From 2b6fa3f9ca0cb6a9b9fd297b97027e40a1753052 Mon Sep 17 00:00:00 2001 From: Tim Anderegg Date: Fri, 23 Jan 2026 09:13:14 -0500 Subject: [PATCH 01/23] Refresh TF state. --- .../.terraform.lock.hcl | 26 +++++-------------- 1 file changed, 7 insertions(+), 19 deletions(-) diff --git a/terraform-k8s-infrastructure/.terraform.lock.hcl b/terraform-k8s-infrastructure/.terraform.lock.hcl index 785e9bf..80d3d94 100644 --- a/terraform-k8s-infrastructure/.terraform.lock.hcl +++ b/terraform-k8s-infrastructure/.terraform.lock.hcl @@ -6,6 +6,7 @@ provider "registry.terraform.io/cloudflare/cloudflare" { constraints = "~> 3.30.0" hashes = [ "h1:VoKtn0DsmPCwOWirDIzxhjAnLKlHy4WFcYjtcg/FG/U=", + "h1:h+FHHosP01pKaH0Tn5+pId3IT6vBE6uHQxvEtNeL/KY=", "zh:1f1a09c954f21fc4665292b898db8c12c8b2083cfb02fb4fffa3b9db1df5a789", "zh:3212a58a15d69ba0781f4d60290164d8690f831d9f8b8d35c21e6616620e0cb0", "zh:574af296091adb2c109547f5ef919bae90a0ef72a86894e40d93304551b5b176", @@ -28,6 +29,7 @@ provider "registry.terraform.io/gavinbunney/kubectl" { constraints = "~> 1.14.0" hashes = [ "h1:gLFn+RvP37sVzp9qnFCwngRjjFV649r6apjxvJ1E/SE=", + "h1:mX2AOFIMIxJmW5kM8DT51gloIOKCr9iT6W8yodnUyfs=", "zh:0350f3122ff711984bbc36f6093c1fe19043173fad5a904bce27f86afe3cc858", "zh:07ca36c7aa7533e8325b38232c77c04d6ef1081cb0bac9d56e8ccd51f12f2030", "zh:0c351afd91d9e994a71fe64bbd1662d0024006b3493bb61d46c23ea3e42a7cf5", 
@@ -40,30 +42,12 @@ provider "registry.terraform.io/gavinbunney/kubectl" { ] } -provider "registry.terraform.io/hashicorp/archive" { - version = "2.4.0" - hashes = [ - "h1:EtN1lnoHoov3rASpgGmh6zZ/W6aRCTgKC7iMwvFY1yc=", - "zh:18e408596dd53048f7fc8229098d0e3ad940b92036a24287eff63e2caec72594", - "zh:392d4216ecd1a1fd933d23f4486b642a8480f934c13e2cae3c13b6b6a7e34a7b", - "zh:655dd1fa5ca753a4ace21d0de3792d96fff429445717f2ce31c125d19c38f3ff", - "zh:70dae36c176aa2b258331ad366a471176417a94dd3b4985a911b8be9ff842b00", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:7d8c8e3925f1e21daf73f85983894fbe8868e326910e6df3720265bc657b9c9c", - "zh:a032ec0f0aee27a789726e348e8ad20778c3a1c9190ef25e7cff602c8d175f44", - "zh:b8e50de62ba185745b0fe9713755079ad0e9f7ac8638d204de6762cc36870410", - "zh:c8ad0c7697a3d444df21ff97f3473a8604c8639be64afe3f31b8ec7ad7571e18", - "zh:df736c5a2a7c3a82c5493665f659437a22f0baf8c2d157e45f4dd7ca40e739fc", - "zh:e8ffbf578a0977074f6d08aa8734e36c726e53dc79894cfc4f25fadc4f45f1df", - "zh:efea57ff23b141551f92b2699024d356c7ffd1a4ad62931da7ed7a386aef7f1f", - ] -} - provider "registry.terraform.io/hashicorp/aws" { version = "4.48.0" constraints = "~> 4.48.0" hashes = [ "h1:Fz26mWZmM9syrY91aPeTdd3hXG4DvMR81ylWC9xE2uA=", + "h1:t/R3B4mibkp2zLer4MfhFbwHAVLAq71mJz4nwdUydBE=", "zh:08f5e3c5256a4fbd5c988863d10e5279172b2470fec6d4fb13c372663e7f7cac", "zh:2a04376b7fa84681bd2938973c7d0822c8c0f0656a4e7661a2f50ac4d852d4a3", "zh:30d6cdf321aaba874934cbde505333d89d172d8d5ffcf40b6e66626c57bc6ab2", @@ -86,6 +70,7 @@ provider "registry.terraform.io/hashicorp/helm" { version = "2.8.0" constraints = "~> 2.8.0" hashes = [ + "h1:U0w0mUT0SwZCR0poGNSxGaZJKWcOiu4GerpGztYBiMM=", "h1:abRryu69lsIGXctqjMVoaKqi74eE12Vzd2FLpds1/PI=", "zh:1e42d1a04c07d4006844e477ca32b5f45b04f6525dbbbe00b6be6e6ec5a11c54", "zh:2f87187cb48ccfb18d12e2c4332e7e822923b659e7339b954b7db78aff91529f", 
@@ -106,6 +91,7 @@ provider "registry.terraform.io/hashicorp/kubernetes" { version = "2.16.1" constraints = "~> 2.16.1" hashes = [ + "h1:PO4Ye/+lu5hCaUEOtwNOldQYoA0dqL1bcBICIpdlcd8=", "h1:i+DwtJK82sIWmTcQA9lL0mlET+14/QpUqv10fU2o3As=", "zh:06224975f5910d41e73b35a4d5079861da2c24f9353e3ebb015fbb3b3b996b1c", "zh:2bc400a8d9fe7755cca27c2551564a9e2609cfadc77f526ef855114ee02d446f", @@ -126,6 +112,7 @@ provider "registry.terraform.io/hashicorp/null" { version = "3.2.1" hashes = [ "h1:FbGfc+muBsC17Ohy5g806iuI1hQc4SIexpYCrQHQd8w=", + "h1:tSj1mL6OQ8ILGqR2mDu7OYYYWf+hoir0pf9KAQ8IzO8=", "zh:58ed64389620cc7b82f01332e27723856422820cfd302e304b5f6c3436fb9840", "zh:62a5cc82c3b2ddef7ef3a6f2fedb7b9b3deff4ab7b414938b08e51d6e8be87cb", "zh:63cff4de03af983175a7e37e52d4bd89d990be256b16b5c7f919aff5ad485aa5", @@ -144,6 +131,7 @@ provider "registry.terraform.io/hashicorp/null" { provider "registry.terraform.io/hashicorp/template" { version = "2.2.0" hashes = [ + "h1:0wlehNaxBX7GJQnPfQwTNvvAf38Jm0Nv7ssKGMaG6Og=", "h1:94qn780bi1qjrbC3uQtjJh3Wkfwd5+tTtJHOb7KTg9w=", "zh:01702196f0a0492ec07917db7aaa595843d8f171dc195f4c988d2ffca2a06386", "zh:09aae3da826ba3d7df69efeb25d146a1de0d03e951d35019a0f80e4f58c89b53", From 5bec9b48a11c9cac7c1fa3c65fd5df33bc613e2c Mon Sep 17 00:00:00 2001 From: Tim Anderegg Date: Mon, 26 Jan 2026 14:19:18 -0500 Subject: [PATCH 02/23] Add TF Plan to GHA for k8s, and fix cloudflare keys. --- .github/workflows/terraform_plan.yaml | 36 ++++++++++++++++++- .../.terraform.lock.hcl | 27 +++++++------- terraform-k8s-infrastructure/main.tf | 12 ++++--- .../modules/k8s_infrastructure/variable.tf | 10 ++++++ .../modules/k8s_infrastructure/versions.tf | 10 ++++++ .../k8s_microservice_routing/variables.tf | 10 ++++++ .../k8s_microservice_routing/versions.tf | 5 +++ terraform-k8s-infrastructure/variables.tf | 17 +++++++++ terraform-k8s-infrastructure/versions.tf | 10 ++++++ 9 files changed, 118 insertions(+), 19 deletions(-) 
diff --git a/.github/workflows/terraform_plan.yaml b/.github/workflows/terraform_plan.yaml index 11565d0..a487abe 100644 --- a/.github/workflows/terraform_plan.yaml +++ b/.github/workflows/terraform_plan.yaml @@ -5,7 +5,7 @@ on: branches: [dev, staging] jobs: - plan: + plan-infra: runs-on: ubuntu-latest env: @@ -38,3 +38,37 @@ jobs: -var "cloudflare_api_key=${TF_VAR_cloudflare_api_key}" \ -var "cloudflare_email=${TF_VAR_cloudflare_email}" \ -var "sparkpost_api_key=${TF_VAR_sparkpost_api_key}" + + plan-k8s: + runs-on: ubuntu-latest + + env: + ENV: ${{ github.base_ref }} + AWS_ACCESS_KEY_ID: >- + ${{ github.base_ref == 'production' && secrets.aws_key_production || + github.base_ref == 'staging' && secrets.aws_key_staging || + secrets.aws_key_dev }} + AWS_SECRET_ACCESS_KEY: >- + ${{ github.base_ref == 'production' && secrets.aws_secret_production || + github.base_ref == 'staging' && secrets.aws_secret_staging || + secrets.aws_secret_dev }} + AWS_REGION: >- + ${{ github.base_ref == 'production' && secrets.aws_region_production || + github.base_ref == 'staging' && secrets.aws_region_staging || + secrets.aws_region_dev }} + TF_VAR_cloudflare_api_key: ${{ secrets.cloudflare_api_key }} + TF_VAR_cloudflare_email: ${{ secrets.cloudflare_email }} + TF_VAR_sparkpost_api_key: ${{ secrets.sparkpost_api_key }} + + steps: + - uses: actions/checkout@v1 + + - name: TF Init + run: ./scripts/infra -chdir=terraform-k8s-infrastructure init -backend-config=vars/backend-$ENV.tfvars + + - name: TF Plan + run: | + ./scripts/infra -chdir=terraform-k8s-infrastructure plan -var-file=vars/terraform-$ENV.tfvars \ + -var "cloudflare_api_key=${TF_VAR_cloudflare_api_key}" \ + -var "cloudflare_email=${TF_VAR_cloudflare_email}" \ + -var "sparkpost_api_key=${TF_VAR_sparkpost_api_key}" diff --git a/terraform-k8s-infrastructure/.terraform.lock.hcl b/terraform-k8s-infrastructure/.terraform.lock.hcl index 80d3d94..cc9b02c 100644 --- a/terraform-k8s-infrastructure/.terraform.lock.hcl 
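Review bot: The `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY`/`AWS_REGION` selectors in the new `plan-k8s` job fall through to the `*_dev` secrets whenever the staging or production secret is unset, because in workflow expressions `a && b || c` yields `c` when `b` is empty, so a misnamed `aws_secret_staging` would silently plan staging against the dev account with no error. Indexing the secret by environment instead, e.g. `AWS_ACCESS_KEY_ID: ${{ secrets[format('aws_key_{0}', github.base_ref)] }}`, should leave the credential empty on a miss so `terraform init` fails loudly; note also that `branches: [dev, staging]` means the `production` arm of these conditionals is never exercised here, if that trigger list is complete. Separately, `-var "cloudflare_api_key=${TF_VAR_cloudflare_api_key}"` repeats a value Terraform already reads from the `TF_VAR_` environment and places the key in the process argument list, visible to anything that can run `ps` on the runner; the `-var` flags for secrets can simply be dropped.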
+++ b/terraform-k8s-infrastructure/.terraform.lock.hcl 
@@ -109,22 +109,21 @@ provider "registry.terraform.io/hashicorp/kubernetes" { } provider "registry.terraform.io/hashicorp/null" { - version = "3.2.1" + version = "3.2.4" hashes = [ - "h1:FbGfc+muBsC17Ohy5g806iuI1hQc4SIexpYCrQHQd8w=", - "h1:tSj1mL6OQ8ILGqR2mDu7OYYYWf+hoir0pf9KAQ8IzO8=", - "zh:58ed64389620cc7b82f01332e27723856422820cfd302e304b5f6c3436fb9840", - "zh:62a5cc82c3b2ddef7ef3a6f2fedb7b9b3deff4ab7b414938b08e51d6e8be87cb", - "zh:63cff4de03af983175a7e37e52d4bd89d990be256b16b5c7f919aff5ad485aa5", - "zh:74cb22c6700e48486b7cabefa10b33b801dfcab56f1a6ac9b6624531f3d36ea3", + "h1:hkf5w5B6q8e2A42ND2CjAvgvSN3puAosDmOJb3zCVQM=", + "zh:59f6b52ab4ff35739647f9509ee6d93d7c032985d9f8c6237d1f8a59471bbbe2", "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:79e553aff77f1cfa9012a2218b8238dd672ea5e1b2924775ac9ac24d2a75c238", - "zh:a1e06ddda0b5ac48f7e7c7d59e1ab5a4073bbcf876c73c0299e4610ed53859dc", - "zh:c37a97090f1a82222925d45d84483b2aa702ef7ab66532af6cbcfb567818b970", - "zh:e4453fbebf90c53ca3323a92e7ca0f9961427d2f0ce0d2b65523cc04d5d999c2", - "zh:e80a746921946d8b6761e77305b752ad188da60688cfd2059322875d363be5f5", - "zh:fbdb892d9822ed0e4cb60f2fedbdbb556e4da0d88d3b942ae963ed6ff091e48f", - "zh:fca01a623d90d0cad0843102f9b8b9fe0d3ff8244593bd817f126582b52dd694", + "zh:795c897119ff082133150121d39ff26cb5f89a730a2c8c26f3a9c1abf81a9c43", + "zh:7b9c7b16f118fbc2b05a983817b8ce2f86df125857966ad356353baf4bff5c0a", + "zh:85e33ab43e0e1726e5f97a874b8e24820b6565ff8076523cc2922ba671492991", + "zh:9d32ac3619cfc93eb3c4f423492a8e0f79db05fec58e449dee9b2d5873d5f69f", + "zh:9e15c3c9dd8e0d1e3731841d44c34571b6c97f5b95e8296a45318b94e5287a6e", + "zh:b4c2ab35d1b7696c30b64bf2c0f3a62329107bd1a9121ce70683dec58af19615", + "zh:c43723e8cc65bcdf5e0c92581dcbbdcbdcf18b8d2037406a5f2033b1e22de442", + "zh:ceb5495d9c31bfb299d246ab333f08c7fb0d67a4f82681fbf47f2a21c3e11ab5", + "zh:e171026b3659305c558d9804062762d168f50ba02b88b231d20ec99578a6233f", + 
"zh:ed0fe2acdb61330b01841fa790be00ec6beaac91d41f311fb8254f74eb6a711f", ] } diff --git a/terraform-k8s-infrastructure/main.tf b/terraform-k8s-infrastructure/main.tf index 1c85f00..1e68a42 100644 --- a/terraform-k8s-infrastructure/main.tf +++ b/terraform-k8s-infrastructure/main.tf @@ -18,17 +18,19 @@ data "aws_vpc" "eks_vpc" { module "k8s_infrastructure" { source = "./modules/k8s_infrastructure" - cluster_endpoint = "${data.aws_eks_cluster.rw_api.endpoint}:4433" + cluster_endpoint = "${data.aws_eks_cluster.rw_api.endpoint}:${var.cluster_port}" cluster_ca = data.aws_eks_cluster.rw_api.certificate_authority.0.data cluster_name = data.aws_eks_cluster.rw_api.name aws_region = var.aws_region vpc_id = data.aws_vpc.eks_vpc.id deploy_metrics_server = var.deploy_metrics_server + cloudflare_api_key = var.cloudflare_api_key + cloudflare_email = var.cloudflare_email } module "k8s_data_layer" { source = "./modules/k8s_data_layer" - cluster_endpoint = "${data.aws_eks_cluster.rw_api.endpoint}:4433" + cluster_endpoint = "${data.aws_eks_cluster.rw_api.endpoint}:${var.cluster_port}" cluster_ca = data.aws_eks_cluster.rw_api.certificate_authority.0.data cluster_name = data.aws_eks_cluster.rw_api.name aws_region = var.aws_region 
@@ -45,18 +47,20 @@ module "k8s_microservice_routing" { environment = var.environment dns_prefix = var.dns_prefix vpc = data.aws_vpc.eks_vpc - cluster_endpoint = "${data.aws_eks_cluster.rw_api.endpoint}:4433" + cluster_endpoint = "${data.aws_eks_cluster.rw_api.endpoint}:${var.cluster_port}" cluster_ca = data.aws_eks_cluster.rw_api.certificate_authority.0.data cluster_name = data.aws_eks_cluster.rw_api.name tf_core_state_bucket = var.tf_core_state_bucket x_rw_domain = var.x_rw_domain fw_backend_url = var.fw_backend_url require_api_key = var.require_api_key + cloudflare_api_key = var.cloudflare_api_key + cloudflare_email = var.cloudflare_email } module "k8s_namespaces" { source = "./modules/k8s_namespaces" - cluster_endpoint = "${data.aws_eks_cluster.rw_api.endpoint}:4433" + cluster_endpoint = "${data.aws_eks_cluster.rw_api.endpoint}:${var.cluster_port}" cluster_ca = data.aws_eks_cluster.rw_api.certificate_authority.0.data cluster_name = data.aws_eks_cluster.rw_api.name kubectl_context = "aws-rw-${var.environment}" diff --git a/terraform-k8s-infrastructure/modules/k8s_infrastructure/variable.tf b/terraform-k8s-infrastructure/modules/k8s_infrastructure/variable.tf index 03672f3..c18a6b6 100644 --- a/terraform-k8s-infrastructure/modules/k8s_infrastructure/variable.tf +++ b/terraform-k8s-infrastructure/modules/k8s_infrastructure/variable.tf @@ -28,3 +28,13 @@ variable "deploy_metrics_server" { type = bool description = "If AWS Metrics server should be deployed" } + +variable "cloudflare_api_key" { + type = string + description = "Cloudflare API key" +} + +variable "cloudflare_email" { + type = string + description = "Cloudflare email" +} diff --git a/terraform-k8s-infrastructure/modules/k8s_infrastructure/versions.tf b/terraform-k8s-infrastructure/modules/k8s_infrastructure/versions.tf index d928a93..f035d31 100644 --- a/terraform-k8s-infrastructure/modules/k8s_infrastructure/versions.tf +++ b/terraform-k8s-infrastructure/modules/k8s_infrastructure/versions.tf 
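Review bot: `variable "cloudflare_api_key"` in the `modules/k8s_infrastructure/variable.tf` hunk is declared without `sensitive = true`, so if the value is ever interpolated into a resource argument or output, Terraform 1.3.6 will print it verbatim in plan output and therefore in the CI log; add `sensitive   = true` to the block (and treat `cloudflare_email` the same way if it is considered private). The identical declaration is added to the root `variables.tf` and the routing module in this commit and should carry the flag in all three places, since the flag is not inherited through module inputs.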
@@ -14,6 +14,11 @@ terraform { source = "hashicorp/helm" version = "~> 2.8.0" } + + cloudflare = { + source = "cloudflare/cloudflare" + version = "~> 3.30.0" + } } required_version = "1.3.6" } @@ -22,6 +27,11 @@ provider "aws" { region = var.aws_region } +provider "cloudflare" { + api_key = var.cloudflare_api_key + email = var.cloudflare_email +} + provider "helm" { kubernetes { host = var.cluster_endpoint diff --git a/terraform-k8s-infrastructure/modules/k8s_microservice_routing/variables.tf b/terraform-k8s-infrastructure/modules/k8s_microservice_routing/variables.tf index aea05bf..0bbe06d 100644 --- a/terraform-k8s-infrastructure/modules/k8s_microservice_routing/variables.tf +++ b/terraform-k8s-infrastructure/modules/k8s_microservice_routing/variables.tf @@ -66,3 +66,13 @@ variable "require_api_key" { type = bool default = false } + +variable "cloudflare_api_key" { + type = string + description = "Cloudflare API key" +} + +variable "cloudflare_email" { + type = string + description = "Cloudflare email" +} \ No newline at end of file diff --git a/terraform-k8s-infrastructure/modules/k8s_microservice_routing/versions.tf b/terraform-k8s-infrastructure/modules/k8s_microservice_routing/versions.tf index 109bf07..70710e3 100644 --- a/terraform-k8s-infrastructure/modules/k8s_microservice_routing/versions.tf +++ b/terraform-k8s-infrastructure/modules/k8s_microservice_routing/versions.tf @@ -15,3 +15,8 @@ terraform { } required_version = "1.3.6" } + +provider "cloudflare" { + api_key = var.cloudflare_api_key + email = var.cloudflare_email +} \ No newline at end of file diff --git a/terraform-k8s-infrastructure/variables.tf b/terraform-k8s-infrastructure/variables.tf index 0b56188..5996515 100644 --- a/terraform-k8s-infrastructure/variables.tf +++ b/terraform-k8s-infrastructure/variables.tf 
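Review bot: The new `provider "cloudflare"` blocks authenticate with `api_key` plus `email`, which is the account Global API Key: it grants unrestricted access to every zone and account setting and cannot be scoped or rotated independently of the user's login, so a leak of the `cloudflare_api_key` CI secret is a full account compromise. The 3.x provider also accepts `api_token`, so a token restricted to the zones and permissions this module actually needs (presumably DNS edit on the relevant zone) would shrink the blast radius; the change is `api_token = var.cloudflare_api_token` in place of the two arguments, with a matching `sensitive = true` variable. Whether anything in these modules still requires Global-key-only endpoints is not visible from this hunk and should be confirmed before switching.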
@@ -15,6 +15,12 @@ variable "aws_region" { description = "A valid AWS region to configure the underlying AWS SDK." } +variable "cluster_port" { + type = string + description = "THe k8s cluster port, if different from 443." + default = "443" +} + variable "dns_prefix" { type = string description = "DNS prefix for public URLs created in this project." @@ -87,3 +93,14 @@ variable "fw_backend_url" { variable "require_api_key" { type = bool } + +variable "cloudflare_api_key" { + type = string + description = "Cloudflare API key" +} + +variable "cloudflare_email" { + type = string + description = "Cloudflare email" +} + diff --git a/terraform-k8s-infrastructure/versions.tf b/terraform-k8s-infrastructure/versions.tf index a9453dc..9c10bd8 100644 --- a/terraform-k8s-infrastructure/versions.tf +++ b/terraform-k8s-infrastructure/versions.tf @@ -4,6 +4,11 @@ terraform { source = "hashicorp/aws" version = "~> 4.48.0" } + + cloudflare = { + source = "cloudflare/cloudflare" + version = "~> 3.30.0" + } } required_version = "1.3.6" } @@ -11,3 +16,8 @@ terraform { provider "aws" { region = var.aws_region } + +provider "cloudflare" { + api_key = var.cloudflare_api_key + email = var.cloudflare_email +} \ No newline at end of file From 819d23624c0a86c7f3f75d60ac5cf06798ec3882 Mon Sep 17 00:00:00 2001 From: Tim Anderegg Date: Mon, 26 Jan 2026 14:21:22 -0500 Subject: [PATCH 03/23] Remove unneeded Sparkpost variable. --- .github/workflows/terraform_plan.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/terraform_plan.yaml b/.github/workflows/terraform_plan.yaml index a487abe..2672f76 100644 --- a/.github/workflows/terraform_plan.yaml +++ b/.github/workflows/terraform_plan.yaml @@ -58,7 +58,6 @@ jobs: secrets.aws_region_dev }} TF_VAR_cloudflare_api_key: ${{ secrets.cloudflare_api_key }} TF_VAR_cloudflare_email: ${{ secrets.cloudflare_email }} - TF_VAR_sparkpost_api_key: ${{ secrets.sparkpost_api_key }} steps: - uses: actions/checkout@v1 
From 9c5a54dce419f2b01d656350a33c3fef08f8de79 Mon Sep 17 00:00:00 2001 From: Tim Anderegg Date: Mon, 26 Jan 2026 14:23:15 -0500 Subject: [PATCH 04/23] Add steps to existing job in order to ensure sequential run. --- .github/workflows/terraform_plan.yaml | 31 ++++----------------------- 1 file changed, 4 insertions(+), 27 deletions(-) diff --git a/.github/workflows/terraform_plan.yaml b/.github/workflows/terraform_plan.yaml index 2672f76..064014e 100644 --- a/.github/workflows/terraform_plan.yaml +++ b/.github/workflows/terraform_plan.yaml @@ -5,7 +5,7 @@ on: branches: [dev, staging] jobs: - plan-infra: + plan: runs-on: ubuntu-latest env: @@ -38,30 +38,7 @@ jobs: -var "cloudflare_api_key=${TF_VAR_cloudflare_api_key}" \ -var "cloudflare_email=${TF_VAR_cloudflare_email}" \ -var "sparkpost_api_key=${TF_VAR_sparkpost_api_key}" - - plan-k8s: - runs-on: ubuntu-latest - - env: - ENV: ${{ github.base_ref }} - AWS_ACCESS_KEY_ID: >- - ${{ github.base_ref == 'production' && secrets.aws_key_production || - github.base_ref == 'staging' && secrets.aws_key_staging || - secrets.aws_key_dev }} - AWS_SECRET_ACCESS_KEY: >- - ${{ github.base_ref == 'production' && secrets.aws_secret_production || - github.base_ref == 'staging' && secrets.aws_secret_staging || - secrets.aws_secret_dev }} - AWS_REGION: >- - ${{ github.base_ref == 'production' && secrets.aws_region_production || - github.base_ref == 'staging' && secrets.aws_region_staging || - secrets.aws_region_dev }} - TF_VAR_cloudflare_api_key: ${{ secrets.cloudflare_api_key }} - TF_VAR_cloudflare_email: ${{ secrets.cloudflare_email }} - - steps: - - uses: actions/checkout@v1 - + - name: TF Init run: ./scripts/infra -chdir=terraform-k8s-infrastructure init -backend-config=vars/backend-$ENV.tfvars 
@@ -69,5 +46,5 @@ jobs: run: | ./scripts/infra -chdir=terraform-k8s-infrastructure plan -var-file=vars/terraform-$ENV.tfvars \ -var "cloudflare_api_key=${TF_VAR_cloudflare_api_key}" \ - -var "cloudflare_email=${TF_VAR_cloudflare_email}" \ - -var "sparkpost_api_key=${TF_VAR_sparkpost_api_key}" + -var "cloudflare_email=${TF_VAR_cloudflare_email}" + From bdbb4f401ef30e1ada476167f91eca74260dfa81 Mon Sep 17 00:00:00 2001 From: Tim Anderegg Date: Mon, 26 Jan 2026 14:34:10 -0500 Subject: [PATCH 05/23] Ensure AWS cli is installed. --- .github/workflows/terraform_plan.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/terraform_plan.yaml b/.github/workflows/terraform_plan.yaml index 064014e..8a74311 100644 --- a/.github/workflows/terraform_plan.yaml +++ b/.github/workflows/terraform_plan.yaml @@ -29,6 +29,11 @@ jobs: steps: - uses: actions/checkout@v1 + - name: Install AWS CLI + run: | + sudo apt-get update + sudo apt-get install -y awscli + - name: TF Init run: ./scripts/infra -chdir=terraform init -backend-config=vars/backend-$ENV.tfvars From cf5c7ef0ceaf52d3521fca31bdbca79884e1b4ac Mon Sep 17 00:00:00 2001 From: Tim Anderegg Date: Mon, 26 Jan 2026 14:34:36 -0500 Subject: [PATCH 06/23] Fix indentation. --- .github/workflows/terraform_plan.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/terraform_plan.yaml b/.github/workflows/terraform_plan.yaml index 8a74311..22a2be9 100644 --- a/.github/workflows/terraform_plan.yaml +++ b/.github/workflows/terraform_plan.yaml @@ -30,9 +30,9 @@ jobs: - uses: actions/checkout@v1 - name: Install AWS CLI - run: | - sudo apt-get update - sudo apt-get install -y awscli + run: | + sudo apt-get update + sudo apt-get install -y awscli - name: TF Init run: ./scripts/infra -chdir=terraform init -backend-config=vars/backend-$ENV.tfvars From 4f909e067f79170be30876f7a44f917b3363704d Mon Sep 17 00:00:00 2001 
From: Tim Anderegg Date: Tue, 27 Jan 2026 16:26:04 -0500 Subject: [PATCH 07/23] Build custom image with AWS CLI installed. --- .github/workflows/terraform_plan.yaml | 5 ----- terraform/docker/Dockerfile | 7 +++++++ terraform/docker/docker-compose.yml | 3 ++- 3 files changed, 9 insertions(+), 6 deletions(-) create mode 100644 terraform/docker/Dockerfile diff --git a/.github/workflows/terraform_plan.yaml b/.github/workflows/terraform_plan.yaml index 22a2be9..064014e 100644 --- a/.github/workflows/terraform_plan.yaml +++ b/.github/workflows/terraform_plan.yaml @@ -29,11 +29,6 @@ jobs: steps: - uses: actions/checkout@v1 - - name: Install AWS CLI - run: | - sudo apt-get update - sudo apt-get install -y awscli - - name: TF Init run: ./scripts/infra -chdir=terraform init -backend-config=vars/backend-$ENV.tfvars diff --git a/terraform/docker/Dockerfile b/terraform/docker/Dockerfile new file mode 100644 index 0000000..a6b660f --- /dev/null +++ b/terraform/docker/Dockerfile @@ -0,0 +1,7 @@ +FROM hashicorp/terraform:1.3.6 + +RUN apk add --upgrade --no-cache curl unzip \ + && curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o /tmp/awscliv2.zip \ + && unzip /tmp/awscliv2.zip -d /tmp \ + && /tmp/aws/install \ + && rm -rf /tmp/awscliv2.zip /tmp/aws diff --git a/terraform/docker/docker-compose.yml b/terraform/docker/docker-compose.yml index 47419f9..c9caaff 100644 --- a/terraform/docker/docker-compose.yml +++ b/terraform/docker/docker-compose.yml @@ -1,6 +1,7 @@ services: terraform: - image: hashicorp/terraform:1.3.6 + #image: hashicorp/terraform:1.3.6 + build: . volumes: - ../../:/usr/local/src - $HOME/.aws:/root/.aws:ro From 108119187d545aedd30f162386495a384c9f9561 Mon Sep 17 00:00:00 2001 From: Tim Anderegg Date: Tue, 27 Jan 2026 16:55:37 -0500 Subject: [PATCH 08/23] Try without docker --- .github/workflows/terraform_plan.yaml | 17 ++++++++++++----- terraform/docker/Dockerfile | 3 ++- 2 files changed, 14 insertions(+), 6 deletions(-) 
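Review bot: The `RUN` in the new `terraform/docker/Dockerfile` downloads `awscli-exe-linux-x86_64.zip` over the network and installs it without any integrity check, so the image trusts whatever the CDN returns at build time; AWS publishes a detached PGP signature for that archive (per the AWS CLI installation docs), and verifying it with `gpg --verify` before `unzip`, or at minimum comparing a pinned `sha256sum`, closes that gap. `curl` is also invoked without `-f`, so an HTTP error page would be written to `/tmp/awscliv2.zip` with a zero exit status instead of failing the build. Pinning the archive to a versioned URL and the base image to a digest would additionally make the build reproducible; the signing key below has to be committed to the repo alongside the Dockerfile.

```dockerfile
FROM hashicorp/terraform:1.3.6

# AWS CLI signing key, copied from the AWS CLI installation docs into the repo.
COPY awscli-public-key.asc /tmp/awscli-public-key.asc

RUN apk add --upgrade --no-cache curl unzip gnupg \
    && curl -fsSL "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o /tmp/awscliv2.zip \
    && curl -fsSL "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip.sig" -o /tmp/awscliv2.sig \
    && gpg --import /tmp/awscli-public-key.asc \
    && gpg --verify /tmp/awscliv2.sig /tmp/awscliv2.zip \
    && unzip /tmp/awscliv2.zip -d /tmp \
    # … unchanged: /tmp/aws/install and cleanup (also remove the .sig and key file) …
```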
diff --git a/.github/workflows/terraform_plan.yaml b/.github/workflows/terraform_plan.yaml index 064014e..51bcb41 100644 --- a/.github/workflows/terraform_plan.yaml +++ b/.github/workflows/terraform_plan.yaml @@ -27,24 +27,31 @@ jobs: TF_VAR_sparkpost_api_key: ${{ secrets.sparkpost_api_key }} steps: - - uses: actions/checkout@v1 + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Setup terraform + uses: hashicorp/setup-terraform@v3 + with: + terraform_version: 1.3.6 - name: TF Init - run: ./scripts/infra -chdir=terraform init -backend-config=vars/backend-$ENV.tfvars + #run: ./scripts/infra -chdir=terraform init -backend-config=vars/backend-$ENV.tfvars + run: terraform -chdir=terraform init -backend-config=vars/backend-$ENV.tfvars - name: TF Plan run: | - ./scripts/infra -chdir=terraform plan -var-file=vars/terraform-$ENV.tfvars \ + terraform -chdir=terraform plan -var-file=vars/terraform-$ENV.tfvars \ -var "cloudflare_api_key=${TF_VAR_cloudflare_api_key}" \ -var "cloudflare_email=${TF_VAR_cloudflare_email}" \ -var "sparkpost_api_key=${TF_VAR_sparkpost_api_key}" - name: TF Init - run: ./scripts/infra -chdir=terraform-k8s-infrastructure init -backend-config=vars/backend-$ENV.tfvars + run: terraform -chdir=terraform-k8s-infrastructure init -backend-config=vars/backend-$ENV.tfvars - name: TF Plan run: | - ./scripts/infra -chdir=terraform-k8s-infrastructure plan -var-file=vars/terraform-$ENV.tfvars \ + terraform -chdir=terraform-k8s-infrastructure plan -var-file=vars/terraform-$ENV.tfvars \ -var "cloudflare_api_key=${TF_VAR_cloudflare_api_key}" \ -var "cloudflare_email=${TF_VAR_cloudflare_email}" diff --git a/terraform/docker/Dockerfile b/terraform/docker/Dockerfile index a6b660f..3bf3886 100644 --- a/terraform/docker/Dockerfile +++ b/terraform/docker/Dockerfile 
@@ -4,4 +4,5 @@ RUN apk add --upgrade --no-cache curl unzip \ && curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o /tmp/awscliv2.zip \ && unzip /tmp/awscliv2.zip -d /tmp \ && /tmp/aws/install \ - && rm -rf /tmp/awscliv2.zip /tmp/aws + && rm -rf /tmp/awscliv2.zip /tmp/aws \ + && hash aws From f7f1b8ab3bc1896d54cf15c72c1c53be27573a3a Mon Sep 17 00:00:00 2001 From: Tim Anderegg Date: Tue, 27 Jan 2026 17:04:58 -0500 Subject: [PATCH 09/23] Add kubeconfig setup. --- .github/workflows/terraform_plan.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/terraform_plan.yaml b/.github/workflows/terraform_plan.yaml index 51bcb41..0ee0365 100644 --- a/.github/workflows/terraform_plan.yaml +++ b/.github/workflows/terraform_plan.yaml @@ -49,6 +49,9 @@ jobs: - name: TF Init run: terraform -chdir=terraform-k8s-infrastructure init -backend-config=vars/backend-$ENV.tfvars + - name: Configure Kubeconfig + run: aws eks update-kubeconfig --region us-east-1 --name core-k8s-cluster-$ENV + - name: TF Plan run: | terraform -chdir=terraform-k8s-infrastructure plan -var-file=vars/terraform-$ENV.tfvars \ From c7c043acff2d84389c72dd15d12a15aa012db514 Mon Sep 17 00:00:00 2001 From: Tim Anderegg Date: Tue, 27 Jan 2026 19:43:53 -0500 Subject: [PATCH 10/23] Switch all k8s providers to using a token generated up front. --- .../modules/k8s_data_layer/main.tf | 3 -- .../modules/k8s_data_layer/versions.tf | 36 ++++++++++-------- .../modules/k8s_infrastructure/main.tf | 11 ------ .../modules/k8s_infrastructure/versions.tf | 38 ++++++++++++------- .../modules/k8s_microservice_routing/main.tf | 10 ----- .../k8s_microservice_routing/versions.tf | 15 ++++++++ 6 files changed, 61 insertions(+), 52 deletions(-) diff --git a/terraform-k8s-infrastructure/modules/k8s_data_layer/main.tf b/terraform-k8s-infrastructure/modules/k8s_data_layer/main.tf index b1fe765..e69de29 100644 --- a/terraform-k8s-infrastructure/modules/k8s_data_layer/main.tf 
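Review bot: `&& hash aws` at the end of the `RUN` chain only refreshes the command-hash table of the shell executing that one `RUN`, which exits when the layer is built, so it has no effect on any later instruction or on the container at runtime. If the intent was to confirm the install succeeded, `&& aws --version` both verifies the binary is on `PATH` and fails the build if it is not; otherwise the line can be dropped.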
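Review bot: The new `Configure Kubeconfig` step hard-codes `--region us-east-1`, while the job's `AWS_REGION` is chosen per environment from `aws_region_dev`/`aws_region_staging`/`aws_region_production`; for any environment whose cluster lives elsewhere the step will fail, or worse, resolve a same-named cluster in the wrong region. Use the value the job already exports: `run: aws eks update-kubeconfig --region "$AWS_REGION" --name "core-k8s-cluster-$ENV"`. Whether this kubeconfig is still consumed once the providers are switched to `aws_eks_cluster_auth` tokens in the following commits is not visible from this hunk; if nothing reads `~/.kube/config` the step can be removed so no cluster credential is written to the runner filesystem.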
+++ b/terraform-k8s-infrastructure/modules/k8s_data_layer/main.tf @@ -1,3 +0,0 @@ -data "aws_eks_cluster_auth" "cluster" { - name = var.cluster_name -} \ No newline at end of file diff --git a/terraform-k8s-infrastructure/modules/k8s_data_layer/versions.tf b/terraform-k8s-infrastructure/modules/k8s_data_layer/versions.tf index b303265..f0fb4d7 100644 --- a/terraform-k8s-infrastructure/modules/k8s_data_layer/versions.tf +++ b/terraform-k8s-infrastructure/modules/k8s_data_layer/versions.tf @@ -22,15 +22,20 @@ provider "aws" { region = var.aws_region } +data "aws_eks_cluster_auth" "cluster" { + name = var.cluster_name +} + provider "kubernetes" { host = var.cluster_endpoint config_path = "~/.kube/config" cluster_ca_certificate = base64decode(var.cluster_ca) - exec { - api_version = "client.authentication.k8s.io/v1beta1" - args = ["eks", "get-token", "--cluster-name", var.cluster_name] - command = "aws" - } + token = data.aws_eks_cluster_auth.cluster.token + #exec { + # api_version = "client.authentication.k8s.io/v1beta1" + # args = ["eks", "get-token", "--cluster-name", var.cluster_name] + # command = "aws" + #} } provider "kubectl" { @@ -44,15 +49,16 @@ provider "helm" { kubernetes { host = var.cluster_endpoint cluster_ca_certificate = base64decode(var.cluster_ca) - exec { - api_version = "client.authentication.k8s.io/v1beta1" - args = [ - "eks", - "get-token", - "--cluster-name", - var.cluster_name - ] - command = "aws" - } + token = data.aws_eks_cluster_auth.cluster.token + #exec { + # api_version = "client.authentication.k8s.io/v1beta1" + # args = [ + # "eks", + # "get-token", + # "--cluster-name", + # var.cluster_name + # ] + # command = "aws" + #} } } diff --git a/terraform-k8s-infrastructure/modules/k8s_infrastructure/main.tf b/terraform-k8s-infrastructure/modules/k8s_infrastructure/main.tf index 55fcd73..0a6a766 100644 --- a/terraform-k8s-infrastructure/modules/k8s_infrastructure/main.tf +++ b/terraform-k8s-infrastructure/modules/k8s_infrastructure/main.tf 
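Review bot: Replacing the `exec` block with `token = data.aws_eks_cluster_auth.cluster.token` in the `kubernetes` and `helm` providers of `k8s_data_layer/versions.tf` trades a credential refreshed by `aws eks get-token` on every API call for a presigned STS token that is read once at plan time and is short-lived (on the order of minutes), so a plan followed by a slow apply can start failing with authentication errors partway through; that is the usual reason the `exec` form is recommended for EKS. The token is also a data-source attribute, so like other data-source results it is persisted in the state backend: it is marked sensitive for CLI output, but anyone with read access to the state file can reuse it until it expires. If the token approach is kept because the runner image lacks the `aws` binary, say so in a comment above the provider, and delete the commented-out `exec` blocks rather than carrying them, since git history already preserves them.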
@@ -1,14 +1,3 @@ -data "aws_eks_cluster_auth" "cluster" { - name = var.cluster_name -} - -provider "kubectl" { - host = var.cluster_endpoint - cluster_ca_certificate = base64decode(var.cluster_ca) - token = data.aws_eks_cluster_auth.cluster.token - load_config_file = false -} - #// https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html #// ALB Ingress Controller module "alb" { diff --git a/terraform-k8s-infrastructure/modules/k8s_infrastructure/versions.tf b/terraform-k8s-infrastructure/modules/k8s_infrastructure/versions.tf index f035d31..e613ff6 100644 --- a/terraform-k8s-infrastructure/modules/k8s_infrastructure/versions.tf +++ b/terraform-k8s-infrastructure/modules/k8s_infrastructure/versions.tf @@ -27,24 +27,36 @@ provider "aws" { region = var.aws_region } -provider "cloudflare" { - api_key = var.cloudflare_api_key - email = var.cloudflare_email +data "aws_eks_cluster_auth" "cluster" { + name = var.cluster_name +} + +provider "kubectl" { + host = var.cluster_endpoint + cluster_ca_certificate = base64decode(var.cluster_ca) + token = data.aws_eks_cluster_auth.cluster.token + load_config_file = false } provider "helm" { kubernetes { host = var.cluster_endpoint cluster_ca_certificate = base64decode(var.cluster_ca) - exec { - api_version = "client.authentication.k8s.io/v1beta1" - args = [ - "eks", - "get-token", - "--cluster-name", - var.cluster_name - ] - command = "aws" - } + token = data.aws_eks_cluster_auth.cluster.token + #exec { + # api_version = "client.authentication.k8s.io/v1beta1" + # args = [ + # "eks", + # "get-token", + # "--cluster-name", + # var.cluster_name + # ] + # command = "aws" + #} } } + +provider "cloudflare" { + api_key = var.cloudflare_api_key + email = var.cloudflare_email +} diff --git a/terraform-k8s-infrastructure/modules/k8s_microservice_routing/main.tf b/terraform-k8s-infrastructure/modules/k8s_microservice_routing/main.tf index e06c951..078efbb 100644 
--- a/terraform-k8s-infrastructure/modules/k8s_microservice_routing/main.tf +++ b/terraform-k8s-infrastructure/modules/k8s_microservice_routing/main.tf @@ -8,16 +8,6 @@ data "terraform_remote_state" "core" { } } -provider "kubernetes" { - host = var.cluster_endpoint - cluster_ca_certificate = base64decode(var.cluster_ca) - exec { - api_version = "client.authentication.k8s.io/v1beta1" - args = ["eks", "get-token", "--cluster-name", var.cluster_name] - command = "aws" - } -} - # # Base API Gateway setup # diff --git a/terraform-k8s-infrastructure/modules/k8s_microservice_routing/versions.tf b/terraform-k8s-infrastructure/modules/k8s_microservice_routing/versions.tf index 70710e3..bd2b326 100644 --- a/terraform-k8s-infrastructure/modules/k8s_microservice_routing/versions.tf +++ b/terraform-k8s-infrastructure/modules/k8s_microservice_routing/versions.tf @@ -16,6 +16,21 @@ terraform { required_version = "1.3.6" } +data "aws_eks_cluster_auth" "cluster" { + name = var.cluster_name +} + +provider "kubernetes" { + host = var.cluster_endpoint + cluster_ca_certificate = base64decode(var.cluster_ca) + token = data.aws_eks_cluster_auth.cluster.token + exec { + api_version = "client.authentication.k8s.io/v1beta1" + args = ["eks", "get-token", "--cluster-name", var.cluster_name] + command = "aws" + } +} + provider "cloudflare" { api_key = var.cloudflare_api_key email = var.cloudflare_email From 9ee7ff07941e7b2222f967fcc440708b84e0317c Mon Sep 17 00:00:00 2001 From: Tim Anderegg Date: Tue, 27 Jan 2026 20:14:08 -0500 Subject: [PATCH 11/23] Missed one exec. --- .../modules/k8s_microservice_routing/versions.tf | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/terraform-k8s-infrastructure/modules/k8s_microservice_routing/versions.tf b/terraform-k8s-infrastructure/modules/k8s_microservice_routing/versions.tf index bd2b326..9576088 100644 --- a/terraform-k8s-infrastructure/modules/k8s_microservice_routing/versions.tf 
+++ b/terraform-k8s-infrastructure/modules/k8s_microservice_routing/versions.tf @@ -24,11 +24,11 @@ provider "kubernetes" { host = var.cluster_endpoint cluster_ca_certificate = base64decode(var.cluster_ca) token = data.aws_eks_cluster_auth.cluster.token - exec { - api_version = "client.authentication.k8s.io/v1beta1" - args = ["eks", "get-token", "--cluster-name", var.cluster_name] - command = "aws" - } + #exec { + # api_version = "client.authentication.k8s.io/v1beta1" + # args = ["eks", "get-token", "--cluster-name", var.cluster_name] + # command = "aws" + #} } provider "cloudflare" { From 8eda5a71a1591196a761ca4b6b6149215291fbeb Mon Sep 17 00:00:00 2001 From: Tim Anderegg Date: Thu, 5 Feb 2026 11:24:16 -0500 Subject: [PATCH 12/23] Trying to fix helm/k8s auth. --- .../modules/k8s_data_layer/versions.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/terraform-k8s-infrastructure/modules/k8s_data_layer/versions.tf b/terraform-k8s-infrastructure/modules/k8s_data_layer/versions.tf index f0fb4d7..837e6c8 100644 --- a/terraform-k8s-infrastructure/modules/k8s_data_layer/versions.tf +++ b/terraform-k8s-infrastructure/modules/k8s_data_layer/versions.tf @@ -27,10 +27,10 @@ data "aws_eks_cluster_auth" "cluster" { } provider "kubernetes" { - host = var.cluster_endpoint - config_path = "~/.kube/config" - cluster_ca_certificate = base64decode(var.cluster_ca) - token = data.aws_eks_cluster_auth.cluster.token + host = var.cluster_endpoint + #config_path = "~/.kube/config" + cluster_ca_certificate = base64decode(var.cluster_ca) + token = data.aws_eks_cluster_auth.cluster.token #exec { # api_version = "client.authentication.k8s.io/v1beta1" # args = ["eks", "get-token", "--cluster-name", var.cluster_name] From 76410dd567ac43b670c969a10d7a84f425bf5b6b Mon Sep 17 00:00:00 2001 
From: Tim Anderegg Date: Thu, 5 Feb 2026 14:52:40 -0500 Subject: [PATCH 13/23] Cleanup of provider configurations. --- .../modules/k8s_data_layer/versions.tf | 45 --------------- .../alb_ingress/versions.tf | 6 +- .../modules/k8s_infrastructure/versions.tf | 56 +++---------------- .../k8s_microservice_routing/versions.tf | 12 ++-- .../modules/k8s_namespaces/versions.tf | 10 +--- terraform-k8s-infrastructure/versions.tf | 56 +++++++++++++++++++ 6 files changed, 71 insertions(+), 114 deletions(-) diff --git a/terraform-k8s-infrastructure/modules/k8s_data_layer/versions.tf b/terraform-k8s-infrastructure/modules/k8s_data_layer/versions.tf index 837e6c8..4f6ac2a 100644 --- a/terraform-k8s-infrastructure/modules/k8s_data_layer/versions.tf +++ b/terraform-k8s-infrastructure/modules/k8s_data_layer/versions.tf @@ -17,48 +17,3 @@ terraform { } required_version = "1.3.6" } - -provider "aws" { - region = var.aws_region -} - -data "aws_eks_cluster_auth" "cluster" { - name = var.cluster_name -} - -provider "kubernetes" { - host = var.cluster_endpoint - #config_path = "~/.kube/config" - cluster_ca_certificate = base64decode(var.cluster_ca) - token = data.aws_eks_cluster_auth.cluster.token - #exec { - # api_version = "client.authentication.k8s.io/v1beta1" - # args = ["eks", "get-token", "--cluster-name", var.cluster_name] - # command = "aws" - #} -} - -provider "kubectl" { - host = var.cluster_endpoint - cluster_ca_certificate = base64decode(var.cluster_ca) - token = data.aws_eks_cluster_auth.cluster.token - load_config_file = false -} - -provider "helm" { - kubernetes { - host = var.cluster_endpoint - cluster_ca_certificate = base64decode(var.cluster_ca) - token = data.aws_eks_cluster_auth.cluster.token - #exec { - # api_version = "client.authentication.k8s.io/v1beta1" - # args = [ - # "eks", - # "get-token", - # "--cluster-name", - # var.cluster_name - # ] - # command = "aws" - #} - } -} 
diff --git a/terraform-k8s-infrastructure/modules/k8s_infrastructure/alb_ingress/versions.tf b/terraform-k8s-infrastructure/modules/k8s_infrastructure/alb_ingress/versions.tf index 48161ee..a832e6f 100644 --- a/terraform-k8s-infrastructure/modules/k8s_infrastructure/alb_ingress/versions.tf +++ b/terraform-k8s-infrastructure/modules/k8s_infrastructure/alb_ingress/versions.tf @@ -10,8 +10,4 @@ terraform { } } required_version = "~> 1.3.2" -} - -provider "kubernetes" { - config_path = "~/.kube/config" -} +} \ No newline at end of file diff --git a/terraform-k8s-infrastructure/modules/k8s_infrastructure/versions.tf b/terraform-k8s-infrastructure/modules/k8s_infrastructure/versions.tf index e613ff6..3667555 100644 --- a/terraform-k8s-infrastructure/modules/k8s_infrastructure/versions.tf +++ b/terraform-k8s-infrastructure/modules/k8s_infrastructure/versions.tf 
@@ -5,58 +5,20 @@ terraform { version = "~> 4.48.0" } - kubectl = { - source = "gavinbunney/kubectl" - version = "~> 1.14.0" - } - - helm = { - source = "hashicorp/helm" - version = "~> 2.8.0" - } - cloudflare = { source = "cloudflare/cloudflare" version = "~> 3.30.0" } - } - required_version = "1.3.6" -} - -provider "aws" { - region = var.aws_region -} -data "aws_eks_cluster_auth" "cluster" { - name = var.cluster_name -} - -provider "kubectl" { - host = var.cluster_endpoint - cluster_ca_certificate = base64decode(var.cluster_ca) - token = data.aws_eks_cluster_auth.cluster.token - load_config_file = false -} + kubernetes = { + source = "hashicorp/kubernetes" + version = "~> 2.16.1" + } -provider "helm" { - kubernetes { - host = var.cluster_endpoint - cluster_ca_certificate = base64decode(var.cluster_ca) - token = data.aws_eks_cluster_auth.cluster.token - #exec { - # api_version = "client.authentication.k8s.io/v1beta1" - # args = [ - # "eks", - # "get-token", - # "--cluster-name", - # var.cluster_name - # ] - # command = "aws" - #} + kubectl = { + source = "gavinbunney/kubectl" + version = "~> 1.14.0" + } } -} - -provider "cloudflare" { - api_key = var.cloudflare_api_key - email = var.cloudflare_email + required_version = "1.3.6" } diff --git a/terraform-k8s-infrastructure/modules/k8s_microservice_routing/versions.tf b/terraform-k8s-infrastructure/modules/k8s_microservice_routing/versions.tf index 9576088..db7a708 100644 --- a/terraform-k8s-infrastructure/modules/k8s_microservice_routing/versions.tf +++ b/terraform-k8s-infrastructure/modules/k8s_microservice_routing/versions.tf 
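Review bot: `helm` is dropped from this module's `required_providers` while `kubernetes` and `kubectl` are added; if any resource in `modules/k8s_infrastructure` is a `helm_release`, Terraform will still resolve it by inferring `hashicorp/helm` from the resource type, and because provider selection is made once for the whole configuration the root's `~> 2.8.0` pin still decides the installed version — but the module no longer states its own requirement and silently depends on the root to pin it. If the module uses helm, keep `helm = { source = "hashicorp/helm" version = "~> 2.8.0" }` here; if it does not, the removal is right and a one-line comment saying so would save the next reader the check. Removing the `provider "cloudflare"`/`provider "aws"`/`data "aws_eks_cluster_auth"` blocks from the module is the right direction.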
@@ -21,17 +21,13 @@ data "aws_eks_cluster_auth" "cluster" { } provider "kubernetes" { - host = var.cluster_endpoint - cluster_ca_certificate = base64decode(var.cluster_ca) - token = data.aws_eks_cluster_auth.cluster.token + host = var.cluster_endpoint + #config_path = "~/.kube/config" + cluster_ca_certificate = base64decode(var.cluster_ca) + token = data.aws_eks_cluster_auth.cluster.token #exec { # api_version = "client.authentication.k8s.io/v1beta1" # args = ["eks", "get-token", "--cluster-name", var.cluster_name] # command = "aws" #} -} - -provider "cloudflare" { - api_key = var.cloudflare_api_key - email = var.cloudflare_email } \ No newline at end of file diff --git a/terraform-k8s-infrastructure/modules/k8s_namespaces/versions.tf b/terraform-k8s-infrastructure/modules/k8s_namespaces/versions.tf index c28252f..44a878b 100644 --- a/terraform-k8s-infrastructure/modules/k8s_namespaces/versions.tf +++ b/terraform-k8s-infrastructure/modules/k8s_namespaces/versions.tf @@ -10,12 +10,4 @@ terraform { } } required_version = "1.3.6" -} - -provider "aws" { - region = var.aws_region -} - -provider "kubernetes" { - config_path = "~/.kube/config" -} +} \ No newline at end of file diff --git a/terraform-k8s-infrastructure/versions.tf b/terraform-k8s-infrastructure/versions.tf index 9c10bd8..459abbe 100644 --- a/terraform-k8s-infrastructure/versions.tf +++ b/terraform-k8s-infrastructure/versions.tf @@ -9,6 +9,21 @@ terraform { source = "cloudflare/cloudflare" version = "~> 3.30.0" } + + kubernetes = { + source = "hashicorp/kubernetes" + version = "~> 2.16.1" + } + + kubectl = { + source = "gavinbunney/kubectl" + version = "~> 1.14.0" + } + + helm = { + source = "hashicorp/helm" + version = "~> 2.8.0" + } } required_version = "1.3.6" } 
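Review bot: This "cleanup" commit still leaves a `provider "kubernetes"` block and a `data "aws_eks_cluster_auth"` inside `modules/k8s_microservice_routing/versions.tf`, while the same commit removes the equivalent blocks from the other modules and adds a root-level `provider "kubernetes"`. A provider block in a child module overrides the root's for that module's resources and makes the module a legacy one (no `count`/`for_each`/`depends_on`, and its resources cannot be destroyed after the module call is removed), so it should be deleted here so the module inherits the root provider like its siblings; the `#config_path`/`#exec` comments can go with it. The `provider "cloudflare"` removal is correct, but note this file now ends without a trailing newline.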
@@ -20,4 +35,45 @@ provider "aws" { provider "cloudflare" { api_key = var.cloudflare_api_key email = var.cloudflare_email +} + +data "aws_eks_cluster_auth" "cluster" { + name = data.aws_eks_cluster.rw_api.name +} + +provider "kubernetes" { + host = "${data.aws_eks_cluster.rw_api.endpoint}:${var.cluster_port}" + #config_path = "~/.kube/config" + cluster_ca_certificate = base64decode(data.aws_eks_cluster.rw_api.certificate_authority.0.data) + token = data.aws_eks_cluster_auth.cluster.token + #exec { + # api_version = "client.authentication.k8s.io/v1beta1" + # args = ["eks", "get-token", "--cluster-name", var.cluster_name] + # command = "aws" + #} +} + +provider "kubectl" { + host = "${data.aws_eks_cluster.rw_api.endpoint}:${var.cluster_port}" + cluster_ca_certificate = base64decode(data.aws_eks_cluster.rw_api.certificate_authority.0.data) + token = data.aws_eks_cluster_auth.cluster.token + load_config_file = false +} + +provider "helm" { + kubernetes { + host = "${data.aws_eks_cluster.rw_api.endpoint}:${var.cluster_port}" + cluster_ca_certificate = base64decode(data.aws_eks_cluster.rw_api.certificate_authority.0.data) + token = data.aws_eks_cluster_auth.cluster.token + #exec { + # api_version = "client.authentication.k8s.io/v1beta1" + # args = [ + # "eks", + # "get-token", + # "--cluster-name", + # var.cluster_name + # ] + # command = "aws" + #} + } } \ No newline at end of file From d6e49ed87926d49011189ea98f46714524f81f59 Mon Sep 17 00:00:00 2001 From: Tim Anderegg Date: Thu, 5 Feb 2026 15:26:41 -0500 Subject: [PATCH 14/23] Run each module separately to avoid token timeout --- .github/workflows/terraform_plan.yaml | 25 +++++++++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) diff --git a/.github/workflows/terraform_plan.yaml b/.github/workflows/terraform_plan.yaml index 0ee0365..1af2d4b 100644 --- a/.github/workflows/terraform_plan.yaml +++ b/.github/workflows/terraform_plan.yaml 
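Review bot: All three root providers (`kubernetes`, `kubectl`, `helm`) authenticate with `token = data.aws_eks_cluster_auth.cluster.token`, a presigned STS token minted once when the data source is read; per AWS documentation these EKS tokens expire after about 15 minutes, so a long plan or apply fails mid-run. An `exec` block that runs `aws eks get-token` re-fetches the credential on demand and avoids that; note the commented `#exec` blocks here reference `var.cluster_name`, which is not defined anywhere in this hunk (the root uses `data.aws_eks_cluster.rw_api.name`), so uncommenting them verbatim would not work. The host/CA triple is repeated three times and is easier to keep consistent as `locals`; the kubectl and helm blocks would take the same `exec` block.

```hcl
locals {
  cluster_host = "${data.aws_eks_cluster.rw_api.endpoint}:${var.cluster_port}"
  cluster_ca   = base64decode(data.aws_eks_cluster.rw_api.certificate_authority.0.data)
}

provider "kubernetes" {
  host                   = local.cluster_host
  cluster_ca_certificate = local.cluster_ca
  exec {
    api_version = "client.authentication.k8s.io/v1beta1"
    command     = "aws"
    args        = ["eks", "get-token", "--cluster-name", data.aws_eks_cluster.rw_api.name]
  }
}
# … unchanged: kubectl and helm providers, same host/CA and the same exec block …
```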
@@ -52,9 +52,30 @@ jobs: - name: Configure Kubeconfig run: aws eks update-kubeconfig --region us-east-1 --name core-k8s-cluster-$ENV - - name: TF Plan + - name: TF Plan Namespaces + run: | + terraform -chdir=terraform-k8s-infrastructure plan -var-file=vars/terraform-$ENV.tfvars \ + -var "cloudflare_api_key=${TF_VAR_cloudflare_api_key}" \ + -var "cloudflare_email=${TF_VAR_cloudflare_email}" \ + -target module.k8s_namespaces + + - name: TF Plan Infrastructure + run: | + terraform -chdir=terraform-k8s-infrastructure plan -var-file=vars/terraform-$ENV.tfvars \ + -var "cloudflare_api_key=${TF_VAR_cloudflare_api_key}" \ + -var "cloudflare_email=${TF_VAR_cloudflare_email}" \ + -target module.k8s_infrastructure + + - name: TF Plan Data Layer run: | terraform -chdir=terraform-k8s-infrastructure plan -var-file=vars/terraform-$ENV.tfvars \ -var "cloudflare_api_key=${TF_VAR_cloudflare_api_key}" \ - -var "cloudflare_email=${TF_VAR_cloudflare_email}" + -var "cloudflare_email=${TF_VAR_cloudflare_email}" \ + -target module.k8s_data_layer + - name: TF Plan MS Routing + run: | + terraform -chdir=terraform-k8s-infrastructure plan -var-file=vars/terraform-$ENV.tfvars \ + -var "cloudflare_api_key=${TF_VAR_cloudflare_api_key}" \ + -var "cloudflare_email=${TF_VAR_cloudflare_email}" \ + -target module.k8s_microservice_routing From 41c4cf8d89065cbedf65419336db7b2d7a0ab4c2 Mon Sep 17 00:00:00 2001 From: Tim Anderegg Date: Fri, 6 Feb 2026 14:54:10 -0500 Subject: [PATCH 15/23] Trying kube config instead of token. --- .github/workflows/terraform_plan.yaml | 39 ++++++++++--------- .../k8s_microservice_routing/versions.tf | 10 ++--- terraform-k8s-infrastructure/versions.tf | 18 +++++---- 3 files changed, 35 insertions(+), 32 deletions(-) diff --git a/.github/workflows/terraform_plan.yaml b/.github/workflows/terraform_plan.yaml index 1af2d4b..4655f77 100644 --- a/.github/workflows/terraform_plan.yaml +++ b/.github/workflows/terraform_plan.yaml 
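Review bot: Splitting the plan into four `-target` runs works around the token expiry only because each `terraform plan` invocation reads `aws_eks_cluster_auth` afresh; it also changes what CI verifies, since a targeted plan evaluates only the targeted module and its dependencies, Terraform prints a warning that the result is not a complete plan, and anything outside the four targets (root-level resources, a module added later) is never planned. The credential should be fixed in the providers (an `exec` block) and the single untargeted plan restored. Separately, `-var "cloudflare_api_key=${TF_VAR_cloudflare_api_key}"` is redundant — the shell expands it from `TF_VAR_cloudflare_api_key`, which Terraform already reads as the variable's value — and spelling the secret out on the command line exposes it to `ps` and to any `set -x` trace.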
@@ -57,25 +57,26 @@ jobs: terraform -chdir=terraform-k8s-infrastructure plan -var-file=vars/terraform-$ENV.tfvars \ -var "cloudflare_api_key=${TF_VAR_cloudflare_api_key}" \ -var "cloudflare_email=${TF_VAR_cloudflare_email}" \ - -target module.k8s_namespaces + +# -target module.k8s_namespaces - - name: TF Plan Infrastructure - run: | - terraform -chdir=terraform-k8s-infrastructure plan -var-file=vars/terraform-$ENV.tfvars \ - -var "cloudflare_api_key=${TF_VAR_cloudflare_api_key}" \ - -var "cloudflare_email=${TF_VAR_cloudflare_email}" \ - -target module.k8s_infrastructure +# - name: TF Plan Infrastructure +# run: | +# terraform -chdir=terraform-k8s-infrastructure plan -var-file=vars/terraform-$ENV.tfvars \ +# -var "cloudflare_api_key=${TF_VAR_cloudflare_api_key}" \ +# -var "cloudflare_email=${TF_VAR_cloudflare_email}" \ +# -target module.k8s_infrastructure - - name: TF Plan Data Layer - run: | - terraform -chdir=terraform-k8s-infrastructure plan -var-file=vars/terraform-$ENV.tfvars \ - -var "cloudflare_api_key=${TF_VAR_cloudflare_api_key}" \ - -var "cloudflare_email=${TF_VAR_cloudflare_email}" \ - -target module.k8s_data_layer +# - name: TF Plan Data Layer +# run: | +# terraform -chdir=terraform-k8s-infrastructure plan -var-file=vars/terraform-$ENV.tfvars \ +# -var "cloudflare_api_key=${TF_VAR_cloudflare_api_key}" \ +# -var "cloudflare_email=${TF_VAR_cloudflare_email}" \ +# -target module.k8s_data_layer - - name: TF Plan MS Routing - run: | - terraform -chdir=terraform-k8s-infrastructure plan -var-file=vars/terraform-$ENV.tfvars \ - -var "cloudflare_api_key=${TF_VAR_cloudflare_api_key}" \ - -var "cloudflare_email=${TF_VAR_cloudflare_email}" \ - -target module.k8s_microservice_routing +# - name: TF Plan MS Routing +# run: | +# terraform -chdir=terraform-k8s-infrastructure plan -var-file=vars/terraform-$ENV.tfvars \ +# -var "cloudflare_api_key=${TF_VAR_cloudflare_api_key}" \ +# -var "cloudflare_email=${TF_VAR_cloudflare_email}" \ +# -target 
module.k8s_microservice_routing diff --git a/terraform-k8s-infrastructure/modules/k8s_microservice_routing/versions.tf b/terraform-k8s-infrastructure/modules/k8s_microservice_routing/versions.tf index db7a708..7800cf5 100644 --- a/terraform-k8s-infrastructure/modules/k8s_microservice_routing/versions.tf +++ b/terraform-k8s-infrastructure/modules/k8s_microservice_routing/versions.tf @@ -16,15 +16,15 @@ terraform { required_version = "1.3.6" } -data "aws_eks_cluster_auth" "cluster" { - name = var.cluster_name -} +#data "aws_eks_cluster_auth" "cluster" { +# name = var.cluster_name +#} provider "kubernetes" { host = var.cluster_endpoint - #config_path = "~/.kube/config" + config_path = "~/.kube/config" cluster_ca_certificate = base64decode(var.cluster_ca) - token = data.aws_eks_cluster_auth.cluster.token + #token = data.aws_eks_cluster_auth.cluster.token #exec { # api_version = "client.authentication.k8s.io/v1beta1" # args = ["eks", "get-token", "--cluster-name", var.cluster_name] diff --git a/terraform-k8s-infrastructure/versions.tf b/terraform-k8s-infrastructure/versions.tf index 459abbe..42b6fef 100644 --- a/terraform-k8s-infrastructure/versions.tf +++ b/terraform-k8s-infrastructure/versions.tf @@ -37,15 +37,15 @@ provider "cloudflare" { email = var.cloudflare_email } -data "aws_eks_cluster_auth" "cluster" { - name = data.aws_eks_cluster.rw_api.name -} +#data "aws_eks_cluster_auth" "cluster" { +# name = data.aws_eks_cluster.rw_api.name +#} provider "kubernetes" { host = "${data.aws_eks_cluster.rw_api.endpoint}:${var.cluster_port}" - #config_path = "~/.kube/config" + config_path = "~/.kube/config" cluster_ca_certificate = base64decode(data.aws_eks_cluster.rw_api.certificate_authority.0.data) - token = data.aws_eks_cluster_auth.cluster.token + #token = data.aws_eks_cluster_auth.cluster.token #exec { # api_version = "client.authentication.k8s.io/v1beta1" # args = ["eks", "get-token", "--cluster-name", var.cluster_name] 
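Review bot: The three per-module plan steps are commented out rather than removed, and the surviving step now ends in `-var "cloudflare_email=${TF_VAR_cloudflare_email}" \` followed by an empty line and a column-0 `# -target module.k8s_namespaces` comment; bash tolerates a backslash before an empty line, but the dangling continuation is a trap for the next edit to that step. Delete the commented steps and drop the trailing backslash; git keeps the history. If the intent is to keep a per-module fallback available, a workflow input or a separate workflow file is clearer than dead YAML.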
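Review bot: The root `provider "kubernetes"` now sets `config_path = "~/.kube/config"` while still passing explicit `host` and `cluster_ca_certificate`, so connection settings come from two places; as far as I can tell explicit attributes override what is loaded from the file, but that precedence is easy to get wrong and it couples the plan to a kubeconfig the workflow must write first (`aws eks update-kubeconfig`) and to the runner's home directory. The kubeconfig that command writes authenticates with an `exec` plugin calling `aws eks get-token`, so the same result is obtained with an `exec` block directly in the provider and no file dependency, keeping `host`/`cluster_ca_certificate` as the only connection source. The `#data "aws_eks_cluster_auth"` and `#token` lines should be deleted rather than commented.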
@@ -56,15 +56,17 @@ provider "kubernetes" { provider "kubectl" { host = "${data.aws_eks_cluster.rw_api.endpoint}:${var.cluster_port}" cluster_ca_certificate = base64decode(data.aws_eks_cluster.rw_api.certificate_authority.0.data) - token = data.aws_eks_cluster_auth.cluster.token - load_config_file = false + #token = data.aws_eks_cluster_auth.cluster.token + load_config_file = true + config_path = "~/.kube/config" } provider "helm" { kubernetes { host = "${data.aws_eks_cluster.rw_api.endpoint}:${var.cluster_port}" cluster_ca_certificate = base64decode(data.aws_eks_cluster.rw_api.certificate_authority.0.data) - token = data.aws_eks_cluster_auth.cluster.token + #token = data.aws_eks_cluster_auth.cluster.token + config_path = "~/.kube/config" #exec { # api_version = "client.authentication.k8s.io/v1beta1" # args = [ From c32ff1c0357a5151193dcc8e3d6d67057cfd68c2 Mon Sep 17 00:00:00 2001 From: Tim Anderegg Date: Fri, 6 Feb 2026 15:17:59 -0500 Subject: [PATCH 16/23] Try init after kube config. --- .github/workflows/terraform_plan.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/terraform_plan.yaml b/.github/workflows/terraform_plan.yaml index 4655f77..1373cfc 100644 --- a/.github/workflows/terraform_plan.yaml +++ b/.github/workflows/terraform_plan.yaml 
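Review bot: The `kubectl` provider is now configured with `load_config_file = true` plus `config_path`, and the `helm` provider's `kubernetes {}` block with `config_path`, while both still set explicit `host` and `cluster_ca_certificate`; mixing a kubeconfig (whose current-context also carries a server and CA) with explicit connection attributes makes it unclear which cluster settings apply, and it ties every plan to the runner's `~/.kube/config`. Since that kubeconfig authenticates through an `exec` plugin running `aws eks get-token`, an `exec` block in each provider gives the same credential without the file. The `helm` block continues past the end of this hunk; it would take the same `exec` inside `kubernetes {}`.

```hcl
provider "kubectl" {
  host                   = "${data.aws_eks_cluster.rw_api.endpoint}:${var.cluster_port}"
  cluster_ca_certificate = base64decode(data.aws_eks_cluster.rw_api.certificate_authority.0.data)
  load_config_file       = false
  exec {
    api_version = "client.authentication.k8s.io/v1beta1"
    command     = "aws"
    args        = ["eks", "get-token", "--cluster-name", data.aws_eks_cluster.rw_api.name]
  }
}
# … unchanged: helm provider, same host/CA with the exec block inside kubernetes {} …
```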
@@ -35,24 +35,24 @@ jobs: with: terraform_version: 1.3.6 - - name: TF Init + - name: TF Init EKS Cluster #run: ./scripts/infra -chdir=terraform init -backend-config=vars/backend-$ENV.tfvars run: terraform -chdir=terraform init -backend-config=vars/backend-$ENV.tfvars - - name: TF Plan + - name: TF Plan EKS Cluster run: | terraform -chdir=terraform plan -var-file=vars/terraform-$ENV.tfvars \ -var "cloudflare_api_key=${TF_VAR_cloudflare_api_key}" \ -var "cloudflare_email=${TF_VAR_cloudflare_email}" \ -var "sparkpost_api_key=${TF_VAR_sparkpost_api_key}" - - - name: TF Init - run: terraform -chdir=terraform-k8s-infrastructure init -backend-config=vars/backend-$ENV.tfvars - name: Configure Kubeconfig run: aws eks update-kubeconfig --region us-east-1 --name core-k8s-cluster-$ENV - - name: TF Plan Namespaces + - name: TF Init K8s Infra + run: terraform -chdir=terraform-k8s-infrastructure init -backend-config=vars/backend-$ENV.tfvars + + - name: TF Plan K8s Infra run: | terraform -chdir=terraform-k8s-infrastructure plan -var-file=vars/terraform-$ENV.tfvars \ -var "cloudflare_api_key=${TF_VAR_cloudflare_api_key}" \ From d507528bf3b6982d972f305700153423e0668e04 Mon Sep 17 00:00:00 2001 From: Tim Anderegg Date: Fri, 6 Feb 2026 15:26:00 -0500 Subject: [PATCH 17/23] Try excluding Data Layer. --- terraform-k8s-infrastructure/main.tf | 44 ++++++++++++++-------------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/terraform-k8s-infrastructure/main.tf b/terraform-k8s-infrastructure/main.tf index 1e68a42..467af85 100644 --- a/terraform-k8s-infrastructure/main.tf +++ b/terraform-k8s-infrastructure/main.tf 
@@ -16,6 +16,15 @@ data "aws_vpc" "eks_vpc" {
 cidr_block = "10.0.0.0/16"
 }
 
+module "k8s_namespaces" {
+ source = "./modules/k8s_namespaces"
+ cluster_endpoint = "${data.aws_eks_cluster.rw_api.endpoint}:${var.cluster_port}"
+ cluster_ca = data.aws_eks_cluster.rw_api.certificate_authority.0.data
+ cluster_name = data.aws_eks_cluster.rw_api.name
+ kubectl_context = "aws-rw-${var.environment}"
+ namespaces = var.namespaces
+}
+
 module "k8s_infrastructure" {
 source = "./modules/k8s_infrastructure"
 cluster_endpoint = "${data.aws_eks_cluster.rw_api.endpoint}:${var.cluster_port}"
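Review bot: Moving `module "k8s_namespaces"` above `module "k8s_infrastructure"` has no effect on evaluation order — Terraform orders work by references in the dependency graph, not by position in the file — so if the intent is that namespaces exist before the infrastructure module's resources are created, it needs `depends_on = [module.k8s_namespaces]` on `module "k8s_infrastructure"` or a namespace output passed into it. If the move is purely cosmetic it is fine, but a commit titled "Try excluding Data Layer" is a surprising place for it and a one-line commit-message note would help.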
@@ -28,19 +37,19 @@ module "k8s_infrastructure" {
 cloudflare_email = var.cloudflare_email
 }
 
-module "k8s_data_layer" {
- source = "./modules/k8s_data_layer"
- cluster_endpoint = "${data.aws_eks_cluster.rw_api.endpoint}:${var.cluster_port}"
- cluster_ca = data.aws_eks_cluster.rw_api.certificate_authority.0.data
- cluster_name = data.aws_eks_cluster.rw_api.name
- aws_region = var.aws_region
- vpc = data.aws_vpc.eks_vpc
- elasticsearch_disk_size_gb = var.elasticsearch_disk_size_gb
- elasticsearch_use_dedicated_master_nodes = var.elasticsearch_use_dedicated_master_nodes
- elasticsearch_data_nodes_count = var.elasticsearch_data_nodes_count
- backups_bucket = var.backups_bucket
- elasticsearch_data_nodes_type = var.elasticsearch_data_nodes_type
-}
+#module "k8s_data_layer" {
+# source = "./modules/k8s_data_layer"
+# cluster_endpoint = "${data.aws_eks_cluster.rw_api.endpoint}:${var.cluster_port}"
+# cluster_ca = data.aws_eks_cluster.rw_api.certificate_authority.0.data
+# cluster_name = data.aws_eks_cluster.rw_api.name
+# aws_region = var.aws_region
+# vpc = data.aws_vpc.eks_vpc
+# elasticsearch_disk_size_gb = var.elasticsearch_disk_size_gb
+# elasticsearch_use_dedicated_master_nodes = var.elasticsearch_use_dedicated_master_nodes
+# elasticsearch_data_nodes_count = var.elasticsearch_data_nodes_count
+# backups_bucket = var.backups_bucket
+# elasticsearch_data_nodes_type = var.elasticsearch_data_nodes_type
+#}
 
 module "k8s_microservice_routing" {
 source = "./modules/k8s_microservice_routing"
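Review bot: Commenting out `module "k8s_data_layer"` is not an exclusion: while the module's resources remain in the remote state, the next `terraform plan` proposes destroying everything under `module.k8s_data_layer` (judging from its inputs, the Elasticsearch nodes and their backup wiring), and an `apply` of that plan would carry it out. To leave a module out of one CI run, target the other modules with `-target`; to stop managing the resources, use `terraform state rm` before removing the config. Since the plan workflow runs on every PR, this should not be merged even as an experiment without a guard against apply.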
@@ -57,12 +66,3 @@ module "k8s_microservice_routing" { cloudflare_api_key = var.cloudflare_api_key cloudflare_email = var.cloudflare_email } - -module "k8s_namespaces" { - source = "./modules/k8s_namespaces" - cluster_endpoint = "${data.aws_eks_cluster.rw_api.endpoint}:${var.cluster_port}" - cluster_ca = data.aws_eks_cluster.rw_api.certificate_authority.0.data - cluster_name = data.aws_eks_cluster.rw_api.name - kubectl_context = "aws-rw-${var.environment}" - namespaces = var.namespaces -} From 7e6607117c67e20fb31f3338af4090b93aa4f115 Mon Sep 17 00:00:00 2001 From: Tim Anderegg Date: Fri, 6 Feb 2026 15:33:30 -0500 Subject: [PATCH 18/23] Oops, use target instead. --- .github/workflows/terraform_plan.yaml | 5 +++-- terraform-k8s-infrastructure/main.tf | 26 +++++++++++++------------- 2 files changed, 16 insertions(+), 15 deletions(-) diff --git a/.github/workflows/terraform_plan.yaml b/.github/workflows/terraform_plan.yaml index 1373cfc..2f32564 100644 --- a/.github/workflows/terraform_plan.yaml +++ b/.github/workflows/terraform_plan.yaml @@ -57,8 +57,9 @@ jobs: terraform -chdir=terraform-k8s-infrastructure plan -var-file=vars/terraform-$ENV.tfvars \ -var "cloudflare_api_key=${TF_VAR_cloudflare_api_key}" \ -var "cloudflare_email=${TF_VAR_cloudflare_email}" \ - -# -target module.k8s_namespaces + -target module.k8s_namespaces + -target module.k8s_infrastructure + -target module.k8s_microservice_routing # - name: TF Plan Infrastructure # run: | diff --git a/terraform-k8s-infrastructure/main.tf b/terraform-k8s-infrastructure/main.tf index 467af85..619e3a9 100644 --- a/terraform-k8s-infrastructure/main.tf +++ b/terraform-k8s-infrastructure/main.tf 
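Review bot: The new `-target module.k8s_infrastructure` and `-target module.k8s_microservice_routing` lines have no trailing `\`, so inside the `run: |` block bash executes them as separate commands after `terraform plan` returns; `-target: command not found` then fails the step under the default `bash -e` shell. Add ` \` to the `-target module.k8s_namespaces` and `-target module.k8s_infrastructure` lines. The target list also omits `module.k8s_data_layer`, which this same commit re-enables in `main.tf`, so data-layer changes would never be planned by CI.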
@@ -37,19 +37,19 @@ module "k8s_infrastructure" { cloudflare_email = var.cloudflare_email } -#module "k8s_data_layer" { -# source = "./modules/k8s_data_layer" -# cluster_endpoint = "${data.aws_eks_cluster.rw_api.endpoint}:${var.cluster_port}" -# cluster_ca = data.aws_eks_cluster.rw_api.certificate_authority.0.data -# cluster_name = data.aws_eks_cluster.rw_api.name -# aws_region = var.aws_region -# vpc = data.aws_vpc.eks_vpc -# elasticsearch_disk_size_gb = var.elasticsearch_disk_size_gb -# elasticsearch_use_dedicated_master_nodes = var.elasticsearch_use_dedicated_master_nodes -# elasticsearch_data_nodes_count = var.elasticsearch_data_nodes_count -# backups_bucket = var.backups_bucket -# elasticsearch_data_nodes_type = var.elasticsearch_data_nodes_type -#} +module "k8s_data_layer" { + source = "./modules/k8s_data_layer" + cluster_endpoint = "${data.aws_eks_cluster.rw_api.endpoint}:${var.cluster_port}" + cluster_ca = data.aws_eks_cluster.rw_api.certificate_authority.0.data + cluster_name = data.aws_eks_cluster.rw_api.name + aws_region = var.aws_region + vpc = data.aws_vpc.eks_vpc + elasticsearch_disk_size_gb = var.elasticsearch_disk_size_gb + elasticsearch_use_dedicated_master_nodes = var.elasticsearch_use_dedicated_master_nodes + elasticsearch_data_nodes_count = var.elasticsearch_data_nodes_count + backups_bucket = var.backups_bucket + elasticsearch_data_nodes_type = var.elasticsearch_data_nodes_type +} module "k8s_microservice_routing" { source = "./modules/k8s_microservice_routing" From 444a263109fc03b6f402c44b6d80cabb87a193e4 Mon Sep 17 00:00:00 2001 From: Tim Anderegg Date: Fri, 6 Feb 2026 16:34:18 -0500 Subject: [PATCH 19/23] Try using OIDC role. --- .github/workflows/terraform_plan.yaml | 29 ++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/.github/workflows/terraform_plan.yaml b/.github/workflows/terraform_plan.yaml index 2f32564..c83c8a2 100644 --- a/.github/workflows/terraform_plan.yaml 
+++ b/.github/workflows/terraform_plan.yaml @@ -5,7 +5,7 @@ on: branches: [dev, staging] jobs: - plan: + plan_eks_cluster: runs-on: ubuntu-latest env: @@ -46,6 +46,33 @@ jobs: -var "cloudflare_email=${TF_VAR_cloudflare_email}" \ -var "sparkpost_api_key=${TF_VAR_sparkpost_api_key}" + plan_k8s_infra: + runs-on: ubuntu-latest + + env: + ENV: ${{ github.base_ref }} + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@main + with: + role-to-assume: | + ${{ github.base_ref == 'production' && 'TBD' || + github.base_ref == 'staging' && 'TBD' || + 'arn:aws:iam::842534099497:role/wri-api-dev-githubactions-role' }} + aws-region: | + ${{ github.base_ref == 'production' && secrets.aws_region_production || + github.base_ref == 'staging' && secrets.aws_region_staging || + secrets.aws_region_dev }} + + - name: Setup terraform + uses: hashicorp/setup-terraform@v3 + with: + terraform_version: 1.3.6 + - name: Configure Kubeconfig run: aws eks update-kubeconfig --region us-east-1 --name core-k8s-cluster-$ENV From c7706815ae79337aff0790b29adc52357b99db37 Mon Sep 17 00:00:00 2001 From: Tim Anderegg Date: Fri, 6 Feb 2026 16:38:54 -0500 Subject: [PATCH 20/23] Adds needed permission and job order. --- .github/workflows/terraform_plan.yaml | 25 +++++++++++++++++-------- 1 file changed, 17 insertions(+), 8 deletions(-) diff --git a/.github/workflows/terraform_plan.yaml b/.github/workflows/terraform_plan.yaml index c83c8a2..fd47615 100644 --- a/.github/workflows/terraform_plan.yaml +++ b/.github/workflows/terraform_plan.yaml @@ -4,6 +4,9 @@ on: pull_request: branches: [dev, staging] +permissions: + id-token: write + jobs: plan_eks_cluster: runs-on: ubuntu-latest 
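Review bot: `aws-actions/configure-aws-credentials@main` pins the action that mints the job's AWS credentials to a moving branch, so each run executes whatever is on `main` at that moment; in the step that exchanges the OIDC token for an IAM role this is the one most worth pinning, e.g. `uses: aws-actions/configure-aws-credentials@v4` or, better, a full commit SHA with the version in a trailing comment. `role-to-assume: |` is a literal block scalar, so the ARN handed to the action ends in a newline; a folded `>-` scalar gives the single-line value the action expects. The `'TBD'` placeholders will make AssumeRole fail loudly for production and staging, which is acceptable as a guard but deserves a comment, and this job does not yet request `id-token: write`, which OIDC requires.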
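Review bot: Declaring `permissions:` at the workflow level with only `id-token: write` sets every other scope to `none`, including `contents`, so `actions/checkout` in both jobs now runs with a token that cannot read the repository — in a private repository the checkout fails, in a public one it may still succeed but only via anonymous access. Add `contents: read` next to `id-token: write`. If `plan_eks_cluster` does not assume a role through OIDC (its credential step is outside this hunk), the block is better placed on `plan_k8s_infra` alone so the other job does not get an unnecessary `id-token` grant.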
@@ -48,9 +51,21 @@ jobs: plan_k8s_infra: runs-on: ubuntu-latest + needs: plan_eks_cluster env: ENV: ${{ github.base_ref }} + AWS_ROLE: >- + ${{ github.base_ref == 'production' && 'TBD' || + github.base_ref == 'staging' && 'TBD' || + 'arn:aws:iam::842534099497:role/wri-api-dev-githubactions-role' }} + AWS_REGION: >- + ${{ github.base_ref == 'production' && secrets.aws_region_production || + github.base_ref == 'staging' && secrets.aws_region_staging || + secrets.aws_region_dev }} + TF_VAR_cloudflare_api_key: ${{ secrets.cloudflare_api_key }} + TF_VAR_cloudflare_email: ${{ secrets.cloudflare_email }} + TF_VAR_sparkpost_api_key: ${{ secrets.sparkpost_api_key }} steps: - name: Checkout repository @@ -59,14 +74,8 @@ jobs: - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@main with: - role-to-assume: | - ${{ github.base_ref == 'production' && 'TBD' || - github.base_ref == 'staging' && 'TBD' || - 'arn:aws:iam::842534099497:role/wri-api-dev-githubactions-role' }} - aws-region: | - ${{ github.base_ref == 'production' && secrets.aws_region_production || - github.base_ref == 'staging' && secrets.aws_region_staging || - secrets.aws_region_dev }} + role-to-assume: $AWS_ROLE + aws-region: $AWS_REGION - name: Setup terraform uses: hashicorp/setup-terraform@v3 From 8cf6ffde8f9ab55aa8254dd12ff18edb74cd2cea Mon Sep 17 00:00:00 2001 From: Tim Anderegg Date: Fri, 6 Feb 2026 16:42:08 -0500 Subject: [PATCH 21/23] Fix env var.s --- .github/workflows/terraform_plan.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/terraform_plan.yaml b/.github/workflows/terraform_plan.yaml index fd47615..9157ed0 100644 --- a/.github/workflows/terraform_plan.yaml +++ b/.github/workflows/terraform_plan.yaml 
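Review bot: `role-to-assume: $AWS_ROLE` and `aws-region: $AWS_REGION` are passed literally — `with:` inputs are not expanded by a shell, so the action receives the string `$AWS_ROLE`; they need `${{ env.AWS_ROLE }}` and `${{ env.AWS_REGION }}`. Separately, `TF_VAR_sparkpost_api_key` is exported into this job's environment although the `terraform-k8s-infrastructure` plan only passes the Cloudflare variables, so each job should carry only the secrets it actually uses. Switching the role/region expressions to `>-` folded scalars is the right fix for the trailing newline the earlier `|` form introduced.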
@@ -74,8 +74,8 @@ jobs: - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@main with: - role-to-assume: $AWS_ROLE - aws-region: $AWS_REGION + role-to-assume: ${{ env.AWS_ROLE }} + aws-region: ${{ env.AWS_REGION }} - name: Setup terraform uses: hashicorp/setup-terraform@v3 From 9acd71a8c04b6df6f86bc89aa0ffd762f84ee267 Mon Sep 17 00:00:00 2001 From: Tim Anderegg Date: Fri, 6 Feb 2026 21:09:53 -0500 Subject: [PATCH 22/23] Forgot to escape newlines. --- .github/workflows/terraform_plan.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/terraform_plan.yaml b/.github/workflows/terraform_plan.yaml index 9157ed0..1892572 100644 --- a/.github/workflows/terraform_plan.yaml +++ b/.github/workflows/terraform_plan.yaml @@ -93,8 +93,8 @@ jobs: terraform -chdir=terraform-k8s-infrastructure plan -var-file=vars/terraform-$ENV.tfvars \ -var "cloudflare_api_key=${TF_VAR_cloudflare_api_key}" \ -var "cloudflare_email=${TF_VAR_cloudflare_email}" \ - -target module.k8s_namespaces - -target module.k8s_infrastructure + -target module.k8s_namespaces \ + -target module.k8s_infrastructure \ -target module.k8s_microservice_routing # - name: TF Plan Infrastructure From 35d7acf200ccfd1a0d755e030b53832c93563293 Mon Sep 17 00:00:00 2001 From: Tim Anderegg Date: Fri, 6 Feb 2026 23:35:14 -0500 Subject: [PATCH 23/23] Remove targets. --- .github/workflows/terraform_plan.yaml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/.github/workflows/terraform_plan.yaml b/.github/workflows/terraform_plan.yaml index 1892572..83f4469 100644 --- a/.github/workflows/terraform_plan.yaml +++ b/.github/workflows/terraform_plan.yaml 
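Review bot: With the continuations fixed, the plan still targets only `module.k8s_namespaces`, `module.k8s_infrastructure` and `module.k8s_microservice_routing`; `module "k8s_data_layer"` is active in `main.tf` again but is never planned here, so a pull request that changes the data layer gets a passing check without its diff being evaluated. Either add `-target module.k8s_data_layer \` or drop `-target` and plan the whole root, which Terraform itself recommends for routine runs.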
@@ -92,10 +92,7 @@ jobs:
 run: |
 terraform -chdir=terraform-k8s-infrastructure plan -var-file=vars/terraform-$ENV.tfvars \
 -var "cloudflare_api_key=${TF_VAR_cloudflare_api_key}" \
- -var "cloudflare_email=${TF_VAR_cloudflare_email}" \
- -target module.k8s_namespaces \
- -target module.k8s_infrastructure \
- -target module.k8s_microservice_routing
+ -var "cloudflare_email=${TF_VAR_cloudflare_email}"
 
 # - name: TF Plan Infrastructure
 # run: |
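Review bot: The remaining `-var "cloudflare_api_key=${TF_VAR_cloudflare_api_key}"` and `-var "cloudflare_email=${TF_VAR_cloudflare_email}"` arguments are redundant — the shell expands them from `TF_VAR_*` variables that Terraform already reads as variable values — and putting the API key on the command line exposes it to `ps` and to any `set -x` trace, whereas the environment variable does not. The step can be reduced to `terraform -chdir=terraform-k8s-infrastructure plan -var-file=vars/terraform-$ENV.tfvars`. With the untargeted plan restored, the commented-out `TF Plan Infrastructure`/`Data Layer`/`MS Routing` steps below are dead and should be deleted.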