Feature/cluster setup

.github/dependabot.yml

@@ -9,7 +9,7 @@ updates:
 
   - package-ecosystem: opentofu
     directories:
-      - /terraform/catalog/modules/**/*
+      - /terraform/modules/**/*
     schedule:
       interval: weekly
     cooldown:

.github/workflows/ci-terraform.yml

@@ -34,9 +34,9 @@ jobs:
 
       - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1
 
-      - name: Validate all catalog modules
+      - name: Validate all modules
         run: |
-          find terraform/catalog/modules -mindepth 1 -maxdepth 1 -type d | while read -r dir; do
+          find terraform/modules -mindepth 1 -maxdepth 1 -type d | while read -r dir; do
             echo "--- Validating $dir ---"
             tofu -chdir="$dir" init -backend=false
             tofu -chdir="$dir" validate

.github/workflows/docker-push.yml

@@ -0,0 +1,43 @@
+name: Build and Push
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - 'applications/hello-world/**'
+
+concurrency:
+  group: docker-push-hello-world
+  cancel-in-progress: false
+
+jobs:
+  build-and-push:
+    name: Build and push (dev)
+    runs-on: ubuntu-latest
+    environment: dev
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@99214aa6889fcddfa57764031d71add364327e59 # v6.1.3
+        with:
+          role-to-assume: ${{ vars.HELLO_WORLD_PUSH_ROLE_ARN }}
+          aws-region: ${{ vars.AWS_REGION }}
+
+      - name: Login to Amazon ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@fa648b43de3d4d023bcb3f89ed6940096949c419 # v2.1.5
+
+      - name: Build and push
+        working-directory: applications/hello-world
+        env:
+          REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+          IMAGE_TAG: ${{ github.sha }}
+        run: |
+          docker build -t $REGISTRY/hello-world:$IMAGE_TAG .
+          docker push $REGISTRY/hello-world:$IMAGE_TAG

.github/workflows/terragrunt-apply.yml

@@ -27,7 +27,7 @@ jobs:
         uses: aws-actions/configure-aws-credentials@99214aa6889fcddfa57764031d71add364327e59 # v6.1.3
         with:
           role-to-assume: ${{ vars.APPLY_ROLE_ARN }}
-          aws-region: ap-southeast-2
+          aws-region: ${{ vars.AWS_REGION }}
       - name: Terragrunt Apply
         uses: gruntwork-io/terragrunt-action@4ed5b7344c80315e5357f28f36159fc980bc2d5a # v3.4.0
         with:

.github/workflows/terragrunt-plan.yml

@@ -34,9 +34,9 @@ jobs:
         run: |
           CHANGED=$(git diff --name-only "origin/$BASE_REF...HEAD")
 
-          # A catalog change (module/unit/stack) can affect every environment,
+          # A module change can affect every environment,
           # so plan them all. Otherwise, only plan environments with direct changes.
-          if echo "$CHANGED" | grep -q '^terraform/catalog/'; then
+          if echo "$CHANGED" | grep -q '^terraform/modules/'; then
             ENVS=$(find terraform/environments \
               -maxdepth 1 -mindepth 1 -type d \
               -printf '%f\n' | sort \
@@ -76,7 +76,7 @@ jobs:
         uses: aws-actions/configure-aws-credentials@99214aa6889fcddfa57764031d71add364327e59 # v6.1.3
         with:
           role-to-assume: ${{ vars.PLAN_ROLE_ARN }}
-          aws-region: ap-southeast-2
+          aws-region: ${{ vars.AWS_REGION }}
 
       - name: Terragrunt Plan
         id: plan

.pre-commit-config.yaml

@@ -30,7 +30,7 @@ repos:
 
       - id: tofu-validate
         name: tofu validate
-        entry: bash -c 'find terraform/catalog/modules -mindepth 1 -maxdepth 1 -type d | while read -r dir; do
+        entry: bash -c 'find terraform/modules -mindepth 1 -maxdepth 1 -type d | while read -r dir; do
           echo "--- Validating $dir ---";
           tofu -chdir="$dir" init -backend=false;
           tofu -chdir="$dir" validate;

README.md

@@ -6,12 +6,9 @@ A personal sandbox for learning Terraform and Kubernetes, using Terragrunt to ma
 
 ```
 terraform/
-├── catalog/
-│   ├── modules/    # Raw Terraform modules
-│   ├── units/      # Terragrunt wrappers around modules
-│   └── stacks/     # Compositions of units
+├── modules/        # Raw OpenTofu modules
 └── environments/
-    └── dev/        # Environment-specific stack instantiations
+    └── dev/        # Environment-specific Terragrunt units
 ```
 
 ## Prerequisites
@@ -44,7 +41,7 @@ task tf:destroy:dev   # destroy all units in dev
 
 ```bash
 task tf:fmt           # format all Terraform files
-task tf:validate      # validate all catalog modules
+task tf:validate      # validate all modules
 task tf:clean         # remove local Terraform and Terragrunt caches
 ```
 

Taskfile.yml

@@ -47,10 +47,10 @@ tasks:
       - tofu fmt -recursive terraform/
 
   tf:validate:
-    desc: Validate all catalog modules
+    desc: Validate all modules
     cmds:
       - |
-        find terraform/catalog/modules -mindepth 1 -maxdepth 1 -type d | while read -r dir; do
+        find terraform/modules -mindepth 1 -maxdepth 1 -type d | while read -r dir; do
           echo "--- Validating $dir ---"
           tofu -chdir="$dir" init -backend=false
           tofu -chdir="$dir" validate

applications/hello-world/Dockerfile

@@ -0,0 +1,6 @@
+FROM nginx:alpine
+
+COPY nginx.conf /etc/nginx/conf.d/default.conf
+COPY index.html /usr/share/nginx/html/index.html
+
+EXPOSE 80

applications/hello-world/index.html

@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <title>Hello, World!</title>
+</head>
+<body>
+  <h1>Hello, World!</h1>
+</body>
+</html>

applications/hello-world/nginx.conf

@@ -0,0 +1,8 @@
+server {
+  listen 80;
+
+  location / {
+    root /usr/share/nginx/html;
+    index index.html;
+  }
+}

terraform/environments/dev/ap-southeast-2/github-oidc/terragrunt.stack.hcl → terraform/environments/dev/ap-southeast-2/github-oidc/terragrunt.hcl

@@ -1,19 +1,20 @@
+include "root" {
+  path = find_in_parent_folders("root.hcl")
+}
+
+terraform {
+  source = "${get_repo_root()}//terraform/modules/github-oidc"
+}
+
 locals {
-  stacks_path  = "${get_repo_root()}/terraform/catalog/stacks"
-  environment  = "dev"
   account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
   region_vars  = read_terragrunt_config(find_in_parent_folders("region.hcl"))
   state_bucket = "terragrunt-tf-state-${local.account_vars.locals.account_name}-${local.region_vars.locals.aws_region}"
 }
 
-stack "dev-oidc" {
-  source = "${local.stacks_path}/github-oidc"
-  path   = "dev/oidc"
-
-  values = {
-    github_org   = "AdamJHall"
-    github_repo  = "platform-lab"
-    environment  = local.environment
-    state_bucket = local.state_bucket
-  }
-}
+inputs = {
+  github_org   = "AdamJHall"
+  github_repo  = "platform-lab"
+  environment  = "dev"
+  state_bucket = local.state_bucket
+}

terraform/environments/dev/ap-southeast-2/hello-world-ecr/terragrunt.hcl

@@ -0,0 +1,23 @@
+include "root" {
+  path = find_in_parent_folders("root.hcl")
+}
+
+terraform {
+  source = "${get_repo_root()}//terraform/modules/ecr"
+}
+
+dependency "github_oidc" {
+  config_path = "../github-oidc"
+
+  mock_outputs = {
+    oidc_provider_arn = "arn:aws:iam::000000000000:oidc-provider/token.actions.githubusercontent.com"
+  }
+  mock_outputs_allowed_terraform_commands = ["validate", "plan"]
+}
+
+inputs = {
+  name              = "hello-world"
+  environment       = "dev"
+  oidc_provider_arn = dependency.github_oidc.outputs.oidc_provider_arn
+  github_repository = "AdamJHall/platform-lab"
+}

terraform/environments/dev/ap-southeast-2/network/terragrunt.hcl

@@ -0,0 +1,30 @@
+include "root" {
+  path = find_in_parent_folders("root.hcl")
+}
+
+terraform {
+  source = "${get_repo_root()}//terraform/modules/vpc"
+}
+
+inputs = {
+  name        = "dev-network"
+  environment = "dev"
+  cidr_block  = "10.0.0.0/16"
+  az_count    = 2
+  subnet_cidrs = {
+    public              = ["10.0.0.0/20", "10.0.16.0/20"]
+    private             = ["10.0.32.0/20", "10.0.48.0/20"]
+    private_with_egress = ["10.0.64.0/20", "10.0.80.0/20"]
+  }
+  enable_flow_logs       = false
+  nat_use_spot_instances = true
+  nat_instance_type      = "t4g.nano"
+  subnet_tags = {
+    public = {
+      "kubernetes.io/role/elb" = "1"
+    }
+    private_with_egress = {
+      "kubernetes.io/role/internal-elb" = "1"
+    }
+  }
+}

terraform/catalog/modules/ecr/main.tf → terraform/modules/ecr/main.tf

@@ -4,7 +4,7 @@ locals {
 
 resource "aws_ecr_repository" "this" {
   name                 = var.name
-  image_tag_mutability = var.mutability
+  image_tag_mutability = var.mutable ? "MUTABLE" : "IMMUTABLE"
   image_scanning_configuration {
     scan_on_push = var.image_scanning_on_push
   }

terraform/catalog/modules/ecr/outputs.tf → terraform/modules/ecr/outputs.tf

@@ -6,4 +6,9 @@ output "repository_url" {
 output "repository_arn" {
   description = "ARN of the ECR repo."
   value       = aws_ecr_repository.this.arn
+}
+
+output "push_role_arn" {
+  description = "ARN of the IAM role that can push images to this repo."
+  value       = local.create_push_role ? aws_iam_role.push[0].arn : null
 }