[Major] Code Freeze PR

.github/workflows/terraform-release.yaml

@@ -1,25 +1,20 @@
-name: Terraform CI/CD
+name: Terraform Module Release
 on:
   workflow_dispatch:
   pull_request:
     types: [closed]
     branches:
       - main
 jobs:
-  terraform-ci-cd:
-    runs-on: 229685449397
+  terraform-release:
+    runs-on: "229685449397"
     permissions:
       contents: write
 
     steps:
       - name: Checkout code
         uses: CSVD/gh-actions-checkout@v4
 
-      - name: Setup Terraform
-        uses: CSVD/gh-actions-setup-terraform@v3
-        with:
-          terraform_version: "1.9.1"
-
       - name: Setup GITHUB Credentials
         id: github_credentials
         uses: CSVD/gh-auth@main
@@ -28,28 +23,6 @@ jobs:
           github_app_installation_id: ${{ vars.GH_APP_INSTALLATION_ID }}
           github_app_id: ${{ vars.GH_APP_ID }}
 
-
-      - name: Debug Authentication
-        run: |
-          # Print the GitHub server URL
-          echo "GitHub Server URL: ${{ github.server_url }}"
-
-          # Extract the host from the URL
-          HOST="${{ github.server_url }}"
-          HOST="${HOST#*//}"
-          HOST="${HOST%%/*}"
-          echo "GitHub Host: $HOST"
-
-          # Check if token exists
-          if [[ -n "${{ steps.github_credentials.outputs.github_token }}" ]]; then
-            echo "Token generated successfully"
-            # Test the token with a simple GitHub API call (without exposing the token)
-            STATUS=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer ${{ steps.github_credentials.outputs.github_token }}" "${{ github.server_url }}/api/v3/user")
-            echo "API Test Status Code: $STATUS"
-          else
-            echo "No token was generated!"
-          fi
-
       - name: Setup GitHub CLI
         run: |
           # Force manual authentication since setup-git might not work with GitHub Enterprise
@@ -60,14 +33,8 @@ jobs:
           # Test GitHub CLI auth status
           gh auth status || echo "GitHub CLI authentication failed"
 
-      - name: AWS Auth
-        id: aws_auth
-        uses: CSVD/aws-auth@main
-        with:
-          ecs: true
-
-      - name: Run Terraform Module Release Action
-        uses: CSVD/terraform-module-release@main
+      - name: Run Release Action
+        uses: CSVD/releaser@main
         with:
           github-token: ${{ steps.github_credentials.outputs.github_token }}
           working-directory: '.'

.github/workflows/terraform-validate.yaml

@@ -16,7 +16,7 @@ jobs:
       - name: Setup Terraform
         uses: CSVD/gh-actions-setup-terraform@v2
         with:
-          terraform_version: '1.7.3'
+          terraform_version: '1.10.5'
 
       - name: Validate Terraform Configuration
         id: validate

README.md

@@ -62,14 +62,19 @@ sys     0m3.489s
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.14.0 |
 | <a name="requirement_helm"></a> [helm](#requirement\_helm) | >= 2.11.0 |
 | <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | >= 2.23.0 |
+| <a name="requirement_null"></a> [null](#requirement\_null) | >= 3.2.1 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.94.1 |
+| <a name="provider_aws.eecr"></a> [aws.eecr](#provider\_aws.eecr) | 5.94.1 |
 | <a name="provider_helm"></a> [helm](#provider\_helm) | 2.17.0 |
+| <a name="provider_null"></a> [null](#provider\_null) | 3.2.3 |
 
 ## Modules
 
@@ -82,13 +87,18 @@ sys     0m3.489s
 | Name | Type |
 |------|------|
 | [helm_release.prometheus](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [null_resource.git_version](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [aws_ecr_authorization_token.ecr_token](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ecr_authorization_token) | data source |
+| [aws_ecr_authorization_token.token](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ecr_authorization_token) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_account_id"></a> [account\_id](#input\_account\_id) | aws account number | `string` | `""` | no |
 | <a name="input_alertmanager_tag"></a> [alertmanager\_tag](#input\_alertmanager\_tag) | The image tag of the alertmanager image. | `string` | `"v0.27.0"` | no |
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | The name of the cluster into which prometheus will be installed. | `string` | n/a | yes |
+| <a name="input_eecr_info"></a> [eecr\_info](#input\_eecr\_info) | Enterprise ECR source information | <pre>object({<br/>    account_id = string<br/>    alias      = string<br/>    profile    = string<br/>    region     = string<br/>  })</pre> | <pre>{<br/>  "account_id": "269222635945",<br/>  "alias": "lab-gov-shared-nonprod",<br/>  "profile": "269222635945-lab-gov-shared-nonprod",<br/>  "region": "us-gov-east-1"<br/>}</pre> | no |
 | <a name="input_kube_state_metrics_tag"></a> [kube\_state\_metrics\_tag](#input\_kube\_state\_metrics\_tag) | The image tag of the kube-state-metrics image. | `string` | `"v2.13.0"` | no |
 | <a name="input_namespace"></a> [namespace](#input\_namespace) | The namespace to install the prometheus components. Defaults to 'prometheus' | `string` | `"prometheus"` | no |
 | <a name="input_node_exporter_tag"></a> [node\_exporter\_tag](#input\_node\_exporter\_tag) | The image tag of the node-exporter image. | `string` | `"v1.8.2"` | no |
@@ -97,6 +107,7 @@ sys     0m3.489s
 | <a name="input_prometheus_config_reloader_tag"></a> [prometheus\_config\_reloader\_tag](#input\_prometheus\_config\_reloader\_tag) | The image tag of the prometheus-config-reloader image. | `string` | `"v0.75.2"` | no |
 | <a name="input_prometheus_server_tag"></a> [prometheus\_server\_tag](#input\_prometheus\_server\_tag) | The image tag of prometheus server to install into the cluster. | `string` | `"v2.54.0"` | no |
 | <a name="input_pushgateway_tag"></a> [pushgateway\_tag](#input\_pushgateway\_tag) | The image tag of the pushgateway image. | `string` | `"v1.9.0"` | no |
+| <a name="input_region"></a> [region](#input\_region) | AWS region | `string` | n/a | yes |
 | <a name="input_rwo_storage_class"></a> [rwo\_storage\_class](#input\_rwo\_storage\_class) | Specify the storage class for read/write/once persistent volumes. | `string` | `"gp3-encrypted"` | no |
 
 ## Outputs

copy_images.tf

@@ -1,19 +1,21 @@
 locals {
-  prom_config_reload_name = "prometheus/prometheus-config-reloader"
-  prom_config_reload_key  = format("%v#%v", local.prom_config_reload_name, var.prometheus_config_reloader_tag)
-
-  prom_name = "prometheus/prometheus"
-  prom_key  = format("%v#%v", local.prom_name, var.prometheus_server_tag)
-
   alertman_name = "prometheus/alertmanager"
   alertman_key  = format("%v#%v", local.alertman_name, var.alertmanager_tag)
 
+  ent_ecr_source = format("%v.%v.%v.%v", var.eecr_info.account_id, "dkr.ecr", var.region, "amazonaws.com/ent-images")
+
   ksm_name = "prometheus/kube-state-metrics"
   ksm_key  = format("%v#%v", local.ksm_name, var.kube_state_metrics_tag)
 
   node_exporter_name = "prometheus/node-exporter"
   node_exporter_key  = format("%v#%v", local.node_exporter_name, var.node_exporter_tag)
 
+  prom_config_reload_name = "prometheus/prometheus-config-reloader"
+  prom_config_reload_key  = format("%v#%v", local.prom_config_reload_name, var.prometheus_config_reloader_tag)
+
+  prom_name = "prometheus/prometheus"
+  prom_key  = format("%v#%v", local.prom_name, var.prometheus_server_tag)
+
   pushgateway_name = "prometheus/pushgateway"
   pushgateway_key  = format("%v#%v", local.pushgateway_name, var.pushgateway_tag)
 
@@ -22,44 +24,44 @@ locals {
       enabled         = true
       dest_path       = null
       name            = local.prom_config_reload_name
-      source_image    = "prometheus-operator/prometheus-config-reloader"
-      source_registry = "quay.io"
+      source_image    = "opensource/prometheus-operator/prometheus-config-reloader"
+      source_registry = format("%v/%v", local.ent_ecr_source, "ironbank")
       source_tag      = var.prometheus_config_reloader_tag
       tag             = var.prometheus_config_reloader_tag
     },
     {
       enabled         = true
       dest_path       = null
       name            = local.prom_name
-      source_image    = "prometheus/prometheus"
-      source_registry = "quay.io"
+      source_image    = "opensource/prometheus/prometheus"
+      source_registry = format("%v/%v", local.ent_ecr_source, "ironbank")
       source_tag      = var.prometheus_server_tag
       tag             = var.prometheus_server_tag
     },
     {
       enabled         = true
       dest_path       = null
       name            = local.alertman_name
-      source_image    = "prometheus/alertmanager"
-      source_registry = "quay.io"
+      source_image    = "opensource/prometheus/alertmanager"
+      source_registry = format("%v/%v", local.ent_ecr_source, "ironbank")
       source_tag      = var.alertmanager_tag
       tag             = var.alertmanager_tag
     },
     {
       enabled         = true
       dest_path       = null
       name            = local.ksm_name
-      source_image    = "kube-state-metrics/kube-state-metrics"
-      source_registry = "registry.k8s.io"
+      source_image    = "opensource/kubernetes/kube-state-metrics"
+      source_registry = format("%v/%v", local.ent_ecr_source, "ironbank")
       source_tag      = var.kube_state_metrics_tag
       tag             = var.kube_state_metrics_tag
     },
     {
       enabled         = true
       dest_path       = null
       name            = local.node_exporter_name
-      source_image    = "prometheus/node-exporter"
-      source_registry = "quay.io"
+      source_image    = "opensource/prometheus/node-exporter"
+      source_registry = format("%v/%v", local.ent_ecr_source, "ironbank")
       source_tag      = var.node_exporter_tag
       tag             = var.node_exporter_tag
     },
@@ -68,7 +70,7 @@ locals {
       dest_path       = null
       name            = local.pushgateway_name
       source_image    = "prometheus/pushgateway"
-      source_registry = "quay.io"
+      source_registry = format("%v/%v", local.ent_ecr_source, "quay")
       source_tag      = var.pushgateway_tag
       tag             = var.pushgateway_tag
     },
@@ -86,5 +88,26 @@ module "images" {
   enable_lifecycle_policy     = true
   lifecycle_policy_all        = true
   force_delete                = true
-  lifecycle_policy_keep_count = 3
+  lifecycle_policy_keep_count = 5
+
+  source_username = data.aws_ecr_authorization_token.ecr_token.user_name
+  source_password = data.aws_ecr_authorization_token.ecr_token.password
+
+  destination_username = data.aws_ecr_authorization_token.token.user_name
+  destination_password = data.aws_ecr_authorization_token.token.password
+}
+
+data "aws_ecr_authorization_token" "token" {
+  registry_id = var.account_id
+}
+
+data "aws_ecr_authorization_token" "ecr_token" {
+  provider    = aws.eecr
+  registry_id = var.eecr_info.account_id
+}
+
+provider "aws" {
+  alias   = "eecr"
+  profile = var.eecr_info.profile
+  region  = var.eecr_info.region
 }

main.tf

@@ -25,6 +25,7 @@ resource "helm_release" "prometheus" {
   namespace  = var.namespace
   version    = var.prometheus_chart_version
   repository = "https://prometheus-community.github.io/helm-charts"
+  timeout    = 600
 
   # Global
   set {

requirements.tf

@@ -2,6 +2,10 @@ terraform {
   required_version = ">= 0.13"
 
   required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.14.0"
+    }
     helm = {
       source  = "hashicorp/helm"
       version = ">= 2.11.0"
@@ -10,5 +14,9 @@ terraform {
       source  = "hashicorp/kubernetes"
       version = ">= 2.23.0"
     }
+    null = {
+      source  = "hashicorp/null"
+      version = ">= 3.2.1"
+    }
   }
 }