FEATURE/crossplane (#13)

* Feature: Crossplane Support

- use crossplane to deploy, track and manage the state of cloud
  resources like s3, vpc peering, fsx (netapp ontap) and route53.

- dynamic automatic route53 failover during DR activities

- argocd resource actions to provide better UX during failover
  activities.

* sanitizing values files

* update README.md

* update values-hub for linter

* update README for super-linter

* linter

* natural language linter

* removing unnecessary values file

* updated readme and added example aws iam policy

* fixed readme and iam policy for linter

Author: day0hero

.ansible-lint

@@ -9,6 +9,11 @@ exclude_paths:
   - common/
   - tests/
 
+# Role `route53_failover_terraform` intentionally exposes `route53_failover_*` variables
+# to playbooks; renaming to `route53_failover_terraform_*` would be a breaking API change.
+skip_list:
+  - var-naming[no-role-prefix]
+
 # warn_list:
 #   - yaml
 #   - schema

.github/linters/trivy.yaml

@@ -8,3 +8,7 @@ scan:
     - MEDIUM
     - CRITICAL
     - HIGH
+  # Legacy Terraform modules: starter defaults trip many AWS hardening rules; Crossplane is the primary path.
+  skip-dirs:
+    - terraform/fsx-ontap
+    - terraform/terraform-state

.github/workflows/jsonschema.yaml

@@ -53,7 +53,7 @@ jobs:
             # disable shellcheck of single quotes in yq
             # shellcheck disable=2016
             yq eval-all '. as $item ireduce ({}; . * $item )' values-global.yaml "$i" > tmp.yaml
-            check-jsonschema --fill-defaults --schemafile https://raw.githubusercontent.com/validatedpatterns/clustergroup-chart/refs/heads/main/values.schema.json tmp.yaml
+            check-jsonschema --fill-defaults --schemafile https://raw.githubusercontent.com/day0hero/clustergroup-chart/refs/heads/resource_actions/values.schema.json tmp.yaml
             rm -f tmp.yaml
           done
 

.github/workflows/superlinter.yml

@@ -21,6 +21,12 @@ jobs:
           fetch-depth: 0
           persist-credentials: false
 
+      # When VALIDATE_TRIVY is true, super-linter runs `helm template` on charts; Crossplane is a wrapper chart and needs dependencies present.
+      - name: Helm dependency build (crossplane)
+        run: |
+          helm repo add crossplane-stable https://charts.crossplane.io/stable --force-update
+          helm dependency build charts/all/crossplane
+
       ################################
       # Run Linter against code base #
       ################################
@@ -35,6 +41,7 @@ jobs:
           VALIDATE_BASH: false
           VALIDATE_CHECKOV: false
           VALIDATE_JSCPD: false
+          # JSON is formatted with Biome in super-linter v8. Local parity: npm ci && npm run lint:biome (see package.json / biome.json).
           VALIDATE_JSON_PRETTIER: false
           VALIDATE_MARKDOWN_PRETTIER: false
           VALIDATE_PYTHON_PYLINT: false

.gitignore

@@ -1,3 +1,8 @@
+node_modules/
+
+# Helm dependency archives (built in CI before super-linter; keep Chart.lock)
+charts/all/crossplane/charts/
+
 *~
 *.swp
 *.swo

.trivyignore

@@ -3,5 +3,3 @@ AVD-KSV-0020 # Container 'apache' of Deployment 'hello-world' should set 'securi
 AVD-KSV-0021 # Container 'apache' of Deployment 'hello-world' should set 'securityContext.runAsGroup' > 10000. Not needed on OCP
 AVD-KSV-0014 # Readonly root filesystem does not work with httpd ubi images
 AVD-KSV-0125 # Container apache in deployment hello-world (namespace: default) uses an image from an untrusted registry. registry.access.redhat.com is trusted
-
-

Makefile

@@ -8,18 +8,14 @@ include Makefile-common
 # NetApp DR Starter Kit - Infrastructure Targets
 # =============================================================================
 #
-# These targets manage the DR infrastructure:
-#   - Terraform state backend (S3 bucket + DynamoDB from values-trident.yaml)
+# These targets manage the DR infrastructure via Crossplane (GitOps):
 #   - Cluster discovery (auto-detect VPC, CIDR, region from kubeconfigs)
-#   - VPC peering between prod and DR clusters
-#   - FSx for NetApp ONTAP filesystems in each region
+#   - Crossplane values written to Helm values files
+#   - ArgoCD syncs Crossplane managed resources (FSx, S3, VPC Peering, Route53)
 #
 # Required:
 #   PROD_KUBECONFIG - path to production cluster kubeconfig
 #   DR_KUBECONFIG   - path to DR cluster kubeconfig
-#
-# The terraform state bucket name is read from values-trident.yaml
-# (.terraform.state.bucket) automatically by the playbook.
 # =============================================================================
 
 # Expand ~ in kubeconfig paths
@@ -82,130 +78,64 @@ endef
 
 ##@ NetApp DR Infrastructure
 
-.PHONY: build-dr
-build-dr: ## Build complete DR infrastructure (state backend, VPC peering, FSx filesystems)
-	$(call _validate_kubeconfigs,build-dr)
-	@echo "=========================================="
-	@echo "Building DR Infrastructure"
-	@echo "  Prod kubeconfig: $(_PROD_KUBECONFIG)"
-	@echo "  DR kubeconfig:   $(_DR_KUBECONFIG)"
-	@echo "  State bucket:    from values-trident.yaml"
-	@echo "=========================================="
-	ansible-playbook $(EXTRA_PLAYBOOK_OPTS) ansible/dr-setup.yaml \
-		-e @ansible/dr-vars.yml \
-		$(_DR_EXTRA_VARS)
+##@ Crossplane Infrastructure
 
-.PHONY: destroy-dr
-destroy-dr: ## Destroy DR infrastructure (FSx filesystems and VPC peering; preserves state bucket)
-	$(call _validate_kubeconfigs,destroy-dr)
+.PHONY: crossplane-setup
+crossplane-setup: ## Discover clusters and write Crossplane values (then commit+push for ArgoCD)
+	$(call _validate_kubeconfigs,crossplane-setup)
 	@echo "=========================================="
-	@echo "Destroying DR Infrastructure"
+	@echo "Crossplane Infrastructure Setup"
 	@echo "  Prod kubeconfig: $(_PROD_KUBECONFIG)"
 	@echo "  DR kubeconfig:   $(_DR_KUBECONFIG)"
-	@echo "  Note: State bucket is preserved"
+	@echo "  (Route53: configure AWS credentials for hosted-zone discovery — no zone ID in Git)"
 	@echo "=========================================="
-	ansible-playbook $(EXTRA_PLAYBOOK_OPTS) ansible/dr-setup.yaml \
-		-e @ansible/dr-vars.yml \
-		$(_DR_EXTRA_VARS) \
-		-e destroy_resources=true
-
-# Trident Protect AppVault S3 bucket from values-global.yaml
-_APPVAULT_BUCKET := $(shell yq '.global.tridentProtect.appVault.s3.bucketName // ""' values-global.yaml 2>/dev/null)
-_APPVAULT_REGION := $(shell yq '.global.tridentProtect.appVault.s3.region // ""' values-global.yaml 2>/dev/null)
-
-.PHONY: create-appvault-bucket
-create-appvault-bucket: ## Create the S3 bucket for Trident Protect AppVault
-	@if [ -z "$(_APPVAULT_BUCKET)" ]; then \
-		echo "Error: Could not read .global.tridentProtect.appVault.s3.bucketName from values-global.yaml"; \
-		exit 1; \
-	fi
-	@if [ -z "$(_APPVAULT_REGION)" ]; then \
-		echo "Error: Could not read .global.tridentProtect.appVault.s3.region from values-global.yaml"; \
-		exit 1; \
-	fi
-	@echo "=========================================="
-	@echo "Trident Protect AppVault S3 Bucket"
+	ansible-playbook $(EXTRA_PLAYBOOK_OPTS) ansible/crossplane-setup.yaml \
+		-e @ansible/crossplane-vars.yml \
+		$(_DR_EXTRA_VARS)
+	@echo ""
 	@echo "=========================================="
-	@echo "  Bucket: $(_APPVAULT_BUCKET)"
-	@echo "  Region: $(_APPVAULT_REGION)"
+	@echo "  Values files updated. Next steps:"
+	@echo "    1. git diff  (review changes)"
+	@echo "    2. git add -A && git commit"
+	@echo "    3. git push  (triggers ArgoCD sync)"
+	@echo "    4. kubectl get managed  (monitor)"
 	@echo "=========================================="
-	@if aws s3api head-bucket --bucket $(_APPVAULT_BUCKET) --region $(_APPVAULT_REGION) 2>/dev/null; then \
-		echo "Bucket '$(_APPVAULT_BUCKET)' already exists - nothing to do."; \
-	else \
-		echo "Creating S3 bucket '$(_APPVAULT_BUCKET)' in $(_APPVAULT_REGION)..."; \
-		if [ "$(_APPVAULT_REGION)" = "us-east-1" ]; then \
-			aws s3api create-bucket \
-				--bucket $(_APPVAULT_BUCKET) \
-				--region $(_APPVAULT_REGION); \
-		else \
-			aws s3api create-bucket \
-				--bucket $(_APPVAULT_BUCKET) \
-				--region $(_APPVAULT_REGION) \
-				--create-bucket-configuration LocationConstraint=$(_APPVAULT_REGION); \
-		fi; \
-		echo "Bucket '$(_APPVAULT_BUCKET)' created."; \
-	fi
 
-# State bucket name, DynamoDB table, and region from values-trident.yaml
-_STATE_BUCKET := $(shell yq '.terraform.state.bucket // ""' values-trident.yaml 2>/dev/null)
-_DYNAMODB_TABLE := $(shell yq '.terraform.state.dynamodb_table // "terraform-state-lock"' values-trident.yaml 2>/dev/null)
-_STATE_REGION := $(shell yq '.terraform.state.region // "us-east-1"' values-trident.yaml 2>/dev/null)
+##@ Crossplane DR Teardown
 
-.PHONY: destroy-terraform-state
-destroy-terraform-state: ## Destroy the Terraform state backend (S3 bucket + DynamoDB table) - DESTRUCTIVE
-	@if [ -z "$(_STATE_BUCKET)" ]; then \
-		echo "Error: Could not read .terraform.state.bucket from values-trident.yaml"; \
-		exit 1; \
-	fi
+.PHONY: destroy-dr dr-destroy
+# dr-destroy is an alias (same recipe as destroy-dr)
+destroy-dr dr-destroy: ## Destroy DR infrastructure (pauses ArgoCD, cleans ONTAP, deletes Crossplane resources)
+	$(call _validate_kubeconfigs,destroy-dr)
 	@echo "=========================================="
-	@echo "WARNING: Destroying Terraform State Backend"
+	@echo "WARNING: Destroying DR Infrastructure"
 	@echo "=========================================="
-	@echo "  S3 Bucket:      $(_STATE_BUCKET)"
-	@echo "  DynamoDB Table: $(_DYNAMODB_TABLE)"
-	@echo "  Region:         $(_STATE_REGION)"
+	@echo "  Prod kubeconfig: $(_PROD_KUBECONFIG)"
+	@echo "  DR kubeconfig:   $(_DR_KUBECONFIG)"
 	@echo ""
-	@echo "  This will permanently delete all Terraform state!"
-	@echo "  Make sure you have destroyed all DR resources first"
-	@echo "  (make destroy-dr) or they will become orphaned."
+	@echo "  This will:"
+	@echo "    1. Pause ArgoCD auto-sync on both clusters"
+	@echo "    2. Clean up ONTAP (SnapMirror, volumes, peers)"
+	@echo "    3. Scrub AppVault S3 bucket"
+	@echo "    4. Delete Crossplane-managed AWS resources (hub oc delete)"
+	@echo "    5. AWS CLI fallback: remove any remaining FSx + VPC peering by tag/VPC pair"
+	@echo "       (playbook fails if they still exist — needs aws configure / env creds)"
 	@echo "=========================================="
 	@echo ""
 	@read -p "Type 'yes' to confirm: " confirm && [ "$$confirm" = "yes" ] || (echo "Aborted."; exit 1)
-	@echo ""
-	@echo "--- Emptying S3 bucket (all object versions) ---"
-	@aws s3api list-object-versions \
-		--bucket $(_STATE_BUCKET) \
-		--region $(_STATE_REGION) \
-		--query '{Objects: Versions[].{Key:Key,VersionId:VersionId}}' \
-		--output json 2>/dev/null | \
-	python3 -c "\
-	import sys, json, subprocess; \
-	data = json.load(sys.stdin); \
-	objects = data.get('Objects') or []; \
-	[subprocess.run(['aws', 's3api', 'delete-objects', '--bucket', '$(_STATE_BUCKET)', '--region', '$(_STATE_REGION)', '--delete', json.dumps({'Objects': objects[i:i+1000], 'Quiet': True})], check=True) for i in range(0, len(objects), 1000)] if objects else None; \
-	print(f'Deleted {len(objects)} object versions') if objects else print('No object versions to delete')" || true
-	@echo "--- Removing delete markers ---"
-	@aws s3api list-object-versions \
-		--bucket $(_STATE_BUCKET) \
-		--region $(_STATE_REGION) \
-		--query '{Objects: DeleteMarkers[].{Key:Key,VersionId:VersionId}}' \
-		--output json 2>/dev/null | \
-	python3 -c "\
-	import sys, json, subprocess; \
-	data = json.load(sys.stdin); \
-	objects = data.get('Objects') or []; \
-	[subprocess.run(['aws', 's3api', 'delete-objects', '--bucket', '$(_STATE_BUCKET)', '--region', '$(_STATE_REGION)', '--delete', json.dumps({'Objects': objects[i:i+1000], 'Quiet': True})], check=True) for i in range(0, len(objects), 1000)] if objects else None; \
-	print(f'Removed {len(objects)} delete markers') if objects else print('No delete markers to remove')" || true
-	@echo "--- Deleting S3 bucket ---"
-	@aws s3api delete-bucket --bucket $(_STATE_BUCKET) --region $(_STATE_REGION) \
-		&& echo "S3 bucket '$(_STATE_BUCKET)' deleted" \
-		|| echo "S3 bucket '$(_STATE_BUCKET)' not found (already deleted?)"
-	@echo "--- Deleting DynamoDB table ---"
-	@aws dynamodb delete-table --table-name $(_DYNAMODB_TABLE) --region $(_STATE_REGION) > /dev/null 2>&1 \
-		&& echo "DynamoDB table '$(_DYNAMODB_TABLE)' deleted" \
-		|| echo "DynamoDB table '$(_DYNAMODB_TABLE)' not found (already deleted?)"
-	@echo "--- Cleaning local working directory ---"
-	@rm -rf /tmp/netapp-dr-terraform/terraform-state
-	@echo ""
-	@echo "=========================================="
-	@echo "  Terraform State Backend Destroyed"
-	@echo "=========================================="
+	ansible-playbook $(EXTRA_PLAYBOOK_OPTS) ansible/crossplane-destroy.yaml \
+		-e @ansible/crossplane-vars.yml \
+		$(_DR_EXTRA_VARS)
+
+##@ Code quality (Biome — JSON formatter parity with GitHub super-linter v8)
+
+.PHONY: deps-js lint-biome format-biome
+
+deps-js: ## Install Node devDependencies (Biome); uses package-lock.json
+	npm ci
+
+lint-biome: deps-js ## Run Biome check (format + lint) on the repo
+	npm run lint:biome
+
+format-biome: deps-js ## Write Biome formatting (e.g. Grafana dashboard JSON)
+	npm run format:biome