build(deps): bump eks::stacks-terraform from 6.0.27 to 6.0.31 in /deploy/aws/infra #111
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: air.stacks-infrastructure-eks | |
| on: | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| branches: | |
| - main | |
| env: | |
| # The following SECRETS must be defined per environment (which must match environment key) in your GH Repository: | |
| # AWS_ACCESS_KEY_ID | |
| # AWS_ACCOUNT_ID | |
| # AWS_SECRET_ACCESS_KEY | |
| # AWS_TF_STATE_BUCKET | |
| # AWS_TF_STATE_DYNAMOTABLE | |
| CLOUD_PROVIDER: "aws" | |
| TaskctlVersion: '1.7.2' | |
| TF_INFRA_FILE_LOCATION: deploy/aws/infra | |
| TF_PRE_INFRA_FILE_LOCATION: deploy/aws/pre-infra | |
| VPC_CIDR: "10.0.0.0/16" | |
| NON_PROD_VPC_NAT_GATEWAY_PER_AZ: false | |
| PROD_VPC_NAT_GATEWAY_PER_AZ: true | |
| # DNS | |
| DNS_CREATE_HOSTEDZONE: true | |
| DNS_CREATE_HOSTEDZONE_PARENT_LINK: true | |
| CLUSTER_VERSION: "1.30" | |
| NON_PROD_CLUSTER_SINGLE_AZ: true | |
| PROD_CLUSTER_SINGLE_AZ: false | |
| NON_PROD_EKS_MINIMUM_NODES: "2" | |
| ## Prod is in all AZs so that's 1*<AZ Count Machines> | |
| PROD_EKS_MINIMUM_NODES: "1" | |
| NON_PROD_EKS_DESIRED_NODES: "2" | |
| PROD_EKS_DESIRED_NODES: "1" | |
| EKS_MAXIMUM_NODES: "3" | |
| EKS_NODE_SIZE: "t3.small" | |
| CLUSTER_ENDPOINT_PRIVATE_ACCESS: false | |
| CLUSTER_ENDPOINT_PUBLIC_ACCESS: true | |
| CLUSTER_ENABLE_CONTAINER_INSIGHTS: true | |
| CONTAINER_REGISTRY_PULL_PUSH_USER: true | |
| NON_PROD_FIREWALL_ENABLED: false | |
| PROD_FIREWALL_ENABLED: true | |
| FIREWALL_ALLOWED_DOMAIN_TARGETS: "[]" | |
| NON_PROD_FIREWALL_CREATE_TLS_ALERT_RULE: false | |
| PROD_FIREWALL_CREATE_TLS_ALERT_RULE: true | |
| # Ingress Nginx Helm | |
| INGRESS_NGINX_ENABLED: true | |
| INGRESS_NGINX_NAMESPACE: "ingress-nginx" | |
| INGRESS_NGINX_SERVICE_ACCOUNT_NAME: "ingress-nginx" | |
| INGRESS_NGINX_REPLICA_COUNT: 3 | |
| # Cert Manager Helm | |
| CERT_MANAGER_ENABLED: true | |
| CERT_MANAGER_NAMESPACE: "cert-manager" | |
| CERT_MANAGER_SERVICE_ACCOUNT_NAME: "cert-manager" | |
| # External DNS Helm | |
| EXTERNAL_DNS_ENABLED: true | |
| EXTERNAL_DNS_NAMESPACE: "external-dns" | |
| EXTERNAL_DNS_SERVICE_ACCOUNT_NAME: "external-dns" | |
| jobs: | |
| Lint: | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set environment variables | |
| run: | | |
| cat .github/workflows/infrastructure.env >> $GITHUB_ENV | |
| - uses: ./build/github/templates/install-taskctl | |
| - run: taskctl image-pull | |
| - run: taskctl yaml-lint | |
| - name: Pre-Infrastructure Terraform Lint | |
| run: taskctl terraform-lint | |
| env: | |
| TF_FILE_LOCATION: ${{ env.TF_PRE_INFRA_FILE_LOCATION }} | |
| - name: Infrastructure Terraform Lint | |
| run: taskctl terraform-lint | |
| env: | |
| TF_FILE_LOCATION: ${{ env.TF_INFRA_FILE_LOCATION }} | |
| InfraDev: | |
| if: github.ref != 'refs/heads/main' | |
| needs: Lint | |
| runs-on: ubuntu-24.04 | |
| environment: nonprod | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set environment variables | |
| run: | | |
| cat .github/workflows/infrastructure.env >> $GITHUB_ENV | |
| - uses: ./build/github/templates/install-taskctl | |
| - run: taskctl image-pull | |
| - name: Pre-Infrastructure Deploy | |
| run: | | |
| taskctl infrastructure | |
| taskctl pre-infra:post-deploy | |
| env: | |
| ENV_NAME: nonprod | |
| # AWS Environmental Config | |
| AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| AWS_DEFAULT_REGION: ${{ env.REGION }} | |
| # Terraform Backend Configuration | |
| TF_FILE_LOCATION: ${{ env.TF_PRE_INFRA_FILE_LOCATION }} | |
| TF_BACKEND_ARGS: region=${{ env.AWS_TF_STATE_REGION }},access_key=${{ secrets.AWS_ACCESS_KEY_ID }},secret_key=${{ secrets.AWS_SECRET_ACCESS_KEY }},bucket=${{ secrets.AWS_TF_STATE_BUCKET }},key=${{ env.AWS_TF_PRE_INFRA_STATE_KEY }},dynamodb_table=${{ secrets.AWS_TF_STATE_DYNAMOTABLE }},encrypt=true | |
| # Terraform Resource Configuration | |
| TF_VAR_name_company: ${{ env.COMPANY }} | |
| TF_VAR_name_project: ${{ env.PROJECT }} | |
| TF_VAR_name_component: ${{ env.COMPONENT }} | |
| TF_VAR_name_environment: "nonprod" | |
| TF_VAR_region: ${{ env.REGION }} | |
| TF_VAR_dns_create_hostedzone: ${{ env.DNS_CREATE_HOSTEDZONE}} | |
| TF_VAR_dns_hostedzone_name: ${{ env.NON_PROD_DOMAIN_NAME }} | |
| TF_VAR_dns_create_hostedzone_parent_link: ${{ env.DNS_CREATE_HOSTEDZONE_PARENT_LINK }} | |
| TF_VAR_dns_parent_hostedzone_name: ${{ env.DNS_PARENT_NAME }} | |
| TF_VAR_k8s_role_file_map: "[\"../../k8s/users/nonprod-admin-users.json\", \"../../k8s/users/nonprod-developer-users.json\"]" | |
| TF_VAR_container_registry_pull_push_user: ${{ env.CONTAINER_REGISTRY_PULL_PUSH_USER }} | |
| - name: Infrastructure Deploy | |
| run: taskctl infrastructure | |
| env: | |
| ENV_NAME: nonprod | |
| # AWS Environmental Config | |
| AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| AWS_DEFAULT_REGION: ${{ env.REGION }} | |
| # Terraform Backend Configuration | |
| TF_FILE_LOCATION: ${{ env.TF_INFRA_FILE_LOCATION }} | |
| TF_BACKEND_ARGS: region=${{ env.AWS_TF_STATE_REGION }},access_key=${{ secrets.AWS_ACCESS_KEY_ID }},secret_key=${{ secrets.AWS_SECRET_ACCESS_KEY }},bucket=${{ secrets.AWS_TF_STATE_BUCKET }},key=${{ env.AWS_TF_INFRA_STATE_KEY }},dynamodb_table=${{ secrets.AWS_TF_STATE_DYNAMOTABLE }},encrypt=true | |
| # Terraform Resource Configuration | |
| TF_VAR_name_company: ${{ env.COMPANY }} | |
| TF_VAR_name_project: ${{ env.PROJECT }} | |
| TF_VAR_name_component: ${{ env.COMPONENT }} | |
| TF_VAR_name_environment: "nonprod" | |
| TF_VAR_region: ${{ env.REGION }} | |
| TF_VAR_vpc_cidr: ${{ env.VPC_CIDR }} | |
| TF_VAR_vpc_nat_gateway_per_az: ${{ env.NON_PROD_VPC_NAT_GATEWAY_PER_AZ }} | |
| TF_VAR_firewall_enabled: ${{ env.NON_PROD_FIREWALL_ENABLED }} | |
| TF_VAR_firewall_allowed_domain_targets: ${{ env.FIREWALL_ALLOWED_DOMAIN_TARGETS }} | |
| TF_VAR_firewall_create_tls_alert_rule: ${{ env.NON_PROD_FIREWALL_CREATE_TLS_ALERT_RULE }} | |
| TF_VAR_cluster_version: ${{ env.CLUSTER_VERSION }} | |
| TF_VAR_cluster_single_az: ${{ env.NON_PROD_CLUSTER_SINGLE_AZ }} | |
| TF_VAR_cluster_endpoint_private_access: ${{ env.CLUSTER_ENDPOINT_PRIVATE_ACCESS }} | |
| TF_VAR_cluster_endpoint_public_access: ${{ env.CLUSTER_ENDPOINT_PUBLIC_ACCESS }} | |
| TF_VAR_cluster_enable_container_insights: ${{ env.CLUSTER_ENABLE_CONTAINER_INSIGHTS }} | |
| TF_VAR_eks_minimum_nodes: ${{ env.NON_PROD_EKS_MINIMUM_NODES }} | |
| TF_VAR_eks_desired_nodes: ${{ env.NON_PROD_EKS_DESIRED_NODES }} | |
| TF_VAR_eks_maximum_nodes: ${{ env.EKS_MAXIMUM_NODES }} | |
| TF_VAR_eks_node_size: ${{ env.EKS_NODE_SIZE }} | |
| TF_VAR_cert_manager_enabled: "${{ env.CERT_MANAGER_ENABLED }}" | |
| TF_VAR_cert_manager_namespace: "${{ env.CERT_MANAGER_NAMESPACE }}" | |
| TF_VAR_cert_manager_service_account_name: "${{ env.CERT_MANAGER_SERVICE_ACCOUNT_NAME }}" | |
| TF_VAR_external_dns_enabled: "${{ env.EXTERNAL_DNS_ENABLED }}" | |
| TF_VAR_external_dns_namespace: "${{ env.EXTERNAL_DNS_NAMESPACE }}" | |
| TF_VAR_external_dns_service_account_name: "${{ env.EXTERNAL_DNS_SERVICE_ACCOUNT_NAME }}" | |
| - name: Helm Deploy | |
| run: taskctl helm | |
| env: | |
| ENV_NAME: nonprod | |
| # AWS Environmental Config | |
| AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| AWS_DEFAULT_REGION: ${{ env.REGION }} | |
| # Helm Config | |
| CERT_MANAGER_DNS_NAME: ${{ env.NON_PROD_DOMAIN_NAME }} | |
| InfraProd: | |
| if: github.ref == 'refs/heads/main' | |
| needs: Lint | |
| runs-on: ubuntu-24.04 | |
| environment: prod | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set environment variables | |
| run: | | |
| cat .github/workflows/infrastructure.env >> $GITHUB_ENV | |
| - uses: ./build/github/templates/install-taskctl | |
| - run: taskctl image-pull | |
| - name: Pre-Infrastructure Deploy | |
| run: | | |
| taskctl infrastructure | |
| taskctl pre-infra:post-deploy | |
| env: | |
| ENV_NAME: prod | |
| # AWS Environmental Config | |
| AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| AWS_DEFAULT_REGION: ${{ env.REGION }} | |
| # Terraform Backend Configuration | |
| TF_FILE_LOCATION: ${{ env.TF_PRE_INFRA_FILE_LOCATION }} | |
| TF_BACKEND_ARGS: region=${{ env.AWS_TF_STATE_REGION }},access_key=${{ secrets.AWS_ACCESS_KEY_ID }},secret_key=${{ secrets.AWS_SECRET_ACCESS_KEY }},bucket=${{ secrets.AWS_TF_STATE_BUCKET }},key=${{ env.AWS_TF_PRE_INFRA_STATE_KEY }},dynamodb_table=${{ secrets.AWS_TF_STATE_DYNAMOTABLE }},encrypt=true | |
| # Terraform Resource Configuration | |
| TF_VAR_name_company: ${{ env.COMPANY }} | |
| TF_VAR_name_project: ${{ env.PROJECT }} | |
| TF_VAR_name_component: ${{ env.COMPONENT }} | |
| TF_VAR_name_environment: "prod" | |
| TF_VAR_region: ${{ env.REGION }} | |
| TF_VAR_dns_create_hostedzone: ${{ env.DNS_CREATE_HOSTEDZONE}} | |
| TF_VAR_dns_hostedzone_name: ${{ env.PROD_DOMAIN_NAME }} | |
| TF_VAR_dns_create_hostedzone_parent_link: ${{ env.DNS_CREATE_HOSTEDZONE_PARENT_LINK }} | |
| TF_VAR_dns_parent_hostedzone_name: ${{ env.DNS_PARENT_NAME }} | |
| TF_VAR_k8s_role_file_map: "[\"../../k8s/users/prod-admin-users.json\", \"../../k8s/users/prod-developer-users.json\"]" | |
| TF_VAR_container_registry_pull_push_user: ${{ env.CONTAINER_REGISTRY_PULL_PUSH_USER }} | |
| - name: Infrastructure Deploy | |
| run: taskctl infrastructure | |
| env: | |
| ENV_NAME: prod | |
| # AWS Environmental Config | |
| AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| AWS_DEFAULT_REGION: ${{ env.REGION }} | |
| # Terraform Backend Configuration | |
| TF_FILE_LOCATION: ${{ env.TF_INFRA_FILE_LOCATION }} | |
| TF_BACKEND_ARGS: region=${{ env.AWS_TF_STATE_REGION }},access_key=${{ secrets.AWS_ACCESS_KEY_ID }},secret_key=${{ secrets.AWS_SECRET_ACCESS_KEY }},bucket=${{ secrets.AWS_TF_STATE_BUCKET }},key=${{ env.AWS_TF_INFRA_STATE_KEY }},dynamodb_table=${{ secrets.AWS_TF_STATE_DYNAMOTABLE }},encrypt=true | |
| # Terraform Resource Configuration | |
| TF_VAR_name_company: ${{ env.COMPANY }} | |
| TF_VAR_name_project: ${{ env.PROJECT }} | |
| TF_VAR_name_component: ${{ env.COMPONENT }} | |
| TF_VAR_name_environment: "prod" | |
| TF_VAR_region: ${{ env.REGION }} | |
| TF_VAR_vpc_cidr: ${{ env.VPC_CIDR }} | |
| TF_VAR_vpc_nat_gateway_per_az: ${{ env.PROD_VPC_NAT_GATEWAY_PER_AZ }} | |
| TF_VAR_firewall_enabled: ${{ env.PROD_FIREWALL_ENABLED }} | |
| TF_VAR_firewall_allowed_domain_targets: ${{ env.FIREWALL_ALLOWED_DOMAIN_TARGETS }} | |
| TF_VAR_firewall_create_tls_alert_rule: ${{ env.PROD_FIREWALL_CREATE_TLS_ALERT_RULE }} | |
| TF_VAR_cluster_version: ${{ env.CLUSTER_VERSION }} | |
| TF_VAR_cluster_single_az: ${{ env.PROD_CLUSTER_SINGLE_AZ }} | |
| TF_VAR_cluster_endpoint_private_access: ${{ env.CLUSTER_ENDPOINT_PRIVATE_ACCESS }} | |
| TF_VAR_cluster_endpoint_public_access: ${{ env.CLUSTER_ENDPOINT_PUBLIC_ACCESS }} | |
| TF_VAR_cluster_enable_container_insights: ${{ env.CLUSTER_ENABLE_CONTAINER_INSIGHTS }} | |
| TF_VAR_eks_minimum_nodes: ${{ env.PROD_EKS_MINIMUM_NODES }} | |
| TF_VAR_eks_desired_nodes: ${{ env.PROD_EKS_DESIRED_NODES }} | |
| TF_VAR_eks_maximum_nodes: ${{ env.EKS_MAXIMUM_NODES }} | |
| TF_VAR_eks_node_size: ${{ env.EKS_NODE_SIZE }} | |
| TF_VAR_cert_manager_enabled: "${{ env.CERT_MANAGER_ENABLED }}" | |
| TF_VAR_cert_manager_namespace: "${{ env.CERT_MANAGER_NAMESPACE }}" | |
| TF_VAR_cert_manager_service_account_name: "${{ env.CERT_MANAGER_SERVICE_ACCOUNT_NAME }}" | |
| TF_VAR_external_dns_enabled: "${{ env.EXTERNAL_DNS_ENABLED }}" | |
| TF_VAR_external_dns_namespace: "${{ env.EXTERNAL_DNS_NAMESPACE }}" | |
| TF_VAR_external_dns_service_account_name: "${{ env.EXTERNAL_DNS_SERVICE_ACCOUNT_NAME }}" | |
| - name: Helm Deploy | |
| run: taskctl helm | |
| env: | |
| ENV_NAME: prod | |
| # AWS Environmental Config | |
| AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| AWS_DEFAULT_REGION: ${{ env.REGION }} | |
| # Helm Config | |
| CERT_MANAGER_DNS_NAME: ${{ env.PROD_DOMAIN_NAME }} |