feat: first infra for EKS

.editorconfig

@@ -0,0 +1,27 @@
+# Editor configuration, see http://editorconfig.org
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+indent_style = space
+indent_size = 4
+insert_final_newline = true
+trim_trailing_whitespace = true
+max_line_length = 80
+
+[*.md]
+max_line_length = off
+trim_trailing_whitespace = false
+
+[*.ps1]
+indent_style = tab
+
+[*.{yml,yaml}]
+indent_size = 2
+
+[yamllint.conf]
+indent_size = 2
+
+[*.{tf,tfvars}]
+indent_size = 2

.github/workflows/ci.yml

@@ -15,9 +15,6 @@ on:
       - main
 
 env:
-  # The following SECRETS are required in your GH Repository:
-  #   PACT_BEARER_TOKEN
-  #   SONAR_TOKEN
   # The following SECRETS must be defined per environment (which must match environment key) in your GH Repository:
   #   AWS_ACCESS_KEY_ID
   #   AWS_ACCOUNT_ID
@@ -29,44 +26,89 @@ env:
   #   AWS_TF_STATE_KEY
   #   AWS_TF_STATE_REGION
   CLOUD_PROVIDER: "aws"
-  TaskctlVersion: '1.4.2'
+  TaskctlVersion: '1.5.1'
   COMPANY: "ensono"
   PROJECT: "stacks"
   COMPONENT: "eks"
   REGION: "eu-west-2"
-  AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
-  TF_FILE_LOCATION: deploy/aws/stacks-eks
-  NON_PROD_BASE_DOMAIN_NAME: "nonprod.aws.stacks.ensono.com"
-  PROD_BASE_DOMAIN_NAME: "prod.aws.stacks.ensono.com"
-  # AWS LB Controller Helm
-  AWS_LB_CONTROLLER_ENABLED: true
-  AWS_LB_CONTROLLER_NAMESPACE: "aws-lb-controller"
-  AWS_LB_CONTROLLER_SERVICE_ACCOUNT_NAME: "aws-lb-controller"
-  # External DNS Helm
-  EXTERNAL_DNS_ENABLED: true
-  EXTERNAL_DNS_NAMESPACE: "external-dns"
-  EXTERNAL_DNS_SERVICE_ACCOUNT_NAME: "external-dns"
+  NON_PROD_AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
+  TF_INFRA_FILE_LOCATION: deploy/aws/infra
+  TF_PRE_INFRA_FILE_LOCATION: deploy/aws/pre-infra
+
+  VPC_CIDR: "10.0.0.0/16"
+  NON_PROD_VPC_NAT_GATEWAY_PER_AZ: false
+  PROD_VPC_NAT_GATEWAY_PER_AZ: true
+
+  # DNS
+  DNS_CREATE_HOSTEDZONE: true
+  DNS_CREATE_HOSTEDZONE_PARENT_LINK: true
+  NON_PROD_DOMAIN_NAME: "nonprod.aws.stacks.ensono.com"
+  PROD_DOMAIN_NAME: "prod.aws.stacks.ensono.com"
+  DNS_PARENT_NAME: "aws.stacks.ensono.com"
+
+  CLUSTER_VERSION: "1.30"
+  NON_PROD_CLUSTER_SINGLE_AZ: true
+  PROD_CLUSTER_SINGLE_AZ: false
+
+  EKS_MINIMUM_NODES: "1"
+  EKS_DESIRED_NODES: "1"
+  EKS_MAXIMUM_NODES: "3"
+  EKS_NODE_SIZE: "t3.small"
+
+  CLUSTER_ENDPOINT_PRIVATE_ACCESS: false
+  CLUSTER_ENDPOINT_PUBLIC_ACCESS: true
+
+  CONTAINER_REGISTRY_PULL_PUSH_USER: true
+
+  NON_PROD_FIREWALL_ENABLED: false
+  PROD_FIREWALL_ENABLED: true
+  FIREWALL_ALLOWED_DOMAIN_TARGETS: "[]"
+  NON_PROD_FIREWALL_CREATE_TLS_ALERT_RULE: false
+  PROD_FIREWALL_CREATE_TLS_ALERT_RULE: true
+
+  # Ingress Nginx Helm
+  INGRESS_NGINX_ENABLED: true
+  INGRESS_NGINX_NAMESPACE: "ingress-nginx"
+  INGRESS_NGINX_SERVICE_ACCOUNT_NAME: "ingress-nginx"
+  INGRESS_NGINX_REPLICA_COUNT: 3
+
+  # Cert Manager Helm
+  CERT_MANAGER_ENABLED: true
+  CERT_MANAGER_NAMESPACE: "cert-manager"
+  CERT_MANAGER_SERVICE_ACCOUNT_NAME: "cert-manager"
 
 jobs:
   Lint:
-    runs-on: ubuntu-latest
-
+    runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
+
       - uses: ./build/github/templates/install-taskctl
-      - run: taskctl -d lint
+
+      - run: taskctl image-pull
+
+      - run: taskctl -d yaml-lint
+
+      - run: taskctl -d terraform-lint
         env:
-          TF_FILE_LOCATION: ${{ env.TF_FILE_LOCATION }}
+          TF_FILE_LOCATION: ${{ env.TF_INFRA_FILE_LOCATION }}
+
+      - run: taskctl -d terraform-lint
+        env:
+          TF_FILE_LOCATION: ${{ env.TF_PRE_INFRA_FILE_LOCATION }}
 
   InfraDev:
     if: github.ref != 'refs/heads/master' && github.ref != 'refs/heads/main'
     needs: Lint
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     environment: nonprod
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
+
       - uses: ./build/github/templates/install-taskctl
-      # TODO: This is tactical, will require refactor of task to take arguments as separate var
+
+      - run: taskctl image-pull
+
       - run: taskctl -d infrastructure
         env:
           ENV_NAME: nonprod
@@ -75,61 +117,95 @@ jobs:
           AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           AWS_DEFAULT_REGION: ${{ env.REGION }}
           # Terraform Backend Configuration
-          AWS_TF_STATE_BUCKET: ${{ secrets.AWS_TF_STATE_BUCKET }}
-          AWS_TF_STATE_DYNAMOTABLE: ${{ secrets.AWS_TF_STATE_DYNAMOTABLE }}
-          AWS_TF_STATE_ENCRYPTION: ${{ secrets.AWS_TF_STATE_ENCRYPTION }}
-          AWS_TF_STATE_KEY: ${{ secrets.AWS_TF_STATE_KEY }}
-          AWS_TF_STATE_REGION: ${{ secrets.AWS_TF_STATE_REGION }}
-          TF_FILE_LOCATION: ${{ env.TF_FILE_LOCATION }}
+          TF_FILE_LOCATION: ${{ env.TF_PRE_INFRA_FILE_LOCATION }}
           TF_BACKEND_ARGS: region=${{ secrets.AWS_TF_STATE_REGION }},access_key=${{ secrets.AWS_ACCESS_KEY_ID }},secret_key=${{ secrets.AWS_SECRET_ACCESS_KEY }},bucket=${{ secrets.AWS_TF_STATE_BUCKET }},key=${{ secrets.AWS_TF_STATE_KEY }},dynamodb_table=${{ secrets.AWS_TF_STATE_DYNAMOTABLE }},encrypt=${{ secrets.AWS_TF_STATE_ENCRYPTION }}
           # Terraform Resource Configuration
-          TF_VAR_name_environment: "nonprod"
           TF_VAR_name_company: ${{ env.COMPANY }}
           TF_VAR_name_project: ${{ env.PROJECT }}
           TF_VAR_name_component: ${{ env.COMPONENT }}
+          TF_VAR_name_environment: "nonprod"
           TF_VAR_region: ${{ env.REGION }}
-          TF_VAR_dns_hostedzone_name: "${{ env.NON_PROD_BASE_DOMAIN_NAME }}"
-          TF_VAR_enable_zone: true
-          TF_VAR_manage_aws_auth_configmap: true
-          TF_VAR_external_dns_enabled: "${{ env.EXTERNAL_DNS_ENABLED }}"
-          TF_VAR_external_dns_namespace: "${{ env.EXTERNAL_DNS_NAMESPACE }}"
-          TF_VAR_external_dns_service_account_name: "${{ env.EXTERNAL_DNS_SERVICE_ACCOUNT_NAME }}"
-          TF_VAR_aws_lb_controller_enabled: ${{ env.AWS_LB_CONTROLLER_ENABLED }}
-          TF_VAR_aws_lb_controller_namespace: "${{ env.AWS_LB_CONTROLLER_NAMESPACE }}"
-          TF_VAR_aws_lb_controller_service_account_name: "${{ env.AWS_LB_CONTROLLER_SERVICE_ACCOUNT_NAME }}"
-
-  InfraProd:
-    if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/main'
-    needs: Lint
-    runs-on: ubuntu-latest
-    environment: prod
-    steps:
-      - uses: actions/checkout@v3
-      - uses: ./build/github/templates/install-taskctl
-      # TODO: This is tactical, will require refactor of task to take arguments as separate var
+          TF_VAR_dns_create_hostedzone: ${{ env.DNS_CREATE_HOSTEDZONE}}
+          TF_VAR_dns_hostedzone_name: ${{ env.NON_PROD_DOMAIN_NAME }}
+          TF_VAR_dns_create_hostedzone_parent_link: ${{ env.DNS_CREATE_HOSTEDZONE_PARENT_LINK }}
+          TF_VAR_dns_parent_hostedzone_name: ${{ env.DNS_PARENT_NAME }}
+          TF_VAR_k8s_role_file_map: "[\"../../k8s/users/nonprod-admin-users.json\", \"../../k8s/users/nonprod-developer-users.json\"]"
+          TF_VAR_container_registry_pull_push_user: ${{ env.CONTAINER_REGISTRY_PULL_PUSH_USER }}
+
       - run: taskctl -d infrastructure
         env:
-          ENV_NAME: prod
+          ENV_NAME: nonprod
           # AWS Environmental Config
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           AWS_DEFAULT_REGION: ${{ env.REGION }}
           # Terraform Backend Configuration
-          AWS_TF_STATE_BUCKET: ${{ secrets.AWS_TF_STATE_BUCKET }}
-          AWS_TF_STATE_DYNAMOTABLE: ${{ secrets.AWS_TF_STATE_DYNAMOTABLE }}
-          AWS_TF_STATE_ENCRYPTION: ${{ secrets.AWS_TF_STATE_ENCRYPTION }}
-          AWS_TF_STATE_KEY: ${{ secrets.AWS_TF_STATE_KEY }}
-          AWS_TF_STATE_REGION: ${{ secrets.AWS_TF_STATE_REGION }}
-          TF_FILE_LOCATION: ${{ env.TF_FILE_LOCATION }}
+          TF_FILE_LOCATION: ${{ env.TF_INFRA_FILE_LOCATION }}
           TF_BACKEND_ARGS: region=${{ secrets.AWS_TF_STATE_REGION }},access_key=${{ secrets.AWS_ACCESS_KEY_ID }},secret_key=${{ secrets.AWS_SECRET_ACCESS_KEY }},bucket=${{ secrets.AWS_TF_STATE_BUCKET }},key=${{ secrets.AWS_TF_STATE_KEY }},dynamodb_table=${{ secrets.AWS_TF_STATE_DYNAMOTABLE }},encrypt=${{ secrets.AWS_TF_STATE_ENCRYPTION }}
           # Terraform Resource Configuration
-          TF_VAR_name_environment: "prod"
           TF_VAR_name_company: ${{ env.COMPANY }}
           TF_VAR_name_project: ${{ env.PROJECT }}
           TF_VAR_name_component: ${{ env.COMPONENT }}
+          TF_VAR_name_environment: "nonprod"
           TF_VAR_region: ${{ env.REGION }}
-          TF_VAR_dns_hostedzone_name: "${{ env.PROD_BASE_DOMAIN_NAME }}"
-          TF_VAR_enable_zone: true
-          TF_VAR_external_dns_enabled: "${{ env.EXTERNAL_DNS_ENABLED }}"
-          TF_VAR_external_dns_namespace: "${{ env.EXTERNAL_DNS_NAMESPACE }}"
-          TF_VAR_external_dns_service_account_name: "${{ env.EXTERNAL_DNS_SERVICE_ACCOUNT_NAME }}"
+          TF_VAR_vpc_cidr: ${{ env.VPC_CIDR }}
+          TF_VAR_vpc_nat_gateway_per_az: ${{ env.NON_PROD_VPC_NAT_GATEWAY_PER_AZ }}
+          TF_VAR_firewall_enabled: ${{ env.NON_PROD_FIREWALL_ENABLED }}
+          TF_VAR_firewall_allowed_domain_targets: ${{ env.FIREWALL_ALLOWED_DOMAIN_TARGETS }}
+          TF_VAR_firewall_create_tls_alert_rule: ${{ env.NON_PROD_FIREWALL_CREATE_TLS_ALERT_RULE }}
+          TF_VAR_cluster_version: ${{ env.CLUSTER_VERSION }}
+          TF_VAR_cluster_single_az: ${{ env.NON_PROD_CLUSTER_SINGLE_AZ }}
+          TF_VAR_cluster_endpoint_private_access: ${{ env.CLUSTER_ENDPOINT_PRIVATE_ACCESS }}
+          TF_VAR_cluster_endpoint_public_access: ${{ env.CLUSTER_ENDPOINT_PUBLIC_ACCESS }}
+          TF_VAR_eks_minimum_nodes: ${{ env.EKS_MINIMUM_NODES }}
+          TF_VAR_eks_desired_nodes: ${{ env.EKS_DESIRED_NODES }}
+          TF_VAR_eks_maximum_nodes: ${{ env.EKS_MAXIMUM_NODES }}
+          TF_VAR_eks_node_size: ${{ env.EKS_NODE_SIZE }}
+          TF_VAR_cert_manager_enabled: "${{ env.CERT_MANAGER_ENABLED }}"
+          TF_VAR_cert_manager_namespace: "${{ env.CERT_MANAGER_NAMESPACE }}"
+          TF_VAR_cert_manager_service_account_name: "${{ env.CERT_MANAGER_SERVICE_ACCOUNT_NAME }}"
+
+      - run: taskctl -d helm
+        env:
+          ENV_NAME: nonprod
+          # AWS Environmental Config
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_DEFAULT_REGION: ${{ env.REGION }}
+
+# InfraProd:
+#   if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/main'
+#   needs: Lint
+#   runs-on: ubuntu-24.04
+#   environment: prod
+#   steps:
+#     - uses: actions/checkout@v4
+
+#     - uses: ./build/github/templates/install-taskctl
+#     - run: taskctl -d infrastructure
+#       env:
+#         ENV_NAME: prod
+#         # AWS Environmental Config
+#         AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+#         AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+#         AWS_DEFAULT_REGION: ${{ env.REGION }}
+#         # Terraform Backend Configuration
+#         AWS_TF_STATE_BUCKET: ${{ secrets.AWS_TF_STATE_BUCKET }}
+#         AWS_TF_STATE_DYNAMOTABLE: ${{ secrets.AWS_TF_STATE_DYNAMOTABLE }}
+#         AWS_TF_STATE_ENCRYPTION: ${{ secrets.AWS_TF_STATE_ENCRYPTION }}
+#         AWS_TF_STATE_KEY: ${{ secrets.AWS_TF_STATE_KEY }}
+#         AWS_TF_STATE_REGION: ${{ secrets.AWS_TF_STATE_REGION }}
+#         TF_FILE_LOCATION: ${{ env.TF_INFRA_FILE_LOCATION }}
+#         TF_BACKEND_ARGS: region=${{ secrets.AWS_TF_STATE_REGION }},access_key=${{ secrets.AWS_ACCESS_KEY_ID }},secret_key=${{ secrets.AWS_SECRET_ACCESS_KEY }},bucket=${{ secrets.AWS_TF_STATE_BUCKET }},key=${{ secrets.AWS_TF_STATE_KEY }},dynamodb_table=${{ secrets.AWS_TF_STATE_DYNAMOTABLE }},encrypt=${{ secrets.AWS_TF_STATE_ENCRYPTION }}
+#         # Terraform Resource Configuration
+#         TF_VAR_name_environment: "prod"
+#         TF_VAR_name_company: ${{ env.COMPANY }}
+#         TF_VAR_name_project: ${{ env.PROJECT }}
+#         TF_VAR_name_component: ${{ env.COMPONENT }}
+#         TF_VAR_region: ${{ env.REGION }}
+#         TF_VAR_dns_hostedzone_name: "${{ env.PROD_BASE_DOMAIN_NAME }}"
+#         TF_VAR_enable_zone: true
+#         TF_VAR_cert_manager_enabled: "${{ env.CERT_MANAGER_ENABLED }}"
+#         TF_VAR_cert_manager_namespace: "${{ env.CERT_MANAGER_NAMESPACE }}"
+#         TF_VAR_cert_manager_service_account_name: "${{ env.CERT_MANAGER_SERVICE_ACCOUNT_NAME }}"
+#         TF_VAR_firewall_enabled: "true"

build/github/templates/install-taskctl/action.yaml

@@ -4,6 +4,7 @@ runs:
   using: 'composite'
   steps:
     - run: |
-        wget https://github.com/taskctl/taskctl/releases/download/${{ env.TaskctlVersion }}/taskctl_${{ env.TaskctlVersion }}_linux_amd64.tar.gz -O /tmp/taskctl.tar.gz
+        rm -rf /tmp/taskctl.tar.gz
+        wget https://github.com/Ensono/taskctl/releases/download/v${{ env.TaskctlVersion }}/taskctl_${{ env.TaskctlVersion }}_linux_amd64.tar.gz -O /tmp/taskctl.tar.gz
         tar zxf /tmp/taskctl.tar.gz -C /usr/local/bin taskctl
       shell: bash