diff --git a/.github/workflows/crossplane-release.yaml b/.github/workflows/crossplane-release.yaml new file mode 100644 index 00000000..4358a957 --- /dev/null +++ b/.github/workflows/crossplane-release.yaml 
@@ -0,0 +1,167 @@ +on: + workflow_call: + inputs: + environment: + required: true + type: string + service_name: + required: true + type: string + +permissions: + id-token: write + contents: read + pull-requests: write + statuses: write + +jobs: + crossplane-terraform: + runs-on: ubuntu-latest + timeout-minutes: 10 + + steps: + - + name: Checkout shared-actions + uses: actions/checkout@v4 + with: + repository: vimeda/shared-actions + path: ./scripts + ref: feature/shared-crossplane + - + name: Checkout service + uses: actions/checkout@v4 + with: + ref: ${{ github.ref }} + path: ./scripts/${{ inputs.service_name }} + - + name: Install yq + uses: chrisdickinson/setup-yq@v1.0.1 + with: + yq-version: v4.25.3 + - + name: Install 1Password CLI + uses: 1password/install-cli-action@v1 + - + name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/github-actions-kubernetes-role + role-session-name: ga-${{ inputs.service_name }} + aws-region: eu-central-1 + - + name: Install Terraform + uses: hashicorp/setup-terraform@v3 + with: + terraform_version: ~1.9 + + #build lambdas zip or lambda docker images + + - name: Build lambdas + if: ${{inputs.run_zip_lambda_workflow_step == true}} + run: cd ${{ github.workspace }} && make lambda + env: + GITHUB_TOKEN: ${{ secrets.GB_TOKEN_PRIVATE }} + GOPRIVATE: "github.com/vimeda/*" + + - name: Upload Build Artifacts + if: ${{inputs.run_zip_lambda_workflow_step == true}} + uses: actions/upload-artifact@v4 + with: + name: srv-lambdas + path: ${{ github.workspace }}/dist/* + + - uses: actions/download-artifact@v4 + id: download + if: ${{inputs.run_zip_lambda_workflow_step == true}} + with: + name: srv-lambdas + path: ${{ github.workspace }}/dist + + - name: Display structure of downloaded files + if: ${{env.run_zip_lambda_workflow_step == true}} + run: ls -R + working-directory: ${{ steps.download.outputs.download-path }} + env: + 
run_zip_lambda_workflow_step: ${{ inputs.run_zip_lambda_workflow_step }} + + - name: Push all functions to Bucket + if: ${{env.run_zip_lambda_workflow_step == true}} + run: | + cd ${{ github.workspace }}/dist && ls + for file in "./"/*lambda.zip + do + filename=$(basename "$file" .zip) + function_name=${filename%_lambda} + aws s3 cp "$file" "s3://${{inputs.env}}-lykon-lambdas/${{ github.event.repository.name}}/$function_name.zip" + done + env: + run_zip_lambda_workflow_step: ${{ inputs.run_zip_lambda_workflow_step }} + + #apply terraform + + - + name: Terraform Init + working-directory: ./scripts/crossplane + run: | + terraform init \ + -backend-config="region=eu-central-1" \ + -backend-config="bucket=terraform-eks" \ + -backend-config="key=crossplane/${{ inputs.environment }}/${{ inputs.service_name }}" + + - + name: Terraform Validate + working-directory: ./scripts/crossplane + run: | + terraform validate -no-color + - + name: Verify Kubeconfig + working-directory: ./scripts/crossplane + run: | + if [ -z "$KUBECONFIG" ]; then + echo "Error: KUBECONFIG environment variable is not set" + exit 1 + fi + + # Test if we can connect to the cluster using the kubeconfig directly + if ! 
echo "$KUBECONFIG" | base64 -d | kubectl --kubeconfig=/dev/stdin cluster-info; then + echo "Error: Unable to connect to Kubernetes cluster" + exit 1 + fi + + echo "Kubeconfig verification successful" + env: + KUBECONFIG: ${{ secrets.PRD_KUBECONFIG }} + + - name: Terraform + working-directory: ./scripts/crossplane + run: | + # Create and decode kubeconfig + echo "${{ secrets.PRD_KUBECONFIG }}" | base64 -d > ${{ github.workspace }}/kubeconfig.yaml + chmod 600 ${{ github.workspace }}/kubeconfig.yaml + + # Set KUBECONFIG environment variable + export KUBECONFIG=${{ github.workspace }}/kubeconfig.yaml + + # Verify kubectl can connect to the cluster + kubectl cluster-info + + # Create provider configuration file + cat > provider.tf << EOF + provider "kubectl" { + config_path = "${{ github.workspace }}/kubeconfig.yaml" + apply_retry_count = 5 + load_config_file = true + } + EOF + + # Run terraform apply + terraform apply -auto-approve -no-color \ + -var-file=${{ inputs.environment }}.tfvars \ + -var="commit_hash=${{ github.sha }}" \ + -var="service_name=${{ inputs.service_name }}" + env: + TF_WORKSPACE: ${{ inputs.environment }} + OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.PROD_ONEPASSWORD_SERVICEACCOUNT_TOKEN }} + AWS_DEFAULT_REGION: eu-central-1 + + diff --git a/.github/workflows/crossplane.yaml b/.github/workflows/crossplane.yaml new file mode 100644 index 00000000..c06d22a6 --- /dev/null +++ b/.github/workflows/crossplane.yaml 
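Review bot: The lambda steps gate on `inputs.run_zip_lambda_workflow_step` and the S3 push uses `${{inputs.env}}`, but this workflow's `workflow_call` block declares only `environment` and `service_name`, so the build/upload/download steps are silently skipped and the bucket would render as `-lykon-lambdas/...`; `inputs.env` is undeclared in crossplane.yaml too, where `environment` is the declared name. The `Display structure` and `Push all functions` steps compare `env.run_zip_lambda_workflow_step == true`, and since `env` values are strings that comparison presumably never holds — testing `inputs.run_zip_lambda_workflow_step` as the earlier steps do avoids the coercion (same in crossplane.yaml). The shared-actions checkout pins `ref: feature/shared-crossplane`, a mutable branch, in a workflow that applies to the production cluster with `-auto-approve`; a tag or commit SHA there (and SHA pins for `chrisdickinson/setup-yq@v1.0.1` and `1password/install-cli-action@v1`, also used in crossplane.yaml) would make what runs against prod reproducible. `inputs.environment` is a free-form string that selects the tfvars file and `TF_WORKSPACE` while `PRD_KUBECONFIG` and the prod 1Password token are fixed, so a caller passing `staging` would apply staging variables to the prod cluster; a job-level guard such as `if: ${{ inputs.environment == 'prod' }}` would close that.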
@@ -0,0 +1,138 @@ +on: + workflow_call: + inputs: + environment: + required: true + type: string + service_name: + required: true + type: string + run_zip_lambda_workflow_step: + type: boolean + default: false + role_name: + type: string + default: 'github-actions-kubernetes-role' + role_session_name: + type: string + default: 'ga-kubernetes' + + +permissions: + id-token: write + contents: read + pull-requests: write + statuses: write + +jobs: + crossplane-terraform: + runs-on: ubuntu-latest + timeout-minutes: 10 + + steps: + - + name: Checkout shared-actions + uses: actions/checkout@v4 + with: + repository: vimeda/shared-actions + path: ./scripts + ref: feature/shared-crossplane + - + name: Checkout service + uses: actions/checkout@v4 + with: + ref: ${{ github.ref }} + path: ./scripts/${{ inputs.service_name }} + - + name: Install yq + uses: chrisdickinson/setup-yq@v1.0.1 + with: + yq-version: v4.25.3 + - + name: Install 1Password CLI + uses: 1password/install-cli-action@v1 + - + name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ inputs.role_name }} + role-session-name: ${{ inputs.role_session_name }} + aws-region: eu-central-1 + - + name: Install Terraform + uses: hashicorp/setup-terraform@v3 + with: + terraform_version: ~1.9 + + #build lambdas zip or lambda docker images + + - name: Build lambdas + if: ${{inputs.run_zip_lambda_workflow_step == true}} + run: cd ${{ github.workspace }} && make lambda + env: + GITHUB_TOKEN: ${{ secrets.GB_TOKEN_PRIVATE }} + GOPRIVATE: "github.com/vimeda/*" + + - name: Upload Build Artifacts + if: ${{inputs.run_zip_lambda_workflow_step == true}} + uses: actions/upload-artifact@v4 + with: + name: srv-lambdas + path: ${{ github.workspace }}/dist/* + + - uses: actions/download-artifact@v4 + id: download + if: ${{inputs.run_zip_lambda_workflow_step == true}} + with: + name: srv-lambdas + path: ${{ github.workspace }}/dist + + - 
name: Display structure of downloaded files + if: ${{env.run_zip_lambda_workflow_step == true}} + run: ls -R + working-directory: ${{ steps.download.outputs.download-path }} + env: + run_zip_lambda_workflow_step: ${{ inputs.run_zip_lambda_workflow_step }} + + - name: Push all functions to Bucket + if: ${{env.run_zip_lambda_workflow_step == true}} + run: | + cd ${{ github.workspace }}/dist && ls + for file in "./"/*lambda.zip + do + filename=$(basename "$file" .zip) + function_name=${filename%_lambda} + aws s3 cp "$file" "s3://${{inputs.env}}-lykon-lambdas/${{ github.event.repository.name}}/$function_name.zip" + done + env: + run_zip_lambda_workflow_step: ${{ inputs.run_zip_lambda_workflow_step }} + + #apply terraform + + - + name: Terraform Init + working-directory: ./scripts/crossplane + run: | + terraform init \ + -backend-config="region=eu-central-1" \ + -backend-config="bucket=terraform-eks" \ + -backend-config="key=crossplane/${{ inputs.environment }}/${{ inputs.service_name }}" + + - + name: Terraform Validate + working-directory: ./scripts/crossplane + run: | + terraform validate -no-color + - + name: Terraform + working-directory: ./scripts/crossplane + run: | + echo "${{ secrets.STG_KUBECONFIG }}" > ${{ github.workspace }}/kubeconfig.yaml + export KUBECONFIG=${{ github.workspace }}/kubeconfig.yaml + terraform apply -auto-approve -no-color \ + -var-file=${{ inputs.environment }}.tfvars \ + -var="commit_hash=${{ github.sha }}" \ + -var="service_name=${{ inputs.service_name }}" + env: + TF_WORKSPACE: ${{ inputs.environment }} + OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.STAGING_ONEPASSWORD_SERVICEACCOUNT_TOKEN }} diff --git a/.github/workflows/kubeconfig b/.github/workflows/kubeconfig new file mode 100644 index 00000000..9ecd6518 --- /dev/null +++ b/.github/workflows/kubeconfig 
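Review bot: The Terraform step writes `secrets.STG_KUBECONFIG` to `kubeconfig.yaml` with the runner's default umask and no `chmod 600`, and it writes the value raw while crossplane-release.yaml pipes `PRD_KUBECONFIG` through `base64 -d`; if both secrets are stored the same way one of the two workflows gets an unusable file, so the intended encoding deserves a comment above the echo, e.g. `# STG_KUBECONFIG is stored as raw YAML (PRD_KUBECONFIG is base64-encoded)`. Both workflows interpolate the kubeconfig secret directly into the `run:` script body; passing it as an `env:` entry, as the `Verify Kubeconfig` step in crossplane-release.yaml already does, keeps it out of the generated script and out of shell parsing. The `role_session_name` default `ga-kubernetes` is shared by every caller that does not override it, so CloudTrail entries cannot be attributed to a service; since an input default cannot reference another input, the step itself could use `role-session-name: ga-${{ inputs.service_name }}` as crossplane-release.yaml does.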
@@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Config +preferences: {} +current-context: arn:aws:eks:eu-central-1:279707217826:cluster/prd-eks-v2 + +clusters: +- name: arn:aws:eks:eu-central-1:279707217826:cluster/prd-eks-v2 + cluster: + server: https://6FAE7EA31F6ABDC83D35085CD36856A9.gr7.eu-central-1.eks.amazonaws.com + certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURCVENDQWUyZ0F3SUJBZ0lJZXBDbzlyUGFBN1V3RFFZSktvWklodmNOQVFFTEJRQXdGVEVUTUJFR0ExVUUKQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB5TlRBME1ETXhOekk1TlRGYUZ3MHpOVEEwTURFeE56TTBOVEZhTUJVeApFekFSQmdOVkJBTVRDbXQxWW1WeWJtVjBaWE13Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLCkFvSUJBUURsYXRxcENFaHhjNHZuR1Q2U3htbzcwY3pFZ0M2Nm5TR2NwaDdNeTl4Njg4UTZTSWV6MFFyTnNPM3IKdExjaGRsaWtpREdZU1RwK2dmUlVNWDN5UjdYVTVyTHVEaktWWkh1N21XTTR4RFEwenhkNlVKcGd5NFRzK0kvbwpmc0NESnZoOUdtRjk4Z2kxdTdvTnorU0d3OXdFd3U1MzJsbEVtUXRTclpSemZuNHFYOUk1b1hRSXB0dkd3ekxXCk1ON0RmSjVTTGZIWlloblZPTmJUeCtQOWN4QW0yMXhVdGRYUlFIaXRJbklxZnFsTlhsYWlLbWlwQUNNRlJtazQKeTFETElVM1lWZDk0eGtJcDlVTFdMTnRjZ2NtWEdvZUMyMGhDUXJnRkJWaC9LRlNlQmNkOWQ2eVdySjFhVCtKUgovWEJTa1BvMWNBMDBjYy9jajNjWjVhZ3ozSXEvQWdNQkFBR2pXVEJYTUE0R0ExVWREd0VCL3dRRUF3SUNwREFQCkJnTlZIUk1CQWY4RUJUQURBUUgvTUIwR0ExVWREZ1FXQkJSeUF5aGd2Rm1LY2plTFcvNUNia0M0R2hYUFVEQVYKQmdOVkhSRUVEakFNZ2dwcmRXSmxjbTVsZEdWek1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQ0VQNUVzc0pnMAo5VW03TkZId0FRN0JWdCs0VWJkR3VQZEdaU0JDVWFwS1pCN05tUlFKdGtac05oRHJkQngydlpGZjVDWm1iUzB1CkhrRVJpSjc3K2hweWtuSEVKZmdyMjV0NWZ1cFBUdXRWU3V6ZTBicEJFMmZheEZpQy9kQlQ5bjBlK2lRVnd0SUkKemxGbVZBQUVRU2VSQjNqdFhFTk1CSUdOSXhoSUw4ZGRPVnFLQmdRWm9tZGlvdzhRRVRYV29iSzZLM3ZUVmRKcwozYmVUZ204NTZYdnRuSGtWM0JmTTFRK1dMTm1DYlYzeS9SODBHd3drQXJaK01VN2J1Q1hOUkhqem9qTkx0UEdTCmk3cjdZVmlUenlvTHFubVBub3N6VFZzTVh4YWxLelNnSGlQOGxFNUhWM2xQYm9TeUFnMm13ZEVVRFQ2ZkFzb0cKK2ROY1BBUnNwVUpvCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K + +contexts: +- name: arn:aws:eks:eu-central-1:279707217826:cluster/prd-eks-v2 + context: + cluster: arn:aws:eks:eu-central-1:279707217826:cluster/prd-eks-v2 + user: 
arn:aws:eks:eu-central-1:279707217826:cluster/prd-eks-v2 + +users: +- name: arn:aws:eks:eu-central-1:279707217826:cluster/prd-eks-v2 + user: + exec: + apiVersion: client.authentication.k8s.io/v1beta1 + command: aws + args: + - --region + - eu-central-1 + - eks + - get-token + - --cluster-name + - prd-eks-v2 \ No newline at end of file diff --git a/.github/workflows/main-deploy.yaml b/.github/workflows/main-deploy.yaml index bccb7422..16429eca 100644 --- a/.github/workflows/main-deploy.yaml +++ b/.github/workflows/main-deploy.yaml @@ -78,4 +78,4 @@ jobs: release: ${{ inputs.release_name }} namespace: ${{ inputs.namespace }} env: - KUBECONFIG_FILE: ${{ secrets.STAGING_KUBECONFIG }} + KUBECONFIG_FILE: ${{ secrets.STG_KUBECONFIG }} diff --git a/.github/workflows/pr-crossplane.yaml b/.github/workflows/pr-crossplane.yaml deleted file mode 100644 index 5d2d9877..00000000 --- a/.github/workflows/pr-crossplane.yaml +++ /dev/null 
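Review bot: `.github/workflows/kubeconfig` is not referenced by any workflow in this change — every job reads its kubeconfig from `secrets.PRD_KUBECONFIG` or `secrets.STG_KUBECONFIG` — so it appears to be a committed copy of the production cluster config. It carries no bearer token (authentication goes through the `aws eks get-token` exec plugin), but it does put the prod API endpoint, CA bundle and account ID under version control for anyone with repository read access. If it was only the source for the secret, drop it from the commit; if it is meant to be consumed, it belongs outside `.github/workflows/` with a comment stating that the exec plugin still needs assumed AWS credentials. The file also lacks a trailing newline.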
@@ -1,138 +0,0 @@ -on: - workflow_call: - inputs: - role_name: - required: true - type: string - role_session_name: - required: true - type: string - aws_region: - required: false - type: string - default: eu-central-1 - working_directory: - required: true - type: string - env: - required: true - type: string - zip_lambda_workflow_step: - required: true - type: boolean - commit_hash: - required: true - type: string - -permissions: - id-token: write - contents: read - pull-requests: write - statuses: write - -jobs: - terraform: - name: Terraform - runs-on: ubuntu-latest - timeout-minutes: 15 - - defaults: - run: - working-directory: ${{ inputs.working_directory }} - - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Configure AWS Credentials - id: aws - uses: aws-actions/configure-aws-credentials@v2 - with: - role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ inputs.role_name }} - role-session-name: ${{ inputs.role_session_name }} - aws-region: ${{ inputs.aws_region }} - - - name: Build lambdas - run: cd ${{ github.workspace }} && make lambda - if: ${{env.zip_lambda_workflow_step==true}} - env: - GITHUB_TOKEN: ${{ secrets.GB_TOKEN_PRIVATE }} - GOPRIVATE: "github.com/vimeda/*" - zip_lambda_workflow_step: ${{ inputs.zip_lambda_workflow_step }} - - - name: Upload Build Artifacts - uses: actions/upload-artifact@v4 - if: ${{env.zip_lambda_workflow_step==true}} - with: - name: srv-lambdas - path: ${{ github.workspace }}/dist/* - zip_lambda_workflow_step: ${{ inputs.zip_lambda_workflow_step }} - - - uses: actions/download-artifact@v4 - id: download - if: ${{env.zip_lambda_workflow_step==true}} - with: - name: srv-lambdas - path: ${{ github.workspace }}/dist - zip_lambda_workflow_step: ${{ inputs.zip_lambda_workflow_step }} - - - name: Display structure of downloaded files - run: ls -R - working-directory: ${{ steps.download.outputs.download-path }} - - - - uses: hashicorp/setup-terraform@v1 - with: - terraform_version: ~1.4 - - - 
uses: actions/download-artifact@v4 - id: downloadscripts - with: - name: scripts - path: ./scripts - - - name: copy scripts to scripts folder in working directory - run: | - mkdir ./scripts && ls - cp -r ${{ github.workspace }}/scripts/.github/workflows ./scripts - shell: sh - - - name: Install 1Password Cli, patch claim - run: | - curl https://cache.agilebits.com/dist/1P/op2/pkg/v2.18.0/op_linux_amd64_v2.18.0.zip > op.zip - unzip op.zip - sudo mv op /usr/local/bin - rm op.zip - ls - python -m pip install "ruamel.yaml<0.18.0" - - python scripts/workflows/scripts/patch.py - - - for file in *claims.yaml; do - if [ -f "$file" ]; then - cat $file - fi - done - - env: - OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.STAGING_ONEPASSWORD_SERVICEACCOUNT_TOKEN }} - VAULT_ID: "errsir3kqd4gdjgaxliofyskey" - ENV: ${{ inputs.env }} - - - name: patch claim image uri with commit hash - id: patch_image_uri_with_commit_hash - run: | - find ./ -type f -name "*.yaml" -exec sed -i -e 's/COMMIT_HASH/${{ env.commit_hash }}/g' -e 's/ECR_BASE_URL/279707217826.dkr.ecr.eu-central-1.amazonaws.com\/lykon/g' {} \; - env: - TF_WORKSPACE: ${{ inputs.env }} - commit_hash: ${{ inputs.commit_hash }} - - - name: Terraform Plan - id: plan - run: | - echo "${{ secrets.STAGING_KUBECONFIG }}" > ${{ github.workspace }}/kubeconfig.yaml - export KUBECONFIG=${{ github.workspace }}/kubeconfig.yaml - cd ${{ github.workspace }}/configs/crossplane && terraform init && terraform -chdir=${{ github.workspace }}/configs/crossplane plan - env: - TF_WORKSPACE: ${{ inputs.env }} diff --git a/.github/workflows/pr-terraform.yaml b/.github/workflows/pr-terraform.yaml index 82f8af07..e6845e5b 100644 --- a/.github/workflows/pr-terraform.yaml +++ b/.github/workflows/pr-terraform.yaml 
@@ -39,9 +39,9 @@ jobs: id: aws uses: aws-actions/configure-aws-credentials@v2 with: - role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ inputs.role_name }} - role-session-name: ${{ inputs.role_session_name }} - aws-region: ${{ inputs.aws_region }} + role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/github-actions-${{ inputs.service_name }}-role + role-session-name: ga-${{ inputs.service_name }} + aws-region: eu-central-1 - name: Download Staging Variables uses: actions/download-artifact@v4 diff --git a/.github/workflows/release-crossplane.yaml b/.github/workflows/release-crossplane.yaml index 32099230..de74b82c 100644 --- a/.github/workflows/release-crossplane.yaml +++ b/.github/workflows/release-crossplane.yaml @@ -120,7 +120,7 @@ jobs: - name: Terraform apply id: apply run: | - echo "${{ secrets.PROD_KUBECONFIG }}" > ${{ github.workspace }}/kubeconfig.yaml + echo "${{ secrets.PRD_KUBECONFIG }}" > ${{ github.workspace }}/kubeconfig.yaml export KUBECONFIG=${{ github.workspace }}/kubeconfig.yaml cd ${{ github.workspace }}/configs/crossplane && terraform init && terraform apply -auto-approve env: diff --git a/.github/workflows/release-deploy.yaml b/.github/workflows/release-deploy.yaml index 3f47e8bf..a301dc54 100644 --- a/.github/workflows/release-deploy.yaml +++ b/.github/workflows/release-deploy.yaml @@ -78,4 +78,4 @@ jobs: release: ${{ inputs.release_name }} namespace: ${{ inputs.namespace }} env: - KUBECONFIG_FILE: ${{ secrets.PROD_KUBECONFIG }} + KUBECONFIG_FILE: ${{ secrets.PRD_KUBECONFIG }} diff --git a/.github/workflows/test-crossplane.yaml b/.github/workflows/test-crossplane.yaml index f98dd4e4..c8a6b0ba 100644 --- a/.github/workflows/test-crossplane.yaml +++ b/.github/workflows/test-crossplane.yaml 
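Review bot: The role ARN and session name are now derived from `inputs.service_name` and the region is fixed to `eu-central-1`, so the `role_name`, `role_session_name` and `aws_region` inputs this step consumed become dead if they are still declared in the `workflow_call` block outside this hunk; either remove them or keep honouring `inputs.aws_region`. `github-actions-${{ inputs.service_name }}-role` assumes a per-service IAM role with exactly that name exists, which is worth stating above the step, e.g. `# requires an IAM role named github-actions-<service_name>-role whose trust policy accepts this repository's OIDC subject`. STS session names are limited to `[\w+=,.@-]` and 64 characters, so a service name outside that charset would fail AssumeRole here. The step stays on `configure-aws-credentials@v2` while the new crossplane workflows use `@v4`.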
@@ -49,7 +49,7 @@ jobs: - name: Terraform Apply - Prod Crossplane id: apply-crossplane run: | - echo "${{ secrets.PROD_KUBECONFIG }}" > ${{ github.workspace }}/kubeconfig.yaml + echo "${{ secrets.PRD_KUBECONFIG }}" > ${{ github.workspace }}/kubeconfig.yaml export KUBECONFIG=${{ github.workspace }}/kubeconfig.yaml cd ${{ github.workspace }}/configs/crossplane ls diff --git a/crossplane/.gitignore b/crossplane/.gitignore new file mode 100644 index 00000000..cc5778cf --- /dev/null +++ b/crossplane/.gitignore @@ -0,0 +1,2 @@ +.terraform/ +.terraform.lock.hcl diff --git a/crossplane/backend-config.hcl b/crossplane/backend-config.hcl new file mode 100644 index 00000000..2396500d --- /dev/null +++ b/crossplane/backend-config.hcl @@ -0,0 +1,3 @@ +region = "eu-central-1" +bucket = "terraform-eks" +key = "crossplane/${service_name}/state.tf" diff --git a/crossplane/main.tf b/crossplane/main.tf new file mode 100644 index 00000000..5bd52471 --- /dev/null +++ b/crossplane/main.tf 
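Review bot: Ignoring `.terraform.lock.hcl` drops the provider checksum pinning that `terraform init` records, so each CI run re-resolves providers; with `alekc/kubectl` constrained only to `>= 2.0.0` in versions.tf, the provider version and binary hash applied to the prod cluster can change between runs without any commit. Committing the lock file (and keeping `.terraform/` ignored) lets `init` verify provider hashes against what was reviewed. If the lock file is excluded to avoid platform-specific hashes, running `terraform providers lock -platform=linux_amd64` once and committing the result covers the ubuntu-latest runner.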
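Review bot: `key = "crossplane/${service_name}/state.tf"` uses template interpolation, which a `-backend-config` file does not support; as far as I can tell Terraform rejects `${service_name}` here rather than substituting it. Neither new workflow uses this file — both pass `region`, `bucket` and `key` inline at `Terraform Init`, with a different key layout (`crossplane/<environment>/<service_name>`) — so the file is either unused or describes a state path that diverges from the one actually written. Either delete it or replace the key with a literal and add `# key is supplied per service/environment by the workflow's -backend-config=key=... argument`.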
@@ -0,0 +1,61 @@ +data "template_file" "claims" { + for_each = fileset("../${var.service_name}/configs/crossplane/${terraform.workspace}", "*.yaml") + template = file("../${var.service_name}/configs/crossplane/${terraform.workspace}/${each.value}") + + vars = { + commit_hash = var.commit_hash + } +} + +# +# Use external data source to run the bash script to modify the claims +data "external" "modified_yaml" { + for_each = data.template_file.claims + program = ["bash", "${path.module}/modify-claims.sh"] + + query = { + vault_id = var.vault_id + claim_yaml = each.value.rendered + env = terraform.workspace + } +} + +output "modified_yaml" { + value = data.external.modified_yaml +} + +# Locals for decoding the updated YAML from the external script output +locals { + # Define the path to the directory containing YAML files + yaml_dir = "${path.module}/tmp" # Adjust this to your module's relative path + yaml_files = fileset(local.yaml_dir, "*.yaml") # Get all YAML files in the specified directory +} + +# Parse the YAML content into Kubernetes documents using kubectl provider +data "kubectl_file_documents" "claims" { + depends_on = [data.external.modified_yaml] # Ensure this runs after the external data source + for_each = data.external.modified_yaml + content = yamlencode(jsondecode(each.value.result.manifest)) +} + +output "kubectl_manifest" { + value = data.kubectl_file_documents.claims +} + +locals { + # Collect all manifests into a flat list + manifests_array = flatten([ + for doc in data.kubectl_file_documents.claims : [ + for _, manifest in doc.manifests : manifest + ] + ]) +} + +resource "kubectl_manifest" "apply" { + depends_on = [data.kubectl_file_documents.claims] + for_each = toset(local.manifests_array) + yaml_body = each.value # Apply each manifest from the array + lifecycle { + create_before_destroy = true # recreate the resource each time + } +} 
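Review bot: `output "modified_yaml"` and `output "kubectl_manifest"` expose the full rendered claims, which after modify-claims.sh include the 1Password values injected under `.spec.parameters.secrets`, and neither output sets `sensitive = true`, so `terraform apply -no-color` prints those values into the Actions log (masking only covers registered repository secrets) and keeps them in the S3 state as outputs. Marking both `sensitive = true`, or dropping them if they are debugging aids, removes the log exposure; the values remain in state through the `data.external` result and `kubectl_manifest.yaml_body` regardless, so read access to the `terraform-eks` bucket should be treated as access to the vault. `local.yaml_dir` and `local.yaml_files` are not referenced anywhere else in this file. `data "template_file"` depends on the archived hashicorp/template provider, which the built-in `templatefile()` function replaces, and `for_each = toset(local.manifests_array)` keys each resource by its entire manifest text, so any content change presumably replaces the resource rather than updating it in place.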
diff --git a/crossplane/modify-claims.sh b/crossplane/modify-claims.sh new file mode 100755 index 00000000..1a040a4d --- /dev/null +++ b/crossplane/modify-claims.sh 
@@ -0,0 +1,98 @@ +#!/bin/bash + +set -euov pipefail + +# Ensure the tmp/ folder exists in the current working directory +mkdir -p tmp/ + +# Extract variables using jq +eval "$(jq -r '@sh "ENV=\(.env) VAULT_ID=\(.vault_id) CLAIM_YAML=\(.claim_yaml)"')" + +# Generate a SHA256 hash from CLAIM_YAML and use part of it for the file name +hash=$(echo -n "$CLAIM_YAML" | sha256sum | cut -d' ' -f1) + +# Create a temporary file in the tmp/ folder, prefixed with 'tmpfile_' and suffixed with the hash +temp_yaml_file="tmp/tmpfile_${hash}.yaml" + +# Write the input YAML to the temporary file for processing +echo "$CLAIM_YAML" > "$temp_yaml_file" + +# Predefined arrays of claim types to process +CLAIM_TYPES_LAMBDA=("XLykonLambda" "XLykonLambdaDockerImage") +CLAIM_TYPES_GOAPP=("XLykonGoApp") + +# Check the kind of the YAML +kind=$(yq eval '.kind' "$temp_yaml_file") + +# Function to add VPC configuration based on environment +add_vpc_config() { + local env="$1" + local config + + if [[ "$env" == "staging" ]]; then + config='{"vpcConfig":[{"securityGroupIds":["sg-03c24245575c1ebc0"],"subnetIds":["subnet-011cb6fe763310759","subnet-08deca209f9e46ebb","subnet-06e62ab1abfd70465"]}]}' + elif [[ "$env" == "prod" ]]; then + config='{"vpcConfig":[{"securityGroupIds":["sg-0c928b162190fd686"],"subnetIds":["subnet-0a03a55b3efec8bc5","subnet-074c6060a0d7ebe56","subnet-0ee3dbbbc8db2762e"]}]}' + else + echo "Error: Unsupported environment $env" + exit 1 + fi + + yq eval ".spec.parameters += $config" -i "$temp_yaml_file" +} + +if [[ " ${CLAIM_TYPES_LAMBDA[@]} " =~ " ${kind} " ]]; then + # Handle XLykonLambda and XLykonLambdaDockerImage + service_name=$(yq eval '.spec.parameters.service_name' "$temp_yaml_file") + + if [[ -z "$service_name" ]]; then + echo "Warning: service_name is not defined, skipping secret fetching." 
+ else + secrets=$(op items get "$service_name" --vault="$VAULT_ID" --format=json | jq '.fields | map({(.label): .value}) | add') + + if [[ -z "$secrets" ]]; then + echo "Warning: Failed to fetch secrets for $service_name, skipping secret addition." + else + # Wrap secrets in an array with 'variables' + secrets_with_variables=$(jq -n --argjson secrets "$secrets" '[{"variables": $secrets}]') + + # Update the YAML file with the secrets under 'secrets' field + yq eval ".spec.parameters.secrets = $secrets_with_variables" -i "$temp_yaml_file" + fi + fi + add_vpc_config "$ENV" # Add VPC config only for Lambda types +elif [[ " ${CLAIM_TYPES_GOAPP[@]} " =~ " ${kind} " ]]; then + # Handle XLykonGoApp + if [[ "$ENV" == "staging" ]]; then + vault_id="errsir3kqd4gdjgaxliofyskey" + elif [[ "$ENV" == "prod" ]]; then + vault_id="37y43e5v2qd3iptgt7wgyk34ga" + else + echo "Error: Unsupported environment $ENV" + exit 1 + fi + + yq eval ".spec.parameters.vault_id = \"$vault_id\"" -i "$temp_yaml_file" +fi + +if [[ "$kind" == "XLykonLambdaDockerImage" || "$kind" == "XEventSourceMapping" ]]; then + # Get the current stream value + stream=$(yq eval '.spec.parameters.stream' "$temp_yaml_file") + + # Modify the stream based on whether it's S3, Kinesis, or a simple Kinesis stream name + if [[ "$stream" == s3:* ]]; then + # Extract bucket name from the stream and form the S3 ARN + bucket_name=$(echo "$stream" | cut -d':' -f2) + new_stream="arn:aws:s3:::$bucket_name" + yq eval ".spec.parameters.stream = \"$new_stream\"" -i "$temp_yaml_file" + elif [[ "$stream" == kinesis:* ]]; then + # Extract stream name from the stream and form the Kinesis ARN + stream_name=$(echo "$stream" | cut -d':' -f2) + new_stream="arn:aws:kinesis:eu-central-1:279707217826:stream/$stream_name" + yq eval ".spec.parameters.stream = \"$new_stream\"" -i "$temp_yaml_file" + fi +fi + +# Convert the final YAML to JSON for Terraform +manifest=$(yq eval -o=json "$temp_yaml_file") +jq -n --arg manifest "$manifest" '{ manifest: 
$manifest }' diff --git a/crossplane/prod.tfvars b/crossplane/prod.tfvars new file mode 100644 index 00000000..674312de --- /dev/null +++ b/crossplane/prod.tfvars @@ -0,0 +1,2 @@ +cluster_name = "prd-eks-v2" +vault_id = "37y43e5v2qd3iptgt7wgyk34ga" diff --git a/crossplane/staging.tfvars b/crossplane/staging.tfvars new file mode 100644 index 00000000..18baf14d --- /dev/null +++ b/crossplane/staging.tfvars @@ -0,0 +1,2 @@ +cluster_name = "staging-eks-v2" +vault_id = "errsir3kqd4gdjgaxliofyskey" diff --git a/crossplane/variables.tf b/crossplane/variables.tf new file mode 100644 index 00000000..fce241c0 --- /dev/null +++ b/crossplane/variables.tf @@ -0,0 +1,20 @@ +variable "commit_hash" { + description = "git commit hash, which will be used to tag the docker image" + type = string +} + +variable "cluster_name" { + description = "name of the eks cluster" + type = string +} + +variable "service_name" { + description = "name of the service to deploy" + type = string +} + +variable "vault_id" { + description = "1password vault id" + type = string +} + diff --git a/crossplane/versions.tf b/crossplane/versions.tf new file mode 100644 index 00000000..338feac8 --- /dev/null +++ b/crossplane/versions.tf @@ -0,0 +1,25 @@ +terraform { + required_version = ">= 1.0.0" + + required_providers { + kubectl = { + source = "alekc/kubectl" + version = ">= 2.0.0" + } + local = { + source = "hashicorp/local" + version = "2.5.2" + } + aws = { + source = "hashicorp/aws" + version = "4.64.0" + } + template = { + source = "hashicorp/template" + version = "2.2.0" + } + } + backend "s3" { + } +} + diff --git a/renovate.json b/renovate.json deleted file mode 100644 index 39a2b6e9..00000000 --- a/renovate.json +++ /dev/null @@ -1,6 +0,0 @@ -{ - "$schema": "https://docs.renovatebot.com/renovate-schema.json", - "extends": [ - "config:base" - ] -}
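Review bot: The `Warning:` and `Error:` messages are written to stdout, but this script is the `program` of a `data "external"` source whose stdout must be exactly one JSON object; on the `service_name is not defined` and `Failed to fetch secrets` paths the warning line precedes the final `jq -n` output and the provider would fail to parse it. Redirect them, e.g. `echo "Warning: service_name is not defined, skipping secret fetching." >&2`, and likewise for the other three messages. `yq eval ".spec.parameters.secrets = $secrets_with_variables"` splices the fetched secret values into a yq expression, where a value containing quotes or yq operators would alter the expression; exporting the JSON and using `.spec.parameters.secrets = env(SECRETS)` keeps the values as data. `tmp/tmpfile_<hash>.yaml` holds those secrets in plaintext and is never removed, so a `trap 'rm -f "$temp_yaml_file"' EXIT` right after the assignment would limit how long they sit on the runner's disk. With `set -e` and `pipefail`, a failing `op items get` aborts the script before the `-z "$secrets"` check, so that warning branch is presumably reachable only when the item has no fields.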
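Review bot: `cluster_name` is declared here and set in both tfvars files, but `var.cluster_name` is not read by main.tf in this change, so the variable appears unused; either drop it or document what consumes it. The `commit_hash` description says it tags the docker image, while main.tf only substitutes it into the claim templates, so `description = "git commit hash substituted into the claim templates as commit_hash"` would match the code.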
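Review bot: `hashicorp/template` 2.2.0 is archived upstream and `data "template_file"` in main.tf is its only consumer; the built-in `templatefile()` function removes the dependency. `required_version = ">= 1.0.0"` is looser than the `~1.9` the workflows install, and `alekc/kubectl` at `>= 2.0.0` has no upper bound while `.terraform.lock.hcl` is gitignored, so the provider applied to prod is whatever `init` resolves that day — a `~> 2.0` constraint plus a committed lock file pins it. The empty `backend "s3" {}` is expected with the `-backend-config` arguments the workflows pass, which is worth a comment: `# partial configuration; region/bucket/key are passed by the workflow at init`.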