From b2571d0c5b3391d8d1f82c8532b7539725449751 Mon Sep 17 00:00:00 2001 From: "Matthew C. Morgan" Date: Mon, 14 Apr 2025 18:23:36 -0400 Subject: [PATCH] pull from ent-ecr --- .github/workflows/terraform-validate.yaml | 54 +++++++++-------- README.md | 6 ++ copy_images.tf | 44 +++++++++----- requirements.tf | 4 ++ variables.tf | 71 +++++++++++++---------- 5 files changed, 107 insertions(+), 72 deletions(-) diff --git a/.github/workflows/terraform-validate.yaml b/.github/workflows/terraform-validate.yaml index 72829d8..04b96db 100644 --- a/.github/workflows/terraform-validate.yaml +++ b/.github/workflows/terraform-validate.yaml 
@@ -1,42 +1,40 @@ -name: Terraform Validate +name: Terraform CI/CD on: - pull_request: workflow_dispatch: - + pull_request: + types: [closed] + branches: + - main jobs: - - terraform-validate: - runs-on: "229685449397" + terraform-ci-cd: + runs-on: 229685449397 permissions: contents: write + steps: - name: Checkout code uses: CSVD/gh-actions-checkout@v4 - - name: Setup Terraform - uses: CSVD/gh-actions-setup-terraform@v2 + - name: Setup GITHUB Credentials + id: github_credentials + uses: CSVD/gh-auth@main with: - terraform_version: '1.7.3' - - - name: Validate Terraform Configuration - id: validate - uses: CSVD/terraform-validate@main + github_app_pem_file: ${{ secrets.GH_APP_PEM_FILE }} + github_app_installation_id: ${{ vars.GH_APP_INSTALLATION_ID }} + github_app_id: ${{ vars.GH_APP_ID }} - - name: Check Validation/Test Results - if: always() + - name: Setup GitHub CLI run: | - # Set default values if outputs are empty - IS_VALID="${{ steps.validate.outputs.is_valid }}" - TESTS_PASSED="${{ steps.validate.outputs.tests_passed }}" + # Force manual authentication since setup-git might not work with GitHub Enterprise + echo "${{ steps.github_credentials.outputs.github_token }}" > /tmp/token.txt + gh auth login --with-token --hostname "github.e.it.census.gov" < /tmp/token.txt + rm /tmp/token.txt - # If outputs are empty, set them to false - [ -z "$IS_VALID" ] && IS_VALID="false" - [ -z "$TESTS_PASSED" ] && TESTS_PASSED="false" + # Test GitHub CLI auth status + gh auth status || echo "GitHub CLI authentication failed" - if [[ "$IS_VALID" != "true" || "$TESTS_PASSED" != "true" ]]; then - echo "Validation or test errors found:" - echo "${{ steps.validate.outputs.stderr }}" - exit 1 - else - echo "All validations and tests passed successfully!" - fi + - name: Run Release Action + uses: CSVD/releaser@main + with: + github-token: ${{ steps.github_credentials.outputs.github_token }} + working-directory: '.' diff --git a/README.md b/README.md index a7e1379..804d573 100644 
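Review bot: The job has no merged guard: with `pull_request: types: [closed]` on `main`, a PR that is closed without merging still runs `CSVD/releaser@main` under `contents: write`, so add `if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch'` on `terraform-ci-cd`. In the Setup GitHub CLI step the App token is interpolated into the script body with `${{ }}` and written to `/tmp/token.txt`; pass it through `env: GH_TOKEN: ${{ steps.github_credentials.outputs.github_token }}` and feed it on stdin, e.g. `printf '%s' "$GH_TOKEN" | gh auth login --with-token --hostname github.e.it.census.gov`, so it never touches disk or the shell parser. `gh auth status || echo "GitHub CLI authentication failed"` masks a failed login and lets the release step run anyway; drop the `|| echo` so the step fails. Note that the former validate/test steps were removed, so nothing runs `terraform validate` before a release, and both new actions are pinned to `@main` rather than a tag or SHA.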
--- a/README.md +++ b/README.md @@ -62,6 +62,7 @@ sys 0m3.489s | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13 | +| [aws](#requirement\_aws) | >= 5.14.0 | | [helm](#requirement\_helm) | >= 2.11.0 | | [kubernetes](#requirement\_kubernetes) | >= 2.23.0 | @@ -69,6 +70,7 @@ sys 0m3.489s | Name | Version | |------|---------| +| [aws](#provider\_aws) | 5.89.0 | | [helm](#provider\_helm) | 2.17.0 | ## Modules @@ -82,11 +84,14 @@ sys 0m3.489s | Name | Type | |------|------| | [helm_release.prometheus](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [aws_ecr_authorization_token.ecr_token](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ecr_authorization_token) | data source | +| [aws_ecr_authorization_token.token](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ecr_authorization_token) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| [account\_id](#input\_account\_id) | aws account number | `string` | `""` | no | | [alertmanager\_tag](#input\_alertmanager\_tag) | The image tag of the alertmanager image. | `string` | `"v0.27.0"` | no | | [cluster\_name](#input\_cluster\_name) | The name of the cluster into which prometheus will be installed. | `string` | n/a | yes | | [kube\_state\_metrics\_tag](#input\_kube\_state\_metrics\_tag) | The image tag of the kube-state-metrics image. | `string` | `"v2.13.0"` | no | 
@@ -97,6 +102,7 @@ sys 0m3.489s | [prometheus\_config\_reloader\_tag](#input\_prometheus\_config\_reloader\_tag) | The image tag of the prometheus-config-reloader image. | `string` | `"v0.75.2"` | no | | [prometheus\_server\_tag](#input\_prometheus\_server\_tag) | The image tag of prometheus server to install into the cluster. | `string` | `"v2.54.0"` | no | | [pushgateway\_tag](#input\_pushgateway\_tag) | The image tag of the pushgateway image. | `string` | `"v1.9.0"` | no | +| [region](#input\_region) | AWS region | `string` | n/a | yes | | [rwo\_storage\_class](#input\_rwo\_storage\_class) | Specify the storage class for read/write/once persistent volumes. | `string` | `"gp3-encrypted"` | no | ## Outputs diff --git a/copy_images.tf b/copy_images.tf index d92393b..d226182 100644 --- a/copy_images.tf +++ b/copy_images.tf 
@@ -1,19 +1,21 @@ locals { - prom_config_reload_name = "prometheus/prometheus-config-reloader" - prom_config_reload_key = format("%v#%v", local.prom_config_reload_name, var.prometheus_config_reloader_tag) - - prom_name = "prometheus/prometheus" - prom_key = format("%v#%v", local.prom_name, var.prometheus_server_tag) - alertman_name = "prometheus/alertmanager" alertman_key = format("%v#%v", local.alertman_name, var.alertmanager_tag) + ent_ecr_source = format("%v.%v.%v.%v", var.account_id, "dkr.ecr", var.region, "amazonaws.com/ent-images") + ksm_name = "prometheus/kube-state-metrics" ksm_key = format("%v#%v", local.ksm_name, var.kube_state_metrics_tag) node_exporter_name = "prometheus/node-exporter" node_exporter_key = format("%v#%v", local.node_exporter_name, var.node_exporter_tag) + prom_config_reload_name = "prometheus/prometheus-config-reloader" + prom_config_reload_key = format("%v#%v", local.prom_config_reload_name, var.prometheus_config_reloader_tag) + + prom_name = "prometheus/prometheus" + prom_key = format("%v#%v", local.prom_name, var.prometheus_server_tag) + pushgateway_name = "prometheus/pushgateway" pushgateway_key = format("%v#%v", local.pushgateway_name, var.pushgateway_tag) @@ -23,7 +25,7 @@ locals { dest_path = null name = local.prom_config_reload_name source_image = "prometheus-operator/prometheus-config-reloader" - source_registry = "quay.io" + source_registry = format("%v/%v", local.ent_ecr_source, "quay") source_tag = var.prometheus_config_reloader_tag tag = var.prometheus_config_reloader_tag }, @@ -32,7 +34,7 @@ locals { dest_path = null name = local.prom_name source_image = "prometheus/prometheus" - source_registry = "quay.io" + source_registry = format("%v/%v", local.ent_ecr_source, "quay") source_tag = var.prometheus_server_tag tag = var.prometheus_server_tag }, 
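Review bot: `ent_ecr_source` is assembled from `var.account_id`, which this change declares with `default = ""`, so an unset variable silently yields the host `.dkr.ecr.<region>.amazonaws.com/ent-images` instead of failing at plan time. Either make `account_id` required or fall back to the caller's identity, e.g. `ent_ecr_account = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id` (with a `data "aws_caller_identity" "current" {}`), and build the host from that. The hard-coded `amazonaws.com` suffix assumes the standard partition; `data.aws_partition.current.dns_suffix` is the portable form if this module is ever applied elsewhere. A one-line comment on the local such as `# Enterprise ECR mirror; quay/ironbank path segments are appended per image below` would help readers, since the `quay` and `ironbank` prefixes only appear in later entries.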
@@ -41,7 +43,7 @@ locals { dest_path = null name = local.alertman_name source_image = "prometheus/alertmanager" - source_registry = "quay.io" + source_registry = format("%v/%v", local.ent_ecr_source, "quay") source_tag = var.alertmanager_tag tag = var.alertmanager_tag }, @@ -49,8 +51,8 @@ locals { enabled = true dest_path = null name = local.ksm_name - source_image = "kube-state-metrics/kube-state-metrics" - source_registry = "registry.k8s.io" + source_image = "opensource/kubernetes/kube-state-metrics" + source_registry = format("%v/%v", local.ent_ecr_source, "ironbank") source_tag = var.kube_state_metrics_tag tag = var.kube_state_metrics_tag }, @@ -59,7 +61,7 @@ locals { dest_path = null name = local.node_exporter_name source_image = "prometheus/node-exporter" - source_registry = "quay.io" + source_registry = format("%v/%v", local.ent_ecr_source, "quay") source_tag = var.node_exporter_tag tag = var.node_exporter_tag }, @@ -68,7 +70,7 @@ locals { dest_path = null name = local.pushgateway_name source_image = "prometheus/pushgateway" - source_registry = "quay.io" + source_registry = format("%v/%v", local.ent_ecr_source, "quay") source_tag = var.pushgateway_tag tag = var.pushgateway_tag }, @@ -86,5 +88,19 @@ module "images" { enable_lifecycle_policy = true lifecycle_policy_all = true force_delete = true - lifecycle_policy_keep_count = 3 + lifecycle_policy_keep_count = 5 + + source_username = data.aws_ecr_authorization_token.ecr_token.user_name + source_password = data.aws_ecr_authorization_token.ecr_token.password + + destination_username = data.aws_ecr_authorization_token.token.user_name + destination_password = data.aws_ecr_authorization_token.token.password +} + +data "aws_ecr_authorization_token" "ecr_token" { + registry_id = var.account_id +} + +data "aws_ecr_authorization_token" "token" { + registry_id = var.account_id } diff --git a/requirements.tf b/requirements.tf index 5f150af..ae62e15 100644 --- a/requirements.tf +++ b/requirements.tf 
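Review bot: The two `aws_ecr_authorization_token` data sources at the end of the last hunk are identical (`registry_id = var.account_id` for both), so `source_*` and `destination_*` receive the same credentials; either drop `token` and point `destination_username`/`destination_password` at `data.aws_ecr_authorization_token.ecr_token`, or, if the destination is meant to be a different account, give `token` its own `registry_id`. The token's `password` attribute is stored in Terraform state in plaintext and, per AWS docs, expires after 12 hours, so state must be treated as sensitive and a saved plan cannot be applied much later — worth a comment above the data sources. For the kube-state-metrics entry the source moved to the Iron Bank mirror (`opensource/kubernetes/kube-state-metrics`) but `source_tag` is still `var.kube_state_metrics_tag` (`v2.13.0`); I cannot tell from here whether the mirrored image uses the same tag scheme as registry.k8s.io, so confirm that tag exists. `lifecycle_policy_keep_count` was raised to 5 while `force_delete = true` remains, which deletes repositories that still hold images on destroy; a comment on the module call noting that would prevent surprises.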
@@ -2,6 +2,10 @@ terraform { required_version = ">= 0.13" required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 5.14.0" + } helm = { source = "hashicorp/helm" version = ">= 2.11.0" diff --git a/variables.tf b/variables.tf index ad3b3b7..549f70f 100644 --- a/variables.tf +++ b/variables.tf @@ -1,20 +1,50 @@ -variable "profile" { - description = "AWS_PROFILE to use to apply the terraform script." +variable "account_id" { + description = "aws account number" type = string default = "" } +# The `APP VERSION` of the output: +# helm search repo prometheus-community/alertmanager +variable "alertmanager_tag" { + description = "The image tag of the alertmanager image." + type = string + default = "v0.27.0" +} + variable "cluster_name" { description = "The name of the cluster into which prometheus will be installed." type = string } +# The `APP VERSION` of the output: +# helm search repo prometheus-community/kube-state-metrics +variable "kube_state_metrics_tag" { + description = "The image tag of the kube-state-metrics image." + type = string + default = "v2.13.0" +} + variable "namespace" { description = "The namespace to install the prometheus components. Defaults to 'prometheus'" type = string default = "prometheus" } +# The `APP VERSION` of the output: +# helm search repo prometheus-community/prometheus-node-exporter +variable "node_exporter_tag" { + description = "The image tag of the node-exporter image." + type = string + default = "v1.8.2" +} + +variable "profile" { + description = "AWS_PROFILE to use to apply the terraform script." + type = string + default = "" +} + # helm repo add prometheus-community https://prometheus-community.github.io/helm-charts # helm search repo prometheus-community/prometheus | head -2 variable "prometheus_chart_version" { 
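Review bot: `account_id` is declared with `default = ""` even though copy_images.tf uses it for the ECR host and for `registry_id`; it should have no default (like the new `region` variable) and a validation block, e.g. `condition = can(regex("^[0-9]{12}$", var.account_id))` with `error_message = "account_id must be a 12-digit AWS account ID."`. The description `aws account number` should say which account: `description = "AWS account ID hosting the ent-images ECR mirror (source and destination registry)."`. `profile` is retained and documented only as an AWS_PROFILE hint; if no provider block in this module consumes it, say so in its description or remove it in a follow-up. In the requirements.tf hunk `aws` is pinned open-ended at `>= 5.14.0` while the README records 5.89.0 in use; `~> 5.14` would prevent an unreviewed major-version jump.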
@@ -23,13 +53,6 @@ variable "prometheus_chart_version" { default = "25.26.0" } -# The `APP VERSION` of the output found while determining the chart version -variable "prometheus_server_tag" { - description = "The image tag of prometheus server to install into the cluster." - type = string - default = "v2.54.0" -} - # helm show values prometheus-community/prometheus | less variable "prometheus_config_reloader_tag" { description = "The image tag of the prometheus-config-reloader image." @@ -37,28 +60,11 @@ variable "prometheus_config_reloader_tag" { default = "v0.75.2" } -# The `APP VERSION` of the output: -# helm search repo prometheus-community/alertmanager -variable "alertmanager_tag" { - description = "The image tag of the alertmanager image." - type = string - default = "v0.27.0" -} - -# The `APP VERSION` of the output: -# helm search repo prometheus-community/kube-state-metrics -variable "kube_state_metrics_tag" { - description = "The image tag of the kube-state-metrics image." - type = string - default = "v2.13.0" -} - -# The `APP VERSION` of the output: -# helm search repo prometheus-community/prometheus-node-exporter -variable "node_exporter_tag" { - description = "The image tag of the node-exporter image." +# The `APP VERSION` of the output found while determining the chart version +variable "prometheus_server_tag" { + description = "The image tag of prometheus server to install into the cluster." type = string - default = "v1.8.2" + default = "v2.54.0" } # The `APP VERSION` of the output: @@ -69,6 +75,11 @@ variable "pushgateway_tag" { default = "v1.9.0" } +variable "region" { + description = "AWS region" + type = string +} + variable "rwo_storage_class" { description = "Specify the storage class for read/write/once persistent volumes." type = string