Add Cloud DevOps workspace template for EKS (#518)

Co-authored-by: Noah Boyers <noah@MacBook-Pro.local>
Co-authored-by: Atif Ali <atif@coder.com>
Co-authored-by: DevCats <christofer@coder.com>
Co-authored-by: Noah Boyers <noah@coder.com>

Author: 5 people

.gitignore

@@ -1,3 +1,4 @@
+.DS_Store
 # Logs
 logs
 *.log

registry/nboyers/.gitignore

@@ -0,0 +1,41 @@
+# Local and OS files
+.DS_Store
+Thumbs.db
+*.log
+*.tmp
+*.swp
+*.bak
+
+# Terraform
+.terraform/
+.terraform.lock.hcl
+terraform.tfstate
+terraform.tfstate.backup
+crash.log
+
+# Node / Bun / Python / other tool artifacts
+node_modules/
+bun.lockb
+package-lock.json
+__pycache__/
+*.pyc
+
+# Cloud credentials and keys
+*.pem
+*.key
+*.p12
+*.json
+*.env
+.envrc
+aws-credentials
+gcp.json
+azure-creds.json
+
+# Archives
+*.zip
+*.tar.gz
+*.tgz
+
+# Workspace artifacts
+workspace/
+output/

registry/nboyers/.images/avatar.png

@@ -0,0 +1,14 @@
+---
+display_name: "Noah Boyers"
+bio: "Cloud & DevOps engineer with an MBA, building scalable multi-cloud infrastructure."
+avatar: "./.images/avatar.png"
+github: "noahboyers"
+linkedin: "https://www.linkedin.com/in/nboyers"
+website: "https://nobosoftware.com"
+support_email: "hello@nobosoftware.com"
+status: "community"
+---
+
+# Noah Boyers
+
+Cloud and DevOps engineer focused on scalable, secure, and automated infrastructure across AWS, Azure, and GCP.

registry/nboyers/README.md

@@ -0,0 +1,80 @@
+---
+display_name: "Cloud DevOps Workspace"
+description: "A multi-cloud DevOps workspace that runs on Amazon EKS and provides authenticated access to AWS, Azure, and GCP."
+icon: "https://raw.githubusercontent.com/coder/coder-icons/main/icons/cloud-devops.svg"
+tags:
+  - devops
+  - kubernetes
+  - aws
+  - eks
+  - multi-cloud
+  - terraform
+  - cdk
+  - pulumi
+---
+
+# Cloud DevOps Workspace
+
+A secure, company-standard DevOps environment for platform and cloud engineers.
+
+This template deploys workspaces **into an existing Amazon EKS cluster** and provides developers with tools and credentials to work with **AWS, Azure, and GCP** from inside their workspace.
+
+Supports multiple Infrastructure-as-Code frameworks — **Terraform**, **AWS CDK**, and **Pulumi** — for flexible, multi-cloud development.
+
+## Features
+
+- **Multi-Cloud Ready** — authenticate to AWS, Azure, or GCP from a single workspace
+- **Runs on EKS** — leverages existing Kubernetes infrastructure for scaling and security
+- **IaC Tools Included** — Terraform, Terragrunt, CDK, Pulumi, tfsec, and more
+- **Secure Isolation** — each workspace runs in its own Kubernetes namespace
+- **Configurable Auth** — supports IRSA (AWS), Federated Identity (Azure), and WIF (GCP)
+
+## Variables
+
+| Variable                                                      | Description                                                     | Type   | Default     |
+| ------------------------------------------------------------- | --------------------------------------------------------------- | ------ | ----------- |
+| `host_cluster_name`                                           | EKS cluster name where workspaces are deployed                  | string | —           |
+| `iac_tool`                                                    | Infrastructure-as-Code framework (`terraform`, `cdk`, `pulumi`) | string | `terraform` |
+| `enable_aws`                                                  | Enable AWS authentication and tools                             | bool   | `true`      |
+| `enable_azure`                                                | Enable Azure authentication and tools                           | bool   | `false`     |
+| `enable_gcp`                                                  | Enable GCP authentication and tools                             | bool   | `false`     |
+| `aws_access_key_id` / `aws_secret_access_key`                 | AWS credentials (optional)                                      | string | `""`        |
+| `azure_client_id` / `azure_client_secret` / `azure_tenant_id` | Azure credentials (optional)                                    | string | `""`        |
+| `gcp_service_account`                                         | GCP Service Account JSON (optional)                             | string | `""`        |
+
+## Runtime Architecture
+
+| Layer                   | Platform           | Purpose                                                      |
+| ----------------------- | ------------------ | ------------------------------------------------------------ |
+| **Infrastructure**      | Amazon EKS         | Where Coder deploys and runs the workspaces                  |
+| **Workspace Container** | Ubuntu-based image | Developer environment (Terraform, CDK, Pulumi, CLIs)         |
+| **Cloud Access**        | AWS / Azure / GCP  | Target environments for deploying infrastructure or services |
+
+## Required Permissions and Setup Steps
+
+This template **runs on EKS** but allows developers inside the workspace to authenticate with **AWS, Azure, or GCP** using their own credentials or service identities.
+
+### Coder & Infrastructure (Admin Setup)
+
+Your Coder deployment must have:
+
+- Network access to an **existing EKS cluster**
+- The Coder Helm chart installed and healthy
+- Terraform configured with access to the EKS API
+
+#### Minimum AWS IAM Permissions
+
+For the identity running the template (Coder service account, Terraform runner, or user):
+
+```json
+{
+  "Effect": "Allow",
+  "Action": [
+    "eks:DescribeCluster",
+    "eks:ListClusters",
+    "sts:GetCallerIdentity",
+    "sts:AssumeRole"
+  ],
+  "Resource": "*"
+}
+```

registry/nboyers/templates/cloud-dev/README.md

@@ -0,0 +1,120 @@
+terraform {
+  required_providers {
+    coder = {
+      source  = "coder/coder"
+      version = "~> 0.23"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "~> 2.23"
+    }
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+}
+
+# --- Coder workspace context ---
+data "coder_workspace" "me" {}
+data "coder_workspace_owner" "me" {}
+
+# --- EKS connection ---
+data "aws_eks_cluster" "eks" {
+  name = trimspace(var.host_cluster_name)
+}
+
+
+data "aws_eks_cluster_auth" "eks" {
+  name = trimspace(var.host_cluster_name)
+}
+
+provider "kubernetes" {
+  host                   = data.aws_eks_cluster.eks.endpoint
+  cluster_ca_certificate = base64decode(data.aws_eks_cluster.eks.certificate_authority[0].data)
+  token                  = data.aws_eks_cluster_auth.eks.token
+}
+
+# --- Namespace per workspace ---
+resource "kubernetes_namespace" "workspace" {
+  metadata {
+    name = "coder-${data.coder_workspace_owner.me.name}-${data.coder_workspace.me.name}"
+    labels = {
+      "coder.workspace" = data.coder_workspace.me.name
+      "coder.owner"     = data.coder_workspace_owner.me.name
+    }
+  }
+}
+
+# --- ServiceAccount (IRSA optional) ---
+resource "kubernetes_service_account" "workspace" {
+  metadata {
+    name      = "coder-${data.coder_workspace_owner.me.name}-${data.coder_workspace.me.name}"
+    namespace = kubernetes_namespace.workspace.metadata[0].name
+
+    annotations = var.enable_aws && var.aws_role_arn != "" ? {
+      "eks.amazonaws.com/role-arn" = var.aws_role_arn
+    } : {}
+  }
+}
+
+# --- Coder Agent definition ---
+resource "coder_agent" "main" {
+  os   = "linux"
+  arch = "amd64"
+
+  startup_script = file("${path.module}/scripts/setup-workspace.sh")
+
+  env = {
+    # IaC tool & cloud toggles
+    IAC_TOOL     = var.iac_tool
+    ENABLE_AWS   = tostring(var.enable_aws)
+    ENABLE_AZURE = tostring(var.enable_azure)
+    ENABLE_GCP   = tostring(var.enable_gcp)
+
+    # Developer credentials
+    AWS_ACCESS_KEY_ID     = var.aws_access_key_id
+    AWS_SECRET_ACCESS_KEY = var.aws_secret_access_key
+    AZURE_CLIENT_ID       = var.azure_client_id
+    AZURE_TENANT_ID       = var.azure_tenant_id
+    AZURE_CLIENT_SECRET   = var.azure_client_secret
+    GCP_SERVICE_ACCOUNT   = var.gcp_service_account
+  }
+}
+
+# --- Kubernetes Pod (runs workspace container) ---
+resource "kubernetes_pod" "workspace" {
+  count = data.coder_workspace.me.start_count
+
+  metadata {
+    name      = "coder-${data.coder_workspace_owner.me.name}-${data.coder_workspace.me.name}"
+    namespace = kubernetes_namespace.workspace.metadata[0].name
+    labels = {
+      "app"         = "coder-workspace"
+      "coder.owner" = data.coder_workspace_owner.me.name
+      "coder.agent" = "true"
+    }
+  }
+
+  spec {
+    service_account_name = kubernetes_service_account.workspace.metadata[0].name
+
+    container {
+      name    = "workspace"
+      image   = "codercom/enterprise-base:ubuntu"
+      command = ["/bin/bash", "-c", coder_agent.main.init_script]
+
+      env {
+        name  = "CODER_AGENT_TOKEN"
+        value = coder_agent.main.token
+      }
+
+      resources {
+        requests = { cpu = "500m", memory = "1Gi" }
+        limits   = { cpu = "2", memory = "4Gi" }
+      }
+    }
+  }
+
+  depends_on = [coder_agent.main]
+}