eks infra, pipeline changes

Author: vonschtirlitz

.github/workflows/build-and-deploy.yml

@@ -66,4 +66,21 @@ jobs:
             ${{ env.ECR_REGISTRY }}/${{ env.ECR_REPOSITORY }}:${{ steps.meta.outputs.IMAGE_TAG }}
             ${{ env.ECR_REGISTRY }}/${{ env.ECR_REPOSITORY }}:latest
           cache-from: type=registry,ref=${{ env.ECR_REGISTRY }}/${{ env.ECR_REPOSITORY }}:buildcache,image-manifest=true
-          cache-to:   type=registry,ref=${{ env.ECR_REGISTRY }}/${{ env.ECR_REPOSITORY }}:buildcache,mode=max,image-manifest=true
+          cache-to:   type=registry,ref=${{ env.ECR_REGISTRY }}/${{ env.ECR_REPOSITORY }}:buildcache,mode=max,image-manifest=true
+
+      # after ECR push
+      - name: ⬇️  Configure AWS creds & kubeconfig
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.OIDC_ROLE_ARN }}   # rimworld_hay_calc_github_oidc
+          aws-region: ${{ vars.AWS_REGION }}
+
+      - run: aws eks update-kubeconfig \
+            --name rimworld-hay-calc-dev-eks \
+            --region ${{ vars.AWS_REGION }}
+
+      - name: 🚀  Deploy
+        run: |
+          IMAGE=${{ env.ECR_REGISTRY }}/${{ env.ECR_REPOSITORY }}:${{ steps.meta.outputs.IMAGE_TAG }}
+          kubectl set image deployment/rimworld-hay-calc web=$IMAGE --record || \
+            kubectl apply -f infra/k8s/dev-deployment.yaml

.gitignore

@@ -23,5 +23,5 @@ dist-ssr
 *.sln
 *.sw?
 
-.terraform/*
+**/.terraform/
 .terraform.tfstate*

infra/eks.tf

@@ -0,0 +1,91 @@
+###############################################################################
+#  1. Tiny VPC  (skip if you already have one)
+###############################################################################
+data "aws_availability_zones" "available" { state = "available" }
+
+locals {
+  azs = slice(data.aws_availability_zones.available.names, 0, 2)
+}
+
+
+module "vpc" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "~> 5.0"
+
+  name = "${var.project_name}-${var.environment}-vpc"
+  cidr = "10.10.0.0/24"
+  azs  = local.azs
+
+  public_subnets  = ["10.10.0.0/26", "10.10.0.64/26"] # /26 = 64 IPs
+  private_subnets = ["10.10.0.128/26","10.10.0.192/26"]
+
+  enable_nat_gateway = true # keep it ultra-minimal
+  single_nat_gateway = true
+
+  tags = var.global_tags
+}
+
+###############################################################################
+# 2. EKS cluster (minimal)
+###############################################################################
+module "eks" {
+  source  = "terraform-aws-modules/eks/aws"
+  version = "~> 20.0"
+
+  cluster_name    = "${var.project_name}-${var.environment}-eks"
+  cluster_version = "1.28"
+  subnet_ids      = module.vpc.private_subnets
+  vpc_id          = module.vpc.vpc_id
+
+  #access
+   cluster_endpoint_public_access  = true
+   cluster_endpoint_public_access_cidrs = [
+    "136.57.60.172/32",
+    "0.0.0.0/0"
+  ]
+
+
+  # One small managed node group
+  eks_managed_node_groups = {}
+  fargate_profiles = {
+    all = {
+      selectors = [{ namespace = "default" }]
+    }
+  }
+
+  # map the GitHub OIDC deploy role so CI can kubectl
+  access_entries = {
+    github-ci = {
+      principal_arn     = aws_iam_role.github_deploy.arn
+      kubernetes_groups = ["cluster-admin"]
+    }
+  }
+ 
+  cluster_enabled_log_types = [
+    "api", "audit", "authenticator", "controllerManager", "scheduler"
+  ]
+
+  cloudwatch_log_group_retention_in_days = 30
+
+  tags = var.global_tags
+}
+
+# aws-for-fluent-bit add-on (EKS add-ons support add-ons/v1 API)
+# resource "aws_eks_addon" "fluentbit" {
+#   cluster_name   = module.eks.cluster_name
+#   addon_name     = "aws-for-fluent-bit"
+#   addon_version  = "v2.31.0-eksbuild.1"           # latest as of 2025-07
+#   resolve_conflicts_on_create = "OVERWRITE"
+
+#   tags = var.global_tags
+# }
+
+# resource "aws_cloudwatch_log_group" "app_logs" {
+#   name              = "/aws/containerinsights/${module.eks.cluster_name}/application"
+#   retention_in_days = 30
+# }
+
+output "cluster_name"  { value = module.eks.cluster_name }
+output "cluster_endpoint" { value = module.eks.cluster_endpoint }
+output "cluster_ca"    { value = module.eks.cluster_certificate_authority_data }
+

infra/envs/dev/.terraform.lock.hcl

@@ -5,6 +5,8 @@ module "rimworld_hay_calc" {
   aws_region    = var.aws_region
   github_repo   = var.github_repo
   project_name  = var.project_name
+  global_tags   = var.global_tags
+  environment   = var.environment
 }
 
 # Re-expose useful outputs

infra/envs/dev/main.tf

@@ -1,3 +1,8 @@
 github_repo = "vonschtirlitz/rimworld-hay-calc"
 aws_region = "us-east-1"
-project_name = "rimworld-hay-calc"
+project_name = "rimworld-hay-calc"
+environment = "dev"
+global_tags = {
+  Project = "RimworldHayCalc"
+  Application = "rimworld-hay-calc"
+}

infra/envs/dev/terraform.tfvars

@@ -1,3 +1,5 @@
 variable "aws_region"   { type = string }
 variable "github_repo"  { type = string }
-variable "project_name" { type = string }
+variable "project_name" { type = string }
+variable "global_tags"  { type = map(string) }
+variable "environment" { type = string }

infra/envs/dev/variables.tf

@@ -20,7 +20,7 @@ data "aws_iam_policy_document" "github_trust" {
     effect = "Allow"
     principals {
       type        = "Federated"
-      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/token.actions.githubusercontent.com"]
+      identifiers = [aws_iam_openid_connect_provider.github.arn]
     }
     actions = ["sts:AssumeRoleWithWebIdentity"]
 
@@ -47,3 +47,56 @@ resource "aws_iam_role_policy_attachment" "ecr_power" {
   role       = aws_iam_role.github_deploy.name
   policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPowerUser"
 }
+
+resource "aws_iam_openid_connect_provider" "github" {
+  url = "https://token.actions.githubusercontent.com"
+
+  # GitHub always sends this client_id
+  client_id_list = ["sts.amazonaws.com"]
+
+  # Thumbprint for DigiCert Global Root G2 (valid as of 2025-07)
+  thumbprint_list = ["6938fd4d98bab03faadb97b34396831e3780aea1"]
+
+  tags = {
+    Name    = "github-oidc"
+    Project = var.global_tags["Project"]
+  }
+}
+
+output "github_oidc_provider_arn" {
+  value = aws_iam_openid_connect_provider.github.arn
+}
+
+########################
+#  AWS COST TRACKING   #
+########################
+# resource "aws_ce_cost_allocation_tag" "project" {
+#   tag_key   = "Project"
+#   status    = "Active"    # must be Active to show up in Cost Explorer
+# }
+
+# resource "aws_ce_cost_allocation_tag" "environment" {
+#   tag_key   = "Environment"
+#   status    = "Active"
+# }
+
+# resource "aws_ce_cost_allocation_tag" "application" {
+#   tag_key = "Application"
+#   status  = "Active"
+# }
+
+resource "aws_resourcegroups_group" "my_app" {
+  name = "${var.global_tags["Application"]}-${var.environment}"
+
+  resource_query {
+    query = jsonencode({
+      ResourceTypeFilters = ["AWS::AllSupported"]
+      TagFilters = [
+        { Key = "Application", Values = [var.global_tags["Application"]] },
+        { Key = "Environment", Values = [var.environment] }
+      ]
+    })
+  }
+
+  tags = var.global_tags
+}

infra/main.tf

@@ -14,10 +14,16 @@ variable "global_tags" {
   type = map(string)
   default = {
     Project = "RimworldHayCalc"
+    Application = "rimworld-hay-calc"
   }
 }
 
 variable "github_repo" {
   description = "owner/repo used in the GitHub OIDC subject"
   type        = string
+}
+
+variable "environment"     {
+    type = string
+    description = "Environment name, e.g. dev, staging, prod"
 }