From c583e3ad640c92d1156f30f9fca227da7853d123 Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Sun, 30 Nov 2025 19:26:20 +0100 Subject: [PATCH 01/85] fix: fix regression bug in handler_per_service (#207) --- .../splunk_aws_billing/lambda/handler_per_service.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/integrations/splunk_aws_billing/lambda/handler_per_service.py b/modules/integrations/splunk_aws_billing/lambda/handler_per_service.py index 941e3b39..6f563039 100644 --- a/modules/integrations/splunk_aws_billing/lambda/handler_per_service.py +++ b/modules/integrations/splunk_aws_billing/lambda/handler_per_service.py @@ -10,7 +10,7 @@ import common import pandas as pd -LOG = logging.getLOG() +LOG = logging.getLogger() level_str = os.environ.get('LOG_LEVEL', 'INFO').upper() LOG.setLevel(getattr(logging, level_str, logging.INFO)) From fffa0d12f639755bd4d52a57afd23f0b49ca267a Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Sun, 30 Nov 2025 20:10:48 +0100 Subject: [PATCH 02/85] chore: merge renovate updates (#204) * chore(deps): update terraform terraform-aws-modules/eks/aws to v21.10.0 (#26) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update docker/metadata-action action to v5.10.0 (#28) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .github/workflows/build-forge-github-app-register.yml | 2 +- .github/workflows/build-pre-commit.yml | 2 +- modules/infra/eks/eks.tf | 2 +- modules/infra/eks/karpenter.tf | 2 +- modules/infra/eks/nodes.tf | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build-forge-github-app-register.yml b/.github/workflows/build-forge-github-app-register.yml index 43835bf0..4288aa69 100644 --- a/.github/workflows/build-forge-github-app-register.yml +++ b/.github/workflows/build-forge-github-app-register.yml @@ -54,7 +54,7 @@ jobs: - name: Extract metadata (tags, labels) for Docker id: meta - uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0 + uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} diff --git a/.github/workflows/build-pre-commit.yml b/.github/workflows/build-pre-commit.yml index 2452a4d2..ae00cf3c 100644 --- a/.github/workflows/build-pre-commit.yml +++ b/.github/workflows/build-pre-commit.yml @@ -54,7 +54,7 @@ jobs: - name: Extract metadata (tags, labels) for Docker id: meta - uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0 + uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} diff --git a/modules/infra/eks/eks.tf b/modules/infra/eks/eks.tf index aa879be4..f5acd860 100644 --- a/modules/infra/eks/eks.tf +++ b/modules/infra/eks/eks.tf @@ -17,7 +17,7 @@ module "ebs_csi_irsa_role" { module "eks" { source = "terraform-aws-modules/eks/aws" - version = "21.9.0" + version = "21.10.0" name = var.cluster_name kubernetes_version = var.cluster_version diff --git a/modules/infra/eks/karpenter.tf b/modules/infra/eks/karpenter.tf index eff8b74c..32ea05c4 100644 --- a/modules/infra/eks/karpenter.tf +++ b/modules/infra/eks/karpenter.tf @@ -1,6 +1,6 @@ module "karpenter" { source = "terraform-aws-modules/eks/aws//modules/karpenter" - version = "21.9.0" + version = "21.10.0" namespace = "karpenter" cluster_name = var.cluster_name diff --git a/modules/infra/eks/nodes.tf b/modules/infra/eks/nodes.tf index fb143a1b..1c2955e5 100644 --- a/modules/infra/eks/nodes.tf +++ b/modules/infra/eks/nodes.tf @@ -9,7 +9,7 @@ data "aws_ami" "eks_default" { } module "self_managed_node_group" { source = "terraform-aws-modules/eks/aws//modules/self-managed-node-group" - version = "21.9.0" + version = "21.10.0" name = var.cluster_name cluster_name = var.cluster_name From 5b88970a9c1138701b09df2d36f6cbc44450ee22 Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Mon, 1 Dec 2025 00:11:20 +0100 Subject: [PATCH 03/85] feat: add splunk o11y dashboards (#206) * feat: add dashboard for ec2 * feat: add dashboard for k8s * feat: add dashboard for billing * feat: enhance readability * fix: add backend * feat: add options in charts --- .../splunk_o11y_conf_shared/backend.tf | 4 + .../dashboard_billing.tf | 287 +++ .../dashboard_groups.tf | 5 + .../dashboard_runner_ec2.tf | 1705 +++++++++++++++++ .../dashboard_runner_k8s.tf | 553 ++++++ .../splunk_o11y_conf_shared/providers.tf | 17 + .../splunk_o11y_conf_shared/secrets.tf | 20 + .../splunk_o11y_conf_shared/variables.tf | 71 + .../splunk_o11y_conf_shared/versions.tf | 16 + 9 files changed, 2678 insertions(+) create mode 100644 modules/integrations/splunk_o11y_conf_shared/backend.tf create mode 100644 modules/integrations/splunk_o11y_conf_shared/dashboard_billing.tf create mode 100644 modules/integrations/splunk_o11y_conf_shared/dashboard_groups.tf create mode 100644 modules/integrations/splunk_o11y_conf_shared/dashboard_runner_ec2.tf create mode 100644 modules/integrations/splunk_o11y_conf_shared/dashboard_runner_k8s.tf create mode 100644 modules/integrations/splunk_o11y_conf_shared/providers.tf create mode 100644 modules/integrations/splunk_o11y_conf_shared/secrets.tf create mode 100644 modules/integrations/splunk_o11y_conf_shared/variables.tf create mode 100644 modules/integrations/splunk_o11y_conf_shared/versions.tf diff --git a/modules/integrations/splunk_o11y_conf_shared/backend.tf b/modules/integrations/splunk_o11y_conf_shared/backend.tf new file mode 100644 index 00000000..ca3c8dcb --- /dev/null +++ b/modules/integrations/splunk_o11y_conf_shared/backend.tf @@ -0,0 +1,4 @@ +terraform { + # Intentionally empty. Will be filled by Terragrunt. + backend "s3" {} +} diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboard_billing.tf b/modules/integrations/splunk_o11y_conf_shared/dashboard_billing.tf new file mode 100644 index 00000000..20214a1a --- /dev/null +++ b/modules/integrations/splunk_o11y_conf_shared/dashboard_billing.tf @@ -0,0 +1,287 @@ +resource "signalfx_time_chart" "cost_per_service" { + name = "Cost per service" + description = "" + + program_text = <<-EOF +A = data('forge.per_service.cost_usd') +B = A.max(by=['usage_date', 'service', 'forgecicd_tenant','usage_month', 'usage_year']) +C = B.sum(by=['service', 'forgecicd_tenant','usage_month', 'usage_year']) + +# publish both current and baseline +C.publish(label='current') +EOF + + plot_type = "AreaChart" + + axes_precision = 0 + on_chart_legend_dimension = "service" + time_range = 3600 + + histogram_options { + color_theme = "gold" + } + + viz_options { + axis = "left" + color = "blue" + display_name = "current" + label = "current" + } +} + +resource "signalfx_time_chart" "net_cost_per_service" { + name = "Net Cost per service" + description = "" + + program_text = <<-EOF +A = data('forge.per_service.net_cost_usd') +B = A.max(by=['usage_date', 'service', 'forgecicd_tenant','usage_month', 'usage_year']) +C = B.sum(by=['service', 'forgecicd_tenant','usage_month', 'usage_year']) # removes usage_date from label + +# publish both current and baseline +C.publish(label='current') +EOF + + plot_type = "AreaChart" + + axes_precision = 0 + time_range = 3600 + + histogram_options { + color_theme = "gold" + } + + viz_options { + axis = "left" + color = "blue" + display_name = "current" + label = "current" + } +} + +resource "signalfx_time_chart" "net_cost_per_tenant" { + name = "Net Cost per tenant" + description = "" + + program_text = <<-EOF +A = data('forge.per_service.net_cost_usd') +B = A.max(by=['usage_date', 'service', 'forgecicd_tenant','usage_month', 'usage_year']) +C = B.sum(by=['forgecicd_tenant','usage_month', 'usage_year']) +D = C.timeshift('29d') + +# publish both current and baseline +C.publish(label='current') +#D.publish(label='baseline') +EOF + + plot_type = "AreaChart" + + axes_precision = 0 + time_range = 3600 + + histogram_options { + color_theme = "gold" + } + + viz_options { + axis = "left" + color = "blue" + display_name = "current" + label = "current" + } +} + +resource "signalfx_time_chart" "cost_per_tenant" { + name = "Cost per tenant" + description = "" + + program_text = <<-EOF +A = data('forge.per_service.cost_usd') +B = A.max(by=['usage_date', 'service', 'forgecicd_tenant','usage_month', 'usage_year']) +C = B.sum(by=['forgecicd_tenant','usage_month', 'usage_year']) +D = C.timeshift('29d') + +# publish both current and baseline +C.publish(label='current') +#D.publish(label='baseline') +EOF + + plot_type = "AreaChart" + + axes_precision = 0 + on_chart_legend_dimension = "service" + time_range = 3600 + + histogram_options { + color_theme = "gold" + } + + viz_options { + axis = "left" + color = "blue" + display_name = "current" + label = "current" + } +} + +resource "signalfx_time_chart" "total_cost" { + name = "Total Cost" + description = "" + + program_text = <<-EOF +A = data('forge.per_service.cost_usd') + +# Take max per day/service/tenant, carrying forward last value if missing +B = A.max(by=['usage_date', 'service', 'forgecicd_tenant','usage_month', 'usage_year']) + +# Sum by month, still carrying forward where needed +C = B.sum(by=['usage_month', 'usage_year']) + +# Shift by 29 days to get a baseline comparison +D = C.timeshift('29d') + +# Publish both +C.publish(label='current') +D.publish(label='baseline') +EOF + + plot_type = "AreaChart" + axes_precision = 0 + on_chart_legend_dimension = "service" + + + time_range = 3600 + histogram_options { + color_theme = "gold" + } + + viz_options { + axis = "left" + color = "blue" + display_name = "current" + label = "current" + } + viz_options { + axis = "left" + color = "red" + display_name = "baseline" + label = "baseline" + } +} + +resource "signalfx_time_chart" "total_net_cost" { + name = "Total Net Cost" + description = "" + + program_text = <<-EOF +A = data('forge.per_service.net_cost_usd') + +# Take max per day/service/tenant, carrying forward last value if missing +B = A.max(by=['usage_date', 'service', 'forgecicd_tenant','usage_month', 'usage_year']) + +# Sum by month, still carrying forward where needed +C = B.sum(by=['usage_month', 'usage_year']) + +# Shift by 29 days to get a baseline comparison +D = C.timeshift('29d') + +# Publish both +C.publish(label='current') +# D.publish(label='baseline') +EOF + + plot_type = "AreaChart" + axes_precision = 0 + + time_range = 3600 + + histogram_options { + color_theme = "gold" + } + + viz_options { + axis = "left" + color = "blue" + display_name = "current" + label = "current" + } +} + +resource "signalfx_dashboard" "billing" { + name = "Billing" + description = "" + dashboard_group = signalfx_dashboard_group.forgecicd.id + + time_range = "-31d" + + variable { + property = "forgecicd_tenant" + alias = "ForgeCICD Tenant Name" + description = "" + values = [] + value_required = false + values_suggested = var.dashboard_variables.runner_k8s.tenant_names + } + + dynamic "variable" { + for_each = var.dashboard_variables.billing.dynamic_variables + iterator = var_def + + content { + property = var_def.value.property + alias = var_def.value.alias + description = var_def.value.description + values = var_def.value.values + value_required = var_def.value.value_required + values_suggested = var_def.value.values_suggested + } + } + + chart { + chart_id = signalfx_time_chart.cost_per_service.id + row = 0 + column = 0 + width = 6 + height = 1 + } + + chart { + chart_id = signalfx_time_chart.net_cost_per_service.id + row = 0 + column = 6 + width = 6 + height = 1 + } + + chart { + chart_id = signalfx_time_chart.cost_per_tenant.id + row = 1 + column = 0 + width = 6 + height = 1 + } + + chart { + chart_id = signalfx_time_chart.net_cost_per_tenant.id + row = 1 + column = 6 + width = 6 + height = 1 + } + + chart { + chart_id = signalfx_time_chart.total_cost.id + row = 2 + column = 0 + width = 6 + height = 1 + } + + chart { + chart_id = signalfx_time_chart.total_net_cost.id + row = 2 + column = 6 + width = 6 + height = 1 + } +} diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboard_groups.tf b/modules/integrations/splunk_o11y_conf_shared/dashboard_groups.tf new file mode 100644 index 00000000..6d4ee47e --- /dev/null +++ b/modules/integrations/splunk_o11y_conf_shared/dashboard_groups.tf @@ -0,0 +1,5 @@ +resource "signalfx_dashboard_group" "forgecicd" { + name = "ForgeCICD Dashboards" + description = "" + teams = [var.team] +} diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboard_runner_ec2.tf b/modules/integrations/splunk_o11y_conf_shared/dashboard_runner_ec2.tf new file mode 100644 index 00000000..3c82c26c --- /dev/null +++ b/modules/integrations/splunk_o11y_conf_shared/dashboard_runner_ec2.tf @@ -0,0 +1,1705 @@ +resource "signalfx_time_chart" "chart_disk_ops" { + name = "# Disk ops" + + program_text = <<-EOF +A = data('^aws.ec2.disk.ops.write.total', extrapolation='last_value', maxExtrapolations=5).sum().publish(label='A') +B = data('^aws.ec2.disk.ops.read.total', extrapolation='last_value', maxExtrapolations=5).sum().publish(label='B') +EOF + + plot_type = "ColumnChart" + on_chart_legend_dimension = "plot_label" + time_range = 3600 + + axes_precision = 0 + + axis_left { + min_value = 0 + } + axis_right { + min_value = 0 + } + + histogram_options { + color_theme = "gold" + } + + legend_options_fields { + enabled = true + property = "sf_metric" + } + + viz_options { + axis = "left" + color = "blue" + display_name = "Write ops" + label = "A" + } + viz_options { + axis = "right" + color = "orange" + display_name = "Read ops" + label = "B" + } +} + +resource "signalfx_time_chart" "chart_total_memory_overview_bytes" { + name = "Total memory overview (bytes)" + description = "From hosts with agent installed" + + program_text = <<-EOF +C = data('system.memory.usage', filter=filter('state', 'free') and filter('cloud.platform', 'aws_ec2', 'aws_eks')).sum().publish(label='C') +F = data('system.memory.usage', filter=filter('state', 'used') and filter('cloud.platform', 'aws_ec2', 'aws_eks')).sum().publish(label='F') +A = data('system.memory.usage', filter=filter('state', 'buffered') and filter('cloud.platform', 'aws_ec2', 'aws_eks')).sum().publish(label='A') +B = data('system.memory.usage', filter=filter('state', 'cached') and filter('cloud.platform', 'aws_ec2', 'aws_eks')).sum().publish(label='B') +D = data('system.memory.usage', filter=filter('state', 'slab_reclaimable') and filter('cloud.platform', 'aws_ec2', 'aws_eks')).sum().publish(label='D') +E = data('system.memory.usage', filter=filter('state', 'slab_unreclaimable') and filter('cloud.platform', 'aws_ec2', 'aws_eks')).sum().publish(label='E') +EOF + + plot_type = "AreaChart" + + axes_precision = 4 + on_chart_legend_dimension = "plot_label" + stacked = true + unit_prefix = "Binary" + + time_range = 3600 + + histogram_options { + color_theme = "gold" + } + + legend_options_fields { + enabled = true + property = "sf_originatingMetric" + } + legend_options_fields { + enabled = true + property = "sf_metric" + } + + viz_options { + axis = "left" + color = "azure" + display_name = "Cached" + label = "B" + value_unit = "Byte" + } + viz_options { + axis = "left" + color = "emerald" + display_name = "Free" + label = "C" + value_unit = "Byte" + } + viz_options { + axis = "left" + color = "pink" + display_name = "Unreclaimable" + label = "E" + value_unit = "Byte" + } + viz_options { + axis = "left" + color = "red" + display_name = "Used" + label = "F" + value_unit = "Byte" + } + viz_options { + axis = "left" + color = "violet" + display_name = "Reclaimable" + label = "D" + value_unit = "Byte" + } + viz_options { + axis = "left" + color = "yellow" + display_name = "Buffered" + label = "A" + value_unit = "Byte" + } +} + +resource "signalfx_time_chart" "chart_network_out_bytes_vs_24h_change" { + name = "Network out (bytes) vs. 24h change (%)" + + program_text = <<-EOF +A = data('^aws.ec2.network.io.transmit.total', extrapolation='last_value', maxExtrapolations=5).sum().mean(over='1h').publish(label='A') +B = (A).timeshift('1d').publish(label='B', enable=False) +C = (A/B-1).scale(100).publish(label='C') +EOF + + plot_type = "ColumnChart" + + axes_precision = 0 + unit_prefix = "Binary" + on_chart_legend_dimension = "plot_label" + + time_range = 3600 + + histogram_options { + color_theme = "gold" + } + + legend_options_fields { + enabled = true + property = "sf_metric" + } + + viz_options { + axis = "left" + display_name = "A - timeshift 1d" + label = "B" + } + viz_options { + axis = "left" + color = "blue" + display_name = "Network out" + label = "A" + value_unit = "Byte" + } + viz_options { + axis = "right" + color = "orange" + display_name = "24h change (%)" + label = "C" + plot_type = "LineChart" + } +} + +resource "signalfx_time_chart" "chart_network_out_bytes" { + name = "Network out (bytes)" + description = "Percentile distribution across all active hosts" + + program_text = <<-EOF +A = data('^aws.ec2.network.io.transmit.total', extrapolation='last_value', maxExtrapolations=5).publish(label='A', enable=False) +B = (A).min().publish(label='B') +C = (A).percentile(pct=10).publish(label='C') +D = (A).percentile(pct=50).publish(label='D') +E = (A).percentile(pct=90).publish(label='E') +F = (A).max().publish(label='F') +EOF + + plot_type = "AreaChart" + + axes_precision = 0 + unit_prefix = "Binary" + on_chart_legend_dimension = "plot_label" + + time_range = 3600 + + axis_left { + min_value = 0 + label = "Bytes" + } + + histogram_options { + color_theme = "gold" + } + + legend_options_fields { + enabled = true + property = "sf_metric" + } + + viz_options { + axis = "left" + display_name = "Network bytes out" + label = "A" + value_unit = "Byte" + } + viz_options { + axis = "left" + color = "azure" + display_name = "Median" + label = "D" + value_unit = "Byte" + } + viz_options { + axis = "left" + color = "chartreuse" + display_name = "Min" + label = "B" + value_unit = "Byte" + } + viz_options { + axis = "left" + color = "pink" + display_name = "P90" + label = "E" + value_unit = "Byte" + } + viz_options { + axis = "left" + color = "red" + display_name = "Max" + label = "F" + value_unit = "Byte" + } + viz_options { + axis = "left" + color = "yellowgreen" + display_name = "P10" + label = "C" + value_unit = "Byte" + } +} + +resource "signalfx_list_chart" "chart_top_instances_by_cpu_utilization" { + name = "Top instances by CPU utilization (%)" + description = "By AWSUniqueId" + + program_text = "A = data('^aws.ec2.cpu.utilization', extrapolation='last_value', maxExtrapolations=5).mean(by=['AWSUniqueId']).top(count=5).publish(label='A')" + + sort_by = "-value" + + color_by = "Scale" + refresh_interval = 60 + max_precision = 4 + time_range = 900 + secondary_visualization = "None" + + color_scale { + color = "blue" + gt = 0 + } + color_scale { + color = "red" + lte = 0 + } + + legend_options_fields { + enabled = true + property = "AWSUniqueId" + } + legend_options_fields { + enabled = false + property = "sf_metric" + } + legend_options_fields { + enabled = false + property = "aws_instance_id" + } + + viz_options { + display_name = "Top instances by CPU utilization" + label = "A" + value_suffix = "%" + } +} + +resource "signalfx_time_chart" "chart_disk_utilization" { + name = "Disk utilization (%)" + description = "Percentile distribution across active hosts with agent installed" + + program_text = <<-EOF +B = data('system.filesystem.usage', filter=filter('cloud.platform', 'aws_ec2', 'aws_eks') and filter('state', 'used')).publish(label='B', enable=False) +C = data('system.filesystem.usage', filter=filter('cloud.platform', 'aws_ec2', 'aws_eks') and filter('state', 'free')).publish(label='C', enable=False) +D = ((B/(B+C))*100).mean(by=['AWSUniqueId']).publish(label='D', enable=False) +E = (D).min().publish(label='E') +F = (D).percentile(pct=10).publish(label='F') +G = (D).percentile(pct=50).publish(label='G') +H = (D).percentile(pct=90).publish(label='H') +I = (D).max().publish(label='I') +A = alerts(autodetect_id='F6cykK5AYAA', filter=filter('aws_tag_ProductFamilyName', 'Forge MT')).publish(label='A') +EOF + + plot_type = "AreaChart" + + axes_precision = 0 + + on_chart_legend_dimension = "plot_label" + time_range = 3600 + + event_options { + display_name = "Autodetect alerts" + label = "A" + } + + histogram_options { + color_theme = "gold" + } + + legend_options_fields { + enabled = true + property = "sf_originatingMetric" + } + legend_options_fields { + enabled = true + property = "sf_metric" + } + legend_options_fields { + enabled = true + property = "aws_instance_id" + } + legend_options_fields { + enabled = true + property = "k8s.cluster.name" + } + legend_options_fields { + enabled = true + property = "host.image.id" + } + legend_options_fields { + enabled = true + property = "os.type" + } + legend_options_fields { + enabled = true + property = "type" + } + legend_options_fields { + enabled = true + property = "AWSUniqueId" + } + legend_options_fields { + enabled = true + property = "host.type" + } + legend_options_fields { + enabled = true + property = "cloud.availability_zone" + } + legend_options_fields { + enabled = true + property = "mountpoint" + } + legend_options_fields { + enabled = true + property = "mode" + } + legend_options_fields { + enabled = true + property = "host.name" + } + legend_options_fields { + enabled = true + property = "cloud.platform" + } + legend_options_fields { + enabled = true + property = "host.id" + } + legend_options_fields { + enabled = true + property = "cloud.region" + } + legend_options_fields { + enabled = true + property = "cloud.provider" + } + legend_options_fields { + enabled = true + property = "k8s.node.name" + } + legend_options_fields { + enabled = true + property = "cloud.account.id" + } + legend_options_fields { + enabled = true + property = "device" + } + legend_options_fields { + enabled = true + property = "deployment.environment" + } + legend_options_fields { + enabled = true + property = "state" + } + legend_options_fields { + enabled = true + property = "azure.resourcegroup.name" + } + legend_options_fields { + enabled = true + property = "azure.vm.name" + } + legend_options_fields { + enabled = true + property = "azure.vm.size" + } + legend_options_fields { + enabled = true + property = "azure_resource_id" + } + legend_options_fields { + enabled = true + property = "azure.vm.scaleset.name" + } + legend_options_fields { + enabled = true + property = "gcp_id" + } + + viz_options { + axis = "left" + display_name = "Disk utilization" + label = "D" + value_suffix = "%" + } + viz_options { + axis = "left" + display_name = "Free disk" + label = "C" + value_suffix = "%" + } + viz_options { + axis = "left" + display_name = "Used disk" + label = "B" + value_suffix = "%" + } + viz_options { + axis = "left" + color = "azure" + display_name = "P50" + label = "G" + } + viz_options { + axis = "left" + color = "chartreuse" + display_name = "Min" + label = "E" + } + viz_options { + axis = "left" + color = "pink" + display_name = "P90" + label = "H" + } + viz_options { + axis = "left" + color = "red" + display_name = "Max" + label = "I" + } + viz_options { + axis = "left" + color = "yellowgreen" + display_name = "P10" + label = "F" + } +} + +resource "signalfx_list_chart" "chart_disk_metrics_24h_change" { + name = "Disk metrics 24h change (%)" + description = "Change over 24h" + + program_text = <<-EOF +A = data('^aws.ec2.disk.ops.read.total').sum().mean(over='1h').scale(60).publish(label='A', enable=False) +B = (A).timeshift('1d').publish(label='B', enable=False) +C = (A/B-1).scale(100).publish(label='C') +D = data('^aws.ec2.disk.ops.write.total').sum().mean(over='1h').scale(60).publish(label='D', enable=False) +E = (D).timeshift('1d').publish(label='E', enable=False) +F = (D/E-1).scale(100).publish(label='F') +G = data('^aws.ec2.disk.io.read.total').sum().mean(over='1h').scale(60).publish(label='G', enable=False) +H = (G).timeshift('1d').publish(label='H', enable=False) +I = (G/H-1).scale(100).publish(label='I') +J = data('^aws.ec2.disk.io.write.total').sum().mean(over='1h').scale(60).publish(label='J', enable=False) +K = (J).timeshift('1d').publish(label='K', enable=False) +L = (J/K-1).scale(100).publish(label='L') +EOF + + sort_by = "-value" + + color_by = "Scale" + unit_prefix = "Binary" + max_precision = 4 + secondary_visualization = "Sparkline" + time_range = 900 + refresh_interval = 60 + + color_scale { + color = "blue" + gt = 0 + } + color_scale { + color = "red" + lte = 0 + } + + legend_options_fields { + enabled = true + property = "sf_metric" + } + legend_options_fields { + enabled = false + property = "AWSUniqueId" + } + + viz_options { + display_name = "A - timeshift 1d" + label = "B" + } + viz_options { + display_name = "D - timeshift 1d" + label = "E" + } + viz_options { + display_name = "Disk I/O read" + label = "I" + value_suffix = "%" + } + viz_options { + display_name = "Disk I/O write" + label = "L" + value_suffix = "%" + } + viz_options { + display_name = "Disk ops read" + label = "C" + value_suffix = "%" + } + viz_options { + display_name = "Disk ops write" + label = "F" + value_suffix = "%" + } + viz_options { + display_name = "G - timeshift 1d" + label = "H" + } + viz_options { + display_name = "J - timeshift 1d" + label = "K" + } + viz_options { + display_name = "^aws.ec2.disk.io.read.total - sum - mean(1h) - scale:60" + label = "G" + } + viz_options { + display_name = "^aws.ec2.disk.io.write.total - sum - mean(1h) - scale:60" + label = "J" + } + viz_options { + display_name = "^aws.ec2.disk.ops.read.total - sum - mean(1h) - scale:60" + label = "A" + } + viz_options { + display_name = "^aws.ec2.disk.ops.write.total - sum - mean(1h) - scale:60" + label = "D" + } +} + +resource "signalfx_list_chart" "chart_top_images_by_mean_cpu_utilization" { + name = "Top images by mean CPU utilization (%)" + description = "By aws_image_id" + + program_text = <<-EOF +A = data('CPUUtilization', filter=filter('namespace', 'AWS/EC2') and filter('stat', 'mean'), extrapolation='last_value', maxExtrapolations=5).mean(by=['aws_image_id']).top(count=5).publish(label='A',enable=False) +B = data('cpu.utilization', filter=filter('cloud.platform', 'aws_ec2', 'aws_eks'), extrapolation='last_value', maxExtrapolations=5).dimensions(renames={'aws_image_id':'host.image.id'}).mean(by=['aws_image_id']).top(count=5).publish(label='B',enable=False) +C = union(A,B).top(count=5).publish("C") +EOF + + sort_by = "-value" + + color_by = "Scale" + time_range = 900 + refresh_interval = 60 + max_precision = 4 + secondary_visualization = "None" + + color_scale { + color = "blue" + gt = 0 + } + color_scale { + color = "red" + lte = 0 + } + + legend_options_fields { + enabled = true + property = "aws_image_id" + } + legend_options_fields { + enabled = false + property = "sf_metric" + } + + viz_options { + display_name = "CPU utilization - OTel" + label = "B" + } + viz_options { + display_name = "CPU utilization - cloudWatch" + label = "A" + value_suffix = "%" + } + viz_options { + display_name = "Union" + label = "C" + value_suffix = "%" + } +} + +resource "signalfx_time_chart" "chart_network_in_bytes" { + name = "Network in (bytes)" + description = "Percentile distribution across all active hosts" + + program_text = <<-EOF +A = data('^aws.ec2.network.io.receive.total', extrapolation='last_value', maxExtrapolations=5).publish(label='A', enable=False) +B = (A).min().publish(label='B') +C = (A).percentile(pct=10).publish(label='C') +D = (A).percentile(pct=50).publish(label='D') +E = (A).percentile(pct=90).publish(label='E') +F = (A).max().publish(label='F') +EOF + + plot_type = "AreaChart" + + axes_precision = 0 + unit_prefix = "Binary" + on_chart_legend_dimension = "plot_label" + + time_range = 3600 + + axis_left { + min_value = 0 + label = "Bytes" + } + + histogram_options { + color_theme = "gold" + } + + legend_options_fields { + enabled = true + property = "sf_metric" + } + + viz_options { + axis = "left" + display_name = "Network bytes in" + label = "A" + } + viz_options { + axis = "left" + color = "azure" + display_name = "Median" + label = "D" + value_unit = "Byte" + } + viz_options { + axis = "left" + color = "chartreuse" + display_name = "Min" + label = "B" + value_unit = "Byte" + } + viz_options { + axis = "left" + color = "pink" + display_name = "P90" + label = "E" + value_unit = "Byte" + } + viz_options { + axis = "left" + color = "red" + display_name = "Max" + label = "F" + value_unit = "Byte" + } + viz_options { + axis = "left" + color = "yellowgreen" + display_name = "P10" + label = "C" + value_unit = "Byte" + } +} + +resource "signalfx_time_chart" "chart_memory_utilization" { + name = "Memory utilization (%)" + description = "Percentile distribution across active hosts with agent installed" + + program_text = <<-EOF +H = data('system.memory.usage', filter=filter('cloud.platform', 'aws_ec2', 'aws_eks') and filter('state', 'used')).sum(by=['host.name']).publish(label='H', enable=False) +I = data('system.memory.usage', filter=filter('cloud.platform', 'aws_ec2', 'aws_eks') and filter('state', 'used', 'free', 'cached', 'buffered')).sum(by=['host.name']).publish(label='I', enable=False) +J = ((H/I)*100).publish(label='J', enable=False) +C = (J).min().publish(label='C') +D = (J).percentile(pct=10).publish(label='D') +E = (J).percentile(pct=50).publish(label='E') +F = (J).percentile(pct=90).publish(label='F') +G = (J).max().publish(label='G') +A = alerts(autodetect_id='F7vC_VlAYAI', filter=filter('aws_tag_ProductFamilyName', 'Forge MT')).publish(label='A') +EOF + + plot_type = "AreaChart" + + axes_precision = 0 + + on_chart_legend_dimension = "plot_label" + time_range = 3600 + + axis_left { + max_value = 120 + min_value = 0 + } + + event_options { + display_name = "Autodetect alerts" + label = "A" + } + + histogram_options { + color_theme = "gold" + } + + legend_options_fields { + enabled = true + property = "sf_originatingMetric" + } + legend_options_fields { + enabled = true + property = "sf_metric" + } + legend_options_fields { + enabled = true + property = "cloud.region" + } + legend_options_fields { + enabled = true + property = "host.image.id" + } + legend_options_fields { + enabled = true + property = "os.type" + } + legend_options_fields { + enabled = true + property = "AWSUniqueId" + } + legend_options_fields { + enabled = true + property = "host.type" + } + legend_options_fields { + enabled = true + property = "cloud.availability_zone" + } + legend_options_fields { + enabled = true + property = "cloud.provider" + } + legend_options_fields { + enabled = true + property = "cloud.account.id" + } + legend_options_fields { + enabled = true + property = "host.name" + } + legend_options_fields { + enabled = true + property = "state" + } + legend_options_fields { + enabled = true + property = "cloud.platform" + } + legend_options_fields { + enabled = true + property = "host.id" + } + legend_options_fields { + enabled = true + property = "k8s.cluster.name" + } + legend_options_fields { + enabled = true + property = "deployment.environment" + } + legend_options_fields { + enabled = true + property = "k8s.node.name" + } + legend_options_fields { + enabled = true + property = "azure.resourcegroup.name" + } + legend_options_fields { + enabled = true + property = "azure.vm.name" + } + legend_options_fields { + enabled = true + property = "azure.vm.size" + } + legend_options_fields { + enabled = true + property = "azure_resource_id" + } + legend_options_fields { + enabled = true + property = "azure.vm.scaleset.name" + } + legend_options_fields { + enabled = true + property = "gcp_id" + } + legend_options_fields { + enabled = true + property = "telemetry.sdk.name" + } + legend_options_fields { + enabled = true + property = "telemetry.sdk.language" + } + legend_options_fields { + enabled = true + property = "telemetry.sdk.version" + } + legend_options_fields { + enabled = true + property = "service.name" + } + + viz_options { + axis = "left" + display_name = "Memory total" + label = "I" + } + viz_options { + axis = "left" + display_name = "Memory usage" + label = "H" + } + viz_options { + axis = "left" + display_name = "Memory utilization" + label = "J" + } + viz_options { + axis = "left" + color = "azure" + display_name = "Median" + label = "E" + value_suffix = "%" + } + viz_options { + axis = "left" + color = "chartreuse" + display_name = "Min" + label = "C" + value_suffix = "%" + } + viz_options { + axis = "left" + color = "pink" + display_name = "P90" + label = "F" + value_suffix = "%" + } + viz_options { + axis = "left" + color = "red" + display_name = "Max" + label = "G" + value_suffix = "%" + } + viz_options { + axis = "left" + color = "yellowgreen" + display_name = "P10" + label = "D" + value_suffix = "%" + } +} + +resource "signalfx_time_chart" "chart_disk_io_bytes" { + name = "Disk I/O (bytes)" + + program_text = <<-EOF +A = data('^aws.ec2.disk.io.write.total', extrapolation='last_value', maxExtrapolations=5).sum().publish(label='A') +B = data('^aws.ec2.disk.io.read.total', extrapolation='last_value', maxExtrapolations=5).sum().publish(label='B') +EOF + + plot_type = "ColumnChart" + + axes_precision = 0 + unit_prefix = "Binary" + on_chart_legend_dimension = "plot_label" + time_range = 3600 + + axis_left { + min_value = 0 + } + axis_right { + min_value = 0 + } + + histogram_options { + color_theme = "gold" + } + + legend_options_fields { + enabled = true + property = "sf_metric" + } + + viz_options { + axis = "left" + color = "blue" + display_name = "Bytes written" + label = "A" + value_unit = "Byte" + } + viz_options { + axis = "right" + color = "orange" + display_name = "Bytes read" + label = "B" + value_unit = "Byte" + } +} + +resource "signalfx_time_chart" "chart_network_in_bytes_vs_24h_change" { + name = "Network in (bytes) vs. 24h change (%)" + + program_text = <<-EOF +C = (B).timeshift('1d').publish(label='C', enable=False) +A = data('^aws.ec2.network.io.receive.total', extrapolation='last_value', maxExtrapolations=5).sum().publish(label='A') +B = (A).mean(over='1h').publish(label='B', enable=False) +D = (B/C-1).scale(100).publish(label='D') +EOF + + plot_type = "ColumnChart" + + axes_precision = 0 + unit_prefix = "Binary" + + on_chart_legend_dimension = "plot_label" + + time_range = 3600 + + histogram_options { + color_theme = "gold" + } + + legend_options_fields { + enabled = true + property = "sf_metric" + } + + viz_options { + axis = "left" + display_name = "A - mean(1h)" + label = "B" + } + viz_options { + axis = "left" + color = "blue" + display_name = "Network in" + label = "A" + value_unit = "Byte" + } + viz_options { + axis = "right" + color = "orange" + display_name = "24h change (%)" + label = "D" + plot_type = "LineChart" + } + viz_options { + axis = "right" + color = "yellow" + display_name = "C" + label = "C" + plot_type = "LineChart" + } +} + +resource "signalfx_list_chart" "chart_total_network_errors" { + name = "# Total network errors" + + program_text = <<-EOF +A = data('system.network.errors', filter=filter('direction', 'receive') and filter('cloud.platform', 'aws_ec2', 'aws_eks')).count().publish(label='A') +B = data('system.network.errors', filter=filter('direction', 'transmit') and filter('cloud.platform', 'aws_ec2', 'aws_eks')).count().publish(label='B') +EOF + + sort_by = "-value" + + color_by = "Metric" + max_precision = 4 + refresh_interval = 60 + time_range = 900 + + legend_options_fields { + enabled = false + property = "sf_originatingMetric" + } + legend_options_fields { + enabled = true + property = "sf_metric" + } + + viz_options { + color = "blue" + display_name = "Errors with bytes in" + label = "A" + } + viz_options { + color = "orange" + display_name = "Errors with bytes out" + label = "B" + } +} + +resource "signalfx_list_chart" "chart_top_memory_page_swaps_sec" { + name = "Top memory page swaps/sec" + description = "From hosts with agent installed" + + program_text = <<-EOF +A = data('vmpage_io.swap.in', filter=filter('cloud.platform', 'aws_ec2', 'aws_eks')).mean(by=['host.name']).top(count=5).publish(label='A') +B = data('vmpage_io.swap.out', filter=filter('cloud.platform', 'aws_ec2', 'aws_eks'), rollup='rate').mean(by=['host.name']).top(count=5).publish(label='B') +EOF + + sort_by = "-value" + + color_by = "Scale" + max_precision = 4 + time_range = 900 + refresh_interval = 60 + + color_scale { + color = "blue" + gt = 0 + } + color_scale { + color = "red" + lte = 0 + } + + legend_options_fields { + enabled = true + property = "host.name" + } + legend_options_fields { + enabled = false + property = "sf_originatingMetric" + } + legend_options_fields { + enabled = false + property = "sf_metric" + } + + viz_options { + display_name = "Pages swapped in" + label = "A" + } + viz_options { + display_name = "Pages swapped out" + label = "B" + } +} + +resource "signalfx_list_chart" "chart_active_hosts_per_instance_type" { + name = "# Active hosts per instance type" + description = "That reported in the last hour" + + program_text = <<-EOF +A = data('CPUUtilization', filter=filter('namespace', 'AWS/EC2') and filter('stat', 'mean'), extrapolation='last_value', maxExtrapolations=5).max(over='1h').count(by=['aws_instance_type']).publish(label='A',enable=False) +A.publish("C") +EOF + + sort_by = "-value" + + color_by = "Scale" + max_precision = 0 + secondary_visualization = "Sparkline" + time_range = 900 + + color_scale { + color = "blue" + gt = 0 + } + color_scale { + color = "red" + lte = 0 + } + + legend_options_fields { + enabled = true + property = "aws_instance_type" + } + legend_options_fields { + enabled = false + property = "sf_metric" + } + + viz_options { + display_name = "CPU utilization - cloudWatch" + label = "A" + } + viz_options { + display_name = "Union" + label = "C" + } +} + +resource "signalfx_time_chart" "chart_cpu_utilization" { + name = "CPU utilization (%)" + description = "Percentile distribution across all active hosts" + + program_text = <<-EOF +AB = alerts(autodetect_id='F7vDCq0AgAE', filter=filter('aws_tag_ProductFamilyName', 'Forge MT')).publish(label='Autodetect alerts') +A = data('^aws.ec2.cpu.utilization', extrapolation='last_value', maxExtrapolations=5).publish(label='A', enable=False) +B = (A).min().publish(label='B') +C = (A).percentile(pct=10).publish(label='C') +D = (A).percentile(pct=50).publish(label='D') +E = (A).percentile(pct=90).publish(label='E') +F = (A).max().publish(label='F') +EOF + + plot_type = "AreaChart" + + axes_precision = 0 + on_chart_legend_dimension = "plot_label" + time_range = 3600 + + axis_left { + max_value = 110 + } + + event_options { + display_name = "Autodetect alerts" + label = "Autodetect alerts" + } + + histogram_options { + color_theme = "gold" + } + + legend_options_fields { + enabled = true + property = "sf_metric" + } + + viz_options { + axis = "left" + display_name = "CPU utilization" + label = "A" + } + viz_options { + axis = "left" + color = "azure" + display_name = "Median" + label = "D" + } + viz_options { + axis = "left" + color = "chartreuse" + display_name = "Min" + label = "B" + } + viz_options { + axis = "left" + color = "pink" + display_name = "P90" + label = "E" + } + viz_options { + axis = "left" + color = "red" + display_name = "Max" + label = "F" + } + viz_options { + axis = "left" + color = "yellowgreen" + display_name = "P10" + label = "C" + } +} + +resource "signalfx_list_chart" "chart_active_hosts_by_availability_zone" { + name = "# Active hosts by availability zone" + description = "That reported in the last hour" + + program_text = <<-EOF +A = data('CPUUtilization', filter=filter('namespace', 'AWS/EC2') and filter('stat', 'mean'), extrapolation='last_value', maxExtrapolations=5).max(over='1h').count(by=['aws_availability_zone']).publish(label='A',enable=False) +B = data('cpu.utilization', filter=filter('cloud.platform', 'aws_ec2', 'aws_eks'), extrapolation='last_value', maxExtrapolations=5).dimensions(renames={'aws_availability_zone':'cloud.availability_zone'}).max(over='1h').count(by=['aws_availability_zone']).publish(label='B',enable=False) +C = union(A,B).publish("C") +EOF + + sort_by = "-value" + + color_by = "Scale" + time_range = 900 + secondary_visualization = "None" + + color_scale { + color = "blue" + gt = 0 + } + color_scale { + color = "red" + lte = 0 + } + + legend_options_fields { + enabled = true + property = "aws_availability_zone" + } + legend_options_fields { + enabled = false + property = "sf_metric" + } + + viz_options { + display_name = "CPU utilization - OTel" + label = "B" + } + viz_options { + display_name = "CPU utilization - cloudWatch" + label = "A" + } + viz_options { + display_name = "Union" + label = "C" + } +} + +resource "signalfx_list_chart" "chart_disk_summary_utilization" { + name = "Disk summary utilization (%)" + description = "Percent of disk space utilized on all volumes on active hosts with agent installed. Instance id | Host" + + program_text = <<-EOF +A = data('system.filesystem.usage', filter=filter('cloud.platform', 'aws_ec2', 'aws_eks') and filter('state', 'used')).publish(label='A', enable=False) +B = data('system.filesystem.usage', filter=filter('cloud.platform', 'aws_ec2', 'aws_eks') and filter('state', 'free')).publish(label='B', enable=False) +C = ((A/(A+B))*100).mean(by=['host.name', 'AWSUniqueId']).publish(label='C') +EOF + + sort_by = "-value" + + max_precision = 4 + time_range = 3600 + + + legend_options_fields { + enabled = false + property = "sf_originatingMetric" + } + legend_options_fields { + enabled = false + property = "sf_metric" + } + legend_options_fields { + enabled = true + property = "aws_instance_id" + } + legend_options_fields { + enabled = true + property = "host.name" + } + legend_options_fields { + enabled = true + property = "AWSUniqueId" + } + legend_options_fields { + enabled = true + property = "host.image.id" + } + legend_options_fields { + enabled = true + property = "os.type" + } + legend_options_fields { + enabled = true + property = "type" + } + legend_options_fields { + enabled = true + property = "host.type" + } + legend_options_fields { + enabled = true + property = "cloud.availability_zone" + } + legend_options_fields { + enabled = true + property = "mountpoint" + } + legend_options_fields { + enabled = true + property = "mode" + } + legend_options_fields { + enabled = true + property = "state" + } + legend_options_fields { + enabled = true + property = "cloud.platform" + } + legend_options_fields { + enabled = true + property = "host.id" + } + legend_options_fields { + enabled = true + property = "cloud.region" + } + legend_options_fields { + enabled = true + property = "cloud.provider" + } + legend_options_fields { + enabled = true + property = "cloud.account.id" + } + legend_options_fields { + enabled = true + property = "device" + } + legend_options_fields { + enabled = true + property = "k8s.cluster.name" + } + legend_options_fields { + enabled = true + property = "k8s.node.name" + } + legend_options_fields { + enabled = true + property = "deployment.environment" + } + + viz_options { + display_name = "Disk free" + label = "B" + value_suffix = "%" + } + viz_options { + display_name = "Disk summary urilzation" + label = "C" + value_suffix = "%" + } + viz_options { + display_name = "Disk used" + label = "A" + value_suffix = "%" + } +} + +resource "signalfx_single_value_chart" "chart_hosts_with_agent_installed" { + name = "# Hosts with agent installed" + description = "Splunk OTel connector installed" + + program_text = "A = data('system.memory.usage', filter=filter('cloud.platform', 'aws_ec2', 'aws_eks'), rollup='average').sum(by=['AWSUniqueId']).count().publish(label='A')" + + color_by = "Dimension" + max_precision = 4 + refresh_interval = 60 + + viz_options { + display_name = "Hosts with agent installed" + label = "A" + } +} + +resource "signalfx_list_chart" "chart_top_5_network_out_bytes" { + name = "Top 5 network out (bytes)" + description = "By AWSUniqueId" + + program_text = "A = data('^aws.ec2.network.io.transmit.total', extrapolation='last_value', maxExtrapolations=5).mean(by=['AWSUniqueId']).top(count=5).publish(label='A')" + + sort_by = "-value" + + color_by = "Scale" + unit_prefix = "Binary" + time_range = 900 + max_precision = 4 + refresh_interval = 60 + secondary_visualization = "None" + + color_scale { + color = "blue" + gt = 0 + } + color_scale { + color = "red" + lte = 0 + } + + legend_options_fields { + enabled = true + property = "AWSUniqueId" + } + legend_options_fields { + enabled = false + property = "sf_metric" + } + legend_options_fields { + enabled = false + property = "aws_instance_id" + } + + viz_options { + display_name = "Network out" + label = "A" + value_unit = "Byte" + } +} + +resource "signalfx_single_value_chart" "chart_active_hosts" { + name = "# Active hosts" + + program_text = "A = data('^aws.ec2.cpu.utilization', extrapolation='last_value', maxExtrapolations=2).sum(by=['AWSUniqueId']).count().publish(label='A')" + + color_by = "Dimension" + max_precision = 4 + refresh_interval = 60 + + viz_options { + display_name = "# Hosts" + label = "A" + } +} + +resource "signalfx_list_chart" "chart_top_5_network_in_bytes" { + name = "Top 5 network in (bytes)" + description = "By AWSUniqueId" + + program_text = "A = data('^aws.ec2.network.io.receive.total', extrapolation='last_value', maxExtrapolations=5).mean(by=['AWSUniqueId']).top(count=5).publish(label='A')" + + sort_by = "-value" + + color_by = "Scale" + unit_prefix = "Binary" + max_precision = 4 + refresh_interval = 60 + time_range = 900 + secondary_visualization = "None" + + color_scale { + color = "blue" + gt = 0 + } + color_scale { + color = "red" + lte = 0 + } + + legend_options_fields { + enabled = true + property = "AWSUniqueId" + } + legend_options_fields { + enabled = false + property = "sf_metric" + } + legend_options_fields { + enabled = false + property = "aws_instance_id" + } + + viz_options { + display_name = "Network in" + label = "A" + value_unit = "Byte" + } +} + + +######################## +# DASHBOARD +######################## + +resource "signalfx_dashboard" "runner_ec2" { + name = "EC2 Runners" + description = "" + dashboard_group = signalfx_dashboard_group.forgecicd.id + + variable { + property = "aws_tag_TenantName" + alias = "ForgeCICD Tenant Name" + description = "" + values = [] + value_required = false + values_suggested = var.dashboard_variables.runner_ec2.tenant_names + } + + variable { + property = "aws_instance_id" + alias = "ForgeCICD Instance ID" + description = "" + values = [] + value_required = false + values_suggested = [] + } + + dynamic "variable" { + for_each = var.dashboard_variables.runner_ec2.dynamic_variables + iterator = var_def + + content { + property = var_def.value.property + alias = var_def.value.alias + description = var_def.value.description + values = var_def.value.values + value_required = var_def.value.value_required + values_suggested = var_def.value.values_suggested + } + } + chart { + chart_id = signalfx_single_value_chart.chart_active_hosts.id + row = 0 + column = 0 + width = 3 + height = 1 + } + chart { + chart_id = signalfx_single_value_chart.chart_hosts_with_agent_installed.id + row = 0 + column = 3 + width = 3 + height = 1 + } + chart { + chart_id = signalfx_list_chart.chart_active_hosts_per_instance_type.id + row = 0 + column = 9 + width = 3 + height = 1 + } + chart { + chart_id = signalfx_list_chart.chart_active_hosts_by_availability_zone.id + row = 0 + column = 6 + width = 3 + height = 1 + } + chart { + chart_id = signalfx_time_chart.chart_cpu_utilization.id + row = 1 + column = 0 + width = 4 + height = 1 + } + chart { + chart_id = signalfx_list_chart.chart_top_instances_by_cpu_utilization.id + row = 1 + column = 4 + width = 4 + height = 1 + } + chart { + chart_id = signalfx_list_chart.chart_top_images_by_mean_cpu_utilization.id + row = 1 + column = 8 + width = 4 + height = 1 + } + chart { + chart_id = signalfx_time_chart.chart_total_memory_overview_bytes.id + row = 2 + column = 4 + width = 4 + height = 1 + } + chart { + chart_id = signalfx_list_chart.chart_top_memory_page_swaps_sec.id + row = 2 + column = 8 + width = 4 + height = 1 + } + chart { + chart_id = signalfx_time_chart.chart_memory_utilization.id + row = 2 + column = 0 + width = 4 + height = 1 + } + chart { + chart_id = signalfx_list_chart.chart_disk_metrics_24h_change.id + row = 3 + column = 9 + width = 3 + height = 1 + } + chart { + chart_id = signalfx_time_chart.chart_disk_io_bytes.id + row = 3 + column = 6 + width = 3 + height = 1 + } + chart { + chart_id = signalfx_time_chart.chart_disk_utilization.id + row = 3 + column = 0 + width = 3 + height = 1 + } + chart { + chart_id = signalfx_time_chart.chart_disk_ops.id + row = 3 + column = 3 + width = 3 + height = 1 + } + chart { + chart_id = signalfx_list_chart.chart_top_5_network_in_bytes.id + row = 4 + column = 6 + width = 3 + height = 1 + } + chart { + chart_id = signalfx_time_chart.chart_network_in_bytes_vs_24h_change.id + row = 4 + column = 9 + width = 3 + height = 1 + } + chart { + chart_id = signalfx_list_chart.chart_disk_summary_utilization.id + row = 4 + column = 0 + width = 6 + height = 2 + } + chart { + chart_id = signalfx_list_chart.chart_top_5_network_out_bytes.id + row = 5 + column = 6 + width = 3 + height = 1 + } + chart { + chart_id = signalfx_time_chart.chart_network_out_bytes_vs_24h_change.id + row = 5 + column = 9 + width = 3 + height = 1 + } + chart { + chart_id = signalfx_time_chart.chart_network_out_bytes.id + row = 6 + column = 8 + width = 4 + height = 1 + } + chart { + chart_id = signalfx_time_chart.chart_network_in_bytes.id + row = 6 + column = 0 + width = 4 + height = 1 + } + chart { + chart_id = signalfx_list_chart.chart_total_network_errors.id + row = 6 + column = 4 + width = 4 + height = 1 + } + +} diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboard_runner_k8s.tf b/modules/integrations/splunk_o11y_conf_shared/dashboard_runner_k8s.tf new file mode 100644 index 00000000..a67d6697 --- /dev/null +++ b/modules/integrations/splunk_o11y_conf_shared/dashboard_runner_k8s.tf @@ -0,0 +1,553 @@ +resource "signalfx_single_value_chart" "k8s_available_pods_by_deployments" { + name = "# Available pods by deployments" + description = "Number of pods ready by deployments" + + program_text = "A = data('k8s.deployment.available', rollup='latest').sum(by=['k8s.cluster.name', 'k8s.namespace.name', 'k8s.deployment.name']).sum().publish(label='A')" + + # optional: time_range = "-15m" + color_by = "Dimension" + refresh_interval = 5 + + viz_options { + display_name = "Available pods" + label = "A" + } +} + +resource "signalfx_list_chart" "k8s_top_10_cpu_usage_per_pod" { + name = "Top 10 CPU usage per pod (CPU units)" + description = "Pod name | Node name" + + program_text = <<-EOF +A = data('container_cpu_utilization', rollup='rate').mean(by=['k8s.pod.name', 'k8s.node.name', 'k8s.cluster.name', 'k8s.pod.uid']).scale(0.01).top(count=10).publish(label='A') +B = data('container.cpu.time').mean(by=['k8s.pod.name', 'k8s.node.name', 'k8s.cluster.name', 'k8s.pod.uid']).top(count=10).publish(label='B') +EOF + + sort_by = "-value" + + disable_sampling = true + hide_missing_values = true + max_precision = 5 + refresh_interval = 5 + time_range = 900 + + legend_options_fields { + enabled = false + property = "sf_metric" + } + legend_options_fields { + enabled = true + property = "k8s.pod.name" + } + legend_options_fields { + enabled = true + property = "k8s.node.name" + } + legend_options_fields { + enabled = false + property = "sf_originatingMetric" + } + legend_options_fields { + enabled = false + property = "k8s.cluster.name" + } + legend_options_fields { + enabled = false + property = "k8s.pod.uid" + } + + viz_options { + display_name = "OTel pre translated CPU usage" + label = "B" + } + viz_options { + display_name = "Top 10 pods by average CPU usage" + label = "A" + } +} + +resource "signalfx_time_chart" "k8s_network_bytes_per_sec" { + name = "Network bytes / sec" + description = "" + + program_text = "A = data('k8s.pod.network.io', filter=filter('k8s.cluster.name', '*') and filter('k8s.namespace.name', '*') and filter('sf_tags', '*', match_missing=True) and filter('k8s.deployment.name', '*', match_missing=True), rollup='rate', extrapolation='zero').sum(by=['k8s.pod.name', 'k8s.node.name', 'k8s.cluster.name', 'k8s.pod.uid']).publish(label='A')" + + plot_type = "ColumnChart" + + time_range = 900 + unit_prefix = "Binary" + + axes_precision = 0 + + disable_sampling = true + axis_left { + high_watermark = 179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + label = "Rx bytes /sec (RED)" + low_watermark = -179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + max_value = 179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + min_value = 0 + } + + axis_right { + high_watermark = 179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + label = "Tx bytes /sec (BLUE)" + low_watermark = -179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + max_value = 179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + min_value = 0 + } + + histogram_options { + color_theme = "gold" + } + + viz_options { + axis = "left" + color = "brown" + display_name = "Network bytes / sec" + label = "A" + value_unit = "Byte" + } +} + +resource "signalfx_single_value_chart" "k8s_desired_pods_by_deployments" { + name = "# Desired pods by deployments" + description = "Number of pods that should be created by deployments" + + program_text = "A = data('k8s.deployment.desired', rollup='latest').sum(by=['k8s.cluster.name', 'k8s.namespace.name', 'k8s.deployment.name']).sum().publish(label='A')" + + color_by = "Dimension" + refresh_interval = 5 + + viz_options { + display_name = "Desired pods by deployments" + label = "A" + } +} + +resource "signalfx_list_chart" "k8s_network_errors_per_sec" { + name = "Network errors / sec" + description = "" + + program_text = "A = data('k8s.pod.network.errors', filter=filter('k8s.cluster.name', '*') and filter('k8s.namespace.name', '*') and filter('k8s.deployment.name', '*', match_missing=True) and filter('sf_tags', '*', match_missing=True), rollup='rate').sum(by=['k8s.pod.name', 'k8s.cluster.name', 'k8s.node.name', 'k8s.pod.uid']).publish(label='A')" + + sort_by = "-value" + + disable_sampling = true + max_precision = 4 + refresh_interval = 5 + time_range = 900 + + legend_options_fields { + enabled = true + property = "k8s.pod.name" + } + legend_options_fields { + enabled = false + property = "sf_originatingMetric" + } + legend_options_fields { + enabled = false + property = "sf_metric" + } + legend_options_fields { + enabled = true + property = "k8s.node.name" + } + legend_options_fields { + enabled = false + property = "k8s.cluster.name" + } + legend_options_fields { + enabled = false + property = "k8s.pod.uid" + } + + viz_options { + color = "brown" + display_name = "Network error / sec" + label = "A" + } +} + +resource "signalfx_time_chart" "k8s_memory_usage_pct" { + name = "Memory usage (%)" + description = "With EKS/Fargate metric data can possibly go >100%" + + program_text = <<-EOF +A = data('container.memory.usage', filter=filter('k8s.cluster.name', '*') and filter('k8s.namespace.name', '*') and filter('k8s.deployment.name', '*', match_missing=True) and filter('sf_tags', '*', match_missing=True)).sum(by=['k8s.pod.name', 'k8s.node.name', 'k8s.cluster.name', 'k8s.pod.uid']).publish(label='A', enable=False) +B = data('k8s.container.memory_limit', filter=filter('k8s.cluster.name', '*') and filter('k8s.namespace.name', '*') and filter('k8s.deployment.name', '*', match_missing=True) and filter('sf_tags', '*', match_missing=True)).sum(by=['k8s.pod.name', 'k8s.node.name', 'k8s.cluster.name', 'k8s.pod.uid']).above(0, inclusive=True).publish(label='B', enable=False) +C = (A/B*100).publish(label='C') +EOF + + plot_type = "LineChart" + + + time_range = 900 + disable_sampling = true + axes_precision = 0 + axes_include_zero = true + + + axis_left { + high_watermark = 179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + label = "% memory used" + low_watermark = -179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + max_value = 110 + min_value = -179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + } + + histogram_options { + color_theme = "gold" + } + + legend_options_fields { + enabled = true + property = "k8s.pod.name" + } + legend_options_fields { + enabled = false + property = "sf_metric" + } + legend_options_fields { + enabled = true + property = "k8s.node.name" + } + legend_options_fields { + enabled = true + property = "k8s.cluster.name" + } + legend_options_fields { + enabled = true + property = "k8s.pod.uid" + } + + viz_options { + axis = "left" + display_name = "Memory used (%)" + label = "C" + value_suffix = "%" + } + viz_options { + axis = "left" + color = "blue" + display_name = "Container" + label = "A" + } + viz_options { + axis = "left" + color = "yellow" + display_name = "Limit" + label = "B" + } +} + +resource "signalfx_single_value_chart" "k8s_active_pods" { + name = "# Active pods" + description = "This may include \"pause\" containers used internally by k8s" + + program_text = "A = data('k8s.pod.phase').between(1.5, 2.5, low_inclusive=True, high_inclusive=True).count().publish(label='A')" + + color_by = "Dimension" + refresh_interval = 5 + + viz_options { + display_name = "Number of pods" + label = "A" + } +} + +resource "signalfx_list_chart" "k8s_top_10_pods_by_avg_memory_usage" { + name = "Top 10 pods by average memory usage (bytes)" + description = "Pod name | Node name" + + program_text = "A = data('container.memory.usage', filter=filter('k8s.cluster.name', '*') and filter('k8s.namespace.name', '*') and filter('k8s.deployment.name', '*', match_missing=True) and filter('sf_tags', '*', match_missing=True)).mean(by=['k8s.pod.name', 'k8s.node.name', 'k8s.cluster.name', 'k8s.pod.uid']).top(count=10).publish(label='A')" + + sort_by = "-value" + + disable_sampling = true + unit_prefix = "Binary" + refresh_interval = 5 + max_precision = 4 + secondary_visualization = "None" + time_range = 900 + + legend_options_fields { + enabled = true + property = "k8s.pod.name" + } + legend_options_fields { + enabled = false + property = "sf_originatingMetric" + } + legend_options_fields { + enabled = false + property = "sf_metric" + } + legend_options_fields { + enabled = true + property = "k8s.node.name" + } + legend_options_fields { + enabled = false + property = "k8s.cluster.name" + } + legend_options_fields { + enabled = false + property = "k8s.pod.uid" + } + + viz_options { + display_name = "Top 10 pods by average memory usage" + label = "A" + value_unit = "Byte" + } +} + +resource "signalfx_list_chart" "k8s_pods_by_phase" { + name = "# Pods by phase" + description = "" + + program_text = <<-EOF +B = data('k8s.pod.phase', rollup='latest').between(1.5, 2.5, low_inclusive=True, high_inclusive=True).count().publish(label='B') +A = data('k8s.pod.phase', rollup='latest').between(0, 1.5, low_inclusive=True, high_inclusive=True).count().publish(label='A') +C = data('k8s.pod.phase', rollup='latest').between(2.5, 3.5, low_inclusive=True, high_inclusive=True).count().publish(label='C') +D = data('k8s.pod.phase', rollup='latest').between(3.5, 4.5, low_inclusive=True, high_inclusive=True).count().publish(label='D') +E = data('k8s.pod.phase', rollup='latest').between(4.5, 5.5, low_inclusive=True, high_inclusive=True).count().publish(label='E') +EOF + + sort_by = "+sf_originatingMetric" + + disable_sampling = true + max_precision = 4 + refresh_interval = 5 + time_range = 900 + + legend_options_fields { + enabled = false + property = "sf_originatingMetric" + } + legend_options_fields { + enabled = true + property = "sf_metric" + } + + viz_options { + color = "azure" + display_name = "Succeeded" + label = "C" + value_suffix = "pods" + } + viz_options { + color = "brown" + display_name = "Failed" + label = "D" + value_suffix = "pods" + } + viz_options { + color = "purple" + display_name = "Unknown" + label = "E" + value_suffix = "pods" + } + viz_options { + color = "yellow" + display_name = "Pending" + label = "A" + value_suffix = "pods" + } + viz_options { + color = "yellowgreen" + display_name = "Running" + label = "B" + value_suffix = "pods" + } +} + +resource "signalfx_time_chart" "k8s_memory_usage_bytes" { + name = "Memory usage (bytes)" + description = "" + + program_text = "A = data('container.memory.usage', filter=filter('k8s.node.name', '*')).sum(by=['k8s.cluster.name', 'k8s.namespace.name', 'k8s.pod.uid', 'k8s.pod.name', 'k8s.node.name']).publish(label='A')" + + plot_type = "LineChart" + + + axes_precision = 0 + disable_sampling = true + time_range = 900 + unit_prefix = "Binary" + + histogram_options { + color_theme = "gold" + } + + legend_options_fields { + enabled = true + property = "kubernetes_pod_name" + } + legend_options_fields { + enabled = true + property = "kubernetes_namespace" + } + legend_options_fields { + enabled = true + property = "kubernetes_cluster" + } + legend_options_fields { + enabled = true + property = "kubernetes_pod_uid" + } + legend_options_fields { + enabled = false + property = "sf_originatingMetric" + } + legend_options_fields { + enabled = false + property = "sf_metric" + } + legend_options_fields { + enabled = true + property = "k8s.namespace.name" + } + legend_options_fields { + enabled = true + property = "k8s.pod.name" + } + legend_options_fields { + enabled = true + property = "k8s.cluster.name" + } + legend_options_fields { + enabled = true + property = "k8s.pod.uid" + } + legend_options_fields { + enabled = true + property = "k8s.node.name" + } + + viz_options { + axis = "left" + display_name = "Memory usage per pod" + label = "A" + value_unit = "Byte" + } +} + + +resource "signalfx_dashboard" "runner_k8s" { + name = "K8S Runners" + description = "" + dashboard_group = signalfx_dashboard_group.forgecicd.id + + variable { + property = "k8s.namespace.name" + alias = "ForgeCICD Tenant Name" + description = "" + values = [] + value_required = false + values_suggested = var.dashboard_variables.runner_k8s.tenant_names + } + + variable { + property = "k8s.pod.name" + alias = "ForgeCICD Instance Id" + description = "" + values = [] + value_required = false + values_suggested = [] + } + + dynamic "variable" { + for_each = var.dashboard_variables.runner_k8s.dynamic_variables + iterator = var_def + + content { + property = var_def.value.property + alias = var_def.value.alias + description = var_def.value.description + values = var_def.value.values + value_required = var_def.value.value_required + values_suggested = var_def.value.values_suggested + } + } + chart { + chart_id = signalfx_single_value_chart.k8s_active_pods.id + row = 0 + column = 0 + width = 3 + height = 1 + } + + chart { + chart_id = signalfx_single_value_chart.k8s_available_pods_by_deployments.id + row = 0 + column = 3 + width = 3 + height = 1 + } + + chart { + chart_id = signalfx_list_chart.k8s_top_10_pods_by_avg_memory_usage.id + row = 0 + column = 9 + width = 3 + height = 2 + } + + chart { + chart_id = signalfx_single_value_chart.k8s_desired_pods_by_deployments.id + row = 0 + column = 6 + width = 3 + height = 1 + } + + chart { + chart_id = signalfx_list_chart.k8s_pods_by_phase.id + row = 1 + column = 0 + width = 3 + height = 2 + } + + chart { + chart_id = signalfx_time_chart.k8s_memory_usage_pct.id + row = 1 + column = 3 + width = 3 + height = 1 + } + + chart { + chart_id = signalfx_time_chart.k8s_memory_usage_bytes.id + row = 1 + column = 6 + width = 3 + height = 1 + } + + chart { + chart_id = signalfx_list_chart.k8s_network_errors_per_sec.id + row = 2 + column = 3 + width = 5 + height = 1 + } + + chart { + chart_id = signalfx_time_chart.k8s_network_bytes_per_sec.id + row = 2 + column = 8 + width = 4 + height = 1 + } + + chart { + chart_id = signalfx_list_chart.k8s_top_10_cpu_usage_per_pod.id + row = 3 + column = 0 + width = 3 + height = 2 + } +} diff --git a/modules/integrations/splunk_o11y_conf_shared/providers.tf b/modules/integrations/splunk_o11y_conf_shared/providers.tf new file mode 100644 index 00000000..6ac7d5f0 --- /dev/null +++ b/modules/integrations/splunk_o11y_conf_shared/providers.tf @@ -0,0 +1,17 @@ +provider "aws" { + region = var.aws_region + profile = var.aws_profile + + # Required, as per security guidelines. + default_tags { + tags = merge(var.default_tags, ) + } +} + +provider "signalfx" { + api_url = var.splunk_api_url + + email = data.aws_secretsmanager_secret_version.secrets["splunk_o11y_username"].secret_string + password = data.aws_secretsmanager_secret_version.secrets["splunk_o11y_password"].secret_string + organization_id = var.splunk_organization_id +} diff --git a/modules/integrations/splunk_o11y_conf_shared/secrets.tf b/modules/integrations/splunk_o11y_conf_shared/secrets.tf new file mode 100644 index 00000000..42b5e7c9 --- /dev/null +++ b/modules/integrations/splunk_o11y_conf_shared/secrets.tf @@ -0,0 +1,20 @@ +locals { + secrets = { + splunk_o11y_username = { + name = "/cicd/common/splunk_o11y_username" + } + splunk_o11y_password = { + name = "/cicd/common/splunk_o11y_password" + } + } +} + +data "aws_secretsmanager_secret" "secrets" { + for_each = local.secrets + name = each.value.name +} + +data "aws_secretsmanager_secret_version" "secrets" { + for_each = data.aws_secretsmanager_secret.secrets + secret_id = each.value.id +} diff --git a/modules/integrations/splunk_o11y_conf_shared/variables.tf b/modules/integrations/splunk_o11y_conf_shared/variables.tf new file mode 100644 index 00000000..9685f58b --- /dev/null +++ b/modules/integrations/splunk_o11y_conf_shared/variables.tf @@ -0,0 +1,71 @@ +variable "aws_profile" { + type = string + description = "AWS profile (i.e., generated via 'sl aws session generate') to use." +} + +variable "aws_region" { + type = string + description = "Default AWS region." +} + +variable "default_tags" { + type = map(string) + description = "A map of tags to apply to resources." +} + +variable "splunk_api_url" { + description = "URL for plunk Observability Cloud API." + type = string +} + +variable "splunk_organization_id" { + description = "organization ID for Splunk Observability Cloud." + type = string +} + +variable "team" { + description = "Team ID" + type = string +} + +variable "dashboard_variables" { + type = object({ + runner_k8s = object({ + tenant_names = list(string) + dynamic_variables = list(object({ + property = string + alias = string + description = string + values = list(string) + value_required = bool + values_suggested = list(string) + } + )) + }) + runner_ec2 = object({ + tenant_names = list(string) + dynamic_variables = list(object({ + property = string + alias = string + description = string + values = list(string) + value_required = bool + values_suggested = list(string) + } + )) + }) + billing = object({ + tenant_names = list(string) + dynamic_variables = list(object({ + property = string + alias = string + description = string + values = list(string) + value_required = bool + values_suggested = list(string) + } + )) + }) + }) + description = "Variables for Dashboards" +} diff --git a/modules/integrations/splunk_o11y_conf_shared/versions.tf b/modules/integrations/splunk_o11y_conf_shared/versions.tf new file mode 100644 index 00000000..704bf3d6 --- /dev/null +++ b/modules/integrations/splunk_o11y_conf_shared/versions.tf @@ -0,0 +1,16 @@ +terraform { + # Provider versions. + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 5.90" + } + signalfx = { + source = "splunk-terraform/signalfx" + version = "< 10.0.0" + } + } + + # OpenTofu version. + required_version = ">= 1.9.1" +} From ea20ec108745fe448d141d23287e97866180bf8f Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Mon, 1 Dec 2025 00:11:43 +0100 Subject: [PATCH 04/85] fix: fix regexManagers (#209) --- renovate.json | 22 ++++++++++------------ 1 file changed, 10 insertions(+), 12 deletions(-) diff --git a/renovate.json b/renovate.json index bb534b2e..12a8c5c5 100644 --- a/renovate.json +++ b/renovate.json @@ -30,6 +30,16 @@ "matchStrings": ["required_version\\s=\\s\">= (?.*?)\""], "depNameTemplate": "opentofu/opentofu", "datasourceTemplate": "github-releases" + }, + { + "customType": "regex", + "fileMatch": ["^.*\\.tf$"], + "matchStrings": [ + "download_lambdas\\.sh\"\\s*,\\s*\"[^\"]+\"\\s*,\\s*\"(?v\\d+\\.\\d+\\.\\d+)\"" + ], + "depNameTemplate": "github-aws-runners/terraform-aws-github-runner", + "datasourceTemplate": "github-tags", + "versioningTemplate": "semver-coerced" } ], @@ -119,17 +129,5 @@ "automergeType": "pr", "addLabels": ["security", "auto-merge"] } - ], - - "regexManagers": [ - { - "fileMatch": ["^.*\\.tf$"], - "matchStrings": [ - "download_lambdas\\.sh\"\\s*,\\s*\"[^\"]+\"\\s*,\\s*\"v(?\\d+\\.\\d+\\.\\d+)\"" - ], - "datasourceTemplate": "github-tags", - "depNameTemplate": "github-aws-runners/terraform-aws-github-runner", - "versioningTemplate": "semver" - } ] } From 90d8a53ee26b2e2f8d6f646233565778ce2610c1 Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Mon, 1 Dec 2025 00:23:47 +0100 Subject: [PATCH 05/85] chore: update terraform modules (#210) * chore(deps): update aws providers and modules to v6.10.1 (#31) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update terraform terraform-aws-modules/eks/aws to v21.10.1 (#32) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- modules/infra/eks/eks.tf | 2 +- modules/infra/eks/karpenter.tf | 2 +- modules/infra/eks/nodes.tf | 2 +- modules/platform/ec2_deployment/main.tf | 4 ++-- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/modules/infra/eks/eks.tf b/modules/infra/eks/eks.tf index f5acd860..4501077d 100644 --- a/modules/infra/eks/eks.tf +++ b/modules/infra/eks/eks.tf @@ -17,7 +17,7 @@ module "ebs_csi_irsa_role" { module "eks" { source = "terraform-aws-modules/eks/aws" - version = "21.10.0" + version = "21.10.1" name = var.cluster_name kubernetes_version = var.cluster_version diff --git a/modules/infra/eks/karpenter.tf b/modules/infra/eks/karpenter.tf index 32ea05c4..2da250be 100644 --- a/modules/infra/eks/karpenter.tf +++ b/modules/infra/eks/karpenter.tf @@ -1,6 +1,6 @@ module "karpenter" { source = "terraform-aws-modules/eks/aws//modules/karpenter" - version = "21.10.0" + version = "21.10.1" namespace = "karpenter" cluster_name = var.cluster_name diff --git a/modules/infra/eks/nodes.tf b/modules/infra/eks/nodes.tf index 1c2955e5..4abf7517 100644 --- a/modules/infra/eks/nodes.tf +++ b/modules/infra/eks/nodes.tf @@ -9,7 +9,7 @@ data "aws_ami" "eks_default" { } module "self_managed_node_group" { source = "terraform-aws-modules/eks/aws//modules/self-managed-node-group" - version = "21.10.0" + version = "21.10.1" name = var.cluster_name cluster_name = var.cluster_name diff --git a/modules/platform/ec2_deployment/main.tf b/modules/platform/ec2_deployment/main.tf index ac660583..59727046 100644 --- a/modules/platform/ec2_deployment/main.tf +++ b/modules/platform/ec2_deployment/main.tf @@ -52,11 +52,11 @@ data "aws_subnet" "runner_subnet" { } data "external" "download_lambdas" { - program = ["bash", "${path.module}/scripts/download_lambdas.sh", "/tmp/${var.runner_configs.prefix}/", "v6.9.1"] + program = ["bash", "${path.module}/scripts/download_lambdas.sh", "/tmp/${var.runner_configs.prefix}/", "v6.10.1"] } module "runners" { - source = "git::https://github.com/github-aws-runners/terraform-aws-github-runner.git//modules/multi-runner?ref=v6.10.0" + source = "git::https://github.com/github-aws-runners/terraform-aws-github-runner.git//modules/multi-runner?ref=v6.10.1" aws_region = var.aws_region From 6cd32d3a504b923f7aa4c99d059214a6fd5c0e5d Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Mon, 1 Dec 2025 12:19:59 +0100 Subject: [PATCH 06/85] fix: add restricted_suggestions in variables (#211) --- .../dashboard_billing.tf | 26 +++++++------ .../dashboard_runner_ec2.tf | 39 ++++++++++--------- .../dashboard_runner_k8s.tf | 39 ++++++++++--------- .../splunk_o11y_conf_shared/variables.tf | 13 ++++--- 4 files changed, 63 insertions(+), 54 deletions(-) diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboard_billing.tf b/modules/integrations/splunk_o11y_conf_shared/dashboard_billing.tf index 20214a1a..0def4f2d 100644 --- a/modules/integrations/splunk_o11y_conf_shared/dashboard_billing.tf +++ b/modules/integrations/splunk_o11y_conf_shared/dashboard_billing.tf @@ -215,12 +215,13 @@ resource "signalfx_dashboard" "billing" { time_range = "-31d" variable { - property = "forgecicd_tenant" - alias = "ForgeCICD Tenant Name" - description = "" - values = [] - value_required = false - values_suggested = var.dashboard_variables.runner_k8s.tenant_names + property = "forgecicd_tenant" + alias = "ForgeCICD Tenant Name" + description = "" + values = [] + value_required = false + values_suggested = var.dashboard_variables.runner_k8s.tenant_names + restricted_suggestions = true } dynamic "variable" { @@ -228,12 +229,13 @@ resource "signalfx_dashboard" "billing" { iterator = var_def content { - property = var_def.value.property - alias = var_def.value.alias - description = var_def.value.description - values = var_def.value.values - value_required = var_def.value.value_required - values_suggested = var_def.value.values_suggested + property = var_def.value.property + alias = var_def.value.alias + description = var_def.value.description + values = var_def.value.values + value_required = var_def.value.value_required + values_suggested = var_def.value.values_suggested + restricted_suggestions = var_def.value.restricted_suggestions } } diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboard_runner_ec2.tf b/modules/integrations/splunk_o11y_conf_shared/dashboard_runner_ec2.tf index 3c82c26c..b207d0c1 100644 --- a/modules/integrations/splunk_o11y_conf_shared/dashboard_runner_ec2.tf +++ b/modules/integrations/splunk_o11y_conf_shared/dashboard_runner_ec2.tf @@ -1517,21 +1517,23 @@ resource "signalfx_dashboard" "runner_ec2" { dashboard_group = signalfx_dashboard_group.forgecicd.id variable { - property = "aws_tag_TenantName" - alias = "ForgeCICD Tenant Name" - description = "" - values = [] - value_required = false - values_suggested = var.dashboard_variables.runner_ec2.tenant_names + property = "aws_tag_TenantName" + alias = "ForgeCICD Tenant Name" + description = "" + values = [] + value_required = false + values_suggested = var.dashboard_variables.runner_ec2.tenant_names + restricted_suggestions = true } variable { - property = "aws_instance_id" - alias = "ForgeCICD Instance ID" - description = "" - values = [] - value_required = false - values_suggested = [] + property = "aws_instance_id" + alias = "ForgeCICD Instance ID" + description = "" + values = [] + value_required = false + values_suggested = [] + restricted_suggestions = false } dynamic "variable" { @@ -1539,12 +1541,13 @@ resource "signalfx_dashboard" "runner_ec2" { iterator = var_def content { - property = var_def.value.property - alias = var_def.value.alias - description = var_def.value.description - values = var_def.value.values - value_required = var_def.value.value_required - values_suggested = var_def.value.values_suggested + property = var_def.value.property + alias = var_def.value.alias + description = var_def.value.description + values = var_def.value.values + value_required = var_def.value.value_required + values_suggested = var_def.value.values_suggested + restricted_suggestions = var_def.value.restricted_suggestions } } chart { diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboard_runner_k8s.tf b/modules/integrations/splunk_o11y_conf_shared/dashboard_runner_k8s.tf index a67d6697..60849fd1 100644 --- a/modules/integrations/splunk_o11y_conf_shared/dashboard_runner_k8s.tf +++ b/modules/integrations/splunk_o11y_conf_shared/dashboard_runner_k8s.tf @@ -441,21 +441,23 @@ resource "signalfx_dashboard" "runner_k8s" { dashboard_group = signalfx_dashboard_group.forgecicd.id variable { - property = "k8s.namespace.name" - alias = "ForgeCICD Tenant Name" - description = "" - values = [] - value_required = false - values_suggested = var.dashboard_variables.runner_k8s.tenant_names + property = "k8s.namespace.name" + alias = "ForgeCICD Tenant Name" + description = "" + values = [] + value_required = false + values_suggested = var.dashboard_variables.runner_k8s.tenant_names + restricted_suggestions = true } variable { - property = "k8s.pod.name" - alias = "ForgeCICD Instance Id" - description = "" - values = [] - value_required = false - values_suggested = [] + property = "k8s.pod.name" + alias = "ForgeCICD Instance Id" + description = "" + values = [] + value_required = false + values_suggested = [] + restricted_suggestions = false } dynamic "variable" { @@ -463,12 +465,13 @@ resource "signalfx_dashboard" "runner_k8s" { iterator = var_def content { - property = var_def.value.property - alias = var_def.value.alias - description = var_def.value.description - values = var_def.value.values - value_required = var_def.value.value_required - values_suggested = var_def.value.values_suggested + property = var_def.value.property + alias = var_def.value.alias + description = var_def.value.description + values = var_def.value.values + value_required = var_def.value.value_required + values_suggested = var_def.value.values_suggested + restricted_suggestions = var_def.value.restricted_suggestions } } chart { diff --git a/modules/integrations/splunk_o11y_conf_shared/variables.tf b/modules/integrations/splunk_o11y_conf_shared/variables.tf index 9685f58b..cd108f33 100644 --- a/modules/integrations/splunk_o11y_conf_shared/variables.tf +++ b/modules/integrations/splunk_o11y_conf_shared/variables.tf @@ -57,12 +57,13 @@ variable "dashboard_variables" { billing = object({ tenant_names = list(string) dynamic_variables = list(object({ - property = string - alias = string - description = string - values = list(string) - value_required = bool - values_suggested = list(string) + property = string + alias = string + description = string + values = list(string) + value_required = bool + values_suggested = list(string) + restricted_suggestions = bool } )) }) From 99a35e69c498908ed5fb997d30d3186b7df81082 Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Mon, 1 Dec 2025 16:34:29 +0100 Subject: [PATCH 07/85] feat: add lambda submodule to validate trust relationship (#212) * feat: add lambda submodule to validate trust relationship * feat: add logic to update forge role to allow trust validator to assume * feat: add logging in function --- .../forge_runners/forge_trust_validator.tf | 21 ++ .../forge_trust_validator/README.md | 51 ++++ .../forge_trust_validator/data.tf | 1 + .../forge_trust_validator/forge_roles.tf | 77 +++++++ .../lambda/forge_trust_validator.py | 218 ++++++++++++++++++ .../forge_trust_validator/main.tf | 82 +++++++ .../forge_trust_validator/variables.tf | 39 ++++ .../forge_trust_validator/versions.tf | 15 ++ 8 files changed, 504 insertions(+) create mode 100644 modules/platform/forge_runners/forge_trust_validator.tf create mode 100644 modules/platform/forge_runners/forge_trust_validator/README.md create mode 100644 modules/platform/forge_runners/forge_trust_validator/data.tf create mode 100644 modules/platform/forge_runners/forge_trust_validator/forge_roles.tf create mode 100644 modules/platform/forge_runners/forge_trust_validator/lambda/forge_trust_validator.py create mode 100644 modules/platform/forge_runners/forge_trust_validator/main.tf create mode 100644 modules/platform/forge_runners/forge_trust_validator/variables.tf create mode 100644 modules/platform/forge_runners/forge_trust_validator/versions.tf diff --git a/modules/platform/forge_runners/forge_trust_validator.tf b/modules/platform/forge_runners/forge_trust_validator.tf new file mode 100644 index 00000000..afbe598d --- /dev/null +++ b/modules/platform/forge_runners/forge_trust_validator.tf @@ -0,0 +1,21 @@ +module "forge_trust_validator" { + count = length(var.tenant.iam_roles_to_assume) > 0 ? 1 : 0 + source = "./forge_trust_validator" + + providers = { + aws = aws + } + + aws_profile = var.aws_profile + prefix = var.deployment_config.prefix + logging_retention_in_days = var.logging_retention_in_days + log_level = var.log_level + tags = local.all_security_tags + + forge_iam_roles = values(merge( + try(module.ec2_runners[0].ec2_runners_arn_map, {}), + try(module.arc_runners.arc_runners_arn_map, {}), + )) + + tenant_iam_roles = var.tenant.iam_roles_to_assume +} diff --git a/modules/platform/forge_runners/forge_trust_validator/README.md b/modules/platform/forge_runners/forge_trust_validator/README.md new file mode 100644 index 00000000..730d72c3 --- /dev/null +++ b/modules/platform/forge_runners/forge_trust_validator/README.md @@ -0,0 +1,51 @@ + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.9.1 | +| [aws](#requirement\_aws) | >= 5.27 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | 6.19.0 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [register\_github\_app\_runner\_group\_lambda](#module\_register\_github\_app\_runner\_group\_lambda) | terraform-aws-modules/lambda/aws | 8.1.0 | + +## Resources + +| Name | Type | +|------|------| +| [aws_cloudwatch_event_rule.register_github_app_runner_group_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource | +| [aws_cloudwatch_event_target.register_github_app_runner_group_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource | +| [aws_cloudwatch_log_group.register_github_app_runner_group_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | +| [aws_lambda_permission.register_github_app_runner_group_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource | +| [aws_iam_policy_document.register_github_app_runner_group_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_secretsmanager_secret.secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source | +| [aws_secretsmanager_secret_version.secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret_version) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [ghes\_org](#input\_ghes\_org) | GitHub organization (GHES or GitHub.com). | `string` | n/a | yes | +| [github\_api](#input\_github\_api) | Base URL for the GitHub API (set to GHES API endpoint if using Enterprise). | `string` | `"https://api.github.com"` | no | +| [log\_level](#input\_log\_level) | Log level for application logging (e.g., INFO, DEBUG, WARN, ERROR) | `string` | `"INFO"` | no | +| [logging\_retention\_in\_days](#input\_logging\_retention\_in\_days) | Retention in days for CloudWatch Log Group for the Lambdas. | `number` | `30` | no | +| [prefix](#input\_prefix) | Prefix for all resources | `string` | n/a | yes | +| [repository\_selection](#input\_repository\_selection) | Repository selection type: 'all' or 'selected'. | `string` | n/a | yes | +| [runner\_group\_name](#input\_runner\_group\_name) | Name of the GitHub Actions runner group to create/update and attach repositories to. | `string` | n/a | yes | +| [secrets\_prefix](#input\_secrets\_prefix) | Prefix for all secrets | `string` | n/a | yes | +| [tags](#input\_tags) | Tags to apply to created resources. | `map(string)` | `{}` | no | + +## Outputs + +No outputs. + diff --git a/modules/platform/forge_runners/forge_trust_validator/data.tf b/modules/platform/forge_runners/forge_trust_validator/data.tf new file mode 100644 index 00000000..8fc4b38c --- /dev/null +++ b/modules/platform/forge_runners/forge_trust_validator/data.tf @@ -0,0 +1 @@ +data "aws_caller_identity" "current" {} diff --git a/modules/platform/forge_runners/forge_trust_validator/forge_roles.tf b/modules/platform/forge_runners/forge_trust_validator/forge_roles.tf new file mode 100644 index 00000000..65ad80b6 --- /dev/null +++ b/modules/platform/forge_runners/forge_trust_validator/forge_roles.tf @@ -0,0 +1,77 @@ +data "aws_iam_role" "forge" { + for_each = toset(var.forge_iam_roles) + + name = replace(each.value, "/^.*//", "") +} + +locals { + # Statement we want to add to EVERY forge IAM role + lambda_trust_statement = { + Sid = "AllowLambdaValidationAssume" + Effect = "Allow" + Principal = { + AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.prefix}-forge-trust-validator" + } + Action = "sts:AssumeRole" + } + + # original_trust[arn] = decoded assume_role_policy JSON for each role + original_trust = { + for arn, role in data.aws_iam_role.forge : + arn => jsondecode(role.assume_role_policy) + } + + # original_statements[arn] = existing Statements list (or []) + original_statements = { + for arn, trust in local.original_trust : + arn => try(trust.Statement, []) + } + + # concatenated_trust_object[arn] = full updated policy for each role + # = original (Version + Statements) + our lambda_trust_statement + concatenated_trust_object = { + for arn, trust in local.original_trust : + arn => { + Version = try(trust.Version, "2012-10-17") + Statement = concat( + local.original_statements[arn], + [local.lambda_trust_statement] + ) + } + } + + # concatenated_trust_json[arn] = final JSON string for each role + concatenated_trust_json = { + for arn, obj in local.concatenated_trust_object : + arn => jsonencode(obj) + } +} + +resource "null_resource" "update_forge_role_trust" { + for_each = data.aws_iam_role.forge + + triggers = { + role_name = each.value.name + future_sha = sha1(local.concatenated_trust_json[each.key]) + } + + provisioner "local-exec" { + interpreter = ["/bin/bash", "-c"] + + command = <<-EOT + set -euo pipefail + + ROLE_NAME="${each.value.name}" + TMP_FILE="/tmp/${each.value.name}-trust.json" + + cat > "$${TMP_FILE}" << 'JSON' +${local.concatenated_trust_json[each.key]} +JSON + + aws iam update-assume-role-policy \ + --role-name "$${ROLE_NAME}" \ + --policy-document "file://$${TMP_FILE}" \ + --profile "${var.aws_profile}" + EOT + } +} diff --git a/modules/platform/forge_runners/forge_trust_validator/lambda/forge_trust_validator.py b/modules/platform/forge_runners/forge_trust_validator/lambda/forge_trust_validator.py new file mode 100644 index 00000000..e3c7d73d --- /dev/null +++ b/modules/platform/forge_runners/forge_trust_validator/lambda/forge_trust_validator.py @@ -0,0 +1,218 @@ +import json +import logging +import os +import time +from typing import Any, Dict, List + +import boto3 +from botocore.exceptions import ClientError + +sts = boto3.client('sts') + +LOG = logging.getLogger() +level_str = os.environ.get('LOG_LEVEL', 'INFO').upper() +LOG.setLevel(getattr(logging, level_str, logging.INFO)) + + +def parse_env_list(name: str) -> List[str]: + """ + Parse an environment variable Comma-separated string: 'a,b' + """ + LOG.info(f"Parsing environment variable: {name}") + value = os.environ.get(name, '') + if not value: + LOG.warning(f"Environment variable {name} is empty or missing") + return [] + + items = [v.strip() for v in value.split(',') if v.strip()] + LOG.info(f"Parsed {len(items)} items from {name}") + return items + + +def build_session_policy_for_tenants(tenant_role_arns: List[str]) -> str: + """ + Restrictive inline session policy: only allow sts:AssumeRole on tenant roles. + This means the forge-role session can't do anything else. + """ + policy = { + 'Version': '2012-10-17', + 'Statement': [ + { + 'Sid': 'AllowAssumeTenantRolesForValidation', + 'Effect': 'Allow', + 'Action': 'sts:AssumeRole', + 'Resource': tenant_role_arns, + } + ], + } + return json.dumps(policy) + + +def assume_role( + role_arn: str, + session_name: str, + session_policy: str | None = None, +) -> Dict[str, Any]: + """ + Wrapper around sts.assume_role that optionally applies a restrictive session policy. + """ + LOG.info( + f"Attempting to assume role: {role_arn} (Session: {session_name})") + kwargs: Dict[str, Any] = { + 'RoleArn': role_arn, + 'RoleSessionName': session_name, + 'DurationSeconds': 900, # 15 minutes is plenty for validation + } + if session_policy: + kwargs['Policy'] = session_policy + + return sts.assume_role(**kwargs) + + +def build_sts_client_from_creds(creds: Dict[str, Any]): + """ + Given STS credentials from assume_role, build an STS client using them. + """ + return boto3.client( + 'sts', + aws_access_key_id=creds['AccessKeyId'], + aws_secret_access_key=creds['SecretAccessKey'], + aws_session_token=creds['SessionToken'], + ) + + +def validate_forge_role_against_tenants( + forge_role_arn: str, + tenant_role_arns: List[str], +) -> Dict[str, Any]: + """ + For a single Forge role: + - assume forge role (with restrictive session policy) + - using that session, try to assume each tenant role + - return per-tenant results + Assumes: + - Lambda execution role already has sts:AssumeRole on forge_role_arn + - Forge role trust already allows the Lambda execution role + """ + LOG.info(f"Starting validation for Forge role: {forge_role_arn}") + result: Dict[str, Any] = { + 'forge_role_arn': forge_role_arn, + 'tenant_results': [], + 'errors': [], + } + + try: + # 1) Assume the Forge role with a restrictive policy + session_policy = build_session_policy_for_tenants(tenant_role_arns) + forge_assume_resp = assume_role( + role_arn=forge_role_arn, + session_name=f"ForgeValidation-{int(time.time())}", + session_policy=session_policy, + ) + LOG.info(f"Successfully assumed Forge role: {forge_role_arn}") + + forge_creds = forge_assume_resp['Credentials'] + sts_as_forge = build_sts_client_from_creds(forge_creds) + + # 2) From the forge session, attempt to assume each tenant role + for tenant_arn in tenant_role_arns: + LOG.info( + f"Attempting to assume Tenant role: {tenant_arn} from Forge role: {forge_role_arn}") + tenant_entry = { + 'tenant_role_arn': tenant_arn, + 'success': False, + 'error': None, + } + try: + tenant_resp = sts_as_forge.assume_role( + RoleArn=tenant_arn, + RoleSessionName=f"TenantValidation-{int(time.time())}", + ) + + # Optional: verify the tenant creds actually work + tenant_creds = tenant_resp['Credentials'] + sts_as_tenant = boto3.client( + 'sts', + aws_access_key_id=tenant_creds['AccessKeyId'], + aws_secret_access_key=tenant_creds['SecretAccessKey'], + aws_session_token=tenant_creds['SessionToken'], + ) + identity = sts_as_tenant.get_caller_identity() + LOG.info( + f"Successfully assumed Tenant role: {tenant_arn}. Identity: {identity['Arn']}") + + tenant_entry['success'] = True + except ClientError as e: + LOG.error( + f"ClientError assuming Tenant role {tenant_arn}: {e}") + tenant_entry['error'] = str(e) + except Exception as e: + LOG.error( + f"Unexpected error assuming Tenant role {tenant_arn}: {e}") + tenant_entry['error'] = f"Unexpected error assuming tenant role: {e}" + + result['tenant_results'].append(tenant_entry) + + except ClientError as e: + LOG.error(f"IAM/STS error for Forge role {forge_role_arn}: {e}") + result['errors'].append( + f"IAM/STS error for forge role {forge_role_arn}: {e}" + ) + except Exception as e: + LOG.error(f"Unexpected error for Forge role {forge_role_arn}: {e}") + result['errors'].append( + f"Unexpected error for forge role {forge_role_arn}: {e}" + ) + + return result + + +def lambda_handler(event, context): + """ + Main Lambda entrypoint. + + Configuration: + - FORGE_IAM_ROLES: env var, JSON list or CSV of forge role ARNs + - TENANT_IAM_ROLES: env var, JSON list or CSV of tenant role ARNs + + Example: + FORGE_IAM_ROLES='["arn:aws:iam::123:role/forge-1","arn:aws:iam::123:role/forge-2"]' + TENANT_IAM_ROLES="arn:aws:iam::456:role/tenant-1,arn:aws:iam::789:role/tenant-2" + """ + LOG.info('Lambda handler started') + forge_iam_roles = parse_env_list('FORGE_IAM_ROLES') + tenant_iam_roles = parse_env_list('TENANT_IAM_ROLES') + + if not forge_iam_roles or not tenant_iam_roles: + LOG.error( + 'Missing required environment variables: FORGE_IAM_ROLES or TENANT_IAM_ROLES') + return { + 'statusCode': 400, + 'body': json.dumps( + { + 'message': ( + 'Missing forge_iam_roles or tenant_iam_roles ' + '(check env variables FORGE_IAM_ROLES and TENANT_IAM_ROLES).' + ) + } + ), + } + + LOG.info( + f"Loaded configuration: {len(forge_iam_roles)} Forge roles, {len(tenant_iam_roles)} Tenant roles") + all_results: List[Dict[str, Any]] = [] + + for forge_arn in forge_iam_roles: + res = validate_forge_role_against_tenants( + forge_role_arn=forge_arn, + tenant_role_arns=tenant_iam_roles, + ) + all_results.append(res) + + LOG.info('Validation complete') + print(json.dumps(all_results, indent=2)) + + return { + 'statusCode': 200, + 'body': json.dumps(all_results), + } diff --git a/modules/platform/forge_runners/forge_trust_validator/main.tf b/modules/platform/forge_runners/forge_trust_validator/main.tf new file mode 100644 index 00000000..54aa26dd --- /dev/null +++ b/modules/platform/forge_runners/forge_trust_validator/main.tf @@ -0,0 +1,82 @@ +module "forge_trust_validator_lambda" { + source = "terraform-aws-modules/lambda/aws" + version = "8.1.2" + + function_name = "${var.prefix}-forge-trust-validator" + handler = "forge_trust_validator.lambda_handler" + runtime = "python3.12" + timeout = 900 + architectures = ["x86_64"] + + source_path = [{ + path = "${path.module}/lambda" + }] + + logging_log_group = aws_cloudwatch_log_group.forge_trust_validator_lambda.name + use_existing_cloudwatch_log_group = true + + trigger_on_package_timestamp = false + + environment_variables = { + FORGE_IAM_ROLES = join(",", var.forge_iam_roles) + TENANT_IAM_ROLES = join(",", var.tenant_iam_roles) + LOG_LEVEL = var.log_level + } + + attach_policy_json = true + + policy_json = data.aws_iam_policy_document.forge_trust_validator_lambda.json + + function_tags = var.tags + role_tags = var.tags + tags = var.tags + + depends_on = [aws_cloudwatch_log_group.forge_trust_validator_lambda] +} + +data "aws_iam_policy_document" "forge_trust_validator_lambda" { + statement { + actions = [ + "iam:GetRole", + "iam:UpdateAssumeRolePolicy", + "sts:AssumeRole", + ] + effect = "Allow" + resources = var.forge_iam_roles + } +} + +resource "aws_cloudwatch_log_group" "forge_trust_validator_lambda" { + name = "/aws/lambda/${var.prefix}-forge-trust-validator" + retention_in_days = var.logging_retention_in_days + tags = var.tags + tags_all = var.tags +} + +resource "aws_cloudwatch_event_rule" "forge_trust_validator_lambda" { + name = "${var.prefix}-forge-trust-validator" + description = "Trigger Lambda every 10 minutes" + schedule_expression = "cron(*/10 * * * ? *)" + + tags = var.tags + tags_all = var.tags + + depends_on = [module.forge_trust_validator_lambda] +} + +resource "aws_cloudwatch_event_target" "forge_trust_validator_lambda" { + rule = aws_cloudwatch_event_rule.forge_trust_validator_lambda.name + arn = module.forge_trust_validator_lambda.lambda_function_arn + + depends_on = [module.forge_trust_validator_lambda] +} + +resource "aws_lambda_permission" "forge_trust_validator_lambda" { + action = "lambda:InvokeFunction" + function_name = "${var.prefix}-forge-trust-validator" + principal = "events.amazonaws.com" + statement_id = "AllowExecutionFromCloudWatch" + source_arn = aws_cloudwatch_event_rule.forge_trust_validator_lambda.arn + + depends_on = [module.forge_trust_validator_lambda] +} diff --git a/modules/platform/forge_runners/forge_trust_validator/variables.tf b/modules/platform/forge_runners/forge_trust_validator/variables.tf new file mode 100644 index 00000000..58dce9e5 --- /dev/null +++ b/modules/platform/forge_runners/forge_trust_validator/variables.tf @@ -0,0 +1,39 @@ +variable "aws_profile" { + type = string + description = "AWS profile (i.e. generated via 'sl aws session generate') to use." +} + +variable "prefix" { + description = "Prefix for all resources" + type = string +} + +variable "tags" { + description = "Tags to apply to created resources." + type = map(string) + default = {} +} + +variable "logging_retention_in_days" { + description = "Retention in days for CloudWatch Log Group for the Lambdas." + type = number + default = 30 +} + +variable "log_level" { + type = string + description = "Log level for application logging (e.g., INFO, DEBUG, WARN, ERROR)" + default = "INFO" +} + +variable "forge_iam_roles" { + type = list(string) + description = "List of IAM role ARNs for Forge runners." +} + +variable "tenant_iam_roles" { + type = list(string) + description = "List of IAM role ARNs that the runners will assume to test trust relationships." + default = [] + +} diff --git a/modules/platform/forge_runners/forge_trust_validator/versions.tf b/modules/platform/forge_runners/forge_trust_validator/versions.tf new file mode 100644 index 00000000..f7a53c68 --- /dev/null +++ b/modules/platform/forge_runners/forge_trust_validator/versions.tf @@ -0,0 +1,15 @@ +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 5.27" + } + null = { + source = "hashicorp/null" + version = ">= 3.2" + } + } + + # OpenTofu version. + required_version = ">= 1.9.1" +} From 2bdccf78d4aaae36381f413b038baf075e73825d Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Mon, 1 Dec 2025 16:46:40 +0100 Subject: [PATCH 08/85] fix: add missing property in dynamic_variables (#213) --- .../splunk_o11y_conf_shared/variables.tf | 26 ++++++++++--------- 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/modules/integrations/splunk_o11y_conf_shared/variables.tf b/modules/integrations/splunk_o11y_conf_shared/variables.tf index cd108f33..592cffc8 100644 --- a/modules/integrations/splunk_o11y_conf_shared/variables.tf +++ b/modules/integrations/splunk_o11y_conf_shared/variables.tf @@ -33,24 +33,26 @@ variable "dashboard_variables" { runner_k8s = object({ tenant_names = list(string) dynamic_variables = list(object({ - property = string - alias = string - description = string - values = list(string) - value_required = bool - values_suggested = list(string) + property = string + alias = string + description = string + values = list(string) + value_required = bool + values_suggested = list(string) + restricted_suggestions = bool } )) }) runner_ec2 = object({ tenant_names = list(string) dynamic_variables = list(object({ - property = string - alias = string - description = string - values = list(string) - value_required = bool - values_suggested = list(string) + property = string + alias = string + description = string + values = list(string) + value_required = bool + values_suggested = list(string) + restricted_suggestions = bool } )) }) From 40dc19f207591f2c9987aaa682cf11ad86d32394 Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Mon, 1 Dec 2025 17:23:50 +0100 Subject: [PATCH 09/85] feat: add support to validate if tenant role allows session tag (#214) --- .../forge_trust_validator/forge_roles.tf | 20 +++-- .../lambda/forge_trust_validator.py | 78 +++++++++++++------ 2 files changed, 68 insertions(+), 30 deletions(-) diff --git a/modules/platform/forge_runners/forge_trust_validator/forge_roles.tf b/modules/platform/forge_runners/forge_trust_validator/forge_roles.tf index 65ad80b6..6d72880b 100644 --- a/modules/platform/forge_runners/forge_trust_validator/forge_roles.tf +++ b/modules/platform/forge_runners/forge_trust_validator/forge_roles.tf @@ -27,16 +27,24 @@ locals { arn => try(trust.Statement, []) } + # updated_statements[arn]: ensure exactly one statement with this Sid + updated_statements = { + for arn, stmts in local.original_statements : + arn => concat( + [ + for s in stmts : + s if !(can(s.Sid) && s.Sid == local.lambda_trust_statement.Sid) + ], + [local.lambda_trust_statement] + ) + } + # concatenated_trust_object[arn] = full updated policy for each role - # = original (Version + Statements) + our lambda_trust_statement concatenated_trust_object = { for arn, trust in local.original_trust : arn => { - Version = try(trust.Version, "2012-10-17") - Statement = concat( - local.original_statements[arn], - [local.lambda_trust_statement] - ) + Version = try(trust.Version, "2012-10-17") + Statement = local.updated_statements[arn] } } diff --git a/modules/platform/forge_runners/forge_trust_validator/lambda/forge_trust_validator.py b/modules/platform/forge_runners/forge_trust_validator/lambda/forge_trust_validator.py index e3c7d73d..e126653f 100644 --- a/modules/platform/forge_runners/forge_trust_validator/lambda/forge_trust_validator.py +++ b/modules/platform/forge_runners/forge_trust_validator/lambda/forge_trust_validator.py @@ -40,7 +40,10 @@ def build_session_policy_for_tenants(tenant_role_arns: List[str]) -> str: { 'Sid': 'AllowAssumeTenantRolesForValidation', 'Effect': 'Allow', - 'Action': 'sts:AssumeRole', + 'Action': [ + 'sts:AssumeRole', + 'sts:TagSession', + ], 'Resource': tenant_role_arns, } ], @@ -120,36 +123,63 @@ def validate_forge_role_against_tenants( f"Attempting to assume Tenant role: {tenant_arn} from Forge role: {forge_role_arn}") tenant_entry = { 'tenant_role_arn': tenant_arn, - 'success': False, - 'error': None, + 'assume_role_success': False, + 'assume_role_error': None, + 'tag_session_success': False, + 'tag_session_error': None } + + # --- Test 1: Basic AssumeRole (no tags) --- try: - tenant_resp = sts_as_forge.assume_role( + sts_as_forge.assume_role( RoleArn=tenant_arn, - RoleSessionName=f"TenantValidation-{int(time.time())}", - ) - - # Optional: verify the tenant creds actually work - tenant_creds = tenant_resp['Credentials'] - sts_as_tenant = boto3.client( - 'sts', - aws_access_key_id=tenant_creds['AccessKeyId'], - aws_secret_access_key=tenant_creds['SecretAccessKey'], - aws_session_token=tenant_creds['SessionToken'], + RoleSessionName=f"TenantValidation-Basic-{int(time.time())}", ) - identity = sts_as_tenant.get_caller_identity() - LOG.info( - f"Successfully assumed Tenant role: {tenant_arn}. Identity: {identity['Arn']}") - - tenant_entry['success'] = True + LOG.info(f"Basic AssumeRole successful for {tenant_arn}") + tenant_entry['assume_role_success'] = True except ClientError as e: - LOG.error( - f"ClientError assuming Tenant role {tenant_arn}: {e}") - tenant_entry['error'] = str(e) + LOG.error(f"Basic AssumeRole failed for {tenant_arn}: {e}") + tenant_entry['assume_role_error'] = str(e) except Exception as e: LOG.error( - f"Unexpected error assuming Tenant role {tenant_arn}: {e}") - tenant_entry['error'] = f"Unexpected error assuming tenant role: {e}" + f"Unexpected error in Basic AssumeRole for {tenant_arn}: {e}") + tenant_entry['assume_role_error'] = f"Unexpected error: {e}" + + # --- Test 2: AssumeRole WITH Tags (only if basic succeeded) --- + if tenant_entry['assume_role_success']: + try: + tenant_resp = sts_as_forge.assume_role( + RoleArn=tenant_arn, + RoleSessionName=f"TenantValidation-Tags-{int(time.time())}", + Tags=[ + {'Key': 'CreatedBy', 'Value': 'ForgeTrustValidator'}, + {'Key': 'Validation', 'Value': 'True'} + ] + ) + + # Optional: verify the tenant creds actually work + tenant_creds = tenant_resp['Credentials'] + sts_as_tenant = boto3.client( + 'sts', + aws_access_key_id=tenant_creds['AccessKeyId'], + aws_secret_access_key=tenant_creds['SecretAccessKey'], + aws_session_token=tenant_creds['SessionToken'], + ) + identity = sts_as_tenant.get_caller_identity() + LOG.info( + f"AssumeRole WITH Tags successful for {tenant_arn}. Identity: {identity['Arn']}") + + tenant_entry['tag_session_success'] = True + except ClientError as e: + LOG.error( + f"AssumeRole WITH Tags failed for {tenant_arn}: {e}") + tenant_entry['tag_session_error'] = str(e) + except Exception as e: + LOG.error( + f"Unexpected error in AssumeRole WITH Tags for {tenant_arn}: {e}") + tenant_entry['tag_session_error'] = f"Unexpected error: {e}" + else: + tenant_entry['tag_session_error'] = 'Skipped because basic AssumeRole failed' result['tenant_results'].append(tenant_entry) From ea8ef289e39d6345d28eb06ac4ebe54508dd0359 Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Mon, 1 Dec 2025 21:58:19 +0100 Subject: [PATCH 10/85] feat: add field extraction to all extra lambdas (#215) * feat: add field extraction to all extra lambdas * fix: remove print in lambda * feat: create field extraction forgecicd_trust_validation * fix: replace time from session name --- .../props_cloudwatchlogs.tf | 1 + .../transforms_lambda.tf | 36 ++++++++++++++++++- .../forge_trust_validator/forge_roles.tf | 14 ++++++-- .../lambda/forge_trust_validator.py | 11 +++--- 4 files changed, 51 insertions(+), 11 deletions(-) diff --git a/modules/integrations/splunk_cloud_conf_shared/props_cloudwatchlogs.tf b/modules/integrations/splunk_cloud_conf_shared/props_cloudwatchlogs.tf index 1f0c1e9e..b12dae37 100644 --- a/modules/integrations/splunk_cloud_conf_shared/props_cloudwatchlogs.tf +++ b/modules/integrations/splunk_cloud_conf_shared/props_cloudwatchlogs.tf @@ -6,6 +6,7 @@ resource "splunk_configs_conf" "forgecicd_cloudwatchlogs" { "REPORT-forgecicd_cloudwatchlogs_lambda_tenant_fields" = "forgecicd_cloudwatchlogs_lambda_tenant_fields" "REPORT-forgecicd_cloudwatchlogs_global_lambda_tenant_fields" = "forgecicd_cloudwatchlogs_global_lambda_tenant_fields" "REPORT-forgecicd_extra_lambda_tenant_fields" = "forgecicd_extra_lambda_tenant_fields" + "REPORT-forgecicd_trust_validation" = "forgecicd_trust_validation" } lifecycle { ignore_changes = [ diff --git a/modules/integrations/splunk_cloud_conf_shared/transforms_lambda.tf b/modules/integrations/splunk_cloud_conf_shared/transforms_lambda.tf index 96f40eab..483c750a 100644 --- a/modules/integrations/splunk_cloud_conf_shared/transforms_lambda.tf +++ b/modules/integrations/splunk_cloud_conf_shared/transforms_lambda.tf @@ -2,7 +2,7 @@ resource "splunk_configs_conf" "forgecicd_extra_lambda_tenant_fields" { name = "transforms/forgecicd_extra_lambda_tenant_fields" variables = { - "REGEX" = "(?[^:]+):\\/aws\\/lambda\\/(?[a-z0-9]+)-(?[a-z0-9]+)-(?[a-z0-9]+)-(?github-app-runner-group|github-clean-global-lock)" + "REGEX" = "(?[^:]+):\\/aws\\/lambda\\/(?[a-z0-9]+)-(?[a-z0-9]+)-(?[a-z0-9]+)-(?register-github-app-runner-group|github-webhook-relay|clean-global-lock|job-log-archiver|job-log-dispatcher|forge-trust-validator)" "FORMAT" = "aws_region::$1 forgecicd_tenant::$2 forgecicd_region_alias::$3 forgecicd_vpc_alias::$4 forgecicd_log_type::$5" "SOURCE_KEY" = "source" "CLEAN_KEYS" = "0" @@ -29,3 +29,37 @@ resource "splunk_configs_conf" "forgecicd_extra_lambda_tenant_fields" { ] } } + + +resource "splunk_configs_conf" "forgecicd_trust_validation" { + name = "transforms/forgecicd_trust_validation" + + variables = { + REGEX = "Validation complete:\\s*(\\[[^\\r\\n]+])" + FORMAT = "forgecicd_trust_validation::$1" + SOURCE_KEY = "_raw" + CLEAN_KEYS = "0" + } + + acl { + app = var.splunk_conf.acl.app + owner = var.splunk_conf.acl.owner + sharing = var.splunk_conf.acl.sharing + read = var.splunk_conf.acl.read + write = var.splunk_conf.acl.write + } + lifecycle { + ignore_changes = [ + variables["CAN_OPTIMIZE"], + variables["DEFAULT_VALUE"], + variables["DEPTH_LIMIT"], + variables["DEST_KEY"], + variables["KEEP_EMPTY_VALS"], + variables["LOOKAHEAD"], + variables["MATCH_LIMIT"], + variables["MV_ADD"], + variables["WRITE_META"], + variables["disabled"] + ] + } +} diff --git a/modules/platform/forge_runners/forge_trust_validator/forge_roles.tf b/modules/platform/forge_runners/forge_trust_validator/forge_roles.tf index 6d72880b..f802d60c 100644 --- a/modules/platform/forge_runners/forge_trust_validator/forge_roles.tf +++ b/modules/platform/forge_runners/forge_trust_validator/forge_roles.tf @@ -2,6 +2,8 @@ data "aws_iam_role" "forge" { for_each = toset(var.forge_iam_roles) name = replace(each.value, "/^.*//", "") + + depends_on = [module.forge_trust_validator_lambda] } locals { @@ -41,7 +43,7 @@ locals { # concatenated_trust_object[arn] = full updated policy for each role concatenated_trust_object = { - for arn, trust in local.original_trust : + for arn, trust in local.updated_statements : arn => { Version = try(trust.Version, "2012-10-17") Statement = local.updated_statements[arn] @@ -53,14 +55,20 @@ locals { for arn, obj in local.concatenated_trust_object : arn => jsonencode(obj) } + + original_statements_trust_json = { + for arn, obj in local.original_statements : + arn => jsonencode(obj) + } } resource "null_resource" "update_forge_role_trust" { for_each = data.aws_iam_role.forge triggers = { - role_name = each.value.name - future_sha = sha1(local.concatenated_trust_json[each.key]) + role_name = each.value.name + original_sha = sha1(local.original_statements_trust_json[each.key]) + future_sha = sha1(local.concatenated_trust_json[each.key]) } provisioner "local-exec" { diff --git a/modules/platform/forge_runners/forge_trust_validator/lambda/forge_trust_validator.py b/modules/platform/forge_runners/forge_trust_validator/lambda/forge_trust_validator.py index e126653f..a11b081a 100644 --- a/modules/platform/forge_runners/forge_trust_validator/lambda/forge_trust_validator.py +++ b/modules/platform/forge_runners/forge_trust_validator/lambda/forge_trust_validator.py @@ -1,7 +1,6 @@ import json import logging import os -import time from typing import Any, Dict, List import boto3 @@ -109,7 +108,7 @@ def validate_forge_role_against_tenants( session_policy = build_session_policy_for_tenants(tenant_role_arns) forge_assume_resp = assume_role( role_arn=forge_role_arn, - session_name=f"ForgeValidation-{int(time.time())}", + session_name='ForgeValidation', session_policy=session_policy, ) LOG.info(f"Successfully assumed Forge role: {forge_role_arn}") @@ -133,7 +132,7 @@ def validate_forge_role_against_tenants( try: sts_as_forge.assume_role( RoleArn=tenant_arn, - RoleSessionName=f"TenantValidation-Basic-{int(time.time())}", + RoleSessionName='TenantValidation-Basic', ) LOG.info(f"Basic AssumeRole successful for {tenant_arn}") tenant_entry['assume_role_success'] = True @@ -150,14 +149,13 @@ def validate_forge_role_against_tenants( try: tenant_resp = sts_as_forge.assume_role( RoleArn=tenant_arn, - RoleSessionName=f"TenantValidation-Tags-{int(time.time())}", + RoleSessionName='TenantValidation-Tags', Tags=[ {'Key': 'CreatedBy', 'Value': 'ForgeTrustValidator'}, {'Key': 'Validation', 'Value': 'True'} ] ) - # Optional: verify the tenant creds actually work tenant_creds = tenant_resp['Credentials'] sts_as_tenant = boto3.client( 'sts', @@ -239,8 +237,7 @@ def lambda_handler(event, context): ) all_results.append(res) - LOG.info('Validation complete') - print(json.dumps(all_results, indent=2)) + LOG.info('Validation complete: %s', json.dumps(all_results)) return { 'statusCode': 200, From 8c9a7aba8484a140c7559585b9e81d43164917c0 Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Tue, 2 Dec 2025 21:50:15 +0100 Subject: [PATCH 11/85] feat: add extra submodule for ec2_deployment (#216) * feat: add submodule ec2_update_runner_ssm_ami * feat: add submodule ec2_redrive_deadletter * feat: add submodule ec2_update_runner_tags * feat: add new field extraction for new lambdas * fix: add provider * fix: fix ec2_redrive_deadletter * fix: fix ec2_update_runner_ssm_ami * deprecated: remove old lambdas * fix: add missing code for ec2_redrive_deadletter.py --- .../transforms_lambda.tf | 31 ++++ .../ec2_deployment/ec2_redrive_deadletter.tf | 20 +++ .../ec2_redrive_deadletter/README.md | 56 +++++++ .../ec2_redrive_deadletter/data.tf | 3 + .../lambda/ec2_redrive_deadletter.py | 141 ++++++++++++++++++ .../ec2_redrive_deadletter/main.tf | 106 +++++++++++++ .../ec2_redrive_deadletter/variables.tf | 30 ++++ .../ec2_redrive_deadletter/versions.tf | 11 ++ .../ec2_update_runner_ssm_ami.tf | 23 +++ .../ec2_update_runner_ssm_ami/README.md | 56 +++++++ .../lambda/ec2_update_runner_ssm_ami.py} | 0 .../ec2_update_runner_ssm_ami/main.tf | 94 ++++++++++++ .../ec2_update_runner_ssm_ami/variables.tf | 34 +++++ .../ec2_update_runner_ssm_ami/versions.tf | 11 ++ .../ec2_deployment/ec2_update_runner_tags.tf | 14 ++ .../ec2_update_runner_tags/README.md | 56 +++++++ .../lambda/ec2_update_runner_tags.py} | 0 .../ec2_update_runner_tags/main.tf | 101 +++++++++++++ .../ec2_update_runner_tags/variables.tf | 27 ++++ .../ec2_update_runner_tags/versions.tf | 11 ++ .../ec2_deployment/update-ec2-tags.tf | 101 ------------- .../ec2_deployment/update_ssm_ami_id.tf | 107 ------------- modules/platform/forge_runners/ec2_runners.tf | 4 + 23 files changed, 829 insertions(+), 208 deletions(-) create mode 100644 modules/platform/ec2_deployment/ec2_redrive_deadletter.tf create mode 100644 modules/platform/ec2_deployment/ec2_redrive_deadletter/README.md create mode 100644 modules/platform/ec2_deployment/ec2_redrive_deadletter/data.tf create mode 100644 modules/platform/ec2_deployment/ec2_redrive_deadletter/lambda/ec2_redrive_deadletter.py create mode 100644 modules/platform/ec2_deployment/ec2_redrive_deadletter/main.tf create mode 100644 modules/platform/ec2_deployment/ec2_redrive_deadletter/variables.tf create mode 100644 modules/platform/ec2_deployment/ec2_redrive_deadletter/versions.tf create mode 100644 modules/platform/ec2_deployment/ec2_update_runner_ssm_ami.tf create mode 100644 modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/README.md rename modules/platform/ec2_deployment/{lambda/update_ssm_ami_id.py => ec2_update_runner_ssm_ami/lambda/ec2_update_runner_ssm_ami.py} (100%) create mode 100644 modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/main.tf create mode 100644 modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/variables.tf create mode 100644 modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/versions.tf create mode 100644 modules/platform/ec2_deployment/ec2_update_runner_tags.tf create mode 100644 modules/platform/ec2_deployment/ec2_update_runner_tags/README.md rename modules/platform/ec2_deployment/{lambda/update_ec2_tags.py => ec2_update_runner_tags/lambda/ec2_update_runner_tags.py} (100%) create mode 100644 modules/platform/ec2_deployment/ec2_update_runner_tags/main.tf create mode 100644 modules/platform/ec2_deployment/ec2_update_runner_tags/variables.tf create mode 100644 modules/platform/ec2_deployment/ec2_update_runner_tags/versions.tf delete mode 100644 modules/platform/ec2_deployment/update-ec2-tags.tf delete mode 100644 modules/platform/ec2_deployment/update_ssm_ami_id.tf diff --git a/modules/integrations/splunk_cloud_conf_shared/transforms_lambda.tf b/modules/integrations/splunk_cloud_conf_shared/transforms_lambda.tf index 483c750a..defa4eb8 100644 --- a/modules/integrations/splunk_cloud_conf_shared/transforms_lambda.tf +++ b/modules/integrations/splunk_cloud_conf_shared/transforms_lambda.tf @@ -30,6 +30,37 @@ resource "splunk_configs_conf" "forgecicd_extra_lambda_tenant_fields" { } } +resource "splunk_configs_conf" "forgecicd_extra_lambda_ec2_tenant_fields" { + name = "transforms/forgecicd_extra_lambda_ec2_tenant_fields" + + variables = { + "REGEX" = "(?[^:]+):\\/aws\\/lambda\\/(?[a-z0-9]+)-(?[a-z0-9]+)-(?[a-z0-9]+)-(?ec2-redrive-deadletter|ec2-update-runner-ssm-ami|ec2-update-runner-tags)" + "FORMAT" = "aws_region::$1 forgecicd_tenant::$2 forgecicd_region_alias::$3 forgecicd_vpc_alias::$4 forgecicd_log_type::$5 forgecicd_type::ec2" + "SOURCE_KEY" = "source" + "CLEAN_KEYS" = "0" + } + acl { + app = var.splunk_conf.acl.app + owner = var.splunk_conf.acl.owner + sharing = var.splunk_conf.acl.sharing + read = var.splunk_conf.acl.read + write = var.splunk_conf.acl.write + } + lifecycle { + ignore_changes = [ + variables["CAN_OPTIMIZE"], + variables["DEFAULT_VALUE"], + variables["DEPTH_LIMIT"], + variables["DEST_KEY"], + variables["KEEP_EMPTY_VALS"], + variables["LOOKAHEAD"], + variables["MATCH_LIMIT"], + variables["MV_ADD"], + variables["WRITE_META"], + variables["disabled"] + ] + } +} resource "splunk_configs_conf" "forgecicd_trust_validation" { name = "transforms/forgecicd_trust_validation" diff --git a/modules/platform/ec2_deployment/ec2_redrive_deadletter.tf b/modules/platform/ec2_deployment/ec2_redrive_deadletter.tf new file mode 100644 index 00000000..2dd61bad --- /dev/null +++ b/modules/platform/ec2_deployment/ec2_redrive_deadletter.tf @@ -0,0 +1,20 @@ +module "ec2_redrive_deadletter" { + source = "./ec2_redrive_deadletter" + + providers = { + aws = aws + } + + prefix = var.runner_configs.prefix + logging_retention_in_days = var.runner_configs.logging_retention_in_days + log_level = var.runner_configs.log_level + tags = var.tenant_configs.tags + + sqs_map = { + for key in keys(var.runner_configs.runner_specs) : + key => { + dlq = "${var.runner_configs.prefix}-${key}-queued-builds_dead_letter" + main = "${var.runner_configs.prefix}-${key}-queued-builds" + } + } +} diff --git a/modules/platform/ec2_deployment/ec2_redrive_deadletter/README.md b/modules/platform/ec2_deployment/ec2_redrive_deadletter/README.md new file mode 100644 index 00000000..a302b9c6 --- /dev/null +++ b/modules/platform/ec2_deployment/ec2_redrive_deadletter/README.md @@ -0,0 +1,56 @@ + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.9.1 | +| [aws](#requirement\_aws) | >= 5.27 | +| [random](#requirement\_random) | >= 3.6 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | 6.19.0 | +| [random](#provider\_random) | 3.7.2 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [github\_webhook\_relay\_source](#module\_github\_webhook\_relay\_source) | ../../../integrations/github_webhook_relay_source | n/a | + +## Resources + +| Name | Type | +|------|------| +| [aws_iam_role.secret_reader](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy.secret_reader_inline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_kms_alias.github_webhook_relay](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource | +| [aws_kms_key.github_webhook_relay](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | +| [aws_secretsmanager_secret.github_webhook_relay](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource | +| [aws_secretsmanager_secret_version.github_webhook_relay](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource | +| [random_id.github_webhook_relay_source_secret](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource | +| [aws_iam_policy_document.secret_reader_permissions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.secret_reader_trust](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [github\_webhook\_relay](#input\_github\_webhook\_relay) | Configuration for the (optional) webhook relay source module.
If enabled=true we provision the API Gateway + source EventBridge forwarding rule.
destination\_event\_bus\_name must already exist or be created in the destination account (or via the destination submodule run there). | 
object({
    enabled                     = bool
    destination_account_id      = optional(string)
    destination_event_bus_name  = optional(string)
    destination_region          = optional(string)
    destination_reader_role_arn = optional(string)
  })
| 
{
  "destination_account_id": "",
  "destination_event_bus_name": "",
  "destination_reader_role_arn": "",
  "destination_region": "",
  "enabled": false
}
| no | +| [log\_level](#input\_log\_level) | Log level for application logging (e.g., INFO, DEBUG, WARN, ERROR) | `string` | `"INFO"` | no | +| [logging\_retention\_in\_days](#input\_logging\_retention\_in\_days) | Retention in days for CloudWatch Log Group for the Lambdas. | `number` | `30` | no | +| [prefix](#input\_prefix) | Prefix for all resources | `string` | n/a | yes | +| [secret\_prefix](#input\_secret\_prefix) | Prefix for secret | `string` | n/a | yes | +| [tags](#input\_tags) | Tags to apply to created resources. | `map(string)` | `{}` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [source\_secret\_arn](#output\_source\_secret\_arn) | ARN of the GitHub webhook relay secret | +| [source\_secret\_region](#output\_source\_secret\_region) | AWS region the secret resides in | +| [source\_secret\_role\_arn](#output\_source\_secret\_role\_arn) | ARN of IAM role permitted to read/decrypt the webhook relay secret | + diff --git a/modules/platform/ec2_deployment/ec2_redrive_deadletter/data.tf b/modules/platform/ec2_deployment/ec2_redrive_deadletter/data.tf new file mode 100644 index 00000000..f4693af5 --- /dev/null +++ b/modules/platform/ec2_deployment/ec2_redrive_deadletter/data.tf @@ -0,0 +1,3 @@ +data "aws_caller_identity" "current" {} + +data "aws_region" "current" {} diff --git a/modules/platform/ec2_deployment/ec2_redrive_deadletter/lambda/ec2_redrive_deadletter.py b/modules/platform/ec2_deployment/ec2_redrive_deadletter/lambda/ec2_redrive_deadletter.py new file mode 100644 index 00000000..95d7740d --- /dev/null +++ b/modules/platform/ec2_deployment/ec2_redrive_deadletter/lambda/ec2_redrive_deadletter.py @@ -0,0 +1,141 @@ +import json +import logging +import os +import time +from typing import Dict, List + +import boto3 + +LOG = logging.getLogger() +level_str = os.environ.get('LOG_LEVEL', 'INFO').upper() +LOG.setLevel(getattr(logging, level_str, logging.INFO)) + +sqs = boto3.client('sqs') + + +def parse_sqs_map(raw: str) -> List[Dict[str, str]]: + """ + Expected SQS_MAP env var (from Terraform map): + { + "runner-a": {"main": "queue-a-main", "dlq": "queue-a-dlq"}, + "runner-b": {"main": "queue-b-main", "dlq": "queue-b-dlq"} + } + + Returns a list of: + [{"key": "runner-a", "main": "...", "dlq": "..."}, ...] + """ + if not raw.strip(): + return [] + + try: + parsed = json.loads(raw) + except json.JSONDecodeError as e: + raise Exception(f"Invalid SQS_MAP JSON: {e}. Value: {raw}") from e + + if not isinstance(parsed, dict): + raise Exception( + f"SQS_MAP must be a JSON object/map, got: {type(parsed)}") + + mappings: List[Dict[str, str]] = [] + for key, value in parsed.items(): + if not isinstance(value, dict): + raise Exception( + f"SQS_MAP['{key}'] must be an object with 'main' and 'dlq'") + if 'main' not in value or 'dlq' not in value: + raise Exception( + f"SQS_MAP['{key}'] missing 'main' or 'dlq' keys: {value}") + mappings.append( + { + 'key': key, + 'main': str(value['main']), + 'dlq': str(value['dlq']), + } + ) + + return mappings + + +def resolve_queue_url(sqs_client, name_or_url: str) -> str: + """Return URL if already full URL, else resolve by queue name.""" + if name_or_url.startswith('https://'): + return name_or_url + + resp = sqs_client.get_queue_url(QueueName=name_or_url) + return resp['QueueUrl'] + + +def drain_dlq(sqs_client, dlq_url: str, main_url: str) -> int: + """Drain DLQ → main queue, returns number of moved messages.""" + moved = 0 + + while True: + resp = sqs_client.receive_message( + QueueUrl=dlq_url, + MaxNumberOfMessages=10, + WaitTimeSeconds=0, + VisibilityTimeout=30, + ) + + messages = resp.get('Messages', []) + if not messages: + break + + for msg in messages: + sqs_client.send_message( + QueueUrl=main_url, + MessageBody=msg['Body'], + ) + sqs_client.delete_message( + QueueUrl=dlq_url, + ReceiptHandle=msg['ReceiptHandle'], + ) + moved += 1 + + # small throttle to avoid hammering SQS too hard + time.sleep(0.1) + + return moved + + +def lambda_handler(event, context): + raw_sqs_map = os.getenv('SQS_MAP', '') + mappings = parse_sqs_map(raw_sqs_map) + + if not mappings: + LOG.warning('SQS_MAP is empty; nothing to do.') + return {'status': 'noop', 'message': 'SQS_MAP is empty', 'results': []} + + LOG.info('Starting DLQ drain for %d mapping(s)', len(mappings)) + + results = [] + for entry in mappings: + key = entry['key'] + dlq_name_or_url = entry['dlq'] + main_name_or_url = entry['main'] + + LOG.info('Processing SQS mapping key=%s dlq=%s main=%s', + key, dlq_name_or_url, main_name_or_url) + + dlq_url = resolve_queue_url(sqs, dlq_name_or_url) + main_url = resolve_queue_url(sqs, main_name_or_url) + + moved = drain_dlq(sqs, dlq_url, main_url) + + LOG.info( + 'Finished SQS mapping key=%s dlq=%s main=%s moved=%d', + key, + dlq_name_or_url, + main_name_or_url, + moved, + ) + + results.append( + { + 'key': key, + 'dlq': dlq_name_or_url, + 'main': main_name_or_url, + 'moved': moved, + } + ) + + return {'status': 'ok', 'results': results} diff --git a/modules/platform/ec2_deployment/ec2_redrive_deadletter/main.tf b/modules/platform/ec2_deployment/ec2_redrive_deadletter/main.tf new file mode 100644 index 00000000..21e9e765 --- /dev/null +++ b/modules/platform/ec2_deployment/ec2_redrive_deadletter/main.tf @@ -0,0 +1,106 @@ +module "ec2_redrive_deadletter_lambda" { + source = "terraform-aws-modules/lambda/aws" + version = "8.1.2" + + function_name = "${var.prefix}-ec2-redrive-deadletter" + handler = "ec2_redrive_deadletter.lambda_handler" + runtime = "python3.12" + timeout = 900 + architectures = ["x86_64"] + + source_path = [{ + path = "${path.module}/lambda" + }] + + logging_log_group = aws_cloudwatch_log_group.ec2_redrive_deadletter_lambda.name + use_existing_cloudwatch_log_group = true + + trigger_on_package_timestamp = false + + environment_variables = { + SQS_MAP = jsonencode(var.sqs_map) + LOG_LEVEL = var.log_level + } + + attach_policy_json = true + + policy_json = data.aws_iam_policy_document.ec2_redrive_deadletter_lambda.json + + function_tags = var.tags + role_tags = var.tags + tags = var.tags + + depends_on = [aws_cloudwatch_log_group.ec2_redrive_deadletter_lambda] +} + +data "aws_iam_policy_document" "ec2_redrive_deadletter_lambda" { + statement { + sid = "SQSReceiveFromDLQ" + effect = "Allow" + + actions = [ + "sqs:ReceiveMessage", + "sqs:GetQueueUrl", + "sqs:GetQueueAttributes", + "sqs:DeleteMessage", + ] + + resources = [ + for key, cfg in var.sqs_map : + "arn:aws:sqs:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:${cfg.dlq}" + ] + } + + statement { + sid = "SQSSendToMainQueue" + effect = "Allow" + + actions = [ + "sqs:SendMessage", + "sqs:GetQueueUrl", + "sqs:GetQueueAttributes", + ] + + resources = [ + for key, cfg in var.sqs_map : + "arn:aws:sqs:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:${cfg.main}" + ] + } +} + + + +resource "aws_cloudwatch_log_group" "ec2_redrive_deadletter_lambda" { + name = "/aws/lambda/${var.prefix}-ec2-redrive-deadletter" + retention_in_days = var.logging_retention_in_days + tags = var.tags + tags_all = var.tags +} + +resource "aws_cloudwatch_event_rule" "ec2_redrive_deadletter_lambda" { + name = "${var.prefix}-ec2-redrive-deadletter" + description = "Trigger Lambda every 10 minutes" + schedule_expression = "cron(*/10 * * * ? *)" + + tags = var.tags + tags_all = var.tags + + depends_on = [module.ec2_redrive_deadletter_lambda] +} + +resource "aws_cloudwatch_event_target" "ec2_redrive_deadletter_lambda" { + rule = aws_cloudwatch_event_rule.ec2_redrive_deadletter_lambda.name + arn = module.ec2_redrive_deadletter_lambda.lambda_function_arn + + depends_on = [module.ec2_redrive_deadletter_lambda] +} + +resource "aws_lambda_permission" "ec2_redrive_deadletter_lambda" { + action = "lambda:InvokeFunction" + function_name = "${var.prefix}-ec2-redrive-deadletter" + principal = "events.amazonaws.com" + statement_id = "AllowExecutionFromCloudWatch" + source_arn = aws_cloudwatch_event_rule.ec2_redrive_deadletter_lambda.arn + + depends_on = [module.ec2_redrive_deadletter_lambda] +} diff --git a/modules/platform/ec2_deployment/ec2_redrive_deadletter/variables.tf b/modules/platform/ec2_deployment/ec2_redrive_deadletter/variables.tf new file mode 100644 index 00000000..3d715477 --- /dev/null +++ b/modules/platform/ec2_deployment/ec2_redrive_deadletter/variables.tf @@ -0,0 +1,30 @@ +variable "prefix" { + description = "Prefix for all resources" + type = string +} + +variable "tags" { + description = "Tags to apply to created resources." + type = map(string) + default = {} +} + +variable "logging_retention_in_days" { + description = "Retention in days for CloudWatch Log Group for the Lambdas." + type = number + default = 30 +} + +variable "log_level" { + type = string + description = "Log level for application logging (e.g., INFO, DEBUG, WARN, ERROR)" + default = "INFO" +} + +variable "sqs_map" { + description = "Map of runner SQS queue names." + type = map(object({ + main = string + dlq = string + })) +} diff --git a/modules/platform/ec2_deployment/ec2_redrive_deadletter/versions.tf b/modules/platform/ec2_deployment/ec2_redrive_deadletter/versions.tf new file mode 100644 index 00000000..d193e844 --- /dev/null +++ b/modules/platform/ec2_deployment/ec2_redrive_deadletter/versions.tf @@ -0,0 +1,11 @@ +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 5.27" + } + } + + # OpenTofu version. + required_version = ">= 1.9.1" +} diff --git a/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami.tf b/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami.tf new file mode 100644 index 00000000..7cdfe919 --- /dev/null +++ b/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami.tf @@ -0,0 +1,23 @@ +module "ec2_update_runner_ssm_ami" { + source = "./ec2_update_runner_ssm_ami" + + providers = { + aws = aws + } + + prefix = var.runner_configs.prefix + logging_retention_in_days = var.runner_configs.logging_retention_in_days + log_level = var.runner_configs.log_level + tags = var.tenant_configs.tags + + runner_ami_map = { + for key in keys(var.runner_configs.runner_specs) : + key => { + resource_ssm_id = replace(module.runners.runners_map[key].launch_template_ami_id, "resolve:ssm:", "") + ssm_id = split("parameter", module.runners.runners_map[key].launch_template_ami_id)[1] + ami_filter = var.runner_configs.runner_specs[key].ami_filter + ami_owners = var.runner_configs.runner_specs[key].ami_owners + } + } + +} diff --git a/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/README.md b/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/README.md new file mode 100644 index 00000000..a302b9c6 --- /dev/null +++ b/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/README.md @@ -0,0 +1,56 @@ + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.9.1 | +| [aws](#requirement\_aws) | >= 5.27 | +| [random](#requirement\_random) | >= 3.6 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | 6.19.0 | +| [random](#provider\_random) | 3.7.2 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [github\_webhook\_relay\_source](#module\_github\_webhook\_relay\_source) | ../../../integrations/github_webhook_relay_source | n/a | + +## Resources + +| Name | Type | +|------|------| +| [aws_iam_role.secret_reader](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy.secret_reader_inline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_kms_alias.github_webhook_relay](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource | +| [aws_kms_key.github_webhook_relay](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | +| [aws_secretsmanager_secret.github_webhook_relay](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource | +| [aws_secretsmanager_secret_version.github_webhook_relay](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource | +| [random_id.github_webhook_relay_source_secret](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource | +| [aws_iam_policy_document.secret_reader_permissions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.secret_reader_trust](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [github\_webhook\_relay](#input\_github\_webhook\_relay) | Configuration for the (optional) webhook relay source module.
If enabled=true we provision the API Gateway + source EventBridge forwarding rule.
destination\_event\_bus\_name must already exist or be created in the destination account (or via the destination submodule run there). | 
object({
    enabled                     = bool
    destination_account_id      = optional(string)
    destination_event_bus_name  = optional(string)
    destination_region          = optional(string)
    destination_reader_role_arn = optional(string)
  })
| 
{
  "destination_account_id": "",
  "destination_event_bus_name": "",
  "destination_reader_role_arn": "",
  "destination_region": "",
  "enabled": false
}
| no | +| [log\_level](#input\_log\_level) | Log level for application logging (e.g., INFO, DEBUG, WARN, ERROR) | `string` | `"INFO"` | no | +| [logging\_retention\_in\_days](#input\_logging\_retention\_in\_days) | Retention in days for CloudWatch Log Group for the Lambdas. | `number` | `30` | no | +| [prefix](#input\_prefix) | Prefix for all resources | `string` | n/a | yes | +| [secret\_prefix](#input\_secret\_prefix) | Prefix for secret | `string` | n/a | yes | +| [tags](#input\_tags) | Tags to apply to created resources. | `map(string)` | `{}` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [source\_secret\_arn](#output\_source\_secret\_arn) | ARN of the GitHub webhook relay secret | +| [source\_secret\_region](#output\_source\_secret\_region) | AWS region the secret resides in | +| [source\_secret\_role\_arn](#output\_source\_secret\_role\_arn) | ARN of IAM role permitted to read/decrypt the webhook relay secret | + diff --git a/modules/platform/ec2_deployment/lambda/update_ssm_ami_id.py b/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/lambda/ec2_update_runner_ssm_ami.py similarity index 100% rename from modules/platform/ec2_deployment/lambda/update_ssm_ami_id.py rename to modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/lambda/ec2_update_runner_ssm_ami.py diff --git a/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/main.tf b/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/main.tf new file mode 100644 index 00000000..da783661 --- /dev/null +++ b/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/main.tf @@ -0,0 +1,94 @@ +module "ec2_update_runner_ssm_ami_lambda" { + source = "terraform-aws-modules/lambda/aws" + version = "8.1.2" + + function_name = "${var.prefix}-ec2-update-runner-ssm-ami" + handler = "ec2_update_runner_ssm_ami.lambda_handler" + runtime = "python3.12" + timeout = 900 + architectures = ["x86_64"] + + source_path = [{ + path = "${path.module}/lambda" + }] + + logging_log_group = aws_cloudwatch_log_group.ec2_update_runner_ssm_ami_lambda.name + use_existing_cloudwatch_log_group = true + + trigger_on_package_timestamp = false + + environment_variables = { + RUNNER_AMI_MAP = jsonencode(var.runner_ami_map) + LOG_LEVEL = var.log_level + } + + attach_policy_json = true + + policy_json = data.aws_iam_policy_document.ec2_update_runner_ssm_ami_lambda.json + + function_tags = var.tags + role_tags = var.tags + tags = var.tags + + depends_on = [aws_cloudwatch_log_group.ec2_update_runner_ssm_ami_lambda] +} + +data "aws_iam_policy_document" "ec2_update_runner_ssm_ami_lambda" { + statement { + effect = "Allow" + actions = [ + "ssm:GetParameter", + "ssm:GetParameters", + "ssm:PutParameter", + "ssm:AddTagsToResource" + ] + + resources = [ + for key, cfg in var.runner_ami_map : + cfg.resource_ssm_id + ] + } + + statement { + effect = "Allow" + actions = [ + "ec2:DescribeImages", + ] + resources = ["*"] + } +} + +resource "aws_cloudwatch_log_group" "ec2_update_runner_ssm_ami_lambda" { + name = "/aws/lambda/${var.prefix}-ec2-update-runner-ssm-ami" + retention_in_days = var.logging_retention_in_days + tags = var.tags + tags_all = var.tags +} + +resource "aws_cloudwatch_event_rule" "ec2_update_runner_ssm_ami_lambda" { + name = "${var.prefix}-ec2-update-runner-ssm-ami" + description = "Trigger Lambda every 10 minutes" + schedule_expression = "cron(*/10 * * * ? *)" + + tags = var.tags + tags_all = var.tags + + depends_on = [module.ec2_update_runner_ssm_ami_lambda] +} + +resource "aws_cloudwatch_event_target" "ec2_update_runner_ssm_ami_lambda" { + rule = aws_cloudwatch_event_rule.ec2_update_runner_ssm_ami_lambda.name + arn = module.ec2_update_runner_ssm_ami_lambda.lambda_function_arn + + depends_on = [module.ec2_update_runner_ssm_ami_lambda] +} + +resource "aws_lambda_permission" "ec2_update_runner_ssm_ami_lambda" { + action = "lambda:InvokeFunction" + function_name = "${var.prefix}-ec2-update-runner-ssm-ami" + principal = "events.amazonaws.com" + statement_id = "AllowExecutionFromCloudWatch" + source_arn = aws_cloudwatch_event_rule.ec2_update_runner_ssm_ami_lambda.arn + + depends_on = [module.ec2_update_runner_ssm_ami_lambda] +} diff --git a/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/variables.tf b/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/variables.tf new file mode 100644 index 00000000..1654e1de --- /dev/null +++ b/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/variables.tf @@ -0,0 +1,34 @@ +variable "prefix" { + description = "Prefix for all resources" + type = string +} + +variable "tags" { + description = "Tags to apply to created resources." + type = map(string) + default = {} +} + +variable "logging_retention_in_days" { + description = "Retention in days for CloudWatch Log Group for the Lambdas." + type = number + default = 30 +} + +variable "log_level" { + type = string + description = "Log level for application logging (e.g., INFO, DEBUG, WARN, ERROR)" + default = "INFO" +} + +variable "runner_ami_map" { + type = map(object({ + resource_ssm_id = string + ssm_id = string + ami_filter = object({ + name = list(string) + state = list(string) + }) + ami_owners = list(string) + })) +} diff --git a/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/versions.tf b/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/versions.tf new file mode 100644 index 00000000..d193e844 --- /dev/null +++ b/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/versions.tf @@ -0,0 +1,11 @@ +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 5.27" + } + } + + # OpenTofu version. + required_version = ">= 1.9.1" +} diff --git a/modules/platform/ec2_deployment/ec2_update_runner_tags.tf b/modules/platform/ec2_deployment/ec2_update_runner_tags.tf new file mode 100644 index 00000000..3c35f414 --- /dev/null +++ b/modules/platform/ec2_deployment/ec2_update_runner_tags.tf @@ -0,0 +1,14 @@ +module "ec2_update_runner_tags" { + source = "./ec2_update_runner_tags" + + providers = { + aws = aws + } + + prefix = var.runner_configs.prefix + logging_retention_in_days = var.runner_configs.logging_retention_in_days + log_level = var.runner_configs.log_level + tags = var.tenant_configs.tags + + event_bus = module.runners.webhook.eventbridge.event_bus.name +} diff --git a/modules/platform/ec2_deployment/ec2_update_runner_tags/README.md b/modules/platform/ec2_deployment/ec2_update_runner_tags/README.md new file mode 100644 index 00000000..a302b9c6 --- /dev/null +++ b/modules/platform/ec2_deployment/ec2_update_runner_tags/README.md @@ -0,0 +1,56 @@ + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.9.1 | +| [aws](#requirement\_aws) | >= 5.27 | +| [random](#requirement\_random) | >= 3.6 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | 6.19.0 | +| [random](#provider\_random) | 3.7.2 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [github\_webhook\_relay\_source](#module\_github\_webhook\_relay\_source) | ../../../integrations/github_webhook_relay_source | n/a | + +## Resources + +| Name | Type | +|------|------| +| [aws_iam_role.secret_reader](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy.secret_reader_inline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_kms_alias.github_webhook_relay](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource | +| [aws_kms_key.github_webhook_relay](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | +| [aws_secretsmanager_secret.github_webhook_relay](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource | +| [aws_secretsmanager_secret_version.github_webhook_relay](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource | +| [random_id.github_webhook_relay_source_secret](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource | +| [aws_iam_policy_document.secret_reader_permissions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.secret_reader_trust](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [github\_webhook\_relay](#input\_github\_webhook\_relay) | Configuration for the (optional) webhook relay source module.
If enabled=true we provision the API Gateway + source EventBridge forwarding rule.
destination\_event\_bus\_name must already exist or be created in the destination account (or via the destination submodule run there). | 
object({
    enabled                     = bool
    destination_account_id      = optional(string)
    destination_event_bus_name  = optional(string)
    destination_region          = optional(string)
    destination_reader_role_arn = optional(string)
  })
| 
{
  "destination_account_id": "",
  "destination_event_bus_name": "",
  "destination_reader_role_arn": "",
  "destination_region": "",
  "enabled": false
}
| no | +| [log\_level](#input\_log\_level) | Log level for application logging (e.g., INFO, DEBUG, WARN, ERROR) | `string` | `"INFO"` | no | +| [logging\_retention\_in\_days](#input\_logging\_retention\_in\_days) | Retention in days for CloudWatch Log Group for the Lambdas. | `number` | `30` | no | +| [prefix](#input\_prefix) | Prefix for all resources | `string` | n/a | yes | +| [secret\_prefix](#input\_secret\_prefix) | Prefix for secret | `string` | n/a | yes | +| [tags](#input\_tags) | Tags to apply to created resources. | `map(string)` | `{}` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [source\_secret\_arn](#output\_source\_secret\_arn) | ARN of the GitHub webhook relay secret | +| [source\_secret\_region](#output\_source\_secret\_region) | AWS region the secret resides in | +| [source\_secret\_role\_arn](#output\_source\_secret\_role\_arn) | ARN of IAM role permitted to read/decrypt the webhook relay secret | + diff --git a/modules/platform/ec2_deployment/lambda/update_ec2_tags.py b/modules/platform/ec2_deployment/ec2_update_runner_tags/lambda/ec2_update_runner_tags.py similarity index 100% rename from modules/platform/ec2_deployment/lambda/update_ec2_tags.py rename to modules/platform/ec2_deployment/ec2_update_runner_tags/lambda/ec2_update_runner_tags.py diff --git a/modules/platform/ec2_deployment/ec2_update_runner_tags/main.tf b/modules/platform/ec2_deployment/ec2_update_runner_tags/main.tf new file mode 100644 index 00000000..8984950b --- /dev/null +++ b/modules/platform/ec2_deployment/ec2_update_runner_tags/main.tf @@ -0,0 +1,101 @@ +module "ec2_update_runner_tags_lambda" { + source = "terraform-aws-modules/lambda/aws" + version = "8.1.2" + + function_name = "${var.prefix}-ec2-update-runner-tags" + handler = "ec2_update_runner_tags.lambda_handler" + runtime = "python3.12" + timeout = 900 + architectures = ["x86_64"] + + source_path = [{ + path = "${path.module}/lambda" + }] + + logging_log_group = aws_cloudwatch_log_group.ec2_update_runner_tags_lambda.name + use_existing_cloudwatch_log_group = true + + trigger_on_package_timestamp = false + + environment_variables = { + LOG_LEVEL = var.log_level + } + + + attach_policy_json = true + + policy_json = data.aws_iam_policy_document.ec2_update_runner_tags_lambda.json + + function_tags = var.tags + role_tags = var.tags + tags = var.tags + + depends_on = [aws_cloudwatch_log_group.ec2_update_runner_tags_lambda] +} + +data "aws_iam_policy_document" "ec2_update_runner_tags_lambda" { + + # Allow DescribeInstances without condition + statement { + effect = "Allow" + actions = ["ec2:DescribeInstances"] + resources = ["*"] + } + + # Allow tagging operations conditioned on environment tag + statement { + effect = "Allow" + actions = [ + "ec2:CreateTags", + "ec2:DeleteTags" + ] + resources = ["*"] + + condition { + test = "StringLike" + variable = "ec2:ResourceTag/ghr:environment" + values = ["${var.prefix}-*"] + } + } +} + +resource "aws_cloudwatch_log_group" "ec2_update_runner_tags_lambda" { + name = "/aws/lambda/${var.prefix}-ec2-update-runner-tags" + retention_in_days = var.logging_retention_in_days + tags = var.tags + tags_all = var.tags +} + +resource "aws_lambda_permission" "ec2_update_runner_tags_lambda" { + action = "lambda:InvokeFunction" + function_name = "${var.prefix}-ec2-update-runner-tags" + principal = "events.amazonaws.com" + statement_id = "AllowExecutionFromCloudWatch" + source_arn = aws_cloudwatch_event_rule.ec2_update_runner_tags_lambda.arn + + depends_on = [module.ec2_update_runner_tags_lambda] +} + +resource "aws_cloudwatch_event_rule" "ec2_update_runner_tags_lambda" { + name = "${var.prefix}-ec2-update-runner-tags" + description = "Workflow job event rule to update EC2 tags." + event_bus_name = var.event_bus + + tags = var.tags + tags_all = var.tags + + event_pattern = < { - ssm_id = split("parameter", module.runners.runners_map[key].launch_template_ami_id)[1] - ami_filter = var.runner_configs.runner_specs[key].ami_filter - ami_owners = var.runner_configs.runner_specs[key].ami_owners - } - } - - runner_ami_map_json = jsonencode(local.runner_ami_map) -} - -module "update_runner_ami_lambda" { - source = "terraform-aws-modules/lambda/aws" - version = "8.1.2" - - function_name = "${var.runner_configs.prefix}-update-runner-ami" - handler = "update_ssm_ami_id.lambda_handler" - runtime = "python3.12" - timeout = 900 - architectures = ["x86_64"] - - source_path = [{ - path = "${path.module}/lambda" - }] - - logging_log_group = aws_cloudwatch_log_group.update_runner_ami_lambda.name - use_existing_cloudwatch_log_group = true - - trigger_on_package_timestamp = false - - environment_variables = { - RUNNER_AMI_MAP = local.runner_ami_map_json - LOG_LEVEL = var.runner_configs.log_level - } - - attach_policy_json = true - - policy_json = data.aws_iam_policy_document.update_runner_ami_lambda.json - - function_tags = var.tenant_configs.tags - role_tags = var.tenant_configs.tags - tags = var.tenant_configs.tags - - depends_on = [aws_cloudwatch_log_group.update_runner_ami_lambda] -} - -data "aws_iam_policy_document" "update_runner_ami_lambda" { - statement { - effect = "Allow" - actions = [ - "ssm:GetParameter", - "ssm:GetParameters", - "ssm:PutParameter", - "ssm:AddTagsToResource" - ] - - resources = [ - for key in keys(var.runner_configs.runner_specs) : - replace(module.runners.runners_map[key].launch_template_ami_id, "resolve:ssm:", "") - ] - } - - statement { - effect = "Allow" - actions = [ - "ec2:DescribeImages" - ] - resources = ["*"] - } -} - -resource "aws_cloudwatch_log_group" "update_runner_ami_lambda" { - name = "/aws/lambda/${var.runner_configs.prefix}-update-runner-ami" - retention_in_days = var.runner_configs.logging_retention_in_days - tags = var.tenant_configs.tags - tags_all = var.tenant_configs.tags -} - -resource "aws_cloudwatch_event_rule" "update_runner_ami_lambda" { - name = "${var.runner_configs.prefix}-update-runner-ami" - description = "Trigger Lambda every 10 minutes" - schedule_expression = "cron(*/10 * * * ? *)" - - tags = var.tenant_configs.tags - tags_all = var.tenant_configs.tags - - depends_on = [module.update_runner_ami_lambda] -} - -resource "aws_cloudwatch_event_target" "update_runner_ami_lambda" { - rule = aws_cloudwatch_event_rule.update_runner_ami_lambda.name - arn = module.update_runner_ami_lambda.lambda_function_arn - - depends_on = [module.update_runner_ami_lambda] -} - -resource "aws_lambda_permission" "update_runner_ami_lambda" { - action = "lambda:InvokeFunction" - function_name = "${var.runner_configs.prefix}-update-runner-ami" - principal = "events.amazonaws.com" - statement_id = "AllowExecutionFromCloudWatch" - source_arn = aws_cloudwatch_event_rule.update_runner_ami_lambda.arn - - depends_on = [module.update_runner_ami_lambda] -} diff --git a/modules/platform/forge_runners/ec2_runners.tf b/modules/platform/forge_runners/ec2_runners.tf index 4dbdc503..90d62a92 100644 --- a/modules/platform/forge_runners/ec2_runners.tf +++ b/modules/platform/forge_runners/ec2_runners.tf @@ -13,6 +13,10 @@ module "ec2_runners" { aws_region = var.aws_region + providers = { + aws = aws + } + network_configs = { vpc_id = var.vpc_id subnet_ids = var.subnet_ids From ede4e92f9ea9e55a142ebfa74597dea249647462 Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Tue, 2 Dec 2025 22:11:11 +0100 Subject: [PATCH 12/85] docs: update terraform (#217) --- modules/core/arc/README.md | 2 +- modules/core/arc/scale_set/README.md | 4 +- .../core/arc/scale_set_controller/README.md | 2 +- modules/infra/ami_policy/README.md | 2 +- modules/infra/ami_sharing/README.md | 2 +- modules/infra/cloud_custodian/README.md | 2 +- modules/infra/cloud_formation/README.md | 2 +- modules/infra/ecr/README.md | 2 +- modules/infra/eks/README.md | 12 +-- modules/infra/opt_in_regions/README.md | 2 +- modules/infra/service_linked_roles/README.md | 2 +- modules/infra/storage/README.md | 4 +- .../README.md | 2 +- .../README.md | 2 +- .../webex_webhook_relay/README.md | 2 +- .../github_webhook_relay_source/README.md | 4 +- .../integrations/splunk_aws_billing/README.md | 8 +- .../splunk_cloud_conf_shared/README.md | 4 +- .../props_billing_cur.tf | 7 +- .../props_cloudwatchlogs.tf | 8 +- .../splunk_cloud_conf_shared/props_ec2.tf | 10 +-- .../splunk_cloud_conf_shared/props_k8s.tf | 60 ++++++++++--- .../props_runner_logs.tf | 12 ++- .../README.md | 2 +- .../splunk_cloud_s3_runner_logs/README.md | 4 +- .../splunk_o11y_aws_integration/README.md | 2 +- .../README.md | 4 +- .../splunk_o11y_conf_shared/README.md | 85 +++++++++++++++++++ .../integrations/splunk_otel_eks/README.md | 4 +- modules/integrations/teleport/README.md | 16 +++- .../integrations/teleport/tenant/README.md | 13 +-- modules/platform/ec2_deployment/README.md | 19 ++--- .../ec2_redrive_deadletter/README.md | 30 +++---- .../ec2_update_runner_ssm_ami/README.md | 30 ++----- .../ec2_update_runner_tags/README.md | 30 ++----- modules/platform/forge_runners/README.md | 3 +- .../forge_trust_validator/README.md | 30 +++---- .../github_actions_job_logs/README.md | 6 +- .../github_app_runner_group/README.md | 4 +- .../github_global_lock/README.md | 4 +- .../github_webhook_relay/README.md | 2 +- 41 files changed, 273 insertions(+), 172 deletions(-) create mode 100644 modules/integrations/splunk_o11y_conf_shared/README.md diff --git a/modules/core/arc/README.md b/modules/core/arc/README.md index cac2291f..2fdafb89 100644 --- a/modules/core/arc/README.md +++ b/modules/core/arc/README.md @@ -14,7 +14,7 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.19.0 | +| [aws](#provider\_aws) | 6.23.0 | | [external](#provider\_external) | 2.3.5 | | [kubernetes](#provider\_kubernetes) | 2.38.0 | | [null](#provider\_null) | 3.2.4 | diff --git a/modules/core/arc/scale_set/README.md b/modules/core/arc/scale_set/README.md index 582b35eb..bde82073 100644 --- a/modules/core/arc/scale_set/README.md +++ b/modules/core/arc/scale_set/README.md @@ -12,8 +12,8 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.19.0 | -| [helm](#provider\_helm) | 3.1.0 | +| [aws](#provider\_aws) | 6.23.0 | +| [helm](#provider\_helm) | 3.1.1 | | [kubernetes](#provider\_kubernetes) | 2.38.0 | ## Modules diff --git a/modules/core/arc/scale_set_controller/README.md b/modules/core/arc/scale_set_controller/README.md index c8336013..e1b18621 100644 --- a/modules/core/arc/scale_set_controller/README.md +++ b/modules/core/arc/scale_set_controller/README.md @@ -12,7 +12,7 @@ | Name | Version | |------|---------| -| [helm](#provider\_helm) | 3.1.0 | +| [helm](#provider\_helm) | 3.1.1 | | [kubernetes](#provider\_kubernetes) | 2.38.0 | ## Modules diff --git a/modules/infra/ami_policy/README.md b/modules/infra/ami_policy/README.md index fda1e5b1..e616383f 100644 --- a/modules/infra/ami_policy/README.md +++ b/modules/infra/ami_policy/README.md @@ -10,7 +10,7 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.19.0 | +| [aws](#provider\_aws) | 6.23.0 | ## Modules diff --git a/modules/infra/ami_sharing/README.md b/modules/infra/ami_sharing/README.md index 02413d64..31ab8029 100644 --- a/modules/infra/ami_sharing/README.md +++ b/modules/infra/ami_sharing/README.md @@ -10,7 +10,7 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.19.0 | +| [aws](#provider\_aws) | 6.23.0 | ## Modules diff --git a/modules/infra/cloud_custodian/README.md b/modules/infra/cloud_custodian/README.md index 40cdb5e1..8f4ea7e5 100644 --- a/modules/infra/cloud_custodian/README.md +++ b/modules/infra/cloud_custodian/README.md @@ -10,7 +10,7 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.19.0 | +| [aws](#provider\_aws) | 6.23.0 | ## Modules diff --git a/modules/infra/cloud_formation/README.md b/modules/infra/cloud_formation/README.md index 1807e088..e77ccb80 100644 --- a/modules/infra/cloud_formation/README.md +++ b/modules/infra/cloud_formation/README.md @@ -10,7 +10,7 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.19.0 | +| [aws](#provider\_aws) | 6.23.0 | ## Modules diff --git a/modules/infra/ecr/README.md b/modules/infra/ecr/README.md index 8703de24..01d3b228 100644 --- a/modules/infra/ecr/README.md +++ b/modules/infra/ecr/README.md @@ -10,7 +10,7 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.19.0 | +| [aws](#provider\_aws) | 6.23.0 | ## Modules diff --git a/modules/infra/eks/README.md b/modules/infra/eks/README.md index b4a51c0e..bf963f4e 100644 --- a/modules/infra/eks/README.md +++ b/modules/infra/eks/README.md @@ -16,19 +16,19 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.19.0 | +| [aws](#provider\_aws) | 6.23.0 | | [external](#provider\_external) | 2.3.5 | -| [helm](#provider\_helm) | 3.1.0 | +| [helm](#provider\_helm) | 3.1.1 | | [null](#provider\_null) | 3.2.4 | ## Modules | Name | Source | Version | |------|--------|---------| -| [ebs\_csi\_irsa\_role](#module\_ebs\_csi\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts | 6.1.0 | -| [eks](#module\_eks) | terraform-aws-modules/eks/aws | 21.1.0 | -| [karpenter](#module\_karpenter) | terraform-aws-modules/eks/aws//modules/karpenter | 21.1.0 | -| [self\_managed\_node\_group](#module\_self\_managed\_node\_group) | terraform-aws-modules/eks/aws//modules/self-managed-node-group | 21.1.0 | +| [ebs\_csi\_irsa\_role](#module\_ebs\_csi\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts | 6.2.3 | +| [eks](#module\_eks) | terraform-aws-modules/eks/aws | 21.10.1 | +| [karpenter](#module\_karpenter) | terraform-aws-modules/eks/aws//modules/karpenter | 21.10.1 | +| [self\_managed\_node\_group](#module\_self\_managed\_node\_group) | terraform-aws-modules/eks/aws//modules/self-managed-node-group | 21.10.1 | ## Resources diff --git a/modules/infra/opt_in_regions/README.md b/modules/infra/opt_in_regions/README.md index 30937ffc..88b75fbc 100644 --- a/modules/infra/opt_in_regions/README.md +++ b/modules/infra/opt_in_regions/README.md @@ -10,7 +10,7 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.19.0 | +| [aws](#provider\_aws) | 6.23.0 | ## Modules diff --git a/modules/infra/service_linked_roles/README.md b/modules/infra/service_linked_roles/README.md index b0e929aa..3e3046a4 100644 --- a/modules/infra/service_linked_roles/README.md +++ b/modules/infra/service_linked_roles/README.md @@ -10,7 +10,7 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.19.0 | +| [aws](#provider\_aws) | 6.23.0 | ## Modules diff --git a/modules/infra/storage/README.md b/modules/infra/storage/README.md index 2add1133..a42a99a4 100644 --- a/modules/infra/storage/README.md +++ b/modules/infra/storage/README.md @@ -4,13 +4,13 @@ | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.9.0 | -| [aws](#requirement\_aws) | ~> 5.80 | +| [aws](#requirement\_aws) | ~> 6.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 5.100.0 | +| [aws](#provider\_aws) | 6.23.0 | ## Modules diff --git a/modules/integrations/github_webhook_relay_destination/README.md b/modules/integrations/github_webhook_relay_destination/README.md index b015efd2..86ce5145 100644 --- a/modules/integrations/github_webhook_relay_destination/README.md +++ b/modules/integrations/github_webhook_relay_destination/README.md @@ -48,7 +48,7 @@ graph TD | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.19.0 | +| [aws](#provider\_aws) | 6.23.0 | | [external](#provider\_external) | 2.3.5 | ## Modules diff --git a/modules/integrations/github_webhook_relay_destination_receivers/README.md b/modules/integrations/github_webhook_relay_destination_receivers/README.md index 53446fba..5064ad05 100644 --- a/modules/integrations/github_webhook_relay_destination_receivers/README.md +++ b/modules/integrations/github_webhook_relay_destination_receivers/README.md @@ -10,7 +10,7 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.19.0 | +| [aws](#provider\_aws) | 6.23.0 | ## Modules diff --git a/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/README.md b/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/README.md index 84643ce2..226bfd73 100644 --- a/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/README.md +++ b/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/README.md @@ -55,7 +55,7 @@ Both `token` and `room_id` keys are required. The function will prepend `Bearer | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.19.0 | +| [aws](#provider\_aws) | 6.23.0 | | [time](#provider\_time) | 0.13.1 | ## Modules diff --git a/modules/integrations/github_webhook_relay_source/README.md b/modules/integrations/github_webhook_relay_source/README.md index a50585dc..31f82315 100644 --- a/modules/integrations/github_webhook_relay_source/README.md +++ b/modules/integrations/github_webhook_relay_source/README.md @@ -66,13 +66,13 @@ curl -X POST "$(terraform output -raw webhook_endpoint)/webhook" \ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.19.0 | +| [aws](#provider\_aws) | 6.23.0 | ## Modules | Name | Source | Version | |------|--------|---------| -| [validate\_signature\_lambda](#module\_validate\_signature\_lambda) | terraform-aws-modules/lambda/aws | 8.1.0 | +| [validate\_signature\_lambda](#module\_validate\_signature\_lambda) | terraform-aws-modules/lambda/aws | 8.1.2 | ## Resources diff --git a/modules/integrations/splunk_aws_billing/README.md b/modules/integrations/splunk_aws_billing/README.md index 37fb941c..fa9f572e 100644 --- a/modules/integrations/splunk_aws_billing/README.md +++ b/modules/integrations/splunk_aws_billing/README.md @@ -14,15 +14,15 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.19.0 | +| [aws](#provider\_aws) | 6.23.0 | ## Modules | Name | Source | Version | |------|--------|---------| -| [cur\_per\_resource](#module\_cur\_per\_resource) | terraform-aws-modules/lambda/aws | 8.1.0 | -| [cur\_per\_resource\_process](#module\_cur\_per\_resource\_process) | terraform-aws-modules/lambda/aws | 8.1.0 | -| [cur\_per\_service](#module\_cur\_per\_service) | terraform-aws-modules/lambda/aws | 8.1.0 | +| [cur\_per\_resource](#module\_cur\_per\_resource) | terraform-aws-modules/lambda/aws | 8.1.2 | +| [cur\_per\_resource\_process](#module\_cur\_per\_resource\_process) | terraform-aws-modules/lambda/aws | 8.1.2 | +| [cur\_per\_service](#module\_cur\_per\_service) | terraform-aws-modules/lambda/aws | 8.1.2 | ## Resources diff --git a/modules/integrations/splunk_cloud_conf_shared/README.md b/modules/integrations/splunk_cloud_conf_shared/README.md index 8eb3bc1f..d02c1580 100644 --- a/modules/integrations/splunk_cloud_conf_shared/README.md +++ b/modules/integrations/splunk_cloud_conf_shared/README.md @@ -11,7 +11,7 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.19.0 | +| [aws](#provider\_aws) | 6.23.0 | | [splunk](#provider\_splunk) | 1.4.32 | ## Modules @@ -34,6 +34,7 @@ No modules. | [splunk_configs_conf.forgecicd_cloudwatchlogs_runner_gh_runner_version](https://registry.terraform.io/providers/splunk/splunk/latest/docs/resources/configs_conf) | resource | | [splunk_configs_conf.forgecicd_cloudwatchlogs_runner_pages_github_repo_name](https://registry.terraform.io/providers/splunk/splunk/latest/docs/resources/configs_conf) | resource | | [splunk_configs_conf.forgecicd_cloudwatchlogs_runner_tenant_fields](https://registry.terraform.io/providers/splunk/splunk/latest/docs/resources/configs_conf) | resource | +| [splunk_configs_conf.forgecicd_extra_lambda_ec2_tenant_fields](https://registry.terraform.io/providers/splunk/splunk/latest/docs/resources/configs_conf) | resource | | [splunk_configs_conf.forgecicd_extra_lambda_tenant_fields](https://registry.terraform.io/providers/splunk/splunk/latest/docs/resources/configs_conf) | resource | | [splunk_configs_conf.forgecicd_kube_container_dind](https://registry.terraform.io/providers/splunk/splunk/latest/docs/resources/configs_conf) | resource | | [splunk_configs_conf.forgecicd_kube_container_init_dind_externals](https://registry.terraform.io/providers/splunk/splunk/latest/docs/resources/configs_conf) | resource | @@ -61,6 +62,7 @@ No modules. | [splunk_configs_conf.forgecicd_runner_logs_logs](https://registry.terraform.io/providers/splunk/splunk/latest/docs/resources/configs_conf) | resource | | [splunk_configs_conf.forgecicd_runner_logs_tenant_fields_event](https://registry.terraform.io/providers/splunk/splunk/latest/docs/resources/configs_conf) | resource | | [splunk_configs_conf.forgecicd_runner_logs_tenant_fields_logs](https://registry.terraform.io/providers/splunk/splunk/latest/docs/resources/configs_conf) | resource | +| [splunk_configs_conf.forgecicd_trust_validation](https://registry.terraform.io/providers/splunk/splunk/latest/docs/resources/configs_conf) | resource | | [splunk_data_ui_views.ci_jobs](https://registry.terraform.io/providers/splunk/splunk/latest/docs/resources/data_ui_views) | resource | | [splunk_data_ui_views.tenant](https://registry.terraform.io/providers/splunk/splunk/latest/docs/resources/data_ui_views) | resource | | [aws_secretsmanager_secret.secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source | diff --git a/modules/integrations/splunk_cloud_conf_shared/props_billing_cur.tf b/modules/integrations/splunk_cloud_conf_shared/props_billing_cur.tf index e245a02f..4d21f223 100644 --- a/modules/integrations/splunk_cloud_conf_shared/props_billing_cur.tf +++ b/modules/integrations/splunk_cloud_conf_shared/props_billing_cur.tf @@ -5,9 +5,14 @@ resource "splunk_configs_conf" "forgecicd_aws_billing_cur" { "REPORT-forgecicd_billing_cur_instance_id" = "forgecicd_billing_cur_instance_id" "REPORT-forgecicd_billing_cur_volume_id" = "forgecicd_billing_cur_volume_id" } + + acl { + read = var.splunk_conf.acl.read + write = var.splunk_conf.acl.write + } + lifecycle { ignore_changes = [ - acl, variables["ADD_EXTRA_TIME_FIELDS"], variables["ANNOTATE_PUNCT"], variables["AUTO_KV_JSON"], diff --git a/modules/integrations/splunk_cloud_conf_shared/props_cloudwatchlogs.tf b/modules/integrations/splunk_cloud_conf_shared/props_cloudwatchlogs.tf index b12dae37..802b79c1 100644 --- a/modules/integrations/splunk_cloud_conf_shared/props_cloudwatchlogs.tf +++ b/modules/integrations/splunk_cloud_conf_shared/props_cloudwatchlogs.tf @@ -7,10 +7,16 @@ resource "splunk_configs_conf" "forgecicd_cloudwatchlogs" { "REPORT-forgecicd_cloudwatchlogs_global_lambda_tenant_fields" = "forgecicd_cloudwatchlogs_global_lambda_tenant_fields" "REPORT-forgecicd_extra_lambda_tenant_fields" = "forgecicd_extra_lambda_tenant_fields" "REPORT-forgecicd_trust_validation" = "forgecicd_trust_validation" + "REPORT-forgecicd_extra_lambda_ec2_tenant_fields" = "forgecicd_extra_lambda_ec2_tenant_fields" } + + acl { + read = var.splunk_conf.acl.read + write = var.splunk_conf.acl.write + } + lifecycle { ignore_changes = [ - acl, variables["ADD_EXTRA_TIME_FIELDS"], variables["ANNOTATE_PUNCT"], variables["AUTO_KV_JSON"], diff --git a/modules/integrations/splunk_cloud_conf_shared/props_ec2.tf b/modules/integrations/splunk_cloud_conf_shared/props_ec2.tf index 26fc140c..3eb82ebe 100644 --- a/modules/integrations/splunk_cloud_conf_shared/props_ec2.tf +++ b/modules/integrations/splunk_cloud_conf_shared/props_ec2.tf @@ -8,16 +8,14 @@ resource "splunk_configs_conf" "forgecicd_cloudwatchlogs_forgecicd" { "REPORT-forgecicd_cloudwatchlogs_runner_ci_result" = "forgecicd_cloudwatchlogs_runner_ci_result" "REPORT-forgecicd_cloudwatchlogs_runner_gh_runner_version" = "forgecicd_cloudwatchlogs_runner_gh_runner_version" } + acl { - app = var.splunk_conf.acl.app - owner = var.splunk_conf.acl.owner - sharing = var.splunk_conf.acl.sharing - read = var.splunk_conf.acl.read - write = var.splunk_conf.acl.write + read = var.splunk_conf.acl.read + write = var.splunk_conf.acl.write } + lifecycle { ignore_changes = [ - acl, variables["ADD_EXTRA_TIME_FIELDS"], variables["ANNOTATE_PUNCT"], variables["AUTO_KV_JSON"], diff --git a/modules/integrations/splunk_cloud_conf_shared/props_k8s.tf b/modules/integrations/splunk_cloud_conf_shared/props_k8s.tf index e47e2812..44440bd5 100644 --- a/modules/integrations/splunk_cloud_conf_shared/props_k8s.tf +++ b/modules/integrations/splunk_cloud_conf_shared/props_k8s.tf @@ -7,9 +7,13 @@ resource "splunk_configs_conf" "forgecicd_kube_container_runner" { "REPORT-forgecicd_kube_container_runner_gh_runner_version" = "forgecicd_kube_container_runner_gh_runner_version" } + acl { + read = var.splunk_conf.acl.read + write = var.splunk_conf.acl.write + } + lifecycle { ignore_changes = [ - acl, variables["ADD_EXTRA_TIME_FIELDS"], variables["ANNOTATE_PUNCT"], variables["AUTO_KV_JSON"], @@ -67,9 +71,13 @@ resource "splunk_configs_conf" "forgecicd_kube_container_init_docker_creds" { "REPORT-forgecicd_kube_container_runner_tenant_fields" = "forgecicd_kube_container_runner_tenant_fields" } + acl { + read = var.splunk_conf.acl.read + write = var.splunk_conf.acl.write + } + lifecycle { ignore_changes = [ - acl, variables["ADD_EXTRA_TIME_FIELDS"], variables["ANNOTATE_PUNCT"], variables["AUTO_KV_JSON"], @@ -125,9 +133,13 @@ resource "splunk_configs_conf" "forgecicd_kube_container_init_dind_rootless" { "REPORT-forgecicd_kube_container_runner_tenant_fields" = "forgecicd_kube_container_runner_tenant_fields" } + acl { + read = var.splunk_conf.acl.read + write = var.splunk_conf.acl.write + } + lifecycle { ignore_changes = [ - acl, variables["ADD_EXTRA_TIME_FIELDS"], variables["ANNOTATE_PUNCT"], variables["AUTO_KV_JSON"], @@ -183,9 +195,13 @@ resource "splunk_configs_conf" "forgecicd_kube_container_init_work" { "REPORT-forgecicd_kube_container_runner_tenant_fields" = "forgecicd_kube_container_runner_tenant_fields" } + acl { + read = var.splunk_conf.acl.read + write = var.splunk_conf.acl.write + } + lifecycle { ignore_changes = [ - acl, variables["ADD_EXTRA_TIME_FIELDS"], variables["ANNOTATE_PUNCT"], variables["AUTO_KV_JSON"], @@ -241,9 +257,13 @@ resource "splunk_configs_conf" "forgecicd_kube_container_init_dind_externals" { "REPORT-forgecicd_kube_container_runner_tenant_fields" = "forgecicd_kube_container_runner_tenant_fields" } + acl { + read = var.splunk_conf.acl.read + write = var.splunk_conf.acl.write + } + lifecycle { ignore_changes = [ - acl, variables["ADD_EXTRA_TIME_FIELDS"], variables["ANNOTATE_PUNCT"], variables["AUTO_KV_JSON"], @@ -299,9 +319,13 @@ resource "splunk_configs_conf" "forgecicd_kube_container_dind" { "REPORT-forgecicd_kube_container_runner_tenant_fields" = "forgecicd_kube_container_runner_tenant_fields" } + acl { + read = var.splunk_conf.acl.read + write = var.splunk_conf.acl.write + } + lifecycle { ignore_changes = [ - acl, variables["ADD_EXTRA_TIME_FIELDS"], variables["ANNOTATE_PUNCT"], variables["AUTO_KV_JSON"], @@ -357,9 +381,13 @@ resource "splunk_configs_conf" "forgecicd_kube_container_listener" { "REPORT-forgecicd_kube_container_listener_tenant_fields" = "forgecicd_kube_container_listener_tenant_fields" } + acl { + read = var.splunk_conf.acl.read + write = var.splunk_conf.acl.write + } + lifecycle { ignore_changes = [ - acl, variables["ADD_EXTRA_TIME_FIELDS"], variables["ANNOTATE_PUNCT"], variables["AUTO_KV_JSON"], @@ -415,9 +443,13 @@ resource "splunk_configs_conf" "forgecicd_kube_container_manager" { "REPORT-forgecicd_kube_container_manager_tenant_fields" = "forgecicd_kube_container_manager_tenant_fields" } + acl { + read = var.splunk_conf.acl.read + write = var.splunk_conf.acl.write + } + lifecycle { ignore_changes = [ - acl, variables["ADD_EXTRA_TIME_FIELDS"], variables["ANNOTATE_PUNCT"], variables["AUTO_KV_JSON"], @@ -472,9 +504,13 @@ resource "splunk_configs_conf" "forgecicd_kube_container_log_worker" { "REPORT-forgecicd_kube_container_runner_tenant_fields" = "forgecicd_kube_container_runner_tenant_fields" } + acl { + read = var.splunk_conf.acl.read + write = var.splunk_conf.acl.write + } + lifecycle { ignore_changes = [ - acl, variables["ADD_EXTRA_TIME_FIELDS"], variables["ANNOTATE_PUNCT"], variables["AUTO_KV_JSON"], @@ -529,9 +565,13 @@ resource "splunk_configs_conf" "forgecicd_kube_container_log_hook" { "REPORT-forgecicd_kube_container_runner_tenant_fields" = "forgecicd_kube_container_runner_tenant_fields" } + acl { + read = var.splunk_conf.acl.read + write = var.splunk_conf.acl.write + } + lifecycle { ignore_changes = [ - acl, variables["ADD_EXTRA_TIME_FIELDS"], variables["ANNOTATE_PUNCT"], variables["AUTO_KV_JSON"], diff --git a/modules/integrations/splunk_cloud_conf_shared/props_runner_logs.tf b/modules/integrations/splunk_cloud_conf_shared/props_runner_logs.tf index c5b43240..7382f80b 100644 --- a/modules/integrations/splunk_cloud_conf_shared/props_runner_logs.tf +++ b/modules/integrations/splunk_cloud_conf_shared/props_runner_logs.tf @@ -7,9 +7,13 @@ resource "splunk_configs_conf" "forgecicd_runner_logs_json" { "REPORT-forgecicd_runner_arc" = "forgecicd_runner_arc" } + acl { + read = var.splunk_conf.acl.read + write = var.splunk_conf.acl.write + } + lifecycle { ignore_changes = [ - acl, variables["ADD_EXTRA_TIME_FIELDS"], variables["ANNOTATE_PUNCT"], variables["AUTO_KV_JSON"], @@ -68,9 +72,13 @@ resource "splunk_configs_conf" "forgecicd_runner_logs_logs" { "REPORT-forgecicd_runner_arc" = "forgecicd_runner_arc" } + acl { + read = var.splunk_conf.acl.read + write = var.splunk_conf.acl.write + } + lifecycle { ignore_changes = [ - acl, variables["ADD_EXTRA_TIME_FIELDS"], variables["ANNOTATE_PUNCT"], variables["AUTO_KV_JSON"], diff --git a/modules/integrations/splunk_cloud_data_manager_common/README.md b/modules/integrations/splunk_cloud_data_manager_common/README.md index 4a28a663..0c1fe241 100644 --- a/modules/integrations/splunk_cloud_data_manager_common/README.md +++ b/modules/integrations/splunk_cloud_data_manager_common/README.md @@ -11,7 +11,7 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.19.0 | +| [aws](#provider\_aws) | 6.23.0 | | [external](#provider\_external) | 2.3.5 | ## Modules diff --git a/modules/integrations/splunk_cloud_s3_runner_logs/README.md b/modules/integrations/splunk_cloud_s3_runner_logs/README.md index aa302d93..dadc3bd7 100644 --- a/modules/integrations/splunk_cloud_s3_runner_logs/README.md +++ b/modules/integrations/splunk_cloud_s3_runner_logs/README.md @@ -11,14 +11,14 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.19.0 | +| [aws](#provider\_aws) | 6.23.0 | | [external](#provider\_external) | 2.3.5 | ## Modules | Name | Source | Version | |------|--------|---------| -| [splunk\_s3\_runner\_logs\_lambda](#module\_splunk\_s3\_runner\_logs\_lambda) | terraform-aws-modules/lambda/aws | 8.1.0 | +| [splunk\_s3\_runner\_logs\_lambda](#module\_splunk\_s3\_runner\_logs\_lambda) | terraform-aws-modules/lambda/aws | 8.1.2 | ## Resources diff --git a/modules/integrations/splunk_o11y_aws_integration/README.md b/modules/integrations/splunk_o11y_aws_integration/README.md index 7146a2d8..8f605b08 100644 --- a/modules/integrations/splunk_o11y_aws_integration/README.md +++ b/modules/integrations/splunk_o11y_aws_integration/README.md @@ -10,7 +10,7 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.19.0 | +| [aws](#provider\_aws) | 6.23.0 | ## Modules diff --git a/modules/integrations/splunk_o11y_aws_integration_common/README.md b/modules/integrations/splunk_o11y_aws_integration_common/README.md index 759d5ecf..42365053 100644 --- a/modules/integrations/splunk_o11y_aws_integration_common/README.md +++ b/modules/integrations/splunk_o11y_aws_integration_common/README.md @@ -12,8 +12,8 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.19.0 | -| [signalfx](#provider\_signalfx) | 9.22.2 | +| [aws](#provider\_aws) | 6.23.0 | +| [signalfx](#provider\_signalfx) | 9.22.3 | | [time](#provider\_time) | 0.13.1 | ## Modules diff --git a/modules/integrations/splunk_o11y_conf_shared/README.md b/modules/integrations/splunk_o11y_conf_shared/README.md new file mode 100644 index 00000000..23f34774 --- /dev/null +++ b/modules/integrations/splunk_o11y_conf_shared/README.md @@ -0,0 +1,85 @@ + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.9.1 | +| [aws](#requirement\_aws) | >= 5.90 | +| [signalfx](#requirement\_signalfx) | < 10.0.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | 6.23.0 | +| [signalfx](#provider\_signalfx) | 9.22.3 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [signalfx_dashboard.billing](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/dashboard) | resource | +| [signalfx_dashboard.runner_ec2](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/dashboard) | resource | +| [signalfx_dashboard.runner_k8s](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/dashboard) | resource | +| [signalfx_dashboard_group.forgecicd](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/dashboard_group) | resource | +| [signalfx_list_chart.chart_active_hosts_by_availability_zone](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/list_chart) | resource | +| [signalfx_list_chart.chart_active_hosts_per_instance_type](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/list_chart) | resource | +| [signalfx_list_chart.chart_disk_metrics_24h_change](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/list_chart) | resource | +| [signalfx_list_chart.chart_disk_summary_utilization](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/list_chart) | resource | +| [signalfx_list_chart.chart_top_5_network_in_bytes](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/list_chart) | resource | +| [signalfx_list_chart.chart_top_5_network_out_bytes](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/list_chart) | resource | +| [signalfx_list_chart.chart_top_images_by_mean_cpu_utilization](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/list_chart) | resource | +| [signalfx_list_chart.chart_top_instances_by_cpu_utilization](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/list_chart) | resource | +| [signalfx_list_chart.chart_top_memory_page_swaps_sec](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/list_chart) | resource | +| [signalfx_list_chart.chart_total_network_errors](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/list_chart) | resource | +| [signalfx_list_chart.k8s_network_errors_per_sec](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/list_chart) | resource | +| [signalfx_list_chart.k8s_pods_by_phase](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/list_chart) | resource | +| [signalfx_list_chart.k8s_top_10_cpu_usage_per_pod](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/list_chart) | resource | +| [signalfx_list_chart.k8s_top_10_pods_by_avg_memory_usage](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/list_chart) | resource | +| [signalfx_single_value_chart.chart_active_hosts](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/single_value_chart) | resource | +| [signalfx_single_value_chart.chart_hosts_with_agent_installed](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/single_value_chart) | resource | +| [signalfx_single_value_chart.k8s_active_pods](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/single_value_chart) | resource | +| [signalfx_single_value_chart.k8s_available_pods_by_deployments](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/single_value_chart) | resource | +| [signalfx_single_value_chart.k8s_desired_pods_by_deployments](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/single_value_chart) | resource | +| [signalfx_time_chart.chart_cpu_utilization](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.chart_disk_io_bytes](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.chart_disk_ops](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.chart_disk_utilization](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.chart_memory_utilization](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.chart_network_in_bytes](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.chart_network_in_bytes_vs_24h_change](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.chart_network_out_bytes](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.chart_network_out_bytes_vs_24h_change](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.chart_total_memory_overview_bytes](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.cost_per_service](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.cost_per_tenant](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.k8s_memory_usage_bytes](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.k8s_memory_usage_pct](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.k8s_network_bytes_per_sec](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.net_cost_per_service](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.net_cost_per_tenant](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.total_cost](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.total_net_cost](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [aws_secretsmanager_secret.secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source | +| [aws_secretsmanager_secret_version.secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret_version) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [aws\_profile](#input\_aws\_profile) | AWS profile (i.e., generated via 'sl aws session generate') to use. | `string` | n/a | yes | +| [aws\_region](#input\_aws\_region) | Default AWS region. | `string` | n/a | yes | +| [dashboard\_variables](#input\_dashboard\_variables) | Variables for Dashboards | 
object({
    runner_k8s = object({
      tenant_names = list(string)
      dynamic_variables = list(object({
        property               = string
        alias                  = string
        description            = string
        values                 = list(string)
        value_required         = bool
        values_suggested       = list(string)
        restricted_suggestions = bool
        }
      ))
    })
    runner_ec2 = object({
      tenant_names = list(string)
      dynamic_variables = list(object({
        property               = string
        alias                  = string
        description            = string
        values                 = list(string)
        value_required         = bool
        values_suggested       = list(string)
        restricted_suggestions = bool
        }
      ))
    })
    billing = object({
      tenant_names = list(string)
      dynamic_variables = list(object({
        property               = string
        alias                  = string
        description            = string
        values                 = list(string)
        value_required         = bool
        values_suggested       = list(string)
        restricted_suggestions = bool
        }
      ))
    })
  })
| n/a | yes | +| [default\_tags](#input\_default\_tags) | A map of tags to apply to resources. | `map(string)` | n/a | yes | +| [splunk\_api\_url](#input\_splunk\_api\_url) | URL for plunk Observability Cloud API. | `string` | n/a | yes | +| [splunk\_organization\_id](#input\_splunk\_organization\_id) | organization ID for Splunk Observability Cloud. | `string` | n/a | yes | +| [team](#input\_team) | Team ID | `string` | n/a | yes | + +## Outputs + +No outputs. + diff --git a/modules/integrations/splunk_otel_eks/README.md b/modules/integrations/splunk_otel_eks/README.md index 9f1be39c..1e3b991e 100644 --- a/modules/integrations/splunk_otel_eks/README.md +++ b/modules/integrations/splunk_otel_eks/README.md @@ -12,8 +12,8 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.19.0 | -| [helm](#provider\_helm) | 3.1.0 | +| [aws](#provider\_aws) | 6.23.0 | +| [helm](#provider\_helm) | 3.1.1 | ## Modules diff --git a/modules/integrations/teleport/README.md b/modules/integrations/teleport/README.md index cebb0ce4..1c266d22 100644 --- a/modules/integrations/teleport/README.md +++ b/modules/integrations/teleport/README.md @@ -12,7 +12,7 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.19.0 | +| [aws](#provider\_aws) | 6.23.0 | | [kubernetes](#provider\_kubernetes) | 2.38.0 | ## Modules @@ -25,9 +25,15 @@ | Name | Type | |------|------| +| [aws_iam_policy.eks_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_role.teleport_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy_attachment.attach_eks_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [kubernetes_config_map.aws_auth_teleport](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map) | resource | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_eks_cluster.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source | | [aws_eks_cluster_auth.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source | +| [aws_iam_policy_document.eks_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.trust_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | ## Inputs @@ -38,10 +44,14 @@ | [default\_tags](#input\_default\_tags) | A map of tags to apply to resources. | `map(string)` | n/a | yes | | [tags](#input\_tags) | A map of tags to apply to resources. | `map(string)` | n/a | yes | | [teleport\_config](#input\_teleport\_config) | Map of IAM roles to assume for teleport access, including EKS cluster ARNs and other roles. | 
object({
    cluster_name                = string
    teleport_iam_role_to_assume = string
  })
| n/a | yes | -| [tenant\_prefix](#input\_tenant\_prefix) | Name of the EKS cluster | `string` | n/a | yes | | [tenants](#input\_tenants) | List of tenants to create roles for. | `list(string)` | n/a | yes | ## Outputs -No outputs. +| Name | Description | +|------|-------------| +| [teleport\_account\_id](#output\_teleport\_account\_id) | AWS account ID where Teleport role and resources are created. | +| [teleport\_cluster\_name](#output\_teleport\_cluster\_name) | EKS cluster name used by the Teleport integration. | +| [teleport\_role\_arn](#output\_teleport\_role\_arn) | ARN of the IAM role created for Teleport access to the EKS cluster. | +| [teleport\_tenant\_groups](#output\_teleport\_tenant\_groups) | Map of tenant name to Kubernetes group name used in aws-auth (teleport-). | diff --git a/modules/integrations/teleport/tenant/README.md b/modules/integrations/teleport/tenant/README.md index bbaa4e99..d2424d5b 100644 --- a/modules/integrations/teleport/tenant/README.md +++ b/modules/integrations/teleport/tenant/README.md @@ -12,7 +12,6 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.19.0 | | [kubernetes](#provider\_kubernetes) | 2.38.0 | ## Modules @@ -23,28 +22,18 @@ No modules. | Name | Type | |------|------| -| [aws_iam_policy.eks_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_role.teleport_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role_policy_attachment.attach_eks_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [kubernetes_cluster_role.impersonate](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role) | resource | | [kubernetes_cluster_role.pods](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role) | resource | | [kubernetes_cluster_role_binding.impersonate](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role_binding) | resource | | [kubernetes_role_binding.pods](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding) | resource | -| [aws_iam_policy_document.eks_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.trust_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [namespace](#input\_namespace) | Namespace for chart installation | `string` | n/a | yes | -| [release\_name](#input\_release\_name) | Name of the Helm release | `string` | n/a | yes | -| [tags](#input\_tags) | A map of tags to apply to resources. | `map(string)` | n/a | yes | -| [teleport\_config](#input\_teleport\_config) | Map of IAM roles to assume for teleport access, including EKS cluster ARNs and other roles. | 
object({
    teleport_iam_role_to_assume = string
  })
| n/a | yes | ## Outputs -| Name | Description | -|------|-------------| -| [iam\_role\_arn](#output\_iam\_role\_arn) | n/a | +No outputs. diff --git a/modules/platform/ec2_deployment/README.md b/modules/platform/ec2_deployment/README.md index 0f62868c..3a9f619f 100644 --- a/modules/platform/ec2_deployment/README.md +++ b/modules/platform/ec2_deployment/README.md @@ -12,38 +12,29 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.19.0 | +| [aws](#provider\_aws) | 6.23.0 | | [external](#provider\_external) | 2.3.5 | ## Modules | Name | Source | Version | |------|--------|---------| -| [runners](#module\_runners) | git::https://github.com/github-aws-runners/terraform-aws-github-runner.git//modules/multi-runner | v6.7.8 | -| [update\_ec2\_tags](#module\_update\_ec2\_tags) | terraform-aws-modules/lambda/aws | 8.1.0 | -| [update\_runner\_ami\_lambda](#module\_update\_runner\_ami\_lambda) | terraform-aws-modules/lambda/aws | 8.1.0 | +| [ec2\_redrive\_deadletter](#module\_ec2\_redrive\_deadletter) | ./ec2_redrive_deadletter | n/a | +| [ec2\_update\_runner\_ssm\_ami](#module\_ec2\_update\_runner\_ssm\_ami) | ./ec2_update_runner_ssm_ami | n/a | +| [ec2\_update\_runner\_tags](#module\_ec2\_update\_runner\_tags) | ./ec2_update_runner_tags | n/a | +| [runners](#module\_runners) | git::https://github.com/github-aws-runners/terraform-aws-github-runner.git//modules/multi-runner | v6.10.1 | ## Resources | Name | Type | |------|------| -| [aws_cloudwatch_event_rule.update_ec2_tags](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource | -| [aws_cloudwatch_event_rule.update_runner_ami_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource | -| [aws_cloudwatch_event_target.update_ec2_tags](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource | -| [aws_cloudwatch_event_target.update_runner_ami_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource | -| [aws_cloudwatch_log_group.update_ec2_tags](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | -| [aws_cloudwatch_log_group.update_runner_ami_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | | [aws_iam_policy.ec2_tags](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_kms_alias.github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource | | [aws_kms_key.github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | -| [aws_lambda_permission.update_ec2_tags](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource | -| [aws_lambda_permission.update_runner_ami_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource | | [aws_security_group.gh_runner_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | | [aws_security_group.gh_runner_lambda_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | | [aws_ami.runner_ami](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source | | [aws_iam_policy_document.ec2_tags](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.update_ec2_tags](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.update_runner_ami_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_ssm_parameter.ami_id](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source | | [aws_subnet.runner_subnet](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source | | [external_external.download_lambdas](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/external) | data source | diff --git a/modules/platform/ec2_deployment/ec2_redrive_deadletter/README.md b/modules/platform/ec2_deployment/ec2_redrive_deadletter/README.md index a302b9c6..434031c2 100644 --- a/modules/platform/ec2_deployment/ec2_redrive_deadletter/README.md +++ b/modules/platform/ec2_deployment/ec2_redrive_deadletter/README.md @@ -5,52 +5,42 @@ |------|---------| | [terraform](#requirement\_terraform) | >= 1.9.1 | | [aws](#requirement\_aws) | >= 5.27 | -| [random](#requirement\_random) | >= 3.6 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.19.0 | -| [random](#provider\_random) | 3.7.2 | +| [aws](#provider\_aws) | 6.23.0 | ## Modules | Name | Source | Version | |------|--------|---------| -| [github\_webhook\_relay\_source](#module\_github\_webhook\_relay\_source) | ../../../integrations/github_webhook_relay_source | n/a | +| [ec2\_redrive\_deadletter\_lambda](#module\_ec2\_redrive\_deadletter\_lambda) | terraform-aws-modules/lambda/aws | 8.1.2 | ## Resources | Name | Type | |------|------| -| [aws_iam_role.secret_reader](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role_policy.secret_reader_inline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | -| [aws_kms_alias.github_webhook_relay](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource | -| [aws_kms_key.github_webhook_relay](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | -| [aws_secretsmanager_secret.github_webhook_relay](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource | -| [aws_secretsmanager_secret_version.github_webhook_relay](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource | -| [random_id.github_webhook_relay_source_secret](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource | -| [aws_iam_policy_document.secret_reader_permissions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.secret_reader_trust](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_cloudwatch_event_rule.ec2_redrive_deadletter_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource | +| [aws_cloudwatch_event_target.ec2_redrive_deadletter_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource | +| [aws_cloudwatch_log_group.ec2_redrive_deadletter_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | +| [aws_lambda_permission.ec2_redrive_deadletter_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy_document.ec2_redrive_deadletter_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [github\_webhook\_relay](#input\_github\_webhook\_relay) | Configuration for the (optional) webhook relay source module.
If enabled=true we provision the API Gateway + source EventBridge forwarding rule.
destination\_event\_bus\_name must already exist or be created in the destination account (or via the destination submodule run there). | 
object({
    enabled                     = bool
    destination_account_id      = optional(string)
    destination_event_bus_name  = optional(string)
    destination_region          = optional(string)
    destination_reader_role_arn = optional(string)
  })
| 
{
  "destination_account_id": "",
  "destination_event_bus_name": "",
  "destination_reader_role_arn": "",
  "destination_region": "",
  "enabled": false
}
| no | | [log\_level](#input\_log\_level) | Log level for application logging (e.g., INFO, DEBUG, WARN, ERROR) | `string` | `"INFO"` | no | | [logging\_retention\_in\_days](#input\_logging\_retention\_in\_days) | Retention in days for CloudWatch Log Group for the Lambdas. | `number` | `30` | no | | [prefix](#input\_prefix) | Prefix for all resources | `string` | n/a | yes | -| [secret\_prefix](#input\_secret\_prefix) | Prefix for secret | `string` | n/a | yes | +| [sqs\_map](#input\_sqs\_map) | Map of runner SQS queue names. | 
map(object({
    main = string
    dlq  = string
  }))
| n/a | yes | | [tags](#input\_tags) | Tags to apply to created resources. | `map(string)` | `{}` | no | ## Outputs -| Name | Description | -|------|-------------| -| [source\_secret\_arn](#output\_source\_secret\_arn) | ARN of the GitHub webhook relay secret | -| [source\_secret\_region](#output\_source\_secret\_region) | AWS region the secret resides in | -| [source\_secret\_role\_arn](#output\_source\_secret\_role\_arn) | ARN of IAM role permitted to read/decrypt the webhook relay secret | +No outputs. diff --git a/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/README.md b/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/README.md index a302b9c6..e57f6400 100644 --- a/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/README.md +++ b/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/README.md @@ -5,52 +5,40 @@ |------|---------| | [terraform](#requirement\_terraform) | >= 1.9.1 | | [aws](#requirement\_aws) | >= 5.27 | -| [random](#requirement\_random) | >= 3.6 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.19.0 | -| [random](#provider\_random) | 3.7.2 | +| [aws](#provider\_aws) | 6.23.0 | ## Modules | Name | Source | Version | |------|--------|---------| -| [github\_webhook\_relay\_source](#module\_github\_webhook\_relay\_source) | ../../../integrations/github_webhook_relay_source | n/a | +| [ec2\_update\_runner\_ssm\_ami\_lambda](#module\_ec2\_update\_runner\_ssm\_ami\_lambda) | terraform-aws-modules/lambda/aws | 8.1.2 | ## Resources | Name | Type | |------|------| -| [aws_iam_role.secret_reader](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role_policy.secret_reader_inline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | -| [aws_kms_alias.github_webhook_relay](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource | -| [aws_kms_key.github_webhook_relay](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | -| [aws_secretsmanager_secret.github_webhook_relay](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource | -| [aws_secretsmanager_secret_version.github_webhook_relay](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource | -| [random_id.github_webhook_relay_source_secret](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource | -| [aws_iam_policy_document.secret_reader_permissions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.secret_reader_trust](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_cloudwatch_event_rule.ec2_update_runner_ssm_ami_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource | +| [aws_cloudwatch_event_target.ec2_update_runner_ssm_ami_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource | +| [aws_cloudwatch_log_group.ec2_update_runner_ssm_ami_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | +| [aws_lambda_permission.ec2_update_runner_ssm_ami_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource | +| [aws_iam_policy_document.ec2_update_runner_ssm_ami_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [github\_webhook\_relay](#input\_github\_webhook\_relay) | Configuration for the (optional) webhook relay source module.
If enabled=true we provision the API Gateway + source EventBridge forwarding rule.
destination\_event\_bus\_name must already exist or be created in the destination account (or via the destination submodule run there). | 
object({
    enabled                     = bool
    destination_account_id      = optional(string)
    destination_event_bus_name  = optional(string)
    destination_region          = optional(string)
    destination_reader_role_arn = optional(string)
  })
| 
{
  "destination_account_id": "",
  "destination_event_bus_name": "",
  "destination_reader_role_arn": "",
  "destination_region": "",
  "enabled": false
}
| no | | [log\_level](#input\_log\_level) | Log level for application logging (e.g., INFO, DEBUG, WARN, ERROR) | `string` | `"INFO"` | no | | [logging\_retention\_in\_days](#input\_logging\_retention\_in\_days) | Retention in days for CloudWatch Log Group for the Lambdas. | `number` | `30` | no | | [prefix](#input\_prefix) | Prefix for all resources | `string` | n/a | yes | -| [secret\_prefix](#input\_secret\_prefix) | Prefix for secret | `string` | n/a | yes | +| [runner\_ami\_map](#input\_runner\_ami\_map) | n/a | 
map(object({
    resource_ssm_id = string
    ssm_id          = string
    ami_filter = object({
      name  = list(string)
      state = list(string)
    })
    ami_owners = list(string)
  }))
| n/a | yes | | [tags](#input\_tags) | Tags to apply to created resources. | `map(string)` | `{}` | no | ## Outputs -| Name | Description | -|------|-------------| -| [source\_secret\_arn](#output\_source\_secret\_arn) | ARN of the GitHub webhook relay secret | -| [source\_secret\_region](#output\_source\_secret\_region) | AWS region the secret resides in | -| [source\_secret\_role\_arn](#output\_source\_secret\_role\_arn) | ARN of IAM role permitted to read/decrypt the webhook relay secret | +No outputs. diff --git a/modules/platform/ec2_deployment/ec2_update_runner_tags/README.md b/modules/platform/ec2_deployment/ec2_update_runner_tags/README.md index a302b9c6..e70775a1 100644 --- a/modules/platform/ec2_deployment/ec2_update_runner_tags/README.md +++ b/modules/platform/ec2_deployment/ec2_update_runner_tags/README.md @@ -5,52 +5,40 @@ |------|---------| | [terraform](#requirement\_terraform) | >= 1.9.1 | | [aws](#requirement\_aws) | >= 5.27 | -| [random](#requirement\_random) | >= 3.6 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.19.0 | -| [random](#provider\_random) | 3.7.2 | +| [aws](#provider\_aws) | 6.23.0 | ## Modules | Name | Source | Version | |------|--------|---------| -| [github\_webhook\_relay\_source](#module\_github\_webhook\_relay\_source) | ../../../integrations/github_webhook_relay_source | n/a | +| [ec2\_update\_runner\_tags\_lambda](#module\_ec2\_update\_runner\_tags\_lambda) | terraform-aws-modules/lambda/aws | 8.1.2 | ## Resources | Name | Type | |------|------| -| [aws_iam_role.secret_reader](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role_policy.secret_reader_inline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | -| [aws_kms_alias.github_webhook_relay](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource | -| [aws_kms_key.github_webhook_relay](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | -| [aws_secretsmanager_secret.github_webhook_relay](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource | -| [aws_secretsmanager_secret_version.github_webhook_relay](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource | -| [random_id.github_webhook_relay_source_secret](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource | -| [aws_iam_policy_document.secret_reader_permissions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.secret_reader_trust](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_cloudwatch_event_rule.ec2_update_runner_tags_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource | +| [aws_cloudwatch_event_target.ec2_update_runner_tags_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource | +| [aws_cloudwatch_log_group.ec2_update_runner_tags_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | +| [aws_lambda_permission.ec2_update_runner_tags_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource | +| [aws_iam_policy_document.ec2_update_runner_tags_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [github\_webhook\_relay](#input\_github\_webhook\_relay) | Configuration for the (optional) webhook relay source module.
If enabled=true we provision the API Gateway + source EventBridge forwarding rule.
destination\_event\_bus\_name must already exist or be created in the destination account (or via the destination submodule run there). | 
object({
    enabled                     = bool
    destination_account_id      = optional(string)
    destination_event_bus_name  = optional(string)
    destination_region          = optional(string)
    destination_reader_role_arn = optional(string)
  })
| 
{
  "destination_account_id": "",
  "destination_event_bus_name": "",
  "destination_reader_role_arn": "",
  "destination_region": "",
  "enabled": false
}
| no | +| [event\_bus](#input\_event\_bus) | The name of the EventBridge event bus to subscribe to. | `string` | n/a | yes | | [log\_level](#input\_log\_level) | Log level for application logging (e.g., INFO, DEBUG, WARN, ERROR) | `string` | `"INFO"` | no | | [logging\_retention\_in\_days](#input\_logging\_retention\_in\_days) | Retention in days for CloudWatch Log Group for the Lambdas. | `number` | `30` | no | | [prefix](#input\_prefix) | Prefix for all resources | `string` | n/a | yes | -| [secret\_prefix](#input\_secret\_prefix) | Prefix for secret | `string` | n/a | yes | | [tags](#input\_tags) | Tags to apply to created resources. | `map(string)` | `{}` | no | ## Outputs -| Name | Description | -|------|-------------| -| [source\_secret\_arn](#output\_source\_secret\_arn) | ARN of the GitHub webhook relay secret | -| [source\_secret\_region](#output\_source\_secret\_region) | AWS region the secret resides in | -| [source\_secret\_role\_arn](#output\_source\_secret\_role\_arn) | ARN of IAM role permitted to read/decrypt the webhook relay secret | +No outputs. diff --git a/modules/platform/forge_runners/README.md b/modules/platform/forge_runners/README.md index a951d979..c68e7a95 100644 --- a/modules/platform/forge_runners/README.md +++ b/modules/platform/forge_runners/README.md @@ -16,7 +16,7 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.19.0 | +| [aws](#provider\_aws) | 6.23.0 | | [null](#provider\_null) | 3.2.4 | | [random](#provider\_random) | 3.7.2 | | [time](#provider\_time) | 0.13.1 | @@ -27,6 +27,7 @@ |------|--------|---------| | [arc\_runners](#module\_arc\_runners) | ../arc_deployment | n/a | | [ec2\_runners](#module\_ec2\_runners) | ../ec2_deployment | n/a | +| [forge\_trust\_validator](#module\_forge\_trust\_validator) | ./forge_trust_validator | n/a | | [github\_actions\_job\_logs](#module\_github\_actions\_job\_logs) | ./github_actions_job_logs | n/a | | [github\_app\_runner\_group](#module\_github\_app\_runner\_group) | ./github_app_runner_group | n/a | | [github\_global\_lock](#module\_github\_global\_lock) | ./github_global_lock | n/a | diff --git a/modules/platform/forge_runners/forge_trust_validator/README.md b/modules/platform/forge_runners/forge_trust_validator/README.md index 730d72c3..176ab114 100644 --- a/modules/platform/forge_runners/forge_trust_validator/README.md +++ b/modules/platform/forge_runners/forge_trust_validator/README.md @@ -5,45 +5,45 @@ |------|---------| | [terraform](#requirement\_terraform) | >= 1.9.1 | | [aws](#requirement\_aws) | >= 5.27 | +| [null](#requirement\_null) | >= 3.2 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.19.0 | +| [aws](#provider\_aws) | 6.23.0 | +| [null](#provider\_null) | 3.2.4 | ## Modules | Name | Source | Version | |------|--------|---------| -| [register\_github\_app\_runner\_group\_lambda](#module\_register\_github\_app\_runner\_group\_lambda) | terraform-aws-modules/lambda/aws | 8.1.0 | +| [forge\_trust\_validator\_lambda](#module\_forge\_trust\_validator\_lambda) | terraform-aws-modules/lambda/aws | 8.1.2 | ## Resources | Name | Type | |------|------| -| [aws_cloudwatch_event_rule.register_github_app_runner_group_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource | -| [aws_cloudwatch_event_target.register_github_app_runner_group_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource | -| [aws_cloudwatch_log_group.register_github_app_runner_group_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | -| [aws_lambda_permission.register_github_app_runner_group_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource | -| [aws_iam_policy_document.register_github_app_runner_group_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | -| [aws_secretsmanager_secret.secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source | -| [aws_secretsmanager_secret_version.secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret_version) | data source | +| [aws_cloudwatch_event_rule.forge_trust_validator_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource | +| [aws_cloudwatch_event_target.forge_trust_validator_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource | +| [aws_cloudwatch_log_group.forge_trust_validator_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | +| [aws_lambda_permission.forge_trust_validator_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource | +| [null_resource.update_forge_role_trust](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy_document.forge_trust_validator_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_role.forge](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_role) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [ghes\_org](#input\_ghes\_org) | GitHub organization (GHES or GitHub.com). | `string` | n/a | yes | -| [github\_api](#input\_github\_api) | Base URL for the GitHub API (set to GHES API endpoint if using Enterprise). | `string` | `"https://api.github.com"` | no | +| [aws\_profile](#input\_aws\_profile) | AWS profile (i.e. generated via 'sl aws session generate') to use. | `string` | n/a | yes | +| [forge\_iam\_roles](#input\_forge\_iam\_roles) | List of IAM role ARNs for Forge runners. | `list(string)` | n/a | yes | | [log\_level](#input\_log\_level) | Log level for application logging (e.g., INFO, DEBUG, WARN, ERROR) | `string` | `"INFO"` | no | | [logging\_retention\_in\_days](#input\_logging\_retention\_in\_days) | Retention in days for CloudWatch Log Group for the Lambdas. | `number` | `30` | no | | [prefix](#input\_prefix) | Prefix for all resources | `string` | n/a | yes | -| [repository\_selection](#input\_repository\_selection) | Repository selection type: 'all' or 'selected'. | `string` | n/a | yes | -| [runner\_group\_name](#input\_runner\_group\_name) | Name of the GitHub Actions runner group to create/update and attach repositories to. | `string` | n/a | yes | -| [secrets\_prefix](#input\_secrets\_prefix) | Prefix for all secrets | `string` | n/a | yes | | [tags](#input\_tags) | Tags to apply to created resources. | `map(string)` | `{}` | no | +| [tenant\_iam\_roles](#input\_tenant\_iam\_roles) | List of IAM role ARNs that the runners will assume to test trust relationships. | `list(string)` | `[]` | no | ## Outputs diff --git a/modules/platform/forge_runners/github_actions_job_logs/README.md b/modules/platform/forge_runners/github_actions_job_logs/README.md index 9f539840..fe7a51a9 100644 --- a/modules/platform/forge_runners/github_actions_job_logs/README.md +++ b/modules/platform/forge_runners/github_actions_job_logs/README.md @@ -130,14 +130,14 @@ See parent repository license. | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.19.0 | +| [aws](#provider\_aws) | 6.23.0 | ## Modules | Name | Source | Version | |------|--------|---------| -| [job\_log\_archiver](#module\_job\_log\_archiver) | terraform-aws-modules/lambda/aws | 8.1.0 | -| [job\_log\_dispatcher](#module\_job\_log\_dispatcher) | terraform-aws-modules/lambda/aws | 8.1.0 | +| [job\_log\_archiver](#module\_job\_log\_archiver) | terraform-aws-modules/lambda/aws | 8.1.2 | +| [job\_log\_dispatcher](#module\_job\_log\_dispatcher) | terraform-aws-modules/lambda/aws | 8.1.2 | ## Resources diff --git a/modules/platform/forge_runners/github_app_runner_group/README.md b/modules/platform/forge_runners/github_app_runner_group/README.md index 730d72c3..6234a9d1 100644 --- a/modules/platform/forge_runners/github_app_runner_group/README.md +++ b/modules/platform/forge_runners/github_app_runner_group/README.md @@ -10,13 +10,13 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.19.0 | +| [aws](#provider\_aws) | 6.23.0 | ## Modules | Name | Source | Version | |------|--------|---------| -| [register\_github\_app\_runner\_group\_lambda](#module\_register\_github\_app\_runner\_group\_lambda) | terraform-aws-modules/lambda/aws | 8.1.0 | +| [register\_github\_app\_runner\_group\_lambda](#module\_register\_github\_app\_runner\_group\_lambda) | terraform-aws-modules/lambda/aws | 8.1.2 | ## Resources diff --git a/modules/platform/forge_runners/github_global_lock/README.md b/modules/platform/forge_runners/github_global_lock/README.md index dbd96c6b..f5722232 100644 --- a/modules/platform/forge_runners/github_global_lock/README.md +++ b/modules/platform/forge_runners/github_global_lock/README.md @@ -10,13 +10,13 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.19.0 | +| [aws](#provider\_aws) | 6.23.0 | ## Modules | Name | Source | Version | |------|--------|---------| -| [clean\_global\_lock\_lambda](#module\_clean\_global\_lock\_lambda) | terraform-aws-modules/lambda/aws | 8.1.0 | +| [clean\_global\_lock\_lambda](#module\_clean\_global\_lock\_lambda) | terraform-aws-modules/lambda/aws | 8.1.2 | ## Resources diff --git a/modules/platform/forge_runners/github_webhook_relay/README.md b/modules/platform/forge_runners/github_webhook_relay/README.md index a302b9c6..967da2b6 100644 --- a/modules/platform/forge_runners/github_webhook_relay/README.md +++ b/modules/platform/forge_runners/github_webhook_relay/README.md @@ -11,7 +11,7 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.19.0 | +| [aws](#provider\_aws) | 6.23.0 | | [random](#provider\_random) | 3.7.2 | ## Modules From ed12f8c8a25b67b393eecf010ef2b74db3cabdb1 Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Tue, 2 Dec 2025 22:21:41 +0100 Subject: [PATCH 13/85] chore: merge renovate updates (#218) * chore(deps): update actions/checkout action to v6.0.1 (#35) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update pre-commit hook ansible-community/ansible-lint to v25.12.0 (#36) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .github/workflows/build-forge-github-app-register.yml | 2 +- .github/workflows/build-pre-commit.yml | 2 +- .github/workflows/pre-commit.yml | 2 +- .pre-commit-config.yaml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build-forge-github-app-register.yml b/.github/workflows/build-forge-github-app-register.yml index 4288aa69..c927dee1 100644 --- a/.github/workflows/build-forge-github-app-register.yml +++ b/.github/workflows/build-forge-github-app-register.yml @@ -38,7 +38,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Set up Docker Buildx uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 diff --git a/.github/workflows/build-pre-commit.yml b/.github/workflows/build-pre-commit.yml index ae00cf3c..c94b9f8f 100644 --- a/.github/workflows/build-pre-commit.yml +++ b/.github/workflows/build-pre-commit.yml @@ -38,7 +38,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Set up Docker Buildx uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml index 8275bd26..ba8fcad6 100644 --- a/.github/workflows/pre-commit.yml +++ b/.github/workflows/pre-commit.yml @@ -28,7 +28,7 @@ jobs: if: github.event.pull_request.user.login != 'dependabot[bot]' steps: - name: Checkout Repository - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Cache Pre-commit uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 4bf0310c..1196edde 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -266,7 +266,7 @@ repos: # Ansible Hooks # --------------------- - repo: https://github.com/ansible-community/ansible-lint.git - rev: v25.11.1 + rev: v25.12.0 hooks: - id: ansible-lint name: Ansible · Linter From af881545ff02e74f93d5319caa12ae3744170f39 Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Wed, 3 Dec 2025 13:37:07 +0100 Subject: [PATCH 14/85] fix: use retry and backoff to update assume policy (#219) --- .github/workflows/pre-commit.yml | 4 +- .../forge_trust_validator/forge_roles.tf | 38 +++++++++++++++++-- 2 files changed, 37 insertions(+), 5 deletions(-) diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml index ba8fcad6..64ef7f56 100644 --- a/.github/workflows/pre-commit.yml +++ b/.github/workflows/pre-commit.yml @@ -40,7 +40,9 @@ jobs: uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 with: path: /github/home/.terraform.d/plugin - key: tf-providers + key: tf-providers-${{ github.run_id }} + restore-keys: | + tf-providers - name: Set Terraform plugin cache run: echo "TF_PLUGIN_CACHE_DIR=/github/home/.terraform.d/plugin" >> $GITHUB_ENV diff --git a/modules/platform/forge_runners/forge_trust_validator/forge_roles.tf b/modules/platform/forge_runners/forge_trust_validator/forge_roles.tf index f802d60c..7e4fa89a 100644 --- a/modules/platform/forge_runners/forge_trust_validator/forge_roles.tf +++ b/modules/platform/forge_runners/forge_trust_validator/forge_roles.tf @@ -77,6 +77,39 @@ resource "null_resource" "update_forge_role_trust" { command = <<-EOT set -euo pipefail + retry_with_backoff() { + local max_attempts=10 + local attempt=1 + local delay=2 + + while true; do + # Capture stderr so we can inspect it + if output=$(aws iam update-assume-role-policy \ + --role-name "$${ROLE_NAME}" \ + --policy-document "file://$${TMP_FILE}" \ + --profile "${var.aws_profile}" 2>&1); then + echo "$output" + return 0 + fi + + # If it's not a throttling / rate exceeded error, fail fast + if ! echo "$output" | grep -q "Rate exceeded"; then + echo "$output" >&2 + return 1 + fi + + # Throttling: if we've hit max attempts, print and fail + if [ "$attempt" -ge "$max_attempts" ]; then + echo "$output" >&2 + return 1 + fi + + sleep "$delay" + attempt=$((attempt + 1)) + delay=$((delay * 2)) + done + } + ROLE_NAME="${each.value.name}" TMP_FILE="/tmp/${each.value.name}-trust.json" @@ -84,10 +117,7 @@ resource "null_resource" "update_forge_role_trust" { ${local.concatenated_trust_json[each.key]} JSON - aws iam update-assume-role-policy \ - --role-name "$${ROLE_NAME}" \ - --policy-document "file://$${TMP_FILE}" \ - --profile "${var.aws_profile}" + retry_with_backoff EOT } } From e5ea427878056e5a9fc0e8f2adaf2fb1f5113ce1 Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Thu, 4 Dec 2025 18:02:22 +0100 Subject: [PATCH 15/85] refactor: move redrive deadletter function (#221) --- .../transforms_lambda.tf | 4 +- .../ec2_deployment/ec2_redrive_deadletter.tf | 20 --- .../lambda/ec2_redrive_deadletter.py | 141 ----------------- .../ec2_redrive_deadletter/main.tf | 106 ------------- .../data.tf | 0 .../forge_runners/redrive_deadletter.tf | 32 ++++ .../redrive_deadletter}/README.md | 12 +- .../lambda/redrive_deadletter.py | 145 ++++++++++++++++++ .../forge_runners/redrive_deadletter/main.tf | 106 +++++++++++++ .../redrive_deadletter}/variables.tf | 0 .../redrive_deadletter}/versions.tf | 0 11 files changed, 291 insertions(+), 275 deletions(-) delete mode 100644 modules/platform/ec2_deployment/ec2_redrive_deadletter.tf delete mode 100644 modules/platform/ec2_deployment/ec2_redrive_deadletter/lambda/ec2_redrive_deadletter.py delete mode 100644 modules/platform/ec2_deployment/ec2_redrive_deadletter/main.tf rename modules/platform/{ec2_deployment/ec2_redrive_deadletter => forge_runners}/data.tf (100%) create mode 100644 modules/platform/forge_runners/redrive_deadletter.tf rename modules/platform/{ec2_deployment/ec2_redrive_deadletter => forge_runners/redrive_deadletter}/README.md (64%) create mode 100644 modules/platform/forge_runners/redrive_deadletter/lambda/redrive_deadletter.py create mode 100644 modules/platform/forge_runners/redrive_deadletter/main.tf rename modules/platform/{ec2_deployment/ec2_redrive_deadletter => forge_runners/redrive_deadletter}/variables.tf (100%) rename modules/platform/{ec2_deployment/ec2_redrive_deadletter => forge_runners/redrive_deadletter}/versions.tf (100%) diff --git a/modules/integrations/splunk_cloud_conf_shared/transforms_lambda.tf b/modules/integrations/splunk_cloud_conf_shared/transforms_lambda.tf index defa4eb8..9f2d0c58 100644 --- a/modules/integrations/splunk_cloud_conf_shared/transforms_lambda.tf +++ b/modules/integrations/splunk_cloud_conf_shared/transforms_lambda.tf @@ -2,7 +2,7 @@ resource "splunk_configs_conf" "forgecicd_extra_lambda_tenant_fields" { name = "transforms/forgecicd_extra_lambda_tenant_fields" variables = { - "REGEX" = "(?[^:]+):\\/aws\\/lambda\\/(?[a-z0-9]+)-(?[a-z0-9]+)-(?[a-z0-9]+)-(?register-github-app-runner-group|github-webhook-relay|clean-global-lock|job-log-archiver|job-log-dispatcher|forge-trust-validator)" + "REGEX" = "(?[^:]+):\\/aws\\/lambda\\/(?[a-z0-9]+)-(?[a-z0-9]+)-(?[a-z0-9]+)-(?register-github-app-runner-group|github-webhook-relay|clean-global-lock|job-log-archiver|job-log-dispatcher|forge-trust-validator|redrive-deadletter)" "FORMAT" = "aws_region::$1 forgecicd_tenant::$2 forgecicd_region_alias::$3 forgecicd_vpc_alias::$4 forgecicd_log_type::$5" "SOURCE_KEY" = "source" "CLEAN_KEYS" = "0" @@ -34,7 +34,7 @@ resource "splunk_configs_conf" "forgecicd_extra_lambda_ec2_tenant_fields" { name = "transforms/forgecicd_extra_lambda_ec2_tenant_fields" variables = { - "REGEX" = "(?[^:]+):\\/aws\\/lambda\\/(?[a-z0-9]+)-(?[a-z0-9]+)-(?[a-z0-9]+)-(?ec2-redrive-deadletter|ec2-update-runner-ssm-ami|ec2-update-runner-tags)" + "REGEX" = "(?[^:]+):\\/aws\\/lambda\\/(?[a-z0-9]+)-(?[a-z0-9]+)-(?[a-z0-9]+)-(?|ec2-update-runner-ssm-ami|ec2-update-runner-tags)" "FORMAT" = "aws_region::$1 forgecicd_tenant::$2 forgecicd_region_alias::$3 forgecicd_vpc_alias::$4 forgecicd_log_type::$5 forgecicd_type::ec2" "SOURCE_KEY" = "source" "CLEAN_KEYS" = "0" diff --git a/modules/platform/ec2_deployment/ec2_redrive_deadletter.tf b/modules/platform/ec2_deployment/ec2_redrive_deadletter.tf deleted file mode 100644 index 2dd61bad..00000000 --- a/modules/platform/ec2_deployment/ec2_redrive_deadletter.tf +++ /dev/null @@ -1,20 +0,0 @@ -module "ec2_redrive_deadletter" { - source = "./ec2_redrive_deadletter" - - providers = { - aws = aws - } - - prefix = var.runner_configs.prefix - logging_retention_in_days = var.runner_configs.logging_retention_in_days - log_level = var.runner_configs.log_level - tags = var.tenant_configs.tags - - sqs_map = { - for key in keys(var.runner_configs.runner_specs) : - key => { - dlq = "${var.runner_configs.prefix}-${key}-queued-builds_dead_letter" - main = "${var.runner_configs.prefix}-${key}-queued-builds" - } - } -} diff --git a/modules/platform/ec2_deployment/ec2_redrive_deadletter/lambda/ec2_redrive_deadletter.py b/modules/platform/ec2_deployment/ec2_redrive_deadletter/lambda/ec2_redrive_deadletter.py deleted file mode 100644 index 95d7740d..00000000 --- a/modules/platform/ec2_deployment/ec2_redrive_deadletter/lambda/ec2_redrive_deadletter.py +++ /dev/null @@ -1,141 +0,0 @@ -import json -import logging -import os -import time -from typing import Dict, List - -import boto3 - -LOG = logging.getLogger() -level_str = os.environ.get('LOG_LEVEL', 'INFO').upper() -LOG.setLevel(getattr(logging, level_str, logging.INFO)) - -sqs = boto3.client('sqs') - - -def parse_sqs_map(raw: str) -> List[Dict[str, str]]: - """ - Expected SQS_MAP env var (from Terraform map): - { - "runner-a": {"main": "queue-a-main", "dlq": "queue-a-dlq"}, - "runner-b": {"main": "queue-b-main", "dlq": "queue-b-dlq"} - } - - Returns a list of: - [{"key": "runner-a", "main": "...", "dlq": "..."}, ...] - """ - if not raw.strip(): - return [] - - try: - parsed = json.loads(raw) - except json.JSONDecodeError as e: - raise Exception(f"Invalid SQS_MAP JSON: {e}. Value: {raw}") from e - - if not isinstance(parsed, dict): - raise Exception( - f"SQS_MAP must be a JSON object/map, got: {type(parsed)}") - - mappings: List[Dict[str, str]] = [] - for key, value in parsed.items(): - if not isinstance(value, dict): - raise Exception( - f"SQS_MAP['{key}'] must be an object with 'main' and 'dlq'") - if 'main' not in value or 'dlq' not in value: - raise Exception( - f"SQS_MAP['{key}'] missing 'main' or 'dlq' keys: {value}") - mappings.append( - { - 'key': key, - 'main': str(value['main']), - 'dlq': str(value['dlq']), - } - ) - - return mappings - - -def resolve_queue_url(sqs_client, name_or_url: str) -> str: - """Return URL if already full URL, else resolve by queue name.""" - if name_or_url.startswith('https://'): - return name_or_url - - resp = sqs_client.get_queue_url(QueueName=name_or_url) - return resp['QueueUrl'] - - -def drain_dlq(sqs_client, dlq_url: str, main_url: str) -> int: - """Drain DLQ → main queue, returns number of moved messages.""" - moved = 0 - - while True: - resp = sqs_client.receive_message( - QueueUrl=dlq_url, - MaxNumberOfMessages=10, - WaitTimeSeconds=0, - VisibilityTimeout=30, - ) - - messages = resp.get('Messages', []) - if not messages: - break - - for msg in messages: - sqs_client.send_message( - QueueUrl=main_url, - MessageBody=msg['Body'], - ) - sqs_client.delete_message( - QueueUrl=dlq_url, - ReceiptHandle=msg['ReceiptHandle'], - ) - moved += 1 - - # small throttle to avoid hammering SQS too hard - time.sleep(0.1) - - return moved - - -def lambda_handler(event, context): - raw_sqs_map = os.getenv('SQS_MAP', '') - mappings = parse_sqs_map(raw_sqs_map) - - if not mappings: - LOG.warning('SQS_MAP is empty; nothing to do.') - return {'status': 'noop', 'message': 'SQS_MAP is empty', 'results': []} - - LOG.info('Starting DLQ drain for %d mapping(s)', len(mappings)) - - results = [] - for entry in mappings: - key = entry['key'] - dlq_name_or_url = entry['dlq'] - main_name_or_url = entry['main'] - - LOG.info('Processing SQS mapping key=%s dlq=%s main=%s', - key, dlq_name_or_url, main_name_or_url) - - dlq_url = resolve_queue_url(sqs, dlq_name_or_url) - main_url = resolve_queue_url(sqs, main_name_or_url) - - moved = drain_dlq(sqs, dlq_url, main_url) - - LOG.info( - 'Finished SQS mapping key=%s dlq=%s main=%s moved=%d', - key, - dlq_name_or_url, - main_name_or_url, - moved, - ) - - results.append( - { - 'key': key, - 'dlq': dlq_name_or_url, - 'main': main_name_or_url, - 'moved': moved, - } - ) - - return {'status': 'ok', 'results': results} diff --git a/modules/platform/ec2_deployment/ec2_redrive_deadletter/main.tf b/modules/platform/ec2_deployment/ec2_redrive_deadletter/main.tf deleted file mode 100644 index 21e9e765..00000000 --- a/modules/platform/ec2_deployment/ec2_redrive_deadletter/main.tf +++ /dev/null @@ -1,106 +0,0 @@ -module "ec2_redrive_deadletter_lambda" { - source = "terraform-aws-modules/lambda/aws" - version = "8.1.2" - - function_name = "${var.prefix}-ec2-redrive-deadletter" - handler = "ec2_redrive_deadletter.lambda_handler" - runtime = "python3.12" - timeout = 900 - architectures = ["x86_64"] - - source_path = [{ - path = "${path.module}/lambda" - }] - - logging_log_group = aws_cloudwatch_log_group.ec2_redrive_deadletter_lambda.name - use_existing_cloudwatch_log_group = true - - trigger_on_package_timestamp = false - - environment_variables = { - SQS_MAP = jsonencode(var.sqs_map) - LOG_LEVEL = var.log_level - } - - attach_policy_json = true - - policy_json = data.aws_iam_policy_document.ec2_redrive_deadletter_lambda.json - - function_tags = var.tags - role_tags = var.tags - tags = var.tags - - depends_on = [aws_cloudwatch_log_group.ec2_redrive_deadletter_lambda] -} - -data "aws_iam_policy_document" "ec2_redrive_deadletter_lambda" { - statement { - sid = "SQSReceiveFromDLQ" - effect = "Allow" - - actions = [ - "sqs:ReceiveMessage", - "sqs:GetQueueUrl", - "sqs:GetQueueAttributes", - "sqs:DeleteMessage", - ] - - resources = [ - for key, cfg in var.sqs_map : - "arn:aws:sqs:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:${cfg.dlq}" - ] - } - - statement { - sid = "SQSSendToMainQueue" - effect = "Allow" - - actions = [ - "sqs:SendMessage", - "sqs:GetQueueUrl", - "sqs:GetQueueAttributes", - ] - - resources = [ - for key, cfg in var.sqs_map : - "arn:aws:sqs:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:${cfg.main}" - ] - } -} - - - -resource "aws_cloudwatch_log_group" "ec2_redrive_deadletter_lambda" { - name = "/aws/lambda/${var.prefix}-ec2-redrive-deadletter" - retention_in_days = var.logging_retention_in_days - tags = var.tags - tags_all = var.tags -} - -resource "aws_cloudwatch_event_rule" "ec2_redrive_deadletter_lambda" { - name = "${var.prefix}-ec2-redrive-deadletter" - description = "Trigger Lambda every 10 minutes" - schedule_expression = "cron(*/10 * * * ? *)" - - tags = var.tags - tags_all = var.tags - - depends_on = [module.ec2_redrive_deadletter_lambda] -} - -resource "aws_cloudwatch_event_target" "ec2_redrive_deadletter_lambda" { - rule = aws_cloudwatch_event_rule.ec2_redrive_deadletter_lambda.name - arn = module.ec2_redrive_deadletter_lambda.lambda_function_arn - - depends_on = [module.ec2_redrive_deadletter_lambda] -} - -resource "aws_lambda_permission" "ec2_redrive_deadletter_lambda" { - action = "lambda:InvokeFunction" - function_name = "${var.prefix}-ec2-redrive-deadletter" - principal = "events.amazonaws.com" - statement_id = "AllowExecutionFromCloudWatch" - source_arn = aws_cloudwatch_event_rule.ec2_redrive_deadletter_lambda.arn - - depends_on = [module.ec2_redrive_deadletter_lambda] -} diff --git a/modules/platform/ec2_deployment/ec2_redrive_deadletter/data.tf b/modules/platform/forge_runners/data.tf similarity index 100% rename from modules/platform/ec2_deployment/ec2_redrive_deadletter/data.tf rename to modules/platform/forge_runners/data.tf diff --git a/modules/platform/forge_runners/redrive_deadletter.tf b/modules/platform/forge_runners/redrive_deadletter.tf new file mode 100644 index 00000000..2ae40ffa --- /dev/null +++ b/modules/platform/forge_runners/redrive_deadletter.tf @@ -0,0 +1,32 @@ +locals { + sqs_prefix_arn = "arn:aws:sqs:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}" +} + +module "redrive_deadletter" { + source = "./redrive_deadletter" + + providers = { + aws = aws + } + + prefix = var.deployment_config.prefix + logging_retention_in_days = var.logging_retention_in_days + log_level = var.log_level + tags = local.all_security_tags + + sqs_map = merge( + { + for key in keys(var.ec2_runner_specs) : + key => { + dlq = "${local.sqs_prefix_arn}:${var.deployment_config.prefix}-${key}-queued-builds_dead_letter" + main = "${local.sqs_prefix_arn}:${var.deployment_config.prefix}-${key}-queued-builds" + } + }, + { + "gha-job-logs" = { + dlq = "${local.sqs_prefix_arn}:${var.deployment_config.prefix}-gha-job-logs-dead-letter" + main = "${local.sqs_prefix_arn}:${var.deployment_config.prefix}-gha-job-logs" + } + }, + ) +} diff --git a/modules/platform/ec2_deployment/ec2_redrive_deadletter/README.md b/modules/platform/forge_runners/redrive_deadletter/README.md similarity index 64% rename from modules/platform/ec2_deployment/ec2_redrive_deadletter/README.md rename to modules/platform/forge_runners/redrive_deadletter/README.md index 434031c2..51938f16 100644 --- a/modules/platform/ec2_deployment/ec2_redrive_deadletter/README.md +++ b/modules/platform/forge_runners/redrive_deadletter/README.md @@ -16,18 +16,18 @@ | Name | Source | Version | |------|--------|---------| -| [ec2\_redrive\_deadletter\_lambda](#module\_ec2\_redrive\_deadletter\_lambda) | terraform-aws-modules/lambda/aws | 8.1.2 | +| [ec2\_redrive\_deadletter\_lambda](#module\_ec2\_redrive\_deadletter\_lambda) | terraform-aws-modules/lambda/aws | 8.1.2 | ## Resources | Name | Type | |------|------| -| [aws_cloudwatch_event_rule.ec2_redrive_deadletter_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource | -| [aws_cloudwatch_event_target.ec2_redrive_deadletter_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource | -| [aws_cloudwatch_log_group.ec2_redrive_deadletter_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | -| [aws_lambda_permission.ec2_redrive_deadletter_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource | +| [aws_cloudwatch_event_rule.redrive_deadletter_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource | +| [aws_cloudwatch_event_target.redrive_deadletter_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource | +| [aws_cloudwatch_log_group.redrive_deadletter_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | +| [aws_lambda_permission.redrive_deadletter_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | -| [aws_iam_policy_document.ec2_redrive_deadletter_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.redrive_deadletter_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | ## Inputs diff --git a/modules/platform/forge_runners/redrive_deadletter/lambda/redrive_deadletter.py b/modules/platform/forge_runners/redrive_deadletter/lambda/redrive_deadletter.py new file mode 100644 index 00000000..a2afbcca --- /dev/null +++ b/modules/platform/forge_runners/redrive_deadletter/lambda/redrive_deadletter.py @@ -0,0 +1,145 @@ +import json +import logging +import os +from typing import Dict, List + +import boto3 +from botocore.exceptions import ClientError + +LOG = logging.getLogger() +level_str = os.environ.get('LOG_LEVEL', 'INFO').upper() +LOG.setLevel(getattr(logging, level_str, logging.INFO)) + +sqs = boto3.client('sqs') + + +def parse_sqs_map(raw: str) -> List[Dict[str, str]]: + """ + Expected SQS_MAP env var (from Terraform map), now using ARNs: + + { + "runner-a": { + "main": "arn:aws:sqs:us-east-1:111122223333:queue-a-main", + "dlq": "arn:aws:sqs:us-east-1:111122223333:queue-a-dlq" + }, + "runner-b": { + "main": "arn:aws:sqs:us-east-1:111122223333:queue-b-main", + "dlq": "arn:aws:sqs:us-east-1:111122223333:queue-b-dlq" + } + } + + Returns a list of: + [{"key": "runner-a", "main": "", "dlq": ""}, ...] + """ + if not raw.strip(): + return [] + + try: + parsed = json.loads(raw) + except json.JSONDecodeError as e: + raise Exception(f"Invalid SQS_MAP JSON: {e}. Value: {raw}") from e + + if not isinstance(parsed, dict): + raise Exception( + f"SQS_MAP must be a JSON object/map, got: {type(parsed)}" + ) + + mappings: List[Dict[str, str]] = [] + for key, value in parsed.items(): + if not isinstance(value, dict): + raise Exception( + f"SQS_MAP['{key}'] must be an object with 'main' and 'dlq'" + ) + if 'main' not in value or 'dlq' not in value: + raise Exception( + f"SQS_MAP['{key}'] missing 'main' or 'dlq' keys: {value}" + ) + mappings.append( + { + 'key': key, + 'main': str(value['main']), + 'dlq': str(value['dlq']), + } + ) + + return mappings + + +def start_dlq_redrive_to_source(sqs_client, dlq_identifier: str) -> Dict[str, str]: + """ + Start an SQS message move task from the given DLQ to its *source* queue. + + Uses StartMessageMoveTask with only SourceArn so that SQS + uses the DLQ's redrive policy to determine the destination. + """ + LOG.info('Starting message move task for DLQ ARN=%s', dlq_identifier) + + try: + resp = sqs_client.start_message_move_task( + SourceArn=dlq_identifier + ) + except ClientError as e: + LOG.error( + 'Failed to start message move task for DLQ ARN=%s: %s', + dlq_identifier, + e, + exc_info=True, + ) + return { + 'status': 'error', + 'dlq_identifier': dlq_identifier, + 'error': str(e), + } + + task_handle = resp.get('TaskHandle') + LOG.info( + 'Started message move task for DLQ ARN=%s task_handle=%s', + dlq_identifier, + task_handle, + ) + + return { + 'status': 'started', + 'dlq_identifier': dlq_identifier, + 'task_handle': task_handle, + } + + +def lambda_handler(event, context): + raw_sqs_map = os.getenv('SQS_MAP', '') + mappings = parse_sqs_map(raw_sqs_map) + + if not mappings: + LOG.warning('SQS_MAP is empty; nothing to do.') + return {'status': 'noop', 'message': 'SQS_MAP is empty', 'results': []} + + LOG.info( + 'Starting DLQ redrive (StartMessageMoveTask) for %d mapping(s)', + len(mappings), + ) + + results = [] + for entry in mappings: + key = entry['key'] + dlq_identifier = entry['dlq'] + main_identifier = entry['main'] + + LOG.info( + 'Processing SQS mapping key=%s dlq=%s main=%s', + key, + dlq_identifier, + main_identifier, + ) + + redrive_result = start_dlq_redrive_to_source(sqs, dlq_identifier) + + results.append( + { + 'key': key, + 'dlq': dlq_identifier, + 'main': main_identifier, + **redrive_result, + } + ) + + return {'status': 'ok', 'results': results} diff --git a/modules/platform/forge_runners/redrive_deadletter/main.tf b/modules/platform/forge_runners/redrive_deadletter/main.tf new file mode 100644 index 00000000..8b1fb19a --- /dev/null +++ b/modules/platform/forge_runners/redrive_deadletter/main.tf @@ -0,0 +1,106 @@ +module "redrive_deadletter_lambda" { + source = "terraform-aws-modules/lambda/aws" + version = "8.1.2" + + function_name = "${var.prefix}-redrive-deadletter" + handler = "redrive_deadletter.lambda_handler" + runtime = "python3.12" + timeout = 900 + architectures = ["x86_64"] + + source_path = [{ + path = "${path.module}/lambda" + }] + + logging_log_group = aws_cloudwatch_log_group.redrive_deadletter_lambda.name + use_existing_cloudwatch_log_group = true + + trigger_on_package_timestamp = false + + environment_variables = { + SQS_MAP = jsonencode(var.sqs_map) + LOG_LEVEL = var.log_level + } + + attach_policy_json = true + + policy_json = data.aws_iam_policy_document.redrive_deadletter_lambda.json + + function_tags = var.tags + role_tags = var.tags + tags = var.tags + + depends_on = [aws_cloudwatch_log_group.redrive_deadletter_lambda] +} + +data "aws_iam_policy_document" "redrive_deadletter_lambda" { + statement { + sid = "SQSReceiveFromDLQ" + effect = "Allow" + + actions = [ + "sqs:ReceiveMessage", + "sqs:GetQueueUrl", + "sqs:GetQueueAttributes", + "sqs:DeleteMessage", + ] + + resources = [ + for key, cfg in var.sqs_map : + cfg.dlq + ] + } + + statement { + sid = "SQSSendToMainQueue" + effect = "Allow" + + actions = [ + "sqs:SendMessage", + "sqs:GetQueueUrl", + "sqs:GetQueueAttributes", + ] + + resources = [ + for key, cfg in var.sqs_map : + cfg.main + ] + } +} + + + +resource "aws_cloudwatch_log_group" "redrive_deadletter_lambda" { + name = "/aws/lambda/${var.prefix}-redrive-deadletter" + retention_in_days = var.logging_retention_in_days + tags = var.tags + tags_all = var.tags +} + +resource "aws_cloudwatch_event_rule" "redrive_deadletter_lambda" { + name = "${var.prefix}-redrive-deadletter" + description = "Trigger Lambda every 10 minutes" + schedule_expression = "cron(*/10 * * * ? *)" + + tags = var.tags + tags_all = var.tags + + depends_on = [module.redrive_deadletter_lambda] +} + +resource "aws_cloudwatch_event_target" "redrive_deadletter_lambda" { + rule = aws_cloudwatch_event_rule.redrive_deadletter_lambda.name + arn = module.redrive_deadletter_lambda.lambda_function_arn + + depends_on = [module.redrive_deadletter_lambda] +} + +resource "aws_lambda_permission" "redrive_deadletter_lambda" { + action = "lambda:InvokeFunction" + function_name = "${var.prefix}-redrive-deadletter" + principal = "events.amazonaws.com" + statement_id = "AllowExecutionFromCloudWatch" + source_arn = aws_cloudwatch_event_rule.redrive_deadletter_lambda.arn + + depends_on = [module.redrive_deadletter_lambda] +} diff --git a/modules/platform/ec2_deployment/ec2_redrive_deadletter/variables.tf b/modules/platform/forge_runners/redrive_deadletter/variables.tf similarity index 100% rename from modules/platform/ec2_deployment/ec2_redrive_deadletter/variables.tf rename to modules/platform/forge_runners/redrive_deadletter/variables.tf diff --git a/modules/platform/ec2_deployment/ec2_redrive_deadletter/versions.tf b/modules/platform/forge_runners/redrive_deadletter/versions.tf similarity index 100% rename from modules/platform/ec2_deployment/ec2_redrive_deadletter/versions.tf rename to modules/platform/forge_runners/redrive_deadletter/versions.tf From 25952835149ccb1914ff09253681a177136092d1 Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Thu, 4 Dec 2025 19:45:25 +0100 Subject: [PATCH 16/85] feat: add dashboard for sqs performance (#222) * feat: add dashboard for sqs performance * fix: use correct options * fix: fix variable --- .../dashboard_groups.tf | 6 + .../dashboard_sqs_performance.tf | 452 ++++++++++++++++++ .../splunk_o11y_conf_shared/variables.tf | 13 + 3 files changed, 471 insertions(+) create mode 100644 modules/integrations/splunk_o11y_conf_shared/dashboard_sqs_performance.tf diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboard_groups.tf b/modules/integrations/splunk_o11y_conf_shared/dashboard_groups.tf index 6d4ee47e..c66413aa 100644 --- a/modules/integrations/splunk_o11y_conf_shared/dashboard_groups.tf +++ b/modules/integrations/splunk_o11y_conf_shared/dashboard_groups.tf @@ -2,4 +2,10 @@ resource "signalfx_dashboard_group" "forgecicd" { name = "ForgeCICD Dashboards" description = "" teams = [var.team] + + lifecycle { + ignore_changes = [ + import_qualifier + ] + } } diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboard_sqs_performance.tf b/modules/integrations/splunk_o11y_conf_shared/dashboard_sqs_performance.tf new file mode 100644 index 00000000..4edcc873 --- /dev/null +++ b/modules/integrations/splunk_o11y_conf_shared/dashboard_sqs_performance.tf @@ -0,0 +1,452 @@ +resource "signalfx_single_value_chart" "queues" { + name = "# Queues" + description = "Shows how many SQS queues are being monitored" + + program_text = "A = data('ApproximateAgeOfOldestMessage', rollup='latest').count(by=['QueueName']).count().publish(label='A')" + + max_precision = 4 + unit_prefix = "Metric" + color_by = "Dimension" + show_spark_line = false + + viz_options { + display_name = "Number of SQS queues monitored" + label = "A" + } +} + +resource "signalfx_list_chart" "top_queues_by_message_sent" { + name = "Top queues by message sent" + description = "Ranks queues by number of sent messages" + + program_text = "A = data('NumberOfMessagesSent', rollup='latest').sum(by=['QueueName']).top(count=5).publish(label='A')" + sort_by = "-value" + + disable_sampling = false + hide_missing_values = true + max_precision = 4 + time_range = 900 + unit_prefix = "Metric" + secondary_visualization = "None" + + legend_options_fields { + enabled = true + property = "QueueName" + } + legend_options_fields { + enabled = false + property = "sf_originatingMetric" + } + legend_options_fields { + enabled = false + property = "sf_metric" + } + + viz_options { + display_name = "Top queues by visible messages" + label = "A" + } +} + +resource "signalfx_time_chart" "sent_message_size" { + name = "Sent message size" + description = "Tracks the size of sent messages over time." + + program_text = <<-EOF +A = data('SentMessageSize', filter=filter('namespace', 'AWS/SQS')).sum(over=Args.get('ui.dashboard_window', '15m')).publish(label='A') +EOF + + plot_type = "LineChart" + disable_sampling = true + show_event_lines = false + stacked = false + time_range = 900 + unit_prefix = "Metric" + + axes_precision = 0 + + axis_left { + label = "Bytes" + } + + histogram_options { + color_theme = "gold" + } + + legend_options_fields { + enabled = false + property = "AWSUniqueId" + } + legend_options_fields { + enabled = false + property = "sf_originatingMetric" + } + legend_options_fields { + enabled = false + property = "namespace" + } + legend_options_fields { + enabled = false + property = "sf_metric" + } + legend_options_fields { + enabled = true + property = "QueueName" + } + legend_options_fields { + enabled = false + property = "stat" + } + + viz_options { + display_name = "Sent message size over time" + label = "A" + value_unit = "Byte" + } +} + +resource "signalfx_time_chart" "messages_by_state" { + name = "Messages by state" + description = "Shows delayed, visible, and in-flight message breakdown." + + program_text = <<-EOF +A = data('ApproximateNumberOfMessagesDelayed', rollup='latest').sum().publish(label='A') +B = data('ApproximateNumberOfMessagesVisible', rollup='latest').sum().publish(label='B') +C = data('ApproximateNumberOfMessagesNotVisible', rollup='latest').sum().publish(label='C') +EOF + + plot_type = "AreaChart" + disable_sampling = false + show_event_lines = false + stacked = true + time_range = 900 + unit_prefix = "Metric" + axes_precision = 0 + + on_chart_legend_dimension = "plot_label" + + axis_left { + label = "#Messages" + } + + histogram_options { + color_theme = "gold" + } + + viz_options { + axis = "left" + color = "blue" + display_name = "Delayed messages" + label = "A" + value_suffix = "No of messages" + } + viz_options { + axis = "left" + color = "emerald" + display_name = "Visible messages" + label = "B" + value_suffix = "No of messages" + } + viz_options { + axis = "left" + color = "pink" + display_name = "In-flight messages" + label = "C" + value_suffix = "No of messages" + } +} + +resource "signalfx_list_chart" "oldest_message_age" { + name = "Oldest message age" + description = "Displays the max age of the oldest unprocessed message in seconds" + + program_text = "A = data('ApproximateAgeOfOldestMessage', filter=filter('namespace', 'AWS/SQS') and filter('stat', 'mean')).sum(by=['QueueName', 'aws_region']).publish(label='A')" + + disable_sampling = false + hide_missing_values = true + time_range = 900 + unit_prefix = "Metric" + + secondary_visualization = "None" + sort_by = "-value" + + legend_options_fields { + enabled = false + property = "sf_originatingMetric" + } + legend_options_fields { + enabled = false + property = "namespace" + } + legend_options_fields { + enabled = false + property = "sf_metric" + } + legend_options_fields { + enabled = true + property = "QueueName" + } + legend_options_fields { + enabled = false + property = "stat" + } + legend_options_fields { + enabled = true + property = "aws_region" + } + + viz_options { + display_name = "ApproximateAgeOfOldestMessage - Sum by QueueName,aws_region" + label = "A" + } +} + +resource "signalfx_time_chart" "empty_receives" { + name = "# Empty receives" + description = "Tracks ReceiveMessage API calls returning zero messages" + + program_text = "A = data('NumberOfEmptyReceives', rollup='latest').sum().publish(label='A')" + + plot_type = "LineChart" + disable_sampling = false + show_event_lines = false + stacked = false + time_range = 900 + unit_prefix = "Metric" + axes_precision = 0 + + histogram_options { + color_theme = "gold" + } + + axis_left { + label = "# Calls" + } + + viz_options { + axis = "left" + color = "brown" + display_name = "Number of empty receives" + label = "A" + value_suffix = "No of receives" + } +} + +resource "signalfx_list_chart" "top_queues_by_message_received" { + name = "Top queues by message received" + description = "Ranks queues by number of received messages" + + program_text = "A = data('NumberOfMessagesReceived', rollup='latest').sum(by=['QueueName']).top(count=5).publish(label='A')" + + sort_by = "-value" + + disable_sampling = false + hide_missing_values = true + max_precision = 4 + time_range = 900 + unit_prefix = "Metric" + secondary_visualization = "None" + + legend_options_fields { + enabled = true + property = "QueueName" + } + legend_options_fields { + enabled = false + property = "sf_originatingMetric" + } + legend_options_fields { + enabled = false + property = "sf_metric" + } + + viz_options { + display_name = "Top queues by visible messages" + label = "A" + } +} + +resource "signalfx_time_chart" "message_processing_trend" { + name = "Message processing trend" + description = "Tracks messages sent, received, and deleted over time." + + program_text = <<-EOF +A = data('NumberOfMessagesSent', rollup='latest').sum().publish(label='A') +B = data('NumberOfMessagesReceived', rollup='latest').sum().publish(label='B') +C = data('NumberOfMessagesDeleted', rollup='latest').sum().publish(label='C') +EOF + + plot_type = "AreaChart" + disable_sampling = false + show_event_lines = false + time_range = 900 + unit_prefix = "Metric" + axes_precision = 0 + + on_chart_legend_dimension = "plot_label" + + axis_left { + label = "Count" + } + + histogram_options { + color_theme = "gold" + } + + + viz_options { + axis = "left" + color = "azure" + display_name = "Messages received" + label = "B" + value_suffix = "No of messages" + } + viz_options { + axis = "left" + color = "blue" + display_name = "Messages sent" + label = "A" + value_suffix = "No of messages" + } + viz_options { + axis = "left" + color = "orange" + display_name = "Messages deleted" + label = "C" + value_suffix = "No of messages" + } +} + +resource "signalfx_time_chart" "messages_deleted" { + name = "# Messages deleted" + description = "Displays messages successfully deleted from queues" + + program_text = "A = data('NumberOfMessagesDeleted', rollup='latest').sum().publish(label='A')" + + plot_type = "LineChart" + disable_sampling = false + show_event_lines = false + stacked = false + time_range = 900 + unit_prefix = "Metric" + axes_precision = 0 + + axis_left { + label = "# Messages" + } + + histogram_options { + color_theme = "gold" + } + viz_options { + axis = "left" + color = "emerald" + display_name = "Number of messages deleted" + label = "A" + value_suffix = "No of messages" + } +} + +resource "signalfx_dashboard" "sqs_performance" { + name = "SQS performance" + description = "SQS performance dashboard for AWS SQS queues" + + dashboard_group = signalfx_dashboard_group.forgecicd.id + + variable { + property = "aws_tag_TenantName" + alias = "ForgeCICD Tenant Name" + description = "" + values = [] + value_required = false + values_suggested = var.dashboard_variables.runner_ec2.tenant_names + restricted_suggestions = true + } + + dynamic "variable" { + for_each = var.dashboard_variables.sqs_performance.dynamic_variables + iterator = var_def + + content { + property = var_def.value.property + alias = var_def.value.alias + description = var_def.value.description + values = var_def.value.values + value_required = var_def.value.value_required + values_suggested = var_def.value.values_suggested + restricted_suggestions = var_def.value.restricted_suggestions + } + } + + chart { + chart_id = signalfx_time_chart.message_processing_trend.id + column = 4 + row = 0 + width = 4 + height = 1 + } + + chart { + chart_id = signalfx_time_chart.sent_message_size.id + column = 8 + row = 0 + width = 4 + height = 1 + } + + chart { + chart_id = signalfx_single_value_chart.queues.id + column = 0 + row = 0 + width = 4 + height = 1 + } + + chart { + chart_id = signalfx_list_chart.top_queues_by_message_received.id + column = 0 + row = 1 + width = 4 + height = 2 + } + + chart { + chart_id = signalfx_list_chart.oldest_message_age.id + column = 8 + row = 1 + width = 4 + height = 2 + } + + chart { + chart_id = signalfx_list_chart.top_queues_by_message_sent.id + column = 4 + row = 1 + width = 4 + height = 2 + } + + chart { + chart_id = signalfx_time_chart.messages_deleted.id + column = 6 + row = 3 + width = 6 + height = 1 + } + + chart { + chart_id = signalfx_time_chart.messages_by_state.id + column = 0 + row = 3 + width = 6 + height = 1 + } + + chart { + chart_id = signalfx_time_chart.empty_receives.id + column = 0 + row = 4 + width = 12 + height = 1 + } +} diff --git a/modules/integrations/splunk_o11y_conf_shared/variables.tf b/modules/integrations/splunk_o11y_conf_shared/variables.tf index 592cffc8..23a2dc55 100644 --- a/modules/integrations/splunk_o11y_conf_shared/variables.tf +++ b/modules/integrations/splunk_o11y_conf_shared/variables.tf @@ -69,6 +69,19 @@ variable "dashboard_variables" { } )) }) + sqs_performance = object({ + tenant_names = list(string) + dynamic_variables = list(object({ + property = string + alias = string + description = string + values = list(string) + value_required = bool + values_suggested = list(string) + restricted_suggestions = bool + } + )) + }) }) description = "Variables for Dashboards" } From 141fd946a5e8373146d49efdbb1c8e3d5cd051a4 Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Thu, 4 Dec 2025 20:57:48 +0100 Subject: [PATCH 17/85] fix: prevent the removal of a public access block (#223) * fix: prevent the removal of a public access block * fix: fix permission to run redrive * fix: add more memory for lambda download logs --- modules/infra/storage/main.tf | 6 +++++- modules/integrations/splunk_aws_billing/s3.tf | 2 ++ .../github_actions_job_logs/job_log_archiver.tf | 1 + .../platform/forge_runners/github_actions_job_logs/s3.tf | 7 ++++--- modules/platform/forge_runners/redrive_deadletter/main.tf | 4 +--- 5 files changed, 13 insertions(+), 7 deletions(-) diff --git a/modules/infra/storage/main.tf b/modules/infra/storage/main.tf index acc74902..ac30d8ae 100644 --- a/modules/infra/storage/main.tf +++ b/modules/infra/storage/main.tf @@ -3,7 +3,7 @@ # for stability and auditing purposes). resource "aws_s3_bucket" "s3_long_term" { bucket = "${var.aws_account_id}-long-term-storage" - tags = {} + tags = local.all_security_tags } # Ownership controls. @@ -40,6 +40,8 @@ resource "aws_s3_bucket_public_access_block" "s3_long_term" { block_public_policy = true ignore_public_acls = true restrict_public_buckets = true + + skip_destroy = true } # Short-term storage (i.e. temporary/feature-branch builds, core dumps, and @@ -96,4 +98,6 @@ resource "aws_s3_bucket_public_access_block" "s3_short_term" { block_public_policy = true ignore_public_acls = true restrict_public_buckets = true + + skip_destroy = true } diff --git a/modules/integrations/splunk_aws_billing/s3.tf b/modules/integrations/splunk_aws_billing/s3.tf index 8f068dfb..00fface4 100644 --- a/modules/integrations/splunk_aws_billing/s3.tf +++ b/modules/integrations/splunk_aws_billing/s3.tf @@ -48,6 +48,8 @@ resource "aws_s3_bucket_public_access_block" "aws_billing_report" { block_public_policy = true ignore_public_acls = true restrict_public_buckets = true + + skip_destroy = true } data "aws_iam_policy_document" "cur_bucket_policy" { diff --git a/modules/platform/forge_runners/github_actions_job_logs/job_log_archiver.tf b/modules/platform/forge_runners/github_actions_job_logs/job_log_archiver.tf index 0d585e48..4f5f28b6 100644 --- a/modules/platform/forge_runners/github_actions_job_logs/job_log_archiver.tf +++ b/modules/platform/forge_runners/github_actions_job_logs/job_log_archiver.tf @@ -10,6 +10,7 @@ module "job_log_archiver" { function_name = local.resource_name_archiver handler = "job_log_archiver.lambda_handler" runtime = "python3.12" + memory_size = 1024 timeout = 900 architectures = ["x86_64"] diff --git a/modules/platform/forge_runners/github_actions_job_logs/s3.tf b/modules/platform/forge_runners/github_actions_job_logs/s3.tf index 5192baa1..a1e35415 100644 --- a/modules/platform/forge_runners/github_actions_job_logs/s3.tf +++ b/modules/platform/forge_runners/github_actions_job_logs/s3.tf @@ -1,7 +1,6 @@ resource "aws_s3_bucket" "gh_logs" { - bucket = "${var.prefix}-forge-gh-logs-${data.aws_caller_identity.current.account_id}" - tags = var.tags - tags_all = var.tags + bucket = "${var.prefix}-forge-gh-logs-${data.aws_caller_identity.current.account_id}" + tags = var.tags } resource "aws_s3_bucket_ownership_controls" "gh_logs" { @@ -80,6 +79,8 @@ resource "aws_s3_bucket_public_access_block" "gh_logs" { block_public_policy = true ignore_public_acls = true restrict_public_buckets = true + + skip_destroy = true } diff --git a/modules/platform/forge_runners/redrive_deadletter/main.tf b/modules/platform/forge_runners/redrive_deadletter/main.tf index 8b1fb19a..3be372d9 100644 --- a/modules/platform/forge_runners/redrive_deadletter/main.tf +++ b/modules/platform/forge_runners/redrive_deadletter/main.tf @@ -39,8 +39,8 @@ data "aws_iam_policy_document" "redrive_deadletter_lambda" { effect = "Allow" actions = [ + "sqs:StartMessageMoveTask", "sqs:ReceiveMessage", - "sqs:GetQueueUrl", "sqs:GetQueueAttributes", "sqs:DeleteMessage", ] @@ -57,8 +57,6 @@ data "aws_iam_policy_document" "redrive_deadletter_lambda" { actions = [ "sqs:SendMessage", - "sqs:GetQueueUrl", - "sqs:GetQueueAttributes", ] resources = [ From 437879c40f063f8fd9abea2fe901a736bd8aff05 Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Fri, 5 Dec 2025 15:49:12 +0100 Subject: [PATCH 18/85] feat: add new splunk o11y dashboards (#224) * refactor: rename sqs dashboard * feat: add dynamodb dashboard * feat: add options * feat: add dashboard for lambda * feat: add options * feat: add dashboard for ebs * feat: add options * refactor: create submodules --- .../dashboard_groups.tf | 11 - .../splunk_o11y_conf_shared/dashboards.tf | 98 +++ .../billing/main.tf} | 8 +- .../dashboards/billing/variables.tf | 24 + .../dashboards/billing/versions.tf | 12 + .../dashboards/dynamodb/main.tf | 631 ++++++++++++++ .../dashboards/dynamodb/variables.tf | 24 + .../dashboards/dynamodb/versions.tf | 12 + .../dashboards/ebs/main.tf | 677 ++++++++++++++ .../dashboards/ebs/variables.tf | 24 + .../dashboards/ebs/versions.tf | 12 + .../dashboards/lambda/main.tf | 824 ++++++++++++++++++ .../dashboards/lambda/variables.tf | 24 + .../dashboards/lambda/versions.tf | 12 + .../runner_ec2/main.tf} | 13 +- .../dashboards/runner_ec2/variables.tf | 24 + .../dashboards/runner_ec2/versions.tf | 12 + .../runner_k8s/main.tf} | 9 +- .../dashboards/runner_k8s/variables.tf | 24 + .../dashboards/runner_k8s/versions.tf | 12 + .../sqs/main.tf} | 12 +- .../dashboards/sqs/variables.tf | 24 + .../dashboards/sqs/versions.tf | 12 + .../splunk_o11y_conf_shared/variables.tf | 41 +- 24 files changed, 2540 insertions(+), 36 deletions(-) delete mode 100644 modules/integrations/splunk_o11y_conf_shared/dashboard_groups.tf create mode 100644 modules/integrations/splunk_o11y_conf_shared/dashboards.tf rename modules/integrations/splunk_o11y_conf_shared/{dashboard_billing.tf => dashboards/billing/main.tf} (96%) create mode 100644 modules/integrations/splunk_o11y_conf_shared/dashboards/billing/variables.tf create mode 100644 modules/integrations/splunk_o11y_conf_shared/dashboards/billing/versions.tf create mode 100644 modules/integrations/splunk_o11y_conf_shared/dashboards/dynamodb/main.tf create mode 100644 modules/integrations/splunk_o11y_conf_shared/dashboards/dynamodb/variables.tf create mode 100644 modules/integrations/splunk_o11y_conf_shared/dashboards/dynamodb/versions.tf create mode 100644 modules/integrations/splunk_o11y_conf_shared/dashboards/ebs/main.tf create mode 100644 modules/integrations/splunk_o11y_conf_shared/dashboards/ebs/variables.tf create mode 100644 modules/integrations/splunk_o11y_conf_shared/dashboards/ebs/versions.tf create mode 100644 modules/integrations/splunk_o11y_conf_shared/dashboards/lambda/main.tf create mode 100644 modules/integrations/splunk_o11y_conf_shared/dashboards/lambda/variables.tf create mode 100644 modules/integrations/splunk_o11y_conf_shared/dashboards/lambda/versions.tf rename modules/integrations/splunk_o11y_conf_shared/{dashboard_runner_ec2.tf => dashboards/runner_ec2/main.tf} (99%) create mode 100644 modules/integrations/splunk_o11y_conf_shared/dashboards/runner_ec2/variables.tf create mode 100644 modules/integrations/splunk_o11y_conf_shared/dashboards/runner_ec2/versions.tf rename modules/integrations/splunk_o11y_conf_shared/{dashboard_runner_k8s.tf => dashboards/runner_k8s/main.tf} (98%) create mode 100644 modules/integrations/splunk_o11y_conf_shared/dashboards/runner_k8s/variables.tf create mode 100644 modules/integrations/splunk_o11y_conf_shared/dashboards/runner_k8s/versions.tf rename modules/integrations/splunk_o11y_conf_shared/{dashboard_sqs_performance.tf => dashboards/sqs/main.tf} (96%) create mode 100644 modules/integrations/splunk_o11y_conf_shared/dashboards/sqs/variables.tf create mode 100644 modules/integrations/splunk_o11y_conf_shared/dashboards/sqs/versions.tf diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboard_groups.tf b/modules/integrations/splunk_o11y_conf_shared/dashboard_groups.tf deleted file mode 100644 index c66413aa..00000000 --- a/modules/integrations/splunk_o11y_conf_shared/dashboard_groups.tf +++ /dev/null @@ -1,11 +0,0 @@ -resource "signalfx_dashboard_group" "forgecicd" { - name = "ForgeCICD Dashboards" - description = "" - teams = [var.team] - - lifecycle { - ignore_changes = [ - import_qualifier - ] - } -} diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards.tf b/modules/integrations/splunk_o11y_conf_shared/dashboards.tf new file mode 100644 index 00000000..ebe831e1 --- /dev/null +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards.tf @@ -0,0 +1,98 @@ +resource "signalfx_dashboard_group" "forgecicd" { + name = "ForgeCICD Dashboards" + description = "" + teams = [var.team] + + lifecycle { + ignore_changes = [ + import_qualifier + ] + } +} + +# Core platform health +module "dashboard_runner_ec2" { + source = "./dashboards/runner_ec2" + + providers = { + signalfx = signalfx + } + + tenant_names = var.dashboard_variables.runner_ec2.tenant_names + dynamic_variables = var.dashboard_variables.runner_ec2.dynamic_variables + dashboard_group = signalfx_dashboard_group.forgecicd.id +} + +module "dashboard_runner_k8s" { + source = "./dashboards/runner_k8s" + + providers = { + signalfx = signalfx + } + + tenant_names = var.dashboard_variables.runner_k8s.tenant_names + dynamic_variables = var.dashboard_variables.runner_k8s.dynamic_variables + dashboard_group = signalfx_dashboard_group.forgecicd.id +} + +module "dashboard_lambda" { + source = "./dashboards/lambda" + + providers = { + signalfx = signalfx + } + + tenant_names = var.dashboard_variables.lambda.tenant_names + dynamic_variables = var.dashboard_variables.lambda.dynamic_variables + dashboard_group = signalfx_dashboard_group.forgecicd.id +} + +# Messaging and storage +module "dashboard_sqs" { + source = "./dashboards/sqs" + + providers = { + signalfx = signalfx + } + + tenant_names = var.dashboard_variables.sqs.tenant_names + dynamic_variables = var.dashboard_variables.sqs.dynamic_variables + dashboard_group = signalfx_dashboard_group.forgecicd.id +} + +module "dashboard_dynamodb" { + source = "./dashboards/dynamodb" + + providers = { + signalfx = signalfx + } + + tenant_names = var.dashboard_variables.dynamodb.tenant_names + dynamic_variables = var.dashboard_variables.dynamodb.dynamic_variables + dashboard_group = signalfx_dashboard_group.forgecicd.id +} + +module "dashboard_ebs" { + source = "./dashboards/ebs" + + providers = { + signalfx = signalfx + } + + tenant_names = var.dashboard_variables.ebs.tenant_names + dynamic_variables = var.dashboard_variables.ebs.dynamic_variables + dashboard_group = signalfx_dashboard_group.forgecicd.id +} + +# Cost and usage +module "dashboard_billing" { + source = "./dashboards/billing" + + providers = { + signalfx = signalfx + } + + tenant_names = var.dashboard_variables.billing.tenant_names + dynamic_variables = var.dashboard_variables.billing.dynamic_variables + dashboard_group = signalfx_dashboard_group.forgecicd.id +} diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboard_billing.tf b/modules/integrations/splunk_o11y_conf_shared/dashboards/billing/main.tf similarity index 96% rename from modules/integrations/splunk_o11y_conf_shared/dashboard_billing.tf rename to modules/integrations/splunk_o11y_conf_shared/dashboards/billing/main.tf index 0def4f2d..fd136209 100644 --- a/modules/integrations/splunk_o11y_conf_shared/dashboard_billing.tf +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/billing/main.tf @@ -209,8 +209,8 @@ EOF resource "signalfx_dashboard" "billing" { name = "Billing" - description = "" - dashboard_group = signalfx_dashboard_group.forgecicd.id + description = "Forge CICD cost and net cost by service and tenant." + dashboard_group = var.dashboard_group time_range = "-31d" @@ -220,12 +220,12 @@ resource "signalfx_dashboard" "billing" { description = "" values = [] value_required = false - values_suggested = var.dashboard_variables.runner_k8s.tenant_names + values_suggested = var.tenant_names restricted_suggestions = true } dynamic "variable" { - for_each = var.dashboard_variables.billing.dynamic_variables + for_each = var.dynamic_variables iterator = var_def content { diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/billing/variables.tf b/modules/integrations/splunk_o11y_conf_shared/dashboards/billing/variables.tf new file mode 100644 index 00000000..d926894e --- /dev/null +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/billing/variables.tf @@ -0,0 +1,24 @@ + +variable "tenant_names" { + description = "List of tenant names used for the dashboard." + type = list(string) +} + +variable "dynamic_variables" { + description = "Additional dynamic variable definitions for the dashboard." + type = list(object({ + property = string + alias = string + description = string + values = list(string) + value_required = bool + values_suggested = list(string) + restricted_suggestions = bool + })) + default = [] +} + +variable "dashboard_group" { + description = "Dashboard group name for organizing dashboards." + type = string +} diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/billing/versions.tf b/modules/integrations/splunk_o11y_conf_shared/dashboards/billing/versions.tf new file mode 100644 index 00000000..8218b2cb --- /dev/null +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/billing/versions.tf @@ -0,0 +1,12 @@ +terraform { + # Provider versions. + required_providers { + signalfx = { + source = "splunk-terraform/signalfx" + version = "< 10.0.0" + } + } + + # OpenTofu version. + required_version = ">= 1.9.1" +} diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/dynamodb/main.tf b/modules/integrations/splunk_o11y_conf_shared/dashboards/dynamodb/main.tf new file mode 100644 index 00000000..9cd58ffd --- /dev/null +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/dynamodb/main.tf @@ -0,0 +1,631 @@ +resource "signalfx_time_chart" "write_throttle_events" { + name = "Write throttle events" + description = "Requests to DynamoDB that exceed the provisioned write capacity units for a table or a global secondary index." + program_text = <<-EOF +A = data('WriteThrottleEvents', filter=filter('namespace', 'AWS/DynamoDB') and filter('stat', 'sum') and filter('TableName', '*'), rollup='sum').publish(label='A') +EOF + + plot_type = "AreaChart" + unit_prefix = "Metric" + color_by = "Dimension" + stacked = true + + axes_precision = 0 + + show_data_markers = true + + time_range = 900 + + histogram_options { + color_theme = "gold" + } + + viz_options { + axis = "left" + color = "orange" + display_name = "Writethrottleevents" + label = "A" + } +} + +resource "signalfx_time_chart" "system_errors_ts" { + name = "System errors" + description = "Requests to DynamoDB or Amazon DynamoDB streams that generate an HTTP 500 status code during the specified time period." + program_text = <<-EOF +A = data('SystemErrors', filter=filter('namespace', 'AWS/DynamoDB') and filter('stat', 'sum') and filter('TableName', '*') and filter('Operation', '*'), rollup='sum').publish(label='A') +EOF + + plot_type = "AreaChart" + unit_prefix = "Metric" + color_by = "Dimension" + stacked = true + + axes_precision = 0 + + time_range = 900 + + histogram_options { + color_theme = "gold" + } + + viz_options { + axis = "left" + display_name = "Systemerrors" + label = "A" + } +} + +resource "signalfx_time_chart" "read_capacity_percentage" { + name = "Percentage of read capacity consumed" + description = "The percentage of read capacity units consumed over the specified time period, so you can track how much of your provisioned throughput is used." + program_text = <<-EOF +A = data('ProvisionedReadCapacityUnits', filter=filter('namespace', 'AWS/DynamoDB') and filter('stat', 'mean') and filter('TableName', '*')).publish(label='A', enable=False) +B = data('ConsumedReadCapacityUnits', filter=filter('namespace', 'AWS/DynamoDB') and filter('stat', 'mean') and filter('TableName', '*')).publish(label='B', enable=False) +C = ((B/A)*100).publish(label='C') +EOF + + plot_type = "LineChart" + unit_prefix = "Metric" + color_by = "Dimension" + stacked = false + + axes_precision = 0 + on_chart_legend_dimension = "TableName" + show_data_markers = true + time_range = 3600 + + histogram_options { + color_theme = "gold" + } + + legend_options_fields { + enabled = false + property = "AWSUniqueId" + } + legend_options_fields { + enabled = false + property = "sf_originatingMetric" + } + legend_options_fields { + enabled = false + property = "namespace" + } + legend_options_fields { + enabled = false + property = "sf_metric" + } + legend_options_fields { + enabled = false + property = "stat" + } + legend_options_fields { + enabled = true + property = "TableName" + } + + viz_options { + axis = "left" + display_name = "Consumedreadcapacityunits" + label = "B" + } + viz_options { + axis = "left" + display_name = "Percentage of read capacity consumed" + label = "C" + } + viz_options { + axis = "left" + display_name = "Provisionedreadcapacityunits" + label = "A" + } +} + +resource "signalfx_time_chart" "returned_item_count" { + name = "Returned item count" + description = "The number of items returned by query or scan operations during the specified time period." + program_text = <<-EOF +A = data('ReturnedItemCount', filter=filter('namespace', 'AWS/DynamoDB') and filter('TableName', '*') and filter('Operation', '*') and filter('stat', 'count'), rollup='sum').publish(label='A') +EOF + + plot_type = "LineChart" + unit_prefix = "Metric" + color_by = "Dimension" + stacked = false + + axes_precision = 0 + + on_chart_legend_dimension = "Operation" + + show_data_markers = true + time_range = 3600 + + histogram_options { + color_theme = "gold" + } + + legend_options_fields { + enabled = false + property = "AWSUniqueId" + } + legend_options_fields { + enabled = false + property = "sf_originatingMetric" + } + legend_options_fields { + enabled = false + property = "namespace" + } + legend_options_fields { + enabled = true + property = "Operation" + } + legend_options_fields { + enabled = false + property = "sf_metric" + } + legend_options_fields { + enabled = false + property = "stat" + } + legend_options_fields { + enabled = true + property = "TableName" + } + + viz_options { + axis = "left" + display_name = "Returneditemcount" + label = "A" + } +} + +resource "signalfx_single_value_chart" "avg_request_latency_single" { + name = "Average request latency (ms)" + description = "Successful requests to DynamoDB or Amazon DynamoDB streams during the specified time period." + unit_prefix = "Metric" + color_by = "Dimension" + + max_precision = 3 + + program_text = <<-EOF +A = data('SuccessfulRequestLatency', filter=filter('namespace', 'AWS/DynamoDB') and filter('stat', 'mean')).mean().publish(label='A') +EOF + + viz_options { + display_name = "Successfulrequestlatency - mean" + label = "A" + } +} + +resource "signalfx_time_chart" "avg_request_latency_ts" { + name = "Average request latency (ms)" + description = "Successful requests to DynamoDB or Amazon DynamoDB streams during the specified time period." + program_text = <<-EOF +A = data('SuccessfulRequestLatency', filter=filter('namespace', 'AWS/DynamoDB') and filter('stat', 'mean')).publish(label='A') +EOF + + axes_precision = 0 + + on_chart_legend_dimension = "Operation" + + plot_type = "LineChart" + unit_prefix = "Metric" + color_by = "Dimension" + stacked = false + + show_data_markers = true + time_range = 3600 + + histogram_options { + color_theme = "gold" + } + + legend_options_fields { + enabled = false + property = "AWSUniqueId" + } + legend_options_fields { + enabled = false + property = "sf_originatingMetric" + } + legend_options_fields { + enabled = false + property = "namespace" + } + legend_options_fields { + enabled = true + property = "Operation" + } + legend_options_fields { + enabled = false + property = "sf_metric" + } + legend_options_fields { + enabled = false + property = "stat" + } + legend_options_fields { + enabled = true + property = "TableName" + } + + viz_options { + axis = "left" + display_name = "Successfulrequestlatency" + label = "A" + } +} + +resource "signalfx_single_value_chart" "throttled_requests_single" { + name = "Throttled requests" + description = "Requests to DynamoDB that exceed the provisioned throughput limits on a resource (such as a table or an index)." + unit_prefix = "Metric" + color_by = "Dimension" + + program_text = <<-EOF +A = data('ThrottledRequests', filter=filter('namespace', 'AWS/DynamoDB') and filter('stat', 'sum'), rollup='sum').sum().publish(label='A') +EOF + viz_options { + color = "yellow" + display_name = "Throttledrequests - sum" + label = "A" + } +} + +resource "signalfx_single_value_chart" "system_errors_single" { + name = "System errors" + description = "Requests to DynamoDB or Amazon DynamoDB streams that generate an HTTP 500 status code during the specified time period." + unit_prefix = "Metric" + color_by = "Dimension" + + program_text = <<-EOF +A = data('SystemErrors', filter=filter('namespace', 'AWS/DynamoDB') and filter('stat', 'sum') and filter('TableName', '*') and filter('Operation', '*'), rollup='sum').publish(label='A') +EOF + + viz_options { + color = "brown" + display_name = "Systemerrors" + label = "A" + } +} + +resource "signalfx_time_chart" "user_errors_ts" { + name = "User errors" + description = "Requests to DynamoDB or Amazon DynamoDB streams that generate an HTTP 400 status code during the specified time period." + program_text = <<-EOF +A = data('UserErrors', filter=filter('namespace', 'AWS/DynamoDB') and filter('sf_metric', 'UserErrors') and filter('stat', 'sum'), rollup='sum').publish(label='A') +EOF + + plot_type = "ColumnChart" + unit_prefix = "Metric" + color_by = "Dimension" + stacked = false + + axes_precision = 0 + + show_data_markers = true + + time_range = 3600 + + histogram_options { + color_theme = "gold" + } + + viz_options { + axis = "left" + color = "brown" + display_name = "Usererrors" + label = "A" + } +} + +resource "signalfx_time_chart" "read_throttle_events" { + name = "Read throttle events" + description = "Requests to DynamoDB that exceed the provisioned read capacity units for a table or a global secondary index." + program_text = <<-EOF +A = data('ReadThrottleEvents', filter=filter('stat', 'sum') and filter('TableName', '*'), rollup='sum').publish(label='A') +EOF + + plot_type = "AreaChart" + unit_prefix = "Metric" + color_by = "Dimension" + stacked = true + + axes_precision = 0 + on_chart_legend_dimension = "TableName" + show_data_markers = true + time_range = 3600 + histogram_options { + color_theme = "gold" + } + + viz_options { + axis = "left" + color = "purple" + display_name = "Readthrottleevents" + label = "A" + } +} + +resource "signalfx_time_chart" "throttled_requests_ts" { + name = "Throttled requests" + description = "Requests to DynamoDB that exceed the provisioned throughput limits on a resource (such as a table or an index)." + program_text = <<-EOF +A = data('ThrottledRequests', filter=filter('namespace', 'AWS/DynamoDB') and filter('stat', 'sum'), rollup='sum').publish(label='A') +EOF + + plot_type = "AreaChart" + unit_prefix = "Metric" + color_by = "Dimension" + stacked = true + + axes_precision = 0 + + on_chart_legend_dimension = "Operation" + + show_data_markers = true + + time_range = 3600 + + histogram_options { + color_theme = "gold" + } + + legend_options_fields { + enabled = false + property = "AWSUniqueId" + } + legend_options_fields { + enabled = false + property = "sf_originatingMetric" + } + legend_options_fields { + enabled = false + property = "namespace" + } + legend_options_fields { + enabled = true + property = "Operation" + } + legend_options_fields { + enabled = false + property = "sf_metric" + } + legend_options_fields { + enabled = false + property = "stat" + } + legend_options_fields { + enabled = true + property = "TableName" + } + + viz_options { + axis = "left" + display_name = "Throttledrequests" + label = "A" + } +} + +resource "signalfx_time_chart" "write_capacity_percentage" { + name = "Percentage of write capacity consumed" + description = "The percentage of write capacity units consumed over the specified time period, so you can track how much of your provisioned throughput is used." + program_text = <<-EOF +A = data('ProvisionedWriteCapacityUnits', filter=filter('namespace', 'AWS/DynamoDB') and filter('stat', 'mean') and filter('TableName', '*')).publish(label='A', enable=False) +B = data('ConsumedWriteCapacityUnits', filter=filter('namespace', 'AWS/DynamoDB') and filter('stat', 'mean') and filter('TableName', '*')).publish(label='B', enable=False) +C = ((B/A)*100).publish(label='C') +EOF + + plot_type = "LineChart" + unit_prefix = "Metric" + color_by = "Dimension" + stacked = false + + axes_precision = 0 + + on_chart_legend_dimension = "TableName" + + show_data_markers = true + + time_range = 3600 + + histogram_options { + color_theme = "gold" + } + + legend_options_fields { + enabled = false + property = "AWSUniqueId" + } + legend_options_fields { + enabled = false + property = "sf_originatingMetric" + } + legend_options_fields { + enabled = false + property = "namespace" + } + legend_options_fields { + enabled = false + property = "sf_metric" + } + legend_options_fields { + enabled = false + property = "stat" + } + legend_options_fields { + enabled = true + property = "TableName" + } + + viz_options { + axis = "left" + display_name = "Consumedwritecapacityunits" + label = "B" + } + viz_options { + axis = "left" + display_name = "Percentage of write capacity consumed" + label = "C" + } + viz_options { + axis = "left" + color = "chartreuse" + display_name = "Provisionedwritecapacityunits" + label = "A" + } +} + +resource "signalfx_single_value_chart" "user_errors_single" { + name = "User errors" + description = "Requests to DynamoDB or DynamoDB streams that generate an HTTP 400 status code during the specified time period." + unit_prefix = "Metric" + color_by = "Dimension" + + program_text = <<-EOF +A = data('UserErrors', filter=filter('namespace', 'AWS/DynamoDB') and filter('sf_metric', 'UserErrors') and filter('stat', 'sum'), rollup='sum').publish(label='A') +EOF + + viz_options { + color = "brown" + display_name = "Usererrors" + label = "A" + } +} + + +resource "signalfx_dashboard" "dynamodb" { + name = "DynamoDBs" + description = "Forge CICD DynamoDB table performance, capacity, and throttling." + + dashboard_group = var.dashboard_group + + variable { + property = "aws_tag_TenantName" + alias = "ForgeCICD Tenant Name" + description = "" + values = [] + value_required = false + values_suggested = var.tenant_names + restricted_suggestions = true + } + + dynamic "variable" { + for_each = var.dynamic_variables + iterator = var_def + + content { + property = var_def.value.property + alias = var_def.value.alias + description = var_def.value.description + values = var_def.value.values + value_required = var_def.value.value_required + values_suggested = var_def.value.values_suggested + restricted_suggestions = var_def.value.restricted_suggestions + } + } + + chart { + chart_id = signalfx_single_value_chart.avg_request_latency_single.id + column = 0 + row = 0 + width = 3 + height = 1 + } + + chart { + chart_id = signalfx_time_chart.avg_request_latency_ts.id + column = 3 + row = 0 + width = 9 + height = 1 + } + + chart { + chart_id = signalfx_single_value_chart.throttled_requests_single.id + column = 0 + row = 1 + width = 3 + height = 1 + } + + chart { + chart_id = signalfx_time_chart.throttled_requests_ts.id + column = 3 + row = 1 + width = 9 + height = 1 + } + + chart { + chart_id = signalfx_single_value_chart.user_errors_single.id + column = 9 + row = 2 + width = 3 + height = 1 + } + + chart { + chart_id = signalfx_time_chart.user_errors_ts.id + column = 0 + row = 2 + width = 9 + height = 1 + } + + chart { + chart_id = signalfx_time_chart.system_errors_ts.id + column = 0 + row = 3 + width = 9 + height = 1 + } + + chart { + chart_id = signalfx_single_value_chart.system_errors_single.id + column = 9 + row = 3 + width = 3 + height = 1 + } + + chart { + chart_id = signalfx_time_chart.read_capacity_percentage.id + column = 0 + row = 4 + width = 6 + height = 1 + } + + chart { + chart_id = signalfx_time_chart.write_capacity_percentage.id + column = 6 + row = 4 + width = 6 + height = 1 + } + + chart { + chart_id = signalfx_time_chart.read_throttle_events.id + column = 0 + row = 5 + width = 6 + height = 1 + } + + chart { + chart_id = signalfx_time_chart.write_throttle_events.id + column = 6 + row = 5 + width = 6 + height = 1 + } + + chart { + chart_id = signalfx_time_chart.returned_item_count.id + column = 0 + row = 6 + width = 12 + height = 1 + } +} diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/dynamodb/variables.tf b/modules/integrations/splunk_o11y_conf_shared/dashboards/dynamodb/variables.tf new file mode 100644 index 00000000..d926894e --- /dev/null +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/dynamodb/variables.tf @@ -0,0 +1,24 @@ + +variable "tenant_names" { + description = "List of tenant names used for the dashboard." + type = list(string) +} + +variable "dynamic_variables" { + description = "Additional dynamic variable definitions for the dashboard." + type = list(object({ + property = string + alias = string + description = string + values = list(string) + value_required = bool + values_suggested = list(string) + restricted_suggestions = bool + })) + default = [] +} + +variable "dashboard_group" { + description = "Dashboard group name for organizing dashboards." + type = string +} diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/dynamodb/versions.tf b/modules/integrations/splunk_o11y_conf_shared/dashboards/dynamodb/versions.tf new file mode 100644 index 00000000..8218b2cb --- /dev/null +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/dynamodb/versions.tf @@ -0,0 +1,12 @@ +terraform { + # Provider versions. + required_providers { + signalfx = { + source = "splunk-terraform/signalfx" + version = "< 10.0.0" + } + } + + # OpenTofu version. + required_version = ">= 1.9.1" +} diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/ebs/main.tf b/modules/integrations/splunk_o11y_conf_shared/dashboards/ebs/main.tf new file mode 100644 index 00000000..8fb6dcd9 --- /dev/null +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/ebs/main.tf @@ -0,0 +1,677 @@ +resource "signalfx_time_chart" "byte_utilization_pct" { + name = "Byte utilization %" + + description = "Compares delivered bytes to maximum allowed for Nitro volumes" + program_text = <<-EOF +A = data('EBSByteBalance%').mean(by=['AWSUniqueId']).publish(label='A') +EOF + plot_type = "LineChart" + color_by = "Dimension" + unit_prefix = "Metric" + + axes_precision = 4 + time_range = 900 + + axis_left { + high_watermark = 179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + label = "Percent" + low_watermark = -179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + max_value = 179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + min_value = -179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + } + + histogram_options { + color_theme = "gold" + } + + viz_options { + axis = "left" + display_name = "Byte utilization percentage" + label = "A" + value_suffix = "%" + } +} + +resource "signalfx_time_chart" "write_latency" { + name = "Write latency (ms/op)" + description = "Estimates average latency per write operation for troubleshooting" + program_text = <<-EOF +A = data('VolumeTotalWriteTime').sum(by=['VolumeId']).publish(label='A', enable=False) +B = data('VolumeWriteOps').sum(by=['VolumeId']).publish(label='B', enable=False) +C = (A/B * 1000).publish(label='C', enable=True) +EOF + plot_type = "LineChart" + color_by = "Dimension" + + axes_precision = 4 + time_range = 900 + + axis_left { + high_watermark = 179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + label = "Ms/Op" + low_watermark = -179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + max_value = 179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + min_value = -179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + } + + viz_options { + axis = "left" + color = "blue" + display_name = "Intermediate: Write operations count" + label = "B" + value_suffix = "No of ops" + } + viz_options { + axis = "left" + color = "emerald" + display_name = "Average write latency (ms/op)" + label = "C" + value_unit = "Millisecond" + } + viz_options { + axis = "left" + color = "gray" + display_name = "Intermediate: Total write time" + label = "A" + value_unit = "Millisecond" + } +} + +resource "signalfx_time_chart" "read_ops" { + name = "# Read ops" + description = "Displays reads performed per interval for EBS volume" + program_text = <<-EOF +A = data('VolumeReadOps').sum().publish(label='A', enable=True) +EOF + plot_type = "LineChart" + color_by = "Dimension" + + axes_precision = 4 + disable_sampling = true + time_range = 900 + + axis_left { + high_watermark = 179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + label = "Ops" + low_watermark = -179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + max_value = 179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + min_value = -179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + } + + viz_options { + axis = "left" + color = "blue" + display_name = "Read operations count" + label = "A" + value_suffix = "No of ops" + } +} + +resource "signalfx_time_chart" "write_throughput" { + name = "Write throughput" + description = "Shows throughput of writes in bytes per time interval" + program_text = <<-EOF +A = data('VolumeWriteBytes').rate().publish(label='A', enable=True) +EOF + plot_type = "LineChart" + color_by = "Dimension" + + axes_precision = 4 + time_range = 900 + + axis_left { + high_watermark = 179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + label = "Bytes" + low_watermark = -179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + max_value = 179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + min_value = -179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + } + + viz_options { + axis = "left" + color = "blue" + display_name = "Write throughput (bytes/sec)" + label = "A" + value_unit = "Byte" + } +} + +resource "signalfx_time_chart" "rw_bytes_breakdown" { + name = "Read/write bytes breakdown" + description = "Compares total bytes read to bytes written across timeline" + program_text = <<-EOF +A = data('VolumeReadBytes').sum().publish(label='A', enable=True) +B = data('VolumeWriteBytes').sum().publish(label='B', enable=True) +EOF + plot_type = "AreaChart" + color_by = "Dimension" + stacked = true + + axes_precision = 4 + disable_sampling = false + on_chart_legend_dimension = "plot_label" + time_range = 900 + + axis_left { + high_watermark = 179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + label = "Bytes" + low_watermark = -179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + max_value = 179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + min_value = -179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + } + + viz_options { + axis = "left" + color = "blue" + display_name = "Total bytes read" + label = "A" + value_unit = "Byte" + } + viz_options { + axis = "left" + color = "brown" + display_name = "Total bytes written" + label = "B" + value_unit = "Byte" + } +} + +resource "signalfx_time_chart" "read_latency" { + name = "Read latency (ms/op)" + description = "Estimates average latency per read operation as efficiency measure" + program_text = <<-EOF +A = data('VolumeTotalReadTime').sum(by=['VolumeId']).publish(label='A', enable=False) +B = data('VolumeReadOps').sum(by=['VolumeId']).publish(label='B', enable=False) +C = (A/B*1000).publish(label='C', enable=True) +EOF + plot_type = "LineChart" + color_by = "Dimension" + + axes_precision = 4 + time_range = 900 + + axis_left { + high_watermark = 179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + label = "Ms/Op" + low_watermark = -179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + max_value = 179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + min_value = -179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + } + + viz_options { + axis = "left" + color = "blue" + display_name = "Read ops per volume (raw)" + label = "B" + value_suffix = "No of ops" + } + viz_options { + axis = "left" + color = "brown" + display_name = "Average read latency (ms/op)" + label = "C" + value_unit = "Millisecond" + } + viz_options { + axis = "left" + color = "gray" + display_name = "Read time per volume (raw)" + label = "A" + value_unit = "Millisecond" + } +} + +resource "signalfx_time_chart" "read_throughput" { + name = "Read throughput" + description = "Shows throughput of reads in bytes per time interval" + program_text = <<-EOF +A = data('VolumeReadBytes').rate().publish(label='A', enable=True) +EOF + plot_type = "LineChart" + color_by = "Dimension" + + axes_precision = 4 + disable_sampling = true + + time_range = 900 + + axis_left { + high_watermark = 179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + label = "Bytes" + low_watermark = -179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + max_value = 179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + min_value = -179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + } + + viz_options { + axis = "left" + color = "blue" + display_name = "Read throughput (bytes/sec)" + label = "A" + value_unit = "Byte" + } +} + +resource "signalfx_single_value_chart" "state" { + name = "State" + description = "Indicates availability and current status for workload visibility" + program_text = <<-EOF +A = data('VolumeReadOps').count(by=['aws_state']).publish(label='A', enable=True) +EOF + color_by = "Dimension" + + max_precision = 4 + secondary_visualization = "Sparkline" + + viz_options { + display_name = "Volume state reporting count" + label = "A" + value_suffix = "No of ops" + } +} + +resource "signalfx_time_chart" "total_read_time" { + name = "Total read time" + description = "Total seconds spent in servicing read operations" + program_text = <<-EOF +A = data('VolumeTotalReadTime').sum().publish(label='A', enable=True) +EOF + plot_type = "LineChart" + color_by = "Dimension" + + axes_precision = 4 + time_range = 900 + + axis_left { + high_watermark = 179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + label = "Seconds" + low_watermark = -179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + max_value = 179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + min_value = -179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + } + + viz_options { + axis = "left" + color = "blue" + display_name = "Total time spent reading" + label = "A" + value_unit = "Millisecond" + } +} + +resource "signalfx_time_chart" "latency_op" { + name = "Latency/op (ms)" + description = "" + program_text = <<-EOF +A = data('VolumeWriteOps', filter=filter('namespace', 'AWS/EBS') and filter('VolumeId', 'vol-46dcc55f') and filter('stat', 'sum'), extrapolation='zero', rollup='rate').scale(60).publish(label='A') +B = data('VolumeTotalWriteTime', filter=filter('namespace', 'AWS/EBS') and filter('VolumeId', 'vol-46dcc55f') and filter('stat', 'sum'), extrapolation='zero', rollup='rate').scale(60).publish(label='B', enable=False) +C = data('VolumeReadOps', filter=filter('namespace', 'AWS/EBS') and filter('VolumeId', 'vol-46dcc55f') and filter('stat', 'sum'), extrapolation='zero', rollup='rate').scale(60).publish(label='C') +D = data('VolumeTotalReadTime', filter=filter('namespace', 'AWS/EBS') and filter('VolumeId', 'vol-46dcc55f') and filter('stat', 'sum'), extrapolation='zero', rollup='rate').scale(60).publish(label='D', enable=False) +E = (B/A).scale(1000).publish(label='E') +F = (D/C).scale(1000).publish(label='F') +EOF + plot_type = "ColumnChart" + color_by = "Dimension" + + axes_precision = 0 + time_range = 7200 + + axis_left { + high_watermark = 179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + label = "Ms/write - BLUE" + low_watermark = -179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + max_value = 179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + min_value = 0 + } + + axis_right { + high_watermark = 179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + label = "Ms/read - RED" + low_watermark = -179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + max_value = 179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + min_value = 0 + } + + histogram_options { + color_theme = "gold" + } + + viz_options { + axis = "left" + display_name = "Volumereadops - scale:60" + label = "C" + } + viz_options { + axis = "left" + display_name = "Volumetotalreadtime - scale:60" + label = "D" + } + viz_options { + axis = "left" + display_name = "Volumetotalwritetime - scale:60" + label = "B" + } + viz_options { + axis = "left" + display_name = "Volumewriteops - scale:60" + label = "A" + } + viz_options { + axis = "left" + color = "blue" + display_name = "Millisec/write" + label = "E" + } + viz_options { + axis = "right" + color = "brown" + display_name = "Millisec/read" + label = "F" + } +} + +resource "signalfx_time_chart" "total_write_time" { + name = "Total write time" + description = "Total seconds spent in servicing write operations" + program_text = <<-EOF +A = data('VolumeTotalWriteTime').sum().publish(label='A', enable=True) +EOF + plot_type = "LineChart" + color_by = "Dimension" + + axes_precision = 4 + time_range = 900 + + axis_left { + high_watermark = 179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + label = "Seconds" + low_watermark = -179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + max_value = 179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + min_value = -179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + } + + viz_options { + axis = "left" + color = "azure" + display_name = "Total write time" + label = "A" + value_unit = "Millisecond" + } +} + +resource "signalfx_time_chart" "read_vs_write_ops" { + name = "Read vs write ops" + description = "Visualizes relative load of read and write ops over time" + program_text = <<-EOF +A = data('VolumeReadOps').sum().publish(label='A', enable=True) +B = data('VolumeWriteOps').sum().publish(label='B', enable=True) +EOF + plot_type = "AreaChart" + color_by = "Dimension" + + axes_precision = 4 + disable_sampling = false + on_chart_legend_dimension = "plot_label" + time_range = 900 + + axis_left { + high_watermark = 179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + label = "Ops" + low_watermark = -179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + max_value = 179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + min_value = -179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + } + + viz_options { + axis = "left" + color = "blue" + display_name = "Read operations" + label = "A" + value_suffix = "No of ops" + } + viz_options { + axis = "left" + color = "brown" + display_name = "Write operations" + label = "B" + value_suffix = "No of ops" + } +} + +resource "signalfx_time_chart" "avg_queue_length" { + name = "Average queue length" + description = "Measures operations awaiting completion, highlighting saturation" + program_text = <<-EOF +A = data('VolumeQueueLength').mean().publish(label='A', enable=True) +EOF + plot_type = "LineChart" + color_by = "Dimension" + + axes_precision = 4 + time_range = 900 + + axis_left { + high_watermark = 179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + label = "Queue length" + low_watermark = -179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + max_value = 179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + min_value = -179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + } + + viz_options { + axis = "left" + color = "blue" + display_name = "Average volume queue length" + label = "A" + value_suffix = "No of ops" + } +} + +resource "signalfx_time_chart" "idle_time" { + name = "Idle time" + description = "Indicates when disk is idle and not serving I/O" + program_text = <<-EOF +A = data('VolumeIdleTime').sum().publish(label='A', enable=True) +EOF + plot_type = "LineChart" + color_by = "Dimension" + + axes_precision = 4 + time_range = 900 + + axis_left { + high_watermark = 179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + label = "Seconds" + low_watermark = -179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + max_value = 179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + min_value = -179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + } + + viz_options { + axis = "left" + color = "blue" + display_name = "Total idle time" + label = "A" + value_unit = "Millisecond" + } +} + +resource "signalfx_time_chart" "write_ops" { + name = "# Write ops" + description = "Displays writes performed per interval for EBS volume" + program_text = <<-EOF +A = data('VolumeWriteOps').sum().publish(label='A', enable=True) +EOF + plot_type = "LineChart" + color_by = "Dimension" + + axes_precision = 4 + time_range = 900 + + axis_left { + high_watermark = 179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + label = "Ops" + low_watermark = -179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + max_value = 179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + min_value = -179769313486231570000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + } + + viz_options { + axis = "left" + color = "blue" + display_name = "Number of write operations" + label = "A" + value_suffix = "No of ops" + } +} +resource "signalfx_dashboard" "ebs" { + name = "EBS" + description = "EC2/EBS volume throughput, IOPS, and latency for Forge runners." + dashboard_group = var.dashboard_group + + variable { + property = "aws_tag_TenantName" + alias = "ForgeCICD Tenant Name" + description = "" + values = [] + value_required = false + values_suggested = var.tenant_names + restricted_suggestions = true + } + + dynamic "variable" { + for_each = var.dynamic_variables + iterator = var_def + + content { + property = var_def.value.property + alias = var_def.value.alias + description = var_def.value.description + values = var_def.value.values + value_required = var_def.value.value_required + values_suggested = var_def.value.values_suggested + restricted_suggestions = var_def.value.restricted_suggestions + } + } + + chart { + chart_id = signalfx_single_value_chart.state.id + column = 0 + row = 0 + width = 4 + height = 1 + } + + chart { + chart_id = signalfx_time_chart.read_ops.id + column = 4 + row = 0 + width = 4 + height = 1 + } + + chart { + chart_id = signalfx_time_chart.write_ops.id + column = 8 + row = 0 + width = 4 + height = 1 + } + + chart { + chart_id = signalfx_time_chart.write_latency.id + column = 8 + row = 1 + width = 4 + height = 1 + } + + chart { + chart_id = signalfx_time_chart.read_latency.id + column = 4 + row = 1 + width = 4 + height = 1 + } + + chart { + chart_id = signalfx_time_chart.latency_op.id + column = 0 + row = 1 + width = 4 + height = 1 + } + + chart { + chart_id = signalfx_time_chart.read_vs_write_ops.id + column = 0 + row = 2 + width = 4 + height = 1 + } + + chart { + chart_id = signalfx_time_chart.write_throughput.id + column = 8 + row = 2 + width = 4 + height = 1 + } + + chart { + chart_id = signalfx_time_chart.read_throughput.id + column = 4 + row = 2 + width = 4 + height = 1 + } + + chart { + chart_id = signalfx_time_chart.rw_bytes_breakdown.id + column = 0 + row = 3 + width = 4 + height = 1 + } + + chart { + chart_id = signalfx_time_chart.total_read_time.id + column = 4 + row = 3 + width = 4 + height = 1 + } + + chart { + chart_id = signalfx_time_chart.total_write_time.id + column = 8 + row = 3 + width = 4 + height = 1 + } + + chart { + chart_id = signalfx_time_chart.byte_utilization_pct.id + column = 0 + row = 4 + width = 4 + height = 1 + } + + chart { + chart_id = signalfx_time_chart.idle_time.id + column = 8 + row = 4 + width = 4 + height = 1 + } + + chart { + chart_id = signalfx_time_chart.avg_queue_length.id + column = 4 + row = 4 + width = 4 + height = 1 + } + +} diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/ebs/variables.tf b/modules/integrations/splunk_o11y_conf_shared/dashboards/ebs/variables.tf new file mode 100644 index 00000000..d926894e --- /dev/null +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/ebs/variables.tf @@ -0,0 +1,24 @@ + +variable "tenant_names" { + description = "List of tenant names used for the dashboard." + type = list(string) +} + +variable "dynamic_variables" { + description = "Additional dynamic variable definitions for the dashboard." + type = list(object({ + property = string + alias = string + description = string + values = list(string) + value_required = bool + values_suggested = list(string) + restricted_suggestions = bool + })) + default = [] +} + +variable "dashboard_group" { + description = "Dashboard group name for organizing dashboards." + type = string +} diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/ebs/versions.tf b/modules/integrations/splunk_o11y_conf_shared/dashboards/ebs/versions.tf new file mode 100644 index 00000000..8218b2cb --- /dev/null +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/ebs/versions.tf @@ -0,0 +1,12 @@ +terraform { + # Provider versions. + required_providers { + signalfx = { + source = "splunk-terraform/signalfx" + version = "< 10.0.0" + } + } + + # OpenTofu version. + required_version = ">= 1.9.1" +} diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/lambda/main.tf b/modules/integrations/splunk_o11y_conf_shared/dashboards/lambda/main.tf new file mode 100644 index 00000000..5839b4dc --- /dev/null +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/lambda/main.tf @@ -0,0 +1,824 @@ +resource "signalfx_time_chart" "provisioned_concurrent_executions_by_version" { + name = "Provisioned concurrent executions by version" + description = "The number of events that are being processed on provisioned concurrency. For each invocation of an alias or version with provisioned concurrency, Lambda emits the current count." + program_text = <<-EOF +A = data('ProvisionedConcurrentExecutions', filter=filter('stat', 'upper') and filter('Resource', '*') and filter('ExecutedVersion', '*')).sum(by=['ExecutedVersion']).publish(label='A') +EOF + + plot_type = "AreaChart" + unit_prefix = "Metric" + color_by = "Dimension" + timezone = "UTC" + stacked = true + + axes_precision = 0 + on_chart_legend_dimension = "ExecutedVersion" + + time_range = 900 + + viz_options { + axis = "left" + display_name = "Provisioned concurrent executions" + label = "A" + } + +} + +resource "signalfx_time_chart" "provisioned_concurrency_invocations_by_version" { + name = "Provisioned concurrency invocations by version" + description = "The number of invocations that are run on provisioned concurrency. Lambda increments the count once for each invocation that runs on provisioned concurrency." + program_text = <<-EOF +A = data('ProvisionedConcurrencyInvocations', filter=filter('stat', 'sum') and filter('Resource', '*') and filter('ExecutedVersion', '*'), rollup='rate').sum(by=['ExecutedVersion']).publish(label='A') +EOF + + plot_type = "AreaChart" + unit_prefix = "Metric" + color_by = "Dimension" + timezone = "UTC" + stacked = true + + axes_precision = 0 + on_chart_legend_dimension = "ExecutedVersion" + time_range = 900 + + legend_options_fields { + enabled = false + property = "AWSUniqueId" + } + legend_options_fields { + enabled = true + property = "ExecutedVersion" + } + legend_options_fields { + enabled = true + property = "FunctionName" + } + legend_options_fields { + enabled = false + property = "sf_originatingMetric" + } + legend_options_fields { + enabled = false + property = "namespace" + } + legend_options_fields { + enabled = false + property = "sf_metric" + } + legend_options_fields { + enabled = false + property = "Resource" + } + legend_options_fields { + enabled = false + property = "stat" + } + + viz_options { + axis = "left" + display_name = "Provisioned concurrent invocations" + label = "A" + } +} + +resource "signalfx_time_chart" "provisioned_concurrency_spillover_invocations_by_version" { + name = "Provisioned concurrency spillover invocations by version" + description = "The number of invocations that are run on nonprovisioned concurrency, when all provisioned concurrency is in use. For a version or alias that is configured to use provisioned concurrency, Lambda increments the count once for each invocation that runs on non-provisioned concurrency." + program_text = <<-EOF +A = data('ProvisionedConcurrencySpilloverInvocations', filter=filter('stat', 'sum') and filter('Resource', '*') and filter('ExecutedVersion', '*'), rollup='rate').sum(by=['ExecutedVersion']).publish(label='A') +EOF + + plot_type = "AreaChart" + unit_prefix = "Metric" + color_by = "Dimension" + timezone = "UTC" + stacked = true + + axes_precision = 0 + on_chart_legend_dimension = "ExecutedVersion" + time_range = 900 + + legend_options_fields { + enabled = false + property = "AWSUniqueId" + } + legend_options_fields { + enabled = true + property = "ExecutedVersion" + } + legend_options_fields { + enabled = true + property = "FunctionName" + } + legend_options_fields { + enabled = false + property = "sf_originatingMetric" + } + legend_options_fields { + enabled = false + property = "namespace" + } + legend_options_fields { + enabled = false + property = "sf_metric" + } + legend_options_fields { + enabled = false + property = "Resource" + } + legend_options_fields { + enabled = false + property = "stat" + } + + viz_options { + axis = "left" + display_name = "Provisioned concurrent invocations" + label = "A" + } +} + +resource "signalfx_single_value_chart" "total_spillover_invocations" { + name = "Total spillover invocations" + description = "Over 5m | Spillover invocations are run on nonprovisioned concurrency, when all provisioned concurrency is in use." + unit_prefix = "Metric" + color_by = "Dimension" + + program_text = <<-EOF +A = data('ProvisionedConcurrencySpilloverInvocations', filter=filter('stat', 'sum') and filter('Resource', '*') and filter('ExecutedVersion', '*'), rollup='rate').sum(over='5m').sum().publish(label='A') +EOF + + viz_options { + display_name = "Provisioned concurrent invocations" + label = "A" + } +} + +resource "signalfx_list_chart" "percent_invocations_by_version" { + name = "% invocations by version" + description = "The % of total invocations handled by version" + unit_prefix = "Metric" + color_by = "Dimension" + secondary_visualization = "Sparkline" + sort_by = "-value" + + program_text = <<-EOF +C = (B/A).scale(100).publish(label='C') +A = data('Invocations', filter=filter('namespace', 'AWS/Lambda') and filter('stat', 'sum') and filter('Resource', '*') and filter('ExecutedVersion', '*'), rollup='sum', extrapolation='zero').sum().publish(label='A', enable=False) +B = data('Invocations', filter=filter('namespace', 'AWS/Lambda') and filter('stat', 'sum') and filter('Resource', '*') and filter('ExecutedVersion', '*'), rollup='sum', extrapolation='zero').sum(by=['ExecutedVersion']).publish(label='B', enable=False) +EOF + + time_range = 900 + + legend_options_fields { + enabled = true + property = "sf_metric" + } + legend_options_fields { + enabled = true + property = "ExecutedVersion" + } + legend_options_fields { + enabled = false + property = "AWSUniqueId" + } + legend_options_fields { + enabled = false + property = "FunctionName" + } + legend_options_fields { + enabled = false + property = "sf_originatingMetric" + } + legend_options_fields { + enabled = false + property = "namespace" + } + legend_options_fields { + enabled = false + property = "Resource" + } + legend_options_fields { + enabled = false + property = "stat" + } + legend_options_fields { + enabled = false + property = "aws_function_version" + } + + viz_options { + display_name = "A" + label = "A" + } + viz_options { + display_name = "B" + label = "B" + } + viz_options { + display_name = "Version" + label = "C" + value_suffix = "%" + } +} + +resource "signalfx_time_chart" "errors_by_version" { + name = "Errors by version" + description = "The number of invocations that failed due to errors in the function (response code 4XX)." + program_text = <<-EOF +A = data('Errors', filter=filter('namespace', 'AWS/Lambda') and filter('stat', 'sum') and filter('ExecutedVersion', '*') and filter('Resource', '*'), rollup='sum').sum(by=['ExecutedVersion']).publish(label='A') +EOF + + plot_type = "AreaChart" + unit_prefix = "Metric" + color_by = "Dimension" + timezone = "UTC" + stacked = false + + axes_precision = 0 + on_chart_legend_dimension = "ExecutedVersion" + + time_range = 900 + + legend_options_fields { + enabled = false + property = "AWSUniqueId" + } + legend_options_fields { + enabled = true + property = "FunctionName" + } + legend_options_fields { + enabled = false + property = "sf_originatingMetric" + } + legend_options_fields { + enabled = false + property = "namespace" + } + legend_options_fields { + enabled = false + property = "sf_metric" + } + legend_options_fields { + enabled = false + property = "Resource" + } + legend_options_fields { + enabled = false + property = "stat" + } + legend_options_fields { + enabled = false + property = "aws_function_version" + } + legend_options_fields { + enabled = true + property = "ExecutedVersion" + } + + viz_options { + axis = "left" + display_name = "Errors by version" + label = "A" + value_suffix = "-errors" + } +} + +resource "signalfx_single_value_chart" "total_throttles" { + name = "Total throttles" + description = "Over 5m" + unit_prefix = "Metric" + color_by = "Dimension" + + program_text = <<-EOF +A = data('Throttles', filter=filter('namespace', 'AWS/Lambda') and filter('stat', 'sum') and filter('Resource', '*') and (not filter('ExecutedVersion', '*')), rollup='sum', extrapolation='zero').sum(over='5m').sum().publish(label='A') +EOF + + viz_options { + color = "yellow" + display_name = "Throttles - sum(5m) - sum" + label = "A" + } +} + +resource "signalfx_list_chart" "avg_duration_by_version" { + name = "Average duration by version" + unit_prefix = "Metric" + color_by = "Dimension" + secondary_visualization = "Sparkline" + sort_by = "-value" + + disable_sampling = true + + program_text = <<-EOF +A = data('Duration', filter=filter('namespace', 'AWS/Lambda') and filter('stat', 'mean') and filter('Resource', '*') and filter('ExecutedVersion', '*'), rollup='average').sum(by=['ExecutedVersion']).publish(label='A') +EOF + + time_range = 900 + + legend_options_fields { + enabled = false + property = "AWSUniqueId" + } + legend_options_fields { + enabled = false + property = "FunctionName" + } + legend_options_fields { + enabled = false + property = "sf_originatingMetric" + } + legend_options_fields { + enabled = false + property = "namespace" + } + legend_options_fields { + enabled = true + property = "sf_metric" + } + legend_options_fields { + enabled = false + property = "Resource" + } + legend_options_fields { + enabled = false + property = "stat" + } + legend_options_fields { + enabled = false + property = "aws_function_version" + } + legend_options_fields { + enabled = true + property = "ExecutedVersion" + } + + viz_options { + display_name = "Version" + label = "A" + value_unit = "Millisecond" + } +} + +resource "signalfx_single_value_chart" "avg_invocation_duration" { + name = "Average invocation duration" + unit_prefix = "Metric" + color_by = "Metric" + + program_text = <<-EOF +A = data('Duration', filter=filter('namespace', 'AWS/Lambda') and filter('stat', 'mean') and filter('Resource', '*') and (not filter('ExecutedVersion', '*')), rollup='average').publish(label='A') +EOF + + max_precision = 5 + + viz_options { + display_name = "Duration (ms)" + label = "A" + value_unit = "Millisecond" + } +} + +resource "signalfx_time_chart" "throttles_by_version" { + name = "Throttles by version" + description = "The number of Lambda function invocation attempts that were throttled due to invocation rates exceeding the customer’s concurrent limits (error code 429)." + program_text = <<-EOF +A = data('Throttles', filter=filter('namespace', 'AWS/Lambda') and filter('stat', 'sum') and filter('Resource', '*') and filter('ExecutedVersion', '*'), rollup='sum').sum(by=['ExecutedVersion']).publish(label='A') +EOF + + plot_type = "AreaChart" + unit_prefix = "Metric" + color_by = "Dimension" + timezone = "UTC" + stacked = true + + axes_precision = 0 + on_chart_legend_dimension = "ExecutedVersion" + + time_range = 900 + + legend_options_fields { + enabled = false + property = "AWSUniqueId" + } + legend_options_fields { + enabled = true + property = "FunctionName" + } + legend_options_fields { + enabled = false + property = "sf_originatingMetric" + } + legend_options_fields { + enabled = false + property = "namespace" + } + legend_options_fields { + enabled = false + property = "sf_metric" + } + legend_options_fields { + enabled = false + property = "Resource" + } + legend_options_fields { + enabled = false + property = "stat" + } + legend_options_fields { + enabled = true + property = "aws_function_version" + } + legend_options_fields { + enabled = true + property = "ExecutedVersion" + } + + viz_options { + axis = "left" + display_name = "Throttles by version" + label = "A" + } + +} + +resource "signalfx_time_chart" "invocations_by_version" { + name = "Invocations by version" + description = "The number of times a function is invoked in response to an event or invocation API call." + program_text = <<-EOF +A = data('Invocations', filter=filter('namespace', 'AWS/Lambda') and filter('stat', 'sum') and filter('Resource', '*') and filter('ExecutedVersion', '*'), rollup='sum').sum(by=['ExecutedVersion']).publish(label='A') +EOF + + plot_type = "AreaChart" + unit_prefix = "Metric" + color_by = "Dimension" + timezone = "UTC" + stacked = true + + + axes_precision = 0 + on_chart_legend_dimension = "ExecutedVersion" + time_range = 900 + + histogram_options { + color_theme = "gold" + } + + legend_options_fields { + enabled = false + property = "AWSUniqueId" + } + legend_options_fields { + enabled = true + property = "FunctionName" + } + legend_options_fields { + enabled = false + property = "sf_originatingMetric" + } + legend_options_fields { + enabled = false + property = "namespace" + } + legend_options_fields { + enabled = false + property = "sf_metric" + } + legend_options_fields { + enabled = false + property = "Resource" + } + legend_options_fields { + enabled = false + property = "stat" + } + legend_options_fields { + enabled = false + property = "aws_function_version" + } + legend_options_fields { + enabled = true + property = "ExecutedVersion" + } + + viz_options { + axis = "left" + display_name = "Invocations by version" + label = "A" + value_suffix = "-invocations" + } + +} + +resource "signalfx_time_chart" "invocations" { + name = "Invocations" + description = "The number of times a function is invoked in response to an event or invocation API call and associated errors or throttles." + program_text = <<-EOF +A = data('Invocations', filter=filter('namespace', 'AWS/Lambda') and filter('stat', 'sum') and filter('Resource', '*') and (not filter('ExecutedVersion', '*')), rollup='sum').sum().publish(label='A') +EOF + + plot_type = "AreaChart" + unit_prefix = "Metric" + color_by = "Dimension" + timezone = "UTC" + stacked = false + + axes_precision = 0 + on_chart_legend_dimension = "plot_label" + + time_range = 900 + + histogram_options { + color_theme = "gold" + } + + legend_options_fields { + enabled = false + property = "AWSUniqueId" + } + legend_options_fields { + enabled = true + property = "FunctionName" + } + legend_options_fields { + enabled = false + property = "sf_originatingMetric" + } + legend_options_fields { + enabled = false + property = "namespace" + } + legend_options_fields { + enabled = false + property = "sf_metric" + } + legend_options_fields { + enabled = false + property = "Resource" + } + legend_options_fields { + enabled = false + property = "stat" + } + legend_options_fields { + enabled = false + property = "aws_function_version" + } + legend_options_fields { + enabled = true + property = "ExecutedVersion" + } + + viz_options { + axis = "left" + display_name = "Invocations" + label = "A" + } +} + +resource "signalfx_single_value_chart" "total_errors" { + name = "Total errors" + description = "Over 5m" + unit_prefix = "Metric" + color_by = "Dimension" + + program_text = <<-EOF +A = data('Errors', filter=filter('namespace', 'AWS/Lambda') and filter('stat', 'sum') and filter('Resource', '*') and (not filter('ExecutedVersion', '*')), rollup='sum', extrapolation='zero').sum(over='5m').sum().publish(label='A') +EOF + + viz_options { + color = "brown" + display_name = "Errors" + label = "A" + } +} + +resource "signalfx_time_chart" "provisioned_concurrency_utilization" { + name = "Provisioned concurrency utilization" + description = "The number of events that are being processed on provisioned concurrency, divided by the total amount of provisioned concurrency allocated. For example, .5 indicates that 50 percent of allocated provisioned concurrency is in use. For each invocation of an alias or version with provisioned concurrency, Lambda emits the current count." + program_text = <<-EOF +A = data('ProvisionedConcurrencyUtilization', filter=filter('stat', 'upper') and filter('Resource', '*') and filter('ExecutedVersion', '*')).scale(100).publish(label='A') +EOF + + plot_type = "LineChart" + unit_prefix = "Metric" + color_by = "Dimension" + timezone = "UTC" + stacked = false + + axes_include_zero = true + axes_precision = 0 + on_chart_legend_dimension = "ExecutedVersion" + + time_range = 900 + + legend_options_fields { + enabled = false + property = "AWSUniqueId" + } + legend_options_fields { + enabled = true + property = "FunctionName" + } + legend_options_fields { + enabled = true + property = "ExecutedVersion" + } + legend_options_fields { + enabled = false + property = "sf_originatingMetric" + } + legend_options_fields { + enabled = false + property = "namespace" + } + legend_options_fields { + enabled = false + property = "sf_metric" + } + legend_options_fields { + enabled = false + property = "Resource" + } + legend_options_fields { + enabled = false + property = "stat" + } + + viz_options { + axis = "left" + display_name = "Provisioned concurrency utilization" + label = "A" + value_suffix = "%" + } +} + +resource "signalfx_single_value_chart" "total_invocations" { + name = "Total invocations" + description = "Over 5m" + unit_prefix = "Metric" + color_by = "Dimension" + + program_text = <<-EOF +A = data('Invocations', filter=filter('namespace', 'AWS/Lambda') and filter('stat', 'sum') and filter('Resource', '*') and (not filter('ExecutedVersion', '*')), rollup='sum').sum(over='5m').sum().publish(label='A') +EOF + + viz_options { + color = "chartreuse" + display_name = "Invocations - sum(5m) - sum" + label = "A" + } +} + +resource "signalfx_dashboard" "lambda" { + name = "Lambdas" + description = "Forge CICD Lambda invocation rate, errors, duration, and concurrency." + dashboard_group = var.dashboard_group + + variable { + property = "aws_tag_TenantName" + alias = "ForgeCICD Tenant Name" + description = "" + values = [] + value_required = false + values_suggested = var.tenant_names + restricted_suggestions = true + } + + dynamic "variable" { + for_each = var.dynamic_variables + iterator = var_def + + content { + property = var_def.value.property + alias = var_def.value.alias + description = var_def.value.description + values = var_def.value.values + value_required = var_def.value.value_required + values_suggested = var_def.value.values_suggested + restricted_suggestions = var_def.value.restricted_suggestions + } + } + + time_range = "-1h" + + chart { + chart_id = signalfx_time_chart.invocations.id + column = 0 + row = 1 + width = 3 + height = 1 + } + + chart { + chart_id = signalfx_single_value_chart.total_invocations.id + column = 0 + row = 0 + width = 3 + height = 1 + } + + chart { + chart_id = signalfx_single_value_chart.avg_invocation_duration.id + column = 3 + row = 0 + width = 3 + height = 1 + } + + chart { + chart_id = signalfx_single_value_chart.total_spillover_invocations.id + column = 6 + row = 0 + width = 2 + height = 1 + } + + chart { + chart_id = signalfx_single_value_chart.total_errors.id + column = 8 + row = 0 + width = 2 + height = 1 + } + + chart { + chart_id = signalfx_single_value_chart.total_throttles.id + column = 10 + row = 0 + width = 2 + height = 1 + } + + chart { + chart_id = signalfx_time_chart.invocations_by_version.id + column = 3 + row = 1 + width = 3 + height = 1 + } + + chart { + chart_id = signalfx_time_chart.provisioned_concurrency_invocations_by_version.id + column = 6 + row = 1 + width = 3 + height = 1 + } + + chart { + chart_id = signalfx_time_chart.provisioned_concurrent_executions_by_version.id + column = 9 + row = 1 + width = 3 + height = 1 + } + + chart { + chart_id = signalfx_list_chart.avg_duration_by_version.id + column = 0 + row = 2 + width = 4 + height = 1 + } + + chart { + chart_id = signalfx_time_chart.errors_by_version.id + column = 4 + row = 2 + width = 4 + height = 1 + } + + chart { + chart_id = signalfx_time_chart.throttles_by_version.id + column = 8 + row = 2 + width = 4 + height = 1 + } + + chart { + chart_id = signalfx_list_chart.percent_invocations_by_version.id + column = 0 + row = 3 + width = 4 + height = 1 + } + + chart { + chart_id = signalfx_time_chart.provisioned_concurrency_spillover_invocations_by_version.id + column = 4 + row = 3 + width = 4 + height = 1 + } + + chart { + chart_id = signalfx_time_chart.provisioned_concurrency_utilization.id + column = 8 + row = 3 + width = 4 + height = 1 + } +} diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/lambda/variables.tf b/modules/integrations/splunk_o11y_conf_shared/dashboards/lambda/variables.tf new file mode 100644 index 00000000..d926894e --- /dev/null +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/lambda/variables.tf @@ -0,0 +1,24 @@ + +variable "tenant_names" { + description = "List of tenant names used for the dashboard." + type = list(string) +} + +variable "dynamic_variables" { + description = "Additional dynamic variable definitions for the dashboard." + type = list(object({ + property = string + alias = string + description = string + values = list(string) + value_required = bool + values_suggested = list(string) + restricted_suggestions = bool + })) + default = [] +} + +variable "dashboard_group" { + description = "Dashboard group name for organizing dashboards." + type = string +} diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/lambda/versions.tf b/modules/integrations/splunk_o11y_conf_shared/dashboards/lambda/versions.tf new file mode 100644 index 00000000..8218b2cb --- /dev/null +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/lambda/versions.tf @@ -0,0 +1,12 @@ +terraform { + # Provider versions. + required_providers { + signalfx = { + source = "splunk-terraform/signalfx" + version = "< 10.0.0" + } + } + + # OpenTofu version. + required_version = ">= 1.9.1" +} diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboard_runner_ec2.tf b/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_ec2/main.tf similarity index 99% rename from modules/integrations/splunk_o11y_conf_shared/dashboard_runner_ec2.tf rename to modules/integrations/splunk_o11y_conf_shared/dashboards/runner_ec2/main.tf index b207d0c1..2068d11d 100644 --- a/modules/integrations/splunk_o11y_conf_shared/dashboard_runner_ec2.tf +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_ec2/main.tf @@ -1506,15 +1506,10 @@ resource "signalfx_list_chart" "chart_top_5_network_in_bytes" { } } - -######################## -# DASHBOARD -######################## - resource "signalfx_dashboard" "runner_ec2" { name = "EC2 Runners" - description = "" - dashboard_group = signalfx_dashboard_group.forgecicd.id + description = "EC2-based GitHub Actions runners: CPU, memory, disk, and network." + dashboard_group = var.dashboard_group variable { property = "aws_tag_TenantName" @@ -1522,7 +1517,7 @@ resource "signalfx_dashboard" "runner_ec2" { description = "" values = [] value_required = false - values_suggested = var.dashboard_variables.runner_ec2.tenant_names + values_suggested = var.tenant_names restricted_suggestions = true } @@ -1537,7 +1532,7 @@ resource "signalfx_dashboard" "runner_ec2" { } dynamic "variable" { - for_each = var.dashboard_variables.runner_ec2.dynamic_variables + for_each = var.dynamic_variables iterator = var_def content { diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_ec2/variables.tf b/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_ec2/variables.tf new file mode 100644 index 00000000..d926894e --- /dev/null +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_ec2/variables.tf @@ -0,0 +1,24 @@ + +variable "tenant_names" { + description = "List of tenant names used for the dashboard." + type = list(string) +} + +variable "dynamic_variables" { + description = "Additional dynamic variable definitions for the dashboard." + type = list(object({ + property = string + alias = string + description = string + values = list(string) + value_required = bool + values_suggested = list(string) + restricted_suggestions = bool + })) + default = [] +} + +variable "dashboard_group" { + description = "Dashboard group name for organizing dashboards." + type = string +} diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_ec2/versions.tf b/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_ec2/versions.tf new file mode 100644 index 00000000..8218b2cb --- /dev/null +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_ec2/versions.tf @@ -0,0 +1,12 @@ +terraform { + # Provider versions. + required_providers { + signalfx = { + source = "splunk-terraform/signalfx" + version = "< 10.0.0" + } + } + + # OpenTofu version. + required_version = ">= 1.9.1" +} diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboard_runner_k8s.tf b/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_k8s/main.tf similarity index 98% rename from modules/integrations/splunk_o11y_conf_shared/dashboard_runner_k8s.tf rename to modules/integrations/splunk_o11y_conf_shared/dashboards/runner_k8s/main.tf index 60849fd1..35c559e2 100644 --- a/modules/integrations/splunk_o11y_conf_shared/dashboard_runner_k8s.tf +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_k8s/main.tf @@ -4,7 +4,6 @@ resource "signalfx_single_value_chart" "k8s_available_pods_by_deployments" { program_text = "A = data('k8s.deployment.available', rollup='latest').sum(by=['k8s.cluster.name', 'k8s.namespace.name', 'k8s.deployment.name']).sum().publish(label='A')" - # optional: time_range = "-15m" color_by = "Dimension" refresh_interval = 5 @@ -437,8 +436,8 @@ resource "signalfx_time_chart" "k8s_memory_usage_bytes" { resource "signalfx_dashboard" "runner_k8s" { name = "K8S Runners" - description = "" - dashboard_group = signalfx_dashboard_group.forgecicd.id + description = "Kubernetes-based runners: pod states, CPU, memory, and network health." + dashboard_group = var.dashboard_group variable { property = "k8s.namespace.name" @@ -446,7 +445,7 @@ resource "signalfx_dashboard" "runner_k8s" { description = "" values = [] value_required = false - values_suggested = var.dashboard_variables.runner_k8s.tenant_names + values_suggested = var.tenant_names restricted_suggestions = true } @@ -461,7 +460,7 @@ resource "signalfx_dashboard" "runner_k8s" { } dynamic "variable" { - for_each = var.dashboard_variables.runner_k8s.dynamic_variables + for_each = var.dynamic_variables iterator = var_def content { diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_k8s/variables.tf b/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_k8s/variables.tf new file mode 100644 index 00000000..d926894e --- /dev/null +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_k8s/variables.tf @@ -0,0 +1,24 @@ + +variable "tenant_names" { + description = "List of tenant names used for the dashboard." + type = list(string) +} + +variable "dynamic_variables" { + description = "Additional dynamic variable definitions for the dashboard." + type = list(object({ + property = string + alias = string + description = string + values = list(string) + value_required = bool + values_suggested = list(string) + restricted_suggestions = bool + })) + default = [] +} + +variable "dashboard_group" { + description = "Dashboard group name for organizing dashboards." + type = string +} diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_k8s/versions.tf b/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_k8s/versions.tf new file mode 100644 index 00000000..8218b2cb --- /dev/null +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_k8s/versions.tf @@ -0,0 +1,12 @@ +terraform { + # Provider versions. + required_providers { + signalfx = { + source = "splunk-terraform/signalfx" + version = "< 10.0.0" + } + } + + # OpenTofu version. + required_version = ">= 1.9.1" +} diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboard_sqs_performance.tf b/modules/integrations/splunk_o11y_conf_shared/dashboards/sqs/main.tf similarity index 96% rename from modules/integrations/splunk_o11y_conf_shared/dashboard_sqs_performance.tf rename to modules/integrations/splunk_o11y_conf_shared/dashboards/sqs/main.tf index 4edcc873..3806a766 100644 --- a/modules/integrations/splunk_o11y_conf_shared/dashboard_sqs_performance.tf +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/sqs/main.tf @@ -347,11 +347,11 @@ resource "signalfx_time_chart" "messages_deleted" { } } -resource "signalfx_dashboard" "sqs_performance" { - name = "SQS performance" - description = "SQS performance dashboard for AWS SQS queues" +resource "signalfx_dashboard" "sqs" { + name = "SQS" + description = "SQS queue counts, message states, sizes, and processing trends." - dashboard_group = signalfx_dashboard_group.forgecicd.id + dashboard_group = var.dashboard_group variable { property = "aws_tag_TenantName" @@ -359,12 +359,12 @@ resource "signalfx_dashboard" "sqs_performance" { description = "" values = [] value_required = false - values_suggested = var.dashboard_variables.runner_ec2.tenant_names + values_suggested = var.tenant_names restricted_suggestions = true } dynamic "variable" { - for_each = var.dashboard_variables.sqs_performance.dynamic_variables + for_each = var.dynamic_variables iterator = var_def content { diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/sqs/variables.tf b/modules/integrations/splunk_o11y_conf_shared/dashboards/sqs/variables.tf new file mode 100644 index 00000000..d926894e --- /dev/null +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/sqs/variables.tf @@ -0,0 +1,24 @@ + +variable "tenant_names" { + description = "List of tenant names used for the dashboard." + type = list(string) +} + +variable "dynamic_variables" { + description = "Additional dynamic variable definitions for the dashboard." + type = list(object({ + property = string + alias = string + description = string + values = list(string) + value_required = bool + values_suggested = list(string) + restricted_suggestions = bool + })) + default = [] +} + +variable "dashboard_group" { + description = "Dashboard group name for organizing dashboards." + type = string +} diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/sqs/versions.tf b/modules/integrations/splunk_o11y_conf_shared/dashboards/sqs/versions.tf new file mode 100644 index 00000000..8218b2cb --- /dev/null +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/sqs/versions.tf @@ -0,0 +1,12 @@ +terraform { + # Provider versions. + required_providers { + signalfx = { + source = "splunk-terraform/signalfx" + version = "< 10.0.0" + } + } + + # OpenTofu version. + required_version = ">= 1.9.1" +} diff --git a/modules/integrations/splunk_o11y_conf_shared/variables.tf b/modules/integrations/splunk_o11y_conf_shared/variables.tf index 23a2dc55..9222c6b0 100644 --- a/modules/integrations/splunk_o11y_conf_shared/variables.tf +++ b/modules/integrations/splunk_o11y_conf_shared/variables.tf @@ -69,7 +69,46 @@ variable "dashboard_variables" { } )) }) - sqs_performance = object({ + sqs = object({ + tenant_names = list(string) + dynamic_variables = list(object({ + property = string + alias = string + description = string + values = list(string) + value_required = bool + values_suggested = list(string) + restricted_suggestions = bool + } + )) + }) + ebs = object({ + tenant_names = list(string) + dynamic_variables = list(object({ + property = string + alias = string + description = string + values = list(string) + value_required = bool + values_suggested = list(string) + restricted_suggestions = bool + } + )) + }) + lambda = object({ + tenant_names = list(string) + dynamic_variables = list(object({ + property = string + alias = string + description = string + values = list(string) + value_required = bool + values_suggested = list(string) + restricted_suggestions = bool + } + )) + }) + dynamodb = object({ tenant_names = list(string) dynamic_variables = list(object({ property = string From 276b5b16d970ba45f93408b19d66a25795dbd9e7 Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Mon, 8 Dec 2025 18:17:43 +0100 Subject: [PATCH 19/85] chore: update renovate deps (#225) * chore(deps): update actions/checkout action to v6.0.1 (#35) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update pre-commit hook ansible-community/ansible-lint to v25.12.0 (#36) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update python:3.14-slim docker digest to b823ded (#37) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .docker/forge-github-app-register/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.docker/forge-github-app-register/Dockerfile b/.docker/forge-github-app-register/Dockerfile index a17a9b8a..74715209 100644 --- a/.docker/forge-github-app-register/Dockerfile +++ b/.docker/forge-github-app-register/Dockerfile @@ -1,4 +1,4 @@ -FROM python:3.14-slim@sha256:0aecac02dc3d4c5dbb024b753af084cafe41f5416e02193f1ce345d671ec966e +FROM python:3.14-slim@sha256:b823ded4377ebb5ff1af5926702df2284e53cecbc6e3549e93a19d8632a1897e RUN useradd --create-home appuser WORKDIR /home/appuser From 6645239aea51cc4a8812bf40469bb50637212c8f Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Mon, 8 Dec 2025 18:56:40 +0100 Subject: [PATCH 20/85] fix: fix trust validator submodule (#227) * fix: fix trust validator submodule * fix: use count in update_forge_role_trust * fix: fix triggers * fix: fix concatenated_trust_json --- .../forge_runners/forge_trust_validator.tf | 15 ++++++++---- .../forge_trust_validator/forge_roles.tf | 23 ++++++++++--------- .../forge_trust_validator/main.tf | 4 ++-- .../forge_trust_validator/variables.tf | 8 +++++-- 4 files changed, 31 insertions(+), 19 deletions(-) diff --git a/modules/platform/forge_runners/forge_trust_validator.tf b/modules/platform/forge_runners/forge_trust_validator.tf index afbe598d..e21b1b43 100644 --- a/modules/platform/forge_runners/forge_trust_validator.tf +++ b/modules/platform/forge_runners/forge_trust_validator.tf @@ -12,10 +12,17 @@ module "forge_trust_validator" { log_level = var.log_level tags = local.all_security_tags - forge_iam_roles = values(merge( - try(module.ec2_runners[0].ec2_runners_arn_map, {}), - try(module.arc_runners.arc_runners_arn_map, {}), - )) + forge_iam_roles = { + for idx, arn in values(merge( + try(module.ec2_runners[0].ec2_runners_arn_map, {}), + try(module.arc_runners.arc_runners_arn_map, {}), + )) : + idx => arn + } + number_forge_iram_roles = ( + length(var.ec2_runner_specs) + + length(var.arc_runner_specs) + ) tenant_iam_roles = var.tenant.iam_roles_to_assume } diff --git a/modules/platform/forge_runners/forge_trust_validator/forge_roles.tf b/modules/platform/forge_runners/forge_trust_validator/forge_roles.tf index 7e4fa89a..8620ef40 100644 --- a/modules/platform/forge_runners/forge_trust_validator/forge_roles.tf +++ b/modules/platform/forge_runners/forge_trust_validator/forge_roles.tf @@ -1,12 +1,13 @@ data "aws_iam_role" "forge" { - for_each = toset(var.forge_iam_roles) + count = var.number_forge_iram_roles - name = replace(each.value, "/^.*//", "") + name = regex("([^/]+)$", var.forge_iam_roles[count.index])[0] depends_on = [module.forge_trust_validator_lambda] } locals { + # Statement we want to add to EVERY forge IAM role lambda_trust_statement = { Sid = "AllowLambdaValidationAssume" @@ -19,8 +20,8 @@ locals { # original_trust[arn] = decoded assume_role_policy JSON for each role original_trust = { - for arn, role in data.aws_iam_role.forge : - arn => jsondecode(role.assume_role_policy) + for idx, role in data.aws_iam_role.forge : + var.forge_iam_roles[idx] => jsondecode(role.assume_role_policy) } # original_statements[arn] = existing Statements list (or []) @@ -63,12 +64,12 @@ locals { } resource "null_resource" "update_forge_role_trust" { - for_each = data.aws_iam_role.forge + count = var.number_forge_iram_roles triggers = { - role_name = each.value.name - original_sha = sha1(local.original_statements_trust_json[each.key]) - future_sha = sha1(local.concatenated_trust_json[each.key]) + role_name = data.aws_iam_role.forge[count.index].id + original_policy = jsonencode(local.original_statements_trust_json[var.forge_iam_roles[count.index]]) + future_policy = jsonencode(local.concatenated_trust_json[var.forge_iam_roles[count.index]]) } provisioner "local-exec" { @@ -110,11 +111,11 @@ resource "null_resource" "update_forge_role_trust" { done } - ROLE_NAME="${each.value.name}" - TMP_FILE="/tmp/${each.value.name}-trust.json" + ROLE_NAME="${data.aws_iam_role.forge[count.index].name}" + TMP_FILE="/tmp/${data.aws_iam_role.forge[count.index].name}-trust.json" cat > "$${TMP_FILE}" << 'JSON' -${local.concatenated_trust_json[each.key]} +${local.concatenated_trust_json[var.forge_iam_roles[count.index]]} JSON retry_with_backoff diff --git a/modules/platform/forge_runners/forge_trust_validator/main.tf b/modules/platform/forge_runners/forge_trust_validator/main.tf index 54aa26dd..d372c59a 100644 --- a/modules/platform/forge_runners/forge_trust_validator/main.tf +++ b/modules/platform/forge_runners/forge_trust_validator/main.tf @@ -18,7 +18,7 @@ module "forge_trust_validator_lambda" { trigger_on_package_timestamp = false environment_variables = { - FORGE_IAM_ROLES = join(",", var.forge_iam_roles) + FORGE_IAM_ROLES = join(",", [for key, arn in var.forge_iam_roles : arn]) TENANT_IAM_ROLES = join(",", var.tenant_iam_roles) LOG_LEVEL = var.log_level } @@ -42,7 +42,7 @@ data "aws_iam_policy_document" "forge_trust_validator_lambda" { "sts:AssumeRole", ] effect = "Allow" - resources = var.forge_iam_roles + resources = [for key, arn in var.forge_iam_roles : arn] } } diff --git a/modules/platform/forge_runners/forge_trust_validator/variables.tf b/modules/platform/forge_runners/forge_trust_validator/variables.tf index 58dce9e5..de321229 100644 --- a/modules/platform/forge_runners/forge_trust_validator/variables.tf +++ b/modules/platform/forge_runners/forge_trust_validator/variables.tf @@ -27,13 +27,17 @@ variable "log_level" { } variable "forge_iam_roles" { - type = list(string) + type = map(string) description = "List of IAM role ARNs for Forge runners." } +variable "number_forge_iram_roles" { + type = number + description = "Number of Iam roles ARNs for Forge runners" +} + variable "tenant_iam_roles" { type = list(string) description = "List of IAM role ARNs that the runners will assume to test trust relationships." default = [] - } From afc6a08ed46247ae3274e40e567c3311c53463e0 Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Mon, 8 Dec 2025 20:57:39 +0100 Subject: [PATCH 21/85] fix: upgrade kubernetes_config_map (#226) --- modules/core/arc/scale_set/README.md | 4 ++-- modules/core/arc/scale_set/helm.tf | 4 ++-- modules/integrations/teleport/README.md | 2 +- modules/integrations/teleport/main.tf | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/modules/core/arc/scale_set/README.md b/modules/core/arc/scale_set/README.md index bde82073..8a547dba 100644 --- a/modules/core/arc/scale_set/README.md +++ b/modules/core/arc/scale_set/README.md @@ -28,8 +28,8 @@ No modules. | [aws_iam_role.runner_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_iam_role_policy_attachment.runner_role_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [helm_release.gha_runner_scale_set](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | -| [kubernetes_config_map.hook_extension](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map) | resource | -| [kubernetes_config_map.hook_pre_post_job](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map) | resource | +| [kubernetes_config_map_v1.hook_extension](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map) | resource | +| [kubernetes_config_map_v1.hook_pre_post_job](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map) | resource | | [kubernetes_role.k8s](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role) | resource | | [kubernetes_role_binding.k8s](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding) | resource | | [kubernetes_service_account_v1.runner_sa](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service_account_v1) | resource | diff --git a/modules/core/arc/scale_set/helm.tf b/modules/core/arc/scale_set/helm.tf index c2f1b0b5..ed68c8b5 100644 --- a/modules/core/arc/scale_set/helm.tf +++ b/modules/core/arc/scale_set/helm.tf @@ -1,4 +1,4 @@ -resource "kubernetes_config_map" "hook_extension" { +resource "kubernetes_config_map_v1" "hook_extension" { count = var.migrate_arc_cluster == false ? 1 : 0 metadata { name = "hook-extension-${var.scale_set_name}" @@ -23,7 +23,7 @@ resource "kubernetes_config_map" "hook_extension" { } } -resource "kubernetes_config_map" "hook_pre_post_job" { +resource "kubernetes_config_map_v1" "hook_pre_post_job" { count = var.migrate_arc_cluster == false ? 1 : 0 metadata { name = "hook-pre-post-job-${var.scale_set_name}" diff --git a/modules/integrations/teleport/README.md b/modules/integrations/teleport/README.md index 1c266d22..3512be6d 100644 --- a/modules/integrations/teleport/README.md +++ b/modules/integrations/teleport/README.md @@ -28,7 +28,7 @@ | [aws_iam_policy.eks_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_role.teleport_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_iam_role_policy_attachment.attach_eks_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [kubernetes_config_map.aws_auth_teleport](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map) | resource | +| [kubernetes_config_map_v1.aws_auth_teleport](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map) | resource | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_eks_cluster.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source | | [aws_eks_cluster_auth.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source | diff --git a/modules/integrations/teleport/main.tf b/modules/integrations/teleport/main.tf index a880f88b..e664d56c 100644 --- a/modules/integrations/teleport/main.tf +++ b/modules/integrations/teleport/main.tf @@ -5,7 +5,7 @@ module "tenant" { namespace = each.value } -resource "kubernetes_config_map" "aws_auth_teleport" { +resource "kubernetes_config_map_v1" "aws_auth_teleport" { count = length(var.tenants) > 0 ? 1 : 0 metadata { name = "aws-auth" From fcb8238a73bd5cd0fe43342c9d14433bd863883b Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Mon, 8 Dec 2025 23:10:59 +0100 Subject: [PATCH 22/85] refactor: migrate kubernetes resource to `v1` (#228) * fix: upgrade kubernetes_role_binding and kubernetes_role_binding * fix: upgrade role, cluster role and their bindings --- modules/core/arc/scale_set/README.md | 4 ++-- modules/core/arc/scale_set/k8s_mode.tf | 6 +++--- modules/core/arc/scale_set_controller/helm.tf | 2 +- modules/core/arc/scale_set_controller/secret.tf | 6 +++--- modules/integrations/teleport/tenant/README.md | 2 +- modules/integrations/teleport/tenant/main.tf | 8 ++++---- modules/platform/arc_deployment/outputs.tf | 9 ++++++++- modules/platform/ec2_deployment/outputs.tf | 11 ++++++++--- modules/platform/forge_runners/outputs.tf | 1 + 9 files changed, 31 insertions(+), 18 deletions(-) diff --git a/modules/core/arc/scale_set/README.md b/modules/core/arc/scale_set/README.md index 8a547dba..0e55dfcd 100644 --- a/modules/core/arc/scale_set/README.md +++ b/modules/core/arc/scale_set/README.md @@ -30,8 +30,8 @@ No modules. | [helm_release.gha_runner_scale_set](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | | [kubernetes_config_map_v1.hook_extension](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map) | resource | | [kubernetes_config_map_v1.hook_pre_post_job](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map) | resource | -| [kubernetes_role.k8s](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role) | resource | -| [kubernetes_role_binding.k8s](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding) | resource | +| [kubernetes_role_v1.k8s](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role) | resource | +| [kubernetes_role_binding_v1.k8s](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding) | resource | | [kubernetes_service_account_v1.runner_sa](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service_account_v1) | resource | | [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | diff --git a/modules/core/arc/scale_set/k8s_mode.tf b/modules/core/arc/scale_set/k8s_mode.tf index e140dce8..daf8f010 100644 --- a/modules/core/arc/scale_set/k8s_mode.tf +++ b/modules/core/arc/scale_set/k8s_mode.tf @@ -1,4 +1,4 @@ -resource "kubernetes_role" "k8s" { +resource "kubernetes_role_v1" "k8s" { count = var.scale_set_type == "k8s" && var.migrate_arc_cluster == false ? 1 : 0 metadata { @@ -37,7 +37,7 @@ resource "kubernetes_role" "k8s" { } } -resource "kubernetes_role_binding" "k8s" { +resource "kubernetes_role_binding_v1" "k8s" { count = var.scale_set_type == "k8s" && var.migrate_arc_cluster == false ? 1 : 0 metadata { @@ -48,7 +48,7 @@ resource "kubernetes_role_binding" "k8s" { role_ref { api_group = "rbac.authorization.k8s.io" kind = "Role" - name = kubernetes_role.k8s[0].metadata[0].name + name = kubernetes_role_v1.k8s[0].metadata[0].name } subject { diff --git a/modules/core/arc/scale_set_controller/helm.tf b/modules/core/arc/scale_set_controller/helm.tf index ce6b6e4b..dca751c2 100644 --- a/modules/core/arc/scale_set_controller/helm.tf +++ b/modules/core/arc/scale_set_controller/helm.tf @@ -21,5 +21,5 @@ resource "helm_release" "gha_runner_scale_set_controller" { cleanup_on_fail = true timeout = 1200 - depends_on = [kubernetes_secret.github_app] + depends_on = [kubernetes_secret_v1.github_app] } diff --git a/modules/core/arc/scale_set_controller/secret.tf b/modules/core/arc/scale_set_controller/secret.tf index ea195ac2..fe5ba6dc 100644 --- a/modules/core/arc/scale_set_controller/secret.tf +++ b/modules/core/arc/scale_set_controller/secret.tf @@ -1,11 +1,11 @@ -resource "kubernetes_namespace" "controller_namespace" { +resource "kubernetes_namespace_v1" "controller_namespace" { count = var.migrate_arc_cluster == false ? 1 : 0 metadata { name = var.namespace } } -resource "kubernetes_secret" "github_app" { +resource "kubernetes_secret_v1" "github_app" { count = var.migrate_arc_cluster == false ? 1 : 0 metadata { @@ -23,5 +23,5 @@ resource "kubernetes_secret" "github_app" { lifecycle { create_before_destroy = true } - depends_on = [kubernetes_namespace.controller_namespace] + depends_on = [kubernetes_namespace_v1.controller_namespace] } diff --git a/modules/integrations/teleport/tenant/README.md b/modules/integrations/teleport/tenant/README.md index d2424d5b..1da44863 100644 --- a/modules/integrations/teleport/tenant/README.md +++ b/modules/integrations/teleport/tenant/README.md @@ -25,7 +25,7 @@ No modules. | [kubernetes_cluster_role.impersonate](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role) | resource | | [kubernetes_cluster_role.pods](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role) | resource | | [kubernetes_cluster_role_binding.impersonate](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role_binding) | resource | -| [kubernetes_role_binding.pods](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding) | resource | +| [kubernetes_role_binding_v1.pods](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding) | resource | ## Inputs diff --git a/modules/integrations/teleport/tenant/main.tf b/modules/integrations/teleport/tenant/main.tf index 76945d46..f3819aa8 100644 --- a/modules/integrations/teleport/tenant/main.tf +++ b/modules/integrations/teleport/tenant/main.tf @@ -1,4 +1,4 @@ -resource "kubernetes_cluster_role" "impersonate" { +resource "kubernetes_cluster_role_v1" "impersonate" { metadata { name = "teleport-${var.namespace}-impersonate" } @@ -16,7 +16,7 @@ resource "kubernetes_cluster_role" "impersonate" { } } -resource "kubernetes_cluster_role" "pods" { +resource "kubernetes_cluster_role_v1" "pods" { metadata { name = "teleport-${var.namespace}-pods" } @@ -29,7 +29,7 @@ resource "kubernetes_cluster_role" "pods" { } -resource "kubernetes_cluster_role_binding" "impersonate" { +resource "kubernetes_cluster_role_binding_v1" "impersonate" { metadata { name = "teleport-${var.namespace}-impersonate-binding" } @@ -48,7 +48,7 @@ resource "kubernetes_cluster_role_binding" "impersonate" { } } -resource "kubernetes_role_binding" "pods" { +resource "kubernetes_role_binding_v1" "pods" { metadata { name = "teleport-${var.namespace}-pods-binding" namespace = var.namespace diff --git a/modules/platform/arc_deployment/outputs.tf b/modules/platform/arc_deployment/outputs.tf index 8866d2e4..81d04b70 100644 --- a/modules/platform/arc_deployment/outputs.tf +++ b/modules/platform/arc_deployment/outputs.tf @@ -2,8 +2,15 @@ output "arc_runners_arn_map" { value = { for runner_key, runner in module.arc.runners_map : runner_key => runner.runner_role_arn } + description = "Map of ARC runner keys to their IAM role ARNs." } output "subnet_cidr_blocks" { - value = module.arc.subnet_cidr_blocks + value = module.arc.subnet_cidr_blocks + description = "Map of ARC runner subnet IDs to their CIDR blocks." +} + +output "arc_cluster_name" { + value = var.runner_configs.arc_cluster_name + description = "Name of the Kubernetes cluster used for ARC runners." } diff --git a/modules/platform/ec2_deployment/outputs.tf b/modules/platform/ec2_deployment/outputs.tf index e0e803a4..2a0e73b1 100644 --- a/modules/platform/ec2_deployment/outputs.tf +++ b/modules/platform/ec2_deployment/outputs.tf @@ -1,23 +1,28 @@ output "webhook_endpoint" { - value = module.runners.webhook.endpoint + value = module.runners.webhook.endpoint + description = "Public HTTPS endpoint URL for the GitHub Actions webhook relay." } output "ec2_runners_arn_map" { value = { for runner_key, runner in module.runners.runners_map : runner_key => runner.role_runner.arn } + description = "Map of EC2 runner keys to their IAM role ARNs." } output "ec2_runners_ami_name_map" { value = { for runner_key, runner in module.runners.runners_map : runner_key => data.aws_ami.runner_ami[runner_key].name } + description = "Map of EC2 runner keys to the AMI names used for each runner." } output "subnet_cidr_blocks" { - value = { for id, subnet in data.aws_subnet.runner_subnet : id => subnet.cidr_block } + value = { for id, subnet in data.aws_subnet.runner_subnet : id => subnet.cidr_block } + description = "Map of EC2 runner subnet IDs to their CIDR blocks." } output "event_bus_name" { - value = module.runners.webhook.eventbridge.event_bus.name + value = module.runners.webhook.eventbridge.event_bus.name + description = "Name of the EventBridge event bus used by the webhook relay." } diff --git a/modules/platform/forge_runners/outputs.tf b/modules/platform/forge_runners/outputs.tf index 9378a35a..b735ea17 100644 --- a/modules/platform/forge_runners/outputs.tf +++ b/modules/platform/forge_runners/outputs.tf @@ -15,6 +15,7 @@ output "forge_runners" { subnet_cidr_blocks = try(module.ec2_runners[0].subnet_cidr_blocks, []) } arc = { + cluster_name = try(module.arc_runners.arc_cluster_name, {}) runners_arn_map = try(module.arc_runners.arc_runners_arn_map, {}) subnet_cidr_blocks = try(module.arc_runners.subnet_cidr_blocks, []) } From f4aba699c10367e106fca3af26a641f7ac86d4e2 Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Tue, 9 Dec 2025 01:21:36 +0100 Subject: [PATCH 23/85] ci: update tofu, terragrunt and tflint (#230) --- .docker/pre-commit/Dockerfile | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.docker/pre-commit/Dockerfile b/.docker/pre-commit/Dockerfile index 88487ddf..11f1d165 100644 --- a/.docker/pre-commit/Dockerfile +++ b/.docker/pre-commit/Dockerfile @@ -92,10 +92,10 @@ RUN set -eux; \ chmod 755 /usr/local/bin/terraform-docs # renovate: datasource=github-releases depName=gruntwork-io/terragrunt registryUrl=https://github.com/ -ARG TERRAGRUNT_VERSION="0.77.22" +ARG TERRAGRUNT_VERSION="0.93.11" ARG TERRAGRUNT_SRC="https://github.com/gruntwork-io/terragrunt/releases/download/v${TERRAGRUNT_VERSION}/terragrunt_linux_amd64" ARG TERRAGRUNT_ARTIFACT="terragrunt" -ARG TERRAGRUNT_CHECKSUM="42036586250f5db53dd2460427c5df43420fa22b935998f1530181474f525386" +ARG TERRAGRUNT_CHECKSUM="9bf7a5620c8626cef8ebfae91ec4ff0db994993e2888d3e185e51bf155627c38" RUN set -eux; \ wget --progress=dot:giga -O ${TERRAGRUNT_ARTIFACT} ${TERRAGRUNT_SRC}; \ echo "${TERRAGRUNT_CHECKSUM} ${TERRAGRUNT_ARTIFACT}" | sha256sum -c -; \ @@ -103,21 +103,21 @@ RUN set -eux; \ chmod 755 /usr/local/bin/terragrunt # renovate: datasource=github-releases depName=terraform-linters/tflint registryUrl=https://github.com/ -ARG TFLINT_VERSION="0.56.0" +ARG TFLINT_VERSION="0.60.0" ARG TFLINT_SRC="https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/tflint_linux_amd64.zip" ARG TFLINT_ARTIFACT="tflint.zip" -ARG TFLINT_CHECKSUM="e0d74c557815ee51c6ecfe826ed62fd411ee6c10e1eab5532a0b0cc684c5db8a" +ARG TFLINT_CHECKSUM="3476ceedcf0c4f9f2bed35e92988e1411bec2caa543c9387bffaa720df9efaf7" RUN set -eux; \ wget --progress=dot:giga -O ${TFLINT_ARTIFACT} ${TFLINT_SRC}; \ echo "${TFLINT_CHECKSUM} ${TFLINT_ARTIFACT}" | sha256sum -c -; \ unzip -o ${TFLINT_ARTIFACT} -d /usr/local/bin/; \ - chmod 755 /usr/local/bin/tflint + chmod 755 /usr/local/bin/tflint; # renovate: datasource=github-releases depName=opentofu/opentofu registryUrl=https://github.com/ -ARG TOFU_VERSION="1.9.1" +ARG TOFU_VERSION="1.10.7" ARG TOFU_SRC="https://github.com/opentofu/opentofu/releases/download/v${TOFU_VERSION}/tofu_${TOFU_VERSION}_linux_amd64.zip" ARG TOFU_ARTIFACT="tofu.zip" -ARG TOFU_CHECKSUM="19eda43eaa45bef3e21d87c58f31a6df73e8534ea30e78619a463bdfdb889cd2" +ARG TOFU_CHECKSUM="c79bb458e7d7fa08c44be98b373ab3434647598808fc2a75dc9338aef7432ae6" RUN set -eux; \ wget --progress=dot:giga -O ${TOFU_ARTIFACT} ${TOFU_SRC}; \ echo "${TOFU_CHECKSUM} ${TOFU_ARTIFACT}" | sha256sum -c -; \ From 11d86f63e0e06bc249de6863be608455d19d824f Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Tue, 9 Dec 2025 01:42:46 +0100 Subject: [PATCH 24/85] chore: upgrade providers (#229) * chore: upgrade providers * docs: update terraform docs --- modules/core/arc/README.md | 10 +-- modules/core/arc/scale_set/README.md | 16 ++--- modules/core/arc/scale_set/versions.tf | 6 +- .../core/arc/scale_set_controller/README.md | 10 +-- .../core/arc/scale_set_controller/versions.tf | 6 +- modules/core/arc/versions.tf | 8 +-- modules/infra/ami_policy/README.md | 6 +- modules/infra/ami_policy/versions.tf | 4 +- modules/infra/ami_sharing/README.md | 6 +- modules/infra/ami_sharing/versions.tf | 4 +- modules/infra/cloud_custodian/README.md | 6 +- modules/infra/cloud_custodian/versions.tf | 4 +- modules/infra/cloud_formation/README.md | 6 +- modules/infra/cloud_formation/versions.tf | 4 +- modules/infra/ecr/README.md | 6 +- modules/infra/ecr/versions.tf | 4 +- modules/infra/eks/README.md | 8 +-- modules/infra/eks/versions.tf | 8 +-- modules/infra/forge_subscription/version.tf | 4 +- modules/infra/opt_in_regions/README.md | 6 +- modules/infra/opt_in_regions/versions.tf | 4 +- modules/infra/service_linked_roles/README.md | 6 +- .../infra/service_linked_roles/versions.tf | 4 +- modules/infra/storage/README.md | 6 +- modules/infra/storage/versions.tf | 7 ++- .../README.md | 6 +- .../versions.tf | 4 +- .../README.md | 6 +- .../versions.tf | 4 +- .../webex_webhook_relay/README.md | 6 +- .../webex_webhook_relay/versions.tf | 4 +- .../github_webhook_relay_source/README.md | 6 +- .../github_webhook_relay_source/versions.tf | 4 +- .../integrations/splunk_aws_billing/README.md | 6 +- .../splunk_aws_billing/versions.tf | 4 +- .../splunk_cloud_conf_shared/README.md | 6 +- .../splunk_cloud_conf_shared/versions.tf | 4 +- .../data_input/versions.tf | 8 +-- .../sec_meta_ec2_tags/versions.tf | 4 +- .../splunk_cloud_data_manager/versions.tf | 8 +-- .../README.md | 6 +- .../versions.tf | 4 +- .../splunk_cloud_s3_runner_logs/README.md | 6 +- .../splunk_cloud_s3_runner_logs/versions.tf | 4 +- .../splunk_o11y_aws_integration/README.md | 6 +- .../splunk_o11y_aws_integration/versions.tf | 4 +- .../README.md | 8 +-- .../versions.tf | 4 +- .../splunk_o11y_conf_shared/README.md | 61 +++++-------------- .../dashboards/billing/README.md | 42 +++++++++++++ .../dashboards/billing/versions.tf | 2 +- .../dashboards/dynamodb/README.md | 49 +++++++++++++++ .../dashboards/dynamodb/versions.tf | 2 +- .../dashboards/ebs/README.md | 51 ++++++++++++++++ .../dashboards/ebs/versions.tf | 2 +- .../dashboards/lambda/README.md | 51 ++++++++++++++++ .../dashboards/lambda/versions.tf | 2 +- .../dashboards/runner_ec2/README.md | 58 ++++++++++++++++++ .../dashboards/runner_ec2/versions.tf | 2 +- .../dashboards/runner_k8s/README.md | 46 ++++++++++++++ .../dashboards/runner_k8s/versions.tf | 2 +- .../dashboards/sqs/README.md | 45 ++++++++++++++ .../dashboards/sqs/versions.tf | 2 +- .../splunk_o11y_conf_shared/versions.tf | 4 +- .../integrations/splunk_otel_eks/README.md | 6 +- .../integrations/splunk_otel_eks/versions.tf | 6 +- .../integrations/splunk_secrets/versions.tf | 4 +- modules/integrations/teleport/README.md | 10 +-- .../integrations/teleport/tenant/README.md | 14 ++--- .../integrations/teleport/tenant/versions.tf | 6 +- modules/integrations/teleport/versions.tf | 6 +- modules/platform/arc_deployment/README.md | 7 ++- modules/platform/arc_deployment/versions.tf | 2 +- modules/platform/ec2_deployment/README.md | 17 +++--- .../ec2_update_runner_ssm_ami/README.md | 6 +- .../ec2_update_runner_ssm_ami/versions.tf | 4 +- .../ec2_update_runner_tags/README.md | 6 +- .../ec2_update_runner_tags/versions.tf | 4 +- modules/platform/ec2_deployment/versions.tf | 4 +- modules/platform/forge_runners/README.md | 9 ++- .../forge_trust_validator/README.md | 9 +-- .../forge_trust_validator/versions.tf | 4 +- .../github_actions_job_logs/README.md | 6 +- .../github_actions_job_logs/versions.tf | 4 +- .../github_app_runner_group/README.md | 6 +- .../github_app_runner_group/versions.tf | 4 +- .../github_global_lock/README.md | 6 +- .../github_global_lock/versions.tf | 4 +- .../github_webhook_relay/README.md | 6 +- .../github_webhook_relay/versions.tf | 4 +- .../redrive_deadletter/README.md | 10 ++- .../redrive_deadletter/versions.tf | 4 +- modules/platform/forge_runners/versions.tf | 4 +- 93 files changed, 598 insertions(+), 286 deletions(-) create mode 100644 modules/integrations/splunk_o11y_conf_shared/dashboards/billing/README.md create mode 100644 modules/integrations/splunk_o11y_conf_shared/dashboards/dynamodb/README.md create mode 100644 modules/integrations/splunk_o11y_conf_shared/dashboards/ebs/README.md create mode 100644 modules/integrations/splunk_o11y_conf_shared/dashboards/lambda/README.md create mode 100644 modules/integrations/splunk_o11y_conf_shared/dashboards/runner_ec2/README.md create mode 100644 modules/integrations/splunk_o11y_conf_shared/dashboards/runner_k8s/README.md create mode 100644 modules/integrations/splunk_o11y_conf_shared/dashboards/sqs/README.md diff --git a/modules/core/arc/README.md b/modules/core/arc/README.md index 2fdafb89..0e0ee092 100644 --- a/modules/core/arc/README.md +++ b/modules/core/arc/README.md @@ -3,20 +3,20 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.9.1 | -| [aws](#requirement\_aws) | >= 5.27 | +| [terraform](#requirement\_terraform) | >= 1.10 | +| [aws](#requirement\_aws) | >= 6.25 | | [external](#requirement\_external) | >= 2.3 | | [helm](#requirement\_helm) | >= 3.0.0 | | [kubernetes](#requirement\_kubernetes) | >= 2.36.0 | -| [null](#requirement\_null) | >= 3.2.3 | +| [null](#requirement\_null) | >= 3.2 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.23.0 | +| [aws](#provider\_aws) | 6.25.0 | | [external](#provider\_external) | 2.3.5 | -| [kubernetes](#provider\_kubernetes) | 2.38.0 | +| [kubernetes](#provider\_kubernetes) | 3.0.0 | | [null](#provider\_null) | 3.2.4 | ## Modules diff --git a/modules/core/arc/scale_set/README.md b/modules/core/arc/scale_set/README.md index 0e55dfcd..ecbbc0b5 100644 --- a/modules/core/arc/scale_set/README.md +++ b/modules/core/arc/scale_set/README.md @@ -3,8 +3,8 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.9.1 | -| [aws](#requirement\_aws) | >= 5.27 | +| [terraform](#requirement\_terraform) | >= 1.10 | +| [aws](#requirement\_aws) | >= 6.25 | | [helm](#requirement\_helm) | >= 3.0.0 | | [kubernetes](#requirement\_kubernetes) | >= 2.36.0 | @@ -12,9 +12,9 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.23.0 | +| [aws](#provider\_aws) | 6.25.0 | | [helm](#provider\_helm) | 3.1.1 | -| [kubernetes](#provider\_kubernetes) | 2.38.0 | +| [kubernetes](#provider\_kubernetes) | 3.0.0 | ## Modules @@ -28,10 +28,10 @@ No modules. | [aws_iam_role.runner_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_iam_role_policy_attachment.runner_role_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [helm_release.gha_runner_scale_set](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | -| [kubernetes_config_map_v1.hook_extension](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map) | resource | -| [kubernetes_config_map_v1.hook_pre_post_job](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map) | resource | -| [kubernetes_role_v1.k8s](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role) | resource | -| [kubernetes_role_binding_v1.k8s](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding) | resource | +| [kubernetes_config_map_v1.hook_extension](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map_v1) | resource | +| [kubernetes_config_map_v1.hook_pre_post_job](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map_v1) | resource | +| [kubernetes_role_binding_v1.k8s](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding_v1) | resource | +| [kubernetes_role_v1.k8s](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_v1) | resource | | [kubernetes_service_account_v1.runner_sa](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service_account_v1) | resource | | [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | diff --git a/modules/core/arc/scale_set/versions.tf b/modules/core/arc/scale_set/versions.tf index 06035e89..7f8762af 100644 --- a/modules/core/arc/scale_set/versions.tf +++ b/modules/core/arc/scale_set/versions.tf @@ -2,7 +2,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.27" + version = ">= 6.25" } helm = { source = "hashicorp/helm" @@ -10,10 +10,10 @@ terraform { } kubernetes = { source = "hashicorp/kubernetes" - version = ">= 2.36.0" + version = ">= 3.0" } } # OpenTofu version. - required_version = ">= 1.9.1" + required_version = ">= 1.10" } diff --git a/modules/core/arc/scale_set_controller/README.md b/modules/core/arc/scale_set_controller/README.md index e1b18621..b71e37d4 100644 --- a/modules/core/arc/scale_set_controller/README.md +++ b/modules/core/arc/scale_set_controller/README.md @@ -3,8 +3,8 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.9.1 | -| [aws](#requirement\_aws) | >= 5.27 | +| [terraform](#requirement\_terraform) | >= 1.10 | +| [aws](#requirement\_aws) | >= 6.25 | | [helm](#requirement\_helm) | >= 3.0.0 | | [kubernetes](#requirement\_kubernetes) | >= 2.36.0 | @@ -13,7 +13,7 @@ | Name | Version | |------|---------| | [helm](#provider\_helm) | 3.1.1 | -| [kubernetes](#provider\_kubernetes) | 2.38.0 | +| [kubernetes](#provider\_kubernetes) | 3.0.0 | ## Modules @@ -24,8 +24,8 @@ No modules. | Name | Type | |------|------| | [helm_release.gha_runner_scale_set_controller](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | -| [kubernetes_namespace.controller_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | -| [kubernetes_secret.github_app](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource | +| [kubernetes_namespace_v1.controller_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace_v1) | resource | +| [kubernetes_secret_v1.github_app](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret_v1) | resource | ## Inputs diff --git a/modules/core/arc/scale_set_controller/versions.tf b/modules/core/arc/scale_set_controller/versions.tf index 06035e89..7f8762af 100644 --- a/modules/core/arc/scale_set_controller/versions.tf +++ b/modules/core/arc/scale_set_controller/versions.tf @@ -2,7 +2,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.27" + version = ">= 6.25" } helm = { source = "hashicorp/helm" @@ -10,10 +10,10 @@ terraform { } kubernetes = { source = "hashicorp/kubernetes" - version = ">= 2.36.0" + version = ">= 3.0" } } # OpenTofu version. - required_version = ">= 1.9.1" + required_version = ">= 1.10" } diff --git a/modules/core/arc/versions.tf b/modules/core/arc/versions.tf index 03ec6947..cf16e8aa 100644 --- a/modules/core/arc/versions.tf +++ b/modules/core/arc/versions.tf @@ -2,7 +2,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.27" + version = ">= 6.25" } external = { source = "hashicorp/external" @@ -14,14 +14,14 @@ terraform { } kubernetes = { source = "hashicorp/kubernetes" - version = ">= 2.36.0" + version = ">= 3.0" } null = { source = "hashicorp/null" - version = ">= 3.2.3" + version = ">= 3.2" } } # OpenTofu version. - required_version = ">= 1.9.1" + required_version = ">= 1.10" } diff --git a/modules/infra/ami_policy/README.md b/modules/infra/ami_policy/README.md index e616383f..0d4b0f02 100644 --- a/modules/infra/ami_policy/README.md +++ b/modules/infra/ami_policy/README.md @@ -3,14 +3,14 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.9.1 | -| [aws](#requirement\_aws) | >= 5.90 | +| [terraform](#requirement\_terraform) | >= 1.10 | +| [aws](#requirement\_aws) | >= 6.25 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.23.0 | +| [aws](#provider\_aws) | 6.25.0 | ## Modules diff --git a/modules/infra/ami_policy/versions.tf b/modules/infra/ami_policy/versions.tf index 3353a29f..d509d257 100644 --- a/modules/infra/ami_policy/versions.tf +++ b/modules/infra/ami_policy/versions.tf @@ -3,10 +3,10 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.90" + version = ">= 6.25" } } # OpenTofu version. - required_version = ">= 1.9.1" + required_version = ">= 1.10" } diff --git a/modules/infra/ami_sharing/README.md b/modules/infra/ami_sharing/README.md index 31ab8029..955958fb 100644 --- a/modules/infra/ami_sharing/README.md +++ b/modules/infra/ami_sharing/README.md @@ -3,14 +3,14 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.9.1 | -| [aws](#requirement\_aws) | >= 5.90 | +| [terraform](#requirement\_terraform) | >= 1.10 | +| [aws](#requirement\_aws) | >= 6.25 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.23.0 | +| [aws](#provider\_aws) | 6.25.0 | ## Modules diff --git a/modules/infra/ami_sharing/versions.tf b/modules/infra/ami_sharing/versions.tf index 3353a29f..d509d257 100644 --- a/modules/infra/ami_sharing/versions.tf +++ b/modules/infra/ami_sharing/versions.tf @@ -3,10 +3,10 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.90" + version = ">= 6.25" } } # OpenTofu version. - required_version = ">= 1.9.1" + required_version = ">= 1.10" } diff --git a/modules/infra/cloud_custodian/README.md b/modules/infra/cloud_custodian/README.md index 8f4ea7e5..de63df6d 100644 --- a/modules/infra/cloud_custodian/README.md +++ b/modules/infra/cloud_custodian/README.md @@ -3,14 +3,14 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.9.1 | -| [aws](#requirement\_aws) | >= 5.90 | +| [terraform](#requirement\_terraform) | >= 1.10 | +| [aws](#requirement\_aws) | >= 6.25 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.23.0 | +| [aws](#provider\_aws) | 6.25.0 | ## Modules diff --git a/modules/infra/cloud_custodian/versions.tf b/modules/infra/cloud_custodian/versions.tf index 3353a29f..d509d257 100644 --- a/modules/infra/cloud_custodian/versions.tf +++ b/modules/infra/cloud_custodian/versions.tf @@ -3,10 +3,10 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.90" + version = ">= 6.25" } } # OpenTofu version. - required_version = ">= 1.9.1" + required_version = ">= 1.10" } diff --git a/modules/infra/cloud_formation/README.md b/modules/infra/cloud_formation/README.md index e77ccb80..5e481fdb 100644 --- a/modules/infra/cloud_formation/README.md +++ b/modules/infra/cloud_formation/README.md @@ -3,14 +3,14 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.9.1 | -| [aws](#requirement\_aws) | >= 5.90 | +| [terraform](#requirement\_terraform) | >= 1.10 | +| [aws](#requirement\_aws) | >= 6.25 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.23.0 | +| [aws](#provider\_aws) | 6.25.0 | ## Modules diff --git a/modules/infra/cloud_formation/versions.tf b/modules/infra/cloud_formation/versions.tf index 3353a29f..d509d257 100644 --- a/modules/infra/cloud_formation/versions.tf +++ b/modules/infra/cloud_formation/versions.tf @@ -3,10 +3,10 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.90" + version = ">= 6.25" } } # OpenTofu version. - required_version = ">= 1.9.1" + required_version = ">= 1.10" } diff --git a/modules/infra/ecr/README.md b/modules/infra/ecr/README.md index 01d3b228..7d027b44 100644 --- a/modules/infra/ecr/README.md +++ b/modules/infra/ecr/README.md @@ -3,14 +3,14 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.9.1 | -| [aws](#requirement\_aws) | >= 5.90 | +| [terraform](#requirement\_terraform) | >= 1.10 | +| [aws](#requirement\_aws) | >= 6.25 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.23.0 | +| [aws](#provider\_aws) | 6.25.0 | ## Modules diff --git a/modules/infra/ecr/versions.tf b/modules/infra/ecr/versions.tf index 3353a29f..d509d257 100644 --- a/modules/infra/ecr/versions.tf +++ b/modules/infra/ecr/versions.tf @@ -3,10 +3,10 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.90" + version = ">= 6.25" } } # OpenTofu version. - required_version = ">= 1.9.1" + required_version = ">= 1.10" } diff --git a/modules/infra/eks/README.md b/modules/infra/eks/README.md index bf963f4e..1a77e049 100644 --- a/modules/infra/eks/README.md +++ b/modules/infra/eks/README.md @@ -3,20 +3,20 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.9.1 | -| [aws](#requirement\_aws) | >= 5.90 | +| [terraform](#requirement\_terraform) | >= 1.10 | +| [aws](#requirement\_aws) | >= 6.25 | | [external](#requirement\_external) | >= 2.3 | | [helm](#requirement\_helm) | >= 3.0.0 | | [kubectl](#requirement\_kubectl) | >= 1.19.0 | | [kubernetes](#requirement\_kubernetes) | >= 2.36.0 | -| [null](#requirement\_null) | >= 3.2.3 | +| [null](#requirement\_null) | >= 3.2 | | [time](#requirement\_time) | >= 0.13.1 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.23.0 | +| [aws](#provider\_aws) | 6.25.0 | | [external](#provider\_external) | 2.3.5 | | [helm](#provider\_helm) | 3.1.1 | | [null](#provider\_null) | 3.2.4 | diff --git a/modules/infra/eks/versions.tf b/modules/infra/eks/versions.tf index 8b53b24b..fdf21628 100644 --- a/modules/infra/eks/versions.tf +++ b/modules/infra/eks/versions.tf @@ -3,7 +3,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.90" + version = ">= 6.25" } helm = { source = "hashicorp/helm" @@ -11,11 +11,11 @@ terraform { } kubernetes = { source = "hashicorp/kubernetes" - version = ">= 2.36.0" + version = ">= 3.0" } null = { source = "hashicorp/null" - version = ">= 3.2.3" + version = ">= 3.2" } kubectl = { source = "gavinbunney/kubectl" @@ -32,5 +32,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.9.1" + required_version = ">= 1.10" } diff --git a/modules/infra/forge_subscription/version.tf b/modules/infra/forge_subscription/version.tf index 3353a29f..d509d257 100644 --- a/modules/infra/forge_subscription/version.tf +++ b/modules/infra/forge_subscription/version.tf @@ -3,10 +3,10 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.90" + version = ">= 6.25" } } # OpenTofu version. - required_version = ">= 1.9.1" + required_version = ">= 1.10" } diff --git a/modules/infra/opt_in_regions/README.md b/modules/infra/opt_in_regions/README.md index 88b75fbc..c5062b39 100644 --- a/modules/infra/opt_in_regions/README.md +++ b/modules/infra/opt_in_regions/README.md @@ -3,14 +3,14 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.9.1 | -| [aws](#requirement\_aws) | >= 5.90 | +| [terraform](#requirement\_terraform) | >= 1.10 | +| [aws](#requirement\_aws) | >= 6.25 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.23.0 | +| [aws](#provider\_aws) | 6.25.0 | ## Modules diff --git a/modules/infra/opt_in_regions/versions.tf b/modules/infra/opt_in_regions/versions.tf index 3353a29f..d509d257 100644 --- a/modules/infra/opt_in_regions/versions.tf +++ b/modules/infra/opt_in_regions/versions.tf @@ -3,10 +3,10 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.90" + version = ">= 6.25" } } # OpenTofu version. - required_version = ">= 1.9.1" + required_version = ">= 1.10" } diff --git a/modules/infra/service_linked_roles/README.md b/modules/infra/service_linked_roles/README.md index 3e3046a4..9c1ebcc8 100644 --- a/modules/infra/service_linked_roles/README.md +++ b/modules/infra/service_linked_roles/README.md @@ -3,14 +3,14 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.9.1 | -| [aws](#requirement\_aws) | >= 5.90 | +| [terraform](#requirement\_terraform) | >= 1.10 | +| [aws](#requirement\_aws) | >= 6.25 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.23.0 | +| [aws](#provider\_aws) | 6.25.0 | ## Modules diff --git a/modules/infra/service_linked_roles/versions.tf b/modules/infra/service_linked_roles/versions.tf index 3353a29f..d509d257 100644 --- a/modules/infra/service_linked_roles/versions.tf +++ b/modules/infra/service_linked_roles/versions.tf @@ -3,10 +3,10 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.90" + version = ">= 6.25" } } # OpenTofu version. - required_version = ">= 1.9.1" + required_version = ">= 1.10" } diff --git a/modules/infra/storage/README.md b/modules/infra/storage/README.md index a42a99a4..2db6aa09 100644 --- a/modules/infra/storage/README.md +++ b/modules/infra/storage/README.md @@ -3,14 +3,14 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.9.0 | -| [aws](#requirement\_aws) | ~> 6.0 | +| [terraform](#requirement\_terraform) | >= 1.10 | +| [aws](#requirement\_aws) | >= 6.25 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.23.0 | +| [aws](#provider\_aws) | 6.25.0 | ## Modules diff --git a/modules/infra/storage/versions.tf b/modules/infra/storage/versions.tf index 750e8a83..d509d257 100644 --- a/modules/infra/storage/versions.tf +++ b/modules/infra/storage/versions.tf @@ -1,11 +1,12 @@ -# Needed to interact with in-house/on-prem SLVM resources. terraform { + # Provider versions. required_providers { aws = { source = "hashicorp/aws" - version = "~> 6.0" + version = ">= 6.25" } } + # OpenTofu version. - required_version = ">= 1.9.0" + required_version = ">= 1.10" } diff --git a/modules/integrations/github_webhook_relay_destination/README.md b/modules/integrations/github_webhook_relay_destination/README.md index 86ce5145..7f344006 100644 --- a/modules/integrations/github_webhook_relay_destination/README.md +++ b/modules/integrations/github_webhook_relay_destination/README.md @@ -40,15 +40,15 @@ graph TD | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.9.1 | -| [aws](#requirement\_aws) | >= 5.90 | +| [terraform](#requirement\_terraform) | >= 1.10 | +| [aws](#requirement\_aws) | >= 6.25 | | [external](#requirement\_external) | >= 2.3 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.23.0 | +| [aws](#provider\_aws) | 6.25.0 | | [external](#provider\_external) | 2.3.5 | ## Modules diff --git a/modules/integrations/github_webhook_relay_destination/versions.tf b/modules/integrations/github_webhook_relay_destination/versions.tf index 288ee2ec..578aa4d4 100644 --- a/modules/integrations/github_webhook_relay_destination/versions.tf +++ b/modules/integrations/github_webhook_relay_destination/versions.tf @@ -3,7 +3,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.90" + version = ">= 6.25" } external = { source = "hashicorp/external" @@ -12,5 +12,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.9.1" + required_version = ">= 1.10" } diff --git a/modules/integrations/github_webhook_relay_destination_receivers/README.md b/modules/integrations/github_webhook_relay_destination_receivers/README.md index 5064ad05..6223e192 100644 --- a/modules/integrations/github_webhook_relay_destination_receivers/README.md +++ b/modules/integrations/github_webhook_relay_destination_receivers/README.md @@ -3,14 +3,14 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.9.1 | -| [aws](#requirement\_aws) | ~> 6.0 | +| [terraform](#requirement\_terraform) | >= 1.10 | +| [aws](#requirement\_aws) | >= 6.25 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.23.0 | +| [aws](#provider\_aws) | 6.25.0 | ## Modules diff --git a/modules/integrations/github_webhook_relay_destination_receivers/versions.tf b/modules/integrations/github_webhook_relay_destination_receivers/versions.tf index bdf91f45..d509d257 100644 --- a/modules/integrations/github_webhook_relay_destination_receivers/versions.tf +++ b/modules/integrations/github_webhook_relay_destination_receivers/versions.tf @@ -3,10 +3,10 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "~> 6.0" + version = ">= 6.25" } } # OpenTofu version. - required_version = ">= 1.9.1" + required_version = ">= 1.10" } diff --git a/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/README.md b/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/README.md index 226bfd73..b0deaec0 100644 --- a/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/README.md +++ b/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/README.md @@ -47,15 +47,15 @@ Both `token` and `room_id` keys are required. The function will prepend `Bearer | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.9.1 | -| [aws](#requirement\_aws) | ~> 6.0 | +| [terraform](#requirement\_terraform) | >= 1.10 | +| [aws](#requirement\_aws) | >= 6.25 | | [time](#requirement\_time) | >= 0.13.1 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.23.0 | +| [aws](#provider\_aws) | 6.25.0 | | [time](#provider\_time) | 0.13.1 | ## Modules diff --git a/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/versions.tf b/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/versions.tf index ae56fcdf..624e7505 100644 --- a/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/versions.tf +++ b/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/versions.tf @@ -3,7 +3,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "~> 6.0" + version = ">= 6.25" } time = { source = "hashicorp/time" @@ -12,5 +12,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.9.1" + required_version = ">= 1.10" } diff --git a/modules/integrations/github_webhook_relay_source/README.md b/modules/integrations/github_webhook_relay_source/README.md index 31f82315..71271571 100644 --- a/modules/integrations/github_webhook_relay_source/README.md +++ b/modules/integrations/github_webhook_relay_source/README.md @@ -59,14 +59,14 @@ curl -X POST "$(terraform output -raw webhook_endpoint)/webhook" \ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.9.1 | -| [aws](#requirement\_aws) | >= 5.90 | +| [terraform](#requirement\_terraform) | >= 1.10 | +| [aws](#requirement\_aws) | >= 6.25 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.23.0 | +| [aws](#provider\_aws) | 6.25.0 | ## Modules diff --git a/modules/integrations/github_webhook_relay_source/versions.tf b/modules/integrations/github_webhook_relay_source/versions.tf index 3353a29f..d509d257 100644 --- a/modules/integrations/github_webhook_relay_source/versions.tf +++ b/modules/integrations/github_webhook_relay_source/versions.tf @@ -3,10 +3,10 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.90" + version = ">= 6.25" } } # OpenTofu version. - required_version = ">= 1.9.1" + required_version = ">= 1.10" } diff --git a/modules/integrations/splunk_aws_billing/README.md b/modules/integrations/splunk_aws_billing/README.md index fa9f572e..dea2aa2a 100644 --- a/modules/integrations/splunk_aws_billing/README.md +++ b/modules/integrations/splunk_aws_billing/README.md @@ -3,9 +3,9 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.9.1 | +| [terraform](#requirement\_terraform) | >= 1.10 | | [archive](#requirement\_archive) | >= 2.7.0 | -| [aws](#requirement\_aws) | >= 5.27 | +| [aws](#requirement\_aws) | >= 6.25 | | [external](#requirement\_external) | >= 2.3 | | [null](#requirement\_null) | >= 3.2 | | [random](#requirement\_random) | >= 3.6 | @@ -14,7 +14,7 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.23.0 | +| [aws](#provider\_aws) | 6.25.0 | ## Modules diff --git a/modules/integrations/splunk_aws_billing/versions.tf b/modules/integrations/splunk_aws_billing/versions.tf index f3cb4cba..98fc9562 100644 --- a/modules/integrations/splunk_aws_billing/versions.tf +++ b/modules/integrations/splunk_aws_billing/versions.tf @@ -2,7 +2,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.27" + version = ">= 6.25" } external = { source = "hashicorp/external" @@ -23,5 +23,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.9.1" + required_version = ">= 1.10" } diff --git a/modules/integrations/splunk_cloud_conf_shared/README.md b/modules/integrations/splunk_cloud_conf_shared/README.md index d02c1580..bc99a491 100644 --- a/modules/integrations/splunk_cloud_conf_shared/README.md +++ b/modules/integrations/splunk_cloud_conf_shared/README.md @@ -3,15 +3,15 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.9.1 | -| [aws](#requirement\_aws) | >= 5.27 | +| [terraform](#requirement\_terraform) | >= 1.10 | +| [aws](#requirement\_aws) | >= 6.25 | | [splunk](#requirement\_splunk) | >= 1.4.30 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.23.0 | +| [aws](#provider\_aws) | 6.25.0 | | [splunk](#provider\_splunk) | 1.4.32 | ## Modules diff --git a/modules/integrations/splunk_cloud_conf_shared/versions.tf b/modules/integrations/splunk_cloud_conf_shared/versions.tf index 7b0eef9a..1f36511d 100644 --- a/modules/integrations/splunk_cloud_conf_shared/versions.tf +++ b/modules/integrations/splunk_cloud_conf_shared/versions.tf @@ -2,7 +2,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.27" + version = ">= 6.25" } splunk = { source = "splunk/splunk" @@ -11,5 +11,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.9.1" + required_version = ">= 1.10" } diff --git a/modules/integrations/splunk_cloud_data_manager/data_input/versions.tf b/modules/integrations/splunk_cloud_data_manager/data_input/versions.tf index 6ed9baaa..fe216b9a 100644 --- a/modules/integrations/splunk_cloud_data_manager/data_input/versions.tf +++ b/modules/integrations/splunk_cloud_data_manager/data_input/versions.tf @@ -3,11 +3,11 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.90" + version = ">= 6.25" } random = { source = "hashicorp/random" - version = ">= 3.7.1" + version = ">= 3.6" } external = { source = "hashicorp/external" @@ -19,7 +19,7 @@ terraform { } local = { source = "hashicorp/local" - version = ">= 2.5.2" + version = ">= 2.5" } time = { source = "hashicorp/time" @@ -28,5 +28,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.9.1" + required_version = ">= 1.10" } diff --git a/modules/integrations/splunk_cloud_data_manager/sec_meta_ec2_tags/versions.tf b/modules/integrations/splunk_cloud_data_manager/sec_meta_ec2_tags/versions.tf index 3353a29f..d509d257 100644 --- a/modules/integrations/splunk_cloud_data_manager/sec_meta_ec2_tags/versions.tf +++ b/modules/integrations/splunk_cloud_data_manager/sec_meta_ec2_tags/versions.tf @@ -3,10 +3,10 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.90" + version = ">= 6.25" } } # OpenTofu version. - required_version = ">= 1.9.1" + required_version = ">= 1.10" } diff --git a/modules/integrations/splunk_cloud_data_manager/versions.tf b/modules/integrations/splunk_cloud_data_manager/versions.tf index 378b9c90..fe216b9a 100644 --- a/modules/integrations/splunk_cloud_data_manager/versions.tf +++ b/modules/integrations/splunk_cloud_data_manager/versions.tf @@ -3,11 +3,11 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.90" + version = ">= 6.25" } random = { source = "hashicorp/random" - version = ">=3.7.1" + version = ">= 3.6" } external = { source = "hashicorp/external" @@ -19,7 +19,7 @@ terraform { } local = { source = "hashicorp/local" - version = ">= 2.5.2" + version = ">= 2.5" } time = { source = "hashicorp/time" @@ -28,5 +28,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.9.1" + required_version = ">= 1.10" } diff --git a/modules/integrations/splunk_cloud_data_manager_common/README.md b/modules/integrations/splunk_cloud_data_manager_common/README.md index 0c1fe241..a5697507 100644 --- a/modules/integrations/splunk_cloud_data_manager_common/README.md +++ b/modules/integrations/splunk_cloud_data_manager_common/README.md @@ -3,15 +3,15 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.9.1 | -| [aws](#requirement\_aws) | >= 5.90 | +| [terraform](#requirement\_terraform) | >= 1.10 | +| [aws](#requirement\_aws) | >= 6.25 | | [external](#requirement\_external) | >= 2.3 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.23.0 | +| [aws](#provider\_aws) | 6.25.0 | | [external](#provider\_external) | 2.3.5 | ## Modules diff --git a/modules/integrations/splunk_cloud_data_manager_common/versions.tf b/modules/integrations/splunk_cloud_data_manager_common/versions.tf index 288ee2ec..578aa4d4 100644 --- a/modules/integrations/splunk_cloud_data_manager_common/versions.tf +++ b/modules/integrations/splunk_cloud_data_manager_common/versions.tf @@ -3,7 +3,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.90" + version = ">= 6.25" } external = { source = "hashicorp/external" @@ -12,5 +12,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.9.1" + required_version = ">= 1.10" } diff --git a/modules/integrations/splunk_cloud_s3_runner_logs/README.md b/modules/integrations/splunk_cloud_s3_runner_logs/README.md index dadc3bd7..d4832493 100644 --- a/modules/integrations/splunk_cloud_s3_runner_logs/README.md +++ b/modules/integrations/splunk_cloud_s3_runner_logs/README.md @@ -3,15 +3,15 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.9.1 | -| [aws](#requirement\_aws) | >= 5.90 | +| [terraform](#requirement\_terraform) | >= 1.10 | +| [aws](#requirement\_aws) | >= 6.25 | | [external](#requirement\_external) | >= 2.3 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.23.0 | +| [aws](#provider\_aws) | 6.25.0 | | [external](#provider\_external) | 2.3.5 | ## Modules diff --git a/modules/integrations/splunk_cloud_s3_runner_logs/versions.tf b/modules/integrations/splunk_cloud_s3_runner_logs/versions.tf index 288ee2ec..578aa4d4 100644 --- a/modules/integrations/splunk_cloud_s3_runner_logs/versions.tf +++ b/modules/integrations/splunk_cloud_s3_runner_logs/versions.tf @@ -3,7 +3,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.90" + version = ">= 6.25" } external = { source = "hashicorp/external" @@ -12,5 +12,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.9.1" + required_version = ">= 1.10" } diff --git a/modules/integrations/splunk_o11y_aws_integration/README.md b/modules/integrations/splunk_o11y_aws_integration/README.md index 8f605b08..b792a099 100644 --- a/modules/integrations/splunk_o11y_aws_integration/README.md +++ b/modules/integrations/splunk_o11y_aws_integration/README.md @@ -3,14 +3,14 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.9.1 | -| [aws](#requirement\_aws) | >= 5.90 | +| [terraform](#requirement\_terraform) | >= 1.10 | +| [aws](#requirement\_aws) | >= 6.25 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.23.0 | +| [aws](#provider\_aws) | 6.25.0 | ## Modules diff --git a/modules/integrations/splunk_o11y_aws_integration/versions.tf b/modules/integrations/splunk_o11y_aws_integration/versions.tf index 3353a29f..d509d257 100644 --- a/modules/integrations/splunk_o11y_aws_integration/versions.tf +++ b/modules/integrations/splunk_o11y_aws_integration/versions.tf @@ -3,10 +3,10 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.90" + version = ">= 6.25" } } # OpenTofu version. - required_version = ">= 1.9.1" + required_version = ">= 1.10" } diff --git a/modules/integrations/splunk_o11y_aws_integration_common/README.md b/modules/integrations/splunk_o11y_aws_integration_common/README.md index 42365053..7056217b 100644 --- a/modules/integrations/splunk_o11y_aws_integration_common/README.md +++ b/modules/integrations/splunk_o11y_aws_integration_common/README.md @@ -3,8 +3,8 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.9.1 | -| [aws](#requirement\_aws) | >= 5.90 | +| [terraform](#requirement\_terraform) | >= 1.10 | +| [aws](#requirement\_aws) | >= 6.25 | | [signalfx](#requirement\_signalfx) | < 10.0.0 | | [time](#requirement\_time) | >= 0.13 | @@ -12,8 +12,8 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.23.0 | -| [signalfx](#provider\_signalfx) | 9.22.3 | +| [aws](#provider\_aws) | 6.25.0 | +| [signalfx](#provider\_signalfx) | 9.23.0 | | [time](#provider\_time) | 0.13.1 | ## Modules diff --git a/modules/integrations/splunk_o11y_aws_integration_common/versions.tf b/modules/integrations/splunk_o11y_aws_integration_common/versions.tf index 6452cee6..aeaf6ade 100644 --- a/modules/integrations/splunk_o11y_aws_integration_common/versions.tf +++ b/modules/integrations/splunk_o11y_aws_integration_common/versions.tf @@ -3,7 +3,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.90" + version = ">= 6.25" } signalfx = { source = "splunk-terraform/signalfx" @@ -16,5 +16,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.9.1" + required_version = ">= 1.10" } diff --git a/modules/integrations/splunk_o11y_conf_shared/README.md b/modules/integrations/splunk_o11y_conf_shared/README.md index 23f34774..f23cb62e 100644 --- a/modules/integrations/splunk_o11y_conf_shared/README.md +++ b/modules/integrations/splunk_o11y_conf_shared/README.md @@ -3,67 +3,34 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.9.1 | -| [aws](#requirement\_aws) | >= 5.90 | +| [terraform](#requirement\_terraform) | >= 1.10 | +| [aws](#requirement\_aws) | >= 6.25 | | [signalfx](#requirement\_signalfx) | < 10.0.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.23.0 | -| [signalfx](#provider\_signalfx) | 9.22.3 | +| [aws](#provider\_aws) | 6.25.0 | +| [signalfx](#provider\_signalfx) | 9.23.0 | ## Modules -No modules. +| Name | Source | Version | +|------|--------|---------| +| [dashboard\_billing](#module\_dashboard\_billing) | ./dashboards/billing | n/a | +| [dashboard\_dynamodb](#module\_dashboard\_dynamodb) | ./dashboards/dynamodb | n/a | +| [dashboard\_ebs](#module\_dashboard\_ebs) | ./dashboards/ebs | n/a | +| [dashboard\_lambda](#module\_dashboard\_lambda) | ./dashboards/lambda | n/a | +| [dashboard\_runner\_ec2](#module\_dashboard\_runner\_ec2) | ./dashboards/runner_ec2 | n/a | +| [dashboard\_runner\_k8s](#module\_dashboard\_runner\_k8s) | ./dashboards/runner_k8s | n/a | +| [dashboard\_sqs](#module\_dashboard\_sqs) | ./dashboards/sqs | n/a | ## Resources | Name | Type | |------|------| -| [signalfx_dashboard.billing](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/dashboard) | resource | -| [signalfx_dashboard.runner_ec2](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/dashboard) | resource | -| [signalfx_dashboard.runner_k8s](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/dashboard) | resource | | [signalfx_dashboard_group.forgecicd](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/dashboard_group) | resource | -| [signalfx_list_chart.chart_active_hosts_by_availability_zone](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/list_chart) | resource | -| [signalfx_list_chart.chart_active_hosts_per_instance_type](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/list_chart) | resource | -| [signalfx_list_chart.chart_disk_metrics_24h_change](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/list_chart) | resource | -| [signalfx_list_chart.chart_disk_summary_utilization](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/list_chart) | resource | -| [signalfx_list_chart.chart_top_5_network_in_bytes](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/list_chart) | resource | -| [signalfx_list_chart.chart_top_5_network_out_bytes](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/list_chart) | resource | -| [signalfx_list_chart.chart_top_images_by_mean_cpu_utilization](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/list_chart) | resource | -| [signalfx_list_chart.chart_top_instances_by_cpu_utilization](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/list_chart) | resource | -| [signalfx_list_chart.chart_top_memory_page_swaps_sec](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/list_chart) | resource | -| [signalfx_list_chart.chart_total_network_errors](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/list_chart) | resource | -| [signalfx_list_chart.k8s_network_errors_per_sec](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/list_chart) | resource | -| [signalfx_list_chart.k8s_pods_by_phase](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/list_chart) | resource | -| [signalfx_list_chart.k8s_top_10_cpu_usage_per_pod](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/list_chart) | resource | -| [signalfx_list_chart.k8s_top_10_pods_by_avg_memory_usage](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/list_chart) | resource | -| [signalfx_single_value_chart.chart_active_hosts](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/single_value_chart) | resource | -| [signalfx_single_value_chart.chart_hosts_with_agent_installed](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/single_value_chart) | resource | -| [signalfx_single_value_chart.k8s_active_pods](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/single_value_chart) | resource | -| [signalfx_single_value_chart.k8s_available_pods_by_deployments](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/single_value_chart) | resource | -| [signalfx_single_value_chart.k8s_desired_pods_by_deployments](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/single_value_chart) | resource | -| [signalfx_time_chart.chart_cpu_utilization](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | -| [signalfx_time_chart.chart_disk_io_bytes](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | -| [signalfx_time_chart.chart_disk_ops](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | -| [signalfx_time_chart.chart_disk_utilization](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | -| [signalfx_time_chart.chart_memory_utilization](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | -| [signalfx_time_chart.chart_network_in_bytes](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | -| [signalfx_time_chart.chart_network_in_bytes_vs_24h_change](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | -| [signalfx_time_chart.chart_network_out_bytes](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | -| [signalfx_time_chart.chart_network_out_bytes_vs_24h_change](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | -| [signalfx_time_chart.chart_total_memory_overview_bytes](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | -| [signalfx_time_chart.cost_per_service](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | -| [signalfx_time_chart.cost_per_tenant](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | -| [signalfx_time_chart.k8s_memory_usage_bytes](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | -| [signalfx_time_chart.k8s_memory_usage_pct](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | -| [signalfx_time_chart.k8s_network_bytes_per_sec](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | -| [signalfx_time_chart.net_cost_per_service](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | -| [signalfx_time_chart.net_cost_per_tenant](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | -| [signalfx_time_chart.total_cost](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | -| [signalfx_time_chart.total_net_cost](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | | [aws_secretsmanager_secret.secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source | | [aws_secretsmanager_secret_version.secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret_version) | data source | @@ -73,7 +40,7 @@ No modules. |------|-------------|------|---------|:--------:| | [aws\_profile](#input\_aws\_profile) | AWS profile (i.e., generated via 'sl aws session generate') to use. | `string` | n/a | yes | | [aws\_region](#input\_aws\_region) | Default AWS region. | `string` | n/a | yes | -| [dashboard\_variables](#input\_dashboard\_variables) | Variables for Dashboards | 
object({
    runner_k8s = object({
      tenant_names = list(string)
      dynamic_variables = list(object({
        property               = string
        alias                  = string
        description            = string
        values                 = list(string)
        value_required         = bool
        values_suggested       = list(string)
        restricted_suggestions = bool
        }
      ))
    })
    runner_ec2 = object({
      tenant_names = list(string)
      dynamic_variables = list(object({
        property               = string
        alias                  = string
        description            = string
        values                 = list(string)
        value_required         = bool
        values_suggested       = list(string)
        restricted_suggestions = bool
        }
      ))
    })
    billing = object({
      tenant_names = list(string)
      dynamic_variables = list(object({
        property               = string
        alias                  = string
        description            = string
        values                 = list(string)
        value_required         = bool
        values_suggested       = list(string)
        restricted_suggestions = bool
        }
      ))
    })
  })
| n/a | yes | +| [dashboard\_variables](#input\_dashboard\_variables) | Variables for Dashboards | 
object({
    runner_k8s = object({
      tenant_names = list(string)
      dynamic_variables = list(object({
        property               = string
        alias                  = string
        description            = string
        values                 = list(string)
        value_required         = bool
        values_suggested       = list(string)
        restricted_suggestions = bool
        }
      ))
    })
    runner_ec2 = object({
      tenant_names = list(string)
      dynamic_variables = list(object({
        property               = string
        alias                  = string
        description            = string
        values                 = list(string)
        value_required         = bool
        values_suggested       = list(string)
        restricted_suggestions = bool
        }
      ))
    })
    billing = object({
      tenant_names = list(string)
      dynamic_variables = list(object({
        property               = string
        alias                  = string
        description            = string
        values                 = list(string)
        value_required         = bool
        values_suggested       = list(string)
        restricted_suggestions = bool
        }
      ))
    })
    sqs = object({
      tenant_names = list(string)
      dynamic_variables = list(object({
        property               = string
        alias                  = string
        description            = string
        values                 = list(string)
        value_required         = bool
        values_suggested       = list(string)
        restricted_suggestions = bool
        }
      ))
    })
    ebs = object({
      tenant_names = list(string)
      dynamic_variables = list(object({
        property               = string
        alias                  = string
        description            = string
        values                 = list(string)
        value_required         = bool
        values_suggested       = list(string)
        restricted_suggestions = bool
        }
      ))
    })
    lambda = object({
      tenant_names = list(string)
      dynamic_variables = list(object({
        property               = string
        alias                  = string
        description            = string
        values                 = list(string)
        value_required         = bool
        values_suggested       = list(string)
        restricted_suggestions = bool
        }
      ))
    })
    dynamodb = object({
      tenant_names = list(string)
      dynamic_variables = list(object({
        property               = string
        alias                  = string
        description            = string
        values                 = list(string)
        value_required         = bool
        values_suggested       = list(string)
        restricted_suggestions = bool
        }
      ))
    })
  })
| n/a | yes | | [default\_tags](#input\_default\_tags) | A map of tags to apply to resources. | `map(string)` | n/a | yes | | [splunk\_api\_url](#input\_splunk\_api\_url) | URL for plunk Observability Cloud API. | `string` | n/a | yes | | [splunk\_organization\_id](#input\_splunk\_organization\_id) | organization ID for Splunk Observability Cloud. | `string` | n/a | yes | diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/billing/README.md b/modules/integrations/splunk_o11y_conf_shared/dashboards/billing/README.md new file mode 100644 index 00000000..24f84338 --- /dev/null +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/billing/README.md @@ -0,0 +1,42 @@ + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.10 | +| [signalfx](#requirement\_signalfx) | < 10.0.0 | + +## Providers + +| Name | Version | +|------|---------| +| [signalfx](#provider\_signalfx) | 9.23.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [signalfx_dashboard.billing](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/dashboard) | resource | +| [signalfx_time_chart.cost_per_service](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.cost_per_tenant](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.net_cost_per_service](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.net_cost_per_tenant](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.total_cost](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.total_net_cost](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [dashboard\_group](#input\_dashboard\_group) | Dashboard group name for organizing dashboards. | `string` | n/a | yes | +| [dynamic\_variables](#input\_dynamic\_variables) | Additional dynamic variable definitions for the dashboard. | 
list(object({
    property               = string
    alias                  = string
    description            = string
    values                 = list(string)
    value_required         = bool
    values_suggested       = list(string)
    restricted_suggestions = bool
  }))
| `[]` | no | +| [tenant\_names](#input\_tenant\_names) | List of tenant names used for the dashboard. | `list(string)` | n/a | yes | + +## Outputs + +No outputs. + diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/billing/versions.tf b/modules/integrations/splunk_o11y_conf_shared/dashboards/billing/versions.tf index 8218b2cb..cb5da702 100644 --- a/modules/integrations/splunk_o11y_conf_shared/dashboards/billing/versions.tf +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/billing/versions.tf @@ -8,5 +8,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.9.1" + required_version = ">= 1.10" } diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/dynamodb/README.md b/modules/integrations/splunk_o11y_conf_shared/dashboards/dynamodb/README.md new file mode 100644 index 00000000..f42daf49 --- /dev/null +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/dynamodb/README.md @@ -0,0 +1,49 @@ + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.10 | +| [signalfx](#requirement\_signalfx) | < 10.0.0 | + +## Providers + +| Name | Version | +|------|---------| +| [signalfx](#provider\_signalfx) | 9.23.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [signalfx_dashboard.dynamodb](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/dashboard) | resource | +| [signalfx_single_value_chart.avg_request_latency_single](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/single_value_chart) | resource | +| [signalfx_single_value_chart.system_errors_single](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/single_value_chart) | resource | +| [signalfx_single_value_chart.throttled_requests_single](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/single_value_chart) | resource | +| [signalfx_single_value_chart.user_errors_single](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/single_value_chart) | resource | +| [signalfx_time_chart.avg_request_latency_ts](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.read_capacity_percentage](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.read_throttle_events](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.returned_item_count](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.system_errors_ts](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.throttled_requests_ts](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.user_errors_ts](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.write_capacity_percentage](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.write_throttle_events](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [dashboard\_group](#input\_dashboard\_group) | Dashboard group name for organizing dashboards. | `string` | n/a | yes | +| [dynamic\_variables](#input\_dynamic\_variables) | Additional dynamic variable definitions for the dashboard. | 
list(object({
    property               = string
    alias                  = string
    description            = string
    values                 = list(string)
    value_required         = bool
    values_suggested       = list(string)
    restricted_suggestions = bool
  }))
| `[]` | no | +| [tenant\_names](#input\_tenant\_names) | List of tenant names used for the dashboard. | `list(string)` | n/a | yes | + +## Outputs + +No outputs. + diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/dynamodb/versions.tf b/modules/integrations/splunk_o11y_conf_shared/dashboards/dynamodb/versions.tf index 8218b2cb..cb5da702 100644 --- a/modules/integrations/splunk_o11y_conf_shared/dashboards/dynamodb/versions.tf +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/dynamodb/versions.tf @@ -8,5 +8,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.9.1" + required_version = ">= 1.10" } diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/ebs/README.md b/modules/integrations/splunk_o11y_conf_shared/dashboards/ebs/README.md new file mode 100644 index 00000000..e55e3d0c --- /dev/null +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/ebs/README.md @@ -0,0 +1,51 @@ + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.10 | +| [signalfx](#requirement\_signalfx) | < 10.0.0 | + +## Providers + +| Name | Version | +|------|---------| +| [signalfx](#provider\_signalfx) | 9.23.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [signalfx_dashboard.ebs](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/dashboard) | resource | +| [signalfx_single_value_chart.state](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/single_value_chart) | resource | +| [signalfx_time_chart.avg_queue_length](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.byte_utilization_pct](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.idle_time](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.latency_op](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.read_latency](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.read_ops](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.read_throughput](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.read_vs_write_ops](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.rw_bytes_breakdown](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.total_read_time](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.total_write_time](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.write_latency](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.write_ops](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.write_throughput](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [dashboard\_group](#input\_dashboard\_group) | Dashboard group name for organizing dashboards. | `string` | n/a | yes | +| [dynamic\_variables](#input\_dynamic\_variables) | Additional dynamic variable definitions for the dashboard. | 
list(object({
    property               = string
    alias                  = string
    description            = string
    values                 = list(string)
    value_required         = bool
    values_suggested       = list(string)
    restricted_suggestions = bool
  }))
| `[]` | no | +| [tenant\_names](#input\_tenant\_names) | List of tenant names used for the dashboard. | `list(string)` | n/a | yes | + +## Outputs + +No outputs. + diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/ebs/versions.tf b/modules/integrations/splunk_o11y_conf_shared/dashboards/ebs/versions.tf index 8218b2cb..cb5da702 100644 --- a/modules/integrations/splunk_o11y_conf_shared/dashboards/ebs/versions.tf +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/ebs/versions.tf @@ -8,5 +8,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.9.1" + required_version = ">= 1.10" } diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/lambda/README.md b/modules/integrations/splunk_o11y_conf_shared/dashboards/lambda/README.md new file mode 100644 index 00000000..ff38642b --- /dev/null +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/lambda/README.md @@ -0,0 +1,51 @@ + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.10 | +| [signalfx](#requirement\_signalfx) | < 10.0.0 | + +## Providers + +| Name | Version | +|------|---------| +| [signalfx](#provider\_signalfx) | 9.23.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [signalfx_dashboard.lambda](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/dashboard) | resource | +| [signalfx_list_chart.avg_duration_by_version](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/list_chart) | resource | +| [signalfx_list_chart.percent_invocations_by_version](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/list_chart) | resource | +| [signalfx_single_value_chart.avg_invocation_duration](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/single_value_chart) | resource | +| [signalfx_single_value_chart.total_errors](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/single_value_chart) | resource | +| [signalfx_single_value_chart.total_invocations](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/single_value_chart) | resource | +| [signalfx_single_value_chart.total_spillover_invocations](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/single_value_chart) | resource | +| [signalfx_single_value_chart.total_throttles](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/single_value_chart) | resource | +| [signalfx_time_chart.errors_by_version](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.invocations](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.invocations_by_version](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.provisioned_concurrency_invocations_by_version](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.provisioned_concurrency_spillover_invocations_by_version](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.provisioned_concurrency_utilization](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.provisioned_concurrent_executions_by_version](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.throttles_by_version](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [dashboard\_group](#input\_dashboard\_group) | Dashboard group name for organizing dashboards. | `string` | n/a | yes | +| [dynamic\_variables](#input\_dynamic\_variables) | Additional dynamic variable definitions for the dashboard. | 
list(object({
    property               = string
    alias                  = string
    description            = string
    values                 = list(string)
    value_required         = bool
    values_suggested       = list(string)
    restricted_suggestions = bool
  }))
| `[]` | no | +| [tenant\_names](#input\_tenant\_names) | List of tenant names used for the dashboard. | `list(string)` | n/a | yes | + +## Outputs + +No outputs. + diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/lambda/versions.tf b/modules/integrations/splunk_o11y_conf_shared/dashboards/lambda/versions.tf index 8218b2cb..cb5da702 100644 --- a/modules/integrations/splunk_o11y_conf_shared/dashboards/lambda/versions.tf +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/lambda/versions.tf @@ -8,5 +8,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.9.1" + required_version = ">= 1.10" } diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_ec2/README.md b/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_ec2/README.md new file mode 100644 index 00000000..fd98966b --- /dev/null +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_ec2/README.md @@ -0,0 +1,58 @@ + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.10 | +| [signalfx](#requirement\_signalfx) | < 10.0.0 | + +## Providers + +| Name | Version | +|------|---------| +| [signalfx](#provider\_signalfx) | 9.23.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [signalfx_dashboard.runner_ec2](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/dashboard) | resource | +| [signalfx_list_chart.chart_active_hosts_by_availability_zone](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/list_chart) | resource | +| [signalfx_list_chart.chart_active_hosts_per_instance_type](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/list_chart) | resource | +| [signalfx_list_chart.chart_disk_metrics_24h_change](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/list_chart) | resource | +| [signalfx_list_chart.chart_disk_summary_utilization](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/list_chart) | resource | +| [signalfx_list_chart.chart_top_5_network_in_bytes](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/list_chart) | resource | +| [signalfx_list_chart.chart_top_5_network_out_bytes](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/list_chart) | resource | +| [signalfx_list_chart.chart_top_images_by_mean_cpu_utilization](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/list_chart) | resource | +| [signalfx_list_chart.chart_top_instances_by_cpu_utilization](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/list_chart) | resource | +| [signalfx_list_chart.chart_top_memory_page_swaps_sec](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/list_chart) | resource | +| [signalfx_list_chart.chart_total_network_errors](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/list_chart) | resource | +| [signalfx_single_value_chart.chart_active_hosts](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/single_value_chart) | resource | +| [signalfx_single_value_chart.chart_hosts_with_agent_installed](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/single_value_chart) | resource | +| [signalfx_time_chart.chart_cpu_utilization](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.chart_disk_io_bytes](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.chart_disk_ops](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.chart_disk_utilization](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.chart_memory_utilization](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.chart_network_in_bytes](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.chart_network_in_bytes_vs_24h_change](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.chart_network_out_bytes](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.chart_network_out_bytes_vs_24h_change](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.chart_total_memory_overview_bytes](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [dashboard\_group](#input\_dashboard\_group) | Dashboard group name for organizing dashboards. | `string` | n/a | yes | +| [dynamic\_variables](#input\_dynamic\_variables) | Additional dynamic variable definitions for the dashboard. | 
list(object({
    property               = string
    alias                  = string
    description            = string
    values                 = list(string)
    value_required         = bool
    values_suggested       = list(string)
    restricted_suggestions = bool
  }))
| `[]` | no | +| [tenant\_names](#input\_tenant\_names) | List of tenant names used for the dashboard. | `list(string)` | n/a | yes | + +## Outputs + +No outputs. + diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_ec2/versions.tf b/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_ec2/versions.tf index 8218b2cb..cb5da702 100644 --- a/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_ec2/versions.tf +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_ec2/versions.tf @@ -8,5 +8,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.9.1" + required_version = ">= 1.10" } diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_k8s/README.md b/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_k8s/README.md new file mode 100644 index 00000000..3c04dac1 --- /dev/null +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_k8s/README.md @@ -0,0 +1,46 @@ + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.10 | +| [signalfx](#requirement\_signalfx) | < 10.0.0 | + +## Providers + +| Name | Version | +|------|---------| +| [signalfx](#provider\_signalfx) | 9.23.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [signalfx_dashboard.runner_k8s](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/dashboard) | resource | +| [signalfx_list_chart.k8s_network_errors_per_sec](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/list_chart) | resource | +| [signalfx_list_chart.k8s_pods_by_phase](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/list_chart) | resource | +| [signalfx_list_chart.k8s_top_10_cpu_usage_per_pod](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/list_chart) | resource | +| [signalfx_list_chart.k8s_top_10_pods_by_avg_memory_usage](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/list_chart) | resource | +| [signalfx_single_value_chart.k8s_active_pods](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/single_value_chart) | resource | +| [signalfx_single_value_chart.k8s_available_pods_by_deployments](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/single_value_chart) | resource | +| [signalfx_single_value_chart.k8s_desired_pods_by_deployments](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/single_value_chart) | resource | +| [signalfx_time_chart.k8s_memory_usage_bytes](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.k8s_memory_usage_pct](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.k8s_network_bytes_per_sec](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [dashboard\_group](#input\_dashboard\_group) | Dashboard group name for organizing dashboards. | `string` | n/a | yes | +| [dynamic\_variables](#input\_dynamic\_variables) | Additional dynamic variable definitions for the dashboard. | 
list(object({
    property               = string
    alias                  = string
    description            = string
    values                 = list(string)
    value_required         = bool
    values_suggested       = list(string)
    restricted_suggestions = bool
  }))
| `[]` | no | +| [tenant\_names](#input\_tenant\_names) | List of tenant names used for the dashboard. | `list(string)` | n/a | yes | + +## Outputs + +No outputs. + diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_k8s/versions.tf b/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_k8s/versions.tf index 8218b2cb..cb5da702 100644 --- a/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_k8s/versions.tf +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_k8s/versions.tf @@ -8,5 +8,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.9.1" + required_version = ">= 1.10" } diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/sqs/README.md b/modules/integrations/splunk_o11y_conf_shared/dashboards/sqs/README.md new file mode 100644 index 00000000..1c103893 --- /dev/null +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/sqs/README.md @@ -0,0 +1,45 @@ + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.10 | +| [signalfx](#requirement\_signalfx) | < 10.0.0 | + +## Providers + +| Name | Version | +|------|---------| +| [signalfx](#provider\_signalfx) | 9.23.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [signalfx_dashboard.sqs](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/dashboard) | resource | +| [signalfx_list_chart.oldest_message_age](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/list_chart) | resource | +| [signalfx_list_chart.top_queues_by_message_received](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/list_chart) | resource | +| [signalfx_list_chart.top_queues_by_message_sent](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/list_chart) | resource | +| [signalfx_single_value_chart.queues](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/single_value_chart) | resource | +| [signalfx_time_chart.empty_receives](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.message_processing_trend](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.messages_by_state](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.messages_deleted](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | +| [signalfx_time_chart.sent_message_size](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/time_chart) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [dashboard\_group](#input\_dashboard\_group) | Dashboard group name for organizing dashboards. | `string` | n/a | yes | +| [dynamic\_variables](#input\_dynamic\_variables) | Additional dynamic variable definitions for the dashboard. | 
list(object({
    property               = string
    alias                  = string
    description            = string
    values                 = list(string)
    value_required         = bool
    values_suggested       = list(string)
    restricted_suggestions = bool
  }))
| `[]` | no | +| [tenant\_names](#input\_tenant\_names) | List of tenant names used for the dashboard. | `list(string)` | n/a | yes | + +## Outputs + +No outputs. + diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/sqs/versions.tf b/modules/integrations/splunk_o11y_conf_shared/dashboards/sqs/versions.tf index 8218b2cb..cb5da702 100644 --- a/modules/integrations/splunk_o11y_conf_shared/dashboards/sqs/versions.tf +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/sqs/versions.tf @@ -8,5 +8,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.9.1" + required_version = ">= 1.10" } diff --git a/modules/integrations/splunk_o11y_conf_shared/versions.tf b/modules/integrations/splunk_o11y_conf_shared/versions.tf index 704bf3d6..5f5c12c2 100644 --- a/modules/integrations/splunk_o11y_conf_shared/versions.tf +++ b/modules/integrations/splunk_o11y_conf_shared/versions.tf @@ -3,7 +3,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.90" + version = ">= 6.25" } signalfx = { source = "splunk-terraform/signalfx" @@ -12,5 +12,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.9.1" + required_version = ">= 1.10" } diff --git a/modules/integrations/splunk_otel_eks/README.md b/modules/integrations/splunk_otel_eks/README.md index 1e3b991e..b9e41061 100644 --- a/modules/integrations/splunk_otel_eks/README.md +++ b/modules/integrations/splunk_otel_eks/README.md @@ -3,8 +3,8 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.9.1 | -| [aws](#requirement\_aws) | >= 5.90 | +| [terraform](#requirement\_terraform) | >= 1.10 | +| [aws](#requirement\_aws) | >= 6.25 | | [helm](#requirement\_helm) | >= 3.0.0 | | [kubernetes](#requirement\_kubernetes) | >= 2.36.0 | @@ -12,7 +12,7 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.23.0 | +| [aws](#provider\_aws) | 6.25.0 | | [helm](#provider\_helm) | 3.1.1 | ## Modules diff --git a/modules/integrations/splunk_otel_eks/versions.tf b/modules/integrations/splunk_otel_eks/versions.tf index 21e524f6..63c48c83 100644 --- a/modules/integrations/splunk_otel_eks/versions.tf +++ b/modules/integrations/splunk_otel_eks/versions.tf @@ -3,7 +3,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.90" + version = ">= 6.25" } helm = { source = "hashicorp/helm" @@ -11,10 +11,10 @@ terraform { } kubernetes = { source = "hashicorp/kubernetes" - version = ">= 2.36.0" + version = ">= 3.0" } } # OpenTofu version. - required_version = ">= 1.9.1" + required_version = ">= 1.10" } diff --git a/modules/integrations/splunk_secrets/versions.tf b/modules/integrations/splunk_secrets/versions.tf index 04078419..148f4aec 100644 --- a/modules/integrations/splunk_secrets/versions.tf +++ b/modules/integrations/splunk_secrets/versions.tf @@ -3,7 +3,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.90" + version = ">= 6.25" } time = { source = "hashicorp/time" @@ -12,5 +12,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.9.1" + required_version = ">= 1.10" } diff --git a/modules/integrations/teleport/README.md b/modules/integrations/teleport/README.md index 3512be6d..39f3af40 100644 --- a/modules/integrations/teleport/README.md +++ b/modules/integrations/teleport/README.md @@ -3,8 +3,8 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.9.1 | -| [aws](#requirement\_aws) | >= 5.27 | +| [terraform](#requirement\_terraform) | >= 1.10 | +| [aws](#requirement\_aws) | >= 6.25 | | [helm](#requirement\_helm) | >= 3.0.0 | | [kubernetes](#requirement\_kubernetes) | >= 2.36.0 | @@ -12,8 +12,8 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.23.0 | -| [kubernetes](#provider\_kubernetes) | 2.38.0 | +| [aws](#provider\_aws) | 6.25.0 | +| [kubernetes](#provider\_kubernetes) | 3.0.0 | ## Modules @@ -28,7 +28,7 @@ | [aws_iam_policy.eks_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_role.teleport_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_iam_role_policy_attachment.attach_eks_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [kubernetes_config_map_v1.aws_auth_teleport](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map) | resource | +| [kubernetes_config_map_v1.aws_auth_teleport](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map_v1) | resource | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_eks_cluster.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source | | [aws_eks_cluster_auth.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source | diff --git a/modules/integrations/teleport/tenant/README.md b/modules/integrations/teleport/tenant/README.md index 1da44863..c3adce58 100644 --- a/modules/integrations/teleport/tenant/README.md +++ b/modules/integrations/teleport/tenant/README.md @@ -3,8 +3,8 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.9.1 | -| [aws](#requirement\_aws) | >= 5.90 | +| [terraform](#requirement\_terraform) | >= 1.10 | +| [aws](#requirement\_aws) | >= 6.25 | | [helm](#requirement\_helm) | >= 3.0.0 | | [kubernetes](#requirement\_kubernetes) | >= 2.36.0 | @@ -12,7 +12,7 @@ | Name | Version | |------|---------| -| [kubernetes](#provider\_kubernetes) | 2.38.0 | +| [kubernetes](#provider\_kubernetes) | 3.0.0 | ## Modules @@ -22,10 +22,10 @@ No modules. | Name | Type | |------|------| -| [kubernetes_cluster_role.impersonate](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role) | resource | -| [kubernetes_cluster_role.pods](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role) | resource | -| [kubernetes_cluster_role_binding.impersonate](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role_binding) | resource | -| [kubernetes_role_binding_v1.pods](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding) | resource | +| [kubernetes_cluster_role_binding_v1.impersonate](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role_binding_v1) | resource | +| [kubernetes_cluster_role_v1.impersonate](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role_v1) | resource | +| [kubernetes_cluster_role_v1.pods](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role_v1) | resource | +| [kubernetes_role_binding_v1.pods](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding_v1) | resource | ## Inputs diff --git a/modules/integrations/teleport/tenant/versions.tf b/modules/integrations/teleport/tenant/versions.tf index 5163401e..7f8762af 100644 --- a/modules/integrations/teleport/tenant/versions.tf +++ b/modules/integrations/teleport/tenant/versions.tf @@ -2,7 +2,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.90" + version = ">= 6.25" } helm = { source = "hashicorp/helm" @@ -10,10 +10,10 @@ terraform { } kubernetes = { source = "hashicorp/kubernetes" - version = ">= 2.36.0" + version = ">= 3.0" } } # OpenTofu version. - required_version = ">= 1.9.1" + required_version = ">= 1.10" } diff --git a/modules/integrations/teleport/versions.tf b/modules/integrations/teleport/versions.tf index 06035e89..7f8762af 100644 --- a/modules/integrations/teleport/versions.tf +++ b/modules/integrations/teleport/versions.tf @@ -2,7 +2,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.27" + version = ">= 6.25" } helm = { source = "hashicorp/helm" @@ -10,10 +10,10 @@ terraform { } kubernetes = { source = "hashicorp/kubernetes" - version = ">= 2.36.0" + version = ">= 3.0" } } # OpenTofu version. - required_version = ">= 1.9.1" + required_version = ">= 1.10" } diff --git a/modules/platform/arc_deployment/README.md b/modules/platform/arc_deployment/README.md index 9d57f2b1..ff61528f 100644 --- a/modules/platform/arc_deployment/README.md +++ b/modules/platform/arc_deployment/README.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.9.1 | +| [terraform](#requirement\_terraform) | >= 1.10 | ## Providers @@ -32,6 +32,7 @@ No resources. | Name | Description | |------|-------------| -| [arc\_runners\_arn\_map](#output\_arc\_runners\_arn\_map) | n/a | -| [subnet\_cidr\_blocks](#output\_subnet\_cidr\_blocks) | n/a | +| [arc\_cluster\_name](#output\_arc\_cluster\_name) | Name of the Kubernetes cluster used for ARC runners. | +| [arc\_runners\_arn\_map](#output\_arc\_runners\_arn\_map) | Map of ARC runner keys to their IAM role ARNs. | +| [subnet\_cidr\_blocks](#output\_subnet\_cidr\_blocks) | Map of ARC runner subnet IDs to their CIDR blocks. | diff --git a/modules/platform/arc_deployment/versions.tf b/modules/platform/arc_deployment/versions.tf index 5a407547..6a3a3d9d 100644 --- a/modules/platform/arc_deployment/versions.tf +++ b/modules/platform/arc_deployment/versions.tf @@ -1,4 +1,4 @@ terraform { # OpenTofu version. - required_version = ">= 1.9.1" + required_version = ">= 1.10" } diff --git a/modules/platform/ec2_deployment/README.md b/modules/platform/ec2_deployment/README.md index 3a9f619f..da669c04 100644 --- a/modules/platform/ec2_deployment/README.md +++ b/modules/platform/ec2_deployment/README.md @@ -3,23 +3,22 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.9.1 | +| [terraform](#requirement\_terraform) | >= 1.10 | | [archive](#requirement\_archive) | >= 2.7.0 | -| [aws](#requirement\_aws) | >= 5.27 | +| [aws](#requirement\_aws) | >= 6.25 | | [external](#requirement\_external) | >= 2.3 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.23.0 | +| [aws](#provider\_aws) | 6.25.0 | | [external](#provider\_external) | 2.3.5 | ## Modules | Name | Source | Version | |------|--------|---------| -| [ec2\_redrive\_deadletter](#module\_ec2\_redrive\_deadletter) | ./ec2_redrive_deadletter | n/a | | [ec2\_update\_runner\_ssm\_ami](#module\_ec2\_update\_runner\_ssm\_ami) | ./ec2_update_runner_ssm_ami | n/a | | [ec2\_update\_runner\_tags](#module\_ec2\_update\_runner\_tags) | ./ec2_update_runner_tags | n/a | | [runners](#module\_runners) | git::https://github.com/github-aws-runners/terraform-aws-github-runner.git//modules/multi-runner | v6.10.1 | @@ -52,9 +51,9 @@ | Name | Description | |------|-------------| -| [ec2\_runners\_ami\_name\_map](#output\_ec2\_runners\_ami\_name\_map) | n/a | -| [ec2\_runners\_arn\_map](#output\_ec2\_runners\_arn\_map) | n/a | -| [event\_bus\_name](#output\_event\_bus\_name) | n/a | -| [subnet\_cidr\_blocks](#output\_subnet\_cidr\_blocks) | n/a | -| [webhook\_endpoint](#output\_webhook\_endpoint) | n/a | +| [ec2\_runners\_ami\_name\_map](#output\_ec2\_runners\_ami\_name\_map) | Map of EC2 runner keys to the AMI names used for each runner. | +| [ec2\_runners\_arn\_map](#output\_ec2\_runners\_arn\_map) | Map of EC2 runner keys to their IAM role ARNs. | +| [event\_bus\_name](#output\_event\_bus\_name) | Name of the EventBridge event bus used by the webhook relay. | +| [subnet\_cidr\_blocks](#output\_subnet\_cidr\_blocks) | Map of EC2 runner subnet IDs to their CIDR blocks. | +| [webhook\_endpoint](#output\_webhook\_endpoint) | Public HTTPS endpoint URL for the GitHub Actions webhook relay. | diff --git a/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/README.md b/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/README.md index e57f6400..c27f7d3d 100644 --- a/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/README.md +++ b/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/README.md @@ -3,14 +3,14 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.9.1 | -| [aws](#requirement\_aws) | >= 5.27 | +| [terraform](#requirement\_terraform) | >= 1.10 | +| [aws](#requirement\_aws) | >= 6.25 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.23.0 | +| [aws](#provider\_aws) | 6.25.0 | ## Modules diff --git a/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/versions.tf b/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/versions.tf index d193e844..606ac009 100644 --- a/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/versions.tf +++ b/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/versions.tf @@ -2,10 +2,10 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.27" + version = ">= 6.25" } } # OpenTofu version. - required_version = ">= 1.9.1" + required_version = ">= 1.10" } diff --git a/modules/platform/ec2_deployment/ec2_update_runner_tags/README.md b/modules/platform/ec2_deployment/ec2_update_runner_tags/README.md index e70775a1..886e9d0e 100644 --- a/modules/platform/ec2_deployment/ec2_update_runner_tags/README.md +++ b/modules/platform/ec2_deployment/ec2_update_runner_tags/README.md @@ -3,14 +3,14 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.9.1 | -| [aws](#requirement\_aws) | >= 5.27 | +| [terraform](#requirement\_terraform) | >= 1.10 | +| [aws](#requirement\_aws) | >= 6.25 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.23.0 | +| [aws](#provider\_aws) | 6.25.0 | ## Modules diff --git a/modules/platform/ec2_deployment/ec2_update_runner_tags/versions.tf b/modules/platform/ec2_deployment/ec2_update_runner_tags/versions.tf index d193e844..606ac009 100644 --- a/modules/platform/ec2_deployment/ec2_update_runner_tags/versions.tf +++ b/modules/platform/ec2_deployment/ec2_update_runner_tags/versions.tf @@ -2,10 +2,10 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.27" + version = ">= 6.25" } } # OpenTofu version. - required_version = ">= 1.9.1" + required_version = ">= 1.10" } diff --git a/modules/platform/ec2_deployment/versions.tf b/modules/platform/ec2_deployment/versions.tf index f0429d46..fec589d8 100644 --- a/modules/platform/ec2_deployment/versions.tf +++ b/modules/platform/ec2_deployment/versions.tf @@ -2,7 +2,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.27" + version = ">= 6.25" } external = { source = "hashicorp/external" @@ -15,5 +15,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.9.1" + required_version = ">= 1.10" } diff --git a/modules/platform/forge_runners/README.md b/modules/platform/forge_runners/README.md index c68e7a95..c6f6fb27 100644 --- a/modules/platform/forge_runners/README.md +++ b/modules/platform/forge_runners/README.md @@ -3,9 +3,9 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.9.1 | +| [terraform](#requirement\_terraform) | >= 1.10 | | [archive](#requirement\_archive) | >= 2.7.0 | -| [aws](#requirement\_aws) | >= 5.27 | +| [aws](#requirement\_aws) | >= 6.25 | | [external](#requirement\_external) | >= 2.3 | | [local](#requirement\_local) | >= 2.5 | | [null](#requirement\_null) | >= 3.2 | @@ -16,7 +16,7 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.23.0 | +| [aws](#provider\_aws) | 6.25.0 | | [null](#provider\_null) | 3.2.4 | | [random](#provider\_random) | 3.7.2 | | [time](#provider\_time) | 0.13.1 | @@ -32,6 +32,7 @@ | [github\_app\_runner\_group](#module\_github\_app\_runner\_group) | ./github_app_runner_group | n/a | | [github\_global\_lock](#module\_github\_global\_lock) | ./github_global_lock | n/a | | [github\_webhook\_relay](#module\_github\_webhook\_relay) | ./github_webhook_relay | n/a | +| [redrive\_deadletter](#module\_redrive\_deadletter) | ./redrive_deadletter | n/a | ## Resources @@ -45,8 +46,10 @@ | [null_resource.update_github_app_webhook](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | | [random_id.random](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource | | [time_sleep.wait_60_seconds](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_iam_policy_document.ecr_access_for_ec2_instances](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.role_assumption_for_forge_runners](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | | [aws_secretsmanager_random_password.secret_seeds](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_random_password) | data source | | [aws_secretsmanager_secret.data_cicd_secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source | | [aws_secretsmanager_secret_version.data_cicd_secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret_version) | data source | diff --git a/modules/platform/forge_runners/forge_trust_validator/README.md b/modules/platform/forge_runners/forge_trust_validator/README.md index 176ab114..8635d970 100644 --- a/modules/platform/forge_runners/forge_trust_validator/README.md +++ b/modules/platform/forge_runners/forge_trust_validator/README.md @@ -3,15 +3,15 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.9.1 | -| [aws](#requirement\_aws) | >= 5.27 | +| [terraform](#requirement\_terraform) | >= 1.10 | +| [aws](#requirement\_aws) | >= 6.25 | | [null](#requirement\_null) | >= 3.2 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.23.0 | +| [aws](#provider\_aws) | 6.25.0 | | [null](#provider\_null) | 3.2.4 | ## Modules @@ -38,9 +38,10 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [aws\_profile](#input\_aws\_profile) | AWS profile (i.e. generated via 'sl aws session generate') to use. | `string` | n/a | yes | -| [forge\_iam\_roles](#input\_forge\_iam\_roles) | List of IAM role ARNs for Forge runners. | `list(string)` | n/a | yes | +| [forge\_iam\_roles](#input\_forge\_iam\_roles) | List of IAM role ARNs for Forge runners. | `map(string)` | n/a | yes | | [log\_level](#input\_log\_level) | Log level for application logging (e.g., INFO, DEBUG, WARN, ERROR) | `string` | `"INFO"` | no | | [logging\_retention\_in\_days](#input\_logging\_retention\_in\_days) | Retention in days for CloudWatch Log Group for the Lambdas. | `number` | `30` | no | +| [number\_forge\_iram\_roles](#input\_number\_forge\_iram\_roles) | Number of Iam roles ARNs for Forge runners | `number` | n/a | yes | | [prefix](#input\_prefix) | Prefix for all resources | `string` | n/a | yes | | [tags](#input\_tags) | Tags to apply to created resources. | `map(string)` | `{}` | no | | [tenant\_iam\_roles](#input\_tenant\_iam\_roles) | List of IAM role ARNs that the runners will assume to test trust relationships. | `list(string)` | `[]` | no | diff --git a/modules/platform/forge_runners/forge_trust_validator/versions.tf b/modules/platform/forge_runners/forge_trust_validator/versions.tf index f7a53c68..e8095de4 100644 --- a/modules/platform/forge_runners/forge_trust_validator/versions.tf +++ b/modules/platform/forge_runners/forge_trust_validator/versions.tf @@ -2,7 +2,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.27" + version = ">= 6.25" } null = { source = "hashicorp/null" @@ -11,5 +11,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.9.1" + required_version = ">= 1.10" } diff --git a/modules/platform/forge_runners/github_actions_job_logs/README.md b/modules/platform/forge_runners/github_actions_job_logs/README.md index fe7a51a9..ccbbd076 100644 --- a/modules/platform/forge_runners/github_actions_job_logs/README.md +++ b/modules/platform/forge_runners/github_actions_job_logs/README.md @@ -123,14 +123,14 @@ See parent repository license. | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.9.1 | -| [aws](#requirement\_aws) | >= 5.27 | +| [terraform](#requirement\_terraform) | >= 1.10 | +| [aws](#requirement\_aws) | >= 6.25 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.23.0 | +| [aws](#provider\_aws) | 6.25.0 | ## Modules diff --git a/modules/platform/forge_runners/github_actions_job_logs/versions.tf b/modules/platform/forge_runners/github_actions_job_logs/versions.tf index d193e844..606ac009 100644 --- a/modules/platform/forge_runners/github_actions_job_logs/versions.tf +++ b/modules/platform/forge_runners/github_actions_job_logs/versions.tf @@ -2,10 +2,10 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.27" + version = ">= 6.25" } } # OpenTofu version. - required_version = ">= 1.9.1" + required_version = ">= 1.10" } diff --git a/modules/platform/forge_runners/github_app_runner_group/README.md b/modules/platform/forge_runners/github_app_runner_group/README.md index 6234a9d1..025dabc5 100644 --- a/modules/platform/forge_runners/github_app_runner_group/README.md +++ b/modules/platform/forge_runners/github_app_runner_group/README.md @@ -3,14 +3,14 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.9.1 | -| [aws](#requirement\_aws) | >= 5.27 | +| [terraform](#requirement\_terraform) | >= 1.10 | +| [aws](#requirement\_aws) | >= 6.25 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.23.0 | +| [aws](#provider\_aws) | 6.25.0 | ## Modules diff --git a/modules/platform/forge_runners/github_app_runner_group/versions.tf b/modules/platform/forge_runners/github_app_runner_group/versions.tf index d193e844..606ac009 100644 --- a/modules/platform/forge_runners/github_app_runner_group/versions.tf +++ b/modules/platform/forge_runners/github_app_runner_group/versions.tf @@ -2,10 +2,10 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.27" + version = ">= 6.25" } } # OpenTofu version. - required_version = ">= 1.9.1" + required_version = ">= 1.10" } diff --git a/modules/platform/forge_runners/github_global_lock/README.md b/modules/platform/forge_runners/github_global_lock/README.md index f5722232..fbe6ca91 100644 --- a/modules/platform/forge_runners/github_global_lock/README.md +++ b/modules/platform/forge_runners/github_global_lock/README.md @@ -3,14 +3,14 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.9.1 | -| [aws](#requirement\_aws) | >= 5.27 | +| [terraform](#requirement\_terraform) | >= 1.10 | +| [aws](#requirement\_aws) | >= 6.25 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.23.0 | +| [aws](#provider\_aws) | 6.25.0 | ## Modules diff --git a/modules/platform/forge_runners/github_global_lock/versions.tf b/modules/platform/forge_runners/github_global_lock/versions.tf index d193e844..606ac009 100644 --- a/modules/platform/forge_runners/github_global_lock/versions.tf +++ b/modules/platform/forge_runners/github_global_lock/versions.tf @@ -2,10 +2,10 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.27" + version = ">= 6.25" } } # OpenTofu version. - required_version = ">= 1.9.1" + required_version = ">= 1.10" } diff --git a/modules/platform/forge_runners/github_webhook_relay/README.md b/modules/platform/forge_runners/github_webhook_relay/README.md index 967da2b6..4573b847 100644 --- a/modules/platform/forge_runners/github_webhook_relay/README.md +++ b/modules/platform/forge_runners/github_webhook_relay/README.md @@ -3,15 +3,15 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.9.1 | -| [aws](#requirement\_aws) | >= 5.27 | +| [terraform](#requirement\_terraform) | >= 1.10 | +| [aws](#requirement\_aws) | >= 6.25 | | [random](#requirement\_random) | >= 3.6 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.23.0 | +| [aws](#provider\_aws) | 6.25.0 | | [random](#provider\_random) | 3.7.2 | ## Modules diff --git a/modules/platform/forge_runners/github_webhook_relay/versions.tf b/modules/platform/forge_runners/github_webhook_relay/versions.tf index edde8e7b..fe5652d8 100644 --- a/modules/platform/forge_runners/github_webhook_relay/versions.tf +++ b/modules/platform/forge_runners/github_webhook_relay/versions.tf @@ -2,7 +2,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.27" + version = ">= 6.25" } random = { source = "hashicorp/random" @@ -11,5 +11,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.9.1" + required_version = ">= 1.10" } diff --git a/modules/platform/forge_runners/redrive_deadletter/README.md b/modules/platform/forge_runners/redrive_deadletter/README.md index 51938f16..bde2e043 100644 --- a/modules/platform/forge_runners/redrive_deadletter/README.md +++ b/modules/platform/forge_runners/redrive_deadletter/README.md @@ -3,20 +3,20 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.9.1 | -| [aws](#requirement\_aws) | >= 5.27 | +| [terraform](#requirement\_terraform) | >= 1.10 | +| [aws](#requirement\_aws) | >= 6.25 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.23.0 | +| [aws](#provider\_aws) | 6.25.0 | ## Modules | Name | Source | Version | |------|--------|---------| -| [ec2\_redrive\_deadletter\_lambda](#module\_ec2\_redrive\_deadletter\_lambda) | terraform-aws-modules/lambda/aws | 8.1.2 | +| [redrive\_deadletter\_lambda](#module\_redrive\_deadletter\_lambda) | terraform-aws-modules/lambda/aws | 8.1.2 | ## Resources @@ -26,9 +26,7 @@ | [aws_cloudwatch_event_target.redrive_deadletter_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource | | [aws_cloudwatch_log_group.redrive_deadletter_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | | [aws_lambda_permission.redrive_deadletter_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource | -| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_iam_policy_document.redrive_deadletter_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | ## Inputs diff --git a/modules/platform/forge_runners/redrive_deadletter/versions.tf b/modules/platform/forge_runners/redrive_deadletter/versions.tf index d193e844..606ac009 100644 --- a/modules/platform/forge_runners/redrive_deadletter/versions.tf +++ b/modules/platform/forge_runners/redrive_deadletter/versions.tf @@ -2,10 +2,10 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.27" + version = ">= 6.25" } } # OpenTofu version. - required_version = ">= 1.9.1" + required_version = ">= 1.10" } diff --git a/modules/platform/forge_runners/versions.tf b/modules/platform/forge_runners/versions.tf index 3dc35d43..a0af3665 100644 --- a/modules/platform/forge_runners/versions.tf +++ b/modules/platform/forge_runners/versions.tf @@ -2,7 +2,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.27" + version = ">= 6.25" } local = { source = "hashicorp/local" @@ -31,5 +31,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.9.1" + required_version = ">= 1.10" } From 74000c50ce8f5ebdae7cb886633a07edecb2155c Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Tue, 9 Dec 2025 23:52:40 +0100 Subject: [PATCH 25/85] fix: fix renovate config (#231) --- .docker/pre-commit/Dockerfile | 28 +- .../build-forge-github-app-register.yml | 1 + .github/workflows/build-pre-commit.yml | 1 + .github/workflows/pre-commit.yml | 1 + renovate.json | 344 +++++++++++------- 5 files changed, 222 insertions(+), 153 deletions(-) diff --git a/.docker/pre-commit/Dockerfile b/.docker/pre-commit/Dockerfile index 11f1d165..1b8b0b0b 100644 --- a/.docker/pre-commit/Dockerfile +++ b/.docker/pre-commit/Dockerfile @@ -15,33 +15,27 @@ SHELL ["/bin/bash", "-o", "pipefail", "-c"] ARG GITLEAKS_VERSION="8.24.3" ARG GITLEAKS_SRC="https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" ARG GITLEAKS_ARTIFACT="gitleaks.tar.gz" -ARG GITLEAKS_CHECKSUM="9991e0b2903da4c8f6122b5c3186448b927a5da4deef1fe45271c3793f4ee29c" RUN set -eux; \ wget --progress=dot:giga -O ${GITLEAKS_ARTIFACT} ${GITLEAKS_SRC}; \ - echo "${GITLEAKS_CHECKSUM} ${GITLEAKS_ARTIFACT}" | sha256sum -c -; \ tar -zxvf ${GITLEAKS_ARTIFACT} -C /usr/local/bin/; \ chmod 755 /usr/local/bin/gitleaks # renovate: datasource=github-releases depName=hadolint/hadolint registryUrl=https://github.com/ -ARG HADOLINT_VERSION="v2.12.0" -ARG HADOLINT_SRC="https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64" +ARG HADOLINT_VERSION="2.12.0" +ARG HADOLINT_SRC="https://github.com/hadolint/hadolint/releases/download/v${HADOLINT_VERSION}/hadolint-Linux-x86_64" ARG HADOLINT_ARTIFACT="hadolint" -ARG HADOLINT_CHECKSUM="56de6d5e5ec427e17b74fa48d51271c7fc0d61244bf5c90e828aab8362d55010" RUN set -eux; \ wget --progress=dot:giga -O ${HADOLINT_ARTIFACT} ${HADOLINT_SRC}; \ - echo "${HADOLINT_CHECKSUM} ${HADOLINT_ARTIFACT}" | sha256sum -c -; \ mv ${HADOLINT_ARTIFACT} /usr/local/bin; \ chmod 755 /usr/local/bin/hadolint # Download jq. -# renovate: datasource=github-releases depName=stedolan/jq registryUrl=https://github.com/ +# renovate: datasource=github-releases depName=jqlang/jq registryUrl=https://github.com/ ARG JQ_VERSION="1.7.1" -ARG JQ_SRC="https://github.com/stedolan/jq/releases/download/jq-${JQ_VERSION}/jq-linux64" +ARG JQ_SRC="https://github.com/jqlang/jq/releases/download/jq-${JQ_VERSION}/jq-linux64" ARG JQ_ARTIFACT="jq" -ARG JQ_CHECKSUM="5942c9b0934e510ee61eb3e30273f1b3fe2590df93933a93d7c58b81d19c8ff5" RUN set -eux; \ wget --progress=dot:giga -O ${JQ_ARTIFACT} ${JQ_SRC}; \ - echo "${JQ_CHECKSUM} ${JQ_ARTIFACT}" | sha256sum -c -; \ mv ${JQ_ARTIFACT} /usr/local/bin/; \ chmod 755 /usr/local/bin/jq @@ -49,10 +43,8 @@ RUN set -eux; \ ARG PACKER_VERSION="1.12.0" ARG PACKER_SRC="https://releases.hashicorp.com/packer/${PACKER_VERSION}/packer_${PACKER_VERSION}_linux_amd64.zip" ARG PACKER_ARTIFACT="packer.zip" -ARG PACKER_CHECKSUM="e859a76659570d1e29fa55396d5d908091bacacd4567c17770e616c4b58c9ace" RUN set -eux; \ wget --progress=dot:giga -O ${PACKER_ARTIFACT} ${PACKER_SRC}; \ - echo "${PACKER_CHECKSUM} ${PACKER_ARTIFACT}" | sha256sum -c -; \ unzip -o ${PACKER_ARTIFACT} -d /usr/local/bin/; \ chmod 755 /usr/local/bin/packer; \ rm ${PACKER_ARTIFACT} @@ -61,10 +53,8 @@ RUN set -eux; \ ARG SHELLCHECK_VERSION="0.10.0" ARG SHELLCHECK_SRC="https://github.com/koalaman/shellcheck/releases/download/v${SHELLCHECK_VERSION}/shellcheck-v${SHELLCHECK_VERSION}.linux.x86_64.tar.xz" ARG SHELLCHECK_ARTIFACT="shellcheck.tar.xz" -ARG SHELLCHECK_CHECKSUM="6c881ab0698e4e6ea235245f22832860544f17ba386442fe7e9d629f8cbedf87" RUN set -eux; \ wget --progress=dot:giga -O ${SHELLCHECK_ARTIFACT} ${SHELLCHECK_SRC}; \ - echo "${SHELLCHECK_CHECKSUM} ${SHELLCHECK_ARTIFACT}" | sha256sum -c -; \ tar -xJvf ${SHELLCHECK_ARTIFACT}; \ mv shellcheck-v${SHELLCHECK_VERSION}/shellcheck /usr/local/bin/shellcheck; \ chmod 755 /usr/local/bin/shellcheck @@ -73,10 +63,8 @@ RUN set -eux; \ ARG SHFMT_VERSION="3.11.0" ARG SHFMT_SRC="https://github.com/mvdan/sh/releases/download/v${SHFMT_VERSION}/shfmt_v${SHFMT_VERSION}_linux_amd64" ARG SHFMT_ARTIFACT="shfmt" -ARG SHFMT_CHECKSUM="1904ec6bac715c1d05cd7f6612eec8f67a625c3749cb327e5bfb4127d09035ff" RUN set -eux; \ wget --progress=dot:giga -O ${SHFMT_ARTIFACT} ${SHFMT_SRC}; \ - echo "${SHFMT_CHECKSUM} ${SHFMT_ARTIFACT}" | sha256sum -c -; \ mv ${SHFMT_ARTIFACT} /usr/local/bin; \ chmod 755 /usr/local/bin/shfmt @@ -84,10 +72,8 @@ RUN set -eux; \ ARG TERRAFORM_DOCS_VERSION="0.20.0" ARG TERRAFORM_DOCS_SRC="https://github.com/terraform-docs/terraform-docs/releases/download/v${TERRAFORM_DOCS_VERSION}/terraform-docs-v${TERRAFORM_DOCS_VERSION}-linux-amd64.tar.gz" ARG TERRAFORM_DOCS_ARTIFACT="terraform-docs.tar.gz" -ARG TERRAFORM_DOCS_CHECKSUM="34ae01772412bb11474e6718ea62113e38ff5964ee570a98c69fafe3a6dff286" RUN set -eux; \ wget --progress=dot:giga -O ${TERRAFORM_DOCS_ARTIFACT} ${TERRAFORM_DOCS_SRC}; \ - echo "${TERRAFORM_DOCS_CHECKSUM} ${TERRAFORM_DOCS_ARTIFACT}" | sha256sum -c -; \ tar -zxvf ${TERRAFORM_DOCS_ARTIFACT} -C /usr/local/bin/;\ chmod 755 /usr/local/bin/terraform-docs @@ -95,10 +81,8 @@ RUN set -eux; \ ARG TERRAGRUNT_VERSION="0.93.11" ARG TERRAGRUNT_SRC="https://github.com/gruntwork-io/terragrunt/releases/download/v${TERRAGRUNT_VERSION}/terragrunt_linux_amd64" ARG TERRAGRUNT_ARTIFACT="terragrunt" -ARG TERRAGRUNT_CHECKSUM="9bf7a5620c8626cef8ebfae91ec4ff0db994993e2888d3e185e51bf155627c38" RUN set -eux; \ wget --progress=dot:giga -O ${TERRAGRUNT_ARTIFACT} ${TERRAGRUNT_SRC}; \ - echo "${TERRAGRUNT_CHECKSUM} ${TERRAGRUNT_ARTIFACT}" | sha256sum -c -; \ mv ${TERRAGRUNT_ARTIFACT} /usr/local/bin; \ chmod 755 /usr/local/bin/terragrunt @@ -106,10 +90,8 @@ RUN set -eux; \ ARG TFLINT_VERSION="0.60.0" ARG TFLINT_SRC="https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/tflint_linux_amd64.zip" ARG TFLINT_ARTIFACT="tflint.zip" -ARG TFLINT_CHECKSUM="3476ceedcf0c4f9f2bed35e92988e1411bec2caa543c9387bffaa720df9efaf7" RUN set -eux; \ wget --progress=dot:giga -O ${TFLINT_ARTIFACT} ${TFLINT_SRC}; \ - echo "${TFLINT_CHECKSUM} ${TFLINT_ARTIFACT}" | sha256sum -c -; \ unzip -o ${TFLINT_ARTIFACT} -d /usr/local/bin/; \ chmod 755 /usr/local/bin/tflint; @@ -117,10 +99,8 @@ RUN set -eux; \ ARG TOFU_VERSION="1.10.7" ARG TOFU_SRC="https://github.com/opentofu/opentofu/releases/download/v${TOFU_VERSION}/tofu_${TOFU_VERSION}_linux_amd64.zip" ARG TOFU_ARTIFACT="tofu.zip" -ARG TOFU_CHECKSUM="c79bb458e7d7fa08c44be98b373ab3434647598808fc2a75dc9338aef7432ae6" RUN set -eux; \ wget --progress=dot:giga -O ${TOFU_ARTIFACT} ${TOFU_SRC}; \ - echo "${TOFU_CHECKSUM} ${TOFU_ARTIFACT}" | sha256sum -c -; \ unzip -o ${TOFU_ARTIFACT} -d /usr/local/bin/; \ chmod 755 /usr/local/bin/tofu diff --git a/.github/workflows/build-forge-github-app-register.yml b/.github/workflows/build-forge-github-app-register.yml index c927dee1..2572f77d 100644 --- a/.github/workflows/build-forge-github-app-register.yml +++ b/.github/workflows/build-forge-github-app-register.yml @@ -19,6 +19,7 @@ on: - reopened branches: - main + - renovatebot paths: - .docker/forge-github-app-register/** - .github/workflows/build-forge-github-app-register.yml diff --git a/.github/workflows/build-pre-commit.yml b/.github/workflows/build-pre-commit.yml index c94b9f8f..d8155551 100644 --- a/.github/workflows/build-pre-commit.yml +++ b/.github/workflows/build-pre-commit.yml @@ -19,6 +19,7 @@ on: - reopened branches: - main + - renovatebot paths: - .docker/pre-commit/** - .github/workflows/build-pre-commit.yml diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml index 64ef7f56..edad491f 100644 --- a/.github/workflows/pre-commit.yml +++ b/.github/workflows/pre-commit.yml @@ -11,6 +11,7 @@ on: - reopened branches: - main + - renovatebot push: branches: - main diff --git a/renovate.json b/renovate.json index 12a8c5c5..21bb904d 100644 --- a/renovate.json +++ b/renovate.json @@ -1,133 +1,219 @@ { - "$schema": "https://docs.renovatebot.com/renovate-schema.json", - "extends": [ - "config:recommended", - "config:base", - ":rebaseStalePrs", - ":semanticCommits", - ":semanticCommitScope(deps)" - ], - - "pre-commit": { - "enabled": true - }, - - "vulnerabilityAlerts": { - "enabled": true, - "schedule": ["at any time"] - }, - "osvVulnerabilityAlerts": true, - "automerge": false, - "platformAutomerge": true, - "stabilityDays": 0, - "separateMinorPatch": true, - "separateMajorMinor": true, - - "customManagers": [ - { - "customType": "regex", - "fileMatch": ["^*\\.tf$"], - "matchStrings": ["required_version\\s=\\s\">= (?.*?)\""], - "depNameTemplate": "opentofu/opentofu", - "datasourceTemplate": "github-releases" + "$schema": "https://docs.renovatebot.com/renovate-schema.json", + "extends": [ + "config:recommended", + "config:base", + ":rebaseStalePrs", + ":semanticCommits", + ":semanticCommitScope(deps)" + ], + "pre-commit": { + "enabled": true }, - { - "customType": "regex", - "fileMatch": ["^.*\\.tf$"], - "matchStrings": [ - "download_lambdas\\.sh\"\\s*,\\s*\"[^\"]+\"\\s*,\\s*\"(?v\\d+\\.\\d+\\.\\d+)\"" - ], - "depNameTemplate": "github-aws-runners/terraform-aws-github-runner", - "datasourceTemplate": "github-tags", - "versioningTemplate": "semver-coerced" - } - ], - - "packageRules": [ - { - "matchDatasources": ["github-tags"], - "matchPackageNames": ["github-aws-runners/terraform-aws-github-runner"], - "groupName": "terraform-aws-github-runner version", - "separateMajorMinor": false, - "separateMinorPatch": false - }, - { - "description": "Security updates - immediate processing (override stability days)", - "matchPackagePatterns": ["*"], - "matchUpdateTypes": ["patch", "minor"], - "vulnerabilityAlerts": {"enabled": true}, - "stabilityDays": 0, - "prPriority": 10, - "prCreation": "immediate", - "addLabels": ["security", "critical"] - }, - { - "matchUpdateTypes": ["patch","pin","digest"], - "addLabels": ["simple-review"], - "automerge": true - }, - { - "matchUpdateTypes": ["minor"], - "addLabels": ["simple-review"] - }, - { - "matchPackagePatterns": ["aws","terraform-aws-modules"], - "groupName": "AWS providers and modules", - "addLabels": ["aws-updates"] - }, - { - "description": "GitHub Actions - pin to commit SHA for security", - "matchManagers": ["github-actions"], - "pinDigests": true, - "groupName": "GitHub Actions", - "addLabels": ["github-actions", "ci-cd"] - }, - { - "matchManagers": ["pre-commit"], - "groupName": "Pre-commit hooks", - "addLabels": ["pre-commit"] + "vulnerabilityAlerts": { + "enabled": true, + "schedule": [ + "at any time" + ] }, - { - "matchPackagePatterns": ["python","pip"], - "groupName": "Python dependencies", - "addLabels": ["python"] - }, - { - "description": "Development dependencies - reduced stability days", - "matchDepTypes": ["devDependencies"], - "matchUpdateTypes": ["patch", "minor"], - "stabilityDays": 1, - "automerge": true, - "addLabels": ["dev-dependencies"] - }, - { - "description": "Docker images - grouped with digest pinning", - "matchManagers": ["docker-compose", "dockerfile"], - "groupName": "Docker images", - "pinDigests": true, - "addLabels": ["docker", "containers"] - }, - { - "description": "Terraform providers from public registry", - "matchDatasources": ["terraform-provider"], - "matchPackagePatterns": ["^hashicorp/.*"], - "registryUrls": ["https://registry.opentofu.org"] - }, - { - "description": "Major version updates - extended stability period", - "matchUpdateTypes": ["major"], - "stabilityDays": 7, - "prPriority": 1, - "addLabels": ["major-update", "breaking-change"] - }, - { - "description": "Critical security patches - auto-merge enabled", - "matchPackagePatterns": ["*"], - "matchUpdateTypes": ["patch"], - "vulnerabilityAlerts": {"enabled": true}, - "automerge": true, - "automergeType": "pr", - "addLabels": ["security", "auto-merge"] - } - ] + "osvVulnerabilityAlerts": true, + "automerge": false, + "platformAutomerge": true, + "stabilityDays": 0, + "separateMinorPatch": true, + "separateMajorMinor": true, + "customManagers": [ + { + "customType": "regex", + "fileMatch": [ + "^*\\.tf$" + ], + "matchStrings": [ + "required_version\\s=\\s\">= (?.*?)\"" + ], + "datasourceTemplate": "github-releases", + "depNameTemplate": "opentofu/opentofu", + "extractVersionTemplate": "^v?(?.*)$" + }, + { + "customType": "regex", + "fileMatch": [ + "^.*\\.tf$" + ], + "matchStrings": [ + "download_lambdas\\.sh\"\\s*,\\s*\"[^\"]+\"\\s*,\\s*\"(?v\\d+\\.\\d+\\.\\d+)\"" + ], + "depNameTemplate": "github-aws-runners/terraform-aws-github-runner", + "datasourceTemplate": "github-tags", + "versioningTemplate": "semver-coerced" + }, + { + "fileMatch": ["Dockerfile$"], + "matchStrings": ["# renovate: datasource=(?\\S+) depName=(?\\S+) registryUrl=(?\\S+)( extractVersion=(?.+?))?( versioning=(?.*?))?\\n.*?VERSION=\"(?.*)?\"\\s"], + "versioningTemplate": "{{#if versioning}}{{{versioning}}}{{else}}semver{{/if}}" + } + ], + "packageRules": [ + { + "matchDatasources": [ + "github-tags" + ], + "matchPackageNames": [ + "github-aws-runners/terraform-aws-github-runner" + ], + "groupName": "terraform-aws-github-runner version", + "separateMajorMinor": false, + "separateMinorPatch": false + }, + { + "description": "Security updates - immediate processing (override stability days)", + "matchPackagePatterns": [ + "*" + ], + "matchUpdateTypes": [ + "patch", + "minor" + ], + "vulnerabilityAlerts": { + "enabled": true + }, + "stabilityDays": 0, + "prPriority": 10, + "prCreation": "immediate", + "addLabels": [ + "security", + "critical" + ] + }, + { + "matchUpdateTypes": [ + "patch", + "pin", + "digest" + ], + "addLabels": [ + "simple-review" + ], + "automerge": true + }, + { + "matchUpdateTypes": [ + "minor" + ], + "addLabels": [ + "simple-review" + ] + }, + { + "matchPackagePatterns": [ + "aws", + "terraform-aws-modules" + ], + "groupName": "AWS providers and modules", + "addLabels": [ + "aws-updates" + ] + }, + { + "description": "GitHub Actions - pin to commit SHA for security", + "matchManagers": [ + "github-actions" + ], + "pinDigests": true, + "groupName": "GitHub Actions", + "addLabels": [ + "github-actions", + "ci-cd" + ] + }, + { + "matchManagers": [ + "pre-commit" + ], + "groupName": "Pre-commit hooks", + "addLabels": [ + "pre-commit" + ] + }, + { + "matchPackagePatterns": [ + "python", + "pip" + ], + "groupName": "Python dependencies", + "addLabels": [ + "python" + ] + }, + { + "description": "Development dependencies - reduced stability days", + "matchDepTypes": [ + "devDependencies" + ], + "matchUpdateTypes": [ + "patch", + "minor" + ], + "stabilityDays": 1, + "automerge": true, + "addLabels": [ + "dev-dependencies" + ] + }, + { + "description": "Docker images - grouped with digest pinning", + "matchManagers": [ + "docker-compose", + "dockerfile" + ], + "groupName": "Docker images", + "pinDigests": true, + "addLabels": [ + "docker", + "containers" + ] + }, + { + "description": "Terraform providers from public registry", + "matchDatasources": [ + "terraform-provider" + ], + "matchPackagePatterns": [ + "^hashicorp/.*" + ], + "registryUrls": [ + "https://registry.opentofu.org" + ] + }, + { + "description": "Major version updates - extended stability period", + "matchUpdateTypes": [ + "major" + ], + "stabilityDays": 7, + "prPriority": 1, + "addLabels": [ + "major-update", + "breaking-change" + ] + }, + { + "description": "Critical security patches - auto-merge enabled", + "matchPackagePatterns": [ + "*" + ], + "matchUpdateTypes": [ + "patch" + ], + "vulnerabilityAlerts": { + "enabled": true + }, + "automerge": true, + "automergeType": "pr", + "addLabels": [ + "security", + "auto-merge" + ] + } + ] } From f6358599a0028c0c5ba0565254454826a91dd84f Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Wed, 10 Dec 2025 00:40:57 +0100 Subject: [PATCH 26/85] chore: update docker deps (#232) * chore(deps): update dependency mvdan/sh to v3.12.0 (#49) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update dependency koalaman/shellcheck to v0.11.0 (#48) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update dependency hashicorp/packer to v1.14.3 (#47) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update dependency hadolint/hadolint to v2.14.0 (#46) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update python:3.14-slim docker digest to fd2aff3 (#51) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update dependency gruntwork-io/terragrunt to v0.94.0 (#45) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update dependency gitleaks/gitleaks to v8.30.0 (#44) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .docker/forge-github-app-register/Dockerfile | 2 +- .docker/pre-commit/Dockerfile | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.docker/forge-github-app-register/Dockerfile b/.docker/forge-github-app-register/Dockerfile index 74715209..3351f885 100644 --- a/.docker/forge-github-app-register/Dockerfile +++ b/.docker/forge-github-app-register/Dockerfile @@ -1,4 +1,4 @@ -FROM python:3.14-slim@sha256:b823ded4377ebb5ff1af5926702df2284e53cecbc6e3549e93a19d8632a1897e +FROM python:3.14-slim@sha256:fd2aff39e5a3ed23098108786a9966fb036fdeeedd487d5360e466bb2a84377b RUN useradd --create-home appuser WORKDIR /home/appuser diff --git a/.docker/pre-commit/Dockerfile b/.docker/pre-commit/Dockerfile index 1b8b0b0b..b548e60e 100644 --- a/.docker/pre-commit/Dockerfile +++ b/.docker/pre-commit/Dockerfile @@ -12,7 +12,7 @@ RUN apt-get update && apt-get install -y \ SHELL ["/bin/bash", "-o", "pipefail", "-c"] # renovate: datasource=github-releases depName=gitleaks/gitleaks registryUrl=https://github.com/ -ARG GITLEAKS_VERSION="8.24.3" +ARG GITLEAKS_VERSION="8.30.0" ARG GITLEAKS_SRC="https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" ARG GITLEAKS_ARTIFACT="gitleaks.tar.gz" RUN set -eux; \ @@ -21,7 +21,7 @@ RUN set -eux; \ chmod 755 /usr/local/bin/gitleaks # renovate: datasource=github-releases depName=hadolint/hadolint registryUrl=https://github.com/ -ARG HADOLINT_VERSION="2.12.0" +ARG HADOLINT_VERSION="2.14.0" ARG HADOLINT_SRC="https://github.com/hadolint/hadolint/releases/download/v${HADOLINT_VERSION}/hadolint-Linux-x86_64" ARG HADOLINT_ARTIFACT="hadolint" RUN set -eux; \ @@ -40,7 +40,7 @@ RUN set -eux; \ chmod 755 /usr/local/bin/jq # renovate: datasource=github-releases depName=hashicorp/packer registryUrl=https://github.com/ -ARG PACKER_VERSION="1.12.0" +ARG PACKER_VERSION="1.14.3" ARG PACKER_SRC="https://releases.hashicorp.com/packer/${PACKER_VERSION}/packer_${PACKER_VERSION}_linux_amd64.zip" ARG PACKER_ARTIFACT="packer.zip" RUN set -eux; \ @@ -50,7 +50,7 @@ RUN set -eux; \ rm ${PACKER_ARTIFACT} # renovate: datasource=github-releases depName=koalaman/shellcheck registryUrl=https://github.com/ -ARG SHELLCHECK_VERSION="0.10.0" +ARG SHELLCHECK_VERSION="0.11.0" ARG SHELLCHECK_SRC="https://github.com/koalaman/shellcheck/releases/download/v${SHELLCHECK_VERSION}/shellcheck-v${SHELLCHECK_VERSION}.linux.x86_64.tar.xz" ARG SHELLCHECK_ARTIFACT="shellcheck.tar.xz" RUN set -eux; \ @@ -60,7 +60,7 @@ RUN set -eux; \ chmod 755 /usr/local/bin/shellcheck # renovate: datasource=github-releases depName=mvdan/sh registryUrl=https://github.com/ -ARG SHFMT_VERSION="3.11.0" +ARG SHFMT_VERSION="3.12.0" ARG SHFMT_SRC="https://github.com/mvdan/sh/releases/download/v${SHFMT_VERSION}/shfmt_v${SHFMT_VERSION}_linux_amd64" ARG SHFMT_ARTIFACT="shfmt" RUN set -eux; \ @@ -78,7 +78,7 @@ RUN set -eux; \ chmod 755 /usr/local/bin/terraform-docs # renovate: datasource=github-releases depName=gruntwork-io/terragrunt registryUrl=https://github.com/ -ARG TERRAGRUNT_VERSION="0.93.11" +ARG TERRAGRUNT_VERSION="0.94.0" ARG TERRAGRUNT_SRC="https://github.com/gruntwork-io/terragrunt/releases/download/v${TERRAGRUNT_VERSION}/terragrunt_linux_amd64" ARG TERRAGRUNT_ARTIFACT="terragrunt" RUN set -eux; \ From 3b60fd25ff9356a512fcc9cb8553d1932842fd5a Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Wed, 10 Dec 2025 12:41:18 +0100 Subject: [PATCH 27/85] chore(deps): update dependency opentofu/opentofu to v1.11.0 (#233) --- .docker/pre-commit/Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.docker/pre-commit/Dockerfile b/.docker/pre-commit/Dockerfile index b548e60e..29295c8c 100644 --- a/.docker/pre-commit/Dockerfile +++ b/.docker/pre-commit/Dockerfile @@ -30,7 +30,7 @@ RUN set -eux; \ chmod 755 /usr/local/bin/hadolint # Download jq. -# renovate: datasource=github-releases depName=jqlang/jq registryUrl=https://github.com/ +# renovate: datasource=github-releases depName=jqlang/jq registryUrl=https://github.com/ extractVersion=^jq-(?.*)$ ARG JQ_VERSION="1.7.1" ARG JQ_SRC="https://github.com/jqlang/jq/releases/download/jq-${JQ_VERSION}/jq-linux64" ARG JQ_ARTIFACT="jq" @@ -96,7 +96,7 @@ RUN set -eux; \ chmod 755 /usr/local/bin/tflint; # renovate: datasource=github-releases depName=opentofu/opentofu registryUrl=https://github.com/ -ARG TOFU_VERSION="1.10.7" +ARG TOFU_VERSION="1.11.0" ARG TOFU_SRC="https://github.com/opentofu/opentofu/releases/download/v${TOFU_VERSION}/tofu_${TOFU_VERSION}_linux_amd64.zip" ARG TOFU_ARTIFACT="tofu.zip" RUN set -eux; \ From 474ec88c9fc5383465d9751626324941dbcf0910 Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Wed, 10 Dec 2025 14:16:33 +0100 Subject: [PATCH 28/85] refactor(deps): update dependency opentofu/opentofu to v1.11.0 (#234) * chore(deps): update dependency jqlang/jq to v1.8.1 (#52) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update dependency opentofu/opentofu to v1.11.0 (#50) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .docker/pre-commit/Dockerfile | 2 +- modules/core/arc/scale_set/versions.tf | 2 +- modules/core/arc/scale_set_controller/versions.tf | 2 +- modules/core/arc/versions.tf | 2 +- modules/infra/ami_policy/versions.tf | 2 +- modules/infra/ami_sharing/versions.tf | 2 +- modules/infra/cloud_custodian/versions.tf | 2 +- modules/infra/cloud_formation/versions.tf | 2 +- modules/infra/ecr/versions.tf | 2 +- modules/infra/eks/versions.tf | 2 +- modules/infra/forge_subscription/version.tf | 2 +- modules/infra/opt_in_regions/versions.tf | 2 +- modules/infra/service_linked_roles/versions.tf | 2 +- modules/infra/storage/versions.tf | 2 +- .../integrations/github_webhook_relay_destination/versions.tf | 2 +- .../github_webhook_relay_destination_receivers/versions.tf | 2 +- .../webex_webhook_relay/versions.tf | 2 +- modules/integrations/github_webhook_relay_source/versions.tf | 2 +- modules/integrations/splunk_aws_billing/versions.tf | 2 +- modules/integrations/splunk_cloud_conf_shared/versions.tf | 2 +- .../splunk_cloud_data_manager/data_input/versions.tf | 2 +- .../splunk_cloud_data_manager/sec_meta_ec2_tags/versions.tf | 2 +- modules/integrations/splunk_cloud_data_manager/versions.tf | 2 +- .../integrations/splunk_cloud_data_manager_common/versions.tf | 2 +- modules/integrations/splunk_cloud_s3_runner_logs/versions.tf | 2 +- modules/integrations/splunk_o11y_aws_integration/versions.tf | 2 +- .../integrations/splunk_o11y_aws_integration_common/versions.tf | 2 +- .../splunk_o11y_conf_shared/dashboards/billing/versions.tf | 2 +- .../splunk_o11y_conf_shared/dashboards/dynamodb/versions.tf | 2 +- .../splunk_o11y_conf_shared/dashboards/ebs/versions.tf | 2 +- .../splunk_o11y_conf_shared/dashboards/lambda/versions.tf | 2 +- .../splunk_o11y_conf_shared/dashboards/runner_ec2/versions.tf | 2 +- .../splunk_o11y_conf_shared/dashboards/runner_k8s/versions.tf | 2 +- .../splunk_o11y_conf_shared/dashboards/sqs/versions.tf | 2 +- modules/integrations/splunk_o11y_conf_shared/versions.tf | 2 +- modules/integrations/splunk_otel_eks/versions.tf | 2 +- modules/integrations/splunk_secrets/versions.tf | 2 +- modules/integrations/teleport/tenant/versions.tf | 2 +- modules/integrations/teleport/versions.tf | 2 +- modules/platform/arc_deployment/versions.tf | 2 +- .../ec2_deployment/ec2_update_runner_ssm_ami/versions.tf | 2 +- .../platform/ec2_deployment/ec2_update_runner_tags/versions.tf | 2 +- modules/platform/ec2_deployment/versions.tf | 2 +- .../platform/forge_runners/forge_trust_validator/versions.tf | 2 +- .../platform/forge_runners/github_actions_job_logs/versions.tf | 2 +- .../platform/forge_runners/github_app_runner_group/versions.tf | 2 +- modules/platform/forge_runners/github_global_lock/versions.tf | 2 +- modules/platform/forge_runners/github_webhook_relay/versions.tf | 2 +- modules/platform/forge_runners/redrive_deadletter/versions.tf | 2 +- modules/platform/forge_runners/versions.tf | 2 +- 50 files changed, 50 insertions(+), 50 deletions(-) diff --git a/.docker/pre-commit/Dockerfile b/.docker/pre-commit/Dockerfile index 29295c8c..80b511c2 100644 --- a/.docker/pre-commit/Dockerfile +++ b/.docker/pre-commit/Dockerfile @@ -31,7 +31,7 @@ RUN set -eux; \ # Download jq. # renovate: datasource=github-releases depName=jqlang/jq registryUrl=https://github.com/ extractVersion=^jq-(?.*)$ -ARG JQ_VERSION="1.7.1" +ARG JQ_VERSION="1.8.1" ARG JQ_SRC="https://github.com/jqlang/jq/releases/download/jq-${JQ_VERSION}/jq-linux64" ARG JQ_ARTIFACT="jq" RUN set -eux; \ diff --git a/modules/core/arc/scale_set/versions.tf b/modules/core/arc/scale_set/versions.tf index 7f8762af..a91c6e64 100644 --- a/modules/core/arc/scale_set/versions.tf +++ b/modules/core/arc/scale_set/versions.tf @@ -15,5 +15,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.10" + required_version = ">= 1.11.0" } diff --git a/modules/core/arc/scale_set_controller/versions.tf b/modules/core/arc/scale_set_controller/versions.tf index 7f8762af..a91c6e64 100644 --- a/modules/core/arc/scale_set_controller/versions.tf +++ b/modules/core/arc/scale_set_controller/versions.tf @@ -15,5 +15,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.10" + required_version = ">= 1.11.0" } diff --git a/modules/core/arc/versions.tf b/modules/core/arc/versions.tf index cf16e8aa..68b99849 100644 --- a/modules/core/arc/versions.tf +++ b/modules/core/arc/versions.tf @@ -23,5 +23,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.10" + required_version = ">= 1.11.0" } diff --git a/modules/infra/ami_policy/versions.tf b/modules/infra/ami_policy/versions.tf index d509d257..dc4bbac0 100644 --- a/modules/infra/ami_policy/versions.tf +++ b/modules/infra/ami_policy/versions.tf @@ -8,5 +8,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.10" + required_version = ">= 1.11.0" } diff --git a/modules/infra/ami_sharing/versions.tf b/modules/infra/ami_sharing/versions.tf index d509d257..dc4bbac0 100644 --- a/modules/infra/ami_sharing/versions.tf +++ b/modules/infra/ami_sharing/versions.tf @@ -8,5 +8,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.10" + required_version = ">= 1.11.0" } diff --git a/modules/infra/cloud_custodian/versions.tf b/modules/infra/cloud_custodian/versions.tf index d509d257..dc4bbac0 100644 --- a/modules/infra/cloud_custodian/versions.tf +++ b/modules/infra/cloud_custodian/versions.tf @@ -8,5 +8,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.10" + required_version = ">= 1.11.0" } diff --git a/modules/infra/cloud_formation/versions.tf b/modules/infra/cloud_formation/versions.tf index d509d257..dc4bbac0 100644 --- a/modules/infra/cloud_formation/versions.tf +++ b/modules/infra/cloud_formation/versions.tf @@ -8,5 +8,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.10" + required_version = ">= 1.11.0" } diff --git a/modules/infra/ecr/versions.tf b/modules/infra/ecr/versions.tf index d509d257..dc4bbac0 100644 --- a/modules/infra/ecr/versions.tf +++ b/modules/infra/ecr/versions.tf @@ -8,5 +8,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.10" + required_version = ">= 1.11.0" } diff --git a/modules/infra/eks/versions.tf b/modules/infra/eks/versions.tf index fdf21628..6270f195 100644 --- a/modules/infra/eks/versions.tf +++ b/modules/infra/eks/versions.tf @@ -32,5 +32,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.10" + required_version = ">= 1.11.0" } diff --git a/modules/infra/forge_subscription/version.tf b/modules/infra/forge_subscription/version.tf index d509d257..dc4bbac0 100644 --- a/modules/infra/forge_subscription/version.tf +++ b/modules/infra/forge_subscription/version.tf @@ -8,5 +8,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.10" + required_version = ">= 1.11.0" } diff --git a/modules/infra/opt_in_regions/versions.tf b/modules/infra/opt_in_regions/versions.tf index d509d257..dc4bbac0 100644 --- a/modules/infra/opt_in_regions/versions.tf +++ b/modules/infra/opt_in_regions/versions.tf @@ -8,5 +8,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.10" + required_version = ">= 1.11.0" } diff --git a/modules/infra/service_linked_roles/versions.tf b/modules/infra/service_linked_roles/versions.tf index d509d257..dc4bbac0 100644 --- a/modules/infra/service_linked_roles/versions.tf +++ b/modules/infra/service_linked_roles/versions.tf @@ -8,5 +8,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.10" + required_version = ">= 1.11.0" } diff --git a/modules/infra/storage/versions.tf b/modules/infra/storage/versions.tf index d509d257..dc4bbac0 100644 --- a/modules/infra/storage/versions.tf +++ b/modules/infra/storage/versions.tf @@ -8,5 +8,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.10" + required_version = ">= 1.11.0" } diff --git a/modules/integrations/github_webhook_relay_destination/versions.tf b/modules/integrations/github_webhook_relay_destination/versions.tf index 578aa4d4..87069c2c 100644 --- a/modules/integrations/github_webhook_relay_destination/versions.tf +++ b/modules/integrations/github_webhook_relay_destination/versions.tf @@ -12,5 +12,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.10" + required_version = ">= 1.11.0" } diff --git a/modules/integrations/github_webhook_relay_destination_receivers/versions.tf b/modules/integrations/github_webhook_relay_destination_receivers/versions.tf index d509d257..dc4bbac0 100644 --- a/modules/integrations/github_webhook_relay_destination_receivers/versions.tf +++ b/modules/integrations/github_webhook_relay_destination_receivers/versions.tf @@ -8,5 +8,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.10" + required_version = ">= 1.11.0" } diff --git a/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/versions.tf b/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/versions.tf index 624e7505..912bb250 100644 --- a/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/versions.tf +++ b/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/versions.tf @@ -12,5 +12,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.10" + required_version = ">= 1.11.0" } diff --git a/modules/integrations/github_webhook_relay_source/versions.tf b/modules/integrations/github_webhook_relay_source/versions.tf index d509d257..dc4bbac0 100644 --- a/modules/integrations/github_webhook_relay_source/versions.tf +++ b/modules/integrations/github_webhook_relay_source/versions.tf @@ -8,5 +8,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.10" + required_version = ">= 1.11.0" } diff --git a/modules/integrations/splunk_aws_billing/versions.tf b/modules/integrations/splunk_aws_billing/versions.tf index 98fc9562..d9c88676 100644 --- a/modules/integrations/splunk_aws_billing/versions.tf +++ b/modules/integrations/splunk_aws_billing/versions.tf @@ -23,5 +23,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.10" + required_version = ">= 1.11.0" } diff --git a/modules/integrations/splunk_cloud_conf_shared/versions.tf b/modules/integrations/splunk_cloud_conf_shared/versions.tf index 1f36511d..e323bba2 100644 --- a/modules/integrations/splunk_cloud_conf_shared/versions.tf +++ b/modules/integrations/splunk_cloud_conf_shared/versions.tf @@ -11,5 +11,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.10" + required_version = ">= 1.11.0" } diff --git a/modules/integrations/splunk_cloud_data_manager/data_input/versions.tf b/modules/integrations/splunk_cloud_data_manager/data_input/versions.tf index fe216b9a..f0e90fec 100644 --- a/modules/integrations/splunk_cloud_data_manager/data_input/versions.tf +++ b/modules/integrations/splunk_cloud_data_manager/data_input/versions.tf @@ -28,5 +28,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.10" + required_version = ">= 1.11.0" } diff --git a/modules/integrations/splunk_cloud_data_manager/sec_meta_ec2_tags/versions.tf b/modules/integrations/splunk_cloud_data_manager/sec_meta_ec2_tags/versions.tf index d509d257..dc4bbac0 100644 --- a/modules/integrations/splunk_cloud_data_manager/sec_meta_ec2_tags/versions.tf +++ b/modules/integrations/splunk_cloud_data_manager/sec_meta_ec2_tags/versions.tf @@ -8,5 +8,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.10" + required_version = ">= 1.11.0" } diff --git a/modules/integrations/splunk_cloud_data_manager/versions.tf b/modules/integrations/splunk_cloud_data_manager/versions.tf index fe216b9a..f0e90fec 100644 --- a/modules/integrations/splunk_cloud_data_manager/versions.tf +++ b/modules/integrations/splunk_cloud_data_manager/versions.tf @@ -28,5 +28,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.10" + required_version = ">= 1.11.0" } diff --git a/modules/integrations/splunk_cloud_data_manager_common/versions.tf b/modules/integrations/splunk_cloud_data_manager_common/versions.tf index 578aa4d4..87069c2c 100644 --- a/modules/integrations/splunk_cloud_data_manager_common/versions.tf +++ b/modules/integrations/splunk_cloud_data_manager_common/versions.tf @@ -12,5 +12,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.10" + required_version = ">= 1.11.0" } diff --git a/modules/integrations/splunk_cloud_s3_runner_logs/versions.tf b/modules/integrations/splunk_cloud_s3_runner_logs/versions.tf index 578aa4d4..87069c2c 100644 --- a/modules/integrations/splunk_cloud_s3_runner_logs/versions.tf +++ b/modules/integrations/splunk_cloud_s3_runner_logs/versions.tf @@ -12,5 +12,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.10" + required_version = ">= 1.11.0" } diff --git a/modules/integrations/splunk_o11y_aws_integration/versions.tf b/modules/integrations/splunk_o11y_aws_integration/versions.tf index d509d257..dc4bbac0 100644 --- a/modules/integrations/splunk_o11y_aws_integration/versions.tf +++ b/modules/integrations/splunk_o11y_aws_integration/versions.tf @@ -8,5 +8,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.10" + required_version = ">= 1.11.0" } diff --git a/modules/integrations/splunk_o11y_aws_integration_common/versions.tf b/modules/integrations/splunk_o11y_aws_integration_common/versions.tf index aeaf6ade..3edc27f3 100644 --- a/modules/integrations/splunk_o11y_aws_integration_common/versions.tf +++ b/modules/integrations/splunk_o11y_aws_integration_common/versions.tf @@ -16,5 +16,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.10" + required_version = ">= 1.11.0" } diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/billing/versions.tf b/modules/integrations/splunk_o11y_conf_shared/dashboards/billing/versions.tf index cb5da702..f47f5818 100644 --- a/modules/integrations/splunk_o11y_conf_shared/dashboards/billing/versions.tf +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/billing/versions.tf @@ -8,5 +8,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.10" + required_version = ">= 1.11.0" } diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/dynamodb/versions.tf b/modules/integrations/splunk_o11y_conf_shared/dashboards/dynamodb/versions.tf index cb5da702..f47f5818 100644 --- a/modules/integrations/splunk_o11y_conf_shared/dashboards/dynamodb/versions.tf +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/dynamodb/versions.tf @@ -8,5 +8,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.10" + required_version = ">= 1.11.0" } diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/ebs/versions.tf b/modules/integrations/splunk_o11y_conf_shared/dashboards/ebs/versions.tf index cb5da702..f47f5818 100644 --- a/modules/integrations/splunk_o11y_conf_shared/dashboards/ebs/versions.tf +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/ebs/versions.tf @@ -8,5 +8,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.10" + required_version = ">= 1.11.0" } diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/lambda/versions.tf b/modules/integrations/splunk_o11y_conf_shared/dashboards/lambda/versions.tf index cb5da702..f47f5818 100644 --- a/modules/integrations/splunk_o11y_conf_shared/dashboards/lambda/versions.tf +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/lambda/versions.tf @@ -8,5 +8,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.10" + required_version = ">= 1.11.0" } diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_ec2/versions.tf b/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_ec2/versions.tf index cb5da702..f47f5818 100644 --- a/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_ec2/versions.tf +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_ec2/versions.tf @@ -8,5 +8,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.10" + required_version = ">= 1.11.0" } diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_k8s/versions.tf b/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_k8s/versions.tf index cb5da702..f47f5818 100644 --- a/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_k8s/versions.tf +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_k8s/versions.tf @@ -8,5 +8,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.10" + required_version = ">= 1.11.0" } diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/sqs/versions.tf b/modules/integrations/splunk_o11y_conf_shared/dashboards/sqs/versions.tf index cb5da702..f47f5818 100644 --- a/modules/integrations/splunk_o11y_conf_shared/dashboards/sqs/versions.tf +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/sqs/versions.tf @@ -8,5 +8,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.10" + required_version = ">= 1.11.0" } diff --git a/modules/integrations/splunk_o11y_conf_shared/versions.tf b/modules/integrations/splunk_o11y_conf_shared/versions.tf index 5f5c12c2..f2cc72c9 100644 --- a/modules/integrations/splunk_o11y_conf_shared/versions.tf +++ b/modules/integrations/splunk_o11y_conf_shared/versions.tf @@ -12,5 +12,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.10" + required_version = ">= 1.11.0" } diff --git a/modules/integrations/splunk_otel_eks/versions.tf b/modules/integrations/splunk_otel_eks/versions.tf index 63c48c83..6b80a125 100644 --- a/modules/integrations/splunk_otel_eks/versions.tf +++ b/modules/integrations/splunk_otel_eks/versions.tf @@ -16,5 +16,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.10" + required_version = ">= 1.11.0" } diff --git a/modules/integrations/splunk_secrets/versions.tf b/modules/integrations/splunk_secrets/versions.tf index 148f4aec..1fcbad75 100644 --- a/modules/integrations/splunk_secrets/versions.tf +++ b/modules/integrations/splunk_secrets/versions.tf @@ -12,5 +12,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.10" + required_version = ">= 1.11.0" } diff --git a/modules/integrations/teleport/tenant/versions.tf b/modules/integrations/teleport/tenant/versions.tf index 7f8762af..a91c6e64 100644 --- a/modules/integrations/teleport/tenant/versions.tf +++ b/modules/integrations/teleport/tenant/versions.tf @@ -15,5 +15,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.10" + required_version = ">= 1.11.0" } diff --git a/modules/integrations/teleport/versions.tf b/modules/integrations/teleport/versions.tf index 7f8762af..a91c6e64 100644 --- a/modules/integrations/teleport/versions.tf +++ b/modules/integrations/teleport/versions.tf @@ -15,5 +15,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.10" + required_version = ">= 1.11.0" } diff --git a/modules/platform/arc_deployment/versions.tf b/modules/platform/arc_deployment/versions.tf index 6a3a3d9d..4f2e6449 100644 --- a/modules/platform/arc_deployment/versions.tf +++ b/modules/platform/arc_deployment/versions.tf @@ -1,4 +1,4 @@ terraform { # OpenTofu version. - required_version = ">= 1.10" + required_version = ">= 1.11.0" } diff --git a/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/versions.tf b/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/versions.tf index 606ac009..fd5120e2 100644 --- a/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/versions.tf +++ b/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/versions.tf @@ -7,5 +7,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.10" + required_version = ">= 1.11.0" } diff --git a/modules/platform/ec2_deployment/ec2_update_runner_tags/versions.tf b/modules/platform/ec2_deployment/ec2_update_runner_tags/versions.tf index 606ac009..fd5120e2 100644 --- a/modules/platform/ec2_deployment/ec2_update_runner_tags/versions.tf +++ b/modules/platform/ec2_deployment/ec2_update_runner_tags/versions.tf @@ -7,5 +7,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.10" + required_version = ">= 1.11.0" } diff --git a/modules/platform/ec2_deployment/versions.tf b/modules/platform/ec2_deployment/versions.tf index fec589d8..9407915f 100644 --- a/modules/platform/ec2_deployment/versions.tf +++ b/modules/platform/ec2_deployment/versions.tf @@ -15,5 +15,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.10" + required_version = ">= 1.11.0" } diff --git a/modules/platform/forge_runners/forge_trust_validator/versions.tf b/modules/platform/forge_runners/forge_trust_validator/versions.tf index e8095de4..824bcea7 100644 --- a/modules/platform/forge_runners/forge_trust_validator/versions.tf +++ b/modules/platform/forge_runners/forge_trust_validator/versions.tf @@ -11,5 +11,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.10" + required_version = ">= 1.11.0" } diff --git a/modules/platform/forge_runners/github_actions_job_logs/versions.tf b/modules/platform/forge_runners/github_actions_job_logs/versions.tf index 606ac009..fd5120e2 100644 --- a/modules/platform/forge_runners/github_actions_job_logs/versions.tf +++ b/modules/platform/forge_runners/github_actions_job_logs/versions.tf @@ -7,5 +7,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.10" + required_version = ">= 1.11.0" } diff --git a/modules/platform/forge_runners/github_app_runner_group/versions.tf b/modules/platform/forge_runners/github_app_runner_group/versions.tf index 606ac009..fd5120e2 100644 --- a/modules/platform/forge_runners/github_app_runner_group/versions.tf +++ b/modules/platform/forge_runners/github_app_runner_group/versions.tf @@ -7,5 +7,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.10" + required_version = ">= 1.11.0" } diff --git a/modules/platform/forge_runners/github_global_lock/versions.tf b/modules/platform/forge_runners/github_global_lock/versions.tf index 606ac009..fd5120e2 100644 --- a/modules/platform/forge_runners/github_global_lock/versions.tf +++ b/modules/platform/forge_runners/github_global_lock/versions.tf @@ -7,5 +7,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.10" + required_version = ">= 1.11.0" } diff --git a/modules/platform/forge_runners/github_webhook_relay/versions.tf b/modules/platform/forge_runners/github_webhook_relay/versions.tf index fe5652d8..88a0f22b 100644 --- a/modules/platform/forge_runners/github_webhook_relay/versions.tf +++ b/modules/platform/forge_runners/github_webhook_relay/versions.tf @@ -11,5 +11,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.10" + required_version = ">= 1.11.0" } diff --git a/modules/platform/forge_runners/redrive_deadletter/versions.tf b/modules/platform/forge_runners/redrive_deadletter/versions.tf index 606ac009..fd5120e2 100644 --- a/modules/platform/forge_runners/redrive_deadletter/versions.tf +++ b/modules/platform/forge_runners/redrive_deadletter/versions.tf @@ -7,5 +7,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.10" + required_version = ">= 1.11.0" } diff --git a/modules/platform/forge_runners/versions.tf b/modules/platform/forge_runners/versions.tf index a0af3665..b3212733 100644 --- a/modules/platform/forge_runners/versions.tf +++ b/modules/platform/forge_runners/versions.tf @@ -31,5 +31,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.10" + required_version = ">= 1.11.0" } From 57df220026305e134f6f8ff2f725bfaf4c16999a Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Wed, 10 Dec 2025 21:18:16 +0100 Subject: [PATCH 29/85] docs: update terraform docs (#237) --- modules/core/arc/README.md | 6 +++--- modules/core/arc/scale_set/README.md | 6 +++--- modules/core/arc/scale_set_controller/README.md | 6 +++--- modules/infra/ami_policy/README.md | 2 +- modules/infra/ami_sharing/README.md | 2 +- modules/infra/cloud_custodian/README.md | 2 +- modules/infra/cloud_formation/README.md | 2 +- modules/infra/ecr/README.md | 2 +- modules/infra/eks/README.md | 4 ++-- modules/infra/opt_in_regions/README.md | 2 +- modules/infra/service_linked_roles/README.md | 2 +- modules/infra/storage/README.md | 2 +- .../integrations/github_webhook_relay_destination/README.md | 2 +- .../github_webhook_relay_destination_receivers/README.md | 2 +- .../webex_webhook_relay/README.md | 2 +- modules/integrations/github_webhook_relay_source/README.md | 2 +- modules/integrations/splunk_aws_billing/README.md | 2 +- modules/integrations/splunk_cloud_conf_shared/README.md | 2 +- .../integrations/splunk_cloud_data_manager_common/README.md | 2 +- modules/integrations/splunk_cloud_s3_runner_logs/README.md | 2 +- modules/integrations/splunk_o11y_aws_integration/README.md | 2 +- .../splunk_o11y_aws_integration_common/README.md | 2 +- modules/integrations/splunk_o11y_conf_shared/README.md | 2 +- .../splunk_o11y_conf_shared/dashboards/billing/README.md | 2 +- .../splunk_o11y_conf_shared/dashboards/dynamodb/README.md | 2 +- .../splunk_o11y_conf_shared/dashboards/ebs/README.md | 2 +- .../splunk_o11y_conf_shared/dashboards/lambda/README.md | 2 +- .../splunk_o11y_conf_shared/dashboards/runner_ec2/README.md | 2 +- .../splunk_o11y_conf_shared/dashboards/runner_k8s/README.md | 2 +- .../splunk_o11y_conf_shared/dashboards/sqs/README.md | 2 +- modules/integrations/splunk_otel_eks/README.md | 4 ++-- modules/integrations/teleport/README.md | 6 +++--- modules/integrations/teleport/tenant/README.md | 6 +++--- modules/platform/arc_deployment/README.md | 2 +- modules/platform/ec2_deployment/README.md | 2 +- .../ec2_deployment/ec2_update_runner_ssm_ami/README.md | 2 +- .../ec2_deployment/ec2_update_runner_tags/README.md | 2 +- modules/platform/forge_runners/README.md | 2 +- .../platform/forge_runners/forge_trust_validator/README.md | 2 +- .../forge_runners/github_actions_job_logs/README.md | 2 +- .../forge_runners/github_app_runner_group/README.md | 2 +- modules/platform/forge_runners/github_global_lock/README.md | 2 +- .../platform/forge_runners/github_webhook_relay/README.md | 2 +- modules/platform/forge_runners/redrive_deadletter/README.md | 2 +- 44 files changed, 56 insertions(+), 56 deletions(-) diff --git a/modules/core/arc/README.md b/modules/core/arc/README.md index 0e0ee092..ca7f7186 100644 --- a/modules/core/arc/README.md +++ b/modules/core/arc/README.md @@ -3,11 +3,11 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.10 | +| [terraform](#requirement\_terraform) | >= 1.11.0 | | [aws](#requirement\_aws) | >= 6.25 | | [external](#requirement\_external) | >= 2.3 | | [helm](#requirement\_helm) | >= 3.0.0 | -| [kubernetes](#requirement\_kubernetes) | >= 2.36.0 | +| [kubernetes](#requirement\_kubernetes) | >= 3.0 | | [null](#requirement\_null) | >= 3.2 | ## Providers @@ -16,7 +16,7 @@ |------|---------| | [aws](#provider\_aws) | 6.25.0 | | [external](#provider\_external) | 2.3.5 | -| [kubernetes](#provider\_kubernetes) | 3.0.0 | +| [kubernetes](#provider\_kubernetes) | 3.0.1 | | [null](#provider\_null) | 3.2.4 | ## Modules diff --git a/modules/core/arc/scale_set/README.md b/modules/core/arc/scale_set/README.md index ecbbc0b5..bc3e5d0d 100644 --- a/modules/core/arc/scale_set/README.md +++ b/modules/core/arc/scale_set/README.md @@ -3,10 +3,10 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.10 | +| [terraform](#requirement\_terraform) | >= 1.11.0 | | [aws](#requirement\_aws) | >= 6.25 | | [helm](#requirement\_helm) | >= 3.0.0 | -| [kubernetes](#requirement\_kubernetes) | >= 2.36.0 | +| [kubernetes](#requirement\_kubernetes) | >= 3.0 | ## Providers @@ -14,7 +14,7 @@ |------|---------| | [aws](#provider\_aws) | 6.25.0 | | [helm](#provider\_helm) | 3.1.1 | -| [kubernetes](#provider\_kubernetes) | 3.0.0 | +| [kubernetes](#provider\_kubernetes) | 3.0.1 | ## Modules diff --git a/modules/core/arc/scale_set_controller/README.md b/modules/core/arc/scale_set_controller/README.md index b71e37d4..1e4927d9 100644 --- a/modules/core/arc/scale_set_controller/README.md +++ b/modules/core/arc/scale_set_controller/README.md @@ -3,17 +3,17 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.10 | +| [terraform](#requirement\_terraform) | >= 1.11.0 | | [aws](#requirement\_aws) | >= 6.25 | | [helm](#requirement\_helm) | >= 3.0.0 | -| [kubernetes](#requirement\_kubernetes) | >= 2.36.0 | +| [kubernetes](#requirement\_kubernetes) | >= 3.0 | ## Providers | Name | Version | |------|---------| | [helm](#provider\_helm) | 3.1.1 | -| [kubernetes](#provider\_kubernetes) | 3.0.0 | +| [kubernetes](#provider\_kubernetes) | 3.0.1 | ## Modules diff --git a/modules/infra/ami_policy/README.md b/modules/infra/ami_policy/README.md index 0d4b0f02..a784ffe7 100644 --- a/modules/infra/ami_policy/README.md +++ b/modules/infra/ami_policy/README.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.10 | +| [terraform](#requirement\_terraform) | >= 1.11.0 | | [aws](#requirement\_aws) | >= 6.25 | ## Providers diff --git a/modules/infra/ami_sharing/README.md b/modules/infra/ami_sharing/README.md index 955958fb..9cd3410a 100644 --- a/modules/infra/ami_sharing/README.md +++ b/modules/infra/ami_sharing/README.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.10 | +| [terraform](#requirement\_terraform) | >= 1.11.0 | | [aws](#requirement\_aws) | >= 6.25 | ## Providers diff --git a/modules/infra/cloud_custodian/README.md b/modules/infra/cloud_custodian/README.md index de63df6d..1c8ce18d 100644 --- a/modules/infra/cloud_custodian/README.md +++ b/modules/infra/cloud_custodian/README.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.10 | +| [terraform](#requirement\_terraform) | >= 1.11.0 | | [aws](#requirement\_aws) | >= 6.25 | ## Providers diff --git a/modules/infra/cloud_formation/README.md b/modules/infra/cloud_formation/README.md index 5e481fdb..3bf6f9f9 100644 --- a/modules/infra/cloud_formation/README.md +++ b/modules/infra/cloud_formation/README.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.10 | +| [terraform](#requirement\_terraform) | >= 1.11.0 | | [aws](#requirement\_aws) | >= 6.25 | ## Providers diff --git a/modules/infra/ecr/README.md b/modules/infra/ecr/README.md index 7d027b44..137d97c3 100644 --- a/modules/infra/ecr/README.md +++ b/modules/infra/ecr/README.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.10 | +| [terraform](#requirement\_terraform) | >= 1.11.0 | | [aws](#requirement\_aws) | >= 6.25 | ## Providers diff --git a/modules/infra/eks/README.md b/modules/infra/eks/README.md index 1a77e049..2019e28d 100644 --- a/modules/infra/eks/README.md +++ b/modules/infra/eks/README.md @@ -3,12 +3,12 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.10 | +| [terraform](#requirement\_terraform) | >= 1.11.0 | | [aws](#requirement\_aws) | >= 6.25 | | [external](#requirement\_external) | >= 2.3 | | [helm](#requirement\_helm) | >= 3.0.0 | | [kubectl](#requirement\_kubectl) | >= 1.19.0 | -| [kubernetes](#requirement\_kubernetes) | >= 2.36.0 | +| [kubernetes](#requirement\_kubernetes) | >= 3.0 | | [null](#requirement\_null) | >= 3.2 | | [time](#requirement\_time) | >= 0.13.1 | diff --git a/modules/infra/opt_in_regions/README.md b/modules/infra/opt_in_regions/README.md index c5062b39..4da850f3 100644 --- a/modules/infra/opt_in_regions/README.md +++ b/modules/infra/opt_in_regions/README.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.10 | +| [terraform](#requirement\_terraform) | >= 1.11.0 | | [aws](#requirement\_aws) | >= 6.25 | ## Providers diff --git a/modules/infra/service_linked_roles/README.md b/modules/infra/service_linked_roles/README.md index 9c1ebcc8..c05ca026 100644 --- a/modules/infra/service_linked_roles/README.md +++ b/modules/infra/service_linked_roles/README.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.10 | +| [terraform](#requirement\_terraform) | >= 1.11.0 | | [aws](#requirement\_aws) | >= 6.25 | ## Providers diff --git a/modules/infra/storage/README.md b/modules/infra/storage/README.md index 2db6aa09..e7094768 100644 --- a/modules/infra/storage/README.md +++ b/modules/infra/storage/README.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.10 | +| [terraform](#requirement\_terraform) | >= 1.11.0 | | [aws](#requirement\_aws) | >= 6.25 | ## Providers diff --git a/modules/integrations/github_webhook_relay_destination/README.md b/modules/integrations/github_webhook_relay_destination/README.md index 7f344006..506900cc 100644 --- a/modules/integrations/github_webhook_relay_destination/README.md +++ b/modules/integrations/github_webhook_relay_destination/README.md @@ -40,7 +40,7 @@ graph TD | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.10 | +| [terraform](#requirement\_terraform) | >= 1.11.0 | | [aws](#requirement\_aws) | >= 6.25 | | [external](#requirement\_external) | >= 2.3 | diff --git a/modules/integrations/github_webhook_relay_destination_receivers/README.md b/modules/integrations/github_webhook_relay_destination_receivers/README.md index 6223e192..f9bec9d9 100644 --- a/modules/integrations/github_webhook_relay_destination_receivers/README.md +++ b/modules/integrations/github_webhook_relay_destination_receivers/README.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.10 | +| [terraform](#requirement\_terraform) | >= 1.11.0 | | [aws](#requirement\_aws) | >= 6.25 | ## Providers diff --git a/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/README.md b/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/README.md index b0deaec0..6b2d9abb 100644 --- a/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/README.md +++ b/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/README.md @@ -47,7 +47,7 @@ Both `token` and `room_id` keys are required. The function will prepend `Bearer | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.10 | +| [terraform](#requirement\_terraform) | >= 1.11.0 | | [aws](#requirement\_aws) | >= 6.25 | | [time](#requirement\_time) | >= 0.13.1 | diff --git a/modules/integrations/github_webhook_relay_source/README.md b/modules/integrations/github_webhook_relay_source/README.md index 71271571..1a2ad6a8 100644 --- a/modules/integrations/github_webhook_relay_source/README.md +++ b/modules/integrations/github_webhook_relay_source/README.md @@ -59,7 +59,7 @@ curl -X POST "$(terraform output -raw webhook_endpoint)/webhook" \ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.10 | +| [terraform](#requirement\_terraform) | >= 1.11.0 | | [aws](#requirement\_aws) | >= 6.25 | ## Providers diff --git a/modules/integrations/splunk_aws_billing/README.md b/modules/integrations/splunk_aws_billing/README.md index dea2aa2a..2310ffa5 100644 --- a/modules/integrations/splunk_aws_billing/README.md +++ b/modules/integrations/splunk_aws_billing/README.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.10 | +| [terraform](#requirement\_terraform) | >= 1.11.0 | | [archive](#requirement\_archive) | >= 2.7.0 | | [aws](#requirement\_aws) | >= 6.25 | | [external](#requirement\_external) | >= 2.3 | diff --git a/modules/integrations/splunk_cloud_conf_shared/README.md b/modules/integrations/splunk_cloud_conf_shared/README.md index bc99a491..b28c8fac 100644 --- a/modules/integrations/splunk_cloud_conf_shared/README.md +++ b/modules/integrations/splunk_cloud_conf_shared/README.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.10 | +| [terraform](#requirement\_terraform) | >= 1.11.0 | | [aws](#requirement\_aws) | >= 6.25 | | [splunk](#requirement\_splunk) | >= 1.4.30 | diff --git a/modules/integrations/splunk_cloud_data_manager_common/README.md b/modules/integrations/splunk_cloud_data_manager_common/README.md index a5697507..45dcffee 100644 --- a/modules/integrations/splunk_cloud_data_manager_common/README.md +++ b/modules/integrations/splunk_cloud_data_manager_common/README.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.10 | +| [terraform](#requirement\_terraform) | >= 1.11.0 | | [aws](#requirement\_aws) | >= 6.25 | | [external](#requirement\_external) | >= 2.3 | diff --git a/modules/integrations/splunk_cloud_s3_runner_logs/README.md b/modules/integrations/splunk_cloud_s3_runner_logs/README.md index d4832493..2c33f261 100644 --- a/modules/integrations/splunk_cloud_s3_runner_logs/README.md +++ b/modules/integrations/splunk_cloud_s3_runner_logs/README.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.10 | +| [terraform](#requirement\_terraform) | >= 1.11.0 | | [aws](#requirement\_aws) | >= 6.25 | | [external](#requirement\_external) | >= 2.3 | diff --git a/modules/integrations/splunk_o11y_aws_integration/README.md b/modules/integrations/splunk_o11y_aws_integration/README.md index b792a099..37e4a8a8 100644 --- a/modules/integrations/splunk_o11y_aws_integration/README.md +++ b/modules/integrations/splunk_o11y_aws_integration/README.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.10 | +| [terraform](#requirement\_terraform) | >= 1.11.0 | | [aws](#requirement\_aws) | >= 6.25 | ## Providers diff --git a/modules/integrations/splunk_o11y_aws_integration_common/README.md b/modules/integrations/splunk_o11y_aws_integration_common/README.md index 7056217b..39eb0e9c 100644 --- a/modules/integrations/splunk_o11y_aws_integration_common/README.md +++ b/modules/integrations/splunk_o11y_aws_integration_common/README.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.10 | +| [terraform](#requirement\_terraform) | >= 1.11.0 | | [aws](#requirement\_aws) | >= 6.25 | | [signalfx](#requirement\_signalfx) | < 10.0.0 | | [time](#requirement\_time) | >= 0.13 | diff --git a/modules/integrations/splunk_o11y_conf_shared/README.md b/modules/integrations/splunk_o11y_conf_shared/README.md index f23cb62e..5e1ae0ef 100644 --- a/modules/integrations/splunk_o11y_conf_shared/README.md +++ b/modules/integrations/splunk_o11y_conf_shared/README.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.10 | +| [terraform](#requirement\_terraform) | >= 1.11.0 | | [aws](#requirement\_aws) | >= 6.25 | | [signalfx](#requirement\_signalfx) | < 10.0.0 | diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/billing/README.md b/modules/integrations/splunk_o11y_conf_shared/dashboards/billing/README.md index 24f84338..cf7e1d21 100644 --- a/modules/integrations/splunk_o11y_conf_shared/dashboards/billing/README.md +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/billing/README.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.10 | +| [terraform](#requirement\_terraform) | >= 1.11.0 | | [signalfx](#requirement\_signalfx) | < 10.0.0 | ## Providers diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/dynamodb/README.md b/modules/integrations/splunk_o11y_conf_shared/dashboards/dynamodb/README.md index f42daf49..ae34b57d 100644 --- a/modules/integrations/splunk_o11y_conf_shared/dashboards/dynamodb/README.md +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/dynamodb/README.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.10 | +| [terraform](#requirement\_terraform) | >= 1.11.0 | | [signalfx](#requirement\_signalfx) | < 10.0.0 | ## Providers diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/ebs/README.md b/modules/integrations/splunk_o11y_conf_shared/dashboards/ebs/README.md index e55e3d0c..04e73a5c 100644 --- a/modules/integrations/splunk_o11y_conf_shared/dashboards/ebs/README.md +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/ebs/README.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.10 | +| [terraform](#requirement\_terraform) | >= 1.11.0 | | [signalfx](#requirement\_signalfx) | < 10.0.0 | ## Providers diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/lambda/README.md b/modules/integrations/splunk_o11y_conf_shared/dashboards/lambda/README.md index ff38642b..e8b11bec 100644 --- a/modules/integrations/splunk_o11y_conf_shared/dashboards/lambda/README.md +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/lambda/README.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.10 | +| [terraform](#requirement\_terraform) | >= 1.11.0 | | [signalfx](#requirement\_signalfx) | < 10.0.0 | ## Providers diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_ec2/README.md b/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_ec2/README.md index fd98966b..9dbe8e10 100644 --- a/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_ec2/README.md +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_ec2/README.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.10 | +| [terraform](#requirement\_terraform) | >= 1.11.0 | | [signalfx](#requirement\_signalfx) | < 10.0.0 | ## Providers diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_k8s/README.md b/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_k8s/README.md index 3c04dac1..2ba6def4 100644 --- a/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_k8s/README.md +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_k8s/README.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.10 | +| [terraform](#requirement\_terraform) | >= 1.11.0 | | [signalfx](#requirement\_signalfx) | < 10.0.0 | ## Providers diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/sqs/README.md b/modules/integrations/splunk_o11y_conf_shared/dashboards/sqs/README.md index 1c103893..dc685a25 100644 --- a/modules/integrations/splunk_o11y_conf_shared/dashboards/sqs/README.md +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/sqs/README.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.10 | +| [terraform](#requirement\_terraform) | >= 1.11.0 | | [signalfx](#requirement\_signalfx) | < 10.0.0 | ## Providers diff --git a/modules/integrations/splunk_otel_eks/README.md b/modules/integrations/splunk_otel_eks/README.md index b9e41061..6ebdd093 100644 --- a/modules/integrations/splunk_otel_eks/README.md +++ b/modules/integrations/splunk_otel_eks/README.md @@ -3,10 +3,10 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.10 | +| [terraform](#requirement\_terraform) | >= 1.11.0 | | [aws](#requirement\_aws) | >= 6.25 | | [helm](#requirement\_helm) | >= 3.0.0 | -| [kubernetes](#requirement\_kubernetes) | >= 2.36.0 | +| [kubernetes](#requirement\_kubernetes) | >= 3.0 | ## Providers diff --git a/modules/integrations/teleport/README.md b/modules/integrations/teleport/README.md index 39f3af40..47d940c6 100644 --- a/modules/integrations/teleport/README.md +++ b/modules/integrations/teleport/README.md @@ -3,17 +3,17 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.10 | +| [terraform](#requirement\_terraform) | >= 1.11.0 | | [aws](#requirement\_aws) | >= 6.25 | | [helm](#requirement\_helm) | >= 3.0.0 | -| [kubernetes](#requirement\_kubernetes) | >= 2.36.0 | +| [kubernetes](#requirement\_kubernetes) | >= 3.0 | ## Providers | Name | Version | |------|---------| | [aws](#provider\_aws) | 6.25.0 | -| [kubernetes](#provider\_kubernetes) | 3.0.0 | +| [kubernetes](#provider\_kubernetes) | 3.0.1 | ## Modules diff --git a/modules/integrations/teleport/tenant/README.md b/modules/integrations/teleport/tenant/README.md index c3adce58..c76b8a20 100644 --- a/modules/integrations/teleport/tenant/README.md +++ b/modules/integrations/teleport/tenant/README.md @@ -3,16 +3,16 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.10 | +| [terraform](#requirement\_terraform) | >= 1.11.0 | | [aws](#requirement\_aws) | >= 6.25 | | [helm](#requirement\_helm) | >= 3.0.0 | -| [kubernetes](#requirement\_kubernetes) | >= 2.36.0 | +| [kubernetes](#requirement\_kubernetes) | >= 3.0 | ## Providers | Name | Version | |------|---------| -| [kubernetes](#provider\_kubernetes) | 3.0.0 | +| [kubernetes](#provider\_kubernetes) | 3.0.1 | ## Modules diff --git a/modules/platform/arc_deployment/README.md b/modules/platform/arc_deployment/README.md index ff61528f..c61fbf5c 100644 --- a/modules/platform/arc_deployment/README.md +++ b/modules/platform/arc_deployment/README.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.10 | +| [terraform](#requirement\_terraform) | >= 1.11.0 | ## Providers diff --git a/modules/platform/ec2_deployment/README.md b/modules/platform/ec2_deployment/README.md index da669c04..060db263 100644 --- a/modules/platform/ec2_deployment/README.md +++ b/modules/platform/ec2_deployment/README.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.10 | +| [terraform](#requirement\_terraform) | >= 1.11.0 | | [archive](#requirement\_archive) | >= 2.7.0 | | [aws](#requirement\_aws) | >= 6.25 | | [external](#requirement\_external) | >= 2.3 | diff --git a/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/README.md b/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/README.md index c27f7d3d..ee77fa86 100644 --- a/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/README.md +++ b/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/README.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.10 | +| [terraform](#requirement\_terraform) | >= 1.11.0 | | [aws](#requirement\_aws) | >= 6.25 | ## Providers diff --git a/modules/platform/ec2_deployment/ec2_update_runner_tags/README.md b/modules/platform/ec2_deployment/ec2_update_runner_tags/README.md index 886e9d0e..e3ebbd20 100644 --- a/modules/platform/ec2_deployment/ec2_update_runner_tags/README.md +++ b/modules/platform/ec2_deployment/ec2_update_runner_tags/README.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.10 | +| [terraform](#requirement\_terraform) | >= 1.11.0 | | [aws](#requirement\_aws) | >= 6.25 | ## Providers diff --git a/modules/platform/forge_runners/README.md b/modules/platform/forge_runners/README.md index c6f6fb27..d6125067 100644 --- a/modules/platform/forge_runners/README.md +++ b/modules/platform/forge_runners/README.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.10 | +| [terraform](#requirement\_terraform) | >= 1.11.0 | | [archive](#requirement\_archive) | >= 2.7.0 | | [aws](#requirement\_aws) | >= 6.25 | | [external](#requirement\_external) | >= 2.3 | diff --git a/modules/platform/forge_runners/forge_trust_validator/README.md b/modules/platform/forge_runners/forge_trust_validator/README.md index 8635d970..ab777d2b 100644 --- a/modules/platform/forge_runners/forge_trust_validator/README.md +++ b/modules/platform/forge_runners/forge_trust_validator/README.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.10 | +| [terraform](#requirement\_terraform) | >= 1.11.0 | | [aws](#requirement\_aws) | >= 6.25 | | [null](#requirement\_null) | >= 3.2 | diff --git a/modules/platform/forge_runners/github_actions_job_logs/README.md b/modules/platform/forge_runners/github_actions_job_logs/README.md index ccbbd076..79852ce0 100644 --- a/modules/platform/forge_runners/github_actions_job_logs/README.md +++ b/modules/platform/forge_runners/github_actions_job_logs/README.md @@ -123,7 +123,7 @@ See parent repository license. | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.10 | +| [terraform](#requirement\_terraform) | >= 1.11.0 | | [aws](#requirement\_aws) | >= 6.25 | ## Providers diff --git a/modules/platform/forge_runners/github_app_runner_group/README.md b/modules/platform/forge_runners/github_app_runner_group/README.md index 025dabc5..e2c8888f 100644 --- a/modules/platform/forge_runners/github_app_runner_group/README.md +++ b/modules/platform/forge_runners/github_app_runner_group/README.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.10 | +| [terraform](#requirement\_terraform) | >= 1.11.0 | | [aws](#requirement\_aws) | >= 6.25 | ## Providers diff --git a/modules/platform/forge_runners/github_global_lock/README.md b/modules/platform/forge_runners/github_global_lock/README.md index fbe6ca91..a7b0088f 100644 --- a/modules/platform/forge_runners/github_global_lock/README.md +++ b/modules/platform/forge_runners/github_global_lock/README.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.10 | +| [terraform](#requirement\_terraform) | >= 1.11.0 | | [aws](#requirement\_aws) | >= 6.25 | ## Providers diff --git a/modules/platform/forge_runners/github_webhook_relay/README.md b/modules/platform/forge_runners/github_webhook_relay/README.md index 4573b847..e0dab2a4 100644 --- a/modules/platform/forge_runners/github_webhook_relay/README.md +++ b/modules/platform/forge_runners/github_webhook_relay/README.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.10 | +| [terraform](#requirement\_terraform) | >= 1.11.0 | | [aws](#requirement\_aws) | >= 6.25 | | [random](#requirement\_random) | >= 3.6 | diff --git a/modules/platform/forge_runners/redrive_deadletter/README.md b/modules/platform/forge_runners/redrive_deadletter/README.md index bde2e043..45347cf8 100644 --- a/modules/platform/forge_runners/redrive_deadletter/README.md +++ b/modules/platform/forge_runners/redrive_deadletter/README.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.10 | +| [terraform](#requirement\_terraform) | >= 1.11.0 | | [aws](#requirement\_aws) | >= 6.25 | ## Providers From 46a6e640ef8298b82cb87607b8b85084696c8a9d Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Wed, 10 Dec 2025 23:36:49 +0100 Subject: [PATCH 30/85] feat: add new dashboard (#238) --- .../splunk_cloud_conf_shared/README.md | 3 +- .../dashboard_ec2_scale_up_errors.json.tf | 40 ++++++ .../dashboard_jobs.tf | 3 +- .../dashboard_tenant.tf | 3 +- .../template_files/ci_jobs.json.tftpl | 71 +++-------- .../ec2_scale_up_errors.json.tftpl | 118 ++++++++++++++++++ .../template_files/tenant.json.tftpl | 46 ++----- .../splunk_cloud_conf_shared/variables.tf | 3 +- 8 files changed, 190 insertions(+), 97 deletions(-) create mode 100644 modules/integrations/splunk_cloud_conf_shared/dashboard_ec2_scale_up_errors.json.tf create mode 100644 modules/integrations/splunk_cloud_conf_shared/template_files/ec2_scale_up_errors.json.tftpl diff --git a/modules/integrations/splunk_cloud_conf_shared/README.md b/modules/integrations/splunk_cloud_conf_shared/README.md index b28c8fac..7974b691 100644 --- a/modules/integrations/splunk_cloud_conf_shared/README.md +++ b/modules/integrations/splunk_cloud_conf_shared/README.md @@ -64,6 +64,7 @@ No modules. | [splunk_configs_conf.forgecicd_runner_logs_tenant_fields_logs](https://registry.terraform.io/providers/splunk/splunk/latest/docs/resources/configs_conf) | resource | | [splunk_configs_conf.forgecicd_trust_validation](https://registry.terraform.io/providers/splunk/splunk/latest/docs/resources/configs_conf) | resource | | [splunk_data_ui_views.ci_jobs](https://registry.terraform.io/providers/splunk/splunk/latest/docs/resources/data_ui_views) | resource | +| [splunk_data_ui_views.ec2_scale_up_errors](https://registry.terraform.io/providers/splunk/splunk/latest/docs/resources/data_ui_views) | resource | | [splunk_data_ui_views.tenant](https://registry.terraform.io/providers/splunk/splunk/latest/docs/resources/data_ui_views) | resource | | [aws_secretsmanager_secret.secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source | | [aws_secretsmanager_secret_version.secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret_version) | data source | @@ -75,7 +76,7 @@ No modules. | [aws\_profile](#input\_aws\_profile) | AWS profile (i.e. generated via 'sl aws session generate') to use. | `string` | n/a | yes | | [aws\_region](#input\_aws\_region) | Assuming single region for now. | `string` | n/a | yes | | [default\_tags](#input\_default\_tags) | A map of tags to apply to resources. | `map(string)` | n/a | yes | -| [splunk\_conf](#input\_splunk\_conf) | n/a | 
object({
    splunk_cloud = string
    acl = object({
      app     = string
      owner   = string
      sharing = string
      read    = list(string)
      write   = list(string)
    })
    index = string
  })
| n/a | yes | +| [splunk\_conf](#input\_splunk\_conf) | n/a | 
object({
    splunk_cloud = string
    acl = object({
      app     = string
      owner   = string
      sharing = string
      read    = list(string)
      write   = list(string)
    })
    index   = string
    tenant_names = list(string)
  })
| n/a | yes | ## Outputs diff --git a/modules/integrations/splunk_cloud_conf_shared/dashboard_ec2_scale_up_errors.json.tf b/modules/integrations/splunk_cloud_conf_shared/dashboard_ec2_scale_up_errors.json.tf new file mode 100644 index 00000000..6b4c4760 --- /dev/null +++ b/modules/integrations/splunk_cloud_conf_shared/dashboard_ec2_scale_up_errors.json.tf @@ -0,0 +1,40 @@ +locals { + ec2_scale_up_errors_definition = templatefile( + "${path.module}/template_files/ec2_scale_up_errors.json.tftpl", + { + splunk_index = var.splunk_conf.index, + tenants = var.splunk_conf.tenant_names + } + ) + ec2_scale_up_errors_eai_data = < + + + + + + + + + +EOF +} + +resource "splunk_data_ui_views" "ec2_scale_up_errors" { + name = "ec2_scale_up_errors" + eai_data = local.ec2_scale_up_errors_eai_data + + acl { + app = var.splunk_conf.acl.app + owner = var.splunk_conf.acl.owner + sharing = var.splunk_conf.acl.sharing + read = var.splunk_conf.acl.read + write = var.splunk_conf.acl.write + } +} diff --git a/modules/integrations/splunk_cloud_conf_shared/dashboard_jobs.tf b/modules/integrations/splunk_cloud_conf_shared/dashboard_jobs.tf index c1538c08..7a58128b 100644 --- a/modules/integrations/splunk_cloud_conf_shared/dashboard_jobs.tf +++ b/modules/integrations/splunk_cloud_conf_shared/dashboard_jobs.tf @@ -2,7 +2,8 @@ locals { job_definition = templatefile( "${path.module}/template_files/ci_jobs.json.tftpl", { - splunk_index = var.splunk_conf.index + splunk_index = var.splunk_conf.index, + tenants = var.splunk_conf.tenant_names } ) job_eai_data = <statics | formatByType(formattedConfig)", - "label": ">primary | seriesByName(\"forgecicd_tenant\") | renameSeries(\"label\") | formatByType(formattedConfig)", - "statics": [ - [ - "Select Tenant" - ], - [ - "-" - ] - ], - "value": ">primary | seriesByName(\"forgecicd_tenant\") | renameSeries(\"value\") | formatByType(formattedConfig)" - }, - "dataSources": { - "primary": "ds_x8AMw4ri" - }, + "context": {}, + "dataSources": {}, "options": { - "items": ">frame(label, value) | prepend(formattedStatics) | objects()", + "items": ${jsonencode( + concat( + [{ label = "Select Tenant", value = "-" }], + [for tenant in tenants : { label = tenant, value = tenant }] + ) + )}, "selectFirstSearchResult": true, "token": "dd_8enHUmpH" }, @@ -124,40 +110,11 @@ } }, "dataSources": { - "ds_5a4R8xaz": { - "name": "log type list", - "options": { - "query": "index=\"${splunk_index}\" | stats count by forgecicd_log_type | table forgecicd_log_type", - "queryParameters": { - "earliest": "$global_time.earliest$", - "latest": "$global_time.latest$" - } - }, - "type": "ds.search" - }, - "ds_iONxCEsT": { - "name": "logs", - "options": { - "query": "index=\"${splunk_index}\" forgecicd_tenant=\"$dd_8enHUmpH$\" forgecicd_log_type\n=\"$dd_ZlvrLiNG$\" forgecicd_instance_id=\"$text_9yxn14bn$\"\n| sort _time asc" - }, - "type": "ds.search" - }, - "ds_x8AMw4ri": { - "name": "tenant list", - "options": { - "query": "index=\"${splunk_index}\" | stats count by forgecicd_tenant | table forgecicd_tenant", - "queryParameters": { - "earliest": "$global_time.earliest$", - "latest": "$global_time.latest$" - } - }, - "type": "ds.search" - }, "ds_yDvZOb30": { "name": "GH Job Details search", "options": { "enableSmartSources": true, - "query": "index=\"${splunk_index}\" forgecicd_log_type=hook type=\"completed\" forgecicd_tenant=\"$dd_8enHUmpH$\" forgecicd_instance_id=\"$text_9yxn14bn$\"\n| eval repo_url = GITHUB_SERVER_URL . \"/\" . GITHUB_REPOSITORY\n| eval run_url = repo_url . \"/actions/runs/\" . GITHUB_RUN_ID . \"/attempts/\" . GITHUB_RUN_ATTEMPT\n| fields \n GITHUB_SHA,\n run_url,\n repo_url,\n GITHUB_RUN_ID,\n GITHUB_RUN_ATTEMPT,\n GITHUB_ACTOR,\n GITHUB_TRIGGERING_ACTOR,\n GITHUB_WORKFLOW,\n GITHUB_HEAD_REF,\n GITHUB_BASE_REF,\n GITHUB_EVENT_NAME,\n forgecicd_instance_id\n| join forgecicd_instance_id type=left [\n search index=\"${splunk_index}\" forgecicd_log_type=runner forgecicd_tenant=\"$dd_8enHUmpH$\" forgecicd_instance_id=\"$text_9yxn14bn$\" ci_result=*\n | fields forgecicd_instance_id, ci_result, job_name\n]\n| join forgecicd_instance_id type=left [\n search index=\"${splunk_index}\" forgecicd_log_type=hook (type=\"started\" OR type=\"completed\") forgecicd_tenant=\"$dd_8enHUmpH$\" forgecicd_instance_id=\"$text_9yxn14bn$\"\n | stats earliest(_time) as start latest(_time) as end by forgecicd_instance_id\n | eval duration_minutes = round((end - start) / 60, 2)\n | fields forgecicd_instance_id, duration_minutes\n]\n| search ci_result=\"$dd_sHd7IGav$\"\n| table \n GITHUB_SHA,\n duration_minutes,\n run_url,\n repo_url,\n GITHUB_RUN_ID,\n GITHUB_RUN_ATTEMPT,\n GITHUB_ACTOR,\n GITHUB_TRIGGERING_ACTOR,\n GITHUB_WORKFLOW,\n GITHUB_HEAD_REF,\n GITHUB_BASE_REF,\n GITHUB_EVENT_NAME,\n forgecicd_instance_id,\n job_name,\n ci_result\n", + "query": "index=\"${splunk_index}\" forgecicd_log_type=\"runner-job-event\" \nconclusion=\"$dd_sHd7IGav$\"\nforgecicd_instance_id=\"$text_9yxn14bn$\"\nforgecicd_tenant=\"$dd_8enHUmpH$\"\n| table \n workflow_job.html_url \n workflow_job.conclusion\n workflow_job.name \n workflow_job.run_id \n workflow_job.run_attempt \n workflow_job.id \n workflow_job.created_at \n workflow_job.started_at\n workflow_job.completed_at \n workflow_job.runner_name \n forgecicd_instance_id\n| rename \n workflow_job.html_url as run_url\n workflow_job.conclusion as ci_result\n workflow_job.name as workflow_name\n workflow_job.run_id as workflow_run_id\n workflow_job.run_attempt as workflow_run_attempt\n workflow_job.id as workflow_job_id\n workflow_job.created_at as created_at\n workflow_job.started_at as started_at\n workflow_job.completed_at as completed_at\n workflow_job.runner_name as runner_name\n| eval created_epoch = strptime(created_at, \"%Y-%m-%dT%H:%M:%SZ\")\n| eval started_epoch = strptime(started_at, \"%Y-%m-%dT%H:%M:%SZ\")\n| eval completed_epoch = strptime(completed_at, \"%Y-%m-%dT%H:%M:%SZ\")\n| eval duration_created_to_started = tostring(started_epoch - created_epoch, \"duration\")\n| eval duration_started_to_completed = tostring(completed_epoch - started_epoch, \"duration\")\n| eval duration_total = tostring(completed_epoch - created_epoch, \"duration\")\n| table \n run_url \n ci_result \n workflow_name \n workflow_run_id \n workflow_run_attempt \n workflow_job_id \n created_at \n started_at \n completed_at \n duration_created_to_started \n duration_started_to_completed \n duration_total \n runner_name \n forgecicd_instance_id", "queryParameters": { "earliest": "$global_time.earliest$", "latest": "$global_time.latest$" diff --git a/modules/integrations/splunk_cloud_conf_shared/template_files/ec2_scale_up_errors.json.tftpl b/modules/integrations/splunk_cloud_conf_shared/template_files/ec2_scale_up_errors.json.tftpl new file mode 100644 index 00000000..b9fbb9d8 --- /dev/null +++ b/modules/integrations/splunk_cloud_conf_shared/template_files/ec2_scale_up_errors.json.tftpl @@ -0,0 +1,118 @@ +{ + "title": "EC2 Scale up Errors", + "description": "Lists failed EC2 runner scale-up attempts with related workflow, tenant, and environment context.", + "inputs": { + "input_global_trp": { + "options": { + "defaultValue": "-7d@h,now", + "token": "global_time" + }, + "title": "Global Time Range", + "type": "input.timerange" + }, + "input_uFiEIG6X": { + "context": {}, + "dataSources": {}, + "options": { + "items": ${jsonencode( + concat( + [{ label = "Select Tenant", value = "()" }], + [for tenant in tenants : { label = tenant, value = tenant }] + ) + )}, + "selectFirstSearchResult": true, + "token": "dd_8enHUmpH" + }, + "title": "Forge Tenant", + "type": "input.dropdown" + } + }, + "defaults": { + "dataSources": { + "ds.o11y": { + "options": { + "queryParameters": { + "earliest": "$global_time.earliest$", + "latest": "$global_time.latest$" + } + } + }, + "ds.search": { + "options": { + "queryParameters": { + "earliest": "$global_time.earliest$", + "latest": "$global_time.latest$" + } + } + } + } + }, + "visualizations": { + "viz_YqZBTBIB": { + "containerOptions": {}, + "dataSources": { + "primary": "ds_yDvZOb30" + }, + "eventHandlers": [], + "options": { + "count": 20 + }, + "showLastUpdated": false, + "showProgressBar": false, + "title": "", + "type": "splunk.table" + } + }, + "dataSources": { + "ds_yDvZOb30": { + "name": "Ec2 scale up errors", + "options": { + "enableSmartSources": true, + "query": "index=\"${splunk_index}\" forgecicd_log_type=\"scale-up\" \"Ignoring error\" \n| where \"$dd_8enHUmpH$\"=\"*\" OR forgecicd_tenant=\"$dd_8enHUmpH$\"\n| rename aws-request-id as aws_request_id\n| dedup aws_request_id\n| fields aws_request_id message\n| join aws_request_id type=inner\n [\n search index=\"${splunk_index}\" message=\"Received event\"\n | rename aws-request-id as aws_request_id\n | stats \n values(github.workflow_job_id) as workflow_job_id\n values(forgecicd_tenant) as tenant\n values(forgecicd_vpc_alias) as vpc_alias\n values(forgecicd_region_alias) as region_alias\n values(timestamp) as event_timestamp\n by aws_request_id\n | mvexpand workflow_job_id\n ]\n| table aws_request_id workflow_job_id tenant vpc_alias region_alias message event_timestamp\n", + "queryParameters": { + "earliest": "$global_time.earliest$", + "latest": "$global_time.latest$" + } + }, + "type": "ds.search" + } + }, + "layout": { + "globalInputs": [ + "input_global_trp", + "input_uFiEIG6X" + ], + "layoutDefinitions": { + "layout_6CHuojec": { + "options": { + "gutterSize": 9 + }, + "structure": [ + { + "item": "viz_YqZBTBIB", + "position": { + "h": 974, + "w": 1200, + "x": 0, + "y": 0 + }, + "type": "block" + } + ], + "type": "grid" + } + }, + "options": {}, + "tabs": { + "items": [ + { + "label": "EC2 Runner scale up errors", + "layoutId": "layout_6CHuojec" + } + ] + } + }, + "applicationProperties": { + "collapseNavigation": true + } +} diff --git a/modules/integrations/splunk_cloud_conf_shared/template_files/tenant.json.tftpl b/modules/integrations/splunk_cloud_conf_shared/template_files/tenant.json.tftpl index a3ece1fd..e7d2e32e 100644 --- a/modules/integrations/splunk_cloud_conf_shared/template_files/tenant.json.tftpl +++ b/modules/integrations/splunk_cloud_conf_shared/template_files/tenant.json.tftpl @@ -1,6 +1,6 @@ { "title": "Tenant Logs", - "description": "", + "description": "Displays Forge runner logs for a selected tenant, log type, and time range.", "inputs": { "input_4A2iEpn6": { "options": { @@ -36,29 +36,15 @@ "type": "input.timerange" }, "input_uFiEIG6X": { - "context": { - "formattedConfig": { - "number": { - "prefix": "" - } - }, - "formattedStatics": ">statics | formatByType(formattedConfig)", - "label": ">primary | seriesByName(\"forgecicd_tenant\") | renameSeries(\"label\") | formatByType(formattedConfig)", - "statics": [ - [ - "Select Tenant" - ], - [ - "-" - ] - ], - "value": ">primary | seriesByName(\"forgecicd_tenant\") | renameSeries(\"value\") | formatByType(formattedConfig)" - }, - "dataSources": { - "primary": "ds_x8AMw4ri" - }, + "context": {}, + "dataSources": {}, "options": { - "items": ">frame(label, value) | prepend(formattedStatics) | objects()", + "items": ${jsonencode( + concat( + [{ label = "Select Tenant", value = "-" }], + [for tenant in tenants : { label = tenant, value = tenant }] + ) + )}, "selectFirstSearchResult": true, "token": "dd_8enHUmpH" }, @@ -114,7 +100,7 @@ "ds_iONxCEsT": { "name": "logs", "options": { - "query": "index=\"${splunk_index}\" forgecicd_tenant=\"$dd_8enHUmpH$\" forgecicd_log_type\n=\"$dd_ZlvrLiNG$\" forgecicd_instance_id=\"$text_9yxn14bn$\"\n| sort _time asc" + "query": "index=\"${splunk_index}\" forgecicd_tenant=\"$dd_8enHUmpH$\" forgecicd_log_type=\"$dd_ZlvrLiNG$\"\n| where \"$text_9yxn14bn$\"=\"*\" OR forgecicd_instance_id=\"$text_9yxn14bn$\"\n| sort _time asc" }, "type": "ds.search" }, @@ -128,18 +114,6 @@ } }, "type": "ds.search" - }, - "ds_yDvZOb30": { - "name": "GH Job Details search", - "options": { - "enableSmartSources": true, - "query": "index=\"${splunk_index}\" forgecicd_log_type=hook type=\"completed\" forgecicd_tenant=\"$dd_8enHUmpH$\" forgecicd_instance_id=\"$text_9yxn14bn$\"\n| eval repo_url = GITHUB_SERVER_URL . \"/\" . GITHUB_REPOSITORY\n| eval run_url = repo_url . \"/actions/runs/\" . GITHUB_RUN_ID . \"/attempts/\" . GITHUB_RUN_ATTEMPT\n| fields \n GITHUB_SHA,\n run_url,\n repo_url,\n GITHUB_RUN_ID,\n GITHUB_RUN_ATTEMPT,\n GITHUB_ACTOR,\n GITHUB_TRIGGERING_ACTOR,\n GITHUB_WORKFLOW,\n GITHUB_HEAD_REF,\n GITHUB_BASE_REF,\n GITHUB_EVENT_NAME,\n forgecicd_instance_id\n| join forgecicd_instance_id type=left [\n search index=\"${splunk_index}\" forgecicd_log_type=runner forgecicd_tenant=\"$dd_8enHUmpH$\" forgecicd_instance_id=\"$text_9yxn14bn$\" ci_result=*\n | fields forgecicd_instance_id, ci_result, job_name\n]\n| join forgecicd_instance_id type=left [\n search index=\"${splunk_index}\" forgecicd_log_type=hook (type=\"started\" OR type=\"completed\") forgecicd_tenant=\"$dd_8enHUmpH$\" forgecicd_instance_id=\"$text_9yxn14bn$\"\n | stats earliest(_time) as start latest(_time) as end by forgecicd_instance_id\n | eval duration_minutes = round((end - start) / 60, 2)\n | fields forgecicd_instance_id, duration_minutes\n]\n| table \n GITHUB_SHA,\n duration_minutes,\n run_url,\n repo_url,\n GITHUB_RUN_ID,\n GITHUB_RUN_ATTEMPT,\n GITHUB_ACTOR,\n GITHUB_TRIGGERING_ACTOR,\n GITHUB_WORKFLOW,\n GITHUB_HEAD_REF,\n GITHUB_BASE_REF,\n GITHUB_EVENT_NAME,\n forgecicd_instance_id,\n job_name,\n ci_result\n", - "queryParameters": { - "earliest": "$global_time.earliest$", - "latest": "$global_time.latest$" - } - }, - "type": "ds.search" } }, "layout": { diff --git a/modules/integrations/splunk_cloud_conf_shared/variables.tf b/modules/integrations/splunk_cloud_conf_shared/variables.tf index e35c6b6f..7dde3b71 100644 --- a/modules/integrations/splunk_cloud_conf_shared/variables.tf +++ b/modules/integrations/splunk_cloud_conf_shared/variables.tf @@ -23,6 +23,7 @@ variable "splunk_conf" { read = list(string) write = list(string) }) - index = string + index = string + tenant_names = list(string) }) } From bf0bd2cf90b6656a71f2b9a3604518d850c91e93 Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Thu, 11 Dec 2025 03:36:55 +0100 Subject: [PATCH 31/85] deprecated: remove variable aws_account_id (#239) --- modules/infra/cloud_formation/data.tf | 1 + modules/infra/cloud_formation/main.tf | 2 +- modules/infra/cloud_formation/variables.tf | 5 ----- modules/infra/storage/data.tf | 1 + modules/infra/storage/main.tf | 4 ++-- modules/infra/storage/variables.tf | 5 ----- .../variables.tf | 2 +- .../splunk_aws_billing/variables.tf | 2 +- .../splunk_cloud_conf_shared/README.md | 2 +- .../splunk_cloud_conf_shared/variables.tf | 2 +- .../splunk_cloud_data_manager/cloudwatch.tf | 2 +- .../custom_cloudwatch.tf | 2 +- .../splunk_cloud_data_manager/data.tf | 1 + .../splunk_cloud_data_manager/sec_meta.tf | 2 +- .../splunk_cloud_data_manager/variables.tf | 7 +------ .../splunk_cloud_data_manager_common/data.tf | 1 + .../splunk_cloud_data_manager_common/role.tf | 18 +++++++++--------- .../variables.tf | 7 ++----- .../splunk_cloud_s3_runner_logs/variables.tf | 2 +- .../splunk_o11y_aws_integration/variables.tf | 2 +- .../splunk_o11y_aws_integration_common/data.tf | 1 + .../splunk_o11y_aws_integration_common/role.tf | 2 +- .../variables.tf | 7 +------ .../splunk_o11y_conf_shared/variables.tf | 2 +- modules/integrations/teleport/README.md | 2 +- modules/integrations/teleport/variables.tf | 2 +- 26 files changed, 34 insertions(+), 52 deletions(-) create mode 100644 modules/infra/cloud_formation/data.tf create mode 100644 modules/infra/storage/data.tf create mode 100644 modules/integrations/splunk_cloud_data_manager/data.tf create mode 100644 modules/integrations/splunk_cloud_data_manager_common/data.tf create mode 100644 modules/integrations/splunk_o11y_aws_integration_common/data.tf diff --git a/modules/infra/cloud_formation/data.tf b/modules/infra/cloud_formation/data.tf new file mode 100644 index 00000000..8fc4b38c --- /dev/null +++ b/modules/infra/cloud_formation/data.tf @@ -0,0 +1 @@ +data "aws_caller_identity" "current" {} diff --git a/modules/infra/cloud_formation/main.tf b/modules/infra/cloud_formation/main.tf index bef69a4f..5b39c324 100644 --- a/modules/infra/cloud_formation/main.tf +++ b/modules/infra/cloud_formation/main.tf @@ -39,7 +39,7 @@ data "aws_iam_policy_document" "execution_assume_admin_role_policy" { actions = ["sts:AssumeRole"] principals { type = "AWS" - identifiers = ["arn:aws:iam::${var.aws_account_id}:role/AWSCloudFormationStackSetAdministrationRole"] + identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/AWSCloudFormationStackSetAdministrationRole"] } } } diff --git a/modules/infra/cloud_formation/variables.tf b/modules/infra/cloud_formation/variables.tf index 77e613ed..d022f8f6 100644 --- a/modules/infra/cloud_formation/variables.tf +++ b/modules/infra/cloud_formation/variables.tf @@ -1,8 +1,3 @@ -variable "aws_account_id" { - description = "AWS account ID associated with the infra/backend." - type = string -} - variable "aws_profile" { type = string description = "AWS profile to use." diff --git a/modules/infra/storage/data.tf b/modules/infra/storage/data.tf new file mode 100644 index 00000000..8fc4b38c --- /dev/null +++ b/modules/infra/storage/data.tf @@ -0,0 +1 @@ +data "aws_caller_identity" "current" {} diff --git a/modules/infra/storage/main.tf b/modules/infra/storage/main.tf index ac30d8ae..e928b240 100644 --- a/modules/infra/storage/main.tf +++ b/modules/infra/storage/main.tf @@ -2,7 +2,7 @@ # Long-term storage (i.e. release builds and SBOMs we need to retain long-term # for stability and auditing purposes). resource "aws_s3_bucket" "s3_long_term" { - bucket = "${var.aws_account_id}-long-term-storage" + bucket = "${data.aws_caller_identity.current.account_id}-long-term-storage" tags = local.all_security_tags } @@ -47,7 +47,7 @@ resource "aws_s3_bucket_public_access_block" "s3_long_term" { # Short-term storage (i.e. temporary/feature-branch builds, core dumps, and # other artifacts we aren't obligated to retain long-term). resource "aws_s3_bucket" "s3_short_term" { - bucket = "${var.aws_account_id}-short-term-storage" + bucket = "${data.aws_caller_identity.current.account_id}-short-term-storage" tags = local.all_security_tags } diff --git a/modules/infra/storage/variables.tf b/modules/infra/storage/variables.tf index 3be1a121..e16c7bf7 100644 --- a/modules/infra/storage/variables.tf +++ b/modules/infra/storage/variables.tf @@ -1,8 +1,3 @@ -variable "aws_account_id" { - type = string - description = "AWS account ID (not SL AWS account ID) associated with the infra/backend." -} - variable "aws_profile" { description = "AWS profile to use." type = string diff --git a/modules/integrations/github_webhook_relay_destination_receivers/variables.tf b/modules/integrations/github_webhook_relay_destination_receivers/variables.tf index c3a344ba..6e2c42ef 100644 --- a/modules/integrations/github_webhook_relay_destination_receivers/variables.tf +++ b/modules/integrations/github_webhook_relay_destination_receivers/variables.tf @@ -1,5 +1,5 @@ variable "aws_profile" { - description = "AWS profile (i.e., generated via 'sl aws session generate') to use." + description = "AWS profile to use." type = string } diff --git a/modules/integrations/splunk_aws_billing/variables.tf b/modules/integrations/splunk_aws_billing/variables.tf index 20895611..bfbd4cac 100644 --- a/modules/integrations/splunk_aws_billing/variables.tf +++ b/modules/integrations/splunk_aws_billing/variables.tf @@ -1,6 +1,6 @@ variable "aws_profile" { type = string - description = "AWS profile (i.e., generated via 'sl aws session generate') to use." + description = "AWS profile to use." } variable "aws_region" { diff --git a/modules/integrations/splunk_cloud_conf_shared/README.md b/modules/integrations/splunk_cloud_conf_shared/README.md index 7974b691..a4c52fd4 100644 --- a/modules/integrations/splunk_cloud_conf_shared/README.md +++ b/modules/integrations/splunk_cloud_conf_shared/README.md @@ -73,7 +73,7 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [aws\_profile](#input\_aws\_profile) | AWS profile (i.e. generated via 'sl aws session generate') to use. | `string` | n/a | yes | +| [aws\_profile](#input\_aws\_profile) | AWS profile to use. | `string` | n/a | yes | | [aws\_region](#input\_aws\_region) | Assuming single region for now. | `string` | n/a | yes | | [default\_tags](#input\_default\_tags) | A map of tags to apply to resources. | `map(string)` | n/a | yes | | [splunk\_conf](#input\_splunk\_conf) | n/a | 
object({
    splunk_cloud = string
    acl = object({
      app     = string
      owner   = string
      sharing = string
      read    = list(string)
      write   = list(string)
    })
    index   = string
    tenant_names = list(string)
  })
| n/a | yes | diff --git a/modules/integrations/splunk_cloud_conf_shared/variables.tf b/modules/integrations/splunk_cloud_conf_shared/variables.tf index 7dde3b71..2e3a7d93 100644 --- a/modules/integrations/splunk_cloud_conf_shared/variables.tf +++ b/modules/integrations/splunk_cloud_conf_shared/variables.tf @@ -1,6 +1,6 @@ variable "aws_profile" { type = string - description = "AWS profile (i.e. generated via 'sl aws session generate') to use." + description = "AWS profile to use." } variable "aws_region" { diff --git a/modules/integrations/splunk_cloud_data_manager/cloudwatch.tf b/modules/integrations/splunk_cloud_data_manager/cloudwatch.tf index 37bc02f7..a2a0a1e2 100644 --- a/modules/integrations/splunk_cloud_data_manager/cloudwatch.tf +++ b/modules/integrations/splunk_cloud_data_manager/cloudwatch.tf @@ -35,7 +35,7 @@ locals { iamRegion = var.aws_region regions = var.cloudwatch_log_groups_config.regions datasetInfo = local.dataset_info_cloudwatch - dataAccounts = [var.aws_account_id] + dataAccounts = [data.aws_caller_identity.current.account_id] resourceTags = local.resource_tags } } diff --git a/modules/integrations/splunk_cloud_data_manager/custom_cloudwatch.tf b/modules/integrations/splunk_cloud_data_manager/custom_cloudwatch.tf index 2138ab7c..fcc4adfb 100644 --- a/modules/integrations/splunk_cloud_data_manager/custom_cloudwatch.tf +++ b/modules/integrations/splunk_cloud_data_manager/custom_cloudwatch.tf @@ -46,7 +46,7 @@ locals { } } } - dataAccounts = [var.aws_account_id] + dataAccounts = [data.aws_caller_identity.current.account_id] resourceTags = local.resource_tags } } diff --git a/modules/integrations/splunk_cloud_data_manager/data.tf b/modules/integrations/splunk_cloud_data_manager/data.tf new file mode 100644 index 00000000..8fc4b38c --- /dev/null +++ b/modules/integrations/splunk_cloud_data_manager/data.tf @@ -0,0 +1 @@ +data "aws_caller_identity" "current" {} diff --git a/modules/integrations/splunk_cloud_data_manager/sec_meta.tf b/modules/integrations/splunk_cloud_data_manager/sec_meta.tf index a3e83845..a073f315 100644 --- a/modules/integrations/splunk_cloud_data_manager/sec_meta.tf +++ b/modules/integrations/splunk_cloud_data_manager/sec_meta.tf @@ -40,7 +40,7 @@ locals { iamRegion = var.aws_region regions = var.security_metadata_config.regions datasetInfo = local.dataset_info_security_metadata - dataAccounts = [var.aws_account_id] + dataAccounts = [data.aws_caller_identity.current.account_id] resourceTags = local.resource_tags } } diff --git a/modules/integrations/splunk_cloud_data_manager/variables.tf b/modules/integrations/splunk_cloud_data_manager/variables.tf index fde61872..d7427534 100644 --- a/modules/integrations/splunk_cloud_data_manager/variables.tf +++ b/modules/integrations/splunk_cloud_data_manager/variables.tf @@ -1,11 +1,6 @@ -variable "aws_account_id" { - description = "AWS account ID (not SL AWS account ID) associated with the infra/backend." - type = string -} - variable "aws_profile" { type = string - description = "AWS profile (i.e., generated via 'sl aws session generate') to use." + description = "AWS profile to use." } variable "aws_region" { diff --git a/modules/integrations/splunk_cloud_data_manager_common/data.tf b/modules/integrations/splunk_cloud_data_manager_common/data.tf new file mode 100644 index 00000000..8fc4b38c --- /dev/null +++ b/modules/integrations/splunk_cloud_data_manager_common/data.tf @@ -0,0 +1 @@ +data "aws_caller_identity" "current" {} diff --git a/modules/integrations/splunk_cloud_data_manager_common/role.tf b/modules/integrations/splunk_cloud_data_manager_common/role.tf index 66601716..53c9e0c3 100644 --- a/modules/integrations/splunk_cloud_data_manager_common/role.tf +++ b/modules/integrations/splunk_cloud_data_manager_common/role.tf @@ -11,15 +11,15 @@ data "aws_iam_policy_document" "splunk_dm_policy" { "iam:GetPolicyVersion" ] resources = [ - "arn:aws:iam::${var.aws_account_id}:role/SplunkDM*", - "arn:aws:iam::${var.aws_account_id}:policy/*" + "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/SplunkDM*", + "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/*" ] } statement { effect = "Allow" actions = ["guardduty:GetMasterAccount"] - resources = ["arn:aws:guardduty:*:${var.aws_account_id}:detector/*"] + resources = ["arn:aws:guardduty:*:${data.aws_caller_identity.current.account_id}:detector/*"] } statement { @@ -30,7 +30,7 @@ data "aws_iam_policy_document" "splunk_dm_policy" { "securityhub:ListMembers", "securityhub:ListInvitations" ] - resources = ["arn:aws:securityhub:*:${var.aws_account_id}:hub/default"] + resources = ["arn:aws:securityhub:*:${data.aws_caller_identity.current.account_id}:hub/default"] } statement { @@ -39,7 +39,7 @@ data "aws_iam_policy_document" "splunk_dm_policy" { "cloudformation:DescribeStacks", "cloudformation:GetTemplate" ] - resources = ["arn:aws:cloudformation:*:${var.aws_account_id}:stack/SplunkDM*/*"] + resources = ["arn:aws:cloudformation:*:${data.aws_caller_identity.current.account_id}:stack/SplunkDM*/*"] } statement { @@ -65,19 +65,19 @@ data "aws_iam_policy_document" "splunk_dm_policy" { "logs:DescribeLogGroups", "logs:DescribeSubscriptionFilters" ] - resources = ["arn:aws:logs:*:${var.aws_account_id}:log-group:*"] + resources = ["arn:aws:logs:*:${data.aws_caller_identity.current.account_id}:log-group:*"] } statement { effect = "Allow" actions = ["firehose:DescribeDeliveryStream"] - resources = ["arn:aws:firehose:*:${var.aws_account_id}:deliverystream/SplunkDM*"] + resources = ["arn:aws:firehose:*:${data.aws_caller_identity.current.account_id}:deliverystream/SplunkDM*"] } statement { effect = "Allow" actions = ["events:DescribeRule"] - resources = ["arn:aws:events:*:${var.aws_account_id}:rule/SplunkDM*"] + resources = ["arn:aws:events:*:${data.aws_caller_identity.current.account_id}:rule/SplunkDM*"] } statement { @@ -92,7 +92,7 @@ data "aws_iam_policy_document" "splunk_dm_policy" { statement { effect = "Allow" actions = ["lambda:GetFunction"] - resources = ["arn:aws:lambda:*:${var.aws_account_id}:function:SplunkDM*"] + resources = ["arn:aws:lambda:*:${data.aws_caller_identity.current.account_id}:function:SplunkDM*"] } } diff --git a/modules/integrations/splunk_cloud_data_manager_common/variables.tf b/modules/integrations/splunk_cloud_data_manager_common/variables.tf index 044d828e..72155f3d 100644 --- a/modules/integrations/splunk_cloud_data_manager_common/variables.tf +++ b/modules/integrations/splunk_cloud_data_manager_common/variables.tf @@ -1,11 +1,8 @@ -variable "aws_account_id" { - description = "AWS account ID (not SL AWS account ID) associated with the infra/backend." - type = string -} + variable "aws_profile" { type = string - description = "AWS profile (i.e., generated via 'sl aws session generate') to use." + description = "AWS profile to use." } variable "aws_region" { diff --git a/modules/integrations/splunk_cloud_s3_runner_logs/variables.tf b/modules/integrations/splunk_cloud_s3_runner_logs/variables.tf index 35ec4e31..56e0b4d6 100644 --- a/modules/integrations/splunk_cloud_s3_runner_logs/variables.tf +++ b/modules/integrations/splunk_cloud_s3_runner_logs/variables.tf @@ -1,6 +1,6 @@ variable "aws_profile" { type = string - description = "AWS profile (i.e., generated via 'sl aws session generate') to use." + description = "AWS profile to use." } variable "aws_region" { diff --git a/modules/integrations/splunk_o11y_aws_integration/variables.tf b/modules/integrations/splunk_o11y_aws_integration/variables.tf index fa794b49..bf70cca8 100644 --- a/modules/integrations/splunk_o11y_aws_integration/variables.tf +++ b/modules/integrations/splunk_o11y_aws_integration/variables.tf @@ -1,6 +1,6 @@ variable "aws_profile" { type = string - description = "AWS profile (i.e., generated via 'sl aws session generate') to use." + description = "AWS profile to use." } variable "aws_region" { diff --git a/modules/integrations/splunk_o11y_aws_integration_common/data.tf b/modules/integrations/splunk_o11y_aws_integration_common/data.tf new file mode 100644 index 00000000..8fc4b38c --- /dev/null +++ b/modules/integrations/splunk_o11y_aws_integration_common/data.tf @@ -0,0 +1 @@ +data "aws_caller_identity" "current" {} diff --git a/modules/integrations/splunk_o11y_aws_integration_common/role.tf b/modules/integrations/splunk_o11y_aws_integration_common/role.tf index 658aa38e..6213dc6d 100644 --- a/modules/integrations/splunk_o11y_aws_integration_common/role.tf +++ b/modules/integrations/splunk_o11y_aws_integration_common/role.tf @@ -122,7 +122,7 @@ data "aws_iam_policy_document" "splunk_managed_policy" { effect = "Allow" actions = ["iam:PassRole"] # Role to be created by Cloudformation stack - resources = ["arn:aws:iam::${var.aws_account_id}:role/splunk-metric-streams*"] + resources = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/splunk-metric-streams*"] } } diff --git a/modules/integrations/splunk_o11y_aws_integration_common/variables.tf b/modules/integrations/splunk_o11y_aws_integration_common/variables.tf index 18e1d44e..f2f6b20f 100644 --- a/modules/integrations/splunk_o11y_aws_integration_common/variables.tf +++ b/modules/integrations/splunk_o11y_aws_integration_common/variables.tf @@ -1,11 +1,6 @@ -variable "aws_account_id" { - description = "AWS account ID (not SL AWS account ID) associated with the infra/backend." - type = string -} - variable "aws_profile" { type = string - description = "AWS profile (i.e., generated via 'sl aws session generate') to use." + description = "AWS profile to use." } variable "aws_region" { diff --git a/modules/integrations/splunk_o11y_conf_shared/variables.tf b/modules/integrations/splunk_o11y_conf_shared/variables.tf index 9222c6b0..5bed82d1 100644 --- a/modules/integrations/splunk_o11y_conf_shared/variables.tf +++ b/modules/integrations/splunk_o11y_conf_shared/variables.tf @@ -1,6 +1,6 @@ variable "aws_profile" { type = string - description = "AWS profile (i.e., generated via 'sl aws session generate') to use." + description = "AWS profile to use." } variable "aws_region" { diff --git a/modules/integrations/teleport/README.md b/modules/integrations/teleport/README.md index 47d940c6..7694a9f2 100644 --- a/modules/integrations/teleport/README.md +++ b/modules/integrations/teleport/README.md @@ -39,7 +39,7 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [aws\_profile](#input\_aws\_profile) | AWS profile (i.e. generated via 'sl aws session generate') to use. | `string` | n/a | yes | +| [aws\_profile](#input\_aws\_profile) | AWS profile to use. | `string` | n/a | yes | | [aws\_region](#input\_aws\_region) | Assuming single region for now. | `string` | n/a | yes | | [default\_tags](#input\_default\_tags) | A map of tags to apply to resources. | `map(string)` | n/a | yes | | [tags](#input\_tags) | A map of tags to apply to resources. | `map(string)` | n/a | yes | diff --git a/modules/integrations/teleport/variables.tf b/modules/integrations/teleport/variables.tf index e4213aa6..ae97a383 100644 --- a/modules/integrations/teleport/variables.tf +++ b/modules/integrations/teleport/variables.tf @@ -1,6 +1,6 @@ variable "aws_profile" { type = string - description = "AWS profile (i.e. generated via 'sl aws session generate') to use." + description = "AWS profile to use." } variable "aws_region" { From 3f72d2ce69946acf8ee3c9c559b8ac218d91920a Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Thu, 11 Dec 2025 13:17:43 +0100 Subject: [PATCH 32/85] refactor: refactor forge variables (#241) * refactor: refactor forge variables * docs: update docs with new variable contract --- docs/configurations/deployments/new_tenant.md | 10 + .../vpcs/sl/tenants/acme/config.yaml | 5 + .../vpcs/sl/tenants/acme/runner_settings.hcl | 42 +-- .../tenant/_global_settings/tenant.hcl | 41 ++- examples/templates/tenant/tenant/config.yaml | 5 + .../tenant/tenant/runner_settings.hcl | 42 +-- modules/platform/forge_runners/arc_runners.tf | 19 +- modules/platform/forge_runners/ec2_runners.tf | 24 +- .../forge_runners/forge_trust_validator.tf | 10 +- .../forge_runners/github_actions_job_log.tf | 8 +- .../forge_runners/github_app_runner_group.tf | 8 +- .../forge_runners/github_global_lock.tf | 2 +- .../forge_runners/github_webhook_relay.tf | 4 +- modules/platform/forge_runners/locals.tf | 6 +- modules/platform/forge_runners/outputs.tf | 4 +- .../forge_runners/redrive_deadletter.tf | 12 +- modules/platform/forge_runners/roles.tf | 10 +- modules/platform/forge_runners/secrets.tf | 14 +- .../platform/forge_runners/service_catalog.tf | 2 +- .../platform/forge_runners/update_gh_app.tf | 6 +- modules/platform/forge_runners/variables.tf | 296 +++++++++++------- 21 files changed, 323 insertions(+), 247 deletions(-) diff --git a/docs/configurations/deployments/new_tenant.md b/docs/configurations/deployments/new_tenant.md index 7185d086..e427db72 100644 --- a/docs/configurations/deployments/new_tenant.md +++ b/docs/configurations/deployments/new_tenant.md @@ -67,6 +67,11 @@ gh_config: destination_region: "" # Destination AWS region for the forwarding rule destination_reader_role_arn: "" # IAM role in destination allowed to read forwarded events (leave blank if not needed) # NOTE: Leave all destination_* fields blank when enabled=false; they are ignored. + github_app: + id: # Numeric GitHub App ID from GitHub settings + client_id: # OAuth client ID shown on the GitHub App page + installation_id: # Installation ID after installing the app in your org/account + name: # Exact GitHub App name (must match the created app) tenant: iam_roles_to_assume: # List of full AWS IAM role ARNs runners may assume for workloads @@ -156,6 +161,11 @@ gh_config: destination_event_bus_name: "" destination_region: "" destination_reader_role_arn: "" + github_app: + id: 1234567890 + client_id: abcdefghijklmnopqrstuvwx + installation_id: 9876543210 + name: forge-github-app tenant: iam_roles_to_assume: diff --git a/examples/deployments/forge-tenant/terragrunt/environments/prod/regions/eu-west-1/vpcs/sl/tenants/acme/config.yaml b/examples/deployments/forge-tenant/terragrunt/environments/prod/regions/eu-west-1/vpcs/sl/tenants/acme/config.yaml index dd4b9983..0ee1f313 100644 --- a/examples/deployments/forge-tenant/terragrunt/environments/prod/regions/eu-west-1/vpcs/sl/tenants/acme/config.yaml +++ b/examples/deployments/forge-tenant/terragrunt/environments/prod/regions/eu-west-1/vpcs/sl/tenants/acme/config.yaml @@ -5,6 +5,11 @@ gh_config: repository_selection: selected github_webhook_relay: enabled: false + github_app: + id: 1234567890 + client_id: abcdefghijklmnopqrstuvwx + installation_id: 9876543210 + name: forge-github-app tenant: iam_roles_to_assume: - arn:aws:iam::123456789012:role/role_for_forge_runners diff --git a/examples/deployments/forge-tenant/terragrunt/environments/prod/regions/eu-west-1/vpcs/sl/tenants/acme/runner_settings.hcl b/examples/deployments/forge-tenant/terragrunt/environments/prod/regions/eu-west-1/vpcs/sl/tenants/acme/runner_settings.hcl index fd818f29..d833601b 100644 --- a/examples/deployments/forge-tenant/terragrunt/environments/prod/regions/eu-west-1/vpcs/sl/tenants/acme/runner_settings.hcl +++ b/examples/deployments/forge-tenant/terragrunt/environments/prod/regions/eu-west-1/vpcs/sl/tenants/acme/runner_settings.hcl @@ -30,33 +30,37 @@ locals { # Tenant tenant_name = basename(get_terragrunt_dir()) - deployment_config = { - prefix = "${local.tenant_name}-${local.region_alias}-${local.vpc_alias}" - secret_suffix = local.vpc_alias - } - log_level = "info" logging_retention_in_days = 3 # Load and parse runner specs YAML once - runner_specs_raw = yamldecode(file("config.yaml")) + config = yamldecode(file("config.yml")) # GitHub App settings - ghes_url = local.runner_specs_raw.gh_config.ghes_url - ghes_org = local.runner_specs_raw.gh_config.ghes_org - repository_selection = local.runner_specs_raw.gh_config.repository_selection - github_webhook_relay = local.runner_specs_raw.gh_config.github_webhook_relay + github_webhook_relay = local.config.gh_config.github_webhook_relay - tenant = { - name = local.tenant_name - iam_roles_to_assume = local.runner_specs_raw.tenant.iam_roles_to_assume - ecr_registries = local.runner_specs_raw.tenant.ecr_registries - github_logs_reader_role_arns = local.runner_specs_raw.tenant.github_logs_reader_role_arns + deployment_config = { + deployment_prefix = "${local.tenant_name}-${local.region_alias}-${local.vpc_alias}" + secret_suffix = local.vpc_alias + env = local.env_name + github_app = local.config.gh_config.github_app + tenant = { + name = local.tenant_name + iam_roles_to_assume = local.config.tenant.iam_roles_to_assume + ecr_registries = local.config.tenant.ecr_registries + github_logs_reader_role_arns = local.config.tenant.github_logs_reader_role_arns + } + github = { + ghes_org = local.config.gh_config.ghes_org + ghes_url = local.config.gh_config.ghes_url + repository_selection = local.config.gh_config.repository_selection + runner_group_name = local.runner_group_name + } } ec2_runner_specs = { - for size, spec in local.runner_specs_raw.ec2_runner_specs : + for size, spec in local.config.ec2_runner_specs : size => { ami_filter = { name = [spec.ami_name], @@ -97,11 +101,11 @@ locals { pool_config = spec.pool_config } } - arc_cluster_name = local.runner_specs_raw.arc_cluster_name - migrate_arc_cluster = local.runner_specs_raw.migrate_arc_cluster + arc_cluster_name = local.config.arc_cluster_name + migrate_arc_cluster = local.config.migrate_arc_cluster arc_runner_specs = { - for size, spec in local.runner_specs_raw.arc_runner_specs : + for size, spec in local.config.arc_runner_specs : size => { runner_size = spec.runner_size scale_set_name = spec.scale_set_name diff --git a/examples/templates/tenant/_global_settings/tenant.hcl b/examples/templates/tenant/_global_settings/tenant.hcl index 98c05b7d..332c84bf 100644 --- a/examples/templates/tenant/_global_settings/tenant.hcl +++ b/examples/templates/tenant/_global_settings/tenant.hcl @@ -50,34 +50,29 @@ locals { inputs = { # Core Environment - env = local.env_name - aws_account_id = local.aws_account_id - aws_profile = local.default_aws_profile - aws_region = local.region - - # Networking - vpc_id = local.runner_settings_data.locals.vpc_id - subnet_ids = local.runner_settings_data.locals.subnet_ids - lambda_subnet_ids = local.runner_settings_data.locals.lambda_subnet_ids + aws_profile = local.default_aws_profile + aws_region = local.region # Runners (EC2/ARC) - ec2_runner_specs = local.runner_settings_data.locals.ec2_runner_specs - arc_cluster_name = local.runner_settings_data.locals.arc_cluster_name - arc_runner_specs = local.runner_settings_data.locals.arc_runner_specs - migrate_arc_cluster = local.runner_settings_data.locals.migrate_arc_cluster + ec2_deployment_specs = { + lambda_subnet_ids = local.config.locals.lambda_subnet_ids + subnet_ids = local.config.locals.subnet_ids + vpc_id = local.config.locals.vpc_id + runner_specs = local.config.locals.ec2_runner_specs + } + + arc_deployment_specs = { + cluster_name = local.config.locals.arc_cluster_name + migrate_cluster = local.config.locals.migrate_arc_cluster + runner_specs = local.config.locals.arc_runner_specs + } - # GitHub Settings - ghes_url = local.runner_settings_data.locals.ghes_url - ghes_org = local.runner_settings_data.locals.ghes_org - repository_selection = local.runner_settings_data.locals.repository_selection - runner_group_name = local.runner_settings_data.locals.runner_group_name - github_webhook_relay = local.runner_settings_data.locals.github_webhook_relay + # Deployment Settings + deployment_config = local.config.locals.deployment_config # Misc - deployment_config = local.runner_settings_data.locals.deployment_config - log_level = local.runner_settings_data.locals.log_level - logging_retention_in_days = local.runner_settings_data.locals.logging_retention_in_days - tenant = local.tenant + log_level = local.config.locals.log_level + logging_retention_in_days = local.config.locals.logging_retention_in_days tags = local.tags default_tags = local.default_tags } diff --git a/examples/templates/tenant/tenant/config.yaml b/examples/templates/tenant/tenant/config.yaml index 46f47b8b..72192ed1 100644 --- a/examples/templates/tenant/tenant/config.yaml +++ b/examples/templates/tenant/tenant/config.yaml @@ -9,6 +9,11 @@ gh_config: destination_event_bus_name: destination_region: destination_reader_role_arn: + github_app: + id: + client_id: + installation_id: + name: tenant: iam_roles_to_assume: - arn:aws:iam:::role/ diff --git a/examples/templates/tenant/tenant/runner_settings.hcl b/examples/templates/tenant/tenant/runner_settings.hcl index fd818f29..d833601b 100644 --- a/examples/templates/tenant/tenant/runner_settings.hcl +++ b/examples/templates/tenant/tenant/runner_settings.hcl @@ -30,33 +30,37 @@ locals { # Tenant tenant_name = basename(get_terragrunt_dir()) - deployment_config = { - prefix = "${local.tenant_name}-${local.region_alias}-${local.vpc_alias}" - secret_suffix = local.vpc_alias - } - log_level = "info" logging_retention_in_days = 3 # Load and parse runner specs YAML once - runner_specs_raw = yamldecode(file("config.yaml")) + config = yamldecode(file("config.yml")) # GitHub App settings - ghes_url = local.runner_specs_raw.gh_config.ghes_url - ghes_org = local.runner_specs_raw.gh_config.ghes_org - repository_selection = local.runner_specs_raw.gh_config.repository_selection - github_webhook_relay = local.runner_specs_raw.gh_config.github_webhook_relay + github_webhook_relay = local.config.gh_config.github_webhook_relay - tenant = { - name = local.tenant_name - iam_roles_to_assume = local.runner_specs_raw.tenant.iam_roles_to_assume - ecr_registries = local.runner_specs_raw.tenant.ecr_registries - github_logs_reader_role_arns = local.runner_specs_raw.tenant.github_logs_reader_role_arns + deployment_config = { + deployment_prefix = "${local.tenant_name}-${local.region_alias}-${local.vpc_alias}" + secret_suffix = local.vpc_alias + env = local.env_name + github_app = local.config.gh_config.github_app + tenant = { + name = local.tenant_name + iam_roles_to_assume = local.config.tenant.iam_roles_to_assume + ecr_registries = local.config.tenant.ecr_registries + github_logs_reader_role_arns = local.config.tenant.github_logs_reader_role_arns + } + github = { + ghes_org = local.config.gh_config.ghes_org + ghes_url = local.config.gh_config.ghes_url + repository_selection = local.config.gh_config.repository_selection + runner_group_name = local.runner_group_name + } } ec2_runner_specs = { - for size, spec in local.runner_specs_raw.ec2_runner_specs : + for size, spec in local.config.ec2_runner_specs : size => { ami_filter = { name = [spec.ami_name], @@ -97,11 +101,11 @@ locals { pool_config = spec.pool_config } } - arc_cluster_name = local.runner_specs_raw.arc_cluster_name - migrate_arc_cluster = local.runner_specs_raw.migrate_arc_cluster + arc_cluster_name = local.config.arc_cluster_name + migrate_arc_cluster = local.config.migrate_arc_cluster arc_runner_specs = { - for size, spec in local.runner_specs_raw.arc_runner_specs : + for size, spec in local.config.arc_runner_specs : size => { runner_size = spec.runner_size scale_set_name = spec.scale_set_name diff --git a/modules/platform/forge_runners/arc_runners.tf b/modules/platform/forge_runners/arc_runners.tf index 6a614233..a6cebdee 100644 --- a/modules/platform/forge_runners/arc_runners.tf +++ b/modules/platform/forge_runners/arc_runners.tf @@ -8,25 +8,24 @@ module "arc_runners" { aws_region = var.aws_region tenant_configs = { - ecr_registries = var.tenant.ecr_registries - name = var.tenant.name + ecr_registries = var.deployment_config.tenant.ecr_registries + name = var.deployment_config.tenant.name tags = local.all_security_tags } runner_configs = { - arc_cluster_name = var.arc_cluster_name - migrate_arc_cluster = var.migrate_arc_cluster - prefix = var.deployment_config.prefix - ghes_url = var.ghes_url - ghes_org = var.ghes_org - log_level = var.log_level + arc_cluster_name = var.arc_deployment_specs.cluster_name + migrate_arc_cluster = var.arc_deployment_specs.migrate_cluster + prefix = var.deployment_config.deployment_prefix + ghes_url = var.deployment_config.github.ghes_url + ghes_org = var.deployment_config.github.ghes_org runner_iam_role_managed_policy_arns = local.runner_iam_role_managed_policy_arns github_app = { key_base64 = data.aws_secretsmanager_secret_version.data_cicd_secrets["${local.cicd_secrets_prefix}github_actions_runners_app_key"].secret_string id = data.aws_secretsmanager_secret_version.data_cicd_secrets["${local.cicd_secrets_prefix}github_actions_runners_app_id"].secret_string installation_id = data.aws_secretsmanager_secret_version.data_cicd_secrets["${local.cicd_secrets_prefix}github_actions_runners_app_installation_id"].secret_string } - runner_group_name = var.runner_group_name - runner_specs = var.arc_runner_specs + runner_group_name = var.deployment_config.github.runner_group_name + runner_specs = var.arc_deployment_specs.runner_specs } } diff --git a/modules/platform/forge_runners/ec2_runners.tf b/modules/platform/forge_runners/ec2_runners.tf index 90d62a92..ae3e4a20 100644 --- a/modules/platform/forge_runners/ec2_runners.tf +++ b/modules/platform/forge_runners/ec2_runners.tf @@ -2,12 +2,12 @@ # For generating a webhook secret. Apparently this is a cryptographically secure # PRNG. resource "random_id" "random" { - count = length(var.ec2_runner_specs) > 0 ? 1 : 0 + count = length(var.ec2_deployment_specs.runner_specs) > 0 ? 1 : 0 byte_length = 20 } module "ec2_runners" { - count = length(var.ec2_runner_specs) > 0 ? 1 : 0 + count = length(var.ec2_deployment_specs.runner_specs) > 0 ? 1 : 0 # Using multi-runner example as a baseline. source = "../ec2_deployment" @@ -18,21 +18,21 @@ module "ec2_runners" { } network_configs = { - vpc_id = var.vpc_id - subnet_ids = var.subnet_ids - lambda_subnet_ids = var.lambda_subnet_ids + vpc_id = var.ec2_deployment_specs.vpc_id + subnet_ids = var.ec2_deployment_specs.subnet_ids + lambda_subnet_ids = var.ec2_deployment_specs.lambda_subnet_ids } tenant_configs = { - ecr_registries = var.tenant.ecr_registries + ecr_registries = var.deployment_config.tenant.ecr_registries tags = local.all_security_tags } runner_configs = { - env = var.env - prefix = var.deployment_config.prefix - ghes_url = var.ghes_url - ghes_org = var.ghes_org + env = var.deployment_config.env + prefix = var.deployment_config.deployment_prefix + ghes_url = var.deployment_config.github.ghes_url + ghes_org = var.deployment_config.github.ghes_org log_level = var.log_level logging_retention_in_days = var.logging_retention_in_days runner_iam_role_managed_policy_arns = local.runner_iam_role_managed_policy_arns @@ -41,7 +41,7 @@ module "ec2_runners" { id = data.aws_secretsmanager_secret_version.data_cicd_secrets["${local.cicd_secrets_prefix}github_actions_runners_app_id"].secret_string webhook_secret = random_id.random[0].hex } - runner_group_name = var.runner_group_name - runner_specs = var.ec2_runner_specs + runner_group_name = var.deployment_config.github.runner_group_name + runner_specs = var.ec2_deployment_specs.runner_specs } } diff --git a/modules/platform/forge_runners/forge_trust_validator.tf b/modules/platform/forge_runners/forge_trust_validator.tf index e21b1b43..42c3981c 100644 --- a/modules/platform/forge_runners/forge_trust_validator.tf +++ b/modules/platform/forge_runners/forge_trust_validator.tf @@ -1,5 +1,5 @@ module "forge_trust_validator" { - count = length(var.tenant.iam_roles_to_assume) > 0 ? 1 : 0 + count = length(var.deployment_config.tenant.iam_roles_to_assume) > 0 ? 1 : 0 source = "./forge_trust_validator" providers = { @@ -7,7 +7,7 @@ module "forge_trust_validator" { } aws_profile = var.aws_profile - prefix = var.deployment_config.prefix + prefix = var.deployment_config.deployment_prefix logging_retention_in_days = var.logging_retention_in_days log_level = var.log_level tags = local.all_security_tags @@ -20,9 +20,9 @@ module "forge_trust_validator" { idx => arn } number_forge_iram_roles = ( - length(var.ec2_runner_specs) + - length(var.arc_runner_specs) + length(var.ec2_deployment_specs.runner_specs) + + length(var.arc_deployment_specs.runner_specs) ) - tenant_iam_roles = var.tenant.iam_roles_to_assume + tenant_iam_roles = var.deployment_config.tenant.iam_roles_to_assume } diff --git a/modules/platform/forge_runners/github_actions_job_log.tf b/modules/platform/forge_runners/github_actions_job_log.tf index 9bf67d04..ba1fd8d8 100644 --- a/modules/platform/forge_runners/github_actions_job_log.tf +++ b/modules/platform/forge_runners/github_actions_job_log.tf @@ -1,19 +1,19 @@ module "github_actions_job_logs" { - count = length(var.ec2_runner_specs) > 0 ? 1 : 0 + count = length(var.ec2_deployment_specs.runner_specs) > 0 ? 1 : 0 source = "./github_actions_job_logs" providers = { aws = aws } - prefix = var.deployment_config.prefix + prefix = var.deployment_config.deployment_prefix secrets_prefix = local.cicd_secrets_prefix - shared_role_arns = var.tenant.github_logs_reader_role_arns + shared_role_arns = var.deployment_config.tenant.github_logs_reader_role_arns logging_retention_in_days = var.logging_retention_in_days log_level = var.log_level tags = local.all_security_tags event_bus_name = module.ec2_runners[0].event_bus_name - ghes_url = var.ghes_url + ghes_url = var.deployment_config.github.ghes_url depends_on = [data.aws_secretsmanager_secret_version.data_cicd_secrets] } diff --git a/modules/platform/forge_runners/github_app_runner_group.tf b/modules/platform/forge_runners/github_app_runner_group.tf index 52abb701..8d0474f2 100644 --- a/modules/platform/forge_runners/github_app_runner_group.tf +++ b/modules/platform/forge_runners/github_app_runner_group.tf @@ -5,15 +5,15 @@ module "github_app_runner_group" { aws = aws } - prefix = var.deployment_config.prefix + prefix = var.deployment_config.deployment_prefix secrets_prefix = local.cicd_secrets_prefix logging_retention_in_days = var.logging_retention_in_days log_level = var.log_level tags = local.all_security_tags github_api = local.github_api - ghes_org = var.ghes_org - runner_group_name = var.runner_group_name - repository_selection = var.repository_selection + ghes_org = var.deployment_config.github.ghes_org + runner_group_name = var.deployment_config.github.runner_group_name + repository_selection = var.deployment_config.github.repository_selection depends_on = [data.aws_secretsmanager_secret_version.data_cicd_secrets] } diff --git a/modules/platform/forge_runners/github_global_lock.tf b/modules/platform/forge_runners/github_global_lock.tf index 000abf86..fedb73df 100644 --- a/modules/platform/forge_runners/github_global_lock.tf +++ b/modules/platform/forge_runners/github_global_lock.tf @@ -5,7 +5,7 @@ module "github_global_lock" { aws = aws } - prefix = var.deployment_config.prefix + prefix = var.deployment_config.deployment_prefix secrets_prefix = local.cicd_secrets_prefix logging_retention_in_days = var.logging_retention_in_days log_level = var.log_level diff --git a/modules/platform/forge_runners/github_webhook_relay.tf b/modules/platform/forge_runners/github_webhook_relay.tf index 354cb10e..2997b2c1 100644 --- a/modules/platform/forge_runners/github_webhook_relay.tf +++ b/modules/platform/forge_runners/github_webhook_relay.tf @@ -6,8 +6,8 @@ module "github_webhook_relay" { aws = aws } - prefix = var.deployment_config.prefix - secret_prefix = "/cicd/common/${var.tenant.name}/${var.deployment_config.secret_suffix}" + prefix = var.deployment_config.deployment_prefix + secret_prefix = "/cicd/common/${var.deployment_config.tenant.name}/${var.deployment_config.secret_suffix}" logging_retention_in_days = var.logging_retention_in_days log_level = var.log_level tags = local.all_security_tags diff --git a/modules/platform/forge_runners/locals.tf b/modules/platform/forge_runners/locals.tf index f1697a62..b837b940 100644 --- a/modules/platform/forge_runners/locals.tf +++ b/modules/platform/forge_runners/locals.tf @@ -1,13 +1,13 @@ locals { runner_iam_role_managed_policy_arns = concat( # If the policy exists, include it, otherwise skip it - length(var.tenant.iam_roles_to_assume) > 0 ? [aws_iam_policy.role_assumption_for_forge_runners[0].arn] : [], + length(var.deployment_config.tenant.iam_roles_to_assume) > 0 ? [aws_iam_policy.role_assumption_for_forge_runners[0].arn] : [], [ aws_iam_policy.ecr_access_for_ec2_instances.arn, module.github_global_lock.dynamodb_policy_arn, ] ) - github_app_installation = "${var.ghes_url == "" ? "https://github.com" : var.ghes_url}/apps/${data.aws_secretsmanager_secret_version.data_cicd_secrets["${local.cicd_secrets_prefix}github_actions_runners_app_name"].secret_string}/installations/${data.aws_secretsmanager_secret_version.data_cicd_secrets["${local.cicd_secrets_prefix}github_actions_runners_app_installation_id"].secret_string}" - github_api = var.ghes_url == "" ? "https://api.github.com" : "https://api.${replace(var.ghes_url, "https://", "")}" + github_app_installation = "${var.deployment_config.github.ghes_url == "" ? "https://github.com" : var.deployment_config.github.ghes_url}/apps/${data.aws_secretsmanager_secret_version.data_cicd_secrets["${local.cicd_secrets_prefix}github_actions_runners_app_name"].secret_string}/installations/${data.aws_secretsmanager_secret_version.data_cicd_secrets["${local.cicd_secrets_prefix}github_actions_runners_app_installation_id"].secret_string}" + github_api = var.deployment_config.github.ghes_url == "" ? "https://api.github.com" : "https://api.${replace(var.deployment_config.github.ghes_url, "https://", "")}" } diff --git a/modules/platform/forge_runners/outputs.tf b/modules/platform/forge_runners/outputs.tf index b735ea17..a22d60c4 100644 --- a/modules/platform/forge_runners/outputs.tf +++ b/modules/platform/forge_runners/outputs.tf @@ -1,8 +1,8 @@ output "forge_core" { description = "Core tenant-level metadata (non-sensitive)." value = { - tenant = var.tenant - runner_group_name = var.runner_group_name + tenant = var.deployment_config.tenant + runner_group_name = var.deployment_config.github.runner_group_name } } diff --git a/modules/platform/forge_runners/redrive_deadletter.tf b/modules/platform/forge_runners/redrive_deadletter.tf index 2ae40ffa..35ee1a78 100644 --- a/modules/platform/forge_runners/redrive_deadletter.tf +++ b/modules/platform/forge_runners/redrive_deadletter.tf @@ -9,23 +9,23 @@ module "redrive_deadletter" { aws = aws } - prefix = var.deployment_config.prefix + prefix = var.deployment_config.deployment_prefix logging_retention_in_days = var.logging_retention_in_days log_level = var.log_level tags = local.all_security_tags sqs_map = merge( { - for key in keys(var.ec2_runner_specs) : + for key in keys(var.ec2_deployment_specs.runner_specs) : key => { - dlq = "${local.sqs_prefix_arn}:${var.deployment_config.prefix}-${key}-queued-builds_dead_letter" - main = "${local.sqs_prefix_arn}:${var.deployment_config.prefix}-${key}-queued-builds" + dlq = "${local.sqs_prefix_arn}:${var.deployment_config.deployment_prefix}-${key}-queued-builds_dead_letter" + main = "${local.sqs_prefix_arn}:${var.deployment_config.deployment_prefix}-${key}-queued-builds" } }, { "gha-job-logs" = { - dlq = "${local.sqs_prefix_arn}:${var.deployment_config.prefix}-gha-job-logs-dead-letter" - main = "${local.sqs_prefix_arn}:${var.deployment_config.prefix}-gha-job-logs" + dlq = "${local.sqs_prefix_arn}:${var.deployment_config.deployment_prefix}-gha-job-logs-dead-letter" + main = "${local.sqs_prefix_arn}:${var.deployment_config.deployment_prefix}-gha-job-logs" } }, ) diff --git a/modules/platform/forge_runners/roles.tf b/modules/platform/forge_runners/roles.tf index a038d809..ea7aa743 100644 --- a/modules/platform/forge_runners/roles.tf +++ b/modules/platform/forge_runners/roles.tf @@ -1,6 +1,6 @@ # Define the IAM policy for role assumption data "aws_iam_policy_document" "role_assumption_for_forge_runners" { - count = length(var.tenant.iam_roles_to_assume) > 0 ? 1 : 0 + count = length(var.deployment_config.tenant.iam_roles_to_assume) > 0 ? 1 : 0 statement { effect = "Allow" @@ -8,15 +8,15 @@ data "aws_iam_policy_document" "role_assumption_for_forge_runners" { "sts:AssumeRole", "sts:TagSession", ] - resources = var.tenant.iam_roles_to_assume + resources = var.deployment_config.tenant.iam_roles_to_assume } } # Define the actual IAM policy for role assumption resource "aws_iam_policy" "role_assumption_for_forge_runners" { - count = length(var.tenant.iam_roles_to_assume) > 0 ? 1 : 0 + count = length(var.deployment_config.tenant.iam_roles_to_assume) > 0 ? 1 : 0 - name = "${var.deployment_config.prefix}-policy-for-role-assumption-for-forge_runners" + name = "${var.deployment_config.deployment_prefix}-policy-for-role-assumption-for-forge_runners" description = "Managed policy for IAM role assumption." policy = element(data.aws_iam_policy_document.role_assumption_for_forge_runners[*].json, 0) @@ -43,7 +43,7 @@ data "aws_iam_policy_document" "ecr_access_for_ec2_instances" { # Define the actual IAM policy for ECR access resource "aws_iam_policy" "ecr_access_for_ec2_instances" { - name = "${var.deployment_config.prefix}-policy-for-ecr-access-for-ec2-instances" + name = "${var.deployment_config.deployment_prefix}-policy-for-ecr-access-for-ec2-instances" description = "Managed policy for IAM role assumption." policy = data.aws_iam_policy_document.ecr_access_for_ec2_instances.json diff --git a/modules/platform/forge_runners/secrets.tf b/modules/platform/forge_runners/secrets.tf index ecb6a09d..5a8eebfc 100644 --- a/modules/platform/forge_runners/secrets.tf +++ b/modules/platform/forge_runners/secrets.tf @@ -1,31 +1,31 @@ locals { - cicd_secrets_prefix = "/cicd/common/${var.tenant.name}/${var.deployment_config.secret_suffix}/" + cicd_secrets_prefix = "/cicd/common/${var.deployment_config.tenant.name}/${var.deployment_config.secret_suffix}/" secrets = [ # CI/CD runners: secrets used in build/deploy pipelines. { name = "${local.cicd_secrets_prefix}github_actions_runners_app_key" - description = "Base64 encoded GitHub App private key for GHA ephemeral runners for Tenant ${var.tenant.name}(${var.deployment_config.secret_suffix})." + description = "Base64 encoded GitHub App private key for GHA ephemeral runners for Tenant ${var.deployment_config.tenant.name}(${var.deployment_config.secret_suffix})." recovery_days = 7 }, { name = "${local.cicd_secrets_prefix}github_actions_runners_app_id" - description = "GitHub App ID for GHA ephemeral runners for Tenant ${var.tenant.name}(${var.deployment_config.secret_suffix})." + description = "GitHub App ID for GHA ephemeral runners for Tenant ${var.deployment_config.tenant.name}(${var.deployment_config.secret_suffix})." recovery_days = 7 }, { name = "${local.cicd_secrets_prefix}github_actions_runners_app_client_id" - description = "GitHub App Client ID for GHA ephemeral runners for Tenant ${var.tenant.name}(${var.deployment_config.secret_suffix})." + description = "GitHub App Client ID for GHA ephemeral runners for Tenant ${var.deployment_config.tenant.name}(${var.deployment_config.secret_suffix})." recovery_days = 7 }, { name = "${local.cicd_secrets_prefix}github_actions_runners_app_installation_id" - description = "GitHub App Installation ID for GHA ephemeral runners for Tenant ${var.tenant.name}(${var.deployment_config.secret_suffix})." + description = "GitHub App Installation ID for GHA ephemeral runners for Tenant ${var.deployment_config.tenant.name}(${var.deployment_config.secret_suffix})." recovery_days = 7 }, { name = "${local.cicd_secrets_prefix}github_actions_runners_app_name" - description = "GitHub App Name for GHA ephemeral runners for Tenant ${var.tenant.name}(${var.deployment_config.secret_suffix})." + description = "GitHub App Name for GHA ephemeral runners for Tenant ${var.deployment_config.tenant.name}(${var.deployment_config.secret_suffix})." recovery_days = 7 } ] @@ -93,7 +93,7 @@ data "aws_secretsmanager_secret" "data_cicd_secrets" { depends_on = [ aws_secretsmanager_secret.cicd_secrets, ] - arn = "arn:aws:secretsmanager:${var.aws_region}:${var.aws_account_id}:secret:${each.key}" + arn = "arn:aws:secretsmanager:${var.aws_region}:${data.aws_caller_identity.current.account_id}:secret:${each.key}" } # Need both these objects to be able to extract the secrets' respective diff --git a/modules/platform/forge_runners/service_catalog.tf b/modules/platform/forge_runners/service_catalog.tf index d1e50953..469fe95a 100644 --- a/modules/platform/forge_runners/service_catalog.tf +++ b/modules/platform/forge_runners/service_catalog.tf @@ -1,3 +1,3 @@ resource "aws_servicecatalogappregistry_application" "forge" { - name = var.deployment_config.prefix + name = var.deployment_config.deployment_prefix } diff --git a/modules/platform/forge_runners/update_gh_app.tf b/modules/platform/forge_runners/update_gh_app.tf index 22076bde..fc48789f 100644 --- a/modules/platform/forge_runners/update_gh_app.tf +++ b/modules/platform/forge_runners/update_gh_app.tf @@ -1,7 +1,7 @@ resource "null_resource" "update_github_app_webhook" { triggers = { - ghes_org = var.ghes_org - ghes_url = var.ghes_url + ghes_org = var.deployment_config.github.ghes_org + ghes_url = var.deployment_config.github.ghes_url webhook_url = try(module.ec2_runners[0].webhook_endpoint, "https://cisco-open.github.io/forge") secret = try(random_id.random[0].hex, null) secret_version = data.aws_secretsmanager_secret_version.data_cicd_secrets["${local.cicd_secrets_prefix}github_actions_runners_app_key"].id @@ -16,7 +16,7 @@ resource "null_resource" "update_github_app_webhook" { WEBHOOK_URL = self.triggers.webhook_url SECRET = self.triggers.secret GITHUB_API = local.github_api - PREFIX = "${var.env}-${var.deployment_config.prefix}" + PREFIX = "${var.deployment_config.env}-${var.deployment_config.deployment_prefix}" } command = "${path.module}/scripts/generate_and_patch_github_app.sh" diff --git a/modules/platform/forge_runners/variables.tf b/modules/platform/forge_runners/variables.tf index 0e083c90..b33fc99b 100644 --- a/modules/platform/forge_runners/variables.tf +++ b/modules/platform/forge_runners/variables.tf @@ -1,147 +1,201 @@ -variable "aws_account_id" { - type = string - description = "AWS account ID (not SL AWS account ID) associated with the infra/backend." -} - variable "aws_profile" { type = string - description = "AWS profile (i.e. generated via 'sl aws session generate') to use." + description = "AWS profile to use." } variable "aws_region" { type = string - description = "Assuming single region for now." + description = "AWS region where Forge runners and supporting infrastructure are deployed." } -variable "env" { - type = string - description = "Deployment environments." -} +variable "ec2_deployment_specs" { + type = object({ + lambda_subnet_ids = list(string) + subnet_ids = list(string) + vpc_id = string + runner_specs = map(object({ + ami_filter = object({ + name = list(string) + state = list(string) + }) + ami_kms_key_arn = string + ami_owners = list(string) + runner_labels = list(string) + runner_os = string + runner_architecture = string + extra_labels = list(string) + max_instances = number + min_run_time = number + instance_types = list(string) + pool_config = list(object({ + size = number + schedule_expression = string + schedule_expression_timezone = string + })) + runner_user = string + enable_userdata = bool + instance_target_capacity_type = string + block_device_mappings = list(object({ + delete_on_termination = bool + device_name = string + encrypted = bool + iops = number + kms_key_id = string + snapshot_id = string + throughput = number + volume_size = number + volume_type = string + })) + })) + }) -variable "ghes_org" { - type = string - description = "GitHub organization." + description = <<-EOT + EC2 deployment configuration for GitHub Actions runners. + + Top-level fields: + - lambda_subnet_ids: Subnets where runner-related lambdas execute. + These can be more permissive than the runner subnets. + - subnet_ids : Subnets where the EC2 runners are launched. + - vpc_id : VPC that contains both runner and lambda subnets. + - runner_specs : Map of runner pool keys to their EC2 sizing and + scheduling configuration. + + runner_specs[*] object fields: + - ami_filter : Name/state filters used to select the runner AMI. + - ami_kms_key_arn : KMS key ARN used to encrypt AMI EBS volumes. + - ami_owners : List of AWS account IDs that own the AMI. + - runner_labels : Base GitHub labels applied to jobs for this pool. + - runner_os : Runner operating system (for example, linux). + - runner_architecture: CPU architecture (for example, x86_64 or arm64). + - extra_labels : Additional GitHub labels that further specialize + this runner pool. + - max_instances : Maximum number of EC2 runners in this pool. + - min_run_time : Minimum job run time (in minutes) before a runner + is eligible for scale-down. + - instance_types : Allowed EC2 instance types for runners in this pool. + - pool_config : List of pool size schedules (size + cron expression + and optional time zone) controlling baseline capacity. + - runner_user : OS user under which the GitHub runner process runs. + - enable_userdata : Whether the module should inject its standard + userdata to configure the runner VM. + - instance_target_capacity_type: EC2 capacity type to use (spot or + on-demand). + - block_device_mappings: EBS volume configuration for the runner + instances, including size, type, encryption, and KMS. + EOT } -variable "ghes_url" { - type = string - description = "GitHub Enterprise Server URL." -} -variable "repository_selection" { - type = string - description = "Repository selection type." +variable "deployment_config" { + type = object({ + deployment_prefix = string + secret_suffix = string + env = string + github_app = object({ + id = string + client_id = string + installation_id = string + name = string + }) + github = object({ + ghes_org = string + ghes_url = string + repository_selection = string + runner_group_name = string + }) + tenant = object({ + name = string + iam_roles_to_assume = optional(list(string), []) + ecr_registries = optional(list(string), []) + github_logs_reader_role_arns = optional(list(string), []) + }) + }) validation { - condition = contains(["all", "selected"], var.repository_selection) + condition = contains(["all", "selected"], var.deployment_config.github.repository_selection) error_message = "repository_selection must be 'all' or 'selected'." } -} - -variable "lambda_subnet_ids" { - type = list(string) - description = "So the lambdas can run in our pre-determined subnets. They don't require the same security policy as the runners though." -} -variable "runner_group_name" { - type = string - description = "Name of the group applied to all runners." + description = <<-EOT + High-level deployment configuration for a Forge runner installation. + + Top-level fields: + - deployment_prefix: Prefix used when naming resources (for example, + log groups, KMS keys, and SSM parameters). + - env : Logical environment name (for example, dev, stage, + prod). Used for tagging and dashboards. + + github_app object: + - id : Numeric GitHub App ID. + - client_id : OAuth client ID for the app. + - installation_id: GitHub App installation ID for this tenant. + - name : GitHub App name, used to build URLs and logs. + + github object: + - ghes_org : GitHub organization that owns the repos where + runners will be used. + - ghes_url : GitHub.com or GHES base URL. Empty string implies + public github.com. + - repository_selection: Scope for runners (all or selected repositories). + - runner_group_name : GitHub runner group to attach new runners to. + + tenant object: + - name : Tenant identifier used in naming and + tagging. + - iam_roles_to_assume : Optional list of IAM role ARNs that + runners are allowed to assume for workload execution. + - ecr_registries : Optional list of ECR registry URLs that + runners may need to pull images from. + - github_logs_reader_role_arns: Optional list of IAM roles that can read + GitHub Actions logs for this tenant. + EOT } -variable "deployment_config" { +variable "arc_deployment_specs" { type = object({ - prefix = string - secret_suffix = string - }) - description = "Prefix for the deployment, used to distinguish resources." -} - -variable "ec2_runner_specs" { - description = "Map of runner specifications" - type = map(object({ - ami_filter = object({ - name = list(string) - state = list(string) - }) - ami_kms_key_arn = string - ami_owners = list(string) - runner_labels = list(string) - runner_os = string - runner_architecture = string - extra_labels = list(string) - max_instances = number - min_run_time = number - instance_types = list(string) - pool_config = list(object({ - size = number - schedule_expression = string - schedule_expression_timezone = string + cluster_name = string + migrate_cluster = optional(bool, false) + runner_specs = map(object({ + runner_size = object({ + max_runners = number + min_runners = number + }) + scale_set_name = string + scale_set_type = string + container_actions_runner = string + container_limits_cpu = string + container_limits_memory = string + container_requests_cpu = string + container_requests_memory = string + volume_requests_storage_size = string + volume_requests_storage_type = string })) - runner_user = string - enable_userdata = bool - instance_target_capacity_type = string - block_device_mappings = list(object({ - delete_on_termination = bool - device_name = string - encrypted = bool - iops = number - kms_key_id = string - snapshot_id = string - throughput = number - volume_size = number - volume_type = string - })) - })) -} - -variable "subnet_ids" { - type = list(string) - description = "Subnet(s) in which our runners will be deployed. Supplied by the underlying AWS-based CI/CD stack." -} - -variable "tenant" { - description = "Map of tenant configs" - type = object({ - name = string - iam_roles_to_assume = optional(list(string), []) - ecr_registries = optional(list(string), []) - github_logs_reader_role_arns = optional(list(string), []) }) -} - -variable "vpc_id" { - type = string - description = "VPC in which our runners will be deployed. Supplied by the underlying AWS-based CI/CD stack." -} - -variable "arc_cluster_name" { - description = "Name of the EKS cluster" - type = string -} - -variable "arc_runner_specs" { - description = "Map of runner specifications" - type = map(object({ - runner_size = object({ - max_runners = number - min_runners = number - }) - scale_set_name = string - scale_set_type = string - container_actions_runner = string - container_limits_cpu = string - container_limits_memory = string - container_requests_cpu = string - container_requests_memory = string - volume_requests_storage_size = string - volume_requests_storage_type = string - })) -} -variable "migrate_arc_cluster" { - type = bool - description = "Flag to indicate if the cluster is being migrated." - default = false + description = <<-EOT + Deployment configuration for Azure Container Apps (ARC) runners. + + Top-level fields: + - cluster_name : Name of the EKS cluster used for ARC runners. + - migrate_cluster: Optional flag to indicate a one-time migration or + blue/green cutover of the ARC runner cluster. + - runner_specs : Map of ARC runner pool keys to their sizing and + container resource settings. + + runner_specs[*] object fields: + - runner_size.max_runners: Maximum concurrent ARC runners for this pool. + - runner_size.min_runners: Minimum number of warm runners. + - scale_set_name : Logical name for the scale set / pool. + - scale_set_type : Backing type for the scale set (for example, + kubernetes or containerapp, depending on integration). + - container_actions_runner : Container image used for the ARC runner. + - container_limits_cpu : CPU limit for the runner container. + - container_limits_memory : Memory limit for the runner container. + - container_requests_cpu : CPU request (baseline reservation). + - container_requests_memory : Memory request (baseline reservation). + - volume_requests_storage_size: Size of attached storage for the runner. + - volume_requests_storage_type: Storage class or type for attached volume. + EOT } variable "tags" { From 95f3fc4a12574d82ee31301d86afa98069a697c4 Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Thu, 11 Dec 2025 14:11:55 +0100 Subject: [PATCH 33/85] feat: add code to create ssm (#242) --- modules/platform/ec2_deployment/main.tf | 52 ++++++++---------- modules/platform/forge_runners/ssm.tf | 71 +++++++++++++++++++++++++ 2 files changed, 92 insertions(+), 31 deletions(-) create mode 100644 modules/platform/forge_runners/ssm.tf diff --git a/modules/platform/ec2_deployment/main.tf b/modules/platform/ec2_deployment/main.tf index 59727046..5038f459 100644 --- a/modules/platform/ec2_deployment/main.tf +++ b/modules/platform/ec2_deployment/main.tf @@ -17,15 +17,6 @@ locals { } ) - # Security settings for the binaries (lambdas) stored in S3. - s3_security_settings = { - rule = { - apply_server_side_encryption_by_default = { - sse_algorithm = "AES256" - } - } - } - } # Enable AWS-managed encryption key. @@ -116,7 +107,6 @@ module "runners" { enabled = true maxReceiveCount = 10 } - delay_webhook_event = 0 runner_config = { runner_metadata_options = { "http_endpoint" : "enabled", @@ -124,27 +114,27 @@ module "runners" { "http_tokens" : "optional", "instance_metadata_tags" : "enabled" } - runner_ec2_tags = var.tenant_configs.tags - runner_binaries_s3_sse_configuration = local.s3_security_settings - runner_os = val["runner_os"] - runner_architecture = val["runner_architecture"] - runner_extra_labels = val["extra_labels"] - enable_ssm_on_runners = true - instance_types = val["instance_types"] - runners_maximum_count = val["max_instances"] - scale_down_schedule_expression = "cron(*/5 * * * ? *)" - minimum_running_time_in_minutes = val["min_run_time"] - runner_group_name = var.runner_configs.runner_group_name - enable_runner_binaries_syncer = false - enable_userdata = val["enable_userdata"] - userdata_template = local.user_data_template_runner - userdata_pre_install = "# No pre-install steps." - userdata_post_install = local.userdata_post_install - runner_hook_job_started = local.runner_hook_job_started - runner_hook_job_completed = local.runner_hook_job_completed - enable_runner_detailed_monitoring = true - runner_run_as = val["runner_user"] - block_device_mappings = val["block_device_mappings"] + delay_webhook_event = 0 + runner_ec2_tags = var.tenant_configs.tags + runner_os = val["runner_os"] + runner_architecture = val["runner_architecture"] + runner_extra_labels = val["extra_labels"] + enable_ssm_on_runners = true + instance_types = val["instance_types"] + runners_maximum_count = val["max_instances"] + scale_down_schedule_expression = "cron(*/5 * * * ? *)" + minimum_running_time_in_minutes = val["min_run_time"] + runner_group_name = var.runner_configs.runner_group_name + enable_runner_binaries_syncer = false + enable_userdata = val["enable_userdata"] + userdata_template = local.user_data_template_runner + userdata_pre_install = "# No pre-install steps." + userdata_post_install = local.userdata_post_install + runner_hook_job_started = local.runner_hook_job_started + runner_hook_job_completed = local.runner_hook_job_completed + enable_runner_detailed_monitoring = true + runner_run_as = val["runner_user"] + block_device_mappings = val["block_device_mappings"] runner_log_files = [ { "log_group_name" : "forge-logs", diff --git a/modules/platform/forge_runners/ssm.tf b/modules/platform/forge_runners/ssm.tf new file mode 100644 index 00000000..43f94bbe --- /dev/null +++ b/modules/platform/forge_runners/ssm.tf @@ -0,0 +1,71 @@ +resource "aws_ssm_parameter" "github_app_key" { + name = "/forge/${var.deployment_config.deployment_prefix}/github_app_key" + description = "Base64 encoded GitHub App private key for GHA ephemeral runners for Tenant ${var.deployment_config.tenant.name}." + type = "SecureString" + value = "initial-placeholder-value" + tags = local.all_security_tags + + lifecycle { + # Allow operators to rotate the key directly in SSM without Terraform + # forcing it back to the original value. + ignore_changes = [value] + } +} + +resource "aws_ssm_parameter" "github_app_id" { + name = "/forge/${var.deployment_config.deployment_prefix}/github_app_id" + description = "GitHub App ID for GHA ephemeral runners for Tenant ${var.deployment_config.tenant.name}." + type = "SecureString" + value = var.deployment_config.github_app.id + + tags = local.all_security_tags +} + +resource "aws_ssm_parameter" "github_app_client_id" { + name = "/forge/${var.deployment_config.deployment_prefix}/github_app_client_id" + description = "GitHub App Client ID for GHA ephemeral runners for Tenant ${var.deployment_config.tenant.name}." + type = "SecureString" + value = var.deployment_config.github_app.client_id + + tags = local.all_security_tags +} + +resource "aws_ssm_parameter" "github_app_installation_id" { + name = "/forge/${var.deployment_config.deployment_prefix}/github_app_installation_id" + description = "GitHub App Installation ID for GHA ephemeral runners for Tenant ${var.deployment_config.tenant.name}." + type = "SecureString" + value = var.deployment_config.github_app.installation_id + + tags = local.all_security_tags +} + +resource "aws_ssm_parameter" "github_app_name" { + name = "/forge/${var.deployment_config.deployment_prefix}/github_app_name" + description = "GitHub App Name for GHA ephemeral runners for Tenant ${var.deployment_config.tenant.name}." + type = "SecureString" + value = var.deployment_config.github_app.name + + tags = local.all_security_tags +} + +resource "aws_ssm_parameter" "github_app_webhook_secret" { + name = "/forge/${var.deployment_config.deployment_prefix}/github_app_webhook_secret" + description = "GitHub App webhook secret for GHA ephemeral runners for Tenant ${var.deployment_config.tenant.name}." + type = "SecureString" + value = random_password.github_app_webhook_secret.result + + tags = local.all_security_tags +} + + +resource "time_rotating" "every_30_days" { + rotation_days = 30 +} + +resource "random_password" "github_app_webhook_secret" { + length = 20 + + keepers = { + rotation = time_rotating.every_30_days.id + } +} From 1563d38de6e16002d23e755b4c81dae8dd10f741 Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Thu, 11 Dec 2025 15:26:59 +0100 Subject: [PATCH 34/85] refactor(extra-lambdas): replace secret manager for ssm (#243) * refactor: replace secret manager for ssm * feat: use exceptions to trigger errors in monitoring * fix: address github code quality issue --- .../lambda/forge_trust_validator.py | 69 +++++----- .../forge_runners/github_actions_job_log.tf | 14 +- .../job_log_archiver.tf | 20 +-- .../job_log_archiver/job_log_archiver.py | 120 +++++++++--------- .../job_log_dispatcher/job_log_dispatcher.py | 77 +++++------ .../github_actions_job_logs/secrets.tf | 23 ---- .../github_actions_job_logs/variables.tf | 16 ++- .../forge_runners/github_app_runner_group.tf | 14 +- .../lambda/github_app_runner_group.py | 19 ++- .../github_app_runner_group/main.tf | 22 ++-- .../github_app_runner_group/secrets.tf | 23 ---- .../github_app_runner_group/variables.tf | 20 ++- .../forge_runners/github_global_lock.tf | 14 +- .../lambda/github_clean_global_lock.py | 18 ++- .../forge_runners/github_global_lock/main.tf | 22 ++-- .../github_global_lock/secrets.tf | 23 ---- .../github_global_lock/variables.tf | 21 ++- .../lambda/redrive_deadletter.py | 65 +++++----- 18 files changed, 309 insertions(+), 291 deletions(-) delete mode 100644 modules/platform/forge_runners/github_actions_job_logs/secrets.tf delete mode 100644 modules/platform/forge_runners/github_app_runner_group/secrets.tf delete mode 100644 modules/platform/forge_runners/github_global_lock/secrets.tf diff --git a/modules/platform/forge_runners/forge_trust_validator/lambda/forge_trust_validator.py b/modules/platform/forge_runners/forge_trust_validator/lambda/forge_trust_validator.py index a11b081a..ca8a87f7 100644 --- a/modules/platform/forge_runners/forge_trust_validator/lambda/forge_trust_validator.py +++ b/modules/platform/forge_runners/forge_trust_validator/lambda/forge_trust_validator.py @@ -207,39 +207,44 @@ def lambda_handler(event, context): FORGE_IAM_ROLES='["arn:aws:iam::123:role/forge-1","arn:aws:iam::123:role/forge-2"]' TENANT_IAM_ROLES="arn:aws:iam::456:role/tenant-1,arn:aws:iam::789:role/tenant-2" """ - LOG.info('Lambda handler started') - forge_iam_roles = parse_env_list('FORGE_IAM_ROLES') - tenant_iam_roles = parse_env_list('TENANT_IAM_ROLES') - - if not forge_iam_roles or not tenant_iam_roles: - LOG.error( - 'Missing required environment variables: FORGE_IAM_ROLES or TENANT_IAM_ROLES') - return { - 'statusCode': 400, - 'body': json.dumps( - { - 'message': ( - 'Missing forge_iam_roles or tenant_iam_roles ' - '(check env variables FORGE_IAM_ROLES and TENANT_IAM_ROLES).' - ) - } - ), - } + try: + LOG.info('Lambda handler started') + forge_role_arns = parse_env_list('FORGE_IAM_ROLES') + tenant_role_arns = parse_env_list('TENANT_IAM_ROLES') + + if not forge_role_arns or not tenant_role_arns: + LOG.error( + 'Missing required environment variables: FORGE_IAM_ROLES or TENANT_IAM_ROLES') + return { + 'statusCode': 400, + 'body': json.dumps( + { + 'message': ( + 'Missing forge_role_arns or tenant_role_arns ' + '(check env variables FORGE_IAM_ROLES and TENANT_IAM_ROLES).' + ) + } + ), + } - LOG.info( - f"Loaded configuration: {len(forge_iam_roles)} Forge roles, {len(tenant_iam_roles)} Tenant roles") - all_results: List[Dict[str, Any]] = [] + LOG.info( + f"Loaded configuration: {len(forge_role_arns)} Forge roles, {len(tenant_role_arns)} Tenant roles") + all_results: List[Dict[str, Any]] = [] - for forge_arn in forge_iam_roles: - res = validate_forge_role_against_tenants( - forge_role_arn=forge_arn, - tenant_role_arns=tenant_iam_roles, - ) - all_results.append(res) + for forge_role_arn in forge_role_arns: + res = validate_forge_role_against_tenants( + forge_role_arn=forge_role_arn, + tenant_role_arns=tenant_role_arns, + ) + all_results.append(res) - LOG.info('Validation complete: %s', json.dumps(all_results)) + LOG.info('Validation complete: %s', json.dumps(all_results)) - return { - 'statusCode': 200, - 'body': json.dumps(all_results), - } + return { + 'statusCode': 200, + 'body': json.dumps(all_results), + } + except Exception as e: + LOG.exception( + f'Unhandled exception in forge_trust_validator lambda. Error: {str(e)}') + raise diff --git a/modules/platform/forge_runners/github_actions_job_log.tf b/modules/platform/forge_runners/github_actions_job_log.tf index ba1fd8d8..826fea91 100644 --- a/modules/platform/forge_runners/github_actions_job_log.tf +++ b/modules/platform/forge_runners/github_actions_job_log.tf @@ -6,8 +6,18 @@ module "github_actions_job_logs" { aws = aws } - prefix = var.deployment_config.deployment_prefix - secrets_prefix = local.cicd_secrets_prefix + prefix = var.deployment_config.deployment_prefix + github_app = { + key_base64_ssm = { + arn = aws_ssm_parameter.github_app_key.arn + } + id_ssm = { + arn = aws_ssm_parameter.github_app_id.arn + } + installation_id_ssm = { + arn = aws_ssm_parameter.github_app_installation_id.arn + } + } shared_role_arns = var.deployment_config.tenant.github_logs_reader_role_arns logging_retention_in_days = var.logging_retention_in_days log_level = var.log_level diff --git a/modules/platform/forge_runners/github_actions_job_logs/job_log_archiver.tf b/modules/platform/forge_runners/github_actions_job_logs/job_log_archiver.tf index 4f5f28b6..f2793e7e 100644 --- a/modules/platform/forge_runners/github_actions_job_logs/job_log_archiver.tf +++ b/modules/platform/forge_runners/github_actions_job_logs/job_log_archiver.tf @@ -31,9 +31,9 @@ module "job_log_archiver" { environment_variables = { GITHUB_API = local.github_api - SECRET_NAME_APP_ID = local.secrets["github_actions_runners_app_id"].name - SECRET_NAME_PRIVATE_KEY = local.secrets["github_actions_runners_app_key"].name - SECRET_NAME_INSTALLATION_ID = local.secrets["github_actions_runners_app_installation_id"].name + SECRET_NAME_APP_ID = var.github_app.id_ssm.arn + SECRET_NAME_PRIVATE_KEY = var.github_app.key_base64_ssm.arn + SECRET_NAME_INSTALLATION_ID = var.github_app.installation_id_ssm.arn BUCKET_NAME = aws_s3_bucket.gh_logs.id KMS_KEY_ARN = aws_kms_key.gh_logs.arn LOG_LEVEL = var.log_level @@ -83,14 +83,18 @@ data "aws_iam_policy_document" "job_log_archiver" { statement { effect = "Allow" + actions = [ - "secretsmanager:GetSecretValue", - "secretsmanager:DescribeSecret", + "ssm:GetParameter", + "ssm:GetParameters", + "ssm:GetParameterHistory", + "ssm:DescribeParameters", ] + resources = [ - data.aws_secretsmanager_secret_version.secrets["github_actions_runners_app_key"].arn, - data.aws_secretsmanager_secret_version.secrets["github_actions_runners_app_id"].arn, - data.aws_secretsmanager_secret_version.secrets["github_actions_runners_app_installation_id"].arn, + var.github_app.id_ssm.arn, + var.github_app.key_base64_ssm.arn, + var.github_app.installation_id_ssm.arn, ] } diff --git a/modules/platform/forge_runners/github_actions_job_logs/lambda/job_log_archiver/job_log_archiver.py b/modules/platform/forge_runners/github_actions_job_logs/lambda/job_log_archiver/job_log_archiver.py index fb3578d9..b4c1b489 100644 --- a/modules/platform/forge_runners/github_actions_job_logs/lambda/job_log_archiver/job_log_archiver.py +++ b/modules/platform/forge_runners/github_actions_job_logs/lambda/job_log_archiver/job_log_archiver.py @@ -15,7 +15,7 @@ level_str = os.environ.get('LOG_LEVEL', 'INFO').upper() LOG.setLevel(getattr(logging, level_str, logging.INFO)) -SECRETS = boto3.client('secretsmanager') +SSM = boto3.client('ssm') S3 = boto3.client('s3') MAX_S3_TAGS = 10 @@ -23,11 +23,9 @@ GITHUB_RETRY_DELAY = 2 -def _get_secret_value(secret_id: str) -> str: - resp = SECRETS.get_secret_value(SecretId=secret_id) - if 'SecretString' in resp: - return resp['SecretString'] - return base64.b64decode(resp['SecretBinary']).decode() +def _get_secret_value(parameter_name: str) -> str: + resp = SSM.get_parameter(Name=parameter_name, WithDecryption=True) + return resp['Parameter']['Value'] def _generate_jwt(app_id: str, private_key_pem: str) -> str: @@ -157,63 +155,67 @@ def _tags(wf: Dict[str, Any]) -> Dict[str, str]: def lambda_handler(event: Dict[str, Any], _context: Any) -> Dict[str, Any]: # pragma: no cover - LOG.debug('Event: %s', json.dumps(event)) try: - gh_event, workflow_job = _parse_event(event) - except ValueError: - LOG.error('Invalid JSON in SQS body') - return {'status': 'error', 'error': 'invalid_json'} + LOG.debug('Event: %s', json.dumps(event)) + try: + gh_event, workflow_job = _parse_event(event) + except Exception as e: + raise ValueError('invalid_json Error: %s', str(e)) - detail = gh_event.get('detail', {}) - if detail.get('action') != 'completed' or not workflow_job: - return {'status': 'ignored'} + detail = gh_event.get('detail', {}) + if detail.get('action') != 'completed' or not workflow_job: + LOG.info( + 'Event action is not completed or workflow_job is missing, ignoring.') + return {'status': 'ignored'} - repo_full_name = (detail.get('repository') or {}).get('full_name') - if not repo_full_name: - return {'status': 'error', 'error': 'missing_repository'} + repo_full_name = (detail.get('repository') or {}).get('full_name') + if not repo_full_name: + raise ValueError('missing_repository') - try: - env = _get_env() - except RuntimeError as e: - LOG.error(str(e)) - return {'status': 'error', 'error': 'missing_env'} + try: + env = _get_env() + except Exception as e: + raise ValueError('missing_env. Error: %s', str(e)) - owner, repo = repo_full_name.split('/', 1) - job_id = workflow_job.get('id') - run_id = workflow_job.get('run_id') - runner_name = workflow_job.get('runner_name') - run_attempt = workflow_job.get('run_attempt') - workflow_name = workflow_job.get('workflow_name') + owner, repo = repo_full_name.split('/', 1) + job_id = workflow_job.get('id') + run_id = workflow_job.get('run_id') + runner_name = workflow_job.get('runner_name') + run_attempt = workflow_job.get('run_attempt') + workflow_name = workflow_job.get('workflow_name') - if not all([runner_name, run_id, job_id]): - return {'status': 'error', 'error': 'missing_ids'} + if not all([runner_name, run_id, job_id]): + raise ValueError('missing_ids') - try: - install_token = _github_auth( - env['SECRET_NAME_APP_ID'], env['SECRET_NAME_PRIVATE_KEY'], env['SECRET_NAME_INSTALLATION_ID'], env['GITHUB_API'] - ) - _, log_key, event_key = _keys( - repo_full_name, run_id, run_attempt, job_id) - obj_tags = _tags(workflow_job) - body = _download_job_logs(owner, repo, int( - job_id), install_token, env['GITHUB_API']) - _put_log_object(env['BUCKET_NAME'], log_key, body, - env['KMS_KEY_ARN'], obj_tags) - size = len(body) - _put_json_object(env['BUCKET_NAME'], event_key, - detail, env['KMS_KEY_ARN'], obj_tags) - - return { - 'status': 'ok', - 'job_id': job_id, - 'run_id': run_id, - 'run_attempt': run_attempt, - 'workflow_name': workflow_name, - 'repository': repo_full_name, - 'log_key': log_key, - 'event_key': event_key, - 'size': size - } - except Exception: - LOG.exception('archive_failed job_id=%s run_id=%s', job_id, run_id) - return {'status': 'error', 'job_id': job_id, 'run_id': run_id, 'error': 'see logs'} + try: + install_token = _github_auth( + env['SECRET_NAME_APP_ID'], env['SECRET_NAME_PRIVATE_KEY'], env['SECRET_NAME_INSTALLATION_ID'], env['GITHUB_API'] + ) + _, log_key, event_key = _keys( + repo_full_name, run_id, run_attempt, job_id) + obj_tags = _tags(workflow_job) + body = _download_job_logs(owner, repo, int( + job_id), install_token, env['GITHUB_API']) + _put_log_object(env['BUCKET_NAME'], log_key, body, + env['KMS_KEY_ARN'], obj_tags) + size = len(body) + _put_json_object(env['BUCKET_NAME'], event_key, + detail, env['KMS_KEY_ARN'], obj_tags) + + return { + 'status': 'ok', + 'job_id': job_id, + 'run_id': run_id, + 'run_attempt': run_attempt, + 'workflow_name': workflow_name, + 'repository': repo_full_name, + 'log_key': log_key, + 'event_key': event_key, + 'size': size + } + except Exception as e: + raise ValueError( + 'archiver_error: job_id=%s run_id=%s. Error: %s', job_id, run_id, str(e)) + except Exception as e: + LOG.exception( + 'Unhandled exception in job_log_archiver lambda. Error: %s', str(e)) diff --git a/modules/platform/forge_runners/github_actions_job_logs/lambda/job_log_dispatcher/job_log_dispatcher.py b/modules/platform/forge_runners/github_actions_job_logs/lambda/job_log_dispatcher/job_log_dispatcher.py index f665bfe7..46f988ab 100644 --- a/modules/platform/forge_runners/github_actions_job_logs/lambda/job_log_dispatcher/job_log_dispatcher.py +++ b/modules/platform/forge_runners/github_actions_job_logs/lambda/job_log_dispatcher/job_log_dispatcher.py @@ -15,39 +15,44 @@ def lambda_handler(event, context): - LOG.debug('Received event') - - if event.get('detail-type') != 'workflow_job': - LOG.info('Ignoring non-workflow_job event: %s', - event.get('detail-type')) - return {'statusCode': 200, 'body': json.dumps({'message': 'ignored event'})} - sqs.send_message(QueueUrl=QUEUE_URL, MessageBody=json.dumps(event)) - - detail = event.get('detail', {}) - workflow_job = detail.get('workflow_job', {}) - repo = detail.get('repository', {}).get('full_name') - - payload = { - 'repository': repo, - 'job_id': workflow_job.get('id'), - 'run_id': workflow_job.get('run_id'), - 'workflow': workflow_job.get('workflow_name'), - 'attempt': workflow_job.get('run_attempt', 1), - 'job_name': workflow_job.get('name'), - 'status': workflow_job.get('status'), - 'conclusion': workflow_job.get('conclusion'), - 'branch': workflow_job.get('head_branch'), - 'sha': (workflow_job.get('head_sha') or '')[:12], - 'labels': workflow_job.get('labels', []), - 'action': detail.get('action'), - } - - LOG.info( - 'Enqueued workflow_job action=%s repo=%s job_id=%s run_id=%s workflow=%s job_name=%s status=%s conclusion=%s attempt=%s branch=%s sha=%s labels=%s', - payload['action'], payload['repository'], payload['job_id'], payload['run_id'], - payload['workflow'], payload['job_name'], payload['status'], payload['conclusion'], - payload['attempt'], payload['branch'], payload['sha'], ','.join( - payload['labels']) - ) - - return {'enqueued': True} + try: + LOG.debug('Received event') + + if event.get('detail-type') != 'workflow_job': + LOG.info('Ignoring non-workflow_job event: %s', + event.get('detail-type')) + return {'statusCode': 200, 'body': json.dumps({'message': 'ignored event'})} + sqs.send_message(QueueUrl=QUEUE_URL, MessageBody=json.dumps(event)) + + detail = event.get('detail', {}) + workflow_job = detail.get('workflow_job', {}) + repo = detail.get('repository', {}).get('full_name') + + payload = { + 'repository': repo, + 'job_id': workflow_job.get('id'), + 'run_id': workflow_job.get('run_id'), + 'workflow': workflow_job.get('workflow_name'), + 'attempt': workflow_job.get('run_attempt', 1), + 'job_name': workflow_job.get('name'), + 'status': workflow_job.get('status'), + 'conclusion': workflow_job.get('conclusion'), + 'branch': workflow_job.get('head_branch'), + 'sha': (workflow_job.get('head_sha') or '')[:12], + 'labels': workflow_job.get('labels', []), + 'action': detail.get('action'), + } + + LOG.info( + 'Enqueued workflow_job action=%s repo=%s job_id=%s run_id=%s workflow=%s job_name=%s status=%s conclusion=%s attempt=%s branch=%s sha=%s labels=%s', + payload['action'], payload['repository'], payload['job_id'], payload['run_id'], + payload['workflow'], payload['job_name'], payload['status'], payload['conclusion'], + payload['attempt'], payload['branch'], payload['sha'], ','.join( + payload['labels']) + ) + + return {'enqueued': True} + except Exception as e: + LOG.exception( + f'Unhandled exception in job_log_dispatcher lambda. Error: {str(e)}') + raise diff --git a/modules/platform/forge_runners/github_actions_job_logs/secrets.tf b/modules/platform/forge_runners/github_actions_job_logs/secrets.tf deleted file mode 100644 index 75be70cf..00000000 --- a/modules/platform/forge_runners/github_actions_job_logs/secrets.tf +++ /dev/null @@ -1,23 +0,0 @@ -locals { - secrets = { - github_actions_runners_app_key = { - name = "${var.secrets_prefix}github_actions_runners_app_key" - } - github_actions_runners_app_installation_id = { - name = "${var.secrets_prefix}github_actions_runners_app_installation_id" - } - github_actions_runners_app_id = { - name = "${var.secrets_prefix}github_actions_runners_app_id" - } - } -} - -data "aws_secretsmanager_secret" "secrets" { - for_each = local.secrets - name = each.value.name -} - -data "aws_secretsmanager_secret_version" "secrets" { - for_each = data.aws_secretsmanager_secret.secrets - secret_id = each.value.id -} diff --git a/modules/platform/forge_runners/github_actions_job_logs/variables.tf b/modules/platform/forge_runners/github_actions_job_logs/variables.tf index cdd28c87..c6159d06 100644 --- a/modules/platform/forge_runners/github_actions_job_logs/variables.tf +++ b/modules/platform/forge_runners/github_actions_job_logs/variables.tf @@ -38,7 +38,17 @@ variable "prefix" { type = string } -variable "secrets_prefix" { - description = "Prefix for all secrets" - type = string +variable "github_app" { + description = "GitHub App configuration" + type = object({ + key_base64_ssm = object({ + arn = string + }) + id_ssm = object({ + arn = string + }) + installation_id_ssm = object({ + arn = string + }) + }) } diff --git a/modules/platform/forge_runners/github_app_runner_group.tf b/modules/platform/forge_runners/github_app_runner_group.tf index 8d0474f2..ae781003 100644 --- a/modules/platform/forge_runners/github_app_runner_group.tf +++ b/modules/platform/forge_runners/github_app_runner_group.tf @@ -5,8 +5,18 @@ module "github_app_runner_group" { aws = aws } - prefix = var.deployment_config.deployment_prefix - secrets_prefix = local.cicd_secrets_prefix + prefix = var.deployment_config.deployment_prefix + github_app = { + key_base64_ssm = { + arn = aws_ssm_parameter.github_app_key.arn + } + id_ssm = { + arn = aws_ssm_parameter.github_app_id.arn + } + installation_id_ssm = { + arn = aws_ssm_parameter.github_app_installation_id.arn + } + } logging_retention_in_days = var.logging_retention_in_days log_level = var.log_level tags = local.all_security_tags diff --git a/modules/platform/forge_runners/github_app_runner_group/lambda/github_app_runner_group.py b/modules/platform/forge_runners/github_app_runner_group/lambda/github_app_runner_group.py index 6e450dcf..96a068f5 100644 --- a/modules/platform/forge_runners/github_app_runner_group/lambda/github_app_runner_group.py +++ b/modules/platform/forge_runners/github_app_runner_group/lambda/github_app_runner_group.py @@ -20,6 +20,8 @@ level_str = os.environ.get('LOG_LEVEL', 'INFO').upper() LOG.setLevel(getattr(logging, level_str, logging.INFO)) +SSM = boto3.client('ssm') + def generate_jwt(app_id: str, private_key: str) -> str: """Generate a JWT for GitHub App authentication.""" @@ -144,11 +146,10 @@ def save_to_runner_group(access_token: str, github_api: str, organization: str, f"Added repository {repo['full_name']} to runner group {runner_group_name}.") -def get_secret(secret_name: str) -> Dict[str, Any]: - """Retrieve secrets from AWS Secrets Manager.""" - client = boto3.client('secretsmanager') - response = client.get_secret_value(SecretId=secret_name) - return response['SecretString'] +def get_secret(secret_name: str) -> str: + """Retrieve secrets from AWS Systems Manager Parameter Store.""" + response = SSM.get_parameter(Name=secret_name, WithDecryption=True) + return response['Parameter']['Value'] def lambda_handler(event: Dict[str, Any], context: Any) -> Dict[str, Any]: @@ -192,8 +193,6 @@ def lambda_handler(event: Dict[str, Any], context: Any) -> Dict[str, Any]: 'body': json.dumps({'message': 'Repositories added to runner group successfully.'}) } except Exception as e: - LOG.error(f'Error: {str(e)}') - return { - 'statusCode': 500, - 'body': json.dumps({'message': 'An error occurred', 'error': str(e)}) - } + LOG.exception( + f'Unhandled exception in github_app_runner_group lambda. Error: {str(e)}') + raise diff --git a/modules/platform/forge_runners/github_app_runner_group/main.tf b/modules/platform/forge_runners/github_app_runner_group/main.tf index 12babbca..e304db9f 100644 --- a/modules/platform/forge_runners/github_app_runner_group/main.tf +++ b/modules/platform/forge_runners/github_app_runner_group/main.tf @@ -28,9 +28,9 @@ module "register_github_app_runner_group_lambda" { ORGANIZATION = var.ghes_org RUNNER_GROUP_NAME = var.runner_group_name REPOSITORY_SELECTION = var.repository_selection - SECRET_NAME_APP_ID = local.secrets.github_actions_runners_app_id.name - SECRET_NAME_PRIVATE_KEY = local.secrets.github_actions_runners_app_key.name - SECRET_NAME_INSTALLATION_ID = local.secrets.github_actions_runners_app_installation_id.name + SECRET_NAME_APP_ID = var.github_app.id_ssm.arn + SECRET_NAME_PRIVATE_KEY = var.github_app.key_base64_ssm.arn + SECRET_NAME_INSTALLATION_ID = var.github_app.installation_id_ssm.arn LOG_LEVEL = var.log_level } @@ -47,15 +47,19 @@ module "register_github_app_runner_group_lambda" { data "aws_iam_policy_document" "register_github_app_runner_group_lambda" { statement { + effect = "Allow" + actions = [ - "secretsmanager:GetSecretValue", - "secretsmanager:DescribeSecret", + "ssm:GetParameter", + "ssm:GetParameters", + "ssm:GetParameterHistory", + "ssm:DescribeParameters", ] - effect = "Allow" + resources = [ - data.aws_secretsmanager_secret_version.secrets["github_actions_runners_app_key"].arn, - data.aws_secretsmanager_secret_version.secrets["github_actions_runners_app_id"].arn, - data.aws_secretsmanager_secret_version.secrets["github_actions_runners_app_installation_id"].arn, + var.github_app.id_ssm.arn, + var.github_app.key_base64_ssm.arn, + var.github_app.installation_id_ssm.arn, ] } } diff --git a/modules/platform/forge_runners/github_app_runner_group/secrets.tf b/modules/platform/forge_runners/github_app_runner_group/secrets.tf deleted file mode 100644 index d412e54f..00000000 --- a/modules/platform/forge_runners/github_app_runner_group/secrets.tf +++ /dev/null @@ -1,23 +0,0 @@ -locals { - secrets = { - github_actions_runners_app_key = { - name = "${var.secrets_prefix}github_actions_runners_app_key" - } - github_actions_runners_app_id = { - name = "${var.secrets_prefix}github_actions_runners_app_id" - } - github_actions_runners_app_installation_id = { - name = "${var.secrets_prefix}github_actions_runners_app_installation_id" - } - } -} - -data "aws_secretsmanager_secret" "secrets" { - for_each = local.secrets - name = each.value.name -} - -data "aws_secretsmanager_secret_version" "secrets" { - for_each = data.aws_secretsmanager_secret.secrets - secret_id = each.value.id -} diff --git a/modules/platform/forge_runners/github_app_runner_group/variables.tf b/modules/platform/forge_runners/github_app_runner_group/variables.tf index 5868d297..0d4883c9 100644 --- a/modules/platform/forge_runners/github_app_runner_group/variables.tf +++ b/modules/platform/forge_runners/github_app_runner_group/variables.tf @@ -9,11 +9,6 @@ variable "tags" { default = {} } -variable "secrets_prefix" { - description = "Prefix for all secrets" - type = string -} - variable "logging_retention_in_days" { description = "Retention in days for CloudWatch Log Group for the Lambdas." type = number @@ -50,3 +45,18 @@ variable "repository_selection" { error_message = "repository_selection must be 'all' or 'selected'." } } + +variable "github_app" { + description = "GitHub App configuration" + type = object({ + key_base64_ssm = object({ + arn = string + }) + id_ssm = object({ + arn = string + }) + installation_id_ssm = object({ + arn = string + }) + }) +} diff --git a/modules/platform/forge_runners/github_global_lock.tf b/modules/platform/forge_runners/github_global_lock.tf index fedb73df..e3cb3f04 100644 --- a/modules/platform/forge_runners/github_global_lock.tf +++ b/modules/platform/forge_runners/github_global_lock.tf @@ -5,8 +5,18 @@ module "github_global_lock" { aws = aws } - prefix = var.deployment_config.deployment_prefix - secrets_prefix = local.cicd_secrets_prefix + prefix = var.deployment_config.deployment_prefix + github_app = { + key_base64_ssm = { + arn = aws_ssm_parameter.github_app_key.arn + } + id_ssm = { + arn = aws_ssm_parameter.github_app_id.arn + } + installation_id_ssm = { + arn = aws_ssm_parameter.github_app_installation_id.arn + } + } logging_retention_in_days = var.logging_retention_in_days log_level = var.log_level tags = local.all_security_tags diff --git a/modules/platform/forge_runners/github_global_lock/lambda/github_clean_global_lock.py b/modules/platform/forge_runners/github_global_lock/lambda/github_clean_global_lock.py index d25e57b5..54aa4f5c 100644 --- a/modules/platform/forge_runners/github_global_lock/lambda/github_clean_global_lock.py +++ b/modules/platform/forge_runners/github_global_lock/lambda/github_clean_global_lock.py @@ -23,6 +23,7 @@ DYNAMODB_TABLE = os.getenv('DYNAMODB_TABLE') +SSM = boto3.client('ssm') dynamodb = boto3.resource('dynamodb') table = dynamodb.Table(DYNAMODB_TABLE) @@ -49,11 +50,10 @@ def get_installation_access_token(jwt_token: str, installation_id: str) -> str: return response.json()['token'] -def get_secret(secret_name: str) -> Dict[str, Any]: - """Retrieve secrets from AWS Secrets Manager.""" - client = boto3.client('secretsmanager') - response = client.get_secret_value(SecretId=secret_name) - return response['SecretString'] +def get_secret(secret_name: str) -> str: + """Retrieve secrets from AWS Systems Manager Parameter Store.""" + response = SSM.get_parameter(Name=secret_name, WithDecryption=True) + return response['Parameter']['Value'] def parse_github_url(workflow_run_url: str) -> Tuple[str, str, str]: @@ -144,8 +144,6 @@ def lambda_handler(event: Dict[str, Any], context: Any) -> Dict[str, Any]: 'body': json.dumps({'message': 'Cleaned lock successfully.'}) } except Exception as e: - LOG.error(f'Error: {str(e)}') - return { - 'statusCode': 500, - 'body': json.dumps({'message': 'An error occurred', 'error': str(e)}) - } + LOG.exception( + f'Unhandled exception in github_global_lock lambda. Error: {str(e)}') + raise diff --git a/modules/platform/forge_runners/github_global_lock/main.tf b/modules/platform/forge_runners/github_global_lock/main.tf index ce4b3ec4..1cb1933f 100644 --- a/modules/platform/forge_runners/github_global_lock/main.tf +++ b/modules/platform/forge_runners/github_global_lock/main.tf @@ -95,9 +95,9 @@ module "clean_global_lock_lambda" { environment_variables = { DYNAMODB_TABLE = "${var.prefix}-gh-actions-lock" - SECRET_NAME_APP_ID = local.secrets.github_actions_runners_app_id.name - SECRET_NAME_PRIVATE_KEY = local.secrets.github_actions_runners_app_key.name - SECRET_NAME_INSTALLATION_ID = local.secrets.github_actions_runners_app_installation_id.name + SECRET_NAME_APP_ID = var.github_app.id_ssm.arn + SECRET_NAME_PRIVATE_KEY = var.github_app.key_base64_ssm.arn + SECRET_NAME_INSTALLATION_ID = var.github_app.installation_id_ssm.arn LOG_LEVEL = var.log_level } @@ -114,15 +114,19 @@ module "clean_global_lock_lambda" { data "aws_iam_policy_document" "clean_global_lock_lambda" { statement { + effect = "Allow" + actions = [ - "secretsmanager:GetSecretValue", - "secretsmanager:DescribeSecret", + "ssm:GetParameter", + "ssm:GetParameters", + "ssm:GetParameterHistory", + "ssm:DescribeParameters", ] - effect = "Allow" + resources = [ - data.aws_secretsmanager_secret_version.secrets["github_actions_runners_app_key"].arn, - data.aws_secretsmanager_secret_version.secrets["github_actions_runners_app_id"].arn, - data.aws_secretsmanager_secret_version.secrets["github_actions_runners_app_installation_id"].arn, + var.github_app.id_ssm.arn, + var.github_app.key_base64_ssm.arn, + var.github_app.installation_id_ssm.arn, ] } statement { diff --git a/modules/platform/forge_runners/github_global_lock/secrets.tf b/modules/platform/forge_runners/github_global_lock/secrets.tf deleted file mode 100644 index d412e54f..00000000 --- a/modules/platform/forge_runners/github_global_lock/secrets.tf +++ /dev/null @@ -1,23 +0,0 @@ -locals { - secrets = { - github_actions_runners_app_key = { - name = "${var.secrets_prefix}github_actions_runners_app_key" - } - github_actions_runners_app_id = { - name = "${var.secrets_prefix}github_actions_runners_app_id" - } - github_actions_runners_app_installation_id = { - name = "${var.secrets_prefix}github_actions_runners_app_installation_id" - } - } -} - -data "aws_secretsmanager_secret" "secrets" { - for_each = local.secrets - name = each.value.name -} - -data "aws_secretsmanager_secret_version" "secrets" { - for_each = data.aws_secretsmanager_secret.secrets - secret_id = each.value.id -} diff --git a/modules/platform/forge_runners/github_global_lock/variables.tf b/modules/platform/forge_runners/github_global_lock/variables.tf index 0ea9e192..ab464b50 100644 --- a/modules/platform/forge_runners/github_global_lock/variables.tf +++ b/modules/platform/forge_runners/github_global_lock/variables.tf @@ -9,11 +9,6 @@ variable "tags" { default = {} } -variable "secrets_prefix" { - description = "Prefix for all secrets" - type = string -} - variable "logging_retention_in_days" { description = "Retention in days for CloudWatch Log Group for the Lambdas." type = number @@ -25,3 +20,19 @@ variable "log_level" { description = "Log level for application logging (e.g., INFO, DEBUG, WARN, ERROR)" default = "INFO" } + + +variable "github_app" { + description = "GitHub App configuration" + type = object({ + key_base64_ssm = object({ + arn = string + }) + id_ssm = object({ + arn = string + }) + installation_id_ssm = object({ + arn = string + }) + }) +} diff --git a/modules/platform/forge_runners/redrive_deadletter/lambda/redrive_deadletter.py b/modules/platform/forge_runners/redrive_deadletter/lambda/redrive_deadletter.py index a2afbcca..84182926 100644 --- a/modules/platform/forge_runners/redrive_deadletter/lambda/redrive_deadletter.py +++ b/modules/platform/forge_runners/redrive_deadletter/lambda/redrive_deadletter.py @@ -106,40 +106,45 @@ def start_dlq_redrive_to_source(sqs_client, dlq_identifier: str) -> Dict[str, st def lambda_handler(event, context): - raw_sqs_map = os.getenv('SQS_MAP', '') - mappings = parse_sqs_map(raw_sqs_map) - - if not mappings: - LOG.warning('SQS_MAP is empty; nothing to do.') - return {'status': 'noop', 'message': 'SQS_MAP is empty', 'results': []} - - LOG.info( - 'Starting DLQ redrive (StartMessageMoveTask) for %d mapping(s)', - len(mappings), - ) + try: + raw_sqs_map = os.getenv('SQS_MAP', '') + mappings = parse_sqs_map(raw_sqs_map) - results = [] - for entry in mappings: - key = entry['key'] - dlq_identifier = entry['dlq'] - main_identifier = entry['main'] + if not mappings: + LOG.warning('SQS_MAP is empty; nothing to do.') + return {'status': 'noop', 'message': 'SQS_MAP is empty', 'results': []} LOG.info( - 'Processing SQS mapping key=%s dlq=%s main=%s', - key, - dlq_identifier, - main_identifier, + 'Starting DLQ redrive (StartMessageMoveTask) for %d mapping(s)', + len(mappings), ) - redrive_result = start_dlq_redrive_to_source(sqs, dlq_identifier) + results = [] + for entry in mappings: + key = entry['key'] + dlq_identifier = entry['dlq'] + main_identifier = entry['main'] + + LOG.info( + 'Processing SQS mapping key=%s dlq=%s main=%s', + key, + dlq_identifier, + main_identifier, + ) - results.append( - { - 'key': key, - 'dlq': dlq_identifier, - 'main': main_identifier, - **redrive_result, - } - ) + redrive_result = start_dlq_redrive_to_source(sqs, dlq_identifier) + + results.append( + { + 'key': key, + 'dlq': dlq_identifier, + 'main': main_identifier, + **redrive_result, + } + ) - return {'status': 'ok', 'results': results} + return {'status': 'ok', 'results': results} + except Exception as e: + LOG.exception( + f'Unhandled exception in redrive_deadletter lambda. Error: {str(e)}') + raise From 9271b44f3d4d8cff21988bad2dec488d9f22fc12 Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Thu, 11 Dec 2025 17:14:46 +0100 Subject: [PATCH 35/85] refactor: replace usage sm for ssm (#244) * refactor: replace usage sm for ssm * deprecated: remove secrets --- modules/platform/forge_runners/arc_runners.tf | 6 +- modules/platform/forge_runners/ec2_runners.tf | 6 +- .../forge_runners/github_actions_job_log.tf | 1 - .../forge_runners/github_app_runner_group.tf | 1 - .../forge_runners/github_global_lock.tf | 2 - .../forge_runners/github_webhook_relay.tf | 2 - modules/platform/forge_runners/locals.tf | 2 +- modules/platform/forge_runners/outputs.tf | 4 +- modules/platform/forge_runners/secrets.tf | 111 ------------------ modules/platform/forge_runners/ssm.tf | 5 + .../platform/forge_runners/update_gh_app.tf | 12 +- 11 files changed, 18 insertions(+), 134 deletions(-) delete mode 100644 modules/platform/forge_runners/secrets.tf diff --git a/modules/platform/forge_runners/arc_runners.tf b/modules/platform/forge_runners/arc_runners.tf index a6cebdee..b5bd44e3 100644 --- a/modules/platform/forge_runners/arc_runners.tf +++ b/modules/platform/forge_runners/arc_runners.tf @@ -21,9 +21,9 @@ module "arc_runners" { ghes_org = var.deployment_config.github.ghes_org runner_iam_role_managed_policy_arns = local.runner_iam_role_managed_policy_arns github_app = { - key_base64 = data.aws_secretsmanager_secret_version.data_cicd_secrets["${local.cicd_secrets_prefix}github_actions_runners_app_key"].secret_string - id = data.aws_secretsmanager_secret_version.data_cicd_secrets["${local.cicd_secrets_prefix}github_actions_runners_app_id"].secret_string - installation_id = data.aws_secretsmanager_secret_version.data_cicd_secrets["${local.cicd_secrets_prefix}github_actions_runners_app_installation_id"].secret_string + key_base64 = data.aws_ssm_parameter.github_app_key.value + id = var.deployment_config.github_app.id + installation_id = var.deployment_config.github_app.installation_id } runner_group_name = var.deployment_config.github.runner_group_name runner_specs = var.arc_deployment_specs.runner_specs diff --git a/modules/platform/forge_runners/ec2_runners.tf b/modules/platform/forge_runners/ec2_runners.tf index ae3e4a20..4c33ec36 100644 --- a/modules/platform/forge_runners/ec2_runners.tf +++ b/modules/platform/forge_runners/ec2_runners.tf @@ -37,9 +37,9 @@ module "ec2_runners" { logging_retention_in_days = var.logging_retention_in_days runner_iam_role_managed_policy_arns = local.runner_iam_role_managed_policy_arns github_app = { - key_base64 = data.aws_secretsmanager_secret_version.data_cicd_secrets["${local.cicd_secrets_prefix}github_actions_runners_app_key"].secret_string - id = data.aws_secretsmanager_secret_version.data_cicd_secrets["${local.cicd_secrets_prefix}github_actions_runners_app_id"].secret_string - webhook_secret = random_id.random[0].hex + key_base64 = data.aws_ssm_parameter.github_app_key.value + id = var.deployment_config.github_app.id + webhook_secret = aws_ssm_parameter.github_app_webhook_secret.value } runner_group_name = var.deployment_config.github.runner_group_name runner_specs = var.ec2_deployment_specs.runner_specs diff --git a/modules/platform/forge_runners/github_actions_job_log.tf b/modules/platform/forge_runners/github_actions_job_log.tf index 826fea91..5a31aba6 100644 --- a/modules/platform/forge_runners/github_actions_job_log.tf +++ b/modules/platform/forge_runners/github_actions_job_log.tf @@ -25,5 +25,4 @@ module "github_actions_job_logs" { event_bus_name = module.ec2_runners[0].event_bus_name ghes_url = var.deployment_config.github.ghes_url - depends_on = [data.aws_secretsmanager_secret_version.data_cicd_secrets] } diff --git a/modules/platform/forge_runners/github_app_runner_group.tf b/modules/platform/forge_runners/github_app_runner_group.tf index ae781003..7d6cebbe 100644 --- a/modules/platform/forge_runners/github_app_runner_group.tf +++ b/modules/platform/forge_runners/github_app_runner_group.tf @@ -25,5 +25,4 @@ module "github_app_runner_group" { runner_group_name = var.deployment_config.github.runner_group_name repository_selection = var.deployment_config.github.repository_selection - depends_on = [data.aws_secretsmanager_secret_version.data_cicd_secrets] } diff --git a/modules/platform/forge_runners/github_global_lock.tf b/modules/platform/forge_runners/github_global_lock.tf index e3cb3f04..17c72986 100644 --- a/modules/platform/forge_runners/github_global_lock.tf +++ b/modules/platform/forge_runners/github_global_lock.tf @@ -20,6 +20,4 @@ module "github_global_lock" { logging_retention_in_days = var.logging_retention_in_days log_level = var.log_level tags = local.all_security_tags - - depends_on = [data.aws_secretsmanager_secret_version.data_cicd_secrets] } diff --git a/modules/platform/forge_runners/github_webhook_relay.tf b/modules/platform/forge_runners/github_webhook_relay.tf index 2997b2c1..d855b9a5 100644 --- a/modules/platform/forge_runners/github_webhook_relay.tf +++ b/modules/platform/forge_runners/github_webhook_relay.tf @@ -13,6 +13,4 @@ module "github_webhook_relay" { tags = local.all_security_tags github_webhook_relay = var.github_webhook_relay - - depends_on = [data.aws_secretsmanager_secret_version.data_cicd_secrets] } diff --git a/modules/platform/forge_runners/locals.tf b/modules/platform/forge_runners/locals.tf index b837b940..5f2d2372 100644 --- a/modules/platform/forge_runners/locals.tf +++ b/modules/platform/forge_runners/locals.tf @@ -8,6 +8,6 @@ locals { ] ) - github_app_installation = "${var.deployment_config.github.ghes_url == "" ? "https://github.com" : var.deployment_config.github.ghes_url}/apps/${data.aws_secretsmanager_secret_version.data_cicd_secrets["${local.cicd_secrets_prefix}github_actions_runners_app_name"].secret_string}/installations/${data.aws_secretsmanager_secret_version.data_cicd_secrets["${local.cicd_secrets_prefix}github_actions_runners_app_installation_id"].secret_string}" + github_app_installation = "${var.deployment_config.github.ghes_url == "" ? "https://github.com" : var.deployment_config.github.ghes_url}/apps/${var.deployment_config.github_app.name}}/installations/${var.deployment_config.github_app.installation_id}" github_api = var.deployment_config.github.ghes_url == "" ? "https://api.github.com" : "https://api.${replace(var.deployment_config.github.ghes_url, "https://", "")}" } diff --git a/modules/platform/forge_runners/outputs.tf b/modules/platform/forge_runners/outputs.tf index a22d60c4..8f491699 100644 --- a/modules/platform/forge_runners/outputs.tf +++ b/modules/platform/forge_runners/outputs.tf @@ -43,8 +43,8 @@ output "forge_github_app" { description = "GitHub App related outputs." value = { installation_url = local.github_app_installation - installation_id = try(data.aws_secretsmanager_secret_version.data_cicd_secrets["${local.cicd_secrets_prefix}github_actions_runners_app_installation_id"].secret_string, null) - name = try(data.aws_secretsmanager_secret_version.data_cicd_secrets["${local.cicd_secrets_prefix}github_actions_runners_app_name"].secret_string, null) + installation_id = var.deployment_config.github_app.installation_id + name = var.deployment_config.github_app.name } sensitive = true } diff --git a/modules/platform/forge_runners/secrets.tf b/modules/platform/forge_runners/secrets.tf deleted file mode 100644 index 5a8eebfc..00000000 --- a/modules/platform/forge_runners/secrets.tf +++ /dev/null @@ -1,111 +0,0 @@ -locals { - cicd_secrets_prefix = "/cicd/common/${var.deployment_config.tenant.name}/${var.deployment_config.secret_suffix}/" - - secrets = [ - # CI/CD runners: secrets used in build/deploy pipelines. - { - name = "${local.cicd_secrets_prefix}github_actions_runners_app_key" - description = "Base64 encoded GitHub App private key for GHA ephemeral runners for Tenant ${var.deployment_config.tenant.name}(${var.deployment_config.secret_suffix})." - recovery_days = 7 - }, - { - name = "${local.cicd_secrets_prefix}github_actions_runners_app_id" - description = "GitHub App ID for GHA ephemeral runners for Tenant ${var.deployment_config.tenant.name}(${var.deployment_config.secret_suffix})." - recovery_days = 7 - }, - { - name = "${local.cicd_secrets_prefix}github_actions_runners_app_client_id" - description = "GitHub App Client ID for GHA ephemeral runners for Tenant ${var.deployment_config.tenant.name}(${var.deployment_config.secret_suffix})." - recovery_days = 7 - }, - { - name = "${local.cicd_secrets_prefix}github_actions_runners_app_installation_id" - description = "GitHub App Installation ID for GHA ephemeral runners for Tenant ${var.deployment_config.tenant.name}(${var.deployment_config.secret_suffix})." - recovery_days = 7 - }, - { - name = "${local.cicd_secrets_prefix}github_actions_runners_app_name" - description = "GitHub App Name for GHA ephemeral runners for Tenant ${var.deployment_config.tenant.name}(${var.deployment_config.secret_suffix})." - recovery_days = 7 - } - ] -} - -# Psuedo-random seeds we use for initializing the secrets. If we don't do this, -# then the secret "exists", but has no value or initial version, and "tf apply" -# steps fail, requiring one to manually set the password outside of Terraform. -data "aws_secretsmanager_random_password" "secret_seeds" { - for_each = { - for key, val in local.secrets : val.name => val - } - - password_length = 16 -} - -# Actual object containing the secret. -resource "aws_secretsmanager_secret" "cicd_secrets" { - for_each = { - for key, val in local.secrets : val.name => val - } - - name = each.value.name - description = each.value.description - recovery_window_in_days = each.value.recovery_days - - tags = local.all_security_tags - tags_all = local.all_security_tags -} - -# Force a delay between secret creation and seeding. We only need a few -# seconds, but if we don't do this, we get into a bad state requiring manual -# intervention and/or manual forced-deletion of secrets. -resource "time_sleep" "wait_60_seconds" { - depends_on = [ - aws_secretsmanager_secret.cicd_secrets, - ] - create_duration = "60s" -} - -# Only used for seeding purposes. Will not clobber/overwrite secrets afterward -# (i.e. if/when we set them manually via the AWS CLI or management console). -resource "aws_secretsmanager_secret_version" "cicd_secrets" { - depends_on = [time_sleep.wait_60_seconds] - for_each = { - for key, val in local.secrets : val.name => val - } - - secret_id = aws_secretsmanager_secret.cicd_secrets[each.key].id - secret_string = base64encode(data.aws_secretsmanager_random_password.secret_seeds[each.key].random_password) - - # Prevents this seed from being applied more than once (at initial "tf apply" - # time). - lifecycle { - ignore_changes = [secret_string, ] - } -} - -# Critical secrets needed for provisioning the CICD system. -data "aws_secretsmanager_secret" "data_cicd_secrets" { - for_each = { - for key, val in local.secrets : val.name => val - } - - depends_on = [ - aws_secretsmanager_secret.cicd_secrets, - ] - arn = "arn:aws:secretsmanager:${var.aws_region}:${data.aws_caller_identity.current.account_id}:secret:${each.key}" -} - -# Need both these objects to be able to extract the secrets' respective -# payloads. -data "aws_secretsmanager_secret_version" "data_cicd_secrets" { - for_each = { - for key, val in local.secrets : val.name => val - } - - depends_on = [ - aws_secretsmanager_secret_version.cicd_secrets, - data.aws_secretsmanager_secret.data_cicd_secrets - ] - secret_id = data.aws_secretsmanager_secret.data_cicd_secrets[each.key].id -} diff --git a/modules/platform/forge_runners/ssm.tf b/modules/platform/forge_runners/ssm.tf index 43f94bbe..d593ad03 100644 --- a/modules/platform/forge_runners/ssm.tf +++ b/modules/platform/forge_runners/ssm.tf @@ -69,3 +69,8 @@ resource "random_password" "github_app_webhook_secret" { rotation = time_rotating.every_30_days.id } } + +data "aws_ssm_parameter" "github_app_key" { + name = aws_ssm_parameter.github_app_key.name + depends_on = [aws_ssm_parameter.github_app_key] +} diff --git a/modules/platform/forge_runners/update_gh_app.tf b/modules/platform/forge_runners/update_gh_app.tf index fc48789f..89d8135e 100644 --- a/modules/platform/forge_runners/update_gh_app.tf +++ b/modules/platform/forge_runners/update_gh_app.tf @@ -3,15 +3,15 @@ resource "null_resource" "update_github_app_webhook" { ghes_org = var.deployment_config.github.ghes_org ghes_url = var.deployment_config.github.ghes_url webhook_url = try(module.ec2_runners[0].webhook_endpoint, "https://cisco-open.github.io/forge") - secret = try(random_id.random[0].hex, null) - secret_version = data.aws_secretsmanager_secret_version.data_cicd_secrets["${local.cicd_secrets_prefix}github_actions_runners_app_key"].id + secret = aws_ssm_parameter.github_app_webhook_secret.value + secret_version = aws_ssm_parameter.github_app_webhook_secret.version } provisioner "local-exec" { environment = { - CLIENT_ID = data.aws_secretsmanager_secret_version.data_cicd_secrets["${local.cicd_secrets_prefix}github_actions_runners_app_client_id"].secret_string + CLIENT_ID = var.deployment_config.github_app.client_id PRIVATE_KEY = base64decode( - data.aws_secretsmanager_secret_version.data_cicd_secrets["${local.cicd_secrets_prefix}github_actions_runners_app_key"].secret_string + data.aws_ssm_parameter.github_app_key.value ) WEBHOOK_URL = self.triggers.webhook_url SECRET = self.triggers.secret @@ -21,8 +21,4 @@ resource "null_resource" "update_github_app_webhook" { command = "${path.module}/scripts/generate_and_patch_github_app.sh" } - - depends_on = [ - data.aws_secretsmanager_secret_version.data_cicd_secrets, - ] } From a3fc9ac86c2cce362aac19e14c173fb800f916c2 Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Thu, 11 Dec 2025 22:27:33 +0100 Subject: [PATCH 36/85] feat: add more detail in logs (#246) --- .../lambda/job_log_archiver/job_log_archiver.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/platform/forge_runners/github_actions_job_logs/lambda/job_log_archiver/job_log_archiver.py b/modules/platform/forge_runners/github_actions_job_logs/lambda/job_log_archiver/job_log_archiver.py index b4c1b489..36cceec1 100644 --- a/modules/platform/forge_runners/github_actions_job_logs/lambda/job_log_archiver/job_log_archiver.py +++ b/modules/platform/forge_runners/github_actions_job_logs/lambda/job_log_archiver/job_log_archiver.py @@ -170,6 +170,8 @@ def lambda_handler(event: Dict[str, Any], _context: Any) -> Dict[str, Any]: # p repo_full_name = (detail.get('repository') or {}).get('full_name') if not repo_full_name: + LOG.info( + 'Missing repository full_name in event detail. Detail event: %s', detail) raise ValueError('missing_repository') try: @@ -185,6 +187,8 @@ def lambda_handler(event: Dict[str, Any], _context: Any) -> Dict[str, Any]: # p workflow_name = workflow_job.get('workflow_name') if not all([runner_name, run_id, job_id]): + LOG.info('Missing required IDs: runner_name=%s run_id=%s job_id=%s. Workflow job: %s', + runner_name, run_id, job_id, workflow_job) raise ValueError('missing_ids') try: From 213fe908cf87981a89c91bff26ef33ee296e2813 Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Thu, 11 Dec 2025 22:48:23 +0100 Subject: [PATCH 37/85] docs: update docs for new tenant (#245) --- docs/configurations/deployments/new_tenant.md | 157 +++++++++--------- scripts/update-github-app-secrets.sh | 55 +++--- 2 files changed, 99 insertions(+), 113 deletions(-) diff --git a/docs/configurations/deployments/new_tenant.md b/docs/configurations/deployments/new_tenant.md index e427db72..b133da2c 100644 --- a/docs/configurations/deployments/new_tenant.md +++ b/docs/configurations/deployments/new_tenant.md @@ -149,7 +149,73 @@ ______________________________________________________________________ ______________________________________________________________________ -## 3. Minimal Working `config.yaml` Example +## 3. Create GitHub App + +1. **Pull the registration UI container (amd64):** + +```bash +docker pull ghcr.io/cisco-open/forge-forge-github-app-register:main +``` + +2. **Run it locally, exposing port 5000:** + +```bash +docker run --rm -p 5000:5000 ghcr.io/cisco-open/forge-forge-github-app-register:main +``` + +3. **Open the UI:** + +Go to `http://localhost:5000/` in your browser. + +4. **In the UI:** + +- Click **"Register App in Your Org"** +- Log in with your GitHub org or GHES admin account +- Use this pattern for the GitHub App name (replace variables): + +``` +${local.tenant_name}-${local.region_alias}-${local.vpc_alias}-${include.env.locals.runner_group_name_suffix} +``` + +Example: + +``` +sec-plat-euw1-shared-sbg-cicd-forge +``` + +- Click **“Create GitHub App”** + +5. **After creation:** + +- The app is created in your org or GHES instance. +- The UI will download the app config JSON containing critical secrets and keys. + +### Tips: + +- **Save the JSON file securely.** The private key (`pem`) in it is your authentication backbone. Lose it, and you start over. + +- You **need** these values from the JSON (or GitHub later) to configure Forge’s secrets: + + - `client_id` + - `id` (App ID) + - `installation_id` (get it by installing the app on repos/org) + - `pem` (private key) + +- Permissions must be **exactly**: + + - `actions`: read + - `checks`: read + - `metadata`: read + - `organization_self_hosted_runners`: write + - `organization_administration`: write + +- Subscribe the app to `"workflow_job"` event — this is how your runners get triggered. + +- Don’t forget to install the GitHub App on the repositories or organizations that will use these runners. + +______________________________________________________________________ + +## 4. Minimal Working `config.yaml` Example ```yaml gh_config: @@ -205,87 +271,24 @@ arc_runner_specs: ______________________________________________________________________ -## 4. Deploy Secrets +## 5. Deploy -1. **Navigate to the tenant directory** matching your AWS account, region, VPC, and tenant: +1. **Navigate to your tenant directory:** ```bash cd examples/deployments/forge-tenant/terragrunt/environments//regions//vpcs//tenants/ ``` -2. **Deploy only the secrets** to AWS Secrets Manager: - -```bash -terragrunt apply --target aws_secretsmanager_secret_version.cicd_secrets -``` - -> **Pro tip:** Use `--target` carefully — only apply secrets here to avoid accidental resource changes in other modules. - -______________________________________________________________________ - -## 5. Create GitHub App - -1. **Pull the registration UI container (amd64):** - -```bash -docker pull ghcr.io/cisco-open/forge-forge-github-app-register:main -``` - -2. **Run it locally, exposing port 5000:** +2. **Deploy everything in one go:** ```bash -docker run --rm -p 5000:5000 ghcr.io/cisco-open/forge-forge-github-app-register:main -``` - -3. **Open the UI:** - -Go to `http://localhost:5000/` in your browser. - -4. **In the UI:** - -- Click **"Register App in Your Org"** -- Log in with your GitHub org or GHES admin account -- Use this pattern for the GitHub App name (replace variables): - -``` -${local.tenant_name}-${local.region_alias}-${local.vpc_alias}-${include.env.locals.runner_group_name_suffix} -``` - -Example: - -``` -sec-plat-euw1-shared-sbg-cicd-forge +terragrunt apply ``` -- Click **“Create GitHub App”** - -5. **After creation:** - -- The app is created in your org or GHES instance. -- The UI will download the app config JSON containing critical secrets and keys. - -### Tips: - -- **Save the JSON file securely.** The private key (`pem`) in it is your authentication backbone. Lose it, and you start over. - -- You **need** these values from the JSON (or GitHub later) to configure Forge’s secrets: - - - `client_id` - - `id` (App ID) - - `installation_id` (get it by installing the app on repos/org) - - `pem` (private key) - -- Permissions must be **exactly**: - - - `actions`: read - - `checks`: read - - `metadata`: read - - `organization_self_hosted_runners`: write - - `organization_administration`: write - -- Subscribe the app to `"workflow_job"` event — this is how your runners get triggered. +3. **Verify success:** -- Don’t forget to install the GitHub App on the repositories or organizations that will use these runners. +- No errors in Terraform apply output. +- All expected AWS resources exist. ______________________________________________________________________ @@ -294,22 +297,18 @@ ______________________________________________________________________ Run the `update-github-app-secrets.sh` script to inject critical GitHub App values into your secrets: ```bash -./scripts/update-github-app-secrets.sh /full/path/to/tenant_dir client_id -./scripts/update-github-app-secrets.sh /full/path/to/tenant_dir name -./scripts/update-github-app-secrets.sh /full/path/to/tenant_dir id -./scripts/update-github-app-secrets.sh /full/path/to/tenant_dir key /path/to/private-key.pem -./scripts/update-github-app-secrets.sh /full/path/to/tenant_dir installation_id +./scripts/update-github-app-secrets.sh /full/path/to/tenant_dir /path/to/private-key.pem ``` ### Notes: - Use **absolute paths** for tenant directories and private key files to avoid path resolution issues inside the script. - Confirm the private key file has **correct permissions** (`chmod 600`) to avoid permission errors. -- The script will update AWS Secrets Manager values — verify with `terragrunt plan` or AWS Console if you want to double-check. +- The script will update AWS SSM Parameter values — verify with `terragrunt plan` or AWS Console if you want to double-check. ______________________________________________________________________ -## 7. Deploy +## 7. Redeploy with secrets updated 1. **Navigate to your tenant directory:** @@ -329,6 +328,4 @@ terragrunt apply - All expected AWS resources exist. - GitHub runners appear registered and are actively picking up jobs. -______________________________________________________________________ - > For more advanced scenarios or troubleshooting, see the [full documentation](../index.md). diff --git a/scripts/update-github-app-secrets.sh b/scripts/update-github-app-secrets.sh index ab5dfee8..a00c8837 100755 --- a/scripts/update-github-app-secrets.sh +++ b/scripts/update-github-app-secrets.sh @@ -2,9 +2,9 @@ set -euo pipefail usage() { - echo "Usage: $0 " - echo " : key | id | installation_id | name | client_id" - echo " : For 'key' type, path to PEM file to base64 encode. For others, string value." + echo "Usage: $0 " + echo " : Path to the Terragrunt directory for the tenant/stack" + echo " : Path to the GitHub App PEM file to base64 encode and store in SSM" exit 1 } @@ -24,12 +24,11 @@ validate_pem_file() { } } -get_secret_name() { +get_ssm_name() { local terragrunt_dir="$1" - local type="$2" - tenant_name=$(get_terragrunt_var "var.tenant.name" "$terragrunt_dir") - secret_suffix=$(get_terragrunt_var "var.deployment_config.secret_suffix" "$terragrunt_dir") - echo "/cicd/common/${tenant_name}/${secret_suffix}/github_actions_runners_app_${type}" + local deployment_prefix + deployment_prefix=$(get_terragrunt_var "var.deployment_config.deployment_prefix" "$terragrunt_dir") + echo "/forge/${deployment_prefix}/github_app_key" } get_terragrunt_var() { @@ -54,43 +53,33 @@ encode_pem() { tr -d '\n' <"$pem_file" | base64 } -update_secret() { - local secret_name="$1" - local secret_value="$2" - aws secretsmanager put-secret-value --secret-id "$secret_name" --secret-string "$secret_value" +update_ssm_param() { + local param_name="$1" + local param_value="$2" + aws ssm put-parameter \ + --name "$param_name" \ + --type "SecureString" \ + --value "$param_value" \ + --overwrite } main() { - if [[ $# -ne 3 ]]; then + if [[ $# -ne 2 ]]; then usage fi TERRAGRUNT_DIR="$1" - TYPE="$2" - VALUE="$3" - - case "$TYPE" in - key | id | installation_id | name | client_id) ;; - *) - echo "Error: Invalid type '$TYPE'. Allowed: key, id, installation_id, name" - exit 1 - ;; - esac + PEM_FILE="$2" validate_terragrunt_dir "$TERRAGRUNT_DIR" + validate_pem_file "$PEM_FILE" - if [[ "$TYPE" == "key" ]]; then - validate_pem_file "$VALUE" - SECRET_VALUE=$(encode_pem "$VALUE") - else - SECRET_VALUE="$VALUE" - fi - - SECRET_NAME=$(get_secret_name "$TERRAGRUNT_DIR" "$TYPE") + SSM_NAME=$(get_ssm_name "$TERRAGRUNT_DIR") + ENCODED_KEY=$(encode_pem "$PEM_FILE") - update_secret "$SECRET_NAME" "$SECRET_VALUE" + update_ssm_param "$SSM_NAME" "$ENCODED_KEY" - echo "✅ Updated secret '$SECRET_NAME'" + echo "✅ Updated SSM parameter '$SSM_NAME' with base64-encoded GitHub App key" } main "$@" From 128265c1e68e5e51b17d24834d789be1673fe8a1 Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Thu, 11 Dec 2025 22:50:12 +0100 Subject: [PATCH 38/85] fix: ignore conclusion with skipped and cancelled status (#247) --- .../lambda/job_log_archiver/job_log_archiver.py | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/modules/platform/forge_runners/github_actions_job_logs/lambda/job_log_archiver/job_log_archiver.py b/modules/platform/forge_runners/github_actions_job_logs/lambda/job_log_archiver/job_log_archiver.py index 36cceec1..208c4fc9 100644 --- a/modules/platform/forge_runners/github_actions_job_logs/lambda/job_log_archiver/job_log_archiver.py +++ b/modules/platform/forge_runners/github_actions_job_logs/lambda/job_log_archiver/job_log_archiver.py @@ -168,6 +168,16 @@ def lambda_handler(event: Dict[str, Any], _context: Any) -> Dict[str, Any]: # p 'Event action is not completed or workflow_job is missing, ignoring.') return {'status': 'ignored'} + conclusion = workflow_job.get('conclusion') + + if conclusion in ('skipped', 'cancelled'): + LOG.info( + 'Job conclusion is %s, skipping log archival. Workflow job: %s', + conclusion, + workflow_job, + ) + return {'status': 'ignored'} + repo_full_name = (detail.get('repository') or {}).get('full_name') if not repo_full_name: LOG.info( From 25ee927360810ba7b2ab1f73cd790b76927bf21c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 12 Dec 2025 10:01:53 +0100 Subject: [PATCH 39/85] chore(deps): bump actions/cache from 4.3.0 to 5.0.0 (#248) Bumps [actions/cache](https://github.com/actions/cache) from 4.3.0 to 5.0.0. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/0057852bfaa89a56745cba8c7296529d2fc39830...a7833574556fa59680c1b7cb190c1735db73ebf0) --- updated-dependencies: - dependency-name: actions/cache dependency-version: 5.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/pre-commit.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml index edad491f..eb091d98 100644 --- a/.github/workflows/pre-commit.yml +++ b/.github/workflows/pre-commit.yml @@ -32,13 +32,13 @@ jobs: uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Cache Pre-commit - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 + uses: actions/cache@a7833574556fa59680c1b7cb190c1735db73ebf0 # v5.0.0 with: path: ~/.cache/pre-commit/ key: pre-commit|${{ github.repository }}|${{ hashFiles('.pre-commit-config.yaml') }} - name: Cache Terraform/OpenTofu providers - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 + uses: actions/cache@a7833574556fa59680c1b7cb190c1735db73ebf0 # v5.0.0 with: path: /github/home/.terraform.d/plugin key: tf-providers-${{ github.run_id }} From 0f106a6538489abdc811390b551deaf2cfd93800 Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Sat, 13 Dec 2025 00:43:44 +0100 Subject: [PATCH 40/85] chore: update karpenter and otel (#249) * chore(deps): update karpenter docker tag to v1.8.3 (#56) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update pre-commit hooks (#55) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update helm release splunk-otel-collector to v0.141.0 (#57) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update dependency terraform-docs/terraform-docs to v0.21.0 (#59) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update dependency gruntwork-io/terragrunt to v0.95.0 (#58) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .docker/pre-commit/Dockerfile | 4 ++-- .pre-commit-config.yaml | 4 ++-- modules/infra/eks/karpenter.tf | 2 +- modules/integrations/splunk_otel_eks/otel.tf | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.docker/pre-commit/Dockerfile b/.docker/pre-commit/Dockerfile index 80b511c2..c4b169d0 100644 --- a/.docker/pre-commit/Dockerfile +++ b/.docker/pre-commit/Dockerfile @@ -69,7 +69,7 @@ RUN set -eux; \ chmod 755 /usr/local/bin/shfmt # renovate: datasource=github-releases depName=terraform-docs/terraform-docs registryUrl=https://github.com/ -ARG TERRAFORM_DOCS_VERSION="0.20.0" +ARG TERRAFORM_DOCS_VERSION="0.21.0" ARG TERRAFORM_DOCS_SRC="https://github.com/terraform-docs/terraform-docs/releases/download/v${TERRAFORM_DOCS_VERSION}/terraform-docs-v${TERRAFORM_DOCS_VERSION}-linux-amd64.tar.gz" ARG TERRAFORM_DOCS_ARTIFACT="terraform-docs.tar.gz" RUN set -eux; \ @@ -78,7 +78,7 @@ RUN set -eux; \ chmod 755 /usr/local/bin/terraform-docs # renovate: datasource=github-releases depName=gruntwork-io/terragrunt registryUrl=https://github.com/ -ARG TERRAGRUNT_VERSION="0.94.0" +ARG TERRAGRUNT_VERSION="0.95.0" ARG TERRAGRUNT_SRC="https://github.com/gruntwork-io/terragrunt/releases/download/v${TERRAGRUNT_VERSION}/terragrunt_linux_amd64" ARG TERRAGRUNT_ARTIFACT="terragrunt" RUN set -eux; \ diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 1196edde..f8828265 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -83,7 +83,7 @@ repos: # Commit Message Hooks # --------------------- - repo: https://github.com/commitizen-tools/commitizen - rev: v4.10.0 + rev: v4.10.1 hooks: - id: commitizen name: Git · Validate commit message @@ -266,7 +266,7 @@ repos: # Ansible Hooks # --------------------- - repo: https://github.com/ansible-community/ansible-lint.git - rev: v25.12.0 + rev: v25.12.1 hooks: - id: ansible-lint name: Ansible · Linter diff --git a/modules/infra/eks/karpenter.tf b/modules/infra/eks/karpenter.tf index 2da250be..f291a206 100644 --- a/modules/infra/eks/karpenter.tf +++ b/modules/infra/eks/karpenter.tf @@ -20,7 +20,7 @@ resource "helm_release" "karpenter" { create_namespace = true repository = "oci://public.ecr.aws/karpenter" chart = "karpenter" - version = "1.8.2" + version = "1.8.3" wait = false values = [ diff --git a/modules/integrations/splunk_otel_eks/otel.tf b/modules/integrations/splunk_otel_eks/otel.tf index 4038f1e3..6a58b33a 100644 --- a/modules/integrations/splunk_otel_eks/otel.tf +++ b/modules/integrations/splunk_otel_eks/otel.tf @@ -2,7 +2,7 @@ resource "helm_release" "splunk_otel_collector" { name = "splunk-otel-collector" repository = "https://signalfx.github.io/splunk-otel-collector-chart" chart = "splunk-otel-collector" - version = "0.140.0" + version = "0.141.0" namespace = "splunk-otel-collector" create_namespace = true From 3c838ecd6ec790cecbd3ed16fb6bb7a7d3e262d5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 13 Dec 2025 00:44:21 +0100 Subject: [PATCH 41/85] chore(deps): bump actions/cache from 5.0.0 to 5.0.1 (#250) Bumps [actions/cache](https://github.com/actions/cache) from 5.0.0 to 5.0.1. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/a7833574556fa59680c1b7cb190c1735db73ebf0...9255dc7a253b0ccc959486e2bca901246202afeb) --- updated-dependencies: - dependency-name: actions/cache dependency-version: 5.0.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/pre-commit.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml index eb091d98..3153f8de 100644 --- a/.github/workflows/pre-commit.yml +++ b/.github/workflows/pre-commit.yml @@ -32,13 +32,13 @@ jobs: uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Cache Pre-commit - uses: actions/cache@a7833574556fa59680c1b7cb190c1735db73ebf0 # v5.0.0 + uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 with: path: ~/.cache/pre-commit/ key: pre-commit|${{ github.repository }}|${{ hashFiles('.pre-commit-config.yaml') }} - name: Cache Terraform/OpenTofu providers - uses: actions/cache@a7833574556fa59680c1b7cb190c1735db73ebf0 # v5.0.0 + uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 with: path: /github/home/.terraform.d/plugin key: tf-providers-${{ github.run_id }} From d13672464c69754516d72762c0a95954f9dbf32a Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Mon, 15 Dec 2025 13:36:42 +0100 Subject: [PATCH 42/85] fix: remove helm chart provider and use null resource (#251) --- modules/infra/eks/karpenter.tf | 85 ++++++++++++++++++++++------------ modules/infra/eks/providers.tf | 10 +--- 2 files changed, 57 insertions(+), 38 deletions(-) diff --git a/modules/infra/eks/karpenter.tf b/modules/infra/eks/karpenter.tf index f291a206..3453092a 100644 --- a/modules/infra/eks/karpenter.tf +++ b/modules/infra/eks/karpenter.tf @@ -14,34 +14,61 @@ module "karpenter" { } } -resource "helm_release" "karpenter" { - name = "karpenter" - namespace = "karpenter" - create_namespace = true - repository = "oci://public.ecr.aws/karpenter" - chart = "karpenter" - version = "1.8.3" - wait = false - - values = [ - <<-EOT - serviceAccount: - name: ${module.karpenter.service_account} - dnsPolicy: Default - settings: - clusterName: ${module.eks.cluster_name} - clusterEndpoint: ${module.eks.cluster_endpoint} - interruptionQueue: ${module.karpenter.queue_name} - tolerations: - - key: CriticalAddonsOnly - operator: Exists - - key: karpenter.sh/controller - operator: Exists - effect: NoSchedule - webhook: - enabled: false - EOT - ] +resource "null_resource" "karpenter" { + depends_on = [module.eks] + + triggers = { + chart_version = "1.8.3" + service_account = module.karpenter.service_account + cluster_name = module.eks.cluster_name + cluster_endpoint = module.eks.cluster_endpoint + interruption_queue = module.karpenter.queue_name + } + + # --- CREATE / UPDATE --- + provisioner "local-exec" { + command = </dev/null 2>&1 || true + +# Ensure namespace exists +kubectl get ns karpenter >/dev/null 2>&1 || kubectl create namespace karpenter + +helm upgrade --install karpenter karpenter/karpenter \ + --namespace karpenter \ + --version ${self.triggers.chart_version} \ + --set serviceAccount.name=${self.triggers.service_account} \ + --set dnsPolicy=Default \ + --set settings.clusterName=${self.triggers.cluster_name} \ + --set settings.clusterEndpoint=${self.triggers.cluster_endpoint} \ + --set settings.interruptionQueue=${self.triggers.interruption_queue} \ + --set tolerations[0].key=CriticalAddonsOnly \ + --set tolerations[0].operator=Exists \ + --set tolerations[1].key=karpenter.sh/controller \ + --set tolerations[1].operator=Exists \ + --set tolerations[1].effect=NoSchedule \ + --set webhook.enabled=false +EOF + } + + # --- DESTROY --- + provisioner "local-exec" { + when = destroy + command = < Date: Mon, 15 Dec 2025 13:41:35 +0100 Subject: [PATCH 43/85] feat: add exceptions in lambdas (#252) --- .../webex_webhook_relay/lambda/handler.py | 9 ++- .../lambda/validate_signature.py | 44 +++++------ .../ec2_scale_up_errors.json.tftpl | 2 +- .../lambda/ec2_update_runner_tags.py | 79 ++++++++++--------- .../lambda/forge_trust_validator.py | 19 ++--- 5 files changed, 77 insertions(+), 76 deletions(-) diff --git a/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/lambda/handler.py b/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/lambda/handler.py index c59a9241..9c1f7b7e 100644 --- a/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/lambda/handler.py +++ b/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/lambda/handler.py @@ -230,6 +230,9 @@ def lambda_handler(event, _context): return {'statusCode': 200, 'body': 'Alert sent'} - except Exception as exc: - LOG.exception('lambda_error error=%s', exc) - return {'statusCode': 500, 'body': f"Error: {exc}"} + except Exception as e: + LOG.exception( + 'Unhandled exception in webex_webhook_relay lambda. Error: %s', + str(e), + ) + raise diff --git a/modules/integrations/github_webhook_relay_source/lambda/validate_signature.py b/modules/integrations/github_webhook_relay_source/lambda/validate_signature.py index 9c30e9eb..2baaf6a5 100644 --- a/modules/integrations/github_webhook_relay_source/lambda/validate_signature.py +++ b/modules/integrations/github_webhook_relay_source/lambda/validate_signature.py @@ -16,28 +16,25 @@ def lambda_handler(event, _): - LOG.info('Received event for processing: %s', event) - signature = event['headers'].get('X-Hub-Signature-256', '') - body = event['body'] - - if SECRET: - digest = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest() - if not signature.endswith(digest): - LOG.warning( - 'Signature mismatch: provided %s, expected digest %s', signature, digest) - return {'statusCode': 401, 'body': 'Invalid signature'} - try: + LOG.info('Received event for processing: %s', event) + signature = event['headers'].get('X-Hub-Signature-256', '') + body = event['body'] + + if SECRET: + digest = hmac.new(SECRET, body.encode(), + hashlib.sha256).hexdigest() + if not signature.endswith(digest): + LOG.warning( + 'Signature mismatch: provided %s, expected digest %s', signature, digest) + raise ValueError('Invalid signature') + payload = json.loads(body) - except json.JSONDecodeError as e: - LOG.error('JSON decode error: %s', e) - return {'statusCode': 400, 'body': 'Invalid JSON'} - gh_event = event['headers'].get('X-GitHub-Event', 'unknown') - action = payload.get('action', 'none') + gh_event = event['headers'].get('X-GitHub-Event', 'unknown') + action = payload.get('action', 'none') - detail_type = f"github.{gh_event}.{action}" + detail_type = f"github.{gh_event}.{action}" - try: response = eb.put_events( Entries=[ { @@ -50,8 +47,11 @@ def lambda_handler(event, _): ) LOG.info('Event forwarded to EventBridge %s, response: %s', EVENT_BUS, response) - except Exception as e: - LOG.error('Failed to put event to EventBridge: %s', e) - return {'statusCode': 500, 'body': 'Failed to forward event'} - return {'statusCode': 200, 'body': 'Event forwarded'} + return {'statusCode': 200, 'body': 'Event forwarded'} + except Exception as e: + LOG.exception( + 'Unhandled exception in validate_signature lambda. Error: %s', + str(e), + ) + raise diff --git a/modules/integrations/splunk_cloud_conf_shared/template_files/ec2_scale_up_errors.json.tftpl b/modules/integrations/splunk_cloud_conf_shared/template_files/ec2_scale_up_errors.json.tftpl index b9fbb9d8..b5c43c9c 100644 --- a/modules/integrations/splunk_cloud_conf_shared/template_files/ec2_scale_up_errors.json.tftpl +++ b/modules/integrations/splunk_cloud_conf_shared/template_files/ec2_scale_up_errors.json.tftpl @@ -16,7 +16,7 @@ "options": { "items": ${jsonencode( concat( - [{ label = "Select Tenant", value = "()" }], + [{ label = "Select Tenant", value = "*" }], [for tenant in tenants : { label = tenant, value = tenant }] ) )}, diff --git a/modules/platform/ec2_deployment/ec2_update_runner_tags/lambda/ec2_update_runner_tags.py b/modules/platform/ec2_deployment/ec2_update_runner_tags/lambda/ec2_update_runner_tags.py index 67906fb5..6e534b8f 100644 --- a/modules/platform/ec2_deployment/ec2_update_runner_tags/lambda/ec2_update_runner_tags.py +++ b/modules/platform/ec2_deployment/ec2_update_runner_tags/lambda/ec2_update_runner_tags.py @@ -13,49 +13,52 @@ def lambda_handler(event, context): - LOG.debug('Received event') + try: + LOG.debug('Received event') - if event.get('detail-type') != 'workflow_job': - LOG.info('Ignoring non-workflow_job event: %s', - event.get('detail-type')) - return {'statusCode': 200, 'body': json.dumps({'message': 'ignored event'})} + if event.get('detail-type') != 'workflow_job': + LOG.info('Ignoring non-workflow_job event: %s', + event.get('detail-type')) + return {'statusCode': 200, 'body': json.dumps({'message': 'ignored event'})} - detail = event.get('detail', {}) + detail = event.get('detail', {}) - runner_name = detail.get('workflow_job').get('runner_name') - if not runner_name: - LOG.error('runner_name missing in event detail: %s', detail) - return {'statusCode': 400, 'body': json.dumps({'error': 'runner_name missing'})} + runner_name = detail.get('workflow_job').get('runner_name') + if not runner_name: + LOG.error('runner_name missing in event detail: %s', detail) + raise ValueError('runner_name missing') - if not (isinstance(runner_name, str) and runner_name.startswith('i-')): - LOG.info( - 'Runner name %s is not an EC2 instance ID, ignoring', runner_name) - return {'statusCode': 200, 'body': json.dumps({'message': 'ignored non-EC2 runner'})} + if not (isinstance(runner_name, str) and runner_name.startswith('i-')): + LOG.info( + 'Runner name %s is not an EC2 instance ID, ignoring', runner_name) + return {'statusCode': 200, 'body': json.dumps({'message': 'ignored non-EC2 runner'})} - LOG.info('Looking up EC2 instance by ID: %s', runner_name) - try: + LOG.info('Looking up EC2 instance by ID: %s', runner_name) resp = ec2.describe_instances(InstanceIds=[runner_name]) instance_ids = [inst['InstanceId'] for res in resp.get( 'Reservations', []) for inst in res.get('Instances', [])] - except ec2.exceptions.ClientError as e: - LOG.error('Error fetching instance %s: %s', runner_name, e) - return {'statusCode': 500, 'body': json.dumps({'error': 'describe_instances failed'})} - - LOG.info('Described instances, found IDs: %s', instance_ids) - if not instance_ids: - LOG.info('No instances found with Name tag %s', runner_name) - return {'statusCode': 200, 'body': json.dumps({'message': 'no instances found'})} - - job_url = detail.get('workflow_job', {}).get('html_url', '') - job_id = str(detail.get('workflow_job', {}).get('id', '')) - LOG.info('GitHub job URL: %s, job ID: %s', job_url, job_id) - - # Tag instances with found flag and GitHub URLs - LOG.info( - 'Tagging instances %s with tags job_url, job_id', instance_ids) - ec2.create_tags(Resources=instance_ids, Tags=[ - {'Key': 'ghr:job_id', 'Value': job_id}, - {'Key': 'ghr:job_url', 'Value': job_url} - ]) - LOG.info('Successfully tagged instances: %s', instance_ids) - return {'statusCode': 200, 'body': json.dumps({'tagged_instances': instance_ids})} + + LOG.info('Described instances, found IDs: %s', instance_ids) + if not instance_ids: + LOG.info('No instances found with Name tag %s', runner_name) + return {'statusCode': 200, 'body': json.dumps({'message': 'no instances found'})} + + job_url = detail.get('workflow_job', {}).get('html_url', '') + job_id = str(detail.get('workflow_job', {}).get('id', '')) + LOG.info('GitHub job URL: %s, job ID: %s', job_url, job_id) + + # Tag instances with found flag and GitHub URLs + LOG.info( + 'Tagging instances %s with tags job_url, job_id', instance_ids) + ec2.create_tags(Resources=instance_ids, Tags=[ + {'Key': 'ghr:job_id', 'Value': job_id}, + {'Key': 'ghr:job_url', 'Value': job_url} + ]) + LOG.info('Successfully tagged instances: %s', instance_ids) + return {'statusCode': 200, 'body': json.dumps({'tagged_instances': instance_ids})} + except Exception as e: + LOG.exception( + 'Unhandled exception in ec2_update_runner_tags lambda. Error: %s', + str(e), + ) + raise diff --git a/modules/platform/forge_runners/forge_trust_validator/lambda/forge_trust_validator.py b/modules/platform/forge_runners/forge_trust_validator/lambda/forge_trust_validator.py index ca8a87f7..7a483017 100644 --- a/modules/platform/forge_runners/forge_trust_validator/lambda/forge_trust_validator.py +++ b/modules/platform/forge_runners/forge_trust_validator/lambda/forge_trust_validator.py @@ -213,19 +213,14 @@ def lambda_handler(event, context): tenant_role_arns = parse_env_list('TENANT_IAM_ROLES') if not forge_role_arns or not tenant_role_arns: + msg = ( + 'Missing forge_role_arns or tenant_role_arns ' + '(check env variables FORGE_IAM_ROLES and TENANT_IAM_ROLES).' + ) LOG.error( - 'Missing required environment variables: FORGE_IAM_ROLES or TENANT_IAM_ROLES') - return { - 'statusCode': 400, - 'body': json.dumps( - { - 'message': ( - 'Missing forge_role_arns or tenant_role_arns ' - '(check env variables FORGE_IAM_ROLES and TENANT_IAM_ROLES).' - ) - } - ), - } + 'Missing required environment variables: FORGE_IAM_ROLES or TENANT_IAM_ROLES', + ) + raise RuntimeError(msg) LOG.info( f"Loaded configuration: {len(forge_role_arns)} Forge roles, {len(tenant_role_arns)} Tenant roles") From 8f18dde7795ba33150b02febd124708abb1662be Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Mon, 15 Dec 2025 16:01:19 +0100 Subject: [PATCH 44/85] fix: fix helm installation (#253) --- .github/workflows/pre-commit.yml | 2 +- README.md | 4 ++-- modules/infra/eks/karpenter.tf | 35 +++++++++++++++++++------------- 3 files changed, 24 insertions(+), 17 deletions(-) diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml index 3153f8de..144e8e5a 100644 --- a/.github/workflows/pre-commit.yml +++ b/.github/workflows/pre-commit.yml @@ -37,7 +37,7 @@ jobs: path: ~/.cache/pre-commit/ key: pre-commit|${{ github.repository }}|${{ hashFiles('.pre-commit-config.yaml') }} - - name: Cache Terraform/OpenTofu providers + - name: Cache OpenTofu providers uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 with: path: /github/home/.terraform.d/plugin diff --git a/README.md b/README.md index 44870190..45c8c5f0 100644 --- a/README.md +++ b/README.md @@ -101,7 +101,7 @@ ______________________________________________________________________ - **Role:** Deploy and maintain ForgeMT infrastructure - **Responsibilities:** AWS account setup, tenant provisioning, platform updates -- **Tools:** Terraform/OpenTofu, AWS CLI, kubectl +- **Tools:** OpenTofu, AWS CLI, kubectl, helm - **Workflow:** Deploy control plane → Onboard tenants → Monitor platform ### 👩‍💻 **Development Team (Tenant)** @@ -122,7 +122,7 @@ Deploy and manage the ForgeMT infrastructure: - **[Deploy Your First Tenant](./docs/configurations/deployments/forge_tenant.md)** — Minimal setup to bootstrap ForgeMT. - **[All Deployment Scenarios](./docs/configurations/deployments/index.md)** — Includes EKS, Splunk, BYO AMIs, and advanced patterns. -**Prerequisites:** AWS CLI configured, Terraform 1.5+, kubectl +**Prerequisites:** AWS CLI configured, OpenTofu 1.11+, kubectl, helm ### For Development Teams (Tenants) diff --git a/modules/infra/eks/karpenter.tf b/modules/infra/eks/karpenter.tf index 3453092a..a8f43002 100644 --- a/modules/infra/eks/karpenter.tf +++ b/modules/infra/eks/karpenter.tf @@ -23,20 +23,24 @@ resource "null_resource" "karpenter" { cluster_name = module.eks.cluster_name cluster_endpoint = module.eks.cluster_endpoint interruption_queue = module.karpenter.queue_name + kube_context = "${var.cluster_name}-${var.aws_profile}-${var.aws_region}" } # --- CREATE / UPDATE --- provisioner "local-exec" { command = </dev/null 2>&1 || true +echo "PATH=$PATH" +command -v helm || { echo "helm not found"; exit 1; } +command -v kubectl || { echo "kubectl not found"; exit 1; } # Ensure namespace exists -kubectl get ns karpenter >/dev/null 2>&1 || kubectl create namespace karpenter +kubectl --context ${self.triggers.kube_context} get ns karpenter --ignore-not-found=true || \ + kubectl --context ${self.triggers.kube_context} create namespace karpenter -helm upgrade --install karpenter karpenter/karpenter \ +helm --kube-context ${self.triggers.kube_context} upgrade \ + --install karpenter oci://public.ecr.aws/karpenter/karpenter \ --namespace karpenter \ --version ${self.triggers.chart_version} \ --set serviceAccount.name=${self.triggers.service_account} \ @@ -44,11 +48,11 @@ helm upgrade --install karpenter karpenter/karpenter \ --set settings.clusterName=${self.triggers.cluster_name} \ --set settings.clusterEndpoint=${self.triggers.cluster_endpoint} \ --set settings.interruptionQueue=${self.triggers.interruption_queue} \ - --set tolerations[0].key=CriticalAddonsOnly \ - --set tolerations[0].operator=Exists \ - --set tolerations[1].key=karpenter.sh/controller \ - --set tolerations[1].operator=Exists \ - --set tolerations[1].effect=NoSchedule \ + --set 'tolerations[0].key'=CriticalAddonsOnly \ + --set 'tolerations[0].operator'=Exists \ + --set 'tolerations[1].key'=karpenter.sh/controller \ + --set 'tolerations[1].operator'=Exists \ + --set 'tolerations[1].effect'=NoSchedule \ --set webhook.enabled=false EOF } @@ -57,16 +61,19 @@ EOF provisioner "local-exec" { when = destroy command = < Date: Mon, 15 Dec 2025 16:23:32 +0100 Subject: [PATCH 45/85] fix: fix NS creation for karpenter (#254) --- modules/infra/eks/karpenter.tf | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/modules/infra/eks/karpenter.tf b/modules/infra/eks/karpenter.tf index a8f43002..e2c1b182 100644 --- a/modules/infra/eks/karpenter.tf +++ b/modules/infra/eks/karpenter.tf @@ -36,8 +36,12 @@ command -v helm || { echo "helm not found"; exit 1; } command -v kubectl || { echo "kubectl not found"; exit 1; } # Ensure namespace exists -kubectl --context ${self.triggers.kube_context} get ns karpenter --ignore-not-found=true || \ - kubectl --context ${self.triggers.kube_context} create namespace karpenter +kubectl --context ${self.triggers.kube_context} apply -f - < Date: Mon, 15 Dec 2025 16:38:08 +0100 Subject: [PATCH 46/85] docs: fix example (#255) --- .../regions/eu-west-1/vpcs/sl/tenants/acme/runner_settings.hcl | 2 +- examples/templates/tenant/tenant/runner_settings.hcl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/examples/deployments/forge-tenant/terragrunt/environments/prod/regions/eu-west-1/vpcs/sl/tenants/acme/runner_settings.hcl b/examples/deployments/forge-tenant/terragrunt/environments/prod/regions/eu-west-1/vpcs/sl/tenants/acme/runner_settings.hcl index d833601b..87cd8b0e 100644 --- a/examples/deployments/forge-tenant/terragrunt/environments/prod/regions/eu-west-1/vpcs/sl/tenants/acme/runner_settings.hcl +++ b/examples/deployments/forge-tenant/terragrunt/environments/prod/regions/eu-west-1/vpcs/sl/tenants/acme/runner_settings.hcl @@ -35,7 +35,7 @@ locals { logging_retention_in_days = 3 # Load and parse runner specs YAML once - config = yamldecode(file("config.yml")) + config = yamldecode(file("config.yaml")) # GitHub App settings github_webhook_relay = local.config.gh_config.github_webhook_relay diff --git a/examples/templates/tenant/tenant/runner_settings.hcl b/examples/templates/tenant/tenant/runner_settings.hcl index d833601b..87cd8b0e 100644 --- a/examples/templates/tenant/tenant/runner_settings.hcl +++ b/examples/templates/tenant/tenant/runner_settings.hcl @@ -35,7 +35,7 @@ locals { logging_retention_in_days = 3 # Load and parse runner specs YAML once - config = yamldecode(file("config.yml")) + config = yamldecode(file("config.yaml")) # GitHub App settings github_webhook_relay = local.config.gh_config.github_webhook_relay From ebc9f449bf84381e073d2118ede17d9f44435786 Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Mon, 15 Dec 2025 16:59:43 +0100 Subject: [PATCH 47/85] docs: fix tenant example (#256) --- .../terragrunt/_global_settings/tenant.hcl | 61 +++++++++---------- .../tenant/_global_settings/tenant.hcl | 8 +-- 2 files changed, 32 insertions(+), 37 deletions(-) diff --git a/examples/deployments/forge-tenant/terragrunt/_global_settings/tenant.hcl b/examples/deployments/forge-tenant/terragrunt/_global_settings/tenant.hcl index 98c05b7d..dfc6543b 100644 --- a/examples/deployments/forge-tenant/terragrunt/_global_settings/tenant.hcl +++ b/examples/deployments/forge-tenant/terragrunt/_global_settings/tenant.hcl @@ -26,58 +26,53 @@ locals { # ───────────────────────────────────────────────────────────────────────────── # Tenant Settings # ───────────────────────────────────────────────────────────────────────────── - runner_settings_data = read_terragrunt_config("runner_settings.hcl") - tenant = local.runner_settings_data.locals.tenant + config = read_terragrunt_config("runner_settings.hcl") # ───────────────────────────────────────────────────────────────────────────── # Tags # ───────────────────────────────────────────────────────────────────────────── tags = { - TenantName = local.tenant.name - ForgeCICDTenantName = local.tenant.name - ForgeCICDTenantVpcAlias = local.runner_settings_data.locals.vpc_alias + TenantName = local.config.locals.deployment_config.tenant.name + ForgeCICDTenantName = local.config.locals.deployment_config.tenant.name + ForgeCICDTenantVpcAlias = local.config.locals.vpc_alias + Service = "Forge Runners" } default_tags = { - ApplicationName = "${local.project_name}-${local.tenant.name}-${local.runner_settings_data.locals.region_alias}-${local.runner_settings_data.locals.vpc_alias}" + ApplicationName = "${local.project_name}-${local.config.locals.deployment_config.tenant.name}-${local.config.locals.region_alias}-${local.config.locals.vpc_alias}" ResourceOwner = local.team_name ProductFamilyName = local.product_name IntendedPublic = "No" LastRevalidatedBy = "Terraform" LastRevalidatedAt = "2025-05-15" } + } inputs = { - # Core Environment - env = local.env_name - aws_account_id = local.aws_account_id - aws_profile = local.default_aws_profile - aws_region = local.region + aws_profile = local.default_aws_profile + aws_region = local.region + + ec2_deployment_specs = { + lambda_subnet_ids = local.config.locals.lambda_subnet_ids + subnet_ids = local.config.locals.subnet_ids + vpc_id = local.config.locals.vpc_id + runner_specs = local.config.locals.ec2_runner_specs + } + + arc_deployment_specs = { + cluster_name = local.config.locals.arc_cluster_name + migrate_cluster = local.config.locals.migrate_arc_cluster + runner_specs = local.config.locals.arc_runner_specs + } - # Networking - vpc_id = local.runner_settings_data.locals.vpc_id - subnet_ids = local.runner_settings_data.locals.subnet_ids - lambda_subnet_ids = local.runner_settings_data.locals.lambda_subnet_ids + github_webhook_relay = local.config.locals.github_webhook_relay - # Runners (EC2/ARC) - ec2_runner_specs = local.runner_settings_data.locals.ec2_runner_specs - arc_cluster_name = local.runner_settings_data.locals.arc_cluster_name - arc_runner_specs = local.runner_settings_data.locals.arc_runner_specs - migrate_arc_cluster = local.runner_settings_data.locals.migrate_arc_cluster + deployment_config = local.config.locals.deployment_config - # GitHub Settings - ghes_url = local.runner_settings_data.locals.ghes_url - ghes_org = local.runner_settings_data.locals.ghes_org - repository_selection = local.runner_settings_data.locals.repository_selection - runner_group_name = local.runner_settings_data.locals.runner_group_name - github_webhook_relay = local.runner_settings_data.locals.github_webhook_relay + log_level = local.config.locals.log_level + logging_retention_in_days = local.config.locals.logging_retention_in_days - # Misc - deployment_config = local.runner_settings_data.locals.deployment_config - log_level = local.runner_settings_data.locals.log_level - logging_retention_in_days = local.runner_settings_data.locals.logging_retention_in_days - tenant = local.tenant - tags = local.tags - default_tags = local.default_tags + tags = local.tags + default_tags = local.default_tags } diff --git a/examples/templates/tenant/_global_settings/tenant.hcl b/examples/templates/tenant/_global_settings/tenant.hcl index 332c84bf..40487cc6 100644 --- a/examples/templates/tenant/_global_settings/tenant.hcl +++ b/examples/templates/tenant/_global_settings/tenant.hcl @@ -26,8 +26,8 @@ locals { # ───────────────────────────────────────────────────────────────────────────── # Tenant Settings # ───────────────────────────────────────────────────────────────────────────── - runner_settings_data = read_terragrunt_config("runner_settings.hcl") - tenant = local.runner_settings_data.locals.tenant + config = read_terragrunt_config("runner_settings.hcl") + tenant = local.config.locals.tenant # ───────────────────────────────────────────────────────────────────────────── # Tags @@ -35,11 +35,11 @@ locals { tags = { TenantName = local.tenant.name ForgeCICDTenantName = local.tenant.name - ForgeCICDTenantVpcAlias = local.runner_settings_data.locals.vpc_alias + ForgeCICDTenantVpcAlias = local.config.locals.vpc_alias } default_tags = { - ApplicationName = "${local.project_name}-${local.tenant.name}-${local.runner_settings_data.locals.region_alias}-${local.runner_settings_data.locals.vpc_alias}" + ApplicationName = "${local.project_name}-${local.tenant.name}-${local.config.locals.region_alias}-${local.runner_settings_data.locals.vpc_alias}" ResourceOwner = local.team_name ProductFamilyName = local.product_name IntendedPublic = "No" From a07f989ceb988eb77e24fa21f1502ea0bd25ed19 Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Mon, 15 Dec 2025 19:17:43 +0100 Subject: [PATCH 48/85] fix: encode first dummy secret (#257) --- modules/platform/forge_runners/ssm.tf | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/modules/platform/forge_runners/ssm.tf b/modules/platform/forge_runners/ssm.tf index d593ad03..05712dc6 100644 --- a/modules/platform/forge_runners/ssm.tf +++ b/modules/platform/forge_runners/ssm.tf @@ -2,7 +2,7 @@ resource "aws_ssm_parameter" "github_app_key" { name = "/forge/${var.deployment_config.deployment_prefix}/github_app_key" description = "Base64 encoded GitHub App private key for GHA ephemeral runners for Tenant ${var.deployment_config.tenant.name}." type = "SecureString" - value = "initial-placeholder-value" + value = base64encode("initial-placeholder-value") tags = local.all_security_tags lifecycle { @@ -71,6 +71,7 @@ resource "random_password" "github_app_webhook_secret" { } data "aws_ssm_parameter" "github_app_key" { - name = aws_ssm_parameter.github_app_key.name - depends_on = [aws_ssm_parameter.github_app_key] + name = aws_ssm_parameter.github_app_key.name + with_decryption = true + depends_on = [aws_ssm_parameter.github_app_key] } From d447196c47c09df8c388b966149bd3a18f68e5f7 Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Mon, 15 Dec 2025 19:37:24 +0100 Subject: [PATCH 49/85] fix: use bash interpreter (#258) --- modules/infra/eks/karpenter.tf | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/modules/infra/eks/karpenter.tf b/modules/infra/eks/karpenter.tf index e2c1b182..acca9ee3 100644 --- a/modules/infra/eks/karpenter.tf +++ b/modules/infra/eks/karpenter.tf @@ -28,7 +28,8 @@ resource "null_resource" "karpenter" { # --- CREATE / UPDATE --- provisioner "local-exec" { - command = < Date: Mon, 15 Dec 2025 19:37:32 +0100 Subject: [PATCH 50/85] feat: add support for placement group (#220) * feat: add support for placement group * fix: replace deprecated inputsL for new ami input * style: fix format * chore: update module terraform-aws-github-runner --- modules/platform/ec2_deployment/main.tf | 61 ++++++++++---------- modules/platform/ec2_deployment/variables.tf | 3 + modules/platform/forge_runners/variables.tf | 3 + 3 files changed, 37 insertions(+), 30 deletions(-) diff --git a/modules/platform/ec2_deployment/main.tf b/modules/platform/ec2_deployment/main.tf index 5038f459..81114ae8 100644 --- a/modules/platform/ec2_deployment/main.tf +++ b/modules/platform/ec2_deployment/main.tf @@ -9,14 +9,6 @@ locals { runner_hook_job_started = file(local.runner_template_hook_job_started) runner_hook_job_completed = file(local.runner_template_hook_job_completed) - userdata_post_install = templatefile( - local.userdata_template_post_install, - { - runner_user = "ubuntu" - ecr_registries = var.tenant_configs.ecr_registries - } - ) - } # Enable AWS-managed encryption key. @@ -43,11 +35,11 @@ data "aws_subnet" "runner_subnet" { } data "external" "download_lambdas" { - program = ["bash", "${path.module}/scripts/download_lambdas.sh", "/tmp/${var.runner_configs.prefix}/", "v6.10.1"] + program = ["bash", "${path.module}/scripts/download_lambdas.sh", "/tmp/${var.runner_configs.prefix}/", "v7.0.0"] } module "runners" { - source = "git::https://github.com/github-aws-runners/terraform-aws-github-runner.git//modules/multi-runner?ref=v6.10.1" + source = "git::https://github.com/github-aws-runners/terraform-aws-github-runner.git//modules/multi-runner?ref=v7.0.0" aws_region = var.aws_region @@ -114,27 +106,34 @@ module "runners" { "http_tokens" : "optional", "instance_metadata_tags" : "enabled" } - delay_webhook_event = 0 - runner_ec2_tags = var.tenant_configs.tags - runner_os = val["runner_os"] - runner_architecture = val["runner_architecture"] - runner_extra_labels = val["extra_labels"] - enable_ssm_on_runners = true - instance_types = val["instance_types"] - runners_maximum_count = val["max_instances"] - scale_down_schedule_expression = "cron(*/5 * * * ? *)" - minimum_running_time_in_minutes = val["min_run_time"] - runner_group_name = var.runner_configs.runner_group_name - enable_runner_binaries_syncer = false - enable_userdata = val["enable_userdata"] - userdata_template = local.user_data_template_runner - userdata_pre_install = "# No pre-install steps." - userdata_post_install = local.userdata_post_install + delay_webhook_event = 0 + runner_ec2_tags = var.tenant_configs.tags + runner_os = val["runner_os"] + runner_architecture = val["runner_architecture"] + runner_extra_labels = val["extra_labels"] + enable_ssm_on_runners = true + instance_types = val["instance_types"] + runners_maximum_count = val["max_instances"] + scale_down_schedule_expression = "cron(*/5 * * * ? *)" + minimum_running_time_in_minutes = val["min_run_time"] + runner_group_name = var.runner_configs.runner_group_name + enable_runner_binaries_syncer = false + enable_userdata = val["enable_userdata"] + userdata_template = local.user_data_template_runner + userdata_pre_install = "# No pre-install steps." + userdata_post_install = templatefile( + local.userdata_template_post_install, + { + runner_user = val["runner_user"] + ecr_registries = var.tenant_configs.ecr_registries + } + ) runner_hook_job_started = local.runner_hook_job_started runner_hook_job_completed = local.runner_hook_job_completed enable_runner_detailed_monitoring = true runner_run_as = val["runner_user"] block_device_mappings = val["block_device_mappings"] + placement = val["placement"] runner_log_files = [ { "log_group_name" : "forge-logs", @@ -157,13 +156,15 @@ module "runners" { { "log_group_name" : "forge-logs", "prefix_log_group" : true, - "file_path" : "/home/ubuntu/hook.log", + "file_path" : "/home/${val["runner_user"]}/hook.log", "log_stream_name" : "{instance_id}/hook" }, ] - ami_owners = val["ami_owners"] - ami_filter = val["ami_filter"] - ami_kms_key_arn = val["ami_kms_key_arn"] + ami = { + owners = val["ami_owners"] + filter = val["ami_filter"] + kms_key_arn = val["ami_kms_key_arn"] + } instance_target_capacity_type = val["instance_target_capacity_type"] enable_job_queued_check = false runner_iam_role_managed_policy_arns = concat( diff --git a/modules/platform/ec2_deployment/variables.tf b/modules/platform/ec2_deployment/variables.tf index 2e1983b1..70993d44 100644 --- a/modules/platform/ec2_deployment/variables.tf +++ b/modules/platform/ec2_deployment/variables.tf @@ -32,6 +32,9 @@ variable "runner_configs" { max_instances = number min_run_time = number instance_types = list(string) + placement = optional(object({ + host_id = optional(string, null) + }), null) pool_config = list(object({ size = number schedule_expression = string diff --git a/modules/platform/forge_runners/variables.tf b/modules/platform/forge_runners/variables.tf index b33fc99b..dc6143ef 100644 --- a/modules/platform/forge_runners/variables.tf +++ b/modules/platform/forge_runners/variables.tf @@ -27,6 +27,9 @@ variable "ec2_deployment_specs" { max_instances = number min_run_time = number instance_types = list(string) + placement = optional(object({ + host_id = optional(string, null) + }), null) pool_config = list(object({ size = number schedule_expression = string From 1177be5a308a8e2dfe63a7e18a41b72cac6c6f66 Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Tue, 16 Dec 2025 12:17:43 +0100 Subject: [PATCH 51/85] feat: allow to use different vpc and subnet for runners (#259) --- .../forge-tenant/terragrunt/_global_settings/tenant.hcl | 1 + .../eu-west-1/vpcs/sl/tenants/acme/runner_settings.hcl | 4 +++- examples/templates/tenant/_global_settings/tenant.hcl | 1 + examples/templates/tenant/tenant/runner_settings.hcl | 3 ++- modules/platform/ec2_deployment/security_group.tf | 2 +- modules/platform/ec2_deployment/variables.tf | 1 + modules/platform/forge_runners/ec2_runners.tf | 1 + modules/platform/forge_runners/variables.tf | 1 + 8 files changed, 11 insertions(+), 3 deletions(-) diff --git a/examples/deployments/forge-tenant/terragrunt/_global_settings/tenant.hcl b/examples/deployments/forge-tenant/terragrunt/_global_settings/tenant.hcl index dfc6543b..9c76410e 100644 --- a/examples/deployments/forge-tenant/terragrunt/_global_settings/tenant.hcl +++ b/examples/deployments/forge-tenant/terragrunt/_global_settings/tenant.hcl @@ -55,6 +55,7 @@ inputs = { ec2_deployment_specs = { lambda_subnet_ids = local.config.locals.lambda_subnet_ids + lambda_vpc_id = local.config.locals.lambda_vpc_id subnet_ids = local.config.locals.subnet_ids vpc_id = local.config.locals.vpc_id runner_specs = local.config.locals.ec2_runner_specs diff --git a/examples/deployments/forge-tenant/terragrunt/environments/prod/regions/eu-west-1/vpcs/sl/tenants/acme/runner_settings.hcl b/examples/deployments/forge-tenant/terragrunt/environments/prod/regions/eu-west-1/vpcs/sl/tenants/acme/runner_settings.hcl index 87cd8b0e..3891d6c0 100644 --- a/examples/deployments/forge-tenant/terragrunt/environments/prod/regions/eu-west-1/vpcs/sl/tenants/acme/runner_settings.hcl +++ b/examples/deployments/forge-tenant/terragrunt/environments/prod/regions/eu-west-1/vpcs/sl/tenants/acme/runner_settings.hcl @@ -18,6 +18,7 @@ include "vpc" { locals { # VPC & region info from includes + lambda_vpc_id = include.vpc.locals.vpc_id lambda_subnet_ids = include.vpc.locals.lambda_subnet_ids vpc_id = include.vpc.locals.vpc_id subnet_ids = include.vpc.locals.subnet_ids @@ -98,7 +99,8 @@ locals { volume_size = spec.volume.size volume_type = spec.volume.type }] - pool_config = spec.pool_config + vpc_id = local.vpc_id + } } arc_cluster_name = local.config.arc_cluster_name diff --git a/examples/templates/tenant/_global_settings/tenant.hcl b/examples/templates/tenant/_global_settings/tenant.hcl index 40487cc6..eeb4e5df 100644 --- a/examples/templates/tenant/_global_settings/tenant.hcl +++ b/examples/templates/tenant/_global_settings/tenant.hcl @@ -56,6 +56,7 @@ inputs = { # Runners (EC2/ARC) ec2_deployment_specs = { lambda_subnet_ids = local.config.locals.lambda_subnet_ids + lambda_vpc_id = local.config.locals.lambda_vpc_id subnet_ids = local.config.locals.subnet_ids vpc_id = local.config.locals.vpc_id runner_specs = local.config.locals.ec2_runner_specs diff --git a/examples/templates/tenant/tenant/runner_settings.hcl b/examples/templates/tenant/tenant/runner_settings.hcl index 87cd8b0e..1df3e18c 100644 --- a/examples/templates/tenant/tenant/runner_settings.hcl +++ b/examples/templates/tenant/tenant/runner_settings.hcl @@ -18,6 +18,7 @@ include "vpc" { locals { # VPC & region info from includes + lambda_vpc_id = include.vpc.locals.vpc_id lambda_subnet_ids = include.vpc.locals.lambda_subnet_ids vpc_id = include.vpc.locals.vpc_id subnet_ids = include.vpc.locals.subnet_ids @@ -98,7 +99,7 @@ locals { volume_size = spec.volume.size volume_type = spec.volume.type }] - pool_config = spec.pool_config + vpc_id = local.vpc_id } } arc_cluster_name = local.config.arc_cluster_name diff --git a/modules/platform/ec2_deployment/security_group.tf b/modules/platform/ec2_deployment/security_group.tf index 932c749d..225c4b18 100644 --- a/modules/platform/ec2_deployment/security_group.tf +++ b/modules/platform/ec2_deployment/security_group.tf @@ -1,7 +1,7 @@ # Allow the lambda to egress to any destination via any protocol. resource "aws_security_group" "gh_runner_lambda_egress" { name = "${var.runner_configs.prefix}-gh-runner-lambda-egress-all" - vpc_id = var.network_configs.vpc_id + vpc_id = var.network_configs.lambda_vpc_id egress { from_port = 0 diff --git a/modules/platform/ec2_deployment/variables.tf b/modules/platform/ec2_deployment/variables.tf index 70993d44..6141acb8 100644 --- a/modules/platform/ec2_deployment/variables.tf +++ b/modules/platform/ec2_deployment/variables.tf @@ -62,6 +62,7 @@ variable "network_configs" { type = object({ vpc_id = string subnet_ids = list(string) + lambda_vpc_id = string lambda_subnet_ids = list(string) }) } diff --git a/modules/platform/forge_runners/ec2_runners.tf b/modules/platform/forge_runners/ec2_runners.tf index 4c33ec36..ab3e04b0 100644 --- a/modules/platform/forge_runners/ec2_runners.tf +++ b/modules/platform/forge_runners/ec2_runners.tf @@ -21,6 +21,7 @@ module "ec2_runners" { vpc_id = var.ec2_deployment_specs.vpc_id subnet_ids = var.ec2_deployment_specs.subnet_ids lambda_subnet_ids = var.ec2_deployment_specs.lambda_subnet_ids + lambda_vpc_id = var.ec2_deployment_specs.lambda_vpc_id } tenant_configs = { diff --git a/modules/platform/forge_runners/variables.tf b/modules/platform/forge_runners/variables.tf index dc6143ef..4c0ff0e5 100644 --- a/modules/platform/forge_runners/variables.tf +++ b/modules/platform/forge_runners/variables.tf @@ -12,6 +12,7 @@ variable "ec2_deployment_specs" { type = object({ lambda_subnet_ids = list(string) subnet_ids = list(string) + lambda_vpc_id = string vpc_id = string runner_specs = map(object({ ami_filter = object({ From df1e6756404bf153283c452fac1af552bbec5cc8 Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Tue, 16 Dec 2025 15:09:34 +0100 Subject: [PATCH 52/85] deprecated: remove old and duplicated sg for runners (#260) --- modules/platform/ec2_deployment/main.tf | 7 ++---- .../platform/ec2_deployment/security_group.tf | 22 ------------------- 2 files changed, 2 insertions(+), 27 deletions(-) diff --git a/modules/platform/ec2_deployment/main.tf b/modules/platform/ec2_deployment/main.tf index 81114ae8..63da1076 100644 --- a/modules/platform/ec2_deployment/main.tf +++ b/modules/platform/ec2_deployment/main.tf @@ -43,11 +43,8 @@ module "runners" { aws_region = var.aws_region - vpc_id = var.network_configs.vpc_id - subnet_ids = var.network_configs.subnet_ids - runner_additional_security_group_ids = [ - aws_security_group.gh_runner_egress.id, - ] + vpc_id = var.network_configs.vpc_id + subnet_ids = var.network_configs.subnet_ids lambda_subnet_ids = var.network_configs.lambda_subnet_ids lambda_security_group_ids = [aws_security_group.gh_runner_lambda_egress.id] kms_key_arn = aws_kms_key.github.arn diff --git a/modules/platform/ec2_deployment/security_group.tf b/modules/platform/ec2_deployment/security_group.tf index 225c4b18..1f1c74e0 100644 --- a/modules/platform/ec2_deployment/security_group.tf +++ b/modules/platform/ec2_deployment/security_group.tf @@ -19,25 +19,3 @@ resource "aws_security_group" "gh_runner_lambda_egress" { tags_all = var.tenant_configs.tags } - -# Policy for the runners (not the lambdas). -resource "aws_security_group" "gh_runner_egress" { - name = "${var.runner_configs.prefix}-gh-runner-lambda-egress" - vpc_id = var.network_configs.vpc_id - - egress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] - } - - tags = merge( - var.tenant_configs.tags, - { - Name = "${var.runner_configs.prefix}-gh-runner-lambda-egress" - } - ) - - tags_all = var.tenant_configs.tags -} From 23ba04c17d2a221f292fe78c4db7f69125323de7 Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Mon, 29 Dec 2025 13:59:54 +0100 Subject: [PATCH 53/85] docs: fix template for tenant (#262) --- .../eu-west-1/vpcs/sl/tenants/acme/runner_settings.hcl | 4 ++-- examples/templates/tenant/tenant/runner_settings.hcl | 3 ++- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/examples/deployments/forge-tenant/terragrunt/environments/prod/regions/eu-west-1/vpcs/sl/tenants/acme/runner_settings.hcl b/examples/deployments/forge-tenant/terragrunt/environments/prod/regions/eu-west-1/vpcs/sl/tenants/acme/runner_settings.hcl index 3891d6c0..0f94caa2 100644 --- a/examples/deployments/forge-tenant/terragrunt/environments/prod/regions/eu-west-1/vpcs/sl/tenants/acme/runner_settings.hcl +++ b/examples/deployments/forge-tenant/terragrunt/environments/prod/regions/eu-west-1/vpcs/sl/tenants/acme/runner_settings.hcl @@ -99,8 +99,8 @@ locals { volume_size = spec.volume.size volume_type = spec.volume.type }] - vpc_id = local.vpc_id - + vpc_id = local.vpc_id + pool_config = spec.pool_config } } arc_cluster_name = local.config.arc_cluster_name diff --git a/examples/templates/tenant/tenant/runner_settings.hcl b/examples/templates/tenant/tenant/runner_settings.hcl index 1df3e18c..0f94caa2 100644 --- a/examples/templates/tenant/tenant/runner_settings.hcl +++ b/examples/templates/tenant/tenant/runner_settings.hcl @@ -99,7 +99,8 @@ locals { volume_size = spec.volume.size volume_type = spec.volume.type }] - vpc_id = local.vpc_id + vpc_id = local.vpc_id + pool_config = spec.pool_config } } arc_cluster_name = local.config.arc_cluster_name From 6e4fdddd322c10f578a1933ceb00d6aa3627754c Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Thu, 8 Jan 2026 21:25:40 +0100 Subject: [PATCH 54/85] fix: force dm template update (#264) --- .../splunk_cloud_data_manager/data_input/s3_template.tf | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/modules/integrations/splunk_cloud_data_manager/data_input/s3_template.tf b/modules/integrations/splunk_cloud_data_manager/data_input/s3_template.tf index cda178d1..4644decc 100644 --- a/modules/integrations/splunk_cloud_data_manager/data_input/s3_template.tf +++ b/modules/integrations/splunk_cloud_data_manager/data_input/s3_template.tf @@ -3,8 +3,10 @@ resource "aws_s3_object" "cloudformation_template" { key = "${var.cloudformation_s3_config.key}${random_uuid.splunk_input_uuid.result}/template.json" source = "/tmp/${random_uuid.splunk_input_uuid.result}_template.json" + source_hash = filemd5("/tmp/${random_uuid.splunk_input_uuid.result}_template.json") + depends_on = [ - null_resource.create_integration, + data.external.splunk_dm_version, random_uuid.splunk_input_uuid, ] } From 0734618be824f6f60899b7eb64a67b2d79d4320d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 9 Jan 2026 09:17:16 +0100 Subject: [PATCH 55/85] chore(deps): bump docker/setup-buildx-action from 3.11.1 to 3.12.0 (#261) Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 3.11.1 to 3.12.0. - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](https://github.com/docker/setup-buildx-action/compare/e468171a9de216ec08956ac3ada2f0791b6bd435...8d2750c68a42422c14e847fe6c8ac0403b4cbd6f) --- updated-dependencies: - dependency-name: docker/setup-buildx-action dependency-version: 3.12.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/build-forge-github-app-register.yml | 2 +- .github/workflows/build-pre-commit.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-forge-github-app-register.yml b/.github/workflows/build-forge-github-app-register.yml index 2572f77d..c0c9e4ce 100644 --- a/.github/workflows/build-forge-github-app-register.yml +++ b/.github/workflows/build-forge-github-app-register.yml @@ -42,7 +42,7 @@ jobs: uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 with: platforms: ${{ env.PLATFORMS }} diff --git a/.github/workflows/build-pre-commit.yml b/.github/workflows/build-pre-commit.yml index d8155551..3f8034e4 100644 --- a/.github/workflows/build-pre-commit.yml +++ b/.github/workflows/build-pre-commit.yml @@ -42,7 +42,7 @@ jobs: uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 with: platforms: ${{ env.PLATFORMS }} From da6427f35428af5435a65af071b6a6cb6c0627e6 Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Fri, 9 Jan 2026 10:21:05 +0100 Subject: [PATCH 56/85] fix: fix splunk DM template upload (#266) --- .../splunk_cloud_data_manager/data_input/s3_template.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/integrations/splunk_cloud_data_manager/data_input/s3_template.tf b/modules/integrations/splunk_cloud_data_manager/data_input/s3_template.tf index 4644decc..d1533535 100644 --- a/modules/integrations/splunk_cloud_data_manager/data_input/s3_template.tf +++ b/modules/integrations/splunk_cloud_data_manager/data_input/s3_template.tf @@ -3,9 +3,10 @@ resource "aws_s3_object" "cloudformation_template" { key = "${var.cloudformation_s3_config.key}${random_uuid.splunk_input_uuid.result}/template.json" source = "/tmp/${random_uuid.splunk_input_uuid.result}_template.json" - source_hash = filemd5("/tmp/${random_uuid.splunk_input_uuid.result}_template.json") + source_hash = sha256(jsonencode(local.tags)) depends_on = [ + null_resource.create_integration, data.external.splunk_dm_version, random_uuid.splunk_input_uuid, ] From 6e0bc8825c4ea3ea53fc919278a39e2c243ee68f Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Fri, 9 Jan 2026 15:00:04 +0100 Subject: [PATCH 57/85] fix: add hash in data external splunk_dm_version (#267) * fix: add hash in data external splunk_dm_version * feat: change dm template path --- .../splunk_cloud_data_manager/data_input/locals.tf | 3 +-- .../splunk_cloud_data_manager/data_input/s3_template.tf | 4 +--- .../data_input/scripts/get_splunk_integration.sh | 7 +++++-- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/modules/integrations/splunk_cloud_data_manager/data_input/locals.tf b/modules/integrations/splunk_cloud_data_manager/data_input/locals.tf index a3855193..790ca9f9 100644 --- a/modules/integrations/splunk_cloud_data_manager/data_input/locals.tf +++ b/modules/integrations/splunk_cloud_data_manager/data_input/locals.tf @@ -1,7 +1,7 @@ locals { name = "SplunkDMDataIngest-${random_uuid.splunk_input_uuid.result}" - template_url = "https://${var.cloudformation_s3_config.bucket}.s3.amazonaws.com/${var.cloudformation_s3_config.key}${random_uuid.splunk_input_uuid.result}/template.json" + template_url = "https://${var.cloudformation_s3_config.bucket}.s3.amazonaws.com/${var.cloudformation_s3_config.key}${random_uuid.splunk_input_uuid.result}/${data.external.splunk_dm_version.result.template_hash}/template.json" tags = merge( var.tags_all, @@ -15,5 +15,4 @@ locals { SplunkDMVersion = data.external.splunk_dm_version.result["version"] } ) - } diff --git a/modules/integrations/splunk_cloud_data_manager/data_input/s3_template.tf b/modules/integrations/splunk_cloud_data_manager/data_input/s3_template.tf index d1533535..036c7f55 100644 --- a/modules/integrations/splunk_cloud_data_manager/data_input/s3_template.tf +++ b/modules/integrations/splunk_cloud_data_manager/data_input/s3_template.tf @@ -1,10 +1,8 @@ resource "aws_s3_object" "cloudformation_template" { bucket = var.cloudformation_s3_config.bucket - key = "${var.cloudformation_s3_config.key}${random_uuid.splunk_input_uuid.result}/template.json" + key = "${var.cloudformation_s3_config.key}${random_uuid.splunk_input_uuid.result}/${data.external.splunk_dm_version.result.template_hash}/template.json" source = "/tmp/${random_uuid.splunk_input_uuid.result}_template.json" - source_hash = sha256(jsonencode(local.tags)) - depends_on = [ null_resource.create_integration, data.external.splunk_dm_version, diff --git a/modules/integrations/splunk_cloud_data_manager/data_input/scripts/get_splunk_integration.sh b/modules/integrations/splunk_cloud_data_manager/data_input/scripts/get_splunk_integration.sh index 180e42d3..c2516aa3 100755 --- a/modules/integrations/splunk_cloud_data_manager/data_input/scripts/get_splunk_integration.sh +++ b/modules/integrations/splunk_cloud_data_manager/data_input/scripts/get_splunk_integration.sh @@ -118,5 +118,8 @@ curl "${splunk_cloud}/en-GB/splunkd/__raw/servicesNS/nobody/data_manager/cloudin -H "X-Splunk-Form-Key: $SPLUNKWEB_CSRF_TOKEN_8443" \ -o /tmp/${splunk_input_uuid}_template.json >>/tmp/${splunk_input_uuid}_logs.txt 2>&1 -# Output the version -cat /tmp/${splunk_input_uuid}_input.json | jq -c '{version: .details.version}' +# Calculate the hash of the template +TEMPLATE_HASH=$(shasum -a 256 /tmp/${splunk_input_uuid}_template.json | awk '{print $1}') + +# Output the version and template hash +cat /tmp/${splunk_input_uuid}_input.json | jq -c --arg hash "$TEMPLATE_HASH" '{version: .details.version, template_hash: $hash}' From 931997bef26e614f8b7d90478c6c53fce43d4c4b Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Mon, 19 Jan 2026 12:33:40 +0100 Subject: [PATCH 58/85] fix: add missing policy to terminate instances (#269) --- modules/infra/cloud_custodian/main.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/infra/cloud_custodian/main.tf b/modules/infra/cloud_custodian/main.tf index 7e866b2c..4ae19106 100644 --- a/modules/infra/cloud_custodian/main.tf +++ b/modules/infra/cloud_custodian/main.tf @@ -17,6 +17,7 @@ data "aws_iam_policy_document" "cloud_custodian_policy" { "ec2:DescribeSecurityGroupReferences", "ec2:DescribeVolumes", "ec2:DeleteVolume", + "ec2:TerminateInstances", ] resources = ["*"] } From 887184e095e5e49af4e01942553dba98b546499e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 19 Jan 2026 12:33:55 +0100 Subject: [PATCH 59/85] chore(deps): bump actions/cache from 5.0.1 to 5.0.2 (#268) Bumps [actions/cache](https://github.com/actions/cache) from 5.0.1 to 5.0.2. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/9255dc7a253b0ccc959486e2bca901246202afeb...8b402f58fbc84540c8b491a91e594a4576fec3d7) --- updated-dependencies: - dependency-name: actions/cache dependency-version: 5.0.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/pre-commit.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml index 144e8e5a..9c30599b 100644 --- a/.github/workflows/pre-commit.yml +++ b/.github/workflows/pre-commit.yml @@ -32,13 +32,13 @@ jobs: uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Cache Pre-commit - uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 + uses: actions/cache@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2 with: path: ~/.cache/pre-commit/ key: pre-commit|${{ github.repository }}|${{ hashFiles('.pre-commit-config.yaml') }} - name: Cache OpenTofu providers - uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1 + uses: actions/cache@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2 with: path: /github/home/.terraform.d/plugin key: tf-providers-${{ github.run_id }} From aaa8b78b59012589a76d940093ce4f18a6aae1ce Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 1 Feb 2026 19:49:52 +0100 Subject: [PATCH 60/85] chore(deps): bump actions/cache from 5.0.2 to 5.0.3 (#272) Bumps [actions/cache](https://github.com/actions/cache) from 5.0.2 to 5.0.3. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/8b402f58fbc84540c8b491a91e594a4576fec3d7...cdf6c1fa76f9f475f3d7449005a359c84ca0f306) --- updated-dependencies: - dependency-name: actions/cache dependency-version: 5.0.3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/pre-commit.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml index 9c30599b..014d9f6e 100644 --- a/.github/workflows/pre-commit.yml +++ b/.github/workflows/pre-commit.yml @@ -32,13 +32,13 @@ jobs: uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Cache Pre-commit - uses: actions/cache@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2 + uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: path: ~/.cache/pre-commit/ key: pre-commit|${{ github.repository }}|${{ hashFiles('.pre-commit-config.yaml') }} - name: Cache OpenTofu providers - uses: actions/cache@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2 + uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: path: /github/home/.terraform.d/plugin key: tf-providers-${{ github.run_id }} From d1eb77adea88027e0d9ea52758c4a97c5b7193c4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 1 Feb 2026 19:50:02 +0100 Subject: [PATCH 61/85] chore(deps): bump docker/login-action from 3.6.0 to 3.7.0 (#271) Bumps [docker/login-action](https://github.com/docker/login-action) from 3.6.0 to 3.7.0. - [Release notes](https://github.com/docker/login-action/releases) - [Commits](https://github.com/docker/login-action/compare/5e57cd118135c172c3672efd75eb46360885c0ef...c94ce9fb468520275223c153574b00df6fe4bcc9) --- updated-dependencies: - dependency-name: docker/login-action dependency-version: 3.7.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/build-forge-github-app-register.yml | 2 +- .github/workflows/build-pre-commit.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-forge-github-app-register.yml b/.github/workflows/build-forge-github-app-register.yml index c0c9e4ce..62e4fe82 100644 --- a/.github/workflows/build-forge-github-app-register.yml +++ b/.github/workflows/build-forge-github-app-register.yml @@ -47,7 +47,7 @@ jobs: platforms: ${{ env.PLATFORMS }} - name: Log in to the Container registry - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} diff --git a/.github/workflows/build-pre-commit.yml b/.github/workflows/build-pre-commit.yml index 3f8034e4..7b936df3 100644 --- a/.github/workflows/build-pre-commit.yml +++ b/.github/workflows/build-pre-commit.yml @@ -47,7 +47,7 @@ jobs: platforms: ${{ env.PLATFORMS }} - name: Log in to the Container registry - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} From 8a47e95cba1873f15d02203325cc77acc0449ffc Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 1 Feb 2026 19:50:26 +0100 Subject: [PATCH 62/85] chore(deps): bump actions/checkout from 6.0.1 to 6.0.2 (#270) Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.1 to 6.0.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/8e8c483db84b4bee98b60c0593521ed34d9990e8...de0fac2e4500dabe0009e67214ff5f5447ce83dd) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/build-forge-github-app-register.yml | 2 +- .github/workflows/build-pre-commit.yml | 2 +- .github/workflows/pre-commit.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build-forge-github-app-register.yml b/.github/workflows/build-forge-github-app-register.yml index 62e4fe82..b884caad 100644 --- a/.github/workflows/build-forge-github-app-register.yml +++ b/.github/workflows/build-forge-github-app-register.yml @@ -39,7 +39,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Docker Buildx uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 diff --git a/.github/workflows/build-pre-commit.yml b/.github/workflows/build-pre-commit.yml index 7b936df3..4306ae17 100644 --- a/.github/workflows/build-pre-commit.yml +++ b/.github/workflows/build-pre-commit.yml @@ -39,7 +39,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Docker Buildx uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml index 014d9f6e..c96c596b 100644 --- a/.github/workflows/pre-commit.yml +++ b/.github/workflows/pre-commit.yml @@ -29,7 +29,7 @@ jobs: if: github.event.pull_request.user.login != 'dependabot[bot]' steps: - name: Checkout Repository - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Cache Pre-commit uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 From c21684ecb2cc33b1d14a147eac0ef88c6066375b Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Mon, 2 Feb 2026 11:43:49 +0100 Subject: [PATCH 63/85] chore: sync renovatebot update (#273) * chore(deps): update karpenter docker tag to v1.8.3 (#56) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update pre-commit hooks (#55) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update helm release splunk-otel-collector to v0.141.0 (#57) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update dependency terraform-docs/terraform-docs to v0.21.0 (#59) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update dependency gruntwork-io/terragrunt to v0.95.0 (#58) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update dependency gruntwork-io/terragrunt to v0.95.1 (#62) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update python:3.14-slim docker digest to 2751cbe (#61) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update pre-commit hook python-jsonschema/check-jsonschema to v0.36.0 (#63) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update dependency gruntwork-io/terragrunt to v0.96.0 (#64) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update dependency gruntwork-io/terragrunt to v0.96.1 (#65) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update pre-commit hook ansible-community/ansible-lint to v25.12.2 (#69) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update python:3.14-slim docker digest to aa5be11 (#71) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update python:3.14-slim docker digest to f7864aa (#72) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update python:3.14-slim docker digest to 3955a7d (#73) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update pre-commit hook antonbabenko/pre-commit-terraform to v1.104.1 (#74) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update python:3.14-slim docker digest to 38b6cc0 (#76) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update python:3.14-slim docker digest to 1f741ae (#77) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update ubuntu:24.04 docker digest to 7a39814 (#79) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update actions/cache action to v5.0.2 (#80) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update python:3.14-slim docker digest to 9b81fe9 (#81) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update ubuntu:24.04 docker digest to cd1dba6 (#82) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update actions/checkout action to v6.0.2 (#83) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update pre-commit hook python-jsonschema/check-jsonschema to v0.36.1 (#84) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update actions/cache action to v5.0.3 (#85) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update pre-commit hooks (#41) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update aws providers and modules (#66) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update pre-commit hooks (#70) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update helm release splunk-otel-collector to v0.143.0 (#78) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update dependency gruntwork-io/terragrunt to v0.99.1 (#75) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .docker/forge-github-app-register/Dockerfile | 2 +- .docker/pre-commit/Dockerfile | 6 +++--- .pre-commit-config.yaml | 16 ++++++++-------- modules/infra/eks/eks.tf | 4 ++-- modules/infra/eks/karpenter.tf | 2 +- modules/infra/eks/nodes.tf | 2 +- .../webex_webhook_relay/lambda.tf | 2 +- .../github_webhook_relay_source/lambda.tf | 2 +- .../splunk_aws_billing/billing_per_resource.tf | 2 +- .../billing_per_resource_process.tf | 2 +- .../splunk_aws_billing/billing_per_service.tf | 2 +- .../sec_meta_ec2_tags/main.tf | 2 +- .../splunk_cloud_s3_runner_logs/lambda.tf | 2 +- modules/integrations/splunk_otel_eks/otel.tf | 2 +- .../ec2_update_runner_ssm_ami/main.tf | 2 +- .../ec2_update_runner_tags/main.tf | 2 +- modules/platform/ec2_deployment/main.tf | 4 ++-- .../forge_runners/forge_trust_validator/main.tf | 2 +- .../github_actions_job_logs/job_log_archiver.tf | 2 +- .../job_log_dispatcher.tf | 2 +- .../github_app_runner_group/main.tf | 2 +- .../forge_runners/github_global_lock/main.tf | 2 +- .../forge_runners/redrive_deadletter/main.tf | 2 +- 23 files changed, 34 insertions(+), 34 deletions(-) diff --git a/.docker/forge-github-app-register/Dockerfile b/.docker/forge-github-app-register/Dockerfile index 3351f885..c57bdc4a 100644 --- a/.docker/forge-github-app-register/Dockerfile +++ b/.docker/forge-github-app-register/Dockerfile @@ -1,4 +1,4 @@ -FROM python:3.14-slim@sha256:fd2aff39e5a3ed23098108786a9966fb036fdeeedd487d5360e466bb2a84377b +FROM python:3.14-slim@sha256:9b81fe9acff79e61affb44aaf3b6ff234392e8ca477cb86c9f7fd11732ce9b6a RUN useradd --create-home appuser WORKDIR /home/appuser diff --git a/.docker/pre-commit/Dockerfile b/.docker/pre-commit/Dockerfile index c4b169d0..90e6da84 100644 --- a/.docker/pre-commit/Dockerfile +++ b/.docker/pre-commit/Dockerfile @@ -1,4 +1,4 @@ -FROM ubuntu:24.04@sha256:c35e29c9450151419d9448b0fd75374fec4fff364a27f176fb458d472dfc9e54 AS build +FROM ubuntu:24.04@sha256:cd1dba651b3080c3686ecf4e3c4220f026b521fb76978881737d24f200828b2b AS build WORKDIR /opt/build @@ -78,7 +78,7 @@ RUN set -eux; \ chmod 755 /usr/local/bin/terraform-docs # renovate: datasource=github-releases depName=gruntwork-io/terragrunt registryUrl=https://github.com/ -ARG TERRAGRUNT_VERSION="0.95.0" +ARG TERRAGRUNT_VERSION="0.99.1" ARG TERRAGRUNT_SRC="https://github.com/gruntwork-io/terragrunt/releases/download/v${TERRAGRUNT_VERSION}/terragrunt_linux_amd64" ARG TERRAGRUNT_ARTIFACT="terragrunt" RUN set -eux; \ @@ -104,7 +104,7 @@ RUN set -eux; \ unzip -o ${TOFU_ARTIFACT} -d /usr/local/bin/; \ chmod 755 /usr/local/bin/tofu -FROM ubuntu:24.04@sha256:c35e29c9450151419d9448b0fd75374fec4fff364a27f176fb458d472dfc9e54 AS final +FROM ubuntu:24.04@sha256:cd1dba651b3080c3686ecf4e3c4220f026b521fb76978881737d24f200828b2b AS final ENV DEBIAN_FRONTEND=noninteractive diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index f8828265..1e72831d 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -83,7 +83,7 @@ repos: # Commit Message Hooks # --------------------- - repo: https://github.com/commitizen-tools/commitizen - rev: v4.10.1 + rev: v4.13.0 hooks: - id: commitizen name: Git · Validate commit message @@ -104,7 +104,7 @@ repos: exclude: (build/ansible/) - repo: https://github.com/adrienverge/yamllint - rev: v1.37.1 + rev: v1.38.0 hooks: - id: yamllint name: YAML · Linter @@ -144,7 +144,7 @@ repos: # Makefile Hooks # --------------------- - repo: https://github.com/mrtazz/checkmake.git - rev: 0.2.2 + rev: v0.3.2 hooks: - id: checkmake name: Makefile · Lint Makefile @@ -159,7 +159,7 @@ repos: name: Python · autopep8 - repo: https://github.com/PyCQA/isort - rev: 6.1.0 + rev: 7.0.0 hooks: - id: isort name: Python · Import sorter @@ -196,7 +196,7 @@ repos: # JSON Schema Hooks # --------------------- - repo: https://github.com/python-jsonschema/check-jsonschema - rev: 0.35.0 + rev: 0.36.1 hooks: - id: check-github-workflows name: JSON Schema · GitHub workflows @@ -230,7 +230,7 @@ repos: always_run: true - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.104.0 + rev: v1.105.0 hooks: - id: terraform_fmt name: Terraform · Formatter @@ -266,7 +266,7 @@ repos: # Ansible Hooks # --------------------- - repo: https://github.com/ansible-community/ansible-lint.git - rev: v25.12.1 + rev: v26.1.1 hooks: - id: ansible-lint name: Ansible · Linter @@ -277,7 +277,7 @@ repos: # Markdown Hooks # --------------------- - repo: https://github.com/hukkin/mdformat - rev: 0.7.22 + rev: 1.0.0 hooks: - id: mdformat name: Markdown · Format markdown diff --git a/modules/infra/eks/eks.tf b/modules/infra/eks/eks.tf index 4501077d..87cd87cb 100644 --- a/modules/infra/eks/eks.tf +++ b/modules/infra/eks/eks.tf @@ -1,6 +1,6 @@ module "ebs_csi_irsa_role" { source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts" - version = "6.2.3" + version = "6.4.0" name = "${var.cluster_name}-${var.aws_region}-ebs-csi" use_name_prefix = false @@ -17,7 +17,7 @@ module "ebs_csi_irsa_role" { module "eks" { source = "terraform-aws-modules/eks/aws" - version = "21.10.1" + version = "21.15.1" name = var.cluster_name kubernetes_version = var.cluster_version diff --git a/modules/infra/eks/karpenter.tf b/modules/infra/eks/karpenter.tf index acca9ee3..fdd8a6f3 100644 --- a/modules/infra/eks/karpenter.tf +++ b/modules/infra/eks/karpenter.tf @@ -1,6 +1,6 @@ module "karpenter" { source = "terraform-aws-modules/eks/aws//modules/karpenter" - version = "21.10.1" + version = "21.15.1" namespace = "karpenter" cluster_name = var.cluster_name diff --git a/modules/infra/eks/nodes.tf b/modules/infra/eks/nodes.tf index 4abf7517..32e93db2 100644 --- a/modules/infra/eks/nodes.tf +++ b/modules/infra/eks/nodes.tf @@ -9,7 +9,7 @@ data "aws_ami" "eks_default" { } module "self_managed_node_group" { source = "terraform-aws-modules/eks/aws//modules/self-managed-node-group" - version = "21.10.1" + version = "21.15.1" name = var.cluster_name cluster_name = var.cluster_name diff --git a/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/lambda.tf b/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/lambda.tf index 6a244cf8..804039eb 100644 --- a/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/lambda.tf +++ b/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/lambda.tf @@ -7,7 +7,7 @@ resource "aws_cloudwatch_log_group" "webex" { module "webex" { source = "terraform-aws-modules/lambda/aws" - version = "8.1.2" + version = "8.4.0" function_name = "webex-webhook-relay-destination-receiver" handler = "handler.lambda_handler" diff --git a/modules/integrations/github_webhook_relay_source/lambda.tf b/modules/integrations/github_webhook_relay_source/lambda.tf index 82cad234..fa3a0688 100644 --- a/modules/integrations/github_webhook_relay_source/lambda.tf +++ b/modules/integrations/github_webhook_relay_source/lambda.tf @@ -1,6 +1,6 @@ module "validate_signature_lambda" { source = "terraform-aws-modules/lambda/aws" - version = "8.1.2" + version = "8.4.0" function_name = "${var.name_prefix}-validate-signature" handler = "validate_signature.lambda_handler" diff --git a/modules/integrations/splunk_aws_billing/billing_per_resource.tf b/modules/integrations/splunk_aws_billing/billing_per_resource.tf index 3a1bdc6f..bcb24366 100644 --- a/modules/integrations/splunk_aws_billing/billing_per_resource.tf +++ b/modules/integrations/splunk_aws_billing/billing_per_resource.tf @@ -4,7 +4,7 @@ locals { module "cur_per_resource" { source = "terraform-aws-modules/lambda/aws" - version = "8.1.2" + version = "8.4.0" function_name = local.cur_per_resource_lambda_name description = "Processes AWS Billing CUR reports per resource and sends data to Splunk" diff --git a/modules/integrations/splunk_aws_billing/billing_per_resource_process.tf b/modules/integrations/splunk_aws_billing/billing_per_resource_process.tf index 59bb764f..91bc7a9f 100644 --- a/modules/integrations/splunk_aws_billing/billing_per_resource_process.tf +++ b/modules/integrations/splunk_aws_billing/billing_per_resource_process.tf @@ -4,7 +4,7 @@ locals { module "cur_per_resource_process" { source = "terraform-aws-modules/lambda/aws" - version = "8.1.2" + version = "8.4.0" function_name = local.cur_per_resource_process_lambda_name description = "Processes AWS billing data and sends to Splunk" diff --git a/modules/integrations/splunk_aws_billing/billing_per_service.tf b/modules/integrations/splunk_aws_billing/billing_per_service.tf index d0d7a35f..9d7ba036 100644 --- a/modules/integrations/splunk_aws_billing/billing_per_service.tf +++ b/modules/integrations/splunk_aws_billing/billing_per_service.tf @@ -4,7 +4,7 @@ locals { module "cur_per_service" { source = "terraform-aws-modules/lambda/aws" - version = "8.1.2" + version = "8.4.0" function_name = local.cur_per_service_lambda_name description = "Processes AWS Billing CUR reports per service and sends data to Splunk" diff --git a/modules/integrations/splunk_cloud_data_manager/sec_meta_ec2_tags/main.tf b/modules/integrations/splunk_cloud_data_manager/sec_meta_ec2_tags/main.tf index 1e80c58c..6d21921b 100644 --- a/modules/integrations/splunk_cloud_data_manager/sec_meta_ec2_tags/main.tf +++ b/modules/integrations/splunk_cloud_data_manager/sec_meta_ec2_tags/main.tf @@ -1,6 +1,6 @@ module "splunk_dm_metadata_ec2inst_pattern_tags_lambda" { source = "terraform-aws-modules/lambda/aws" - version = "8.1.2" + version = "8.4.0" role_name = "SplunkDMMetadataEC2InstPatternTags-${var.region}" diff --git a/modules/integrations/splunk_cloud_s3_runner_logs/lambda.tf b/modules/integrations/splunk_cloud_s3_runner_logs/lambda.tf index 6415ad4d..b251e361 100644 --- a/modules/integrations/splunk_cloud_s3_runner_logs/lambda.tf +++ b/modules/integrations/splunk_cloud_s3_runner_logs/lambda.tf @@ -4,7 +4,7 @@ locals { module "splunk_s3_runner_logs_lambda" { source = "terraform-aws-modules/lambda/aws" - version = "8.1.2" + version = "8.4.0" function_name = "${local.prefix_lambda}-lambda-${var.aws_region}" handler = "splunk_s3_runner_logs.lambda_handler" diff --git a/modules/integrations/splunk_otel_eks/otel.tf b/modules/integrations/splunk_otel_eks/otel.tf index 6a58b33a..e019defa 100644 --- a/modules/integrations/splunk_otel_eks/otel.tf +++ b/modules/integrations/splunk_otel_eks/otel.tf @@ -2,7 +2,7 @@ resource "helm_release" "splunk_otel_collector" { name = "splunk-otel-collector" repository = "https://signalfx.github.io/splunk-otel-collector-chart" chart = "splunk-otel-collector" - version = "0.141.0" + version = "0.143.0" namespace = "splunk-otel-collector" create_namespace = true diff --git a/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/main.tf b/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/main.tf index da783661..ea371f85 100644 --- a/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/main.tf +++ b/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/main.tf @@ -1,6 +1,6 @@ module "ec2_update_runner_ssm_ami_lambda" { source = "terraform-aws-modules/lambda/aws" - version = "8.1.2" + version = "8.4.0" function_name = "${var.prefix}-ec2-update-runner-ssm-ami" handler = "ec2_update_runner_ssm_ami.lambda_handler" diff --git a/modules/platform/ec2_deployment/ec2_update_runner_tags/main.tf b/modules/platform/ec2_deployment/ec2_update_runner_tags/main.tf index 8984950b..50cf1dfc 100644 --- a/modules/platform/ec2_deployment/ec2_update_runner_tags/main.tf +++ b/modules/platform/ec2_deployment/ec2_update_runner_tags/main.tf @@ -1,6 +1,6 @@ module "ec2_update_runner_tags_lambda" { source = "terraform-aws-modules/lambda/aws" - version = "8.1.2" + version = "8.4.0" function_name = "${var.prefix}-ec2-update-runner-tags" handler = "ec2_update_runner_tags.lambda_handler" diff --git a/modules/platform/ec2_deployment/main.tf b/modules/platform/ec2_deployment/main.tf index 63da1076..c5008ce0 100644 --- a/modules/platform/ec2_deployment/main.tf +++ b/modules/platform/ec2_deployment/main.tf @@ -35,11 +35,11 @@ data "aws_subnet" "runner_subnet" { } data "external" "download_lambdas" { - program = ["bash", "${path.module}/scripts/download_lambdas.sh", "/tmp/${var.runner_configs.prefix}/", "v7.0.0"] + program = ["bash", "${path.module}/scripts/download_lambdas.sh", "/tmp/${var.runner_configs.prefix}/", "v7.3.0"] } module "runners" { - source = "git::https://github.com/github-aws-runners/terraform-aws-github-runner.git//modules/multi-runner?ref=v7.0.0" + source = "git::https://github.com/github-aws-runners/terraform-aws-github-runner.git//modules/multi-runner?ref=v7.3.0" aws_region = var.aws_region diff --git a/modules/platform/forge_runners/forge_trust_validator/main.tf b/modules/platform/forge_runners/forge_trust_validator/main.tf index d372c59a..8e0a3fa8 100644 --- a/modules/platform/forge_runners/forge_trust_validator/main.tf +++ b/modules/platform/forge_runners/forge_trust_validator/main.tf @@ -1,6 +1,6 @@ module "forge_trust_validator_lambda" { source = "terraform-aws-modules/lambda/aws" - version = "8.1.2" + version = "8.4.0" function_name = "${var.prefix}-forge-trust-validator" handler = "forge_trust_validator.lambda_handler" diff --git a/modules/platform/forge_runners/github_actions_job_logs/job_log_archiver.tf b/modules/platform/forge_runners/github_actions_job_logs/job_log_archiver.tf index f2793e7e..8b854480 100644 --- a/modules/platform/forge_runners/github_actions_job_logs/job_log_archiver.tf +++ b/modules/platform/forge_runners/github_actions_job_logs/job_log_archiver.tf @@ -5,7 +5,7 @@ locals { module "job_log_archiver" { source = "terraform-aws-modules/lambda/aws" - version = "8.1.2" + version = "8.4.0" function_name = local.resource_name_archiver handler = "job_log_archiver.lambda_handler" diff --git a/modules/platform/forge_runners/github_actions_job_logs/job_log_dispatcher.tf b/modules/platform/forge_runners/github_actions_job_logs/job_log_dispatcher.tf index bdb85959..ef7c4d11 100644 --- a/modules/platform/forge_runners/github_actions_job_logs/job_log_dispatcher.tf +++ b/modules/platform/forge_runners/github_actions_job_logs/job_log_dispatcher.tf @@ -4,7 +4,7 @@ locals { module "job_log_dispatcher" { source = "terraform-aws-modules/lambda/aws" - version = "8.1.2" + version = "8.4.0" function_name = local.resource_name_dispatcher handler = "job_log_dispatcher.lambda_handler" diff --git a/modules/platform/forge_runners/github_app_runner_group/main.tf b/modules/platform/forge_runners/github_app_runner_group/main.tf index e304db9f..0d408db2 100644 --- a/modules/platform/forge_runners/github_app_runner_group/main.tf +++ b/modules/platform/forge_runners/github_app_runner_group/main.tf @@ -1,6 +1,6 @@ module "register_github_app_runner_group_lambda" { source = "terraform-aws-modules/lambda/aws" - version = "8.1.2" + version = "8.4.0" function_name = "${var.prefix}-register-github-app-runner-group" handler = "github_app_runner_group.lambda_handler" diff --git a/modules/platform/forge_runners/github_global_lock/main.tf b/modules/platform/forge_runners/github_global_lock/main.tf index 1cb1933f..b13e8bf2 100644 --- a/modules/platform/forge_runners/github_global_lock/main.tf +++ b/modules/platform/forge_runners/github_global_lock/main.tf @@ -70,7 +70,7 @@ resource "aws_iam_policy" "dynamodb_policy" { ## GitHub Clean Global Lock Lambda module "clean_global_lock_lambda" { source = "terraform-aws-modules/lambda/aws" - version = "8.1.2" + version = "8.4.0" function_name = "${var.prefix}-clean-global-lock" handler = "github_clean_global_lock.lambda_handler" diff --git a/modules/platform/forge_runners/redrive_deadletter/main.tf b/modules/platform/forge_runners/redrive_deadletter/main.tf index 3be372d9..b75b7fda 100644 --- a/modules/platform/forge_runners/redrive_deadletter/main.tf +++ b/modules/platform/forge_runners/redrive_deadletter/main.tf @@ -1,6 +1,6 @@ module "redrive_deadletter_lambda" { source = "terraform-aws-modules/lambda/aws" - version = "8.1.2" + version = "8.4.0" function_name = "${var.prefix}-redrive-deadletter" handler = "redrive_deadletter.lambda_handler" From 1974d0b2a8702a0b190d70d2b42a4ee7a32f560a Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Thu, 5 Feb 2026 12:28:26 +0100 Subject: [PATCH 64/85] fix: prevent runner pod evication and use the same instance type (#274) --- docs/tenant-usage/index.md | 2 +- docs/tenant-usage/renovatebot/index.md | 4 ++-- modules/core/arc/scale_set/template_files/k8s.yml.tftpl | 3 +++ modules/infra/eks/karpenter.tf | 4 +++- modules/infra/eks/templates/node_pool.yaml.tpl | 9 ++------- 5 files changed, 11 insertions(+), 11 deletions(-) diff --git a/docs/tenant-usage/index.md b/docs/tenant-usage/index.md index 857d0cb9..b0b2f39b 100644 --- a/docs/tenant-usage/index.md +++ b/docs/tenant-usage/index.md @@ -56,7 +56,7 @@ jobs: runs-on: - self-hosted - x64 - - type: standard + - type:standard ``` For Kubernetes pods, use: diff --git a/docs/tenant-usage/renovatebot/index.md b/docs/tenant-usage/renovatebot/index.md index 75f69910..78ebbec6 100644 --- a/docs/tenant-usage/renovatebot/index.md +++ b/docs/tenant-usage/renovatebot/index.md @@ -36,8 +36,8 @@ jobs: runs-on: - self-hosted - x64 - - type: large - - env: ops-prod + - type:large + - env:ops-prod steps: - name: Checkout Repository diff --git a/modules/core/arc/scale_set/template_files/k8s.yml.tftpl b/modules/core/arc/scale_set/template_files/k8s.yml.tftpl index dbad4be2..1a2d4be6 100644 --- a/modules/core/arc/scale_set/template_files/k8s.yml.tftpl +++ b/modules/core/arc/scale_set/template_files/k8s.yml.tftpl @@ -20,6 +20,9 @@ containerMode: # with containerMode.type=kubernetes, we will populate the template.spec with following pod spec template: + metadata: + annotations: + karpenter.sh/do-not-evict: "true" spec: securityContext: fsGroup: 123 diff --git a/modules/infra/eks/karpenter.tf b/modules/infra/eks/karpenter.tf index fdd8a6f3..50ffa55b 100644 --- a/modules/infra/eks/karpenter.tf +++ b/modules/infra/eks/karpenter.tf @@ -98,7 +98,9 @@ locals { disk_throughput = var.cluster_volume.throughput }) - node_pool_manifest = templatefile("${path.module}/templates/node_pool.yaml.tpl", {}) + node_pool_manifest = templatefile("${path.module}/templates/node_pool.yaml.tpl", { + instance_type = var.cluster_size.instance_type + }) } resource "null_resource" "apply_ec2_node_class" { diff --git a/modules/infra/eks/templates/node_pool.yaml.tpl b/modules/infra/eks/templates/node_pool.yaml.tpl index 0b73649a..c650d17a 100644 --- a/modules/infra/eks/templates/node_pool.yaml.tpl +++ b/modules/infra/eks/templates/node_pool.yaml.tpl @@ -6,15 +6,10 @@ spec: template: spec: requirements: - - key: karpenter.k8s.aws/instance-family + - key: node.kubernetes.io/instance-type operator: In values: - - m6i - - m5 - - c6i - - c5 - - r6i - - r5 + - ${instance_type} - key: kubernetes.io/arch operator: In values: ["amd64"] From 1766e2e4d4f4f94689457d1d1b5cc71140cb033a Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Thu, 5 Feb 2026 16:07:35 +0100 Subject: [PATCH 65/85] feat: add support for macos (#265) * test: use my personal fork * feat: add custom scale errors * feat: wire custom_scale_errors * feat: add more options for placement * feat: add user data for osx * fix: fix interpolation * feat: add permission ec2:DescribeHosts * fix: fix wrong type for host_resource_group_arn * fix: remove non-compatible script * test: disable user_data_osx.tftpl * feat: add license_specification * fix: use list of license * fix: rename variable * fix: fix user data * feat: add windows support * test: use new user-data * fix: add cd in scripts * fix: add transcript * feat: use new branch * fix: fix typo in outputs * fix: trigger gh app update when github app setting has changed * chore: update ec2 lambda versions * feat: add support to tag karpenter nodes * fix: fix missing paramter in template * fix: add missing annotation * chore: update philips labs module * feat: use input to tag ssm * chore: upgrade arc * fix: use toleration and affinity * fix: rollback splunk_otel_collector * fix: undo affinity * fix: use affinity --- .../vpcs/sl/tenants/acme/runner_settings.hcl | 2 + .../tenant/tenant/runner_settings.hcl | 2 + modules/core/arc/karpenter.tf | 8 +- .../scale_set/template_files/dind.yml.tftpl | 7 ++ .../scale_set/template_files/k8s.yml.tftpl | 11 ++- modules/infra/eks/karpenter.tf | 1 + .../eks/templates/ec2_node_class.yaml.tpl | 1 + modules/infra/forge_subscription/policies.tf | 1 + modules/integrations/splunk_otel_eks/otel.tf | 2 +- modules/platform/arc_deployment/main.tf | 2 +- modules/platform/ec2_deployment/main.tf | 81 +++++++++++-------- ...{user_data.tftpl => user_data_linux.tftpl} | 0 .../template_files/user_data_osx.tftpl | 27 +++++++ .../template_files/user_data_windows.tftpl | 23 ++++++ modules/platform/ec2_deployment/variables.tf | 16 +++- modules/platform/forge_runners/ec2_runners.tf | 1 + modules/platform/forge_runners/locals.tf | 2 +- .../platform/forge_runners/update_gh_app.tf | 14 ++-- modules/platform/forge_runners/variables.tf | 16 +++- 19 files changed, 173 insertions(+), 44 deletions(-) rename modules/platform/ec2_deployment/template_files/{user_data.tftpl => user_data_linux.tftpl} (100%) create mode 100644 modules/platform/ec2_deployment/template_files/user_data_osx.tftpl create mode 100644 modules/platform/ec2_deployment/template_files/user_data_windows.tftpl diff --git a/examples/deployments/forge-tenant/terragrunt/environments/prod/regions/eu-west-1/vpcs/sl/tenants/acme/runner_settings.hcl b/examples/deployments/forge-tenant/terragrunt/environments/prod/regions/eu-west-1/vpcs/sl/tenants/acme/runner_settings.hcl index 0f94caa2..e896a0c2 100644 --- a/examples/deployments/forge-tenant/terragrunt/environments/prod/regions/eu-west-1/vpcs/sl/tenants/acme/runner_settings.hcl +++ b/examples/deployments/forge-tenant/terragrunt/environments/prod/regions/eu-west-1/vpcs/sl/tenants/acme/runner_settings.hcl @@ -88,6 +88,8 @@ locals { min_run_time = 30 max_instances = spec.max_instances instance_types = spec.instance_types + placement = try(spec.placement, null) + license_specifications = try(spec.license_specifications, null) block_device_mappings = [{ delete_on_termination = true device_name = spec.volume.device_name diff --git a/examples/templates/tenant/tenant/runner_settings.hcl b/examples/templates/tenant/tenant/runner_settings.hcl index 0f94caa2..e896a0c2 100644 --- a/examples/templates/tenant/tenant/runner_settings.hcl +++ b/examples/templates/tenant/tenant/runner_settings.hcl @@ -88,6 +88,8 @@ locals { min_run_time = 30 max_instances = spec.max_instances instance_types = spec.instance_types + placement = try(spec.placement, null) + license_specifications = try(spec.license_specifications, null) block_device_mappings = [{ delete_on_termination = true device_name = spec.volume.device_name diff --git a/modules/core/arc/karpenter.tf b/modules/core/arc/karpenter.tf index d8329151..62ef5fbe 100644 --- a/modules/core/arc/karpenter.tf +++ b/modules/core/arc/karpenter.tf @@ -4,6 +4,12 @@ locals { }) kubeconfig_path = "${path.cwd}/.kube/${var.eks_cluster_name}-${var.aws_profile}-${var.aws_region}-${var.controller_config.namespace}.kubeconfig" + + merged_tags = merge( + var.tags, + { + Name = "${var.eks_cluster_name}-karpenter-${var.controller_config.namespace}-node" + }) } data "external" "update_kubeconfig" { @@ -51,7 +57,7 @@ data "external" "karpenter_ec2nodeclass" { ) ' - \ | yq eval -o=json - \ - | jq --argjson newtags '${jsonencode(var.tags)}' --arg newname "karpenter-${var.controller_config.namespace}" ' + | jq --argjson newtags '${jsonencode(local.merged_tags)}' --arg newname "karpenter-${var.controller_config.namespace}" ' .spec.tags = (.spec.tags // {}) | .spec.tags *= $newtags | .metadata.name = $newname diff --git a/modules/core/arc/scale_set/template_files/dind.yml.tftpl b/modules/core/arc/scale_set/template_files/dind.yml.tftpl index 5543bfbe..d2439179 100644 --- a/modules/core/arc/scale_set/template_files/dind.yml.tftpl +++ b/modules/core/arc/scale_set/template_files/dind.yml.tftpl @@ -7,6 +7,9 @@ runnerGroup: "${runner_group_name}" runnerScaleSetName: "${scale_set_name}" template: + metadata: + annotations: + karpenter.sh/do-not-disrupt: "true" spec: serviceAccountName: ${service_account} automountServiceAccountToken: true @@ -252,6 +255,7 @@ template: audience: sts.amazonaws.com tolerations: + # tenant tolerations - key: "forge.local/scale_set_type" operator: "Equal" value: "dind" @@ -266,6 +270,7 @@ template: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: + # tenant affinity - key: forge.local/scale_set_type operator: In values: @@ -274,6 +279,8 @@ template: operator: In values: - ${tenant} + - key: "karpenter.sh/disrupted" + operator: DoesNotExist controllerServiceAccount: namespace: ${controller_namespace} diff --git a/modules/core/arc/scale_set/template_files/k8s.yml.tftpl b/modules/core/arc/scale_set/template_files/k8s.yml.tftpl index 1a2d4be6..2416448d 100644 --- a/modules/core/arc/scale_set/template_files/k8s.yml.tftpl +++ b/modules/core/arc/scale_set/template_files/k8s.yml.tftpl @@ -22,7 +22,7 @@ containerMode: template: metadata: annotations: - karpenter.sh/do-not-evict: "true" + karpenter.sh/do-not-disrupt: "true" spec: securityContext: fsGroup: 123 @@ -136,6 +136,15 @@ template: configMap: name: hook-pre-post-job-${scale_set_name} + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + # karpenter affinity + - key: "karpenter.sh/disrupted" + operator: DoesNotExist + controllerServiceAccount: namespace: ${controller_namespace} name: ${controller_service_account} diff --git a/modules/infra/eks/karpenter.tf b/modules/infra/eks/karpenter.tf index 50ffa55b..3dd8ac95 100644 --- a/modules/infra/eks/karpenter.tf +++ b/modules/infra/eks/karpenter.tf @@ -96,6 +96,7 @@ locals { disk_type = var.cluster_volume.type disk_iops = var.cluster_volume.iops disk_throughput = var.cluster_volume.throughput + cluster_name = var.cluster_name }) node_pool_manifest = templatefile("${path.module}/templates/node_pool.yaml.tpl", { diff --git a/modules/infra/eks/templates/ec2_node_class.yaml.tpl b/modules/infra/eks/templates/ec2_node_class.yaml.tpl index 0c53f68d..076421ca 100644 --- a/modules/infra/eks/templates/ec2_node_class.yaml.tpl +++ b/modules/infra/eks/templates/ec2_node_class.yaml.tpl @@ -29,3 +29,4 @@ spec: %{ for k, v in tags } ${k}: '${v}' %{ endfor } + Name: '${cluster_name}-karpenter-shared-node' diff --git a/modules/infra/forge_subscription/policies.tf b/modules/infra/forge_subscription/policies.tf index a7251036..aa1252ce 100644 --- a/modules/infra/forge_subscription/policies.tf +++ b/modules/infra/forge_subscription/policies.tf @@ -59,6 +59,7 @@ data "aws_iam_policy_document" "packer_support_for_forge_runners" { "ec2:DeleteSnapshot", "ec2:DeleteVolume", "ec2:DeregisterImage", + "ec2:DescribeHosts", "ec2:DescribeImageAttribute", "ec2:DescribeImages", "ec2:DescribeInstanceStatus", diff --git a/modules/integrations/splunk_otel_eks/otel.tf b/modules/integrations/splunk_otel_eks/otel.tf index e019defa..6a58b33a 100644 --- a/modules/integrations/splunk_otel_eks/otel.tf +++ b/modules/integrations/splunk_otel_eks/otel.tf @@ -2,7 +2,7 @@ resource "helm_release" "splunk_otel_collector" { name = "splunk-otel-collector" repository = "https://signalfx.github.io/splunk-otel-collector-chart" chart = "splunk-otel-collector" - version = "0.143.0" + version = "0.141.0" namespace = "splunk-otel-collector" create_namespace = true diff --git a/modules/platform/arc_deployment/main.tf b/modules/platform/arc_deployment/main.tf index 74e00565..870d634b 100644 --- a/modules/platform/arc_deployment/main.tf +++ b/modules/platform/arc_deployment/main.tf @@ -50,7 +50,7 @@ module "arc" { release_name = var.runner_configs.prefix namespace = var.tenant_configs.name chart_name = "oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set-controller" - chart_version = "0.13.0" + chart_version = "0.13.1" name = "${var.runner_configs.prefix}-gha-rs-controller" } diff --git a/modules/platform/ec2_deployment/main.tf b/modules/platform/ec2_deployment/main.tf index c5008ce0..3aa8402b 100644 --- a/modules/platform/ec2_deployment/main.tf +++ b/modules/platform/ec2_deployment/main.tf @@ -2,7 +2,6 @@ locals { # Templatized userdata (cloud-init) file. user_data_prefix = "${path.module}/template_files" userdata_template_post_install = "${local.user_data_prefix}/post_install.tftpl" - user_data_template_runner = "${local.user_data_prefix}/user_data.tftpl" runner_template_hook_job_started = "${local.user_data_prefix}/hook_job_started.tftpl" runner_template_hook_job_completed = "${local.user_data_prefix}/hook_job_completed.tftpl" @@ -35,11 +34,12 @@ data "aws_subnet" "runner_subnet" { } data "external" "download_lambdas" { - program = ["bash", "${path.module}/scripts/download_lambdas.sh", "/tmp/${var.runner_configs.prefix}/", "v7.3.0"] + program = ["bash", "${path.module}/scripts/download_lambdas.sh", "/tmp/${var.runner_configs.prefix}/", "v7.4.0"] } + module "runners" { - source = "git::https://github.com/github-aws-runners/terraform-aws-github-runner.git//modules/multi-runner?ref=v7.3.0" + source = "git::https://github.com/edersonbrilhante/terraform-aws-github-runner.git//modules/multi-runner?ref=feat-macos-support" aws_region = var.aws_region @@ -58,8 +58,9 @@ module "runners" { enable = true } - lambda_tags = var.tenant_configs.tags - tags = var.tenant_configs.tags + lambda_tags = var.tenant_configs.tags + tags = var.tenant_configs.tags + parameter_store_tags = var.tenant_configs.tags # Verbose logging. log_level = var.runner_configs.log_level @@ -116,7 +117,8 @@ module "runners" { runner_group_name = var.runner_configs.runner_group_name enable_runner_binaries_syncer = false enable_userdata = val["enable_userdata"] - userdata_template = local.user_data_template_runner + scale_errors = var.runner_configs.scale_errors + userdata_template = "${local.user_data_prefix}/user_data_${val["runner_os"]}.tftpl" userdata_pre_install = "# No pre-install steps." userdata_post_install = templatefile( local.userdata_template_post_install, @@ -130,33 +132,46 @@ module "runners" { enable_runner_detailed_monitoring = true runner_run_as = val["runner_user"] block_device_mappings = val["block_device_mappings"] + license_specifications = val["license_specifications"] placement = val["placement"] - runner_log_files = [ - { - "log_group_name" : "forge-logs", - "prefix_log_group" : true, - "file_path" : "/var/log/syslog", - "log_stream_name" : "{instance_id}/syslog" - }, - { - "log_group_name" : "forge-logs", - "prefix_log_group" : true, - "file_path" : "/var/log/user-data.log", - "log_stream_name" : "{instance_id}/user-data" - }, - { - "log_group_name" : "forge-logs", - "prefix_log_group" : true, - "file_path" : "/opt/actions-runner/_diag/Runner_**.log", - "log_stream_name" : "{instance_id}/runner" - }, - { - "log_group_name" : "forge-logs", - "prefix_log_group" : true, - "file_path" : "/home/${val["runner_user"]}/hook.log", - "log_stream_name" : "{instance_id}/hook" - }, - ] + runner_log_files = concat( + // Linux/macOS-only logs + val["runner_os"] == "windows" ? [] : [ + { + "log_group_name" : "forge-logs", + "prefix_log_group" : true, + "file_path" : "/var/log/syslog", + "log_stream_name" : "{instance_id}/syslog" + }, + { + "log_group_name" : "forge-logs", + "prefix_log_group" : true, + "file_path" : "/home/${val["runner_user"]}/hook.log", + "log_stream_name" : "{instance_id}/hook" + }, + { + "log_group_name" : "forge-logs", + "prefix_log_group" : true, + "file_path" : "/home/${val["runner_user"]}/hook.log", + "log_stream_name" : "{instance_id}/hook" + }, + ], + // Logs that exist on all OSes, with OS-specific paths + [ + { + "log_group_name" : "forge-logs", + "prefix_log_group" : true, + "file_path" : val["runner_os"] == "windows" ? "C:/UserData.log" : "/var/log/user-data.log", + "log_stream_name" : "{instance_id}/user-data" + }, + { + "log_group_name" : "forge-logs", + "prefix_log_group" : true, + "file_path" : val["runner_os"] == "windows" ? "C:/actions-runner/_diag/Runner_*.log" : "/opt/actions-runner/_diag/Runner_**.log", + "log_stream_name" : "{instance_id}/runner" + }, + ], + ) ami = { owners = val["ami_owners"] filter = val["ami_filter"] @@ -170,6 +185,8 @@ module "runners" { aws_iam_policy.ec2_tags.arn, ] ) + vpc_id = val["vpc_id"] + subnet_ids = val["subnet_ids"] enable_ephemeral_runners = true create_service_linked_role_spot = true enable_organization_runners = true diff --git a/modules/platform/ec2_deployment/template_files/user_data.tftpl b/modules/platform/ec2_deployment/template_files/user_data_linux.tftpl similarity index 100% rename from modules/platform/ec2_deployment/template_files/user_data.tftpl rename to modules/platform/ec2_deployment/template_files/user_data_linux.tftpl diff --git a/modules/platform/ec2_deployment/template_files/user_data_osx.tftpl b/modules/platform/ec2_deployment/template_files/user_data_osx.tftpl new file mode 100644 index 00000000..84f97620 --- /dev/null +++ b/modules/platform/ec2_deployment/template_files/user_data_osx.tftpl @@ -0,0 +1,27 @@ +#!/bin/bash + +set +x +%{ if enable_debug_logging } +set -x +%{ endif } + +# Just a dummy value (user-supplied string; does nothing). +${pre_install} + +# Set defaults for macOS EC2 instances. +# Default user on EC2 macOS AMIs is typically "ec2-user". +user_name=ec2-user + +touch .env +chmod 0644 .env + +grep -q "^PATH=" .env || echo "PATH=$PATH" >> .env + +# Configure CloudWatch logging agent if installed and configured for macOS. +if command -v /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl >/dev/null 2>&1; then + /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -s -c ssm:${ssm_key_cloudwatch_agent_config} || true +fi + +cd /opt/actions-runner + +${start_runner} diff --git a/modules/platform/ec2_deployment/template_files/user_data_windows.tftpl b/modules/platform/ec2_deployment/template_files/user_data_windows.tftpl new file mode 100644 index 00000000..0cc35b11 --- /dev/null +++ b/modules/platform/ec2_deployment/template_files/user_data_windows.tftpl @@ -0,0 +1,23 @@ + + +$logPath = 'C:\UserData.log' + +Start-Transcript -Path $logPath -Append + +$ssm = Get-Service AmazonSSMAgent -ErrorAction SilentlyContinue +if ($ssm) { + Set-Service AmazonSSMAgent -StartupType Automatic + if ($ssm.Status -ne 'Running') { + Start-Service AmazonSSMAgent + } +} + +${pre_install} + +Set-Location C:\actions-runner + +${start_runner} + +Stop-Transcript + + diff --git a/modules/platform/ec2_deployment/variables.tf b/modules/platform/ec2_deployment/variables.tf index 6141acb8..3831e0f2 100644 --- a/modules/platform/ec2_deployment/variables.tf +++ b/modules/platform/ec2_deployment/variables.tf @@ -18,6 +18,7 @@ variable "runner_configs" { }) runner_iam_role_managed_policy_arns = list(string) runner_group_name = string + scale_errors = optional(list(string), []) runner_specs = map(object({ ami_filter = object({ name = list(string) @@ -32,8 +33,19 @@ variable "runner_configs" { max_instances = number min_run_time = number instance_types = list(string) + license_specifications = optional(list(object({ + license_configuration_arn = string + })), null) placement = optional(object({ - host_id = optional(string, null) + affinity = optional(string) + availability_zone = optional(string) + group_id = optional(string) + group_name = optional(string) + host_id = optional(string) + host_resource_group_arn = optional(string) + spread_domain = optional(string) + tenancy = optional(string) + partition_number = optional(number) }), null) pool_config = list(object({ size = number @@ -43,6 +55,8 @@ variable "runner_configs" { runner_user = string enable_userdata = bool instance_target_capacity_type = string + vpc_id = optional(string, null) + subnet_ids = optional(list(string), null) block_device_mappings = list(object({ delete_on_termination = bool device_name = string diff --git a/modules/platform/forge_runners/ec2_runners.tf b/modules/platform/forge_runners/ec2_runners.tf index ab3e04b0..009c0af6 100644 --- a/modules/platform/forge_runners/ec2_runners.tf +++ b/modules/platform/forge_runners/ec2_runners.tf @@ -43,6 +43,7 @@ module "ec2_runners" { webhook_secret = aws_ssm_parameter.github_app_webhook_secret.value } runner_group_name = var.deployment_config.github.runner_group_name + scale_errors = var.ec2_deployment_specs.scale_errors runner_specs = var.ec2_deployment_specs.runner_specs } } diff --git a/modules/platform/forge_runners/locals.tf b/modules/platform/forge_runners/locals.tf index 5f2d2372..e36beb2b 100644 --- a/modules/platform/forge_runners/locals.tf +++ b/modules/platform/forge_runners/locals.tf @@ -8,6 +8,6 @@ locals { ] ) - github_app_installation = "${var.deployment_config.github.ghes_url == "" ? "https://github.com" : var.deployment_config.github.ghes_url}/apps/${var.deployment_config.github_app.name}}/installations/${var.deployment_config.github_app.installation_id}" + github_app_installation = "${var.deployment_config.github.ghes_url == "" ? "https://github.com" : var.deployment_config.github.ghes_url}/apps/${var.deployment_config.github_app.name}/installations/${var.deployment_config.github_app.installation_id}" github_api = var.deployment_config.github.ghes_url == "" ? "https://api.github.com" : "https://api.${replace(var.deployment_config.github.ghes_url, "https://", "")}" } diff --git a/modules/platform/forge_runners/update_gh_app.tf b/modules/platform/forge_runners/update_gh_app.tf index 89d8135e..82945e86 100644 --- a/modules/platform/forge_runners/update_gh_app.tf +++ b/modules/platform/forge_runners/update_gh_app.tf @@ -1,10 +1,14 @@ resource "null_resource" "update_github_app_webhook" { triggers = { - ghes_org = var.deployment_config.github.ghes_org - ghes_url = var.deployment_config.github.ghes_url - webhook_url = try(module.ec2_runners[0].webhook_endpoint, "https://cisco-open.github.io/forge") - secret = aws_ssm_parameter.github_app_webhook_secret.value - secret_version = aws_ssm_parameter.github_app_webhook_secret.version + ghes_org = var.deployment_config.github.ghes_org + ghes_url = var.deployment_config.github.ghes_url + webhook_url = try(module.ec2_runners[0].webhook_endpoint, "https://cisco-open.github.io/forge") + secret = aws_ssm_parameter.github_app_webhook_secret.value + secret_version = aws_ssm_parameter.github_app_webhook_secret.version + id = var.deployment_config.github_app.id + client_id = var.deployment_config.github_app.client_id + installation_id = var.deployment_config.github_app.installation_id + name = var.deployment_config.github_app.name } provisioner "local-exec" { diff --git a/modules/platform/forge_runners/variables.tf b/modules/platform/forge_runners/variables.tf index 4c0ff0e5..21700267 100644 --- a/modules/platform/forge_runners/variables.tf +++ b/modules/platform/forge_runners/variables.tf @@ -14,6 +14,7 @@ variable "ec2_deployment_specs" { subnet_ids = list(string) lambda_vpc_id = string vpc_id = string + scale_errors = optional(list(string), []) runner_specs = map(object({ ami_filter = object({ name = list(string) @@ -28,8 +29,19 @@ variable "ec2_deployment_specs" { max_instances = number min_run_time = number instance_types = list(string) + license_specifications = optional(list(object({ + license_configuration_arn = string + })), null) placement = optional(object({ - host_id = optional(string, null) + affinity = optional(string) + availability_zone = optional(string) + group_id = optional(string) + group_name = optional(string) + host_id = optional(string) + host_resource_group_arn = optional(string) + spread_domain = optional(string) + tenancy = optional(string) + partition_number = optional(number) }), null) pool_config = list(object({ size = number @@ -39,6 +51,8 @@ variable "ec2_deployment_specs" { runner_user = string enable_userdata = bool instance_target_capacity_type = string + vpc_id = optional(string, null) + subnet_ids = optional(list(string), null) block_device_mappings = list(object({ delete_on_termination = bool device_name = string From 5257a4cd0454001a11f4911a473b0ef92591dbda Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Thu, 5 Feb 2026 16:18:18 +0100 Subject: [PATCH 66/85] fix: fix typo (#275) --- modules/core/arc/scale_set/template_files/dind.yml.tftpl | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/modules/core/arc/scale_set/template_files/dind.yml.tftpl b/modules/core/arc/scale_set/template_files/dind.yml.tftpl index d2439179..6f1c3e9c 100644 --- a/modules/core/arc/scale_set/template_files/dind.yml.tftpl +++ b/modules/core/arc/scale_set/template_files/dind.yml.tftpl @@ -279,8 +279,10 @@ template: operator: In values: - ${tenant} + + # karpenter affinity - key: "karpenter.sh/disrupted" - operator: DoesNotExist + operator: DoesNotExist controllerServiceAccount: namespace: ${controller_namespace} From 6bb3f82cad506f532a0fff7998bed5d7e71f95e4 Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Thu, 5 Feb 2026 17:02:21 +0100 Subject: [PATCH 67/85] chore: merge renovate updates (#276) * chore(deps): update terraform terraform-aws-modules/lambda/aws to v8.5.0 (#87) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update pre-commit hook commitizen-tools/commitizen to v4.13.5 (#94) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update dependency hashicorp/packer to v1.15.0 (#91) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update pre-commit hook abravalheri/validate-pyproject to v0.25 (#86) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update python:3.14-slim docker digest to fa0acdc (#95) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .docker/forge-github-app-register/Dockerfile | 2 +- .docker/pre-commit/Dockerfile | 2 +- .pre-commit-config.yaml | 4 ++-- .../webex_webhook_relay/lambda.tf | 2 +- modules/integrations/github_webhook_relay_source/lambda.tf | 2 +- .../integrations/splunk_aws_billing/billing_per_resource.tf | 2 +- .../splunk_aws_billing/billing_per_resource_process.tf | 2 +- .../integrations/splunk_aws_billing/billing_per_service.tf | 2 +- .../splunk_cloud_data_manager/sec_meta_ec2_tags/main.tf | 2 +- modules/integrations/splunk_cloud_s3_runner_logs/lambda.tf | 2 +- .../platform/ec2_deployment/ec2_update_runner_ssm_ami/main.tf | 2 +- .../platform/ec2_deployment/ec2_update_runner_tags/main.tf | 2 +- modules/platform/forge_runners/forge_trust_validator/main.tf | 2 +- .../forge_runners/github_actions_job_logs/job_log_archiver.tf | 2 +- .../github_actions_job_logs/job_log_dispatcher.tf | 2 +- .../platform/forge_runners/github_app_runner_group/main.tf | 2 +- modules/platform/forge_runners/github_global_lock/main.tf | 2 +- modules/platform/forge_runners/redrive_deadletter/main.tf | 2 +- 18 files changed, 19 insertions(+), 19 deletions(-) diff --git a/.docker/forge-github-app-register/Dockerfile b/.docker/forge-github-app-register/Dockerfile index c57bdc4a..acff303d 100644 --- a/.docker/forge-github-app-register/Dockerfile +++ b/.docker/forge-github-app-register/Dockerfile @@ -1,4 +1,4 @@ -FROM python:3.14-slim@sha256:9b81fe9acff79e61affb44aaf3b6ff234392e8ca477cb86c9f7fd11732ce9b6a +FROM python:3.14-slim@sha256:fa0acdcd760f0bf265bc2c1ee6120776c4d92a9c3a37289e17b9642ad2e5b83b RUN useradd --create-home appuser WORKDIR /home/appuser diff --git a/.docker/pre-commit/Dockerfile b/.docker/pre-commit/Dockerfile index 90e6da84..06257522 100644 --- a/.docker/pre-commit/Dockerfile +++ b/.docker/pre-commit/Dockerfile @@ -40,7 +40,7 @@ RUN set -eux; \ chmod 755 /usr/local/bin/jq # renovate: datasource=github-releases depName=hashicorp/packer registryUrl=https://github.com/ -ARG PACKER_VERSION="1.14.3" +ARG PACKER_VERSION="1.15.0" ARG PACKER_SRC="https://releases.hashicorp.com/packer/${PACKER_VERSION}/packer_${PACKER_VERSION}_linux_amd64.zip" ARG PACKER_ARTIFACT="packer.zip" RUN set -eux; \ diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 1e72831d..5750be10 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -83,7 +83,7 @@ repos: # Commit Message Hooks # --------------------- - repo: https://github.com/commitizen-tools/commitizen - rev: v4.13.0 + rev: v4.13.5 hooks: - id: commitizen name: Git · Validate commit message @@ -185,7 +185,7 @@ repos: always_run: true - repo: https://github.com/abravalheri/validate-pyproject - rev: v0.24.1 + rev: v0.25 hooks: - id: validate-pyproject name: Python · Validate pyproject.toml diff --git a/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/lambda.tf b/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/lambda.tf index 804039eb..d3ac879d 100644 --- a/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/lambda.tf +++ b/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/lambda.tf @@ -7,7 +7,7 @@ resource "aws_cloudwatch_log_group" "webex" { module "webex" { source = "terraform-aws-modules/lambda/aws" - version = "8.4.0" + version = "8.5.0" function_name = "webex-webhook-relay-destination-receiver" handler = "handler.lambda_handler" diff --git a/modules/integrations/github_webhook_relay_source/lambda.tf b/modules/integrations/github_webhook_relay_source/lambda.tf index fa3a0688..7f9a43aa 100644 --- a/modules/integrations/github_webhook_relay_source/lambda.tf +++ b/modules/integrations/github_webhook_relay_source/lambda.tf @@ -1,6 +1,6 @@ module "validate_signature_lambda" { source = "terraform-aws-modules/lambda/aws" - version = "8.4.0" + version = "8.5.0" function_name = "${var.name_prefix}-validate-signature" handler = "validate_signature.lambda_handler" diff --git a/modules/integrations/splunk_aws_billing/billing_per_resource.tf b/modules/integrations/splunk_aws_billing/billing_per_resource.tf index bcb24366..42ae011b 100644 --- a/modules/integrations/splunk_aws_billing/billing_per_resource.tf +++ b/modules/integrations/splunk_aws_billing/billing_per_resource.tf @@ -4,7 +4,7 @@ locals { module "cur_per_resource" { source = "terraform-aws-modules/lambda/aws" - version = "8.4.0" + version = "8.5.0" function_name = local.cur_per_resource_lambda_name description = "Processes AWS Billing CUR reports per resource and sends data to Splunk" diff --git a/modules/integrations/splunk_aws_billing/billing_per_resource_process.tf b/modules/integrations/splunk_aws_billing/billing_per_resource_process.tf index 91bc7a9f..9478c574 100644 --- a/modules/integrations/splunk_aws_billing/billing_per_resource_process.tf +++ b/modules/integrations/splunk_aws_billing/billing_per_resource_process.tf @@ -4,7 +4,7 @@ locals { module "cur_per_resource_process" { source = "terraform-aws-modules/lambda/aws" - version = "8.4.0" + version = "8.5.0" function_name = local.cur_per_resource_process_lambda_name description = "Processes AWS billing data and sends to Splunk" diff --git a/modules/integrations/splunk_aws_billing/billing_per_service.tf b/modules/integrations/splunk_aws_billing/billing_per_service.tf index 9d7ba036..b2203737 100644 --- a/modules/integrations/splunk_aws_billing/billing_per_service.tf +++ b/modules/integrations/splunk_aws_billing/billing_per_service.tf @@ -4,7 +4,7 @@ locals { module "cur_per_service" { source = "terraform-aws-modules/lambda/aws" - version = "8.4.0" + version = "8.5.0" function_name = local.cur_per_service_lambda_name description = "Processes AWS Billing CUR reports per service and sends data to Splunk" diff --git a/modules/integrations/splunk_cloud_data_manager/sec_meta_ec2_tags/main.tf b/modules/integrations/splunk_cloud_data_manager/sec_meta_ec2_tags/main.tf index 6d21921b..bd6ed38f 100644 --- a/modules/integrations/splunk_cloud_data_manager/sec_meta_ec2_tags/main.tf +++ b/modules/integrations/splunk_cloud_data_manager/sec_meta_ec2_tags/main.tf @@ -1,6 +1,6 @@ module "splunk_dm_metadata_ec2inst_pattern_tags_lambda" { source = "terraform-aws-modules/lambda/aws" - version = "8.4.0" + version = "8.5.0" role_name = "SplunkDMMetadataEC2InstPatternTags-${var.region}" diff --git a/modules/integrations/splunk_cloud_s3_runner_logs/lambda.tf b/modules/integrations/splunk_cloud_s3_runner_logs/lambda.tf index b251e361..bbf28fdc 100644 --- a/modules/integrations/splunk_cloud_s3_runner_logs/lambda.tf +++ b/modules/integrations/splunk_cloud_s3_runner_logs/lambda.tf @@ -4,7 +4,7 @@ locals { module "splunk_s3_runner_logs_lambda" { source = "terraform-aws-modules/lambda/aws" - version = "8.4.0" + version = "8.5.0" function_name = "${local.prefix_lambda}-lambda-${var.aws_region}" handler = "splunk_s3_runner_logs.lambda_handler" diff --git a/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/main.tf b/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/main.tf index ea371f85..ccc28f25 100644 --- a/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/main.tf +++ b/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/main.tf @@ -1,6 +1,6 @@ module "ec2_update_runner_ssm_ami_lambda" { source = "terraform-aws-modules/lambda/aws" - version = "8.4.0" + version = "8.5.0" function_name = "${var.prefix}-ec2-update-runner-ssm-ami" handler = "ec2_update_runner_ssm_ami.lambda_handler" diff --git a/modules/platform/ec2_deployment/ec2_update_runner_tags/main.tf b/modules/platform/ec2_deployment/ec2_update_runner_tags/main.tf index 50cf1dfc..3ce4cf1f 100644 --- a/modules/platform/ec2_deployment/ec2_update_runner_tags/main.tf +++ b/modules/platform/ec2_deployment/ec2_update_runner_tags/main.tf @@ -1,6 +1,6 @@ module "ec2_update_runner_tags_lambda" { source = "terraform-aws-modules/lambda/aws" - version = "8.4.0" + version = "8.5.0" function_name = "${var.prefix}-ec2-update-runner-tags" handler = "ec2_update_runner_tags.lambda_handler" diff --git a/modules/platform/forge_runners/forge_trust_validator/main.tf b/modules/platform/forge_runners/forge_trust_validator/main.tf index 8e0a3fa8..a90a51e7 100644 --- a/modules/platform/forge_runners/forge_trust_validator/main.tf +++ b/modules/platform/forge_runners/forge_trust_validator/main.tf @@ -1,6 +1,6 @@ module "forge_trust_validator_lambda" { source = "terraform-aws-modules/lambda/aws" - version = "8.4.0" + version = "8.5.0" function_name = "${var.prefix}-forge-trust-validator" handler = "forge_trust_validator.lambda_handler" diff --git a/modules/platform/forge_runners/github_actions_job_logs/job_log_archiver.tf b/modules/platform/forge_runners/github_actions_job_logs/job_log_archiver.tf index 8b854480..4c8da634 100644 --- a/modules/platform/forge_runners/github_actions_job_logs/job_log_archiver.tf +++ b/modules/platform/forge_runners/github_actions_job_logs/job_log_archiver.tf @@ -5,7 +5,7 @@ locals { module "job_log_archiver" { source = "terraform-aws-modules/lambda/aws" - version = "8.4.0" + version = "8.5.0" function_name = local.resource_name_archiver handler = "job_log_archiver.lambda_handler" diff --git a/modules/platform/forge_runners/github_actions_job_logs/job_log_dispatcher.tf b/modules/platform/forge_runners/github_actions_job_logs/job_log_dispatcher.tf index ef7c4d11..34da9fcb 100644 --- a/modules/platform/forge_runners/github_actions_job_logs/job_log_dispatcher.tf +++ b/modules/platform/forge_runners/github_actions_job_logs/job_log_dispatcher.tf @@ -4,7 +4,7 @@ locals { module "job_log_dispatcher" { source = "terraform-aws-modules/lambda/aws" - version = "8.4.0" + version = "8.5.0" function_name = local.resource_name_dispatcher handler = "job_log_dispatcher.lambda_handler" diff --git a/modules/platform/forge_runners/github_app_runner_group/main.tf b/modules/platform/forge_runners/github_app_runner_group/main.tf index 0d408db2..2c8733ba 100644 --- a/modules/platform/forge_runners/github_app_runner_group/main.tf +++ b/modules/platform/forge_runners/github_app_runner_group/main.tf @@ -1,6 +1,6 @@ module "register_github_app_runner_group_lambda" { source = "terraform-aws-modules/lambda/aws" - version = "8.4.0" + version = "8.5.0" function_name = "${var.prefix}-register-github-app-runner-group" handler = "github_app_runner_group.lambda_handler" diff --git a/modules/platform/forge_runners/github_global_lock/main.tf b/modules/platform/forge_runners/github_global_lock/main.tf index b13e8bf2..ff733512 100644 --- a/modules/platform/forge_runners/github_global_lock/main.tf +++ b/modules/platform/forge_runners/github_global_lock/main.tf @@ -70,7 +70,7 @@ resource "aws_iam_policy" "dynamodb_policy" { ## GitHub Clean Global Lock Lambda module "clean_global_lock_lambda" { source = "terraform-aws-modules/lambda/aws" - version = "8.4.0" + version = "8.5.0" function_name = "${var.prefix}-clean-global-lock" handler = "github_clean_global_lock.lambda_handler" diff --git a/modules/platform/forge_runners/redrive_deadletter/main.tf b/modules/platform/forge_runners/redrive_deadletter/main.tf index b75b7fda..214f4fc9 100644 --- a/modules/platform/forge_runners/redrive_deadletter/main.tf +++ b/modules/platform/forge_runners/redrive_deadletter/main.tf @@ -1,6 +1,6 @@ module "redrive_deadletter_lambda" { source = "terraform-aws-modules/lambda/aws" - version = "8.4.0" + version = "8.5.0" function_name = "${var.prefix}-redrive-deadletter" handler = "redrive_deadletter.lambda_handler" From 2cae797a1cf1b49aa55ea3e9329e8bcfc97ceeb7 Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Thu, 5 Feb 2026 18:02:35 +0100 Subject: [PATCH 68/85] fix: use new input structure (#277) --- scripts/migrate-tenant.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/migrate-tenant.sh b/scripts/migrate-tenant.sh index a308806c..7391960c 100755 --- a/scripts/migrate-tenant.sh +++ b/scripts/migrate-tenant.sh @@ -30,7 +30,7 @@ parse_args() { CONFIG_FILE="${TF_DIR}/config.yml" rendered=$(terragrunt render --format json --working-dir "$TF_DIR") - arc_cluster_name=$(echo "$rendered" | jq -r '.inputs.arc_cluster_name') + arc_cluster_name=$(echo "$rendered" | jq -r '.inputs.arc_deployment_specs.cluster_name') aws_profile=$(echo "$rendered" | jq -r '.inputs.aws_profile') aws_region=$(echo "$rendered" | jq -r '.inputs.aws_region') @@ -40,7 +40,7 @@ parse_args() { --alias "${arc_cluster_name}-${aws_profile}-${aws_region}" \ --profile "$aws_profile" - FROM_CTX="$arc_cluster_name" + FROM_CTX="${arc_cluster_name}-${aws_profile}-${aws_region}" } detect_clusters() { From f2f1b4b2cd104bfddbc922f836ea35d126a42a33 Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Thu, 5 Feb 2026 19:16:53 +0100 Subject: [PATCH 69/85] fix: rollback aws lambda module (#278) --- .../webex_webhook_relay/lambda.tf | 2 +- modules/integrations/github_webhook_relay_source/lambda.tf | 2 +- modules/integrations/splunk_aws_billing/billing_per_resource.tf | 2 +- .../splunk_aws_billing/billing_per_resource_process.tf | 2 +- modules/integrations/splunk_aws_billing/billing_per_service.tf | 2 +- .../splunk_cloud_data_manager/sec_meta_ec2_tags/main.tf | 2 +- modules/integrations/splunk_cloud_s3_runner_logs/lambda.tf | 2 +- .../platform/ec2_deployment/ec2_update_runner_ssm_ami/main.tf | 2 +- modules/platform/ec2_deployment/ec2_update_runner_tags/main.tf | 2 +- modules/platform/forge_runners/forge_trust_validator/main.tf | 2 +- .../forge_runners/github_actions_job_logs/job_log_archiver.tf | 2 +- .../forge_runners/github_actions_job_logs/job_log_dispatcher.tf | 2 +- modules/platform/forge_runners/github_app_runner_group/main.tf | 2 +- modules/platform/forge_runners/github_global_lock/main.tf | 2 +- modules/platform/forge_runners/redrive_deadletter/main.tf | 2 +- 15 files changed, 15 insertions(+), 15 deletions(-) diff --git a/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/lambda.tf b/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/lambda.tf index d3ac879d..6a244cf8 100644 --- a/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/lambda.tf +++ b/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/lambda.tf @@ -7,7 +7,7 @@ resource "aws_cloudwatch_log_group" "webex" { module "webex" { source = "terraform-aws-modules/lambda/aws" - version = "8.5.0" + version = "8.1.2" function_name = "webex-webhook-relay-destination-receiver" handler = "handler.lambda_handler" diff --git a/modules/integrations/github_webhook_relay_source/lambda.tf b/modules/integrations/github_webhook_relay_source/lambda.tf index 7f9a43aa..82cad234 100644 --- a/modules/integrations/github_webhook_relay_source/lambda.tf +++ b/modules/integrations/github_webhook_relay_source/lambda.tf @@ -1,6 +1,6 @@ module "validate_signature_lambda" { source = "terraform-aws-modules/lambda/aws" - version = "8.5.0" + version = "8.1.2" function_name = "${var.name_prefix}-validate-signature" handler = "validate_signature.lambda_handler" diff --git a/modules/integrations/splunk_aws_billing/billing_per_resource.tf b/modules/integrations/splunk_aws_billing/billing_per_resource.tf index 42ae011b..3a1bdc6f 100644 --- a/modules/integrations/splunk_aws_billing/billing_per_resource.tf +++ b/modules/integrations/splunk_aws_billing/billing_per_resource.tf @@ -4,7 +4,7 @@ locals { module "cur_per_resource" { source = "terraform-aws-modules/lambda/aws" - version = "8.5.0" + version = "8.1.2" function_name = local.cur_per_resource_lambda_name description = "Processes AWS Billing CUR reports per resource and sends data to Splunk" diff --git a/modules/integrations/splunk_aws_billing/billing_per_resource_process.tf b/modules/integrations/splunk_aws_billing/billing_per_resource_process.tf index 9478c574..59bb764f 100644 --- a/modules/integrations/splunk_aws_billing/billing_per_resource_process.tf +++ b/modules/integrations/splunk_aws_billing/billing_per_resource_process.tf @@ -4,7 +4,7 @@ locals { module "cur_per_resource_process" { source = "terraform-aws-modules/lambda/aws" - version = "8.5.0" + version = "8.1.2" function_name = local.cur_per_resource_process_lambda_name description = "Processes AWS billing data and sends to Splunk" diff --git a/modules/integrations/splunk_aws_billing/billing_per_service.tf b/modules/integrations/splunk_aws_billing/billing_per_service.tf index b2203737..d0d7a35f 100644 --- a/modules/integrations/splunk_aws_billing/billing_per_service.tf +++ b/modules/integrations/splunk_aws_billing/billing_per_service.tf @@ -4,7 +4,7 @@ locals { module "cur_per_service" { source = "terraform-aws-modules/lambda/aws" - version = "8.5.0" + version = "8.1.2" function_name = local.cur_per_service_lambda_name description = "Processes AWS Billing CUR reports per service and sends data to Splunk" diff --git a/modules/integrations/splunk_cloud_data_manager/sec_meta_ec2_tags/main.tf b/modules/integrations/splunk_cloud_data_manager/sec_meta_ec2_tags/main.tf index bd6ed38f..1e80c58c 100644 --- a/modules/integrations/splunk_cloud_data_manager/sec_meta_ec2_tags/main.tf +++ b/modules/integrations/splunk_cloud_data_manager/sec_meta_ec2_tags/main.tf @@ -1,6 +1,6 @@ module "splunk_dm_metadata_ec2inst_pattern_tags_lambda" { source = "terraform-aws-modules/lambda/aws" - version = "8.5.0" + version = "8.1.2" role_name = "SplunkDMMetadataEC2InstPatternTags-${var.region}" diff --git a/modules/integrations/splunk_cloud_s3_runner_logs/lambda.tf b/modules/integrations/splunk_cloud_s3_runner_logs/lambda.tf index bbf28fdc..6415ad4d 100644 --- a/modules/integrations/splunk_cloud_s3_runner_logs/lambda.tf +++ b/modules/integrations/splunk_cloud_s3_runner_logs/lambda.tf @@ -4,7 +4,7 @@ locals { module "splunk_s3_runner_logs_lambda" { source = "terraform-aws-modules/lambda/aws" - version = "8.5.0" + version = "8.1.2" function_name = "${local.prefix_lambda}-lambda-${var.aws_region}" handler = "splunk_s3_runner_logs.lambda_handler" diff --git a/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/main.tf b/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/main.tf index ccc28f25..da783661 100644 --- a/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/main.tf +++ b/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/main.tf @@ -1,6 +1,6 @@ module "ec2_update_runner_ssm_ami_lambda" { source = "terraform-aws-modules/lambda/aws" - version = "8.5.0" + version = "8.1.2" function_name = "${var.prefix}-ec2-update-runner-ssm-ami" handler = "ec2_update_runner_ssm_ami.lambda_handler" diff --git a/modules/platform/ec2_deployment/ec2_update_runner_tags/main.tf b/modules/platform/ec2_deployment/ec2_update_runner_tags/main.tf index 3ce4cf1f..8984950b 100644 --- a/modules/platform/ec2_deployment/ec2_update_runner_tags/main.tf +++ b/modules/platform/ec2_deployment/ec2_update_runner_tags/main.tf @@ -1,6 +1,6 @@ module "ec2_update_runner_tags_lambda" { source = "terraform-aws-modules/lambda/aws" - version = "8.5.0" + version = "8.1.2" function_name = "${var.prefix}-ec2-update-runner-tags" handler = "ec2_update_runner_tags.lambda_handler" diff --git a/modules/platform/forge_runners/forge_trust_validator/main.tf b/modules/platform/forge_runners/forge_trust_validator/main.tf index a90a51e7..d372c59a 100644 --- a/modules/platform/forge_runners/forge_trust_validator/main.tf +++ b/modules/platform/forge_runners/forge_trust_validator/main.tf @@ -1,6 +1,6 @@ module "forge_trust_validator_lambda" { source = "terraform-aws-modules/lambda/aws" - version = "8.5.0" + version = "8.1.2" function_name = "${var.prefix}-forge-trust-validator" handler = "forge_trust_validator.lambda_handler" diff --git a/modules/platform/forge_runners/github_actions_job_logs/job_log_archiver.tf b/modules/platform/forge_runners/github_actions_job_logs/job_log_archiver.tf index 4c8da634..f2793e7e 100644 --- a/modules/platform/forge_runners/github_actions_job_logs/job_log_archiver.tf +++ b/modules/platform/forge_runners/github_actions_job_logs/job_log_archiver.tf @@ -5,7 +5,7 @@ locals { module "job_log_archiver" { source = "terraform-aws-modules/lambda/aws" - version = "8.5.0" + version = "8.1.2" function_name = local.resource_name_archiver handler = "job_log_archiver.lambda_handler" diff --git a/modules/platform/forge_runners/github_actions_job_logs/job_log_dispatcher.tf b/modules/platform/forge_runners/github_actions_job_logs/job_log_dispatcher.tf index 34da9fcb..bdb85959 100644 --- a/modules/platform/forge_runners/github_actions_job_logs/job_log_dispatcher.tf +++ b/modules/platform/forge_runners/github_actions_job_logs/job_log_dispatcher.tf @@ -4,7 +4,7 @@ locals { module "job_log_dispatcher" { source = "terraform-aws-modules/lambda/aws" - version = "8.5.0" + version = "8.1.2" function_name = local.resource_name_dispatcher handler = "job_log_dispatcher.lambda_handler" diff --git a/modules/platform/forge_runners/github_app_runner_group/main.tf b/modules/platform/forge_runners/github_app_runner_group/main.tf index 2c8733ba..e304db9f 100644 --- a/modules/platform/forge_runners/github_app_runner_group/main.tf +++ b/modules/platform/forge_runners/github_app_runner_group/main.tf @@ -1,6 +1,6 @@ module "register_github_app_runner_group_lambda" { source = "terraform-aws-modules/lambda/aws" - version = "8.5.0" + version = "8.1.2" function_name = "${var.prefix}-register-github-app-runner-group" handler = "github_app_runner_group.lambda_handler" diff --git a/modules/platform/forge_runners/github_global_lock/main.tf b/modules/platform/forge_runners/github_global_lock/main.tf index ff733512..1cb1933f 100644 --- a/modules/platform/forge_runners/github_global_lock/main.tf +++ b/modules/platform/forge_runners/github_global_lock/main.tf @@ -70,7 +70,7 @@ resource "aws_iam_policy" "dynamodb_policy" { ## GitHub Clean Global Lock Lambda module "clean_global_lock_lambda" { source = "terraform-aws-modules/lambda/aws" - version = "8.5.0" + version = "8.1.2" function_name = "${var.prefix}-clean-global-lock" handler = "github_clean_global_lock.lambda_handler" diff --git a/modules/platform/forge_runners/redrive_deadletter/main.tf b/modules/platform/forge_runners/redrive_deadletter/main.tf index 214f4fc9..3be372d9 100644 --- a/modules/platform/forge_runners/redrive_deadletter/main.tf +++ b/modules/platform/forge_runners/redrive_deadletter/main.tf @@ -1,6 +1,6 @@ module "redrive_deadletter_lambda" { source = "terraform-aws-modules/lambda/aws" - version = "8.5.0" + version = "8.1.2" function_name = "${var.prefix}-redrive-deadletter" handler = "redrive_deadletter.lambda_handler" From 3d7ada98898fa49592230a6d7503d9931a84a819 Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Thu, 5 Feb 2026 20:20:52 +0100 Subject: [PATCH 70/85] chore: update aws lambda module to 8.4.0 (#279) * chore: update aws lambda to 8.2.1 * chore: update module to 8.3.0 * chore: update module to 8.4.0 * chore: update module to 8.5.0 * fix: rollback to 8.4.0 --- .../webex_webhook_relay/lambda.tf | 2 +- modules/integrations/github_webhook_relay_source/lambda.tf | 2 +- modules/integrations/splunk_aws_billing/billing_per_resource.tf | 2 +- .../splunk_aws_billing/billing_per_resource_process.tf | 2 +- modules/integrations/splunk_aws_billing/billing_per_service.tf | 2 +- .../splunk_cloud_data_manager/sec_meta_ec2_tags/main.tf | 2 +- modules/integrations/splunk_cloud_s3_runner_logs/lambda.tf | 2 +- .../platform/ec2_deployment/ec2_update_runner_ssm_ami/main.tf | 2 +- modules/platform/ec2_deployment/ec2_update_runner_tags/main.tf | 2 +- modules/platform/forge_runners/forge_trust_validator/main.tf | 2 +- .../forge_runners/github_actions_job_logs/job_log_archiver.tf | 2 +- .../forge_runners/github_actions_job_logs/job_log_dispatcher.tf | 2 +- modules/platform/forge_runners/github_app_runner_group/main.tf | 2 +- modules/platform/forge_runners/github_global_lock/main.tf | 2 +- modules/platform/forge_runners/redrive_deadletter/main.tf | 2 +- 15 files changed, 15 insertions(+), 15 deletions(-) diff --git a/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/lambda.tf b/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/lambda.tf index 6a244cf8..804039eb 100644 --- a/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/lambda.tf +++ b/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/lambda.tf @@ -7,7 +7,7 @@ resource "aws_cloudwatch_log_group" "webex" { module "webex" { source = "terraform-aws-modules/lambda/aws" - version = "8.1.2" + version = "8.4.0" function_name = "webex-webhook-relay-destination-receiver" handler = "handler.lambda_handler" diff --git a/modules/integrations/github_webhook_relay_source/lambda.tf b/modules/integrations/github_webhook_relay_source/lambda.tf index 82cad234..fa3a0688 100644 --- a/modules/integrations/github_webhook_relay_source/lambda.tf +++ b/modules/integrations/github_webhook_relay_source/lambda.tf @@ -1,6 +1,6 @@ module "validate_signature_lambda" { source = "terraform-aws-modules/lambda/aws" - version = "8.1.2" + version = "8.4.0" function_name = "${var.name_prefix}-validate-signature" handler = "validate_signature.lambda_handler" diff --git a/modules/integrations/splunk_aws_billing/billing_per_resource.tf b/modules/integrations/splunk_aws_billing/billing_per_resource.tf index 3a1bdc6f..bcb24366 100644 --- a/modules/integrations/splunk_aws_billing/billing_per_resource.tf +++ b/modules/integrations/splunk_aws_billing/billing_per_resource.tf @@ -4,7 +4,7 @@ locals { module "cur_per_resource" { source = "terraform-aws-modules/lambda/aws" - version = "8.1.2" + version = "8.4.0" function_name = local.cur_per_resource_lambda_name description = "Processes AWS Billing CUR reports per resource and sends data to Splunk" diff --git a/modules/integrations/splunk_aws_billing/billing_per_resource_process.tf b/modules/integrations/splunk_aws_billing/billing_per_resource_process.tf index 59bb764f..91bc7a9f 100644 --- a/modules/integrations/splunk_aws_billing/billing_per_resource_process.tf +++ b/modules/integrations/splunk_aws_billing/billing_per_resource_process.tf @@ -4,7 +4,7 @@ locals { module "cur_per_resource_process" { source = "terraform-aws-modules/lambda/aws" - version = "8.1.2" + version = "8.4.0" function_name = local.cur_per_resource_process_lambda_name description = "Processes AWS billing data and sends to Splunk" diff --git a/modules/integrations/splunk_aws_billing/billing_per_service.tf b/modules/integrations/splunk_aws_billing/billing_per_service.tf index d0d7a35f..9d7ba036 100644 --- a/modules/integrations/splunk_aws_billing/billing_per_service.tf +++ b/modules/integrations/splunk_aws_billing/billing_per_service.tf @@ -4,7 +4,7 @@ locals { module "cur_per_service" { source = "terraform-aws-modules/lambda/aws" - version = "8.1.2" + version = "8.4.0" function_name = local.cur_per_service_lambda_name description = "Processes AWS Billing CUR reports per service and sends data to Splunk" diff --git a/modules/integrations/splunk_cloud_data_manager/sec_meta_ec2_tags/main.tf b/modules/integrations/splunk_cloud_data_manager/sec_meta_ec2_tags/main.tf index 1e80c58c..6d21921b 100644 --- a/modules/integrations/splunk_cloud_data_manager/sec_meta_ec2_tags/main.tf +++ b/modules/integrations/splunk_cloud_data_manager/sec_meta_ec2_tags/main.tf @@ -1,6 +1,6 @@ module "splunk_dm_metadata_ec2inst_pattern_tags_lambda" { source = "terraform-aws-modules/lambda/aws" - version = "8.1.2" + version = "8.4.0" role_name = "SplunkDMMetadataEC2InstPatternTags-${var.region}" diff --git a/modules/integrations/splunk_cloud_s3_runner_logs/lambda.tf b/modules/integrations/splunk_cloud_s3_runner_logs/lambda.tf index 6415ad4d..b251e361 100644 --- a/modules/integrations/splunk_cloud_s3_runner_logs/lambda.tf +++ b/modules/integrations/splunk_cloud_s3_runner_logs/lambda.tf @@ -4,7 +4,7 @@ locals { module "splunk_s3_runner_logs_lambda" { source = "terraform-aws-modules/lambda/aws" - version = "8.1.2" + version = "8.4.0" function_name = "${local.prefix_lambda}-lambda-${var.aws_region}" handler = "splunk_s3_runner_logs.lambda_handler" diff --git a/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/main.tf b/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/main.tf index da783661..ea371f85 100644 --- a/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/main.tf +++ b/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/main.tf @@ -1,6 +1,6 @@ module "ec2_update_runner_ssm_ami_lambda" { source = "terraform-aws-modules/lambda/aws" - version = "8.1.2" + version = "8.4.0" function_name = "${var.prefix}-ec2-update-runner-ssm-ami" handler = "ec2_update_runner_ssm_ami.lambda_handler" diff --git a/modules/platform/ec2_deployment/ec2_update_runner_tags/main.tf b/modules/platform/ec2_deployment/ec2_update_runner_tags/main.tf index 8984950b..50cf1dfc 100644 --- a/modules/platform/ec2_deployment/ec2_update_runner_tags/main.tf +++ b/modules/platform/ec2_deployment/ec2_update_runner_tags/main.tf @@ -1,6 +1,6 @@ module "ec2_update_runner_tags_lambda" { source = "terraform-aws-modules/lambda/aws" - version = "8.1.2" + version = "8.4.0" function_name = "${var.prefix}-ec2-update-runner-tags" handler = "ec2_update_runner_tags.lambda_handler" diff --git a/modules/platform/forge_runners/forge_trust_validator/main.tf b/modules/platform/forge_runners/forge_trust_validator/main.tf index d372c59a..8e0a3fa8 100644 --- a/modules/platform/forge_runners/forge_trust_validator/main.tf +++ b/modules/platform/forge_runners/forge_trust_validator/main.tf @@ -1,6 +1,6 @@ module "forge_trust_validator_lambda" { source = "terraform-aws-modules/lambda/aws" - version = "8.1.2" + version = "8.4.0" function_name = "${var.prefix}-forge-trust-validator" handler = "forge_trust_validator.lambda_handler" diff --git a/modules/platform/forge_runners/github_actions_job_logs/job_log_archiver.tf b/modules/platform/forge_runners/github_actions_job_logs/job_log_archiver.tf index f2793e7e..8b854480 100644 --- a/modules/platform/forge_runners/github_actions_job_logs/job_log_archiver.tf +++ b/modules/platform/forge_runners/github_actions_job_logs/job_log_archiver.tf @@ -5,7 +5,7 @@ locals { module "job_log_archiver" { source = "terraform-aws-modules/lambda/aws" - version = "8.1.2" + version = "8.4.0" function_name = local.resource_name_archiver handler = "job_log_archiver.lambda_handler" diff --git a/modules/platform/forge_runners/github_actions_job_logs/job_log_dispatcher.tf b/modules/platform/forge_runners/github_actions_job_logs/job_log_dispatcher.tf index bdb85959..ef7c4d11 100644 --- a/modules/platform/forge_runners/github_actions_job_logs/job_log_dispatcher.tf +++ b/modules/platform/forge_runners/github_actions_job_logs/job_log_dispatcher.tf @@ -4,7 +4,7 @@ locals { module "job_log_dispatcher" { source = "terraform-aws-modules/lambda/aws" - version = "8.1.2" + version = "8.4.0" function_name = local.resource_name_dispatcher handler = "job_log_dispatcher.lambda_handler" diff --git a/modules/platform/forge_runners/github_app_runner_group/main.tf b/modules/platform/forge_runners/github_app_runner_group/main.tf index e304db9f..0d408db2 100644 --- a/modules/platform/forge_runners/github_app_runner_group/main.tf +++ b/modules/platform/forge_runners/github_app_runner_group/main.tf @@ -1,6 +1,6 @@ module "register_github_app_runner_group_lambda" { source = "terraform-aws-modules/lambda/aws" - version = "8.1.2" + version = "8.4.0" function_name = "${var.prefix}-register-github-app-runner-group" handler = "github_app_runner_group.lambda_handler" diff --git a/modules/platform/forge_runners/github_global_lock/main.tf b/modules/platform/forge_runners/github_global_lock/main.tf index 1cb1933f..b13e8bf2 100644 --- a/modules/platform/forge_runners/github_global_lock/main.tf +++ b/modules/platform/forge_runners/github_global_lock/main.tf @@ -70,7 +70,7 @@ resource "aws_iam_policy" "dynamodb_policy" { ## GitHub Clean Global Lock Lambda module "clean_global_lock_lambda" { source = "terraform-aws-modules/lambda/aws" - version = "8.1.2" + version = "8.4.0" function_name = "${var.prefix}-clean-global-lock" handler = "github_clean_global_lock.lambda_handler" diff --git a/modules/platform/forge_runners/redrive_deadletter/main.tf b/modules/platform/forge_runners/redrive_deadletter/main.tf index 3be372d9..b75b7fda 100644 --- a/modules/platform/forge_runners/redrive_deadletter/main.tf +++ b/modules/platform/forge_runners/redrive_deadletter/main.tf @@ -1,6 +1,6 @@ module "redrive_deadletter_lambda" { source = "terraform-aws-modules/lambda/aws" - version = "8.1.2" + version = "8.4.0" function_name = "${var.prefix}-redrive-deadletter" handler = "redrive_deadletter.lambda_handler" From 3164c358281b452c5311defc3a5160ae55d9ad0f Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Fri, 6 Feb 2026 15:45:59 +0100 Subject: [PATCH 71/85] fix: disable affinity for now (#280) --- modules/core/arc/scale_set/template_files/dind.yml.tftpl | 4 ---- modules/core/arc/scale_set/template_files/k8s.yml.tftpl | 9 --------- 2 files changed, 13 deletions(-) diff --git a/modules/core/arc/scale_set/template_files/dind.yml.tftpl b/modules/core/arc/scale_set/template_files/dind.yml.tftpl index 6f1c3e9c..74c5a9bb 100644 --- a/modules/core/arc/scale_set/template_files/dind.yml.tftpl +++ b/modules/core/arc/scale_set/template_files/dind.yml.tftpl @@ -280,10 +280,6 @@ template: values: - ${tenant} - # karpenter affinity - - key: "karpenter.sh/disrupted" - operator: DoesNotExist - controllerServiceAccount: namespace: ${controller_namespace} name: ${controller_service_account} diff --git a/modules/core/arc/scale_set/template_files/k8s.yml.tftpl b/modules/core/arc/scale_set/template_files/k8s.yml.tftpl index 2416448d..d2381cbb 100644 --- a/modules/core/arc/scale_set/template_files/k8s.yml.tftpl +++ b/modules/core/arc/scale_set/template_files/k8s.yml.tftpl @@ -136,15 +136,6 @@ template: configMap: name: hook-pre-post-job-${scale_set_name} - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - # karpenter affinity - - key: "karpenter.sh/disrupted" - operator: DoesNotExist - controllerServiceAccount: namespace: ${controller_namespace} name: ${controller_service_account} From 4ed88e3faf46fb9cd5c8a3736165035bcbcd080e Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Fri, 6 Feb 2026 16:43:59 +0100 Subject: [PATCH 72/85] fix: set scale set with same version as controller (#281) * fix: set scale set with same version as controller * fix: remove amd filter --- modules/infra/eks/templates/node_pool.yaml.tpl | 3 --- modules/platform/arc_deployment/main.tf | 2 +- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/modules/infra/eks/templates/node_pool.yaml.tpl b/modules/infra/eks/templates/node_pool.yaml.tpl index c650d17a..b049cf6e 100644 --- a/modules/infra/eks/templates/node_pool.yaml.tpl +++ b/modules/infra/eks/templates/node_pool.yaml.tpl @@ -10,9 +10,6 @@ spec: operator: In values: - ${instance_type} - - key: kubernetes.io/arch - operator: In - values: ["amd64"] - key: kubernetes.io/os operator: In values: ["linux"] diff --git a/modules/platform/arc_deployment/main.tf b/modules/platform/arc_deployment/main.tf index 870d634b..b07c2440 100644 --- a/modules/platform/arc_deployment/main.tf +++ b/modules/platform/arc_deployment/main.tf @@ -22,7 +22,7 @@ module "arc" { release_name = "${var.runner_configs.prefix}-${key}" namespace = var.tenant_configs.name chart_name = "oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set" - chart_version = "0.13.0" + chart_version = "0.13.1" } runner_config = { runner_size = val.runner_size From 76db1409a40b0c0c01f8debcc11a543f99ecec4e Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Fri, 6 Feb 2026 17:52:12 +0100 Subject: [PATCH 73/85] fix: use karpenter.k8s.aws/instance-family (#282) --- modules/infra/eks/templates/node_pool.yaml.tpl | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/modules/infra/eks/templates/node_pool.yaml.tpl b/modules/infra/eks/templates/node_pool.yaml.tpl index b049cf6e..0b73649a 100644 --- a/modules/infra/eks/templates/node_pool.yaml.tpl +++ b/modules/infra/eks/templates/node_pool.yaml.tpl @@ -6,10 +6,18 @@ spec: template: spec: requirements: - - key: node.kubernetes.io/instance-type + - key: karpenter.k8s.aws/instance-family operator: In values: - - ${instance_type} + - m6i + - m5 + - c6i + - c5 + - r6i + - r5 + - key: kubernetes.io/arch + operator: In + values: ["amd64"] - key: kubernetes.io/os operator: In values: ["linux"] From 9ce41c15108963e87817f5b53bab298f939936a3 Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Fri, 6 Feb 2026 21:27:36 +0100 Subject: [PATCH 74/85] fix: deploy forge_trust_validator in migration (#283) --- scripts/migrate-tenant.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/migrate-tenant.sh b/scripts/migrate-tenant.sh index 7391960c..6cd186ce 100755 --- a/scripts/migrate-tenant.sh +++ b/scripts/migrate-tenant.sh @@ -115,6 +115,7 @@ main() { echo "🚀 Enabling ARC for tenant on new cluster '$TO'" update_config false "$TO" terragrunt_apply 'module.arc_runners' + terragrunt_apply 'module.forge_trust_validator' echo "✅ Migration complete. Tenant '$TENANT' is now on '$TO'" } From 4aaa4d81d94d147a4c8eb2dc97d4e6e94db7a193 Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Mon, 9 Feb 2026 20:08:07 +0100 Subject: [PATCH 75/85] feat: add new dashboard for show errors in trust relationship validation (#284) --- ....json.tf => dashboard_trust_relationship.tf} | 16 ++++++++-------- ...=> trust_relationship_validation.json.tftpl} | 17 ++++++++++------- 2 files changed, 18 insertions(+), 15 deletions(-) rename modules/integrations/splunk_cloud_conf_shared/{dashboard_ec2_scale_up_errors.json.tf => dashboard_trust_relationship.tf} (56%) rename modules/integrations/splunk_cloud_conf_shared/template_files/{ec2_scale_up_errors.json.tftpl => trust_relationship_validation.json.tftpl} (70%) diff --git a/modules/integrations/splunk_cloud_conf_shared/dashboard_ec2_scale_up_errors.json.tf b/modules/integrations/splunk_cloud_conf_shared/dashboard_trust_relationship.tf similarity index 56% rename from modules/integrations/splunk_cloud_conf_shared/dashboard_ec2_scale_up_errors.json.tf rename to modules/integrations/splunk_cloud_conf_shared/dashboard_trust_relationship.tf index 6b4c4760..c4f9e7d3 100644 --- a/modules/integrations/splunk_cloud_conf_shared/dashboard_ec2_scale_up_errors.json.tf +++ b/modules/integrations/splunk_cloud_conf_shared/dashboard_trust_relationship.tf @@ -1,17 +1,17 @@ locals { - ec2_scale_up_errors_definition = templatefile( - "${path.module}/template_files/ec2_scale_up_errors.json.tftpl", + trust_relationship_validation_definition = templatefile( + "${path.module}/template_files/trust_relationship_validation.json.tftpl", { splunk_index = var.splunk_conf.index, tenants = var.splunk_conf.tenant_names } ) - ec2_scale_up_errors_eai_data = < - + - + Date: Fri, 13 Feb 2026 15:09:37 +0100 Subject: [PATCH 76/85] chore: update deps (#288) * chore(deps): update pre-commit hook commitizen-tools/commitizen to v4.13.6 (#98) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update python:3.14-slim docker digest to 486b809 (#100) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update pre-commit hook commitizen-tools/commitizen to v4.13.7 (#101) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update docker/build-push-action action to v6.19.2 (#102) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update dependency terraform-linters/tflint to v0.61.0 (#99) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update terraform terraform-aws-modules/lambda/aws to v8.5.0 (#97) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .docker/forge-github-app-register/Dockerfile | 2 +- .docker/pre-commit/Dockerfile | 2 +- .github/workflows/build-forge-github-app-register.yml | 2 +- .github/workflows/build-pre-commit.yml | 2 +- .pre-commit-config.yaml | 2 +- .../webex_webhook_relay/lambda.tf | 2 +- modules/integrations/github_webhook_relay_source/lambda.tf | 2 +- modules/integrations/splunk_aws_billing/billing_per_resource.tf | 2 +- .../splunk_aws_billing/billing_per_resource_process.tf | 2 +- modules/integrations/splunk_aws_billing/billing_per_service.tf | 2 +- .../splunk_cloud_data_manager/sec_meta_ec2_tags/main.tf | 2 +- modules/integrations/splunk_cloud_s3_runner_logs/lambda.tf | 2 +- .../platform/ec2_deployment/ec2_update_runner_ssm_ami/main.tf | 2 +- modules/platform/ec2_deployment/ec2_update_runner_tags/main.tf | 2 +- modules/platform/forge_runners/forge_trust_validator/main.tf | 2 +- .../forge_runners/github_actions_job_logs/job_log_archiver.tf | 2 +- .../forge_runners/github_actions_job_logs/job_log_dispatcher.tf | 2 +- modules/platform/forge_runners/github_app_runner_group/main.tf | 2 +- modules/platform/forge_runners/github_global_lock/main.tf | 2 +- modules/platform/forge_runners/redrive_deadletter/main.tf | 2 +- 20 files changed, 20 insertions(+), 20 deletions(-) diff --git a/.docker/forge-github-app-register/Dockerfile b/.docker/forge-github-app-register/Dockerfile index acff303d..68a6ede2 100644 --- a/.docker/forge-github-app-register/Dockerfile +++ b/.docker/forge-github-app-register/Dockerfile @@ -1,4 +1,4 @@ -FROM python:3.14-slim@sha256:fa0acdcd760f0bf265bc2c1ee6120776c4d92a9c3a37289e17b9642ad2e5b83b +FROM python:3.14-slim@sha256:486b8092bfb12997e10d4920897213a06563449c951c5506c2a2cfaf591c599f RUN useradd --create-home appuser WORKDIR /home/appuser diff --git a/.docker/pre-commit/Dockerfile b/.docker/pre-commit/Dockerfile index 06257522..31ad9856 100644 --- a/.docker/pre-commit/Dockerfile +++ b/.docker/pre-commit/Dockerfile @@ -87,7 +87,7 @@ RUN set -eux; \ chmod 755 /usr/local/bin/terragrunt # renovate: datasource=github-releases depName=terraform-linters/tflint registryUrl=https://github.com/ -ARG TFLINT_VERSION="0.60.0" +ARG TFLINT_VERSION="0.61.0" ARG TFLINT_SRC="https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/tflint_linux_amd64.zip" ARG TFLINT_ARTIFACT="tflint.zip" RUN set -eux; \ diff --git a/.github/workflows/build-forge-github-app-register.yml b/.github/workflows/build-forge-github-app-register.yml index b884caad..817f97b4 100644 --- a/.github/workflows/build-forge-github-app-register.yml +++ b/.github/workflows/build-forge-github-app-register.yml @@ -60,7 +60,7 @@ jobs: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - name: Build and push Docker image [forge-github-app-register] - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 + uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 with: context: ./.docker/forge-github-app-register file: .docker/forge-github-app-register/Dockerfile diff --git a/.github/workflows/build-pre-commit.yml b/.github/workflows/build-pre-commit.yml index 4306ae17..8388f8db 100644 --- a/.github/workflows/build-pre-commit.yml +++ b/.github/workflows/build-pre-commit.yml @@ -60,7 +60,7 @@ jobs: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - name: Build and push Docker image [pre-commit] - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 + uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 with: context: . file: .docker/pre-commit/Dockerfile diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 5750be10..221eb5b3 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -83,7 +83,7 @@ repos: # Commit Message Hooks # --------------------- - repo: https://github.com/commitizen-tools/commitizen - rev: v4.13.5 + rev: v4.13.7 hooks: - id: commitizen name: Git · Validate commit message diff --git a/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/lambda.tf b/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/lambda.tf index 804039eb..d3ac879d 100644 --- a/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/lambda.tf +++ b/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/lambda.tf @@ -7,7 +7,7 @@ resource "aws_cloudwatch_log_group" "webex" { module "webex" { source = "terraform-aws-modules/lambda/aws" - version = "8.4.0" + version = "8.5.0" function_name = "webex-webhook-relay-destination-receiver" handler = "handler.lambda_handler" diff --git a/modules/integrations/github_webhook_relay_source/lambda.tf b/modules/integrations/github_webhook_relay_source/lambda.tf index fa3a0688..7f9a43aa 100644 --- a/modules/integrations/github_webhook_relay_source/lambda.tf +++ b/modules/integrations/github_webhook_relay_source/lambda.tf @@ -1,6 +1,6 @@ module "validate_signature_lambda" { source = "terraform-aws-modules/lambda/aws" - version = "8.4.0" + version = "8.5.0" function_name = "${var.name_prefix}-validate-signature" handler = "validate_signature.lambda_handler" diff --git a/modules/integrations/splunk_aws_billing/billing_per_resource.tf b/modules/integrations/splunk_aws_billing/billing_per_resource.tf index bcb24366..42ae011b 100644 --- a/modules/integrations/splunk_aws_billing/billing_per_resource.tf +++ b/modules/integrations/splunk_aws_billing/billing_per_resource.tf @@ -4,7 +4,7 @@ locals { module "cur_per_resource" { source = "terraform-aws-modules/lambda/aws" - version = "8.4.0" + version = "8.5.0" function_name = local.cur_per_resource_lambda_name description = "Processes AWS Billing CUR reports per resource and sends data to Splunk" diff --git a/modules/integrations/splunk_aws_billing/billing_per_resource_process.tf b/modules/integrations/splunk_aws_billing/billing_per_resource_process.tf index 91bc7a9f..9478c574 100644 --- a/modules/integrations/splunk_aws_billing/billing_per_resource_process.tf +++ b/modules/integrations/splunk_aws_billing/billing_per_resource_process.tf @@ -4,7 +4,7 @@ locals { module "cur_per_resource_process" { source = "terraform-aws-modules/lambda/aws" - version = "8.4.0" + version = "8.5.0" function_name = local.cur_per_resource_process_lambda_name description = "Processes AWS billing data and sends to Splunk" diff --git a/modules/integrations/splunk_aws_billing/billing_per_service.tf b/modules/integrations/splunk_aws_billing/billing_per_service.tf index 9d7ba036..b2203737 100644 --- a/modules/integrations/splunk_aws_billing/billing_per_service.tf +++ b/modules/integrations/splunk_aws_billing/billing_per_service.tf @@ -4,7 +4,7 @@ locals { module "cur_per_service" { source = "terraform-aws-modules/lambda/aws" - version = "8.4.0" + version = "8.5.0" function_name = local.cur_per_service_lambda_name description = "Processes AWS Billing CUR reports per service and sends data to Splunk" diff --git a/modules/integrations/splunk_cloud_data_manager/sec_meta_ec2_tags/main.tf b/modules/integrations/splunk_cloud_data_manager/sec_meta_ec2_tags/main.tf index 6d21921b..bd6ed38f 100644 --- a/modules/integrations/splunk_cloud_data_manager/sec_meta_ec2_tags/main.tf +++ b/modules/integrations/splunk_cloud_data_manager/sec_meta_ec2_tags/main.tf @@ -1,6 +1,6 @@ module "splunk_dm_metadata_ec2inst_pattern_tags_lambda" { source = "terraform-aws-modules/lambda/aws" - version = "8.4.0" + version = "8.5.0" role_name = "SplunkDMMetadataEC2InstPatternTags-${var.region}" diff --git a/modules/integrations/splunk_cloud_s3_runner_logs/lambda.tf b/modules/integrations/splunk_cloud_s3_runner_logs/lambda.tf index b251e361..bbf28fdc 100644 --- a/modules/integrations/splunk_cloud_s3_runner_logs/lambda.tf +++ b/modules/integrations/splunk_cloud_s3_runner_logs/lambda.tf @@ -4,7 +4,7 @@ locals { module "splunk_s3_runner_logs_lambda" { source = "terraform-aws-modules/lambda/aws" - version = "8.4.0" + version = "8.5.0" function_name = "${local.prefix_lambda}-lambda-${var.aws_region}" handler = "splunk_s3_runner_logs.lambda_handler" diff --git a/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/main.tf b/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/main.tf index ea371f85..ccc28f25 100644 --- a/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/main.tf +++ b/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/main.tf @@ -1,6 +1,6 @@ module "ec2_update_runner_ssm_ami_lambda" { source = "terraform-aws-modules/lambda/aws" - version = "8.4.0" + version = "8.5.0" function_name = "${var.prefix}-ec2-update-runner-ssm-ami" handler = "ec2_update_runner_ssm_ami.lambda_handler" diff --git a/modules/platform/ec2_deployment/ec2_update_runner_tags/main.tf b/modules/platform/ec2_deployment/ec2_update_runner_tags/main.tf index 50cf1dfc..3ce4cf1f 100644 --- a/modules/platform/ec2_deployment/ec2_update_runner_tags/main.tf +++ b/modules/platform/ec2_deployment/ec2_update_runner_tags/main.tf @@ -1,6 +1,6 @@ module "ec2_update_runner_tags_lambda" { source = "terraform-aws-modules/lambda/aws" - version = "8.4.0" + version = "8.5.0" function_name = "${var.prefix}-ec2-update-runner-tags" handler = "ec2_update_runner_tags.lambda_handler" diff --git a/modules/platform/forge_runners/forge_trust_validator/main.tf b/modules/platform/forge_runners/forge_trust_validator/main.tf index 8e0a3fa8..a90a51e7 100644 --- a/modules/platform/forge_runners/forge_trust_validator/main.tf +++ b/modules/platform/forge_runners/forge_trust_validator/main.tf @@ -1,6 +1,6 @@ module "forge_trust_validator_lambda" { source = "terraform-aws-modules/lambda/aws" - version = "8.4.0" + version = "8.5.0" function_name = "${var.prefix}-forge-trust-validator" handler = "forge_trust_validator.lambda_handler" diff --git a/modules/platform/forge_runners/github_actions_job_logs/job_log_archiver.tf b/modules/platform/forge_runners/github_actions_job_logs/job_log_archiver.tf index 8b854480..4c8da634 100644 --- a/modules/platform/forge_runners/github_actions_job_logs/job_log_archiver.tf +++ b/modules/platform/forge_runners/github_actions_job_logs/job_log_archiver.tf @@ -5,7 +5,7 @@ locals { module "job_log_archiver" { source = "terraform-aws-modules/lambda/aws" - version = "8.4.0" + version = "8.5.0" function_name = local.resource_name_archiver handler = "job_log_archiver.lambda_handler" diff --git a/modules/platform/forge_runners/github_actions_job_logs/job_log_dispatcher.tf b/modules/platform/forge_runners/github_actions_job_logs/job_log_dispatcher.tf index ef7c4d11..34da9fcb 100644 --- a/modules/platform/forge_runners/github_actions_job_logs/job_log_dispatcher.tf +++ b/modules/platform/forge_runners/github_actions_job_logs/job_log_dispatcher.tf @@ -4,7 +4,7 @@ locals { module "job_log_dispatcher" { source = "terraform-aws-modules/lambda/aws" - version = "8.4.0" + version = "8.5.0" function_name = local.resource_name_dispatcher handler = "job_log_dispatcher.lambda_handler" diff --git a/modules/platform/forge_runners/github_app_runner_group/main.tf b/modules/platform/forge_runners/github_app_runner_group/main.tf index 0d408db2..2c8733ba 100644 --- a/modules/platform/forge_runners/github_app_runner_group/main.tf +++ b/modules/platform/forge_runners/github_app_runner_group/main.tf @@ -1,6 +1,6 @@ module "register_github_app_runner_group_lambda" { source = "terraform-aws-modules/lambda/aws" - version = "8.4.0" + version = "8.5.0" function_name = "${var.prefix}-register-github-app-runner-group" handler = "github_app_runner_group.lambda_handler" diff --git a/modules/platform/forge_runners/github_global_lock/main.tf b/modules/platform/forge_runners/github_global_lock/main.tf index b13e8bf2..ff733512 100644 --- a/modules/platform/forge_runners/github_global_lock/main.tf +++ b/modules/platform/forge_runners/github_global_lock/main.tf @@ -70,7 +70,7 @@ resource "aws_iam_policy" "dynamodb_policy" { ## GitHub Clean Global Lock Lambda module "clean_global_lock_lambda" { source = "terraform-aws-modules/lambda/aws" - version = "8.4.0" + version = "8.5.0" function_name = "${var.prefix}-clean-global-lock" handler = "github_clean_global_lock.lambda_handler" diff --git a/modules/platform/forge_runners/redrive_deadletter/main.tf b/modules/platform/forge_runners/redrive_deadletter/main.tf index b75b7fda..214f4fc9 100644 --- a/modules/platform/forge_runners/redrive_deadletter/main.tf +++ b/modules/platform/forge_runners/redrive_deadletter/main.tf @@ -1,6 +1,6 @@ module "redrive_deadletter_lambda" { source = "terraform-aws-modules/lambda/aws" - version = "8.4.0" + version = "8.5.0" function_name = "${var.prefix}-redrive-deadletter" handler = "redrive_deadletter.lambda_handler" From 549c3de2553412abaad857030ed911b27c40c171 Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Wed, 18 Feb 2026 23:21:09 +0100 Subject: [PATCH 77/85] chore: update deps from renovatebot prs (#289) * chore(deps): update terraform terraform-aws-modules/lambda/aws to v8.7.0 (#113) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update ubuntu:24.04 docker digest to d1e2e92 (#114) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update pre-commit hooks (#112) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update pre-commit hook python-jsonschema/check-jsonschema to v0.36.2 (#111) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update dependency gruntwork-io/terragrunt to v0.99.2 (#110) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .docker/pre-commit/Dockerfile | 6 +++--- .pre-commit-config.yaml | 6 +++--- .../webex_webhook_relay/lambda.tf | 2 +- modules/integrations/github_webhook_relay_source/lambda.tf | 2 +- .../integrations/splunk_aws_billing/billing_per_resource.tf | 2 +- .../splunk_aws_billing/billing_per_resource_process.tf | 2 +- .../integrations/splunk_aws_billing/billing_per_service.tf | 2 +- .../splunk_cloud_data_manager/sec_meta_ec2_tags/main.tf | 2 +- modules/integrations/splunk_cloud_s3_runner_logs/lambda.tf | 2 +- .../ec2_deployment/ec2_update_runner_ssm_ami/main.tf | 2 +- .../platform/ec2_deployment/ec2_update_runner_tags/main.tf | 2 +- .../platform/forge_runners/forge_trust_validator/main.tf | 2 +- .../github_actions_job_logs/job_log_archiver.tf | 2 +- .../github_actions_job_logs/job_log_dispatcher.tf | 2 +- .../platform/forge_runners/github_app_runner_group/main.tf | 2 +- modules/platform/forge_runners/github_global_lock/main.tf | 2 +- modules/platform/forge_runners/redrive_deadletter/main.tf | 2 +- 17 files changed, 21 insertions(+), 21 deletions(-) diff --git a/.docker/pre-commit/Dockerfile b/.docker/pre-commit/Dockerfile index 31ad9856..eeeac3a9 100644 --- a/.docker/pre-commit/Dockerfile +++ b/.docker/pre-commit/Dockerfile @@ -1,4 +1,4 @@ -FROM ubuntu:24.04@sha256:cd1dba651b3080c3686ecf4e3c4220f026b521fb76978881737d24f200828b2b AS build +FROM ubuntu:24.04@sha256:d1e2e92c075e5ca139d51a140fff46f84315c0fdce203eab2807c7e495eff4f9 AS build WORKDIR /opt/build @@ -78,7 +78,7 @@ RUN set -eux; \ chmod 755 /usr/local/bin/terraform-docs # renovate: datasource=github-releases depName=gruntwork-io/terragrunt registryUrl=https://github.com/ -ARG TERRAGRUNT_VERSION="0.99.1" +ARG TERRAGRUNT_VERSION="0.99.2" ARG TERRAGRUNT_SRC="https://github.com/gruntwork-io/terragrunt/releases/download/v${TERRAGRUNT_VERSION}/terragrunt_linux_amd64" ARG TERRAGRUNT_ARTIFACT="terragrunt" RUN set -eux; \ @@ -104,7 +104,7 @@ RUN set -eux; \ unzip -o ${TOFU_ARTIFACT} -d /usr/local/bin/; \ chmod 755 /usr/local/bin/tofu -FROM ubuntu:24.04@sha256:cd1dba651b3080c3686ecf4e3c4220f026b521fb76978881737d24f200828b2b AS final +FROM ubuntu:24.04@sha256:d1e2e92c075e5ca139d51a140fff46f84315c0fdce203eab2807c7e495eff4f9 AS final ENV DEBIAN_FRONTEND=noninteractive diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 221eb5b3..f6b88b1d 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -83,7 +83,7 @@ repos: # Commit Message Hooks # --------------------- - repo: https://github.com/commitizen-tools/commitizen - rev: v4.13.7 + rev: v4.13.8 hooks: - id: commitizen name: Git · Validate commit message @@ -165,7 +165,7 @@ repos: name: Python · Import sorter - repo: https://github.com/PyCQA/autoflake - rev: v2.3.1 + rev: v2.3.2 hooks: - id: autoflake name: Python · Remove unused imports @@ -196,7 +196,7 @@ repos: # JSON Schema Hooks # --------------------- - repo: https://github.com/python-jsonschema/check-jsonschema - rev: 0.36.1 + rev: 0.36.2 hooks: - id: check-github-workflows name: JSON Schema · GitHub workflows diff --git a/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/lambda.tf b/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/lambda.tf index d3ac879d..d2125adf 100644 --- a/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/lambda.tf +++ b/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/lambda.tf @@ -7,7 +7,7 @@ resource "aws_cloudwatch_log_group" "webex" { module "webex" { source = "terraform-aws-modules/lambda/aws" - version = "8.5.0" + version = "8.7.0" function_name = "webex-webhook-relay-destination-receiver" handler = "handler.lambda_handler" diff --git a/modules/integrations/github_webhook_relay_source/lambda.tf b/modules/integrations/github_webhook_relay_source/lambda.tf index 7f9a43aa..1cb74bce 100644 --- a/modules/integrations/github_webhook_relay_source/lambda.tf +++ b/modules/integrations/github_webhook_relay_source/lambda.tf @@ -1,6 +1,6 @@ module "validate_signature_lambda" { source = "terraform-aws-modules/lambda/aws" - version = "8.5.0" + version = "8.7.0" function_name = "${var.name_prefix}-validate-signature" handler = "validate_signature.lambda_handler" diff --git a/modules/integrations/splunk_aws_billing/billing_per_resource.tf b/modules/integrations/splunk_aws_billing/billing_per_resource.tf index 42ae011b..e9782aac 100644 --- a/modules/integrations/splunk_aws_billing/billing_per_resource.tf +++ b/modules/integrations/splunk_aws_billing/billing_per_resource.tf @@ -4,7 +4,7 @@ locals { module "cur_per_resource" { source = "terraform-aws-modules/lambda/aws" - version = "8.5.0" + version = "8.7.0" function_name = local.cur_per_resource_lambda_name description = "Processes AWS Billing CUR reports per resource and sends data to Splunk" diff --git a/modules/integrations/splunk_aws_billing/billing_per_resource_process.tf b/modules/integrations/splunk_aws_billing/billing_per_resource_process.tf index 9478c574..66e5db2e 100644 --- a/modules/integrations/splunk_aws_billing/billing_per_resource_process.tf +++ b/modules/integrations/splunk_aws_billing/billing_per_resource_process.tf @@ -4,7 +4,7 @@ locals { module "cur_per_resource_process" { source = "terraform-aws-modules/lambda/aws" - version = "8.5.0" + version = "8.7.0" function_name = local.cur_per_resource_process_lambda_name description = "Processes AWS billing data and sends to Splunk" diff --git a/modules/integrations/splunk_aws_billing/billing_per_service.tf b/modules/integrations/splunk_aws_billing/billing_per_service.tf index b2203737..db9ef3a1 100644 --- a/modules/integrations/splunk_aws_billing/billing_per_service.tf +++ b/modules/integrations/splunk_aws_billing/billing_per_service.tf @@ -4,7 +4,7 @@ locals { module "cur_per_service" { source = "terraform-aws-modules/lambda/aws" - version = "8.5.0" + version = "8.7.0" function_name = local.cur_per_service_lambda_name description = "Processes AWS Billing CUR reports per service and sends data to Splunk" diff --git a/modules/integrations/splunk_cloud_data_manager/sec_meta_ec2_tags/main.tf b/modules/integrations/splunk_cloud_data_manager/sec_meta_ec2_tags/main.tf index bd6ed38f..45d84394 100644 --- a/modules/integrations/splunk_cloud_data_manager/sec_meta_ec2_tags/main.tf +++ b/modules/integrations/splunk_cloud_data_manager/sec_meta_ec2_tags/main.tf @@ -1,6 +1,6 @@ module "splunk_dm_metadata_ec2inst_pattern_tags_lambda" { source = "terraform-aws-modules/lambda/aws" - version = "8.5.0" + version = "8.7.0" role_name = "SplunkDMMetadataEC2InstPatternTags-${var.region}" diff --git a/modules/integrations/splunk_cloud_s3_runner_logs/lambda.tf b/modules/integrations/splunk_cloud_s3_runner_logs/lambda.tf index bbf28fdc..f2e21678 100644 --- a/modules/integrations/splunk_cloud_s3_runner_logs/lambda.tf +++ b/modules/integrations/splunk_cloud_s3_runner_logs/lambda.tf @@ -4,7 +4,7 @@ locals { module "splunk_s3_runner_logs_lambda" { source = "terraform-aws-modules/lambda/aws" - version = "8.5.0" + version = "8.7.0" function_name = "${local.prefix_lambda}-lambda-${var.aws_region}" handler = "splunk_s3_runner_logs.lambda_handler" diff --git a/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/main.tf b/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/main.tf index ccc28f25..4d8d88e9 100644 --- a/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/main.tf +++ b/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/main.tf @@ -1,6 +1,6 @@ module "ec2_update_runner_ssm_ami_lambda" { source = "terraform-aws-modules/lambda/aws" - version = "8.5.0" + version = "8.7.0" function_name = "${var.prefix}-ec2-update-runner-ssm-ami" handler = "ec2_update_runner_ssm_ami.lambda_handler" diff --git a/modules/platform/ec2_deployment/ec2_update_runner_tags/main.tf b/modules/platform/ec2_deployment/ec2_update_runner_tags/main.tf index 3ce4cf1f..4763ccc9 100644 --- a/modules/platform/ec2_deployment/ec2_update_runner_tags/main.tf +++ b/modules/platform/ec2_deployment/ec2_update_runner_tags/main.tf @@ -1,6 +1,6 @@ module "ec2_update_runner_tags_lambda" { source = "terraform-aws-modules/lambda/aws" - version = "8.5.0" + version = "8.7.0" function_name = "${var.prefix}-ec2-update-runner-tags" handler = "ec2_update_runner_tags.lambda_handler" diff --git a/modules/platform/forge_runners/forge_trust_validator/main.tf b/modules/platform/forge_runners/forge_trust_validator/main.tf index a90a51e7..2c7cc083 100644 --- a/modules/platform/forge_runners/forge_trust_validator/main.tf +++ b/modules/platform/forge_runners/forge_trust_validator/main.tf @@ -1,6 +1,6 @@ module "forge_trust_validator_lambda" { source = "terraform-aws-modules/lambda/aws" - version = "8.5.0" + version = "8.7.0" function_name = "${var.prefix}-forge-trust-validator" handler = "forge_trust_validator.lambda_handler" diff --git a/modules/platform/forge_runners/github_actions_job_logs/job_log_archiver.tf b/modules/platform/forge_runners/github_actions_job_logs/job_log_archiver.tf index 4c8da634..d0c6e56e 100644 --- a/modules/platform/forge_runners/github_actions_job_logs/job_log_archiver.tf +++ b/modules/platform/forge_runners/github_actions_job_logs/job_log_archiver.tf @@ -5,7 +5,7 @@ locals { module "job_log_archiver" { source = "terraform-aws-modules/lambda/aws" - version = "8.5.0" + version = "8.7.0" function_name = local.resource_name_archiver handler = "job_log_archiver.lambda_handler" diff --git a/modules/platform/forge_runners/github_actions_job_logs/job_log_dispatcher.tf b/modules/platform/forge_runners/github_actions_job_logs/job_log_dispatcher.tf index 34da9fcb..ce863004 100644 --- a/modules/platform/forge_runners/github_actions_job_logs/job_log_dispatcher.tf +++ b/modules/platform/forge_runners/github_actions_job_logs/job_log_dispatcher.tf @@ -4,7 +4,7 @@ locals { module "job_log_dispatcher" { source = "terraform-aws-modules/lambda/aws" - version = "8.5.0" + version = "8.7.0" function_name = local.resource_name_dispatcher handler = "job_log_dispatcher.lambda_handler" diff --git a/modules/platform/forge_runners/github_app_runner_group/main.tf b/modules/platform/forge_runners/github_app_runner_group/main.tf index 2c8733ba..8348a0e5 100644 --- a/modules/platform/forge_runners/github_app_runner_group/main.tf +++ b/modules/platform/forge_runners/github_app_runner_group/main.tf @@ -1,6 +1,6 @@ module "register_github_app_runner_group_lambda" { source = "terraform-aws-modules/lambda/aws" - version = "8.5.0" + version = "8.7.0" function_name = "${var.prefix}-register-github-app-runner-group" handler = "github_app_runner_group.lambda_handler" diff --git a/modules/platform/forge_runners/github_global_lock/main.tf b/modules/platform/forge_runners/github_global_lock/main.tf index ff733512..5bde0895 100644 --- a/modules/platform/forge_runners/github_global_lock/main.tf +++ b/modules/platform/forge_runners/github_global_lock/main.tf @@ -70,7 +70,7 @@ resource "aws_iam_policy" "dynamodb_policy" { ## GitHub Clean Global Lock Lambda module "clean_global_lock_lambda" { source = "terraform-aws-modules/lambda/aws" - version = "8.5.0" + version = "8.7.0" function_name = "${var.prefix}-clean-global-lock" handler = "github_clean_global_lock.lambda_handler" diff --git a/modules/platform/forge_runners/redrive_deadletter/main.tf b/modules/platform/forge_runners/redrive_deadletter/main.tf index 214f4fc9..80d7cea6 100644 --- a/modules/platform/forge_runners/redrive_deadletter/main.tf +++ b/modules/platform/forge_runners/redrive_deadletter/main.tf @@ -1,6 +1,6 @@ module "redrive_deadletter_lambda" { source = "terraform-aws-modules/lambda/aws" - version = "8.5.0" + version = "8.7.0" function_name = "${var.prefix}-redrive-deadletter" handler = "redrive_deadletter.lambda_handler" From e2a42cbebf815ad8b727cd9bee3fcb4975029786 Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Thu, 19 Feb 2026 16:20:27 +0100 Subject: [PATCH 78/85] chore: update splunk-otel-collector-chart to 0.145.0 (#290) * chore: upgrade otel to 0.142.0 * feat: add role for SA * chore: upgrade otel to 0.145.0 * chore: upgrade opentofu version in docker --- .docker/pre-commit/Dockerfile | 2 +- modules/integrations/splunk_otel_eks/iam.tf | 84 +++++++++++++++++++ modules/integrations/splunk_otel_eks/otel.tf | 2 +- modules/integrations/splunk_otel_eks/tags.tf | 4 + .../integrations/splunk_otel_eks/variables.tf | 5 ++ 5 files changed, 95 insertions(+), 2 deletions(-) create mode 100644 modules/integrations/splunk_otel_eks/iam.tf create mode 100644 modules/integrations/splunk_otel_eks/tags.tf diff --git a/.docker/pre-commit/Dockerfile b/.docker/pre-commit/Dockerfile index eeeac3a9..e1dae7d8 100644 --- a/.docker/pre-commit/Dockerfile +++ b/.docker/pre-commit/Dockerfile @@ -96,7 +96,7 @@ RUN set -eux; \ chmod 755 /usr/local/bin/tflint; # renovate: datasource=github-releases depName=opentofu/opentofu registryUrl=https://github.com/ -ARG TOFU_VERSION="1.11.0" +ARG TOFU_VERSION="1.11.5" ARG TOFU_SRC="https://github.com/opentofu/opentofu/releases/download/v${TOFU_VERSION}/tofu_${TOFU_VERSION}_linux_amd64.zip" ARG TOFU_ARTIFACT="tofu.zip" RUN set -eux; \ diff --git a/modules/integrations/splunk_otel_eks/iam.tf b/modules/integrations/splunk_otel_eks/iam.tf new file mode 100644 index 00000000..0792e394 --- /dev/null +++ b/modules/integrations/splunk_otel_eks/iam.tf @@ -0,0 +1,84 @@ +data "aws_iam_openid_connect_provider" "cluster" { + url = data.aws_eks_cluster.cluster.identity[0].oidc[0].issuer +} + +locals { + oidc_provider_arn = data.aws_iam_openid_connect_provider.cluster.arn +} + +data "aws_iam_policy_document" "splunk_otel_assume_role" { + + statement { + effect = "Allow" + + principals { + type = "Service" + identifiers = ["pods.eks.amazonaws.com"] + } + + actions = [ + "sts:AssumeRole", + "sts:TagSession" + ] + } + + statement { + effect = "Allow" + + principals { + type = "Federated" + identifiers = [ + local.oidc_provider_arn + ] + } + + actions = ["sts:AssumeRoleWithWebIdentity"] + + condition { + test = "StringEquals" + variable = "${regex("^arn:aws:iam::\\d+:oidc-provider/(.+)$", local.oidc_provider_arn)[0]}:sub" + values = [ + "system:serviceaccount:splunk-otel-collector:splunk-otel-collector", + ] + } + } +} + +resource "aws_iam_role" "splunk_otel_ec2_describe" { + name = "splunk-otel-${var.cluster_name}-ec2-describe-role" + assume_role_policy = data.aws_iam_policy_document.splunk_otel_assume_role.json + + tags = local.all_security_tags + tags_all = local.all_security_tags +} + +data "aws_iam_policy_document" "ec2_describe_instances" { + statement { + sid = "AllowDescribeInstances" + effect = "Allow" + actions = ["ec2:DescribeInstances"] + resources = ["*"] + } +} + +resource "aws_iam_policy" "ec2_describe_instances" { + name = "splunk-otel-${var.cluster_name}-ec2-describe-policy" + policy = data.aws_iam_policy_document.ec2_describe_instances.json + + tags = local.all_security_tags +} + +resource "aws_iam_role_policy_attachment" "splunk_otel_ec2_describe" { + role = aws_iam_role.splunk_otel_ec2_describe.name + policy_arn = aws_iam_policy.ec2_describe_instances.arn +} + + +resource "aws_eks_pod_identity_association" "eks_pod_identity" { + cluster_name = var.cluster_name + namespace = "splunk-otel-collector" + service_account = "splunk-otel-collector" + role_arn = aws_iam_role.splunk_otel_ec2_describe.arn + + tags = local.all_security_tags +} diff --git a/modules/integrations/splunk_otel_eks/otel.tf b/modules/integrations/splunk_otel_eks/otel.tf index 6a58b33a..758694a0 100644 --- a/modules/integrations/splunk_otel_eks/otel.tf +++ b/modules/integrations/splunk_otel_eks/otel.tf @@ -2,7 +2,7 @@ resource "helm_release" "splunk_otel_collector" { name = "splunk-otel-collector" repository = "https://signalfx.github.io/splunk-otel-collector-chart" chart = "splunk-otel-collector" - version = "0.141.0" + version = "0.145.0" namespace = "splunk-otel-collector" create_namespace = true diff --git a/modules/integrations/splunk_otel_eks/tags.tf b/modules/integrations/splunk_otel_eks/tags.tf new file mode 100644 index 00000000..a527e72f --- /dev/null +++ b/modules/integrations/splunk_otel_eks/tags.tf @@ -0,0 +1,4 @@ +# Common tags we propagate project-wide. +locals { + all_security_tags = merge(var.default_tags, var.tags) +} diff --git a/modules/integrations/splunk_otel_eks/variables.tf b/modules/integrations/splunk_otel_eks/variables.tf index b26f5d83..fc5eb9eb 100644 --- a/modules/integrations/splunk_otel_eks/variables.tf +++ b/modules/integrations/splunk_otel_eks/variables.tf @@ -26,6 +26,11 @@ variable "splunk_otel_collector" { }) } +variable "tags" { + type = map(string) + description = "A map of tags to apply to resources." +} + variable "default_tags" { type = map(string) description = "A map of tags to apply to resources." From 2d7fc080f0c15b57c2baefaa2cccc55635020ca1 Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Mon, 23 Feb 2026 11:47:41 +0100 Subject: [PATCH 79/85] fix: add missing input in splunk_otel_els example (#291) --- .../terragrunt/_global_settings/splunk_otel_eks.hcl | 1 + 1 file changed, 1 insertion(+) diff --git a/examples/deployments/splunk-deployment/terragrunt/_global_settings/splunk_otel_eks.hcl b/examples/deployments/splunk-deployment/terragrunt/_global_settings/splunk_otel_eks.hcl index fdd7600c..0ff7044a 100644 --- a/examples/deployments/splunk-deployment/terragrunt/_global_settings/splunk_otel_eks.hcl +++ b/examples/deployments/splunk-deployment/terragrunt/_global_settings/splunk_otel_eks.hcl @@ -58,5 +58,6 @@ inputs = { splunk_otel_collector = local.eks_settings_data.locals.splunk_otel_collector # Misc + tags = local.tags default_tags = local.default_tags } From 877ed5547ed514fd192f531b6ff15333706a93f5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 6 Mar 2026 11:55:45 +0100 Subject: [PATCH 80/85] chore(deps): bump docker/login-action from 3.7.0 to 4.0.0 (#292) Bumps [docker/login-action](https://github.com/docker/login-action) from 3.7.0 to 4.0.0. - [Release notes](https://github.com/docker/login-action/releases) - [Commits](https://github.com/docker/login-action/compare/c94ce9fb468520275223c153574b00df6fe4bcc9...b45d80f862d83dbcd57f89517bcf500b2ab88fb2) --- updated-dependencies: - dependency-name: docker/login-action dependency-version: 4.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/build-forge-github-app-register.yml | 2 +- .github/workflows/build-pre-commit.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-forge-github-app-register.yml b/.github/workflows/build-forge-github-app-register.yml index 817f97b4..36915180 100644 --- a/.github/workflows/build-forge-github-app-register.yml +++ b/.github/workflows/build-forge-github-app-register.yml @@ -47,7 +47,7 @@ jobs: platforms: ${{ env.PLATFORMS }} - name: Log in to the Container registry - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 + uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} diff --git a/.github/workflows/build-pre-commit.yml b/.github/workflows/build-pre-commit.yml index 8388f8db..4f056328 100644 --- a/.github/workflows/build-pre-commit.yml +++ b/.github/workflows/build-pre-commit.yml @@ -47,7 +47,7 @@ jobs: platforms: ${{ env.PLATFORMS }} - name: Log in to the Container registry - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 + uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} From 9f215c4c9abcd80e4768721dd34119623e13527c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 6 Mar 2026 11:55:57 +0100 Subject: [PATCH 81/85] chore(deps): bump docker/build-push-action from 6.19.2 to 7.0.0 (#293) Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 6.19.2 to 7.0.0. - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](https://github.com/docker/build-push-action/compare/10e90e3645eae34f1e60eeb005ba3a3d33f178e8...d08e5c354a6adb9ed34480a06d141179aa583294) --- updated-dependencies: - dependency-name: docker/build-push-action dependency-version: 7.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/build-forge-github-app-register.yml | 2 +- .github/workflows/build-pre-commit.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-forge-github-app-register.yml b/.github/workflows/build-forge-github-app-register.yml index 36915180..770b7e6e 100644 --- a/.github/workflows/build-forge-github-app-register.yml +++ b/.github/workflows/build-forge-github-app-register.yml @@ -60,7 +60,7 @@ jobs: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - name: Build and push Docker image [forge-github-app-register] - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 + uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 with: context: ./.docker/forge-github-app-register file: .docker/forge-github-app-register/Dockerfile diff --git a/.github/workflows/build-pre-commit.yml b/.github/workflows/build-pre-commit.yml index 4f056328..a1480f0e 100644 --- a/.github/workflows/build-pre-commit.yml +++ b/.github/workflows/build-pre-commit.yml @@ -60,7 +60,7 @@ jobs: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - name: Build and push Docker image [pre-commit] - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 + uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 with: context: . file: .docker/pre-commit/Dockerfile From dd4325debdf60ffa820d1b1baa37a00b163cb042 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 6 Mar 2026 11:56:12 +0100 Subject: [PATCH 82/85] chore(deps): bump docker/metadata-action from 5.10.0 to 6.0.0 (#294) Bumps [docker/metadata-action](https://github.com/docker/metadata-action) from 5.10.0 to 6.0.0. - [Release notes](https://github.com/docker/metadata-action/releases) - [Commits](https://github.com/docker/metadata-action/compare/c299e40c65443455700f0fdfc63efafe5b349051...030e881283bb7a6894de51c315a6bfe6a94e05cf) --- updated-dependencies: - dependency-name: docker/metadata-action dependency-version: 6.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/build-forge-github-app-register.yml | 2 +- .github/workflows/build-pre-commit.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-forge-github-app-register.yml b/.github/workflows/build-forge-github-app-register.yml index 770b7e6e..6615ec47 100644 --- a/.github/workflows/build-forge-github-app-register.yml +++ b/.github/workflows/build-forge-github-app-register.yml @@ -55,7 +55,7 @@ jobs: - name: Extract metadata (tags, labels) for Docker id: meta - uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0 + uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} diff --git a/.github/workflows/build-pre-commit.yml b/.github/workflows/build-pre-commit.yml index a1480f0e..03f54243 100644 --- a/.github/workflows/build-pre-commit.yml +++ b/.github/workflows/build-pre-commit.yml @@ -55,7 +55,7 @@ jobs: - name: Extract metadata (tags, labels) for Docker id: meta - uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0 + uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} From cb8476952b80256ed7b396c0d707a7305dbaeaa1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 6 Mar 2026 11:56:32 +0100 Subject: [PATCH 83/85] chore(deps): bump docker/setup-buildx-action from 3.12.0 to 4.0.0 (#295) Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 3.12.0 to 4.0.0. - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](https://github.com/docker/setup-buildx-action/compare/8d2750c68a42422c14e847fe6c8ac0403b4cbd6f...4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd) --- updated-dependencies: - dependency-name: docker/setup-buildx-action dependency-version: 4.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/build-forge-github-app-register.yml | 2 +- .github/workflows/build-pre-commit.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-forge-github-app-register.yml b/.github/workflows/build-forge-github-app-register.yml index 6615ec47..4621bd30 100644 --- a/.github/workflows/build-forge-github-app-register.yml +++ b/.github/workflows/build-forge-github-app-register.yml @@ -42,7 +42,7 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 with: platforms: ${{ env.PLATFORMS }} diff --git a/.github/workflows/build-pre-commit.yml b/.github/workflows/build-pre-commit.yml index 03f54243..0b87ac6b 100644 --- a/.github/workflows/build-pre-commit.yml +++ b/.github/workflows/build-pre-commit.yml @@ -42,7 +42,7 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 with: platforms: ${{ env.PLATFORMS }} From 6711186ed79a6c179eaa983e5c87a59f8f39939d Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Wed, 11 Mar 2026 21:33:36 +0100 Subject: [PATCH 84/85] chore(renovatebot): update deps (#298) * chore(deps): update dependency opentofu/opentofu to v1.11.5 (#68) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update dependency gruntwork-io/terragrunt to v0.99.4 (#116) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update pre-commit hook pycqa/autoflake to v2.3.3 (#117) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update helm release splunk-otel-collector to v0.145.1 (#118) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update pre-commit hook commitizen-tools/commitizen to v4.13.9 (#120) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update python:3.14-slim docker digest to 9006fc6 (#119) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update python:3.14-slim docker digest to 6a27522 (#124) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update dependency github-aws-runners/terraform-aws-github-runner to v7.4.1 (#127) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update dependency mvdan/sh to v3.13.0 (#126) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update pre-commit hook python-jsonschema/check-jsonschema to v0.37.0 (#123) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update pre-commit hook ansible-community/ansible-lint to v26.3.0 (#121) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update pre-commit hook pycqa/isort to v8 (#122) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * docs: update terraform docs --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- .docker/forge-github-app-register/Dockerfile | 2 +- .docker/pre-commit/Dockerfile | 4 +- .pre-commit-config.yaml | 10 ++--- modules/core/arc/README.md | 4 +- modules/core/arc/scale_set/README.md | 4 +- modules/core/arc/scale_set/versions.tf | 2 +- .../core/arc/scale_set_controller/README.md | 2 +- .../core/arc/scale_set_controller/versions.tf | 2 +- modules/core/arc/versions.tf | 2 +- modules/infra/ami_policy/README.md | 4 +- modules/infra/ami_policy/versions.tf | 2 +- modules/infra/ami_sharing/README.md | 4 +- modules/infra/ami_sharing/versions.tf | 2 +- modules/infra/cloud_custodian/README.md | 4 +- modules/infra/cloud_custodian/versions.tf | 2 +- modules/infra/cloud_formation/README.md | 6 +-- modules/infra/cloud_formation/versions.tf | 2 +- modules/infra/ecr/README.md | 4 +- modules/infra/ecr/versions.tf | 2 +- modules/infra/eks/README.md | 15 +++---- modules/infra/eks/versions.tf | 2 +- modules/infra/forge_subscription/version.tf | 2 +- modules/infra/opt_in_regions/README.md | 4 +- modules/infra/opt_in_regions/versions.tf | 2 +- modules/infra/service_linked_roles/README.md | 4 +- .../infra/service_linked_roles/versions.tf | 2 +- modules/infra/storage/README.md | 6 +-- modules/infra/storage/versions.tf | 2 +- .../README.md | 4 +- .../versions.tf | 2 +- .../README.md | 6 +-- .../versions.tf | 2 +- .../webex_webhook_relay/README.md | 6 +-- .../webex_webhook_relay/versions.tf | 2 +- .../github_webhook_relay_source/README.md | 6 +-- .../github_webhook_relay_source/versions.tf | 2 +- .../integrations/splunk_aws_billing/README.md | 12 +++--- .../splunk_aws_billing/versions.tf | 2 +- .../splunk_cloud_conf_shared/README.md | 10 ++--- .../splunk_cloud_conf_shared/versions.tf | 2 +- .../data_input/versions.tf | 2 +- .../sec_meta_ec2_tags/versions.tf | 2 +- .../splunk_cloud_data_manager/versions.tf | 2 +- .../README.md | 8 ++-- .../versions.tf | 2 +- .../splunk_cloud_s3_runner_logs/README.md | 8 ++-- .../splunk_cloud_s3_runner_logs/versions.tf | 2 +- .../splunk_o11y_aws_integration/README.md | 6 +-- .../splunk_o11y_aws_integration/versions.tf | 2 +- .../README.md | 10 ++--- .../versions.tf | 2 +- .../splunk_o11y_conf_shared/README.md | 8 ++-- .../dashboards/billing/README.md | 4 +- .../dashboards/billing/versions.tf | 2 +- .../dashboards/dynamodb/README.md | 4 +- .../dashboards/dynamodb/versions.tf | 2 +- .../dashboards/ebs/README.md | 4 +- .../dashboards/ebs/versions.tf | 2 +- .../dashboards/lambda/README.md | 4 +- .../dashboards/lambda/versions.tf | 2 +- .../dashboards/runner_ec2/README.md | 4 +- .../dashboards/runner_ec2/versions.tf | 2 +- .../dashboards/runner_k8s/README.md | 4 +- .../dashboards/runner_k8s/versions.tf | 2 +- .../dashboards/sqs/README.md | 4 +- .../dashboards/sqs/versions.tf | 2 +- .../splunk_o11y_conf_shared/versions.tf | 2 +- .../integrations/splunk_otel_eks/README.md | 12 +++++- modules/integrations/splunk_otel_eks/otel.tf | 2 +- .../integrations/splunk_otel_eks/versions.tf | 2 +- .../integrations/splunk_secrets/versions.tf | 2 +- modules/integrations/teleport/README.md | 4 +- .../integrations/teleport/tenant/README.md | 2 +- .../integrations/teleport/tenant/versions.tf | 2 +- modules/integrations/teleport/versions.tf | 2 +- modules/platform/arc_deployment/README.md | 2 +- modules/platform/arc_deployment/versions.tf | 2 +- modules/platform/ec2_deployment/README.md | 11 +++-- .../ec2_update_runner_ssm_ami/README.md | 6 +-- .../ec2_update_runner_ssm_ami/versions.tf | 2 +- .../ec2_update_runner_tags/README.md | 6 +-- .../ec2_update_runner_tags/versions.tf | 2 +- modules/platform/ec2_deployment/main.tf | 2 +- modules/platform/ec2_deployment/versions.tf | 2 +- modules/platform/forge_runners/README.md | 43 ++++++++----------- .../forge_trust_validator/README.md | 6 +-- .../forge_trust_validator/versions.tf | 2 +- .../github_actions_job_logs/README.md | 12 +++--- .../github_actions_job_logs/versions.tf | 2 +- .../github_app_runner_group/README.md | 10 ++--- .../github_app_runner_group/versions.tf | 2 +- .../github_global_lock/README.md | 10 ++--- .../github_global_lock/versions.tf | 2 +- .../github_webhook_relay/README.md | 6 +-- .../github_webhook_relay/versions.tf | 2 +- .../redrive_deadletter/README.md | 6 +-- .../redrive_deadletter/versions.tf | 2 +- modules/platform/forge_runners/versions.tf | 2 +- 98 files changed, 209 insertions(+), 218 deletions(-) diff --git a/.docker/forge-github-app-register/Dockerfile b/.docker/forge-github-app-register/Dockerfile index 68a6ede2..5ff54542 100644 --- a/.docker/forge-github-app-register/Dockerfile +++ b/.docker/forge-github-app-register/Dockerfile @@ -1,4 +1,4 @@ -FROM python:3.14-slim@sha256:486b8092bfb12997e10d4920897213a06563449c951c5506c2a2cfaf591c599f +FROM python:3.14-slim@sha256:6a27522252aef8432841f224d9baaa6e9fce07b07584154fa0b9a96603af7456 RUN useradd --create-home appuser WORKDIR /home/appuser diff --git a/.docker/pre-commit/Dockerfile b/.docker/pre-commit/Dockerfile index e1dae7d8..0d0f77c5 100644 --- a/.docker/pre-commit/Dockerfile +++ b/.docker/pre-commit/Dockerfile @@ -60,7 +60,7 @@ RUN set -eux; \ chmod 755 /usr/local/bin/shellcheck # renovate: datasource=github-releases depName=mvdan/sh registryUrl=https://github.com/ -ARG SHFMT_VERSION="3.12.0" +ARG SHFMT_VERSION="3.13.0" ARG SHFMT_SRC="https://github.com/mvdan/sh/releases/download/v${SHFMT_VERSION}/shfmt_v${SHFMT_VERSION}_linux_amd64" ARG SHFMT_ARTIFACT="shfmt" RUN set -eux; \ @@ -78,7 +78,7 @@ RUN set -eux; \ chmod 755 /usr/local/bin/terraform-docs # renovate: datasource=github-releases depName=gruntwork-io/terragrunt registryUrl=https://github.com/ -ARG TERRAGRUNT_VERSION="0.99.2" +ARG TERRAGRUNT_VERSION="0.99.4" ARG TERRAGRUNT_SRC="https://github.com/gruntwork-io/terragrunt/releases/download/v${TERRAGRUNT_VERSION}/terragrunt_linux_amd64" ARG TERRAGRUNT_ARTIFACT="terragrunt" RUN set -eux; \ diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index f6b88b1d..5031eeb3 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -83,7 +83,7 @@ repos: # Commit Message Hooks # --------------------- - repo: https://github.com/commitizen-tools/commitizen - rev: v4.13.8 + rev: v4.13.9 hooks: - id: commitizen name: Git · Validate commit message @@ -159,13 +159,13 @@ repos: name: Python · autopep8 - repo: https://github.com/PyCQA/isort - rev: 7.0.0 + rev: 8.0.1 hooks: - id: isort name: Python · Import sorter - repo: https://github.com/PyCQA/autoflake - rev: v2.3.2 + rev: v2.3.3 hooks: - id: autoflake name: Python · Remove unused imports @@ -196,7 +196,7 @@ repos: # JSON Schema Hooks # --------------------- - repo: https://github.com/python-jsonschema/check-jsonschema - rev: 0.36.2 + rev: 0.37.0 hooks: - id: check-github-workflows name: JSON Schema · GitHub workflows @@ -266,7 +266,7 @@ repos: # Ansible Hooks # --------------------- - repo: https://github.com/ansible-community/ansible-lint.git - rev: v26.1.1 + rev: v26.3.0 hooks: - id: ansible-lint name: Ansible · Linter diff --git a/modules/core/arc/README.md b/modules/core/arc/README.md index ca7f7186..5a63ae57 100644 --- a/modules/core/arc/README.md +++ b/modules/core/arc/README.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.11.0 | +| [terraform](#requirement\_terraform) | ~> 1.11 | | [aws](#requirement\_aws) | >= 6.25 | | [external](#requirement\_external) | >= 2.3 | | [helm](#requirement\_helm) | >= 3.0.0 | @@ -14,7 +14,7 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.25.0 | +| [aws](#provider\_aws) | 6.35.1 | | [external](#provider\_external) | 2.3.5 | | [kubernetes](#provider\_kubernetes) | 3.0.1 | | [null](#provider\_null) | 3.2.4 | diff --git a/modules/core/arc/scale_set/README.md b/modules/core/arc/scale_set/README.md index bc3e5d0d..8ed3f074 100644 --- a/modules/core/arc/scale_set/README.md +++ b/modules/core/arc/scale_set/README.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.11.0 | +| [terraform](#requirement\_terraform) | ~> 1.11 | | [aws](#requirement\_aws) | >= 6.25 | | [helm](#requirement\_helm) | >= 3.0.0 | | [kubernetes](#requirement\_kubernetes) | >= 3.0 | @@ -12,7 +12,7 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.25.0 | +| [aws](#provider\_aws) | 6.35.1 | | [helm](#provider\_helm) | 3.1.1 | | [kubernetes](#provider\_kubernetes) | 3.0.1 | diff --git a/modules/core/arc/scale_set/versions.tf b/modules/core/arc/scale_set/versions.tf index a91c6e64..056af10a 100644 --- a/modules/core/arc/scale_set/versions.tf +++ b/modules/core/arc/scale_set/versions.tf @@ -15,5 +15,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.11.0" + required_version = "~> 1.11" } diff --git a/modules/core/arc/scale_set_controller/README.md b/modules/core/arc/scale_set_controller/README.md index 1e4927d9..a96426d8 100644 --- a/modules/core/arc/scale_set_controller/README.md +++ b/modules/core/arc/scale_set_controller/README.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.11.0 | +| [terraform](#requirement\_terraform) | ~> 1.11 | | [aws](#requirement\_aws) | >= 6.25 | | [helm](#requirement\_helm) | >= 3.0.0 | | [kubernetes](#requirement\_kubernetes) | >= 3.0 | diff --git a/modules/core/arc/scale_set_controller/versions.tf b/modules/core/arc/scale_set_controller/versions.tf index a91c6e64..056af10a 100644 --- a/modules/core/arc/scale_set_controller/versions.tf +++ b/modules/core/arc/scale_set_controller/versions.tf @@ -15,5 +15,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.11.0" + required_version = "~> 1.11" } diff --git a/modules/core/arc/versions.tf b/modules/core/arc/versions.tf index 68b99849..bb87b70f 100644 --- a/modules/core/arc/versions.tf +++ b/modules/core/arc/versions.tf @@ -23,5 +23,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.11.0" + required_version = "~> 1.11" } diff --git a/modules/infra/ami_policy/README.md b/modules/infra/ami_policy/README.md index a784ffe7..4f5d5121 100644 --- a/modules/infra/ami_policy/README.md +++ b/modules/infra/ami_policy/README.md @@ -3,14 +3,14 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.11.0 | +| [terraform](#requirement\_terraform) | ~> 1.11 | | [aws](#requirement\_aws) | >= 6.25 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.25.0 | +| [aws](#provider\_aws) | 6.35.1 | ## Modules diff --git a/modules/infra/ami_policy/versions.tf b/modules/infra/ami_policy/versions.tf index dc4bbac0..0631ae67 100644 --- a/modules/infra/ami_policy/versions.tf +++ b/modules/infra/ami_policy/versions.tf @@ -8,5 +8,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.11.0" + required_version = "~> 1.11" } diff --git a/modules/infra/ami_sharing/README.md b/modules/infra/ami_sharing/README.md index 9cd3410a..654c0716 100644 --- a/modules/infra/ami_sharing/README.md +++ b/modules/infra/ami_sharing/README.md @@ -3,14 +3,14 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.11.0 | +| [terraform](#requirement\_terraform) | ~> 1.11 | | [aws](#requirement\_aws) | >= 6.25 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.25.0 | +| [aws](#provider\_aws) | 6.35.1 | ## Modules diff --git a/modules/infra/ami_sharing/versions.tf b/modules/infra/ami_sharing/versions.tf index dc4bbac0..0631ae67 100644 --- a/modules/infra/ami_sharing/versions.tf +++ b/modules/infra/ami_sharing/versions.tf @@ -8,5 +8,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.11.0" + required_version = "~> 1.11" } diff --git a/modules/infra/cloud_custodian/README.md b/modules/infra/cloud_custodian/README.md index 1c8ce18d..83dc2c7f 100644 --- a/modules/infra/cloud_custodian/README.md +++ b/modules/infra/cloud_custodian/README.md @@ -3,14 +3,14 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.11.0 | +| [terraform](#requirement\_terraform) | ~> 1.11 | | [aws](#requirement\_aws) | >= 6.25 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.25.0 | +| [aws](#provider\_aws) | 6.35.1 | ## Modules diff --git a/modules/infra/cloud_custodian/versions.tf b/modules/infra/cloud_custodian/versions.tf index dc4bbac0..0631ae67 100644 --- a/modules/infra/cloud_custodian/versions.tf +++ b/modules/infra/cloud_custodian/versions.tf @@ -8,5 +8,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.11.0" + required_version = "~> 1.11" } diff --git a/modules/infra/cloud_formation/README.md b/modules/infra/cloud_formation/README.md index 3bf6f9f9..da244f51 100644 --- a/modules/infra/cloud_formation/README.md +++ b/modules/infra/cloud_formation/README.md @@ -3,14 +3,14 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.11.0 | +| [terraform](#requirement\_terraform) | ~> 1.11 | | [aws](#requirement\_aws) | >= 6.25 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.25.0 | +| [aws](#provider\_aws) | 6.35.1 | ## Modules @@ -24,6 +24,7 @@ No modules. | [aws_iam_role.cloudformation_execution_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_iam_role_policy.admin_assume_execution_role_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | | [aws_iam_role_policy.execution_role_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_iam_policy_document.admin_assume_execution_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.cloudformation_assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.execution_assume_admin_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | @@ -33,7 +34,6 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [aws\_account\_id](#input\_aws\_account\_id) | AWS account ID associated with the infra/backend. | `string` | n/a | yes | | [aws\_profile](#input\_aws\_profile) | AWS profile to use. | `string` | n/a | yes | | [aws\_region](#input\_aws\_region) | Default AWS region. | `string` | n/a | yes | | [default\_tags](#input\_default\_tags) | A map of tags to apply to resources. | `map(string)` | n/a | yes | diff --git a/modules/infra/cloud_formation/versions.tf b/modules/infra/cloud_formation/versions.tf index dc4bbac0..0631ae67 100644 --- a/modules/infra/cloud_formation/versions.tf +++ b/modules/infra/cloud_formation/versions.tf @@ -8,5 +8,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.11.0" + required_version = "~> 1.11" } diff --git a/modules/infra/ecr/README.md b/modules/infra/ecr/README.md index 137d97c3..1f7dd802 100644 --- a/modules/infra/ecr/README.md +++ b/modules/infra/ecr/README.md @@ -3,14 +3,14 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.11.0 | +| [terraform](#requirement\_terraform) | ~> 1.11 | | [aws](#requirement\_aws) | >= 6.25 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.25.0 | +| [aws](#provider\_aws) | 6.35.1 | ## Modules diff --git a/modules/infra/ecr/versions.tf b/modules/infra/ecr/versions.tf index dc4bbac0..0631ae67 100644 --- a/modules/infra/ecr/versions.tf +++ b/modules/infra/ecr/versions.tf @@ -8,5 +8,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.11.0" + required_version = "~> 1.11" } diff --git a/modules/infra/eks/README.md b/modules/infra/eks/README.md index 2019e28d..4a6c49ce 100644 --- a/modules/infra/eks/README.md +++ b/modules/infra/eks/README.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.11.0 | +| [terraform](#requirement\_terraform) | ~> 1.11 | | [aws](#requirement\_aws) | >= 6.25 | | [external](#requirement\_external) | >= 2.3 | | [helm](#requirement\_helm) | >= 3.0.0 | @@ -16,19 +16,18 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.25.0 | +| [aws](#provider\_aws) | 6.35.1 | | [external](#provider\_external) | 2.3.5 | -| [helm](#provider\_helm) | 3.1.1 | | [null](#provider\_null) | 3.2.4 | ## Modules | Name | Source | Version | |------|--------|---------| -| [ebs\_csi\_irsa\_role](#module\_ebs\_csi\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts | 6.2.3 | -| [eks](#module\_eks) | terraform-aws-modules/eks/aws | 21.10.1 | -| [karpenter](#module\_karpenter) | terraform-aws-modules/eks/aws//modules/karpenter | 21.10.1 | -| [self\_managed\_node\_group](#module\_self\_managed\_node\_group) | terraform-aws-modules/eks/aws//modules/self-managed-node-group | 21.10.1 | +| [ebs\_csi\_irsa\_role](#module\_ebs\_csi\_irsa\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts | 6.4.0 | +| [eks](#module\_eks) | terraform-aws-modules/eks/aws | 21.15.1 | +| [karpenter](#module\_karpenter) | terraform-aws-modules/eks/aws//modules/karpenter | 21.15.1 | +| [self\_managed\_node\_group](#module\_self\_managed\_node\_group) | terraform-aws-modules/eks/aws//modules/self-managed-node-group | 21.15.1 | ## Resources @@ -37,9 +36,9 @@ | [aws_eks_addon.aws_ebs_csi_driver](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon) | resource | | [aws_eks_addon.coredns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon) | resource | | [aws_eks_addon.eks_pod_identity_agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon) | resource | -| [helm_release.karpenter](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | | [null_resource.apply_ec2_node_class](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | | [null_resource.apply_node_pool](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [null_resource.karpenter](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | | [null_resource.patch_calico_installation](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | | [null_resource.wait_for_cluster](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | | [aws_ami.eks_default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source | diff --git a/modules/infra/eks/versions.tf b/modules/infra/eks/versions.tf index 6270f195..be0b0b74 100644 --- a/modules/infra/eks/versions.tf +++ b/modules/infra/eks/versions.tf @@ -32,5 +32,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.11.0" + required_version = "~> 1.11" } diff --git a/modules/infra/forge_subscription/version.tf b/modules/infra/forge_subscription/version.tf index dc4bbac0..0631ae67 100644 --- a/modules/infra/forge_subscription/version.tf +++ b/modules/infra/forge_subscription/version.tf @@ -8,5 +8,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.11.0" + required_version = "~> 1.11" } diff --git a/modules/infra/opt_in_regions/README.md b/modules/infra/opt_in_regions/README.md index 4da850f3..a0ccb3f1 100644 --- a/modules/infra/opt_in_regions/README.md +++ b/modules/infra/opt_in_regions/README.md @@ -3,14 +3,14 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.11.0 | +| [terraform](#requirement\_terraform) | ~> 1.11 | | [aws](#requirement\_aws) | >= 6.25 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.25.0 | +| [aws](#provider\_aws) | 6.35.1 | ## Modules diff --git a/modules/infra/opt_in_regions/versions.tf b/modules/infra/opt_in_regions/versions.tf index dc4bbac0..0631ae67 100644 --- a/modules/infra/opt_in_regions/versions.tf +++ b/modules/infra/opt_in_regions/versions.tf @@ -8,5 +8,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.11.0" + required_version = "~> 1.11" } diff --git a/modules/infra/service_linked_roles/README.md b/modules/infra/service_linked_roles/README.md index c05ca026..6da06a59 100644 --- a/modules/infra/service_linked_roles/README.md +++ b/modules/infra/service_linked_roles/README.md @@ -3,14 +3,14 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.11.0 | +| [terraform](#requirement\_terraform) | ~> 1.11 | | [aws](#requirement\_aws) | >= 6.25 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.25.0 | +| [aws](#provider\_aws) | 6.35.1 | ## Modules diff --git a/modules/infra/service_linked_roles/versions.tf b/modules/infra/service_linked_roles/versions.tf index dc4bbac0..0631ae67 100644 --- a/modules/infra/service_linked_roles/versions.tf +++ b/modules/infra/service_linked_roles/versions.tf @@ -8,5 +8,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.11.0" + required_version = "~> 1.11" } diff --git a/modules/infra/storage/README.md b/modules/infra/storage/README.md index e7094768..bd4f06fd 100644 --- a/modules/infra/storage/README.md +++ b/modules/infra/storage/README.md @@ -3,14 +3,14 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.11.0 | +| [terraform](#requirement\_terraform) | ~> 1.11 | | [aws](#requirement\_aws) | >= 6.25 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.25.0 | +| [aws](#provider\_aws) | 6.35.1 | ## Modules @@ -31,12 +31,12 @@ No modules. | [aws_s3_bucket_server_side_encryption_configuration.s3_short_term_settings](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | | [aws_s3_bucket_versioning.s3_long_term](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource | | [aws_s3_bucket_versioning.s3_short_term](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [aws\_account\_id](#input\_aws\_account\_id) | AWS account ID (not SL AWS account ID) associated with the infra/backend. | `string` | n/a | yes | | [aws\_profile](#input\_aws\_profile) | AWS profile to use. | `string` | n/a | yes | | [aws\_region](#input\_aws\_region) | Default AWS region. | `string` | n/a | yes | | [default\_tags](#input\_default\_tags) | A map of tags to apply to resources. | `map(string)` | n/a | yes | diff --git a/modules/infra/storage/versions.tf b/modules/infra/storage/versions.tf index dc4bbac0..0631ae67 100644 --- a/modules/infra/storage/versions.tf +++ b/modules/infra/storage/versions.tf @@ -8,5 +8,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.11.0" + required_version = "~> 1.11" } diff --git a/modules/integrations/github_webhook_relay_destination/README.md b/modules/integrations/github_webhook_relay_destination/README.md index 506900cc..c4ba6421 100644 --- a/modules/integrations/github_webhook_relay_destination/README.md +++ b/modules/integrations/github_webhook_relay_destination/README.md @@ -40,7 +40,7 @@ graph TD | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.11.0 | +| [terraform](#requirement\_terraform) | ~> 1.11 | | [aws](#requirement\_aws) | >= 6.25 | | [external](#requirement\_external) | >= 2.3 | @@ -48,7 +48,7 @@ graph TD | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.25.0 | +| [aws](#provider\_aws) | 6.35.1 | | [external](#provider\_external) | 2.3.5 | ## Modules diff --git a/modules/integrations/github_webhook_relay_destination/versions.tf b/modules/integrations/github_webhook_relay_destination/versions.tf index 87069c2c..fae886cc 100644 --- a/modules/integrations/github_webhook_relay_destination/versions.tf +++ b/modules/integrations/github_webhook_relay_destination/versions.tf @@ -12,5 +12,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.11.0" + required_version = "~> 1.11" } diff --git a/modules/integrations/github_webhook_relay_destination_receivers/README.md b/modules/integrations/github_webhook_relay_destination_receivers/README.md index f9bec9d9..50390365 100644 --- a/modules/integrations/github_webhook_relay_destination_receivers/README.md +++ b/modules/integrations/github_webhook_relay_destination_receivers/README.md @@ -3,14 +3,14 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.11.0 | +| [terraform](#requirement\_terraform) | ~> 1.11 | | [aws](#requirement\_aws) | >= 6.25 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.25.0 | +| [aws](#provider\_aws) | 6.35.1 | ## Modules @@ -29,7 +29,7 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [aws\_profile](#input\_aws\_profile) | AWS profile (i.e., generated via 'sl aws session generate') to use. | `string` | n/a | yes | +| [aws\_profile](#input\_aws\_profile) | AWS profile to use. | `string` | n/a | yes | | [aws\_region](#input\_aws\_region) | Default AWS region. | `string` | n/a | yes | | [default\_tags](#input\_default\_tags) | A map of tags to apply to resources. | `map(string)` | n/a | yes | | [enable\_webex\_webhook\_relay](#input\_enable\_webex\_webhook\_relay) | Enable Webex webhook relay. | `bool` | n/a | yes | diff --git a/modules/integrations/github_webhook_relay_destination_receivers/versions.tf b/modules/integrations/github_webhook_relay_destination_receivers/versions.tf index dc4bbac0..0631ae67 100644 --- a/modules/integrations/github_webhook_relay_destination_receivers/versions.tf +++ b/modules/integrations/github_webhook_relay_destination_receivers/versions.tf @@ -8,5 +8,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.11.0" + required_version = "~> 1.11" } diff --git a/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/README.md b/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/README.md index 6b2d9abb..81151965 100644 --- a/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/README.md +++ b/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/README.md @@ -47,7 +47,7 @@ Both `token` and `room_id` keys are required. The function will prepend `Bearer | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.11.0 | +| [terraform](#requirement\_terraform) | ~> 1.11 | | [aws](#requirement\_aws) | >= 6.25 | | [time](#requirement\_time) | >= 0.13.1 | @@ -55,14 +55,14 @@ Both `token` and `room_id` keys are required. The function will prepend `Bearer | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.25.0 | +| [aws](#provider\_aws) | 6.35.1 | | [time](#provider\_time) | 0.13.1 | ## Modules | Name | Source | Version | |------|--------|---------| -| [webex](#module\_webex) | terraform-aws-modules/lambda/aws | 8.1.2 | +| [webex](#module\_webex) | terraform-aws-modules/lambda/aws | 8.7.0 | ## Resources diff --git a/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/versions.tf b/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/versions.tf index 912bb250..38608bd6 100644 --- a/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/versions.tf +++ b/modules/integrations/github_webhook_relay_destination_receivers/webex_webhook_relay/versions.tf @@ -12,5 +12,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.11.0" + required_version = "~> 1.11" } diff --git a/modules/integrations/github_webhook_relay_source/README.md b/modules/integrations/github_webhook_relay_source/README.md index 1a2ad6a8..bfb28308 100644 --- a/modules/integrations/github_webhook_relay_source/README.md +++ b/modules/integrations/github_webhook_relay_source/README.md @@ -59,20 +59,20 @@ curl -X POST "$(terraform output -raw webhook_endpoint)/webhook" \ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.11.0 | +| [terraform](#requirement\_terraform) | ~> 1.11 | | [aws](#requirement\_aws) | >= 6.25 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.25.0 | +| [aws](#provider\_aws) | 6.35.1 | ## Modules | Name | Source | Version | |------|--------|---------| -| [validate\_signature\_lambda](#module\_validate\_signature\_lambda) | terraform-aws-modules/lambda/aws | 8.1.2 | +| [validate\_signature\_lambda](#module\_validate\_signature\_lambda) | terraform-aws-modules/lambda/aws | 8.7.0 | ## Resources diff --git a/modules/integrations/github_webhook_relay_source/versions.tf b/modules/integrations/github_webhook_relay_source/versions.tf index dc4bbac0..0631ae67 100644 --- a/modules/integrations/github_webhook_relay_source/versions.tf +++ b/modules/integrations/github_webhook_relay_source/versions.tf @@ -8,5 +8,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.11.0" + required_version = "~> 1.11" } diff --git a/modules/integrations/splunk_aws_billing/README.md b/modules/integrations/splunk_aws_billing/README.md index 2310ffa5..606c96af 100644 --- a/modules/integrations/splunk_aws_billing/README.md +++ b/modules/integrations/splunk_aws_billing/README.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.11.0 | +| [terraform](#requirement\_terraform) | ~> 1.11 | | [archive](#requirement\_archive) | >= 2.7.0 | | [aws](#requirement\_aws) | >= 6.25 | | [external](#requirement\_external) | >= 2.3 | @@ -14,15 +14,15 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.25.0 | +| [aws](#provider\_aws) | 6.35.1 | ## Modules | Name | Source | Version | |------|--------|---------| -| [cur\_per\_resource](#module\_cur\_per\_resource) | terraform-aws-modules/lambda/aws | 8.1.2 | -| [cur\_per\_resource\_process](#module\_cur\_per\_resource\_process) | terraform-aws-modules/lambda/aws | 8.1.2 | -| [cur\_per\_service](#module\_cur\_per\_service) | terraform-aws-modules/lambda/aws | 8.1.2 | +| [cur\_per\_resource](#module\_cur\_per\_resource) | terraform-aws-modules/lambda/aws | 8.7.0 | +| [cur\_per\_resource\_process](#module\_cur\_per\_resource\_process) | terraform-aws-modules/lambda/aws | 8.7.0 | +| [cur\_per\_service](#module\_cur\_per\_service) | terraform-aws-modules/lambda/aws | 8.7.0 | ## Resources @@ -54,7 +54,7 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [aws\_profile](#input\_aws\_profile) | AWS profile (i.e., generated via 'sl aws session generate') to use. | `string` | n/a | yes | +| [aws\_profile](#input\_aws\_profile) | AWS profile to use. | `string` | n/a | yes | | [aws\_region](#input\_aws\_region) | Default AWS region. | `string` | n/a | yes | | [default\_tags](#input\_default\_tags) | A map of tags to apply to resources. | `map(string)` | n/a | yes | | [log\_level](#input\_log\_level) | Log level for application logging (e.g., INFO, DEBUG, WARN, ERROR) | `string` | `"INFO"` | no | diff --git a/modules/integrations/splunk_aws_billing/versions.tf b/modules/integrations/splunk_aws_billing/versions.tf index d9c88676..813a327a 100644 --- a/modules/integrations/splunk_aws_billing/versions.tf +++ b/modules/integrations/splunk_aws_billing/versions.tf @@ -23,5 +23,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.11.0" + required_version = "~> 1.11" } diff --git a/modules/integrations/splunk_cloud_conf_shared/README.md b/modules/integrations/splunk_cloud_conf_shared/README.md index a4c52fd4..a07b3888 100644 --- a/modules/integrations/splunk_cloud_conf_shared/README.md +++ b/modules/integrations/splunk_cloud_conf_shared/README.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.11.0 | +| [terraform](#requirement\_terraform) | ~> 1.11 | | [aws](#requirement\_aws) | >= 6.25 | | [splunk](#requirement\_splunk) | >= 1.4.30 | @@ -11,8 +11,8 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.25.0 | -| [splunk](#provider\_splunk) | 1.4.32 | +| [aws](#provider\_aws) | 6.35.1 | +| [splunk](#provider\_splunk) | 1.4.34 | ## Modules @@ -64,8 +64,8 @@ No modules. | [splunk_configs_conf.forgecicd_runner_logs_tenant_fields_logs](https://registry.terraform.io/providers/splunk/splunk/latest/docs/resources/configs_conf) | resource | | [splunk_configs_conf.forgecicd_trust_validation](https://registry.terraform.io/providers/splunk/splunk/latest/docs/resources/configs_conf) | resource | | [splunk_data_ui_views.ci_jobs](https://registry.terraform.io/providers/splunk/splunk/latest/docs/resources/data_ui_views) | resource | -| [splunk_data_ui_views.ec2_scale_up_errors](https://registry.terraform.io/providers/splunk/splunk/latest/docs/resources/data_ui_views) | resource | | [splunk_data_ui_views.tenant](https://registry.terraform.io/providers/splunk/splunk/latest/docs/resources/data_ui_views) | resource | +| [splunk_data_ui_views.trust_relationship_validation](https://registry.terraform.io/providers/splunk/splunk/latest/docs/resources/data_ui_views) | resource | | [aws_secretsmanager_secret.secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source | | [aws_secretsmanager_secret_version.secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret_version) | data source | @@ -76,7 +76,7 @@ No modules. | [aws\_profile](#input\_aws\_profile) | AWS profile to use. | `string` | n/a | yes | | [aws\_region](#input\_aws\_region) | Assuming single region for now. | `string` | n/a | yes | | [default\_tags](#input\_default\_tags) | A map of tags to apply to resources. | `map(string)` | n/a | yes | -| [splunk\_conf](#input\_splunk\_conf) | n/a | 
object({
    splunk_cloud = string
    acl = object({
      app     = string
      owner   = string
      sharing = string
      read    = list(string)
      write   = list(string)
    })
    index   = string
    tenant_names = list(string)
  })
| n/a | yes | +| [splunk\_conf](#input\_splunk\_conf) | n/a | 
object({
    splunk_cloud = string
    acl = object({
      app     = string
      owner   = string
      sharing = string
      read    = list(string)
      write   = list(string)
    })
    index        = string
    tenant_names = list(string)
  })
| n/a | yes | ## Outputs diff --git a/modules/integrations/splunk_cloud_conf_shared/versions.tf b/modules/integrations/splunk_cloud_conf_shared/versions.tf index e323bba2..790b95f2 100644 --- a/modules/integrations/splunk_cloud_conf_shared/versions.tf +++ b/modules/integrations/splunk_cloud_conf_shared/versions.tf @@ -11,5 +11,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.11.0" + required_version = "~> 1.11" } diff --git a/modules/integrations/splunk_cloud_data_manager/data_input/versions.tf b/modules/integrations/splunk_cloud_data_manager/data_input/versions.tf index f0e90fec..86cb8743 100644 --- a/modules/integrations/splunk_cloud_data_manager/data_input/versions.tf +++ b/modules/integrations/splunk_cloud_data_manager/data_input/versions.tf @@ -28,5 +28,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.11.0" + required_version = "~> 1.11" } diff --git a/modules/integrations/splunk_cloud_data_manager/sec_meta_ec2_tags/versions.tf b/modules/integrations/splunk_cloud_data_manager/sec_meta_ec2_tags/versions.tf index dc4bbac0..0631ae67 100644 --- a/modules/integrations/splunk_cloud_data_manager/sec_meta_ec2_tags/versions.tf +++ b/modules/integrations/splunk_cloud_data_manager/sec_meta_ec2_tags/versions.tf @@ -8,5 +8,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.11.0" + required_version = "~> 1.11" } diff --git a/modules/integrations/splunk_cloud_data_manager/versions.tf b/modules/integrations/splunk_cloud_data_manager/versions.tf index f0e90fec..86cb8743 100644 --- a/modules/integrations/splunk_cloud_data_manager/versions.tf +++ b/modules/integrations/splunk_cloud_data_manager/versions.tf @@ -28,5 +28,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.11.0" + required_version = "~> 1.11" } diff --git a/modules/integrations/splunk_cloud_data_manager_common/README.md b/modules/integrations/splunk_cloud_data_manager_common/README.md index 45dcffee..78899e79 100644 --- a/modules/integrations/splunk_cloud_data_manager_common/README.md +++ b/modules/integrations/splunk_cloud_data_manager_common/README.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.11.0 | +| [terraform](#requirement\_terraform) | ~> 1.11 | | [aws](#requirement\_aws) | >= 6.25 | | [external](#requirement\_external) | >= 2.3 | @@ -11,7 +11,7 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.25.0 | +| [aws](#provider\_aws) | 6.35.1 | | [external](#provider\_external) | 2.3.5 | ## Modules @@ -24,6 +24,7 @@ No modules. |------|------| | [aws_iam_role.splunk_dm_read_only](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_iam_role_policy.splunk_dm_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_iam_policy_document.splunk_dm_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_secretsmanager_secret.secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source | | [aws_secretsmanager_secret_version.secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret_version) | data source | @@ -34,8 +35,7 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [aws\_account\_id](#input\_aws\_account\_id) | AWS account ID (not SL AWS account ID) associated with the infra/backend. | `string` | n/a | yes | -| [aws\_profile](#input\_aws\_profile) | AWS profile (i.e., generated via 'sl aws session generate') to use. | `string` | n/a | yes | +| [aws\_profile](#input\_aws\_profile) | AWS profile to use. | `string` | n/a | yes | | [aws\_region](#input\_aws\_region) | Default AWS region. | `string` | n/a | yes | | [default\_tags](#input\_default\_tags) | A map of tags to apply to resources. | `map(string)` | n/a | yes | | [splunk\_cloud](#input\_splunk\_cloud) | Splunk Cloud endpoint. | `string` | n/a | yes | diff --git a/modules/integrations/splunk_cloud_data_manager_common/versions.tf b/modules/integrations/splunk_cloud_data_manager_common/versions.tf index 87069c2c..fae886cc 100644 --- a/modules/integrations/splunk_cloud_data_manager_common/versions.tf +++ b/modules/integrations/splunk_cloud_data_manager_common/versions.tf @@ -12,5 +12,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.11.0" + required_version = "~> 1.11" } diff --git a/modules/integrations/splunk_cloud_s3_runner_logs/README.md b/modules/integrations/splunk_cloud_s3_runner_logs/README.md index 2c33f261..0e575d04 100644 --- a/modules/integrations/splunk_cloud_s3_runner_logs/README.md +++ b/modules/integrations/splunk_cloud_s3_runner_logs/README.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.11.0 | +| [terraform](#requirement\_terraform) | ~> 1.11 | | [aws](#requirement\_aws) | >= 6.25 | | [external](#requirement\_external) | >= 2.3 | @@ -11,14 +11,14 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.25.0 | +| [aws](#provider\_aws) | 6.35.1 | | [external](#provider\_external) | 2.3.5 | ## Modules | Name | Source | Version | |------|--------|---------| -| [splunk\_s3\_runner\_logs\_lambda](#module\_splunk\_s3\_runner\_logs\_lambda) | terraform-aws-modules/lambda/aws | 8.1.2 | +| [splunk\_s3\_runner\_logs\_lambda](#module\_splunk\_s3\_runner\_logs\_lambda) | terraform-aws-modules/lambda/aws | 8.7.0 | ## Resources @@ -55,7 +55,7 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [aws\_profile](#input\_aws\_profile) | AWS profile (i.e., generated via 'sl aws session generate') to use. | `string` | n/a | yes | +| [aws\_profile](#input\_aws\_profile) | AWS profile to use. | `string` | n/a | yes | | [aws\_region](#input\_aws\_region) | Default AWS region. | `string` | n/a | yes | | [default\_tags](#input\_default\_tags) | A map of tags to apply to resources. | `map(string)` | n/a | yes | | [log\_level](#input\_log\_level) | Log level for application logging (e.g., INFO, DEBUG, WARN, ERROR) | `string` | `"INFO"` | no | diff --git a/modules/integrations/splunk_cloud_s3_runner_logs/versions.tf b/modules/integrations/splunk_cloud_s3_runner_logs/versions.tf index 87069c2c..fae886cc 100644 --- a/modules/integrations/splunk_cloud_s3_runner_logs/versions.tf +++ b/modules/integrations/splunk_cloud_s3_runner_logs/versions.tf @@ -12,5 +12,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.11.0" + required_version = "~> 1.11" } diff --git a/modules/integrations/splunk_o11y_aws_integration/README.md b/modules/integrations/splunk_o11y_aws_integration/README.md index 37e4a8a8..662d0e95 100644 --- a/modules/integrations/splunk_o11y_aws_integration/README.md +++ b/modules/integrations/splunk_o11y_aws_integration/README.md @@ -3,14 +3,14 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.11.0 | +| [terraform](#requirement\_terraform) | ~> 1.11 | | [aws](#requirement\_aws) | >= 6.25 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.25.0 | +| [aws](#provider\_aws) | 6.35.1 | ## Modules @@ -28,7 +28,7 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [aws\_profile](#input\_aws\_profile) | AWS profile (i.e., generated via 'sl aws session generate') to use. | `string` | n/a | yes | +| [aws\_profile](#input\_aws\_profile) | AWS profile to use. | `string` | n/a | yes | | [aws\_region](#input\_aws\_region) | Default AWS region. | `string` | n/a | yes | | [default\_tags](#input\_default\_tags) | A map of tags to apply to resources. | `map(string)` | n/a | yes | | [splunk\_ingest\_url](#input\_splunk\_ingest\_url) | URL for Splunk Ingest. | `string` | n/a | yes | diff --git a/modules/integrations/splunk_o11y_aws_integration/versions.tf b/modules/integrations/splunk_o11y_aws_integration/versions.tf index dc4bbac0..0631ae67 100644 --- a/modules/integrations/splunk_o11y_aws_integration/versions.tf +++ b/modules/integrations/splunk_o11y_aws_integration/versions.tf @@ -8,5 +8,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.11.0" + required_version = "~> 1.11" } diff --git a/modules/integrations/splunk_o11y_aws_integration_common/README.md b/modules/integrations/splunk_o11y_aws_integration_common/README.md index 39eb0e9c..e10c1bf8 100644 --- a/modules/integrations/splunk_o11y_aws_integration_common/README.md +++ b/modules/integrations/splunk_o11y_aws_integration_common/README.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.11.0 | +| [terraform](#requirement\_terraform) | ~> 1.11 | | [aws](#requirement\_aws) | >= 6.25 | | [signalfx](#requirement\_signalfx) | < 10.0.0 | | [time](#requirement\_time) | >= 0.13 | @@ -12,8 +12,8 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.25.0 | -| [signalfx](#provider\_signalfx) | 9.23.0 | +| [aws](#provider\_aws) | 6.35.1 | +| [signalfx](#provider\_signalfx) | 9.25.1 | | [time](#provider\_time) | 0.13.1 | ## Modules @@ -30,6 +30,7 @@ No modules. | [signalfx_aws_external_integration.integration](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/aws_external_integration) | resource | | [signalfx_aws_integration.integration](https://registry.terraform.io/providers/splunk-terraform/signalfx/latest/docs/resources/aws_integration) | resource | | [time_sleep.wait_30_seconds](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_iam_policy_document.assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.splunk_integration](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.splunk_managed_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | @@ -40,8 +41,7 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [aws\_account\_id](#input\_aws\_account\_id) | AWS account ID (not SL AWS account ID) associated with the infra/backend. | `string` | n/a | yes | -| [aws\_profile](#input\_aws\_profile) | AWS profile (i.e., generated via 'sl aws session generate') to use. | `string` | n/a | yes | +| [aws\_profile](#input\_aws\_profile) | AWS profile to use. | `string` | n/a | yes | | [aws\_region](#input\_aws\_region) | Default AWS region. | `string` | n/a | yes | | [default\_tags](#input\_default\_tags) | A map of tags to apply to resources. | `map(string)` | n/a | yes | | [integration\_name](#input\_integration\_name) | Name of the integration. | `string` | n/a | yes | diff --git a/modules/integrations/splunk_o11y_aws_integration_common/versions.tf b/modules/integrations/splunk_o11y_aws_integration_common/versions.tf index 3edc27f3..fb9236a1 100644 --- a/modules/integrations/splunk_o11y_aws_integration_common/versions.tf +++ b/modules/integrations/splunk_o11y_aws_integration_common/versions.tf @@ -16,5 +16,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.11.0" + required_version = "~> 1.11" } diff --git a/modules/integrations/splunk_o11y_conf_shared/README.md b/modules/integrations/splunk_o11y_conf_shared/README.md index 5e1ae0ef..3fbdddfd 100644 --- a/modules/integrations/splunk_o11y_conf_shared/README.md +++ b/modules/integrations/splunk_o11y_conf_shared/README.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.11.0 | +| [terraform](#requirement\_terraform) | ~> 1.11 | | [aws](#requirement\_aws) | >= 6.25 | | [signalfx](#requirement\_signalfx) | < 10.0.0 | @@ -11,8 +11,8 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.25.0 | -| [signalfx](#provider\_signalfx) | 9.23.0 | +| [aws](#provider\_aws) | 6.35.1 | +| [signalfx](#provider\_signalfx) | 9.25.1 | ## Modules @@ -38,7 +38,7 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [aws\_profile](#input\_aws\_profile) | AWS profile (i.e., generated via 'sl aws session generate') to use. | `string` | n/a | yes | +| [aws\_profile](#input\_aws\_profile) | AWS profile to use. | `string` | n/a | yes | | [aws\_region](#input\_aws\_region) | Default AWS region. | `string` | n/a | yes | | [dashboard\_variables](#input\_dashboard\_variables) | Variables for Dashboards | 
object({
    runner_k8s = object({
      tenant_names = list(string)
      dynamic_variables = list(object({
        property               = string
        alias                  = string
        description            = string
        values                 = list(string)
        value_required         = bool
        values_suggested       = list(string)
        restricted_suggestions = bool
        }
      ))
    })
    runner_ec2 = object({
      tenant_names = list(string)
      dynamic_variables = list(object({
        property               = string
        alias                  = string
        description            = string
        values                 = list(string)
        value_required         = bool
        values_suggested       = list(string)
        restricted_suggestions = bool
        }
      ))
    })
    billing = object({
      tenant_names = list(string)
      dynamic_variables = list(object({
        property               = string
        alias                  = string
        description            = string
        values                 = list(string)
        value_required         = bool
        values_suggested       = list(string)
        restricted_suggestions = bool
        }
      ))
    })
    sqs = object({
      tenant_names = list(string)
      dynamic_variables = list(object({
        property               = string
        alias                  = string
        description            = string
        values                 = list(string)
        value_required         = bool
        values_suggested       = list(string)
        restricted_suggestions = bool
        }
      ))
    })
    ebs = object({
      tenant_names = list(string)
      dynamic_variables = list(object({
        property               = string
        alias                  = string
        description            = string
        values                 = list(string)
        value_required         = bool
        values_suggested       = list(string)
        restricted_suggestions = bool
        }
      ))
    })
    lambda = object({
      tenant_names = list(string)
      dynamic_variables = list(object({
        property               = string
        alias                  = string
        description            = string
        values                 = list(string)
        value_required         = bool
        values_suggested       = list(string)
        restricted_suggestions = bool
        }
      ))
    })
    dynamodb = object({
      tenant_names = list(string)
      dynamic_variables = list(object({
        property               = string
        alias                  = string
        description            = string
        values                 = list(string)
        value_required         = bool
        values_suggested       = list(string)
        restricted_suggestions = bool
        }
      ))
    })
  })
| n/a | yes | | [default\_tags](#input\_default\_tags) | A map of tags to apply to resources. | `map(string)` | n/a | yes | diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/billing/README.md b/modules/integrations/splunk_o11y_conf_shared/dashboards/billing/README.md index cf7e1d21..1b9696a5 100644 --- a/modules/integrations/splunk_o11y_conf_shared/dashboards/billing/README.md +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/billing/README.md @@ -3,14 +3,14 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.11.0 | +| [terraform](#requirement\_terraform) | ~> 1.11 | | [signalfx](#requirement\_signalfx) | < 10.0.0 | ## Providers | Name | Version | |------|---------| -| [signalfx](#provider\_signalfx) | 9.23.0 | +| [signalfx](#provider\_signalfx) | 9.25.1 | ## Modules diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/billing/versions.tf b/modules/integrations/splunk_o11y_conf_shared/dashboards/billing/versions.tf index f47f5818..dded539f 100644 --- a/modules/integrations/splunk_o11y_conf_shared/dashboards/billing/versions.tf +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/billing/versions.tf @@ -8,5 +8,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.11.0" + required_version = "~> 1.11" } diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/dynamodb/README.md b/modules/integrations/splunk_o11y_conf_shared/dashboards/dynamodb/README.md index ae34b57d..09ad4894 100644 --- a/modules/integrations/splunk_o11y_conf_shared/dashboards/dynamodb/README.md +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/dynamodb/README.md @@ -3,14 +3,14 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.11.0 | +| [terraform](#requirement\_terraform) | ~> 1.11 | | [signalfx](#requirement\_signalfx) | < 10.0.0 | ## Providers | Name | Version | |------|---------| -| [signalfx](#provider\_signalfx) | 9.23.0 | +| [signalfx](#provider\_signalfx) | 9.25.1 | ## Modules diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/dynamodb/versions.tf b/modules/integrations/splunk_o11y_conf_shared/dashboards/dynamodb/versions.tf index f47f5818..dded539f 100644 --- a/modules/integrations/splunk_o11y_conf_shared/dashboards/dynamodb/versions.tf +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/dynamodb/versions.tf @@ -8,5 +8,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.11.0" + required_version = "~> 1.11" } diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/ebs/README.md b/modules/integrations/splunk_o11y_conf_shared/dashboards/ebs/README.md index 04e73a5c..7ac85a61 100644 --- a/modules/integrations/splunk_o11y_conf_shared/dashboards/ebs/README.md +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/ebs/README.md @@ -3,14 +3,14 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.11.0 | +| [terraform](#requirement\_terraform) | ~> 1.11 | | [signalfx](#requirement\_signalfx) | < 10.0.0 | ## Providers | Name | Version | |------|---------| -| [signalfx](#provider\_signalfx) | 9.23.0 | +| [signalfx](#provider\_signalfx) | 9.25.1 | ## Modules diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/ebs/versions.tf b/modules/integrations/splunk_o11y_conf_shared/dashboards/ebs/versions.tf index f47f5818..dded539f 100644 --- a/modules/integrations/splunk_o11y_conf_shared/dashboards/ebs/versions.tf +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/ebs/versions.tf @@ -8,5 +8,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.11.0" + required_version = "~> 1.11" } diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/lambda/README.md b/modules/integrations/splunk_o11y_conf_shared/dashboards/lambda/README.md index e8b11bec..20982d27 100644 --- a/modules/integrations/splunk_o11y_conf_shared/dashboards/lambda/README.md +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/lambda/README.md @@ -3,14 +3,14 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.11.0 | +| [terraform](#requirement\_terraform) | ~> 1.11 | | [signalfx](#requirement\_signalfx) | < 10.0.0 | ## Providers | Name | Version | |------|---------| -| [signalfx](#provider\_signalfx) | 9.23.0 | +| [signalfx](#provider\_signalfx) | 9.25.1 | ## Modules diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/lambda/versions.tf b/modules/integrations/splunk_o11y_conf_shared/dashboards/lambda/versions.tf index f47f5818..dded539f 100644 --- a/modules/integrations/splunk_o11y_conf_shared/dashboards/lambda/versions.tf +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/lambda/versions.tf @@ -8,5 +8,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.11.0" + required_version = "~> 1.11" } diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_ec2/README.md b/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_ec2/README.md index 9dbe8e10..bbb56528 100644 --- a/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_ec2/README.md +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_ec2/README.md @@ -3,14 +3,14 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.11.0 | +| [terraform](#requirement\_terraform) | ~> 1.11 | | [signalfx](#requirement\_signalfx) | < 10.0.0 | ## Providers | Name | Version | |------|---------| -| [signalfx](#provider\_signalfx) | 9.23.0 | +| [signalfx](#provider\_signalfx) | 9.25.1 | ## Modules diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_ec2/versions.tf b/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_ec2/versions.tf index f47f5818..dded539f 100644 --- a/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_ec2/versions.tf +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_ec2/versions.tf @@ -8,5 +8,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.11.0" + required_version = "~> 1.11" } diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_k8s/README.md b/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_k8s/README.md index 2ba6def4..0dd4bf76 100644 --- a/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_k8s/README.md +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_k8s/README.md @@ -3,14 +3,14 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.11.0 | +| [terraform](#requirement\_terraform) | ~> 1.11 | | [signalfx](#requirement\_signalfx) | < 10.0.0 | ## Providers | Name | Version | |------|---------| -| [signalfx](#provider\_signalfx) | 9.23.0 | +| [signalfx](#provider\_signalfx) | 9.25.1 | ## Modules diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_k8s/versions.tf b/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_k8s/versions.tf index f47f5818..dded539f 100644 --- a/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_k8s/versions.tf +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/runner_k8s/versions.tf @@ -8,5 +8,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.11.0" + required_version = "~> 1.11" } diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/sqs/README.md b/modules/integrations/splunk_o11y_conf_shared/dashboards/sqs/README.md index dc685a25..0ccf41e5 100644 --- a/modules/integrations/splunk_o11y_conf_shared/dashboards/sqs/README.md +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/sqs/README.md @@ -3,14 +3,14 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.11.0 | +| [terraform](#requirement\_terraform) | ~> 1.11 | | [signalfx](#requirement\_signalfx) | < 10.0.0 | ## Providers | Name | Version | |------|---------| -| [signalfx](#provider\_signalfx) | 9.23.0 | +| [signalfx](#provider\_signalfx) | 9.25.1 | ## Modules diff --git a/modules/integrations/splunk_o11y_conf_shared/dashboards/sqs/versions.tf b/modules/integrations/splunk_o11y_conf_shared/dashboards/sqs/versions.tf index f47f5818..dded539f 100644 --- a/modules/integrations/splunk_o11y_conf_shared/dashboards/sqs/versions.tf +++ b/modules/integrations/splunk_o11y_conf_shared/dashboards/sqs/versions.tf @@ -8,5 +8,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.11.0" + required_version = "~> 1.11" } diff --git a/modules/integrations/splunk_o11y_conf_shared/versions.tf b/modules/integrations/splunk_o11y_conf_shared/versions.tf index f2cc72c9..50012663 100644 --- a/modules/integrations/splunk_o11y_conf_shared/versions.tf +++ b/modules/integrations/splunk_o11y_conf_shared/versions.tf @@ -12,5 +12,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.11.0" + required_version = "~> 1.11" } diff --git a/modules/integrations/splunk_otel_eks/README.md b/modules/integrations/splunk_otel_eks/README.md index 6ebdd093..b7c2ac02 100644 --- a/modules/integrations/splunk_otel_eks/README.md +++ b/modules/integrations/splunk_otel_eks/README.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.11.0 | +| [terraform](#requirement\_terraform) | ~> 1.11 | | [aws](#requirement\_aws) | >= 6.25 | | [helm](#requirement\_helm) | >= 3.0.0 | | [kubernetes](#requirement\_kubernetes) | >= 3.0 | @@ -12,7 +12,7 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.25.0 | +| [aws](#provider\_aws) | 6.35.1 | | [helm](#provider\_helm) | 3.1.1 | ## Modules @@ -23,9 +23,16 @@ No modules. | Name | Type | |------|------| +| [aws_eks_pod_identity_association.eks_pod_identity](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_pod_identity_association) | resource | +| [aws_iam_policy.ec2_describe_instances](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_role.splunk_otel_ec2_describe](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy_attachment.splunk_otel_ec2_describe](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | | [helm_release.splunk_otel_collector](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | | [aws_eks_cluster.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source | | [aws_eks_cluster_auth.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source | +| [aws_iam_openid_connect_provider.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_openid_connect_provider) | data source | +| [aws_iam_policy_document.ec2_describe_instances](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.splunk_otel_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_secretsmanager_secret.secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source | | [aws_secretsmanager_secret_version.secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret_version) | data source | @@ -38,6 +45,7 @@ No modules. | [cluster\_name](#input\_cluster\_name) | The name of the EKS cluster | `string` | n/a | yes | | [default\_tags](#input\_default\_tags) | A map of tags to apply to resources. | `map(string)` | n/a | yes | | [splunk\_otel\_collector](#input\_splunk\_otel\_collector) | Configuration for the Splunk OpenTelemetry Collector | 
object({
    splunk_observability_realm     = string
    splunk_platform_endpoint       = string
    splunk_platform_index          = string
    gateway                        = bool
    splunk_observability_profiling = bool
    environment                    = string
    discovery                      = bool
  })
| n/a | yes | +| [tags](#input\_tags) | A map of tags to apply to resources. | `map(string)` | n/a | yes | ## Outputs diff --git a/modules/integrations/splunk_otel_eks/otel.tf b/modules/integrations/splunk_otel_eks/otel.tf index 758694a0..e58ce71b 100644 --- a/modules/integrations/splunk_otel_eks/otel.tf +++ b/modules/integrations/splunk_otel_eks/otel.tf @@ -2,7 +2,7 @@ resource "helm_release" "splunk_otel_collector" { name = "splunk-otel-collector" repository = "https://signalfx.github.io/splunk-otel-collector-chart" chart = "splunk-otel-collector" - version = "0.145.0" + version = "0.145.1" namespace = "splunk-otel-collector" create_namespace = true diff --git a/modules/integrations/splunk_otel_eks/versions.tf b/modules/integrations/splunk_otel_eks/versions.tf index 6b80a125..b00cedb6 100644 --- a/modules/integrations/splunk_otel_eks/versions.tf +++ b/modules/integrations/splunk_otel_eks/versions.tf @@ -16,5 +16,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.11.0" + required_version = "~> 1.11" } diff --git a/modules/integrations/splunk_secrets/versions.tf b/modules/integrations/splunk_secrets/versions.tf index 1fcbad75..cd0b6f7a 100644 --- a/modules/integrations/splunk_secrets/versions.tf +++ b/modules/integrations/splunk_secrets/versions.tf @@ -12,5 +12,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.11.0" + required_version = "~> 1.11" } diff --git a/modules/integrations/teleport/README.md b/modules/integrations/teleport/README.md index 7694a9f2..8ca03bb4 100644 --- a/modules/integrations/teleport/README.md +++ b/modules/integrations/teleport/README.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.11.0 | +| [terraform](#requirement\_terraform) | ~> 1.11 | | [aws](#requirement\_aws) | >= 6.25 | | [helm](#requirement\_helm) | >= 3.0.0 | | [kubernetes](#requirement\_kubernetes) | >= 3.0 | @@ -12,7 +12,7 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.25.0 | +| [aws](#provider\_aws) | 6.35.1 | | [kubernetes](#provider\_kubernetes) | 3.0.1 | ## Modules diff --git a/modules/integrations/teleport/tenant/README.md b/modules/integrations/teleport/tenant/README.md index c76b8a20..89a70897 100644 --- a/modules/integrations/teleport/tenant/README.md +++ b/modules/integrations/teleport/tenant/README.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.11.0 | +| [terraform](#requirement\_terraform) | ~> 1.11 | | [aws](#requirement\_aws) | >= 6.25 | | [helm](#requirement\_helm) | >= 3.0.0 | | [kubernetes](#requirement\_kubernetes) | >= 3.0 | diff --git a/modules/integrations/teleport/tenant/versions.tf b/modules/integrations/teleport/tenant/versions.tf index a91c6e64..056af10a 100644 --- a/modules/integrations/teleport/tenant/versions.tf +++ b/modules/integrations/teleport/tenant/versions.tf @@ -15,5 +15,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.11.0" + required_version = "~> 1.11" } diff --git a/modules/integrations/teleport/versions.tf b/modules/integrations/teleport/versions.tf index a91c6e64..056af10a 100644 --- a/modules/integrations/teleport/versions.tf +++ b/modules/integrations/teleport/versions.tf @@ -15,5 +15,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.11.0" + required_version = "~> 1.11" } diff --git a/modules/platform/arc_deployment/README.md b/modules/platform/arc_deployment/README.md index c61fbf5c..5df617f1 100644 --- a/modules/platform/arc_deployment/README.md +++ b/modules/platform/arc_deployment/README.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.11.0 | +| [terraform](#requirement\_terraform) | ~> 1.11 | ## Providers diff --git a/modules/platform/arc_deployment/versions.tf b/modules/platform/arc_deployment/versions.tf index 4f2e6449..c4822b74 100644 --- a/modules/platform/arc_deployment/versions.tf +++ b/modules/platform/arc_deployment/versions.tf @@ -1,4 +1,4 @@ terraform { # OpenTofu version. - required_version = ">= 1.11.0" + required_version = "~> 1.11" } diff --git a/modules/platform/ec2_deployment/README.md b/modules/platform/ec2_deployment/README.md index 060db263..13165123 100644 --- a/modules/platform/ec2_deployment/README.md +++ b/modules/platform/ec2_deployment/README.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.11.0 | +| [terraform](#requirement\_terraform) | ~> 1.11 | | [archive](#requirement\_archive) | >= 2.7.0 | | [aws](#requirement\_aws) | >= 6.25 | | [external](#requirement\_external) | >= 2.3 | @@ -12,7 +12,7 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.25.0 | +| [aws](#provider\_aws) | 6.35.1 | | [external](#provider\_external) | 2.3.5 | ## Modules @@ -21,7 +21,7 @@ |------|--------|---------| | [ec2\_update\_runner\_ssm\_ami](#module\_ec2\_update\_runner\_ssm\_ami) | ./ec2_update_runner_ssm_ami | n/a | | [ec2\_update\_runner\_tags](#module\_ec2\_update\_runner\_tags) | ./ec2_update_runner_tags | n/a | -| [runners](#module\_runners) | git::https://github.com/github-aws-runners/terraform-aws-github-runner.git//modules/multi-runner | v6.10.1 | +| [runners](#module\_runners) | git::https://github.com/edersonbrilhante/terraform-aws-github-runner.git//modules/multi-runner | feat-macos-support | ## Resources @@ -30,7 +30,6 @@ | [aws_iam_policy.ec2_tags](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_kms_alias.github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource | | [aws_kms_key.github](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | -| [aws_security_group.gh_runner_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | | [aws_security_group.gh_runner_lambda_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | | [aws_ami.runner_ami](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source | | [aws_iam_policy_document.ec2_tags](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | @@ -43,8 +42,8 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [aws\_region](#input\_aws\_region) | Assuming single region for now. | `string` | n/a | yes | -| [network\_configs](#input\_network\_configs) | n/a | 
object({
    vpc_id            = string
    subnet_ids        = list(string)
    lambda_subnet_ids = list(string)
  })
| n/a | yes | -| [runner\_configs](#input\_runner\_configs) | n/a | 
object({
    env                       = string
    prefix                    = string
    ghes_url                  = string
    ghes_org                  = string
    log_level                 = string
    logging_retention_in_days = string
    github_app = object({
      key_base64     = string
      id             = string
      webhook_secret = string
    })
    runner_iam_role_managed_policy_arns = list(string)
    runner_group_name                   = string
    runner_specs = map(object({
      ami_filter = object({
        name  = list(string)
        state = list(string)
      })
      ami_kms_key_arn     = string
      ami_owners          = list(string)
      runner_labels       = list(string)
      runner_os           = string
      runner_architecture = string
      extra_labels        = list(string)
      max_instances       = number
      min_run_time        = number
      instance_types      = list(string)
      pool_config = list(object({
        size                         = number
        schedule_expression          = string
        schedule_expression_timezone = string
      }))
      runner_user                   = string
      enable_userdata               = bool
      instance_target_capacity_type = string
      block_device_mappings = list(object({
        delete_on_termination = bool
        device_name           = string
        encrypted             = bool
        iops                  = number
        kms_key_id            = string
        snapshot_id           = string
        throughput            = number
        volume_size           = number
        volume_type           = string
      }))
    }))
  })
| n/a | yes | +| [network\_configs](#input\_network\_configs) | n/a | 
object({
    vpc_id            = string
    subnet_ids        = list(string)
    lambda_vpc_id     = string
    lambda_subnet_ids = list(string)
  })
| n/a | yes | +| [runner\_configs](#input\_runner\_configs) | n/a | 
object({
    env                       = string
    prefix                    = string
    ghes_url                  = string
    ghes_org                  = string
    log_level                 = string
    logging_retention_in_days = string
    github_app = object({
      key_base64     = string
      id             = string
      webhook_secret = string
    })
    runner_iam_role_managed_policy_arns = list(string)
    runner_group_name                   = string
    scale_errors                        = optional(list(string), [])
    runner_specs = map(object({
      ami_filter = object({
        name  = list(string)
        state = list(string)
      })
      ami_kms_key_arn     = string
      ami_owners          = list(string)
      runner_labels       = list(string)
      runner_os           = string
      runner_architecture = string
      extra_labels        = list(string)
      max_instances       = number
      min_run_time        = number
      instance_types      = list(string)
      license_specifications = optional(list(object({
        license_configuration_arn = string
      })), null)
      placement = optional(object({
        affinity                = optional(string)
        availability_zone       = optional(string)
        group_id                = optional(string)
        group_name              = optional(string)
        host_id                 = optional(string)
        host_resource_group_arn = optional(string)
        spread_domain           = optional(string)
        tenancy                 = optional(string)
        partition_number        = optional(number)
      }), null)
      pool_config = list(object({
        size                         = number
        schedule_expression          = string
        schedule_expression_timezone = string
      }))
      runner_user                   = string
      enable_userdata               = bool
      instance_target_capacity_type = string
      vpc_id                        = optional(string, null)
      subnet_ids                    = optional(list(string), null)
      block_device_mappings = list(object({
        delete_on_termination = bool
        device_name           = string
        encrypted             = bool
        iops                  = number
        kms_key_id            = string
        snapshot_id           = string
        throughput            = number
        volume_size           = number
        volume_type           = string
      }))
    }))
  })
| n/a | yes | | [tenant\_configs](#input\_tenant\_configs) | n/a | 
object({
    ecr_registries = list(string)
    tags           = map(string)
  })
| n/a | yes | ## Outputs diff --git a/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/README.md b/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/README.md index ee77fa86..3a4ab931 100644 --- a/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/README.md +++ b/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/README.md @@ -3,20 +3,20 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.11.0 | +| [terraform](#requirement\_terraform) | ~> 1.11 | | [aws](#requirement\_aws) | >= 6.25 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.25.0 | +| [aws](#provider\_aws) | 6.35.1 | ## Modules | Name | Source | Version | |------|--------|---------| -| [ec2\_update\_runner\_ssm\_ami\_lambda](#module\_ec2\_update\_runner\_ssm\_ami\_lambda) | terraform-aws-modules/lambda/aws | 8.1.2 | +| [ec2\_update\_runner\_ssm\_ami\_lambda](#module\_ec2\_update\_runner\_ssm\_ami\_lambda) | terraform-aws-modules/lambda/aws | 8.7.0 | ## Resources diff --git a/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/versions.tf b/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/versions.tf index fd5120e2..7ce2660e 100644 --- a/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/versions.tf +++ b/modules/platform/ec2_deployment/ec2_update_runner_ssm_ami/versions.tf @@ -7,5 +7,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.11.0" + required_version = "~> 1.11" } diff --git a/modules/platform/ec2_deployment/ec2_update_runner_tags/README.md b/modules/platform/ec2_deployment/ec2_update_runner_tags/README.md index e3ebbd20..e6238c75 100644 --- a/modules/platform/ec2_deployment/ec2_update_runner_tags/README.md +++ b/modules/platform/ec2_deployment/ec2_update_runner_tags/README.md @@ -3,20 +3,20 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.11.0 | +| [terraform](#requirement\_terraform) | ~> 1.11 | | [aws](#requirement\_aws) | >= 6.25 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.25.0 | +| [aws](#provider\_aws) | 6.35.1 | ## Modules | Name | Source | Version | |------|--------|---------| -| [ec2\_update\_runner\_tags\_lambda](#module\_ec2\_update\_runner\_tags\_lambda) | terraform-aws-modules/lambda/aws | 8.1.2 | +| [ec2\_update\_runner\_tags\_lambda](#module\_ec2\_update\_runner\_tags\_lambda) | terraform-aws-modules/lambda/aws | 8.7.0 | ## Resources diff --git a/modules/platform/ec2_deployment/ec2_update_runner_tags/versions.tf b/modules/platform/ec2_deployment/ec2_update_runner_tags/versions.tf index fd5120e2..7ce2660e 100644 --- a/modules/platform/ec2_deployment/ec2_update_runner_tags/versions.tf +++ b/modules/platform/ec2_deployment/ec2_update_runner_tags/versions.tf @@ -7,5 +7,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.11.0" + required_version = "~> 1.11" } diff --git a/modules/platform/ec2_deployment/main.tf b/modules/platform/ec2_deployment/main.tf index 3aa8402b..ce388089 100644 --- a/modules/platform/ec2_deployment/main.tf +++ b/modules/platform/ec2_deployment/main.tf @@ -34,7 +34,7 @@ data "aws_subnet" "runner_subnet" { } data "external" "download_lambdas" { - program = ["bash", "${path.module}/scripts/download_lambdas.sh", "/tmp/${var.runner_configs.prefix}/", "v7.4.0"] + program = ["bash", "${path.module}/scripts/download_lambdas.sh", "/tmp/${var.runner_configs.prefix}/", "v7.4.1"] } diff --git a/modules/platform/ec2_deployment/versions.tf b/modules/platform/ec2_deployment/versions.tf index 9407915f..dc020a24 100644 --- a/modules/platform/ec2_deployment/versions.tf +++ b/modules/platform/ec2_deployment/versions.tf @@ -15,5 +15,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.11.0" + required_version = "~> 1.11" } diff --git a/modules/platform/forge_runners/README.md b/modules/platform/forge_runners/README.md index d6125067..93b741a0 100644 --- a/modules/platform/forge_runners/README.md +++ b/modules/platform/forge_runners/README.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.11.0 | +| [terraform](#requirement\_terraform) | ~> 1.11 | | [archive](#requirement\_archive) | >= 2.7.0 | | [aws](#requirement\_aws) | >= 6.25 | | [external](#requirement\_external) | >= 2.3 | @@ -16,9 +16,9 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.25.0 | +| [aws](#provider\_aws) | 6.35.1 | | [null](#provider\_null) | 3.2.4 | -| [random](#provider\_random) | 3.7.2 | +| [random](#provider\_random) | 3.8.1 | | [time](#provider\_time) | 0.13.1 | ## Modules @@ -40,46 +40,37 @@ |------|------| | [aws_iam_policy.ecr_access_for_ec2_instances](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.role_assumption_for_forge_runners](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_secretsmanager_secret.cicd_secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource | -| [aws_secretsmanager_secret_version.cicd_secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource | | [aws_servicecatalogappregistry_application.forge](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/servicecatalogappregistry_application) | resource | +| [aws_ssm_parameter.github_app_client_id](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource | +| [aws_ssm_parameter.github_app_id](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource | +| [aws_ssm_parameter.github_app_installation_id](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource | +| [aws_ssm_parameter.github_app_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource | +| [aws_ssm_parameter.github_app_name](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource | +| [aws_ssm_parameter.github_app_webhook_secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource | | [null_resource.update_github_app_webhook](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | | [random_id.random](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource | -| [time_sleep.wait_60_seconds](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | +| [random_password.github_app_webhook_secret](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource | +| [time_rotating.every_30_days](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/rotating) | resource | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_iam_policy_document.ecr_access_for_ec2_instances](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.role_assumption_for_forge_runners](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | -| [aws_secretsmanager_random_password.secret_seeds](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_random_password) | data source | -| [aws_secretsmanager_secret.data_cicd_secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source | -| [aws_secretsmanager_secret_version.data_cicd_secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret_version) | data source | +| [aws_ssm_parameter.github_app_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [arc\_cluster\_name](#input\_arc\_cluster\_name) | Name of the EKS cluster | `string` | n/a | yes | -| [arc\_runner\_specs](#input\_arc\_runner\_specs) | Map of runner specifications | 
map(object({
    runner_size = object({
      max_runners = number
      min_runners = number
    })
    scale_set_name               = string
    scale_set_type               = string
    container_actions_runner     = string
    container_limits_cpu         = string
    container_limits_memory      = string
    container_requests_cpu       = string
    container_requests_memory    = string
    volume_requests_storage_size = string
    volume_requests_storage_type = string
  }))
| n/a | yes | -| [aws\_account\_id](#input\_aws\_account\_id) | AWS account ID (not SL AWS account ID) associated with the infra/backend. | `string` | n/a | yes | -| [aws\_profile](#input\_aws\_profile) | AWS profile (i.e. generated via 'sl aws session generate') to use. | `string` | n/a | yes | -| [aws\_region](#input\_aws\_region) | Assuming single region for now. | `string` | n/a | yes | +| [arc\_deployment\_specs](#input\_arc\_deployment\_specs) | Deployment configuration for Azure Container Apps (ARC) runners.

Top-level fields:
- cluster\_name : Name of the EKS cluster used for ARC runners.
- migrate\_cluster: Optional flag to indicate a one-time migration or
blue/green cutover of the ARC runner cluster.
- runner\_specs : Map of ARC runner pool keys to their sizing and
container resource settings.

runner\_specs[*] object fields:
- runner\_size.max\_runners: Maximum concurrent ARC runners for this pool.
- runner\_size.min\_runners: Minimum number of warm runners.
- scale\_set\_name : Logical name for the scale set / pool.
- scale\_set\_type : Backing type for the scale set (for example,
kubernetes or containerapp, depending on integration).
- container\_actions\_runner : Container image used for the ARC runner.
- container\_limits\_cpu : CPU limit for the runner container.
- container\_limits\_memory : Memory limit for the runner container.
- container\_requests\_cpu : CPU request (baseline reservation).
- container\_requests\_memory : Memory request (baseline reservation).
- volume\_requests\_storage\_size: Size of attached storage for the runner.
- volume\_requests\_storage\_type: Storage class or type for attached volume. | 
object({
    cluster_name    = string
    migrate_cluster = optional(bool, false)
    runner_specs = map(object({
      runner_size = object({
        max_runners = number
        min_runners = number
      })
      scale_set_name               = string
      scale_set_type               = string
      container_actions_runner     = string
      container_limits_cpu         = string
      container_limits_memory      = string
      container_requests_cpu       = string
      container_requests_memory    = string
      volume_requests_storage_size = string
      volume_requests_storage_type = string
    }))
  })
| n/a | yes | +| [aws\_profile](#input\_aws\_profile) | AWS profile to use. | `string` | n/a | yes | +| [aws\_region](#input\_aws\_region) | AWS region where Forge runners and supporting infrastructure are deployed. | `string` | n/a | yes | | [default\_tags](#input\_default\_tags) | A map of tags to apply to resources. | `map(string)` | n/a | yes | -| [deployment\_config](#input\_deployment\_config) | Prefix for the deployment, used to distinguish resources. | 
object({
    prefix        = string
    secret_suffix = string
  })
| n/a | yes | -| [ec2\_runner\_specs](#input\_ec2\_runner\_specs) | Map of runner specifications | 
map(object({
    ami_filter = object({
      name  = list(string)
      state = list(string)
    })
    ami_kms_key_arn     = string
    ami_owners          = list(string)
    runner_labels       = list(string)
    runner_os           = string
    runner_architecture = string
    extra_labels        = list(string)
    max_instances       = number
    min_run_time        = number
    instance_types      = list(string)
    pool_config = list(object({
      size                         = number
      schedule_expression          = string
      schedule_expression_timezone = string
    }))
    runner_user                   = string
    enable_userdata               = bool
    instance_target_capacity_type = string
    block_device_mappings = list(object({
      delete_on_termination = bool
      device_name           = string
      encrypted             = bool
      iops                  = number
      kms_key_id            = string
      snapshot_id           = string
      throughput            = number
      volume_size           = number
      volume_type           = string
    }))
  }))
| n/a | yes | -| [env](#input\_env) | Deployment environments. | `string` | n/a | yes | -| [ghes\_org](#input\_ghes\_org) | GitHub organization. | `string` | n/a | yes | -| [ghes\_url](#input\_ghes\_url) | GitHub Enterprise Server URL. | `string` | n/a | yes | +| [deployment\_config](#input\_deployment\_config) | High-level deployment configuration for a Forge runner installation.

Top-level fields:
- deployment\_prefix: Prefix used when naming resources (for example,
log groups, KMS keys, and SSM parameters).
- env : Logical environment name (for example, dev, stage,
prod). Used for tagging and dashboards.

github\_app object:
- id : Numeric GitHub App ID.
- client\_id : OAuth client ID for the app.
- installation\_id: GitHub App installation ID for this tenant.
- name : GitHub App name, used to build URLs and logs.

github object:
- ghes\_org : GitHub organization that owns the repos where
runners will be used.
- ghes\_url : GitHub.com or GHES base URL. Empty string implies
public github.com.
- repository\_selection: Scope for runners (all or selected repositories).
- runner\_group\_name : GitHub runner group to attach new runners to.

tenant object:
- name : Tenant identifier used in naming and
tagging.
- iam\_roles\_to\_assume : Optional list of IAM role ARNs that
runners are allowed to assume for workload execution.
- ecr\_registries : Optional list of ECR registry URLs that
runners may need to pull images from.
- github\_logs\_reader\_role\_arns: Optional list of IAM roles that can read
GitHub Actions logs for this tenant. | 
object({
    deployment_prefix = string
    secret_suffix     = string
    env               = string
    github_app = object({
      id              = string
      client_id       = string
      installation_id = string
      name            = string
    })
    github = object({
      ghes_org             = string
      ghes_url             = string
      repository_selection = string
      runner_group_name    = string
    })
    tenant = object({
      name                         = string
      iam_roles_to_assume          = optional(list(string), [])
      ecr_registries               = optional(list(string), [])
      github_logs_reader_role_arns = optional(list(string), [])
    })
  })
| n/a | yes | +| [ec2\_deployment\_specs](#input\_ec2\_deployment\_specs) | EC2 deployment configuration for GitHub Actions runners.

Top-level fields:
- lambda\_subnet\_ids: Subnets where runner-related lambdas execute.
These can be more permissive than the runner subnets.
- subnet\_ids : Subnets where the EC2 runners are launched.
- vpc\_id : VPC that contains both runner and lambda subnets.
- runner\_specs : Map of runner pool keys to their EC2 sizing and
scheduling configuration.

runner\_specs[*] object fields:
- ami\_filter : Name/state filters used to select the runner AMI.
- ami\_kms\_key\_arn : KMS key ARN used to encrypt AMI EBS volumes.
- ami\_owners : List of AWS account IDs that own the AMI.
- runner\_labels : Base GitHub labels applied to jobs for this pool.
- runner\_os : Runner operating system (for example, linux).
- runner\_architecture: CPU architecture (for example, x86\_64 or arm64).
- extra\_labels : Additional GitHub labels that further specialize
this runner pool.
- max\_instances : Maximum number of EC2 runners in this pool.
- min\_run\_time : Minimum job run time (in minutes) before a runner
is eligible for scale-down.
- instance\_types : Allowed EC2 instance types for runners in this pool.
- pool\_config : List of pool size schedules (size + cron expression
and optional time zone) controlling baseline capacity.
- runner\_user : OS user under which the GitHub runner process runs.
- enable\_userdata : Whether the module should inject its standard
userdata to configure the runner VM.
- instance\_target\_capacity\_type: EC2 capacity type to use (spot or
on-demand).
- block\_device\_mappings: EBS volume configuration for the runner
instances, including size, type, encryption, and KMS. | 
object({
    lambda_subnet_ids = list(string)
    subnet_ids        = list(string)
    lambda_vpc_id     = string
    vpc_id            = string
    scale_errors      = optional(list(string), [])
    runner_specs = map(object({
      ami_filter = object({
        name  = list(string)
        state = list(string)
      })
      ami_kms_key_arn     = string
      ami_owners          = list(string)
      runner_labels       = list(string)
      runner_os           = string
      runner_architecture = string
      extra_labels        = list(string)
      max_instances       = number
      min_run_time        = number
      instance_types      = list(string)
      license_specifications = optional(list(object({
        license_configuration_arn = string
      })), null)
      placement = optional(object({
        affinity                = optional(string)
        availability_zone       = optional(string)
        group_id                = optional(string)
        group_name              = optional(string)
        host_id                 = optional(string)
        host_resource_group_arn = optional(string)
        spread_domain           = optional(string)
        tenancy                 = optional(string)
        partition_number        = optional(number)
      }), null)
      pool_config = list(object({
        size                         = number
        schedule_expression          = string
        schedule_expression_timezone = string
      }))
      runner_user                   = string
      enable_userdata               = bool
      instance_target_capacity_type = string
      vpc_id                        = optional(string, null)
      subnet_ids                    = optional(list(string), null)
      block_device_mappings = list(object({
        delete_on_termination = bool
        device_name           = string
        encrypted             = bool
        iops                  = number
        kms_key_id            = string
        snapshot_id           = string
        throughput            = number
        volume_size           = number
        volume_type           = string
      }))
    }))
  })
| n/a | yes | | [github\_webhook\_relay](#input\_github\_webhook\_relay) | Configuration for the (optional) webhook relay source module.
If enabled=true we provision the API Gateway + source EventBridge forwarding rule.
destination\_event\_bus\_name must already exist or be created in the destination account (or via the destination submodule run there). | 
object({
    enabled                     = bool
    destination_account_id      = optional(string)
    destination_event_bus_name  = optional(string)
    destination_region          = optional(string)
    destination_reader_role_arn = optional(string)
  })
| 
{
  "destination_account_id": "",
  "destination_event_bus_name": "",
  "destination_reader_role_arn": "",
  "destination_region": "",
  "enabled": false
}
| no | -| [lambda\_subnet\_ids](#input\_lambda\_subnet\_ids) | So the lambdas can run in our pre-determined subnets. They don't require the same security policy as the runners though. | `list(string)` | n/a | yes | | [log\_level](#input\_log\_level) | Log level for application logging (e.g., INFO, DEBUG, WARN, ERROR) | `string` | n/a | yes | | [logging\_retention\_in\_days](#input\_logging\_retention\_in\_days) | Logging retention period in days. | `string` | n/a | yes | -| [migrate\_arc\_cluster](#input\_migrate\_arc\_cluster) | Flag to indicate if the cluster is being migrated. | `bool` | `false` | no | -| [repository\_selection](#input\_repository\_selection) | Repository selection type. | `string` | n/a | yes | -| [runner\_group\_name](#input\_runner\_group\_name) | Name of the group applied to all runners. | `string` | n/a | yes | -| [subnet\_ids](#input\_subnet\_ids) | Subnet(s) in which our runners will be deployed. Supplied by the underlying AWS-based CI/CD stack. | `list(string)` | n/a | yes | | [tags](#input\_tags) | A map of tags to apply to resources. | `map(string)` | n/a | yes | -| [tenant](#input\_tenant) | Map of tenant configs | 
object({
    name                         = string
    iam_roles_to_assume          = optional(list(string), [])
    ecr_registries               = optional(list(string), [])
    github_logs_reader_role_arns = optional(list(string), [])
  })
| n/a | yes | -| [vpc\_id](#input\_vpc\_id) | VPC in which our runners will be deployed. Supplied by the underlying AWS-based CI/CD stack. | `string` | n/a | yes | ## Outputs diff --git a/modules/platform/forge_runners/forge_trust_validator/README.md b/modules/platform/forge_runners/forge_trust_validator/README.md index ab777d2b..59aa56c0 100644 --- a/modules/platform/forge_runners/forge_trust_validator/README.md +++ b/modules/platform/forge_runners/forge_trust_validator/README.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.11.0 | +| [terraform](#requirement\_terraform) | ~> 1.11 | | [aws](#requirement\_aws) | >= 6.25 | | [null](#requirement\_null) | >= 3.2 | @@ -11,14 +11,14 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.25.0 | +| [aws](#provider\_aws) | 6.35.1 | | [null](#provider\_null) | 3.2.4 | ## Modules | Name | Source | Version | |------|--------|---------| -| [forge\_trust\_validator\_lambda](#module\_forge\_trust\_validator\_lambda) | terraform-aws-modules/lambda/aws | 8.1.2 | +| [forge\_trust\_validator\_lambda](#module\_forge\_trust\_validator\_lambda) | terraform-aws-modules/lambda/aws | 8.7.0 | ## Resources diff --git a/modules/platform/forge_runners/forge_trust_validator/versions.tf b/modules/platform/forge_runners/forge_trust_validator/versions.tf index 824bcea7..7fcd170f 100644 --- a/modules/platform/forge_runners/forge_trust_validator/versions.tf +++ b/modules/platform/forge_runners/forge_trust_validator/versions.tf @@ -11,5 +11,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.11.0" + required_version = "~> 1.11" } diff --git a/modules/platform/forge_runners/github_actions_job_logs/README.md b/modules/platform/forge_runners/github_actions_job_logs/README.md index 79852ce0..fbdf2772 100644 --- a/modules/platform/forge_runners/github_actions_job_logs/README.md +++ b/modules/platform/forge_runners/github_actions_job_logs/README.md @@ -123,21 +123,21 @@ See parent repository license. | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.11.0 | +| [terraform](#requirement\_terraform) | ~> 1.11 | | [aws](#requirement\_aws) | >= 6.25 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.25.0 | +| [aws](#provider\_aws) | 6.35.1 | ## Modules | Name | Source | Version | |------|--------|---------| -| [job\_log\_archiver](#module\_job\_log\_archiver) | terraform-aws-modules/lambda/aws | 8.1.2 | -| [job\_log\_dispatcher](#module\_job\_log\_dispatcher) | terraform-aws-modules/lambda/aws | 8.1.2 | +| [job\_log\_archiver](#module\_job\_log\_archiver) | terraform-aws-modules/lambda/aws | 8.7.0 | +| [job\_log\_dispatcher](#module\_job\_log\_dispatcher) | terraform-aws-modules/lambda/aws | 8.7.0 | ## Resources @@ -170,8 +170,6 @@ See parent repository license. | [aws_iam_policy_document.job_log_archiver](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.job_log_dispatcher](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | -| [aws_secretsmanager_secret.secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source | -| [aws_secretsmanager_secret_version.secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret_version) | data source | ## Inputs @@ -179,10 +177,10 @@ See parent repository license. |------|-------------|------|---------|:--------:| | [event\_bus\_name](#input\_event\_bus\_name) | Name of the EventBridge event bus to listen for workflow job events. | `string` | n/a | yes | | [ghes\_url](#input\_ghes\_url) | GitHub Enterprise Server URL. | `string` | `""` | no | +| [github\_app](#input\_github\_app) | GitHub App configuration | 
object({
    key_base64_ssm = object({
      arn = string
    })
    id_ssm = object({
      arn = string
    })
    installation_id_ssm = object({
      arn = string
    })
  })
| n/a | yes | | [log\_level](#input\_log\_level) | Log level for application logging (e.g., INFO, DEBUG, WARN, ERROR) | `string` | `"INFO"` | no | | [logging\_retention\_in\_days](#input\_logging\_retention\_in\_days) | Retention in days for CloudWatch Log Group for the Lambdas. | `number` | `30` | no | | [prefix](#input\_prefix) | Prefix for all resources | `string` | n/a | yes | -| [secrets\_prefix](#input\_secrets\_prefix) | Prefix for all secrets | `string` | n/a | yes | | [shared\_role\_arns](#input\_shared\_role\_arns) | Optional list of consumer identifier to IAM Role ARN granted read/list on tenant's github job logs. | `list(string)` | `[]` | no | | [tags](#input\_tags) | Tags to apply to created resources. | `map(string)` | `{}` | no | diff --git a/modules/platform/forge_runners/github_actions_job_logs/versions.tf b/modules/platform/forge_runners/github_actions_job_logs/versions.tf index fd5120e2..7ce2660e 100644 --- a/modules/platform/forge_runners/github_actions_job_logs/versions.tf +++ b/modules/platform/forge_runners/github_actions_job_logs/versions.tf @@ -7,5 +7,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.11.0" + required_version = "~> 1.11" } diff --git a/modules/platform/forge_runners/github_app_runner_group/README.md b/modules/platform/forge_runners/github_app_runner_group/README.md index e2c8888f..54893a7d 100644 --- a/modules/platform/forge_runners/github_app_runner_group/README.md +++ b/modules/platform/forge_runners/github_app_runner_group/README.md @@ -3,20 +3,20 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.11.0 | +| [terraform](#requirement\_terraform) | ~> 1.11 | | [aws](#requirement\_aws) | >= 6.25 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.25.0 | +| [aws](#provider\_aws) | 6.35.1 | ## Modules | Name | Source | Version | |------|--------|---------| -| [register\_github\_app\_runner\_group\_lambda](#module\_register\_github\_app\_runner\_group\_lambda) | terraform-aws-modules/lambda/aws | 8.1.2 | +| [register\_github\_app\_runner\_group\_lambda](#module\_register\_github\_app\_runner\_group\_lambda) | terraform-aws-modules/lambda/aws | 8.7.0 | ## Resources @@ -28,8 +28,6 @@ | [aws_lambda_permission.register_github_app_runner_group_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource | | [aws_iam_policy_document.register_github_app_runner_group_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | -| [aws_secretsmanager_secret.secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source | -| [aws_secretsmanager_secret_version.secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret_version) | data source | ## Inputs @@ -37,12 +35,12 @@ |------|-------------|------|---------|:--------:| | [ghes\_org](#input\_ghes\_org) | GitHub organization (GHES or GitHub.com). | `string` | n/a | yes | | [github\_api](#input\_github\_api) | Base URL for the GitHub API (set to GHES API endpoint if using Enterprise). | `string` | `"https://api.github.com"` | no | +| [github\_app](#input\_github\_app) | GitHub App configuration | 
object({
    key_base64_ssm = object({
      arn = string
    })
    id_ssm = object({
      arn = string
    })
    installation_id_ssm = object({
      arn = string
    })
  })
| n/a | yes | | [log\_level](#input\_log\_level) | Log level for application logging (e.g., INFO, DEBUG, WARN, ERROR) | `string` | `"INFO"` | no | | [logging\_retention\_in\_days](#input\_logging\_retention\_in\_days) | Retention in days for CloudWatch Log Group for the Lambdas. | `number` | `30` | no | | [prefix](#input\_prefix) | Prefix for all resources | `string` | n/a | yes | | [repository\_selection](#input\_repository\_selection) | Repository selection type: 'all' or 'selected'. | `string` | n/a | yes | | [runner\_group\_name](#input\_runner\_group\_name) | Name of the GitHub Actions runner group to create/update and attach repositories to. | `string` | n/a | yes | -| [secrets\_prefix](#input\_secrets\_prefix) | Prefix for all secrets | `string` | n/a | yes | | [tags](#input\_tags) | Tags to apply to created resources. | `map(string)` | `{}` | no | ## Outputs diff --git a/modules/platform/forge_runners/github_app_runner_group/versions.tf b/modules/platform/forge_runners/github_app_runner_group/versions.tf index fd5120e2..7ce2660e 100644 --- a/modules/platform/forge_runners/github_app_runner_group/versions.tf +++ b/modules/platform/forge_runners/github_app_runner_group/versions.tf @@ -7,5 +7,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.11.0" + required_version = "~> 1.11" } diff --git a/modules/platform/forge_runners/github_global_lock/README.md b/modules/platform/forge_runners/github_global_lock/README.md index a7b0088f..d90b611a 100644 --- a/modules/platform/forge_runners/github_global_lock/README.md +++ b/modules/platform/forge_runners/github_global_lock/README.md @@ -3,20 +3,20 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.11.0 | +| [terraform](#requirement\_terraform) | ~> 1.11 | | [aws](#requirement\_aws) | >= 6.25 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.25.0 | +| [aws](#provider\_aws) | 6.35.1 | ## Modules | Name | Source | Version | |------|--------|---------| -| [clean\_global\_lock\_lambda](#module\_clean\_global\_lock\_lambda) | terraform-aws-modules/lambda/aws | 8.1.2 | +| [clean\_global\_lock\_lambda](#module\_clean\_global\_lock\_lambda) | terraform-aws-modules/lambda/aws | 8.7.0 | ## Resources @@ -31,17 +31,15 @@ | [aws_iam_policy_document.clean_global_lock_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.dynamodb_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | -| [aws_secretsmanager_secret.secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret) | data source | -| [aws_secretsmanager_secret_version.secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret_version) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| [github\_app](#input\_github\_app) | GitHub App configuration | 
object({
    key_base64_ssm = object({
      arn = string
    })
    id_ssm = object({
      arn = string
    })
    installation_id_ssm = object({
      arn = string
    })
  })
| n/a | yes | | [log\_level](#input\_log\_level) | Log level for application logging (e.g., INFO, DEBUG, WARN, ERROR) | `string` | `"INFO"` | no | | [logging\_retention\_in\_days](#input\_logging\_retention\_in\_days) | Retention in days for CloudWatch Log Group for the Lambdas. | `number` | `30` | no | | [prefix](#input\_prefix) | Prefix for all resources | `string` | n/a | yes | -| [secrets\_prefix](#input\_secrets\_prefix) | Prefix for all secrets | `string` | n/a | yes | | [tags](#input\_tags) | Tags to apply to created resources. | `map(string)` | `{}` | no | ## Outputs diff --git a/modules/platform/forge_runners/github_global_lock/versions.tf b/modules/platform/forge_runners/github_global_lock/versions.tf index fd5120e2..7ce2660e 100644 --- a/modules/platform/forge_runners/github_global_lock/versions.tf +++ b/modules/platform/forge_runners/github_global_lock/versions.tf @@ -7,5 +7,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.11.0" + required_version = "~> 1.11" } diff --git a/modules/platform/forge_runners/github_webhook_relay/README.md b/modules/platform/forge_runners/github_webhook_relay/README.md index e0dab2a4..544b7b06 100644 --- a/modules/platform/forge_runners/github_webhook_relay/README.md +++ b/modules/platform/forge_runners/github_webhook_relay/README.md @@ -3,7 +3,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.11.0 | +| [terraform](#requirement\_terraform) | ~> 1.11 | | [aws](#requirement\_aws) | >= 6.25 | | [random](#requirement\_random) | >= 3.6 | @@ -11,8 +11,8 @@ | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.25.0 | -| [random](#provider\_random) | 3.7.2 | +| [aws](#provider\_aws) | 6.35.1 | +| [random](#provider\_random) | 3.8.1 | ## Modules diff --git a/modules/platform/forge_runners/github_webhook_relay/versions.tf b/modules/platform/forge_runners/github_webhook_relay/versions.tf index 88a0f22b..05f1b0ca 100644 --- a/modules/platform/forge_runners/github_webhook_relay/versions.tf +++ b/modules/platform/forge_runners/github_webhook_relay/versions.tf @@ -11,5 +11,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.11.0" + required_version = "~> 1.11" } diff --git a/modules/platform/forge_runners/redrive_deadletter/README.md b/modules/platform/forge_runners/redrive_deadletter/README.md index 45347cf8..d3094f16 100644 --- a/modules/platform/forge_runners/redrive_deadletter/README.md +++ b/modules/platform/forge_runners/redrive_deadletter/README.md @@ -3,20 +3,20 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.11.0 | +| [terraform](#requirement\_terraform) | ~> 1.11 | | [aws](#requirement\_aws) | >= 6.25 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 6.25.0 | +| [aws](#provider\_aws) | 6.35.1 | ## Modules | Name | Source | Version | |------|--------|---------| -| [redrive\_deadletter\_lambda](#module\_redrive\_deadletter\_lambda) | terraform-aws-modules/lambda/aws | 8.1.2 | +| [redrive\_deadletter\_lambda](#module\_redrive\_deadletter\_lambda) | terraform-aws-modules/lambda/aws | 8.7.0 | ## Resources diff --git a/modules/platform/forge_runners/redrive_deadletter/versions.tf b/modules/platform/forge_runners/redrive_deadletter/versions.tf index fd5120e2..7ce2660e 100644 --- a/modules/platform/forge_runners/redrive_deadletter/versions.tf +++ b/modules/platform/forge_runners/redrive_deadletter/versions.tf @@ -7,5 +7,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.11.0" + required_version = "~> 1.11" } diff --git a/modules/platform/forge_runners/versions.tf b/modules/platform/forge_runners/versions.tf index b3212733..0ff94680 100644 --- a/modules/platform/forge_runners/versions.tf +++ b/modules/platform/forge_runners/versions.tf @@ -31,5 +31,5 @@ terraform { } # OpenTofu version. - required_version = ">= 1.11.0" + required_version = "~> 1.11" } From fd442378cf5c7c7c01ca17dda3cf94869921a030 Mon Sep 17 00:00:00 2001 From: Ederson Brilhante Date: Wed, 11 Mar 2026 21:46:54 +0100 Subject: [PATCH 85/85] chore: update lambda from philips labs (#299) --- modules/platform/ec2_deployment/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/platform/ec2_deployment/main.tf b/modules/platform/ec2_deployment/main.tf index ce388089..7fcc9240 100644 --- a/modules/platform/ec2_deployment/main.tf +++ b/modules/platform/ec2_deployment/main.tf @@ -34,7 +34,7 @@ data "aws_subnet" "runner_subnet" { } data "external" "download_lambdas" { - program = ["bash", "${path.module}/scripts/download_lambdas.sh", "/tmp/${var.runner_configs.prefix}/", "v7.4.1"] + program = ["bash", "${path.module}/scripts/download_lambdas.sh", "/tmp/${var.runner_configs.prefix}/", "v7.5.0"] }