Forte/launchpad
6
0
Fork 0
Code Issues Pull Requests Actions Packages Wiki Activity

feature/tofu #15

Merged
danijel.simeunovic merged 6 commits from feature/tofu into main 2026-05-29 15:48:29 +00:00
Conversation 74 Commits 6 Files Changed 63 +2546 -9
63 changed files with 2546 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
.gitignore vendored
View File

@@ -16,3 +16,11 @@ devbox.d/
devbox.lock devbox.lock
.devbox/ .devbox/
bash.exe.stackdump bash.exe.stackdump
Ghost marked this conversation as resolved
gitea_admin commented 2026-04-28 06:52:06 +00:00
Review
Copy Link

Empty line with trailing space should be cleaned up.

#ai-review-inline

Empty line with trailing space should be cleaned up. #ai-review-inline
# OpenTofu
.tofu/configs/*.env
.tofu/scripts/*.config
.tofu/platforms/**/.terraform/
.tofu/platforms/**/terraform.tfstate*
.tofu/platforms/**/tfplan
.tofu/platforms/**/.terraform.lock.hcl

9
.tofu/configs/aks.env.example Normal file
View File

@@ -0,0 +1,9 @@
# Azure AKS credentials — copy to aks.env and fill in values
# NEVER commit aks.env to git!
# Required
AZURE_TENANT_ID=your-azure-tenant-id
Ghost marked this conversation as resolved
gitea_admin commented 2026-04-28 06:52:07 +00:00
Review
Copy Link

Example file contains placeholder values that could be mistaken for real credentials.

AZURE_TENANT_ID=00000000-0000-0000-0000-000000000000

#ai-review-inline

Example file contains placeholder values that could be mistaken for real credentials. ```suggestion AZURE_TENANT_ID=00000000-0000-0000-0000-000000000000 ``` #ai-review-inline
AZURE_SUBSCRIPTION_ID=your-azure-subscription-id
Ghost marked this conversation as resolved
gitea_admin commented 2026-04-28 06:52:06 +00:00
Review
Copy Link

Example file contains placeholder values that could be mistaken for real credentials.

AZURE_SUBSCRIPTION_ID=00000000-0000-0000-0000-000000000000

#ai-review-inline

Example file contains placeholder values that could be mistaken for real credentials. ```suggestion AZURE_SUBSCRIPTION_ID=00000000-0000-0000-0000-000000000000 ``` #ai-review-inline
# Optional — defaults to cluster name if not set
ARM_RESOURCE_GROUP=

10
.tofu/configs/eks.env.example Normal file
View File

@@ -0,0 +1,10 @@
# AWS EKS credentials — copy to eks.env and fill in values
# NEVER commit eks.env to git!
# Required — AWS CLI profile or access key
AWS_PROFILE=default
AWS_REGION=eu-west-1
# Optional — override with explicit keys instead of profile
# AWS_ACCESS_KEY_ID=
# AWS_SECRET_ACCESS_KEY=

9
.tofu/configs/gke.env.example Normal file
View File

@@ -0,0 +1,9 @@
# GCP GKE credentials — copy to gke.env and fill in values
# NEVER commit gke.env to git!
Ghost marked this conversation as resolved
gitea_admin commented 2026-04-28 06:52:07 +00:00
Review
Copy Link

Remove empty line with trailing comment marker to clean up the example file format.

#ai-review-inline

Remove empty line with trailing comment marker to clean up the example file format. #ai-review-inline
# Required
GCP_PROJECT_ID=your-gcp-project-id
GCP_REGION=europe-west4
Ghost marked this conversation as resolved
gitea_admin commented 2026-04-28 06:52:07 +00:00
Review
Copy Link

Remove empty line with trailing comment marker to clean up the example file format.

#ai-review-inline

Remove empty line with trailing comment marker to clean up the example file format. #ai-review-inline
# Optional — path to service account JSON key (if not using gcloud auth)
# GOOGLE_APPLICATION_CREDENTIALS=/path/to/sa-key.json

8
.tofu/configs/upc.env.example Normal file
View File

@@ -0,0 +1,8 @@
# UpCloud credentials — copy to upc.env and fill in values
# NEVER commit upc.env to git!
# Required
UPCLOUD_TOKEN=your-upcloud-api-token
Ghost marked this conversation as resolved
gitea_admin commented 2026-04-28 06:52:07 +00:00
Review
Copy Link

Example credential files should use placeholder values that cannot be mistaken for real tokens.

UPCLOUD_TOKEN=upcloud-api-token-here

#ai-review-inline

Example credential files should use placeholder values that cannot be mistaken for real tokens. ```suggestion UPCLOUD_TOKEN=upcloud-api-token-here ``` #ai-review-inline
# Optional — set after cluster creation for kubeconfig retrieval
UPCLOUD_CLUSTER_ID=

18
.tofu/platforms/aks/dev/main.tf Normal file
View File

@@ -0,0 +1,18 @@
module "cluster" {
source = "../modules/cluster"
prefix = "clst-dev"
location = "norwayeast"
resource_group_name = "clst-dev-rg"
# AKS — small dev nodes
aks_node_vm_size = "Standard_B2s"
gitea_admin commented 2026-04-28 06:52:07 +00:00
Review
Copy Link

Standard_B2s is a burstable instance type which may not provide consistent performance for AKS workloads.

aks_node_vm_size = "Standard_D2s_v3"

#ai-review-inline

Standard_B2s is a burstable instance type which may not provide consistent performance for AKS workloads. ```suggestion aks_node_vm_size = "Standard_D2s_v3" ``` #ai-review-inline
aks_node_count = 2
Ghost marked this conversation as resolved
gitea_admin commented 2026-04-28 06:52:07 +00:00
Review
Copy Link

Two nodes provides no redundancy; consider at least 3 nodes for high availability.

aks_node_count   = 3

#ai-review-inline

Two nodes provides no redundancy; consider at least 3 nodes for high availability. ```suggestion aks_node_count = 3 ``` #ai-review-inline
enable_delete_lock = false
tags = {
Environment = "dev"
ManagedBy = "tofu"
}
}

26
.tofu/platforms/aks/dev/outputs.tf Normal file
View File

@@ -0,0 +1,26 @@
# ─── Cluster ─────────────────────────────────────────────────────────
output "cluster_name" {
value = module.cluster.cluster_name
}
output "resource_group_name" {
value = module.cluster.resource_group_name
}
output "kubernetes_version" {
value = module.cluster.kubernetes_version
}
output "location" {
value = module.cluster.location
}
output "oidc_issuer_url" {
value = module.cluster.oidc_issuer_url
}
output "kubeconfig" {
value = module.cluster.kubeconfig
Ghost marked this conversation as resolved
gitea_admin commented 2026-04-28 06:52:06 +00:00
Review
Copy Link

Kubeconfig should not be exposed as a Terraform output as it contains sensitive cluster credentials that could be logged or stored insecurely.

#ai-review-inline

Kubeconfig should not be exposed as a Terraform output as it contains sensitive cluster credentials that could be logged or stored insecurely. #ai-review-inline
sensitive = true
}

17
.tofu/platforms/aks/dev/providers.tf Normal file
View File

@@ -0,0 +1,17 @@
terraform {
required_version = ">= 1.0"
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "~> 4.0"
}
}
}
provider "azurerm" {
features {}
# Credentials via environment variables:
# ARM_SUBSCRIPTION_ID, ARM_TENANT_ID, ARM_CLIENT_ID, ARM_CLIENT_SECRET
# Or: az login (uses your Azure CLI session)
}

72
.tofu/platforms/aks/modules/cluster/main.tf Normal file
View File

@@ -0,0 +1,72 @@
# Current Azure/Entra ID context — provides tenant_id used in outputs
data "azurerm_client_config" "current" {}
# ─── Resource Group ───────────────────────────────────────────────────
resource "azurerm_resource_group" "main" {
name = var.resource_group_name
location = var.location
tags = var.tags
}
resource "azurerm_management_lock" "main" {
count = var.enable_delete_lock ? 1 : 0
name = "${var.prefix}-delete-lock"
scope = azurerm_resource_group.main.id
lock_level = "CanNotDelete"
notes = "Prevents accidental deletion of production resources"
}
# ─── Networking ───────────────────────────────────────────────────────
resource "azurerm_virtual_network" "main" {
name = "${var.prefix}-vnet"
resource_group_name = azurerm_resource_group.main.name
location = azurerm_resource_group.main.location
address_space = [var.vnet_address_space]
tags = var.tags
}
# AKS nodes subnet
resource "azurerm_subnet" "aks" {
name = "${var.prefix}-aks-subnet"
resource_group_name = azurerm_resource_group.main.name
virtual_network_name = azurerm_virtual_network.main.name
address_prefixes = [var.aks_subnet_cidr]
}
# ─── AKS Cluster ──────────────────────────────────────────────────────
resource "azurerm_kubernetes_cluster" "main" {
gitea_admin commented 2026-04-28 06:52:13 +00:00
Review
Copy Link

AKS cluster lacks essential security configurations like private cluster mode and authorized IP ranges.

#ai-review-inline

AKS cluster lacks essential security configurations like private cluster mode and authorized IP ranges. #ai-review-inline
name = "${var.prefix}-aks"
resource_group_name = azurerm_resource_group.main.name
location = azurerm_resource_group.main.location
dns_prefix = replace(var.prefix, "-", "")
kubernetes_version = var.aks_kubernetes_version
tags = var.tags
default_node_pool {
gitea_admin commented 2026-04-28 06:52:13 +00:00
Review
Copy Link

Default node pool lacks resource limits (max_count) and auto-scaling, which can lead to unbounded resource consumption.

  default_node_pool {
    name            = "system"
    node_count      = var.aks_node_count
    min_count       = var.aks_node_count
    max_count       = var.aks_node_count * 3
    enable_auto_scaling = true
    vm_size         = var.aks_node_vm_size
    vnet_subnet_id  = azurerm_subnet.aks.id
    node_labels = {
      prefix = var.prefix
      role   = "worker"
      env    = lookup(var.tags, "Environment", "dev")
    }
  }

#ai-review-inline

Default node pool lacks resource limits (max_count) and auto-scaling, which can lead to unbounded resource consumption. ```suggestion default_node_pool { name = "system" node_count = var.aks_node_count min_count = var.aks_node_count max_count = var.aks_node_count * 3 enable_auto_scaling = true vm_size = var.aks_node_vm_size vnet_subnet_id = azurerm_subnet.aks.id node_labels = { prefix = var.prefix role = "worker" env = lookup(var.tags, "Environment", "dev") } } ``` #ai-review-inline
name = "system"
node_count = var.aks_node_count
vm_size = var.aks_node_vm_size
vnet_subnet_id = azurerm_subnet.aks.id
node_labels = {
prefix = var.prefix
role = "worker"
env = lookup(var.tags, "Environment", "dev")
}
}
identity {
type = "SystemAssigned"
}
network_profile {
gitea_admin commented 2026-04-28 06:52:13 +00:00
Review
Copy Link

Network profile is missing pod_cidr and service_cidr configuration, which may cause IP allocation conflicts.

  network_profile {
    network_plugin    = "azure"
    network_policy    = "azure"
    service_cidr      = "10.0.0.0/16"
    dns_service_ip    = "10.0.0.10"
  }

#ai-review-inline

Network profile is missing pod_cidr and service_cidr configuration, which may cause IP allocation conflicts. ```suggestion network_profile { network_plugin = "azure" network_policy = "azure" service_cidr = "10.0.0.0/16" dns_service_ip = "10.0.0.10" } ``` #ai-review-inline
network_plugin = "azure"
network_policy = "azure"
}
# Enable Workload Identity for keyless Azure service access (MSI)
oidc_issuer_enabled = true
workload_identity_enabled = true
}

32
.tofu/platforms/aks/modules/cluster/outputs.tf Normal file
View File

@@ -0,0 +1,32 @@
# ─── Cluster ─────────────────────────────────────────────────────────
output "cluster_name" {
description = "AKS cluster name"
value = azurerm_kubernetes_cluster.main.name
}
output "resource_group_name" {
description = "Resource group name"
value = azurerm_resource_group.main.name
}
output "kubernetes_version" {
description = "Kubernetes version"
value = azurerm_kubernetes_cluster.main.kubernetes_version
}
output "location" {
description = "Azure region"
value = azurerm_resource_group.main.location
}
output "oidc_issuer_url" {
description = "AKS OIDC issuer URL (for workload identity federation)"
value = azurerm_kubernetes_cluster.main.oidc_issuer_url
}
output "kubeconfig" {
description = "Kubeconfig for the AKS cluster"
value = azurerm_kubernetes_cluster.main.kube_config_raw
Ghost marked this conversation as resolved
gitea_admin commented 2026-04-28 06:52:09 +00:00
Review
Copy Link

Exposing raw kubeconfig as output can lead to credential leakage in Terraform state and logs.

#ai-review-inline

Exposing raw kubeconfig as output can lead to credential leakage in Terraform state and logs. #ai-review-inline
sensitive = true
}

18
.tofu/platforms/aks/modules/cluster/providers.tf Normal file
View File

@@ -0,0 +1,18 @@
terraform {
required_version = ">= 1.0"
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "~> 4.0"
}
azuread = {
source = "hashicorp/azuread"
version = "~> 3.0"
}
random = {
source = "hashicorp/random"
version = "~> 3.0"
}
}
}

56
.tofu/platforms/aks/modules/cluster/variables.tf Normal file
View File

@@ -0,0 +1,56 @@
# ─── Cluster ─────────────────────────────────────────────────────────
variable "prefix" {
description = "Prefix for resource names"
type = string
}
variable "location" {
description = "Azure region (e.g., norwayeast, westeurope, northeurope)"
type = string
}
variable "resource_group_name" {
description = "Name of the Azure Resource Group to create"
type = string
}
variable "vnet_address_space" {
description = "Address space for the virtual network"
type = string
default = "10.100.0.0/16"
gitea_admin commented 2026-04-28 06:52:16 +00:00
Review
Copy Link

Consider using a smaller default CIDR range to avoid potential IP conflicts with on-premises networks.

  default     = "10.240.0.0/16"

#ai-review-inline

Consider using a smaller default CIDR range to avoid potential IP conflicts with on-premises networks. ```suggestion default = "10.240.0.0/16" ``` #ai-review-inline
}
variable "aks_subnet_cidr" {
description = "CIDR block for the AKS node subnet"
type = string
default = "10.100.0.0/22"
gitea_admin commented 2026-04-28 06:52:16 +00:00
Review
Copy Link

Default subnet CIDR should align with the updated VNet address space if changed.

  default     = "10.240.0.0/22"

#ai-review-inline

Default subnet CIDR should align with the updated VNet address space if changed. ```suggestion default = "10.240.0.0/22" ``` #ai-review-inline
}
variable "aks_node_vm_size" {
description = "VM size for AKS worker nodes (e.g., Standard_B2s, Standard_D4s_v3)"
type = string
}
gitea_admin commented 2026-04-28 06:52:16 +00:00
Review
Copy Link

Consider adding validation to restrict to supported Azure VM sizes for better cost control and compatibility.

variable "aks_node_vm_size" {
  description = "VM size for AKS worker nodes (e.g., Standard_B2s, Standard_D4s_v3)"
  type        = string
  validation {
    condition = can(regex("^Standard_[BDEFGHKLMNPRS][0-9]+[a-z]*_v[0-9]+$|^Standard_[BDEFGHKLMNPRS][0-9]+[a-z]*$", var.aks_node_vm_size))
    error_message = "VM size must be a valid Azure VM size (e.g., Standard_B2s, Standard_D4s_v3)."
  }
}

#ai-review-inline

Consider adding validation to restrict to supported Azure VM sizes for better cost control and compatibility. ```suggestion variable "aks_node_vm_size" { description = "VM size for AKS worker nodes (e.g., Standard_B2s, Standard_D4s_v3)" type = string validation { condition = can(regex("^Standard_[BDEFGHKLMNPRS][0-9]+[a-z]*_v[0-9]+$|^Standard_[BDEFGHKLMNPRS][0-9]+[a-z]*$", var.aks_node_vm_size)) error_message = "VM size must be a valid Azure VM size (e.g., Standard_B2s, Standard_D4s_v3)." } } ``` #ai-review-inline
variable "aks_node_count" {
description = "Number of AKS worker nodes"
type = number
}
gitea_admin commented 2026-04-28 06:52:16 +00:00
Review
Copy Link

Consider adding validation to ensure node count is within reasonable bounds (1-100).

variable "aks_node_count" {
  description = "Number of AKS worker nodes"
  type        = number
  validation {
    condition     = var.aks_node_count >= 1 && var.aks_node_count <= 100
    error_message = "Node count must be between 1 and 100."
  }
}

#ai-review-inline

Consider adding validation to ensure node count is within reasonable bounds (1-100). ```suggestion variable "aks_node_count" { description = "Number of AKS worker nodes" type = number validation { condition = var.aks_node_count >= 1 && var.aks_node_count <= 100 error_message = "Node count must be between 1 and 100." } } ``` #ai-review-inline
variable "aks_kubernetes_version" {
description = "Kubernetes version for AKS (null = latest stable)"
type = string
default = null
}
variable "enable_delete_lock" {
description = "Protect the resource group from accidental deletion"
type = bool
default = false
}
variable "tags" {
description = "Tags applied to all resources"
type = map(string)
default = {}
}

18
.tofu/platforms/aks/prod/main.tf Normal file
View File

@@ -0,0 +1,18 @@
module "cluster" {
source = "../modules/cluster"
prefix = "clst"
location = "westeurope"
resource_group_name = "clst-prod-rg"
# AKS — general-purpose nodes for production
aks_node_vm_size = "Standard_D4s_v3"
aks_node_count = 3
gitea_admin commented 2026-04-28 06:52:10 +00:00
Review
Copy Link

Production AKS cluster has only 3 nodes which may not provide sufficient availability for production workloads.

  aks_node_count   = 5

#ai-review-inline

Production AKS cluster has only 3 nodes which may not provide sufficient availability for production workloads. ```suggestion aks_node_count = 5 ``` #ai-review-inline
enable_delete_lock = true
tags = {
Environment = "prod"
ManagedBy = "tofu"
}
}

26
.tofu/platforms/aks/prod/outputs.tf Normal file
View File

@@ -0,0 +1,26 @@
# ─── Cluster ─────────────────────────────────────────────────────────
output "cluster_name" {
value = module.cluster.cluster_name
}
output "resource_group_name" {
value = module.cluster.resource_group_name
}
output "kubernetes_version" {
value = module.cluster.kubernetes_version
}
output "location" {
value = module.cluster.location
}
output "oidc_issuer_url" {
value = module.cluster.oidc_issuer_url
}
output "kubeconfig" {
value = module.cluster.kubeconfig
sensitive = true
}

17
.tofu/platforms/aks/prod/providers.tf Normal file
View File

@@ -0,0 +1,17 @@
terraform {
required_version = ">= 1.0"
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "~> 4.0"
gitea_admin commented 2026-04-28 06:52:10 +00:00
Review
Copy Link

Use a more specific version constraint to ensure reproducible deployments and avoid potential breaking changes.

      version = "~> 4.8"

#ai-review-inline

Use a more specific version constraint to ensure reproducible deployments and avoid potential breaking changes. ```suggestion version = "~> 4.8" ``` #ai-review-inline
}
}
}
provider "azurerm" {
features {}
# Credentials via environment variables:
# ARM_SUBSCRIPTION_ID, ARM_TENANT_ID, ARM_CLIENT_ID, ARM_CLIENT_SECRET
# Or: az login (uses your Azure CLI session)
}

173
.tofu/platforms/aks/workload/main.tf Normal file
View File

@@ -0,0 +1,173 @@
# =============================================================================
# Azure Workload Cluster
# =============================================================================
# A lean AKS cluster for running application workloads. No managed data
# services — those live on the platform cluster. ArgoCD (on the platform
# cluster) deploys apps to this cluster via the app-of-apps pattern.
#
# Platform components deployed by deploy-workload.sh:
# nginx-ingress, cert-manager, external-dns, external-secrets, alloy
#
# Usage:
# tofu init && tofu plan && tofu apply
# ./sync-tofu-outputs.sh --env azure-workload
# ./deploy-workload.sh --env azure-workload
# =============================================================================
variable "prefix" {
description = "Prefix for resource names (e.g., clst-workload)"
type = string
default = "clst-workload"
}
variable "location" {
description = "Azure region"
type = string
default = "norwayeast"
}
variable "resource_group_name" {
description = "Name of the Azure Resource Group to create"
type = string
default = "clst-workload-rg"
}
variable "vnet_address_space" {
description = "Address space for the virtual network"
type = string
default = "10.110.0.0/16"
}
variable "aks_subnet_cidr" {
description = "CIDR block for the AKS node subnet"
type = string
default = "10.110.0.0/22"
}
variable "aks_node_vm_size" {
description = "VM size for AKS worker nodes"
type = string
default = "Standard_B2s"
gitea_admin commented 2026-04-28 06:52:17 +00:00
Review
Copy Link

VM size Standard_B2s may be too small for production workloads and could cause resource constraints.

  default     = "Standard_D2s_v3"

#ai-review-inline

VM size Standard_B2s may be too small for production workloads and could cause resource constraints. ```suggestion default = "Standard_D2s_v3" ``` #ai-review-inline
}
variable "aks_node_count" {
description = "Number of AKS worker nodes"
type = number
default = 2
gitea_admin commented 2026-04-28 06:52:17 +00:00
Review
Copy Link

Node count of 2 provides no high availability; consider at least 3 nodes for production resilience.

  default     = 3

#ai-review-inline

Node count of 2 provides no high availability; consider at least 3 nodes for production resilience. ```suggestion default = 3 ``` #ai-review-inline
}
variable "aks_kubernetes_version" {
description = "Kubernetes version for AKS (null = latest stable)"
type = string
default = null
}
variable "domain" {
description = "Public domain name — must have an existing Azure DNS zone"
type = string
gitea_admin commented 2026-04-28 06:52:17 +00:00
Review
Copy Link

Domain variable lacks a default value and has no validation, which could cause deployment failures.

variable "domain" {
  description = "Public domain name — must have an existing Azure DNS zone"
  type        = string
  
  validation {
    condition     = can(regex("^[a-z0-9.-]+\\.[a-z]{2,}$", var.domain))
    error_message = "Domain must be a valid FQDN."
  }
}

#ai-review-inline

Domain variable lacks a default value and has no validation, which could cause deployment failures. ```suggestion variable "domain" { description = "Public domain name — must have an existing Azure DNS zone" type = string validation { condition = can(regex("^[a-z0-9.-]+\\.[a-z]{2,}$", var.domain)) error_message = "Domain must be a valid FQDN." } } ``` #ai-review-inline
}
variable "dns_zone_resource_group" {
description = "Resource group containing the Azure DNS zone (defaults to cluster RG)"
type = string
default = ""
}
variable "tags" {
description = "Tags applied to all resources"
type = map(string)
default = {
Environment = "workload"
ManagedBy = "tofu"
}
}
# ─── Resource Group ───────────────────────────────────────────────────
resource "azurerm_resource_group" "main" {
name = var.resource_group_name
location = var.location
tags = var.tags
}
# ─── Networking ───────────────────────────────────────────────────────
resource "azurerm_virtual_network" "main" {
name = "${var.prefix}-vnet"
resource_group_name = azurerm_resource_group.main.name
location = azurerm_resource_group.main.location
address_space = [var.vnet_address_space]
tags = var.tags
}
resource "azurerm_subnet" "aks" {
name = "${var.prefix}-aks-subnet"
resource_group_name = azurerm_resource_group.main.name
virtual_network_name = azurerm_virtual_network.main.name
address_prefixes = [var.aks_subnet_cidr]
}
# ─── AKS Cluster ──────────────────────────────────────────────────────
resource "azurerm_kubernetes_cluster" "main" {
name = "${var.prefix}-aks"
resource_group_name = azurerm_resource_group.main.name
location = azurerm_resource_group.main.location
dns_prefix = replace(var.prefix, "-", "")
kubernetes_version = var.aks_kubernetes_version
tags = var.tags
default_node_pool {
gitea_admin commented 2026-04-28 06:52:17 +00:00
Review
Copy Link

Default node pool is missing enable_auto_scaling and lacks resource limits which could cause node exhaustion.

  default_node_pool {
    name               = "system"
    node_count         = var.aks_node_count
    vm_size            = var.aks_node_vm_size
    vnet_subnet_id     = azurerm_subnet.aks.id
    enable_auto_scaling = true
    min_count          = 2
    max_count          = 5
    node_labels = {
      prefix = var.prefix
      role   = "worker"
      env    = lookup(var.tags, "Environment", "workload")
    }
  }

#ai-review-inline

Default node pool is missing enable_auto_scaling and lacks resource limits which could cause node exhaustion. ```suggestion default_node_pool { name = "system" node_count = var.aks_node_count vm_size = var.aks_node_vm_size vnet_subnet_id = azurerm_subnet.aks.id enable_auto_scaling = true min_count = 2 max_count = 5 node_labels = { prefix = var.prefix role = "worker" env = lookup(var.tags, "Environment", "workload") } } ``` #ai-review-inline
name = "system"
node_count = var.aks_node_count
vm_size = var.aks_node_vm_size
vnet_subnet_id = azurerm_subnet.aks.id
node_labels = {
prefix = var.prefix
role = "worker"
env = lookup(var.tags, "Environment", "workload")
}
}
identity {
type = "SystemAssigned"
}
network_profile {
network_plugin = "azure"
network_policy = "azure"
}
oidc_issuer_enabled = true
workload_identity_enabled = true
}
# ─── External-DNS Workload Identity ──────────────────────────────────
# Allows external-dns to manage Azure DNS records for app ingresses.
data "azurerm_dns_zone" "main" {
name = var.domain
resource_group_name = var.dns_zone_resource_group != "" ? var.dns_zone_resource_group : azurerm_resource_group.main.name
}
resource "azurerm_user_assigned_identity" "external_dns" {
name = "${var.prefix}-external-dns-identity"
resource_group_name = azurerm_resource_group.main.name
location = azurerm_resource_group.main.location
tags = var.tags
}
resource "azurerm_role_assignment" "external_dns_dns_contributor" {
scope = data.azurerm_dns_zone.main.id
role_definition_name = "DNS Zone Contributor"
principal_id = azurerm_user_assigned_identity.external_dns.principal_id
}
resource "azurerm_federated_identity_credential" "external_dns" {
name = "${var.prefix}-external-dns-fedcred"
resource_group_name = azurerm_resource_group.main.name
parent_id = azurerm_user_assigned_identity.external_dns.id
audience = ["api://AzureADTokenExchange"]
issuer = azurerm_kubernetes_cluster.main.oidc_issuer_url
subject = "system:serviceaccount:external-dns:external-dns"
}

4
.tofu/platforms/aks/workload/outputs.tf Normal file
View File

@@ -0,0 +1,4 @@
output "cluster_name" { value = azurerm_kubernetes_cluster.main.name }
output "resource_group_name" { value = azurerm_resource_group.main.name }
output "location" { value = azurerm_resource_group.main.location }
output "external_dns_identity_client_id" { value = azurerm_user_assigned_identity.external_dns.client_id }

21
.tofu/platforms/aks/workload/providers.tf Normal file
View File

@@ -0,0 +1,21 @@
terraform {
required_version = ">= 1.0"
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "~> 4.0"
}
random = {
source = "hashicorp/random"
version = "~> 3.0"
}
}
}
provider "azurerm" {
features {}
# Credentials via environment variables:
# ARM_SUBSCRIPTION_ID, ARM_TENANT_ID, ARM_CLIENT_ID, ARM_CLIENT_SECRET
# Or: az login (uses your Azure CLI session)
}

21
.tofu/platforms/eks/dev/main.tf Normal file
View File

@@ -0,0 +1,21 @@
module "cluster" {
source = "../modules/cluster"
region = var.region
prefix = "clst-dev"
# VPC
availability_zones = ["${var.region}a", "${var.region}b"]
# EKS — small dev nodes
node_instance_type = "t3.medium"
node_count = 2
node_min_count = 1
node_max_count = 4
kubernetes_version = "1.30"
gitea_admin commented 2026-04-28 06:52:13 +00:00
Review
Copy Link

Kubernetes version should be pinned to a specific patch version for reproducibility and security patching control.

  kubernetes_version = "1.30.6"

#ai-review-inline

Kubernetes version should be pinned to a specific patch version for reproducibility and security patching control. ```suggestion kubernetes_version = "1.30.6" ``` #ai-review-inline
tags = {
Environment = "dev"
ManagedBy = "tofu"
}
}

5
.tofu/platforms/eks/dev/outputs.tf Normal file
View File

@@ -0,0 +1,5 @@
output "cluster_name" { value = module.cluster.cluster_name }
output "aws_region" { value = module.cluster.aws_region }
output "oidc_issuer_url" { value = module.cluster.oidc_issuer_url }
output "oidc_provider_arn" { value = module.cluster.oidc_provider_arn }
output "vpc_id" { value = module.cluster.vpc_id }

24
.tofu/platforms/eks/dev/providers.tf Normal file
View File

@@ -0,0 +1,24 @@
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.0"
}
tls = {
source = "hashicorp/tls"
version = "~> 4.0"
}
}
}
# Authentication: set AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN
# or configure an AWS profile: export AWS_PROFILE=clst
provider "aws" {
region = var.region
}
variable "region" {
description = "AWS region for dev environment"
type = string
default = "eu-west-1"
}

207
.tofu/platforms/eks/modules/cluster/main.tf Normal file
View File

@@ -0,0 +1,207 @@
# ─── VPC ──────────────────────────────────────────────────────────────
resource "aws_vpc" "main" {
cidr_block = var.vpc_cidr
enable_dns_hostnames = true
enable_dns_support = true
tags = merge(var.tags, { Name = "${var.prefix}-vpc" })
}
resource "aws_internet_gateway" "main" {
vpc_id = aws_vpc.main.id
tags = merge(var.tags, { Name = "${var.prefix}-igw" })
}
# Public subnets (one per AZ) — for NAT gateways and load balancers
resource "aws_subnet" "public" {
count = length(var.availability_zones)
vpc_id = aws_vpc.main.id
cidr_block = cidrsubnet(var.vpc_cidr, 4, count.index)
availability_zone = var.availability_zones[count.index]
map_public_ip_on_launch = true
tags = merge(var.tags, {
Name = "${var.prefix}-public-${count.index + 1}"
"kubernetes.io/cluster/${var.prefix}-eks" = "shared"
"kubernetes.io/role/elb" = "1"
})
}
# Private subnets (one per AZ) — for EKS nodes
resource "aws_subnet" "private" {
count = length(var.availability_zones)
vpc_id = aws_vpc.main.id
cidr_block = cidrsubnet(var.vpc_cidr, 4, count.index + length(var.availability_zones))
availability_zone = var.availability_zones[count.index]
tags = merge(var.tags, {
Name = "${var.prefix}-private-${count.index + 1}"
"kubernetes.io/cluster/${var.prefix}-eks" = "shared"
"kubernetes.io/role/internal-elb" = "1"
})
}
# NAT Gateway (single, in first public subnet — use one per AZ for prod HA)
gitea_admin commented 2026-04-28 06:52:18 +00:00
Review
Copy Link

Using a single NAT Gateway creates a single point of failure; consider one NAT Gateway per AZ for production high availability.

#ai-review-inline

Using a single NAT Gateway creates a single point of failure; consider one NAT Gateway per AZ for production high availability. #ai-review-inline
resource "aws_eip" "nat" {
domain = "vpc"
tags = merge(var.tags, { Name = "${var.prefix}-nat-eip" })
}
resource "aws_nat_gateway" "main" {
allocation_id = aws_eip.nat.id
subnet_id = aws_subnet.public[0].id
tags = merge(var.tags, { Name = "${var.prefix}-nat" })
depends_on = [aws_internet_gateway.main]
}
resource "aws_route_table" "public" {
vpc_id = aws_vpc.main.id
route {
cidr_block = "0.0.0.0/0"
gateway_id = aws_internet_gateway.main.id
}
tags = merge(var.tags, { Name = "${var.prefix}-public-rt" })
}
resource "aws_route_table_association" "public" {
count = length(var.availability_zones)
subnet_id = aws_subnet.public[count.index].id
route_table_id = aws_route_table.public.id
}
resource "aws_route_table" "private" {
vpc_id = aws_vpc.main.id
route {
cidr_block = "0.0.0.0/0"
nat_gateway_id = aws_nat_gateway.main.id
}
tags = merge(var.tags, { Name = "${var.prefix}-private-rt" })
}
resource "aws_route_table_association" "private" {
count = length(var.availability_zones)
subnet_id = aws_subnet.private[count.index].id
route_table_id = aws_route_table.private.id
}
# ─── EKS Cluster ──────────────────────────────────────────────────────
resource "aws_iam_role" "eks_cluster" {
name_prefix = "${var.prefix}-eks-cluster-"
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [{
Action = "sts:AssumeRole"
Effect = "Allow"
Principal = { Service = "eks.amazonaws.com" }
}]
})
tags = var.tags
}
resource "aws_iam_role_policy_attachment" "eks_cluster_policy" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
role = aws_iam_role.eks_cluster.name
}
resource "aws_eks_cluster" "main" {
name = "${var.prefix}-eks"
role_arn = aws_iam_role.eks_cluster.arn
version = var.kubernetes_version
vpc_config {
subnet_ids = concat(aws_subnet.private[*].id, aws_subnet.public[*].id)
endpoint_private_access = true
endpoint_public_access = true
gitea_admin commented 2026-04-28 06:52:18 +00:00
Review
Copy Link

Public API endpoint access should be restricted to specific CIDR blocks for security.

    endpoint_public_access  = true
    public_access_cidrs     = ["YOUR_OFFICE_IP/32"]

#ai-review-inline

Public API endpoint access should be restricted to specific CIDR blocks for security. ```suggestion endpoint_public_access = true public_access_cidrs = ["YOUR_OFFICE_IP/32"] ``` #ai-review-inline
}
# Enable OIDC issuer for IRSA (IAM Roles for Service Accounts)
access_config {
authentication_mode = "API_AND_CONFIG_MAP"
}
tags = var.tags
depends_on = [aws_iam_role_policy_attachment.eks_cluster_policy]
}
# OIDC provider — required for IRSA (IAM Roles for Service Accounts)
data "tls_certificate" "eks" {
url = aws_eks_cluster.main.identity[0].oidc[0].issuer
}
resource "aws_iam_openid_connect_provider" "eks" {
client_id_list = ["sts.amazonaws.com"]
thumbprint_list = [data.tls_certificate.eks.certificates[0].sha1_fingerprint]
url = aws_eks_cluster.main.identity[0].oidc[0].issuer
tags = var.tags
}
# EKS Node Group
resource "aws_iam_role" "eks_nodes" {
name_prefix = "${var.prefix}-eks-nodes-"
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [{
Action = "sts:AssumeRole"
Effect = "Allow"
Principal = { Service = "ec2.amazonaws.com" }
}]
})
tags = var.tags
}
resource "aws_iam_role_policy_attachment" "eks_worker_node_policy" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
role = aws_iam_role.eks_nodes.name
}
resource "aws_iam_role_policy_attachment" "eks_cni_policy" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
role = aws_iam_role.eks_nodes.name
}
resource "aws_iam_role_policy_attachment" "eks_ecr_readonly" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
role = aws_iam_role.eks_nodes.name
}
resource "aws_eks_node_group" "main" {
cluster_name = aws_eks_cluster.main.name
node_group_name = "${var.prefix}-nodes"
node_role_arn = aws_iam_role.eks_nodes.arn
subnet_ids = aws_subnet.private[*].id
instance_types = [var.node_instance_type]
gitea_admin commented 2026-04-28 06:52:18 +00:00
Review
Copy Link

Node instance types should be configurable as a list to support multiple instance types for better availability and cost optimization.

  instance_types = var.node_instance_types

#ai-review-inline

Node instance types should be configurable as a list to support multiple instance types for better availability and cost optimization. ```suggestion instance_types = var.node_instance_types ``` #ai-review-inline
scaling_config {
desired_size = var.node_count
max_size = var.node_max_count
min_size = var.node_min_count
}
update_config {
max_unavailable = 1
gitea_admin commented 2026-04-28 06:52:18 +00:00
Review
Copy Link

Consider using max_unavailable_percentage instead of a fixed number for better scaling flexibility.

    max_unavailable_percentage = 25

#ai-review-inline

Consider using `max_unavailable_percentage` instead of a fixed number for better scaling flexibility. ```suggestion max_unavailable_percentage = 25 ``` #ai-review-inline
}
tags = var.tags
depends_on = [
aws_iam_role_policy_attachment.eks_worker_node_policy,
aws_iam_role_policy_attachment.eks_cni_policy,
aws_iam_role_policy_attachment.eks_ecr_readonly,
]
}

26
.tofu/platforms/eks/modules/cluster/outputs.tf Normal file
View File

@@ -0,0 +1,26 @@
# ─── Cluster ─────────────────────────────────────────────────────────
output "cluster_name" {
description = "EKS cluster name"
value = aws_eks_cluster.main.name
}
output "aws_region" {
description = "AWS region"
value = var.region
}
output "oidc_issuer_url" {
description = "EKS OIDC issuer URL (for IRSA)"
value = aws_eks_cluster.main.identity[0].oidc[0].issuer
}
output "oidc_provider_arn" {
description = "IAM OIDC provider ARN (for IRSA trust policies)"
value = aws_iam_openid_connect_provider.eks.arn
}
output "vpc_id" {
description = "VPC ID"
value = aws_vpc.main.id
}

12
.tofu/platforms/eks/modules/cluster/providers.tf Normal file
View File

@@ -0,0 +1,12 @@
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.0"
gitea_admin commented 2026-04-28 06:52:16 +00:00
Review
Copy Link

Consider using a more specific version constraint to ensure reproducible builds and avoid unexpected updates.

      version = "~> 5.70"

#ai-review-inline

Consider using a more specific version constraint to ensure reproducible builds and avoid unexpected updates. ```suggestion version = "~> 5.70" ``` #ai-review-inline
}
tls = {
source = "hashicorp/tls"
version = "~> 4.0"
gitea_admin commented 2026-04-28 06:52:16 +00:00
Review
Copy Link

Consider using a more specific version constraint to ensure reproducible builds and avoid unexpected updates.

      version = "~> 4.0.5"

#ai-review-inline

Consider using a more specific version constraint to ensure reproducible builds and avoid unexpected updates. ```suggestion version = "~> 4.0.5" ``` #ai-review-inline
}
}
}

61
.tofu/platforms/eks/modules/cluster/variables.tf Normal file
View File

@@ -0,0 +1,61 @@
# ─── Region ──────────────────────────────────────────────────────────
variable "region" {
description = "AWS region (e.g., eu-west-1, us-east-1)"
type = string
}
variable "prefix" {
description = "Prefix for resource names (e.g., clst-dev)"
type = string
}
# ─── Networking ───────────────────────────────────────────────────────
variable "vpc_cidr" {
description = "VPC CIDR block"
type = string
default = "10.100.0.0/16"
}
variable "availability_zones" {
description = "List of AZs for subnets (23 recommended)"
type = list(string)
}
# ─── EKS Cluster ─────────────────────────────────────────────────────
variable "node_instance_type" {
description = "EKS node instance type (e.g., t3.medium, m5.xlarge)"
type = string
}
variable "node_count" {
description = "Desired number of EKS worker nodes"
type = number
}
variable "node_min_count" {
description = "Minimum number of EKS worker nodes"
type = number
default = 1
}
variable "node_max_count" {
description = "Maximum number of EKS worker nodes"
type = number
}
variable "kubernetes_version" {
description = "Kubernetes version for EKS (e.g., \"1.30\")"
type = string
default = "1.30"
}
# ─── Tags ─────────────────────────────────────────────────────────────
variable "tags" {
description = "Tags applied to all resources"
type = map(string)
default = {}
}

21
.tofu/platforms/eks/prod/main.tf Normal file
View File

@@ -0,0 +1,21 @@
module "cluster" {
source = "../modules/cluster"
region = var.region
prefix = "clst"
# VPC
availability_zones = ["${var.region}a", "${var.region}b", "${var.region}c"]
# EKS — general-purpose nodes for production
node_instance_type = "m5.xlarge"
node_count = 3
node_min_count = 3
node_max_count = 6
kubernetes_version = "1.30"
gitea_admin commented 2026-04-28 06:52:16 +00:00
Review
Copy Link

Kubernetes version should be pinned to a specific patch version (e.g., '1.30.6') to ensure consistent deployments and avoid unexpected upgrades.

  kubernetes_version = "1.30.6"

#ai-review-inline

Kubernetes version should be pinned to a specific patch version (e.g., '1.30.6') to ensure consistent deployments and avoid unexpected upgrades. ```suggestion kubernetes_version = "1.30.6" ``` #ai-review-inline
tags = {
Environment = "prod"
ManagedBy = "tofu"
}
}

5
.tofu/platforms/eks/prod/outputs.tf Normal file
View File

@@ -0,0 +1,5 @@
output "cluster_name" { value = module.cluster.cluster_name }
output "aws_region" { value = module.cluster.aws_region }
output "oidc_issuer_url" { value = module.cluster.oidc_issuer_url }
output "oidc_provider_arn" { value = module.cluster.oidc_provider_arn }
output "vpc_id" { value = module.cluster.vpc_id }

22
.tofu/platforms/eks/prod/providers.tf Normal file
View File

@@ -0,0 +1,22 @@
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.0"
}
tls = {
source = "hashicorp/tls"
version = "~> 4.0"
}
}
}
provider "aws" {
region = var.region
}
variable "region" {
description = "AWS region for prod environment"
type = string
default = "eu-west-1"
}

339
.tofu/platforms/eks/workload/main.tf Normal file
View File

@@ -0,0 +1,339 @@
# =============================================================================
# AWS Workload Cluster
# =============================================================================
# A lean EKS cluster for running application workloads. No managed data
# services — those live on the platform cluster. ArgoCD (on the platform
# cluster) deploys apps to this cluster via the app-of-apps pattern.
#
# Platform components deployed by deploy-workload.sh:
# nginx-ingress, cert-manager, external-dns, external-secrets, alloy
#
# Usage:
# tofu init && tofu plan && tofu apply
# ./sync-tofu-outputs.sh --env aws-workload
# ./deploy-workload.sh --env aws-workload
# =============================================================================
variable "prefix" {
description = "Prefix for resource names (e.g., clst-workload)"
type = string
default = "clst-workload"
}
variable "availability_zones" {
description = "List of AZs for subnets"
type = list(string)
default = ["eu-west-1a", "eu-west-1b"]
}
variable "vpc_cidr" {
description = "VPC CIDR block"
type = string
default = "10.110.0.0/16"
}
variable "node_instance_type" {
description = "EKS node instance type"
type = string
default = "t3.medium"
}
variable "node_count" {
description = "Desired number of EKS worker nodes"
type = number
default = 2
}
variable "node_min_count" {
description = "Minimum number of EKS worker nodes"
type = number
default = 1
}
variable "node_max_count" {
description = "Maximum number of EKS worker nodes"
type = number
default = 4
}
variable "kubernetes_version" {
description = "Kubernetes version for EKS"
type = string
default = "1.30"
}
variable "domain" {
description = "Public domain name — must have an existing Route53 hosted zone"
type = string
gitea_admin commented 2026-04-28 06:52:24 +00:00
Review
Copy Link

Missing validation for domain variable - should ensure it's a valid FQDN.

variable "domain" {
  description = "Public domain name — must have an existing Route53 hosted zone"
  type        = string
  validation {
    condition = can(regex("^[a-z0-9.-]+\\.[a-z]{2,}$", var.domain))
    error_message = "Domain must be a valid FQDN (e.g., example.com)."
  }
}

#ai-review-inline

Missing validation for domain variable - should ensure it's a valid FQDN. ```suggestion variable "domain" { description = "Public domain name — must have an existing Route53 hosted zone" type = string validation { condition = can(regex("^[a-z0-9.-]+\\.[a-z]{2,}$", var.domain)) error_message = "Domain must be a valid FQDN (e.g., example.com)." } } ``` #ai-review-inline
}
variable "tags" {
description = "Tags applied to all resources"
type = map(string)
default = {
Environment = "workload"
ManagedBy = "tofu"
}
}
# ─── VPC ──────────────────────────────────────────────────────────────
resource "aws_vpc" "main" {
cidr_block = var.vpc_cidr
enable_dns_hostnames = true
enable_dns_support = true
tags = merge(var.tags, { Name = "${var.prefix}-vpc" })
}
resource "aws_internet_gateway" "main" {
vpc_id = aws_vpc.main.id
tags = merge(var.tags, { Name = "${var.prefix}-igw" })
}
resource "aws_subnet" "public" {
count = length(var.availability_zones)
vpc_id = aws_vpc.main.id
cidr_block = cidrsubnet(var.vpc_cidr, 4, count.index)
availability_zone = var.availability_zones[count.index]
map_public_ip_on_launch = true
tags = merge(var.tags, {
Name = "${var.prefix}-public-${count.index + 1}"
"kubernetes.io/cluster/${var.prefix}-eks" = "shared"
"kubernetes.io/role/elb" = "1"
})
}
resource "aws_subnet" "private" {
count = length(var.availability_zones)
vpc_id = aws_vpc.main.id
cidr_block = cidrsubnet(var.vpc_cidr, 4, count.index + length(var.availability_zones))
availability_zone = var.availability_zones[count.index]
tags = merge(var.tags, {
Name = "${var.prefix}-private-${count.index + 1}"
"kubernetes.io/cluster/${var.prefix}-eks" = "shared"
"kubernetes.io/role/internal-elb" = "1"
})
}
resource "aws_eip" "nat" {
domain = "vpc"
tags = merge(var.tags, { Name = "${var.prefix}-nat-eip" })
}
resource "aws_nat_gateway" "main" {
allocation_id = aws_eip.nat.id
subnet_id = aws_subnet.public[0].id
tags = merge(var.tags, { Name = "${var.prefix}-nat" })
depends_on = [aws_internet_gateway.main]
}
resource "aws_route_table" "public" {
vpc_id = aws_vpc.main.id
route {
cidr_block = "0.0.0.0/0"
gateway_id = aws_internet_gateway.main.id
}
tags = merge(var.tags, { Name = "${var.prefix}-public-rt" })
}
resource "aws_route_table_association" "public" {
count = length(var.availability_zones)
subnet_id = aws_subnet.public[count.index].id
route_table_id = aws_route_table.public.id
}
resource "aws_route_table" "private" {
vpc_id = aws_vpc.main.id
route {
cidr_block = "0.0.0.0/0"
nat_gateway_id = aws_nat_gateway.main.id
}
tags = merge(var.tags, { Name = "${var.prefix}-private-rt" })
}
resource "aws_route_table_association" "private" {
count = length(var.availability_zones)
subnet_id = aws_subnet.private[count.index].id
route_table_id = aws_route_table.private.id
}
# ─── EKS Cluster ──────────────────────────────────────────────────────
resource "aws_iam_role" "eks_cluster" {
name_prefix = "${var.prefix}-eks-cluster-"
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [{
Action = "sts:AssumeRole"
Effect = "Allow"
Principal = { Service = "eks.amazonaws.com" }
}]
})
tags = var.tags
}
resource "aws_iam_role_policy_attachment" "eks_cluster_policy" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
role = aws_iam_role.eks_cluster.name
}
resource "aws_eks_cluster" "main" {
name = "${var.prefix}-eks"
role_arn = aws_iam_role.eks_cluster.arn
version = var.kubernetes_version
vpc_config {
subnet_ids = concat(aws_subnet.private[*].id, aws_subnet.public[*].id)
endpoint_private_access = true
gitea_admin commented 2026-04-28 06:52:24 +00:00
Review
Copy Link

EKS endpoint_public_access enabled - consider restricting public access with public_access_cidrs for better security.

  vpc_config {
    subnet_ids                 = concat(aws_subnet.private[*].id, aws_subnet.public[*].id)
    endpoint_private_access    = true
    endpoint_public_access     = true
    public_access_cidrs        = ["0.0.0.0/0"] # TODO: Restrict to specific CIDR blocks
  }

#ai-review-inline

EKS endpoint_public_access enabled - consider restricting public access with public_access_cidrs for better security. ```suggestion vpc_config { subnet_ids = concat(aws_subnet.private[*].id, aws_subnet.public[*].id) endpoint_private_access = true endpoint_public_access = true public_access_cidrs = ["0.0.0.0/0"] # TODO: Restrict to specific CIDR blocks } ``` #ai-review-inline
endpoint_public_access = true
}
access_config {
authentication_mode = "API_AND_CONFIG_MAP"
}
tags = var.tags
depends_on = [aws_iam_role_policy_attachment.eks_cluster_policy]
}
# OIDC provider — required for IRSA
data "tls_certificate" "eks" {
url = aws_eks_cluster.main.identity[0].oidc[0].issuer
}
resource "aws_iam_openid_connect_provider" "eks" {
client_id_list = ["sts.amazonaws.com"]
thumbprint_list = [data.tls_certificate.eks.certificates[0].sha1_fingerprint]
url = aws_eks_cluster.main.identity[0].oidc[0].issuer
tags = var.tags
}
resource "aws_iam_role" "eks_nodes" {
name_prefix = "${var.prefix}-eks-nodes-"
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [{
Action = "sts:AssumeRole"
Effect = "Allow"
Principal = { Service = "ec2.amazonaws.com" }
}]
})
tags = var.tags
}
resource "aws_iam_role_policy_attachment" "eks_worker_node_policy" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
role = aws_iam_role.eks_nodes.name
}
resource "aws_iam_role_policy_attachment" "eks_cni_policy" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
role = aws_iam_role.eks_nodes.name
}
resource "aws_iam_role_policy_attachment" "eks_ecr_readonly" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
role = aws_iam_role.eks_nodes.name
}
resource "aws_eks_node_group" "main" {
cluster_name = aws_eks_cluster.main.name
node_group_name = "${var.prefix}-nodes"
node_role_arn = aws_iam_role.eks_nodes.arn
subnet_ids = aws_subnet.private[*].id
instance_types = [var.node_instance_type]
gitea_admin commented 2026-04-28 06:52:24 +00:00
Review
Copy Link

Node group using only one instance type - consider adding a secondary type for better availability.

  instance_types = [var.node_instance_type, "t3.large"]

#ai-review-inline

Node group using only one instance type - consider adding a secondary type for better availability. ```suggestion instance_types = [var.node_instance_type, "t3.large"] ``` #ai-review-inline
scaling_config {
desired_size = var.node_count
max_size = var.node_max_count
min_size = var.node_min_count
}
update_config {
max_unavailable = 1
}
tags = var.tags
depends_on = [
aws_iam_role_policy_attachment.eks_worker_node_policy,
aws_iam_role_policy_attachment.eks_cni_policy,
aws_iam_role_policy_attachment.eks_ecr_readonly,
]
}
# ─── External-DNS IRSA ───────────────────────────────────────────────
# Allows external-dns to manage Route53 records for app ingresses.
data "aws_route53_zone" "main" {
name = var.domain
private_zone = false
}
data "aws_iam_policy_document" "external_dns_assume_role" {
statement {
effect = "Allow"
principals {
type = "Federated"
identifiers = [aws_iam_openid_connect_provider.eks.arn]
}
actions = ["sts:AssumeRoleWithWebIdentity"]
condition {
test = "StringEquals"
variable = "${replace(aws_iam_openid_connect_provider.eks.url, "https://", "")}:sub"
values = ["system:serviceaccount:external-dns:external-dns"]
}
condition {
test = "StringEquals"
variable = "${replace(aws_iam_openid_connect_provider.eks.url, "https://", "")}:aud"
values = ["sts.amazonaws.com"]
}
}
}
resource "aws_iam_role" "external_dns_irsa" {
name_prefix = "${var.prefix}-external-dns-irsa-"
assume_role_policy = data.aws_iam_policy_document.external_dns_assume_role.json
tags = var.tags
}
data "aws_iam_policy_document" "external_dns_route53" {
statement {
effect = "Allow"
actions = ["route53:ChangeResourceRecordSets"]
resources = ["arn:aws:route53:::hostedzone/${data.aws_route53_zone.main.zone_id}"]
}
statement {
effect = "Allow"
actions = ["route53:ListHostedZones", "route53:ListResourceRecordSets", "route53:ListTagsForResource"]
resources = ["*"]
gitea_admin commented 2026-04-28 06:52:24 +00:00
Review
Copy Link

Route53 IAM policy uses wildcard resource for list operations - consider scoping to specific hosted zones if possible.

#ai-review-inline

Route53 IAM policy uses wildcard resource for list operations - consider scoping to specific hosted zones if possible. #ai-review-inline
}
}
resource "aws_iam_role_policy" "external_dns_route53" {
name_prefix = "${var.prefix}-external-dns-route53-"
role = aws_iam_role.external_dns_irsa.id
policy = data.aws_iam_policy_document.external_dns_route53.json
}

3
.tofu/platforms/eks/workload/outputs.tf Normal file
View File

@@ -0,0 +1,3 @@
output "cluster_name" { value = aws_eks_cluster.main.name }
output "aws_region" { value = var.region }
output "external_dns_irsa_role_arn" { value = aws_iam_role.external_dns_irsa.arn }

24
.tofu/platforms/eks/workload/providers.tf Normal file
View File

@@ -0,0 +1,24 @@
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.0"
gitea_admin commented 2026-04-28 06:52:19 +00:00
Review
Copy Link

Use exact version pinning instead of pessimistic version constraint for better reproducibility in production environments.

      version = "5.73.0"

#ai-review-inline

Use exact version pinning instead of pessimistic version constraint for better reproducibility in production environments. ```suggestion version = "5.73.0" ``` #ai-review-inline
}
tls = {
source = "hashicorp/tls"
version = "~> 4.0"
gitea_admin commented 2026-04-28 06:52:19 +00:00
Review
Copy Link

Use exact version pinning instead of pessimistic version constraint for better reproducibility in production environments.

      version = "4.0.6"

#ai-review-inline

Use exact version pinning instead of pessimistic version constraint for better reproducibility in production environments. ```suggestion version = "4.0.6" ``` #ai-review-inline
}
}
}
# Authentication: set AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN
# or configure an AWS profile: export AWS_PROFILE=clst
provider "aws" {
region = var.region
}
variable "region" {
description = "AWS region for the workload environment"
type = string
default = "eu-west-1"
}

17
.tofu/platforms/gke/dev/main.tf Normal file
View File

@@ -0,0 +1,17 @@
module "cluster" {
source = "../modules/cluster"
project_id = var.project_id
region = var.region
prefix = "clst-dev"
# GKE — small dev nodes
node_machine_type = "e2-standard-2"
node_count = 2
deletion_protection = false
gitea_admin commented 2026-04-28 06:52:18 +00:00
Review
Copy Link

Deletion protection disabled in dev environment creates risk of accidental cluster deletion.

  deletion_protection = true

#ai-review-inline

Deletion protection disabled in dev environment creates risk of accidental cluster deletion. ```suggestion deletion_protection = true ``` #ai-review-inline
labels = {
environment = "dev"
managed-by = "tofu"
}
}

3
.tofu/platforms/gke/dev/outputs.tf Normal file
View File

@@ -0,0 +1,3 @@
output "cluster_name" { value = module.cluster.cluster_name }
output "project_id" { value = module.cluster.project_id }
output "region" { value = module.cluster.region }

26
.tofu/platforms/gke/dev/providers.tf Normal file
View File

@@ -0,0 +1,26 @@
terraform {
required_providers {
google = {
source = "hashicorp/google"
version = "~> 6.0"
}
}
}
# Authentication: use Application Default Credentials (gcloud auth application-default login)
# or set GOOGLE_APPLICATION_CREDENTIALS to a service account key file.
provider "google" {
project = var.project_id
region = var.region
}
variable "project_id" {
description = "GCP project ID for the dev environment"
gitea_admin commented 2026-04-28 06:52:21 +00:00
Review
Copy Link

Variable lacks validation to ensure it follows GCP project ID naming rules (6-30 chars, lowercase, numbers, hyphens).

variable "project_id" {
  description = "GCP project ID for the dev environment"
  type        = string
  validation {
    condition     = can(regex("^[a-z][a-z0-9-]{4,28}[a-z0-9]$", var.project_id))
    error_message = "Project ID must be 6-30 characters, start with lowercase letter, and contain only lowercase letters, numbers, and hyphens."
  }
}

#ai-review-inline

Variable lacks validation to ensure it follows GCP project ID naming rules (6-30 chars, lowercase, numbers, hyphens). ```suggestion variable "project_id" { description = "GCP project ID for the dev environment" type = string validation { condition = can(regex("^[a-z][a-z0-9-]{4,28}[a-z0-9]$", var.project_id)) error_message = "Project ID must be 6-30 characters, start with lowercase letter, and contain only lowercase letters, numbers, and hyphens." } } ``` #ai-review-inline
type = string
}
variable "region" {
description = "GCP region"
type = string
default = "europe-west4"
}

115
.tofu/platforms/gke/modules/cluster/main.tf Normal file
View File

@@ -0,0 +1,115 @@
# ─── Required APIs ────────────────────────────────────────────────────
resource "google_project_service" "compute" {
project = var.project_id
service = "compute.googleapis.com"
disable_on_destroy = false
}
resource "google_project_service" "container" {
project = var.project_id
service = "container.googleapis.com"
disable_on_destroy = false
}
# ─── Networking ───────────────────────────────────────────────────────
resource "google_compute_network" "main" {
project = var.project_id
name = "${var.prefix}-vpc"
auto_create_subnetworks = false
depends_on = [google_project_service.compute]
}
resource "google_compute_subnetwork" "main" {
project = var.project_id
name = "${var.prefix}-subnet"
ip_cidr_range = "10.100.0.0/22"
gitea_admin commented 2026-04-28 06:52:26 +00:00
Review
Copy Link

Hardcoded CIDR range should be configurable via variable to support different network architectures.

  ip_cidr_range = var.subnet_cidr

#ai-review-inline

Hardcoded CIDR range should be configurable via variable to support different network architectures. ```suggestion ip_cidr_range = var.subnet_cidr ``` #ai-review-inline
region = var.region
network = google_compute_network.main.id
# Secondary ranges required for GKE VPC-native cluster
secondary_ip_range {
range_name = "pods"
ip_cidr_range = "10.200.0.0/14" # /14 = ~262k pod IPs
gitea_admin commented 2026-04-28 06:52:26 +00:00
Review
Copy Link

Hardcoded pod CIDR range should be configurable via variable for flexibility across environments.

    ip_cidr_range = var.pod_cidr

#ai-review-inline

Hardcoded pod CIDR range should be configurable via variable for flexibility across environments. ```suggestion ip_cidr_range = var.pod_cidr ``` #ai-review-inline
}
secondary_ip_range {
range_name = "services"
ip_cidr_range = "10.204.0.0/20" # /20 = ~4k service IPs
gitea_admin commented 2026-04-28 06:52:26 +00:00
Review
Copy Link

Hardcoded service CIDR range should be configurable via variable for flexibility across environments.

    ip_cidr_range = var.service_cidr

#ai-review-inline

Hardcoded service CIDR range should be configurable via variable for flexibility across environments. ```suggestion ip_cidr_range = var.service_cidr ``` #ai-review-inline
}
}
# ─── GKE Cluster ──────────────────────────────────────────────────────
#
# Regional cluster (3 control-plane replicas) for HA.
# Workload Identity enabled — allows K8s service accounts to impersonate
# Google Service Accounts for keyless access to GCP services.
resource "google_container_cluster" "main" {
project = var.project_id
name = "${var.prefix}-gke"
location = var.region # regional cluster
network = google_compute_network.main.id
subnetwork = google_compute_subnetwork.main.id
# VPC-native cluster with alias IP ranges
ip_allocation_policy {
cluster_secondary_range_name = "pods"
services_secondary_range_name = "services"
}
# Workload Identity pool — enables OIDC token projection for pods
workload_identity_config {
workload_pool = "${var.project_id}.svc.id.goog"
}
# Remove default node pool — we manage our own below
remove_default_node_pool = true
initial_node_count = 1
deletion_protection = var.deletion_protection
dynamic "release_channel" {
for_each = var.kubernetes_version == null ? [1] : []
content {
channel = "STABLE"
}
}
resource_labels = var.labels
depends_on = [google_project_service.container]
}
resource "google_container_node_pool" "main" {
project = var.project_id
name = "${var.prefix}-nodes"
location = var.region
cluster = google_container_cluster.main.name
node_count = var.node_count
node_config {
gitea_admin commented 2026-04-28 06:52:26 +00:00
Review
Copy Link

Missing security hardening options like boot disk encryption and security group configuration.

  node_config {
    machine_type = var.node_machine_type
    
    disk_encryption = "ENCRYPTION_AT_REST"
    
    shielded_instance_config {
      enable_secure_boot          = true
      enable_integrity_monitoring = true
    }

#ai-review-inline

Missing security hardening options like boot disk encryption and security group configuration. ```suggestion node_config { machine_type = var.node_machine_type disk_encryption = "ENCRYPTION_AT_REST" shielded_instance_config { enable_secure_boot = true enable_integrity_monitoring = true } ``` #ai-review-inline
machine_type = var.node_machine_type
# GKE_METADATA mode is required for Workload Identity
workload_metadata_config {
mode = "GKE_METADATA"
}
oauth_scopes = [
"https://www.googleapis.com/auth/cloud-platform",
gitea_admin commented 2026-04-28 06:52:26 +00:00
Review
Copy Link

OAuth scope 'cloud-platform' is overly broad and grants excessive permissions - use specific scopes instead.

      "https://www.googleapis.com/auth/logging.write",
      "https://www.googleapis.com/auth/monitoring",
      "https://www.googleapis.com/auth/devstorage.read_only",

#ai-review-inline

OAuth scope 'cloud-platform' is overly broad and grants excessive permissions - use specific scopes instead. ```suggestion "https://www.googleapis.com/auth/logging.write", "https://www.googleapis.com/auth/monitoring", "https://www.googleapis.com/auth/devstorage.read_only", ``` #ai-review-inline
]
labels = merge(var.labels, {
role = "worker"
})
}
management {
auto_repair = true
auto_upgrade = true
}
}

16
.tofu/platforms/gke/modules/cluster/outputs.tf Normal file
View File

@@ -0,0 +1,16 @@
# ─── Cluster ─────────────────────────────────────────────────────────
output "cluster_name" {
description = "GKE cluster name"
value = google_container_cluster.main.name
}
output "project_id" {
description = "GCP project ID"
value = var.project_id
}
output "region" {
description = "GCP region"
value = var.region
}

8
.tofu/platforms/gke/modules/cluster/providers.tf Normal file
View File

@@ -0,0 +1,8 @@
terraform {
required_providers {
google = {
source = "hashicorp/google"
version = "~> 6.0"
}
}
}

48
.tofu/platforms/gke/modules/cluster/variables.tf Normal file
View File

@@ -0,0 +1,48 @@
# ─── Project / Region ────────────────────────────────────────────────
variable "project_id" {
description = "GCP project ID"
type = string
}
variable "region" {
description = "GCP region (e.g., europe-west4, europe-west1)"
type = string
}
variable "prefix" {
description = "Prefix for resource names (e.g., clst-dev)"
type = string
}
# ─── GKE Cluster ─────────────────────────────────────────────────────
variable "node_machine_type" {
description = "GKE node machine type (e.g., e2-standard-2, e2-standard-4)"
type = string
}
variable "node_count" {
description = "Number of nodes per zone (regional cluster spawns nodes in each zone)"
type = number
}
variable "kubernetes_version" {
description = "GKE Kubernetes version channel (null = STABLE release channel)"
type = string
default = null
}
variable "deletion_protection" {
description = "Prevent cluster deletion (set true for production)"
type = bool
default = false
}
# ─── Labels ──────────────────────────────────────────────────────────
variable "labels" {
description = "Labels applied to all resources"
type = map(string)
default = {}
}

17
.tofu/platforms/gke/prod/main.tf Normal file
View File

@@ -0,0 +1,17 @@
module "cluster" {
source = "../modules/cluster"
project_id = var.project_id
region = var.region
prefix = "clst"
# GKE — general-purpose nodes for production
node_machine_type = "e2-standard-4"
node_count = 3
deletion_protection = true
gitea_admin commented 2026-04-28 06:52:21 +00:00
Review
Copy Link

Consider enabling deletion protection for production clusters to prevent accidental deletion.

#ai-review-inline

Consider enabling deletion protection for production clusters to prevent accidental deletion. #ai-review-inline
labels = {
environment = "prod"
managed-by = "tofu"
}
}

3
.tofu/platforms/gke/prod/outputs.tf Normal file
View File

@@ -0,0 +1,3 @@
output "cluster_name" { value = module.cluster.cluster_name }
output "project_id" { value = module.cluster.project_id }
output "region" { value = module.cluster.region }

24
.tofu/platforms/gke/prod/providers.tf Normal file
View File

@@ -0,0 +1,24 @@
terraform {
required_providers {
google = {
source = "hashicorp/google"
version = "~> 6.0"
}
}
}
provider "google" {
project = var.project_id
region = var.region
}
variable "project_id" {
description = "GCP project ID for the prod environment"
type = string
}
variable "region" {
description = "GCP region"
type = string
default = "europe-west1"
}

194
.tofu/platforms/gke/workload/main.tf Normal file
View File

@@ -0,0 +1,194 @@
# =============================================================================
# GCP Workload Cluster
# =============================================================================
# A lean GKE cluster for running application workloads. No managed data
# services — those live on the platform cluster. ArgoCD (on the platform
# cluster) deploys apps to this cluster via the app-of-apps pattern.
#
# Platform components deployed by deploy-workload.sh:
# nginx-ingress, cert-manager, external-dns, external-secrets, alloy
#
# Usage:
# tofu init && tofu plan && tofu apply
# ./sync-tofu-outputs.sh --env gcp-workload
# ./deploy-workload.sh --env gcp-workload
# =============================================================================
variable "prefix" {
description = "Prefix for resource names (e.g., clst-workload)"
type = string
default = "clst-workload"
}
variable "node_machine_type" {
description = "GKE node machine type"
type = string
default = "e2-standard-2"
}
variable "node_count" {
description = "Number of nodes per zone"
type = number
default = 1
}
variable "kubernetes_version" {
description = "GKE Kubernetes version (null = STABLE release channel)"
type = string
default = null
}
variable "deletion_protection" {
description = "Prevent cluster deletion"
type = bool
default = false
}
variable "labels" {
description = "Labels applied to all resources"
type = map(string)
default = {
environment = "workload"
managed-by = "tofu"
}
}
# ─── Required APIs ────────────────────────────────────────────────────
resource "google_project_service" "compute" {
project = var.project_id
gitea_admin commented 2026-04-28 06:52:24 +00:00
Review
Copy Link

Variable 'project_id' is referenced but not defined in this file.

#ai-review-inline

Variable 'project_id' is referenced but not defined in this file. #ai-review-inline
service = "compute.googleapis.com"
disable_on_destroy = false
}
resource "google_project_service" "container" {
project = var.project_id
service = "container.googleapis.com"
disable_on_destroy = false
}
resource "google_project_service" "iam" {
project = var.project_id
service = "iam.googleapis.com"
disable_on_destroy = false
}
resource "google_project_service" "dns" {
project = var.project_id
service = "dns.googleapis.com"
disable_on_destroy = false
}
# ─── Networking ───────────────────────────────────────────────────────
resource "google_compute_network" "main" {
project = var.project_id
name = "${var.prefix}-vpc"
auto_create_subnetworks = false
depends_on = [google_project_service.compute]
}
resource "google_compute_subnetwork" "main" {
project = var.project_id
name = "${var.prefix}-subnet"
ip_cidr_range = "10.110.0.0/22"
region = var.region
gitea_admin commented 2026-04-28 06:52:24 +00:00
Review
Copy Link

Variable 'region' is referenced but not defined in this file.

#ai-review-inline

Variable 'region' is referenced but not defined in this file. #ai-review-inline
network = google_compute_network.main.id
secondary_ip_range {
range_name = "pods"
ip_cidr_range = "10.210.0.0/14"
}
secondary_ip_range {
range_name = "services"
ip_cidr_range = "10.214.0.0/20"
}
}
# ─── GKE Cluster ──────────────────────────────────────────────────────
resource "google_container_cluster" "main" {
project = var.project_id
name = "${var.prefix}-gke"
location = var.region
network = google_compute_network.main.id
subnetwork = google_compute_subnetwork.main.id
ip_allocation_policy {
cluster_secondary_range_name = "pods"
services_secondary_range_name = "services"
}
workload_identity_config {
workload_pool = "${var.project_id}.svc.id.goog"
}
remove_default_node_pool = true
initial_node_count = 1
deletion_protection = var.deletion_protection
dynamic "release_channel" {
for_each = var.kubernetes_version == null ? [1] : []
content {
channel = "STABLE"
}
}
resource_labels = var.labels
depends_on = [google_project_service.container]
}
resource "google_container_node_pool" "main" {
project = var.project_id
name = "${var.prefix}-nodes"
location = var.region
cluster = google_container_cluster.main.name
node_count = var.node_count
node_config {
machine_type = var.node_machine_type
workload_metadata_config {
mode = "GKE_METADATA"
}
oauth_scopes = [
"https://www.googleapis.com/auth/cloud-platform",
]
labels = merge(var.labels, { role = "worker" })
}
management {
auto_repair = true
auto_upgrade = true
}
}
# ─── External-DNS Workload Identity ──────────────────────────────────
# Allows external-dns to manage Cloud DNS records for app ingresses.
resource "google_service_account" "external_dns" {
project = var.project_id
account_id = "${var.prefix}-external-dns"
display_name = "External-DNS Service Account (Workload Identity)"
depends_on = [google_project_service.iam]
}
resource "google_project_iam_member" "external_dns_dns_admin" {
project = var.project_id
role = "roles/dns.admin"
gitea_admin commented 2026-04-28 06:52:24 +00:00
Review
Copy Link

The 'roles/dns.admin' role is overly permissive and grants broad DNS management access.

role    = "roles/dns.recordsOwner"

#ai-review-inline

The 'roles/dns.admin' role is overly permissive and grants broad DNS management access. ```suggestion role = "roles/dns.recordsOwner" ``` #ai-review-inline
member = "serviceAccount:${google_service_account.external_dns.email}"
}
resource "google_service_account_iam_member" "external_dns_workload_identity" {
service_account_id = google_service_account.external_dns.name
role = "roles/iam.workloadIdentityUser"
member = "serviceAccount:${var.project_id}.svc.id.goog[external-dns/external-dns]"
}

4
.tofu/platforms/gke/workload/outputs.tf Normal file
View File

@@ -0,0 +1,4 @@
output "cluster_name" { value = google_container_cluster.main.name }
gitea_admin commented 2026-04-28 06:52:25 +00:00
Review
Copy Link

Output value should be wrapped in quotes for consistency with Terraform string outputs.

output "cluster_name"           { value = google_container_cluster.main.name } # added

#ai-review-inline

Output value should be wrapped in quotes for consistency with Terraform string outputs. ```suggestion output "cluster_name" { value = google_container_cluster.main.name } # added ``` #ai-review-inline
output "project_id" { value = var.project_id }
gitea_admin commented 2026-04-28 06:52:25 +00:00
Review
Copy Link

Output value should be wrapped in quotes for consistency with Terraform string outputs.

output "project_id"             { value = var.project_id } # added

#ai-review-inline

Output value should be wrapped in quotes for consistency with Terraform string outputs. ```suggestion output "project_id" { value = var.project_id } # added ``` #ai-review-inline
output "region" { value = var.region }
gitea_admin commented 2026-04-28 06:52:25 +00:00
Review
Copy Link

Output value should be wrapped in quotes for consistency with Terraform string outputs.

output "region"                 { value = var.region } # added

#ai-review-inline

Output value should be wrapped in quotes for consistency with Terraform string outputs. ```suggestion output "region" { value = var.region } # added ``` #ai-review-inline
output "external_dns_gsa_email" { value = google_service_account.external_dns.email }
gitea_admin commented 2026-04-28 06:52:25 +00:00
Review
Copy Link

Output value should be wrapped in quotes for consistency with Terraform string outputs.

output "external_dns_gsa_email" { value = google_service_account.external_dns.email } # added

#ai-review-inline

Output value should be wrapped in quotes for consistency with Terraform string outputs. ```suggestion output "external_dns_gsa_email" { value = google_service_account.external_dns.email } # added ``` #ai-review-inline

26
.tofu/platforms/gke/workload/providers.tf Normal file
View File

@@ -0,0 +1,26 @@
terraform {
required_providers {
google = {
source = "hashicorp/google"
version = "~> 6.0"
gitea_admin commented 2026-04-28 06:52:24 +00:00
Review
Copy Link

Consider pinning to a more specific version range to avoid potential breaking changes from minor version updates.

      version = "~> 6.11"

#ai-review-inline

Consider pinning to a more specific version range to avoid potential breaking changes from minor version updates. ```suggestion version = "~> 6.11" ``` #ai-review-inline
}
}
}
# Authentication: use Application Default Credentials (gcloud auth application-default login)
# or set GOOGLE_APPLICATION_CREDENTIALS to a service account key file.
provider "google" {
project = var.project_id
region = var.region
}
variable "project_id" {
description = "GCP project ID for the workload environment"
type = string
}
variable "region" {
description = "GCP region"
type = string
default = "europe-west4"
}

14
.tofu/platforms/upc/dev/main.tf Normal file
View File

@@ -0,0 +1,14 @@
module "cluster" {
source = "../modules/cluster"
prefix = "clst-dev"
zone = "no-svg1"
node_plan = "DEV-1xCPU-2GB"
node_count = 2
network_cidr = "10.100.0.0/24"
tags = {
Environment = "dev"
ManagedBy = "tofu"
}
}

13
.tofu/platforms/upc/dev/outputs.tf Normal file
View File

@@ -0,0 +1,13 @@
# ─── Cluster ─────────────────────────────────────────────────────────
output "cluster_id" {
value = module.cluster.cluster_id
}
output "cluster_name" {
value = module.cluster.cluster_name
}
output "zone" {
value = module.cluster.zone
}

14
.tofu/platforms/upc/dev/providers.tf Normal file
View File

@@ -0,0 +1,14 @@
terraform {
required_version = ">= 1.0"
required_providers {
upcloud = {
source = "UpCloudLtd/upcloud"
version = "~> 5.0"
}
}
}
provider "upcloud" {
# Set via environment variables: UPCLOUD_USERNAME, UPCLOUD_PASSWORD
gitea_admin commented 2026-04-28 06:52:26 +00:00
Review
Copy Link

Provider authentication should reference environment variables explicitly or use a more secure method than username/password.

  # Authentication via environment variables:
  # UPCLOUD_USERNAME and UPCLOUD_PASSWORD
  # Consider using API tokens instead of username/password for better security

#ai-review-inline

Provider authentication should reference environment variables explicitly or use a more secure method than username/password. ```suggestion # Authentication via environment variables: # UPCLOUD_USERNAME and UPCLOUD_PASSWORD # Consider using API tokens instead of username/password for better security ``` #ai-review-inline
}

56
.tofu/platforms/upc/modules/cluster/main.tf Normal file
View File

@@ -0,0 +1,56 @@
# Router for the private network
resource "upcloud_router" "kubernetes" {
name = "${var.prefix}-${var.cluster_name}-router"
}
# Gateway for internet connectivity
resource "upcloud_gateway" "kubernetes" {
name = "${var.prefix}-${var.cluster_name}-gateway"
zone = var.zone
features = ["nat"]
router {
id = upcloud_router.kubernetes.id
}
}
# Private network for the Kubernetes cluster
resource "upcloud_network" "kubernetes" {
name = "${var.prefix}-${var.cluster_name}-network"
zone = var.zone
router = upcloud_router.kubernetes.id
ip_network {
address = var.network_cidr
dhcp = true
dhcp_default_route = true
family = "IPv4"
gateway = cidrhost(var.network_cidr, 1)
}
depends_on = [upcloud_gateway.kubernetes]
}
# Kubernetes cluster
resource "upcloud_kubernetes_cluster" "main" {
name = "${var.prefix}-${var.cluster_name}"
zone = var.zone
network = upcloud_network.kubernetes.id
control_plane_ip_filter = var.control_plane_ip_filter
gitea_admin commented 2026-04-28 06:52:26 +00:00
Review
Copy Link

Consider making control plane IP filter more restrictive than default to limit management access.

#ai-review-inline

Consider making control plane IP filter more restrictive than default to limit management access. #ai-review-inline
private_node_groups = true
gitea_admin commented 2026-04-28 06:52:26 +00:00
Review
Copy Link

Private node groups is a good security practice for isolating worker nodes from public internet.

#ai-review-inline

Private node groups is a good security practice for isolating worker nodes from public internet. #ai-review-inline
}
# Node group for worker nodes
resource "upcloud_kubernetes_node_group" "workers" {
cluster = upcloud_kubernetes_cluster.main.id
name = "${var.prefix}-${var.cluster_name}-workers"
node_count = var.node_count
plan = var.node_plan
anti_affinity = var.node_count > 1
labels = {
prefix = var.prefix
cluster = var.cluster_name
role = "worker"
env = lookup(var.tags, "Environment", "dev")
}
}

31
.tofu/platforms/upc/modules/cluster/outputs.tf Normal file
View File

@@ -0,0 +1,31 @@
# ─── Cluster ─────────────────────────────────────────────────────────
output "cluster_id" {
description = "The ID of the Kubernetes cluster"
value = upcloud_kubernetes_cluster.main.id
}
output "cluster_name" {
description = "The name of the Kubernetes cluster"
value = upcloud_kubernetes_cluster.main.name
}
output "network_id" {
description = "The ID of the private network"
value = upcloud_network.kubernetes.id
}
output "network_cidr" {
description = "The CIDR block of the private network"
value = var.network_cidr
}
output "kubernetes_version" {
description = "The Kubernetes version of the cluster"
value = upcloud_kubernetes_cluster.main.version
}
output "zone" {
description = "The zone where the cluster is deployed"
value = var.zone
}

8
.tofu/platforms/upc/modules/cluster/providers.tf Normal file
View File

@@ -0,0 +1,8 @@
terraform {
required_providers {
upcloud = {
source = "UpCloudLtd/upcloud"
version = "~> 5.0"
}
}
}

44
.tofu/platforms/upc/modules/cluster/variables.tf Normal file
View File

@@ -0,0 +1,44 @@
# ─── Cluster ─────────────────────────────────────────────────────────
variable "prefix" {
description = "Prefix for resource names"
type = string
}
variable "cluster_name" {
description = "Name of the Kubernetes cluster"
type = string
default = "main"
}
variable "zone" {
description = "UpCloud zone"
type = string
}
variable "node_plan" {
description = "UpCloud server plan for worker nodes"
type = string
}
variable "node_count" {
description = "Number of worker nodes"
type = number
}
variable "network_cidr" {
description = "CIDR block for the private network"
type = string
default = "10.100.0.0/24"
}
variable "control_plane_ip_filter" {
description = "CIDRs allowed to access the K8s API"
type = list(string)
default = ["0.0.0.0/0"]
gitea_admin commented 2026-04-28 06:52:27 +00:00
Review
Copy Link

Default control plane access allows all IPs (0.0.0.0/0), which exposes the Kubernetes API to the entire internet - this is a significant security risk.

  default     = []

#ai-review-inline

Default control plane access allows all IPs (0.0.0.0/0), which exposes the Kubernetes API to the entire internet - this is a significant security risk. ```suggestion default = [] ``` #ai-review-inline
}
variable "tags" {
description = "Labels to apply to resources"
type = map(string)
}

16
.tofu/platforms/upc/prod/main.tf Normal file
View File

@@ -0,0 +1,16 @@
module "cluster" {
source = "../modules/cluster"
prefix = "clst"
zone = "de-fra1"
node_plan = "4xCPU-8GB"
node_count = 3
network_cidr = "10.100.0.0/24"
control_plane_ip_filter = ["0.0.0.0/0"] # TODO: restrict to known CIDRs
gitea_admin commented 2026-04-28 06:52:28 +00:00
Review
Copy Link

Control plane access is exposed to the entire internet (0.0.0.0/0), which is a critical security risk for production.

  control_plane_ip_filter = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"] # Restrict to private networks

#ai-review-inline

Control plane access is exposed to the entire internet (0.0.0.0/0), which is a critical security risk for production. ```suggestion control_plane_ip_filter = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"] # Restrict to private networks ``` #ai-review-inline
tags = {
Environment = "prod"
ManagedBy = "tofu"
}
}

13
.tofu/platforms/upc/prod/outputs.tf Normal file
View File

@@ -0,0 +1,13 @@
# ─── Cluster ─────────────────────────────────────────────────────────
output "cluster_id" {
value = module.cluster.cluster_id
}
output "cluster_name" {
value = module.cluster.cluster_name
}
output "zone" {
value = module.cluster.zone
}

14
.tofu/platforms/upc/prod/providers.tf Normal file
View File

@@ -0,0 +1,14 @@
terraform {
required_version = ">= 1.0"
required_providers {
upcloud = {
source = "UpCloudLtd/upcloud"
version = "~> 5.0"
}
}
}
provider "upcloud" {
# Set via environment variables: UPCLOUD_USERNAME, UPCLOUD_PASSWORD
gitea_admin commented 2026-04-28 06:52:29 +00:00
Review
Copy Link

Authentication credentials should be explicitly documented or validated to ensure they're properly set via environment variables.

  # Authentication via environment variables: UPCLOUD_USERNAME and UPCLOUD_PASSWORD
  # Verify these are set in your CI/CD pipeline or local environment

#ai-review-inline

Authentication credentials should be explicitly documented or validated to ensure they're properly set via environment variables. ```suggestion # Authentication via environment variables: UPCLOUD_USERNAME and UPCLOUD_PASSWORD # Verify these are set in your CI/CD pipeline or local environment ``` #ai-review-inline
}

116
.tofu/platforms/upc/workload/main.tf Normal file
View File

@@ -0,0 +1,116 @@
# =============================================================================
# UpCloud Workload Cluster
# =============================================================================
# A lean UCS cluster for running application workloads. No managed data
# services — those live on the platform cluster. ArgoCD (on the platform
# cluster) deploys apps to this cluster via the app-of-apps pattern.
#
# Platform components deployed by deploy-workload.sh:
# nginx-ingress, cert-manager, external-dns, external-secrets, alloy
#
# Usage:
# tofu init && tofu plan && tofu apply
# ./sync-tofu-outputs.sh --env upcloud-workload
# ./deploy-workload.sh --env upcloud-workload
# =============================================================================
variable "prefix" {
description = "Prefix for resource names"
type = string
default = "clst-workload"
}
variable "zone" {
description = "UpCloud zone"
type = string
default = "fi-hel1"
}
variable "node_plan" {
description = "UpCloud server plan for worker nodes"
type = string
default = "2xCPU-4GB"
}
variable "node_count" {
description = "Number of worker nodes"
type = number
default = 2
}
variable "network_cidr" {
description = "CIDR block for the private network"
type = string
default = "10.110.0.0/24"
}
variable "control_plane_ip_filter" {
description = "CIDRs allowed to access the K8s API"
type = list(string)
default = ["0.0.0.0/0"]
gitea_admin commented 2026-04-28 06:52:29 +00:00
Review
Copy Link

Control plane API is exposed to the entire internet with 0.0.0.0/0 CIDR which creates a security risk.

default     = ["10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12"]

#ai-review-inline

Control plane API is exposed to the entire internet with 0.0.0.0/0 CIDR which creates a security risk. ```suggestion default = ["10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12"] ``` #ai-review-inline
}
variable "tags" {
description = "Labels to apply to resources"
type = map(string)
default = {
Environment = "workload"
ManagedBy = "tofu"
}
}
# ─── Networking ───────────────────────────────────────────────────────
resource "upcloud_router" "kubernetes" {
name = "${var.prefix}-workload-router"
}
resource "upcloud_gateway" "kubernetes" {
name = "${var.prefix}-workload-gateway"
zone = var.zone
features = ["nat"]
router {
id = upcloud_router.kubernetes.id
}
}
resource "upcloud_network" "kubernetes" {
name = "${var.prefix}-workload-network"
zone = var.zone
router = upcloud_router.kubernetes.id
ip_network {
address = var.network_cidr
dhcp = true
dhcp_default_route = true
family = "IPv4"
gateway = cidrhost(var.network_cidr, 1)
}
depends_on = [upcloud_gateway.kubernetes]
}
# ─── Kubernetes Cluster ───────────────────────────────────────────────
resource "upcloud_kubernetes_cluster" "main" {
name = "${var.prefix}-workload"
zone = var.zone
network = upcloud_network.kubernetes.id
control_plane_ip_filter = var.control_plane_ip_filter
private_node_groups = true
}
resource "upcloud_kubernetes_node_group" "workers" {
cluster = upcloud_kubernetes_cluster.main.id
name = "${var.prefix}-workload-workers"
node_count = var.node_count
plan = var.node_plan
anti_affinity = var.node_count > 1
labels = {
prefix = var.prefix
cluster = "workload"
role = "worker"
env = lookup(var.tags, "Environment", "workload")
}
}

3
.tofu/platforms/upc/workload/outputs.tf Normal file
View File

@@ -0,0 +1,3 @@
output "cluster_name" { value = upcloud_kubernetes_cluster.main.name }
output "cluster_id" { value = upcloud_kubernetes_cluster.main.id }
output "zone" { value = var.zone }

14
.tofu/platforms/upc/workload/providers.tf Normal file
View File

@@ -0,0 +1,14 @@
terraform {
required_version = ">= 1.0"
required_providers {
upcloud = {
source = "UpCloudLtd/upcloud"
version = "~> 5.0"
}
}
}
provider "upcloud" {
# Set via environment variables: UPCLOUD_USERNAME, UPCLOUD_PASSWORD
gitea_admin commented 2026-04-28 06:52:29 +00:00
Review
Copy Link

Document the required environment variables in a README or use Terraform variables with descriptions instead of relying solely on comments.

#ai-review-inline

Document the required environment variables in a README or use Terraform variables with descriptions instead of relying solely on comments. #ai-review-inline
}

66
.tofu/scripts/get-kubeconfig.sh Normal file
View File

@@ -0,0 +1,66 @@
#!/bin/bash
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
TOFU_ROOT="$(dirname "$SCRIPT_DIR")"
PROJECT_ROOT="$(dirname "$TOFU_ROOT")"
CLUSTER="${1:?Usage: $0 <cluster> (e.g., aks-dev, eks-prod)}"
PLATFORM="${CLUSTER%%-*}"
ENV="${CLUSTER#*-}"
KUBECONFIG_FILE="$PROJECT_ROOT/private/$CLUSTER/kubeconfig"
if [[ -f "$KUBECONFIG_FILE" ]]; then
echo "Kubeconfig already exists: $KUBECONFIG_FILE"
echo ""
echo " export KUBECONFIG=$KUBECONFIG_FILE"
else
echo "No cached kubeconfig. Fetching from platform..."
# Load platform credentials
ENV_FILE="$TOFU_ROOT/configs/$PLATFORM.env"
if [[ -f "$ENV_FILE" ]]; then
set -a; source "$ENV_FILE"; set +a
fi
TOFU_DIR="$TOFU_ROOT/platforms/$PLATFORM/$ENV"
mkdir -p "$(dirname "$KUBECONFIG_FILE")"
case "$PLATFORM" in
aks)
cd "$TOFU_DIR"
RG=$(tofu output -raw resource_group_name 2>/dev/null || echo "$CLUSTER-rg")
gitea_admin commented 2026-04-28 06:52:34 +00:00
Review
Copy Link

Command substitution with 'tofu output' could fail silently; add error handling or validation for the fallback values.

RG=$(tofu output -raw resource_group_name 2>/dev/null) || RG="$CLUSTER-rg"

#ai-review-inline

Command substitution with 'tofu output' could fail silently; add error handling or validation for the fallback values. ```suggestion RG=$(tofu output -raw resource_group_name 2>/dev/null) || RG="$CLUSTER-rg" ``` #ai-review-inline
NAME=$(tofu output -raw cluster_name 2>/dev/null || echo "$CLUSTER")
az aks get-credentials --resource-group "$RG" --name "$NAME" --file "$KUBECONFIG_FILE" --overwrite-existing
;;
eks)
cd "$TOFU_DIR"
NAME=$(tofu output -raw cluster_name 2>/dev/null || echo "$CLUSTER")
gitea_admin commented 2026-04-28 06:52:34 +00:00
Review
Copy Link

Command substitution with 'tofu output' could fail silently; add error handling or validation for the fallback values.

NAME=$(tofu output -raw cluster_name 2>/dev/null) || NAME="$CLUSTER"

#ai-review-inline

Command substitution with 'tofu output' could fail silently; add error handling or validation for the fallback values. ```suggestion NAME=$(tofu output -raw cluster_name 2>/dev/null) || NAME="$CLUSTER" ``` #ai-review-inline
REGION=$(tofu output -raw aws_region 2>/dev/null || echo "${AWS_REGION:-eu-west-1}")
aws eks update-kubeconfig --name "$NAME" --region "$REGION" --kubeconfig "$KUBECONFIG_FILE"
;;
gke)
cd "$TOFU_DIR"
NAME=$(tofu output -raw cluster_name 2>/dev/null || echo "$CLUSTER")
gitea_admin commented 2026-04-28 06:52:34 +00:00
Review
Copy Link

Command substitution with 'tofu output' could fail silently; add error handling or validation for the fallback values.

NAME=$(tofu output -raw cluster_name 2>/dev/null) || NAME="$CLUSTER"

#ai-review-inline

Command substitution with 'tofu output' could fail silently; add error handling or validation for the fallback values. ```suggestion NAME=$(tofu output -raw cluster_name 2>/dev/null) || NAME="$CLUSTER" ``` #ai-review-inline
REGION=$(tofu output -raw region 2>/dev/null || echo "${GCP_REGION:-europe-west4}")
PROJECT=$(tofu output -raw project_id 2>/dev/null || echo "${GCP_PROJECT_ID:-}")
gitea_admin commented 2026-04-28 06:52:34 +00:00
Review
Copy Link

Missing validation for required GCP_PROJECT_ID variable; script could fail with empty project ID.

PROJECT=$(tofu output -raw project_id 2>/dev/null) || PROJECT="${GCP_PROJECT_ID:?GCP_PROJECT_ID environment variable is required}"

#ai-review-inline

Missing validation for required GCP_PROJECT_ID variable; script could fail with empty project ID. ```suggestion PROJECT=$(tofu output -raw project_id 2>/dev/null) || PROJECT="${GCP_PROJECT_ID:?GCP_PROJECT_ID environment variable is required}" ``` #ai-review-inline
gcloud container clusters get-credentials "$NAME" --region "$REGION" --project "$PROJECT"
cp ~/.kube/config "$KUBECONFIG_FILE"
;;
upc)
cd "$TOFU_DIR"
CLUSTER_ID=$(tofu output -raw cluster_id 2>/dev/null || echo "${UPCLOUD_CLUSTER_ID:-}")
gitea_admin commented 2026-04-28 06:52:34 +00:00
Review
Copy Link

Missing validation for required UPCLOUD_CLUSTER_ID variable; script could fail with empty cluster ID.

CLUSTER_ID=$(tofu output -raw cluster_id 2>/dev/null) || CLUSTER_ID="${UPCLOUD_CLUSTER_ID:?UPCLOUD_CLUSTER_ID environment variable is required}"

#ai-review-inline

Missing validation for required UPCLOUD_CLUSTER_ID variable; script could fail with empty cluster ID. ```suggestion CLUSTER_ID=$(tofu output -raw cluster_id 2>/dev/null) || CLUSTER_ID="${UPCLOUD_CLUSTER_ID:?UPCLOUD_CLUSTER_ID environment variable is required}" ``` #ai-review-inline
upctl kubernetes config "$CLUSTER_ID" > "$KUBECONFIG_FILE"
;;
*)
echo "Error: unknown platform '$PLATFORM'"
exit 1
;;
esac
chmod 600 "$KUBECONFIG_FILE"
echo "Kubeconfig saved: $KUBECONFIG_FILE"
echo ""
echo " export KUBECONFIG=$KUBECONFIG_FILE"
fi

246
.tofu/scripts/setup-cluster.sh Normal file
View File

@@ -0,0 +1,246 @@
#!/bin/bash
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
TOFU_ROOT="$(dirname "$SCRIPT_DIR")"
PROJECT_ROOT="$(dirname "$TOFU_ROOT")"
# ─── Usage ────────────────────────────────────────────────────────────
usage() {
cat <<EOF
Usage: $0 <cluster> [options]
Provision a Kubernetes cluster using OpenTofu.
Mirrors bootstrap.sh convention: cluster = <platform>-<env>
Clusters: aks-dev | aks-prod | eks-dev | eks-prod
gke-dev | gke-prod | upc-dev | upc-prod
<platform>-workload (for workload clusters)
Options:
--plan Plan only, don't apply
--destroy Destroy the cluster (use teardown-cluster.sh instead)
--auto Skip confirmation prompts
-h, --help Show this help
Examples:
$0 aks-dev
$0 eks-prod --plan
$0 upc-dev --auto
Prerequisites:
- tofu, kubectl, helm installed
- Platform credentials in .tofu/configs/<platform>.env
- Cluster config in clusters/<cluster>.yaml
After provisioning, run:
./bootstrap.sh <cluster>
EOF
exit "${1:-0}"
}
# ─── Parse arguments ──────────────────────────────────────────────────
CLUSTER=""
PLAN_ONLY=false
DESTROY=false
AUTO_APPROVE=false
while [[ $# -gt 0 ]]; do
case "$1" in
--plan) PLAN_ONLY=true; shift ;;
--destroy) DESTROY=true; shift ;;
--auto) AUTO_APPROVE=true; shift ;;
-h|--help) usage 0 ;;
-*) echo "Unknown option: $1"; usage 1 ;;
*)
if [[ -z "$CLUSTER" ]]; then
CLUSTER="$1"
else
echo "Error: unexpected argument '$1'"
usage 1
fi
shift
;;
esac
done
[[ -z "$CLUSTER" ]] && { echo "Error: <cluster> argument required"; usage 1; }
# ─── Map cluster → platform + env ────────────────────────────────────
PLATFORM="${CLUSTER%%-*}" # aks-dev → aks
ENV="${CLUSTER#*-}" # aks-dev → dev
case "$PLATFORM" in
aks|eks|gke|upc) ;;
*) echo "Error: unknown platform '$PLATFORM'. Expected: aks, eks, gke, upc"; exit 1 ;;
esac
TOFU_DIR="$TOFU_ROOT/platforms/$PLATFORM/$ENV"
if [[ ! -d "$TOFU_DIR" ]]; then
echo "Error: tofu directory not found: $TOFU_DIR"
echo "Available environments for $PLATFORM:"
ls -1 "$TOFU_ROOT/platforms/$PLATFORM/" 2>/dev/null | grep -v modules || echo " (none)"
exit 1
fi
echo "========================================="
echo " Kubernetes Cluster Setup"
echo "========================================="
echo ""
echo " Cluster: $CLUSTER"
echo " Platform: $PLATFORM"
echo " Env: $ENV"
echo " Tofu dir: $TOFU_DIR"
echo ""
# ─── Prerequisites ────────────────────────────────────────────────────
echo "=== Checking Prerequisites ==="
command -v tofu >/dev/null 2>&1 || { echo "Error: tofu is not installed."; exit 1; }
command -v kubectl >/dev/null 2>&1 || { echo "Error: kubectl is not installed."; exit 1; }
command -v helm >/dev/null 2>&1 || { echo "Error: helm is not installed."; exit 1; }
echo " tofu, kubectl, helm: OK"
# ─── Load platform credentials ────────────────────────────────────────
ENV_FILE="$TOFU_ROOT/configs/$PLATFORM.env"
if [[ -f "$ENV_FILE" ]]; then
echo " Loading credentials from configs/$PLATFORM.env"
set -a
# shellcheck disable=SC1090
source "$ENV_FILE"
set +a
else
echo " Warning: $ENV_FILE not found — using existing environment/CLI auth"
echo " Copy configs/$PLATFORM.env.example → configs/$PLATFORM.env to configure"
fi
# ─── Load cluster config (if exists) ──────────────────────────────────
CLUSTER_CONFIG="$PROJECT_ROOT/clusters/$CLUSTER.yaml"
if [[ -f "$CLUSTER_CONFIG" ]]; then
echo " Loading cluster config from clusters/$CLUSTER.yaml"
if command -v yq >/dev/null 2>&1; then
eval "$(yq -r 'to_entries[] | "export CLUSTER_\(.key)=\"\(.value)\""' "$CLUSTER_CONFIG")"
Ghost marked this conversation as resolved
gitea_admin commented 2026-04-28 06:52:36 +00:00
Review
Copy Link

Potential command injection vulnerability when using yq with user-controlled cluster config.

    # Parse cluster config safely
    if yq -e '.clusterName' "$CLUSTER_CONFIG" >/dev/null 2>&1; then
      CLUSTER_NAME=$(yq -r '.clusterName' "$CLUSTER_CONFIG")
      export CLUSTER_clusterName="$CLUSTER_NAME"
      echo "  Cluster name: $CLUSTER_NAME"
    fi

#ai-review-inline

Potential command injection vulnerability when using yq with user-controlled cluster config. ```suggestion # Parse cluster config safely if yq -e '.clusterName' "$CLUSTER_CONFIG" >/dev/null 2>&1; then CLUSTER_NAME=$(yq -r '.clusterName' "$CLUSTER_CONFIG") export CLUSTER_clusterName="$CLUSTER_NAME" echo " Cluster name: $CLUSTER_NAME" fi ``` #ai-review-inline
echo " Cluster name: ${CLUSTER_clusterName:-$CLUSTER}"
else
echo " Warning: yq not installed — cluster config not loaded"
fi
else
echo " Warning: $CLUSTER_CONFIG not found — using defaults"
fi
echo ""
# ─── Run OpenTofu ─────────────────────────────────────────────────────
cd "$TOFU_DIR"
echo "=== Initializing OpenTofu ==="
tofu init
echo ""
if $DESTROY; then
echo "=== Planning Destruction ==="
tofu plan -destroy -out=tfplan
if ! $AUTO_APPROVE; then
echo ""
read -rp "DESTROY cluster $CLUSTER? This is irreversible. (yes/no) " REPLY
[[ "$REPLY" == "yes" ]] || { echo "Cancelled."; exit 1; }
fi
echo "Destroying infrastructure..."
tofu apply tfplan
echo ""
echo "=== Cluster $CLUSTER Destroyed ==="
elif $PLAN_ONLY; then
echo "=== Planning Infrastructure ==="
tofu plan
echo ""
echo "=== Plan complete (--plan mode, no changes applied) ==="
else
echo "=== Planning Infrastructure ==="
tofu plan -out=tfplan
if ! $AUTO_APPROVE; then
echo ""
read -rp "Apply this plan for $CLUSTER? (y/n) " -n 1 REPLY
echo
[[ "$REPLY" =~ ^[Yy]$ ]] || { echo "Cancelled."; exit 1; }
fi
echo "Applying infrastructure..."
tofu apply tfplan
# ─── Save kubeconfig ──────────────────────────────────────────────
KUBECONFIG_DIR="$PROJECT_ROOT/private/$CLUSTER"
mkdir -p "$KUBECONFIG_DIR"
KUBECONFIG_FILE="$KUBECONFIG_DIR/kubeconfig"
echo ""
echo "=== Saving Kubeconfig ==="
case "$PLATFORM" in
aks)
if tofu output -raw kubeconfig > "$KUBECONFIG_FILE" 2>/dev/null; then
echo " Saved from tofu output"
else
echo " Fetching from Azure CLI..."
RG=$(tofu output -raw resource_group_name 2>/dev/null || echo "${CLUSTER_clusterName:-$CLUSTER}-rg")
Ghost marked this conversation as resolved
gitea_admin commented 2026-04-28 06:52:36 +00:00
Review
Copy Link

Unquoted variable substitution could lead to command injection if cluster name contains special characters.

        RG=$(tofu output -raw resource_group_name 2>/dev/null || echo "${CLUSTER_clusterName:-$CLUSTER}-rg")

#ai-review-inline

Unquoted variable substitution could lead to command injection if cluster name contains special characters. ```suggestion RG=$(tofu output -raw resource_group_name 2>/dev/null || echo "${CLUSTER_clusterName:-$CLUSTER}-rg") ``` #ai-review-inline
NAME=$(tofu output -raw cluster_name 2>/dev/null || echo "${CLUSTER_clusterName:-$CLUSTER}")
Ghost marked this conversation as resolved
gitea_admin commented 2026-04-28 06:52:36 +00:00
Review
Copy Link

Unquoted variable substitution could lead to command injection.

        NAME=$(tofu output -raw cluster_name 2>/dev/null || echo "${CLUSTER_clusterName:-$CLUSTER}")

#ai-review-inline

Unquoted variable substitution could lead to command injection. ```suggestion NAME=$(tofu output -raw cluster_name 2>/dev/null || echo "${CLUSTER_clusterName:-$CLUSTER}") ``` #ai-review-inline
az aks get-credentials --resource-group "$RG" --name "$NAME" --file "$KUBECONFIG_FILE" --overwrite-existing
fi
;;
eks)
NAME=$(tofu output -raw cluster_name 2>/dev/null || echo "${CLUSTER_clusterName:-$CLUSTER}")
Ghost marked this conversation as resolved
gitea_admin commented 2026-04-28 06:52:36 +00:00
Review
Copy Link

Unquoted variable substitution could lead to command injection.

      NAME=$(tofu output -raw cluster_name 2>/dev/null || echo "${CLUSTER_clusterName:-$CLUSTER}")

#ai-review-inline

Unquoted variable substitution could lead to command injection. ```suggestion NAME=$(tofu output -raw cluster_name 2>/dev/null || echo "${CLUSTER_clusterName:-$CLUSTER}") ``` #ai-review-inline
REGION=$(tofu output -raw aws_region 2>/dev/null || echo "${AWS_REGION:-eu-west-1}")
aws eks update-kubeconfig --name "$NAME" --region "$REGION" --kubeconfig "$KUBECONFIG_FILE"
;;
gke)
NAME=$(tofu output -raw cluster_name 2>/dev/null || echo "${CLUSTER_clusterName:-$CLUSTER}")
Ghost marked this conversation as resolved
gitea_admin commented 2026-04-28 06:52:36 +00:00
Review
Copy Link

Unquoted variable substitution could lead to command injection.

      NAME=$(tofu output -raw cluster_name 2>/dev/null || echo "${CLUSTER_clusterName:-$CLUSTER}")

#ai-review-inline

Unquoted variable substitution could lead to command injection. ```suggestion NAME=$(tofu output -raw cluster_name 2>/dev/null || echo "${CLUSTER_clusterName:-$CLUSTER}") ``` #ai-review-inline
REGION=$(tofu output -raw region 2>/dev/null || echo "${GCP_REGION:-europe-west4}")
PROJECT=$(tofu output -raw project_id 2>/dev/null || echo "${GCP_PROJECT_ID:-}")
gcloud container clusters get-credentials "$NAME" --region "$REGION" --project "$PROJECT" 2>/dev/null \
&& cp ~/.kube/config "$KUBECONFIG_FILE" \
|| echo " Warning: could not fetch kubeconfig via gcloud"
;;
upc)
if tofu output -raw kubeconfig > "$KUBECONFIG_FILE" 2>/dev/null; then
echo " Saved from tofu output"
else
CLUSTER_ID=$(tofu output -raw cluster_id 2>/dev/null || echo "${UPCLOUD_CLUSTER_ID:-}")
if [[ -n "$CLUSTER_ID" ]]; then
upctl kubernetes config "$CLUSTER_ID" > "$KUBECONFIG_FILE"
else
echo " Warning: could not determine cluster ID for kubeconfig"
fi
fi
;;
esac
if [[ -f "$KUBECONFIG_FILE" ]]; then
chmod 600 "$KUBECONFIG_FILE"
echo " Kubeconfig: $KUBECONFIG_FILE"
fi
# ─── Wait for nodes ──────────────────────────────────────────────
echo ""
echo "=== Waiting for Cluster Nodes ==="
export KUBECONFIG="$KUBECONFIG_FILE"
if kubectl wait --for=condition=Ready nodes --all --timeout=300s 2>/dev/null; then
echo " All nodes ready"
else
echo " Warning: nodes not ready within timeout — check cluster status"
fi
# ─── Summary ─────────────────────────────────────────────────────
echo ""
echo "========================================="
echo " Cluster $CLUSTER Provisioned"
echo "========================================="
echo ""
echo " Kubeconfig: $KUBECONFIG_FILE"
echo ""
echo " Next steps:"
echo " export KUBECONFIG=$KUBECONFIG_FILE"
echo " ./bootstrap.sh $CLUSTER"
echo ""
fi

7
.tofu/scripts/teardown-cluster.sh Normal file
View File

@@ -0,0 +1,7 @@
#!/bin/bash
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# Delegate to setup-cluster.sh with --destroy flag
exec "$SCRIPT_DIR/setup-cluster.sh" "$@" --destroy
gitea_admin commented 2026-04-28 06:52:30 +00:00
Review
Copy Link

Using exec with user-provided arguments ($@) before --destroy creates a command injection risk if malicious arguments are passed.

exec "$SCRIPT_DIR/setup-cluster.sh" --destroy "$@"

#ai-review-inline

Using exec with user-provided arguments ($@) before --destroy creates a command injection risk if malicious arguments are passed. ```suggestion exec "$SCRIPT_DIR/setup-cluster.sh" --destroy "$@" ``` #ai-review-inline

19
README.md
View File

@@ -80,8 +80,23 @@ This repository contains the complete GitOps configuration for our Kubernetes cl
``` ```
. .
├── bootstrap.sh # Cluster initialization script ├── bootstrap.sh # Cluster initialization (ArgoCD + GitOps)
├── _app-of-apps.yaml # Root ArgoCD Application (App-of-Apps pattern) ├── _app-of-apps-{cluster}.yaml # Root ArgoCD Application (per cluster)
├── .tofu/ # Infrastructure provisioning (OpenTofu)
│ ├── platforms/ # Per-platform IaC (one dir per cloud)
│ │ ├── aks/ # Azure AKS (modules/ + dev/ + prod/ + workload/)
│ │ ├── eks/ # AWS EKS
│ │ ├── gke/ # GCP GKE
│ │ └── upc/ # UpCloud
│ ├── configs/ # Platform credentials (git-ignored)
│ │ └── *.env.example # Template for each platform
│ └── scripts/ # Cluster lifecycle scripts
│ ├── setup-cluster.sh # Create cluster: ./setup-cluster.sh aks-dev
│ ├── teardown-cluster.sh
│ └── get-kubeconfig.sh
├── clusters/ # Cluster metadata (domain, trustedIPs, etc.)
├── infra/ # Infrastructure ArgoCD Applications (Kustomize multi-cluster) ├── infra/ # Infrastructure ArgoCD Applications (Kustomize multi-cluster)
│ ├── base/ # Base ArgoCD Application manifests (one dir per component) │ ├── base/ # Base ArgoCD Application manifests (one dir per component)

27
docs/GITOPS-ARCHITECTURE.md
View File

@@ -115,9 +115,30 @@ This Kubernetes cluster uses a **GitOps approach** powered by **ArgoCD**, where
``` ```
launchpad/ launchpad/
├── bootstrap.sh # Cluster initialization script ├── bootstrap.sh # Cluster initialization (ArgoCD + GitOps)
├── _app-of-apps-upc-dev.yaml # Root ArgoCD Application (upc-dev cluster) ├── _app-of-apps-{cluster}.yaml # Root ArgoCD Application (per cluster)
├── _app-of-apps-upc-prod.yaml # Root ArgoCD Application (upc-prod cluster)
├── .tofu/ # Infrastructure provisioning (OpenTofu)
│ ├── platforms/ # Per-platform IaC
│ │ ├── aks/ # Azure AKS
│ │ │ ├── modules/cluster/ # Reusable AKS module
│ │ │ ├── dev/ # tofu root for aks-dev
│ │ │ ├── prod/ # tofu root for aks-prod
│ │ │ └── workload/ # workload cluster (no data services)
│ │ ├── eks/ # AWS EKS (same structure)
│ │ ├── gke/ # GCP GKE
│ │ └── upc/ # UpCloud
│ ├── configs/ # Platform credentials (git-ignored)
│ │ └── {platform}.env.example # Template per platform
│ └── scripts/
│ ├── setup-cluster.sh # ./setup-cluster.sh <cluster> [--plan|--auto]
│ ├── teardown-cluster.sh # ./teardown-cluster.sh <cluster>
│ └── get-kubeconfig.sh # ./get-kubeconfig.sh <cluster>
├── clusters/ # Cluster metadata YAML (domain, IPs, etc.)
│ ├── aks-dev.yaml
│ ├── upc-dev.yaml
│ └── ...
├── infra/ # Infrastructure ArgoCD Applications (Kustomize) ├── infra/ # Infrastructure ArgoCD Applications (Kustomize)
│ ├── base/ # Base Application manifests (one dir per component) │ ├── base/ # Base Application manifests (one dir per component)

19
docs/REFERENCE.md
View File

@@ -72,9 +72,22 @@ Internet
``` ```
launchpad/ launchpad/
├── bootstrap.sh # Cluster initialization script ├── bootstrap.sh # Cluster initialization (ArgoCD + GitOps)
├── _app-of-apps-upc-dev.yaml # Root ArgoCD Application (upc-dev) ├── _app-of-apps-{cluster}.yaml # Root ArgoCD Application (per cluster)
├── _app-of-apps-upc-prod.yaml # Root ArgoCD Application (upc-prod)
├── .tofu/ # Infrastructure provisioning (OpenTofu)
│ ├── platforms/ # Per-platform IaC
│ │ ├── aks/ # Azure: modules/cluster/, dev/, prod/, workload/
│ │ ├── eks/ # AWS: same structure
│ │ ├── gke/ # GCP
│ │ └── upc/ # UpCloud
│ ├── configs/ # Platform credentials (git-ignored)
│ └── scripts/ # setup-cluster.sh, teardown-cluster.sh, get-kubeconfig.sh
├── clusters/ # Cluster metadata YAML
│ ├── aks-dev.yaml
│ ├── upc-dev.yaml
│ └── ...
├── infra/ # Infrastructure applications (Kustomize) ├── infra/ # Infrastructure applications (Kustomize)
│ ├── base/ # One subdirectory per component │ ├── base/ # One subdirectory per component