osinfra-io · brettcurtis · Oct 12, 2024 · Oct 5, 2024 · Oct 5, 2024 · Oct 5, 2024
@@ -0,0 +1,4 @@
+# Code Owners
+# https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
+
+* @osinfra-sa
@@ -0,0 +1,12 @@
+# Dependabot
+# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates
+
+version: 2
+updates:
+  - package-ecosystem: github-actions
+
+    # NOTE: The "/" here is for checking for workflow files in .github/workflows
+
+    directory: /
+    schedule:
+      interval: daily
@@ -0,0 +1,21 @@
+name: Add To GitHub Projects
+
+on:
+  issues:
+    types:
+      - opened
+  pull_request:
+    types:
+      - opened
+
+permissions:
+  issues: write
+
+jobs:
+  add-to-osinfra-project:
+    name: Open Source Infrastructure (as Code)
+    uses: osinfra-io/github-misc-called-workflows/.github/workflows/[email protected]
+    with:
+     project_id: 1
+    secrets:
+     add_to_project_pat: ${{ secrets.ADD_TO_PROJECT_PAT }}
@@ -0,0 +1,13 @@
+name: Dependabot Approve and Merge
+
+on: pull_request_target
+
+permissions:
+  contents: read
+
+jobs:
+  dependabot:
+    name: Dependabot
+    uses: osinfra-io/github-misc-called-workflows/.github/workflows/[email protected]
+    secrets:
+      pr_approve_and_merge_pat: ${{ secrets.PR_APPROVE_AND_MERGE_PAT }}
@@ -0,0 +1,23 @@
+name: Terraform Tests
+
+on:
+  workflow_dispatch:
+  pull_request:
+    types:
+      - opened
+      - synchronize
+    paths-ignore:
+      - "**.md"
+
+permissions:
+  id-token: write
+
+jobs:
+  tests:
+    name: Tests
+    uses: osinfra-io/github-terraform-gcp-called-workflows/.github/workflows/[email protected]
+    if: github.actor != 'dependabot[bot]'
+    with:
+      service_account: plt-lz-testing-github@ptl-lz-terraform-tf91-sb.iam.gserviceaccount.com
+      terraform_version: ${{ vars.TERRAFORM_VERSION }}
+      workload_identity_provider: projects/746490462722/locations/global/workloadIdentityPools/github-actions/providers/github-actions-oidc
@@ -0,0 +1,43 @@
+# .gitignore
+# https://docs.github.com/en/get-started/getting-started-with-git/ignoring-files
+
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+
+# Ignore provider lock file
+.terraform.lock.hcl
+
+# Ignore any local.tfvars. Most .tfvars files are managed as part of configuration and so should
+# be included in version control.
+local.tfvars
+
+# Provider.tf is used for local development of modules and shouldn't be added to repos.
+provider.tf
+
+# Ignore override files as they are usually used to override ressources locally
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Ignore plan output files
+plan.out
+
+# Ignore Infracost directories and files
+.infracost
+
+# Other Files
+*.log
+*.bak
+*.swp
+*.tmp
+*.gz
+*.tgz
+*.tar
@@ -0,0 +1,37 @@
+# Pre-commit
+# https://github.com/pre-commit/pre-commit
+
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v5.0.0
+    hooks:
+      - id: check-yaml
+      - id: end-of-file-fixer
+      - id: trailing-whitespace
+      - id: check-symlinks
+
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.96.1
+    hooks:
+      - id: terraform_fmt
+
+      # To speed up local validation add the following to your ~/.zshrc:
+      # export TF_PLUGIN_CACHE_DIR=$HOME/.terraform.d/plugin-cache
+
+      - id: terraform_validate
+        args:
+          - --hook-config=--retry-once-with-cleanup=true
+          - --tf-init-args=-upgrade
+        exclude: tests/fixtures/shared
+
+      # Always run after terraform_validate
+
+      - id: terraform_docs
+
+  - repo: https://github.com/bridgecrewio/checkov.git
+    rev: 3.2.257
+    hooks:
+      - id: checkov
+        verbose: true
+        args:
+          - --quiet
@@ -0,0 +1,5 @@
+# Terraform Docs
+# https://github.com/terraform-docs/terraform-docs
+
+settings:
+  indent: 3
@@ -0,0 +1,70 @@
+# <img align="left" width="45" height="45" src="https://github.com/user-attachments/assets/9e7982fb-5f76-4e95-a4f2-f6bf4b458693"> Kubernetes - Open Policy Agent Gatekeeper Terraform Module
+
+**[GitHub Actions](https://github.com/osinfra-io/terraform-kubernetes-opa-gatekeeper/actions):**
+
+[![Terraform Tests](https://github.com/osinfra-io/terraform-kubernetes-opa-gatekeeper/actions/workflows/test.yml/badge.svg)](https://github.com/osinfra-io/terraform-kubernetes-opa-gatekeeper/actions/workflows/test.yml) [![Dependabot](https://github.com/osinfra-io/terraform-kubernetes-opa-gatekeeper/actions/workflows/dependabot.yml/badge.svg)](https://github.com/osinfra-io/terraform-kubernetes-opa-gatekeeper/actions/workflows/dependabot.yml)
+
+**[Infracost](https://www.infracost.io):**
+
+[![infracost](https://img.shields.io/endpoint?url=https://dashboard.api.infracost.io/shields/json/cbeecfe3-576f-4553-984c-e451a575ee47/repos/925e2406-d209-4aca-847d-21257bc478a5/branch/72fc4157-6bf8-46c0-9d51-593f3cd5bdef)](https://dashboard.infracost.io/org/osinfra-io/repos/925e2406-d209-4aca-847d-21257bc478a5?tab=settings)
+
+💵 Monthly estimates based on Infracost baseline costs.
+
+## Repository Description
+
+Terraform **example** module for Open Policy Agent Gatekeeper on Google Kubernetes Engine (GKE).
+
+> [!NOTE]
+> We do not recommend consuming this module like you might a [public module](https://registry.terraform.io/browse/modules). It is a baseline, something you can fork, potentially maintain, and modify to fit your organization's needs. Using public modules vs. writing your own has various [drivers and trade-offs](https://docs.osinfra.io/fundamentals/architecture-decision-records/adr-0003) that your organization should evaluate.
+
+## 🔩 Usage
+
+> [!TIP]
+> You can check the [tests/fixtures](tests/fixtures) directory for example configurations. These fixtures set up the system for testing by providing all the necessary initial code, thus creating good examples on which to base your configurations.
+
+## <img align="left" width="35" height="35" src="https://github.com/osinfra-io/github-organization-management/assets/1610100/39d6ae3b-ccc2-42db-92f1-276a5bc54e65"> Development
+
+Our focus is on the core fundamental practice of platform engineering, Infrastructure as Code.
+
+>Open Source Infrastructure (as Code) is a development model for infrastructure that focuses on open collaboration and applying relative lessons learned from software development practices that organizations can use internally at scale. - [Open Source Infrastructure (as Code)](https://www.osinfra.io)
+
+To avoid slowing down stream-aligned teams, we want to open up the possibility for contributions. The Open Source Infrastructure (as Code) model allows team members external to the platform team to contribute with only a slight increase in cognitive load. This section is for developers who want to contribute to this repository, describing the tools used, the skills, and the knowledge required, along with Terraform documentation.
+
+See the documentation for setting up a local development environment [here](https://docs.osinfra.io/fundamentals/development-setup).
+
+### 🛠️ Tools
+
+- [checkov](https://github.com/bridgecrewio/checkov)
+- [helm](https://github.com/helm/helm)
+- [infracost](https://github.com/infracost/infracost)
+- [pre-commit](https://github.com/pre-commit/pre-commit)
+- [pre-commit-terraform](https://github.com/antonbabenko/pre-commit-terraform)
+- [terraform-docs](https://github.com/terraform-docs/terraform-docs)
+
+### 📋 Skills and Knowledge
+
+Links to documentation and other resources required to develop and iterate in this repository successfully.
+
+- [open-policy-agent](https://www.openpolicyagent.org/docs/latest/)
+- [gatekeeper](https://open-policy-agent.github.io/gatekeeper/website)
+
+### 🔍 Tests
+
+All tests are [mocked](https://developer.hashicorp.com/terraform/language/tests/mocking) allowing us to test the module without creating infrastructure or requiring credentials. The trade-offs are acceptable in favor of speed and simplicity. In a Terraform test, a mocked provider or resource will generate fake data for all computed attributes that would normally be provided by the underlying provider APIs.
+
+```none
+terraform init
+```
+
+```none
+terraform test
+```
+
+## 📓 Terraform Documentation
+
+> A child module automatically inherits default (un-aliased) provider configurations from its parent. The provider versions below are informational only and do **not** need to align with the provider configurations from its parent.
+
+## 📓 Terraform Regional Documentation
+
+- [regional](regional/README.md)
+- [regional/manifests](regional/manifests/README.md)
@@ -0,0 +1,2 @@
+# This is currently required so we can initialize Terraform and run tests.
+# https://github.com/hashicorp/terraform/issues/35040
@@ -0,0 +1,54 @@
+# Terraform Documentation
+
+> A child module automatically inherits default (un-aliased) provider configurations from its parent. The provider versions below are informational only and do **not** need to align with the provider configurations from its parent.
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_helm"></a> [helm](#provider\_helm) | 2.16.0 |
+| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | 2.33.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [helm_release.gatekeeper](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [kubernetes_manifest.opa_gatekeeper_ca_certificate](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
+| [kubernetes_manifest.opa_gatekeeper_ca_issuer](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
+| [kubernetes_manifest.opa_gatekeeper_selfsigned_issuer](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
+| [kubernetes_manifest.opa_gatekeeper_server_cert](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_artifact_registry"></a> [artifact\_registry](#input\_artifact\_registry) | The registry to pull the images from | `string` | `"us-docker.pkg.dev/plt-lz-services-tf79-prod/plt-docker-virtual"` | no |
+| <a name="input_audit_resources_limits_cpu"></a> [audit\_resources\_limits\_cpu](#input\_audit\_resources\_limits\_cpu) | The CPU limit for the audit container | `string` | `"40m"` | no |
+| <a name="input_audit_resources_limits_memory"></a> [audit\_resources\_limits\_memory](#input\_audit\_resources\_limits\_memory) | The memory limit for the audit container | `string` | `"128Mi"` | no |
+| <a name="input_audit_resources_requests_cpu"></a> [audit\_resources\_requests\_cpu](#input\_audit\_resources\_requests\_cpu) | The CPU request for the audit container | `string` | `"10m"` | no |
+| <a name="input_audit_resources_requests_memory"></a> [audit\_resources\_requests\_memory](#input\_audit\_resources\_requests\_memory) | The memory request for the audit container | `string` | `"32Mi"` | no |
+| <a name="input_chart_repository"></a> [chart\_repository](#input\_chart\_repository) | The repository to pull the Helm chart from | `string` | `"https://open-policy-agent.github.io/gatekeeper/charts"` | no |
+| <a name="input_controller_manager_resources_limits_cpu"></a> [controller\_manager\_resources\_limits\_cpu](#input\_controller\_manager\_resources\_limits\_cpu) | The CPU limit for the controller manager container | `string` | `"100m"` | no |
+| <a name="input_controller_manager_resources_limits_memory"></a> [controller\_manager\_resources\_limits\_memory](#input\_controller\_manager\_resources\_limits\_memory) | The memory limit for the controller manager container | `string` | `"256Mi"` | no |
+| <a name="input_controller_manager_resources_requests_cpu"></a> [controller\_manager\_resources\_requests\_cpu](#input\_controller\_manager\_resources\_requests\_cpu) | The CPU request for the controller manager container | `string` | `"10m"` | no |
+| <a name="input_controller_manager_resources_requests_memory"></a> [controller\_manager\_resources\_requests\_memory](#input\_controller\_manager\_resources\_requests\_memory) | The memory request for the controller manager container | `string` | `"32Mi"` | no |
+| <a name="input_environment"></a> [environment](#input\_environment) | The environment must be one of `sandbox`, `non-production`, `production` | `string` | `"sandbox"` | no |
+| <a name="input_gatekeeper_version"></a> [gatekeeper\_version](#input\_gatekeeper\_version) | The version to install, this is used for the chart as well as the image tag | `string` | `"v3.17.1"` | no |
+| <a name="input_node_location"></a> [node\_location](#input\_node\_location) | The zone in which the cluster's nodes should be located. If not specified, the cluster's nodes are located across zones in the region | `string` | `null` | no |
+| <a name="input_region"></a> [region](#input\_region) | The region in which the resource belongs | `string` | n/a | yes |
+| <a name="input_replicas"></a> [replicas](#input\_replicas) | The number of replicas to run | `number` | `1` | no |
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->
@@ -0,0 +1,20 @@
+podLabels:
+  tags.datadoghq.com/service: gatekeeper
+
+controllerManager:
+  disableCertRotation: true
+  podLabels:
+    tags.datadoghq.com/service: gatekeeper-controller-manager
+
+audit:
+  disableCertRotation: true
+  podLabels:
+    tags.datadoghq.com/service: gatekeeper-audit
+
+validatingWebhookAnnotations:
+  cert-manager.io/inject-ca-from: gatekeeper-system/gatekeeper-webhook-server-cert
+mutatingWebhookAnnotations:
+  cert-manager.io/inject-ca-from: gatekeeper-system/gatekeeper-webhook-server-cert
+
+externalCertInjection:
+  enabled: true
@@ -0,0 +1,32 @@
+# Local Values
+# https://www.terraform.io/docs/language/values/locals.html
+
+locals {
+  env = lookup(local.env_map, var.environment, "none")
+
+  env_map = {
+    "non-production" = "nonprod"
+    "production"     = "prod"
+    "sandbox"        = "sb"
+  }
+
+  helm_values = {
+    "audit.resources.limits.cpu"                  = var.audit_resources_limits_cpu
+    "audit.resources.limits.memory"               = var.audit_resources_limits_memory
+    "audit.resources.requests.cpu"                = var.audit_resources_requests_cpu
+    "audit.resources.requests.memory"             = var.audit_resources_requests_memory
+    "controllerManager.resources.limits.cpu"      = var.controller_manager_resources_limits_cpu
+    "controllerManager.resources.limits.memory"   = var.controller_manager_resources_limits_memory
+    "controllerManager.resources.requests.cpu"    = var.controller_manager_resources_requests_cpu
+    "controllerManager.resources.requests.memory" = var.controller_manager_resources_requests_memory
+    "image.crdRepository"                         = "${var.artifact_registry}/openpolicyagent/gatekeeper-crds"
+    "image.repository"                            = "${var.artifact_registry}/openpolicyagent/gatekeeper"
+    "image.release"                               = var.gatekeeper_version
+    "podLabels.tags\\.datadoghq\\.com/env"        = var.environment
+    "podLabels.tags\\.datadoghq\\.com/version"    = var.gatekeeper_version
+    "postInstall.labelNamespace.image.repository" = "${var.artifact_registry}/openpolicyagent/gatekeeper-crds"
+    "postInstall.labelNamespace.image.tag"        = var.gatekeeper_version
+    "preInstall.crdRepository.image.tag"          = var.gatekeeper_version
+    "replicas"                                    = var.replicas
+  }
+}