strip cluster bootstraps

2026-04-27 21:34:11 +02:00
parent 0353803d4f
commit 96dde22884
42 changed files with 65 additions and 2338 deletions
--- a/.tofu/platforms/eks/dev/main.tf
+++ b/.tofu/platforms/eks/dev/main.tf
@@ -2,7 +2,7 @@ module "cluster" {
  source = "../modules/cluster"

  region = var.region
-  prefix = "devhub-dev"
+  prefix = "clst-dev"

  # VPC
  availability_zones = ["${var.region}a", "${var.region}b"]
@@ -14,24 +14,6 @@ module "cluster" {
  node_max_count     = 4
  kubernetes_version = "1.30"

-  # RDS — small burstable tier for dev
-  rds_instance_class    = "db.t3.micro"
-  rds_allocated_storage = 20
-  rds_multi_az          = false
-
-  # ElastiCache — small single node for dev
-  redis_node_type          = "cache.t3.micro"
-  redis_num_cache_clusters = 1
-  redis_automatic_failover = false
-
-  # DNS — must match an existing Route53 hosted zone
-  domain = "dev.example.com" # TODO: set to your actual domain
-
-  # Cognito — domain prefix must be globally unique
-  cognito_domain_prefix = "devhub-dev-devhub" # TODO: customize to avoid conflicts
-
-  enable_deletion_protection = false
-
  tags = {
    Environment = "dev"
    ManagedBy   = "tofu"
--- a/.tofu/platforms/eks/dev/outputs.tf
+++ b/.tofu/platforms/eks/dev/outputs.tf
@@ -1,17 +1,5 @@
-output "cluster_name"              { value = module.cluster.cluster_name }
-output "aws_region"                { value = module.cluster.aws_region }
-output "pg_host"                   { value = module.cluster.pg_host }
-output "pg_port"                   { value = module.cluster.pg_port }
-output "pg_admin_login"            { value = module.cluster.pg_admin_login }
-output "pg_admin_password"         { value = module.cluster.pg_admin_password;      sensitive = true }
-output "pg_keycloak_password"      { value = module.cluster.pg_keycloak_password;   sensitive = true }
-output "pg_gitlab_password"        { value = module.cluster.pg_gitlab_password;     sensitive = true }
-output "redis_host"                { value = module.cluster.redis_host }
-output "redis_port"                { value = module.cluster.redis_port }
-output "gitlab_s3_bucket_prefix"   { value = module.cluster.gitlab_s3_bucket_prefix }
-output "gitlab_irsa_role_arn"      { value = module.cluster.gitlab_irsa_role_arn }
-output "cognito_user_pool_id"      { value = module.cluster.cognito_user_pool_id }
-output "cognito_issuer_url"        { value = module.cluster.cognito_issuer_url }
-output "cognito_hosted_ui_domain"  { value = module.cluster.cognito_hosted_ui_domain }
-output "cognito_client_id"         { value = module.cluster.cognito_client_id }
-output "cognito_client_secret"     { value = module.cluster.cognito_client_secret;  sensitive = true }
+output "cluster_name"    { value = module.cluster.cluster_name }
+output "aws_region"      { value = module.cluster.aws_region }
+output "oidc_issuer_url" { value = module.cluster.oidc_issuer_url }
+output "oidc_provider_arn" { value = module.cluster.oidc_provider_arn }
+output "vpc_id"          { value = module.cluster.vpc_id }
--- a/.tofu/platforms/eks/dev/providers.tf
+++ b/.tofu/platforms/eks/dev/providers.tf
@@ -8,15 +8,11 @@ terraform {
      source  = "hashicorp/tls"
      version = "~> 4.0"
    }
-    random = {
-      source  = "hashicorp/random"
-      version = "~> 3.0"
-    }
  }
 }

 # Authentication: set AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN
-# or configure an AWS profile: export AWS_PROFILE=devhub
+# or configure an AWS profile: export AWS_PROFILE=clst
 provider "aws" {
  region = var.region
 }
--- a/.tofu/platforms/eks/modules/cluster/main.tf
+++ b/.tofu/platforms/eks/modules/cluster/main.tf
@@ -29,7 +29,7 @@ resource "aws_subnet" "public" {
  })
 }

-# Private subnets (one per AZ) — for EKS nodes, RDS, ElastiCache
+# Private subnets (one per AZ) — for EKS nodes
 resource "aws_subnet" "private" {
  count             = length(var.availability_zones)
  vpc_id            = aws_vpc.main.id
@@ -91,62 +91,6 @@ resource "aws_route_table_association" "private" {
  route_table_id = aws_route_table.private.id
 }

-# ─── Security Groups ──────────────────────────────────────────────────
-
-resource "aws_security_group" "rds" {
-  name_prefix = "${var.prefix}-rds-"
-  description = "Allow PostgreSQL access from within VPC"
-  vpc_id      = aws_vpc.main.id
-
-  ingress {
-    description = "PostgreSQL from VPC"
-    from_port   = 5432
-    to_port     = 5432
-    protocol    = "tcp"
-    cidr_blocks = [var.vpc_cidr]
-  }
-
-  egress {
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-
-  tags = merge(var.tags, { Name = "${var.prefix}-rds-sg" })
-
-  lifecycle {
-    create_before_destroy = true
-  }
-}
-
-resource "aws_security_group" "redis" {
-  name_prefix = "${var.prefix}-redis-"
-  description = "Allow Redis access from within VPC"
-  vpc_id      = aws_vpc.main.id
-
-  ingress {
-    description = "Redis from VPC"
-    from_port   = 6379
-    to_port     = 6379
-    protocol    = "tcp"
-    cidr_blocks = [var.vpc_cidr]
-  }
-
-  egress {
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-
-  tags = merge(var.tags, { Name = "${var.prefix}-redis-sg" })
-
-  lifecycle {
-    create_before_destroy = true
-  }
-}
-
 # ─── EKS Cluster ──────────────────────────────────────────────────────

 resource "aws_iam_role" "eks_cluster" {
@@ -261,443 +205,3 @@ resource "aws_eks_node_group" "main" {
    aws_iam_role_policy_attachment.eks_ecr_readonly,
  ]
 }
-
-# ─── RDS PostgreSQL ────────────────────────────────────────────────────
-#
-# NOTE: RDS doesn't support Terraform-managed local user creation.
-#       Create users post-provision via psql:
-#       kubectl run pg-init --rm -it --image=postgres:16 -- psql -h <rds_endpoint> -U pgadmin
-
-resource "aws_db_subnet_group" "main" {
-  name_prefix = "${var.prefix}-pg-"
-  subnet_ids  = aws_subnet.private[*].id
-
-  tags = merge(var.tags, { Name = "${var.prefix}-pg-subnet-group" })
-}
-
-resource "random_password" "pg_admin" {
-  length  = 32
-  special = false
-}
-
-resource "random_password" "pg_keycloak" {
-  length  = 32
-  special = false
-}
-
-resource "random_password" "pg_gitlab" {
-  length  = 32
-  special = false
-}
-
-resource "aws_db_instance" "main" {
-  identifier        = "${var.prefix}-postgresql"
-  engine            = "postgres"
-  engine_version    = "16"
-  instance_class    = var.rds_instance_class
-  allocated_storage = var.rds_allocated_storage
-  storage_type      = "gp3"
-  storage_encrypted = true
-
-  db_name  = "postgres"
-  username = "pgadmin"
-  password = random_password.pg_admin.result
-
-  db_subnet_group_name   = aws_db_subnet_group.main.name
-  vpc_security_group_ids = [aws_security_group.rds.id]
-
-  multi_az            = var.rds_multi_az
-  deletion_protection = var.enable_deletion_protection
-  skip_final_snapshot = !var.enable_deletion_protection
-
-  tags = var.tags
-}
-
-# ─── ElastiCache Redis ────────────────────────────────────────────────
-#
-# In-VPC Redis with no TLS/auth — security via security group (VPC-only access).
-# For production, consider enabling transit_encryption_enabled + auth_token.
-
-resource "aws_elasticache_subnet_group" "main" {
-  name_prefix = "${var.prefix}-redis-"
-  subnet_ids  = aws_subnet.private[*].id
-
-  tags = var.tags
-}
-
-resource "aws_elasticache_replication_group" "main" {
-  replication_group_id       = "${var.prefix}-redis"
-  description                = "Redis for DevHub ${var.prefix}"
-  node_type                  = var.redis_node_type
-  num_cache_clusters         = var.redis_num_cache_clusters
-  automatic_failover_enabled = var.redis_automatic_failover
-  engine_version             = "7.0"
-  port                       = 6379
-
-  subnet_group_name  = aws_elasticache_subnet_group.main.name
-  security_group_ids = [aws_security_group.redis.id]
-
-  at_rest_encryption_enabled = true
-
-  tags = var.tags
-}
-
-# ─── S3 Buckets (GitLab Object Storage) ──────────────────────────────
-#
-# GitLab supports S3 natively — no shim needed.
-# IRSA (IAM Role for Service Accounts) provides keyless access.
-# NOTE: S3 bucket names are globally unique. Adjust var.prefix if conflicts arise.
-
-locals {
-  s3_bucket_prefix = "${var.prefix}-gitlab"
-}
-
-resource "aws_s3_bucket" "gitlab_artifacts" {
-  bucket        = "${local.s3_bucket_prefix}-artifacts"
-  force_destroy = true
-  tags          = var.tags
-}
-
-resource "aws_s3_bucket" "gitlab_uploads" {
-  bucket        = "${local.s3_bucket_prefix}-uploads"
-  force_destroy = true
-  tags          = var.tags
-}
-
-resource "aws_s3_bucket" "gitlab_packages" {
-  bucket        = "${local.s3_bucket_prefix}-packages"
-  force_destroy = true
-  tags          = var.tags
-}
-
-resource "aws_s3_bucket" "gitlab_lfs" {
-  bucket        = "${local.s3_bucket_prefix}-lfs"
-  force_destroy = true
-  tags          = var.tags
-}
-
-resource "aws_s3_bucket" "gitlab_registry" {
-  bucket        = "${local.s3_bucket_prefix}-registry"
-  force_destroy = true
-  tags          = var.tags
-}
-
-resource "aws_s3_bucket" "gitlab_backups" {
-  bucket        = "${local.s3_bucket_prefix}-backups"
-  force_destroy = true
-  tags          = var.tags
-}
-
-# Block public access on all GitLab buckets
-resource "aws_s3_bucket_public_access_block" "gitlab_artifacts" {
-  bucket                  = aws_s3_bucket.gitlab_artifacts.id
-  block_public_acls       = true
-  block_public_policy     = true
-  ignore_public_acls      = true
-  restrict_public_buckets = true
-}
-
-resource "aws_s3_bucket_public_access_block" "gitlab_uploads" {
-  bucket                  = aws_s3_bucket.gitlab_uploads.id
-  block_public_acls       = true
-  block_public_policy     = true
-  ignore_public_acls      = true
-  restrict_public_buckets = true
-}
-
-resource "aws_s3_bucket_public_access_block" "gitlab_packages" {
-  bucket                  = aws_s3_bucket.gitlab_packages.id
-  block_public_acls       = true
-  block_public_policy     = true
-  ignore_public_acls      = true
-  restrict_public_buckets = true
-}
-
-resource "aws_s3_bucket_public_access_block" "gitlab_lfs" {
-  bucket                  = aws_s3_bucket.gitlab_lfs.id
-  block_public_acls       = true
-  block_public_policy     = true
-  ignore_public_acls      = true
-  restrict_public_buckets = true
-}
-
-resource "aws_s3_bucket_public_access_block" "gitlab_registry" {
-  bucket                  = aws_s3_bucket.gitlab_registry.id
-  block_public_acls       = true
-  block_public_policy     = true
-  ignore_public_acls      = true
-  restrict_public_buckets = true
-}
-
-resource "aws_s3_bucket_public_access_block" "gitlab_backups" {
-  bucket                  = aws_s3_bucket.gitlab_backups.id
-  block_public_acls       = true
-  block_public_policy     = true
-  ignore_public_acls      = true
-  restrict_public_buckets = true
-}
-
-# Server-side encryption for all buckets
-resource "aws_s3_bucket_server_side_encryption_configuration" "gitlab_artifacts" {
-  bucket = aws_s3_bucket.gitlab_artifacts.id
-  rule { apply_server_side_encryption_by_default { sse_algorithm = "AES256" } }
-}
-
-resource "aws_s3_bucket_server_side_encryption_configuration" "gitlab_uploads" {
-  bucket = aws_s3_bucket.gitlab_uploads.id
-  rule { apply_server_side_encryption_by_default { sse_algorithm = "AES256" } }
-}
-
-resource "aws_s3_bucket_server_side_encryption_configuration" "gitlab_packages" {
-  bucket = aws_s3_bucket.gitlab_packages.id
-  rule { apply_server_side_encryption_by_default { sse_algorithm = "AES256" } }
-}
-
-resource "aws_s3_bucket_server_side_encryption_configuration" "gitlab_lfs" {
-  bucket = aws_s3_bucket.gitlab_lfs.id
-  rule { apply_server_side_encryption_by_default { sse_algorithm = "AES256" } }
-}
-
-resource "aws_s3_bucket_server_side_encryption_configuration" "gitlab_registry" {
-  bucket = aws_s3_bucket.gitlab_registry.id
-  rule { apply_server_side_encryption_by_default { sse_algorithm = "AES256" } }
-}
-
-resource "aws_s3_bucket_server_side_encryption_configuration" "gitlab_backups" {
-  bucket = aws_s3_bucket.gitlab_backups.id
-  rule { apply_server_side_encryption_by_default { sse_algorithm = "AES256" } }
-}
-
-# ─── Cognito User Pool (IdP for Keycloak) ────────────────────────────
-#
-# Keycloak federates with Cognito — users authenticate via "Sign in with AWS"
-# through Keycloak, which remains the single OIDC issuer for all services.
-#
-# Three Cognito groups map to Keycloak groups via setup-keycloak.sh IdP mappers.
-# The token's `cognito:groups` claim is an array — assign users to Cognito groups
-# in the AWS console or via `aws cognito-idp admin-add-user-to-group`.
-#
-# NOTE: var.cognito_domain_prefix must be globally unique across ALL AWS accounts.
-
-resource "aws_cognito_user_pool" "main" {
-  name = "${var.prefix}-devhub"
-
-  username_attributes      = ["email"]
-  auto_verified_attributes = ["email"]
-
-  admin_create_user_config {
-    allow_admin_create_user_only = true # admins create users; disable for self-signup
-  }
-
-  password_policy {
-    minimum_length                   = 12
-    require_lowercase                = true
-    require_numbers                  = true
-    require_symbols                  = false
-    require_uppercase                = true
-    temporary_password_validity_days = 7
-  }
-
-  schema {
-    attribute_data_type = "String"
-    name                = "email"
-    required            = true
-    mutable             = true
-    string_attribute_constraints {
-      min_length = 5
-      max_length = 254
-    }
-  }
-
-  tags = var.tags
-}
-
-resource "aws_cognito_user_pool_client" "keycloak_idp" {
-  name         = "${var.prefix}-keycloak-idp"
-  user_pool_id = aws_cognito_user_pool.main.id
-
-  generate_secret                      = true
-  prevent_user_existence_errors        = "ENABLED"
-  allowed_oauth_flows_user_pool_client = true
-  allowed_oauth_flows                  = ["code"]
-  allowed_oauth_scopes                 = ["openid", "email", "profile"]
-  supported_identity_providers         = ["COGNITO"]
-
-  # Placeholder redirect URI — updated by setup-keycloak.sh via AWS CLI
-  callback_urls = ["https://placeholder.invalid/realms/devops/broker/aws-cognito/endpoint"]
-
-  refresh_token_validity = 30
-  access_token_validity  = 60
-  id_token_validity      = 60
-
-  token_validity_units {
-    refresh_token = "days"
-    access_token  = "minutes"
-    id_token      = "minutes"
-  }
-}
-
-resource "aws_cognito_user_pool_domain" "main" {
-  # Must be globally unique. Customize var.cognito_domain_prefix to avoid conflicts.
-  domain       = var.cognito_domain_prefix
-  user_pool_id = aws_cognito_user_pool.main.id
-}
-
-# Cognito groups — assign users to these groups to grant platform access.
-# The token's `cognito:groups` claim maps to Keycloak groups via IdP mappers.
-resource "aws_cognito_user_group" "devops_admins" {
-  name         = "devops-admins"
-  user_pool_id = aws_cognito_user_pool.main.id
-  description  = "Full access to DevOps platform administration"
-}
-
-resource "aws_cognito_user_group" "developers" {
-  name         = "developers"
-  user_pool_id = aws_cognito_user_pool.main.id
-  description  = "Developer access to DevOps platform services"
-}
-
-resource "aws_cognito_user_group" "viewers" {
-  name         = "viewers"
-  user_pool_id = aws_cognito_user_pool.main.id
-  description  = "Read-only access to DevOps platform services"
-}
-
-# ─── IRSA for GitLab ─────────────────────────────────────────────────
-#
-# Allows GitLab pods (webservice, sidekiq) to access S3 without explicit
-# AWS credentials. The K8s service account "gitlab" in the "gitlab" namespace
-# exchanges its projected OIDC token for temporary AWS credentials.
-
-data "aws_iam_policy_document" "gitlab_assume_role" {
-  statement {
-    effect = "Allow"
-
-    principals {
-      type        = "Federated"
-      identifiers = [aws_iam_openid_connect_provider.eks.arn]
-    }
-
-    actions = ["sts:AssumeRoleWithWebIdentity"]
-
-    condition {
-      test     = "StringEquals"
-      variable = "${replace(aws_iam_openid_connect_provider.eks.url, "https://", "")}:sub"
-      values   = ["system:serviceaccount:gitlab:gitlab"]
-    }
-
-    condition {
-      test     = "StringEquals"
-      variable = "${replace(aws_iam_openid_connect_provider.eks.url, "https://", "")}:aud"
-      values   = ["sts.amazonaws.com"]
-    }
-  }
-}
-
-resource "aws_iam_role" "gitlab_irsa" {
-  name_prefix        = "${var.prefix}-gitlab-irsa-"
-  assume_role_policy = data.aws_iam_policy_document.gitlab_assume_role.json
-
-  tags = var.tags
-}
-
-data "aws_iam_policy_document" "gitlab_s3" {
-  statement {
-    effect = "Allow"
-    actions = [
-      "s3:GetObject",
-      "s3:PutObject",
-      "s3:DeleteObject",
-      "s3:ListMultipartUploadParts",
-      "s3:AbortMultipartUpload",
-    ]
-    resources = [
-      "${aws_s3_bucket.gitlab_artifacts.arn}/*",
-      "${aws_s3_bucket.gitlab_uploads.arn}/*",
-      "${aws_s3_bucket.gitlab_packages.arn}/*",
-      "${aws_s3_bucket.gitlab_lfs.arn}/*",
-      "${aws_s3_bucket.gitlab_registry.arn}/*",
-      "${aws_s3_bucket.gitlab_backups.arn}/*",
-    ]
-  }
-
-  statement {
-    effect    = "Allow"
-    actions   = ["s3:ListBucket"]
-    resources = [
-      aws_s3_bucket.gitlab_artifacts.arn,
-      aws_s3_bucket.gitlab_uploads.arn,
-      aws_s3_bucket.gitlab_packages.arn,
-      aws_s3_bucket.gitlab_lfs.arn,
-      aws_s3_bucket.gitlab_registry.arn,
-      aws_s3_bucket.gitlab_backups.arn,
-    ]
-  }
-}
-
-resource "aws_iam_role_policy" "gitlab_s3" {
-  name_prefix = "${var.prefix}-gitlab-s3-"
-  role        = aws_iam_role.gitlab_irsa.id
-  policy      = data.aws_iam_policy_document.gitlab_s3.json
-}
-
-# ─── External-DNS IRSA ───────────────────────────────────────────────
-# Allows external-dns to manage Route53 records for the cluster's domain.
-# The K8s service account "external-dns/external-dns" assumes this role via IRSA.
-
-data "aws_route53_zone" "main" {
-  name         = var.domain
-  private_zone = false
-}
-
-data "aws_iam_policy_document" "external_dns_assume_role" {
-  statement {
-    effect = "Allow"
-
-    principals {
-      type        = "Federated"
-      identifiers = [aws_iam_openid_connect_provider.eks.arn]
-    }
-
-    actions = ["sts:AssumeRoleWithWebIdentity"]
-
-    condition {
-      test     = "StringEquals"
-      variable = "${replace(aws_iam_openid_connect_provider.eks.url, "https://", "")}:sub"
-      values   = ["system:serviceaccount:external-dns:external-dns"]
-    }
-
-    condition {
-      test     = "StringEquals"
-      variable = "${replace(aws_iam_openid_connect_provider.eks.url, "https://", "")}:aud"
-      values   = ["sts.amazonaws.com"]
-    }
-  }
-}
-
-resource "aws_iam_role" "external_dns_irsa" {
-  name_prefix        = "${var.prefix}-external-dns-irsa-"
-  assume_role_policy = data.aws_iam_policy_document.external_dns_assume_role.json
-
-  tags = var.tags
-}
-
-data "aws_iam_policy_document" "external_dns_route53" {
-  statement {
-    effect    = "Allow"
-    actions   = ["route53:ChangeResourceRecordSets"]
-    resources = ["arn:aws:route53:::hostedzone/${data.aws_route53_zone.main.zone_id}"]
-  }
-
-  statement {
-    effect  = "Allow"
-    actions = ["route53:ListHostedZones", "route53:ListResourceRecordSets", "route53:ListTagsForResource"]
-    resources = ["*"]
-  }
-}
-
-resource "aws_iam_role_policy" "external_dns_route53" {
-  name_prefix = "${var.prefix}-external-dns-route53-"
-  role        = aws_iam_role.external_dns_irsa.id
-  policy      = data.aws_iam_policy_document.external_dns_route53.json
-}
--- a/.tofu/platforms/eks/modules/cluster/outputs.tf
+++ b/.tofu/platforms/eks/modules/cluster/outputs.tf
@@ -10,101 +10,17 @@ output "aws_region" {
  value       = var.region
 }

-# ─── PostgreSQL ───────────────────────────────────────────────────────
-
-output "pg_host" {
-  description = "RDS PostgreSQL endpoint (private, reachable from EKS)"
-  value       = aws_db_instance.main.address
+output "oidc_issuer_url" {
+  description = "EKS OIDC issuer URL (for IRSA)"
+  value       = aws_eks_cluster.main.identity[0].oidc[0].issuer
 }

-output "pg_port" {
-  description = "PostgreSQL port"
-  value       = aws_db_instance.main.port
+output "oidc_provider_arn" {
+  description = "IAM OIDC provider ARN (for IRSA trust policies)"
+  value       = aws_iam_openid_connect_provider.eks.arn
 }

-output "pg_admin_login" {
-  description = "RDS administrator login"
-  value       = aws_db_instance.main.username
-}
-
-output "pg_admin_password" {
-  description = "RDS administrator password"
-  value       = random_password.pg_admin.result
-  sensitive   = true
-}
-
-output "pg_keycloak_password" {
-  description = "Pre-generated password for keycloak DB user — create user post-provision"
-  value       = random_password.pg_keycloak.result
-  sensitive   = true
-}
-
-output "pg_gitlab_password" {
-  description = "Pre-generated password for gitlab DB user — create user post-provision"
-  value       = random_password.pg_gitlab.result
-  sensitive   = true
-}
-
-# ─── Redis ────────────────────────────────────────────────────────────
-
-output "redis_host" {
-  description = "ElastiCache Redis primary endpoint"
-  value       = aws_elasticache_replication_group.main.primary_endpoint_address
-}
-
-output "redis_port" {
-  description = "ElastiCache Redis port"
-  value       = aws_elasticache_replication_group.main.port
-}
-
-# ─── S3 ──────────────────────────────────────────────────────────────
-
-output "gitlab_s3_bucket_prefix" {
-  description = "S3 bucket name prefix — buckets are {prefix}-artifacts, {prefix}-uploads, etc."
-  value       = local.s3_bucket_prefix
-}
-
-output "aws_region_output" {
-  description = "AWS region (for S3 connection config)"
-  value       = var.region
-}
-
-# ─── IRSA ────────────────────────────────────────────────────────────
-
-output "gitlab_irsa_role_arn" {
-  description = "IAM Role ARN for GitLab IRSA — annotate the K8s service account with this value"
-  value       = aws_iam_role.gitlab_irsa.arn
-}
-
-output "external_dns_irsa_role_arn" {
-  description = "IAM Role ARN for external-dns IRSA — written to config.yaml by sync-tofu-outputs.sh"
-  value       = aws_iam_role.external_dns_irsa.arn
-}
-
-# ─── Cognito ─────────────────────────────────────────────────────────
-
-output "cognito_user_pool_id" {
-  description = "Cognito User Pool ID"
-  value       = aws_cognito_user_pool.main.id
-}
-
-output "cognito_issuer_url" {
-  description = "Cognito OIDC issuer URL — used in Keycloak IdP config"
-  value       = "https://cognito-idp.${var.region}.amazonaws.com/${aws_cognito_user_pool.main.id}"
-}
-
-output "cognito_hosted_ui_domain" {
-  description = "Cognito hosted UI domain (for auth/token endpoints)"
-  value       = "${aws_cognito_user_pool_domain.main.domain}.auth.${var.region}.amazoncognito.com"
-}
-
-output "cognito_client_id" {
-  description = "Cognito app client ID for the Keycloak IdP"
-  value       = aws_cognito_user_pool_client.keycloak_idp.id
-}
-
-output "cognito_client_secret" {
-  description = "Cognito app client secret for the Keycloak IdP"
-  value       = aws_cognito_user_pool_client.keycloak_idp.client_secret
-  sensitive   = true
+output "vpc_id" {
+  description = "VPC ID"
+  value       = aws_vpc.main.id
 }
--- a/.tofu/platforms/eks/modules/cluster/providers.tf
+++ b/.tofu/platforms/eks/modules/cluster/providers.tf
@@ -8,9 +8,5 @@ terraform {
      source  = "hashicorp/tls"
      version = "~> 4.0"
    }
-    random = {
-      source  = "hashicorp/random"
-      version = "~> 3.0"
-    }
  }
 }
--- a/.tofu/platforms/eks/modules/cluster/variables.tf
+++ b/.tofu/platforms/eks/modules/cluster/variables.tf
@@ -6,7 +6,7 @@ variable "region" {
 }

 variable "prefix" {
-  description = "Prefix for resource names (e.g., devhub-dev)"
+  description = "Prefix for resource names (e.g., clst-dev)"
  type        = string
 }

@@ -52,64 +52,6 @@ variable "kubernetes_version" {
  default     = "1.30"
 }

-variable "enable_deletion_protection" {
-  description = "Enable deletion protection on stateful resources (RDS)"
-  type        = bool
-  default     = false
-}
-
-# ─── RDS (PostgreSQL) ────────────────────────────────────────────────
-
-variable "rds_instance_class" {
-  description = "RDS instance class (e.g., db.t3.micro, db.r5.large)"
-  type        = string
-}
-
-variable "rds_allocated_storage" {
-  description = "RDS allocated storage in GB"
-  type        = number
-  default     = 20
-}
-
-variable "rds_multi_az" {
-  description = "Enable RDS Multi-AZ deployment"
-  type        = bool
-  default     = false
-}
-
-# ─── ElastiCache (Redis) ──────────────────────────────────────────────
-
-variable "redis_node_type" {
-  description = "ElastiCache node type (e.g., cache.t3.micro, cache.r5.large)"
-  type        = string
-}
-
-variable "redis_num_cache_clusters" {
-  description = "Number of Redis cache clusters (1 = single, 2 = primary+replica)"
-  type        = number
-  default     = 1
-}
-
-variable "redis_automatic_failover" {
-  description = "Enable automatic Redis failover (requires num_cache_clusters >= 2)"
-  type        = bool
-  default     = false
-}
-
-# ─── DNS ─────────────────────────────────────────────────────────────
-
-variable "domain" {
-  description = "Public domain name for the cluster (e.g., dev.example.com) — must have an existing Route53 hosted zone"
-  type        = string
-}
-
-# ─── Cognito (IdP for Keycloak) ───────────────────────────────────────
-
-variable "cognito_domain_prefix" {
-  description = "Cognito hosted UI domain prefix — must be globally unique across all AWS accounts"
-  type        = string
-}
-
 # ─── Tags ─────────────────────────────────────────────────────────────

 variable "tags" {
--- a/.tofu/platforms/eks/prod/main.tf
+++ b/.tofu/platforms/eks/prod/main.tf
@@ -2,7 +2,7 @@ module "cluster" {
  source = "../modules/cluster"

  region = var.region
-  prefix = "devhub"
+  prefix = "clst"

  # VPC
  availability_zones = ["${var.region}a", "${var.region}b", "${var.region}c"]
@@ -14,24 +14,6 @@ module "cluster" {
  node_max_count     = 6
  kubernetes_version = "1.30"

-  # RDS — larger instance with Multi-AZ for production
-  rds_instance_class    = "db.r5.large"
-  rds_allocated_storage = 100
-  rds_multi_az          = true
-
-  # ElastiCache — larger instance with replica for production
-  redis_node_type          = "cache.r5.large"
-  redis_num_cache_clusters = 2
-  redis_automatic_failover = true
-
-  # DNS — must match an existing Route53 hosted zone
-  domain = "example.com" # TODO: set to your actual domain
-
-  # Cognito — domain prefix must be globally unique
-  cognito_domain_prefix = "devhub-prod-devhub" # TODO: customize to avoid conflicts
-
-  enable_deletion_protection = true
-
  tags = {
    Environment = "prod"
    ManagedBy   = "tofu"
--- a/.tofu/platforms/eks/prod/outputs.tf
+++ b/.tofu/platforms/eks/prod/outputs.tf
@@ -1,17 +1,5 @@
-output "cluster_name"              { value = module.cluster.cluster_name }
-output "aws_region"                { value = module.cluster.aws_region }
-output "pg_host"                   { value = module.cluster.pg_host }
-output "pg_port"                   { value = module.cluster.pg_port }
-output "pg_admin_login"            { value = module.cluster.pg_admin_login }
-output "pg_admin_password"         { value = module.cluster.pg_admin_password;      sensitive = true }
-output "pg_keycloak_password"      { value = module.cluster.pg_keycloak_password;   sensitive = true }
-output "pg_gitlab_password"        { value = module.cluster.pg_gitlab_password;     sensitive = true }
-output "redis_host"                { value = module.cluster.redis_host }
-output "redis_port"                { value = module.cluster.redis_port }
-output "gitlab_s3_bucket_prefix"   { value = module.cluster.gitlab_s3_bucket_prefix }
-output "gitlab_irsa_role_arn"      { value = module.cluster.gitlab_irsa_role_arn }
-output "cognito_user_pool_id"      { value = module.cluster.cognito_user_pool_id }
-output "cognito_issuer_url"        { value = module.cluster.cognito_issuer_url }
-output "cognito_hosted_ui_domain"  { value = module.cluster.cognito_hosted_ui_domain }
-output "cognito_client_id"         { value = module.cluster.cognito_client_id }
-output "cognito_client_secret"     { value = module.cluster.cognito_client_secret;  sensitive = true }
+output "cluster_name"    { value = module.cluster.cluster_name }
+output "aws_region"      { value = module.cluster.aws_region }
+output "oidc_issuer_url" { value = module.cluster.oidc_issuer_url }
+output "oidc_provider_arn" { value = module.cluster.oidc_provider_arn }
+output "vpc_id"          { value = module.cluster.vpc_id }
--- a/.tofu/platforms/eks/prod/providers.tf
+++ b/.tofu/platforms/eks/prod/providers.tf
@@ -8,10 +8,6 @@ terraform {
      source  = "hashicorp/tls"
      version = "~> 4.0"
    }
-    random = {
-      source  = "hashicorp/random"
-      version = "~> 3.0"
-    }
  }
 }

--- a/.tofu/platforms/eks/workload/main.tf
+++ b/.tofu/platforms/eks/workload/main.tf
@@ -15,9 +15,9 @@
 # =============================================================================

 variable "prefix" {
-  description = "Prefix for resource names (e.g., devhub-workload)"
+  description = "Prefix for resource names (e.g., clst-workload)"
  type        = string
-  default     = "devhub-workload"
+  default     = "clst-workload"
 }

 variable "availability_zones" {
--- a/.tofu/platforms/eks/workload/providers.tf
+++ b/.tofu/platforms/eks/workload/providers.tf
@@ -12,7 +12,7 @@ terraform {
 }

 # Authentication: set AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN
-# or configure an AWS profile: export AWS_PROFILE=devhub
+# or configure an AWS profile: export AWS_PROFILE=clst
 provider "aws" {
  region = var.region
 }