refactor(addon): switch to universal addon (#29)

* refactor: switch to universal addon

This is first part - replace content by universal addon

* feat(modules): remove modules dir

All modules are loaded from universal-addon

* feat(addons): remove oidc

* fixup! feat(addons): remove oidc

* feat(main): initial setup of main

* fix(setup): remove renovate config

* fixup! fix(setup): remove renovate config

* feat(ci): install kubectl

* feat(iam): add default irsa policy

* fix(doc): fix docs after fucked-up rebase

* fix(ci): remove renovate config

* fix(main): change addon name

* feat(iam): load default policy with datasource instead of file

* feat(iam): make aws partition configurable

* fix(iam): rename default_policy to iam

* feat(pod identity): plumb pod identity

* fix(pod identity): change default value for service_account_namespace

* feat(pod identity): use similiar variables as in addon-irsa

* feat(pod identity): finally make all the conditions work

* refactor(pod identity): make resources names consistent

* doc(examples): fix examples

And add example how to use pod identity instead of irsa

* fix(addon-irsa): fix processing of irsa_additional_policies

Same as in lablabs/terraform-aws-eks-universal-addon#38

* refactor(pod-identity): rename pod_identity.tf to pod-identity.tf

* refactor(pod-identity): prefix local vars in pod-identity.tf

* fix(pod-identity): remove try for service_account_name

* refactor(pod-identity): remove redundant () for pod_identity_policy_enabled condition

* fix(pod-identity): use try() to set pod_identy_policy to empty string when null

* fix(iam): add local var for irsa_policy_enabled

* fix(main): do not explicitely set helm_chart_name

Correct value is taken from local.addon.name

* fix(main): use try() to set empty string to irsa_policy if null

* fix(main): use irsa_policy_enabled from locals

* feat(irsa): add migrations for irsa

* feat(addon): add migration resources

* feat(examples): Make examples work

Upgrade modules and make sure that at least helm examples are working

* feat(pod-identity): use pod identity from irsa module

* fix(pod identity): fix conditions

* fixup! fix(pod identity): fix conditions

* fix(pod identity): set pod_identity_policy_enabled to true by default.

It will do no harm and keep the default in sync with irsa_policy_enabled.

* feat(addon): add moved blocks to ease migration

* refactor(irsa): make tflint happy

* fix(iam): fix condition for irsa policy

* fix(migrations): use old name for irsa-related resources

Resources are just moved to correct destination (into irsa module). It is responsibility of irsa module itself to rename the resources.

* fix(migrations): removed indexes from moved blocks

Not necessary at all

* fix(variables): update variables from latest universal-addon

* fix(universal-addon): use univeral addon from specific commit

* fix(migrations): add moved blocks for all installation methods

* fix(ci): use github workflows from universal addon

* fix(ci): remove renovate from gh workflow

* fix(variables): add clusterName to values

Also add validation

* fix(main): update null handling for *_policy

* fix(doc): add link to lb-controller repo

* fix(docs): add repo link to main.tf

* fix(docs): remove empty line

* fix(examples): remove extra line

Author: matejhasul

.github/workflows/pre-commit.yaml

@@ -0,0 +1,69 @@
+name: pre-commit
+
+on:
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - main
+      - master
+
+permissions:
+  contents: read
+
+concurrency:
+  group: pre-commit-${{ github.ref }}
+  cancel-in-progress: false
+
+env:
+  # renovate: datasource=github-releases depName=asdf-vm/asdf
+  ASDF_VERSION: 31e8c93004abd76253d186b8896785895069749b # v0.15.0 # pragma: allowlist secret
+
+jobs:
+  pre-commit:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Setup ASDF
+        uses: asdf-vm/actions/setup@05e0d2ed97b598bfce82fd30daf324ae0c4570e6 # v3.0.2
+
+      - name: Cache ASDF
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        id: asdf-cache
+        with:
+          # https://github.com/asdf-vm/asdf/blob/master/.gitignore
+          path: |
+            ~/.asdf/installs
+            ~/.asdf/plugins
+            ~/.asdf/shims
+          key: ${{ runner.os }}-asdf-${{ hashFiles('.tool-versions') }}
+          restore-keys: ${{ runner.os }}-asdf-
+
+      - name: Install ASDF
+        uses: asdf-vm/actions/install@05e0d2ed97b598bfce82fd30daf324ae0c4570e6 # v3.0.2
+        if: ${{ steps.asdf-cache.outputs.cache-hit != 'true' }}
+        with:
+          asdf_branch: ${{ env.ASDF_VERSION }}
+
+      - name: Reshim installed ASDF tools
+        shell: bash
+        run: asdf reshim
+
+      - name: Cache pip
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        with:
+          path: ~/.cache/pip/
+          key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements*.txt', '.pre-commit-config.yaml') }}
+          restore-keys: |
+            ${{ runner.os }}-pip-
+
+      - name: Install pip dependencies
+        run: pip install -r requirements.txt
+
+      - name: Run pre-commit
+        run: pre-commit run --show-diff-on-failure --color=always --all-files
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} # required for zizmor

.github/workflows/pre-commit.yml

@@ -1,8 +1,4 @@
-name: Release Drafter
-
-permissions:
-  contents: write
-  pull-requests: read
+name: Release drafter
 
 on:
   push:
@@ -11,13 +7,21 @@ on:
       - master
 
   pull_request:
-    types: [opened, reopened, synchronize, labeled]
+    types:
+      - opened
+      - reopened
+      - synchronize
+      - labeled
+
+permissions:
+  contents: write
+  pull-requests: read
 
 jobs:
-  update_release_draft:
-    runs-on: ubuntu-22.04
+  release-drafter:
+    runs-on: ubuntu-24.04
     steps:
-      - uses: release-drafter/release-drafter@v5
+      - uses: release-drafter/release-drafter@b1476f6e6eb133afa41ed8589daba6dc69b4d3f5 # v6.1.0
         with:
           config-name: RELEASE_DRAFTER.yml
         env:

.github/workflows/release-drafter.yml renamed to .github/workflows/release-drafter.yaml

@@ -0,0 +1,96 @@
+name: Template sync
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 0 * * *' # every day at midnight
+
+permissions: {}
+
+concurrency:
+  group: pre-commit
+  cancel-in-progress: false
+
+env:
+  # renovate: datasource=github-releases depName=asdf-vm/asdf
+  ASDF_VERSION: 31e8c93004abd76253d186b8896785895069749b # v0.15.0 # pragma: allowlist secret
+
+jobs:
+  universal-addon:
+    if: github.repository != 'lablabs/terraform-aws-eks-universal-addon'
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Generate GitHub App token
+        id: template-sync-app-token
+        uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2
+        with:
+          app-id: ${{ secrets.LARA_TEMPLATE_SYNC_APP_ID }}
+          private-key: ${{ secrets.LARA_TEMPLATE_SYNC_APP_PRIVATE_KEY }}
+          repositories: ${{ github.event.repository.name }}
+          owner: ${{ github.repository_owner }}
+
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          token: ${{ steps.template-sync-app-token.outputs.token }} # needed for private repositories
+          persist-credentials: false
+
+      - name: Sync universal-addon template
+        uses: AndreasAugustin/actions-template-sync@bcb94410a4f1dffdfe5eaabc8234c3b8e76ebc5b # v2.5.1
+        with:
+          source_gh_token: ${{ steps.template-sync-app-token.outputs.token }}
+          source_repo_path: lablabs/terraform-aws-eks-universal-addon
+          upstream_branch: main
+
+          target_gh_token: ${{ steps.template-sync-app-token.outputs.token }}
+
+          git_remote_pull_params: --allow-unrelated-histories --squash --strategy=recursive --no-tags -X theirs
+
+          pr_labels: kind/sync
+          pr_branch_name_prefix: "feat/universal-addon-sync"
+          pr_title: "feat(sync): sync universal-addon changes"
+          pr_commit_msg: "feat(sync): sync universal-addon changes"
+
+          is_pr_cleanup: true
+
+      - name: Setup ASDF
+        uses: asdf-vm/actions/setup@05e0d2ed97b598bfce82fd30daf324ae0c4570e6 # v3.0.2
+
+      - name: Cache ASDF
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        id: asdf-cache
+        with:
+          # https://github.com/asdf-vm/asdf/blob/master/.gitignore
+          path: |
+            ~/.asdf/installs
+            ~/.asdf/plugins
+            ~/.asdf/shims
+          key: ${{ runner.os }}-asdf-${{ hashFiles('.tool-versions') }}
+          restore-keys: ${{ runner.os }}-asdf-
+
+      - name: Install ASDF
+        uses: asdf-vm/actions/install@05e0d2ed97b598bfce82fd30daf324ae0c4570e6 # v3.0.2
+        if: ${{ steps.asdf-cache.outputs.cache-hit != 'true' }}
+        with:
+          asdf_branch: ${{ env.ASDF_VERSION }}
+
+      - name: Reshim installed ASDF tools
+        shell: bash
+        run: asdf reshim
+
+      - name: Cache pip
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        with:
+          path: ~/.cache/pip/
+          key: ${{ runner.os }}-pip-${{ hashFiles('.pre-commit-config.yaml') }}
+          restore-keys: |
+            ${{ runner.os }}-pip-
+
+      - name: Update README.md
+        run: pre-commit run --show-diff-on-failure --color=always terraform_docs --all-files || true
+
+      - name: Commit and push README.md
+        uses: EndBug/add-and-commit@a94899bca583c204427a224a7af87c02f9b325d5 # v9.1.4
+        with:
+          add: README.md
+          message: "docs: update README.md"

.github/workflows/template-sync.yaml

@@ -11,42 +11,45 @@ on:
       - master
 
 jobs:
-  versionExtract:
+  extract-version:
     name: Extract min/max Terraform versions
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Extract Terraform min/max versions
-        id: minMax
-        uses: clowdhaus/terraform-min-max@main
+        id: terraform-min-max
+        uses: clowdhaus/terraform-min-max@f489335873df04c3ce04b5e73f385a726d910039 # v1.3.2
         with:
           directory: .
     outputs:
-      minVersion: ${{ steps.minMax.outputs.minVersion }}
-      maxVersion: ${{ steps.minMax.outputs.maxVersion }}
+      minVersion: ${{ steps.terraform-min-max.outputs.minVersion }}
+      maxVersion: ${{ steps.terraform-min-max.outputs.maxVersion }}
 
   terraform-validate:
-    runs-on: ubuntu-22.04
-    needs: versionExtract
+    runs-on: ubuntu-24.04
+    needs: extract-version
     strategy:
       matrix:
         tf_ver:
-          - ${{ needs.versionExtract.outputs.minVersion }}
-          - ${{ needs.versionExtract.outputs.maxVersion }}
-
+          - ${{ needs.extract-version.outputs.minVersion }}
+          - ${{ needs.extract-version.outputs.maxVersion }}
     steps:
-    - uses: actions/checkout@v3
-    - uses: hashicorp/setup-terraform@v2
-      with:
-        terraform_version: ${{ matrix.tf_ver }}
-
-    - name: Terraform Init
-      id: init
-      run: terraform init
-
-    - name: Terraform Validate
-      id: validate
-      run: terraform validate
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
+        with:
+          terraform_version: ${{ matrix.tf_ver }}
+
+      - name: Terraform Init
+        run: terraform init
+
+      - name: Terraform Validate
+        run: terraform validate

.github/workflows/validate.yaml

@@ -32,5 +32,3 @@ override.tf.json
 # Ignore CLI configuration files
 .terraformrc
 terraform.rc
-
-.terraform.lock.hcl

.gitignore

@@ -1,32 +1,49 @@
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.4.0
+    rev: v5.0.0
     hooks:
       - id: trailing-whitespace
+        args: ["--markdown-linebreak-ext=md"]
       - id: check-merge-conflict
       - id: detect-aws-credentials
-        args: ['--allow-missing-credentials']
+        args: ["--allow-missing-credentials"]
       - id: detect-private-key
       - id: end-of-file-fixer
 
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.83.1
+    rev: v1.96.3
     hooks:
-    - id: terraform_fmt
-    - id: terraform_tflint
-      args:
-        - --args=--config=__GIT_WORKING_DIR__/.tflint.hcl
-    - id: terraform_validate
-    - id: terraform_checkov
-      args:
-        - '--args=--skip-check CKV_TF_1' #CKV_TF_1: "Ensure Terraform module sources use a commit hash"
-    - id: terraform_docs
-      args:
-        - '--args=--config=.terraform-docs.yml'
+      - id: terraform_validate
+      - id: terraform_fmt
+      - id: terraform_providers_lock
+        args:
+          - --hook-config=--mode=only-check-is-current-lockfile-cross-platform
+          - --args=-platform=darwin_amd64
+          - --args=-platform=darwin_arm64
+          - --args=-platform=linux_amd64
+      - id: terraform_tflint
+        args:
+          - --args=--config=__GIT_WORKING_DIR__/.tflint.hcl
+      - id: terraform_checkov
+        args:
+          - "--args=--quiet --skip-check CKV_TF_1" #CKV_TF_1: "Ensure Terraform module sources use a commit hash"
+      - id: terraform_docs
+        args:
+          - "--args=--config=.terraform-docs.yml"
 
   - repo: https://github.com/Yelp/detect-secrets
-    rev: v1.4.0
+    rev: v1.5.0
     hooks:
       - id: detect-secrets
-        args: ['--baseline', '.secrets.baseline']
+        args: ["--baseline", ".secrets.baseline"]
         exclude: terraform.tfstate
+
+  - repo: local
+    hooks:
+      - id: sync-variables
+        name: Sync module variables
+        entry: ./scripts/sync-variables.py
+        language: system
+        types: [python]
+        always_run: true
+        pass_filenames: false