add a plan workflow

CDCgov · Oct 16, 2024 · 27d72e8 · 27d72e8
1 parent 41f77a9
commit 27d72e8
Show file tree

Hide file tree

Showing 4 changed files with 44 additions and 20 deletions.
diff --git a/.github/workflows/deployment.yaml b/.github/workflows/deployment.yaml
@@ -1,19 +1,26 @@
-name: Deploy
-run-name: Deploy to ${{ inputs.workspace }} by @${{ github.actor }}
+name: Terraform (Plan||Apply)
+run-name: Terraform ${{ inputs.terraform_action }} ${{ inputs.workspace }} by @${{ github.actor }}
 
 on:
   workflow_dispatch:
     inputs:
       workspace:
-        description: 'The workspace to deploy to'
+        description: 'The workspace to terraform against'
         required: true
         type: choice
         options:
           - ""
           - prod
+      terraform_action:
+        description: 'The terraform action to perform'
+        required: true
+        type: choice
+        options:
+          - plan
+          - apply
 
 concurrency:
-  group: ${{ github.event.inputs.workspace }}-deploy
+  group: ${{ github.event.inputs.workspace }}-terraform
   cancel-in-progress: false
 
 permissions:
@@ -22,6 +29,7 @@ permissions:
 
 env:
   workspace: ${{ github.event.inputs.workspace }}
+  terraform_action: ${{ github.event.inputs.terraform_action }}
 
 jobs:
   terraform:
@@ -47,19 +55,28 @@ jobs:
 
       - name: Terraform
         env:
-          WORKSPACE: ${{ env.workspace }}
+          ACTION: ${{ env.terraform_action }}
           BUCKET: ${{ secrets.TFSTATE_BUCKET }}
           DYNAMODB_TABLE: ${{ secrets.TFSTATE_DYNAMODB_TABLE }}
-          REGION: ${{ secrets.AWS_REGION }}
           OWNER: ${{ vars.OWNER }}
           PROJECT: ${{ vars.PROJECT }}
+          REGION: ${{ secrets.AWS_REGION }}
+          WORKSPACE: ${{ env.workspace }}
         shell: bash
         run: |
-          echo "WORKSPACE=$WORKSPACE" >> .env
-          echo "BUCKET=$BUCKET" >> .env
-          echo "DYNAMODB_TABLE=$DYNAMODB_TABLE" >> .env
-          echo "REGION=$REGION" >> .env
           echo "owner = \"$OWNER\"" >> $WORKSPACE.tfvars
           echo "project = \"$PROJECT\"" >> $WORKSPACE.tfvars
           echo "region = \"$REGION\"" >> $WORKSPACE.tfvars
-          ./deploy.sh -e $WORKSPACE --ci
+          terraform init \
+            -var-file="$WORKSPACE.tfvars" \
+            -backend-config "bucket=$BUCKET" \
+            -backend-config "dynamodb_table=$DYNAMODB_TABLE" \
+            -backend-config "region=$REGION" \
+            || (echo "terraform init failed, exiting..." && exit 1)
+          terraform workspace select "$WORKSPACE"
+          if [ "$ACTION" == "plan" ]; then
+            terraform plan -var-file="$WORKSPACE.tfvars"
+          fi
+          if [ "$ACTION" == "apply" ]; then
+            terraform apply -auto-approve -var-file="$WORKSPACE.tfvars"
+          fi
diff --git a/terraform/implementation/ecs/README.md b/terraform/implementation/ecs/README.md
@@ -34,6 +34,7 @@
 | <a name="input_ecr_viewer_database_type"></a> [ecr\_viewer\_database\_type](#input\_ecr\_viewer\_database\_type) | The SQL variant used for the eCR data tables | `string` | `"postgres"` | no |
 | <a name="input_ecs_alb_sg"></a> [ecs\_alb\_sg](#input\_ecs\_alb\_sg) | The security group for the Application Load Balancer | `string` | `"ecs-albsg"` | no |
 | <a name="input_enable_nat_gateway"></a> [enable\_nat\_gateway](#input\_enable\_nat\_gateway) | Enable NAT Gateway | `bool` | `false` | no |
+| <a name="input_internal"></a> [internal](#input\_internal) | Internal | `bool` | `true` | no |
 | <a name="input_owner"></a> [owner](#input\_owner) | The owner of the infrastructure | `string` | `"skylight"` | no |
 | <a name="input_phdi_version"></a> [phdi\_version](#input\_phdi\_version) | PHDI container image version | `string` | `"v1.4.4"` | no |
 | <a name="input_private_subnets"></a> [private\_subnets](#input\_private\_subnets) | The private subnets | `list(string)` | <pre>[<br>  "176.24.1.0/24",<br>  "176.24.3.0/24"<br>]</pre> | no |

diff --git a/terraform/implementation/ecs/_variable.tf b/terraform/implementation/ecs/_variable.tf
@@ -4,6 +4,11 @@ variable "availability_zones" {
   default     = ["us-east-1a", "us-east-1b", "us-east-1c"]
 }
 
+variable "internal" {
+  description = "Internal"
+  type        = bool
+  default     = true
+}
 variable "create_internet_gateway" {
   type        = bool
   description = "Flag to determine if an internet gateway should be created"

diff --git a/terraform/implementation/ecs/main.tf b/terraform/implementation/ecs/main.tf
@@ -1,14 +1,15 @@
 module "vpc" {
   source = "terraform-aws-modules/vpc/aws"
 
-  name               = local.vpc_name
-  cidr               = var.vpc_cidr
-  azs                = var.availability_zones
-  private_subnets    = var.private_subnets
-  public_subnets     = var.public_subnets
-  enable_nat_gateway = var.enable_nat_gateway
-  single_nat_gateway = var.single_nat_gateway
-  create_igw         = var.create_internet_gateway
+  name            = local.vpc_name
+  cidr            = var.vpc_cidr
+  azs             = var.availability_zones
+  private_subnets = var.private_subnets
+  public_subnets  = var.public_subnets
+  # if internal is true, then the VPC will not have a NAT or internet gateway
+  enable_nat_gateway = var.internal ? false : true
+  single_nat_gateway = var.internal ? false : true
+  create_igw         = var.internal ? false : true
   tags               = local.tags
 }
 
@@ -32,7 +33,7 @@ module "ecs" {
 
   # If the intent is to make the ecr-viewer availabble on the public internet, set internal to false (default is true)
   # This requires an internet gateway to be present in the VPC.
-  # internal       = false
+  internal = var.internal
 
   # If the intent is to disable authentication, set ecr_viewer_app_env to "test" (default is "prod")
   # ecr_viewer_app_env = "test"