separate out github workflows, typo and description updates

CDCgov · Nov 4, 2024 · a7cf09c · a7cf09c
1 parent e0393f9
commit a7cf09c
Show file tree

Hide file tree

Showing 10 changed files with 131 additions and 63 deletions.
diff --git a/.github/workflows/deployment.yaml → .github/workflows/deployment_apply.yaml b/.github/workflows/deployment.yaml → .github/workflows/deployment_apply.yaml
@@ -1,4 +1,4 @@
-name: Terraform (Plan||Apply)
+name: Terraform Apply
 run-name: Terraform ${{ inputs.terraform_action }} ${{ inputs.workspace }} by @${{ github.actor }}
 
 on:
@@ -11,13 +11,6 @@ on:
         options:
           - ""
           - prod
-      terraform_action:
-        description: 'The terraform action to perform'
-        required: true
-        type: choice
-        options:
-          - plan
-          - apply
 
 concurrency:
   group: ${{ github.event.inputs.workspace }}-terraform
@@ -29,7 +22,7 @@ permissions:
 
 env:
   workspace: ${{ github.event.inputs.workspace }}
-  terraform_action: ${{ github.event.inputs.terraform_action }}
+  terraform_action: apply
 
 jobs:
   terraform:
@@ -51,7 +44,7 @@ jobs:
         with:
           role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
           role-session-name: githubDeploymentWorkflow
-          aws-region: ${{ secrets.AWS_REGION }}
+          aws-region: ${{ vars.AWS_REGION }}
 
       - name: Terraform
         env:
@@ -60,7 +53,7 @@ jobs:
           DYNAMODB_TABLE: ${{ secrets.TFSTATE_DYNAMODB_TABLE }}
           OWNER: ${{ vars.OWNER }}
           PROJECT: ${{ vars.PROJECT }}
-          REGION: ${{ secrets.AWS_REGION }}
+          REGION: ${{ vars.AWS_REGION }}
           WORKSPACE: ${{ env.workspace }}
         shell: bash
         run: |
@@ -74,9 +67,4 @@ jobs:
             -backend-config "region=$REGION" \
             || (echo "terraform init failed, exiting..." && exit 1)
           terraform workspace select "$WORKSPACE"
-          if [ "$ACTION" == "plan" ]; then
-            terraform plan -var-file="$WORKSPACE.tfvars"
-          fi
-          if [ "$ACTION" == "apply" ]; then
-            terraform apply -auto-approve -var-file="$WORKSPACE.tfvars"
-          fi
+          terraform apply -auto-approve -var-file="$WORKSPACE.tfvars"
diff --git a/.github/workflows/deployment_plan.yaml b/.github/workflows/deployment_plan.yaml
@@ -0,0 +1,70 @@
+name: Terraform Plan
+run-name: Terraform ${{ inputs.terraform_action }} ${{ inputs.workspace }} by @${{ github.actor }}
+
+on:
+  workflow_dispatch:
+    inputs:
+      workspace:
+        description: 'The workspace to terraform against'
+        required: true
+        type: choice
+        options:
+          - ""
+          - prod
+
+concurrency:
+  group: ${{ github.event.inputs.workspace }}-terraform
+  cancel-in-progress: false
+
+permissions:
+  id-token: write
+  contents: read
+
+env:
+  workspace: ${{ github.event.inputs.workspace }}
+  terraform_action: plan
+
+jobs:
+  terraform:
+    name: Run Terraform
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        shell: bash
+        working-directory: ./terraform/implementation/ecs
+    steps:
+      - name: Check Out Changes
+        uses: actions/checkout@v4
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+
+      - name: configure aws credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+          role-session-name: githubDeploymentWorkflow
+          aws-region: ${{ vars.AWS_REGION }}
+
+      - name: Terraform
+        env:
+          ACTION: ${{ env.terraform_action }}
+          BUCKET: ${{ secrets.TFSTATE_BUCKET }}
+          DYNAMODB_TABLE: ${{ secrets.TFSTATE_DYNAMODB_TABLE }}
+          OWNER: ${{ vars.OWNER }}
+          PROJECT: ${{ vars.PROJECT }}
+          REGION: ${{ vars.AWS_REGION }}
+          WORKSPACE: ${{ env.workspace }}
+        shell: bash
+        run: |
+          echo "owner = \"$OWNER\"" >> $WORKSPACE.tfvars
+          echo "project = \"$PROJECT\"" >> $WORKSPACE.tfvars
+          echo "region = \"$REGION\"" >> $WORKSPACE.tfvars
+          terraform init \
+            -var-file="$WORKSPACE.tfvars" \
+            -backend-config "bucket=$BUCKET" \
+            -backend-config "dynamodb_table=$DYNAMODB_TABLE" \
+            -backend-config "region=$REGION" \
+            || (echo "terraform init failed, exiting..." && exit 1)
+          terraform workspace select "$WORKSPACE"
+          terraform plan -var-file="$WORKSPACE.tfvars"
diff --git a/terraform/implementation/ecs/README.md b/terraform/implementation/ecs/README.md
@@ -29,19 +29,16 @@
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_availability_zones"></a> [availability\_zones](#input\_availability\_zones) | The availability zones to use | `list(string)` | <pre>[<br>  "us-east-1a",<br>  "us-east-1b",<br>  "us-east-1c"<br>]</pre> | no |
-| <a name="input_create_internet_gateway"></a> [create\_internet\_gateway](#input\_create\_internet\_gateway) | Flag to determine if an internet gateway should be created | `bool` | `false` | no |
 | <a name="input_ecr_viewer_database_schema"></a> [ecr\_viewer\_database\_schema](#input\_ecr\_viewer\_database\_schema) | The database schema used for the eCR data tables | `string` | `"core"` | no |
 | <a name="input_ecr_viewer_database_type"></a> [ecr\_viewer\_database\_type](#input\_ecr\_viewer\_database\_type) | The SQL variant used for the eCR data tables | `string` | `"postgres"` | no |
 | <a name="input_ecs_alb_sg"></a> [ecs\_alb\_sg](#input\_ecs\_alb\_sg) | The security group for the Application Load Balancer | `string` | `"ecs-albsg"` | no |
-| <a name="input_enable_nat_gateway"></a> [enable\_nat\_gateway](#input\_enable\_nat\_gateway) | Enable NAT Gateway | `bool` | `false` | no |
-| <a name="input_internal"></a> [internal](#input\_internal) | Internal | `bool` | `true` | no |
+| <a name="input_internal"></a> [internal](#input\_internal) | Flag to determine if the several AWS resources are public (intended for external access, public internet) or private (only intended to be accessed within your AWS VPC or avaiable with other means, a transit gateway for example). | `bool` | `true` | no |
 | <a name="input_owner"></a> [owner](#input\_owner) | The owner of the infrastructure | `string` | `"skylight"` | no |
 | <a name="input_phdi_version"></a> [phdi\_version](#input\_phdi\_version) | PHDI container image version | `string` | `"v1.4.4"` | no |
 | <a name="input_private_subnets"></a> [private\_subnets](#input\_private\_subnets) | The private subnets | `list(string)` | <pre>[<br>  "176.24.1.0/24",<br>  "176.24.3.0/24"<br>]</pre> | no |
 | <a name="input_project"></a> [project](#input\_project) | The project name | `string` | `"dibbs"` | no |
 | <a name="input_public_subnets"></a> [public\_subnets](#input\_public\_subnets) | The public subnets | `list(string)` | <pre>[<br>  "176.24.2.0/24",<br>  "176.24.4.0/24"<br>]</pre> | no |
 | <a name="input_region"></a> [region](#input\_region) | AWS region | `string` | `"us-east-1"` | no |
-| <a name="input_single_nat_gateway"></a> [single\_nat\_gateway](#input\_single\_nat\_gateway) | Single NAT Gateway | `bool` | `false` | no |
 | <a name="input_vpc"></a> [vpc](#input\_vpc) | The name of the VPC | `string` | `"ecs-vpc"` | no |
 | <a name="input_vpc_cidr"></a> [vpc\_cidr](#input\_vpc\_cidr) | The CIDR block for the VPC | `string` | `"176.24.0.0/16"` | no |
 

diff --git a/terraform/implementation/ecs/SERVICEDATA.md b/terraform/implementation/ecs/SERVICEDATA.md
@@ -6,12 +6,14 @@ service_data = {
     short_name     = "ecrv",
     fargate_cpu    = 1024,
     fargate_memory = 2048,
-    app_count      = 1
-    app_image      = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com/${terraform.workspace}-ecr-viewer",
+    min_capacity   = 1
+    max_capacity   = 5
+    app_image      = var.disable_ecr == false ? "${terraform.workspace}-ecr-viewer" : "ecr-viewer",
     app_version    = var.phdi_version,
     container_port = 3000,
     host_port      = 3000,
     public         = true
+    registry_url   = local.registry_url
     env_vars = [
       {
         name  = "AWS_REGION",
@@ -24,86 +26,118 @@ service_data = {
       {
         name  = "HOSTNAME",
         value = "0.0.0.0"
+      },
+      {
+        name  = "NEXT_PUBLIC_NON_INTEGRATED_VIEWER",
+        value = var.non_integrated_viewer
+      },
+      {
+        name  = "SOURCE",
+        value = "s3"
+      },
+      {
+        name  = "APP_ENV",
+        value = var.ecr_viewer_app_env
+      },
+      {
+        name  = "NBS_PUB_KEY",
+        value = var.ecr_viewer_auth_pub_key
+      },
+      {
+        name  = "NEXT_PUBLIC_BASEPATH",
+        value = var.ecr_viewer_basepath
       }
     ]
   },
   fhir-converter = {
     short_name     = "fhirc",
     fargate_cpu    = 1024,
     fargate_memory = 2048,
-    app_count      = 1
-    app_image      = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com/${terraform.workspace}-fhir-converter",
+    min_capacity   = 1
+    max_capacity   = 5
+    app_image      = var.disable_ecr == false ? "${terraform.workspace}-fhir-converter" : "fhir-converter",
     app_version    = var.phdi_version,
     container_port = 8080,
     host_port      = 8080,
     public         = false
+    registry_url   = local.registry_url
     env_vars       = []
   },
   ingestion = {
     short_name     = "inge",
     fargate_cpu    = 1024,
     fargate_memory = 2048,
-    app_count      = 1
-    app_image      = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com/${terraform.workspace}-ingestion",
+    min_capacity   = 1
+    max_capacity   = 5
+    app_image      = var.disable_ecr == false ? "${terraform.workspace}-ingestion" : "ingestion",
     app_version    = var.phdi_version,
     container_port = 8080,
     host_port      = 8080,
     public         = false
+    registry_url   = local.registry_url
     env_vars       = []
   },
   validation = {
     short_name     = "vali",
     fargate_cpu    = 1024,
     fargate_memory = 2048,
-    app_count      = 1
-    app_image      = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com/${terraform.workspace}-validation",
+    min_capacity   = 1
+    max_capacity   = 5
+    app_image      = var.disable_ecr == false ? "${terraform.workspace}-validation" : "validation",
     app_version    = var.phdi_version,
     container_port = 8080,
     host_port      = 8080,
     public         = false
+    registry_url   = local.registry_url
     env_vars       = []
   },
   trigger-code-reference = {
     short_name     = "trigcr",
     fargate_cpu    = 1024,
     fargate_memory = 2048,
-    app_count      = 1
-    app_image      = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com/${terraform.workspace}-trigger-code-reference",
+    min_capacity   = 1
+    max_capacity   = 5
+    app_image      = var.disable_ecr == false ? "${terraform.workspace}-trigger-code-reference" : "trigger-code-reference",
     app_version    = var.phdi_version,
     container_port = 8080,
     host_port      = 8080,
     public         = false
+    registry_url   = local.registry_url
     env_vars       = []
   },
   message-parser = {
     short_name     = "msgp",
     fargate_cpu    = 1024,
     fargate_memory = 2048,
-    app_count      = 1
-    app_image      = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com/${terraform.workspace}-message-parser",
+    min_capacity   = 1
+    max_capacity   = 5
+    app_image      = var.disable_ecr == false ? "${terraform.workspace}-message-parser" : "message-parser",
     app_version    = var.phdi_version,
     container_port = 8080,
     host_port      = 8080,
     public         = false
+    registry_url   = local.registry_url
     env_vars       = []
   },
   orchestration = {
     short_name     = "orch",
     fargate_cpu    = 1024,
     fargate_memory = 2048,
-    app_count      = 1
-    app_image      = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com/${terraform.workspace}-orchestration",
+    min_capacity   = 1
+    max_capacity   = 5
+    app_image      = var.disable_ecr == false ? "${terraform.workspace}-orchestration" : "orchestration",
     app_version    = var.phdi_version,
     container_port = 8080,
     host_port      = 8080,
     public         = true
+    registry_url   = local.registry_url
     env_vars = [
       {
-        name = "OTEL_METRICS",
+        name  = "OTEL_METRICS",
         value = "none"
       },
       {
-        name = "OTEL_METRICS_EXPORTER",
+        name  = "OTEL_METRICS_EXPORTER",
         value = "none"
       },
       {
@@ -120,7 +154,7 @@ service_data = {
       },
       {
         name  = "ECR_VIEWER_URL",
-        value = "http://ecr-viewer:3000"
+        value = "http://ecr-viewer:3000${var.ecr_viewer_basepath}"
       },
       {
         name  = "MESSAGE_PARSER_URL",

diff --git a/terraform/implementation/ecs/_variable.tf b/terraform/implementation/ecs/_variable.tf
@@ -5,28 +5,17 @@ variable "availability_zones" {
 }
 
 variable "internal" {
-  description = "Internal"
+  description = "Flag to determine if the several AWS resources are public (intended for external access, public internet) or private (only intended to be accessed within your AWS VPC or avaiable with other means, a transit gateway for example)."
   type        = bool
   default     = true
 }
-variable "create_internet_gateway" {
-  type        = bool
-  description = "Flag to determine if an internet gateway should be created"
-  default     = false
-}
 
 variable "ecs_alb_sg" {
   description = "The security group for the Application Load Balancer"
   type        = string
   default     = "ecs-albsg"
 }
 
-variable "enable_nat_gateway" {
-  description = "Enable NAT Gateway"
-  type        = bool
-  default     = false
-}
-
 variable "owner" {
   description = "The owner of the infrastructure"
   type        = string
@@ -64,12 +53,6 @@ variable "region" {
   default     = "us-east-1"
 }
 
-variable "single_nat_gateway" {
-  description = "Single NAT Gateway"
-  type        = bool
-  default     = false
-}
-
 variable "vpc" {
   description = "The name of the VPC"
   type        = string

diff --git a/terraform/implementation/setup/setup.sh b/terraform/implementation/setup/setup.sh
@@ -80,7 +80,7 @@ if ! grep -q "region" "$WORKSPACE.tfvars"; then
 fi
 
 if ! grep -q "oidc_github_repo" "$WORKSPACE.tfvars"; then
-    read -p "Do you want to setup a GitHub IODC role? (y/n): " github_choice
+    read -p "Do you want to setup a GitHub OIDC role? (y/n): " github_choice
     if [[ "$github_choice" =~ ^[Yy]$ ]]; then
         read -p "What is the organization/repo value for assume role? ( default=\"\" ): " repo_choice
         repo_choice=${repo_choice:-""}

diff --git a/terraform/modules/ecs/README.md b/terraform/modules/ecs/README.md
@@ -26,8 +26,6 @@ No modules.
 | [aws_alb_listener.http](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/alb_listener) | resource |
 | [aws_alb_listener_rule.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/alb_listener_rule) | resource |
 | [aws_alb_target_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/alb_target_group) | resource |
-| [aws_appautoscaling_policy.ecs_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appautoscaling_policy) | resource |
-| [aws_appautoscaling_target.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appautoscaling_target) | resource |
 | [aws_appmesh_mesh.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appmesh_mesh) | resource |
 | [aws_appmesh_virtual_node.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appmesh_virtual_node) | resource |
 | [aws_cloudwatch_log_group.ecs_cloudwatch_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |

diff --git a/terraform/modules/ecs/alb.tf b/terraform/modules/ecs/alb.tf
@@ -1,5 +1,3 @@
-# https://avd.aquasec.com/misconfig/aws/elb/avd-aws-0053
-# trivy:ignore:AVD-AWS-0053
 resource "aws_alb" "ecs" {
   name                       = local.ecs_alb_name
   internal                   = var.internal

diff --git a/terraform/modules/oidc/_variable.tf b/terraform/modules/oidc/_variable.tf
@@ -14,7 +14,7 @@ variable "owner" {
   default     = "skylight"
   validation {
     condition     = can(regex("^[[:alnum:]]{1,8}$", var.owner))
-    error_message = "owner must be 8 characters or less, all lowerspace with no special characters or spaces"
+    error_message = "owner must be 8 characters or less, all lowercase with no special characters or spaces"
   }
 }
 

diff --git a/terraform/modules/tfstate/_variable.tf b/terraform/modules/tfstate/_variable.tf
@@ -4,7 +4,7 @@ variable "owner" {
   default     = "skylight"
   validation {
     condition     = can(regex("^[[:alnum:]]{1,8}$", var.owner))
-    error_message = "owner must be 8 characters/numbers or less, all lowerspace with no special characters or spaces"
+    error_message = "owner must be 8 characters/numbers or less, all lowercase with no special characters or spaces"
   }
 }