57,8 @@ locals {
 enabled = true
 dest_path = null
 name = "grafana/nginx-unprivileged"
- source_image = "nginx/nginx-unprivileged"
- source_registry = "public.ecr.aws"
+ source_image = "opensource/nginx/nginx-alpine"
+ source_registry = format("%v/%v", local.ent_ecr_source, "ironbank")
 source_tag = var.gateway_tag
 tag = var.gateway_tag
 },
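Review bot: The `enterprise-logs-provisioner` entry sets `source_image = "ironbank/opensource/grafana/enterprise-logs-provisioner"` while its `source_registry` already ends in `/ironbank`, so the resolved source path is `…/ironbank/ironbank/opensource/…`; every other entry in this file omits the `ironbank/` prefix from `source_image`. Presumably it should read `source_image = "opensource/grafana/enterprise-logs-provisioner"`. Two other entries look worth confirming against the mirror: `kiwigrid/k8s-sidecar` keeps its upstream path while its registry moves to the ironbank prefix (the other moved images use an `opensource/<vendor>/<image>` path), and the gateway switches from `nginx-unprivileged` to `nginx-alpine` while still tagged from `var.gateway_tag`, whose default `1.25.2-alpine` was chosen for the old image. A wrong path or tag here only fails when the copy runs at apply time.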
@@ -72,17 +73,29 @@ module "images" { image_config = local.image_config tags = {} - ### optional - ## account_alias = "" - ## account_id = "" - ## destination_password = "" - ## destination_username = "" - ## override_prefixes = {} - ## region = "" - ## source_password = "" - ## source_username = "" + enable_lifecycle_policy = true + lifecycle_policy_all = true + force_delete = true + lifecycle_policy_keep_count = 5 - enable_lifecycle_policy = true - lifecycle_policy_all = true - force_delete = true + source_username = data.aws_ecr_authorization_token.ecr_token.user_name + source_password = data.aws_ecr_authorization_token.ecr_token.password + + destination_username = data.aws_ecr_authorization_token.token.user_name + destination_password = data.aws_ecr_authorization_token.token.password +} + +data "aws_ecr_authorization_token" "token" { + registry_id = var.account_id +} + +data "aws_ecr_authorization_token" "ecr_token" { + provider = aws.eecr + registry_id = var.eecr_info.account_id +} + +provider "aws" { + alias = "eecr" + profile = var.eecr_info.profile + region = var.eecr_info.region } diff --git a/requirements.tf b/requirements.tf index ae62e15..32e5c6f 100644 --- a/requirements.tf +++ b/requirements.tf @@ -14,5 +14,9 @@ terraform { source = "hashicorp/kubernetes" version = ">= 2.23.0" } + null = { + source = "hashicorp/null" + version = ">= 3.2.1" + } } } diff --git a/variables.tf b/variables.tf index 35009fe..05bfade 100644 --- a/variables.tf +++ b/variables.tf @@ -1,13 +1,7 @@ - -variable "tags" { - description = "Additional tags to add to resources created in AWS (s3 bucket, ...)" - type = map(string) - default = {} -} - -variable "region" { - description = "The region holding these resources (for the s3 bucket.)" +variable "account_id" { + description = "aws account number" type = string + default = "" } variable "cluster_name" { 
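Review bot: The new `provider "aws" { alias = "eecr" … }` block lives inside a reusable module (the file set is published as tfmod-loki by the release workflow) and is configured from a local CLI profile through `var.eecr_info.profile`. A provider configuration inside a child module stops callers from using `count`, `for_each` or `depends_on` on the module and leaves the provider orphaned when the module is removed, and a profile name only resolves where that `~/.aws/config` entry exists, so CI and other operators need a different credential path. Prefer declaring `configuration_aliases = [aws.eecr]` in `requirements.tf` and letting the root module pass `providers = { aws.eecr = aws.<alias> }` (placeholder). Separately, `data "aws_ecr_authorization_token" "token"` uses `registry_id = var.account_id`, whose new default in the variables.tf hunk below is `""`; if an empty string is meant to select the caller's own registry, confirm the provider treats `""` as unset rather than as a literal registry id, or default the variable to `null` instead.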
@@ -15,27 +9,38 @@ variable "cluster_name" { type = string } -variable "profile" { - description = "AWS config profile used to upload images into ECR" - type = string - default = "" +variable "eecr_info" { + description = "Enterprise ECR source information" + type = object({ + account_id = string + alias = string + profile = string + region = string + }) + default = { + account_id = "269222635945" + alias = "lab-gov-shared-nonprod" + profile = "269222635945-lab-gov-shared-nonprod" + region = "us-gov-east-1" + } } -variable "namespace" { - description = "The namespace into which grafana will be deployed" +variable "enterprise_logs_provisioner_tag" { + description = "The version of the grafana/enterprise-logs-provisioner image to use." type = string - default = "loki" + default = "v1.7.0" } -variable "oidc_provider_arn" { - description = "The ARN in the EKS cluster for the OpenID Connect identity provider." +variable "exporter_tag" { + description = "The version of prom/memcached-exporter to use for the gateway." type = string + default = "v0.14.4" } -variable "rwo_storage_class" { - description = "Specify the storage class for read/write/once persistent volumes." +variable "gateway_tag" { + description = "The version of nginxinc/nginx-unprivileged to use for the gateway." type = string - default = "gp3-encrypted" + default = "1.25.2-alpine" } # helm add repo grafana "https://grafana.github.io/helm-charts" 
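Review bot: `variable "eecr_info"` bakes a concrete account id, a `lab-gov-shared-nonprod` alias and a matching profile name into the module's default, so any caller that does not override it pulls images from a non-production enterprise registry and silently depends on that account existing. Environment identifiers belong with the caller: drop the `default` block so the input is required, or keep only a structural default and leave `account_id` and `profile` without values. The variable description `"Enterprise ECR source information"` could also state that the registry must be reachable with the credentials of the `aws.eecr` provider, since that is the contract this input actually carries.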
@@ -53,28 +58,38 @@ variable "loki_tag" { default = "3.1.1" } -variable "enterprise_logs_provisioner_tag" { - description = "The version of the grafana/enterprise-logs-provisioner image to use." +variable "memcached_tag" { + description = "The version of memcached to use for the gateway." type = string - default = "v1.7.0" + default = "1.6.23-alpine" } -variable "gateway_tag" { - description = "The version of nginxinc/nginx-unprivileged to use for the gateway." +variable "namespace" { + description = "The namespace into which grafana will be deployed" type = string - default = "1.25.2-alpine" + default = "loki" } -variable "memcached_tag" { - description = "The version of memcached to use for the gateway." +variable "oidc_provider_arn" { + description = "The ARN in the EKS cluster for the OpenID Connect identity provider." type = string - default = "1.6.23-alpine" } -variable "exporter_tag" { - description = "The version of prom/memcached-exporter to use for the gateway." +variable "profile" { + description = "AWS config profile used to upload images into ECR" type = string - default = "v0.14.4" + default = "" +} + +variable "region" { + description = "The region holding these resources (for the s3 bucket.)" + type = string +} + +variable "rwo_storage_class" { + description = "Specify the storage class for read/write/once persistent volumes." + type = string + default = "gp3-encrypted" } variable "sidecar_tag" { @@ -82,3 +97,9 @@ variable "sidecar_tag" { type = string default = "1.27.4" } + +variable "tags" { + description = "Additional tags to add to resources created in AWS (s3 bucket, ...)" + type = map(string) + default = {} +} diff --git a/version.tf b/version.tf index 33ac557..94f902b 100644 --- a/version.tf +++ b/version.tf 
@@ -1,4 +1,16 @@
+resource "null_resource" "git_version" {
+ triggers = {
+ # Force this to run on every apply to get the latest tag value
+ always_run = timestamp()
+ }
+
+ provisioner "local-exec" {
+ command = "git describe --tags --abbrev=0 2>/dev/null || echo 'unknown' > ${path.module}/.git_tag"
+ on_failure = continue
+ }
+}
+
 locals {
 module_name = "tfmod-loki"
- module_version = "0.1.1"
+ module_version = fileexists("${path.module}/.git_tag") ? trimspace(file("${path.module}/.git_tag")) : "latest"
 }
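Review bot: In the `local-exec` command the `> ${path.module}/.git_tag` redirection binds only to `echo 'unknown'`, so on the success path `git describe` prints to the provisioner's stdout and the file is never written; `module_version` can therefore only ever become `unknown` or `latest`, never the tag. Group the pipeline before redirecting and quote the path: `command = "(git describe --tags --abbrev=0 2>/dev/null || echo 'unknown') > \"${path.module}/.git_tag\""`. Even with that fix, `fileexists()`/`file()` are evaluated when the configuration is loaded, before any provisioner runs, so `module_version` reflects the previous apply, and the `timestamp()` trigger makes every plan show a pending change; passing the version in from the release workflow (which already computes the tag) would avoid the file side effect entirely. If the file approach stays, a comment such as `# .git_tag is read at plan time and lags one apply behind the provisioner` would save the next reader the surprise.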