copier.yml
# Questions specific to this template
# Questions managed by upstream template
repo_name:
  type: str
  help: What is the name of the repository?
repo_org_name:
  type: str
  help: What's the organization or username that owns this repository (look in the URL)?
description:
  type: str
  help: What is the description of this repository?
install_claude_cli:
  type: bool
  help: Should the Claude CLI be installed in the devcontainer?
  default: no
is_open_source:
  type: bool
  help: Is this library open source?
  default: no
ssh_port_number:
  type: int
  help: What port should the devcontainer bind SSH to?
  # Pick a random port, but ensure it's not in the excluded port range on Windows (powershell: `netsh int ipv4 show excludedportrange protocol=tcp`)
  default: "{{ ( (range(49152, 49752) | list) + (range(49852, 50000) | list) + (range(50060, 50160) | list) + (range(50160, 50260) | list) + (range(50260, 50360) | list) + (range(50914, 51014) | list) + (range(51114, 51214) | list) + (range(51214, 51314) | list) + (range(51314, 51414) | list) + (range(51623, 51723) | list) + (range(51723, 51823) | list) + (range(65269, 65369) | list) + (range(65369, 65469) | list) ) | random }}"
pull_from_ecr:
  type: bool
  help: Will you need to pull images from a central AWS Elastic Container Registry?
  default: no
use_windows_in_ci:
  type: bool
  help: Should CI in the instantiated template also use Windows runners?
  default: no
python_version:
  type: str
  help: What version of Python is used for development?
  default: "3.13.9"
python_package_registry:
  type: str
  help: What registry should Python packages be installed from?
  choices:
    - PyPI
    - AWS CodeArtifact
  default: PyPI
aws_identity_center_id:
  type: str
  help: What's the ID of your Organization's AWS Identity Center, e.g. d-9145c20053?
  when: "{{ python_package_registry == 'AWS CodeArtifact' or install_aws_ssm_port_forwarding_plugin or pull_from_ecr or True }}"
aws_org_home_region:
  type: str
  help: What is the home region of the AWS Organization (where all of the central infrastructure is deployed)?
  default: us-east-1
  when: "{{ python_package_registry == 'AWS CodeArtifact' or install_aws_ssm_port_forwarding_plugin or pull_from_ecr or True }}"
aws_central_infrastructure_account_id:
  type: str
  help: What's the ID of your Organization's AWS Account containing Central Infrastructure (e.g. CodeArtifact)?
  when: "{{ python_package_registry == 'AWS CodeArtifact' or pull_from_ecr }}"
  default: "000000000000"
core_infra_base_access_profile_name:
  type: str
  help: What's the AWS Identity Center Profile name for base access to the Central Infrastructure account (i.e. to read from CodeArtifact)?
  when: "{{ python_package_registry == 'AWS CodeArtifact' or pull_from_ecr }}"
  default: CoreInfraBaseAccess
aws_production_account_id:
  type: str
  help: What's the AWS Account ID for the Production environment?
use_staging_environment:
  type: bool
  help: Does this workload use a Staging environment for its infrastructure?
  default: yes
aws_staging_account_id:
  type: str
  help: What's the AWS Account ID for the Staging environment?
  when: "{{ use_staging_environment }}"
aws_test_account_id:
  type: str
  help: What's the AWS Account ID for the ephemeral Test environment?
  when: "{{ use_staging_environment }}"
aws_development_account_id:
  type: str
  help: What's the AWS Account ID for local development (often the same as the ephemeral test environment)?
  when: "{{ use_staging_environment }}"
  default: "{{ aws_test_account_id }}"
aws_region_for_stack:
  type: str
  help: What AWS region should be used for this workload?
  default: "{{ aws_org_home_region }}"
# Questions specific to this template
central_infra_github_organization_name:
  type: str
  help: What is the name of the GitHub organization that owns the central infrastructure repository?
initial_iac_management_deploy_occurred:
  type: bool
  help: Has the initial merge to main and the deployment of the IaC Management stack occurred yet?
  default: no
identity_center_production_account_id:
  type: str
  help: What is the account ID for the delegated account that manages AWS Identity Center?
manage_okta:
  type: bool
  help: Do you want to use this repository to manage Okta through Infrastructure as Code?
  default: no
okta_org_name:
  type: str
  help: What's the Okta org name?
  when: "{{ manage_okta }}"
okta_tokens_created:
  type: bool
  help: Has a merge to main already occurred that created the AWS Secrets to hold the Okta API tokens, and have those API tokens been manually entered into Secrets Manager?
  default: no
  when: "{{ manage_okta }}"
manage_github_repos:
  type: bool
  help: Do you want to use this repository to manage some of the other GitHub repositories through Infrastructure as Code?
  default: no
initial_github_admin:
  type: str
  help: What is your GitHub username (to be set as the initial admin of the root Team)?
  when: "{{ manage_github_repos }}"
use_repo_secret_for_github_iac_tokens:
  type: bool
  # Double-quoted so the "\n" is an actual line break when Copier prints the help text
  help: "Not recommended for enterprise users: this allows much less controlled access to secrets. Only do this if you're a 1-2 person team very concerned about a dollar per month of AWS Secrets Manager charges.\nDo you want to skip using AWS Secrets Manager to hold the GitHub deploy tokens and just add them as repository secrets?"
  default: no
  when: "{{ manage_github_repos }}"
github_tokens_created:
  type: bool
  help: Has a merge to main already occurred that created the AWS Secrets to hold the GitHub API tokens, and have those API tokens been manually entered into Secrets Manager? (Or has the token been entered as a secret in the repository, if you chose that route?)
  default: no
  when: "{{ manage_github_repos }}"
import_github_aws_org_repos:
  type: bool
  help: Do you want to start the process of importing the AWS-Organization and AWS-Central-Infrastructure repositories to be managed by this project?
  default: no
  when: "{{ manage_github_repos }}"
finished_importing_github_aws_org_repos:
  type: bool
  help: Did you complete a successful deployment to main that imported the AWS-Organization and AWS-Central-Infrastructure repositories yet?
  default: no
  when: "{{ import_github_aws_org_repos }}"
allow_admin_rule_bypass_for_github_aws_org_repos:
  type: bool
  help: Do you want to allow GitHub Organization admins to bypass the branch protection rules for the AWS-Organization and AWS-Central-Infrastructure repositories?
  default: no
  when: "{{ finished_importing_github_aws_org_repos }}"
aws_organization_repo_name:
  type: str
  help: What is the name of the GitHub repository used to manage your AWS Organization?
  when: "{{ manage_github_repos }}"
  default: aws-organization
create_private_subnet:
  type: bool
  help: Do you want to create a private subnet with a NAT Gateway within the central networking VPC (this will incur costs, around $30/month)?
  default: no
configure_cloud_courier:
  type: bool
  help: Should Identity Center permissions be automatically configured to facilitate using Cloud Courier?
  default: no
cloud_courier_infra_repo_name:
  type: str
  help: What is the name of the repository that contains the Cloud Courier Infrastructure?
  when: "{{ configure_cloud_courier }}"
  default: "cloud-courier-infrastructure"
# Questions managed by upstream template
repo_names_for_codespaces_read_permissions:
  type: str
  help: Provide a comma-separated list of repository names only within this GitHub organization that you would like the codespace to have read access to (for example, private-template, not my-org/private-template)
  default: ""
_tasks:
  # Drop the Claude settings merge hook from the generated pre-commit config when the Claude CLI is not installed
  - command: |
      python3 '{{ _copier_conf.src_path }}/src/copier_tasks/remove_precommit_hooks.py' \
        --hook-id-regex '^\s*-\s+id:\s+merge-claude-settings\s*$' \
        --target-file .pre-commit-config.yaml
    when: "{{ not install_claude_cli }}"
  # Keep Ruff's target-version in step with the answered python_version (e.g. "3.13.9" -> "py313")
  - command: |
      if [ -f ruff.toml ]; then
        echo "Updating ruff target-version from python_version..."
        py_major_minor="$(printf '%s' '{{ python_version }}' | cut -d. -f1,2)"
        py_tag="py$(printf '%s' "$py_major_minor" | tr -d '.')"
        sed -i -E 's/^target-version = "py[0-9]+"/target-version = "'"$py_tag"'"/' ruff.toml
      else
        echo "ruff.toml not found; skipping Ruff target-version update."
      fi
# Additional Settings
_min_copier_version: "9.8"
_subdirectory: template
_templates_suffix: .jinja
_exclude:
  - "copier.yml"
# adapted from https://github.com/copier-org/copier-template-extensions#context-hook-extension
_jinja_extensions:
  - copier_template_extensions.TemplateExtensionLoader
  - extensions/context.py:ContextUpdater