SCT-Engineering · morga471 · Apr 22, 2025 · Mar 7, 2025 · Mar 7, 2025 · Mar 7, 2025
diff --git a/.github/workflows/terraform-release.yaml b/.github/workflows/terraform-release.yaml
@@ -1,25 +1,20 @@
-name: Terraform CI/CD
+name: Terraform Module Release
 on:
   workflow_dispatch:
   pull_request:
     types: [closed]
     branches:
       - main
 jobs:
-  terraform-ci-cd:
-    runs-on: 229685449397
+  terraform-release:
+    runs-on: "229685449397"
     permissions:
       contents: write
 
     steps:
       - name: Checkout code
         uses: CSVD/gh-actions-checkout@v4
 
-      - name: Setup Terraform
-        uses: CSVD/gh-actions-setup-terraform@v3
-        with:
-          terraform_version: "1.9.1"
-
       - name: Setup GITHUB Credentials
         id: github_credentials
         uses: CSVD/gh-auth@main
@@ -28,28 +23,6 @@ jobs:
           github_app_installation_id: ${{ vars.GH_APP_INSTALLATION_ID }}
           github_app_id: ${{ vars.GH_APP_ID }}
 
-
-      - name: Debug Authentication
-        run: |
-          # Print the GitHub server URL
-          echo "GitHub Server URL: ${{ github.server_url }}"
-
-          # Extract the host from the URL
-          HOST="${{ github.server_url }}"
-          HOST="${HOST#*//}"
-          HOST="${HOST%%/*}"
-          echo "GitHub Host: $HOST"
-
-          # Check if token exists
-          if [[ -n "${{ steps.github_credentials.outputs.github_token }}" ]]; then
-            echo "Token generated successfully"
-            # Test the token with a simple GitHub API call (without exposing the token)
-            STATUS=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer ${{ steps.github_credentials.outputs.github_token }}" "${{ github.server_url }}/api/v3/user")
-            echo "API Test Status Code: $STATUS"
-          else
-            echo "No token was generated!"
-          fi
-
       - name: Setup GitHub CLI
         run: |
           # Force manual authentication since setup-git might not work with GitHub Enterprise
@@ -60,14 +33,8 @@ jobs:
           # Test GitHub CLI auth status
           gh auth status || echo "GitHub CLI authentication failed"
 
-      - name: AWS Auth
-        id: aws_auth
-        uses: CSVD/aws-auth@main
-        with:
-          ecs: true
-
-      - name: Run Terraform Module Release Action
-        uses: CSVD/terraform-module-release@main
+      - name: Run Release Action
+        uses: CSVD/releaser@main
         with:
           github-token: ${{ steps.github_credentials.outputs.github_token }}
           working-directory: '.'
diff --git a/.github/workflows/terraform-validate.yaml b/.github/workflows/terraform-validate.yaml
@@ -16,7 +16,7 @@ jobs:
       - name: Setup Terraform
         uses: CSVD/gh-actions-setup-terraform@v2
         with:
-          terraform_version: '1.7.3'
+          terraform_version: '1.10.5'
 
       - name: Validate Terraform Configuration
         id: validate

diff --git a/README.md b/README.md
@@ -61,13 +61,16 @@ resource "kubernetes_manifest" "example_grafana_datasource" {
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.14.0 |
 | <a name="requirement_helm"></a> [helm](#requirement\_helm) | >= 2.11.0 |
 | <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | >= 2.23.0 |
+| <a name="requirement_null"></a> [null](#requirement\_null) | >= 3.2.1 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.89.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.94.1 |
+| <a name="provider_aws.eecr"></a> [aws.eecr](#provider\_aws.eecr) | 5.94.1 |
 | <a name="provider_helm"></a> [helm](#provider\_helm) | 2.17.0 |
+| <a name="provider_null"></a> [null](#provider\_null) | 3.2.3 |
 | <a name="provider_terraform"></a> [terraform](#provider\_terraform) | n/a |
 
 ## Modules
@@ -83,15 +86,20 @@ resource "kubernetes_manifest" "example_grafana_datasource" {
 | Name | Type |
 |------|------|
 | [helm_release.loki](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [null_resource.git_version](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [terraform_data.bucket_name_validator](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_ecr_authorization_token.ecr_token](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ecr_authorization_token) | data source |
+| [aws_ecr_authorization_token.token](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ecr_authorization_token) | data source |
 | [aws_s3_bucket.s3_server_access_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_bucket) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_account_id"></a> [account\_id](#input\_account\_id) | aws account number | `string` | `""` | no |
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | EKS cluster name name component used through out the EKS cluster describing its purpose (ex: dice-dev) | `string` | n/a | yes |
+| <a name="input_eecr_info"></a> [eecr\_info](#input\_eecr\_info) | Enterprise ECR source information | <pre>object({<br/>    account_id = string<br/>    alias      = string<br/>    profile    = string<br/>    region     = string<br/>  })</pre> | <pre>{<br/>  "account_id": "269222635945",<br/>  "alias": "lab-gov-shared-nonprod",<br/>  "profile": "269222635945-lab-gov-shared-nonprod",<br/>  "region": "us-gov-east-1"<br/>}</pre> | no |
 | <a name="input_enterprise_logs_provisioner_tag"></a> [enterprise\_logs\_provisioner\_tag](#input\_enterprise\_logs\_provisioner\_tag) | The version of the grafana/enterprise-logs-provisioner image to use. | `string` | `"v1.7.0"` | no |
 | <a name="input_exporter_tag"></a> [exporter\_tag](#input\_exporter\_tag) | The version of prom/memcached-exporter to use for the gateway. | `string` | `"v0.14.4"` | no |
 | <a name="input_gateway_tag"></a> [gateway\_tag](#input\_gateway\_tag) | The version of nginxinc/nginx-unprivileged to use for the gateway. | `string` | `"1.25.2-alpine"` | no |

diff --git a/copy_images.tf b/copy_images.tf
@@ -1,4 +1,5 @@
 locals {
+  ent_ecr_source  = format("%v.%v.%v.%v", var.eecr_info.account_id, "dkr.ecr", var.region, "amazonaws.com/ent-images")
   exporter_key    = format("%v#%v", "prom/memcached-exporter", var.exporter_tag)
   gateway_key     = format("%v#%v", "grafana/nginx-unprivileged", var.gateway_tag)
   loki_key        = format("%v#%v", "grafana/loki", var.loki_tag)
@@ -11,26 +12,26 @@ locals {
       enabled         = true
       dest_path       = null
       name            = "grafana/loki"
-      source_image    = "bitnami/grafana-loki"
-      source_registry = "public.ecr.aws"
+      source_image    = "opensource/grafana/loki"
+      source_registry = format("%v/%v", local.ent_ecr_source, "ironbank")
       source_tag      = var.loki_tag
       tag             = var.loki_tag
     },
     {
       enabled         = true
       dest_path       = null
       name            = "memcached"
-      source_image    = "bitnami/memcached"
-      source_registry = "public.ecr.aws"
+      source_image    = "opensource/memcached/memcached"
+      source_registry = format("%v/%v", local.ent_ecr_source, "ironbank")
       source_tag      = var.memcached_tag
       tag             = var.memcached_tag
     },
     {
       enabled         = true
       dest_path       = null
       name            = "prom/memcached-exporter"
-      source_image    = "prom/memcached-exporter"
-      source_registry = "docker.io"
+      source_image    = "opensource/prometheus/memcached-exporter"
+      source_registry = format("%v/%v", local.ent_ecr_source, "ironbank")
       source_tag      = var.exporter_tag
       tag             = var.exporter_tag
     },
@@ -39,25 +40,25 @@ locals {
       dest_path       = null
       name            = "kiwigrid/k8s-sidecar"
       source_image    = "kiwigrid/k8s-sidecar"
-      source_registry = "quay.io"
+      source_registry = format("%v/%v", local.ent_ecr_source, "ironbank")
       source_tag      = var.sidecar_tag
       tag             = var.sidecar_tag
     },
     {
       enabled         = true
       dest_path       = null
       name            = "grafana/enterprise-logs-provisioner"
-      source_image    = "grafana/enterprise-logs-provisioner"
-      source_registry = "docker.io"
+      source_image    = "ironbank/opensource/grafana/enterprise-logs-provisioner"
+      source_registry = format("%v/%v", local.ent_ecr_source, "ironbank")
       source_tag      = var.enterprise_logs_provisioner_tag
       tag             = var.enterprise_logs_provisioner_tag
     },
     {
       enabled         = true
       dest_path       = null
       name            = "grafana/nginx-unprivileged"
-      source_image    = "nginx/nginx-unprivileged"
-      source_registry = "public.ecr.aws"
+      source_image    = "opensource/nginx/nginx-alpine"
+      source_registry = format("%v/%v", local.ent_ecr_source, "ironbank")
       source_tag      = var.gateway_tag
       tag             = var.gateway_tag
     },
@@ -72,17 +73,29 @@ module "images" {
   image_config     = local.image_config
   tags             = {}
 
-  ### optional
-  ##  account_alias        = ""
-  ##  account_id           = ""
-  ##  destination_password = ""
-  ##  destination_username = ""
-  ##  override_prefixes    = {}
-  ##  region               = ""
-  ##  source_password      = ""
-  ##  source_username      = ""
+  enable_lifecycle_policy     = true
+  lifecycle_policy_all        = true
+  force_delete                = true
+  lifecycle_policy_keep_count = 5
 
-  enable_lifecycle_policy = true
-  lifecycle_policy_all    = true
-  force_delete            = true
+  source_username = data.aws_ecr_authorization_token.ecr_token.user_name
+  source_password = data.aws_ecr_authorization_token.ecr_token.password
+
+  destination_username = data.aws_ecr_authorization_token.token.user_name
+  destination_password = data.aws_ecr_authorization_token.token.password
+}
+
+data "aws_ecr_authorization_token" "token" {
+  registry_id = var.account_id
+}
+
+data "aws_ecr_authorization_token" "ecr_token" {
+  provider    = aws.eecr
+  registry_id = var.eecr_info.account_id
+}
+
+provider "aws" {
+  alias   = "eecr"
+  profile = var.eecr_info.profile
+  region  = var.eecr_info.region
 }
diff --git a/requirements.tf b/requirements.tf
@@ -14,5 +14,9 @@ terraform {
       source  = "hashicorp/kubernetes"
       version = ">= 2.23.0"
     }
+    null = {
+      source  = "hashicorp/null"
+      version = ">= 3.2.1"
+    }
   }
 }
diff --git a/variables.tf b/variables.tf
@@ -1,41 +1,46 @@
-
-variable "tags" {
-  description = "Additional tags to add to resources created in AWS (s3 bucket, ...)"
-  type        = map(string)
-  default     = {}
-}
-
-variable "region" {
-  description = "The region holding these resources (for the s3 bucket.)"
+variable "account_id" {
+  description = "aws account number"
   type        = string
+  default     = ""
 }
 
 variable "cluster_name" {
   description = "EKS cluster name name component used through out the EKS cluster describing its purpose (ex: dice-dev)"
   type        = string
 }
 
-variable "profile" {
-  description = "AWS config profile used to upload images into ECR"
-  type        = string
-  default     = ""
+variable "eecr_info" {
+  description = "Enterprise ECR source information"
+  type = object({
+    account_id = string
+    alias      = string
+    profile    = string
+    region     = string
+  })
+  default = {
+    account_id = "269222635945"
+    alias      = "lab-gov-shared-nonprod"
+    profile    = "269222635945-lab-gov-shared-nonprod"
+    region     = "us-gov-east-1"
+  }
 }
 
-variable "namespace" {
-  description = "The namespace into which grafana will be deployed"
+variable "enterprise_logs_provisioner_tag" {
+  description = "The version of the grafana/enterprise-logs-provisioner image to use."
   type        = string
-  default     = "loki"
+  default     = "v1.7.0"
 }
 
-variable "oidc_provider_arn" {
-  description = "The ARN in the EKS cluster for the OpenID Connect identity provider."
+variable "exporter_tag" {
+  description = "The version of prom/memcached-exporter to use for the gateway."
   type        = string
+  default     = "v0.14.4"
 }
 
-variable "rwo_storage_class" {
-  description = "Specify the storage class for read/write/once persistent volumes."
+variable "gateway_tag" {
+  description = "The version of nginxinc/nginx-unprivileged to use for the gateway."
   type        = string
-  default     = "gp3-encrypted"
+  default     = "1.25.2-alpine"
 }
 
 # helm add repo grafana "https://grafana.github.io/helm-charts"
@@ -53,32 +58,48 @@ variable "loki_tag" {
   default     = "3.1.1"
 }
 
-variable "enterprise_logs_provisioner_tag" {
-  description = "The version of the grafana/enterprise-logs-provisioner image to use."
+variable "memcached_tag" {
+  description = "The version of memcached to use for the gateway."
   type        = string
-  default     = "v1.7.0"
+  default     = "1.6.23-alpine"
 }
 
-variable "gateway_tag" {
-  description = "The version of nginxinc/nginx-unprivileged to use for the gateway."
+variable "namespace" {
+  description = "The namespace into which grafana will be deployed"
   type        = string
-  default     = "1.25.2-alpine"
+  default     = "loki"
 }
 
-variable "memcached_tag" {
-  description = "The version of memcached to use for the gateway."
+variable "oidc_provider_arn" {
+  description = "The ARN in the EKS cluster for the OpenID Connect identity provider."
   type        = string
-  default     = "1.6.23-alpine"
 }
 
-variable "exporter_tag" {
-  description = "The version of prom/memcached-exporter to use for the gateway."
+variable "profile" {
+  description = "AWS config profile used to upload images into ECR"
   type        = string
-  default     = "v0.14.4"
+  default     = ""
+}
+
+variable "region" {
+  description = "The region holding these resources (for the s3 bucket.)"
+  type        = string
+}
+
+variable "rwo_storage_class" {
+  description = "Specify the storage class for read/write/once persistent volumes."
+  type        = string
+  default     = "gp3-encrypted"
 }
 
 variable "sidecar_tag" {
   description = "The version of kiwigrid/k8s-sidecar to use for the gateway."
   type        = string
   default     = "1.27.4"
 }
+
+variable "tags" {
+  description = "Additional tags to add to resources created in AWS (s3 bucket, ...)"
+  type        = map(string)
+  default     = {}
+}
diff --git a/version.tf b/version.tf
@@ -1,4 +1,16 @@
+resource "null_resource" "git_version" {
+  triggers = {
+    # Force this to run on every apply to get the latest tag value
+    always_run = timestamp()
+  }
+
+  provisioner "local-exec" {
+    command    = "git describe --tags --abbrev=0 2>/dev/null || echo 'unknown' > ${path.module}/.git_tag"
+    on_failure = continue
+  }
+}
+
 locals {
   module_name    = "tfmod-loki"
-  module_version = "0.1.1"
+  module_version = fileexists("${path.module}/.git_tag") ? trimspace(file("${path.module}/.git_tag")) : "latest"
 }