From 72a2d5cbc245e65605b7f42aa3ffc509cd397558 Mon Sep 17 00:00:00 2001 From: "lara-template-sync[bot]" <194776794+lara-template-sync[bot]@users.noreply.github.com> Date: Mon, 7 Jul 2025 12:40:16 +0200 Subject: [PATCH 1/3] feat(sync): sync universal-addon changes (#15) Merge https://github.com/lablabs/terraform-aws-eks-universal-addon 952cd8d --------- Signed-off-by: jaygridley Co-authored-by: jaygridley Co-authored-by: jaygridley --- .github/workflows/cache-warmup.yaml | 45 ++++++++++++++++++++++++++++ .github/workflows/pre-commit.yaml | 22 ++++++-------- .github/workflows/template-sync.yaml | 21 +++++-------- .github/workflows/validate.yaml | 2 +- .pre-commit-config.yaml | 8 ++--- .tool-versions | 5 ++-- README.md | 20 +++++++------ addon-irsa.tf | 6 +++- addon.tf | 2 +- examples/basic/versions.tf | 2 +- variables-addon-irsa.tf | 22 ++++++++++---- variables-addon.tf | 2 +- versions.tf | 2 +- 13 files changed, 106 insertions(+), 53 deletions(-) create mode 100644 .github/workflows/cache-warmup.yaml diff --git a/.github/workflows/cache-warmup.yaml b/.github/workflows/cache-warmup.yaml new file mode 100644 index 0000000..81b12a8 --- /dev/null +++ b/.github/workflows/cache-warmup.yaml 
@@ -0,0 +1,45 @@ +name: Cache Warmup + +on: + push: + branches: + - main # caches from the main branch are shared with all other branches and pull requests + +permissions: {} + +env: + # renovate: datasource=github-releases depName=asdf-vm/asdf + ASDF_VERSION: 0.18.0 + +jobs: + pre-commit: + runs-on: ubuntu-24.04 + steps: + - name: Checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + + - name: Setup ASDF + uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302 # v4.0.0 + with: + asdf_version: ${{ env.ASDF_VERSION }} + + - name: Cache ASDF + uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 + id: asdf-cache + with: + # https://github.com/asdf-vm/asdf/blob/master/.gitignore + path: | + ~/.asdf/installs + ~/.asdf/plugins + ~/.asdf/shims + ~/.cache/pip + key: ${{ runner.os }}-asdf-${{ hashFiles('.tool-versions') }}-warmup + restore-keys: ${{ runner.os }}-asdf- + + - name: Install ASDF + uses: asdf-vm/actions/install@1902764435ca0dd2f3388eea723a4f92a4eb8302 # v4.0.0 + if: ${{ steps.asdf-cache.outputs.cache-hit != 'true' }} + with: + asdf_version: ${{ env.ASDF_VERSION }} diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml index d4d1dc6..5b943af 100644 --- a/.github/workflows/pre-commit.yaml +++ b/.github/workflows/pre-commit.yaml @@ -16,7 +16,7 @@ concurrency: env: # renovate: datasource=github-releases depName=asdf-vm/asdf - ASDF_VERSION: 31e8c93004abd76253d186b8896785895069749b # v0.15.0 # pragma: allowlist secret + ASDF_VERSION: 0.18.0 jobs: pre-commit: @@ -28,7 +28,9 @@ jobs: persist-credentials: false - name: Setup ASDF - uses: asdf-vm/actions/setup@05e0d2ed97b598bfce82fd30daf324ae0c4570e6 # v3.0.2 + uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302 # v4.0.0 + with: + asdf_version: ${{ env.ASDF_VERSION }} - name: Cache ASDF uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 
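Review bot: In the new `.github/workflows/cache-warmup.yaml`, the `Cache ASDF` step keeps the broad `restore-keys: ${{ runner.os }}-asdf-`, so a run with a changed `.tool-versions` starts from whichever older asdf cache matches and saves that content again under the new `-warmup` key. The cached paths (`~/.asdf/installs`, `~/.asdf/plugins`, `~/.asdf/shims`) hold executables, and the comment on the `main` branch filter says these caches are shared with all other branches and pull requests, so stale or altered binaries would be carried forward from one cache generation to the next. The same commit narrows `restore-keys` in `pre-commit.yaml` and `template-sync.yaml` to include the `hashFiles('.tool-versions')` value; here I would drop the `restore-keys` line so each warm-up key is built from a clean install. The `Cache pre-commit` step added to this file later in the series (`@@ -43,3 +43,15 @@`) repeats the pattern with `${{ runner.os }}-pre-commit-`.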
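Review bot: In `.github/workflows/pre-commit.yaml` (`@@ -16,7 +16,7 @@`), `ASDF_VERSION` goes from a full commit SHA to the release number `0.18.0`, so asdf itself is no longer selected by an immutable reference even though the `asdf-vm/actions` steps stay SHA-pinned. How the v4.0.0 actions fetch and verify that release is not visible in this diff and is worth confirming. I would record the trade-off next to the value, e.g. `# release number passed to asdf_version; not a commit pin, integrity depends on the setup action`. The same replacement is made in `template-sync.yaml` (`@@ -13,7 +13,7 @@`), and the new `cache-warmup.yaml` introduces the value the same way.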
@@ -39,28 +41,22 @@ jobs: ~/.asdf/installs ~/.asdf/plugins ~/.asdf/shims + ~/.cache/pip key: ${{ runner.os }}-asdf-${{ hashFiles('.tool-versions') }} - restore-keys: ${{ runner.os }}-asdf- + restore-keys: ${{ runner.os }}-asdf-${{ hashFiles('.tool-versions') }}- - name: Install ASDF - uses: asdf-vm/actions/install@05e0d2ed97b598bfce82fd30daf324ae0c4570e6 # v3.0.2 + uses: asdf-vm/actions/install@1902764435ca0dd2f3388eea723a4f92a4eb8302 # v4.0.0 if: ${{ steps.asdf-cache.outputs.cache-hit != 'true' }} with: - asdf_branch: ${{ env.ASDF_VERSION }} + asdf_version: ${{ env.ASDF_VERSION }} - name: Reshim installed ASDF tools shell: bash run: asdf reshim - - name: Cache pip - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 - with: - path: ~/.cache/pip/ - key: ${{ runner.os }}-pip-${{ hashFiles('.pre-commit-config.yaml') }} - restore-keys: | - ${{ runner.os }}-pip- - - name: Run pre-commit run: pre-commit run --show-diff-on-failure --color=always --all-files env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # required for GH API calls quota GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} # required for zizmor diff --git a/.github/workflows/template-sync.yaml b/.github/workflows/template-sync.yaml index 7bdfc45..83736f7 100644 --- a/.github/workflows/template-sync.yaml +++ b/.github/workflows/template-sync.yaml @@ -13,7 +13,7 @@ concurrency: env: # renovate: datasource=github-releases depName=asdf-vm/asdf - ASDF_VERSION: 31e8c93004abd76253d186b8896785895069749b # v0.15.0 # pragma: allowlist secret + ASDF_VERSION: 0.18.0 jobs: universal-addon: @@ -54,7 +54,9 @@ jobs: is_pr_cleanup: true - name: Setup ASDF - uses: asdf-vm/actions/setup@05e0d2ed97b598bfce82fd30daf324ae0c4570e6 # v3.0.2 + uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302 # v4.0.0 + with: + asdf_version: ${{ env.ASDF_VERSION }} - name: Cache ASDF uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 
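Review bot: In the `Run pre-commit` step of `.github/workflows/pre-commit.yaml` (`@@ -39,28 +41,22 @@`), the workflow token is now exported as `GITHUB_TOKEN` in addition to `GH_TOKEN`, so every hook that `pre-commit run --all-files` executes from the repositories listed in `.pre-commit-config.yaml` can read it from the environment. The workflow's `permissions:` block and trigger lie outside this hunk, so what that token is allowed to do cannot be judged from here. If it is not already restricted, a job-level `permissions: { contents: read }` would bound the exposure, and a comment such as `# token is visible to all hooks; keep job permissions read-only` next to the `env:` entries would make the constraint explicit.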
@@ -65,27 +67,20 @@ jobs: ~/.asdf/installs ~/.asdf/plugins ~/.asdf/shims + ~/.cache/pip key: ${{ runner.os }}-asdf-${{ hashFiles('.tool-versions') }} - restore-keys: ${{ runner.os }}-asdf- + restore-keys: ${{ runner.os }}-asdf-${{ hashFiles('.tool-versions') }}- - name: Install ASDF - uses: asdf-vm/actions/install@05e0d2ed97b598bfce82fd30daf324ae0c4570e6 # v3.0.2 + uses: asdf-vm/actions/install@1902764435ca0dd2f3388eea723a4f92a4eb8302 # v4.0.0 if: ${{ steps.asdf-cache.outputs.cache-hit != 'true' }} with: - asdf_branch: ${{ env.ASDF_VERSION }} + asdf_version: ${{ env.ASDF_VERSION }} - name: Reshim installed ASDF tools shell: bash run: asdf reshim - - name: Cache pip - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 - with: - path: ~/.cache/pip/ - key: ${{ runner.os }}-pip-${{ hashFiles('.pre-commit-config.yaml') }} - restore-keys: | - ${{ runner.os }}-pip- - - name: Update README.md run: pre-commit run --show-diff-on-failure --color=always terraform_docs --all-files || true diff --git a/.github/workflows/validate.yaml b/.github/workflows/validate.yaml index b7463fe..6062040 100644 --- a/.github/workflows/validate.yaml +++ b/.github/workflows/validate.yaml @@ -23,7 +23,7 @@ jobs: - name: Extract Terraform min/max versions id: terraform-min-max - uses: clowdhaus/terraform-min-max@f489335873df04c3ce04b5e73f385a726d910039 # v1.3.2 + uses: clowdhaus/terraform-min-max@503e88c41953f537fc2b283a310c85e0a2cd585c # v1.4.0 with: directory: . outputs: diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 6adba1b..c65c956 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -40,7 +40,7 @@ repos: - repo: https://github.com/antonbabenko/pre-commit-terraform # renovate: datasource=github-releases depName=antonbabenko/pre-commit-terraform - rev: 55d0143972eec4905fdaea2f444f1e88218f9dce # v1.96.3 # pragma: allowlist secret + rev: 2f8bda194a420ad77a050a9de627d77a74841fdc # v1.99.4 # pragma: allowlist secret hooks: - id: terraform_docs # should be run after luactl sync args: @@ -54,8 +54,8 @@ repos: args: ["--baseline", ".secrets.baseline"] exclude: terraform.tfstate - - repo: https://github.com/woodruffw/zizmor-pre-commit - # renovate: datasource=github-releases depName=woodruffw/zizmor-pre-commit - rev: 07a06156e31897fbb5ba0e22a961e8e3c2a0677b # v1.16.0 # pragma: allowlist secret + - repo: https://github.com/zizmorcore/zizmor-pre-commit + # renovate: datasource=github-releases depName=zizmorcore/zizmor-pre-commit + rev: 69fa534d69454f44ddd4451b5e2da7a1c48e525b # v1.11.0 # pragma: allowlist secret hooks: - id: zizmor diff --git a/.tool-versions b/.tool-versions index a480dfd..d8745b0 100644 --- a/.tool-versions +++ b/.tool-versions @@ -1,7 +1,6 @@ terraform 1.5.7 terraform-docs 0.20.0 tflint 0.50.3 -checkov 3.2.352 -awscli 2.27.42 +checkov 3.2.447 +awscli 2.27.49 pre-commit 4.2.0 -python 3.13.5 diff --git a/README.md b/README.md index 5345b89..676b2e0 100644 --- a/README.md +++ b/README.md @@ -40,7 +40,7 @@ See [basic example](examples/basic) for further information. | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.5.0 | +| [terraform](#requirement\_terraform) | ~> 1.5.0 | | [aws](#requirement\_aws) | ~> 5 | | [helm](#requirement\_helm) | ~> 2.6 | | [kubernetes](#requirement\_kubernetes) | ~> 2.20 | 
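Review bot: In `.pre-commit-config.yaml` (`@@ -54,8 +54,8 @@`), the zizmor hook moves from `woodruffw/zizmor-pre-commit` to `zizmorcore/zizmor-pre-commit` while the version comment goes backwards, from `# v1.16.0` to `# v1.11.0`. Only the `rev` SHA is enforced; the comment is what Renovate and reviewers read, so either one of the two comments is wrong or the workflow auditor is being downgraded. Please confirm that `69fa534d69454f44ddd4451b5e2da7a1c48e525b` is the commit tagged `v1.11.0` in the new repository and that this is the intended release.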
@@ -50,8 +50,8 @@ See [basic example](examples/basic) for further information. | Name | Source | Version | |------|--------|---------| -| [addon](#module\_addon) | git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon | v0.0.22 | -| [addon-irsa](#module\_addon-irsa) | git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon-irsa | v0.0.22 | +| [addon](#module\_addon) | git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon | v0.0.23 | +| [addon-irsa](#module\_addon-irsa) | git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon-irsa | v0.0.23 | ## Resources | Name | Type | 
@@ -81,7 +81,7 @@ See [basic example](examples/basic) for further information. | [argo\_helm\_enabled](#input\_argo\_helm\_enabled) | If set to `true`, the ArgoCD Application manifest will be deployed using Kubernetes provider as a Helm release. Otherwise it'll be deployed as a Kubernetes manifest. See README for more info. Defaults to `false`. | `bool` | | [argo\_helm\_values](#input\_argo\_helm\_values) | Value overrides to use when deploying ArgoCD Application object with Helm. Defaults to `""`. | `string` | | [argo\_helm\_wait\_backoff\_limit](#input\_argo\_helm\_wait\_backoff\_limit) | Backoff limit for ArgoCD Application Helm release wait job. Defaults to `6`. | `number` | -| [argo\_helm\_wait\_kubectl\_version](#input\_argo\_helm\_wait\_kubectl\_version) | Version of kubectl to use for ArgoCD Application wait job. Defaults to `1.33.0`. | `string` | +| [argo\_helm\_wait\_kubectl\_version](#input\_argo\_helm\_wait\_kubectl\_version) | Version of kubectl to use for ArgoCD Application wait job. Defaults to `1.33.2`. | `string` | | [argo\_helm\_wait\_node\_selector](#input\_argo\_helm\_wait\_node\_selector) | Node selector for ArgoCD Application Helm release wait job. Defaults to `{}`. | `map(string)` | | [argo\_helm\_wait\_timeout](#input\_argo\_helm\_wait\_timeout) | Timeout for ArgoCD Application Helm release wait job. Defaults to `10m`. | `string` | | [argo\_helm\_wait\_tolerations](#input\_argo\_helm\_wait\_tolerations) | Tolerations for ArgoCD Application Helm release wait job. Defaults to `[]`. | `list(any)` | 
@@ -104,7 +104,7 @@ See [basic example](examples/basic) for further information. | [argo\_sync\_policy](#input\_argo\_sync\_policy) | ArgoCD Application manifest syncPolicy parameter. Defaults to `{}`. | `any` | | [cluster\_identity\_oidc\_issuer](#input\_cluster\_identity\_oidc\_issuer) | The OIDC Identity issuer for the cluster (required for IRSA). Defaults to `""`. | `string` | | [cluster\_identity\_oidc\_issuer\_arn](#input\_cluster\_identity\_oidc\_issuer\_arn) | The OIDC Identity issuer ARN for the cluster that can be used to associate IAM roles with a Service Account (required for IRSA). Defaults to `""`. | `string` | -| [cluster\_name](#input\_cluster\_name) | The name of the cluster (required for pod identity). Defaults to `""`. | `string` | +| [cluster\_name](#input\_cluster\_name) | The name of the cluster (required for Pod Identity). Defaults to `""`. | `string` | | [dex\_server\_irsa\_additional\_policies](#input\_dex\_server\_irsa\_additional\_policies) | Additional IAM policies to attach to the ArgoCD Dex Server IRSA role. | `map(string)` | | [dex\_server\_irsa\_role\_create](#input\_dex\_server\_irsa\_role\_create) | Set to false to prevent the ArgoCD Dex Server IRSA role from being created. | `bool` | | [dex\_server\_irsa\_role\_name](#input\_dex\_server\_irsa\_role\_name) | Name of the ArgoCD Dex Server IRSA role. | `string` | 
@@ -153,6 +153,7 @@ See [basic example](examples/basic) for further information. | [irsa\_permissions\_boundary](#input\_irsa\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the IRSA role. Defaults to `null`. | `string` | | [irsa\_policy](#input\_irsa\_policy) | AWS IAM policy JSON document to be attached to the IRSA role. Applied only if `irsa_policy_enabled` is `true`. Defaults to `""`. | `string` | | [irsa\_policy\_enabled](#input\_irsa\_policy\_enabled) | Whether to create IAM policy specified by `irsa_policy`. Defaults to `false`. | `bool` | +| [irsa\_role\_additional\_trust\_policies](#input\_irsa\_role\_additional\_trust\_policies) | Map of additional trust policy statements to attach to the IRSA role where map key is a statement SID and value is a statement object. Defaults to `{}`. | `map(any)` | | [irsa\_role\_create](#input\_irsa\_role\_create) | Whether to create IRSA role and annotate Service Account. Defaults to `true`. | `bool` | | [irsa\_role\_name](#input\_irsa\_role\_name) | IRSA role name. The value is prefixed by `irsa_role_name_prefix`. Either `irsa_role_name` or `irsa_role_name_prefix` must be set. Defaults to `""`. | `string` | | [irsa\_role\_name\_prefix](#input\_irsa\_role\_name\_prefix) | IRSA role name prefix. Either `irsa_role_name_prefix` or `irsa_role_name` must be set. Defaults to `""`. | `string` | 
@@ -163,11 +164,12 @@ See [basic example](examples/basic) for further information. | [notifications\_controller\_irsa\_role\_name](#input\_notifications\_controller\_irsa\_role\_name) | Name of the ArgoCD Notifications controller IRSA role. | `string` | | [notifications\_controller\_service\_account\_create](#input\_notifications\_controller\_service\_account\_create) | Set to false to prevent the ArgoCD Notifications controller Service Account from being created. | `bool` | | [notifications\_controller\_service\_account\_name](#input\_notifications\_controller\_service\_account\_name) | Name of the ArgoCD Notifications controller Service Account. | `string` | -| [pod\_identity\_additional\_policies](#input\_pod\_identity\_additional\_policies) | Map of the additional policies to be attached to pod identity role. Where key is arbitrary id and value is policy ARN. Defaults to `{}`. | `map(string)` | -| [pod\_identity\_permissions\_boundary](#input\_pod\_identity\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the pod identity role. Defaults to `null`. | `string` | -| [pod\_identity\_policy](#input\_pod\_identity\_policy) | AWS IAM policy JSON document to be attached to the pod identity role. Applied only if `pod_identity_policy_enabled` is `true`. Defaults to `""`. | `string` | +| [pod\_identity\_additional\_policies](#input\_pod\_identity\_additional\_policies) | Map of the additional policies to be attached to Pod Identity role. Where key is arbitrary id and value is policy ARN. Defaults to `{}`. | `map(string)` | +| [pod\_identity\_permissions\_boundary](#input\_pod\_identity\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the Pod Identity role. Defaults to `null`. | `string` | +| [pod\_identity\_policy](#input\_pod\_identity\_policy) | AWS IAM policy JSON document to be attached to the Pod Identity role. Applied only if `pod_identity_policy_enabled` is `true`. 
Defaults to `""`. | `string` | | [pod\_identity\_policy\_enabled](#input\_pod\_identity\_policy\_enabled) | Whether to create IAM policy specified by `pod_identity_policy`. Defaults to `false`. | `bool` | -| [pod\_identity\_role\_create](#input\_pod\_identity\_role\_create) | Whether to create pod identity role and annotate Service Account. Defaults to `false`. | `bool` | +| [pod\_identity\_role\_additional\_trust\_policies](#input\_pod\_identity\_role\_additional\_trust\_policies) | Additional trust policy statements to attach to the Pod Identity role where map key is a statement SID and value is a statement object. Defaults to `{}`. | `map(any)` | +| [pod\_identity\_role\_create](#input\_pod\_identity\_role\_create) | Whether to create Pod Identity role and annotate Service Account. Defaults to `false`. | `bool` | | [pod\_identity\_role\_name](#input\_pod\_identity\_role\_name) | Pod identity role name. The value is prefixed by `pod_identity_role_name_prefix`. Either `pod_identity_role_name` or `pod_identity_role_name_prefix` must be set. Defaults to `""`. | `string` | | [pod\_identity\_role\_name\_prefix](#input\_pod\_identity\_role\_name\_prefix) | Pod identity role name prefix. Either `pod_identity_role_name_prefix` or `pod_identity_role_name` must be set. Defaults to `""`. | `string` | | [pod\_identity\_tags](#input\_pod\_identity\_tags) | Pod identity resources tags. Defaults to `{}`. | `map(string)` | diff --git a/addon-irsa.tf b/addon-irsa.tf index 8d12aba..cadaec7 100644 --- a/addon-irsa.tf +++ b/addon-irsa.tf @@ -2,7 +2,7 @@ module "addon-irsa" { for_each = local.addon_irsa - source = "git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon-irsa?ref=v0.0.22" + source = "git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon-irsa?ref=v0.0.23" enabled = var.enabled 
@@ -19,6 +19,8 @@ module "addon-irsa" { irsa_role_name_prefix = var.irsa_role_name_prefix != null ? var.irsa_role_name_prefix : lookup(each.value, "irsa_role_name_prefix", "${local.addon.name}-irsa") irsa_role_name = var.irsa_role_name != null ? var.irsa_role_name : lookup(each.value, "irsa_role_name", local.addon_name) + irsa_role_additional_trust_policies = var.irsa_role_additional_trust_policies != null ? var.irsa_role_additional_trust_policies : lookup(each.value, "irsa_role_additional_trust_policies", null) + irsa_policy_enabled = var.irsa_policy_enabled != null ? var.irsa_policy_enabled : lookup(each.value, "irsa_policy_enabled", null) irsa_policy = var.irsa_policy != null ? var.irsa_policy : lookup(each.value, "irsa_policy", null) irsa_assume_role_enabled = var.irsa_assume_role_enabled != null ? var.irsa_assume_role_enabled : lookup(each.value, "irsa_assume_role_enabled", null) @@ -38,6 +40,8 @@ module "addon-irsa" { pod_identity_role_name_prefix = var.pod_identity_role_name_prefix != null ? var.pod_identity_role_name_prefix : lookup(each.value, "pod_identity_role_name_prefix", "${local.addon.name}-pi") pod_identity_role_name = var.pod_identity_role_name != null ? var.pod_identity_role_name : lookup(each.value, "pod_identity_role_name", local.addon_name) + pod_identity_role_additional_trust_policies = var.pod_identity_role_additional_trust_policies != null ? var.pod_identity_role_additional_trust_policies : lookup(each.value, "pod_identity_role_additional_trust_policies", null) + pod_identity_policy_enabled = var.pod_identity_policy_enabled != null ? var.pod_identity_policy_enabled : lookup(each.value, "pod_identity_policy_enabled", null) pod_identity_policy = var.pod_identity_policy != null ? var.pod_identity_policy : lookup(each.value, "pod_identity_policy", null) pod_identity_permissions_boundary = var.pod_identity_permissions_boundary != null ? var.pod_identity_permissions_boundary : lookup(each.value, "pod_identity_permissions_boundary", null) 
diff --git a/addon.tf b/addon.tf index 3ac4900..01c99d2 100644 --- a/addon.tf +++ b/addon.tf @@ -11,7 +11,7 @@ locals { } module "addon" { - source = "git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon?ref=v0.0.22" + source = "git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon?ref=v0.0.23" enabled = var.enabled diff --git a/examples/basic/versions.tf b/examples/basic/versions.tf index 4897168..b38be4b 100644 --- a/examples/basic/versions.tf +++ b/examples/basic/versions.tf @@ -1,5 +1,5 @@ terraform { - required_version = ">= 1.5.0" + required_version = "~> 1.5.0" required_providers { aws = { diff --git a/variables-addon-irsa.tf b/variables-addon-irsa.tf index 3f4fdc9..c71afdf 100644 --- a/variables-addon-irsa.tf +++ b/variables-addon-irsa.tf @@ -54,6 +54,12 @@ variable "irsa_role_name" { description = "IRSA role name. The value is prefixed by `irsa_role_name_prefix`. Either `irsa_role_name` or `irsa_role_name_prefix` must be set. Defaults to `\"\"`." } +variable "irsa_role_additional_trust_policies" { + type = map(any) + default = null + description = "Map of additional trust policy statements to attach to the IRSA role where map key is a statement SID and value is a statement object. Defaults to `{}`." +} + variable "irsa_policy_enabled" { type = bool default = null @@ -111,13 +117,13 @@ variable "irsa_assume_role_policy_condition_values" { variable "cluster_name" { type = string default = null - description = "The name of the cluster (required for pod identity). Defaults to `\"\"`." + description = "The name of the cluster (required for Pod Identity). Defaults to `\"\"`." } variable "pod_identity_role_create" { type = bool default = null - description = "Whether to create pod identity role and annotate Service Account. Defaults to `false`." + description = "Whether to create Pod Identity role and annotate Service Account. Defaults to `false`." } variable "pod_identity_role_name_prefix" { 
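Review bot: The new `irsa_role_additional_trust_policies` variable in `variables-addon-irsa.tf` (`@@ -54,6 +54,12 @@`) accepts arbitrary statement objects as `map(any)` with no `validation` block, and `addon-irsa.tf` forwards them to the `addon-irsa` module unchanged. Each entry extends who may assume the role, so an overly broad principal or a missing condition supplied here ends up in the role's trust policy; how the v0.0.23 module renders the statements is not visible in this diff. At minimum I would say so in the description, e.g. append `Every statement widens who can assume the role; restrict principals and add conditions.` The same applies to `pod_identity_role_additional_trust_policies` in `@@ -132,6 +138,12 @@`. As this commit is a template sync, the change probably belongs in the upstream universal-addon repository.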
@@ -132,6 +138,12 @@ variable "pod_identity_role_name" { description = "Pod identity role name. The value is prefixed by `pod_identity_role_name_prefix`. Either `pod_identity_role_name` or `pod_identity_role_name_prefix` must be set. Defaults to `\"\"`." } +variable "pod_identity_role_additional_trust_policies" { + type = map(any) + default = null + description = "Additional trust policy statements to attach to the Pod Identity role where map key is a statement SID and value is a statement object. Defaults to `{}`." +} + variable "pod_identity_policy_enabled" { type = bool default = null @@ -141,19 +153,19 @@ variable "pod_identity_policy_enabled" { variable "pod_identity_policy" { type = string default = null - description = "AWS IAM policy JSON document to be attached to the pod identity role. Applied only if `pod_identity_policy_enabled` is `true`. Defaults to `\"\"`." + description = "AWS IAM policy JSON document to be attached to the Pod Identity role. Applied only if `pod_identity_policy_enabled` is `true`. Defaults to `\"\"`." } variable "pod_identity_permissions_boundary" { type = string default = null - description = "ARN of the policy that is used to set the permissions boundary for the pod identity role. Defaults to `null`." + description = "ARN of the policy that is used to set the permissions boundary for the Pod Identity role. Defaults to `null`." } variable "pod_identity_additional_policies" { type = map(string) default = null - description = "Map of the additional policies to be attached to pod identity role. Where key is arbitrary id and value is policy ARN. Defaults to `{}`." + description = "Map of the additional policies to be attached to Pod Identity role. Where key is arbitrary id and value is policy ARN. Defaults to `{}`." } variable "pod_identity_tags" { diff --git a/variables-addon.tf b/variables-addon.tf index 26786d8..59d03c2 100644 --- a/variables-addon.tf +++ b/variables-addon.tf 
@@ -105,7 +105,7 @@ variable "argo_helm_wait_backoff_limit" { variable "argo_helm_wait_kubectl_version" { type = string default = null - description = "Version of kubectl to use for ArgoCD Application wait job. Defaults to `1.33.0`." + description = "Version of kubectl to use for ArgoCD Application wait job. Defaults to `1.33.2`." } variable "argo_source_type" { diff --git a/versions.tf b/versions.tf index cb5b91f..c6abec7 100644 --- a/versions.tf +++ b/versions.tf @@ -1,6 +1,6 @@ # IMPORTANT: This file is synced with the "terraform-aws-eks-universal-addon" module. Any changes to this file might be overwritten upon the next release of that module. terraform { - required_version = ">= 1.5.0" + required_version = "~> 1.5.0" required_providers { aws = { From 259d753f40e7549bca7758a4cea8c2bf6b486e48 Mon Sep 17 00:00:00 2001 From: "lara-template-sync[bot]" <194776794+lara-template-sync[bot]@users.noreply.github.com> Date: Mon, 7 Jul 2025 20:54:30 +0200 Subject: [PATCH 2/3] feat(sync): sync universal-addon changes (#16) Merge https://github.com/lablabs/terraform-aws-eks-universal-addon 25c4a28 --------- Signed-off-by: jaygridley Co-authored-by: jaygridley Co-authored-by: jaygridley --- README.md | 2 +- examples/basic/versions.tf | 2 +- versions.tf | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 676b2e0..e5c5f6e 100644 --- a/README.md +++ b/README.md @@ -40,7 +40,7 @@ See [basic example](examples/basic) for further information. | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | ~> 1.5.0 | +| [terraform](#requirement\_terraform) | ~> 1.5 | | [aws](#requirement\_aws) | ~> 5 | | [helm](#requirement\_helm) | ~> 2.6 | | [kubernetes](#requirement\_kubernetes) | ~> 2.20 | diff --git a/examples/basic/versions.tf b/examples/basic/versions.tf index b38be4b..ea124b0 100644 --- a/examples/basic/versions.tf +++ b/examples/basic/versions.tf 
@@ -1,5 +1,5 @@ terraform { - required_version = "~> 1.5.0" + required_version = "~> 1.5" required_providers { aws = { diff --git a/versions.tf b/versions.tf index c6abec7..9aa47c3 100644 --- a/versions.tf +++ b/versions.tf @@ -1,6 +1,6 @@ # IMPORTANT: This file is synced with the "terraform-aws-eks-universal-addon" module. Any changes to this file might be overwritten upon the next release of that module. terraform { - required_version = "~> 1.5.0" + required_version = "~> 1.5" required_providers { aws = { From 3cd90e3fa3526a52b5aaf20dec64268f1a18df7d Mon Sep 17 00:00:00 2001 From: "lara-template-sync[bot]" <194776794+lara-template-sync[bot]@users.noreply.github.com> Date: Thu, 31 Jul 2025 11:12:26 +0200 Subject: [PATCH 3/3] feat(sync): sync universal-addon changes (#18) Merge https://github.com/lablabs/terraform-aws-eks-universal-addon 8cf38d3 --------- Signed-off-by: jaygridley Co-authored-by: jaygridley Co-authored-by: jaygridley --- .github/workflows/cache-warmup.yaml | 12 +++++ .github/workflows/pre-commit.yaml | 7 +++ .github/workflows/template-sync.yaml | 2 +- .github/workflows/validate.yaml | 2 +- .pre-commit-config.yaml | 4 +- .terraform-docs.yml | 1 + .terraform.lock.hcl | 8 ++-- .tool-versions | 4 +- README.md | 72 +++++++++++++++------------- addon-irsa.tf | 2 +- addon.tf | 2 +- docs/.addon.md | 14 +++--- docs/.footer.md | 34 ++++++------- docs/.intro.md | 8 ++++ examples/basic/.terraform.lock.hcl | 8 ++-- examples/basic/versions.tf | 8 ++-- variables-addon.tf | 2 +- versions.tf | 10 ++-- 18 files changed, 118 insertions(+), 82 deletions(-) create mode 100644 docs/.intro.md diff --git a/.github/workflows/cache-warmup.yaml b/.github/workflows/cache-warmup.yaml index 81b12a8..6215b8e 100644 --- a/.github/workflows/cache-warmup.yaml +++ b/.github/workflows/cache-warmup.yaml 
@@ -43,3 +43,15 @@ jobs: if: ${{ steps.asdf-cache.outputs.cache-hit != 'true' }} with: asdf_version: ${{ env.ASDF_VERSION }} + + - name: Cache pre-commit + uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 + with: + path: ~/.cache/pre-commit + key: ${{ runner.os }}-pre-commit-${{ hashFiles('.pre-commit-config.yaml') }}-warmup + restore-keys: ${{ runner.os }}-pre-commit- + + - name: Run pre-commit + run: pre-commit install --install-hooks + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # required for GH API calls quota diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml index 5b943af..8035265 100644 --- a/.github/workflows/pre-commit.yaml +++ b/.github/workflows/pre-commit.yaml @@ -55,6 +55,13 @@ jobs: shell: bash run: asdf reshim + - name: Cache pre-commit + uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 + with: + path: ~/.cache/pre-commit + key: ${{ runner.os }}-pre-commit-${{ hashFiles('.pre-commit-config.yaml') }} + restore-keys: ${{ runner.os }}-pre-commit-${{ hashFiles('.pre-commit-config.yaml') }}- + - name: Run pre-commit run: pre-commit run --show-diff-on-failure --color=always --all-files env: diff --git a/.github/workflows/template-sync.yaml b/.github/workflows/template-sync.yaml index 83736f7..4aa77b3 100644 --- a/.github/workflows/template-sync.yaml +++ b/.github/workflows/template-sync.yaml @@ -36,7 +36,7 @@ jobs: persist-credentials: false - name: Sync universal-addon template - uses: AndreasAugustin/actions-template-sync@bcb94410a4f1dffdfe5eaabc8234c3b8e76ebc5b # v2.5.1 + uses: AndreasAugustin/actions-template-sync@8ec19a5f2721ffb81ff809aa340ddf75e6a85ea6 # v2.5.2 with: source_gh_token: ${{ steps.template-sync-app-token.outputs.token }} source_repo_path: lablabs/terraform-aws-eks-universal-addon diff --git a/.github/workflows/validate.yaml b/.github/workflows/validate.yaml index 6062040..bb76f41 100644 --- a/.github/workflows/validate.yaml 
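Review bot: In `.github/workflows/cache-warmup.yaml` (`@@ -43,3 +43,15 @@`), the step named `Run pre-commit` does not run any hooks; it calls `pre-commit install --install-hooks`, which also writes a git hook into the checkout that the job never uses. `pre-commit install-hooks` builds the hook environments only, which is all a cache warm-up needs, and a name such as `Install pre-commit hook environments` would match what the step does. The enclosing `pre-commit` job starts outside this hunk.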
+++ b/.github/workflows/validate.yaml @@ -23,7 +23,7 @@ jobs: - name: Extract Terraform min/max versions id: terraform-min-max - uses: clowdhaus/terraform-min-max@503e88c41953f537fc2b283a310c85e0a2cd585c # v1.4.0 + uses: clowdhaus/terraform-min-max@04440fe3b2a1e64eb5ad115f8f7c57c4d6a54333 # v1.4.1 with: directory: . outputs: diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index c65c956..84badc1 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -13,7 +13,7 @@ repos: - repo: https://github.com/antonbabenko/pre-commit-terraform # renovate: datasource=github-releases depName=antonbabenko/pre-commit-terraform - rev: 2f8bda194a420ad77a050a9de627d77a74841fdc # v1.99.4 # pragma: allowlist secret + rev: c0f51014b8ec51c4455a7dac40697be15e285668 # v1.99.5 # pragma: allowlist secret hooks: - id: terraform_validate - id: terraform_fmt @@ -40,7 +40,7 @@ repos: - repo: https://github.com/antonbabenko/pre-commit-terraform # renovate: datasource=github-releases depName=antonbabenko/pre-commit-terraform - rev: 2f8bda194a420ad77a050a9de627d77a74841fdc # v1.99.4 # pragma: allowlist secret + rev: c0f51014b8ec51c4455a7dac40697be15e285668 # v1.99.5 # pragma: allowlist secret hooks: - id: terraform_docs # should be run after luactl sync args: diff --git a/.terraform-docs.yml b/.terraform-docs.yml index d45d422..1868ba4 100644 --- a/.terraform-docs.yml +++ b/.terraform-docs.yml @@ -4,6 +4,7 @@ header-from: main.tf footer-from: docs/.footer.md content: |- + {{ include "docs/.intro.md" }} {{ .Header }} {{ include "docs/.addon.md" }} {{ .Requirements }} diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl index 835b76c..15b1c75 100644 --- a/.terraform.lock.hcl +++ b/.terraform.lock.hcl @@ -3,7 +3,7 @@ provider "registry.terraform.io/cloudposse/utils" { version = "1.30.0" - constraints = "~> 1.0" + constraints = ">= 1.0.0, ~> 1.0" hashes = [ "h1:KmKu9rXFQIAvaXbwKYLR4QSUm5UBoh0wpftRKkG34Co=", "h1:be9bmaq5PJ1US+WtgVjhdUPU0eiWhQNYAIb81EI+/Dw=", 
@@ -27,7 +27,7 @@ provider "registry.terraform.io/cloudposse/utils" { provider "registry.terraform.io/hashicorp/aws" { version = "5.100.0" - constraints = "~> 5.0" + constraints = ">= 5.0.0, ~> 5.0" hashes = [ "h1:Ijt7pOlB7Tr7maGQIqtsLFbl7pSMIj06TVdkoSBcYOw=", "h1:edXOJWE4ORX8Fm+dpVpICzMZJat4AX0VRCAy/xkcOc0=", @@ -52,7 +52,7 @@ provider "registry.terraform.io/hashicorp/aws" { provider "registry.terraform.io/hashicorp/helm" { version = "2.17.0" - constraints = "~> 2.6" + constraints = ">= 2.6.0, ~> 2.6" hashes = [ "h1:0LSHBFqJvHTzQesUwagpDLsrzVliY+t2c26nDJizHFM=", "h1:K5FEjxvDnxb1JF1kG1xr8J3pNGxoaR3Z0IBG9Csm/Is=", @@ -74,7 +74,7 @@ provider "registry.terraform.io/hashicorp/helm" { provider "registry.terraform.io/hashicorp/kubernetes" { version = "2.37.1" - constraints = "~> 2.20" + constraints = ">= 2.20.0, ~> 2.20" hashes = [ "h1:+37jC6JlkPyPvDHudK3qaj7ZVJ0Zy9zc9+oq8h1WayA=", "h1:qo9Ue/rIEnvxOpiK9qizwRFV7rvb5gCziKVytIcZHyk=", diff --git a/.tool-versions b/.tool-versions index d8745b0..dfe1393 100644 --- a/.tool-versions +++ b/.tool-versions @@ -1,6 +1,6 @@ terraform 1.5.7 terraform-docs 0.20.0 tflint 0.50.3 -checkov 3.2.447 -awscli 2.27.49 +checkov 3.2.457 +awscli 2.27.62 pre-commit 4.2.0 diff --git a/README.md b/README.md index e5c5f6e..12ecb17 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,12 @@ +[](https://lablabs.io/) + +**About us:**
+[Labyrinth Labs](https://lablabs.io/) is a one-stop-shop for **DevOps, Cloud & Kubernetes**! We specialize in creating **powerful**, **scalable** and **cloud-native platforms** tailored to elevate your business. + +[As a team of experienced DevOps engineers](https://lablabs.io/about/), we know how to help our customers start their journey in the cloud, address the issues they have in their current setups and provide a **strategic solution to transform their infrastructure**. + +---- # AWS EKS ArgoCD Terraform module A Terraform module to deploy the https://argo-cd.readthedocs.io/en/stable on Amazon EKS cluster. 
@@ -8,29 +16,27 @@ A Terraform module to deploy the https://argo-cd.readthedocs.io/en/stable on Ama --- -## Related Projects - -Check out other [Terraform Kubernetes addons](https://github.com/orgs/lablabs/repositories?q=terraform-aws-eks&type=public&language=&sort=). - -[](https://lablabs.io/) +## Supported Terraform provider versions -We help companies build, run, deploy and scale software and infrastructure by embracing the right technologies and principles. Check out our website at . +While we are not setting upper bound on the Terraform providers used by the addon we are testing its functionality only against versions specified in the [`.terraform.lock.hcl`](.terraform.lock.hcl) file. ## Deployment methods ### Helm + Deploy Helm chart via Helm resource (default method, set `enabled = true`) ### Argo Kubernetes + Deploy Helm chart as ArgoCD Application via Kubernetes manifest resource (set `enabled = true` and `argo_enabled = true`) -> **Warning** -> +> [!WARNING] > When deploying with ArgoCD application, Kubernetes terraform provider requires access to Kubernetes cluster API during plan time. This introduces potential issue when you want to deploy the cluster with this addon at the same time, during the same Terraform run. > > To overcome this issue, the module deploys the ArgoCD application object using the Helm provider, which does not require API access during plan. If you want to deploy the application using this workaround, you can set the `argo_helm_enabled` variable to `true`. ### Argo Helm + Deploy Helm chart as ArgoCD Application via Helm resource (set `enabled = true`, `argo_enabled = true` and `argo_helm_enabled = true`) ## Examples 
@@ -40,18 +46,18 @@ See [basic example](examples/basic) for further information. | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | ~> 1.5 | -| [aws](#requirement\_aws) | ~> 5 | -| [helm](#requirement\_helm) | ~> 2.6 | -| [kubernetes](#requirement\_kubernetes) | ~> 2.20 | -| [utils](#requirement\_utils) | ~> 1 | +| [terraform](#requirement\_terraform) | >= 1.5 | +| [aws](#requirement\_aws) | >= 5 | +| [helm](#requirement\_helm) | >= 2.6 | +| [kubernetes](#requirement\_kubernetes) | >= 2.20 | +| [utils](#requirement\_utils) | >= 1 | ## Modules | Name | Source | Version | |------|--------|---------| -| [addon](#module\_addon) | git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon | v0.0.23 | -| [addon-irsa](#module\_addon-irsa) | git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon-irsa | v0.0.23 | +| [addon](#module\_addon) | git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon | v0.0.24 | +| [addon-irsa](#module\_addon-irsa) | git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon-irsa | v0.0.24 | ## Resources | Name | Type | 
@@ -81,7 +87,7 @@ See [basic example](examples/basic) for further information. | [argo\_helm\_enabled](#input\_argo\_helm\_enabled) | If set to `true`, the ArgoCD Application manifest will be deployed using Kubernetes provider as a Helm release. Otherwise it'll be deployed as a Kubernetes manifest. See README for more info. Defaults to `false`. | `bool` | | [argo\_helm\_values](#input\_argo\_helm\_values) | Value overrides to use when deploying ArgoCD Application object with Helm. Defaults to `""`. | `string` | | [argo\_helm\_wait\_backoff\_limit](#input\_argo\_helm\_wait\_backoff\_limit) | Backoff limit for ArgoCD Application Helm release wait job. Defaults to `6`. | `number` | -| [argo\_helm\_wait\_kubectl\_version](#input\_argo\_helm\_wait\_kubectl\_version) | Version of kubectl to use for ArgoCD Application wait job. Defaults to `1.33.2`. | `string` | +| [argo\_helm\_wait\_kubectl\_version](#input\_argo\_helm\_wait\_kubectl\_version) | Version of kubectl to use for ArgoCD Application wait job. Defaults to `1.33.3`. | `string` | | [argo\_helm\_wait\_node\_selector](#input\_argo\_helm\_wait\_node\_selector) | Node selector for ArgoCD Application Helm release wait job. Defaults to `{}`. | `map(string)` | | [argo\_helm\_wait\_timeout](#input\_argo\_helm\_wait\_timeout) | Timeout for ArgoCD Application Helm release wait job. Defaults to `10m`. | `string` | | [argo\_helm\_wait\_tolerations](#input\_argo\_helm\_wait\_tolerations) | Tolerations for ArgoCD Application Helm release wait job. Defaults to `[]`. | `list(any)` | 
@@ -218,20 +224,22 @@ details. See [LICENSE](LICENSE) for full details. - Licensed to the Apache Software Foundation (ASF) under one - or more contributor license agreements. See the NOTICE file - distributed with this work for additional information - regarding copyright ownership. The ASF licenses this file - to you under the Apache License, Version 2.0 (the - "License"); you may not use this file except in compliance - with the License. You may obtain a copy of the License at - - https://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, - software distributed under the License is distributed on an - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - KIND, either express or implied. See the License for the - specific language governing permissions and limitations - under the License. +```plan +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + + +Unless required by applicable law or agreed to in writing, +software distributed under the License is distributed on an +"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +KIND, either express or implied. See the License for the +specific language governing permissions and limitations +under the License. +``` diff --git a/addon-irsa.tf b/addon-irsa.tf index cadaec7..1dea7d9 100644 --- a/addon-irsa.tf +++ b/addon-irsa.tf 
@@ -2,7 +2,7 @@ module "addon-irsa" { for_each = local.addon_irsa - source = "git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon-irsa?ref=v0.0.23" + source = "git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon-irsa?ref=v0.0.24" enabled = var.enabled diff --git a/addon.tf b/addon.tf index 01c99d2..a490ea6 100644 --- a/addon.tf +++ b/addon.tf @@ -11,7 +11,7 @@ locals { } module "addon" { - source = "git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon?ref=v0.0.23" + source = "git::https://github.com/lablabs/terraform-aws-eks-universal-addon.git//modules/addon?ref=v0.0.24" enabled = var.enabled diff --git a/docs/.addon.md b/docs/.addon.md index 156c110..478e636 100644 --- a/docs/.addon.md +++ b/docs/.addon.md 
@@ -1,29 +1,27 @@ --- -## Related Projects +## Supported Terraform provider versions -Check out other [Terraform Kubernetes addons](https://github.com/orgs/lablabs/repositories?q=terraform-aws-eks&type=public&language=&sort=). - -[](https://lablabs.io/) - -We help companies build, run, deploy and scale software and infrastructure by embracing the right technologies and principles. Check out our website at . +While we are not setting upper bound on the Terraform providers used by the addon we are testing its functionality only against versions specified in the [`.terraform.lock.hcl`](.terraform.lock.hcl) file. ## Deployment methods ### Helm + Deploy Helm chart via Helm resource (default method, set `enabled = true`) ### Argo Kubernetes + Deploy Helm chart as ArgoCD Application via Kubernetes manifest resource (set `enabled = true` and `argo_enabled = true`) -> **Warning** -> +> [!WARNING] > When deploying with ArgoCD application, Kubernetes terraform provider requires access to Kubernetes cluster API during plan time. This introduces potential issue when you want to deploy the cluster with this addon at the same time, during the same Terraform run. > > To overcome this issue, the module deploys the ArgoCD application object using the Helm provider, which does not require API access during plan. If you want to deploy the application using this workaround, you can set the `argo_helm_enabled` variable to `true`. ### Argo Helm + Deploy Helm chart as ArgoCD Application via Helm resource (set `enabled = true`, `argo_enabled = true` and `argo_helm_enabled = true`) ## Examples diff --git a/docs/.footer.md b/docs/.footer.md index 971db04..cafb431 100644 --- a/docs/.footer.md +++ b/docs/.footer.md 
@@ -19,19 +19,21 @@ details. See [LICENSE](LICENSE) for full details. - Licensed to the Apache Software Foundation (ASF) under one - or more contributor license agreements. See the NOTICE file - distributed with this work for additional information - regarding copyright ownership. The ASF licenses this file - to you under the Apache License, Version 2.0 (the - "License"); you may not use this file except in compliance - with the License. You may obtain a copy of the License at - - https://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, - software distributed under the License is distributed on an - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - KIND, either express or implied. See the License for the - specific language governing permissions and limitations - under the License. +```plan +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + + +Unless required by applicable law or agreed to in writing, +software distributed under the License is distributed on an +"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +KIND, either express or implied. See the License for the +specific language governing permissions and limitations +under the License. +``` diff --git a/docs/.intro.md b/docs/.intro.md new file mode 100644 index 0000000..8107b9f --- /dev/null +++ b/docs/.intro.md @@ -0,0 +1,8 @@ +[](https://lablabs.io/) + +**About us:**
+[Labyrinth Labs](https://lablabs.io/) is a one-stop-shop for **DevOps, Cloud & Kubernetes**! We specialize in creating **powerful**, **scalable** and **cloud-native platforms** tailored to elevate your business. + +[As a team of experienced DevOps engineers](https://lablabs.io/about/), we know how to help our customers start their journey in the cloud, address the issues they have in their current setups and provide a **strategic solution to transform their infrastructure**. + +---- diff --git a/examples/basic/.terraform.lock.hcl b/examples/basic/.terraform.lock.hcl index 9a4f256..b265a45 100644 --- a/examples/basic/.terraform.lock.hcl +++ b/examples/basic/.terraform.lock.hcl @@ -3,7 +3,7 @@ provider "registry.terraform.io/cloudposse/utils" { version = "1.30.0" - constraints = "~> 1.0" + constraints = ">= 1.0.0" hashes = [ "h1:KmKu9rXFQIAvaXbwKYLR4QSUm5UBoh0wpftRKkG34Co=", "h1:be9bmaq5PJ1US+WtgVjhdUPU0eiWhQNYAIb81EI+/Dw=", @@ -27,7 +27,7 @@ provider "registry.terraform.io/cloudposse/utils" { provider "registry.terraform.io/hashicorp/aws" { version = "5.100.0" - constraints = ">= 3.0.0, ~> 5.0, >= 5.8.0, >= 5.74.0, >= 5.79.0" + constraints = ">= 3.0.0, >= 5.0.0, >= 5.8.0, >= 5.74.0, >= 5.79.0" hashes = [ "h1:Ijt7pOlB7Tr7maGQIqtsLFbl7pSMIj06TVdkoSBcYOw=", "h1:edXOJWE4ORX8Fm+dpVpICzMZJat4AX0VRCAy/xkcOc0=", @@ -52,7 +52,7 @@ provider "registry.terraform.io/hashicorp/aws" { provider "registry.terraform.io/hashicorp/helm" { version = "2.17.0" - constraints = "~> 2.6" + constraints = ">= 2.6.0" hashes = [ "h1:0LSHBFqJvHTzQesUwagpDLsrzVliY+t2c26nDJizHFM=", "h1:K5FEjxvDnxb1JF1kG1xr8J3pNGxoaR3Z0IBG9Csm/Is=", @@ -74,7 +74,7 @@ provider "registry.terraform.io/hashicorp/helm" { provider "registry.terraform.io/hashicorp/kubernetes" { version = "2.37.1" - constraints = "~> 2.20" + constraints = ">= 2.20.0" hashes = [ "h1:+37jC6JlkPyPvDHudK3qaj7ZVJ0Zy9zc9+oq8h1WayA=", "h1:qo9Ue/rIEnvxOpiK9qizwRFV7rvb5gCziKVytIcZHyk=", 
diff --git a/examples/basic/versions.tf b/examples/basic/versions.tf index ea124b0..f77a76d 100644 --- a/examples/basic/versions.tf +++ b/examples/basic/versions.tf @@ -1,18 +1,18 @@ terraform { - required_version = "~> 1.5" + required_version = ">= 1.5" required_providers { aws = { source = "hashicorp/aws" - version = "~> 5" + version = ">= 5" } kubernetes = { source = "hashicorp/kubernetes" - version = "~> 2.20" + version = ">= 2.20" } helm = { source = "hashicorp/helm" - version = "~> 2.6" + version = ">= 2.6" } } } diff --git a/variables-addon.tf b/variables-addon.tf index 59d03c2..b14592b 100644 --- a/variables-addon.tf +++ b/variables-addon.tf @@ -105,7 +105,7 @@ variable "argo_helm_wait_backoff_limit" { variable "argo_helm_wait_kubectl_version" { type = string default = null - description = "Version of kubectl to use for ArgoCD Application wait job. Defaults to `1.33.2`." + description = "Version of kubectl to use for ArgoCD Application wait job. Defaults to `1.33.3`." } variable "argo_source_type" { diff --git a/versions.tf b/versions.tf index 9aa47c3..abfd60c 100644 --- a/versions.tf +++ b/versions.tf @@ -1,23 +1,23 @@ # IMPORTANT: This file is synced with the "terraform-aws-eks-universal-addon" module. Any changes to this file might be overwritten upon the next release of that module. terraform { - required_version = "~> 1.5" + required_version = ">= 1.5" required_providers { aws = { source = "hashicorp/aws" - version = "~> 5" + version = ">= 5" } kubernetes = { source = "hashicorp/kubernetes" - version = "~> 2.20" + version = ">= 2.20" } helm = { source = "hashicorp/helm" - version = "~> 2.6" + version = ">= 2.6" } utils = { source = "cloudposse/utils" - version = "~> 1" + version = ">= 1" } } }
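Review bot: Replacing `~>` with `>=` in `required_version` and in every `required_providers` entry of `examples/basic/versions.tf` leaves no ceiling. A consumer without a committed lock file therefore resolves to the newest provider release, including a future major version this module has not been run against. The README hunk in this patch says only the versions in `.terraform.lock.hcl` are tested, but the constraint block itself carries no such note. I would add a comment above `required_providers`, for example `# no upper bound by design; tested only against the versions in .terraform.lock.hcl`. The same applies to the root `versions.tf` hunk that follows, which also covers `cloudposse/utils`; since that file is marked as synced from the universal-addon template, the comment belongs upstream.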