From a7cf09c091a3095ab20d18cf3c92bb3825b615fd Mon Sep 17 00:00:00 2001 From: Alis Akers Date: Mon, 4 Nov 2024 11:50:48 -0800 Subject: [PATCH] separate out github workflows, typo and description updates --- ...{deployment.yaml => deployment_apply.yaml} | 22 ++---- .github/workflows/deployment_plan.yaml | 70 +++++++++++++++++++ terraform/implementation/ecs/README.md | 5 +- terraform/implementation/ecs/SERVICEDATA.md | 68 +++++++++++++----- terraform/implementation/ecs/_variable.tf | 19 +---- terraform/implementation/setup/setup.sh | 2 +- terraform/modules/ecs/README.md | 2 - terraform/modules/ecs/alb.tf | 2 - terraform/modules/oidc/_variable.tf | 2 +- terraform/modules/tfstate/_variable.tf | 2 +- 10 files changed, 131 insertions(+), 63 deletions(-) rename .github/workflows/{deployment.yaml => deployment_apply.yaml} (76%) create mode 100644 .github/workflows/deployment_plan.yaml diff --git a/.github/workflows/deployment.yaml b/.github/workflows/deployment_apply.yaml similarity index 76% rename from .github/workflows/deployment.yaml rename to .github/workflows/deployment_apply.yaml index 06cc0a1b..b9f885ee 100644 --- a/.github/workflows/deployment.yaml +++ b/.github/workflows/deployment_apply.yaml @@ -1,4 +1,4 @@ -name: Terraform (Plan||Apply) +name: Terraform Apply run-name: Terraform ${{ inputs.terraform_action }} ${{ inputs.workspace }} by @${{ github.actor }} on: @@ -11,13 +11,6 @@ on: options: - "" - prod - terraform_action: - description: 'The terraform action to perform' - required: true - type: choice - options: - - plan - - apply concurrency: group: ${{ github.event.inputs.workspace }}-terraform @@ -29,7 +22,7 @@ permissions: env: workspace: ${{ github.event.inputs.workspace }} - terraform_action: ${{ github.event.inputs.terraform_action }} + terraform_action: apply jobs: terraform: 
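Review bot: `run-name` on the context line of this hunk still interpolates `${{ inputs.terraform_action }}`, but the following hunk removes that input, so the expression resolves to an empty string and run titles will read "Terraform  prod by @…". Since the action is now fixed, `run-name: Terraform apply ${{ inputs.workspace }} by @${{ github.actor }}` names it directly. The new `.github/workflows/deployment_plan.yaml` copies the same `run-name` with an input it never declares and needs the same fix with `plan`.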
@@ -51,7 +44,7 @@ jobs: with: role-to-assume: ${{ secrets.AWS_ROLE_ARN }} role-session-name: githubDeploymentWorkflow - aws-region: ${{ secrets.AWS_REGION }} + aws-region: ${{ vars.AWS_REGION }} - name: Terraform env: @@ -60,7 +53,7 @@ jobs: DYNAMODB_TABLE: ${{ secrets.TFSTATE_DYNAMODB_TABLE }} OWNER: ${{ vars.OWNER }} PROJECT: ${{ vars.PROJECT }} - REGION: ${{ secrets.AWS_REGION }} + REGION: ${{ vars.AWS_REGION }} WORKSPACE: ${{ env.workspace }} shell: bash run: | @@ -74,9 +67,4 @@ jobs: -backend-config "region=$REGION" \ || (echo "terraform init failed, exiting..." && exit 1) terraform workspace select "$WORKSPACE" - if [ "$ACTION" == "plan" ]; then - terraform plan -var-file="$WORKSPACE.tfvars" - fi - if [ "$ACTION" == "apply" ]; then - terraform apply -auto-approve -var-file="$WORKSPACE.tfvars" - fi + terraform apply -auto-approve -var-file="$WORKSPACE.tfvars" diff --git a/.github/workflows/deployment_plan.yaml b/.github/workflows/deployment_plan.yaml new file mode 100644 index 00000000..9519cea1 --- /dev/null +++ b/.github/workflows/deployment_plan.yaml 
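Review bot: The final hunk leaves `terraform apply -auto-approve` running unconditionally on a manual dispatch, and nothing ties it to a reviewed plan — with plan moved to a separate workflow, the plan a reviewer inspected and the apply that runs can differ if the repository or remote state changed in between. Binding the job to a protected environment, `environment: ${{ github.event.inputs.workspace }}` under `jobs.terraform`, lets required reviewers gate the apply; the job header is above this hunk. Alternatively have this job save and consume its own plan (`terraform plan -out=tfplan` followed by `terraform apply tfplan`) so the exact change set is logged before it takes effect.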
@@ -0,0 +1,70 @@
+name: Terraform Plan
+run-name: Terraform ${{ inputs.terraform_action }} ${{ inputs.workspace }} by @${{ github.actor }}
+
+on:
+ workflow_dispatch:
+ inputs:
+ workspace:
+ description: 'The workspace to terraform against'
+ required: true
+ type: choice
+ options:
+ - ""
+ - prod
+
+concurrency:
+ group: ${{ github.event.inputs.workspace }}-terraform
+ cancel-in-progress: false
+
+permissions:
+ id-token: write
+ contents: read
+
+env:
+ workspace: ${{ github.event.inputs.workspace }}
+ terraform_action: plan
+
+jobs:
+ terraform:
+ name: Run Terraform
+ runs-on: ubuntu-latest
+ defaults:
+ run:
+ shell: bash
+ working-directory: ./terraform/implementation/ecs
+ steps:
+ - name: Check Out Changes
+ uses: actions/checkout@v4
+
+ - name: Setup Terraform
+ uses: hashicorp/setup-terraform@v3
+
+ - name: configure aws credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+ role-session-name: githubDeploymentWorkflow
+ aws-region: ${{ vars.AWS_REGION }}
+
+ - name: Terraform
+ env:
+ ACTION: ${{ env.terraform_action }}
+ BUCKET: ${{ secrets.TFSTATE_BUCKET }}
+ DYNAMODB_TABLE: ${{ secrets.TFSTATE_DYNAMODB_TABLE }}
+ OWNER: ${{ vars.OWNER }}
+ PROJECT: ${{ vars.PROJECT }}
+ REGION: ${{ vars.AWS_REGION }}
+ WORKSPACE: ${{ env.workspace }}
+ shell: bash
+ run: |
+ echo "owner = \"$OWNER\"" >> $WORKSPACE.tfvars
+ echo "project = \"$PROJECT\"" >> $WORKSPACE.tfvars
+ echo "region = \"$REGION\"" >> $WORKSPACE.tfvars
+ terraform init \
+ -var-file="$WORKSPACE.tfvars" \
+ -backend-config "bucket=$BUCKET" \
+ -backend-config "dynamodb_table=$DYNAMODB_TABLE" \
+ -backend-config "region=$REGION" \
+ || (echo "terraform init failed, exiting..." && exit 1)
+ terraform workspace select "$WORKSPACE"
+ terraform plan -var-file="$WORKSPACE.tfvars"
diff --git a/terraform/implementation/ecs/README.md b/terraform/implementation/ecs/README.md
index 8bf44c0f..7a66cfae 100644
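Review bot: `ACTION: ${{ env.terraform_action }}` in the Terraform step's `env` block and the top-level `terraform_action: plan` are dead in this new file — the `run` script calls `terraform plan` literally and never reads `$ACTION`, so both lines can be dropped (the apply workflow appears to keep the same unused pair, though its `ACTION` line falls outside the hunks shown). Separately, the `workspace` choice lists `""` as an option and sets no `default`, so a dispatch that keeps the preselected value gives an empty `WORKSPACE`, the script appends to a file literally named `.tfvars`, and `terraform workspace select ""` fails. Either remove the empty option or guard the script up front with `[ -n "$WORKSPACE" ] || { echo "workspace input is required" >&2; exit 1; }`.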
--- a/terraform/implementation/ecs/README.md +++ b/terraform/implementation/ecs/README.md @@ -29,19 +29,16 @@ | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [availability\_zones](#input\_availability\_zones) | The availability zones to use | `list(string)` |
[
"us-east-1a",
"us-east-1b",
"us-east-1c"
]
| no | -| [create\_internet\_gateway](#input\_create\_internet\_gateway) | Flag to determine if an internet gateway should be created | `bool` | `false` | no | | [ecr\_viewer\_database\_schema](#input\_ecr\_viewer\_database\_schema) | The database schema used for the eCR data tables | `string` | `"core"` | no | | [ecr\_viewer\_database\_type](#input\_ecr\_viewer\_database\_type) | The SQL variant used for the eCR data tables | `string` | `"postgres"` | no | | [ecs\_alb\_sg](#input\_ecs\_alb\_sg) | The security group for the Application Load Balancer | `string` | `"ecs-albsg"` | no | -| [enable\_nat\_gateway](#input\_enable\_nat\_gateway) | Enable NAT Gateway | `bool` | `false` | no | -| [internal](#input\_internal) | Internal | `bool` | `true` | no | +| [internal](#input\_internal) | Flag to determine if the several AWS resources are public (intended for external access, public internet) or private (only intended to be accessed within your AWS VPC or avaiable with other means, a transit gateway for example). | `bool` | `true` | no | | [owner](#input\_owner) | The owner of the infrastructure | `string` | `"skylight"` | no | | [phdi\_version](#input\_phdi\_version) | PHDI container image version | `string` | `"v1.4.4"` | no | | [private\_subnets](#input\_private\_subnets) | The private subnets | `list(string)` |
[
"176.24.1.0/24",
"176.24.3.0/24"
]
| no | | [project](#input\_project) | The project name | `string` | `"dibbs"` | no | | [public\_subnets](#input\_public\_subnets) | The public subnets | `list(string)` |
[
"176.24.2.0/24",
"176.24.4.0/24"
]
| no | | [region](#input\_region) | AWS region | `string` | `"us-east-1"` | no | -| [single\_nat\_gateway](#input\_single\_nat\_gateway) | Single NAT Gateway | `bool` | `false` | no | | [vpc](#input\_vpc) | The name of the VPC | `string` | `"ecs-vpc"` | no | | [vpc\_cidr](#input\_vpc\_cidr) | The CIDR block for the VPC | `string` | `"176.24.0.0/16"` | no | diff --git a/terraform/implementation/ecs/SERVICEDATA.md b/terraform/implementation/ecs/SERVICEDATA.md index 25509058..a28d0eaa 100644 --- a/terraform/implementation/ecs/SERVICEDATA.md +++ b/terraform/implementation/ecs/SERVICEDATA.md @@ -6,12 +6,14 @@ service_data = { short_name = "ecrv", fargate_cpu = 1024, fargate_memory = 2048, - app_count = 1 - app_image = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com/${terraform.workspace}-ecr-viewer", + min_capacity = 1 + max_capacity = 5 + app_image = var.disable_ecr == false ? "${terraform.workspace}-ecr-viewer" : "ecr-viewer", app_version = var.phdi_version, container_port = 3000, host_port = 3000, public = true + registry_url = local.registry_url env_vars = [ { name = "AWS_REGION", @@ -24,6 +26,26 @@ service_data = { { name = "HOSTNAME", value = "0.0.0.0" + }, + { + name = "NEXT_PUBLIC_NON_INTEGRATED_VIEWER", + value = var.non_integrated_viewer + }, + { + name = "SOURCE", + value = "s3" + }, + { + name = "APP_ENV", + value = var.ecr_viewer_app_env + }, + { + name = "NBS_PUB_KEY", + value = var.ecr_viewer_auth_pub_key + }, + { + name = "NEXT_PUBLIC_BASEPATH", + value = var.ecr_viewer_basepath } ] }, 
@@ -31,79 +53,91 @@ service_data = { short_name = "fhirc", fargate_cpu = 1024, fargate_memory = 2048, - app_count = 1 - app_image = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com/${terraform.workspace}-fhir-converter", + min_capacity = 1 + max_capacity = 5 + app_image = var.disable_ecr == false ? "${terraform.workspace}-fhir-converter" : "fhir-converter", app_version = var.phdi_version, container_port = 8080, host_port = 8080, public = false + registry_url = local.registry_url env_vars = [] }, ingestion = { short_name = "inge", fargate_cpu = 1024, fargate_memory = 2048, - app_count = 1 - app_image = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com/${terraform.workspace}-ingestion", + min_capacity = 1 + max_capacity = 5 + app_image = var.disable_ecr == false ? "${terraform.workspace}-ingestion" : "ingestion", app_version = var.phdi_version, container_port = 8080, host_port = 8080, public = false + registry_url = local.registry_url env_vars = [] }, validation = { short_name = "vali", fargate_cpu = 1024, fargate_memory = 2048, - app_count = 1 - app_image = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com/${terraform.workspace}-validation", + min_capacity = 1 + max_capacity = 5 + app_image = var.disable_ecr == false ? "${terraform.workspace}-validation" : "validation", app_version = var.phdi_version, container_port = 8080, host_port = 8080, public = false + registry_url = local.registry_url env_vars = [] }, trigger-code-reference = { short_name = "trigcr", fargate_cpu = 1024, fargate_memory = 2048, - app_count = 1 - app_image = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com/${terraform.workspace}-trigger-code-reference", + min_capacity = 1 + max_capacity = 5 + app_image = var.disable_ecr == false ? 
"${terraform.workspace}-trigger-code-reference" : "trigger-code-reference", app_version = var.phdi_version, container_port = 8080, host_port = 8080, public = false + registry_url = local.registry_url env_vars = [] }, message-parser = { short_name = "msgp", fargate_cpu = 1024, fargate_memory = 2048, - app_count = 1 - app_image = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com/${terraform.workspace}-message-parser", + min_capacity = 1 + max_capacity = 5 + app_image = var.disable_ecr == false ? "${terraform.workspace}-message-parser" : "message-parser", app_version = var.phdi_version, container_port = 8080, host_port = 8080, public = false + registry_url = local.registry_url env_vars = [] }, orchestration = { short_name = "orch", fargate_cpu = 1024, fargate_memory = 2048, - app_count = 1 - app_image = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com/${terraform.workspace}-orchestration", + min_capacity = 1 + max_capacity = 5 + app_image = var.disable_ecr == false ? "${terraform.workspace}-orchestration" : "orchestration", app_version = var.phdi_version, container_port = 8080, host_port = 8080, public = true + registry_url = local.registry_url env_vars = [ { - name = "OTEL_METRICS", + name = "OTEL_METRICS", value = "none" }, { - name = "OTEL_METRICS_EXPORTER", + name = "OTEL_METRICS_EXPORTER", value = "none" }, { @@ -120,7 +154,7 @@ service_data = { }, { name = "ECR_VIEWER_URL", - value = "http://ecr-viewer:3000" + value = "http://ecr-viewer:3000${var.ecr_viewer_basepath}" }, { name = "MESSAGE_PARSER_URL", diff --git a/terraform/implementation/ecs/_variable.tf b/terraform/implementation/ecs/_variable.tf index 3743de6f..6eabe8be 100644 --- a/terraform/implementation/ecs/_variable.tf +++ b/terraform/implementation/ecs/_variable.tf 
@@ -5,15 +5,10 @@ variable "availability_zones" { } variable "internal" { - description = "Internal" + description = "Flag to determine if the several AWS resources are public (intended for external access, public internet) or private (only intended to be accessed within your AWS VPC or avaiable with other means, a transit gateway for example)." type = bool default = true } -variable "create_internet_gateway" { - type = bool - description = "Flag to determine if an internet gateway should be created" - default = false -} variable "ecs_alb_sg" { description = "The security group for the Application Load Balancer" @@ -21,12 +16,6 @@ variable "ecs_alb_sg" { default = "ecs-albsg" } -variable "enable_nat_gateway" { - description = "Enable NAT Gateway" - type = bool - default = false -} - variable "owner" { description = "The owner of the infrastructure" type = string @@ -64,12 +53,6 @@ variable "region" { default = "us-east-1" } -variable "single_nat_gateway" { - description = "Single NAT Gateway" - type = bool - default = false -} - variable "vpc" { description = "The name of the VPC" type = string diff --git a/terraform/implementation/setup/setup.sh b/terraform/implementation/setup/setup.sh index 0221e844..bff48acf 100755 --- a/terraform/implementation/setup/setup.sh +++ b/terraform/implementation/setup/setup.sh @@ -80,7 +80,7 @@ if ! grep -q "region" "$WORKSPACE.tfvars"; then fi if ! grep -q "oidc_github_repo" "$WORKSPACE.tfvars"; then - read -p "Do you want to setup a GitHub IODC role? (y/n): " github_choice + read -p "Do you want to setup a GitHub OIDC role? (y/n): " github_choice if [[ "$github_choice" =~ ^[Yy]$ ]]; then read -p "What is the organization/repo value for assume role? ( default=\"\" ): " repo_choice repo_choice=${repo_choice:-""} diff --git a/terraform/modules/ecs/README.md b/terraform/modules/ecs/README.md index 5d0a154f..afe73bb9 100644 --- a/terraform/modules/ecs/README.md +++ b/terraform/modules/ecs/README.md 
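Review bot: The new `description` for `variable "internal"` carries the typo `avaiable` and the phrase "if the several AWS resources", which reads as a slip; `available` and "whether the AWS resources" would fix both. The same sentence appears in the updated `terraform/implementation/ecs/README.md` table, presumably regenerated from this description, so regenerate that table after the edit rather than patching it by hand.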
@@ -26,8 +26,6 @@ No modules. | [aws_alb_listener.http](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/alb_listener) | resource | | [aws_alb_listener_rule.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/alb_listener_rule) | resource | | [aws_alb_target_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/alb_target_group) | resource | -| [aws_appautoscaling_policy.ecs_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appautoscaling_policy) | resource | -| [aws_appautoscaling_target.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appautoscaling_target) | resource | | [aws_appmesh_mesh.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appmesh_mesh) | resource | | [aws_appmesh_virtual_node.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appmesh_virtual_node) | resource | | [aws_cloudwatch_log_group.ecs_cloudwatch_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | diff --git a/terraform/modules/ecs/alb.tf b/terraform/modules/ecs/alb.tf index bbcd2892..c036e0f5 100644 --- a/terraform/modules/ecs/alb.tf +++ b/terraform/modules/ecs/alb.tf @@ -1,5 +1,3 @@ -# https://avd.aquasec.com/misconfig/aws/elb/avd-aws-0053 -# trivy:ignore:AVD-AWS-0053 resource "aws_alb" "ecs" { name = local.ecs_alb_name internal = var.internal diff --git a/terraform/modules/oidc/_variable.tf b/terraform/modules/oidc/_variable.tf index 90dfc8c4..4f8a8a51 100644 --- a/terraform/modules/oidc/_variable.tf +++ b/terraform/modules/oidc/_variable.tf 
@@ -14,7 +14,7 @@ variable "owner" { default = "skylight" validation { condition = can(regex("^[[:alnum:]]{1,8}$", var.owner)) - error_message = "owner must be 8 characters or less, all lowerspace with no special characters or spaces" + error_message = "owner must be 8 characters or less, all lowercase with no special characters or spaces" } } diff --git a/terraform/modules/tfstate/_variable.tf b/terraform/modules/tfstate/_variable.tf index 69734312..514d742c 100644 --- a/terraform/modules/tfstate/_variable.tf +++ b/terraform/modules/tfstate/_variable.tf @@ -4,7 +4,7 @@ variable "owner" { default = "skylight" validation { condition = can(regex("^[[:alnum:]]{1,8}$", var.owner)) - error_message = "owner must be 8 characters/numbers or less, all lowerspace with no special characters or spaces" + error_message = "owner must be 8 characters/numbers or less, all lowercase with no special characters or spaces" } }
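Review bot: The corrected `error_message` still promises "all lowercase", but the unchanged `condition` on the line above, `can(regex("^[[:alnum:]]{1,8}$", var.owner))`, accepts uppercase letters too, so a value such as `Skylight` passes validation while the message says it should not. If lowercase is the real requirement, tighten the pattern to `^[a-z0-9]{1,8}$`; if it is not, drop "all lowercase" from the message. The `terraform/modules/tfstate/_variable.tf` hunk below has the same condition/message mismatch and should get the same treatment.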