initial commit

common-fate · Oct 25, 2024 · 207a201 · 207a201
1 parent 5870983
commit 207a201
Show file tree

Hide file tree

Showing 13 changed files with 1,194 additions and 0 deletions.
diff --git a/.changeset/README.md b/.changeset/README.md
@@ -0,0 +1,8 @@
+# Changesets
+
+Hello and welcome! This folder has been automatically generated by `@changesets/cli`, a build tool that works
+with multi-package repos, or single-package repos to help you version and publish your code. You can
+find the full documentation for it [in our repository](https://github.com/changesets/changesets)
+
+We have a quick list of common questions to get you started engaging with this project in
+[our documentation](https://github.com/changesets/changesets/blob/main/docs/common-questions.md)
diff --git a/.changeset/config.json b/.changeset/config.json
@@ -0,0 +1,11 @@
+{
+  "$schema": "https://unpkg.com/@changesets/[email protected]/schema.json",
+  "changelog": "@changesets/cli/changelog",
+  "commit": false,
+  "fixed": [],
+  "linked": [],
+  "access": "restricted",
+  "baseBranch": "main",
+  "updateInternalDependencies": "patch",
+  "ignore": []
+}
diff --git a/.github/workflows/changeset.yaml b/.github/workflows/changeset.yaml
@@ -0,0 +1,105 @@
+name: Changeset and Tag Releases
+
+on:
+  push:
+    branches:
+      - "main"
+      - "release/*"
+
+permissions:
+  id-token: write
+  contents: write
+  pull-requests: write
+
+jobs:
+  changeset:
+    name: Changeset
+    runs-on: ubuntu-latest
+    # Map a step output to a job output
+    outputs:
+      published: ${{ steps.publish.outputs.published }}
+      tag: ${{ steps.publish.outputs.tag }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          lfs: true
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v2
+        with:
+          version: 8
+
+      - name: Setup Node.JS
+        uses: actions/setup-node@v3
+        with:
+          node-version: 18.12
+          cache: "pnpm"
+
+      - name: Install dependencies
+        run: pnpm install
+
+      - name: Run Changesets Action
+        id: changesets
+        uses: changesets/action@v1
+        with:
+          title: Version Packages for ${{ github.head_ref || github.ref_name }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Publish
+        id: publish
+        if: steps.changesets.outputs.hasChangesets == 'false'
+        # Push a new tag when changesets have been merged.
+        run: |
+          echo publishing
+          pnpm changeset tag
+          git push --follow-tags
+          echo pushed tags
+          echo "published=true" >> "$GITHUB_OUTPUT"
+          echo "tag=$(git describe --tags --abbrev=0)" >> "$GITHUB_OUTPUT"
+
+  release-notes:
+    name: Publish Release Notes
+    runs-on: ubuntu-latest
+    needs: changeset
+    if: needs.changeset.outputs.published == 'true'
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@v3
+        with: # fetch-depth 0 is required so we can get the last tag and extract the changelog from the previous commit
+          fetch-depth: 0
+
+      - name: Get previous tag
+        id: set-tags
+        run: |
+          echo "previous_tag=$(git describe --tags --abbrev=0 ${{ needs.changeset.outputs.tag }}^)" >> $GITHUB_OUTPUT
+
+      - name: Create release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run:
+          | # in this the RELEASE_NOTES are built line by line and +=$ syntax is used so that the \n newlines are correctly interpreted as newlines ratehr than string literals
+          BODY=$(git show HEAD -- CHANGELOG.md | grep '^+[^+]' | sed 's/^+//')
+
+          RELEASE_NOTES="## What's Changed"
+          RELEASE_NOTES+=$'\n'"${BODY}"
+          RELEASE_NOTES+=$'\n\n'"**Full Changelog**: https://github.com/${{ github.repository }}/compare/${{ steps.set-tags.outputs.previous_tag }}...${{ needs.changeset.outputs.tag }}"
+
+          # Echo the tag and the formatted body for debugging purposes
+          echo "Tag: ${{ needs.changeset.outputs.tag }}"
+          echo "Previous Tag: ${{ steps.set-tags.outputs.previous_tag }}"
+          echo "Release Notes: ${RELEASE_NOTES}"
+
+          # Use the GitHub CLI (gh) to create a new release with the formatted release notes
+          gh api \
+            --method POST \
+            -H "Accept: application/vnd.github+json" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            /repos/${{ github.repository }}/releases \
+            -f "tag_name=${{ needs.changeset.outputs.tag }}" \
+            -f "name=${{ needs.changeset.outputs.tag }}" \
+            -f "body=${RELEASE_NOTES}" \
+            -F "draft=false" \
+            -F "prerelease=false" \
+            -F "generate_release_notes=false"
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,46 @@
+node_modules
+.DS_Store
+
+*__debug*
+.env
+.env.test
+
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+
+# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
+# .tfvars files are managed as part of configuration and so should be included in
+# version control.
+#
+# example.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+#
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+
+# example: *tfplan*
+tfplugindocs
+.env
+terraform-provider-commonfate
+
+go.work.sum
+
+.idea
+.zed
+infra/dev
diff --git a/README.md b/README.md
@@ -0,0 +1,3 @@
+# terraform-aws-common-fate-proxy-aws-eks
+
+The terraform module for configuring a EKS cluster with the Common Fate proxy.
diff --git a/create-minor-release.sh b/create-minor-release.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# Step 1: Ask for the version
+read -p "Enter the version: " version
+
+# Step 2: Create a new git branch
+branch_name="release/$version"
+git checkout -b "$branch_name"
+
+# Step 3: Replace .changesets/config.json
+config_file=".changeset/config.json"
+config_content='{
+  "$schema": "https://unpkg.com/@changesets/[email protected]/schema.json",
+  "changelog": "@changesets/cli/changelog",
+  "commit": false,
+  "fixed": [],
+  "linked": [],
+  "access": "restricted",
+  "baseBranch": "release/'"$version"'",
+  "updateInternalDependencies": "patch",
+  "ignore": [],
+  "privatePackages": { "version": false, "tag": false }
+}'
+echo "$config_content" > "$config_file"
+
+# Commit the changes
+git add "$config_file"
+git commit -m "Add changesets config for release $version"
+
+echo "Branch '$branch_name' created with changesets config updated."
diff --git a/main.tf b/main.tf
@@ -0,0 +1,89 @@
+terraform {
+  required_providers {
+    commonfate = {
+      source  = "common-fate/commonfate"
+      version = ">= 2.25.3, < 3.0.0"
+    }
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+}
+data "aws_region" "current" {}
+
+
+data "aws_caller_identity" "current" {}
+locals {
+  aws_region     = data.aws_region.current.name
+  aws_account_id = data.aws_caller_identity.current.account_id
+}
+
+
+//data source to look up proxy that has already been registered
+data "commonfate_ecs_proxy" "proxy_data" {
+  id = var.proxy_id
+}
+
+
+
+data "aws_eks_cluster" "eks-cluster" {
+  name = var.cluster_name
+}
+
+
+resource "commonfate_proxy_eks_cluster" "cluster" {
+  proxy_id                 = var.proxy_id
+  name                     = var.name == "" ? var.cluster_name : var.name
+  region                   = local.aws_region
+  aws_account_id           = local.aws_account_id
+  cluster_name             = var.name
+  cluster_access_role_name = data.aws_eks_cluster.eks-cluster.role_arn
+  users                    = var.users
+}
+
+//allow proxy to describe cluster
+resource "aws_iam_policy" "eks_describe_cluster" {
+  // use a name prefix so that multiple or this module may be deployed
+  name_prefix = "${var.namespace}-${var.stage}-describe-cluster"
+  description = "Allow the Common Fate AWS EKS Proxy (${var.proxy_id}) to describe clusters"
+
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect = "Allow",
+        "Action" : [
+          "eks:DescribeCluster"
+        ],
+        "Resource" : data.aws_eks_cluster.eks-cluster.arn
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "describe_cluster" {
+  role       = data.commonfate_ecs_proxy.proxy_data.ecs_cluster_task_role_name
+  policy_arn = aws_iam_policy.eks_describe_cluster.arn
+}
+
+
+
+data "aws_iam_role" "proxy_task_role" {
+  name = data.commonfate_ecs_proxy.proxy_data.ecs_cluster_task_role_name
+}
+
+//create the access entry for the new role
+resource "aws_eks_access_entry" "proxy_access_entry" {
+  cluster_name      = var.cluster_name
+  kubernetes_groups = [""]
+  principal_arn     = data.aws_iam_role.proxy_task_role.arn
+  type              = "STANDARD"
+}
+
+
+//make the default rbac roles for the cluster to allow for the service account access
+module "k8s_rbac" {
+  source       = "./modules/k8s-rbac"
+  cluster_name = var.cluster_name
+}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		# terraform-aws-common-fate-proxy-aws-eks

		The terraform module for configuring a EKS cluster with the Common Fate proxy.