QoL updates ✅

.github/workflows/deployment.yaml

@@ -1,29 +1,35 @@
-name: Deploy to ECS
+name: Terraform (Plan||Apply)
+run-name: Terraform ${{ inputs.terraform_action }} ${{ inputs.workspace }} by @${{ github.actor }}
 
 on:
   workflow_dispatch:
     inputs:
-      environment:
-        description: 'The environment to deploy to'
+      workspace:
+        description: 'The workspace to terraform against'
         required: true
         type: choice
         options:
           - ""
           - prod
+      terraform_action:
+        description: 'The terraform action to perform'
+        required: true
+        type: choice
+        options:
+          - plan
+          - apply
 
 concurrency:
-  group: ${{ github.event.inputs.environment }}-deploy
+  group: ${{ github.event.inputs.workspace }}-terraform
   cancel-in-progress: false
 
 permissions:
   id-token: write
   contents: read
 
 env:
-  aws_region: us-east-1
-  environment: ${{ github.event.inputs.environment }}
-  owner: "skylight"
-  project: "dibbs-ce"
+  workspace: ${{ github.event.inputs.workspace }}
+  terraform_action: ${{ github.event.inputs.terraform_action }}
 
 jobs:
   terraform:
@@ -45,23 +51,32 @@ jobs:
         with:
           role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
           role-session-name: githubDeploymentWorkflow
-          aws-region: ${{ env.aws_region }}
+          aws-region: ${{ secrets.AWS_REGION }}
 
       - name: Terraform
         env:
-          ENVIRONMENT: ${{ env.environment }}
+          ACTION: ${{ env.terraform_action }}
           BUCKET: ${{ secrets.TFSTATE_BUCKET }}
           DYNAMODB_TABLE: ${{ secrets.TFSTATE_DYNAMODB_TABLE }}
-          REGION: ${{ env.aws_region }}
-          OWNER: ${{ env.owner }}
-          PROJECT: ${{ env.project }}
+          OWNER: ${{ vars.OWNER }}
+          PROJECT: ${{ vars.PROJECT }}
+          REGION: ${{ secrets.AWS_REGION }}
+          WORKSPACE: ${{ env.workspace }}
         shell: bash
         run: |
-          echo "ENVIRONMENT=$ENVIRONMENT" >> .env
-          echo "BUCKET=$BUCKET" >> .env
-          echo "DYNAMODB_TABLE=$DYNAMODB_TABLE" >> .env
-          echo "REGION=$REGION" >> .env
-          echo "owner = \"$OWNER\"" >> $ENVIRONMENT.tfvars
-          echo "project = \"$PROJECT\"" >> $ENVIRONMENT.tfvars
-          echo "region = \"$REGION\"" >> $ENVIRONMENT.tfvars
-          ./deploy.sh -e $ENVIRONMENT --ci
+          echo "owner = \"$OWNER\"" >> $WORKSPACE.tfvars
+          echo "project = \"$PROJECT\"" >> $WORKSPACE.tfvars
+          echo "region = \"$REGION\"" >> $WORKSPACE.tfvars
+          terraform init \
+            -var-file="$WORKSPACE.tfvars" \
+            -backend-config "bucket=$BUCKET" \
+            -backend-config "dynamodb_table=$DYNAMODB_TABLE" \
+            -backend-config "region=$REGION" \
+            || (echo "terraform init failed, exiting..." && exit 1)
+          terraform workspace select "$WORKSPACE"
+          if [ "$ACTION" == "plan" ]; then
+            terraform plan -var-file="$WORKSPACE.tfvars"
+          fi
+          if [ "$ACTION" == "apply" ]; then
+            terraform apply -auto-approve -var-file="$WORKSPACE.tfvars"
+          fi

terraform/implementation/ecs/README.md

@@ -28,18 +28,20 @@
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_availability_zones"></a> [availability\_zones](#input\_availability\_zones) | The availability zones to use | `list(string)` | <pre>[<br/>  "us-east-1a",<br/>  "us-east-1b",<br/>  "us-east-1c"<br/>]</pre> | no |
+| <a name="input_availability_zones"></a> [availability\_zones](#input\_availability\_zones) | The availability zones to use | `list(string)` | <pre>[<br>  "us-east-1a",<br>  "us-east-1b",<br>  "us-east-1c"<br>]</pre> | no |
+| <a name="input_create_internet_gateway"></a> [create\_internet\_gateway](#input\_create\_internet\_gateway) | Flag to determine if an internet gateway should be created | `bool` | `false` | no |
 | <a name="input_ecr_viewer_database_schema"></a> [ecr\_viewer\_database\_schema](#input\_ecr\_viewer\_database\_schema) | The database schema used for the eCR data tables | `string` | `"core"` | no |
 | <a name="input_ecr_viewer_database_type"></a> [ecr\_viewer\_database\_type](#input\_ecr\_viewer\_database\_type) | The SQL variant used for the eCR data tables | `string` | `"postgres"` | no |
 | <a name="input_ecs_alb_sg"></a> [ecs\_alb\_sg](#input\_ecs\_alb\_sg) | The security group for the Application Load Balancer | `string` | `"ecs-albsg"` | no |
-| <a name="input_enable_nat_gateway"></a> [enable\_nat\_gateway](#input\_enable\_nat\_gateway) | Enable NAT Gateway | `bool` | `true` | no |
+| <a name="input_enable_nat_gateway"></a> [enable\_nat\_gateway](#input\_enable\_nat\_gateway) | Enable NAT Gateway | `bool` | `false` | no |
+| <a name="input_internal"></a> [internal](#input\_internal) | Internal | `bool` | `true` | no |
 | <a name="input_owner"></a> [owner](#input\_owner) | The owner of the infrastructure | `string` | `"skylight"` | no |
 | <a name="input_phdi_version"></a> [phdi\_version](#input\_phdi\_version) | PHDI container image version | `string` | `"v1.4.4"` | no |
-| <a name="input_private_subnets"></a> [private\_subnets](#input\_private\_subnets) | The private subnets | `list(string)` | <pre>[<br/>  "176.24.1.0/24",<br/>  "176.24.3.0/24"<br/>]</pre> | no |
-| <a name="input_project"></a> [project](#input\_project) | The project name | `string` | `"dibbs-ce"` | no |
-| <a name="input_public_subnets"></a> [public\_subnets](#input\_public\_subnets) | The public subnets | `list(string)` | <pre>[<br/>  "176.24.2.0/24",<br/>  "176.24.4.0/24"<br/>]</pre> | no |
+| <a name="input_private_subnets"></a> [private\_subnets](#input\_private\_subnets) | The private subnets | `list(string)` | <pre>[<br>  "176.24.1.0/24",<br>  "176.24.3.0/24"<br>]</pre> | no |
+| <a name="input_project"></a> [project](#input\_project) | The project name | `string` | `"dibbs"` | no |
+| <a name="input_public_subnets"></a> [public\_subnets](#input\_public\_subnets) | The public subnets | `list(string)` | <pre>[<br>  "176.24.2.0/24",<br>  "176.24.4.0/24"<br>]</pre> | no |
 | <a name="input_region"></a> [region](#input\_region) | AWS region | `string` | `"us-east-1"` | no |
-| <a name="input_single_nat_gateway"></a> [single\_nat\_gateway](#input\_single\_nat\_gateway) | Single NAT Gateway | `bool` | `true` | no |
+| <a name="input_single_nat_gateway"></a> [single\_nat\_gateway](#input\_single\_nat\_gateway) | Single NAT Gateway | `bool` | `false` | no |
 | <a name="input_vpc"></a> [vpc](#input\_vpc) | The name of the VPC | `string` | `"ecs-vpc"` | no |
 | <a name="input_vpc_cidr"></a> [vpc\_cidr](#input\_vpc\_cidr) | The CIDR block for the VPC | `string` | `"176.24.0.0/16"` | no |
 

terraform/implementation/ecs/_variable.tf

@@ -4,6 +4,17 @@ variable "availability_zones" {
   default     = ["us-east-1a", "us-east-1b", "us-east-1c"]
 }
 
+variable "internal" {
+  description = "Internal"
+  type        = bool
+  default     = true
+}
+variable "create_internet_gateway" {
+  type        = bool
+  description = "Flag to determine if an internet gateway should be created"
+  default     = false
+}
+
 variable "ecs_alb_sg" {
   description = "The security group for the Application Load Balancer"
   type        = string
@@ -13,7 +24,7 @@ variable "ecs_alb_sg" {
 variable "enable_nat_gateway" {
   description = "Enable NAT Gateway"
   type        = bool
-  default     = true
+  default     = false
 }
 
 variable "owner" {
@@ -38,7 +49,7 @@ variable "private_subnets" {
 variable "project" {
   description = "The project name"
   type        = string
-  default     = "dibbs-ce"
+  default     = "dibbs"
 }
 
 variable "public_subnets" {
@@ -56,7 +67,7 @@ variable "region" {
 variable "single_nat_gateway" {
   description = "Single NAT Gateway"
   type        = bool
-  default     = true
+  default     = false
 }
 
 variable "vpc" {

terraform/implementation/ecs/deploy.sh

@@ -6,7 +6,7 @@ if [ -f .env ]; then
 fi
 
 # set default values
-ENVIRONMENT="${ENVIRONMENT:-}"
+WORKSPACE="${WORKSPACE:-}"
 BUCKET="${BUCKET:-}"
 DYNAMODB_TABLE="${DYNAMODB_TABLE:-}"
 REGION="${REGION:-}"
@@ -20,7 +20,7 @@ do
 
     case $key in
         -env|--env|-e)
-        ENVIRONMENT="$2"
+        WORKSPACE="$2"
         shift
         shift
         ;;
@@ -71,9 +71,9 @@ if ! command -v terraform &> /dev/null; then
     exit 1
 fi
 
-if [ -z "$ENVIRONMENT" ] || [ -z "$BUCKET" ] || [ -z "$DYNAMODB_TABLE" ] || [ -z "$REGION" ]; then
+if [ -z "$WORKSPACE" ] || [ -z "$BUCKET" ] || [ -z "$DYNAMODB_TABLE" ] || [ -z "$REGION" ]; then
     echo "Missing required arguments. Please provide all the required arguments."
-    echo "ENVIRONMENT: $ENVIRONMENT"
+    echo "WORKSPACE: $WORKSPACE"
     echo "BUCKET: $BUCKET"
     echo "DYNAMODB_TABLE: $DYNAMODB_TABLE"
     echo "REGION: $REGION"
@@ -82,69 +82,69 @@ if [ -z "$ENVIRONMENT" ] || [ -z "$BUCKET" ] || [ -z "$DYNAMODB_TABLE" ] || [ -z
 fi
 
 if [ "$CI" = false ]; then
-    if [ ! -f "$ENVIRONMENT.tfvars" ]; then
-        echo "Creating $ENVIRONMENT.tfvars"
-        touch "$ENVIRONMENT.tfvars"
+    if [ ! -f "$WORKSPACE.tfvars" ]; then
+        echo "Creating $WORKSPACE.tfvars"
+        touch "$WORKSPACE.tfvars"
     fi
 
-    if ! grep -q "owner" "$ENVIRONMENT.tfvars"; then
+    if ! grep -q "owner" "$WORKSPACE.tfvars"; then
         read -p "Who is the owner of this infrastructure? ( default=skylight ): " owner_choice
         owner_choice=${owner_choice:-skylight}
-        echo "owner = \"$owner_choice\"" >> "$ENVIRONMENT.tfvars"
+        echo "owner = \"$owner_choice\"" >> "$WORKSPACE.tfvars"
     fi
 
-    if ! grep -q "project" "$ENVIRONMENT.tfvars"; then
-        read -p "What is this project called? ( default=dibbs-ce ): " project_choice
-        project_choice=${project_choice:-dibbs-ce}
-        echo "project = \"$project_choice\"" >> "$ENVIRONMENT.tfvars"
+    if ! grep -q "project" "$WORKSPACE.tfvars"; then
+        read -p "What is this project called? ( default=dibbs ): " project_choice
+        project_choice=${project_choice:-dibbs}
+        echo "project = \"$project_choice\"" >> "$WORKSPACE.tfvars"
     fi
 
-    if ! grep -q "region" "$ENVIRONMENT.tfvars"; then
+    if ! grep -q "region" "$WORKSPACE.tfvars"; then
         read -p "What aws region are you setting up in? ( default=us-east-1 ): " region_choice
         region_choice=${region_choice:-us-east-1}
-        echo "region = \"$region_choice\"" >> "$ENVIRONMENT.tfvars"
+        echo "region = \"$region_choice\"" >> "$WORKSPACE.tfvars"
     fi
 fi
 
 echo "Running Terraform with the following variables:"
-echo "Environment: $ENVIRONMENT"
-echo "Terraform Workspace: $ENVIRONMENT"
+echo "Environment: $WORKSPACE"
+echo "Terraform Workspace: $WORKSPACE"
 echo "Bucket: $BUCKET"
 echo "DynamoDB Table: $DYNAMODB_TABLE"
 echo "Region: $REGION"
-cat "$ENVIRONMENT.tfvars"
+cat "$WORKSPACE.tfvars"
 echo ""
 
 terraform init \
-    -var-file="$ENVIRONMENT.tfvars" \
+    -var-file="$WORKSPACE.tfvars" \
     -backend-config "bucket=$BUCKET" \
     -backend-config "dynamodb_table=$DYNAMODB_TABLE" \
     -backend-config "region=$REGION" \
     || (echo "terraform init failed, exiting..." && exit 1)
 
 
 # Check if workspace exists
-if terraform workspace list | grep -q "$ENVIRONMENT"; then
-    echo "Selecting $ENVIRONMENT terraform workspace"
-    terraform workspace select "$ENVIRONMENT"
+if terraform workspace list | grep -q "$WORKSPACE"; then
+    echo "Selecting $WORKSPACE terraform workspace"
+    terraform workspace select "$WORKSPACE"
 else
     if [ "$CI" = false ]; then
-        read -p "Workspace '$ENVIRONMENT' does not exist. Do you want to create it? (y/n): " choice
+        read -p "Workspace '$WORKSPACE' does not exist. Do you want to create it? (y/n): " choice
         if [[ $choice =~ ^[Yy]$ ]]; then
-            echo "Creating '$ENVIRONMENT' terraform workspace"
-            terraform workspace new "$ENVIRONMENT"
+            echo "Creating '$WORKSPACE' terraform workspace"
+            terraform workspace new "$WORKSPACE"
         else
             echo "Workspace creation cancelled."
             exit 1
         fi
     else
-        echo "Creating '$ENVIRONMENT' terraform workspace"
-        terraform workspace new "$ENVIRONMENT"
+        echo "Creating '$WORKSPACE' terraform workspace"
+        terraform workspace new "$WORKSPACE"
     fi
 fi
 
 if [ "$CI" = false ]; then
-    terraform apply -var-file="$ENVIRONMENT.tfvars"
+    terraform apply -var-file="$WORKSPACE.tfvars"
 else
-    terraform apply -auto-approve -var-file="$ENVIRONMENT.tfvars"
+    terraform apply -auto-approve -var-file="$WORKSPACE.tfvars"
 fi

terraform/implementation/ecs/main.tf

@@ -1,13 +1,15 @@
 module "vpc" {
   source = "terraform-aws-modules/vpc/aws"
 
-  name               = local.vpc_name
-  cidr               = var.vpc_cidr
-  azs                = var.availability_zones
-  private_subnets    = var.private_subnets
-  public_subnets     = var.public_subnets
-  enable_nat_gateway = var.enable_nat_gateway
-  single_nat_gateway = var.single_nat_gateway
+  name            = local.vpc_name
+  cidr            = var.vpc_cidr
+  azs             = var.availability_zones
+  private_subnets = var.private_subnets
+  public_subnets  = var.public_subnets
+  # if internal is true, then the VPC will not have a NAT or internet gateway
+  enable_nat_gateway = var.internal ? false : true
+  single_nat_gateway = var.internal ? false : true
+  create_igw         = var.internal ? false : true
   tags               = local.tags
 }
 
@@ -18,14 +20,21 @@ module "ecs" {
   private_subnet_ids = flatten(module.vpc.private_subnets)
   vpc_id             = module.vpc.vpc_id
   region             = var.region
-  alb_internal       = false
 
   owner   = var.owner
   project = var.project
   tags    = local.tags
-  
+
   # If intent is to pull from the phdi GHCR, set disable_ecr to true (default is false)
   # disable_ecr = true
-  # If intent is to use the non-integrated viewer, set non_integrated_viewer to true (default is false)
+
+  # If intent is to use the non-integrated viewer, set non_integrated_viewer to "true" (default is false)
   # non_integrated_viewer = "true"
+
+  # If the intent is to make the ecr-viewer availabble on the public internet, set internal to false (default is true)
+  # This requires an internet gateway to be present in the VPC.
+  internal = var.internal
+
+  # If the intent is to disable authentication, set ecr_viewer_app_env to "test" (default is "prod")
+  # ecr_viewer_app_env = "test"
 }

terraform/implementation/setup/README.md

@@ -1,32 +1,28 @@
 <!-- BEGIN_TF_DOCS -->
 ## Requirements
 
-No requirements.
+| Name | Version |
+|------|---------|
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | =5.70.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
-| <a name="provider_local"></a> [local](#provider\_local) | n/a |
-| <a name="provider_random"></a> [random](#provider\_random) | n/a |
+| <a name="provider_local"></a> [local](#provider\_local) | 2.5.2 |
+| <a name="provider_random"></a> [random](#provider\_random) | 3.6.3 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_oidc"></a> [oidc](#module\_oidc) | ../../modules/oidc | n/a |
+| <a name="module_tfstate"></a> [tfstate](#module\_tfstate) | ../../modules/tfstate | n/a |
 
 ## Resources
 
 | Name | Type |
 |------|------|
-| [aws_dynamodb_table.tfstate_lock](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table) | resource |
-| [aws_s3_bucket.tfstate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
-| [aws_s3_bucket_public_access_block.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
-| [aws_s3_bucket_server_side_encryption_configuration.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
-| [aws_s3_bucket_versioning.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
-| [local_file.ecs_env](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
 | [local_file.setup_env](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
 | [random_string.setup](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource |
 
@@ -36,7 +32,7 @@ No requirements.
 |------|-------------|------|---------|:--------:|
 | <a name="input_oidc_github_repo"></a> [oidc\_github\_repo](#input\_oidc\_github\_repo) | The GitHub repository for OIDC | `string` | `""` | no |
 | <a name="input_owner"></a> [owner](#input\_owner) | The owner of the project | `string` | `"skylight"` | no |
-| <a name="input_project"></a> [project](#input\_project) | The name of the project | `string` | `"dibbs-ce"` | no |
+| <a name="input_project"></a> [project](#input\_project) | The name of the project | `string` | `"dibbs"` | no |
 | <a name="input_region"></a> [region](#input\_region) | The AWS region where resources are created | `string` | `"us-east-1"` | no |
 
 ## Outputs

terraform/implementation/setup/_variable.tf

@@ -13,7 +13,7 @@ variable "owner" {
 variable "project" {
   description = "The name of the project"
   type        = string
-  default     = "dibbs-ce"
+  default     = "dibbs"
 }
 
 variable "region" {