Bump module versions

[brettcurtis]

Summary by CodeRabbit

• New Features

  • Updated the Google provider version to 6.14.1 across multiple components.
  • Updated the Helm provider version to 2.17.0 across multiple components.
  • Updated the Kubernetes provider version to 2.35.1 across multiple components.
  • Incremented the version of various modules, including Kubernetes Cert Manager, Kubernetes Datadog Operator, Kubernetes Istio, and OPA Gatekeeper.
  • Added a new backstage namespace entry in the configuration.
  • Updated the remote_bucket variable in multiple Terraform variable files for various environments.

• Documentation

  • Updated version numbers in README files to reflect the latest provider and module versions.

[coderabbitai]

Walkthrough

This pull request involves multiple updates across various Terraform configuration files, primarily focusing on version upgrades for Terraform providers (Google, Helm, Kubernetes) and several Kubernetes-related modules. The changes span multiple directories, including cert-manager, datadog, istio, onboarding, and opa-gatekeeper. The updates include incrementing provider versions from 6.12.0 to 6.14.1 for Google, 2.16.1 to 2.17.0 for Helm, and 2.34.0 to 2.35.1 for Kubernetes, along with corresponding hash value updates in .terraform.lock.hcl files. Additionally, the Checkov repository version is updated in the .pre-commit-config.yaml file.

Changes

File/Path	Change Summary
.pre-commit-config.yaml	Checkov repository version updated from 3.2.296 to 3.2.344, pre-commit-terraform version updated from v1.96.2 to v1.96.3, --skip-check argument modified to only skip CKV_TF_1.
.terraform.lock.hcl files	Provider versions updated: Google (6.12.0 → 6.14.1), Helm (2.16.1 → 2.17.0), Kubernetes (2.34.0 → 2.35.1); new hashes added.
regional/*/README.md	Provider and module versions updated across multiple directories.
regional/*/main.tf	Module source references updated to newer versions.
shared/tfvars/sandbox.tfvars	New entry added for backstage namespace in kubernetes_engine_namespaces, and google_service_account for gke-info updated.
.github/ISSUE_TEMPLATE/add-update-k8s-namespace.yml	Placeholder examples for OIDC service account emails updated.
.github/workflows/*.yml	service_account and terraform_state_bucket parameters updated across multiple jobs.
regional/*/tfvars/*.tfvars	remote_bucket variable updated across multiple environments.

Possibly related PRs

• Refactor project ID and number references #142: Updates Checkov repository version in .pre-commit-config.yaml.
• Consume terraform-kubernetes-cert-manager Terraform child module #150: Introduces new jobs in GitHub Actions workflows for managing cert-manager resources.
• Enable Datadog integration and update module references in manifests #275: Modifies Checkov hook arguments in .pre-commit-config.yaml.

Suggested labels

enhancement

Suggested reviewers

• osinfra-sa

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai or @coderabbitai title anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[infracost]

💰 Infracost report

Monthly estimate generated

Estimate details (includes details of unsupported resources and skipped projects due to errors)

──────────────────────────────────
Project: main-production
Errors:
  Diff baseline error:
    Error loading Terraform modules:
      could not load modules for path /usr/src/app/osinfra-io/google-cloud-kubernetes/main open /usr/src/app/osinfra-io/google-cloud-kubernetes/main/.infracost/terraform_modules/0b4ad10c0a3cad31f1ab128d4a778444/root:
        no such file or directory

──────────────────────────────────
Project: main-sandbox
Errors:
  Diff baseline error:
    Error loading Terraform modules:
      could not load modules for path /usr/src/app/osinfra-io/google-cloud-kubernetes/main open /usr/src/app/osinfra-io/google-cloud-kubernetes/main/.infracost/terraform_modules/0b4ad10c0a3cad31f1ab128d4a778444/root:
        no such file or directory

──────────────────────────────────
Project: regional-cert-manager-istio-csr-production
Module path: regional/cert-manager/istio-csr
Errors:
  Diff baseline error:
    Error loading Terraform modules:
      could not load modules for path /usr/src/app/osinfra-io/google-cloud-kubernetes/main/regional/cert-manager/istio-csr open /usr/src/app/osinfra-io/google-cloud-kubernetes/main/.infracost/terraform_modules/0b4ad10c0a3cad31f1ab128d4a778444/root:
        no such file or directory

──────────────────────────────────
Project: regional-cert-manager-istio-csr-sandbox
Module path: regional/cert-manager/istio-csr
Errors:
  Diff baseline error:
    Error loading Terraform modules:
      could not load modules for path /usr/src/app/osinfra-io/google-cloud-kubernetes/main/regional/cert-manager/istio-csr open /usr/src/app/osinfra-io/google-cloud-kubernetes/main/.infracost/terraform_modules/0b4ad10c0a3cad31f1ab128d4a778444/root:
        no such file or directory

──────────────────────────────────
Project: regional-cert-manager-production
Module path: regional/cert-manager
Errors:
  Diff baseline error:
    Error loading Terraform modules:
      could not load modules for path /usr/src/app/osinfra-io/google-cloud-kubernetes/main/regional/cert-manager open /usr/src/app/osinfra-io/google-cloud-kubernetes/main/.infracost/terraform_modules/0b4ad10c0a3cad31f1ab128d4a778444/root:
        no such file or directory

──────────────────────────────────
Project: regional-cert-manager-sandbox
Module path: regional/cert-manager
Errors:
  Diff baseline error:
    Error loading Terraform modules:
      could not load modules for path /usr/src/app/osinfra-io/google-cloud-kubernetes/main/regional/cert-manager open /usr/src/app/osinfra-io/google-cloud-kubernetes/main/.infracost/terraform_modules/0b4ad10c0a3cad31f1ab128d4a778444/root:
        no such file or directory

──────────────────────────────────
Project: regional-datadog-manifests-production
Module path: regional/datadog/manifests
Errors:
  Diff baseline error:
    Error loading Terraform modules:
      could not load modules for path /usr/src/app/osinfra-io/google-cloud-kubernetes/main/regional/datadog/manifests open /usr/src/app/osinfra-io/google-cloud-kubernetes/main/.infracost/terraform_modules/0b4ad10c0a3cad31f1ab128d4a778444/root:
        no such file or directory

──────────────────────────────────
Project: regional-datadog-manifests-sandbox
Module path: regional/datadog/manifests
Errors:
  Diff baseline error:
    Error loading Terraform modules:
      could not load modules for path /usr/src/app/osinfra-io/google-cloud-kubernetes/main/regional/datadog/manifests open /usr/src/app/osinfra-io/google-cloud-kubernetes/main/.infracost/terraform_modules/0b4ad10c0a3cad31f1ab128d4a778444/root:
        no such file or directory

──────────────────────────────────
Project: regional-datadog-production
Module path: regional/datadog
Errors:
  Diff baseline error:
    Error loading Terraform modules:
      could not load modules for path /usr/src/app/osinfra-io/google-cloud-kubernetes/main/regional/datadog open /usr/src/app/osinfra-io/google-cloud-kubernetes/main/.infracost/terraform_modules/0b4ad10c0a3cad31f1ab128d4a778444/root:
        no such file or directory

──────────────────────────────────
Project: regional-datadog-sandbox
Module path: regional/datadog
Errors:
  Diff baseline error:
    Error loading Terraform modules:
      could not load modules for path /usr/src/app/osinfra-io/google-cloud-kubernetes/main/regional/datadog open /usr/src/app/osinfra-io/google-cloud-kubernetes/main/.infracost/terraform_modules/0b4ad10c0a3cad31f1ab128d4a778444/root:
        no such file or directory

──────────────────────────────────
Project: regional-istio-manifests-production
Module path: regional/istio/manifests
Errors:
  Diff baseline error:
    Error loading Terraform modules:
      could not load modules for path /usr/src/app/osinfra-io/google-cloud-kubernetes/main/regional/istio/manifests open /usr/src/app/osinfra-io/google-cloud-kubernetes/main/.infracost/terraform_modules/0b4ad10c0a3cad31f1ab128d4a778444/root:
        no such file or directory

──────────────────────────────────
Project: regional-istio-manifests-sandbox
Module path: regional/istio/manifests
Errors:
  Diff baseline error:
    Error loading Terraform modules:
      could not load modules for path /usr/src/app/osinfra-io/google-cloud-kubernetes/main/regional/istio/manifests open /usr/src/app/osinfra-io/google-cloud-kubernetes/main/.infracost/terraform_modules/0b4ad10c0a3cad31f1ab128d4a778444/root:
        no such file or directory

──────────────────────────────────
Project: regional-istio-production
Module path: regional/istio
Errors:
  Diff baseline error:
    Error loading Terraform modules:
      could not load modules for path /usr/src/app/osinfra-io/google-cloud-kubernetes/main/regional/istio open /usr/src/app/osinfra-io/google-cloud-kubernetes/main/.infracost/terraform_modules/0b4ad10c0a3cad31f1ab128d4a778444/root:
        no such file or directory

──────────────────────────────────
Project: regional-istio-sandbox
Module path: regional/istio
Errors:
  Diff baseline error:
    Error loading Terraform modules:
      could not load modules for path /usr/src/app/osinfra-io/google-cloud-kubernetes/main/regional/istio open /usr/src/app/osinfra-io/google-cloud-kubernetes/main/.infracost/terraform_modules/0b4ad10c0a3cad31f1ab128d4a778444/root:
        no such file or directory

──────────────────────────────────
Project: regional-production
Module path: regional
Errors:
  Diff baseline error:
    Error loading Terraform modules:
      could not load modules for path /usr/src/app/osinfra-io/google-cloud-kubernetes/main/regional open /usr/src/app/osinfra-io/google-cloud-kubernetes/main/.infracost/terraform_modules/0b4ad10c0a3cad31f1ab128d4a778444/root:
        no such file or directory

──────────────────────────────────
Project: regional-sandbox
Module path: regional
Errors:
  Diff baseline error:
    Error loading Terraform modules:
      could not load modules for path /usr/src/app/osinfra-io/google-cloud-kubernetes/main/regional open /usr/src/app/osinfra-io/google-cloud-kubernetes/main/.infracost/terraform_modules/0b4ad10c0a3cad31f1ab128d4a778444/root:
        no such file or directory

──────────────────────────────────
──────────────────────────────────
9 projects have no cost estimate changes.
Run the following command to see their breakdown: infracost breakdown --path=/path/to/code

──────────────────────────────────
137 cloud resources were detected:
∙ 16 were estimated
∙ 106 were free
∙ 15 are not supported yet, see https://infracost.io/requested-resources:
  ∙ 4 x google_gke_hub_feature
  ∙ 3 x google_gke_hub_membership
  ∙ 2 x google_billing_budget
  ∙ 2 x google_cloud_identity_group_membership
  ∙ 2 x google_compute_security_policy
  ∙ 2 x google_container_node_pool

_{This comment will be updated when code changes.}

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3965bd3 and 9b336c7.

📒 Files selected for processing (1)

• shared/tfvars/sandbox.tfvars (1 hunks)

🔇 Additional comments (1)

shared/tfvars/sandbox.tfvars (1)

2-4: Verify the GCP service account exists

The configuration references a service account plt-backstage-github@ptl-lz-terraform-tf91-sb.iam.gserviceaccount.com. Ensure this service account exists in GCP before applying these changes.

Let's verify the service account pattern consistency across the codebase:

[coderabbitai]

💡 Codebase verification

Istio injection should be enabled for the backstage namespace

Based on the evidence found in the codebase:

1. The variables.tf file shows that istio_injection is a supported configuration option with a default value of "disabled"
2. The gke-info namespace has istio_injection explicitly set to "enabled"
3. The presence of extensive Istio gateway DNS configurations and virtual services across the codebase indicates that Istio is actively used in the cluster infrastructure

Since Istio is clearly a core part of the infrastructure (evidenced by the numerous Istio gateway and virtual service configurations), the backstage namespace should have Istio injection enabled for consistency with other service namespaces like gke-info.

🔗 Analysis chain

Consider if istio_injection setting is needed

The gke-info namespace has istio_injection configured, but it's not set for the backstage namespace. If Istio is used in the cluster, consider whether the backstage namespace should also have this setting configured.

Let's check if other namespaces typically have istio_injection configured:

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check istio_injection patterns across namespace definitions
# Expected: Consistent istio configuration across similar namespaces

# Search for namespace definitions with istio_injection
rg -t tf "kubernetes_engine_namespaces.*=.*\{" -A 10

Length of output: 54

---

Script:

#!/bin/bash
# Let's try different approaches to find namespace configurations and istio settings

# Search for namespace-related configurations
rg -t tf "namespace.*=.*{" -A 10

# Search specifically for istio injection configurations
rg -t tf "istio.*injection"

# Search for any kubernetes namespace resources
rg -t tf "resource.*kubernetes.*namespace"

# Look for tfvars files that might contain namespace configurations
fd -e tfvars -x cat {}

Length of output: 14415