Merged
52 commits
43a9107
Merge pull request #255 from cloudbees-oss/develop
carlosrodlop Aug 6, 2025
b872113
moving to remote module
carlosrodlop Aug 6, 2025
265e88b
Fix cyclic dependency on initial tf plan
sboardwell Sep 9, 2025
72795c5
Add variables for casc SCM
sboardwell Sep 12, 2025
6ab6761
Allow calling make from within blueprints directory
sboardwell Sep 15, 2025
b46d985
Add automatic versioning
sboardwell Sep 15, 2025
f7a7fd3
Make casc repo and branch configurable via secrets
sboardwell Sep 15, 2025
bb87120
Variables need an array
sboardwell Sep 15, 2025
4f1d403
Remove variables
sboardwell Sep 15, 2025
a9c76de
No size label given on nodes
sboardwell Sep 16, 2025
c533f17
Service account added
sboardwell Sep 16, 2025
c3d987d
Add s3express:CreateSession permission for backup plugin
sboardwell Sep 16, 2025
8bbd204
More permissions added until BEE-62592 is resolved
sboardwell Sep 16, 2025
6b909d8
Make efs-backup-* names unique
sboardwell Sep 18, 2025
191d9fc
Use bitnamilegacy for now
sboardwell Sep 18, 2025
56385f8
Add oc-plugins-only bundle
sboardwell Sep 19, 2025
d8b7319
Add new roles and groups
sboardwell Sep 19, 2025
1533821
Remove problematic permissions
sboardwell Sep 19, 2025
bd38da1
Add message
sboardwell Sep 19, 2025
5d51f11
Add message
sboardwell Sep 19, 2025
5e797c9
Add permissions back
sboardwell Sep 19, 2025
4f47754
Add system properties for fine grained roles
sboardwell Sep 22, 2025
9478dc7
Merge branch 'cloudbees-oss:main' into first-iteration
sboardwell Sep 22, 2025
a8bc407
Remove oc-plugins-only bundle
sboardwell Sep 22, 2025
c7a56c6
Reset module location
sboardwell Sep 22, 2025
275a027
Reset bundles
sboardwell Sep 22, 2025
36be89c
Precommit changes
sboardwell Sep 22, 2025
d6d083d
Precommit changes
sboardwell Sep 22, 2025
0ee51f1
Update tflint and terraform-docs
sboardwell Sep 22, 2025
3d0973b
Update terraform-docs
sboardwell Sep 22, 2025
f79615f
Update github-action-markdown-link-check
sboardwell Sep 22, 2025
6be55b7
Add markdown link checker to pre-commit
sboardwell Sep 22, 2025
e812474
Clean markdown links
sboardwell Sep 22, 2025
a03072e
Update terraform-docs
sboardwell Sep 22, 2025
0fc65b9
Update test email addresses
sboardwell Sep 22, 2025
c59adab
Update test email addresses
sboardwell Sep 22, 2025
a3c7ef7
Remove set-cbci-location, add doctoc
sboardwell Sep 22, 2025
d682149
Corrections after testing 01
sboardwell Sep 22, 2025
60316f8
Use the plan file
sboardwell Sep 23, 2025
926a8ab
Better dependency management
sboardwell Sep 23, 2025
0c08c2b
Subnets need to be larger than 254 IP addresses
sboardwell Sep 23, 2025
8e37a21
Do not pass root all the time
sboardwell Sep 23, 2025
5d7ee03
Ignore tfplan files
sboardwell Sep 23, 2025
aa4a057
Add team-d
sboardwell Sep 23, 2025
7491398
Custom values should override default values
sboardwell Sep 23, 2025
0a2b786
Do not use tfplan for now
sboardwell Sep 23, 2025
ce7380b
Add delay to allow OC to get configured before provisioning
sboardwell Sep 23, 2025
2d18bc3
Remove team-d
sboardwell Sep 23, 2025
f6ed9b8
Do not pass root all the time
sboardwell Sep 23, 2025
272f922
Clean up dependencies
sboardwell Sep 23, 2025
7972b02
Apply suggestions from code review
sboardwell Sep 24, 2025
b463b85
Update README after code changes
sboardwell Sep 24, 2025
4 changes: 2 additions & 2 deletions .docker/agent/agent.Dockerfile
Expand Up @@ -7,8 +7,8 @@ ARG CREATE_USER=false
ARG USER=bp-agent

ENV TF_VERSION=1.9.8 \
TF_LINT_VERSION=v0.51.1 \
TF_DOCS_VERSION=v0.18.0 \
TF_LINT_VERSION=v0.59.1 \
TF_DOCS_VERSION=v0.20.0 \
KUBECTL_VERSION=1.31.2 \
VELERO_VERSION=1.16.1 \
EKSCTL_VERSION=0.210.0 \
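Review bot: The TF_LINT_VERSION and TF_DOCS_VERSION values in this ENV block duplicate TFLINT_VERSION and TERRAFORM_DOCS_VERSION in .github/workflows/terraform.yml, and the two copies had already drifted before this change (the image carried terraform-docs v0.18.0 while the workflow carried v0.16.0). They are aligned at v0.59.1 and v0.20.0 now, but nothing keeps them that way. Consider a single source for these pins, for example a versions file read by both the Docker build and the workflow, or at least a comment on each side pointing at the other.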
3 changes: 2 additions & 1 deletion .github/workflows/markdown.links.config.json
Expand Up @@ -6,5 +6,6 @@
{
"pattern": "https://github.com/jenkinsci/opentelemetry-plugin/blob/main/docs/job-traces.md "
}
]
],
"aliveStatusCodes": [429, 200]
}
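Review bot: Adding 429 to `aliveStatusCodes` makes the checker report a rate-limited URL as alive without ever confirming that it resolves, so a dead link on a host that throttles CI runners will pass. markdown-link-check can retry those responses instead: setting `"retryOn429": true` together with `retryCount` and `fallbackRetryDelay` keeps the check meaningful, and 429 can then be dropped from the list. Separately, the ignore pattern kept as context above ends in a space inside the quotes (`job-traces.md "`); if that is not intentional it may not match the link and is worth trimming while this file is open.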
2 changes: 1 addition & 1 deletion .github/workflows/md-link-checker.yml
Expand Up @@ -12,7 +12,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: gaurav-nelson/github-action-markdown-link-check@v1
- uses: tcort/github-action-markdown-link-check@a800ad5f1c35bf61987946fd31c15726a1c9f2ba # v1.1.0
with:
use-quiet-mode: 'yes'
use-verbose-mode: 'yes'
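Review bot: The link-check action is now pinned to a full commit SHA, but `actions/checkout@v3` on the context line directly above it is still referenced by a mutable tag, so the job's supply-chain pinning is only partial. Pin checkout to a commit SHA with the version in a trailing comment, the same way as the line changed here. The move from gaurav-nelson to tcort also changes which publisher's code runs in this job, which deserves a sentence in the PR description.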
6 changes: 3 additions & 3 deletions .github/workflows/terraform-docs.yml
Expand Up @@ -21,23 +21,23 @@ jobs:
ref: ${{ github.event.pull_request.head.ref }}

- name: Render documentation and push changes back to branch
uses: terraform-docs/gh-actions@f6d59f89a280fa0a3febf55ef68f146784b20ba0 # v1.0.0
uses: terraform-docs/gh-actions@6de6da0cefcc6b4b7a5cbea4d79d97060733093c # v1.4.1
with:
config-file: ".terraform-docs.yml"
output-file: "README.md"
output-method: inject
git-push: true

- name: Render documentation for `01-getting-started` example and push changes back to branch
uses: terraform-docs/gh-actions@f6d59f89a280fa0a3febf55ef68f146784b20ba0 # v1.0.0
uses: terraform-docs/gh-actions@6de6da0cefcc6b4b7a5cbea4d79d97060733093c # v1.4.1
with:
config-file: ".terraform-docs.yml"
output-file: "README.md"
git-push: true
working-dir: "./blueprints/01-getting-started"

- name: Render documentation for `02-at-scale` example and push changes back to branch
uses: terraform-docs/gh-actions@f6d59f89a280fa0a3febf55ef68f146784b20ba0 # v1.0.0
uses: terraform-docs/gh-actions@6de6da0cefcc6b4b7a5cbea4d79d97060733093c # v1.4.1
with:
config-file: ".terraform-docs.yml"
output-file: "README.md"
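Review bot: The steps visible here run `terraform-docs/gh-actions` with `git-push: true` against the pull request head ref, so this action can write commits to contributor branches, and the only thing tying the new SHA `6de6da0cefcc6b4b7a5cbea4d79d97060733093c` to v1.4.1 is the trailing comment. Please confirm the SHA against the upstream tag before merging, since nothing checks the comment. The pin is also repeated verbatim in each step; a matrix over the working directories or a reusable workflow would leave one line to update next time.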
4 changes: 2 additions & 2 deletions .github/workflows/terraform.yml
Expand Up @@ -12,8 +12,8 @@ on:
permissions: read-all

env:
TERRAFORM_DOCS_VERSION: v0.16.0
TFLINT_VERSION: v0.51.1
TERRAFORM_DOCS_VERSION: v0.20.0
TFLINT_VERSION: v0.59.1

concurrency:
group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -47,6 +47,7 @@ backend*.tf

# Terraform Plan file
tfplan*.txt
tfplan

#Ignore auto-generated files and directories
.DS_Store
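Review bot: The new `tfplan` entry only matches a file or directory with exactly that name, and the existing `tfplan*.txt` only matches text renderings, so a binary plan written as `tfplan.out` or `tfplan.bin` is still tracked. Plan files can embed variable values and resource attributes in clear form, so widen the rule to `tfplan*` (which also makes the `.txt` line redundant) or add `*.tfplan`.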
20 changes: 18 additions & 2 deletions .pre-commit-config.yaml
Expand Up @@ -2,8 +2,24 @@

fail_fast: false
repos:
- repo: https://github.com/thlorenz/doctoc
rev: v2.2.0
hooks:
- id: doctoc
args:
- -u

- repo: https://github.com/tcort/markdown-link-check
rev: v3.13.7
hooks:
- id: markdown-link-check
args:
- -v
- -c
- .github/workflows/markdown.links.config.json

- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.4.0
rev: v6.0.0
hooks:
- id: trailing-whitespace
args: ['--markdown-linebreak-ext=md']
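Review bot: The two hook repositories added at the top of `repos:` (doctoc at `rev: v2.2.0`, markdown-link-check at `rev: v3.13.7`) are pinned by tag, while the workflow changes in this same pull request pin actions by commit SHA. pre-commit accepts a full SHA in `rev`, and `pre-commit autoupdate --freeze` writes it with the tag as a comment, which would give the hooks that run on every contributor machine the same pinning as the CI actions. markdown-link-check also makes network requests, so this hook will slow down or fail commits made offline; moving it to a manual or pre-push stage is one option. The jump of pre-commit-hooks from v4.4.0 to v6.0.0 crosses two major versions and should be called out in the PR description.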
Expand All @@ -23,7 +39,7 @@ repos:
- id: check-vcs-permalinks

- repo: https://github.com/antonbabenko/pre-commit-terraform
rev: v1.92.0
rev: v1.100.0
hooks:
- id: terraform_fmt
name: Format Terraform Configuration
44 changes: 41 additions & 3 deletions CONTRIBUTING.md
@@ -1,12 +1,50 @@
# Contribute

<!-- START doctoc generated TOC please keep comment here to allow auto update -->
<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->

- [Design principles](#design-principles)
- [Changing the default repo and branch for GitOps](#changing-the-default-repo-and-branch-for-gitops)
- [Release process](#release-process)
- [Report bugs and feature requests](#report-bugs-and-feature-requests)
- [Contribute via pull requests](#contribute-via-pull-requests)
- [Pre-commits: Linting, formatting and secrets scanning](#pre-commits-linting-formatting-and-secrets-scanning)
- [Blueprint Terraform CI pipeline](#blueprint-terraform-ci-pipeline)
- [Prerequisites](#prerequisites)
- [Release](#release)

<!-- END doctoc generated TOC please keep comment here to allow auto update -->

This document provides guidelines for contributing to the CloudBees CI add-on for Amazon EKS blueprints.

## Design principles

- It follows the same approach as the [Terraform AWS EKS Blueprints for Terraform Patterns](https://aws-ia.github.io/terraform-aws-eks-blueprints/).
- The blueprints use a monorepo configuration to ensure that all the components are versioned together. In a production environment, it would be expected to have a single repository for the blueprints, and another repositories for the CloudBees CI configuration as code (CasC) bundles and shared libraries (see [At scale blueprint](blueprints/02-at-scale)). This approach is managed using [Spare Checkouts](https://github.blog/open-source/git/bring-your-monorepo-down-to-size-with-sparse-checkout/).
- The make target `CBCI_REPO=https://github.com/example-org/example-repo.git CBCI_BRANCH=new-feat make set-cbci-location` makes possible to switch between branches when you are making updates to the CasC bundles or shared libraries.
- The blueprints use a monorepo configuration to ensure that all the components are versioned together.
- In a production environment, it would be expected to have a single repository for the blueprints, and another repositories for the CloudBees CI configuration as code (CasC) bundles and shared libraries (see [At scale blueprint](blueprints/02-at-scale)).
- This monorepo approach is managed using [Spare Checkouts](https://github.blog/open-source/git/bring-your-monorepo-down-to-size-with-sparse-checkout/).

### Changing the default repo and branch for GitOps

The `02-at-scale` blueprint relies on a repository and branch for some of its configuration. The following variables found in the [./blueprints/02-at-scale/.auto.tfvars.example](./blueprints/02-at-scale/.auto.tfvars.example) make it possible to switch between branches when you are making updates to the CasC bundles and shared libraries.

```sh
# Required variables pointing to the monorepo and branch
# oc_casc_scm_repo_url = "https://github.com/cloudbees-oss/terraform-aws-cloudbees-ci-eks-addon.git"
# oc_casc_scm_branch = "develop"

# Optional variables to further tweak configuration
# oc_casc_scm_bundle_path = "blueprints/02-at-scale/cbci/casc/oc"
# oc_casc_scm_polling_interval = "PT2M"
# cbci_casc_path_controller = "blueprints/02-at-scale/cbci/casc/mc"
# cbci_casc_path_shared_library = "blueprints/02-at-scale/cbci/shared-lib"
```

So in this case, simply:

- fork this repository
- create a new branch from develop
- change the repo and branch in the copied `.auto.tfvars` to match your fork and branch

## Release process

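Review bot: In the new "Changing the default repo and branch for GitOps" section the fenced block is tagged `sh` but contains Terraform variable assignments, and every line under "Required variables" is commented out, so a reader cannot tell whether these must be set. Tag the fence `hcl`, and either uncomment the required pair or relabel it as defaults. The rewritten design-principles bullets carry over two wording errors from the old text: "Spare Checkouts" should read "Sparse Checkouts" and "another repositories" should read "other repositories". Since these variables decide which repository and branch the blueprint takes its configuration from, the steps should also state that anyone with push access to that branch can change what gets deployed.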
Expand Down Expand Up @@ -64,7 +102,7 @@ To submit a pull request:
7. Pay attention to any automated CI failures reported in the pull request, and stay involved in the conversation.

> [!IMPORTANT]
> If you make updates to embedded repository (for example, CasC bundles), you must push the changes to the public upstream (repository/branch) before running `terraform apply` locally. The endpoint and/or branch can be updated via `set-casc-location` from the companion [Makefile](blueprints/Makefile).
> If you make updates to embedded repository (for example, CasC bundles), you must push the changes to the public upstream (repository/branch) before running `terraform apply` locally. The endpoint and/or branch can be updated via the terraform variables mentioned in [Changing the default repo and branch for GitOps](#changing-the-default-repo-and-branch-for-gitops).

### Pre-commits: Linting, formatting and secrets scanning

8 changes: 4 additions & 4 deletions README.md
Expand Up @@ -75,7 +75,7 @@ The two main components of CloudBees CI - the operations center and managed cont
- Amazon EBS volumes are scoped to a particular availability zone to offer high-speed, low-latency access to the Amazon Elastic Compute Cloud (Amazon EC2) instances they are connected to. If an availability zone fails, an Amazon EBS volume becomes inaccessible due to file corruption, or there is a service outage, the data on these volumes becomes inaccessible. The operations center and managed controller pods require this persistent data and have no mechanism to replicate the data, so CloudBees recommends frequent backups for Amazon EBS.
- Amazon EFS file systems are scoped to an AWS region and can be accessed from any availability zone in the region that the file system was created in. Using Amazon EFS as a storage class for the operations center and managed controllers allows pods to be rescheduled successfully onto healthy nodes in the event of an availability zone outage. Amazon EFS is more expensive than Amazon EBS, but provides greater fault tolerance.

> [!IMPORTANT]
> [!IMPORTANT]
> CloudBees CI High Availability (HA) (active-active) requires Amazon EFS. For more information, refer to [CloudBees CI EKS storage requirements](https://docs.cloudbees.com/docs/cloudbees-ci/latest/eks-install-guide/eks-pre-install-requirements-helm#_storage_requirements).

> [!NOTE]
Expand Down Expand Up @@ -110,14 +110,14 @@ The CloudBees CI add-on uses `helms release` for its resources definition, makin
| create_pi_s3 | Create Pod Identity for s3. It requires the EKS Pod Identity agent running. | `bool` | `false` | no |
| create_prometheus_target | Creates a service monitor to discover the CloudBees CI Prometheus target dynamically. It is designed to be enabled with the AWS EKS Terraform Addon Kube Prometheus Stack. | `bool` | `false` | no |
| create_reg_secret | Create a Kubernetes dockerconfigjson secret for container registry authentication (cbci-sec-reg) for CI builds agents. | `bool` | `false` | no |
| helm_config | CloudBees CI Helm chart configuration. | `any` | <pre>{<br> "values": [<br> ""<br> ]<br>}</pre> | no |
| helm_config | CloudBees CI Helm chart configuration. | `any` | <pre>{<br/> "values": [<br/> ""<br/> ]<br/>}</pre> | no |
| pi_ecr_cbci_agents_ns | Kubernetes namespace for CloudBees CI ephemeral agents. | `string` | `"cbci-agents"` | no |
| pi_eks_cluster_name | EKS cluster name for Pod Identity. | `string` | `"acme-cluster"` | no |
| pi_s3_bucket_arn | S3 bucket arn for CBCI Backups and/or Workspace Cache | `string` | `"arn:aws:s3:::foo-bucket"` | no |
| pi_s3_bucket_cbci_prefix | S3 bucket path prefix for CBCI Backups and/or Workspace Cache | `string` | `"bar-prefix"` | no |
| pi_s3_sa_controllers | List of service account names for controllers that need S3 pod identity. Defaults to ['cjoc'] if not provided. | `list(string)` | <pre>[<br> "cjoc"<br>]</pre> | no |
| pi_s3_sa_controllers | List of service account names for controllers that need S3 pod identity. Defaults to ['cjoc'] if not provided. | `list(string)` | <pre>[<br/> "cjoc"<br/>]</pre> | no |
| prometheus_target_ns | Prometheus target namespace, designed to be enabled with the AWS EKS Terraform Addon Kube Prometheus Stack. It is required when prometheus_target is enabled. | `string` | `"observability"` | no |
| reg_secret_auth | Registry server authentication details for cbci-sec-reg secret. It is required when create_reg_secret is enabled. | `map(string)` | <pre>{<br> "email": "foo.bar@acme.com",<br> "password": "changeme1234",<br> "server": "my-registry.acme:5000",<br> "username": "foo"<br>}</pre> | no |
| reg_secret_auth | Registry server authentication details for cbci-sec-reg secret. It is required when create_reg_secret is enabled. | `map(string)` | <pre>{<br/> "email": "email@example.com",<br/> "password": "changeme1234",<br/> "server": "my-registry.acme:5000",<br/> "username": "foo"<br/>}</pre> | no |
| reg_secret_ns | Agent namespace to allocate the cbci-sec-reg secret. It is required when create_reg_secret is enabled. | `string` | `"cbci"` | no |

### Outputs
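Review bot: The `reg_secret_auth` row still documents a default that includes `"password": "changeme1234"` and is marked as not required, although its description says it is required when `create_reg_secret` is enabled. With that default in place, enabling `create_reg_secret` without supplying credentials would build the cbci-sec-reg secret from placeholder values instead of failing. Since this row is being touched anyway for the e-mail change, consider removing the default in the variable definition, marking the variable sensitive, and adding a validation or precondition that rejects the apply when `create_reg_secret` is true and no credentials are given.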
2 changes: 1 addition & 1 deletion blueprints/01-getting-started/.auto.tfvars.example
Expand Up @@ -3,7 +3,7 @@ hosted_zone = "acme.domain.com" # Required. Route 53 Hosted Zone to host CloudBe
trial_license = { # Required. CloudBees CI Trial license details for evaluation.
first_name = "Foo"
last_name = "Bar"
email = "foo.bar@acme.com"
email = "email@example.com"
company = "Acme Inc."
}

3 changes: 3 additions & 0 deletions blueprints/01-getting-started/Makefile
@@ -0,0 +1,3 @@
ROOT_DIR := $(dir $(abspath $(lastword $(MAKEFILE_LIST))))
export ROOT := $(notdir $(patsubst %/,%,$(ROOT_DIR)))
include ../Makefile
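Review bot: `include ../Makefile` on the last line is resolved against the directory make was started in, not against this file, even though `ROOT_DIR` two lines above already computes this file's own directory. Invoking it as `make -f blueprints/01-getting-started/Makefile` from the repository root would therefore look for a Makefile in the parent of the repository root. Use `include $(ROOT_DIR)../Makefile` so the include works from any working directory; the same applies to the identical file added under blueprints/02-at-scale. A one-line comment saying that `ROOT` is exported for the shared Makefile would also help, since nothing in these three lines uses it.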
5 changes: 5 additions & 0 deletions blueprints/01-getting-started/main.tf
Expand Up @@ -116,6 +116,8 @@ module "eks" {
vpc_id = module.vpc.vpc_id
subnet_ids = module.vpc.private_subnets

enable_cluster_creator_admin_permissions = true

# Security groups based on the best practices doc https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html.
# So, by default the security groups are restrictive. Users needs to enable rules for specific ports required for App requirement or Add-ons
# See the notes below for each rule used in these examples
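Review bot: `enable_cluster_creator_admin_permissions = true` is added to the `eks` module with no comment, and it gives whichever identity runs `terraform apply` administrator access to the cluster. That is convenient for a getting-started blueprint, but in a pipeline it means the CI role is a standing cluster admin. Add a comment explaining why it is needed here, and consider exposing it as a variable or replacing it with explicit access entries for named roles so that users copying this blueprint make the choice deliberately.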
Expand Down Expand Up @@ -198,6 +200,8 @@ resource "kubernetes_annotations" "gp2" {
annotations = {
"storageclass.kubernetes.io/is-default-class" = "false"
}

depends_on = [module.eks_blueprints_addons]
}

resource "kubernetes_storage_class_v1" "gp3" {
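Review bot: The `depends_on = [module.eks_blueprints_addons]` added to `kubernetes_annotations.gp2` (and to `kubernetes_storage_class_v1.gp3` in the next hunk) depends on the whole add-ons module without saying which add-on the storage classes actually wait for. A module-wide `depends_on` orders these resources after every resource in the add-ons module, which lengthens the apply and hides the real prerequisite. Add a comment naming that prerequisite, and if the module exposes an output for the add-on in question, reference it instead.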
Expand All @@ -220,6 +224,7 @@ resource "kubernetes_storage_class_v1" "gp3" {
type = "gp3"
}

depends_on = [module.eks_blueprints_addons]
}

# Kubeconfig
15 changes: 13 additions & 2 deletions blueprints/02-at-scale/.auto.tfvars.example
Expand Up @@ -3,14 +3,14 @@ hosted_zone = "acme.domain.com" # Required. Route 53 Hosted Zone to host CloudBe
trial_license = { # Required. CloudBees CI Trial license details for evaluation. Replace Default values by your own.
first_name = "Foo"
last_name = "Bar"
email = "foo.bar@acme.com"
email = "email@example.com"
company = "Acme Inc."
}

dh_reg_secret_auth = { # Required.
username = "foo"
password = "d0ckerPass12"
email = "foo.bar@acme.com"
email = "email@example.com"
}

# tags = { # Optional. Tags for the resources created. Default set to empty. Shared among all.
Expand All @@ -19,6 +19,17 @@ dh_reg_secret_auth = { # Required.
# "cb-purpose" : "demo-env"
# }

# Required variables pointing to the monorepo and branch
# oc_casc_scm_repo_url = "https://github.com/cloudbees-oss/terraform-aws-cloudbees-ci-eks-addon.git"
# oc_casc_scm_branch = "develop"

# Optional variables to further tweak configuration
# oc_casc_scm_bundle_path = "blueprints/02-at-scale/cbci/casc/oc"
# oc_casc_scm_polling_interval = "PT2M"
# cbci_casc_path_controller = "blueprints/02-at-scale/cbci/casc/mc"
# cbci_casc_path_shared_library = "blueprints/02-at-scale/cbci/shared-lib"


# suffix = my-demo #Optional

# aws_region = "us-west-2" #Optional
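Review bot: The values in the new commented block disagree with the defaults documented in this blueprint's README in the same pull request: `oc_casc_scm_polling_interval` is `"PT2M"` here and `"PT20M"` there, and `oc_casc_scm_repo_url` points at the `cloudbees-oss` organisation here and at `cloudbees` there. The block is also headed "Required variables" while the README marks all of them as not required. Make the example show the real defaults, or say explicitly that these are overrides, and fix the heading. The added block also ends with two blank lines where the rest of the file uses one.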
3 changes: 3 additions & 0 deletions blueprints/02-at-scale/Makefile
@@ -0,0 +1,3 @@
ROOT_DIR := $(dir $(abspath $(lastword $(MAKEFILE_LIST))))
export ROOT := $(notdir $(patsubst %/,%,$(ROOT_DIR)))
include ../Makefile
12 changes: 9 additions & 3 deletions blueprints/02-at-scale/README.md
Expand Up @@ -95,8 +95,14 @@ CloudBees CI uses a couple of Kubernetes secrets for different purposes dependin
| hosted_zone | Amazon Route 53 hosted zone. CloudBees CI applications are configured to use subdomains in this hosted zone. | `string` | n/a | yes |
| trial_license | CloudBees CI trial license details for evaluation. | `map(string)` | n/a | yes |
| aws_region | AWS region to deploy resources to. It requires a minimum of three availability zones. | `string` | `"us-west-2"` | no |
| cbci_casc_path_controller | Path within the Git repository that contains the CloudBees CI controllers. | `string` | `"blueprints/02-at-scale/cbci/mc"` | no |
| cbci_casc_path_shared_library | Path within the Git repository that contains the CloudBees CI shared library. | `string` | `"blueprints/02-at-scale/cbci/shared-lib"` | no |
| ci | Running in a CI service versus running locally. False when running locally, true when running in a CI service. | `bool` | `false` | no |
| dh_reg_secret_auth | Docker Hub registry server authentication details for cbci-sec-reg secret. | `map(string)` | <pre>{<br> "email": "[email protected]",<br> "password": "changeme1234",<br> "username": "foo"<br>}</pre> | no |
| dh_reg_secret_auth | Docker Hub registry server authentication details for cbci-sec-reg secret. | `map(string)` | <pre>{<br/> "email": "[email protected]",<br/> "password": "changeme1234",<br/> "username": "foo"<br/>}</pre> | no |
| oc_casc_scm_branch | Branch of the Git repository that contains the CloudBees CI CasC bundle configuration for the operations center. | `string` | `"develop"` | no |
| oc_casc_scm_bundle_path | Path within the Git repository that contains the CloudBees CI CasC bundle configuration for the operations center. | `string` | `"blueprints/02-at-scale/cbci/casc/oc"` | no |
| oc_casc_scm_polling_interval | Polling interval for the Git repository that contains the CloudBees CI CasC bundle configuration for the operations center. | `string` | `"PT20M"` | no |
| oc_casc_scm_repo_url | URL of the Git repository that contains the CloudBees CI CasC bundle configuration for the operations center. | `string` | `"https://github.com/cloudbees/terraform-aws-cloudbees-ci-eks-addon.git"` | no |
| suffix | Unique suffix to assign to all resources. When adding the suffix, changes are required in CloudBees CI for the validation phase. | `string` | `""` | no |
| tags | Tags to apply to resources. | `map(string)` | `{}` | no |

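Review bot: The documented default for `cbci_casc_path_controller` is `"blueprints/02-at-scale/cbci/mc"`, but the example tfvars in this pull request uses `blueprints/02-at-scale/cbci/casc/mc` and the controller bundle changed here lives under `cbci/casc/mc/mc-ha/`, so the default looks like it is missing the `casc/` segment. Since this table is rendered by terraform-docs, the fix belongs in the variable's default. Also, `oc_casc_scm_branch` defaults to `"develop"`, which means a deployment that sets nothing follows a moving branch of the upstream repository; defaulting to a release tag, or requiring the caller to set repository and branch, would make the configuration source explicit.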
Expand Down Expand Up @@ -359,7 +365,7 @@ Steps:

For backup and restore operations, you can use the [preconfigured CloudBees CI Cluster Operations job](#cloudbees-ci-backup) to automatically perform a daily backup, which can be used for Amazon EFS and Amazon EBS storage.

[Velero](#create-a-velero-backup-schedule) is an alternative for services only for controllers using Amazon EBS. Velero commands and configuration in this blueprint follow [Using Velero back up and restore Kubernetes cluster resources](https://docs.cloudbees.com/docs/cloudbees-ci/latest/backup-restore/velero-dr). There is no alternative for services using Amazon EFS storage. Although [AWS Backup](https://aws.amazon.com/backup/) includes the Amazon EFS drive as a protected resource, there is not currently a best practice to dynamically restore Amazon EFS PVCs. For more information, refer to [Issue 39](https://github.com/cloudbees/terraform-aws-cloudbees-ci-eks-addon/issues/39).
[Velero](#velero) is an alternative for services only for controllers using Amazon EBS. Velero commands and configuration in this blueprint follow [Using Velero back up and restore Kubernetes cluster resources](https://docs.cloudbees.com/docs/cloudbees-ci/latest/backup-restore/velero-dr). There is no alternative for services using Amazon EFS storage. Although [AWS Backup](https://aws.amazon.com/backup/) includes the Amazon EFS drive as a protected resource, there is not currently a best practice to dynamically restore Amazon EFS PVCs. For more information, refer to [Issue 39](https://github.com/cloudbees/terraform-aws-cloudbees-ci-eks-addon/issues/39).

> [!NOTE]
> - An installation that has been completely converted to CasC may not need traditional backups; a restore operation could consist simply of running a CasC bootstrap script. This is only an option if you have translated every significant system setting and job configuration to CasC. Even then, it may be desirable to perform a filesystem-level restore from backup to preserve transient data, such as build history.
Expand Down Expand Up @@ -387,7 +393,7 @@ Issue the following command to create a Velero backup schedule for selected cont
Issue the following command to take an on-demand Velero backup for a specific point in time for `team-b` based on the schedule definition:

>[!NOTE]
> When using this CloudBees CI add-on, you must [create at least one Velero backup schedule](#create-a-velero-backup-schedule) prior to taking an on-demand Velero backup.
> When using this CloudBees CI add-on, you must [create at least one Velero backup schedule](#velero) prior to taking an on-demand Velero backup.

```sh
eval $(terraform output --raw velero_backup_on_demand)
2 changes: 0 additions & 2 deletions blueprints/02-at-scale/cbci/casc/mc/mc-ha/bundle.yaml
Expand Up @@ -7,5 +7,3 @@ allowCapExceptions: true
jcascMergeStrategy: "errorOnConflict"
jcasc:
- jcasc.main.yaml
variables:
- variables.yaml
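Review bot: Removing the `variables:` section drops `variables.yaml` from the mc-ha bundle, but this hunk does not show whether `jcasc.main.yaml` still references any of the values it defined. Please confirm that no `${...}` references to those variables remain in the bundle and that the `variables.yaml` file itself is deleted in this pull request, so the bundle neither ships an unused file nor fails to resolve a value at load time.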